gac 2.3.0__py3-none-any.whl → 2.7.0__py3-none-any.whl

gac/oauth/claude_code.py

@@ -0,0 +1,397 @@
+"""Claude Code OAuth authentication utilities.
+
+Implements PKCE OAuth flow for Claude Code subscriptions.
+"""
+
+import base64
+import hashlib
+import logging
+import secrets
+import threading
+import time
+import webbrowser
+from dataclasses import dataclass
+from http.server import BaseHTTPRequestHandler, HTTPServer
+from pathlib import Path
+from typing import Any, TypedDict
+from urllib.parse import parse_qs, urlencode, urlparse
+
+import httpx
+
+logger = logging.getLogger(__name__)
+
+
+class ClaudeCodeConfig(TypedDict):
+    """Type definition for Claude Code OAuth configuration."""
+
+    auth_url: str
+    token_url: str
+    api_base_url: str
+    client_id: str
+    scope: str
+    redirect_host: str
+    redirect_path: str
+    callback_port_range: tuple[int, int]
+    callback_timeout: int
+    anthropic_version: str
+
+
+# Claude Code OAuth configuration
+CLAUDE_CODE_CONFIG: ClaudeCodeConfig = {
+    "auth_url": "https://claude.ai/oauth/authorize",
+    "token_url": "https://console.anthropic.com/v1/oauth/token",
+    "api_base_url": "https://api.anthropic.com",
+    "client_id": "9d1c250a-e61b-44d9-88ed-5944d1962f5e",
+    "scope": "org:create_api_key user:profile user:inference",
+    "redirect_host": "http://localhost",
+    "redirect_path": "callback",
+    "callback_port_range": (8765, 8795),
+    "callback_timeout": 180,
+    "anthropic_version": "2023-06-01",
+}
+
+
+@dataclass
+class OAuthContext:
+    """Runtime state for an in-progress OAuth flow."""
+
+    state: str
+    code_verifier: str
+    code_challenge: str
+    created_at: float
+    redirect_uri: str | None = None
+
+
+class _OAuthResult:
+    """Stores OAuth callback results."""
+
+    def __init__(self) -> None:
+        self.code: str | None = None
+        self.state: str | None = None
+        self.error: str | None = None
+
+
+class _CallbackHandler(BaseHTTPRequestHandler):
+    """HTTP handler for OAuth callback."""
+
+    result: _OAuthResult
+    received_event: threading.Event
+
+    def do_GET(self) -> None:  # noqa: N802
+        """Handle GET request from OAuth redirect."""
+        logger.info("OAuth callback received: path=%s", self.path)
+        parsed = urlparse(self.path)
+        params: dict[str, list[str]] = parse_qs(parsed.query)
+
+        code = params.get("code", [None])[0]
+        state = params.get("state", [None])[0]
+
+        if code and state:
+            self.result.code = code
+            self.result.state = state
+            success_html = _get_success_html()
+            self._write_response(200, success_html)
+        else:
+            self.result.error = "Missing code or state"
+            failure_html = _get_failure_html()
+            self._write_response(400, failure_html)
+
+        self.received_event.set()
+
+    def log_message(self, format: str, *args: Any) -> None:  # noqa: A003
+        """Suppress HTTP server logs."""
+        return
+
+    def _write_response(self, status: int, body: str) -> None:
+        """Write HTTP response."""
+        self.send_response(status)
+        self.send_header("Content-Type", "text/html; charset=utf-8")
+        self.end_headers()
+        self.wfile.write(body.encode("utf-8"))
+
+
+def _get_success_html() -> str:
+    """Return HTML for successful authentication."""
+    return """
+<!DOCTYPE html>
+<html>
+<head>
+    <title>Authentication Successful</title>
+    <style>
+        body { font-family: system-ui; text-align: center; padding: 50px; }
+        h1 { color: #10a37f; }
+    </style>
+</head>
+<body>
+    <h1>✓ Authentication Successful!</h1>
+    <p>You can close this window and return to your terminal.</p>
+</body>
+</html>
+"""
+
+
+def _get_failure_html() -> str:
+    """Return HTML for failed authentication."""
+    return """
+<!DOCTYPE html>
+<html>
+<head>
+    <title>Authentication Failed</title>
+    <style>
+        body { font-family: system-ui; text-align: center; padding: 50px; }
+        h1 { color: #ef4444; }
+    </style>
+</head>
+<body>
+    <h1>✗ Authentication Failed</h1>
+    <p>Missing authorization code. Please try again.</p>
+</body>
+</html>
+"""
+
+
+def _urlsafe_b64encode(data: bytes) -> str:
+    """Base64url encode without padding."""
+    return base64.urlsafe_b64encode(data).decode("utf-8").rstrip("=")
+
+
+def _generate_code_verifier() -> str:
+    """Generate PKCE code verifier."""
+    return _urlsafe_b64encode(secrets.token_bytes(64))
+
+
+def _compute_code_challenge(code_verifier: str) -> str:
+    """Compute PKCE code challenge from verifier."""
+    digest = hashlib.sha256(code_verifier.encode("utf-8")).digest()
+    return _urlsafe_b64encode(digest)
+
+
+def prepare_oauth_context() -> OAuthContext:
+    """Create a new OAuth PKCE context."""
+    state = secrets.token_urlsafe(32)
+    code_verifier = _generate_code_verifier()
+    code_challenge = _compute_code_challenge(code_verifier)
+    return OAuthContext(
+        state=state,
+        code_verifier=code_verifier,
+        code_challenge=code_challenge,
+        created_at=time.time(),
+    )
+
+
+def build_authorization_url(context: OAuthContext) -> str:
+    """Build the Claude authorization URL with PKCE parameters."""
+    if not context.redirect_uri:
+        raise RuntimeError("Redirect URI has not been assigned for this OAuth context")
+
+    params = {
+        "response_type": "code",
+        "client_id": CLAUDE_CODE_CONFIG["client_id"],
+        "redirect_uri": context.redirect_uri,
+        "scope": CLAUDE_CODE_CONFIG["scope"],
+        "state": context.state,
+        "code": "true",
+        "code_challenge": context.code_challenge,
+        "code_challenge_method": "S256",
+    }
+    return f"{CLAUDE_CODE_CONFIG['auth_url']}?{urlencode(params)}"
+
+
+def _start_callback_server(context: OAuthContext) -> tuple[HTTPServer, _OAuthResult, threading.Event] | None:
+    """Start local HTTP server to receive OAuth callback."""
+    port_range = CLAUDE_CODE_CONFIG["callback_port_range"]
+
+    for port in range(port_range[0], port_range[1] + 1):
+        try:
+            server = HTTPServer(("localhost", port), _CallbackHandler)
+            context.redirect_uri = f"{CLAUDE_CODE_CONFIG['redirect_host']}:{port}/{CLAUDE_CODE_CONFIG['redirect_path']}"
+            result = _OAuthResult()
+            event = threading.Event()
+            _CallbackHandler.result = result
+            _CallbackHandler.received_event = event
+
+            def run_server(srv: HTTPServer = server) -> None:
+                with srv:
+                    srv.serve_forever()
+
+            threading.Thread(target=run_server, daemon=True).start()
+            return server, result, event
+        except OSError:
+            continue
+
+    logger.error("Could not start OAuth callback server; all candidate ports are in use")
+    return None
+
+
+def exchange_code_for_tokens(auth_code: str, context: OAuthContext) -> dict[str, Any] | None:
+    """Exchange authorization code for access tokens."""
+    if not context.redirect_uri:
+        raise RuntimeError("Redirect URI missing from OAuth context")
+
+    payload = {
+        "grant_type": "authorization_code",
+        "client_id": CLAUDE_CODE_CONFIG["client_id"],
+        "code": auth_code,
+        "state": context.state,
+        "code_verifier": context.code_verifier,
+        "redirect_uri": context.redirect_uri,
+    }
+
+    headers = {
+        "Content-Type": "application/json",
+        "Accept": "application/json",
+        "anthropic-beta": "oauth-2025-04-20",
+    }
+
+    logger.info("Exchanging code for tokens: %s", CLAUDE_CODE_CONFIG["token_url"])
+    try:
+        response = httpx.post(
+            CLAUDE_CODE_CONFIG["token_url"],
+            json=payload,
+            headers=headers,
+            timeout=30,
+        )
+        logger.info("Token exchange response: %s", response.status_code)
+        if response.status_code == 200:
+            tokens: dict[str, Any] = response.json()
+            # Add expiry timestamp if not present
+            if "expires_at" not in tokens and "expires_in" in tokens:
+                tokens["expires_at"] = time.time() + tokens["expires_in"]
+            return tokens
+        logger.error("Token exchange failed: %s - %s", response.status_code, response.text)
+    except Exception as exc:
+        logger.error("Token exchange error: %s", exc)
+    return None
+
+
+def perform_oauth_flow(quiet: bool = False) -> dict[str, Any] | None:
+    """Perform full OAuth flow and return tokens."""
+    context = prepare_oauth_context()
+
+    # Start callback server
+    started = _start_callback_server(context)
+    if not started:
+        if not quiet:
+            print("❌ Could not start OAuth callback server; all ports are in use")
+        return None
+
+    server, result, event = started
+    redirect_uri = context.redirect_uri
+
+    if not redirect_uri:
+        if not quiet:
+            print("❌ Failed to assign redirect URI for OAuth flow")
+        server.shutdown()
+        return None
+
+    # Build auth URL and open browser
+    auth_url = build_authorization_url(context)
+
+    if not quiet:
+        print("\n🔐 Opening browser for Claude Code OAuth authentication...")
+        print(f"   If it doesn't open automatically, visit: {auth_url}\n")
+        print(f"   Listening for callback on {redirect_uri}")
+        print("   (Waiting up to 3 minutes...)\n")
+
+    try:
+        webbrowser.open(auth_url)
+    except Exception as exc:
+        logger.warning("Failed to open browser automatically: %s", exc)
+        if not quiet:
+            print(f"⚠️  Failed to open browser automatically: {exc}")
+            print(f"   Please open the URL manually: {auth_url}\n")
+
+    # Wait for callback
+    timeout = CLAUDE_CODE_CONFIG["callback_timeout"]
+    if not event.wait(timeout=timeout):
+        if not quiet:
+            print("❌ OAuth callback timed out. Please try again.")
+        server.shutdown()
+        return None
+
+    server.shutdown()
+
+    # Check for errors
+    if result.error:
+        if not quiet:
+            print(f"❌ OAuth callback error: {result.error}")
+        return None
+
+    # Validate state
+    if result.state != context.state:
+        if not quiet:
+            print("❌ State mismatch detected; aborting authentication for security")
+        return None
+
+    # Exchange code for tokens
+    if not quiet:
+        print("✓ Authorization code received")
+        print("  Exchanging for access token...\n")
+
+    tokens = exchange_code_for_tokens(result.code, context)  # type: ignore[arg-type]
+    if not tokens:
+        if not quiet:
+            print("❌ Token exchange failed. Please try again.")
+        return None
+
+    if not quiet:
+        print("✓ Claude Code authentication successful!")
+
+    return tokens
+
+
+def get_token_storage_path() -> Path:
+    """Get path for storing OAuth tokens."""
+    return Path.home() / ".gac.env"
+
+
+def load_stored_token() -> str | None:
+    """Load stored access token from .gac.env."""
+    from dotenv import dotenv_values
+
+    env_path = get_token_storage_path()
+    if not env_path.exists():
+        return None
+
+    env_vars = dotenv_values(str(env_path))
+    return env_vars.get("CLAUDE_CODE_ACCESS_TOKEN")
+
+
+def save_token(access_token: str) -> bool:
+    """Save access token to .gac.env and update environment."""
+    import os
+
+    from dotenv import set_key
+
+    env_path = get_token_storage_path()
+    try:
+        set_key(str(env_path), "CLAUDE_CODE_ACCESS_TOKEN", access_token)
+        # Also update the current environment so the token is immediately available
+        os.environ["CLAUDE_CODE_ACCESS_TOKEN"] = access_token
+        return True
+    except Exception as exc:
+        logger.error("Failed to save token: %s", exc)
+        return False
+
+
+def authenticate_and_save(quiet: bool = False) -> bool:
+    """Perform OAuth flow and save token."""
+    tokens = perform_oauth_flow(quiet=quiet)
+    if not tokens:
+        return False
+
+    access_token = tokens.get("access_token")
+    if not access_token:
+        if not quiet:
+            print("❌ No access token returned from authentication")
+        return False
+
+    if not save_token(access_token):
+        if not quiet:
+            print("❌ Failed to save access token")
+        return False
+
+    if not quiet:
+        print(f"✓ Access token saved to {get_token_storage_path()}")
+
+    return True

gac/providers/__init__.py

@@ -3,6 +3,7 @@
 from .anthropic import call_anthropic_api
 from .cerebras import call_cerebras_api
 from .chutes import call_chutes_api
+from .claude_code import call_claude_code_api
 from .custom_anthropic import call_custom_anthropic_api
 from .custom_openai import call_custom_openai_api
 from .deepseek import call_deepseek_api
@@ -24,6 +25,7 @@ __all__ = [
     "call_anthropic_api",
     "call_cerebras_api",
     "call_chutes_api",
+    "call_claude_code_api",
     "call_custom_anthropic_api",
     "call_custom_openai_api",
     "call_deepseek_api",

gac/providers/claude_code.py

@@ -0,0 +1,102 @@
+"""Claude Code provider implementation.
+
+This provider allows users with Claude Code subscriptions to use their OAuth tokens
+instead of paying for the expensive Anthropic API.
+"""
+
+import os
+
+import httpx
+
+from gac.errors import AIError
+
+
+def call_claude_code_api(model: str, messages: list[dict], temperature: float, max_tokens: int) -> str:
+    """Call Claude Code API using OAuth token.
+
+    This provider uses the Claude Code subscription OAuth token instead of the Anthropic API key.
+    It authenticates using Bearer token authentication with the special anthropic-beta header.
+
+    Environment variables:
+        CLAUDE_CODE_ACCESS_TOKEN: OAuth access token from Claude Code authentication
+
+    Args:
+        model: Model name (e.g., 'claude-sonnet-4-5')
+        messages: List of message dictionaries with 'role' and 'content' keys
+        temperature: Sampling temperature (0.0-1.0)
+        max_tokens: Maximum tokens in response
+
+    Returns:
+        Generated text response
+
+    Raises:
+        AIError: If authentication fails or API call fails
+    """
+    access_token = os.getenv("CLAUDE_CODE_ACCESS_TOKEN")
+    if not access_token:
+        raise AIError.authentication_error(
+            "CLAUDE_CODE_ACCESS_TOKEN not found in environment variables. "
+            "Please authenticate with Claude Code and set this token."
+        )
+
+    url = "https://api.anthropic.com/v1/messages"
+    headers = {
+        "Authorization": f"Bearer {access_token}",
+        "anthropic-version": "2023-06-01",
+        "anthropic-beta": "oauth-2025-04-20",
+        "content-type": "application/json",
+    }
+
+    # Convert messages to Anthropic format
+    # IMPORTANT: Claude Code OAuth tokens require the system message to be EXACTLY
+    # "You are Claude Code, Anthropic's official CLI for Claude." with NO additional content.
+    # Any other instructions must be moved to the user message.
+    anthropic_messages = []
+    system_instructions = ""
+
+    for msg in messages:
+        if msg["role"] == "system":
+            system_instructions = msg["content"]
+        else:
+            anthropic_messages.append({"role": msg["role"], "content": msg["content"]})
+
+    # Claude Code requires this exact system message, nothing more
+    system_message = "You are Claude Code, Anthropic's official CLI for Claude."
+
+    # Move any system instructions into the first user message
+    if system_instructions and anthropic_messages:
+        # Prepend system instructions to the first user message
+        first_user_msg = anthropic_messages[0]
+        first_user_msg["content"] = f"{system_instructions}\n\n{first_user_msg['content']}"
+
+    data = {
+        "model": model,
+        "messages": anthropic_messages,
+        "temperature": temperature,
+        "max_tokens": max_tokens,
+        "system": system_message,
+    }
+
+    try:
+        response = httpx.post(url, headers=headers, json=data, timeout=120)
+        response.raise_for_status()
+        response_data = response.json()
+        content = response_data["content"][0]["text"]
+        if content is None:
+            raise AIError.model_error("Claude Code API returned null content")
+        if content == "":
+            raise AIError.model_error("Claude Code API returned empty content")
+        return content
+    except httpx.HTTPStatusError as e:
+        if e.response.status_code == 401:
+            raise AIError.authentication_error(
+                f"Claude Code authentication failed: {e.response.text}. "
+                "Your token may have expired. Please re-authenticate."
+            ) from e
+        if e.response.status_code == 429:
+            raise AIError.rate_limit_error(f"Claude Code API rate limit exceeded: {e.response.text}") from e
+        raise AIError.model_error(f"Claude Code API error: {e.response.status_code} - {e.response.text}") from e
+    except httpx.TimeoutException as e:
+        raise AIError.timeout_error(f"Claude Code API request timed out: {str(e)}") from e
+    except Exception as e:
+        raise AIError.model_error(f"Error calling Claude Code API: {str(e)}") from e

gac/providers/custom_anthropic.py

@@ -30,7 +30,7 @@ def call_custom_anthropic_api(model: str, messages: list[dict], temperature: flo
         CUSTOM_ANTHROPIC_VERSION: API version header (optional, defaults to '2023-06-01')
 
     Args:
-        model: The model to use (e.g., 'claude-3-5-sonnet-20241022', 'claude-3-5-haiku-latest')
+        model: The model to use (e.g., 'claude-sonnet-4-5', 'claude-haiku-4-5')
         messages: List of message dictionaries with 'role' and 'content' keys
         temperature: Controls randomness (0.0-1.0)
         max_tokens: Maximum tokens in the response

gac/utils.py

@@ -1,7 +1,9 @@
 """Utility functions for gac."""
 
+import locale
 import logging
 import subprocess
+import sys
 
 from rich.console import Console
 from rich.theme import Theme
@@ -65,18 +67,47 @@ def print_message(message: str, level: str = "info") -> None:
     console.print(message, style=level)
 
 
-def run_subprocess(
+def get_safe_encodings() -> list[str]:
+    """Get a list of safe encodings to try for subprocess calls, in order of preference.
+
+    Returns:
+        List of encoding strings to try, with UTF-8 first
+    """
+    encodings = ["utf-8"]
+
+    # Add locale encoding as fallback
+    locale_encoding = locale.getpreferredencoding(False)
+    if locale_encoding and locale_encoding not in encodings:
+        encodings.append(locale_encoding)
+
+    # Windows-specific fallbacks
+    if sys.platform == "win32":
+        windows_encodings = ["cp65001", "cp936", "cp1252"]  # UTF-8, GBK, Windows-1252
+        for enc in windows_encodings:
+            if enc not in encodings:
+                encodings.append(enc)
+
+    # Final fallback to system default
+    if "utf-8" not in encodings:
+        encodings.append("utf-8")
+
+    return encodings
+
+
+def run_subprocess_with_encoding(
     command: list[str],
+    encoding: str,
     silent: bool = False,
     timeout: int = 60,
     check: bool = True,
     strip_output: bool = True,
     raise_on_error: bool = True,
 ) -> str:
-    """Run a subprocess command safely and return the output.
+    """Run subprocess with a specific encoding, handling encoding errors gracefully.
 
     Args:
         command: List of command arguments
+        encoding: Specific encoding to use
         silent: If True, suppress debug logging
         timeout: Command timeout in seconds
         check: Whether to check return code (for compatibility)
@@ -91,7 +122,7 @@ def run_subprocess(
         subprocess.CalledProcessError: If the command fails and raise_on_error is True
     """
     if not silent:
-        logger.debug(f"Running command: {' '.join(command)}")
+        logger.debug(f"Running command: {' '.join(command)} (encoding: {encoding})")
 
     try:
         result = subprocess.run(
@@ -100,6 +131,8 @@ def run_subprocess(
             text=True,
             check=False,
             timeout=timeout,
+            encoding=encoding,
+            errors="replace",  # Replace problematic characters instead of crashing
         )
 
         should_raise = result.returncode != 0 and (check or raise_on_error)
@@ -123,6 +156,11 @@ def run_subprocess(
         if raise_on_error:
             raise
         return ""
+    except UnicodeError as e:
+        # This should be rare with errors="replace", but handle it just in case
+        if not silent:
+            logger.debug(f"Encoding error with {encoding}: {e}")
+        raise
     except Exception as e:
         if not silent:
             logger.debug(f"Command error: {e}")
@@ -132,6 +170,69 @@ def run_subprocess(
         return ""
 
 
+def run_subprocess(
+    command: list[str],
+    silent: bool = False,
+    timeout: int = 60,
+    check: bool = True,
+    strip_output: bool = True,
+    raise_on_error: bool = True,
+) -> str:
+    """Run a subprocess command safely and return the output, trying multiple encodings.
+
+    Args:
+        command: List of command arguments
+        silent: If True, suppress debug logging
+        timeout: Command timeout in seconds
+        check: Whether to check return code (for compatibility)
+        strip_output: Whether to strip whitespace from output
+        raise_on_error: Whether to raise an exception on error
+
+    Returns:
+        Command output as string
+
+    Raises:
+        GacError: If the command times out
+        subprocess.CalledProcessError: If the command fails and raise_on_error is True
+
+    Note:
+        Tries multiple encodings in order: utf-8, locale encoding, platform-specific fallbacks
+        This prevents UnicodeDecodeError on systems with non-UTF-8 locales (e.g., Chinese Windows)
+    """
+    encodings = get_safe_encodings()
+    last_exception = None
+
+    for encoding in encodings:
+        try:
+            return run_subprocess_with_encoding(
+                command=command,
+                encoding=encoding,
+                silent=silent,
+                timeout=timeout,
+                check=check,
+                strip_output=strip_output,
+                raise_on_error=raise_on_error,
+            )
+        except UnicodeError as e:
+            last_exception = e
+            if not silent:
+                logger.debug(f"Failed to decode with {encoding}: {e}")
+            continue
+        except (subprocess.CalledProcessError, GacError, subprocess.TimeoutExpired):
+            # These are not encoding-related errors, so don't retry with other encodings
+            raise
+
+    # If we get here, all encodings failed with UnicodeError
+    if not silent:
+        logger.error(f"Failed to decode command output with any encoding: {encodings}")
+
+    # Raise the last UnicodeError we encountered
+    if last_exception:
+        raise subprocess.CalledProcessError(1, command, "", f"Encoding error: {last_exception}") from last_exception
+    else:
+        raise subprocess.CalledProcessError(1, command, "", "All encoding attempts failed")
+
+
 def edit_commit_message_inplace(message: str) -> str | None:
     """Edit commit message in-place using rich terminal editing.