openclaw
diff --git a/‎CHANGELOG.md‎
Lines changed: 8 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎extensions/anthropic/cli-backend.ts‎
Lines changed: 6 additions & 0 deletions b/‎extensions/anthropic/cli-backend.ts‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎extensions/anthropic/cli-migration.test.ts‎
Lines changed: 166 additions & 0 deletions b/‎extensions/anthropic/cli-migration.test.ts‎
Lines changed: 166 additions & 0 deletions
diff --git a/‎extensions/anthropic/cli-shared.test.ts‎
Lines changed: 71 additions & 1 deletion b/‎extensions/anthropic/cli-shared.test.ts‎
Lines changed: 71 additions & 1 deletion
@@ -141,6 +141,14 @@ Docs: https://docs.openclaw.ai
 - Telegram/reasoning: only create a Telegram reasoning preview lane when the session is explicitly `reasoning:stream`, so hidden `<think>` traces from streamed replies stop surfacing as chat previews on normal sessions. Thanks @vincentkoc.
 - Feishu/reasoning: only expose streamed reasoning previews when the session is explicitly `reasoning:stream`, so hidden reasoning traces do not surface on normal streaming sessions. Thanks @vincentkoc.
 - Providers/OpenAI: support GPT-5.4 assistant `phase` metadata across OpenAI-family Responses replay and the Gateway `/v1/responses` compatibility layer, including `commentary` tool preambles and `final_answer` replies.
+- Models/Anthropic CLI auth: replace migrated `agents.defaults.models` allowlists when `openclaw models auth login --provider anthropic --method cli --set-default` switches to `claude-cli/*`, so stale `anthropic/*` entries do not linger beside the migrated Claude CLI defaults. Thanks @vincentkoc.
+- Plugins/auth-choice: apply provider-owned auth config patches without recursively preserving replaced default-model maps, so Anthropic Claude CLI and similar migrations can intentionally swap model allowlists during onboarding and setup instead of accumulating stale entries. Thanks @vincentkoc.
+- Anthropic CLI onboarding: rewrite migrated fallback model refs during non-interactive Claude CLI setup too, so onboarding and scripted setup no longer keep stale `anthropic/*` fallbacks after switching the primary model to `claude-cli/*`. Thanks @vincentkoc.
+- Agents/Claude CLI: treat malformed bare `--permission-mode` backend overrides as missing and fail safe back to `bypassPermissions`, so custom `cliBackends.claude-cli.args` security config cannot accidentally consume the next flag as a bogus permission mode. Thanks @vincentkoc.
+- Agents/Claude CLI/security: clear inherited Claude Code provider-routing and managed-auth env overrides, and mark OpenClaw-launched Claude CLI runs as host-managed, so Claude CLI backdoor sessions cannot be silently redirected to proxy, Bedrock, Vertex, Foundry, or parent-managed token contexts. Thanks @vincentkoc.
+- Agents/Claude CLI/security: clear inherited Claude Code config-root and plugin-root env overrides like `CLAUDE_CONFIG_DIR` and `CLAUDE_CODE_PLUGIN_*`, so OpenClaw-launched Claude CLI runs cannot be silently pointed at an alternate Claude config/plugin tree with different hooks, plugins, or auth context. Thanks @vincentkoc.
+- Agents/Claude CLI/security: force host-managed Claude CLI backdoor runs to `--setting-sources user`, even under custom backend arg overrides, so repo-local `.claude` project/local settings, hooks, and plugin discovery do not silently execute inside non-interactive OpenClaw sessions. Thanks @vincentkoc.
+- Agents/Claude CLI/images: reuse stable hydrated image file paths and preserve shared media extensions like HEIC when passing image refs to local CLI runs, so Claude CLI image prompts stop thrashing KV cache prefixes and oddball image formats do not fall back to `.bin`. Thanks @vincentkoc.
 
 ## 2026.4.2
 
 
@@ -6,6 +6,7 @@ import {
 import {
   CLAUDE_CLI_BACKEND_ID,
   CLAUDE_CLI_CLEAR_ENV,
+  CLAUDE_CLI_HOST_MANAGED_ENV,
   CLAUDE_CLI_MODEL_ALIASES,
   CLAUDE_CLI_SESSION_ID_FIELDS,
   normalizeClaudeBackendConfig,
@@ -23,6 +24,8 @@ export function buildAnthropicCliBackend(): CliBackendPlugin {
         "stream-json",
         "--include-partial-messages",
         "--verbose",
+        "--setting-sources",
+        "user",
         "--permission-mode",
         "bypassPermissions",
       ],
@@ -32,6 +35,8 @@ export function buildAnthropicCliBackend(): CliBackendPlugin {
         "stream-json",
         "--include-partial-messages",
         "--verbose",
+        "--setting-sources",
+        "user",
         "--permission-mode",
         "bypassPermissions",
         "--resume",
@@ -47,6 +52,7 @@ export function buildAnthropicCliBackend(): CliBackendPlugin {
       systemPromptArg: "--append-system-prompt",
       systemPromptMode: "append",
       systemPromptWhen: "first",
+      env: { ...CLAUDE_CLI_HOST_MANAGED_ENV },
       clearEnv: [...CLAUDE_CLI_CLEAR_ENV],
       reliability: {
         watchdog: {
 
@@ -1,3 +1,7 @@
+import type {
+  ProviderAuthContext,
+  ProviderAuthMethodNonInteractiveContext,
+} from "openclaw/plugin-sdk/plugin-entry";
 import { describe, expect, it, vi } from "vitest";
 
 const { readClaudeCliCredentialsForSetup, readClaudeCliCredentialsForSetupNonInteractive } =
@@ -16,6 +20,67 @@ vi.mock("./cli-auth-seam.js", async (importActual) => {
 });
 
 const { buildAnthropicCliMigrationResult, hasClaudeCliAuth } = await import("./cli-migration.js");
+const { registerSingleProviderPlugin } =
+  await import("../../test/helpers/plugins/plugin-registration.js");
+const { default: anthropicPlugin } = await import("./index.js");
+
+async function resolveAnthropicCliAuthMethod() {
+  const provider = await registerSingleProviderPlugin(anthropicPlugin);
+  const method = provider.auth.find((entry) => entry.id === "cli");
+  if (!method) {
+    throw new Error("anthropic cli auth method missing");
+  }
+  return method;
+}
+
+function createProviderAuthContext(
+  config: ProviderAuthContext["config"] = {},
+): ProviderAuthContext {
+  return {
+    config,
+    opts: {},
+    env: {},
+    agentDir: "/tmp/openclaw/agents/main",
+    workspaceDir: "/tmp/openclaw/workspace",
+    prompter: {
+      confirm: vi.fn(),
+      note: vi.fn(),
+      select: vi.fn(),
+      text: vi.fn(),
+    },
+    runtime: {
+      log: vi.fn(),
+      error: vi.fn(),
+      exit: vi.fn(),
+    },
+    allowSecretRefPrompt: false,
+    isRemote: false,
+    openUrl: vi.fn(),
+    oauth: {
+      createVpsAwareHandlers: vi.fn(),
+    },
+  };
+}
+
+function createProviderAuthMethodNonInteractiveContext(
+  config: ProviderAuthMethodNonInteractiveContext["config"] = {},
+): ProviderAuthMethodNonInteractiveContext {
+  return {
+    authChoice: "anthropic-cli",
+    config,
+    baseConfig: config,
+    opts: {},
+    runtime: {
+      log: vi.fn(),
+      error: vi.fn(),
+      exit: vi.fn(),
+    },
+    agentDir: "/tmp/openclaw/agents/main",
+    workspaceDir: "/tmp/openclaw/workspace",
+    resolveApiKey: vi.fn(async () => null),
+    toApiKeyCredential: vi.fn(() => null),
+  };
+}
 
 describe("anthropic cli migration", () => {
   it("detects local Claude CLI auth", () => {
@@ -95,4 +160,105 @@ describe("anthropic cli migration", () => {
       },
     });
   });
+
+  it("registered cli auth tells users to run claude auth login when local auth is missing", async () => {
+    readClaudeCliCredentialsForSetup.mockReturnValue(null);
+    const method = await resolveAnthropicCliAuthMethod();
+
+    await expect(method.run(createProviderAuthContext())).rejects.toThrow(
+      [
+        "Claude CLI is not authenticated on this host.",
+        "Run claude auth login first, then re-run this setup.",
+      ].join("\n"),
+    );
+  });
+
+  it("registered cli auth returns the same migration result as the builder", async () => {
+    readClaudeCliCredentialsForSetup.mockReturnValue({
+      type: "oauth",
+      provider: "anthropic",
+      access: "access-token",
+      refresh: "refresh-token",
+      expires: Date.now() + 60_000,
+    });
+    const method = await resolveAnthropicCliAuthMethod();
+    const config = {
+      agents: {
+        defaults: {
+          model: {
+            primary: "anthropic/claude-sonnet-4-6",
+            fallbacks: ["anthropic/claude-opus-4-6", "openai/gpt-5.2"],
+          },
+          models: {
+            "anthropic/claude-sonnet-4-6": { alias: "Sonnet" },
+            "anthropic/claude-opus-4-6": { alias: "Opus" },
+            "openai/gpt-5.2": {},
+          },
+        },
+      },
+    };
+
+    await expect(method.run(createProviderAuthContext(config))).resolves.toEqual(
+      buildAnthropicCliMigrationResult(config),
+    );
+  });
+
+  it("registered non-interactive cli auth rewrites anthropic fallbacks before setting the claude-cli default", async () => {
+    readClaudeCliCredentialsForSetupNonInteractive.mockReturnValue({
+      type: "oauth",
+      provider: "anthropic",
+      access: "access-token",
+      refresh: "refresh-token",
+      expires: Date.now() + 60_000,
+    });
+    const method = await resolveAnthropicCliAuthMethod();
+    const config = {
+      agents: {
+        defaults: {
+          model: {
+            primary: "anthropic/claude-sonnet-4-6",
+            fallbacks: ["anthropic/claude-opus-4-6", "openai/gpt-5.2"],
+          },
+          models: {
+            "anthropic/claude-sonnet-4-6": { alias: "Sonnet" },
+            "anthropic/claude-opus-4-6": { alias: "Opus" },
+            "openai/gpt-5.2": {},
+          },
+        },
+      },
+    };
+
+    await expect(
+      method.runNonInteractive?.(createProviderAuthMethodNonInteractiveContext(config)),
+    ).resolves.toMatchObject({
+      agents: {
+        defaults: {
+          model: {
+            primary: "claude-cli/claude-sonnet-4-6",
+            fallbacks: ["claude-cli/claude-opus-4-6", "openai/gpt-5.2"],
+          },
+          models: {
+            "claude-cli/claude-sonnet-4-6": { alias: "Sonnet" },
+            "claude-cli/claude-opus-4-6": { alias: "Opus" },
+            "openai/gpt-5.2": {},
+          },
+        },
+      },
+    });
+  });
+
+  it("registered non-interactive cli auth reports missing local auth and exits cleanly", async () => {
+    readClaudeCliCredentialsForSetupNonInteractive.mockReturnValue(null);
+    const method = await resolveAnthropicCliAuthMethod();
+    const ctx = createProviderAuthMethodNonInteractiveContext();
+
+    await expect(method.runNonInteractive?.(ctx)).resolves.toBeNull();
+    expect(ctx.runtime.error).toHaveBeenCalledWith(
+      [
+        'Auth choice "anthropic-cli" requires Claude CLI auth on this host.',
+        "Run claude auth login first.",
+      ].join("\n"),
+    );
+    expect(ctx.runtime.exit).toHaveBeenCalledWith(1);
+  });
 });
@@ -1,6 +1,12 @@
 import { describe, expect, it } from "vitest";
 import { buildAnthropicCliBackend } from "./cli-backend.js";
-import { normalizeClaudeBackendConfig, normalizeClaudePermissionArgs } from "./cli-shared.js";
+import {
+  CLAUDE_CLI_CLEAR_ENV,
+  CLAUDE_CLI_HOST_MANAGED_ENV,
+  normalizeClaudeBackendConfig,
+  normalizeClaudePermissionArgs,
+  normalizeClaudeSettingSourcesArgs,
+} from "./cli-shared.js";
 
 describe("normalizeClaudePermissionArgs", () => {
   it("injects bypassPermissions when args omit permission flags", () => {
@@ -33,6 +39,43 @@ describe("normalizeClaudePermissionArgs", () => {
       "--permission-mode=acceptEdits",
     ]);
   });
+
+  it("treats a bare permission-mode flag as malformed and falls back to bypassPermissions", () => {
+    expect(
+      normalizeClaudePermissionArgs(["-p", "--permission-mode", "--output-format", "stream-json"]),
+    ).toEqual(["-p", "--output-format", "stream-json", "--permission-mode", "bypassPermissions"]);
+  });
+});
+
+describe("normalizeClaudeSettingSourcesArgs", () => {
+  it("injects user-only setting sources when args omit the flag", () => {
+    expect(
+      normalizeClaudeSettingSourcesArgs(["-p", "--output-format", "stream-json", "--verbose"]),
+    ).toEqual(["-p", "--output-format", "stream-json", "--verbose", "--setting-sources", "user"]);
+  });
+
+  it("forces explicit project or local setting sources back to user-only", () => {
+    expect(normalizeClaudeSettingSourcesArgs(["-p", "--setting-sources", "project"])).toEqual([
+      "-p",
+      "--setting-sources",
+      "user",
+    ]);
+    expect(normalizeClaudeSettingSourcesArgs(["-p", "--setting-sources=local,user"])).toEqual([
+      "-p",
+      "--setting-sources=user",
+    ]);
+  });
+
+  it("treats a bare setting-sources flag as malformed and falls back to user-only", () => {
+    expect(
+      normalizeClaudeSettingSourcesArgs([
+        "-p",
+        "--setting-sources",
+        "--output-format",
+        "stream-json",
+      ]),
+    ).toEqual(["-p", "--output-format", "stream-json", "--setting-sources", "user"]);
+  });
 });
 
 describe("normalizeClaudeBackendConfig", () => {
@@ -48,6 +91,8 @@ describe("normalizeClaudeBackendConfig", () => {
       "--output-format",
       "stream-json",
       "--verbose",
+      "--setting-sources",
+      "user",
       "--permission-mode",
       "bypassPermissions",
     ]);
@@ -58,6 +103,8 @@ describe("normalizeClaudeBackendConfig", () => {
       "--verbose",
       "--resume",
       "{sessionId}",
+      "--setting-sources",
+      "user",
       "--permission-mode",
       "bypassPermissions",
     ]);
@@ -77,7 +124,30 @@ describe("normalizeClaudeBackendConfig", () => {
 
     expect(normalized?.args).toContain("--permission-mode");
     expect(normalized?.args).toContain("bypassPermissions");
+    expect(normalized?.args).toContain("--setting-sources");
+    expect(normalized?.args).toContain("user");
     expect(normalized?.resumeArgs).toContain("--permission-mode");
     expect(normalized?.resumeArgs).toContain("bypassPermissions");
+    expect(normalized?.resumeArgs).toContain("--setting-sources");
+    expect(normalized?.resumeArgs).toContain("user");
+  });
+
+  it("marks claude cli as host-managed, restricts setting sources, and clears inherited env overrides", () => {
+    const backend = buildAnthropicCliBackend();
+
+    expect(backend.config.env).toEqual(CLAUDE_CLI_HOST_MANAGED_ENV);
+    expect(backend.config.args).toContain("--setting-sources");
+    expect(backend.config.args).toContain("user");
+    expect(backend.config.resumeArgs).toContain("--setting-sources");
+    expect(backend.config.resumeArgs).toContain("user");
+    expect(backend.config.clearEnv).toEqual([...CLAUDE_CLI_CLEAR_ENV]);
+    expect(backend.config.clearEnv).toContain("ANTHROPIC_BASE_URL");
+    expect(backend.config.clearEnv).toContain("CLAUDE_CONFIG_DIR");
+    expect(backend.config.clearEnv).toContain("CLAUDE_CODE_USE_BEDROCK");
+    expect(backend.config.clearEnv).toContain("CLAUDE_CODE_OAUTH_TOKEN");
+    expect(backend.config.clearEnv).toContain("CLAUDE_CODE_PLUGIN_CACHE_DIR");
+    expect(backend.config.clearEnv).toContain("CLAUDE_CODE_PLUGIN_SEED_DIR");
+    expect(backend.config.clearEnv).toContain("CLAUDE_CODE_REMOTE");
+    expect(backend.config.clearEnv).toContain("CLAUDE_CODE_USE_COWORK_PLUGINS");
   });
 });