fix: Comprehensive authentication error handling

[mantarayDigital]

Summary

This PR provides comprehensive authentication error handling across all entry points:

• Shell launchers (start.sh, start_ui.sh)
• Python CLI launcher (start.py)
• Web UI server (server/main.py, server/services/process_manager.py)

Root Cause

Claude CLI no longer stores credentials at ~/.claude/.credentials.json. Multiple files in the codebase checked for this non-existent file, causing:

• False "not authenticated" prompts when users were logged in
• Generic error messages that didn't explain authentication failures
• No actionable guidance when auth actually failed

Changes

1. start.sh - Shell Launcher

- # Check for credentials file
- CLAUDE_CREDS="$HOME/.claude/.credentials.json"
- if [ -f "$CLAUDE_CREDS" ]; then
+ # Check for Claude CLI configuration directory
+ if [ -d "$HOME/.claude" ]; then
+     echo "[OK] Claude CLI directory found"
+     echo "     (If you're not logged in, run: claude login)"

2. start.py - Python CLI Launcher

• Added AUTH_ERROR_PATTERNS - 10 regex patterns to detect auth errors
• Added is_auth_error() helper function
• Added print_auth_error_help() for consistent error messaging
• Updated run_spec_creation() to capture stderr and detect auth failures
• Updated run_agent() to capture stderr and detect auth failures

3. start_ui.sh - UI Shell Launcher

• Added Claude CLI installation check with download link
• Added ~/.claude directory check with login reminder
• Non-blocking warnings (UI still starts)

4. server/main.py - Setup Status API

- credentials_path = Path.home() / ".claude" / ".credentials.json"
- credentials = credentials_path.exists()
+ claude_dir = Path.home() / ".claude"
+ credentials = claude_dir.exists() and claude_dir.is_dir()

5. server/services/process_manager.py - Agent Process Streaming

• Added AUTH_ERROR_PATTERNS and is_auth_error() helper
• Added AUTH_ERROR_HELP message template
• Updated _stream_output() to detect auth errors in real-time
• Buffers last 20 lines to catch auth errors on process exit
• Broadcasts clear help message to WebSocket clients

Auth Error Patterns Detected

AUTH_ERROR_PATTERNS = [
    r"not\s+logged\s+in",
    r"not\s+authenticated", 
    r"authentication\s+(failed|required|error)",
    r"login\s+required",
    r"please\s+(run\s+)?['\"]?claude\s+login",
    r"unauthorized",
    r"invalid\s+(token|credential|api.?key)",
    r"expired\s+(token|session|credential)",
    r"could\s+not\s+authenticate",
    r"sign\s+in\s+(to|required)",
]

Example Output

CLI (start.py)

==================================================
  Authentication Error Detected
==================================================

Claude CLI requires authentication to work.

To fix this, run:
  claude login

This will open a browser window to sign in.
After logging in, try running this command again.
==================================================

Web UI (WebSocket stream)

================================================================================
  AUTHENTICATION ERROR DETECTED
================================================================================

Claude CLI requires authentication to work.

To fix this, run:
  claude login

This will open a browser window to sign in.
After logging in, try starting the agent again.
================================================================================

Files Changed

File	Changes
start.sh	Fix credential check, add login reminder
start.py	Add auth error detection helpers and handling
start_ui.sh	Add Claude CLI check with guidance
server/main.py	Fix setup_status() credential check
server/services/process_manager.py	Add real-time auth error detection

Design Principles

1. Honest messaging - We can't verify auth without an API call, so we say what we know
2. Non-blocking - Warnings don't prevent the app from running
3. Actionable - Every error message tells users exactly what to do
4. Consistent - Same patterns and messages across CLI and UI

Test Plan

• Run ./start.sh with Claude CLI installed → Shows directory found + reminder
• Run ./start_ui.sh with Claude CLI installed → Shows status + reminder
• Start agent via CLI when not authenticated → Shows auth error help box
• Start agent via UI when not authenticated → WebSocket streams auth error help
• /api/setup/status returns credentials: true when ~/.claude exists
• Normal authenticated flow works without extra output

---

🤖 Generated with Claude Code

Summary by CodeRabbit

• Refactor

  • Removed interactive login and credential-file handling from startup.
  • Simplified readiness checks to verify CLI availability and config directory presence.
  • Updated user messages to indicate missing configuration without attempting login.
  • Kept virtual environment setup, dependency installation, and app start unchanged.

• Improvements

  • Added runtime detection of CLI authentication failures and clear, user-facing guidance suggesting a login when auth issues occur.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

📝 Walkthrough

Walkthrough

Replaces interactive credential-file/login logic in shell scripts with readiness checks for Claude CLI and config directory; adds runtime Claude CLI authentication detection and user guidance in Python (start.py, process manager), capturing stderr, scanning for auth errors, and printing help suggesting claude login. Server API setup now checks for ~/.claude directory existence rather than a credentials file.

Changes

Cohort / File(s)	Summary
Shell start scripts start.sh, start_ui.sh	Remove interactive credential-file handling and login prompts; add Claude CLI presence and config-directory checks (examines ~/.claude), print guidance if missing; keep venv creation, dependency install, and app run logic.
CLI auth helpers & runner logic start.py	Add AUTH_ERROR_PATTERNS, is_auth_error(output: str), and print_auth_error_help(); capture stderr from Claude CLI in run_spec_creation and run_agent, detect auth errors and print targeted guidance (suggest claude login) or surface other stderr; expose new constants/functions.
Server process output handling server/services/process_manager.py	Add AUTH_ERROR_PATTERNS, AUTH_ERROR_HELP, and is_auth_error(text); stream outputs with on-the-fly auth-error detection, broadcast help message when detected, and post-process buffered output for auth hints on non-zero exits.
Server setup status server/main.py	Change /api/setup/status to infer Claude configuration by checking that ~/.claude exists and is a directory rather than requiring a specific credentials file.

Sequence Diagram(s)

sequenceDiagram
  participant StartScript as start.sh / start_ui.sh
  participant PythonRunner as start.py
  participant ClaudeCLI as Claude CLI (external)
  participant FS as Filesystem (~/.claude & spec)
  participant Agent as Agent process

  StartScript->>PythonRunner: invoke runner
  PythonRunner->>ClaudeCLI: run spec creation command
  ClaudeCLI-->>PythonRunner: stdout / stderr + exit code
  alt exit non-zero & matches AUTH_ERROR_PATTERNS
    PythonRunner->>PythonRunner: is_auth_error(stderr) -> true
    PythonRunner->>StartScript: print_auth_error_help()
  else exit non-zero other error
    PythonRunner->>StartScript: print stderr / hints
  end
  PythonRunner->>FS: check for produced spec file
  alt spec exists
    PythonRunner->>Agent: run agent with spec
    Agent-->>PythonRunner: stdout / stderr + exit code
    alt agent exit non-zero & matches AUTH_ERROR_PATTERNS
      PythonRunner->>StartScript: print_auth_error_help()
    else
      PythonRunner->>StartScript: print stderr / hints
    end
  end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 I hopped through shell and Python tracks,
Sniffed Claude’s messages, and left no cracks.
If auth goes sour, I’ll point the sign:
"Run claude login" — then all will shine! ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'fix: Comprehensive authentication error handling' accurately describes the main change: adding authentication error detection and handling across multiple files and entry points.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 122f03d and 71eb07e.

📒 Files selected for processing (1)

• start.sh

🔇 Additional comments (1)

start.sh (1)

23-27: Pragmatic authentication check - well-documented approach.

The comment correctly notes that modern Claude CLI on macOS stores credentials in the encrypted macOS Keychain rather than in a .credentials.json file, and the credentials file gets deleted when logging in on macOS. The dual check (claude --version + directory existence) is a reasonable heuristic that:

• Verifies the CLI is functional (not just present in PATH)
• Confirms the config directory has been initialized
• Works across platforms (macOS uses Keychain, Linux still uses .credentials.json in this directory)

The approach balances reliability with user experience by avoiding forced interactive flows.

[coderabbitai]

Actionable comments posted: 2

🤖 Fix all issues with AI agents

In @start.sh:
- Around line 23-28: Replace the existing directory-only check in the if
statement that currently reads like the block checking "$HOME/.claude" with a
combined operational check that runs the claude CLI version command and verifies
the directory exists (i.e., use a command-execution check for "claude --version"
and the directory test together). Update the if condition used around the echo
lines so it only enters the block when the CLI executable returns success and
the config directory exists, and keep the existing echo messages unchanged.
- Around line 29-35: The else branch currently still blocks with a read prompt;
remove the blocking read or guard it so the script truly emits a non-blocking
warning. Specifically, in the else block that prints "[!] Claude CLI not
configured" (the section containing the read -p "Press Enter to continue anyway,
or Ctrl+C to exit..."), either delete that read line entirely to make the
warning non-blocking, or wrap it in an interactive-only guard (e.g., if [ -t 0
]; then read -p ...; fi) so automated/non-interactive runs are not blocked.

🧹 Nitpick comments (1)

start.sh (1)

26-28: Consider refining the authenticated-user message.

Line 28 displays "(If you're not logged in, run: claude login)" even when the .claude directory exists, which typically indicates the user IS logged in. This might cause unnecessary confusion for authenticated users.

Consider a more confident message when the directory exists, or move the login reminder to the else block where it's more contextually appropriate.

💬 Suggested messaging refinement

 if claude --version &> /dev/null && [ -d "$HOME/.claude" ]; then
-    echo "[OK] Claude CLI directory found"
-    echo "     (If you're not logged in, run: claude login)"
+    echo "[OK] Claude CLI configured"

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 71eb07e and 81dbc4b.

📒 Files selected for processing (1)

• start.sh

🔇 Additional comments (1)

start.sh (1)

23-35: Note: Authentication error handling in start.py becomes more critical.

Since this script now performs relaxed authentication checks and allows execution to continue without confirming the user is authenticated, robust error handling in start.py becomes increasingly important.

The previous review comment on this PR identified that start.py doesn't explicitly handle Claude authentication failures—when run_spec_creation() or run_agent() call the Claude CLI, subprocess errors aren't parsed or contextualized for the user.

With start.sh being more permissive, consider prioritizing the authentication error handling improvements in start.py to provide users with clear feedback when authentication actually fails during operation.

Based on past review comments on this PR.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Implementation doesn't match PR description: missing CLI operational check.

The PR description explicitly states the fix should use:

if claude --version &> /dev/null && [ -d "$HOME/.claude" ]; then

However, line 26 only checks for the directory:

if [ -d "$HOME/.claude" ]; then

The claude --version check is essential because it verifies the CLI is operational, not just that a config directory exists. Without it, the script could proceed with a broken or misconfigured CLI installation.

🔧 Add the operational check as described in the PR

-if [ -d "$HOME/.claude" ]; then
+if claude --version &> /dev/null && [ -d "$HOME/.claude" ]; then
     echo "[OK] Claude CLI directory found"
     echo "     (If you're not logged in, run: claude login)"

🤖 Prompt for AI Agents

In @start.sh around lines 23 - 28, Replace the existing directory-only check in
the if statement that currently reads like the block checking "$HOME/.claude"
with a combined operational check that runs the claude CLI version command and
verifies the directory exists (i.e., use a command-execution check for "claude
--version" and the directory test together). Update the if condition used around
the echo lines so it only enters the block when the CLI executable returns
success and the config directory exists, and keep the existing echo messages
unchanged.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Script still blocks execution, contradicting PR's non-blocking claim.

The PR description states the change "emits a non-blocking warning with instructions when not configured (instead of forcing login)" and "removes the forced interactive flow." However, line 34 still blocks execution:

read -p "Press Enter to continue anyway, or Ctrl+C to exit..."

This forces user interaction before the script can proceed, which contradicts the non-blocking design goal.

♻️ Make the warning truly non-blocking

 else
     echo "[!] Claude CLI not configured"
     echo ""
     echo "Please run 'claude login' to authenticate before continuing."
-    echo ""
-    read -p "Press Enter to continue anyway, or Ctrl+C to exit..."
 fi

🤖 Prompt for AI Agents

In @start.sh around lines 29 - 35, The else branch currently still blocks with a
read prompt; remove the blocking read or guard it so the script truly emits a
non-blocking warning. Specifically, in the else block that prints "[!] Claude
CLI not configured" (the section containing the read -p "Press Enter to continue
anyway, or Ctrl+C to exit..."), either delete that read line entirely to make
the warning non-blocking, or wrap it in an interactive-only guard (e.g., if [ -t
0 ]; then read -p ...; fi) so automated/non-interactive runs are not blocked.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (4)

start.py (4)

28-40: Consider refining overly broad patterns.

Some regex patterns might produce false positives:

• Line 35: r"unauthorized" is very broad and could match non-authentication errors (e.g., "unauthorized access to resource X" might be a permissions issue rather than a login issue)
• Line 36: r"invalid\s+(token|credential|api.?key)" won't match api_key (underscore separator) - consider api[._\s]?key instead

These are unlikely to cause significant issues but could lead to misleading error messages in edge cases.

♻️ Suggested refinements

-    r"unauthorized",
+    r"(not\s+authorized|unauthorized\s+(access|request|user))",
-    r"invalid\s+(token|credential|api.?key)",
+    r"invalid\s+(token|credential|api[._\s]?key)",

---

43-60: Update docstring to match actual usage.

The docstring states the function accepts "Combined stdout/stderr from subprocess," but in practice, only stderr is passed to this function (lines 280, 450). The implementation is correct, but the documentation is misleading.

📝 Proposed docstring fix

     """
     Check if output contains Claude CLI authentication error messages.
 
     Args:
-        output: Combined stdout/stderr from subprocess
+        output: stderr output from subprocess
 
     Returns:
         True if authentication error detected, False otherwise
     """

---

297-299: Remove or clarify redundant authentication hint.

Lines 297-299 suggest running claude login after any non-zero exit where no spec was created. However:

• If the failure was actually an auth error, print_auth_error_help() was already called at line 281, and the function returned False at line 282.
• This code path only executes for non-authentication errors where spec creation failed.
• Suggesting claude login for non-auth failures could mislead users away from the actual problem (e.g., filesystem issues, invalid project path, etc.).

Consider either removing this hint or making it more conditional.

♻️ Suggested fix

             print("\n" + "-" * 50)
             print("Spec creation incomplete.")
             print(f"Please ensure app_spec.txt exists in: {get_project_prompts_dir(project_dir)}")
-            # If failed with non-zero exit and no spec, might be auth issue
-            if result.returncode != 0:
-                print("\nIf you're having authentication issues, try running: claude login")
             return False

Or make it more specific:

-            # If failed with non-zero exit and no spec, might be auth issue
-            if result.returncode != 0:
-                print("\nIf you're having authentication issues, try running: claude login")
+            # Only hint about auth if we haven't already shown the auth error help
+            if result.returncode != 0 and not is_auth_error(stderr_output):
+                print("\nIf the issue persists, verify Claude CLI is working: claude --version")

---

456-457: Remove generic authentication hint for non-auth errors.

Lines 456-457 suggest running claude login whenever stderr contains "error" or "exception", even after the specific auth error detection (line 450) determined it's not an authentication error.

This is misleading because:

• The function already has comprehensive auth error pattern matching via is_auth_error()
• If the patterns didn't match, the error is likely not auth-related
• Generic terms like "error" and "exception" appear in most stderr output (filesystem errors, Python exceptions, validation errors, etc.)
• This could misdirect users away from the actual problem

Trust the specific auth detection and remove this generic fallback.

♻️ Proposed fix

             elif stderr_output.strip():
                 # Show any other errors
                 print(f"\nAgent error:\n{stderr_output.strip()}")
-                # Still hint about auth if exit was unexpected
-                if "error" in stderr_output.lower() or "exception" in stderr_output.lower():
-                    print("\nIf this is an authentication issue, try running: claude login")

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 81dbc4b and 780cfd3.

📒 Files selected for processing (1)

• start.py

🔇 Additional comments (2)

start.py (2)

12-12: LGTM!

The re import is necessary for the new authentication error pattern matching functionality.

---

63-73: LGTM!

The authentication error help message is clear, well-formatted, and provides actionable guidance to users.

[coderabbitai]

Actionable comments posted: 2

🤖 Fix all issues with AI agents

In @server/main.py:
- Around line 123-127: The current directory-based check using claude_dir and
credentials is unreliable; change the logic so credentials is true when the
appropriate environment variables are present instead of checking ~/.claude:
check ANTHROPIC_API_KEY for standard auth and also consider provider flags like
CLAUDE_CODE_USE_BEDROCK or CLAUDE_CODE_USE_VERTEX combined with their respective
provider credential env vars; update the assignment of the credentials variable
(replace the claude_dir.exists() check) to test os.environ for these keys so
authentication detection is based on environment variables rather than directory
presence.

In @server/services/process_manager.py:
- Around line 39-51: Update the AUTH_ERROR_PATTERNS list to include two
additional regexes to catch missing API key/session and setup-token messages:
add a pattern matching "missing api key" or "missing session" (e.g.,
r"missing\s+(api.?key|session)") and a pattern matching setup-token mentions
(e.g., r"setup.?token"); ensure these new patterns are appended to the
AUTH_ERROR_PATTERNS array so functions that scan error strings (using
AUTH_ERROR_PATTERNS) will detect "Missing API key · Run /login" and "Please run
setup-token" cases.

🧹 Nitpick comments (1)

start_ui.sh (1)

23-30: Consider clarifying the "not configured" message.

Line 28's message says "run 'claude login' first" but the script continues execution regardless. This creates a minor inconsistency between the imperative tone and the non-blocking behavior.

💬 Suggested messaging refinement

-        echo "[!] Claude CLI not configured - run 'claude login' first"
+        echo "[!] Claude CLI may not be configured - run 'claude login' if you see auth errors"

This aligns the message with the non-blocking design and sets appropriate expectations.

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 780cfd3 and b2c19b0.

📒 Files selected for processing (3)

• server/main.py
• server/services/process_manager.py
• start_ui.sh

🧰 Additional context used

🧬 Code graph analysis (1)

server/services/process_manager.py (1)

start.py (1)

• is_auth_error (43-60)

🔇 Additional comments (5)

start_ui.sh (1)

12-22: LGTM! Clear messaging for missing Claude CLI.

The check provides helpful guidance with installation instructions. The non-blocking approach (continuing despite missing CLI) aligns with the PR's design decision to show warnings rather than hard failures.

server/services/process_manager.py (4)

54-62: LGTM! Clean authentication error detection logic.

The implementation is straightforward and correct:

• Defensive early return for empty input
• Case-insensitive matching via lowercase conversion
• Short-circuit on first pattern match for efficiency

---

65-78: LGTM! Clear and actionable authentication help message.

The help banner is well-formatted and provides users with:

• Clear problem identification
• Specific command to run (claude login)
• Expected behavior (browser window)
• Next steps

---

229-256: Effective real-time authentication error detection with buffering.

The implementation correctly:

• Maintains a 20-line sliding window for auth error detection on exit
• Detects auth errors in real-time during streaming
• Broadcasts help only once during streaming (via auth_error_detected flag)
• Preserves formatting by broadcasting help line-by-line

The 20-line buffer is a reasonable trade-off between memory usage and coverage. Authentication errors typically appear early in Claude CLI output, so this should catch most cases.

---

268-273: LGTM! Defensive auth error detection on process exit.

This fallback check ensures authentication errors are caught even if:

• They weren't detected during real-time streaming
• They appear within the last 20 lines of output
• The process exits with a non-zero code

The not auth_error_detected guard prevents duplicate help messages.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

Claude CLI ~/.claude directory authentication configuration

💡 Result:

Summary — what ~/.claude is and how authentication/config works

• ~/.claude contains Claude Code user settings (settings.json) and per-project .claude/settings*.json files. User settings apply globally; project settings live in .claude/ in the project. [1][2]

• Authentication is normally done with an Anthropic API key via the ANTHROPIC_API_KEY environment variable. Claude Code also supports enterprise providers (Amazon Bedrock, Google Vertex) by setting provider-specific env vars and credentials (e.g., CLAUDE_CODE_USE_BEDROCK=1 + AWS creds). Some third‑party wrappers/proxies (e.g., ZenMux) use different env vars (ANTHROPIC_BASE_URL / ANTHROPIC_AUTH_TOKEN). [3][2][5]

Quick examples

• Preferred: export ANTHROPIC_API_KEY="sk-..." (works systemwide / in your shell/profile). [3]
• Alternative (user settings file): put an apiKey field in ~/.claude/settings.json (less recommended for secrets). [1][4]
• For Bedrock/Vertex: set CLAUDE_CODE_USE_BEDROCK=1 and configure AWS credentials, or CLAUDE_CODE_USE_VERTEX=1 and configure GCP credentials. [3]

Notes / gotchas

• Environment-variable auth is the standard / recommended method. Some third‑party tools or versions may change how ~/.claude/env or settings are read — check your Claude Code version/docs if env settings in settings.json appear ignored. [5][1]

Sources
[1] Claude Code settings (settings.json, user & project settings).
[2] Claude Code CLI reference (commands/flags & config file locations).
[3] Claude Code SDK — Authentication (ANTHROPIC_API_KEY, Bedrock/Vertex).
[4] Community config reference (example ~/.claude config).
[5] Third‑party integration note (env loading / ANTHROPIC_BASE_URL / ANTHROPIC_AUTH_TOKEN).

---

The directory-based authentication check is unreliable and should verify the ANTHROPIC_API_KEY environment variable instead.

Web search confirms that Claude CLI authentication is primarily handled via the ANTHROPIC_API_KEY environment variable (or provider-specific env vars for enterprise), not by checking directory existence. While ~/.claude stores settings.json, the directory's presence does not reliably indicate authentication is configured—a user could have the directory without credentials set, or vice versa.

Instead, the check should verify the relevant environment variable(s):

• For standard auth: check if ANTHROPIC_API_KEY is set
• For enterprise: check CLAUDE_CODE_USE_BEDROCK, CLAUDE_CODE_USE_VERTEX, or similar provider flags alongside their respective credentials

🤖 Prompt for AI Agents

In @server/main.py around lines 123 - 127, The current directory-based check
using claude_dir and credentials is unreliable; change the logic so credentials
is true when the appropriate environment variables are present instead of
checking ~/.claude: check ANTHROPIC_API_KEY for standard auth and also consider
provider flags like CLAUDE_CODE_USE_BEDROCK or CLAUDE_CODE_USE_VERTEX combined
with their respective provider credential env vars; update the assignment of the
credentials variable (replace the claude_dir.exists() check) to test os.environ
for these keys so authentication detection is based on environment variables
rather than directory presence.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🌐 Web query:

Claude CLI authentication error messages and login requirements

💡 Result:

Summary — common Claude (Claude Code / claude CLI) authentication errors and what they mean

• "Missing API key · Run /login" — CLI/IDE couldn’t find a stored session or ANTHROPIC_API_KEY; run the interactive /login inside claude or set ANTHROPIC_API_KEY in your environment (export ANTHROPIC_API_KEY=sk-...). [1][2]

• "Invalid API key · Please run /login" — the provided API key is rejected or not accepted by the current auth flow (CLI sometimes expects a session from /login rather than a raw API key); re-check key value, ensure it’s an Anthropic API key, or run /login to authenticate. [2][3]

• Errors about Cloudflare/verification or web-based auth failures — when the browser-based auth flow is blocked (e.g., Cloudflare checks or SSO/browser restrictions) the CLI cannot complete interactive /login; resolve by allowing the browser flow or using an API key if the CLI build supports it. (Users have reported this preventing login.) [3]

• "Please run setup-token" (or instructions referencing setup-token) — some CLI workflows expect a subscription/session-based token; use claude setup-token if your account/subscription supports it, or use ANTHROPIC_API_KEY for direct API access if the CLI version supports it. [1][2]

Quick checklist to fix auth problems

• If automation/non-interactive: export ANTHROPIC_API_KEY with a valid Anthropic API key and retry. [1]
• If interactive CLI/IDE: run /login from within claude to open the browser auth flow and complete sign-in. [1][3]
• If browser flow is blocked: allow the browser auth, disable blocking proxies/Cloudflare checks, or use an API-key-compatible CLI version. [3]
• If errors persist: check ~/.config/claude/config.json for conflicting config and update CLI to the latest release. [1][3]

Sources

1. Anthropic Claude Code quickstart / CLI auth docs. [Anthropic documentation]. [1]
2. Claude CLI docs / integration notes (environment variable ANTHROPIC_API_KEY; setup-token mention). [2]
3. GitHub issue reports describing "Missing API key · Run /login" and Cloudflare/browser auth failures. [3]

Would you like exact command examples for exporting keys, running /login, or checking your config file?

---

🏁 Script executed:

# Find the is_auth_error function and understand pattern usage
rg -A 10 "is_auth_error|AUTH_ERROR_PATTERNS" server/services/process_manager.py

Repository: leonvanzyl/autocoder

Length of output: 1944

---

🏁 Script executed:

# Search for any test files that might show expected error messages
fd -e test.py -e spec.py -o -e "*test*.py" | xargs rg -l "AUTH_ERROR|auth.*error" 2>/dev/null | head -5

Repository: leonvanzyl/autocoder

Length of output: 241

---

🏁 Script executed:

# Look for any claude CLI or authentication-related documentation in the repo
fd -type f \( -name "*.md" -o -name "*.txt" -o -name "*.rst" \) | xargs rg -l "claude.*login|authentication.*error|not.*logged" 2>/dev/null | head -10

Repository: leonvanzyl/autocoder

Length of output: 361

---

Add missing patterns for API key and setup-token errors.

The patterns cover most common authentication errors well, but the web documentation reveals gaps:

1. "Missing API key · Run /login" — The current invalid\s+(token|credential|api.?key) pattern covers "Invalid API key" but misses the "missing" variant. Add pattern: r"missing\s+(api.?key|session)"

2. "Please run setup-token" — Not covered by any current pattern. Add pattern: r"setup.?token"

These additions would ensure more comprehensive coverage of Claude CLI authentication error messages as documented.

🤖 Prompt for AI Agents

In @server/services/process_manager.py around lines 39 - 51, Update the
AUTH_ERROR_PATTERNS list to include two additional regexes to catch missing API
key/session and setup-token messages: add a pattern matching "missing api key"
or "missing session" (e.g., r"missing\s+(api.?key|session)") and a pattern
matching setup-token mentions (e.g., r"setup.?token"); ensure these new patterns
are appended to the AUTH_ERROR_PATTERNS array so functions that scan error
strings (using AUTH_ERROR_PATTERNS) will detect "Missing API key · Run /login"
and "Please run setup-token" cases.

[leonvanzyl]

@mantarayDigital Thank you!