fix: accept Claude session keys in sk-ant-sid02 format #962

Open
octo-patch wants to merge 2 commits into ChatGPTBox-dev:master from octo-patch:fix/issue-935-claude-session-key-validation

@octo-patch octo-patch commented Apr 20, 2026

Fixes #935

Problem

Anthropic has started issuing Claude Web session keys in the format sk-ant-sid02-*****, but the extension's Claude client validates keys strictly against the sk-ant-sid01- prefix. This causes users with new-format keys to see an error:

Session key invalid: Must be in the format sk-ant-sid01-*****

Solution

Relaxed the session key prefix check from sk-ant-sid01 to sk-ant-sid so that it accepts both the sid01 and sid02 formats (and any future versioned formats Anthropic may introduce).

Testing

  • Verified the validation logic change in src/services/clients/claude/index.mjs
  • sk-ant-sid01-xxxxx — still accepted ✓
  • sk-ant-sid02-xxxxx — now accepted ✓
  • Completely invalid keys (e.g. invalid-key) — still rejected ✓

Summary by CodeRabbit

  • Bug Fixes
    • Expanded Claude client key validation to accept additional API key formats for improved compatibility.
    • Broadened validation error messaging to clearly describe accepted key format examples for easier troubleshooting.

…Box-dev#935)

Anthropic now issues session keys with the prefix sk-ant-sid02-
in addition to the previous sk-ant-sid01- format. The validation
was too strict, rejecting valid new-format keys with an error.

Relaxed the check to match any sk-ant-sid prefix to be
forward-compatible with future key format versions.
@qodo-code-review
Contributor

Review Summary by Qodo

Accept Claude session keys in sk-ant-sid02 format

🐞 Bug fix

Walkthroughs

Description
• Relaxed Claude session key validation prefix check
• Now accepts both sk-ant-sid01 and sk-ant-sid02 formats
• Maintains forward compatibility with future key versions
• Updated error message to reflect accepted formats
Diagram
flowchart LR
  A["Session Key Validation"] -->|Old: sk-ant-sid01 only| B["Rejected new format keys"]
  A -->|New: sk-ant-sid prefix| C["Accepts sid01 and sid02"]
  C -->|Future compatible| D["Ready for new formats"]

File Changes

1. src/services/clients/claude/index.mjs 🐞 Bug fix +2/-2

Relax session key prefix validation for multiple formats

• Changed session key prefix validation from sk-ant-sid01 to sk-ant-sid
• Updated error message to indicate both sk-ant-sid01-***** and sk-ant-sid02-***** formats are
 accepted
• Maintains backward compatibility while enabling new format support

src/services/clients/claude/index.mjs


@qodo-code-review
Contributor

qodo-code-review bot commented Apr 20, 2026

Code Review by Qodo

🐞 Bugs (0) 📘 Rule violations (0) 📎 Requirement gaps (0)

Remediation recommended

1. Too-permissive key validation 🐞 Bug ≡ Correctness
Description
Claude constructor only checks sessionKey.startsWith('sk-ant-sid'), so malformed values (e.g.,
missing version/dash) will pass validation and then be sent as a Cookie header, leading to
downstream authentication failures with confusing user-facing messaging.
Code

src/services/clients/claude/index.mjs[R77-78]

+    if (!sessionKey.startsWith('sk-ant-sid')) {
+      throw new Error('Session key invalid: Must be in the format sk-ant-sid01-***** or sk-ant-sid02-*****')
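Review bot: the condition on the `startsWith('sk-ant-sid')` line looks only at the first ten characters, so nothing after the prefix is constrained even though the message on the next line promises a `sid01-` / `sid02-` shape. Anchor the check to the version digits and the hyphen that follows them, and consider validating the whole value (length and allowed characters), since the message describes a complete format. The thrown message does not echo the key back, which is worth preserving when it is reworded.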
Evidence
The constructor now accepts any string beginning with sk-ant-sid without verifying the required
version segment and hyphen, then uses the raw value to build the cookie: sessionKey=... header for
Claude requests. If the cookie value is malformed-but-prefix-matching, requests will fail
authentication and the extension may incorrectly instruct the user to “login first” because it maps
generic auth failures to that message.

src/services/clients/claude/index.mjs[74-83]
src/services/clients/claude/index.mjs[218-224]
src/services/wrappers.mjs[54-78]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
`sessionKey.startsWith('sk-ant-sid')` is overly broad and allows malformed values to pass constructor validation; these values are then used in request Cookie headers and can fail later with misleading errors.
### Issue Context
The PR intends to accept both `sk-ant-sid01-...` and `sk-ant-sid02-...` (and future versions), but the current check doesn’t enforce the `sid<version>-` structure.
### Fix Focus Areas
- src/services/clients/claude/index.mjs[74-83]
### Suggested change
- Replace the `startsWith` check with a regex that enforces:
  - prefix `sk-ant-sid`
  - a numeric version segment
  - a trailing `-` after the version
Example:

@coderabbitai
Contributor

coderabbitai bot commented Apr 20, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 46acd1c and ee16c1e.

📒 Files selected for processing (1)
  • src/services/clients/claude/index.mjs
🚧 Files skipped from review as they are similar to previous changes (1)
  • src/services/clients/claude/index.mjs

Walkthrough

The Claude client's constructor session key validation was changed from a strict sk-ant-sid01 prefix check to a regex that accepts sk-ant-sidNN- (numeric NN) prefixes. The constructor's validation failure message was broadened to describe the accepted sk-ant-sidNN-***** format with examples.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Session Key Validation: src/services/clients/claude/index.mjs | Replaced startsWith('sk-ant-sid01') check with a regex allowing sk-ant-sidNN- (any numeric NN) and updated the validation error text to sk-ant-sidNN-***** with examples like sk-ant-sid01-***** and sk-ant-sid02-*****. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐇 I dug a tunnel through keys and logs,
Found sk-ant-sid02 beneath the clogs,
Now doors swing open, numbers play,
Claude and me hop, hip-hip-hooray! 🎉

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The pull request title accurately summarizes the main change: accepting Claude session keys in the sk-ant-sid02 format, which directly addresses the primary objective. |
| Linked Issues check | ✅ Passed | The code changes fully satisfy issue #935 by updating session key validation to accept both sk-ant-sid01 and sk-ant-sid02 formats, resolving the reported error. |
| Out of Scope Changes check | ✅ Passed | All changes are directly related to fixing the session key validation issue; no unrelated or out-of-scope modifications are present in the changeset. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

@devin-ai-integration devin-ai-integration bot left a comment

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 2 additional findings.

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request updates the Claude client to support a wider range of session keys by checking for the 'sk-ant-sid' prefix. A review comment suggests generalizing the error message to align with this more flexible validation logic, ensuring the message remains accurate if additional key formats are introduced.

Comment thread src/services/clients/claude/index.mjs Outdated
Comment on lines +77 to +78
if (!sessionKey.startsWith('sk-ant-sid')) {
throw new Error('Session key invalid: Must be in the format sk-ant-sid01-***** or sk-ant-sid02-*****')

medium

The logic has been updated to generically accept any session key starting with sk-ant-sid, which is a good improvement for future-proofing. However, the error message still explicitly lists only sid01 and sid02. If Anthropic releases a sid03 format in the future, this message will become misleading to users because the code would actually accept the key, but the error message would imply it is unsupported. It is better to use a more generic error message that matches the implementation's flexibility.

Suggested change
if (!sessionKey.startsWith('sk-ant-sid')) {
throw new Error('Session key invalid: Must be in the format sk-ant-sid01-***** or sk-ant-sid02-*****')
if (!sessionKey.startsWith('sk-ant-sid')) {
throw new Error('Session key invalid: Must be in the format sk-ant-sid...')
}

coderabbitai[bot]

This comment was marked as resolved.

Tightens the session key validation to match the documented format more
closely. The previous `startsWith('sk-ant-sid')` accepted malformed
values like `sk-ant-sidney` or `sk-ant-sid02` (missing the trailing
`-`), which would later fail authentication with a confusing 'login
first' message.

Now uses /^sk-ant-sid\d+-/ which:
- accepts existing sid01/sid02 keys
- accepts future sidNN versions (forward compatible)
- rejects malformed keys at construction time

Error message updated to reflect the generalised format while still
showing the known examples.

Addresses review feedback from CodeRabbit, Qodo and gemini-code-assist.
@octo-patch
Author

Thanks for the reviews! I've pushed a follow-up commit (ee16c1e) that addresses the validation/error-message inconsistency raised by CodeRabbit, Qodo and gemini-code-assist.

The check is now /^sk-ant-sid\d+-/ which:

  • Accepts existing sid01 / sid02 keys ✅
  • Accepts future sidNN versions, keeping the original PR's forward-compatibility intent ✅
  • Rejects malformed keys like sk-ant-sidney or sk-ant-sid02 (missing trailing -) at construction time ✅

Error message updated to sk-ant-sidNN-***** (e.g. sk-ant-sid01-*****, sk-ant-sid02-*****) so it now matches the actual validation while still listing the known formats.
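
The three checks this PR moved through, compared side by side on constructed keys. This is an added example, not the extension's code; `checks`, `validateSessionKey` and `compare` are hypothetical names. The `hardened` result goes one step beyond the PR and rests on an assumption: because the value is placed in a Cookie header, the whole string is also restricted to RFC 6265 cookie-octet characters.

```javascript
// Added example, not the extension's code. All keys below are constructed.

// The three checks this PR went through, in order.
const checks = {
  strictSid01: (k) => k.startsWith('sk-ant-sid01'), // before the PR
  loosePrefix: (k) => k.startsWith('sk-ant-sid'), // first commit
  versioned: (k) => /^sk-ant-sid\d+-/.test(k), // follow-up commit ee16c1e
}

// Assumption (not in the PR): the value ends up in a Cookie header, so the
// whole string is limited to RFC 6265 cookie-octet characters (no control
// characters, whitespace, double quote, comma, semicolon or backslash).
const COOKIE_OCTETS = /^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]+$/

function validateSessionKey(key) {
  if (typeof key !== 'string') return { ok: false, reason: 'not a string' }
  if (!checks.versioned(key)) return { ok: false, reason: 'bad prefix' }
  if (!COOKIE_OCTETS.test(key)) return { ok: false, reason: 'unsafe character' }
  return { ok: true, reason: null }
}

// Report which of the checks accept a given key.
function compare(key) {
  return {
    strictSid01: checks.strictSid01(key),
    loosePrefix: checks.loosePrefix(key),
    versioned: checks.versioned(key),
    hardened: validateSessionKey(key).ok,
  }
}

const samples = [
  'sk-ant-sid01-EXAMPLE',
  'sk-ant-sid02-EXAMPLE',
  'sk-ant-sid03-EXAMPLE', // hypothetical future version
  'sk-ant-sidney', // malformed value named in the PR
  'sk-ant-sid02', // missing trailing hyphen, named in the PR
  'invalid-key',
  'sk-ant-sid02-EXAMPLE\n', // trailing newline left by a copy-paste
  'sk-ant-sid02-EXAMPLE; x=1', // ';' and space are not valid in a cookie value
]

for (const key of samples) {
  // JSON.stringify makes the trailing newline visible in the output.
  console.log(JSON.stringify(key), compare(key))
}
```

The last two samples pass the merged regex because it is anchored only at the start; rejecting them at construction time gives the user the format error instead of a later authentication failure.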

Development

Successfully merging this pull request may close these issues.

Not working with new Claude (Web) seesion keys
