# Phase 01: Merge PR #745 - Isolated Credentials

**PR:** https://github.com/thedotmack/claude-mem/pull/745
**Branch:** `fix/isolated-credentials-733`
**Status:** Has conflicts, needs rebase
**Review:** Approved by bayanoj330-dev
**Priority:** HIGH - Foundation for credential isolation, required by PR #847

## Summary

Fixes API key hijacking issue (#733) where SDK would use `ANTHROPIC_API_KEY` from random project `.env` files instead of Claude Code CLI subscription billing.

**Root Cause:** The SDK's `query()` function inherits from `process.env` when no `env` option is passed.

**Solution:** Centralized credential management via `~/.claude-mem/.env` with `EnvManager.ts`.

## Files Changed

| File | Change |
|------|--------|
| `src/shared/EnvManager.ts` | NEW: Centralized credential storage and isolated env builder |
| `src/services/worker/SDKAgent.ts` | Pass isolated env to SDK `query()` |
| `src/services/worker/GeminiAgent.ts` | Use `getCredential()` instead of `process.env` |
| `src/services/worker/OpenRouterAgent.ts` | Use `getCredential()` instead of `process.env` |
| `src/shared/SettingsDefaultsManager.ts` | Add `CLAUDE_MEM_CLAUDE_AUTH_METHOD` setting |

## Dependencies

- **None** - This is a foundation PR

## Tasks

- [x] Checkout PR branch `fix/isolated-credentials-733` and rebase onto main to resolve conflicts
  - ✓ Resolved 4 conflicts (3 build artifacts, 1 source file)
  - ✓ Merged both main's zombie process cleanup and PR's isolated credentials into SDKAgent.ts
  - ✓ Commit 006ff401 now sits on top of main (aedee33c)
- [ ] Review `EnvManager.ts` implementation for security and correctness
- [ ] Verify build succeeds after rebase
- [ ] Run test suite to ensure no regressions
- [ ] Merge PR #745 to main with admin override if needed
- [ ] Verify auth method shows "Claude Code CLI (subscription billing)" in logs after merge

## Verification

```bash
# After merge, check logs for correct auth method
grep -i "authMethod" ~/.claude-mem/logs/*.log | tail -5
```

## Notes

- This PR creates the `EnvManager.ts` module that PR #847 depends on
- The isolated env approach ensures SDK subprocess never sees random API keys from parent process
- If no `ANTHROPIC_API_KEY` is in `~/.claude-mem/.env`, Claude Code CLI billing is used (default)
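
A sketch of the isolation rule described in the root cause and notes above, useful as a reference when reviewing `EnvManager.ts`. This is an added example, not code from the PR: the function names `parseEnvText`, `buildIsolatedEnv` and `usesCliBilling`, the `MANAGED_KEYS` list and all sample values are assumptions made for illustration.

```typescript
// Added example: hypothetical helper names, not claude-mem's actual EnvManager.ts API.
type Env = Record<string, string | undefined>;

// Keys that must only come from the centralized file, never from the parent process.
// Only ANTHROPIC_API_KEY is named on the page; treating it as a list is an assumption.
const MANAGED_KEYS: string[] = ["ANTHROPIC_API_KEY"];

// Minimal KEY=VALUE parser for the text of ~/.claude-mem/.env (comments, blanks, quotes).
function parseEnvText(text: string): Record<string, string> {
  const out: Record<string, string> = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    const eq = line.indexOf("=");
    if (line === "" || line.charAt(0) === "#" || eq <= 0) continue;
    let value = line.slice(eq + 1).trim();
    const q = value.charAt(0);
    if (value.length >= 2 && (q === '"' || q === "'") && value.charAt(value.length - 1) === q) {
      value = value.slice(1, -1);
    }
    out[line.slice(0, eq).trim()] = value;
  }
  return out;
}

// Build the env handed to the SDK subprocess: copy the parent env minus managed keys,
// then add managed keys only when the centralized file supplies a non-empty value.
function buildIsolatedEnv(parentEnv: Env, credentialFileText: string): Record<string, string> {
  const stored = parseEnvText(credentialFileText);
  const env: Record<string, string> = {};
  for (const key of Object.keys(parentEnv)) {
    const value = parentEnv[key];
    if (value !== undefined && MANAGED_KEYS.indexOf(key) === -1) env[key] = value;
  }
  for (const key of MANAGED_KEYS) {
    if (stored[key]) env[key] = stored[key];
  }
  return env;
}

// True when no API key reaches the subprocess, i.e. the CLI subscription default applies.
function usesCliBilling(env: Record<string, string>): boolean {
  return !env["ANTHROPIC_API_KEY"];
}

// Constructed sample: a parent env polluted by a project .env file.
const pollutedParent: Env = { PATH: "/usr/bin", ANTHROPIC_API_KEY: "constructed-project-key" };
console.log(usesCliBilling(buildIsolatedEnv(pollutedParent, "")));
console.log(buildIsolatedEnv(pollutedParent, 'ANTHROPIC_API_KEY="constructed-central-key"'));
```

When reviewing the real module, the two properties to confirm are the same ones this sketch enforces: a key present only in the parent process is dropped, and an empty value in the centralized file is treated as absent.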