claude-sdk-proxy 2.3.2 → 3.0.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "claude-sdk-proxy",
-  "version": "2.3.2",
+  "version": "3.0.0",
   "description": "Anthropic Messages API proxy backed by Claude Agent SDK — use Claude Max with any API client",
   "type": "module",
   "main": "./src/proxy/server.ts",

package/src/mcpTools.ts

@@ -1,207 +1,3 @@
-import { createSdkMcpServer, tool } from "@anthropic-ai/claude-agent-sdk"
-import { z } from "zod"
-import { createPrivateKey, createPublicKey, sign, randomBytes } from "node:crypto"
-import { readFileSync } from "node:fs"
-import { homedir } from "node:os"
-
-// ── Gateway helpers ──────────────────────────────────────────────────────────
-
-function b64urlEncode(buf: Buffer): string {
-  return buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "")
-}
-
-function signPayload(privateKeyPem: string, payload: string): string {
-  const key = createPrivateKey(privateKeyPem)
-  return b64urlEncode(sign(null, Buffer.from(payload, "utf8"), key))
-}
-
-function pubKeyRawB64url(publicKeyPem: string): string {
-  const pubKey = createPublicKey(publicKeyPem)
-  const der = pubKey.export({ type: "spki", format: "der" }) as Buffer
-  return b64urlEncode(der.slice(12)) // strip 12-byte ED25519 SPKI prefix
-}
-
-let _identity: { deviceId: string; privateKeyPem: string; publicKeyPem: string } | null = null
-let _gatewayToken: string | null = null
-
-function loadGatewayConfig(): { identity: typeof _identity; token: string } {
-  if (!_identity || !_gatewayToken) {
-    const identity = JSON.parse(readFileSync(`${homedir()}/.openclaw/identity/device.json`, "utf8"))
-    const cfg = JSON.parse(readFileSync(`${homedir()}/.openclaw/openclaw.json`, "utf8"))
-    const token: string = cfg?.gateway?.auth?.token
-    if (!token) throw new Error("gateway token not found in openclaw.json")
-    _identity = identity
-    _gatewayToken = token
-  }
-  return { identity: _identity!, token: _gatewayToken! }
-}
-
-function invalidateGatewayConfig() {
-  _identity = null
-  _gatewayToken = null
-}
-
-async function sendViaGateway(
-  to: string,
-  message?: string,
-  mediaUrl?: string
-): Promise<{ ok: boolean; error?: string }> {
-  let identity: ReturnType<typeof loadGatewayConfig>["identity"]
-  let token: string
-  try {
-    const cfg = loadGatewayConfig()
-    identity = cfg.identity
-    token = cfg.token
-  } catch (e) {
-    invalidateGatewayConfig()
-    return { ok: false, error: `config error: ${e instanceof Error ? e.message : String(e)}` }
-  }
-
-  return new Promise((resolve) => {
-    const ws = new WebSocket("ws://127.0.0.1:18789")
-    let settled = false
-    let connected = false
-
-    const finish = (result: { ok: boolean; error?: string }) => {
-      if (settled) return
-      settled = true
-      clearTimeout(timer)
-      try { ws.close() } catch {}
-      resolve(result)
-    }
-
-    const timer = setTimeout(() => finish({ ok: false, error: "timeout waiting for gateway" }), 10_000)
-
-    ws.onerror = () => finish({ ok: false, error: "gateway websocket error" })
-
-    ws.onclose = (event: CloseEvent) => {
-      if (!settled) finish({ ok: false, error: `gateway closed unexpectedly (code=${event.code})` })
-    }
-
-    ws.onmessage = (event: MessageEvent) => {
-      try {
-        const frame = JSON.parse(event.data as string)
-
-        if (!connected && frame.type === "event" && frame.event === "connect.challenge") {
-          const nonce: string = frame.payload.nonce
-          const signedAtMs = Date.now()
-          const SCOPES = ["operator.admin", "operator.write"]
-          const authPayload = ["v2", identity!.deviceId, "cli", "cli", "operator",
-            SCOPES.join(","), String(signedAtMs), token, nonce].join("|")
-          ws.send(JSON.stringify({
-            type: "req", id: "conn1", method: "connect",
-            params: {
-              minProtocol: 3, maxProtocol: 3,
-              client: { id: "cli", version: "1.0.0", platform: "linux", mode: "cli" },
-              caps: [],
-              scopes: SCOPES,
-              auth: { token },
-              device: {
-                id: identity!.deviceId,
-                publicKey: pubKeyRawB64url(identity!.publicKeyPem),
-                signature: signPayload(identity!.privateKeyPem, authPayload),
-                signedAt: signedAtMs,
-                nonce
-              }
-            }
-          }))
-
-        } else if (!connected && frame.type === "res" && frame.id === "conn1") {
-          if (!frame.ok) {
-            if (frame.error?.message?.includes("unauthorized") ||
-                frame.error?.message?.includes("pairing")) {
-              invalidateGatewayConfig()
-            }
-            finish({ ok: false, error: `gateway connect failed: ${frame.error?.message || "unknown"}` })
-            return
-          }
-          connected = true
-          const sendParams: Record<string, unknown> = {
-            to,
-            channel: "telegram",
-            idempotencyKey: randomBytes(16).toString("hex")
-          }
-          if (message) sendParams.message = message
-          if (mediaUrl) sendParams.mediaUrl = mediaUrl
-          ws.send(JSON.stringify({
-            type: "req", id: "send1", method: "send",
-            params: sendParams
-          }))
-
-        } else if (connected && frame.type === "res" && frame.id === "send1") {
-          if (frame.ok) {
-            finish({ ok: true })
-          } else {
-            finish({ ok: false, error: frame.error?.message || "send failed" })
-          }
-        }
-      } catch (e) {
-        finish({ ok: false, error: `parse error: ${e instanceof Error ? e.message : String(e)}` })
-      }
-    }
-  })
-}
-
-// ── MCP server factory ───────────────────────────────────────────────────────
-// Provides only the gateway message tool. File operations, bash, etc. use
-// Claude Code's built-in tools (which are more robust and don't need MCP).
-//
-// state.messageSent is set on successful delivery. The proxy uses this to
-// auto-suppress text responses when messages were sent via tool (prevents
-// double-delivery without requiring Claude to know about any sentinel value).
-
-export interface McpServerState { messageSent: boolean }
-
-export function createMcpServer(state: McpServerState = { messageSent: false }) {
-  return createSdkMcpServer({
-    name: "opencode",
-    version: "1.0.0",
-    tools: [
-      tool(
-        "message",
-        "Send a message or file to a chat. Provide `to` (chat ID from conversation_label, e.g. '-1001426819337'), and either `message` (text) or `filePath`/`path`/`media` (absolute path to a file). Write files to /tmp/ before sending.",
-        {
-          action: z.string().optional().describe("Action to perform. Default: 'send'."),
-          to: z.string().describe("Chat ID, extracted from conversation_label."),
-          message: z.string().optional().describe("Text message to send."),
-          filePath: z.string().optional().describe("Absolute path to a file to send as attachment."),
-          path: z.string().optional().describe("Alias for filePath."),
-          media: z.string().optional().describe("Alias for filePath."),
-          caption: z.string().optional().describe("Caption for a media attachment."),
-        },
-        async (args) => {
-          try {
-            const rawMedia = args.media ?? args.path ?? args.filePath
-            let mediaUrl: string | undefined
-            if (rawMedia) {
-              if (rawMedia.startsWith("http://") || rawMedia.startsWith("https://") || rawMedia.startsWith("file://")) {
-                mediaUrl = rawMedia
-              } else {
-                const absPath = rawMedia.startsWith("/") ? rawMedia : `/tmp/${rawMedia}`
-                mediaUrl = `file://${absPath}`
-              }
-            }
-            const textMessage = args.message ?? args.caption
-            if (!textMessage && !mediaUrl) {
-              return { content: [{ type: "text", text: "Error: provide message or filePath/path/media" }], isError: true }
-            }
-            const result = await sendViaGateway(args.to, textMessage, mediaUrl)
-            if (result.ok) {
-              state.messageSent = true
-              return { content: [{ type: "text", text: `Sent to ${args.to}` }] }
-            }
-            return {
-              content: [{ type: "text", text: `Failed: ${result.error}` }],
-              isError: true
-            }
-          } catch (error) {
-            return {
-              content: [{ type: "text", text: `Error: ${error instanceof Error ? error.message : String(error)}` }],
-              isError: true
-            }
-          }
-        }
-      )
-    ]
-  })
-}
+// mcpTools.ts — removed. The proxy no longer provides any MCP tools.
+// Tool definitions come from the API caller (standard Anthropic tool loop).
+export {}

package/src/proxy/server.ts

@@ -11,8 +11,6 @@ import { tmpdir } from "os"
 import { randomBytes } from "crypto"
 import { fileURLToPath } from "url"
 import { join, dirname } from "path"
-import { createMcpServer, type McpServerState } from "../mcpTools"
-
 // Base62 ID generator — matches Anthropic's real ID format (e.g. msg_01XFDUDYJgAACzvnptvVoYEL)
 const BASE62 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
 function generateId(prefix: string, length = 24): string {
@@ -29,12 +27,6 @@ const PROXY_VERSION: string = (() => {
   } catch { return "unknown" }
 })()
 
-// Only block tools that add noise — everything else (Read, Write, Edit, Bash,
-// Glob, Grep, WebFetch, WebSearch) uses Claude Code's robust built-in implementations.
-const BLOCKED_BUILTIN_TOOLS = ["TodoWrite", "NotebookEdit"]
-
-const MCP_SERVER_NAME = "opencode"
-
 function resolveClaudeExecutable(): string {
   try {
     const sdkPath = fileURLToPath(import.meta.resolve("@anthropic-ai/claude-agent-sdk"))
@@ -158,26 +150,9 @@ function cleanupTempFiles(tempFiles: string[]) {
 }
 
 // ── Client tool-use support ──────────────────────────────────────────────────
-// When the caller provides tool definitions (e.g. Claude Code, LangChain, etc.)
-// we switch to single-turn mode: inject tool defs into the system prompt, run
-// one LLM turn, parse <tool_use> blocks from the output, and return them as
-// proper Anthropic tool_use content blocks.
-//
-// We stay in agent mode (multi-turn, built-in + MCP tools) when:
-//   - No tools in the request, OR
-//   - The request has markers indicating the agent manages its own tool loop
-
-function isClientToolMode(body: any): boolean {
-  if (!body.tools?.length) return false
-  if (body.messages?.some((m: any) =>
-    Array.isArray(m.content) && m.content.some((b: any) => b.type === "tool_result")
-  )) return true
-  const sysText = Array.isArray(body.system)
-    ? body.system.filter((b: any) => b.type === "text").map((b: any) => b.text).join(" ")
-    : String(body.system ?? "")
-  if (sysText.includes("conversation_label") || sysText.includes("chat id:")) return false
-  return true
-}
+// The proxy never uses Claude Code's built-in tools. All tools come from the
+// API caller. Tool definitions are injected into the system prompt; <tool_use>
+// XML blocks in the output are parsed back into Anthropic tool_use content.
 
 function buildClientToolsPrompt(tools: any[]): string {
   const defs = tools.map((t: any) => {
@@ -237,46 +212,32 @@ function roughTokens(text: string): number {
 }
 
 // ── Query options builder ────────────────────────────────────────────────────
+// Always runs with all built-in tools disabled (tools: []) and maxTurns: 1.
+// The proxy is a pure API translation layer — tool definitions come from the
+// caller and are injected into the system prompt. No MCP servers, no agent loop.
 
 function buildQueryOptions(
   model: "sonnet" | "opus" | "haiku",
   opts: {
     partial?: boolean
-    clientToolMode?: boolean
     systemPrompt?: string
-    mcpState?: McpServerState
     abortController?: AbortController
     thinking?: { type: "adaptive" } | { type: "enabled"; budgetTokens?: number } | { type: "disabled" }
   } = {}
 ) {
-  const base = {
+  return {
     model,
     pathToClaudeCodeExecutable: claudeExecutable,
     permissionMode: "bypassPermissions" as const,
     allowDangerouslySkipPermissions: true,
     persistSession: false,
     settingSources: [],
+    tools: [] as string[],
+    maxTurns: 1,
     ...(opts.partial ? { includePartialMessages: true } : {}),
     ...(opts.abortController ? { abortController: opts.abortController } : {}),
     ...(opts.thinking ? { thinking: opts.thinking } : {}),
     ...(opts.systemPrompt ? { systemPrompt: opts.systemPrompt } : {}),
-    disallowedTools: [...BLOCKED_BUILTIN_TOOLS],
-  }
-
-  if (opts.clientToolMode) {
-    // Disable ALL built-in tools — the caller manages its own tool loop.
-    // Tool definitions are already baked into the systemPrompt.
-    return {
-      ...base,
-      maxTurns: 1,
-      tools: [] as string[],
-    }
-  }
-
-  return {
-    ...base,
-    maxTurns: 200,
-    mcpServers: { [MCP_SERVER_NAME]: createMcpServer(opts.mcpState) }
   }
 }
 
@@ -396,8 +357,7 @@ export function createProxyServer(config: Partial<ProxyConfig> = {}) {
 
       const model = mapModelToClaudeModel(body.model || "sonnet")
       const stream = body.stream ?? false
-      const clientToolMode = isClientToolMode(body)
-      const mcpState: McpServerState = { messageSent: false }
+      const hasTools = body.tools?.length > 0
       const abortController = new AbortController()
       const timeout = setTimeout(() => abortController.abort(), finalConfig.requestTimeoutMs)
 
@@ -423,34 +383,19 @@ export function createProxyServer(config: Partial<ProxyConfig> = {}) {
       }
 
       // Build the prompt from messages. The SDK's query() takes a single prompt
-      // string. To avoid the model continuing a "Human:/Assistant:" format in its
-      // response, we use neutral delimiters and only the last user message as the
-      // primary prompt when there's minimal context.
+      // string, so multi-turn conversations are serialized with XML-delimited
+      // turns. Prior turns go into the system prompt as context, the last user
+      // message becomes the prompt.
       const messages = body.messages as Array<{ role: string; content: string | Array<any> }>
 
       let prompt: string
       let systemPrompt: string | undefined
+      const toolsSection = hasTools ? buildClientToolsPrompt(body.tools) : ""
 
-      if (clientToolMode) {
-        // Client tool mode: serialize all messages as context, inject tools
-        const conversationParts = messages
-          .map((m) => {
-            const tag = m.role === "assistant" ? "assistant_message" : "user_message"
-            return `<${tag}>\n${serializeContent(m.content, tempFiles)}\n</${tag}>`
-          })
-          .join("\n\n")
-        const toolsSection = buildClientToolsPrompt(body.tools)
-        systemPrompt = systemContext
-          ? `${systemContext}${toolsSection}`
-          : toolsSection
-        prompt = conversationParts
-      } else if (messages.length === 1) {
-        // Single message: pass directly as prompt (most common case)
-        systemPrompt = systemContext || undefined
+      if (messages.length === 1) {
+        systemPrompt = ((systemContext || "") + toolsSection).trim() || undefined
         prompt = serializeContent(messages[0]!.content, tempFiles)
       } else {
-        // Multi-turn: build conversation context with XML-delimited turns.
-        // Put prior turns in system prompt as context, last user message as prompt.
         const lastMsg = messages[messages.length - 1]!
         const priorMsgs = messages.slice(0, -1)
 
@@ -465,11 +410,11 @@ export function createProxyServer(config: Partial<ProxyConfig> = {}) {
         const contextSection = contextParts
           ? `\n\n<conversation_history>\n${contextParts}\n</conversation_history>`
           : ""
-        systemPrompt = (baseSystem + contextSection).trim() || undefined
+        systemPrompt = (baseSystem + contextSection + toolsSection).trim() || undefined
         prompt = serializeContent(lastMsg.content, tempFiles)
       }
 
-      claudeLog("proxy.request", { reqId, model, stream, msgs: body.messages?.length, clientToolMode, ...(thinking ? { thinking: thinking.type } : {}), queueActive: requestQueue.activeCount, queueWaiting: requestQueue.waitingCount })
+      claudeLog("proxy.request", { reqId, model, stream, msgs: body.messages?.length, hasTools, ...(thinking ? { thinking: thinking.type } : {}), queueActive: requestQueue.activeCount, queueWaiting: requestQueue.waitingCount })
 
       // Acquire a slot in the concurrency queue — all code after this MUST
       // release via the try/finally blocks in both streaming and non-streaming paths.
@@ -478,18 +423,12 @@ export function createProxyServer(config: Partial<ProxyConfig> = {}) {
       // ── Non-streaming ──────────────────────────────────────────────────────
       if (!stream) {
         let fullText = ""
-        let lastCleanText = ""
         try {
-          for await (const message of query({ prompt, options: buildQueryOptions(model, { partial: false, clientToolMode, systemPrompt, mcpState, abortController, thinking }) })) {
+          for await (const message of query({ prompt, options: buildQueryOptions(model, { partial: false, systemPrompt, abortController, thinking }) })) {
             if (message.type === "assistant") {
               let turnText = ""
-              let hasToolUse = false
               for (const block of message.message.content) {
                 if (block.type === "text") turnText += block.text
-                if (block.type === "tool_use") hasToolUse = true
-              }
-              if (!hasToolUse && turnText) {
-                lastCleanText = turnText
               }
               fullText = turnText
             }
@@ -499,10 +438,8 @@ export function createProxyServer(config: Partial<ProxyConfig> = {}) {
           cleanupTempFiles(tempFiles)
           requestQueue.release()
         }
-        // In agent mode, prefer the last turn that had no tool_use
-        if (!clientToolMode && lastCleanText) fullText = lastCleanText
 
-        if (clientToolMode) {
+        if (hasTools) {
           const { toolCalls, textBefore } = parseToolUse(fullText)
           const content: any[] = []
           if (textBefore) content.push({ type: "text", text: textBefore })
@@ -518,11 +455,8 @@ export function createProxyServer(config: Partial<ProxyConfig> = {}) {
           })
         }
 
-        // If the MCP message tool delivered anything, suppress the proxy's
-        // own text response so the client doesn't double-deliver.
-        if (mcpState.messageSent) fullText = "NO_REPLY"
         if (!fullText || !fullText.trim()) fullText = "..."
-        claudeLog("proxy.response", { reqId, len: fullText.length, messageSent: mcpState.messageSent })
+        claudeLog("proxy.response", { reqId, len: fullText.length })
         return c.json({
           id: generateId("msg_"),
           type: "message", role: "assistant",
@@ -564,11 +498,11 @@ export function createProxyServer(config: Partial<ProxyConfig> = {}) {
               }
             })
 
-            // ── Client tool mode: buffer → emit blocks at end ─────────────
-            if (clientToolMode) {
+            if (hasTools) {
+              // ── With tools: buffer output, parse tool_use blocks at end ──
               let fullText = ""
               try {
-                for await (const message of query({ prompt, options: buildQueryOptions(model, { partial: true, clientToolMode: true, systemPrompt, abortController, thinking }) })) {
+                for await (const message of query({ prompt, options: buildQueryOptions(model, { partial: true, systemPrompt, abortController, thinking }) })) {
                   if (message.type === "stream_event") {
                     const ev = message.event as any
                     if (ev.type === "content_block_delta" && ev.delta?.type === "text_delta") {
@@ -613,17 +547,13 @@ export function createProxyServer(config: Partial<ProxyConfig> = {}) {
               return
             }
 
-            // ── Agent mode: real-time streaming ─────────────────────────
-            // Forward text deltas to the client as they arrive from the SDK.
-            // For single-turn (most chat requests), this gives true token-by-
-            // token streaming. For multi-turn (agent tool use), the client
-            // sees all turns' text streamed in real-time.
+            // ── No tools: stream text deltas directly ─────────────────────
             sse("content_block_start", { type: "content_block_start", index: 0, content_block: { type: "text", text: "" } })
 
             let fullText = ""
             let hasStreamed = false
             try {
-              for await (const message of query({ prompt, options: buildQueryOptions(model, { partial: true, systemPrompt, mcpState, abortController, thinking }) })) {
+              for await (const message of query({ prompt, options: buildQueryOptions(model, { partial: true, systemPrompt, abortController, thinking }) })) {
                 if (message.type === "stream_event") {
                   const ev = message.event as any
                   if (ev.type === "content_block_delta" && ev.delta?.type === "text_delta") {
@@ -643,11 +573,9 @@ export function createProxyServer(config: Partial<ProxyConfig> = {}) {
               releaseQueue()
             }
 
-            claudeLog("proxy.stream.done", { reqId, len: fullText.length, messageSent: mcpState.messageSent })
+            claudeLog("proxy.stream.done", { reqId, len: fullText.length })
 
-            if (mcpState.messageSent) {
-              sse("content_block_delta", { type: "content_block_delta", index: 0, delta: { type: "text_delta", text: "\nNO_REPLY" } })
-            } else if (!hasStreamed) {
+            if (!hasStreamed) {
               sse("content_block_delta", { type: "content_block_delta", index: 0, delta: { type: "text_delta", text: "..." } })
             }