fix(claude): only reverse-remap OAuth tool names that were forward-renamed
remapOAuthToolNames renames lowercase client-sent tools (e.g. `glob` → `Glob`) to Claude Code equivalents on OAuth requests to avoid tool-name fingerprinting. The reverse pass previously ran against a *global* reverse map and rewrote every tool_use block whose name matched any value in oauthToolRenameMap — regardless of what the client actually sent. For clients that send mixed casing (notably Amp CLI — `Bash`, `Read`, `Grep`, `Task` alongside `glob`, `skill`, etc.) this corrupted the response. Any forward rename in the request set the "renamed" flag, which then unconditionally lowercased every `Bash` in the response to `bash`. Amp's tool registry has `Bash`, not `bash`, so it rejected the tool_use with `tool "bash" is not allowed for smart mode` and tool execution failed. Fix: `remapOAuthToolNames` now returns a per-request map keyed on the upstream (TitleCase) name valued with the original client-sent name. The reverse functions take this map and only touch entries in it. Names the client sent in TitleCase pass through untouched in both directions. - Change remapOAuthToolNames signature from `([]byte, bool)` to `([]byte, map[string]string)`; populate at every rename site (tools[], tool_choice.name, message tool_use, tool_reference, nested tool_reference inside tool_result). - Change reverseRemapOAuthToolNames and reverseRemapOAuthToolNamesFromStreamLine to accept and consume the per-request map; remove the global oauthToolRenameReverseMap. - Update all three executor call sites (Execute, ExecuteStream direct passthrough, ExecuteStream translated) + count_tokens. - Add regression tests for the mixed-case scenario in both the non-streaming and SSE code paths.
This commit is contained in:
Enzo Lucchesi
@@ -65,14 +65,13 @@ var oauthToolRenameMap = map[string]string{
|
||||
"notebookedit": "NotebookEdit",
|
||||
}
|
||||
|
||||
// oauthToolRenameReverseMap is the inverse of oauthToolRenameMap for response decoding.
|
||||
var oauthToolRenameReverseMap = func() map[string]string {
|
||||
m := make(map[string]string, len(oauthToolRenameMap))
|
||||
for k, v := range oauthToolRenameMap {
|
||||
m[v] = k
|
||||
}
|
||||
return m
|
||||
}()
|
||||
// The reverse map is now computed per-request in remapOAuthToolNames so that
|
||||
// only names the client actually caused us to rewrite are restored on the
|
||||
// response. A global reverse map — as used previously — corrupted responses
|
||||
// for clients that sent mixed casing (e.g. Amp CLI sends `Bash` TitleCase
|
||||
// alongside `glob` lowercase; the request flagged renames via `glob→Glob`,
|
||||
// then the global reverse map incorrectly rewrote every `Bash` in the
|
||||
// response to `bash`, causing Amp to reject the tool_use as unknown).
|
||||
|
||||
// oauthToolsToRemove lists tool names that must be stripped from OAuth requests
|
||||
// even after remapping. Currently empty — all tools are mapped instead of removed.
|
||||
@@ -191,7 +190,7 @@ func (e *ClaudeExecutor) Execute(ctx context.Context, auth *cliproxyauth.Auth, r
|
||||
bodyForTranslation := body
|
||||
bodyForUpstream := body
|
||||
oauthToken := isClaudeOAuthToken(apiKey)
|
||||
oauthToolNamesRemapped := false
|
||||
var oauthToolNamesReverseMap map[string]string
|
||||
if oauthToken && !auth.ToolPrefixDisabled() {
|
||||
bodyForUpstream = applyClaudeToolPrefix(body, claudeToolPrefix)
|
||||
}
|
||||
@@ -199,7 +198,7 @@ func (e *ClaudeExecutor) Execute(ctx context.Context, auth *cliproxyauth.Auth, r
|
||||
// tools without official counterparts. This prevents Anthropic from
|
||||
// fingerprinting the request as third-party via tool naming patterns.
|
||||
if oauthToken {
|
||||
bodyForUpstream, oauthToolNamesRemapped = remapOAuthToolNames(bodyForUpstream)
|
||||
bodyForUpstream, oauthToolNamesReverseMap = remapOAuthToolNames(bodyForUpstream)
|
||||
}
|
||||
// Enable cch signing by default for OAuth tokens (not just experimental flag).
|
||||
// Claude Code always computes cch; missing or invalid cch is a detectable fingerprint.
|
||||
@@ -297,8 +296,8 @@ func (e *ClaudeExecutor) Execute(ctx context.Context, auth *cliproxyauth.Auth, r
|
||||
data = stripClaudeToolPrefixFromResponse(data, claudeToolPrefix)
|
||||
}
|
||||
// Reverse the OAuth tool name remap so the downstream client sees original names.
|
||||
if isClaudeOAuthToken(apiKey) && oauthToolNamesRemapped {
|
||||
data = reverseRemapOAuthToolNames(data)
|
||||
if isClaudeOAuthToken(apiKey) && len(oauthToolNamesReverseMap) > 0 {
|
||||
data = reverseRemapOAuthToolNames(data, oauthToolNamesReverseMap)
|
||||
}
|
||||
var param any
|
||||
out := sdktranslator.TranslateNonStream(
|
||||
@@ -373,7 +372,7 @@ func (e *ClaudeExecutor) ExecuteStream(ctx context.Context, auth *cliproxyauth.A
|
||||
bodyForTranslation := body
|
||||
bodyForUpstream := body
|
||||
oauthToken := isClaudeOAuthToken(apiKey)
|
||||
oauthToolNamesRemapped := false
|
||||
var oauthToolNamesReverseMap map[string]string
|
||||
if oauthToken && !auth.ToolPrefixDisabled() {
|
||||
bodyForUpstream = applyClaudeToolPrefix(body, claudeToolPrefix)
|
||||
}
|
||||
@@ -381,7 +380,7 @@ func (e *ClaudeExecutor) ExecuteStream(ctx context.Context, auth *cliproxyauth.A
|
||||
// tools without official counterparts. This prevents Anthropic from
|
||||
// fingerprinting the request as third-party via tool naming patterns.
|
||||
if oauthToken {
|
||||
bodyForUpstream, oauthToolNamesRemapped = remapOAuthToolNames(bodyForUpstream)
|
||||
bodyForUpstream, oauthToolNamesReverseMap = remapOAuthToolNames(bodyForUpstream)
|
||||
}
|
||||
// Enable cch signing by default for OAuth tokens (not just experimental flag).
|
||||
if oauthToken || experimentalCCHSigningEnabled(e.cfg, auth) {
|
||||
@@ -475,8 +474,8 @@ func (e *ClaudeExecutor) ExecuteStream(ctx context.Context, auth *cliproxyauth.A
|
||||
if isClaudeOAuthToken(apiKey) && !auth.ToolPrefixDisabled() {
|
||||
line = stripClaudeToolPrefixFromStreamLine(line, claudeToolPrefix)
|
||||
}
|
||||
if isClaudeOAuthToken(apiKey) && oauthToolNamesRemapped {
|
||||
line = reverseRemapOAuthToolNamesFromStreamLine(line)
|
||||
if isClaudeOAuthToken(apiKey) && len(oauthToolNamesReverseMap) > 0 {
|
||||
line = reverseRemapOAuthToolNamesFromStreamLine(line, oauthToolNamesReverseMap)
|
||||
}
|
||||
// Forward the line as-is to preserve SSE format
|
||||
cloned := make([]byte, len(line)+1)
|
||||
@@ -505,8 +504,8 @@ func (e *ClaudeExecutor) ExecuteStream(ctx context.Context, auth *cliproxyauth.A
|
||||
if isClaudeOAuthToken(apiKey) && !auth.ToolPrefixDisabled() {
|
||||
line = stripClaudeToolPrefixFromStreamLine(line, claudeToolPrefix)
|
||||
}
|
||||
if isClaudeOAuthToken(apiKey) && oauthToolNamesRemapped {
|
||||
line = reverseRemapOAuthToolNamesFromStreamLine(line)
|
||||
if isClaudeOAuthToken(apiKey) && len(oauthToolNamesReverseMap) > 0 {
|
||||
line = reverseRemapOAuthToolNamesFromStreamLine(line, oauthToolNamesReverseMap)
|
||||
}
|
||||
chunks := sdktranslator.TranslateStream(
|
||||
ctx,
|
||||
@@ -1009,8 +1008,25 @@ func isClaudeOAuthToken(apiKey string) bool {
|
||||
// It operates on: tools[].name, tool_choice.name, and all tool_use/tool_reference
|
||||
// references in messages. Removed tools' corresponding tool_result blocks are preserved
|
||||
// (they just become orphaned, which is safe for Claude).
|
||||
func remapOAuthToolNames(body []byte) ([]byte, bool) {
|
||||
renamed := false
|
||||
//
|
||||
// The returned map is keyed on the upstream (TitleCase) name and maps to the
|
||||
// client-supplied original name. Callers MUST pass this map to the reverse
|
||||
// functions so only names the client actually caused us to rewrite are restored
|
||||
// on the response. A global reverse map (the previous implementation) incorrectly
|
||||
// rewrote names the client originally sent in TitleCase (e.g. Amp CLI's `Bash`)
|
||||
// when any OTHER tool in the same request triggered a forward rename (e.g.
|
||||
// Amp's `glob`→`Glob`), because the global reverse map contained `Bash`→`bash`
|
||||
// regardless of what the client originally sent.
|
||||
func remapOAuthToolNames(body []byte) ([]byte, map[string]string) {
|
||||
reverseMap := make(map[string]string)
|
||||
recordRename := func(original, renamed string) {
|
||||
// Preserve the first-seen original name if the same upstream name is
|
||||
// produced from multiple call sites; they all map back identically.
|
||||
if _, exists := reverseMap[renamed]; !exists {
|
||||
reverseMap[renamed] = original
|
||||
}
|
||||
}
|
||||
|
||||
// 1. Rewrite tools array in a single pass (if present).
|
||||
// IMPORTANT: do not mutate names first and then rebuild from an older gjson
|
||||
// snapshot. gjson results are snapshots of the original bytes; rebuilding from a
|
||||
@@ -1043,7 +1059,7 @@ func remapOAuthToolNames(body []byte) ([]byte, bool) {
|
||||
updatedTool, err := sjson.Set(toolJSON, "name", newName)
|
||||
if err == nil {
|
||||
toolJSON = updatedTool
|
||||
renamed = true
|
||||
recordRename(name, newName)
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1068,7 +1084,7 @@ func remapOAuthToolNames(body []byte) ([]byte, bool) {
|
||||
body, _ = sjson.DeleteBytes(body, "tool_choice")
|
||||
} else if newName, ok := oauthToolRenameMap[tcName]; ok && newName != tcName {
|
||||
body, _ = sjson.SetBytes(body, "tool_choice.name", newName)
|
||||
renamed = true
|
||||
recordRename(tcName, newName)
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1088,14 +1104,14 @@ func remapOAuthToolNames(body []byte) ([]byte, bool) {
|
||||
if newName, ok := oauthToolRenameMap[name]; ok && newName != name {
|
||||
path := fmt.Sprintf("messages.%d.content.%d.name", msgIndex.Int(), contentIndex.Int())
|
||||
body, _ = sjson.SetBytes(body, path, newName)
|
||||
renamed = true
|
||||
recordRename(name, newName)
|
||||
}
|
||||
case "tool_reference":
|
||||
toolName := part.Get("tool_name").String()
|
||||
if newName, ok := oauthToolRenameMap[toolName]; ok && newName != toolName {
|
||||
path := fmt.Sprintf("messages.%d.content.%d.tool_name", msgIndex.Int(), contentIndex.Int())
|
||||
body, _ = sjson.SetBytes(body, path, newName)
|
||||
renamed = true
|
||||
recordRename(toolName, newName)
|
||||
}
|
||||
case "tool_result":
|
||||
// Handle nested tool_reference blocks inside tool_result.content[]
|
||||
@@ -1109,7 +1125,7 @@ func remapOAuthToolNames(body []byte) ([]byte, bool) {
|
||||
if newName, ok := oauthToolRenameMap[nestedToolName]; ok && newName != nestedToolName {
|
||||
nestedPath := fmt.Sprintf("messages.%d.content.%d.content.%d.tool_name", msgIndex.Int(), contentIndex.Int(), nestedIndex.Int())
|
||||
body, _ = sjson.SetBytes(body, nestedPath, newName)
|
||||
renamed = true
|
||||
recordRename(nestedToolName, newName)
|
||||
}
|
||||
}
|
||||
return true
|
||||
@@ -1122,13 +1138,16 @@ func remapOAuthToolNames(body []byte) ([]byte, bool) {
|
||||
})
|
||||
}
|
||||
|
||||
return body, renamed
|
||||
return body, reverseMap
|
||||
}
|
||||
|
||||
// reverseRemapOAuthToolNames reverses the tool name mapping for non-stream responses.
|
||||
// It maps Claude Code TitleCase names back to the original lowercase names so the
|
||||
// downstream client receives tool names it recognizes.
|
||||
func reverseRemapOAuthToolNames(body []byte) []byte {
|
||||
// reverseRemapOAuthToolNames reverses the tool name mapping for non-stream responses
|
||||
// using the per-request map produced by remapOAuthToolNames. Names the client sent
|
||||
// that were NOT forward-renamed are passed through unchanged.
|
||||
func reverseRemapOAuthToolNames(body []byte, reverseMap map[string]string) []byte {
|
||||
if len(reverseMap) == 0 {
|
||||
return body
|
||||
}
|
||||
content := gjson.GetBytes(body, "content")
|
||||
if !content.Exists() || !content.IsArray() {
|
||||
return body
|
||||
@@ -1138,13 +1157,13 @@ func reverseRemapOAuthToolNames(body []byte) []byte {
|
||||
switch partType {
|
||||
case "tool_use":
|
||||
name := part.Get("name").String()
|
||||
if origName, ok := oauthToolRenameReverseMap[name]; ok {
|
||||
if origName, ok := reverseMap[name]; ok {
|
||||
path := fmt.Sprintf("content.%d.name", index.Int())
|
||||
body, _ = sjson.SetBytes(body, path, origName)
|
||||
}
|
||||
case "tool_reference":
|
||||
toolName := part.Get("tool_name").String()
|
||||
if origName, ok := oauthToolRenameReverseMap[toolName]; ok {
|
||||
if origName, ok := reverseMap[toolName]; ok {
|
||||
path := fmt.Sprintf("content.%d.tool_name", index.Int())
|
||||
body, _ = sjson.SetBytes(body, path, origName)
|
||||
}
|
||||
@@ -1154,8 +1173,12 @@ func reverseRemapOAuthToolNames(body []byte) []byte {
|
||||
return body
|
||||
}
|
||||
|
||||
// reverseRemapOAuthToolNamesFromStreamLine reverses the tool name mapping for SSE stream lines.
|
||||
func reverseRemapOAuthToolNamesFromStreamLine(line []byte) []byte {
|
||||
// reverseRemapOAuthToolNamesFromStreamLine reverses the tool name mapping for SSE
|
||||
// stream lines, using the per-request reverseMap produced by remapOAuthToolNames.
|
||||
func reverseRemapOAuthToolNamesFromStreamLine(line []byte, reverseMap map[string]string) []byte {
|
||||
if len(reverseMap) == 0 {
|
||||
return line
|
||||
}
|
||||
payload := helps.JSONPayload(line)
|
||||
if len(payload) == 0 || !gjson.ValidBytes(payload) {
|
||||
return line
|
||||
@@ -1173,7 +1196,7 @@ func reverseRemapOAuthToolNamesFromStreamLine(line []byte) []byte {
|
||||
switch blockType {
|
||||
case "tool_use":
|
||||
name := contentBlock.Get("name").String()
|
||||
if origName, ok := oauthToolRenameReverseMap[name]; ok {
|
||||
if origName, ok := reverseMap[name]; ok {
|
||||
updated, err = sjson.SetBytes(payload, "content_block.name", origName)
|
||||
if err != nil {
|
||||
return line
|
||||
@@ -1183,7 +1206,7 @@ func reverseRemapOAuthToolNamesFromStreamLine(line []byte) []byte {
|
||||
}
|
||||
case "tool_reference":
|
||||
toolName := contentBlock.Get("tool_name").String()
|
||||
if origName, ok := oauthToolRenameReverseMap[toolName]; ok {
|
||||
if origName, ok := reverseMap[toolName]; ok {
|
||||
updated, err = sjson.SetBytes(payload, "content_block.tool_name", origName)
|
||||
if err != nil {
|
||||
return line
|
||||
|
||||
Reference in New Issue
Block a user