fix: shared Claude OAuth credentials in containers — mount + flock to prevent token rotation race (#693)
- Make ~/.claude volume mount read-write (was :ro) so containers can write back refreshed OAuth tokens
- Wrap Claude CLI in flock(1) inside tmux sessions using ~/.claude/session.lock — prevents concurrent token refresh races across agents sharing the same credentials
- Add ANTHROPIC_API_KEY detection in entrypoint.sh: when set, skips OAuth entirely (no rotation issues, metered billing)
- Log active auth method (API key vs OAuth vs missing) at container startup for easier 401 debugging
- Document 'claude auth login' requirement in disinto init output

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
parent
cfdbaeeb5b
commit
cf6400e8f3
3 changed files with 34 additions and 2 deletions
@ -55,6 +55,18 @@ if ! command -v claude &>/dev/null; then
|
|||
fi
|
||||
log "Claude CLI: $(claude --version 2>&1 || true)"
|
||||
|
||||
# ANTHROPIC_API_KEY fallback: when set, Claude uses the API key directly
|
||||
# and OAuth token refresh is not needed (no rotation race). Log which
|
||||
# auth method is active so operators can debug 401s.
|
||||
if [ -n "${ANTHROPIC_API_KEY:-}" ]; then
|
||||
log "Auth: ANTHROPIC_API_KEY is set — using API key (no OAuth rotation)"
|
||||
elif [ -f /home/agent/.claude/credentials.json ]; then
|
||||
log "Auth: OAuth credentials mounted from host (~/.claude)"
|
||||
else
|
||||
log "WARNING: No ANTHROPIC_API_KEY and no OAuth credentials found."
|
||||
log "Run 'claude auth login' on the host, or set ANTHROPIC_API_KEY in .env"
|
||||
fi
|
||||
|
||||
install_project_crons
|
||||
|
||||
# Configure tea CLI login for forge operations (runs as agent user).
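Review bot: The `elif [ -f /home/agent/.claude/credentials.json ]` branch only proves the file exists, so a container whose `~/.claude` mount is still read-only, or whose credentials file is not writable by the agent user, will log "OAuth credentials mounted from host" and then be unable to write back a refreshed token, which is the 401 case this log line is meant to help debug. Consider adding a `-w` test on the file and on the `~/.claude` directory (the lock file from this commit lives there too) and logging a distinct warning when it fails. The path is also hard-coded to `/home/agent`; deriving it from the agent user's home directory, and confirming the file name matches what the Claude CLI actually writes, would keep a valid login from falling through to the "No ANTHROPIC_API_KEY and no OAuth credentials found" warning.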