Description
Add native Anthropic OAuth (Claude Pro/Max subscription) authentication to openab-agent, alongside the existing Codex OAuth and Anthropic API-key paths.
- New CLI:
openab-agent auth anthropic-oauth [--no-browser] — PKCE browser/paste login against claude.ai.
- New OAuth mode on
AnthropicProvider: Bearer token + Claude Code identity headers (anthropic-beta: claude-code-20250219,oauth-2025-04-20, x-app: cli) and the required Claude Code system block; tool-name normalisation (read↔Read, …).
- Stored as a new
anthropic-oauth tenant in ~/.openab/agent/auth.json (namespaced next to codex); JSON token exchange + scope-less refresh.
- Provider auto-detect order: Anthropic API key → Anthropic OAuth → Codex OAuth.
Use Case
Today openab-agent can only reach Anthropic via ANTHROPIC_API_KEY (pay-per-token). Codex already supports subscription login, but Claude Pro/Max subscribers cannot use their subscription with the native agent. This lets users run openab-agent on the Claude subscription they already pay for, with no API key — matching the Codex experience and lowering the barrier for the default native backend.
Proposed Solution
Port the flow from the Pi agent's packages/ai/src/utils/oauth/anthropic.ts + anthropic-messages.ts:
auth.rs namespaced token store (load/save/refresh _for(provider)),
login_anthropic_browser_flow(), per-provider refresh encoding
llm.rs AnthropicAuth { ApiKey | OAuth }; OAuth headers + CC system +
tool-name normalisation; select_provider wiring
acp.rs session/model selection via AnthropicProvider::auto*()
main.rs `auth anthropic-oauth` subcommand
Also bumps the stale default model claude-sonnet-4-20250514 → claude-opus-4-8 (the old dated snapshot 404s on the subscription endpoint).
Status: implemented and validated end-to-end on a real Pro/Max account — login, a live claude-opus-4-8 chat, and a real bash tool call all succeed; cargo build clean (0 warnings), 194 unit tests pass. PR to follow.
Out of scope (separate follow-up): GitHub Copilot OAuth (device-flow + two-tier token — structurally different).
Description
Add native Anthropic OAuth (Claude Pro/Max subscription) authentication to
openab-agent, alongside the existing Codex OAuth and Anthropic API-key paths.openab-agent auth anthropic-oauth [--no-browser]— PKCE browser/paste login againstclaude.ai.AnthropicProvider:Bearertoken + Claude Code identity headers (anthropic-beta: claude-code-20250219,oauth-2025-04-20,x-app: cli) and the required Claude Code system block; tool-name normalisation (read↔Read, …).anthropic-oauthtenant in~/.openab/agent/auth.json(namespaced next tocodex); JSON token exchange + scope-less refresh.Use Case
Today
openab-agentcan only reach Anthropic viaANTHROPIC_API_KEY(pay-per-token). Codex already supports subscription login, but Claude Pro/Max subscribers cannot use their subscription with the native agent. This lets users runopenab-agenton the Claude subscription they already pay for, with no API key — matching the Codex experience and lowering the barrier for the default native backend.Proposed Solution
Port the flow from the Pi agent's
packages/ai/src/utils/oauth/anthropic.ts+anthropic-messages.ts:Also bumps the stale default model
claude-sonnet-4-20250514→claude-opus-4-8(the old dated snapshot 404s on the subscription endpoint).Status: implemented and validated end-to-end on a real Pro/Max account — login, a live
claude-opus-4-8chat, and a realbashtool call all succeed;cargo buildclean (0 warnings), 194 unit tests pass. PR to follow.Out of scope (separate follow-up): GitHub Copilot OAuth (device-flow + two-tier token — structurally different).