npm - mtrx-cli - Versions diffs - 0.1.0 → 0.1.2 - Mend

mtrx-cli 0.1.0 → 0.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/package.json +1 -1
package/src/matrx/cli/launcher.py +152 -51
package/src/matrx/cli/main.py +103 -0

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "mtrx-cli",
-  "version": "0.1.0",
+  "version": "0.1.2",
   "description": "MATRX CLI for routing Codex and Claude through Matrx",
   "homepage": "https://mtrx.so",
   "repository": {

package/src/matrx/cli/launcher.py CHANGED Viewed

@@ -3,6 +3,7 @@ from __future__ import annotations
 import base64
 import hashlib
 import datetime as dt
+import httpx
 import json
 import os
 import platform
@@ -123,7 +124,7 @@ def build_launch_plan(
         raise ValueError(f"{tool} executable not found in PATH")
     route = resolve_route(state, tool, route_override)
-    env = dict(base_env or os.environ)
+    env = dict(os.environ if base_env is None else base_env)
     auth_source = ""
     launch_args = list(passthrough_args or [])
@@ -164,11 +165,17 @@ def prepare_routed_setup(
     """
     route = resolve_route(state, tool, route_override)
     changed = False
-    env = dict(base_env or os.environ)
+    env = dict(os.environ if base_env is None else base_env)
     if route == "matrx" and _ensure_matrx_auth(state, env=env):
         changed = True
     if route == "matrx" and _persist_workspace_binding_from_env(state, env):
         changed = True
+    if route == "matrx" and tool == "claude":
+        mx_key, _ = _resolve_matrx_route_key(state, env)
+        if _approve_claude_custom_api_key(mx_key):
+            changed = True
+        if _sync_claude_subscription_to_matrx(state, env):
+            changed = True
     if _sync_tool_route_config(state, tool=tool, route=route):
         changed = True
@@ -200,6 +207,10 @@ def claude_settings_path() -> Path:
     return Path.home() / ".claude" / "settings.json"
+def claude_state_path() -> Path:
+    return Path.home() / ".claude.json"
 def codex_config_path() -> Path:
     return Path.home() / ".codex" / "config.toml"
@@ -247,6 +258,102 @@ def read_codex_access_token() -> str | None:
     return token.strip()
+def _read_claude_app_state() -> dict:
+    path = claude_state_path()
+    if not path.exists():
+        return {}
+    try:
+        data = json.loads(path.read_text(encoding="utf-8"))
+    except (json.JSONDecodeError, OSError):
+        return {}
+    return data if isinstance(data, dict) else {}
+def _write_claude_app_state(data: dict) -> None:
+    path = claude_state_path()
+    path.parent.mkdir(parents=True, exist_ok=True)
+    path.write_text(json.dumps(data, indent=2) + "\n", encoding="utf-8")
+def _approve_claude_custom_api_key(raw_key: str) -> bool:
+    if not raw_key:
+        return False
+    state = _read_claude_app_state()
+    custom = state.setdefault("customApiKeyResponses", {})
+    approved = custom.get("approved")
+    rejected = custom.get("rejected")
+    if not isinstance(approved, list):
+        approved = []
+    if not isinstance(rejected, list):
+        rejected = []
+    changed = False
+    if raw_key not in approved:
+        approved.append(raw_key)
+        changed = True
+    if raw_key in rejected:
+        rejected = [value for value in rejected if value != raw_key]
+        changed = True
+    if not changed:
+        return False
+    custom["approved"] = approved
+    custom["rejected"] = rejected
+    _write_claude_app_state(state)
+    return True
+def _resolve_claude_subscription_token(state: dict) -> str:
+    token = (read_claude_oauth_token() or "").strip()
+    if token:
+        return token
+    return (state.get("auth", {}).get("claude_code", {}).get("oauth_token") or "").strip()
+def _sync_claude_subscription_to_matrx(state: dict, env: dict[str, str]) -> bool:
+    token = _resolve_claude_subscription_token(state)
+    if not token:
+        return False
+    mx_key, _ = _resolve_matrx_route_key(state, env)
+    if not mx_key:
+        return False
+    auth_cfg = state.setdefault("auth", {}).setdefault("claude_code", {})
+    token_fp = _fingerprint_secret(token)
+    key_fp = _fingerprint_secret(mx_key)
+    base_url = ensure_root_url(state.get("auth", {}).get("matrx", {}).get("base_url"))
+    if (
+        auth_cfg.get("server_synced_token_fingerprint") == token_fp
+        and auth_cfg.get("server_synced_matrx_key_fingerprint") == key_fp
+        and auth_cfg.get("server_synced_base_url") == base_url
+    ):
+        return False
+    try:
+        with httpx.Client(timeout=15) as client:
+            response = client.post(
+                f"{base_url.rstrip('/')}/v1/subscriptions/claude-code",
+                headers={
+                    "X-Matrx-Key": mx_key,
+                    "Content-Type": "application/json",
+                },
+                json={"token": token},
+            )
+        response.raise_for_status()
+    except httpx.HTTPError:
+        return False
+    auth_cfg["server_synced_token_fingerprint"] = token_fp
+    auth_cfg["server_synced_matrx_key_fingerprint"] = key_fp
+    auth_cfg["server_synced_base_url"] = base_url
+    auth_cfg["server_synced_at"] = dt.datetime.now(dt.timezone.utc).isoformat()
+    return True
 def _resolve_matrx_route_key(
     state: dict,
     env: dict[str, str],
@@ -372,8 +479,8 @@ def _build_claude_env(
 ) -> tuple[dict[str, str], str]:
     matrx = state["auth"]["matrx"]
     anthropic = state["auth"]["anthropic"]
-    # Claude Code gateway uses the root URL, not a /v1-suffixed base.
-    proxy_base = ensure_root_url(matrx.get("base_url"))
+    proxy_root = ensure_root_url(matrx.get("base_url"))
+    proxy_base = ensure_v1_url(matrx.get("base_url"))
     mx_key, matrx_auth_source = _resolve_matrx_route_key(state, env)
     direct_key = (anthropic.get("key") or "").strip()
@@ -381,10 +488,11 @@ def _build_claude_env(
         if not mx_key:
             raise ValueError("No Matrx key available. Run: mtrx login matrx --key mx_... or set MTRX_KEY")
         env.pop("MTRX_KEY", None)
-        env["MATRX_BASE_URL"] = proxy_base
+        env.pop("MATRX_CLAUDE_MODE", None)
+        env["MATRX_BASE_URL"] = proxy_root
         env["MATRX_API_KEY"] = mx_key
-        # Claude Code gateway uses root URL, not /v1
         env["ANTHROPIC_BASE_URL"] = proxy_base
+        env["ANTHROPIC_API_KEY"] = mx_key
         group_id, project_id = _resolve_matrx_context_overrides(state, env)
         session_id = str(uuid.uuid4())
         # Evolutionary scaffolding: env snapshot for AI context injection
@@ -392,7 +500,6 @@ def _build_claude_env(
         env_b64 = base64.b64encode(json.dumps(env_snap).encode()).decode() if env_snap else ""
         custom_headers = "\n".join(
             [
-                f"x-matrx-key: {mx_key}",
                 "x-matrx-agent-id: claude-cli",
                 "x-matrx-provider: claude_code",
                 f"x-matrx-session-id: {session_id}",
@@ -404,33 +511,34 @@ def _build_claude_env(
             custom_headers += f"\nx-matrx-project-id: {project_id}"
         if env_b64:
             custom_headers += f"\nx-matrx-env: {env_b64}"
-        # Always send the matrx key via ANTHROPIC_CUSTOM_HEADERS so it arrives on
-        # the dedicated X-Matrx-Key header. This keeps the Authorization slot free
-        # for the real Anthropic credential (OAuth token or API key) so the proxy can
-        # forward it to Anthropic without confusing the matrx key with a provider key.
         env["ANTHROPIC_CUSTOM_HEADERS"] = custom_headers
         env.pop("ANTHROPIC_AUTH_TOKEN", None)
-        if _claude_uses_oauth(state):
-            # OAuth token flows through natively via Authorization: Bearer sk-ant-oat01-*
-            env.pop("ANTHROPIC_API_KEY", None)
-        else:
-            # Non-OAuth: if a saved Anthropic API key is available, set it so the SDK
-            # sends x-api-key to the proxy and the proxy can forward it upstream.
-            # If no key is saved, the proxy will fall back to the org vault.
-            if direct_key:
-                env["ANTHROPIC_API_KEY"] = direct_key
-            else:
-                env.pop("ANTHROPIC_API_KEY", None)
         return env, matrx_auth_source
     # Direct route: clear any matrx-managed env vars
     env.pop("MTRX_KEY", None)
-    _clear_if_matches(env, "ANTHROPIC_BASE_URL", proxy_base)
-    _clear_if_matches(env, "ANTHROPIC_API_KEY", mx_key)
-    _clear_if_matches(env, "ANTHROPIC_AUTH_TOKEN", mx_key)
-    custom_headers = env.get("ANTHROPIC_CUSTOM_HEADERS", "")
-    if mx_key and mx_key in custom_headers:
+    env.pop("MATRX_CLAUDE_MODE", None)
+    env.pop("MATRX_BASE_URL", None)
+    env.pop("MATRX_API_KEY", None)
+    for candidate in {proxy_root, proxy_base}:
+        _clear_if_matches(env, "ANTHROPIC_BASE_URL", candidate)
+    anthropic_api_key = (env.get("ANTHROPIC_API_KEY") or "").strip()
+    if anthropic_api_key.startswith("mx_") or anthropic_api_key == mx_key:
+        env.pop("ANTHROPIC_API_KEY", None)
+    anthropic_auth_token = (env.get("ANTHROPIC_AUTH_TOKEN") or "").strip()
+    if (
+        anthropic_auth_token == mx_key
+        or anthropic_auth_token.startswith("mx_")
+        or anthropic_auth_token.lower().startswith("bearer mx_")
+    ):
+        env.pop("ANTHROPIC_AUTH_TOKEN", None)
+    custom_headers = (env.get("ANTHROPIC_CUSTOM_HEADERS") or "").strip()
+    if "x-matrx-" in custom_headers.lower():
         env.pop("ANTHROPIC_CUSTOM_HEADERS", None)
     if claude_oauth_available():
         return env, "local_claude_oauth"
     if env.get("ANTHROPIC_API_KEY"):
@@ -450,11 +558,12 @@ def _validate_claude_launch_plan(plan: LaunchPlan, state: dict) -> None:
         return
     base_url = (plan.env.get("ANTHROPIC_BASE_URL") or "").strip()
+    expected_base_url = ensure_v1_url(state.get("auth", {}).get("matrx", {}).get("base_url"))
     if not base_url:
         raise ValueError("Claude Matrx route is missing ANTHROPIC_BASE_URL")
-    if base_url.endswith("/v1"):
+    if base_url != expected_base_url:
         raise ValueError(
-            "Claude Matrx route must use the gateway root base URL, not a /v1 URL. "
+            "Claude Matrx route must use the Matrx /v1 base URL. "
             f"Got: {base_url}"
         )
@@ -462,27 +571,24 @@ def _validate_claude_launch_plan(plan: LaunchPlan, state: dict) -> None:
     if not mx_key.startswith("mx_"):
         raise ValueError("Claude Matrx route is missing a valid MATRX_API_KEY")
-    # All routes use ANTHROPIC_CUSTOM_HEADERS for matrx key delivery so that
-    # the Authorization slot remains free for the real Anthropic credential.
+    anthropic_key = (plan.env.get("ANTHROPIC_API_KEY") or "").strip()
+    if anthropic_key != mx_key:
+        raise ValueError("Claude Matrx route must set ANTHROPIC_API_KEY to the same mx_ key as MATRX_API_KEY")
     custom_headers = (plan.env.get("ANTHROPIC_CUSTOM_HEADERS") or "").strip()
-    if not custom_headers or mx_key not in custom_headers:
-        raise ValueError("Claude Matrx route is missing ANTHROPIC_CUSTOM_HEADERS with the Matrx key")
+    if not custom_headers:
+        raise ValueError("Claude Matrx route is missing ANTHROPIC_CUSTOM_HEADERS")
     lowered_headers = custom_headers.lower()
     if "x-matrx-session-id:" not in lowered_headers:
         raise ValueError("Claude Matrx route is missing ANTHROPIC_CUSTOM_HEADERS with X-Matrx-Session-Id")
     if "x-matrx-provider: claude_code" not in lowered_headers:
         raise ValueError("Claude Matrx route is missing ANTHROPIC_CUSTOM_HEADERS with X-Matrx-Provider=claude_code")
+    if "x-matrx-agent-id: claude-cli" not in lowered_headers:
+        raise ValueError("Claude Matrx route is missing ANTHROPIC_CUSTOM_HEADERS with X-Matrx-Agent-Id=claude-cli")
     if plan.env.get("ANTHROPIC_AUTH_TOKEN"):
         raise ValueError("Claude Matrx route should not set ANTHROPIC_AUTH_TOKEN")
-    if _claude_uses_oauth(state):
-        oauth_token = read_claude_oauth_token() or (state.get("auth", {}).get("claude_code", {}).get("oauth_token") or "").strip()
-        if not oauth_token:
-            raise ValueError("Claude OAuth was selected but no Claude OAuth token is available. Run: mtrx login claude-code --import")
-        if plan.env.get("ANTHROPIC_API_KEY"):
-            raise ValueError("Claude Matrx OAuth route should not set ANTHROPIC_API_KEY")
 def _validate_codex_launch_plan(plan: LaunchPlan, state: dict) -> None:
     if plan.route != "matrx":
@@ -531,16 +637,18 @@ def describe_launch_plan(plan: LaunchPlan, state: dict) -> list[str]:
         ]
     if plan.tool == "claude":
-        base_url = ensure_root_url(state.get("auth", {}).get("matrx", {}).get("base_url"))
+        base_url = ensure_v1_url(state.get("auth", {}).get("matrx", {}).get("base_url"))
         custom_headers = (plan.env.get("ANTHROPIC_CUSTOM_HEADERS") or "").strip()
-        api_key_present = bool((plan.env.get("ANTHROPIC_API_KEY") or "").strip())
+        anthropic_key = (plan.env.get("ANTHROPIC_API_KEY") or "").strip()
         return [
             "Launching claude via Matrx",
             f"  base_url: {base_url or DEFAULT_MATRX_BASE_URL}",
             f"  auth_source: {plan.auth_source}",
-            f"  oauth_mode: {_claude_uses_oauth(state)}",
             f"  custom_headers_present: {bool(custom_headers)}",
-            f"  api_key_present: {api_key_present}",
+            f"  proxy_key_present: {anthropic_key.startswith('mx_')}",
+            f"  subscription_token_available: {bool(_resolve_claude_subscription_token(state))}",
+            "  runtime_route: env injection",
+            "  persistent_route: disabled",
         ]
     return []
@@ -594,13 +702,6 @@ def _clear_if_matches(env: dict[str, str], key: str, expected: str) -> None:
         env.pop(key, None)
-def _claude_uses_oauth(state: dict) -> bool:
-    if read_claude_oauth_token():
-        return True
-    imported = (state.get("auth", {}).get("claude_code", {}).get("oauth_token") or "").strip()
-    return bool(imported)
 def _sync_tool_route_config(state: dict, *, tool: str, route: str) -> bool:
     if tool == "claude":
         return _cleanup_claude_managed_config(state)

package/src/matrx/cli/main.py CHANGED Viewed

@@ -10,6 +10,8 @@ import threading
 import urllib.parse
 import webbrowser
+import httpx
 from matrx.cli.launcher import (
     prepare_routed_setup,
     build_launch_plan,
@@ -52,6 +54,8 @@ def main(argv: list[str] | None = None) -> int:
         return _cmd_status()
     if args.command == "doctor":
         return _cmd_doctor()
+    if args.command == "personal":
+        return _cmd_personal(args)
     if args.command in {"codex", "claude"}:
         return _cmd_launch(args.command, args.route, remainder)
@@ -79,6 +83,11 @@ def _build_parser() -> argparse.ArgumentParser:
     subparsers.add_parser("status")
     subparsers.add_parser("doctor")
+    personal = subparsers.add_parser("personal")
+    personal_subparsers = personal.add_subparsers(dest="personal_command")
+    optimize = personal_subparsers.add_parser("optimize")
+    optimize.add_argument("mode", choices=["on", "off", "status"])
     codex = subparsers.add_parser("codex")
     codex.add_argument("--route", choices=["direct", "matrx"])
@@ -379,6 +388,100 @@ def _cmd_status() -> int:
     return 0
+def _personal_matrx_key(state: dict) -> str:
+    return (state.get("auth", {}).get("matrx", {}).get("key") or "").strip()
+def _matrx_api_json(
+    state: dict,
+    *,
+    method: str,
+    path: str,
+    key: str,
+    json_body: dict | None = None,
+) -> dict:
+    base_url = ensure_root_url(state.get("auth", {}).get("matrx", {}).get("base_url"))
+    url = f"{base_url.rstrip('/')}/v1{path}"
+    headers = {"X-Matrx-Key": key}
+    if json_body is not None:
+        headers["Content-Type"] = "application/json"
+    try:
+        with httpx.Client(timeout=15) as client:
+            response = client.request(method, url, headers=headers, json=json_body)
+    except httpx.HTTPError as exc:
+        raise ValueError(f"Matrx API request failed: {exc}") from exc
+    if response.status_code >= 400:
+        detail = response.text.strip() or response.reason_phrase
+        raise ValueError(f"Matrx API error ({response.status_code}) for {path}: {detail}")
+    if response.status_code == 204 or not response.content:
+        return {}
+    return response.json()
+def _resolve_personal_policy_target(state: dict, *, key: str) -> tuple[dict, dict]:
+    context = _matrx_api_json(state, method="GET", path="/auth/context", key=key)
+    project_id = (context.get("project_id") or "").strip()
+    group_id = (context.get("group_id") or "").strip()
+    if not project_id:
+        raise ValueError("Saved Matrx key is not project-scoped; personal optimization is unavailable")
+    if not group_id:
+        raise ValueError("No default personal group found for the current Matrx project")
+    group = _matrx_api_json(state, method="GET", path=f"/groups/{group_id}", key=key)
+    policy_id = (group.get("policy_id") or "").strip()
+    if not policy_id:
+        raise ValueError("Default personal group has no optimization policy attached")
+    policy = _matrx_api_json(state, method="GET", path=f"/policies/{policy_id}", key=key)
+    return context, policy
+def _cmd_personal_optimize(args) -> int:
+    state = load_state()
+    key = _personal_matrx_key(state)
+    if not key:
+        print("Personal Matrx login required. Run: mtrx login matrx", file=sys.stderr)
+        return 1
+    try:
+        context, policy = _resolve_personal_policy_target(state, key=key)
+        mode = args.mode
+        if mode == "status":
+            print(f"Personal optimization: {policy.get('mode', 'unknown')}")
+            print(f"  project: {context.get('project_id') or '-'}")
+            print(f"  group: {context.get('group_id') or '-'}")
+            print(f"  policy: {policy.get('id') or '-'}")
+            return 0
+        target_mode = "optimize" if mode == "on" else "observe"
+        updated = _matrx_api_json(
+            state,
+            method="PATCH",
+            path=f"/policies/{policy['id']}",
+            key=key,
+            json_body={"mode": target_mode},
+        )
+    except ValueError as exc:
+        print(str(exc), file=sys.stderr)
+        return 1
+    print(f"Personal optimization: {updated.get('mode', target_mode)}")
+    print(f"  project: {context.get('project_id') or '-'}")
+    print(f"  group: {context.get('group_id') or '-'}")
+    print(f"  policy: {updated.get('id') or policy.get('id') or '-'}")
+    return 0
+def _cmd_personal(args) -> int:
+    if args.personal_command == "optimize":
+        return _cmd_personal_optimize(args)
+    print("Use: mtrx personal optimize <on|off|status>", file=sys.stderr)
+    return 1
 def _cmd_doctor() -> int:
     state = load_state()
     failures = 0