| title | Providers |
|---|---|
| description | AI provider configuration and model selection |
The default provider is the local Codex CLI.
Clawpatch integrates coding harnesses and agent CLIs only. Direct model API providers are out of scope; see the project vision.
clawpatch doctorProvider names today:
codex: shells out tocodex exec(default)acpx: routes through any ACP-compatible coding agent viaacpxclaude: shells out to Claude Code in print mode (claude -p)grok: shells out to the xAI Grok Build CLI in headless mode (grok --prompt-file)opencode: shells out toopencode run --format jsonpi: shells out topi -p(non-interactive print mode)cursor: shells out tocursor-agent -p --output-format jsonmock: deterministic provider for tests and fixturesmock-fail: failure provider for tests
Codex invocation:
- review: read-only sandbox
- revalidate: read-only sandbox
- fix: workspace-write sandbox
- output: strict JSON schema via
--output-schema - final message capture:
--output-last-message - timeout: 300 seconds by default, matching the Cursor provider; override with
CLAWPATCH_CODEX_TIMEOUT_MSorCLAWPATCH_PROVIDER_TIMEOUT_MS
Model selection:
clawpatch review --model <model>
CLAWPATCH_MODEL=<model> clawpatch reviewReasoning effort selection:
clawpatch review --model gpt-5.5 --reasoning-effort xhigh
CLAWPATCH_REASONING_EFFORT=xhigh clawpatch reviewWhen reasoningEffort is unset, Clawpatch does not pass a reasoning override
and Codex uses its own configured default. Explicit values are passed to Codex
as model_reasoning_effort.
Trusted Codex CLI config passthrough:
{
"provider": {
"name": "codex",
"model": null,
"reasoningEffort": null,
"codexConfig": {
"model_provider": "local",
"model_providers.local.base_url": "https://example.invalid/v1",
"model_providers.local.env_key": "CLAWPATCH_CODEX_API_KEY"
}
}
}Load a config like this with clawpatch --config trusted-config.json ... or
CLAWPATCH_CONFIG=trusted-config.json. Clawpatch rejects non-empty
provider.codexConfig from auto-discovered repository or state config files so
a checkout cannot silently redirect Codex provider routing or credential lookup.
Values are limited to strings, finite numbers, booleans, and null, then passed
as repeated -c key=value arguments before --model and reasoning overrides.
Do not place raw secrets in codexConfig; point Codex at an explicit env var
instead.
The opencode provider shells out to the local OpenCode CLI.
- review / revalidate:
opencode run --format json --dir <root> --file <prompt> - fix: adds
--dangerously-skip-permissions - output: parsed from JSONL
textevents - read-only operations: set
OPENCODE_PERMISSIONto deny edit, shell, subagent, and web tools - model selection:
--model <provider/model>
Provider selection:
clawpatch review --provider opencode --model opencode/big-pickle
CLAWPATCH_PROVIDER=opencode CLAWPATCH_MODEL=opencode/big-pickle clawpatch review
clawpatch fix --finding <id> --provider opencodePermission caveat: OpenCode permissions are configuration-driven. Clawpatch
sets a restrictive OPENCODE_PERMISSION for review and revalidate, and uses
--dangerously-skip-permissions only during explicit fix. Review remains
prompted as read-only, but the same isolated-checkout guidance applies when
running third-party agents.
The acpx provider routes through acpx <agent> exec, where <agent> is any
ACP-compatible coding agent.
- review / revalidate:
--approve-readsplus an explicit read-only prompt directive - fix:
--approve-all - output:
--format json --json-strict --suppress-reads, parsed from known ACP NDJSON envelope kinds - tested envelope shape:
acpx@^0.8.0 - timeout: 180 seconds by default, override with
CLAWPATCH_ACPX_TIMEOUT_MSorCLAWPATCH_PROVIDER_TIMEOUT_MS
Permission caveat: acpx --approve-all is not the same as codex --sandbox workspace-write. Codex's workspace-write mode is an enforced sandbox. ACPX
approval flags control ACP permission prompts; the underlying agent still has
whatever filesystem and network access its own runtime grants. For untrusted
code, run clawpatch fix --provider acpx inside an isolated checkout. For
review and revalidate, strict read-only behavior still depends on the underlying
agent honoring read-only permissions and the prompt directive.
Agent selection uses --model as <agent> or <agent>:<model>, split on the
first colon:
- unset: agent
codex, default model codex: agentcodex, default modelclaude: agentclaude, default modelclaude:sonnet-4-5: agentclaude, modelsonnet-4-5ollama:llama3:70b: agentollama, modelllama3:70b
Migration note: --provider codex --model gpt-5-codex is not equivalent to
--provider acpx --model gpt-5-codex; the latter selects an ACP agent named
gpt-5-codex. Use --provider acpx --model codex:gpt-5-codex.
The claude provider shells out to the local
Claude Code CLI in non-interactive
print mode.
Install Claude Code. The default isolated mode accepts an Anthropic API key or the supported cloud-provider auth variables:
export ANTHROPIC_API_KEY=sk-ant-...
claude --versionTo use the configured Claude Code binary's /login or setup-token auth state,
opt into host auth context:
CLAWPATCH_CLAUDE_AUTH_CONTEXT=host clawpatch doctor --provider claude
CLAWPATCH_CLAUDE_AUTH_CONTEXT=host clawpatch review --provider claudeHost auth context requires Claude Code 2.1.169 or newer.
Set CLAWPATCH_CLAUDE_BIN to an executable path when Clawpatch should invoke a
specific Claude Code installation.
Provider selection:
clawpatch review --provider claude
CLAWPATCH_PROVIDER=claude clawpatch review
clawpatch fix --finding <id> --provider claude
clawpatch doctor --provider claudeFor low-cost smoke checks, pass a smaller model explicitly:
clawpatch review --provider claude --model claude-haiku-4-5-20251001 --limit 1How the Claude provider works:
- Doctor:
clawpatch doctor --provider claudechecks that the Claude Code binary is available, readsclaude --version, and blocks known vulnerable versions. In host auth context it also runs one minimal structured provider query through the same auth/runtime boundary; this makes a network request and may consume provider credits. - Auth/isolation: provider runs use
--barewith a default-deny environment. Clawpatch forwards only minimal execution variables plus explicit Anthropic API key, Vertex AI, Google ADC, cloud-gateway, and Bedrock/AWS auth variables. It does not pass hostHOME, OAuth/keychain state, or whole Claude config/cache directories; OAuth subscription auth is not available in Claude Code--baremode. Cloud auth env is available to Claude Code itself, while Claude tool subprocess env scrubbing is enabled. AWS profile names are forwarded only whenAWS_CONFIG_FILEorAWS_SHARED_CREDENTIALS_FILEpoints at explicit profile files. - Host auth context:
CLAWPATCH_CLAUDE_AUTH_CONTEXT=hostreplaces--barewith Claude Code--safe-mode, exposes only the hostHOME/USERPROFILEand optionalCLAUDE_CONFIG_DIRauth locators, and permitsCLAUDE_CODE_OAUTH_TOKEN. It does not inherit the whole host environment; the auth allowlist, temporary XDG/cache/data directories, subprocess env scrubbing, tool limits, empty strict MCP config, disabled slash commands, and disabled browser integration remain in force.--safe-modedisables user and repository customizations while retaining normal authentication. - Structured output: provider runs use
--output-format json --json-schemaand parse the returnedstructured_outputfield. - Read-only operations (map, review, revalidate): use
--tools "Read,Grep,Glob" --permission-mode dontAsk. - Write operation (fix): uses Claude's default tool set with
--permission-mode acceptEdits. Clawpatch still relies on its existing clean worktree preflight beforefix. - Ambient config isolation: runs add
--strict-mcp-configwith an empty MCP configuration,--disable-slash-commands, and--no-chrome. - Model selection:
--model <model>is passed through to Claude. - Reasoning effort:
low,medium,high, andxhighare passed as--effort. Clawpatchminimalmaps to Claudelow; Clawpatchnoneis treated as no override because Claude does not accept--effort none. skipGitRepoCheck: Claude has no equivalent flag, so this option is a no-op for the Claude provider.- Timeout: 180 seconds by default, override with
CLAWPATCH_CLAUDE_TIMEOUT_MSorCLAWPATCH_PROVIDER_TIMEOUT_MS.
Permission caveat: Claude tool restrictions are enforced by Claude Code, and
safe mode is configuration isolation rather than an OS sandbox. Host auth
context makes the host auth locator visible to the Claude process; use it only
for trusted repositories. For write operations during fix, Claude may edit
the current worktree. For untrusted code, keep the default isolated auth
context and run clawpatch fix --provider claude inside an isolated checkout.
The grok provider shells out to the local Grok Build CLI.
Install the Grok CLI:
curl -fsSL https://x.ai/cli/install.sh | bashThen ensure grok --version works and authenticate using the flow supported by
the local Grok CLI.
Provider selection:
clawpatch review --provider grok
CLAWPATCH_PROVIDER=grok clawpatch review
clawpatch fix --finding <id> --provider grok --model grok-build
clawpatch doctor --provider grokHow the Grok provider works:
- Headless mode:
--prompt-fileplus--output-format json --always-approve --verbatim --cwd <root> - Read-only operations: adds
--disallowed-tools "search_replace,run_terminal_cmd,Agent" - Write operations: uses full
--always-approveso the agent can edit files and run validation commands - Structured output: validates the returned JSON against the same Zod schemas used for Codex
- Large prompts: always uses
--prompt-fileinstead of passing prompt text on the command line
The pi provider shells out to the local pi coding agent
in non-interactive print mode (pi -p).
Install pi:
curl -fsSL https://pi.dev/install.sh | shAuthenticate with an API key:
export ANTHROPIC_API_KEY=sk-ant-...Or use a subscription:
pi
/loginThen verify:
pi --versionProvider selection:
clawpatch review --provider pi
CLAWPATCH_PROVIDER=pi clawpatch review
clawpatch fix --finding <id> --provider pi --model anthropic/claude-sonnet-4
clawpatch doctor --provider piHow the pi provider works:
- Non-interactive mode:
pi -p --no-sessionwith all discovery flags disabled (--no-context-files --no-skills --no-extensions --no-prompt-templates --no-themes) to isolate the agent from project and user configuration - Prompt delivery: written to a temp file and passed via
@<path>file reference - Read-only operations (map, review, revalidate):
--tools readrestricts the agent to the read tool only - Write operations (fix): uses the default tool set (read, bash, edit, write)
- Model selection:
--model <pattern>supports provider-prefixed IDs likeanthropic/claude-sonnet-4and thinking-level shorthands likesonnet:high - Reasoning effort:
--thinking <level>maps from clawpatch's reasoning effort - Output: parsed from stdout text using the shared
extractJsonhelper - Timeout: 180 seconds by default, override with
CLAWPATCH_PI_TIMEOUT_MSorCLAWPATCH_PROVIDER_TIMEOUT_MS
Permission caveat: pi's --tools read restricts the agent to the read tool for
review and revalidate, but enforcement depends on pi honoring the tool allowlist.
For write operations during fix, the agent has full filesystem and shell access.
For untrusted code, run clawpatch fix --provider pi inside an isolated checkout.
The cursor provider shells out to the local Cursor Agent CLI in headless print
mode. It is experimental and disabled for map, review, fix, and
revalidate by default while HITL verification is incomplete.
Verify local availability:
cursor-agent --version
clawpatch doctor --provider cursorExperimental provider selection:
CURSOR_API_KEY=... CLAWPATCH_CURSOR_EXPERIMENTAL=1 clawpatch review --provider cursor
CURSOR_API_KEY=... CLAWPATCH_CURSOR_EXPERIMENTAL=1 CLAWPATCH_PROVIDER=cursor clawpatch review
CURSOR_API_KEY=... CLAWPATCH_CURSOR_EXPERIMENTAL=1 CLAWPATCH_CURSOR_ALLOW_WRITE=1 clawpatch fix --finding <id> --provider cursor --model <model>
clawpatch doctor --provider cursorHow the Cursor provider works:
- Headless mode:
cursor-agent --trust -p --output-format json --workspace <root> - Read-only operations: also pass Cursor's documented
--mode ask - Output: parses Cursor's
type: "result"JSON envelope and then extracts the Clawpatch JSON object from theresulttext - Prompt delivery: writes the full Clawpatch prompt to a temporary file, then
passes a short positional
[prompt...]instruction telling Cursor to read it - Model selection: passes
--model <model>when configured - Model names: pass Cursor model ids, for example
composer-2.5for Composer 2.5 without fast mode - Reasoning effort and
skipGitRepoCheck: not mapped to Cursor CLI flags - Authentication: experimental execution uses the host user environment and
passes
CURSOR_API_KEYthrough when present. Prefer API-key auth for headless runs; relying on the user's Cursor login can touch the macOS login keychain. Clawpatch also setsNO_OPEN_BROWSER=1to reduce browser prompts during headless runs. - Read-only guard: map, review, and revalidate pass
--mode askand include read-only instructions in the prompt. Clawpatch does not setCURSOR_CONFIG_DIR, because that can bypass the user's existing Cursor auth profile and trigger browser login prompts. - Timeout: 300 seconds by default, override with
CLAWPATCH_CURSOR_TIMEOUT_MSorCLAWPATCH_PROVIDER_TIMEOUT_MS - Advisory handling: semver-like Cursor CLI versions below
2.5.0are blocked for CVE-2026-26268 / GHSA-8pcm-8jpx-hv8r. Date-formatted CLI builds are allowed only when Clawpatch can verify a semver Cursor app version from the local macOS app bundle.
Permission caveat: Cursor's print mode is documented as having access to tools,
including write and shell. Clawpatch therefore keeps Cursor execution behind
CLAWPATCH_CURSOR_EXPERIMENTAL=1, uses --mode ask for read-only operations,
and separately requires CLAWPATCH_CURSOR_ALLOW_WRITE=1 for fix. The
implementation uses --trust for the explicit trusted-workspace path and never
uses --force or --yolo. Complete HITL verification before promoting this to
default provider support, especially for ambient rules, MCP configuration,
temporary prompt file handling, timeout behavior, and any claimed read-only mode.