192 lines
6.7 KiB
TypeScript
192 lines
6.7 KiB
TypeScript
/**
|
|
* Environment variables that control inference routing: which provider to use,
|
|
* which endpoint to hit, and which model IDs to send.
|
|
*
|
|
* When CLAUDE_CODE_PROVIDER_MANAGED_BY_HOST is truthy in the spawn env, these
|
|
* are stripped from settings-sourced env so the host's routing config isn't
|
|
* overridden by a user's ~/.claude/settings.json — e.g. a Bedrock setup for
|
|
* terminal CLI that would break a host that only supports first-party auth.
|
|
*
|
|
* @[MODEL LAUNCH]: New models usually don't need changes here —
|
|
* VERTEX_REGION_CLAUDE_* is prefix-matched. New providers or new routing
|
|
* config vars (endpoint, project, region, auth) do.
|
|
*/
|
|
const PROVIDER_MANAGED_ENV_VARS = new Set([
|
|
// The flag itself — settings can't unset it once the host set it
|
|
'CLAUDE_CODE_PROVIDER_MANAGED_BY_HOST',
|
|
// Provider selection
|
|
'CLAUDE_CODE_USE_BEDROCK',
|
|
'CLAUDE_CODE_USE_VERTEX',
|
|
'CLAUDE_CODE_USE_FOUNDRY',
|
|
// Endpoint config (base URLs, project/resource identifiers)
|
|
'ANTHROPIC_BASE_URL',
|
|
'ANTHROPIC_BEDROCK_BASE_URL',
|
|
'ANTHROPIC_VERTEX_BASE_URL',
|
|
'ANTHROPIC_FOUNDRY_BASE_URL',
|
|
'ANTHROPIC_FOUNDRY_RESOURCE',
|
|
'ANTHROPIC_VERTEX_PROJECT_ID',
|
|
// Region routing (per-model VERTEX_REGION_CLAUDE_* handled by prefix below)
|
|
'CLOUD_ML_REGION',
|
|
// Auth
|
|
'ANTHROPIC_API_KEY',
|
|
'ANTHROPIC_AUTH_TOKEN',
|
|
'CLAUDE_CODE_OAUTH_TOKEN',
|
|
'AWS_BEARER_TOKEN_BEDROCK',
|
|
'ANTHROPIC_FOUNDRY_API_KEY',
|
|
'CLAUDE_CODE_SKIP_BEDROCK_AUTH',
|
|
'CLAUDE_CODE_SKIP_VERTEX_AUTH',
|
|
'CLAUDE_CODE_SKIP_FOUNDRY_AUTH',
|
|
// Model defaults — often set to provider-specific ID formats
|
|
'ANTHROPIC_MODEL',
|
|
'ANTHROPIC_DEFAULT_HAIKU_MODEL',
|
|
'ANTHROPIC_DEFAULT_HAIKU_MODEL_DESCRIPTION',
|
|
'ANTHROPIC_DEFAULT_HAIKU_MODEL_NAME',
|
|
'ANTHROPIC_DEFAULT_HAIKU_MODEL_SUPPORTED_CAPABILITIES',
|
|
'ANTHROPIC_DEFAULT_OPUS_MODEL',
|
|
'ANTHROPIC_DEFAULT_OPUS_MODEL_DESCRIPTION',
|
|
'ANTHROPIC_DEFAULT_OPUS_MODEL_NAME',
|
|
'ANTHROPIC_DEFAULT_OPUS_MODEL_SUPPORTED_CAPABILITIES',
|
|
'ANTHROPIC_DEFAULT_SONNET_MODEL',
|
|
'ANTHROPIC_DEFAULT_SONNET_MODEL_DESCRIPTION',
|
|
'ANTHROPIC_DEFAULT_SONNET_MODEL_NAME',
|
|
'ANTHROPIC_DEFAULT_SONNET_MODEL_SUPPORTED_CAPABILITIES',
|
|
'ANTHROPIC_SMALL_FAST_MODEL',
|
|
'ANTHROPIC_SMALL_FAST_MODEL_AWS_REGION',
|
|
'CLAUDE_CODE_SUBAGENT_MODEL',
|
|
])
|
|
|
|
const PROVIDER_MANAGED_ENV_PREFIXES = [
|
|
// Per-model Vertex region overrides — scales with model releases, so
|
|
// prefix-matched to avoid drift on each launch.
|
|
'VERTEX_REGION_CLAUDE_',
|
|
]
|
|
|
|
export function isProviderManagedEnvVar(key: string): boolean {
|
|
const upper = key.toUpperCase()
|
|
return (
|
|
PROVIDER_MANAGED_ENV_VARS.has(upper) ||
|
|
PROVIDER_MANAGED_ENV_PREFIXES.some(p => upper.startsWith(p))
|
|
)
|
|
}
|
|
|
|
/**
|
|
* Dangerous shell settings that can execute arbitrary shell code
|
|
*/
|
|
export const DANGEROUS_SHELL_SETTINGS = [
|
|
'apiKeyHelper',
|
|
'awsAuthRefresh',
|
|
'awsCredentialExport',
|
|
'gcpAuthRefresh',
|
|
'otelHeadersHelper',
|
|
'statusLine',
|
|
] as const
|
|
|
|
/**
|
|
* Safe environment variables that can be applied before trust dialog.
|
|
* These are Claude Code specific settings that don't pose security risks.
|
|
*
|
|
* IMPORTANT: This is the source of truth for which env vars are safe.
|
|
* Any env var NOT in this list is considered dangerous and will trigger
|
|
* a security dialog when set via remote managed settings.
|
|
*
|
|
* Dangerous env vars (NOT in this list):
|
|
*
|
|
* === REDIRECT TO ATTACKER-CONTROLLED SERVER ===
|
|
* - ANTHROPIC_BASE_URL, ANTHROPIC_BEDROCK_BASE_URL, ANTHROPIC_FOUNDRY_BASE_URL, ANTHROPIC_VERTEX_BASE_URL
|
|
* - HTTP_PROXY, HTTPS_PROXY, NO_PROXY, http_proxy, https_proxy, no_proxy
|
|
* - OTEL_EXPORTER_OTLP_ENDPOINT, OTEL_EXPORTER_OTLP_LOGS_ENDPOINT, OTEL_EXPORTER_OTLP_METRICS_ENDPOINT
|
|
*
|
|
* === TRUST ATTACKER-CONTROLLED SERVER ===
|
|
* - NODE_TLS_REJECT_UNAUTHORIZED
|
|
* - NODE_EXTRA_CA_CERTS
|
|
*
|
|
* === SWITCH TO ATTACKER-CONTROLLED PROJECT ===
|
|
* - ANTHROPIC_FOUNDRY_RESOURCE
|
|
* - ANTHROPIC_API_KEY, ANTHROPIC_AUTH_TOKEN
|
|
* - AWS_BEARER_TOKEN_BEDROCK
|
|
*/
|
|
export const SAFE_ENV_VARS = new Set([
|
|
'ANTHROPIC_CUSTOM_HEADERS',
|
|
'ANTHROPIC_CUSTOM_MODEL_OPTION',
|
|
'ANTHROPIC_CUSTOM_MODEL_OPTION_DESCRIPTION',
|
|
'ANTHROPIC_CUSTOM_MODEL_OPTION_NAME',
|
|
'ANTHROPIC_DEFAULT_HAIKU_MODEL',
|
|
'ANTHROPIC_DEFAULT_HAIKU_MODEL_DESCRIPTION',
|
|
'ANTHROPIC_DEFAULT_HAIKU_MODEL_NAME',
|
|
'ANTHROPIC_DEFAULT_HAIKU_MODEL_SUPPORTED_CAPABILITIES',
|
|
'ANTHROPIC_DEFAULT_OPUS_MODEL',
|
|
'ANTHROPIC_DEFAULT_OPUS_MODEL_DESCRIPTION',
|
|
'ANTHROPIC_DEFAULT_OPUS_MODEL_NAME',
|
|
'ANTHROPIC_DEFAULT_OPUS_MODEL_SUPPORTED_CAPABILITIES',
|
|
'ANTHROPIC_DEFAULT_SONNET_MODEL',
|
|
'ANTHROPIC_DEFAULT_SONNET_MODEL_DESCRIPTION',
|
|
'ANTHROPIC_DEFAULT_SONNET_MODEL_NAME',
|
|
'ANTHROPIC_DEFAULT_SONNET_MODEL_SUPPORTED_CAPABILITIES',
|
|
'ANTHROPIC_FOUNDRY_API_KEY',
|
|
'ANTHROPIC_MODEL',
|
|
'ANTHROPIC_SMALL_FAST_MODEL_AWS_REGION',
|
|
'ANTHROPIC_SMALL_FAST_MODEL',
|
|
'AWS_DEFAULT_REGION',
|
|
'AWS_PROFILE',
|
|
'AWS_REGION',
|
|
'BASH_DEFAULT_TIMEOUT_MS',
|
|
'BASH_MAX_OUTPUT_LENGTH',
|
|
'BASH_MAX_TIMEOUT_MS',
|
|
'CLAUDE_BASH_MAINTAIN_PROJECT_WORKING_DIR',
|
|
'CLAUDE_CODE_API_KEY_HELPER_TTL_MS',
|
|
'CLAUDE_CODE_DISABLE_EXPERIMENTAL_BETAS',
|
|
'CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC',
|
|
'CLAUDE_CODE_DISABLE_TERMINAL_TITLE',
|
|
'CLAUDE_CODE_ENABLE_TELEMETRY',
|
|
'CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS',
|
|
'CLAUDE_CODE_IDE_SKIP_AUTO_INSTALL',
|
|
'CLAUDE_CODE_MAX_OUTPUT_TOKENS',
|
|
'CLAUDE_CODE_SKIP_BEDROCK_AUTH',
|
|
'CLAUDE_CODE_SKIP_FOUNDRY_AUTH',
|
|
'CLAUDE_CODE_SKIP_VERTEX_AUTH',
|
|
'CLAUDE_CODE_SUBAGENT_MODEL',
|
|
'CLAUDE_CODE_USE_BEDROCK',
|
|
'CLAUDE_CODE_USE_FOUNDRY',
|
|
'CLAUDE_CODE_USE_VERTEX',
|
|
'DISABLE_AUTOUPDATER',
|
|
'DISABLE_BUG_COMMAND',
|
|
'DISABLE_COST_WARNINGS',
|
|
'DISABLE_ERROR_REPORTING',
|
|
'DISABLE_FEEDBACK_COMMAND',
|
|
'DISABLE_TELEMETRY',
|
|
'ENABLE_TOOL_SEARCH',
|
|
'MAX_MCP_OUTPUT_TOKENS',
|
|
'MAX_THINKING_TOKENS',
|
|
'MCP_TIMEOUT',
|
|
'MCP_TOOL_TIMEOUT',
|
|
'OTEL_EXPORTER_OTLP_HEADERS',
|
|
'OTEL_EXPORTER_OTLP_LOGS_HEADERS',
|
|
'OTEL_EXPORTER_OTLP_LOGS_PROTOCOL',
|
|
'OTEL_EXPORTER_OTLP_METRICS_CLIENT_CERTIFICATE',
|
|
'OTEL_EXPORTER_OTLP_METRICS_CLIENT_KEY',
|
|
'OTEL_EXPORTER_OTLP_METRICS_HEADERS',
|
|
'OTEL_EXPORTER_OTLP_METRICS_PROTOCOL',
|
|
'OTEL_EXPORTER_OTLP_PROTOCOL',
|
|
'OTEL_EXPORTER_OTLP_TRACES_HEADERS',
|
|
'OTEL_LOG_TOOL_DETAILS',
|
|
'OTEL_LOG_USER_PROMPTS',
|
|
'OTEL_LOGS_EXPORT_INTERVAL',
|
|
'OTEL_LOGS_EXPORTER',
|
|
'OTEL_METRIC_EXPORT_INTERVAL',
|
|
'OTEL_METRICS_EXPORTER',
|
|
'OTEL_METRICS_INCLUDE_ACCOUNT_UUID',
|
|
'OTEL_METRICS_INCLUDE_SESSION_ID',
|
|
'OTEL_METRICS_INCLUDE_VERSION',
|
|
'OTEL_RESOURCE_ATTRIBUTES',
|
|
'USE_BUILTIN_RIPGREP',
|
|
'VERTEX_REGION_CLAUDE_3_5_HAIKU',
|
|
'VERTEX_REGION_CLAUDE_3_5_SONNET',
|
|
'VERTEX_REGION_CLAUDE_3_7_SONNET',
|
|
'VERTEX_REGION_CLAUDE_4_0_OPUS',
|
|
'VERTEX_REGION_CLAUDE_4_0_SONNET',
|
|
'VERTEX_REGION_CLAUDE_4_1_OPUS',
|
|
'VERTEX_REGION_CLAUDE_4_5_SONNET',
|
|
'VERTEX_REGION_CLAUDE_4_6_SONNET',
|
|
'VERTEX_REGION_CLAUDE_HAIKU_4_5',
|
|
])
|