Cradicle Explorer
42aea1cf94e7dc890036c131
/ utils / managedEnvConstants.ts
managedEnvConstants.ts
  1  /**
  2   * Environment variables that control inference routing: which provider to use,
  3   * which endpoint to hit, and which model IDs to send.
  4   *
  5   * When CLAUDE_CODE_PROVIDER_MANAGED_BY_HOST is truthy in the spawn env, these
  6   * are stripped from settings-sourced env so the host's routing config isn't
  7   * overridden by a user's ~/.claude/settings.json — e.g. a Bedrock setup for
  8   * terminal CLI that would break a host that only supports first-party auth.
  9   *
 10   * @[MODEL LAUNCH]: New models usually don't need changes here —
 11   * VERTEX_REGION_CLAUDE_* is prefix-matched. New providers or new routing
 12   * config vars (endpoint, project, region, auth) do.
 13   */
 14  const PROVIDER_MANAGED_ENV_VARS = new Set([
 15    // The flag itself — settings can't unset it once the host set it
 16    'CLAUDE_CODE_PROVIDER_MANAGED_BY_HOST',
 17    // Provider selection
 18    'CLAUDE_CODE_USE_BEDROCK',
 19    'CLAUDE_CODE_USE_VERTEX',
 20    'CLAUDE_CODE_USE_FOUNDRY',
 21    // Endpoint config (base URLs, project/resource identifiers)
 22    'ANTHROPIC_BASE_URL',
 23    'ANTHROPIC_BEDROCK_BASE_URL',
 24    'ANTHROPIC_VERTEX_BASE_URL',
 25    'ANTHROPIC_FOUNDRY_BASE_URL',
 26    'ANTHROPIC_FOUNDRY_RESOURCE',
 27    'ANTHROPIC_VERTEX_PROJECT_ID',
 28    // Region routing (per-model VERTEX_REGION_CLAUDE_* handled by prefix below)
 29    'CLOUD_ML_REGION',
 30    // Auth
 31    'ANTHROPIC_API_KEY',
 32    'ANTHROPIC_AUTH_TOKEN',
 33    'CLAUDE_CODE_OAUTH_TOKEN',
 34    'AWS_BEARER_TOKEN_BEDROCK',
 35    'ANTHROPIC_FOUNDRY_API_KEY',
 36    'CLAUDE_CODE_SKIP_BEDROCK_AUTH',
 37    'CLAUDE_CODE_SKIP_VERTEX_AUTH',
 38    'CLAUDE_CODE_SKIP_FOUNDRY_AUTH',
 39    // Model defaults — often set to provider-specific ID formats
 40    'ANTHROPIC_MODEL',
 41    'ANTHROPIC_DEFAULT_HAIKU_MODEL',
 42    'ANTHROPIC_DEFAULT_HAIKU_MODEL_DESCRIPTION',
 43    'ANTHROPIC_DEFAULT_HAIKU_MODEL_NAME',
 44    'ANTHROPIC_DEFAULT_HAIKU_MODEL_SUPPORTED_CAPABILITIES',
 45    'ANTHROPIC_DEFAULT_OPUS_MODEL',
 46    'ANTHROPIC_DEFAULT_OPUS_MODEL_DESCRIPTION',
 47    'ANTHROPIC_DEFAULT_OPUS_MODEL_NAME',
 48    'ANTHROPIC_DEFAULT_OPUS_MODEL_SUPPORTED_CAPABILITIES',
 49    'ANTHROPIC_DEFAULT_SONNET_MODEL',
 50    'ANTHROPIC_DEFAULT_SONNET_MODEL_DESCRIPTION',
 51    'ANTHROPIC_DEFAULT_SONNET_MODEL_NAME',
 52    'ANTHROPIC_DEFAULT_SONNET_MODEL_SUPPORTED_CAPABILITIES',
 53    'ANTHROPIC_SMALL_FAST_MODEL',
 54    'ANTHROPIC_SMALL_FAST_MODEL_AWS_REGION',
 55    'CLAUDE_CODE_SUBAGENT_MODEL',
 56  ])
 57  
 58  const PROVIDER_MANAGED_ENV_PREFIXES = [
 59    // Per-model Vertex region overrides — scales with model releases, so
 60    // prefix-matched to avoid drift on each launch.
 61    'VERTEX_REGION_CLAUDE_',
 62  ]
 63  
 64  export function isProviderManagedEnvVar(key: string): boolean {
 65    const upper = key.toUpperCase()
 66    return (
 67      PROVIDER_MANAGED_ENV_VARS.has(upper) ||
 68      PROVIDER_MANAGED_ENV_PREFIXES.some(p => upper.startsWith(p))
 69    )
 70  }
 71  
 72  /**
 73   * Dangerous shell settings that can execute arbitrary shell code
 74   */
 75  export const DANGEROUS_SHELL_SETTINGS = [
 76    'apiKeyHelper',
 77    'awsAuthRefresh',
 78    'awsCredentialExport',
 79    'gcpAuthRefresh',
 80    'otelHeadersHelper',
 81    'statusLine',
 82  ] as const
 83  
 84  /**
 85   * Safe environment variables that can be applied before trust dialog.
 86   * These are Claude Code specific settings that don't pose security risks.
 87   *
 88   * IMPORTANT: This is the source of truth for which env vars are safe.
 89   * Any env var NOT in this list is considered dangerous and will trigger
 90   * a security dialog when set via remote managed settings.
 91   *
 92   * Dangerous env vars (NOT in this list):
 93   *
 94   * === REDIRECT TO ATTACKER-CONTROLLED SERVER ===
 95   * - ANTHROPIC_BASE_URL, ANTHROPIC_BEDROCK_BASE_URL, ANTHROPIC_FOUNDRY_BASE_URL, ANTHROPIC_VERTEX_BASE_URL
 96   * - HTTP_PROXY, HTTPS_PROXY, NO_PROXY, http_proxy, https_proxy, no_proxy
 97   * - OTEL_EXPORTER_OTLP_ENDPOINT, OTEL_EXPORTER_OTLP_LOGS_ENDPOINT, OTEL_EXPORTER_OTLP_METRICS_ENDPOINT
 98   *
 99   * === TRUST ATTACKER-CONTROLLED SERVER ===
100   * - NODE_TLS_REJECT_UNAUTHORIZED
101   * - NODE_EXTRA_CA_CERTS
102   *
103   * === SWITCH TO ATTACKER-CONTROLLED PROJECT ===
104   * - ANTHROPIC_FOUNDRY_RESOURCE
105   * - ANTHROPIC_API_KEY, ANTHROPIC_AUTH_TOKEN
106   * - AWS_BEARER_TOKEN_BEDROCK
107   */
108  export const SAFE_ENV_VARS = new Set([
109    'ANTHROPIC_CUSTOM_HEADERS',
110    'ANTHROPIC_CUSTOM_MODEL_OPTION',
111    'ANTHROPIC_CUSTOM_MODEL_OPTION_DESCRIPTION',
112    'ANTHROPIC_CUSTOM_MODEL_OPTION_NAME',
113    'ANTHROPIC_DEFAULT_HAIKU_MODEL',
114    'ANTHROPIC_DEFAULT_HAIKU_MODEL_DESCRIPTION',
115    'ANTHROPIC_DEFAULT_HAIKU_MODEL_NAME',
116    'ANTHROPIC_DEFAULT_HAIKU_MODEL_SUPPORTED_CAPABILITIES',
117    'ANTHROPIC_DEFAULT_OPUS_MODEL',
118    'ANTHROPIC_DEFAULT_OPUS_MODEL_DESCRIPTION',
119    'ANTHROPIC_DEFAULT_OPUS_MODEL_NAME',
120    'ANTHROPIC_DEFAULT_OPUS_MODEL_SUPPORTED_CAPABILITIES',
121    'ANTHROPIC_DEFAULT_SONNET_MODEL',
122    'ANTHROPIC_DEFAULT_SONNET_MODEL_DESCRIPTION',
123    'ANTHROPIC_DEFAULT_SONNET_MODEL_NAME',
124    'ANTHROPIC_DEFAULT_SONNET_MODEL_SUPPORTED_CAPABILITIES',
125    'ANTHROPIC_FOUNDRY_API_KEY',
126    'ANTHROPIC_MODEL',
127    'ANTHROPIC_SMALL_FAST_MODEL_AWS_REGION',
128    'ANTHROPIC_SMALL_FAST_MODEL',
129    'AWS_DEFAULT_REGION',
130    'AWS_PROFILE',
131    'AWS_REGION',
132    'BASH_DEFAULT_TIMEOUT_MS',
133    'BASH_MAX_OUTPUT_LENGTH',
134    'BASH_MAX_TIMEOUT_MS',
135    'CLAUDE_BASH_MAINTAIN_PROJECT_WORKING_DIR',
136    'CLAUDE_CODE_API_KEY_HELPER_TTL_MS',
137    'CLAUDE_CODE_DISABLE_EXPERIMENTAL_BETAS',
138    'CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC',
139    'CLAUDE_CODE_DISABLE_TERMINAL_TITLE',
140    'CLAUDE_CODE_ENABLE_TELEMETRY',
141    'CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS',
142    'CLAUDE_CODE_IDE_SKIP_AUTO_INSTALL',
143    'CLAUDE_CODE_MAX_OUTPUT_TOKENS',
144    'CLAUDE_CODE_SKIP_BEDROCK_AUTH',
145    'CLAUDE_CODE_SKIP_FOUNDRY_AUTH',
146    'CLAUDE_CODE_SKIP_VERTEX_AUTH',
147    'CLAUDE_CODE_SUBAGENT_MODEL',
148    'CLAUDE_CODE_USE_BEDROCK',
149    'CLAUDE_CODE_USE_FOUNDRY',
150    'CLAUDE_CODE_USE_VERTEX',
151    'DISABLE_AUTOUPDATER',
152    'DISABLE_BUG_COMMAND',
153    'DISABLE_COST_WARNINGS',
154    'DISABLE_ERROR_REPORTING',
155    'DISABLE_FEEDBACK_COMMAND',
156    'DISABLE_TELEMETRY',
157    'ENABLE_TOOL_SEARCH',
158    'MAX_MCP_OUTPUT_TOKENS',
159    'MAX_THINKING_TOKENS',
160    'MCP_TIMEOUT',
161    'MCP_TOOL_TIMEOUT',
162    'OTEL_EXPORTER_OTLP_HEADERS',
163    'OTEL_EXPORTER_OTLP_LOGS_HEADERS',
164    'OTEL_EXPORTER_OTLP_LOGS_PROTOCOL',
165    'OTEL_EXPORTER_OTLP_METRICS_CLIENT_CERTIFICATE',
166    'OTEL_EXPORTER_OTLP_METRICS_CLIENT_KEY',
167    'OTEL_EXPORTER_OTLP_METRICS_HEADERS',
168    'OTEL_EXPORTER_OTLP_METRICS_PROTOCOL',
169    'OTEL_EXPORTER_OTLP_PROTOCOL',
170    'OTEL_EXPORTER_OTLP_TRACES_HEADERS',
171    'OTEL_LOG_TOOL_DETAILS',
172    'OTEL_LOG_USER_PROMPTS',
173    'OTEL_LOGS_EXPORT_INTERVAL',
174    'OTEL_LOGS_EXPORTER',
175    'OTEL_METRIC_EXPORT_INTERVAL',
176    'OTEL_METRICS_EXPORTER',
177    'OTEL_METRICS_INCLUDE_ACCOUNT_UUID',
178    'OTEL_METRICS_INCLUDE_SESSION_ID',
179    'OTEL_METRICS_INCLUDE_VERSION',
180    'OTEL_RESOURCE_ATTRIBUTES',
181    'USE_BUILTIN_RIPGREP',
182    'VERTEX_REGION_CLAUDE_3_5_HAIKU',
183    'VERTEX_REGION_CLAUDE_3_5_SONNET',
184    'VERTEX_REGION_CLAUDE_3_7_SONNET',
185    'VERTEX_REGION_CLAUDE_4_0_OPUS',
186    'VERTEX_REGION_CLAUDE_4_0_SONNET',
187    'VERTEX_REGION_CLAUDE_4_1_OPUS',
188    'VERTEX_REGION_CLAUDE_4_5_SONNET',
189    'VERTEX_REGION_CLAUDE_4_6_SONNET',
190    'VERTEX_REGION_CLAUDE_HAIKU_4_5',
191  ])