Preserve Claude usage source after login#1971
Conversation
|
Codex review: needs real behavior proof before merge. Reviewed July 7, 2026, 8:21 PM ET / 00:21 UTC. Summary Reproducibility: yes. source-level: current Review metrics: 1 noteworthy metric.
Root-cause cluster Members:
Proposal only: this assessment does not dispatch repair, suppress jobs, mutate sibling items, close, or merge anything. Merge readiness Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch. Rank-up moves:
Proof guidance:
Risk before merge
Maintainer options:
Next step before merge
Maintainer decision needed
Security Review detailsBest possible solution: Land the narrow source-preservation behavior only after a maintainer accepts the current proof as sufficient or provides a redacted completed OAuth/Keychain login transcript. Do we have a high-confidence way to reproduce the issue? Yes, source-level: current Is this the best way to solve the issue? Unclear until maintainer proof acceptance is settled. The code change is a narrow maintainable fix for the fallback-hostile login state, but the auth-provider path still needs either a proof override or a completed redacted OAuth/Keychain transcript. AGENTS.md: found and applied where relevant. Codex review notes: model internal, reasoning high; reviewed against aa401f1d8b74. Label changesLabel justifications:
Evidence reviewedWhat I checked:
Likely related people:
What the crustacean ranks mean
Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics. How this review workflow works
Review history (9 earlier review cycles; latest 8 shown)
|
|
@clawsweeper re-review |
|
🦞🧹 I asked ClawSweeper to review this item again. |
|
Maintainer decision requested. This PR is now scoped to the narrow fix ClawSweeper recommended:
The remaining ClawSweeper blocker is not another code issue. It wants either:
I am not running live Claude/OAuth/Keychain proof unprompted because |
|
Updated the PR body with clean-worktree after-fix proof at Proof added:
@clawsweeper re-review |
|
Added stronger behavior proof in This no longer stops at the policy helper:
Verified: No external fork code was downloaded or used. @clawsweeper re-review |
|
🦞🧹 I asked ClawSweeper to review this item again. |
|
Live proof attempt added to the PR body. What I could verify without exposing secrets:
Live OAuth completion is blocked externally:
So the proof state is now:
@steipete could you accept this as the proof override ClawSweeper asks for, or provide/run a maintainer-side redacted live OAuth transcript? @clawsweeper re-review |
|
Current maintainer action needed after the latest ClawSweeper rerun:
The current branch head is |
Fixes #1970.
Summary
oauth.Current-main verification
steipete/CodexBarmainon 2026-07-07; latest checked SHA:aa401f1d8b7412b6a71abb6d13f57f5efc64d2ad.Sources/CodexBar/Providers/Claude/ClaudeLoginFlow.swiftstill forces.oauthafter successful login on currentmain.SettingsStoreTestsstill expects the default Claude source to be.auto.git merge-treeinto refreshedupstream/mainhas no conflict and leaves the PR scoped to the Claude login source policy, focused test, and Claude docs.Why
CodexBar defaults Claude to Auto, and Auto is the fallback-capable source mode. The login flow currently persists
oauthafter the runner reports success. If OAuth credentials are not readable afterward, that removes the fallback path and can leave the app repeatedly asking for Claude credentials.Preserving the selected source keeps the default setup resilient: default Auto remains Auto, so OAuth can still be preferred when available, but CLI/Web fallback remains available when OAuth is not usable. Explicit source choices remain explicit.
After-fix proof
Verified on 2026-07-07 at PR head
c98779b7b2b03bc95da8fac409492d8a8faa559e(origin/codex/claude-login-auto-source).What the stronger proof covers:
runClaudeLoginFlow()still callsClaudeLoginRunner.run(timeout:onPhaseChange:)unchanged.StatusItemController.runClaudeLoginFlowpost-login code path instead of stopping at the policy helper.SettingsStore,UsageStore, andStatusItemControllerinstances, simulates Claude login phases plus a successful runner result, then asserts:true,loginPhasereturns to.idle,settings.setProviderEnabled, andClaudeUsageDataSourcecase (auto,api,oauth,web,cli) is preserved after successful login.Claude loginwithoutcome=successfor each source, followed byProvider mode updated provider=claude value=auto/api/oauth/web/cli, proving the patched success path leaves the intended source intact.Relevant source anchors:
Sources/CodexBar/Providers/Claude/ClaudeLoginFlow.swiftTests/CodexBarTests/ClaudeLoginFlowPolicyTests.swiftCommand output:
Commands run
swift test --filter ClaudeLoginFlowPolicyTestsswift test --filter ClaudeSourcePlannerTestsswift test --filter ClaudeOAuthTestsmake checkmake test(exits on the existing unrelatedAdaptiveRefreshTimerTests.swift:117failure noted below)Existing unrelated test failures observed
make testfails inAdaptiveRefreshTimerTests.swift:117, testmanual mode performs the initial refresh but no recurring ticks: expected completed refresh count1, got2.swift test --no-parallel --filter AdaptiveRefreshTimerTestsreproduces the same failure outside this PR.swift test --filter SettingsStoreTestsalso fails inSettingsStoreTests.swift:1236, testmenu observation token ignores merged switcher selection churn: expecteddidChange.get()to be false but it was true.swift test --no-parallel --filter "menu observation token ignores merged switcher selection churn"reproduces the same failure.Live-provider proof
Attempted on 2026-07-07 at PR head
c98779b7b2b03bc95da8fac409492d8a8faa559eafter explicit live/browser proof escalation.What could be verified live without exposing credentials:
2.1.201 (Claude Code).claude auth statusreports a realclaude.ailogin withloggedIn: true,apiProvider: firstParty, andsubscriptionType: max(email/org redacted from PR text).Live OAuth login attempt result:
claude auth login --claudeailaunched a real OAuth flow and waited for a code.agent-browserreached Claude/CloudflarePerforming security verificationand could not advance past human verification.Sign in - Claude; completing it would require interactive credentials/human browser verification. The waiting CLI was stopped; no token, cookie, authorization code, or Keychain payload was captured or posted.What this proves:
source: claude).autoinstead of forcingoauth.Remaining proof gap:
Screenshots
Not applicable; this is a provider settings/source policy and docs change with no UI changes.