npm - mtrx-cli - Versions diffs - 0.1.1 → 0.1.2 - Mend

mtrx-cli 0.1.1 → 0.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/package.json +1 -1
package/src/matrx/cli/launcher.py +150 -56

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "mtrx-cli",
-  "version": "0.1.1",
+  "version": "0.1.2",
   "description": "MATRX CLI for routing Codex and Claude through Matrx",
   "homepage": "https://mtrx.so",
   "repository": {

package/src/matrx/cli/launcher.py CHANGED Viewed

@@ -3,6 +3,7 @@ from __future__ import annotations
 import base64
 import hashlib
 import datetime as dt
+import httpx
 import json
 import os
 import platform
@@ -169,6 +170,12 @@ def prepare_routed_setup(
         changed = True
     if route == "matrx" and _persist_workspace_binding_from_env(state, env):
         changed = True
+    if route == "matrx" and tool == "claude":
+        mx_key, _ = _resolve_matrx_route_key(state, env)
+        if _approve_claude_custom_api_key(mx_key):
+            changed = True
+        if _sync_claude_subscription_to_matrx(state, env):
+            changed = True
     if _sync_tool_route_config(state, tool=tool, route=route):
         changed = True
@@ -200,6 +207,10 @@ def claude_settings_path() -> Path:
     return Path.home() / ".claude" / "settings.json"
+def claude_state_path() -> Path:
+    return Path.home() / ".claude.json"
 def codex_config_path() -> Path:
     return Path.home() / ".codex" / "config.toml"
@@ -247,6 +258,102 @@ def read_codex_access_token() -> str | None:
     return token.strip()
+def _read_claude_app_state() -> dict:
+    path = claude_state_path()
+    if not path.exists():
+        return {}
+    try:
+        data = json.loads(path.read_text(encoding="utf-8"))
+    except (json.JSONDecodeError, OSError):
+        return {}
+    return data if isinstance(data, dict) else {}
+def _write_claude_app_state(data: dict) -> None:
+    path = claude_state_path()
+    path.parent.mkdir(parents=True, exist_ok=True)
+    path.write_text(json.dumps(data, indent=2) + "\n", encoding="utf-8")
+def _approve_claude_custom_api_key(raw_key: str) -> bool:
+    if not raw_key:
+        return False
+    state = _read_claude_app_state()
+    custom = state.setdefault("customApiKeyResponses", {})
+    approved = custom.get("approved")
+    rejected = custom.get("rejected")
+    if not isinstance(approved, list):
+        approved = []
+    if not isinstance(rejected, list):
+        rejected = []
+    changed = False
+    if raw_key not in approved:
+        approved.append(raw_key)
+        changed = True
+    if raw_key in rejected:
+        rejected = [value for value in rejected if value != raw_key]
+        changed = True
+    if not changed:
+        return False
+    custom["approved"] = approved
+    custom["rejected"] = rejected
+    _write_claude_app_state(state)
+    return True
+def _resolve_claude_subscription_token(state: dict) -> str:
+    token = (read_claude_oauth_token() or "").strip()
+    if token:
+        return token
+    return (state.get("auth", {}).get("claude_code", {}).get("oauth_token") or "").strip()
+def _sync_claude_subscription_to_matrx(state: dict, env: dict[str, str]) -> bool:
+    token = _resolve_claude_subscription_token(state)
+    if not token:
+        return False
+    mx_key, _ = _resolve_matrx_route_key(state, env)
+    if not mx_key:
+        return False
+    auth_cfg = state.setdefault("auth", {}).setdefault("claude_code", {})
+    token_fp = _fingerprint_secret(token)
+    key_fp = _fingerprint_secret(mx_key)
+    base_url = ensure_root_url(state.get("auth", {}).get("matrx", {}).get("base_url"))
+    if (
+        auth_cfg.get("server_synced_token_fingerprint") == token_fp
+        and auth_cfg.get("server_synced_matrx_key_fingerprint") == key_fp
+        and auth_cfg.get("server_synced_base_url") == base_url
+    ):
+        return False
+    try:
+        with httpx.Client(timeout=15) as client:
+            response = client.post(
+                f"{base_url.rstrip('/')}/v1/subscriptions/claude-code",
+                headers={
+                    "X-Matrx-Key": mx_key,
+                    "Content-Type": "application/json",
+                },
+                json={"token": token},
+            )
+        response.raise_for_status()
+    except httpx.HTTPError:
+        return False
+    auth_cfg["server_synced_token_fingerprint"] = token_fp
+    auth_cfg["server_synced_matrx_key_fingerprint"] = key_fp
+    auth_cfg["server_synced_base_url"] = base_url
+    auth_cfg["server_synced_at"] = dt.datetime.now(dt.timezone.utc).isoformat()
+    return True
 def _resolve_matrx_route_key(
     state: dict,
     env: dict[str, str],
@@ -372,20 +479,20 @@ def _build_claude_env(
 ) -> tuple[dict[str, str], str]:
     matrx = state["auth"]["matrx"]
     anthropic = state["auth"]["anthropic"]
-    # Claude Code gateway uses the root URL, not a /v1-suffixed base.
-    proxy_base = ensure_root_url(matrx.get("base_url"))
+    proxy_root = ensure_root_url(matrx.get("base_url"))
+    proxy_base = ensure_v1_url(matrx.get("base_url"))
     mx_key, matrx_auth_source = _resolve_matrx_route_key(state, env)
     direct_key = (anthropic.get("key") or "").strip()
-    oauth_mode = _claude_effective_oauth_mode(state, env)
     if route == "matrx":
         if not mx_key:
             raise ValueError("No Matrx key available. Run: mtrx login matrx --key mx_... or set MTRX_KEY")
         env.pop("MTRX_KEY", None)
-        env["MATRX_BASE_URL"] = proxy_base
+        env.pop("MATRX_CLAUDE_MODE", None)
+        env["MATRX_BASE_URL"] = proxy_root
         env["MATRX_API_KEY"] = mx_key
-        # Claude Code gateway uses root URL, not /v1
         env["ANTHROPIC_BASE_URL"] = proxy_base
+        env["ANTHROPIC_API_KEY"] = mx_key
         group_id, project_id = _resolve_matrx_context_overrides(state, env)
         session_id = str(uuid.uuid4())
         # Evolutionary scaffolding: env snapshot for AI context injection
@@ -393,7 +500,6 @@ def _build_claude_env(
         env_b64 = base64.b64encode(json.dumps(env_snap).encode()).decode() if env_snap else ""
         custom_headers = "\n".join(
             [
-                f"x-matrx-key: {mx_key}",
                 "x-matrx-agent-id: claude-cli",
                 "x-matrx-provider: claude_code",
                 f"x-matrx-session-id: {session_id}",
@@ -405,33 +511,34 @@ def _build_claude_env(
             custom_headers += f"\nx-matrx-project-id: {project_id}"
         if env_b64:
             custom_headers += f"\nx-matrx-env: {env_b64}"
-        # Always send the matrx key via ANTHROPIC_CUSTOM_HEADERS so it arrives on
-        # the dedicated X-Matrx-Key header. This keeps the Authorization slot free
-        # for the real Anthropic credential (OAuth token or API key) so the proxy can
-        # forward it to Anthropic without confusing the matrx key with a provider key.
         env["ANTHROPIC_CUSTOM_HEADERS"] = custom_headers
         env.pop("ANTHROPIC_AUTH_TOKEN", None)
-        if oauth_mode:
-            # OAuth token flows through natively via Authorization: Bearer sk-ant-oat01-*
-            env.pop("ANTHROPIC_API_KEY", None)
-        else:
-            # Non-OAuth: if a saved Anthropic API key is available, set it so the SDK
-            # sends x-api-key to the proxy and the proxy can forward it upstream.
-            # If no key is saved, the proxy will fall back to the org vault.
-            if direct_key:
-                env["ANTHROPIC_API_KEY"] = direct_key
-            else:
-                env.pop("ANTHROPIC_API_KEY", None)
         return env, matrx_auth_source
     # Direct route: clear any matrx-managed env vars
     env.pop("MTRX_KEY", None)
-    _clear_if_matches(env, "ANTHROPIC_BASE_URL", proxy_base)
-    _clear_if_matches(env, "ANTHROPIC_API_KEY", mx_key)
-    _clear_if_matches(env, "ANTHROPIC_AUTH_TOKEN", mx_key)
-    custom_headers = env.get("ANTHROPIC_CUSTOM_HEADERS", "")
-    if mx_key and mx_key in custom_headers:
+    env.pop("MATRX_CLAUDE_MODE", None)
+    env.pop("MATRX_BASE_URL", None)
+    env.pop("MATRX_API_KEY", None)
+    for candidate in {proxy_root, proxy_base}:
+        _clear_if_matches(env, "ANTHROPIC_BASE_URL", candidate)
+    anthropic_api_key = (env.get("ANTHROPIC_API_KEY") or "").strip()
+    if anthropic_api_key.startswith("mx_") or anthropic_api_key == mx_key:
+        env.pop("ANTHROPIC_API_KEY", None)
+    anthropic_auth_token = (env.get("ANTHROPIC_AUTH_TOKEN") or "").strip()
+    if (
+        anthropic_auth_token == mx_key
+        or anthropic_auth_token.startswith("mx_")
+        or anthropic_auth_token.lower().startswith("bearer mx_")
+    ):
+        env.pop("ANTHROPIC_AUTH_TOKEN", None)
+    custom_headers = (env.get("ANTHROPIC_CUSTOM_HEADERS") or "").strip()
+    if "x-matrx-" in custom_headers.lower():
         env.pop("ANTHROPIC_CUSTOM_HEADERS", None)
     if claude_oauth_available():
         return env, "local_claude_oauth"
     if env.get("ANTHROPIC_API_KEY"):
@@ -451,11 +558,12 @@ def _validate_claude_launch_plan(plan: LaunchPlan, state: dict) -> None:
         return
     base_url = (plan.env.get("ANTHROPIC_BASE_URL") or "").strip()
+    expected_base_url = ensure_v1_url(state.get("auth", {}).get("matrx", {}).get("base_url"))
     if not base_url:
         raise ValueError("Claude Matrx route is missing ANTHROPIC_BASE_URL")
-    if base_url.endswith("/v1"):
+    if base_url != expected_base_url:
         raise ValueError(
-            "Claude Matrx route must use the gateway root base URL, not a /v1 URL. "
+            "Claude Matrx route must use the Matrx /v1 base URL. "
             f"Got: {base_url}"
         )
@@ -463,24 +571,24 @@ def _validate_claude_launch_plan(plan: LaunchPlan, state: dict) -> None:
     if not mx_key.startswith("mx_"):
         raise ValueError("Claude Matrx route is missing a valid MATRX_API_KEY")
-    # All routes use ANTHROPIC_CUSTOM_HEADERS for matrx key delivery so that
-    # the Authorization slot remains free for the real Anthropic credential.
+    anthropic_key = (plan.env.get("ANTHROPIC_API_KEY") or "").strip()
+    if anthropic_key != mx_key:
+        raise ValueError("Claude Matrx route must set ANTHROPIC_API_KEY to the same mx_ key as MATRX_API_KEY")
     custom_headers = (plan.env.get("ANTHROPIC_CUSTOM_HEADERS") or "").strip()
-    if not custom_headers or mx_key not in custom_headers:
-        raise ValueError("Claude Matrx route is missing ANTHROPIC_CUSTOM_HEADERS with the Matrx key")
+    if not custom_headers:
+        raise ValueError("Claude Matrx route is missing ANTHROPIC_CUSTOM_HEADERS")
     lowered_headers = custom_headers.lower()
     if "x-matrx-session-id:" not in lowered_headers:
         raise ValueError("Claude Matrx route is missing ANTHROPIC_CUSTOM_HEADERS with X-Matrx-Session-Id")
     if "x-matrx-provider: claude_code" not in lowered_headers:
         raise ValueError("Claude Matrx route is missing ANTHROPIC_CUSTOM_HEADERS with X-Matrx-Provider=claude_code")
+    if "x-matrx-agent-id: claude-cli" not in lowered_headers:
+        raise ValueError("Claude Matrx route is missing ANTHROPIC_CUSTOM_HEADERS with X-Matrx-Agent-Id=claude-cli")
     if plan.env.get("ANTHROPIC_AUTH_TOKEN"):
         raise ValueError("Claude Matrx route should not set ANTHROPIC_AUTH_TOKEN")
-    if _claude_effective_oauth_mode(state, plan.env):
-        if plan.env.get("ANTHROPIC_API_KEY"):
-            raise ValueError("Claude Matrx OAuth route should not set ANTHROPIC_API_KEY")
 def _validate_codex_launch_plan(plan: LaunchPlan, state: dict) -> None:
     if plan.route != "matrx":
@@ -529,16 +637,18 @@ def describe_launch_plan(plan: LaunchPlan, state: dict) -> list[str]:
         ]
     if plan.tool == "claude":
-        base_url = ensure_root_url(state.get("auth", {}).get("matrx", {}).get("base_url"))
+        base_url = ensure_v1_url(state.get("auth", {}).get("matrx", {}).get("base_url"))
         custom_headers = (plan.env.get("ANTHROPIC_CUSTOM_HEADERS") or "").strip()
-        api_key_present = bool((plan.env.get("ANTHROPIC_API_KEY") or "").strip())
+        anthropic_key = (plan.env.get("ANTHROPIC_API_KEY") or "").strip()
         return [
             "Launching claude via Matrx",
             f"  base_url: {base_url or DEFAULT_MATRX_BASE_URL}",
             f"  auth_source: {plan.auth_source}",
-            f"  oauth_mode: {_claude_effective_oauth_mode(state, plan.env)}",
             f"  custom_headers_present: {bool(custom_headers)}",
-            f"  api_key_present: {api_key_present}",
+            f"  proxy_key_present: {anthropic_key.startswith('mx_')}",
+            f"  subscription_token_available: {bool(_resolve_claude_subscription_token(state))}",
+            "  runtime_route: env injection",
+            "  persistent_route: disabled",
         ]
     return []
@@ -592,22 +702,6 @@ def _clear_if_matches(env: dict[str, str], key: str, expected: str) -> None:
         env.pop(key, None)
-def _claude_uses_oauth(state: dict) -> bool:
-    if read_claude_oauth_token():
-        return True
-    imported = (state.get("auth", {}).get("claude_code", {}).get("oauth_token") or "").strip()
-    return bool(imported)
-def _claude_effective_oauth_mode(state: dict, env: dict[str, str] | None = None) -> bool:
-    requested = ((env or {}).get("MATRX_CLAUDE_MODE") or "").strip().lower()
-    if requested == "oauth":
-        return True
-    if requested == "api-key":
-        return False
-    return _claude_uses_oauth(state)
 def _sync_tool_route_config(state: dict, *, tool: str, route: str) -> bool:
     if tool == "claude":
         return _cleanup_claude_managed_config(state)