Custom Anthropic-compatible providers that authenticate with ANTHROPIC_AUTH_TOKEN must not also inherit the user's local login or keychain API key as x-api-key. The Provider Test path uses direct fetch and already sent only Authorization, while real desktop sessions use the Anthropic SDK and could attach both headers in trusted project cwd sessions.
Constraint: Provider Test uses direct fetch while real sessions use Anthropic SDK headers
Rejected: Disable prompt, git, or context loading | 401 reproduced with a minimal prompt and no tools while the extra x-api-key persisted
Confidence: high
Scope-risk: narrow
Directive: Do not fallback to local Anthropic API keys when ANTHROPIC_AUTH_TOKEN is explicit unless ANTHROPIC_API_KEY or an explicit apiKey is also provided
Tested: bun test src/services/api/client.test.ts
Tested: bun run check:server
Tested: source CLI proxy capture verified Authorization=true and x-api-key=false in a real repository cwd
Tested: live parallel source CLI calls returned ok for PackyCodex2ccCustom and 胜算云
Not-tested: Rebuilt macOS app artifact after this patch