Nanoclaw use-native-credential-proxy

Replace OneCLI gateway with the built-in credential proxy. For users who want simple .env-based credential management without installing OneCLI. Reads API key or OAuth token from .env and injects into container API requests.

install

source · Clone the upstream repo

git clone https://github.com/qwibitai/nanoclaw

Claude Code · Install into ~/.claude/skills/

T=$(mktemp -d) && git clone --depth=1 https://github.com/qwibitai/nanoclaw "$T" && mkdir -p ~/.claude/skills && cp -r "$T/.claude/skills/use-native-credential-proxy" ~/.claude/skills/qwibitai-nanoclaw-use-native-credential-proxy && rm -rf "$T"

manifest: .claude/skills/use-native-credential-proxy/SKILL.md

Use Native Credential Proxy

This skill replaces the OneCLI gateway with NanoClaw's built-in credential proxy. Containers get credentials injected via a local HTTP proxy that reads from

.env

— no external services needed.

Phase 1: Pre-flight

Check if already applied

Check if

src/credential-proxy.ts

is imported in

src/index.ts

grep "credential-proxy" src/index.ts

If it shows an import for

startCredentialProxy

, the native proxy is already active. Skip to Phase 3 (Setup).

Check if OneCLI is active

grep "@onecli-sh/sdk" package.json

@onecli-sh/sdk

appears, OneCLI is the active credential provider. Proceed with Phase 2 to replace it.

If neither check matches, you may be on an older version. Run

/update-nanoclaw

first, then retry.

Phase 2: Apply Code Changes

Ensure upstream remote

git remote -v

upstream

is missing, add it:

git remote add upstream https://github.com/qwibitai/nanoclaw.git

Merge the skill branch

git fetch upstream skill/native-credential-proxy
git merge upstream/skill/native-credential-proxy || {
  git checkout --theirs package-lock.json
  git add package-lock.json
  git merge --continue
}

This merges in:

src/credential-proxy.ts

and

src/credential-proxy.test.ts

(the proxy implementation)

Restored credential proxy usage in

src/index.ts

src/container-runner.ts

src/container-runtime.ts

src/config.ts

Removed
```
@onecli-sh/sdk
```
dependency
Restored
```
CREDENTIAL_PROXY_PORT
```
config (default 3001)
Restored platform-aware proxy bind address detection
Reverted setup skill to
```
.env
```
-based credential instructions

If the merge reports conflicts beyond

package-lock.json

, resolve them by reading the conflicted files and understanding the intent of both sides.

Update main group CLAUDE.md

Replace the OneCLI auth reference with the native proxy:

groups/main/CLAUDE.md

, replace:

OneCLI manages credentials (including Anthropic auth) — run
onecli --help
.

with:

The native credential proxy manages credentials (including Anthropic auth) via
.env
— see
src/credential-proxy.ts
.

Validate code changes

npm install
npm run build
npx vitest run src/credential-proxy.test.ts src/container-runner.test.ts

All tests must pass and build must be clean before proceeding.

Phase 3: Setup Credentials

AskUserQuestion: Do you want to use your Claude subscription (Pro/Max) or an Anthropic API key?

Claude subscription (Pro/Max) — description: "Uses your existing Claude Pro or Max subscription. You'll run
```
claude setup-token
```
in another terminal to get your token."
Anthropic API key — description: "Pay-per-use API key from console.anthropic.com."

Subscription path

Tell the user to run

claude setup-token

in another terminal and copy the token it outputs. Do NOT collect the token in chat.

Once they have the token, add it to

.env

# Add to .env (create file if needed)
echo 'CLAUDE_CODE_OAUTH_TOKEN=<token>' >> .env

Note:

ANTHROPIC_AUTH_TOKEN

is also supported as a fallback.

API key path

Tell the user to get an API key from https://console.anthropic.com/settings/keys if they don't have one.

Add it to

.env

echo 'ANTHROPIC_API_KEY=<key>' >> .env

After either path

If the user's response happens to contain a token or key (starts with

sk-ant-

or looks like a token): write it to

.env

on their behalf using the appropriate variable name.

Optional: If the user needs a custom API endpoint, they can add

ANTHROPIC_BASE_URL=<url>

.env

(defaults to

https://api.anthropic.com

Phase 4: Verify

Rebuild and restart:

npm run build

Then restart the service:

macOS:

launchctl kickstart -k gui/$(id -u)/com.nanoclaw

Linux:
```
systemctl --user restart nanoclaw
```
WSL/manual: stop and re-run
```
bash start-nanoclaw.sh
```

Check logs for successful proxy startup:

tail -20 logs/nanoclaw.log | grep "Credential proxy"

Expected:

Credential proxy started

with port and auth mode.

Send a test message in the registered chat to verify the agent responds.
Note: after applying this skill, the OneCLI credential steps in
```
/setup
```
no longer apply.
```
.env
```
is now the credential source.

Troubleshooting

"Credential proxy upstream error" in logs: Check that

.env

has a valid

ANTHROPIC_API_KEY

CLAUDE_CODE_OAUTH_TOKEN

. Verify the API is reachable:

curl -s https://api.anthropic.com/v1/messages -H "x-api-key: test" | head

Port 3001 already in use: Set

CREDENTIAL_PROXY_PORT=<other port>

.env

or as an environment variable.

Container can't reach proxy (Linux): The proxy binds to the

docker0

bridge IP by default. If that interface doesn't exist (e.g. rootless Docker), set

CREDENTIAL_PROXY_HOST=0.0.0.0

as an environment variable.

OAuth token expired (401 errors): Re-run

claude setup-token

in a terminal and update the token in

.env

Removal

To revert to OneCLI gateway:

Find the merge commit:
```
git log --oneline --merges -5
```
Revert it:
```
git revert <merge-commit> -m 1
```
(undoes the skill branch merge, keeps your other changes)
```
npm install
```
(re-adds
```
@onecli-sh/sdk
```
)
```
npm run build
```
Follow
```
/setup
```
step 4 to configure OneCLI credentials

Remove

ANTHROPIC_API_KEY

CLAUDE_CODE_OAUTH_TOKEN

from

.env