fix: cache third-party keychain data to eliminate repeated password prompts #114
Merged
…te repeated password prompts

Cache browser encryption keys (Chrome/Brave/Arc/Edge Safe Storage), Claude Code credentials, and Copilot CLI tokens in our own keychain items after the first successful read. App-owned keychain items use Developer ID-based ACL which persists across app updates, unlike third-party items whose partition_id can reset on token refresh.

Key changes:
- BrowserCookieService: cache encryption keys with stale-key detection and automatic re-fetch when browser rotates its key
- TokenManager: cache readKeychainJSON and Copilot CLI account data with fallback to original keychain on cache parse failure
- ClaudeProvider/CopilotProvider: invalidate keychain + memory caches on 401/403 so stale tokens auto-recover on next fetch cycle

Co-authored-by: opencode (Sisyphus, oMo) <no-reply@opencode.ai>
Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
Summary
partition_id resets on token refresh

Problem
macOS prompts for keychain password daily because:
- partition_id ACL which resets when the original app refreshes tokens

Solution
Cache-first strategy: Read third-party keychain once → cache in our own keychain → all subsequent reads use cache (no prompt). Self-healing when keys/tokens change:
- BrowserCookieService.swift, com.copilotmonitor.BrowserEncryptionKeyCache
- TokenManager.swift, com.copilotmonitor.KeychainDataCache
- TokenManager.swift, com.copilotmonitor.KeychainDataCache

Cache invalidation paths
- ClaudeProvider calls invalidateClaudeKeychainCaches() → clears persistent + memory cache
- CopilotProvider calls invalidateCopilotKeychainCaches() → clears persistent + memory cache
- readKeychainJSON falls through to original keychain if cached data can't be parsed

Changed Files
- BrowserCookieService.swift — Encryption key cache layer with stale-key detection
- TokenManager.swift — Keychain data cache helpers, Copilot CLI account serialization cache, invalidation methods
- ClaudeProvider.swift — Invalidate Claude keychain cache on 401
- CopilotProvider.swift — Invalidate Copilot keychain cache on 401/403
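
The cache-first read, parse-failure fallback and 401/403 invalidation described above, as an added example written for this page and not taken from the PR's diff. The service name is the one the PR lists; the `KeychainDataCache` type, `readCachedJSON`, `handleStatus`, the `readOriginal` closure and the `account` values are hypothetical, and only the persistent cache is modelled (the PR also clears a memory cache).

```swift
import Foundation
import Security

// Hypothetical helper, not the project's TokenManager.
struct KeychainDataCache {
    let service = "com.copilotmonitor.KeychainDataCache"   // service name listed in the PR
    private func query(_ account: String) -> [String: Any] {
        [kSecClass as String: kSecClassGenericPassword,
         kSecAttrService as String: service,
         kSecAttrAccount as String: account]
    }
    func load(_ account: String) -> Data? {
        var q = query(account)
        q[kSecReturnData as String] = true
        q[kSecMatchLimit as String] = kSecMatchLimitOne
        var out: CFTypeRef?
        return SecItemCopyMatching(q as CFDictionary, &out) == errSecSuccess ? out as? Data : nil
    }
    @discardableResult func store(_ data: Data, account: String) -> Bool {
        _ = SecItemDelete(query(account) as CFDictionary)   // replace any older copy
        var q = query(account)
        q[kSecValueData as String] = data
        return SecItemAdd(q as CFDictionary, nil) == errSecSuccess
    }
    func invalidate(_ account: String) { _ = SecItemDelete(query(account) as CFDictionary) }
}

// Cache-first read: use our own item if it parses; otherwise read the
// third-party item (the only step that can prompt) and refresh the cache.
func readCachedJSON(account: String, cache: KeychainDataCache,
                    readOriginal: () -> Data?) -> [String: Any]? {
    func parse(_ d: Data) -> [String: Any]? {
        (try? JSONSerialization.jsonObject(with: d)) as? [String: Any]
    }
    if let cached = cache.load(account) {
        if let json = parse(cached) { return json }
        cache.invalidate(account)   // unparseable cache: drop it and fall through
    }
    guard let fresh = readOriginal(), let json = parse(fresh) else { return nil }
    cache.store(fresh, account: account)
    return json
}

// Called after an API response: 401/403 means the cached token is stale,
// so the next fetch cycle re-reads the original keychain item.
func handleStatus(_ status: Int, account: String, cache: KeychainDataCache) {
    if status == 401 || status == 403 { cache.invalidate(account) }
}
```

The cached item is a second copy of another application's secret, so it should be deleted on sign-out and uninstall as well as on the invalidation paths listed above.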