The SDK pipe hardcoded setting_sources=[], so chats never loaded ~/.claude/CLAUDE.md or any settings.json. Expose it as a valve (default empty = isolated baseline) so single-user/homelab instances can opt into persistent context, while shared deployments keep the safe default. Parse via _parse_setting_sources(): comma-split, lowercase, drop unknown tokens so a typo can't silently widen inheritance. README documents the opt-in plus the hooks/permissions security tradeoff (CLAUDE.md and settings.json load together — a Claude Code coupling) and why the valve does not apply to the sandboxed pipe. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> |
||
|---|---|---|
| anthropic-proxy | ||
| sandbox | ||
| .gitignore | ||
| README.md | ||
| claude_agent_pipe.py | ||
| claude_agent_pipe_sandboxed.py | ||
| sync_pipe.py | ||
README.md
OpenWebUI Claude Code Pipe
Run Claude Code's agent loop from inside Open WebUI chats, via the Claude Agent SDK.
This is an Open WebUI Pipe that exposes Claude Code as a selectable model. Each chat gets its own isolated workspace directory; agent turns within the same chat resume the same Claude Code session, so context (files, prior tool calls) carries forward.
Features
- Full Claude Code agent loop — Read, Write, Edit, Bash, Glob, Grep, WebSearch, WebFetch (configurable allowlist)
- Per-chat workspaces — each
chat_idgets a sandboxed working directory that persists across turns - Dual auth — bring your own Anthropic API key (pay-per-token) or a Claude Pro/Max OAuth token (bills against your subscription)
- Streaming UI — tool calls render inline with previews; generated images/PDFs/CSVs surface as artifacts in the chat
- Configurable valves — model, permission mode, tool allowlist, max turns, workspace root, setting sources (
CLAUDE.md)
Requirements
- Open WebUI (any recent version with the Pipes/Functions framework)
- Python deps (auto-installed by Open WebUI from the file header):
claude-agent-sdk>=0.1.60anthropic>=0.40.0
- The
claudeCLI must be available on the host running Open WebUI's Python backend (the SDK shells out to it). Install vianpm install -g @anthropic-ai/claude-code.
Installation
- In Open WebUI, go to Workspace → Functions → + (or Admin Panel → Functions).
- Paste the contents of
claude_agent_pipe.pyinto the editor. - Save and enable the function.
- Open the function's Valves and configure auth (one of):
ANTHROPIC_API_KEY— standard pay-per-token billingCLAUDE_CODE_OAUTH_TOKEN— generate on a machine with a browser viaclaude setup-token; bills against your Pro/Max/Team subscription
- A new model named Claude Code will appear in the model picker.
Configuration (Valves)
| Valve | Default | Description |
|---|---|---|
ANTHROPIC_API_KEY |
(env) | Anthropic API key. Falls back to the backend's env var. |
CLAUDE_CODE_OAUTH_TOKEN |
(empty) | Claude subscription OAuth token. Takes priority over the API key when set. |
MODEL |
claude-haiku-4-5 |
Claude model ID (e.g. claude-haiku-4-5, claude-sonnet-4-6, claude-opus-4-7). |
PERMISSION_MODE |
bypassPermissions |
default, acceptEdits, bypassPermissions, plan, or dontAsk. |
ALLOWED_TOOLS |
Read,Write,Edit,Bash,Glob,Grep,WebSearch,WebFetch |
Comma-separated tools auto-approved without prompting. |
WORKDIR_ROOT |
/tmp/claude-agent-pipe |
Root directory for per-chat workspaces. |
MAX_TURNS |
30 |
Max agent turns per user message. 0 disables the cap. |
SETTING_SOURCES |
(empty) | Comma-separated filesystem setting sources to load: user, project, local. Empty = none (isolated baseline). See below. |
Persistent context via CLAUDE.md (SETTING_SOURCES)
By default the pipe passes setting_sources=[] to the SDK, so no filesystem
settings are loaded: each chat starts from a clean baseline and does not
inherit the backend user's ~/.claude/ or the workdir's .claude/. This is the
safe default for shared deployments.
If you run a single-user/homelab instance and want persistent environmental
context (e.g. a host inventory or standing instructions in
~/.claude/CLAUDE.md) without re-explaining it every chat, set the valve:
| Value | Loads |
|---|---|
| (empty) | Nothing — isolated baseline (default). |
user |
~/.claude/CLAUDE.md and ~/.claude/settings.json. |
user,project,local |
Above plus the workdir's .claude/settings.json and .claude/settings.local.json. |
Each token maps to one source — user → ~/.claude/, project →
<workdir>/.claude/settings.json, local → <workdir>/.claude/settings.local.json.
Unknown tokens are dropped.
[!WARNING] Settings sources load more than
CLAUDE.md. A loadedsettings.jsoncan define hooks that execute shell commands, permission grants, env vars, and MCP servers — for every chat, under the backend user's identity, with the pipe's defaultbypassPermissionsmode. Only enableSETTING_SOURCESon an instance you fully trust and control. Do not enable it on multi-user or public deployments — it breaks per-chat isolation and lets host config influence (or run code in) every user's session. There is no way to loadCLAUDE.mdwithout also loadingsettings.jsonfrom the same source; that coupling is in Claude Code, not this pipe.
Does this apply to the sandboxed pipe?
Not directly. claude_agent_pipe_sandboxed.py
doesn't use setting_sources at all — it shells the claude CLI inside an
open-terminal sandbox with a per-chat CLAUDE_CONFIG_DIR that's created
fresh each chat, so there's no host ~/.claude/ to inherit and nothing to
disable. Persistent context there is meant to come from mechanisms already built
for isolation:
- Workspace Model system prompt — appended on every turn (
--append-system-prompt); the natural place for standing instructions. - Baking into the image — skills are already vendored into the sandbox image at build time; a
CLAUDE.mdor settings can be baked the same way (under the per-chatCLAUDE_CONFIG_DIRlayout) if you want file-based context.
Because the sandbox isolates the agent and a proxy holds the credentials, the
security tradeoff is far milder there — but the setting_sources valve itself
has nothing to act on, so it's intentionally not added to the sandboxed pipe.
Auth notes
When both auth methods are present, the OAuth token wins and the API key is unset before invoking the SDK so it can't override.
Per Anthropic's terms: a Claude subscription is for personal use — don't re-offer subscription auth to other end users through a shared Open WebUI deployment. For multi-user setups, use API keys.
License
MIT