Remove Claude auth token helper support (#450)

* Drop Claude auth token helper support

- Require `claude auth login` for Claude setup
- Remove helper-command settings, contracts, and picker logic
- Update related error and setup copy

* Remove marketing fog and simplify background (#451)

- Replace layered atmospheric glows with cleaner grid and edge treatment
- Remove unused section glow and reflection accents from hero/get-started

* Require Claude CLI login and drop auth token helpers

- Remove helper-command auth token resolution
- Update Claude health checks and settings copy
- Strip Anthropic credential env vars before launch

* Update packages/contracts/src/orchestration.ts

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Author: BunsDev

apps/server/src/doctor.ts

@@ -87,9 +87,7 @@ const doctorProgram = Effect.gen(function* () {
     console.log("No providers are ready. Set up at least one provider to start coding:");
     console.log("");
     console.log("  Codex:  npm install -g @openai/codex && codex login");
-    console.log(
-      "  Claude Code: npm install -g @anthropic-ai/claude-code && claude auth login (or set ANTHROPIC_API_KEY / ANTHROPIC_AUTH_TOKEN)",
-    );
+    console.log("  Claude Code: npm install -g @anthropic-ai/claude-code && claude auth login");
     console.log("  Copilot: npm install -g @github/copilot && copilot login");
   } else if (readyCount === statuses.length) {
     console.log("All providers are ready.");

apps/server/src/provider/Layers/ClaudeAdapter.test.ts

@@ -132,7 +132,6 @@ class FakeClaudeQuery implements AsyncIterable<SDKMessage> {
 function makeHarness(config?: {
   readonly nativeEventLogPath?: string;
   readonly nativeEventLogger?: ClaudeAdapterLiveOptions["nativeEventLogger"];
-  readonly readAuthTokenFromHelperCommand?: ClaudeAdapterLiveOptions["readAuthTokenFromHelperCommand"];
   readonly cwd?: string;
   readonly baseDir?: string;
 }) {
@@ -149,11 +148,6 @@ function makeHarness(config?: {
       createInput = input;
       return query;
     },
-    ...(config?.readAuthTokenFromHelperCommand
-      ? {
-          readAuthTokenFromHelperCommand: config.readAuthTokenFromHelperCommand,
-        }
-      : {}),
     ...(config?.nativeEventLogger
       ? {
           nativeEventLogger: config.nativeEventLogger,
@@ -358,64 +352,8 @@ describe("ClaudeAdapterLive", () => {
     );
   });
 
-  it.effect("sources ANTHROPIC_AUTH_TOKEN from the configured helper command", () => {
-    const helperCommand = "op read op://shared/anthropic/token --no-newline";
-    const helperToken = "helper-token";
-    let helperCall: {
-      readonly command: string;
-      readonly options?: { readonly cwd?: string };
-    } | null = null;
-    const helper: NonNullable<ClaudeAdapterLiveOptions["readAuthTokenFromHelperCommand"]> = (
-      command,
-      options,
-    ) => {
-      helperCall = {
-        command,
-        ...(options?.cwd ? { options: { cwd: options.cwd } } : {}),
-      };
-      return helperToken;
-    };
-    const harness = makeHarness({
-      readAuthTokenFromHelperCommand: helper,
-    });
-
-    return Effect.gen(function* () {
-      const adapter = yield* ClaudeAdapter;
-      yield* adapter.startSession({
-        threadId: THREAD_ID,
-        provider: "claudeAgent",
-        cwd: THREAD_CWD,
-        runtimeMode: "full-access",
-        env: {
-          ANTHROPIC_AUTH_TOKEN: "",
-        },
-        providerOptions: {
-          claudeAgent: {
-            authTokenHelperCommand: helperCommand,
-          },
-        },
-      });
-
-      const createInput = harness.getLastCreateQueryInput();
-      assert.equal(createInput?.options.env?.ANTHROPIC_AUTH_TOKEN, helperToken);
-      assert.equal(helperCall?.command, helperCommand);
-      assert.equal(helperCall?.options?.cwd, THREAD_CWD);
-    }).pipe(
-      Effect.provideService(Random.Random, makeDeterministicRandomService()),
-      Effect.provide(harness.layer),
-    );
-  });
-
-  it.effect("prefers an explicit ANTHROPIC_AUTH_TOKEN over the helper command", () => {
-    let helperCallCount = 0;
-    const helper: NonNullable<ClaudeAdapterLiveOptions["readAuthTokenFromHelperCommand"]> = () => {
-      helperCallCount += 1;
-      return "helper-token";
-    };
-    const harness = makeHarness({
-      readAuthTokenFromHelperCommand: helper,
-    });
-
+  it.effect("strips Anthropic credential env vars before starting Claude Code", () => {
+    const harness = makeHarness();
     return Effect.gen(function* () {
       const adapter = yield* ClaudeAdapter;
       yield* adapter.startSession({
@@ -424,18 +362,14 @@ describe("ClaudeAdapterLive", () => {
         cwd: THREAD_CWD,
         runtimeMode: "full-access",
         env: {
+          ANTHROPIC_API_KEY: "api-key",
           ANTHROPIC_AUTH_TOKEN: "env-token",
         },
-        providerOptions: {
-          claudeAgent: {
-            authTokenHelperCommand: "op read op://shared/anthropic/token --no-newline",
-          },
-        },
       });
 
       const createInput = harness.getLastCreateQueryInput();
-      assert.equal(createInput?.options.env?.ANTHROPIC_AUTH_TOKEN, "env-token");
-      assert.equal(helperCallCount, 0);
+      assert.equal(createInput?.options.env?.ANTHROPIC_API_KEY, undefined);
+      assert.equal(createInput?.options.env?.ANTHROPIC_AUTH_TOKEN, undefined);
     }).pipe(
       Effect.provideService(Random.Random, makeDeterministicRandomService()),
       Effect.provide(harness.layer),

apps/server/src/provider/Layers/ClaudeAdapter.ts

@@ -75,7 +75,6 @@ import {
   extractTextAttachmentContents,
 } from "../../attachmentText.ts";
 import { ServerConfig } from "../../config.ts";
-import { readClaudeAuthTokenFromHelperCommand } from "../claudeAuthTokenHelper.ts";
 import {
   ProviderAdapterProcessError,
   ProviderAdapterRequestError,
@@ -187,7 +186,6 @@ export interface ClaudeAdapterLiveOptions {
     readonly prompt: AsyncIterable<SDKUserMessage>;
     readonly options: ClaudeQueryOptions;
   }) => ClaudeQueryRuntime;
-  readonly readAuthTokenFromHelperCommand?: typeof readClaudeAuthTokenFromHelperCommand;
   readonly nativeEventLogPath?: string;
   readonly nativeEventLogger?: EventNdjsonLogger;
 }
@@ -211,12 +209,6 @@ function toError(cause: unknown, fallback: string): Error {
   return cause instanceof Error ? cause : new Error(toMessage(cause, fallback));
 }
 
-function nonEmptyTrimmed(value: string | undefined): string | undefined {
-  if (!value) return undefined;
-  const trimmed = value.trim();
-  return trimmed.length > 0 ? trimmed : undefined;
-}
-
 function normalizeClaudeStreamMessages(cause: Cause.Cause<Error>): ReadonlyArray<string> {
   const errors = Cause.prettyErrors(cause)
     .map((error) => error.message.trim())
@@ -263,7 +255,7 @@ function isClaudeAuthCause(cause: Cause.Cause<Error>): boolean {
 }
 
 function claudeAuthFailureMessage(): string {
-  return "Claude Code is not configured with a supported Anthropic credential. Set ANTHROPIC_API_KEY or ANTHROPIC_AUTH_TOKEN and try again.";
+  return "Claude Code must be authenticated with `claude auth login` before starting a session. API key and auth token credentials are not supported.";
 }
 
 function messageFromClaudeStreamCause(cause: Cause.Cause<Error>, fallback: string): string {
@@ -1025,8 +1017,6 @@ function makeClaudeAdapter(options?: ClaudeAdapterLiveOptions) {
             stream: "native",
           })
         : undefined);
-    const readAuthTokenFromHelperCommand =
-      options?.readAuthTokenFromHelperCommand ?? readClaudeAuthTokenFromHelperCommand;
 
     const createQuery =
       options?.createQuery ??
@@ -2832,28 +2822,11 @@ function makeClaudeAdapter(options?: ClaudeAdapterLiveOptions) {
         };
         const runtimeEnv = input.env ? compactNodeProcessEnv(input.env) : undefined;
         const baseEnv = mergeNodeProcessEnv(process.env, runtimeEnv);
-        const explicitAuthToken = nonEmptyTrimmed(baseEnv.ANTHROPIC_AUTH_TOKEN);
-        const helperCommand = providerOptions?.authTokenHelperCommand;
-        let authToken = explicitAuthToken;
-        if (!authToken && helperCommand) {
-          authToken = yield* Effect.try({
-            try: () =>
-              readAuthTokenFromHelperCommand(helperCommand, {
-                ...(input.cwd ? { cwd: input.cwd } : {}),
-                env: baseEnv,
-              }),
-            catch: (cause) =>
-              new ProviderAdapterProcessError({
-                provider: PROVIDER,
-                threadId,
-                detail: `Failed to resolve Claude auth token from helper command: ${toMessage(cause, "unknown error")}`,
-                cause,
-              }),
-          });
-        }
-        const queryEnv = authToken
-          ? mergeNodeProcessEnv(baseEnv, { ANTHROPIC_AUTH_TOKEN: authToken })
-          : baseEnv;
+        const {
+          ANTHROPIC_API_KEY: _anthropicApiKey,
+          ANTHROPIC_AUTH_TOKEN: _anthropicAuthToken,
+          ...queryEnv
+        } = baseEnv;
 
         const queryOptions: ClaudeQueryOptions = {
           ...(input.cwd ? { cwd: input.cwd } : {}),

apps/server/src/provider/Layers/ProviderHealth.test.ts

@@ -470,13 +470,17 @@ it.layer(NodeServices.layer)("ProviderHealth", (it) => {
   // ── checkClaudeProviderStatus tests ──────────────────────────
 
   describe("checkClaudeProviderStatus", () => {
-    it.effect("returns ready when claude is installed and authenticated", () =>
+    it.effect("rejects Claude API-key auth and requires CLI login", () =>
       Effect.gen(function* () {
         const status = yield* checkClaudeProviderStatus;
         assert.strictEqual(status.provider, "claudeAgent");
-        assert.strictEqual(status.status, "ready");
+        assert.strictEqual(status.status, "error");
         assert.strictEqual(status.available, true);
-        assert.strictEqual(status.authStatus, "authenticated");
+        assert.strictEqual(status.authStatus, "unauthenticated");
+        assert.strictEqual(
+          status.message,
+          "Claude authentication status reported unsupported credential type 'apiKey'. Run `claude auth login` and try again. API key and auth token credentials are not supported.",
+        );
       }).pipe(
         Effect.provide(
           mockSpawnerLayer((args) => {
@@ -535,7 +539,7 @@ it.layer(NodeServices.layer)("ProviderHealth", (it) => {
         assert.strictEqual(status.authStatus, "unauthenticated");
         assert.strictEqual(
           status.message,
-          "Claude is not configured with a supported Anthropic credential. Run `claude auth login`, or set ANTHROPIC_API_KEY / ANTHROPIC_AUTH_TOKEN, and try again.",
+          "Claude Code must be authenticated with `claude auth login` before starting a session. Run `claude auth login` and try again. API key and auth token credentials are not supported.",
         );
       }).pipe(
         Effect.provide(
@@ -561,7 +565,7 @@ it.layer(NodeServices.layer)("ProviderHealth", (it) => {
         assert.strictEqual(status.status, "ready");
         assert.strictEqual(status.available, true);
         assert.strictEqual(status.authStatus, "authenticated");
-        assert.strictEqual(status.message, "Claude Code CLI is ready via Claude.ai login.");
+        assert.strictEqual(status.message, "Claude Code CLI is ready via `claude auth login`.");
       }).pipe(
         Effect.provide(
           mockSpawnerLayer((args) => {
@@ -626,10 +630,10 @@ it.layer(NodeServices.layer)("ProviderHealth", (it) => {
   // ── parseClaudeAuthStatusFromOutput pure tests ────────────────────
 
   describe("parseClaudeAuthStatusFromOutput", () => {
-    it("exit code 0 with no auth markers is ready", () => {
+    it("exit code 0 with no auth markers is unknown", () => {
       const parsed = parseClaudeAuthStatusFromOutput({ stdout: "OK\n", stderr: "", code: 0 });
-      assert.strictEqual(parsed.status, "ready");
-      assert.strictEqual(parsed.authStatus, "authenticated");
+      assert.strictEqual(parsed.status, "warning");
+      assert.strictEqual(parsed.authStatus, "unknown");
     });
 
     it("JSON with loggedIn=true is authenticated", () => {
@@ -640,7 +644,7 @@ it.layer(NodeServices.layer)("ProviderHealth", (it) => {
       });
       assert.strictEqual(parsed.status, "ready");
       assert.strictEqual(parsed.authStatus, "authenticated");
-      assert.strictEqual(parsed.message, "Claude Code CLI is ready via Claude.ai login.");
+      assert.strictEqual(parsed.message, "Claude Code CLI is ready via `claude auth login`.");
     });
 
     it("JSON with loggedIn=false is unauthenticated", () => {

apps/server/src/provider/Layers/ProviderHealth.ts

@@ -160,9 +160,8 @@ function hasGeminiHeadlessAuthEnv(): boolean {
 }
 
 const CLAUDE_CLI_AUTH_METHODS = new Set(["claude.ai", "oauth"]);
-const CLAUDE_SUPPORTED_AUTH_METHODS = new Set(["apiKey", "authToken", "claude.ai", "oauth"]);
 const CLAUDE_AUTH_GUIDANCE =
-  "Run `claude auth login`, or set ANTHROPIC_API_KEY / ANTHROPIC_AUTH_TOKEN, and try again.";
+  "Run `claude auth login` and try again. API key and auth token credentials are not supported.";
 
 export function parseAuthStatusFromOutput(result: CommandResult): {
   readonly status: ServerProviderStatusState;
@@ -660,14 +659,14 @@ export function parseClaudeAuthStatusFromOutput(result: CommandResult): {
     lowerOutput.includes("not logged in") ||
     lowerOutput.includes("login required") ||
     lowerOutput.includes("authentication required") ||
-    lowerOutput.includes("oauth authentication is currently not supported") ||
     lowerOutput.includes("run `claude login`") ||
-    lowerOutput.includes("run claude login")
+    lowerOutput.includes("run claude login") ||
+    lowerOutput.includes("api key and auth token credentials are not supported")
   ) {
     return {
       status: "error",
       authStatus: "unauthenticated",
-      message: `Claude is not configured with a supported Anthropic credential. ${CLAUDE_AUTH_GUIDANCE}`,
+      message: `Claude Code must be authenticated with \`claude auth login\` before starting a session. ${CLAUDE_AUTH_GUIDANCE}`,
     };
   }
 
@@ -700,35 +699,39 @@ export function parseClaudeAuthStatusFromOutput(result: CommandResult): {
   const authMethod = parsedAuth.authMethod?.trim();
   const normalizedAuthMethod = authMethod?.toLowerCase();
   if (parsedAuth.auth === true) {
-    if (authMethod && !CLAUDE_SUPPORTED_AUTH_METHODS.has(authMethod)) {
+    if (normalizedAuthMethod && !CLAUDE_CLI_AUTH_METHODS.has(normalizedAuthMethod)) {
       return {
-        status: "warning",
-        authStatus: "unknown",
-        message: `Claude authentication status reported an unsupported credential type '${authMethod}'. ${CLAUDE_AUTH_GUIDANCE}`,
+        status: "error",
+        authStatus: "unauthenticated",
+        message: `Claude authentication status reported unsupported credential type '${authMethod}'. ${CLAUDE_AUTH_GUIDANCE}`,
       };
     }
     if (normalizedAuthMethod && CLAUDE_CLI_AUTH_METHODS.has(normalizedAuthMethod)) {
       return {
         status: "ready",
         authStatus: "authenticated",
-        message: "Claude Code CLI is ready via Claude.ai login.",
+        message: "Claude Code CLI is ready via `claude auth login`.",
       };
     }
-    return { status: "ready", authStatus: "authenticated" };
+    return {
+      status: "warning",
+      authStatus: "unknown",
+      message: "Could not verify Claude CLI authentication method from status output.",
+    };
   }
   if (parsedAuth.auth === false) {
     return {
       status: "error",
       authStatus: "unauthenticated",
-      message: `Claude is not configured with a supported Anthropic credential. ${CLAUDE_AUTH_GUIDANCE}`,
+      message: `Claude Code must be authenticated with \`claude auth login\` before starting a session. ${CLAUDE_AUTH_GUIDANCE}`,
     };
   }
   if (parsedAuth.attemptedJsonParse) {
-    if (authMethod && !CLAUDE_SUPPORTED_AUTH_METHODS.has(authMethod)) {
+    if (normalizedAuthMethod && !CLAUDE_CLI_AUTH_METHODS.has(normalizedAuthMethod)) {
       return {
         status: "error",
         authStatus: "unauthenticated",
-        message: `Claude authentication status reported an unsupported credential type '${authMethod}'. ${CLAUDE_AUTH_GUIDANCE}`,
+        message: `Claude authentication status reported unsupported credential type '${authMethod}'. ${CLAUDE_AUTH_GUIDANCE}`,
       };
     }
     return {
@@ -738,10 +741,6 @@ export function parseClaudeAuthStatusFromOutput(result: CommandResult): {
         "Could not verify Claude authentication status from JSON output (missing auth marker).",
     };
   }
-  if (result.code === 0) {
-    return { status: "ready", authStatus: "authenticated" };
-  }
-
   const detail = detailFromResult(result);
   return {
     status: "warning",