npm - clawmoney - Versions diffs - 0.15.62 → 0.15.64 - Mend

clawmoney 0.15.62 → 0.15.64

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/commands/relay-setup.js +10 -6
package/dist/commands/setup.js +3 -0
package/dist/relay/upstream/claude-api.js +58 -1
package/package.json +1 -1

package/dist/commands/relay-setup.js CHANGED Viewed

@@ -261,6 +261,7 @@ export async function relaySetupCommand() {
         return Promise.all(tasks);
     };
     const registrations = [];
+    const cliSummary = [];
     for (const cli of selectedClis) {
         const allModels = modelsForCli(cli);
         const recommended = (RECOMMENDED_MODELS[cli] ?? []).filter((m) => allModels.includes(m));
@@ -268,7 +269,7 @@ export async function relaySetupCommand() {
             log.warn(`${cli}: no recommended models found — skipping`);
             continue;
         }
-        log.success(`${chalk.bold(cli)}: ${recommended.length} models ${chalk.dim("— " + recommended.join(", "))}`);
+        cliSummary.push(`${chalk.bold(cli)} ${chalk.dim(`(${recommended.length})`)}`);
         for (const model of recommended) {
             const p = API_PRICES[model];
             registrations.push({
@@ -279,6 +280,9 @@ export async function relaySetupCommand() {
             });
         }
     }
+    if (cliSummary.length > 0) {
+        log.success(`Registering: ${cliSummary.join(chalk.dim(" · "))}`);
+    }
     if (registrations.length === 0) {
         cancel("No models selected — nothing to register");
         process.exit(0);
@@ -501,7 +505,7 @@ export async function relaySetupCommand() {
         // Non-fatal: worst case is the daemon preflights extra cli_types,
         // which is annoying but doesn't break anything.
         log.warn(`Could not prune old providers: ${err.message} — ` +
-            `run \`clawmoney relay status\` and clean manually if needed`);
+            `run \`npx clawmoney relay status\` and clean manually if needed`);
     }
     // ── Step 8: auto-start the daemon ──
     //
@@ -527,10 +531,10 @@ export async function relaySetupCommand() {
     // instead of 6.
     log.message(chalk.dim("Next:") +
         "\n" +
-        `  ${chalk.cyan("clawmoney relay status")}   daemon + provider list\n` +
-        `  ${chalk.cyan("clawmoney relay logs")}     tail daemon log\n` +
-        `  ${chalk.cyan("clawmoney wallet balance")} on-chain + relay earnings\n` +
-        `  ${chalk.cyan("clawmoney relay stop")}     stop daemon`);
+        `  ${chalk.cyan("npx clawmoney relay status")}   daemon + provider list\n` +
+        `  ${chalk.cyan("npx clawmoney relay logs")}     tail daemon log\n` +
+        `  ${chalk.cyan("npx clawmoney wallet balance")} on-chain + relay earnings\n` +
+        `  ${chalk.cyan("npx clawmoney relay stop")}     stop daemon`);
     const cliLabel = uniqueClis.length === 1
         ? `${uniqueClis[0]} daemon running`
         : `daemon serving ${uniqueClis.join(" + ")}`;

package/dist/commands/setup.js CHANGED Viewed

@@ -179,6 +179,9 @@ export async function setupCommand() {
         if (!checkData.exists || agentStatus === 'UNCLAIMED') {
             // Step 6: Register new agent
             agentSpinner.text = 'Registering agent...';
+            // Backend generates the anonymous provider slug from email hash
+            // — we deliberately do NOT send a name here so users can't pick
+            // something that leaks PII.
             const registerBody = { email };
             if (walletAddress) {
                 registerBody.wallet_address = walletAddress;

package/dist/relay/upstream/claude-api.js CHANGED Viewed

@@ -519,6 +519,38 @@ async function refreshUpstreamToken(refreshToken) {
 let cachedCreds = null;
 let refreshInflight = null;
 const REFRESH_SKEW_MS = 3 * 60 * 1000;
+// ── Auth-broken circuit breaker ─────────────────────────────────────────
+//
+// If Anthropic's OAuth refresh endpoint rejects our refresh_token as
+// invalid (400 invalid_grant, 401, 403 "Request not allowed", etc.),
+// that's a persistent condition — the token is not going to start
+// working again on its own. Every subsequent buyer request would burn
+// another refresh attempt on Anthropic, which looks like brute-forcing
+// from their anti-abuse side and risks getting the provider's account
+// flagged.
+//
+// Cache the "broken" state for AUTH_BROKEN_CACHE_MS. During that window
+// ALL calls to getFreshCreds() short-circuit with the cached error
+// WITHOUT hitting Anthropic. After the window expires we allow exactly
+// one probe refresh — if it succeeds, we're unbroken; if it fails
+// again, the window is extended by another interval.
+//
+// Transient 5xx responses are NOT cached — those are "maybe the server
+// is having a moment" and worth retrying. Only 4xx "no, really, the
+// token is bad" responses trip the breaker.
+const AUTH_BROKEN_CACHE_MS = 5 * 60 * 1000;
+let authBrokenUntilMs = 0;
+let authBrokenError = null;
+function isAuthBrokenError(err) {
+    const msg = err.message.toLowerCase();
+    // Matches messages produced by refreshUpstreamToken:
+    //   "Token refresh failed: 400 ...invalid_grant..."
+    //   "Token refresh failed: 401 ..."
+    //   "Token refresh failed: 403 ...Request not allowed..."
+    return (msg.includes("invalid_grant") ||
+        msg.includes("request not allowed") ||
+        /token refresh failed:\s*40[0134]/.test(msg));
+}
 async function doRefreshAndPersist(current) {
     logger.info("[claude-api] refreshing OAuth token...");
     const fresh = await refreshUpstreamToken(current.refreshToken);
@@ -569,6 +601,14 @@ async function doRefreshAndPersist(current) {
     return next;
 }
 async function getFreshCreds() {
+    // Circuit breaker: if the OAuth endpoint is known-broken for this
+    // daemon, throw the cached error immediately without touching
+    // Anthropic again. This is what keeps a retry storm from burning
+    // one refresh attempt per buyer request and getting the account
+    // flagged.
+    if (authBrokenUntilMs && Date.now() < authBrokenUntilMs && authBrokenError) {
+        throw authBrokenError;
+    }
     if (!cachedCreds) {
         cachedCreds = loadClaudeOAuth();
     }
@@ -582,7 +622,24 @@ async function getFreshCreds() {
             refreshInflight = null;
         });
     }
-    cachedCreds = await refreshInflight;
+    try {
+        cachedCreds = await refreshInflight;
+    }
+    catch (err) {
+        const e = err;
+        if (isAuthBrokenError(e)) {
+            authBrokenUntilMs = Date.now() + AUTH_BROKEN_CACHE_MS;
+            authBrokenError = e;
+            logger.error(`[claude-api] OAuth refresh rejected by Anthropic — caching auth-broken state for ${AUTH_BROKEN_CACHE_MS / 1000}s. Subsequent requests will fail fast without hitting the OAuth endpoint. Fix: re-login with 'claude /login' and restart the daemon. Root cause: ${e.message.slice(0, 200)}`);
+        }
+        throw err;
+    }
+    // Successful refresh — clear any cached broken state.
+    if (authBrokenUntilMs) {
+        authBrokenUntilMs = 0;
+        authBrokenError = null;
+        logger.info("[claude-api] OAuth refresh recovered — auth-broken cache cleared");
+    }
     return cachedCreds;
 }
 // ── Version drift check ──

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "clawmoney",
-  "version": "0.15.62",
+  "version": "0.15.64",
   "description": "ClawMoney CLI -- Earn rewards with your AI agent",
   "type": "module",
   "bin": {