98 lines
6.2 KiB
Markdown
98 lines
6.2 KiB
Markdown
---
|
|
phase: 04-auth-passthrough
|
|
verified: 2026-04-10T00:00:00Z
|
|
status: passed
|
|
score: 7/7 must-haves verified
|
|
overrides_applied: 0
|
|
re_verification:
|
|
previous_status: gaps_found
|
|
previous_score: 6/7
|
|
gaps_closed:
|
|
- "OAuth token refresh can write back to the credentials file (read-write mount) — reverted from --ro-bind to --bind in both BWRAP_ARGS and dry-run block; print_audit mounts display updated to show (read-write)"
|
|
- "AUTH-01 and AUTH-02 requirements are tracked in REQUIREMENTS.md — both IDs added under v2 Authentication Passthrough section with definitions and traceability entries"
|
|
gaps_remaining: []
|
|
regressions: []
|
|
---
|
|
|
|
# Phase 04: auth-passthrough Verification Report
|
|
|
|
**Phase Goal:** Mount ~/.claude/.credentials.json read-write into the sandbox and rewrite the pre-launch audit to a unified env/mounts/network display.
|
|
**Verified:** 2026-04-10
|
|
**Status:** passed
|
|
**Re-verification:** Yes — after gap closure
|
|
|
|
## Goal Achievement
|
|
|
|
### Observable Truths
|
|
|
|
| # | Truth | Status | Evidence |
|
|
|---|-------|--------|----------|
|
|
| 1 | claudebox launches successfully when ~/.claudebox/.credentials.json exists on the host | VERIFIED | Lines 107-112: CREDS_FILE set to $HOME/.claudebox/.credentials.json; CREDS_MOUNT conditional detection; BWRAP_ARGS conditional append at lines 370-371 |
|
|
| 2 | OAuth token refresh can write back to the credentials file (read-write mount) | VERIFIED | Line 371: --bind used (not --ro-bind); line 338 dry-run block also outputs --bind; print_audit line 269 shows (read-write) label |
|
|
| 3 | claudebox launches without error when ~/.claudebox/.credentials.json does not exist | VERIFIED | CREDS_MOUNT=false path: --bind simply omitted from BWRAP_ARGS; no error or warning output |
|
|
| 4 | ANTHROPIC_API_KEY is passed into the sandbox when set on the host | VERIFIED | Line 214: HOST_ALLOWLIST includes ANTHROPIC_API_KEY; conditional --setenv applied in the loop at lines 215-221 |
|
|
| 5 | The audit screen shows all env vars in a single unified list with [~]/[>]/[+] prefixes | VERIFIED | print_audit lines 242-259: three loops — sandbox [~] (green), host [>] (yellow), extra [+] (cyan) — with literal text prefixes |
|
|
| 6 | The audit screen shows a Mounts section and a Network section after the env list | VERIFIED | Lines 265-276: Mounts section (CWD, ~/.claude, conditional credentials with read-write label); Network section ("full (host network)") |
|
|
| 7 | The --dry-run output mirrors the credential bind when the file exists | VERIFIED | Lines 337-338: conditional block prints --bind $CREDS_FILE $HOME/.claudebox/.credentials.json when CREDS_MOUNT=true |
|
|
|
|
**Score:** 7/7 truths verified
|
|
|
|
### Required Artifacts
|
|
|
|
| Artifact | Expected | Status | Details |
|
|
|----------|----------|--------|---------|
|
|
| `claudebox.sh` | Credential mount logic, updated print_audit, updated --dry-run block | VERIFIED | File exists (383 lines), substantive, all three pieces present and wired into execution path; bash -n passes |
|
|
|
|
### Key Link Verification
|
|
|
|
| From | To | Via | Status | Details |
|
|
|------|----|-----|--------|---------|
|
|
| CREDS_MOUNT detection (lines 108-112) | BWRAP_ARGS conditional append (lines 370-371) | if [[ "$CREDS_MOUNT" == true ]] | WIRED | --bind used; read-write mount |
|
|
| CREDS_MOUNT detection | dry-run display block (lines 337-338) | if [[ "$CREDS_MOUNT" == true ]] | WIRED | --bind mirrored correctly |
|
|
| print_audit function | AUDIT_SANDBOX_KEYS / AUDIT_HOST_KEYS / AUDIT_EXTRA_KEYS arrays | [~]/[>]/[+] prefix loops (lines 242-259) | WIRED | Three loops reading from correct audit arrays |
|
|
| CREDS_MOUNT | print_audit Mounts section (lines 268-270) | if [[ "$CREDS_MOUNT" == true ]] | WIRED | Conditional credentials line shows (read-write) label |
|
|
|
|
### Data-Flow Trace (Level 4)
|
|
|
|
Not applicable — claudebox.sh is a shell launcher script. All data flows are shell variable assignments and bwrap argument construction, not rendered dynamic UI components.
|
|
|
|
### Behavioral Spot-Checks
|
|
|
|
| Behavior | Command | Result | Status |
|
|
|----------|---------|--------|--------|
|
|
| Script syntax valid | bash -n claudebox.sh | SYNTAX OK | PASS |
|
|
| Credential bind is read-write (not read-only) | grep --bind.*credentials claudebox.sh | Lines 338, 371 confirm --bind | PASS |
|
|
| No --ro-bind on credentials | grep ro-bind.*credentials claudebox.sh | No output | PASS |
|
|
| [~]/[>]/[+] prefixes present | grep pattern in print_audit | Lines 244, 250, 255, 259 | PASS |
|
|
| Mounts and Network sections present | lines 265, 275 | Both sections confirmed | PASS |
|
|
| print_audit credentials label says read-write | grep read-write claudebox.sh | Lines 266, 267, 269 | PASS |
|
|
|
|
### Requirements Coverage
|
|
|
|
| Requirement | Source | Description | Status | Evidence |
|
|
|-------------|--------|-------------|--------|---------|
|
|
| AUTH-01 | REQUIREMENTS.md v2, Phase 4 | ~/.claudebox/.credentials.json bind-mounted read-write when file exists | SATISFIED | Defined in REQUIREMENTS.md lines 61-62; implemented at claudebox.sh lines 107-112, 370-371; traceability entry at line 128 |
|
|
| AUTH-02 | REQUIREMENTS.md v2, Phase 4 | Silent skip when credentials file absent | SATISFIED | Defined in REQUIREMENTS.md lines 63-64; implemented at claudebox.sh line 111 (CREDS_MOUNT=false); traceability entry at line 129 |
|
|
|
|
### Anti-Patterns Found
|
|
|
|
| File | Line | Pattern | Severity | Impact |
|
|
|------|------|---------|----------|--------|
|
|
| claudebox.sh | 276 | "full (host network)" placeholder | Info | Intentional Phase 6 placeholder; documented in SUMMARY known stubs |
|
|
|
|
### Human Verification Required
|
|
|
|
None. All must-haves are verified programmatically.
|
|
|
|
### Gaps Summary
|
|
|
|
No gaps. Both gaps from the initial verification are closed:
|
|
|
|
**Gap 1 (closed):** Credential mount is now `--bind` (read-write) in both the actual BWRAP_ARGS (line 371) and the dry-run display block (line 338). The print_audit mounts section labels credentials as `(read-write)`. The WR-01 code-review change that had introduced `--ro-bind` was reverted per the plan's original intent (OAuth refresh requires write access).
|
|
|
|
**Gap 2 (closed):** AUTH-01 and AUTH-02 are now defined in REQUIREMENTS.md under the v2 "Authentication Passthrough" section with full descriptions and traceability table entries showing Phase 4 / Complete.
|
|
|
|
---
|
|
|
|
_Verified: 2026-04-10_
|
|
_Verifier: Claude (gsd-verifier)_
|