Tags: getagentseal/codeburn
Tags
fix(menubar): read Claude keychain via security CLI on silent refresh (#490) (#491)

Background token refreshes re-read the "Claude Code-credentials" keychain item via the Security framework. On macOS Sierra+, access is governed by the item's partition list, not the legacy "Always Allow" ACL. Claude Code resets that partition list every time it rotates the credential, dropping our app from the allowed set, so the next read raises a fresh keychain password prompt. On a heavy usage day this fires dozens of times. The LAContext interactionNotAllowed flag we relied on does not suppress that prompt for a plain generic-password item.

Route the silent path (proactive refresh and post-401 re-read) through /usr/bin/security instead. The Apple-signed security binary sits in the item's apple-tool: partition, so it reads the secret without prompting and without depending on the user's ACL grant. It is read-only and never spends the shared refresh token, preserving the existing invariant that the Claude CLI owns the grant. The user-initiated bootstrap keeps the framework read, where a single consent prompt is expected.

Drops the now-unused LocalAuthentication import.
Store credential cache in file instead of keychain, use cache for per-provider menubar

Credential cache: switched from keychain to file-based storage under Application Support. Ad-hoc signed builds invalidate keychain ACLs on every rebuild, causing repeated macOS password prompts. Existing keychain entries are migrated to file on first read, then deleted.

Per-provider menubar: the Codex/Claude/etc tabs previously re-parsed all sessions from scratch (22s). Now parses only today with the provider filter and uses the daily cache for historical days, matching the fast path the All tab already uses.

Daily cache bumped to v7 to force a clean rebuild after pricing and provider changes since v6.