Emit auth/required when Claude flips native → proxy#323828
Open
TylerLeonhardt wants to merge 1 commit into
Open
Emit auth/required when Claude flips native → proxy#323828TylerLeonhardt wants to merge 1 commit into
auth/required when Claude flips native → proxy#323828TylerLeonhardt wants to merge 1 commit into
Conversation
When the Claude agent's transport mode flips from native to proxy at runtime (via a `claudeUseCopilotProxy` root-config change) and it has no live proxy handle, proactively emit the AHP `auth/required` notification so the connected client re-authenticates GitHub Copilot — instead of only failing the next command lazily with `AHP_AUTH_REQUIRED`. - IAgent gains an optional `onDidRequireAuth` event; AgentHostStateManager gains `emitAuthRequired` (mirrors `emitProgress`), fired on the root channel and forwarded to clients over the existing notification path. - AgentSideEffects wires the agent event to the state manager. - ClaudeAgent fires it on the native→proxy flip when no proxy handle exists, and hardens `authenticate()` so an unchanged token still starts the proxy when no live handle is present (closes a re-auth deadlock). - Adds unit tests for the flip-emit and hardening behaviors. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Contributor
There was a problem hiding this comment.
Pull request overview
This PR wires up the host-side producer for the Agent Host Protocol auth/required notification so connected clients are proactively prompted to re-authenticate when Claude’s transport mode flips native → proxy at runtime and no proxy handle is available.
Changes:
- Adds optional
IAgent.onDidRequireAuthfor agents to signal that client re-authentication is needed. - Adds
AgentHostStateManager.emitAuthRequired()and wires agent events throughAgentSideEffectsto emitauth/requiredon the root channel. - Updates
ClaudeAgentto fireonDidRequireAuthon native→proxy flips when no proxy handle exists, and adjustsauthenticate()to start the proxy even when the token is unchanged but no handle exists; adds focused unit tests.
Show a summary per file
| File | Description |
|---|---|
| src/vs/platform/agentHost/test/node/claudeAgent.test.ts | Adds coverage for native→proxy flip emitting auth/required only when appropriate, plus the unchanged-token/no-handle proxy-start case. |
| src/vs/platform/agentHost/node/claude/claudeAgent.ts | Introduces onDidRequireAuth emission on native→proxy flips without a proxy handle and hardens authenticate() to avoid same-token re-auth deadlocks. |
| src/vs/platform/agentHost/node/agentSideEffects.ts | Subscribes (optionally) to agent.onDidRequireAuth and forwards to the state manager. |
| src/vs/platform/agentHost/node/agentHostStateManager.ts | Adds emitAuthRequired() to emit the auth/required notification on the root channel via the existing notification pipeline. |
| src/vs/platform/agentHost/common/agentService.ts | Extends IAgent with optional onDidRequireAuth to support agent-level auth requirement signaling. |
Review details
- Files reviewed: 5/5 changed files
- Comments generated: 0
- Review effort level: Low
chrmarti
approved these changes
Jul 1, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Adds the missing host-side producer for the AHP
auth/requirednotification: when the Claude agent's transport mode flips from native → proxy at runtime and it has no live proxy handle, the host proactively tells the connected client to re-authenticate GitHub Copilot — instead of only failing the client's next command lazily withAHP_AUTH_REQUIRED.Why
auth/requiredis a declared server→client notification and the client already consumes it (remoteAgentHostProtocolClient), and the transport already carries it — but nothing on the host ever emitted it. A runtime transport flip (driven by theclaudeUseCopilotProxyroot config) makes GitHub Copilot auth newly required, yet the already-connected client isn't told; it only finds out when the nextcreateSession/sendMessagefails. This wires up the producer.AgentSignalis deliberately not used — it's per-session turn progress, the wrong layer for an agent-level auth-state change.Changes
IAgent.onDidRequireAuth(optional event) — an agent signals it needs the client to (re-)authenticate a resource.common/agentService.tsAgentHostStateManager.emitAuthRequired— mirrorsemitProgress; firesauth/requiredon the root channel, reusing the existingonDidEmitNotification→ both wire paths (local IPC + remote WebSocket).node/agentHostStateManager.tsAgentSideEffects— subscribes the agent event → state manager, alongside the existingonDidCustomizationsChangewiring.node/agentSideEffects.tsClaudeAgent— fires on the native→proxy flip when!_proxyHandle(a handle persists across a proxy→native→proxy round-trip, so it fires only when a credential is genuinely missing); and hardensauthenticate()so an unchanged token still starts the proxy when no live handle exists, closing a same-token re-auth deadlock.node/claude/claudeAgent.tstest/node/claudeAgent.test.tsTesting
npm run typecheck-client— cleannpm run valid-layers-check— clean🤖 Generated with Claude Code