fix: read Claude Code OAuth credentials from macOS Keychain

[staszewski]

What does this PR do?

On macOS, gauss /prove (and any autoformalize workflow) fails immediately with "Not logged in · Please run /login" in the spawned Claude Code session, even though claude itself works fine and the user was authenticated. Fix is to add a _read_keychain_claude_credentials() helper that reads from the macOS Keychain via the built-in security CLI.

Root cause: Claude Code v2+ stores OAuth tokens in the macOS Keychain under the entry "Claude Code-credentials" rather than writing them to ~/.claude/.credentials.json. Gauss's _has_local_claude_login() only checks for the credentials file, so it always returns False on macOS with Claude Code v2+. Gauss then falls back to ANTHROPIC_TOKEN from ~/.gauss/.env, which is typically stale or invalid, and Claude Code rejects it.

There is workaround if changes proposed by me here are not relevant though.
Either do one-time sync like this:
security find-generic-password -s "Claude Code-credentials" -w > ~/.claude/.credentials.json

or add to ~/.zshrc to auto-sync on every gauss invocation:

  gauss() {
    security find-generic-password -s "Claude Code-credentials" -w \
      > ~/.claude/.credentials.json 2>/dev/null
    command gauss "$@"
  }

Related Issue

No issue found, I just straight up tried to fix it.

Type of Change

• 🐛 Bug fix (non-breaking change that fixes an issue)
• ✨ New feature (non-breaking change that adds functionality)
• 🔒 Security fix
• 📝 Documentation update
• ✅ Tests (adding or improving test coverage)
• ♻️ Refactor (no behavior change)
• 🎯 New skill (bundled or hub)

Changes Made

gauss_cli/autoformalize.py — added _read_keychain_claude_credentials() to read from the macOS Keychain
tests/gauss_cli/test_autoformalize.py - tests

How to Test

1. Install Claude Code v2+ on macOS and log in via claude auth login (Claude Pro / OAuth)
2. Confirm ~/.claude/.credentials.json does not exist — ls ~/.claude/.credentials.json
3. Confirm credentials are in the Keychain — security find-generic-password -s "Claude Code-credentials" -w
4. Without this fix: run gauss /prove 1+1=2 in a Lean project → observe "Not logged in" in the spawned session
5. With this fix: run gauss /prove 1+1=2 → session authenticates and the prove workflow starts correctly

Checklist

Code

• I've read the Contributing Guide
• My commit messages follow Conventional Commits (fix(scope):, feat(scope):, etc.)
• I searched for existing PRs to make sure this isn't a duplicate
• My PR contains only changes related to this fix/feature (no unrelated commits)
• I've run pytest tests/ -q and all tests pass
• I've added tests for my changes (required for bug fixes, strongly encouraged for features)
• I've tested on my platform:

Documentation & Housekeeping

• I've updated relevant documentation (README, docs/, docstrings) — or N/A
• I've updated cli-config.yaml.example if I added/changed config keys — or N/A
• I've updated CONTRIBUTING.md or AGENTS.md if I changed architecture or workflows — or N/A
• I've considered cross-platform impact (Windows, macOS) per the compatibility guide — or N/A
• I've updated tool descriptions/schemas if I changed tool behavior — or N/A

For New Skills

• This skill is broadly useful to most users (if bundled) — see Contributing Guide
• SKILL.md follows the standard format (frontmatter, trigger conditions, steps, pitfalls)
• No external dependencies that aren't already available (prefer stdlib, curl, existing Gauss tools)
• I've tested the skill end-to-end: gauss --toolsets skills -q "Use the X skill to do Y"

Screenshots / Logs

Before:

After: