vessux · vessux · Jun 13, 2026 · Jun 12, 2026 · Jun 12, 2026 · Jun 12, 2026
diff --git a/README.md b/README.md
@@ -56,9 +56,10 @@ openlock validate /path/to/your/repo  # lint the manifest + policy
 openlock sandbox /path/to/your/repo   # launch (path defaults to cwd)
 ```
 
-`sandbox` requires an `.openlock/` (run `openlock init` first, or it errors). The first
-`sandbox` run prompts for `claude setup-token` if you have no credentials, runs `git init`
-if the path isn't a git repo yet, and (re)attaches the session.
+`sandbox` requires an `.openlock/` (run `openlock init` first, or it errors). If you have no
+credentials it runs `openlock login` (the Anthropic provider imports your Claude subscription
+token from an isolated `claude auth login`). The first run also `git init`s the path if it
+isn't a git repo yet, and (re)attaches the session.
 
 ## Usage
 

diff --git a/docs/agent-config-reference.md b/docs/agent-config-reference.md
@@ -27,7 +27,7 @@ Top-level keys: `version` (required, integer) plus optional `filesystem_policy`,
 
   - endpoint keys: `host`, `port`, `ports`, `protocol`, `tls`, `enforcement`, `access`, `rules`, `allowed_ips`, `deny_rules`, `allow_encoded_slash`, `cred_inject`, `echo`, `trust_check`.
   - L7 rule: `allow` with matchers `method`, `path`, `command`, `query`; `deny_rules` use the same matchers. The query matcher key is `any`.
-  - `cred_inject`: `provider`, `strip_headers`, `inject` (each inject entry has `header`, `from_credential`).
+  - `cred_inject`: `provider`, `strip_headers`, `inject` (each inject entry has `header`, `from_credential`, and an optional `value_prefix` — a literal string such as `"Bearer "` prepended to the resolved credential when composing the header).
   - `trust_check`: `registry`.
   - binary entry: `path` (string). A deprecated `harness` boolean is also accepted on a binary entry — legacy, unrelated to the top-level harness enum below; real policies omit it.
 - `filesystem_policy`: `include_workdir`, `read_only`, `read_write`.

diff --git a/policies/default.yaml b/policies/default.yaml
@@ -47,30 +47,14 @@ network_policies:
           inject:
             - header: Authorization
               from_credential: ANTHROPIC_BEARER_TOKEN
+              value_prefix: 'Bearer '
     allowed_secrets:
       - ANTHROPIC_BEARER_TOKEN
   opencode:
     binaries:
       - path: /usr/local/bin/opencode
       - path: /usr/local/bin/node
     endpoints:
-      - host: api.anthropic.com
-        port: 443
-        protocol: rest
-        enforcement: enforce
-        rules:
-          - allow:
-              method: POST
-              path: /v1/**
-        cred_inject:
-          provider: anthropic
-          strip_headers:
-            - Authorization
-            - x-api-key
-            - Cookie
-          inject:
-            - header: x-api-key
-              from_credential: ANTHROPIC_API_KEY
       - host: openrouter.ai
         port: 443
         protocol: rest
@@ -97,7 +81,6 @@ network_policies:
               method: GET
               path: /**
     allowed_secrets:
-      - ANTHROPIC_API_KEY
       - OPENROUTER_BEARER_TOKEN
   npm_packages:
     binaries:

diff --git a/policies/wire-proof-local.yaml b/policies/wire-proof-local.yaml
@@ -2,7 +2,7 @@
 #
 # Usage:
 #   Terminal 1: just gateway-vm
-#   Terminal 2: just cli provider create --name anthropic --type claude --credential ANTHROPIC_API_KEY=sk-test-key
+#   Terminal 2: just cli provider create --name anthropic --type claude-oauth --credential ANTHROPIC_BEARER_TOKEN=sk-test-key
 #              just cli sandbox create --name wire-proof --provider anthropic \
 #                --policy policies/wire-proof-local.yaml -- /bin/bash
 #
@@ -40,5 +40,5 @@ network_policies:
           provider: anthropic
           strip_headers: [Authorization, x-api-key, Cookie]
           inject:
-            - { header: Authorization, from_credential: ANTHROPIC_BEARER_TOKEN }
-    allowed_secrets: [ANTHROPIC_BEARER_TOKEN, ANTHROPIC_AUTH_TOKEN]
+            - { header: Authorization, from_credential: ANTHROPIC_BEARER_TOKEN, value_prefix: "Bearer " }
+    allowed_secrets: [ANTHROPIC_BEARER_TOKEN]
diff --git a/scripts/render-default-policies.ts b/scripts/render-default-policies.ts
@@ -51,6 +51,9 @@ function harnessBlock(harness: Harness): Record<string, unknown> {
               inject: ep.cred_inject.inject.map((i) => ({
                 header: i.header,
                 from_credential: i.from_credential,
+                // Preserve the literal prefix (e.g. "Bearer ") when present; a
+                // cred whose stored value carries no prefix omits the key.
+                ...(i.value_prefix ? { value_prefix: i.value_prefix } : {}),
               })),
             },
           }

diff --git a/src/cli/sandbox.test.ts b/src/cli/sandbox.test.ts
@@ -24,4 +24,13 @@ describe("sandbox flagSchema (extended)", () => {
     });
     expect(values.provider).toBe("openrouter");
   });
+
+  it("accepts --no-attach as a boolean", () => {
+    const { values } = parseArgs({
+      args: ["--no-attach"],
+      options: flagSchema,
+      allowPositionals: true,
+    });
+    expect(values["no-attach"]).toBe(true);
+  });
 });
diff --git a/src/cli/sandbox.ts b/src/cli/sandbox.ts
@@ -7,6 +7,7 @@ export const flagSchema = {
   harness: { type: "string" },
   provider: { type: "string" },
   branch: { type: "string", short: "b" },
+  "no-attach": { type: "boolean" },
   help: { type: "boolean", short: "h" },
 } as const satisfies ParseArgsOptionsConfig;
 
@@ -29,6 +30,7 @@ export function sandboxCmd(args: string[]): void {
       harness: values.harness,
       provider: values.provider,
       branch: values.branch,
+      noAttach: values["no-attach"] === true,
     }),
   );
 }
diff --git a/src/config-core/policy/schema.test.ts b/src/config-core/policy/schema.test.ts
@@ -157,6 +157,52 @@ describe("validateSchema", () => {
     expect(errors.some((e) => e.message.includes("nope"))).toBe(true);
   });
 
+  test("accepts cred_inject header with value_prefix", () => {
+    const errors = validateSchema({
+      version: 1,
+      network_policies: {
+        test: {
+          endpoints: [
+            {
+              host: "api.anthropic.com",
+              cred_inject: {
+                provider: "anthropic",
+                strip_headers: ["Authorization"],
+                inject: [
+                  {
+                    header: "Authorization",
+                    from_credential: "ANTHROPIC_BEARER_TOKEN",
+                    value_prefix: "Bearer ",
+                  },
+                ],
+              },
+            },
+          ],
+        },
+      },
+    });
+    expect(errors).toHaveLength(0);
+  });
+
+  test("rejects unknown field in cred_inject header (allowlist still enforced)", () => {
+    const errors = validateSchema({
+      version: 1,
+      network_policies: {
+        test: {
+          endpoints: [
+            {
+              host: "x.com",
+              cred_inject: {
+                inject: [{ header: "Authorization", from_credential: "X", value_suffix: "nope" }],
+              },
+            },
+          ],
+        },
+      },
+    });
+    expect(errors.some((e) => e.message.includes("value_suffix"))).toBe(true);
+  });
+
   test("rejects missing required fields in cred_inject header", () => {
     const errors = validateSchema({
       version: 1,

diff --git a/src/config-core/policy/schema.ts b/src/config-core/policy/schema.ts
@@ -4,7 +4,7 @@ const L7_ALLOW_KEYS = new Set(["method", "path", "command", "query"]);
 const L7_RULE_KEYS = new Set(["allow"]);
 const L7_DENY_KEYS = new Set(["method", "path", "command", "query"]);
 
-const CRED_INJECT_HEADER_KEYS = new Set(["header", "from_credential"]);
+const CRED_INJECT_HEADER_KEYS = new Set(["header", "from_credential", "value_prefix"]);
 const CRED_INJECT_KEYS = new Set(["provider", "strip_headers", "inject"]);
 const TRUST_CHECK_KEYS = new Set(["registry"]);
 
@@ -281,6 +281,7 @@ function validateCredInjectHeader(val: unknown, path: string): ValidationError[]
   for (const f of ["header", "from_credential"] as const) {
     requireScalar(errors, obj, f, "string", path);
   }
+  optionalScalar(errors, obj, "value_prefix", "string", path);
   return errors;
 }
 

diff --git a/src/config-core/policy/types.ts b/src/config-core/policy/types.ts
@@ -1,6 +1,7 @@
 interface CredInjectHeader {
   header: string;
   from_credential: string;
+  value_prefix?: string;
 }
 
 interface CredInject {

diff --git a/src/login.ts b/src/login.ts
@@ -52,11 +52,12 @@ export async function _loginForTests(args: {
   const id = args.providerFlag ? validateProviderId(args.providerFlag) : await args.pick(args.io);
   const plugin = PROVIDERS[id];
   args.io.writeStdout(`\nAuthenticating with ${plugin.displayName}...\n`);
-  const creds = await plugin.loginInteractive(args.io);
+  const result = await plugin.loginInteractive(args.io);
   writeProvider(id, {
     type: plugin.openshellType,
-    credentials: creds,
+    credentials: result.credentials,
     created_at: new Date().toISOString(),
+    refresh: result.refresh,
   });
   args.io.writeStdout(`\nCredentials saved for provider '${id}'.\n`);
 }