feat(cli): add --no-activate flag to auth login#45
Open
tak848 wants to merge 2 commits intoanthropics:mainfrom
Open
feat(cli): add --no-activate flag to auth login#45tak848 wants to merge 2 commits intoanthropics:mainfrom
tak848 wants to merge 2 commits intoanthropics:mainfrom
Conversation
Allow `ant auth login` to skip writing the logged-in profile to active_config. Default behavior is unchanged. Use case: bootstrapping a profile for an external tool without retargeting the active profile used by Claude Code and Claude Agent SDK consumers, which share the same active_config resolution per the WIF reference. Covered by an end-to-end test (TestAuthLoginNoSetActive) that exercises the active_config write path against the existing token-server harness, including the ANTHROPIC_PROFILE env-source path. No SDK-side change is required.
Match `ant`'s existing `profile activate` verb and the `--no-<verb>` flag pattern used elsewhere in this CLI (e.g. `--no-browser`). The previous name leaked the internal `active_config` filename into the public flag surface; the operation users already think in is "activate". No behavior change. Renames the flag, the corresponding stderr message, and TestAuthLoginNoActivate.
tak848
added a commit
to tak848/ccgate
that referenced
this pull request
May 7, 2026
…5.0+ - README + ja/README: third union branch, profile snippet, active_config caveat, link to upstream PR anthropics/anthropic-cli#45. - docs/api-key-helper + ja: new "Profile-based authentication" section (Quick start, Auto-login bootstrap Beta, env-var migration), updated field table, 401/403 matrix gains a profile column, Recovery checklist gains every profile_load + auto_login error_class label. - docs/configuration + ja: profile credential_source value, profile_load reason row. - defaults.jsonnet (claude / codex): auth example block now lists the profile shape with the [Beta] auto_login variant. - examples/{claude,codex}/ccgate.jsonnet: commented-out profile + Beta variants alongside the existing provider block. All copy is honest about the Beta scope: ccgate does not save / restore active_config in this release; root fix is upstream. Refs #69
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
ant auth login --profile <name>unconditionally writes<name>toactive_config, which is the resolution surface shared between this CLI, the Anthropic Go SDK, Claude Code, and the Claude Agent SDK (WIF reference). Bootstrapping a profile for a separate automation tool therefore silently retargets the active profile used by every other consumer of that surface, with no opt-out today.For comparison, other CLIs handle the "login also activates" question differently:
aws-clidoes not maintain a separate active-profile pointer at all — every command resolves through--profile <name>/AWS_PROFILE, falling back to the literaldefaultprofile.gcloud auth loginactivates the new account by default (same shape asanttoday) but provides--no-activateas an explicit opt-out for users who want to log in without changing the active account.kubectlseparates auth from activation: switching the active context is an explicit kubeconfig operation, canonicallykubectl config use-context <name>.The current default is the right one for single-tool users — most do want the just-logged-in profile to become the new active one — and this PR does not change it. It just adds an opt-out flag, both for users hit by the shared-surface footgun above and for users who prefer to manage activation manually (closer to the aws-style "always pass
--profile" model).Change
Add a
--no-activateflag (defaultfalse) toant auth login. When set,auth loginwritesconfigs/<profile>.jsonandcredentials/<profile>.jsonas usual but does not create or retargetactive_config. When the flag would otherwise have skipped a retarget,auth loginprints→ active profile unchanged (still "<prev>"; --no-activate in effect)to stderr; first-login or no-op cases stay silent.The flag name follows
ant's existingprofile activateverb and the--no-<verb>pattern used by--no-browseron the same command. The patch is one flag plus one AND condition on the existing activation guard — no SDK-side change, no migration.Compatibility
No breaking change. Default behavior with the flag unset is identical to today; the existing
TestAuthLoginActivatesExplicitProfileregression test still passes unchanged.Tests
New
TestAuthLoginNoActivate(3 subtests via the existing mock-token-server harness) covers:--profile B --no-activatewith prioractive_config=AkeepsA; first login with--no-activateleavesactive_configabsent silently;--no-activateis honored when the profile resolves viaANTHROPIC_PROFILE../scripts/testpasses locally.Related future work
A symmetric
ant profile deactivate(or equivalent flag onprofile activate) for clearingactive_configis a natural follow-up —--no-activateis the write-side opt-out, but there is no first-class way to remove an existing pointer today. Out of scope here; happy to file a separate PR if there is interest.Process note
Filing this as a regular PR rather than an issue because GitHub Issues are not enabled on this repo. Happy to redirect to a different channel if there is a preferred path for CLI feature requests.