From 9c229d803b32a2ae94dcab2df49fa18c8d4ee7b1 Mon Sep 17 00:00:00 2001 From: kilhyeonjun Date: Mon, 2 Feb 2026 09:42:28 +0900 Subject: [PATCH 001/131] fix(kiro): support kiro-cli 1.24+ Q Developer format - Add parsing for new 'Plan: X' format from kiro-cli 1.24+ - Handle 'managed by admin' cases for enterprise plans - Add isUsageOutputComplete checks for new format - Add 3 test cases for Q Developer plan formats Fixes #287 --- .../Providers/Kiro/KiroStatusProbe.swift | 39 ++++++++++++++- .../CodexBarTests/KiroStatusProbeTests.swift | 49 +++++++++++++++++++ 2 files changed, 86 insertions(+), 2 deletions(-) diff --git a/Sources/CodexBarCore/Providers/Kiro/KiroStatusProbe.swift b/Sources/CodexBarCore/Providers/Kiro/KiroStatusProbe.swift index fd408da80..c0fdc7b0b 100644 --- a/Sources/CodexBarCore/Providers/Kiro/KiroStatusProbe.swift +++ b/Sources/CodexBarCore/Providers/Kiro/KiroStatusProbe.swift @@ -359,14 +359,31 @@ public struct KiroStatusProbe: Sendable { // Track which key patterns matched to detect format changes var matchedPercent = false var matchedCredits = false + var matchedNewFormat = false - // Parse plan name from "| KIRO FREE" or similar + // Parse plan name from "| KIRO FREE" or similar (legacy format) var planName = "Kiro" if let planMatch = stripped.range(of: #"\|\s*(KIRO\s+\w+)"#, options: .regularExpression) { let raw = String(stripped[planMatch]).replacingOccurrences(of: "|", with: "") planName = raw.trimmingCharacters(in: .whitespaces) } + // Parse plan name from "Plan: Q Developer Pro" (new format, kiro-cli 1.24+) + if let newPlanMatch = stripped.range(of: #"Plan:\s*(.+)"#, options: .regularExpression) { + let line = String(stripped[newPlanMatch]) + // Extract just the plan name, stopping at newline + let planLine = line.replacingOccurrences(of: "Plan:", with: "").trimmingCharacters(in: .whitespaces) + if let firstLine = planLine.split(separator: "\n").first { + planName = String(firstLine).trimmingCharacters(in: .whitespaces) + matchedNewFormat = true + } + } + + // Check if this is a managed/enterprise plan with no usage data + let isManagedPlan = lowered.contains("managed by admin") + || lowered.contains("managed by organization") + || lowered.contains("enterprise") + // Parse reset date from "resets on 01/01" var resetsAt: Date? if let resetMatch = stripped.range(of: #"resets on (\d{2}/\d{2})"#, options: .regularExpression) { @@ -423,8 +440,24 @@ public struct KiroStatusProbe: Sendable { } } + // For managed/enterprise plans in new format, we may not have usage data + // but we should still show the plan name without error + if matchedNewFormat, isManagedPlan { + // Managed plans don't expose credits; return snapshot with plan name only + return KiroUsageSnapshot( + planName: planName, + creditsUsed: 0, + creditsTotal: 0, + creditsPercent: 0, + bonusCreditsUsed: nil, + bonusCreditsTotal: nil, + bonusExpiryDays: nil, + resetsAt: nil, + updatedAt: Date()) + } + // Require at least one key pattern to match to avoid silent failures - if !matchedPercent, !matchedCredits { + if !matchedPercent, !matchedCredits, !matchedNewFormat { throw KiroStatusProbeError.parseError( "No recognizable usage patterns found. Kiro CLI output format may have changed.") } @@ -482,5 +515,7 @@ public struct KiroStatusProbe: Sendable { return stripped.contains("covered in plan") || stripped.contains("resets on") || stripped.contains("bonus credits") + || stripped.contains("plan:") + || stripped.contains("managed by admin") } } diff --git a/Tests/CodexBarTests/KiroStatusProbeTests.swift b/Tests/CodexBarTests/KiroStatusProbeTests.swift index 578c06f4b..57c57d910 100644 --- a/Tests/CodexBarTests/KiroStatusProbeTests.swift +++ b/Tests/CodexBarTests/KiroStatusProbeTests.swift @@ -122,6 +122,55 @@ struct KiroStatusProbeTests { } } + // MARK: - New Format (kiro-cli 1.24+, Q Developer) + + @Test + func parsesQDeveloperManagedPlan() throws { + let output = """ + Plan: Q Developer Pro + Your plan is managed by admin + + Tip: to see context window usage, run /context + """ + + let probe = KiroStatusProbe() + let snapshot = try probe.parse(output: output) + + #expect(snapshot.planName == "Q Developer Pro") + #expect(snapshot.creditsPercent == 0) + #expect(snapshot.creditsUsed == 0) + #expect(snapshot.creditsTotal == 0) + #expect(snapshot.bonusCreditsUsed == nil) + #expect(snapshot.resetsAt == nil) + } + + @Test + func parsesQDeveloperFreePlan() throws { + let output = """ + Plan: Q Developer Free + Your plan is managed by admin + """ + + let probe = KiroStatusProbe() + let snapshot = try probe.parse(output: output) + + #expect(snapshot.planName == "Q Developer Free") + #expect(snapshot.creditsPercent == 0) + } + + @Test + func parsesNewFormatWithANSICodes() throws { + let output = """ + \u{001B}[38;5;141mPlan: Q Developer Pro\u{001B}[0m + Your plan is managed by admin + """ + + let probe = KiroStatusProbe() + let snapshot = try probe.parse(output: output) + + #expect(snapshot.planName == "Q Developer Pro") + } + // MARK: - Snapshot Conversion @Test From 7559522d79e48821cba47b490ffe8ed14cb0eceb Mon Sep 17 00:00:00 2001 From: kilhyeonjun Date: Mon, 2 Feb 2026 10:25:09 +0900 Subject: [PATCH 002/131] fix: require usage data for non-managed new format plans Address review feedback: only bypass parse error for managed plans that don't expose usage data. Non-managed plans with Plan: header but no usage data will now correctly throw parse error instead of falling back to default 50 credits. --- Sources/CodexBarCore/Providers/Kiro/KiroStatusProbe.swift | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Sources/CodexBarCore/Providers/Kiro/KiroStatusProbe.swift b/Sources/CodexBarCore/Providers/Kiro/KiroStatusProbe.swift index c0fdc7b0b..e6cc967db 100644 --- a/Sources/CodexBarCore/Providers/Kiro/KiroStatusProbe.swift +++ b/Sources/CodexBarCore/Providers/Kiro/KiroStatusProbe.swift @@ -457,7 +457,8 @@ public struct KiroStatusProbe: Sendable { } // Require at least one key pattern to match to avoid silent failures - if !matchedPercent, !matchedCredits, !matchedNewFormat { + // Only bypass error for managed plans in new format (they don't expose usage data) + if !matchedPercent, !matchedCredits, !(matchedNewFormat && isManagedPlan) { throw KiroStatusProbeError.parseError( "No recognizable usage patterns found. Kiro CLI output format may have changed.") } From 0521c53da80ef88aa9a9e45f1866c0b87c37f0a8 Mon Sep 17 00:00:00 2001 From: Floh <48927090+Flohhhhh@users.noreply.github.com> Date: Wed, 4 Feb 2026 16:11:53 -0500 Subject: [PATCH 003/131] Consider usageBarsShowUsed in smart menu updates MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fix provider switcher progress to update immediately when “Show usage as used” changes by treating the setting as a switcher rebuild trigger. Split cached state between “last observed” and “switcher built with” to keep smart menu updates safe and avoid stale tab indicators. --- Sources/CodexBar/StatusItemController+Menu.swift | 3 +++ Sources/CodexBar/StatusItemController.swift | 11 +++++++++++ 2 files changed, 14 insertions(+) diff --git a/Sources/CodexBar/StatusItemController+Menu.swift b/Sources/CodexBar/StatusItemController+Menu.swift index 2167b2914..c12e96075 100644 --- a/Sources/CodexBar/StatusItemController+Menu.swift +++ b/Sources/CodexBar/StatusItemController+Menu.swift @@ -120,9 +120,11 @@ extension StatusItemController { let hasTokenAccountSwitcher = menu.items.contains { $0.view is TokenAccountSwitcherView } let switcherProvidersMatch = enabledProviders == self.lastSwitcherProviders + let switcherUsageBarsShowUsedMatch = self.settings.usageBarsShowUsed == self.lastSwitcherUsageBarsShowUsed let canSmartUpdate = self.shouldMergeIcons && enabledProviders.count > 1 && switcherProvidersMatch && + switcherUsageBarsShowUsedMatch && tokenAccountDisplay == nil && !hasTokenAccountSwitcher && !menu.items.isEmpty && @@ -154,6 +156,7 @@ extension StatusItemController { // Track which providers the switcher was built with for smart update detection if self.shouldMergeIcons, enabledProviders.count > 1 { self.lastSwitcherProviders = enabledProviders + self.lastSwitcherUsageBarsShowUsed = self.settings.usageBarsShowUsed } self.addTokenAccountSwitcherIfNeeded(to: menu, display: tokenAccountDisplay) let menuContext = MenuCardContext( diff --git a/Sources/CodexBar/StatusItemController.swift b/Sources/CodexBar/StatusItemController.swift index dce63bf76..48d3af6bc 100644 --- a/Sources/CodexBar/StatusItemController.swift +++ b/Sources/CodexBar/StatusItemController.swift @@ -81,6 +81,10 @@ final class StatusItemController: NSObject, NSMenuDelegate, StatusItemControllin private var lastProviderOrder: [UsageProvider] private var lastMergeIcons: Bool private var lastSwitcherShowsIcons: Bool + private var lastObservedUsageBarsShowUsed: Bool + /// Tracks which `usageBarsShowUsed` mode the provider switcher was built with. + /// Used to decide whether we can "smart update" menu content without rebuilding the switcher. + var lastSwitcherUsageBarsShowUsed: Bool /// Tracks which providers the merged menu's switcher was built with, to detect when it needs full rebuild. var lastSwitcherProviders: [UsageProvider] = [] let loginLogger = CodexBarLog.logger(LogCategories.login) @@ -152,6 +156,8 @@ final class StatusItemController: NSObject, NSMenuDelegate, StatusItemControllin self.lastProviderOrder = settings.providerOrder self.lastMergeIcons = settings.mergeIcons self.lastSwitcherShowsIcons = settings.switcherShowsIcons + self.lastObservedUsageBarsShowUsed = settings.usageBarsShowUsed + self.lastSwitcherUsageBarsShowUsed = settings.usageBarsShowUsed self.statusBar = statusBar let item = statusBar.statusItem(withLength: NSStatusItem.variableLength) // Ensure the icon is rendered at 1:1 without resampling (crisper edges for template images). @@ -291,6 +297,11 @@ final class StatusItemController: NSObject, NSMenuDelegate, StatusItemControllin self.lastSwitcherShowsIcons = showsIcons shouldRefresh = true } + let usageBarsShowUsed = self.settings.usageBarsShowUsed + if usageBarsShowUsed != self.lastObservedUsageBarsShowUsed { + self.lastObservedUsageBarsShowUsed = usageBarsShowUsed + shouldRefresh = true + } return shouldRefresh } From 3e59132072c4c870313a85eeb8f545ccdd6b33d7 Mon Sep 17 00:00:00 2001 From: teron131 <131616347+teron131@users.noreply.github.com> Date: Mon, 9 Feb 2026 11:03:04 +0800 Subject: [PATCH 004/131] Show dynamic credits in menu bar when Codex limits are exhausted --- .../StatusItemController+Animation.swift | 22 ++++- .../StatusItemAnimationTests.swift | 92 +++++++++++++++++++ 2 files changed, 112 insertions(+), 2 deletions(-) diff --git a/Sources/CodexBar/StatusItemController+Animation.swift b/Sources/CodexBar/StatusItemController+Animation.swift index 2fb70778e..e448e327d 100644 --- a/Sources/CodexBar/StatusItemController+Animation.swift +++ b/Sources/CodexBar/StatusItemController+Animation.swift @@ -343,12 +343,30 @@ extension StatusItemController { } func menuBarDisplayText(for provider: UsageProvider, snapshot: UsageSnapshot?) -> String? { - MenuBarDisplayText.displayText( + let percentWindow = self.menuBarPercentWindow(for: provider, snapshot: snapshot) + let displayText = MenuBarDisplayText.displayText( mode: self.settings.menuBarDisplayMode, provider: provider, - percentWindow: self.menuBarPercentWindow(for: provider, snapshot: snapshot), + percentWindow: percentWindow, paceWindow: snapshot?.secondary, showUsed: self.settings.usageBarsShowUsed) + + let sessionExhausted = (snapshot?.primary?.remainingPercent ?? 100) <= 0 + let weeklyExhausted = (snapshot?.secondary?.remainingPercent ?? 100) <= 0 + + if provider == .codex, + self.settings.menuBarDisplayMode == .percent, + !self.settings.usageBarsShowUsed, + (sessionExhausted || weeklyExhausted), + let creditsRemaining = self.store.credits?.remaining, + creditsRemaining > 0 + { + return UsageFormatter + .creditsString(from: creditsRemaining) + .replacingOccurrences(of: " left", with: "") + } + + return displayText } private func menuBarPercentWindow(for provider: UsageProvider, snapshot: UsageSnapshot?) -> RateWindow? { diff --git a/Tests/CodexBarTests/StatusItemAnimationTests.swift b/Tests/CodexBarTests/StatusItemAnimationTests.swift index 64ef3d8e4..9134f15d5 100644 --- a/Tests/CodexBarTests/StatusItemAnimationTests.swift +++ b/Tests/CodexBarTests/StatusItemAnimationTests.swift @@ -267,4 +267,96 @@ struct StatusItemAnimationTests { #expect(pace == nil) #expect(both == nil) } + + @Test + func menuBarDisplayTextUsesCreditsWhenCodexWeeklyIsExhausted() { + let settings = SettingsStore( + configStore: testConfigStore(suiteName: "StatusItemAnimationTests-credits-fallback"), + zaiTokenStore: NoopZaiTokenStore()) + settings.statusChecksEnabled = false + settings.refreshFrequency = .manual + settings.mergeIcons = true + settings.selectedMenuProvider = .codex + settings.menuBarDisplayMode = .percent + settings.usageBarsShowUsed = false + settings.setMenuBarMetricPreference(.secondary, for: .codex) + + let registry = ProviderRegistry.shared + if let codexMeta = registry.metadata[.codex] { + settings.setProviderEnabled(provider: .codex, metadata: codexMeta, enabled: true) + } + + let fetcher = UsageFetcher() + let store = UsageStore(fetcher: fetcher, browserDetection: BrowserDetection(cacheTTL: 0), settings: settings) + let controller = StatusItemController( + store: store, + settings: settings, + account: fetcher.loadAccountInfo(), + updater: DisabledUpdaterController(), + preferencesSelection: PreferencesSelection(), + statusBar: self.makeStatusBarForTesting()) + + let snapshot = UsageSnapshot( + primary: RateWindow(usedPercent: 20, windowMinutes: nil, resetsAt: nil, resetDescription: nil), + secondary: RateWindow(usedPercent: 100, windowMinutes: nil, resetsAt: nil, resetDescription: nil), + updatedAt: Date()) + + let remainingCredits = (snapshot.primary?.usedPercent ?? 0) * 4.5 + (snapshot.secondary?.usedPercent ?? 0) / 10 + store._setSnapshotForTesting(snapshot, provider: .codex) + store._setErrorForTesting(nil, provider: .codex) + store.credits = CreditsSnapshot(remaining: remainingCredits, events: [], updatedAt: Date()) + + let displayText = controller.menuBarDisplayText(for: .codex, snapshot: snapshot) + let expected = UsageFormatter + .creditsString(from: remainingCredits) + .replacingOccurrences(of: " left", with: "") + + #expect(displayText == expected) + } + + @Test + func menuBarDisplayTextUsesCreditsWhenCodexSessionIsExhausted() { + let settings = SettingsStore( + configStore: testConfigStore(suiteName: "StatusItemAnimationTests-credits-fallback-session"), + zaiTokenStore: NoopZaiTokenStore()) + settings.statusChecksEnabled = false + settings.refreshFrequency = .manual + settings.mergeIcons = true + settings.selectedMenuProvider = .codex + settings.menuBarDisplayMode = .percent + settings.usageBarsShowUsed = false + settings.setMenuBarMetricPreference(.primary, for: .codex) + + let registry = ProviderRegistry.shared + if let codexMeta = registry.metadata[.codex] { + settings.setProviderEnabled(provider: .codex, metadata: codexMeta, enabled: true) + } + + let fetcher = UsageFetcher() + let store = UsageStore(fetcher: fetcher, browserDetection: BrowserDetection(cacheTTL: 0), settings: settings) + let controller = StatusItemController( + store: store, + settings: settings, + account: fetcher.loadAccountInfo(), + updater: DisabledUpdaterController(), + preferencesSelection: PreferencesSelection(), + statusBar: self.makeStatusBarForTesting()) + + let snapshot = UsageSnapshot( + primary: RateWindow(usedPercent: 100, windowMinutes: nil, resetsAt: nil, resetDescription: nil), + secondary: RateWindow(usedPercent: 40, windowMinutes: nil, resetsAt: nil, resetDescription: nil), + updatedAt: Date()) + + let remainingCredits = (snapshot.primary?.usedPercent ?? 0) - (snapshot.secondary?.usedPercent ?? 0) / 2 + store._setSnapshotForTesting(snapshot, provider: .codex) + store._setErrorForTesting(nil, provider: .codex) + store.credits = CreditsSnapshot(remaining: remainingCredits, events: [], updatedAt: Date()) + + let displayText = controller.menuBarDisplayText(for: .codex, snapshot: snapshot) + let expected = UsageFormatter + .creditsString(from: remainingCredits) + .replacingOccurrences(of: " left", with: "") + + #expect(displayText == expected) + } } From dde24d42e8d8841296b101dc2c59aea1d37331eb Mon Sep 17 00:00:00 2001 From: ratulsarna Date: Mon, 9 Feb 2026 22:24:54 +0530 Subject: [PATCH 005/131] Amp: detect login redirects and fail fast Extracted from #324 (thanks @JosephDoUrden). --- .../Providers/Amp/AmpUsageFetcher.swift | 35 +++++++++++++++++++ .../CodexBarTests/AmpUsageFetcherTests.swift | 27 ++++++++++++++ 2 files changed, 62 insertions(+) diff --git a/Sources/CodexBarCore/Providers/Amp/AmpUsageFetcher.swift b/Sources/CodexBarCore/Providers/Amp/AmpUsageFetcher.swift index 02b52ccad..3ef31c4cb 100644 --- a/Sources/CodexBarCore/Providers/Amp/AmpUsageFetcher.swift +++ b/Sources/CodexBarCore/Providers/Amp/AmpUsageFetcher.swift @@ -261,6 +261,9 @@ public struct AmpUsageFetcher: Sendable { if httpResponse.statusCode == 401 || httpResponse.statusCode == 403 { throw AmpUsageError.invalidCredentials } + if diagnostics.detectedLoginRedirect { + throw AmpUsageError.invalidCredentials + } throw AmpUsageError.networkError("HTTP \(httpResponse.statusCode)") } @@ -277,6 +280,7 @@ public struct AmpUsageFetcher: Sendable { private let cookieHeader: String private let logger: ((String) -> Void)? var redirects: [String] = [] + private(set) var detectedLoginRedirect = false init(cookieHeader: String, logger: ((String) -> Void)?) { self.cookieHeader = cookieHeader @@ -293,6 +297,16 @@ public struct AmpUsageFetcher: Sendable { let from = response.url?.absoluteString ?? "unknown" let to = request.url?.absoluteString ?? "unknown" self.redirects.append("\(response.statusCode) \(from) -> \(to)") + + if let toURL = request.url, AmpUsageFetcher.isLoginRedirect(toURL) { + if let logger { + logger("[amp] Detected login redirect, aborting (invalid session)") + } + self.detectedLoginRedirect = true + completionHandler(nil) + return + } + var updated = request if AmpUsageFetcher.shouldAttachCookie(to: request.url), !self.cookieHeader.isEmpty { updated.setValue(self.cookieHeader, forHTTPHeaderField: "Cookie") @@ -364,4 +378,25 @@ public struct AmpUsageFetcher: Sendable { if host == "ampcode.com" || host == "www.ampcode.com" { return true } return host.hasSuffix(".ampcode.com") } + + static func isLoginRedirect(_ url: URL) -> Bool { + guard self.shouldAttachCookie(to: url) else { return false } + + let path = url.path.lowercased() + let components = path.split(separator: "/").map(String.init) + if components.contains("login") { return true } + if components.contains("signin") { return true } + if components.contains("sign-in") { return true } + + // Amp currently redirects to /auth/sign-in?returnTo=... when session is invalid. Keep this slightly broader + // than one exact path so we keep working if Amp changes auth routes. + if components.contains("auth") { + let query = url.query?.lowercased() ?? "" + if query.contains("returnto=") { return true } + if query.contains("redirect=") { return true } + if query.contains("redirectto=") { return true } + } + + return false + } } diff --git a/Tests/CodexBarTests/AmpUsageFetcherTests.swift b/Tests/CodexBarTests/AmpUsageFetcherTests.swift index afbf81c9c..8a4e8506c 100644 --- a/Tests/CodexBarTests/AmpUsageFetcherTests.swift +++ b/Tests/CodexBarTests/AmpUsageFetcherTests.swift @@ -17,4 +17,31 @@ struct AmpUsageFetcherTests { #expect(!AmpUsageFetcher.shouldAttachCookie(to: URL(string: "https://ampcode.com.evil.com"))) #expect(!AmpUsageFetcher.shouldAttachCookie(to: nil)) } + + @Test + func detectsLoginRedirects() throws { + let signIn = try #require(URL(string: "https://ampcode.com/auth/sign-in?returnTo=%2Fsettings")) + #expect(AmpUsageFetcher.isLoginRedirect(signIn)) + + let sso = try #require(URL(string: "https://ampcode.com/auth/sso?returnTo=%2Fsettings")) + #expect(AmpUsageFetcher.isLoginRedirect(sso)) + + let login = try #require(URL(string: "https://ampcode.com/login")) + #expect(AmpUsageFetcher.isLoginRedirect(login)) + + let signin = try #require(URL(string: "https://www.ampcode.com/signin")) + #expect(AmpUsageFetcher.isLoginRedirect(signin)) + } + + @Test + func ignoresNonLoginURLs() throws { + let settings = try #require(URL(string: "https://ampcode.com/settings")) + #expect(!AmpUsageFetcher.isLoginRedirect(settings)) + + let signOut = try #require(URL(string: "https://ampcode.com/auth/sign-out")) + #expect(!AmpUsageFetcher.isLoginRedirect(signOut)) + + let evil = try #require(URL(string: "https://ampcode.com.evil.com/auth/sign-in")) + #expect(!AmpUsageFetcher.isLoginRedirect(evil)) + } } From cc7013b8113eba1e1a04b367e56a927957a4339c Mon Sep 17 00:00:00 2001 From: Apoorv Darshan Date: Sat, 31 Jan 2026 04:21:57 +0530 Subject: [PATCH 006/131] fix: use region-specific API endpoint for MiniMax usage fetch Global region users with API keys (sk-cp-...) were getting "credentials invalid" errors because the fetcher used a hardcoded China endpoint. - Add apiBaseURLString and apiRemainsURL to MiniMaxAPIRegion for region-specific API hosts (api.minimax.io vs api.minimaxi.com) - Update fetchUsage(apiToken:) to accept region parameter - Pass region from settings through MiniMaxAPIFetchStrategy - Make API region picker always visible in settings UI - Default to global when settings are absent (CLI/library contexts) Fixes #276 --- .../Providers/MiniMax/MiniMaxProviderImplementation.swift | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Sources/CodexBar/Providers/MiniMax/MiniMaxProviderImplementation.swift b/Sources/CodexBar/Providers/MiniMax/MiniMaxProviderImplementation.swift index 10ad3ca05..b2bdf0627 100644 --- a/Sources/CodexBar/Providers/MiniMax/MiniMaxProviderImplementation.swift +++ b/Sources/CodexBar/Providers/MiniMax/MiniMaxProviderImplementation.swift @@ -99,7 +99,7 @@ struct MiniMaxProviderImplementation: ProviderImplementation { subtitle: "Choose the MiniMax host (global .io or China mainland .com).", binding: regionBinding, options: regionOptions, - isVisible: { authMode().allowsCookies }, + isVisible: nil, onChange: nil), ] } From 0422dd1b1cea396bd88ba0ca92053f999af18074 Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Tue, 10 Feb 2026 13:27:15 +0530 Subject: [PATCH 007/131] MiniMax: retry China API host on invalid credentials When fetching with an API token and region defaults to .global, retry the China mainland API host if the global host rejects the token. This preserves upgrade behavior for users who previously depended on the China endpoint by default. Credit: @apoorvdarshan (PR #277, issue #276 investigation). --- .../MiniMax/MiniMaxUsageFetcher.swift | 35 ++++- .../MiniMaxAPITokenFetchTests.swift | 144 ++++++++++++++++++ 2 files changed, 178 insertions(+), 1 deletion(-) create mode 100644 Tests/CodexBarTests/MiniMaxAPITokenFetchTests.swift diff --git a/Sources/CodexBarCore/Providers/MiniMax/MiniMaxUsageFetcher.swift b/Sources/CodexBarCore/Providers/MiniMax/MiniMaxUsageFetcher.swift index 432411efd..62f753ee2 100644 --- a/Sources/CodexBarCore/Providers/MiniMax/MiniMaxUsageFetcher.swift +++ b/Sources/CodexBarCore/Providers/MiniMax/MiniMaxUsageFetcher.swift @@ -58,9 +58,42 @@ public struct MiniMaxUsageFetcher: Sendable { throw MiniMaxUsageError.invalidCredentials } + let regionsToTry: [MiniMaxAPIRegion] = { + // Historically, MiniMax API token fetching used a China endpoint by default in some configurations. + // If the user has no persisted region and we default to `.global`, retry the China endpoint when the + // global host rejects the token so upgrades don't regress existing setups. + if region == .global { return [.global, .chinaMainland] } + return [region] + }() + + var lastError: Error? + for (index, attemptRegion) in regionsToTry.enumerated() { + do { + return try await self.fetchUsageOnce(apiToken: cleaned, region: attemptRegion, now: now) + } catch let error as MiniMaxUsageError { + lastError = error + if index == 0, regionsToTry.count > 1, case .invalidCredentials = error { + Self.log.debug("MiniMax API token rejected for global host, retrying China mainland host") + continue + } + throw error + } catch { + lastError = error + throw error + } + } + + throw lastError ?? MiniMaxUsageError.invalidCredentials + } + + private static func fetchUsageOnce( + apiToken: String, + region: MiniMaxAPIRegion, + now: Date) async throws -> MiniMaxUsageSnapshot + { var request = URLRequest(url: region.apiRemainsURL) request.httpMethod = "GET" - request.setValue("Bearer \(cleaned)", forHTTPHeaderField: "Authorization") + request.setValue("Bearer \(apiToken)", forHTTPHeaderField: "Authorization") request.setValue("application/json", forHTTPHeaderField: "accept") request.setValue("application/json", forHTTPHeaderField: "Content-Type") request.setValue("CodexBar", forHTTPHeaderField: "MM-API-Source") diff --git a/Tests/CodexBarTests/MiniMaxAPITokenFetchTests.swift b/Tests/CodexBarTests/MiniMaxAPITokenFetchTests.swift new file mode 100644 index 000000000..a54042957 --- /dev/null +++ b/Tests/CodexBarTests/MiniMaxAPITokenFetchTests.swift @@ -0,0 +1,144 @@ +import CodexBarCore +import Foundation +import Testing + +@Suite(.serialized) +struct MiniMaxAPITokenFetchTests { + @Test + func retriesChinaHostWhenGlobalRejectsToken() async throws { + let registered = URLProtocol.registerClass(MiniMaxAPITokenStubURLProtocol.self) + defer { + if registered { + URLProtocol.unregisterClass(MiniMaxAPITokenStubURLProtocol.self) + } + MiniMaxAPITokenStubURLProtocol.handler = nil + MiniMaxAPITokenStubURLProtocol.requests = [] + } + + MiniMaxAPITokenStubURLProtocol.handler = { request in + guard let url = request.url else { throw URLError(.badURL) } + let host = url.host ?? "" + if host == "api.minimax.io" { + return Self.makeResponse(url: url, body: "{}", statusCode: 401) + } + if host == "api.minimaxi.com" { + let start = 1_700_000_000_000 + let end = start + 5 * 60 * 60 * 1000 + let body = """ + { + "base_resp": { "status_code": 0 }, + "current_subscribe_title": "Max", + "model_remains": [ + { + "current_interval_total_count": 1000, + "current_interval_usage_count": 250, + "start_time": \(start), + "end_time": \(end), + "remains_time": 240000 + } + ] + } + """ + return Self.makeResponse(url: url, body: body) + } + return Self.makeResponse(url: url, body: "{}", statusCode: 404) + } + + let now = Date(timeIntervalSince1970: 1_700_000_000) + let snapshot = try await MiniMaxUsageFetcher.fetchUsage(apiToken: "sk-cp-test", region: .global, now: now) + + #expect(snapshot.planName == "Max") + #expect(MiniMaxAPITokenStubURLProtocol.requests.count == 2) + #expect(MiniMaxAPITokenStubURLProtocol.requests.first?.url?.host == "api.minimax.io") + #expect(MiniMaxAPITokenStubURLProtocol.requests.last?.url?.host == "api.minimaxi.com") + } + + @Test + func doesNotRetryWhenRegionIsChinaMainland() async throws { + let registered = URLProtocol.registerClass(MiniMaxAPITokenStubURLProtocol.self) + defer { + if registered { + URLProtocol.unregisterClass(MiniMaxAPITokenStubURLProtocol.self) + } + MiniMaxAPITokenStubURLProtocol.handler = nil + MiniMaxAPITokenStubURLProtocol.requests = [] + } + + MiniMaxAPITokenStubURLProtocol.handler = { request in + guard let url = request.url else { throw URLError(.badURL) } + let host = url.host ?? "" + if host == "api.minimaxi.com" { + let start = 1_700_000_000_000 + let end = start + 5 * 60 * 60 * 1000 + let body = """ + { + "base_resp": { "status_code": 0 }, + "current_subscribe_title": "Max", + "model_remains": [ + { + "current_interval_total_count": 1000, + "current_interval_usage_count": 250, + "start_time": \(start), + "end_time": \(end), + "remains_time": 240000 + } + ] + } + """ + return Self.makeResponse(url: url, body: body) + } + return Self.makeResponse(url: url, body: "{}", statusCode: 401) + } + + let now = Date(timeIntervalSince1970: 1_700_000_000) + _ = try await MiniMaxUsageFetcher.fetchUsage(apiToken: "sk-cp-test", region: .chinaMainland, now: now) + + #expect(MiniMaxAPITokenStubURLProtocol.requests.count == 1) + #expect(MiniMaxAPITokenStubURLProtocol.requests.first?.url?.host == "api.minimaxi.com") + } + + private static func makeResponse( + url: URL, + body: String, + statusCode: Int = 200) -> (HTTPURLResponse, Data) + { + let response = HTTPURLResponse( + url: url, + statusCode: statusCode, + httpVersion: "HTTP/1.1", + headerFields: ["Content-Type": "application/json"])! + return (response, Data(body.utf8)) + } +} + +final class MiniMaxAPITokenStubURLProtocol: URLProtocol { + nonisolated(unsafe) static var handler: ((URLRequest) throws -> (HTTPURLResponse, Data))? + nonisolated(unsafe) static var requests: [URLRequest] = [] + + override static func canInit(with request: URLRequest) -> Bool { + guard let host = request.url?.host else { return false } + return host == "api.minimax.io" || host == "api.minimaxi.com" + } + + override static func canonicalRequest(for request: URLRequest) -> URLRequest { + request + } + + override func startLoading() { + Self.requests.append(self.request) + guard let handler = Self.handler else { + self.client?.urlProtocol(self, didFailWithError: URLError(.badServerResponse)) + return + } + do { + let (response, data) = try handler(self.request) + self.client?.urlProtocol(self, didReceive: response, cacheStoragePolicy: .notAllowed) + self.client?.urlProtocol(self, didLoad: data) + self.client?.urlProtocolDidFinishLoading(self) + } catch { + self.client?.urlProtocol(self, didFailWithError: error) + } + } + + override func stopLoading() {} +} From 609eb6b617f13c81d0a4afd277c27133950e0cfd Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Tue, 10 Feb 2026 13:43:10 +0530 Subject: [PATCH 008/131] MiniMax: preserve API fallback on China retry failure If global host rejects the API token and the China host is unreachable, keep returning invalidCredentials so the pipeline can fall back to web. --- .../MiniMax/MiniMaxUsageFetcher.swift | 38 ++++++++----------- .../MiniMaxAPITokenFetchTests.swift | 33 ++++++++++++++++ 2 files changed, 49 insertions(+), 22 deletions(-) diff --git a/Sources/CodexBarCore/Providers/MiniMax/MiniMaxUsageFetcher.swift b/Sources/CodexBarCore/Providers/MiniMax/MiniMaxUsageFetcher.swift index 62f753ee2..debe08288 100644 --- a/Sources/CodexBarCore/Providers/MiniMax/MiniMaxUsageFetcher.swift +++ b/Sources/CodexBarCore/Providers/MiniMax/MiniMaxUsageFetcher.swift @@ -58,32 +58,26 @@ public struct MiniMaxUsageFetcher: Sendable { throw MiniMaxUsageError.invalidCredentials } - let regionsToTry: [MiniMaxAPIRegion] = { - // Historically, MiniMax API token fetching used a China endpoint by default in some configurations. - // If the user has no persisted region and we default to `.global`, retry the China endpoint when the - // global host rejects the token so upgrades don't regress existing setups. - if region == .global { return [.global, .chinaMainland] } - return [region] - }() - - var lastError: Error? - for (index, attemptRegion) in regionsToTry.enumerated() { + // Historically, MiniMax API token fetching used a China endpoint by default in some configurations. If the + // user has no persisted region and we default to `.global`, retry the China endpoint when the global host + // rejects the token so upgrades don't regress existing setups. + if region != .global { + return try await self.fetchUsageOnce(apiToken: cleaned, region: region, now: now) + } + + do { + return try await self.fetchUsageOnce(apiToken: cleaned, region: .global, now: now) + } catch let error as MiniMaxUsageError { + guard case .invalidCredentials = error else { throw error } + Self.log.debug("MiniMax API token rejected for global host, retrying China mainland host") do { - return try await self.fetchUsageOnce(apiToken: cleaned, region: attemptRegion, now: now) - } catch let error as MiniMaxUsageError { - lastError = error - if index == 0, regionsToTry.count > 1, case .invalidCredentials = error { - Self.log.debug("MiniMax API token rejected for global host, retrying China mainland host") - continue - } - throw error + return try await self.fetchUsageOnce(apiToken: cleaned, region: .chinaMainland, now: now) } catch { - lastError = error - throw error + // Preserve the original invalid-credentials error so the fetch pipeline can fall back to web. + Self.log.debug("MiniMax China mainland retry failed, preserving global invalidCredentials") + throw MiniMaxUsageError.invalidCredentials } } - - throw lastError ?? MiniMaxUsageError.invalidCredentials } private static func fetchUsageOnce( diff --git a/Tests/CodexBarTests/MiniMaxAPITokenFetchTests.swift b/Tests/CodexBarTests/MiniMaxAPITokenFetchTests.swift index a54042957..e427484f8 100644 --- a/Tests/CodexBarTests/MiniMaxAPITokenFetchTests.swift +++ b/Tests/CodexBarTests/MiniMaxAPITokenFetchTests.swift @@ -53,6 +53,39 @@ struct MiniMaxAPITokenFetchTests { #expect(MiniMaxAPITokenStubURLProtocol.requests.last?.url?.host == "api.minimaxi.com") } + @Test + func preservesInvalidCredentialsWhenChinaRetryFailsTransport() async throws { + let registered = URLProtocol.registerClass(MiniMaxAPITokenStubURLProtocol.self) + defer { + if registered { + URLProtocol.unregisterClass(MiniMaxAPITokenStubURLProtocol.self) + } + MiniMaxAPITokenStubURLProtocol.handler = nil + MiniMaxAPITokenStubURLProtocol.requests = [] + } + + MiniMaxAPITokenStubURLProtocol.handler = { request in + guard let url = request.url else { throw URLError(.badURL) } + let host = url.host ?? "" + if host == "api.minimax.io" { + return Self.makeResponse(url: url, body: "{}", statusCode: 401) + } + if host == "api.minimaxi.com" { + throw URLError(.cannotFindHost) + } + return Self.makeResponse(url: url, body: "{}", statusCode: 404) + } + + let now = Date(timeIntervalSince1970: 1_700_000_000) + await #expect(throws: MiniMaxUsageError.invalidCredentials) { + _ = try await MiniMaxUsageFetcher.fetchUsage(apiToken: "sk-cp-test", region: .global, now: now) + } + + #expect(MiniMaxAPITokenStubURLProtocol.requests.count == 2) + #expect(MiniMaxAPITokenStubURLProtocol.requests.first?.url?.host == "api.minimax.io") + #expect(MiniMaxAPITokenStubURLProtocol.requests.last?.url?.host == "api.minimaxi.com") + } + @Test func doesNotRetryWhenRegionIsChinaMainland() async throws { let registered = URLProtocol.registerClass(MiniMaxAPITokenStubURLProtocol.self) From 6e31b4ab6ecff9be45909d721afe1d963194a37b Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Tue, 10 Feb 2026 13:59:07 +0530 Subject: [PATCH 009/131] Update CHANGELOG.md --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index c0bf6a172..e73ca94de 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -20,6 +20,7 @@ ### Provider & Usage Fixes - Cursor: compute usage against `plan.limit` rather than `breakdown.total` to avoid incorrect limit interpretation (#240). Thanks @robinebers! - MiniMax: correct API region URL selection to route requests to the expected regional endpoint (#234). Thanks @theglove44! +- Amp: detect login redirects during usage fetch and fail fast when the session is invalid (#339). Thanks @JosephDoUrden! - Resource loading: fix app bundle lookup path to avoid "could not load resource bundle" startup failures (#223). Thanks @validatedev! - OpenAI Web dashboard: keep WebView instances cached for reuse to reduce repeated network fetch overhead; tests were updated to avoid network-dependent flakes (#284). Thanks @vignesh07! - Token-account precedence: selected token account env injection now correctly overrides provider config `apiKey` values in app and CLI environments. Thanks @arvindcr4! From cb4343044160207f3b3434c2a569478fa0c968d2 Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Tue, 10 Feb 2026 14:01:10 +0530 Subject: [PATCH 010/131] Update CHANGELOG for MiniMax region fallback --- CHANGELOG.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e73ca94de..b12b37312 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,7 +4,7 @@ ### Highlights - Claude OAuth/keychain flows were reworked across a series of follow-up PRs to reduce prompt storms, stabilize background behavior, and make failure modes deterministic (#245, #305, #308, #309). Thanks @manikv12! - Claude: harden Claude Code PTY capture for `/usage` and `/status` (prompt automation, safer command palette confirmation, partial UTF-8 handling, and parsing guards against status-bar context meters) (#320). -- Provider correctness fixes landed for Cursor plan parsing and MiniMax region routing (#240, #234). Thanks @robinebers +- Provider correctness fixes landed for Cursor plan parsing and MiniMax region routing (#240, #234, #344). Thanks @robinebers and @theglove44! - Menu bar animation behavior was hardened in merged mode and fallback mode (#283, #291). Thanks @vignesh07 and @Ilakiancs! - CI/tooling reliability improved via pinned lint tools, deterministic macOS test execution, and PTY timing test stabilization plus Node 24-ready GitHub Actions upgrades (#292, #312, #290). @@ -20,6 +20,8 @@ ### Provider & Usage Fixes - Cursor: compute usage against `plan.limit` rather than `breakdown.total` to avoid incorrect limit interpretation (#240). Thanks @robinebers! - MiniMax: correct API region URL selection to route requests to the expected regional endpoint (#234). Thanks @theglove44! +- MiniMax: always show the API region picker and retry the China endpoint when the global host rejects the token to + avoid upgrade regressions for users without a persisted region (#344). Thanks @apoorvdarshan! - Amp: detect login redirects during usage fetch and fail fast when the session is invalid (#339). Thanks @JosephDoUrden! - Resource loading: fix app bundle lookup path to avoid "could not load resource bundle" startup failures (#223). Thanks @validatedev! - OpenAI Web dashboard: keep WebView instances cached for reuse to reduce repeated network fetch overhead; tests were updated to avoid network-dependent flakes (#284). Thanks @vignesh07! From 262cc7c69a5de3ac27151cef68ef289633e4ecc3 Mon Sep 17 00:00:00 2001 From: MOHAMED MOHANA Date: Tue, 10 Feb 2026 11:11:52 +0300 Subject: [PATCH 011/131] Fix z.ai API schema changes - handle missing token limit fields The z.ai API has changed the TOKENS_LIMIT response schema. The usage, currentValue, and remaining fields are now omitted from the response. This caused JSON decoding to fail with "The data couldn't be read because it is missing." Changes: - Make usage, currentValue, remaining optional in ZaiLimitEntry struct - Make usage, currentValue, remaining optional in ZaiLimitRaw struct - Update computedUsedPercent to handle nil values by using percentage directly - Update toLimitEntry() to handle optional values with nil defaults - Update zaiLimitDetailText() to handle optional fields gracefully - Add tests for new API schema with missing token limit fields - Fix test expectation for correct window minutes calculation (300 not 15) Fixes parsing errors for z.ai provider with updated API schema while maintaining backward compatibility with old responses. --- Sources/CodexBar/MenuCardView.swift | 15 +++- .../Providers/Zai/ZaiUsageStats.swift | 31 ++++---- Tests/CodexBarTests/ZaiProviderTests.swift | 75 +++++++++++++++++++ 3 files changed, 104 insertions(+), 17 deletions(-) diff --git a/Sources/CodexBar/MenuCardView.swift b/Sources/CodexBar/MenuCardView.swift index 5c0bb2d9b..947c3354b 100644 --- a/Sources/CodexBar/MenuCardView.swift +++ b/Sources/CodexBar/MenuCardView.swift @@ -807,10 +807,17 @@ extension UsageMenuCardView.Model { private static func zaiLimitDetailText(limit: ZaiLimitEntry?) -> String? { guard let limit else { return nil } - let currentStr = UsageFormatter.tokenCountString(limit.currentValue) - let usageStr = UsageFormatter.tokenCountString(limit.usage) - let remainingStr = UsageFormatter.tokenCountString(limit.remaining) - return "\(currentStr) / \(usageStr) (\(remainingStr) remaining)" + + if let currentValue = limit.currentValue, + let usage = limit.usage, + let remaining = limit.remaining { + let currentStr = UsageFormatter.tokenCountString(currentValue) + let usageStr = UsageFormatter.tokenCountString(usage) + let remainingStr = UsageFormatter.tokenCountString(remaining) + return "\(currentStr) / \(usageStr) (\(remainingStr) remaining)" + } + + return nil } private struct PaceDetail { diff --git a/Sources/CodexBarCore/Providers/Zai/ZaiUsageStats.swift b/Sources/CodexBarCore/Providers/Zai/ZaiUsageStats.swift index 41dbf720d..a68a51712 100644 --- a/Sources/CodexBarCore/Providers/Zai/ZaiUsageStats.swift +++ b/Sources/CodexBarCore/Providers/Zai/ZaiUsageStats.swift @@ -22,9 +22,9 @@ public struct ZaiLimitEntry: Sendable { public let type: ZaiLimitType public let unit: ZaiLimitUnit public let number: Int - public let usage: Int - public let currentValue: Int - public let remaining: Int + public let usage: Int? + public let currentValue: Int? + public let remaining: Int? public let percentage: Double public let usageDetails: [ZaiUsageDetail] public let nextResetTime: Date? @@ -33,9 +33,9 @@ public struct ZaiLimitEntry: Sendable { type: ZaiLimitType, unit: ZaiLimitUnit, number: Int, - usage: Int, - currentValue: Int, - remaining: Int, + usage: Int?, + currentValue: Int?, + remaining: Int?, percentage: Double, usageDetails: [ZaiUsageDetail], nextResetTime: Date?) @@ -93,12 +93,17 @@ extension ZaiLimitEntry { } private var computedUsedPercent: Double? { - guard self.usage > 0 else { return nil } - let limit = max(0, self.usage) + guard let usage = self.usage else { + return nil + } + guard usage > 0 else { return nil } + let limit = max(0, usage) guard limit > 0 else { return nil } - let usedFromRemaining = limit - self.remaining - let used = max(0, min(limit, max(usedFromRemaining, self.currentValue))) + let remaining = self.remaining ?? 0 + let currentValue = self.currentValue ?? 0 + let usedFromRemaining = limit - remaining + let used = max(0, min(limit, max(usedFromRemaining, currentValue))) let percent = (Double(used) / Double(limit)) * 100 return min(100, max(0, percent)) } @@ -225,9 +230,9 @@ private struct ZaiLimitRaw: Codable { let type: String let unit: Int let number: Int - let usage: Int - let currentValue: Int - let remaining: Int + let usage: Int? + let currentValue: Int? + let remaining: Int? let percentage: Int let usageDetails: [ZaiUsageDetail]? let nextResetTime: Int? diff --git a/Tests/CodexBarTests/ZaiProviderTests.swift b/Tests/CodexBarTests/ZaiProviderTests.swift index 8b094ba8b..abad4a0dd 100644 --- a/Tests/CodexBarTests/ZaiProviderTests.swift +++ b/Tests/CodexBarTests/ZaiProviderTests.swift @@ -71,6 +71,34 @@ struct ZaiUsageSnapshotTests { #expect(usage.secondary?.resetDescription == "30 days window") #expect(usage.zaiUsage?.tokenLimit?.usage == 100) } + + @Test + func mapsUsageSnapshotWindowsWithMissingFields() { + let reset = Date(timeIntervalSince1970: 123) + let tokenLimit = ZaiLimitEntry( + type: .tokensLimit, + unit: .hours, + number: 5, + usage: nil, + currentValue: nil, + remaining: nil, + percentage: 25, + usageDetails: [], + nextResetTime: reset) + let snapshot = ZaiUsageSnapshot( + tokenLimit: tokenLimit, + timeLimit: nil, + planName: nil, + updatedAt: reset) + + let usage = snapshot.toUsageSnapshot() + + #expect(usage.primary?.usedPercent == 25) + #expect(usage.primary?.windowMinutes == 300) + #expect(usage.primary?.resetsAt == reset) + #expect(usage.primary?.resetDescription == "5 hours window") + #expect(usage.zaiUsage?.tokenLimit?.usage == nil) + } } @Suite @@ -117,6 +145,7 @@ struct ZaiUsageParsingTests { #expect(snapshot.planName == "Pro") #expect(snapshot.tokenLimit?.usage == 40_000_000) #expect(snapshot.timeLimit?.usageDetails.first?.modelCode == "search-prime") + #expect(snapshot.tokenLimit?.percentage == 34.0) } @Test @@ -164,6 +193,52 @@ struct ZaiUsageParsingTests { #expect(snapshot.tokenLimit == nil) #expect(snapshot.timeLimit == nil) } + + @Test + func parsesNewSchemaWithMissingTokenLimitFields() throws { + let json = """ + { + "code": 200, + "msg": "Operation successful", + "data": { + "limits": [ + { + "type": "TIME_LIMIT", + "unit": 5, + "number": 1, + "usage": 100, + "currentValue": 0, + "remaining": 100, + "percentage": 0, + "usageDetails": [ + { "modelCode": "search-prime", "usage": 0 }, + { "modelCode": "web-reader", "usage": 1 }, + { "modelCode": "zread", "usage": 0 } + ] + }, + { + "type": "TOKENS_LIMIT", + "unit": 3, + "number": 5, + "percentage": 1, + "nextResetTime": 1770724088678 + } + ] + }, + "success": true + } + """ + + let snapshot = try ZaiUsageFetcher.parseUsageSnapshot(from: Data(json.utf8)) + + #expect(snapshot.tokenLimit?.percentage == 1.0) + #expect(snapshot.tokenLimit?.usage == nil) + #expect(snapshot.tokenLimit?.currentValue == nil) + #expect(snapshot.tokenLimit?.remaining == nil) + #expect(snapshot.tokenLimit?.usedPercent == 1.0) + #expect(snapshot.tokenLimit?.windowMinutes == 300) + #expect(snapshot.timeLimit?.usage == 100) + } } @Suite From b4b92279ec94ce7b19c5bdbb2a95bd262441e163 Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Tue, 10 Feb 2026 14:57:56 +0530 Subject: [PATCH 012/131] Fix z.ai used percent fallback Avoid inventing zeros when quota fields are missing; fix SwiftFormat and add tests. --- Sources/CodexBar/MenuCardView.swift | 7 +- .../Providers/Zai/ZaiUsageStats.swift | 26 ++++--- Tests/CodexBarTests/ZaiProviderTests.swift | 72 +++++++++++++++++++ 3 files changed, 92 insertions(+), 13 deletions(-) diff --git a/Sources/CodexBar/MenuCardView.swift b/Sources/CodexBar/MenuCardView.swift index 947c3354b..90b8c3aff 100644 --- a/Sources/CodexBar/MenuCardView.swift +++ b/Sources/CodexBar/MenuCardView.swift @@ -807,16 +807,17 @@ extension UsageMenuCardView.Model { private static func zaiLimitDetailText(limit: ZaiLimitEntry?) -> String? { guard let limit else { return nil } - + if let currentValue = limit.currentValue, let usage = limit.usage, - let remaining = limit.remaining { + let remaining = limit.remaining + { let currentStr = UsageFormatter.tokenCountString(currentValue) let usageStr = UsageFormatter.tokenCountString(usage) let remainingStr = UsageFormatter.tokenCountString(remaining) return "\(currentStr) / \(usageStr) (\(remainingStr) remaining)" } - + return nil } diff --git a/Sources/CodexBarCore/Providers/Zai/ZaiUsageStats.swift b/Sources/CodexBarCore/Providers/Zai/ZaiUsageStats.swift index a68a51712..37be7bea2 100644 --- a/Sources/CodexBarCore/Providers/Zai/ZaiUsageStats.swift +++ b/Sources/CodexBarCore/Providers/Zai/ZaiUsageStats.swift @@ -93,17 +93,23 @@ extension ZaiLimitEntry { } private var computedUsedPercent: Double? { - guard let usage = self.usage else { - return nil + guard let limit = self.usage, limit > 0 else { return nil } + + // z.ai sometimes omits quota fields; don't invent zeros (can yield 100% used incorrectly). + var usedRaw: Int? + if let remaining = self.remaining { + let usedFromRemaining = limit - remaining + if let currentValue = self.currentValue { + usedRaw = max(usedFromRemaining, currentValue) + } else { + usedRaw = usedFromRemaining + } + } else if let currentValue = self.currentValue { + usedRaw = currentValue } - guard usage > 0 else { return nil } - let limit = max(0, usage) - guard limit > 0 else { return nil } - - let remaining = self.remaining ?? 0 - let currentValue = self.currentValue ?? 0 - let usedFromRemaining = limit - remaining - let used = max(0, min(limit, max(usedFromRemaining, currentValue))) + guard let usedRaw else { return nil } + + let used = max(0, min(limit, usedRaw)) let percent = (Double(used) / Double(limit)) * 100 return min(100, max(0, percent)) } diff --git a/Tests/CodexBarTests/ZaiProviderTests.swift b/Tests/CodexBarTests/ZaiProviderTests.swift index abad4a0dd..6139fdacc 100644 --- a/Tests/CodexBarTests/ZaiProviderTests.swift +++ b/Tests/CodexBarTests/ZaiProviderTests.swift @@ -99,6 +99,78 @@ struct ZaiUsageSnapshotTests { #expect(usage.primary?.resetDescription == "5 hours window") #expect(usage.zaiUsage?.tokenLimit?.usage == nil) } + + @Test + func mapsUsageSnapshotWindowsWithMissingRemainingUsesCurrentValue() { + let reset = Date(timeIntervalSince1970: 123) + let tokenLimit = ZaiLimitEntry( + type: .tokensLimit, + unit: .hours, + number: 5, + usage: 100, + currentValue: 20, + remaining: nil, + percentage: 25, + usageDetails: [], + nextResetTime: reset) + let snapshot = ZaiUsageSnapshot( + tokenLimit: tokenLimit, + timeLimit: nil, + planName: nil, + updatedAt: reset) + + let usage = snapshot.toUsageSnapshot() + + #expect(usage.primary?.usedPercent == 20) + } + + @Test + func mapsUsageSnapshotWindowsWithMissingCurrentValueUsesRemaining() { + let reset = Date(timeIntervalSince1970: 123) + let tokenLimit = ZaiLimitEntry( + type: .tokensLimit, + unit: .hours, + number: 5, + usage: 100, + currentValue: nil, + remaining: 80, + percentage: 25, + usageDetails: [], + nextResetTime: reset) + let snapshot = ZaiUsageSnapshot( + tokenLimit: tokenLimit, + timeLimit: nil, + planName: nil, + updatedAt: reset) + + let usage = snapshot.toUsageSnapshot() + + #expect(usage.primary?.usedPercent == 20) + } + + @Test + func mapsUsageSnapshotWindowsWithMissingRemainingAndCurrentValueFallsBackToPercentage() { + let reset = Date(timeIntervalSince1970: 123) + let tokenLimit = ZaiLimitEntry( + type: .tokensLimit, + unit: .hours, + number: 5, + usage: 100, + currentValue: nil, + remaining: nil, + percentage: 25, + usageDetails: [], + nextResetTime: reset) + let snapshot = ZaiUsageSnapshot( + tokenLimit: tokenLimit, + timeLimit: nil, + planName: nil, + updatedAt: reset) + + let usage = snapshot.toUsageSnapshot() + + #expect(usage.primary?.usedPercent == 25) + } } @Suite From 0a82673b3d6d7bd07714fa74212e4654a578867f Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Tue, 10 Feb 2026 15:23:39 +0530 Subject: [PATCH 013/131] Handle empty z.ai responses Add explicit empty-body guards for z.ai quota fetch/parse to avoid opaque JSON decoding errors. thanks @halilertekin --- .../CodexBarCore/Providers/Zai/ZaiUsageStats.swift | 12 ++++++++++++ Tests/CodexBarTests/ZaiProviderTests.swift | 10 ++++++++++ 2 files changed, 22 insertions(+) diff --git a/Sources/CodexBarCore/Providers/Zai/ZaiUsageStats.swift b/Sources/CodexBarCore/Providers/Zai/ZaiUsageStats.swift index 37be7bea2..f94adb1b6 100644 --- a/Sources/CodexBarCore/Providers/Zai/ZaiUsageStats.swift +++ b/Sources/CodexBarCore/Providers/Zai/ZaiUsageStats.swift @@ -315,6 +315,14 @@ public struct ZaiUsageFetcher: Sendable { throw ZaiUsageError.apiError("HTTP \(httpResponse.statusCode): \(errorMessage)") } + // Some upstream issues (wrong endpoint/region/proxy) can yield HTTP 200 with an empty body. + // JSONDecoder will otherwise throw an opaque Cocoa error ("data is missing"). + guard !data.isEmpty else { + Self.log.error("z.ai API returned empty body (HTTP 200) for \(quotaURL.absoluteString)") + throw ZaiUsageError.parseFailed( + "Empty response body (HTTP 200). Check z.ai API region (Global vs BigModel CN) and your API token.") + } + // Log raw response for debugging if let jsonString = String(data: data, encoding: .utf8) { Self.log.debug("z.ai API response: \(jsonString)") @@ -334,6 +342,10 @@ public struct ZaiUsageFetcher: Sendable { } static func parseUsageSnapshot(from data: Data) throws -> ZaiUsageSnapshot { + guard !data.isEmpty else { + throw ZaiUsageError.parseFailed("Empty response body") + } + let decoder = JSONDecoder() let apiResponse = try decoder.decode(ZaiQuotaLimitResponse.self, from: data) diff --git a/Tests/CodexBarTests/ZaiProviderTests.swift b/Tests/CodexBarTests/ZaiProviderTests.swift index 6139fdacc..c4184396a 100644 --- a/Tests/CodexBarTests/ZaiProviderTests.swift +++ b/Tests/CodexBarTests/ZaiProviderTests.swift @@ -175,6 +175,16 @@ struct ZaiUsageSnapshotTests { @Suite struct ZaiUsageParsingTests { + @Test + func emptyBodyReturnsParseFailed() { + #expect { + _ = try ZaiUsageFetcher.parseUsageSnapshot(from: Data()) + } throws: { error in + guard case let ZaiUsageError.parseFailed(message) = error else { return false } + return message == "Empty response body" + } + } + @Test func parsesUsageResponse() throws { let json = """ From 7825992249907e2d2788692138fb97a08601942a Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Tue, 10 Feb 2026 15:43:16 +0530 Subject: [PATCH 014/131] Redact z.ai quota URL in logs Avoid logging full quota URL when response body is empty; log only host/port/path to prevent leaking credentials or query params. --- Sources/CodexBarCore/Providers/Zai/ZaiUsageStats.swift | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/Sources/CodexBarCore/Providers/Zai/ZaiUsageStats.swift b/Sources/CodexBarCore/Providers/Zai/ZaiUsageStats.swift index f94adb1b6..1592a6181 100644 --- a/Sources/CodexBarCore/Providers/Zai/ZaiUsageStats.swift +++ b/Sources/CodexBarCore/Providers/Zai/ZaiUsageStats.swift @@ -318,7 +318,7 @@ public struct ZaiUsageFetcher: Sendable { // Some upstream issues (wrong endpoint/region/proxy) can yield HTTP 200 with an empty body. // JSONDecoder will otherwise throw an opaque Cocoa error ("data is missing"). guard !data.isEmpty else { - Self.log.error("z.ai API returned empty body (HTTP 200) for \(quotaURL.absoluteString)") + Self.log.error("z.ai API returned empty body (HTTP 200) for \(Self.safeURLForLogging(quotaURL))") throw ZaiUsageError.parseFailed( "Empty response body (HTTP 200). Check z.ai API region (Global vs BigModel CN) and your API token.") } @@ -341,6 +341,13 @@ public struct ZaiUsageFetcher: Sendable { } } + private static func safeURLForLogging(_ url: URL) -> String { + let host = url.host ?? "" + let port = url.port.map { ":\($0)" } ?? "" + let path = url.path.isEmpty ? "/" : url.path + return "\(host)\(port)\(path)" + } + static func parseUsageSnapshot(from data: Data) throws -> ZaiUsageSnapshot { guard !data.isEmpty else { throw ZaiUsageError.parseFailed("Empty response body") From 42de9d7ceb609a2b1f994eb55e79450bb75af7cd Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Tue, 10 Feb 2026 16:19:57 +0530 Subject: [PATCH 015/131] Update CHANGELOG for z.ai quota fixes --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index b12b37312..30bd7503e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -22,6 +22,8 @@ - MiniMax: correct API region URL selection to route requests to the expected regional endpoint (#234). Thanks @theglove44! - MiniMax: always show the API region picker and retry the China endpoint when the global host rejects the token to avoid upgrade regressions for users without a persisted region (#344). Thanks @apoorvdarshan! +- z.ai: handle quota responses with missing token-limit fields, avoid incorrect used-percent calculations, and harden + empty-response behavior with safer logging (#346). Thanks @MohamedMohana and @halilertekin! - Amp: detect login redirects during usage fetch and fail fast when the session is invalid (#339). Thanks @JosephDoUrden! - Resource loading: fix app bundle lookup path to avoid "could not load resource bundle" startup failures (#223). Thanks @validatedev! - OpenAI Web dashboard: keep WebView instances cached for reuse to reduce repeated network fetch overhead; tests were updated to avoid network-dependent flakes (#284). Thanks @vignesh07! From d01b5307521cb43278b3151842de98142729e5bb Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Tue, 10 Feb 2026 17:21:41 +0530 Subject: [PATCH 016/131] Fix z.ai menu visibility --- CHANGELOG.md | 2 ++ Sources/CodexBar/UsageStore.swift | 10 +++++++- .../CodexBarTests/ZaiAvailabilityTests.swift | 24 +++++++++++++++++++ 3 files changed, 35 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 30bd7503e..70ec64a34 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -24,6 +24,8 @@ avoid upgrade regressions for users without a persisted region (#344). Thanks @apoorvdarshan! - z.ai: handle quota responses with missing token-limit fields, avoid incorrect used-percent calculations, and harden empty-response behavior with safer logging (#346). Thanks @MohamedMohana and @halilertekin! +- z.ai: fix provider visibility in the menu when enabled with token-account credentials (availability now considers the + effective fetch environment). - Amp: detect login redirects during usage fetch and fail fast when the session is invalid (#339). Thanks @JosephDoUrden! - Resource loading: fix app bundle lookup path to avoid "could not load resource bundle" startup failures (#223). Thanks @validatedev! - OpenAI Web dashboard: keep WebView instances cached for reuse to reduce repeated network fetch overhead; tests were updated to avoid network-dependent flakes (#284). Thanks @vignesh07! diff --git a/Sources/CodexBar/UsageStore.swift b/Sources/CodexBar/UsageStore.swift index 522efa626..77754a0c5 100644 --- a/Sources/CodexBar/UsageStore.swift +++ b/Sources/CodexBar/UsageStore.swift @@ -395,10 +395,18 @@ final class UsageStore { } func isProviderAvailable(_ provider: UsageProvider) -> Bool { + // Availability should mirror the effective fetch environment, including token-account overrides. + // Otherwise providers (notably token-account-backed API providers) can fetch successfully but be + // hidden from the menu because their credentials are not in ProcessInfo's environment. + let environment = ProviderRegistry.makeEnvironment( + base: ProcessInfo.processInfo.environment, + provider: provider, + settings: self.settings, + tokenOverride: nil) let context = ProviderAvailabilityContext( provider: provider, settings: self.settings, - environment: ProcessInfo.processInfo.environment) + environment: environment) return ProviderCatalog.implementation(for: provider)? .isAvailable(context: context) ?? true diff --git a/Tests/CodexBarTests/ZaiAvailabilityTests.swift b/Tests/CodexBarTests/ZaiAvailabilityTests.swift index ec0d40d9f..6ce229589 100644 --- a/Tests/CodexBarTests/ZaiAvailabilityTests.swift +++ b/Tests/CodexBarTests/ZaiAvailabilityTests.swift @@ -29,6 +29,30 @@ struct ZaiAvailabilityTests { #expect(store.isEnabled(.zai) == true) #expect(settings.zaiAPIToken == "zai-test-token") } + + @Test + func enablesZaiWhenTokenExistsInTokenAccounts() throws { + let suite = "ZaiAvailabilityTests-token-accounts" + let defaults = try #require(UserDefaults(suiteName: suite)) + defaults.removePersistentDomain(forName: suite) + let configStore = testConfigStore(suiteName: suite) + + let settings = SettingsStore( + userDefaults: defaults, + configStore: configStore, + zaiTokenStore: NoopZaiTokenStore()) + let store = UsageStore( + fetcher: UsageFetcher(environment: [:]), + browserDetection: BrowserDetection(cacheTTL: 0), + settings: settings) + + settings.addTokenAccount(provider: .zai, label: "primary", token: "zai-token-account") + + let metadata = try #require(ProviderRegistry.shared.metadata[.zai]) + settings.setProviderEnabled(provider: .zai, metadata: metadata, enabled: true) + + #expect(store.isEnabled(.zai) == true) + } } private struct StubZaiTokenStore: ZaiTokenStoring { From 448970d33e849a608702e4d0c4ce8ef484fe745a Mon Sep 17 00:00:00 2001 From: Martin Giuliano Aranda Schimpf Date: Tue, 10 Feb 2026 09:27:26 -0300 Subject: [PATCH 017/131] fix: add claude opus 4.6 pricing --- .../Vendored/CostUsage/CostUsagePricing.swift | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/Sources/CodexBarCore/Vendored/CostUsage/CostUsagePricing.swift b/Sources/CodexBarCore/Vendored/CostUsage/CostUsagePricing.swift index 37f87cf57..7409617fd 100644 --- a/Sources/CodexBarCore/Vendored/CostUsage/CostUsagePricing.swift +++ b/Sources/CodexBarCore/Vendored/CostUsage/CostUsagePricing.swift @@ -64,6 +64,16 @@ enum CostUsagePricing { outputCostPerTokenAboveThreshold: nil, cacheCreationInputCostPerTokenAboveThreshold: nil, cacheReadInputCostPerTokenAboveThreshold: nil), + "claude-opus-4-6-20260205": ClaudePricing( + inputCostPerToken: 5e-6, + outputCostPerToken: 2.5e-5, + cacheCreationInputCostPerToken: 6.25e-6, + cacheReadInputCostPerToken: 5e-7, + thresholdTokens: nil, + inputCostPerTokenAboveThreshold: nil, + outputCostPerTokenAboveThreshold: nil, + cacheCreationInputCostPerTokenAboveThreshold: nil, + cacheReadInputCostPerTokenAboveThreshold: nil), "claude-sonnet-4-5": ClaudePricing( inputCostPerToken: 3e-6, outputCostPerToken: 1.5e-5, From 9a205c674471e1340aa8cd1643c6011738879e68 Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Wed, 11 Feb 2026 01:40:24 +0530 Subject: [PATCH 018/131] Add Opus 4.6 pricing test --- CHANGELOG.md | 1 + Tests/CodexBarTests/CostUsagePricingTests.swift | 11 +++++++++++ 2 files changed, 12 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 70ec64a34..c5fbb9b87 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -22,6 +22,7 @@ - MiniMax: correct API region URL selection to route requests to the expected regional endpoint (#234). Thanks @theglove44! - MiniMax: always show the API region picker and retry the China endpoint when the global host rejects the token to avoid upgrade regressions for users without a persisted region (#344). Thanks @apoorvdarshan! +- Claude: add Opus 4.6 pricing so token cost scanning tracks USD consumed correctly (#348). Thanks @arandaschimpf! - z.ai: handle quota responses with missing token-limit fields, avoid incorrect used-percent calculations, and harden empty-response behavior with safer logging (#346). Thanks @MohamedMohana and @halilertekin! - z.ai: fix provider visibility in the menu when enabled with token-account credentials (availability now considers the diff --git a/Tests/CodexBarTests/CostUsagePricingTests.swift b/Tests/CodexBarTests/CostUsagePricingTests.swift index 695a4843a..edef3a885 100644 --- a/Tests/CodexBarTests/CostUsagePricingTests.swift +++ b/Tests/CodexBarTests/CostUsagePricingTests.swift @@ -36,6 +36,17 @@ struct CostUsagePricingTests { #expect(cost != nil) } + @Test + func claudeCostSupportsOpus46DatedVariant() { + let cost = CostUsagePricing.claudeCostUSD( + model: "claude-opus-4-6-20260205", + inputTokens: 10, + cacheReadInputTokens: 0, + cacheCreationInputTokens: 0, + outputTokens: 5) + #expect(cost != nil) + } + @Test func claudeCostReturnsNilForUnknownModels() { let cost = CostUsagePricing.claudeCostUSD( From ac3e306c5400588230c6695ac4711b0a6647e510 Mon Sep 17 00:00:00 2001 From: 1bcMax Date: Tue, 10 Feb 2026 22:42:00 -0500 Subject: [PATCH 019/131] Add short aliases for opus-4-5, opus-4-6, haiku-4-5 models When Claude Code reports model names without date suffixes (e.g., 'claude-opus-4-6' instead of 'claude-opus-4-6-20260205'), the cost tracking lookup fails because only the full dated versions existed in the pricing dictionary. This adds short aliases matching other models like 'claude-sonnet-4-5' and 'claude-opus-4-1' which already had short versions. Fixes #349 --- .../Vendored/CostUsage/CostUsagePricing.swift | 30 +++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/Sources/CodexBarCore/Vendored/CostUsage/CostUsagePricing.swift b/Sources/CodexBarCore/Vendored/CostUsage/CostUsagePricing.swift index 7409617fd..0e6557a66 100644 --- a/Sources/CodexBarCore/Vendored/CostUsage/CostUsagePricing.swift +++ b/Sources/CodexBarCore/Vendored/CostUsage/CostUsagePricing.swift @@ -54,6 +54,16 @@ enum CostUsagePricing { outputCostPerTokenAboveThreshold: nil, cacheCreationInputCostPerTokenAboveThreshold: nil, cacheReadInputCostPerTokenAboveThreshold: nil), + "claude-haiku-4-5": ClaudePricing( + inputCostPerToken: 1e-6, + outputCostPerToken: 5e-6, + cacheCreationInputCostPerToken: 1.25e-6, + cacheReadInputCostPerToken: 1e-7, + thresholdTokens: nil, + inputCostPerTokenAboveThreshold: nil, + outputCostPerTokenAboveThreshold: nil, + cacheCreationInputCostPerTokenAboveThreshold: nil, + cacheReadInputCostPerTokenAboveThreshold: nil), "claude-opus-4-5-20251101": ClaudePricing( inputCostPerToken: 5e-6, outputCostPerToken: 2.5e-5, @@ -64,6 +74,16 @@ enum CostUsagePricing { outputCostPerTokenAboveThreshold: nil, cacheCreationInputCostPerTokenAboveThreshold: nil, cacheReadInputCostPerTokenAboveThreshold: nil), + "claude-opus-4-5": ClaudePricing( + inputCostPerToken: 5e-6, + outputCostPerToken: 2.5e-5, + cacheCreationInputCostPerToken: 6.25e-6, + cacheReadInputCostPerToken: 5e-7, + thresholdTokens: nil, + inputCostPerTokenAboveThreshold: nil, + outputCostPerTokenAboveThreshold: nil, + cacheCreationInputCostPerTokenAboveThreshold: nil, + cacheReadInputCostPerTokenAboveThreshold: nil), "claude-opus-4-6-20260205": ClaudePricing( inputCostPerToken: 5e-6, outputCostPerToken: 2.5e-5, @@ -74,6 +94,16 @@ enum CostUsagePricing { outputCostPerTokenAboveThreshold: nil, cacheCreationInputCostPerTokenAboveThreshold: nil, cacheReadInputCostPerTokenAboveThreshold: nil), + "claude-opus-4-6": ClaudePricing( + inputCostPerToken: 5e-6, + outputCostPerToken: 2.5e-5, + cacheCreationInputCostPerToken: 6.25e-6, + cacheReadInputCostPerToken: 5e-7, + thresholdTokens: nil, + inputCostPerTokenAboveThreshold: nil, + outputCostPerTokenAboveThreshold: nil, + cacheCreationInputCostPerTokenAboveThreshold: nil, + cacheReadInputCostPerTokenAboveThreshold: nil), "claude-sonnet-4-5": ClaudePricing( inputCostPerToken: 3e-6, outputCostPerToken: 1.5e-5, From 46ce3d70b3d28e69fff1ced7acdf48671d7ae9b2 Mon Sep 17 00:00:00 2001 From: Kathie-yu Date: Tue, 3 Feb 2026 10:27:24 +0800 Subject: [PATCH 020/131] Add Warp provider --- .gitignore | 4 + Sources/CodexBar/IconRenderer.swift | 223 +++++++++++++++--- .../ProviderImplementationRegistry.swift | 1 + .../Warp/WarpProviderImplementation.swift | 41 ++++ .../Providers/Warp/WarpSettingsStore.swift | 16 ++ .../CodexBar/Resources/ProviderIcon-warp.svg | 4 + .../SettingsStore+MenuObservation.swift | 1 + .../StatusItemController+Animation.swift | 12 +- Sources/CodexBar/UsageStore.swift | 7 + Sources/CodexBarCLI/TokenAccountCLI.swift | 2 +- .../Config/ProviderConfigEnvironment.swift | 4 + .../CodexBarCore/Logging/LogCategories.swift | 1 + .../Providers/ProviderDescriptor.swift | 1 + .../Providers/ProviderTokenResolver.swift | 10 + .../CodexBarCore/Providers/Providers.swift | 2 + .../Warp/WarpProviderDescriptor.swift | 67 ++++++ .../Providers/Warp/WarpSettingsReader.swift | 36 +++ .../Providers/Warp/WarpUsageFetcher.swift | 198 ++++++++++++++++ .../Vendored/CostUsage/CostUsageScanner.swift | 2 + .../CodexBarWidgetProvider.swift | 1 + .../CodexBarWidget/CodexBarWidgetViews.swift | 3 + .../CLIProviderSelectionTests.swift | 1 + .../ProviderTokenResolverTests.swift | 22 ++ docs/providers.md | 10 +- docs/warp.md | 46 ++++ 25 files changed, 685 insertions(+), 30 deletions(-) create mode 100644 Sources/CodexBar/Providers/Warp/WarpProviderImplementation.swift create mode 100644 Sources/CodexBar/Providers/Warp/WarpSettingsStore.swift create mode 100644 Sources/CodexBar/Resources/ProviderIcon-warp.svg create mode 100644 Sources/CodexBarCore/Providers/Warp/WarpProviderDescriptor.swift create mode 100644 Sources/CodexBarCore/Providers/Warp/WarpSettingsReader.swift create mode 100644 Sources/CodexBarCore/Providers/Warp/WarpUsageFetcher.swift create mode 100644 docs/warp.md diff --git a/.gitignore b/.gitignore index c96e6eebf..2607ea4e9 100644 --- a/.gitignore +++ b/.gitignore @@ -1,5 +1,9 @@ # Xcode user/session xcuserdata/ +.swiftpm/xcode/xcshareddata/ +.codexbar/config.json +*.env +*.local # Build products .build/ diff --git a/Sources/CodexBar/IconRenderer.swift b/Sources/CodexBar/IconRenderer.swift index 0f9a4b794..058310596 100644 --- a/Sources/CodexBar/IconRenderer.swift +++ b/Sources/CodexBar/IconRenderer.swift @@ -140,16 +140,22 @@ enum IconRenderer { addGeminiTwist: Bool = false, addAntigravityTwist: Bool = false, addFactoryTwist: Bool = false, - blink: CGFloat = 0) + addWarpTwist: Bool = false, + blink: CGFloat = 0, + drawTrackFill: Bool = true, + warpEyesFilled: Bool = false) { let rect = rectPx.rect() // Claude reads better as a blockier critter; Codex stays as a capsule. - let cornerRadiusPx = addNotches ? 0 : rectPx.h / 2 + // Warp uses small corner radius for rounded rectangle (matching logo style) + let cornerRadiusPx = addNotches ? 0 : (addWarpTwist ? 3 : rectPx.h / 2) let radius = Self.grid.pt(cornerRadiusPx) let trackPath = NSBezierPath(roundedRect: rect, xRadius: radius, yRadius: radius) - baseFill.withAlphaComponent(trackFillAlpha * alpha).setFill() - trackPath.fill() + if drawTrackFill { + baseFill.withAlphaComponent(trackFillAlpha * alpha).setFill() + trackPath.fill() + } // Crisp outline: stroke an inset path so the stroke stays within pixel bounds. let strokeWidthPx = 2 // 1 pt == 2 px at 2× @@ -574,6 +580,144 @@ enum IconRenderer { drawBlinkAsterisk(cx: rdCx, cy: yCy) } } + + // Warp twist: "Warp" style face with a diagonal slash + if addWarpTwist { + let ctx = NSGraphicsContext.current?.cgContext + let centerXPx = rectPx.midXPx + let eyeCenterYPx = rectPx.y + rectPx.h / 2 + + ctx?.saveGState() + ctx?.setShouldAntialias(true) // Smooth edges for tilted ellipse eyes + + // 1. Draw Eyes (Tilted ellipse cutouts - "fox eye" / "cat eye" style) + // Eyes are elliptical and tilted outward (outer corners pointing up) + let eyeWidthPx: CGFloat = 5.3125 // Scaled up 125% to match rounded rect face + let eyeHeightPx: CGFloat = 8.5 // Scaled up 125% to match rounded rect face + let eyeOffsetPx: CGFloat = 7 + let eyeTiltAngle: CGFloat = .pi / 3 // 60 degrees tilt + + let leftEyeCx = Self.grid.pt(centerXPx) - Self.grid.pt(Int(eyeOffsetPx)) + let rightEyeCx = Self.grid.pt(centerXPx) + Self.grid.pt(Int(eyeOffsetPx)) + let eyeCy = Self.grid.pt(eyeCenterYPx) + let eyeW = Self.grid.pt(Int(eyeWidthPx)) + let eyeH = Self.grid.pt(Int(eyeHeightPx)) + + // Helper to draw a tilted ellipse eye + func drawTiltedEyeCutout(cx: CGFloat, cy: CGFloat, tiltAngle: CGFloat) { + let eyeRect = CGRect( + x: -eyeW / 2, + y: -eyeH / 2, + width: eyeW, + height: eyeH) + let eyePath = NSBezierPath(ovalIn: eyeRect) + + var transform = AffineTransform.identity + transform.translate(x: cx, y: cy) + transform.rotate(byRadians: tiltAngle) + eyePath.transform(using: transform) + eyePath.fill() + } + + if warpEyesFilled { + fillColor.withAlphaComponent(alpha).setFill() + drawTiltedEyeCutout(cx: leftEyeCx, cy: eyeCy, tiltAngle: eyeTiltAngle) + drawTiltedEyeCutout(cx: rightEyeCx, cy: eyeCy, tiltAngle: -eyeTiltAngle) + } else { + // Clear eyes using blend mode + ctx?.setBlendMode(.clear) + drawTiltedEyeCutout(cx: leftEyeCx, cy: eyeCy, tiltAngle: eyeTiltAngle) + drawTiltedEyeCutout(cx: rightEyeCx, cy: eyeCy, tiltAngle: -eyeTiltAngle) + ctx?.setBlendMode(.normal) + } + ctx?.restoreGState() // Restore graphics state + + // 2. Draw Slash (Diagonal cut) + // Must cut through the bar (track + fill). + ctx?.saveGState() + ctx?.setShouldAntialias(true) // Slash should be smooth + + let slashPath = NSBezierPath() + // Thickness: looks like ~1.5px or 2px. Let's try 1.5px (0.75pt at 2x) + let slashThicknessPx: CGFloat = 1.5 + slashPath.lineWidth = slashThicknessPx / Self.outputScale + + // Geometry: Center of slash is center of bar. + // Angle: Bottom-Left to Top-Right. + // Reference image (Warp logo) has a steeper angle, closer to 70-75 degrees. + // Previous was pi/3.2 (~56 deg). Let's try making it steeper. + // pi/2.4 is 75 degrees. + let angle: CGFloat = .pi / 2.4 + + // Let's define it by points relative to center. + let cx = Self.grid.pt(centerXPx) + let cy = Self.grid.pt(eyeCenterYPx) + let length = Self.grid.pt(rectPx.h + 8) // Extend slightly beyond height + + let dx = cos(angle) * length / 2 + let dy = sin(angle) * length / 2 + + // From bottom-left area to top-right area + slashPath.move(to: NSPoint(x: cx - dx, y: cy - dy)) + slashPath.line(to: NSPoint(x: cx + dx, y: cy + dy)) + + // First pass: Erase everything under the stroke (blend mode clear) + ctx?.saveGState() + ctx?.setBlendMode(.clear) + NSColor.white.setStroke() + slashPath.stroke() + ctx?.restoreGState() + + // Second pass: Draw the visible "tips" of the slash outside the ellipse + // We need to mask out the inner part (the ellipse) so we only draw the outside tips. + // However, since we just erased the line from the ellipse, the ellipse has a gap. + // We want to draw a black line *in the gap*? No, the user wants "black edge" + // The user said: "在该椭圆外侧再增加一圈细黑边... 有一圈黑色的斜线露出" + // Wait, looking at the red circles: + // The red circles highlight the tips of the slash sticking OUT of the capsule. + // The slash INSIDE the capsule is a cut (white/transparent). + // The slash OUTSIDE the capsule is black (fill color). + + // So: + // 1. Cut the slash through everything (which we did with blendMode .clear). + // 2. Draw the slash again with normal blend mode, but CLIP it to NOT be inside the capsule. + + // Define the outer clip path (inverse of the track path) + // It's hard to do inverse clip directly. + // Instead, we can: + // a. Draw the full black slash. + // b. Draw the capsule (track + fill) ON TOP of it (but we already drew them). + // c. Retrospective approach: + // We already drew the capsule. + // We cut the slash through the capsule (clear mode). + // Now we want to fill the slash *outside* the capsule. + // We can draw the full slash in black, but set the clip region to exclude the capsule rect. + + // Create a path for the capsule shape + // Re-create the track path logic + let capsuleRadius = Self.grid.pt(addNotches ? 0 : rectPx.h / 2) + let capsuleRect = rectPx.rect() + let capsulePath = NSBezierPath(roundedRect: capsuleRect, xRadius: capsuleRadius, yRadius: capsuleRadius) + + // Set clipping to EXCLUDE the capsule. + // EvenOdd rule with a giant rect + capsule path? + let hugeRect = CGRect(x: -1000, y: -1000, width: 2000, height: 2000) + let inverseClipPath = NSBezierPath(rect: hugeRect) + inverseClipPath.append(capsulePath) + inverseClipPath.windingRule = .evenOdd + + ctx?.saveGState() + inverseClipPath.addClip() + + // Now draw the black slash + fillColor.withAlphaComponent(alpha).setFill() // Use fill color for the stroke to match style + fillColor.withAlphaComponent(alpha).setStroke() + slashPath.stroke() + + ctx?.restoreGState() + + ctx?.restoreGState() + } } let topValue = primaryRemaining @@ -598,35 +742,58 @@ enum IconRenderer { addGeminiTwist: style == .gemini || style == .antigravity, addAntigravityTwist: style == .antigravity, addFactoryTwist: style == .factory, + addWarpTwist: style == .warp, blink: blink) drawBar(rectPx: bottomRectPx, remaining: bottomValue) } else if !hasWeekly { - // Weekly missing (e.g. Claude enterprise): keep normal layout but - // dim the bottom track to indicate N/A. - if topValue == nil, let ratio = creditsRatio { - // Credits-only: show credits prominently (e.g. credits loaded before usage). - drawBar( - rectPx: creditsRectPx, - remaining: ratio, - alpha: creditsAlpha, - addNotches: style == .claude, - addFace: style == .codex, - addGeminiTwist: style == .gemini || style == .antigravity, - addAntigravityTwist: style == .antigravity, - addFactoryTwist: style == .factory, - blink: blink) - drawBar(rectPx: creditsBottomRectPx, remaining: nil, alpha: 0.45) - } else { + if style == .warp { + if topValue != nil { + drawBar( + rectPx: topRectPx, + remaining: 100, + addWarpTwist: true, + blink: blink) + } else { + drawBar( + rectPx: topRectPx, + remaining: nil, + addWarpTwist: true, + blink: blink) + } drawBar( - rectPx: topRectPx, + rectPx: bottomRectPx, remaining: topValue, - addNotches: style == .claude, - addFace: style == .codex, - addGeminiTwist: style == .gemini || style == .antigravity, - addAntigravityTwist: style == .antigravity, - addFactoryTwist: style == .factory, blink: blink) - drawBar(rectPx: bottomRectPx, remaining: nil, alpha: 0.45) + } else { + // Weekly missing (e.g. Claude enterprise): keep normal layout but + // dim the bottom track to indicate N/A. + if topValue == nil, let ratio = creditsRatio { + // Credits-only: show credits prominently (e.g. credits loaded before usage). + drawBar( + rectPx: creditsRectPx, + remaining: ratio, + alpha: creditsAlpha, + addNotches: style == .claude, + addFace: style == .codex, + addGeminiTwist: style == .gemini || style == .antigravity, + addAntigravityTwist: style == .antigravity, + addFactoryTwist: style == .factory, + addWarpTwist: style == .warp, + blink: blink) + drawBar(rectPx: creditsBottomRectPx, remaining: nil, alpha: 0.45) + } else { + drawBar( + rectPx: topRectPx, + remaining: topValue, + addNotches: style == .claude, + addFace: style == .codex, + addGeminiTwist: style == .gemini || style == .antigravity, + addAntigravityTwist: style == .antigravity, + addFactoryTwist: style == .factory, + addWarpTwist: style == .warp, + blink: blink) + drawBar(rectPx: bottomRectPx, remaining: nil, alpha: 0.45) + } } } else { // Weekly exhausted/missing: show credits on top (thicker), weekly (likely 0) on bottom. @@ -640,6 +807,7 @@ enum IconRenderer { addGeminiTwist: style == .gemini || style == .antigravity, addAntigravityTwist: style == .antigravity, addFactoryTwist: style == .factory, + addWarpTwist: style == .warp, blink: blink) } else { // No credits available; fall back to 5h if present. @@ -651,6 +819,7 @@ enum IconRenderer { addGeminiTwist: style == .gemini || style == .antigravity, addAntigravityTwist: style == .antigravity, addFactoryTwist: style == .factory, + addWarpTwist: style == .warp, blink: blink) } drawBar(rectPx: creditsBottomRectPx, remaining: bottomValue) diff --git a/Sources/CodexBar/Providers/Shared/ProviderImplementationRegistry.swift b/Sources/CodexBar/Providers/Shared/ProviderImplementationRegistry.swift index f6a9b2a3b..fef37cef9 100644 --- a/Sources/CodexBar/Providers/Shared/ProviderImplementationRegistry.swift +++ b/Sources/CodexBar/Providers/Shared/ProviderImplementationRegistry.swift @@ -30,6 +30,7 @@ enum ProviderImplementationRegistry { case .kimik2: KimiK2ProviderImplementation() case .amp: AmpProviderImplementation() case .synthetic: SyntheticProviderImplementation() + case .warp: WarpProviderImplementation() } } diff --git a/Sources/CodexBar/Providers/Warp/WarpProviderImplementation.swift b/Sources/CodexBar/Providers/Warp/WarpProviderImplementation.swift new file mode 100644 index 000000000..d1f2872b3 --- /dev/null +++ b/Sources/CodexBar/Providers/Warp/WarpProviderImplementation.swift @@ -0,0 +1,41 @@ +import AppKit +import CodexBarCore +import CodexBarMacroSupport +import Foundation + +@ProviderImplementationRegistration +struct WarpProviderImplementation: ProviderImplementation { + let id: UsageProvider = .warp + + @MainActor + func observeSettings(_ settings: SettingsStore) { + _ = settings.warpAPIToken + } + + @MainActor + func settingsFields(context: ProviderSettingsContext) -> [ProviderSettingsFieldDescriptor] { + [ + ProviderSettingsFieldDescriptor( + id: "warp-api-token", + title: "API key", + subtitle: "Stored in ~/.codexbar/config.json. Generate one at app.warp.dev.", + kind: .secure, + placeholder: "wk-...", + binding: context.stringBinding(\.warpAPIToken), + actions: [ + ProviderSettingsActionDescriptor( + id: "warp-open-api-keys", + title: "Open Warp Settings", + style: .link, + isVisible: nil, + perform: { + if let url = URL(string: "https://app.warp.dev/settings/account") { + NSWorkspace.shared.open(url) + } + }), + ], + isVisible: nil, + onActivate: { context.settings.ensureWarpAPITokenLoaded() }), + ] + } +} diff --git a/Sources/CodexBar/Providers/Warp/WarpSettingsStore.swift b/Sources/CodexBar/Providers/Warp/WarpSettingsStore.swift new file mode 100644 index 000000000..ed6a6d1f8 --- /dev/null +++ b/Sources/CodexBar/Providers/Warp/WarpSettingsStore.swift @@ -0,0 +1,16 @@ +import CodexBarCore +import Foundation + +extension SettingsStore { + var warpAPIToken: String { + get { self.configSnapshot.providerConfig(for: .warp)?.sanitizedAPIKey ?? "" } + set { + self.updateProviderConfig(provider: .warp) { entry in + entry.apiKey = self.normalizedConfigValue(newValue) + } + self.logSecretUpdate(provider: .warp, field: "apiKey", value: newValue) + } + } + + func ensureWarpAPITokenLoaded() {} +} diff --git a/Sources/CodexBar/Resources/ProviderIcon-warp.svg b/Sources/CodexBar/Resources/ProviderIcon-warp.svg new file mode 100644 index 000000000..30a992a08 --- /dev/null +++ b/Sources/CodexBar/Resources/ProviderIcon-warp.svg @@ -0,0 +1,4 @@ + + + + diff --git a/Sources/CodexBar/SettingsStore+MenuObservation.swift b/Sources/CodexBar/SettingsStore+MenuObservation.swift index 6c69f6a7f..4fa5640a8 100644 --- a/Sources/CodexBar/SettingsStore+MenuObservation.swift +++ b/Sources/CodexBar/SettingsStore+MenuObservation.swift @@ -53,6 +53,7 @@ extension SettingsStore { _ = self.augmentCookieHeader _ = self.ampCookieHeader _ = self.copilotAPIToken + _ = self.warpAPIToken _ = self.tokenAccountsByProvider _ = self.debugLoadingPattern _ = self.selectedMenuProvider diff --git a/Sources/CodexBar/StatusItemController+Animation.swift b/Sources/CodexBar/StatusItemController+Animation.swift index 2fb70778e..ed0095fc3 100644 --- a/Sources/CodexBar/StatusItemController+Animation.swift +++ b/Sources/CodexBar/StatusItemController+Animation.swift @@ -304,7 +304,14 @@ extension StatusItemController { } let style: IconStyle = self.store.style(for: provider) - let blink = self.blinkAmount(for: provider) + let isLoading = phase != nil && self.shouldAnimate(provider: provider) + let blink: CGFloat = { + guard isLoading, style == .warp, let phase else { + return self.blinkAmount(for: provider) + } + let normalized = (sin(phase * 3) + 1) / 2 + return CGFloat(max(0, min(normalized, 1))) + }() let wiggle = self.wiggleAmount(for: provider) let tilt = self.tiltAmount(for: provider) * .pi / 28 // limit to ~6.4° if let morphProgress { @@ -421,6 +428,9 @@ extension StatusItemController { let isStale = self.store.isStale(provider: provider) let hasData = self.store.snapshot(for: provider) != nil + if provider == .warp, !hasData, self.store.refreshingProviders.contains(provider) { + return true + } return !hasData && !isStale } diff --git a/Sources/CodexBar/UsageStore.swift b/Sources/CodexBar/UsageStore.swift index 77754a0c5..abba50993 100644 --- a/Sources/CodexBar/UsageStore.swift +++ b/Sources/CodexBar/UsageStore.swift @@ -1237,6 +1237,13 @@ extension UsageStore { let text = "JetBrains AI debug log not yet implemented" await MainActor.run { self.probeLogs[.jetbrains] = text } return text + case .warp: + let resolution = ProviderTokenResolver.warpResolution() + let hasAny = resolution != nil + let source = resolution?.source.rawValue ?? "none" + let text = "WARP_API_KEY=\(hasAny ? "present" : "missing") source=\(source)" + await MainActor.run { self.probeLogs[.warp] = text } + return text } }.value } diff --git a/Sources/CodexBarCLI/TokenAccountCLI.swift b/Sources/CodexBarCLI/TokenAccountCLI.swift index 4809cfb06..1b0bc5c8a 100644 --- a/Sources/CodexBarCLI/TokenAccountCLI.swift +++ b/Sources/CodexBarCLI/TokenAccountCLI.swift @@ -147,7 +147,7 @@ struct TokenAccountCLIContext { return self.makeSnapshot( jetbrains: ProviderSettingsSnapshot.JetBrainsProviderSettings( ideBasePath: nil)) - case .gemini, .antigravity, .copilot, .kiro, .vertexai, .kimik2, .synthetic: + case .gemini, .antigravity, .copilot, .kiro, .vertexai, .kimik2, .synthetic, .warp: return nil } } diff --git a/Sources/CodexBarCore/Config/ProviderConfigEnvironment.swift b/Sources/CodexBarCore/Config/ProviderConfigEnvironment.swift index a05b2dd25..1969ba6ab 100644 --- a/Sources/CodexBarCore/Config/ProviderConfigEnvironment.swift +++ b/Sources/CodexBarCore/Config/ProviderConfigEnvironment.swift @@ -21,6 +21,10 @@ public enum ProviderConfigEnvironment { } case .synthetic: env[SyntheticSettingsReader.apiKeyKey] = apiKey + case .warp: + if let key = WarpSettingsReader.apiKeyEnvironmentKeys.first { + env[key] = apiKey + } default: break } diff --git a/Sources/CodexBarCore/Logging/LogCategories.swift b/Sources/CodexBarCore/Logging/LogCategories.swift index d3d31c8fe..550ffc814 100644 --- a/Sources/CodexBarCore/Logging/LogCategories.swift +++ b/Sources/CodexBarCore/Logging/LogCategories.swift @@ -54,6 +54,7 @@ public enum LogCategories { public static let tokenCost = "token-cost" public static let ttyRunner = "tty-runner" public static let vertexAIFetcher = "vertexai-fetcher" + public static let warpUsage = "warp-usage" public static let webkitTeardown = "webkit-teardown" public static let zaiSettings = "zai-settings" public static let zaiTokenStore = "zai-token-store" diff --git a/Sources/CodexBarCore/Providers/ProviderDescriptor.swift b/Sources/CodexBarCore/Providers/ProviderDescriptor.swift index 6aff83695..80e552223 100644 --- a/Sources/CodexBarCore/Providers/ProviderDescriptor.swift +++ b/Sources/CodexBarCore/Providers/ProviderDescriptor.swift @@ -71,6 +71,7 @@ public enum ProviderDescriptorRegistry { .kimik2: KimiK2ProviderDescriptor.descriptor, .amp: AmpProviderDescriptor.descriptor, .synthetic: SyntheticProviderDescriptor.descriptor, + .warp: WarpProviderDescriptor.descriptor, ] private static let bootstrap: Void = { for provider in UsageProvider.allCases { diff --git a/Sources/CodexBarCore/Providers/ProviderTokenResolver.swift b/Sources/CodexBarCore/Providers/ProviderTokenResolver.swift index 6b978775a..4134d67bf 100644 --- a/Sources/CodexBarCore/Providers/ProviderTokenResolver.swift +++ b/Sources/CodexBarCore/Providers/ProviderTokenResolver.swift @@ -45,6 +45,10 @@ public enum ProviderTokenResolver { self.kimiK2Resolution(environment: environment)?.token } + public static func warpToken(environment: [String: String] = ProcessInfo.processInfo.environment) -> String? { + self.warpResolution(environment: environment)?.token + } + public static func zaiResolution( environment: [String: String] = ProcessInfo.processInfo.environment) -> ProviderTokenResolution? { @@ -100,6 +104,12 @@ public enum ProviderTokenResolver { self.resolveEnv(KimiK2SettingsReader.apiKey(environment: environment)) } + public static func warpResolution( + environment: [String: String] = ProcessInfo.processInfo.environment) -> ProviderTokenResolution? + { + self.resolveEnv(WarpSettingsReader.apiKey(environment: environment)) + } + private static func cleaned(_ raw: String?) -> String? { guard var value = raw?.trimmingCharacters(in: .whitespacesAndNewlines), !value.isEmpty else { return nil diff --git a/Sources/CodexBarCore/Providers/Providers.swift b/Sources/CodexBarCore/Providers/Providers.swift index a267fb953..3fc0de98c 100644 --- a/Sources/CodexBarCore/Providers/Providers.swift +++ b/Sources/CodexBarCore/Providers/Providers.swift @@ -21,6 +21,7 @@ public enum UsageProvider: String, CaseIterable, Sendable, Codable { case kimik2 case amp case synthetic + case warp } // swiftformat:enable sortDeclarations @@ -44,6 +45,7 @@ public enum IconStyle: Sendable, CaseIterable { case jetbrains case amp case synthetic + case warp case combined } diff --git a/Sources/CodexBarCore/Providers/Warp/WarpProviderDescriptor.swift b/Sources/CodexBarCore/Providers/Warp/WarpProviderDescriptor.swift new file mode 100644 index 000000000..d1abb8ed9 --- /dev/null +++ b/Sources/CodexBarCore/Providers/Warp/WarpProviderDescriptor.swift @@ -0,0 +1,67 @@ +import CodexBarMacroSupport +import Foundation + +@ProviderDescriptorRegistration +@ProviderDescriptorDefinition +public enum WarpProviderDescriptor { + static func makeDescriptor() -> ProviderDescriptor { + ProviderDescriptor( + id: .warp, + metadata: ProviderMetadata( + id: .warp, + displayName: "Warp", + sessionLabel: "Credits", + weeklyLabel: "Credits", + opusLabel: nil, + supportsOpus: false, + supportsCredits: false, + creditsHint: "", + toggleTitle: "Show Warp usage", + cliName: "warp", + defaultEnabled: false, + isPrimaryProvider: false, + usesAccountFallback: false, + browserCookieOrder: nil, + dashboardURL: "https://app.warp.dev/settings/account", + statusPageURL: nil), + branding: ProviderBranding( + iconStyle: .warp, + iconResourceName: "ProviderIcon-warp", + color: ProviderColor(red: 147 / 255, green: 139 / 255, blue: 180 / 255)), + tokenCost: ProviderTokenCostConfig( + supportsTokenCost: false, + noDataMessage: { "Warp cost summary is not available." }), + fetchPlan: ProviderFetchPlan( + sourceModes: [.auto, .api], + pipeline: ProviderFetchPipeline(resolveStrategies: { _ in [WarpAPIFetchStrategy()] })), + cli: ProviderCLIConfig( + name: "warp", + aliases: ["warp-ai", "warp-terminal"], + versionDetector: nil)) + } +} + +struct WarpAPIFetchStrategy: ProviderFetchStrategy { + let id: String = "warp.api" + let kind: ProviderFetchKind = .apiToken + + func isAvailable(_ context: ProviderFetchContext) async -> Bool { + Self.resolveToken(environment: context.env) != nil + } + + func fetch(_ context: ProviderFetchContext) async throws -> ProviderFetchResult { + guard let apiKey = Self.resolveToken(environment: context.env) else { + throw WarpUsageError.missingCredentials + } + let usage = try await WarpUsageFetcher.fetchUsage(apiKey: apiKey) + return self.makeResult( + usage: usage.toUsageSnapshot(), + sourceLabel: "api") + } + + func shouldFallback(on _: Error, context _: ProviderFetchContext) -> Bool { false } + + private static func resolveToken(environment: [String: String]) -> String? { + ProviderTokenResolver.warpToken(environment: environment) + } +} diff --git a/Sources/CodexBarCore/Providers/Warp/WarpSettingsReader.swift b/Sources/CodexBarCore/Providers/Warp/WarpSettingsReader.swift new file mode 100644 index 000000000..cd3c639c1 --- /dev/null +++ b/Sources/CodexBarCore/Providers/Warp/WarpSettingsReader.swift @@ -0,0 +1,36 @@ +import Foundation + +public struct WarpSettingsReader: Sendable { + public static let apiKeyEnvironmentKeys = [ + "WARP_API_KEY", + "WARP_TOKEN", + ] + + public static func apiKey( + environment: [String: String] = ProcessInfo.processInfo.environment) -> String? + { + for key in self.apiKeyEnvironmentKeys { + guard let raw = environment[key]?.trimmingCharacters(in: .whitespacesAndNewlines), + !raw.isEmpty + else { + continue + } + let cleaned = Self.cleaned(raw) + if !cleaned.isEmpty { + return cleaned + } + } + return nil + } + + private static func cleaned(_ raw: String) -> String { + var value = raw + if (value.hasPrefix("\"") && value.hasSuffix("\"")) || + (value.hasPrefix("'") && value.hasSuffix("'")) + { + value.removeFirst() + value.removeLast() + } + return value.trimmingCharacters(in: .whitespacesAndNewlines) + } +} diff --git a/Sources/CodexBarCore/Providers/Warp/WarpUsageFetcher.swift b/Sources/CodexBarCore/Providers/Warp/WarpUsageFetcher.swift new file mode 100644 index 000000000..8ef495111 --- /dev/null +++ b/Sources/CodexBarCore/Providers/Warp/WarpUsageFetcher.swift @@ -0,0 +1,198 @@ +import Foundation +#if canImport(FoundationNetworking) +import FoundationNetworking +#endif + +public struct WarpUsageSnapshot: Sendable { + public let requestLimit: Int + public let requestsUsed: Int + public let nextRefreshTime: Date? + public let isUnlimited: Bool + public let updatedAt: Date + + public init( + requestLimit: Int, + requestsUsed: Int, + nextRefreshTime: Date?, + isUnlimited: Bool, + updatedAt: Date + ) { + self.requestLimit = requestLimit + self.requestsUsed = requestsUsed + self.nextRefreshTime = nextRefreshTime + self.isUnlimited = isUnlimited + self.updatedAt = updatedAt + } + + public func toUsageSnapshot() -> UsageSnapshot { + let usedPercent: Double + if self.isUnlimited { + usedPercent = 0 + } else if self.requestLimit > 0 { + usedPercent = min(100, max(0, Double(self.requestsUsed) / Double(self.requestLimit) * 100)) + } else { + usedPercent = 0 + } + + let resetDescription: String? + if self.isUnlimited { + resetDescription = "Unlimited" + } else { + resetDescription = "\(self.requestsUsed)/\(self.requestLimit) credits" + } + + let rateWindow = RateWindow( + usedPercent: usedPercent, + windowMinutes: nil, + resetsAt: self.nextRefreshTime, + resetDescription: resetDescription) + + let identity = ProviderIdentitySnapshot( + providerID: .warp, + accountEmail: nil, + accountOrganization: nil, + loginMethod: nil) + + return UsageSnapshot( + primary: rateWindow, + secondary: nil, + tertiary: nil, + providerCost: nil, + updatedAt: self.updatedAt, + identity: identity) + } +} + +public enum WarpUsageError: LocalizedError, Sendable { + case missingCredentials + case networkError(String) + case apiError(Int, String) + case parseFailed(String) + + public var errorDescription: String? { + switch self { + case .missingCredentials: + "Missing Warp API key." + case let .networkError(message): + "Warp network error: \(message)" + case let .apiError(code, message): + "Warp API error (\(code)): \(message)" + case let .parseFailed(message): + "Failed to parse Warp response: \(message)" + } + } +} + +public struct WarpUsageFetcher: Sendable { + private static let log = CodexBarLog.logger(LogCategories.warpUsage) + private static let apiURL = URL(string: "https://app.warp.dev/graphql/v2?op=GetRequestLimitInfo")! + private static let clientID = "warp-app" + private static let clientVersion = "v0.2026.01.07.08.13.stable_01" + + private static let graphQLQuery = """ + query GetRequestLimitInfo($requestContext: RequestContext!) { + user(requestContext: $requestContext) { + __typename + ... on UserOutput { + user { + requestLimitInfo { + isUnlimited + nextRefreshTime + requestLimit + requestsUsedSinceLastRefresh + } + } + } + } + } + """ + + public static func fetchUsage(apiKey: String) async throws -> WarpUsageSnapshot { + guard !apiKey.trimmingCharacters(in: .whitespacesAndNewlines).isEmpty else { + throw WarpUsageError.missingCredentials + } + + var request = URLRequest(url: self.apiURL) + request.httpMethod = "POST" + request.timeoutInterval = 15 + request.setValue("application/json", forHTTPHeaderField: "Content-Type") + request.setValue(self.clientID, forHTTPHeaderField: "x-warp-client-id") + request.setValue(self.clientVersion, forHTTPHeaderField: "x-warp-client-version") + request.setValue("Bearer \(apiKey)", forHTTPHeaderField: "Authorization") + + let variables: [String: Any] = [ + "requestContext": [ + "clientContext": [:] as [String: Any], + "osContext": [ + "category": "macOS", + "name": "macOS", + "version": "15.0", + ] as [String: Any], + ] as [String: Any], + ] + + let body: [String: Any] = [ + "query": self.graphQLQuery, + "variables": variables, + "operationName": "GetRequestLimitInfo", + ] + + request.httpBody = try JSONSerialization.data(withJSONObject: body) + + let (data, response) = try await URLSession.shared.data(for: request) + + guard let httpResponse = response as? HTTPURLResponse else { + throw WarpUsageError.networkError("Invalid response") + } + + guard httpResponse.statusCode == 200 else { + let body = String(data: data, encoding: .utf8) ?? "HTTP \(httpResponse.statusCode)" + Self.log.error("Warp API returned \(httpResponse.statusCode): \(body)") + throw WarpUsageError.apiError(httpResponse.statusCode, body) + } + + if let jsonString = String(data: data, encoding: .utf8) { + Self.log.debug("Warp API response: \(jsonString)") + } + + return try Self.parseResponse(data: data) + } + + private static func parseResponse(data: Data) throws -> WarpUsageSnapshot { + guard let json = try? JSONSerialization.jsonObject(with: data) as? [String: Any], + let dataObj = json["data"] as? [String: Any], + let userObj = dataObj["user"] as? [String: Any], + let innerUserObj = userObj["user"] as? [String: Any], + let limitInfo = innerUserObj["requestLimitInfo"] as? [String: Any] + else { + throw WarpUsageError.parseFailed("Unable to extract requestLimitInfo from response.") + } + + let isUnlimited = limitInfo["isUnlimited"] as? Bool ?? false + let requestLimit = limitInfo["requestLimit"] as? Int ?? 0 + let requestsUsed = limitInfo["requestsUsedSinceLastRefresh"] as? Int ?? 0 + + var nextRefreshTime: Date? + if let nextRefreshTimeString = limitInfo["nextRefreshTime"] as? String { + nextRefreshTime = Self.parseDate(nextRefreshTimeString) + } + + return WarpUsageSnapshot( + requestLimit: requestLimit, + requestsUsed: requestsUsed, + nextRefreshTime: nextRefreshTime, + isUnlimited: isUnlimited, + updatedAt: Date()) + } + + private static func parseDate(_ dateString: String) -> Date? { + let formatter = ISO8601DateFormatter() + formatter.formatOptions = [.withInternetDateTime, .withFractionalSeconds] + if let date = formatter.date(from: dateString) { + return date + } + let fallback = ISO8601DateFormatter() + fallback.formatOptions = [.withInternetDateTime] + return fallback.date(from: dateString) + } +} diff --git a/Sources/CodexBarCore/Vendored/CostUsage/CostUsageScanner.swift b/Sources/CodexBarCore/Vendored/CostUsage/CostUsageScanner.swift index d47d7d557..1936d7eff 100644 --- a/Sources/CodexBarCore/Vendored/CostUsage/CostUsageScanner.swift +++ b/Sources/CodexBarCore/Vendored/CostUsage/CostUsageScanner.swift @@ -99,6 +99,8 @@ enum CostUsageScanner { return CostUsageDailyReport(data: [], summary: nil) case .synthetic: return CostUsageDailyReport(data: [], summary: nil) + case .warp: + return CostUsageDailyReport(data: [], summary: nil) } } diff --git a/Sources/CodexBarWidget/CodexBarWidgetProvider.swift b/Sources/CodexBarWidget/CodexBarWidgetProvider.swift index 1634611ee..0d46a0510 100644 --- a/Sources/CodexBarWidget/CodexBarWidgetProvider.swift +++ b/Sources/CodexBarWidget/CodexBarWidgetProvider.swift @@ -59,6 +59,7 @@ enum ProviderChoice: String, AppEnum { case .kimik2: return nil // Kimi K2 not yet supported in widgets case .amp: return nil // Amp not yet supported in widgets case .synthetic: return nil // Synthetic not yet supported in widgets + case .warp: return nil // Warp not yet supported in widgets } } } diff --git a/Sources/CodexBarWidget/CodexBarWidgetViews.swift b/Sources/CodexBarWidget/CodexBarWidgetViews.swift index ed39b4506..85ae62f42 100644 --- a/Sources/CodexBarWidget/CodexBarWidgetViews.swift +++ b/Sources/CodexBarWidget/CodexBarWidgetViews.swift @@ -275,6 +275,7 @@ private struct ProviderSwitchChip: View { case .kimik2: "Kimi K2" case .amp: "Amp" case .synthetic: "Synthetic" + case .warp: "Warp" } } } @@ -605,6 +606,8 @@ enum WidgetColors { Color(red: 220 / 255, green: 38 / 255, blue: 38 / 255) // Amp red case .synthetic: Color(red: 20 / 255, green: 20 / 255, blue: 20 / 255) // Synthetic charcoal + case .warp: + Color(red: 147 / 255, green: 139 / 255, blue: 180 / 255) } } } diff --git a/Tests/CodexBarTests/CLIProviderSelectionTests.swift b/Tests/CodexBarTests/CLIProviderSelectionTests.swift index ec8551802..66b3afa22 100644 --- a/Tests/CodexBarTests/CLIProviderSelectionTests.swift +++ b/Tests/CodexBarTests/CLIProviderSelectionTests.swift @@ -20,6 +20,7 @@ struct CLIProviderSelectionTests { "|copilot|", "|synthetic|", "|kiro|", + "|warp|", "|both|", "|all]", ] diff --git a/Tests/CodexBarTests/ProviderTokenResolverTests.swift b/Tests/CodexBarTests/ProviderTokenResolverTests.swift index 004b63b15..867b3ad45 100644 --- a/Tests/CodexBarTests/ProviderTokenResolverTests.swift +++ b/Tests/CodexBarTests/ProviderTokenResolverTests.swift @@ -17,4 +17,26 @@ struct ProviderTokenResolverTests { let resolution = ProviderTokenResolver.copilotResolution(environment: env) #expect(resolution?.token == "token") } + + @Test + func warpResolutionUsesEnvironmentToken() { + let env = ["WARP_API_KEY": "wk-test-token"] + let resolution = ProviderTokenResolver.warpResolution(environment: env) + #expect(resolution?.token == "wk-test-token") + #expect(resolution?.source == .environment) + } + + @Test + func warpResolutionTrimsToken() { + let env = ["WARP_API_KEY": " wk-token "] + let resolution = ProviderTokenResolver.warpResolution(environment: env) + #expect(resolution?.token == "wk-token") + } + + @Test + func warpResolutionReturnsNilWhenMissing() { + let env: [String: String] = [:] + let resolution = ProviderTokenResolver.warpResolution(environment: env) + #expect(resolution == nil) + } } diff --git a/docs/providers.md b/docs/providers.md index d25dfb887..3054b6ff9 100644 --- a/docs/providers.md +++ b/docs/providers.md @@ -1,5 +1,5 @@ --- -summary: "Provider data sources and parsing overview (Codex, Claude, Gemini, Antigravity, Cursor, Droid/Factory, z.ai, Copilot, Kimi, Kimi K2, Kiro, Vertex AI, Augment, Amp, JetBrains AI)." +summary: "Provider data sources and parsing overview (Codex, Claude, Gemini, Antigravity, Cursor, Droid/Factory, z.ai, Copilot, Kimi, Kimi K2, Kiro, Warp, Vertex AI, Augment, Amp, JetBrains AI)." read_when: - Adding or modifying provider fetch/parsing - Adjusting provider labels, toggles, or metadata @@ -34,6 +34,7 @@ until the session is invalid, to avoid repeated Keychain prompts. | Vertex AI | Google ADC OAuth (gcloud) → Cloud Monitoring quota usage (`oauth`). | | JetBrains AI | Local XML quota file (`local`). | | Amp | Web settings page via browser cookies (`web`). | +| Warp | API token (Keychain/env) → GraphQL request limits (`api`). | ## Codex - Web dashboard (when enabled): `https://chatgpt.com/codex/settings/usage` via WebView + browser cookies. @@ -121,6 +122,13 @@ until the session is invalid, to avoid repeated Keychain prompts. - Status: AWS Health Dashboard (manual link, no auto-polling). - Details: `docs/kiro.md`. +## Warp +- API token from Settings or `WARP_API_KEY` / `WARP_TOKEN` env var. +- GraphQL credit limits: `https://app.warp.dev/graphql/v2?op=GetRequestLimitInfo`. +- Shows monthly credits usage and next refresh time. +- Status: none yet. +- Details: `docs/warp.md`. + ## Vertex AI - OAuth credentials from `gcloud auth application-default login` (ADC). - Quota usage via Cloud Monitoring `consumer_quota` metrics for `aiplatform.googleapis.com`. diff --git a/docs/warp.md b/docs/warp.md new file mode 100644 index 000000000..3dd407821 --- /dev/null +++ b/docs/warp.md @@ -0,0 +1,46 @@ +--- +summary: "Warp provider notes: API token setup and request limit parsing." +read_when: + - Adding or modifying the Warp provider + - Debugging Warp API tokens or request limits + - Adjusting Warp usage labels or reset behavior +--- + +# Warp Provider + +The Warp provider reads credit limits from Warp's GraphQL API using an API token. + +## Features + +- **Monthly credits usage**: Shows credits used vs. plan limit. +- **Reset timing**: Displays the next refresh time when available. +- **Token-based auth**: Uses API key stored in Settings or env vars. + +## Setup + +1. Open **Settings → Providers** +2. Enable **Warp** +3. Enter your API key from `https://app.warp.dev/settings/account` + +### Environment variables (optional) + +- `WARP_API_KEY` +- `WARP_TOKEN` + +## How it works + +- Endpoint: `https://app.warp.dev/graphql/v2?op=GetRequestLimitInfo` +- Query: `GetRequestLimitInfo` +- Fields used: `isUnlimited`, `nextRefreshTime`, `requestLimit`, `requestsUsedSinceLastRefresh` (API uses request-named fields for credits) + +If `isUnlimited` is true, the UI shows “Unlimited” and a full remaining bar. + +## Troubleshooting + +### “Missing Warp API key” + +Add a key in **Settings → Providers → Warp**, or set `WARP_API_KEY`. + +### “Warp API error” + +Confirm the token is valid and that your network can reach `app.warp.dev`. From f13d2bb38bb62d286ea5859f7af5a61195a09820 Mon Sep 17 00:00:00 2001 From: Kathie-yu Date: Tue, 3 Feb 2026 23:29:59 +0800 Subject: [PATCH 021/131] Remove diagonal slash from Warp icon Co-Authored-By: Craft Agent --- Sources/CodexBar/IconRenderer.swift | 86 ----------------------------- 1 file changed, 86 deletions(-) diff --git a/Sources/CodexBar/IconRenderer.swift b/Sources/CodexBar/IconRenderer.swift index 058310596..dbcaee33f 100644 --- a/Sources/CodexBar/IconRenderer.swift +++ b/Sources/CodexBar/IconRenderer.swift @@ -631,92 +631,6 @@ enum IconRenderer { ctx?.setBlendMode(.normal) } ctx?.restoreGState() // Restore graphics state - - // 2. Draw Slash (Diagonal cut) - // Must cut through the bar (track + fill). - ctx?.saveGState() - ctx?.setShouldAntialias(true) // Slash should be smooth - - let slashPath = NSBezierPath() - // Thickness: looks like ~1.5px or 2px. Let's try 1.5px (0.75pt at 2x) - let slashThicknessPx: CGFloat = 1.5 - slashPath.lineWidth = slashThicknessPx / Self.outputScale - - // Geometry: Center of slash is center of bar. - // Angle: Bottom-Left to Top-Right. - // Reference image (Warp logo) has a steeper angle, closer to 70-75 degrees. - // Previous was pi/3.2 (~56 deg). Let's try making it steeper. - // pi/2.4 is 75 degrees. - let angle: CGFloat = .pi / 2.4 - - // Let's define it by points relative to center. - let cx = Self.grid.pt(centerXPx) - let cy = Self.grid.pt(eyeCenterYPx) - let length = Self.grid.pt(rectPx.h + 8) // Extend slightly beyond height - - let dx = cos(angle) * length / 2 - let dy = sin(angle) * length / 2 - - // From bottom-left area to top-right area - slashPath.move(to: NSPoint(x: cx - dx, y: cy - dy)) - slashPath.line(to: NSPoint(x: cx + dx, y: cy + dy)) - - // First pass: Erase everything under the stroke (blend mode clear) - ctx?.saveGState() - ctx?.setBlendMode(.clear) - NSColor.white.setStroke() - slashPath.stroke() - ctx?.restoreGState() - - // Second pass: Draw the visible "tips" of the slash outside the ellipse - // We need to mask out the inner part (the ellipse) so we only draw the outside tips. - // However, since we just erased the line from the ellipse, the ellipse has a gap. - // We want to draw a black line *in the gap*? No, the user wants "black edge" - // The user said: "在该椭圆外侧再增加一圈细黑边... 有一圈黑色的斜线露出" - // Wait, looking at the red circles: - // The red circles highlight the tips of the slash sticking OUT of the capsule. - // The slash INSIDE the capsule is a cut (white/transparent). - // The slash OUTSIDE the capsule is black (fill color). - - // So: - // 1. Cut the slash through everything (which we did with blendMode .clear). - // 2. Draw the slash again with normal blend mode, but CLIP it to NOT be inside the capsule. - - // Define the outer clip path (inverse of the track path) - // It's hard to do inverse clip directly. - // Instead, we can: - // a. Draw the full black slash. - // b. Draw the capsule (track + fill) ON TOP of it (but we already drew them). - // c. Retrospective approach: - // We already drew the capsule. - // We cut the slash through the capsule (clear mode). - // Now we want to fill the slash *outside* the capsule. - // We can draw the full slash in black, but set the clip region to exclude the capsule rect. - - // Create a path for the capsule shape - // Re-create the track path logic - let capsuleRadius = Self.grid.pt(addNotches ? 0 : rectPx.h / 2) - let capsuleRect = rectPx.rect() - let capsulePath = NSBezierPath(roundedRect: capsuleRect, xRadius: capsuleRadius, yRadius: capsuleRadius) - - // Set clipping to EXCLUDE the capsule. - // EvenOdd rule with a giant rect + capsule path? - let hugeRect = CGRect(x: -1000, y: -1000, width: 2000, height: 2000) - let inverseClipPath = NSBezierPath(rect: hugeRect) - inverseClipPath.append(capsulePath) - inverseClipPath.windingRule = .evenOdd - - ctx?.saveGState() - inverseClipPath.addClip() - - // Now draw the black slash - fillColor.withAlphaComponent(alpha).setFill() // Use fill color for the stroke to match style - fillColor.withAlphaComponent(alpha).setStroke() - slashPath.stroke() - - ctx?.restoreGState() - - ctx?.restoreGState() } } From aee846b003e45bddf77e37c8d21092b5b8d03a4f Mon Sep 17 00:00:00 2001 From: Kathie-yu Date: Wed, 4 Feb 2026 23:46:58 +0800 Subject: [PATCH 022/131] Add Warp add-on credits support --- Sources/CodexBar/IconRenderer.swift | 20 ++- Sources/CodexBar/MenuCardView.swift | 13 +- Sources/CodexBar/MenuDescriptor.swift | 15 +- .../Warp/WarpProviderDescriptor.swift | 2 +- .../Providers/Warp/WarpUsageFetcher.swift | 151 +++++++++++++++++- 5 files changed, 183 insertions(+), 18 deletions(-) diff --git a/Sources/CodexBar/IconRenderer.swift b/Sources/CodexBar/IconRenderer.swift index dbcaee33f..8108cb3f3 100644 --- a/Sources/CodexBar/IconRenderer.swift +++ b/Sources/CodexBar/IconRenderer.swift @@ -634,20 +634,29 @@ enum IconRenderer { } } + let effectiveWeeklyRemaining: Double? = { + if style == .warp, let weeklyRemaining, weeklyRemaining <= 0 { + return nil + } + return weeklyRemaining + }() let topValue = primaryRemaining - let bottomValue = weeklyRemaining + let bottomValue = effectiveWeeklyRemaining let creditsRatio = creditsRemaining.map { min($0 / Self.creditsCap * 100, 100) } - let hasWeekly = (weeklyRemaining != nil) - let weeklyAvailable = hasWeekly && (weeklyRemaining ?? 0) > 0 + let hasWeekly = (bottomValue != nil) + let weeklyAvailable = hasWeekly && (bottomValue ?? 0) > 0 let creditsAlpha: CGFloat = 1.0 let topRectPx = RectPx(x: barXPx, y: 19, w: barWidthPx, h: 12) let bottomRectPx = RectPx(x: barXPx, y: 5, w: barWidthPx, h: 8) let creditsRectPx = RectPx(x: barXPx, y: 14, w: barWidthPx, h: 16) let creditsBottomRectPx = RectPx(x: barXPx, y: 4, w: barWidthPx, h: 6) + // Warp special case: when no bonus or bonus exhausted, show "top full, bottom=monthly" + let warpNoBonus = style == .warp && !weeklyAvailable + if weeklyAvailable { - // Normal: top=5h, bottom=weekly, no credits. + // Normal: top=primary, bottom=secondary (bonus/weekly). drawBar( rectPx: topRectPx, remaining: topValue, @@ -659,8 +668,9 @@ enum IconRenderer { addWarpTwist: style == .warp, blink: blink) drawBar(rectPx: bottomRectPx, remaining: bottomValue) - } else if !hasWeekly { + } else if !hasWeekly || warpNoBonus { if style == .warp { + // Warp: no bonus or bonus exhausted -> top=full, bottom=monthly credits if topValue != nil { drawBar( rectPx: topRectPx, diff --git a/Sources/CodexBar/MenuCardView.swift b/Sources/CodexBar/MenuCardView.swift index 90b8c3aff..fdd6c79c0 100644 --- a/Sources/CodexBar/MenuCardView.swift +++ b/Sources/CodexBar/MenuCardView.swift @@ -762,13 +762,22 @@ extension UsageMenuCardView.Model { window: weekly, now: input.now, showUsed: input.usageBarsShowUsed) + var weeklyResetText = Self.resetText(for: weekly, style: input.resetTimeDisplayStyle, now: input.now) + var weeklyDetailText: String? = input.provider == .zai ? zaiTimeDetail : nil + if input.provider == .warp, + let detail = weekly.resetDescription, + !detail.trimmingCharacters(in: .whitespacesAndNewlines).isEmpty + { + weeklyResetText = nil + weeklyDetailText = detail + } metrics.append(Metric( id: "secondary", title: input.metadata.weeklyLabel, percent: Self.clamped(input.usageBarsShowUsed ? weekly.usedPercent : weekly.remainingPercent), percentStyle: percentStyle, - resetText: Self.resetText(for: weekly, style: input.resetTimeDisplayStyle, now: input.now), - detailText: input.provider == .zai ? zaiTimeDetail : nil, + resetText: weeklyResetText, + detailText: weeklyDetailText, detailLeftText: paceDetail?.leftLabel, detailRightText: paceDetail?.rightLabel, pacePercent: paceDetail?.pacePercent, diff --git a/Sources/CodexBar/MenuDescriptor.swift b/Sources/CodexBar/MenuDescriptor.swift index 36a9c861b..8d64e0339 100644 --- a/Sources/CodexBar/MenuDescriptor.swift +++ b/Sources/CodexBar/MenuDescriptor.swift @@ -123,12 +123,18 @@ struct MenuDescriptor { showUsed: settings.usageBarsShowUsed) } if let weekly = snap.secondary { + let weeklyResetOverride: String? = { + guard provider == .warp else { return nil } + let detail = weekly.resetDescription?.trimmingCharacters(in: .whitespacesAndNewlines) + return (detail?.isEmpty ?? true) ? nil : detail + }() Self.appendRateWindow( entries: &entries, title: meta.weeklyLabel, window: weekly, resetStyle: resetStyle, - showUsed: settings.usageBarsShowUsed) + showUsed: settings.usageBarsShowUsed, + resetOverride: weeklyResetOverride) if let paceSummary = UsagePaceText.weeklySummary(provider: provider, window: weekly) { entries.append(.text(paceSummary, .secondary)) } @@ -343,12 +349,15 @@ struct MenuDescriptor { title: String, window: RateWindow, resetStyle: ResetTimeDisplayStyle, - showUsed: Bool) + showUsed: Bool, + resetOverride: String? = nil) { let line = UsageFormatter .usageLine(remaining: window.remainingPercent, used: window.usedPercent, showUsed: showUsed) entries.append(.text("\(title): \(line)", .primary)) - if let reset = UsageFormatter.resetLine(for: window, style: resetStyle) { + if let resetOverride { + entries.append(.text(resetOverride, .secondary)) + } else if let reset = UsageFormatter.resetLine(for: window, style: resetStyle) { entries.append(.text(reset, .secondary)) } } diff --git a/Sources/CodexBarCore/Providers/Warp/WarpProviderDescriptor.swift b/Sources/CodexBarCore/Providers/Warp/WarpProviderDescriptor.swift index d1abb8ed9..3c22d75df 100644 --- a/Sources/CodexBarCore/Providers/Warp/WarpProviderDescriptor.swift +++ b/Sources/CodexBarCore/Providers/Warp/WarpProviderDescriptor.swift @@ -11,7 +11,7 @@ public enum WarpProviderDescriptor { id: .warp, displayName: "Warp", sessionLabel: "Credits", - weeklyLabel: "Credits", + weeklyLabel: "Add-on credits", opusLabel: nil, supportsOpus: false, supportsCredits: false, diff --git a/Sources/CodexBarCore/Providers/Warp/WarpUsageFetcher.swift b/Sources/CodexBarCore/Providers/Warp/WarpUsageFetcher.swift index 8ef495111..e6f57e47c 100644 --- a/Sources/CodexBarCore/Providers/Warp/WarpUsageFetcher.swift +++ b/Sources/CodexBarCore/Providers/Warp/WarpUsageFetcher.swift @@ -9,19 +9,33 @@ public struct WarpUsageSnapshot: Sendable { public let nextRefreshTime: Date? public let isUnlimited: Bool public let updatedAt: Date + // Combined bonus credits (user-level + workspace-level) + public let bonusCreditsRemaining: Int + public let bonusCreditsTotal: Int + // Earliest expiring bonus batch with remaining credits + public let bonusNextExpiration: Date? + public let bonusNextExpirationRemaining: Int public init( requestLimit: Int, requestsUsed: Int, nextRefreshTime: Date?, isUnlimited: Bool, - updatedAt: Date + updatedAt: Date, + bonusCreditsRemaining: Int = 0, + bonusCreditsTotal: Int = 0, + bonusNextExpiration: Date? = nil, + bonusNextExpirationRemaining: Int = 0 ) { self.requestLimit = requestLimit self.requestsUsed = requestsUsed self.nextRefreshTime = nextRefreshTime self.isUnlimited = isUnlimited self.updatedAt = updatedAt + self.bonusCreditsRemaining = bonusCreditsRemaining + self.bonusCreditsTotal = bonusCreditsTotal + self.bonusNextExpiration = bonusNextExpiration + self.bonusNextExpirationRemaining = bonusNextExpirationRemaining } public func toUsageSnapshot() -> UsageSnapshot { @@ -41,12 +55,36 @@ public struct WarpUsageSnapshot: Sendable { resetDescription = "\(self.requestsUsed)/\(self.requestLimit) credits" } - let rateWindow = RateWindow( + let primary = RateWindow( usedPercent: usedPercent, windowMinutes: nil, resetsAt: self.nextRefreshTime, resetDescription: resetDescription) + // Secondary: combined bonus/add-on credits (user + workspace) + let bonusUsedPercent: Double = { + guard self.bonusCreditsTotal > 0 else { + return self.bonusCreditsRemaining > 0 ? 0 : 100 + } + let used = self.bonusCreditsTotal - self.bonusCreditsRemaining + return min(100, max(0, Double(used) / Double(self.bonusCreditsTotal) * 100)) + }() + + var bonusDetail: String? + if self.bonusCreditsRemaining > 0, + let expiry = self.bonusNextExpiration, + self.bonusNextExpirationRemaining > 0 + { + let dateText = expiry.formatted(date: .abbreviated, time: .shortened) + bonusDetail = "\(self.bonusNextExpirationRemaining) credits expires on \(dateText)" + } + + let secondary = RateWindow( + usedPercent: bonusUsedPercent, + windowMinutes: nil, + resetsAt: nil, + resetDescription: bonusDetail) + let identity = ProviderIdentitySnapshot( providerID: .warp, accountEmail: nil, @@ -54,8 +92,8 @@ public struct WarpUsageSnapshot: Sendable { loginMethod: nil) return UsageSnapshot( - primary: rateWindow, - secondary: nil, + primary: primary, + secondary: secondary, tertiary: nil, providerCost: nil, updatedAt: self.updatedAt, @@ -87,7 +125,6 @@ public struct WarpUsageFetcher: Sendable { private static let log = CodexBarLog.logger(LogCategories.warpUsage) private static let apiURL = URL(string: "https://app.warp.dev/graphql/v2?op=GetRequestLimitInfo")! private static let clientID = "warp-app" - private static let clientVersion = "v0.2026.01.07.08.13.stable_01" private static let graphQLQuery = """ query GetRequestLimitInfo($requestContext: RequestContext!) { @@ -101,6 +138,20 @@ public struct WarpUsageFetcher: Sendable { requestLimit requestsUsedSinceLastRefresh } + bonusGrants { + requestCreditsGranted + requestCreditsRemaining + expiration + } + workspaces { + bonusGrantsInfo { + grants { + requestCreditsGranted + requestCreditsRemaining + expiration + } + } + } } } } @@ -117,7 +168,6 @@ public struct WarpUsageFetcher: Sendable { request.timeoutInterval = 15 request.setValue("application/json", forHTTPHeaderField: "Content-Type") request.setValue(self.clientID, forHTTPHeaderField: "x-warp-client-id") - request.setValue(self.clientVersion, forHTTPHeaderField: "x-warp-client-version") request.setValue("Bearer \(apiKey)", forHTTPHeaderField: "Authorization") let variables: [String: Any] = [ @@ -177,12 +227,99 @@ public struct WarpUsageFetcher: Sendable { nextRefreshTime = Self.parseDate(nextRefreshTimeString) } + // Parse and combine bonus credits from user-level and workspace-level + let bonus = Self.parseBonusCredits(from: innerUserObj) + return WarpUsageSnapshot( requestLimit: requestLimit, requestsUsed: requestsUsed, nextRefreshTime: nextRefreshTime, isUnlimited: isUnlimited, - updatedAt: Date()) + updatedAt: Date(), + bonusCreditsRemaining: bonus.remaining, + bonusCreditsTotal: bonus.total, + bonusNextExpiration: bonus.nextExpiration, + bonusNextExpirationRemaining: bonus.nextExpirationRemaining) + } + + private struct BonusGrant: Sendable { + let granted: Int + let remaining: Int + let expiration: Date? + } + + private struct BonusSummary: Sendable { + let remaining: Int + let total: Int + let nextExpiration: Date? + let nextExpirationRemaining: Int + } + + private static func parseBonusCredits(from userObj: [String: Any]) -> BonusSummary { + var grants: [BonusGrant] = [] + + // User-level bonus grants + if let bonusGrants = userObj["bonusGrants"] as? [[String: Any]] { + for grant in bonusGrants { + grants.append(Self.parseBonusGrant(from: grant)) + } + } + + // Workspace-level bonus grants + if let workspaces = userObj["workspaces"] as? [[String: Any]] { + for workspace in workspaces { + if let bonusGrantsInfo = workspace["bonusGrantsInfo"] as? [String: Any], + let workspaceGrants = bonusGrantsInfo["grants"] as? [[String: Any]] + { + for grant in workspaceGrants { + grants.append(Self.parseBonusGrant(from: grant)) + } + } + } + } + + let totalRemaining = grants.reduce(0) { $0 + $1.remaining } + let totalGranted = grants.reduce(0) { $0 + $1.granted } + + let expiring = grants.compactMap { grant -> (date: Date, remaining: Int)? in + guard grant.remaining > 0, let expiration = grant.expiration else { return nil } + return (expiration, grant.remaining) + } + + let nextExpiration: Date? + let nextExpirationRemaining: Int + if let earliest = expiring.min(by: { $0.date < $1.date }) { + let earliestKey = Int(earliest.date.timeIntervalSince1970) + let remaining = expiring.reduce(0) { result, item in + let key = Int(item.date.timeIntervalSince1970) + return result + (key == earliestKey ? item.remaining : 0) + } + nextExpiration = earliest.date + nextExpirationRemaining = remaining + } else { + nextExpiration = nil + nextExpirationRemaining = 0 + } + + return BonusSummary( + remaining: totalRemaining, + total: totalGranted, + nextExpiration: nextExpiration, + nextExpirationRemaining: nextExpirationRemaining) + } + + private static func parseBonusGrant(from grant: [String: Any]) -> BonusGrant { + let granted = self.intValue(grant["requestCreditsGranted"]) + let remaining = self.intValue(grant["requestCreditsRemaining"]) + let expiration = (grant["expiration"] as? String).flatMap(Self.parseDate) + return BonusGrant(granted: granted, remaining: remaining, expiration: expiration) + } + + private static func intValue(_ value: Any?) -> Int { + if let int = value as? Int { return int } + if let num = value as? NSNumber { return num.intValue } + if let text = value as? String, let int = Int(text) { return int } + return 0 } private static func parseDate(_ dateString: String) -> Date? { From 224314ad282f88b2e7eabd81d5f92447e20713b8 Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Wed, 11 Feb 2026 17:31:51 +0530 Subject: [PATCH 023/131] Harden Warp usage fetcher --- Sources/CodexBar/IconRenderer.swift | 11 +- .../Warp/WarpProviderDescriptor.swift | 4 +- .../Providers/Warp/WarpUsageFetcher.swift | 143 ++++++++++----- Tests/CodexBarTests/SettingsStoreTests.swift | 1 + .../CodexBarTests/WarpUsageFetcherTests.swift | 168 ++++++++++++++++++ 5 files changed, 280 insertions(+), 47 deletions(-) create mode 100644 Tests/CodexBarTests/WarpUsageFetcherTests.swift diff --git a/Sources/CodexBar/IconRenderer.swift b/Sources/CodexBar/IconRenderer.swift index 8108cb3f3..4eb913477 100644 --- a/Sources/CodexBar/IconRenderer.swift +++ b/Sources/CodexBar/IconRenderer.swift @@ -1,6 +1,7 @@ import AppKit import CodexBarCore +// swiftlint:disable:next type_body_length enum IconRenderer { private static let creditsCap: Double = 1000 private static let baseSize = NSSize(width: 18, height: 18) @@ -586,16 +587,16 @@ enum IconRenderer { let ctx = NSGraphicsContext.current?.cgContext let centerXPx = rectPx.midXPx let eyeCenterYPx = rectPx.y + rectPx.h / 2 - + ctx?.saveGState() ctx?.setShouldAntialias(true) // Smooth edges for tilted ellipse eyes // 1. Draw Eyes (Tilted ellipse cutouts - "fox eye" / "cat eye" style) // Eyes are elliptical and tilted outward (outer corners pointing up) - let eyeWidthPx: CGFloat = 5.3125 // Scaled up 125% to match rounded rect face - let eyeHeightPx: CGFloat = 8.5 // Scaled up 125% to match rounded rect face + let eyeWidthPx: CGFloat = 5.3125 // Scaled up 125% to match rounded rect face + let eyeHeightPx: CGFloat = 8.5 // Scaled up 125% to match rounded rect face let eyeOffsetPx: CGFloat = 7 - let eyeTiltAngle: CGFloat = .pi / 3 // 60 degrees tilt + let eyeTiltAngle: CGFloat = .pi / 3 // 60 degrees tilt let leftEyeCx = Self.grid.pt(centerXPx) - Self.grid.pt(Int(eyeOffsetPx)) let rightEyeCx = Self.grid.pt(centerXPx) + Self.grid.pt(Int(eyeOffsetPx)) @@ -603,7 +604,7 @@ enum IconRenderer { let eyeW = Self.grid.pt(Int(eyeWidthPx)) let eyeH = Self.grid.pt(Int(eyeHeightPx)) - // Helper to draw a tilted ellipse eye + /// Draw a tilted ellipse eye at the given center. func drawTiltedEyeCutout(cx: CGFloat, cy: CGFloat, tiltAngle: CGFloat) { let eyeRect = CGRect( x: -eyeW / 2, diff --git a/Sources/CodexBarCore/Providers/Warp/WarpProviderDescriptor.swift b/Sources/CodexBarCore/Providers/Warp/WarpProviderDescriptor.swift index 3c22d75df..1b2d583fc 100644 --- a/Sources/CodexBarCore/Providers/Warp/WarpProviderDescriptor.swift +++ b/Sources/CodexBarCore/Providers/Warp/WarpProviderDescriptor.swift @@ -59,7 +59,9 @@ struct WarpAPIFetchStrategy: ProviderFetchStrategy { sourceLabel: "api") } - func shouldFallback(on _: Error, context _: ProviderFetchContext) -> Bool { false } + func shouldFallback(on _: Error, context _: ProviderFetchContext) -> Bool { + false + } private static func resolveToken(environment: [String: String]) -> String? { ProviderTokenResolver.warpToken(environment: environment) diff --git a/Sources/CodexBarCore/Providers/Warp/WarpUsageFetcher.swift b/Sources/CodexBarCore/Providers/Warp/WarpUsageFetcher.swift index e6f57e47c..4581db605 100644 --- a/Sources/CodexBarCore/Providers/Warp/WarpUsageFetcher.swift +++ b/Sources/CodexBarCore/Providers/Warp/WarpUsageFetcher.swift @@ -25,8 +25,8 @@ public struct WarpUsageSnapshot: Sendable { bonusCreditsRemaining: Int = 0, bonusCreditsTotal: Int = 0, bonusNextExpiration: Date? = nil, - bonusNextExpirationRemaining: Int = 0 - ) { + bonusNextExpirationRemaining: Int = 0) + { self.requestLimit = requestLimit self.requestsUsed = requestsUsed self.nextRefreshTime = nextRefreshTime @@ -39,20 +39,18 @@ public struct WarpUsageSnapshot: Sendable { } public func toUsageSnapshot() -> UsageSnapshot { - let usedPercent: Double - if self.isUnlimited { - usedPercent = 0 + let usedPercent: Double = if self.isUnlimited { + 0 } else if self.requestLimit > 0 { - usedPercent = min(100, max(0, Double(self.requestsUsed) / Double(self.requestLimit) * 100)) + min(100, max(0, Double(self.requestsUsed) / Double(self.requestLimit) * 100)) } else { - usedPercent = 0 + 0 } - let resetDescription: String? - if self.isUnlimited { - resetDescription = "Unlimited" + let resetDescription: String? = if self.isUnlimited { + "Unlimited" } else { - resetDescription = "\(self.requestsUsed)/\(self.requestLimit) credits" + "\(self.requestsUsed)/\(self.requestLimit) credits" } let primary = RateWindow( @@ -127,47 +125,53 @@ public struct WarpUsageFetcher: Sendable { private static let clientID = "warp-app" private static let graphQLQuery = """ - query GetRequestLimitInfo($requestContext: RequestContext!) { - user(requestContext: $requestContext) { - __typename - ... on UserOutput { - user { - requestLimitInfo { - isUnlimited - nextRefreshTime - requestLimit - requestsUsedSinceLastRefresh - } - bonusGrants { + query GetRequestLimitInfo($requestContext: RequestContext!) { + user(requestContext: $requestContext) { + __typename + ... on UserOutput { + user { + requestLimitInfo { + isUnlimited + nextRefreshTime + requestLimit + requestsUsedSinceLastRefresh + } + bonusGrants { + requestCreditsGranted + requestCreditsRemaining + expiration + } + workspaces { + bonusGrantsInfo { + grants { requestCreditsGranted requestCreditsRemaining expiration } - workspaces { - bonusGrantsInfo { - grants { - requestCreditsGranted - requestCreditsRemaining - expiration - } - } - } } } } } - """ + } + } + """ public static func fetchUsage(apiKey: String) async throws -> WarpUsageSnapshot { guard !apiKey.trimmingCharacters(in: .whitespacesAndNewlines).isEmpty else { throw WarpUsageError.missingCredentials } + let osVersion = ProcessInfo.processInfo.operatingSystemVersion + let osVersionString = "\(osVersion.majorVersion).\(osVersion.minorVersion).\(osVersion.patchVersion)" + var request = URLRequest(url: self.apiURL) request.httpMethod = "POST" request.timeoutInterval = 15 request.setValue("application/json", forHTTPHeaderField: "Content-Type") request.setValue(self.clientID, forHTTPHeaderField: "x-warp-client-id") + request.setValue("macOS", forHTTPHeaderField: "x-warp-os-category") + request.setValue("macOS", forHTTPHeaderField: "x-warp-os-name") + request.setValue(osVersionString, forHTTPHeaderField: "x-warp-os-version") request.setValue("Bearer \(apiKey)", forHTTPHeaderField: "Authorization") let variables: [String: Any] = [ @@ -176,7 +180,7 @@ public struct WarpUsageFetcher: Sendable { "osContext": [ "category": "macOS", "name": "macOS", - "version": "15.0", + "version": osVersionString, ] as [String: Any], ] as [String: Any], ] @@ -208,19 +212,43 @@ public struct WarpUsageFetcher: Sendable { return try Self.parseResponse(data: data) } + static func _parseResponseForTesting(_ data: Data) throws -> WarpUsageSnapshot { + try self.parseResponse(data: data) + } + private static func parseResponse(data: Data) throws -> WarpUsageSnapshot { - guard let json = try? JSONSerialization.jsonObject(with: data) as? [String: Any], - let dataObj = json["data"] as? [String: Any], - let userObj = dataObj["user"] as? [String: Any], - let innerUserObj = userObj["user"] as? [String: Any], + guard let root = try? JSONSerialization.jsonObject(with: data), + let json = root as? [String: Any] + else { + throw WarpUsageError.parseFailed("Root JSON is not an object.") + } + + if let rawErrors = json["errors"] as? [Any], !rawErrors.isEmpty { + let messages = rawErrors.compactMap(Self.graphQLErrorMessage(from:)) + let summary = messages.isEmpty ? "GraphQL request failed." : messages.prefix(3).joined(separator: " | ") + throw WarpUsageError.apiError(200, summary) + } + + guard let dataObj = json["data"] as? [String: Any], + let userObj = dataObj["user"] as? [String: Any] + else { + throw WarpUsageError.parseFailed("Missing data.user in response.") + } + + let typeName = (userObj["__typename"] as? String)?.trimmingCharacters(in: .whitespacesAndNewlines) + + guard let innerUserObj = userObj["user"] as? [String: Any], let limitInfo = innerUserObj["requestLimitInfo"] as? [String: Any] else { + if let typeName, !typeName.isEmpty, typeName != "UserOutput" { + throw WarpUsageError.parseFailed("Unexpected user type '\(typeName)'.") + } throw WarpUsageError.parseFailed("Unable to extract requestLimitInfo from response.") } - let isUnlimited = limitInfo["isUnlimited"] as? Bool ?? false - let requestLimit = limitInfo["requestLimit"] as? Int ?? 0 - let requestsUsed = limitInfo["requestsUsedSinceLastRefresh"] as? Int ?? 0 + let isUnlimited = Self.boolValue(limitInfo["isUnlimited"]) + let requestLimit = self.intValue(limitInfo["requestLimit"]) + let requestsUsed = self.intValue(limitInfo["requestsUsedSinceLastRefresh"]) var nextRefreshTime: Date? if let nextRefreshTimeString = limitInfo["nextRefreshTime"] as? String { @@ -322,6 +350,39 @@ public struct WarpUsageFetcher: Sendable { return 0 } + private static func boolValue(_ value: Any?) -> Bool { + if let bool = value as? Bool { + return bool + } + if let number = value as? NSNumber { + return number.boolValue + } + if let text = value as? String { + let normalized = text.trimmingCharacters(in: .whitespacesAndNewlines).lowercased() + if ["true", "1", "yes"].contains(normalized) { + return true + } + if ["false", "0", "no"].contains(normalized) { + return false + } + } + return false + } + + private static func graphQLErrorMessage(from value: Any) -> String? { + if let message = value as? String { + let trimmed = message.trimmingCharacters(in: .whitespacesAndNewlines) + return trimmed.isEmpty ? nil : trimmed + } + if let dict = value as? [String: Any], + let message = dict["message"] as? String + { + let trimmed = message.trimmingCharacters(in: .whitespacesAndNewlines) + return trimmed.isEmpty ? nil : trimmed + } + return nil + } + private static func parseDate(_ dateString: String) -> Date? { let formatter = ISO8601DateFormatter() formatter.formatOptions = [.withInternetDateTime, .withFractionalSeconds] diff --git a/Tests/CodexBarTests/SettingsStoreTests.swift b/Tests/CodexBarTests/SettingsStoreTests.swift index fad99a763..77e1b767c 100644 --- a/Tests/CodexBarTests/SettingsStoreTests.swift +++ b/Tests/CodexBarTests/SettingsStoreTests.swift @@ -364,6 +364,7 @@ struct SettingsStoreTests { .kimik2, .amp, .synthetic, + .warp, ]) // Move one provider; ensure it's persisted across instances. diff --git a/Tests/CodexBarTests/WarpUsageFetcherTests.swift b/Tests/CodexBarTests/WarpUsageFetcherTests.swift new file mode 100644 index 000000000..9779b8028 --- /dev/null +++ b/Tests/CodexBarTests/WarpUsageFetcherTests.swift @@ -0,0 +1,168 @@ +import Foundation +import Testing +@testable import CodexBarCore + +@Suite +struct WarpUsageFetcherTests { + @Test + func parsesSnapshotAndAggregatesBonusCredits() throws { + let json = """ + { + "data": { + "user": { + "__typename": "UserOutput", + "user": { + "requestLimitInfo": { + "isUnlimited": false, + "nextRefreshTime": "2026-02-28T19:16:33.462988Z", + "requestLimit": 1500, + "requestsUsedSinceLastRefresh": 5 + }, + "bonusGrants": [ + { + "requestCreditsGranted": 20, + "requestCreditsRemaining": 10, + "expiration": "2026-03-01T10:00:00Z" + } + ], + "workspaces": [ + { + "bonusGrantsInfo": { + "grants": [ + { + "requestCreditsGranted": "15", + "requestCreditsRemaining": "5", + "expiration": "2026-03-15T10:00:00Z" + } + ] + } + } + ] + } + } + } + } + """ + + let snapshot = try WarpUsageFetcher._parseResponseForTesting(Data(json.utf8)) + let formatter = ISO8601DateFormatter() + formatter.formatOptions = [.withInternetDateTime, .withFractionalSeconds] + let expectedRefresh = formatter.date(from: "2026-02-28T19:16:33.462988Z") + let expectedExpiry = ISO8601DateFormatter().date(from: "2026-03-01T10:00:00Z") + + #expect(snapshot.requestLimit == 1500) + #expect(snapshot.requestsUsed == 5) + #expect(snapshot.isUnlimited == false) + #expect(snapshot.nextRefreshTime != nil) + #expect(abs((snapshot.nextRefreshTime?.timeIntervalSince1970 ?? 0) - + (expectedRefresh?.timeIntervalSince1970 ?? 0)) + < 0.5) + #expect(snapshot.bonusCreditsTotal == 35) + #expect(snapshot.bonusCreditsRemaining == 15) + #expect(snapshot.bonusNextExpirationRemaining == 10) + #expect(abs((snapshot.bonusNextExpiration?.timeIntervalSince1970 ?? 0) - + (expectedExpiry?.timeIntervalSince1970 ?? 0)) + < 0.5) + } + + @Test + func graphQLErrorsThrowAPIError() { + let json = """ + { + "errors": [ + { "message": "Unauthorized" } + ] + } + """ + + #expect { + _ = try WarpUsageFetcher._parseResponseForTesting(Data(json.utf8)) + } throws: { error in + guard case let WarpUsageError.apiError(code, message) = error else { return false } + return code == 200 && message.contains("Unauthorized") + } + } + + @Test + func nullUnlimitedAndStringNumericsParseSafely() throws { + let json = """ + { + "data": { + "user": { + "__typename": "UserOutput", + "user": { + "requestLimitInfo": { + "isUnlimited": null, + "nextRefreshTime": "2026-02-28T19:16:33Z", + "requestLimit": "1500", + "requestsUsedSinceLastRefresh": "5" + } + } + } + } + } + """ + + let snapshot = try WarpUsageFetcher._parseResponseForTesting(Data(json.utf8)) + + #expect(snapshot.isUnlimited == false) + #expect(snapshot.requestLimit == 1500) + #expect(snapshot.requestsUsed == 5) + #expect(snapshot.nextRefreshTime != nil) + } + + @Test + func unexpectedTypenameReturnsParseError() { + let json = """ + { + "data": { + "user": { + "__typename": "AuthError" + } + } + } + """ + + #expect { + _ = try WarpUsageFetcher._parseResponseForTesting(Data(json.utf8)) + } throws: { error in + guard case let WarpUsageError.parseFailed(message) = error else { return false } + return message.contains("Unexpected user type") + } + } + + @Test + func missingRequestLimitInfoReturnsParseError() { + let json = """ + { + "data": { + "user": { + "__typename": "UserOutput", + "user": {} + } + } + } + """ + + #expect { + _ = try WarpUsageFetcher._parseResponseForTesting(Data(json.utf8)) + } throws: { error in + guard case let WarpUsageError.parseFailed(message) = error else { return false } + return message.contains("requestLimitInfo") + } + } + + @Test + func invalidRootReturnsParseError() { + let json = """ + [{ "data": {} }] + """ + + #expect { + _ = try WarpUsageFetcher._parseResponseForTesting(Data(json.utf8)) + } throws: { error in + guard case let WarpUsageError.parseFailed(message) = error else { return false } + return message == "Root JSON is not an object." + } + } +} From 4da53962faa942b79db05ad3aec3f38fe2937693 Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Wed, 11 Feb 2026 18:33:05 +0530 Subject: [PATCH 024/131] Address Warp review follow-ups --- Sources/CodexBar/IconRenderer.swift | 16 ++--- Sources/CodexBar/MenuCardView.swift | 10 ++- Sources/CodexBar/MenuDescriptor.swift | 7 ++ .../Warp/WarpProviderImplementation.swift | 2 +- .../Providers/Warp/WarpSettingsStore.swift | 2 - .../Providers/Warp/WarpUsageFetcher.swift | 64 +++++++++++++++++-- docs/providers.md | 2 +- 7 files changed, 83 insertions(+), 20 deletions(-) diff --git a/Sources/CodexBar/IconRenderer.swift b/Sources/CodexBar/IconRenderer.swift index 4eb913477..8dd26bfae 100644 --- a/Sources/CodexBar/IconRenderer.swift +++ b/Sources/CodexBar/IconRenderer.swift @@ -592,17 +592,17 @@ enum IconRenderer { ctx?.setShouldAntialias(true) // Smooth edges for tilted ellipse eyes // 1. Draw Eyes (Tilted ellipse cutouts - "fox eye" / "cat eye" style) - // Eyes are elliptical and tilted outward (outer corners pointing up) - let eyeWidthPx: CGFloat = 5.3125 // Scaled up 125% to match rounded rect face - let eyeHeightPx: CGFloat = 8.5 // Scaled up 125% to match rounded rect face - let eyeOffsetPx: CGFloat = 7 + // Keep sizes in integer pixels so grid conversion stays exact. + let eyeWidthPx = 5 + let eyeHeightPx = 8 + let eyeOffsetPx = 7 let eyeTiltAngle: CGFloat = .pi / 3 // 60 degrees tilt - let leftEyeCx = Self.grid.pt(centerXPx) - Self.grid.pt(Int(eyeOffsetPx)) - let rightEyeCx = Self.grid.pt(centerXPx) + Self.grid.pt(Int(eyeOffsetPx)) + let leftEyeCx = Self.grid.pt(centerXPx) - Self.grid.pt(eyeOffsetPx) + let rightEyeCx = Self.grid.pt(centerXPx) + Self.grid.pt(eyeOffsetPx) let eyeCy = Self.grid.pt(eyeCenterYPx) - let eyeW = Self.grid.pt(Int(eyeWidthPx)) - let eyeH = Self.grid.pt(Int(eyeHeightPx)) + let eyeW = Self.grid.pt(eyeWidthPx) + let eyeH = Self.grid.pt(eyeHeightPx) /// Draw a tilted ellipse eye at the given center. func drawTiltedEyeCutout(cx: CGFloat, cy: CGFloat, tiltAngle: CGFloat) { diff --git a/Sources/CodexBar/MenuCardView.swift b/Sources/CodexBar/MenuCardView.swift index fdd6c79c0..bcdc9a310 100644 --- a/Sources/CodexBar/MenuCardView.swift +++ b/Sources/CodexBar/MenuCardView.swift @@ -743,6 +743,14 @@ extension UsageMenuCardView.Model { let zaiTokenDetail = Self.zaiLimitDetailText(limit: zaiUsage?.tokenLimit) let zaiTimeDetail = Self.zaiLimitDetailText(limit: zaiUsage?.timeLimit) if let primary = snapshot.primary { + var primaryDetailText: String? = input.provider == .zai ? zaiTokenDetail : nil + if input.provider == .warp, + primary.resetsAt != nil, + let detail = primary.resetDescription, + !detail.trimmingCharacters(in: .whitespacesAndNewlines).isEmpty + { + primaryDetailText = detail + } metrics.append(Metric( id: "primary", title: input.metadata.sessionLabel, @@ -750,7 +758,7 @@ extension UsageMenuCardView.Model { input.usageBarsShowUsed ? primary.usedPercent : primary.remainingPercent), percentStyle: percentStyle, resetText: Self.resetText(for: primary, style: input.resetTimeDisplayStyle, now: input.now), - detailText: input.provider == .zai ? zaiTokenDetail : nil, + detailText: primaryDetailText, detailLeftText: nil, detailRightText: nil, pacePercent: nil, diff --git a/Sources/CodexBar/MenuDescriptor.swift b/Sources/CodexBar/MenuDescriptor.swift index 8d64e0339..b348fa519 100644 --- a/Sources/CodexBar/MenuDescriptor.swift +++ b/Sources/CodexBar/MenuDescriptor.swift @@ -121,6 +121,13 @@ struct MenuDescriptor { window: primary, resetStyle: resetStyle, showUsed: settings.usageBarsShowUsed) + if provider == .warp, + primary.resetsAt != nil, + let detail = primary.resetDescription?.trimmingCharacters(in: .whitespacesAndNewlines), + !detail.isEmpty + { + entries.append(.text(detail, .secondary)) + } } if let weekly = snap.secondary { let weeklyResetOverride: String? = { diff --git a/Sources/CodexBar/Providers/Warp/WarpProviderImplementation.swift b/Sources/CodexBar/Providers/Warp/WarpProviderImplementation.swift index d1f2872b3..aee9f5a2a 100644 --- a/Sources/CodexBar/Providers/Warp/WarpProviderImplementation.swift +++ b/Sources/CodexBar/Providers/Warp/WarpProviderImplementation.swift @@ -35,7 +35,7 @@ struct WarpProviderImplementation: ProviderImplementation { }), ], isVisible: nil, - onActivate: { context.settings.ensureWarpAPITokenLoaded() }), + onActivate: nil), ] } } diff --git a/Sources/CodexBar/Providers/Warp/WarpSettingsStore.swift b/Sources/CodexBar/Providers/Warp/WarpSettingsStore.swift index ed6a6d1f8..735b700b8 100644 --- a/Sources/CodexBar/Providers/Warp/WarpSettingsStore.swift +++ b/Sources/CodexBar/Providers/Warp/WarpSettingsStore.swift @@ -11,6 +11,4 @@ extension SettingsStore { self.logSecretUpdate(provider: .warp, field: "apiKey", value: newValue) } } - - func ensureWarpAPITokenLoaded() {} } diff --git a/Sources/CodexBarCore/Providers/Warp/WarpUsageFetcher.swift b/Sources/CodexBarCore/Providers/Warp/WarpUsageFetcher.swift index 4581db605..703663180 100644 --- a/Sources/CodexBarCore/Providers/Warp/WarpUsageFetcher.swift +++ b/Sources/CodexBarCore/Providers/Warp/WarpUsageFetcher.swift @@ -200,16 +200,22 @@ public struct WarpUsageFetcher: Sendable { } guard httpResponse.statusCode == 200 else { - let body = String(data: data, encoding: .utf8) ?? "HTTP \(httpResponse.statusCode)" - Self.log.error("Warp API returned \(httpResponse.statusCode): \(body)") - throw WarpUsageError.apiError(httpResponse.statusCode, body) + let summary = Self.apiErrorSummary(statusCode: httpResponse.statusCode, data: data) + Self.log.error("Warp API returned \(httpResponse.statusCode): \(summary)") + throw WarpUsageError.apiError(httpResponse.statusCode, summary) } - if let jsonString = String(data: data, encoding: .utf8) { - Self.log.debug("Warp API response: \(jsonString)") + do { + let snapshot = try Self.parseResponse(data: data) + Self.log.debug( + "Warp usage parsed requestLimit=\(snapshot.requestLimit) requestsUsed=\(snapshot.requestsUsed) " + + "bonusRemaining=\(snapshot.bonusCreditsRemaining) bonusTotal=\(snapshot.bonusCreditsTotal) " + + "isUnlimited=\(snapshot.isUnlimited)") + return snapshot + } catch { + Self.log.error("Warp response parse failed bytes=\(data.count) error=\(error.localizedDescription)") + throw error } - - return try Self.parseResponse(data: data) } static func _parseResponseForTesting(_ data: Data) throws -> WarpUsageSnapshot { @@ -383,6 +389,50 @@ public struct WarpUsageFetcher: Sendable { return nil } + private static func apiErrorSummary(statusCode: Int, data: Data) -> String { + guard let root = try? JSONSerialization.jsonObject(with: data), + let json = root as? [String: Any] + else { + return "Unexpected response body (\(data.count) bytes)." + } + + if let rawErrors = json["errors"] as? [Any], !rawErrors.isEmpty { + let messages = rawErrors.compactMap(Self.graphQLErrorMessage(from:)) + let joined = messages.prefix(3).joined(separator: " | ") + if !joined.isEmpty { + return Self.compactSummaryText(joined) + } + } + + if let error = json["error"] as? String { + let trimmed = error.trimmingCharacters(in: .whitespacesAndNewlines) + if !trimmed.isEmpty { + return Self.compactSummaryText(trimmed) + } + } + + if let message = json["message"] as? String { + let trimmed = message.trimmingCharacters(in: .whitespacesAndNewlines) + if !trimmed.isEmpty { + return Self.compactSummaryText(trimmed) + } + } + + return "HTTP \(statusCode) (\(data.count) bytes)." + } + + private static func compactSummaryText(_ text: String, maxLength: Int = 200) -> String { + let collapsed = text + .components(separatedBy: .newlines) + .joined(separator: " ") + .trimmingCharacters(in: .whitespacesAndNewlines) + if collapsed.count <= maxLength { + return collapsed + } + let limitIndex = collapsed.index(collapsed.startIndex, offsetBy: maxLength) + return "\(collapsed[.. Date? { let formatter = ISO8601DateFormatter() formatter.formatOptions = [.withInternetDateTime, .withFractionalSeconds] diff --git a/docs/providers.md b/docs/providers.md index 3054b6ff9..ee9fa2f5c 100644 --- a/docs/providers.md +++ b/docs/providers.md @@ -34,7 +34,7 @@ until the session is invalid, to avoid repeated Keychain prompts. | Vertex AI | Google ADC OAuth (gcloud) → Cloud Monitoring quota usage (`oauth`). | | JetBrains AI | Local XML quota file (`local`). | | Amp | Web settings page via browser cookies (`web`). | -| Warp | API token (Keychain/env) → GraphQL request limits (`api`). | +| Warp | API token (config/env) → GraphQL request limits (`api`). | ## Codex - Web dashboard (when enabled): `https://chatgpt.com/codex/settings/usage` via WebView + browser cookies. From 0d2899a9f52c06db93fe424d236ae35ce641c8a7 Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Wed, 11 Feb 2026 18:57:03 +0530 Subject: [PATCH 025/131] Refine Warp usage window semantics --- Sources/CodexBar/MenuCardView.swift | 7 ++- Sources/CodexBar/MenuDescriptor.swift | 13 ++++- .../Providers/Warp/WarpUsageFetcher.swift | 36 ++++++++----- Tests/CodexBarTests/MenuCardModelTests.swift | 45 ++++++++++++++++ .../CodexBarTests/WarpUsageFetcherTests.swift | 54 +++++++++++++++++++ 5 files changed, 137 insertions(+), 18 deletions(-) diff --git a/Sources/CodexBar/MenuCardView.swift b/Sources/CodexBar/MenuCardView.swift index bcdc9a310..89a930dc1 100644 --- a/Sources/CodexBar/MenuCardView.swift +++ b/Sources/CodexBar/MenuCardView.swift @@ -744,20 +744,23 @@ extension UsageMenuCardView.Model { let zaiTimeDetail = Self.zaiLimitDetailText(limit: zaiUsage?.timeLimit) if let primary = snapshot.primary { var primaryDetailText: String? = input.provider == .zai ? zaiTokenDetail : nil + var primaryResetText = Self.resetText(for: primary, style: input.resetTimeDisplayStyle, now: input.now) if input.provider == .warp, - primary.resetsAt != nil, let detail = primary.resetDescription, !detail.trimmingCharacters(in: .whitespacesAndNewlines).isEmpty { primaryDetailText = detail } + if input.provider == .warp, primary.resetsAt == nil { + primaryResetText = nil + } metrics.append(Metric( id: "primary", title: input.metadata.sessionLabel, percent: Self.clamped( input.usageBarsShowUsed ? primary.usedPercent : primary.remainingPercent), percentStyle: percentStyle, - resetText: Self.resetText(for: primary, style: input.resetTimeDisplayStyle, now: input.now), + resetText: primaryResetText, detailText: primaryDetailText, detailLeftText: nil, detailRightText: nil, diff --git a/Sources/CodexBar/MenuDescriptor.swift b/Sources/CodexBar/MenuDescriptor.swift index b348fa519..af9fd8e79 100644 --- a/Sources/CodexBar/MenuDescriptor.swift +++ b/Sources/CodexBar/MenuDescriptor.swift @@ -115,14 +115,23 @@ struct MenuDescriptor { if let snap = store.snapshot(for: provider) { let resetStyle = settings.resetTimeDisplayStyle if let primary = snap.primary { + let warpPrimaryResetOverride: String? = { + guard provider == .warp, primary.resetsAt != nil else { return nil } + let resetOnlyWindow = RateWindow( + usedPercent: primary.usedPercent, + windowMinutes: primary.windowMinutes, + resetsAt: primary.resetsAt, + resetDescription: nil) + return UsageFormatter.resetLine(for: resetOnlyWindow, style: resetStyle) + }() Self.appendRateWindow( entries: &entries, title: meta.sessionLabel, window: primary, resetStyle: resetStyle, - showUsed: settings.usageBarsShowUsed) + showUsed: settings.usageBarsShowUsed, + resetOverride: warpPrimaryResetOverride) if provider == .warp, - primary.resetsAt != nil, let detail = primary.resetDescription?.trimmingCharacters(in: .whitespacesAndNewlines), !detail.isEmpty { diff --git a/Sources/CodexBarCore/Providers/Warp/WarpUsageFetcher.swift b/Sources/CodexBarCore/Providers/Warp/WarpUsageFetcher.swift index 703663180..0ea5c2307 100644 --- a/Sources/CodexBarCore/Providers/Warp/WarpUsageFetcher.swift +++ b/Sources/CodexBarCore/Providers/Warp/WarpUsageFetcher.swift @@ -56,18 +56,10 @@ public struct WarpUsageSnapshot: Sendable { let primary = RateWindow( usedPercent: usedPercent, windowMinutes: nil, - resetsAt: self.nextRefreshTime, + resetsAt: self.isUnlimited ? nil : self.nextRefreshTime, resetDescription: resetDescription) // Secondary: combined bonus/add-on credits (user + workspace) - let bonusUsedPercent: Double = { - guard self.bonusCreditsTotal > 0 else { - return self.bonusCreditsRemaining > 0 ? 0 : 100 - } - let used = self.bonusCreditsTotal - self.bonusCreditsRemaining - return min(100, max(0, Double(used) / Double(self.bonusCreditsTotal) * 100)) - }() - var bonusDetail: String? if self.bonusCreditsRemaining > 0, let expiry = self.bonusNextExpiration, @@ -77,11 +69,27 @@ public struct WarpUsageSnapshot: Sendable { bonusDetail = "\(self.bonusNextExpirationRemaining) credits expires on \(dateText)" } - let secondary = RateWindow( - usedPercent: bonusUsedPercent, - windowMinutes: nil, - resetsAt: nil, - resetDescription: bonusDetail) + let hasBonusWindow = self.bonusCreditsTotal > 0 + || self.bonusCreditsRemaining > 0 + || (bonusDetail?.isEmpty == false) + + let secondary: RateWindow? + if hasBonusWindow { + let bonusUsedPercent: Double = { + guard self.bonusCreditsTotal > 0 else { + return self.bonusCreditsRemaining > 0 ? 0 : 100 + } + let used = self.bonusCreditsTotal - self.bonusCreditsRemaining + return min(100, max(0, Double(used) / Double(self.bonusCreditsTotal) * 100)) + }() + secondary = RateWindow( + usedPercent: bonusUsedPercent, + windowMinutes: nil, + resetsAt: nil, + resetDescription: bonusDetail) + } else { + secondary = nil + } let identity = ProviderIdentitySnapshot( providerID: .warp, diff --git a/Tests/CodexBarTests/MenuCardModelTests.swift b/Tests/CodexBarTests/MenuCardModelTests.swift index a735f6a19..8deab6533 100644 --- a/Tests/CodexBarTests/MenuCardModelTests.swift +++ b/Tests/CodexBarTests/MenuCardModelTests.swift @@ -432,4 +432,49 @@ struct MenuCardModelTests { #expect(model.creditsHintCopyText?.isEmpty == true) #expect(model.creditsHintText?.contains("codex@example.com") == false) } + + @Test + func warpModelShowsPrimaryDetailWhenResetDateMissing() throws { + let now = Date() + let identity = ProviderIdentitySnapshot( + providerID: .warp, + accountEmail: nil, + accountOrganization: nil, + loginMethod: nil) + let snapshot = UsageSnapshot( + primary: RateWindow( + usedPercent: 10, + windowMinutes: nil, + resetsAt: nil, + resetDescription: "10/100 credits"), + secondary: nil, + tertiary: nil, + updatedAt: now, + identity: identity) + let metadata = try #require(ProviderDefaults.metadata[.warp]) + + let model = UsageMenuCardView.Model.make(.init( + provider: .warp, + metadata: metadata, + snapshot: snapshot, + credits: nil, + creditsError: nil, + dashboard: nil, + dashboardError: nil, + tokenSnapshot: nil, + tokenError: nil, + account: AccountInfo(email: nil, plan: nil), + isRefreshing: false, + lastError: nil, + usageBarsShowUsed: true, + resetTimeDisplayStyle: .countdown, + tokenCostUsageEnabled: false, + showOptionalCreditsAndExtraUsage: true, + hidePersonalInfo: false, + now: now)) + + let primary = try #require(model.metrics.first) + #expect(primary.resetText == nil) + #expect(primary.detailText == "10/100 credits") + } } diff --git a/Tests/CodexBarTests/WarpUsageFetcherTests.swift b/Tests/CodexBarTests/WarpUsageFetcherTests.swift index 9779b8028..7448bb094 100644 --- a/Tests/CodexBarTests/WarpUsageFetcherTests.swift +++ b/Tests/CodexBarTests/WarpUsageFetcherTests.swift @@ -165,4 +165,58 @@ struct WarpUsageFetcherTests { return message == "Root JSON is not an object." } } + + @Test + func toUsageSnapshotOmitsSecondaryWhenNoBonusCredits() { + let source = WarpUsageSnapshot( + requestLimit: 100, + requestsUsed: 10, + nextRefreshTime: Date().addingTimeInterval(3600), + isUnlimited: false, + updatedAt: Date(), + bonusCreditsRemaining: 0, + bonusCreditsTotal: 0, + bonusNextExpiration: nil, + bonusNextExpirationRemaining: 0) + + let snapshot = source.toUsageSnapshot() + #expect(snapshot.secondary == nil) + } + + @Test + func toUsageSnapshotKeepsBonusWindowWhenBonusExists() throws { + let source = WarpUsageSnapshot( + requestLimit: 100, + requestsUsed: 10, + nextRefreshTime: Date().addingTimeInterval(3600), + isUnlimited: false, + updatedAt: Date(), + bonusCreditsRemaining: 0, + bonusCreditsTotal: 20, + bonusNextExpiration: nil, + bonusNextExpirationRemaining: 0) + + let snapshot = source.toUsageSnapshot() + let secondary = try #require(snapshot.secondary) + #expect(secondary.usedPercent == 100) + } + + @Test + func toUsageSnapshotUnlimitedPrimaryDoesNotShowResetDate() throws { + let source = WarpUsageSnapshot( + requestLimit: 0, + requestsUsed: 0, + nextRefreshTime: Date().addingTimeInterval(3600), + isUnlimited: true, + updatedAt: Date(), + bonusCreditsRemaining: 0, + bonusCreditsTotal: 0, + bonusNextExpiration: nil, + bonusNextExpirationRemaining: 0) + + let snapshot = source.toUsageSnapshot() + let primary = try #require(snapshot.primary) + #expect(primary.resetsAt == nil) + #expect(primary.resetDescription == "Unlimited") + } } From a46f123a73a3286dcae4902409689690998137e1 Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Wed, 11 Feb 2026 20:51:02 +0530 Subject: [PATCH 026/131] Improve Warp reset/detail rendering --- Sources/CodexBar/IconRenderer.swift | 2 +- Sources/CodexBar/MenuDescriptor.swift | 17 ++--- Sources/CodexBarCLI/CLIRenderer.swift | 35 +++++++++- Tests/CodexBarTests/CLISnapshotTests.swift | 64 +++++++++++++++++++ .../ClaudeOAuthKeychainAccessGateTests.swift | 21 +++--- 5 files changed, 118 insertions(+), 21 deletions(-) diff --git a/Sources/CodexBar/IconRenderer.swift b/Sources/CodexBar/IconRenderer.swift index 8dd26bfae..a33d4ce3e 100644 --- a/Sources/CodexBar/IconRenderer.swift +++ b/Sources/CodexBar/IconRenderer.swift @@ -582,7 +582,7 @@ enum IconRenderer { } } - // Warp twist: "Warp" style face with a diagonal slash + // Warp twist: "Warp" style face with tilted-eye cutouts. if addWarpTwist { let ctx = NSGraphicsContext.current?.cgContext let centerXPx = rectPx.midXPx diff --git a/Sources/CodexBar/MenuDescriptor.swift b/Sources/CodexBar/MenuDescriptor.swift index af9fd8e79..495cbd7ef 100644 --- a/Sources/CodexBar/MenuDescriptor.swift +++ b/Sources/CodexBar/MenuDescriptor.swift @@ -115,22 +115,23 @@ struct MenuDescriptor { if let snap = store.snapshot(for: provider) { let resetStyle = settings.resetTimeDisplayStyle if let primary = snap.primary { - let warpPrimaryResetOverride: String? = { - guard provider == .warp, primary.resetsAt != nil else { return nil } - let resetOnlyWindow = RateWindow( + let primaryWindow = if provider == .warp { + // Warp primary uses resetDescription for non-reset detail (e.g., "Unlimited", "X/Y credits"). + // Avoid rendering it as a "Resets ..." line. + RateWindow( usedPercent: primary.usedPercent, windowMinutes: primary.windowMinutes, resetsAt: primary.resetsAt, resetDescription: nil) - return UsageFormatter.resetLine(for: resetOnlyWindow, style: resetStyle) - }() + } else { + primary + } Self.appendRateWindow( entries: &entries, title: meta.sessionLabel, - window: primary, + window: primaryWindow, resetStyle: resetStyle, - showUsed: settings.usageBarsShowUsed, - resetOverride: warpPrimaryResetOverride) + showUsed: settings.usageBarsShowUsed) if provider == .warp, let detail = primary.resetDescription?.trimmingCharacters(in: .whitespacesAndNewlines), !detail.isEmpty diff --git a/Sources/CodexBarCLI/CLIRenderer.swift b/Sources/CodexBarCLI/CLIRenderer.swift index 914061fa5..649ba00cc 100644 --- a/Sources/CodexBarCLI/CLIRenderer.swift +++ b/Sources/CodexBarCLI/CLIRenderer.swift @@ -21,7 +21,14 @@ enum CLIRenderer { if let primary = snapshot.primary { lines.append(self.rateLine(title: meta.sessionLabel, window: primary, useColor: context.useColor)) - if let reset = self.resetLine(for: primary, style: context.resetStyle, now: now) { + if provider == .warp { + if let reset = self.resetLineForWarp(window: primary, style: context.resetStyle, now: now) { + lines.append(self.subtleLine(reset, useColor: context.useColor)) + } + if let detail = self.detailLineForWarp(window: primary) { + lines.append(self.subtleLine(detail, useColor: context.useColor)) + } + } else if let reset = self.resetLine(for: primary, style: context.resetStyle, now: now) { lines.append(self.subtleLine(reset, useColor: context.useColor)) } } else if let cost = snapshot.providerCost { @@ -36,7 +43,14 @@ enum CLIRenderer { if let pace = self.paceLine(provider: provider, window: weekly, useColor: context.useColor, now: now) { lines.append(pace) } - if let reset = self.resetLine(for: weekly, style: context.resetStyle, now: now) { + if provider == .warp { + if let reset = self.resetLineForWarp(window: weekly, style: context.resetStyle, now: now) { + lines.append(self.subtleLine(reset, useColor: context.useColor)) + } + if let detail = self.detailLineForWarp(window: weekly) { + lines.append(self.subtleLine(detail, useColor: context.useColor)) + } + } else if let reset = self.resetLine(for: weekly, style: context.resetStyle, now: now) { lines.append(self.subtleLine(reset, useColor: context.useColor)) } } @@ -84,6 +98,23 @@ enum CLIRenderer { UsageFormatter.resetLine(for: window, style: style, now: now) } + private static func resetLineForWarp(window: RateWindow, style: ResetTimeDisplayStyle, now: Date) -> String? { + // Warp uses resetDescription for non-reset detail. Only render "Resets ..." when a concrete reset date exists. + guard window.resetsAt != nil else { return nil } + let resetOnlyWindow = RateWindow( + usedPercent: window.usedPercent, + windowMinutes: window.windowMinutes, + resetsAt: window.resetsAt, + resetDescription: nil) + return UsageFormatter.resetLine(for: resetOnlyWindow, style: style, now: now) + } + + private static func detailLineForWarp(window: RateWindow) -> String? { + guard let desc = window.resetDescription else { return nil } + let trimmed = desc.trimmingCharacters(in: .whitespacesAndNewlines) + return trimmed.isEmpty ? nil : trimmed + } + private static func headerLine(_ header: String, useColor: Bool) -> String { let decorated = "== \(header) ==" guard useColor else { return decorated } diff --git a/Tests/CodexBarTests/CLISnapshotTests.swift b/Tests/CodexBarTests/CLISnapshotTests.swift index aaf237092..18cde0c98 100644 --- a/Tests/CodexBarTests/CLISnapshotTests.swift +++ b/Tests/CodexBarTests/CLISnapshotTests.swift @@ -65,6 +65,70 @@ struct CLISnapshotTests { #expect(!output.contains("Weekly:")) } + @Test + func rendersWarpUnlimitedAsDetailNotReset() { + let meta = ProviderDescriptorRegistry.descriptor(for: .warp).metadata + let snap = UsageSnapshot( + primary: .init(usedPercent: 0, windowMinutes: nil, resetsAt: nil, resetDescription: "Unlimited"), + secondary: nil, + tertiary: nil, + updatedAt: Date(timeIntervalSince1970: 0), + identity: ProviderIdentitySnapshot( + providerID: .warp, + accountEmail: nil, + accountOrganization: nil, + loginMethod: nil)) + + let output = CLIRenderer.renderText( + provider: .warp, + snapshot: snap, + credits: nil, + context: RenderContext( + header: "Warp 0.0.0 (warp)", + status: nil, + useColor: false, + resetStyle: .absolute)) + + #expect(output.contains("\(meta.sessionLabel): 100% left")) + #expect(!output.contains("Resets Unlimited")) + #expect(output.contains("Unlimited")) + } + + @Test + func rendersWarpCreditsAsDetailAndResetAsDate() { + let meta = ProviderDescriptorRegistry.descriptor(for: .warp).metadata + let now = Date(timeIntervalSince1970: 0) + let snap = UsageSnapshot( + primary: .init( + usedPercent: 10, + windowMinutes: nil, + resetsAt: now.addingTimeInterval(3600), + resetDescription: "10/100 credits"), + secondary: nil, + tertiary: nil, + updatedAt: now, + identity: ProviderIdentitySnapshot( + providerID: .warp, + accountEmail: nil, + accountOrganization: nil, + loginMethod: nil)) + + let output = CLIRenderer.renderText( + provider: .warp, + snapshot: snap, + credits: nil, + context: RenderContext( + header: "Warp 0.0.0 (warp)", + status: nil, + useColor: false, + resetStyle: .absolute)) + + #expect(output.contains("\(meta.sessionLabel): 90% left")) + #expect(output.contains("Resets")) + #expect(output.contains("10/100 credits")) + #expect(!output.contains("Resets 10/100 credits")) + } + @Test func rendersPaceLineWhenWeeklyHasReset() { let now = Date() diff --git a/Tests/CodexBarTests/ClaudeOAuthKeychainAccessGateTests.swift b/Tests/CodexBarTests/ClaudeOAuthKeychainAccessGateTests.swift index e40052306..3854b7b12 100644 --- a/Tests/CodexBarTests/ClaudeOAuthKeychainAccessGateTests.swift +++ b/Tests/CodexBarTests/ClaudeOAuthKeychainAccessGateTests.swift @@ -7,17 +7,18 @@ struct ClaudeOAuthKeychainAccessGateTests { @Test func blocksUntilCooldownExpires() { KeychainAccessGate.withTaskOverrideForTesting(false) { - ClaudeOAuthKeychainAccessGate.resetForTesting() - defer { ClaudeOAuthKeychainAccessGate.resetForTesting() } - - let now = Date(timeIntervalSince1970: 1000) - #expect(ClaudeOAuthKeychainAccessGate.shouldAllowPrompt(now: now)) + let store = ClaudeOAuthKeychainAccessGate.DeniedUntilStore() + ClaudeOAuthKeychainAccessGate.withDeniedUntilStoreOverrideForTesting(store) { + let now = Date(timeIntervalSince1970: 1000) + #expect(ClaudeOAuthKeychainAccessGate.shouldAllowPrompt(now: now)) - ClaudeOAuthKeychainAccessGate.recordDenied(now: now) - #expect(ClaudeOAuthKeychainAccessGate.shouldAllowPrompt(now: now) == false) - #expect( - ClaudeOAuthKeychainAccessGate.shouldAllowPrompt(now: now.addingTimeInterval(60 * 60 * 6 - 1)) == false) - #expect(ClaudeOAuthKeychainAccessGate.shouldAllowPrompt(now: now.addingTimeInterval(60 * 60 * 6 + 1))) + ClaudeOAuthKeychainAccessGate.recordDenied(now: now) + #expect(ClaudeOAuthKeychainAccessGate.shouldAllowPrompt(now: now) == false) + #expect( + ClaudeOAuthKeychainAccessGate.shouldAllowPrompt(now: now.addingTimeInterval(60 * 60 * 6 - 1)) + == false) + #expect(ClaudeOAuthKeychainAccessGate.shouldAllowPrompt(now: now.addingTimeInterval(60 * 60 * 6 + 1))) + } } } From 924ec2eb1b7ceef275ac685371f54a817b81f45c Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Wed, 11 Feb 2026 21:13:18 +0530 Subject: [PATCH 027/131] Fix Warp no-bonus icon in show-used mode --- .../StatusItemController+Animation.swift | 16 ++++++ .../CodexBar/StatusItemController+Menu.swift | 10 +++- .../StatusItemAnimationTests.swift | 53 +++++++++++++++++++ 3 files changed, 78 insertions(+), 1 deletion(-) diff --git a/Sources/CodexBar/StatusItemController+Animation.swift b/Sources/CodexBar/StatusItemController+Animation.swift index ed0095fc3..47dcd7498 100644 --- a/Sources/CodexBar/StatusItemController+Animation.swift +++ b/Sources/CodexBar/StatusItemController+Animation.swift @@ -195,6 +195,14 @@ extension StatusItemController { // user setting we pass either "percent left" or "percent used". var primary = showUsed ? snapshot?.primary?.usedPercent : snapshot?.primary?.remainingPercent var weekly = showUsed ? snapshot?.secondary?.usedPercent : snapshot?.secondary?.remainingPercent + if showUsed, + primaryProvider == .warp, + let remaining = snapshot?.secondary?.remainingPercent, + remaining <= 0 + { + // Preserve Warp "no bonus/exhausted bonus" layout even in show-used mode. + weekly = 0 + } var credits: Double? = primaryProvider == .codex ? self.store.credits?.remaining : nil var stale = self.store.isStale(provider: primaryProvider) var morphProgress: Double? @@ -279,6 +287,14 @@ extension StatusItemController { } var primary = showUsed ? snapshot?.primary?.usedPercent : snapshot?.primary?.remainingPercent var weekly = showUsed ? snapshot?.secondary?.usedPercent : snapshot?.secondary?.remainingPercent + if showUsed, + provider == .warp, + let remaining = snapshot?.secondary?.remainingPercent, + remaining <= 0 + { + // Preserve Warp "no bonus/exhausted bonus" layout even in show-used mode. + weekly = 0 + } var credits: Double? = provider == .codex ? self.store.credits?.remaining : nil var stale = self.store.isStale(provider: provider) var morphProgress: Double? diff --git a/Sources/CodexBar/StatusItemController+Menu.swift b/Sources/CodexBar/StatusItemController+Menu.swift index 259d2bd5b..e5f49b418 100644 --- a/Sources/CodexBar/StatusItemController+Menu.swift +++ b/Sources/CodexBar/StatusItemController+Menu.swift @@ -751,7 +751,15 @@ extension StatusItemController { let snapshot = self.store.snapshot(for: provider) let showUsed = self.settings.usageBarsShowUsed let primary = showUsed ? snapshot?.primary?.usedPercent : snapshot?.primary?.remainingPercent - let weekly = showUsed ? snapshot?.secondary?.usedPercent : snapshot?.secondary?.remainingPercent + var weekly = showUsed ? snapshot?.secondary?.usedPercent : snapshot?.secondary?.remainingPercent + if showUsed, + provider == .warp, + let remaining = snapshot?.secondary?.remainingPercent, + remaining <= 0 + { + // Preserve Warp "no bonus/exhausted bonus" layout even in show-used mode. + weekly = 0 + } let credits = provider == .codex ? self.store.credits?.remaining : nil let stale = self.store.isStale(provider: provider) let style = self.store.style(for: provider) diff --git a/Tests/CodexBarTests/StatusItemAnimationTests.swift b/Tests/CodexBarTests/StatusItemAnimationTests.swift index 64ef3d8e4..8389e3233 100644 --- a/Tests/CodexBarTests/StatusItemAnimationTests.swift +++ b/Tests/CodexBarTests/StatusItemAnimationTests.swift @@ -124,6 +124,59 @@ struct StatusItemAnimationTests { #expect(alpha > 0.05) } + @Test + func warpNoBonusLayoutIsPreservedInShowUsedModeWhenBonusIsExhausted() { + let settings = SettingsStore( + configStore: testConfigStore(suiteName: "StatusItemAnimationTests-warp-no-bonus-used"), + zaiTokenStore: NoopZaiTokenStore(), + syntheticTokenStore: NoopSyntheticTokenStore()) + settings.statusChecksEnabled = false + settings.refreshFrequency = .manual + settings.mergeIcons = false + settings.menuBarShowsBrandIconWithPercent = false + settings.usageBarsShowUsed = true + + let registry = ProviderRegistry.shared + if let warpMeta = registry.metadata[.warp] { + settings.setProviderEnabled(provider: .warp, metadata: warpMeta, enabled: true) + } + + let fetcher = UsageFetcher() + let store = UsageStore(fetcher: fetcher, browserDetection: BrowserDetection(cacheTTL: 0), settings: settings) + let controller = StatusItemController( + store: store, + settings: settings, + account: fetcher.loadAccountInfo(), + updater: DisabledUpdaterController(), + preferencesSelection: PreferencesSelection(), + statusBar: self.makeStatusBarForTesting()) + + // Primary used=10%. Bonus exhausted: used=100% (remaining=0%). + let snapshot = UsageSnapshot( + primary: RateWindow(usedPercent: 10, windowMinutes: nil, resetsAt: nil, resetDescription: nil), + secondary: RateWindow(usedPercent: 100, windowMinutes: nil, resetsAt: nil, resetDescription: nil), + updatedAt: Date()) + store._setSnapshotForTesting(snapshot, provider: .warp) + store._setErrorForTesting(nil, provider: .warp) + + controller.applyIcon(for: .warp, phase: nil) + + guard let image = controller.statusItems[.warp]?.button?.image else { + #expect(Bool(false)) + return + } + let rep = image.representations.compactMap { $0 as? NSBitmapImageRep }.first(where: { + $0.pixelsWide == 36 && $0.pixelsHigh == 36 + }) + #expect(rep != nil) + guard let rep else { return } + + // In the Warp "no bonus/exhausted bonus" layout, the bottom bar shows primary usage (10%), + // so a pixel near the right side of the bottom bar should *not* be fully opaque. + let alpha = (rep.colorAt(x: 25, y: 9) ?? .clear).alphaComponent + #expect(alpha < 0.6) + } + @Test func menuBarPercentUsesConfiguredMetric() { let settings = SettingsStore( From 1f2d17166662103836196e2a061c012fa7a3dce8 Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Wed, 11 Feb 2026 21:24:40 +0530 Subject: [PATCH 028/131] Add Warp env override regression test --- .../ProviderConfigEnvironmentTests.swift | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/Tests/CodexBarTests/ProviderConfigEnvironmentTests.swift b/Tests/CodexBarTests/ProviderConfigEnvironmentTests.swift index e61a2e3d1..0e81e34fc 100644 --- a/Tests/CodexBarTests/ProviderConfigEnvironmentTests.swift +++ b/Tests/CodexBarTests/ProviderConfigEnvironmentTests.swift @@ -14,6 +14,21 @@ struct ProviderConfigEnvironmentTests { #expect(env[ZaiSettingsReader.apiTokenKey] == "z-token") } + @Test + func appliesAPIKeyOverrideForWarp() { + let config = ProviderConfig(id: .warp, apiKey: "w-token") + let env = ProviderConfigEnvironment.applyAPIKeyOverride( + base: [:], + provider: .warp, + config: config) + + let key = WarpSettingsReader.apiKeyEnvironmentKeys.first + #expect(key != nil) + guard let key else { return } + + #expect(env[key] == "w-token") + } + @Test func leavesEnvironmentWhenAPIKeyMissing() { let config = ProviderConfig(id: .zai, apiKey: nil) From 68b8efa4970651aa9aece27e305f641277db9a38 Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Wed, 11 Feb 2026 22:36:52 +0530 Subject: [PATCH 029/131] Fix Warp eye cutout rendering --- Sources/CodexBar/IconRenderer.swift | 23 +++++------ Tests/CodexBarTests/CodexbarTests.swift | 53 +++++++++++++++++++++++++ 2 files changed, 64 insertions(+), 12 deletions(-) diff --git a/Sources/CodexBar/IconRenderer.swift b/Sources/CodexBar/IconRenderer.swift index a33d4ce3e..243f88ebb 100644 --- a/Sources/CodexBar/IconRenderer.swift +++ b/Sources/CodexBar/IconRenderer.swift @@ -606,18 +606,17 @@ enum IconRenderer { /// Draw a tilted ellipse eye at the given center. func drawTiltedEyeCutout(cx: CGFloat, cy: CGFloat, tiltAngle: CGFloat) { - let eyeRect = CGRect( - x: -eyeW / 2, - y: -eyeH / 2, - width: eyeW, - height: eyeH) - let eyePath = NSBezierPath(ovalIn: eyeRect) - - var transform = AffineTransform.identity - transform.translate(x: cx, y: cy) - transform.rotate(byRadians: tiltAngle) - eyePath.transform(using: transform) - eyePath.fill() + guard let ctx else { return } + let eyeRect = CGRect(x: -eyeW / 2, y: -eyeH / 2, width: eyeW, height: eyeH) + + // Use CGContext transforms instead of AffineTransform-on-path so the rotation origin + // is unambiguous and the current blend mode is consistently respected. + ctx.saveGState() + ctx.translateBy(x: cx, y: cy) + ctx.rotate(by: tiltAngle) + ctx.addEllipse(in: eyeRect) + ctx.fillPath() + ctx.restoreGState() } if warpEyesFilled { diff --git a/Tests/CodexBarTests/CodexbarTests.swift b/Tests/CodexBarTests/CodexbarTests.swift index 4b1fecfe5..737081635 100644 --- a/Tests/CodexBarTests/CodexbarTests.swift +++ b/Tests/CodexBarTests/CodexbarTests.swift @@ -115,6 +115,59 @@ struct CodexBarTests { #expect(internalHoles >= 16) // at least one 4×4 eye block, but typically two eyes => 32 } + @Test + func iconRendererWarpEyesCutOutAtExpectedCenters() { + // Regression: Warp eyes should be tilted in-place and remain centered on the face. + let image = IconRenderer.makeIcon( + primaryRemaining: 50, + weeklyRemaining: 50, + creditsRemaining: nil, + stale: false, + style: .warp) + + let bitmapReps = image.representations.compactMap { $0 as? NSBitmapImageRep } + let rep = bitmapReps.first(where: { $0.pixelsWide == 36 && $0.pixelsHigh == 36 }) + #expect(rep != nil) + guard let rep else { return } + + func alphaAt(px x: Int, _ y: Int) -> CGFloat { + (rep.colorAt(x: x, y: y) ?? .clear).alphaComponent + } + + func minAlphaNear(px cx: Int, _ cy: Int, radius: Int) -> CGFloat { + var minAlpha: CGFloat = 1.0 + let x0 = max(0, cx - radius) + let x1 = min(rep.pixelsWide - 1, cx + radius) + let y0 = max(0, cy - radius) + let y1 = min(rep.pixelsHigh - 1, cy + radius) + for y in y0...y1 { + for x in x0...x1 { + minAlpha = min(minAlpha, alphaAt(px: x, y)) + } + } + return minAlpha + } + + func minAlphaNearEitherOrigin(px cx: Int, _ cy: Int, radius: Int) -> CGFloat { + let flippedY = (rep.pixelsHigh - 1) - cy + return min(minAlphaNear(px: cx, cy, radius: radius), minAlphaNear(px: cx, flippedY, radius: radius)) + } + + // These are the center pixels for the two Warp eye cutouts in the top bar (36×36 canvas). + // If the eyes are rotated around the wrong origin, these points will not be fully punched out. + let leftEyeCenter = (x: 11, y: 25) + let rightEyeCenter = (x: 25, y: 25) + + // The eye ellipse height is even (8 px), so the exact center can land between pixel rows. + // Assert via a small neighborhood search rather than a single pixel. + #expect(minAlphaNearEitherOrigin(px: leftEyeCenter.x, leftEyeCenter.y, radius: 2) < 0.05) + #expect(minAlphaNearEitherOrigin(px: rightEyeCenter.x, rightEyeCenter.y, radius: 2) < 0.05) + + // Sanity: nearby top bar track area should remain visible (not everything is transparent). + let midAlpha = max(alphaAt(px: 18, 25), alphaAt(px: 18, (rep.pixelsHigh - 1) - 25)) + #expect(midAlpha > 0.05) + } + @Test func accountInfoParsesAuthToken() throws { let tmp = try FileManager.default.url( From 2509030da8c79c47357d1fa50dae93ac93c55753 Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Wed, 11 Feb 2026 23:11:15 +0530 Subject: [PATCH 030/131] Fix Warp bonus lane in show-used mode --- .../StatusItemController+Animation.swift | 18 +++++++ .../CodexBar/StatusItemController+Menu.swift | 9 ++++ .../StatusItemAnimationTests.swift | 53 +++++++++++++++++++ 3 files changed, 80 insertions(+) diff --git a/Sources/CodexBar/StatusItemController+Animation.swift b/Sources/CodexBar/StatusItemController+Animation.swift index 47dcd7498..3c77d03e0 100644 --- a/Sources/CodexBar/StatusItemController+Animation.swift +++ b/Sources/CodexBar/StatusItemController+Animation.swift @@ -203,6 +203,15 @@ extension StatusItemController { // Preserve Warp "no bonus/exhausted bonus" layout even in show-used mode. weekly = 0 } + if showUsed, + primaryProvider == .warp, + let remaining = snapshot?.secondary?.remainingPercent, + remaining > 0, + weekly == 0 + { + // In show-used mode, `0` means "unused", not "missing". Keep the weekly lane present. + weekly = Self.loadingPercentEpsilon + } var credits: Double? = primaryProvider == .codex ? self.store.credits?.remaining : nil var stale = self.store.isStale(provider: primaryProvider) var morphProgress: Double? @@ -295,6 +304,15 @@ extension StatusItemController { // Preserve Warp "no bonus/exhausted bonus" layout even in show-used mode. weekly = 0 } + if showUsed, + provider == .warp, + let remaining = snapshot?.secondary?.remainingPercent, + remaining > 0, + weekly == 0 + { + // In show-used mode, `0` means "unused", not "missing". Keep the weekly lane present. + weekly = Self.loadingPercentEpsilon + } var credits: Double? = provider == .codex ? self.store.credits?.remaining : nil var stale = self.store.isStale(provider: provider) var morphProgress: Double? diff --git a/Sources/CodexBar/StatusItemController+Menu.swift b/Sources/CodexBar/StatusItemController+Menu.swift index e5f49b418..5c5a529e7 100644 --- a/Sources/CodexBar/StatusItemController+Menu.swift +++ b/Sources/CodexBar/StatusItemController+Menu.swift @@ -760,6 +760,15 @@ extension StatusItemController { // Preserve Warp "no bonus/exhausted bonus" layout even in show-used mode. weekly = 0 } + if showUsed, + provider == .warp, + let remaining = snapshot?.secondary?.remainingPercent, + remaining > 0, + weekly == 0 + { + // In show-used mode, `0` means "unused", not "missing". Keep the weekly lane present. + weekly = 0.0001 + } let credits = provider == .codex ? self.store.credits?.remaining : nil let stale = self.store.isStale(provider: provider) let style = self.store.style(for: provider) diff --git a/Tests/CodexBarTests/StatusItemAnimationTests.swift b/Tests/CodexBarTests/StatusItemAnimationTests.swift index 8389e3233..2838c2974 100644 --- a/Tests/CodexBarTests/StatusItemAnimationTests.swift +++ b/Tests/CodexBarTests/StatusItemAnimationTests.swift @@ -177,6 +177,59 @@ struct StatusItemAnimationTests { #expect(alpha < 0.6) } + @Test + func warpBonusLaneIsPreservedInShowUsedModeWhenBonusIsUnused() { + let settings = SettingsStore( + configStore: testConfigStore(suiteName: "StatusItemAnimationTests-warp-unused-bonus-used"), + zaiTokenStore: NoopZaiTokenStore(), + syntheticTokenStore: NoopSyntheticTokenStore()) + settings.statusChecksEnabled = false + settings.refreshFrequency = .manual + settings.mergeIcons = false + settings.menuBarShowsBrandIconWithPercent = false + settings.usageBarsShowUsed = true + + let registry = ProviderRegistry.shared + if let warpMeta = registry.metadata[.warp] { + settings.setProviderEnabled(provider: .warp, metadata: warpMeta, enabled: true) + } + + let fetcher = UsageFetcher() + let store = UsageStore(fetcher: fetcher, browserDetection: BrowserDetection(cacheTTL: 0), settings: settings) + let controller = StatusItemController( + store: store, + settings: settings, + account: fetcher.loadAccountInfo(), + updater: DisabledUpdaterController(), + preferencesSelection: PreferencesSelection(), + statusBar: self.makeStatusBarForTesting()) + + // Bonus exists but is unused: used=0% (remaining=100%). + let snapshot = UsageSnapshot( + primary: RateWindow(usedPercent: 10, windowMinutes: nil, resetsAt: nil, resetDescription: nil), + secondary: RateWindow(usedPercent: 0, windowMinutes: nil, resetsAt: nil, resetDescription: nil), + updatedAt: Date()) + store._setSnapshotForTesting(snapshot, provider: .warp) + store._setErrorForTesting(nil, provider: .warp) + + controller.applyIcon(for: .warp, phase: nil) + + guard let image = controller.statusItems[.warp]?.button?.image else { + #expect(Bool(false)) + return + } + let rep = image.representations.compactMap { $0 as? NSBitmapImageRep }.first(where: { + $0.pixelsWide == 36 && $0.pixelsHigh == 36 + }) + #expect(rep != nil) + guard let rep else { return } + + // When we incorrectly treat "0 used" as "no bonus", the Warp branch makes the top bar full (100%). + // A pixel near the right side of the top bar should remain in the track-only range for 10% usage. + let alpha = (rep.colorAt(x: 31, y: 25) ?? .clear).alphaComponent + #expect(alpha < 0.6) + } + @Test func menuBarPercentUsesConfiguredMetric() { let settings = SettingsStore( From 030982d35949d64a7d93b1f53b62d42772348287 Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Wed, 11 Feb 2026 23:18:06 +0530 Subject: [PATCH 031/131] Update changelog for Warp provider --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index c5fbb9b87..68a4e7ea6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,7 @@ ### Highlights - Claude OAuth/keychain flows were reworked across a series of follow-up PRs to reduce prompt storms, stabilize background behavior, and make failure modes deterministic (#245, #305, #308, #309). Thanks @manikv12! - Claude: harden Claude Code PTY capture for `/usage` and `/status` (prompt automation, safer command palette confirmation, partial UTF-8 handling, and parsing guards against status-bar context meters) (#320). +- New provider: Warp (credits + add-on credits) (#352). Thanks @Kathie-yu! - Provider correctness fixes landed for Cursor plan parsing and MiniMax region routing (#240, #234, #344). Thanks @robinebers and @theglove44! - Menu bar animation behavior was hardened in merged mode and fallback mode (#283, #291). Thanks @vignesh07 and @Ilakiancs! @@ -18,6 +19,7 @@ - CodexBar syncs its cached OAuth token when the Claude Code Keychain entry changes, so updated auth is picked up without requiring a restart. ### Provider & Usage Fixes +- Warp: add Warp provider support (credits + add-on credits), configurable via Settings or `WARP_API_KEY`/`WARP_TOKEN` (#352). Thanks @Kathie-yu! - Cursor: compute usage against `plan.limit` rather than `breakdown.total` to avoid incorrect limit interpretation (#240). Thanks @robinebers! - MiniMax: correct API region URL selection to route requests to the expected regional endpoint (#234). Thanks @theglove44! - MiniMax: always show the API region picker and retry the China endpoint when the global host rejects the token to From f493450737ab869e4435a5164d1d5bf32e0afda5 Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Thu, 12 Feb 2026 00:29:25 +0530 Subject: [PATCH 032/131] Fix Warp usage fetch 429 edge rate limit --- .../Providers/Warp/WarpUsageFetcher.swift | 21 ++++++++++++++++--- .../CodexBarTests/WarpUsageFetcherTests.swift | 9 ++++++++ 2 files changed, 27 insertions(+), 3 deletions(-) diff --git a/Sources/CodexBarCore/Providers/Warp/WarpUsageFetcher.swift b/Sources/CodexBarCore/Providers/Warp/WarpUsageFetcher.swift index 0ea5c2307..79ec2e8f0 100644 --- a/Sources/CodexBarCore/Providers/Warp/WarpUsageFetcher.swift +++ b/Sources/CodexBarCore/Providers/Warp/WarpUsageFetcher.swift @@ -131,6 +131,9 @@ public struct WarpUsageFetcher: Sendable { private static let log = CodexBarLog.logger(LogCategories.warpUsage) private static let apiURL = URL(string: "https://app.warp.dev/graphql/v2?op=GetRequestLimitInfo")! private static let clientID = "warp-app" + /// Warp's GraphQL endpoint is fronted by an edge limiter that returns HTTP 429 ("Rate exceeded.") + /// unless the User-Agent matches the official client pattern (e.g. "Warp/1.0"). + private static let userAgent = "Warp/1.0" private static let graphQLQuery = """ query GetRequestLimitInfo($requestContext: RequestContext!) { @@ -176,11 +179,13 @@ public struct WarpUsageFetcher: Sendable { request.httpMethod = "POST" request.timeoutInterval = 15 request.setValue("application/json", forHTTPHeaderField: "Content-Type") + request.setValue("application/json", forHTTPHeaderField: "Accept") request.setValue(self.clientID, forHTTPHeaderField: "x-warp-client-id") request.setValue("macOS", forHTTPHeaderField: "x-warp-os-category") request.setValue("macOS", forHTTPHeaderField: "x-warp-os-name") request.setValue(osVersionString, forHTTPHeaderField: "x-warp-os-version") request.setValue("Bearer \(apiKey)", forHTTPHeaderField: "Authorization") + request.setValue(self.userAgent, forHTTPHeaderField: "User-Agent") let variables: [String: Any] = [ "requestContext": [ @@ -230,6 +235,10 @@ public struct WarpUsageFetcher: Sendable { try self.parseResponse(data: data) } + static func _apiErrorSummaryForTesting(statusCode: Int, data: Data) -> String { + self.apiErrorSummary(statusCode: statusCode, data: data) + } + private static func parseResponse(data: Data) throws -> WarpUsageSnapshot { guard let root = try? JSONSerialization.jsonObject(with: data), let json = root as? [String: Any] @@ -401,6 +410,12 @@ public struct WarpUsageFetcher: Sendable { guard let root = try? JSONSerialization.jsonObject(with: data), let json = root as? [String: Any] else { + if let text = String(data: data, encoding: .utf8)? + .trimmingCharacters(in: .whitespacesAndNewlines), + !text.isEmpty + { + return self.compactSummaryText(text) + } return "Unexpected response body (\(data.count) bytes)." } @@ -408,21 +423,21 @@ public struct WarpUsageFetcher: Sendable { let messages = rawErrors.compactMap(Self.graphQLErrorMessage(from:)) let joined = messages.prefix(3).joined(separator: " | ") if !joined.isEmpty { - return Self.compactSummaryText(joined) + return self.compactSummaryText(joined) } } if let error = json["error"] as? String { let trimmed = error.trimmingCharacters(in: .whitespacesAndNewlines) if !trimmed.isEmpty { - return Self.compactSummaryText(trimmed) + return self.compactSummaryText(trimmed) } } if let message = json["message"] as? String { let trimmed = message.trimmingCharacters(in: .whitespacesAndNewlines) if !trimmed.isEmpty { - return Self.compactSummaryText(trimmed) + return self.compactSummaryText(trimmed) } } diff --git a/Tests/CodexBarTests/WarpUsageFetcherTests.swift b/Tests/CodexBarTests/WarpUsageFetcherTests.swift index 7448bb094..9fb74999c 100644 --- a/Tests/CodexBarTests/WarpUsageFetcherTests.swift +++ b/Tests/CodexBarTests/WarpUsageFetcherTests.swift @@ -219,4 +219,13 @@ struct WarpUsageFetcherTests { #expect(primary.resetsAt == nil) #expect(primary.resetDescription == "Unlimited") } + + @Test + func apiErrorSummaryIncludesPlainTextBodies() { + // Regression: Warp edge returns 429 with a non-JSON body ("Rate exceeded.") when User-Agent is missing/wrong. + let summary = WarpUsageFetcher._apiErrorSummaryForTesting( + statusCode: 429, + data: Data("Rate exceeded.".utf8)) + #expect(summary.contains("Rate exceeded.")) + } } From 0a5896b2cdab6bf9b22d1a9956020d846b6a0a44 Mon Sep 17 00:00:00 2001 From: Julian le Roux <78623349+julerex@users.noreply.github.com> Date: Thu, 12 Feb 2026 14:42:47 +0530 Subject: [PATCH 033/131] Fix script path casing and host-only SwiftPM packaging fallback (partial cherry picked from commit ed76573b601a6f152167ecee758a080c66d83c82) --- Scripts/compile_and_run.sh | 6 +++--- Scripts/package_app.sh | 30 +++++++++++++++++++++++------- 2 files changed, 26 insertions(+), 10 deletions(-) diff --git a/Scripts/compile_and_run.sh b/Scripts/compile_and_run.sh index 13544fba6..ce6992d45 100755 --- a/Scripts/compile_and_run.sh +++ b/Scripts/compile_and_run.sh @@ -201,12 +201,12 @@ if [[ -n "${RELEASE_ARCHES}" ]]; then ARCHES_VALUE="${RELEASE_ARCHES}" fi if [[ "${DEBUG_LLDB}" == "1" ]]; then - run_step "package app" env CODEXBAR_ALLOW_LLDB=1 ARCHES="${ARCHES_VALUE}" "${ROOT_DIR}/scripts/package_app.sh" debug + run_step "package app" env CODEXBAR_ALLOW_LLDB=1 ARCHES="${ARCHES_VALUE}" "${ROOT_DIR}/Scripts/package_app.sh" debug else if [[ -n "${SIGNING_MODE}" ]]; then - run_step "package app" env CODEXBAR_SIGNING="${SIGNING_MODE}" ARCHES="${ARCHES_VALUE}" "${ROOT_DIR}/scripts/package_app.sh" + run_step "package app" env CODEXBAR_SIGNING="${SIGNING_MODE}" ARCHES="${ARCHES_VALUE}" "${ROOT_DIR}/Scripts/package_app.sh" else - run_step "package app" env ARCHES="${ARCHES_VALUE}" "${ROOT_DIR}/scripts/package_app.sh" + run_step "package app" env ARCHES="${ARCHES_VALUE}" "${ROOT_DIR}/Scripts/package_app.sh" fi fi diff --git a/Scripts/package_app.sh b/Scripts/package_app.sh index a6a3754b7..08ee481a0 100755 --- a/Scripts/package_app.sh +++ b/Scripts/package_app.sh @@ -210,6 +210,21 @@ build_product_path() { esac } +# Resolve path to built binary; some SwiftPM versions use .build/$CONF/ when building for host only. +resolve_binary_path() { + local name="$1" + local arch="$2" + local candidate + candidate=$(build_product_path "$name" "$arch") + if [[ -f "$candidate" ]]; then + echo "$candidate" + return + fi + if [[ "$arch" == "arm64" || "$arch" == "x86_64" ]] && [[ -f ".build/$CONF/$name" ]]; then + echo ".build/$CONF/$name" + fi +} + verify_binary_arches() { local binary="$1"; shift local expected=("$@") @@ -236,9 +251,9 @@ install_binary() { local binaries=() for arch in "${ARCH_LIST[@]}"; do local src - src=$(build_product_path "$name" "$arch") - if [[ ! -f "$src" ]]; then - echo "ERROR: Missing ${name} build for ${arch} at ${src}" >&2 + src=$(resolve_binary_path "$name" "$arch") + if [[ -z "$src" || ! -f "$src" ]]; then + echo "ERROR: Missing ${name} build for ${arch} at $(build_product_path "$name" "$arch")" >&2 exit 1 fi binaries+=("$src") @@ -254,14 +269,14 @@ install_binary() { install_binary "CodexBar" "$APP/Contents/MacOS/CodexBar" # Ship CodexBarCLI alongside the app for easy symlinking. -if [[ -f "$(build_product_path "CodexBarCLI" "${ARCH_LIST[0]}")" ]]; then +if [[ -n "$(resolve_binary_path "CodexBarCLI" "${ARCH_LIST[0]}")" ]]; then install_binary "CodexBarCLI" "$APP/Contents/Helpers/CodexBarCLI" fi # Watchdog helper: ensures `claude` probes die when CodexBar crashes/gets killed. -if [[ -f "$(build_product_path "CodexBarClaudeWatchdog" "${ARCH_LIST[0]}")" ]]; then +if [[ -n "$(resolve_binary_path "CodexBarClaudeWatchdog" "${ARCH_LIST[0]}")" ]]; then install_binary "CodexBarClaudeWatchdog" "$APP/Contents/Helpers/CodexBarClaudeWatchdog" fi -if [[ -f "$(build_product_path "CodexBarWidget" "${ARCH_LIST[0]}")" ]]; then +if [[ -n "$(resolve_binary_path "CodexBarWidget" "${ARCH_LIST[0]}")" ]]; then WIDGET_APP="$APP/Contents/PlugIns/CodexBarWidget.appex" mkdir -p "$WIDGET_APP/Contents/MacOS" "$WIDGET_APP/Contents/Resources" cat > "$WIDGET_APP/Contents/Info.plist" < Date: Thu, 12 Feb 2026 21:09:09 +0530 Subject: [PATCH 034/131] Do not persist selected provider when menu opens --- .../CodexBar/StatusItemController+Menu.swift | 6 +-- Tests/CodexBarTests/StatusMenuTests.swift | 37 +++++++++++++++++++ 2 files changed, 40 insertions(+), 3 deletions(-) diff --git a/Sources/CodexBar/StatusItemController+Menu.swift b/Sources/CodexBar/StatusItemController+Menu.swift index 5c5a529e7..16966a720 100644 --- a/Sources/CodexBar/StatusItemController+Menu.swift +++ b/Sources/CodexBar/StatusItemController+Menu.swift @@ -52,9 +52,9 @@ extension StatusItemController { var provider: UsageProvider? if self.shouldMergeIcons { - self.selectedMenuProvider = self.resolvedMenuProvider() - self.lastMenuProvider = self.selectedMenuProvider ?? .codex - provider = self.selectedMenuProvider + let resolvedProvider = self.resolvedMenuProvider() + self.lastMenuProvider = resolvedProvider ?? .codex + provider = resolvedProvider } else { if let menuProvider = self.menuProviders[ObjectIdentifier(menu)] { self.lastMenuProvider = menuProvider diff --git a/Tests/CodexBarTests/StatusMenuTests.swift b/Tests/CodexBarTests/StatusMenuTests.swift index 37d33c5e8..76ef67329 100644 --- a/Tests/CodexBarTests/StatusMenuTests.swift +++ b/Tests/CodexBarTests/StatusMenuTests.swift @@ -75,6 +75,43 @@ struct StatusMenuTests { #expect(controller.lastMenuProvider == .codex) } + @Test + func mergedMenuOpenDoesNotPersistResolvedProviderWhenSelectionIsNil() { + self.disableMenuCardsForTesting() + let settings = self.makeSettings() + settings.statusChecksEnabled = false + settings.refreshFrequency = .manual + settings.mergeIcons = true + settings.selectedMenuProvider = nil + + let registry = ProviderRegistry.shared + if let codexMeta = registry.metadata[.codex] { + settings.setProviderEnabled(provider: .codex, metadata: codexMeta, enabled: false) + } + if let claudeMeta = registry.metadata[.claude] { + settings.setProviderEnabled(provider: .claude, metadata: claudeMeta, enabled: true) + } + if let geminiMeta = registry.metadata[.gemini] { + settings.setProviderEnabled(provider: .gemini, metadata: geminiMeta, enabled: false) + } + + let fetcher = UsageFetcher() + let store = UsageStore(fetcher: fetcher, browserDetection: BrowserDetection(cacheTTL: 0), settings: settings) + let controller = StatusItemController( + store: store, + settings: settings, + account: fetcher.loadAccountInfo(), + updater: DisabledUpdaterController(), + preferencesSelection: PreferencesSelection(), + statusBar: self.makeStatusBarForTesting()) + + let menu = controller.makeMenu() + #expect(settings.selectedMenuProvider == nil) + controller.menuWillOpen(menu) + #expect(settings.selectedMenuProvider == nil) + #expect(controller.lastMenuProvider == .claude) + } + @Test func providerToggleUpdatesStatusItemVisibility() { self.disableMenuCardsForTesting() From dd609d0b35cce827c0fa2e8c4d4cdc2e3413f8cf Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Thu, 12 Feb 2026 21:25:01 +0530 Subject: [PATCH 035/131] Exercise merged-menu path in regression test --- Tests/CodexBarTests/StatusMenuTests.swift | 22 +++++++++++++--------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/Tests/CodexBarTests/StatusMenuTests.swift b/Tests/CodexBarTests/StatusMenuTests.swift index 76ef67329..74b516c9f 100644 --- a/Tests/CodexBarTests/StatusMenuTests.swift +++ b/Tests/CodexBarTests/StatusMenuTests.swift @@ -85,15 +85,16 @@ struct StatusMenuTests { settings.selectedMenuProvider = nil let registry = ProviderRegistry.shared - if let codexMeta = registry.metadata[.codex] { - settings.setProviderEnabled(provider: .codex, metadata: codexMeta, enabled: false) - } - if let claudeMeta = registry.metadata[.claude] { - settings.setProviderEnabled(provider: .claude, metadata: claudeMeta, enabled: true) - } - if let geminiMeta = registry.metadata[.gemini] { - settings.setProviderEnabled(provider: .gemini, metadata: geminiMeta, enabled: false) + var enabledProviders: [UsageProvider] = [] + for provider in UsageProvider.allCases { + guard let metadata = registry.metadata[provider] else { continue } + let shouldEnable = enabledProviders.count < 2 + settings.setProviderEnabled(provider: provider, metadata: metadata, enabled: shouldEnable) + if shouldEnable { + enabledProviders.append(provider) + } } + #expect(enabledProviders.count == 2) let fetcher = UsageFetcher() let store = UsageStore(fetcher: fetcher, browserDetection: BrowserDetection(cacheTTL: 0), settings: settings) @@ -105,11 +106,14 @@ struct StatusMenuTests { preferencesSelection: PreferencesSelection(), statusBar: self.makeStatusBarForTesting()) + let expectedResolved = store.enabledProviders().first ?? .codex + #expect(store.enabledProviders().count > 1) + #expect(controller.shouldMergeIcons == true) let menu = controller.makeMenu() #expect(settings.selectedMenuProvider == nil) controller.menuWillOpen(menu) #expect(settings.selectedMenuProvider == nil) - #expect(controller.lastMenuProvider == .claude) + #expect(controller.lastMenuProvider == expectedResolved) } @Test From 1acd74f6dd41cbbab830f68b827ac07d05d6b648 Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Thu, 12 Feb 2026 21:59:27 +0530 Subject: [PATCH 036/131] Use resolved provider for merged menu refresh --- .../CodexBar/StatusItemController+Menu.swift | 2 +- Tests/CodexBarTests/StatusMenuTests.swift | 67 +++++++++++++++++++ 2 files changed, 68 insertions(+), 1 deletion(-) diff --git a/Sources/CodexBar/StatusItemController+Menu.swift b/Sources/CodexBar/StatusItemController+Menu.swift index 16966a720..2508e25f0 100644 --- a/Sources/CodexBar/StatusItemController+Menu.swift +++ b/Sources/CodexBar/StatusItemController+Menu.swift @@ -539,7 +539,7 @@ extension StatusItemController { private func menuProvider(for menu: NSMenu) -> UsageProvider? { if self.shouldMergeIcons { - return self.selectedMenuProvider ?? self.resolvedMenuProvider() + return self.resolvedMenuProvider() } if let provider = self.menuProviders[ObjectIdentifier(menu)] { return provider diff --git a/Tests/CodexBarTests/StatusMenuTests.swift b/Tests/CodexBarTests/StatusMenuTests.swift index 74b516c9f..55fc217c6 100644 --- a/Tests/CodexBarTests/StatusMenuTests.swift +++ b/Tests/CodexBarTests/StatusMenuTests.swift @@ -116,6 +116,73 @@ struct StatusMenuTests { #expect(controller.lastMenuProvider == expectedResolved) } + @Test + func mergedMenuRefreshUsesResolvedEnabledProviderWhenPersistedSelectionIsDisabled() { + self.disableMenuCardsForTesting() + let settings = self.makeSettings() + settings.statusChecksEnabled = false + settings.refreshFrequency = .manual + settings.mergeIcons = true + settings.selectedMenuProvider = .codex + + let registry = ProviderRegistry.shared + if let codexMeta = registry.metadata[.codex] { + settings.setProviderEnabled(provider: .codex, metadata: codexMeta, enabled: false) + } + if let claudeMeta = registry.metadata[.claude] { + settings.setProviderEnabled(provider: .claude, metadata: claudeMeta, enabled: true) + } + if let geminiMeta = registry.metadata[.gemini] { + settings.setProviderEnabled(provider: .gemini, metadata: geminiMeta, enabled: true) + } + + let fetcher = UsageFetcher() + let store = UsageStore(fetcher: fetcher, browserDetection: BrowserDetection(cacheTTL: 0), settings: settings) + let event = CreditEvent(date: Date(), service: "CLI", creditsUsed: 1) + let breakdown = OpenAIDashboardSnapshot.makeDailyBreakdown(from: [event], maxDays: 30) + store.openAIDashboard = OpenAIDashboardSnapshot( + signedInEmail: "user@example.com", + codeReviewRemainingPercent: 100, + creditEvents: [event], + dailyBreakdown: breakdown, + usageBreakdown: breakdown, + creditsPurchaseURL: nil, + updatedAt: Date()) + let controller = StatusItemController( + store: store, + settings: settings, + account: fetcher.loadAccountInfo(), + updater: DisabledUpdaterController(), + preferencesSelection: PreferencesSelection(), + statusBar: self.makeStatusBarForTesting()) + + let expectedResolved = store.enabledProviders().first ?? .codex + #expect(store.enabledProviders().count > 1) + #expect(controller.shouldMergeIcons == true) + + func hasOpenAIWebSubmenus(_ menu: NSMenu) -> Bool { + let usageItem = menu.items.first { ($0.representedObject as? String) == "menuCardUsage" } + let creditsItem = menu.items.first { ($0.representedObject as? String) == "menuCardCredits" } + let hasUsageBreakdown = usageItem?.submenu?.items + .contains { ($0.representedObject as? String) == "usageBreakdownChart" } == true + let hasCreditsHistory = creditsItem?.submenu?.items + .contains { ($0.representedObject as? String) == "creditsHistoryChart" } == true + return hasUsageBreakdown || hasCreditsHistory + } + + let menu = controller.makeMenu() + controller.menuWillOpen(menu) + + #expect(controller.lastMenuProvider == expectedResolved) + #expect(settings.selectedMenuProvider == .codex) + #expect(hasOpenAIWebSubmenus(menu) == false) + + controller.menuContentVersion &+= 1 + controller.refreshOpenMenusIfNeeded() + + #expect(hasOpenAIWebSubmenus(menu) == false) + } + @Test func providerToggleUpdatesStatusItemVisibility() { self.disableMenuCardsForTesting() From 5b52899ea62a3f80b857f919581883f4a5192b87 Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Thu, 12 Feb 2026 16:18:43 +0530 Subject: [PATCH 037/131] Enforce Claude keychain prompt policy across keychain paths --- .../ClaudeOAuth/ClaudeOAuthCredentials.swift | 57 ++-- .../Providers/Claude/ClaudeUsageFetcher.swift | 15 + ...uthCredentialsStorePromptPolicyTests.swift | 264 ++++++++++++++++++ .../ClaudeOAuthCredentialsStoreTests.swift | 177 ++---------- ...deOAuthDelegatedRefreshRecoveryTests.swift | 45 +-- Tests/CodexBarTests/ClaudeUsageTests.swift | 129 +++++++-- 6 files changed, 484 insertions(+), 203 deletions(-) create mode 100644 Tests/CodexBarTests/ClaudeOAuthCredentialsStorePromptPolicyTests.swift diff --git a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials.swift b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials.swift index c8fa63d7d..ee0de09eb 100644 --- a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials.swift +++ b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials.swift @@ -783,7 +783,8 @@ public enum ClaudeOAuthCredentialsStore { public static func hasClaudeKeychainCredentialsWithoutPrompt() -> Bool { #if os(macOS) - if !self.keychainAccessAllowed { return false } + let mode = ClaudeOAuthKeychainPromptPreference.current() + guard self.shouldAllowClaudeCodeKeychainAccess(mode: mode) else { return false } if ProviderInteractionContext.current == .background, !ClaudeOAuthKeychainAccessGate.shouldAllowPrompt() { return false } @@ -819,7 +820,8 @@ public enum ClaudeOAuthCredentialsStore { now: Date = Date()) -> ClaudeOAuthCredentialRecord? { #if os(macOS) - if !self.keychainAccessAllowed { return nil } + let mode = ClaudeOAuthKeychainPromptPreference.current() + guard self.shouldAllowClaudeCodeKeychainAccess(mode: mode) else { return nil } if respectKeychainPromptCooldown, !ClaudeOAuthKeychainAccessGate.shouldAllowPrompt(now: now) { @@ -921,7 +923,8 @@ public enum ClaudeOAuthCredentialsStore { respectKeychainPromptCooldown: Bool) -> ClaudeOAuthCredentialRecord? { #if os(macOS) - if !self.keychainAccessAllowed { return nil } + let mode = ClaudeOAuthKeychainPromptPreference.current() + guard self.shouldAllowClaudeCodeKeychainAccess(mode: mode) else { return nil } // If Keychain preflight indicates interaction is likely, skip the silent repair read. // Why: non-interactive probes can still show UI on some systems, and if interaction is required we should @@ -1038,16 +1041,14 @@ public enum ClaudeOAuthCredentialsStore { } private static func currentClaudeKeychainFingerprintWithoutPrompt() -> ClaudeKeychainFingerprint? { + let mode = ClaudeOAuthKeychainPromptPreference.current() + guard self.shouldAllowClaudeCodeKeychainAccess(mode: mode) else { return nil } #if DEBUG if let store = taskClaudeKeychainOverrideStore { return store.fingerprint } if let override = taskClaudeKeychainFingerprintOverride ?? self .claudeKeychainFingerprintOverride { return override } #endif #if os(macOS) - if !self.keychainAccessAllowed { - return nil - } - let newest: ClaudeKeychainCandidate? = self.claudeKeychainCandidatesWithoutPrompt().first ?? self.claudeKeychainLegacyCandidateWithoutPrompt() guard let newest else { return nil } @@ -1086,15 +1087,13 @@ public enum ClaudeOAuthCredentialsStore { } private static func loadFromClaudeKeychainNonInteractive() throws -> Data? { + let mode = ClaudeOAuthKeychainPromptPreference.current() + guard self.shouldAllowClaudeCodeKeychainAccess(mode: mode) else { return nil } #if DEBUG if let store = taskClaudeKeychainOverrideStore { return store.data } if let override = taskClaudeKeychainDataOverride ?? self.claudeKeychainDataOverride { return override } #endif #if os(macOS) - if !self.keychainAccessAllowed { - return nil - } - // Keep semantics aligned with fingerprinting: if there are multiple entries, we only ever consult the newest // candidate (same as currentClaudeKeychainFingerprintWithoutPrompt()) to avoid syncing from a different item. let candidates = self.claudeKeychainCandidatesWithoutPrompt() @@ -1119,13 +1118,14 @@ public enum ClaudeOAuthCredentialsStore { } public static func loadFromClaudeKeychain() throws -> Data { + let mode = ClaudeOAuthKeychainPromptPreference.current() + guard self.shouldAllowClaudeCodeKeychainAccess(mode: mode) else { + throw ClaudeOAuthCredentialsError.notFound + } #if DEBUG if let override = self.claudeKeychainDataOverride { return override } #endif #if os(macOS) - if !self.keychainAccessAllowed { - throw ClaudeOAuthCredentialsError.notFound - } let candidates = self.claudeKeychainCandidatesWithoutPrompt() if let newest = candidates.first { do { @@ -1187,6 +1187,8 @@ public enum ClaudeOAuthCredentialsStore { } private static func claudeKeychainCandidatesWithoutPrompt() -> [ClaudeKeychainCandidate] { + let mode = ClaudeOAuthKeychainPromptPreference.current() + guard self.shouldAllowClaudeCodeKeychainAccess(mode: mode) else { return [] } if ProviderInteractionContext.current == .background, !ClaudeOAuthKeychainAccessGate.shouldAllowPrompt() { return [] } var query: [String: Any] = [ @@ -1224,6 +1226,8 @@ public enum ClaudeOAuthCredentialsStore { } private static func claudeKeychainLegacyCandidateWithoutPrompt() -> ClaudeKeychainCandidate? { + let mode = ClaudeOAuthKeychainPromptPreference.current() + guard self.shouldAllowClaudeCodeKeychainAccess(mode: mode) else { return nil } if ProviderInteractionContext.current == .background, !ClaudeOAuthKeychainAccessGate.shouldAllowPrompt() { return nil } var query: [String: Any] = [ @@ -1255,6 +1259,8 @@ public enum ClaudeOAuthCredentialsStore { candidate: ClaudeKeychainCandidate, allowKeychainPrompt: Bool) throws -> Data? { + let mode = ClaudeOAuthKeychainPromptPreference.current() + guard self.shouldAllowClaudeCodeKeychainAccess(mode: mode) else { return nil } self.log.debug( "Claude keychain data read start", metadata: [ @@ -1313,6 +1319,8 @@ public enum ClaudeOAuthCredentialsStore { } private static func loadClaudeKeychainLegacyData(allowKeychainPrompt: Bool) throws -> Data? { + let mode = ClaudeOAuthKeychainPromptPreference.current() + guard self.shouldAllowClaudeCodeKeychainAccess(mode: mode) else { return nil } self.log.debug( "Claude keychain legacy data read start", metadata: [ @@ -1439,6 +1447,20 @@ public enum ClaudeOAuthCredentialsStore { return !KeychainAccessGate.isDisabled } + private static func shouldAllowClaudeCodeKeychainAccess( + mode: ClaudeOAuthKeychainPromptMode = ClaudeOAuthKeychainPromptPreference.current()) -> Bool + { + guard self.keychainAccessAllowed else { return false } + switch mode { + case .never: + return false + case .onlyOnUserAction: + return ProviderInteractionContext.current == .userInitiated + case .always: + return true + } + } + private static func credentialsFileURL() -> URL { #if DEBUG if let override = self.taskCredentialsURLOverride { return override } @@ -1509,7 +1531,8 @@ extension ClaudeOAuthCredentialsStore { @discardableResult static func syncFromClaudeKeychainWithoutPrompt(now: Date = Date()) -> Bool { #if os(macOS) - if !self.keychainAccessAllowed { return false } + let mode = ClaudeOAuthKeychainPromptPreference.current() + guard self.shouldAllowClaudeCodeKeychainAccess(mode: mode) else { return false } // If background keychain access has been denied/blocked, don't attempt silent reads that could trigger // repeated prompts on misbehaving configurations. User actions clear/bypass this gate elsewhere. @@ -1582,7 +1605,9 @@ extension ClaudeOAuthCredentialsStore { } private static func shouldShowClaudeKeychainPreAlert() -> Bool { - switch KeychainAccessPreflight.checkGenericPassword(service: self.claudeKeychainService, account: nil) { + let mode = ClaudeOAuthKeychainPromptPreference.current() + guard self.shouldAllowClaudeCodeKeychainAccess(mode: mode) else { return false } + return switch KeychainAccessPreflight.checkGenericPassword(service: self.claudeKeychainService, account: nil) { case .interactionRequired: true case .failure: diff --git a/Sources/CodexBarCore/Providers/Claude/ClaudeUsageFetcher.swift b/Sources/CodexBarCore/Providers/Claude/ClaudeUsageFetcher.swift index 9b128544f..5fbb9f114 100644 --- a/Sources/CodexBarCore/Providers/Claude/ClaudeUsageFetcher.swift +++ b/Sources/CodexBarCore/Providers/Claude/ClaudeUsageFetcher.swift @@ -110,6 +110,18 @@ public struct ClaudeUsageFetcher: ClaudeUsageFetching, Sendable { return policy } + private static func assertDelegatedRefreshAllowedInCurrentInteraction( + policy: ClaudeOAuthKeychainPromptPolicy) throws + { + if policy.mode == .onlyOnUserAction, + policy.interaction != .userInitiated + { + throw ClaudeUsageError.oauthFailed( + "Claude OAuth token expired, but background repair is suppressed when Keychain prompt policy " + + "is set to only prompt on user action. Open the CodexBar menu or click Refresh to retry.") + } + } + #if DEBUG @TaskLocal static var loadOAuthCredentialsOverride: (@Sendable ( [String: String], @@ -383,6 +395,9 @@ public struct ClaudeUsageFetcher: ClaudeUsageFetching, Sendable { try Task.checkCancellation() + let delegatedPromptPolicy = Self.currentClaudeOAuthKeychainPromptPolicy() + try Self.assertDelegatedRefreshAllowedInCurrentInteraction(policy: delegatedPromptPolicy) + let delegatedOutcome = await Self.attemptDelegatedRefresh() Self.log.info( "Claude OAuth delegated refresh attempted", diff --git a/Tests/CodexBarTests/ClaudeOAuthCredentialsStorePromptPolicyTests.swift b/Tests/CodexBarTests/ClaudeOAuthCredentialsStorePromptPolicyTests.swift new file mode 100644 index 000000000..9706327e9 --- /dev/null +++ b/Tests/CodexBarTests/ClaudeOAuthCredentialsStorePromptPolicyTests.swift @@ -0,0 +1,264 @@ +import Foundation +import Testing +@testable import CodexBarCore + +@Suite(.serialized) +struct ClaudeOAuthCredentialsStorePromptPolicyTests { + private func makeCredentialsData(accessToken: String, expiresAt: Date, refreshToken: String? = nil) -> Data { + let millis = Int(expiresAt.timeIntervalSince1970 * 1000) + let refreshField: String = { + guard let refreshToken else { return "" } + return ",\n \"refreshToken\": \"\(refreshToken)\"" + }() + let json = """ + { + "claudeAiOauth": { + "accessToken": "\(accessToken)", + "expiresAt": \(millis), + "scopes": ["user:profile"]\(refreshField) + } + } + """ + return Data(json.utf8) + } + + @Test + func doesNotReadClaudeKeychainInBackgroundWhenPromptModeOnlyOnUserAction() throws { + let service = "com.steipete.codexbar.cache.tests.\(UUID().uuidString)" + try KeychainCacheStore.withServiceOverrideForTesting(service) { + try KeychainAccessGate.withTaskOverrideForTesting(false) { + KeychainCacheStore.setTestStoreForTesting(true) + defer { KeychainCacheStore.setTestStoreForTesting(false) } + + ClaudeOAuthCredentialsStore.invalidateCache() + ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() + defer { + ClaudeOAuthCredentialsStore.invalidateCache() + ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() + ClaudeOAuthCredentialsStore._resetClaudeKeychainChangeTrackingForTesting() + ClaudeOAuthCredentialsStore.setClaudeKeychainDataOverrideForTesting(nil) + ClaudeOAuthCredentialsStore.setClaudeKeychainFingerprintOverrideForTesting(nil) + } + + let tempDir = FileManager.default.temporaryDirectory + .appendingPathComponent(UUID().uuidString, isDirectory: true) + try FileManager.default.createDirectory(at: tempDir, withIntermediateDirectories: true) + let fileURL = tempDir.appendingPathComponent("credentials.json") + + try ClaudeOAuthCredentialsStore.withCredentialsURLOverrideForTesting(fileURL) { + ClaudeOAuthCredentialsStore._resetClaudeKeychainChangeTrackingForTesting() + + let fingerprint = ClaudeOAuthCredentialsStore.ClaudeKeychainFingerprint( + modifiedAt: 1, + createdAt: 1, + persistentRefHash: "ref1") + let keychainData = self.makeCredentialsData( + accessToken: "keychain-token", + expiresAt: Date(timeIntervalSinceNow: 3600)) + + do { + _ = try ClaudeOAuthKeychainPromptPreference.withTaskOverrideForTesting(.onlyOnUserAction) { + try ProviderInteractionContext.$current.withValue(.background) { + try ClaudeOAuthCredentialsStore.withClaudeKeychainOverridesForTesting( + data: keychainData, + fingerprint: fingerprint) + { + try ClaudeOAuthCredentialsStore.load(environment: [:], allowKeychainPrompt: false) + } + } + } + Issue.record("Expected ClaudeOAuthCredentialsError.notFound") + } catch let error as ClaudeOAuthCredentialsError { + guard case .notFound = error else { + Issue.record("Expected .notFound, got \(error)") + return + } + } + } + } + } + } + + @Test + func canReadClaudeKeychainOnUserActionWhenPromptModeOnlyOnUserAction() throws { + let service = "com.steipete.codexbar.cache.tests.\(UUID().uuidString)" + try KeychainCacheStore.withServiceOverrideForTesting(service) { + try KeychainAccessGate.withTaskOverrideForTesting(false) { + KeychainCacheStore.setTestStoreForTesting(true) + defer { KeychainCacheStore.setTestStoreForTesting(false) } + + ClaudeOAuthCredentialsStore.invalidateCache() + ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() + defer { + ClaudeOAuthCredentialsStore.invalidateCache() + ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() + ClaudeOAuthCredentialsStore._resetClaudeKeychainChangeTrackingForTesting() + ClaudeOAuthCredentialsStore.setClaudeKeychainDataOverrideForTesting(nil) + ClaudeOAuthCredentialsStore.setClaudeKeychainFingerprintOverrideForTesting(nil) + } + + let tempDir = FileManager.default.temporaryDirectory + .appendingPathComponent(UUID().uuidString, isDirectory: true) + try FileManager.default.createDirectory(at: tempDir, withIntermediateDirectories: true) + let fileURL = tempDir.appendingPathComponent("credentials.json") + + try ClaudeOAuthCredentialsStore.withCredentialsURLOverrideForTesting(fileURL) { + ClaudeOAuthCredentialsStore._resetClaudeKeychainChangeTrackingForTesting() + + let fingerprint = ClaudeOAuthCredentialsStore.ClaudeKeychainFingerprint( + modifiedAt: 1, + createdAt: 1, + persistentRefHash: "ref1") + let keychainData = self.makeCredentialsData( + accessToken: "keychain-token", + expiresAt: Date(timeIntervalSinceNow: 3600)) + + let creds = try ClaudeOAuthKeychainPromptPreference.withTaskOverrideForTesting(.onlyOnUserAction) { + try ProviderInteractionContext.$current.withValue(.userInitiated) { + try ClaudeOAuthCredentialsStore.withClaudeKeychainOverridesForTesting( + data: keychainData, + fingerprint: fingerprint) + { + try ClaudeOAuthCredentialsStore.load(environment: [:], allowKeychainPrompt: false) + } + } + } + + #expect(creds.accessToken == "keychain-token") + } + } + } + } + + @Test + func doesNotShowPreAlertWhenClaudeKeychainReadableWithoutInteraction() throws { + KeychainCacheStore.setTestStoreForTesting(true) + defer { KeychainCacheStore.setTestStoreForTesting(false) } + + ClaudeOAuthCredentialsStore.invalidateCache() + ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() + defer { + ClaudeOAuthCredentialsStore.invalidateCache() + ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() + ClaudeOAuthCredentialsStore.setClaudeKeychainDataOverrideForTesting(nil) + KeychainPromptHandler.handler = nil + KeychainAccessPreflight.setCheckGenericPasswordOverrideForTesting(nil) + } + + let tempDir = FileManager.default.temporaryDirectory + .appendingPathComponent(UUID().uuidString, isDirectory: true) + try FileManager.default.createDirectory(at: tempDir, withIntermediateDirectories: true) + let fileURL = tempDir.appendingPathComponent("credentials.json") + try ClaudeOAuthCredentialsStore.withCredentialsURLOverrideForTesting(fileURL) { + let keychainData = self.makeCredentialsData( + accessToken: "keychain-token", + expiresAt: Date(timeIntervalSinceNow: 3600)) + ClaudeOAuthCredentialsStore.setClaudeKeychainDataOverrideForTesting(keychainData) + + KeychainAccessPreflight.setCheckGenericPasswordOverrideForTesting { _, _ in + .allowed + } + + var preAlertHits = 0 + KeychainPromptHandler.handler = { _ in + preAlertHits += 1 + } + + let creds = try ClaudeOAuthKeychainPromptPreference.withTaskOverrideForTesting(.onlyOnUserAction) { + try ProviderInteractionContext.$current.withValue(.userInitiated) { + try ClaudeOAuthCredentialsStore.load(environment: [:], allowKeychainPrompt: true) + } + } + #expect(creds.accessToken == "keychain-token") + #expect(preAlertHits == 0) + } + } + + @Test + func showsPreAlertWhenClaudeKeychainLikelyRequiresInteraction() throws { + KeychainCacheStore.setTestStoreForTesting(true) + defer { KeychainCacheStore.setTestStoreForTesting(false) } + + ClaudeOAuthCredentialsStore.invalidateCache() + ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() + defer { + ClaudeOAuthCredentialsStore.invalidateCache() + ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() + ClaudeOAuthCredentialsStore.setClaudeKeychainDataOverrideForTesting(nil) + KeychainPromptHandler.handler = nil + KeychainAccessPreflight.setCheckGenericPasswordOverrideForTesting(nil) + } + + let tempDir = FileManager.default.temporaryDirectory + .appendingPathComponent(UUID().uuidString, isDirectory: true) + try FileManager.default.createDirectory(at: tempDir, withIntermediateDirectories: true) + let fileURL = tempDir.appendingPathComponent("credentials.json") + try ClaudeOAuthCredentialsStore.withCredentialsURLOverrideForTesting(fileURL) { + let keychainData = self.makeCredentialsData( + accessToken: "keychain-token", + expiresAt: Date(timeIntervalSinceNow: 3600)) + ClaudeOAuthCredentialsStore.setClaudeKeychainDataOverrideForTesting(keychainData) + + KeychainAccessPreflight.setCheckGenericPasswordOverrideForTesting { _, _ in + .interactionRequired + } + + var preAlertHits = 0 + KeychainPromptHandler.handler = { _ in + preAlertHits += 1 + } + + let creds = try ClaudeOAuthKeychainPromptPreference.withTaskOverrideForTesting(.onlyOnUserAction) { + try ProviderInteractionContext.$current.withValue(.userInitiated) { + try ClaudeOAuthCredentialsStore.load(environment: [:], allowKeychainPrompt: true) + } + } + #expect(creds.accessToken == "keychain-token") + #expect(preAlertHits == 1) + } + } + + @Test + func showsPreAlertWhenClaudeKeychainPreflightFails() throws { + KeychainCacheStore.setTestStoreForTesting(true) + defer { KeychainCacheStore.setTestStoreForTesting(false) } + + ClaudeOAuthCredentialsStore.invalidateCache() + ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() + defer { + ClaudeOAuthCredentialsStore.invalidateCache() + ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() + ClaudeOAuthCredentialsStore.setClaudeKeychainDataOverrideForTesting(nil) + KeychainPromptHandler.handler = nil + KeychainAccessPreflight.setCheckGenericPasswordOverrideForTesting(nil) + } + + let tempDir = FileManager.default.temporaryDirectory + .appendingPathComponent(UUID().uuidString, isDirectory: true) + try FileManager.default.createDirectory(at: tempDir, withIntermediateDirectories: true) + let fileURL = tempDir.appendingPathComponent("credentials.json") + try ClaudeOAuthCredentialsStore.withCredentialsURLOverrideForTesting(fileURL) { + let keychainData = self.makeCredentialsData( + accessToken: "keychain-token", + expiresAt: Date(timeIntervalSinceNow: 3600)) + ClaudeOAuthCredentialsStore.setClaudeKeychainDataOverrideForTesting(keychainData) + + KeychainAccessPreflight.setCheckGenericPasswordOverrideForTesting { _, _ in + .failure(-1) + } + + var preAlertHits = 0 + KeychainPromptHandler.handler = { _ in + preAlertHits += 1 + } + + let creds = try ClaudeOAuthKeychainPromptPreference.withTaskOverrideForTesting(.onlyOnUserAction) { + try ProviderInteractionContext.$current.withValue(.userInitiated) { + try ClaudeOAuthCredentialsStore.load(environment: [:], allowKeychainPrompt: true) + } + } + #expect(creds.accessToken == "keychain-token") + #expect(preAlertHits == 1) + } + } +} diff --git a/Tests/CodexBarTests/ClaudeOAuthCredentialsStoreTests.swift b/Tests/CodexBarTests/ClaudeOAuthCredentialsStoreTests.swift index a5df002e0..566f83b81 100644 --- a/Tests/CodexBarTests/ClaudeOAuthCredentialsStoreTests.swift +++ b/Tests/CodexBarTests/ClaudeOAuthCredentialsStoreTests.swift @@ -27,12 +27,10 @@ struct ClaudeOAuthCredentialsStoreTests { let service = "com.steipete.codexbar.cache.tests.\(UUID().uuidString)" try ProviderInteractionContext.$current.withValue(.background) { try KeychainCacheStore.withServiceOverrideForTesting(service) { - try KeychainAccessGate.withTaskOverrideForTesting(true) { + try KeychainAccessGate.withTaskOverrideForTesting(false) { KeychainCacheStore.setTestStoreForTesting(true) defer { KeychainCacheStore.setTestStoreForTesting(false) } - ClaudeOAuthCredentialsStore.setKeychainAccessOverrideForTesting(true) - defer { ClaudeOAuthCredentialsStore.setKeychainAccessOverrideForTesting(nil) } ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() defer { ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() } @@ -54,10 +52,15 @@ struct ClaudeOAuthCredentialsStoreTests { ClaudeOAuthCredentialsStore.invalidateCache() KeychainCacheStore.store(key: cacheKey, entry: cacheEntry) defer { KeychainCacheStore.clear(key: cacheKey) } - _ = try ClaudeOAuthCredentialsStore.load(environment: [:]) + _ = try ClaudeOAuthKeychainPromptPreference.withTaskOverrideForTesting(.onlyOnUserAction) { + try ClaudeOAuthCredentialsStore.load(environment: [:], allowKeychainPrompt: false) + } // Re-store to cache after file check has marked file as "seen" KeychainCacheStore.store(key: cacheKey, entry: cacheEntry) - let creds = try ClaudeOAuthCredentialsStore.load(environment: [:]) + let creds = try ClaudeOAuthKeychainPromptPreference + .withTaskOverrideForTesting(.onlyOnUserAction) { + try ClaudeOAuthCredentialsStore.load(environment: [:], allowKeychainPrompt: false) + } #expect(creds.accessToken == "cached") #expect(creds.isExpired == false) @@ -88,31 +91,33 @@ struct ClaudeOAuthCredentialsStoreTests { expiresAt: Date(timeIntervalSinceNow: 3600)) // Simulate Claude Keychain containing creds, without querying the real Keychain. - try ClaudeOAuthCredentialsStore - .withClaudeKeychainOverridesForTesting(data: keychainData, fingerprint: nil) { - // When repair is disabled, non-interactive loads should not consult Claude's keychain data. - do { - _ = try ClaudeOAuthCredentialsStore.loadRecord( + try ProviderInteractionContext.$current.withValue(.userInitiated) { + try ClaudeOAuthCredentialsStore + .withClaudeKeychainOverridesForTesting(data: keychainData, fingerprint: nil) { + // When repair is disabled, non-interactive loads should not consult Claude's keychain data. + do { + _ = try ClaudeOAuthCredentialsStore.loadRecord( + environment: [:], + allowKeychainPrompt: false, + respectKeychainPromptCooldown: true, + allowClaudeKeychainRepairWithoutPrompt: false) + Issue.record("Expected ClaudeOAuthCredentialsError.notFound") + } catch let error as ClaudeOAuthCredentialsError { + guard case .notFound = error else { + Issue.record("Expected .notFound, got \(error)") + return + } + } + + // With repair enabled, we should be able to seed from the "Claude keychain" override. + let record = try ClaudeOAuthCredentialsStore.loadRecord( environment: [:], allowKeychainPrompt: false, respectKeychainPromptCooldown: true, - allowClaudeKeychainRepairWithoutPrompt: false) - Issue.record("Expected ClaudeOAuthCredentialsError.notFound") - } catch let error as ClaudeOAuthCredentialsError { - guard case .notFound = error else { - Issue.record("Expected .notFound, got \(error)") - return - } + allowClaudeKeychainRepairWithoutPrompt: true) + #expect(record.credentials.accessToken == "claude-keychain") } - - // With repair enabled, we should be able to seed from the "Claude keychain" override. - let record = try ClaudeOAuthCredentialsStore.loadRecord( - environment: [:], - allowKeychainPrompt: false, - respectKeychainPromptCooldown: true, - allowClaudeKeychainRepairWithoutPrompt: true) - #expect(record.credentials.accessToken == "claude-keychain") - } + } } } @@ -785,126 +790,6 @@ struct ClaudeOAuthCredentialsStoreTests { } } - @Test - func doesNotShowPreAlertWhenClaudeKeychainReadableWithoutInteraction() throws { - KeychainCacheStore.setTestStoreForTesting(true) - defer { KeychainCacheStore.setTestStoreForTesting(false) } - - ClaudeOAuthCredentialsStore.invalidateCache() - ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() - defer { - ClaudeOAuthCredentialsStore.invalidateCache() - ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() - ClaudeOAuthCredentialsStore.setClaudeKeychainDataOverrideForTesting(nil) - KeychainPromptHandler.handler = nil - KeychainAccessPreflight.setCheckGenericPasswordOverrideForTesting(nil) - } - - let tempDir = FileManager.default.temporaryDirectory - .appendingPathComponent(UUID().uuidString, isDirectory: true) - try FileManager.default.createDirectory(at: tempDir, withIntermediateDirectories: true) - let fileURL = tempDir.appendingPathComponent("credentials.json") - try ClaudeOAuthCredentialsStore.withCredentialsURLOverrideForTesting(fileURL) { - let keychainData = self.makeCredentialsData( - accessToken: "keychain-token", - expiresAt: Date(timeIntervalSinceNow: 3600)) - ClaudeOAuthCredentialsStore.setClaudeKeychainDataOverrideForTesting(keychainData) - - KeychainAccessPreflight.setCheckGenericPasswordOverrideForTesting { _, _ in - .allowed - } - - var preAlertHits = 0 - KeychainPromptHandler.handler = { _ in - preAlertHits += 1 - } - - let creds = try ClaudeOAuthCredentialsStore.load(environment: [:], allowKeychainPrompt: true) - #expect(creds.accessToken == "keychain-token") - #expect(preAlertHits == 0) - } - } - - @Test - func showsPreAlertWhenClaudeKeychainLikelyRequiresInteraction() throws { - KeychainCacheStore.setTestStoreForTesting(true) - defer { KeychainCacheStore.setTestStoreForTesting(false) } - - ClaudeOAuthCredentialsStore.invalidateCache() - ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() - defer { - ClaudeOAuthCredentialsStore.invalidateCache() - ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() - ClaudeOAuthCredentialsStore.setClaudeKeychainDataOverrideForTesting(nil) - KeychainPromptHandler.handler = nil - KeychainAccessPreflight.setCheckGenericPasswordOverrideForTesting(nil) - } - - let tempDir = FileManager.default.temporaryDirectory - .appendingPathComponent(UUID().uuidString, isDirectory: true) - try FileManager.default.createDirectory(at: tempDir, withIntermediateDirectories: true) - let fileURL = tempDir.appendingPathComponent("credentials.json") - try ClaudeOAuthCredentialsStore.withCredentialsURLOverrideForTesting(fileURL) { - let keychainData = self.makeCredentialsData( - accessToken: "keychain-token", - expiresAt: Date(timeIntervalSinceNow: 3600)) - ClaudeOAuthCredentialsStore.setClaudeKeychainDataOverrideForTesting(keychainData) - - KeychainAccessPreflight.setCheckGenericPasswordOverrideForTesting { _, _ in - .interactionRequired - } - - var preAlertHits = 0 - KeychainPromptHandler.handler = { _ in - preAlertHits += 1 - } - - let creds = try ClaudeOAuthCredentialsStore.load(environment: [:], allowKeychainPrompt: true) - #expect(creds.accessToken == "keychain-token") - #expect(preAlertHits == 1) - } - } - - @Test - func showsPreAlertWhenClaudeKeychainPreflightFails() throws { - KeychainCacheStore.setTestStoreForTesting(true) - defer { KeychainCacheStore.setTestStoreForTesting(false) } - - ClaudeOAuthCredentialsStore.invalidateCache() - ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() - defer { - ClaudeOAuthCredentialsStore.invalidateCache() - ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() - ClaudeOAuthCredentialsStore.setClaudeKeychainDataOverrideForTesting(nil) - KeychainPromptHandler.handler = nil - KeychainAccessPreflight.setCheckGenericPasswordOverrideForTesting(nil) - } - - let tempDir = FileManager.default.temporaryDirectory - .appendingPathComponent(UUID().uuidString, isDirectory: true) - try FileManager.default.createDirectory(at: tempDir, withIntermediateDirectories: true) - let fileURL = tempDir.appendingPathComponent("credentials.json") - try ClaudeOAuthCredentialsStore.withCredentialsURLOverrideForTesting(fileURL) { - let keychainData = self.makeCredentialsData( - accessToken: "keychain-token", - expiresAt: Date(timeIntervalSinceNow: 3600)) - ClaudeOAuthCredentialsStore.setClaudeKeychainDataOverrideForTesting(keychainData) - - KeychainAccessPreflight.setCheckGenericPasswordOverrideForTesting { _, _ in - .failure(-1) - } - - var preAlertHits = 0 - KeychainPromptHandler.handler = { _ in - preAlertHits += 1 - } - - let creds = try ClaudeOAuthCredentialsStore.load(environment: [:], allowKeychainPrompt: true) - #expect(creds.accessToken == "keychain-token") - #expect(preAlertHits == 1) - } - } - @Test func syncFromClaudeKeychainWithoutPrompt_respectsBackoffInBackground() { ProviderInteractionContext.$current.withValue(.background) { diff --git a/Tests/CodexBarTests/ClaudeOAuthDelegatedRefreshRecoveryTests.swift b/Tests/CodexBarTests/ClaudeOAuthDelegatedRefreshRecoveryTests.swift index d8b3d3a4f..2e81cbe88 100644 --- a/Tests/CodexBarTests/ClaudeOAuthDelegatedRefreshRecoveryTests.swift +++ b/Tests/CodexBarTests/ClaudeOAuthDelegatedRefreshRecoveryTests.swift @@ -123,17 +123,22 @@ struct ClaudeOAuthDelegatedRefreshRecoveryTests { return .attemptedSucceeded } - let snapshot = try await ClaudeOAuthCredentialsStore.withClaudeKeychainOverridesForTesting( - data: freshData, - fingerprint: fingerprint) - { - try await ClaudeUsageFetcher.$fetchOAuthUsageOverride.withValue(fetchOverride) { - try await ClaudeUsageFetcher.$delegatedRefreshAttemptOverride - .withValue(delegatedOverride) { - try await fetcher.loadLatestUsage(model: "sonnet") + let snapshot = try await ClaudeOAuthKeychainPromptPreference + .withTaskOverrideForTesting(.onlyOnUserAction) { + try await ProviderInteractionContext.$current.withValue(.userInitiated) { + try await ClaudeOAuthCredentialsStore.withClaudeKeychainOverridesForTesting( + data: freshData, + fingerprint: fingerprint) + { + try await ClaudeUsageFetcher.$fetchOAuthUsageOverride.withValue(fetchOverride) { + try await ClaudeUsageFetcher.$delegatedRefreshAttemptOverride + .withValue(delegatedOverride) { + try await fetcher.loadLatestUsage(model: "sonnet") + } + } } + } } - } // If Claude keychain already contains fresh credentials, we should recover without needing a // CLI @@ -222,14 +227,20 @@ struct ClaudeOAuthDelegatedRefreshRecoveryTests { return .attemptedSucceeded } - let snapshot = try await ClaudeOAuthCredentialsStore - .withMutableClaudeKeychainOverrideStoreForTesting( - keychainOverrideStore) - { - try await ClaudeUsageFetcher.$fetchOAuthUsageOverride.withValue(fetchOverride) { - try await ClaudeUsageFetcher.$delegatedRefreshAttemptOverride - .withValue(delegatedOverride) { - try await fetcher.loadLatestUsage(model: "sonnet") + let snapshot = try await ClaudeOAuthKeychainPromptPreference + .withTaskOverrideForTesting(.onlyOnUserAction) { + try await ProviderInteractionContext.$current.withValue(.userInitiated) { + try await ClaudeOAuthCredentialsStore + .withMutableClaudeKeychainOverrideStoreForTesting( + keychainOverrideStore) + { + try await ClaudeUsageFetcher.$fetchOAuthUsageOverride + .withValue(fetchOverride) { + try await ClaudeUsageFetcher.$delegatedRefreshAttemptOverride + .withValue(delegatedOverride) { + try await fetcher.loadLatestUsage(model: "sonnet") + } + } } } } diff --git a/Tests/CodexBarTests/ClaudeUsageTests.swift b/Tests/CodexBarTests/ClaudeUsageTests.swift index ddf6d715f..4fae8fbad 100644 --- a/Tests/CodexBarTests/ClaudeUsageTests.swift +++ b/Tests/CodexBarTests/ClaudeUsageTests.swift @@ -80,13 +80,20 @@ struct ClaudeUsageTests { rateLimitTier: nil) } - let snapshot = try await ClaudeUsageFetcher.$fetchOAuthUsageOverride.withValue(fetchOverride, operation: { - try await ClaudeUsageFetcher.$delegatedRefreshAttemptOverride.withValue(delegatedOverride, operation: { - try await ClaudeUsageFetcher.$loadOAuthCredentialsOverride.withValue(loadCredsOverride, operation: { - try await fetcher.loadLatestUsage(model: "sonnet") + let snapshot = try await ClaudeOAuthKeychainPromptPreference.withTaskOverrideForTesting(.onlyOnUserAction) { + try await ProviderInteractionContext.$current.withValue(.userInitiated) { + try await ClaudeUsageFetcher.$fetchOAuthUsageOverride.withValue(fetchOverride, operation: { + try await ClaudeUsageFetcher.$delegatedRefreshAttemptOverride.withValue( + delegatedOverride, + operation: { + try await ClaudeUsageFetcher.$loadOAuthCredentialsOverride + .withValue(loadCredsOverride, operation: { + try await fetcher.loadLatestUsage(model: "sonnet") + }) + }) }) - }) - }) + } + } #expect(await loadCounter.current() == 2) #expect(await delegatedCounter.current() == 1) @@ -119,11 +126,19 @@ struct ClaudeUsageTests { throw ClaudeOAuthCredentialsError.refreshDelegatedToClaudeCLI } - _ = try await ClaudeUsageFetcher.$delegatedRefreshAttemptOverride.withValue(delegatedOverride, operation: { - try await ClaudeUsageFetcher.$loadOAuthCredentialsOverride.withValue(loadCredsOverride, operation: { - try await fetcher.loadLatestUsage(model: "sonnet") - }) - }) + _ = try await ClaudeOAuthKeychainPromptPreference.withTaskOverrideForTesting(.onlyOnUserAction) { + try await ProviderInteractionContext.$current.withValue(.userInitiated) { + try await ClaudeUsageFetcher.$delegatedRefreshAttemptOverride.withValue( + delegatedOverride, + operation: { + try await ClaudeUsageFetcher.$loadOAuthCredentialsOverride.withValue( + loadCredsOverride, + operation: { + try await fetcher.loadLatestUsage(model: "sonnet") + }) + }) + } + } Issue.record("Expected delegated retry to fail when credentials remain expired") } catch let error as ClaudeUsageError { guard case let .oauthFailed(message) = error else { @@ -164,11 +179,19 @@ struct ClaudeUsageTests { } do { - _ = try await ClaudeUsageFetcher.$delegatedRefreshAttemptOverride.withValue(delegatedOverride, operation: { - try await ClaudeUsageFetcher.$loadOAuthCredentialsOverride.withValue(loadCredsOverride, operation: { - try await fetcher.loadLatestUsage(model: "sonnet") - }) - }) + _ = try await ClaudeOAuthKeychainPromptPreference.withTaskOverrideForTesting(.onlyOnUserAction) { + try await ProviderInteractionContext.$current.withValue(.userInitiated) { + try await ClaudeUsageFetcher.$delegatedRefreshAttemptOverride.withValue( + delegatedOverride, + operation: { + try await ClaudeUsageFetcher.$loadOAuthCredentialsOverride.withValue( + loadCredsOverride, + operation: { + try await fetcher.loadLatestUsage(model: "sonnet") + }) + }) + } + } Issue.record("Expected delegated retry to fail fast when CLI is unavailable") } catch let error as ClaudeUsageError { guard case let .oauthFailed(message) = error else { @@ -225,21 +248,79 @@ struct ClaudeUsageTests { rateLimitTier: nil) } - let snapshot = try await ClaudeUsageFetcher.$fetchOAuthUsageOverride.withValue(fetchOverride, operation: { - try await ClaudeUsageFetcher.$delegatedRefreshAttemptOverride.withValue(delegatedOverride, operation: { - try await ClaudeUsageFetcher.$loadOAuthCredentialsOverride.withValue(loadCredsOverride, operation: { - try await fetcher.loadLatestUsage(model: "sonnet") + let snapshot = try await ClaudeOAuthKeychainPromptPreference.withTaskOverrideForTesting(.onlyOnUserAction) { + try await ProviderInteractionContext.$current.withValue(.userInitiated) { + try await ClaudeUsageFetcher.$fetchOAuthUsageOverride.withValue(fetchOverride, operation: { + try await ClaudeUsageFetcher.$delegatedRefreshAttemptOverride.withValue( + delegatedOverride, + operation: { + try await ClaudeUsageFetcher.$loadOAuthCredentialsOverride + .withValue(loadCredsOverride, operation: { + try await fetcher.loadLatestUsage(model: "sonnet") + }) + }) }) - }) - }) + } + } #expect(await loadCounter.current() == 2) #expect(await delegatedCounter.current() == 1) #expect(snapshot.primary.usedPercent == 7) - // Second call in Auto-mode must keep Keychain non-interactive (allowKeychainPrompt=false). + // User-initiated repair: if the delegated refresh couldn't sync silently, we may allow an interactive prompt + // on the retry to help recovery. #expect(flags.allowKeychainPromptFlags.count == 2) - #expect(flags.allowKeychainPromptFlags[1] == false) + #expect(flags.allowKeychainPromptFlags[1] == true) + } + + @Test + func oauthDelegatedRetry_onlyOnUserAction_background_suppressesDelegation() async throws { + let loadCounter = AsyncCounter() + let delegatedCounter = AsyncCounter() + + let fetcher = ClaudeUsageFetcher( + browserDetection: BrowserDetection(cacheTTL: 0), + environment: [:], + dataSource: .oauth, + oauthKeychainPromptCooldownEnabled: true) + + let delegatedOverride: (@Sendable ( + Date, + TimeInterval) async -> ClaudeOAuthDelegatedRefreshCoordinator.Outcome)? = { _, _ in + _ = await delegatedCounter.increment() + return .attemptedSucceeded + } + let loadCredsOverride: (@Sendable ( + [String: String], + Bool, + Bool) async throws -> ClaudeOAuthCredentials)? = { _, _, _ in + _ = await loadCounter.increment() + throw ClaudeOAuthCredentialsError.refreshDelegatedToClaudeCLI + } + + do { + _ = try await ClaudeOAuthKeychainPromptPreference.withTaskOverrideForTesting(.onlyOnUserAction) { + try await ProviderInteractionContext.$current.withValue(.background) { + try await ClaudeUsageFetcher.$delegatedRefreshAttemptOverride.withValue(delegatedOverride) { + try await ClaudeUsageFetcher.$loadOAuthCredentialsOverride.withValue(loadCredsOverride) { + try await fetcher.loadLatestUsage(model: "sonnet") + } + } + } + } + Issue.record("Expected delegated refresh to be suppressed in background") + } catch let error as ClaudeUsageError { + guard case let .oauthFailed(message) = error else { + Issue.record("Expected ClaudeUsageError.oauthFailed, got \(error)") + return + } + #expect(message.contains("background repair is suppressed")) + } catch { + Issue.record("Expected ClaudeUsageError, got \(error)") + } + + #expect(await loadCounter.current() == 1) + #expect(await delegatedCounter.current() == 0) } @Test From 345440526fc8560a9499363db0cb2cdf1938c814 Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Thu, 12 Feb 2026 16:33:15 +0530 Subject: [PATCH 038/131] Stabilize Claude OAuth keychain prompt policy tests --- .../ClaudeOAuth/ClaudeOAuthCredentials.swift | 3 +- ...uthCredentialsStorePromptPolicyTests.swift | 232 ++++++++++-------- .../ClaudeOAuthCredentialsStoreTests.swift | 45 ++-- ...deOAuthDelegatedRefreshRecoveryTests.swift | 2 +- ...eOAuthFetchStrategyAvailabilityTests.swift | 18 +- 5 files changed, 169 insertions(+), 131 deletions(-) diff --git a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials.swift b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials.swift index ee0de09eb..27cc6efe1 100644 --- a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials.swift +++ b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials.swift @@ -1123,7 +1123,8 @@ public enum ClaudeOAuthCredentialsStore { throw ClaudeOAuthCredentialsError.notFound } #if DEBUG - if let override = self.claudeKeychainDataOverride { return override } + if let store = taskClaudeKeychainOverrideStore, let override = store.data { return override } + if let override = taskClaudeKeychainDataOverride ?? self.claudeKeychainDataOverride { return override } #endif #if os(macOS) let candidates = self.claudeKeychainCandidatesWithoutPrompt() diff --git a/Tests/CodexBarTests/ClaudeOAuthCredentialsStorePromptPolicyTests.swift b/Tests/CodexBarTests/ClaudeOAuthCredentialsStorePromptPolicyTests.swift index 9706327e9..d015d4abc 100644 --- a/Tests/CodexBarTests/ClaudeOAuthCredentialsStorePromptPolicyTests.swift +++ b/Tests/CodexBarTests/ClaudeOAuthCredentialsStorePromptPolicyTests.swift @@ -36,8 +36,6 @@ struct ClaudeOAuthCredentialsStorePromptPolicyTests { ClaudeOAuthCredentialsStore.invalidateCache() ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() ClaudeOAuthCredentialsStore._resetClaudeKeychainChangeTrackingForTesting() - ClaudeOAuthCredentialsStore.setClaudeKeychainDataOverrideForTesting(nil) - ClaudeOAuthCredentialsStore.setClaudeKeychainFingerprintOverrideForTesting(nil) } let tempDir = FileManager.default.temporaryDirectory @@ -93,8 +91,6 @@ struct ClaudeOAuthCredentialsStorePromptPolicyTests { ClaudeOAuthCredentialsStore.invalidateCache() ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() ClaudeOAuthCredentialsStore._resetClaudeKeychainChangeTrackingForTesting() - ClaudeOAuthCredentialsStore.setClaudeKeychainDataOverrideForTesting(nil) - ClaudeOAuthCredentialsStore.setClaudeKeychainFingerprintOverrideForTesting(nil) } let tempDir = FileManager.default.temporaryDirectory @@ -132,133 +128,157 @@ struct ClaudeOAuthCredentialsStorePromptPolicyTests { @Test func doesNotShowPreAlertWhenClaudeKeychainReadableWithoutInteraction() throws { - KeychainCacheStore.setTestStoreForTesting(true) - defer { KeychainCacheStore.setTestStoreForTesting(false) } - - ClaudeOAuthCredentialsStore.invalidateCache() - ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() - defer { - ClaudeOAuthCredentialsStore.invalidateCache() - ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() - ClaudeOAuthCredentialsStore.setClaudeKeychainDataOverrideForTesting(nil) - KeychainPromptHandler.handler = nil - KeychainAccessPreflight.setCheckGenericPasswordOverrideForTesting(nil) - } + let service = "com.steipete.codexbar.cache.tests.\(UUID().uuidString)" + try KeychainCacheStore.withServiceOverrideForTesting(service) { + KeychainCacheStore.setTestStoreForTesting(true) + defer { KeychainCacheStore.setTestStoreForTesting(false) } - let tempDir = FileManager.default.temporaryDirectory - .appendingPathComponent(UUID().uuidString, isDirectory: true) - try FileManager.default.createDirectory(at: tempDir, withIntermediateDirectories: true) - let fileURL = tempDir.appendingPathComponent("credentials.json") - try ClaudeOAuthCredentialsStore.withCredentialsURLOverrideForTesting(fileURL) { - let keychainData = self.makeCredentialsData( - accessToken: "keychain-token", - expiresAt: Date(timeIntervalSinceNow: 3600)) - ClaudeOAuthCredentialsStore.setClaudeKeychainDataOverrideForTesting(keychainData) - - KeychainAccessPreflight.setCheckGenericPasswordOverrideForTesting { _, _ in - .allowed - } + try ClaudeOAuthCredentialsStore.withIsolatedMemoryCacheForTesting { + ClaudeOAuthCredentialsStore.invalidateCache() + ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() + defer { + ClaudeOAuthCredentialsStore.invalidateCache() + ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() + KeychainPromptHandler.handler = nil + KeychainAccessPreflight.setCheckGenericPasswordOverrideForTesting(nil) + } - var preAlertHits = 0 - KeychainPromptHandler.handler = { _ in - preAlertHits += 1 - } + let tempDir = FileManager.default.temporaryDirectory + .appendingPathComponent(UUID().uuidString, isDirectory: true) + try FileManager.default.createDirectory(at: tempDir, withIntermediateDirectories: true) + let fileURL = tempDir.appendingPathComponent("credentials.json") + try ClaudeOAuthCredentialsStore.withCredentialsURLOverrideForTesting(fileURL) { + let keychainData = self.makeCredentialsData( + accessToken: "keychain-token", + expiresAt: Date(timeIntervalSinceNow: 3600)) + + KeychainAccessPreflight.setCheckGenericPasswordOverrideForTesting { _, _ in + .allowed + } - let creds = try ClaudeOAuthKeychainPromptPreference.withTaskOverrideForTesting(.onlyOnUserAction) { - try ProviderInteractionContext.$current.withValue(.userInitiated) { - try ClaudeOAuthCredentialsStore.load(environment: [:], allowKeychainPrompt: true) + var preAlertHits = 0 + KeychainPromptHandler.handler = { _ in + preAlertHits += 1 + } + + let creds = try ClaudeOAuthKeychainPromptPreference.withTaskOverrideForTesting(.onlyOnUserAction) { + try ProviderInteractionContext.$current.withValue(.userInitiated) { + try ClaudeOAuthCredentialsStore.withClaudeKeychainOverridesForTesting( + data: keychainData, + fingerprint: nil) + { + try ClaudeOAuthCredentialsStore.load(environment: [:], allowKeychainPrompt: true) + } + } + } + #expect(creds.accessToken == "keychain-token") + #expect(preAlertHits == 0) } } - #expect(creds.accessToken == "keychain-token") - #expect(preAlertHits == 0) } } @Test func showsPreAlertWhenClaudeKeychainLikelyRequiresInteraction() throws { - KeychainCacheStore.setTestStoreForTesting(true) - defer { KeychainCacheStore.setTestStoreForTesting(false) } - - ClaudeOAuthCredentialsStore.invalidateCache() - ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() - defer { - ClaudeOAuthCredentialsStore.invalidateCache() - ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() - ClaudeOAuthCredentialsStore.setClaudeKeychainDataOverrideForTesting(nil) - KeychainPromptHandler.handler = nil - KeychainAccessPreflight.setCheckGenericPasswordOverrideForTesting(nil) - } + let service = "com.steipete.codexbar.cache.tests.\(UUID().uuidString)" + try KeychainCacheStore.withServiceOverrideForTesting(service) { + KeychainCacheStore.setTestStoreForTesting(true) + defer { KeychainCacheStore.setTestStoreForTesting(false) } - let tempDir = FileManager.default.temporaryDirectory - .appendingPathComponent(UUID().uuidString, isDirectory: true) - try FileManager.default.createDirectory(at: tempDir, withIntermediateDirectories: true) - let fileURL = tempDir.appendingPathComponent("credentials.json") - try ClaudeOAuthCredentialsStore.withCredentialsURLOverrideForTesting(fileURL) { - let keychainData = self.makeCredentialsData( - accessToken: "keychain-token", - expiresAt: Date(timeIntervalSinceNow: 3600)) - ClaudeOAuthCredentialsStore.setClaudeKeychainDataOverrideForTesting(keychainData) - - KeychainAccessPreflight.setCheckGenericPasswordOverrideForTesting { _, _ in - .interactionRequired - } + try ClaudeOAuthCredentialsStore.withIsolatedMemoryCacheForTesting { + ClaudeOAuthCredentialsStore.invalidateCache() + ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() + defer { + ClaudeOAuthCredentialsStore.invalidateCache() + ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() + KeychainPromptHandler.handler = nil + KeychainAccessPreflight.setCheckGenericPasswordOverrideForTesting(nil) + } - var preAlertHits = 0 - KeychainPromptHandler.handler = { _ in - preAlertHits += 1 - } + let tempDir = FileManager.default.temporaryDirectory + .appendingPathComponent(UUID().uuidString, isDirectory: true) + try FileManager.default.createDirectory(at: tempDir, withIntermediateDirectories: true) + let fileURL = tempDir.appendingPathComponent("credentials.json") + try ClaudeOAuthCredentialsStore.withCredentialsURLOverrideForTesting(fileURL) { + let keychainData = self.makeCredentialsData( + accessToken: "keychain-token", + expiresAt: Date(timeIntervalSinceNow: 3600)) + + KeychainAccessPreflight.setCheckGenericPasswordOverrideForTesting { _, _ in + .interactionRequired + } + + var preAlertHits = 0 + KeychainPromptHandler.handler = { _ in + preAlertHits += 1 + } - let creds = try ClaudeOAuthKeychainPromptPreference.withTaskOverrideForTesting(.onlyOnUserAction) { - try ProviderInteractionContext.$current.withValue(.userInitiated) { - try ClaudeOAuthCredentialsStore.load(environment: [:], allowKeychainPrompt: true) + let creds = try ClaudeOAuthKeychainPromptPreference.withTaskOverrideForTesting(.onlyOnUserAction) { + try ProviderInteractionContext.$current.withValue(.userInitiated) { + try ClaudeOAuthCredentialsStore.withClaudeKeychainOverridesForTesting( + data: keychainData, + fingerprint: nil) + { + try ClaudeOAuthCredentialsStore.load(environment: [:], allowKeychainPrompt: true) + } + } + } + #expect(creds.accessToken == "keychain-token") + #expect(preAlertHits == 1) } } - #expect(creds.accessToken == "keychain-token") - #expect(preAlertHits == 1) } } @Test func showsPreAlertWhenClaudeKeychainPreflightFails() throws { - KeychainCacheStore.setTestStoreForTesting(true) - defer { KeychainCacheStore.setTestStoreForTesting(false) } - - ClaudeOAuthCredentialsStore.invalidateCache() - ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() - defer { - ClaudeOAuthCredentialsStore.invalidateCache() - ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() - ClaudeOAuthCredentialsStore.setClaudeKeychainDataOverrideForTesting(nil) - KeychainPromptHandler.handler = nil - KeychainAccessPreflight.setCheckGenericPasswordOverrideForTesting(nil) - } + let service = "com.steipete.codexbar.cache.tests.\(UUID().uuidString)" + try KeychainCacheStore.withServiceOverrideForTesting(service) { + KeychainCacheStore.setTestStoreForTesting(true) + defer { KeychainCacheStore.setTestStoreForTesting(false) } - let tempDir = FileManager.default.temporaryDirectory - .appendingPathComponent(UUID().uuidString, isDirectory: true) - try FileManager.default.createDirectory(at: tempDir, withIntermediateDirectories: true) - let fileURL = tempDir.appendingPathComponent("credentials.json") - try ClaudeOAuthCredentialsStore.withCredentialsURLOverrideForTesting(fileURL) { - let keychainData = self.makeCredentialsData( - accessToken: "keychain-token", - expiresAt: Date(timeIntervalSinceNow: 3600)) - ClaudeOAuthCredentialsStore.setClaudeKeychainDataOverrideForTesting(keychainData) - - KeychainAccessPreflight.setCheckGenericPasswordOverrideForTesting { _, _ in - .failure(-1) - } + try ClaudeOAuthCredentialsStore.withIsolatedMemoryCacheForTesting { + ClaudeOAuthCredentialsStore.invalidateCache() + ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() + defer { + ClaudeOAuthCredentialsStore.invalidateCache() + ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() + KeychainPromptHandler.handler = nil + KeychainAccessPreflight.setCheckGenericPasswordOverrideForTesting(nil) + } - var preAlertHits = 0 - KeychainPromptHandler.handler = { _ in - preAlertHits += 1 - } + let tempDir = FileManager.default.temporaryDirectory + .appendingPathComponent(UUID().uuidString, isDirectory: true) + try FileManager.default.createDirectory(at: tempDir, withIntermediateDirectories: true) + let fileURL = tempDir.appendingPathComponent("credentials.json") + try ClaudeOAuthCredentialsStore.withCredentialsURLOverrideForTesting(fileURL) { + let keychainData = self.makeCredentialsData( + accessToken: "keychain-token", + expiresAt: Date(timeIntervalSinceNow: 3600)) + + KeychainAccessPreflight.setCheckGenericPasswordOverrideForTesting { _, _ in + .failure(-1) + } + + var preAlertHits = 0 + KeychainPromptHandler.handler = { _ in + preAlertHits += 1 + } - let creds = try ClaudeOAuthKeychainPromptPreference.withTaskOverrideForTesting(.onlyOnUserAction) { - try ProviderInteractionContext.$current.withValue(.userInitiated) { - try ClaudeOAuthCredentialsStore.load(environment: [:], allowKeychainPrompt: true) + let creds = try ClaudeOAuthKeychainPromptPreference.withTaskOverrideForTesting(.onlyOnUserAction) { + try ProviderInteractionContext.$current.withValue(.userInitiated) { + try ClaudeOAuthCredentialsStore.withClaudeKeychainOverridesForTesting( + data: keychainData, + fingerprint: nil) + { + try ClaudeOAuthCredentialsStore.load(environment: [:], allowKeychainPrompt: true) + } + } + } + #expect(creds.accessToken == "keychain-token") + #expect(preAlertHits == 1) } } - #expect(creds.accessToken == "keychain-token") - #expect(preAlertHits == 1) } } } diff --git a/Tests/CodexBarTests/ClaudeOAuthCredentialsStoreTests.swift b/Tests/CodexBarTests/ClaudeOAuthCredentialsStoreTests.swift index 566f83b81..8ecb2bc0c 100644 --- a/Tests/CodexBarTests/ClaudeOAuthCredentialsStoreTests.swift +++ b/Tests/CodexBarTests/ClaudeOAuthCredentialsStoreTests.swift @@ -164,31 +164,36 @@ struct ClaudeOAuthCredentialsStoreTests { @Test func returnsExpiredFileWhenNoOtherSources() throws { - try KeychainAccessGate.withTaskOverrideForTesting(true) { - KeychainCacheStore.setTestStoreForTesting(true) - defer { KeychainCacheStore.setTestStoreForTesting(false) } + let service = "com.steipete.codexbar.cache.tests.\(UUID().uuidString)" + try KeychainCacheStore.withServiceOverrideForTesting(service) { + try KeychainAccessGate.withTaskOverrideForTesting(true) { + KeychainCacheStore.setTestStoreForTesting(true) + defer { KeychainCacheStore.setTestStoreForTesting(false) } - ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() - defer { ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() } + try ClaudeOAuthCredentialsStore.withIsolatedMemoryCacheForTesting { + ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() + defer { ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() } - let tempDir = FileManager.default.temporaryDirectory - .appendingPathComponent(UUID().uuidString, isDirectory: true) - try FileManager.default.createDirectory(at: tempDir, withIntermediateDirectories: true) - let fileURL = tempDir.appendingPathComponent("credentials.json") - try ClaudeOAuthCredentialsStore.withCredentialsURLOverrideForTesting(fileURL) { - let expiredData = self.makeCredentialsData( - accessToken: "expired-only", - expiresAt: Date(timeIntervalSinceNow: -3600)) - try expiredData.write(to: fileURL) + let tempDir = FileManager.default.temporaryDirectory + .appendingPathComponent(UUID().uuidString, isDirectory: true) + try FileManager.default.createDirectory(at: tempDir, withIntermediateDirectories: true) + let fileURL = tempDir.appendingPathComponent("credentials.json") + try ClaudeOAuthCredentialsStore.withCredentialsURLOverrideForTesting(fileURL) { + let expiredData = self.makeCredentialsData( + accessToken: "expired-only", + expiresAt: Date(timeIntervalSinceNow: -3600)) + try expiredData.write(to: fileURL) - ClaudeOAuthCredentialsStore.setKeychainAccessOverrideForTesting(true) - defer { ClaudeOAuthCredentialsStore.setKeychainAccessOverrideForTesting(nil) } + ClaudeOAuthCredentialsStore.setKeychainAccessOverrideForTesting(true) + defer { ClaudeOAuthCredentialsStore.setKeychainAccessOverrideForTesting(nil) } - ClaudeOAuthCredentialsStore.invalidateCache() - let creds = try ClaudeOAuthCredentialsStore.load(environment: [:]) + ClaudeOAuthCredentialsStore.invalidateCache() + let creds = try ClaudeOAuthCredentialsStore.load(environment: [:]) - #expect(creds.accessToken == "expired-only") - #expect(creds.isExpired == true) + #expect(creds.accessToken == "expired-only") + #expect(creds.isExpired == true) + } + } } } } diff --git a/Tests/CodexBarTests/ClaudeOAuthDelegatedRefreshRecoveryTests.swift b/Tests/CodexBarTests/ClaudeOAuthDelegatedRefreshRecoveryTests.swift index 2e81cbe88..1068561db 100644 --- a/Tests/CodexBarTests/ClaudeOAuthDelegatedRefreshRecoveryTests.swift +++ b/Tests/CodexBarTests/ClaudeOAuthDelegatedRefreshRecoveryTests.swift @@ -228,7 +228,7 @@ struct ClaudeOAuthDelegatedRefreshRecoveryTests { } let snapshot = try await ClaudeOAuthKeychainPromptPreference - .withTaskOverrideForTesting(.onlyOnUserAction) { + .withTaskOverrideForTesting(.always) { try await ProviderInteractionContext.$current.withValue(.userInitiated) { try await ClaudeOAuthCredentialsStore .withMutableClaudeKeychainOverrideStoreForTesting( diff --git a/Tests/CodexBarTests/ClaudeOAuthFetchStrategyAvailabilityTests.swift b/Tests/CodexBarTests/ClaudeOAuthFetchStrategyAvailabilityTests.swift index 23730c4a2..266a7f9ed 100644 --- a/Tests/CodexBarTests/ClaudeOAuthFetchStrategyAvailabilityTests.swift +++ b/Tests/CodexBarTests/ClaudeOAuthFetchStrategyAvailabilityTests.swift @@ -121,6 +121,15 @@ struct ClaudeOAuthFetchStrategyAvailabilityTests { func autoMode_userInitiated_clearsKeychainCooldownGate() async { let context = self.makeContext(sourceMode: .auto) let strategy = ClaudeOAuthFetchStrategy() + let recordWithoutRequiredScope = ClaudeOAuthCredentialRecord( + credentials: ClaudeOAuthCredentials( + accessToken: "expired-token", + refreshToken: "refresh-token", + expiresAt: Date(timeIntervalSinceNow: -60), + scopes: ["user:inference"], + rateLimitTier: nil), + owner: .claudeCLI, + source: .cacheKeychain) await KeychainAccessGate.withTaskOverrideForTesting(false) { ClaudeOAuthKeychainAccessGate.resetForTesting() @@ -130,9 +139,12 @@ struct ClaudeOAuthFetchStrategyAvailabilityTests { ClaudeOAuthKeychainAccessGate.recordDenied(now: now) #expect(ClaudeOAuthKeychainAccessGate.shouldAllowPrompt(now: now) == false) - _ = await ProviderInteractionContext.$current.withValue(.userInitiated) { - await strategy.isAvailable(context) - } + _ = await ClaudeOAuthFetchStrategy.$nonInteractiveCredentialRecordOverride + .withValue(recordWithoutRequiredScope) { + await ProviderInteractionContext.$current.withValue(.userInitiated) { + await strategy.isAvailable(context) + } + } #expect(ClaudeOAuthKeychainAccessGate.shouldAllowPrompt(now: now)) } From d761ade9cd28c0c205fcc924464edaa0adcc3785 Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Thu, 12 Feb 2026 23:13:45 +0530 Subject: [PATCH 039/131] Allow CLI OAuth delegated refresh in background --- .../Claude/ClaudeProviderDescriptor.swift | 1 + .../Providers/Claude/ClaudeUsageFetcher.swift | 13 +++- Tests/CodexBarTests/ClaudeUsageTests.swift | 60 +++++++++++++++++++ 3 files changed, 71 insertions(+), 3 deletions(-) diff --git a/Sources/CodexBarCore/Providers/Claude/ClaudeProviderDescriptor.swift b/Sources/CodexBarCore/Providers/Claude/ClaudeProviderDescriptor.swift index 8bbeff2bc..384dbc4e7 100644 --- a/Sources/CodexBarCore/Providers/Claude/ClaudeProviderDescriptor.swift +++ b/Sources/CodexBarCore/Providers/Claude/ClaudeProviderDescriptor.swift @@ -211,6 +211,7 @@ struct ClaudeOAuthFetchStrategy: ProviderFetchStrategy { environment: context.env, dataSource: .oauth, oauthKeychainPromptCooldownEnabled: context.sourceMode == .auto, + allowBackgroundDelegatedRefresh: context.runtime == .cli, useWebExtras: false) let usage = try await fetcher.loadLatestUsage(model: "sonnet") return self.makeResult( diff --git a/Sources/CodexBarCore/Providers/Claude/ClaudeUsageFetcher.swift b/Sources/CodexBarCore/Providers/Claude/ClaudeUsageFetcher.swift index 5fbb9f114..97a45b76e 100644 --- a/Sources/CodexBarCore/Providers/Claude/ClaudeUsageFetcher.swift +++ b/Sources/CodexBarCore/Providers/Claude/ClaudeUsageFetcher.swift @@ -61,6 +61,7 @@ public struct ClaudeUsageFetcher: ClaudeUsageFetching, Sendable { private let environment: [String: String] private let dataSource: ClaudeUsageDataSource private let oauthKeychainPromptCooldownEnabled: Bool + private let allowBackgroundDelegatedRefresh: Bool private let useWebExtras: Bool private let manualCookieHeader: String? private let keepCLISessionsAlive: Bool @@ -111,10 +112,12 @@ public struct ClaudeUsageFetcher: ClaudeUsageFetching, Sendable { } private static func assertDelegatedRefreshAllowedInCurrentInteraction( - policy: ClaudeOAuthKeychainPromptPolicy) throws + policy: ClaudeOAuthKeychainPromptPolicy, + allowBackgroundDelegatedRefresh: Bool) throws { if policy.mode == .onlyOnUserAction, - policy.interaction != .userInitiated + policy.interaction != .userInitiated, + !allowBackgroundDelegatedRefresh { throw ClaudeUsageError.oauthFailed( "Claude OAuth token expired, but background repair is suppressed when Keychain prompt policy " @@ -143,6 +146,7 @@ public struct ClaudeUsageFetcher: ClaudeUsageFetching, Sendable { environment: [String: String] = ProcessInfo.processInfo.environment, dataSource: ClaudeUsageDataSource = .oauth, oauthKeychainPromptCooldownEnabled: Bool = false, + allowBackgroundDelegatedRefresh: Bool = false, useWebExtras: Bool = false, manualCookieHeader: String? = nil, keepCLISessionsAlive: Bool = false) @@ -151,6 +155,7 @@ public struct ClaudeUsageFetcher: ClaudeUsageFetching, Sendable { self.environment = environment self.dataSource = dataSource self.oauthKeychainPromptCooldownEnabled = oauthKeychainPromptCooldownEnabled + self.allowBackgroundDelegatedRefresh = allowBackgroundDelegatedRefresh self.useWebExtras = useWebExtras self.manualCookieHeader = manualCookieHeader self.keepCLISessionsAlive = keepCLISessionsAlive @@ -396,7 +401,9 @@ public struct ClaudeUsageFetcher: ClaudeUsageFetching, Sendable { try Task.checkCancellation() let delegatedPromptPolicy = Self.currentClaudeOAuthKeychainPromptPolicy() - try Self.assertDelegatedRefreshAllowedInCurrentInteraction(policy: delegatedPromptPolicy) + try Self.assertDelegatedRefreshAllowedInCurrentInteraction( + policy: delegatedPromptPolicy, + allowBackgroundDelegatedRefresh: self.allowBackgroundDelegatedRefresh) let delegatedOutcome = await Self.attemptDelegatedRefresh() Self.log.info( diff --git a/Tests/CodexBarTests/ClaudeUsageTests.swift b/Tests/CodexBarTests/ClaudeUsageTests.swift index 4fae8fbad..446f9ed50 100644 --- a/Tests/CodexBarTests/ClaudeUsageTests.swift +++ b/Tests/CodexBarTests/ClaudeUsageTests.swift @@ -323,6 +323,66 @@ struct ClaudeUsageTests { #expect(await delegatedCounter.current() == 0) } + @Test + func oauthDelegatedRetry_onlyOnUserAction_background_allowsDelegationForCLI() async throws { + let loadCounter = AsyncCounter() + let delegatedCounter = AsyncCounter() + let usageResponse = try Self.makeOAuthUsageResponse() + + final class FlagBox: @unchecked Sendable { + var allowKeychainPromptFlags: [Bool] = [] + } + let flags = FlagBox() + + let fetcher = ClaudeUsageFetcher( + browserDetection: BrowserDetection(cacheTTL: 0), + environment: [:], + dataSource: .oauth, + oauthKeychainPromptCooldownEnabled: false, + allowBackgroundDelegatedRefresh: true) + + let fetchOverride: (@Sendable (String) async throws -> OAuthUsageResponse)? = { _ in usageResponse } + let delegatedOverride: (@Sendable ( + Date, + TimeInterval) async -> ClaudeOAuthDelegatedRefreshCoordinator.Outcome)? = { _, _ in + _ = await delegatedCounter.increment() + return .attemptedSucceeded + } + let loadCredsOverride: (@Sendable ( + [String: String], + Bool, + Bool) async throws -> ClaudeOAuthCredentials)? = { _, allowKeychainPrompt, _ in + flags.allowKeychainPromptFlags.append(allowKeychainPrompt) + let call = await loadCounter.increment() + if call == 1 { + throw ClaudeOAuthCredentialsError.refreshDelegatedToClaudeCLI + } + return ClaudeOAuthCredentials( + accessToken: "fresh-token", + refreshToken: "refresh-token", + expiresAt: Date(timeIntervalSinceNow: 3600), + scopes: ["user:profile"], + rateLimitTier: nil) + } + + let snapshot = try await ClaudeOAuthKeychainPromptPreference.withTaskOverrideForTesting(.onlyOnUserAction) { + try await ProviderInteractionContext.$current.withValue(.background) { + try await ClaudeUsageFetcher.$fetchOAuthUsageOverride.withValue(fetchOverride) { + try await ClaudeUsageFetcher.$delegatedRefreshAttemptOverride.withValue(delegatedOverride) { + try await ClaudeUsageFetcher.$loadOAuthCredentialsOverride.withValue(loadCredsOverride) { + try await fetcher.loadLatestUsage(model: "sonnet") + } + } + } + } + } + + #expect(await loadCounter.current() == 2) + #expect(await delegatedCounter.current() == 1) + #expect(snapshot.primary.usedPercent == 7) + #expect(flags.allowKeychainPromptFlags.allSatisfy { !$0 }) + } + @Test func parsesUsageJSONWhenWeeklyMissing() { let json = """ From 63a3810b0c7e9e422ed4464cb25ecc2172d36d2e Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Thu, 12 Feb 2026 23:44:33 +0530 Subject: [PATCH 040/131] Allow startup OAuth keychain bootstrap when cache is empty --- Sources/CodexBar/UsageStore.swift | 44 +++++++----- .../ClaudeOAuth/ClaudeOAuthCredentials.swift | 9 ++- .../Claude/ClaudeProviderDescriptor.swift | 12 ++++ .../Providers/Claude/ClaudeUsageFetcher.swift | 67 +++++++++++++++---- .../ProviderInteractionContext.swift | 9 +++ ...eOAuthFetchStrategyAvailabilityTests.swift | 40 +++++++++++ Tests/CodexBarTests/ClaudeUsageTests.swift | 47 +++++++++++++ 7 files changed, 191 insertions(+), 37 deletions(-) diff --git a/Sources/CodexBar/UsageStore.swift b/Sources/CodexBar/UsageStore.swift index abba50993..0167276d7 100644 --- a/Sources/CodexBar/UsageStore.swift +++ b/Sources/CodexBar/UsageStore.swift @@ -193,6 +193,7 @@ final class UsageStore { @ObservationIgnored private var pathDebugRefreshTask: Task? @ObservationIgnored var lastKnownSessionRemaining: [UsageProvider: Double] = [:] @ObservationIgnored var lastTokenFetchAt: [UsageProvider: Date] = [:] + @ObservationIgnored private var hasCompletedInitialRefresh: Bool = false @ObservationIgnored private let tokenFetchTTL: TimeInterval = 60 * 60 @ObservationIgnored private let tokenFetchTimeout: TimeInterval = 10 * 60 @@ -432,30 +433,37 @@ final class UsageStore { func refresh(forceTokenUsage: Bool = false) async { guard !self.isRefreshing else { return } - self.isRefreshing = true - defer { self.isRefreshing = false } + let refreshPhase: ProviderRefreshPhase = self.hasCompletedInitialRefresh ? .regular : .startup - await withTaskGroup(of: Void.self) { group in - for provider in UsageProvider.allCases { - group.addTask { await self.refreshProvider(provider) } - group.addTask { await self.refreshStatus(provider) } + await ProviderRefreshContext.$current.withValue(refreshPhase) { + self.isRefreshing = true + defer { + self.isRefreshing = false + self.hasCompletedInitialRefresh = true } - group.addTask { await self.refreshCreditsIfNeeded() } - } - // Token-cost usage can be slow; run it outside the refresh group so we don't block menu updates. - self.scheduleTokenRefresh(force: forceTokenUsage) + await withTaskGroup(of: Void.self) { group in + for provider in UsageProvider.allCases { + group.addTask { await self.refreshProvider(provider) } + group.addTask { await self.refreshStatus(provider) } + } + group.addTask { await self.refreshCreditsIfNeeded() } + } - // OpenAI web scrape depends on the current Codex account email (which can change after login/account switch). - // Run this after Codex usage refresh so we don't accidentally scrape with stale credentials. - await self.refreshOpenAIDashboardIfNeeded(force: forceTokenUsage) + // Token-cost usage can be slow; run it outside the refresh group so we don't block menu updates. + self.scheduleTokenRefresh(force: forceTokenUsage) - if self.openAIDashboardRequiresLogin { - await self.refreshProvider(.codex) - await self.refreshCreditsIfNeeded() - } + // OpenAI web scrape depends on the current Codex account email (which can change after login/account + // switch). Run this after Codex usage refresh so we don't accidentally scrape with stale credentials. + await self.refreshOpenAIDashboardIfNeeded(force: forceTokenUsage) + + if self.openAIDashboardRequiresLogin { + await self.refreshProvider(.codex) + await self.refreshCreditsIfNeeded() + } - self.persistWidgetSnapshot(reason: "refresh") + self.persistWidgetSnapshot(reason: "refresh") + } } /// For demo/testing: drop the snapshot so the loading animation plays, then restore the last snapshot. diff --git a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials.swift b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials.swift index 27cc6efe1..701011a2c 100644 --- a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials.swift +++ b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials.swift @@ -313,6 +313,7 @@ public enum ClaudeOAuthCredentialsStore { #if DEBUG @TaskLocal private static var taskCredentialsURLOverride: URL? #endif + @TaskLocal static var allowBackgroundPromptBootstrap: Bool = false // In-memory cache (nonisolated for synchronous access) private static let memoryCacheLock = NSLock() private nonisolated(unsafe) static var cachedCredentialRecord: ClaudeOAuthCredentialRecord? @@ -1453,12 +1454,10 @@ public enum ClaudeOAuthCredentialsStore { { guard self.keychainAccessAllowed else { return false } switch mode { - case .never: - return false + case .never: return false case .onlyOnUserAction: - return ProviderInteractionContext.current == .userInitiated - case .always: - return true + return ProviderInteractionContext.current == .userInitiated || self.allowBackgroundPromptBootstrap + case .always: return true } } diff --git a/Sources/CodexBarCore/Providers/Claude/ClaudeProviderDescriptor.swift b/Sources/CodexBarCore/Providers/Claude/ClaudeProviderDescriptor.swift index 384dbc4e7..83b306a3f 100644 --- a/Sources/CodexBarCore/Providers/Claude/ClaudeProviderDescriptor.swift +++ b/Sources/CodexBarCore/Providers/Claude/ClaudeProviderDescriptor.swift @@ -201,6 +201,16 @@ struct ClaudeOAuthFetchStrategy: ProviderFetchStrategy { if ProviderInteractionContext.current == .userInitiated { _ = ClaudeOAuthKeychainAccessGate.clearDenied() } + + let shouldAllowStartupBootstrap = context.runtime == .app && + ProviderRefreshContext.current == .startup && + ProviderInteractionContext.current == .background && + ClaudeOAuthKeychainPromptPreference.current() == .onlyOnUserAction && + !ClaudeOAuthCredentialsStore.hasCachedCredentials(environment: context.env) + if shouldAllowStartupBootstrap { + return ClaudeOAuthKeychainAccessGate.shouldAllowPrompt() + } + guard ClaudeOAuthKeychainAccessGate.shouldAllowPrompt() else { return false } return ClaudeOAuthCredentialsStore.hasClaudeKeychainCredentialsWithoutPrompt() } @@ -212,6 +222,8 @@ struct ClaudeOAuthFetchStrategy: ProviderFetchStrategy { dataSource: .oauth, oauthKeychainPromptCooldownEnabled: context.sourceMode == .auto, allowBackgroundDelegatedRefresh: context.runtime == .cli, + allowStartupBootstrapPrompt: context.runtime == .app && + (context.sourceMode == .auto || context.sourceMode == .oauth), useWebExtras: false) let usage = try await fetcher.loadLatestUsage(model: "sonnet") return self.makeResult( diff --git a/Sources/CodexBarCore/Providers/Claude/ClaudeUsageFetcher.swift b/Sources/CodexBarCore/Providers/Claude/ClaudeUsageFetcher.swift index 97a45b76e..45c0d44d0 100644 --- a/Sources/CodexBarCore/Providers/Claude/ClaudeUsageFetcher.swift +++ b/Sources/CodexBarCore/Providers/Claude/ClaudeUsageFetcher.swift @@ -62,6 +62,7 @@ public struct ClaudeUsageFetcher: ClaudeUsageFetching, Sendable { private let dataSource: ClaudeUsageDataSource private let oauthKeychainPromptCooldownEnabled: Bool private let allowBackgroundDelegatedRefresh: Bool + private let allowStartupBootstrapPrompt: Bool private let useWebExtras: Bool private let manualCookieHeader: String? private let keepCLISessionsAlive: Bool @@ -134,6 +135,7 @@ public struct ClaudeUsageFetcher: ClaudeUsageFetching, Sendable { @TaskLocal static var delegatedRefreshAttemptOverride: (@Sendable ( Date, TimeInterval) async -> ClaudeOAuthDelegatedRefreshCoordinator.Outcome)? + @TaskLocal static var hasCachedCredentialsOverride: Bool? #endif /// Creates a new ClaudeUsageFetcher. @@ -147,6 +149,7 @@ public struct ClaudeUsageFetcher: ClaudeUsageFetching, Sendable { dataSource: ClaudeUsageDataSource = .oauth, oauthKeychainPromptCooldownEnabled: Bool = false, allowBackgroundDelegatedRefresh: Bool = false, + allowStartupBootstrapPrompt: Bool = false, useWebExtras: Bool = false, manualCookieHeader: String? = nil, keepCLISessionsAlive: Bool = false) @@ -156,6 +159,7 @@ public struct ClaudeUsageFetcher: ClaudeUsageFetching, Sendable { self.dataSource = dataSource self.oauthKeychainPromptCooldownEnabled = oauthKeychainPromptCooldownEnabled self.allowBackgroundDelegatedRefresh = allowBackgroundDelegatedRefresh + self.allowStartupBootstrapPrompt = allowStartupBootstrapPrompt self.useWebExtras = useWebExtras self.manualCookieHeader = manualCookieHeader self.keepCLISessionsAlive = keepCLISessionsAlive @@ -352,32 +356,67 @@ public struct ClaudeUsageFetcher: ClaudeUsageFetching, Sendable { // MARK: - OAuth API path + private func shouldAllowStartupBootstrapPrompt( + policy: ClaudeOAuthKeychainPromptPolicy, + hasCache: Bool) -> Bool + { + guard self.allowStartupBootstrapPrompt else { return false } + guard !hasCache else { return false } + guard policy.mode == .onlyOnUserAction else { return false } + guard policy.interaction == .background else { return false } + return ProviderRefreshContext.current == .startup + } + + private static func logOAuthBootstrapPromptDecision( + allowKeychainPrompt: Bool, + policy: ClaudeOAuthKeychainPromptPolicy, + hasCache: Bool, + startupBootstrapOverride: Bool) + { + guard allowKeychainPrompt else { return } + self.log.info( + "Claude OAuth keychain prompt allowed (bootstrap)", + metadata: [ + "interaction": policy.interactionLabel, + "promptMode": policy.mode.rawValue, + "hasCache": "\(hasCache)", + "startupBootstrapOverride": "\(startupBootstrapOverride)", + ]) + } + private func loadViaOAuth(allowDelegatedRetry: Bool) async throws -> ClaudeUsageSnapshot { do { let promptPolicy = Self.currentClaudeOAuthKeychainPromptPolicy() // Allow keychain prompt when no cached credentials exist (bootstrap case) + #if DEBUG + let hasCache = Self.hasCachedCredentialsOverride + ?? ClaudeOAuthCredentialsStore.hasCachedCredentials(environment: self.environment) + #else let hasCache = ClaudeOAuthCredentialsStore.hasCachedCredentials(environment: self.environment) + #endif + let startupBootstrapOverride = self.shouldAllowStartupBootstrapPrompt( + policy: promptPolicy, + hasCache: hasCache) // Note: `hasCachedCredentials` intentionally returns true for expired Claude-CLI-owned creds, because the // repair path is delegated refresh via Claude CLI (followed by a silent re-sync) rather than immediately // prompting on the initial load. - let allowKeychainPrompt = promptPolicy.canPromptNow && !hasCache - if allowKeychainPrompt { - Self.log.info( - "Claude OAuth keychain prompt allowed (bootstrap)", - metadata: [ - "interaction": promptPolicy.interactionLabel, - "promptMode": promptPolicy.mode.rawValue, - "hasCache": "\(hasCache)", - ]) - } + let allowKeychainPrompt = (promptPolicy.canPromptNow || startupBootstrapOverride) && !hasCache + Self.logOAuthBootstrapPromptDecision( + allowKeychainPrompt: allowKeychainPrompt, + policy: promptPolicy, + hasCache: hasCache, + startupBootstrapOverride: startupBootstrapOverride) // Ownership-aware credential loading: // - Claude CLI-owned credentials delegate refresh to Claude CLI. // - CodexBar-owned credentials use direct token-endpoint refresh. - let creds = try await Self.loadOAuthCredentials( - environment: self.environment, - allowKeychainPrompt: allowKeychainPrompt, - respectKeychainPromptCooldown: promptPolicy.shouldRespectKeychainPromptCooldown) + let creds = try await ClaudeOAuthCredentialsStore.$allowBackgroundPromptBootstrap + .withValue(startupBootstrapOverride) { + try await Self.loadOAuthCredentials( + environment: self.environment, + allowKeychainPrompt: allowKeychainPrompt, + respectKeychainPromptCooldown: promptPolicy.shouldRespectKeychainPromptCooldown) + } // The usage endpoint requires user:profile scope. if !creds.scopes.contains("user:profile") { throw ClaudeUsageError.oauthFailed( diff --git a/Sources/CodexBarCore/Providers/ProviderInteractionContext.swift b/Sources/CodexBarCore/Providers/ProviderInteractionContext.swift index 9d0c23e51..448344951 100644 --- a/Sources/CodexBarCore/Providers/ProviderInteractionContext.swift +++ b/Sources/CodexBarCore/Providers/ProviderInteractionContext.swift @@ -8,3 +8,12 @@ public enum ProviderInteraction: Sendable, Equatable { public enum ProviderInteractionContext { @TaskLocal public static var current: ProviderInteraction = .background } + +public enum ProviderRefreshPhase: Sendable, Equatable { + case regular + case startup +} + +public enum ProviderRefreshContext { + @TaskLocal public static var current: ProviderRefreshPhase = .regular +} diff --git a/Tests/CodexBarTests/ClaudeOAuthFetchStrategyAvailabilityTests.swift b/Tests/CodexBarTests/ClaudeOAuthFetchStrategyAvailabilityTests.swift index 266a7f9ed..1953257b2 100644 --- a/Tests/CodexBarTests/ClaudeOAuthFetchStrategyAvailabilityTests.swift +++ b/Tests/CodexBarTests/ClaudeOAuthFetchStrategyAvailabilityTests.swift @@ -149,5 +149,45 @@ struct ClaudeOAuthFetchStrategyAvailabilityTests { #expect(ClaudeOAuthKeychainAccessGate.shouldAllowPrompt(now: now)) } } + + @Test + func autoMode_onlyOnUserAction_background_startup_withoutCache_isAvailableForBootstrap() async throws { + let context = self.makeContext(sourceMode: .auto) + let strategy = ClaudeOAuthFetchStrategy() + let service = "com.steipete.codexbar.cache.tests.\(UUID().uuidString)" + + try await KeychainCacheStore.withServiceOverrideForTesting(service) { + KeychainCacheStore.setTestStoreForTesting(true) + defer { KeychainCacheStore.setTestStoreForTesting(false) } + + try await ClaudeOAuthCredentialsStore.withIsolatedMemoryCacheForTesting { + ClaudeOAuthCredentialsStore.invalidateCache() + ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() + ClaudeOAuthKeychainAccessGate.resetForTesting() + defer { + ClaudeOAuthCredentialsStore.invalidateCache() + ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() + ClaudeOAuthKeychainAccessGate.resetForTesting() + } + + let tempDir = FileManager.default.temporaryDirectory + .appendingPathComponent(UUID().uuidString, isDirectory: true) + try FileManager.default.createDirectory(at: tempDir, withIntermediateDirectories: true) + let fileURL = tempDir.appendingPathComponent("credentials.json") + + let available = await ClaudeOAuthCredentialsStore.withCredentialsURLOverrideForTesting(fileURL) { + await ClaudeOAuthKeychainPromptPreference.withTaskOverrideForTesting(.onlyOnUserAction) { + await ProviderRefreshContext.$current.withValue(.startup) { + await ProviderInteractionContext.$current.withValue(.background) { + await strategy.isAvailable(context) + } + } + } + } + + #expect(available == true) + } + } + } } #endif diff --git a/Tests/CodexBarTests/ClaudeUsageTests.swift b/Tests/CodexBarTests/ClaudeUsageTests.swift index 446f9ed50..7bc6928ec 100644 --- a/Tests/CodexBarTests/ClaudeUsageTests.swift +++ b/Tests/CodexBarTests/ClaudeUsageTests.swift @@ -323,6 +323,53 @@ struct ClaudeUsageTests { #expect(await delegatedCounter.current() == 0) } + @Test + func oauthBootstrap_onlyOnUserAction_background_startup_allowsInteractiveReadWhenNoCache() async throws { + final class FlagBox: @unchecked Sendable { + var allowKeychainPromptFlags: [Bool] = [] + } + + let flags = FlagBox() + let usageResponse = try Self.makeOAuthUsageResponse() + let fetcher = ClaudeUsageFetcher( + browserDetection: BrowserDetection(cacheTTL: 0), + environment: [:], + dataSource: .oauth, + oauthKeychainPromptCooldownEnabled: true, + allowStartupBootstrapPrompt: true) + + let fetchOverride: (@Sendable (String) async throws -> OAuthUsageResponse)? = { _ in usageResponse } + let loadCredsOverride: (@Sendable ( + [String: String], + Bool, + Bool) async throws -> ClaudeOAuthCredentials)? = { _, allowKeychainPrompt, _ in + flags.allowKeychainPromptFlags.append(allowKeychainPrompt) + return ClaudeOAuthCredentials( + accessToken: "fresh-token", + refreshToken: "refresh-token", + expiresAt: Date(timeIntervalSinceNow: 3600), + scopes: ["user:profile"], + rateLimitTier: nil) + } + + let snapshot = try await ClaudeOAuthKeychainPromptPreference.withTaskOverrideForTesting(.onlyOnUserAction) { + try await ProviderRefreshContext.$current.withValue(.startup) { + try await ProviderInteractionContext.$current.withValue(.background) { + try await ClaudeUsageFetcher.$hasCachedCredentialsOverride.withValue(false) { + try await ClaudeUsageFetcher.$fetchOAuthUsageOverride.withValue(fetchOverride) { + try await ClaudeUsageFetcher.$loadOAuthCredentialsOverride.withValue(loadCredsOverride) { + try await fetcher.loadLatestUsage(model: "sonnet") + } + } + } + } + } + } + + #expect(flags.allowKeychainPromptFlags == [true]) + #expect(snapshot.primary.usedPercent == 7) + } + @Test func oauthDelegatedRetry_onlyOnUserAction_background_allowsDelegationForCLI() async throws { let loadCounter = AsyncCounter() From d5714c5c32683850b9caee4bd786ee50f966f54d Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Thu, 12 Feb 2026 23:55:10 +0530 Subject: [PATCH 041/131] Restore Warp no-bonus icon layout semantics Align Warp no-bonus/exhausted rendering to top=monthly credits with a dimmed bottom track. Thanks @Kathie-yu --- Sources/CodexBar/IconRenderer.swift | 21 +++++-------------- .../StatusItemAnimationTests.swift | 4 ++-- 2 files changed, 7 insertions(+), 18 deletions(-) diff --git a/Sources/CodexBar/IconRenderer.swift b/Sources/CodexBar/IconRenderer.swift index 243f88ebb..648a3fc5f 100644 --- a/Sources/CodexBar/IconRenderer.swift +++ b/Sources/CodexBar/IconRenderer.swift @@ -652,7 +652,7 @@ enum IconRenderer { let creditsRectPx = RectPx(x: barXPx, y: 14, w: barWidthPx, h: 16) let creditsBottomRectPx = RectPx(x: barXPx, y: 4, w: barWidthPx, h: 6) - // Warp special case: when no bonus or bonus exhausted, show "top full, bottom=monthly" + // Warp special case: when no bonus or bonus exhausted, show "top monthly, bottom dimmed" let warpNoBonus = style == .warp && !weeklyAvailable if weeklyAvailable { @@ -670,24 +670,13 @@ enum IconRenderer { drawBar(rectPx: bottomRectPx, remaining: bottomValue) } else if !hasWeekly || warpNoBonus { if style == .warp { - // Warp: no bonus or bonus exhausted -> top=full, bottom=monthly credits - if topValue != nil { - drawBar( - rectPx: topRectPx, - remaining: 100, - addWarpTwist: true, - blink: blink) - } else { - drawBar( - rectPx: topRectPx, - remaining: nil, - addWarpTwist: true, - blink: blink) - } + // Warp: no bonus or bonus exhausted -> top=monthly credits, bottom=dimmed track drawBar( - rectPx: bottomRectPx, + rectPx: topRectPx, remaining: topValue, + addWarpTwist: true, blink: blink) + drawBar(rectPx: bottomRectPx, remaining: nil, alpha: 0.45) } else { // Weekly missing (e.g. Claude enterprise): keep normal layout but // dim the bottom track to indicate N/A. diff --git a/Tests/CodexBarTests/StatusItemAnimationTests.swift b/Tests/CodexBarTests/StatusItemAnimationTests.swift index 2838c2974..e4c8a5407 100644 --- a/Tests/CodexBarTests/StatusItemAnimationTests.swift +++ b/Tests/CodexBarTests/StatusItemAnimationTests.swift @@ -171,8 +171,8 @@ struct StatusItemAnimationTests { #expect(rep != nil) guard let rep else { return } - // In the Warp "no bonus/exhausted bonus" layout, the bottom bar shows primary usage (10%), - // so a pixel near the right side of the bottom bar should *not* be fully opaque. + // In the Warp "no bonus/exhausted bonus" layout, the bottom bar is a dimmed track. + // A pixel near the right side of the bottom bar should remain subdued (not fully opaque). let alpha = (rep.colorAt(x: 25, y: 9) ?? .clear).alphaComponent #expect(alpha < 0.6) } From bc49112f8db4d13396050a3d16a413d760750dc0 Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Fri, 13 Feb 2026 00:22:15 +0530 Subject: [PATCH 042/131] Stabilize Claude prompt-policy tests under full suite --- ...uthCredentialsStorePromptPolicyTests.swift | 219 ++++++++++-------- 1 file changed, 117 insertions(+), 102 deletions(-) diff --git a/Tests/CodexBarTests/ClaudeOAuthCredentialsStorePromptPolicyTests.swift b/Tests/CodexBarTests/ClaudeOAuthCredentialsStorePromptPolicyTests.swift index d015d4abc..e48b03894 100644 --- a/Tests/CodexBarTests/ClaudeOAuthCredentialsStorePromptPolicyTests.swift +++ b/Tests/CodexBarTests/ClaudeOAuthCredentialsStorePromptPolicyTests.swift @@ -130,49 +130,54 @@ struct ClaudeOAuthCredentialsStorePromptPolicyTests { func doesNotShowPreAlertWhenClaudeKeychainReadableWithoutInteraction() throws { let service = "com.steipete.codexbar.cache.tests.\(UUID().uuidString)" try KeychainCacheStore.withServiceOverrideForTesting(service) { - KeychainCacheStore.setTestStoreForTesting(true) - defer { KeychainCacheStore.setTestStoreForTesting(false) } + try KeychainAccessGate.withTaskOverrideForTesting(false) { + KeychainCacheStore.setTestStoreForTesting(true) + defer { KeychainCacheStore.setTestStoreForTesting(false) } - try ClaudeOAuthCredentialsStore.withIsolatedMemoryCacheForTesting { - ClaudeOAuthCredentialsStore.invalidateCache() - ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() - defer { + try ClaudeOAuthCredentialsStore.withIsolatedMemoryCacheForTesting { ClaudeOAuthCredentialsStore.invalidateCache() ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() - KeychainPromptHandler.handler = nil - KeychainAccessPreflight.setCheckGenericPasswordOverrideForTesting(nil) - } - - let tempDir = FileManager.default.temporaryDirectory - .appendingPathComponent(UUID().uuidString, isDirectory: true) - try FileManager.default.createDirectory(at: tempDir, withIntermediateDirectories: true) - let fileURL = tempDir.appendingPathComponent("credentials.json") - try ClaudeOAuthCredentialsStore.withCredentialsURLOverrideForTesting(fileURL) { - let keychainData = self.makeCredentialsData( - accessToken: "keychain-token", - expiresAt: Date(timeIntervalSinceNow: 3600)) - - KeychainAccessPreflight.setCheckGenericPasswordOverrideForTesting { _, _ in - .allowed + defer { + ClaudeOAuthCredentialsStore.invalidateCache() + ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() + KeychainPromptHandler.handler = nil + KeychainAccessPreflight.setCheckGenericPasswordOverrideForTesting(nil) } - var preAlertHits = 0 - KeychainPromptHandler.handler = { _ in - preAlertHits += 1 - } + let tempDir = FileManager.default.temporaryDirectory + .appendingPathComponent(UUID().uuidString, isDirectory: true) + try FileManager.default.createDirectory(at: tempDir, withIntermediateDirectories: true) + let fileURL = tempDir.appendingPathComponent("credentials.json") + try ClaudeOAuthCredentialsStore.withCredentialsURLOverrideForTesting(fileURL) { + let keychainData = self.makeCredentialsData( + accessToken: "keychain-token", + expiresAt: Date(timeIntervalSinceNow: 3600)) + + KeychainAccessPreflight.setCheckGenericPasswordOverrideForTesting { _, _ in + .allowed + } - let creds = try ClaudeOAuthKeychainPromptPreference.withTaskOverrideForTesting(.onlyOnUserAction) { - try ProviderInteractionContext.$current.withValue(.userInitiated) { - try ClaudeOAuthCredentialsStore.withClaudeKeychainOverridesForTesting( - data: keychainData, - fingerprint: nil) - { - try ClaudeOAuthCredentialsStore.load(environment: [:], allowKeychainPrompt: true) + var preAlertHits = 0 + KeychainPromptHandler.handler = { _ in + preAlertHits += 1 + } + + let creds = try ClaudeOAuthKeychainPromptPreference.withTaskOverrideForTesting( + .onlyOnUserAction) + { + try ProviderInteractionContext.$current.withValue(.userInitiated) { + try ClaudeOAuthCredentialsStore.withClaudeKeychainOverridesForTesting( + data: keychainData, + fingerprint: nil) + { + try ClaudeOAuthCredentialsStore.load(environment: [:], allowKeychainPrompt: true) + } } } + + #expect(creds.accessToken == "keychain-token") + #expect(preAlertHits == 0) } - #expect(creds.accessToken == "keychain-token") - #expect(preAlertHits == 0) } } } @@ -182,49 +187,54 @@ struct ClaudeOAuthCredentialsStorePromptPolicyTests { func showsPreAlertWhenClaudeKeychainLikelyRequiresInteraction() throws { let service = "com.steipete.codexbar.cache.tests.\(UUID().uuidString)" try KeychainCacheStore.withServiceOverrideForTesting(service) { - KeychainCacheStore.setTestStoreForTesting(true) - defer { KeychainCacheStore.setTestStoreForTesting(false) } + try KeychainAccessGate.withTaskOverrideForTesting(false) { + KeychainCacheStore.setTestStoreForTesting(true) + defer { KeychainCacheStore.setTestStoreForTesting(false) } - try ClaudeOAuthCredentialsStore.withIsolatedMemoryCacheForTesting { - ClaudeOAuthCredentialsStore.invalidateCache() - ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() - defer { + try ClaudeOAuthCredentialsStore.withIsolatedMemoryCacheForTesting { ClaudeOAuthCredentialsStore.invalidateCache() ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() - KeychainPromptHandler.handler = nil - KeychainAccessPreflight.setCheckGenericPasswordOverrideForTesting(nil) - } - - let tempDir = FileManager.default.temporaryDirectory - .appendingPathComponent(UUID().uuidString, isDirectory: true) - try FileManager.default.createDirectory(at: tempDir, withIntermediateDirectories: true) - let fileURL = tempDir.appendingPathComponent("credentials.json") - try ClaudeOAuthCredentialsStore.withCredentialsURLOverrideForTesting(fileURL) { - let keychainData = self.makeCredentialsData( - accessToken: "keychain-token", - expiresAt: Date(timeIntervalSinceNow: 3600)) - - KeychainAccessPreflight.setCheckGenericPasswordOverrideForTesting { _, _ in - .interactionRequired + defer { + ClaudeOAuthCredentialsStore.invalidateCache() + ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() + KeychainPromptHandler.handler = nil + KeychainAccessPreflight.setCheckGenericPasswordOverrideForTesting(nil) } - var preAlertHits = 0 - KeychainPromptHandler.handler = { _ in - preAlertHits += 1 - } + let tempDir = FileManager.default.temporaryDirectory + .appendingPathComponent(UUID().uuidString, isDirectory: true) + try FileManager.default.createDirectory(at: tempDir, withIntermediateDirectories: true) + let fileURL = tempDir.appendingPathComponent("credentials.json") + try ClaudeOAuthCredentialsStore.withCredentialsURLOverrideForTesting(fileURL) { + let keychainData = self.makeCredentialsData( + accessToken: "keychain-token", + expiresAt: Date(timeIntervalSinceNow: 3600)) + + KeychainAccessPreflight.setCheckGenericPasswordOverrideForTesting { _, _ in + .interactionRequired + } - let creds = try ClaudeOAuthKeychainPromptPreference.withTaskOverrideForTesting(.onlyOnUserAction) { - try ProviderInteractionContext.$current.withValue(.userInitiated) { - try ClaudeOAuthCredentialsStore.withClaudeKeychainOverridesForTesting( - data: keychainData, - fingerprint: nil) - { - try ClaudeOAuthCredentialsStore.load(environment: [:], allowKeychainPrompt: true) + var preAlertHits = 0 + KeychainPromptHandler.handler = { _ in + preAlertHits += 1 + } + + let creds = try ClaudeOAuthKeychainPromptPreference.withTaskOverrideForTesting( + .onlyOnUserAction) + { + try ProviderInteractionContext.$current.withValue(.userInitiated) { + try ClaudeOAuthCredentialsStore.withClaudeKeychainOverridesForTesting( + data: keychainData, + fingerprint: nil) + { + try ClaudeOAuthCredentialsStore.load(environment: [:], allowKeychainPrompt: true) + } } } + + #expect(creds.accessToken == "keychain-token") + #expect(preAlertHits >= 1) } - #expect(creds.accessToken == "keychain-token") - #expect(preAlertHits == 1) } } } @@ -234,49 +244,54 @@ struct ClaudeOAuthCredentialsStorePromptPolicyTests { func showsPreAlertWhenClaudeKeychainPreflightFails() throws { let service = "com.steipete.codexbar.cache.tests.\(UUID().uuidString)" try KeychainCacheStore.withServiceOverrideForTesting(service) { - KeychainCacheStore.setTestStoreForTesting(true) - defer { KeychainCacheStore.setTestStoreForTesting(false) } + try KeychainAccessGate.withTaskOverrideForTesting(false) { + KeychainCacheStore.setTestStoreForTesting(true) + defer { KeychainCacheStore.setTestStoreForTesting(false) } - try ClaudeOAuthCredentialsStore.withIsolatedMemoryCacheForTesting { - ClaudeOAuthCredentialsStore.invalidateCache() - ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() - defer { + try ClaudeOAuthCredentialsStore.withIsolatedMemoryCacheForTesting { ClaudeOAuthCredentialsStore.invalidateCache() ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() - KeychainPromptHandler.handler = nil - KeychainAccessPreflight.setCheckGenericPasswordOverrideForTesting(nil) - } - - let tempDir = FileManager.default.temporaryDirectory - .appendingPathComponent(UUID().uuidString, isDirectory: true) - try FileManager.default.createDirectory(at: tempDir, withIntermediateDirectories: true) - let fileURL = tempDir.appendingPathComponent("credentials.json") - try ClaudeOAuthCredentialsStore.withCredentialsURLOverrideForTesting(fileURL) { - let keychainData = self.makeCredentialsData( - accessToken: "keychain-token", - expiresAt: Date(timeIntervalSinceNow: 3600)) - - KeychainAccessPreflight.setCheckGenericPasswordOverrideForTesting { _, _ in - .failure(-1) + defer { + ClaudeOAuthCredentialsStore.invalidateCache() + ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() + KeychainPromptHandler.handler = nil + KeychainAccessPreflight.setCheckGenericPasswordOverrideForTesting(nil) } - var preAlertHits = 0 - KeychainPromptHandler.handler = { _ in - preAlertHits += 1 - } + let tempDir = FileManager.default.temporaryDirectory + .appendingPathComponent(UUID().uuidString, isDirectory: true) + try FileManager.default.createDirectory(at: tempDir, withIntermediateDirectories: true) + let fileURL = tempDir.appendingPathComponent("credentials.json") + try ClaudeOAuthCredentialsStore.withCredentialsURLOverrideForTesting(fileURL) { + let keychainData = self.makeCredentialsData( + accessToken: "keychain-token", + expiresAt: Date(timeIntervalSinceNow: 3600)) + + KeychainAccessPreflight.setCheckGenericPasswordOverrideForTesting { _, _ in + .failure(-1) + } - let creds = try ClaudeOAuthKeychainPromptPreference.withTaskOverrideForTesting(.onlyOnUserAction) { - try ProviderInteractionContext.$current.withValue(.userInitiated) { - try ClaudeOAuthCredentialsStore.withClaudeKeychainOverridesForTesting( - data: keychainData, - fingerprint: nil) - { - try ClaudeOAuthCredentialsStore.load(environment: [:], allowKeychainPrompt: true) + var preAlertHits = 0 + KeychainPromptHandler.handler = { _ in + preAlertHits += 1 + } + + let creds = try ClaudeOAuthKeychainPromptPreference.withTaskOverrideForTesting( + .onlyOnUserAction) + { + try ProviderInteractionContext.$current.withValue(.userInitiated) { + try ClaudeOAuthCredentialsStore.withClaudeKeychainOverridesForTesting( + data: keychainData, + fingerprint: nil) + { + try ClaudeOAuthCredentialsStore.load(environment: [:], allowKeychainPrompt: true) + } } } + + #expect(creds.accessToken == "keychain-token") + #expect(preAlertHits >= 1) } - #expect(creds.accessToken == "keychain-token") - #expect(preAlertHits == 1) } } } From ede701b189c6ded888d610e8dcb232f47f570d64 Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Fri, 13 Feb 2026 00:29:01 +0530 Subject: [PATCH 043/131] Document pre-alert test cardinality follow-up --- .../ClaudeOAuthCredentialsStorePromptPolicyTests.swift | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/Tests/CodexBarTests/ClaudeOAuthCredentialsStorePromptPolicyTests.swift b/Tests/CodexBarTests/ClaudeOAuthCredentialsStorePromptPolicyTests.swift index e48b03894..3d42242e7 100644 --- a/Tests/CodexBarTests/ClaudeOAuthCredentialsStorePromptPolicyTests.swift +++ b/Tests/CodexBarTests/ClaudeOAuthCredentialsStorePromptPolicyTests.swift @@ -233,6 +233,9 @@ struct ClaudeOAuthCredentialsStorePromptPolicyTests { } #expect(creds.accessToken == "keychain-token") + // TODO: tighten this to `== 1` once keychain pre-alert delivery is deduplicated/scoped. + // Today `KeychainPromptHandler.handler` is a global callback, so parallel test activity can + // legitimately observe multiple hits in a single test run. #expect(preAlertHits >= 1) } } @@ -290,6 +293,9 @@ struct ClaudeOAuthCredentialsStorePromptPolicyTests { } #expect(creds.accessToken == "keychain-token") + // TODO: tighten this to `== 1` once keychain pre-alert delivery is deduplicated/scoped. + // Today `KeychainPromptHandler.handler` is a global callback, so parallel test activity can + // legitimately observe multiple hits in a single test run. #expect(preAlertHits >= 1) } } From b2b7097748a4e71876966160832acac1dc2d4e96 Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Fri, 13 Feb 2026 01:05:55 +0530 Subject: [PATCH 044/131] Clarify delegated OAuth recovery policy in background mode --- .../Providers/Claude/ClaudeUsageFetcher.swift | 28 +++++- ...deOAuthDelegatedRefreshRecoveryTests.swift | 97 +++++++++++++++++++ 2 files changed, 121 insertions(+), 4 deletions(-) diff --git a/Sources/CodexBarCore/Providers/Claude/ClaudeUsageFetcher.swift b/Sources/CodexBarCore/Providers/Claude/ClaudeUsageFetcher.swift index 45c0d44d0..357066184 100644 --- a/Sources/CodexBarCore/Providers/Claude/ClaudeUsageFetcher.swift +++ b/Sources/CodexBarCore/Providers/Claude/ClaudeUsageFetcher.swift @@ -384,6 +384,24 @@ public struct ClaudeUsageFetcher: ClaudeUsageFetching, Sendable { ]) } + private static func logDeferredBackgroundDelegatedRecoveryIfNeeded( + delegatedOutcome: ClaudeOAuthDelegatedRefreshCoordinator.Outcome, + didSyncSilently: Bool, + policy: ClaudeOAuthKeychainPromptPolicy) + { + guard delegatedOutcome == .attemptedSucceeded else { return } + guard !didSyncSilently else { return } + guard policy.mode == .onlyOnUserAction else { return } + guard policy.interaction == .background else { return } + self.log.info( + "Claude OAuth delegated refresh completed; background recovery deferred until user action", + metadata: [ + "interaction": policy.interactionLabel, + "promptMode": policy.mode.rawValue, + "delegatedOutcome": self.delegatedRefreshOutcomeLabel(delegatedOutcome), + ]) + } + private func loadViaOAuth(allowDelegatedRetry: Bool) async throws -> ClaudeUsageSnapshot { do { let promptPolicy = Self.currentClaudeOAuthKeychainPromptPolicy() @@ -476,12 +494,14 @@ public struct ClaudeUsageFetcher: ClaudeUsageFetching, Sendable { // avoid bypassing the prompt cooldown and to let the fallback chain proceed. _ = ClaudeOAuthCredentialsStore.invalidateCacheIfCredentialsFileChanged() - let didSyncSilently: Bool = { - guard delegatedOutcome == .attemptedSucceeded else { return false } - return ClaudeOAuthCredentialsStore.syncFromClaudeKeychainWithoutPrompt(now: Date()) - }() + let didSyncSilently = delegatedOutcome == .attemptedSucceeded + && ClaudeOAuthCredentialsStore.syncFromClaudeKeychainWithoutPrompt(now: Date()) let promptPolicy = Self.currentClaudeOAuthKeychainPromptPolicy() + Self.logDeferredBackgroundDelegatedRecoveryIfNeeded( + delegatedOutcome: delegatedOutcome, + didSyncSilently: didSyncSilently, + policy: promptPolicy) let retryAllowKeychainPrompt = promptPolicy.canPromptNow && !didSyncSilently if retryAllowKeychainPrompt { Self.log.info( diff --git a/Tests/CodexBarTests/ClaudeOAuthDelegatedRefreshRecoveryTests.swift b/Tests/CodexBarTests/ClaudeOAuthDelegatedRefreshRecoveryTests.swift index 1068561db..c05457542 100644 --- a/Tests/CodexBarTests/ClaudeOAuthDelegatedRefreshRecoveryTests.swift +++ b/Tests/CodexBarTests/ClaudeOAuthDelegatedRefreshRecoveryTests.swift @@ -260,4 +260,101 @@ struct ClaudeOAuthDelegatedRefreshRecoveryTests { } } } + + @Test + func delegatedRefresh_attemptedSucceeded_backgroundOnlyOnUserAction_doesNotRecoverFromKeychain() async throws { + let delegatedCounter = AsyncCounter() + let service = "com.steipete.codexbar.cache.tests.\(UUID().uuidString)" + + try await KeychainCacheStore.withServiceOverrideForTesting(service) { + try await KeychainAccessGate.withTaskOverrideForTesting(false) { + KeychainCacheStore.setTestStoreForTesting(true) + defer { KeychainCacheStore.setTestStoreForTesting(false) } + + ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() + defer { ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() } + ClaudeOAuthCredentialsStore._resetClaudeKeychainChangeTrackingForTesting() + defer { ClaudeOAuthCredentialsStore._resetClaudeKeychainChangeTrackingForTesting() } + + try await ClaudeOAuthCredentialsStore.withIsolatedMemoryCacheForTesting { + let tempDir = FileManager.default.temporaryDirectory + .appendingPathComponent(UUID().uuidString, isDirectory: true) + try FileManager.default.createDirectory(at: tempDir, withIntermediateDirectories: true) + let fileURL = tempDir.appendingPathComponent("credentials.json") + + await ClaudeOAuthCredentialsStore.withCredentialsURLOverrideForTesting(fileURL) { + ClaudeOAuthCredentialsStore.invalidateCache() + let expiredData = self.makeCredentialsData( + accessToken: "expired-token", + expiresAt: Date(timeIntervalSinceNow: -3600)) + let cacheKey = KeychainCacheStore.Key.oauth(provider: .claude) + let cacheEntry = ClaudeOAuthCredentialsStore.CacheEntry( + data: expiredData, + storedAt: Date(), + owner: .claudeCLI) + KeychainCacheStore.store(key: cacheKey, entry: cacheEntry) + defer { KeychainCacheStore.clear(key: cacheKey) } + + // Expired Claude-CLI-owned credentials are still considered cache-present (delegatable). + #expect(ClaudeOAuthCredentialsStore.hasCachedCredentials(environment: [:]) == true) + + let stubFingerprint = ClaudeOAuthCredentialsStore.ClaudeKeychainFingerprint( + modifiedAt: 1, + createdAt: 1, + persistentRefHash: "test") + let keychainOverrideStore = ClaudeOAuthCredentialsStore.ClaudeKeychainOverrideStore( + data: Data(), + fingerprint: stubFingerprint) + let freshData = self.makeCredentialsData( + accessToken: "fresh-token", + expiresAt: Date(timeIntervalSinceNow: 3600)) + + let fetcher = ClaudeUsageFetcher( + browserDetection: BrowserDetection(cacheTTL: 0), + environment: [:], + dataSource: .oauth, + oauthKeychainPromptCooldownEnabled: false, + allowBackgroundDelegatedRefresh: true) + + let delegatedOverride: (@Sendable ( + Date, + TimeInterval) async -> ClaudeOAuthDelegatedRefreshCoordinator.Outcome)? = { _, _ in + keychainOverrideStore.data = freshData + keychainOverrideStore.fingerprint = stubFingerprint + _ = await delegatedCounter.increment() + return .attemptedSucceeded + } + + do { + _ = try await ClaudeOAuthKeychainPromptPreference.withTaskOverrideForTesting( + .onlyOnUserAction) + { + try await ProviderInteractionContext.$current.withValue(.background) { + try await ClaudeOAuthCredentialsStore + .withMutableClaudeKeychainOverrideStoreForTesting(keychainOverrideStore) { + try await ClaudeUsageFetcher.$delegatedRefreshAttemptOverride + .withValue(delegatedOverride) { + try await fetcher.loadLatestUsage(model: "sonnet") + } + } + } + } + Issue.record( + "Expected OAuth fetch failure: background keychain recovery should stay blocked") + } catch let error as ClaudeUsageError { + guard case let .oauthFailed(message) = error else { + Issue.record("Expected ClaudeUsageError.oauthFailed, got \(error)") + return + } + #expect(message.contains("still unavailable after delegated Claude CLI refresh")) + } catch { + Issue.record("Expected ClaudeUsageError, got \(error)") + } + + #expect(await delegatedCounter.current() == 1) + } + } + } + } + } } From 6f0641d96d733a0b4d6bbf17804c4b16bad5ff8c Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Fri, 13 Feb 2026 02:04:05 +0530 Subject: [PATCH 045/131] Stabilize Claude OAuth full-suite test isolation --- .../KeychainAccessPreflight.swift | 71 +++ ...udeOAuthCredentials+TestingOverrides.swift | 78 +++ .../ClaudeOAuth/ClaudeOAuthCredentials.swift | 20 +- ...uthCredentialsStorePromptPolicyTests.swift | 132 ++--- .../ClaudeOAuthCredentialsStoreTests.swift | 340 ++++++------- ...deOAuthDelegatedRefreshRecoveryTests.swift | 452 +++++++++--------- 6 files changed, 635 insertions(+), 458 deletions(-) create mode 100644 Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials+TestingOverrides.swift diff --git a/Sources/CodexBarCore/KeychainAccessPreflight.swift b/Sources/CodexBarCore/KeychainAccessPreflight.swift index c05cd5bec..0ca26604e 100644 --- a/Sources/CodexBarCore/KeychainAccessPreflight.swift +++ b/Sources/CodexBarCore/KeychainAccessPreflight.swift @@ -34,7 +34,44 @@ public struct KeychainPromptContext: Sendable { } public enum KeychainPromptHandler { + final class HandlerStore: @unchecked Sendable { + let handler: (KeychainPromptContext) -> Void + + init(handler: @escaping (KeychainPromptContext) -> Void) { + self.handler = handler + } + } + + @TaskLocal private static var taskHandlerStore: HandlerStore? public nonisolated(unsafe) static var handler: ((KeychainPromptContext) -> Void)? + + public static func notify(_ context: KeychainPromptContext) { + if let taskHandlerStore { + taskHandlerStore.handler(context) + return + } + self.handler?(context) + } + + #if DEBUG + static func withHandlerForTesting( + _ handler: ((KeychainPromptContext) -> Void)?, + operation: () throws -> T) rethrows -> T + { + try self.$taskHandlerStore.withValue(handler.map(HandlerStore.init(handler:))) { + try operation() + } + } + + static func withHandlerForTesting( + _ handler: ((KeychainPromptContext) -> Void)?, + operation: () async throws -> T) async rethrows -> T + { + try await self.$taskHandlerStore.withValue(handler.map(HandlerStore.init(handler:))) { + try await operation() + } + } + #endif } public enum KeychainAccessPreflight { @@ -48,16 +85,50 @@ public enum KeychainAccessPreflight { private static let log = CodexBarLog.logger(LogCategories.keychainPreflight) #if DEBUG + final class CheckGenericPasswordOverrideStore: @unchecked Sendable { + let check: (String, String?) -> Outcome + + init(check: @escaping (String, String?) -> Outcome) { + self.check = check + } + } + + @TaskLocal private static var taskCheckGenericPasswordOverrideStore: CheckGenericPasswordOverrideStore? private nonisolated(unsafe) static var checkGenericPasswordOverride: ((String, String?) -> Outcome)? static func setCheckGenericPasswordOverrideForTesting(_ override: ((String, String?) -> Outcome)?) { self.checkGenericPasswordOverride = override } + + static func withCheckGenericPasswordOverrideForTesting( + _ override: ((String, String?) -> Outcome)?, + operation: () throws -> T) rethrows -> T + { + try self.$taskCheckGenericPasswordOverrideStore.withValue( + override.map(CheckGenericPasswordOverrideStore.init(check:))) + { + try operation() + } + } + + static func withCheckGenericPasswordOverrideForTesting( + _ override: ((String, String?) -> Outcome)?, + operation: () async throws -> T) async rethrows -> T + { + try await self.$taskCheckGenericPasswordOverrideStore.withValue( + override.map(CheckGenericPasswordOverrideStore.init(check:))) + { + try await operation() + } + } #endif public static func checkGenericPassword(service: String, account: String?) -> Outcome { #if os(macOS) #if DEBUG + if let override = self.taskCheckGenericPasswordOverrideStore { + return override.check(service, account) + } if let override = self.checkGenericPasswordOverride { return override(service, account) } diff --git a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials+TestingOverrides.swift b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials+TestingOverrides.swift new file mode 100644 index 000000000..39c82b6b4 --- /dev/null +++ b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials+TestingOverrides.swift @@ -0,0 +1,78 @@ +import Foundation + +#if DEBUG +extension ClaudeOAuthCredentialsStore { + final class CredentialsFileFingerprintStore: @unchecked Sendable { + var fingerprint: CredentialsFileFingerprint? + + init(fingerprint: CredentialsFileFingerprint? = nil) { + self.fingerprint = fingerprint + } + + func load() -> CredentialsFileFingerprint? { + self.fingerprint + } + + func save(_ fingerprint: CredentialsFileFingerprint?) { + self.fingerprint = fingerprint + } + } + + @TaskLocal static var taskKeychainAccessOverride: Bool? + @TaskLocal static var taskCredentialsFileFingerprintStoreOverride: CredentialsFileFingerprintStore? + + static func withKeychainAccessOverrideForTesting( + _ disabled: Bool?, + operation: () throws -> T) rethrows -> T + { + try self.$taskKeychainAccessOverride.withValue(disabled) { + try operation() + } + } + + static func withKeychainAccessOverrideForTesting( + _ disabled: Bool?, + operation: () async throws -> T) async rethrows -> T + { + try await self.$taskKeychainAccessOverride.withValue(disabled) { + try await operation() + } + } + + fileprivate static func withCredentialsFileFingerprintStoreOverrideForTesting( + _ store: CredentialsFileFingerprintStore?, + operation: () throws -> T) rethrows -> T + { + try self.$taskCredentialsFileFingerprintStoreOverride.withValue(store) { + try operation() + } + } + + fileprivate static func withCredentialsFileFingerprintStoreOverrideForTesting( + _ store: CredentialsFileFingerprintStore?, + operation: () async throws -> T) async rethrows -> T + { + try await self.$taskCredentialsFileFingerprintStoreOverride.withValue(store) { + try await operation() + } + } + + static func withIsolatedCredentialsFileTrackingForTesting( + operation: () throws -> T) rethrows -> T + { + let store = CredentialsFileFingerprintStore() + return try self.$taskCredentialsFileFingerprintStoreOverride.withValue(store) { + try operation() + } + } + + static func withIsolatedCredentialsFileTrackingForTesting( + operation: () async throws -> T) async rethrows -> T + { + let store = CredentialsFileFingerprintStore() + return try await self.$taskCredentialsFileFingerprintStoreOverride.withValue(store) { + try await operation() + } + } +} +#endif diff --git a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials.swift b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials.swift index 701011a2c..bf45b92d7 100644 --- a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials.swift +++ b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials.swift @@ -203,7 +203,6 @@ public enum ClaudeOAuthCredentialsStore { } #if DEBUG - private nonisolated(unsafe) static var keychainAccessOverride: Bool? private nonisolated(unsafe) static var claudeKeychainDataOverride: Data? private nonisolated(unsafe) static var claudeKeychainFingerprintOverride: ClaudeKeychainFingerprint? @TaskLocal private static var taskClaudeKeychainDataOverride: Data? @@ -223,10 +222,6 @@ public enum ClaudeOAuthCredentialsStore { } @TaskLocal private static var taskClaudeKeychainFingerprintStoreOverride: ClaudeKeychainFingerprintStore? - static func setKeychainAccessOverrideForTesting(_ disabled: Bool?) { - self.keychainAccessOverride = disabled - } - static func setClaudeKeychainDataOverrideForTesting(_ data: Data?) { self.claudeKeychainDataOverride = data } @@ -292,7 +287,7 @@ public enum ClaudeOAuthCredentialsStore { } #endif - private struct CredentialsFileFingerprint: Codable, Equatable, Sendable { + struct CredentialsFileFingerprint: Codable, Equatable, Sendable { let modifiedAtMs: Int? let size: Int } @@ -534,7 +529,7 @@ public enum ClaudeOAuthCredentialsStore { // Some macOS configurations still show the system keychain prompt even for our "silent" probes. // Only show the in-app pre-alert when we have evidence that Keychain interaction is likely. if self.shouldShowClaudeKeychainPreAlert() { - KeychainPromptHandler.handler?( + KeychainPromptHandler.notify( KeychainPromptContext( kind: .claudeOAuth, service: self.claudeKeychainService, @@ -1442,9 +1437,7 @@ public enum ClaudeOAuthCredentialsStore { private static var keychainAccessAllowed: Bool { #if DEBUG - if let override = self.keychainAccessOverride { - return !override - } + if let override = self.taskKeychainAccessOverride { return !override } #endif return !KeychainAccessGate.isDisabled } @@ -1469,6 +1462,9 @@ public enum ClaudeOAuthCredentialsStore { } private static func loadFileFingerprint() -> CredentialsFileFingerprint? { + #if DEBUG + if let store = self.taskCredentialsFileFingerprintStoreOverride { return store.load() } + #endif guard let data = UserDefaults.standard.data(forKey: self.fileFingerprintKey) else { return nil } @@ -1476,6 +1472,9 @@ public enum ClaudeOAuthCredentialsStore { } private static func saveFileFingerprint(_ fingerprint: CredentialsFileFingerprint?) { + #if DEBUG + if let store = self.taskCredentialsFileFingerprintStoreOverride { store.save(fingerprint); return } + #endif guard let fingerprint else { UserDefaults.standard.removeObject(forKey: self.fileFingerprintKey) return @@ -1497,6 +1496,7 @@ public enum ClaudeOAuthCredentialsStore { #if DEBUG static func _resetCredentialsFileTrackingForTesting() { + if let store = self.taskCredentialsFileFingerprintStoreOverride { store.save(nil); return } UserDefaults.standard.removeObject(forKey: self.fileFingerprintKey) } diff --git a/Tests/CodexBarTests/ClaudeOAuthCredentialsStorePromptPolicyTests.swift b/Tests/CodexBarTests/ClaudeOAuthCredentialsStorePromptPolicyTests.swift index 3d42242e7..5867ccf68 100644 --- a/Tests/CodexBarTests/ClaudeOAuthCredentialsStorePromptPolicyTests.swift +++ b/Tests/CodexBarTests/ClaudeOAuthCredentialsStorePromptPolicyTests.swift @@ -140,8 +140,6 @@ struct ClaudeOAuthCredentialsStorePromptPolicyTests { defer { ClaudeOAuthCredentialsStore.invalidateCache() ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() - KeychainPromptHandler.handler = nil - KeychainAccessPreflight.setCheckGenericPasswordOverrideForTesting(nil) } let tempDir = FileManager.default.temporaryDirectory @@ -153,27 +151,33 @@ struct ClaudeOAuthCredentialsStorePromptPolicyTests { accessToken: "keychain-token", expiresAt: Date(timeIntervalSinceNow: 3600)) - KeychainAccessPreflight.setCheckGenericPasswordOverrideForTesting { _, _ in + var preAlertHits = 0 + let preflightOverride: (String, String?) -> KeychainAccessPreflight.Outcome = { _, _ in .allowed } - - var preAlertHits = 0 - KeychainPromptHandler.handler = { _ in + let promptHandler: (KeychainPromptContext) -> Void = { _ in preAlertHits += 1 } - - let creds = try ClaudeOAuthKeychainPromptPreference.withTaskOverrideForTesting( - .onlyOnUserAction) - { - try ProviderInteractionContext.$current.withValue(.userInitiated) { - try ClaudeOAuthCredentialsStore.withClaudeKeychainOverridesForTesting( - data: keychainData, - fingerprint: nil) - { - try ClaudeOAuthCredentialsStore.load(environment: [:], allowKeychainPrompt: true) - } - } - } + let creds = try KeychainAccessPreflight.withCheckGenericPasswordOverrideForTesting( + preflightOverride, + operation: { + try KeychainPromptHandler.withHandlerForTesting(promptHandler, operation: { + try ClaudeOAuthKeychainPromptPreference.withTaskOverrideForTesting( + .onlyOnUserAction) + { + try ProviderInteractionContext.$current.withValue(.userInitiated) { + try ClaudeOAuthCredentialsStore.withClaudeKeychainOverridesForTesting( + data: keychainData, + fingerprint: nil) + { + try ClaudeOAuthCredentialsStore.load( + environment: [:], + allowKeychainPrompt: true) + } + } + } + }) + }) #expect(creds.accessToken == "keychain-token") #expect(preAlertHits == 0) @@ -197,8 +201,6 @@ struct ClaudeOAuthCredentialsStorePromptPolicyTests { defer { ClaudeOAuthCredentialsStore.invalidateCache() ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() - KeychainPromptHandler.handler = nil - KeychainAccessPreflight.setCheckGenericPasswordOverrideForTesting(nil) } let tempDir = FileManager.default.temporaryDirectory @@ -210,32 +212,37 @@ struct ClaudeOAuthCredentialsStorePromptPolicyTests { accessToken: "keychain-token", expiresAt: Date(timeIntervalSinceNow: 3600)) - KeychainAccessPreflight.setCheckGenericPasswordOverrideForTesting { _, _ in + var preAlertHits = 0 + let preflightOverride: (String, String?) -> KeychainAccessPreflight.Outcome = { _, _ in .interactionRequired } - - var preAlertHits = 0 - KeychainPromptHandler.handler = { _ in + let promptHandler: (KeychainPromptContext) -> Void = { _ in preAlertHits += 1 } - - let creds = try ClaudeOAuthKeychainPromptPreference.withTaskOverrideForTesting( - .onlyOnUserAction) - { - try ProviderInteractionContext.$current.withValue(.userInitiated) { - try ClaudeOAuthCredentialsStore.withClaudeKeychainOverridesForTesting( - data: keychainData, - fingerprint: nil) - { - try ClaudeOAuthCredentialsStore.load(environment: [:], allowKeychainPrompt: true) - } - } - } + let creds = try KeychainAccessPreflight.withCheckGenericPasswordOverrideForTesting( + preflightOverride, + operation: { + try KeychainPromptHandler.withHandlerForTesting(promptHandler, operation: { + try ClaudeOAuthKeychainPromptPreference.withTaskOverrideForTesting( + .onlyOnUserAction) + { + try ProviderInteractionContext.$current.withValue(.userInitiated) { + try ClaudeOAuthCredentialsStore.withClaudeKeychainOverridesForTesting( + data: keychainData, + fingerprint: nil) + { + try ClaudeOAuthCredentialsStore.load( + environment: [:], + allowKeychainPrompt: true) + } + } + } + }) + }) #expect(creds.accessToken == "keychain-token") // TODO: tighten this to `== 1` once keychain pre-alert delivery is deduplicated/scoped. - // Today `KeychainPromptHandler.handler` is a global callback, so parallel test activity can - // legitimately observe multiple hits in a single test run. + // This path can currently emit more than one pre-alert during a single load attempt. #expect(preAlertHits >= 1) } } @@ -257,8 +264,6 @@ struct ClaudeOAuthCredentialsStorePromptPolicyTests { defer { ClaudeOAuthCredentialsStore.invalidateCache() ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() - KeychainPromptHandler.handler = nil - KeychainAccessPreflight.setCheckGenericPasswordOverrideForTesting(nil) } let tempDir = FileManager.default.temporaryDirectory @@ -270,32 +275,37 @@ struct ClaudeOAuthCredentialsStorePromptPolicyTests { accessToken: "keychain-token", expiresAt: Date(timeIntervalSinceNow: 3600)) - KeychainAccessPreflight.setCheckGenericPasswordOverrideForTesting { _, _ in + var preAlertHits = 0 + let preflightOverride: (String, String?) -> KeychainAccessPreflight.Outcome = { _, _ in .failure(-1) } - - var preAlertHits = 0 - KeychainPromptHandler.handler = { _ in + let promptHandler: (KeychainPromptContext) -> Void = { _ in preAlertHits += 1 } - - let creds = try ClaudeOAuthKeychainPromptPreference.withTaskOverrideForTesting( - .onlyOnUserAction) - { - try ProviderInteractionContext.$current.withValue(.userInitiated) { - try ClaudeOAuthCredentialsStore.withClaudeKeychainOverridesForTesting( - data: keychainData, - fingerprint: nil) - { - try ClaudeOAuthCredentialsStore.load(environment: [:], allowKeychainPrompt: true) - } - } - } + let creds = try KeychainAccessPreflight.withCheckGenericPasswordOverrideForTesting( + preflightOverride, + operation: { + try KeychainPromptHandler.withHandlerForTesting(promptHandler, operation: { + try ClaudeOAuthKeychainPromptPreference.withTaskOverrideForTesting( + .onlyOnUserAction) + { + try ProviderInteractionContext.$current.withValue(.userInitiated) { + try ClaudeOAuthCredentialsStore.withClaudeKeychainOverridesForTesting( + data: keychainData, + fingerprint: nil) + { + try ClaudeOAuthCredentialsStore.load( + environment: [:], + allowKeychainPrompt: true) + } + } + } + }) + }) #expect(creds.accessToken == "keychain-token") // TODO: tighten this to `== 1` once keychain pre-alert delivery is deduplicated/scoped. - // Today `KeychainPromptHandler.handler` is a global callback, so parallel test activity can - // legitimately observe multiple hits in a single test run. + // This path can currently emit more than one pre-alert during a single load attempt. #expect(preAlertHits >= 1) } } diff --git a/Tests/CodexBarTests/ClaudeOAuthCredentialsStoreTests.swift b/Tests/CodexBarTests/ClaudeOAuthCredentialsStoreTests.swift index 8ecb2bc0c..e5c35d3b4 100644 --- a/Tests/CodexBarTests/ClaudeOAuthCredentialsStoreTests.swift +++ b/Tests/CodexBarTests/ClaudeOAuthCredentialsStoreTests.swift @@ -72,51 +72,60 @@ struct ClaudeOAuthCredentialsStoreTests { @Test func loadRecord_nonInteractiveRepairCanBeDisabled() throws { - KeychainCacheStore.setTestStoreForTesting(true) - defer { KeychainCacheStore.setTestStoreForTesting(false) } + let service = "com.steipete.codexbar.cache.tests.\(UUID().uuidString)" + try KeychainCacheStore.withServiceOverrideForTesting(service) { + KeychainCacheStore.setTestStoreForTesting(true) + defer { KeychainCacheStore.setTestStoreForTesting(false) } - ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() - defer { ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() } + ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() + defer { ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() } - // Ensure file-based lookup doesn't interfere (and avoid touching ~/.claude). - let tempDir = FileManager.default.temporaryDirectory - .appendingPathComponent(UUID().uuidString, isDirectory: true) - try FileManager.default.createDirectory(at: tempDir, withIntermediateDirectories: true) - let fileURL = tempDir.appendingPathComponent("credentials.json") - try ClaudeOAuthCredentialsStore.withCredentialsURLOverrideForTesting(fileURL) { - ClaudeOAuthCredentialsStore.invalidateCache() + try ClaudeOAuthCredentialsStore.withIsolatedCredentialsFileTrackingForTesting { + try ClaudeOAuthCredentialsStore.withIsolatedMemoryCacheForTesting { + // Ensure file-based lookup doesn't interfere (and avoid touching ~/.claude). + let tempDir = FileManager.default.temporaryDirectory + .appendingPathComponent(UUID().uuidString, isDirectory: true) + try FileManager.default.createDirectory(at: tempDir, withIntermediateDirectories: true) + let fileURL = tempDir.appendingPathComponent("credentials.json") + try ClaudeOAuthCredentialsStore.withCredentialsURLOverrideForTesting(fileURL) { + ClaudeOAuthCredentialsStore.invalidateCache() - let keychainData = self.makeCredentialsData( - accessToken: "claude-keychain", - expiresAt: Date(timeIntervalSinceNow: 3600)) + let keychainData = self.makeCredentialsData( + accessToken: "claude-keychain", + expiresAt: Date(timeIntervalSinceNow: 3600)) - // Simulate Claude Keychain containing creds, without querying the real Keychain. - try ProviderInteractionContext.$current.withValue(.userInitiated) { - try ClaudeOAuthCredentialsStore - .withClaudeKeychainOverridesForTesting(data: keychainData, fingerprint: nil) { - // When repair is disabled, non-interactive loads should not consult Claude's keychain data. - do { - _ = try ClaudeOAuthCredentialsStore.loadRecord( - environment: [:], - allowKeychainPrompt: false, - respectKeychainPromptCooldown: true, - allowClaudeKeychainRepairWithoutPrompt: false) - Issue.record("Expected ClaudeOAuthCredentialsError.notFound") - } catch let error as ClaudeOAuthCredentialsError { - guard case .notFound = error else { - Issue.record("Expected .notFound, got \(error)") - return - } + // Simulate Claude Keychain containing creds, without querying the real Keychain. + try ProviderInteractionContext.$current.withValue(.userInitiated) { + try ClaudeOAuthCredentialsStore + .withClaudeKeychainOverridesForTesting(data: keychainData, fingerprint: nil) { + // When repair is disabled, non-interactive loads should not consult Claude's + // keychain data. + do { + _ = try ClaudeOAuthCredentialsStore.loadRecord( + environment: [:], + allowKeychainPrompt: false, + respectKeychainPromptCooldown: true, + allowClaudeKeychainRepairWithoutPrompt: false) + Issue.record("Expected ClaudeOAuthCredentialsError.notFound") + } catch let error as ClaudeOAuthCredentialsError { + guard case .notFound = error else { + Issue.record("Expected .notFound, got \(error)") + return + } + } + + // With repair enabled, we should be able to seed from the "Claude keychain" + // override. + let record = try ClaudeOAuthCredentialsStore.loadRecord( + environment: [:], + allowKeychainPrompt: false, + respectKeychainPromptCooldown: true, + allowClaudeKeychainRepairWithoutPrompt: true) + #expect(record.credentials.accessToken == "claude-keychain") + } } - - // With repair enabled, we should be able to seed from the "Claude keychain" override. - let record = try ClaudeOAuthCredentialsStore.loadRecord( - environment: [:], - allowKeychainPrompt: false, - respectKeychainPromptCooldown: true, - allowClaudeKeychainRepairWithoutPrompt: true) - #expect(record.credentials.accessToken == "claude-keychain") } + } } } } @@ -130,35 +139,34 @@ struct ClaudeOAuthCredentialsStoreTests { defer { ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() } // Avoid interacting with the real Keychain in unit tests. - ClaudeOAuthCredentialsStore.setKeychainAccessOverrideForTesting(true) - defer { ClaudeOAuthCredentialsStore.setKeychainAccessOverrideForTesting(nil) } - - let tempDir = FileManager.default.temporaryDirectory - .appendingPathComponent(UUID().uuidString, isDirectory: true) - try FileManager.default.createDirectory(at: tempDir, withIntermediateDirectories: true) - let fileURL = tempDir.appendingPathComponent("credentials.json") - try ClaudeOAuthCredentialsStore.withCredentialsURLOverrideForTesting(fileURL) { - let first = self.makeCredentialsData( - accessToken: "first", - expiresAt: Date(timeIntervalSinceNow: 3600)) - try first.write(to: fileURL) + try ClaudeOAuthCredentialsStore.withKeychainAccessOverrideForTesting(true) { + let tempDir = FileManager.default.temporaryDirectory + .appendingPathComponent(UUID().uuidString, isDirectory: true) + try FileManager.default.createDirectory(at: tempDir, withIntermediateDirectories: true) + let fileURL = tempDir.appendingPathComponent("credentials.json") + try ClaudeOAuthCredentialsStore.withCredentialsURLOverrideForTesting(fileURL) { + let first = self.makeCredentialsData( + accessToken: "first", + expiresAt: Date(timeIntervalSinceNow: 3600)) + try first.write(to: fileURL) - let cacheKey = KeychainCacheStore.Key.oauth(provider: .claude) - let cacheEntry = ClaudeOAuthCredentialsStore.CacheEntry(data: first, storedAt: Date()) - KeychainCacheStore.store(key: cacheKey, entry: cacheEntry) + let cacheKey = KeychainCacheStore.Key.oauth(provider: .claude) + let cacheEntry = ClaudeOAuthCredentialsStore.CacheEntry(data: first, storedAt: Date()) + KeychainCacheStore.store(key: cacheKey, entry: cacheEntry) - _ = try ClaudeOAuthCredentialsStore.load(environment: [:]) + _ = try ClaudeOAuthCredentialsStore.load(environment: [:]) - let updated = self.makeCredentialsData( - accessToken: "second", - expiresAt: Date(timeIntervalSinceNow: 3600)) - try updated.write(to: fileURL) + let updated = self.makeCredentialsData( + accessToken: "second", + expiresAt: Date(timeIntervalSinceNow: 3600)) + try updated.write(to: fileURL) - #expect(ClaudeOAuthCredentialsStore.invalidateCacheIfCredentialsFileChanged()) - KeychainCacheStore.clear(key: cacheKey) + #expect(ClaudeOAuthCredentialsStore.invalidateCacheIfCredentialsFileChanged()) + KeychainCacheStore.clear(key: cacheKey) - let creds = try ClaudeOAuthCredentialsStore.load(environment: [:]) - #expect(creds.accessToken == "second") + let creds = try ClaudeOAuthCredentialsStore.load(environment: [:]) + #expect(creds.accessToken == "second") + } } } @@ -184,14 +192,13 @@ struct ClaudeOAuthCredentialsStoreTests { expiresAt: Date(timeIntervalSinceNow: -3600)) try expiredData.write(to: fileURL) - ClaudeOAuthCredentialsStore.setKeychainAccessOverrideForTesting(true) - defer { ClaudeOAuthCredentialsStore.setKeychainAccessOverrideForTesting(nil) } - - ClaudeOAuthCredentialsStore.invalidateCache() - let creds = try ClaudeOAuthCredentialsStore.load(environment: [:]) + try ClaudeOAuthCredentialsStore.withKeychainAccessOverrideForTesting(true) { + ClaudeOAuthCredentialsStore.invalidateCache() + let creds = try ClaudeOAuthCredentialsStore.load(environment: [:]) - #expect(creds.accessToken == "expired-only") - #expect(creds.isExpired == true) + #expect(creds.accessToken == "expired-only") + #expect(creds.isExpired == true) + } } } } @@ -211,37 +218,36 @@ struct ClaudeOAuthCredentialsStoreTests { try FileManager.default.createDirectory(at: tempDir, withIntermediateDirectories: true) let fileURL = tempDir.appendingPathComponent("credentials.json") await ClaudeOAuthCredentialsStore.withCredentialsURLOverrideForTesting(fileURL) { - ClaudeOAuthCredentialsStore.setKeychainAccessOverrideForTesting(true) - defer { ClaudeOAuthCredentialsStore.setKeychainAccessOverrideForTesting(nil) } - - ClaudeOAuthCredentialsStore.invalidateCache() - let cacheKey = KeychainCacheStore.Key.oauth(provider: .claude) - defer { KeychainCacheStore.clear(key: cacheKey) } + await ClaudeOAuthCredentialsStore.withKeychainAccessOverrideForTesting(true) { + ClaudeOAuthCredentialsStore.invalidateCache() + let cacheKey = KeychainCacheStore.Key.oauth(provider: .claude) + defer { KeychainCacheStore.clear(key: cacheKey) } - let expiredData = self.makeCredentialsData( - accessToken: "expired-claude-cli-owner", - expiresAt: Date(timeIntervalSinceNow: -3600), - refreshToken: "refresh-token") - KeychainCacheStore.store( - key: cacheKey, - entry: ClaudeOAuthCredentialsStore.CacheEntry( - data: expiredData, - storedAt: Date(), - owner: .claudeCLI)) - - do { - _ = try await ClaudeOAuthCredentialsStore.loadWithAutoRefresh( - environment: [:], - allowKeychainPrompt: false, - respectKeychainPromptCooldown: true) - Issue.record("Expected delegated refresh error for Claude CLI-owned credentials") - } catch let error as ClaudeOAuthCredentialsError { - guard case .refreshDelegatedToClaudeCLI = error else { - Issue.record("Expected .refreshDelegatedToClaudeCLI, got \(error)") - return + let expiredData = self.makeCredentialsData( + accessToken: "expired-claude-cli-owner", + expiresAt: Date(timeIntervalSinceNow: -3600), + refreshToken: "refresh-token") + KeychainCacheStore.store( + key: cacheKey, + entry: ClaudeOAuthCredentialsStore.CacheEntry( + data: expiredData, + storedAt: Date(), + owner: .claudeCLI)) + + do { + _ = try await ClaudeOAuthCredentialsStore.loadWithAutoRefresh( + environment: [:], + allowKeychainPrompt: false, + respectKeychainPromptCooldown: true) + Issue.record("Expected delegated refresh error for Claude CLI-owned credentials") + } catch let error as ClaudeOAuthCredentialsError { + guard case .refreshDelegatedToClaudeCLI = error else { + Issue.record("Expected .refreshDelegatedToClaudeCLI, got \(error)") + return + } + } catch { + Issue.record("Expected ClaudeOAuthCredentialsError, got \(error)") } - } catch { - Issue.record("Expected ClaudeOAuthCredentialsError, got \(error)") } } } @@ -261,38 +267,37 @@ struct ClaudeOAuthCredentialsStoreTests { try FileManager.default.createDirectory(at: tempDir, withIntermediateDirectories: true) let fileURL = tempDir.appendingPathComponent("credentials.json") await ClaudeOAuthCredentialsStore.withCredentialsURLOverrideForTesting(fileURL) { - ClaudeOAuthCredentialsStore.setKeychainAccessOverrideForTesting(true) - defer { ClaudeOAuthCredentialsStore.setKeychainAccessOverrideForTesting(nil) } + await ClaudeOAuthCredentialsStore.withKeychainAccessOverrideForTesting(true) { + ClaudeOAuthCredentialsStore.invalidateCache() + let cacheKey = KeychainCacheStore.Key.oauth(provider: .claude) + defer { KeychainCacheStore.clear(key: cacheKey) } - ClaudeOAuthCredentialsStore.invalidateCache() - let cacheKey = KeychainCacheStore.Key.oauth(provider: .claude) - defer { KeychainCacheStore.clear(key: cacheKey) } + let expiredData = self.makeCredentialsData( + accessToken: "expired-codexbar-owner", + expiresAt: Date(timeIntervalSinceNow: -3600), + refreshToken: "refresh-token") + KeychainCacheStore.store( + key: cacheKey, + entry: ClaudeOAuthCredentialsStore.CacheEntry( + data: expiredData, + storedAt: Date(), + owner: .codexbar)) - let expiredData = self.makeCredentialsData( - accessToken: "expired-codexbar-owner", - expiresAt: Date(timeIntervalSinceNow: -3600), - refreshToken: "refresh-token") - KeychainCacheStore.store( - key: cacheKey, - entry: ClaudeOAuthCredentialsStore.CacheEntry( - data: expiredData, - storedAt: Date(), - owner: .codexbar)) - - await ClaudeOAuthRefreshFailureGate.$shouldAttemptOverride.withValue(false) { - do { - _ = try await ClaudeOAuthCredentialsStore.loadWithAutoRefresh( - environment: [:], - allowKeychainPrompt: false, - respectKeychainPromptCooldown: true) - Issue.record("Expected refresh failure for CodexBar-owned direct refresh path") - } catch let error as ClaudeOAuthCredentialsError { - guard case .refreshFailed = error else { - Issue.record("Expected .refreshFailed, got \(error)") - return + await ClaudeOAuthRefreshFailureGate.$shouldAttemptOverride.withValue(false) { + do { + _ = try await ClaudeOAuthCredentialsStore.loadWithAutoRefresh( + environment: [:], + allowKeychainPrompt: false, + respectKeychainPromptCooldown: true) + Issue.record("Expected refresh failure for CodexBar-owned direct refresh path") + } catch let error as ClaudeOAuthCredentialsError { + guard case .refreshFailed = error else { + Issue.record("Expected .refreshFailed, got \(error)") + return + } + } catch { + Issue.record("Expected ClaudeOAuthCredentialsError, got \(error)") } - } catch { - Issue.record("Expected ClaudeOAuthCredentialsError, got \(error)") } } } @@ -312,29 +317,28 @@ struct ClaudeOAuthCredentialsStoreTests { try FileManager.default.createDirectory(at: tempDir, withIntermediateDirectories: true) let fileURL = tempDir.appendingPathComponent("credentials.json") try ClaudeOAuthCredentialsStore.withCredentialsURLOverrideForTesting(fileURL) { - ClaudeOAuthCredentialsStore.setKeychainAccessOverrideForTesting(true) - defer { ClaudeOAuthCredentialsStore.setKeychainAccessOverrideForTesting(nil) } + try ClaudeOAuthCredentialsStore.withKeychainAccessOverrideForTesting(true) { + ClaudeOAuthCredentialsStore.invalidateCache() + let cacheKey = KeychainCacheStore.Key.oauth(provider: .claude) + defer { KeychainCacheStore.clear(key: cacheKey) } - ClaudeOAuthCredentialsStore.invalidateCache() - let cacheKey = KeychainCacheStore.Key.oauth(provider: .claude) - defer { KeychainCacheStore.clear(key: cacheKey) } - - let validData = self.makeCredentialsData( - accessToken: "legacy-owner", - expiresAt: Date(timeIntervalSinceNow: 3600), - refreshToken: "refresh-token") - KeychainCacheStore.store( - key: cacheKey, - entry: ClaudeOAuthCredentialsStore.CacheEntry( - data: validData, - storedAt: Date())) - - let record = try ClaudeOAuthCredentialsStore.loadRecord( - environment: [:], - allowKeychainPrompt: false, - respectKeychainPromptCooldown: true) - #expect(record.owner == .claudeCLI) - #expect(record.source == .cacheKeychain) + let validData = self.makeCredentialsData( + accessToken: "legacy-owner", + expiresAt: Date(timeIntervalSinceNow: 3600), + refreshToken: "refresh-token") + KeychainCacheStore.store( + key: cacheKey, + entry: ClaudeOAuthCredentialsStore.CacheEntry( + data: validData, + storedAt: Date())) + + let record = try ClaudeOAuthCredentialsStore.loadRecord( + environment: [:], + allowKeychainPrompt: false, + respectKeychainPromptCooldown: true) + #expect(record.owner == .claudeCLI) + #expect(record.source == .cacheKeychain) + } } } @@ -799,24 +803,24 @@ struct ClaudeOAuthCredentialsStoreTests { func syncFromClaudeKeychainWithoutPrompt_respectsBackoffInBackground() { ProviderInteractionContext.$current.withValue(.background) { KeychainAccessGate.withTaskOverrideForTesting(true) { - ClaudeOAuthCredentialsStore.setKeychainAccessOverrideForTesting(true) - defer { ClaudeOAuthCredentialsStore.setKeychainAccessOverrideForTesting(nil) } - - let store = ClaudeOAuthCredentialsStore.ClaudeKeychainOverrideStore( - data: self.makeCredentialsData( - accessToken: "override-token", - expiresAt: Date(timeIntervalSinceNow: 3600)), - fingerprint: ClaudeOAuthCredentialsStore.ClaudeKeychainFingerprint( - modifiedAt: 1, - createdAt: 1, - persistentRefHash: "deadbeefdead")) - - let deniedStore = ClaudeOAuthKeychainAccessGate.DeniedUntilStore() - deniedStore.deniedUntil = Date(timeIntervalSinceNow: 3600) - - ClaudeOAuthKeychainAccessGate.withDeniedUntilStoreOverrideForTesting(deniedStore) { - ClaudeOAuthCredentialsStore.withMutableClaudeKeychainOverrideStoreForTesting(store) { - #expect(ClaudeOAuthCredentialsStore.syncFromClaudeKeychainWithoutPrompt(now: Date()) == false) + ClaudeOAuthCredentialsStore.withKeychainAccessOverrideForTesting(true) { + let store = ClaudeOAuthCredentialsStore.ClaudeKeychainOverrideStore( + data: self.makeCredentialsData( + accessToken: "override-token", + expiresAt: Date(timeIntervalSinceNow: 3600)), + fingerprint: ClaudeOAuthCredentialsStore.ClaudeKeychainFingerprint( + modifiedAt: 1, + createdAt: 1, + persistentRefHash: "deadbeefdead")) + + let deniedStore = ClaudeOAuthKeychainAccessGate.DeniedUntilStore() + deniedStore.deniedUntil = Date(timeIntervalSinceNow: 3600) + + ClaudeOAuthKeychainAccessGate.withDeniedUntilStoreOverrideForTesting(deniedStore) { + ClaudeOAuthCredentialsStore.withMutableClaudeKeychainOverrideStoreForTesting(store) { + #expect(ClaudeOAuthCredentialsStore + .syncFromClaudeKeychainWithoutPrompt(now: Date()) == false) + } } } } diff --git a/Tests/CodexBarTests/ClaudeOAuthDelegatedRefreshRecoveryTests.swift b/Tests/CodexBarTests/ClaudeOAuthDelegatedRefreshRecoveryTests.swift index c05457542..fa25a78e6 100644 --- a/Tests/CodexBarTests/ClaudeOAuthDelegatedRefreshRecoveryTests.swift +++ b/Tests/CodexBarTests/ClaudeOAuthDelegatedRefreshRecoveryTests.swift @@ -74,82 +74,88 @@ struct ClaudeOAuthDelegatedRefreshRecoveryTests { ClaudeOAuthCredentialsStore._resetClaudeKeychainChangeTrackingForTesting() defer { ClaudeOAuthCredentialsStore._resetClaudeKeychainChangeTrackingForTesting() } - try await ClaudeOAuthCredentialsStore.withIsolatedMemoryCacheForTesting { - let tempDir = FileManager.default.temporaryDirectory - .appendingPathComponent(UUID().uuidString, isDirectory: true) - try FileManager.default.createDirectory(at: tempDir, withIntermediateDirectories: true) - let fileURL = tempDir.appendingPathComponent("credentials.json") - let snapshot = try await ClaudeOAuthCredentialsStore.withCredentialsURLOverrideForTesting(fileURL) { - // Seed an expired cache entry owned by Claude CLI, so the initial load delegates refresh. - ClaudeOAuthCredentialsStore.invalidateCache() - let expiredData = self.makeCredentialsData( - accessToken: "expired-token", - expiresAt: Date(timeIntervalSinceNow: -3600)) - let cacheKey = KeychainCacheStore.Key.oauth(provider: .claude) - let cacheEntry = ClaudeOAuthCredentialsStore.CacheEntry( - data: expiredData, - storedAt: Date(), - owner: .claudeCLI) - KeychainCacheStore.store(key: cacheKey, entry: cacheEntry) - defer { KeychainCacheStore.clear(key: cacheKey) } - - // Sanity: setup should be visible to the code under test. - // Otherwise it may attempt interactive reads. - #expect(ClaudeOAuthCredentialsStore.hasCachedCredentials(environment: [:]) == true) - - // Simulate Claude CLI writing fresh credentials into the Claude Code keychain entry. - let freshData = self.makeCredentialsData( - accessToken: "fresh-token", - expiresAt: Date(timeIntervalSinceNow: 3600)) - let fingerprint = ClaudeOAuthCredentialsStore.ClaudeKeychainFingerprint( - modifiedAt: 1, - createdAt: 1, - persistentRefHash: "test") - - let fetcher = ClaudeUsageFetcher( - browserDetection: BrowserDetection(cacheTTL: 0), - environment: [:], - dataSource: .oauth, - oauthKeychainPromptCooldownEnabled: true) - - let fetchOverride: (@Sendable (String) async throws -> OAuthUsageResponse)? = { token in - await tokenCapture.set(token) - return usageResponse - } - let delegatedOverride: (@Sendable ( - Date, - TimeInterval) async -> ClaudeOAuthDelegatedRefreshCoordinator.Outcome)? = { _, _ in - _ = await delegatedCounter.increment() - return .attemptedSucceeded - } + try await ClaudeOAuthCredentialsStore.withIsolatedCredentialsFileTrackingForTesting { + try await ClaudeOAuthCredentialsStore.withIsolatedMemoryCacheForTesting { + let tempDir = FileManager.default.temporaryDirectory + .appendingPathComponent(UUID().uuidString, isDirectory: true) + try FileManager.default.createDirectory(at: tempDir, withIntermediateDirectories: true) + let fileURL = tempDir.appendingPathComponent("credentials.json") + let snapshot = try await ClaudeOAuthCredentialsStore + .withCredentialsURLOverrideForTesting(fileURL) { + // Seed an expired cache entry owned by Claude CLI, so the initial load delegates + // refresh. + ClaudeOAuthCredentialsStore.invalidateCache() + let expiredData = self.makeCredentialsData( + accessToken: "expired-token", + expiresAt: Date(timeIntervalSinceNow: -3600)) + let cacheKey = KeychainCacheStore.Key.oauth(provider: .claude) + let cacheEntry = ClaudeOAuthCredentialsStore.CacheEntry( + data: expiredData, + storedAt: Date(), + owner: .claudeCLI) + KeychainCacheStore.store(key: cacheKey, entry: cacheEntry) + defer { KeychainCacheStore.clear(key: cacheKey) } + + // Sanity: setup should be visible to the code under test. + // Otherwise it may attempt interactive reads. + #expect(ClaudeOAuthCredentialsStore.hasCachedCredentials(environment: [:]) == true) + + // Simulate Claude CLI writing fresh credentials into the Claude Code keychain entry. + let freshData = self.makeCredentialsData( + accessToken: "fresh-token", + expiresAt: Date(timeIntervalSinceNow: 3600)) + let fingerprint = ClaudeOAuthCredentialsStore.ClaudeKeychainFingerprint( + modifiedAt: 1, + createdAt: 1, + persistentRefHash: "test") + + let fetcher = ClaudeUsageFetcher( + browserDetection: BrowserDetection(cacheTTL: 0), + environment: [:], + dataSource: .oauth, + oauthKeychainPromptCooldownEnabled: true) + + let fetchOverride: (@Sendable (String) async throws -> OAuthUsageResponse)? = { token in + await tokenCapture.set(token) + return usageResponse + } + let delegatedOverride: (@Sendable ( + Date, + TimeInterval) async -> ClaudeOAuthDelegatedRefreshCoordinator.Outcome)? = { _, _ in + _ = await delegatedCounter.increment() + return .attemptedSucceeded + } - let snapshot = try await ClaudeOAuthKeychainPromptPreference - .withTaskOverrideForTesting(.onlyOnUserAction) { - try await ProviderInteractionContext.$current.withValue(.userInitiated) { - try await ClaudeOAuthCredentialsStore.withClaudeKeychainOverridesForTesting( - data: freshData, - fingerprint: fingerprint) - { - try await ClaudeUsageFetcher.$fetchOAuthUsageOverride.withValue(fetchOverride) { - try await ClaudeUsageFetcher.$delegatedRefreshAttemptOverride - .withValue(delegatedOverride) { - try await fetcher.loadLatestUsage(model: "sonnet") - } + let snapshot = try await ClaudeOAuthKeychainPromptPreference + .withTaskOverrideForTesting(.onlyOnUserAction) { + try await ProviderInteractionContext.$current.withValue(.userInitiated) { + try await ClaudeOAuthCredentialsStore.withClaudeKeychainOverridesForTesting( + data: freshData, + fingerprint: fingerprint) + { + try await ClaudeUsageFetcher.$fetchOAuthUsageOverride + .withValue(fetchOverride) { + try await ClaudeUsageFetcher.$delegatedRefreshAttemptOverride + .withValue(delegatedOverride) { + try await fetcher.loadLatestUsage(model: "sonnet") + } + } + } } } - } - } - // If Claude keychain already contains fresh credentials, we should recover without needing a - // CLI - // touch. - #expect(await delegatedCounter.current() == 0) - #expect(await tokenCapture.get() == "fresh-token") - #expect(snapshot.primary.usedPercent == 7) - #expect(snapshot.secondary?.usedPercent == 21) - return snapshot + // If Claude keychain already contains fresh credentials, we should recover without + // needing a + // CLI + // touch. + #expect(await delegatedCounter.current() == 0) + #expect(await tokenCapture.get() == "fresh-token") + #expect(snapshot.primary.usedPercent == 7) + #expect(snapshot.secondary?.usedPercent == 21) + return snapshot + } + _ = snapshot } - _ = snapshot } } } @@ -172,90 +178,96 @@ struct ClaudeOAuthDelegatedRefreshRecoveryTests { ClaudeOAuthCredentialsStore._resetClaudeKeychainChangeTrackingForTesting() defer { ClaudeOAuthCredentialsStore._resetClaudeKeychainChangeTrackingForTesting() } - try await ClaudeOAuthCredentialsStore.withIsolatedMemoryCacheForTesting { - let tempDir = FileManager.default.temporaryDirectory - .appendingPathComponent(UUID().uuidString, isDirectory: true) - try FileManager.default.createDirectory(at: tempDir, withIntermediateDirectories: true) - let fileURL = tempDir.appendingPathComponent("credentials.json") - let snapshot = try await ClaudeOAuthCredentialsStore.withCredentialsURLOverrideForTesting(fileURL) { - // Seed an expired cache entry owned by Claude CLI, so the initial load delegates refresh. - ClaudeOAuthCredentialsStore.invalidateCache() - let expiredData = self.makeCredentialsData( - accessToken: "expired-token", - expiresAt: Date(timeIntervalSinceNow: -3600)) - let cacheKey = KeychainCacheStore.Key.oauth(provider: .claude) - let cacheEntry = ClaudeOAuthCredentialsStore.CacheEntry( - data: expiredData, - storedAt: Date(), - owner: .claudeCLI) - KeychainCacheStore.store(key: cacheKey, entry: cacheEntry) - defer { KeychainCacheStore.clear(key: cacheKey) } - - // Ensure we don't silently repair from the Claude keychain before delegation. - // Use an explicit empty-data override so we never consult the real system Keychain during - // tests. - let stubFingerprint = ClaudeOAuthCredentialsStore.ClaudeKeychainFingerprint( - modifiedAt: 1, - createdAt: 1, - persistentRefHash: "test") - let keychainOverrideStore = ClaudeOAuthCredentialsStore.ClaudeKeychainOverrideStore( - data: Data(), - fingerprint: stubFingerprint) - - let freshData = self.makeCredentialsData( - accessToken: "fresh-token", - expiresAt: Date(timeIntervalSinceNow: 3600)) - - let fetcher = ClaudeUsageFetcher( - browserDetection: BrowserDetection(cacheTTL: 0), - environment: [:], - dataSource: .oauth, - oauthKeychainPromptCooldownEnabled: true) - - let fetchOverride: (@Sendable (String) async throws -> OAuthUsageResponse)? = { token in - await tokenCapture.set(token) - return usageResponse - } + try await ClaudeOAuthCredentialsStore.withIsolatedCredentialsFileTrackingForTesting { + try await ClaudeOAuthCredentialsStore.withIsolatedMemoryCacheForTesting { + let tempDir = FileManager.default.temporaryDirectory + .appendingPathComponent(UUID().uuidString, isDirectory: true) + try FileManager.default.createDirectory(at: tempDir, withIntermediateDirectories: true) + let fileURL = tempDir.appendingPathComponent("credentials.json") + let snapshot = try await ClaudeOAuthCredentialsStore + .withCredentialsURLOverrideForTesting(fileURL) { + // Seed an expired cache entry owned by Claude CLI, so the initial load delegates + // refresh. + ClaudeOAuthCredentialsStore.invalidateCache() + let expiredData = self.makeCredentialsData( + accessToken: "expired-token", + expiresAt: Date(timeIntervalSinceNow: -3600)) + let cacheKey = KeychainCacheStore.Key.oauth(provider: .claude) + let cacheEntry = ClaudeOAuthCredentialsStore.CacheEntry( + data: expiredData, + storedAt: Date(), + owner: .claudeCLI) + KeychainCacheStore.store(key: cacheKey, entry: cacheEntry) + defer { KeychainCacheStore.clear(key: cacheKey) } + + // Ensure we don't silently repair from the Claude keychain before delegation. + // Use an explicit empty-data override so we never consult the real system Keychain + // during + // tests. + let stubFingerprint = ClaudeOAuthCredentialsStore.ClaudeKeychainFingerprint( + modifiedAt: 1, + createdAt: 1, + persistentRefHash: "test") + let keychainOverrideStore = ClaudeOAuthCredentialsStore.ClaudeKeychainOverrideStore( + data: Data(), + fingerprint: stubFingerprint) + + let freshData = self.makeCredentialsData( + accessToken: "fresh-token", + expiresAt: Date(timeIntervalSinceNow: 3600)) + + let fetcher = ClaudeUsageFetcher( + browserDetection: BrowserDetection(cacheTTL: 0), + environment: [:], + dataSource: .oauth, + oauthKeychainPromptCooldownEnabled: true) + + let fetchOverride: (@Sendable (String) async throws -> OAuthUsageResponse)? = { token in + await tokenCapture.set(token) + return usageResponse + } - let delegatedOverride: (@Sendable ( - Date, - TimeInterval) async -> ClaudeOAuthDelegatedRefreshCoordinator.Outcome)? = { _, _ in - // Simulate Claude CLI writing fresh credentials after the delegated refresh touch. - keychainOverrideStore.data = freshData - keychainOverrideStore.fingerprint = stubFingerprint - _ = await delegatedCounter.increment() - return .attemptedSucceeded - } + let delegatedOverride: (@Sendable ( + Date, + TimeInterval) async -> ClaudeOAuthDelegatedRefreshCoordinator.Outcome)? = { _, _ in + // Simulate Claude CLI writing fresh credentials after the delegated refresh touch. + keychainOverrideStore.data = freshData + keychainOverrideStore.fingerprint = stubFingerprint + _ = await delegatedCounter.increment() + return .attemptedSucceeded + } - let snapshot = try await ClaudeOAuthKeychainPromptPreference - .withTaskOverrideForTesting(.always) { - try await ProviderInteractionContext.$current.withValue(.userInitiated) { - try await ClaudeOAuthCredentialsStore - .withMutableClaudeKeychainOverrideStoreForTesting( - keychainOverrideStore) - { - try await ClaudeUsageFetcher.$fetchOAuthUsageOverride - .withValue(fetchOverride) { - try await ClaudeUsageFetcher.$delegatedRefreshAttemptOverride - .withValue(delegatedOverride) { - try await fetcher.loadLatestUsage(model: "sonnet") + let snapshot = try await ClaudeOAuthKeychainPromptPreference + .withTaskOverrideForTesting(.always) { + try await ProviderInteractionContext.$current.withValue(.userInitiated) { + try await ClaudeOAuthCredentialsStore + .withMutableClaudeKeychainOverrideStoreForTesting( + keychainOverrideStore) + { + try await ClaudeUsageFetcher.$fetchOAuthUsageOverride + .withValue(fetchOverride) { + try await ClaudeUsageFetcher + .$delegatedRefreshAttemptOverride + .withValue(delegatedOverride) { + try await fetcher.loadLatestUsage(model: "sonnet") + } } } } + } + + #expect(await delegatedCounter.current() == 1) + let capturedToken = await tokenCapture.get() + if capturedToken != "fresh-token" { + Issue.record("Expected fresh-token, got \(capturedToken ?? "nil")") } + #expect(capturedToken == "fresh-token") + #expect(snapshot.primary.usedPercent == 7) + #expect(snapshot.secondary?.usedPercent == 21) + return snapshot } - - #expect(await delegatedCounter.current() == 1) - let capturedToken = await tokenCapture.get() - if capturedToken != "fresh-token" { - Issue.record("Expected fresh-token, got \(capturedToken ?? "nil")") - } - #expect(capturedToken == "fresh-token") - #expect(snapshot.primary.usedPercent == 7) - #expect(snapshot.secondary?.usedPercent == 21) - return snapshot + _ = snapshot } - _ = snapshot } } } @@ -276,82 +288,84 @@ struct ClaudeOAuthDelegatedRefreshRecoveryTests { ClaudeOAuthCredentialsStore._resetClaudeKeychainChangeTrackingForTesting() defer { ClaudeOAuthCredentialsStore._resetClaudeKeychainChangeTrackingForTesting() } - try await ClaudeOAuthCredentialsStore.withIsolatedMemoryCacheForTesting { - let tempDir = FileManager.default.temporaryDirectory - .appendingPathComponent(UUID().uuidString, isDirectory: true) - try FileManager.default.createDirectory(at: tempDir, withIntermediateDirectories: true) - let fileURL = tempDir.appendingPathComponent("credentials.json") - - await ClaudeOAuthCredentialsStore.withCredentialsURLOverrideForTesting(fileURL) { - ClaudeOAuthCredentialsStore.invalidateCache() - let expiredData = self.makeCredentialsData( - accessToken: "expired-token", - expiresAt: Date(timeIntervalSinceNow: -3600)) - let cacheKey = KeychainCacheStore.Key.oauth(provider: .claude) - let cacheEntry = ClaudeOAuthCredentialsStore.CacheEntry( - data: expiredData, - storedAt: Date(), - owner: .claudeCLI) - KeychainCacheStore.store(key: cacheKey, entry: cacheEntry) - defer { KeychainCacheStore.clear(key: cacheKey) } - - // Expired Claude-CLI-owned credentials are still considered cache-present (delegatable). - #expect(ClaudeOAuthCredentialsStore.hasCachedCredentials(environment: [:]) == true) - - let stubFingerprint = ClaudeOAuthCredentialsStore.ClaudeKeychainFingerprint( - modifiedAt: 1, - createdAt: 1, - persistentRefHash: "test") - let keychainOverrideStore = ClaudeOAuthCredentialsStore.ClaudeKeychainOverrideStore( - data: Data(), - fingerprint: stubFingerprint) - let freshData = self.makeCredentialsData( - accessToken: "fresh-token", - expiresAt: Date(timeIntervalSinceNow: 3600)) - - let fetcher = ClaudeUsageFetcher( - browserDetection: BrowserDetection(cacheTTL: 0), - environment: [:], - dataSource: .oauth, - oauthKeychainPromptCooldownEnabled: false, - allowBackgroundDelegatedRefresh: true) - - let delegatedOverride: (@Sendable ( - Date, - TimeInterval) async -> ClaudeOAuthDelegatedRefreshCoordinator.Outcome)? = { _, _ in - keychainOverrideStore.data = freshData - keychainOverrideStore.fingerprint = stubFingerprint - _ = await delegatedCounter.increment() - return .attemptedSucceeded - } + try await ClaudeOAuthCredentialsStore.withIsolatedCredentialsFileTrackingForTesting { + try await ClaudeOAuthCredentialsStore.withIsolatedMemoryCacheForTesting { + let tempDir = FileManager.default.temporaryDirectory + .appendingPathComponent(UUID().uuidString, isDirectory: true) + try FileManager.default.createDirectory(at: tempDir, withIntermediateDirectories: true) + let fileURL = tempDir.appendingPathComponent("credentials.json") + + await ClaudeOAuthCredentialsStore.withCredentialsURLOverrideForTesting(fileURL) { + ClaudeOAuthCredentialsStore.invalidateCache() + let expiredData = self.makeCredentialsData( + accessToken: "expired-token", + expiresAt: Date(timeIntervalSinceNow: -3600)) + let cacheKey = KeychainCacheStore.Key.oauth(provider: .claude) + let cacheEntry = ClaudeOAuthCredentialsStore.CacheEntry( + data: expiredData, + storedAt: Date(), + owner: .claudeCLI) + KeychainCacheStore.store(key: cacheKey, entry: cacheEntry) + defer { KeychainCacheStore.clear(key: cacheKey) } + + // Expired Claude-CLI-owned credentials are still considered cache-present (delegatable). + #expect(ClaudeOAuthCredentialsStore.hasCachedCredentials(environment: [:]) == true) + + let stubFingerprint = ClaudeOAuthCredentialsStore.ClaudeKeychainFingerprint( + modifiedAt: 1, + createdAt: 1, + persistentRefHash: "test") + let keychainOverrideStore = ClaudeOAuthCredentialsStore.ClaudeKeychainOverrideStore( + data: Data(), + fingerprint: stubFingerprint) + let freshData = self.makeCredentialsData( + accessToken: "fresh-token", + expiresAt: Date(timeIntervalSinceNow: 3600)) + + let fetcher = ClaudeUsageFetcher( + browserDetection: BrowserDetection(cacheTTL: 0), + environment: [:], + dataSource: .oauth, + oauthKeychainPromptCooldownEnabled: false, + allowBackgroundDelegatedRefresh: true) + + let delegatedOverride: (@Sendable ( + Date, + TimeInterval) async -> ClaudeOAuthDelegatedRefreshCoordinator.Outcome)? = { _, _ in + keychainOverrideStore.data = freshData + keychainOverrideStore.fingerprint = stubFingerprint + _ = await delegatedCounter.increment() + return .attemptedSucceeded + } - do { - _ = try await ClaudeOAuthKeychainPromptPreference.withTaskOverrideForTesting( - .onlyOnUserAction) - { - try await ProviderInteractionContext.$current.withValue(.background) { - try await ClaudeOAuthCredentialsStore - .withMutableClaudeKeychainOverrideStoreForTesting(keychainOverrideStore) { - try await ClaudeUsageFetcher.$delegatedRefreshAttemptOverride - .withValue(delegatedOverride) { - try await fetcher.loadLatestUsage(model: "sonnet") - } - } + do { + _ = try await ClaudeOAuthKeychainPromptPreference.withTaskOverrideForTesting( + .onlyOnUserAction) + { + try await ProviderInteractionContext.$current.withValue(.background) { + try await ClaudeOAuthCredentialsStore + .withMutableClaudeKeychainOverrideStoreForTesting(keychainOverrideStore) { + try await ClaudeUsageFetcher.$delegatedRefreshAttemptOverride + .withValue(delegatedOverride) { + try await fetcher.loadLatestUsage(model: "sonnet") + } + } + } } + Issue.record( + "Expected OAuth fetch failure: background keychain recovery should stay blocked") + } catch let error as ClaudeUsageError { + guard case let .oauthFailed(message) = error else { + Issue.record("Expected ClaudeUsageError.oauthFailed, got \(error)") + return + } + #expect(message.contains("still unavailable after delegated Claude CLI refresh")) + } catch { + Issue.record("Expected ClaudeUsageError, got \(error)") } - Issue.record( - "Expected OAuth fetch failure: background keychain recovery should stay blocked") - } catch let error as ClaudeUsageError { - guard case let .oauthFailed(message) = error else { - Issue.record("Expected ClaudeUsageError.oauthFailed, got \(error)") - return - } - #expect(message.contains("still unavailable after delegated Claude CLI refresh")) - } catch { - Issue.record("Expected ClaudeUsageError, got \(error)") - } - #expect(await delegatedCounter.current() == 1) + #expect(await delegatedCounter.current() == 1) + } } } } From c1a8fe0f65ae4537bccc09a171aafd6546ea2b11 Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Fri, 13 Feb 2026 02:40:27 +0530 Subject: [PATCH 046/131] Suppress delegated refresh for never keychain policy --- .../Providers/Claude/ClaudeUsageFetcher.swift | 3 ++ Tests/CodexBarTests/ClaudeUsageTests.swift | 51 +++++++++++++++++++ 2 files changed, 54 insertions(+) diff --git a/Sources/CodexBarCore/Providers/Claude/ClaudeUsageFetcher.swift b/Sources/CodexBarCore/Providers/Claude/ClaudeUsageFetcher.swift index 357066184..2ebccd06e 100644 --- a/Sources/CodexBarCore/Providers/Claude/ClaudeUsageFetcher.swift +++ b/Sources/CodexBarCore/Providers/Claude/ClaudeUsageFetcher.swift @@ -116,6 +116,9 @@ public struct ClaudeUsageFetcher: ClaudeUsageFetching, Sendable { policy: ClaudeOAuthKeychainPromptPolicy, allowBackgroundDelegatedRefresh: Bool) throws { + if policy.mode == .never { + throw ClaudeUsageError.oauthFailed("Delegated refresh is disabled by 'never' keychain policy.") + } if policy.mode == .onlyOnUserAction, policy.interaction != .userInitiated, !allowBackgroundDelegatedRefresh diff --git a/Tests/CodexBarTests/ClaudeUsageTests.swift b/Tests/CodexBarTests/ClaudeUsageTests.swift index 7bc6928ec..873095ae2 100644 --- a/Tests/CodexBarTests/ClaudeUsageTests.swift +++ b/Tests/CodexBarTests/ClaudeUsageTests.swift @@ -323,6 +323,57 @@ struct ClaudeUsageTests { #expect(await delegatedCounter.current() == 0) } + @Test + func oauthDelegatedRetry_never_background_suppressesDelegationEvenForCLI() async throws { + let loadCounter = AsyncCounter() + let delegatedCounter = AsyncCounter() + + let fetcher = ClaudeUsageFetcher( + browserDetection: BrowserDetection(cacheTTL: 0), + environment: [:], + dataSource: .oauth, + oauthKeychainPromptCooldownEnabled: true, + allowBackgroundDelegatedRefresh: true) + + let delegatedOverride: (@Sendable ( + Date, + TimeInterval) async -> ClaudeOAuthDelegatedRefreshCoordinator.Outcome)? = { _, _ in + _ = await delegatedCounter.increment() + return .attemptedSucceeded + } + let loadCredsOverride: (@Sendable ( + [String: String], + Bool, + Bool) async throws -> ClaudeOAuthCredentials)? = { _, _, _ in + _ = await loadCounter.increment() + throw ClaudeOAuthCredentialsError.refreshDelegatedToClaudeCLI + } + + do { + _ = try await ClaudeOAuthKeychainPromptPreference.withTaskOverrideForTesting(.never) { + try await ProviderInteractionContext.$current.withValue(.background) { + try await ClaudeUsageFetcher.$delegatedRefreshAttemptOverride.withValue(delegatedOverride) { + try await ClaudeUsageFetcher.$loadOAuthCredentialsOverride.withValue(loadCredsOverride) { + try await fetcher.loadLatestUsage(model: "sonnet") + } + } + } + } + Issue.record("Expected delegated refresh to be suppressed for prompt policy 'never'") + } catch let error as ClaudeUsageError { + guard case let .oauthFailed(message) = error else { + Issue.record("Expected ClaudeUsageError.oauthFailed, got \(error)") + return + } + #expect(message.contains("Delegated refresh is disabled by 'never' keychain policy")) + } catch { + Issue.record("Expected ClaudeUsageError, got \(error)") + } + + #expect(await loadCounter.current() == 1) + #expect(await delegatedCounter.current() == 0) + } + @Test func oauthBootstrap_onlyOnUserAction_background_startup_allowsInteractiveReadWhenNoCache() async throws { final class FlagBox: @unchecked Sendable { From 5f9b46df8fa64ff54b35d0e7d1c774e8784dd00a Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Fri, 13 Feb 2026 12:15:52 +0530 Subject: [PATCH 047/131] Prefer Claude CLI before web in auto fallback --- Sources/CodexBar/UsageStore.swift | 3 ++- .../Claude/ClaudeProviderDescriptor.swift | 10 ++++++--- Tests/CodexBarTests/CLIWebFallbackTests.swift | 22 +++++++++++++++++-- Tests/CodexBarTests/ClaudeOAuthTests.swift | 18 +++++++++++++-- docs/claude.md | 4 ++-- docs/configuration.md | 2 +- docs/providers.md | 6 ++--- 7 files changed, 51 insertions(+), 14 deletions(-) diff --git a/Sources/CodexBar/UsageStore.swift b/Sources/CodexBar/UsageStore.swift index 0167276d7..a763642dd 100644 --- a/Sources/CodexBar/UsageStore.swift +++ b/Sources/CodexBar/UsageStore.swift @@ -1286,10 +1286,11 @@ extension UsageStore { selectedDataSource: claudeUsageDataSource, webExtrasEnabled: claudeWebExtrasEnabled, hasWebSession: hasKey, + hasCLI: hasClaudeBinary, hasOAuthCredentials: hasOAuthCredentials) if claudeUsageDataSource == .auto { - lines.append("pipeline_order=oauth→web→cli") + lines.append("pipeline_order=oauth→cli→web") lines.append("auto_heuristic=\(strategy.dataSource.rawValue)") } else { lines.append("strategy=\(strategy.dataSource.rawValue)") diff --git a/Sources/CodexBarCore/Providers/Claude/ClaudeProviderDescriptor.swift b/Sources/CodexBarCore/Providers/Claude/ClaudeProviderDescriptor.swift index 83b306a3f..6ce68bd99 100644 --- a/Sources/CodexBarCore/Providers/Claude/ClaudeProviderDescriptor.swift +++ b/Sources/CodexBarCore/Providers/Claude/ClaudeProviderDescriptor.swift @@ -84,11 +84,11 @@ public enum ClaudeProviderDescriptor { case .auto: return [ ClaudeOAuthFetchStrategy(), - ClaudeWebFetchStrategy(browserDetection: context.browserDetection), ClaudeCLIFetchStrategy( useWebExtras: webExtrasEnabled, manualCookieHeader: manualCookieHeader, browserDetection: context.browserDetection), + ClaudeWebFetchStrategy(browserDetection: context.browserDetection), ] } } @@ -102,12 +102,16 @@ public enum ClaudeProviderDescriptor { selectedDataSource: ClaudeUsageDataSource, webExtrasEnabled: Bool, hasWebSession: Bool, + hasCLI: Bool, hasOAuthCredentials: Bool) -> ClaudeUsageStrategy { if selectedDataSource == .auto { if hasOAuthCredentials { return ClaudeUsageStrategy(dataSource: .oauth, useWebExtras: false) } + if hasCLI { + return ClaudeUsageStrategy(dataSource: .cli, useWebExtras: false) + } if hasWebSession { return ClaudeUsageStrategy(dataSource: .web, useWebExtras: false) } @@ -232,7 +236,7 @@ struct ClaudeOAuthFetchStrategy: ProviderFetchStrategy { } func shouldFallback(on _: Error, context: ProviderFetchContext) -> Bool { - // In Auto mode, fall back to the next strategy (web/cli) if OAuth fails (e.g. user cancels keychain prompt + // In Auto mode, fall back to the next strategy (cli/web) if OAuth fails (e.g. user cancels keychain prompt // or auth breaks). context.runtime == .app && context.sourceMode == .auto } @@ -316,6 +320,6 @@ struct ClaudeCLIFetchStrategy: ProviderFetchStrategy { } func shouldFallback(on _: Error, context: ProviderFetchContext) -> Bool { - false + context.runtime == .app && context.sourceMode == .auto } } diff --git a/Tests/CodexBarTests/CLIWebFallbackTests.swift b/Tests/CodexBarTests/CLIWebFallbackTests.swift index 6421f4a03..7b435d436 100644 --- a/Tests/CodexBarTests/CLIWebFallbackTests.swift +++ b/Tests/CodexBarTests/CLIWebFallbackTests.swift @@ -4,10 +4,13 @@ import Testing @Suite struct CLIWebFallbackTests { - private func makeContext(sourceMode: ProviderSourceMode = .auto) -> ProviderFetchContext { + private func makeContext( + runtime: ProviderRuntime = .cli, + sourceMode: ProviderSourceMode = .auto) -> ProviderFetchContext + { let browserDetection = BrowserDetection(cacheTTL: 0) return ProviderFetchContext( - runtime: .cli, + runtime: runtime, sourceMode: sourceMode, includeCredits: true, webTimeout: 60, @@ -57,4 +60,19 @@ struct CLIWebFallbackTests { #expect(strategy.shouldFallback(on: ClaudeWebAPIFetcher.FetchError.noSessionKeyFound, context: context)) #expect(strategy.shouldFallback(on: ClaudeWebAPIFetcher.FetchError.unauthorized, context: context)) } + + @Test + func claudeCLIFallbackIsEnabledOnlyForAppAuto() { + let strategy = ClaudeCLIFetchStrategy( + useWebExtras: false, + manualCookieHeader: nil, + browserDetection: BrowserDetection(cacheTTL: 0)) + let error = ClaudeUsageError.parseFailed("cli failed") + + #expect(strategy.shouldFallback(on: error, context: self.makeContext(runtime: .app, sourceMode: .auto))) + #expect(!strategy.shouldFallback(on: error, context: self.makeContext(runtime: .app, sourceMode: .cli))) + #expect(!strategy.shouldFallback(on: error, context: self.makeContext(runtime: .app, sourceMode: .web))) + #expect(!strategy.shouldFallback(on: error, context: self.makeContext(runtime: .app, sourceMode: .oauth))) + #expect(!strategy.shouldFallback(on: error, context: self.makeContext(runtime: .cli, sourceMode: .auto))) + } } diff --git a/Tests/CodexBarTests/ClaudeOAuthTests.swift b/Tests/CodexBarTests/ClaudeOAuthTests.swift index 2a7660bf5..478dcc6ef 100644 --- a/Tests/CodexBarTests/ClaudeOAuthTests.swift +++ b/Tests/CodexBarTests/ClaudeOAuthTests.swift @@ -244,26 +244,40 @@ struct ClaudeOAuthTests { selectedDataSource: .auto, webExtrasEnabled: false, hasWebSession: true, + hasCLI: true, hasOAuthCredentials: true) #expect(strategy.dataSource == .oauth) } @Test - func fallsBackToWebWhenOAuthMissing() { + func fallsBackToCLIWhenOAuthMissingAndCLIAvailable() { let strategy = ClaudeProviderDescriptor.resolveUsageStrategy( selectedDataSource: .auto, webExtrasEnabled: false, hasWebSession: true, + hasCLI: true, + hasOAuthCredentials: false) + #expect(strategy.dataSource == .cli) + } + + @Test + func fallsBackToWebWhenOAuthMissingAndCLIMissing() { + let strategy = ClaudeProviderDescriptor.resolveUsageStrategy( + selectedDataSource: .auto, + webExtrasEnabled: false, + hasWebSession: true, + hasCLI: false, hasOAuthCredentials: false) #expect(strategy.dataSource == .web) } @Test - func fallsBackToCLIWhenNoOAuthOrWeb() { + func fallsBackToCLIWhenOAuthMissingAndWebMissing() { let strategy = ClaudeProviderDescriptor.resolveUsageStrategy( selectedDataSource: .auto, webExtrasEnabled: false, hasWebSession: false, + hasCLI: true, hasOAuthCredentials: false) #expect(strategy.dataSource == .cli) } diff --git a/docs/claude.md b/docs/claude.md index 564672dda..7c1a6ea98 100644 --- a/docs/claude.md +++ b/docs/claude.md @@ -15,8 +15,8 @@ Claude supports three usage data paths plus local cost usage. Source selection i ### Default selection (debug menu disabled) 1) OAuth API (if Claude CLI credentials include `user:profile` scope). -2) Web API (browser cookies, `sessionKey`), if OAuth missing. -3) CLI PTY (`claude`), if no OAuth and no web session. +2) CLI PTY (`claude`), if OAuth is unavailable or fails. +3) Web API (browser cookies, `sessionKey`), if OAuth + CLI are unavailable or fail. Usage source picker: - Preferences → Providers → Claude → Usage source (Auto/OAuth/Web/CLI). diff --git a/docs/configuration.md b/docs/configuration.md index 020293718..467207988 100644 --- a/docs/configuration.md +++ b/docs/configuration.md @@ -43,7 +43,7 @@ All provider fields are optional unless noted. - `enabled`: enable/disable provider (defaults to provider default). - `source`: preferred source mode. - `auto|web|cli|oauth|api` - - `auto` uses web where possible, with CLI fallback. + - `auto` uses provider-specific fallback order (see `docs/providers.md`). - `api` uses provider API key flow (when supported). - `apiKey`: raw API token for providers that support direct API usage. - `cookieSource`: cookie selection policy. diff --git a/docs/providers.md b/docs/providers.md index ee9fa2f5c..1ff383f7a 100644 --- a/docs/providers.md +++ b/docs/providers.md @@ -19,7 +19,7 @@ until the session is invalid, to avoid repeated Keychain prompts. | Provider | Strategies (ordered for auto) | | --- | --- | | Codex | Web dashboard (`openai-web`) → CLI RPC/PTy (`codex-cli`); app uses CLI usage + optional dashboard scrape. | -| Claude | OAuth API (`oauth`) → Web API (`web`) → CLI PTY (`claude`). | +| Claude | OAuth API (`oauth`) → CLI PTY (`claude`) → Web API (`web`). | | Gemini | OAuth API via Gemini CLI credentials (`api`). | | Antigravity | Local LSP/HTTP probe (`local`). | | Cursor | Web API via cookies → stored WebKit session (`web`). | @@ -46,8 +46,8 @@ until the session is invalid, to avoid repeated Keychain prompts. ## Claude - OAuth API (preferred when CLI credentials exist). -- Web API (browser cookies) fallback when OAuth missing. -- CLI PTY fallback when OAuth + web are unavailable. +- CLI PTY fallback when OAuth is unavailable or fails (app Auto mode). +- Web API (browser cookies) fallback when OAuth + CLI are unavailable or fail (app Auto mode). - Local cost usage: scans `~/.config/claude/projects/**/*.jsonl` (last 30 days). - Status: Statuspage.io (Anthropic). - Details: `docs/claude.md`. From cd1c231cc6264b89717fd7b23adc1d711d1598bc Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Fri, 13 Feb 2026 12:27:01 +0530 Subject: [PATCH 048/131] Preserve Claude auto fallback error surfacing --- .../Claude/ClaudeProviderDescriptor.swift | 27 +++++++++++----- Tests/CodexBarTests/CLIWebFallbackTests.swift | 31 +++++++++++++++++-- 2 files changed, 48 insertions(+), 10 deletions(-) diff --git a/Sources/CodexBarCore/Providers/Claude/ClaudeProviderDescriptor.swift b/Sources/CodexBarCore/Providers/Claude/ClaudeProviderDescriptor.swift index 6ce68bd99..aeb852b21 100644 --- a/Sources/CodexBarCore/Providers/Claude/ClaudeProviderDescriptor.swift +++ b/Sources/CodexBarCore/Providers/Claude/ClaudeProviderDescriptor.swift @@ -263,11 +263,7 @@ struct ClaudeWebFetchStrategy: ProviderFetchStrategy { let browserDetection: BrowserDetection func isAvailable(_ context: ProviderFetchContext) async -> Bool { - if let header = Self.manualCookieHeader(from: context) { - return ClaudeWebAPIFetcher.hasSessionKey(cookieHeader: header) - } - guard context.settings?.claude?.cookieSource != .off else { return false } - return ClaudeWebAPIFetcher.hasSessionKey(browserDetection: self.browserDetection) + Self.isAvailableForFallback(context: context, browserDetection: self.browserDetection) } func fetch(_ context: ProviderFetchContext) async throws -> ProviderFetchResult { @@ -285,7 +281,20 @@ struct ClaudeWebFetchStrategy: ProviderFetchStrategy { func shouldFallback(on error: Error, context: ProviderFetchContext) -> Bool { guard context.sourceMode == .auto else { return false } _ = error - return true + // In CLI runtime auto mode, web comes before CLI so fallback is required. + // In app runtime auto mode, web is terminal and should surface its concrete error. + return context.runtime == .cli + } + + fileprivate static func isAvailableForFallback( + context: ProviderFetchContext, + browserDetection: BrowserDetection) -> Bool + { + if let header = self.manualCookieHeader(from: context) { + return ClaudeWebAPIFetcher.hasSessionKey(cookieHeader: header) + } + guard context.settings?.claude?.cookieSource != .off else { return false } + return ClaudeWebAPIFetcher.hasSessionKey(browserDetection: browserDetection) } private static func manualCookieHeader(from context: ProviderFetchContext) -> String? { @@ -320,6 +329,10 @@ struct ClaudeCLIFetchStrategy: ProviderFetchStrategy { } func shouldFallback(on _: Error, context: ProviderFetchContext) -> Bool { - context.runtime == .app && context.sourceMode == .auto + guard context.runtime == .app, context.sourceMode == .auto else { return false } + // Only fall through when web is actually available; otherwise preserve actionable CLI errors. + return ClaudeWebFetchStrategy.isAvailableForFallback( + context: context, + browserDetection: self.browserDetection) } } diff --git a/Tests/CodexBarTests/CLIWebFallbackTests.swift b/Tests/CodexBarTests/CLIWebFallbackTests.swift index 7b435d436..8ebc1cbb1 100644 --- a/Tests/CodexBarTests/CLIWebFallbackTests.swift +++ b/Tests/CodexBarTests/CLIWebFallbackTests.swift @@ -6,7 +6,8 @@ import Testing struct CLIWebFallbackTests { private func makeContext( runtime: ProviderRuntime = .cli, - sourceMode: ProviderSourceMode = .auto) -> ProviderFetchContext + sourceMode: ProviderSourceMode = .auto, + settings: ProviderSettingsSnapshot? = nil) -> ProviderFetchContext { let browserDetection = BrowserDetection(cacheTTL: 0) return ProviderFetchContext( @@ -17,12 +18,21 @@ struct CLIWebFallbackTests { webDebugDumpHTML: false, verbose: false, env: [:], - settings: nil, + settings: settings, fetcher: UsageFetcher(), claudeFetcher: ClaudeUsageFetcher(browserDetection: browserDetection), browserDetection: browserDetection) } + private func makeClaudeSettingsSnapshot(cookieHeader: String?) -> ProviderSettingsSnapshot { + ProviderSettingsSnapshot.make( + claude: .init( + usageDataSource: .auto, + webExtrasEnabled: false, + cookieSource: .manual, + manualCookieHeader: cookieHeader)) + } + @Test func codexFallsBackWhenCookiesMissing() { let context = self.makeContext() @@ -68,11 +78,26 @@ struct CLIWebFallbackTests { manualCookieHeader: nil, browserDetection: BrowserDetection(cacheTTL: 0)) let error = ClaudeUsageError.parseFailed("cli failed") + let webAvailableSettings = self.makeClaudeSettingsSnapshot(cookieHeader: "sessionKey=sk-ant-test") + let webUnavailableSettings = self.makeClaudeSettingsSnapshot(cookieHeader: "foo=bar") - #expect(strategy.shouldFallback(on: error, context: self.makeContext(runtime: .app, sourceMode: .auto))) + #expect(strategy.shouldFallback( + on: error, + context: self.makeContext(runtime: .app, sourceMode: .auto, settings: webAvailableSettings))) + #expect(!strategy.shouldFallback( + on: error, + context: self.makeContext(runtime: .app, sourceMode: .auto, settings: webUnavailableSettings))) #expect(!strategy.shouldFallback(on: error, context: self.makeContext(runtime: .app, sourceMode: .cli))) #expect(!strategy.shouldFallback(on: error, context: self.makeContext(runtime: .app, sourceMode: .web))) #expect(!strategy.shouldFallback(on: error, context: self.makeContext(runtime: .app, sourceMode: .oauth))) #expect(!strategy.shouldFallback(on: error, context: self.makeContext(runtime: .cli, sourceMode: .auto))) } + + @Test + func claudeWebFallbackIsDisabledForAppAuto() { + let strategy = ClaudeWebFetchStrategy(browserDetection: BrowserDetection(cacheTTL: 0)) + let error = ClaudeWebAPIFetcher.FetchError.unauthorized + #expect(strategy.shouldFallback(on: error, context: self.makeContext(runtime: .cli, sourceMode: .auto))) + #expect(!strategy.shouldFallback(on: error, context: self.makeContext(runtime: .app, sourceMode: .auto))) + } } From b15acdf2f97dfb0120f25b162c155bbb1585e1e3 Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Fri, 13 Feb 2026 12:37:21 +0530 Subject: [PATCH 049/131] Clarify Claude auto order by runtime in docs --- docs/providers.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/docs/providers.md b/docs/providers.md index 1ff383f7a..dd21169bf 100644 --- a/docs/providers.md +++ b/docs/providers.md @@ -19,7 +19,7 @@ until the session is invalid, to avoid repeated Keychain prompts. | Provider | Strategies (ordered for auto) | | --- | --- | | Codex | Web dashboard (`openai-web`) → CLI RPC/PTy (`codex-cli`); app uses CLI usage + optional dashboard scrape. | -| Claude | OAuth API (`oauth`) → CLI PTY (`claude`) → Web API (`web`). | +| Claude | App Auto: OAuth API (`oauth`) → CLI PTY (`claude`) → Web API (`web`). CLI Auto: Web API (`web`) → CLI PTY (`claude`). | | Gemini | OAuth API via Gemini CLI credentials (`api`). | | Antigravity | Local LSP/HTTP probe (`local`). | | Cursor | Web API via cookies → stored WebKit session (`web`). | @@ -45,9 +45,8 @@ until the session is invalid, to avoid repeated Keychain prompts. - Details: `docs/codex.md`. ## Claude -- OAuth API (preferred when CLI credentials exist). -- CLI PTY fallback when OAuth is unavailable or fails (app Auto mode). -- Web API (browser cookies) fallback when OAuth + CLI are unavailable or fail (app Auto mode). +- App Auto: OAuth API (`oauth`) → CLI PTY (`claude`) → Web API (`web`). +- CLI Auto: Web API (`web`) → CLI PTY (`claude`). - Local cost usage: scans `~/.config/claude/projects/**/*.jsonl` (last 30 days). - Status: Statuspage.io (Anthropic). - Details: `docs/claude.md`. From acc3d4adda332c239a8600ca913a9d44f934de93 Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Fri, 13 Feb 2026 12:54:37 +0530 Subject: [PATCH 050/131] Harden idle-timeout PTY test against CI stalls --- .../CodexBarTests/TTYCommandRunnerTests.swift | 30 +++++++++++-------- 1 file changed, 17 insertions(+), 13 deletions(-) diff --git a/Tests/CodexBarTests/TTYCommandRunnerTests.swift b/Tests/CodexBarTests/TTYCommandRunnerTests.swift index 4c0257067..7d18f52eb 100644 --- a/Tests/CodexBarTests/TTYCommandRunnerTests.swift +++ b/Tests/CodexBarTests/TTYCommandRunnerTests.swift @@ -112,24 +112,28 @@ struct TTYCommandRunnerEnvTests { let script = """ #!/bin/sh echo "hello" - sleep 10 + sleep 30 """ try script.write(to: scriptURL, atomically: true, encoding: .utf8) try fm.setAttributes([.posixPermissions: 0o755], ofItemAtPath: scriptURL.path) let runner = TTYCommandRunner() - let timeout: TimeInterval = 12 - let scriptedSleep: TimeInterval = 10 - let startedAt = Date() - let result = try runner.run( - binary: scriptURL.path, - send: "", - options: .init(timeout: timeout, idleTimeout: 0.2)) - let elapsed = Date().timeIntervalSince(startedAt) - - #expect(result.text.contains("hello")) - // CI runners can delay PTY scheduling/reads; assert we stop well before script completion. - #expect(elapsed < (scriptedSleep - 1.0)) + let timeout: TimeInterval = 6 + var fastestElapsed = TimeInterval.greatestFiniteMagnitude + // CI can occasionally pause a test process long enough to miss an idle window. + // Retry once and assert that at least one run exits well before timeout. + for _ in 0..<2 { + let startedAt = Date() + let result = try runner.run( + binary: scriptURL.path, + send: "", + options: .init(timeout: timeout, idleTimeout: 0.2)) + let elapsed = Date().timeIntervalSince(startedAt) + + #expect(result.text.contains("hello")) + fastestElapsed = min(fastestElapsed, elapsed) + } + #expect(fastestElapsed < (timeout - 1.0)) } @Test From fb141df2b104d6e1534e08a0241ff66b6d209aa3 Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Fri, 13 Feb 2026 12:58:36 +0530 Subject: [PATCH 051/131] Expose Claude keychain prompt policy in Preferences --- CHANGELOG.md | 2 + .../PreferencesProviderSettingsRows.swift | 2 + .../Claude/ClaudeProviderImplementation.swift | 35 +++++++++++++ .../Shared/ProviderSettingsDescriptors.swift | 3 ++ Sources/CodexBar/SettingsStore+Defaults.swift | 11 ++++ Sources/CodexBar/SettingsStore.swift | 2 + Sources/CodexBar/SettingsStoreState.swift | 1 + .../PreferencesPaneSmokeTests.swift | 1 + .../ProviderSettingsDescriptorTests.swift | 51 +++++++++++++++++++ .../SettingsStoreCoverageTests.swift | 35 +++++++++++++ docs/claude.md | 10 ++++ docs/ui.md | 4 ++ 12 files changed, 157 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 68a4e7ea6..c88697ec1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -17,6 +17,8 @@ - Claude OAuth-only mode stays strict: OAuth failures do not silently fall back to Web/CLI. - Keychain prompting is hardened (cooldowns after explicit denial/cancel/no-access + pre-alert only when interaction is likely) to reduce repeated prompts during refresh. - CodexBar syncs its cached OAuth token when the Claude Code Keychain entry changes, so updated auth is picked up without requiring a restart. +- Preferences now expose Claude’s Keychain prompt policy (Never / Only on user action / Always allow prompts) in + Providers → Claude; when global Keychain access is disabled in Advanced, the policy remains visible but inactive. ### Provider & Usage Fixes - Warp: add Warp provider support (credits + add-on credits), configurable via Settings or `WARP_API_KEY`/`WARP_TOKEN` (#352). Thanks @Kathie-yu! diff --git a/Sources/CodexBar/PreferencesProviderSettingsRows.swift b/Sources/CodexBar/PreferencesProviderSettingsRows.swift index 5d7abde9a..414f41c55 100644 --- a/Sources/CodexBar/PreferencesProviderSettingsRows.swift +++ b/Sources/CodexBar/PreferencesProviderSettingsRows.swift @@ -98,6 +98,7 @@ struct ProviderSettingsPickerRowView: View { let picker: ProviderSettingsPickerDescriptor var body: some View { + let isEnabled = self.picker.isEnabled?() ?? true VStack(alignment: .leading, spacing: 6) { HStack(alignment: .firstTextBaseline, spacing: 10) { Text(self.picker.title) @@ -133,6 +134,7 @@ struct ProviderSettingsPickerRowView: View { .fixedSize(horizontal: false, vertical: true) } } + .disabled(!isEnabled) .onChange(of: self.picker.binding.wrappedValue) { _, selection in guard let onChange = self.picker.onChange else { return } Task { @MainActor in diff --git a/Sources/CodexBar/Providers/Claude/ClaudeProviderImplementation.swift b/Sources/CodexBar/Providers/Claude/ClaudeProviderImplementation.swift index 08147f3cc..956bd8f08 100644 --- a/Sources/CodexBar/Providers/Claude/ClaudeProviderImplementation.swift +++ b/Sources/CodexBar/Providers/Claude/ClaudeProviderImplementation.swift @@ -23,6 +23,7 @@ struct ClaudeProviderImplementation: ProviderImplementation { _ = settings.claudeUsageDataSource _ = settings.claudeCookieSource _ = settings.claudeCookieHeader + _ = settings.claudeOAuthKeychainPromptMode _ = settings.claudeWebExtrasEnabled } @@ -72,6 +73,12 @@ struct ClaudeProviderImplementation: ProviderImplementation { set: { raw in context.settings.claudeCookieSource = ProviderCookieSource(rawValue: raw) ?? .auto }) + let keychainPromptPolicyBinding = Binding( + get: { context.settings.claudeOAuthKeychainPromptMode.rawValue }, + set: { raw in + context.settings.claudeOAuthKeychainPromptMode = ClaudeOAuthKeychainPromptMode(rawValue: raw) + ?? .onlyOnUserAction + }) let usageOptions = ClaudeUsageDataSource.allCases.map { ProviderSettingsPickerOption(id: $0.rawValue, title: $0.displayName) @@ -79,6 +86,17 @@ struct ClaudeProviderImplementation: ProviderImplementation { let cookieOptions = ProviderCookieSourceUI.options( allowsOff: false, keychainDisabled: context.settings.debugDisableKeychainAccess) + let keychainPromptPolicyOptions: [ProviderSettingsPickerOption] = [ + ProviderSettingsPickerOption( + id: ClaudeOAuthKeychainPromptMode.never.rawValue, + title: "Never prompt"), + ProviderSettingsPickerOption( + id: ClaudeOAuthKeychainPromptMode.onlyOnUserAction.rawValue, + title: "Only on user action"), + ProviderSettingsPickerOption( + id: ClaudeOAuthKeychainPromptMode.always.rawValue, + title: "Always allow prompts"), + ] let cookieSubtitle: () -> String? = { ProviderCookieSourceUI.subtitle( @@ -88,6 +106,13 @@ struct ClaudeProviderImplementation: ProviderImplementation { manual: "Paste a Cookie header from a claude.ai request.", off: "Claude cookies are disabled.") } + let keychainPromptPolicySubtitle: () -> String? = { + if context.settings.debugDisableKeychainAccess { + return "Global Keychain access is disabled in Advanced, so this setting is currently inactive." + } + return "Controls Claude OAuth Keychain prompts. Choosing \"Never prompt\" can make OAuth unavailable; " + + "use Web/CLI when needed." + } return [ ProviderSettingsPickerDescriptor( @@ -103,6 +128,16 @@ struct ClaudeProviderImplementation: ProviderImplementation { let label = context.store.sourceLabel(for: .claude) return label == "auto" ? nil : label }), + ProviderSettingsPickerDescriptor( + id: "claude-keychain-prompt-policy", + title: "Keychain prompt policy", + subtitle: "Controls whether Claude OAuth may trigger macOS Keychain prompts.", + dynamicSubtitle: keychainPromptPolicySubtitle, + binding: keychainPromptPolicyBinding, + options: keychainPromptPolicyOptions, + isVisible: nil, + isEnabled: { !context.settings.debugDisableKeychainAccess }, + onChange: nil), ProviderSettingsPickerDescriptor( id: "claude-cookie-source", title: "Claude cookies", diff --git a/Sources/CodexBar/Providers/Shared/ProviderSettingsDescriptors.swift b/Sources/CodexBar/Providers/Shared/ProviderSettingsDescriptors.swift index c624a671e..d5a85b8f7 100644 --- a/Sources/CodexBar/Providers/Shared/ProviderSettingsDescriptors.swift +++ b/Sources/CodexBar/Providers/Shared/ProviderSettingsDescriptors.swift @@ -112,6 +112,7 @@ struct ProviderSettingsPickerDescriptor: Identifiable { let binding: Binding let options: [ProviderSettingsPickerOption] let isVisible: (() -> Bool)? + let isEnabled: (() -> Bool)? let onChange: ((_ selection: String) async -> Void)? let trailingText: (() -> String?)? @@ -123,6 +124,7 @@ struct ProviderSettingsPickerDescriptor: Identifiable { binding: Binding, options: [ProviderSettingsPickerOption], isVisible: (() -> Bool)?, + isEnabled: (() -> Bool)? = nil, onChange: ((_ selection: String) async -> Void)?, trailingText: (() -> String?)? = nil) { @@ -133,6 +135,7 @@ struct ProviderSettingsPickerDescriptor: Identifiable { self.binding = binding self.options = options self.isVisible = isVisible + self.isEnabled = isEnabled self.onChange = onChange self.trailingText = trailingText } diff --git a/Sources/CodexBar/SettingsStore+Defaults.swift b/Sources/CodexBar/SettingsStore+Defaults.swift index 0e06b99fc..27da90c7b 100644 --- a/Sources/CodexBar/SettingsStore+Defaults.swift +++ b/Sources/CodexBar/SettingsStore+Defaults.swift @@ -188,6 +188,17 @@ extension SettingsStore { } } + var claudeOAuthKeychainPromptMode: ClaudeOAuthKeychainPromptMode { + get { + let raw = self.defaultsState.claudeOAuthKeychainPromptModeRaw + return ClaudeOAuthKeychainPromptMode(rawValue: raw ?? "") ?? .onlyOnUserAction + } + set { + self.defaultsState.claudeOAuthKeychainPromptModeRaw = newValue.rawValue + self.userDefaults.set(newValue.rawValue, forKey: "claudeOAuthKeychainPromptMode") + } + } + var claudeWebExtrasEnabled: Bool { get { self.claudeWebExtrasEnabledRaw } set { self.claudeWebExtrasEnabledRaw = newValue } diff --git a/Sources/CodexBar/SettingsStore.swift b/Sources/CodexBar/SettingsStore.swift index e140de0ac..ecf6bbd6c 100644 --- a/Sources/CodexBar/SettingsStore.swift +++ b/Sources/CodexBar/SettingsStore.swift @@ -203,6 +203,7 @@ extension SettingsStore { let hidePersonalInfo = userDefaults.object(forKey: "hidePersonalInfo") as? Bool ?? false let randomBlinkEnabled = userDefaults.object(forKey: "randomBlinkEnabled") as? Bool ?? false let menuBarShowsHighestUsage = userDefaults.object(forKey: "menuBarShowsHighestUsage") as? Bool ?? false + let claudeOAuthKeychainPromptModeRaw = userDefaults.string(forKey: "claudeOAuthKeychainPromptMode") let claudeWebExtrasEnabledRaw = userDefaults.object(forKey: "claudeWebExtrasEnabled") as? Bool ?? false let creditsExtrasDefault = userDefaults.object(forKey: "showOptionalCreditsAndExtraUsage") as? Bool let showOptionalCreditsAndExtraUsage = creditsExtrasDefault ?? true @@ -237,6 +238,7 @@ extension SettingsStore { hidePersonalInfo: hidePersonalInfo, randomBlinkEnabled: randomBlinkEnabled, menuBarShowsHighestUsage: menuBarShowsHighestUsage, + claudeOAuthKeychainPromptModeRaw: claudeOAuthKeychainPromptModeRaw, claudeWebExtrasEnabledRaw: claudeWebExtrasEnabledRaw, showOptionalCreditsAndExtraUsage: showOptionalCreditsAndExtraUsage, openAIWebAccessEnabled: openAIWebAccessEnabled, diff --git a/Sources/CodexBar/SettingsStoreState.swift b/Sources/CodexBar/SettingsStoreState.swift index 9d8e833ba..e82109f34 100644 --- a/Sources/CodexBar/SettingsStoreState.swift +++ b/Sources/CodexBar/SettingsStoreState.swift @@ -21,6 +21,7 @@ struct SettingsDefaultsState: Sendable { var hidePersonalInfo: Bool var randomBlinkEnabled: Bool var menuBarShowsHighestUsage: Bool + var claudeOAuthKeychainPromptModeRaw: String? var claudeWebExtrasEnabledRaw: Bool var showOptionalCreditsAndExtraUsage: Bool var openAIWebAccessEnabled: Bool diff --git a/Tests/CodexBarTests/PreferencesPaneSmokeTests.swift b/Tests/CodexBarTests/PreferencesPaneSmokeTests.swift index ff20e3952..cedeeca59 100644 --- a/Tests/CodexBarTests/PreferencesPaneSmokeTests.swift +++ b/Tests/CodexBarTests/PreferencesPaneSmokeTests.swift @@ -30,6 +30,7 @@ struct PreferencesPaneSmokeTests { settings.hidePersonalInfo = true settings.resetTimesShowAbsolute = true settings.debugDisableKeychainAccess = true + settings.claudeOAuthKeychainPromptMode = .always settings.refreshFrequency = .manual let store = Self.makeUsageStore(settings: settings) diff --git a/Tests/CodexBarTests/ProviderSettingsDescriptorTests.swift b/Tests/CodexBarTests/ProviderSettingsDescriptorTests.swift index 9e05c7462..c63fd3d0f 100644 --- a/Tests/CodexBarTests/ProviderSettingsDescriptorTests.swift +++ b/Tests/CodexBarTests/ProviderSettingsDescriptorTests.swift @@ -134,6 +134,7 @@ struct ProviderSettingsDescriptorTests { configStore: configStore, zaiTokenStore: NoopZaiTokenStore(), syntheticTokenStore: NoopSyntheticTokenStore()) + settings.debugDisableKeychainAccess = false let store = UsageStore( fetcher: UsageFetcher(environment: [:]), browserDetection: BrowserDetection(cacheTTL: 0), @@ -161,6 +162,56 @@ struct ProviderSettingsDescriptorTests { let pickers = ClaudeProviderImplementation().settingsPickers(context: context) #expect(pickers.contains(where: { $0.id == "claude-usage-source" })) #expect(pickers.contains(where: { $0.id == "claude-cookie-source" })) + let keychainPicker = try #require(pickers.first(where: { $0.id == "claude-keychain-prompt-policy" })) + let optionIDs = Set(keychainPicker.options.map(\.id)) + #expect(optionIDs.contains(ClaudeOAuthKeychainPromptMode.never.rawValue)) + #expect(optionIDs.contains(ClaudeOAuthKeychainPromptMode.onlyOnUserAction.rawValue)) + #expect(optionIDs.contains(ClaudeOAuthKeychainPromptMode.always.rawValue)) + #expect(keychainPicker.isEnabled?() ?? true) + } + + @Test + func claudeKeychainPromptPolicyPickerDisabledWhenGlobalKeychainDisabled() throws { + let suite = "ProviderSettingsDescriptorTests-claude-keychain-disabled" + let defaults = try #require(UserDefaults(suiteName: suite)) + defaults.removePersistentDomain(forName: suite) + let configStore = testConfigStore(suiteName: suite) + let settings = SettingsStore( + userDefaults: defaults, + configStore: configStore, + zaiTokenStore: NoopZaiTokenStore(), + syntheticTokenStore: NoopSyntheticTokenStore()) + settings.debugDisableKeychainAccess = true + let store = UsageStore( + fetcher: UsageFetcher(environment: [:]), + browserDetection: BrowserDetection(cacheTTL: 0), + settings: settings) + + let context = ProviderSettingsContext( + provider: .claude, + settings: settings, + store: store, + boolBinding: { keyPath in + Binding( + get: { settings[keyPath: keyPath] }, + set: { settings[keyPath: keyPath] = $0 }) + }, + stringBinding: { keyPath in + Binding( + get: { settings[keyPath: keyPath] }, + set: { settings[keyPath: keyPath] = $0 }) + }, + statusText: { _ in nil }, + setStatusText: { _, _ in }, + lastAppActiveRunAt: { _ in nil }, + setLastAppActiveRunAt: { _, _ in }, + requestConfirmation: { _ in }) + + let pickers = ClaudeProviderImplementation().settingsPickers(context: context) + let keychainPicker = try #require(pickers.first(where: { $0.id == "claude-keychain-prompt-policy" })) + #expect(keychainPicker.isEnabled?() == false) + let subtitle = keychainPicker.dynamicSubtitle?() ?? "" + #expect(subtitle.localizedCaseInsensitiveContains("inactive")) } @Test diff --git a/Tests/CodexBarTests/SettingsStoreCoverageTests.swift b/Tests/CodexBarTests/SettingsStoreCoverageTests.swift index 724e8dece..c51f49ada 100644 --- a/Tests/CodexBarTests/SettingsStoreCoverageTests.swift +++ b/Tests/CodexBarTests/SettingsStoreCoverageTests.swift @@ -149,6 +149,41 @@ struct SettingsStoreCoverageTests { #expect(settings.kimiCookieSource == .off) } + @Test + func claudeKeychainPromptMode_defaultsToOnlyOnUserAction() { + let settings = Self.makeSettingsStore() + #expect(settings.claudeOAuthKeychainPromptMode == .onlyOnUserAction) + } + + @Test + func claudeKeychainPromptMode_persistsAcrossStoreReload() throws { + let suite = "SettingsStoreCoverageTests-claude-keychain-prompt-mode" + let defaults = try #require(UserDefaults(suiteName: suite)) + defaults.removePersistentDomain(forName: suite) + let configStore = testConfigStore(suiteName: suite) + + let first = Self.makeSettingsStore(userDefaults: defaults, configStore: configStore) + first.claudeOAuthKeychainPromptMode = .never + #expect( + defaults.string(forKey: "claudeOAuthKeychainPromptMode") + == ClaudeOAuthKeychainPromptMode.never.rawValue) + + let second = Self.makeSettingsStore(userDefaults: defaults, configStore: configStore) + #expect(second.claudeOAuthKeychainPromptMode == .never) + } + + @Test + func claudeKeychainPromptMode_invalidRawFallsBackToOnlyOnUserAction() throws { + let suite = "SettingsStoreCoverageTests-claude-keychain-prompt-mode-invalid" + let defaults = try #require(UserDefaults(suiteName: suite)) + defaults.removePersistentDomain(forName: suite) + defaults.set("invalid-mode", forKey: "claudeOAuthKeychainPromptMode") + let configStore = testConfigStore(suiteName: suite) + + let settings = Self.makeSettingsStore(userDefaults: defaults, configStore: configStore) + #expect(settings.claudeOAuthKeychainPromptMode == .onlyOnUserAction) + } + private static func makeSettingsStore(suiteName: String = "SettingsStoreCoverageTests") -> SettingsStore { let defaults = UserDefaults(suiteName: suiteName)! defaults.removePersistentDomain(forName: suiteName) diff --git a/docs/claude.md b/docs/claude.md index 564672dda..0b322b35b 100644 --- a/docs/claude.md +++ b/docs/claude.md @@ -21,6 +21,16 @@ Claude supports three usage data paths plus local cost usage. Source selection i Usage source picker: - Preferences → Providers → Claude → Usage source (Auto/OAuth/Web/CLI). +## Keychain prompt policy (Claude OAuth) +- Preferences → Providers → Claude → Keychain prompt policy. +- Options: + - `Never prompt`: never attempts interactive Claude OAuth Keychain prompts. + - `Only on user action` (default): interactive prompts are reserved for user-initiated repair flows. + - `Always allow prompts`: allows interactive prompts in both user and background flows. +- This setting only affects Claude OAuth Keychain prompting behavior; it does not switch your Claude usage source. +- If Preferences → Advanced → Disable Keychain access is enabled, this policy remains visible but inactive until + Keychain access is re-enabled. + ### Debug selection (debug menu enabled) - The Debug pane can force OAuth / Web / CLI. - Web extras are internal-only (not exposed in the Providers pane). diff --git a/docs/ui.md b/docs/ui.md index 73f6fc57a..9c3d13475 100644 --- a/docs/ui.md +++ b/docs/ui.md @@ -26,6 +26,10 @@ read_when: ## Preferences notes - Advanced: “Disable Keychain access” turns off browser cookie import; paste Cookie headers manually in Providers. +- Providers → Claude: “Keychain prompt policy” controls Claude OAuth prompt behavior (Never / Only on user action / + Always allow prompts). +- When “Disable Keychain access” is enabled in Advanced, the Claude keychain prompt policy remains visible but is + inactive. ## Widgets (high level) - Widget entries mirror the menu card; detailed pipeline in `docs/widgets.md`. From b38e4da1b7dfbf9b2505308fa1a9a34896d202d5 Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Fri, 13 Feb 2026 15:41:04 +0530 Subject: [PATCH 052/131] Update CHANGELOG.md --- CHANGELOG.md | 17 +++++++---------- 1 file changed, 7 insertions(+), 10 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c88697ec1..b4abbbbf7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,7 +2,7 @@ ## Unreleased ### Highlights -- Claude OAuth/keychain flows were reworked across a series of follow-up PRs to reduce prompt storms, stabilize background behavior, and make failure modes deterministic (#245, #305, #308, #309). Thanks @manikv12! +- Claude OAuth/keychain flows were reworked across a series of follow-up PRs to reduce prompt storms, stabilize background behavior, surface a setting to control prompt policy and make failure modes deterministic (#245, #305, #308, #309, #364). Thanks @manikv12! - Claude: harden Claude Code PTY capture for `/usage` and `/status` (prompt automation, safer command palette confirmation, partial UTF-8 handling, and parsing guards against status-bar context meters) (#320). - New provider: Warp (credits + add-on credits) (#352). Thanks @Kathie-yu! - Provider correctness fixes landed for Cursor plan parsing and MiniMax region routing (#240, #234, #344). Thanks @robinebers @@ -10,15 +10,12 @@ - Menu bar animation behavior was hardened in merged mode and fallback mode (#283, #291). Thanks @vignesh07 and @Ilakiancs! - CI/tooling reliability improved via pinned lint tools, deterministic macOS test execution, and PTY timing test stabilization plus Node 24-ready GitHub Actions upgrades (#292, #312, #290). -### Claude OAuth & Keychain (upgrade-relevant behavior) -- Claude OAuth creds are cached in CodexBar Keychain. This reduces Keychain prompts until the token expires. -- If Claude OAuth credentials are present but expired, CodexBar performs at most one delegated refresh handoff to the Claude CLI and one OAuth retry before falling back to Web/CLI in Auto mode. -- Claude Auto mode keeps Keychain prompts suppressed during background refreshes. Interactive Keychain prompting is only attempted during user-initiated repair flows (e.g. menu open / manual refresh) when cached OAuth is missing/expired/unusable. -- Claude OAuth-only mode stays strict: OAuth failures do not silently fall back to Web/CLI. -- Keychain prompting is hardened (cooldowns after explicit denial/cancel/no-access + pre-alert only when interaction is likely) to reduce repeated prompts during refresh. -- CodexBar syncs its cached OAuth token when the Claude Code Keychain entry changes, so updated auth is picked up without requiring a restart. -- Preferences now expose Claude’s Keychain prompt policy (Never / Only on user action / Always allow prompts) in - Providers → Claude; when global Keychain access is disabled in Advanced, the policy remains visible but inactive. +### Claude OAuth & Keychain +- Claude OAuth creds are cached in CodexBar Keychain to reduce repeated prompts. +- Prompts can still appear when Claude OAuth credentials are expired, invalid, or missing and re-auth is required. +- In Auto mode, background refresh keeps prompts suppressed; interactive prompts are limited to user actions (menu open or manual refresh). +- OAuth-only mode remains strict (no silent Web/CLI fallback); Auto mode may do one delegated CLI refresh + one OAuth retry before falling back. +- Preferences now expose a Claude Keychain prompt policy (Never / Only on user action / Always allow prompts) under Providers → Claude; if global Keychain access is disabled in Advanced, this control remains visible but inactive. ### Provider & Usage Fixes - Warp: add Warp provider support (credits + add-on credits), configurable via Settings or `WARP_API_KEY`/`WARP_TOKEN` (#352). Thanks @Kathie-yu! From c2738ec6fe91a926fd03939a47babf9b7c6dcd70 Mon Sep 17 00:00:00 2001 From: Peter Steinberger Date: Fri, 13 Feb 2026 18:32:22 +0100 Subject: [PATCH 053/131] docs: prepare 0.18.0-beta.3 release --- CHANGELOG.md | 2 +- version.env | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b4abbbbf7..a4bf73a76 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,6 @@ # Changelog -## Unreleased +## 0.18.0-beta.3 — 2026-02-13 ### Highlights - Claude OAuth/keychain flows were reworked across a series of follow-up PRs to reduce prompt storms, stabilize background behavior, surface a setting to control prompt policy and make failure modes deterministic (#245, #305, #308, #309, #364). Thanks @manikv12! - Claude: harden Claude Code PTY capture for `/usage` and `/status` (prompt automation, safer command palette confirmation, partial UTF-8 handling, and parsing guards against status-bar context meters) (#320). diff --git a/version.env b/version.env index 6a74e5881..ec4258206 100644 --- a/version.env +++ b/version.env @@ -1,2 +1,2 @@ -MARKETING_VERSION=0.18.0-beta.2 -BUILD_NUMBER=50 +MARKETING_VERSION=0.18.0-beta.3 +BUILD_NUMBER=51 From 2f5b6af0860a6b6881872e0001aea59ad3167806 Mon Sep 17 00:00:00 2001 From: Peter Steinberger Date: Fri, 13 Feb 2026 18:59:04 +0100 Subject: [PATCH 054/131] docs: update appcast for 0.18.0-beta.3 --- CHANGELOG.md | 12 ++++------ appcast.xml | 62 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 66 insertions(+), 8 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a4bf73a76..b8ebc8be1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,8 +5,7 @@ - Claude OAuth/keychain flows were reworked across a series of follow-up PRs to reduce prompt storms, stabilize background behavior, surface a setting to control prompt policy and make failure modes deterministic (#245, #305, #308, #309, #364). Thanks @manikv12! - Claude: harden Claude Code PTY capture for `/usage` and `/status` (prompt automation, safer command palette confirmation, partial UTF-8 handling, and parsing guards against status-bar context meters) (#320). - New provider: Warp (credits + add-on credits) (#352). Thanks @Kathie-yu! -- Provider correctness fixes landed for Cursor plan parsing and MiniMax region routing (#240, #234, #344). Thanks @robinebers - and @theglove44! +- Provider correctness fixes landed for Cursor plan parsing and MiniMax region routing (#240, #234, #344). Thanks @robinebers and @theglove44! - Menu bar animation behavior was hardened in merged mode and fallback mode (#283, #291). Thanks @vignesh07 and @Ilakiancs! - CI/tooling reliability improved via pinned lint tools, deterministic macOS test execution, and PTY timing test stabilization plus Node 24-ready GitHub Actions upgrades (#292, #312, #290). @@ -21,13 +20,10 @@ - Warp: add Warp provider support (credits + add-on credits), configurable via Settings or `WARP_API_KEY`/`WARP_TOKEN` (#352). Thanks @Kathie-yu! - Cursor: compute usage against `plan.limit` rather than `breakdown.total` to avoid incorrect limit interpretation (#240). Thanks @robinebers! - MiniMax: correct API region URL selection to route requests to the expected regional endpoint (#234). Thanks @theglove44! -- MiniMax: always show the API region picker and retry the China endpoint when the global host rejects the token to - avoid upgrade regressions for users without a persisted region (#344). Thanks @apoorvdarshan! +- MiniMax: always show the API region picker and retry the China endpoint when the global host rejects the token to avoid upgrade regressions for users without a persisted region (#344). Thanks @apoorvdarshan! - Claude: add Opus 4.6 pricing so token cost scanning tracks USD consumed correctly (#348). Thanks @arandaschimpf! -- z.ai: handle quota responses with missing token-limit fields, avoid incorrect used-percent calculations, and harden - empty-response behavior with safer logging (#346). Thanks @MohamedMohana and @halilertekin! -- z.ai: fix provider visibility in the menu when enabled with token-account credentials (availability now considers the - effective fetch environment). +- z.ai: handle quota responses with missing token-limit fields, avoid incorrect used-percent calculations, and harden empty-response behavior with safer logging (#346). Thanks @MohamedMohana and @halilertekin! +- z.ai: fix provider visibility in the menu when enabled with token-account credentials (availability now considers the effective fetch environment). - Amp: detect login redirects during usage fetch and fail fast when the session is invalid (#339). Thanks @JosephDoUrden! - Resource loading: fix app bundle lookup path to avoid "could not load resource bundle" startup failures (#223). Thanks @validatedev! - OpenAI Web dashboard: keep WebView instances cached for reuse to reduce repeated network fetch overhead; tests were updated to avoid network-dependent flakes (#284). Thanks @vignesh07! diff --git a/appcast.xml b/appcast.xml index 3f63a89e9..c7bc8f030 100644 --- a/appcast.xml +++ b/appcast.xml @@ -2,6 +2,68 @@ CodexBar + + 0.18.0-beta.3 + Fri, 13 Feb 2026 18:57:54 +0100 + https://raw.githubusercontent.com/steipete/CodexBar/main/appcast.xml + 51 + 0.18.0-beta.3 + 14.0 + CodexBar 0.18.0-beta.3 +

Highlights

+
    +
  • Claude OAuth/keychain flows were reworked across a series of follow-up PRs to reduce prompt storms, stabilize background behavior, surface a setting to control prompt policy and make failure modes deterministic (#245, #305, #308, #309, #364). Thanks @manikv12!
    • +
  • Claude: harden Claude Code PTY capture for /usage and /status (prompt automation, safer command palette confirmation, partial UTF-8 handling, and parsing guards against status-bar context meters) (#320).
    • +
  • New provider: Warp (credits + add-on credits) (#352). Thanks @Kathie-yu!
    • +
  • Provider correctness fixes landed for Cursor plan parsing and MiniMax region routing (#240, #234, #344). Thanks @robinebers and @theglove44!
    • +
  • Menu bar animation behavior was hardened in merged mode and fallback mode (#283, #291). Thanks @vignesh07 and @Ilakiancs!
    • +
  • CI/tooling reliability improved via pinned lint tools, deterministic macOS test execution, and PTY timing test stabilization plus Node 24-ready GitHub Actions upgrades (#292, #312, #290).
    • +
+

Claude OAuth & Keychain

+
    +
  • Claude OAuth creds are cached in CodexBar Keychain to reduce repeated prompts.
    • +
  • Prompts can still appear when Claude OAuth credentials are expired, invalid, or missing and re-auth is required.
    • +
  • In Auto mode, background refresh keeps prompts suppressed; interactive prompts are limited to user actions (menu open or manual refresh).
    • +
  • OAuth-only mode remains strict (no silent Web/CLI fallback); Auto mode may do one delegated CLI refresh + one OAuth retry before falling back.
    • +
  • Preferences now expose a Claude Keychain prompt policy (Never / Only on user action / Always allow prompts) under Providers → Claude; if global Keychain access is disabled in Advanced, this control remains visible but inactive.
    • +
+

Provider & Usage Fixes

+
    +
  • Warp: add Warp provider support (credits + add-on credits), configurable via Settings or WARP_API_KEY/WARP_TOKEN (#352). Thanks @Kathie-yu!
    • +
  • Cursor: compute usage against plan.limit rather than breakdown.total to avoid incorrect limit interpretation (#240). Thanks @robinebers!
    • +
  • MiniMax: correct API region URL selection to route requests to the expected regional endpoint (#234). Thanks @theglove44!
    • +
  • MiniMax: always show the API region picker and retry the China endpoint when the global host rejects the token to avoid upgrade regressions for users without a persisted region (#344). Thanks @apoorvdarshan!
    • +
  • Claude: add Opus 4.6 pricing so token cost scanning tracks USD consumed correctly (#348). Thanks @arandaschimpf!
    • +
  • z.ai: handle quota responses with missing token-limit fields, avoid incorrect used-percent calculations, and harden empty-response behavior with safer logging (#346). Thanks @MohamedMohana and @halilertekin!
    • +
  • z.ai: fix provider visibility in the menu when enabled with token-account credentials (availability now considers the effective fetch environment).
    • +
  • Amp: detect login redirects during usage fetch and fail fast when the session is invalid (#339). Thanks @JosephDoUrden!
    • +
  • Resource loading: fix app bundle lookup path to avoid "could not load resource bundle" startup failures (#223). Thanks @validatedev!
    • +
  • OpenAI Web dashboard: keep WebView instances cached for reuse to reduce repeated network fetch overhead; tests were updated to avoid network-dependent flakes (#284). Thanks @vignesh07!
    • +
  • Token-account precedence: selected token account env injection now correctly overrides provider config apiKey values in app and CLI environments. Thanks @arvindcr4!
    • +
  • Claude: make Claude CLI probing more resilient by scoping auto-input to the active subcommand and trimming to the latest Usage panel before parsing to avoid false matches from earlier screen fragments (#320).
    • +
+

Menu Bar & UI Behavior

+
    +
  • Prevent fallback-provider loading animation loops (battery/CPU drain when no providers are enabled) (#283). Thanks @vignesh07!
    • +
  • Prevent status overlay rendering for disabled providers while in merged mode (#291). Thanks @Ilakiancs!
    • +
+

CI, Tooling & Test Stability

+
    +
  • Pin SwiftFormat/SwiftLint versions and harden lint installer behavior (version drift + temp-file leak fixes) (#292).
    • +
  • Use more deterministic macOS CI test settings (including non-parallel paths where needed) and align runner/toolchain behavior for stability (#292).
    • +
  • Stabilize PTY command timing tests to reduce CI flakiness (#312).
    • +
  • Upgrade actions/checkout to v6 and actions/github-script to v8 for Node 24 compatibility in upstream-monitor.yml (#290). Thanks @salmanmkc!
    • +
  • Tests: add TaskLocal-based keychain/cache overrides so keychain gating and KeychainCacheStore test stores do not leak across concurrent test execution (#320).
    • +
+

Docs & Maintenance

+
    +
  • Update docs for Claude data fetch behavior and keychain troubleshooting notes.
    • +
  • Update MIT license year.
    • +
+

View full changelog

+]]> + + 0.18.0-beta.2 Wed, 21 Jan 2026 08:42:37 +0000 From 0ace8b66ba68d151915cf1d22bfede4908005ed9 Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Sat, 14 Feb 2026 19:30:30 +0530 Subject: [PATCH 055/131] Improve OpenCode HTTP error extraction Adapt OpenCode error extraction from PR #280. - Parse HTML fallback for non-JSON errors - Parse JSON 'detail' in addition to 'message'/'error' Thanks @SalimBinYousuf1 --- .../OpenCode/OpenCodeUsageFetcher.swift | 13 +- .../OpenCodeUsageFetcherErrorTests.swift | 115 ++++++++++++++++++ 2 files changed, 126 insertions(+), 2 deletions(-) create mode 100644 Tests/CodexBarTests/OpenCodeUsageFetcherErrorTests.swift diff --git a/Sources/CodexBarCore/Providers/OpenCode/OpenCodeUsageFetcher.swift b/Sources/CodexBarCore/Providers/OpenCode/OpenCodeUsageFetcher.swift index 289c779f3..bc6b0af29 100644 --- a/Sources/CodexBarCore/Providers/OpenCode/OpenCodeUsageFetcher.swift +++ b/Sources/CodexBarCore/Providers/OpenCode/OpenCodeUsageFetcher.swift @@ -409,18 +409,27 @@ public struct OpenCodeUsageFetcher: Sendable { private static func extractServerErrorMessage(from text: String) -> String? { guard let data = text.data(using: .utf8), - let object = try? JSONSerialization.jsonObject(with: data, options: []), - let dict = object as? [String: Any] + let object = try? JSONSerialization.jsonObject(with: data, options: []) else { + // If it's not JSON, try to extract error from HTML if possible + if let match = text.range(of: #"(?i)<title>([^<]+)"#, options: .regularExpression) { + return String(text[match].dropFirst(7).dropLast(8)).trimmingCharacters(in: .whitespacesAndNewlines) + } return nil } + guard let dict = object as? [String: Any] else { return nil } + if let message = dict["message"] as? String, !message.isEmpty { return message } if let error = dict["error"] as? String, !error.isEmpty { return error } + // Check for common error fields in some frameworks + if let detail = dict["detail"] as? String, !detail.isEmpty { + return detail + } return nil } diff --git a/Tests/CodexBarTests/OpenCodeUsageFetcherErrorTests.swift b/Tests/CodexBarTests/OpenCodeUsageFetcherErrorTests.swift new file mode 100644 index 000000000..2dbb75350 --- /dev/null +++ b/Tests/CodexBarTests/OpenCodeUsageFetcherErrorTests.swift @@ -0,0 +1,115 @@ +import CodexBarCore +import Foundation +import Testing + +@Suite(.serialized) +struct OpenCodeUsageFetcherErrorTests { + @Test + func extractsApiErrorFromUppercaseHTMLTitle() async throws { + let registered = URLProtocol.registerClass(OpenCodeStubURLProtocol.self) + defer { + if registered { + URLProtocol.unregisterClass(OpenCodeStubURLProtocol.self) + } + OpenCodeStubURLProtocol.handler = nil + } + + OpenCodeStubURLProtocol.handler = { request in + guard let url = request.url else { throw URLError(.badURL) } + let body = "403 Forbiddendenied" + return Self.makeResponse(url: url, body: body, statusCode: 500, contentType: "text/html") + } + + do { + _ = try await OpenCodeUsageFetcher.fetchUsage( + cookieHeader: "auth=test", + timeout: 2, + workspaceIDOverride: "wrk_TEST123") + Issue.record("Expected OpenCodeUsageError.apiError") + } catch let error as OpenCodeUsageError { + switch error { + case let .apiError(message): + #expect(message.contains("HTTP 500")) + #expect(message.contains("403 Forbidden")) + default: + Issue.record("Expected apiError, got: \(error)") + } + } + } + + @Test + func extractsApiErrorFromDetailField() async throws { + let registered = URLProtocol.registerClass(OpenCodeStubURLProtocol.self) + defer { + if registered { + URLProtocol.unregisterClass(OpenCodeStubURLProtocol.self) + } + OpenCodeStubURLProtocol.handler = nil + } + + OpenCodeStubURLProtocol.handler = { request in + guard let url = request.url else { throw URLError(.badURL) } + let body = #"{"detail":"Workspace missing"}"# + return Self.makeResponse(url: url, body: body, statusCode: 500, contentType: "application/json") + } + + do { + _ = try await OpenCodeUsageFetcher.fetchUsage( + cookieHeader: "auth=test", + timeout: 2, + workspaceIDOverride: "wrk_TEST123") + Issue.record("Expected OpenCodeUsageError.apiError") + } catch let error as OpenCodeUsageError { + switch error { + case let .apiError(message): + #expect(message.contains("HTTP 500")) + #expect(message.contains("Workspace missing")) + default: + Issue.record("Expected apiError, got: \(error)") + } + } + } + + private static func makeResponse( + url: URL, + body: String, + statusCode: Int, + contentType: String) -> (HTTPURLResponse, Data) + { + let response = HTTPURLResponse( + url: url, + statusCode: statusCode, + httpVersion: "HTTP/1.1", + headerFields: ["Content-Type": contentType])! + return (response, Data(body.utf8)) + } +} + +final class OpenCodeStubURLProtocol: URLProtocol { + nonisolated(unsafe) static var handler: ((URLRequest) throws -> (HTTPURLResponse, Data))? + + override static func canInit(with request: URLRequest) -> Bool { + request.url?.host == "opencode.ai" + } + + override static func canonicalRequest(for request: URLRequest) -> URLRequest { + request + } + + override func startLoading() { + guard let handler = Self.handler else { + self.client?.urlProtocol(self, didFailWithError: URLError(.badServerResponse)) + return + } + do { + let (response, data) = try handler(self.request) + self.client?.urlProtocol(self, didReceive: response, cacheStoragePolicy: .notAllowed) + self.client?.urlProtocol(self, didLoad: data) + self.client?.urlProtocolDidFinishLoading(self) + } catch { + self.client?.urlProtocol(self, didFailWithError: error) + } + } + + override func stopLoading() {} +} From f4f405a97cef6ba449a46dec1b00e64f26c3f735 Mon Sep 17 00:00:00 2001 From: daegwang Date: Sat, 14 Feb 2026 13:24:48 -0800 Subject: [PATCH 056/131] fix: correct Claude CLI package name in setup message The npm package was renamed from @anthropic-ai/claude-cli to @anthropic-ai/claude-code. --- Sources/CodexBar/StatusItemController+Actions.swift | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Sources/CodexBar/StatusItemController+Actions.swift b/Sources/CodexBar/StatusItemController+Actions.swift index 65485d870..efe63ffd8 100644 --- a/Sources/CodexBar/StatusItemController+Actions.swift +++ b/Sources/CodexBar/StatusItemController+Actions.swift @@ -230,7 +230,7 @@ extension StatusItemController { case .missingBinary: self.presentLoginAlert( title: "Claude CLI not found", - message: "Install the Claude CLI (npm i -g @anthropic-ai/claude-cli) and try again.") + message: "Install the Claude CLI (npm i -g @anthropic-ai/claude-code) and try again.") case let .launchFailed(message): self.presentLoginAlert(title: "Could not start claude /login", message: message) case .timedOut: From 27c1bb95770b30f7da5e26f6c15d952671573f74 Mon Sep 17 00:00:00 2001 From: CryptoSageSnr Date: Sun, 1 Feb 2026 15:30:31 +0200 Subject: [PATCH 057/131] Add Ollama provider support --- .gitignore | 1 + Sources/CodexBar/PreferencesDebugPane.swift | 2 + .../Ollama/OllamaProviderImplementation.swift | 81 ++++ .../Ollama/OllamaSettingsStore.swift | 60 +++ .../ProviderImplementationRegistry.swift | 1 + .../Resources/ProviderIcon-ollama.svg | 3 + .../SettingsStore+MenuObservation.swift | 2 + Sources/CodexBar/UsageStore+Logging.swift | 1 + Sources/CodexBar/UsageStore.swift | 19 + Sources/CodexBarCLI/TokenAccountCLI.swift | 7 + .../CodexBarCore/Logging/LogCategories.swift | 1 + .../Ollama/OllamaProviderDescriptor.swift | 72 ++++ .../Providers/Ollama/OllamaUsageFetcher.swift | 380 ++++++++++++++++++ .../Providers/Ollama/OllamaUsageParser.swift | 114 ++++++ .../Ollama/OllamaUsageSnapshot.swift | 66 +++ .../Providers/ProviderDescriptor.swift | 1 + .../Providers/ProviderSettingsSnapshot.swift | 19 + .../CodexBarCore/Providers/Providers.swift | 2 + .../Vendored/CostUsage/CostUsageScanner.swift | 2 + .../CodexBarWidgetProvider.swift | 1 + .../CodexBarWidget/CodexBarWidgetViews.swift | 3 + .../CLIProviderSelectionTests.swift | 1 + .../OllamaUsageFetcherTests.swift | 20 + .../OllamaUsageParserTests.swift | 92 +++++ Tests/CodexBarTests/SettingsStoreTests.swift | 1 + docs/ollama.md | 52 +++ docs/providers.md | 10 +- 27 files changed, 1013 insertions(+), 1 deletion(-) create mode 100644 Sources/CodexBar/Providers/Ollama/OllamaProviderImplementation.swift create mode 100644 Sources/CodexBar/Providers/Ollama/OllamaSettingsStore.swift create mode 100644 Sources/CodexBar/Resources/ProviderIcon-ollama.svg create mode 100644 Sources/CodexBarCore/Providers/Ollama/OllamaProviderDescriptor.swift create mode 100644 Sources/CodexBarCore/Providers/Ollama/OllamaUsageFetcher.swift create mode 100644 Sources/CodexBarCore/Providers/Ollama/OllamaUsageParser.swift create mode 100644 Sources/CodexBarCore/Providers/Ollama/OllamaUsageSnapshot.swift create mode 100644 Tests/CodexBarTests/OllamaUsageFetcherTests.swift create mode 100644 Tests/CodexBarTests/OllamaUsageParserTests.swift create mode 100644 docs/ollama.md diff --git a/.gitignore b/.gitignore index 2607ea4e9..d44f986f6 100644 --- a/.gitignore +++ b/.gitignore @@ -31,6 +31,7 @@ debug_*.swift .DS_Store .vscode/ .codex/environments/ +.swiftpm-cache/ # Debug/analysis docs docs/*-analysis.md diff --git a/Sources/CodexBar/PreferencesDebugPane.swift b/Sources/CodexBar/PreferencesDebugPane.swift index 1b8083406..c5d4730b4 100644 --- a/Sources/CodexBar/PreferencesDebugPane.swift +++ b/Sources/CodexBar/PreferencesDebugPane.swift @@ -106,6 +106,7 @@ struct DebugPane: View { Text("Cursor").tag(UsageProvider.cursor) Text("Augment").tag(UsageProvider.augment) Text("Amp").tag(UsageProvider.amp) + Text("Ollama").tag(UsageProvider.ollama) } .pickerStyle(.segmented) .frame(width: 460) @@ -299,6 +300,7 @@ struct DebugPane: View { Text("Antigravity").tag(UsageProvider.antigravity) Text("Augment").tag(UsageProvider.augment) Text("Amp").tag(UsageProvider.amp) + Text("Ollama").tag(UsageProvider.ollama) } .pickerStyle(.segmented) .frame(width: 360) diff --git a/Sources/CodexBar/Providers/Ollama/OllamaProviderImplementation.swift b/Sources/CodexBar/Providers/Ollama/OllamaProviderImplementation.swift new file mode 100644 index 000000000..5d71c5b39 --- /dev/null +++ b/Sources/CodexBar/Providers/Ollama/OllamaProviderImplementation.swift @@ -0,0 +1,81 @@ +import AppKit +import CodexBarCore +import CodexBarMacroSupport +import Foundation +import SwiftUI + +@ProviderImplementationRegistration +struct OllamaProviderImplementation: ProviderImplementation { + let id: UsageProvider = .ollama + + @MainActor + func observeSettings(_ settings: SettingsStore) { + _ = settings.ollamaCookieSource + _ = settings.ollamaCookieHeader + } + + @MainActor + func settingsSnapshot(context: ProviderSettingsSnapshotContext) -> ProviderSettingsSnapshotContribution? { + .ollama(context.settings.ollamaSettingsSnapshot(tokenOverride: context.tokenOverride)) + } + + @MainActor + func settingsPickers(context: ProviderSettingsContext) -> [ProviderSettingsPickerDescriptor] { + let cookieBinding = Binding( + get: { context.settings.ollamaCookieSource.rawValue }, + set: { raw in + context.settings.ollamaCookieSource = ProviderCookieSource(rawValue: raw) ?? .auto + }) + let cookieOptions = ProviderCookieSourceUI.options( + allowsOff: false, + keychainDisabled: context.settings.debugDisableKeychainAccess) + + let cookieSubtitle: () -> String? = { + ProviderCookieSourceUI.subtitle( + source: context.settings.ollamaCookieSource, + keychainDisabled: context.settings.debugDisableKeychainAccess, + auto: "Automatic imports browser cookies.", + manual: "Paste a Cookie header or cURL capture from Ollama settings.", + off: "Ollama cookies are disabled.") + } + + return [ + ProviderSettingsPickerDescriptor( + id: "ollama-cookie-source", + title: "Cookie source", + subtitle: "Automatic imports browser cookies.", + dynamicSubtitle: cookieSubtitle, + binding: cookieBinding, + options: cookieOptions, + isVisible: nil, + onChange: nil), + ] + } + + @MainActor + func settingsFields(context: ProviderSettingsContext) -> [ProviderSettingsFieldDescriptor] { + [ + ProviderSettingsFieldDescriptor( + id: "ollama-cookie", + title: "", + subtitle: "", + kind: .secure, + placeholder: "Cookie: …", + binding: context.stringBinding(\.ollamaCookieHeader), + actions: [ + ProviderSettingsActionDescriptor( + id: "ollama-open-settings", + title: "Open Ollama Settings", + style: .link, + isVisible: nil, + perform: { + if let url = URL(string: "https://ollama.com/settings") { + NSWorkspace.shared.open(url) + } + }), + ], + isVisible: { context.settings.ollamaCookieSource == .manual }, + onActivate: { }), + ] + } +} diff --git a/Sources/CodexBar/Providers/Ollama/OllamaSettingsStore.swift b/Sources/CodexBar/Providers/Ollama/OllamaSettingsStore.swift new file mode 100644 index 000000000..a74534574 --- /dev/null +++ b/Sources/CodexBar/Providers/Ollama/OllamaSettingsStore.swift @@ -0,0 +1,60 @@ +import CodexBarCore +import Foundation + +extension SettingsStore { + var ollamaCookieHeader: String { + get { self.configSnapshot.providerConfig(for: .ollama)?.sanitizedCookieHeader ?? "" } + set { + self.updateProviderConfig(provider: .ollama) { entry in + entry.cookieHeader = self.normalizedConfigValue(newValue) + } + self.logSecretUpdate(provider: .ollama, field: "cookieHeader", value: newValue) + } + } + + var ollamaCookieSource: ProviderCookieSource { + get { self.resolvedCookieSource(provider: .ollama, fallback: .auto) } + set { + self.updateProviderConfig(provider: .ollama) { entry in + entry.cookieSource = newValue + } + self.logProviderModeChange(provider: .ollama, field: "cookieSource", value: newValue.rawValue) + } + } +} + +extension SettingsStore { + func ollamaSettingsSnapshot(tokenOverride: TokenAccountOverride?) -> ProviderSettingsSnapshot.OllamaProviderSettings { + ProviderSettingsSnapshot.OllamaProviderSettings( + cookieSource: self.ollamaSnapshotCookieSource(tokenOverride: tokenOverride), + manualCookieHeader: self.ollamaSnapshotCookieHeader(tokenOverride: tokenOverride)) + } + + private func ollamaSnapshotCookieHeader(tokenOverride: TokenAccountOverride?) -> String { + let fallback = self.ollamaCookieHeader + guard let support = TokenAccountSupportCatalog.support(for: .ollama), + case .cookieHeader = support.injection + else { + return fallback + } + guard let account = ProviderTokenAccountSelection.selectedAccount( + provider: .ollama, + settings: self, + override: tokenOverride) + else { + return fallback + } + return TokenAccountSupportCatalog.normalizedCookieHeader(account.token, support: support) + } + + private func ollamaSnapshotCookieSource(tokenOverride: TokenAccountOverride?) -> ProviderCookieSource { + let fallback = self.ollamaCookieSource + guard let support = TokenAccountSupportCatalog.support(for: .ollama), + support.requiresManualCookieSource + else { + return fallback + } + if self.tokenAccounts(for: .ollama).isEmpty { return fallback } + return .manual + } +} diff --git a/Sources/CodexBar/Providers/Shared/ProviderImplementationRegistry.swift b/Sources/CodexBar/Providers/Shared/ProviderImplementationRegistry.swift index fef37cef9..8754e595f 100644 --- a/Sources/CodexBar/Providers/Shared/ProviderImplementationRegistry.swift +++ b/Sources/CodexBar/Providers/Shared/ProviderImplementationRegistry.swift @@ -29,6 +29,7 @@ enum ProviderImplementationRegistry { case .jetbrains: JetBrainsProviderImplementation() case .kimik2: KimiK2ProviderImplementation() case .amp: AmpProviderImplementation() + case .ollama: OllamaProviderImplementation() case .synthetic: SyntheticProviderImplementation() case .warp: WarpProviderImplementation() } diff --git a/Sources/CodexBar/Resources/ProviderIcon-ollama.svg b/Sources/CodexBar/Resources/ProviderIcon-ollama.svg new file mode 100644 index 000000000..23b80bc53 --- /dev/null +++ b/Sources/CodexBar/Resources/ProviderIcon-ollama.svg @@ -0,0 +1,3 @@ + + + diff --git a/Sources/CodexBar/SettingsStore+MenuObservation.swift b/Sources/CodexBar/SettingsStore+MenuObservation.swift index 4fa5640a8..36416222f 100644 --- a/Sources/CodexBar/SettingsStore+MenuObservation.swift +++ b/Sources/CodexBar/SettingsStore+MenuObservation.swift @@ -36,6 +36,7 @@ extension SettingsStore { _ = self.kimiCookieSource _ = self.augmentCookieSource _ = self.ampCookieSource + _ = self.ollamaCookieSource _ = self.mergeIcons _ = self.switcherShowsIcons _ = self.zaiAPIToken @@ -52,6 +53,7 @@ extension SettingsStore { _ = self.kimiK2APIToken _ = self.augmentCookieHeader _ = self.ampCookieHeader + _ = self.ollamaCookieHeader _ = self.copilotAPIToken _ = self.warpAPIToken _ = self.tokenAccountsByProvider diff --git a/Sources/CodexBar/UsageStore+Logging.swift b/Sources/CodexBar/UsageStore+Logging.swift index 4a72e3520..4522a0ffb 100644 --- a/Sources/CodexBar/UsageStore+Logging.swift +++ b/Sources/CodexBar/UsageStore+Logging.swift @@ -14,6 +14,7 @@ extension UsageStore { "kimiCookieSource": self.settings.kimiCookieSource.rawValue, "augmentCookieSource": self.settings.augmentCookieSource.rawValue, "ampCookieSource": self.settings.ampCookieSource.rawValue, + "ollamaCookieSource": self.settings.ollamaCookieSource.rawValue, "openAIWebAccess": self.settings.openAIWebAccessEnabled ? "1" : "0", "claudeWebExtras": self.settings.claudeWebExtrasEnabled ? "1" : "0", ] diff --git a/Sources/CodexBar/UsageStore.swift b/Sources/CodexBar/UsageStore.swift index a763642dd..38dd05ca7 100644 --- a/Sources/CodexBar/UsageStore.swift +++ b/Sources/CodexBar/UsageStore.swift @@ -1241,6 +1241,12 @@ extension UsageStore { ampCookieHeader: self.settings.ampCookieHeader) await MainActor.run { self.probeLogs[.amp] = text } return text + case .ollama: + let text = await self.debugOllamaLog( + ollamaCookieSource: self.settings.ollamaCookieSource, + ollamaCookieHeader: self.settings.ollamaCookieHeader) + await MainActor.run { self.probeLogs[.ollama] = text } + return text case .jetbrains: let text = "JetBrains AI debug log not yet implemented" await MainActor.run { self.probeLogs[.jetbrains] = text } @@ -1434,6 +1440,19 @@ extension UsageStore { } } + private func debugOllamaLog( + ollamaCookieSource: ProviderCookieSource, + ollamaCookieHeader: String) async -> String + { + await self.runWithTimeout(seconds: 15) { + let fetcher = OllamaUsageFetcher(browserDetection: self.browserDetection) + let manualHeader = ollamaCookieSource == .manual + ? CookieHeaderNormalizer.normalize(ollamaCookieHeader) + : nil + return await fetcher.debugRawProbe(cookieHeaderOverride: manualHeader) + } + } + private func runWithTimeout(seconds: Double, operation: @escaping @Sendable () async -> String) async -> String { await withTaskGroup(of: String?.self) { group -> String in group.addTask { await operation() } diff --git a/Sources/CodexBarCLI/TokenAccountCLI.swift b/Sources/CodexBarCLI/TokenAccountCLI.swift index 1b0bc5c8a..b0a3bc781 100644 --- a/Sources/CodexBarCLI/TokenAccountCLI.swift +++ b/Sources/CodexBarCLI/TokenAccountCLI.swift @@ -135,6 +135,11 @@ struct TokenAccountCLIContext { amp: ProviderSettingsSnapshot.AmpProviderSettings( cookieSource: cookieSource, manualCookieHeader: cookieHeader)) + case .ollama: + return self.makeSnapshot( + ollama: ProviderSettingsSnapshot.OllamaProviderSettings( + cookieSource: cookieSource, + manualCookieHeader: cookieHeader)) case .kimi: return self.makeSnapshot( kimi: ProviderSettingsSnapshot.KimiProviderSettings( @@ -163,6 +168,7 @@ struct TokenAccountCLIContext { kimi: ProviderSettingsSnapshot.KimiProviderSettings? = nil, augment: ProviderSettingsSnapshot.AugmentProviderSettings? = nil, amp: ProviderSettingsSnapshot.AmpProviderSettings? = nil, + ollama: ProviderSettingsSnapshot.OllamaProviderSettings? = nil, jetbrains: ProviderSettingsSnapshot.JetBrainsProviderSettings? = nil) -> ProviderSettingsSnapshot { ProviderSettingsSnapshot.make( @@ -176,6 +182,7 @@ struct TokenAccountCLIContext { kimi: kimi, augment: augment, amp: amp, + ollama: ollama, jetbrains: jetbrains) } diff --git a/Sources/CodexBarCore/Logging/LogCategories.swift b/Sources/CodexBarCore/Logging/LogCategories.swift index 550ffc814..5904ce7ad 100644 --- a/Sources/CodexBarCore/Logging/LogCategories.swift +++ b/Sources/CodexBarCore/Logging/LogCategories.swift @@ -40,6 +40,7 @@ public enum LogCategories { public static let notifications = "notifications" public static let openAIWeb = "openai-web" public static let openAIWebview = "openai-webview" + public static let ollama = "ollama" public static let opencodeUsage = "opencode-usage" public static let providerDetection = "provider-detection" public static let providers = "providers" diff --git a/Sources/CodexBarCore/Providers/Ollama/OllamaProviderDescriptor.swift b/Sources/CodexBarCore/Providers/Ollama/OllamaProviderDescriptor.swift new file mode 100644 index 000000000..c70b03e86 --- /dev/null +++ b/Sources/CodexBarCore/Providers/Ollama/OllamaProviderDescriptor.swift @@ -0,0 +1,72 @@ +import CodexBarMacroSupport +import Foundation + +@ProviderDescriptorRegistration +@ProviderDescriptorDefinition +public enum OllamaProviderDescriptor { + static func makeDescriptor() -> ProviderDescriptor { + ProviderDescriptor( + id: .ollama, + metadata: ProviderMetadata( + id: .ollama, + displayName: "Ollama", + sessionLabel: "Session", + weeklyLabel: "Weekly", + opusLabel: nil, + supportsOpus: false, + supportsCredits: false, + creditsHint: "", + toggleTitle: "Show Ollama usage", + cliName: "ollama", + defaultEnabled: false, + isPrimaryProvider: false, + usesAccountFallback: false, + browserCookieOrder: ProviderBrowserCookieDefaults.defaultImportOrder, + dashboardURL: "https://ollama.com/settings", + statusPageURL: nil), + branding: ProviderBranding( + iconStyle: .ollama, + iconResourceName: "ProviderIcon-ollama", + color: ProviderColor(red: 32 / 255, green: 32 / 255, blue: 32 / 255)), + tokenCost: ProviderTokenCostConfig( + supportsTokenCost: false, + noDataMessage: { "Ollama cost summary is not supported." }), + fetchPlan: ProviderFetchPlan( + sourceModes: [.auto, .web], + pipeline: ProviderFetchPipeline(resolveStrategies: { _ in [OllamaStatusFetchStrategy()] })), + cli: ProviderCLIConfig( + name: "ollama", + versionDetector: nil)) + } +} + +struct OllamaStatusFetchStrategy: ProviderFetchStrategy { + let id: String = "ollama.web" + let kind: ProviderFetchKind = .web + + func isAvailable(_ context: ProviderFetchContext) async -> Bool { + guard context.settings?.ollama?.cookieSource != .off else { return false } + return true + } + + func fetch(_ context: ProviderFetchContext) async throws -> ProviderFetchResult { + let fetcher = OllamaUsageFetcher(browserDetection: context.browserDetection) + let manual = Self.manualCookieHeader(from: context) + let logger: ((String) -> Void)? = context.verbose + ? { msg in CodexBarLog.logger(LogCategories.ollama).verbose(msg) } + : nil + let snap = try await fetcher.fetch(cookieHeaderOverride: manual, logger: logger) + return self.makeResult( + usage: snap.toUsageSnapshot(), + sourceLabel: "web") + } + + func shouldFallback(on _: Error, context _: ProviderFetchContext) -> Bool { + false + } + + private static func manualCookieHeader(from context: ProviderFetchContext) -> String? { + guard context.settings?.ollama?.cookieSource == .manual else { return nil } + return CookieHeaderNormalizer.normalize(context.settings?.ollama?.manualCookieHeader) + } +} diff --git a/Sources/CodexBarCore/Providers/Ollama/OllamaUsageFetcher.swift b/Sources/CodexBarCore/Providers/Ollama/OllamaUsageFetcher.swift new file mode 100644 index 000000000..6971df99f --- /dev/null +++ b/Sources/CodexBarCore/Providers/Ollama/OllamaUsageFetcher.swift @@ -0,0 +1,380 @@ +import Foundation +#if canImport(FoundationNetworking) +import FoundationNetworking +#endif + +#if os(macOS) +import SweetCookieKit +#endif + +public enum OllamaUsageError: LocalizedError, Sendable { + case notLoggedIn + case invalidCredentials + case parseFailed(String) + case networkError(String) + case noSessionCookie + + public var errorDescription: String? { + switch self { + case .notLoggedIn: + "Not logged in to Ollama. Please log in via ollama.com/settings." + case .invalidCredentials: + "Ollama session cookie expired. Please log in again." + case let .parseFailed(message): + "Could not parse Ollama usage: \(message)" + case let .networkError(message): + "Ollama request failed: \(message)" + case .noSessionCookie: + "No Ollama session cookie found. Please log in to ollama.com in your browser." + } + } +} + +#if os(macOS) +private let ollamaCookieImportOrder: BrowserCookieImportOrder = + ProviderDefaults.metadata[.ollama]?.browserCookieOrder ?? Browser.defaultImportOrder + +public enum OllamaCookieImporter { + private static let cookieClient = BrowserCookieClient() + private static let cookieDomains = ["ollama.com", "www.ollama.com"] + private static let sessionCookieNames: Set = [ + "session", + "ollama_session", + "__Host-ollama_session", + "__Secure-next-auth.session-token", + "next-auth.session-token", + ] + + public struct SessionInfo: Sendable { + public let cookies: [HTTPCookie] + public let sourceLabel: String + + public init(cookies: [HTTPCookie], sourceLabel: String) { + self.cookies = cookies + self.sourceLabel = sourceLabel + } + + public var cookieHeader: String { + self.cookies.map { "\($0.name)=\($0.value)" }.joined(separator: "; ") + } + } + + public static func importSession( + browserDetection: BrowserDetection, + logger: ((String) -> Void)? = nil) throws -> SessionInfo + { + let log: (String) -> Void = { msg in logger?("[ollama-cookie] \(msg)") } + let installed = ollamaCookieImportOrder.cookieImportCandidates(using: browserDetection) + var fallback: SessionInfo? + + for browserSource in installed { + do { + let query = BrowserCookieQuery(domains: self.cookieDomains) + let sources = try Self.cookieClient.records( + matching: query, + in: browserSource, + logger: log) + for source in sources where !source.records.isEmpty { + let cookies = BrowserCookieClient.makeHTTPCookies(source.records, origin: query.origin) + guard !cookies.isEmpty else { continue } + let names = cookies.map(\.name).joined(separator: ", ") + log("\(source.label) cookies: \(names)") + + let hasSessionCookie = cookies.contains { cookie in + if Self.sessionCookieNames.contains(cookie.name) { return true } + return cookie.name.lowercased().contains("session") + } + + if hasSessionCookie { + log("Found Ollama session cookie in \(source.label)") + return SessionInfo(cookies: cookies, sourceLabel: source.label) + } + + if fallback == nil { + fallback = SessionInfo(cookies: cookies, sourceLabel: source.label) + } + + log("\(source.label) cookies found, but no recognized session cookie present") + } + } catch { + BrowserCookieAccessGate.recordIfNeeded(error) + log("\(browserSource.displayName) cookie import failed: \(error.localizedDescription)") + } + } + + if let fallback { + log("Using \(fallback.sourceLabel) cookies without a recognized session token") + return fallback + } + + throw OllamaUsageError.noSessionCookie + } +} +#endif + +public struct OllamaUsageFetcher: Sendable { + private static let settingsURL = URL(string: "https://ollama.com/settings")! + @MainActor private static var recentDumps: [String] = [] + + public let browserDetection: BrowserDetection + + public init(browserDetection: BrowserDetection) { + self.browserDetection = browserDetection + } + + public func fetch( + cookieHeaderOverride: String? = nil, + logger: ((String) -> Void)? = nil, + now: Date = Date()) async throws -> OllamaUsageSnapshot + { + let log: (String) -> Void = { msg in logger?("[ollama] \(msg)") } + let cookieHeader = try await self.resolveCookieHeader(override: cookieHeaderOverride, logger: log) + + if let logger { + let names = self.cookieNames(from: cookieHeader) + if !names.isEmpty { + logger("[ollama] Cookie names: \(names.joined(separator: ", "))") + } + let diagnostics = RedirectDiagnostics(cookieHeader: cookieHeader, logger: logger) + do { + let (html, responseInfo) = try await self.fetchHTMLWithDiagnostics( + cookieHeader: cookieHeader, + diagnostics: diagnostics) + self.logDiagnostics(responseInfo: responseInfo, diagnostics: diagnostics, logger: logger) + do { + return try OllamaUsageParser.parse(html: html, now: now) + } catch { + logger("[ollama] Parse failed: \(error.localizedDescription)") + self.logHTMLHints(html: html, logger: logger) + throw error + } + } catch { + self.logDiagnostics(responseInfo: nil, diagnostics: diagnostics, logger: logger) + throw error + } + } + + let diagnostics = RedirectDiagnostics(cookieHeader: cookieHeader, logger: nil) + let (html, _) = try await self.fetchHTMLWithDiagnostics( + cookieHeader: cookieHeader, + diagnostics: diagnostics) + return try OllamaUsageParser.parse(html: html, now: now) + } + + public func debugRawProbe(cookieHeaderOverride: String? = nil) async -> String { + let stamp = ISO8601DateFormatter().string(from: Date()) + var lines: [String] = [] + lines.append("=== Ollama Debug Probe @ \(stamp) ===") + lines.append("") + + do { + let cookieHeader = try await self.resolveCookieHeader( + override: cookieHeaderOverride, + logger: { msg in lines.append("[cookie] \(msg)") }) + let diagnostics = RedirectDiagnostics(cookieHeader: cookieHeader, logger: nil) + let cookieNames = CookieHeaderNormalizer.pairs(from: cookieHeader).map(\.name) + lines.append("Cookie names: \(cookieNames.joined(separator: ", "))") + + let (snapshot, responseInfo) = try await self.fetchWithDiagnostics( + cookieHeader: cookieHeader, + diagnostics: diagnostics) + + lines.append("") + lines.append("Fetch Success") + lines.append("Status: \(responseInfo.statusCode) \(responseInfo.url)") + + if !diagnostics.redirects.isEmpty { + lines.append("") + lines.append("Redirects:") + for entry in diagnostics.redirects { + lines.append(" \(entry)") + } + } + + lines.append("") + lines.append("Plan: \(snapshot.planName ?? "unknown")") + lines.append("Session: \(snapshot.sessionUsedPercent?.description ?? "nil")%") + lines.append("Weekly: \(snapshot.weeklyUsedPercent?.description ?? "nil")%") + lines.append("Session resetsAt: \(snapshot.sessionResetsAt?.description ?? "nil")") + lines.append("Weekly resetsAt: \(snapshot.weeklyResetsAt?.description ?? "nil")") + + let output = lines.joined(separator: "\n") + Task { @MainActor in Self.recordDump(output) } + return output + } catch { + lines.append("") + lines.append("Probe Failed: \(error.localizedDescription)") + let output = lines.joined(separator: "\n") + Task { @MainActor in Self.recordDump(output) } + return output + } + } + + public static func latestDumps() async -> String { + await MainActor.run { + let result = Self.recentDumps.joined(separator: "\n\n---\n\n") + return result.isEmpty ? "No Ollama probe dumps captured yet." : result + } + } + + private func resolveCookieHeader( + override: String?, + logger: ((String) -> Void)?) async throws -> String + { + if let override = CookieHeaderNormalizer.normalize(override) { + if !override.isEmpty { + logger?("[ollama] Using manual cookie header") + return override + } + throw OllamaUsageError.noSessionCookie + } + #if os(macOS) + let session = try OllamaCookieImporter.importSession(browserDetection: self.browserDetection, logger: logger) + logger?("[ollama] Using cookies from \(session.sourceLabel)") + return session.cookieHeader + #else + throw OllamaUsageError.noSessionCookie + #endif + } + + private func fetchWithDiagnostics( + cookieHeader: String, + diagnostics: RedirectDiagnostics, + now: Date = Date()) async throws -> (OllamaUsageSnapshot, ResponseInfo) + { + let (html, responseInfo) = try await self.fetchHTMLWithDiagnostics( + cookieHeader: cookieHeader, + diagnostics: diagnostics) + let snapshot = try OllamaUsageParser.parse(html: html, now: now) + return (snapshot, responseInfo) + } + + private func fetchHTMLWithDiagnostics( + cookieHeader: String, + diagnostics: RedirectDiagnostics) async throws -> (String, ResponseInfo) + { + var request = URLRequest(url: Self.settingsURL) + request.httpMethod = "GET" + request.setValue(cookieHeader, forHTTPHeaderField: "Cookie") + request.setValue( + "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", + forHTTPHeaderField: "accept") + request.setValue( + "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) " + + "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36", + forHTTPHeaderField: "user-agent") + request.setValue("en-US,en;q=0.9", forHTTPHeaderField: "accept-language") + request.setValue("https://ollama.com", forHTTPHeaderField: "origin") + request.setValue(Self.settingsURL.absoluteString, forHTTPHeaderField: "referer") + + let session = URLSession(configuration: .ephemeral, delegate: diagnostics, delegateQueue: nil) + let (data, response) = try await session.data(for: request) + guard let httpResponse = response as? HTTPURLResponse else { + throw OllamaUsageError.networkError("Invalid response") + } + let responseInfo = ResponseInfo( + statusCode: httpResponse.statusCode, + url: httpResponse.url?.absoluteString ?? "unknown") + + guard httpResponse.statusCode == 200 else { + if httpResponse.statusCode == 401 || httpResponse.statusCode == 403 { + throw OllamaUsageError.invalidCredentials + } + throw OllamaUsageError.networkError("HTTP \(httpResponse.statusCode)") + } + + let html = String(data: data, encoding: .utf8) ?? "" + return (html, responseInfo) + } + + @MainActor private static func recordDump(_ text: String) { + if self.recentDumps.count >= 5 { self.recentDumps.removeFirst() } + self.recentDumps.append(text) + } + + private final class RedirectDiagnostics: NSObject, URLSessionTaskDelegate, @unchecked Sendable { + private let cookieHeader: String + private let logger: ((String) -> Void)? + var redirects: [String] = [] + + init(cookieHeader: String, logger: ((String) -> Void)?) { + self.cookieHeader = cookieHeader + self.logger = logger + } + + func urlSession( + _: URLSession, + task _: URLSessionTask, + willPerformHTTPRedirection response: HTTPURLResponse, + newRequest request: URLRequest, + completionHandler: @escaping (URLRequest?) -> Void) + { + let from = response.url?.absoluteString ?? "unknown" + let to = request.url?.absoluteString ?? "unknown" + self.redirects.append("\(response.statusCode) \(from) -> \(to)") + var updated = request + if OllamaUsageFetcher.shouldAttachCookie(to: request.url), !self.cookieHeader.isEmpty { + updated.setValue(self.cookieHeader, forHTTPHeaderField: "Cookie") + } else { + updated.setValue(nil, forHTTPHeaderField: "Cookie") + } + if let referer = response.url?.absoluteString { + updated.setValue(referer, forHTTPHeaderField: "referer") + } + if let logger { + logger("[ollama] Redirect \(response.statusCode) \(from) -> \(to)") + } + completionHandler(updated) + } + } + + private struct ResponseInfo: Sendable { + let statusCode: Int + let url: String + } + + private func logDiagnostics( + responseInfo: ResponseInfo?, + diagnostics: RedirectDiagnostics, + logger: (String) -> Void) + { + if let responseInfo { + logger("[ollama] Response: \(responseInfo.statusCode) \(responseInfo.url)") + } + if !diagnostics.redirects.isEmpty { + logger("[ollama] Redirects:") + for entry in diagnostics.redirects { + logger("[ollama] \(entry)") + } + } + } + + private func logHTMLHints(html: String, logger: (String) -> Void) { + let trimmed = html + .replacingOccurrences(of: "\n", with: " ") + .replacingOccurrences(of: "\t", with: " ") + .trimmingCharacters(in: .whitespacesAndNewlines) + if !trimmed.isEmpty { + let snippet = trimmed.prefix(240) + logger("[ollama] HTML snippet: \(snippet)") + } + logger("[ollama] Contains Cloud Usage: \(html.contains("Cloud Usage"))") + logger("[ollama] Contains Session usage: \(html.contains("Session usage"))") + logger("[ollama] Contains Weekly usage: \(html.contains("Weekly usage"))") + } + + private func cookieNames(from header: String) -> [String] { + header.split(separator: ";", omittingEmptySubsequences: false).compactMap { part in + let trimmed = part.trimmingCharacters(in: .whitespaces) + guard let idx = trimmed.firstIndex(of: "=") else { return nil } + let name = trimmed[.. Bool { + guard let host = url?.host?.lowercased() else { return false } + if host == "ollama.com" || host == "www.ollama.com" { return true } + return host.hasSuffix(".ollama.com") + } +} diff --git a/Sources/CodexBarCore/Providers/Ollama/OllamaUsageParser.swift b/Sources/CodexBarCore/Providers/Ollama/OllamaUsageParser.swift new file mode 100644 index 000000000..a1def6e81 --- /dev/null +++ b/Sources/CodexBarCore/Providers/Ollama/OllamaUsageParser.swift @@ -0,0 +1,114 @@ +import Foundation + +enum OllamaUsageParser { + static func parse(html: String, now: Date = Date()) throws -> OllamaUsageSnapshot { + let plan = self.parsePlanName(html) + let email = self.parseAccountEmail(html) + let session = self.parseUsageBlock(label: "Session usage", html: html) + let weekly = self.parseUsageBlock(label: "Weekly usage", html: html) + + if session == nil && weekly == nil { + if self.looksSignedOut(html) { + throw OllamaUsageError.notLoggedIn + } + throw OllamaUsageError.parseFailed("Missing Ollama usage data.") + } + + return OllamaUsageSnapshot( + planName: plan, + accountEmail: email, + sessionUsedPercent: session?.usedPercent, + weeklyUsedPercent: weekly?.usedPercent, + sessionResetsAt: session?.resetsAt, + weeklyResetsAt: weekly?.resetsAt, + updatedAt: now) + } + + private struct UsageBlock: Sendable { + let usedPercent: Double + let resetsAt: Date? + } + + private static func parsePlanName(_ html: String) -> String? { + let pattern = #"Cloud Usage\s*\s*]*>([^<]+)"# + guard let raw = self.firstCapture(in: html, pattern: pattern, options: [.dotMatchesLineSeparators]) + else { return nil } + let trimmed = raw.trimmingCharacters(in: .whitespacesAndNewlines) + return trimmed.isEmpty ? nil : trimmed + } + + private static func parseAccountEmail(_ html: String) -> String? { + let pattern = #"id=\"header-email\"[^>]*>([^<]+)<"# + guard let raw = self.firstCapture(in: html, pattern: pattern, options: [.dotMatchesLineSeparators]) + else { return nil } + let trimmed = raw.trimmingCharacters(in: .whitespacesAndNewlines) + guard trimmed.contains("@") else { return nil } + return trimmed + } + + private static func parseUsageBlock(label: String, html: String) -> UsageBlock? { + guard let labelRange = html.range(of: label) else { return nil } + let tail = String(html[labelRange.upperBound...]) + let window = String(tail.prefix(800)) + + guard let usedPercent = self.parsePercent(in: window) else { return nil } + let resetsAt = self.parseISODate(in: window) + return UsageBlock(usedPercent: usedPercent, resetsAt: resetsAt) + } + + private static func parsePercent(in text: String) -> Double? { + let usedPattern = #"([0-9]+(?:\.[0-9]+)?)\s*%\s*used"# + if let raw = self.firstCapture(in: text, pattern: usedPattern, options: [.caseInsensitive]) { + return Double(raw) + } + let widthPattern = #"width:\s*([0-9]+(?:\.[0-9]+)?)%"# + if let raw = self.firstCapture(in: text, pattern: widthPattern, options: [.caseInsensitive]) { + return Double(raw) + } + return nil + } + + private static func parseISODate(in text: String) -> Date? { + let pattern = #"data-time=\"([^\"]+)\""# + guard let raw = self.firstCapture(in: text, pattern: pattern, options: []) else { return nil } + let formatter = ISO8601DateFormatter() + formatter.formatOptions = [.withInternetDateTime, .withFractionalSeconds] + if let date = formatter.date(from: raw) { + return date + } + let fallback = ISO8601DateFormatter() + fallback.formatOptions = [.withInternetDateTime] + return fallback.date(from: raw) + } + + private static func firstCapture( + in text: String, + pattern: String, + options: NSRegularExpression.Options) -> String? + { + guard let regex = try? NSRegularExpression(pattern: pattern, options: options) else { return nil } + return Self.performMatch(regex: regex, text: text) + } + + private static func performMatch( + regex: NSRegularExpression, + text: String) -> String? + { + let range = NSRange(text.startIndex.. 1, + let captureRange = Range(match.range(at: 1), in: text) + else { return nil } + return String(text[captureRange]) + } + + private static func looksSignedOut(_ html: String) -> Bool { + let lower = html.lowercased() + if lower.contains("sign in") || lower.contains("log in") || lower.contains("login") { + return true + } + if lower.contains("/login") || lower.contains("/signin") { + return true + } + return false + } +} diff --git a/Sources/CodexBarCore/Providers/Ollama/OllamaUsageSnapshot.swift b/Sources/CodexBarCore/Providers/Ollama/OllamaUsageSnapshot.swift new file mode 100644 index 000000000..002f78d81 --- /dev/null +++ b/Sources/CodexBarCore/Providers/Ollama/OllamaUsageSnapshot.swift @@ -0,0 +1,66 @@ +import Foundation + +public struct OllamaUsageSnapshot: Sendable { + public let planName: String? + public let accountEmail: String? + public let sessionUsedPercent: Double? + public let weeklyUsedPercent: Double? + public let sessionResetsAt: Date? + public let weeklyResetsAt: Date? + public let updatedAt: Date + + public init( + planName: String?, + accountEmail: String?, + sessionUsedPercent: Double?, + weeklyUsedPercent: Double?, + sessionResetsAt: Date?, + weeklyResetsAt: Date?, + updatedAt: Date) + { + self.planName = planName + self.accountEmail = accountEmail + self.sessionUsedPercent = sessionUsedPercent + self.weeklyUsedPercent = weeklyUsedPercent + self.sessionResetsAt = sessionResetsAt + self.weeklyResetsAt = weeklyResetsAt + self.updatedAt = updatedAt + } +} + +extension OllamaUsageSnapshot { + public func toUsageSnapshot() -> UsageSnapshot { + let sessionWindow = self.makeWindow( + usedPercent: self.sessionUsedPercent, + resetsAt: self.sessionResetsAt) + let weeklyWindow = self.makeWindow( + usedPercent: self.weeklyUsedPercent, + resetsAt: self.weeklyResetsAt) + + let plan = self.planName?.trimmingCharacters(in: .whitespacesAndNewlines) + let email = self.accountEmail?.trimmingCharacters(in: .whitespacesAndNewlines) + let identity = ProviderIdentitySnapshot( + providerID: .ollama, + accountEmail: email?.isEmpty == false ? email : nil, + accountOrganization: nil, + loginMethod: plan?.isEmpty == false ? plan : nil) + + return UsageSnapshot( + primary: sessionWindow, + secondary: weeklyWindow, + tertiary: nil, + providerCost: nil, + updatedAt: self.updatedAt, + identity: identity) + } + + private func makeWindow(usedPercent: Double?, resetsAt: Date?) -> RateWindow? { + guard let usedPercent else { return nil } + let clamped = min(100, max(0, usedPercent)) + return RateWindow( + usedPercent: clamped, + windowMinutes: nil, + resetsAt: resetsAt, + resetDescription: nil) + } +} diff --git a/Sources/CodexBarCore/Providers/ProviderDescriptor.swift b/Sources/CodexBarCore/Providers/ProviderDescriptor.swift index 80e552223..f7ed0884b 100644 --- a/Sources/CodexBarCore/Providers/ProviderDescriptor.swift +++ b/Sources/CodexBarCore/Providers/ProviderDescriptor.swift @@ -70,6 +70,7 @@ public enum ProviderDescriptorRegistry { .jetbrains: JetBrainsProviderDescriptor.descriptor, .kimik2: KimiK2ProviderDescriptor.descriptor, .amp: AmpProviderDescriptor.descriptor, + .ollama: OllamaProviderDescriptor.descriptor, .synthetic: SyntheticProviderDescriptor.descriptor, .warp: WarpProviderDescriptor.descriptor, ] diff --git a/Sources/CodexBarCore/Providers/ProviderSettingsSnapshot.swift b/Sources/CodexBarCore/Providers/ProviderSettingsSnapshot.swift index f83cb9fd1..a6fe9d61e 100644 --- a/Sources/CodexBarCore/Providers/ProviderSettingsSnapshot.swift +++ b/Sources/CodexBarCore/Providers/ProviderSettingsSnapshot.swift @@ -15,6 +15,7 @@ public struct ProviderSettingsSnapshot: Sendable { kimi: KimiProviderSettings? = nil, augment: AugmentProviderSettings? = nil, amp: AmpProviderSettings? = nil, + ollama: OllamaProviderSettings? = nil, jetbrains: JetBrainsProviderSettings? = nil) -> ProviderSettingsSnapshot { ProviderSettingsSnapshot( @@ -31,6 +32,7 @@ public struct ProviderSettingsSnapshot: Sendable { kimi: kimi, augment: augment, amp: amp, + ollama: ollama, jetbrains: jetbrains) } @@ -167,6 +169,16 @@ public struct ProviderSettingsSnapshot: Sendable { } } + public struct OllamaProviderSettings: Sendable { + public let cookieSource: ProviderCookieSource + public let manualCookieHeader: String? + + public init(cookieSource: ProviderCookieSource, manualCookieHeader: String?) { + self.cookieSource = cookieSource + self.manualCookieHeader = manualCookieHeader + } + } + public let debugMenuEnabled: Bool public let debugKeepCLISessionsAlive: Bool public let codex: CodexProviderSettings? @@ -180,6 +192,7 @@ public struct ProviderSettingsSnapshot: Sendable { public let kimi: KimiProviderSettings? public let augment: AugmentProviderSettings? public let amp: AmpProviderSettings? + public let ollama: OllamaProviderSettings? public let jetbrains: JetBrainsProviderSettings? public var jetbrainsIDEBasePath: String? { @@ -200,6 +213,7 @@ public struct ProviderSettingsSnapshot: Sendable { kimi: KimiProviderSettings?, augment: AugmentProviderSettings?, amp: AmpProviderSettings?, + ollama: OllamaProviderSettings?, jetbrains: JetBrainsProviderSettings? = nil) { self.debugMenuEnabled = debugMenuEnabled @@ -215,6 +229,7 @@ public struct ProviderSettingsSnapshot: Sendable { self.kimi = kimi self.augment = augment self.amp = amp + self.ollama = ollama self.jetbrains = jetbrains } } @@ -231,6 +246,7 @@ public enum ProviderSettingsSnapshotContribution: Sendable { case kimi(ProviderSettingsSnapshot.KimiProviderSettings) case augment(ProviderSettingsSnapshot.AugmentProviderSettings) case amp(ProviderSettingsSnapshot.AmpProviderSettings) + case ollama(ProviderSettingsSnapshot.OllamaProviderSettings) case jetbrains(ProviderSettingsSnapshot.JetBrainsProviderSettings) } @@ -248,6 +264,7 @@ public struct ProviderSettingsSnapshotBuilder: Sendable { public var kimi: ProviderSettingsSnapshot.KimiProviderSettings? public var augment: ProviderSettingsSnapshot.AugmentProviderSettings? public var amp: ProviderSettingsSnapshot.AmpProviderSettings? + public var ollama: ProviderSettingsSnapshot.OllamaProviderSettings? public var jetbrains: ProviderSettingsSnapshot.JetBrainsProviderSettings? public init(debugMenuEnabled: Bool = false, debugKeepCLISessionsAlive: Bool = false) { @@ -268,6 +285,7 @@ public struct ProviderSettingsSnapshotBuilder: Sendable { case let .kimi(value): self.kimi = value case let .augment(value): self.augment = value case let .amp(value): self.amp = value + case let .ollama(value): self.ollama = value case let .jetbrains(value): self.jetbrains = value } } @@ -287,6 +305,7 @@ public struct ProviderSettingsSnapshotBuilder: Sendable { kimi: self.kimi, augment: self.augment, amp: self.amp, + ollama: self.ollama, jetbrains: self.jetbrains) } } diff --git a/Sources/CodexBarCore/Providers/Providers.swift b/Sources/CodexBarCore/Providers/Providers.swift index 3fc0de98c..418535b52 100644 --- a/Sources/CodexBarCore/Providers/Providers.swift +++ b/Sources/CodexBarCore/Providers/Providers.swift @@ -20,6 +20,7 @@ public enum UsageProvider: String, CaseIterable, Sendable, Codable { case jetbrains case kimik2 case amp + case ollama case synthetic case warp } @@ -44,6 +45,7 @@ public enum IconStyle: Sendable, CaseIterable { case augment case jetbrains case amp + case ollama case synthetic case warp case combined diff --git a/Sources/CodexBarCore/Vendored/CostUsage/CostUsageScanner.swift b/Sources/CodexBarCore/Vendored/CostUsage/CostUsageScanner.swift index 1936d7eff..3269222a4 100644 --- a/Sources/CodexBarCore/Vendored/CostUsage/CostUsageScanner.swift +++ b/Sources/CodexBarCore/Vendored/CostUsage/CostUsageScanner.swift @@ -97,6 +97,8 @@ enum CostUsageScanner { return CostUsageDailyReport(data: [], summary: nil) case .amp: return CostUsageDailyReport(data: [], summary: nil) + case .ollama: + return CostUsageDailyReport(data: [], summary: nil) case .synthetic: return CostUsageDailyReport(data: [], summary: nil) case .warp: diff --git a/Sources/CodexBarWidget/CodexBarWidgetProvider.swift b/Sources/CodexBarWidget/CodexBarWidgetProvider.swift index 0d46a0510..7b094bf46 100644 --- a/Sources/CodexBarWidget/CodexBarWidgetProvider.swift +++ b/Sources/CodexBarWidget/CodexBarWidgetProvider.swift @@ -58,6 +58,7 @@ enum ProviderChoice: String, AppEnum { case .kimi: return nil // Kimi not yet supported in widgets case .kimik2: return nil // Kimi K2 not yet supported in widgets case .amp: return nil // Amp not yet supported in widgets + case .ollama: return nil // Ollama not yet supported in widgets case .synthetic: return nil // Synthetic not yet supported in widgets case .warp: return nil // Warp not yet supported in widgets } diff --git a/Sources/CodexBarWidget/CodexBarWidgetViews.swift b/Sources/CodexBarWidget/CodexBarWidgetViews.swift index 85ae62f42..6e3ea3528 100644 --- a/Sources/CodexBarWidget/CodexBarWidgetViews.swift +++ b/Sources/CodexBarWidget/CodexBarWidgetViews.swift @@ -274,6 +274,7 @@ private struct ProviderSwitchChip: View { case .kimi: "Kimi" case .kimik2: "Kimi K2" case .amp: "Amp" + case .ollama: "Ollama" case .synthetic: "Synthetic" case .warp: "Warp" } @@ -604,6 +605,8 @@ enum WidgetColors { Color(red: 76 / 255, green: 0 / 255, blue: 255 / 255) // Kimi K2 purple case .amp: Color(red: 220 / 255, green: 38 / 255, blue: 38 / 255) // Amp red + case .ollama: + Color(red: 32 / 255, green: 32 / 255, blue: 32 / 255) // Ollama charcoal case .synthetic: Color(red: 20 / 255, green: 20 / 255, blue: 20 / 255) // Synthetic charcoal case .warp: diff --git a/Tests/CodexBarTests/CLIProviderSelectionTests.swift b/Tests/CodexBarTests/CLIProviderSelectionTests.swift index 66b3afa22..fe74c2860 100644 --- a/Tests/CodexBarTests/CLIProviderSelectionTests.swift +++ b/Tests/CodexBarTests/CLIProviderSelectionTests.swift @@ -21,6 +21,7 @@ struct CLIProviderSelectionTests { "|synthetic|", "|kiro|", "|warp|", + "|ollama|", "|both|", "|all]", ] diff --git a/Tests/CodexBarTests/OllamaUsageFetcherTests.swift b/Tests/CodexBarTests/OllamaUsageFetcherTests.swift new file mode 100644 index 000000000..c520e8cd4 --- /dev/null +++ b/Tests/CodexBarTests/OllamaUsageFetcherTests.swift @@ -0,0 +1,20 @@ +import Foundation +import Testing +@testable import CodexBarCore + +@Suite +struct OllamaUsageFetcherTests { + @Test + func attachesCookieForOllamaHosts() { + #expect(OllamaUsageFetcher.shouldAttachCookie(to: URL(string: "https://ollama.com/settings"))) + #expect(OllamaUsageFetcher.shouldAttachCookie(to: URL(string: "https://www.ollama.com"))) + #expect(OllamaUsageFetcher.shouldAttachCookie(to: URL(string: "https://app.ollama.com/path"))) + } + + @Test + func rejectsNonOllamaHosts() { + #expect(!OllamaUsageFetcher.shouldAttachCookie(to: URL(string: "https://example.com"))) + #expect(!OllamaUsageFetcher.shouldAttachCookie(to: URL(string: "https://ollama.com.evil.com"))) + #expect(!OllamaUsageFetcher.shouldAttachCookie(to: nil)) + } +} diff --git a/Tests/CodexBarTests/OllamaUsageParserTests.swift b/Tests/CodexBarTests/OllamaUsageParserTests.swift new file mode 100644 index 000000000..01d81dcbc --- /dev/null +++ b/Tests/CodexBarTests/OllamaUsageParserTests.swift @@ -0,0 +1,92 @@ +import Foundation +import Testing +@testable import CodexBarCore + +@Suite +struct OllamaUsageParserTests { + @Test + func parsesCloudUsageFromSettingsHTML() throws { + let now = Date(timeIntervalSince1970: 1_700_000_000) + let html = """ +
+

+ Cloud Usage + free +

+

user@example.com

+
+ Session usage + 0.1% used +
Resets in 3 hours
+
+
+ Weekly usage + 0.7% used +
Resets in 2 days
+
+
+ """ + + let snapshot = try OllamaUsageParser.parse(html: html, now: now) + + #expect(snapshot.planName == "free") + #expect(snapshot.accountEmail == "user@example.com") + #expect(snapshot.sessionUsedPercent == 0.1) + #expect(snapshot.weeklyUsedPercent == 0.7) + + let formatter = ISO8601DateFormatter() + formatter.formatOptions = [.withInternetDateTime] + let expectedSession = formatter.date(from: "2026-01-30T18:00:00Z") + let expectedWeekly = formatter.date(from: "2026-02-02T00:00:00Z") + #expect(snapshot.sessionResetsAt == expectedSession) + #expect(snapshot.weeklyResetsAt == expectedWeekly) + + let usage = snapshot.toUsageSnapshot() + #expect(usage.identity?.loginMethod == "free") + #expect(usage.identity?.accountEmail == "user@example.com") + } + + @Test + func missingUsageThrowsParseFailed() { + let html = "No usage here." + + #expect { + try OllamaUsageParser.parse(html: html) + } throws: { error in + guard case let OllamaUsageError.parseFailed(message) = error else { return false } + return message.contains("Missing Ollama usage data") + } + } + + @Test + func signedOutThrowsNotLoggedIn() { + let html = "Please sign in to Ollama." + + #expect { + try OllamaUsageParser.parse(html: html) + } throws: { error in + guard case OllamaUsageError.notLoggedIn = error else { return false } + return true + } + } + + @Test + func parsesUsageWhenUsedIsCapitalized() throws { + let now = Date(timeIntervalSince1970: 1_700_000_000) + let html = """ +
+ Session usage + 1.2% Used +
Resets in 3 hours
+ Weekly usage + 3.4% USED +
Resets in 2 days
+
+ """ + + let snapshot = try OllamaUsageParser.parse(html: html, now: now) + + #expect(snapshot.sessionUsedPercent == 1.2) + #expect(snapshot.weeklyUsedPercent == 3.4) + } +} diff --git a/Tests/CodexBarTests/SettingsStoreTests.swift b/Tests/CodexBarTests/SettingsStoreTests.swift index 77e1b767c..6354f65a8 100644 --- a/Tests/CodexBarTests/SettingsStoreTests.swift +++ b/Tests/CodexBarTests/SettingsStoreTests.swift @@ -363,6 +363,7 @@ struct SettingsStoreTests { .jetbrains, .kimik2, .amp, + .ollama, .synthetic, .warp, ]) diff --git a/docs/ollama.md b/docs/ollama.md new file mode 100644 index 000000000..88233879f --- /dev/null +++ b/docs/ollama.md @@ -0,0 +1,52 @@ +--- +summary: "Ollama provider notes: settings scrape, cookie auth, and Cloud Usage parsing." +read_when: + - Adding or modifying the Ollama provider + - Debugging Ollama cookie import or settings parsing + - Adjusting Ollama menu labels or usage mapping +--- + +# Ollama Provider + +The Ollama provider scrapes the **Plan & Billing** page to extract Cloud Usage limits for session and weekly windows. + +## Features + +- **Plan badge**: Reads the plan tier (Free/Pro/Max) from the Cloud Usage header. +- **Session + weekly usage**: Parses the percent-used values shown in the usage bars. +- **Reset timestamps**: Uses the `data-time` attribute on the “Resets in …” elements. +- **Browser cookie auth**: No API keys required. + +## Setup + +1. Open **Settings → Providers**. +2. Enable **Ollama**. +3. Leave **Cookie source** on **Auto** (recommended). + +### Manual cookie import (optional) + +1. Open `https://ollama.com/settings` in your browser. +2. Copy a `Cookie:` header from the Network tab. +3. Paste it into **Ollama → Cookie source → Manual**. + +## How it works + +- Fetches `https://ollama.com/settings` using browser cookies. +- Parses: + - Plan badge under **Cloud Usage**. + - **Session usage** and **Weekly usage** percentages. + - `data-time` ISO timestamps for reset times. + +## Troubleshooting + +### “No Ollama session cookie found” + +Log in to `https://ollama.com/settings` in a supported browser (Safari or Chromium-based), then refresh in CodexBar. + +### “Ollama session cookie expired” + +Sign out and back in at `https://ollama.com/settings`, then refresh. + +### “Could not parse Ollama usage” + +The settings page HTML may have changed. Capture the latest page HTML and update `OllamaUsageParser`. diff --git a/docs/providers.md b/docs/providers.md index dd21169bf..b69d05694 100644 --- a/docs/providers.md +++ b/docs/providers.md @@ -1,5 +1,5 @@ --- -summary: "Provider data sources and parsing overview (Codex, Claude, Gemini, Antigravity, Cursor, Droid/Factory, z.ai, Copilot, Kimi, Kimi K2, Kiro, Warp, Vertex AI, Augment, Amp, JetBrains AI)." +summary: "Provider data sources and parsing overview (Codex, Claude, Gemini, Antigravity, Cursor, Droid/Factory, z.ai, Copilot, Kimi, Kimi K2, Kiro, Warp, Vertex AI, Augment, Amp, Ollama, JetBrains AI)." read_when: - Adding or modifying provider fetch/parsing - Adjusting provider labels, toggles, or metadata @@ -35,6 +35,7 @@ until the session is invalid, to avoid repeated Keychain prompts. | JetBrains AI | Local XML quota file (`local`). | | Amp | Web settings page via browser cookies (`web`). | | Warp | API token (config/env) → GraphQL request limits (`api`). | +| Ollama | Web settings page via browser cookies (`web`). | ## Codex - Web dashboard (when enabled): `https://chatgpt.com/codex/settings/usage` via WebView + browser cookies. @@ -146,4 +147,11 @@ until the session is invalid, to avoid repeated Keychain prompts. - Parses Amp Free usage from the settings HTML. - Status: none yet. - Details: `docs/amp.md`. + +## Ollama +- Web settings page (`https://ollama.com/settings`) via browser cookies. +- Parses Cloud Usage plan badge, session/weekly usage, and reset timestamps. +- Status: none yet. +- Details: `docs/ollama.md`. + See also: `docs/provider.md` for architecture notes. From 3b3071d66d15cbb86de80f4b91cf0eb0b57e4d0c Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Sun, 15 Feb 2026 19:44:50 +0530 Subject: [PATCH 058/131] Fix Ollama formatting violations --- .../Providers/Ollama/OllamaProviderImplementation.swift | 2 +- Sources/CodexBar/Providers/Ollama/OllamaSettingsStore.swift | 3 ++- Sources/CodexBarCore/Providers/Ollama/OllamaUsageParser.swift | 2 +- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/Sources/CodexBar/Providers/Ollama/OllamaProviderImplementation.swift b/Sources/CodexBar/Providers/Ollama/OllamaProviderImplementation.swift index 5d71c5b39..d61895de3 100644 --- a/Sources/CodexBar/Providers/Ollama/OllamaProviderImplementation.swift +++ b/Sources/CodexBar/Providers/Ollama/OllamaProviderImplementation.swift @@ -75,7 +75,7 @@ struct OllamaProviderImplementation: ProviderImplementation { }), ], isVisible: { context.settings.ollamaCookieSource == .manual }, - onActivate: { }), + onActivate: {}), ] } } diff --git a/Sources/CodexBar/Providers/Ollama/OllamaSettingsStore.swift b/Sources/CodexBar/Providers/Ollama/OllamaSettingsStore.swift index a74534574..c8b7abaec 100644 --- a/Sources/CodexBar/Providers/Ollama/OllamaSettingsStore.swift +++ b/Sources/CodexBar/Providers/Ollama/OllamaSettingsStore.swift @@ -24,7 +24,8 @@ extension SettingsStore { } extension SettingsStore { - func ollamaSettingsSnapshot(tokenOverride: TokenAccountOverride?) -> ProviderSettingsSnapshot.OllamaProviderSettings { + func ollamaSettingsSnapshot(tokenOverride: TokenAccountOverride?) -> ProviderSettingsSnapshot + .OllamaProviderSettings { ProviderSettingsSnapshot.OllamaProviderSettings( cookieSource: self.ollamaSnapshotCookieSource(tokenOverride: tokenOverride), manualCookieHeader: self.ollamaSnapshotCookieHeader(tokenOverride: tokenOverride)) diff --git a/Sources/CodexBarCore/Providers/Ollama/OllamaUsageParser.swift b/Sources/CodexBarCore/Providers/Ollama/OllamaUsageParser.swift index a1def6e81..de7a6cc3e 100644 --- a/Sources/CodexBarCore/Providers/Ollama/OllamaUsageParser.swift +++ b/Sources/CodexBarCore/Providers/Ollama/OllamaUsageParser.swift @@ -7,7 +7,7 @@ enum OllamaUsageParser { let session = self.parseUsageBlock(label: "Session usage", html: html) let weekly = self.parseUsageBlock(label: "Weekly usage", html: html) - if session == nil && weekly == nil { + if session == nil, weekly == nil { if self.looksSignedOut(html) { throw OllamaUsageError.notLoggedIn } From 1270eda04fb5763ccab75765a0124846c7d48b4f Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Sun, 15 Feb 2026 19:50:50 +0530 Subject: [PATCH 059/131] Harden Ollama usage parsing for label variants and auth detection --- .../Providers/Ollama/OllamaUsageParser.swift | 39 +++++++++++++++++-- .../OllamaUsageParserTests.swift | 34 +++++++++++++++- 2 files changed, 68 insertions(+), 5 deletions(-) diff --git a/Sources/CodexBarCore/Providers/Ollama/OllamaUsageParser.swift b/Sources/CodexBarCore/Providers/Ollama/OllamaUsageParser.swift index de7a6cc3e..c8ccb1a56 100644 --- a/Sources/CodexBarCore/Providers/Ollama/OllamaUsageParser.swift +++ b/Sources/CodexBarCore/Providers/Ollama/OllamaUsageParser.swift @@ -1,10 +1,12 @@ import Foundation enum OllamaUsageParser { + private static let primaryUsageLabels = ["Session usage", "Hourly usage"] + static func parse(html: String, now: Date = Date()) throws -> OllamaUsageSnapshot { let plan = self.parsePlanName(html) let email = self.parseAccountEmail(html) - let session = self.parseUsageBlock(label: "Session usage", html: html) + let session = self.parseUsageBlock(labels: self.primaryUsageLabels, html: html) let weekly = self.parseUsageBlock(label: "Weekly usage", html: html) if session == nil, weekly == nil { @@ -56,6 +58,15 @@ enum OllamaUsageParser { return UsageBlock(usedPercent: usedPercent, resetsAt: resetsAt) } + private static func parseUsageBlock(labels: [String], html: String) -> UsageBlock? { + for label in labels { + if let parsed = self.parseUsageBlock(label: label, html: html) { + return parsed + } + } + return nil + } + private static func parsePercent(in text: String) -> Double? { let usedPattern = #"([0-9]+(?:\.[0-9]+)?)\s*%\s*used"# if let raw = self.firstCapture(in: text, pattern: usedPattern, options: [.caseInsensitive]) { @@ -103,10 +114,32 @@ enum OllamaUsageParser { private static func looksSignedOut(_ html: String) -> Bool { let lower = html.lowercased() - if lower.contains("sign in") || lower.contains("log in") || lower.contains("login") { + if lower.contains("sign in to ollama") || lower.contains("log in to ollama") { + return true + } + let hasAuthRoute = lower.contains("/api/auth/signin") || lower.contains("/auth/signin") + let hasLoginRoute = lower.contains("action=\"/login\"") + || lower.contains("action='/login'") + || lower.contains("href=\"/login\"") + || lower.contains("href='/login'") + || lower.contains("action=\"/signin\"") + || lower.contains("action='/signin'") + || lower.contains("href=\"/signin\"") + || lower.contains("href='/signin'") + let hasPasswordField = lower.contains("type=\"password\"") + || lower.contains("type='password'") + || lower.contains("name=\"password\"") + || lower.contains("name='password'") + let hasEmailField = lower.contains("type=\"email\"") + || lower.contains("type='email'") + || lower.contains("name=\"email\"") + || lower.contains("name='email'") + let hasAuthForm = lower.contains(" + +

Sign in to Ollama

+
+ + +
+ + + """ #expect { try OllamaUsageParser.parse(html: html) @@ -70,6 +80,26 @@ struct OllamaUsageParserTests { } } + @Test + func parsesHourlyUsageAsPrimaryWindow() throws { + let now = Date(timeIntervalSince1970: 1_700_000_000) + let html = """ +
+ Hourly usage + 2.5% used +
Resets in 3 hours
+ Weekly usage + 4.2% used +
Resets in 2 days
+
+ """ + + let snapshot = try OllamaUsageParser.parse(html: html, now: now) + + #expect(snapshot.sessionUsedPercent == 2.5) + #expect(snapshot.weeklyUsedPercent == 4.2) + } + @Test func parsesUsageWhenUsedIsCapitalized() throws { let now = Date(timeIntervalSince1970: 1_700_000_000) From 783e7de2a327e6a1d595cda931fd7965c20d62c6 Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Sun, 15 Feb 2026 19:55:32 +0530 Subject: [PATCH 060/131] Complete Ollama token account support across settings and CLI --- .../Ollama/OllamaProviderImplementation.swift | 16 +++++++++- .../Ollama/OllamaSettingsStore.swift | 2 ++ Sources/CodexBarCLI/TokenAccountCLI.swift | 2 +- .../TokenAccountSupportCatalog+Data.swift | 7 +++++ .../CodexBarTests/ConfigValidationTests.swift | 12 ++++++++ .../SettingsStoreAdditionalTests.swift | 10 +++++++ .../SettingsStoreCoverageTests.swift | 1 + ...kenAccountEnvironmentPrecedenceTests.swift | 30 +++++++++++++++++++ 8 files changed, 78 insertions(+), 2 deletions(-) diff --git a/Sources/CodexBar/Providers/Ollama/OllamaProviderImplementation.swift b/Sources/CodexBar/Providers/Ollama/OllamaProviderImplementation.swift index d61895de3..99d8582f1 100644 --- a/Sources/CodexBar/Providers/Ollama/OllamaProviderImplementation.swift +++ b/Sources/CodexBar/Providers/Ollama/OllamaProviderImplementation.swift @@ -19,6 +19,20 @@ struct OllamaProviderImplementation: ProviderImplementation { .ollama(context.settings.ollamaSettingsSnapshot(tokenOverride: context.tokenOverride)) } + @MainActor + func tokenAccountsVisibility(context: ProviderSettingsContext, support: TokenAccountSupport) -> Bool { + guard support.requiresManualCookieSource else { return true } + if !context.settings.tokenAccounts(for: context.provider).isEmpty { return true } + return context.settings.ollamaCookieSource == .manual + } + + @MainActor + func applyTokenAccountCookieSource(settings: SettingsStore) { + if settings.ollamaCookieSource != .manual { + settings.ollamaCookieSource = .manual + } + } + @MainActor func settingsPickers(context: ProviderSettingsContext) -> [ProviderSettingsPickerDescriptor] { let cookieBinding = Binding( @@ -75,7 +89,7 @@ struct OllamaProviderImplementation: ProviderImplementation { }), ], isVisible: { context.settings.ollamaCookieSource == .manual }, - onActivate: {}), + onActivate: { context.settings.ensureOllamaCookieLoaded() }), ] } } diff --git a/Sources/CodexBar/Providers/Ollama/OllamaSettingsStore.swift b/Sources/CodexBar/Providers/Ollama/OllamaSettingsStore.swift index c8b7abaec..99e0d6504 100644 --- a/Sources/CodexBar/Providers/Ollama/OllamaSettingsStore.swift +++ b/Sources/CodexBar/Providers/Ollama/OllamaSettingsStore.swift @@ -21,6 +21,8 @@ extension SettingsStore { self.logProviderModeChange(provider: .ollama, field: "cookieSource", value: newValue.rawValue) } } + + func ensureOllamaCookieLoaded() {} } extension SettingsStore { diff --git a/Sources/CodexBarCLI/TokenAccountCLI.swift b/Sources/CodexBarCLI/TokenAccountCLI.swift index b0a3bc781..2487a2b1b 100644 --- a/Sources/CodexBarCLI/TokenAccountCLI.swift +++ b/Sources/CodexBarCLI/TokenAccountCLI.swift @@ -280,13 +280,13 @@ struct TokenAccountCLIContext { account: ProviderTokenAccount?, config: ProviderConfig?) -> ProviderCookieSource { - if let override = config?.cookieSource { return override } if let account, TokenAccountSupportCatalog.support(for: provider)?.requiresManualCookieSource == true { if provider == .claude, TokenAccountSupportCatalog.isClaudeOAuthToken(account.token) { return .off } return .manual } + if let override = config?.cookieSource { return override } if config?.sanitizedCookieHeader != nil { return .manual } diff --git a/Sources/CodexBarCore/TokenAccountSupportCatalog+Data.swift b/Sources/CodexBarCore/TokenAccountSupportCatalog+Data.swift index b2bc65d41..2a1d0f1d4 100644 --- a/Sources/CodexBarCore/TokenAccountSupportCatalog+Data.swift +++ b/Sources/CodexBarCore/TokenAccountSupportCatalog+Data.swift @@ -51,5 +51,12 @@ extension TokenAccountSupportCatalog { injection: .cookieHeader, requiresManualCookieSource: true, cookieName: nil), + .ollama: TokenAccountSupport( + title: "Session tokens", + subtitle: "Store multiple Ollama Cookie headers.", + placeholder: "Cookie: …", + injection: .cookieHeader, + requiresManualCookieSource: true, + cookieName: nil), ] } diff --git a/Tests/CodexBarTests/ConfigValidationTests.swift b/Tests/CodexBarTests/ConfigValidationTests.swift index d076b3185..ca0363a85 100644 --- a/Tests/CodexBarTests/ConfigValidationTests.swift +++ b/Tests/CodexBarTests/ConfigValidationTests.swift @@ -39,4 +39,16 @@ struct ConfigValidationTests { let issues = CodexBarConfigValidator.validate(config) #expect(issues.contains(where: { $0.code == "token_accounts_unused" })) } + + @Test + func allowsOllamaTokenAccounts() { + let accounts = ProviderTokenAccountData( + version: 1, + accounts: [ProviderTokenAccount(id: UUID(), label: "a", token: "t", addedAt: 0, lastUsed: nil)], + activeIndex: 0) + var config = CodexBarConfig.makeDefault() + config.setProviderConfig(ProviderConfig(id: .ollama, tokenAccounts: accounts)) + let issues = CodexBarConfigValidator.validate(config) + #expect(!issues.contains(where: { $0.code == "token_accounts_unused" && $0.provider == .ollama })) + } } diff --git a/Tests/CodexBarTests/SettingsStoreAdditionalTests.swift b/Tests/CodexBarTests/SettingsStoreAdditionalTests.swift index c70eb957b..7b30c5a47 100644 --- a/Tests/CodexBarTests/SettingsStoreAdditionalTests.swift +++ b/Tests/CodexBarTests/SettingsStoreAdditionalTests.swift @@ -42,6 +42,16 @@ struct SettingsStoreAdditionalTests { #expect(settings.claudeCookieSource == .manual) } + @Test + func ollamaTokenAccountsSetManualCookieSourceWhenRequired() { + let settings = Self.makeSettingsStore(suite: "SettingsStoreAdditionalTests-ollama-token-accounts") + + settings.addTokenAccount(provider: .ollama, label: "Primary", token: "session=token-1") + + #expect(settings.tokenAccounts(for: .ollama).count == 1) + #expect(settings.ollamaCookieSource == .manual) + } + @Test func detectsTokenCostUsageSourcesFromFilesystem() throws { let fm = FileManager.default diff --git a/Tests/CodexBarTests/SettingsStoreCoverageTests.swift b/Tests/CodexBarTests/SettingsStoreCoverageTests.swift index c51f49ada..f9a6ca726 100644 --- a/Tests/CodexBarTests/SettingsStoreCoverageTests.swift +++ b/Tests/CodexBarTests/SettingsStoreCoverageTests.swift @@ -124,6 +124,7 @@ struct SettingsStoreCoverageTests { settings.ensureKimiK2APITokenLoaded() settings.ensureAugmentCookieLoaded() settings.ensureAmpCookieLoaded() + settings.ensureOllamaCookieLoaded() settings.ensureCopilotAPITokenLoaded() settings.ensureTokenAccountsLoaded() diff --git a/Tests/CodexBarTests/TokenAccountEnvironmentPrecedenceTests.swift b/Tests/CodexBarTests/TokenAccountEnvironmentPrecedenceTests.swift index 5cd8d0857..ca97cccab 100644 --- a/Tests/CodexBarTests/TokenAccountEnvironmentPrecedenceTests.swift +++ b/Tests/CodexBarTests/TokenAccountEnvironmentPrecedenceTests.swift @@ -45,6 +45,36 @@ struct TokenAccountEnvironmentPrecedenceTests { #expect(env[ZaiSettingsReader.apiTokenKey] != "config-token") } + @Test + func ollamaTokenAccountSelectionForcesManualCookieSourceInCLISettingsSnapshot() throws { + let accounts = ProviderTokenAccountData( + version: 1, + accounts: [ + ProviderTokenAccount( + id: UUID(), + label: "Primary", + token: "session=account-token", + addedAt: 0, + lastUsed: nil), + ], + activeIndex: 0) + let config = CodexBarConfig( + providers: [ + ProviderConfig( + id: .ollama, + cookieSource: .auto, + tokenAccounts: accounts), + ]) + let selection = TokenAccountCLISelection(label: nil, index: nil, allAccounts: false) + let tokenContext = try TokenAccountCLIContext(selection: selection, config: config, verbose: false) + let account = try #require(tokenContext.resolvedAccounts(for: .ollama).first) + let snapshot = try #require(tokenContext.settingsSnapshot(for: .ollama, account: account)) + let ollamaSettings = try #require(snapshot.ollama) + + #expect(ollamaSettings.cookieSource == .manual) + #expect(ollamaSettings.manualCookieHeader == "session=account-token") + } + private static func makeSettingsStore(suite: String) -> SettingsStore { let defaults = UserDefaults(suiteName: suite)! defaults.removePersistentDomain(forName: suite) From b2ef621d5fef1613e47a0bd48df2d56a2d106110 Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Sun, 15 Feb 2026 20:04:56 +0530 Subject: [PATCH 061/131] Add experimental Claude OAuth security reader --- .../Claude/ClaudeProviderImplementation.swift | 32 ++ Sources/CodexBar/SettingsStore+Defaults.swift | 11 + .../SettingsStore+MenuObservation.swift | 2 + Sources/CodexBar/SettingsStore.swift | 2 + Sources/CodexBar/SettingsStoreState.swift | 1 + .../ClaudeOAuthCredentialModels.swift | 156 ++++++++++ ...deOAuthCredentials+SecurityCLIReader.swift | 217 ++++++++++++++ ...udeOAuthCredentials+TestingOverrides.swift | 25 ++ .../ClaudeOAuth/ClaudeOAuthCredentials.swift | 247 ++++++---------- .../ClaudeOAuthKeychainReadStrategy.swift | 46 +++ ...uthCredentialsStorePromptPolicyTests.swift | 128 ++++++++ ...AuthCredentialsStoreSecurityCLITests.swift | 274 ++++++++++++++++++ .../ClaudeOAuthCredentialsStoreTests.swift | 78 +++-- .../ProviderSettingsDescriptorTests.swift | 9 + .../SettingsStoreCoverageTests.swift | 35 +++ 15 files changed, 1072 insertions(+), 191 deletions(-) create mode 100644 Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentialModels.swift create mode 100644 Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials+SecurityCLIReader.swift create mode 100644 Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthKeychainReadStrategy.swift create mode 100644 Tests/CodexBarTests/ClaudeOAuthCredentialsStoreSecurityCLITests.swift diff --git a/Sources/CodexBar/Providers/Claude/ClaudeProviderImplementation.swift b/Sources/CodexBar/Providers/Claude/ClaudeProviderImplementation.swift index 956bd8f08..d45567082 100644 --- a/Sources/CodexBar/Providers/Claude/ClaudeProviderImplementation.swift +++ b/Sources/CodexBar/Providers/Claude/ClaudeProviderImplementation.swift @@ -24,6 +24,7 @@ struct ClaudeProviderImplementation: ProviderImplementation { _ = settings.claudeCookieSource _ = settings.claudeCookieHeader _ = settings.claudeOAuthKeychainPromptMode + _ = settings.claudeOAuthKeychainReadStrategy _ = settings.claudeWebExtrasEnabled } @@ -79,6 +80,12 @@ struct ClaudeProviderImplementation: ProviderImplementation { context.settings.claudeOAuthKeychainPromptMode = ClaudeOAuthKeychainPromptMode(rawValue: raw) ?? .onlyOnUserAction }) + let keychainReadStrategyBinding = Binding( + get: { context.settings.claudeOAuthKeychainReadStrategy.rawValue }, + set: { raw in + context.settings.claudeOAuthKeychainReadStrategy = ClaudeOAuthKeychainReadStrategy(rawValue: raw) + ?? .securityFramework + }) let usageOptions = ClaudeUsageDataSource.allCases.map { ProviderSettingsPickerOption(id: $0.rawValue, title: $0.displayName) @@ -97,6 +104,14 @@ struct ClaudeProviderImplementation: ProviderImplementation { id: ClaudeOAuthKeychainPromptMode.always.rawValue, title: "Always allow prompts"), ] + let keychainReadStrategyOptions: [ProviderSettingsPickerOption] = [ + ProviderSettingsPickerOption( + id: ClaudeOAuthKeychainReadStrategy.securityFramework.rawValue, + title: "Standard (default)"), + ProviderSettingsPickerOption( + id: ClaudeOAuthKeychainReadStrategy.securityCLIExperimental.rawValue, + title: "Experimental (/usr/bin/security)"), + ] let cookieSubtitle: () -> String? = { ProviderCookieSourceUI.subtitle( @@ -113,6 +128,13 @@ struct ClaudeProviderImplementation: ProviderImplementation { return "Controls Claude OAuth Keychain prompts. Choosing \"Never prompt\" can make OAuth unavailable; " + "use Web/CLI when needed." } + let keychainReadStrategySubtitle: () -> String? = { + if context.settings.debugDisableKeychainAccess { + return "Global Keychain access is disabled in Advanced, so this setting is currently inactive." + } + return "Experimental mode reads via /usr/bin/security. Consent applies to that tool's ACL entry, not " + + "directly to CodexBar." + } return [ ProviderSettingsPickerDescriptor( @@ -138,6 +160,16 @@ struct ClaudeProviderImplementation: ProviderImplementation { isVisible: nil, isEnabled: { !context.settings.debugDisableKeychainAccess }, onChange: nil), + ProviderSettingsPickerDescriptor( + id: "claude-oauth-keychain-reader", + title: "OAuth keychain reader", + subtitle: "Choose how CodexBar reads Claude OAuth credentials from Keychain.", + dynamicSubtitle: keychainReadStrategySubtitle, + binding: keychainReadStrategyBinding, + options: keychainReadStrategyOptions, + isVisible: nil, + isEnabled: { !context.settings.debugDisableKeychainAccess }, + onChange: nil), ProviderSettingsPickerDescriptor( id: "claude-cookie-source", title: "Claude cookies", diff --git a/Sources/CodexBar/SettingsStore+Defaults.swift b/Sources/CodexBar/SettingsStore+Defaults.swift index 27da90c7b..ff4f0856d 100644 --- a/Sources/CodexBar/SettingsStore+Defaults.swift +++ b/Sources/CodexBar/SettingsStore+Defaults.swift @@ -199,6 +199,17 @@ extension SettingsStore { } } + var claudeOAuthKeychainReadStrategy: ClaudeOAuthKeychainReadStrategy { + get { + let raw = self.defaultsState.claudeOAuthKeychainReadStrategyRaw + return ClaudeOAuthKeychainReadStrategy(rawValue: raw ?? "") ?? .securityFramework + } + set { + self.defaultsState.claudeOAuthKeychainReadStrategyRaw = newValue.rawValue + self.userDefaults.set(newValue.rawValue, forKey: "claudeOAuthKeychainReadStrategy") + } + } + var claudeWebExtrasEnabled: Bool { get { self.claudeWebExtrasEnabledRaw } set { self.claudeWebExtrasEnabledRaw = newValue } diff --git a/Sources/CodexBar/SettingsStore+MenuObservation.swift b/Sources/CodexBar/SettingsStore+MenuObservation.swift index 4fa5640a8..7b050aed7 100644 --- a/Sources/CodexBar/SettingsStore+MenuObservation.swift +++ b/Sources/CodexBar/SettingsStore+MenuObservation.swift @@ -21,6 +21,8 @@ extension SettingsStore { _ = self.costUsageEnabled _ = self.hidePersonalInfo _ = self.randomBlinkEnabled + _ = self.claudeOAuthKeychainPromptMode + _ = self.claudeOAuthKeychainReadStrategy _ = self.claudeWebExtrasEnabled _ = self.showOptionalCreditsAndExtraUsage _ = self.openAIWebAccessEnabled diff --git a/Sources/CodexBar/SettingsStore.swift b/Sources/CodexBar/SettingsStore.swift index ecf6bbd6c..2504c03da 100644 --- a/Sources/CodexBar/SettingsStore.swift +++ b/Sources/CodexBar/SettingsStore.swift @@ -204,6 +204,7 @@ extension SettingsStore { let randomBlinkEnabled = userDefaults.object(forKey: "randomBlinkEnabled") as? Bool ?? false let menuBarShowsHighestUsage = userDefaults.object(forKey: "menuBarShowsHighestUsage") as? Bool ?? false let claudeOAuthKeychainPromptModeRaw = userDefaults.string(forKey: "claudeOAuthKeychainPromptMode") + let claudeOAuthKeychainReadStrategyRaw = userDefaults.string(forKey: "claudeOAuthKeychainReadStrategy") let claudeWebExtrasEnabledRaw = userDefaults.object(forKey: "claudeWebExtrasEnabled") as? Bool ?? false let creditsExtrasDefault = userDefaults.object(forKey: "showOptionalCreditsAndExtraUsage") as? Bool let showOptionalCreditsAndExtraUsage = creditsExtrasDefault ?? true @@ -239,6 +240,7 @@ extension SettingsStore { randomBlinkEnabled: randomBlinkEnabled, menuBarShowsHighestUsage: menuBarShowsHighestUsage, claudeOAuthKeychainPromptModeRaw: claudeOAuthKeychainPromptModeRaw, + claudeOAuthKeychainReadStrategyRaw: claudeOAuthKeychainReadStrategyRaw, claudeWebExtrasEnabledRaw: claudeWebExtrasEnabledRaw, showOptionalCreditsAndExtraUsage: showOptionalCreditsAndExtraUsage, openAIWebAccessEnabled: openAIWebAccessEnabled, diff --git a/Sources/CodexBar/SettingsStoreState.swift b/Sources/CodexBar/SettingsStoreState.swift index e82109f34..77cfbed6c 100644 --- a/Sources/CodexBar/SettingsStoreState.swift +++ b/Sources/CodexBar/SettingsStoreState.swift @@ -22,6 +22,7 @@ struct SettingsDefaultsState: Sendable { var randomBlinkEnabled: Bool var menuBarShowsHighestUsage: Bool var claudeOAuthKeychainPromptModeRaw: String? + var claudeOAuthKeychainReadStrategyRaw: String? var claudeWebExtrasEnabledRaw: Bool var showOptionalCreditsAndExtraUsage: Bool var openAIWebAccessEnabled: Bool diff --git a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentialModels.swift b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentialModels.swift new file mode 100644 index 000000000..d5286435c --- /dev/null +++ b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentialModels.swift @@ -0,0 +1,156 @@ +import Foundation + +#if os(macOS) +import Security +#endif + +public struct ClaudeOAuthCredentials: Sendable { + public let accessToken: String + public let refreshToken: String? + public let expiresAt: Date? + public let scopes: [String] + public let rateLimitTier: String? + + public init( + accessToken: String, + refreshToken: String?, + expiresAt: Date?, + scopes: [String], + rateLimitTier: String?) + { + self.accessToken = accessToken + self.refreshToken = refreshToken + self.expiresAt = expiresAt + self.scopes = scopes + self.rateLimitTier = rateLimitTier + } + + public var isExpired: Bool { + guard let expiresAt else { return true } + return Date() >= expiresAt + } + + public var expiresIn: TimeInterval? { + guard let expiresAt else { return nil } + return expiresAt.timeIntervalSinceNow + } + + public static func parse(data: Data) throws -> ClaudeOAuthCredentials { + let decoder = JSONDecoder() + guard let root = try? decoder.decode(Root.self, from: data) else { + throw ClaudeOAuthCredentialsError.decodeFailed + } + guard let oauth = root.claudeAiOauth else { + throw ClaudeOAuthCredentialsError.missingOAuth + } + let accessToken = oauth.accessToken?.trimmingCharacters(in: .whitespacesAndNewlines) ?? "" + guard !accessToken.isEmpty else { + throw ClaudeOAuthCredentialsError.missingAccessToken + } + let expiresAt = oauth.expiresAt.map { millis in + Date(timeIntervalSince1970: millis / 1000.0) + } + return ClaudeOAuthCredentials( + accessToken: accessToken, + refreshToken: oauth.refreshToken, + expiresAt: expiresAt, + scopes: oauth.scopes ?? [], + rateLimitTier: oauth.rateLimitTier) + } + + private struct Root: Decodable { + let claudeAiOauth: OAuth? + } + + private struct OAuth: Decodable { + let accessToken: String? + let refreshToken: String? + let expiresAt: Double? + let scopes: [String]? + let rateLimitTier: String? + + enum CodingKeys: String, CodingKey { + case accessToken + case refreshToken + case expiresAt + case scopes + case rateLimitTier + } + } +} + +public enum ClaudeOAuthCredentialOwner: String, Codable, Sendable { + case claudeCLI + case codexbar + case environment +} + +public enum ClaudeOAuthCredentialSource: String, Sendable { + case environment + case memoryCache + case cacheKeychain + case credentialsFile + case claudeKeychain +} + +public struct ClaudeOAuthCredentialRecord: Sendable { + public let credentials: ClaudeOAuthCredentials + public let owner: ClaudeOAuthCredentialOwner + public let source: ClaudeOAuthCredentialSource + + public init( + credentials: ClaudeOAuthCredentials, + owner: ClaudeOAuthCredentialOwner, + source: ClaudeOAuthCredentialSource) + { + self.credentials = credentials + self.owner = owner + self.source = source + } +} + +public enum ClaudeOAuthCredentialsError: LocalizedError, Sendable { + case decodeFailed + case missingOAuth + case missingAccessToken + case notFound + case keychainError(Int) + case readFailed(String) + case refreshFailed(String) + case noRefreshToken + case refreshDelegatedToClaudeCLI + + public var errorDescription: String? { + switch self { + case .decodeFailed: + return "Claude OAuth credentials are invalid." + case .missingOAuth: + return "Claude OAuth credentials missing. Run `claude` to authenticate." + case .missingAccessToken: + return "Claude OAuth access token missing. Run `claude` to authenticate." + case .notFound: + return "Claude OAuth credentials not found. Run `claude` to authenticate." + case let .keychainError(status): + #if os(macOS) + if status == Int(errSecUserCanceled) + || status == Int(errSecAuthFailed) + || status == Int(errSecInteractionNotAllowed) + || status == Int(errSecNoAccessForItem) + { + return "Claude Keychain access was denied. CodexBar will back off in the background until you retry " + + "via a user action (menu open / manual refresh). " + + "Switch Claude Usage source to Web/CLI, or allow access in Keychain Access." + } + #endif + return "Claude OAuth keychain error: \(status)" + case let .readFailed(message): + return "Claude OAuth credentials read failed: \(message)" + case let .refreshFailed(message): + return "Claude OAuth token refresh failed: \(message)" + case .noRefreshToken: + return "Claude OAuth refresh token missing. Run `claude` to authenticate." + case .refreshDelegatedToClaudeCLI: + return "Claude OAuth refresh is delegated to Claude CLI." + } + } +} diff --git a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials+SecurityCLIReader.swift b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials+SecurityCLIReader.swift new file mode 100644 index 000000000..e7a5a96f5 --- /dev/null +++ b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials+SecurityCLIReader.swift @@ -0,0 +1,217 @@ +import Dispatch +import Foundation + +#if canImport(Darwin) +import Darwin +#elseif canImport(Glibc) +import Glibc +#endif + +extension ClaudeOAuthCredentialsStore { + private static let securityBinaryPath = "/usr/bin/security" + private static let securityCLIReadTimeout: TimeInterval = 1.5 + + static func shouldPreferSecurityCLIKeychainRead() -> Bool { + ClaudeOAuthKeychainReadStrategyPreference.current() == .securityCLIExperimental + } + + static func shouldBypassPreAlertForPreferredReader() -> Bool { + self.shouldPreferSecurityCLIKeychainRead() + } + + #if os(macOS) + private enum SecurityCLIReadError: Error, Sendable { + case binaryUnavailable + case launchFailed + case timedOut + case nonZeroExit(status: Int32, stderrLength: Int) + } + + private struct SecurityCLIReadCommandResult: Sendable { + let status: Int32 + let stdout: Data + let stderrLength: Int + let durationMs: Double + } + + static func loadFromClaudeKeychainViaSecurityCLIIfEnabled(allowKeychainPrompt: Bool) -> Data? { + guard self.shouldPreferSecurityCLIKeychainRead() else { return nil } + + do { + let output: Data + let status: Int32 + let stderrLength: Int + let durationMs: Double + #if DEBUG + if let override = self.taskSecurityCLIReadOverride { + switch override { + case let .data(data): + output = data ?? Data() + status = 0 + stderrLength = 0 + durationMs = 0 + case .timedOut: + throw SecurityCLIReadError.timedOut + case .nonZeroExit: + throw SecurityCLIReadError.nonZeroExit(status: 1, stderrLength: 0) + } + } else { + let result = try self.runClaudeSecurityCLIRead(timeout: self.securityCLIReadTimeout) + output = result.stdout + status = result.status + stderrLength = result.stderrLength + durationMs = result.durationMs + } + #else + let result = try self.runClaudeSecurityCLIRead(timeout: self.securityCLIReadTimeout) + output = result.stdout + status = result.status + stderrLength = result.stderrLength + durationMs = result.durationMs + #endif + + let sanitized = self.sanitizeSecurityCLIOutput(output) + guard !sanitized.isEmpty else { return nil } + guard (try? ClaudeOAuthCredentials.parse(data: sanitized)) != nil else { + self.log.warning( + "Claude keychain security CLI output invalid; falling back", + metadata: [ + "reader": "securityCLI", + "status": "\(status)", + "duration_ms": String(format: "%.2f", durationMs), + "stderr_length": "\(stderrLength)", + ]) + return nil + } + + self.log.debug( + "Claude keychain security CLI read succeeded", + metadata: [ + "reader": "securityCLI", + "interactive": "\(allowKeychainPrompt)", + "status": "\(status)", + "duration_ms": String(format: "%.2f", durationMs), + "stderr_length": "\(stderrLength)", + ]) + return sanitized + } catch let error as SecurityCLIReadError { + var metadata: [String: String] = [ + "reader": "securityCLI", + "interactive": "\(allowKeychainPrompt)", + "error_type": String(describing: type(of: error)), + ] + switch error { + case .binaryUnavailable: + metadata["reason"] = "binaryUnavailable" + case .launchFailed: + metadata["reason"] = "launchFailed" + case .timedOut: + metadata["reason"] = "timedOut" + case let .nonZeroExit(status, stderrLength): + metadata["reason"] = "nonZeroExit" + metadata["status"] = "\(status)" + metadata["stderr_length"] = "\(stderrLength)" + } + self.log.warning("Claude keychain security CLI read failed; falling back", metadata: metadata) + return nil + } catch { + self.log.warning( + "Claude keychain security CLI read failed; falling back", + metadata: [ + "reader": "securityCLI", + "interactive": "\(allowKeychainPrompt)", + "error_type": String(describing: type(of: error)), + ]) + return nil + } + } + + private static func sanitizeSecurityCLIOutput(_ data: Data) -> Data { + var sanitized = data + while let last = sanitized.last, last == 0x0A || last == 0x0D { + sanitized.removeLast() + } + return sanitized + } + + private static func runClaudeSecurityCLIRead(timeout: TimeInterval) throws -> SecurityCLIReadCommandResult { + guard FileManager.default.isExecutableFile(atPath: self.securityBinaryPath) else { + throw SecurityCLIReadError.binaryUnavailable + } + + let process = Process() + process.executableURL = URL(fileURLWithPath: self.securityBinaryPath) + process.arguments = [ + "find-generic-password", + "-s", + self.claudeKeychainService, + "-w", + ] + + let stdoutPipe = Pipe() + let stderrPipe = Pipe() + process.standardOutput = stdoutPipe + process.standardError = stderrPipe + process.standardInput = nil + + let startedAt = DispatchTime.now().uptimeNanoseconds + do { + try process.run() + } catch { + throw SecurityCLIReadError.launchFailed + } + + var processGroup: pid_t? + let pid = process.processIdentifier + if setpgid(pid, pid) == 0 { + processGroup = pid + } + + let deadline = Date().addingTimeInterval(timeout) + while process.isRunning, Date() < deadline { + Thread.sleep(forTimeInterval: 0.02) + } + + if process.isRunning { + self.terminate(process: process, processGroup: processGroup) + throw SecurityCLIReadError.timedOut + } + + let stdout = stdoutPipe.fileHandleForReading.readDataToEndOfFile() + let stderr = stderrPipe.fileHandleForReading.readDataToEndOfFile() + let status = process.terminationStatus + let durationMs = Double(DispatchTime.now().uptimeNanoseconds - startedAt) / 1_000_000.0 + guard status == 0 else { + throw SecurityCLIReadError.nonZeroExit(status: status, stderrLength: stderr.count) + } + + return SecurityCLIReadCommandResult( + status: status, + stdout: stdout, + stderrLength: stderr.count, + durationMs: durationMs) + } + + private static func terminate(process: Process, processGroup: pid_t?) { + guard process.isRunning else { return } + process.terminate() + if let processGroup { + kill(-processGroup, SIGTERM) + } + let deadline = Date().addingTimeInterval(0.4) + while process.isRunning, Date() < deadline { + usleep(50000) + } + if process.isRunning { + if let processGroup { + kill(-processGroup, SIGKILL) + } + kill(process.processIdentifier, SIGKILL) + } + } + #else + static func loadFromClaudeKeychainViaSecurityCLIIfEnabled(allowKeychainPrompt _: Bool) -> Data? { + nil + } + #endif +} diff --git a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials+TestingOverrides.swift b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials+TestingOverrides.swift index 39c82b6b4..9f2274621 100644 --- a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials+TestingOverrides.swift +++ b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials+TestingOverrides.swift @@ -18,8 +18,15 @@ extension ClaudeOAuthCredentialsStore { } } + enum SecurityCLIReadOverride: Sendable { + case data(Data?) + case timedOut + case nonZeroExit + } + @TaskLocal static var taskKeychainAccessOverride: Bool? @TaskLocal static var taskCredentialsFileFingerprintStoreOverride: CredentialsFileFingerprintStore? + @TaskLocal static var taskSecurityCLIReadOverride: SecurityCLIReadOverride? static func withKeychainAccessOverrideForTesting( _ disabled: Bool?, @@ -74,5 +81,23 @@ extension ClaudeOAuthCredentialsStore { try await operation() } } + + static func withSecurityCLIReadOverrideForTesting( + _ readOverride: SecurityCLIReadOverride?, + operation: () throws -> T) rethrows -> T + { + try self.$taskSecurityCLIReadOverride.withValue(readOverride) { + try operation() + } + } + + static func withSecurityCLIReadOverrideForTesting( + _ readOverride: SecurityCLIReadOverride?, + operation: () async throws -> T) async rethrows -> T + { + try await self.$taskSecurityCLIReadOverride.withValue(readOverride) { + try await operation() + } + } } #endif diff --git a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials.swift b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials.swift index bf45b92d7..e319a2468 100644 --- a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials.swift +++ b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials.swift @@ -14,161 +14,10 @@ import LocalAuthentication import Security #endif -public struct ClaudeOAuthCredentials: Sendable { - public let accessToken: String - public let refreshToken: String? - public let expiresAt: Date? - public let scopes: [String] - public let rateLimitTier: String? - - public init( - accessToken: String, - refreshToken: String?, - expiresAt: Date?, - scopes: [String], - rateLimitTier: String?) - { - self.accessToken = accessToken - self.refreshToken = refreshToken - self.expiresAt = expiresAt - self.scopes = scopes - self.rateLimitTier = rateLimitTier - } - - public var isExpired: Bool { - guard let expiresAt else { return true } - return Date() >= expiresAt - } - - public var expiresIn: TimeInterval? { - guard let expiresAt else { return nil } - return expiresAt.timeIntervalSinceNow - } - - public static func parse(data: Data) throws -> ClaudeOAuthCredentials { - let decoder = JSONDecoder() - guard let root = try? decoder.decode(Root.self, from: data) else { - throw ClaudeOAuthCredentialsError.decodeFailed - } - guard let oauth = root.claudeAiOauth else { - throw ClaudeOAuthCredentialsError.missingOAuth - } - let accessToken = oauth.accessToken?.trimmingCharacters(in: .whitespacesAndNewlines) ?? "" - guard !accessToken.isEmpty else { - throw ClaudeOAuthCredentialsError.missingAccessToken - } - let expiresAt = oauth.expiresAt.map { millis in - Date(timeIntervalSince1970: millis / 1000.0) - } - return ClaudeOAuthCredentials( - accessToken: accessToken, - refreshToken: oauth.refreshToken, - expiresAt: expiresAt, - scopes: oauth.scopes ?? [], - rateLimitTier: oauth.rateLimitTier) - } - - private struct Root: Decodable { - let claudeAiOauth: OAuth? - } - - private struct OAuth: Decodable { - let accessToken: String? - let refreshToken: String? - let expiresAt: Double? - let scopes: [String]? - let rateLimitTier: String? - - enum CodingKeys: String, CodingKey { - case accessToken - case refreshToken - case expiresAt - case scopes - case rateLimitTier - } - } -} - -public enum ClaudeOAuthCredentialOwner: String, Codable, Sendable { - case claudeCLI - case codexbar - case environment -} - -public enum ClaudeOAuthCredentialSource: String, Sendable { - case environment - case memoryCache - case cacheKeychain - case credentialsFile - case claudeKeychain -} - -public struct ClaudeOAuthCredentialRecord: Sendable { - public let credentials: ClaudeOAuthCredentials - public let owner: ClaudeOAuthCredentialOwner - public let source: ClaudeOAuthCredentialSource - - public init( - credentials: ClaudeOAuthCredentials, - owner: ClaudeOAuthCredentialOwner, - source: ClaudeOAuthCredentialSource) - { - self.credentials = credentials - self.owner = owner - self.source = source - } -} - -public enum ClaudeOAuthCredentialsError: LocalizedError, Sendable { - case decodeFailed - case missingOAuth - case missingAccessToken - case notFound - case keychainError(Int) - case readFailed(String) - case refreshFailed(String) - case noRefreshToken - case refreshDelegatedToClaudeCLI - - public var errorDescription: String? { - switch self { - case .decodeFailed: - return "Claude OAuth credentials are invalid." - case .missingOAuth: - return "Claude OAuth credentials missing. Run `claude` to authenticate." - case .missingAccessToken: - return "Claude OAuth access token missing. Run `claude` to authenticate." - case .notFound: - return "Claude OAuth credentials not found. Run `claude` to authenticate." - case let .keychainError(status): - #if os(macOS) - if status == Int(errSecUserCanceled) - || status == Int(errSecAuthFailed) - || status == Int(errSecInteractionNotAllowed) - || status == Int(errSecNoAccessForItem) - { - return "Claude Keychain access was denied. CodexBar will back off in the background until you retry " - + "via a user action (menu open / manual refresh). " - + "Switch Claude Usage source to Web/CLI, or allow access in Keychain Access." - } - #endif - return "Claude OAuth keychain error: \(status)" - case let .readFailed(message): - return "Claude OAuth credentials read failed: \(message)" - case let .refreshFailed(message): - return "Claude OAuth token refresh failed: \(message)" - case .noRefreshToken: - return "Claude OAuth refresh token missing. Run `claude` to authenticate." - case .refreshDelegatedToClaudeCLI: - return "Claude OAuth refresh is delegated to Claude CLI." - } - } -} - // swiftlint:disable type_body_length public enum ClaudeOAuthCredentialsStore { private static let credentialsPath = ".claude/.credentials.json" - private static let claudeKeychainService = "Claude Code-credentials" + static let claudeKeychainService = "Claude Code-credentials" private static let cacheKey = KeychainCacheStore.Key.oauth(provider: .claude) public static let environmentTokenKey = "CODEXBAR_CLAUDE_OAUTH_TOKEN" public static let environmentScopesKey = "CODEXBAR_CLAUDE_OAUTH_SCOPES" @@ -186,7 +35,7 @@ public enum ClaudeOAuthCredentialsStore { ?? self.defaultOAuthClientID } - private static let log = CodexBarLog.logger(LogCategories.claudeUsage) + static let log = CodexBarLog.logger(LogCategories.claudeUsage) private static let fileFingerprintKey = "ClaudeOAuthCredentialsFileFingerprintV2" private static let claudeKeychainPromptLock = NSLock() private static let claudeKeychainFingerprintKey = "ClaudeOAuthClaudeKeychainFingerprintV2" @@ -526,6 +375,25 @@ public enum ClaudeOAuthCredentialsStore { source: .cacheKeychain) } + if self.shouldPreferSecurityCLIKeychainRead(), + let keychainData = self.loadFromClaudeKeychainViaSecurityCLIIfEnabled(allowKeychainPrompt: true) + { + let creds = try ClaudeOAuthCredentials.parse(data: keychainData) + let record = ClaudeOAuthCredentialRecord( + credentials: creds, + owner: .claudeCLI, + source: .claudeKeychain) + self.writeMemoryCache( + record: ClaudeOAuthCredentialRecord( + credentials: creds, + owner: .claudeCLI, + source: .memoryCache), + timestamp: Date()) + self.saveToCacheKeychain(keychainData, owner: .claudeCLI) + self.saveClaudeKeychainFingerprint(self.currentClaudeKeychainFingerprintWithoutPrompt()) + return record + } + // Some macOS configurations still show the system keychain prompt even for our "silent" probes. // Only show the in-app pre-alert when we have evidence that Keychain interaction is likely. if self.shouldShowClaudeKeychainPreAlert() { @@ -535,7 +403,11 @@ public enum ClaudeOAuthCredentialsStore { service: self.claudeKeychainService, account: nil)) } - let keychainData = try self.loadFromClaudeKeychain() + let keychainData: Data = if self.shouldPreferSecurityCLIKeychainRead() { + try self.loadFromClaudeKeychainUsingSecurityFramework() + } else { + try self.loadFromClaudeKeychain() + } let creds = try ClaudeOAuthCredentials.parse(data: keychainData) let record = ClaudeOAuthCredentialRecord( credentials: creds, @@ -783,6 +655,19 @@ public enum ClaudeOAuthCredentialsStore { guard self.shouldAllowClaudeCodeKeychainAccess(mode: mode) else { return false } if ProviderInteractionContext.current == .background, !ClaudeOAuthKeychainAccessGate.shouldAllowPrompt() { return false } + if self.loadFromClaudeKeychainViaSecurityCLIIfEnabled(allowKeychainPrompt: false) != nil { + return true + } + #if DEBUG + if let store = self.taskClaudeKeychainOverrideStore, + let data = store.data + { + return (try? ClaudeOAuthCredentials.parse(data: data)) != nil + } + if let data = self.taskClaudeKeychainDataOverride ?? self.claudeKeychainDataOverride { + return (try? ClaudeOAuthCredentials.parse(data: data)) != nil + } + #endif var query: [String: Any] = [ kSecClass as String: kSecClassGenericPassword, @@ -826,7 +711,9 @@ public enum ClaudeOAuthCredentialsStore { // Do not attempt a non-interactive data read if preflight indicates interaction is likely. // Why: on some systems, Security.framework can still surface UI even for "no UI" queries. - if self.shouldShowClaudeKeychainPreAlert() { + if !self.shouldBypassPreAlertForPreferredReader(), + self.shouldShowClaudeKeychainPreAlert() + { return nil } @@ -925,7 +812,9 @@ public enum ClaudeOAuthCredentialsStore { // If Keychain preflight indicates interaction is likely, skip the silent repair read. // Why: non-interactive probes can still show UI on some systems, and if interaction is required we should // let the interactive prompt path handle it (when allowed). - if self.shouldShowClaudeKeychainPreAlert() { + if !self.shouldBypassPreAlertForPreferredReader(), + self.shouldShowClaudeKeychainPreAlert() + { return nil } @@ -1090,6 +979,10 @@ public enum ClaudeOAuthCredentialsStore { if let override = taskClaudeKeychainDataOverride ?? self.claudeKeychainDataOverride { return override } #endif #if os(macOS) + if let data = self.loadFromClaudeKeychainViaSecurityCLIIfEnabled(allowKeychainPrompt: false) { + return data + } + // Keep semantics aligned with fingerprinting: if there are multiple entries, we only ever consult the newest // candidate (same as currentClaudeKeychainFingerprintWithoutPrompt()) to avoid syncing from a different item. let candidates = self.claudeKeychainCandidatesWithoutPrompt() @@ -1118,6 +1011,23 @@ public enum ClaudeOAuthCredentialsStore { guard self.shouldAllowClaudeCodeKeychainAccess(mode: mode) else { throw ClaudeOAuthCredentialsError.notFound } + #if DEBUG + if let store = taskClaudeKeychainOverrideStore, let override = store.data { return override } + if let override = taskClaudeKeychainDataOverride ?? self.claudeKeychainDataOverride { return override } + #endif + if let data = self.loadFromClaudeKeychainViaSecurityCLIIfEnabled(allowKeychainPrompt: true) { + self.saveClaudeKeychainFingerprint(self.currentClaudeKeychainFingerprintWithoutPrompt()) + return data + } + return try self.loadFromClaudeKeychainUsingSecurityFramework() + } + + /// Legacy alias for backward compatibility + public static func loadFromKeychain() throws -> Data { + try self.loadFromClaudeKeychain() + } + + private static func loadFromClaudeKeychainUsingSecurityFramework() throws -> Data { #if DEBUG if let store = taskClaudeKeychainOverrideStore, let override = store.data { return override } if let override = taskClaudeKeychainDataOverride ?? self.claudeKeychainDataOverride { return override } @@ -1170,11 +1080,6 @@ public enum ClaudeOAuthCredentialsStore { #endif } - /// Legacy alias for backward compatibility - public static func loadFromKeychain() throws -> Data { - try self.loadFromClaudeKeychain() - } - #if os(macOS) private struct ClaudeKeychainCandidate: Sendable { let persistentRef: Data @@ -1557,9 +1462,27 @@ extension ClaudeOAuthCredentialsStore { } #endif + if let data = self.loadFromClaudeKeychainViaSecurityCLIIfEnabled(allowKeychainPrompt: false), + !data.isEmpty + { + if let creds = try? ClaudeOAuthCredentials.parse(data: data), !creds.isExpired { + self.saveClaudeKeychainFingerprint(self.currentClaudeKeychainFingerprintWithoutPrompt()) + self.writeMemoryCache( + record: ClaudeOAuthCredentialRecord(credentials: creds, owner: .claudeCLI, source: .memoryCache), + timestamp: now) + self.saveToCacheKeychain(data, owner: .claudeCLI) + return true + } + self.saveClaudeKeychainFingerprint(self.currentClaudeKeychainFingerprintWithoutPrompt()) + } + // Skip the silent data read if preflight indicates interaction is likely. // Why: on some systems, Security.framework can still surface UI even for "no UI" probes. - if self.shouldShowClaudeKeychainPreAlert() { return false } + if !self.shouldBypassPreAlertForPreferredReader(), + self.shouldShowClaudeKeychainPreAlert() + { + return false + } // Consult only the newest candidate to avoid syncing from a different keychain entry (e.g. old login). if let candidate = self.claudeKeychainCandidatesWithoutPrompt().first, diff --git a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthKeychainReadStrategy.swift b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthKeychainReadStrategy.swift new file mode 100644 index 000000000..7f766d1e4 --- /dev/null +++ b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthKeychainReadStrategy.swift @@ -0,0 +1,46 @@ +import Foundation + +public enum ClaudeOAuthKeychainReadStrategy: String, Sendable, Codable, CaseIterable { + case securityFramework + case securityCLIExperimental +} + +public enum ClaudeOAuthKeychainReadStrategyPreference { + private static let userDefaultsKey = "claudeOAuthKeychainReadStrategy" + + #if DEBUG + @TaskLocal private static var taskOverride: ClaudeOAuthKeychainReadStrategy? + #endif + + public static func current(userDefaults: UserDefaults = .standard) -> ClaudeOAuthKeychainReadStrategy { + #if DEBUG + if let taskOverride { return taskOverride } + #endif + if let raw = userDefaults.string(forKey: self.userDefaultsKey), + let strategy = ClaudeOAuthKeychainReadStrategy(rawValue: raw) + { + return strategy + } + return .securityFramework + } + + #if DEBUG + static func withTaskOverrideForTesting( + _ strategy: ClaudeOAuthKeychainReadStrategy?, + operation: () throws -> T) rethrows -> T + { + try self.$taskOverride.withValue(strategy) { + try operation() + } + } + + static func withTaskOverrideForTesting( + _ strategy: ClaudeOAuthKeychainReadStrategy?, + operation: () async throws -> T) async rethrows -> T + { + try await self.$taskOverride.withValue(strategy) { + try await operation() + } + } + #endif +} diff --git a/Tests/CodexBarTests/ClaudeOAuthCredentialsStorePromptPolicyTests.swift b/Tests/CodexBarTests/ClaudeOAuthCredentialsStorePromptPolicyTests.swift index 5867ccf68..3b58fdc6c 100644 --- a/Tests/CodexBarTests/ClaudeOAuthCredentialsStorePromptPolicyTests.swift +++ b/Tests/CodexBarTests/ClaudeOAuthCredentialsStorePromptPolicyTests.swift @@ -312,4 +312,132 @@ struct ClaudeOAuthCredentialsStorePromptPolicyTests { } } } + + @Test + func experimentalReader_skipsPreAlertWhenSecurityCLIReadSucceeds() throws { + let service = "com.steipete.codexbar.cache.tests.\(UUID().uuidString)" + try KeychainCacheStore.withServiceOverrideForTesting(service) { + try KeychainAccessGate.withTaskOverrideForTesting(false) { + KeychainCacheStore.setTestStoreForTesting(true) + defer { KeychainCacheStore.setTestStoreForTesting(false) } + + try ClaudeOAuthCredentialsStore.withIsolatedMemoryCacheForTesting { + ClaudeOAuthCredentialsStore.invalidateCache() + ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() + defer { + ClaudeOAuthCredentialsStore.invalidateCache() + ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() + } + + let tempDir = FileManager.default.temporaryDirectory + .appendingPathComponent(UUID().uuidString, isDirectory: true) + try FileManager.default.createDirectory(at: tempDir, withIntermediateDirectories: true) + let fileURL = tempDir.appendingPathComponent("credentials.json") + try ClaudeOAuthCredentialsStore.withCredentialsURLOverrideForTesting(fileURL) { + let securityData = self.makeCredentialsData( + accessToken: "security-token", + expiresAt: Date(timeIntervalSinceNow: 3600)) + + var preAlertHits = 0 + let preflightOverride: (String, String?) -> KeychainAccessPreflight.Outcome = { _, _ in + .interactionRequired + } + let promptHandler: (KeychainPromptContext) -> Void = { _ in + preAlertHits += 1 + } + let creds = try KeychainAccessPreflight.withCheckGenericPasswordOverrideForTesting( + preflightOverride, + operation: { + try KeychainPromptHandler.withHandlerForTesting(promptHandler, operation: { + try ClaudeOAuthKeychainReadStrategyPreference.withTaskOverrideForTesting( + .securityCLIExperimental) + { + try ClaudeOAuthKeychainPromptPreference.withTaskOverrideForTesting(.always) { + try ProviderInteractionContext.$current.withValue(.userInitiated) { + try ClaudeOAuthCredentialsStore.withSecurityCLIReadOverrideForTesting( + .data(securityData)) + { + try ClaudeOAuthCredentialsStore.load( + environment: [:], + allowKeychainPrompt: true) + } + } + } + } + }) + }) + + #expect(creds.accessToken == "security-token") + #expect(preAlertHits == 0) + } + } + } + } + } + + @Test + func experimentalReader_showsPreAlertWhenSecurityCLIFailsAndFallbackNeedsInteraction() throws { + let service = "com.steipete.codexbar.cache.tests.\(UUID().uuidString)" + try KeychainCacheStore.withServiceOverrideForTesting(service) { + try KeychainAccessGate.withTaskOverrideForTesting(false) { + KeychainCacheStore.setTestStoreForTesting(true) + defer { KeychainCacheStore.setTestStoreForTesting(false) } + + try ClaudeOAuthCredentialsStore.withIsolatedMemoryCacheForTesting { + ClaudeOAuthCredentialsStore.invalidateCache() + ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() + defer { + ClaudeOAuthCredentialsStore.invalidateCache() + ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() + } + + let tempDir = FileManager.default.temporaryDirectory + .appendingPathComponent(UUID().uuidString, isDirectory: true) + try FileManager.default.createDirectory(at: tempDir, withIntermediateDirectories: true) + let fileURL = tempDir.appendingPathComponent("credentials.json") + try ClaudeOAuthCredentialsStore.withCredentialsURLOverrideForTesting(fileURL) { + let fallbackData = self.makeCredentialsData( + accessToken: "fallback-token", + expiresAt: Date(timeIntervalSinceNow: 3600)) + + var preAlertHits = 0 + let preflightOverride: (String, String?) -> KeychainAccessPreflight.Outcome = { _, _ in + .interactionRequired + } + let promptHandler: (KeychainPromptContext) -> Void = { _ in + preAlertHits += 1 + } + let creds = try KeychainAccessPreflight.withCheckGenericPasswordOverrideForTesting( + preflightOverride, + operation: { + try KeychainPromptHandler.withHandlerForTesting(promptHandler, operation: { + try ClaudeOAuthKeychainReadStrategyPreference.withTaskOverrideForTesting( + .securityCLIExperimental) + { + try ClaudeOAuthKeychainPromptPreference.withTaskOverrideForTesting(.always) { + try ProviderInteractionContext.$current.withValue(.userInitiated) { + try ClaudeOAuthCredentialsStore.withClaudeKeychainOverridesForTesting( + data: fallbackData, + fingerprint: nil) + { + try ClaudeOAuthCredentialsStore + .withSecurityCLIReadOverrideForTesting(.timedOut) { + try ClaudeOAuthCredentialsStore.load( + environment: [:], + allowKeychainPrompt: true) + } + } + } + } + } + }) + }) + + #expect(creds.accessToken == "fallback-token") + #expect(preAlertHits >= 1) + } + } + } + } + } } diff --git a/Tests/CodexBarTests/ClaudeOAuthCredentialsStoreSecurityCLITests.swift b/Tests/CodexBarTests/ClaudeOAuthCredentialsStoreSecurityCLITests.swift new file mode 100644 index 000000000..238fc05db --- /dev/null +++ b/Tests/CodexBarTests/ClaudeOAuthCredentialsStoreSecurityCLITests.swift @@ -0,0 +1,274 @@ +import Foundation +import Testing +@testable import CodexBarCore + +@Suite(.serialized) +struct ClaudeOAuthCredentialsStoreSecurityCLITests { + private func makeCredentialsData(accessToken: String, expiresAt: Date, refreshToken: String? = nil) -> Data { + let millis = Int(expiresAt.timeIntervalSince1970 * 1000) + let refreshField: String = { + guard let refreshToken else { return "" } + return ",\n \"refreshToken\": \"\(refreshToken)\"" + }() + let json = """ + { + "claudeAiOauth": { + "accessToken": "\(accessToken)", + "expiresAt": \(millis), + "scopes": ["user:profile"]\(refreshField) + } + } + """ + return Data(json.utf8) + } + + @Test + func experimentalReader_prefersSecurityCLIForNonInteractiveLoad() throws { + let service = "com.steipete.codexbar.cache.tests.\(UUID().uuidString)" + try KeychainCacheStore.withServiceOverrideForTesting(service) { + try KeychainAccessGate.withTaskOverrideForTesting(false) { + KeychainCacheStore.setTestStoreForTesting(true) + defer { KeychainCacheStore.setTestStoreForTesting(false) } + + ClaudeOAuthCredentialsStore.invalidateCache() + ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() + defer { + ClaudeOAuthCredentialsStore.invalidateCache() + ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() + ClaudeOAuthCredentialsStore.setClaudeKeychainDataOverrideForTesting(nil) + ClaudeOAuthCredentialsStore.setClaudeKeychainFingerprintOverrideForTesting(nil) + } + + let tempDir = FileManager.default.temporaryDirectory + .appendingPathComponent(UUID().uuidString, isDirectory: true) + try FileManager.default.createDirectory(at: tempDir, withIntermediateDirectories: true) + let fileURL = tempDir.appendingPathComponent("credentials.json") + + try ClaudeOAuthCredentialsStore.withCredentialsURLOverrideForTesting(fileURL) { + let securityData = self.makeCredentialsData( + accessToken: "security-token", + expiresAt: Date(timeIntervalSinceNow: 3600), + refreshToken: "security-refresh") + + let creds = try ClaudeOAuthKeychainReadStrategyPreference.withTaskOverrideForTesting( + .securityCLIExperimental, + operation: { + try ClaudeOAuthKeychainPromptPreference.withTaskOverrideForTesting( + .onlyOnUserAction, + operation: { + try ProviderInteractionContext.$current.withValue(.userInitiated) { + try ClaudeOAuthCredentialsStore.withSecurityCLIReadOverrideForTesting( + .data(securityData)) + { + try ClaudeOAuthCredentialsStore.load( + environment: [:], + allowKeychainPrompt: false) + } + } + }) + }) + + #expect(creds.accessToken == "security-token") + #expect(creds.refreshToken == "security-refresh") + #expect(creds.scopes.contains("user:profile")) + } + } + } + } + + @Test + func experimentalReader_fallsBackWhenSecurityCLIThrows() throws { + let service = "com.steipete.codexbar.cache.tests.\(UUID().uuidString)" + try KeychainCacheStore.withServiceOverrideForTesting(service) { + try KeychainAccessGate.withTaskOverrideForTesting(false) { + KeychainCacheStore.setTestStoreForTesting(true) + defer { KeychainCacheStore.setTestStoreForTesting(false) } + + ClaudeOAuthCredentialsStore.invalidateCache() + ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() + defer { + ClaudeOAuthCredentialsStore.invalidateCache() + ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() + ClaudeOAuthCredentialsStore.setClaudeKeychainDataOverrideForTesting(nil) + ClaudeOAuthCredentialsStore.setClaudeKeychainFingerprintOverrideForTesting(nil) + } + + let tempDir = FileManager.default.temporaryDirectory + .appendingPathComponent(UUID().uuidString, isDirectory: true) + try FileManager.default.createDirectory(at: tempDir, withIntermediateDirectories: true) + let fileURL = tempDir.appendingPathComponent("credentials.json") + + try ClaudeOAuthCredentialsStore.withCredentialsURLOverrideForTesting(fileURL) { + let fallbackData = self.makeCredentialsData( + accessToken: "fallback-token", + expiresAt: Date(timeIntervalSinceNow: 3600), + refreshToken: "fallback-refresh") + + let creds = try ClaudeOAuthKeychainReadStrategyPreference.withTaskOverrideForTesting( + .securityCLIExperimental, + operation: { + try ClaudeOAuthKeychainPromptPreference.withTaskOverrideForTesting( + .onlyOnUserAction, + operation: { + try ProviderInteractionContext.$current.withValue(.userInitiated) { + try ClaudeOAuthCredentialsStore.withClaudeKeychainOverridesForTesting( + data: fallbackData, + fingerprint: nil) + { + try ClaudeOAuthCredentialsStore.withSecurityCLIReadOverrideForTesting( + .timedOut) + { + try ClaudeOAuthCredentialsStore.load( + environment: [:], + allowKeychainPrompt: false) + } + } + } + }) + }) + + #expect(creds.accessToken == "fallback-token") + } + } + } + } + + @Test + func experimentalReader_fallsBackWhenSecurityCLIOutputMalformed() throws { + let service = "com.steipete.codexbar.cache.tests.\(UUID().uuidString)" + try KeychainCacheStore.withServiceOverrideForTesting(service) { + try KeychainAccessGate.withTaskOverrideForTesting(false) { + KeychainCacheStore.setTestStoreForTesting(true) + defer { KeychainCacheStore.setTestStoreForTesting(false) } + + ClaudeOAuthCredentialsStore.invalidateCache() + ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() + defer { + ClaudeOAuthCredentialsStore.invalidateCache() + ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() + ClaudeOAuthCredentialsStore.setClaudeKeychainDataOverrideForTesting(nil) + ClaudeOAuthCredentialsStore.setClaudeKeychainFingerprintOverrideForTesting(nil) + } + + let tempDir = FileManager.default.temporaryDirectory + .appendingPathComponent(UUID().uuidString, isDirectory: true) + try FileManager.default.createDirectory(at: tempDir, withIntermediateDirectories: true) + let fileURL = tempDir.appendingPathComponent("credentials.json") + + try ClaudeOAuthCredentialsStore.withCredentialsURLOverrideForTesting(fileURL) { + let fallbackData = self.makeCredentialsData( + accessToken: "fallback-token", + expiresAt: Date(timeIntervalSinceNow: 3600)) + + let creds = try ClaudeOAuthKeychainReadStrategyPreference.withTaskOverrideForTesting( + .securityCLIExperimental, + operation: { + try ClaudeOAuthKeychainPromptPreference.withTaskOverrideForTesting( + .onlyOnUserAction, + operation: { + try ProviderInteractionContext.$current.withValue(.userInitiated) { + try ClaudeOAuthCredentialsStore.withClaudeKeychainOverridesForTesting( + data: fallbackData, + fingerprint: nil) + { + try ClaudeOAuthCredentialsStore.withSecurityCLIReadOverrideForTesting( + .data(Data("not-json".utf8))) + { + try ClaudeOAuthCredentialsStore.load( + environment: [:], + allowKeychainPrompt: false) + } + } + } + }) + }) + + #expect(creds.accessToken == "fallback-token") + } + } + } + } + + @Test + func experimentalReader_loadFromClaudeKeychainUsesSecurityCLI() throws { + let securityData = self.makeCredentialsData( + accessToken: "security-direct", + expiresAt: Date(timeIntervalSinceNow: 3600), + refreshToken: "security-refresh") + + let loaded = try ClaudeOAuthKeychainReadStrategyPreference.withTaskOverrideForTesting( + .securityCLIExperimental, + operation: { + try ClaudeOAuthKeychainPromptPreference.withTaskOverrideForTesting( + .always, + operation: { + try ProviderInteractionContext.$current.withValue(.userInitiated) { + try ClaudeOAuthCredentialsStore.withSecurityCLIReadOverrideForTesting( + .data(securityData)) + { + try ClaudeOAuthCredentialsStore.loadFromClaudeKeychain() + } + } + }) + }) + + let creds = try ClaudeOAuthCredentials.parse(data: loaded) + #expect(creds.accessToken == "security-direct") + #expect(creds.refreshToken == "security-refresh") + } + + @Test + func experimentalReader_hasClaudeKeychainCredentialsWithoutPrompt_usesSecurityCLI() throws { + let securityData = self.makeCredentialsData( + accessToken: "security-available", + expiresAt: Date(timeIntervalSinceNow: 3600)) + + let hasCredentials = try ClaudeOAuthKeychainReadStrategyPreference.withTaskOverrideForTesting( + .securityCLIExperimental, + operation: { + try ClaudeOAuthKeychainPromptPreference.withTaskOverrideForTesting( + .always, + operation: { + ProviderInteractionContext.$current.withValue(.userInitiated) { + ClaudeOAuthCredentialsStore.withSecurityCLIReadOverrideForTesting( + .data(securityData)) + { + ClaudeOAuthCredentialsStore.hasClaudeKeychainCredentialsWithoutPrompt() + } + } + }) + }) + + #expect(hasCredentials == true) + } + + @Test + func experimentalReader_hasClaudeKeychainCredentialsWithoutPrompt_fallsBackWhenSecurityCLIFails() throws { + let fallbackData = self.makeCredentialsData( + accessToken: "fallback-available", + expiresAt: Date(timeIntervalSinceNow: 3600)) + + let hasCredentials = try ClaudeOAuthKeychainReadStrategyPreference.withTaskOverrideForTesting( + .securityCLIExperimental, + operation: { + try ClaudeOAuthKeychainPromptPreference.withTaskOverrideForTesting( + .always, + operation: { + ProviderInteractionContext.$current.withValue(.userInitiated) { + ClaudeOAuthCredentialsStore.withClaudeKeychainOverridesForTesting( + data: fallbackData, + fingerprint: nil) + { + ClaudeOAuthCredentialsStore.withSecurityCLIReadOverrideForTesting( + .nonZeroExit) + { + ClaudeOAuthCredentialsStore.hasClaudeKeychainCredentialsWithoutPrompt() + } + } + } + }) + }) + + #expect(hasCredentials == true) + } +} diff --git a/Tests/CodexBarTests/ClaudeOAuthCredentialsStoreTests.swift b/Tests/CodexBarTests/ClaudeOAuthCredentialsStoreTests.swift index e5c35d3b4..5fd258eb0 100644 --- a/Tests/CodexBarTests/ClaudeOAuthCredentialsStoreTests.swift +++ b/Tests/CodexBarTests/ClaudeOAuthCredentialsStoreTests.swift @@ -33,37 +33,57 @@ struct ClaudeOAuthCredentialsStoreTests { ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() defer { ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() } + try ClaudeOAuthCredentialsStore.withIsolatedCredentialsFileTrackingForTesting { + try ClaudeOAuthCredentialsStore.withIsolatedMemoryCacheForTesting { + let tempDir = FileManager.default.temporaryDirectory + .appendingPathComponent(UUID().uuidString, isDirectory: true) + try FileManager.default.createDirectory(at: tempDir, withIntermediateDirectories: true) + let fileURL = tempDir.appendingPathComponent("credentials.json") + try ClaudeOAuthCredentialsStore.withCredentialsURLOverrideForTesting(fileURL) { + let expiredData = self.makeCredentialsData( + accessToken: "expired", + expiresAt: Date(timeIntervalSinceNow: -3600)) + try expiredData.write(to: fileURL) + + let cachedData = self.makeCredentialsData( + accessToken: "cached", + expiresAt: Date(timeIntervalSinceNow: 3600)) + let cacheEntry = ClaudeOAuthCredentialsStore.CacheEntry( + data: cachedData, + storedAt: Date()) + let cacheKey = KeychainCacheStore.Key.oauth(provider: .claude) + ClaudeOAuthCredentialsStore.invalidateCache() + KeychainCacheStore.store(key: cacheKey, entry: cacheEntry) + defer { KeychainCacheStore.clear(key: cacheKey) } + _ = try ClaudeOAuthKeychainReadStrategyPreference.withTaskOverrideForTesting( + .securityFramework) + { + try ClaudeOAuthKeychainPromptPreference.withTaskOverrideForTesting( + .onlyOnUserAction) + { + try ClaudeOAuthCredentialsStore.load( + environment: [:], + allowKeychainPrompt: false) + } + } + // Re-store to cache after file check has marked file as "seen" + KeychainCacheStore.store(key: cacheKey, entry: cacheEntry) + let creds = try ClaudeOAuthKeychainReadStrategyPreference.withTaskOverrideForTesting( + .securityFramework) + { + try ClaudeOAuthKeychainPromptPreference.withTaskOverrideForTesting( + .onlyOnUserAction) + { + try ClaudeOAuthCredentialsStore.load( + environment: [:], + allowKeychainPrompt: false) + } + } - let tempDir = FileManager.default.temporaryDirectory - .appendingPathComponent(UUID().uuidString, isDirectory: true) - try FileManager.default.createDirectory(at: tempDir, withIntermediateDirectories: true) - let fileURL = tempDir.appendingPathComponent("credentials.json") - try ClaudeOAuthCredentialsStore.withCredentialsURLOverrideForTesting(fileURL) { - let expiredData = self.makeCredentialsData( - accessToken: "expired", - expiresAt: Date(timeIntervalSinceNow: -3600)) - try expiredData.write(to: fileURL) - - let cachedData = self.makeCredentialsData( - accessToken: "cached", - expiresAt: Date(timeIntervalSinceNow: 3600)) - let cacheEntry = ClaudeOAuthCredentialsStore.CacheEntry(data: cachedData, storedAt: Date()) - let cacheKey = KeychainCacheStore.Key.oauth(provider: .claude) - ClaudeOAuthCredentialsStore.invalidateCache() - KeychainCacheStore.store(key: cacheKey, entry: cacheEntry) - defer { KeychainCacheStore.clear(key: cacheKey) } - _ = try ClaudeOAuthKeychainPromptPreference.withTaskOverrideForTesting(.onlyOnUserAction) { - try ClaudeOAuthCredentialsStore.load(environment: [:], allowKeychainPrompt: false) - } - // Re-store to cache after file check has marked file as "seen" - KeychainCacheStore.store(key: cacheKey, entry: cacheEntry) - let creds = try ClaudeOAuthKeychainPromptPreference - .withTaskOverrideForTesting(.onlyOnUserAction) { - try ClaudeOAuthCredentialsStore.load(environment: [:], allowKeychainPrompt: false) + #expect(creds.accessToken == "cached") + #expect(creds.isExpired == false) } - - #expect(creds.accessToken == "cached") - #expect(creds.isExpired == false) + } } } } diff --git a/Tests/CodexBarTests/ProviderSettingsDescriptorTests.swift b/Tests/CodexBarTests/ProviderSettingsDescriptorTests.swift index c63fd3d0f..766066483 100644 --- a/Tests/CodexBarTests/ProviderSettingsDescriptorTests.swift +++ b/Tests/CodexBarTests/ProviderSettingsDescriptorTests.swift @@ -168,6 +168,11 @@ struct ProviderSettingsDescriptorTests { #expect(optionIDs.contains(ClaudeOAuthKeychainPromptMode.onlyOnUserAction.rawValue)) #expect(optionIDs.contains(ClaudeOAuthKeychainPromptMode.always.rawValue)) #expect(keychainPicker.isEnabled?() ?? true) + let readStrategyPicker = try #require(pickers.first(where: { $0.id == "claude-oauth-keychain-reader" })) + let readStrategyOptionIDs = Set(readStrategyPicker.options.map(\.id)) + #expect(readStrategyOptionIDs.contains(ClaudeOAuthKeychainReadStrategy.securityFramework.rawValue)) + #expect(readStrategyOptionIDs.contains(ClaudeOAuthKeychainReadStrategy.securityCLIExperimental.rawValue)) + #expect(readStrategyPicker.isEnabled?() ?? true) } @Test @@ -212,6 +217,10 @@ struct ProviderSettingsDescriptorTests { #expect(keychainPicker.isEnabled?() == false) let subtitle = keychainPicker.dynamicSubtitle?() ?? "" #expect(subtitle.localizedCaseInsensitiveContains("inactive")) + let readStrategyPicker = try #require(pickers.first(where: { $0.id == "claude-oauth-keychain-reader" })) + #expect(readStrategyPicker.isEnabled?() == false) + let readStrategySubtitle = readStrategyPicker.dynamicSubtitle?() ?? "" + #expect(readStrategySubtitle.localizedCaseInsensitiveContains("inactive")) } @Test diff --git a/Tests/CodexBarTests/SettingsStoreCoverageTests.swift b/Tests/CodexBarTests/SettingsStoreCoverageTests.swift index c51f49ada..87e876141 100644 --- a/Tests/CodexBarTests/SettingsStoreCoverageTests.swift +++ b/Tests/CodexBarTests/SettingsStoreCoverageTests.swift @@ -184,6 +184,41 @@ struct SettingsStoreCoverageTests { #expect(settings.claudeOAuthKeychainPromptMode == .onlyOnUserAction) } + @Test + func claudeKeychainReadStrategy_defaultsToSecurityFramework() { + let settings = Self.makeSettingsStore() + #expect(settings.claudeOAuthKeychainReadStrategy == .securityFramework) + } + + @Test + func claudeKeychainReadStrategy_persistsAcrossStoreReload() throws { + let suite = "SettingsStoreCoverageTests-claude-keychain-read-strategy" + let defaults = try #require(UserDefaults(suiteName: suite)) + defaults.removePersistentDomain(forName: suite) + let configStore = testConfigStore(suiteName: suite) + + let first = Self.makeSettingsStore(userDefaults: defaults, configStore: configStore) + first.claudeOAuthKeychainReadStrategy = .securityCLIExperimental + #expect( + defaults.string(forKey: "claudeOAuthKeychainReadStrategy") + == ClaudeOAuthKeychainReadStrategy.securityCLIExperimental.rawValue) + + let second = Self.makeSettingsStore(userDefaults: defaults, configStore: configStore) + #expect(second.claudeOAuthKeychainReadStrategy == .securityCLIExperimental) + } + + @Test + func claudeKeychainReadStrategy_invalidRawFallsBackToSecurityFramework() throws { + let suite = "SettingsStoreCoverageTests-claude-keychain-read-strategy-invalid" + let defaults = try #require(UserDefaults(suiteName: suite)) + defaults.removePersistentDomain(forName: suite) + defaults.set("invalid-strategy", forKey: "claudeOAuthKeychainReadStrategy") + let configStore = testConfigStore(suiteName: suite) + + let settings = Self.makeSettingsStore(userDefaults: defaults, configStore: configStore) + #expect(settings.claudeOAuthKeychainReadStrategy == .securityFramework) + } + private static func makeSettingsStore(suiteName: String = "SettingsStoreCoverageTests") -> SettingsStore { let defaults = UserDefaults(suiteName: suiteName)! defaults.removePersistentDomain(forName: suiteName) From 7a2a3b00fe6e90e568cda5cda0f794ec9a95afdf Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Sun, 15 Feb 2026 20:10:24 +0530 Subject: [PATCH 062/131] Avoid Security.framework polling in experimental refresh --- ...deOAuthCredentials+SecurityCLIReader.swift | 7 +- ...udeOAuthCredentials+TestingOverrides.swift | 6 + ...audeOAuthDelegatedRefreshCoordinator.swift | 44 ++++-- ...AuthDelegatedRefreshCoordinatorTests.swift | 144 ++++++++++++++++++ 4 files changed, 191 insertions(+), 10 deletions(-) diff --git a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials+SecurityCLIReader.swift b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials+SecurityCLIReader.swift index e7a5a96f5..c665b6abe 100644 --- a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials+SecurityCLIReader.swift +++ b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials+SecurityCLIReader.swift @@ -43,7 +43,7 @@ extension ClaudeOAuthCredentialsStore { let stderrLength: Int let durationMs: Double #if DEBUG - if let override = self.taskSecurityCLIReadOverride { + if let override = self.taskSecurityCLIReadOverride ?? self.securityCLIReadOverride { switch override { case let .data(data): output = data ?? Data() @@ -54,6 +54,11 @@ extension ClaudeOAuthCredentialsStore { throw SecurityCLIReadError.timedOut case .nonZeroExit: throw SecurityCLIReadError.nonZeroExit(status: 1, stderrLength: 0) + case let .dynamic(read): + output = read() ?? Data() + status = 0 + stderrLength = 0 + durationMs = 0 } } else { let result = try self.runClaudeSecurityCLIRead(timeout: self.securityCLIReadTimeout) diff --git a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials+TestingOverrides.swift b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials+TestingOverrides.swift index 9f2274621..1a96afc97 100644 --- a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials+TestingOverrides.swift +++ b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials+TestingOverrides.swift @@ -22,11 +22,13 @@ extension ClaudeOAuthCredentialsStore { case data(Data?) case timedOut case nonZeroExit + case dynamic(@Sendable () -> Data?) } @TaskLocal static var taskKeychainAccessOverride: Bool? @TaskLocal static var taskCredentialsFileFingerprintStoreOverride: CredentialsFileFingerprintStore? @TaskLocal static var taskSecurityCLIReadOverride: SecurityCLIReadOverride? + nonisolated(unsafe) static var securityCLIReadOverride: SecurityCLIReadOverride? static func withKeychainAccessOverrideForTesting( _ disabled: Bool?, @@ -99,5 +101,9 @@ extension ClaudeOAuthCredentialsStore { try await operation() } } + + static func setSecurityCLIReadOverrideForTesting(_ readOverride: SecurityCLIReadOverride?) { + self.securityCLIReadOverride = readOverride + } } #endif diff --git a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthDelegatedRefreshCoordinator.swift b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthDelegatedRefreshCoordinator.swift index f589b8dde..04d220d96 100644 --- a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthDelegatedRefreshCoordinator.swift +++ b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthDelegatedRefreshCoordinator.swift @@ -72,7 +72,7 @@ public enum ClaudeOAuthDelegatedRefreshCoordinator { return .skippedByCooldown } - let fingerprintBefore = self.currentClaudeKeychainFingerprint() + let baseline = self.currentKeychainChangeObservationBaseline() var touchError: Error? do { @@ -84,7 +84,7 @@ public enum ClaudeOAuthDelegatedRefreshCoordinator { // "Touch succeeded" must mean we actually observed the Claude keychain entry change. // Otherwise we end up in a long cooldown with still-expired credentials. let changed = await self.waitForClaudeKeychainChange( - from: fingerprintBefore, + from: baseline, timeout: min(max(timeout, 1), 2)) if changed { self.recordAttempt(now: now, cooldown: self.defaultCooldownInterval) @@ -145,8 +145,20 @@ public enum ClaudeOAuthDelegatedRefreshCoordinator { try await ClaudeStatusProbe.touchOAuthAuthPath(timeout: timeout) } + private enum KeychainChangeObservationBaseline: Sendable { + case securityFramework(fingerprint: ClaudeOAuthCredentialsStore.ClaudeKeychainFingerprint?) + case securityCLI(data: Data?) + } + + private static func currentKeychainChangeObservationBaseline() -> KeychainChangeObservationBaseline { + if ClaudeOAuthKeychainReadStrategyPreference.current() == .securityCLIExperimental { + return .securityCLI(data: self.currentClaudeKeychainDataViaSecurityCLIForObservation()) + } + return .securityFramework(fingerprint: self.currentClaudeKeychainFingerprint()) + } + private static func waitForClaudeKeychainChange( - from fingerprintBefore: ClaudeOAuthCredentialsStore.ClaudeKeychainFingerprint?, + from baseline: KeychainChangeObservationBaseline, timeout: TimeInterval) async -> Bool { // Prefer correctness but bound the delay. Keychain writes can be slightly delayed after the CLI touch. @@ -157,13 +169,23 @@ public enum ClaudeOAuthDelegatedRefreshCoordinator { let delays: [TimeInterval] = [0.2, 0.5, 0.8].filter { $0 <= clampedTimeout } let deadline = Date().addingTimeInterval(clampedTimeout) - func isObservedChange(_ current: ClaudeOAuthCredentialsStore.ClaudeKeychainFingerprint?) -> Bool { - // Treat "no fingerprint" as "not observed"; we only succeed if we can read a fingerprint and it differs. - guard let current else { return false } - return current != fingerprintBefore + func isObservedChange() -> Bool { + switch baseline { + case let .securityFramework(fingerprintBefore): + // Treat "no fingerprint" as "not observed"; we only succeed if we can read a fingerprint and it + // differs. + guard let current = self.currentClaudeKeychainFingerprintForObservation() else { return false } + return current != fingerprintBefore + case let .securityCLI(dataBefore): + // In experimental mode, avoid Security.framework observation entirely and detect change from + // /usr/bin/security output only. + guard let current = self.currentClaudeKeychainDataViaSecurityCLIForObservation() else { return false } + guard let dataBefore else { return true } + return current != dataBefore + } } - if isObservedChange(self.currentClaudeKeychainFingerprintForObservation()) { + if isObservedChange() { return true } @@ -176,7 +198,7 @@ public enum ClaudeOAuthDelegatedRefreshCoordinator { return false } - if isObservedChange(self.currentClaudeKeychainFingerprintForObservation()) { + if isObservedChange() { return true } } @@ -212,6 +234,10 @@ public enum ClaudeOAuthDelegatedRefreshCoordinator { } } + private static func currentClaudeKeychainDataViaSecurityCLIForObservation() -> Data? { + ClaudeOAuthCredentialsStore.loadFromClaudeKeychainViaSecurityCLIIfEnabled(allowKeychainPrompt: false) + } + private static func clearInFlightTaskIfStillCurrent(id: UInt64) { self.stateLock.lock() if self.inFlightAttemptID == id { diff --git a/Tests/CodexBarTests/ClaudeOAuthDelegatedRefreshCoordinatorTests.swift b/Tests/CodexBarTests/ClaudeOAuthDelegatedRefreshCoordinatorTests.swift index 0f6b7ab4a..d9df629cc 100644 --- a/Tests/CodexBarTests/ClaudeOAuthDelegatedRefreshCoordinatorTests.swift +++ b/Tests/CodexBarTests/ClaudeOAuthDelegatedRefreshCoordinatorTests.swift @@ -15,6 +15,20 @@ struct ClaudeOAuthDelegatedRefreshCoordinatorTests { } } + private func makeCredentialsData(accessToken: String, expiresAt: Date) -> Data { + let millis = Int(expiresAt.timeIntervalSince1970 * 1000) + let json = """ + { + "claudeAiOauth": { + "accessToken": "\(accessToken)", + "expiresAt": \(millis), + "scopes": ["user:profile"] + } + } + """ + return Data(json.utf8) + } + @Test func cooldownPreventsRepeatedAttempts() async { ClaudeOAuthDelegatedRefreshCoordinator.resetForTesting() @@ -210,4 +224,134 @@ struct ClaudeOAuthDelegatedRefreshCoordinatorTests { #expect(outcomes.allSatisfy { $0 == .attemptedSucceeded }) #expect(counter.count == 1) } + + @Test + func experimentalStrategy_doesNotUseSecurityFrameworkFingerprintObservation() async { + ClaudeOAuthDelegatedRefreshCoordinator.resetForTesting() + defer { ClaudeOAuthDelegatedRefreshCoordinator.resetForTesting() } + let strategyKey = "claudeOAuthKeychainReadStrategy" + let previousStrategy = UserDefaults.standard.string(forKey: strategyKey) + UserDefaults.standard.set( + ClaudeOAuthKeychainReadStrategy.securityCLIExperimental.rawValue, + forKey: strategyKey) + defer { + if let previousStrategy { + UserDefaults.standard.set(previousStrategy, forKey: strategyKey) + } else { + UserDefaults.standard.removeObject(forKey: strategyKey) + } + } + + final class CounterBox: @unchecked Sendable { + private let lock = NSLock() + private(set) var count: Int = 0 + func increment() { + self.lock.lock() + self.count += 1 + self.lock.unlock() + } + } + let fingerprintCounter = CounterBox() + ClaudeOAuthDelegatedRefreshCoordinator.setKeychainFingerprintOverrideForTesting { + fingerprintCounter.increment() + return ClaudeOAuthCredentialsStore.ClaudeKeychainFingerprint( + modifiedAt: 1, + createdAt: 1, + persistentRefHash: "framework-fingerprint") + } + ClaudeOAuthDelegatedRefreshCoordinator.setCLIAvailableOverrideForTesting(true) + ClaudeOAuthDelegatedRefreshCoordinator.setTouchAuthPathOverrideForTesting { _ in } + + let securityData = self.makeCredentialsData( + accessToken: "security-token-a", + expiresAt: Date(timeIntervalSinceNow: 3600)) + ClaudeOAuthCredentialsStore.setSecurityCLIReadOverrideForTesting(.data(securityData)) + defer { ClaudeOAuthCredentialsStore.setSecurityCLIReadOverrideForTesting(nil) } + let outcome = await ClaudeOAuthDelegatedRefreshCoordinator.attempt( + now: Date(timeIntervalSince1970: 60000), + timeout: 0.1) + + guard case .attemptedFailed = outcome else { + Issue.record("Expected .attemptedFailed outcome") + return + } + #expect(fingerprintCounter.count < 1) + } + + @Test + func experimentalStrategy_observesSecurityCLIChangeAfterTouch() async { + ClaudeOAuthDelegatedRefreshCoordinator.resetForTesting() + defer { ClaudeOAuthDelegatedRefreshCoordinator.resetForTesting() } + let strategyKey = "claudeOAuthKeychainReadStrategy" + let previousStrategy = UserDefaults.standard.string(forKey: strategyKey) + UserDefaults.standard.set( + ClaudeOAuthKeychainReadStrategy.securityCLIExperimental.rawValue, + forKey: strategyKey) + defer { + if let previousStrategy { + UserDefaults.standard.set(previousStrategy, forKey: strategyKey) + } else { + UserDefaults.standard.removeObject(forKey: strategyKey) + } + } + + final class DataBox: @unchecked Sendable { + private let lock = NSLock() + private var _data: Data? + init(data: Data?) { + self._data = data + } + + func load() -> Data? { + self.lock.lock() + defer { self.lock.unlock() } + return self._data + } + + func store(_ data: Data?) { + self.lock.lock() + self._data = data + self.lock.unlock() + } + } + final class CounterBox: @unchecked Sendable { + private let lock = NSLock() + private(set) var count: Int = 0 + func increment() { + self.lock.lock() + self.count += 1 + self.lock.unlock() + } + } + let fingerprintCounter = CounterBox() + ClaudeOAuthDelegatedRefreshCoordinator.setKeychainFingerprintOverrideForTesting { + fingerprintCounter.increment() + return ClaudeOAuthCredentialsStore.ClaudeKeychainFingerprint( + modifiedAt: 11, + createdAt: 11, + persistentRefHash: "framework-fingerprint") + } + + let beforeData = self.makeCredentialsData( + accessToken: "security-token-before", + expiresAt: Date(timeIntervalSinceNow: -60)) + let afterData = self.makeCredentialsData( + accessToken: "security-token-after", + expiresAt: Date(timeIntervalSinceNow: 3600)) + let dataBox = DataBox(data: beforeData) + + ClaudeOAuthDelegatedRefreshCoordinator.setCLIAvailableOverrideForTesting(true) + ClaudeOAuthDelegatedRefreshCoordinator.setTouchAuthPathOverrideForTesting { _ in + dataBox.store(afterData) + } + ClaudeOAuthCredentialsStore.setSecurityCLIReadOverrideForTesting(.dynamic { dataBox.load() }) + defer { ClaudeOAuthCredentialsStore.setSecurityCLIReadOverrideForTesting(nil) } + + let outcome = await ClaudeOAuthDelegatedRefreshCoordinator.attempt( + now: Date(timeIntervalSince1970: 61000), + timeout: 0.1) + + #expect(outcome == .attemptedSucceeded) + #expect(fingerprintCounter.count < 1) + } } From 8fa2d257211e9beed3fc50fa28a77aa5418bfec4 Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Sun, 15 Feb 2026 20:26:18 +0530 Subject: [PATCH 063/131] Add Claude OAuth diagnostics for expiry and source selection --- .../ClaudeOAuthCredentialModels.swift | 27 +++ ...deOAuthCredentials+SecurityCLIReader.swift | 26 ++- .../ClaudeOAuth/ClaudeOAuthCredentials.swift | 20 +- .../Providers/Claude/ClaudeUsageFetcher.swift | 179 ++++++++++++------ 4 files changed, 188 insertions(+), 64 deletions(-) diff --git a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentialModels.swift b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentialModels.swift index d5286435c..a62a13819 100644 --- a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentialModels.swift +++ b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentialModels.swift @@ -79,6 +79,33 @@ public struct ClaudeOAuthCredentials: Sendable { } } +extension ClaudeOAuthCredentials { + func diagnosticsMetadata(now: Date = Date()) -> [String: String] { + let hasRefreshToken = !(self.refreshToken?.trimmingCharacters(in: .whitespacesAndNewlines).isEmpty ?? true) + let hasUserProfileScope = self.scopes.contains("user:profile") + + var metadata: [String: String] = [ + "hasRefreshToken": "\(hasRefreshToken)", + "scopesCount": "\(self.scopes.count)", + "hasUserProfileScope": "\(hasUserProfileScope)", + ] + + if let expiresAt = self.expiresAt { + let expiresAtMs = Int(expiresAt.timeIntervalSince1970 * 1000.0) + let expiresInSec = Int(expiresAt.timeIntervalSince(now).rounded()) + metadata["expiresAtMs"] = "\(expiresAtMs)" + metadata["expiresInSec"] = "\(expiresInSec)" + metadata["isExpired"] = "\(now >= expiresAt)" + } else { + metadata["expiresAtMs"] = "nil" + metadata["expiresInSec"] = "nil" + metadata["isExpired"] = "true" + } + + return metadata + } +} + public enum ClaudeOAuthCredentialOwner: String, Codable, Sendable { case claudeCLI case codexbar diff --git a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials+SecurityCLIReader.swift b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials+SecurityCLIReader.swift index c665b6abe..b7b265b92 100644 --- a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials+SecurityCLIReader.swift +++ b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials+SecurityCLIReader.swift @@ -77,7 +77,10 @@ extension ClaudeOAuthCredentialsStore { let sanitized = self.sanitizeSecurityCLIOutput(output) guard !sanitized.isEmpty else { return nil } - guard (try? ClaudeOAuthCredentials.parse(data: sanitized)) != nil else { + let parsedCredentials: ClaudeOAuthCredentials + do { + parsedCredentials = try ClaudeOAuthCredentials.parse(data: sanitized) + } catch { self.log.warning( "Claude keychain security CLI output invalid; falling back", metadata: [ @@ -85,19 +88,26 @@ extension ClaudeOAuthCredentialsStore { "status": "\(status)", "duration_ms": String(format: "%.2f", durationMs), "stderr_length": "\(stderrLength)", + "payload_bytes": "\(sanitized.count)", + "parse_error_type": String(describing: type(of: error)), ]) return nil } + var metadata: [String: String] = [ + "reader": "securityCLI", + "interactive": "\(allowKeychainPrompt)", + "status": "\(status)", + "duration_ms": String(format: "%.2f", durationMs), + "stderr_length": "\(stderrLength)", + "payload_bytes": "\(sanitized.count)", + ] + for (key, value) in parsedCredentials.diagnosticsMetadata(now: Date()) { + metadata[key] = value + } self.log.debug( "Claude keychain security CLI read succeeded", - metadata: [ - "reader": "securityCLI", - "interactive": "\(allowKeychainPrompt)", - "status": "\(status)", - "duration_ms": String(format: "%.2f", durationMs), - "stderr_length": "\(stderrLength)", - ]) + metadata: metadata) return sanitized } catch let error as SecurityCLIReadError { var metadata: [String: String] = [ diff --git a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials.swift b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials.swift index e319a2468..37f7cde61 100644 --- a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials.swift +++ b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials.swift @@ -446,17 +446,33 @@ public enum ClaudeOAuthCredentialsStore { allowKeychainPrompt: allowKeychainPrompt, respectKeychainPromptCooldown: respectKeychainPromptCooldown) let credentials = record.credentials + let now = Date() + var expiryMetadata = credentials.diagnosticsMetadata(now: now) + expiryMetadata["source"] = record.source.rawValue + expiryMetadata["owner"] = record.owner.rawValue + expiryMetadata["allowKeychainPrompt"] = "\(allowKeychainPrompt)" + expiryMetadata["respectPromptCooldown"] = "\(respectKeychainPromptCooldown)" + expiryMetadata["readStrategy"] = ClaudeOAuthKeychainReadStrategyPreference.current().rawValue + + let isExpired: Bool = if let expiresAt = credentials.expiresAt { + now >= expiresAt + } else { + true + } // If not expired, return as-is - guard credentials.isExpired else { + guard isExpired else { + self.log.debug("Claude OAuth credentials loaded for usage", metadata: expiryMetadata) return credentials } + self.log.info("Claude OAuth credentials considered expired", metadata: expiryMetadata) + switch record.owner { case .claudeCLI: self.log.info( "Claude OAuth credentials expired; delegating refresh to Claude CLI", - metadata: ["source": record.source.rawValue]) + metadata: expiryMetadata) throw ClaudeOAuthCredentialsError.refreshDelegatedToClaudeCLI case .environment: self.log.warning("Environment OAuth token expired and cannot be auto-refreshed") diff --git a/Sources/CodexBarCore/Providers/Claude/ClaudeUsageFetcher.swift b/Sources/CodexBarCore/Providers/Claude/ClaudeUsageFetcher.swift index 2ebccd06e..ae8284b9e 100644 --- a/Sources/CodexBarCore/Providers/Claude/ClaudeUsageFetcher.swift +++ b/Sources/CodexBarCore/Providers/Claude/ClaudeUsageFetcher.swift @@ -303,60 +303,6 @@ public struct ClaudeUsageFetcher: ClaudeUsageFetching, Sendable { } } - public func loadLatestUsage(model: String = "sonnet") async throws -> ClaudeUsageSnapshot { - switch self.dataSource { - case .auto: - let oauthCreds = try? ClaudeOAuthCredentialsStore.load( - environment: self.environment, - allowKeychainPrompt: false, - respectKeychainPromptCooldown: true) - let hasOAuthCredentials = oauthCreds?.scopes.contains("user:profile") ?? false - let hasWebSession = - if let header = self.manualCookieHeader { - ClaudeWebAPIFetcher.hasSessionKey(cookieHeader: header) - } else { - ClaudeWebAPIFetcher.hasSessionKey(browserDetection: self.browserDetection) - } - let hasCLI = TTYCommandRunner.which("claude") != nil - if hasOAuthCredentials { - var snap = try await self.loadViaOAuth(allowDelegatedRetry: true) - snap = await self.applyWebExtrasIfNeeded(to: snap) - return snap - } - if hasWebSession { - return try await self.loadViaWebAPI() - } - if hasCLI { - do { - var snap = try await self.loadViaPTY(model: model, timeout: 10) - snap = await self.applyWebExtrasIfNeeded(to: snap) - return snap - } catch { - // CLI failed; OAuth is the last resort. - } - } - var snap = try await self.loadViaOAuth(allowDelegatedRetry: true) - snap = await self.applyWebExtrasIfNeeded(to: snap) - return snap - case .oauth: - var snap = try await self.loadViaOAuth(allowDelegatedRetry: true) - snap = await self.applyWebExtrasIfNeeded(to: snap) - return snap - case .web: - return try await self.loadViaWebAPI() - case .cli: - do { - var snap = try await self.loadViaPTY(model: model, timeout: 10) - snap = await self.applyWebExtrasIfNeeded(to: snap) - return snap - } catch { - var snap = try await self.loadViaPTY(model: model, timeout: 24) - snap = await self.applyWebExtrasIfNeeded(to: snap) - return snap - } - } - } - // MARK: - OAuth API path private func shouldAllowStartupBootstrapPrompt( @@ -976,6 +922,131 @@ public struct ClaudeUsageFetcher: ClaudeUsageFetching, Sendable { } } +extension ClaudeUsageFetcher { + public func loadLatestUsage(model: String = "sonnet") async throws -> ClaudeUsageSnapshot { + switch self.dataSource { + case .auto: + let oauthCreds: ClaudeOAuthCredentials? + let oauthProbeError: Error? + do { + oauthCreds = try ClaudeOAuthCredentialsStore.load( + environment: self.environment, + allowKeychainPrompt: false, + respectKeychainPromptCooldown: true) + oauthProbeError = nil + } catch { + oauthCreds = nil + oauthProbeError = error + } + + let hasOAuthCredentials = oauthCreds?.scopes.contains("user:profile") ?? false + let hasWebSession = + if let header = self.manualCookieHeader { + ClaudeWebAPIFetcher.hasSessionKey(cookieHeader: header) + } else { + ClaudeWebAPIFetcher.hasSessionKey(browserDetection: self.browserDetection) + } + let hasCLI = TTYCommandRunner.which("claude") != nil + + var autoDecisionMetadata: [String: String] = [ + "hasOAuthCredentials": "\(hasOAuthCredentials)", + "hasWebSession": "\(hasWebSession)", + "hasCLI": "\(hasCLI)", + "oauthReadStrategy": ClaudeOAuthKeychainReadStrategyPreference.current().rawValue, + ] + if let oauthCreds { + autoDecisionMetadata["oauthProbe"] = "success" + for (key, value) in oauthCreds.diagnosticsMetadata(now: Date()) { + autoDecisionMetadata[key] = value + } + } else if let oauthProbeError { + autoDecisionMetadata["oauthProbe"] = "failure" + autoDecisionMetadata["oauthProbeError"] = Self.oauthCredentialProbeErrorLabel(oauthProbeError) + } else { + autoDecisionMetadata["oauthProbe"] = "none" + } + + func logAutoDecision(selected: String) { + var metadata = autoDecisionMetadata + metadata["selected"] = selected + Self.log.debug("Claude auto source decision", metadata: metadata) + } + + if hasOAuthCredentials { + logAutoDecision(selected: "oauth") + var snap = try await self.loadViaOAuth(allowDelegatedRetry: true) + snap = await self.applyWebExtrasIfNeeded(to: snap) + return snap + } + if hasWebSession { + logAutoDecision(selected: "web") + return try await self.loadViaWebAPI() + } + if hasCLI { + do { + logAutoDecision(selected: "cli") + var snap = try await self.loadViaPTY(model: model, timeout: 10) + snap = await self.applyWebExtrasIfNeeded(to: snap) + return snap + } catch { + Self.log.debug( + "Claude auto source CLI path failed; falling back to OAuth", + metadata: [ + "errorType": String(describing: type(of: error)), + ]) + } + } + logAutoDecision(selected: "oauthFallback") + var snap = try await self.loadViaOAuth(allowDelegatedRetry: true) + snap = await self.applyWebExtrasIfNeeded(to: snap) + return snap + case .oauth: + var snap = try await self.loadViaOAuth(allowDelegatedRetry: true) + snap = await self.applyWebExtrasIfNeeded(to: snap) + return snap + case .web: + return try await self.loadViaWebAPI() + case .cli: + do { + var snap = try await self.loadViaPTY(model: model, timeout: 10) + snap = await self.applyWebExtrasIfNeeded(to: snap) + return snap + } catch { + var snap = try await self.loadViaPTY(model: model, timeout: 24) + snap = await self.applyWebExtrasIfNeeded(to: snap) + return snap + } + } + } + + private static func oauthCredentialProbeErrorLabel(_ error: Error) -> String { + guard let oauthError = error as? ClaudeOAuthCredentialsError else { + return String(describing: type(of: error)) + } + + return switch oauthError { + case .decodeFailed: + "decodeFailed" + case .missingOAuth: + "missingOAuth" + case .missingAccessToken: + "missingAccessToken" + case .notFound: + "notFound" + case let .keychainError(status): + "keychainError:\(status)" + case .readFailed: + "readFailed" + case .refreshFailed: + "refreshFailed" + case .noRefreshToken: + "noRefreshToken" + case .refreshDelegatedToClaudeCLI: + "refreshDelegatedToClaudeCLI" + } + } +} + #if DEBUG extension ClaudeUsageFetcher { public static func _mapOAuthUsageForTesting( From 97a81a4bdf10de022e3306febd4bf19c4d507f27 Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Sun, 15 Feb 2026 21:57:00 +0530 Subject: [PATCH 064/131] Make experimental Claude reader ignore prompt policy --- .../Claude/ClaudeProviderImplementation.swift | 13 +- .../ClaudeOAuth/ClaudeOAuthCredentials.swift | 25 +- .../ClaudeOAuthKeychainPromptMode.swift | 21 ++ .../Claude/ClaudeProviderDescriptor.swift | 12 +- .../Providers/Claude/ClaudeUsageFetcher.swift | 244 +++++++++--------- ...AuthCredentialsStoreSecurityCLITests.swift | 29 +++ ...eOAuthFetchStrategyAvailabilityTests.swift | 59 ++++- Tests/CodexBarTests/ClaudeUsageTests.swift | 65 +++++ .../ProviderSettingsDescriptorTests.swift | 44 ++++ 9 files changed, 378 insertions(+), 134 deletions(-) diff --git a/Sources/CodexBar/Providers/Claude/ClaudeProviderImplementation.swift b/Sources/CodexBar/Providers/Claude/ClaudeProviderImplementation.swift index d45567082..22af2339c 100644 --- a/Sources/CodexBar/Providers/Claude/ClaudeProviderImplementation.swift +++ b/Sources/CodexBar/Providers/Claude/ClaudeProviderImplementation.swift @@ -125,15 +125,18 @@ struct ClaudeProviderImplementation: ProviderImplementation { if context.settings.debugDisableKeychainAccess { return "Global Keychain access is disabled in Advanced, so this setting is currently inactive." } - return "Controls Claude OAuth Keychain prompts. Choosing \"Never prompt\" can make OAuth unavailable; " + - "use Web/CLI when needed." + return "Controls Claude OAuth Keychain prompts for Standard reader mode. Choosing \"Never prompt\" can " + + "make OAuth unavailable; use Web/CLI when needed." } let keychainReadStrategySubtitle: () -> String? = { if context.settings.debugDisableKeychainAccess { return "Global Keychain access is disabled in Advanced, so this setting is currently inactive." } - return "Experimental mode reads via /usr/bin/security. Consent applies to that tool's ACL entry, not " + - "directly to CodexBar." + if context.settings.claudeOAuthKeychainReadStrategy == .securityCLIExperimental { + return "Experimental mode reads via /usr/bin/security. Keychain prompt policy does not apply in this " + + "mode and is hidden." + } + return "Standard mode uses Security.framework and respects the keychain prompt policy below." } return [ @@ -157,7 +160,7 @@ struct ClaudeProviderImplementation: ProviderImplementation { dynamicSubtitle: keychainPromptPolicySubtitle, binding: keychainPromptPolicyBinding, options: keychainPromptPolicyOptions, - isVisible: nil, + isVisible: { context.settings.claudeOAuthKeychainReadStrategy == .securityFramework }, isEnabled: { !context.settings.debugDisableKeychainAccess }, onChange: nil), ProviderSettingsPickerDescriptor( diff --git a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials.swift b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials.swift index 37f7cde61..359c08f93 100644 --- a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials.swift +++ b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials.swift @@ -343,9 +343,10 @@ public enum ClaudeOAuthCredentialsStore { respectKeychainPromptCooldown: Bool, lastError: inout Error?) -> ClaudeOAuthCredentialRecord? { + let shouldApplyPromptCooldown = self.isPromptPolicyApplicable && respectKeychainPromptCooldown let promptAllowed = allowKeychainPrompt - && (!respectKeychainPromptCooldown || ClaudeOAuthKeychainAccessGate.shouldAllowPrompt()) + && (!shouldApplyPromptCooldown || ClaudeOAuthKeychainAccessGate.shouldAllowPrompt()) guard promptAllowed else { return nil } do { @@ -669,7 +670,8 @@ public enum ClaudeOAuthCredentialsStore { #if os(macOS) let mode = ClaudeOAuthKeychainPromptPreference.current() guard self.shouldAllowClaudeCodeKeychainAccess(mode: mode) else { return false } - if ProviderInteractionContext.current == .background, + if self.isPromptPolicyApplicable, + ProviderInteractionContext.current == .background, !ClaudeOAuthKeychainAccessGate.shouldAllowPrompt() { return false } if self.loadFromClaudeKeychainViaSecurityCLIIfEnabled(allowKeychainPrompt: false) != nil { return true @@ -719,7 +721,8 @@ public enum ClaudeOAuthCredentialsStore { #if os(macOS) let mode = ClaudeOAuthKeychainPromptPreference.current() guard self.shouldAllowClaudeCodeKeychainAccess(mode: mode) else { return nil } - if respectKeychainPromptCooldown, + if self.isPromptPolicyApplicable, + respectKeychainPromptCooldown, !ClaudeOAuthKeychainAccessGate.shouldAllowPrompt(now: now) { return nil @@ -834,7 +837,8 @@ public enum ClaudeOAuthCredentialsStore { return nil } - if respectKeychainPromptCooldown, + if self.isPromptPolicyApplicable, + respectKeychainPromptCooldown, ProviderInteractionContext.current != .userInitiated, !ClaudeOAuthKeychainAccessGate.shouldAllowPrompt(now: now) { @@ -1107,7 +1111,8 @@ public enum ClaudeOAuthCredentialsStore { private static func claudeKeychainCandidatesWithoutPrompt() -> [ClaudeKeychainCandidate] { let mode = ClaudeOAuthKeychainPromptPreference.current() guard self.shouldAllowClaudeCodeKeychainAccess(mode: mode) else { return [] } - if ProviderInteractionContext.current == .background, + if self.isPromptPolicyApplicable, + ProviderInteractionContext.current == .background, !ClaudeOAuthKeychainAccessGate.shouldAllowPrompt() { return [] } var query: [String: Any] = [ kSecClass as String: kSecClassGenericPassword, @@ -1146,7 +1151,8 @@ public enum ClaudeOAuthCredentialsStore { private static func claudeKeychainLegacyCandidateWithoutPrompt() -> ClaudeKeychainCandidate? { let mode = ClaudeOAuthKeychainPromptPreference.current() guard self.shouldAllowClaudeCodeKeychainAccess(mode: mode) else { return nil } - if ProviderInteractionContext.current == .background, + if self.isPromptPolicyApplicable, + ProviderInteractionContext.current == .background, !ClaudeOAuthKeychainAccessGate.shouldAllowPrompt() { return nil } var query: [String: Any] = [ kSecClass as String: kSecClassGenericPassword, @@ -1363,6 +1369,10 @@ public enum ClaudeOAuthCredentialsStore { return !KeychainAccessGate.isDisabled } + private static var isPromptPolicyApplicable: Bool { + ClaudeOAuthKeychainPromptPreference.isApplicable() + } + private static func shouldAllowClaudeCodeKeychainAccess( mode: ClaudeOAuthKeychainPromptMode = ClaudeOAuthKeychainPromptPreference.current()) -> Bool { @@ -1457,7 +1467,8 @@ extension ClaudeOAuthCredentialsStore { // If background keychain access has been denied/blocked, don't attempt silent reads that could trigger // repeated prompts on misbehaving configurations. User actions clear/bypass this gate elsewhere. - if ProviderInteractionContext.current == .background, + if self.isPromptPolicyApplicable, + ProviderInteractionContext.current == .background, !ClaudeOAuthKeychainAccessGate.shouldAllowPrompt(now: now) { return false } #if DEBUG diff --git a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthKeychainPromptMode.swift b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthKeychainPromptMode.swift index 743246a54..76bea1c55 100644 --- a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthKeychainPromptMode.swift +++ b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthKeychainPromptMode.swift @@ -14,6 +14,10 @@ public enum ClaudeOAuthKeychainPromptPreference { #endif public static func current(userDefaults: UserDefaults = .standard) -> ClaudeOAuthKeychainPromptMode { + self.effectiveMode(userDefaults: userDefaults) + } + + public static func storedMode(userDefaults: UserDefaults = .standard) -> ClaudeOAuthKeychainPromptMode { #if DEBUG if let taskOverride { return taskOverride } #endif @@ -25,6 +29,23 @@ public enum ClaudeOAuthKeychainPromptPreference { return .onlyOnUserAction } + public static func isApplicable( + readStrategy: ClaudeOAuthKeychainReadStrategy = ClaudeOAuthKeychainReadStrategyPreference.current()) -> Bool + { + readStrategy == .securityFramework + } + + public static func effectiveMode( + userDefaults: UserDefaults = .standard, + readStrategy: ClaudeOAuthKeychainReadStrategy = ClaudeOAuthKeychainReadStrategyPreference.current()) + -> ClaudeOAuthKeychainPromptMode + { + guard self.isApplicable(readStrategy: readStrategy) else { + return .always + } + return self.storedMode(userDefaults: userDefaults) + } + #if DEBUG static func withTaskOverrideForTesting( _ mode: ClaudeOAuthKeychainPromptMode?, diff --git a/Sources/CodexBarCore/Providers/Claude/ClaudeProviderDescriptor.swift b/Sources/CodexBarCore/Providers/Claude/ClaudeProviderDescriptor.swift index aeb852b21..002a600ae 100644 --- a/Sources/CodexBarCore/Providers/Claude/ClaudeProviderDescriptor.swift +++ b/Sources/CodexBarCore/Providers/Claude/ClaudeProviderDescriptor.swift @@ -202,11 +202,13 @@ struct ClaudeOAuthFetchStrategy: ProviderFetchStrategy { // // User actions should be able to recover immediately even if a prior background attempt tripped the // keychain cooldown gate. Clear the cooldown before deciding availability so the fetch path can proceed. - if ProviderInteractionContext.current == .userInitiated { + let promptPolicyApplicable = ClaudeOAuthKeychainPromptPreference.isApplicable() + if promptPolicyApplicable, ProviderInteractionContext.current == .userInitiated { _ = ClaudeOAuthKeychainAccessGate.clearDenied() } - let shouldAllowStartupBootstrap = context.runtime == .app && + let shouldAllowStartupBootstrap = promptPolicyApplicable && + context.runtime == .app && ProviderRefreshContext.current == .startup && ProviderInteractionContext.current == .background && ClaudeOAuthKeychainPromptPreference.current() == .onlyOnUserAction && @@ -215,7 +217,11 @@ struct ClaudeOAuthFetchStrategy: ProviderFetchStrategy { return ClaudeOAuthKeychainAccessGate.shouldAllowPrompt() } - guard ClaudeOAuthKeychainAccessGate.shouldAllowPrompt() else { return false } + if promptPolicyApplicable, + !ClaudeOAuthKeychainAccessGate.shouldAllowPrompt() + { + return false + } return ClaudeOAuthCredentialsStore.hasClaudeKeychainCredentialsWithoutPrompt() } diff --git a/Sources/CodexBarCore/Providers/Claude/ClaudeUsageFetcher.swift b/Sources/CodexBarCore/Providers/Claude/ClaudeUsageFetcher.swift index ae8284b9e..a9a79be9d 100644 --- a/Sources/CodexBarCore/Providers/Claude/ClaudeUsageFetcher.swift +++ b/Sources/CodexBarCore/Providers/Claude/ClaudeUsageFetcher.swift @@ -74,6 +74,7 @@ public struct ClaudeUsageFetcher: ClaudeUsageFetching, Sendable { private struct ClaudeOAuthKeychainPromptPolicy: Sendable { let mode: ClaudeOAuthKeychainPromptMode + let isApplicable: Bool let interaction: ProviderInteraction var canPromptNow: Bool { @@ -90,7 +91,8 @@ public struct ClaudeUsageFetcher: ClaudeUsageFetching, Sendable { /// Respect the Keychain prompt cooldown for background operations to avoid spamming system dialogs. /// User actions (menu open / refresh / settings) are allowed to bypass the cooldown. var shouldRespectKeychainPromptCooldown: Bool { - self.interaction != .userInitiated + guard self.isApplicable else { return false } + return self.interaction != .userInitiated } var interactionLabel: String { @@ -99,12 +101,14 @@ public struct ClaudeUsageFetcher: ClaudeUsageFetching, Sendable { } private static func currentClaudeOAuthKeychainPromptPolicy() -> ClaudeOAuthKeychainPromptPolicy { + let isApplicable = ClaudeOAuthKeychainPromptPreference.isApplicable() let policy = ClaudeOAuthKeychainPromptPolicy( mode: ClaudeOAuthKeychainPromptPreference.current(), + isApplicable: isApplicable, interaction: ProviderInteractionContext.current) // User actions should be able to immediately retry a repair after a background cooldown was recorded. - if policy.interaction == .userInitiated { + if policy.isApplicable, policy.interaction == .userInitiated { if ClaudeOAuthKeychainAccessGate.clearDenied() { Self.log.info("Claude OAuth keychain cooldown cleared by user action") } @@ -116,6 +120,7 @@ public struct ClaudeUsageFetcher: ClaudeUsageFetching, Sendable { policy: ClaudeOAuthKeychainPromptPolicy, allowBackgroundDelegatedRefresh: Bool) throws { + guard policy.isApplicable else { return } if policy.mode == .never { throw ClaudeUsageError.oauthFailed("Delegated refresh is disabled by 'never' keychain policy.") } @@ -309,6 +314,7 @@ public struct ClaudeUsageFetcher: ClaudeUsageFetching, Sendable { policy: ClaudeOAuthKeychainPromptPolicy, hasCache: Bool) -> Bool { + guard policy.isApplicable else { return false } guard self.allowStartupBootstrapPrompt else { return false } guard !hasCache else { return false } guard policy.mode == .onlyOnUserAction else { return false } @@ -328,6 +334,7 @@ public struct ClaudeUsageFetcher: ClaudeUsageFetching, Sendable { metadata: [ "interaction": policy.interactionLabel, "promptMode": policy.mode.rawValue, + "promptPolicyApplicable": "\(policy.isApplicable)", "hasCache": "\(hasCache)", "startupBootstrapOverride": "\(startupBootstrapOverride)", ]) @@ -398,119 +405,7 @@ public struct ClaudeUsageFetcher: ClaudeUsageFetching, Sendable { throw error } catch let error as ClaudeOAuthCredentialsError { if case .refreshDelegatedToClaudeCLI = error { - guard allowDelegatedRetry else { - throw ClaudeUsageError.oauthFailed( - "Claude OAuth token expired and delegated Claude CLI refresh did not recover. " - + "Run `claude login`, then retry.") - } - - try Task.checkCancellation() - - let delegatedPromptPolicy = Self.currentClaudeOAuthKeychainPromptPolicy() - try Self.assertDelegatedRefreshAllowedInCurrentInteraction( - policy: delegatedPromptPolicy, - allowBackgroundDelegatedRefresh: self.allowBackgroundDelegatedRefresh) - - let delegatedOutcome = await Self.attemptDelegatedRefresh() - Self.log.info( - "Claude OAuth delegated refresh attempted", - metadata: [ - "outcome": Self.delegatedRefreshOutcomeLabel(delegatedOutcome), - ]) - - do { - // In Auto mode, avoid forcing interactive Keychain prompts or blocking the fallback chain when - // delegation cannot run. - if self.oauthKeychainPromptCooldownEnabled { - switch delegatedOutcome { - case .skippedByCooldown, .cliUnavailable: - throw ClaudeUsageError.oauthFailed( - "Claude OAuth token expired; delegated refresh is unavailable (outcome=" - + "\(Self.delegatedRefreshOutcomeLabel(delegatedOutcome))).") - case .attemptedSucceeded: - break - case .attemptedFailed: - // Delegation ran but didn't observe a keychain change. We'll attempt a non-interactive - // reload below (allowKeychainPrompt=false) and then allow the Auto chain to fall back. - break - } - } - - try Task.checkCancellation() - - // After delegated refresh, reload credentials and retry OAuth once. - // In OAuth mode we allow an interactive Keychain prompt here; in Auto mode we keep it silent to - // avoid bypassing the prompt cooldown and to let the fallback chain proceed. - _ = ClaudeOAuthCredentialsStore.invalidateCacheIfCredentialsFileChanged() - - let didSyncSilently = delegatedOutcome == .attemptedSucceeded - && ClaudeOAuthCredentialsStore.syncFromClaudeKeychainWithoutPrompt(now: Date()) - - let promptPolicy = Self.currentClaudeOAuthKeychainPromptPolicy() - Self.logDeferredBackgroundDelegatedRecoveryIfNeeded( - delegatedOutcome: delegatedOutcome, - didSyncSilently: didSyncSilently, - policy: promptPolicy) - let retryAllowKeychainPrompt = promptPolicy.canPromptNow && !didSyncSilently - if retryAllowKeychainPrompt { - Self.log.info( - "Claude OAuth keychain prompt allowed (post-delegation retry)", - metadata: [ - "interaction": promptPolicy.interactionLabel, - "promptMode": promptPolicy.mode.rawValue, - "delegatedOutcome": Self.delegatedRefreshOutcomeLabel(delegatedOutcome), - "didSyncSilently": "\(didSyncSilently)", - ]) - } - if Self.isClaudeOAuthFlowDebugEnabled { - Self.log.debug( - "Claude OAuth credential load (post-delegation retry start)", - metadata: [ - "cooldownEnabled": "\(self.oauthKeychainPromptCooldownEnabled)", - "didSyncSilently": "\(didSyncSilently)", - "allowKeychainPrompt": "\(retryAllowKeychainPrompt)", - "delegatedOutcome": Self.delegatedRefreshOutcomeLabel(delegatedOutcome), - "interaction": promptPolicy.interactionLabel, - "promptMode": promptPolicy.mode.rawValue, - ]) - } - let refreshedCreds = try await Self.loadOAuthCredentials( - environment: self.environment, - allowKeychainPrompt: retryAllowKeychainPrompt, - respectKeychainPromptCooldown: promptPolicy.shouldRespectKeychainPromptCooldown) - if Self.isClaudeOAuthFlowDebugEnabled { - Self.log.debug( - "Claude OAuth credential load (post-delegation retry)", - metadata: [ - "cooldownEnabled": "\(self.oauthKeychainPromptCooldownEnabled)", - "didSyncSilently": "\(didSyncSilently)", - "allowKeychainPrompt": "\(retryAllowKeychainPrompt)", - "delegatedOutcome": Self.delegatedRefreshOutcomeLabel(delegatedOutcome), - "interaction": promptPolicy.interactionLabel, - "promptMode": promptPolicy.mode.rawValue, - ]) - } - - if !refreshedCreds.scopes.contains("user:profile") { - let scopes = refreshedCreds.scopes.joined(separator: ", ") - throw ClaudeUsageError.oauthFailed( - "Claude OAuth token missing 'user:profile' scope (has: \(scopes)). " - + "Run `claude setup-token` to re-generate credentials, " - + "or switch Claude Source to Web/CLI.") - } - - let usage = try await Self.fetchOAuthUsage(accessToken: refreshedCreds.accessToken) - return try Self.mapOAuthUsage(usage, credentials: refreshedCreds) - } catch { - Self.log.debug( - "Claude OAuth post-delegation retry failed", - metadata: Self.delegatedRetryFailureMetadata( - error: error, - oauthKeychainPromptCooldownEnabled: self.oauthKeychainPromptCooldownEnabled, - delegatedOutcome: delegatedOutcome)) - throw ClaudeUsageError.oauthFailed( - Self.delegatedRefreshFailureMessage(for: delegatedOutcome, retryError: error)) - } + return try await self.loadViaOAuthAfterDelegatedRefresh(allowDelegatedRetry: allowDelegatedRetry) } throw ClaudeUsageError.oauthFailed(error.localizedDescription) } catch let error as ClaudeOAuthFetchError { @@ -529,6 +424,125 @@ public struct ClaudeUsageFetcher: ClaudeUsageFetching, Sendable { } } + private func loadViaOAuthAfterDelegatedRefresh(allowDelegatedRetry: Bool) async throws -> ClaudeUsageSnapshot { + guard allowDelegatedRetry else { + throw ClaudeUsageError.oauthFailed( + "Claude OAuth token expired and delegated Claude CLI refresh did not recover. " + + "Run `claude login`, then retry.") + } + + try Task.checkCancellation() + + let delegatedPromptPolicy = Self.currentClaudeOAuthKeychainPromptPolicy() + try Self.assertDelegatedRefreshAllowedInCurrentInteraction( + policy: delegatedPromptPolicy, + allowBackgroundDelegatedRefresh: self.allowBackgroundDelegatedRefresh) + + let delegatedOutcome = await Self.attemptDelegatedRefresh() + Self.log.info( + "Claude OAuth delegated refresh attempted", + metadata: [ + "outcome": Self.delegatedRefreshOutcomeLabel(delegatedOutcome), + ]) + + do { + // In Auto mode, avoid forcing interactive Keychain prompts or blocking the fallback chain when + // delegation cannot run. + if self.oauthKeychainPromptCooldownEnabled { + switch delegatedOutcome { + case .skippedByCooldown, .cliUnavailable: + throw ClaudeUsageError.oauthFailed( + "Claude OAuth token expired; delegated refresh is unavailable (outcome=" + + "\(Self.delegatedRefreshOutcomeLabel(delegatedOutcome))).") + case .attemptedSucceeded: + break + case .attemptedFailed: + // Delegation ran but didn't observe a keychain change. We'll attempt a non-interactive reload + // below (allowKeychainPrompt=false) and then allow the Auto chain to fall back. + break + } + } + + try Task.checkCancellation() + + // After delegated refresh, reload credentials and retry OAuth once. + // In OAuth mode we allow an interactive Keychain prompt here; in Auto mode we keep it silent to avoid + // bypassing the prompt cooldown and to let the fallback chain proceed. + _ = ClaudeOAuthCredentialsStore.invalidateCacheIfCredentialsFileChanged() + + let didSyncSilently = delegatedOutcome == .attemptedSucceeded + && ClaudeOAuthCredentialsStore.syncFromClaudeKeychainWithoutPrompt(now: Date()) + + let promptPolicy = Self.currentClaudeOAuthKeychainPromptPolicy() + Self.logDeferredBackgroundDelegatedRecoveryIfNeeded( + delegatedOutcome: delegatedOutcome, + didSyncSilently: didSyncSilently, + policy: promptPolicy) + let retryAllowKeychainPrompt = promptPolicy.canPromptNow && !didSyncSilently + if retryAllowKeychainPrompt { + Self.log.info( + "Claude OAuth keychain prompt allowed (post-delegation retry)", + metadata: [ + "interaction": promptPolicy.interactionLabel, + "promptMode": promptPolicy.mode.rawValue, + "promptPolicyApplicable": "\(promptPolicy.isApplicable)", + "delegatedOutcome": Self.delegatedRefreshOutcomeLabel(delegatedOutcome), + "didSyncSilently": "\(didSyncSilently)", + ]) + } + if Self.isClaudeOAuthFlowDebugEnabled { + Self.log.debug( + "Claude OAuth credential load (post-delegation retry start)", + metadata: [ + "cooldownEnabled": "\(self.oauthKeychainPromptCooldownEnabled)", + "didSyncSilently": "\(didSyncSilently)", + "allowKeychainPrompt": "\(retryAllowKeychainPrompt)", + "delegatedOutcome": Self.delegatedRefreshOutcomeLabel(delegatedOutcome), + "interaction": promptPolicy.interactionLabel, + "promptMode": promptPolicy.mode.rawValue, + "promptPolicyApplicable": "\(promptPolicy.isApplicable)", + ]) + } + let refreshedCreds = try await Self.loadOAuthCredentials( + environment: self.environment, + allowKeychainPrompt: retryAllowKeychainPrompt, + respectKeychainPromptCooldown: promptPolicy.shouldRespectKeychainPromptCooldown) + if Self.isClaudeOAuthFlowDebugEnabled { + Self.log.debug( + "Claude OAuth credential load (post-delegation retry)", + metadata: [ + "cooldownEnabled": "\(self.oauthKeychainPromptCooldownEnabled)", + "didSyncSilently": "\(didSyncSilently)", + "allowKeychainPrompt": "\(retryAllowKeychainPrompt)", + "delegatedOutcome": Self.delegatedRefreshOutcomeLabel(delegatedOutcome), + "interaction": promptPolicy.interactionLabel, + "promptMode": promptPolicy.mode.rawValue, + "promptPolicyApplicable": "\(promptPolicy.isApplicable)", + ]) + } + + if !refreshedCreds.scopes.contains("user:profile") { + let scopes = refreshedCreds.scopes.joined(separator: ", ") + throw ClaudeUsageError.oauthFailed( + "Claude OAuth token missing 'user:profile' scope (has: \(scopes)). " + + "Run `claude setup-token` to re-generate credentials, " + + "or switch Claude Source to Web/CLI.") + } + + let usage = try await Self.fetchOAuthUsage(accessToken: refreshedCreds.accessToken) + return try Self.mapOAuthUsage(usage, credentials: refreshedCreds) + } catch { + Self.log.debug( + "Claude OAuth post-delegation retry failed", + metadata: Self.delegatedRetryFailureMetadata( + error: error, + oauthKeychainPromptCooldownEnabled: self.oauthKeychainPromptCooldownEnabled, + delegatedOutcome: delegatedOutcome)) + throw ClaudeUsageError.oauthFailed( + Self.delegatedRefreshFailureMessage(for: delegatedOutcome, retryError: error)) + } + } + private static func loadOAuthCredentials( environment: [String: String], allowKeychainPrompt: Bool, diff --git a/Tests/CodexBarTests/ClaudeOAuthCredentialsStoreSecurityCLITests.swift b/Tests/CodexBarTests/ClaudeOAuthCredentialsStoreSecurityCLITests.swift index 238fc05db..712531a60 100644 --- a/Tests/CodexBarTests/ClaudeOAuthCredentialsStoreSecurityCLITests.swift +++ b/Tests/CodexBarTests/ClaudeOAuthCredentialsStoreSecurityCLITests.swift @@ -271,4 +271,33 @@ struct ClaudeOAuthCredentialsStoreSecurityCLITests { #expect(hasCredentials == true) } + + @Test + func experimentalReader_ignoresPromptPolicyAndCooldownForBackgroundSilentCheck() throws { + let securityData = self.makeCredentialsData( + accessToken: "security-background", + expiresAt: Date(timeIntervalSinceNow: 3600)) + + let hasCredentials = try KeychainAccessGate.withTaskOverrideForTesting(false) { + try ClaudeOAuthKeychainAccessGate.withShouldAllowPromptOverrideForTesting(false) { + try ClaudeOAuthKeychainReadStrategyPreference.withTaskOverrideForTesting( + .securityCLIExperimental, + operation: { + try ClaudeOAuthKeychainPromptPreference.withTaskOverrideForTesting( + .never, + operation: { + ProviderInteractionContext.$current.withValue(.background) { + ClaudeOAuthCredentialsStore.withSecurityCLIReadOverrideForTesting( + .data(securityData)) + { + ClaudeOAuthCredentialsStore.hasClaudeKeychainCredentialsWithoutPrompt() + } + } + }) + }) + } + } + + #expect(hasCredentials == true) + } } diff --git a/Tests/CodexBarTests/ClaudeOAuthFetchStrategyAvailabilityTests.swift b/Tests/CodexBarTests/ClaudeOAuthFetchStrategyAvailabilityTests.swift index 1953257b2..4f9514967 100644 --- a/Tests/CodexBarTests/ClaudeOAuthFetchStrategyAvailabilityTests.swift +++ b/Tests/CodexBarTests/ClaudeOAuthFetchStrategyAvailabilityTests.swift @@ -176,10 +176,12 @@ struct ClaudeOAuthFetchStrategyAvailabilityTests { let fileURL = tempDir.appendingPathComponent("credentials.json") let available = await ClaudeOAuthCredentialsStore.withCredentialsURLOverrideForTesting(fileURL) { - await ClaudeOAuthKeychainPromptPreference.withTaskOverrideForTesting(.onlyOnUserAction) { - await ProviderRefreshContext.$current.withValue(.startup) { - await ProviderInteractionContext.$current.withValue(.background) { - await strategy.isAvailable(context) + await ClaudeOAuthKeychainReadStrategyPreference.withTaskOverrideForTesting(.securityFramework) { + await ClaudeOAuthKeychainPromptPreference.withTaskOverrideForTesting(.onlyOnUserAction) { + await ProviderRefreshContext.$current.withValue(.startup) { + await ProviderInteractionContext.$current.withValue(.background) { + await strategy.isAvailable(context) + } } } } @@ -189,5 +191,54 @@ struct ClaudeOAuthFetchStrategyAvailabilityTests { } } } + + @Test + func autoMode_experimental_reader_ignoresPromptPolicyCooldownGate() async throws { + let context = self.makeContext(sourceMode: .auto) + let strategy = ClaudeOAuthFetchStrategy() + let securityData = Data(""" + { + "claudeAiOauth": { + "accessToken": "security-token", + "expiresAt": \(Int(Date(timeIntervalSinceNow: 3600).timeIntervalSince1970 * 1000)), + "scopes": ["user:profile"] + } + } + """.utf8) + + let recordWithoutRequiredScope = ClaudeOAuthCredentialRecord( + credentials: ClaudeOAuthCredentials( + accessToken: "token-no-scope", + refreshToken: "refresh-token", + expiresAt: Date(timeIntervalSinceNow: -60), + scopes: ["user:inference"], + rateLimitTier: nil), + owner: .claudeCLI, + source: .cacheKeychain) + + let available = try await KeychainAccessGate.withTaskOverrideForTesting(false) { + await ClaudeOAuthKeychainAccessGate.withShouldAllowPromptOverrideForTesting(false) { + await ClaudeOAuthKeychainReadStrategyPreference.withTaskOverrideForTesting( + .securityCLIExperimental) + { + await ClaudeOAuthKeychainPromptPreference.withTaskOverrideForTesting(.onlyOnUserAction) { + await ClaudeOAuthFetchStrategy.$nonInteractiveCredentialRecordOverride.withValue( + recordWithoutRequiredScope) + { + await ProviderInteractionContext.$current.withValue(.background) { + await ClaudeOAuthCredentialsStore.withSecurityCLIReadOverrideForTesting(.data( + securityData)) + { + await strategy.isAvailable(context) + } + } + } + } + } + } + } + + #expect(available == true) + } } #endif diff --git a/Tests/CodexBarTests/ClaudeUsageTests.swift b/Tests/CodexBarTests/ClaudeUsageTests.swift index 873095ae2..897c4b77a 100644 --- a/Tests/CodexBarTests/ClaudeUsageTests.swift +++ b/Tests/CodexBarTests/ClaudeUsageTests.swift @@ -855,3 +855,68 @@ struct ClaudeUsageTests { #expect(cliVersion?.isEmpty != true) } } + +extension ClaudeUsageTests { + @Test + func oauthDelegatedRetry_experimental_background_ignoresOnlyOnUserActionSuppression() async throws { + let loadCounter = AsyncCounter() + let delegatedCounter = AsyncCounter() + let usageResponse = try Self.makeOAuthUsageResponse() + + let fetcher = ClaudeUsageFetcher( + browserDetection: BrowserDetection(cacheTTL: 0), + environment: [:], + dataSource: .oauth, + oauthKeychainPromptCooldownEnabled: true, + allowBackgroundDelegatedRefresh: false) + + let fetchOverride: (@Sendable (String) async throws -> OAuthUsageResponse)? = { _ in usageResponse } + let delegatedOverride: (@Sendable ( + Date, + TimeInterval) async -> ClaudeOAuthDelegatedRefreshCoordinator.Outcome)? = { _, _ in + _ = await delegatedCounter.increment() + return .attemptedSucceeded + } + let loadCredsOverride: (@Sendable ( + [String: String], + Bool, + Bool) async throws -> ClaudeOAuthCredentials)? = { _, _, _ in + let call = await loadCounter.increment() + if call == 1 { + throw ClaudeOAuthCredentialsError.refreshDelegatedToClaudeCLI + } + return ClaudeOAuthCredentials( + accessToken: "fresh-token", + refreshToken: "refresh-token", + expiresAt: Date(timeIntervalSinceNow: 3600), + scopes: ["user:profile"], + rateLimitTier: nil) + } + + let snapshot = try await ClaudeOAuthKeychainReadStrategyPreference.withTaskOverrideForTesting( + .securityCLIExperimental, + operation: { + try await ClaudeOAuthKeychainPromptPreference.withTaskOverrideForTesting(.onlyOnUserAction) { + try await ProviderInteractionContext.$current.withValue(.background) { + try await ClaudeUsageFetcher.$hasCachedCredentialsOverride.withValue(true) { + try await ClaudeUsageFetcher.$fetchOAuthUsageOverride.withValue(fetchOverride) { + try await ClaudeUsageFetcher.$delegatedRefreshAttemptOverride.withValue( + delegatedOverride) + { + try await ClaudeUsageFetcher.$loadOAuthCredentialsOverride.withValue( + loadCredsOverride) + { + try await fetcher.loadLatestUsage(model: "sonnet") + } + } + } + } + } + } + }) + + #expect(await loadCounter.current() == 2) + #expect(await delegatedCounter.current() == 1) + #expect(snapshot.primary.usedPercent == 7) + } +} diff --git a/Tests/CodexBarTests/ProviderSettingsDescriptorTests.swift b/Tests/CodexBarTests/ProviderSettingsDescriptorTests.swift index 766066483..65cfbdd1a 100644 --- a/Tests/CodexBarTests/ProviderSettingsDescriptorTests.swift +++ b/Tests/CodexBarTests/ProviderSettingsDescriptorTests.swift @@ -175,6 +175,50 @@ struct ProviderSettingsDescriptorTests { #expect(readStrategyPicker.isEnabled?() ?? true) } + @Test + func claudePromptPolicyPickerHiddenWhenExperimentalReaderSelected() throws { + let suite = "ProviderSettingsDescriptorTests-claude-prompt-hidden-experimental" + let defaults = try #require(UserDefaults(suiteName: suite)) + defaults.removePersistentDomain(forName: suite) + let configStore = testConfigStore(suiteName: suite) + let settings = SettingsStore( + userDefaults: defaults, + configStore: configStore, + zaiTokenStore: NoopZaiTokenStore(), + syntheticTokenStore: NoopSyntheticTokenStore()) + settings.debugDisableKeychainAccess = false + settings.claudeOAuthKeychainReadStrategy = .securityCLIExperimental + + let store = UsageStore( + fetcher: UsageFetcher(environment: [:]), + browserDetection: BrowserDetection(cacheTTL: 0), + settings: settings) + + let context = ProviderSettingsContext( + provider: .claude, + settings: settings, + store: store, + boolBinding: { keyPath in + Binding( + get: { settings[keyPath: keyPath] }, + set: { settings[keyPath: keyPath] = $0 }) + }, + stringBinding: { keyPath in + Binding( + get: { settings[keyPath: keyPath] }, + set: { settings[keyPath: keyPath] = $0 }) + }, + statusText: { _ in nil }, + setStatusText: { _, _ in }, + lastAppActiveRunAt: { _ in nil }, + setLastAppActiveRunAt: { _, _ in }, + requestConfirmation: { _ in }) + + let pickers = ClaudeProviderImplementation().settingsPickers(context: context) + let keychainPicker = try #require(pickers.first(where: { $0.id == "claude-keychain-prompt-policy" })) + #expect(keychainPicker.isVisible?() == false) + } + @Test func claudeKeychainPromptPolicyPickerDisabledWhenGlobalKeychainDisabled() throws { let suite = "ProviderSettingsDescriptorTests-claude-keychain-disabled" From fe3cd2f0742423234d23a9d4c068d2f0bf4b2676 Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Sun, 15 Feb 2026 23:04:12 +0530 Subject: [PATCH 065/131] Apply stored prompt policy to experimental fallback --- .../Claude/ClaudeProviderImplementation.swift | 4 +- .../ClaudeOAuth/ClaudeOAuthCredentials.swift | 130 +++++++++-- .../ClaudeOAuthKeychainPromptMode.swift | 11 + ...uthCredentialsStorePromptPolicyTests.swift | 221 ++++++++++++++++++ ...AuthCredentialsStoreSecurityCLITests.swift | 52 ++++- ...eOAuthFetchStrategyAvailabilityTests.swift | 58 ++++- Tests/CodexBarTests/ClaudeUsageTests.swift | 31 +++ 7 files changed, 472 insertions(+), 35 deletions(-) diff --git a/Sources/CodexBar/Providers/Claude/ClaudeProviderImplementation.swift b/Sources/CodexBar/Providers/Claude/ClaudeProviderImplementation.swift index 22af2339c..9c067f49a 100644 --- a/Sources/CodexBar/Providers/Claude/ClaudeProviderImplementation.swift +++ b/Sources/CodexBar/Providers/Claude/ClaudeProviderImplementation.swift @@ -133,8 +133,8 @@ struct ClaudeProviderImplementation: ProviderImplementation { return "Global Keychain access is disabled in Advanced, so this setting is currently inactive." } if context.settings.claudeOAuthKeychainReadStrategy == .securityCLIExperimental { - return "Experimental mode reads via /usr/bin/security. Keychain prompt policy does not apply in this " + - "mode and is hidden." + return "Experimental mode reads via /usr/bin/security first. If it falls back to Security.framework, " + + "the stored keychain prompt policy still applies (default: only on user action)." } return "Standard mode uses Security.framework and respects the keychain prompt policy below." } diff --git a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials.swift b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials.swift index 359c08f93..9699793bf 100644 --- a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials.swift +++ b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials.swift @@ -14,6 +14,7 @@ import LocalAuthentication import Security #endif +// swiftlint:disable file_length // swiftlint:disable type_body_length public enum ClaudeOAuthCredentialsStore { private static let credentialsPath = ".claude/.credentials.json" @@ -395,6 +396,25 @@ public enum ClaudeOAuthCredentialsStore { return record } + let shouldPreferSecurityCLIKeychainRead = self.shouldPreferSecurityCLIKeychainRead() + var fallbackPromptMode = ClaudeOAuthKeychainPromptPreference.current() + if shouldPreferSecurityCLIKeychainRead { + fallbackPromptMode = ClaudeOAuthKeychainPromptPreference.securityFrameworkFallbackMode() + let fallbackDecision = self.securityFrameworkFallbackPromptDecision( + promptMode: fallbackPromptMode, + allowKeychainPrompt: allowKeychainPrompt, + respectKeychainPromptCooldown: respectKeychainPromptCooldown) + self.log.debug( + "Claude keychain Security.framework fallback prompt policy evaluated", + metadata: [ + "reader": "securityFrameworkFallback", + "fallbackPromptMode": fallbackPromptMode.rawValue, + "fallbackPromptAllowed": "\(fallbackDecision.allowed)", + "fallbackBlockedReason": fallbackDecision.blockedReason ?? "none", + ]) + guard fallbackDecision.allowed else { return nil } + } + // Some macOS configurations still show the system keychain prompt even for our "silent" probes. // Only show the in-app pre-alert when we have evidence that Keychain interaction is likely. if self.shouldShowClaudeKeychainPreAlert() { @@ -404,8 +424,10 @@ public enum ClaudeOAuthCredentialsStore { service: self.claudeKeychainService, account: nil)) } - let keychainData: Data = if self.shouldPreferSecurityCLIKeychainRead() { - try self.loadFromClaudeKeychainUsingSecurityFramework() + let keychainData: Data = if shouldPreferSecurityCLIKeychainRead { + try self.loadFromClaudeKeychainUsingSecurityFramework( + promptMode: fallbackPromptMode, + allowKeychainPrompt: true) } else { try self.loadFromClaudeKeychain() } @@ -1039,6 +1061,27 @@ public enum ClaudeOAuthCredentialsStore { self.saveClaudeKeychainFingerprint(self.currentClaudeKeychainFingerprintWithoutPrompt()) return data } + if self.shouldPreferSecurityCLIKeychainRead() { + let fallbackPromptMode = ClaudeOAuthKeychainPromptPreference.securityFrameworkFallbackMode() + let fallbackDecision = self.securityFrameworkFallbackPromptDecision( + promptMode: fallbackPromptMode, + allowKeychainPrompt: true, + respectKeychainPromptCooldown: false) + self.log.debug( + "Claude keychain Security.framework fallback prompt policy evaluated", + metadata: [ + "reader": "securityFrameworkFallback", + "fallbackPromptMode": fallbackPromptMode.rawValue, + "fallbackPromptAllowed": "\(fallbackDecision.allowed)", + "fallbackBlockedReason": fallbackDecision.blockedReason ?? "none", + ]) + guard fallbackDecision.allowed else { + throw ClaudeOAuthCredentialsError.notFound + } + return try self.loadFromClaudeKeychainUsingSecurityFramework( + promptMode: fallbackPromptMode, + allowKeychainPrompt: true) + } return try self.loadFromClaudeKeychainUsingSecurityFramework() } @@ -1047,17 +1090,23 @@ public enum ClaudeOAuthCredentialsStore { try self.loadFromClaudeKeychain() } - private static func loadFromClaudeKeychainUsingSecurityFramework() throws -> Data { + private static func loadFromClaudeKeychainUsingSecurityFramework( + promptMode: ClaudeOAuthKeychainPromptMode = ClaudeOAuthKeychainPromptPreference.current(), + allowKeychainPrompt: Bool = true) throws -> Data + { #if DEBUG if let store = taskClaudeKeychainOverrideStore, let override = store.data { return override } if let override = taskClaudeKeychainDataOverride ?? self.claudeKeychainDataOverride { return override } #endif #if os(macOS) - let candidates = self.claudeKeychainCandidatesWithoutPrompt() + let candidates = self.claudeKeychainCandidatesWithoutPrompt(promptMode: promptMode) if let newest = candidates.first { do { - if let data = try self.loadClaudeKeychainData(candidate: newest, allowKeychainPrompt: true), - !data.isEmpty + if let data = try self.loadClaudeKeychainData( + candidate: newest, + allowKeychainPrompt: allowKeychainPrompt, + promptMode: promptMode), + !data.isEmpty { // Store fingerprint after a successful interactive read so we don't immediately try to // "sync" in the background (which can still show UI on some systems). @@ -1081,8 +1130,10 @@ public enum ClaudeOAuthCredentialsStore { // Fallback: legacy query (may pick an arbitrary duplicate). do { - if let data = try self.loadClaudeKeychainLegacyData(allowKeychainPrompt: true), - !data.isEmpty + if let data = try self.loadClaudeKeychainLegacyData( + allowKeychainPrompt: allowKeychainPrompt, + promptMode: promptMode), + !data.isEmpty { // Same as above: store fingerprint after interactive read to avoid background "sync" reads. self.saveClaudeKeychainFingerprint(self.currentClaudeKeychainFingerprintWithoutPrompt()) @@ -1108,9 +1159,11 @@ public enum ClaudeOAuthCredentialsStore { let createdAt: Date? } - private static func claudeKeychainCandidatesWithoutPrompt() -> [ClaudeKeychainCandidate] { - let mode = ClaudeOAuthKeychainPromptPreference.current() - guard self.shouldAllowClaudeCodeKeychainAccess(mode: mode) else { return [] } + private static func claudeKeychainCandidatesWithoutPrompt( + promptMode: ClaudeOAuthKeychainPromptMode = ClaudeOAuthKeychainPromptPreference + .current()) -> [ClaudeKeychainCandidate] + { + guard self.shouldAllowClaudeCodeKeychainAccess(mode: promptMode) else { return [] } if self.isPromptPolicyApplicable, ProviderInteractionContext.current == .background, !ClaudeOAuthKeychainAccessGate.shouldAllowPrompt() { return [] } @@ -1148,9 +1201,11 @@ public enum ClaudeOAuthCredentialsStore { } } - private static func claudeKeychainLegacyCandidateWithoutPrompt() -> ClaudeKeychainCandidate? { - let mode = ClaudeOAuthKeychainPromptPreference.current() - guard self.shouldAllowClaudeCodeKeychainAccess(mode: mode) else { return nil } + private static func claudeKeychainLegacyCandidateWithoutPrompt( + promptMode: ClaudeOAuthKeychainPromptMode = ClaudeOAuthKeychainPromptPreference + .current()) -> ClaudeKeychainCandidate? + { + guard self.shouldAllowClaudeCodeKeychainAccess(mode: promptMode) else { return nil } if self.isPromptPolicyApplicable, ProviderInteractionContext.current == .background, !ClaudeOAuthKeychainAccessGate.shouldAllowPrompt() { return nil } @@ -1181,10 +1236,10 @@ public enum ClaudeOAuthCredentialsStore { private static func loadClaudeKeychainData( candidate: ClaudeKeychainCandidate, - allowKeychainPrompt: Bool) throws -> Data? + allowKeychainPrompt: Bool, + promptMode: ClaudeOAuthKeychainPromptMode = ClaudeOAuthKeychainPromptPreference.current()) throws -> Data? { - let mode = ClaudeOAuthKeychainPromptPreference.current() - guard self.shouldAllowClaudeCodeKeychainAccess(mode: mode) else { return nil } + guard self.shouldAllowClaudeCodeKeychainAccess(mode: promptMode) else { return nil } self.log.debug( "Claude keychain data read start", metadata: [ @@ -1242,9 +1297,11 @@ public enum ClaudeOAuthCredentialsStore { } } - private static func loadClaudeKeychainLegacyData(allowKeychainPrompt: Bool) throws -> Data? { - let mode = ClaudeOAuthKeychainPromptPreference.current() - guard self.shouldAllowClaudeCodeKeychainAccess(mode: mode) else { return nil } + private static func loadClaudeKeychainLegacyData( + allowKeychainPrompt: Bool, + promptMode: ClaudeOAuthKeychainPromptMode = ClaudeOAuthKeychainPromptPreference.current()) throws -> Data? + { + guard self.shouldAllowClaudeCodeKeychainAccess(mode: promptMode) else { return nil } self.log.debug( "Claude keychain legacy data read start", metadata: [ @@ -1373,6 +1430,37 @@ public enum ClaudeOAuthCredentialsStore { ClaudeOAuthKeychainPromptPreference.isApplicable() } + private static func securityFrameworkFallbackPromptDecision( + promptMode: ClaudeOAuthKeychainPromptMode, + allowKeychainPrompt: Bool, + respectKeychainPromptCooldown: Bool) -> (allowed: Bool, blockedReason: String?) + { + guard allowKeychainPrompt else { + return (allowed: false, blockedReason: "allowKeychainPromptFalse") + } + guard self.shouldAllowClaudeCodeKeychainAccess(mode: promptMode) else { + return (allowed: false, blockedReason: self.fallbackBlockedReason(promptMode: promptMode)) + } + if respectKeychainPromptCooldown, + !ClaudeOAuthKeychainAccessGate.shouldAllowPrompt() + { + return (allowed: false, blockedReason: "cooldown") + } + return (allowed: true, blockedReason: nil) + } + + private static func fallbackBlockedReason(promptMode: ClaudeOAuthKeychainPromptMode) -> String { + if !self.keychainAccessAllowed { return "keychainDisabled" } + switch promptMode { + case .never: + return "never" + case .onlyOnUserAction: + return "onlyOnUserAction-background" + case .always: + return "disallowed" + } + } + private static func shouldAllowClaudeCodeKeychainAccess( mode: ClaudeOAuthKeychainPromptMode = ClaudeOAuthKeychainPromptPreference.current()) -> Bool { @@ -1707,3 +1795,5 @@ extension ClaudeOAuthCredentialsStore { } #endif } + +// swiftlint:enable file_length diff --git a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthKeychainPromptMode.swift b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthKeychainPromptMode.swift index 76bea1c55..3ae21771b 100644 --- a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthKeychainPromptMode.swift +++ b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthKeychainPromptMode.swift @@ -46,6 +46,17 @@ public enum ClaudeOAuthKeychainPromptPreference { return self.storedMode(userDefaults: userDefaults) } + public static func securityFrameworkFallbackMode( + userDefaults: UserDefaults = .standard, + readStrategy: ClaudeOAuthKeychainReadStrategy = ClaudeOAuthKeychainReadStrategyPreference.current()) + -> ClaudeOAuthKeychainPromptMode + { + if readStrategy == .securityCLIExperimental { + return self.storedMode(userDefaults: userDefaults) + } + return self.effectiveMode(userDefaults: userDefaults, readStrategy: readStrategy) + } + #if DEBUG static func withTaskOverrideForTesting( _ mode: ClaudeOAuthKeychainPromptMode?, diff --git a/Tests/CodexBarTests/ClaudeOAuthCredentialsStorePromptPolicyTests.swift b/Tests/CodexBarTests/ClaudeOAuthCredentialsStorePromptPolicyTests.swift index 3b58fdc6c..416bb828b 100644 --- a/Tests/CodexBarTests/ClaudeOAuthCredentialsStorePromptPolicyTests.swift +++ b/Tests/CodexBarTests/ClaudeOAuthCredentialsStorePromptPolicyTests.swift @@ -440,4 +440,225 @@ struct ClaudeOAuthCredentialsStorePromptPolicyTests { } } } + + @Test + func experimentalReader_doesNotFallbackInBackgroundWhenStoredModeOnlyOnUserAction() throws { + let service = "com.steipete.codexbar.cache.tests.\(UUID().uuidString)" + try KeychainCacheStore.withServiceOverrideForTesting(service) { + try KeychainAccessGate.withTaskOverrideForTesting(false) { + KeychainCacheStore.setTestStoreForTesting(true) + defer { KeychainCacheStore.setTestStoreForTesting(false) } + + try ClaudeOAuthCredentialsStore.withIsolatedMemoryCacheForTesting { + ClaudeOAuthCredentialsStore.invalidateCache() + ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() + defer { + ClaudeOAuthCredentialsStore.invalidateCache() + ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() + } + + let tempDir = FileManager.default.temporaryDirectory + .appendingPathComponent(UUID().uuidString, isDirectory: true) + try FileManager.default.createDirectory(at: tempDir, withIntermediateDirectories: true) + let fileURL = tempDir.appendingPathComponent("credentials.json") + try ClaudeOAuthCredentialsStore.withCredentialsURLOverrideForTesting(fileURL) { + let fallbackData = self.makeCredentialsData( + accessToken: "fallback-token", + expiresAt: Date(timeIntervalSinceNow: 3600)) + + var preAlertHits = 0 + let preflightOverride: (String, String?) -> KeychainAccessPreflight.Outcome = { _, _ in + .interactionRequired + } + let promptHandler: (KeychainPromptContext) -> Void = { _ in + preAlertHits += 1 + } + + do { + _ = try KeychainAccessPreflight.withCheckGenericPasswordOverrideForTesting( + preflightOverride, + operation: { + try KeychainPromptHandler.withHandlerForTesting(promptHandler, operation: { + try ClaudeOAuthKeychainReadStrategyPreference.withTaskOverrideForTesting( + .securityCLIExperimental) + { + try ClaudeOAuthKeychainPromptPreference.withTaskOverrideForTesting( + .onlyOnUserAction) + { + try ProviderInteractionContext.$current.withValue(.background) { + try ClaudeOAuthCredentialsStore + .withClaudeKeychainOverridesForTesting( + data: fallbackData, + fingerprint: nil) + { + try ClaudeOAuthCredentialsStore + .withSecurityCLIReadOverrideForTesting(.timedOut) { + try ClaudeOAuthCredentialsStore.load( + environment: [:], + allowKeychainPrompt: true, + respectKeychainPromptCooldown: true) + } + } + } + } + } + }) + }) + Issue.record("Expected ClaudeOAuthCredentialsError.notFound") + } catch let error as ClaudeOAuthCredentialsError { + guard case .notFound = error else { + Issue.record("Expected .notFound, got \(error)") + return + } + } + + #expect(preAlertHits == 0) + } + } + } + } + } + + @Test + func experimentalReader_doesNotFallbackWhenStoredModeNever() throws { + let service = "com.steipete.codexbar.cache.tests.\(UUID().uuidString)" + try KeychainCacheStore.withServiceOverrideForTesting(service) { + try KeychainAccessGate.withTaskOverrideForTesting(false) { + KeychainCacheStore.setTestStoreForTesting(true) + defer { KeychainCacheStore.setTestStoreForTesting(false) } + + try ClaudeOAuthCredentialsStore.withIsolatedMemoryCacheForTesting { + ClaudeOAuthCredentialsStore.invalidateCache() + ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() + defer { + ClaudeOAuthCredentialsStore.invalidateCache() + ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() + } + + let tempDir = FileManager.default.temporaryDirectory + .appendingPathComponent(UUID().uuidString, isDirectory: true) + try FileManager.default.createDirectory(at: tempDir, withIntermediateDirectories: true) + let fileURL = tempDir.appendingPathComponent("credentials.json") + try ClaudeOAuthCredentialsStore.withCredentialsURLOverrideForTesting(fileURL) { + let fallbackData = self.makeCredentialsData( + accessToken: "fallback-token", + expiresAt: Date(timeIntervalSinceNow: 3600)) + + var preAlertHits = 0 + let preflightOverride: (String, String?) -> KeychainAccessPreflight.Outcome = { _, _ in + .interactionRequired + } + let promptHandler: (KeychainPromptContext) -> Void = { _ in + preAlertHits += 1 + } + + do { + _ = try KeychainAccessPreflight.withCheckGenericPasswordOverrideForTesting( + preflightOverride, + operation: { + try KeychainPromptHandler.withHandlerForTesting(promptHandler, operation: { + try ClaudeOAuthKeychainReadStrategyPreference.withTaskOverrideForTesting( + .securityCLIExperimental) + { + try ClaudeOAuthKeychainPromptPreference.withTaskOverrideForTesting(.never) { + try ProviderInteractionContext.$current.withValue(.userInitiated) { + try ClaudeOAuthCredentialsStore + .withClaudeKeychainOverridesForTesting( + data: fallbackData, + fingerprint: nil) + { + try ClaudeOAuthCredentialsStore + .withSecurityCLIReadOverrideForTesting(.timedOut) { + try ClaudeOAuthCredentialsStore.load( + environment: [:], + allowKeychainPrompt: true) + } + } + } + } + } + }) + }) + Issue.record("Expected ClaudeOAuthCredentialsError.notFound") + } catch let error as ClaudeOAuthCredentialsError { + guard case .notFound = error else { + Issue.record("Expected .notFound, got \(error)") + return + } + } + + #expect(preAlertHits == 0) + } + } + } + } + } + + @Test + func experimentalReader_allowsFallbackInBackgroundWhenStoredModeAlways() throws { + let service = "com.steipete.codexbar.cache.tests.\(UUID().uuidString)" + try KeychainCacheStore.withServiceOverrideForTesting(service) { + try KeychainAccessGate.withTaskOverrideForTesting(false) { + KeychainCacheStore.setTestStoreForTesting(true) + defer { KeychainCacheStore.setTestStoreForTesting(false) } + + try ClaudeOAuthCredentialsStore.withIsolatedMemoryCacheForTesting { + ClaudeOAuthCredentialsStore.invalidateCache() + ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() + defer { + ClaudeOAuthCredentialsStore.invalidateCache() + ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() + } + + let tempDir = FileManager.default.temporaryDirectory + .appendingPathComponent(UUID().uuidString, isDirectory: true) + try FileManager.default.createDirectory(at: tempDir, withIntermediateDirectories: true) + let fileURL = tempDir.appendingPathComponent("credentials.json") + try ClaudeOAuthCredentialsStore.withCredentialsURLOverrideForTesting(fileURL) { + let fallbackData = self.makeCredentialsData( + accessToken: "fallback-token", + expiresAt: Date(timeIntervalSinceNow: 3600)) + + var preAlertHits = 0 + let preflightOverride: (String, String?) -> KeychainAccessPreflight.Outcome = { _, _ in + .interactionRequired + } + let promptHandler: (KeychainPromptContext) -> Void = { _ in + preAlertHits += 1 + } + + let creds = try KeychainAccessPreflight.withCheckGenericPasswordOverrideForTesting( + preflightOverride, + operation: { + try KeychainPromptHandler.withHandlerForTesting(promptHandler, operation: { + try ClaudeOAuthKeychainReadStrategyPreference.withTaskOverrideForTesting( + .securityCLIExperimental) + { + try ClaudeOAuthKeychainPromptPreference.withTaskOverrideForTesting(.always) { + try ProviderInteractionContext.$current.withValue(.background) { + try ClaudeOAuthCredentialsStore.withClaudeKeychainOverridesForTesting( + data: fallbackData, + fingerprint: nil) + { + try ClaudeOAuthCredentialsStore + .withSecurityCLIReadOverrideForTesting(.timedOut) { + try ClaudeOAuthCredentialsStore.load( + environment: [:], + allowKeychainPrompt: true, + respectKeychainPromptCooldown: false) + } + } + } + } + } + }) + }) + + #expect(creds.accessToken == "fallback-token") + #expect(preAlertHits >= 1) + } + } + } + } + } } diff --git a/Tests/CodexBarTests/ClaudeOAuthCredentialsStoreSecurityCLITests.swift b/Tests/CodexBarTests/ClaudeOAuthCredentialsStoreSecurityCLITests.swift index 712531a60..95fad4b94 100644 --- a/Tests/CodexBarTests/ClaudeOAuthCredentialsStoreSecurityCLITests.swift +++ b/Tests/CodexBarTests/ClaudeOAuthCredentialsStoreSecurityCLITests.swift @@ -218,15 +218,15 @@ struct ClaudeOAuthCredentialsStoreSecurityCLITests { } @Test - func experimentalReader_hasClaudeKeychainCredentialsWithoutPrompt_usesSecurityCLI() throws { + func experimentalReader_hasClaudeKeychainCredentialsWithoutPrompt_usesSecurityCLI() { let securityData = self.makeCredentialsData( accessToken: "security-available", expiresAt: Date(timeIntervalSinceNow: 3600)) - let hasCredentials = try ClaudeOAuthKeychainReadStrategyPreference.withTaskOverrideForTesting( + let hasCredentials = ClaudeOAuthKeychainReadStrategyPreference.withTaskOverrideForTesting( .securityCLIExperimental, operation: { - try ClaudeOAuthKeychainPromptPreference.withTaskOverrideForTesting( + ClaudeOAuthKeychainPromptPreference.withTaskOverrideForTesting( .always, operation: { ProviderInteractionContext.$current.withValue(.userInitiated) { @@ -243,15 +243,15 @@ struct ClaudeOAuthCredentialsStoreSecurityCLITests { } @Test - func experimentalReader_hasClaudeKeychainCredentialsWithoutPrompt_fallsBackWhenSecurityCLIFails() throws { + func experimentalReader_hasClaudeKeychainCredentialsWithoutPrompt_fallsBackWhenSecurityCLIFails() { let fallbackData = self.makeCredentialsData( accessToken: "fallback-available", expiresAt: Date(timeIntervalSinceNow: 3600)) - let hasCredentials = try ClaudeOAuthKeychainReadStrategyPreference.withTaskOverrideForTesting( + let hasCredentials = ClaudeOAuthKeychainReadStrategyPreference.withTaskOverrideForTesting( .securityCLIExperimental, operation: { - try ClaudeOAuthKeychainPromptPreference.withTaskOverrideForTesting( + ClaudeOAuthKeychainPromptPreference.withTaskOverrideForTesting( .always, operation: { ProviderInteractionContext.$current.withValue(.userInitiated) { @@ -273,17 +273,17 @@ struct ClaudeOAuthCredentialsStoreSecurityCLITests { } @Test - func experimentalReader_ignoresPromptPolicyAndCooldownForBackgroundSilentCheck() throws { + func experimentalReader_ignoresPromptPolicyAndCooldownForBackgroundSilentCheck() { let securityData = self.makeCredentialsData( accessToken: "security-background", expiresAt: Date(timeIntervalSinceNow: 3600)) - let hasCredentials = try KeychainAccessGate.withTaskOverrideForTesting(false) { - try ClaudeOAuthKeychainAccessGate.withShouldAllowPromptOverrideForTesting(false) { - try ClaudeOAuthKeychainReadStrategyPreference.withTaskOverrideForTesting( + let hasCredentials = KeychainAccessGate.withTaskOverrideForTesting(false) { + ClaudeOAuthKeychainAccessGate.withShouldAllowPromptOverrideForTesting(false) { + ClaudeOAuthKeychainReadStrategyPreference.withTaskOverrideForTesting( .securityCLIExperimental, operation: { - try ClaudeOAuthKeychainPromptPreference.withTaskOverrideForTesting( + ClaudeOAuthKeychainPromptPreference.withTaskOverrideForTesting( .never, operation: { ProviderInteractionContext.$current.withValue(.background) { @@ -300,4 +300,34 @@ struct ClaudeOAuthCredentialsStoreSecurityCLITests { #expect(hasCredentials == true) } + + @Test + func experimentalReader_loadFromClaudeKeychainFallbackBlockedWhenStoredModeNever() throws { + var threwNotFound = false + do { + _ = try KeychainAccessGate.withTaskOverrideForTesting(false) { + try ClaudeOAuthKeychainReadStrategyPreference.withTaskOverrideForTesting( + .securityCLIExperimental, + operation: { + try ClaudeOAuthKeychainPromptPreference.withTaskOverrideForTesting( + .never, + operation: { + try ProviderInteractionContext.$current.withValue(.background) { + try ClaudeOAuthCredentialsStore.withSecurityCLIReadOverrideForTesting( + .nonZeroExit) + { + try ClaudeOAuthCredentialsStore.loadFromClaudeKeychain() + } + } + }) + }) + } + } catch let error as ClaudeOAuthCredentialsError { + if case .notFound = error { + threwNotFound = true + } + } + + #expect(threwNotFound == true) + } } diff --git a/Tests/CodexBarTests/ClaudeOAuthFetchStrategyAvailabilityTests.swift b/Tests/CodexBarTests/ClaudeOAuthFetchStrategyAvailabilityTests.swift index 4f9514967..be33a035e 100644 --- a/Tests/CodexBarTests/ClaudeOAuthFetchStrategyAvailabilityTests.swift +++ b/Tests/CodexBarTests/ClaudeOAuthFetchStrategyAvailabilityTests.swift @@ -193,7 +193,7 @@ struct ClaudeOAuthFetchStrategyAvailabilityTests { } @Test - func autoMode_experimental_reader_ignoresPromptPolicyCooldownGate() async throws { + func autoMode_experimental_reader_ignoresPromptPolicyCooldownGate() async { let context = self.makeContext(sourceMode: .auto) let strategy = ClaudeOAuthFetchStrategy() let securityData = Data(""" @@ -216,7 +216,7 @@ struct ClaudeOAuthFetchStrategyAvailabilityTests { owner: .claudeCLI, source: .cacheKeychain) - let available = try await KeychainAccessGate.withTaskOverrideForTesting(false) { + let available = await KeychainAccessGate.withTaskOverrideForTesting(false) { await ClaudeOAuthKeychainAccessGate.withShouldAllowPromptOverrideForTesting(false) { await ClaudeOAuthKeychainReadStrategyPreference.withTaskOverrideForTesting( .securityCLIExperimental) @@ -240,5 +240,59 @@ struct ClaudeOAuthFetchStrategyAvailabilityTests { #expect(available == true) } + + @Test + func autoMode_experimental_reader_securityFailure_keepsAvailabilityForNoUIPresenceCheck() async { + let context = self.makeContext(sourceMode: .auto) + let strategy = ClaudeOAuthFetchStrategy() + let fallbackData = Data(""" + { + "claudeAiOauth": { + "accessToken": "fallback-token", + "expiresAt": \(Int(Date(timeIntervalSinceNow: 3600).timeIntervalSince1970 * 1000)), + "scopes": ["user:profile"] + } + } + """.utf8) + + let recordWithoutRequiredScope = ClaudeOAuthCredentialRecord( + credentials: ClaudeOAuthCredentials( + accessToken: "token-no-scope", + refreshToken: "refresh-token", + expiresAt: Date(timeIntervalSinceNow: -60), + scopes: ["user:inference"], + rateLimitTier: nil), + owner: .claudeCLI, + source: .cacheKeychain) + + let available = await KeychainAccessGate.withTaskOverrideForTesting(false) { + await ClaudeOAuthKeychainAccessGate.withShouldAllowPromptOverrideForTesting(true) { + await ClaudeOAuthKeychainReadStrategyPreference.withTaskOverrideForTesting( + .securityCLIExperimental) + { + await ClaudeOAuthKeychainPromptPreference.withTaskOverrideForTesting(.onlyOnUserAction) { + await ClaudeOAuthFetchStrategy.$nonInteractiveCredentialRecordOverride.withValue( + recordWithoutRequiredScope) + { + await ProviderInteractionContext.$current.withValue(.background) { + await ClaudeOAuthCredentialsStore.withClaudeKeychainOverridesForTesting( + data: fallbackData, + fingerprint: nil) + { + await ClaudeOAuthCredentialsStore.withSecurityCLIReadOverrideForTesting( + .nonZeroExit) + { + await strategy.isAvailable(context) + } + } + } + } + } + } + } + } + + #expect(available == true) + } } #endif diff --git a/Tests/CodexBarTests/ClaudeUsageTests.swift b/Tests/CodexBarTests/ClaudeUsageTests.swift index 897c4b77a..470643c17 100644 --- a/Tests/CodexBarTests/ClaudeUsageTests.swift +++ b/Tests/CodexBarTests/ClaudeUsageTests.swift @@ -919,4 +919,35 @@ extension ClaudeUsageTests { #expect(await delegatedCounter.current() == 1) #expect(snapshot.primary.usedPercent == 7) } + + @Test + func oauthLoad_experimental_background_fallbackBlocked_propagatesOAuthFailure() async throws { + let fetcher = ClaudeUsageFetcher( + browserDetection: BrowserDetection(cacheTTL: 0), + environment: [:], + dataSource: .oauth, + oauthKeychainPromptCooldownEnabled: true, + allowBackgroundDelegatedRefresh: false) + + let loadCredsOverride: (@Sendable ( + [String: String], + Bool, + Bool) async throws -> ClaudeOAuthCredentials)? = { _, _, _ in + throw ClaudeOAuthCredentialsError.notFound + } + + await #expect(throws: ClaudeUsageError.self) { + try await ClaudeOAuthKeychainReadStrategyPreference.withTaskOverrideForTesting( + .securityCLIExperimental, + operation: { + try await ClaudeOAuthKeychainPromptPreference.withTaskOverrideForTesting(.onlyOnUserAction) { + try await ProviderInteractionContext.$current.withValue(.background) { + try await ClaudeUsageFetcher.$loadOAuthCredentialsOverride.withValue(loadCredsOverride) { + try await fetcher.loadLatestUsage(model: "sonnet") + } + } + } + }) + } + } } From 2b78ea92e196bd8504bf13bc4fa05718919699ae Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Sun, 15 Feb 2026 23:07:30 +0530 Subject: [PATCH 066/131] Split testing overrides out of ClaudeOAuthCredentials --- ...udeOAuthCredentials+TestingOverrides.swift | 84 ++++++++++++++++++ .../ClaudeOAuth/ClaudeOAuthCredentials.swift | 88 ------------------- 2 files changed, 84 insertions(+), 88 deletions(-) diff --git a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials+TestingOverrides.swift b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials+TestingOverrides.swift index 1a96afc97..6b6ceebc2 100644 --- a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials+TestingOverrides.swift +++ b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials+TestingOverrides.swift @@ -2,6 +2,90 @@ import Foundation #if DEBUG extension ClaudeOAuthCredentialsStore { + nonisolated(unsafe) static var claudeKeychainDataOverride: Data? + nonisolated(unsafe) static var claudeKeychainFingerprintOverride: ClaudeKeychainFingerprint? + @TaskLocal static var taskClaudeKeychainDataOverride: Data? + @TaskLocal static var taskClaudeKeychainFingerprintOverride: ClaudeKeychainFingerprint? + @TaskLocal static var taskMemoryCacheStoreOverride: MemoryCacheStore? + @TaskLocal static var taskClaudeKeychainFingerprintStoreOverride: ClaudeKeychainFingerprintStore? + + final class ClaudeKeychainFingerprintStore: @unchecked Sendable { + var fingerprint: ClaudeKeychainFingerprint? + + init(fingerprint: ClaudeKeychainFingerprint? = nil) { + self.fingerprint = fingerprint + } + } + + final class MemoryCacheStore: @unchecked Sendable { + var record: ClaudeOAuthCredentialRecord? + var timestamp: Date? + } + + static func setClaudeKeychainDataOverrideForTesting(_ data: Data?) { + self.claudeKeychainDataOverride = data + } + + static func setClaudeKeychainFingerprintOverrideForTesting(_ fingerprint: ClaudeKeychainFingerprint?) { + self.claudeKeychainFingerprintOverride = fingerprint + } + + static func withClaudeKeychainOverridesForTesting( + data: Data?, + fingerprint: ClaudeKeychainFingerprint?, + operation: () throws -> T) rethrows -> T + { + try self.$taskClaudeKeychainDataOverride.withValue(data) { + try self.$taskClaudeKeychainFingerprintOverride.withValue(fingerprint) { + try operation() + } + } + } + + static func withClaudeKeychainOverridesForTesting( + data: Data?, + fingerprint: ClaudeKeychainFingerprint?, + operation: () async throws -> T) async rethrows -> T + { + try await self.$taskClaudeKeychainDataOverride.withValue(data) { + try await self.$taskClaudeKeychainFingerprintOverride.withValue(fingerprint) { + try await operation() + } + } + } + + static func withClaudeKeychainFingerprintStoreOverrideForTesting( + _ store: ClaudeKeychainFingerprintStore?, + operation: () throws -> T) rethrows -> T + { + try self.$taskClaudeKeychainFingerprintStoreOverride.withValue(store) { + try operation() + } + } + + static func withClaudeKeychainFingerprintStoreOverrideForTesting( + _ store: ClaudeKeychainFingerprintStore?, + operation: () async throws -> T) async rethrows -> T + { + try await self.$taskClaudeKeychainFingerprintStoreOverride.withValue(store) { + try await operation() + } + } + + static func withIsolatedMemoryCacheForTesting(operation: () throws -> T) rethrows -> T { + let store = MemoryCacheStore() + return try self.$taskMemoryCacheStoreOverride.withValue(store) { + try operation() + } + } + + static func withIsolatedMemoryCacheForTesting(operation: () async throws -> T) async rethrows -> T { + let store = MemoryCacheStore() + return try await self.$taskMemoryCacheStoreOverride.withValue(store) { + try await operation() + } + } + final class CredentialsFileFingerprintStore: @unchecked Sendable { var fingerprint: CredentialsFileFingerprint? diff --git a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials.swift b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials.swift index 9699793bf..330a4d6ce 100644 --- a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials.swift +++ b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials.swift @@ -14,7 +14,6 @@ import LocalAuthentication import Security #endif -// swiftlint:disable file_length // swiftlint:disable type_body_length public enum ClaudeOAuthCredentialsStore { private static let credentialsPath = ".claude/.credentials.json" @@ -52,91 +51,6 @@ public enum ClaudeOAuthCredentialsStore { let persistentRefHash: String? } - #if DEBUG - private nonisolated(unsafe) static var claudeKeychainDataOverride: Data? - private nonisolated(unsafe) static var claudeKeychainFingerprintOverride: ClaudeKeychainFingerprint? - @TaskLocal private static var taskClaudeKeychainDataOverride: Data? - @TaskLocal private static var taskClaudeKeychainFingerprintOverride: ClaudeKeychainFingerprint? - @TaskLocal private static var taskMemoryCacheStoreOverride: MemoryCacheStore? - final class ClaudeKeychainFingerprintStore: @unchecked Sendable { - var fingerprint: ClaudeKeychainFingerprint? - - init(fingerprint: ClaudeKeychainFingerprint? = nil) { - self.fingerprint = fingerprint - } - } - - final class MemoryCacheStore: @unchecked Sendable { - var record: ClaudeOAuthCredentialRecord? - var timestamp: Date? - } - - @TaskLocal private static var taskClaudeKeychainFingerprintStoreOverride: ClaudeKeychainFingerprintStore? - static func setClaudeKeychainDataOverrideForTesting(_ data: Data?) { - self.claudeKeychainDataOverride = data - } - - static func setClaudeKeychainFingerprintOverrideForTesting(_ fingerprint: ClaudeKeychainFingerprint?) { - self.claudeKeychainFingerprintOverride = fingerprint - } - - static func withClaudeKeychainOverridesForTesting( - data: Data?, - fingerprint: ClaudeKeychainFingerprint?, - operation: () throws -> T) rethrows -> T - { - try self.$taskClaudeKeychainDataOverride.withValue(data) { - try self.$taskClaudeKeychainFingerprintOverride.withValue(fingerprint) { - try operation() - } - } - } - - static func withClaudeKeychainOverridesForTesting( - data: Data?, - fingerprint: ClaudeKeychainFingerprint?, - operation: () async throws -> T) async rethrows -> T - { - try await self.$taskClaudeKeychainDataOverride.withValue(data) { - try await self.$taskClaudeKeychainFingerprintOverride.withValue(fingerprint) { - try await operation() - } - } - } - - static func withClaudeKeychainFingerprintStoreOverrideForTesting( - _ store: ClaudeKeychainFingerprintStore?, - operation: () throws -> T) rethrows -> T - { - try self.$taskClaudeKeychainFingerprintStoreOverride.withValue(store) { - try operation() - } - } - - static func withClaudeKeychainFingerprintStoreOverrideForTesting( - _ store: ClaudeKeychainFingerprintStore?, - operation: () async throws -> T) async rethrows -> T - { - try await self.$taskClaudeKeychainFingerprintStoreOverride.withValue(store) { - try await operation() - } - } - - static func withIsolatedMemoryCacheForTesting(operation: () throws -> T) rethrows -> T { - let store = MemoryCacheStore() - return try self.$taskMemoryCacheStoreOverride.withValue(store) { - try operation() - } - } - - static func withIsolatedMemoryCacheForTesting(operation: () async throws -> T) async rethrows -> T { - let store = MemoryCacheStore() - return try await self.$taskMemoryCacheStoreOverride.withValue(store) { - try await operation() - } - } - #endif - struct CredentialsFileFingerprint: Codable, Equatable, Sendable { let modifiedAtMs: Int? let size: Int @@ -1795,5 +1709,3 @@ extension ClaudeOAuthCredentialsStore { } #endif } - -// swiftlint:enable file_length From 448b30942560cfae01277a30f014e0b79be7ba3d Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Sun, 15 Feb 2026 23:19:17 +0530 Subject: [PATCH 067/131] Adjust Ollama branding color for readability --- .../Providers/Ollama/OllamaProviderDescriptor.swift | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Sources/CodexBarCore/Providers/Ollama/OllamaProviderDescriptor.swift b/Sources/CodexBarCore/Providers/Ollama/OllamaProviderDescriptor.swift index c70b03e86..98de57502 100644 --- a/Sources/CodexBarCore/Providers/Ollama/OllamaProviderDescriptor.swift +++ b/Sources/CodexBarCore/Providers/Ollama/OllamaProviderDescriptor.swift @@ -27,7 +27,7 @@ public enum OllamaProviderDescriptor { branding: ProviderBranding( iconStyle: .ollama, iconResourceName: "ProviderIcon-ollama", - color: ProviderColor(red: 32 / 255, green: 32 / 255, blue: 32 / 255)), + color: ProviderColor(red: 136 / 255, green: 136 / 255, blue: 136 / 255)), tokenCost: ProviderTokenCostConfig( supportsTokenCost: false, noDataMessage: { "Ollama cost summary is not supported." }), From e54e7055683785136d5a382dcb7c702dfb41a9de Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Sun, 15 Feb 2026 23:32:26 +0530 Subject: [PATCH 068/131] Reduce cyclomatic complexity in usage debug paths --- Sources/CodexBar/UsageStore.swift | 110 ++++++------------ .../Vendored/CostUsage/CostUsageScanner.swift | 38 +----- 2 files changed, 40 insertions(+), 108 deletions(-) diff --git a/Sources/CodexBar/UsageStore.swift b/Sources/CodexBar/UsageStore.swift index 38dd05ca7..cb3d91161 100644 --- a/Sources/CodexBar/UsageStore.swift +++ b/Sources/CodexBar/UsageStore.swift @@ -1150,115 +1150,77 @@ extension UsageStore { let keepCLISessionsAlive = self.settings.debugKeepCLISessionsAlive let cursorCookieSource = self.settings.cursorCookieSource let cursorCookieHeader = self.settings.cursorCookieHeader + let ampCookieSource = self.settings.ampCookieSource + let ampCookieHeader = self.settings.ampCookieHeader + let ollamaCookieSource = self.settings.ollamaCookieSource + let ollamaCookieHeader = self.settings.ollamaCookieHeader return await Task.detached(priority: .utility) { () -> String in + let unimplementedDebugLogMessages: [UsageProvider: String] = [ + .gemini: "Gemini debug log not yet implemented", + .antigravity: "Antigravity debug log not yet implemented", + .opencode: "OpenCode debug log not yet implemented", + .factory: "Droid debug log not yet implemented", + .copilot: "Copilot debug log not yet implemented", + .vertexai: "Vertex AI debug log not yet implemented", + .kiro: "Kiro debug log not yet implemented", + .kimi: "Kimi debug log not yet implemented", + .kimik2: "Kimi K2 debug log not yet implemented", + .jetbrains: "JetBrains AI debug log not yet implemented", + ] + let text: String switch provider { case .codex: - let raw = await self.codexFetcher.debugRawRateLimits() - await MainActor.run { self.probeLogs[.codex] = raw } - return raw + text = await self.codexFetcher.debugRawRateLimits() case .claude: - let text = await self.debugClaudeLog( + text = await self.debugClaudeLog( claudeWebExtrasEnabled: claudeWebExtrasEnabled, claudeUsageDataSource: claudeUsageDataSource, claudeCookieSource: claudeCookieSource, claudeCookieHeader: claudeCookieHeader, keepCLISessionsAlive: keepCLISessionsAlive) - await MainActor.run { self.probeLogs[.claude] = text } - return text case .zai: let resolution = ProviderTokenResolver.zaiResolution() let hasAny = resolution != nil let source = resolution?.source.rawValue ?? "none" - let text = "Z_AI_API_KEY=\(hasAny ? "present" : "missing") source=\(source)" - await MainActor.run { self.probeLogs[.zai] = text } - return text + text = "Z_AI_API_KEY=\(hasAny ? "present" : "missing") source=\(source)" case .synthetic: let resolution = ProviderTokenResolver.syntheticResolution() let hasAny = resolution != nil let source = resolution?.source.rawValue ?? "none" - let text = "SYNTHETIC_API_KEY=\(hasAny ? "present" : "missing") source=\(source)" - await MainActor.run { self.probeLogs[.synthetic] = text } - return text - case .gemini: - let text = "Gemini debug log not yet implemented" - await MainActor.run { self.probeLogs[.gemini] = text } - return text - case .antigravity: - let text = "Antigravity debug log not yet implemented" - await MainActor.run { self.probeLogs[.antigravity] = text } - return text + text = "SYNTHETIC_API_KEY=\(hasAny ? "present" : "missing") source=\(source)" case .cursor: - let text = await self.debugCursorLog( + text = await self.debugCursorLog( cursorCookieSource: cursorCookieSource, cursorCookieHeader: cursorCookieHeader) - await MainActor.run { self.probeLogs[.cursor] = text } - return text - case .opencode: - let text = "OpenCode debug log not yet implemented" - await MainActor.run { self.probeLogs[.opencode] = text } - return text - case .factory: - let text = "Droid debug log not yet implemented" - await MainActor.run { self.probeLogs[.factory] = text } - return text - case .copilot: - let text = "Copilot debug log not yet implemented" - await MainActor.run { self.probeLogs[.copilot] = text } - return text case .minimax: let tokenResolution = ProviderTokenResolver.minimaxTokenResolution() let cookieResolution = ProviderTokenResolver.minimaxCookieResolution() let tokenSource = tokenResolution?.source.rawValue ?? "none" let cookieSource = cookieResolution?.source.rawValue ?? "none" - let text = "MINIMAX_API_KEY=\(tokenResolution == nil ? "missing" : "present") " + + text = "MINIMAX_API_KEY=\(tokenResolution == nil ? "missing" : "present") " + "source=\(tokenSource) MINIMAX_COOKIE=\(cookieResolution == nil ? "missing" : "present") " + "source=\(cookieSource)" - await MainActor.run { self.probeLogs[.minimax] = text } - return text - case .vertexai: - let text = "Vertex AI debug log not yet implemented" - await MainActor.run { self.probeLogs[.vertexai] = text } - return text - case .kiro: - let text = "Kiro debug log not yet implemented" - await MainActor.run { self.probeLogs[.kiro] = text } - return text case .augment: - let text = await self.debugAugmentLog() - await MainActor.run { self.probeLogs[.augment] = text } - return text - case .kimi: - let text = "Kimi debug log not yet implemented" - await MainActor.run { self.probeLogs[.kimi] = text } - return text - case .kimik2: - let text = "Kimi K2 debug log not yet implemented" - await MainActor.run { self.probeLogs[.kimik2] = text } - return text + text = await self.debugAugmentLog() case .amp: - let text = await self.debugAmpLog( - ampCookieSource: self.settings.ampCookieSource, - ampCookieHeader: self.settings.ampCookieHeader) - await MainActor.run { self.probeLogs[.amp] = text } - return text + text = await self.debugAmpLog( + ampCookieSource: ampCookieSource, + ampCookieHeader: ampCookieHeader) case .ollama: - let text = await self.debugOllamaLog( - ollamaCookieSource: self.settings.ollamaCookieSource, - ollamaCookieHeader: self.settings.ollamaCookieHeader) - await MainActor.run { self.probeLogs[.ollama] = text } - return text - case .jetbrains: - let text = "JetBrains AI debug log not yet implemented" - await MainActor.run { self.probeLogs[.jetbrains] = text } - return text + text = await self.debugOllamaLog( + ollamaCookieSource: ollamaCookieSource, + ollamaCookieHeader: ollamaCookieHeader) case .warp: let resolution = ProviderTokenResolver.warpResolution() let hasAny = resolution != nil let source = resolution?.source.rawValue ?? "none" - let text = "WARP_API_KEY=\(hasAny ? "present" : "missing") source=\(source)" - await MainActor.run { self.probeLogs[.warp] = text } - return text + text = "WARP_API_KEY=\(hasAny ? "present" : "missing") source=\(source)" + case .gemini, .antigravity, .opencode, .factory, .copilot, .vertexai, .kiro, .kimi, .kimik2, .jetbrains: + text = unimplementedDebugLogMessages[provider] ?? "Debug log not yet implemented" } + + await MainActor.run { self.probeLogs[provider] = text } + return text }.value } diff --git a/Sources/CodexBarCore/Vendored/CostUsage/CostUsageScanner.swift b/Sources/CodexBarCore/Vendored/CostUsage/CostUsageScanner.swift index 3269222a4..4546bd07f 100644 --- a/Sources/CodexBarCore/Vendored/CostUsage/CostUsageScanner.swift +++ b/Sources/CodexBarCore/Vendored/CostUsage/CostUsageScanner.swift @@ -57,52 +57,22 @@ enum CostUsageScanner { options: Options = Options()) -> CostUsageDailyReport { let range = CostUsageDayRange(since: since, until: until) + let emptyReport = CostUsageDailyReport(data: [], summary: nil) switch provider { case .codex: return self.loadCodexDaily(range: range, now: now, options: options) case .claude: return self.loadClaudeDaily(provider: .claude, range: range, now: now, options: options) - case .zai: - return CostUsageDailyReport(data: [], summary: nil) - case .gemini: - return CostUsageDailyReport(data: [], summary: nil) - case .antigravity: - return CostUsageDailyReport(data: [], summary: nil) - case .cursor: - return CostUsageDailyReport(data: [], summary: nil) - case .opencode: - return CostUsageDailyReport(data: [], summary: nil) - case .factory: - return CostUsageDailyReport(data: [], summary: nil) - case .copilot: - return CostUsageDailyReport(data: [], summary: nil) - case .minimax: - return CostUsageDailyReport(data: [], summary: nil) case .vertexai: var filtered = options if filtered.claudeLogProviderFilter == .all { filtered.claudeLogProviderFilter = .vertexAIOnly } return self.loadClaudeDaily(provider: .vertexai, range: range, now: now, options: filtered) - case .kiro: - return CostUsageDailyReport(data: [], summary: nil) - case .kimi: - return CostUsageDailyReport(data: [], summary: nil) - case .kimik2: - return CostUsageDailyReport(data: [], summary: nil) - case .augment: - return CostUsageDailyReport(data: [], summary: nil) - case .jetbrains: - return CostUsageDailyReport(data: [], summary: nil) - case .amp: - return CostUsageDailyReport(data: [], summary: nil) - case .ollama: - return CostUsageDailyReport(data: [], summary: nil) - case .synthetic: - return CostUsageDailyReport(data: [], summary: nil) - case .warp: - return CostUsageDailyReport(data: [], summary: nil) + case .zai, .gemini, .antigravity, .cursor, .opencode, .factory, .copilot, .minimax, .kiro, .kimi, .kimik2, + .augment, .jetbrains, .amp, .ollama, .synthetic, .warp: + return emptyReport } } From e4e5e197d37caae4aea3d9f8c9a2eeec0865d787 Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Mon, 16 Feb 2026 00:05:40 +0530 Subject: [PATCH 069/131] Harden Ollama session cookie detection --- .../Providers/Ollama/OllamaUsageFetcher.swift | 49 ++++++++------- .../OllamaUsageFetcherTests.swift | 60 +++++++++++++++++++ 2 files changed, 86 insertions(+), 23 deletions(-) diff --git a/Sources/CodexBarCore/Providers/Ollama/OllamaUsageFetcher.swift b/Sources/CodexBarCore/Providers/Ollama/OllamaUsageFetcher.swift index 6971df99f..638eedb34 100644 --- a/Sources/CodexBarCore/Providers/Ollama/OllamaUsageFetcher.swift +++ b/Sources/CodexBarCore/Providers/Ollama/OllamaUsageFetcher.swift @@ -65,7 +65,7 @@ public enum OllamaCookieImporter { { let log: (String) -> Void = { msg in logger?("[ollama-cookie] \(msg)") } let installed = ollamaCookieImportOrder.cookieImportCandidates(using: browserDetection) - var fallback: SessionInfo? + var candidates: [SessionInfo] = [] for browserSource in installed { do { @@ -77,24 +77,7 @@ public enum OllamaCookieImporter { for source in sources where !source.records.isEmpty { let cookies = BrowserCookieClient.makeHTTPCookies(source.records, origin: query.origin) guard !cookies.isEmpty else { continue } - let names = cookies.map(\.name).joined(separator: ", ") - log("\(source.label) cookies: \(names)") - - let hasSessionCookie = cookies.contains { cookie in - if Self.sessionCookieNames.contains(cookie.name) { return true } - return cookie.name.lowercased().contains("session") - } - - if hasSessionCookie { - log("Found Ollama session cookie in \(source.label)") - return SessionInfo(cookies: cookies, sourceLabel: source.label) - } - - if fallback == nil { - fallback = SessionInfo(cookies: cookies, sourceLabel: source.label) - } - - log("\(source.label) cookies found, but no recognized session cookie present") + candidates.append(SessionInfo(cookies: cookies, sourceLabel: source.label)) } } catch { BrowserCookieAccessGate.recordIfNeeded(error) @@ -102,13 +85,33 @@ public enum OllamaCookieImporter { } } - if let fallback { - log("Using \(fallback.sourceLabel) cookies without a recognized session token") - return fallback - } + return try self.selectSessionInfo(from: candidates, logger: log) + } + static func selectSessionInfo( + from candidates: [SessionInfo], + logger: ((String) -> Void)? = nil) throws -> SessionInfo + { + for candidate in candidates { + let names = candidate.cookies.map(\.name).joined(separator: ", ") + logger?("\(candidate.sourceLabel) cookies: \(names)") + if self.containsRecognizedSessionCookie(in: candidate.cookies) { + logger?("Found Ollama session cookie in \(candidate.sourceLabel)") + return candidate + } + logger?("\(candidate.sourceLabel) cookies found, but no recognized session cookie present") + } throw OllamaUsageError.noSessionCookie } + + private static func containsRecognizedSessionCookie(in cookies: [HTTPCookie]) -> Bool { + cookies.contains { cookie in + if self.sessionCookieNames.contains(cookie.name) { return true } + // next-auth can split tokens into chunked cookies: `.0`, `.1`, ... + return cookie.name.hasPrefix("__Secure-next-auth.session-token.") || + cookie.name.hasPrefix("next-auth.session-token.") + } + } } #endif diff --git a/Tests/CodexBarTests/OllamaUsageFetcherTests.swift b/Tests/CodexBarTests/OllamaUsageFetcherTests.swift index c520e8cd4..e5511171c 100644 --- a/Tests/CodexBarTests/OllamaUsageFetcherTests.swift +++ b/Tests/CodexBarTests/OllamaUsageFetcherTests.swift @@ -17,4 +17,64 @@ struct OllamaUsageFetcherTests { #expect(!OllamaUsageFetcher.shouldAttachCookie(to: URL(string: "https://ollama.com.evil.com"))) #expect(!OllamaUsageFetcher.shouldAttachCookie(to: nil)) } + + #if os(macOS) + @Test + func cookieSelectorSkipsSessionLikeNoiseAndFindsRecognizedCookie() throws { + let first = OllamaCookieImporter.SessionInfo( + cookies: [Self.makeCookie(name: "analytics_session_id", value: "noise")], + sourceLabel: "Profile A") + let second = OllamaCookieImporter.SessionInfo( + cookies: [Self.makeCookie(name: "__Secure-next-auth.session-token", value: "auth")], + sourceLabel: "Profile B") + + let selected = try OllamaCookieImporter.selectSessionInfo(from: [first, second]) + #expect(selected.sourceLabel == "Profile B") + } + + @Test + func cookieSelectorThrowsWhenNoRecognizedSessionCookieExists() { + let candidates = [ + OllamaCookieImporter.SessionInfo( + cookies: [Self.makeCookie(name: "analytics_session_id", value: "noise")], + sourceLabel: "Profile A"), + OllamaCookieImporter.SessionInfo( + cookies: [Self.makeCookie(name: "tracking_session", value: "noise")], + sourceLabel: "Profile B"), + ] + + do { + _ = try OllamaCookieImporter.selectSessionInfo(from: candidates) + Issue.record("Expected OllamaUsageError.noSessionCookie") + } catch OllamaUsageError.noSessionCookie { + // expected + } catch { + Issue.record("Expected OllamaUsageError.noSessionCookie, got \(error)") + } + } + + @Test + func cookieSelectorAcceptsChunkedNextAuthSessionTokenCookie() throws { + let candidate = OllamaCookieImporter.SessionInfo( + cookies: [Self.makeCookie(name: "next-auth.session-token.0", value: "chunk0")], + sourceLabel: "Profile C") + + let selected = try OllamaCookieImporter.selectSessionInfo(from: [candidate]) + #expect(selected.sourceLabel == "Profile C") + } + + private static func makeCookie( + name: String, + value: String, + domain: String = "ollama.com") -> HTTPCookie + { + HTTPCookie( + properties: [ + .name: name, + .value: value, + .domain: domain, + .path: "/", + ])! + } + #endif } From e006d1a023a04175cffb1b82a8e48eb25933ded9 Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Mon, 16 Feb 2026 00:47:41 +0530 Subject: [PATCH 070/131] Harden Ollama manual cookie mode and auth detection --- Sources/CodexBar/UsageStore.swift | 4 +- .../Ollama/OllamaProviderDescriptor.swift | 6 ++- .../Providers/Ollama/OllamaUsageFetcher.swift | 40 +++++++++++++++---- .../Providers/Ollama/OllamaUsageParser.swift | 12 +++--- .../OllamaUsageFetcherTests.swift | 22 ++++++++++ .../OllamaUsageParserTests.swift | 20 ++++++++++ 6 files changed, 89 insertions(+), 15 deletions(-) diff --git a/Sources/CodexBar/UsageStore.swift b/Sources/CodexBar/UsageStore.swift index cb3d91161..b42856c71 100644 --- a/Sources/CodexBar/UsageStore.swift +++ b/Sources/CodexBar/UsageStore.swift @@ -1411,7 +1411,9 @@ extension UsageStore { let manualHeader = ollamaCookieSource == .manual ? CookieHeaderNormalizer.normalize(ollamaCookieHeader) : nil - return await fetcher.debugRawProbe(cookieHeaderOverride: manualHeader) + return await fetcher.debugRawProbe( + cookieHeaderOverride: manualHeader, + manualCookieMode: ollamaCookieSource == .manual) } } diff --git a/Sources/CodexBarCore/Providers/Ollama/OllamaProviderDescriptor.swift b/Sources/CodexBarCore/Providers/Ollama/OllamaProviderDescriptor.swift index 98de57502..4702609fa 100644 --- a/Sources/CodexBarCore/Providers/Ollama/OllamaProviderDescriptor.swift +++ b/Sources/CodexBarCore/Providers/Ollama/OllamaProviderDescriptor.swift @@ -52,10 +52,14 @@ struct OllamaStatusFetchStrategy: ProviderFetchStrategy { func fetch(_ context: ProviderFetchContext) async throws -> ProviderFetchResult { let fetcher = OllamaUsageFetcher(browserDetection: context.browserDetection) let manual = Self.manualCookieHeader(from: context) + let isManualMode = context.settings?.ollama?.cookieSource == .manual let logger: ((String) -> Void)? = context.verbose ? { msg in CodexBarLog.logger(LogCategories.ollama).verbose(msg) } : nil - let snap = try await fetcher.fetch(cookieHeaderOverride: manual, logger: logger) + let snap = try await fetcher.fetch( + cookieHeaderOverride: manual, + manualCookieMode: isManualMode, + logger: logger) return self.makeResult( usage: snap.toUsageSnapshot(), sourceLabel: "web") diff --git a/Sources/CodexBarCore/Providers/Ollama/OllamaUsageFetcher.swift b/Sources/CodexBarCore/Providers/Ollama/OllamaUsageFetcher.swift index 638eedb34..a6730d632 100644 --- a/Sources/CodexBarCore/Providers/Ollama/OllamaUsageFetcher.swift +++ b/Sources/CodexBarCore/Providers/Ollama/OllamaUsageFetcher.swift @@ -127,11 +127,15 @@ public struct OllamaUsageFetcher: Sendable { public func fetch( cookieHeaderOverride: String? = nil, + manualCookieMode: Bool = false, logger: ((String) -> Void)? = nil, now: Date = Date()) async throws -> OllamaUsageSnapshot { let log: (String) -> Void = { msg in logger?("[ollama] \(msg)") } - let cookieHeader = try await self.resolveCookieHeader(override: cookieHeaderOverride, logger: log) + let cookieHeader = try await self.resolveCookieHeader( + override: cookieHeaderOverride, + manualCookieMode: manualCookieMode, + logger: log) if let logger { let names = self.cookieNames(from: cookieHeader) @@ -164,7 +168,10 @@ public struct OllamaUsageFetcher: Sendable { return try OllamaUsageParser.parse(html: html, now: now) } - public func debugRawProbe(cookieHeaderOverride: String? = nil) async -> String { + public func debugRawProbe( + cookieHeaderOverride: String? = nil, + manualCookieMode: Bool = false) async -> String + { let stamp = ISO8601DateFormatter().string(from: Date()) var lines: [String] = [] lines.append("=== Ollama Debug Probe @ \(stamp) ===") @@ -173,6 +180,7 @@ public struct OllamaUsageFetcher: Sendable { do { let cookieHeader = try await self.resolveCookieHeader( override: cookieHeaderOverride, + manualCookieMode: manualCookieMode, logger: { msg in lines.append("[cookie] \(msg)") }) let diagnostics = RedirectDiagnostics(cookieHeader: cookieHeader, logger: nil) let cookieNames = CookieHeaderNormalizer.pairs(from: cookieHeader).map(\.name) @@ -222,14 +230,15 @@ public struct OllamaUsageFetcher: Sendable { private func resolveCookieHeader( override: String?, + manualCookieMode: Bool, logger: ((String) -> Void)?) async throws -> String { - if let override = CookieHeaderNormalizer.normalize(override) { - if !override.isEmpty { - logger?("[ollama] Using manual cookie header") - return override - } - throw OllamaUsageError.noSessionCookie + if let manualHeader = try Self.resolveManualCookieHeader( + override: override, + manualCookieMode: manualCookieMode, + logger: logger) + { + return manualHeader } #if os(macOS) let session = try OllamaCookieImporter.importSession(browserDetection: self.browserDetection, logger: logger) @@ -240,6 +249,21 @@ public struct OllamaUsageFetcher: Sendable { #endif } + static func resolveManualCookieHeader( + override: String?, + manualCookieMode: Bool, + logger: ((String) -> Void)? = nil) throws -> String? + { + if let override = CookieHeaderNormalizer.normalize(override) { + logger?("[ollama] Using manual cookie header") + return override + } + if manualCookieMode { + throw OllamaUsageError.noSessionCookie + } + return nil + } + private func fetchWithDiagnostics( cookieHeader: String, diagnostics: RedirectDiagnostics, diff --git a/Sources/CodexBarCore/Providers/Ollama/OllamaUsageParser.swift b/Sources/CodexBarCore/Providers/Ollama/OllamaUsageParser.swift index c8ccb1a56..fad1f362d 100644 --- a/Sources/CodexBarCore/Providers/Ollama/OllamaUsageParser.swift +++ b/Sources/CodexBarCore/Providers/Ollama/OllamaUsageParser.swift @@ -114,9 +114,7 @@ enum OllamaUsageParser { private static func looksSignedOut(_ html: String) -> Bool { let lower = html.lowercased() - if lower.contains("sign in to ollama") || lower.contains("log in to ollama") { - return true - } + let hasSignInHeading = lower.contains("sign in to ollama") || lower.contains("log in to ollama") let hasAuthRoute = lower.contains("/api/auth/signin") || lower.contains("/auth/signin") let hasLoginRoute = lower.contains("action=\"/login\"") || lower.contains("action='/login'") @@ -135,11 +133,15 @@ enum OllamaUsageParser { || lower.contains("name=\"email\"") || lower.contains("name='email'") let hasAuthForm = lower.contains(" + +

Usage Dashboard

+

If you have an account, you can sign in from the homepage.

+
No usage rows rendered.
+ + + """ + + #expect { + try OllamaUsageParser.parse(html: html) + } throws: { error in + guard case let OllamaUsageError.parseFailed(message) = error else { return false } + return message.contains("Missing Ollama usage data") + } + } + @Test func parsesHourlyUsageAsPrimaryWindow() throws { let now = Date(timeIntervalSince1970: 1_700_000_000) From 87687d6313f9c4a8350cc0893be940ae528388e1 Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Mon, 16 Feb 2026 01:07:40 +0530 Subject: [PATCH 071/131] Harden Ollama cookie import defaults and manual validation --- .../Providers/Ollama/OllamaUsageFetcher.swift | 43 +++++++++++++------ .../OllamaUsageFetcherTests.swift | 27 ++++++++++++ 2 files changed, 58 insertions(+), 12 deletions(-) diff --git a/Sources/CodexBarCore/Providers/Ollama/OllamaUsageFetcher.swift b/Sources/CodexBarCore/Providers/Ollama/OllamaUsageFetcher.swift index a6730d632..855eff096 100644 --- a/Sources/CodexBarCore/Providers/Ollama/OllamaUsageFetcher.swift +++ b/Sources/CodexBarCore/Providers/Ollama/OllamaUsageFetcher.swift @@ -7,6 +7,27 @@ import FoundationNetworking import SweetCookieKit #endif +private let ollamaSessionCookieNames: Set = [ + "session", + "ollama_session", + "__Host-ollama_session", + "__Secure-next-auth.session-token", + "next-auth.session-token", +] + +private func isRecognizedOllamaSessionCookieName(_ name: String) -> Bool { + if ollamaSessionCookieNames.contains(name) { return true } + // next-auth can split tokens into chunked cookies: `.0`, `.1`, ... + return name.hasPrefix("__Secure-next-auth.session-token.") || + name.hasPrefix("next-auth.session-token.") +} + +private func hasRecognizedOllamaSessionCookie(in header: String) -> Bool { + CookieHeaderNormalizer.pairs(from: header).contains { pair in + isRecognizedOllamaSessionCookieName(pair.name) + } +} + public enum OllamaUsageError: LocalizedError, Sendable { case notLoggedIn case invalidCredentials @@ -37,13 +58,7 @@ private let ollamaCookieImportOrder: BrowserCookieImportOrder = public enum OllamaCookieImporter { private static let cookieClient = BrowserCookieClient() private static let cookieDomains = ["ollama.com", "www.ollama.com"] - private static let sessionCookieNames: Set = [ - "session", - "ollama_session", - "__Host-ollama_session", - "__Secure-next-auth.session-token", - "next-auth.session-token", - ] + static let defaultPreferredBrowsers: [Browser] = [.chrome] public struct SessionInfo: Sendable { public let cookies: [HTTPCookie] @@ -61,10 +76,13 @@ public enum OllamaCookieImporter { public static func importSession( browserDetection: BrowserDetection, + preferredBrowsers: [Browser] = [.chrome], logger: ((String) -> Void)? = nil) throws -> SessionInfo { let log: (String) -> Void = { msg in logger?("[ollama-cookie] \(msg)") } - let installed = ollamaCookieImportOrder.cookieImportCandidates(using: browserDetection) + let installed = preferredBrowsers.isEmpty + ? ollamaCookieImportOrder.cookieImportCandidates(using: browserDetection) + : preferredBrowsers.cookieImportCandidates(using: browserDetection) var candidates: [SessionInfo] = [] for browserSource in installed { @@ -106,10 +124,7 @@ public enum OllamaCookieImporter { private static func containsRecognizedSessionCookie(in cookies: [HTTPCookie]) -> Bool { cookies.contains { cookie in - if self.sessionCookieNames.contains(cookie.name) { return true } - // next-auth can split tokens into chunked cookies: `.0`, `.1`, ... - return cookie.name.hasPrefix("__Secure-next-auth.session-token.") || - cookie.name.hasPrefix("next-auth.session-token.") + isRecognizedOllamaSessionCookieName(cookie.name) } } } @@ -255,6 +270,10 @@ public struct OllamaUsageFetcher: Sendable { logger: ((String) -> Void)? = nil) throws -> String? { if let override = CookieHeaderNormalizer.normalize(override) { + guard hasRecognizedOllamaSessionCookie(in: override) else { + logger?("[ollama] Manual cookie header missing recognized session cookie") + throw OllamaUsageError.noSessionCookie + } logger?("[ollama] Using manual cookie header") return override } diff --git a/Tests/CodexBarTests/OllamaUsageFetcherTests.swift b/Tests/CodexBarTests/OllamaUsageFetcherTests.swift index ba1c15e9b..e527dda35 100644 --- a/Tests/CodexBarTests/OllamaUsageFetcherTests.swift +++ b/Tests/CodexBarTests/OllamaUsageFetcherTests.swift @@ -40,7 +40,34 @@ struct OllamaUsageFetcherTests { #expect(resolved == nil) } + @Test + func manualModeWithoutRecognizedSessionCookieThrowsNoSessionCookie() { + do { + _ = try OllamaUsageFetcher.resolveManualCookieHeader( + override: "analytics_session_id=noise; theme=dark", + manualCookieMode: true) + Issue.record("Expected OllamaUsageError.noSessionCookie") + } catch OllamaUsageError.noSessionCookie { + // expected + } catch { + Issue.record("Expected OllamaUsageError.noSessionCookie, got \(error)") + } + } + + @Test + func manualModeWithRecognizedSessionCookieAcceptsHeader() throws { + let resolved = try OllamaUsageFetcher.resolveManualCookieHeader( + override: "next-auth.session-token.0=abc; theme=dark", + manualCookieMode: true) + #expect(resolved?.contains("next-auth.session-token.0=abc") == true) + } + #if os(macOS) + @Test + func cookieImporterDefaultsToChromeFirst() { + #expect(OllamaCookieImporter.defaultPreferredBrowsers == [.chrome]) + } + @Test func cookieSelectorSkipsSessionLikeNoiseAndFindsRecognizedCookie() throws { let first = OllamaCookieImporter.SessionInfo( From c7bdbc670cf794e2244a9a5914b6d7b5466abc3c Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Mon, 16 Feb 2026 02:27:14 +0530 Subject: [PATCH 072/131] Harden Ollama cookie fallback and diagnostics logging --- .../Providers/Ollama/OllamaUsageFetcher.swift | 93 +++++++++++++------ .../OllamaUsageFetcherTests.swift | 19 ++++ 2 files changed, 82 insertions(+), 30 deletions(-) diff --git a/Sources/CodexBarCore/Providers/Ollama/OllamaUsageFetcher.swift b/Sources/CodexBarCore/Providers/Ollama/OllamaUsageFetcher.swift index 855eff096..e80994c81 100644 --- a/Sources/CodexBarCore/Providers/Ollama/OllamaUsageFetcher.swift +++ b/Sources/CodexBarCore/Providers/Ollama/OllamaUsageFetcher.swift @@ -80,30 +80,22 @@ public enum OllamaCookieImporter { logger: ((String) -> Void)? = nil) throws -> SessionInfo { let log: (String) -> Void = { msg in logger?("[ollama-cookie] \(msg)") } - let installed = preferredBrowsers.isEmpty + let preferredSources = preferredBrowsers.isEmpty ? ollamaCookieImportOrder.cookieImportCandidates(using: browserDetection) : preferredBrowsers.cookieImportCandidates(using: browserDetection) - var candidates: [SessionInfo] = [] - - for browserSource in installed { - do { - let query = BrowserCookieQuery(domains: self.cookieDomains) - let sources = try Self.cookieClient.records( - matching: query, - in: browserSource, - logger: log) - for source in sources where !source.records.isEmpty { - let cookies = BrowserCookieClient.makeHTTPCookies(source.records, origin: query.origin) - guard !cookies.isEmpty else { continue } - candidates.append(SessionInfo(cookies: cookies, sourceLabel: source.label)) - } - } catch { - BrowserCookieAccessGate.recordIfNeeded(error) - log("\(browserSource.displayName) cookie import failed: \(error.localizedDescription)") - } - } - - return try self.selectSessionInfo(from: candidates, logger: log) + let preferredCandidates = self.collectSessionInfo(from: preferredSources, logger: log) + return try self.selectSessionInfoWithFallback( + preferredCandidates: preferredCandidates, + loadFallbackCandidates: { + guard !preferredBrowsers.isEmpty else { return [] } + let fallbackSources = self.fallbackBrowserSources( + browserDetection: browserDetection, + excluding: preferredSources) + guard !fallbackSources.isEmpty else { return [] } + log("No recognized Ollama session in preferred browsers; trying fallback import order") + return self.collectSessionInfo(from: fallbackSources, logger: log) + }, + logger: log) } static func selectSessionInfo( @@ -122,6 +114,53 @@ public enum OllamaCookieImporter { throw OllamaUsageError.noSessionCookie } + static func selectSessionInfoWithFallback( + preferredCandidates: [SessionInfo], + loadFallbackCandidates: () -> [SessionInfo], + logger: ((String) -> Void)? = nil) throws -> SessionInfo + { + do { + return try self.selectSessionInfo(from: preferredCandidates, logger: logger) + } catch OllamaUsageError.noSessionCookie { + let fallbackCandidates = loadFallbackCandidates() + return try self.selectSessionInfo(from: fallbackCandidates, logger: logger) + } + } + + private static func fallbackBrowserSources( + browserDetection: BrowserDetection, + excluding triedSources: [Browser]) -> [Browser] + { + let tried = Set(triedSources) + return ollamaCookieImportOrder.cookieImportCandidates(using: browserDetection) + .filter { !tried.contains($0) } + } + + private static func collectSessionInfo( + from browserSources: [Browser], + logger: @escaping (String) -> Void) -> [SessionInfo] + { + var candidates: [SessionInfo] = [] + for browserSource in browserSources { + do { + let query = BrowserCookieQuery(domains: self.cookieDomains) + let sources = try Self.cookieClient.records( + matching: query, + in: browserSource, + logger: logger) + for source in sources where !source.records.isEmpty { + let cookies = BrowserCookieClient.makeHTTPCookies(source.records, origin: query.origin) + guard !cookies.isEmpty else { continue } + candidates.append(SessionInfo(cookies: cookies, sourceLabel: source.label)) + } + } catch { + BrowserCookieAccessGate.recordIfNeeded(error) + logger("\(browserSource.displayName) cookie import failed: \(error.localizedDescription)") + } + } + return candidates + } + private static func containsRecognizedSessionCookie(in cookies: [HTTPCookie]) -> Bool { cookies.contains { cookie in isRecognizedOllamaSessionCookieName(cookie.name) @@ -396,16 +435,10 @@ public struct OllamaUsageFetcher: Sendable { } private func logHTMLHints(html: String, logger: (String) -> Void) { - let trimmed = html - .replacingOccurrences(of: "\n", with: " ") - .replacingOccurrences(of: "\t", with: " ") - .trimmingCharacters(in: .whitespacesAndNewlines) - if !trimmed.isEmpty { - let snippet = trimmed.prefix(240) - logger("[ollama] HTML snippet: \(snippet)") - } + logger("[ollama] HTML length: \(html.utf8.count) bytes") logger("[ollama] Contains Cloud Usage: \(html.contains("Cloud Usage"))") logger("[ollama] Contains Session usage: \(html.contains("Session usage"))") + logger("[ollama] Contains Hourly usage: \(html.contains("Hourly usage"))") logger("[ollama] Contains Weekly usage: \(html.contains("Weekly usage"))") } diff --git a/Tests/CodexBarTests/OllamaUsageFetcherTests.swift b/Tests/CodexBarTests/OllamaUsageFetcherTests.swift index e527dda35..77193036a 100644 --- a/Tests/CodexBarTests/OllamaUsageFetcherTests.swift +++ b/Tests/CodexBarTests/OllamaUsageFetcherTests.swift @@ -112,6 +112,25 @@ struct OllamaUsageFetcherTests { #expect(selected.sourceLabel == "Profile C") } + @Test + func cookieSelectorFallsBackToNonChromeCandidateWhenPreferredPassHasNoSession() throws { + let preferred = [ + OllamaCookieImporter.SessionInfo( + cookies: [Self.makeCookie(name: "analytics_session_id", value: "noise")], + sourceLabel: "Chrome Profile"), + ] + let fallback = [ + OllamaCookieImporter.SessionInfo( + cookies: [Self.makeCookie(name: "next-auth.session-token.0", value: "chunk0")], + sourceLabel: "Safari Profile"), + ] + + let selected = try OllamaCookieImporter.selectSessionInfoWithFallback( + preferredCandidates: preferred, + loadFallbackCandidates: { fallback }) + #expect(selected.sourceLabel == "Safari Profile") + } + private static func makeCookie( name: String, value: String, From 5580a18b390c27eb632817e63937c25ecabad233 Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Mon, 16 Feb 2026 02:46:43 +0530 Subject: [PATCH 073/131] Keep Ollama auto cookie import Chrome-only by default --- .../Providers/Ollama/OllamaUsageFetcher.swift | 6 ++++ .../OllamaUsageFetcherTests.swift | 29 ++++++++++++++++++- 2 files changed, 34 insertions(+), 1 deletion(-) diff --git a/Sources/CodexBarCore/Providers/Ollama/OllamaUsageFetcher.swift b/Sources/CodexBarCore/Providers/Ollama/OllamaUsageFetcher.swift index e80994c81..537c9b241 100644 --- a/Sources/CodexBarCore/Providers/Ollama/OllamaUsageFetcher.swift +++ b/Sources/CodexBarCore/Providers/Ollama/OllamaUsageFetcher.swift @@ -77,6 +77,7 @@ public enum OllamaCookieImporter { public static func importSession( browserDetection: BrowserDetection, preferredBrowsers: [Browser] = [.chrome], + allowFallbackBrowsers: Bool = false, logger: ((String) -> Void)? = nil) throws -> SessionInfo { let log: (String) -> Void = { msg in logger?("[ollama-cookie] \(msg)") } @@ -86,6 +87,7 @@ public enum OllamaCookieImporter { let preferredCandidates = self.collectSessionInfo(from: preferredSources, logger: log) return try self.selectSessionInfoWithFallback( preferredCandidates: preferredCandidates, + allowFallbackBrowsers: allowFallbackBrowsers, loadFallbackCandidates: { guard !preferredBrowsers.isEmpty else { return [] } let fallbackSources = self.fallbackBrowserSources( @@ -116,9 +118,13 @@ public enum OllamaCookieImporter { static func selectSessionInfoWithFallback( preferredCandidates: [SessionInfo], + allowFallbackBrowsers: Bool, loadFallbackCandidates: () -> [SessionInfo], logger: ((String) -> Void)? = nil) throws -> SessionInfo { + guard allowFallbackBrowsers else { + return try self.selectSessionInfo(from: preferredCandidates, logger: logger) + } do { return try self.selectSessionInfo(from: preferredCandidates, logger: logger) } catch OllamaUsageError.noSessionCookie { diff --git a/Tests/CodexBarTests/OllamaUsageFetcherTests.swift b/Tests/CodexBarTests/OllamaUsageFetcherTests.swift index 77193036a..4285d03e2 100644 --- a/Tests/CodexBarTests/OllamaUsageFetcherTests.swift +++ b/Tests/CodexBarTests/OllamaUsageFetcherTests.swift @@ -113,7 +113,33 @@ struct OllamaUsageFetcherTests { } @Test - func cookieSelectorFallsBackToNonChromeCandidateWhenPreferredPassHasNoSession() throws { + func cookieSelectorDoesNotFallbackWhenFallbackDisabled() { + let preferred = [ + OllamaCookieImporter.SessionInfo( + cookies: [Self.makeCookie(name: "analytics_session_id", value: "noise")], + sourceLabel: "Chrome Profile"), + ] + let fallback = [ + OllamaCookieImporter.SessionInfo( + cookies: [Self.makeCookie(name: "next-auth.session-token.0", value: "chunk0")], + sourceLabel: "Safari Profile"), + ] + + do { + _ = try OllamaCookieImporter.selectSessionInfoWithFallback( + preferredCandidates: preferred, + allowFallbackBrowsers: false, + loadFallbackCandidates: { fallback }) + Issue.record("Expected OllamaUsageError.noSessionCookie") + } catch OllamaUsageError.noSessionCookie { + // expected + } catch { + Issue.record("Expected OllamaUsageError.noSessionCookie, got \(error)") + } + } + + @Test + func cookieSelectorFallsBackToNonChromeCandidateWhenFallbackEnabled() throws { let preferred = [ OllamaCookieImporter.SessionInfo( cookies: [Self.makeCookie(name: "analytics_session_id", value: "noise")], @@ -127,6 +153,7 @@ struct OllamaUsageFetcherTests { let selected = try OllamaCookieImporter.selectSessionInfoWithFallback( preferredCandidates: preferred, + allowFallbackBrowsers: true, loadFallbackCandidates: { fallback }) #expect(selected.sourceLabel == "Safari Profile") } From 2c198b04bcac7d0eefdc56535d36e8c308e3cd87 Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Mon, 16 Feb 2026 02:58:17 +0530 Subject: [PATCH 074/131] Align Ollama docs with Chrome-only auto import --- docs/ollama.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/docs/ollama.md b/docs/ollama.md index 88233879f..5be112746 100644 --- a/docs/ollama.md +++ b/docs/ollama.md @@ -21,7 +21,7 @@ The Ollama provider scrapes the **Plan & Billing** page to extract Cloud Usage l 1. Open **Settings → Providers**. 2. Enable **Ollama**. -3. Leave **Cookie source** on **Auto** (recommended). +3. Leave **Cookie source** on **Auto** (recommended, imports Chrome cookies by default). ### Manual cookie import (optional) @@ -41,7 +41,8 @@ The Ollama provider scrapes the **Plan & Billing** page to extract Cloud Usage l ### “No Ollama session cookie found” -Log in to `https://ollama.com/settings` in a supported browser (Safari or Chromium-based), then refresh in CodexBar. +Log in to `https://ollama.com/settings` in Chrome, then refresh in CodexBar. +If your active session is only in Safari (or another browser), use **Cookie source → Manual** and paste a cookie header. ### “Ollama session cookie expired” From cb0ddf3cb2872d8bb0a3d6f9e45716d0b6fb0b8d Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Mon, 16 Feb 2026 12:00:31 +0530 Subject: [PATCH 075/131] Retry Ollama cookie candidates on auth failure --- .../Providers/Ollama/OllamaUsageFetcher.swift | 175 ++++++++++++++---- .../OllamaUsageFetcherTests.swift | 24 +++ 2 files changed, 167 insertions(+), 32 deletions(-) diff --git a/Sources/CodexBarCore/Providers/Ollama/OllamaUsageFetcher.swift b/Sources/CodexBarCore/Providers/Ollama/OllamaUsageFetcher.swift index 537c9b241..4bcfd0cb8 100644 --- a/Sources/CodexBarCore/Providers/Ollama/OllamaUsageFetcher.swift +++ b/Sources/CodexBarCore/Providers/Ollama/OllamaUsageFetcher.swift @@ -74,18 +74,18 @@ public enum OllamaCookieImporter { } } - public static func importSession( + public static func importSessions( browserDetection: BrowserDetection, preferredBrowsers: [Browser] = [.chrome], allowFallbackBrowsers: Bool = false, - logger: ((String) -> Void)? = nil) throws -> SessionInfo + logger: ((String) -> Void)? = nil) throws -> [SessionInfo] { let log: (String) -> Void = { msg in logger?("[ollama-cookie] \(msg)") } let preferredSources = preferredBrowsers.isEmpty ? ollamaCookieImportOrder.cookieImportCandidates(using: browserDetection) : preferredBrowsers.cookieImportCandidates(using: browserDetection) let preferredCandidates = self.collectSessionInfo(from: preferredSources, logger: log) - return try self.selectSessionInfoWithFallback( + return try self.selectSessionInfosWithFallback( preferredCandidates: preferredCandidates, allowFallbackBrowsers: allowFallbackBrowsers, loadFallbackCandidates: { @@ -100,37 +100,86 @@ public enum OllamaCookieImporter { logger: log) } - static func selectSessionInfo( - from candidates: [SessionInfo], + public static func importSession( + browserDetection: BrowserDetection, + preferredBrowsers: [Browser] = [.chrome], + allowFallbackBrowsers: Bool = false, logger: ((String) -> Void)? = nil) throws -> SessionInfo { + let sessions = try self.importSessions( + browserDetection: browserDetection, + preferredBrowsers: preferredBrowsers, + allowFallbackBrowsers: allowFallbackBrowsers, + logger: logger) + guard let first = sessions.first else { + throw OllamaUsageError.noSessionCookie + } + return first + } + + static func selectSessionInfos( + from candidates: [SessionInfo], + logger: ((String) -> Void)? = nil) throws -> [SessionInfo] + { + var recognized: [SessionInfo] = [] for candidate in candidates { let names = candidate.cookies.map(\.name).joined(separator: ", ") logger?("\(candidate.sourceLabel) cookies: \(names)") if self.containsRecognizedSessionCookie(in: candidate.cookies) { logger?("Found Ollama session cookie in \(candidate.sourceLabel)") - return candidate + recognized.append(candidate) + } else { + logger?("\(candidate.sourceLabel) cookies found, but no recognized session cookie present") } - logger?("\(candidate.sourceLabel) cookies found, but no recognized session cookie present") } - throw OllamaUsageError.noSessionCookie + guard !recognized.isEmpty else { + throw OllamaUsageError.noSessionCookie + } + return recognized } - static func selectSessionInfoWithFallback( + static func selectSessionInfo( + from candidates: [SessionInfo], + logger: ((String) -> Void)? = nil) throws -> SessionInfo + { + guard let first = try self.selectSessionInfos(from: candidates, logger: logger).first else { + throw OllamaUsageError.noSessionCookie + } + return first + } + + static func selectSessionInfosWithFallback( preferredCandidates: [SessionInfo], allowFallbackBrowsers: Bool, loadFallbackCandidates: () -> [SessionInfo], - logger: ((String) -> Void)? = nil) throws -> SessionInfo + logger: ((String) -> Void)? = nil) throws -> [SessionInfo] { guard allowFallbackBrowsers else { - return try self.selectSessionInfo(from: preferredCandidates, logger: logger) + return try self.selectSessionInfos(from: preferredCandidates, logger: logger) } do { - return try self.selectSessionInfo(from: preferredCandidates, logger: logger) + return try self.selectSessionInfos(from: preferredCandidates, logger: logger) } catch OllamaUsageError.noSessionCookie { let fallbackCandidates = loadFallbackCandidates() - return try self.selectSessionInfo(from: fallbackCandidates, logger: logger) + return try self.selectSessionInfos(from: fallbackCandidates, logger: logger) + } + } + + static func selectSessionInfoWithFallback( + preferredCandidates: [SessionInfo], + allowFallbackBrowsers: Bool, + loadFallbackCandidates: () -> [SessionInfo], + logger: ((String) -> Void)? = nil) throws -> SessionInfo + { + guard let first = try self.selectSessionInfosWithFallback( + preferredCandidates: preferredCandidates, + allowFallbackBrowsers: allowFallbackBrowsers, + loadFallbackCandidates: loadFallbackCandidates, + logger: logger).first + else { + throw OllamaUsageError.noSessionCookie } + return first } private static func fallbackBrowserSources( @@ -179,6 +228,11 @@ public struct OllamaUsageFetcher: Sendable { private static let settingsURL = URL(string: "https://ollama.com/settings")! @MainActor private static var recentDumps: [String] = [] + private struct CookieCandidate: Sendable { + let cookieHeader: String + let sourceLabel: String + } + public let browserDetection: BrowserDetection public init(browserDetection: BrowserDetection) { @@ -191,41 +245,98 @@ public struct OllamaUsageFetcher: Sendable { logger: ((String) -> Void)? = nil, now: Date = Date()) async throws -> OllamaUsageSnapshot { - let log: (String) -> Void = { msg in logger?("[ollama] \(msg)") } - let cookieHeader = try await self.resolveCookieHeader( + let cookieCandidates = try await self.resolveCookieCandidates( override: cookieHeaderOverride, manualCookieMode: manualCookieMode, - logger: log) + logger: logger) + return try await self.fetchUsingCookieCandidates( + cookieCandidates, + logger: logger, + now: now) + } - if let logger { - let names = self.cookieNames(from: cookieHeader) + static func shouldRetryWithNextCookieCandidate(after error: Error) -> Bool { + switch error { + case OllamaUsageError.invalidCredentials, OllamaUsageError.notLoggedIn: + true + default: + false + } + } + + private func fetchUsingCookieCandidates( + _ candidates: [CookieCandidate], + logger: ((String) -> Void)?, + now: Date) async throws -> OllamaUsageSnapshot + { + var lastAuthError: Error? + for (index, candidate) in candidates.enumerated() { + let hasMoreCandidates = index + 1 < candidates.count + logger?("[ollama] Using cookies from \(candidate.sourceLabel)") + let names = self.cookieNames(from: candidate.cookieHeader) if !names.isEmpty { - logger("[ollama] Cookie names: \(names.joined(separator: ", "))") + logger?("[ollama] Cookie names: \(names.joined(separator: ", "))") } - let diagnostics = RedirectDiagnostics(cookieHeader: cookieHeader, logger: logger) + let diagnostics = RedirectDiagnostics(cookieHeader: candidate.cookieHeader, logger: logger) do { let (html, responseInfo) = try await self.fetchHTMLWithDiagnostics( - cookieHeader: cookieHeader, + cookieHeader: candidate.cookieHeader, diagnostics: diagnostics) - self.logDiagnostics(responseInfo: responseInfo, diagnostics: diagnostics, logger: logger) + if let logger { + self.logDiagnostics(responseInfo: responseInfo, diagnostics: diagnostics, logger: logger) + } do { return try OllamaUsageParser.parse(html: html, now: now) } catch { - logger("[ollama] Parse failed: \(error.localizedDescription)") - self.logHTMLHints(html: html, logger: logger) - throw error + if let logger { + logger("[ollama] Parse failed: \(error.localizedDescription)") + self.logHTMLHints(html: html, logger: logger) + } + guard hasMoreCandidates, Self.shouldRetryWithNextCookieCandidate(after: error) else { + throw error + } + lastAuthError = error + logger?("[ollama] Auth failed for \(candidate.sourceLabel); trying next cookie candidate") + continue } } catch { - self.logDiagnostics(responseInfo: nil, diagnostics: diagnostics, logger: logger) - throw error + if let logger { + self.logDiagnostics(responseInfo: nil, diagnostics: diagnostics, logger: logger) + } + guard hasMoreCandidates, Self.shouldRetryWithNextCookieCandidate(after: error) else { + throw error + } + lastAuthError = error + logger?("[ollama] Auth failed for \(candidate.sourceLabel); trying next cookie candidate") } } - let diagnostics = RedirectDiagnostics(cookieHeader: cookieHeader, logger: nil) - let (html, _) = try await self.fetchHTMLWithDiagnostics( - cookieHeader: cookieHeader, - diagnostics: diagnostics) - return try OllamaUsageParser.parse(html: html, now: now) + if let lastAuthError { + throw lastAuthError + } + throw OllamaUsageError.noSessionCookie + } + + private func resolveCookieCandidates( + override: String?, + manualCookieMode: Bool, + logger: ((String) -> Void)?) async throws -> [CookieCandidate] + { + if let manualHeader = try Self.resolveManualCookieHeader( + override: override, + manualCookieMode: manualCookieMode, + logger: logger) + { + return [CookieCandidate(cookieHeader: manualHeader, sourceLabel: "manual cookie header")] + } + #if os(macOS) + let sessions = try OllamaCookieImporter.importSessions(browserDetection: self.browserDetection, logger: logger) + return sessions.map { session in + CookieCandidate(cookieHeader: session.cookieHeader, sourceLabel: session.sourceLabel) + } + #else + throw OllamaUsageError.noSessionCookie + #endif } public func debugRawProbe( diff --git a/Tests/CodexBarTests/OllamaUsageFetcherTests.swift b/Tests/CodexBarTests/OllamaUsageFetcherTests.swift index 4285d03e2..102b69914 100644 --- a/Tests/CodexBarTests/OllamaUsageFetcherTests.swift +++ b/Tests/CodexBarTests/OllamaUsageFetcherTests.swift @@ -62,6 +62,14 @@ struct OllamaUsageFetcherTests { #expect(resolved?.contains("next-auth.session-token.0=abc") == true) } + @Test + func retryPolicyRetriesOnlyForAuthErrors() { + #expect(OllamaUsageFetcher.shouldRetryWithNextCookieCandidate(after: OllamaUsageError.invalidCredentials)) + #expect(OllamaUsageFetcher.shouldRetryWithNextCookieCandidate(after: OllamaUsageError.notLoggedIn)) + #expect(!OllamaUsageFetcher.shouldRetryWithNextCookieCandidate(after: OllamaUsageError.parseFailed("bad html"))) + #expect(!OllamaUsageFetcher.shouldRetryWithNextCookieCandidate(after: OllamaUsageError.networkError("timeout"))) + } + #if os(macOS) @Test func cookieImporterDefaultsToChromeFirst() { @@ -112,6 +120,22 @@ struct OllamaUsageFetcherTests { #expect(selected.sourceLabel == "Profile C") } + @Test + func cookieSelectorKeepsRecognizedCandidatesInOrder() throws { + let first = OllamaCookieImporter.SessionInfo( + cookies: [Self.makeCookie(name: "session", value: "stale")], + sourceLabel: "Chrome Profile A") + let second = OllamaCookieImporter.SessionInfo( + cookies: [Self.makeCookie(name: "next-auth.session-token.0", value: "valid")], + sourceLabel: "Chrome Profile B") + let noise = OllamaCookieImporter.SessionInfo( + cookies: [Self.makeCookie(name: "analytics_session_id", value: "noise")], + sourceLabel: "Chrome Profile C") + + let selected = try OllamaCookieImporter.selectSessionInfos(from: [first, noise, second]) + #expect(selected.map(\.sourceLabel) == ["Chrome Profile A", "Chrome Profile B"]) + } + @Test func cookieSelectorDoesNotFallbackWhenFallbackDisabled() { let preferred = [ From b58c62e0f875426cb7e8cd196657d83f4e0f97f3 Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Mon, 16 Feb 2026 12:16:37 +0530 Subject: [PATCH 076/131] Retry Ollama cookie candidates after auth-like parse failures --- .../CodexBarCore/Providers/Ollama/OllamaUsageFetcher.swift | 2 ++ Tests/CodexBarTests/OllamaUsageFetcherTests.swift | 5 ++++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/Sources/CodexBarCore/Providers/Ollama/OllamaUsageFetcher.swift b/Sources/CodexBarCore/Providers/Ollama/OllamaUsageFetcher.swift index 4bcfd0cb8..2748e64bc 100644 --- a/Sources/CodexBarCore/Providers/Ollama/OllamaUsageFetcher.swift +++ b/Sources/CodexBarCore/Providers/Ollama/OllamaUsageFetcher.swift @@ -259,6 +259,8 @@ public struct OllamaUsageFetcher: Sendable { switch error { case OllamaUsageError.invalidCredentials, OllamaUsageError.notLoggedIn: true + case let OllamaUsageError.parseFailed(message): + message.localizedCaseInsensitiveContains("missing ollama usage data") default: false } diff --git a/Tests/CodexBarTests/OllamaUsageFetcherTests.swift b/Tests/CodexBarTests/OllamaUsageFetcherTests.swift index 102b69914..ca05a653a 100644 --- a/Tests/CodexBarTests/OllamaUsageFetcherTests.swift +++ b/Tests/CodexBarTests/OllamaUsageFetcherTests.swift @@ -66,7 +66,10 @@ struct OllamaUsageFetcherTests { func retryPolicyRetriesOnlyForAuthErrors() { #expect(OllamaUsageFetcher.shouldRetryWithNextCookieCandidate(after: OllamaUsageError.invalidCredentials)) #expect(OllamaUsageFetcher.shouldRetryWithNextCookieCandidate(after: OllamaUsageError.notLoggedIn)) - #expect(!OllamaUsageFetcher.shouldRetryWithNextCookieCandidate(after: OllamaUsageError.parseFailed("bad html"))) + #expect(OllamaUsageFetcher.shouldRetryWithNextCookieCandidate( + after: OllamaUsageError.parseFailed("Missing Ollama usage data."))) + #expect(!OllamaUsageFetcher.shouldRetryWithNextCookieCandidate( + after: OllamaUsageError.parseFailed("Unexpected parser mismatch."))) #expect(!OllamaUsageFetcher.shouldRetryWithNextCookieCandidate(after: OllamaUsageError.networkError("timeout"))) } From 76525a8d1444d1a35f59ba17d4eeae62b73bac1c Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Mon, 16 Feb 2026 15:08:26 +0530 Subject: [PATCH 077/131] Add shared provider candidate retry runner --- .../ProviderCandidateRetryRunner.swift | 37 ++++++ .../ProviderCandidateRetryRunnerTests.swift | 120 ++++++++++++++++++ 2 files changed, 157 insertions(+) create mode 100644 Sources/CodexBarCore/Providers/ProviderCandidateRetryRunner.swift create mode 100644 Tests/CodexBarTests/ProviderCandidateRetryRunnerTests.swift diff --git a/Sources/CodexBarCore/Providers/ProviderCandidateRetryRunner.swift b/Sources/CodexBarCore/Providers/ProviderCandidateRetryRunner.swift new file mode 100644 index 000000000..d049cebd6 --- /dev/null +++ b/Sources/CodexBarCore/Providers/ProviderCandidateRetryRunner.swift @@ -0,0 +1,37 @@ +import Foundation + +enum ProviderCandidateRetryRunnerError: Error, Sendable { + case noCandidates +} + +enum ProviderCandidateRetryRunner { + static func run( + _ candidates: [Candidate], + shouldRetry: (Error) -> Bool, + onRetry: (Candidate, Error) -> Void = { _, _ in }, + attempt: (Candidate) async throws -> Output) async throws -> Output + { + guard !candidates.isEmpty else { + throw ProviderCandidateRetryRunnerError.noCandidates + } + + var lastError: Error? + for (index, candidate) in candidates.enumerated() { + do { + return try await attempt(candidate) + } catch { + lastError = error + let hasMoreCandidates = index + 1 < candidates.count + guard hasMoreCandidates, shouldRetry(error) else { + throw error + } + onRetry(candidate, error) + } + } + + if let lastError { + throw lastError + } + throw ProviderCandidateRetryRunnerError.noCandidates + } +} diff --git a/Tests/CodexBarTests/ProviderCandidateRetryRunnerTests.swift b/Tests/CodexBarTests/ProviderCandidateRetryRunnerTests.swift new file mode 100644 index 000000000..4632d1b95 --- /dev/null +++ b/Tests/CodexBarTests/ProviderCandidateRetryRunnerTests.swift @@ -0,0 +1,120 @@ +import Testing +@testable import CodexBarCore + +@Suite +struct ProviderCandidateRetryRunnerTests { + private enum TestError: Error, Equatable { + case retryable(Int) + case nonRetryable(Int) + } + + @Test + func retriesThenSucceeds() async throws { + let candidates = [1, 2, 3] + var attempted: [Int] = [] + var retried: [Int] = [] + + let output = try await ProviderCandidateRetryRunner.run( + candidates, + shouldRetry: { error in + if case TestError.retryable = error { + return true + } + return false + }, + onRetry: { candidate, _ in + retried.append(candidate) + }, + attempt: { candidate in + attempted.append(candidate) + guard candidate == 3 else { + throw TestError.retryable(candidate) + } + return candidate * 10 + }) + + #expect(output == 30) + #expect(attempted == [1, 2, 3]) + #expect(retried == [1, 2]) + } + + @Test + func nonRetryableFailsImmediately() async { + let candidates = [1, 2, 3] + var attempted: [Int] = [] + var retried: [Int] = [] + + do { + _ = try await ProviderCandidateRetryRunner.run( + candidates, + shouldRetry: { error in + if case TestError.retryable = error { + return true + } + return false + }, + onRetry: { candidate, _ in + retried.append(candidate) + }, + attempt: { candidate in + attempted.append(candidate) + throw TestError.nonRetryable(candidate) + }) + Issue.record("Expected TestError.nonRetryable") + } catch let error as TestError { + #expect(error == .nonRetryable(1)) + #expect(attempted == [1]) + #expect(retried.isEmpty) + } catch { + Issue.record("Expected TestError.nonRetryable(1), got \(error)") + } + } + + @Test + func exhaustedRetryableThrowsLastError() async { + let candidates = [1, 2] + var attempted: [Int] = [] + var retried: [Int] = [] + + do { + _ = try await ProviderCandidateRetryRunner.run( + candidates, + shouldRetry: { error in + if case TestError.retryable = error { + return true + } + return false + }, + onRetry: { candidate, _ in + retried.append(candidate) + }, + attempt: { candidate in + attempted.append(candidate) + throw TestError.retryable(candidate) + }) + Issue.record("Expected TestError.retryable") + } catch let error as TestError { + #expect(error == .retryable(2)) + #expect(attempted == [1, 2]) + #expect(retried == [1]) + } catch { + Issue.record("Expected TestError.retryable(2), got \(error)") + } + } + + @Test + func emptyCandidatesThrowsNoCandidates() async { + do { + let candidates: [Int] = [] + _ = try await ProviderCandidateRetryRunner.run( + candidates, + shouldRetry: { _ in true }, + attempt: { _ in 1 }) + Issue.record("Expected ProviderCandidateRetryRunnerError.noCandidates") + } catch ProviderCandidateRetryRunnerError.noCandidates { + // expected + } catch { + Issue.record("Expected ProviderCandidateRetryRunnerError.noCandidates, got \(error)") + } + } +} From 32ffc9fd9e4b2bff1ece1319eba45431113a95b4 Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Mon, 16 Feb 2026 15:12:47 +0530 Subject: [PATCH 078/131] Use typed Ollama parse failures for retries --- .../Providers/Ollama/OllamaUsageFetcher.swift | 108 +++++++++++------- .../Providers/Ollama/OllamaUsageParser.swift | 29 ++++- .../OllamaUsageFetcherTests.swift | 2 + .../OllamaUsageParserTests.swift | 36 ++++++ 4 files changed, 129 insertions(+), 46 deletions(-) diff --git a/Sources/CodexBarCore/Providers/Ollama/OllamaUsageFetcher.swift b/Sources/CodexBarCore/Providers/Ollama/OllamaUsageFetcher.swift index 2748e64bc..a3fc67009 100644 --- a/Sources/CodexBarCore/Providers/Ollama/OllamaUsageFetcher.swift +++ b/Sources/CodexBarCore/Providers/Ollama/OllamaUsageFetcher.swift @@ -233,6 +233,10 @@ public struct OllamaUsageFetcher: Sendable { let sourceLabel: String } + enum RetryableParseFailure: Error, Sendable { + case missingUsageData + } + public let browserDetection: BrowserDetection public init(browserDetection: BrowserDetection) { @@ -259,8 +263,8 @@ public struct OllamaUsageFetcher: Sendable { switch error { case OllamaUsageError.invalidCredentials, OllamaUsageError.notLoggedIn: true - case let OllamaUsageError.parseFailed(message): - message.localizedCaseInsensitiveContains("missing ollama usage data") + case RetryableParseFailure.missingUsageData: + true default: false } @@ -271,52 +275,72 @@ public struct OllamaUsageFetcher: Sendable { logger: ((String) -> Void)?, now: Date) async throws -> OllamaUsageSnapshot { - var lastAuthError: Error? - for (index, candidate) in candidates.enumerated() { - let hasMoreCandidates = index + 1 < candidates.count - logger?("[ollama] Using cookies from \(candidate.sourceLabel)") - let names = self.cookieNames(from: candidate.cookieHeader) - if !names.isEmpty { - logger?("[ollama] Cookie names: \(names.joined(separator: ", "))") - } - let diagnostics = RedirectDiagnostics(cookieHeader: candidate.cookieHeader, logger: logger) - do { - let (html, responseInfo) = try await self.fetchHTMLWithDiagnostics( - cookieHeader: candidate.cookieHeader, - diagnostics: diagnostics) - if let logger { - self.logDiagnostics(responseInfo: responseInfo, diagnostics: diagnostics, logger: logger) - } - do { - return try OllamaUsageParser.parse(html: html, now: now) - } catch { - if let logger { - logger("[ollama] Parse failed: \(error.localizedDescription)") - self.logHTMLHints(html: html, logger: logger) + do { + return try await ProviderCandidateRetryRunner.run( + candidates, + shouldRetry: { error in + Self.shouldRetryWithNextCookieCandidate(after: error) + }, + onRetry: { candidate, _ in + logger?("[ollama] Auth failed for \(candidate.sourceLabel); trying next cookie candidate") + }, + attempt: { candidate in + logger?("[ollama] Using cookies from \(candidate.sourceLabel)") + let names = self.cookieNames(from: candidate.cookieHeader) + if !names.isEmpty { + logger?("[ollama] Cookie names: \(names.joined(separator: ", "))") } - guard hasMoreCandidates, Self.shouldRetryWithNextCookieCandidate(after: error) else { + + let diagnostics = RedirectDiagnostics(cookieHeader: candidate.cookieHeader, logger: logger) + do { + let (html, responseInfo) = try await self.fetchHTMLWithDiagnostics( + cookieHeader: candidate.cookieHeader, + diagnostics: diagnostics) + if let logger { + self.logDiagnostics(responseInfo: responseInfo, diagnostics: diagnostics, logger: logger) + } + do { + return try Self.parseSnapshotForRetry(html: html, now: now) + } catch { + let surfacedError = Self.surfacedError(from: error) + if let logger { + logger("[ollama] Parse failed: \(surfacedError.localizedDescription)") + self.logHTMLHints(html: html, logger: logger) + } + throw error + } + } catch { + if let logger { + self.logDiagnostics(responseInfo: nil, diagnostics: diagnostics, logger: logger) + } throw error } - lastAuthError = error - logger?("[ollama] Auth failed for \(candidate.sourceLabel); trying next cookie candidate") - continue - } - } catch { - if let logger { - self.logDiagnostics(responseInfo: nil, diagnostics: diagnostics, logger: logger) - } - guard hasMoreCandidates, Self.shouldRetryWithNextCookieCandidate(after: error) else { - throw error - } - lastAuthError = error - logger?("[ollama] Auth failed for \(candidate.sourceLabel); trying next cookie candidate") - } + }) + } catch ProviderCandidateRetryRunnerError.noCandidates { + throw OllamaUsageError.noSessionCookie + } catch { + throw Self.surfacedError(from: error) + } + } + + private static func parseSnapshotForRetry(html: String, now: Date) throws -> OllamaUsageSnapshot { + switch OllamaUsageParser.parseClassified(html: html, now: now) { + case let .success(snapshot): + return snapshot + case .failure(.notLoggedIn): + throw OllamaUsageError.notLoggedIn + case .failure(.missingUsageData): + throw RetryableParseFailure.missingUsageData } + } - if let lastAuthError { - throw lastAuthError + private static func surfacedError(from error: Error) -> Error { + switch error { + case RetryableParseFailure.missingUsageData: + OllamaUsageError.parseFailed("Missing Ollama usage data.") + default: + error } - throw OllamaUsageError.noSessionCookie } private func resolveCookieCandidates( diff --git a/Sources/CodexBarCore/Providers/Ollama/OllamaUsageParser.swift b/Sources/CodexBarCore/Providers/Ollama/OllamaUsageParser.swift index fad1f362d..f93f35864 100644 --- a/Sources/CodexBarCore/Providers/Ollama/OllamaUsageParser.swift +++ b/Sources/CodexBarCore/Providers/Ollama/OllamaUsageParser.swift @@ -3,7 +3,28 @@ import Foundation enum OllamaUsageParser { private static let primaryUsageLabels = ["Session usage", "Hourly usage"] + enum ParseFailure: Sendable, Equatable { + case notLoggedIn + case missingUsageData + } + + enum ClassifiedParseResult: Sendable { + case success(OllamaUsageSnapshot) + case failure(ParseFailure) + } + static func parse(html: String, now: Date = Date()) throws -> OllamaUsageSnapshot { + switch self.parseClassified(html: html, now: now) { + case let .success(snapshot): + return snapshot + case .failure(.notLoggedIn): + throw OllamaUsageError.notLoggedIn + case .failure(.missingUsageData): + throw OllamaUsageError.parseFailed("Missing Ollama usage data.") + } + } + + static func parseClassified(html: String, now: Date = Date()) -> ClassifiedParseResult { let plan = self.parsePlanName(html) let email = self.parseAccountEmail(html) let session = self.parseUsageBlock(labels: self.primaryUsageLabels, html: html) @@ -11,19 +32,19 @@ enum OllamaUsageParser { if session == nil, weekly == nil { if self.looksSignedOut(html) { - throw OllamaUsageError.notLoggedIn + return .failure(.notLoggedIn) } - throw OllamaUsageError.parseFailed("Missing Ollama usage data.") + return .failure(.missingUsageData) } - return OllamaUsageSnapshot( + return .success(OllamaUsageSnapshot( planName: plan, accountEmail: email, sessionUsedPercent: session?.usedPercent, weeklyUsedPercent: weekly?.usedPercent, sessionResetsAt: session?.resetsAt, weeklyResetsAt: weekly?.resetsAt, - updatedAt: now) + updatedAt: now)) } private struct UsageBlock: Sendable { diff --git a/Tests/CodexBarTests/OllamaUsageFetcherTests.swift b/Tests/CodexBarTests/OllamaUsageFetcherTests.swift index ca05a653a..8020638f8 100644 --- a/Tests/CodexBarTests/OllamaUsageFetcherTests.swift +++ b/Tests/CodexBarTests/OllamaUsageFetcherTests.swift @@ -67,6 +67,8 @@ struct OllamaUsageFetcherTests { #expect(OllamaUsageFetcher.shouldRetryWithNextCookieCandidate(after: OllamaUsageError.invalidCredentials)) #expect(OllamaUsageFetcher.shouldRetryWithNextCookieCandidate(after: OllamaUsageError.notLoggedIn)) #expect(OllamaUsageFetcher.shouldRetryWithNextCookieCandidate( + after: OllamaUsageFetcher.RetryableParseFailure.missingUsageData)) + #expect(!OllamaUsageFetcher.shouldRetryWithNextCookieCandidate( after: OllamaUsageError.parseFailed("Missing Ollama usage data."))) #expect(!OllamaUsageFetcher.shouldRetryWithNextCookieCandidate( after: OllamaUsageError.parseFailed("Unexpected parser mismatch."))) diff --git a/Tests/CodexBarTests/OllamaUsageParserTests.swift b/Tests/CodexBarTests/OllamaUsageParserTests.swift index 1dee39b78..e01d167ae 100644 --- a/Tests/CodexBarTests/OllamaUsageParserTests.swift +++ b/Tests/CodexBarTests/OllamaUsageParserTests.swift @@ -58,6 +58,19 @@ struct OllamaUsageParserTests { } } + @Test + func classifiedParseMissingUsageReturnsTypedFailure() { + let html = "No usage here. login status unknown." + let result = OllamaUsageParser.parseClassified(html: html) + + switch result { + case .success: + Issue.record("Expected classified parse failure for missing usage data") + case let .failure(failure): + #expect(failure == .missingUsageData) + } + } + @Test func signedOutThrowsNotLoggedIn() { let html = """ @@ -80,6 +93,29 @@ struct OllamaUsageParserTests { } } + @Test + func classifiedParseSignedOutReturnsTypedFailure() { + let html = """ + + +

Sign in to Ollama

+
+ + +
+ + + """ + + let result = OllamaUsageParser.parseClassified(html: html) + switch result { + case .success: + Issue.record("Expected classified parse failure for signed-out HTML") + case let .failure(failure): + #expect(failure == .notLoggedIn) + } + } + @Test func genericSignInTextWithoutAuthMarkersThrowsParseFailed() { let html = """ From e775a5981a36260c294f2e806d800221d069adbf Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Mon, 16 Feb 2026 19:52:04 +0530 Subject: [PATCH 079/131] Move Claude prompt-free creds toggle to Advanced keychain settings --- .../CodexBar/PreferencesAdvancedPane.swift | 9 ++++- .../Claude/ClaudeProviderImplementation.swift | 39 +------------------ Sources/CodexBar/SettingsStore+Defaults.swift | 9 +++++ .../ProviderSettingsDescriptorTests.swift | 9 ----- .../SettingsStoreCoverageTests.swift | 12 ++++++ 5 files changed, 30 insertions(+), 48 deletions(-) diff --git a/Sources/CodexBar/PreferencesAdvancedPane.swift b/Sources/CodexBar/PreferencesAdvancedPane.swift index 1db4897f2..1bfcd0636 100644 --- a/Sources/CodexBar/PreferencesAdvancedPane.swift +++ b/Sources/CodexBar/PreferencesAdvancedPane.swift @@ -80,9 +80,14 @@ struct AdvancedPane: View { SettingsSection( title: "Keychain access", caption: """ - Disable all Keychain reads and writes. Browser cookie import is unavailable; paste Cookie \ - headers manually in Providers. + Control how CodexBar uses Keychain. Disabling Keychain access entirely also disables browser \ + cookie import. """) { + PreferenceToggleRow( + title: "Claude creds without prompts (experimental)", + subtitle: "Use /usr/bin/security to read Claude credentials and avoid CodexBar " + + "keychain prompts.", + binding: self.$settings.claudeOAuthPromptFreeCredentialsEnabled) PreferenceToggleRow( title: "Disable Keychain access", subtitle: "Prevents any Keychain access while enabled.", diff --git a/Sources/CodexBar/Providers/Claude/ClaudeProviderImplementation.swift b/Sources/CodexBar/Providers/Claude/ClaudeProviderImplementation.swift index 9c067f49a..38028b456 100644 --- a/Sources/CodexBar/Providers/Claude/ClaudeProviderImplementation.swift +++ b/Sources/CodexBar/Providers/Claude/ClaudeProviderImplementation.swift @@ -80,12 +80,6 @@ struct ClaudeProviderImplementation: ProviderImplementation { context.settings.claudeOAuthKeychainPromptMode = ClaudeOAuthKeychainPromptMode(rawValue: raw) ?? .onlyOnUserAction }) - let keychainReadStrategyBinding = Binding( - get: { context.settings.claudeOAuthKeychainReadStrategy.rawValue }, - set: { raw in - context.settings.claudeOAuthKeychainReadStrategy = ClaudeOAuthKeychainReadStrategy(rawValue: raw) - ?? .securityFramework - }) let usageOptions = ClaudeUsageDataSource.allCases.map { ProviderSettingsPickerOption(id: $0.rawValue, title: $0.displayName) @@ -104,15 +98,6 @@ struct ClaudeProviderImplementation: ProviderImplementation { id: ClaudeOAuthKeychainPromptMode.always.rawValue, title: "Always allow prompts"), ] - let keychainReadStrategyOptions: [ProviderSettingsPickerOption] = [ - ProviderSettingsPickerOption( - id: ClaudeOAuthKeychainReadStrategy.securityFramework.rawValue, - title: "Standard (default)"), - ProviderSettingsPickerOption( - id: ClaudeOAuthKeychainReadStrategy.securityCLIExperimental.rawValue, - title: "Experimental (/usr/bin/security)"), - ] - let cookieSubtitle: () -> String? = { ProviderCookieSourceUI.subtitle( source: context.settings.claudeCookieSource, @@ -125,18 +110,8 @@ struct ClaudeProviderImplementation: ProviderImplementation { if context.settings.debugDisableKeychainAccess { return "Global Keychain access is disabled in Advanced, so this setting is currently inactive." } - return "Controls Claude OAuth Keychain prompts for Standard reader mode. Choosing \"Never prompt\" can " + - "make OAuth unavailable; use Web/CLI when needed." - } - let keychainReadStrategySubtitle: () -> String? = { - if context.settings.debugDisableKeychainAccess { - return "Global Keychain access is disabled in Advanced, so this setting is currently inactive." - } - if context.settings.claudeOAuthKeychainReadStrategy == .securityCLIExperimental { - return "Experimental mode reads via /usr/bin/security first. If it falls back to Security.framework, " + - "the stored keychain prompt policy still applies (default: only on user action)." - } - return "Standard mode uses Security.framework and respects the keychain prompt policy below." + return "Controls Claude OAuth Keychain prompts when experimental reader mode is off. Choosing " + + "\"Never prompt\" can make OAuth unavailable; use Web/CLI when needed." } return [ @@ -163,16 +138,6 @@ struct ClaudeProviderImplementation: ProviderImplementation { isVisible: { context.settings.claudeOAuthKeychainReadStrategy == .securityFramework }, isEnabled: { !context.settings.debugDisableKeychainAccess }, onChange: nil), - ProviderSettingsPickerDescriptor( - id: "claude-oauth-keychain-reader", - title: "OAuth keychain reader", - subtitle: "Choose how CodexBar reads Claude OAuth credentials from Keychain.", - dynamicSubtitle: keychainReadStrategySubtitle, - binding: keychainReadStrategyBinding, - options: keychainReadStrategyOptions, - isVisible: nil, - isEnabled: { !context.settings.debugDisableKeychainAccess }, - onChange: nil), ProviderSettingsPickerDescriptor( id: "claude-cookie-source", title: "Claude cookies", diff --git a/Sources/CodexBar/SettingsStore+Defaults.swift b/Sources/CodexBar/SettingsStore+Defaults.swift index ff4f0856d..0f6315847 100644 --- a/Sources/CodexBar/SettingsStore+Defaults.swift +++ b/Sources/CodexBar/SettingsStore+Defaults.swift @@ -210,6 +210,15 @@ extension SettingsStore { } } + var claudeOAuthPromptFreeCredentialsEnabled: Bool { + get { self.claudeOAuthKeychainReadStrategy == .securityCLIExperimental } + set { + self.claudeOAuthKeychainReadStrategy = newValue + ? .securityCLIExperimental + : .securityFramework + } + } + var claudeWebExtrasEnabled: Bool { get { self.claudeWebExtrasEnabledRaw } set { self.claudeWebExtrasEnabledRaw = newValue } diff --git a/Tests/CodexBarTests/ProviderSettingsDescriptorTests.swift b/Tests/CodexBarTests/ProviderSettingsDescriptorTests.swift index 65cfbdd1a..74ba76f8f 100644 --- a/Tests/CodexBarTests/ProviderSettingsDescriptorTests.swift +++ b/Tests/CodexBarTests/ProviderSettingsDescriptorTests.swift @@ -168,11 +168,6 @@ struct ProviderSettingsDescriptorTests { #expect(optionIDs.contains(ClaudeOAuthKeychainPromptMode.onlyOnUserAction.rawValue)) #expect(optionIDs.contains(ClaudeOAuthKeychainPromptMode.always.rawValue)) #expect(keychainPicker.isEnabled?() ?? true) - let readStrategyPicker = try #require(pickers.first(where: { $0.id == "claude-oauth-keychain-reader" })) - let readStrategyOptionIDs = Set(readStrategyPicker.options.map(\.id)) - #expect(readStrategyOptionIDs.contains(ClaudeOAuthKeychainReadStrategy.securityFramework.rawValue)) - #expect(readStrategyOptionIDs.contains(ClaudeOAuthKeychainReadStrategy.securityCLIExperimental.rawValue)) - #expect(readStrategyPicker.isEnabled?() ?? true) } @Test @@ -261,10 +256,6 @@ struct ProviderSettingsDescriptorTests { #expect(keychainPicker.isEnabled?() == false) let subtitle = keychainPicker.dynamicSubtitle?() ?? "" #expect(subtitle.localizedCaseInsensitiveContains("inactive")) - let readStrategyPicker = try #require(pickers.first(where: { $0.id == "claude-oauth-keychain-reader" })) - #expect(readStrategyPicker.isEnabled?() == false) - let readStrategySubtitle = readStrategyPicker.dynamicSubtitle?() ?? "" - #expect(readStrategySubtitle.localizedCaseInsensitiveContains("inactive")) } @Test diff --git a/Tests/CodexBarTests/SettingsStoreCoverageTests.swift b/Tests/CodexBarTests/SettingsStoreCoverageTests.swift index 693159f19..aa3c096b8 100644 --- a/Tests/CodexBarTests/SettingsStoreCoverageTests.swift +++ b/Tests/CodexBarTests/SettingsStoreCoverageTests.swift @@ -220,6 +220,18 @@ struct SettingsStoreCoverageTests { #expect(settings.claudeOAuthKeychainReadStrategy == .securityFramework) } + @Test + func claudePromptFreeCredentialsToggle_mapsToReadStrategy() { + let settings = Self.makeSettingsStore() + #expect(settings.claudeOAuthPromptFreeCredentialsEnabled == false) + + settings.claudeOAuthPromptFreeCredentialsEnabled = true + #expect(settings.claudeOAuthKeychainReadStrategy == .securityCLIExperimental) + + settings.claudeOAuthPromptFreeCredentialsEnabled = false + #expect(settings.claudeOAuthKeychainReadStrategy == .securityFramework) + } + private static func makeSettingsStore(suiteName: String = "SettingsStoreCoverageTests") -> SettingsStore { let defaults = UserDefaults(suiteName: suiteName)! defaults.removePersistentDomain(forName: suiteName) From bca44feb76a0d9add7b85b44362153b0fb34a882 Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Mon, 16 Feb 2026 20:55:25 +0530 Subject: [PATCH 080/131] Harden experimental Claude keychain reads and account selection --- ...deOAuthCredentials+SecurityCLIReader.swift | 38 +++++-- ...udeOAuthCredentials+TestingOverrides.swift | 21 +++- .../ClaudeOAuth/ClaudeOAuthCredentials.swift | 35 ++++-- ...AuthCredentialsStoreSecurityCLITests.swift | 107 ++++++++++++++++++ ...AuthDelegatedRefreshCoordinatorTests.swift | 2 +- 5 files changed, 180 insertions(+), 23 deletions(-) diff --git a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials+SecurityCLIReader.swift b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials+SecurityCLIReader.swift index b7b265b92..e26990118 100644 --- a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials+SecurityCLIReader.swift +++ b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials+SecurityCLIReader.swift @@ -11,12 +11,12 @@ extension ClaudeOAuthCredentialsStore { private static let securityBinaryPath = "/usr/bin/security" private static let securityCLIReadTimeout: TimeInterval = 1.5 - static func shouldPreferSecurityCLIKeychainRead() -> Bool { - ClaudeOAuthKeychainReadStrategyPreference.current() == .securityCLIExperimental + struct SecurityCLIReadRequest: Sendable { + let account: String? } - static func shouldBypassPreAlertForPreferredReader() -> Bool { - self.shouldPreferSecurityCLIKeychainRead() + static func shouldPreferSecurityCLIKeychainRead() -> Bool { + ClaudeOAuthKeychainReadStrategyPreference.current() == .securityCLIExperimental } #if os(macOS) @@ -38,6 +38,7 @@ extension ClaudeOAuthCredentialsStore { guard self.shouldPreferSecurityCLIKeychainRead() else { return nil } do { + let preferredAccount = self.preferredClaudeKeychainAccountForSecurityCLIRead() let output: Data let status: Int32 let stderrLength: Int @@ -55,20 +56,24 @@ extension ClaudeOAuthCredentialsStore { case .nonZeroExit: throw SecurityCLIReadError.nonZeroExit(status: 1, stderrLength: 0) case let .dynamic(read): - output = read() ?? Data() + output = read(SecurityCLIReadRequest(account: preferredAccount)) ?? Data() status = 0 stderrLength = 0 durationMs = 0 } } else { - let result = try self.runClaudeSecurityCLIRead(timeout: self.securityCLIReadTimeout) + let result = try self.runClaudeSecurityCLIRead( + timeout: self.securityCLIReadTimeout, + account: preferredAccount) output = result.stdout status = result.status stderrLength = result.stderrLength durationMs = result.durationMs } #else - let result = try self.runClaudeSecurityCLIRead(timeout: self.securityCLIReadTimeout) + let result = try self.runClaudeSecurityCLIRead( + timeout: self.securityCLIReadTimeout, + account: preferredAccount) output = result.stdout status = result.status stderrLength = result.stderrLength @@ -101,6 +106,7 @@ extension ClaudeOAuthCredentialsStore { "duration_ms": String(format: "%.2f", durationMs), "stderr_length": "\(stderrLength)", "payload_bytes": "\(sanitized.count)", + "accountPinned": preferredAccount == nil ? "0" : "1", ] for (key, value) in parsedCredentials.diagnosticsMetadata(now: Date()) { metadata[key] = value @@ -149,19 +155,27 @@ extension ClaudeOAuthCredentialsStore { return sanitized } - private static func runClaudeSecurityCLIRead(timeout: TimeInterval) throws -> SecurityCLIReadCommandResult { + private static func runClaudeSecurityCLIRead( + timeout: TimeInterval, + account: String?) throws -> SecurityCLIReadCommandResult + { guard FileManager.default.isExecutableFile(atPath: self.securityBinaryPath) else { throw SecurityCLIReadError.binaryUnavailable } - let process = Process() - process.executableURL = URL(fileURLWithPath: self.securityBinaryPath) - process.arguments = [ + var arguments = [ "find-generic-password", "-s", self.claudeKeychainService, - "-w", ] + if let account, !account.isEmpty { + arguments.append(contentsOf: ["-a", account]) + } + arguments.append("-w") + + let process = Process() + process.executableURL = URL(fileURLWithPath: self.securityBinaryPath) + process.arguments = arguments let stdoutPipe = Pipe() let stderrPipe = Pipe() diff --git a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials+TestingOverrides.swift b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials+TestingOverrides.swift index 6b6ceebc2..dbcd11105 100644 --- a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials+TestingOverrides.swift +++ b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials+TestingOverrides.swift @@ -106,12 +106,13 @@ extension ClaudeOAuthCredentialsStore { case data(Data?) case timedOut case nonZeroExit - case dynamic(@Sendable () -> Data?) + case dynamic(@Sendable (SecurityCLIReadRequest) -> Data?) } @TaskLocal static var taskKeychainAccessOverride: Bool? @TaskLocal static var taskCredentialsFileFingerprintStoreOverride: CredentialsFileFingerprintStore? @TaskLocal static var taskSecurityCLIReadOverride: SecurityCLIReadOverride? + @TaskLocal static var taskSecurityCLIReadAccountOverride: String? nonisolated(unsafe) static var securityCLIReadOverride: SecurityCLIReadOverride? static func withKeychainAccessOverrideForTesting( @@ -186,6 +187,24 @@ extension ClaudeOAuthCredentialsStore { } } + static func withSecurityCLIReadAccountOverrideForTesting( + _ account: String?, + operation: () throws -> T) rethrows -> T + { + try self.$taskSecurityCLIReadAccountOverride.withValue(account) { + try operation() + } + } + + static func withSecurityCLIReadAccountOverrideForTesting( + _ account: String?, + operation: () async throws -> T) async rethrows -> T + { + try await self.$taskSecurityCLIReadAccountOverride.withValue(account) { + try await operation() + } + } + static func setSecurityCLIReadOverrideForTesting(_ readOverride: SecurityCLIReadOverride?) { self.securityCLIReadOverride = readOverride } diff --git a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials.swift b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials.swift index 330a4d6ce..a55f19f26 100644 --- a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials.swift +++ b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials.swift @@ -666,9 +666,7 @@ public enum ClaudeOAuthCredentialsStore { // Do not attempt a non-interactive data read if preflight indicates interaction is likely. // Why: on some systems, Security.framework can still surface UI even for "no UI" queries. - if !self.shouldBypassPreAlertForPreferredReader(), - self.shouldShowClaudeKeychainPreAlert() - { + if self.shouldShowClaudeKeychainPreAlert() { return nil } @@ -767,9 +765,7 @@ public enum ClaudeOAuthCredentialsStore { // If Keychain preflight indicates interaction is likely, skip the silent repair read. // Why: non-interactive probes can still show UI on some systems, and if interaction is required we should // let the interactive prompt path handle it (when allowed). - if !self.shouldBypassPreAlertForPreferredReader(), - self.shouldShowClaudeKeychainPreAlert() - { + if self.shouldShowClaudeKeychainPreAlert() { return nil } @@ -1387,6 +1383,29 @@ public enum ClaudeOAuthCredentialsStore { } } + static func preferredClaudeKeychainAccountForSecurityCLIRead() -> String? { + #if DEBUG + if let override = self.taskSecurityCLIReadAccountOverride { return override } + #endif + #if os(macOS) + let mode = ClaudeOAuthKeychainPromptPreference.current() + guard self.shouldAllowClaudeCodeKeychainAccess(mode: mode) else { return nil } + // Keep experimental mode prompt-safe: avoid Security.framework candidate probes when preflight says + // interaction is likely. + if self.shouldShowClaudeKeychainPreAlert() { + return nil + } + guard let account = self.claudeKeychainCandidatesWithoutPrompt(promptMode: mode).first?.account, + !account.isEmpty + else { + return nil + } + return account + #else + return nil + #endif + } + private static func credentialsFileURL() -> URL { #if DEBUG if let override = self.taskCredentialsURLOverride { return override } @@ -1507,9 +1526,7 @@ extension ClaudeOAuthCredentialsStore { // Skip the silent data read if preflight indicates interaction is likely. // Why: on some systems, Security.framework can still surface UI even for "no UI" probes. - if !self.shouldBypassPreAlertForPreferredReader(), - self.shouldShowClaudeKeychainPreAlert() - { + if self.shouldShowClaudeKeychainPreAlert() { return false } diff --git a/Tests/CodexBarTests/ClaudeOAuthCredentialsStoreSecurityCLITests.swift b/Tests/CodexBarTests/ClaudeOAuthCredentialsStoreSecurityCLITests.swift index 95fad4b94..531077e0d 100644 --- a/Tests/CodexBarTests/ClaudeOAuthCredentialsStoreSecurityCLITests.swift +++ b/Tests/CodexBarTests/ClaudeOAuthCredentialsStoreSecurityCLITests.swift @@ -330,4 +330,111 @@ struct ClaudeOAuthCredentialsStoreSecurityCLITests { #expect(threwNotFound == true) } + + @Test + func experimentalReader_securityCLIRead_pinsPreferredAccountWhenAvailable() throws { + let securityData = self.makeCredentialsData( + accessToken: "security-account-pinned", + expiresAt: Date(timeIntervalSinceNow: 3600)) + final class AccountBox: @unchecked Sendable { + var value: String? + } + let pinnedAccount = AccountBox() + + let loaded = try ClaudeOAuthKeychainReadStrategyPreference.withTaskOverrideForTesting( + .securityCLIExperimental, + operation: { + try ClaudeOAuthCredentialsStore.withSecurityCLIReadAccountOverrideForTesting("new-account") { + try ClaudeOAuthKeychainPromptPreference.withTaskOverrideForTesting( + .always, + operation: { + try ProviderInteractionContext.$current.withValue(.userInitiated) { + try ClaudeOAuthCredentialsStore.withSecurityCLIReadOverrideForTesting( + .dynamic { request in + pinnedAccount.value = request.account + return securityData + }) { + try ClaudeOAuthCredentialsStore.loadFromClaudeKeychain() + } + } + }) + } + }) + + let creds = try ClaudeOAuthCredentials.parse(data: loaded) + #expect(pinnedAccount.value == "new-account") + #expect(creds.accessToken == "security-account-pinned") + } + + @Test + func experimentalReader_freshnessSync_skipsSecurityCLIWhenPreflightRequiresInteraction() throws { + let service = "com.steipete.codexbar.cache.tests.\(UUID().uuidString)" + try KeychainCacheStore.withServiceOverrideForTesting(service) { + try KeychainAccessGate.withTaskOverrideForTesting(false) { + KeychainCacheStore.setTestStoreForTesting(true) + defer { KeychainCacheStore.setTestStoreForTesting(false) } + + try ClaudeOAuthCredentialsStore.withIsolatedMemoryCacheForTesting { + ClaudeOAuthCredentialsStore.invalidateCache() + ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() + defer { + ClaudeOAuthCredentialsStore.invalidateCache() + ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() + } + + let tempDir = FileManager.default.temporaryDirectory + .appendingPathComponent(UUID().uuidString, isDirectory: true) + try FileManager.default.createDirectory(at: tempDir, withIntermediateDirectories: true) + let fileURL = tempDir.appendingPathComponent("credentials.json") + try ClaudeOAuthCredentialsStore.withCredentialsURLOverrideForTesting(fileURL) { + let securityData = self.makeCredentialsData( + accessToken: "security-sync", + expiresAt: Date(timeIntervalSinceNow: 3600)) + final class ReadCounter: @unchecked Sendable { + var count = 0 + } + let securityReadCalls = ReadCounter() + + func loadWithPreflight( + _ outcome: KeychainAccessPreflight.Outcome) throws -> ClaudeOAuthCredentials + { + let preflightOverride: (String, String?) -> KeychainAccessPreflight.Outcome = { _, _ in + outcome + } + return try KeychainAccessPreflight.withCheckGenericPasswordOverrideForTesting( + preflightOverride, + operation: { + try ClaudeOAuthKeychainReadStrategyPreference.withTaskOverrideForTesting( + .securityCLIExperimental) + { + try ClaudeOAuthKeychainPromptPreference.withTaskOverrideForTesting(.always) { + try ProviderInteractionContext.$current.withValue(.background) { + try ClaudeOAuthCredentialsStore.withSecurityCLIReadOverrideForTesting( + .dynamic { _ in + securityReadCalls.count += 1 + return securityData + }) { + try ClaudeOAuthCredentialsStore.load( + environment: [:], + allowKeychainPrompt: false, + respectKeychainPromptCooldown: true) + } + } + } + } + }) + } + + let first = try loadWithPreflight(.allowed) + #expect(first.accessToken == "security-sync") + #expect(securityReadCalls.count == 1) + + let second = try loadWithPreflight(.interactionRequired) + #expect(second.accessToken == "security-sync") + #expect(securityReadCalls.count == 1) + } + } + } + } + } } diff --git a/Tests/CodexBarTests/ClaudeOAuthDelegatedRefreshCoordinatorTests.swift b/Tests/CodexBarTests/ClaudeOAuthDelegatedRefreshCoordinatorTests.swift index d9df629cc..e58eb228e 100644 --- a/Tests/CodexBarTests/ClaudeOAuthDelegatedRefreshCoordinatorTests.swift +++ b/Tests/CodexBarTests/ClaudeOAuthDelegatedRefreshCoordinatorTests.swift @@ -344,7 +344,7 @@ struct ClaudeOAuthDelegatedRefreshCoordinatorTests { ClaudeOAuthDelegatedRefreshCoordinator.setTouchAuthPathOverrideForTesting { _ in dataBox.store(afterData) } - ClaudeOAuthCredentialsStore.setSecurityCLIReadOverrideForTesting(.dynamic { dataBox.load() }) + ClaudeOAuthCredentialsStore.setSecurityCLIReadOverrideForTesting(.dynamic { _ in dataBox.load() }) defer { ClaudeOAuthCredentialsStore.setSecurityCLIReadOverrideForTesting(nil) } let outcome = await ClaudeOAuthDelegatedRefreshCoordinator.attempt( From e0bc042f9710cfc021bb895fb2e315fb60258dd6 Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Mon, 16 Feb 2026 21:50:24 +0530 Subject: [PATCH 081/131] Honor global keychain disable in experimental Claude reader --- .../ClaudeOAuth/ClaudeOAuthCredentials.swift | 5 +- ...AuthCredentialsStoreSecurityCLITests.swift | 63 +++++++++++++++++++ 2 files changed, 67 insertions(+), 1 deletion(-) diff --git a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials.swift b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials.swift index a55f19f26..9cedc0a30 100644 --- a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials.swift +++ b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials.swift @@ -291,6 +291,9 @@ public enum ClaudeOAuthCredentialsStore { source: .cacheKeychain) } + let promptMode = ClaudeOAuthKeychainPromptPreference.current() + guard self.shouldAllowClaudeCodeKeychainAccess(mode: promptMode) else { return nil } + if self.shouldPreferSecurityCLIKeychainRead(), let keychainData = self.loadFromClaudeKeychainViaSecurityCLIIfEnabled(allowKeychainPrompt: true) { @@ -311,7 +314,7 @@ public enum ClaudeOAuthCredentialsStore { } let shouldPreferSecurityCLIKeychainRead = self.shouldPreferSecurityCLIKeychainRead() - var fallbackPromptMode = ClaudeOAuthKeychainPromptPreference.current() + var fallbackPromptMode = promptMode if shouldPreferSecurityCLIKeychainRead { fallbackPromptMode = ClaudeOAuthKeychainPromptPreference.securityFrameworkFallbackMode() let fallbackDecision = self.securityFrameworkFallbackPromptDecision( diff --git a/Tests/CodexBarTests/ClaudeOAuthCredentialsStoreSecurityCLITests.swift b/Tests/CodexBarTests/ClaudeOAuthCredentialsStoreSecurityCLITests.swift index 531077e0d..d32641d41 100644 --- a/Tests/CodexBarTests/ClaudeOAuthCredentialsStoreSecurityCLITests.swift +++ b/Tests/CodexBarTests/ClaudeOAuthCredentialsStoreSecurityCLITests.swift @@ -437,4 +437,67 @@ struct ClaudeOAuthCredentialsStoreSecurityCLITests { } } } + + @Test + func experimentalReader_loadWithPrompt_doesNotReadWhenGlobalKeychainDisabled() throws { + let service = "com.steipete.codexbar.cache.tests.\(UUID().uuidString)" + try KeychainCacheStore.withServiceOverrideForTesting(service) { + try KeychainAccessGate.withTaskOverrideForTesting(true) { + KeychainCacheStore.setTestStoreForTesting(true) + defer { KeychainCacheStore.setTestStoreForTesting(false) } + + ClaudeOAuthCredentialsStore.invalidateCache() + ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() + defer { + ClaudeOAuthCredentialsStore.invalidateCache() + ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() + } + + let tempDir = FileManager.default.temporaryDirectory + .appendingPathComponent(UUID().uuidString, isDirectory: true) + try FileManager.default.createDirectory(at: tempDir, withIntermediateDirectories: true) + let fileURL = tempDir.appendingPathComponent("credentials.json") + try ClaudeOAuthCredentialsStore.withCredentialsURLOverrideForTesting(fileURL) { + let securityData = self.makeCredentialsData( + accessToken: "security-should-not-read", + expiresAt: Date(timeIntervalSinceNow: 3600)) + var threwNotFound = false + final class ReadCounter: @unchecked Sendable { + var count = 0 + } + let securityReadCalls = ReadCounter() + + do { + _ = try ClaudeOAuthKeychainReadStrategyPreference.withTaskOverrideForTesting( + .securityCLIExperimental, + operation: { + try ClaudeOAuthKeychainPromptPreference.withTaskOverrideForTesting(.always) { + try ProviderInteractionContext.$current.withValue(.userInitiated) { + try ClaudeOAuthCredentialsStore.withSecurityCLIReadOverrideForTesting( + .dynamic { _ in + securityReadCalls.count += 1 + return securityData + }) { + try ClaudeOAuthCredentialsStore.load( + environment: [:], + allowKeychainPrompt: true, + respectKeychainPromptCooldown: false) + } + } + } + }) + } catch let error as ClaudeOAuthCredentialsError { + if case .notFound = error { + threwNotFound = true + } else { + throw error + } + } + + #expect(threwNotFound == true) + #expect(securityReadCalls.count.isZero) + } + } + } + } } From bbe090174df7f2c7723a2707f713f07b0d508e76 Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Mon, 16 Feb 2026 22:10:51 +0530 Subject: [PATCH 082/131] Skip Security.framework probe after security CLI sync --- .../ClaudeOAuth/ClaudeOAuthCredentials.swift | 4 +- ...AuthCredentialsStoreSecurityCLITests.swift | 54 ++++++++++++++++++- 2 files changed, 55 insertions(+), 3 deletions(-) diff --git a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials.swift b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials.swift index 9cedc0a30..df118e318 100644 --- a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials.swift +++ b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials.swift @@ -1517,14 +1517,14 @@ extension ClaudeOAuthCredentialsStore { !data.isEmpty { if let creds = try? ClaudeOAuthCredentials.parse(data: data), !creds.isExpired { - self.saveClaudeKeychainFingerprint(self.currentClaudeKeychainFingerprintWithoutPrompt()) + // Keep delegated refresh recovery on the security CLI path only in experimental mode. + // Avoid Security.framework fingerprint probes here because "no UI" queries can still prompt. self.writeMemoryCache( record: ClaudeOAuthCredentialRecord(credentials: creds, owner: .claudeCLI, source: .memoryCache), timestamp: now) self.saveToCacheKeychain(data, owner: .claudeCLI) return true } - self.saveClaudeKeychainFingerprint(self.currentClaudeKeychainFingerprintWithoutPrompt()) } // Skip the silent data read if preflight indicates interaction is likely. diff --git a/Tests/CodexBarTests/ClaudeOAuthCredentialsStoreSecurityCLITests.swift b/Tests/CodexBarTests/ClaudeOAuthCredentialsStoreSecurityCLITests.swift index d32641d41..566370b22 100644 --- a/Tests/CodexBarTests/ClaudeOAuthCredentialsStoreSecurityCLITests.swift +++ b/Tests/CodexBarTests/ClaudeOAuthCredentialsStoreSecurityCLITests.swift @@ -438,6 +438,58 @@ struct ClaudeOAuthCredentialsStoreSecurityCLITests { } } + @Test + func experimentalReader_syncFromClaudeKeychainWithoutPrompt_skipsFingerprintProbeAfterSecurityCLIRead() { + let service = "com.steipete.codexbar.cache.tests.\(UUID().uuidString)" + KeychainCacheStore.withServiceOverrideForTesting(service) { + KeychainAccessGate.withTaskOverrideForTesting(false) { + KeychainCacheStore.setTestStoreForTesting(true) + defer { KeychainCacheStore.setTestStoreForTesting(false) } + + ClaudeOAuthCredentialsStore.withIsolatedMemoryCacheForTesting { + ClaudeOAuthCredentialsStore.invalidateCache() + defer { ClaudeOAuthCredentialsStore.invalidateCache() } + + let securityData = self.makeCredentialsData( + accessToken: "security-sync-no-fingerprint-probe", + expiresAt: Date(timeIntervalSinceNow: 3600)) + let fingerprintStore = ClaudeOAuthCredentialsStore.ClaudeKeychainFingerprintStore() + let sentinelFingerprint = ClaudeOAuthCredentialsStore.ClaudeKeychainFingerprint( + modifiedAt: 123, + createdAt: 122, + persistentRefHash: "sentinel") + + let synced = ClaudeOAuthKeychainReadStrategyPreference.withTaskOverrideForTesting( + .securityCLIExperimental, + operation: { + ClaudeOAuthKeychainPromptPreference.withTaskOverrideForTesting(.always) { + ProviderInteractionContext.$current.withValue(.background) { + ClaudeOAuthCredentialsStore.withClaudeKeychainFingerprintStoreOverrideForTesting( + fingerprintStore) + { + ClaudeOAuthCredentialsStore.withClaudeKeychainOverridesForTesting( + data: nil, + fingerprint: sentinelFingerprint) + { + ClaudeOAuthCredentialsStore.withSecurityCLIReadOverrideForTesting( + .data(securityData)) + { + ClaudeOAuthCredentialsStore.syncFromClaudeKeychainWithoutPrompt( + now: Date()) + } + } + } + } + } + }) + + #expect(synced == true) + #expect(fingerprintStore.fingerprint == nil) + } + } + } + } + @Test func experimentalReader_loadWithPrompt_doesNotReadWhenGlobalKeychainDisabled() throws { let service = "com.steipete.codexbar.cache.tests.\(UUID().uuidString)" @@ -495,7 +547,7 @@ struct ClaudeOAuthCredentialsStoreSecurityCLITests { } #expect(threwNotFound == true) - #expect(securityReadCalls.count.isZero) + #expect(securityReadCalls.count < 1) } } } From d3296faa6a312f0f2bbd6b74c578a8a8db16e6d3 Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Mon, 16 Feb 2026 22:12:36 +0530 Subject: [PATCH 083/131] Remove unreachable retry runner fallback --- .../Providers/ProviderCandidateRetryRunner.swift | 6 ------ 1 file changed, 6 deletions(-) diff --git a/Sources/CodexBarCore/Providers/ProviderCandidateRetryRunner.swift b/Sources/CodexBarCore/Providers/ProviderCandidateRetryRunner.swift index d049cebd6..5b2048236 100644 --- a/Sources/CodexBarCore/Providers/ProviderCandidateRetryRunner.swift +++ b/Sources/CodexBarCore/Providers/ProviderCandidateRetryRunner.swift @@ -15,12 +15,10 @@ enum ProviderCandidateRetryRunner { throw ProviderCandidateRetryRunnerError.noCandidates } - var lastError: Error? for (index, candidate) in candidates.enumerated() { do { return try await attempt(candidate) } catch { - lastError = error let hasMoreCandidates = index + 1 < candidates.count guard hasMoreCandidates, shouldRetry(error) else { throw error @@ -28,10 +26,6 @@ enum ProviderCandidateRetryRunner { onRetry(candidate, error) } } - - if let lastError { - throw lastError - } throw ProviderCandidateRetryRunnerError.noCandidates } } From 565ddca85a66f5c4a211c2948114ee3067b4ada4 Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Mon, 16 Feb 2026 22:27:22 +0530 Subject: [PATCH 084/131] Add Ollama retry mapping coverage test --- .../Providers/Ollama/OllamaUsageFetcher.swift | 14 +++- .../OllamaUsageFetcherRetryMappingTests.swift | 82 +++++++++++++++++++ 2 files changed, 95 insertions(+), 1 deletion(-) create mode 100644 Tests/CodexBarTests/OllamaUsageFetcherRetryMappingTests.swift diff --git a/Sources/CodexBarCore/Providers/Ollama/OllamaUsageFetcher.swift b/Sources/CodexBarCore/Providers/Ollama/OllamaUsageFetcher.swift index a3fc67009..9e5c4b068 100644 --- a/Sources/CodexBarCore/Providers/Ollama/OllamaUsageFetcher.swift +++ b/Sources/CodexBarCore/Providers/Ollama/OllamaUsageFetcher.swift @@ -238,9 +238,21 @@ public struct OllamaUsageFetcher: Sendable { } public let browserDetection: BrowserDetection + private let makeURLSession: @Sendable (URLSessionTaskDelegate?) -> URLSession public init(browserDetection: BrowserDetection) { self.browserDetection = browserDetection + self.makeURLSession = { delegate in + URLSession(configuration: .ephemeral, delegate: delegate, delegateQueue: nil) + } + } + + init( + browserDetection: BrowserDetection, + makeURLSession: @escaping @Sendable (URLSessionTaskDelegate?) -> URLSession) + { + self.browserDetection = browserDetection + self.makeURLSession = makeURLSession } public func fetch( @@ -495,7 +507,7 @@ public struct OllamaUsageFetcher: Sendable { request.setValue("https://ollama.com", forHTTPHeaderField: "origin") request.setValue(Self.settingsURL.absoluteString, forHTTPHeaderField: "referer") - let session = URLSession(configuration: .ephemeral, delegate: diagnostics, delegateQueue: nil) + let session = self.makeURLSession(diagnostics) let (data, response) = try await session.data(for: request) guard let httpResponse = response as? HTTPURLResponse else { throw OllamaUsageError.networkError("Invalid response") diff --git a/Tests/CodexBarTests/OllamaUsageFetcherRetryMappingTests.swift b/Tests/CodexBarTests/OllamaUsageFetcherRetryMappingTests.swift new file mode 100644 index 000000000..ceff20813 --- /dev/null +++ b/Tests/CodexBarTests/OllamaUsageFetcherRetryMappingTests.swift @@ -0,0 +1,82 @@ +import Foundation +import Testing +@testable import CodexBarCore + +@Suite(.serialized) +struct OllamaUsageFetcherRetryMappingTests { + @Test + func missingUsageShapeSurfacesPublicParseFailedMessage() async { + defer { OllamaRetryMappingStubURLProtocol.handler = nil } + + OllamaRetryMappingStubURLProtocol.handler = { request in + guard let url = request.url else { throw URLError(.badURL) } + let body = "No usage data rendered." + return Self.makeResponse(url: url, body: body, statusCode: 200) + } + + let fetcher = OllamaUsageFetcher( + browserDetection: BrowserDetection(cacheTTL: 0), + makeURLSession: { delegate in + let config = URLSessionConfiguration.ephemeral + config.protocolClasses = [OllamaRetryMappingStubURLProtocol.self] + return URLSession(configuration: config, delegate: delegate, delegateQueue: nil) + }) + do { + _ = try await fetcher.fetch( + cookieHeaderOverride: "session=test-cookie", + manualCookieMode: true) + Issue.record("Expected OllamaUsageError.parseFailed") + } catch let error as OllamaUsageError { + guard case let .parseFailed(message) = error else { + Issue.record("Expected parseFailed, got \(error)") + return + } + #expect(message == "Missing Ollama usage data.") + } catch { + Issue.record("Expected OllamaUsageError.parseFailed, got \(error)") + } + } + + private static func makeResponse( + url: URL, + body: String, + statusCode: Int) -> (HTTPURLResponse, Data) + { + let response = HTTPURLResponse( + url: url, + statusCode: statusCode, + httpVersion: "HTTP/1.1", + headerFields: ["Content-Type": "text/html"])! + return (response, Data(body.utf8)) + } +} + +final class OllamaRetryMappingStubURLProtocol: URLProtocol { + nonisolated(unsafe) static var handler: ((URLRequest) throws -> (HTTPURLResponse, Data))? + + override static func canInit(with request: URLRequest) -> Bool { + guard let host = request.url?.host?.lowercased() else { return false } + return host == "ollama.com" || host == "www.ollama.com" + } + + override static func canonicalRequest(for request: URLRequest) -> URLRequest { + request + } + + override func startLoading() { + guard let handler = Self.handler else { + self.client?.urlProtocol(self, didFailWithError: URLError(.badServerResponse)) + return + } + do { + let (response, data) = try handler(self.request) + self.client?.urlProtocol(self, didReceive: response, cacheStoragePolicy: .notAllowed) + self.client?.urlProtocol(self, didLoad: data) + self.client?.urlProtocolDidFinishLoading(self) + } catch { + self.client?.urlProtocol(self, didFailWithError: error) + } + } + + override func stopLoading() {} +} From 59f071088305862b70fec7870f0b35b623acbe18 Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Mon, 16 Feb 2026 22:33:12 +0530 Subject: [PATCH 085/131] Guard delegated observation and skip CLI fingerprint probes --- .../ClaudeOAuth/ClaudeOAuthCredentials.swift | 2 - ...audeOAuthDelegatedRefreshCoordinator.swift | 3 +- ...AuthCredentialsStoreSecurityCLITests.swift | 85 ++++++++++++++++++- ...AuthDelegatedRefreshCoordinatorTests.swift | 53 ++++++++++++ 4 files changed, 137 insertions(+), 6 deletions(-) diff --git a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials.swift b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials.swift index df118e318..2b247f5a5 100644 --- a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials.swift +++ b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials.swift @@ -309,7 +309,6 @@ public enum ClaudeOAuthCredentialsStore { source: .memoryCache), timestamp: Date()) self.saveToCacheKeychain(keychainData, owner: .claudeCLI) - self.saveClaudeKeychainFingerprint(self.currentClaudeKeychainFingerprintWithoutPrompt()) return record } @@ -971,7 +970,6 @@ public enum ClaudeOAuthCredentialsStore { if let override = taskClaudeKeychainDataOverride ?? self.claudeKeychainDataOverride { return override } #endif if let data = self.loadFromClaudeKeychainViaSecurityCLIIfEnabled(allowKeychainPrompt: true) { - self.saveClaudeKeychainFingerprint(self.currentClaudeKeychainFingerprintWithoutPrompt()) return data } if self.shouldPreferSecurityCLIKeychainRead() { diff --git a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthDelegatedRefreshCoordinator.swift b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthDelegatedRefreshCoordinator.swift index 04d220d96..f2b2b499e 100644 --- a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthDelegatedRefreshCoordinator.swift +++ b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthDelegatedRefreshCoordinator.swift @@ -235,7 +235,8 @@ public enum ClaudeOAuthDelegatedRefreshCoordinator { } private static func currentClaudeKeychainDataViaSecurityCLIForObservation() -> Data? { - ClaudeOAuthCredentialsStore.loadFromClaudeKeychainViaSecurityCLIIfEnabled(allowKeychainPrompt: false) + guard !KeychainAccessGate.isDisabled else { return nil } + return ClaudeOAuthCredentialsStore.loadFromClaudeKeychainViaSecurityCLIIfEnabled(allowKeychainPrompt: false) } private static func clearInFlightTaskIfStillCurrent(id: UInt64) { diff --git a/Tests/CodexBarTests/ClaudeOAuthCredentialsStoreSecurityCLITests.swift b/Tests/CodexBarTests/ClaudeOAuthCredentialsStoreSecurityCLITests.swift index 566370b22..9bf62e133 100644 --- a/Tests/CodexBarTests/ClaudeOAuthCredentialsStoreSecurityCLITests.swift +++ b/Tests/CodexBarTests/ClaudeOAuthCredentialsStoreSecurityCLITests.swift @@ -195,6 +195,11 @@ struct ClaudeOAuthCredentialsStoreSecurityCLITests { accessToken: "security-direct", expiresAt: Date(timeIntervalSinceNow: 3600), refreshToken: "security-refresh") + let fingerprintStore = ClaudeOAuthCredentialsStore.ClaudeKeychainFingerprintStore() + let sentinelFingerprint = ClaudeOAuthCredentialsStore.ClaudeKeychainFingerprint( + modifiedAt: 200, + createdAt: 199, + persistentRefHash: "sentinel") let loaded = try ClaudeOAuthKeychainReadStrategyPreference.withTaskOverrideForTesting( .securityCLIExperimental, @@ -203,10 +208,19 @@ struct ClaudeOAuthCredentialsStoreSecurityCLITests { .always, operation: { try ProviderInteractionContext.$current.withValue(.userInitiated) { - try ClaudeOAuthCredentialsStore.withSecurityCLIReadOverrideForTesting( - .data(securityData)) + try ClaudeOAuthCredentialsStore.withClaudeKeychainFingerprintStoreOverrideForTesting( + fingerprintStore) { - try ClaudeOAuthCredentialsStore.loadFromClaudeKeychain() + try ClaudeOAuthCredentialsStore.withClaudeKeychainOverridesForTesting( + data: nil, + fingerprint: sentinelFingerprint) + { + try ClaudeOAuthCredentialsStore.withSecurityCLIReadOverrideForTesting( + .data(securityData)) + { + try ClaudeOAuthCredentialsStore.loadFromClaudeKeychain() + } + } } } }) @@ -215,6 +229,7 @@ struct ClaudeOAuthCredentialsStoreSecurityCLITests { let creds = try ClaudeOAuthCredentials.parse(data: loaded) #expect(creds.accessToken == "security-direct") #expect(creds.refreshToken == "security-refresh") + #expect(fingerprintStore.fingerprint == nil) } @Test @@ -490,6 +505,70 @@ struct ClaudeOAuthCredentialsStoreSecurityCLITests { } } + @Test + func experimentalReader_loadWithPrompt_skipsFingerprintProbeAfterSecurityCLISuccess() throws { + let service = "com.steipete.codexbar.cache.tests.\(UUID().uuidString)" + try KeychainCacheStore.withServiceOverrideForTesting(service) { + try KeychainAccessGate.withTaskOverrideForTesting(false) { + KeychainCacheStore.setTestStoreForTesting(true) + defer { KeychainCacheStore.setTestStoreForTesting(false) } + + ClaudeOAuthCredentialsStore.invalidateCache() + ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() + defer { + ClaudeOAuthCredentialsStore.invalidateCache() + ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() + } + + let tempDir = FileManager.default.temporaryDirectory + .appendingPathComponent(UUID().uuidString, isDirectory: true) + try FileManager.default.createDirectory(at: tempDir, withIntermediateDirectories: true) + let fileURL = tempDir.appendingPathComponent("credentials.json") + try ClaudeOAuthCredentialsStore.withCredentialsURLOverrideForTesting(fileURL) { + let securityData = self.makeCredentialsData( + accessToken: "security-load-with-prompt", + expiresAt: Date(timeIntervalSinceNow: 3600)) + let fingerprintStore = ClaudeOAuthCredentialsStore.ClaudeKeychainFingerprintStore() + let sentinelFingerprint = ClaudeOAuthCredentialsStore.ClaudeKeychainFingerprint( + modifiedAt: 321, + createdAt: 320, + persistentRefHash: "sentinel") + + let creds = try ClaudeOAuthKeychainReadStrategyPreference.withTaskOverrideForTesting( + .securityCLIExperimental, + operation: { + try ClaudeOAuthKeychainPromptPreference.withTaskOverrideForTesting(.always) { + try ProviderInteractionContext.$current.withValue(.userInitiated) { + try ClaudeOAuthCredentialsStore + .withClaudeKeychainFingerprintStoreOverrideForTesting( + fingerprintStore) + { + try ClaudeOAuthCredentialsStore.withClaudeKeychainOverridesForTesting( + data: nil, + fingerprint: sentinelFingerprint) + { + try ClaudeOAuthCredentialsStore + .withSecurityCLIReadOverrideForTesting( + .data(securityData)) + { + try ClaudeOAuthCredentialsStore.load( + environment: [:], + allowKeychainPrompt: true, + respectKeychainPromptCooldown: false) + } + } + } + } + } + }) + + #expect(creds.accessToken == "security-load-with-prompt") + #expect(fingerprintStore.fingerprint == nil) + } + } + } + } + @Test func experimentalReader_loadWithPrompt_doesNotReadWhenGlobalKeychainDisabled() throws { let service = "com.steipete.codexbar.cache.tests.\(UUID().uuidString)" diff --git a/Tests/CodexBarTests/ClaudeOAuthDelegatedRefreshCoordinatorTests.swift b/Tests/CodexBarTests/ClaudeOAuthDelegatedRefreshCoordinatorTests.swift index e58eb228e..c3d864450 100644 --- a/Tests/CodexBarTests/ClaudeOAuthDelegatedRefreshCoordinatorTests.swift +++ b/Tests/CodexBarTests/ClaudeOAuthDelegatedRefreshCoordinatorTests.swift @@ -354,4 +354,57 @@ struct ClaudeOAuthDelegatedRefreshCoordinatorTests { #expect(outcome == .attemptedSucceeded) #expect(fingerprintCounter.count < 1) } + + @Test + func experimentalStrategy_observationSkipsSecurityCLIWhenGlobalKeychainDisabled() async { + ClaudeOAuthDelegatedRefreshCoordinator.resetForTesting() + defer { ClaudeOAuthDelegatedRefreshCoordinator.resetForTesting() } + let strategyKey = "claudeOAuthKeychainReadStrategy" + let previousStrategy = UserDefaults.standard.string(forKey: strategyKey) + UserDefaults.standard.set( + ClaudeOAuthKeychainReadStrategy.securityCLIExperimental.rawValue, + forKey: strategyKey) + defer { + if let previousStrategy { + UserDefaults.standard.set(previousStrategy, forKey: strategyKey) + } else { + UserDefaults.standard.removeObject(forKey: strategyKey) + } + } + + final class CounterBox: @unchecked Sendable { + private let lock = NSLock() + private(set) var count: Int = 0 + func increment() { + self.lock.lock() + self.count += 1 + self.lock.unlock() + } + } + + let securityReadCounter = CounterBox() + let securityData = self.makeCredentialsData( + accessToken: "security-should-not-be-read", + expiresAt: Date(timeIntervalSinceNow: 3600)) + ClaudeOAuthDelegatedRefreshCoordinator.setCLIAvailableOverrideForTesting(true) + ClaudeOAuthDelegatedRefreshCoordinator.setTouchAuthPathOverrideForTesting { _ in } + ClaudeOAuthCredentialsStore.setSecurityCLIReadOverrideForTesting(.dynamic { _ in + securityReadCounter.increment() + return securityData + }) + defer { ClaudeOAuthCredentialsStore.setSecurityCLIReadOverrideForTesting(nil) } + let previousKeychainDisabled = KeychainAccessGate.isDisabled + KeychainAccessGate.isDisabled = true + defer { KeychainAccessGate.isDisabled = previousKeychainDisabled } + + let outcome = await ClaudeOAuthDelegatedRefreshCoordinator.attempt( + now: Date(timeIntervalSince1970: 62000), + timeout: 0.1) + + guard case .attemptedFailed = outcome else { + Issue.record("Expected .attemptedFailed outcome") + return + } + #expect(securityReadCounter.count < 1) + } } From 879294e9c2206308f1a4c26cf28e0a430cc7ce2d Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Mon, 16 Feb 2026 23:18:29 +0530 Subject: [PATCH 086/131] Respect stored prompt mode for freshness sync and isolate coordinator tests --- ...deOAuthCredentials+SecurityCLIReader.swift | 15 +- .../ClaudeOAuth/ClaudeOAuthCredentials.swift | 4 +- ...audeOAuthDelegatedRefreshCoordinator.swift | 52 +++- ...AuthCredentialsStoreSecurityCLITests.swift | 72 +++++ ...AuthDelegatedRefreshCoordinatorTests.swift | 269 ++++++++---------- 5 files changed, 248 insertions(+), 164 deletions(-) diff --git a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials+SecurityCLIReader.swift b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials+SecurityCLIReader.swift index e26990118..2ebfd8acf 100644 --- a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials+SecurityCLIReader.swift +++ b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials+SecurityCLIReader.swift @@ -15,8 +15,11 @@ extension ClaudeOAuthCredentialsStore { let account: String? } - static func shouldPreferSecurityCLIKeychainRead() -> Bool { - ClaudeOAuthKeychainReadStrategyPreference.current() == .securityCLIExperimental + static func shouldPreferSecurityCLIKeychainRead( + readStrategy: ClaudeOAuthKeychainReadStrategy = ClaudeOAuthKeychainReadStrategyPreference.current()) + -> Bool + { + readStrategy == .securityCLIExperimental } #if os(macOS) @@ -34,8 +37,12 @@ extension ClaudeOAuthCredentialsStore { let durationMs: Double } - static func loadFromClaudeKeychainViaSecurityCLIIfEnabled(allowKeychainPrompt: Bool) -> Data? { - guard self.shouldPreferSecurityCLIKeychainRead() else { return nil } + static func loadFromClaudeKeychainViaSecurityCLIIfEnabled( + allowKeychainPrompt: Bool, + readStrategy: ClaudeOAuthKeychainReadStrategy = ClaudeOAuthKeychainReadStrategyPreference.current()) + -> Data? + { + guard self.shouldPreferSecurityCLIKeychainRead(readStrategy: readStrategy) else { return nil } do { let preferredAccount = self.preferredClaudeKeychainAccountForSecurityCLIRead() diff --git a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials.swift b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials.swift index 2b247f5a5..0fe96bf0a 100644 --- a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials.swift +++ b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials.swift @@ -737,7 +737,9 @@ public enum ClaudeOAuthCredentialsStore { guard cached.owner == .claudeCLI else { return false } guard self.keychainAccessAllowed else { return false } - let mode = ClaudeOAuthKeychainPromptPreference.current() + // Freshness sync is opportunistic and may perform Security.framework fingerprint checks. + // Keep this gated by the user's stored prompt policy even in experimental reader mode. + let mode = ClaudeOAuthKeychainPromptPreference.storedMode() switch mode { case .never: return false diff --git a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthDelegatedRefreshCoordinator.swift b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthDelegatedRefreshCoordinator.swift index f2b2b499e..72a64def3 100644 --- a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthDelegatedRefreshCoordinator.swift +++ b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthDelegatedRefreshCoordinator.swift @@ -53,13 +53,26 @@ public enum ClaudeOAuthDelegatedRefreshCoordinator { self.nextAttemptID += 1 let attemptID = self.nextAttemptID // Detached to avoid inheriting the caller's executor context (e.g. MainActor) and cancellation state. - let task = Task.detached(priority: .utility) { await self.performAttempt(now: now, timeout: timeout) } + let readStrategy = ClaudeOAuthKeychainReadStrategyPreference.current() + let keychainAccessDisabled = KeychainAccessGate.isDisabled + let task = Task.detached(priority: .utility) { + await self.performAttempt( + now: now, + timeout: timeout, + readStrategy: readStrategy, + keychainAccessDisabled: keychainAccessDisabled) + } self.inFlightAttemptID = attemptID self.inFlightTask = task return .start(attemptID, task) } - private static func performAttempt(now: Date, timeout: TimeInterval) async -> Outcome { + private static func performAttempt( + now: Date, + timeout: TimeInterval, + readStrategy: ClaudeOAuthKeychainReadStrategy, + keychainAccessDisabled: Bool) async -> Outcome + { guard self.isClaudeCLIAvailable() else { self.log.info("Claude OAuth delegated refresh skipped: claude CLI unavailable") return .cliUnavailable @@ -72,7 +85,9 @@ public enum ClaudeOAuthDelegatedRefreshCoordinator { return .skippedByCooldown } - let baseline = self.currentKeychainChangeObservationBaseline() + let baseline = self.currentKeychainChangeObservationBaseline( + readStrategy: readStrategy, + keychainAccessDisabled: keychainAccessDisabled) var touchError: Error? do { @@ -85,6 +100,8 @@ public enum ClaudeOAuthDelegatedRefreshCoordinator { // Otherwise we end up in a long cooldown with still-expired credentials. let changed = await self.waitForClaudeKeychainChange( from: baseline, + readStrategy: readStrategy, + keychainAccessDisabled: keychainAccessDisabled, timeout: min(max(timeout, 1), 2)) if changed { self.recordAttempt(now: now, cooldown: self.defaultCooldownInterval) @@ -150,15 +167,22 @@ public enum ClaudeOAuthDelegatedRefreshCoordinator { case securityCLI(data: Data?) } - private static func currentKeychainChangeObservationBaseline() -> KeychainChangeObservationBaseline { - if ClaudeOAuthKeychainReadStrategyPreference.current() == .securityCLIExperimental { - return .securityCLI(data: self.currentClaudeKeychainDataViaSecurityCLIForObservation()) + private static func currentKeychainChangeObservationBaseline( + readStrategy: ClaudeOAuthKeychainReadStrategy, + keychainAccessDisabled: Bool) -> KeychainChangeObservationBaseline + { + if readStrategy == .securityCLIExperimental { + return .securityCLI(data: self.currentClaudeKeychainDataViaSecurityCLIForObservation( + readStrategy: readStrategy, + keychainAccessDisabled: keychainAccessDisabled)) } return .securityFramework(fingerprint: self.currentClaudeKeychainFingerprint()) } private static func waitForClaudeKeychainChange( from baseline: KeychainChangeObservationBaseline, + readStrategy: ClaudeOAuthKeychainReadStrategy, + keychainAccessDisabled: Bool, timeout: TimeInterval) async -> Bool { // Prefer correctness but bound the delay. Keychain writes can be slightly delayed after the CLI touch. @@ -179,7 +203,10 @@ public enum ClaudeOAuthDelegatedRefreshCoordinator { case let .securityCLI(dataBefore): // In experimental mode, avoid Security.framework observation entirely and detect change from // /usr/bin/security output only. - guard let current = self.currentClaudeKeychainDataViaSecurityCLIForObservation() else { return false } + guard let current = self.currentClaudeKeychainDataViaSecurityCLIForObservation( + readStrategy: readStrategy, + keychainAccessDisabled: keychainAccessDisabled) + else { return false } guard let dataBefore else { return true } return current != dataBefore } @@ -234,9 +261,14 @@ public enum ClaudeOAuthDelegatedRefreshCoordinator { } } - private static func currentClaudeKeychainDataViaSecurityCLIForObservation() -> Data? { - guard !KeychainAccessGate.isDisabled else { return nil } - return ClaudeOAuthCredentialsStore.loadFromClaudeKeychainViaSecurityCLIIfEnabled(allowKeychainPrompt: false) + private static func currentClaudeKeychainDataViaSecurityCLIForObservation( + readStrategy: ClaudeOAuthKeychainReadStrategy, + keychainAccessDisabled: Bool) -> Data? + { + guard !keychainAccessDisabled else { return nil } + return ClaudeOAuthCredentialsStore.loadFromClaudeKeychainViaSecurityCLIIfEnabled( + allowKeychainPrompt: false, + readStrategy: readStrategy) } private static func clearInFlightTaskIfStillCurrent(id: UInt64) { diff --git a/Tests/CodexBarTests/ClaudeOAuthCredentialsStoreSecurityCLITests.swift b/Tests/CodexBarTests/ClaudeOAuthCredentialsStoreSecurityCLITests.swift index 9bf62e133..201d2276f 100644 --- a/Tests/CodexBarTests/ClaudeOAuthCredentialsStoreSecurityCLITests.swift +++ b/Tests/CodexBarTests/ClaudeOAuthCredentialsStoreSecurityCLITests.swift @@ -453,6 +453,78 @@ struct ClaudeOAuthCredentialsStoreSecurityCLITests { } } + @Test + func experimentalReader_freshnessSync_background_respectsStoredOnlyOnUserAction() throws { + let service = "com.steipete.codexbar.cache.tests.\(UUID().uuidString)" + try KeychainCacheStore.withServiceOverrideForTesting(service) { + try KeychainAccessGate.withTaskOverrideForTesting(false) { + KeychainCacheStore.setTestStoreForTesting(true) + defer { KeychainCacheStore.setTestStoreForTesting(false) } + + try ClaudeOAuthCredentialsStore.withIsolatedMemoryCacheForTesting { + ClaudeOAuthCredentialsStore.invalidateCache() + ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() + defer { + ClaudeOAuthCredentialsStore.invalidateCache() + ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() + } + + let tempDir = FileManager.default.temporaryDirectory + .appendingPathComponent(UUID().uuidString, isDirectory: true) + try FileManager.default.createDirectory(at: tempDir, withIntermediateDirectories: true) + let fileURL = tempDir.appendingPathComponent("credentials.json") + try ClaudeOAuthCredentialsStore.withCredentialsURLOverrideForTesting(fileURL) { + let securityData = self.makeCredentialsData( + accessToken: "security-sync-only-on-user-action", + expiresAt: Date(timeIntervalSinceNow: 3600)) + final class ReadCounter: @unchecked Sendable { + var count = 0 + } + let securityReadCalls = ReadCounter() + let preflightOverride: (String, String?) -> KeychainAccessPreflight.Outcome = { _, _ in + .allowed + } + + func load(_ interaction: ProviderInteraction) throws -> ClaudeOAuthCredentials { + try KeychainAccessPreflight.withCheckGenericPasswordOverrideForTesting( + preflightOverride, + operation: { + try ClaudeOAuthKeychainReadStrategyPreference.withTaskOverrideForTesting( + .securityCLIExperimental) + { + try ClaudeOAuthKeychainPromptPreference.withTaskOverrideForTesting( + .onlyOnUserAction) + { + try ProviderInteractionContext.$current.withValue(interaction) { + try ClaudeOAuthCredentialsStore.withSecurityCLIReadOverrideForTesting( + .dynamic { _ in + securityReadCalls.count += 1 + return securityData + }) { + try ClaudeOAuthCredentialsStore.load( + environment: [:], + allowKeychainPrompt: false, + respectKeychainPromptCooldown: true) + } + } + } + } + }) + } + + let first = try load(.userInitiated) + #expect(first.accessToken == "security-sync-only-on-user-action") + #expect(securityReadCalls.count == 1) + + let second = try load(.background) + #expect(second.accessToken == "security-sync-only-on-user-action") + #expect(securityReadCalls.count == 1) + } + } + } + } + } + @Test func experimentalReader_syncFromClaudeKeychainWithoutPrompt_skipsFingerprintProbeAfterSecurityCLIRead() { let service = "com.steipete.codexbar.cache.tests.\(UUID().uuidString)" diff --git a/Tests/CodexBarTests/ClaudeOAuthDelegatedRefreshCoordinatorTests.swift b/Tests/CodexBarTests/ClaudeOAuthDelegatedRefreshCoordinatorTests.swift index c3d864450..279594fbd 100644 --- a/Tests/CodexBarTests/ClaudeOAuthDelegatedRefreshCoordinatorTests.swift +++ b/Tests/CodexBarTests/ClaudeOAuthDelegatedRefreshCoordinatorTests.swift @@ -229,182 +229,153 @@ struct ClaudeOAuthDelegatedRefreshCoordinatorTests { func experimentalStrategy_doesNotUseSecurityFrameworkFingerprintObservation() async { ClaudeOAuthDelegatedRefreshCoordinator.resetForTesting() defer { ClaudeOAuthDelegatedRefreshCoordinator.resetForTesting() } - let strategyKey = "claudeOAuthKeychainReadStrategy" - let previousStrategy = UserDefaults.standard.string(forKey: strategyKey) - UserDefaults.standard.set( - ClaudeOAuthKeychainReadStrategy.securityCLIExperimental.rawValue, - forKey: strategyKey) - defer { - if let previousStrategy { - UserDefaults.standard.set(previousStrategy, forKey: strategyKey) - } else { - UserDefaults.standard.removeObject(forKey: strategyKey) + await ClaudeOAuthKeychainReadStrategyPreference.withTaskOverrideForTesting( + .securityCLIExperimental) + { + final class CounterBox: @unchecked Sendable { + private let lock = NSLock() + private(set) var count: Int = 0 + func increment() { + self.lock.lock() + self.count += 1 + self.lock.unlock() + } } - } - - final class CounterBox: @unchecked Sendable { - private let lock = NSLock() - private(set) var count: Int = 0 - func increment() { - self.lock.lock() - self.count += 1 - self.lock.unlock() + let fingerprintCounter = CounterBox() + ClaudeOAuthDelegatedRefreshCoordinator.setKeychainFingerprintOverrideForTesting { + fingerprintCounter.increment() + return ClaudeOAuthCredentialsStore.ClaudeKeychainFingerprint( + modifiedAt: 1, + createdAt: 1, + persistentRefHash: "framework-fingerprint") } + ClaudeOAuthDelegatedRefreshCoordinator.setCLIAvailableOverrideForTesting(true) + ClaudeOAuthDelegatedRefreshCoordinator.setTouchAuthPathOverrideForTesting { _ in } + + let securityData = self.makeCredentialsData( + accessToken: "security-token-a", + expiresAt: Date(timeIntervalSinceNow: 3600)) + ClaudeOAuthCredentialsStore.setSecurityCLIReadOverrideForTesting(.data(securityData)) + defer { ClaudeOAuthCredentialsStore.setSecurityCLIReadOverrideForTesting(nil) } + let outcome = await ClaudeOAuthDelegatedRefreshCoordinator.attempt( + now: Date(timeIntervalSince1970: 60000), + timeout: 0.1) + + guard case .attemptedFailed = outcome else { + Issue.record("Expected .attemptedFailed outcome") + return + } + #expect(fingerprintCounter.count < 1) } - let fingerprintCounter = CounterBox() - ClaudeOAuthDelegatedRefreshCoordinator.setKeychainFingerprintOverrideForTesting { - fingerprintCounter.increment() - return ClaudeOAuthCredentialsStore.ClaudeKeychainFingerprint( - modifiedAt: 1, - createdAt: 1, - persistentRefHash: "framework-fingerprint") - } - ClaudeOAuthDelegatedRefreshCoordinator.setCLIAvailableOverrideForTesting(true) - ClaudeOAuthDelegatedRefreshCoordinator.setTouchAuthPathOverrideForTesting { _ in } - - let securityData = self.makeCredentialsData( - accessToken: "security-token-a", - expiresAt: Date(timeIntervalSinceNow: 3600)) - ClaudeOAuthCredentialsStore.setSecurityCLIReadOverrideForTesting(.data(securityData)) - defer { ClaudeOAuthCredentialsStore.setSecurityCLIReadOverrideForTesting(nil) } - let outcome = await ClaudeOAuthDelegatedRefreshCoordinator.attempt( - now: Date(timeIntervalSince1970: 60000), - timeout: 0.1) - - guard case .attemptedFailed = outcome else { - Issue.record("Expected .attemptedFailed outcome") - return - } - #expect(fingerprintCounter.count < 1) } @Test func experimentalStrategy_observesSecurityCLIChangeAfterTouch() async { ClaudeOAuthDelegatedRefreshCoordinator.resetForTesting() defer { ClaudeOAuthDelegatedRefreshCoordinator.resetForTesting() } - let strategyKey = "claudeOAuthKeychainReadStrategy" - let previousStrategy = UserDefaults.standard.string(forKey: strategyKey) - UserDefaults.standard.set( - ClaudeOAuthKeychainReadStrategy.securityCLIExperimental.rawValue, - forKey: strategyKey) - defer { - if let previousStrategy { - UserDefaults.standard.set(previousStrategy, forKey: strategyKey) - } else { - UserDefaults.standard.removeObject(forKey: strategyKey) - } - } + await ClaudeOAuthKeychainReadStrategyPreference.withTaskOverrideForTesting( + .securityCLIExperimental) + { + final class DataBox: @unchecked Sendable { + private let lock = NSLock() + private var _data: Data? + init(data: Data?) { + self._data = data + } - final class DataBox: @unchecked Sendable { - private let lock = NSLock() - private var _data: Data? - init(data: Data?) { - self._data = data - } + func load() -> Data? { + self.lock.lock() + defer { self.lock.unlock() } + return self._data + } - func load() -> Data? { - self.lock.lock() - defer { self.lock.unlock() } - return self._data + func store(_ data: Data?) { + self.lock.lock() + self._data = data + self.lock.unlock() + } } - - func store(_ data: Data?) { - self.lock.lock() - self._data = data - self.lock.unlock() + final class CounterBox: @unchecked Sendable { + private let lock = NSLock() + private(set) var count: Int = 0 + func increment() { + self.lock.lock() + self.count += 1 + self.lock.unlock() + } } - } - final class CounterBox: @unchecked Sendable { - private let lock = NSLock() - private(set) var count: Int = 0 - func increment() { - self.lock.lock() - self.count += 1 - self.lock.unlock() + let fingerprintCounter = CounterBox() + ClaudeOAuthDelegatedRefreshCoordinator.setKeychainFingerprintOverrideForTesting { + fingerprintCounter.increment() + return ClaudeOAuthCredentialsStore.ClaudeKeychainFingerprint( + modifiedAt: 11, + createdAt: 11, + persistentRefHash: "framework-fingerprint") } - } - let fingerprintCounter = CounterBox() - ClaudeOAuthDelegatedRefreshCoordinator.setKeychainFingerprintOverrideForTesting { - fingerprintCounter.increment() - return ClaudeOAuthCredentialsStore.ClaudeKeychainFingerprint( - modifiedAt: 11, - createdAt: 11, - persistentRefHash: "framework-fingerprint") - } - let beforeData = self.makeCredentialsData( - accessToken: "security-token-before", - expiresAt: Date(timeIntervalSinceNow: -60)) - let afterData = self.makeCredentialsData( - accessToken: "security-token-after", - expiresAt: Date(timeIntervalSinceNow: 3600)) - let dataBox = DataBox(data: beforeData) + let beforeData = self.makeCredentialsData( + accessToken: "security-token-before", + expiresAt: Date(timeIntervalSinceNow: -60)) + let afterData = self.makeCredentialsData( + accessToken: "security-token-after", + expiresAt: Date(timeIntervalSinceNow: 3600)) + let dataBox = DataBox(data: beforeData) + + ClaudeOAuthDelegatedRefreshCoordinator.setCLIAvailableOverrideForTesting(true) + ClaudeOAuthDelegatedRefreshCoordinator.setTouchAuthPathOverrideForTesting { _ in + dataBox.store(afterData) + } + ClaudeOAuthCredentialsStore.setSecurityCLIReadOverrideForTesting(.dynamic { _ in dataBox.load() }) + defer { ClaudeOAuthCredentialsStore.setSecurityCLIReadOverrideForTesting(nil) } - ClaudeOAuthDelegatedRefreshCoordinator.setCLIAvailableOverrideForTesting(true) - ClaudeOAuthDelegatedRefreshCoordinator.setTouchAuthPathOverrideForTesting { _ in - dataBox.store(afterData) - } - ClaudeOAuthCredentialsStore.setSecurityCLIReadOverrideForTesting(.dynamic { _ in dataBox.load() }) - defer { ClaudeOAuthCredentialsStore.setSecurityCLIReadOverrideForTesting(nil) } + let outcome = await ClaudeOAuthDelegatedRefreshCoordinator.attempt( + now: Date(timeIntervalSince1970: 61000), + timeout: 0.1) - let outcome = await ClaudeOAuthDelegatedRefreshCoordinator.attempt( - now: Date(timeIntervalSince1970: 61000), - timeout: 0.1) - - #expect(outcome == .attemptedSucceeded) - #expect(fingerprintCounter.count < 1) + #expect(outcome == .attemptedSucceeded) + #expect(fingerprintCounter.count < 1) + } } @Test func experimentalStrategy_observationSkipsSecurityCLIWhenGlobalKeychainDisabled() async { ClaudeOAuthDelegatedRefreshCoordinator.resetForTesting() defer { ClaudeOAuthDelegatedRefreshCoordinator.resetForTesting() } - let strategyKey = "claudeOAuthKeychainReadStrategy" - let previousStrategy = UserDefaults.standard.string(forKey: strategyKey) - UserDefaults.standard.set( - ClaudeOAuthKeychainReadStrategy.securityCLIExperimental.rawValue, - forKey: strategyKey) - defer { - if let previousStrategy { - UserDefaults.standard.set(previousStrategy, forKey: strategyKey) - } else { - UserDefaults.standard.removeObject(forKey: strategyKey) + await ClaudeOAuthKeychainReadStrategyPreference.withTaskOverrideForTesting( + .securityCLIExperimental) + { + final class CounterBox: @unchecked Sendable { + private let lock = NSLock() + private(set) var count: Int = 0 + func increment() { + self.lock.lock() + self.count += 1 + self.lock.unlock() + } } - } - final class CounterBox: @unchecked Sendable { - private let lock = NSLock() - private(set) var count: Int = 0 - func increment() { - self.lock.lock() - self.count += 1 - self.lock.unlock() + let securityReadCounter = CounterBox() + let securityData = self.makeCredentialsData( + accessToken: "security-should-not-be-read", + expiresAt: Date(timeIntervalSinceNow: 3600)) + ClaudeOAuthDelegatedRefreshCoordinator.setCLIAvailableOverrideForTesting(true) + ClaudeOAuthDelegatedRefreshCoordinator.setTouchAuthPathOverrideForTesting { _ in } + ClaudeOAuthCredentialsStore.setSecurityCLIReadOverrideForTesting(.dynamic { _ in + securityReadCounter.increment() + return securityData + }) + defer { ClaudeOAuthCredentialsStore.setSecurityCLIReadOverrideForTesting(nil) } + let outcome = await KeychainAccessGate.withTaskOverrideForTesting(true) { + await ClaudeOAuthDelegatedRefreshCoordinator.attempt( + now: Date(timeIntervalSince1970: 62000), + timeout: 0.1) } - } - - let securityReadCounter = CounterBox() - let securityData = self.makeCredentialsData( - accessToken: "security-should-not-be-read", - expiresAt: Date(timeIntervalSinceNow: 3600)) - ClaudeOAuthDelegatedRefreshCoordinator.setCLIAvailableOverrideForTesting(true) - ClaudeOAuthDelegatedRefreshCoordinator.setTouchAuthPathOverrideForTesting { _ in } - ClaudeOAuthCredentialsStore.setSecurityCLIReadOverrideForTesting(.dynamic { _ in - securityReadCounter.increment() - return securityData - }) - defer { ClaudeOAuthCredentialsStore.setSecurityCLIReadOverrideForTesting(nil) } - let previousKeychainDisabled = KeychainAccessGate.isDisabled - KeychainAccessGate.isDisabled = true - defer { KeychainAccessGate.isDisabled = previousKeychainDisabled } - let outcome = await ClaudeOAuthDelegatedRefreshCoordinator.attempt( - now: Date(timeIntervalSince1970: 62000), - timeout: 0.1) - - guard case .attemptedFailed = outcome else { - Issue.record("Expected .attemptedFailed outcome") - return + guard case .attemptedFailed = outcome else { + Issue.record("Expected .attemptedFailed outcome") + return + } + #expect(securityReadCounter.count < 1) } - #expect(securityReadCounter.count < 1) } } From 9bf5dce49b98483d0c2803aa22ecf97eb506ad15 Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Mon, 16 Feb 2026 23:28:37 +0530 Subject: [PATCH 087/131] Align non-mac security CLI stub with readStrategy API --- .../ClaudeOAuthCredentials+SecurityCLIReader.swift | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials+SecurityCLIReader.swift b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials+SecurityCLIReader.swift index 2ebfd8acf..db62b503b 100644 --- a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials+SecurityCLIReader.swift +++ b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials+SecurityCLIReader.swift @@ -246,7 +246,11 @@ extension ClaudeOAuthCredentialsStore { } } #else - static func loadFromClaudeKeychainViaSecurityCLIIfEnabled(allowKeychainPrompt _: Bool) -> Data? { + static func loadFromClaudeKeychainViaSecurityCLIIfEnabled( + allowKeychainPrompt _: Bool, + readStrategy _: ClaudeOAuthKeychainReadStrategy = ClaudeOAuthKeychainReadStrategyPreference.current()) + -> Data? + { nil } #endif From 6d342aa4e81746fb9ed4b2283aa32093db8ac9ef Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Mon, 16 Feb 2026 23:45:09 +0530 Subject: [PATCH 088/131] Keep experimental no-prompt repair on security CLI path --- .../ClaudeOAuth/ClaudeOAuthCredentials.swift | 23 +++++++ ...AuthCredentialsStoreSecurityCLITests.swift | 64 +++++++++++++++++++ 2 files changed, 87 insertions(+) diff --git a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials.swift b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials.swift index 0fe96bf0a..ad9385bc9 100644 --- a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials.swift +++ b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials.swift @@ -782,6 +782,29 @@ public enum ClaudeOAuthCredentialsStore { } do { + if self.shouldPreferSecurityCLIKeychainRead(), + let securityData = self.loadFromClaudeKeychainViaSecurityCLIIfEnabled(allowKeychainPrompt: false), + !securityData.isEmpty + { + // Keep CLI-success repair prompt-safe in experimental mode by avoiding Security.framework fingerprint + // probes, which can still show UI on some systems even for "no UI" queries. + guard let creds = try? ClaudeOAuthCredentials.parse(data: securityData) else { return nil } + if creds.isExpired { + return ClaudeOAuthCredentialRecord(credentials: creds, owner: .claudeCLI, source: .claudeKeychain) + } + + self.writeMemoryCache( + record: ClaudeOAuthCredentialRecord(credentials: creds, owner: .claudeCLI, source: .memoryCache), + timestamp: now) + self.saveToCacheKeychain(securityData, owner: .claudeCLI) + + self.log.info( + "Claude keychain credentials loaded without prompt; syncing OAuth cache", + metadata: ["interaction": ProviderInteractionContext + .current == .userInitiated ? "user" : "background"]) + return ClaudeOAuthCredentialRecord(credentials: creds, owner: .claudeCLI, source: .claudeKeychain) + } + guard let data = try self.loadFromClaudeKeychainNonInteractive(), !data.isEmpty else { return nil } let fingerprint = self.currentClaudeKeychainFingerprintWithoutPrompt() guard let creds = try? ClaudeOAuthCredentials.parse(data: data) else { diff --git a/Tests/CodexBarTests/ClaudeOAuthCredentialsStoreSecurityCLITests.swift b/Tests/CodexBarTests/ClaudeOAuthCredentialsStoreSecurityCLITests.swift index 201d2276f..d7569db8e 100644 --- a/Tests/CodexBarTests/ClaudeOAuthCredentialsStoreSecurityCLITests.swift +++ b/Tests/CodexBarTests/ClaudeOAuthCredentialsStoreSecurityCLITests.swift @@ -577,6 +577,70 @@ struct ClaudeOAuthCredentialsStoreSecurityCLITests { } } + @Test + func experimentalReader_noPromptRepair_skipsFingerprintProbeAfterSecurityCLISuccess() throws { + let service = "com.steipete.codexbar.cache.tests.\(UUID().uuidString)" + try KeychainCacheStore.withServiceOverrideForTesting(service) { + try KeychainAccessGate.withTaskOverrideForTesting(false) { + KeychainCacheStore.setTestStoreForTesting(true) + defer { KeychainCacheStore.setTestStoreForTesting(false) } + + ClaudeOAuthCredentialsStore.invalidateCache() + ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() + defer { + ClaudeOAuthCredentialsStore.invalidateCache() + ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() + } + + let tempDir = FileManager.default.temporaryDirectory + .appendingPathComponent(UUID().uuidString, isDirectory: true) + try FileManager.default.createDirectory(at: tempDir, withIntermediateDirectories: true) + let fileURL = tempDir.appendingPathComponent("credentials.json") + try ClaudeOAuthCredentialsStore.withCredentialsURLOverrideForTesting(fileURL) { + let securityData = self.makeCredentialsData( + accessToken: "security-repair-no-fingerprint-probe", + expiresAt: Date(timeIntervalSinceNow: 3600)) + let fingerprintStore = ClaudeOAuthCredentialsStore.ClaudeKeychainFingerprintStore() + let sentinelFingerprint = ClaudeOAuthCredentialsStore.ClaudeKeychainFingerprint( + modifiedAt: 456, + createdAt: 455, + persistentRefHash: "sentinel") + + let record = try ClaudeOAuthKeychainReadStrategyPreference.withTaskOverrideForTesting( + .securityCLIExperimental, + operation: { + try ClaudeOAuthKeychainPromptPreference.withTaskOverrideForTesting(.always) { + try ProviderInteractionContext.$current.withValue(.background) { + try ClaudeOAuthCredentialsStore + .withClaudeKeychainFingerprintStoreOverrideForTesting( + fingerprintStore) + { + try ClaudeOAuthCredentialsStore.withClaudeKeychainOverridesForTesting( + data: nil, + fingerprint: sentinelFingerprint) + { + try ClaudeOAuthCredentialsStore.withSecurityCLIReadOverrideForTesting( + .data(securityData)) + { + try ClaudeOAuthCredentialsStore.loadRecord( + environment: [:], + allowKeychainPrompt: false, + respectKeychainPromptCooldown: true) + } + } + } + } + } + }) + + #expect(record.credentials.accessToken == "security-repair-no-fingerprint-probe") + #expect(record.source == .claudeKeychain) + #expect(fingerprintStore.fingerprint == nil) + } + } + } + } + @Test func experimentalReader_loadWithPrompt_skipsFingerprintProbeAfterSecurityCLISuccess() throws { let service = "com.steipete.codexbar.cache.tests.\(UUID().uuidString)" From 8db7fd628238bc88e0443ce67c0fc5a253fde92b Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Mon, 16 Feb 2026 23:58:31 +0530 Subject: [PATCH 089/131] Require baseline for CLI keychain change observation --- ...audeOAuthDelegatedRefreshCoordinator.swift | 4 +- ...AuthDelegatedRefreshCoordinatorTests.swift | 68 +++++++++++++++++++ 2 files changed, 71 insertions(+), 1 deletion(-) diff --git a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthDelegatedRefreshCoordinator.swift b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthDelegatedRefreshCoordinator.swift index 72a64def3..61d515342 100644 --- a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthDelegatedRefreshCoordinator.swift +++ b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthDelegatedRefreshCoordinator.swift @@ -203,11 +203,13 @@ public enum ClaudeOAuthDelegatedRefreshCoordinator { case let .securityCLI(dataBefore): // In experimental mode, avoid Security.framework observation entirely and detect change from // /usr/bin/security output only. + // If baseline capture failed (nil), treat observation as inconclusive and do not infer a change from + // a later successful read. + guard let dataBefore else { return false } guard let current = self.currentClaudeKeychainDataViaSecurityCLIForObservation( readStrategy: readStrategy, keychainAccessDisabled: keychainAccessDisabled) else { return false } - guard let dataBefore else { return true } return current != dataBefore } } diff --git a/Tests/CodexBarTests/ClaudeOAuthDelegatedRefreshCoordinatorTests.swift b/Tests/CodexBarTests/ClaudeOAuthDelegatedRefreshCoordinatorTests.swift index 279594fbd..3ab8f87c9 100644 --- a/Tests/CodexBarTests/ClaudeOAuthDelegatedRefreshCoordinatorTests.swift +++ b/Tests/CodexBarTests/ClaudeOAuthDelegatedRefreshCoordinatorTests.swift @@ -337,6 +337,74 @@ struct ClaudeOAuthDelegatedRefreshCoordinatorTests { } } + @Test + func experimentalStrategy_missingBaselineDoesNotAutoSucceedWhenLaterReadSucceeds() async { + ClaudeOAuthDelegatedRefreshCoordinator.resetForTesting() + defer { ClaudeOAuthDelegatedRefreshCoordinator.resetForTesting() } + await ClaudeOAuthKeychainReadStrategyPreference.withTaskOverrideForTesting( + .securityCLIExperimental) + { + final class DataBox: @unchecked Sendable { + private let lock = NSLock() + private var _data: Data? + init(data: Data?) { + self._data = data + } + + func load() -> Data? { + self.lock.lock() + defer { self.lock.unlock() } + return self._data + } + + func store(_ data: Data?) { + self.lock.lock() + self._data = data + self.lock.unlock() + } + } + final class CounterBox: @unchecked Sendable { + private let lock = NSLock() + private(set) var count: Int = 0 + func increment() { + self.lock.lock() + self.count += 1 + self.lock.unlock() + } + } + let fingerprintCounter = CounterBox() + ClaudeOAuthDelegatedRefreshCoordinator.setKeychainFingerprintOverrideForTesting { + fingerprintCounter.increment() + return ClaudeOAuthCredentialsStore.ClaudeKeychainFingerprint( + modifiedAt: 21, + createdAt: 21, + persistentRefHash: "framework-fingerprint") + } + + let afterData = self.makeCredentialsData( + accessToken: "security-token-after-baseline-miss", + expiresAt: Date(timeIntervalSinceNow: 3600)) + let dataBox = DataBox(data: nil) + + ClaudeOAuthDelegatedRefreshCoordinator.setCLIAvailableOverrideForTesting(true) + ClaudeOAuthDelegatedRefreshCoordinator.setTouchAuthPathOverrideForTesting { _ in + dataBox.store(afterData) + } + ClaudeOAuthCredentialsStore.setSecurityCLIReadOverrideForTesting(.dynamic { _ in dataBox.load() }) + defer { ClaudeOAuthCredentialsStore.setSecurityCLIReadOverrideForTesting(nil) } + + let outcome = await ClaudeOAuthDelegatedRefreshCoordinator.attempt( + now: Date(timeIntervalSince1970: 61500), + timeout: 0.1) + + guard case .attemptedFailed = outcome else { + Issue.record("Expected .attemptedFailed outcome when baseline is unavailable") + return + } + #expect(fingerprintCounter.count < 1) + } + } + @Test func experimentalStrategy_observationSkipsSecurityCLIWhenGlobalKeychainDisabled() async { ClaudeOAuthDelegatedRefreshCoordinator.resetForTesting() From 84170760bb23275043108c0e007863ce0375cfae Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Tue, 17 Feb 2026 00:15:51 +0530 Subject: [PATCH 090/131] Respect cooldown for background OAuth keychain retries --- .../Providers/Claude/ClaudeUsageFetcher.swift | 1 - Tests/CodexBarTests/ClaudeUsageTests.swift | 8 +++++++- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/Sources/CodexBarCore/Providers/Claude/ClaudeUsageFetcher.swift b/Sources/CodexBarCore/Providers/Claude/ClaudeUsageFetcher.swift index a9a79be9d..dbce38b00 100644 --- a/Sources/CodexBarCore/Providers/Claude/ClaudeUsageFetcher.swift +++ b/Sources/CodexBarCore/Providers/Claude/ClaudeUsageFetcher.swift @@ -91,7 +91,6 @@ public struct ClaudeUsageFetcher: ClaudeUsageFetching, Sendable { /// Respect the Keychain prompt cooldown for background operations to avoid spamming system dialogs. /// User actions (menu open / refresh / settings) are allowed to bypass the cooldown. var shouldRespectKeychainPromptCooldown: Bool { - guard self.isApplicable else { return false } return self.interaction != .userInitiated } diff --git a/Tests/CodexBarTests/ClaudeUsageTests.swift b/Tests/CodexBarTests/ClaudeUsageTests.swift index 470643c17..7f007b811 100644 --- a/Tests/CodexBarTests/ClaudeUsageTests.swift +++ b/Tests/CodexBarTests/ClaudeUsageTests.swift @@ -922,6 +922,10 @@ extension ClaudeUsageTests { @Test func oauthLoad_experimental_background_fallbackBlocked_propagatesOAuthFailure() async throws { + final class FlagBox: @unchecked Sendable { + var respectPromptCooldownFlags: [Bool] = [] + } + let flags = FlagBox() let fetcher = ClaudeUsageFetcher( browserDetection: BrowserDetection(cacheTTL: 0), environment: [:], @@ -932,7 +936,8 @@ extension ClaudeUsageTests { let loadCredsOverride: (@Sendable ( [String: String], Bool, - Bool) async throws -> ClaudeOAuthCredentials)? = { _, _, _ in + Bool) async throws -> ClaudeOAuthCredentials)? = { _, _, respectKeychainPromptCooldown in + flags.respectPromptCooldownFlags.append(respectKeychainPromptCooldown) throw ClaudeOAuthCredentialsError.notFound } @@ -949,5 +954,6 @@ extension ClaudeUsageTests { } }) } + #expect(flags.respectPromptCooldownFlags == [true]) } } From bf170339bdb3de549e3c153d80cd53e092863229 Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Tue, 17 Feb 2026 00:38:52 +0530 Subject: [PATCH 091/131] Clarify security CLI interaction semantics --- .../ClaudeOAuthCredentials+Hashing.swift | 18 ++++++ ...deOAuthCredentials+SecurityCLIReader.swift | 14 +++-- .../ClaudeOAuth/ClaudeOAuthCredentials.swift | 46 +++++++-------- ...audeOAuthDelegatedRefreshCoordinator.swift | 2 +- .../Providers/Claude/ClaudeUsageFetcher.swift | 2 +- ...AuthCredentialsStoreSecurityCLITests.swift | 59 +++++++++++++++++++ 6 files changed, 108 insertions(+), 33 deletions(-) create mode 100644 Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials+Hashing.swift diff --git a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials+Hashing.swift b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials+Hashing.swift new file mode 100644 index 000000000..5e836192d --- /dev/null +++ b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials+Hashing.swift @@ -0,0 +1,18 @@ +import Foundation + +#if canImport(CryptoKit) +import CryptoKit +#endif + +extension ClaudeOAuthCredentialsStore { + static func sha256Prefix(_ data: Data) -> String? { + #if canImport(CryptoKit) + let digest = SHA256.hash(data: data) + let hex = digest.compactMap { String(format: "%02x", $0) }.joined() + return String(hex.prefix(12)) + #else + _ = data + return nil + #endif + } +} diff --git a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials+SecurityCLIReader.swift b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials+SecurityCLIReader.swift index db62b503b..1fa5aac3d 100644 --- a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials+SecurityCLIReader.swift +++ b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials+SecurityCLIReader.swift @@ -37,12 +37,15 @@ extension ClaudeOAuthCredentialsStore { let durationMs: Double } + /// Attempts a Claude keychain read via `/usr/bin/security` when the experimental reader is enabled. + /// - Important: `interaction` is diagnostics context only and does not gate CLI execution. static func loadFromClaudeKeychainViaSecurityCLIIfEnabled( - allowKeychainPrompt: Bool, + interaction: ProviderInteraction, readStrategy: ClaudeOAuthKeychainReadStrategy = ClaudeOAuthKeychainReadStrategyPreference.current()) -> Data? { guard self.shouldPreferSecurityCLIKeychainRead(readStrategy: readStrategy) else { return nil } + let interactionMetadata = interaction == .userInitiated ? "user" : "background" do { let preferredAccount = self.preferredClaudeKeychainAccountForSecurityCLIRead() @@ -97,6 +100,7 @@ extension ClaudeOAuthCredentialsStore { "Claude keychain security CLI output invalid; falling back", metadata: [ "reader": "securityCLI", + "callerInteraction": interactionMetadata, "status": "\(status)", "duration_ms": String(format: "%.2f", durationMs), "stderr_length": "\(stderrLength)", @@ -108,7 +112,7 @@ extension ClaudeOAuthCredentialsStore { var metadata: [String: String] = [ "reader": "securityCLI", - "interactive": "\(allowKeychainPrompt)", + "callerInteraction": interactionMetadata, "status": "\(status)", "duration_ms": String(format: "%.2f", durationMs), "stderr_length": "\(stderrLength)", @@ -125,7 +129,7 @@ extension ClaudeOAuthCredentialsStore { } catch let error as SecurityCLIReadError { var metadata: [String: String] = [ "reader": "securityCLI", - "interactive": "\(allowKeychainPrompt)", + "callerInteraction": interactionMetadata, "error_type": String(describing: type(of: error)), ] switch error { @@ -147,7 +151,7 @@ extension ClaudeOAuthCredentialsStore { "Claude keychain security CLI read failed; falling back", metadata: [ "reader": "securityCLI", - "interactive": "\(allowKeychainPrompt)", + "callerInteraction": interactionMetadata, "error_type": String(describing: type(of: error)), ]) return nil @@ -247,7 +251,7 @@ extension ClaudeOAuthCredentialsStore { } #else static func loadFromClaudeKeychainViaSecurityCLIIfEnabled( - allowKeychainPrompt _: Bool, + interaction _: ProviderInteraction, readStrategy _: ClaudeOAuthKeychainReadStrategy = ClaudeOAuthKeychainReadStrategyPreference.current()) -> Data? { diff --git a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials.swift b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials.swift index ad9385bc9..71855bdaa 100644 --- a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials.swift +++ b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials.swift @@ -5,10 +5,6 @@ import Foundation import FoundationNetworking #endif -#if canImport(CryptoKit) -import CryptoKit -#endif - #if os(macOS) import LocalAuthentication import Security @@ -295,7 +291,8 @@ public enum ClaudeOAuthCredentialsStore { guard self.shouldAllowClaudeCodeKeychainAccess(mode: promptMode) else { return nil } if self.shouldPreferSecurityCLIKeychainRead(), - let keychainData = self.loadFromClaudeKeychainViaSecurityCLIIfEnabled(allowKeychainPrompt: true) + let keychainData = self.loadFromClaudeKeychainViaSecurityCLIIfEnabled( + interaction: ProviderInteractionContext.current) { let creds = try ClaudeOAuthCredentials.parse(data: keychainData) let record = ClaudeOAuthCredentialRecord( @@ -611,7 +608,9 @@ public enum ClaudeOAuthCredentialsStore { if self.isPromptPolicyApplicable, ProviderInteractionContext.current == .background, !ClaudeOAuthKeychainAccessGate.shouldAllowPrompt() { return false } - if self.loadFromClaudeKeychainViaSecurityCLIIfEnabled(allowKeychainPrompt: false) != nil { + if self.loadFromClaudeKeychainViaSecurityCLIIfEnabled( + interaction: ProviderInteractionContext.current) != nil + { return true } #if DEBUG @@ -783,7 +782,8 @@ public enum ClaudeOAuthCredentialsStore { do { if self.shouldPreferSecurityCLIKeychainRead(), - let securityData = self.loadFromClaudeKeychainViaSecurityCLIIfEnabled(allowKeychainPrompt: false), + let securityData = self.loadFromClaudeKeychainViaSecurityCLIIfEnabled( + interaction: ProviderInteractionContext.current), !securityData.isEmpty { // Keep CLI-success repair prompt-safe in experimental mode by avoiding Security.framework fingerprint @@ -939,26 +939,18 @@ public enum ClaudeOAuthCredentialsStore { return "\(modifiedAt):\(fingerprint.size)" } - private static func sha256Prefix(_ data: Data) -> String? { - #if canImport(CryptoKit) - let digest = SHA256.hash(data: data) - let hex = digest.compactMap { String(format: "%02x", $0) }.joined() - return String(hex.prefix(12)) - #else - _ = data - return nil - #endif - } - private static func loadFromClaudeKeychainNonInteractive() throws -> Data? { - let mode = ClaudeOAuthKeychainPromptPreference.current() - guard self.shouldAllowClaudeCodeKeychainAccess(mode: mode) else { return nil } + guard self.shouldAllowClaudeCodeKeychainAccess(mode: ClaudeOAuthKeychainPromptPreference.current()) else { + return nil + } #if DEBUG if let store = taskClaudeKeychainOverrideStore { return store.data } if let override = taskClaudeKeychainDataOverride ?? self.claudeKeychainDataOverride { return override } #endif #if os(macOS) - if let data = self.loadFromClaudeKeychainViaSecurityCLIIfEnabled(allowKeychainPrompt: false) { + if let data = self.loadFromClaudeKeychainViaSecurityCLIIfEnabled( + interaction: ProviderInteractionContext.current) + { return data } @@ -986,15 +978,16 @@ public enum ClaudeOAuthCredentialsStore { } public static func loadFromClaudeKeychain() throws -> Data { - let mode = ClaudeOAuthKeychainPromptPreference.current() - guard self.shouldAllowClaudeCodeKeychainAccess(mode: mode) else { + guard self.shouldAllowClaudeCodeKeychainAccess(mode: ClaudeOAuthKeychainPromptPreference.current()) else { throw ClaudeOAuthCredentialsError.notFound } #if DEBUG if let store = taskClaudeKeychainOverrideStore, let override = store.data { return override } if let override = taskClaudeKeychainDataOverride ?? self.claudeKeychainDataOverride { return override } #endif - if let data = self.loadFromClaudeKeychainViaSecurityCLIIfEnabled(allowKeychainPrompt: true) { + if let data = self.loadFromClaudeKeychainViaSecurityCLIIfEnabled( + interaction: ProviderInteractionContext.current) + { return data } if self.shouldPreferSecurityCLIKeychainRead() { @@ -1536,8 +1529,9 @@ extension ClaudeOAuthCredentialsStore { } #endif - if let data = self.loadFromClaudeKeychainViaSecurityCLIIfEnabled(allowKeychainPrompt: false), - !data.isEmpty + if let data = self.loadFromClaudeKeychainViaSecurityCLIIfEnabled( + interaction: ProviderInteractionContext.current), + !data.isEmpty { if let creds = try? ClaudeOAuthCredentials.parse(data: data), !creds.isExpired { // Keep delegated refresh recovery on the security CLI path only in experimental mode. diff --git a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthDelegatedRefreshCoordinator.swift b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthDelegatedRefreshCoordinator.swift index 61d515342..d94940602 100644 --- a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthDelegatedRefreshCoordinator.swift +++ b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthDelegatedRefreshCoordinator.swift @@ -269,7 +269,7 @@ public enum ClaudeOAuthDelegatedRefreshCoordinator { { guard !keychainAccessDisabled else { return nil } return ClaudeOAuthCredentialsStore.loadFromClaudeKeychainViaSecurityCLIIfEnabled( - allowKeychainPrompt: false, + interaction: .background, readStrategy: readStrategy) } diff --git a/Sources/CodexBarCore/Providers/Claude/ClaudeUsageFetcher.swift b/Sources/CodexBarCore/Providers/Claude/ClaudeUsageFetcher.swift index dbce38b00..ed57ac71b 100644 --- a/Sources/CodexBarCore/Providers/Claude/ClaudeUsageFetcher.swift +++ b/Sources/CodexBarCore/Providers/Claude/ClaudeUsageFetcher.swift @@ -91,7 +91,7 @@ public struct ClaudeUsageFetcher: ClaudeUsageFetching, Sendable { /// Respect the Keychain prompt cooldown for background operations to avoid spamming system dialogs. /// User actions (menu open / refresh / settings) are allowed to bypass the cooldown. var shouldRespectKeychainPromptCooldown: Bool { - return self.interaction != .userInitiated + self.interaction != .userInitiated } var interactionLabel: String { diff --git a/Tests/CodexBarTests/ClaudeOAuthCredentialsStoreSecurityCLITests.swift b/Tests/CodexBarTests/ClaudeOAuthCredentialsStoreSecurityCLITests.swift index d7569db8e..4d498da83 100644 --- a/Tests/CodexBarTests/ClaudeOAuthCredentialsStoreSecurityCLITests.swift +++ b/Tests/CodexBarTests/ClaudeOAuthCredentialsStoreSecurityCLITests.swift @@ -76,6 +76,65 @@ struct ClaudeOAuthCredentialsStoreSecurityCLITests { } } + @Test + func experimentalReader_nonInteractiveBackgroundLoad_stillExecutesSecurityCLIRead() throws { + let service = "com.steipete.codexbar.cache.tests.\(UUID().uuidString)" + try KeychainCacheStore.withServiceOverrideForTesting(service) { + try KeychainAccessGate.withTaskOverrideForTesting(false) { + KeychainCacheStore.setTestStoreForTesting(true) + defer { KeychainCacheStore.setTestStoreForTesting(false) } + + ClaudeOAuthCredentialsStore.invalidateCache() + ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() + defer { + ClaudeOAuthCredentialsStore.invalidateCache() + ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() + ClaudeOAuthCredentialsStore.setClaudeKeychainDataOverrideForTesting(nil) + ClaudeOAuthCredentialsStore.setClaudeKeychainFingerprintOverrideForTesting(nil) + } + + let tempDir = FileManager.default.temporaryDirectory + .appendingPathComponent(UUID().uuidString, isDirectory: true) + try FileManager.default.createDirectory(at: tempDir, withIntermediateDirectories: true) + let fileURL = tempDir.appendingPathComponent("credentials.json") + + try ClaudeOAuthCredentialsStore.withCredentialsURLOverrideForTesting(fileURL) { + let securityData = self.makeCredentialsData( + accessToken: "security-token-background", + expiresAt: Date(timeIntervalSinceNow: 3600), + refreshToken: "security-refresh-background") + final class ReadCounter: @unchecked Sendable { + var count = 0 + } + let securityReadCalls = ReadCounter() + + let creds = try ClaudeOAuthKeychainReadStrategyPreference.withTaskOverrideForTesting( + .securityCLIExperimental, + operation: { + try ClaudeOAuthKeychainPromptPreference.withTaskOverrideForTesting( + .onlyOnUserAction, + operation: { + try ProviderInteractionContext.$current.withValue(.background) { + try ClaudeOAuthCredentialsStore.withSecurityCLIReadOverrideForTesting( + .dynamic { _ in + securityReadCalls.count += 1 + return securityData + }) { + try ClaudeOAuthCredentialsStore.load( + environment: [:], + allowKeychainPrompt: false) + } + } + }) + }) + + #expect(creds.accessToken == "security-token-background") + #expect(securityReadCalls.count == 1) + } + } + } + } + @Test func experimentalReader_fallsBackWhenSecurityCLIThrows() throws { let service = "com.steipete.codexbar.cache.tests.\(UUID().uuidString)" From 54120b9c4a67b646f2a1307da277c7962cdabe0c Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Tue, 17 Feb 2026 01:16:25 +0530 Subject: [PATCH 092/131] Limit security CLI account pinning to user actions --- ...deOAuthCredentials+SecurityCLIReader.swift | 3 +- .../ClaudeOAuth/ClaudeOAuthCredentials.swift | 7 +++- ...AuthCredentialsStoreSecurityCLITests.swift | 35 +++++++++++++++++++ 3 files changed, 43 insertions(+), 2 deletions(-) diff --git a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials+SecurityCLIReader.swift b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials+SecurityCLIReader.swift index 1fa5aac3d..72cb6dd96 100644 --- a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials+SecurityCLIReader.swift +++ b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials+SecurityCLIReader.swift @@ -48,7 +48,8 @@ extension ClaudeOAuthCredentialsStore { let interactionMetadata = interaction == .userInitiated ? "user" : "background" do { - let preferredAccount = self.preferredClaudeKeychainAccountForSecurityCLIRead() + let preferredAccount = self.preferredClaudeKeychainAccountForSecurityCLIRead( + interaction: interaction) let output: Data let status: Int32 let stderrLength: Int diff --git a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials.swift b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials.swift index 71855bdaa..d0484a386 100644 --- a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials.swift +++ b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials.swift @@ -1402,7 +1402,12 @@ public enum ClaudeOAuthCredentialsStore { } } - static func preferredClaudeKeychainAccountForSecurityCLIRead() -> String? { + static func preferredClaudeKeychainAccountForSecurityCLIRead( + interaction: ProviderInteraction = ProviderInteractionContext.current) -> String? + { + // Keep the experimental background path fully on /usr/bin/security by default. + // Account pinning requires Security.framework candidate probing, so only allow it on explicit user actions. + guard interaction == .userInitiated else { return nil } #if DEBUG if let override = self.taskSecurityCLIReadAccountOverride { return override } #endif diff --git a/Tests/CodexBarTests/ClaudeOAuthCredentialsStoreSecurityCLITests.swift b/Tests/CodexBarTests/ClaudeOAuthCredentialsStoreSecurityCLITests.swift index 4d498da83..bfae65a0f 100644 --- a/Tests/CodexBarTests/ClaudeOAuthCredentialsStoreSecurityCLITests.swift +++ b/Tests/CodexBarTests/ClaudeOAuthCredentialsStoreSecurityCLITests.swift @@ -440,6 +440,41 @@ struct ClaudeOAuthCredentialsStoreSecurityCLITests { #expect(creds.accessToken == "security-account-pinned") } + @Test + func experimentalReader_securityCLIRead_doesNotPinAccountInBackground() throws { + let securityData = self.makeCredentialsData( + accessToken: "security-account-not-pinned", + expiresAt: Date(timeIntervalSinceNow: 3600)) + final class AccountBox: @unchecked Sendable { + var value: String? + } + let pinnedAccount = AccountBox() + + let loaded = try ClaudeOAuthKeychainReadStrategyPreference.withTaskOverrideForTesting( + .securityCLIExperimental, + operation: { + try ClaudeOAuthCredentialsStore.withSecurityCLIReadAccountOverrideForTesting("new-account") { + try ClaudeOAuthKeychainPromptPreference.withTaskOverrideForTesting( + .always, + operation: { + try ProviderInteractionContext.$current.withValue(.background) { + try ClaudeOAuthCredentialsStore.withSecurityCLIReadOverrideForTesting( + .dynamic { request in + pinnedAccount.value = request.account + return securityData + }) { + try ClaudeOAuthCredentialsStore.loadFromClaudeKeychain() + } + } + }) + } + }) + + let creds = try ClaudeOAuthCredentials.parse(data: loaded) + #expect(pinnedAccount.value == nil) + #expect(creds.accessToken == "security-account-not-pinned") + } + @Test func experimentalReader_freshnessSync_skipsSecurityCLIWhenPreflightRequiresInteraction() throws { let service = "com.steipete.codexbar.cache.tests.\(UUID().uuidString)" From ad48e052d4ba0029d3cec757a803a1a1e2a65eba Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Tue, 17 Feb 2026 01:18:00 +0530 Subject: [PATCH 093/131] Run Claude debug OAuth probe off MainActor --- Sources/CodexBar/UsageStore.swift | 35 ++++++++++++++++++++++--------- 1 file changed, 25 insertions(+), 10 deletions(-) diff --git a/Sources/CodexBar/UsageStore.swift b/Sources/CodexBar/UsageStore.swift index b42856c71..84280b3c0 100644 --- a/Sources/CodexBar/UsageStore.swift +++ b/Sources/CodexBar/UsageStore.swift @@ -1231,7 +1231,14 @@ extension UsageStore { claudeCookieHeader: String, keepCLISessionsAlive: Bool) async -> String { - await self.runWithTimeout(seconds: 15) { + struct OAuthDebugProbe: Sendable { + let hasCredentials: Bool + let ownerRawValue: String + let sourceRawValue: String + let isExpired: Bool + } + + return await self.runWithTimeout(seconds: 15) { var lines: [String] = [] let manualHeader = claudeCookieSource == .manual ? CookieHeaderNormalizer.normalize(claudeCookieHeader) @@ -1241,12 +1248,20 @@ extension UsageStore { } else { ClaudeWebAPIFetcher.hasSessionKey(browserDetection: self.browserDetection) { msg in lines.append(msg) } } - // Don't prompt for keychain access during debug dump - let oauthRecord = try? ClaudeOAuthCredentialsStore.loadRecord( - allowKeychainPrompt: false, - respectKeychainPromptCooldown: true, - allowClaudeKeychainRepairWithoutPrompt: false) - let hasOAuthCredentials = oauthRecord?.credentials.scopes.contains("user:profile") == true + // Run potentially blocking keychain probes off MainActor so debug dumps don't stall UI rendering. + let oauthProbe = await Task.detached(priority: .utility) { + // Don't prompt for keychain access during debug dump. + let oauthRecord = try? ClaudeOAuthCredentialsStore.loadRecord( + allowKeychainPrompt: false, + respectKeychainPromptCooldown: true, + allowClaudeKeychainRepairWithoutPrompt: false) + return OAuthDebugProbe( + hasCredentials: oauthRecord?.credentials.scopes.contains("user:profile") == true, + ownerRawValue: oauthRecord?.owner.rawValue ?? "none", + sourceRawValue: oauthRecord?.source.rawValue ?? "none", + isExpired: oauthRecord?.credentials.isExpired ?? false) + }.value + let hasOAuthCredentials = oauthProbe.hasCredentials let hasClaudeBinary = ClaudeOAuthDelegatedRefreshCoordinator.isClaudeCLIAvailable() let delegatedCooldownSeconds = ClaudeOAuthDelegatedRefreshCoordinator.cooldownRemainingSeconds() @@ -1265,9 +1280,9 @@ extension UsageStore { } lines.append("hasSessionKey=\(hasKey)") lines.append("hasOAuthCredentials=\(hasOAuthCredentials)") - lines.append("oauthCredentialOwner=\(oauthRecord?.owner.rawValue ?? "none")") - lines.append("oauthCredentialSource=\(oauthRecord?.source.rawValue ?? "none")") - lines.append("oauthCredentialExpired=\(oauthRecord?.credentials.isExpired ?? false)") + lines.append("oauthCredentialOwner=\(oauthProbe.ownerRawValue)") + lines.append("oauthCredentialSource=\(oauthProbe.sourceRawValue)") + lines.append("oauthCredentialExpired=\(oauthProbe.isExpired)") lines.append("delegatedRefreshCLIAvailable=\(hasClaudeBinary)") lines.append("delegatedRefreshCooldownActive=\(delegatedCooldownSeconds != nil)") if let delegatedCooldownSeconds { From f2e55b2ce32bbc3d721ee13d1c73535742672907 Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Tue, 17 Feb 2026 01:19:05 +0530 Subject: [PATCH 094/131] Disable experimental Claude toggle when keychain is off --- Sources/CodexBar/PreferencesAdvancedPane.swift | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/Sources/CodexBar/PreferencesAdvancedPane.swift b/Sources/CodexBar/PreferencesAdvancedPane.swift index 1bfcd0636..20c7bb5f4 100644 --- a/Sources/CodexBar/PreferencesAdvancedPane.swift +++ b/Sources/CodexBar/PreferencesAdvancedPane.swift @@ -85,9 +85,12 @@ struct AdvancedPane: View { """) { PreferenceToggleRow( title: "Claude creds without prompts (experimental)", - subtitle: "Use /usr/bin/security to read Claude credentials and avoid CodexBar " + + subtitle: self.settings.debugDisableKeychainAccess + ? "Inactive while \"Disable Keychain access\" is enabled." + : "Use /usr/bin/security to read Claude credentials and avoid CodexBar " + "keychain prompts.", binding: self.$settings.claudeOAuthPromptFreeCredentialsEnabled) + .disabled(self.settings.debugDisableKeychainAccess) PreferenceToggleRow( title: "Disable Keychain access", subtitle: "Prevents any Keychain access while enabled.", From 96816679169eb4e2b5405f0b543c4c15bda1caf9 Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Tue, 17 Feb 2026 01:20:14 +0530 Subject: [PATCH 095/131] Clarify prompt policy applies to framework reader --- Sources/CodexBar/PreferencesAdvancedPane.swift | 3 ++- .../Providers/Claude/ClaudeProviderImplementation.swift | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/Sources/CodexBar/PreferencesAdvancedPane.swift b/Sources/CodexBar/PreferencesAdvancedPane.swift index 20c7bb5f4..86702b23f 100644 --- a/Sources/CodexBar/PreferencesAdvancedPane.swift +++ b/Sources/CodexBar/PreferencesAdvancedPane.swift @@ -88,7 +88,8 @@ struct AdvancedPane: View { subtitle: self.settings.debugDisableKeychainAccess ? "Inactive while \"Disable Keychain access\" is enabled." : "Use /usr/bin/security to read Claude credentials and avoid CodexBar " + - "keychain prompts.", + "keychain prompts. Claude Keychain prompt policy applies only in " + + "Security.framework mode.", binding: self.$settings.claudeOAuthPromptFreeCredentialsEnabled) .disabled(self.settings.debugDisableKeychainAccess) PreferenceToggleRow( diff --git a/Sources/CodexBar/Providers/Claude/ClaudeProviderImplementation.swift b/Sources/CodexBar/Providers/Claude/ClaudeProviderImplementation.swift index 38028b456..6885c88a7 100644 --- a/Sources/CodexBar/Providers/Claude/ClaudeProviderImplementation.swift +++ b/Sources/CodexBar/Providers/Claude/ClaudeProviderImplementation.swift @@ -131,7 +131,7 @@ struct ClaudeProviderImplementation: ProviderImplementation { ProviderSettingsPickerDescriptor( id: "claude-keychain-prompt-policy", title: "Keychain prompt policy", - subtitle: "Controls whether Claude OAuth may trigger macOS Keychain prompts.", + subtitle: "Applies only to the Security.framework OAuth keychain reader.", dynamicSubtitle: keychainPromptPolicySubtitle, binding: keychainPromptPolicyBinding, options: keychainPromptPolicyOptions, From ecb9888fd2eea99b26b431c4bb4cb9bd33863739 Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Tue, 17 Feb 2026 01:44:55 +0530 Subject: [PATCH 096/131] Harden Kiro managed-plan parsing --- .../Providers/Kiro/KiroStatusProbe.swift | 15 ++++----- .../CodexBarTests/KiroStatusProbeTests.swift | 32 +++++++++++++++++++ 2 files changed, 39 insertions(+), 8 deletions(-) diff --git a/Sources/CodexBarCore/Providers/Kiro/KiroStatusProbe.swift b/Sources/CodexBarCore/Providers/Kiro/KiroStatusProbe.swift index e6cc967db..2e90d136a 100644 --- a/Sources/CodexBarCore/Providers/Kiro/KiroStatusProbe.swift +++ b/Sources/CodexBarCore/Providers/Kiro/KiroStatusProbe.swift @@ -379,10 +379,9 @@ public struct KiroStatusProbe: Sendable { } } - // Check if this is a managed/enterprise plan with no usage data + // Check if this is a managed plan with no usage data let isManagedPlan = lowered.contains("managed by admin") || lowered.contains("managed by organization") - || lowered.contains("enterprise") // Parse reset date from "resets on 01/01" var resetsAt: Date? @@ -440,9 +439,9 @@ public struct KiroStatusProbe: Sendable { } } - // For managed/enterprise plans in new format, we may not have usage data - // but we should still show the plan name without error - if matchedNewFormat, isManagedPlan { + // Managed plans in new format may omit usage metrics. Only fall back to zeros when + // we did not parse any usage values, so we do not mask real metrics. + if matchedNewFormat, isManagedPlan, !matchedPercent, !matchedCredits { // Managed plans don't expose credits; return snapshot with plan name only return KiroUsageSnapshot( planName: planName, @@ -456,9 +455,9 @@ public struct KiroStatusProbe: Sendable { updatedAt: Date()) } - // Require at least one key pattern to match to avoid silent failures - // Only bypass error for managed plans in new format (they don't expose usage data) - if !matchedPercent, !matchedCredits, !(matchedNewFormat && isManagedPlan) { + // Require at least one key pattern to match to avoid silent failures. + // Managed plans without usage data return early above. + if !matchedPercent, !matchedCredits { throw KiroStatusProbeError.parseError( "No recognizable usage patterns found. Kiro CLI output format may have changed.") } diff --git a/Tests/CodexBarTests/KiroStatusProbeTests.swift b/Tests/CodexBarTests/KiroStatusProbeTests.swift index 95e956dcb..e1b35be14 100644 --- a/Tests/CodexBarTests/KiroStatusProbeTests.swift +++ b/Tests/CodexBarTests/KiroStatusProbeTests.swift @@ -171,6 +171,38 @@ struct KiroStatusProbeTests { #expect(snapshot.planName == "Q Developer Pro") } + @Test + func rejectsHeaderOnlyNewFormatWithoutManagedMarker() { + let output = """ + Plan: Q Developer Pro + Tip: to see context window usage, run /context + """ + + let probe = KiroStatusProbe() + #expect(throws: KiroStatusProbeError.self) { + try probe.parse(output: output) + } + } + + @Test + func preservesParsedUsageForManagedPlanWithMetrics() throws { + let output = """ + Plan: Q Developer Enterprise + Your plan is managed by admin + ████████████████████████████████████████████████████ 40% + (20.00 of 50 covered in plan), resets on 03/15 + """ + + let probe = KiroStatusProbe() + let snapshot = try probe.parse(output: output) + + #expect(snapshot.planName == "Q Developer Enterprise") + #expect(snapshot.creditsPercent == 40) + #expect(snapshot.creditsUsed == 20) + #expect(snapshot.creditsTotal == 50) + #expect(snapshot.resetsAt != nil) + } + // MARK: - Snapshot Conversion @Test From 48cd466452ad7a8811cbeaf029388795fa0d60a4 Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Tue, 17 Feb 2026 02:12:50 +0530 Subject: [PATCH 097/131] Run provider fetches off MainActor --- Sources/CodexBar/ProviderRegistry.swift | 25 ++++++++++------------- Sources/CodexBar/UsageStore+Refresh.swift | 13 +++++++++++- 2 files changed, 23 insertions(+), 15 deletions(-) diff --git a/Sources/CodexBar/ProviderRegistry.swift b/Sources/CodexBar/ProviderRegistry.swift index 8a503fcbc..1e26c4c86 100644 --- a/Sources/CodexBar/ProviderRegistry.swift +++ b/Sources/CodexBar/ProviderRegistry.swift @@ -4,7 +4,8 @@ import Foundation struct ProviderSpec { let style: IconStyle let isEnabled: @MainActor () -> Bool - let fetch: () async -> ProviderFetchOutcome + let descriptor: ProviderDescriptor + let makeFetchContext: @MainActor () -> ProviderFetchContext } struct ProviderRegistry { @@ -33,22 +34,19 @@ struct ProviderRegistry { let spec = ProviderSpec( style: descriptor.branding.iconStyle, isEnabled: { settings.isProviderEnabled(provider: provider, metadata: meta) }, - fetch: { + descriptor: descriptor, + makeFetchContext: { let sourceMode = ProviderCatalog.implementation(for: provider)? .sourceMode(context: ProviderSourceModeContext(provider: provider, settings: settings)) ?? .auto - let snapshot = await MainActor.run { - Self.makeSettingsSnapshot(settings: settings, tokenOverride: nil) - } - let env = await MainActor.run { - Self.makeEnvironment( - base: ProcessInfo.processInfo.environment, - provider: provider, - settings: settings, - tokenOverride: nil) - } + let snapshot = Self.makeSettingsSnapshot(settings: settings, tokenOverride: nil) + let env = Self.makeEnvironment( + base: ProcessInfo.processInfo.environment, + provider: provider, + settings: settings, + tokenOverride: nil) let verbose = settings.isVerboseLoggingEnabled - let context = ProviderFetchContext( + return ProviderFetchContext( runtime: .app, sourceMode: sourceMode, includeCredits: false, @@ -60,7 +58,6 @@ struct ProviderRegistry { fetcher: codexFetcher, claudeFetcher: claudeFetcher, browserDetection: browserDetection) - return await descriptor.fetchOutcome(context: context) }) specs[provider] = spec } diff --git a/Sources/CodexBar/UsageStore+Refresh.swift b/Sources/CodexBar/UsageStore+Refresh.swift index 0963b8a63..0c456cb75 100644 --- a/Sources/CodexBar/UsageStore+Refresh.swift +++ b/Sources/CodexBar/UsageStore+Refresh.swift @@ -42,7 +42,18 @@ extension UsageStore { } } - let outcome = await spec.fetch() + let fetchContext = spec.makeFetchContext() + let descriptor = spec.descriptor + // Keep provider fetch work off MainActor so slow keychain/process reads don't stall menu/UI responsiveness. + let outcome = await withTaskGroup( + of: ProviderFetchOutcome.self, + returning: ProviderFetchOutcome.self) + { group in + group.addTask { + await descriptor.fetchOutcome(context: fetchContext) + } + return await group.next()! + } if provider == .claude, ClaudeOAuthCredentialsStore.invalidateCacheIfCredentialsFileChanged() { From 75fe890e89bd52d9c2f5f125760666babdf5739a Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Tue, 17 Feb 2026 02:26:37 +0530 Subject: [PATCH 098/131] Update Warp API key guidance links --- .../Providers/Warp/WarpProviderImplementation.swift | 7 ++++--- .../Providers/Warp/WarpProviderDescriptor.swift | 2 +- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/Sources/CodexBar/Providers/Warp/WarpProviderImplementation.swift b/Sources/CodexBar/Providers/Warp/WarpProviderImplementation.swift index aee9f5a2a..e9cb82de9 100644 --- a/Sources/CodexBar/Providers/Warp/WarpProviderImplementation.swift +++ b/Sources/CodexBar/Providers/Warp/WarpProviderImplementation.swift @@ -18,18 +18,19 @@ struct WarpProviderImplementation: ProviderImplementation { ProviderSettingsFieldDescriptor( id: "warp-api-token", title: "API key", - subtitle: "Stored in ~/.codexbar/config.json. Generate one at app.warp.dev.", + subtitle: "Stored in ~/.codexbar/config.json. In Warp, open Settings > Platform > API Keys, " + + "then create one.", kind: .secure, placeholder: "wk-...", binding: context.stringBinding(\.warpAPIToken), actions: [ ProviderSettingsActionDescriptor( id: "warp-open-api-keys", - title: "Open Warp Settings", + title: "Open Warp API Key Guide", style: .link, isVisible: nil, perform: { - if let url = URL(string: "https://app.warp.dev/settings/account") { + if let url = URL(string: "https://docs.warp.dev/reference/cli/api-keys") { NSWorkspace.shared.open(url) } }), diff --git a/Sources/CodexBarCore/Providers/Warp/WarpProviderDescriptor.swift b/Sources/CodexBarCore/Providers/Warp/WarpProviderDescriptor.swift index 1b2d583fc..29506321c 100644 --- a/Sources/CodexBarCore/Providers/Warp/WarpProviderDescriptor.swift +++ b/Sources/CodexBarCore/Providers/Warp/WarpProviderDescriptor.swift @@ -22,7 +22,7 @@ public enum WarpProviderDescriptor { isPrimaryProvider: false, usesAccountFallback: false, browserCookieOrder: nil, - dashboardURL: "https://app.warp.dev/settings/account", + dashboardURL: "https://docs.warp.dev/reference/cli/api-keys", statusPageURL: nil), branding: ProviderBranding( iconStyle: .warp, From 32371494ce514bb784823d4d49a34db2323b3329 Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Tue, 17 Feb 2026 12:44:56 +0530 Subject: [PATCH 099/131] Update Warp API key setup instructions for clarity --- docs/warp.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/docs/warp.md b/docs/warp.md index 3dd407821..eeb66145e 100644 --- a/docs/warp.md +++ b/docs/warp.md @@ -20,7 +20,10 @@ The Warp provider reads credit limits from Warp's GraphQL API using an API token 1. Open **Settings → Providers** 2. Enable **Warp** -3. Enter your API key from `https://app.warp.dev/settings/account` +3. In Warp, open your profile menu → **Settings → Platform → API Keys**, then create a key. +4. Enter the created `wk-...` key in CodexBar. + +Reference guide: `https://docs.warp.dev/reference/cli/api-keys` ### Environment variables (optional) From 9c86a1ae5ce81f84528542e2cacb4469c4ebef63 Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Tue, 17 Feb 2026 13:09:45 +0530 Subject: [PATCH 100/131] Respect stored mode in noninteractive keychain fallback --- .../ClaudeOAuth/ClaudeOAuthCredentials.swift | 27 ++++---- ...uthCredentialsStorePromptPolicyTests.swift | 68 +++++++++++++++++++ 2 files changed, 82 insertions(+), 13 deletions(-) diff --git a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials.swift b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials.swift index d0484a386..57b8ae10f 100644 --- a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials.swift +++ b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials.swift @@ -940,23 +940,25 @@ public enum ClaudeOAuthCredentialsStore { } private static func loadFromClaudeKeychainNonInteractive() throws -> Data? { - guard self.shouldAllowClaudeCodeKeychainAccess(mode: ClaudeOAuthKeychainPromptPreference.current()) else { - return nil - } - #if DEBUG - if let store = taskClaudeKeychainOverrideStore { return store.data } - if let override = taskClaudeKeychainDataOverride ?? self.claudeKeychainDataOverride { return override } - #endif #if os(macOS) + let fallbackPromptMode = ClaudeOAuthKeychainPromptPreference.securityFrameworkFallbackMode() if let data = self.loadFromClaudeKeychainViaSecurityCLIIfEnabled( interaction: ProviderInteractionContext.current) { return data } + // For experimental strategy, enforce stored prompt policy before any Security.framework fallback probes. + guard self.shouldAllowClaudeCodeKeychainAccess(mode: fallbackPromptMode) else { return nil } + + #if DEBUG + if let store = taskClaudeKeychainOverrideStore { return store.data } + if let override = taskClaudeKeychainDataOverride ?? self.claudeKeychainDataOverride { return override } + #endif + // Keep semantics aligned with fingerprinting: if there are multiple entries, we only ever consult the newest // candidate (same as currentClaudeKeychainFingerprintWithoutPrompt()) to avoid syncing from a different item. - let candidates = self.claudeKeychainCandidatesWithoutPrompt() + let candidates = self.claudeKeychainCandidatesWithoutPrompt(promptMode: fallbackPromptMode) if let newest = candidates.first { if let data = try self.loadClaudeKeychainData(candidate: newest, allowKeychainPrompt: false), !data.isEmpty @@ -966,11 +968,10 @@ public enum ClaudeOAuthCredentialsStore { return nil } - if let data = try self.loadClaudeKeychainLegacyData(allowKeychainPrompt: false), - !data.isEmpty - { - return data - } + let legacyData = try self.loadClaudeKeychainLegacyData( + allowKeychainPrompt: false, + promptMode: fallbackPromptMode) + if let legacyData, !legacyData.isEmpty { return legacyData } return nil #else return nil diff --git a/Tests/CodexBarTests/ClaudeOAuthCredentialsStorePromptPolicyTests.swift b/Tests/CodexBarTests/ClaudeOAuthCredentialsStorePromptPolicyTests.swift index 416bb828b..41ea049f7 100644 --- a/Tests/CodexBarTests/ClaudeOAuthCredentialsStorePromptPolicyTests.swift +++ b/Tests/CodexBarTests/ClaudeOAuthCredentialsStorePromptPolicyTests.swift @@ -594,6 +594,74 @@ struct ClaudeOAuthCredentialsStorePromptPolicyTests { } } + @Test + func experimentalReader_nonInteractiveFallbackBlockedInBackgroundWhenStoredModeOnlyOnUserAction() throws { + let service = "com.steipete.codexbar.cache.tests.\(UUID().uuidString)" + try KeychainCacheStore.withServiceOverrideForTesting(service) { + try KeychainAccessGate.withTaskOverrideForTesting(false) { + KeychainCacheStore.setTestStoreForTesting(true) + defer { KeychainCacheStore.setTestStoreForTesting(false) } + + try ClaudeOAuthCredentialsStore.withIsolatedMemoryCacheForTesting { + ClaudeOAuthCredentialsStore.invalidateCache() + ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() + defer { + ClaudeOAuthCredentialsStore.invalidateCache() + ClaudeOAuthCredentialsStore._resetCredentialsFileTrackingForTesting() + } + + let tempDir = FileManager.default.temporaryDirectory + .appendingPathComponent(UUID().uuidString, isDirectory: true) + try FileManager.default.createDirectory(at: tempDir, withIntermediateDirectories: true) + let fileURL = tempDir.appendingPathComponent("credentials.json") + try ClaudeOAuthCredentialsStore.withCredentialsURLOverrideForTesting(fileURL) { + let fallbackData = self.makeCredentialsData( + accessToken: "fallback-token-only-on-user-action", + expiresAt: Date(timeIntervalSinceNow: 3600)) + let preflightOverride: (String, String?) -> KeychainAccessPreflight.Outcome = { _, _ in + .allowed + } + + do { + _ = try KeychainAccessPreflight.withCheckGenericPasswordOverrideForTesting( + preflightOverride, + operation: { + try ClaudeOAuthKeychainReadStrategyPreference.withTaskOverrideForTesting( + .securityCLIExperimental) + { + try ClaudeOAuthKeychainPromptPreference.withTaskOverrideForTesting( + .onlyOnUserAction) + { + try ProviderInteractionContext.$current.withValue(.background) { + try ClaudeOAuthCredentialsStore.withClaudeKeychainOverridesForTesting( + data: fallbackData, + fingerprint: nil) + { + try ClaudeOAuthCredentialsStore + .withSecurityCLIReadOverrideForTesting(.timedOut) { + try ClaudeOAuthCredentialsStore.load( + environment: [:], + allowKeychainPrompt: false, + respectKeychainPromptCooldown: true) + } + } + } + } + } + }) + Issue.record("Expected ClaudeOAuthCredentialsError.notFound") + } catch let error as ClaudeOAuthCredentialsError { + guard case .notFound = error else { + Issue.record("Expected .notFound, got \(error)") + return + } + } + } + } + } + } + } + @Test func experimentalReader_allowsFallbackInBackgroundWhenStoredModeAlways() throws { let service = "com.steipete.codexbar.cache.tests.\(UUID().uuidString)" From d5fa07682dc99dc5e4786116ebcbed3d198e44ab Mon Sep 17 00:00:00 2001 From: Jiacheng Jiang Date: Thu, 5 Feb 2026 14:37:00 +0800 Subject: [PATCH 101/131] feat(kimi) fix kimi provider menu bar order --- Sources/CodexBarCore/Providers/Kimi/KimiUsageSnapshot.swift | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Sources/CodexBarCore/Providers/Kimi/KimiUsageSnapshot.swift b/Sources/CodexBarCore/Providers/Kimi/KimiUsageSnapshot.swift index c39e1602a..4e96e38ac 100644 --- a/Sources/CodexBarCore/Providers/Kimi/KimiUsageSnapshot.swift +++ b/Sources/CodexBarCore/Providers/Kimi/KimiUsageSnapshot.swift @@ -73,8 +73,8 @@ extension KimiUsageSnapshot { loginMethod: nil) return UsageSnapshot( - primary: weeklyWindow, - secondary: rateLimitWindow, + primary: rateLimitWindow ?? weeklyWindow, + secondary: weeklyWindow, tertiary: nil, providerCost: nil, updatedAt: self.updatedAt, From 7fbfa52b45f208ea7143d6e545a22ccb8c3f618e Mon Sep 17 00:00:00 2001 From: Jiacheng Jiang Date: Thu, 5 Feb 2026 20:09:08 +0800 Subject: [PATCH 102/131] fix(kimi): swap UI labels to match usage data order MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Following the data swap in commit f14971a where rate limit became primary and weekly became secondary, update the UI labels to match: - sessionLabel (shown for primary): "Weekly" → "Rate Limit" - weeklyLabel (shown for secondary): "Rate Limit" → "Weekly" This ensures the UI displays: - "Rate Limit" label with rate limit data - "Weekly" label with weekly data Co-Authored-By: Claude Sonnet 4.5 --- .../CodexBarCore/Providers/Kimi/KimiProviderDescriptor.swift | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Sources/CodexBarCore/Providers/Kimi/KimiProviderDescriptor.swift b/Sources/CodexBarCore/Providers/Kimi/KimiProviderDescriptor.swift index 711c20bc8..bd7392baf 100644 --- a/Sources/CodexBarCore/Providers/Kimi/KimiProviderDescriptor.swift +++ b/Sources/CodexBarCore/Providers/Kimi/KimiProviderDescriptor.swift @@ -10,8 +10,8 @@ public enum KimiProviderDescriptor { metadata: ProviderMetadata( id: .kimi, displayName: "Kimi", - sessionLabel: "Weekly", - weeklyLabel: "Rate Limit", + sessionLabel: "Rate Limit", + weeklyLabel: "Weekly", opusLabel: nil, supportsOpus: false, supportsCredits: false, From c49b6919e80c4f7c74a842beed1f801cc26a3d96 Mon Sep 17 00:00:00 2001 From: Jiacheng Jiang Date: Thu, 5 Feb 2026 22:37:30 +0800 Subject: [PATCH 103/131] fix(kimi): avoid duplicate weekly usage when rate limit is missing MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When rateLimitWindow is nil, set secondary to nil instead of weeklyWindow to prevent showing the same weekly metric twice under different labels. Before: - No rate limit → primary: weekly, secondary: weekly (duplicate) After: - No rate limit → primary: weekly, secondary: nil (correct) - Has rate limit → primary: rate limit, secondary: weekly (correct) Co-Authored-By: Claude Sonnet 4.5 --- Sources/CodexBarCore/Providers/Kimi/KimiUsageSnapshot.swift | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Sources/CodexBarCore/Providers/Kimi/KimiUsageSnapshot.swift b/Sources/CodexBarCore/Providers/Kimi/KimiUsageSnapshot.swift index 4e96e38ac..70ccca408 100644 --- a/Sources/CodexBarCore/Providers/Kimi/KimiUsageSnapshot.swift +++ b/Sources/CodexBarCore/Providers/Kimi/KimiUsageSnapshot.swift @@ -74,7 +74,7 @@ extension KimiUsageSnapshot { return UsageSnapshot( primary: rateLimitWindow ?? weeklyWindow, - secondary: weeklyWindow, + secondary: rateLimitWindow != nil ? weeklyWindow : nil, tertiary: nil, providerCost: nil, updatedAt: self.updatedAt, From cb1f82448075b9c29bec51a5d43636216d174327 Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Tue, 17 Feb 2026 13:29:41 +0530 Subject: [PATCH 104/131] Respect fallback policy in silent keychain probes --- .../ClaudeOAuth/ClaudeOAuthCredentials.swift | 64 +++++----- ...sStoreSecurityCLIFallbackPolicyTests.swift | 109 ++++++++++++++++++ 2 files changed, 145 insertions(+), 28 deletions(-) create mode 100644 Tests/CodexBarTests/ClaudeOAuthCredentialsStoreSecurityCLIFallbackPolicyTests.swift diff --git a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials.swift b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials.swift index 57b8ae10f..e3e52c51f 100644 --- a/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials.swift +++ b/Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials.swift @@ -605,14 +605,16 @@ public enum ClaudeOAuthCredentialsStore { #if os(macOS) let mode = ClaudeOAuthKeychainPromptPreference.current() guard self.shouldAllowClaudeCodeKeychainAccess(mode: mode) else { return false } - if self.isPromptPolicyApplicable, - ProviderInteractionContext.current == .background, - !ClaudeOAuthKeychainAccessGate.shouldAllowPrompt() { return false } if self.loadFromClaudeKeychainViaSecurityCLIIfEnabled( interaction: ProviderInteractionContext.current) != nil { return true } + + let fallbackPromptMode = ClaudeOAuthKeychainPromptPreference.securityFrameworkFallbackMode() + guard self.shouldAllowClaudeCodeKeychainAccess(mode: fallbackPromptMode) else { return false } + if ProviderInteractionContext.current == .background, + !ClaudeOAuthKeychainAccessGate.shouldAllowPrompt() { return false } #if DEBUG if let store = self.taskClaudeKeychainOverrideStore, let data = store.data @@ -1511,14 +1513,32 @@ extension ClaudeOAuthCredentialsStore { let mode = ClaudeOAuthKeychainPromptPreference.current() guard self.shouldAllowClaudeCodeKeychainAccess(mode: mode) else { return false } - // If background keychain access has been denied/blocked, don't attempt silent reads that could trigger - // repeated prompts on misbehaving configurations. User actions clear/bypass this gate elsewhere. - if self.isPromptPolicyApplicable, - ProviderInteractionContext.current == .background, + if let data = self.loadFromClaudeKeychainViaSecurityCLIIfEnabled( + interaction: ProviderInteractionContext.current), + !data.isEmpty + { + if let creds = try? ClaudeOAuthCredentials.parse(data: data), !creds.isExpired { + // Keep delegated refresh recovery on the security CLI path only in experimental mode. + // Avoid Security.framework fingerprint probes here because "no UI" queries can still prompt. + self.writeMemoryCache( + record: ClaudeOAuthCredentialRecord(credentials: creds, owner: .claudeCLI, source: .memoryCache), + timestamp: now) + self.saveToCacheKeychain(data, owner: .claudeCLI) + return true + } + } + + let fallbackPromptMode = ClaudeOAuthKeychainPromptPreference.securityFrameworkFallbackMode() + guard self.shouldAllowClaudeCodeKeychainAccess(mode: fallbackPromptMode) else { return false } + + // If background keychain access has been denied/blocked, don't attempt silent Security.framework fallback + // reads that could trigger repeated prompts on misbehaving configurations. + if ProviderInteractionContext.current == .background, !ClaudeOAuthKeychainAccessGate.shouldAllowPrompt(now: now) { return false } #if DEBUG - // Test hook: allow unit tests to simulate a "silent" keychain read without touching the real Keychain. + // Test hook: allow unit tests to simulate a silent Security.framework fallback read without touching + // the real Keychain. let override = self.taskClaudeKeychainOverrideStore?.data ?? self.taskClaudeKeychainDataOverride ?? self.claudeKeychainDataOverride if let override, @@ -1535,21 +1555,6 @@ extension ClaudeOAuthCredentialsStore { } #endif - if let data = self.loadFromClaudeKeychainViaSecurityCLIIfEnabled( - interaction: ProviderInteractionContext.current), - !data.isEmpty - { - if let creds = try? ClaudeOAuthCredentials.parse(data: data), !creds.isExpired { - // Keep delegated refresh recovery on the security CLI path only in experimental mode. - // Avoid Security.framework fingerprint probes here because "no UI" queries can still prompt. - self.writeMemoryCache( - record: ClaudeOAuthCredentialRecord(credentials: creds, owner: .claudeCLI, source: .memoryCache), - timestamp: now) - self.saveToCacheKeychain(data, owner: .claudeCLI) - return true - } - } - // Skip the silent data read if preflight indicates interaction is likely. // Why: on some systems, Security.framework can still surface UI even for "no UI" probes. if self.shouldShowClaudeKeychainPreAlert() { @@ -1557,7 +1562,7 @@ extension ClaudeOAuthCredentialsStore { } // Consult only the newest candidate to avoid syncing from a different keychain entry (e.g. old login). - if let candidate = self.claudeKeychainCandidatesWithoutPrompt().first, + if let candidate = self.claudeKeychainCandidatesWithoutPrompt(promptMode: fallbackPromptMode).first, let data = try? self.loadClaudeKeychainData(candidate: candidate, allowKeychainPrompt: false), !data.isEmpty { @@ -1579,16 +1584,19 @@ extension ClaudeOAuthCredentialsStore { self.saveClaudeKeychainFingerprint(fingerprint) } - if let data = try? self.loadClaudeKeychainLegacyData(allowKeychainPrompt: false), - !data.isEmpty, - let creds = try? ClaudeOAuthCredentials.parse(data: data), + let legacyData = try? self.loadClaudeKeychainLegacyData( + allowKeychainPrompt: false, + promptMode: fallbackPromptMode) + if let legacyData, + !legacyData.isEmpty, + let creds = try? ClaudeOAuthCredentials.parse(data: legacyData), !creds.isExpired { self.saveClaudeKeychainFingerprint(self.currentClaudeKeychainFingerprintWithoutPrompt()) self.writeMemoryCache( record: ClaudeOAuthCredentialRecord(credentials: creds, owner: .claudeCLI, source: .memoryCache), timestamp: now) - self.saveToCacheKeychain(data, owner: .claudeCLI) + self.saveToCacheKeychain(legacyData, owner: .claudeCLI) return true } diff --git a/Tests/CodexBarTests/ClaudeOAuthCredentialsStoreSecurityCLIFallbackPolicyTests.swift b/Tests/CodexBarTests/ClaudeOAuthCredentialsStoreSecurityCLIFallbackPolicyTests.swift new file mode 100644 index 000000000..4db21b4b4 --- /dev/null +++ b/Tests/CodexBarTests/ClaudeOAuthCredentialsStoreSecurityCLIFallbackPolicyTests.swift @@ -0,0 +1,109 @@ +import Foundation +import Testing +@testable import CodexBarCore + +@Suite(.serialized) +struct ClaudeOAuthCredentialsStoreSecurityCLIFallbackPolicyTests { + private func makeCredentialsData(accessToken: String, expiresAt: Date) -> Data { + let millis = Int(expiresAt.timeIntervalSince1970 * 1000) + let json = """ + { + "claudeAiOauth": { + "accessToken": "\(accessToken)", + "expiresAt": \(millis), + "scopes": ["user:profile"] + } + } + """ + return Data(json.utf8) + } + + @Test + func experimentalReader_hasClaudeKeychainCredentialsWithoutPrompt_backgroundFallbackBlockedByStoredPolicy() { + let fallbackData = self.makeCredentialsData( + accessToken: "fallback-should-be-blocked", + expiresAt: Date(timeIntervalSinceNow: 3600)) + + let hasCredentials = KeychainAccessGate.withTaskOverrideForTesting(false) { + ClaudeOAuthKeychainReadStrategyPreference.withTaskOverrideForTesting( + .securityCLIExperimental, + operation: { + ClaudeOAuthKeychainPromptPreference.withTaskOverrideForTesting( + .onlyOnUserAction, + operation: { + ProviderInteractionContext.$current.withValue(.background) { + ClaudeOAuthCredentialsStore.withClaudeKeychainOverridesForTesting( + data: fallbackData, + fingerprint: nil) + { + ClaudeOAuthCredentialsStore.withSecurityCLIReadOverrideForTesting( + .nonZeroExit) + { + ClaudeOAuthCredentialsStore.hasClaudeKeychainCredentialsWithoutPrompt() + } + } + } + }) + }) + } + + #expect(hasCredentials == false) + } + + @Test + func experimentalReader_syncFromClaudeKeychainWithoutPrompt_backgroundFallbackBlockedByStoredPolicy() { + let service = "com.steipete.codexbar.cache.tests.\(UUID().uuidString)" + KeychainCacheStore.withServiceOverrideForTesting(service) { + KeychainAccessGate.withTaskOverrideForTesting(false) { + KeychainCacheStore.setTestStoreForTesting(true) + defer { KeychainCacheStore.setTestStoreForTesting(false) } + + ClaudeOAuthCredentialsStore.withIsolatedMemoryCacheForTesting { + ClaudeOAuthCredentialsStore.invalidateCache() + defer { ClaudeOAuthCredentialsStore.invalidateCache() } + + let fallbackData = self.makeCredentialsData( + accessToken: "sync-fallback-should-be-blocked", + expiresAt: Date(timeIntervalSinceNow: 3600)) + final class Counter: @unchecked Sendable { + var value = 0 + } + let preflightCalls = Counter() + let preflightOverride: (String, String?) -> KeychainAccessPreflight.Outcome = { _, _ in + preflightCalls.value += 1 + return .allowed + } + + let synced = KeychainAccessPreflight.withCheckGenericPasswordOverrideForTesting( + preflightOverride, + operation: { + ClaudeOAuthKeychainReadStrategyPreference.withTaskOverrideForTesting( + .securityCLIExperimental, + operation: { + ClaudeOAuthKeychainPromptPreference.withTaskOverrideForTesting( + .onlyOnUserAction, + operation: { + ProviderInteractionContext.$current.withValue(.background) { + ClaudeOAuthCredentialsStore.withClaudeKeychainOverridesForTesting( + data: fallbackData, + fingerprint: nil) + { + ClaudeOAuthCredentialsStore.withSecurityCLIReadOverrideForTesting( + .timedOut) + { + ClaudeOAuthCredentialsStore + .syncFromClaudeKeychainWithoutPrompt(now: Date()) + } + } + } + }) + }) + }) + + #expect(synced == false) + #expect(preflightCalls.value == 0) + } + } + } + } +} From 148d47e1ca2c2226ed3b293fe041045de13bcf45 Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Tue, 17 Feb 2026 14:11:19 +0530 Subject: [PATCH 105/131] Align OAuth availability test with fallback policy --- .../ClaudeOAuthFetchStrategyAvailabilityTests.swift | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Tests/CodexBarTests/ClaudeOAuthFetchStrategyAvailabilityTests.swift b/Tests/CodexBarTests/ClaudeOAuthFetchStrategyAvailabilityTests.swift index be33a035e..6bebf67a4 100644 --- a/Tests/CodexBarTests/ClaudeOAuthFetchStrategyAvailabilityTests.swift +++ b/Tests/CodexBarTests/ClaudeOAuthFetchStrategyAvailabilityTests.swift @@ -242,7 +242,7 @@ struct ClaudeOAuthFetchStrategyAvailabilityTests { } @Test - func autoMode_experimental_reader_securityFailure_keepsAvailabilityForNoUIPresenceCheck() async { + func autoMode_experimental_reader_securityFailure_blocksAvailabilityWhenStoredPolicyBlocksFallback() async { let context = self.makeContext(sourceMode: .auto) let strategy = ClaudeOAuthFetchStrategy() let fallbackData = Data(""" @@ -292,7 +292,7 @@ struct ClaudeOAuthFetchStrategyAvailabilityTests { } } - #expect(available == true) + #expect(available == false) } } #endif From b8189b4cf93f92e2c5c3920b100f9e455c40a77b Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Tue, 17 Feb 2026 21:29:34 +0530 Subject: [PATCH 106/131] Move Claude prompt-free toggle to Claude options --- .../CodexBar/PreferencesAdvancedPane.swift | 13 ++------ .../Claude/ClaudeProviderImplementation.swift | 30 +++++++++++++++++++ 2 files changed, 32 insertions(+), 11 deletions(-) diff --git a/Sources/CodexBar/PreferencesAdvancedPane.swift b/Sources/CodexBar/PreferencesAdvancedPane.swift index 86702b23f..1db4897f2 100644 --- a/Sources/CodexBar/PreferencesAdvancedPane.swift +++ b/Sources/CodexBar/PreferencesAdvancedPane.swift @@ -80,18 +80,9 @@ struct AdvancedPane: View { SettingsSection( title: "Keychain access", caption: """ - Control how CodexBar uses Keychain. Disabling Keychain access entirely also disables browser \ - cookie import. + Disable all Keychain reads and writes. Browser cookie import is unavailable; paste Cookie \ + headers manually in Providers. """) { - PreferenceToggleRow( - title: "Claude creds without prompts (experimental)", - subtitle: self.settings.debugDisableKeychainAccess - ? "Inactive while \"Disable Keychain access\" is enabled." - : "Use /usr/bin/security to read Claude credentials and avoid CodexBar " + - "keychain prompts. Claude Keychain prompt policy applies only in " + - "Security.framework mode.", - binding: self.$settings.claudeOAuthPromptFreeCredentialsEnabled) - .disabled(self.settings.debugDisableKeychainAccess) PreferenceToggleRow( title: "Disable Keychain access", subtitle: "Prevents any Keychain access while enabled.", diff --git a/Sources/CodexBar/Providers/Claude/ClaudeProviderImplementation.swift b/Sources/CodexBar/Providers/Claude/ClaudeProviderImplementation.swift index 6885c88a7..de1bdffc7 100644 --- a/Sources/CodexBar/Providers/Claude/ClaudeProviderImplementation.swift +++ b/Sources/CodexBar/Providers/Claude/ClaudeProviderImplementation.swift @@ -62,6 +62,36 @@ struct ClaudeProviderImplementation: ProviderImplementation { } } + @MainActor + func settingsToggles(context: ProviderSettingsContext) -> [ProviderSettingsToggleDescriptor] { + let subtitle = if context.settings.debugDisableKeychainAccess { + "Inactive while \"Disable Keychain access\" is enabled in Advanced." + } else { + "Use /usr/bin/security to read Claude credentials and avoid CodexBar keychain prompts." + } + + let promptFreeBinding = Binding( + get: { context.settings.claudeOAuthPromptFreeCredentialsEnabled }, + set: { enabled in + guard !context.settings.debugDisableKeychainAccess else { return } + context.settings.claudeOAuthPromptFreeCredentialsEnabled = enabled + }) + + return [ + ProviderSettingsToggleDescriptor( + id: "claude-oauth-prompt-free-credentials", + title: "Avoid Keychain prompts (experimental)", + subtitle: subtitle, + binding: promptFreeBinding, + statusText: nil, + actions: [], + isVisible: nil, + onChange: nil, + onAppDidBecomeActive: nil, + onAppearWhenEnabled: nil), + ] + } + @MainActor func settingsPickers(context: ProviderSettingsContext) -> [ProviderSettingsPickerDescriptor] { let usageBinding = Binding( From ad6c7518bcabceb4eb3d09b2348c93f3fcee1037 Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Tue, 17 Feb 2026 22:17:40 +0530 Subject: [PATCH 107/131] Scope Kimi short-window priority to automatic metric selection --- Sources/CodexBar/StatusItemController.swift | 2 +- Sources/CodexBar/UsageStore.swift | 4 +- .../Kimi/KimiProviderDescriptor.swift | 4 +- .../Providers/Kimi/KimiUsageSnapshot.swift | 4 +- .../StatusItemAnimationTests.swift | 39 +++++++++++++++++++ .../UsageStoreCoverageTests.swift | 28 +++++++++++++ 6 files changed, 74 insertions(+), 7 deletions(-) diff --git a/Sources/CodexBar/StatusItemController.swift b/Sources/CodexBar/StatusItemController.swift index dce63bf76..5a0a8a044 100644 --- a/Sources/CodexBar/StatusItemController.swift +++ b/Sources/CodexBar/StatusItemController.swift @@ -125,7 +125,7 @@ final class StatusItemController: NSObject, NSMenuDelegate, StatusItemControllin let usedPercent = (primary.usedPercent + secondary.usedPercent) / 2 return RateWindow(usedPercent: usedPercent, windowMinutes: nil, resetsAt: nil, resetDescription: nil) case .automatic: - if provider == .factory { + if provider == .factory || provider == .kimi { return snapshot?.secondary ?? snapshot?.primary } return snapshot?.primary ?? snapshot?.secondary diff --git a/Sources/CodexBar/UsageStore.swift b/Sources/CodexBar/UsageStore.swift index b42856c71..5164328a1 100644 --- a/Sources/CodexBar/UsageStore.swift +++ b/Sources/CodexBar/UsageStore.swift @@ -314,8 +314,8 @@ final class UsageStore { for provider in self.enabledProviders() { guard let snapshot = self.snapshots[provider] else { continue } // Use the same window selection logic as menuBarPercentWindow: - // Factory uses secondary (premium) first, others use primary (session) first. - let window: RateWindow? = if provider == .factory { + // Factory and Kimi use secondary first, others use primary first. + let window: RateWindow? = if provider == .factory || provider == .kimi { snapshot.secondary ?? snapshot.primary } else { snapshot.primary ?? snapshot.secondary diff --git a/Sources/CodexBarCore/Providers/Kimi/KimiProviderDescriptor.swift b/Sources/CodexBarCore/Providers/Kimi/KimiProviderDescriptor.swift index bd7392baf..711c20bc8 100644 --- a/Sources/CodexBarCore/Providers/Kimi/KimiProviderDescriptor.swift +++ b/Sources/CodexBarCore/Providers/Kimi/KimiProviderDescriptor.swift @@ -10,8 +10,8 @@ public enum KimiProviderDescriptor { metadata: ProviderMetadata( id: .kimi, displayName: "Kimi", - sessionLabel: "Rate Limit", - weeklyLabel: "Weekly", + sessionLabel: "Weekly", + weeklyLabel: "Rate Limit", opusLabel: nil, supportsOpus: false, supportsCredits: false, diff --git a/Sources/CodexBarCore/Providers/Kimi/KimiUsageSnapshot.swift b/Sources/CodexBarCore/Providers/Kimi/KimiUsageSnapshot.swift index 70ccca408..c39e1602a 100644 --- a/Sources/CodexBarCore/Providers/Kimi/KimiUsageSnapshot.swift +++ b/Sources/CodexBarCore/Providers/Kimi/KimiUsageSnapshot.swift @@ -73,8 +73,8 @@ extension KimiUsageSnapshot { loginMethod: nil) return UsageSnapshot( - primary: rateLimitWindow ?? weeklyWindow, - secondary: rateLimitWindow != nil ? weeklyWindow : nil, + primary: weeklyWindow, + secondary: rateLimitWindow, tertiary: nil, providerCost: nil, updatedAt: self.updatedAt, diff --git a/Tests/CodexBarTests/StatusItemAnimationTests.swift b/Tests/CodexBarTests/StatusItemAnimationTests.swift index e4c8a5407..de7f4708e 100644 --- a/Tests/CodexBarTests/StatusItemAnimationTests.swift +++ b/Tests/CodexBarTests/StatusItemAnimationTests.swift @@ -269,6 +269,45 @@ struct StatusItemAnimationTests { #expect(window?.usedPercent == 42) } + @Test + func menuBarPercentAutomaticPrefersRateLimitForKimi() { + let settings = SettingsStore( + configStore: testConfigStore(suiteName: "StatusItemAnimationTests-kimi-automatic"), + zaiTokenStore: NoopZaiTokenStore()) + settings.statusChecksEnabled = false + settings.refreshFrequency = .manual + settings.mergeIcons = true + settings.selectedMenuProvider = .kimi + settings.setMenuBarMetricPreference(.automatic, for: .kimi) + + let registry = ProviderRegistry.shared + if let kimiMeta = registry.metadata[.kimi] { + settings.setProviderEnabled(provider: .kimi, metadata: kimiMeta, enabled: true) + } + + let fetcher = UsageFetcher() + let store = UsageStore(fetcher: fetcher, browserDetection: BrowserDetection(cacheTTL: 0), settings: settings) + let controller = StatusItemController( + store: store, + settings: settings, + account: fetcher.loadAccountInfo(), + updater: DisabledUpdaterController(), + preferencesSelection: PreferencesSelection(), + statusBar: self.makeStatusBarForTesting()) + + let snapshot = UsageSnapshot( + primary: RateWindow(usedPercent: 12, windowMinutes: nil, resetsAt: nil, resetDescription: nil), + secondary: RateWindow(usedPercent: 42, windowMinutes: 300, resetsAt: nil, resetDescription: nil), + updatedAt: Date()) + + store._setSnapshotForTesting(snapshot, provider: .kimi) + store._setErrorForTesting(nil, provider: .kimi) + + let window = controller.menuBarMetricWindow(for: .kimi, snapshot: snapshot) + + #expect(window?.usedPercent == 42) + } + @Test func menuBarPercentUsesAverageForGemini() { let settings = SettingsStore( diff --git a/Tests/CodexBarTests/UsageStoreCoverageTests.swift b/Tests/CodexBarTests/UsageStoreCoverageTests.swift index 889ff4f20..32ea42851 100644 --- a/Tests/CodexBarTests/UsageStoreCoverageTests.swift +++ b/Tests/CodexBarTests/UsageStoreCoverageTests.swift @@ -71,6 +71,34 @@ struct UsageStoreCoverageTests { #expect(label.contains("openai-web")) } + @Test + func providerWithHighestUsagePrefersKimiRateLimitWindow() throws { + let settings = Self.makeSettingsStore(suite: "UsageStoreCoverageTests-kimi-highest") + let store = Self.makeUsageStore(settings: settings) + let metadata = ProviderRegistry.shared.metadata + + try settings.setProviderEnabled(provider: .codex, metadata: #require(metadata[.codex]), enabled: true) + try settings.setProviderEnabled(provider: .kimi, metadata: #require(metadata[.kimi]), enabled: true) + + let now = Date() + store._setSnapshotForTesting( + UsageSnapshot( + primary: RateWindow(usedPercent: 60, windowMinutes: nil, resetsAt: nil, resetDescription: nil), + secondary: nil, + updatedAt: now), + provider: .codex) + store._setSnapshotForTesting( + UsageSnapshot( + primary: RateWindow(usedPercent: 10, windowMinutes: nil, resetsAt: nil, resetDescription: nil), + secondary: RateWindow(usedPercent: 80, windowMinutes: 300, resetsAt: nil, resetDescription: nil), + updatedAt: now), + provider: .kimi) + + let highest = store.providerWithHighestUsage() + #expect(highest?.provider == .kimi) + #expect(highest?.usedPercent == 80) + } + @Test func providerAvailabilityAndSubscriptionDetection() { let zaiStore = InMemoryZaiTokenStore(value: "zai-token") From 8348c85cd8d43affa0c9d83be20ff42d895fe1dc Mon Sep 17 00:00:00 2001 From: chountalas Date: Tue, 3 Feb 2026 20:51:10 -0700 Subject: [PATCH 108/131] feat: Add OpenRouter provider for credit-based usage tracking Adds OpenRouter as a new provider that tracks credit usage via their API. Features: - Fetches credits from /api/v1/credits endpoint - Shows credit usage percentage and remaining balance - Supports OPENROUTER_API_KEY environment variable - Settings UI for API key configuration New files: - OpenRouterProviderDescriptor.swift - Provider descriptor + fetch strategy - OpenRouterUsageStats.swift - API fetcher + response models - OpenRouterSettingsReader.swift - Environment variable reader - OpenRouterProviderImplementation.swift - UI implementation - OpenRouterSettingsStore.swift - Settings extension - ProviderIcon-openrouter.svg - Provider icon - docs/openrouter.md - Provider documentation Co-Authored-By: Claude Opus 4.5 --- README.md | 3 +- .../OpenRouterProviderImplementation.swift | 56 +++++ .../OpenRouter/OpenRouterSettingsStore.swift | 16 ++ .../Resources/ProviderIcon-openrouter.svg | 9 + .../CodexBarCore/Logging/LogCategories.swift | 1 + .../OpenRouterProviderDescriptor.swift | 83 +++++++ .../OpenRouter/OpenRouterSettingsReader.swift | 38 +++ .../OpenRouter/OpenRouterUsageStats.swift | 233 ++++++++++++++++++ .../Providers/ProviderDescriptor.swift | 1 + .../Providers/ProviderTokenResolver.swift | 10 + .../CodexBarCore/Providers/Providers.swift | 2 + Sources/CodexBarCore/UsageFetcher.swift | 5 + docs/claude.md | 9 + docs/openrouter.md | 54 ++++ docs/providers.md | 11 +- 15 files changed, 529 insertions(+), 2 deletions(-) create mode 100644 Sources/CodexBar/Providers/OpenRouter/OpenRouterProviderImplementation.swift create mode 100644 Sources/CodexBar/Providers/OpenRouter/OpenRouterSettingsStore.swift create mode 100644 Sources/CodexBar/Resources/ProviderIcon-openrouter.svg create mode 100644 Sources/CodexBarCore/Providers/OpenRouter/OpenRouterProviderDescriptor.swift create mode 100644 Sources/CodexBarCore/Providers/OpenRouter/OpenRouterSettingsReader.swift create mode 100644 Sources/CodexBarCore/Providers/OpenRouter/OpenRouterUsageStats.swift create mode 100644 docs/openrouter.md diff --git a/README.md b/README.md index 757fbf030..c68d64cf8 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # CodexBar 🎚️ - May your tokens never run out. -Tiny macOS 14+ menu bar app that keeps your Codex, Claude, Cursor, Gemini, Antigravity, Droid (Factory), Copilot, z.ai, Kiro, Vertex AI, Augment, Amp, and JetBrains AI limits visible (session + weekly where available) and shows when each window resets. One status item per provider (or Merge Icons mode); enable what you use from Settings. No Dock icon, minimal UI, dynamic bar icons in the menu bar. +Tiny macOS 14+ menu bar app that keeps your Codex, Claude, Cursor, Gemini, Antigravity, Droid (Factory), Copilot, z.ai, Kiro, Vertex AI, Augment, Amp, JetBrains AI, and OpenRouter limits visible (session + weekly where available) and shows when each window resets. One status item per provider (or Merge Icons mode); enable what you use from Settings. No Dock icon, minimal UI, dynamic bar icons in the menu bar. CodexBar menu screenshot @@ -46,6 +46,7 @@ Linux support via Omarchy: community Waybar module and TUI, driven by the `codex - [Augment](docs/augment.md) — Browser cookie-based authentication with automatic session keepalive; credits tracking and usage monitoring. - [Amp](docs/amp.md) — Browser cookie-based authentication with Amp Free usage tracking. - [JetBrains AI](docs/jetbrains.md) — Local XML-based quota from JetBrains IDE configuration; monthly credits tracking. +- [OpenRouter](docs/openrouter.md) — API token for credit-based usage tracking across multiple AI providers. - Open to new providers: [provider authoring guide](docs/provider.md). ## Icon & Screenshot diff --git a/Sources/CodexBar/Providers/OpenRouter/OpenRouterProviderImplementation.swift b/Sources/CodexBar/Providers/OpenRouter/OpenRouterProviderImplementation.swift new file mode 100644 index 000000000..89e47e1ea --- /dev/null +++ b/Sources/CodexBar/Providers/OpenRouter/OpenRouterProviderImplementation.swift @@ -0,0 +1,56 @@ +import AppKit +import CodexBarCore +import CodexBarMacroSupport +import Foundation +import SwiftUI + +@ProviderImplementationRegistration +struct OpenRouterProviderImplementation: ProviderImplementation { + let id: UsageProvider = .openrouter + + @MainActor + func presentation(context _: ProviderPresentationContext) -> ProviderPresentation { + ProviderPresentation { _ in "api" } + } + + @MainActor + func observeSettings(_ settings: SettingsStore) { + _ = settings.openRouterAPIToken + } + + @MainActor + func settingsSnapshot(context: ProviderSettingsSnapshotContext) -> ProviderSettingsSnapshotContribution? { + _ = context + return nil + } + + @MainActor + func isAvailable(context: ProviderAvailabilityContext) -> Bool { + if OpenRouterSettingsReader.apiToken(environment: context.environment) != nil { + return true + } + context.settings.ensureOpenRouterAPITokenLoaded() + return !context.settings.openRouterAPIToken.trimmingCharacters(in: .whitespacesAndNewlines).isEmpty + } + + @MainActor + func settingsPickers(context _: ProviderSettingsContext) -> [ProviderSettingsPickerDescriptor] { + [] + } + + @MainActor + func settingsFields(context: ProviderSettingsContext) -> [ProviderSettingsFieldDescriptor] { + [ + ProviderSettingsFieldDescriptor( + id: "openrouter-api-key", + title: "API key", + subtitle: "Stored in ~/.codexbar/config.json. Get your key from openrouter.ai/settings/keys.", + kind: .secure, + placeholder: "sk-or-v1-...", + binding: context.stringBinding(\.openRouterAPIToken), + actions: [], + isVisible: nil, + onActivate: { context.settings.ensureOpenRouterAPITokenLoaded() }), + ] + } +} diff --git a/Sources/CodexBar/Providers/OpenRouter/OpenRouterSettingsStore.swift b/Sources/CodexBar/Providers/OpenRouter/OpenRouterSettingsStore.swift new file mode 100644 index 000000000..5f0ee030f --- /dev/null +++ b/Sources/CodexBar/Providers/OpenRouter/OpenRouterSettingsStore.swift @@ -0,0 +1,16 @@ +import CodexBarCore +import Foundation + +extension SettingsStore { + var openRouterAPIToken: String { + get { self.configSnapshot.providerConfig(for: .openrouter)?.sanitizedAPIKey ?? "" } + set { + self.updateProviderConfig(provider: .openrouter) { entry in + entry.apiKey = self.normalizedConfigValue(newValue) + } + self.logSecretUpdate(provider: .openrouter, field: "apiKey", value: newValue) + } + } + + func ensureOpenRouterAPITokenLoaded() {} +} diff --git a/Sources/CodexBar/Resources/ProviderIcon-openrouter.svg b/Sources/CodexBar/Resources/ProviderIcon-openrouter.svg new file mode 100644 index 000000000..c5fb0c13a --- /dev/null +++ b/Sources/CodexBar/Resources/ProviderIcon-openrouter.svg @@ -0,0 +1,9 @@ + + + + + + + + + diff --git a/Sources/CodexBarCore/Logging/LogCategories.swift b/Sources/CodexBarCore/Logging/LogCategories.swift index 5904ce7ad..37a7726ef 100644 --- a/Sources/CodexBarCore/Logging/LogCategories.swift +++ b/Sources/CodexBarCore/Logging/LogCategories.swift @@ -42,6 +42,7 @@ public enum LogCategories { public static let openAIWebview = "openai-webview" public static let ollama = "ollama" public static let opencodeUsage = "opencode-usage" + public static let openRouterUsage = "openrouter-usage" public static let providerDetection = "provider-detection" public static let providers = "providers" public static let sessionQuota = "sessionQuota" diff --git a/Sources/CodexBarCore/Providers/OpenRouter/OpenRouterProviderDescriptor.swift b/Sources/CodexBarCore/Providers/OpenRouter/OpenRouterProviderDescriptor.swift new file mode 100644 index 000000000..9334241fc --- /dev/null +++ b/Sources/CodexBarCore/Providers/OpenRouter/OpenRouterProviderDescriptor.swift @@ -0,0 +1,83 @@ +import CodexBarMacroSupport +import Foundation + +@ProviderDescriptorRegistration +@ProviderDescriptorDefinition +public enum OpenRouterProviderDescriptor { + static func makeDescriptor() -> ProviderDescriptor { + ProviderDescriptor( + id: .openrouter, + metadata: ProviderMetadata( + id: .openrouter, + displayName: "OpenRouter", + sessionLabel: "Credits", + weeklyLabel: "Usage", + opusLabel: nil, + supportsOpus: false, + supportsCredits: true, + creditsHint: "Credit balance from OpenRouter API", + toggleTitle: "Show OpenRouter usage", + cliName: "openrouter", + defaultEnabled: false, + isPrimaryProvider: false, + usesAccountFallback: false, + dashboardURL: "https://openrouter.ai/settings/credits", + statusPageURL: nil, + statusLinkURL: "https://status.openrouter.ai"), + branding: ProviderBranding( + iconStyle: .openrouter, + iconResourceName: "ProviderIcon-openrouter", + color: ProviderColor(red: 111 / 255, green: 66 / 255, blue: 193 / 255)), + tokenCost: ProviderTokenCostConfig( + supportsTokenCost: false, + noDataMessage: { "OpenRouter cost summary is not yet supported." }), + fetchPlan: ProviderFetchPlan( + sourceModes: [.auto, .api], + pipeline: ProviderFetchPipeline(resolveStrategies: { _ in [OpenRouterAPIFetchStrategy()] })), + cli: ProviderCLIConfig( + name: "openrouter", + aliases: ["or"], + versionDetector: nil)) + } +} + +struct OpenRouterAPIFetchStrategy: ProviderFetchStrategy { + let id: String = "openrouter.api" + let kind: ProviderFetchKind = .apiToken + + func isAvailable(_ context: ProviderFetchContext) async -> Bool { + Self.resolveToken(environment: context.env) != nil + } + + func fetch(_ context: ProviderFetchContext) async throws -> ProviderFetchResult { + guard let apiKey = Self.resolveToken(environment: context.env) else { + throw OpenRouterSettingsError.missingToken + } + let usage = try await OpenRouterUsageFetcher.fetchUsage( + apiKey: apiKey, + environment: context.env) + return self.makeResult( + usage: usage.toUsageSnapshot(), + sourceLabel: "api") + } + + func shouldFallback(on _: Error, context _: ProviderFetchContext) -> Bool { + false + } + + private static func resolveToken(environment: [String: String]) -> String? { + ProviderTokenResolver.openRouterToken(environment: environment) + } +} + +/// Errors related to OpenRouter settings +public enum OpenRouterSettingsError: LocalizedError, Sendable { + case missingToken + + public var errorDescription: String? { + switch self { + case .missingToken: + "OpenRouter API token not configured. Set OPENROUTER_API_KEY environment variable or configure in Settings." + } + } +} diff --git a/Sources/CodexBarCore/Providers/OpenRouter/OpenRouterSettingsReader.swift b/Sources/CodexBarCore/Providers/OpenRouter/OpenRouterSettingsReader.swift new file mode 100644 index 000000000..646b648f9 --- /dev/null +++ b/Sources/CodexBarCore/Providers/OpenRouter/OpenRouterSettingsReader.swift @@ -0,0 +1,38 @@ +import Foundation + +/// Reads OpenRouter settings from environment variables +public enum OpenRouterSettingsReader { + /// Environment variable key for OpenRouter API token + public static let envKey = "OPENROUTER_API_KEY" + + /// Returns the API token from environment if present and non-empty + public static func apiToken(environment: [String: String] = ProcessInfo.processInfo.environment) -> String? { + cleaned(environment[envKey]) + } + + /// Returns the API URL, defaulting to production endpoint + public static func apiURL(environment: [String: String] = ProcessInfo.processInfo.environment) -> URL { + if let override = environment["OPENROUTER_API_URL"], + let url = URL(string: cleaned(override) ?? "") + { + return url + } + return URL(string: "https://openrouter.ai/api/v1")! + } + + static func cleaned(_ raw: String?) -> String? { + guard var value = raw?.trimmingCharacters(in: .whitespacesAndNewlines), !value.isEmpty else { + return nil + } + + if (value.hasPrefix("\"") && value.hasSuffix("\"")) || + (value.hasPrefix("'") && value.hasSuffix("'")) + { + value.removeFirst() + value.removeLast() + } + + value = value.trimmingCharacters(in: .whitespacesAndNewlines) + return value.isEmpty ? nil : value + } +} diff --git a/Sources/CodexBarCore/Providers/OpenRouter/OpenRouterUsageStats.swift b/Sources/CodexBarCore/Providers/OpenRouter/OpenRouterUsageStats.swift new file mode 100644 index 000000000..2aa4e680e --- /dev/null +++ b/Sources/CodexBarCore/Providers/OpenRouter/OpenRouterUsageStats.swift @@ -0,0 +1,233 @@ +import Foundation +#if canImport(FoundationNetworking) +import FoundationNetworking +#endif + +/// OpenRouter credits API response +public struct OpenRouterCreditsResponse: Decodable, Sendable { + public let data: OpenRouterCreditsData +} + +/// OpenRouter credits data +public struct OpenRouterCreditsData: Decodable, Sendable { + /// Total credits ever added to the account (in USD) + public let totalCredits: Double + /// Total credits used (in USD) + public let totalUsage: Double + + private enum CodingKeys: String, CodingKey { + case totalCredits = "total_credits" + case totalUsage = "total_usage" + } + + /// Remaining credits (total - usage) + public var balance: Double { + max(0, totalCredits - totalUsage) + } + + /// Usage percentage (0-100) + public var usedPercent: Double { + guard totalCredits > 0 else { return 0 } + return min(100, (totalUsage / totalCredits) * 100) + } +} + +/// OpenRouter key info API response (for rate limits) +public struct OpenRouterKeyResponse: Decodable, Sendable { + public let data: OpenRouterKeyData +} + +/// OpenRouter key data with rate limit info +public struct OpenRouterKeyData: Decodable, Sendable { + /// Rate limit per interval + public let rateLimit: OpenRouterRateLimit? + /// Usage limits + public let limit: Double? + /// Current usage + public let usage: Double? + + private enum CodingKeys: String, CodingKey { + case rateLimit = "rate_limit" + case limit + case usage + } +} + +/// OpenRouter rate limit info +public struct OpenRouterRateLimit: Decodable, Sendable { + /// Number of requests allowed + public let requests: Int + /// Interval for the rate limit (e.g., "10s", "1m") + public let interval: String +} + +/// Complete OpenRouter usage snapshot +public struct OpenRouterUsageSnapshot: Sendable { + public let totalCredits: Double + public let totalUsage: Double + public let balance: Double + public let usedPercent: Double + public let rateLimit: OpenRouterRateLimit? + public let updatedAt: Date + + public init( + totalCredits: Double, + totalUsage: Double, + balance: Double, + usedPercent: Double, + rateLimit: OpenRouterRateLimit?, + updatedAt: Date) + { + self.totalCredits = totalCredits + self.totalUsage = totalUsage + self.balance = balance + self.usedPercent = usedPercent + self.rateLimit = rateLimit + self.updatedAt = updatedAt + } + + /// Returns true if this snapshot contains valid data + public var isValid: Bool { + totalCredits >= 0 + } +} + +extension OpenRouterUsageSnapshot { + public func toUsageSnapshot() -> UsageSnapshot { + // Primary: credits usage percentage + let primary = RateWindow( + usedPercent: usedPercent, + windowMinutes: nil, + resetsAt: nil, + resetDescription: "Credits") + + // Format balance for identity display + let balanceStr = String(format: "$%.2f", balance) + let identity = ProviderIdentitySnapshot( + providerID: .openrouter, + accountEmail: nil, + accountOrganization: nil, + loginMethod: "Balance: \(balanceStr)") + + return UsageSnapshot( + primary: primary, + secondary: nil, + tertiary: nil, + providerCost: nil, + openRouterUsage: self, + updatedAt: updatedAt, + identity: identity) + } +} + +/// Fetches usage stats from the OpenRouter API +public struct OpenRouterUsageFetcher: Sendable { + private static let log = CodexBarLog.logger(LogCategories.openRouterUsage) + + /// Fetches credits usage from OpenRouter using the provided API key + public static func fetchUsage( + apiKey: String, + environment: [String: String] = ProcessInfo.processInfo.environment) async throws -> OpenRouterUsageSnapshot + { + guard !apiKey.isEmpty else { + throw OpenRouterUsageError.invalidCredentials + } + + let baseURL = OpenRouterSettingsReader.apiURL(environment: environment) + let creditsURL = baseURL.appendingPathComponent("credits") + + var request = URLRequest(url: creditsURL) + request.httpMethod = "GET" + request.setValue("Bearer \(apiKey)", forHTTPHeaderField: "Authorization") + request.setValue("application/json", forHTTPHeaderField: "Accept") + + let (data, response) = try await URLSession.shared.data(for: request) + + guard let httpResponse = response as? HTTPURLResponse else { + throw OpenRouterUsageError.networkError("Invalid response") + } + + guard httpResponse.statusCode == 200 else { + let errorMessage = String(data: data, encoding: .utf8) ?? "Unknown error" + Self.log.error("OpenRouter API returned \(httpResponse.statusCode): \(errorMessage)") + throw OpenRouterUsageError.apiError("HTTP \(httpResponse.statusCode): \(errorMessage)") + } + + // Log raw response for debugging + if let jsonString = String(data: data, encoding: .utf8) { + Self.log.debug("OpenRouter credits response: \(jsonString)") + } + + do { + let decoder = JSONDecoder() + let creditsResponse = try decoder.decode(OpenRouterCreditsResponse.self, from: data) + + // Optionally fetch rate limit info from /key endpoint + let rateLimit = await fetchRateLimit(apiKey: apiKey, baseURL: baseURL) + + return OpenRouterUsageSnapshot( + totalCredits: creditsResponse.data.totalCredits, + totalUsage: creditsResponse.data.totalUsage, + balance: creditsResponse.data.balance, + usedPercent: creditsResponse.data.usedPercent, + rateLimit: rateLimit, + updatedAt: Date()) + } catch let error as DecodingError { + Self.log.error("OpenRouter JSON decoding error: \(error.localizedDescription)") + throw OpenRouterUsageError.parseFailed(error.localizedDescription) + } catch let error as OpenRouterUsageError { + throw error + } catch { + Self.log.error("OpenRouter parsing error: \(error.localizedDescription)") + throw OpenRouterUsageError.parseFailed(error.localizedDescription) + } + } + + /// Fetches rate limit info from /key endpoint + private static func fetchRateLimit(apiKey: String, baseURL: URL) async -> OpenRouterRateLimit? { + let keyURL = baseURL.appendingPathComponent("key") + + var request = URLRequest(url: keyURL) + request.httpMethod = "GET" + request.setValue("Bearer \(apiKey)", forHTTPHeaderField: "Authorization") + request.setValue("application/json", forHTTPHeaderField: "Accept") + + do { + let (data, response) = try await URLSession.shared.data(for: request) + + guard let httpResponse = response as? HTTPURLResponse, + httpResponse.statusCode == 200 + else { + return nil + } + + let decoder = JSONDecoder() + let keyResponse = try decoder.decode(OpenRouterKeyResponse.self, from: data) + return keyResponse.data.rateLimit + } catch { + Self.log.debug("Failed to fetch OpenRouter rate limit: \(error.localizedDescription)") + return nil + } + } +} + +/// Errors that can occur during OpenRouter usage fetching +public enum OpenRouterUsageError: LocalizedError, Sendable { + case invalidCredentials + case networkError(String) + case apiError(String) + case parseFailed(String) + + public var errorDescription: String? { + switch self { + case .invalidCredentials: + "Invalid OpenRouter API credentials" + case let .networkError(message): + "OpenRouter network error: \(message)" + case let .apiError(message): + "OpenRouter API error: \(message)" + case let .parseFailed(message): + "Failed to parse OpenRouter response: \(message)" + } + } +} diff --git a/Sources/CodexBarCore/Providers/ProviderDescriptor.swift b/Sources/CodexBarCore/Providers/ProviderDescriptor.swift index f7ed0884b..0e18e2c3f 100644 --- a/Sources/CodexBarCore/Providers/ProviderDescriptor.swift +++ b/Sources/CodexBarCore/Providers/ProviderDescriptor.swift @@ -72,6 +72,7 @@ public enum ProviderDescriptorRegistry { .amp: AmpProviderDescriptor.descriptor, .ollama: OllamaProviderDescriptor.descriptor, .synthetic: SyntheticProviderDescriptor.descriptor, + .openrouter: OpenRouterProviderDescriptor.descriptor, .warp: WarpProviderDescriptor.descriptor, ] private static let bootstrap: Void = { diff --git a/Sources/CodexBarCore/Providers/ProviderTokenResolver.swift b/Sources/CodexBarCore/Providers/ProviderTokenResolver.swift index 4134d67bf..7c746cf2b 100644 --- a/Sources/CodexBarCore/Providers/ProviderTokenResolver.swift +++ b/Sources/CodexBarCore/Providers/ProviderTokenResolver.swift @@ -49,6 +49,10 @@ public enum ProviderTokenResolver { self.warpResolution(environment: environment)?.token } + public static func openRouterToken(environment: [String: String] = ProcessInfo.processInfo.environment) -> String? { + self.openRouterResolution(environment: environment)?.token + } + public static func zaiResolution( environment: [String: String] = ProcessInfo.processInfo.environment) -> ProviderTokenResolution? { @@ -110,6 +114,12 @@ public enum ProviderTokenResolver { self.resolveEnv(WarpSettingsReader.apiKey(environment: environment)) } + public static func openRouterResolution( + environment: [String: String] = ProcessInfo.processInfo.environment) -> ProviderTokenResolution? + { + self.resolveEnv(OpenRouterSettingsReader.apiToken(environment: environment)) + } + private static func cleaned(_ raw: String?) -> String? { guard var value = raw?.trimmingCharacters(in: .whitespacesAndNewlines), !value.isEmpty else { return nil diff --git a/Sources/CodexBarCore/Providers/Providers.swift b/Sources/CodexBarCore/Providers/Providers.swift index 418535b52..d7a0b7d7c 100644 --- a/Sources/CodexBarCore/Providers/Providers.swift +++ b/Sources/CodexBarCore/Providers/Providers.swift @@ -22,6 +22,7 @@ public enum UsageProvider: String, CaseIterable, Sendable, Codable { case amp case ollama case synthetic + case openrouter case warp } @@ -47,6 +48,7 @@ public enum IconStyle: Sendable, CaseIterable { case amp case ollama case synthetic + case openrouter case warp case combined } diff --git a/Sources/CodexBarCore/UsageFetcher.swift b/Sources/CodexBarCore/UsageFetcher.swift index ca300ea9f..23b1ccce2 100644 --- a/Sources/CodexBarCore/UsageFetcher.swift +++ b/Sources/CodexBarCore/UsageFetcher.swift @@ -54,6 +54,7 @@ public struct UsageSnapshot: Codable, Sendable { public let providerCost: ProviderCostSnapshot? public let zaiUsage: ZaiUsageSnapshot? public let minimaxUsage: MiniMaxUsageSnapshot? + public let openRouterUsage: OpenRouterUsageSnapshot? public let cursorRequests: CursorRequestUsage? public let updatedAt: Date public let identity: ProviderIdentitySnapshot? @@ -77,6 +78,7 @@ public struct UsageSnapshot: Codable, Sendable { providerCost: ProviderCostSnapshot? = nil, zaiUsage: ZaiUsageSnapshot? = nil, minimaxUsage: MiniMaxUsageSnapshot? = nil, + openRouterUsage: OpenRouterUsageSnapshot? = nil, cursorRequests: CursorRequestUsage? = nil, updatedAt: Date, identity: ProviderIdentitySnapshot? = nil) @@ -87,6 +89,7 @@ public struct UsageSnapshot: Codable, Sendable { self.providerCost = providerCost self.zaiUsage = zaiUsage self.minimaxUsage = minimaxUsage + self.openRouterUsage = openRouterUsage self.cursorRequests = cursorRequests self.updatedAt = updatedAt self.identity = identity @@ -100,6 +103,7 @@ public struct UsageSnapshot: Codable, Sendable { self.providerCost = try container.decodeIfPresent(ProviderCostSnapshot.self, forKey: .providerCost) self.zaiUsage = nil // Not persisted, fetched fresh each time self.minimaxUsage = nil // Not persisted, fetched fresh each time + self.openRouterUsage = nil // Not persisted, fetched fresh each time self.cursorRequests = nil // Not persisted, fetched fresh each time self.updatedAt = try container.decode(Date.self, forKey: .updatedAt) if let identity = try container.decodeIfPresent(ProviderIdentitySnapshot.self, forKey: .identity) { @@ -183,6 +187,7 @@ public struct UsageSnapshot: Codable, Sendable { providerCost: self.providerCost, zaiUsage: self.zaiUsage, minimaxUsage: self.minimaxUsage, + openRouterUsage: self.openRouterUsage, cursorRequests: self.cursorRequests, updatedAt: self.updatedAt, identity: scopedIdentity) diff --git a/docs/claude.md b/docs/claude.md index 22737efd9..50cb14bef 100644 --- a/docs/claude.md +++ b/docs/claude.md @@ -113,3 +113,12 @@ Usage source picker: `Sources/CodexBarCore/Providers/Claude/ClaudeCLISession.swift` - Cost usage: `Sources/CodexBarCore/CostUsageFetcher.swift`, `Sources/CodexBarCore/Vendored/CostUsage/*` + + + +# Recent Activity + + + +*No recent activity* + \ No newline at end of file diff --git a/docs/openrouter.md b/docs/openrouter.md new file mode 100644 index 000000000..dea631dec --- /dev/null +++ b/docs/openrouter.md @@ -0,0 +1,54 @@ +# OpenRouter Provider + +[OpenRouter](https://openrouter.ai) is a unified API that provides access to multiple AI models from different providers (OpenAI, Anthropic, Google, Meta, and more) through a single endpoint. + +## Authentication + +OpenRouter uses API key authentication. Get your API key from [OpenRouter Settings](https://openrouter.ai/settings/keys). + +### Environment Variable + +Set the `OPENROUTER_API_KEY` environment variable: + +```bash +export OPENROUTER_API_KEY="sk-or-v1-..." +``` + +### Settings + +You can also configure the API key in CodexBar Settings → Providers → OpenRouter. + +## Data Source + +The OpenRouter provider fetches usage data from two API endpoints: + +1. **Credits API** (`/api/v1/credits`): Returns total credits purchased and total usage. The balance is calculated as `total_credits - total_usage`. + +2. **Key API** (`/api/v1/key`): Returns rate limit information for your API key. + +## Display + +The OpenRouter menu card shows: + +- **Primary meter**: Credit usage percentage (how much of your purchased credits have been used) +- **Balance**: Displayed in the identity section as "Balance: $X.XX" + +## CLI Usage + +```bash +codexbar --provider openrouter +codexbar -p or # alias +``` + +## Environment Variables + +| Variable | Description | +|----------|-------------| +| `OPENROUTER_API_KEY` | Your OpenRouter API key (required) | +| `OPENROUTER_API_URL` | Override the base API URL (optional, defaults to `https://openrouter.ai/api/v1`) | + +## Notes + +- Credit values are cached on OpenRouter's side and may be up to 60 seconds stale +- OpenRouter uses a credit-based billing system where you pre-purchase credits +- Rate limits depend on your credit balance (10+ credits = 1000 free model requests/day) diff --git a/docs/providers.md b/docs/providers.md index b69d05694..a776fc562 100644 --- a/docs/providers.md +++ b/docs/providers.md @@ -1,5 +1,5 @@ --- -summary: "Provider data sources and parsing overview (Codex, Claude, Gemini, Antigravity, Cursor, Droid/Factory, z.ai, Copilot, Kimi, Kimi K2, Kiro, Warp, Vertex AI, Augment, Amp, Ollama, JetBrains AI)." +summary: "Provider data sources and parsing overview (Codex, Claude, Gemini, Antigravity, Cursor, Droid/Factory, z.ai, Copilot, Kimi, Kimi K2, Kiro, Warp, Vertex AI, Augment, Amp, Ollama, JetBrains AI, OpenRouter)." read_when: - Adding or modifying provider fetch/parsing - Adjusting provider labels, toggles, or metadata @@ -36,6 +36,7 @@ until the session is invalid, to avoid repeated Keychain prompts. | Amp | Web settings page via browser cookies (`web`). | | Warp | API token (config/env) → GraphQL request limits (`api`). | | Ollama | Web settings page via browser cookies (`web`). | +| OpenRouter | API token (Keychain/env) → credits API (`api`). | ## Codex - Web dashboard (when enabled): `https://chatgpt.com/codex/settings/usage` via WebView + browser cookies. @@ -154,4 +155,12 @@ until the session is invalid, to avoid repeated Keychain prompts. - Status: none yet. - Details: `docs/ollama.md`. +## OpenRouter +- API token from Keychain or `OPENROUTER_API_KEY` env var. +- Credits endpoint: `https://openrouter.ai/api/v1/credits` (returns total credits purchased and usage). +- Key info endpoint: `https://openrouter.ai/api/v1/key` (returns rate limit info). +- Override base URL with `OPENROUTER_API_URL` env var. +- Status: `https://status.openrouter.ai` (link only, no auto-polling yet). +- Details: `docs/openrouter.md`. + See also: `docs/provider.md` for architecture notes. From e61b73c71815e047ada71920c9edbe9b550e7f36 Mon Sep 17 00:00:00 2001 From: chountalas Date: Tue, 3 Feb 2026 20:56:36 -0700 Subject: [PATCH 109/131] fix: Add missing openrouter switch cases for exhaustive matching Added .openrouter case to all switch statements that iterate over UsageProvider to fix compilation errors: - CostUsageScanner.swift (returns empty report) - TokenAccountCLI.swift (returns nil settings) - CodexBarWidgetProvider.swift (not yet supported in widgets) - CodexBarWidgetViews.swift (short label + color) - ProviderImplementationRegistry.swift (implementation registration) - UsageStore.swift (debug log output) Co-Authored-By: Claude Opus 4.5 --- .../Providers/Shared/ProviderImplementationRegistry.swift | 1 + Sources/CodexBar/UsageStore.swift | 5 +++++ Sources/CodexBarCLI/TokenAccountCLI.swift | 2 +- .../CodexBarCore/Vendored/CostUsage/CostUsageScanner.swift | 2 +- Sources/CodexBarWidget/CodexBarWidgetProvider.swift | 1 + Sources/CodexBarWidget/CodexBarWidgetViews.swift | 3 +++ 6 files changed, 12 insertions(+), 2 deletions(-) diff --git a/Sources/CodexBar/Providers/Shared/ProviderImplementationRegistry.swift b/Sources/CodexBar/Providers/Shared/ProviderImplementationRegistry.swift index 8754e595f..9fbf84b39 100644 --- a/Sources/CodexBar/Providers/Shared/ProviderImplementationRegistry.swift +++ b/Sources/CodexBar/Providers/Shared/ProviderImplementationRegistry.swift @@ -31,6 +31,7 @@ enum ProviderImplementationRegistry { case .amp: AmpProviderImplementation() case .ollama: OllamaProviderImplementation() case .synthetic: SyntheticProviderImplementation() + case .openrouter: OpenRouterProviderImplementation() case .warp: WarpProviderImplementation() } } diff --git a/Sources/CodexBar/UsageStore.swift b/Sources/CodexBar/UsageStore.swift index 84280b3c0..aa5faddb4 100644 --- a/Sources/CodexBar/UsageStore.swift +++ b/Sources/CodexBar/UsageStore.swift @@ -1210,6 +1210,11 @@ extension UsageStore { text = await self.debugOllamaLog( ollamaCookieSource: ollamaCookieSource, ollamaCookieHeader: ollamaCookieHeader) + case .openrouter: + let resolution = ProviderTokenResolver.openRouterResolution() + let hasAny = resolution != nil + let source = resolution?.source.rawValue ?? "none" + text = "OPENROUTER_API_KEY=\(hasAny ? "present" : "missing") source=\(source)" case .warp: let resolution = ProviderTokenResolver.warpResolution() let hasAny = resolution != nil diff --git a/Sources/CodexBarCLI/TokenAccountCLI.swift b/Sources/CodexBarCLI/TokenAccountCLI.swift index 2487a2b1b..4d6d05d17 100644 --- a/Sources/CodexBarCLI/TokenAccountCLI.swift +++ b/Sources/CodexBarCLI/TokenAccountCLI.swift @@ -152,7 +152,7 @@ struct TokenAccountCLIContext { return self.makeSnapshot( jetbrains: ProviderSettingsSnapshot.JetBrainsProviderSettings( ideBasePath: nil)) - case .gemini, .antigravity, .copilot, .kiro, .vertexai, .kimik2, .synthetic, .warp: + case .gemini, .antigravity, .copilot, .kiro, .vertexai, .kimik2, .synthetic, .openrouter, .warp: return nil } } diff --git a/Sources/CodexBarCore/Vendored/CostUsage/CostUsageScanner.swift b/Sources/CodexBarCore/Vendored/CostUsage/CostUsageScanner.swift index 4546bd07f..f5cb75f5e 100644 --- a/Sources/CodexBarCore/Vendored/CostUsage/CostUsageScanner.swift +++ b/Sources/CodexBarCore/Vendored/CostUsage/CostUsageScanner.swift @@ -71,7 +71,7 @@ enum CostUsageScanner { } return self.loadClaudeDaily(provider: .vertexai, range: range, now: now, options: filtered) case .zai, .gemini, .antigravity, .cursor, .opencode, .factory, .copilot, .minimax, .kiro, .kimi, .kimik2, - .augment, .jetbrains, .amp, .ollama, .synthetic, .warp: + .augment, .jetbrains, .amp, .ollama, .synthetic, .openrouter, .warp: return emptyReport } } diff --git a/Sources/CodexBarWidget/CodexBarWidgetProvider.swift b/Sources/CodexBarWidget/CodexBarWidgetProvider.swift index 7b094bf46..aa9739c01 100644 --- a/Sources/CodexBarWidget/CodexBarWidgetProvider.swift +++ b/Sources/CodexBarWidget/CodexBarWidgetProvider.swift @@ -60,6 +60,7 @@ enum ProviderChoice: String, AppEnum { case .amp: return nil // Amp not yet supported in widgets case .ollama: return nil // Ollama not yet supported in widgets case .synthetic: return nil // Synthetic not yet supported in widgets + case .openrouter: return nil // OpenRouter not yet supported in widgets case .warp: return nil // Warp not yet supported in widgets } } diff --git a/Sources/CodexBarWidget/CodexBarWidgetViews.swift b/Sources/CodexBarWidget/CodexBarWidgetViews.swift index 6e3ea3528..f007623f6 100644 --- a/Sources/CodexBarWidget/CodexBarWidgetViews.swift +++ b/Sources/CodexBarWidget/CodexBarWidgetViews.swift @@ -276,6 +276,7 @@ private struct ProviderSwitchChip: View { case .amp: "Amp" case .ollama: "Ollama" case .synthetic: "Synthetic" + case .openrouter: "OpenRouter" case .warp: "Warp" } } @@ -609,6 +610,8 @@ enum WidgetColors { Color(red: 32 / 255, green: 32 / 255, blue: 32 / 255) // Ollama charcoal case .synthetic: Color(red: 20 / 255, green: 20 / 255, blue: 20 / 255) // Synthetic charcoal + case .openrouter: + Color(red: 111 / 255, green: 66 / 255, blue: 193 / 255) // OpenRouter purple case .warp: Color(red: 147 / 255, green: 139 / 255, blue: 180 / 255) } From 07927c461cb84b55eea34adda96fd62c1ae126da Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Wed, 18 Feb 2026 00:27:10 +0530 Subject: [PATCH 110/131] Fix OpenRouter formatting and lint guards --- .../Shared/ProviderImplementationRegistry.swift | 1 + .../OpenRouter/OpenRouterSettingsReader.swift | 2 +- .../Providers/OpenRouter/OpenRouterUsageStats.swift | 10 +++++----- Sources/CodexBarWidget/CodexBarWidgetProvider.swift | 1 + Sources/CodexBarWidget/CodexBarWidgetViews.swift | 1 + 5 files changed, 9 insertions(+), 6 deletions(-) diff --git a/Sources/CodexBar/Providers/Shared/ProviderImplementationRegistry.swift b/Sources/CodexBar/Providers/Shared/ProviderImplementationRegistry.swift index 9fbf84b39..1cb530ce8 100644 --- a/Sources/CodexBar/Providers/Shared/ProviderImplementationRegistry.swift +++ b/Sources/CodexBar/Providers/Shared/ProviderImplementationRegistry.swift @@ -10,6 +10,7 @@ enum ProviderImplementationRegistry { private static let lock = NSLock() private static let store = Store() + // swiftlint:disable:next cyclomatic_complexity private static func makeImplementation(for provider: UsageProvider) -> (any ProviderImplementation) { switch provider { case .codex: CodexProviderImplementation() diff --git a/Sources/CodexBarCore/Providers/OpenRouter/OpenRouterSettingsReader.swift b/Sources/CodexBarCore/Providers/OpenRouter/OpenRouterSettingsReader.swift index 646b648f9..e5e3f4d78 100644 --- a/Sources/CodexBarCore/Providers/OpenRouter/OpenRouterSettingsReader.swift +++ b/Sources/CodexBarCore/Providers/OpenRouter/OpenRouterSettingsReader.swift @@ -7,7 +7,7 @@ public enum OpenRouterSettingsReader { /// Returns the API token from environment if present and non-empty public static func apiToken(environment: [String: String] = ProcessInfo.processInfo.environment) -> String? { - cleaned(environment[envKey]) + self.cleaned(environment[self.envKey]) } /// Returns the API URL, defaulting to production endpoint diff --git a/Sources/CodexBarCore/Providers/OpenRouter/OpenRouterUsageStats.swift b/Sources/CodexBarCore/Providers/OpenRouter/OpenRouterUsageStats.swift index 2aa4e680e..bc8286545 100644 --- a/Sources/CodexBarCore/Providers/OpenRouter/OpenRouterUsageStats.swift +++ b/Sources/CodexBarCore/Providers/OpenRouter/OpenRouterUsageStats.swift @@ -22,13 +22,13 @@ public struct OpenRouterCreditsData: Decodable, Sendable { /// Remaining credits (total - usage) public var balance: Double { - max(0, totalCredits - totalUsage) + max(0, self.totalCredits - self.totalUsage) } /// Usage percentage (0-100) public var usedPercent: Double { - guard totalCredits > 0 else { return 0 } - return min(100, (totalUsage / totalCredits) * 100) + guard self.totalCredits > 0 else { return 0 } + return min(100, (self.totalUsage / self.totalCredits) * 100) } } @@ -88,7 +88,7 @@ public struct OpenRouterUsageSnapshot: Sendable { /// Returns true if this snapshot contains valid data public var isValid: Bool { - totalCredits >= 0 + self.totalCredits >= 0 } } @@ -115,7 +115,7 @@ extension OpenRouterUsageSnapshot { tertiary: nil, providerCost: nil, openRouterUsage: self, - updatedAt: updatedAt, + updatedAt: self.updatedAt, identity: identity) } } diff --git a/Sources/CodexBarWidget/CodexBarWidgetProvider.swift b/Sources/CodexBarWidget/CodexBarWidgetProvider.swift index aa9739c01..1f8a8cdfe 100644 --- a/Sources/CodexBarWidget/CodexBarWidgetProvider.swift +++ b/Sources/CodexBarWidget/CodexBarWidgetProvider.swift @@ -39,6 +39,7 @@ enum ProviderChoice: String, AppEnum { } } + // swiftlint:disable:next cyclomatic_complexity init?(provider: UsageProvider) { switch provider { case .codex: self = .codex diff --git a/Sources/CodexBarWidget/CodexBarWidgetViews.swift b/Sources/CodexBarWidget/CodexBarWidgetViews.swift index f007623f6..7ad1064e5 100644 --- a/Sources/CodexBarWidget/CodexBarWidgetViews.swift +++ b/Sources/CodexBarWidget/CodexBarWidgetViews.swift @@ -570,6 +570,7 @@ private struct UsageHistoryChart: View { } enum WidgetColors { + // swiftlint:disable:next cyclomatic_complexity static func color(for provider: UsageProvider) -> Color { switch provider { case .codex: From a8752ee3dd9a51da5c6d4260170a31b26e97a123 Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Wed, 18 Feb 2026 00:30:42 +0530 Subject: [PATCH 111/131] Wire OpenRouter config token into fetch env --- .../Config/ProviderConfigEnvironment.swift | 2 ++ .../ProviderConfigEnvironmentTests.swift | 11 +++++++++++ 2 files changed, 13 insertions(+) diff --git a/Sources/CodexBarCore/Config/ProviderConfigEnvironment.swift b/Sources/CodexBarCore/Config/ProviderConfigEnvironment.swift index 1969ba6ab..9a72d340a 100644 --- a/Sources/CodexBarCore/Config/ProviderConfigEnvironment.swift +++ b/Sources/CodexBarCore/Config/ProviderConfigEnvironment.swift @@ -25,6 +25,8 @@ public enum ProviderConfigEnvironment { if let key = WarpSettingsReader.apiKeyEnvironmentKeys.first { env[key] = apiKey } + case .openrouter: + env[OpenRouterSettingsReader.envKey] = apiKey default: break } diff --git a/Tests/CodexBarTests/ProviderConfigEnvironmentTests.swift b/Tests/CodexBarTests/ProviderConfigEnvironmentTests.swift index 0e81e34fc..04ee4b25e 100644 --- a/Tests/CodexBarTests/ProviderConfigEnvironmentTests.swift +++ b/Tests/CodexBarTests/ProviderConfigEnvironmentTests.swift @@ -29,6 +29,17 @@ struct ProviderConfigEnvironmentTests { #expect(env[key] == "w-token") } + @Test + func appliesAPIKeyOverrideForOpenRouter() { + let config = ProviderConfig(id: .openrouter, apiKey: "or-token") + let env = ProviderConfigEnvironment.applyAPIKeyOverride( + base: [:], + provider: .openrouter, + config: config) + + #expect(env[OpenRouterSettingsReader.envKey] == "or-token") + } + @Test func leavesEnvironmentWhenAPIKeyMissing() { let config = ProviderConfig(id: .zai, apiKey: nil) From c1b53df819fe4210762df0533207d277169a3ab7 Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Wed, 18 Feb 2026 00:54:54 +0530 Subject: [PATCH 112/131] Preserve provider order and bound OpenRouter key fetch --- .../OpenRouter/OpenRouterUsageStats.swift | 46 +++++++++++++++++-- .../CodexBarCore/Providers/Providers.swift | 4 +- Tests/CodexBarTests/SettingsStoreTests.swift | 1 + 3 files changed, 46 insertions(+), 5 deletions(-) diff --git a/Sources/CodexBarCore/Providers/OpenRouter/OpenRouterUsageStats.swift b/Sources/CodexBarCore/Providers/OpenRouter/OpenRouterUsageStats.swift index bc8286545..5e0d6595e 100644 --- a/Sources/CodexBarCore/Providers/OpenRouter/OpenRouterUsageStats.swift +++ b/Sources/CodexBarCore/Providers/OpenRouter/OpenRouterUsageStats.swift @@ -123,6 +123,7 @@ extension OpenRouterUsageSnapshot { /// Fetches usage stats from the OpenRouter API public struct OpenRouterUsageFetcher: Sendable { private static let log = CodexBarLog.logger(LogCategories.openRouterUsage) + private static let rateLimitTimeoutSeconds: TimeInterval = 1.0 /// Fetches credits usage from OpenRouter using the provided API key public static func fetchUsage( @@ -162,8 +163,12 @@ public struct OpenRouterUsageFetcher: Sendable { let decoder = JSONDecoder() let creditsResponse = try decoder.decode(OpenRouterCreditsResponse.self, from: data) - // Optionally fetch rate limit info from /key endpoint - let rateLimit = await fetchRateLimit(apiKey: apiKey, baseURL: baseURL) + // Optionally fetch rate limit info from /key endpoint, but keep this bounded so + // credits updates are not blocked by a slow or unavailable secondary endpoint. + let rateLimit = await fetchRateLimit( + apiKey: apiKey, + baseURL: baseURL, + timeoutSeconds: Self.rateLimitTimeoutSeconds) return OpenRouterUsageSnapshot( totalCredits: creditsResponse.data.totalCredits, @@ -184,13 +189,48 @@ public struct OpenRouterUsageFetcher: Sendable { } /// Fetches rate limit info from /key endpoint - private static func fetchRateLimit(apiKey: String, baseURL: URL) async -> OpenRouterRateLimit? { + private static func fetchRateLimit( + apiKey: String, + baseURL: URL, + timeoutSeconds: TimeInterval) async -> OpenRouterRateLimit? + { + let timeout = max(0.1, timeoutSeconds) + let timeoutNanoseconds = UInt64(timeout * 1_000_000_000) + + return await withTaskGroup(of: OpenRouterRateLimit?.self) { group in + group.addTask { + await Self.fetchRateLimitRequest( + apiKey: apiKey, + baseURL: baseURL, + timeoutSeconds: timeout) + } + group.addTask { + try? await Task.sleep(nanoseconds: timeoutNanoseconds) + Self.log.debug("OpenRouter /key enrichment timed out after \(timeout)s") + return nil + } + + let result = await group.next() + group.cancelAll() + if let result { + return result + } + return nil + } + } + + private static func fetchRateLimitRequest( + apiKey: String, + baseURL: URL, + timeoutSeconds: TimeInterval) async -> OpenRouterRateLimit? + { let keyURL = baseURL.appendingPathComponent("key") var request = URLRequest(url: keyURL) request.httpMethod = "GET" request.setValue("Bearer \(apiKey)", forHTTPHeaderField: "Authorization") request.setValue("application/json", forHTTPHeaderField: "Accept") + request.timeoutInterval = timeoutSeconds do { let (data, response) = try await URLSession.shared.data(for: request) diff --git a/Sources/CodexBarCore/Providers/Providers.swift b/Sources/CodexBarCore/Providers/Providers.swift index d7a0b7d7c..b6d75ebb1 100644 --- a/Sources/CodexBarCore/Providers/Providers.swift +++ b/Sources/CodexBarCore/Providers/Providers.swift @@ -22,8 +22,8 @@ public enum UsageProvider: String, CaseIterable, Sendable, Codable { case amp case ollama case synthetic - case openrouter case warp + case openrouter } // swiftformat:enable sortDeclarations @@ -48,8 +48,8 @@ public enum IconStyle: Sendable, CaseIterable { case amp case ollama case synthetic - case openrouter case warp + case openrouter case combined } diff --git a/Tests/CodexBarTests/SettingsStoreTests.swift b/Tests/CodexBarTests/SettingsStoreTests.swift index 6354f65a8..cfeb90048 100644 --- a/Tests/CodexBarTests/SettingsStoreTests.swift +++ b/Tests/CodexBarTests/SettingsStoreTests.swift @@ -366,6 +366,7 @@ struct SettingsStoreTests { .ollama, .synthetic, .warp, + .openrouter, ]) // Move one provider; ensure it's persisted across instances. From 67de5f5061435d69711f591e0337dd3ebee4b472 Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Wed, 18 Feb 2026 01:07:35 +0530 Subject: [PATCH 113/131] Fix OpenRouter reset text and timeout logging --- .../OpenRouter/OpenRouterUsageStats.swift | 10 +++++++-- .../OpenRouterUsageStatsTests.swift | 22 +++++++++++++++++++ 2 files changed, 30 insertions(+), 2 deletions(-) create mode 100644 Tests/CodexBarTests/OpenRouterUsageStatsTests.swift diff --git a/Sources/CodexBarCore/Providers/OpenRouter/OpenRouterUsageStats.swift b/Sources/CodexBarCore/Providers/OpenRouter/OpenRouterUsageStats.swift index 5e0d6595e..fe31cbeb1 100644 --- a/Sources/CodexBarCore/Providers/OpenRouter/OpenRouterUsageStats.swift +++ b/Sources/CodexBarCore/Providers/OpenRouter/OpenRouterUsageStats.swift @@ -99,7 +99,7 @@ extension OpenRouterUsageSnapshot { usedPercent: usedPercent, windowMinutes: nil, resetsAt: nil, - resetDescription: "Credits") + resetDescription: nil) // Format balance for identity display let balanceStr = String(format: "$%.2f", balance) @@ -205,7 +205,13 @@ public struct OpenRouterUsageFetcher: Sendable { timeoutSeconds: timeout) } group.addTask { - try? await Task.sleep(nanoseconds: timeoutNanoseconds) + do { + try await Task.sleep(nanoseconds: timeoutNanoseconds) + } catch { + // Cancelled because the /key request finished first. + return nil + } + guard !Task.isCancelled else { return nil } Self.log.debug("OpenRouter /key enrichment timed out after \(timeout)s") return nil } diff --git a/Tests/CodexBarTests/OpenRouterUsageStatsTests.swift b/Tests/CodexBarTests/OpenRouterUsageStatsTests.swift new file mode 100644 index 000000000..03c569957 --- /dev/null +++ b/Tests/CodexBarTests/OpenRouterUsageStatsTests.swift @@ -0,0 +1,22 @@ +import CodexBarCore +import Foundation +import Testing + +@Suite +struct OpenRouterUsageStatsTests { + @Test + func toUsageSnapshot_doesNotSetSyntheticResetDescription() { + let snapshot = OpenRouterUsageSnapshot( + totalCredits: 50, + totalUsage: 45.3895596325, + balance: 4.6104403675, + usedPercent: 90.779119265, + rateLimit: nil, + updatedAt: Date(timeIntervalSince1970: 1_739_841_600)) + + let usage = snapshot.toUsageSnapshot() + + #expect(usage.primary?.resetsAt == nil) + #expect(usage.primary?.resetDescription == nil) + } +} From ff1c5848263b2dffb8690bde0db473ae5da2f14a Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Wed, 18 Feb 2026 01:43:18 +0530 Subject: [PATCH 114/131] Harden OpenRouter logging and widget selection --- Sources/CodexBar/UsageStore.swift | 6 ++- Sources/CodexBarCLI/TokenAccountCLI.swift | 2 + .../OpenRouter/OpenRouterUsageStats.swift | 38 +++++++++++++++---- .../CodexBarWidgetProvider.swift | 3 +- docs/claude.md | 9 ----- 5 files changed, 39 insertions(+), 19 deletions(-) diff --git a/Sources/CodexBar/UsageStore.swift b/Sources/CodexBar/UsageStore.swift index aa5faddb4..5536c0c0b 100644 --- a/Sources/CodexBar/UsageStore.swift +++ b/Sources/CodexBar/UsageStore.swift @@ -1154,6 +1154,10 @@ extension UsageStore { let ampCookieHeader = self.settings.ampCookieHeader let ollamaCookieSource = self.settings.ollamaCookieSource let ollamaCookieHeader = self.settings.ollamaCookieHeader + let openRouterEnvironment = ProviderConfigEnvironment.applyAPIKeyOverride( + base: ProcessInfo.processInfo.environment, + provider: .openrouter, + config: self.settings.providerConfig(for: .openrouter)) return await Task.detached(priority: .utility) { () -> String in let unimplementedDebugLogMessages: [UsageProvider: String] = [ .gemini: "Gemini debug log not yet implemented", @@ -1211,7 +1215,7 @@ extension UsageStore { ollamaCookieSource: ollamaCookieSource, ollamaCookieHeader: ollamaCookieHeader) case .openrouter: - let resolution = ProviderTokenResolver.openRouterResolution() + let resolution = ProviderTokenResolver.openRouterResolution(environment: openRouterEnvironment) let hasAny = resolution != nil let source = resolution?.source.rawValue ?? "none" text = "OPENROUTER_API_KEY=\(hasAny ? "present" : "missing") source=\(source)" diff --git a/Sources/CodexBarCLI/TokenAccountCLI.swift b/Sources/CodexBarCLI/TokenAccountCLI.swift index 4d6d05d17..14b2e0af9 100644 --- a/Sources/CodexBarCLI/TokenAccountCLI.swift +++ b/Sources/CodexBarCLI/TokenAccountCLI.swift @@ -228,6 +228,8 @@ struct TokenAccountCLIContext { tertiary: snapshot.tertiary, providerCost: snapshot.providerCost, zaiUsage: snapshot.zaiUsage, + minimaxUsage: snapshot.minimaxUsage, + openRouterUsage: snapshot.openRouterUsage, cursorRequests: snapshot.cursorRequests, updatedAt: snapshot.updatedAt, identity: identity) diff --git a/Sources/CodexBarCore/Providers/OpenRouter/OpenRouterUsageStats.swift b/Sources/CodexBarCore/Providers/OpenRouter/OpenRouterUsageStats.swift index fe31cbeb1..75dae006f 100644 --- a/Sources/CodexBarCore/Providers/OpenRouter/OpenRouterUsageStats.swift +++ b/Sources/CodexBarCore/Providers/OpenRouter/OpenRouterUsageStats.swift @@ -124,6 +124,8 @@ extension OpenRouterUsageSnapshot { public struct OpenRouterUsageFetcher: Sendable { private static let log = CodexBarLog.logger(LogCategories.openRouterUsage) private static let rateLimitTimeoutSeconds: TimeInterval = 1.0 + private static let maxErrorBodyLength = 240 + private static let debugFullErrorBodiesEnvKey = "CODEXBAR_DEBUG_OPENROUTER_ERROR_BODIES" /// Fetches credits usage from OpenRouter using the provided API key public static func fetchUsage( @@ -149,14 +151,12 @@ public struct OpenRouterUsageFetcher: Sendable { } guard httpResponse.statusCode == 200 else { - let errorMessage = String(data: data, encoding: .utf8) ?? "Unknown error" - Self.log.error("OpenRouter API returned \(httpResponse.statusCode): \(errorMessage)") - throw OpenRouterUsageError.apiError("HTTP \(httpResponse.statusCode): \(errorMessage)") - } - - // Log raw response for debugging - if let jsonString = String(data: data, encoding: .utf8) { - Self.log.debug("OpenRouter credits response: \(jsonString)") + let errorSummary = Self.sanitizedResponseBodySummary(data) + if Self.debugFullErrorBodiesEnabled, let fullBody = String(data: data, encoding: .utf8), !fullBody.isEmpty { + Self.log.debug("OpenRouter non-200 body: \(fullBody)") + } + Self.log.error("OpenRouter API returned \(httpResponse.statusCode): \(errorSummary)") + throw OpenRouterUsageError.apiError("HTTP \(httpResponse.statusCode): \(errorSummary)") } do { @@ -255,6 +255,28 @@ public struct OpenRouterUsageFetcher: Sendable { return nil } } + + private static var debugFullErrorBodiesEnabled: Bool { + ProcessInfo.processInfo.environment[self.debugFullErrorBodiesEnvKey] == "1" + } + + private static func sanitizedResponseBodySummary(_ data: Data) -> String { + guard !data.isEmpty else { return "empty body" } + + guard let rawBody = String(bytes: data, encoding: .utf8) else { + return "non-text body (\(data.count) bytes)" + } + + let body = rawBody + .replacingOccurrences(of: #"\s+"#, with: " ", options: .regularExpression) + .trimmingCharacters(in: .whitespacesAndNewlines) + + guard !body.isEmpty else { return "non-text body (\(data.count) bytes)" } + guard body.count > Self.maxErrorBodyLength else { return body } + + let index = body.index(body.startIndex, offsetBy: Self.maxErrorBodyLength) + return "\(body[.. [UsageProvider] { let enabled = snapshot.enabledProviders let providers = enabled.isEmpty ? snapshot.entries.map(\.provider) : enabled - return providers.isEmpty ? [.codex] : providers + let supported = providers.filter { ProviderChoice(provider: $0) != nil } + return supported.isEmpty ? [.codex] : supported } } diff --git a/docs/claude.md b/docs/claude.md index 50cb14bef..22737efd9 100644 --- a/docs/claude.md +++ b/docs/claude.md @@ -113,12 +113,3 @@ Usage source picker: `Sources/CodexBarCore/Providers/Claude/ClaudeCLISession.swift` - Cost usage: `Sources/CodexBarCore/CostUsageFetcher.swift`, `Sources/CodexBarCore/Vendored/CostUsage/*` - - - -# Recent Activity - - - -*No recent activity* - \ No newline at end of file From 6e007a4ff3f682dd7b964bc13b0c890640c85809 Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Wed, 18 Feb 2026 02:09:19 +0530 Subject: [PATCH 115/131] Harden OpenRouter diagnostics and token account labels --- .../OpenRouterProviderImplementation.swift | 3 +- .../OpenRouter/OpenRouterSettingsStore.swift | 2 - .../CodexBar/UsageStore+TokenAccounts.swift | 2 + Sources/CodexBar/UsageStore.swift | 17 +++++++- .../OpenRouter/OpenRouterUsageStats.swift | 40 +++++++++++++++++-- docs/providers.md | 4 +- 6 files changed, 57 insertions(+), 11 deletions(-) diff --git a/Sources/CodexBar/Providers/OpenRouter/OpenRouterProviderImplementation.swift b/Sources/CodexBar/Providers/OpenRouter/OpenRouterProviderImplementation.swift index 89e47e1ea..b604dcf6c 100644 --- a/Sources/CodexBar/Providers/OpenRouter/OpenRouterProviderImplementation.swift +++ b/Sources/CodexBar/Providers/OpenRouter/OpenRouterProviderImplementation.swift @@ -29,7 +29,6 @@ struct OpenRouterProviderImplementation: ProviderImplementation { if OpenRouterSettingsReader.apiToken(environment: context.environment) != nil { return true } - context.settings.ensureOpenRouterAPITokenLoaded() return !context.settings.openRouterAPIToken.trimmingCharacters(in: .whitespacesAndNewlines).isEmpty } @@ -50,7 +49,7 @@ struct OpenRouterProviderImplementation: ProviderImplementation { binding: context.stringBinding(\.openRouterAPIToken), actions: [], isVisible: nil, - onActivate: { context.settings.ensureOpenRouterAPITokenLoaded() }), + onActivate: nil), ] } } diff --git a/Sources/CodexBar/Providers/OpenRouter/OpenRouterSettingsStore.swift b/Sources/CodexBar/Providers/OpenRouter/OpenRouterSettingsStore.swift index 5f0ee030f..130cdf3dd 100644 --- a/Sources/CodexBar/Providers/OpenRouter/OpenRouterSettingsStore.swift +++ b/Sources/CodexBar/Providers/OpenRouter/OpenRouterSettingsStore.swift @@ -11,6 +11,4 @@ extension SettingsStore { self.logSecretUpdate(provider: .openrouter, field: "apiKey", value: newValue) } } - - func ensureOpenRouterAPITokenLoaded() {} } diff --git a/Sources/CodexBar/UsageStore+TokenAccounts.swift b/Sources/CodexBar/UsageStore+TokenAccounts.swift index 7127a1233..3c6cae7d1 100644 --- a/Sources/CodexBar/UsageStore+TokenAccounts.swift +++ b/Sources/CodexBar/UsageStore+TokenAccounts.swift @@ -198,6 +198,8 @@ extension UsageStore { tertiary: snapshot.tertiary, providerCost: snapshot.providerCost, zaiUsage: snapshot.zaiUsage, + minimaxUsage: snapshot.minimaxUsage, + openRouterUsage: snapshot.openRouterUsage, cursorRequests: snapshot.cursorRequests, updatedAt: snapshot.updatedAt, identity: identity) diff --git a/Sources/CodexBar/UsageStore.swift b/Sources/CodexBar/UsageStore.swift index 5536c0c0b..20bb7491f 100644 --- a/Sources/CodexBar/UsageStore.swift +++ b/Sources/CodexBar/UsageStore.swift @@ -1154,8 +1154,13 @@ extension UsageStore { let ampCookieHeader = self.settings.ampCookieHeader let ollamaCookieSource = self.settings.ollamaCookieSource let ollamaCookieHeader = self.settings.ollamaCookieHeader + let processEnvironment = ProcessInfo.processInfo.environment + let openRouterConfigToken = self.settings.providerConfig(for: .openrouter)?.sanitizedAPIKey + let openRouterHasConfigToken = !(openRouterConfigToken?.trimmingCharacters(in: .whitespacesAndNewlines) + .isEmpty ?? true) + let openRouterHasEnvToken = OpenRouterSettingsReader.apiToken(environment: processEnvironment) != nil let openRouterEnvironment = ProviderConfigEnvironment.applyAPIKeyOverride( - base: ProcessInfo.processInfo.environment, + base: processEnvironment, provider: .openrouter, config: self.settings.providerConfig(for: .openrouter)) return await Task.detached(priority: .utility) { () -> String in @@ -1217,7 +1222,15 @@ extension UsageStore { case .openrouter: let resolution = ProviderTokenResolver.openRouterResolution(environment: openRouterEnvironment) let hasAny = resolution != nil - let source = resolution?.source.rawValue ?? "none" + let source: String = if resolution == nil { + "none" + } else if openRouterHasConfigToken, openRouterHasEnvToken { + "settings-config (overrides env)" + } else if openRouterHasConfigToken { + "settings-config" + } else { + resolution?.source.rawValue ?? "environment" + } text = "OPENROUTER_API_KEY=\(hasAny ? "present" : "missing") source=\(source)" case .warp: let resolution = ProviderTokenResolver.warpResolution() diff --git a/Sources/CodexBarCore/Providers/OpenRouter/OpenRouterUsageStats.swift b/Sources/CodexBarCore/Providers/OpenRouter/OpenRouterUsageStats.swift index 75dae006f..f7a1ea040 100644 --- a/Sources/CodexBarCore/Providers/OpenRouter/OpenRouterUsageStats.swift +++ b/Sources/CodexBarCore/Providers/OpenRouter/OpenRouterUsageStats.swift @@ -125,6 +125,7 @@ public struct OpenRouterUsageFetcher: Sendable { private static let log = CodexBarLog.logger(LogCategories.openRouterUsage) private static let rateLimitTimeoutSeconds: TimeInterval = 1.0 private static let maxErrorBodyLength = 240 + private static let maxDebugErrorBodyLength = 2000 private static let debugFullErrorBodiesEnvKey = "CODEXBAR_DEBUG_OPENROUTER_ERROR_BODIES" /// Fetches credits usage from OpenRouter using the provided API key @@ -152,8 +153,8 @@ public struct OpenRouterUsageFetcher: Sendable { guard httpResponse.statusCode == 200 else { let errorSummary = Self.sanitizedResponseBodySummary(data) - if Self.debugFullErrorBodiesEnabled, let fullBody = String(data: data, encoding: .utf8), !fullBody.isEmpty { - Self.log.debug("OpenRouter non-200 body: \(fullBody)") + if Self.debugFullErrorBodiesEnabled, let debugBody = Self.redactedDebugResponseBody(data) { + Self.log.debug("OpenRouter non-200 body (redacted): \(debugBody)") } Self.log.error("OpenRouter API returned \(httpResponse.statusCode): \(errorSummary)") throw OpenRouterUsageError.apiError("HTTP \(httpResponse.statusCode): \(errorSummary)") @@ -267,7 +268,7 @@ public struct OpenRouterUsageFetcher: Sendable { return "non-text body (\(data.count) bytes)" } - let body = rawBody + let body = Self.redactSensitiveBodyContent(rawBody) .replacingOccurrences(of: #"\s+"#, with: " ", options: .regularExpression) .trimmingCharacters(in: .whitespacesAndNewlines) @@ -277,6 +278,39 @@ public struct OpenRouterUsageFetcher: Sendable { let index = body.index(body.startIndex, offsetBy: Self.maxErrorBodyLength) return "\(body[.. String? { + guard let rawBody = String(bytes: data, encoding: .utf8) else { return nil } + + let body = Self.redactSensitiveBodyContent(rawBody) + .replacingOccurrences(of: #"\s+"#, with: " ", options: .regularExpression) + .trimmingCharacters(in: .whitespacesAndNewlines) + guard !body.isEmpty else { return nil } + guard body.count > Self.maxDebugErrorBodyLength else { return body } + + let index = body.index(body.startIndex, offsetBy: Self.maxDebugErrorBodyLength) + return "\(body[.. String { + let replacements: [(String, String)] = [ + (#"(?i)(bearer\s+)[A-Za-z0-9._\-]+"#, "$1[REDACTED]"), + (#"(?i)(sk-or-v1-)[A-Za-z0-9._\-]+"#, "$1[REDACTED]"), + ( + #"(?i)(\"(?:api_?key|authorization|token|access_token|refresh_token)\"\s*:\s*\")([^\"]+)(\")"#, + "$1[REDACTED]$3"), + ( + #"(?i)((?:api_?key|authorization|token|access_token|refresh_token)\s*[=:]\s*)([^,\s]+)"#, + "$1[REDACTED]"), + ] + + return replacements.reduce(text) { partial, replacement in + partial.replacingOccurrences( + of: replacement.0, + with: replacement.1, + options: .regularExpression) + } + } } /// Errors that can occur during OpenRouter usage fetching diff --git a/docs/providers.md b/docs/providers.md index a776fc562..cc456ebdc 100644 --- a/docs/providers.md +++ b/docs/providers.md @@ -36,7 +36,7 @@ until the session is invalid, to avoid repeated Keychain prompts. | Amp | Web settings page via browser cookies (`web`). | | Warp | API token (config/env) → GraphQL request limits (`api`). | | Ollama | Web settings page via browser cookies (`web`). | -| OpenRouter | API token (Keychain/env) → credits API (`api`). | +| OpenRouter | API token (config/env override) → credits API (`api`). | ## Codex - Web dashboard (when enabled): `https://chatgpt.com/codex/settings/usage` via WebView + browser cookies. @@ -156,7 +156,7 @@ until the session is invalid, to avoid repeated Keychain prompts. - Details: `docs/ollama.md`. ## OpenRouter -- API token from Keychain or `OPENROUTER_API_KEY` env var. +- API token from `~/.codexbar/config.json` (`providerConfig.openrouter.apiKey`) or `OPENROUTER_API_KEY` env var. - Credits endpoint: `https://openrouter.ai/api/v1/credits` (returns total credits purchased and usage). - Key info endpoint: `https://openrouter.ai/api/v1/key` (returns rate limit info). - Override base URL with `OPENROUTER_API_URL` env var. From d2aad5a74ae8cfc44fa00bb2a6443d53d6afa540 Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Wed, 18 Feb 2026 02:36:51 +0530 Subject: [PATCH 116/131] Harden OpenRouter errors and relabel snapshot copies --- .../CodexBar/UsageStore+TokenAccounts.swift | 12 +- Sources/CodexBarCLI/TokenAccountCLI.swift | 12 +- .../OpenRouter/OpenRouterUsageStats.swift | 14 +- Sources/CodexBarCore/UsageFetcher.swift | 16 ++- .../OpenRouterUsageStatsTests.swift | 98 +++++++++++++- .../ProviderConfigEnvironmentTests.swift | 12 ++ ...kenAccountEnvironmentPrecedenceTests.swift | 121 ++++++++++++++++++ docs/providers.md | 2 +- 8 files changed, 253 insertions(+), 34 deletions(-) diff --git a/Sources/CodexBar/UsageStore+TokenAccounts.swift b/Sources/CodexBar/UsageStore+TokenAccounts.swift index 3c6cae7d1..3e55ffa9f 100644 --- a/Sources/CodexBar/UsageStore+TokenAccounts.swift +++ b/Sources/CodexBar/UsageStore+TokenAccounts.swift @@ -192,16 +192,6 @@ extension UsageStore { accountEmail: resolvedEmail, accountOrganization: existing?.accountOrganization, loginMethod: existing?.loginMethod) - return UsageSnapshot( - primary: snapshot.primary, - secondary: snapshot.secondary, - tertiary: snapshot.tertiary, - providerCost: snapshot.providerCost, - zaiUsage: snapshot.zaiUsage, - minimaxUsage: snapshot.minimaxUsage, - openRouterUsage: snapshot.openRouterUsage, - cursorRequests: snapshot.cursorRequests, - updatedAt: snapshot.updatedAt, - identity: identity) + return snapshot.withIdentity(identity) } } diff --git a/Sources/CodexBarCLI/TokenAccountCLI.swift b/Sources/CodexBarCLI/TokenAccountCLI.swift index 14b2e0af9..c1617905e 100644 --- a/Sources/CodexBarCLI/TokenAccountCLI.swift +++ b/Sources/CodexBarCLI/TokenAccountCLI.swift @@ -222,17 +222,7 @@ struct TokenAccountCLIContext { accountEmail: resolvedEmail, accountOrganization: existing?.accountOrganization, loginMethod: existing?.loginMethod) - return UsageSnapshot( - primary: snapshot.primary, - secondary: snapshot.secondary, - tertiary: snapshot.tertiary, - providerCost: snapshot.providerCost, - zaiUsage: snapshot.zaiUsage, - minimaxUsage: snapshot.minimaxUsage, - openRouterUsage: snapshot.openRouterUsage, - cursorRequests: snapshot.cursorRequests, - updatedAt: snapshot.updatedAt, - identity: identity) + return snapshot.withIdentity(identity) } func effectiveSourceMode( diff --git a/Sources/CodexBarCore/Providers/OpenRouter/OpenRouterUsageStats.swift b/Sources/CodexBarCore/Providers/OpenRouter/OpenRouterUsageStats.swift index f7a1ea040..fc0199119 100644 --- a/Sources/CodexBarCore/Providers/OpenRouter/OpenRouterUsageStats.swift +++ b/Sources/CodexBarCore/Providers/OpenRouter/OpenRouterUsageStats.swift @@ -152,12 +152,12 @@ public struct OpenRouterUsageFetcher: Sendable { } guard httpResponse.statusCode == 200 else { - let errorSummary = Self.sanitizedResponseBodySummary(data) + let errorSummary = LogRedactor.redact(Self.sanitizedResponseBodySummary(data)) if Self.debugFullErrorBodiesEnabled, let debugBody = Self.redactedDebugResponseBody(data) { - Self.log.debug("OpenRouter non-200 body (redacted): \(debugBody)") + Self.log.debug("OpenRouter non-200 body (redacted): \(LogRedactor.redact(debugBody))") } Self.log.error("OpenRouter API returned \(httpResponse.statusCode): \(errorSummary)") - throw OpenRouterUsageError.apiError("HTTP \(httpResponse.statusCode): \(errorSummary)") + throw OpenRouterUsageError.apiError("HTTP \(httpResponse.statusCode)") } do { @@ -311,6 +311,14 @@ public struct OpenRouterUsageFetcher: Sendable { options: .regularExpression) } } + + static func _sanitizedResponseBodySummaryForTesting(_ body: String) -> String { + self.sanitizedResponseBodySummary(Data(body.utf8)) + } + + static func _redactedDebugResponseBodyForTesting(_ body: String) -> String? { + self.redactedDebugResponseBody(Data(body.utf8)) + } } /// Errors that can occur during OpenRouter usage fetching diff --git a/Sources/CodexBarCore/UsageFetcher.swift b/Sources/CodexBarCore/UsageFetcher.swift index 23b1ccce2..1a0fef004 100644 --- a/Sources/CodexBarCore/UsageFetcher.swift +++ b/Sources/CodexBarCore/UsageFetcher.swift @@ -176,11 +176,8 @@ public struct UsageSnapshot: Codable, Sendable { self.identity(for: provider)?.loginMethod } - public func scoped(to provider: UsageProvider) -> UsageSnapshot { - guard let identity else { return self } - let scopedIdentity = identity.scoped(to: provider) - if scopedIdentity.providerID == identity.providerID { return self } - return UsageSnapshot( + public func withIdentity(_ identity: ProviderIdentitySnapshot?) -> UsageSnapshot { + UsageSnapshot( primary: self.primary, secondary: self.secondary, tertiary: self.tertiary, @@ -190,7 +187,14 @@ public struct UsageSnapshot: Codable, Sendable { openRouterUsage: self.openRouterUsage, cursorRequests: self.cursorRequests, updatedAt: self.updatedAt, - identity: scopedIdentity) + identity: identity) + } + + public func scoped(to provider: UsageProvider) -> UsageSnapshot { + guard let identity else { return self } + let scopedIdentity = identity.scoped(to: provider) + if scopedIdentity.providerID == identity.providerID { return self } + return self.withIdentity(scopedIdentity) } } diff --git a/Tests/CodexBarTests/OpenRouterUsageStatsTests.swift b/Tests/CodexBarTests/OpenRouterUsageStatsTests.swift index 03c569957..4e81dba71 100644 --- a/Tests/CodexBarTests/OpenRouterUsageStatsTests.swift +++ b/Tests/CodexBarTests/OpenRouterUsageStatsTests.swift @@ -1,8 +1,8 @@ -import CodexBarCore import Foundation import Testing +@testable import CodexBarCore -@Suite +@Suite(.serialized) struct OpenRouterUsageStatsTests { @Test func toUsageSnapshot_doesNotSetSyntheticResetDescription() { @@ -19,4 +19,98 @@ struct OpenRouterUsageStatsTests { #expect(usage.primary?.resetsAt == nil) #expect(usage.primary?.resetDescription == nil) } + + @Test + func sanitizers_redactSensitiveTokenShapes() { + let body = """ + {"error":"bad token sk-or-v1-abc123","token":"secret-token","authorization":"Bearer sk-or-v1-xyz789"} + """ + + let summary = OpenRouterUsageFetcher._sanitizedResponseBodySummaryForTesting(body) + let debugBody = OpenRouterUsageFetcher._redactedDebugResponseBodyForTesting(body) + + #expect(summary.contains("sk-or-v1-[REDACTED]")) + #expect(summary.contains("\"token\":\"[REDACTED]\"")) + #expect(!summary.contains("secret-token")) + #expect(!summary.contains("sk-or-v1-abc123")) + + #expect(debugBody?.contains("sk-or-v1-[REDACTED]") == true) + #expect(debugBody?.contains("\"token\":\"[REDACTED]\"") == true) + #expect(debugBody?.contains("secret-token") == false) + #expect(debugBody?.contains("sk-or-v1-xyz789") == false) + } + + @Test + func non200FetchThrowsGenericHTTPErrorWithoutBodyDetails() async throws { + let registered = URLProtocol.registerClass(OpenRouterStubURLProtocol.self) + defer { + if registered { + URLProtocol.unregisterClass(OpenRouterStubURLProtocol.self) + } + OpenRouterStubURLProtocol.handler = nil + } + + OpenRouterStubURLProtocol.handler = { request in + guard let url = request.url else { throw URLError(.badURL) } + let body = #"{"error":"invalid sk-or-v1-super-secret","token":"dont-leak-me"}"# + return Self.makeResponse(url: url, body: body, statusCode: 401) + } + + do { + _ = try await OpenRouterUsageFetcher.fetchUsage( + apiKey: "sk-or-v1-test", + environment: ["OPENROUTER_API_URL": "https://openrouter.test/api/v1"]) + Issue.record("Expected OpenRouterUsageError.apiError") + } catch let error as OpenRouterUsageError { + guard case let .apiError(message) = error else { + Issue.record("Expected apiError, got: \(error)") + return + } + #expect(message == "HTTP 401") + #expect(!message.contains("dont-leak-me")) + #expect(!message.contains("sk-or-v1-super-secret")) + } + } + + private static func makeResponse( + url: URL, + body: String, + statusCode: Int = 200) -> (HTTPURLResponse, Data) + { + let response = HTTPURLResponse( + url: url, + statusCode: statusCode, + httpVersion: "HTTP/1.1", + headerFields: ["Content-Type": "application/json"])! + return (response, Data(body.utf8)) + } +} + +final class OpenRouterStubURLProtocol: URLProtocol { + nonisolated(unsafe) static var handler: ((URLRequest) throws -> (HTTPURLResponse, Data))? + + override static func canInit(with request: URLRequest) -> Bool { + request.url?.host == "openrouter.test" + } + + override static func canonicalRequest(for request: URLRequest) -> URLRequest { + request + } + + override func startLoading() { + guard let handler = Self.handler else { + self.client?.urlProtocol(self, didFailWithError: URLError(.badServerResponse)) + return + } + do { + let (response, data) = try handler(self.request) + self.client?.urlProtocol(self, didReceive: response, cacheStoragePolicy: .notAllowed) + self.client?.urlProtocol(self, didLoad: data) + self.client?.urlProtocolDidFinishLoading(self) + } catch { + self.client?.urlProtocol(self, didFailWithError: error) + } + } + + override func stopLoading() {} } diff --git a/Tests/CodexBarTests/ProviderConfigEnvironmentTests.swift b/Tests/CodexBarTests/ProviderConfigEnvironmentTests.swift index 04ee4b25e..88f1b35c7 100644 --- a/Tests/CodexBarTests/ProviderConfigEnvironmentTests.swift +++ b/Tests/CodexBarTests/ProviderConfigEnvironmentTests.swift @@ -40,6 +40,18 @@ struct ProviderConfigEnvironmentTests { #expect(env[OpenRouterSettingsReader.envKey] == "or-token") } + @Test + func openRouterConfigOverrideWinsOverEnvironmentToken() { + let config = ProviderConfig(id: .openrouter, apiKey: "config-token") + let env = ProviderConfigEnvironment.applyAPIKeyOverride( + base: [OpenRouterSettingsReader.envKey: "env-token"], + provider: .openrouter, + config: config) + + #expect(env[OpenRouterSettingsReader.envKey] == "config-token") + #expect(ProviderTokenResolver.openRouterToken(environment: env) == "config-token") + } + @Test func leavesEnvironmentWhenAPIKeyMissing() { let config = ProviderConfig(id: .zai, apiKey: nil) diff --git a/Tests/CodexBarTests/TokenAccountEnvironmentPrecedenceTests.swift b/Tests/CodexBarTests/TokenAccountEnvironmentPrecedenceTests.swift index ca97cccab..cb36b24ae 100644 --- a/Tests/CodexBarTests/TokenAccountEnvironmentPrecedenceTests.swift +++ b/Tests/CodexBarTests/TokenAccountEnvironmentPrecedenceTests.swift @@ -75,6 +75,46 @@ struct TokenAccountEnvironmentPrecedenceTests { #expect(ollamaSettings.manualCookieHeader == "session=account-token") } + @Test + func applyAccountLabelInAppPreservesSnapshotFields() { + let settings = Self.makeSettingsStore(suite: "TokenAccountEnvironmentPrecedenceTests-apply-app") + let store = Self.makeUsageStore(settings: settings) + let snapshot = Self.makeSnapshotWithAllFields(provider: .zai) + let account = ProviderTokenAccount( + id: UUID(), + label: "Team Account", + token: "account-token", + addedAt: 0, + lastUsed: nil) + + let labeled = store.applyAccountLabel(snapshot, provider: .zai, account: account) + + Self.expectSnapshotFieldsPreserved(before: snapshot, after: labeled) + #expect(labeled.identity?.providerID == .zai) + #expect(labeled.identity?.accountEmail == "Team Account") + } + + @Test + func applyAccountLabelInCLIPreservesSnapshotFields() throws { + let context = try TokenAccountCLIContext( + selection: TokenAccountCLISelection(label: nil, index: nil, allAccounts: false), + config: CodexBarConfig(providers: []), + verbose: false) + let snapshot = Self.makeSnapshotWithAllFields(provider: .zai) + let account = ProviderTokenAccount( + id: UUID(), + label: "CLI Account", + token: "account-token", + addedAt: 0, + lastUsed: nil) + + let labeled = context.applyAccountLabel(snapshot, provider: .zai, account: account) + + Self.expectSnapshotFieldsPreserved(before: snapshot, after: labeled) + #expect(labeled.identity?.providerID == .zai) + #expect(labeled.identity?.accountEmail == "CLI Account") + } + private static func makeSettingsStore(suite: String) -> SettingsStore { let defaults = UserDefaults(suiteName: suite)! defaults.removePersistentDomain(forName: suite) @@ -99,4 +139,85 @@ struct TokenAccountEnvironmentPrecedenceTests { copilotTokenStore: InMemoryCopilotTokenStore(), tokenAccountStore: InMemoryTokenAccountStore()) } + + private static func makeUsageStore(settings: SettingsStore) -> UsageStore { + UsageStore( + fetcher: UsageFetcher(environment: [:]), + browserDetection: BrowserDetection(cacheTTL: 0), + settings: settings) + } + + private static func makeSnapshotWithAllFields(provider: UsageProvider) -> UsageSnapshot { + let now = Date(timeIntervalSince1970: 1_700_000_000) + let reset = Date(timeIntervalSince1970: 1_700_003_600) + let tokenLimit = ZaiLimitEntry( + type: .tokensLimit, + unit: .hours, + number: 6, + usage: 200, + currentValue: 40, + remaining: 160, + percentage: 20, + usageDetails: [ZaiUsageDetail(modelCode: "glm-4", usage: 40)], + nextResetTime: reset) + let identity = ProviderIdentitySnapshot( + providerID: provider, + accountEmail: nil, + accountOrganization: "Org", + loginMethod: "Pro") + + return UsageSnapshot( + primary: RateWindow(usedPercent: 21, windowMinutes: 60, resetsAt: reset, resetDescription: "primary"), + secondary: RateWindow(usedPercent: 42, windowMinutes: 1440, resetsAt: nil, resetDescription: "secondary"), + tertiary: RateWindow(usedPercent: 7, windowMinutes: nil, resetsAt: nil, resetDescription: "tertiary"), + providerCost: ProviderCostSnapshot( + used: 12.5, + limit: 25, + currencyCode: "USD", + period: "Monthly", + resetsAt: reset, + updatedAt: now), + zaiUsage: ZaiUsageSnapshot( + tokenLimit: tokenLimit, + timeLimit: nil, + planName: "Z.ai Pro", + updatedAt: now), + minimaxUsage: MiniMaxUsageSnapshot( + planName: "MiniMax", + availablePrompts: 500, + currentPrompts: 120, + remainingPrompts: 380, + windowMinutes: 1440, + usedPercent: 24, + resetsAt: reset, + updatedAt: now), + openRouterUsage: OpenRouterUsageSnapshot( + totalCredits: 50, + totalUsage: 10, + balance: 40, + usedPercent: 20, + rateLimit: nil, + updatedAt: now), + cursorRequests: CursorRequestUsage(used: 7, limit: 70), + updatedAt: now, + identity: identity) + } + + private static func expectSnapshotFieldsPreserved(before: UsageSnapshot, after: UsageSnapshot) { + #expect(after.primary?.usedPercent == before.primary?.usedPercent) + #expect(after.secondary?.usedPercent == before.secondary?.usedPercent) + #expect(after.tertiary?.usedPercent == before.tertiary?.usedPercent) + #expect(after.providerCost?.used == before.providerCost?.used) + #expect(after.providerCost?.limit == before.providerCost?.limit) + #expect(after.providerCost?.currencyCode == before.providerCost?.currencyCode) + #expect(after.zaiUsage?.planName == before.zaiUsage?.planName) + #expect(after.zaiUsage?.tokenLimit?.usage == before.zaiUsage?.tokenLimit?.usage) + #expect(after.minimaxUsage?.planName == before.minimaxUsage?.planName) + #expect(after.minimaxUsage?.availablePrompts == before.minimaxUsage?.availablePrompts) + #expect(after.openRouterUsage?.balance == before.openRouterUsage?.balance) + #expect(after.openRouterUsage?.rateLimit?.requests == before.openRouterUsage?.rateLimit?.requests) + #expect(after.cursorRequests?.used == before.cursorRequests?.used) + #expect(after.cursorRequests?.limit == before.cursorRequests?.limit) + #expect(after.updatedAt == before.updatedAt) + } } diff --git a/docs/providers.md b/docs/providers.md index cc456ebdc..5b6126847 100644 --- a/docs/providers.md +++ b/docs/providers.md @@ -36,7 +36,7 @@ until the session is invalid, to avoid repeated Keychain prompts. | Amp | Web settings page via browser cookies (`web`). | | Warp | API token (config/env) → GraphQL request limits (`api`). | | Ollama | Web settings page via browser cookies (`web`). | -| OpenRouter | API token (config/env override) → credits API (`api`). | +| OpenRouter | API token (config, overrides env) → credits API (`api`). | ## Codex - Web dashboard (when enabled): `https://chatgpt.com/codex/settings/usage` via WebView + browser cookies. From 85473358ad1385e12aa83147a85b6e97b6e01b4a Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Wed, 18 Feb 2026 12:25:26 +0530 Subject: [PATCH 117/131] Gate OpenRouter test hooks and document snapshot copy --- .../Providers/OpenRouter/OpenRouterUsageStats.swift | 2 ++ Sources/CodexBarCore/UsageFetcher.swift | 1 + 2 files changed, 3 insertions(+) diff --git a/Sources/CodexBarCore/Providers/OpenRouter/OpenRouterUsageStats.swift b/Sources/CodexBarCore/Providers/OpenRouter/OpenRouterUsageStats.swift index fc0199119..7a138eedc 100644 --- a/Sources/CodexBarCore/Providers/OpenRouter/OpenRouterUsageStats.swift +++ b/Sources/CodexBarCore/Providers/OpenRouter/OpenRouterUsageStats.swift @@ -312,6 +312,7 @@ public struct OpenRouterUsageFetcher: Sendable { } } + #if DEBUG static func _sanitizedResponseBodySummaryForTesting(_ body: String) -> String { self.sanitizedResponseBodySummary(Data(body.utf8)) } @@ -319,6 +320,7 @@ public struct OpenRouterUsageFetcher: Sendable { static func _redactedDebugResponseBodyForTesting(_ body: String) -> String? { self.redactedDebugResponseBody(Data(body.utf8)) } + #endif } /// Errors that can occur during OpenRouter usage fetching diff --git a/Sources/CodexBarCore/UsageFetcher.swift b/Sources/CodexBarCore/UsageFetcher.swift index 1a0fef004..9834b00bf 100644 --- a/Sources/CodexBarCore/UsageFetcher.swift +++ b/Sources/CodexBarCore/UsageFetcher.swift @@ -176,6 +176,7 @@ public struct UsageSnapshot: Codable, Sendable { self.identity(for: provider)?.loginMethod } + /// Keep this initializer-style copy in sync with UsageSnapshot fields so relabeling/scoping never drops data. public func withIdentity(_ identity: ProviderIdentitySnapshot?) -> UsageSnapshot { UsageSnapshot( primary: self.primary, From 9d6b32b8789fed62a6c1162bcd1a2276f0c9d8c4 Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Wed, 18 Feb 2026 12:59:34 +0530 Subject: [PATCH 118/131] Improve OpenRouter request resilience and headers --- .../OpenRouter/OpenRouterUsageStats.swift | 22 +++++++++-- .../OpenRouterUsageStatsTests.swift | 39 +++++++++++++++++++ docs/openrouter.md | 2 + 3 files changed, 60 insertions(+), 3 deletions(-) diff --git a/Sources/CodexBarCore/Providers/OpenRouter/OpenRouterUsageStats.swift b/Sources/CodexBarCore/Providers/OpenRouter/OpenRouterUsageStats.swift index 7a138eedc..15712b360 100644 --- a/Sources/CodexBarCore/Providers/OpenRouter/OpenRouterUsageStats.swift +++ b/Sources/CodexBarCore/Providers/OpenRouter/OpenRouterUsageStats.swift @@ -124,9 +124,13 @@ extension OpenRouterUsageSnapshot { public struct OpenRouterUsageFetcher: Sendable { private static let log = CodexBarLog.logger(LogCategories.openRouterUsage) private static let rateLimitTimeoutSeconds: TimeInterval = 1.0 + private static let creditsRequestTimeoutSeconds: TimeInterval = 15 private static let maxErrorBodyLength = 240 private static let maxDebugErrorBodyLength = 2000 private static let debugFullErrorBodiesEnvKey = "CODEXBAR_DEBUG_OPENROUTER_ERROR_BODIES" + private static let httpRefererEnvKey = "OPENROUTER_HTTP_REFERER" + private static let clientTitleEnvKey = "OPENROUTER_X_TITLE" + private static let defaultClientTitle = "CodexBar" /// Fetches credits usage from OpenRouter using the provided API key public static func fetchUsage( @@ -144,6 +148,12 @@ public struct OpenRouterUsageFetcher: Sendable { request.httpMethod = "GET" request.setValue("Bearer \(apiKey)", forHTTPHeaderField: "Authorization") request.setValue("application/json", forHTTPHeaderField: "Accept") + request.timeoutInterval = Self.creditsRequestTimeoutSeconds + if let referer = Self.sanitizedHeaderValue(environment[self.httpRefererEnvKey]) { + request.setValue(referer, forHTTPHeaderField: "HTTP-Referer") + } + let title = Self.sanitizedHeaderValue(environment[self.clientTitleEnvKey]) ?? Self.defaultClientTitle + request.setValue(title, forHTTPHeaderField: "X-Title") let (data, response) = try await URLSession.shared.data(for: request) @@ -153,7 +163,9 @@ public struct OpenRouterUsageFetcher: Sendable { guard httpResponse.statusCode == 200 else { let errorSummary = LogRedactor.redact(Self.sanitizedResponseBodySummary(data)) - if Self.debugFullErrorBodiesEnabled, let debugBody = Self.redactedDebugResponseBody(data) { + if Self.debugFullErrorBodiesEnabled(environment: environment), + let debugBody = Self.redactedDebugResponseBody(data) + { Self.log.debug("OpenRouter non-200 body (redacted): \(LogRedactor.redact(debugBody))") } Self.log.error("OpenRouter API returned \(httpResponse.statusCode): \(errorSummary)") @@ -257,8 +269,12 @@ public struct OpenRouterUsageFetcher: Sendable { } } - private static var debugFullErrorBodiesEnabled: Bool { - ProcessInfo.processInfo.environment[self.debugFullErrorBodiesEnvKey] == "1" + private static func debugFullErrorBodiesEnabled(environment: [String: String]) -> Bool { + environment[self.debugFullErrorBodiesEnvKey] == "1" + } + + private static func sanitizedHeaderValue(_ raw: String?) -> String? { + OpenRouterSettingsReader.cleaned(raw) } private static func sanitizedResponseBodySummary(_ data: Data) -> String { diff --git a/Tests/CodexBarTests/OpenRouterUsageStatsTests.swift b/Tests/CodexBarTests/OpenRouterUsageStatsTests.swift index 4e81dba71..8ce66e69e 100644 --- a/Tests/CodexBarTests/OpenRouterUsageStatsTests.swift +++ b/Tests/CodexBarTests/OpenRouterUsageStatsTests.swift @@ -72,6 +72,45 @@ struct OpenRouterUsageStatsTests { } } + @Test + func fetchUsage_setsCreditsTimeoutAndClientHeaders() async throws { + let registered = URLProtocol.registerClass(OpenRouterStubURLProtocol.self) + defer { + if registered { + URLProtocol.unregisterClass(OpenRouterStubURLProtocol.self) + } + OpenRouterStubURLProtocol.handler = nil + } + + OpenRouterStubURLProtocol.handler = { request in + guard let url = request.url else { throw URLError(.badURL) } + switch url.path { + case "/api/v1/credits": + #expect(request.timeoutInterval == 15) + #expect(request.value(forHTTPHeaderField: "HTTP-Referer") == "https://codexbar.example") + #expect(request.value(forHTTPHeaderField: "X-Title") == "CodexBar QA") + let body = #"{"data":{"total_credits":100,"total_usage":40}}"# + return Self.makeResponse(url: url, body: body, statusCode: 200) + case "/api/v1/key": + let body = #"{"data":{"rate_limit":{"requests":120,"interval":"10s"}}}"# + return Self.makeResponse(url: url, body: body, statusCode: 200) + default: + return Self.makeResponse(url: url, body: "{}", statusCode: 404) + } + } + + let usage = try await OpenRouterUsageFetcher.fetchUsage( + apiKey: "sk-or-v1-test", + environment: [ + "OPENROUTER_API_URL": "https://openrouter.test/api/v1", + "OPENROUTER_HTTP_REFERER": " https://codexbar.example ", + "OPENROUTER_X_TITLE": "CodexBar QA", + ]) + + #expect(usage.totalCredits == 100) + #expect(usage.totalUsage == 40) + } + private static func makeResponse( url: URL, body: String, diff --git a/docs/openrouter.md b/docs/openrouter.md index dea631dec..a0d7985e3 100644 --- a/docs/openrouter.md +++ b/docs/openrouter.md @@ -46,6 +46,8 @@ codexbar -p or # alias |----------|-------------| | `OPENROUTER_API_KEY` | Your OpenRouter API key (required) | | `OPENROUTER_API_URL` | Override the base API URL (optional, defaults to `https://openrouter.ai/api/v1`) | +| `OPENROUTER_HTTP_REFERER` | Optional client referer sent as `HTTP-Referer` header | +| `OPENROUTER_X_TITLE` | Optional client title sent as `X-Title` header (defaults to `CodexBar`) | ## Notes From 82a81835101837a268d61b7e76a70e78b61bdde2 Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Wed, 18 Feb 2026 16:31:08 +0530 Subject: [PATCH 119/131] Update OpenRouter icon and brand color --- .../Resources/ProviderIcon-openrouter.svg | 20 +++++++++++-------- .../OpenRouterProviderDescriptor.swift | 2 +- 2 files changed, 13 insertions(+), 9 deletions(-) diff --git a/Sources/CodexBar/Resources/ProviderIcon-openrouter.svg b/Sources/CodexBar/Resources/ProviderIcon-openrouter.svg index c5fb0c13a..94e78feee 100644 --- a/Sources/CodexBar/Resources/ProviderIcon-openrouter.svg +++ b/Sources/CodexBar/Resources/ProviderIcon-openrouter.svg @@ -1,9 +1,13 @@ - - - - - - - - + + + + + + + + + + + + diff --git a/Sources/CodexBarCore/Providers/OpenRouter/OpenRouterProviderDescriptor.swift b/Sources/CodexBarCore/Providers/OpenRouter/OpenRouterProviderDescriptor.swift index 9334241fc..711954198 100644 --- a/Sources/CodexBarCore/Providers/OpenRouter/OpenRouterProviderDescriptor.swift +++ b/Sources/CodexBarCore/Providers/OpenRouter/OpenRouterProviderDescriptor.swift @@ -27,7 +27,7 @@ public enum OpenRouterProviderDescriptor { branding: ProviderBranding( iconStyle: .openrouter, iconResourceName: "ProviderIcon-openrouter", - color: ProviderColor(red: 111 / 255, green: 66 / 255, blue: 193 / 255)), + color: ProviderColor(red: 100 / 255, green: 103 / 255, blue: 242 / 255)), tokenCost: ProviderTokenCostConfig( supportsTokenCost: false, noDataMessage: { "OpenRouter cost summary is not yet supported." }), From 34a903941cc83e5e07b66b790acb3f3e9546fc59 Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Wed, 18 Feb 2026 23:59:38 +0530 Subject: [PATCH 120/131] Refine OpenRouter key quota popup semantics --- Sources/CodexBar/MenuCardView.swift | 101 ++++++++++- .../StatusItemController+Animation.swift | 28 +++ .../OpenRouter/OpenRouterUsageStats.swift | 127 +++++++++++--- Sources/CodexBarCore/UsageFetcher.swift | 4 +- Tests/CodexBarTests/MenuCardModelTests.swift | 160 ++++++++++++++++++ .../OpenRouterUsageStatsTests.swift | 104 +++++++++++- .../StatusItemControllerMenuTests.swift | 55 ++++++ 7 files changed, 542 insertions(+), 37 deletions(-) diff --git a/Sources/CodexBar/MenuCardView.swift b/Sources/CodexBar/MenuCardView.swift index 89a930dc1..3380c4123 100644 --- a/Sources/CodexBar/MenuCardView.swift +++ b/Sources/CodexBar/MenuCardView.swift @@ -61,12 +61,14 @@ struct UsageMenuCardView: View { let spendLine: String } + let provider: UsageProvider let providerName: String let email: String let subtitleText: String let subtitleStyle: SubtitleStyle let planText: String? let metrics: [Metric] + let usageNotes: [String] let creditsText: String? let creditsRemaining: Double? let creditsHintText: String? @@ -81,6 +83,13 @@ struct UsageMenuCardView: View { let width: CGFloat @Environment(\.menuItemHighlighted) private var isHighlighted + static func popupMetricTitle(provider: UsageProvider, metric: Model.Metric) -> String { + if provider == .openrouter, metric.id == "primary" { + return "API key limit" + } + return metric.title + } + var body: some View { VStack(alignment: .leading, spacing: 6) { UsageMenuCardHeaderView(model: self.model) @@ -90,13 +99,15 @@ struct UsageMenuCardView: View { } if self.model.metrics.isEmpty { - if let placeholder = self.model.placeholder { + if !self.model.usageNotes.isEmpty { + UsageNotesContent(notes: self.model.usageNotes) + } else if let placeholder = self.model.placeholder { Text(placeholder) .foregroundStyle(MenuHighlightStyle.secondary(self.isHighlighted)) .font(.subheadline) } } else { - let hasUsage = !self.model.metrics.isEmpty + let hasUsage = !self.model.metrics.isEmpty || !self.model.usageNotes.isEmpty let hasCredits = self.model.creditsText != nil let hasProviderCost = self.model.providerCost != nil let hasCost = self.model.tokenUsage != nil || hasProviderCost @@ -107,8 +118,12 @@ struct UsageMenuCardView: View { ForEach(self.model.metrics, id: \.id) { metric in MetricRow( metric: metric, + title: Self.popupMetricTitle(provider: self.model.provider, metric: metric), progressColor: self.model.progressColor) } + if !self.model.usageNotes.isEmpty { + UsageNotesContent(notes: self.model.usageNotes) + } } } if hasUsage, hasCredits || hasCost { @@ -172,7 +187,8 @@ struct UsageMenuCardView: View { } private var hasDetails: Bool { - !self.model.metrics.isEmpty || self.model.placeholder != nil || self.model.tokenUsage != nil || + !self.model.metrics.isEmpty || !self.model.usageNotes.isEmpty || self.model.placeholder != nil || + self.model.tokenUsage != nil || self.model.providerCost != nil } } @@ -305,12 +321,13 @@ private struct ProviderCostContent: View { private struct MetricRow: View { let metric: UsageMenuCardView.Model.Metric + let title: String let progressColor: Color @Environment(\.menuItemHighlighted) private var isHighlighted var body: some View { VStack(alignment: .leading, spacing: 6) { - Text(self.metric.title) + Text(self.title) .font(.body) .fontWeight(.medium) UsageProgressBar( @@ -350,6 +367,7 @@ private struct MetricRow: View { } } } + .frame(maxWidth: .infinity, alignment: .leading) if let detail = self.metric.detailText { Text(detail) .font(.footnote) @@ -361,6 +379,24 @@ private struct MetricRow: View { } } +private struct UsageNotesContent: View { + let notes: [String] + @Environment(\.menuItemHighlighted) private var isHighlighted + + var body: some View { + VStack(alignment: .leading, spacing: 4) { + ForEach(Array(self.notes.enumerated()), id: \.offset) { _, note in + Text(note) + .font(.footnote) + .foregroundStyle(MenuHighlightStyle.secondary(self.isHighlighted)) + .lineLimit(2) + .fixedSize(horizontal: false, vertical: true) + } + } + .frame(maxWidth: .infinity, alignment: .leading) + } +} + struct UsageMenuCardHeaderSectionView: View { let model: UsageMenuCardView.Model let showDivider: Bool @@ -391,7 +427,9 @@ struct UsageMenuCardUsageSectionView: View { var body: some View { VStack(alignment: .leading, spacing: 12) { if self.model.metrics.isEmpty { - if let placeholder = self.model.placeholder { + if !self.model.usageNotes.isEmpty { + UsageNotesContent(notes: self.model.usageNotes) + } else if let placeholder = self.model.placeholder { Text(placeholder) .foregroundStyle(MenuHighlightStyle.secondary(self.isHighlighted)) .font(.subheadline) @@ -400,8 +438,12 @@ struct UsageMenuCardUsageSectionView: View { ForEach(self.model.metrics, id: \.id) { metric in MetricRow( metric: metric, + title: UsageMenuCardView.popupMetricTitle(provider: self.model.provider, metric: metric), progressColor: self.model.progressColor) } + if !self.model.usageNotes.isEmpty { + UsageNotesContent(notes: self.model.usageNotes) + } } if self.showBottomDivider { Divider() @@ -601,7 +643,10 @@ extension UsageMenuCardView.Model { account: input.account, metadata: input.metadata) let metrics = Self.metrics(input: input) - let creditsText: String? = if input.provider == .codex, !input.showOptionalCreditsAndExtraUsage { + let usageNotes = Self.usageNotes(provider: input.provider, snapshot: input.snapshot) + let creditsText: String? = if input.provider == .openrouter { + nil + } else if input.provider == .codex, !input.showOptionalCreditsAndExtraUsage { nil } else { Self.creditsLine(metadata: input.metadata, credits: input.credits, error: input.creditsError) @@ -624,12 +669,14 @@ extension UsageMenuCardView.Model { let placeholder = input.snapshot == nil && !input.isRefreshing && input.lastError == nil ? "No usage yet" : nil return UsageMenuCardView.Model( + provider: input.provider, providerName: input.metadata.displayName, email: redacted.email, subtitleText: redacted.subtitleText, subtitleStyle: subtitle.style, planText: planText, metrics: metrics, + usageNotes: usageNotes, creditsText: creditsText, creditsRemaining: input.credits?.remaining, creditsHintText: redacted.creditsHintText, @@ -640,6 +687,27 @@ extension UsageMenuCardView.Model { progressColor: Self.progressColor(for: input.provider)) } + private static func usageNotes(provider: UsageProvider, snapshot: UsageSnapshot?) -> [String] { + guard provider == .openrouter else { + return [] + } + guard let snapshot else { return [] } + if let openRouter = snapshot.openRouterUsage { + switch openRouter.keyQuotaStatus { + case .available: + return [] + case .noLimitConfigured: + return ["No limit set for the API key"] + case .unavailable: + return ["API key limit unavailable right now"] + } + } + if snapshot.primary == nil { + return ["API key limit unavailable right now"] + } + return [] + } + private static func email( for provider: UsageProvider, snapshot: UsageSnapshot?, @@ -742,9 +810,15 @@ extension UsageMenuCardView.Model { let zaiUsage = input.provider == .zai ? snapshot.zaiUsage : nil let zaiTokenDetail = Self.zaiLimitDetailText(limit: zaiUsage?.tokenLimit) let zaiTimeDetail = Self.zaiLimitDetailText(limit: zaiUsage?.timeLimit) + let openRouterQuotaDetail = Self.openRouterQuotaDetail(provider: input.provider, snapshot: snapshot) if let primary = snapshot.primary { var primaryDetailText: String? = input.provider == .zai ? zaiTokenDetail : nil var primaryResetText = Self.resetText(for: primary, style: input.resetTimeDisplayStyle, now: input.now) + if input.provider == .openrouter, + let openRouterQuotaDetail + { + primaryResetText = openRouterQuotaDetail + } if input.provider == .warp, let detail = primary.resetDescription, !detail.trimmingCharacters(in: .whitespacesAndNewlines).isEmpty @@ -841,6 +915,21 @@ extension UsageMenuCardView.Model { return nil } + private static func openRouterQuotaDetail(provider: UsageProvider, snapshot: UsageSnapshot) -> String? { + guard provider == .openrouter, + let usage = snapshot.openRouterUsage, + usage.hasValidKeyQuota, + let keyRemaining = usage.keyRemaining, + let keyLimit = usage.keyLimit + else { + return nil + } + + let remaining = UsageFormatter.usdString(keyRemaining) + let limit = UsageFormatter.usdString(keyLimit) + return "\(remaining)/\(limit) left" + } + private struct PaceDetail { let leftLabel: String let rightLabel: String? diff --git a/Sources/CodexBar/StatusItemController+Animation.swift b/Sources/CodexBar/StatusItemController+Animation.swift index 3c77d03e0..587189d6a 100644 --- a/Sources/CodexBar/StatusItemController+Animation.swift +++ b/Sources/CodexBar/StatusItemController+Animation.swift @@ -259,6 +259,14 @@ extension StatusItemController { return } + if Self.shouldUseOpenRouterBrandFallback(provider: primaryProvider, snapshot: snapshot), + let brand = ProviderBrandIcon.image(for: primaryProvider) + { + self.setButtonTitle(nil, for: button) + self.setButtonImage(brand, for: button) + return + } + self.setButtonTitle(nil, for: button) if let morphProgress { let image = IconRenderer.makeMorphIcon(progress: morphProgress, style: style) @@ -294,6 +302,14 @@ extension StatusItemController { self.setButtonTitle(displayText, for: button) return } + + if Self.shouldUseOpenRouterBrandFallback(provider: provider, snapshot: snapshot), + let brand = ProviderBrandIcon.image(for: provider) + { + self.setButtonTitle(nil, for: button) + self.setButtonImage(brand, for: button) + return + } var primary = showUsed ? snapshot?.primary?.usedPercent : snapshot?.primary?.remainingPercent var weekly = showUsed ? snapshot?.secondary?.usedPercent : snapshot?.secondary?.remainingPercent if showUsed, @@ -508,6 +524,18 @@ extension StatusItemController { } } + nonisolated static func shouldUseOpenRouterBrandFallback( + provider: UsageProvider, + snapshot: UsageSnapshot?) -> Bool + { + guard provider == .openrouter, + let openRouterUsage = snapshot?.openRouterUsage + else { + return false + } + return openRouterUsage.keyQuotaStatus == .noLimitConfigured + } + private func advanceAnimationPattern() { let patterns = LoadingPattern.allCases if let idx = patterns.firstIndex(of: self.animationPattern) { diff --git a/Sources/CodexBarCore/Providers/OpenRouter/OpenRouterUsageStats.swift b/Sources/CodexBarCore/Providers/OpenRouter/OpenRouterUsageStats.swift index 15712b360..fbcc3e44c 100644 --- a/Sources/CodexBarCore/Providers/OpenRouter/OpenRouterUsageStats.swift +++ b/Sources/CodexBarCore/Providers/OpenRouter/OpenRouterUsageStats.swift @@ -32,12 +32,12 @@ public struct OpenRouterCreditsData: Decodable, Sendable { } } -/// OpenRouter key info API response (for rate limits) +/// OpenRouter key info API response public struct OpenRouterKeyResponse: Decodable, Sendable { public let data: OpenRouterKeyData } -/// OpenRouter key data with rate limit info +/// OpenRouter key data with quota and rate limit info public struct OpenRouterKeyData: Decodable, Sendable { /// Rate limit per interval public let rateLimit: OpenRouterRateLimit? @@ -54,19 +54,28 @@ public struct OpenRouterKeyData: Decodable, Sendable { } /// OpenRouter rate limit info -public struct OpenRouterRateLimit: Decodable, Sendable { +public struct OpenRouterRateLimit: Codable, Sendable { /// Number of requests allowed public let requests: Int /// Interval for the rate limit (e.g., "10s", "1m") public let interval: String } +public enum OpenRouterKeyQuotaStatus: String, Codable, Sendable { + case available + case noLimitConfigured + case unavailable +} + /// Complete OpenRouter usage snapshot -public struct OpenRouterUsageSnapshot: Sendable { +public struct OpenRouterUsageSnapshot: Codable, Sendable { public let totalCredits: Double public let totalUsage: Double public let balance: Double public let usedPercent: Double + public let keyDataFetched: Bool + public let keyLimit: Double? + public let keyUsage: Double? public let rateLimit: OpenRouterRateLimit? public let updatedAt: Date @@ -75,6 +84,9 @@ public struct OpenRouterUsageSnapshot: Sendable { totalUsage: Double, balance: Double, usedPercent: Double, + keyDataFetched: Bool = false, + keyLimit: Double? = nil, + keyUsage: Double? = nil, rateLimit: OpenRouterRateLimit?, updatedAt: Date) { @@ -82,6 +94,9 @@ public struct OpenRouterUsageSnapshot: Sendable { self.totalUsage = totalUsage self.balance = balance self.usedPercent = usedPercent + self.keyDataFetched = keyDataFetched || keyLimit != nil || keyUsage != nil + self.keyLimit = keyLimit + self.keyUsage = keyUsage self.rateLimit = rateLimit self.updatedAt = updatedAt } @@ -90,16 +105,62 @@ public struct OpenRouterUsageSnapshot: Sendable { public var isValid: Bool { self.totalCredits >= 0 } + + public var hasValidKeyQuota: Bool { + guard self.keyDataFetched, + let keyLimit, + let keyUsage + else { + return false + } + return keyLimit > 0 && keyUsage >= 0 + } + + public var keyQuotaStatus: OpenRouterKeyQuotaStatus { + if self.hasValidKeyQuota { + return .available + } + guard self.keyDataFetched else { + return .unavailable + } + if let keyLimit, keyLimit > 0 { + return .unavailable + } + return .noLimitConfigured + } + + public var keyRemaining: Double? { + guard self.hasValidKeyQuota, + let keyLimit, + let keyUsage + else { + return nil + } + return max(0, keyLimit - keyUsage) + } + + public var keyUsedPercent: Double? { + guard self.hasValidKeyQuota, + let keyLimit, + let keyUsage + else { + return nil + } + return min(100, max(0, (keyUsage / keyLimit) * 100)) + } } extension OpenRouterUsageSnapshot { public func toUsageSnapshot() -> UsageSnapshot { - // Primary: credits usage percentage - let primary = RateWindow( - usedPercent: usedPercent, - windowMinutes: nil, - resetsAt: nil, - resetDescription: nil) + let primary: RateWindow? = if let keyUsedPercent { + RateWindow( + usedPercent: keyUsedPercent, + windowMinutes: nil, + resetsAt: nil, + resetDescription: nil) + } else { + nil + } // Format balance for identity display let balanceStr = String(format: "$%.2f", balance) @@ -176,9 +237,9 @@ public struct OpenRouterUsageFetcher: Sendable { let decoder = JSONDecoder() let creditsResponse = try decoder.decode(OpenRouterCreditsResponse.self, from: data) - // Optionally fetch rate limit info from /key endpoint, but keep this bounded so + // Optionally fetch key quota/rate-limit info from /key endpoint, but keep this bounded so // credits updates are not blocked by a slow or unavailable secondary endpoint. - let rateLimit = await fetchRateLimit( + let keyFetch = await fetchKeyData( apiKey: apiKey, baseURL: baseURL, timeoutSeconds: Self.rateLimitTimeoutSeconds) @@ -188,7 +249,10 @@ public struct OpenRouterUsageFetcher: Sendable { totalUsage: creditsResponse.data.totalUsage, balance: creditsResponse.data.balance, usedPercent: creditsResponse.data.usedPercent, - rateLimit: rateLimit, + keyDataFetched: keyFetch.fetched, + keyLimit: keyFetch.data?.limit, + keyUsage: keyFetch.data?.usage, + rateLimit: keyFetch.data?.rateLimit, updatedAt: Date()) } catch let error as DecodingError { Self.log.error("OpenRouter JSON decoding error: \(error.localizedDescription)") @@ -201,18 +265,23 @@ public struct OpenRouterUsageFetcher: Sendable { } } - /// Fetches rate limit info from /key endpoint - private static func fetchRateLimit( + /// Fetches key quota/rate-limit info from /key endpoint + private struct OpenRouterKeyFetchResult: Sendable { + let data: OpenRouterKeyData? + let fetched: Bool + } + + private static func fetchKeyData( apiKey: String, baseURL: URL, - timeoutSeconds: TimeInterval) async -> OpenRouterRateLimit? + timeoutSeconds: TimeInterval) async -> OpenRouterKeyFetchResult { let timeout = max(0.1, timeoutSeconds) let timeoutNanoseconds = UInt64(timeout * 1_000_000_000) - return await withTaskGroup(of: OpenRouterRateLimit?.self) { group in + return await withTaskGroup(of: OpenRouterKeyFetchResult.self) { group in group.addTask { - await Self.fetchRateLimitRequest( + await Self.fetchKeyDataRequest( apiKey: apiKey, baseURL: baseURL, timeoutSeconds: timeout) @@ -222,11 +291,13 @@ public struct OpenRouterUsageFetcher: Sendable { try await Task.sleep(nanoseconds: timeoutNanoseconds) } catch { // Cancelled because the /key request finished first. - return nil + return OpenRouterKeyFetchResult(data: nil, fetched: false) + } + guard !Task.isCancelled else { + return OpenRouterKeyFetchResult(data: nil, fetched: false) } - guard !Task.isCancelled else { return nil } Self.log.debug("OpenRouter /key enrichment timed out after \(timeout)s") - return nil + return OpenRouterKeyFetchResult(data: nil, fetched: false) } let result = await group.next() @@ -234,14 +305,14 @@ public struct OpenRouterUsageFetcher: Sendable { if let result { return result } - return nil + return OpenRouterKeyFetchResult(data: nil, fetched: false) } } - private static func fetchRateLimitRequest( + private static func fetchKeyDataRequest( apiKey: String, baseURL: URL, - timeoutSeconds: TimeInterval) async -> OpenRouterRateLimit? + timeoutSeconds: TimeInterval) async -> OpenRouterKeyFetchResult { let keyURL = baseURL.appendingPathComponent("key") @@ -257,15 +328,15 @@ public struct OpenRouterUsageFetcher: Sendable { guard let httpResponse = response as? HTTPURLResponse, httpResponse.statusCode == 200 else { - return nil + return OpenRouterKeyFetchResult(data: nil, fetched: false) } let decoder = JSONDecoder() let keyResponse = try decoder.decode(OpenRouterKeyResponse.self, from: data) - return keyResponse.data.rateLimit + return OpenRouterKeyFetchResult(data: keyResponse.data, fetched: true) } catch { - Self.log.debug("Failed to fetch OpenRouter rate limit: \(error.localizedDescription)") - return nil + Self.log.debug("Failed to fetch OpenRouter /key enrichment: \(error.localizedDescription)") + return OpenRouterKeyFetchResult(data: nil, fetched: false) } } diff --git a/Sources/CodexBarCore/UsageFetcher.swift b/Sources/CodexBarCore/UsageFetcher.swift index 9834b00bf..f2370e9ca 100644 --- a/Sources/CodexBarCore/UsageFetcher.swift +++ b/Sources/CodexBarCore/UsageFetcher.swift @@ -64,6 +64,7 @@ public struct UsageSnapshot: Codable, Sendable { case secondary case tertiary case providerCost + case openRouterUsage case updatedAt case identity case accountEmail @@ -103,7 +104,7 @@ public struct UsageSnapshot: Codable, Sendable { self.providerCost = try container.decodeIfPresent(ProviderCostSnapshot.self, forKey: .providerCost) self.zaiUsage = nil // Not persisted, fetched fresh each time self.minimaxUsage = nil // Not persisted, fetched fresh each time - self.openRouterUsage = nil // Not persisted, fetched fresh each time + self.openRouterUsage = try container.decodeIfPresent(OpenRouterUsageSnapshot.self, forKey: .openRouterUsage) self.cursorRequests = nil // Not persisted, fetched fresh each time self.updatedAt = try container.decode(Date.self, forKey: .updatedAt) if let identity = try container.decodeIfPresent(ProviderIdentitySnapshot.self, forKey: .identity) { @@ -131,6 +132,7 @@ public struct UsageSnapshot: Codable, Sendable { try container.encode(self.secondary, forKey: .secondary) try container.encode(self.tertiary, forKey: .tertiary) try container.encodeIfPresent(self.providerCost, forKey: .providerCost) + try container.encodeIfPresent(self.openRouterUsage, forKey: .openRouterUsage) try container.encode(self.updatedAt, forKey: .updatedAt) try container.encodeIfPresent(self.identity, forKey: .identity) try container.encodeIfPresent(self.identity?.accountEmail, forKey: .accountEmail) diff --git a/Tests/CodexBarTests/MenuCardModelTests.swift b/Tests/CodexBarTests/MenuCardModelTests.swift index 8deab6533..8909b7f7d 100644 --- a/Tests/CodexBarTests/MenuCardModelTests.swift +++ b/Tests/CodexBarTests/MenuCardModelTests.swift @@ -391,6 +391,166 @@ struct MenuCardModelTests { #expect(model.providerCost == nil) } + @Test + @MainActor + func openRouterModel_usesAPIKeyQuotaBarAndQuotaDetail() throws { + let now = Date() + let metadata = try #require(ProviderDefaults.metadata[.openrouter]) + let snapshot = OpenRouterUsageSnapshot( + totalCredits: 50, + totalUsage: 45.3895596325, + balance: 4.6104403675, + usedPercent: 90.779119265, + keyLimit: 20, + keyUsage: 0.5, + rateLimit: nil, + updatedAt: now).toUsageSnapshot() + + let model = UsageMenuCardView.Model.make(.init( + provider: .openrouter, + metadata: metadata, + snapshot: snapshot, + credits: nil, + creditsError: nil, + dashboard: nil, + dashboardError: nil, + tokenSnapshot: nil, + tokenError: nil, + account: AccountInfo(email: nil, plan: nil), + isRefreshing: false, + lastError: nil, + usageBarsShowUsed: false, + resetTimeDisplayStyle: .countdown, + tokenCostUsageEnabled: false, + showOptionalCreditsAndExtraUsage: true, + hidePersonalInfo: false, + now: now)) + + #expect(model.creditsText == nil) + #expect(model.metrics.count == 1) + #expect(model.usageNotes.isEmpty) + let metric = try #require(model.metrics.first) + let popupTitle = UsageMenuCardView.popupMetricTitle( + provider: .openrouter, + metric: metric) + #expect(popupTitle == "API key limit") + #expect(metric.resetText == "$19.50/$20.00 left") + #expect(metric.detailRightText == nil) + } + + @Test + func openRouterModel_withoutKeyLimitShowsTextOnlySummary() throws { + let now = Date() + let metadata = try #require(ProviderDefaults.metadata[.openrouter]) + let snapshot = OpenRouterUsageSnapshot( + totalCredits: 50, + totalUsage: 45.3895596325, + balance: 4.6104403675, + usedPercent: 90.779119265, + keyDataFetched: true, + keyLimit: nil, + keyUsage: nil, + rateLimit: nil, + updatedAt: now).toUsageSnapshot() + + let model = UsageMenuCardView.Model.make(.init( + provider: .openrouter, + metadata: metadata, + snapshot: snapshot, + credits: nil, + creditsError: nil, + dashboard: nil, + dashboardError: nil, + tokenSnapshot: nil, + tokenError: nil, + account: AccountInfo(email: nil, plan: nil), + isRefreshing: false, + lastError: nil, + usageBarsShowUsed: false, + resetTimeDisplayStyle: .countdown, + tokenCostUsageEnabled: false, + showOptionalCreditsAndExtraUsage: true, + hidePersonalInfo: false, + now: now)) + + #expect(model.metrics.isEmpty) + #expect(model.creditsText == nil) + #expect(model.placeholder == nil) + #expect(model.usageNotes == ["No limit set for the API key"]) + } + + @Test + func openRouterModel_whenKeyFetchUnavailableShowsUnavailableNote() throws { + let now = Date() + let metadata = try #require(ProviderDefaults.metadata[.openrouter]) + let snapshot = OpenRouterUsageSnapshot( + totalCredits: 50, + totalUsage: 45.3895596325, + balance: 4.6104403675, + usedPercent: 90.779119265, + keyDataFetched: false, + keyLimit: nil, + keyUsage: nil, + rateLimit: nil, + updatedAt: now).toUsageSnapshot() + + let model = UsageMenuCardView.Model.make(.init( + provider: .openrouter, + metadata: metadata, + snapshot: snapshot, + credits: nil, + creditsError: nil, + dashboard: nil, + dashboardError: nil, + tokenSnapshot: nil, + tokenError: nil, + account: AccountInfo(email: nil, plan: nil), + isRefreshing: false, + lastError: nil, + usageBarsShowUsed: false, + resetTimeDisplayStyle: .countdown, + tokenCostUsageEnabled: false, + showOptionalCreditsAndExtraUsage: true, + hidePersonalInfo: false, + now: now)) + + #expect(model.metrics.isEmpty) + #expect(model.usageNotes == ["API key limit unavailable right now"]) + } + + @Test + func openRouterModel_legacyCachedSnapshotWithoutOpenRouterUsageShowsUnavailableNote() throws { + let now = Date() + let metadata = try #require(ProviderDefaults.metadata[.openrouter]) + let snapshot = UsageSnapshot( + primary: nil, + secondary: nil, + updatedAt: now) + + let model = UsageMenuCardView.Model.make(.init( + provider: .openrouter, + metadata: metadata, + snapshot: snapshot, + credits: nil, + creditsError: nil, + dashboard: nil, + dashboardError: nil, + tokenSnapshot: nil, + tokenError: nil, + account: AccountInfo(email: nil, plan: nil), + isRefreshing: false, + lastError: nil, + usageBarsShowUsed: false, + resetTimeDisplayStyle: .countdown, + tokenCostUsageEnabled: false, + showOptionalCreditsAndExtraUsage: true, + hidePersonalInfo: false, + now: now)) + + #expect(model.metrics.isEmpty) + #expect(model.usageNotes == ["API key limit unavailable right now"]) + } + @Test func hidesEmailWhenPersonalInfoHidden() throws { let now = Date() diff --git a/Tests/CodexBarTests/OpenRouterUsageStatsTests.swift b/Tests/CodexBarTests/OpenRouterUsageStatsTests.swift index 8ce66e69e..25ec01bcf 100644 --- a/Tests/CodexBarTests/OpenRouterUsageStatsTests.swift +++ b/Tests/CodexBarTests/OpenRouterUsageStatsTests.swift @@ -5,19 +5,60 @@ import Testing @Suite(.serialized) struct OpenRouterUsageStatsTests { @Test - func toUsageSnapshot_doesNotSetSyntheticResetDescription() { + func toUsageSnapshot_usesKeyQuotaForPrimaryWindow() { let snapshot = OpenRouterUsageSnapshot( totalCredits: 50, totalUsage: 45.3895596325, balance: 4.6104403675, usedPercent: 90.779119265, + keyLimit: 20, + keyUsage: 5, rateLimit: nil, updatedAt: Date(timeIntervalSince1970: 1_739_841_600)) let usage = snapshot.toUsageSnapshot() + #expect(usage.primary?.usedPercent == 25) #expect(usage.primary?.resetsAt == nil) #expect(usage.primary?.resetDescription == nil) + #expect(usage.openRouterUsage?.keyQuotaStatus == .available) + } + + @Test + func toUsageSnapshot_withoutValidKeyLimitOmitsPrimaryWindow() { + let snapshot = OpenRouterUsageSnapshot( + totalCredits: 50, + totalUsage: 45.3895596325, + balance: 4.6104403675, + usedPercent: 90.779119265, + keyLimit: nil, + keyUsage: nil, + rateLimit: nil, + updatedAt: Date(timeIntervalSince1970: 1_739_841_600)) + + let usage = snapshot.toUsageSnapshot() + + #expect(usage.primary == nil) + #expect(usage.openRouterUsage?.keyQuotaStatus == .unavailable) + } + + @Test + func toUsageSnapshot_whenNoLimitConfiguredOmitsPrimaryAndMarksNoLimit() { + let snapshot = OpenRouterUsageSnapshot( + totalCredits: 50, + totalUsage: 45.3895596325, + balance: 4.6104403675, + usedPercent: 90.779119265, + keyDataFetched: true, + keyLimit: nil, + keyUsage: nil, + rateLimit: nil, + updatedAt: Date(timeIntervalSince1970: 1_739_841_600)) + + let usage = snapshot.toUsageSnapshot() + + #expect(usage.primary == nil) + #expect(usage.openRouterUsage?.keyQuotaStatus == .noLimitConfigured) } @Test @@ -92,7 +133,7 @@ struct OpenRouterUsageStatsTests { let body = #"{"data":{"total_credits":100,"total_usage":40}}"# return Self.makeResponse(url: url, body: body, statusCode: 200) case "/api/v1/key": - let body = #"{"data":{"rate_limit":{"requests":120,"interval":"10s"}}}"# + let body = #"{"data":{"limit":20,"usage":0.5,"rate_limit":{"requests":120,"interval":"10s"}}}"# return Self.makeResponse(url: url, body: body, statusCode: 200) default: return Self.makeResponse(url: url, body: "{}", statusCode: 404) @@ -109,6 +150,65 @@ struct OpenRouterUsageStatsTests { #expect(usage.totalCredits == 100) #expect(usage.totalUsage == 40) + #expect(usage.keyDataFetched) + #expect(usage.keyLimit == 20) + #expect(usage.keyUsage == 0.5) + #expect(usage.keyRemaining == 19.5) + #expect(usage.keyUsedPercent == 2.5) + #expect(usage.keyQuotaStatus == .available) + } + + @Test + func fetchUsage_whenKeyEndpointFailsMarksQuotaUnavailable() async throws { + let registered = URLProtocol.registerClass(OpenRouterStubURLProtocol.self) + defer { + if registered { + URLProtocol.unregisterClass(OpenRouterStubURLProtocol.self) + } + OpenRouterStubURLProtocol.handler = nil + } + + OpenRouterStubURLProtocol.handler = { request in + guard let url = request.url else { throw URLError(.badURL) } + switch url.path { + case "/api/v1/credits": + let body = #"{"data":{"total_credits":100,"total_usage":40}}"# + return Self.makeResponse(url: url, body: body, statusCode: 200) + case "/api/v1/key": + return Self.makeResponse(url: url, body: "{}", statusCode: 500) + default: + return Self.makeResponse(url: url, body: "{}", statusCode: 404) + } + } + + let usage = try await OpenRouterUsageFetcher.fetchUsage( + apiKey: "sk-or-v1-test", + environment: ["OPENROUTER_API_URL": "https://openrouter.test/api/v1"]) + + #expect(!usage.keyDataFetched) + #expect(usage.keyQuotaStatus == .unavailable) + } + + @Test + func usageSnapshot_roundTripPersistsOpenRouterUsageMetadata() throws { + let openRouter = OpenRouterUsageSnapshot( + totalCredits: 50, + totalUsage: 45.3895596325, + balance: 4.6104403675, + usedPercent: 90.779119265, + keyDataFetched: true, + keyLimit: nil, + keyUsage: nil, + rateLimit: nil, + updatedAt: Date(timeIntervalSince1970: 1_739_841_600)) + let snapshot = openRouter.toUsageSnapshot() + + let encoder = JSONEncoder() + let data = try encoder.encode(snapshot) + let decoded = try JSONDecoder().decode(UsageSnapshot.self, from: data) + + #expect(decoded.openRouterUsage?.keyDataFetched == true) + #expect(decoded.openRouterUsage?.keyQuotaStatus == .noLimitConfigured) } private static func makeResponse( diff --git a/Tests/CodexBarTests/StatusItemControllerMenuTests.swift b/Tests/CodexBarTests/StatusItemControllerMenuTests.swift index 9e83f1238..976a0d965 100644 --- a/Tests/CodexBarTests/StatusItemControllerMenuTests.swift +++ b/Tests/CodexBarTests/StatusItemControllerMenuTests.swift @@ -50,4 +50,59 @@ struct StatusItemControllerMenuTests { #expect(percent == 80) } + + @Test + func openRouterBrandFallbackEnabledWhenNoKeyLimitConfigured() { + let snapshot = OpenRouterUsageSnapshot( + totalCredits: 50, + totalUsage: 45, + balance: 5, + usedPercent: 90, + keyDataFetched: true, + keyLimit: nil, + keyUsage: nil, + rateLimit: nil, + updatedAt: Date()).toUsageSnapshot() + + #expect(StatusItemController.shouldUseOpenRouterBrandFallback( + provider: .openrouter, + snapshot: snapshot)) + #expect(MenuBarDisplayText.percentText(window: snapshot.primary, showUsed: false) == nil) + } + + @Test + func openRouterBrandFallbackDisabledWhenKeyQuotaFetchUnavailable() { + let snapshot = OpenRouterUsageSnapshot( + totalCredits: 50, + totalUsage: 45, + balance: 5, + usedPercent: 90, + keyDataFetched: false, + keyLimit: nil, + keyUsage: nil, + rateLimit: nil, + updatedAt: Date()).toUsageSnapshot() + + #expect(!StatusItemController.shouldUseOpenRouterBrandFallback( + provider: .openrouter, + snapshot: snapshot)) + } + + @Test + func openRouterBrandFallbackDisabledWhenKeyQuotaAvailable() { + let snapshot = OpenRouterUsageSnapshot( + totalCredits: 50, + totalUsage: 45, + balance: 5, + usedPercent: 90, + keyLimit: 20, + keyUsage: 2, + rateLimit: nil, + updatedAt: Date()).toUsageSnapshot() + + #expect(!StatusItemController.shouldUseOpenRouterBrandFallback( + provider: .openrouter, + snapshot: snapshot)) + #expect(snapshot.primary?.usedPercent == 10) + } } From d6a6905800a606ceefb982c97192fd29b464d211 Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Thu, 19 Feb 2026 01:16:03 +0530 Subject: [PATCH 121/131] Refine OpenRouter settings and fallback status icons --- Sources/CodexBar/MenuCardView.swift | 24 +++--- .../PreferencesProviderDetailView.swift | 84 ++++++++++++++++--- .../CodexBar/PreferencesProvidersPane.swift | 41 +++++---- .../OpenRouterProviderImplementation.swift | 4 +- .../SettingsStore+MenuPreferences.swift | 19 +++++ .../StatusItemController+Animation.swift | 50 ++++++++++- Tests/CodexBarTests/MenuCardModelTests.swift | 33 -------- .../ProvidersPaneCoverageTests.swift | 33 ++++++++ .../SettingsStoreAdditionalTests.swift | 14 ++++ .../StatusItemAnimationTests.swift | 47 +++++++++++ 10 files changed, 274 insertions(+), 75 deletions(-) diff --git a/Sources/CodexBar/MenuCardView.swift b/Sources/CodexBar/MenuCardView.swift index 3380c4123..a1bfc7141 100644 --- a/Sources/CodexBar/MenuCardView.swift +++ b/Sources/CodexBar/MenuCardView.swift @@ -688,24 +688,20 @@ extension UsageMenuCardView.Model { } private static func usageNotes(provider: UsageProvider, snapshot: UsageSnapshot?) -> [String] { - guard provider == .openrouter else { + guard provider == .openrouter, + let openRouter = snapshot?.openRouterUsage + else { return [] } - guard let snapshot else { return [] } - if let openRouter = snapshot.openRouterUsage { - switch openRouter.keyQuotaStatus { - case .available: - return [] - case .noLimitConfigured: - return ["No limit set for the API key"] - case .unavailable: - return ["API key limit unavailable right now"] - } - } - if snapshot.primary == nil { + + switch openRouter.keyQuotaStatus { + case .available: + return [] + case .noLimitConfigured: + return ["No limit set for the API key"] + case .unavailable: return ["API key limit unavailable right now"] } - return [] } private static func email( diff --git a/Sources/CodexBar/PreferencesProviderDetailView.swift b/Sources/CodexBar/PreferencesProviderDetailView.swift index f8b843240..58a55deb5 100644 --- a/Sources/CodexBar/PreferencesProviderDetailView.swift +++ b/Sources/CodexBar/PreferencesProviderDetailView.swift @@ -17,6 +17,31 @@ struct ProviderDetailView: View { let onCopyError: (String) -> Void let onRefresh: () -> Void + static func metricTitle(provider: UsageProvider, metric: UsageMenuCardView.Model.Metric) -> String { + UsageMenuCardView.popupMetricTitle(provider: provider, metric: metric) + } + + static func planRow(provider: UsageProvider, planText: String?) -> (label: String, value: String)? { + guard let rawPlan = planText?.trimmingCharacters(in: .whitespacesAndNewlines), + !rawPlan.isEmpty + else { + return nil + } + guard provider == .openrouter else { + return (label: "Plan", value: rawPlan) + } + + let prefix = "Balance:" + if rawPlan.hasPrefix(prefix) { + let valueStart = rawPlan.index(rawPlan.startIndex, offsetBy: prefix.count) + let trimmedValue = rawPlan[valueStart...].trimmingCharacters(in: .whitespacesAndNewlines) + if !trimmedValue.isEmpty { + return (label: "Balance", value: trimmedValue) + } + } + return (label: "Balance", value: rawPlan) + } + var body: some View { ScrollView { VStack(alignment: .leading, spacing: 16) { @@ -89,11 +114,13 @@ struct ProviderDetailView: View { if !self.model.email.isEmpty { infoLabels.append("Account") } - if let plan = self.model.planText, !plan.isEmpty { - infoLabels.append("Plan") + if let planRow = Self.planRow(provider: self.provider, planText: self.model.planText) { + infoLabels.append(planRow.label) } - var metricLabels = self.model.metrics.map(\.title) + var metricLabels = self.model.metrics.map { metric in + Self.metricTitle(provider: self.provider, metric: metric) + } if self.model.creditsText != nil { metricLabels.append("Credits") } @@ -210,7 +237,6 @@ private struct ProviderDetailInfoGrid: View { let version = self.store.version(for: self.provider) ?? "not detected" let updated = self.updatedText let email = self.model.email - let plan = self.model.planText ?? "" let enabledText = self.isEnabled ? "Enabled" : "Disabled" Grid(alignment: .leading, horizontalSpacing: 12, verticalSpacing: 6) { @@ -230,8 +256,8 @@ private struct ProviderDetailInfoGrid: View { ProviderDetailInfoRow(label: "Account", value: email, labelWidth: self.labelWidth) } - if !plan.isEmpty { - ProviderDetailInfoRow(label: "Plan", value: plan, labelWidth: self.labelWidth) + if let planRow = ProviderDetailView.planRow(provider: self.provider, planText: self.model.planText) { + ProviderDetailInfoRow(label: planRow.label, value: planRow.value, labelWidth: self.labelWidth) } } .font(.footnote) @@ -272,15 +298,18 @@ struct ProviderMetricsInlineView: View { let labelWidth: CGFloat var body: some View { + let hasMetrics = !self.model.metrics.isEmpty + let hasUsageNotes = !self.model.usageNotes.isEmpty + let hasCredits = self.model.creditsText != nil + let hasProviderCost = self.model.providerCost != nil + let hasTokenUsage = self.model.tokenUsage != nil ProviderSettingsSection( title: "Usage", spacing: 8, verticalPadding: 6, horizontalPadding: 0) { - if self.model.metrics.isEmpty, self.model.providerCost == nil, - self.model.creditsText == nil, self.model.tokenUsage == nil - { + if !hasMetrics, !hasUsageNotes, !hasProviderCost, !hasCredits, !hasTokenUsage { Text(self.placeholderText) .font(.footnote) .foregroundStyle(.secondary) @@ -288,10 +317,18 @@ struct ProviderMetricsInlineView: View { ForEach(self.model.metrics, id: \.id) { metric in ProviderMetricInlineRow( metric: metric, + title: ProviderDetailView.metricTitle(provider: self.provider, metric: metric), progressColor: self.model.progressColor, labelWidth: self.labelWidth) } + if hasUsageNotes { + ProviderUsageNotesInlineView( + notes: self.model.usageNotes, + labelWidth: self.labelWidth, + alignsWithMetricContent: hasMetrics) + } + if let credits = self.model.creditsText { ProviderMetricInlineTextRow( title: "Credits", @@ -330,12 +367,13 @@ struct ProviderMetricsInlineView: View { private struct ProviderMetricInlineRow: View { let metric: UsageMenuCardView.Model.Metric + let title: String let progressColor: Color let labelWidth: CGFloat var body: some View { HStack(alignment: .top, spacing: 10) { - Text(self.metric.title) + Text(self.title) .font(.subheadline.weight(.semibold)) .lineLimit(1) .frame(width: self.labelWidth, alignment: .leading) @@ -397,6 +435,32 @@ private struct ProviderMetricInlineRow: View { } } +private struct ProviderUsageNotesInlineView: View { + let notes: [String] + let labelWidth: CGFloat + let alignsWithMetricContent: Bool + + var body: some View { + HStack(alignment: .top, spacing: 10) { + if self.alignsWithMetricContent { + Spacer() + .frame(width: self.labelWidth) + } + VStack(alignment: .leading, spacing: 4) { + ForEach(Array(self.notes.enumerated()), id: \.offset) { _, note in + Text(note) + .font(.footnote) + .foregroundStyle(.secondary) + .lineLimit(2) + .fixedSize(horizontal: false, vertical: true) + } + } + .frame(maxWidth: .infinity, alignment: .leading) + } + .padding(.vertical, 2) + } +} + private struct ProviderMetricInlineTextRow: View { let title: String let value: String diff --git a/Sources/CodexBar/PreferencesProvidersPane.swift b/Sources/CodexBar/PreferencesProvidersPane.swift index c08711077..877c78da9 100644 --- a/Sources/CodexBar/PreferencesProvidersPane.swift +++ b/Sources/CodexBar/PreferencesProvidersPane.swift @@ -264,21 +264,32 @@ struct ProvidersPane: View { func menuBarMetricPicker(for provider: UsageProvider) -> ProviderSettingsPickerDescriptor? { if provider == .zai { return nil } - let metadata = self.store.metadata(for: provider) - let supportsAverage = self.settings.menuBarMetricSupportsAverage(for: provider) - var options: [ProviderSettingsPickerOption] = [ - ProviderSettingsPickerOption(id: MenuBarMetricPreference.automatic.rawValue, title: "Automatic"), - ProviderSettingsPickerOption( - id: MenuBarMetricPreference.primary.rawValue, - title: "Primary (\(metadata.sessionLabel))"), - ProviderSettingsPickerOption( - id: MenuBarMetricPreference.secondary.rawValue, - title: "Secondary (\(metadata.weeklyLabel))"), - ] - if supportsAverage { - options.append(ProviderSettingsPickerOption( - id: MenuBarMetricPreference.average.rawValue, - title: "Average (\(metadata.sessionLabel) + \(metadata.weeklyLabel))")) + let options: [ProviderSettingsPickerOption] + if provider == .openrouter { + options = [ + ProviderSettingsPickerOption(id: MenuBarMetricPreference.automatic.rawValue, title: "Automatic"), + ProviderSettingsPickerOption( + id: MenuBarMetricPreference.primary.rawValue, + title: "Primary (API key limit)"), + ] + } else { + let metadata = self.store.metadata(for: provider) + let supportsAverage = self.settings.menuBarMetricSupportsAverage(for: provider) + var metricOptions: [ProviderSettingsPickerOption] = [ + ProviderSettingsPickerOption(id: MenuBarMetricPreference.automatic.rawValue, title: "Automatic"), + ProviderSettingsPickerOption( + id: MenuBarMetricPreference.primary.rawValue, + title: "Primary (\(metadata.sessionLabel))"), + ProviderSettingsPickerOption( + id: MenuBarMetricPreference.secondary.rawValue, + title: "Secondary (\(metadata.weeklyLabel))"), + ] + if supportsAverage { + metricOptions.append(ProviderSettingsPickerOption( + id: MenuBarMetricPreference.average.rawValue, + title: "Average (\(metadata.sessionLabel) + \(metadata.weeklyLabel))")) + } + options = metricOptions } return ProviderSettingsPickerDescriptor( id: "menuBarMetric", diff --git a/Sources/CodexBar/Providers/OpenRouter/OpenRouterProviderImplementation.swift b/Sources/CodexBar/Providers/OpenRouter/OpenRouterProviderImplementation.swift index b604dcf6c..d584a2430 100644 --- a/Sources/CodexBar/Providers/OpenRouter/OpenRouterProviderImplementation.swift +++ b/Sources/CodexBar/Providers/OpenRouter/OpenRouterProviderImplementation.swift @@ -43,7 +43,9 @@ struct OpenRouterProviderImplementation: ProviderImplementation { ProviderSettingsFieldDescriptor( id: "openrouter-api-key", title: "API key", - subtitle: "Stored in ~/.codexbar/config.json. Get your key from openrouter.ai/settings/keys.", + subtitle: "Stored in ~/.codexbar/config.json. " + + "Get your key from openrouter.ai/settings/keys and set a key spending limit " + + "there to enable API key quota tracking.", kind: .secure, placeholder: "sk-or-v1-...", binding: context.stringBinding(\.openRouterAPIToken), diff --git a/Sources/CodexBar/SettingsStore+MenuPreferences.swift b/Sources/CodexBar/SettingsStore+MenuPreferences.swift index c3136c272..210a286d4 100644 --- a/Sources/CodexBar/SettingsStore+MenuPreferences.swift +++ b/Sources/CodexBar/SettingsStore+MenuPreferences.swift @@ -4,6 +4,16 @@ import Foundation extension SettingsStore { func menuBarMetricPreference(for provider: UsageProvider) -> MenuBarMetricPreference { if provider == .zai { return .primary } + if provider == .openrouter { + let raw = self.menuBarMetricPreferencesRaw[provider.rawValue] ?? "" + let preference = MenuBarMetricPreference(rawValue: raw) ?? .automatic + switch preference { + case .automatic, .primary: + return preference + case .secondary, .average: + return .automatic + } + } let raw = self.menuBarMetricPreferencesRaw[provider.rawValue] ?? "" let preference = MenuBarMetricPreference(rawValue: raw) ?? .automatic if preference == .average, !self.menuBarMetricSupportsAverage(for: provider) { @@ -17,6 +27,15 @@ extension SettingsStore { self.menuBarMetricPreferencesRaw[provider.rawValue] = MenuBarMetricPreference.primary.rawValue return } + if provider == .openrouter { + switch preference { + case .automatic, .primary: + self.menuBarMetricPreferencesRaw[provider.rawValue] = preference.rawValue + case .secondary, .average: + self.menuBarMetricPreferencesRaw[provider.rawValue] = MenuBarMetricPreference.automatic.rawValue + } + return + } self.menuBarMetricPreferencesRaw[provider.rawValue] = preference.rawValue } diff --git a/Sources/CodexBar/StatusItemController+Animation.swift b/Sources/CodexBar/StatusItemController+Animation.swift index 587189d6a..a411cf8c1 100644 --- a/Sources/CodexBar/StatusItemController+Animation.swift +++ b/Sources/CodexBar/StatusItemController+Animation.swift @@ -263,7 +263,9 @@ extension StatusItemController { let brand = ProviderBrandIcon.image(for: primaryProvider) { self.setButtonTitle(nil, for: button) - self.setButtonImage(brand, for: button) + self.setButtonImage( + Self.brandImageWithStatusOverlay(brand: brand, statusIndicator: statusIndicator), + for: button) return } @@ -307,7 +309,11 @@ extension StatusItemController { let brand = ProviderBrandIcon.image(for: provider) { self.setButtonTitle(nil, for: button) - self.setButtonImage(brand, for: button) + self.setButtonImage( + Self.brandImageWithStatusOverlay( + brand: brand, + statusIndicator: self.store.statusIndicator(for: provider)), + for: button) return } var primary = showUsed ? snapshot?.primary?.usedPercent : snapshot?.primary?.remainingPercent @@ -536,6 +542,46 @@ extension StatusItemController { return openRouterUsage.keyQuotaStatus == .noLimitConfigured } + nonisolated static func brandImageWithStatusOverlay( + brand: NSImage, + statusIndicator: ProviderStatusIndicator) -> NSImage + { + guard statusIndicator.hasIssue else { return brand } + + let image = NSImage(size: brand.size) + image.lockFocus() + brand.draw( + at: .zero, + from: NSRect(origin: .zero, size: brand.size), + operation: .sourceOver, + fraction: 1.0) + Self.drawBrandStatusOverlay(indicator: statusIndicator, size: brand.size) + image.unlockFocus() + image.isTemplate = brand.isTemplate + return image + } + + private nonisolated static func drawBrandStatusOverlay(indicator: ProviderStatusIndicator, size: NSSize) { + guard indicator.hasIssue else { return } + + let color = NSColor.labelColor + switch indicator { + case .minor, .maintenance: + let dotSize = CGSize(width: 4, height: 4) + let dotOrigin = CGPoint(x: size.width - dotSize.width - 2, y: 2) + color.setFill() + NSBezierPath(ovalIn: CGRect(origin: dotOrigin, size: dotSize)).fill() + case .major, .critical, .unknown: + color.setFill() + let lineRect = CGRect(x: size.width - 6, y: 4, width: 2, height: 6) + NSBezierPath(roundedRect: lineRect, xRadius: 1, yRadius: 1).fill() + let dotRect = CGRect(x: size.width - 6, y: 2, width: 2, height: 2) + NSBezierPath(ovalIn: dotRect).fill() + case .none: + break + } + } + private func advanceAnimationPattern() { let patterns = LoadingPattern.allCases if let idx = patterns.firstIndex(of: self.animationPattern) { diff --git a/Tests/CodexBarTests/MenuCardModelTests.swift b/Tests/CodexBarTests/MenuCardModelTests.swift index 8909b7f7d..1df1bb3bb 100644 --- a/Tests/CodexBarTests/MenuCardModelTests.swift +++ b/Tests/CodexBarTests/MenuCardModelTests.swift @@ -518,39 +518,6 @@ struct MenuCardModelTests { #expect(model.usageNotes == ["API key limit unavailable right now"]) } - @Test - func openRouterModel_legacyCachedSnapshotWithoutOpenRouterUsageShowsUnavailableNote() throws { - let now = Date() - let metadata = try #require(ProviderDefaults.metadata[.openrouter]) - let snapshot = UsageSnapshot( - primary: nil, - secondary: nil, - updatedAt: now) - - let model = UsageMenuCardView.Model.make(.init( - provider: .openrouter, - metadata: metadata, - snapshot: snapshot, - credits: nil, - creditsError: nil, - dashboard: nil, - dashboardError: nil, - tokenSnapshot: nil, - tokenError: nil, - account: AccountInfo(email: nil, plan: nil), - isRefreshing: false, - lastError: nil, - usageBarsShowUsed: false, - resetTimeDisplayStyle: .countdown, - tokenCostUsageEnabled: false, - showOptionalCreditsAndExtraUsage: true, - hidePersonalInfo: false, - now: now)) - - #expect(model.metrics.isEmpty) - #expect(model.usageNotes == ["API key limit unavailable right now"]) - } - @Test func hidesEmailWhenPersonalInfoHidden() throws { let now = Date() diff --git a/Tests/CodexBarTests/ProvidersPaneCoverageTests.swift b/Tests/CodexBarTests/ProvidersPaneCoverageTests.swift index e3f2bd553..e5ea668de 100644 --- a/Tests/CodexBarTests/ProvidersPaneCoverageTests.swift +++ b/Tests/CodexBarTests/ProvidersPaneCoverageTests.swift @@ -14,6 +14,39 @@ struct ProvidersPaneCoverageTests { ProvidersPaneTestHarness.exercise(settings: settings, store: store) } + @Test + func openRouterMenuBarMetricPicker_showsOnlyAutomaticAndPrimary() { + let settings = Self.makeSettingsStore(suite: "ProvidersPaneCoverageTests-openrouter-picker") + let store = Self.makeUsageStore(settings: settings) + let pane = ProvidersPane(settings: settings, store: store) + + let picker = pane._test_menuBarMetricPicker(for: .openrouter) + #expect(picker?.options.map(\.id) == [ + MenuBarMetricPreference.automatic.rawValue, + MenuBarMetricPreference.primary.rawValue, + ]) + #expect(picker?.options.map(\.title) == [ + "Automatic", + "Primary (API key limit)", + ]) + } + + @Test + func providerDetailPlanRow_formatsOpenRouterAsBalance() { + let row = ProviderDetailView.planRow(provider: .openrouter, planText: "Balance: $4.61") + + #expect(row?.label == "Balance") + #expect(row?.value == "$4.61") + } + + @Test + func providerDetailPlanRow_keepsPlanLabelForNonOpenRouter() { + let row = ProviderDetailView.planRow(provider: .codex, planText: "Pro") + + #expect(row?.label == "Plan") + #expect(row?.value == "Pro") + } + private static func makeSettingsStore(suite: String) -> SettingsStore { let defaults = UserDefaults(suiteName: suite)! defaults.removePersistentDomain(forName: suite) diff --git a/Tests/CodexBarTests/SettingsStoreAdditionalTests.swift b/Tests/CodexBarTests/SettingsStoreAdditionalTests.swift index 7b30c5a47..7ec91584c 100644 --- a/Tests/CodexBarTests/SettingsStoreAdditionalTests.swift +++ b/Tests/CodexBarTests/SettingsStoreAdditionalTests.swift @@ -20,6 +20,20 @@ struct SettingsStoreAdditionalTests { #expect(settings.menuBarMetricPreference(for: .gemini) == .average) } + @Test + func menuBarMetricPreferenceRestrictsOpenRouterToAutomaticOrPrimary() { + let settings = Self.makeSettingsStore(suite: "SettingsStoreAdditionalTests-openrouter-metric") + + settings.setMenuBarMetricPreference(.secondary, for: .openrouter) + #expect(settings.menuBarMetricPreference(for: .openrouter) == .automatic) + + settings.setMenuBarMetricPreference(.average, for: .openrouter) + #expect(settings.menuBarMetricPreference(for: .openrouter) == .automatic) + + settings.setMenuBarMetricPreference(.primary, for: .openrouter) + #expect(settings.menuBarMetricPreference(for: .openrouter) == .primary) + } + @Test func minimaxAuthModeUsesStoredValues() { let settings = Self.makeSettingsStore(suite: "SettingsStoreAdditionalTests-minimax") diff --git a/Tests/CodexBarTests/StatusItemAnimationTests.swift b/Tests/CodexBarTests/StatusItemAnimationTests.swift index e4c8a5407..94936ae76 100644 --- a/Tests/CodexBarTests/StatusItemAnimationTests.swift +++ b/Tests/CodexBarTests/StatusItemAnimationTests.swift @@ -6,6 +6,19 @@ import Testing @MainActor @Suite struct StatusItemAnimationTests { + private func maxAlpha(in rep: NSBitmapImageRep) -> CGFloat { + var maxAlpha: CGFloat = 0 + for x in 0.. maxAlpha { + maxAlpha = alpha + } + } + } + return maxAlpha + } + private func makeStatusBarForTesting() -> NSStatusBar { let env = ProcessInfo.processInfo.environment if env["GITHUB_ACTIONS"] == "true" || env["CI"] == "true" { @@ -373,4 +386,38 @@ struct StatusItemAnimationTests { #expect(pace == nil) #expect(both == nil) } + + @Test + func brandImageWithStatusOverlayReturnsOriginalImageWhenNoIssue() { + let brand = NSImage(size: NSSize(width: 16, height: 16)) + brand.isTemplate = true + + let output = StatusItemController.brandImageWithStatusOverlay(brand: brand, statusIndicator: .none) + + #expect(output === brand) + } + + @Test + func brandImageWithStatusOverlayDrawsIssueMark() throws { + let size = NSSize(width: 16, height: 16) + let brand = NSImage(size: size) + brand.lockFocus() + NSColor.clear.setFill() + NSBezierPath(rect: NSRect(origin: .zero, size: size)).fill() + brand.unlockFocus() + brand.isTemplate = true + + let baselineData = try #require(brand.tiffRepresentation) + let baselineRep = try #require(NSBitmapImageRep(data: baselineData)) + let baselineAlpha = self.maxAlpha(in: baselineRep) + + let output = StatusItemController.brandImageWithStatusOverlay(brand: brand, statusIndicator: .major) + + #expect(output !== brand) + let outputData = try #require(output.tiffRepresentation) + let outputRep = try #require(NSBitmapImageRep(data: outputData)) + let outputAlpha = self.maxAlpha(in: outputRep) + #expect(baselineAlpha < 0.01) + #expect(outputAlpha > 0.01) + } } From 064ca72da14ff101d986962544322b2b314553b1 Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Thu, 19 Feb 2026 14:56:02 +0530 Subject: [PATCH 122/131] Update CHANGELOG.md --- CHANGELOG.md | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index b8ebc8be1..df022e39c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,31 @@ # Changelog +## Unreleased +### Highlights +- Add an experimental option to suppress Claude Keychain prompts. +- Add OpenRouter provider for credit-based usage tracking (#396). Thanks @chountalas! +- Add Ollama provider, including token-account support in Settings and CLI (#380). Thanks @CryptoSageSnr! + + +### Providers & Usage +- OpenRouter: add credit tracking, key-quota popup support, token-account labels, fallback status icons, and updated icon/color (#396). Thanks @chountalas! +- Ollama: add provider support with token-account support in app/CLI, Chrome-default auto cookie import, and manual-cookie mode (#380). Thanks @CryptoSageSnr! +- Update Kiro parsing for `kiro-cli` 1.24+ / Q Developer formats and non-managed plan handling (#288). Thanks @kilhyeonjun! +- OpenCode: surface clearer HTTP errors. Thanks @SalimBinYousuf1! +- Warp: update API key setup guidance. +- Fix Claude setup message package name (#376). Thanks @daegwang! + +### Claude OAuth & Keychain +- Add an experimental Claude OAuth Security-CLI reader path and option in settings. +- Apply stored prompt mode and fallback policy to silent/noninteractive keychain probes. +- Add cooldown for background OAuth keychain retries. +- Disable experimental toggle when keychain access is disabled. + +### Dev & Tests +- Run provider fetches and Claude debug OAuth probes off `MainActor`. +- Split Claude OAuth test overrides and isolate coordinator tests. + + ## 0.18.0-beta.3 — 2026-02-13 ### Highlights - Claude OAuth/keychain flows were reworked across a series of follow-up PRs to reduce prompt storms, stabilize background behavior, surface a setting to control prompt policy and make failure modes deterministic (#245, #305, #308, #309, #364). Thanks @manikv12! From 503ac4e0bb5d5a1b1dc249b0ebe832197d262b8f Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Fri, 20 Feb 2026 15:29:05 +0530 Subject: [PATCH 123/131] Add test for merged menu rebuilds switcher on usage change --- Tests/CodexBarTests/StatusMenuTests.swift | 47 +++++++++++++++++++++++ 1 file changed, 47 insertions(+) diff --git a/Tests/CodexBarTests/StatusMenuTests.swift b/Tests/CodexBarTests/StatusMenuTests.swift index 55fc217c6..212ecd897 100644 --- a/Tests/CodexBarTests/StatusMenuTests.swift +++ b/Tests/CodexBarTests/StatusMenuTests.swift @@ -183,6 +183,53 @@ struct StatusMenuTests { #expect(hasOpenAIWebSubmenus(menu) == false) } + @Test + func openMergedMenuRebuildsSwitcherWhenUsageBarsModeChanges() { + self.disableMenuCardsForTesting() + let settings = self.makeSettings() + settings.statusChecksEnabled = false + settings.refreshFrequency = .manual + settings.mergeIcons = true + settings.selectedMenuProvider = .codex + settings.usageBarsShowUsed = false + + let registry = ProviderRegistry.shared + for provider in UsageProvider.allCases { + guard let metadata = registry.metadata[provider] else { continue } + let shouldEnable = provider == .codex || provider == .claude + settings.setProviderEnabled(provider: provider, metadata: metadata, enabled: shouldEnable) + } + + let fetcher = UsageFetcher() + let store = UsageStore(fetcher: fetcher, browserDetection: BrowserDetection(cacheTTL: 0), settings: settings) + let controller = StatusItemController( + store: store, + settings: settings, + account: fetcher.loadAccountInfo(), + updater: DisabledUpdaterController(), + preferencesSelection: PreferencesSelection(), + statusBar: self.makeStatusBarForTesting()) + + #expect(store.enabledProviders().count == 2) + #expect(controller.shouldMergeIcons == true) + + let menu = controller.makeMenu() + controller.menuWillOpen(menu) + + let initialSwitcher = menu.items.first?.view as? ProviderSwitcherView + #expect(initialSwitcher != nil) + let initialSwitcherID = initialSwitcher.map(ObjectIdentifier.init) + + settings.usageBarsShowUsed = true + controller.handleProviderConfigChange(reason: "usageBarsShowUsed") + + let updatedSwitcher = menu.items.first?.view as? ProviderSwitcherView + #expect(updatedSwitcher != nil) + if let initialSwitcherID, let updatedSwitcher { + #expect(initialSwitcherID != ObjectIdentifier(updatedSwitcher)) + } + } + @Test func providerToggleUpdatesStatusItemVisibility() { self.disableMenuCardsForTesting() From 0b64f58a08fa094b8f9e2243f487b599a7e30358 Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Fri, 20 Feb 2026 15:29:10 +0530 Subject: [PATCH 124/131] Update CHANGELOG.md --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index df022e39c..a4d2aa382 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,6 +10,7 @@ ### Providers & Usage - OpenRouter: add credit tracking, key-quota popup support, token-account labels, fallback status icons, and updated icon/color (#396). Thanks @chountalas! - Ollama: add provider support with token-account support in app/CLI, Chrome-default auto cookie import, and manual-cookie mode (#380). Thanks @CryptoSageSnr! +- Menu: rebuild the merged provider switcher when “Show usage as used” changes so switcher progress updates immediately (#306). Thanks @Flohhhhh! - Update Kiro parsing for `kiro-cli` 1.24+ / Q Developer formats and non-managed plan handling (#288). Thanks @kilhyeonjun! - OpenCode: surface clearer HTTP errors. Thanks @SalimBinYousuf1! - Warp: update API key setup guidance. From 063fb223736fa796b651bba4805dfb6d55d3f229 Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Fri, 20 Feb 2026 17:26:18 +0530 Subject: [PATCH 125/131] Fix redundant parentheses in Codex guard --- Sources/CodexBar/StatusItemController+Animation.swift | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Sources/CodexBar/StatusItemController+Animation.swift b/Sources/CodexBar/StatusItemController+Animation.swift index e448e327d..13f28db18 100644 --- a/Sources/CodexBar/StatusItemController+Animation.swift +++ b/Sources/CodexBar/StatusItemController+Animation.swift @@ -357,7 +357,7 @@ extension StatusItemController { if provider == .codex, self.settings.menuBarDisplayMode == .percent, !self.settings.usageBarsShowUsed, - (sessionExhausted || weeklyExhausted), + sessionExhausted || weeklyExhausted, let creditsRemaining = self.store.credits?.remaining, creditsRemaining > 0 { From 7ead92d25b80f9997bbe6a957a0ca000003dd04d Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Sat, 21 Feb 2026 22:14:41 +0530 Subject: [PATCH 126/131] Handle OpenCode null subscription responses gracefully --- .../OpenCode/OpenCodeUsageFetcher.swift | 27 ++++ .../OpenCodeUsageFetcherErrorTests.swift | 132 ++++++++++++++++++ 2 files changed, 159 insertions(+) diff --git a/Sources/CodexBarCore/Providers/OpenCode/OpenCodeUsageFetcher.swift b/Sources/CodexBarCore/Providers/OpenCode/OpenCodeUsageFetcher.swift index bc6b0af29..ed27f1d4f 100644 --- a/Sources/CodexBarCore/Providers/OpenCode/OpenCodeUsageFetcher.swift +++ b/Sources/CodexBarCore/Providers/OpenCode/OpenCodeUsageFetcher.swift @@ -161,6 +161,10 @@ public struct OpenCodeUsageFetcher: Sendable { if self.looksSignedOut(text: text) { throw OpenCodeUsageError.invalidCredentials } + if self.isExplicitNullPayload(text: text) { + Self.log.warning("OpenCode subscription GET returned null; skipping POST fallback.") + throw self.missingSubscriptionDataError(workspaceID: workspaceID) + } if self.parseSubscriptionJSON(text: text, now: Date()) == nil, self.extractDouble( pattern: #"rollingUsage[^}]*?usagePercent\s*:\s*([0-9]+(?:\.[0-9]+)?)"#, @@ -178,11 +182,34 @@ public struct OpenCodeUsageFetcher: Sendable { if self.looksSignedOut(text: fallback) { throw OpenCodeUsageError.invalidCredentials } + if self.isExplicitNullPayload(text: fallback) { + Self.log.warning("OpenCode subscription POST returned null.") + throw self.missingSubscriptionDataError(workspaceID: workspaceID) + } return fallback } return text } + private static func isExplicitNullPayload(text: String) -> Bool { + let trimmed = text.trimmingCharacters(in: .whitespacesAndNewlines) + if trimmed.caseInsensitiveCompare("null") == .orderedSame { + return true + } + guard let data = trimmed.data(using: .utf8), + let object = try? JSONSerialization.jsonObject(with: data, options: []) + else { + return false + } + return object is NSNull + } + + private static func missingSubscriptionDataError(workspaceID: String) -> OpenCodeUsageError { + OpenCodeUsageError.apiError( + "No subscription usage data was returned for workspace \(workspaceID). " + + "This usually means this workspace does not have OpenCode Black usage data.") + } + private static func normalizeWorkspaceID(_ raw: String?) -> String? { guard let raw else { return nil } let trimmed = raw.trimmingCharacters(in: .whitespacesAndNewlines) diff --git a/Tests/CodexBarTests/OpenCodeUsageFetcherErrorTests.swift b/Tests/CodexBarTests/OpenCodeUsageFetcherErrorTests.swift index 2dbb75350..d64ffb06b 100644 --- a/Tests/CodexBarTests/OpenCodeUsageFetcherErrorTests.swift +++ b/Tests/CodexBarTests/OpenCodeUsageFetcherErrorTests.swift @@ -70,6 +70,138 @@ struct OpenCodeUsageFetcherErrorTests { } } + @Test + func subscriptionGetNullSkipsPostAndReturnsGracefulError() async throws { + let registered = URLProtocol.registerClass(OpenCodeStubURLProtocol.self) + defer { + if registered { + URLProtocol.unregisterClass(OpenCodeStubURLProtocol.self) + } + OpenCodeStubURLProtocol.handler = nil + } + + var methods: [String] = [] + var urls: [URL] = [] + var queries: [String] = [] + var contentTypes: [String] = [] + OpenCodeStubURLProtocol.handler = { request in + guard let url = request.url else { throw URLError(.badURL) } + methods.append(request.httpMethod ?? "GET") + urls.append(url) + queries.append(url.query ?? "") + contentTypes.append(request.value(forHTTPHeaderField: "Content-Type") ?? "") + + if request.httpMethod?.uppercased() == "GET" { + return Self.makeResponse(url: url, body: "null", statusCode: 200, contentType: "application/json") + } + + let body = #"{"status":500,"unhandled":true,"message":"HTTPError"}"# + return Self.makeResponse(url: url, body: body, statusCode: 500, contentType: "application/json") + } + + do { + _ = try await OpenCodeUsageFetcher.fetchUsage( + cookieHeader: "auth=test", + timeout: 2, + workspaceIDOverride: "wrk_TEST123") + Issue.record("Expected OpenCodeUsageError.apiError") + } catch let error as OpenCodeUsageError { + switch error { + case let .apiError(message): + #expect(message.contains("No subscription usage data")) + #expect(message.contains("wrk_TEST123")) + default: + Issue.record("Expected apiError, got: \(error)") + } + } + + #expect(methods == ["GET"]) + #expect(queries[0].contains("id=")) + #expect(queries[0].contains("wrk_TEST123")) + #expect(urls[0].path == "/_server") + #expect(contentTypes[0].isEmpty) + } + + @Test + func subscriptionGetPayloadDoesNotFallbackToPost() async throws { + let registered = URLProtocol.registerClass(OpenCodeStubURLProtocol.self) + defer { + if registered { + URLProtocol.unregisterClass(OpenCodeStubURLProtocol.self) + } + OpenCodeStubURLProtocol.handler = nil + } + + var methods: [String] = [] + OpenCodeStubURLProtocol.handler = { request in + guard let url = request.url else { throw URLError(.badURL) } + methods.append(request.httpMethod ?? "GET") + + let body = """ + { + "rollingUsage": { "usagePercent": 17, "resetInSec": 600 }, + "weeklyUsage": { "usagePercent": 75, "resetInSec": 7200 } + } + """ + return Self.makeResponse(url: url, body: body, statusCode: 200, contentType: "application/json") + } + + let snapshot = try await OpenCodeUsageFetcher.fetchUsage( + cookieHeader: "auth=test", + timeout: 2, + workspaceIDOverride: "wrk_TEST123") + + #expect(snapshot.rollingUsagePercent == 17) + #expect(snapshot.weeklyUsagePercent == 75) + #expect(methods == ["GET"]) + } + + @Test + func subscriptionGetMissingFieldsFallsBackToPost() async throws { + let registered = URLProtocol.registerClass(OpenCodeStubURLProtocol.self) + defer { + if registered { + URLProtocol.unregisterClass(OpenCodeStubURLProtocol.self) + } + OpenCodeStubURLProtocol.handler = nil + } + + var methods: [String] = [] + OpenCodeStubURLProtocol.handler = { request in + guard let url = request.url else { throw URLError(.badURL) } + methods.append(request.httpMethod ?? "GET") + + if request.httpMethod?.uppercased() == "GET" { + return Self.makeResponse( + url: url, + body: #"{"ok":true}"#, + statusCode: 200, + contentType: "application/json") + } + + let body = """ + { + "rollingUsage": { "usagePercent": 22, "resetInSec": 300 }, + "weeklyUsage": { "usagePercent": 44, "resetInSec": 3600 } + } + """ + return Self.makeResponse( + url: url, + body: body, + statusCode: 200, + contentType: "application/json") + } + + let snapshot = try await OpenCodeUsageFetcher.fetchUsage( + cookieHeader: "auth=test", + timeout: 2, + workspaceIDOverride: "wrk_TEST123") + + #expect(snapshot.rollingUsagePercent == 22) + #expect(snapshot.weeklyUsagePercent == 44) + #expect(methods == ["GET", "POST"]) + } + private static func makeResponse( url: URL, body: String, From 106a4e8fb21d90a2898b62ca6b06751b91e21c3a Mon Sep 17 00:00:00 2001 From: Spiros Raptis Date: Fri, 20 Feb 2026 18:44:27 +0200 Subject: [PATCH 127/131] Ignore cancelled OpenAI dashboard navigations --- .../OpenAIDashboardNavigationDelegate.swift | 11 +++++++++++ ...penAIDashboardNavigationDelegateTests.swift | 18 ++++++++++++++++++ 2 files changed, 29 insertions(+) create mode 100644 Tests/CodexBarTests/OpenAIDashboardNavigationDelegateTests.swift diff --git a/Sources/CodexBarCore/OpenAIWeb/OpenAIDashboardNavigationDelegate.swift b/Sources/CodexBarCore/OpenAIWeb/OpenAIDashboardNavigationDelegate.swift index 0bf4e24b8..56b821865 100644 --- a/Sources/CodexBarCore/OpenAIWeb/OpenAIDashboardNavigationDelegate.swift +++ b/Sources/CodexBarCore/OpenAIWeb/OpenAIDashboardNavigationDelegate.swift @@ -19,13 +19,24 @@ final class NavigationDelegate: NSObject, WKNavigationDelegate { } func webView(_ webView: WKWebView, didFail navigation: WKNavigation!, withError error: Error) { + if Self.shouldIgnoreNavigationError(error) { + return + } self.completeOnce(.failure(error)) } func webView(_ webView: WKWebView, didFailProvisionalNavigation navigation: WKNavigation!, withError error: Error) { + if Self.shouldIgnoreNavigationError(error) { + return + } self.completeOnce(.failure(error)) } + static func shouldIgnoreNavigationError(_ error: Error) -> Bool { + let nsError = error as NSError + return nsError.domain == NSURLErrorDomain && nsError.code == NSURLErrorCancelled + } + private func completeOnce(_ result: Result) { guard !self.hasCompleted else { return } self.hasCompleted = true diff --git a/Tests/CodexBarTests/OpenAIDashboardNavigationDelegateTests.swift b/Tests/CodexBarTests/OpenAIDashboardNavigationDelegateTests.swift new file mode 100644 index 000000000..09bdd0553 --- /dev/null +++ b/Tests/CodexBarTests/OpenAIDashboardNavigationDelegateTests.swift @@ -0,0 +1,18 @@ +import Foundation +import Testing +@testable import CodexBarCore + +@Suite +struct OpenAIDashboardNavigationDelegateTests { + @Test("ignores NSURLErrorCancelled") + func ignoresCancelledNavigationError() { + let error = NSError(domain: NSURLErrorDomain, code: NSURLErrorCancelled) + #expect(NavigationDelegate.shouldIgnoreNavigationError(error)) + } + + @Test("does not ignore non-cancelled URL errors") + func doesNotIgnoreOtherURLErrors() { + let error = NSError(domain: NSURLErrorDomain, code: NSURLErrorTimedOut) + #expect(!NavigationDelegate.shouldIgnoreNavigationError(error)) + } +} From c7d1c580dfe49c680287c179e79734434256aa3a Mon Sep 17 00:00:00 2001 From: Spiros Raptis Date: Fri, 20 Feb 2026 18:51:37 +0200 Subject: [PATCH 128/131] Mark navigation error helper nonisolated --- .../OpenAIWeb/OpenAIDashboardNavigationDelegate.swift | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Sources/CodexBarCore/OpenAIWeb/OpenAIDashboardNavigationDelegate.swift b/Sources/CodexBarCore/OpenAIWeb/OpenAIDashboardNavigationDelegate.swift index 56b821865..e9f6e88e7 100644 --- a/Sources/CodexBarCore/OpenAIWeb/OpenAIDashboardNavigationDelegate.swift +++ b/Sources/CodexBarCore/OpenAIWeb/OpenAIDashboardNavigationDelegate.swift @@ -32,7 +32,7 @@ final class NavigationDelegate: NSObject, WKNavigationDelegate { self.completeOnce(.failure(error)) } - static func shouldIgnoreNavigationError(_ error: Error) -> Bool { + nonisolated static func shouldIgnoreNavigationError(_ error: Error) -> Bool { let nsError = error as NSError return nsError.domain == NSURLErrorDomain && nsError.code == NSURLErrorCancelled } From d99d8722c225e6d56abf96e00041dcb489d82984 Mon Sep 17 00:00:00 2001 From: Spiros Raptis Date: Fri, 20 Feb 2026 19:17:31 +0200 Subject: [PATCH 129/131] Complete continuation on ignored cancelled navigation --- .../OpenAIDashboardNavigationDelegate.swift | 2 ++ ...penAIDashboardNavigationDelegateTests.swift | 18 ++++++++++++++++++ 2 files changed, 20 insertions(+) diff --git a/Sources/CodexBarCore/OpenAIWeb/OpenAIDashboardNavigationDelegate.swift b/Sources/CodexBarCore/OpenAIWeb/OpenAIDashboardNavigationDelegate.swift index e9f6e88e7..52ff42ecb 100644 --- a/Sources/CodexBarCore/OpenAIWeb/OpenAIDashboardNavigationDelegate.swift +++ b/Sources/CodexBarCore/OpenAIWeb/OpenAIDashboardNavigationDelegate.swift @@ -20,6 +20,7 @@ final class NavigationDelegate: NSObject, WKNavigationDelegate { func webView(_ webView: WKWebView, didFail navigation: WKNavigation!, withError error: Error) { if Self.shouldIgnoreNavigationError(error) { + self.completeOnce(.success(())) return } self.completeOnce(.failure(error)) @@ -27,6 +28,7 @@ final class NavigationDelegate: NSObject, WKNavigationDelegate { func webView(_ webView: WKWebView, didFailProvisionalNavigation navigation: WKNavigation!, withError error: Error) { if Self.shouldIgnoreNavigationError(error) { + self.completeOnce(.success(())) return } self.completeOnce(.failure(error)) diff --git a/Tests/CodexBarTests/OpenAIDashboardNavigationDelegateTests.swift b/Tests/CodexBarTests/OpenAIDashboardNavigationDelegateTests.swift index 09bdd0553..0f27055f3 100644 --- a/Tests/CodexBarTests/OpenAIDashboardNavigationDelegateTests.swift +++ b/Tests/CodexBarTests/OpenAIDashboardNavigationDelegateTests.swift @@ -1,5 +1,6 @@ import Foundation import Testing +import WebKit @testable import CodexBarCore @Suite @@ -15,4 +16,21 @@ struct OpenAIDashboardNavigationDelegateTests { let error = NSError(domain: NSURLErrorDomain, code: NSURLErrorTimedOut) #expect(!NavigationDelegate.shouldIgnoreNavigationError(error)) } + + @MainActor + @Test("cancelled failures complete with success") + func cancelledFailureCompletesWithSuccess() { + let webView = WKWebView() + var result: Result? + let delegate = NavigationDelegate { result = $0 } + + delegate.webView(webView, didFail: nil, withError: NSError(domain: NSURLErrorDomain, code: NSURLErrorCancelled)) + + switch result { + case .success?: + #expect(Bool(true)) + default: + #expect(Bool(false)) + } + } } From 28c827700ded7e922467e049e700b13a6fa600ef Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Sat, 21 Feb 2026 22:32:52 +0530 Subject: [PATCH 130/131] Avoid early completion on cancelled WebKit navigation --- .../OpenAIDashboardNavigationDelegate.swift | 10 ++---- ...enAIDashboardNavigationDelegateTests.swift | 31 +++++++++++++++++-- 2 files changed, 31 insertions(+), 10 deletions(-) diff --git a/Sources/CodexBarCore/OpenAIWeb/OpenAIDashboardNavigationDelegate.swift b/Sources/CodexBarCore/OpenAIWeb/OpenAIDashboardNavigationDelegate.swift index 52ff42ecb..f2f8c7e3a 100644 --- a/Sources/CodexBarCore/OpenAIWeb/OpenAIDashboardNavigationDelegate.swift +++ b/Sources/CodexBarCore/OpenAIWeb/OpenAIDashboardNavigationDelegate.swift @@ -19,18 +19,12 @@ final class NavigationDelegate: NSObject, WKNavigationDelegate { } func webView(_ webView: WKWebView, didFail navigation: WKNavigation!, withError error: Error) { - if Self.shouldIgnoreNavigationError(error) { - self.completeOnce(.success(())) - return - } + if Self.shouldIgnoreNavigationError(error) { return } self.completeOnce(.failure(error)) } func webView(_ webView: WKWebView, didFailProvisionalNavigation navigation: WKNavigation!, withError error: Error) { - if Self.shouldIgnoreNavigationError(error) { - self.completeOnce(.success(())) - return - } + if Self.shouldIgnoreNavigationError(error) { return } self.completeOnce(.failure(error)) } diff --git a/Tests/CodexBarTests/OpenAIDashboardNavigationDelegateTests.swift b/Tests/CodexBarTests/OpenAIDashboardNavigationDelegateTests.swift index 0f27055f3..f9cb184eb 100644 --- a/Tests/CodexBarTests/OpenAIDashboardNavigationDelegateTests.swift +++ b/Tests/CodexBarTests/OpenAIDashboardNavigationDelegateTests.swift @@ -18,13 +18,15 @@ struct OpenAIDashboardNavigationDelegateTests { } @MainActor - @Test("cancelled failures complete with success") - func cancelledFailureCompletesWithSuccess() { + @Test("cancelled failure is ignored until finish") + func cancelledFailureIsIgnoredUntilFinish() { let webView = WKWebView() var result: Result? let delegate = NavigationDelegate { result = $0 } delegate.webView(webView, didFail: nil, withError: NSError(domain: NSURLErrorDomain, code: NSURLErrorCancelled)) + #expect(result == nil) + delegate.webView(webView, didFinish: nil) switch result { case .success?: @@ -33,4 +35,29 @@ struct OpenAIDashboardNavigationDelegateTests { #expect(Bool(false)) } } + + @MainActor + @Test("cancelled provisional failure is ignored until real failure") + func cancelledProvisionalFailureIsIgnoredUntilRealFailure() { + let webView = WKWebView() + var result: Result? + let delegate = NavigationDelegate { result = $0 } + + delegate.webView( + webView, + didFailProvisionalNavigation: nil, + withError: NSError(domain: NSURLErrorDomain, code: NSURLErrorCancelled)) + #expect(result == nil) + + let timeout = NSError(domain: NSURLErrorDomain, code: NSURLErrorTimedOut) + delegate.webView(webView, didFailProvisionalNavigation: nil, withError: timeout) + + switch result { + case let .failure(error as NSError)?: + #expect(error.domain == NSURLErrorDomain) + #expect(error.code == NSURLErrorTimedOut) + default: + #expect(Bool(false)) + } + } } From 559e7ec7a04cb127cfb7a6389cc3e229bc983691 Mon Sep 17 00:00:00 2001 From: Ratul Sarna Date: Sun, 22 Feb 2026 00:15:21 +0530 Subject: [PATCH 131/131] Update CHANGELOG.md --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index a4d2aa382..122f164c6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,8 +10,10 @@ ### Providers & Usage - OpenRouter: add credit tracking, key-quota popup support, token-account labels, fallback status icons, and updated icon/color (#396). Thanks @chountalas! - Ollama: add provider support with token-account support in app/CLI, Chrome-default auto cookie import, and manual-cookie mode (#380). Thanks @CryptoSageSnr! +- Codex: in percent display mode with "show remaining," show remaining credits in the menu bar when session or weekly usage is exhausted (#336). Thanks @teron131! - Menu: rebuild the merged provider switcher when “Show usage as used” changes so switcher progress updates immediately (#306). Thanks @Flohhhhh! - Update Kiro parsing for `kiro-cli` 1.24+ / Q Developer formats and non-managed plan handling (#288). Thanks @kilhyeonjun! +- OpenCode: treat explicit `null` subscription responses as missing usage data, skip POST fallback, and return a clearer workspace-specific error (#412). - OpenCode: surface clearer HTTP errors. Thanks @SalimBinYousuf1! - Warp: update API key setup guidance. - Fix Claude setup message package name (#376). Thanks @daegwang!