bryan/cloverleaf-larry
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
39f0e00c01
cloverleaf-larry/larry-auth.sh

108 lines
4.7 KiB
Bash
Executable File
Raw Blame History

#!/usr/bin/env bash
# larry-auth.sh — top-level auth wrapper.
# larry-auth.sh --api-key [--no-validate] set the per-client API key (default rail)
# larry-auth.sh --api-key --clear remove the stored key
# larry-auth.sh --api-key --status show the key masked
# larry-auth.sh <login|logout|status|...> forward to lib/oauth.sh (opt-in OAuth)
#
# API key is the DEFAULT / sanctioned rail (v0.8.10). OAuth is opt-in and risks
# the user's Max account (Anthropic blocks Claude-Code impersonation). See
# Deliverables/2026-05-27-cloverleaf-larry-api-key-default-rail.md.
set -e
SELF_DIR="$(cd "$(dirname "$0")" && pwd)"
LARRY_HOME="${LARRY_HOME:-$HOME/.larry}"
LARRY_API_KEY_FILE="${LARRY_API_KEY_FILE:-$LARRY_HOME/.api-key}"
LARRY_API_URL="${LARRY_API_URL:-https://api.anthropic.com/v1/messages}"
LARRY_MODEL="${LARRY_MODEL:-claude-sonnet-4-6}"
# strip_cr — prefer the shared primitive; fall back to inline parameter expansion.
if [ -r "$SELF_DIR/lib/cygwin-safe.sh" ]; then
# shellcheck disable=SC1091
. "$SELF_DIR/lib/cygwin-safe.sh"
elif [ -r "$LARRY_HOME/lib/cygwin-safe.sh" ]; then
# shellcheck disable=SC1091
. "$LARRY_HOME/lib/cygwin-safe.sh"
fi
command -v strip_cr >/dev/null 2>&1 || strip_cr() { local v="${1:-}"; printf '%s' "${v//$'\r'/}"; }
_mask_api_key() {
local k; k=$(strip_cr "${1:-}")
[ -z "$k" ] && { printf '(none)'; return 0; }
local len=${#k}
[ "$len" -le 12 ] && { printf '(set, len=%d)' "$len"; return 0; }
printf '%s…%s (len=%d)' "$(printf '%s' "$k" | cut -c1-13)" "$(printf '%s' "$k" | tail -c 4)" "$len"
}
# One cheap test call to confirm the key authenticates. 0=valid, 1=invalid
# (prints HTTP code), 2=could-not-test (no curl / network).
_validate_api_key() {
local key; key=$(strip_cr "${1:-}")
command -v curl >/dev/null 2>&1 || return 2
local body code
body='{"model":"'"$LARRY_MODEL"'","max_tokens":1,"messages":[{"role":"user","content":"hi"}]}'
# Key via --config on stdin (off argv / process table).
code=$(printf 'header = "x-api-key: %s"\n' "$key" | curl -sS -o /dev/null -w '%{http_code}' --config - \
-H "anthropic-version: 2023-06-01" -H "content-type: application/json" \
--max-time 20 -d "$body" "$LARRY_API_URL" 2>/dev/null) || return 2
[ "$code" = "200" ] && return 0
printf '%s' "$code"; return 1
}
set_api_key_cli() {
local do_validate=1
[ "${1:-}" = "--no-validate" ] && do_validate=0
mkdir -p "$LARRY_HOME" 2>/dev/null || true
echo "Set Anthropic API key (per-client). Mint one for THIS machine at"
echo "https://console.anthropic.com — one dedicated, independently-revocable key."
echo "Stored at $LARRY_API_KEY_FILE (mode 0600); never leaves this machine."
printf 'Paste key (input hidden): '
local key=""
read -rs key 2>/dev/null || read -r key
echo ""
key=$(strip_cr "$key"); key="${key//$'\n'/}"
key="${key#"${key%%[![:space:]]*}"}"; key="${key%"${key##*[![:space:]]}"}"
[ -z "$key" ] && { echo "larry-auth: no key entered — nothing changed" >&2; return 1; }
case "$key" in sk-ant-*) : ;; *) echo "warning: doesn't look like sk-ant-... — storing anyway" >&2 ;; esac
if [ "$do_validate" = "1" ]; then
printf 'Validating… '
local vout vrc; vout=$(_validate_api_key "$key"); vrc=$?
if [ "$vrc" = "0" ]; then echo "valid"
elif [ "$vrc" = "2" ]; then echo "skipped (curl/network unavailable)"
else echo "FAILED (HTTP ${vout:-?})"; echo "larry-auth: key did not authenticate — not stored." >&2; key=""; return 1; fi
fi
umask 077
printf '%s\n' "$key" > "$LARRY_API_KEY_FILE"
chmod 600 "$LARRY_API_KEY_FILE" 2>/dev/null || true
echo "stored at $LARRY_API_KEY_FILE (0600) — $(_mask_api_key "$key")"
key=""
}
case "${1:-status}" in
--api-key|--apikey|api-key|apikey)
shift
case "${1:-}" in
--clear)
if [ -f "$LARRY_API_KEY_FILE" ]; then rm -f "$LARRY_API_KEY_FILE"; echo "cleared $LARRY_API_KEY_FILE"
else echo "no key file to remove ($LARRY_API_KEY_FILE)"; fi ;;
--status)
if [ -f "$LARRY_API_KEY_FILE" ]; then
k=$(strip_cr "$(cat "$LARRY_API_KEY_FILE" 2>/dev/null)"); k="${k//$'\n'/}"
echo "API key: $(_mask_api_key "$k") [$LARRY_API_KEY_FILE]"; k=""
else echo "API key: (none set) — run: larry-auth.sh --api-key"; fi ;;
--no-validate) set_api_key_cli --no-validate ;;
""|set) set_api_key_cli ;;
*) echo "usage: larry-auth.sh --api-key [--clear|--status|--no-validate]" >&2; exit 2 ;;
esac
;;
*)
# OAuth (opt-in) path — forward to lib/oauth.sh.
OAUTH=""
for c in "$SELF_DIR/lib/oauth.sh" "$LARRY_HOME/lib/oauth.sh"; do
[ -x "$c" ] && { OAUTH="$c"; break; }
done
[ -n "$OAUTH" ] || { echo "larry-auth: cannot find lib/oauth.sh — reinstall larry-anywhere" >&2; exit 1; }
exec "$OAUTH" "$@"
;;
esac
Reference in New Issue View Git Blame Copy Permalink