Skip to content

fix(account): preserve full OAuth credential blob for token refresh#104

Merged
himerus merged 13 commits intostagingfrom
fix/oauth-raw-blob-credential
Apr 15, 2026
Merged

fix(account): preserve full OAuth credential blob for token refresh#104
himerus merged 13 commits intostagingfrom
fix/oauth-raw-blob-credential

Conversation

@himerus
Copy link
Copy Markdown
Contributor

@himerus himerus commented Apr 15, 2026

Summary

  • Root cause: readClaudeCodeCredential() extracted only 6 fields from Claude Code's keychain blob, stripping OAuth metadata (tokenEndpoint, clientId, etc.) needed for token refresh. After ~2 hours when the access token expired, Claude Code couldn't refresh → persistent 401 errors breaking cron jobs and overnight workflows.
  • All credential storage/restoration now uses raw blob passthrough — no field extraction or re-wrapping
  • Added keychainSetRaw, keychainGetRaw, readClaudeCodeCredentialRaw, parseCredentialForDisplay, rawCredentialHasToken to keychain module
  • Updated accountAdd, accountSwitch, accountRotate, syncBackActiveCredential to use raw blobs

Post-deploy action

Existing accounts must be rotated once to re-capture the full credential blob:

npx @bookedsolid/reagent@latest account rotate <account-name>
npx @bookedsolid/reagent@latest account switch <account-name>

Test plan

  • npx tsc --noEmit — clean
  • 786 tests pass, 0 failures
  • All 6 preflight gates pass
  • After release: rotate account, switch, verify token survives 2+ hours

himerus and others added 13 commits April 13, 2026 22:17
@himerus
Merge pull request #97 from bookedsolidtech/staging
74c17d2 
feat(account): add account verify, preserve credential fields, expiry warnings
@github-actions
chore: version packages
b5a9b17
@himerus
Merge pull request #98 from bookedsolidtech/changeset-release/main
05a97af 
chore: version packages
@himerus
Merge pull request #99 from bookedsolidtech/staging
590ffe5 
fix(account): keychain slot swap for rswitch — sessions survive overnight
@himerus
Revert "0.15.4"
d9a225c 
This reverts commit b75fb09.
@himerus
chore: add changeset for OAuth env fix
a519e3c
@himerus
Merge branch 'staging'
17b8aa1
@github-actions
chore: version packages
f131e8b
@himerus
Merge pull request #100 from bookedsolidtech/changeset-release/main
d7c4c94 
chore: version packages
@himerus
chore: resolve CHANGELOG merge conflict (staging → main)
8374a5f
@himerus
fix(account): preserve full OAuth credential blob to fix token refresh
8f99e4c 
readClaudeCodeCredential() was destructively extracting only 6 fields
from Claude Code's keychain blob, stripping OAuth metadata needed for
token refresh (tokenEndpoint, clientId, etc.). After ~2 hours when the
access token expired, Claude Code could not refresh — causing 401 errors
that broke cron jobs and overnight workflows.

All credential storage and restoration now uses raw blob passthrough:
- Added keychainSetRaw/keychainGetRaw for opaque blob storage
- Added readClaudeCodeCredentialRaw for lossless keychain reads
- Added parseCredentialForDisplay for display-only field extraction
- accountAdd, accountSwitch, accountRotate, syncBackActiveCredential
  all use raw blobs — no field extraction or re-wrapping
@himerus
chore: add changeset for OAuth credential blob fix
d9b6b08
@himerus
chore: fix changeset formatting
ebc42b7
@himerus himerus merged commit e1b31be into staging Apr 15, 2026
4 of 10 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@himerus