fix: address Greptile P1 security + CodeRabbit follow-ups on PR #2302

- EnvManager: add ANTHROPIC_AUTH_TOKEN to BLOCKED_ENV_VARS so a token
  inherited from the parent shell can no longer short-circuit the OAuth
  lookup at SDK spawn time. Mirrors the ANTHROPIC_API_KEY treatment
  added in issue #733. Explicit gateway tokens in
  ~/.claude-mem/.env are still re-injected by buildIsolatedEnv().
- install.ts: extract resolveClaudeAuthMethod() that returns a stored
  CLAUDE_MEM_CLAUDE_AUTH_METHOD when present and otherwise infers
  the mode from ~/.claude-mem/.env (ANTHROPIC_BASE_URL → gateway,
  ANTHROPIC_API_KEY → api-key, else subscription). persistClaudeProvider,
  the interactive Claude auth flow, and promptClaudeModel now use it,
  so older installs that pre-date the setting are no longer
  misclassified as 'subscription' (which would clear working
  credentials and disable custom gateway models).
- configureDirectApiKey: when an Anthropic API key already exists,
  prompt to keep or rotate it instead of silently re-saving — restores
  the ability to update a revoked or rotated key from the installer
  without losing the cancel-safe behaviour added in 7f3686fd.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Alex Newman
2026-05-04 20:59:11 -07:00
parent 7f3686fd2c
commit 5edf1557c4
2 changed files with 45 additions and 23 deletions
+4
View File
@@ -13,6 +13,10 @@ export const ENV_FILE_PATH = paths.envFile();
const BLOCKED_ENV_VARS = [
'ANTHROPIC_API_KEY', // Issue #733: Prevent auto-discovery from project .env files
'ANTHROPIC_AUTH_TOKEN', // Same leak risk as ANTHROPIC_API_KEY; a token inherited from the
// shell would otherwise short-circuit OAuth lookup at spawn time.
// The fresh token from ~/.claude-mem/.env is re-injected below
// when explicit gateway credentials are configured.
'CLAUDECODE', // Prevent "cannot be launched inside another Claude Code session" error
'CLAUDE_CODE_OAUTH_TOKEN', // Issue #2215: prevent stale parent-process token from leaking into
// isolated env. The fresh token is read from the keychain at spawn