fix(claude): use sk-ant-oat01 placeholder, drop CLAUDE_CODE_OAUTH_TOKEN env#351
Merged
dpup merged 2 commits intoMay 18, 2026
Merged
Conversation
…EN env Claude Code checks the sk-ant-oat prefix to decide whether the session is OAuth-authenticated. With the previous CLAUDE_CODE_OAUTH_TOKEN=moat-proxy-injected env var, Claude Code did not recognize the session as OAuth and skipped the OAuth code paths that determine account capabilities (e.g. 1M context window availability for subscription accounts). Replace the env var with a .credentials.json containing an sk-ant-oat01-* placeholder. The real token is still injected by the proxy at the network layer; the placeholder never reaches Anthropic's servers. - Add credential.ClaudeOAuthPlaceholder constant - containerEnvForCredential and OAuthProvider.ContainerEnv return nil for the "claude" provider so Claude Code reads .credentials.json instead of the env var - WriteCredentialsFile writes the new placeholder
abezzub-dr
force-pushed
the
fix/claude-oauth-placeholder-token
branch
from
66644c3 to
bfe9477
Compare
TestStartNoFirewallWhenNotEnabled was flaky on CI. The test installs a Store backed by t.TempDir() on the Run, but never stops the monitor goroutine that Start() spawns. captureLogs inside monitorContainerExit opens <store>/logs.jsonl, racing with the testing framework's TempDir cleanup: depending on scheduling the test failed with either "directory not empty" (cleanup interleaved with the goroutine's file creation) or warning logs about "no such file or directory" (cleanup finished first). Register a t.Cleanup after the store t.TempDir() call. Because Cleanup runs LIFO, this fires before the temp dir is removed: monitorCancel unblocks WaitContainer, monitorWg.Wait blocks until captureLogs and cleanupResources finish, and only then does t.TempDir() proceed. Reproduced 6/20 failures without the fix; 100 race-enabled runs pass after it.
dpup
approved these changes
May 18, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Split out of #308 per @dpup's review.
Claude Code checks the
sk-ant-oatprefix to decide whether the session is OAuth-authenticated. With the previousCLAUDE_CODE_OAUTH_TOKEN=moat-proxy-injectedenv var, Claude Code did not recognize the session as OAuth and skipped the OAuth code paths that determine account capabilities (e.g. 1M context window availability for subscription accounts).Replace the env var with a
.credentials.jsoncontaining ansk-ant-oat01-*placeholder. The real token is still injected by the proxy at the network layer; the placeholder never reaches Anthropic's servers.credential.ClaudeOAuthPlaceholderconstantcontainerEnvForCredentialandOAuthProvider.ContainerEnvreturnnilfor theclaudeprovider so Claude Code reads.credentials.jsoninstead of the env varWriteCredentialsFilewrites the new placeholderTest plan
make test-unit(unrelatedinternal/depsURL-reachability failures only)make lintmoat clauderecognizes OAuth session and shows subscription tier