hailin
/
it0
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

feat: enable SDK subscription mode with OAuth credentials mount 

- Mount ~/.claude/ into agent-service container for OAuth token access
- Switch default engine to claude_agent_sdk
- Remove ANTHROPIC_API_KEY from env in subscription mode so SDK uses OAuth
- Keep API key mode for per-tenant billing

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
hailin 2026-02-23 06:14:45 -08:00
parent 9126225317
commit b963b7d4da
2 changed files with 10 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
deploy/docker/docker-compose.yml
View File

@ -118,6 +118,8 @@ services:
restart: unless-stopped restart: unless-stopped
ports: ports:
- "13002:3002" - "13002:3002"
volumes:
- ${HOME}/.claude:/root/.claude:ro
environment: environment:
- DB_HOST=postgres - DB_HOST=postgres
- DB_PORT=5432 - DB_PORT=5432
@ -127,7 +129,7 @@ services:
- REDIS_URL=redis://redis:6379 - REDIS_URL=redis://redis:6379
- ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY} - ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY}
- ANTHROPIC_BASE_URL=${ANTHROPIC_BASE_URL} - ANTHROPIC_BASE_URL=${ANTHROPIC_BASE_URL}
- AGENT_ENGINE_TYPE=claude_api - AGENT_ENGINE_TYPE=claude_agent_sdk
- AGENT_SERVICE_PORT=3002 - AGENT_SERVICE_PORT=3002
healthcheck: healthcheck:
test: ["CMD-SHELL", "node -e \"require('http').get('http://localhost:3002/',r=>{process.exit(r.statusCode<500?0:1)}).on('error',()=>process.exit(1))\""] test: ["CMD-SHELL", "node -e \"require('http').get('http://localhost:3002/',r=>{process.exit(r.statusCode<500?0:1)}).on('error',()=>process.exit(1))\""]

8
packages/services/agent-service/src/infrastructure/engines/claude-agent-sdk/claude-agent-sdk-engine.ts
View File

@ -50,7 +50,7 @@ export class ClaudeAgentSdkEngine implements AgentEnginePort {
const tenantId = TenantContextService.getTenantId(); const tenantId = TenantContextService.getTenantId();
const tenantConfig = await this.tenantConfigService.findByTenantId(tenantId); const tenantConfig = await this.tenantConfigService.findByTenantId(tenantId);
// Build environment — subscription mode uses inherited CLI auth, api_key mode overrides // Build environment — subscription mode uses OAuth from ~/.claude/.credentials.json
const env: Record<string, string> = { ...process.env } as Record<string, string>; const env: Record<string, string> = { ...process.env } as Record<string, string>;
// Disable TLS verification for proxy endpoints (self-signed certs) // Disable TLS verification for proxy endpoints (self-signed certs)
const baseURL = this.configService.get<string>('ANTHROPIC_BASE_URL'); const baseURL = this.configService.get<string>('ANTHROPIC_BASE_URL');
@ -59,12 +59,16 @@ export class ClaudeAgentSdkEngine implements AgentEnginePort {
env.ANTHROPIC_BASE_URL = baseURL; env.ANTHROPIC_BASE_URL = baseURL;
} }
if (tenantConfig?.billingMode === 'api_key') { if (tenantConfig?.billingMode === 'api_key') {
// Tenant uses their own API key
try { try {
env.ANTHROPIC_API_KEY = this.tenantConfigService.decryptApiKey(tenantConfig); env.ANTHROPIC_API_KEY = this.tenantConfigService.decryptApiKey(tenantConfig);
} catch (err) { } catch (err) {
yield { type: 'error', message: 'Tenant API key not configured or invalid', code: 'API_KEY_ERROR' }; yield { type: 'error', message: 'Tenant API key not configured or invalid', code: 'API_KEY_ERROR' };
return; return;
} }
} else {
// Subscription mode: remove API key so SDK uses OAuth credentials
delete env.ANTHROPIC_API_KEY;
} }
// Create approval gate with tenant-configurable timeout // Create approval gate with tenant-configurable timeout
@ -244,6 +248,8 @@ export class ClaudeAgentSdkEngine implements AgentEnginePort {
yield { type: 'error', message: 'Tenant API key invalid', code: 'API_KEY_ERROR' }; yield { type: 'error', message: 'Tenant API key invalid', code: 'API_KEY_ERROR' };
return; return;
} }
} else {
delete env.ANTHROPIC_API_KEY;
} }
const timeoutSec = tenantConfig?.approvalTimeoutSeconds ?? 120; const timeoutSec = tenantConfig?.approvalTimeoutSeconds ?? 120;