fix(claude-code): guard unrecognized authMethod from legacy fallback

Davidson3556 · Davidson3556 · commit 819585c14196 · 2026-05-05T04:10:01.000-07:00
Future authMethod values (e.g. oauth/sso) emitted alongside a populated
apiKeySource were skipping both explicit branches and landing on the
legacy heuristic, mis-reporting the env var as the active source — the
same kind of mis-attribution this PR fixes for claude.ai. Surface the
authMethod verbatim instead. Adds the missing stderr-only-JSON contract
test so a future stderr-parsing refactor cannot silently change
_probe_cli_auth's return value.
diff --git a/app/integrations/llm_cli/claude_code.py b/app/integrations/llm_cli/claude_code.py
@@ -97,6 +97,12 @@ def _auth_status_from_json_payload(data: dict) -> tuple[bool, str]:
         return True, f"Authenticated via {source}."
     if auth_method == "claude.ai":
         return True, f"Authenticated via Claude subscription{f' ({email})' if email else ''}."
+    if auth_method:
+        # Unrecognized but non-empty authMethod (e.g. a future "oauth" / "sso"):
+        # surface it verbatim instead of leaning on apiKeySource, which the CLI
+        # also populates for env-supplied API keys regardless of the active
+        # method and would mis-report the source.
+        return True, f"Authenticated via {auth_method}{f' ({email})' if email else ''}."
     # Older CLI versions may omit authMethod — fall back to legacy heuristic.
     if api_key_source:
         return True, f"Authenticated via {api_key_source}."
diff --git a/tests/integrations/llm_cli/test_claude_code_adapter.py b/tests/integrations/llm_cli/test_claude_code_adapter.py
@@ -247,6 +247,53 @@ def test_probe_cli_auth_api_key_only_uses_authmethod(mock_run: MagicMock) -> Non
     assert "ANTHROPIC_API_KEY" in detail
 
 
+@patch("app.integrations.llm_cli.claude_code.subprocess.run")
+def test_probe_cli_auth_unrecognized_authmethod_does_not_use_apikeysource(
+    mock_run: MagicMock,
+) -> None:
+    """A future authMethod (e.g. ``oauth``) must not fall through to apiKeySource.
+
+    The CLI populates ``apiKeySource`` whenever the env contributes an API key,
+    so a logged-in subscription/OAuth user with ``ANTHROPIC_API_KEY`` set would
+    otherwise be reported as "Authenticated via ANTHROPIC_API_KEY" — the exact
+    mis-reporting the legacy heuristic produced for ``claude.ai``.
+    """
+    m = MagicMock()
+    m.returncode = 0
+    m.stdout = (
+        '{"loggedIn": true, "authMethod": "oauth", '
+        '"apiKeySource": "ANTHROPIC_API_KEY", "email": "user@example.com"}\n'
+    )
+    m.stderr = ""
+    mock_run.return_value = m
+    logged_in, detail = _probe_cli_auth("/usr/bin/claude")
+    assert logged_in is True
+    assert "ANTHROPIC_API_KEY" not in detail
+    assert "oauth" in detail
+    assert "user@example.com" in detail
+
+
+@patch("app.integrations.llm_cli.claude_code.subprocess.run")
+def test_probe_cli_auth_exit_1_json_on_stderr_only_is_probe_failure(
+    mock_run: MagicMock,
+) -> None:
+    """Exit 1 with JSON only on stderr is treated as an opaque probe failure.
+
+    ``_try_parse_auth_status_stdout`` reads stdout only, so JSON that lands on
+    stderr falls through to the exit-code branch and returns ``(None, "claude
+    auth status failed: …")``. Pinning this contract guards against a future
+    refactor that starts parsing stderr and silently changes the return value.
+    """
+    m = MagicMock()
+    m.returncode = 1
+    m.stdout = ""
+    m.stderr = '{"loggedIn": false, "authMethod": "none"}'
+    mock_run.return_value = m
+    logged_in, detail = _probe_cli_auth("/usr/bin/claude")
+    assert logged_in is None
+    assert "failed" in detail
+
+
 @patch("app.integrations.llm_cli.claude_code.subprocess.run")
 def test_probe_cli_auth_timeout(mock_run: MagicMock) -> None:
     import subprocess
