fix(auth): support first-party Anthropic OAuth (#45) thanks @BunsDev

Restores Anthropic OAuth/PKCE behind COVEN_CODE_ANTHROPIC_OAUTH_CLIENT_ID so Coven Code does not become API-key-only while still blocking borrowed Claude Code OAuth tokens.

Verified locally after rebasing on current main:
- rustfmt --edition 2021 --check crates/cli/src/oauth_flow.rs
- cargo test -p claurst-core test_oauth_bearer_token_requires_configured_client_id -- --nocapture
- cargo test -p claurst --no-default-features --bin coven-code oauth_flow -- --nocapture
- cargo check -p claurst-core
- cargo check -p claurst-api
- cargo check -p claurst --no-default-features
- git diff --check origin/main...HEAD
- Runtime auth status smoke: old borrowed Claude.ai bearer token is disabled / loggedIn false
- Runtime auth status smoke: configured first-party bearer token is accepted / loggedIn true

Co-authored-by: Nova <nova@openclaw.ai>

Author: BunsDev

README.md

@@ -103,9 +103,10 @@ export ANTHROPIC_API_KEY=<your-key>
 coven-code
 ```
 
-Or log in via OAuth (Anthropic accounts):
+Or log in via OAuth after configuring a Coven Code OAuth client:
 
 ```bash
+export COVEN_CODE_ANTHROPIC_OAUTH_CLIENT_ID=<registered-client-id>
 coven-code auth login
 ```
 

docs/auth.md

@@ -94,16 +94,15 @@ coven-code --api-key "sk-ant-api03-..." "your prompt"
 Coven Code supports an OAuth 2.0 PKCE flow that authenticates through either
 the Anthropic Console or Claude.ai in your browser.
 
-> **Important:** The OAuth client IDs in Coven Code are registered to Anthropic's
-> official Claude Code CLI application. Anthropic's authorization server may
-> reject or misattribute OAuth requests originating from Coven Code. The API key
-> method is the recommended path for Coven Code users.
->
-> If OAuth login is attempted and fails, use Method 1 (API key) instead.
+> **Important:** Coven Code must not reuse Claude Code's OAuth client ID.
+> Anthropic OAuth requires a client ID registered for Coven Code and supplied
+> through `COVEN_CODE_ANTHROPIC_OAUTH_CLIENT_ID`. Until that first-party client
+> is configured, use Method 1 (API key).
 
-### Claude.ai flow (default)
+### Claude.ai flow
 
 ```bash
+export COVEN_CODE_ANTHROPIC_OAUTH_CLIENT_ID=<registered-client-id>
 coven-code auth login
 ```
 
@@ -125,6 +124,7 @@ API calls.
 ### Console flow (creates an API key)
 
 ```bash
+export COVEN_CODE_ANTHROPIC_OAUTH_CLIENT_ID=<registered-client-id>
 coven-code auth login --console
 ```
 
@@ -204,8 +204,8 @@ providers:
 
 ```bash
 # Add accounts (each login becomes its own profile)
-coven-code auth login                       # Claude.ai (default)
-coven-code auth login --console             # Console / API-key flow
+coven-code auth login                       # Claude.ai, requires COVEN_CODE_ANTHROPIC_OAUTH_CLIENT_ID
+coven-code auth login --console             # Console / API-key flow, requires COVEN_CODE_ANTHROPIC_OAUTH_CLIENT_ID
 coven-code auth login --label work          # name the profile
 coven-code codex login                      # ChatGPT/Codex OAuth
 coven-code codex login --label personal

src-rust/crates/api/src/lib.rs

@@ -549,9 +549,9 @@ pub mod client {
                         model
                     )
                 } else {
-                    "Set ANTHROPIC_API_KEY, or use --provider to select a different provider \
-                     (e.g. --provider openai). Anthropic OAuth login is disabled until Coven Code \
-                     has its own OAuth client.".to_string()
+                    "Set ANTHROPIC_API_KEY, configure COVEN_CODE_ANTHROPIC_OAUTH_CLIENT_ID \
+                     and run `coven-code auth login`, or use --provider to select a different \
+                     provider (e.g. --provider openai).".to_string()
                 };
                 return Err(ClaudeError::Auth(
                     format!("No API key for the selected model. {}", hint)
@@ -653,9 +653,9 @@ pub mod client {
                 } else if model.starts_with("llama") {
                     format!("Model '{}' looks like a Llama model. Use `--provider groq` or `--provider ollama` for local.", model)
                 } else {
-                    "Set ANTHROPIC_API_KEY, or use --provider to select a different provider \
-                     (e.g. --provider openai). Anthropic OAuth login is disabled until Coven Code \
-                     has its own OAuth client.".to_string()
+                    "Set ANTHROPIC_API_KEY, configure COVEN_CODE_ANTHROPIC_OAUTH_CLIENT_ID \
+                     and run `coven-code auth login`, or use --provider to select a different \
+                     provider (e.g. --provider openai).".to_string()
                 };
                 return Err(ClaudeError::Auth(
                     format!("No API key for the selected model. {}", hint)

src-rust/crates/cli/src/main.rs

@@ -864,7 +864,7 @@ async fn main() -> anyhow::Result<()> {
                          - Set GOOGLE_API_KEY for Google Gemini\n\
                          - Set GROQ_API_KEY for Groq (fast, free tier available)\n\
                          - Run `coven-code --provider ollama` for local models (no key needed)\n\
-                         - Anthropic OAuth login is disabled until Coven Code has its own OAuth client"
+                         - Configure COVEN_CODE_ANTHROPIC_OAUTH_CLIENT_ID, then run `coven-code auth login` for first-party Anthropic OAuth"
                     );
                 } else {
                     (String::new(), false)
@@ -3840,13 +3840,11 @@ async fn run_interactive(
                 }
                 "anthropic" => {
                     let tx2 = device_auth_tx.clone();
-                    // Anthropic OAuth requires a registered application.
-                    // Coven Code does not have its own registered OAuth app with Anthropic.
-                    // Users should use an API key from console.anthropic.com instead.
+                    // Anthropic OAuth requires a registered Coven Code application.
                     tokio::spawn(async move {
                         let _ = tx2.send(DeviceAuthEvent::Error(
-                            "Anthropic OAuth requires a registered application.\n\
-                             Use an API key instead: console.anthropic.com/settings/keys".to_string()
+                            "Anthropic OAuth requires COVEN_CODE_ANTHROPIC_OAUTH_CLIENT_ID.\n\
+                             Configure a Coven Code OAuth client, or use an API key for now: console.anthropic.com/settings/keys".to_string()
                         )).await;
                     });
                 }
@@ -4238,7 +4236,7 @@ async fn run_interactive(
 // Called before Cli::parse() so it doesn't conflict with positional `prompt`.
 //
 // Usage:
-//   claude auth login [--console]   — Anthropic OAuth is disabled until Coven Code has its own client
+//   claude auth login [--console]   — Anthropic OAuth with a configured Coven Code client
 //   claude auth logout              — Clear stored credentials
 //   claude auth status [--json]     — Show authentication status
 
@@ -4325,7 +4323,7 @@ async fn handle_auth_command(args: &[String]) -> anyhow::Result<()> {
 
 fn print_auth_usage() {
     eprintln!("Usage: coven-code auth <subcommand>");
-    eprintln!("  login [--console] [--label <name>]   Authenticate (claude.ai by default)");
+    eprintln!("  login [--console] [--label <name>]   Authenticate with a configured Coven Code OAuth client");
     eprintln!("  logout                                Remove the active account's credentials");
     eprintln!("  status [--json]                       Show authentication status");
     eprintln!("  list                                  List all stored Anthropic accounts");
@@ -4651,12 +4649,12 @@ async fn auth_status(json_output: bool) {
                 .filter(|tokens| !tokens.uses_bearer_auth() && tokens.api_key.is_some())
                 .map(|_| "/login managed key".to_string())
         });
-    let usable_oauth_tokens = oauth_tokens
-        .as_ref()
-        .filter(|tokens| !tokens.uses_bearer_auth());
+    let usable_oauth_tokens = oauth_tokens.as_ref().filter(|tokens| {
+        !tokens.uses_bearer_auth() || tokens.uses_configured_oauth_client()
+    });
     let disabled_bearer_token = oauth_tokens
         .as_ref()
-        .is_some_and(|tokens| tokens.uses_bearer_auth());
+        .is_some_and(|tokens| tokens.uses_bearer_auth() && !tokens.uses_configured_oauth_client());
     let token_source = usable_oauth_tokens.map(|tokens| {
         if tokens.uses_bearer_auth() {
             "claude.ai".to_string()
@@ -4739,9 +4737,9 @@ async fn auth_status(json_output: bool) {
         if !logged_in {
             let hint = if active_provider == "anthropic" {
                 if disabled_bearer_token {
-                    "Stored claude.ai OAuth tokens are disabled; set ANTHROPIC_API_KEY.".to_string()
+                    "Stored claude.ai OAuth tokens were minted by an unsupported client; configure COVEN_CODE_ANTHROPIC_OAUTH_CLIENT_ID and run `coven-code auth login`, or set ANTHROPIC_API_KEY for now.".to_string()
                 } else {
-                    "Set ANTHROPIC_API_KEY.".to_string()
+                    "Set ANTHROPIC_API_KEY, or configure COVEN_CODE_ANTHROPIC_OAUTH_CLIENT_ID and run `coven-code auth login`.".to_string()
                 }
             } else if let Some(env_var) =
                 claurst_core::config::primary_api_key_env_var_for_provider(active_provider)