macOS compatibility: Keychain credential fallback + BSD-portable commands

[joelrodriguez-creator]

Summary

Four small changes that let statusline.sh and test_statusline.sh run cleanly on macOS. All fallbacks are Darwin-only or use feature detection — Linux behavior is unchanged.

The problems

On a clean macOS install of Claude Code, the tool installed fine but the session/weekly usage sections silently never rendered. Tracing it down turned up four distinct macOS-compat bugs, any one of which would have been enough to break the usage display:

1. OAuth token moved to Keychain. Newer Claude Code builds on macOS store the subscription token in the macOS Keychain under service name Claude Code-credentials instead of ~/.claude/.credentials.json. refresh_usage_api returned 1 on every invocation because [ ! -f "$CREDENTIALS_FILE" ] was always true, and the cache was never written.
2. flock isn't on macOS by default. It's a GNU util-linux tool. ( flock -n 9 || exit 0; refresh_usage_api ) 9>"$LOCK_FILE" errors out on Darwin and skips the refresh entirely (so even if problem macOS compatibility: Keychain credential fallback + BSD-portable commands #1 were fixed, problem #2 would still block the usage display).
3. sed alternation was non-portable. sed 's/🟢\|🟡\|🔴/⚠/' only works on GNU sed. BSD sed treats \| as literal backslash-pipe in basic regex, so the stale-indicator substitution silently became a no-op.
4. Test suite used two more GNU-only idioms. touch -d '30 minutes ago' and unquoted wc -l output. Three test failures on macOS before this PR.

The fixes

• read_oauth_token helper tries $CREDENTIALS_FILE first, then falls back to security find-generic-password -s "Claude Code-credentials" -a "$(whoami)" -w on Darwin. Non-macOS systems without the file still fail fast as they did before.
• command -v flock check — use the lock when available, call refresh_usage_api directly when not. The cache_age_sec gate above already throttles refresh to once per REFRESH_INTERVAL, so the worst case on a lockless system is 1–2 duplicate API calls per interval for a single user.
• sed -E 's/(🟢|🟡|🔴)/⚠/' — works on both GNU and BSD sed.
• touch_minutes_ago helper that tries GNU date -d first, falls back to BSD date -v. count_char pipes through tr -d ' ' to strip BSD wc -l's whitespace padding.

Test results

Environment	Before	After
macOS 25.3 (Darwin)	53 passed / 3 failed	56 passed / 0 failed
Linux	(not re-tested in this PR)	unchanged — fallbacks only activate when GNU tools are absent

The Linux happy path is unaffected: if $CREDENTIALS_FILE exists, flock is installed, and GNU tools are available, none of the new branches execute.

Test plan

• bash test_statusline.sh passes on macOS (56/56)
• Statusline renders the session quota section live on macOS with Keychain-backed auth (verified with a real OAuth token — ⏳ 🟢 ▓▓░░░░ 29% ↻ 6h33m)
• Render latency benchmarked: ~60ms cached, ~340ms on refresh (once per REFRESH_INTERVAL)
• Re-test on Linux to confirm no regression — I don't have a Linux env handy, but happy to wait on CI or another reviewer

Out of scope

• Windows: Claude Code on Windows probably stores OAuth tokens in Windows Credential Manager (cmdkey / Get-Credential). I didn't implement that branch — no Windows box to verify against. Would be a follow-up PR once someone with a Windows install can test it.
• Larger test refactor: the test suite could use a proper stub for the refresh function to make individual tests hermetic. Left as-is; the minimal fixes here preserve existing test shape.

🤖 Generated with Claude Code