Merge pull request #428 from staszewski/fix/macos-keychain-claude-auth

fix: read Claude Code OAuth credentials from macOS Keychain

Author: gauss-math-inc

gauss_cli/__init__.py

@@ -10,5 +10,5 @@
 - gauss status         - Show status of all components
 """
 
-__version__ = "0.2.0"
-__release_date__ = "2026.3.12"
+__version__ = "0.2.1"
+__release_date__ = "2026.3.26"

gauss_cli/autoformalize.py

@@ -7,6 +7,7 @@
 import shlex
 import shutil
 import subprocess
+import sys
 import time
 from collections.abc import Mapping, Sequence
 from dataclasses import dataclass
@@ -529,6 +530,31 @@ def _has_local_claude_auth(real_home: Path) -> bool:
     return _has_local_claude_login(real_home) or _has_local_claude_api_key(real_home)
 
 
+def _read_keychain_claude_credentials() -> str | None:
+    """Return the Claude Code OAuth credentials JSON from the macOS Keychain, or ``None``."""
+    if sys.platform != "darwin":
+        return None
+    try:
+        result = subprocess.run(
+            ["security", "find-generic-password", "-s", "Claude Code-credentials", "-w"],
+            capture_output=True,
+            text=True,
+            timeout=5,
+        )
+        if result.returncode != 0:
+            return None
+        payload = result.stdout.strip()
+        if not payload:
+            return None
+        data = json.loads(payload)
+        oauth = data.get("claudeAiOauth")
+        if isinstance(oauth, Mapping) and str(oauth.get("accessToken", "")).strip():
+            return payload
+    except Exception:
+        pass
+    return None
+
+
 def _has_local_claude_login(real_home: Path) -> bool:
     credentials = real_home / ".claude" / ".credentials.json"
     if credentials.exists():
@@ -539,7 +565,7 @@ def _has_local_claude_login(real_home: Path) -> bool:
                 return True
         except Exception:
             pass
-    return False
+    return _read_keychain_claude_credentials() is not None
 
 
 def _load_local_claude_config(real_home: Path) -> dict[str, Any]:
@@ -1164,8 +1190,13 @@ def _stage_claude_credentials(
     destination_credentials = managed_claude_dir / ".credentials.json"
     if destination_credentials.exists():
         destination_credentials.unlink()
-    if copy_oauth_credentials and source_credentials.exists():
-        shutil.copy2(source_credentials, destination_credentials)
+    if copy_oauth_credentials:
+        if source_credentials.exists():
+            shutil.copy2(source_credentials, destination_credentials)
+        else:
+            keychain_payload = _read_keychain_claude_credentials()
+            if keychain_payload:
+                destination_credentials.write_text(keychain_payload, encoding="utf-8")
 
     payload = _load_json_dict(managed_key_path)
     payload.update(_load_local_claude_config(real_home))

pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "gauss-agent"
-version = "0.2.0"
+version = "0.2.1"
 description = "Gauss is a focused Lean autoformalization workspace with a managed Claude Code launcher."
 readme = "README.md"
 requires-python = ">=3.11"

tests/gauss_cli/test_autoformalize.py

@@ -465,6 +465,53 @@ def test_build_claude_runtime_with_local_login_stages_managed_env_and_prompt(mon
     assert payload["mcpServers"]["lean-lsp"]["env"]["LEAN_PROJECT_PATH"] == str(shared_bundle.project.lean_root)
 
 
+def test_build_claude_runtime_falls_back_to_macos_keychain_when_credentials_file_absent(monkeypatch, tmp_path: Path):
+    shared_bundle = _shared_bundle(tmp_path)
+    workflow = _workflow("/prove", "File.lean")
+    installed_plugin_root = (
+        tmp_path
+        / "managed"
+        / "claude-home"
+        / ".claude"
+        / "plugins"
+        / "cache"
+        / "lean4-skills"
+        / "lean4"
+        / "4.4.0"
+    )
+    (installed_plugin_root / "skills" / "lean4").mkdir(parents=True)
+    (installed_plugin_root / "skills" / "lean4" / "SKILL.md").write_text("# Lean4\n", encoding="utf-8")
+    keychain_payload = json.dumps({"claudeAiOauth": {"accessToken": "sk-ant-oat01-test"}})
+    monkeypatch.setattr(autoformalize, "_require_executable", lambda name, _msg, _env: f"/usr/bin/{name}")
+    monkeypatch.setattr(autoformalize, "_claude_permission_args", lambda: ("--dangerously-skip-permissions",))
+    monkeypatch.setattr(autoformalize, "_install_managed_claude_plugin", lambda **_kwargs: installed_plugin_root)
+    monkeypatch.setattr(autoformalize, "_read_keychain_claude_credentials", lambda: keychain_payload)
+
+    runtime = autoformalize._build_claude_runtime(
+        auth_mode="auto",
+        user_instruction=workflow.workflow_args,
+        workflow=workflow,
+        base_environment={"HOME": str(shared_bundle.real_home), "PATH": "/usr/bin"},
+        include_persisted_env=False,
+        shared_bundle=shared_bundle,
+    )
+
+    managed_credentials = runtime.managed_context.backend_home / ".claude" / ".credentials.json"
+    assert managed_credentials.exists()
+    staged = json.loads(managed_credentials.read_text(encoding="utf-8"))
+    assert staged["claudeAiOauth"]["accessToken"] == "sk-ant-oat01-test"
+    assert "ANTHROPIC_API_KEY" not in runtime.child_env
+
+
+def test_has_local_claude_login_detects_macos_keychain_when_credentials_file_absent(monkeypatch, tmp_path: Path):
+    real_home = tmp_path / "real-home"
+    real_home.mkdir()
+    keychain_payload = json.dumps({"claudeAiOauth": {"accessToken": "sk-ant-oat01-test"}})
+    monkeypatch.setattr(autoformalize, "_read_keychain_claude_credentials", lambda: keychain_payload)
+
+    assert autoformalize._has_local_claude_login(real_home) is True
+
+
 def test_build_claude_runtime_accepts_anthropic_api_key(monkeypatch, tmp_path: Path):
     shared_bundle = _shared_bundle(tmp_path)
     workflow = _workflow("/formalize")
@@ -483,6 +530,7 @@ def test_build_claude_runtime_accepts_anthropic_api_key(monkeypatch, tmp_path: P
     monkeypatch.setattr(autoformalize, "_require_executable", lambda name, _msg, _env: f"/usr/bin/{name}")
     monkeypatch.setattr(autoformalize, "_claude_permission_args", lambda: ("--dangerously-skip-permissions",))
     monkeypatch.setattr(autoformalize, "_install_managed_claude_plugin", lambda **_kwargs: installed_plugin_root)
+    monkeypatch.setattr(autoformalize, "_read_keychain_claude_credentials", lambda: None)
 
     runtime = autoformalize._build_claude_runtime(
         auth_mode="auto",