claude-wrapper/claude-env.sh at main · aproorg/claude-wrapper · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
#!/usr/bin/env bash
# claude-env.sh — Claude Code environment configuration
# This file is fetched and cached by the thin bootstrap at ~/.config/claude/env.sh
# Edit THIS file to change configuration for all developers.

# ============================================================================
# Configuration
# ============================================================================
LITELLM_BASE_URL="https://litellm.ai.apro.is"
OP_ACCOUNT="aproorg.1password.eu"
OP_ITEM="op://Employee/ai.apro.is litellm"

# Source local overrides (written by install.js)
_CLAUDE_LOCAL_ENV="${XDG_CONFIG_HOME:-$HOME/.config}/claude/local.env"
if [[ -f "$_CLAUDE_LOCAL_ENV" ]]; then
  # shellcheck disable=SC1090
  source "$_CLAUDE_LOCAL_ENV"
fi
unset _CLAUDE_LOCAL_ENV

# Models
CLAUDE_MODEL_OPUS="claude-opus-4-6"
CLAUDE_MODEL_SONNET="sonnet"
CLAUDE_MODEL_HAIKU="haiku"

# ============================================================================
# Project Detection
# ============================================================================
sanitize_name() {
  # Strip anything except alphanumeric, hyphen, underscore, dot; strip leading dots
  local name
  name=$(echo "$1" | tr -cd 'a-zA-Z0-9_.-' | sed 's/^\.*//')
  echo "${name:-unnamed}"
}

detect_project() {
  local raw_name=""

  if [[ -n "${CLAUDE_PROJECT:-}" ]]; then
    raw_name="$CLAUDE_PROJECT"
  else
    # Try git remote name, strip .git suffix
    raw_name=$(git remote get-url origin 2>/dev/null | sed -E 's#.*/##; s#\.git$##' || true)
    [[ -z "$raw_name" ]] && raw_name=$(basename "$PWD")
  fi

  sanitize_name "$raw_name"
}

# ============================================================================
# API Key Management
# ============================================================================
get_api_key() {
  local project="$1"
  local cache_dir="${XDG_CACHE_HOME:-$HOME/.cache}/claude"
  local cache_file="$cache_dir/${project}.key"
  local cache_ttl=43200 # 12 hours

  # Create cache dir with restrictive permissions from the start
  (
    umask 077
    mkdir -p "$cache_dir"
  )

  # Check cache
  if [[ -s "$cache_file" ]]; then
    local cache_age
    cache_age=$(($(date +%s) - $(stat -f %m "$cache_file" 2>/dev/null || stat -c %Y "$cache_file" 2>/dev/null || echo 0)))
    if [[ $cache_age -lt $cache_ttl ]]; then
      [[ "${CLAUDE_DEBUG:-0}" == "1" ]] && echo "key=cached" >&2
      cat "$cache_file"
      return
    fi
  fi

  local key=""

  # Try project-specific field first, then fall back to default
  key=$(op --account "$OP_ACCOUNT" read "${OP_ITEM}/${project}" 2>/dev/null || true)

  # Fall back to default "API Key" field
  if [[ -z "$key" ]]; then
    key=$(op --account "$OP_ACCOUNT" read "${OP_ITEM}/API Key" 2>/dev/null || true)

    if [[ -n "$key" && "${CLAUDE_DEBUG:-0}" == "1" ]]; then
      echo "Note: No key for project '$project', using default" >&2
    fi
  fi

  if [[ -z "$key" ]]; then
    echo "ERROR: Failed to retrieve API key from 1Password" >&2
    return 1
  fi

  # Write cache file with restrictive permissions atomically
  (
    umask 077
    echo "$key" >"$cache_file.tmp.$$" && mv "$cache_file.tmp.$$" "$cache_file"
  )

  [[ "${CLAUDE_DEBUG:-0}" == "1" ]] && echo "key=fetched" >&2
  echo "$key"
}

clear_cache() {
  rm -rf "${XDG_CACHE_HOME:-$HOME/.cache}/claude"/*.key
  rm -f "${XDG_CACHE_HOME:-$HOME/.cache}/claude/env-remote.sh"
  echo "Claude env + API key cache cleared" >&2
}

# ============================================================================
# Main
# ============================================================================

# Handle cache clear command
if [[ "${1:-}" == "--clear-cache" ]]; then
  clear_cache
  return 0 2>/dev/null || exit 0
fi

CLAUDE_PROJECT=$(detect_project)

# Export base configuration
export ANTHROPIC_BASE_URL="${LITELLM_BASE_URL}"
export ANTHROPIC_MODEL="${CLAUDE_MODEL:-$CLAUDE_MODEL_OPUS}"
export ANTHROPIC_SMALL_FAST_MODEL="${CLAUDE_MODEL_HAIKU}"
export CLAUDE_CODE_SUBAGENT_MODEL="${CLAUDE_MODEL_HAIKU}"

# Feature flags
export CLAUDE_CODE_DISABLE_EXPERIMENTAL_BETAS=1
export CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS=1
export CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC=1

# Get API key
if API_KEY=$(get_api_key "$CLAUDE_PROJECT"); then
  export ANTHROPIC_AUTH_TOKEN="$API_KEY"
else
  echo "Warning: Could not retrieve Claude API key" >&2
fi

# Export project for debugging
export CLAUDE_PROJECT

if [[ "${CLAUDE_DEBUG:-0}" == "1" ]]; then
  echo "Claude: project=$CLAUDE_PROJECT base=$LITELLM_BASE_URL model=$ANTHROPIC_MODEL" >&2
fi