shunt-proxy 0.1.90

A local proxy that pools multiple Claude accounts behind a single endpoint, routing requests to maximise rate limits
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146

//! Credential abstraction — supports OAuth (with refresh) and static API keys.
//!
//! All provider-specific auth is gated behind this enum so the rest of the
//! codebase stays credential-type-agnostic.

use serde::{Deserialize, Serialize};

use crate::oauth::OAuthCredential;

// ---------------------------------------------------------------------------
// Credential enum
// ---------------------------------------------------------------------------

#[derive(Debug, Clone, Serialize, Deserialize)]
#[serde(tag = "type", rename_all = "lowercase")]
pub enum Credential {
    /// OAuth credential with access + refresh tokens and an expiry.
    /// Used by Anthropic (claude.ai) and OpenAI (chatgpt.com) accounts.
    Oauth(OAuthCredential),
    /// Static API key — no expiry, no refresh.
    /// Used by Groq, Mistral, OpenRouter, Gemini, Ollama Cloud, etc.
    Apikey { key: String },
}

impl Credential {
    /// The bearer token to send in `Authorization: Bearer <token>`.
    ///
    /// For OAuth accounts: prefers `id_token` over `access_token` when
    /// present (required by chatgpt.com / Codex). Falls back to
    /// `access_token` for standard Anthropic OAuth.
    ///
    /// For API-key accounts: returns the raw key directly.
    pub fn bearer_token(&self) -> &str {
        match self {
            Credential::Oauth(c) => c.id_token.as_deref().unwrap_or(&c.access_token),
            Credential::Apikey { key } => key,
        }
    }

    /// The raw `access_token` string.
    ///
    /// Used when you need the access_token specifically (e.g. token-rotation
    /// comparison in the 401 handler, Anthropic auth headers).
    ///
    /// For API-key accounts returns the key (same as `bearer_token`).
    pub fn access_token(&self) -> &str {
        match self {
            Credential::Oauth(c) => &c.access_token,
            Credential::Apikey { key } => key,
        }
    }

    /// True if the credential should be refreshed before use.
    /// Always false for API-key credentials.
    pub fn needs_refresh(&self) -> bool {
        match self {
            Credential::Oauth(c) => c.needs_refresh(),
            Credential::Apikey { .. } => false,
        }
    }

    /// Account email, if known. None for API-key credentials.
    pub fn email(&self) -> Option<&str> {
        match self {
            Credential::Oauth(c) => c.email.as_deref(),
            Credential::Apikey { .. } => None,
        }
    }

    /// True when a refresh_token is available to attempt recovery.
    /// Always false for API-key credentials.
    pub fn has_refresh_token(&self) -> bool {
        match self {
            Credential::Oauth(c) => !c.refresh_token.is_empty(),
            Credential::Apikey { .. } => false,
        }
    }

    /// Borrow the inner OAuthCredential, if this is an OAuth credential.
    pub fn as_oauth(&self) -> Option<&OAuthCredential> {
        match self {
            Credential::Oauth(c) => Some(c),
            Credential::Apikey { .. } => None,
        }
    }

    /// Mutably borrow the inner OAuthCredential.
    pub fn as_oauth_mut(&mut self) -> Option<&mut OAuthCredential> {
        match self {
            Credential::Oauth(c) => Some(c),
            Credential::Apikey { .. } => None,
        }
    }

    /// Display string for status/monitor output.
    /// Shows email for OAuth accounts, masked key for API-key accounts.
    pub fn masked_display(&self) -> String {
        match self {
            Credential::Oauth(c) => c.email.clone().unwrap_or_else(|| "oauth".to_owned()),
            Credential::Apikey { key } => {
                let suffix = &key[key.len().saturating_sub(4)..];
                format!("···{suffix}")
            }
        }
    }
}

impl From<OAuthCredential> for Credential {
    fn from(c: OAuthCredential) -> Self {
        Credential::Oauth(c)
    }
}

// ---------------------------------------------------------------------------
// Backwards-compatible deserialization for CredentialsStore
// ---------------------------------------------------------------------------

/// Deserialize a `HashMap<String, Credential>` that may contain old-format
/// entries (written before the `"type"` tag was introduced).
///
/// Old format: `{ "access_token": "...", "refresh_token": "...", ... }`
/// New format: `{ "type": "oauth", "access_token": "...", ... }`
///             `{ "type": "apikey", "key": "..." }`
pub fn deserialize_credential_map<'de, D>(
    deserializer: D,
) -> Result<std::collections::HashMap<String, Credential>, D::Error>
where
    D: serde::Deserializer<'de>,
{
    use std::collections::HashMap;
    let raw: HashMap<String, serde_json::Value> = HashMap::deserialize(deserializer)?;
    let mut out = HashMap::with_capacity(raw.len());
    for (k, v) in raw {
        let cred = if v.get("type").is_some() {
            // New tagged format — deserialize directly.
            serde_json::from_value::<Credential>(v).map_err(serde::de::Error::custom)?
        } else {
            // Legacy format — treat as OAuth.
            serde_json::from_value::<OAuthCredential>(v)
                .map(Credential::Oauth)
                .map_err(serde::de::Error::custom)?
        };
        out.insert(k, cred);
    }
    Ok(out)
}