proxyagent 0.4.0__tar.gz → 0.5.0__tar.gz

{proxyagent-0.4.0 → proxyagent-0.5.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: proxyagent
-Version: 0.4.0
+Version: 0.5.0
 Summary: Run any agent (Claude, Codex, custom) on any machine — with no API key on the machine. A secure, self-hosted proxy for models and tools.
 Project-URL: Homepage, https://github.com/teddyoweh/proxyagent
 Author-email: Spawn Labs <teddy@spawnlabs.ai>
@@ -168,6 +168,27 @@ proxyagent.run("claude-code", goal="build the app",
                proxy="https://proxy.you.com", token=token)
 ```
 
+## Harnesses & auth modes
+You run an **agent harness**, and each one can authenticate several ways. The proxy's job
+is to centralise *all* of them so the machine running the harness holds only a `pa_` token:
+
+| Harness | Provider | Auth modes |
+|---|---|---|
+| **Claude Code** | Anthropic | API key · OAuth (subscription) · AWS Bedrock · Google Vertex |
+| **Codex** | OpenAI | API key · OAuth (ChatGPT) · Azure |
+| **Gemini CLI** | Google | API key · OAuth · Vertex |
+
+Connect each mode once in the dashboard's **Harnesses** tab. API-key mode is wired today;
+Bedrock / Vertex / OAuth-refresh (the cloud-credential paths enterprises actually use) are
+being built out — the proxy holds the AWS/GCP creds and signs upstream, so the machine needs
+none. The model providers below are the *backends* for model-agnostic harnesses (aider, Cline…).
+
+## Per-token budgets
+Cap what any token can spend; once its summed cost crosses the cap, the proxy returns **402**.
+```bash
+proxyagent token new ci --budget 5.00      # this token may spend at most $5
+```
+
 ## Supported providers
 `anthropic` · `openai` · `gemini` · `groq` · `openrouter` · `mistral` · `deepseek` ·
 `xai` · `together` — Anthropic uses its Messages API; the rest are OpenAI-compatible.

{proxyagent-0.4.0 → proxyagent-0.5.0}/README.md

@@ -136,6 +136,27 @@ proxyagent.run("claude-code", goal="build the app",
                proxy="https://proxy.you.com", token=token)
 ```
 
+## Harnesses & auth modes
+You run an **agent harness**, and each one can authenticate several ways. The proxy's job
+is to centralise *all* of them so the machine running the harness holds only a `pa_` token:
+
+| Harness | Provider | Auth modes |
+|---|---|---|
+| **Claude Code** | Anthropic | API key · OAuth (subscription) · AWS Bedrock · Google Vertex |
+| **Codex** | OpenAI | API key · OAuth (ChatGPT) · Azure |
+| **Gemini CLI** | Google | API key · OAuth · Vertex |
+
+Connect each mode once in the dashboard's **Harnesses** tab. API-key mode is wired today;
+Bedrock / Vertex / OAuth-refresh (the cloud-credential paths enterprises actually use) are
+being built out — the proxy holds the AWS/GCP creds and signs upstream, so the machine needs
+none. The model providers below are the *backends* for model-agnostic harnesses (aider, Cline…).
+
+## Per-token budgets
+Cap what any token can spend; once its summed cost crosses the cap, the proxy returns **402**.
+```bash
+proxyagent token new ci --budget 5.00      # this token may spend at most $5
+```
+
 ## Supported providers
 `anthropic` · `openai` · `gemini` · `groq` · `openrouter` · `mistral` · `deepseek` ·
 `xai` · `together` — Anthropic uses its Messages API; the rest are OpenAI-compatible.

{proxyagent-0.4.0 → proxyagent-0.5.0}/proxyagent/__init__.py

@@ -16,7 +16,7 @@ from typing import Optional
 
 from .harness import run  # noqa: F401  (the headline SDK call)
 
-__version__ = "0.4.0"
+__version__ = "0.5.0"
 __all__ = ["run", "serve", "create_app", "Config", "Admin", "__version__"]
 
 

{proxyagent-0.4.0 → proxyagent-0.5.0}/proxyagent/cli.py

@@ -219,16 +219,19 @@ def token_new(
     scope: list[str] = typer.Option(["*"], "--scope", help="Allowed provider:model globs, e.g. anthropic:claude-*"),
     ttl: Optional[int] = typer.Option(None, "--ttl", help="Seconds until expiry."),
     rate: int = typer.Option(0, "--rate", help="Max requests/min (0 = unlimited)."),
+    budget: Optional[float] = typer.Option(None, "--budget", help="Max $ this token may spend."),
     proxy: str = typer.Option("http://127.0.0.1:8080", "--proxy"),
     admin: Optional[str] = typer.Option(None, "--admin"),
 ):
     """Mint a machine token — give it to a remote machine; it holds no real key."""
     if not _is_remote(proxy, admin):
-        plain, _ = _local_store().create_token(label, list(scope), ttl_seconds=ttl, rate_limit=rate)
+        plain, _ = _local_store().create_token(label, list(scope), ttl_seconds=ttl,
+                                               rate_limit=rate, budget_usd=budget)
     else:
         with _admin_client(proxy, admin) as c:
             r = c.post("/admin/tokens", json={"label": label, "scope": list(scope),
-                                              "ttl_seconds": ttl, "rate_limit": rate})
+                                              "ttl_seconds": ttl, "rate_limit": rate,
+                                              "budget_usd": budget})
         if r.status_code >= 400:
             err.print(f"[red]✗[/red] {r.text}"); raise typer.Exit(1)
         plain = r.json()["token"]

{proxyagent-0.4.0 → proxyagent-0.5.0}/proxyagent/config.py

@@ -83,6 +83,27 @@ CATALOG: dict[str, dict] = {
 }
 
 
+# Agent harnesses (what you actually RUN) and the auth modes each supports. The model
+# providers above are the *backends*; these are the agents. Auth mode availability is
+# what makes the proxy valuable — it can centralise all of them so the machine holds none.
+HARNESSES: dict[str, dict] = {
+    "claude-code": {"label": "Claude Code", "provider": "anthropic", "color": "#D97757",
+                    "install": "npm i -g @anthropic-ai/claude-code",
+                    "auth": ["api_key", "oauth", "bedrock", "vertex"]},
+    "codex":       {"label": "Codex", "provider": "openai", "color": "#10A37F",
+                    "install": "npm i -g @openai/codex",
+                    "auth": ["api_key", "oauth", "azure"]},
+    "gemini-cli":  {"label": "Gemini CLI", "provider": "gemini", "color": "#4285F4",
+                    "install": "npm i -g @google/gemini-cli",
+                    "auth": ["api_key", "oauth", "vertex"]},
+}
+AUTH_LABELS = {"api_key": "API key", "oauth": "OAuth", "bedrock": "AWS Bedrock",
+               "vertex": "Google Vertex", "azure": "Azure"}
+# Auth modes that are fully wired today (just a key swap). Others are surfaced in the
+# UI as "available" and built out (Bedrock SigV4 / Vertex token / OAuth refresh).
+AUTH_READY = {"api_key"}
+
+
 @dataclass
 class Config:
     home: Path = HOME

{proxyagent-0.4.0 → proxyagent-0.5.0}/proxyagent/server.py

@@ -15,7 +15,7 @@ from fastapi.responses import HTMLResponse, JSONResponse, StreamingResponse
 from pydantic import BaseModel
 
 from . import aliases, crypto
-from .config import CATALOG, Config, PROVIDERS
+from .config import AUTH_LABELS, AUTH_READY, CATALOG, HARNESSES, Config, PROVIDERS
 from .providers import forward, scope_allows
 from .security import token_matches
 from .store import Store, now_ms
@@ -29,6 +29,7 @@ class TokenBody(BaseModel):
     scope: list[str] = ["*"]
     ttl_seconds: int | None = None
     rate_limit: int = 0
+    budget_usd: float | None = None
 
 
 class ProviderBody(BaseModel):
@@ -66,6 +67,9 @@ def create_app(config: Config | None = None) -> FastAPI:
             raise HTTPException(401, "token expired")
         if row["rate_limit"] and store.recent_request_count(row["id"]) >= row["rate_limit"]:
             raise HTTPException(429, "rate limit exceeded")
+        budget = row.get("budget_usd")
+        if budget is not None and store.token_spend(row["id"]) >= budget:
+            raise HTTPException(402, f"token budget of ${budget:.4f} exhausted")
         store.touch_token(row["id"])
         return row
 
@@ -147,10 +151,10 @@ def create_app(config: Config | None = None) -> FastAPI:
     async def create_token(body: TokenBody, authorization: str | None = Header(None),
                            x_admin_token: str | None = Header(None)):
         require_admin(authorization, x_admin_token)
-        plain, row = store.create_token(body.label, body.scope,
-                                        ttl_seconds=body.ttl_seconds, rate_limit=body.rate_limit)
+        plain, row = store.create_token(body.label, body.scope, ttl_seconds=body.ttl_seconds,
+                                        rate_limit=body.rate_limit, budget_usd=body.budget_usd)
         return {"token": plain, "id": row["id"], "label": row["label"],
-                "scope": body.scope, "note": "shown once — store it now"}
+                "scope": body.scope, "budget_usd": body.budget_usd, "note": "shown once — store it now"}
 
     @app.get("/admin/tokens")
     async def list_tokens_ep(authorization: str | None = Header(None),
@@ -161,7 +165,8 @@ def create_app(config: Config | None = None) -> FastAPI:
             out.append({"id": t["id"], "label": t["label"], "masked": t["masked"],
                         "scope": _json.loads(t["scope_json"]), "revoked": bool(t["revoked"]),
                         "rate_limit": t["rate_limit"], "expires_ms": t["expires_ms"],
-                        "last_used_ms": t["last_used_ms"]})
+                        "last_used_ms": t["last_used_ms"], "budget_usd": t.get("budget_usd"),
+                        "spent_usd": round(store.token_spend(t["id"]), 6)})
         return {"tokens": out}
 
     @app.delete("/admin/tokens/{tid}")
@@ -218,6 +223,26 @@ def create_app(config: Config | None = None) -> FastAPI:
             raise HTTPException(404, "no such credential")
         return {"ok": True}
 
+    @app.get("/admin/harnesses")
+    async def harnesses(authorization: str | None = Header(None),
+                        x_admin_token: str | None = Header(None)):
+        require_admin(authorization, x_admin_token)
+        stored = {c["provider"] for c in store.list_credentials() if c["active"]}
+        out = []
+        for name, h in HARNESSES.items():
+            prov = PROVIDERS.get(h["provider"])
+            configured = bool(prov and prov.key) or h["provider"] in stored
+            out.append({
+                "name": name, "label": h["label"], "provider": h["provider"],
+                "color": h["color"], "install": h["install"],
+                "auth": [{"mode": m, "label": AUTH_LABELS.get(m, m),
+                          "ready": m in AUTH_READY,
+                          "connected": m == "api_key" and configured}
+                         for m in h["auth"]],
+                "configured": configured,
+            })
+        return {"harnesses": out}
+
     @app.get("/admin/catalog")
     async def catalog(authorization: str | None = Header(None),
                       x_admin_token: str | None = Header(None)):

{proxyagent-0.4.0 → proxyagent-0.5.0}/proxyagent/store.py

@@ -22,7 +22,7 @@ CREATE TABLE IF NOT EXISTS proxy_agent_tokens (
     id TEXT PRIMARY KEY, hash TEXT NOT NULL UNIQUE, label TEXT,
     scope_json TEXT NOT NULL DEFAULT '["*"]', rate_limit INTEGER NOT NULL DEFAULT 0,
     created_ms BIGINT, expires_ms BIGINT, revoked INTEGER NOT NULL DEFAULT 0,
-    last_used_ms BIGINT, masked TEXT
+    last_used_ms BIGINT, masked TEXT, budget_usd DOUBLE PRECISION
 );
 CREATE TABLE IF NOT EXISTS proxy_agent_keys (
     id TEXT PRIMARY KEY, provider TEXT NOT NULL, kind TEXT NOT NULL DEFAULT 'api_key',
@@ -47,22 +47,32 @@ class Store:
         self.db = DB(str(path), url=url)
         self.db.executescript(_SCHEMA)
         self.backend = "postgres" if self.db.pg else "sqlite"
+        # migrate older DBs created before budget_usd existed
+        try:
+            self.db.execute("ALTER TABLE proxy_agent_tokens ADD COLUMN budget_usd DOUBLE PRECISION")
+        except Exception:
+            pass
 
     # -- machine tokens ---------------------------------------------------- #
 
-    def create_token(self, label, scope, *, ttl_seconds=None, rate_limit=0):
+    def create_token(self, label, scope, *, ttl_seconds=None, rate_limit=0, budget_usd=None):
         plain = new_token()
         tid = "tok_" + uuid.uuid4().hex[:12]
         expires = now_ms() + ttl_seconds * 1000 if ttl_seconds else None
         self.db.execute(
             """INSERT INTO proxy_agent_tokens
-               (id, hash, label, scope_json, rate_limit, created_ms, expires_ms, masked)
-               VALUES (?, ?, ?, ?, ?, ?, ?, ?)""",
+               (id, hash, label, scope_json, rate_limit, created_ms, expires_ms, masked, budget_usd)
+               VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)""",
             (tid, hash_token(plain), label, json.dumps(scope), rate_limit, now_ms(),
-             expires, mask(plain)),
+             expires, mask(plain), budget_usd),
         )
         return plain, self.get_token(tid)
 
+    def token_spend(self, token_id: str) -> float:
+        r = self.db.fetchone(
+            "SELECT COALESCE(SUM(cost_usd),0) s FROM proxy_agent_calls WHERE token_id=?", (token_id,))
+        return float((r or {}).get("s", 0) or 0)
+
     def get_token(self, tid):
         return self.db.fetchone("SELECT * FROM proxy_agent_tokens WHERE id=?", (tid,))
 
@@ -88,10 +98,12 @@ class Store:
     # -- provider credentials (proxy_agent_keys) --------------------------- #
 
     def add_credential(self, provider, secret, *, kind="api_key", refresh=None,
-                       expires_ms=None, label=None, meta=None):
+                       expires_ms=None, label=None, meta=None, replace=True):
         cid = "key_" + uuid.uuid4().hex[:12]
-        # one active credential per provider: deactivate older ones
-        self.db.execute("UPDATE proxy_agent_keys SET active=0 WHERE provider=?", (provider,))
+        # replace=True (default, the UI "connect"): swap the key. replace=False adds an
+        # ADDITIONAL active key to the provider's pool for failover/rotation.
+        if replace:
+            self.db.execute("UPDATE proxy_agent_keys SET active=0 WHERE provider=?", (provider,))
         self.db.execute(
             """INSERT INTO proxy_agent_keys
                (id, provider, kind, secret, refresh, expires_ms, label, created_ms, meta_json, active)

{proxyagent-0.4.0 → proxyagent-0.5.0}/proxyagent/ui/index.html

@@ -70,13 +70,20 @@
     </div>
 
     <div class="tabs">
-      <div class="tab on" data-t="providers" onclick="tab('providers')">Providers</div>
+      <div class="tab on" data-t="harnesses" onclick="tab('harnesses')">Harnesses</div>
+      <div class="tab" data-t="providers" onclick="tab('providers')">Model endpoints</div>
       <div class="tab" data-t="tokens" onclick="tab('tokens')">Machine tokens</div>
       <div class="tab" data-t="models" onclick="tab('models')">Model routing</div>
       <div class="tab" data-t="activity" onclick="tab('activity')">Activity</div>
     </div>
 
-    <section id="t_providers">
+    <section id="t_harnesses">
+      <p class="muted" style="margin:0 0 14px">The agents you run. Connect each auth method once — the machine running the harness then holds only a <code>pa_</code> token.</p>
+      <div class="grid" id="harngrid"></div>
+    </section>
+
+    <section id="t_providers" class="hide">
+      <p class="muted" style="margin:0 0 14px">Raw model backends for model-agnostic harnesses (aider, Cline, Codex pointed elsewhere…).</p>
       <div class="grid" id="provgrid"></div>
     </section>
 
@@ -86,12 +93,13 @@
         <div class="row">
           <input id="tk_label" placeholder="label (e.g. macbook-01)"/>
           <input id="tk_scope" placeholder="scope: * or anthropic:claude-*" style="flex:1"/>
-          <input id="tk_ttl" type="number" placeholder="ttl (s)" style="width:110px"/>
+          <input id="tk_ttl" type="number" placeholder="ttl (s)" style="width:100px"/>
+          <input id="tk_budget" type="number" step="0.01" placeholder="budget $" style="width:100px"/>
           <button onclick="mintToken()">Mint</button>
         </div>
         <div id="tk_out" class="tok hide"></div>
       </div>
-      <div class="card"><table><thead><tr><th>ID</th><th>Label</th><th>Token</th><th>Scope</th><th>Status</th><th></th></tr></thead><tbody id="toks"></tbody></table></div>
+      <div class="card"><table><thead><tr><th>ID</th><th>Label</th><th>Token</th><th>Scope</th><th>Budget</th><th>Status</th><th></th></tr></thead><tbody id="toks"></tbody></table></div>
     </section>
 
     <section id="t_models" class="hide">
@@ -121,7 +129,7 @@ async function api(p,o={}){const r=await fetch(p,{...o,headers:{...H(),...(o.hea
 function val(id){return document.getElementById(id).value.trim()}
 function saveAdmin(){const v=document.getElementById("admintok").value.trim();if(v){localStorage.setItem("pa_admin",v);boot()}}
 function logout(){localStorage.removeItem("pa_admin");document.getElementById("app").classList.add("hide");document.getElementById("gate").classList.remove("hide")}
-function tab(t){document.querySelectorAll(".tab").forEach(e=>e.classList.toggle("on",e.dataset.t===t));["providers","tokens","models","activity"].forEach(s=>document.getElementById("t_"+s).classList.toggle("hide",s!==t))}
+function tab(t){document.querySelectorAll(".tab").forEach(e=>e.classList.toggle("on",e.dataset.t===t));["harnesses","providers","tokens","models","activity"].forEach(s=>document.getElementById("t_"+s).classList.toggle("hide",s!==t))}
 
 // ---- provider logos (inline, brand-tinted) ----
 const MARK={
@@ -148,9 +156,28 @@ async function boot(){
     document.getElementById("s_cost").textContent="$"+(u.usage.cost_usd||0).toFixed(4);
     document.getElementById("badge_backend").textContent=u.backend;
     document.getElementById("enc").textContent=u.encryption?"🔒 encrypted at rest":"⚠ encryption off";
-    refreshProviders();refreshTokens();refreshAliases();refreshLogs();
+    renderHarnesses();refreshProviders();refreshTokens();refreshAliases();refreshLogs();
   }catch(e){document.getElementById("gateerr").textContent="Invalid admin token."}
 }
+async function renderHarnesses(){
+  const d=await(await api("/admin/harnesses")).json();
+  document.getElementById("harngrid").innerHTML=d.harnesses.map(h=>{
+    const chips=h.auth.map(a=>{
+      const cls=a.connected?"badge on":(a.ready?"badge":"badge");
+      const tag=a.connected?"✓ connected":(a.ready?"connect":"soon");
+      return `<span class="${cls}" title="${a.ready?'available now':'coming soon'}">${a.label} · ${tag}</span>`}).join("");
+    return `<div class="prov"><div class="top">${logo(h.provider,h.color)}<div style="flex:1"><h3>${h.label}</h3><div class="ep">runs on ${h.provider}</div></div>
+      ${h.configured?'<span class="pill ok">ready</span>':'<span class="pill no">connect a key</span>'}</div>
+      <div class="badges">${chips}</div>
+      <div class="models mono" style="font-size:11px">${h.install}</div>
+      <div class="row"><button class="sm" onclick="openConnect('h_${h.name}')">Connect API key</button></div>
+      <div class="connect" id="c_h_${h.name}">
+        <input id="k_h_${h.name}" type="password" placeholder="${h.provider} API key"/>
+        <div class="row"><button class="sm" onclick="connectHarness('${h.name}','${h.provider}')">Save</button><button class="ghost sm" onclick="openConnect('h_${h.name}')">Cancel</button></div>
+      </div></div>`}).join("");
+}
+async function connectHarness(name,provider){const key=document.getElementById("k_h_"+name).value.trim();if(!key)return;
+  await api("/admin/providers",{method:"POST",body:JSON.stringify({provider,secret:key,kind:"api_key"})});renderHarnesses();refreshProviders()}
 async function refreshProviders(){
   const d=await(await api("/admin/catalog")).json();const g=document.getElementById("provgrid");
   let connected=0;
@@ -176,8 +203,8 @@ async function connect(n){const key=document.getElementById("k_"+n).value.trim()
 async function disconnect(id){await api("/admin/providers/"+id,{method:"DELETE"});refreshProviders()}
 
 async function refreshTokens(){const d=await(await api("/admin/tokens")).json();
-  document.getElementById("toks").innerHTML=d.tokens.map(t=>`<tr><td class="mono">${t.id}</td><td>${t.label||""}</td><td class="mono">${t.masked||""}</td><td class="mono">${(t.scope||[]).join(", ")}</td><td>${t.revoked?'<span class="pill no">revoked</span>':'<span class="pill ok">active</span>'}</td><td>${t.revoked?"":`<button class="danger sm" onclick="revokeTok('${t.id}')">revoke</button>`}</td></tr>`).join("")}
-async function mintToken(){const body={label:val("tk_label")||"machine",scope:(val("tk_scope")||"*").split(",").map(s=>s.trim()),ttl_seconds:parseInt(val("tk_ttl"))||null};
+  document.getElementById("toks").innerHTML=d.tokens.map(t=>`<tr><td class="mono">${t.id}</td><td>${t.label||""}</td><td class="mono">${t.masked||""}</td><td class="mono">${(t.scope||[]).join(", ")}</td><td class="mono">${t.budget_usd?('$'+(t.spent_usd||0).toFixed(4)+' / $'+(+t.budget_usd).toFixed(2)):'—'}</td><td>${t.revoked?'<span class="pill no">revoked</span>':'<span class="pill ok">active</span>'}</td><td>${t.revoked?"":`<button class="danger sm" onclick="revokeTok('${t.id}')">revoke</button>`}</td></tr>`).join("")}
+async function mintToken(){const body={label:val("tk_label")||"machine",scope:(val("tk_scope")||"*").split(",").map(s=>s.trim()),ttl_seconds:parseInt(val("tk_ttl"))||null,budget_usd:parseFloat(val("tk_budget"))||null};
   const d=await(await api("/admin/tokens",{method:"POST",body:JSON.stringify(body)})).json();
   const el=document.getElementById("tk_out");el.classList.remove("hide");el.innerHTML=`<b>Token (shown once):</b><br/><span class="mono">${d.token}</span>`;refreshTokens()}
 async function revokeTok(id){await api("/admin/tokens/"+id,{method:"DELETE"});refreshTokens()}

{proxyagent-0.4.0 → proxyagent-0.5.0}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "proxyagent"
-version = "0.4.0"
+version = "0.5.0"
 description = "Run any agent (Claude, Codex, custom) on any machine — with no API key on the machine. A secure, self-hosted proxy for models and tools."
 readme = "README.md"
 requires-python = ">=3.10"

{proxyagent-0.4.0 → proxyagent-0.5.0}/tests/test_proxy.py

@@ -165,3 +165,26 @@ def test_model_remap_reroutes_provider():
     _aliases.set_map({"gpt-4o": "anthropic:mock"})
     assert remap("openai", "gpt-4o") == ("anthropic", "mock")
     assert remap("openai", "gpt-4o-mini") == ("openai", "gpt-4o-mini")  # no match
+
+
+def test_budget_exhaustion_returns_402():
+    c = _client()
+    r = c.post("/admin/tokens", headers=ADMIN, json={"scope": ["*"], "budget_usd": 0.001})
+    tok, tid = r.json()["token"], r.json()["id"]
+    # under budget (mock costs $0) → ok
+    assert c.post("/anthropic/v1/messages", headers={"x-api-key": tok},
+                  json={"model": "mock", "messages": [{"role": "user", "content": "hi"}]}).status_code == 200
+    # record spend over the cap, then the next call is blocked
+    c.app.state.store.log_request(token_id=tid, provider="anthropic", model="x", status=200, cost_usd=0.05)
+    assert c.post("/anthropic/v1/messages", headers={"x-api-key": tok},
+                  json={"model": "mock", "messages": []}).status_code == 402
+
+
+def test_harness_catalog():
+    c = _client()
+    h = c.get("/admin/harnesses", headers=ADMIN).json()["harnesses"]
+    names = {x["name"] for x in h}
+    assert {"claude-code", "codex", "gemini-cli"} <= names
+    cc = next(x for x in h if x["name"] == "claude-code")
+    assert {a["mode"] for a in cc["auth"]} == {"api_key", "oauth", "bedrock", "vertex"}
+    assert any(a["mode"] == "api_key" and a["ready"] for a in cc["auth"])