docs/pr-1848-body.md
Fixes the background browser-launch regression in https://github.com/steipete/CodexBar/issues/1844: when Claude Code stores only MCP OAuth state in Claude Code-credentials (no claudeAiOauth), CodexBar no longer runs background delegated claude /status refresh—which can launch the default browser via /usr/bin/open.
Scope: fail-closed safety guard for both keychain readers. Discovery of Claude Code 2.1.x's primary OAuth storage location remains tracked by https://github.com/steipete/CodexBar/issues/1823.
On Claude Code 2.1.x, the Claude Code-credentials keychain item may contain only mcpOAuth. CodexBar then fails to parse Claude OAuth credentials, treats the session as expired, and may periodically attempt delegated CLI refresh. That path can open the user's default browser from the background.
Contributing issues on main:
ClaudeOAuthKeychainPromptPreference.current(), which becomes .always when the experimental security CLI reader is active—so onlyOnUserAction did not suppress background repair.claude /status even when the keychain shape could not succeed.securityCLIExperimental). Background refresh with onlyOnUserAction fails closed with existing user-action guidance instead of calling claude /status.ClaudeOAuthCredentialsError.mcpOAuthOnlyKeychain, skip delegated CLI touch, and fail fast during expired Claude CLI credential load.readRawClaudeKeychainPayloadViaSecurityCLIIfEnabled vs parsed credential load./usr/bin/security reader can target a disposable keychain only while all general keychain access is disabled. Scripts/verify_1844_live.sh combines that keychain with disposable HOME, CFFIXED_USER_HOME, credentials, config, and a synthetic claude fixture that distinguishes benign CLI discovery from /status touch.docs/verify-1844-proof.mdCodexBar.app and packaged CodexBarCLI isolated live proofmake check, 45-shard make test, and autoreview on the local portmake check
swift test --filter ClaudeOAuthTests
swift test --filter ClaudeUsageTests
swift test --filter ClaudeOAuthDelegatedRefreshCoordinatorTests
swift test --filter 'expired claude CLI owner blocks background'
swift test --filter ClaudeOAuthCredentialsStoreMCPOnlyGuardTests
./Scripts/verify_1844_live.sh
Fixes https://github.com/steipete/CodexBar/issues/1844. Primary OAuth storage discovery remains tracked by https://github.com/steipete/CodexBar/issues/1823.