ccproxy-api 0.1.0__tar.gz → 0.1.1__tar.gz

{ccproxy_api-0.1.0 → ccproxy_api-0.1.1}/.github/workflows/release.yml

@@ -130,6 +130,9 @@ jobs:
     needs: [build-package, build-release-docker]
     runs-on: ubuntu-latest
 
+    permissions:
+      id-token: write
+      contents: write
     steps:
       - uses: actions/checkout@v4
 

{ccproxy_api-0.1.0 → ccproxy_api-0.1.1}/CHANGELOG.md

@@ -5,6 +5,34 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.1.1] - 2025-07-22
+
+### Added
+- **Conditional Authentication**: API endpoints now support optional authentication - when `SECURITY__AUTH_TOKEN` is configured, authentication is enforced; when not configured, the proxy runs in open mode.
+- **Startup Validation**: Added comprehensive validation checks during application startup:
+  - Validates OAuth credentials and warns about expired tokens
+  - Checks for Claude CLI binary availability with installation instructions
+  - Logs token expiration time and subscription type when valid
+- **Default Command**: The `serve` command is now the default - running `ccproxy` without subcommands automatically starts the server.
+- **Alternative Entry Point**: Added `ccproxy-api` as an alternative command-line entry point.
+
+### Changed
+- **Authentication Variable**: Renamed environment variable from `AUTH_TOKEN` to `SECURITY__AUTH_TOKEN` for better namespace organization and clarity.
+- **Credential Priority**: Reordered credential search paths to prioritize ccproxy-specific credentials before Claude CLI paths.
+- **CLI Syntax**: Migrated all CLI parameters to modern Annotated syntax for better type safety and IDE support.
+- **Pydantic v2**: Updated all models to use Pydantic v2 configuration syntax (`model_config` instead of `Config` class).
+- **Documentation**: Improved Aider integration docs with correct API endpoint URLs and added installation options (uv, pipx).
+
+### Fixed
+- **Authentication Separation**: Fixed critical issue where auth token was incorrectly used for both client and upstream authentication - now client auth token is separate from OAuth credentials.
+- **URL Paths**: Fixed documentation to use `/api` endpoints for Aider compatibility instead of SDK mode paths.
+- **Default Values**: Fixed default values for list parameters in CLI (docker_env, docker_volume, docker_arg).
+
+### Removed
+- **Status Endpoints**: Removed redundant `/status` endpoints from both Claude SDK and proxy routes.
+- **Permission Tool**: Removed Claude permission tool functionality and related CLI options (`--permission-mode`, `--permission-prompt-tool-name`) that are no longer needed.
+- **Deprecated Options**: Removed references to deprecated permission_mode and permission_prompt_tool_name from documentation.
+
 ## [0.1.0] - 2025-07-21
 
 This is the initial public release of the CCProxy API.

{ccproxy_api-0.1.0 → ccproxy_api-0.1.1}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: ccproxy-api
-Version: 0.1.0
+Version: 0.1.1
 Summary: API server that provides an Anthropic and OpenAI compatible interface over Claude Code, allowing to use your Claude OAuth account or over the API.
 License-File: LICENSE
 Requires-Python: >=3.11
@@ -43,14 +43,26 @@ It includes a translation layer to support both Anthropic and OpenAI-compatible
 # The official claude-code CLI is required for SDK mode
 npm install -g @anthropic-ai/claude-code
 
-# Install ccproxy
-pipx install git+https://github.com/caddyglow/ccproxy-api.git@dev
+# run it with uv
+uvx ccproxy-api
+
+# run it with pipx
+pipx run ccproxy-api
+
+# install with uv
+uv tool install ccproxy-api
+
+# Install ccproxy with pip
+pipx install ccproxy-api
 
 # Optional: Enable shell completion
 eval "$(ccproxy --show-completion zsh)"  # For zsh
 eval "$(ccproxy --show-completion bash)" # For bash
 ```
 
+
+For dev version replace `ccproxy-api` with `git+https://github.com/caddyglow/ccproxy-api.git@dev`
+
 ## Authentication
 
 The proxy uses two different authentication mechanisms depending on the mode.
@@ -61,12 +73,23 @@ The proxy uses two different authentication mechanisms depending on the mode.
     claude /login
     ```
 
+    It's also possible now to get a long live token to avoid renewing issues
+    using
+    ```sh
+    ```bash
+    claude setup-token`
+
 2.  **ccproxy (`api` mode):**
     This mode uses its own OAuth2 flow to obtain credentials for direct API access.
     ```bash
     ccproxy auth login
     ```
-    You can check the status of these credentials with `ccproxy auth validate` and `ccproxy auth info`.
+
+    If you are already connected with Claude CLI the credentials should be found automatically
+
+You can check the status of these credentials with `ccproxy auth validate` and `ccproxy auth info`.
+
+Warning is show on start up if no credentials are setup.
 
 ## Usage
 
@@ -102,6 +125,38 @@ export ANTHROPIC_BASE_URL="http://localhost:8000/api"
 export ANTHROPIC_API_KEY="dummy-key"
 ```
 
+
+## Using with Aider
+
+CCProxy works seamlessly with Aider and other AI coding assistants:
+
+### Anthropic Mode
+```bash
+export ANTHROPIC_API_KEY=dummy
+export ANTHROPIC_BASE_URL=http://127.0.0.1:8000/api
+aider --model claude-sonnet-4-20250514
+```
+
+### OpenAI Mode with Model Mapping
+
+If your tool only supports OpenAI settings, ccproxy automatically maps OpenAI models to Claude:
+
+```bash
+export OPENAI_API_KEY=dummy
+export OPENAI_BASE_URL=http://127.0.0.1:8000/api/v1
+aider --model o3-mini
+```
+
+### API Mode (Direct Proxy)
+
+For minimal interference and direct API access:
+
+```bash
+export OPENAI_API_KEY=dummy
+export OPENAI_BASE_URL=http://127.0.0.1:8000/api/v1
+aider --model o3-mini
+```
+
 ### `curl` Example
 
 ```bash
@@ -185,16 +240,16 @@ You can enable token authentication for the proxy. This supports multiple header
 **1. Generate a Token:**
 ```bash
 ccproxy generate-token
-# Output: AUTH_TOKEN=abc123xyz789...
+# Output: SECURITY__AUTH_TOKEN=abc123xyz789...
 ```
 
 **2. Configure the Token:**
 ```bash
 # Set environment variable
-export AUTH_TOKEN=abc123xyz789...
+export SECURITY__AUTH_TOKEN=abc123xyz789...
 
 # Or add to .env file
-echo "AUTH_TOKEN=abc123xyz789..." >> .env
+echo "SECURITY__AUTH_TOKEN=abc123xyz789..." >> .env
 ```
 
 **3. Use in Requests:**

{ccproxy_api-0.1.0 → ccproxy_api-0.1.1}/README.md

@@ -14,14 +14,26 @@ It includes a translation layer to support both Anthropic and OpenAI-compatible
 # The official claude-code CLI is required for SDK mode
 npm install -g @anthropic-ai/claude-code
 
-# Install ccproxy
-pipx install git+https://github.com/caddyglow/ccproxy-api.git@dev
+# run it with uv
+uvx ccproxy-api
+
+# run it with pipx
+pipx run ccproxy-api
+
+# install with uv
+uv tool install ccproxy-api
+
+# Install ccproxy with pip
+pipx install ccproxy-api
 
 # Optional: Enable shell completion
 eval "$(ccproxy --show-completion zsh)"  # For zsh
 eval "$(ccproxy --show-completion bash)" # For bash
 ```
 
+
+For dev version replace `ccproxy-api` with `git+https://github.com/caddyglow/ccproxy-api.git@dev`
+
 ## Authentication
 
 The proxy uses two different authentication mechanisms depending on the mode.
@@ -32,12 +44,23 @@ The proxy uses two different authentication mechanisms depending on the mode.
     claude /login
     ```
 
+    It's also possible now to get a long live token to avoid renewing issues
+    using
+    ```sh
+    ```bash
+    claude setup-token`
+
 2.  **ccproxy (`api` mode):**
     This mode uses its own OAuth2 flow to obtain credentials for direct API access.
     ```bash
     ccproxy auth login
     ```
-    You can check the status of these credentials with `ccproxy auth validate` and `ccproxy auth info`.
+
+    If you are already connected with Claude CLI the credentials should be found automatically
+
+You can check the status of these credentials with `ccproxy auth validate` and `ccproxy auth info`.
+
+Warning is show on start up if no credentials are setup.
 
 ## Usage
 
@@ -73,6 +96,38 @@ export ANTHROPIC_BASE_URL="http://localhost:8000/api"
 export ANTHROPIC_API_KEY="dummy-key"
 ```
 
+
+## Using with Aider
+
+CCProxy works seamlessly with Aider and other AI coding assistants:
+
+### Anthropic Mode
+```bash
+export ANTHROPIC_API_KEY=dummy
+export ANTHROPIC_BASE_URL=http://127.0.0.1:8000/api
+aider --model claude-sonnet-4-20250514
+```
+
+### OpenAI Mode with Model Mapping
+
+If your tool only supports OpenAI settings, ccproxy automatically maps OpenAI models to Claude:
+
+```bash
+export OPENAI_API_KEY=dummy
+export OPENAI_BASE_URL=http://127.0.0.1:8000/api/v1
+aider --model o3-mini
+```
+
+### API Mode (Direct Proxy)
+
+For minimal interference and direct API access:
+
+```bash
+export OPENAI_API_KEY=dummy
+export OPENAI_BASE_URL=http://127.0.0.1:8000/api/v1
+aider --model o3-mini
+```
+
 ### `curl` Example
 
 ```bash
@@ -156,16 +211,16 @@ You can enable token authentication for the proxy. This supports multiple header
 **1. Generate a Token:**
 ```bash
 ccproxy generate-token
-# Output: AUTH_TOKEN=abc123xyz789...
+# Output: SECURITY__AUTH_TOKEN=abc123xyz789...
 ```
 
 **2. Configure the Token:**
 ```bash
 # Set environment variable
-export AUTH_TOKEN=abc123xyz789...
+export SECURITY__AUTH_TOKEN=abc123xyz789...
 
 # Or add to .env file
-echo "AUTH_TOKEN=abc123xyz789..." >> .env
+echo "SECURITY__AUTH_TOKEN=abc123xyz789..." >> .env
 ```
 
 **3. Use in Requests:**

{ccproxy_api-0.1.0 → ccproxy_api-0.1.1}/ccproxy/_version.py

@@ -17,5 +17,5 @@ __version__: str
 __version_tuple__: VERSION_TUPLE
 version_tuple: VERSION_TUPLE
 
-__version__ = version = '0.1.0'
-__version_tuple__ = version_tuple = (0, 1, 0)
+__version__ = version = '0.1.1'
+__version_tuple__ = version_tuple = (0, 1, 1)

{ccproxy_api-0.1.0 → ccproxy_api-0.1.1}/ccproxy/api/app.py

@@ -2,6 +2,7 @@
 
 from collections.abc import AsyncGenerator
 from contextlib import asynccontextmanager
+from datetime import UTC, datetime
 from typing import Any
 
 from fastapi import FastAPI, HTTPException
@@ -23,11 +24,13 @@ from ccproxy.api.routes.metrics import (
     prometheus_router,
 )
 from ccproxy.api.routes.proxy import router as proxy_router
+from ccproxy.auth.exceptions import CredentialsNotFoundError
 from ccproxy.auth.oauth.routes import router as oauth_router
 from ccproxy.config.settings import Settings, get_settings
 from ccproxy.core.logging import setup_logging
 from ccproxy.observability.storage.duckdb_simple import SimpleDuckDBStorage
 from ccproxy.scheduler.manager import start_scheduler, stop_scheduler
+from ccproxy.services.credentials import CredentialsManager
 
 
 logger = get_logger(__name__)
@@ -58,6 +61,73 @@ async def lifespan(app: FastAPI) -> AsyncGenerator[None, None]:
             "claude_cli_search_paths", paths=settings.claude.get_searched_paths()
         )
 
+    # Validate authentication token at startup
+    try:
+        credentials_manager = CredentialsManager()
+        validation = await credentials_manager.validate()
+
+        if validation.valid and not validation.expired:
+            credentials = validation.credentials
+            oauth_token = credentials.claude_ai_oauth if credentials else None
+
+            if oauth_token and oauth_token.expires_at_datetime:
+                hours_until_expiry = int(
+                    (
+                        oauth_token.expires_at_datetime - datetime.now(UTC)
+                    ).total_seconds()
+                    / 3600
+                )
+                logger.info(
+                    "auth_token_valid",
+                    expires_in_hours=hours_until_expiry,
+                    subscription_type=oauth_token.subscription_type,
+                    credentials_path=str(validation.path) if validation.path else None,
+                )
+            else:
+                logger.info("auth_token_valid", credentials_path=str(validation.path))
+        elif validation.expired:
+            logger.warning(
+                "auth_token_expired",
+                message="Authentication token has expired. Please run 'ccproxy auth login' to refresh.",
+                credentials_path=str(validation.path) if validation.path else None,
+            )
+        else:
+            logger.warning(
+                "auth_token_invalid",
+                message="Authentication token is invalid. Please run 'ccproxy auth login'.",
+                credentials_path=str(validation.path) if validation.path else None,
+            )
+    except CredentialsNotFoundError:
+        logger.warning(
+            "auth_token_not_found",
+            message="No authentication credentials found. Please run 'ccproxy auth login' to authenticate.",
+            searched_paths=settings.auth.storage.storage_paths,
+        )
+    except Exception as e:
+        logger.error(
+            "auth_token_validation_error",
+            error=str(e),
+            message="Failed to validate authentication token. The server will continue without authentication.",
+        )
+
+    # Validate Claude binary at startup
+    claude_path, found_in_path = settings.claude.find_claude_cli()
+    if claude_path:
+        logger.info(
+            "claude_binary_found",
+            path=claude_path,
+            found_in_path=found_in_path,
+            message=f"Claude CLI binary found at: {claude_path}",
+        )
+    else:
+        searched_paths = settings.claude.get_searched_paths()
+        logger.warning(
+            "claude_binary_not_found",
+            message="Claude CLI binary not found. Please install Claude CLI to use SDK features.",
+            searched_paths=searched_paths,
+            install_command="npm install -g @anthropic-ai/claude-code",
+        )
+
     # Start scheduler system
     try:
         scheduler = await start_scheduler(settings)

{ccproxy_api-0.1.0 → ccproxy_api-0.1.1}/ccproxy/api/routes/claude.py

@@ -173,9 +173,3 @@ async def list_models(
         raise HTTPException(
             status_code=500, detail=f"Internal server error: {str(e)}"
         ) from e
-
-
-@router.get("/status")
-async def claude_sdk_status() -> dict[str, str]:
-    """Get Claude SDK status."""
-    return {"status": "claude sdk endpoint available", "service": "direct"}

{ccproxy_api-0.1.0 → ccproxy_api-0.1.1}/ccproxy/api/routes/proxy.py

@@ -11,6 +11,7 @@ from starlette.background import BackgroundTask
 from ccproxy.adapters.openai.adapter import OpenAIAdapter
 from ccproxy.api.dependencies import ProxyServiceDep
 from ccproxy.api.responses import ProxyResponse
+from ccproxy.auth.conditional import ConditionalAuthDep
 from ccproxy.core.errors import ProxyHTTPException
 
 
@@ -22,6 +23,7 @@ router = APIRouter(tags=["proxy"])
 async def create_openai_chat_completion(
     request: Request,
     proxy_service: ProxyServiceDep,
+    auth: ConditionalAuthDep,
 ) -> StreamingResponse | Response:
     """Create a chat completion using Claude AI with OpenAI-compatible format.
 
@@ -98,6 +100,9 @@ async def create_openai_chat_completion(
                     media_type=response_headers.get("content-type", "application/json"),
                 )
 
+    except HTTPException:
+        # Re-raise HTTPException as-is (including 401 auth errors)
+        raise
     except Exception as e:
         raise HTTPException(
             status_code=500, detail=f"Internal server error: {str(e)}"
@@ -108,6 +113,7 @@ async def create_openai_chat_completion(
 async def create_anthropic_message(
     request: Request,
     proxy_service: ProxyServiceDep,
+    auth: ConditionalAuthDep,
 ) -> StreamingResponse | Response:
     """Create a message using Claude AI with Anthropic format.
 
@@ -180,6 +186,9 @@ async def create_anthropic_message(
                     media_type=response_headers.get("content-type", "application/json"),
                 )
 
+    except HTTPException:
+        # Re-raise HTTPException as-is (including 401 auth errors)
+        raise
     except Exception as e:
         raise HTTPException(
             status_code=500, detail=f"Internal server error: {str(e)}"
@@ -190,6 +199,7 @@ async def create_anthropic_message(
 async def list_models(
     request: Request,
     proxy_service: ProxyServiceDep,
+    auth: ConditionalAuthDep,
 ) -> Response:
     """List available models using the proxy service.
 
@@ -226,13 +236,10 @@ async def list_models(
             media_type=response_headers.get("content-type", "application/json"),
         )
 
+    except HTTPException:
+        # Re-raise HTTPException as-is (including 401 auth errors)
+        raise
     except Exception as e:
         raise HTTPException(
             status_code=500, detail=f"Internal server error: {str(e)}"
         ) from e
-
-
-@router.get("/status")
-async def proxy_status() -> dict[str, str]:
-    """Get proxy status."""
-    return {"status": "proxy API available", "version": "1.0.0"}

ccproxy_api-0.1.1/ccproxy/auth/conditional.py

@@ -0,0 +1,84 @@
+"""Conditional authentication dependencies."""
+
+from typing import Annotated
+
+from fastapi import Depends, HTTPException, Request, status
+from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer
+
+from ccproxy.auth.bearer import BearerTokenAuthManager
+from ccproxy.auth.exceptions import AuthenticationError
+from ccproxy.auth.manager import AuthManager
+from ccproxy.config.settings import Settings, get_settings
+
+
+# FastAPI security scheme for bearer tokens
+bearer_scheme = HTTPBearer(auto_error=False)
+
+
+async def get_conditional_auth_manager(
+    request: Request,
+    credentials: Annotated[
+        HTTPAuthorizationCredentials | None, Depends(bearer_scheme)
+    ] = None,
+    settings: Annotated[Settings | None, Depends(get_settings)] = None,
+) -> AuthManager | None:
+    """Get authentication manager only if auth is required.
+
+    This dependency checks if authentication is configured and validates
+    the token if required. If no auth is configured, returns None.
+
+    Args:
+        request: The FastAPI request object
+        credentials: HTTP authorization credentials
+        settings: Application settings
+
+    Returns:
+        AuthManager instance if authenticated, None if no auth required
+
+    Raises:
+        HTTPException: If auth is required but credentials are invalid
+    """
+    # Check if auth is required for this configuration
+    if settings is None or not settings.security.auth_token:
+        # No auth configured, return None
+        return None
+
+    # Auth is required, validate credentials
+    if not credentials or not credentials.credentials:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Authentication required",
+            headers={"WWW-Authenticate": "Bearer"},
+        )
+
+    # Validate the token
+    if credentials.credentials != settings.security.auth_token:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Invalid authentication credentials",
+            headers={"WWW-Authenticate": "Bearer"},
+        )
+
+    # Create and return auth manager
+    try:
+        bearer_auth = BearerTokenAuthManager(credentials.credentials)
+        if await bearer_auth.is_authenticated():
+            return bearer_auth
+        else:
+            raise HTTPException(
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                detail="Authentication failed",
+                headers={"WWW-Authenticate": "Bearer"},
+            )
+    except (AuthenticationError, ValueError) as e:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail=str(e),
+            headers={"WWW-Authenticate": "Bearer"},
+        ) from e
+
+
+# Type alias for conditional auth dependency
+ConditionalAuthDep = Annotated[
+    AuthManager | None, Depends(get_conditional_auth_manager)
+]

{ccproxy_api-0.1.0 → ccproxy_api-0.1.1}/ccproxy/cli/commands/auth.py

@@ -4,7 +4,7 @@ import asyncio
 import json
 from datetime import UTC, datetime, timezone
 from pathlib import Path
-from typing import Optional
+from typing import Annotated, Optional
 
 import typer
 from rich import box
@@ -52,16 +52,20 @@ def get_docker_credential_paths() -> list[Path]:
 
 @app.command(name="validate")
 def validate_credentials(
-    docker: bool = typer.Option(
-        False,
-        "--docker",
-        help="Use Docker credential paths (from get_claude_docker_home_dir())",
-    ),
-    credential_file: str | None = typer.Option(
-        None,
-        "--credential-file",
-        help="Path to specific credential file to validate",
-    ),
+    docker: Annotated[
+        bool,
+        typer.Option(
+            "--docker",
+            help="Use Docker credential paths (from get_claude_docker_home_dir())",
+        ),
+    ] = False,
+    credential_file: Annotated[
+        str | None,
+        typer.Option(
+            "--credential-file",
+            help="Path to specific credential file to validate",
+        ),
+    ] = None,
 ) -> None:
     """Validate Claude CLI credentials.
 
@@ -176,16 +180,20 @@ def validate_credentials(
 
 @app.command(name="info")
 def credential_info(
-    docker: bool = typer.Option(
-        False,
-        "--docker",
-        help="Use Docker credential paths (from get_claude_docker_home_dir())",
-    ),
-    credential_file: str | None = typer.Option(
-        None,
-        "--credential-file",
-        help="Path to specific credential file to display info for",
-    ),
+    docker: Annotated[
+        bool,
+        typer.Option(
+            "--docker",
+            help="Use Docker credential paths (from get_claude_docker_home_dir())",
+        ),
+    ] = False,
+    credential_file: Annotated[
+        str | None,
+        typer.Option(
+            "--credential-file",
+            help="Path to specific credential file to display info for",
+        ),
+    ] = None,
 ) -> None:
     """Display detailed credential information.
 
@@ -376,16 +384,20 @@ def credential_info(
 
 @app.command(name="login")
 def login_command(
-    docker: bool = typer.Option(
-        False,
-        "--docker",
-        help="Use Docker credential paths (from get_claude_docker_home_dir())",
-    ),
-    credential_file: str | None = typer.Option(
-        None,
-        "--credential-file",
-        help="Path to specific credential file to save to",
-    ),
+    docker: Annotated[
+        bool,
+        typer.Option(
+            "--docker",
+            help="Use Docker credential paths (from get_claude_docker_home_dir())",
+        ),
+    ] = False,
+    credential_file: Annotated[
+        str | None,
+        typer.Option(
+            "--credential-file",
+            help="Path to specific credential file to save to",
+        ),
+    ] = None,
 ) -> None:
     """Login to Claude using OAuth authentication.
 
@@ -470,18 +482,22 @@ def login_command(
 
 @app.command()
 def renew(
-    docker: bool = typer.Option(
-        False,
-        "--docker",
-        "-d",
-        help="Renew credentials for Docker environment",
-    ),
-    credential_file: Path | None = typer.Option(
-        None,
-        "--credential-file",
-        "-f",
-        help="Path to custom credential file",
-    ),
+    docker: Annotated[
+        bool,
+        typer.Option(
+            "--docker",
+            "-d",
+            help="Renew credentials for Docker environment",
+        ),
+    ] = False,
+    credential_file: Annotated[
+        Path | None,
+        typer.Option(
+            "--credential-file",
+            "-f",
+            help="Path to custom credential file",
+        ),
+    ] = None,
 ) -> None:
     """Force renew Claude credentials without checking expiration.