[Bugfix #985] consult -m claude: authenticate against subscription, not metered API#986
Merged
Conversation
…scription Strip ANTHROPIC_API_KEY/ANTHROPIC_AUTH_TOKEN from the Claude Agent SDK subprocess env when CLAUDE_CODE_OAUTH_TOKEN is present, so consult authenticates against the Claude subscription rather than the metered Opus API. The SDK prioritizes ANTHROPIC_API_KEY over the OAuth token, which silently routed CMAP/review traffic to the metered API. - Extract env-building into pure exported helper buildClaudeConsultEnv() - Deletion scoped to the local subprocess env copy, never process.env, so other callers (persona, dev:local) are unaffected - Preserve the API key when no OAuth token is set (CI / key-only envs) - Regression test covering both auth paths + no-mutation invariant - Doc note in consult.md incl. 2026-06-15 subscription-credit caveat
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes #985
Problem
consult -m clauderuns CMAP/review traffic on the metered Opus API instead of the Claude subscription.runClaudeConsultation()built the Agent SDK subprocess env by copying all ofprocess.env, includingANTHROPIC_API_KEY/ANTHROPIC_AUTH_TOKEN. The Agent SDK prioritizes the API key overCLAUDE_CODE_OAUTH_TOKEN, so the subprocess silently authenticated as a metered key rather than the subscription. Reported by an external adopter (~$150/day on a heavy dev day).Fix
Scoped to consult's Claude subprocess env only (
packages/codev/src/commands/consult/index.ts):buildClaudeConsultEnv(processEnv).CLAUDE_CODE_OAUTH_TOKENis set, deleteANTHROPIC_API_KEYandANTHROPIC_AUTH_TOKENfrom the local env copy — never from globalprocess.env. Other callers that need the API key (persona, dev:local) are unaffected.CLAUDE_CODE_OAUTH_TOKENis not set, behavior is unchanged (fall back to the API key) so CI / key-only environments still authenticate.Test
__tests__/claude-auth-env.test.ts(4 cases):process.envis never mutated (deletion scoped to the copy).Verification: consult suite 79/79 pass,
tsc --noEmitclean.Effect & caveat
CMAP/review traffic runs on the Claude subscription instead of the metered Opus API — material saving (~$150/day reported on a heavy day).
Caveat (documented in
consult.md, not a blocker): dedicated Agent-SDK subscription credit starts 2026-06-15; before then, subscription auth draws from the interactive Max quota.Scope / notes
Isolated change in
consult/index.ts(Claude-path env) + regression test + doc note.area/consult. Distinct from the Gemini auth work (#778) — this is the Claude lane.Adjacent and intentionally out of scope: line ~519 hardcodes
model: 'claude-opus-4-6'. Noted, not touched.