b9a1fa1b1f
Third-party Anthropic-compat providers (MiniMax, GLM, Kimi, DeepSeek)
all reuse the Anthropic SDK's wire format, which means the claude CLI
and claude-code-sdk read the bearer token from ANTHROPIC_AUTH_TOKEN no
matter which vendor is being talked to. Pre-#244:
* Canvas surfaced the vendor-specific name (MINIMAX_API_KEY, etc.)
to the user — so a user who saved only MINIMAX_API_KEY hit a
silent 401 on first call.
* The boot audit said `MINIMAX_API_KEY=set`, making it look like an
SDK bug rather than a routing gap.
* A user with multiple vendor keys could only run one workspace at a
time because they all fought over the shared ANTHROPIC_AUTH_TOKEN
slot.
Diagnostic-only audit logging shipped earlier (#32) but the actual
routing was never written — task #244 was mismarked complete.
Changes:
* config.yaml: third-party model `required_env` now references the
per-vendor name (MINIMAX_API_KEY, GLM_API_KEY, KIMI_API_KEY,
DEEPSEEK_API_KEY) so canvas asks the user for the right key.
First-party Anthropic models still use ANTHROPIC_AUTH_TOKEN /
CLAUDE_CODE_OAUTH_TOKEN.
* config.yaml: each third-party provider's `auth_env` lists the
vendor name FIRST (priority order) so projection picks the
vendor key over a stale ANTHROPIC_AUTH_TOKEN.
* adapter.py: new `_project_vendor_auth(provider)` helper, called
from `setup()` right after `_resolve_provider`. Idempotent — only
projects when ANTHROPIC_AUTH_TOKEN is unset (operator override
always wins). Logs the projection by NAME, never by VALUE
(mirrors `_audit_auth_env_presence`).
* tests/test_provider_routing.py: 6 new tests pin the contract —
vendor-key-set projects, AUTH_TOKEN-already-set is never
clobbered, first-party providers skip projection, secret value
never leaks into a log record, empty-string vendor env doesn't
trigger projection, and the same routing fires for GLM / Kimi /
DeepSeek.
Mirrors the parallel hermes-side fix from task #249 / hermes PR #38;
keeps the two runtimes' multi-vendor UX in lockstep.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
||
|---|---|---|
| .claude | ||
| .github/workflows | ||
| .molecule-ci/scripts | ||
| runbooks | ||
| scripts | ||
| tests | ||
| __init__.py | ||
| .gitattributes | ||
| .gitignore | ||
| adapter.py | ||
| claude_sdk_executor.py | ||
| CLAUDE.md | ||
| config.yaml | ||
| Dockerfile | ||
| entrypoint.sh | ||
| known-issues.md | ||
| README.md | ||
| requirements.txt | ||
template-claude-code-default
Molecule AI workspace template for the claude-code-default runtime.
Usage
In Molecule AI canvas
Select this template when creating a new workspace — it appears in the template picker automatically.
From a URL (community install)
Paste this URL when creating a workspace:
github://Molecule-AI/template-claude-code-default
Files
config.yaml— workspace configuration (runtime, model, skills, etc.)system-prompt.md— agent system prompt (if present)
Auth paths
| Path | Env var(s) | Where to get the key |
|---|---|---|
| OAuth (Claude Code subscription) | CLAUDE_CODE_OAUTH_TOKEN |
claude login |
| Anthropic API (direct) | ANTHROPIC_API_KEY |
console.anthropic.com |
| Third-party Anthropic-compat (e.g. Xiaomi MiMo pay-as-you-go) | ANTHROPIC_API_KEY (provider's key) |
provider console |
| Xiaomi MiMo Token Plan | ANTHROPIC_API_KEY (Token Plan key), ANTHROPIC_BASE_URL (Token Plan endpoint) |
token-plan dashboard |
For third-party providers, entrypoint.sh rewrites ANTHROPIC_BASE_URL based on the selected MODEL so the claude CLI routes there. Currently auto-routes mimo-* models to https://api.xiaomimimo.com/anthropic (pay-as-you-go). Token Plan users should set ANTHROPIC_BASE_URL=https://token-plan-sgp.xiaomimimo.com/anthropic as a workspace or org-level secret — the shell mapping is the fallback and operator-set values always win. Other Token Plan endpoints (e.g. token-plan-hk.xiaomimimo.com) can be used by setting the secret explicitly.
Schema version
template_schema_version: 1 — compatible with Molecule AI platform v1.x.
License
Business Source License 1.1 — © Molecule AI.