opencode-cluade-auth 1.0.1 → 1.0.2

package/README.md

@@ -89,6 +89,21 @@ npm pack --dry-run
 npm publish --dry-run
 ```
 
+## GitHub Actions Publish
+
+This repo includes a package-specific publish workflow at
+`.github/workflows/publish-opencode-cluade-auth.yml`.
+
+- trigger manually with `workflow_dispatch`, or push a tag matching
+  `opencode-cluade-auth-v*`
+- the workflow hard-checks that `package.json` is publishing
+  `opencode-cluade-auth`
+- npm auth is read only from the GitHub secret
+  `NPM_TOKEN_OPENCODE_CLAUDE_AUTH`
+
+That secret is intended to be repo-scoped so it does not overlap with other
+packages or repos such as `oh-my-aegis`.
+
 ## Limitations
 
 - streaming responses are exposed as buffered Anthropic SSE, not live token passthrough

package/dist/anthropic-compat.d.ts

@@ -24,6 +24,11 @@ type ClaudeResponseEnvelope = {
         arguments: Record<string, unknown>;
     }>;
 };
+type ClaudeToolCall = {
+    id: string;
+    name: string;
+    arguments: Record<string, unknown>;
+};
 export declare function extractAnthropicRequest(raw: unknown): {
     ok: true;
     model: string;
@@ -43,6 +48,16 @@ export declare function buildClaudePreparedRequest(params: {
     tools: AnthropicTool[];
 }): ClaudePreparedRequest;
 export declare function parseClaudeResponseEnvelope(text: string): ClaudeResponseEnvelope | null;
+export declare function validateToolCalls(params: {
+    toolCalls: ClaudeToolCall[];
+    tools: AnthropicTool[];
+}): {
+    ok: true;
+    toolCalls: ClaudeToolCall[];
+} | {
+    ok: false;
+    reason: string;
+};
 export declare function buildAnthropicMessageResponse(params: {
     model: string;
     content: string;

package/dist/anthropic-compat.js

@@ -183,6 +183,182 @@ export function parseClaudeResponseEnvelope(text) {
     });
     return toolCalls.length > 0 ? { type: "tool-calls", tool_calls: toolCalls } : null;
 }
+function requiredFieldsFromSchema(schema) {
+    if (!schema) {
+        return [];
+    }
+    const required = schema.required;
+    if (!Array.isArray(required)) {
+        return [];
+    }
+    return required.filter((entry) => typeof entry === "string" && entry.trim() !== "");
+}
+function propertiesFromSchema(schema) {
+    if (!schema) {
+        return {};
+    }
+    const properties = schema.properties;
+    return isRecord(properties) ? properties : {};
+}
+function typeUnionFromSchema(schema) {
+    if (!schema) {
+        return [];
+    }
+    const type = schema.type;
+    if (typeof type === "string" && type.trim() !== "") {
+        return [type];
+    }
+    if (Array.isArray(type)) {
+        return type.filter((entry) => typeof entry === "string" && entry.trim() !== "");
+    }
+    return [];
+}
+function enumValuesFromSchema(schema) {
+    if (!schema) {
+        return null;
+    }
+    const values = schema.enum;
+    return Array.isArray(values) ? values : null;
+}
+function constValueFromSchema(schema) {
+    if (!schema) {
+        return { hasConst: false };
+    }
+    if (!Object.prototype.hasOwnProperty.call(schema, "const")) {
+        return { hasConst: false };
+    }
+    return { hasConst: true, value: schema.const };
+}
+function itemsFromSchema(schema) {
+    if (!schema) {
+        return undefined;
+    }
+    const items = schema.items;
+    return isRecord(items) ? items : undefined;
+}
+function additionalPropertiesIsFalse(schema) {
+    if (!schema) {
+        return false;
+    }
+    return schema.additionalProperties === false;
+}
+function matchesSchemaType(value, type) {
+    switch (type) {
+        case "string":
+            return typeof value === "string";
+        case "number":
+            return typeof value === "number" && Number.isFinite(value);
+        case "integer":
+            return typeof value === "number" && Number.isInteger(value);
+        case "boolean":
+            return typeof value === "boolean";
+        case "object":
+            return isRecord(value);
+        case "array":
+            return Array.isArray(value);
+        case "null":
+            return value === null;
+        default:
+            return true;
+    }
+}
+function matchesSchemaTypes(value, types) {
+    if (types.length === 0) {
+        return true;
+    }
+    return types.some((type) => matchesSchemaType(value, type));
+}
+function isBlankString(value) {
+    return typeof value === "string" && value.trim() === "";
+}
+function hasRequiredFields(args, required) {
+    return required.every((field) => Object.prototype.hasOwnProperty.call(args, field) && args[field] !== undefined);
+}
+function validateValueAgainstSchema(value, schema, isRequired) {
+    if (!schema) {
+        return true;
+    }
+    const enumValues = enumValuesFromSchema(schema);
+    if (enumValues && !enumValues.some((entry) => Object.is(entry, value))) {
+        return false;
+    }
+    const constValue = constValueFromSchema(schema);
+    if (constValue.hasConst && !Object.is(constValue.value, value)) {
+        return false;
+    }
+    const types = typeUnionFromSchema(schema);
+    if (!matchesSchemaTypes(value, types)) {
+        return false;
+    }
+    if (isRequired && types.includes("string") && isBlankString(value)) {
+        return false;
+    }
+    const properties = propertiesFromSchema(schema);
+    const requiredFields = requiredFieldsFromSchema(schema);
+    const itemsSchema = itemsFromSchema(schema);
+    const hasAdditionalPropertiesConstraint = additionalPropertiesIsFalse(schema);
+    const expectsObject = hasAdditionalPropertiesConstraint || requiredFields.length > 0 || Object.keys(properties).length > 0;
+    const expectsArray = Boolean(itemsSchema);
+    if (Array.isArray(value)) {
+        if (!itemsSchema) {
+            return true;
+        }
+        return value.every((entry) => validateValueAgainstSchema(entry, itemsSchema, false));
+    }
+    if (isRecord(value)) {
+        if (!hasRequiredFields(value, requiredFields)) {
+            return false;
+        }
+        if (hasAdditionalPropertiesConstraint) {
+            for (const key of Object.keys(value)) {
+                if (!Object.prototype.hasOwnProperty.call(properties, key)) {
+                    return false;
+                }
+            }
+        }
+        for (const field of requiredFields) {
+            const propertySchema = isRecord(properties[field]) ? properties[field] : undefined;
+            const fieldTypes = typeUnionFromSchema(propertySchema);
+            if (fieldTypes.includes("string") && isBlankString(value[field])) {
+                return false;
+            }
+        }
+        for (const [field, fieldValue] of Object.entries(value)) {
+            const propertySchema = isRecord(properties[field]) ? properties[field] : undefined;
+            if (!propertySchema) {
+                continue;
+            }
+            if (!validateValueAgainstSchema(fieldValue, propertySchema, requiredFields.includes(field))) {
+                return false;
+            }
+        }
+        return true;
+    }
+    if (value === null && types.includes("null")) {
+        return true;
+    }
+    if (expectsObject || expectsArray) {
+        return false;
+    }
+    return true;
+}
+export function validateToolCalls(params) {
+    const toolsByName = new Map(params.tools.map((tool) => [tool.name, tool]));
+    for (const toolCall of params.toolCalls) {
+        const tool = toolsByName.get(toolCall.name);
+        if (!tool) {
+            return { ok: false, reason: `unknown tool requested: ${toolCall.name}` };
+        }
+        const required = requiredFieldsFromSchema(tool.inputSchema);
+        if (!hasRequiredFields(toolCall.arguments, required)) {
+            return { ok: false, reason: `missing required tool arguments for ${toolCall.name}` };
+        }
+        if (!validateValueAgainstSchema(toolCall.arguments, tool.inputSchema, true)) {
+            return { ok: false, reason: `invalid tool arguments for ${toolCall.name}` };
+        }
+    }
+    return { ok: true, toolCalls: params.toolCalls };
+}
 export function buildAnthropicMessageResponse(params) {
     return new Response(JSON.stringify({
         id: `msg_${Date.now()}`,

package/dist/fetch.js

@@ -1,4 +1,4 @@
-import { buildAnthropicErrorResponse, buildAnthropicMessageResponse, buildAnthropicMessageStreamResponse, buildAnthropicToolUseResponse, buildAnthropicToolUseStreamResponse, buildClaudePreparedRequest, extractAnthropicRequest, parseClaudeResponseEnvelope, } from "./anthropic-compat.js";
+import { buildAnthropicErrorResponse, buildAnthropicMessageResponse, buildAnthropicMessageStreamResponse, buildAnthropicToolUseResponse, buildAnthropicToolUseStreamResponse, buildClaudePreparedRequest, extractAnthropicRequest, parseClaudeResponseEnvelope, validateToolCalls, } from "./anthropic-compat.js";
 import { runClaudeCode } from "./claude-cli.js";
 function effortFromRequest(_raw) {
     return undefined;
@@ -45,15 +45,20 @@ export function createClaudeCodeFetch(deps = {}) {
         const responseText = result.responseText ?? "";
         const envelope = parseClaudeResponseEnvelope(responseText);
         if (envelope?.type === "tool-calls") {
+            const validation = validateToolCalls({ toolCalls: envelope.tool_calls, tools: request.tools });
+            if (!validation.ok) {
+                return buildAnthropicErrorResponse(502, validation.reason);
+            }
+            const toolCalls = validation.toolCalls;
             if (request.stream) {
                 return buildAnthropicToolUseStreamResponse({
                     model: request.model,
-                    toolCalls: envelope.tool_calls,
+                    toolCalls,
                 });
             }
             return buildAnthropicToolUseResponse({
                 model: request.model,
-                toolCalls: envelope.tool_calls,
+                toolCalls,
             });
         }
         if (request.stream) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "opencode-cluade-auth",
-  "version": "1.0.1",
+  "version": "1.0.2",
   "description": "Claude Code CLI-backed Anthropic auth plugin for OpenCode.",
   "license": "MIT",
   "type": "module",