
feature(container): Add claude vertex auth forwarding with GCP credential support #954

Merged
njbrake merged 2 commits into njbrake:main from CharlyRipp:feature/vertex-auto-detect
May 7, 2026

@CharlyRipp (Contributor) commented May 7, 2026

Description

Auto-forward Vertex AI and API provider environment variables into sandboxed containers, and auto-mount GCP Application Default Credentials when Vertex is enabled.

Closes #952

What changed

  1. src/session/environment.rs: New AUTO_FORWARD_API_ENV_VARS constant that auto-forwards ANTHROPIC_API_KEY, ANTHROPIC_VERTEX_PROJECT_ID, ANTHROPIC_VERTEX_REGION, CLAUDE_CODE_USE_VERTEX, and CLOUD_ML_REGION when set on the host. Uses EnvEntry::Inherit (key-only in argv) to keep secrets out of process listings and logs.

  2. src/session/container_config.rs: When CLAUDE_CODE_USE_VERTEX is set, mounts GCP credentials into the container at the well-known ADC path (/root/.config/gcloud/application_default_credentials.json). Supports both GOOGLE_APPLICATION_CREDENTIALS (custom path) and the default ADC location.

  3. src/session/config.rs: Updated default_sandbox_environment() to include the new API vars so they appear in the TUI new-session env list.

How I tested

  • Built with cargo build --release, created a sandboxed session
  • Verified env vars appear inside the container (env | grep ANTHROPIC)
  • Verified ADC file is mounted at the expected path
  • cargo test passes (3 pre-existing container runtime failures unrelated to this change)
  • cargo fmt --check and cargo clippy clean

PR Type

  • New Feature
  • Bug Fix
  • Refactor
  • Documentation
  • Infrastructure / CI

Checklist

  • I understand the code I am submitting
  • New and existing tests pass
  • Documentation was updated where necessary
  • For UI changes: included screenshot or recording

AI Usage

  • No AI was used
  • AI was used for drafting/refactoring
  • This is fully AI-generated

AI Model/Tool used: Claude Code

Any Additional AI Details you'd like to share:
Used Claude for codebase discovery, identifying the right env var names from official docs, edge case review, and code review of the changes. The feature idea, testing, and final decisions are mine.

  • I am an AI Agent filling out this form (check box if true)

@CharlyRipp CharlyRipp marked this pull request as ready for review May 7, 2026 16:59
@CharlyRipp CharlyRipp requested a review from njbrake as a code owner May 7, 2026 16:59
@Seluj78 left a comment

I mean, LGTM but I am not a rust expert :) And I cannot test

Address review feedback before merge:

- Gate the env var auto-forward and GCP cred mount on
  CLAUDE_CODE_USE_VERTEX being set (and non-empty) on the host, so
  non-Vertex users see no behavior change. Empty string is treated as
  unset, matching how the flag is conventionally interpreted.
- Drop ANTHROPIC_API_KEY from the auto-forward list. Vertex auth uses
  GCP credentials, and force-forwarding the API key would change
  behavior for users who have it set on their shell for unrelated
  reasons. Users who want it forwarded can add it to sandbox.environment
  explicitly.
- Gate the GCP cred mount on tool == "claude". CLAUDE_CODE_USE_VERTEX is
  Claude-specific; there is no reason to expose GCP credentials to other
  agents (opencode, codex, etc.) just because the host happens to have
  the flag exported globally.
- Revert the change to default_sandbox_environment(): the runtime
  auto-forward is now the single mechanism, matching the
  DEFAULT_TERMINAL_ENV_VARS precedent. Adding the keys to the
  user-editable list created a fake opt-out (user removes it, still
  forwarded) and was just noise.
- Add unit tests covering the cred mount in container_config: default
  ADC path, custom GOOGLE_APPLICATION_CREDENTIALS, missing flag, missing
  ADC file, non-claude tool, empty flag string.
- Document the auto-detect behavior in docs/guides/sandbox.md.

Rename AUTO_FORWARD_API_ENV_VARS -> AUTO_FORWARD_VERTEX_ENV_VARS to
reflect the narrower scope, and add a host_vertex_enabled() helper used
by both the env collector and the cred mount.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

@njbrake (Owner) commented May 7, 2026

Note: this comment was drafted by Claude via back-and-forth with @njbrake. The reasoning and decisions are his; the prose is Claude's.

Hey @CharlyRipp, thanks for this. Apologies for the unilateral push, but I went ahead and added a refactor commit on top of yours (7adfe5a3) to tighten scope before merge. If anything in here lands wrong with you, happy to revert or rework.

Quick summary of what changed:

  1. Gated everything on CLAUDE_CODE_USE_VERTEX being set (and non-empty) on the host. The env var auto-forward now only runs when Vertex is enabled, so non-Vertex users see no behavior change. Empty string is treated as unset.
  2. Gated the GCP cred mount on tool == "claude". CLAUDE_CODE_USE_VERTEX is Claude-specific, so no reason to expose GCP creds to opencode/codex/cursor sessions even if a user has the flag exported globally.
  3. Reverted the change to default_sandbox_environment(). With (1) in place, the runtime auto-forward is the single mechanism, matching the DEFAULT_TERMINAL_ENV_VARS precedent. Adding the keys to the user-editable list created a confusing fake opt-out (user removes from the list, value still forwarded).
  4. Added unit tests for the cred mount logic in container_config.rs: default ADC, custom GOOGLE_APPLICATION_CREDENTIALS, flag unset, flag empty, non-claude tool, missing ADC file.
  5. Documented the auto-detect in docs/guides/sandbox.md.

The one place I'd value your input before merging: I dropped ANTHROPIC_API_KEY from the auto-forward list. My reasoning is that #952 is Vertex-specific (Vertex auth uses GCP, not the API key), and force-forwarding it would be a behavior change for users who happen to have it on their shell for unrelated reasons. They can still add it explicitly via sandbox.environment. But if you had a specific workflow in mind where both Vertex and the API key need to be in the container together, please push back, I'm happy to put it back.

The other four items are general cleanups I'd have asked for in any review. ANTHROPIC_API_KEY is the judgment call where your perspective matters most.
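
The gating rules from the refactor commit and the comment above, written out as an added Rust example; it is not the project's code. The constant name and `host_vertex_enabled` come from the thread, while `host_env`, `vertex_args`, the docker-style `-e`/`-v` argument shape, the `$HOME`-based default ADC location and the read-only `:ro` mount are assumptions.

```rust
use std::collections::HashMap;

// Final auto-forward list from the thread (ANTHROPIC_API_KEY was dropped).
const AUTO_FORWARD_VERTEX_ENV_VARS: [&str; 4] = [
    "ANTHROPIC_VERTEX_PROJECT_ID", "ANTHROPIC_VERTEX_REGION",
    "CLAUDE_CODE_USE_VERTEX", "CLOUD_ML_REGION",
];
const CONTAINER_ADC: &str = "/root/.config/gcloud/application_default_credentials.json";

// Hypothetical helper: build a host environment map from constructed pairs.
fn host_env(pairs: &[(&str, &str)]) -> HashMap<String, String> {
    pairs.iter().map(|(k, v)| (k.to_string(), v.to_string())).collect()
}

// The flag must be set and non-empty; an empty string counts as unset.
fn host_vertex_enabled(env: &HashMap<String, String>) -> bool {
    env.get("CLAUDE_CODE_USE_VERTEX").map_or(false, |v| !v.is_empty())
}

// Returns docker-style arguments (assumed CLI shape). Variables are passed
// key-only (`-e KEY`) so values stay out of argv; `:ro` is a choice made here.
fn vertex_args(env: &HashMap<String, String>, tool: &str,
               file_exists: impl Fn(&str) -> bool) -> Vec<String> {
    let mut args = Vec::new();
    if !host_vertex_enabled(env) { return args; } // non-Vertex hosts: no change
    for key in AUTO_FORWARD_VERTEX_ENV_VARS.iter() {
        if env.contains_key(*key) {
            args.extend(vec!["-e".to_string(), key.to_string()]);
        }
    }
    if tool != "claude" { return args; } // other agents get no GCP credentials
    // Custom path wins; otherwise the default ADC location under $HOME (assumed).
    let source = match (env.get("GOOGLE_APPLICATION_CREDENTIALS"), env.get("HOME")) {
        (Some(p), _) if !p.is_empty() => p.clone(),
        (_, Some(h)) => format!("{}/.config/gcloud/application_default_credentials.json", h),
        _ => return args,
    };
    if file_exists(&source) {
        args.extend(vec!["-v".to_string(), format!("{}:{}:ro", source, CONTAINER_ADC)]);
    }
    args
}

fn main() {
    // Constructed host environment; the closure stands in for a filesystem check.
    let env = host_env(&[("CLAUDE_CODE_USE_VERTEX", "1"), ("HOME", "/home/dev")]);
    println!("{:?}", vertex_args(&env, "claude", |_| true));
}
```
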

@CharlyRipp (Contributor, Author) commented

Perfect! Exactly things I was curious about and 💯 agree with.
The ANTHROPIC_API_KEY was definitely more forward thinking on other use-cases, outside of vertex.

@njbrake njbrake merged commit 011001d into njbrake:main May 7, 2026
11 checks passed

Development

Successfully merging this pull request may close these issues.

Auto-detect Vertex AI credentials for sandboxed sessions
