fix(auth): stop treating CLAUDE_CODE_OAUTH_TOKEN as Anthropic API key #19260

Closed
alanxchen85 wants to merge 1 commit into NousResearch:main from alanxchen85:fix/windows-oauth-token-interference

@alanxchen85

Summary

  • Remove CLAUDE_CODE_OAUTH_TOKEN from Anthropic provider's api_key_env_vars in auth.py
  • Remove from extra_env_vars in providers.py
  • Remove from auth status fallback in web_server.py

Problem

When Hermes runs alongside Claude Code (common on dev machines), it picks up CLAUDE_CODE_OAUTH_TOKEN and tries to use it for Anthropic API requests. The token is an OAuth token scoped to Claude Code's client ID — the Anthropic API rejects it with HTTP 400. This causes silent auth failures or crash loops.

The token is already blocked from terminal subprocesses (local.py line 53) and marked as implicit in setup.py, but the auth resolver still treats it as a valid API key.

Fix

Remove CLAUDE_CODE_OAUTH_TOKEN from the three places that use it as an Anthropic credential. Users who want Anthropic access in Hermes should set ANTHROPIC_API_KEY explicitly.

Test plan

  • Hermes no longer auto-detects Anthropic as configured when only CLAUDE_CODE_OAUTH_TOKEN is present
  • hermes setup still prompts for Anthropic API key correctly
  • Explicit ANTHROPIC_API_KEY still works as before
  • No regression on machines without Claude Code installed

Fixes #15080

🤖 Generated with Claude Code

CLAUDE_CODE_OAUTH_TOKEN is an OAuth token scoped to Claude Code. When
Hermes runs in the same environment as Claude Code (common on dev
machines), it picks up this token and tries to use it for Anthropic
API requests. The Anthropic API rejects it with HTTP 400 because the
token is bound to Claude Code's OAuth client, not Hermes.

This causes silent auth failures or crash loops when the user has
Claude Code installed but hasn't explicitly configured Anthropic
credentials for Hermes.

Remove CLAUDE_CODE_OAUTH_TOKEN from:
- auth.py: Anthropic provider api_key_env_vars
- providers.py: Anthropic HermesOverlay extra_env_vars
- web_server.py: auth status endpoint fallback

The token is already in the terminal subprocess blocklist (local.py)
and marked as implicit in setup.py, so this completes the separation.
Users who want Anthropic access in Hermes should set ANTHROPIC_API_KEY
explicitly.

Fixes #15080

teknium1 commented May 7, 2026

Thanks for the PR. Closing — picking up CLAUDE_CODE_OAUTH_TOKEN for Anthropic auth is intentional in Hermes. The adapter recognizes cc--prefixed tokens as valid Anthropic OAuth (see _looks_like_anthropic_oauth_token in agent/anthropic_adapter.py:320) and uses the Bearer auth path for them. That's a feature — it lets users who have Claude Code installed use Anthropic through Hermes without re-authenticating.

Your bug report (HTTP 400) suggests the OAuth handling didn't work for your specific scenario — that's worth investigating, but the fix isn't to drop the pickup entirely. Could you file an issue with the exact error body and the token prefix (cc- / eyJ / sk-ant-oat- etc. — don't paste the token itself) so we can see which code path rejected it?

teknium1 closed this May 7, 2026
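
One way to gather what the maintainer asks for above (the token prefix, never the token), as an added example that is not part of this PR or of Hermes. The function names are hypothetical, only the two variables discussed in this thread are inspected, and the sample value is constructed.

```python
import os

# Prefix families named in the maintainer's comment, longest first so a
# longer prefix is never shadowed by a shorter one.
KNOWN_PREFIXES = ("sk-ant-oat-", "cc-", "eyJ")

# Only the variables discussed in this thread (an assumption of this example,
# not Hermes's actual credential lookup list).
ENV_VARS = ("ANTHROPIC_API_KEY", "CLAUDE_CODE_OAUTH_TOKEN")

# Constructed sample environment; the value is not a real token.
SAMPLE_ENV = {"CLAUDE_CODE_OAUTH_TOKEN": "sk-ant-oat-CONSTRUCTED-NOT-A-REAL-TOKEN"}


def describe_credential(value):
    """Return a redacted description: prefix family and length, no secret bytes."""
    if value is None:
        return {"set": False}
    prefix = next((p for p in KNOWN_PREFIXES if value.startswith(p)), "(other)")
    # Length is an extra detail added here; the maintainer asked only for the prefix.
    return {"set": True, "prefix": prefix, "length": len(value)}


def credential_report(env=None):
    """Build a text report that is safe to paste into an issue."""
    env = os.environ if env is None else env
    lines = []
    for name in ENV_VARS:
        info = describe_credential(env.get(name))
        if info["set"]:
            lines.append(f"{name}: prefix={info['prefix']} length={info['length']}")
        else:
            lines.append(f"{name}: not set")
    return "\n".join(lines)


if __name__ == "__main__":
    # Run against the constructed sample; call credential_report() with no
    # argument to inspect the real environment instead.
    print(credential_report(SAMPLE_ENV))
```

An unrecognized value is reported as `(other)` rather than echoing its first characters, so the report cannot leak part of a secret that uses an unexpected format.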
Labels

  • area/auth: Authentication, OAuth, credential pools
  • comp/cli: CLI entry point, hermes_cli/, setup wizard
  • P2: Medium — degraded but workaround exists
  • provider/anthropic: Anthropic native Messages API
  • type/bug: Something isn't working