ccproxy-api 0.1.0__py3-none-any.whl → 0.1.2__py3-none-any.whl

ccproxy/_version.py

@@ -17,5 +17,5 @@ __version__: str
 __version_tuple__: VERSION_TUPLE
 version_tuple: VERSION_TUPLE
 
-__version__ = version = '0.1.0'
-__version_tuple__ = version_tuple = (0, 1, 0)
+__version__ = version = '0.1.2'
+__version_tuple__ = version_tuple = (0, 1, 2)

ccproxy/api/app.py

@@ -2,6 +2,7 @@
 
 from collections.abc import AsyncGenerator
 from contextlib import asynccontextmanager
+from datetime import UTC, datetime
 from typing import Any
 
 from fastapi import FastAPI, HTTPException
@@ -23,11 +24,13 @@ from ccproxy.api.routes.metrics import (
     prometheus_router,
 )
 from ccproxy.api.routes.proxy import router as proxy_router
+from ccproxy.auth.exceptions import CredentialsNotFoundError
 from ccproxy.auth.oauth.routes import router as oauth_router
 from ccproxy.config.settings import Settings, get_settings
 from ccproxy.core.logging import setup_logging
 from ccproxy.observability.storage.duckdb_simple import SimpleDuckDBStorage
 from ccproxy.scheduler.manager import start_scheduler, stop_scheduler
+from ccproxy.services.credentials import CredentialsManager
 
 
 logger = get_logger(__name__)
@@ -58,6 +61,73 @@ async def lifespan(app: FastAPI) -> AsyncGenerator[None, None]:
             "claude_cli_search_paths", paths=settings.claude.get_searched_paths()
         )
 
+    # Validate authentication token at startup
+    try:
+        credentials_manager = CredentialsManager()
+        validation = await credentials_manager.validate()
+
+        if validation.valid and not validation.expired:
+            credentials = validation.credentials
+            oauth_token = credentials.claude_ai_oauth if credentials else None
+
+            if oauth_token and oauth_token.expires_at_datetime:
+                hours_until_expiry = int(
+                    (
+                        oauth_token.expires_at_datetime - datetime.now(UTC)
+                    ).total_seconds()
+                    / 3600
+                )
+                logger.info(
+                    "auth_token_valid",
+                    expires_in_hours=hours_until_expiry,
+                    subscription_type=oauth_token.subscription_type,
+                    credentials_path=str(validation.path) if validation.path else None,
+                )
+            else:
+                logger.info("auth_token_valid", credentials_path=str(validation.path))
+        elif validation.expired:
+            logger.warning(
+                "auth_token_expired",
+                message="Authentication token has expired. Please run 'ccproxy auth login' to refresh.",
+                credentials_path=str(validation.path) if validation.path else None,
+            )
+        else:
+            logger.warning(
+                "auth_token_invalid",
+                message="Authentication token is invalid. Please run 'ccproxy auth login'.",
+                credentials_path=str(validation.path) if validation.path else None,
+            )
+    except CredentialsNotFoundError:
+        logger.warning(
+            "auth_token_not_found",
+            message="No authentication credentials found. Please run 'ccproxy auth login' to authenticate.",
+            searched_paths=settings.auth.storage.storage_paths,
+        )
+    except Exception as e:
+        logger.error(
+            "auth_token_validation_error",
+            error=str(e),
+            message="Failed to validate authentication token. The server will continue without authentication.",
+        )
+
+    # Validate Claude binary at startup
+    claude_path, found_in_path = settings.claude.find_claude_cli()
+    if claude_path:
+        logger.info(
+            "claude_binary_found",
+            path=claude_path,
+            found_in_path=found_in_path,
+            message=f"Claude CLI binary found at: {claude_path}",
+        )
+    else:
+        searched_paths = settings.claude.get_searched_paths()
+        logger.warning(
+            "claude_binary_not_found",
+            message="Claude CLI binary not found. Please install Claude CLI to use SDK features.",
+            searched_paths=searched_paths,
+            install_command="npm install -g @anthropic-ai/claude-code",
+        )
+
     # Start scheduler system
     try:
         scheduler = await start_scheduler(settings)

ccproxy/api/dependencies.py

@@ -22,11 +22,13 @@ SettingsDep = Annotated[Settings, Depends(get_settings)]
 
 
 def get_claude_service(
+    settings: SettingsDep,
     auth_manager: AuthManagerDep,
 ) -> ClaudeSDKService:
     """Get Claude SDK service instance.
 
     Args:
+        settings: Application settings dependency
         auth_manager: Authentication manager dependency
 
     Returns:
@@ -39,6 +41,7 @@ def get_claude_service(
     return ClaudeSDKService(
         auth_manager=auth_manager,
         metrics=metrics,
+        settings=settings,
     )
 
 

ccproxy/api/routes/claude.py

@@ -173,9 +173,3 @@ async def list_models(
         raise HTTPException(
             status_code=500, detail=f"Internal server error: {str(e)}"
         ) from e
-
-
-@router.get("/status")
-async def claude_sdk_status() -> dict[str, str]:
-    """Get Claude SDK status."""
-    return {"status": "claude sdk endpoint available", "service": "direct"}

ccproxy/api/routes/proxy.py

@@ -11,6 +11,7 @@ from starlette.background import BackgroundTask
 from ccproxy.adapters.openai.adapter import OpenAIAdapter
 from ccproxy.api.dependencies import ProxyServiceDep
 from ccproxy.api.responses import ProxyResponse
+from ccproxy.auth.conditional import ConditionalAuthDep
 from ccproxy.core.errors import ProxyHTTPException
 
 
@@ -22,6 +23,7 @@ router = APIRouter(tags=["proxy"])
 async def create_openai_chat_completion(
     request: Request,
     proxy_service: ProxyServiceDep,
+    auth: ConditionalAuthDep,
 ) -> StreamingResponse | Response:
     """Create a chat completion using Claude AI with OpenAI-compatible format.
 
@@ -98,6 +100,9 @@ async def create_openai_chat_completion(
                     media_type=response_headers.get("content-type", "application/json"),
                 )
 
+    except HTTPException:
+        # Re-raise HTTPException as-is (including 401 auth errors)
+        raise
     except Exception as e:
         raise HTTPException(
             status_code=500, detail=f"Internal server error: {str(e)}"
@@ -108,6 +113,7 @@ async def create_openai_chat_completion(
 async def create_anthropic_message(
     request: Request,
     proxy_service: ProxyServiceDep,
+    auth: ConditionalAuthDep,
 ) -> StreamingResponse | Response:
     """Create a message using Claude AI with Anthropic format.
 
@@ -180,6 +186,9 @@ async def create_anthropic_message(
                     media_type=response_headers.get("content-type", "application/json"),
                 )
 
+    except HTTPException:
+        # Re-raise HTTPException as-is (including 401 auth errors)
+        raise
     except Exception as e:
         raise HTTPException(
             status_code=500, detail=f"Internal server error: {str(e)}"
@@ -190,6 +199,7 @@ async def create_anthropic_message(
 async def list_models(
     request: Request,
     proxy_service: ProxyServiceDep,
+    auth: ConditionalAuthDep,
 ) -> Response:
     """List available models using the proxy service.
 
@@ -226,13 +236,10 @@ async def list_models(
             media_type=response_headers.get("content-type", "application/json"),
         )
 
+    except HTTPException:
+        # Re-raise HTTPException as-is (including 401 auth errors)
+        raise
     except Exception as e:
         raise HTTPException(
             status_code=500, detail=f"Internal server error: {str(e)}"
         ) from e
-
-
-@router.get("/status")
-async def proxy_status() -> dict[str, str]:
-    """Get proxy status."""
-    return {"status": "proxy API available", "version": "1.0.0"}

ccproxy/auth/conditional.py

@@ -0,0 +1,84 @@
+"""Conditional authentication dependencies."""
+
+from typing import Annotated
+
+from fastapi import Depends, HTTPException, Request, status
+from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer
+
+from ccproxy.auth.bearer import BearerTokenAuthManager
+from ccproxy.auth.exceptions import AuthenticationError
+from ccproxy.auth.manager import AuthManager
+from ccproxy.config.settings import Settings, get_settings
+
+
+# FastAPI security scheme for bearer tokens
+bearer_scheme = HTTPBearer(auto_error=False)
+
+
+async def get_conditional_auth_manager(
+    request: Request,
+    credentials: Annotated[
+        HTTPAuthorizationCredentials | None, Depends(bearer_scheme)
+    ] = None,
+    settings: Annotated[Settings | None, Depends(get_settings)] = None,
+) -> AuthManager | None:
+    """Get authentication manager only if auth is required.
+
+    This dependency checks if authentication is configured and validates
+    the token if required. If no auth is configured, returns None.
+
+    Args:
+        request: The FastAPI request object
+        credentials: HTTP authorization credentials
+        settings: Application settings
+
+    Returns:
+        AuthManager instance if authenticated, None if no auth required
+
+    Raises:
+        HTTPException: If auth is required but credentials are invalid
+    """
+    # Check if auth is required for this configuration
+    if settings is None or not settings.security.auth_token:
+        # No auth configured, return None
+        return None
+
+    # Auth is required, validate credentials
+    if not credentials or not credentials.credentials:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Authentication required",
+            headers={"WWW-Authenticate": "Bearer"},
+        )
+
+    # Validate the token
+    if credentials.credentials != settings.security.auth_token:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Invalid authentication credentials",
+            headers={"WWW-Authenticate": "Bearer"},
+        )
+
+    # Create and return auth manager
+    try:
+        bearer_auth = BearerTokenAuthManager(credentials.credentials)
+        if await bearer_auth.is_authenticated():
+            return bearer_auth
+        else:
+            raise HTTPException(
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                detail="Authentication failed",
+                headers={"WWW-Authenticate": "Bearer"},
+            )
+    except (AuthenticationError, ValueError) as e:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail=str(e),
+            headers={"WWW-Authenticate": "Bearer"},
+        ) from e
+
+
+# Type alias for conditional auth dependency
+ConditionalAuthDep = Annotated[
+    AuthManager | None, Depends(get_conditional_auth_manager)
+]

ccproxy/claude_sdk/converter.py

@@ -109,7 +109,7 @@ class MessageConverter:
         for block in contents:
             text_parts.append(MessageConverter.extract_text_from_content(block))
 
-        return " ".join(text_parts)
+        return "\n".join(text_parts)
 
     @staticmethod
     def convert_to_anthropic_response(

ccproxy/claude_sdk/options.py

@@ -2,6 +2,7 @@
 
 from typing import Any
 
+from ccproxy.config.settings import Settings
 from ccproxy.core.async_utils import patched_typing
 
 
@@ -14,8 +15,17 @@ class OptionsHandler:
     Handles creation and management of Claude SDK options.
     """
 
-    @staticmethod
+    def __init__(self, settings: Settings | None = None) -> None:
+        """
+        Initialize options handler.
+
+        Args:
+            settings: Application settings containing default Claude options
+        """
+        self.settings = settings
+
     def create_options(
+        self,
         model: str,
         temperature: float | None = None,
         max_tokens: int | None = None,
@@ -37,6 +47,18 @@ class OptionsHandler:
         """
         options = ClaudeCodeOptions(model=model)
 
+        # First apply settings from configuration if available
+        if self.settings and self.settings.claude.code_options:
+            code_opts = self.settings.claude.code_options
+
+            # Apply settings from configuration
+            for attr_name in dir(code_opts):
+                if not attr_name.startswith("_"):
+                    value = getattr(code_opts, attr_name, None)
+                    if value is not None and hasattr(options, attr_name):
+                        setattr(options, attr_name, value)
+
+        # Then apply API parameters (these override settings)
         if temperature is not None:
             options.temperature = temperature  # type: ignore[attr-defined]
 

ccproxy/cli/commands/__init__.py

@@ -2,7 +2,8 @@
 
 from .auth import app as auth_app
 from .config import app as config_app
+from .permission import app as permission_app
 from .serve import api
 
 
-__all__ = ["api", "auth_app", "config_app"]
+__all__ = ["api", "auth_app", "config_app", "permission_app"]

ccproxy/cli/commands/auth.py

@@ -4,7 +4,7 @@ import asyncio
 import json
 from datetime import UTC, datetime, timezone
 from pathlib import Path
-from typing import Optional
+from typing import Annotated, Optional
 
 import typer
 from rich import box
@@ -52,16 +52,20 @@ def get_docker_credential_paths() -> list[Path]:
 
 @app.command(name="validate")
 def validate_credentials(
-    docker: bool = typer.Option(
-        False,
-        "--docker",
-        help="Use Docker credential paths (from get_claude_docker_home_dir())",
-    ),
-    credential_file: str | None = typer.Option(
-        None,
-        "--credential-file",
-        help="Path to specific credential file to validate",
-    ),
+    docker: Annotated[
+        bool,
+        typer.Option(
+            "--docker",
+            help="Use Docker credential paths (from get_claude_docker_home_dir())",
+        ),
+    ] = False,
+    credential_file: Annotated[
+        str | None,
+        typer.Option(
+            "--credential-file",
+            help="Path to specific credential file to validate",
+        ),
+    ] = None,
 ) -> None:
     """Validate Claude CLI credentials.
 
@@ -176,16 +180,20 @@ def validate_credentials(
 
 @app.command(name="info")
 def credential_info(
-    docker: bool = typer.Option(
-        False,
-        "--docker",
-        help="Use Docker credential paths (from get_claude_docker_home_dir())",
-    ),
-    credential_file: str | None = typer.Option(
-        None,
-        "--credential-file",
-        help="Path to specific credential file to display info for",
-    ),
+    docker: Annotated[
+        bool,
+        typer.Option(
+            "--docker",
+            help="Use Docker credential paths (from get_claude_docker_home_dir())",
+        ),
+    ] = False,
+    credential_file: Annotated[
+        str | None,
+        typer.Option(
+            "--credential-file",
+            help="Path to specific credential file to display info for",
+        ),
+    ] = None,
 ) -> None:
     """Display detailed credential information.
 
@@ -376,16 +384,20 @@ def credential_info(
 
 @app.command(name="login")
 def login_command(
-    docker: bool = typer.Option(
-        False,
-        "--docker",
-        help="Use Docker credential paths (from get_claude_docker_home_dir())",
-    ),
-    credential_file: str | None = typer.Option(
-        None,
-        "--credential-file",
-        help="Path to specific credential file to save to",
-    ),
+    docker: Annotated[
+        bool,
+        typer.Option(
+            "--docker",
+            help="Use Docker credential paths (from get_claude_docker_home_dir())",
+        ),
+    ] = False,
+    credential_file: Annotated[
+        str | None,
+        typer.Option(
+            "--credential-file",
+            help="Path to specific credential file to save to",
+        ),
+    ] = None,
 ) -> None:
     """Login to Claude using OAuth authentication.
 
@@ -470,18 +482,22 @@ def login_command(
 
 @app.command()
 def renew(
-    docker: bool = typer.Option(
-        False,
-        "--docker",
-        "-d",
-        help="Renew credentials for Docker environment",
-    ),
-    credential_file: Path | None = typer.Option(
-        None,
-        "--credential-file",
-        "-f",
-        help="Path to custom credential file",
-    ),
+    docker: Annotated[
+        bool,
+        typer.Option(
+            "--docker",
+            "-d",
+            help="Renew credentials for Docker environment",
+        ),
+    ] = False,
+    credential_file: Annotated[
+        Path | None,
+        typer.Option(
+            "--credential-file",
+            "-f",
+            help="Path to custom credential file",
+        ),
+    ] = None,
 ) -> None:
     """Force renew Claude credentials without checking expiration.
 

ccproxy/cli/commands/config/commands.py

@@ -361,7 +361,7 @@ def generate_token(
 
         # Show environment variable commands - server first, then clients
         console.print("[bold]Server Environment Variables:[/bold]")
-        console.print(f"[cyan]export AUTH_TOKEN={token}[/cyan]")
+        console.print(f"[cyan]export SECURITY__AUTH_TOKEN={token}[/cyan]")
         console.print()
 
         console.print("[bold]Client Environment Variables:[/bold]")
@@ -380,7 +380,7 @@ def generate_token(
         console.print()
 
         console.print("[bold]For .env file:[/bold]")
-        console.print(f"[cyan]AUTH_TOKEN={token}[/cyan]")
+        console.print(f"[cyan]SECURITY__AUTH_TOKEN={token}[/cyan]")
         console.print()
 
         console.print("[bold]Usage with curl (using environment variables):[/bold]")

ccproxy/cli/commands/permission.py

@@ -0,0 +1,128 @@
+"""MCP permission prompt tool for Claude Code SDK."""
+
+import json
+from pathlib import Path
+from typing import Annotated, Any, Optional
+
+import typer
+from structlog import get_logger
+
+from ccproxy.config.settings import config_manager
+from ccproxy.models.responses import (
+    PermissionToolAllowResponse,
+    PermissionToolDenyResponse,
+)
+
+
+app = typer.Typer(
+    rich_markup_mode="rich",
+    add_completion=False,
+    no_args_is_help=False,
+    pretty_exceptions_enable=False,
+)
+
+logger = get_logger(__name__)
+
+
+@app.command()
+def permission_tool(
+    tool_name: Annotated[
+        str, typer.Argument(help="Name of the tool to check permissions for")
+    ],
+    tool_input: Annotated[str, typer.Argument(help="JSON string of the tool input")],
+    config: Annotated[
+        Path | None,
+        typer.Option(
+            "--config",
+            "-c",
+            help="Path to configuration file (TOML, JSON, or YAML)",
+            exists=True,
+            file_okay=True,
+            dir_okay=False,
+            readable=True,
+        ),
+    ] = None,
+) -> None:
+    """
+    MCP permission prompt tool for Claude Code SDK.
+
+    This tool is used by the Claude Code SDK to check permissions for tool calls.
+    It returns a JSON response indicating whether the tool call should be allowed or denied.
+
+    Response format:
+    - Allow: {"behavior": "allow", "updatedInput": {...}}
+    - Deny: {"behavior": "deny", "message": "reason"}
+
+    Examples:
+        ccproxy-perm "bash" '{"command": "ls -la"}'
+        ccproxy-perm "edit_file" '{"path": "/etc/passwd", "content": "..."}'
+    """
+
+    try:
+        # Parse the tool input JSON
+        try:
+            input_data = json.loads(tool_input)
+        except json.JSONDecodeError as e:
+            response = PermissionToolDenyResponse(message=f"Invalid JSON input: {e}")
+            print(response.model_dump_json(by_alias=True))
+            raise typer.Exit(1) from e
+
+        # Load settings to get permission configuration
+        settings = config_manager.load_settings(config_path=config)
+
+        # Basic permission checking logic
+        # This can be extended with more sophisticated rules
+
+        # Check for potentially dangerous commands
+        dangerous_patterns = [
+            "rm -rf",
+            "sudo",
+            "passwd",
+            "chmod 777",
+            "/etc/passwd",
+            "/etc/shadow",
+            "format",
+            "mkfs",
+        ]
+
+        # Convert input to string for pattern matching
+        input_str = json.dumps(input_data).lower()
+
+        # Check for dangerous patterns
+        for pattern in dangerous_patterns:
+            if pattern in input_str:
+                response = PermissionToolDenyResponse(
+                    message=f"Tool call contains potentially dangerous pattern: {pattern}"
+                )
+                print(response.model_dump_json(by_alias=True))
+                return
+
+        # Check for specific tool restrictions
+        restricted_tools = {"exec", "system", "shell", "subprocess"}
+
+        if tool_name.lower() in restricted_tools:
+            response = PermissionToolDenyResponse(
+                message=f"Tool {tool_name} is restricted for security reasons"
+            )
+            print(response.model_dump_json(by_alias=True))
+            return
+
+        # Allow the tool call with original input
+        allow_response = PermissionToolAllowResponse(updated_input=input_data)
+        print(allow_response.model_dump_json(by_alias=True))
+
+    except Exception as e:
+        error_response = PermissionToolDenyResponse(
+            message=f"Error processing permission request: {e}"
+        )
+        print(error_response.model_dump_json(by_alias=True))
+        raise typer.Exit(1) from e
+
+
+def main() -> None:
+    """Entry point for ccproxy-perm command."""
+    app()
+
+
+if __name__ == "__main__":
+    main()