scud-cli 1.67.0

Fast, simple task master for AI-driven development
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157

//! OAuth token reader for Claude Code's macOS Keychain credentials.
//!
//! Reads OAuth tokens stored by Claude Code in the macOS Keychain,
//! enabling direct Anthropic API calls using subscription billing (Pro/Max).

use anyhow::{Context, Result};
use serde::Deserialize;

/// OAuth credentials stored by Claude Code
#[derive(Debug, Deserialize)]
#[serde(rename_all = "camelCase")]
pub struct ClaudeOAuthCredentials {
    pub access_token: String,
    pub refresh_token: String,
    pub expires_at: u64,
}

#[derive(Debug, Deserialize)]
#[serde(rename_all = "camelCase")]
struct KeychainData {
    claude_ai_oauth: Option<ClaudeOAuthCredentials>,
}

/// API credential type resolved from available sources
#[derive(Debug)]
pub enum ApiCredential {
    /// Bearer token from Claude Code OAuth (subscription billing)
    OAuth(String),
    /// Standard x-api-key (API billing)
    ApiKey(String),
}

/// Read OAuth credentials from Claude Code's macOS Keychain entry.
///
/// Returns `Ok(None)` if no credentials are stored (e.g. Claude Code
/// not installed or user not logged in).
pub fn read_claude_oauth() -> Result<Option<ClaudeOAuthCredentials>> {
    let output = std::process::Command::new("security")
        .args([
            "find-generic-password",
            "-s",
            "Claude Code-credentials",
            "-w",
        ])
        .output()
        .context("Failed to read from macOS Keychain")?;

    if !output.status.success() {
        return Ok(None);
    }

    let json_str = String::from_utf8(output.stdout).context("Keychain data is not valid UTF-8")?;
    let data: KeychainData =
        serde_json::from_str(json_str.trim()).context("Failed to parse keychain JSON")?;

    Ok(data.claude_ai_oauth)
}

/// Check if an OAuth token is still valid (with 5-minute buffer).
pub fn is_token_valid(creds: &ClaudeOAuthCredentials) -> bool {
    let now_ms = std::time::SystemTime::now()
        .duration_since(std::time::UNIX_EPOCH)
        .unwrap()
        .as_millis() as u64;
    creds.expires_at > now_ms + 300_000
}

/// Resolve the best available API credential for Anthropic.
///
/// Priority: OAuth token (subscription) > ANTHROPIC_API_KEY env var.
pub fn resolve_anthropic_credential() -> Result<ApiCredential> {
    // Try OAuth first
    if let Ok(Some(creds)) = read_claude_oauth() {
        if is_token_valid(&creds) {
            return Ok(ApiCredential::OAuth(creds.access_token));
        }
        tracing::warn!("Claude Code OAuth token expired, falling back to API key");
    }

    // Fall back to API key
    if let Ok(key) = std::env::var("ANTHROPIC_API_KEY") {
        return Ok(ApiCredential::ApiKey(key));
    }

    anyhow::bail!(
        "No Anthropic credentials available. Either:\n\
         - Log in to Claude Code (`claude` CLI) for OAuth, or\n\
         - Set ANTHROPIC_API_KEY environment variable"
    )
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_is_token_valid_future_expiry() {
        let future_ms = std::time::SystemTime::now()
            .duration_since(std::time::UNIX_EPOCH)
            .unwrap()
            .as_millis() as u64
            + 3_600_000; // 1 hour from now

        let creds = ClaudeOAuthCredentials {
            access_token: "test-token".to_string(),
            refresh_token: "test-refresh".to_string(),
            expires_at: future_ms,
        };

        assert!(is_token_valid(&creds));
    }

    #[test]
    fn test_is_token_valid_past_expiry() {
        let creds = ClaudeOAuthCredentials {
            access_token: "test-token".to_string(),
            refresh_token: "test-refresh".to_string(),
            expires_at: 1000, // Way in the past
        };

        assert!(!is_token_valid(&creds));
    }

    #[test]
    fn test_is_token_valid_within_buffer() {
        // Token expires in 2 minutes - within 5 minute buffer, should be invalid
        let now_ms = std::time::SystemTime::now()
            .duration_since(std::time::UNIX_EPOCH)
            .unwrap()
            .as_millis() as u64;

        let creds = ClaudeOAuthCredentials {
            access_token: "test-token".to_string(),
            refresh_token: "test-refresh".to_string(),
            expires_at: now_ms + 120_000, // 2 minutes from now
        };

        assert!(!is_token_valid(&creds));
    }

    #[test]
    fn test_keychain_data_deserialization() {
        let json = r#"{"claudeAiOauth": {"accessToken": "sk-ant-oat01-test", "refreshToken": "refresh-123", "expiresAt": 9999999999999}}"#;
        let data: KeychainData = serde_json::from_str(json).unwrap();
        let creds = data.claude_ai_oauth.unwrap();
        assert_eq!(creds.access_token, "sk-ant-oat01-test");
        assert_eq!(creds.refresh_token, "refresh-123");
        assert_eq!(creds.expires_at, 9999999999999);
    }

    #[test]
    fn test_keychain_data_missing_oauth() {
        let json = r#"{}"#;
        let data: KeychainData = serde_json::from_str(json).unwrap();
        assert!(data.claude_ai_oauth.is_none());
    }
}