Skip to content

Emit auth/required when Claude flips native → proxy#323828

Open
TylerLeonhardt wants to merge 1 commit into
mainfrom
tyleonha/claude-emit-auth-required-on-flip
Open

Emit auth/required when Claude flips native → proxy#323828
TylerLeonhardt wants to merge 1 commit into
mainfrom
tyleonha/claude-emit-auth-required-on-flip

Conversation

@TylerLeonhardt

Copy link
Copy Markdown
Member

What

Adds the missing host-side producer for the AHP auth/required notification: when the Claude agent's transport mode flips from native → proxy at runtime and it has no live proxy handle, the host proactively tells the connected client to re-authenticate GitHub Copilot — instead of only failing the client's next command lazily with AHP_AUTH_REQUIRED.

Why

auth/required is a declared server→client notification and the client already consumes it (remoteAgentHostProtocolClient), and the transport already carries it — but nothing on the host ever emitted it. A runtime transport flip (driven by the claudeUseCopilotProxy root config) makes GitHub Copilot auth newly required, yet the already-connected client isn't told; it only finds out when the next createSession/sendMessage fails. This wires up the producer.

AgentSignal is deliberately not used — it's per-session turn progress, the wrong layer for an agent-level auth-state change.

Changes

  • IAgent.onDidRequireAuth (optional event) — an agent signals it needs the client to (re-)authenticate a resource. common/agentService.ts
  • AgentHostStateManager.emitAuthRequired — mirrors emitProgress; fires auth/required on the root channel, reusing the existing onDidEmitNotification → both wire paths (local IPC + remote WebSocket). node/agentHostStateManager.ts
  • AgentSideEffects — subscribes the agent event → state manager, alongside the existing onDidCustomizationsChange wiring. node/agentSideEffects.ts
  • ClaudeAgent — fires on the native→proxy flip when !_proxyHandle (a handle persists across a proxy→native→proxy round-trip, so it fires only when a credential is genuinely missing); and hardens authenticate() so an unchanged token still starts the proxy when no live handle exists, closing a same-token re-auth deadlock. node/claude/claudeAgent.ts
  • Tests — flip emits once; no emit when a handle already exists / on proxy→native / at construction; unchanged-token starts the proxy. test/node/claudeAgent.test.ts

Testing

  • npm run typecheck-client — clean
  • ClaudeAgent unit suite — 160 passing (incl. 5 new), 0 failing
  • npm run valid-layers-check — clean

🤖 Generated with Claude Code

When the Claude agent's transport mode flips from native to proxy at
runtime (via a `claudeUseCopilotProxy` root-config change) and it has no
live proxy handle, proactively emit the AHP `auth/required` notification
so the connected client re-authenticates GitHub Copilot — instead of only
failing the next command lazily with `AHP_AUTH_REQUIRED`.

- IAgent gains an optional `onDidRequireAuth` event; AgentHostStateManager
  gains `emitAuthRequired` (mirrors `emitProgress`), fired on the root
  channel and forwarded to clients over the existing notification path.
- AgentSideEffects wires the agent event to the state manager.
- ClaudeAgent fires it on the native→proxy flip when no proxy handle
  exists, and hardens `authenticate()` so an unchanged token still starts
  the proxy when no live handle is present (closes a re-auth deadlock).
- Adds unit tests for the flip-emit and hardening behaviors.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings July 1, 2026 04:19

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR wires up the host-side producer for the Agent Host Protocol auth/required notification so connected clients are proactively prompted to re-authenticate when Claude’s transport mode flips native → proxy at runtime and no proxy handle is available.

Changes:

  • Adds optional IAgent.onDidRequireAuth for agents to signal that client re-authentication is needed.
  • Adds AgentHostStateManager.emitAuthRequired() and wires agent events through AgentSideEffects to emit auth/required on the root channel.
  • Updates ClaudeAgent to fire onDidRequireAuth on native→proxy flips when no proxy handle exists, and adjusts authenticate() to start the proxy even when the token is unchanged but no handle exists; adds focused unit tests.
Show a summary per file
File Description
src/vs/platform/agentHost/test/node/claudeAgent.test.ts Adds coverage for native→proxy flip emitting auth/required only when appropriate, plus the unchanged-token/no-handle proxy-start case.
src/vs/platform/agentHost/node/claude/claudeAgent.ts Introduces onDidRequireAuth emission on native→proxy flips without a proxy handle and hardens authenticate() to avoid same-token re-auth deadlocks.
src/vs/platform/agentHost/node/agentSideEffects.ts Subscribes (optionally) to agent.onDidRequireAuth and forwards to the state manager.
src/vs/platform/agentHost/node/agentHostStateManager.ts Adds emitAuthRequired() to emit the auth/required notification on the root channel via the existing notification pipeline.
src/vs/platform/agentHost/common/agentService.ts Extends IAgent with optional onDidRequireAuth to support agent-level auth requirement signaling.

Review details

  • Files reviewed: 5/5 changed files
  • Comments generated: 0
  • Review effort level: Low
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

3 participants