Skip to content

fix(server,core): clarify Claude auth posture on per-user installs (#1983 hardening)#2002

Merged
Wirasm merged 2 commits into
devfrom
fix/claude-auth-posture-hardening
Jun 26, 2026
Merged

fix(server,core): clarify Claude auth posture on per-user installs (#1983 hardening)#2002
Wirasm merged 2 commits into
devfrom
fix/claude-auth-posture-hardening

Conversation

@Wirasm

@Wirasm Wirasm commented Jun 15, 2026

Copy link
Copy Markdown
Collaborator

Summary

UX Journey

Before

Per-user install (no shared Claude key), user has connected a subscription:
  boot ──▶ forces CLAUDE_USE_GLOBAL_AUTH=true (sentinel)
  chat ──▶ provider logs `using_global_auth`  [!] (misleading — token IS delivered per-request)
  no-cred case ──▶ "Claude Code returned an error result" / raw "Not logged in"  [!] generic

After

Per-user install:
  boot ──▶ [skips the sentinel] — auth is per-request; boot check accepts per-user posture
  chat ──▶ no misleading global-auth signal
  no-cred case ──▶ *"Not logged in … Connect a subscription or API key in Settings → Agents …"*

Architecture Diagram

After

server/index.ts ── shouldDefaultClaudeGlobalAuth(env) [+]  ─┐
                ── hasClaudeBootAuthPosture(env)      [+]  ─┴─▶ boot/claude-auth-posture.ts [+] (pure, tested)
orchestrator (isError result) ── errorDetail (subtype + errors) [~] ─▶ classifyAndFormatError
error-formatter ── not-logged-in pattern [+]

Connection inventory:

From To Status Notes
server/index.ts boot/claude-auth-posture new pure env→bool helpers, imported early
orchestrator (isError handler) utils/error-formatter modified carries SDK error detail, not just subtype
claude/provider.ts header modified stale auth comment corrected

Label Snapshot

  • Risk: risk: low
  • Size: size: S
  • Scope: server, core, tests
  • Module: server:boot, core:orchestrator, core:utils, providers:claude (comment only)

Change Metadata

  • Change type: bug (hardening / clarity)
  • Primary scope: multi (server + core)

Linked Issue

Validation Evidence (required)

bun run validate   # all guards + type-check + lint + format:check + batched tests
  • Evidence: bun run validate green. New/updated tests:
    • packages/server/src/boot/claude-auth-posture.test.ts — env matrix for both helpers (solo→default, per-user→skip, explicit creds, operator-set, empty-string).
    • packages/core/src/utils/error-formatter.test.ts — not-logged-in cases (names connect surfaces, doesn't leak raw string).
    • Registered the new server test in @archon/server package.json batch.
  • Skipped: none.

Security Impact (required)

  • New permissions/capabilities? No
  • New external network calls? No
  • Secrets/tokens handling changed? No — only changes whether a non-secret boot sentinel is set; no credential read/delivery path touched.
  • File system access scope changed? No

Compatibility / Migration

  • Backward compatible? Yes — solo installs behave identically (verified by test: no creds → default true; explicit creds → false; operator-set → never overridden).
  • Config/env changes? No
  • Database migration needed? No

Human Verification (required)

Side Effects / Blast Radius (required)

  • Affected subsystems: server boot auth posture, chat error formatting.
  • Potential unintended effects: a per-user install with NO shared Claude key and NO connected per-user creds will still pass the boot check (via TOKEN_ENCRYPTION_KEY) and surface the actionable not-logged-in message at chat time — intended.
  • Guardrails: boot claude_credentials_missing warn still fires when nothing resolves; ai_result_error log on failed turns.

Rollback Plan (required)

  • Fast rollback: revert this PR (additive helper + 3 small edits).
  • Feature toggles: none.
  • Observable failure symptoms: server exit(1) at boot with "no_ai_credentials" on an install that should be valid (would indicate hasClaudeBootAuthPosture regressed).

Risks and Mitigations

  • Risk: a deployment that relied on the implicit CLAUDE_USE_GLOBAL_AUTH=true auto-default AND had TOKEN_ENCRYPTION_KEY set but expected global auth.
    • Mitigation: such an install can set CLAUDE_USE_GLOBAL_AUTH=true explicitly (the helper never overrides an explicit value). Per-user installs are precisely the ones that should NOT use a shared global login.

Summary by CodeRabbit

  • Bug Fixes
    • Improved AI operation error messages by including richer SDK-provided error details when failures occur.
    • Enhanced “not logged in / run /login” detection with clearer provider guidance, including the relevant connection setup surfaces and safer handling to avoid leaking sensitive underlying text.
    • Updated Claude authentication posture so boot-time defaults and credential validation behave more consistently for different credential configurations.
  • Documentation
    • Clarified Claude subprocess authentication behavior and how credentials/environment values are used.
  • Tests
    • Added coverage for error classification and startup authentication posture decisions.

…1983 hardening)

Follow-up hardening to the #1983/#1984 investigation. No behavior change for
solo installs; removes the misleading global-auth signal on per-user installs
and makes the not-logged-in case actionable.

- Extract the boot auth-posture decision into pure, testable helpers
  (server/src/boot/claude-auth-posture.ts): `shouldDefaultClaudeGlobalAuth`
  and `hasClaudeBootAuthPosture`. The `CLAUDE_USE_GLOBAL_AUTH=true` boot
  auto-default is now SKIPPED when per-user keys are enabled
  (TOKEN_ENCRYPTION_KEY) — those installs deliver Claude auth per-request, so
  the sentinel was misleading (it made the Claude provider log
  `using_global_auth` on installs that authenticated fine, which derailed the
  #1983 triage). The boot credential check now treats per-user-keys as a valid
  posture so a per-user-only install (no shared Claude key) doesn't exit(1).
- Fix the stale auth comment in claude/provider.ts: `buildSubprocessEnv` has
  not filtered env tokens since #1067; document that per-request
  `requestOptions.env` merges last and that CLAUDE_USE_GLOBAL_AUTH is an
  Archon-only boot sentinel the CLI ignores.
- Make the "Not logged in" chat error actionable: carry the SDK error detail
  (not just the subtype) into classifyAndFormatError, and add a not-logged-in
  pattern that names the connect surfaces (Settings → Agents / `claude /login`
  / CLAUDE_API_KEY) instead of leaking the raw CLI string.

Tests: claude-auth-posture.test.ts (env matrix), error-formatter not-logged-in
cases. Solo path unchanged (no creds → still defaults to global auth).

Closes #1983.
@Wirasm Wirasm added the bug Something is broken label Jun 15, 2026
@coderabbitai

coderabbitai Bot commented Jun 15, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: b9662c85-b2ec-4a4c-ae75-db283aaed199

📥 Commits

Reviewing files that changed from the base of the PR and between fbf7ede and d132ae8.

📒 Files selected for processing (2)
  • packages/server/src/boot/claude-auth-posture.test.ts
  • packages/server/src/boot/claude-auth-posture.ts
🚧 Files skipped from review as they are similar to previous changes (2)
  • packages/server/src/boot/claude-auth-posture.test.ts
  • packages/server/src/boot/claude-auth-posture.ts

📝 Walkthrough

Walkthrough

Moves Claude boot auth checks into a dedicated helper, updates server boot wiring and tests, adds a Claude provider auth comment update, and introduces not-logged-in error classification using richer orchestrator error context.

Changes

Claude Auth Posture and Error Handling

Layer / File(s) Summary
Claude auth posture module and boot wiring
packages/server/src/boot/claude-auth-posture.ts, packages/server/src/boot/claude-auth-posture.test.ts, packages/server/src/index.ts, packages/server/package.json, packages/providers/src/claude/provider.ts
claude-auth-posture.ts exports shouldDefaultClaudeGlobalAuth and hasClaudeBootAuthPosture as pure env-to-boolean functions. index.ts imports them and replaces inline CLAUDE_* env checks at boot. Tests cover default, per-user, explicit-credential, explicit-override, and empty-string scenarios. The server test script is updated, and the Claude provider header comment is revised to document env merge order and CLAUDE_USE_GLOBAL_AUTH.
Not-logged-in error classification and richer SDK error context
packages/core/src/utils/error-formatter.ts, packages/core/src/utils/error-formatter.test.ts, packages/core/src/orchestrator/orchestrator-agent.ts
classifyAndFormatError gains an early branch detecting "Not logged in" / "Please run /login" and returning a Settings → Agents guidance message. Orchestrator streaming and batch error paths now build syntheticError from msg.errorSubtype plus joined msg.errors entries instead of subtype alone, feeding the new classifier with full SDK context. Two tests validate correct classification and no raw-message leakage.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • coleam00/Archon#1089: Updates the same orchestrator error path and error formatting flow that this PR extends with richer SDK error text.
  • coleam00/Archon#1662: Touches the same errorSubtype === 'success' handling in orchestrator-agent.ts that this PR preserves while changing synthetic error construction.
  • coleam00/Archon#1045: Overlaps with the Claude boot defaulting and credential detection logic in packages/server/src/index.ts that this PR refactors into a helper module.

Suggested labels

architecture

🐇 I thumped through the boot-time mist,
found auth rules tucked in a helper list.
"Not logged in?" said I, "No need to frown—
just point to Settings → Agents and settle down."
With env clues joined and errors clarified,
the little Claude keys now travel upright.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly summarizes the main server and core auth-posture hardening for per-user Claude installs.
Description check ✅ Passed The description covers the required sections and is mostly complete, with only minor template details abbreviated.
Linked Issues check ✅ Passed The changes align with #1983 by fixing per-user Claude auth posture and making the missing-credential error actionable.
Out of Scope Changes check ✅ Passed The remaining edits are supporting changes for the same auth and error-handling work, with no unrelated scope apparent.
Docstring Coverage ✅ Passed Docstring coverage is 83.33% which is sufficient. The required threshold is 80.00%.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/claude-auth-posture-hardening

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/server/src/boot/claude-auth-posture.ts`:
- Around line 35-40: The hasClaudeBootAuthPosture function uses truthiness to
check the CLAUDE_USE_GLOBAL_AUTH environment variable, which incorrectly treats
the string 'false' as truthy and counts it as valid auth posture. Replace the
CLAUDE_USE_GLOBAL_AUTH condition in the Boolean check with an explicit equality
comparison (=== 'true') to ensure only the string 'true' is treated as a valid
Claude authentication posture.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: ad264f5a-dc5c-402c-82ac-ac5629de200a

📥 Commits

Reviewing files that changed from the base of the PR and between e77a338 and fbf7ede.

📒 Files selected for processing (8)
  • packages/core/src/orchestrator/orchestrator-agent.ts
  • packages/core/src/utils/error-formatter.test.ts
  • packages/core/src/utils/error-formatter.ts
  • packages/providers/src/claude/provider.ts
  • packages/server/package.json
  • packages/server/src/boot/claude-auth-posture.test.ts
  • packages/server/src/boot/claude-auth-posture.ts
  • packages/server/src/index.ts

Comment thread packages/server/src/boot/claude-auth-posture.ts
…posture

hasClaudeBootAuthPosture used plain truthiness on the sentinel, so an explicit
CLAUDE_USE_GLOBAL_AUTH=false (which setup.ts writes) wrongly counted as a valid
Claude auth posture and suppressed the no-credentials boot warn/exit. Parse it
enabled-only (=== 'true'), matching the codebase convention (ARCHON_DOCKER,
ARCHON_AUTH_OPEN_SIGNUP). Adds regression tests for the 'false' and
arbitrary-value cases.

Addresses CodeRabbit review on claude-auth-posture.ts.
@Wirasm Wirasm merged commit 658f487 into dev Jun 26, 2026
4 checks passed
@Wirasm Wirasm deleted the fix/claude-auth-posture-hardening branch June 26, 2026 11:02
@Wirasm Wirasm mentioned this pull request Jun 26, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

bug Something is broken

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant