Fix menu bar recovery and Claude CLI startup

[afarwind]

Summary

• Prevent background app auto refresh from using Claude CLI fallback in auto mode, because an unauthenticated Claude CLI can open a browser OAuth flow during app startup.
• Extend menu bar visibility defaults repair to cover macOS Control Center defaults (com.apple.controlcenter) using NSStatusItem Visible Item-* keys.
• Keep the Control Center repair out of tests by injecting test defaults, and add focused coverage for both fixes.

Context

I hit two related startup issues locally:

1. CodexBar was running, but no menu bar icon was visible.
2. Launching CodexBar opened Chrome to a Claude OAuth URL.

For the menu bar issue, the app already had recovery logic for stale NSStatusItem VisibleCC ... keys, but on my macOS 26 setup the hidden state was stored under com.apple.controlcenter as NSStatusItem Visible Item-* = 0. This PR extends the one-time repair to handle that real system state.

For the Claude OAuth issue, the app background refresh could include Claude CLI as an auto-mode fallback. If Claude CLI is not authenticated, starting it can trigger the browser login flow. This PR suppresses that fallback only for app background auto refreshes, while keeping explicit CLI mode, user-initiated refreshes, and CLI runtime behavior intact.

Tests

• swift test --filter ClaudeSourcePlannerTests
• swift test --filter StatusItemControllerSplitLifecycleTests
• make check

[clawsweeper]

Codex review: needs real behavior proof before merge. Reviewed June 24, 2026, 8:56 PM ET / 00:56 UTC.

Summary
The branch extends hidden status-item defaults repair into com.apple.controlcenter, suppresses unauthenticated Claude CLI fallback during app background Auto refreshes, and adds focused Swift tests.

Reproducibility: no. independent high-confidence runtime reproduction was established in this review. Source inspection confirms current main lacks the Control Center defaults repair and can plan Claude CLI in app/background/Auto, while the live macOS and browser-launch side effects rely on contributor-provided context.

Review metrics: 2 noteworthy metrics.

• Changed surface: 6 files, +206/-11. The diff couples macOS status-item defaults repair with Claude provider planning, so proof needs to cover both startup behaviors.
• Reported validation: 3 commands claimed. The PR body reports two focused Swift test filters and make check, but those are supplemental to the missing real app proof.

Merge readiness
Overall: 🧂 unranked krab
Proof: 🧂 unranked krab
Patch quality: 🐚 platinum hermit
Result: blocked until stronger real behavior proof is added.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• [P1] Add redacted fresh-bundle proof showing the menu-bar item is visible after launch on the affected macOS setup.
• [P1] Add proof or logs showing app/background/Auto no longer opens Claude OAuth for an unauthenticated CLI and still works with prompt-free credentials.
• Update the PR body with the proof so ClawSweeper can re-review automatically.

Proof guidance:

• [P1] Needs stronger real behavior proof before merge: The PR has reproduction context and test commands, but it does not show after-fix real behavior from a freshly built app; screenshots, recordings, terminal output, copied live output, linked artifacts, or redacted logs should show the menu-bar icon visible and no Claude OAuth browser launch, with private data redacted, then the PR body update should trigger re-review or a maintainer can comment @clawsweeper re-review. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, the PR author or someone with repository write access can comment @clawsweeper re-review.

Mantis proof suggestion
A real desktop proof would materially help because the PR changes visible macOS menu-bar recovery and browser-launch side effects. A maintainer can ask Mantis to capture proof by posting this exact PR comment:

@openclaw-mantis visual task: verify a freshly built CodexBar launch keeps the menu bar icon visible and does not open Claude OAuth during background Auto refresh.

Risk before merge

• [P1] The PR still lacks redacted after-fix proof from a freshly built app launch showing the menu-bar item visible and no Claude OAuth browser startup.
• [P1] The Control Center repair mutates private macOS com.apple.controlcenter defaults, so maintainers should explicitly accept the upgrade behavior before merge.
• [P1] The Claude change alters provider source routing for app/background/Auto refreshes; the added tests are useful, but live unauthenticated and authenticated CLI behavior is not shown.

Maintainer options:

1. Require Fresh Launch Proof (recommended)
   Ask for a redacted recording, logs, or terminal output from a freshly built app showing the icon becomes visible and app/background/Auto does not open Claude OAuth while an authenticated CLI path still refreshes.
2. Accept The Defaults Repair Risk
   Maintainers can choose to merge after reviewing the code and tests, but they would be explicitly accepting the private Control Center defaults mutation without live proof.
3. Split Runtime Surfaces
   If review stays uncertain, split the macOS status-item repair and Claude provider-routing change so each can be proven and merged independently.

Next step before merge

• [P1] The remaining blocker is contributor/maintainer proof and compatibility judgment, not a narrow automated code repair.

Security
Cleared: No concrete security or supply-chain regression was found; the auth-related change is tracked as provider-routing compatibility risk.

Review details

Best possible solution:

Require fresh-bundle macOS proof for both startup fixes, then land the narrow repair if maintainers accept the Control Center defaults and Claude Auto routing behavior.

Do we have a high-confidence way to reproduce the issue?

No independent high-confidence runtime reproduction was established in this review. Source inspection confirms current main lacks the Control Center defaults repair and can plan Claude CLI in app/background/Auto, while the live macOS and browser-launch side effects rely on contributor-provided context.

Is this the best way to solve the issue?

Unclear. The latest code shape is narrow and addresses the previous CLI compatibility concern, but it is not yet the best merge path until fresh-bundle proof and maintainer acceptance of private Control Center defaults mutation are present.

AGENTS.md: found and applied where relevant.

Codex review notes: model internal, reasoning high; reviewed against ada3660e9d61.

Label changes

Label justifications:

• P2: The PR targets bounded startup bugs with meaningful user impact, but it is not a confirmed broad outage or emergency.
• merge-risk: 🚨 compatibility: Merging changes upgrade-time menu-bar visibility defaults and background Auto fallback behavior for existing users.
• merge-risk: 🚨 auth-provider: Merging changes Claude provider source routing by suppressing CLI fallback unless prompt-free credentials are detected.
• rating: 🧂 unranked krab: Overall readiness is 🧂 unranked krab; proof is 🧂 unranked krab and patch quality is 🐚 platinum hermit.
• status: 📣 needs proof: The PR needs real behavior proof before ClawSweeper can clear the contributor ask. Needs stronger real behavior proof before merge: The PR has reproduction context and test commands, but it does not show after-fix real behavior from a freshly built app; screenshots, recordings, terminal output, copied live output, linked artifacts, or redacted logs should show the menu-bar icon visible and no Claude OAuth browser launch, with private data redacted, then the PR body update should trigger re-review or a maintainer can comment @clawsweeper re-review. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, the PR author or someone with repository write access can comment @clawsweeper re-review.

Evidence reviewed

What I checked:

• Repository policy applied: AGENTS.md was read fully; its guidance affected this review by avoiding live Keychain/provider probes and by requiring freshly built bundle proof for menu-bar runtime behavior. (AGENTS.md:1, ada3660e9d61)
• Current main status-item repair boundary: Current main only repairs the app defaults domain for the NSStatusItem VisibleCC prefix, so it does not cover the contributor's reported com.apple.controlcenter / NSStatusItem Visible Item-* state. (Sources/CodexBar/MenuBarStatusItemDefaultsRepair.swift:5, ada3660e9d61)
• PR Control Center repair: The PR adds a separate one-shot Control Center repair pass and deletes false NSStatusItem Visible Item-* or codexbar-* keys from the injected Control Center defaults suite. (Sources/CodexBar/MenuBarStatusItemDefaultsRepair.swift:13, 883962209253)
• Current main Claude Auto planning: Current main marks Claude CLI available in planning whenever the binary resolves, so app/background/Auto can attempt CLI fallback after OAuth. (Sources/CodexBarCore/Providers/Claude/ClaudeProviderDescriptor.swift:82, ada3660e9d61)
• PR Claude CLI compatibility adjustment: The latest PR head keeps CLI in the app/background/Auto plan only when prompt-free credentials are detected, while preserving explicit CLI mode, user-initiated refresh, CLI runtime, and authenticated background Auto paths. (Sources/CodexBarCore/Providers/Claude/ClaudeProviderDescriptor.swift:85, 883962209253)
• Provider pipeline availability behavior: The provider pipeline skips planned strategies whose isAvailable value is false, so the CLI planning boolean directly controls whether CLI is fetched in Auto mode. (Sources/CodexBarCore/Providers/ProviderFetchPlan.swift:204, ada3660e9d61)

Likely related people:

• Peter Steinberger: Git history shows Peter authored the hidden status-item defaults repair and several adjacent menu-bar placement/recovery changes that this PR extends. (role: recent status-item recovery contributor; confidence: high; commits: 6665d028, 8545c76d, f3802870; files: Sources/CodexBar/MenuBarStatusItemDefaultsRepair.swift, Sources/CodexBar/StatusItemController.swift, Sources/CodexBar/MenuBarVisibilityWatcher.swift)
• Ratul Sarna: Git history links Ratul to the Claude OAuth Keychain prompt, startup bootstrap, and prompt-free keychain behavior touched by the Claude planning change. (role: Claude OAuth/background routing contributor; confidence: high; commits: b90774ef, 69f34e86, 63a3810b; files: Sources/CodexBarCore/Providers/Claude/ClaudeProviderDescriptor.swift, Sources/CodexBarCore/Providers/Claude/ClaudeUsageFetcher.swift, Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials.swift)
• pdurlej: Related issue history shows this handle supplied Tahoe Control Center visibility diagnostics and the existing guidance path adjacent to the menu-bar repair surface. (role: adjacent Control Center visibility contributor; confidence: medium; commits: e6ea0aec, 8545c76d; files: Sources/CodexBar/MenuBarVisibilityWatcher.swift, Sources/CodexBar/MenuBarStatusItemWindowProbe.swift, Tests/CodexBarTests/MenuBarVisibilityWatcherTests.swift)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[afarwind]

Additional proof/context:

• Reproduced on macOS 26.5.1 with CodexBar 0.37.2.
• CodexBar was running in Activity Monitor, but no CodexBar status item was visible in the menu bar.
• defaults read com.apple.controlcenter showed the hidden status item state stored as:
  • NSStatusItem Visible Item-0 = 0
  • ...
  • NSStatusItem Visible Item-11 = 0
• The existing app-local repair only handled NSStatusItem VisibleCC ..., so it did not cover this actual macOS Control Center state.
• I also verified via UserDefaults(suiteName: "com.apple.controlcenter") that the app can read those NSStatusItem Visible Item-* keys at runtime.
• Launching CodexBar also opened Claude OAuth in Chrome because background app auto refresh could include Claude CLI fallback; if Claude CLI is unauthenticated, starting it can trigger browser login.

Compatibility/risk notes:

• The Control Center repair is still one-shot and scoped to hidden CodexBar/default Item-* status item keys.
• Tests inject separate UserDefaults suites, so they do not touch the real system Control Center defaults.
• Claude CLI remains available for explicit CLI mode, user-initiated refreshes, and CLI runtime usage.

Validation run locally:

• swift test --filter ClaudeSourcePlannerTests
• swift test --filter StatusItemControllerSplitLifecycleTests
• make check

[afarwind]

Follow-up pushed in 88396220 to address the Claude Auto fallback compatibility concern.

Changes:

• Prevent app/background/auto from starting Claude CLI when there are no prompt-free Claude credentials, avoiding unauthenticated CLI browser OAuth startup.
• Preserve existing background Auto CLI fallback when prompt-free Claude credentials are already available.
• Added provider-pipeline coverage for both CLI-only app/background/Auto cases.

Validation:

• swift test --filter ClaudeSourcePlannerTests
• swift test --filter ClaudeBaselineCharacterizationTests
• make check

@clawssweeper re-review