@phnx-labs/agents-cli 1.14.5 → 1.14.6

package/CHANGELOG.md

@@ -1,5 +1,14 @@
 # Changelog
 
+## 1.14.6
+
+**Fix: OAuth token refresh now persists to Keychain**
+
+- Fixed bug where refreshed Claude OAuth tokens were used but never saved back to macOS Keychain
+- Previously, agents-cli would refresh expired tokens on each run but discard them, eventually exhausting the refresh token
+- Now refreshed `accessToken`, `refreshToken`, and `expiresAt` are written back to Keychain after successful refresh
+- Accounts will stay healthy across runs without requiring re-login
+
 ## 1.14.5
 
 **Browser: custom binary and Electron app support**

package/dist/lib/usage.js

@@ -211,7 +211,7 @@ async function getClaudeUsageInfo(options) {
         if (!isClaudeUsageOrgMatch(requestedOrgId, liveOrgId)) {
             return { snapshot: null, error: null };
         }
-        const accessToken = await getClaudeAccessToken(oauth);
+        const accessToken = await getClaudeAccessToken(oauth, options?.home);
         if (!accessToken) {
             return { snapshot: null, error: null };
         }
@@ -343,9 +343,14 @@ function normalizeClaudeWindow(window, key, label, shortLabel) {
         windowMinutes: inferWindowMinutes(key),
     };
 }
+let warnedNonDarwin = false;
 /** Load Claude OAuth credentials from the macOS Keychain. */
 export async function loadClaudeOauth(home) {
     if (process.platform !== 'darwin') {
+        if (!warnedNonDarwin && process.stderr.isTTY) {
+            process.stderr.write('[agents] Usage tracking requires macOS Keychain. Skipped on this platform.\n');
+            warnedNonDarwin = true;
+        }
         return null;
     }
     try {
@@ -374,6 +379,74 @@ export async function loadClaudeOauth(home) {
         return null;
     }
 }
+/**
+ * Save Claude OAuth credentials to the macOS Keychain.
+ * Reads the existing payload, merges the new OAuth fields, and writes back.
+ */
+async function saveClaudeOauth(home, credentials) {
+    if (process.platform !== 'darwin') {
+        return false;
+    }
+    try {
+        const account = os.userInfo().username;
+        const service = getClaudeKeychainService(home);
+        // Read existing payload to preserve other fields
+        let existingPayload = {};
+        try {
+            const { stdout } = await execFileAsync('security', [
+                'find-generic-password',
+                '-a',
+                account,
+                '-s',
+                service,
+                '-w',
+            ]);
+            existingPayload = JSON.parse(stdout.trim());
+        }
+        catch {
+            // No existing entry, start fresh
+        }
+        // Merge new credentials into existing payload
+        const newPayload = {
+            ...existingPayload,
+            claudeAiOauth: {
+                ...existingPayload.claudeAiOauth,
+                accessToken: credentials.accessToken,
+                refreshToken: credentials.refreshToken,
+                expiresAt: credentials.expiresAt,
+                scopes: credentials.scopes ?? existingPayload.claudeAiOauth?.scopes,
+            },
+        };
+        const payloadJson = JSON.stringify(newPayload);
+        // Delete existing entry first (security add-generic-password -U can fail)
+        try {
+            await execFileAsync('security', [
+                'delete-generic-password',
+                '-a',
+                account,
+                '-s',
+                service,
+            ]);
+        }
+        catch {
+            // Entry might not exist, ignore
+        }
+        // Add updated entry
+        await execFileAsync('security', [
+            'add-generic-password',
+            '-a',
+            account,
+            '-s',
+            service,
+            '-w',
+            payloadJson,
+        ]);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
 /**
  * Derive the Keychain service name for a Claude home directory.
  * Managed (non-default) homes get a hash suffix for isolation.
@@ -493,8 +566,8 @@ function isCachedUsageWindowFresh(window, capturedAt, now) {
     }
     return true;
 }
-/** Obtain a valid access token, refreshing if expired. */
-async function getClaudeAccessToken(oauth) {
+/** Obtain a valid access token, refreshing if expired. Saves refreshed tokens to Keychain. */
+async function getClaudeAccessToken(oauth, home) {
     const accessToken = oauth.accessToken?.trim();
     if (!accessToken) {
         return null;
@@ -507,7 +580,12 @@ async function getClaudeAccessToken(oauth) {
         return null;
     }
     const refreshed = await refreshClaudeToken(oauth);
-    return refreshed?.accessToken?.trim() || null;
+    if (!refreshed?.accessToken) {
+        return null;
+    }
+    // Persist refreshed credentials to Keychain so they survive across runs
+    await saveClaudeOauth(home, refreshed);
+    return refreshed.accessToken.trim();
 }
 /** Refresh an expired Claude OAuth access token using the refresh token. */
 async function refreshClaudeToken(oauth) {
@@ -547,7 +625,7 @@ export async function isClaudeAuthValid(home) {
     const oauth = await loadClaudeOauth(home);
     if (!oauth)
         return false;
-    const token = await getClaudeAccessToken(oauth);
+    const token = await getClaudeAccessToken(oauth, home);
     return token !== null;
 }
 /** Build a User-Agent string for Claude API requests. */

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@phnx-labs/agents-cli",
-  "version": "1.14.5",
+  "version": "1.14.6",
   "description": "One CLI for all your AI coding agents - versions, config, cloud dispatch, sessions, and teams",
   "type": "module",
   "main": "dist/index.js",