Documentation
¶
Overview ¶
Package wrapper provides secure wrapper script generation for Claude Code execution.
This package handles:
- Temporary authentication directory creation with secure permissions
- Temporary token file writing for secure API key passing
- Cross-platform wrapper script generation (PowerShell for Windows, shell for Unix)
- Argument escaping to prevent command injection
Security:
- Temporary directories use 0700 permissions (owner only)
- Token files use 0600 permissions (owner only)
- Wrapper scripts immediately delete token files after use
- PowerShell argument escaping prevents command injection attacks
- API keys never appear in /proc/<pid>/environ
Thread Safety:
- Temp directory creation uses os.MkdirTemp (thread-safe)
- Not thread-safe for concurrent script generation in same directory
Platform Support:
- Windows: PowerShell (.ps1) scripts with cmd.exe execution
- Unix/Linux/macOS: Shell scripts with sh execution
- Cross-platform argument escaping (platform-specific special characters)
Index ¶
- func CreateTempAuthDir() (string, error)
- func EscapePowerShellArg(arg string) string
- func ExecCommand(name string, arg ...string) *exec.Cmd
- func GenerateWrapperScript(authDir, tokenPath, cliPath string, cliArgs []string, envVarName ...string) (string, bool, error)
- func WriteTempTokenFile(authDir, token string) (string, error)
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func CreateTempAuthDir ¶
CreateTempAuthDir creates a private temporary directory for storing auth files. The directory is created with 0700 permissions (owner only) to ensure security. Returns the path to the temporary directory.
func EscapePowerShellArg ¶
EscapePowerShellArg escapes a string for use as a PowerShell argument. It wraps the argument in single quotes and escapes special characters to prevent command injection. Special characters escaped: backtick, dollar sign, double quote, single quote, ampersand, semicolon, pipe, percent, and common control characters. Note: Some escape sequences like `v (vertical tab) and `f (form feed) are not supported in older PowerShell versions (5.1 and below), so we only escape commonly supported control characters.
func ExecCommand ¶
ExecCommand wraps exec.Command for testability.
func GenerateWrapperScript ¶
func GenerateWrapperScript(authDir, tokenPath, cliPath string, cliArgs []string, envVarName ...string) (string, bool, error)
GenerateWrapperScript creates a temporary script that reads the API key from the token file, sets the specified environment variable, cleans up the token file, and executes the CLI command with the provided arguments. envVarName defaults to "ANTHROPIC_AUTH_TOKEN" if empty. Returns the path to the wrapper script and whether to use shell execution.
func WriteTempTokenFile ¶
WriteTempTokenFile creates a temporary file with the API key content. The file is created with 0600 permissions (owner read/write only) to ensure security. Returns the path to the temporary file.
Types ¶
This section is empty.
Source Files