Skip to content

feat: add ClaudeCodeAuthCheck for flexible agent authentication#3

Merged
norrietaylor merged 12 commits intomainfrom
feat/phase-6-self-development
Mar 23, 2026
Merged

feat: add ClaudeCodeAuthCheck for flexible agent authentication#3
norrietaylor merged 12 commits intomainfrom
feat/phase-6-self-development

Conversation

@norrietaylor
Copy link
Owner

@norrietaylor norrietaylor commented Mar 23, 2026

Replace AnthropicAPIKeyCheck with ClaudeCodeAuthCheck in CLI preflight. The new check passes if ANTHROPIC_API_KEY is set OR the claude CLI is on PATH (supporting OAuth, GitHub App, and other managed auth methods).

This allows CI environments with the Claude GitHub App installed to run agentry without requiring a separate API key.

norrietaylor and others added 6 commits March 22, 2026 17:32
@norrietaylor @claude
feat: add ClaudeCodeAuthCheck for flexible agent authentication
1db74cf 
Replace AnthropicAPIKeyCheck with ClaudeCodeAuthCheck in CLI preflight.
The new check passes if ANTHROPIC_API_KEY is set OR the claude CLI is on
PATH (supporting OAuth, GitHub App, and other managed auth methods).

This allows CI environments with the Claude GitHub App installed to run
agentry without requiring a separate API key.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@norrietaylor
Merge branch 'main' into feat/phase-6-self-development
bcecfcf
@norrietaylor @claude
feat: support CLAUDE_CODE_OAUTH_TOKEN for CI authentication
9c3029f 
Update agentry-code-review.yml to use CLAUDE_CODE_OAUTH_TOKEN from the
Claude GitHub App instead of ANTHROPIC_API_KEY. Update ClaudeCodeAuthCheck
to recognize the OAuth token as a valid auth method.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@norrietaylor @claude
fix(ci): install Claude Code CLI before running agentry
32b3faf 
The agent_availability preflight check requires claude on PATH.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@norrietaylor @claude
fix: set trust: elevated on all workflows
1d52b09 
All standard library workflows use Claude Code which requires host
process execution. The default trust level is sandboxed (Docker), which
fails in CI where the agentry/sandbox:1.0 image is not available.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@norrietaylor @claude
fix: accept max_iterations in ClaudeCodeAgent, map to --max-turns
94b25f8 
The workflow agent block passes max_iterations through to the agent
constructor. Map it to claude CLI's --max-turns flag. Also accept
**kwargs for forward compatibility with new workflow fields.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@github-actions
Copy link

github-actions bot commented Mar 23, 2026

Agent run output: /home/runner/work/agentry/agentry/.agentry/runs/20260323T010946/output.json

@norrietaylor @claude
fix: preserve agent text responses as raw_response in output
b2b2237 
When Claude Code returns a string result (prose review) rather than
structured JSON, wrap it in {"raw_response": text} instead of silently
dropping it. This was causing output: null in CI runs.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@github-actions
Copy link

github-actions bot commented Mar 23, 2026

Agent run output: /home/runner/work/agentry/agentry/.agentry/runs/20260323T011350/output.json

@norrietaylor @claude
fix: thread output_schema through to AgentTask
b8330c8 
The workflow's output schema was never passed to ClaudeCodeAgent, so
claude was invoked without --output-format json and all output parsing
was skipped. Thread output_schema through AgentConfig → InProcessRunner
→ AgentTask so the agent produces structured JSON responses.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@github-actions
Copy link

github-actions bot commented Mar 23, 2026

Agent run output: /home/runner/work/agentry/agentry/.agentry/runs/20260323T012846/output.json

@norrietaylor @claude
fix: handle null/empty result from Claude Code and include cache tokens
d25c1f0 
When Claude Code returns result: null (e.g. after tool-use turns with no
final text), capture stop_reason and subtype in the output instead of
returning null. Also include cache_creation and cache_read tokens in the
reported input token count for accurate usage reporting.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@github-actions
Copy link

github-actions bot commented Mar 23, 2026

Agent run output: /home/runner/work/agentry/agentry/.agentry/runs/20260323T015738/output.json

@norrietaylor @claude
fix: include raw_stdout in JSON output when result is empty
29813af 
Adds diagnostic raw_stdout field (truncated to 2000 chars) to the CLI
JSON output when the agent produces no structured output. This makes
empty-result CI runs diagnosable from the logs.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@github-actions
Copy link

github-actions bot commented Mar 23, 2026

Agent run output: /home/runner/work/agentry/agentry/.agentry/runs/20260323T020105/output.json

@norrietaylor @claude
fix: write output.json before posting PR comment, format as Markdown
d7dae96 
The PR comment was posting just the file path because map_outputs was
called before the output file was written. Now writes the file first,
then calls map_outputs which reads it and formats findings as a
structured Markdown comment with severity emojis, code locations, and
token usage.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@github-actions
Copy link

github-actions bot commented Mar 23, 2026

Agentry Code Review

Looking at this git diff, I can see this is a significant refactor involving authentication changes, enhanced output handling, and security improvements. Let me analyze the code for potential issues.

```json
{
  "findings": [
    {
      "file": "src/agentry/agents/claude_code.py",
      "line": 58,
      "severity": "warning",
      "category": "correctness",
      "description": "Parameter name mismatch: 'max_iterations' parameter is stored internally as '_max_turns', which could cause confusion and maintenance issues.",
      "suggestion": "Either rename the parameter to 'max_turns' or the internal field to '_max_iterations' for consistency."
    },
    {
      "file": ".github/workflows/agentry-code-review.yml",
      "line": 34,
      "severity": "warning",
      "category": "security",
      "description": "Installing global npm package without version pinning could lead to non-reproducible builds and potential supply chain attacks.",
      "suggestion": "Pin to a specific version: 'npm install -g @anthropic-ai/claude-code@^1.0.0' or use npm ci with a package-lock.json."
    },
    {
      "file": "src/agentry/agents/claude_code.py",
      "line": 218,
      "severity": "info",
      "category": "correctness",
      "description": "The output parsing logic checks for 'result_field.strip()' but this could fail if result_field is not a string, despite the isinstance check.",
      "suggestion": "The isinstance(result_field, str) check should be sufficient, but consider removing the .strip() check or add explicit string conversion for safety."
    },
    {
      "file": "src/agentry/cli.py",
      "line": 870,
      "severity": "info",
      "category": "style",
      "description": "Writing output.json before calling map_outputs is done for a specific reason (PR comments), but this architectural dependency is not clearly documented.",
      "suggestion": "Add a comment explaining why output.json must be written before map_outputs() to clarify the dependency on GitHub Actions binder behavior."
    },
    {
      "file": "src/agentry/security/checks.py",
      "line": 242,
      "severity": "info",
      "category": "correctness",
      "description": "ClaudeCodeAuthCheck checks multiple authentication methods but doesn't validate that the credentials are actually working, only that they exist.",
      "suggestion": "Consider adding a lightweight validation step (like a simple API call) to verify the credentials are not just present but functional."
    },
    {
      "file": "workflows/code-review.yaml",
      "line": 35,
      "severity": "warning",
      "category": "security",
      "description": "All workflow files now set 'trust: elevated' which reduces security restrictions. This change affects multiple workflows but lacks justification in the diff.",
      "suggestion": "Document why elevated trust is necessary and ensure this change was intentional for all workflow types, not just code review."
    }
  ],
  "summary": "This is a well

Tokens: 31,415 in / 2,364 out

@norrietaylor @claude
fix: make slide deck responsive on mobile
6b887b1 
Add media queries for narrow viewports: single-column grids, smaller
typography, reduced padding, narrower architecture layer indents. Add
touch swipe navigation for left/right slide transitions.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@github-actions
Copy link

github-actions bot commented Mar 23, 2026

Agentry Code Review

Tokens: 12,762 in / 2,015 out

@norrietaylor norrietaylor merged commit 7d2b4fa into main Mar 23, 2026
4 checks passed
@norrietaylor norrietaylor deleted the feat/phase-6-self-development branch March 23, 2026 03:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@norrietaylor