Stop background Claude keychain discovery#2137
Conversation
|
Codex review: needs real behavior proof before merge. Reviewed July 13, 2026, 8:35 PM ET / July 14, 2026, 00:35 UTC. Summary Reproducibility: no. there is not yet a high-confidence live reproduction in the PR. The linked screenshot and current source identify a credible background Security.framework path, but the contributor explicitly avoided a real Keychain read and supplied no affected-Mac before/after proof. Review metrics: none identified. Root-cause cluster Members:
Proposal only: this assessment does not dispatch repair, suppress jobs, mutate sibling items, close, or merge anything. Merge readiness Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch. Rank-up moves:
Proof guidance:
Risk before merge
Maintainer options:
Next step before merge
Security Review detailsBest possible solution: Land the interaction-aware guard after a redacted affected-Mac recording or runtime transcript shows background refresh remains prompt-free and an explicit Refresh still discovers the MCP-only credential under the same configuration. Do we have a high-confidence way to reproduce the issue? No, there is not yet a high-confidence live reproduction in the PR. The linked screenshot and current source identify a credible background Security.framework path, but the contributor explicitly avoided a real Keychain read and supplied no affected-Mac before/after proof. Is this the best way to solve the issue? Yes, provisionally: gating the MCP-only detector immediately before the Security.framework read is the narrowest way to honor the existing interaction policy while preserving explicit and opt-in discovery. Real macOS proof is still required before merge. AGENTS.md: found and applied where relevant. Codex review notes: model internal, reasoning high; reviewed against 315ff65f7b2a. Label changesLabel changes:
Label justifications:
Evidence reviewedWhat I checked:
Likely related people:
What the crustacean ranks mean
Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics. How this review workflow works
|
Summary
Claude Code-credentialsthrough Security.framework when the prompt policy isonlyOnUserActionalwayspolicyRoot cause
The MCP-only payload detector bypassed the normal Claude prompt-policy gate and issued a Security.framework “no UI” read during background availability checks. Legacy Keychain ACLs can still display the macOS password dialog for these reads, causing recurring prompts even though the call was marked non-interactive.
Fixes #2115.
User impact
Background refreshes no longer touch the Claude Code Keychain item under the default
onlyOnUserActionpolicy. Explicit refreshes can still inspect it when needed.Validation
swift test --filter ClaudeOAuthCredentialsStoreMCPOnlyGuardTestsmake checkmake test(blocked by an unrelated current-mainAdaptiveRefreshTimerTestsbaseline failure: “manual mode performs the initial refresh but no recurring ticks” observes 2 refreshes instead of 1; reproduced when running that suite alone)No live Keychain read was used for validation.