
    4Rj                        d dl mZ d dlZd dlmZ ddlmZmZ ddlm	Z	 ddl
mZmZmZmZmZmZmZmZmZmZmZmZmZ ddlmZmZmZ d	d
lmZ dgZddZddddZ y)    )annotationsN)Optional   )CredentialResultIdentityTokenProvider)WorkloadIdentityCredentials)	ENV_SCOPEENV_API_KEYENV_PROFILEENV_AUTH_TOKENENV_CONFIG_DIRENV_WORKSPACE_IDENV_IDENTITY_TOKENENV_ORGANIZATION_IDENV_FEDERATION_RULE_IDENV_SERVICE_ACCOUNT_ID_has_active_profile_config_has_explicit_active_configresolve_identity_token_path)StaticTokenCredentialsFileIdentityTokenFile   )AnthropicErrordefault_credentialsc           
     4   t         j                  j                  t              }t         j                  j                  t              }t
        t         j                  v }t               }|r|sy|s|y|t        |      }ndd}|}t        |||t         j                  j                  t              t         j                  j                  t              xs dt         j                  j                  t                    }|j                  |        t        |      S )zBuild a :class:`CredentialResult` for the env-var federation path
    (step 4 in the precedence spec). Returns ``None`` if the required trio
    isn't fully set.Nc                 t    t         j                  j                  t              } | t	        t         d      | S )Nzz is not set; the workload-identity chain selected this provider at construction time but the env var is no longer present.)osenvirongetr   r   )values    h/var/www/html/meridian/meridian-ai/venv/lib/python3.12/site-packages/anthropic/lib/credentials/_chain.py_read_env_tokenz1_build_federation_result.<locals>._read_env_token1   s>    JJNN#56E}$)* +, - 
 L    )identity_token_providerfederation_rule_idorganization_idservice_account_idworkspace_idscopeprovider)returnstr)r   r   r    r   r   r   r   r   r   r   r   r	   bind_base_urlr   )base_urlr&   r'   has_literal_tokenidentity_token_pathidentity_providerr#   r,   s           r"   _build_federation_resultr4      s     (>?jjnn%89O*bjj857_!4!< &-.AB	 ,* 1-'::>>*@A ZZ^^$45=jjnnY'
H 8$X..r$   zhttps://api.anthropic.comr0   c                   t         j                  j                  t              ryt         j                  j                  t              }|rt        t        |            S t        t         j                  j                  t              xs# t         j                  j                  t                    }t               }|s|rCt               }|j                  |        |j                         }t        |||j                        S t        |       }||S t!               rDt               }|j                  |        	 |j                         }t        |||j                        S y# t"        $ r Y yw xY w)u  Resolve a :class:`CredentialResult` from the environment per the
    credential-resolution spec. First match wins.

    Implements steps 2-5 of the spec precedence chain (step 1 is handled at
    the client constructor level, above this function):

    Step 2a: ``ANTHROPIC_API_KEY`` → return ``None`` so the client uses its
             existing ``X-Api-Key`` header path. (API keys are not Bearer
             tokens, so they can't flow through this chain.)
    Step 2b: ``ANTHROPIC_AUTH_TOKEN`` → :class:`StaticToken` (Bearer).
    Step 3:  ``ANTHROPIC_PROFILE`` / ``ANTHROPIC_CONFIG_DIR`` set, or the
             ``active_config`` pointer file exists → load that profile.
             This is *explicit profile selection*; failures propagate.
    Step 4:  ``ANTHROPIC_FEDERATION_RULE_ID`` + ``ANTHROPIC_ORGANIZATION_ID``
             + ``ANTHROPIC_IDENTITY_TOKEN[_FILE]`` → direct jwt-bearer
             exchange via :class:`WorkloadIdentityCredentials`. Critically,
             step 4 sits **between** explicit profile (step 3) and
             fallback profile (step 5): a machine with WIF env vars wired
             up must use WIF even if a leftover ``default`` profile exists
             on disk, but a user who explicitly ``ANTHROPIC_PROFILE=dev``
             still gets their profile.
    Step 5:  Fallback active profile from disk (``configs/default.json``
             or whatever ``active_config`` points at). Errors at this step
             are swallowed and the chain falls through — a corrupt
             unselected profile shouldn't break an otherwise-explicit
             api_key= path.

    Returns ``None`` when nothing matches — the client will fall back to
    its normal "no auth configured" error.
    Nr+   )r,   extra_headersr0   r5   )r   r   r    r
   r   r   r   boolr   r   r   r   r/   r7   resolved_base_urlr4   r   r   )r0   
auth_tokenenv_explicitpointer_explicit
creds_filer7   federation_results          r"   r   r   L   s:   @ 
zz~~k" /JZ)@AA
 

{3Urzz~~n7UVL24'$&
  *"002'11
 	
 1(C$   "#$&
  *	&446M  '11
 	
   		s   7E   	E,+E,)r0   r.   r-   zOptional[CredentialResult])!
__future__r   r   typingr   _typesr   r   	_workloadr   
_constantsr	   r
   r   r   r   r   r   r   r   r   r   r   r   
_providersr   r   r   _exceptionsr   __all__r4   r    r$   r"   <module>rH      sN    " 	  ; 2    H G ) 
!,/^ ,G Or$   