# Phase 4: Auth Passthrough - Discussion Log

> **Audit trail only.** Do not use as input to planning, research, or execution agents.
> Decisions captured in CONTEXT.md — this log preserves the Q&A.

**Date:** 2026-04-10
**Phase:** 04-auth-passthrough
**Mode:** discuss
**Areas discussed:** Missing credentials fallback, Audit display, API key + OAuth coexistence, Which credential files

---

## Areas Discussed

### Missing credentials fallback

| Question | Options | Selected |
|----------|---------|----------|
| What should happen if ~/.claude/.credentials.json doesn't exist on the host? | Skip silently / Warn in audit / Hard error | Skip silently |

**Rationale:** No credentials = no subscription access inside sandbox. Claude will prompt to log in. No need to warn or error.

---

### Audit display

| Question | Options | Selected |
|----------|---------|----------|
| Should the credential mount appear in the pre-launch env audit? | Show in audit / Silent | Show in audit |

**User input:** Requested a broader audit redesign — three sections (env, mounts, network), unified env var list with color + prefix-based categorization. Not just a minimal mount line.

| Question | Options | Selected |
|----------|---------|----------|
| Fold audit redesign into Phase 4 or defer? | Fold into Phase 4 / Phase 4 shows mount only | Fold into Phase 4 |

**Rationale:** Phase 4 already touches the audit; doing the full redesign avoids a half-done audit screen.

| Question | Options | Selected |
|----------|---------|----------|
| Color scheme for unified env var list? | Green/Yellow/Cyan / Green/Yellow/Magenta / You decide | Green/Yellow/Cyan + accessibility prefixes |

**User input:** Requested accessibility prefixes alongside colors: `[~]` sandbox-generated, `[>]` host allowlisted, `[+]` user-configured.

| Question | Options | Selected |
|----------|---------|----------|
| Prefix characters? | [S]/[H]/[U] / [~]/[>]/[+] / You decide | [~] / [>] / [+] |

---

### API key + OAuth coexistence

| Question | Options | Selected |
|----------|---------|----------|
| When ANTHROPIC_API_KEY is set, still mount credentials? | Always mount if credentials exist / Skip mount when API key is set | Always mount if credentials exist |

**Rationale:** Simpler logic. Claude Code handles precedence internally.

---

### Which credential files

| Question | Options | Selected |
|----------|---------|----------|
| Which auth files to mount? | .credentials.json only / Entire ~/.claude / credentials.json + .oauth-token | .credentials.json only |

**Rationale:** Minimal surface. Other ~/.claude contents belong to Phase 5 (instance isolation).

---

## Corrections Made

None — all selections were user-confirmed choices.

## Scope Notes

- Audit redesign (three sections, color + prefix) folded into Phase 4 scope at user request.
- Network section in audit is a placeholder in Phase 4 — Phase 6 makes it dynamic.