fix(cli): claude auth fix for CLAUDE_CONFIG_DIR set and not set#705
fix(cli): claude auth fix for CLAUDE_CONFIG_DIR set and not set#705ctrlok wants to merge 1 commit into
Conversation
There was a problem hiding this comment.
Code Review
This pull request updates the sandbox preparation logic to support custom Claude configuration directories via the CLAUDE_CONFIG_DIR environment variable and adds support for Claude's locking mechanism by pre-creating a .lock directory. The review identifies several issues: the custom configuration and lock directories are not currently added to the sandbox capabilities, which will lead to permission denials; the symlink logic does not account for changes to the environment variable once a link exists; and the use of std::fs::rename may fail if the target directory is on a different filesystem.
|
I'm using this build for a two days now and got token refreshed both for my main and work claude accounts. |
|
This is what I have discovered as well, but I am not sure forcing the client to use file based key storage is right. I would rather give slightly more liberal access to the keychain |
|
I think there should be both ways possible. At least for me - I'm using Nono to restrict agents to access files and data on my machine, especially passwords by some inaccurate prompt. I'll update this PR with option of wider keychain access then. |
|
@lukehinds wdyt about how better split that - by group or to create a separate profile for credentials on fs and not in keychain? |
|
@lukehinds I updated logic that relies on claude-code profile name to rely on included groups and added two groups
I tried to make keychain works, but after few hours of trying I gave up, hope someone else will be able to make it work. Right now everyone with claude-code profile will have exatly the same experience as before, but it will be possible to use The PR may broke expirience for users that use claude_code_macos group in other profiles. Still I think it is fair to show users explicitly that they allow keychain access to claude-code. wdyt? |
for claude-no-kc profile Signed-off-by: Seva Poliakov <seva@ctrlok.com>
c2150d2 to
d02260a
Compare
|
@lukehinds I updated the PR: removed everything related to groups and leaved support for CLAUDE_CONFIG_DIR and also made everything work with claude-no-kc profile introduced in #722. |
Hey! After #691 I found that I still have an issue with login to claude for both cases (with and without CLAUDE_CONFIG_DIR).
The issue was that while claude had access to read keychain entries "Claude Code-credentials-hash" - it had no ability write them because of
And then I tried more ideas based on our research at #684 and #691 and found that claude uses ~/.claude/.credentials or ~/.$CLAUDE_CONFIG_DIR/.credentials if it can't access keychain. It just stores the credentials there.
so I think that by disabling access to keychain for claude we can fix the issue and as well make it more secure. Because there shouldn't be a need to access keychain at all.
As alternative solution, we can access keychain from
nonobefore we starting a sandbox and then pass the credentials to~/.claude/.credentialsfile but main problem that it will not allow to refresh token or login to claude from nono sandbox (or we will need to watch the file and do some clever write-back to keychain, which looks hard enough)Anyway, with current code changes I preserved a symlinks, added support for CLAUDE_CONFIG_DIR and fixed the issue with refreshing a token.