feat(claude): route Claude Code through proxy via <model>@<base_url> (#652)

## Summary
- Add `<model>@<base_url>` spec parsing for the `claude-code` agent; when a proxy URL is present, pin all tier aliases (Opus/Sonnet/Haiku/subagent) to the given model via env.
- Strip inherited `ANTHROPIC_*` / `CLAUDECODE` / `CLAUDE_CODE_SUBAGENT_MODEL` from the child env so roborev owns routing; forward configured `ANTHROPIC_API_KEY` as `ANTHROPIC_AUTH_TOKEN` in proxy mode (fallback placeholder otherwise).
- Reject proxy-only specs (`@http://...`) with a clear error; README documents the feature and the credentials-in-URL caveat.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Chris K Wensel <cwensel@users.noreply.github.com>

Author: cwensel

README.md

@@ -187,6 +187,46 @@ See [configuration guide](https://roborev.io/configuration/) for all options.
 
 roborev auto-detects installed agents.
 
+### Routing Claude Code to a proxy (Ollama, LiteLLM, etc.)
+
+The `claude-code` agent accepts a model spec of the form `<model>@<base_url>`.
+When `<base_url>` starts with `http(s)://`, roborev points Claude Code at
+that endpoint and pins all tier aliases (Opus/Sonnet/Haiku/subagent) to the
+given model.
+
+```toml
+# .roborev.toml — local Ollama for reviews, real Anthropic for fixes
+agent = "claude-code"
+review_model = "glm-5.1:cloud@http://127.0.0.1:11434"
+fix_model    = "sonnet"
+```
+
+Or via CLI: `roborev review --model 'glm-5.1:cloud@http://127.0.0.1:11434'`.
+
+**Proxy auth.** Set `ROBOREV_CLAUDE_PROXY_TOKEN` to forward a bearer token
+to the proxy as `ANTHROPIC_AUTH_TOKEN`. If unset, roborev sends a placeholder
+(sufficient for gateways that don't check the header, such as Ollama).
+roborev does *not* forward `ANTHROPIC_API_KEY` to proxy endpoints — that
+would leak a real Anthropic credential to arbitrary third parties.
+
+**URL restrictions.** Proxy URLs must not embed `user:pass@` credentials
+(use `ROBOREV_CLAUDE_PROXY_TOKEN`); `http://` is only accepted for loopback
+hosts (`127.0.0.1`, `::1`, `localhost`) so plaintext endpoints can't receive
+tokens over the wire. Use `https://` for remote proxies. The full URL
+(including any path or query string) is forwarded as-is to
+`ANTHROPIC_BASE_URL`, so include the path your gateway expects (e.g.
+LiteLLM may want a trailing `/v1`; Ollama wants no path).
+
+**Environment behavior (breaking change in this release).** When the
+`claude-code` agent runs, roborev always strips inherited `ANTHROPIC_API_KEY`,
+`ANTHROPIC_BASE_URL`, `ANTHROPIC_AUTH_TOKEN`,
+`ANTHROPIC_DEFAULT_{OPUS,SONNET,HAIKU}_MODEL`, and `CLAUDE_CODE_SUBAGENT_MODEL`
+from the child environment. If you were previously routing Claude Code by
+exporting these vars in your shell, switch to the `<model>@<base_url>` spec
+instead. For native (non-proxy) mode, configure `ANTHROPIC_API_KEY` via
+roborev's config (it is re-injected from roborev's stored key, not inherited
+from the operator's shell).
+
 ## Security Model
 
 roborev delegates code review and fix tasks to AI coding agents that

internal/agent/agent_test_cli_helpers_test.go

@@ -85,6 +85,7 @@ type MockCLIOpts struct {
 	ExitCode     int
 	CaptureArgs  bool
 	CaptureStdin bool
+	CaptureEnv   bool
 	StdoutLines  []string
 	StderrLines  []string
 }
@@ -94,6 +95,7 @@ type MockCLIResult struct {
 	CmdPath   string
 	ArgsFile  string
 	StdinFile string
+	EnvFile   string
 }
 
 // readMockArgs reads the captured arguments from a mock CLI's ArgsFile and splits them into a slice.
@@ -106,6 +108,21 @@ func readMockArgs(t *testing.T, path string) []string {
 	return strings.Split(strings.TrimSpace(string(content)), " ")
 }
 
+// readMockEnv reads the captured env from a mock CLI's EnvFile.
+// Returns each env var as a "KEY=VALUE" string.
+func readMockEnv(t *testing.T, path string) []string {
+	t.Helper()
+	content, err := os.ReadFile(path)
+	if err != nil {
+		t.Fatalf("failed to read env file %s: %v", path, err)
+	}
+	trimmed := strings.TrimRight(string(content), "\n")
+	if trimmed == "" {
+		return nil
+	}
+	return strings.Split(trimmed, "\n")
+}
+
 // assertContainsArg checks that args contains target, failing with a descriptive message.
 func assertContainsArg(t *testing.T, args []string, target string) {
 	t.Helper()
@@ -152,6 +169,11 @@ func mockAgentCLI(t *testing.T, opts MockCLIOpts) *MockCLIResult {
 		fmt.Fprintf(&script, "cat > %q\n", result.StdinFile)
 	}
 
+	if opts.CaptureEnv {
+		result.EnvFile = filepath.Join(tmpDir, "env.txt")
+		fmt.Fprintf(&script, "env > %q\n", result.EnvFile)
+	}
+
 	if len(opts.StdoutLines) > 0 {
 		stdoutFile := filepath.Join(tmpDir, "stdout.txt")
 		content := strings.Join(opts.StdoutLines, "\n")

internal/agent/claude.go

@@ -5,6 +5,9 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
+	"net"
+	"net/url"
+	"os"
 	"os/exec"
 	"slices"
 	"strings"
@@ -105,14 +108,110 @@ func (a *ClaudeAgent) CommandLine() string {
 	return a.Command + " " + strings.Join(args, " ")
 }
 
+// parseModel splits a model spec of the form "<model>@<base_url>" into its
+// components. The split happens at the first "@" whose suffix starts with
+// http:// or https:// (so proxy URLs embedded after the model are recognized
+// while leaving the rest of the spec intact).
+//
+// Rejections (return error):
+//   - Proxy URL containing userinfo (user:pass@host) — these leak into
+//     child-process env, /proc, and error messages. Operators must use
+//     ROBOREV_CLAUDE_PROXY_TOKEN for proxy auth.
+//   - Trailing bare "@" with no URL suffix (e.g. "sonnet@") — malformed
+//     input that previously fell through to native routing silently.
+//   - Leading "@http(s)://" with no model — proxy mode must pin tier
+//     aliases to a concrete model name.
+//   - Bare "http(s)://" URL with no "<model>@" prefix — same reason.
+//   - Leading "@" with non-URL suffix (e.g. "@foo") — would pass through to
+//     Claude as `--model @foo` and produce a confusing downstream error.
+func parseModel(spec string) (model, baseURL string, err error) {
+	if strings.HasPrefix(spec, "@http://") || strings.HasPrefix(spec, "@https://") {
+		return "", "", fmt.Errorf("model spec %q has proxy URL but no model; use '<model>@%s'", spec, spec[1:])
+	}
+	if strings.HasPrefix(spec, "http://") || strings.HasPrefix(spec, "https://") {
+		return "", "", fmt.Errorf("model spec %q is a bare proxy URL; use '<model>@%s'", spec, spec)
+	}
+	if strings.HasPrefix(spec, "@") {
+		return "", "", fmt.Errorf("model spec %q starts with '@'; model name must come before the '@<base_url>' suffix", spec)
+	}
+	for i := 1; i < len(spec); i++ {
+		if spec[i] != '@' {
+			continue
+		}
+		suffix := spec[i+1:]
+		if strings.HasPrefix(suffix, "http://") || strings.HasPrefix(suffix, "https://") {
+			if err := validateProxyURL(suffix); err != nil {
+				return "", "", err
+			}
+			model := spec[:i]
+			// Reject specs like "foo@httpx://bar@http://host" where the model
+			// component itself contains a URL-like substring — these indicate
+			// a malformed multi-URL spec that would otherwise silently pass
+			// a nonsensical --model argument to Claude.
+			if strings.Contains(model, "://") {
+				return "", "", fmt.Errorf("model spec %q has URL-like substring in model component %q; only one '@<base_url>' suffix is allowed", spec, model)
+			}
+			return model, suffix, nil
+		}
+	}
+	if strings.HasSuffix(spec, "@") {
+		return "", "", fmt.Errorf("model spec %q has trailing '@' — remove it or append a proxy URL as '<model>@http(s)://<host>'", spec)
+	}
+	return spec, "", nil
+}
+
+// validateProxyURL rejects proxy URLs that would leak credentials via the
+// child-process environment. The parsed URL must not contain userinfo; http://
+// is only permitted for loopback hosts so real credentials aren't forwarded
+// over plaintext to remote endpoints.
+func validateProxyURL(raw string) error {
+	u, err := url.ParseRequestURI(raw)
+	if err != nil {
+		return fmt.Errorf("invalid proxy URL %q: %w", raw, err)
+	}
+	if u.Host == "" {
+		return fmt.Errorf("proxy URL %q has no host", raw)
+	}
+	if u.User != nil {
+		return fmt.Errorf("proxy URL must not embed credentials; set ROBOREV_CLAUDE_PROXY_TOKEN instead")
+	}
+	// Reject fragments — they have no server-side meaning for HTTP requests
+	// and indicate operator error. Belt-and-suspenders: also scan the raw
+	// string in case ParseRequestURI's fragment handling changes.
+	if u.Fragment != "" || strings.Contains(raw, "#") {
+		return fmt.Errorf("proxy URL %q must not contain a fragment", raw)
+	}
+	if u.Scheme == "http" && !isLoopbackHost(u.Hostname()) {
+		return fmt.Errorf("proxy URL %q uses http:// with a non-loopback host; use https:// or a loopback address", raw)
+	}
+	return nil
+}
+
+func isLoopbackHost(host string) bool {
+	if host == "localhost" {
+		return true
+	}
+	if ip := net.ParseIP(host); ip != nil {
+		return ip.IsLoopback()
+	}
+	return false
+}
+
 func (a *ClaudeAgent) buildArgs(agenticMode, includeEffort bool) []string {
 	sessionID := sanitizedResumeSessionID(a.SessionID)
 	// Always use stdin piping + stream-json for non-interactive execution
 	// (following claude-code-action pattern from Anthropic)
 	args := []string{"-p", "--verbose", "--output-format", "stream-json"}
 
-	if a.Model != "" {
-		args = append(args, "--model", a.Model)
+	// buildArgs is also called from CommandLine() for display; on parse error
+	// fall back to the raw configured model so operators see what they typed
+	// in logs. Review() re-parses and surfaces the error before execution.
+	model, _, parseErr := parseModel(a.Model)
+	if parseErr != nil {
+		model = a.Model
+	}
+	if model != "" {
+		args = append(args, "--model", model)
 	}
 	if sessionID != "" {
 		args = append(args, "--resume", sessionID)
@@ -161,6 +260,11 @@ func claudeSupportsEffortFlag(ctx context.Context, command string) bool {
 }
 
 func (a *ClaudeAgent) Review(ctx context.Context, repoPath, commitSHA, prompt string, output io.Writer) (string, error) {
+	model, baseURL, err := parseModel(a.Model)
+	if err != nil {
+		return "", err
+	}
+
 	// Use agentic mode if either per-job setting or global setting enables it
 	agenticMode := a.Agentic || AllowUnsafeAgents()
 
@@ -185,12 +289,57 @@ func (a *ClaudeAgent) Review(ctx context.Context, repoPath, commitSHA, prompt st
 	// Use cmd.Environ() (not os.Environ()) so PWD=<cmd.Dir> is
 	// synthesized correctly. Set env before configureSubprocess so
 	// GIT_OPTIONAL_LOCKS=0 is appended to the final environment.
-	stripKeys := []string{"ANTHROPIC_API_KEY", "CLAUDECODE"}
+	// Always strip inherited Anthropic routing env so roborev owns the
+	// routing decision: native mode uses Anthropic defaults, proxy mode
+	// injects its own block below. This prevents silent misrouting when
+	// the user has exported these vars in their shell.
+	stripKeys := []string{
+		"ANTHROPIC_API_KEY",
+		"CLAUDECODE",
+		"ANTHROPIC_BASE_URL",
+		"ANTHROPIC_AUTH_TOKEN",
+		"ANTHROPIC_DEFAULT_OPUS_MODEL",
+		"ANTHROPIC_DEFAULT_SONNET_MODEL",
+		"ANTHROPIC_DEFAULT_HAIKU_MODEL",
+		"CLAUDE_CODE_SUBAGENT_MODEL",
+	}
 	cmd := exec.CommandContext(ctx, a.Command, args...)
 	cmd.Dir = repoPath
 	baseEnv := cmd.Environ()
 	env := filterEnv(baseEnv, stripKeys...)
-	if apiKey := AnthropicAPIKey(); apiKey != "" {
+	if baseURL != "" {
+		// Route Claude Code to an OpenAI/Anthropic-compatible proxy (Ollama,
+		// LiteLLM, etc.). Pin all tier aliases to the same model so Claude's
+		// internal tier-switching stays on the proxy target.
+		//
+		// Proxy auth is opt-in via ROBOREV_CLAUDE_PROXY_TOKEN, read from the
+		// roborev process environment (not the agent's). We deliberately do
+		// NOT reuse ANTHROPIC_API_KEY: forwarding a real Anthropic credential
+		// to an arbitrary third-party proxy is an exfiltration risk. If the
+		// env var is unset, send a placeholder — gateways that don't check
+		// the header (Ollama, most local dev proxies) accept it, and
+		// gateways that do check will reject with a clear 401.
+		// Trim whitespace so a token pasted from a config file with a
+		// trailing newline doesn't fail auth at the proxy with a confusing
+		// 401. Reject embedded control characters (newline, carriage return,
+		// NUL) that survive trimming — these would either be rejected by
+		// exec (NUL) or produce malformed HTTP headers at the proxy.
+		authToken := strings.TrimSpace(os.Getenv("ROBOREV_CLAUDE_PROXY_TOKEN"))
+		if strings.ContainsAny(authToken, "\n\r\x00") {
+			return "", fmt.Errorf("ROBOREV_CLAUDE_PROXY_TOKEN must not contain control characters (newline, carriage return, or NUL)")
+		}
+		if authToken == "" {
+			authToken = "proxy"
+		}
+		env = append(env,
+			"ANTHROPIC_BASE_URL="+baseURL,
+			"ANTHROPIC_AUTH_TOKEN="+authToken,
+			"ANTHROPIC_DEFAULT_OPUS_MODEL="+model,
+			"ANTHROPIC_DEFAULT_SONNET_MODEL="+model,
+			"ANTHROPIC_DEFAULT_HAIKU_MODEL="+model,
+			"CLAUDE_CODE_SUBAGENT_MODEL="+model,
+		)
+	} else if apiKey := AnthropicAPIKey(); apiKey != "" {
 		env = append(env, "ANTHROPIC_API_KEY="+apiKey)
 	}
 	env = append(env, "CLAUDE_NO_SOUND=1")