
fix: accept sk-ant-sid02 session keys for claude web #960

Open
careful-cat8480 wants to merge 4 commits into ChatGPTBox-dev:master from careful-cat8480:master

Conversation

careful-cat8480 commented Apr 11, 2026

Anthropic changed their session key format from sk-ant-sid01-* to sk-ant-sid02-*. The validation in claude/index.mjs was hardcoded to only accept sid01, causing an error for anyone with a newer key.
Changed the startsWith check from sk-ant-sid01 to sk-ant-sid to accept any version going forward.



Summary by CodeRabbit

  • Bug Fixes
    • Broadened Claude service session-key validation to accept a wider, variable session-key format and updated the invalid-key example in error messages. This reduces false rejections during authentication and gives clearer guidance for correcting malformed keys.

Review Summary by Qodo

Accept sk-ant-sid02 session keys for Claude Web

🐞 Bug fix

Walkthroughs

Description
• Accept newer sk-ant-sid02 session key format
• Update validation to support any sid version
• Fix error message to reflect generic format
Diagram

```mermaid
flowchart LR
  A["Session Key Validation"] -->|Old: sk-ant-sid01| B["Rejected"]
  A -->|New: sk-ant-sid| C["Accepted"]
  C -->|Supports sid01, sid02, etc.| D["Forward Compatible"]
```

File Changes

1. src/services/clients/claude/index.mjs 🐞 Bug fix +2/-2

Update session key validation for forward compatibility

• Changed session key validation from sk-ant-sid01 to sk-ant-sid
• Updated error message to reflect generic format sk-ant-sid**-*****
• Enables support for newer session key versions (sid02 and beyond)

qodo-code-review bot commented Apr 11, 2026

Code Review by Qodo

🐞 Bugs (0) 📘 Rule violations (0) 📎 Requirement gaps (0) 🎨 UX Issues (0)

Remediation recommended

1. Overbroad key validation 🐞
Description
Claude now accepts any sessionKey starting with `sk-ant-sid`, including malformed values missing a numeric version and `-` separator, which pushes failures to later API calls instead of failing fast in the constructor. This key is then used verbatim in the Cookie header for all Claude requests, so malformed keys will cause confusing auth/request errors downstream.
Code

src/services/clients/claude/index.mjs[R77-78]

+    if (!sessionKey.startsWith('sk-ant-sid')) {
+      throw new Error('Session key invalid: Must be in the format sk-ant-sid**-*****')
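Review bot: The `startsWith('sk-ant-sid')` test on the first added line constrains only the prefix, so nothing after it is checked even though the message on the next line promises `sk-ant-sid**-*****`. Because this review states the key is placed verbatim in the `Cookie` header, match the whole string instead: versioned prefix, then only cookie-safe characters through to the end, after trimming pasted whitespace.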
Evidence
The constructor only checks `startsWith('sk-ant-sid')`, which does not enforce the documented `sk-ant-sid**-...` structure; later requests always include `cookie: sessionKey=`, so any malformed-but-prefix-matching value will be sent to Claude.ai and fail at request time rather than at initialization.

src/services/clients/claude/index.mjs[74-84]
src/services/clients/claude/index.mjs[218-224]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
`Claude` session key validation was broadened to accept `sid02`, but the current check only enforces a prefix (`startsWith('sk-ant-sid')`). This allows malformed keys (missing version digits and/or `-` separator) to pass validation and fail later during HTTP requests.
### Issue Context
The `sessionKey` is used verbatim in the `Cookie` header (``cookie: `sessionKey=${this.sessionKey}` ``) across Claude requests, so validating the full expected shape up front improves correctness and debuggability.
### Fix Focus Areas
- src/services/clients/claude/index.mjs[74-84]
- src/services/clients/claude/index.mjs[218-224]
### Suggested change
Replace the prefix check with a forward-compatible format check, e.g.:
- `const key = String(sessionKey).trim()`
- `if (!/^sk-ant-sid\d+-/.test(key)) throw new Error('... sk-ant-sid<version>-*****')`
This keeps compatibility with `sid01`, `sid02`, etc., while rejecting clearly malformed inputs early.



Advisory comments

2. Sid01-only examples remain 🐞
Description
The file still includes sid01-specific example text (JSDoc and a `request()` help message), which is now inconsistent with the updated version-agnostic validation. This can mislead users into thinking only sid01 is supported even though the constructor now accepts sid02+.
Code

src/services/clients/claude/index.mjs[78]

+      throw new Error('Session key invalid: Must be in the format sk-ant-sid**-*****')
Evidence
While the constructor validation was updated to accept `sk-ant-sid*`, the same file still hardcodes `sk-ant-sid01-*****` in its usage examples/help text, creating conflicting guidance for users.

src/services/clients/claude/index.mjs[40-53]
src/services/clients/claude/index.mjs[163-169]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
After updating validation to accept `sk-ant-sid*`, the file still contains sid01-only examples/help text that contradict the new behavior.
### Issue Context
Users often copy/paste these strings when configuring the client; keeping them aligned reduces confusion.
### Fix Focus Areas
- src/services/clients/claude/index.mjs[40-53]
- src/services/clients/claude/index.mjs[163-169]
### Suggested change
Replace `sk-ant-sid01-*****` example values with a version-agnostic form (e.g., `sk-ant-sid02-*****` or `sk-ant-sid<version>-*****`), consistent with the constructor validation and error message.
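
The prefix check, the `^sk-ant-sid\d+-` pattern suggested in this review, and a whole-string match compared side by side, as an added example that is not part of the review or of the project's code. All function names and sample keys are constructed; the allowed body characters are the RFC 6265 cookie-octet set, chosen here as an assumption because the review says the key is sent verbatim in the `Cookie` header.

```javascript
// Added example, not ChatGPTBox code. All names and sample keys are constructed.
// Check as first submitted in the PR: prefix only.
const prefixOnly = (key) => key.startsWith('sk-ant-sid')

// Check suggested in review: version digits and separator, but no end anchor.
const versionedPrefix = (key) => /^sk-ant-sid\d+-/.test(key)

// Stricter variant (assumption): same versioned prefix, then one or more
// RFC 6265 cookie-octets up to the end of the string. cookie-octet excludes
// control characters, whitespace, double quote, comma, semicolon and backslash.
const COOKIE_SAFE_KEY = /^sk-ant-sid\d+-[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]+$/

function normalizeSessionKey(sessionKey) {
  if (typeof sessionKey !== 'string') {
    throw new TypeError('Session key invalid: expected a string')
  }
  const key = sessionKey.trim() // tolerate copy/paste whitespace at the ends
  if (!COOKIE_SAFE_KEY.test(key)) {
    // Do not echo the rejected value: it may be a real credential.
    throw new Error('Session key invalid: Must be in the format sk-ant-sid<version>-*****')
  }
  return key
}

function accepts(key) {
  try { normalizeSessionKey(key); return true } catch { return false }
}

// Constructed sample inputs (no real keys).
const SAMPLES = [
  ['sid01 key', 'sk-ant-sid01-EXAMPLEexample_0123'],
  ['sid02 key', 'sk-ant-sid02-EXAMPLEexample_0123'],
  ['trailing newline', 'sk-ant-sid02-EXAMPLEexample_0123\n'],
  ['no version or dash', 'sk-ant-sidXYZ'],
  ['empty body', 'sk-ant-sid02-'],
  ['second cookie pair', 'sk-ant-sid02-EXAMPLE; other=1'],
  ['embedded CRLF', 'sk-ant-sid02-EXAMPLE\r\nX-Test: 1'],
]

function compareChecks() {
  return SAMPLES.map(([label, key]) => ({
    label,
    prefixOnly: prefixOnly(key),
    versionedPrefix: versionedPrefix(key),
    strict: accepts(key),
  }))
}

console.table(compareChecks())
```

The last three samples pass both looser checks and are rejected only by the whole-string match; the trailing-newline sample is accepted after trimming, so the stored key no longer contains the newline.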

coderabbitai bot commented Apr 11, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 1e8e1e0c-d352-4fc0-b33a-9f9cdd2dcf7c

📥 Commits

Reviewing files that changed from the base of the PR and between 2c15a5c and 1ba0997.

📒 Files selected for processing (1)
  • src/services/clients/claude/index.mjs
🚧 Files skipped from review as they are similar to previous changes (1)
  • src/services/clients/claude/index.mjs

Walkthrough

Constructor validation in the Claude client was changed: the sessionKey check was replaced with a regex requiring the pattern `^sk-ant-sid\d+-` (e.g., `sk-ant-sid12-...`) and the validation error message was updated to reference `sk-ant-sidXX-*****`. Other constructor control flow is unchanged.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Claude Client Validation: `src/services/clients/claude/index.mjs` | Replaced fixed `sessionKey.startsWith('sk-ant-sid01')` check with a regex `^sk-ant-sid\d+-` and updated the thrown validation and example messages to show `sk-ant-sidXX-*****`. No other functional changes in the constructor. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 I hopped into code at the break of day,
Tuned a key pattern so more keys may play,
From 01 to many digits bright,
I thumped my paw and twitched in delight,
Carrots and commits—hooray! 🥕✨

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and concisely summarizes the main change: updating Claude session key validation to accept the newer sk-ant-sid02 format alongside the previous sk-ant-sid01 format. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


gemini-code-assist[bot]

This comment was marked as resolved.

devin-ai-integration bot left a comment

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 1 additional finding.

coderabbitai[bot]

This comment was marked as resolved.

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
devin-ai-integration[bot]

This comment was marked as resolved.

careful-cat8480 and others added 2 commits April 11, 2026 23:45
Co-authored-by: devin-ai-integration[bot] <158243242+devin-ai-integration[bot]@users.noreply.github.com>
replacing session-key examples with a consistent version-agnostic form