feat: update Claude Code authentication wrapper and increase sync interval while removing Gemini debug logs

.env.example

@@ -45,8 +45,19 @@ PAPERCLIP_DEPLOYMENT_MODE=authenticated
 # Paperclip Agent Providers (varies by setup)
 # ============================================================================
 
-# If using Claude as an agent provider
-ANTHROPIC_API_KEY=sk-ant-xxxxxxxxxxxxxxxxxxxxxxxxxxxx
+# Claude Code — choose one mode or neither:
+#
+# Subscription mode (Claude Pro/Max — no per-token cost):
+#   1. Run `claude login` locally to authenticate once
+#   2. Copy the token from ~/.claude/.credentials.json
+#   3. Paste it here (takes priority over API key if both are set)
+# ANTHROPIC_AUTH_TOKEN=your-oauth-token-from-credentials-json
+#
+# API key mode (pay-per-use):
+# ANTHROPIC_API_KEY=sk-ant-xxxxxxxxxxxxxxxxxxxxxxxxxxxx
+#
+# Neither set → Claude Code uses stored OAuth credentials from ~/.claude/
+#               (requires first-time login inside the container)
 
 # For other LLM providers (OpenAI, etc.)
 # LLM_API_KEY=your-api-key

Dockerfile

@@ -57,17 +57,30 @@ RUN npm init -y && npm install express@4 cors morgan
 # Install agent CLIs globally
 RUN npm install -g @google/gemini-cli @anthropic-ai/claude-code @openai/codex
 
-# Wrap agent CLIs so they:
-# 1. Drop cloudflare-proxy.js NODE_OPTIONS (would conflict with their HTTP)
-# 2. Pre-set --max-old-space-size=4096 so gemini doesn't trigger heap-size
-#    self-relaunch (the spawn fails in HF Spaces containers)
-RUN for cmd in claude codex; do \
-        if [ -e /usr/local/bin/$cmd ]; then \
-            mv /usr/local/bin/$cmd /usr/local/bin/${cmd}-real && \
-            printf '#!/bin/sh\nunset NODE_OPTIONS\nexport NODE_OPTIONS="--max-old-space-size=4096 --no-deprecation --no-warnings"\nexec /usr/local/bin/%s-real "$@"\n' "$cmd" > /usr/local/bin/$cmd && \
-            chmod +x /usr/local/bin/$cmd; \
-        fi; \
-    done
+# Claude Code wrapper — auth mode selection:
+#   ANTHROPIC_AUTH_TOKEN set → subscription mode (OAuth token, takes priority)
+#   ANTHROPIC_API_KEY set    → API key mode
+#   Neither set              → uses stored OAuth credentials in ~/.claude/
+# If both are set, subscription token wins: unset API key to avoid conflict.
+# Also drops cloudflare NODE_OPTIONS and caps heap size.
+RUN if [ -e /usr/local/bin/claude ]; then \
+    mv /usr/local/bin/claude /usr/local/bin/claude-real && \
+    { \
+      echo '#!/bin/sh'; \
+      echo 'unset NODE_OPTIONS'; \
+      echo '[ -n "$ANTHROPIC_AUTH_TOKEN" ] && unset ANTHROPIC_API_KEY'; \
+      echo 'export NODE_OPTIONS="--max-old-space-size=4096 --no-deprecation --no-warnings"'; \
+      echo 'exec /usr/local/bin/claude-real "$@"'; \
+    } > /usr/local/bin/claude && \
+    chmod +x /usr/local/bin/claude; \
+fi
+
+# Codex wrapper — drops cloudflare NODE_OPTIONS, caps heap size
+RUN if [ -e /usr/local/bin/codex ]; then \
+    mv /usr/local/bin/codex /usr/local/bin/codex-real && \
+    printf '#!/bin/sh\nunset NODE_OPTIONS\nexport NODE_OPTIONS="--max-old-space-size=4096 --no-deprecation --no-warnings"\nexec /usr/local/bin/codex-real "$@"\n' > /usr/local/bin/codex && \
+    chmod +x /usr/local/bin/codex; \
+fi
 
 # Gemini wrapper — fix for "Failed to relaunch the CLI process":
 #
@@ -86,10 +99,6 @@ RUN for cmd in claude codex; do \
 RUN mv /usr/local/bin/gemini /usr/local/bin/gemini-real && \
     { \
       echo '#!/bin/sh'; \
-      echo '# Log invocation so we can see what env Paperclip actually passes'; \
-      echo 'echo "=== gemini wrapper $(date) args: $@ ===" >> /tmp/gemini-wrapper.log'; \
-      echo 'env | sort >> /tmp/gemini-wrapper.log'; \
-      echo ''; \
       echo 'unset NODE_OPTIONS'; \
       echo 'export NODE_OPTIONS="--max-old-space-size=4096 --no-deprecation --no-warnings"'; \
       echo 'export GEMINI_CLI_NO_RELAUNCH=1'; \
@@ -100,8 +109,7 @@ RUN mv /usr/local/bin/gemini /usr/local/bin/gemini-real && \
       echo 'export SANDBOX=1'; \
       echo 'exec /usr/local/bin/gemini-real "$@"'; \
     } > /usr/local/bin/gemini && \
-    chmod +x /usr/local/bin/gemini && \
-    echo "=== gemini wrapper ===" && cat /usr/local/bin/gemini
+    chmod +x /usr/local/bin/gemini
 
 # Install Python dependencies for sync
 RUN pip install --no-cache-dir --break-system-packages huggingface_hub PyYAML

health-server.js

@@ -10,7 +10,7 @@ const PAPERCLIP_PORT = 3100;
 const startTime = Date.now();
 
 const HF_BACKUP_ENABLED = !!process.env.HF_TOKEN;
-const SYNC_INTERVAL = process.env.SYNC_INTERVAL || "180";
+const SYNC_INTERVAL = process.env.SYNC_INTERVAL || "86400";
 
 const UPTIMEROBOT_SETUP_ENABLED =
   String(process.env.UPTIMEROBOT_SETUP_ENABLED || "true").toLowerCase() === "true";
@@ -36,8 +36,7 @@ function isLocalRoute(pathname) {
   return (
     pathname === "/health" ||
     pathname === "/status" ||
-    pathname === "/uptimerobot/setup" ||
-    pathname === "/debug/gemini-log"
+    pathname === "/uptimerobot/setup"
   );
 }
 
@@ -804,19 +803,6 @@ const server = http.createServer((req, res) => {
     return;
   }
 
-  // ── Gemini wrapper debug log ──────────────────────────────────────────────
-  if (pathname === "/debug/gemini-log") {
-    try {
-      const log = fs.readFileSync("/tmp/gemini-wrapper.log", "utf8");
-      res.writeHead(200, { "Content-Type": "text/plain" });
-      res.end(log);
-    } catch {
-      res.writeHead(200, { "Content-Type": "text/plain" });
-      res.end("No log yet — click 'Test now' on the Gemini adapter first.\n");
-    }
-    return;
-  }
-
   // ── UptimeRobot setup endpoint ─────────────────────────────────────────────
   if (pathname === "/uptimerobot/setup") {
     if (req.method !== "POST") {

start.sh

@@ -35,8 +35,12 @@ export PAPERCLIP_ALLOWED_HOSTNAMES="${PAPERCLIP_ALLOWED_HOSTNAMES:-${_ALLOWED}}"
 
 # LLM API keys
 export GEMINI_API_KEY="${GEMINI_API_KEY:-}"
-export ANTHROPIC_API_KEY="${ANTHROPIC_API_KEY:-}"
 export OPENAI_API_KEY="${OPENAI_API_KEY:-}"
+# Anthropic/Claude Code — set one or neither:
+#   ANTHROPIC_AUTH_TOKEN : subscription mode (OAuth token from ~/.claude/.credentials.json)
+#   ANTHROPIC_API_KEY    : API key mode (sk-ant-...)
+export ANTHROPIC_AUTH_TOKEN="${ANTHROPIC_AUTH_TOKEN:-}"
+export ANTHROPIC_API_KEY="${ANTHROPIC_API_KEY:-}"
 
 mkdir -p "${PAPERCLIP_HOME}"
 
@@ -64,9 +68,9 @@ if [ -z "${PAPERCLIP_AGENT_JWT_SECRET:-}" ]; then
 fi
 
 # ── Validate LLM providers ───────────────────────────────────────────────────
-if [ -z "${GEMINI_API_KEY:-}" ] && [ -z "${ANTHROPIC_API_KEY:-}" ] && [ -z "${OPENAI_API_KEY:-}" ]; then
+if [ -z "${GEMINI_API_KEY:-}" ] && [ -z "${ANTHROPIC_API_KEY:-}" ] && [ -z "${ANTHROPIC_AUTH_TOKEN:-}" ] && [ -z "${OPENAI_API_KEY:-}" ]; then
     echo "⚠️  WARNING: No LLM provider configured"
-    echo "   Set at least one of: GEMINI_API_KEY, ANTHROPIC_API_KEY, OPENAI_API_KEY"
+    echo "   Set at least one of: GEMINI_API_KEY, ANTHROPIC_API_KEY, ANTHROPIC_AUTH_TOKEN, OPENAI_API_KEY"
     echo "   Agents will fail to run without an LLM provider"
     echo ""
 fi
@@ -288,6 +292,18 @@ cleanup() {
 }
 trap cleanup SIGTERM SIGINT
 
+# ── Codex API key config ─────────────────────────────────────────────────────
+# Codex default auth mode is "chatgpt" (OAuth). Setting forced_login_method="api"
+# makes it read OPENAI_API_KEY from env instead of prompting for browser login.
+if [ -n "${OPENAI_API_KEY:-}" ]; then
+    mkdir -p /home/paperclip/.codex
+    cat > /home/paperclip/.codex/config.toml <<'TOMLEOF'
+forced_login_method = "api"
+TOMLEOF
+    chmod 600 /home/paperclip/.codex/config.toml
+    chown -R paperclip:paperclip /home/paperclip/.codex
+fi
+
 # ── Ensure paperclip user owns runtime dirs ──────────────────────────────────
 chown -R paperclip:paperclip /app /paperclip 2>/dev/null || true