Skip to content

Remove dead securityCLIReadOverride process-global test static#2240

Merged
steipete merged 3 commits into
steipete:mainfrom
anagnorisis2peripeteia:finish-2204-securitycliread
Jul 17, 2026
Merged

Remove dead securityCLIReadOverride process-global test static#2240
steipete merged 3 commits into
steipete:mainfrom
anagnorisis2peripeteia:finish-2204-securitycliread

Conversation

@anagnorisis2peripeteia

@anagnorisis2peripeteia anagnorisis2peripeteia commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Summary

Remove the dead securityCLIReadOverride process-global test-override static
(ClaudeOAuthCredentials / +TestingOverrides / +SecurityCLIReader) together with its unused
setSecurityCLIReadOverrideForTesting setter. Its test call sites already use the task-local
withSecurityCLIReadOverrideForTesting scope; the static + setter were the leftover process-global.

Changes

  • Delete nonisolated(unsafe) static var securityCLIReadOverride + setSecurityCLIReadOverrideForTesting(_:).
  • Drop the dead taskLocal ?? static / || static != nil fallback from the three readers
    (currentSecurityCLIReadOverrideForTesting, the SecurityCLIReader override check, and the
    ClaudeOAuthCredentials persistent-ref guard). The @TaskLocal taskSecurityCLIReadOverride, its
    with… scopes, and the TestingOverridesSnapshot machinery are untouched.

Validation

  • make check → 0 violations / 1465 files.
  • Full suite, contract config (GROUP_SIZE=4 TIMEOUT=120 RETRY=0): 660 selections / 165 groups,
    first-pass 165/165, 0 failed, 0 retries, 0 timeouts
    (639s).
  • Static verification: setSecurityCLIReadOverrideForTesting has zero callers repo-wide (rg);
    the static was written only inside it, so production only ever read the default nil. Tests drive the
    live path via withSecurityCLIReadOverrideForTesting (10+ sites).

Why safe / no behavioral delta

The static was never written outside the (now-removed, uncalled) setter, so no reader saw a non-nil
value — pure dead-seam removal. Unlike #2239's statics this one is module-internal (not private), so
it had cross-file readers within CodexBarCore (the SecurityCLIReader override check, the persistent-ref
guard) — all traced and updated; no readers remain.

Related

Out of scope

Notes

  • No CHANGELOG entry — internal test synchronization only.

Real-behavior proof

No reader behavior changes, shown three ways from this PR head (c776132, Swift 6.3.3, arm64 macOS).

1 — Live /usr/bin/security Claude keychain read from a fresh PR-head build.
The reader this PR touches is the experimental Security-CLI reader, which production deliberately
migrates away (ClaudeOAuthKeychainReadStrategyPreference.current() rewrites
.securityCLIExperimental → .securityFramework), so it is only reachable by forcing the strategy. A
small local harness (not committed) forces the strategy only to select the reader and sets no
taskSecurityCLIReadOverride — so the reader runs the real
/usr/bin/security find-generic-password -s "Claude Code-credentials" -w and validates it via parse():

$ swift run -Xswiftc -enable-testing SecurityCLIRealProof
…
Build of product 'SecurityCLIRealProof' complete! (17.99s)
strategy   : .securityCLIExperimental (forced — production migrates it to .securityFramework)
result stub: NONE — taskSecurityCLIReadOverride is nil → real /usr/bin/security read

reader returned VALIDATED payload_bytes=799
parsed OK (redacted):
  accessToken  = sk-ant-oat01-…  (len=108)
  scopes       = user:inference, user:profile, user:sessions:claude_code, … (5 total)
  subscription = «redacted»
  expiresAt    = «future timestamp, redacted»

PASS: fresh PR-head SecurityCLIReader performed a real Claude keychain read via /usr/bin/security.

This is the real behavior gate, met: the reader is not bypassed — it executes the real security
binary against the live login keychain and returns the live account credential (redacted above). A
stubbed / synthetic branch cannot produce a real 799-byte sk-ant-oat01- payload; running that exact
command standalone returns the identical 799 bytes.

2 — Zero remaining references to the removed static + setter (repo-wide); the task-local scope is the
sole override path:

$ grep -rn "setSecurityCLIReadOverrideForTesting" Sources Tests
(no matches — 0 call sites)
$ grep -rn "nonisolated(unsafe) static var securityCLIReadOverride" Sources
(no matches — static removed)
$ grep -rl "withSecurityCLIReadOverrideForTesting" Tests | wc -l   # surviving task-local scope sites
11

(The retained TestingOverridesSnapshot.securityCLIReadOverride field and
currentSecurityCLIReadOverrideForTesting() reader are intentionally untouched — only the
nonisolated(unsafe) static + its setter were removed.)

3 — Focused suites exercise the reader's success / timeout / non-zero-exit fallback branches
end-to-end against the built module:

$ swift test --filter "SecurityCLI"
Build complete! (85.26s)
… claude-usage: error_type=SecurityCLIReadError reader=securityCLI reason=timedOut … falling back
… claude-usage: error_type=SecurityCLIReadError reader=securityCLI reason=nonZeroExit status=1 … falling back
✔ Test run with 23 tests in 3 suites passed after 0.036 seconds.

23/23 pass; removing the dead static changes no reader behavior.

Review history: https://gist.github.com/d431f466ef2271e9b542abb200fb1d4f
Authored with Claude.

ClaudeOAuthCredentials' securityCLIReadOverride kept a nonisolated(unsafe) process-global static
plus its setSecurityCLIReadOverrideForTesting setter after test call sites moved to the task-local
withSecurityCLIReadOverrideForTesting scope. The setter has no remaining callers and the static is
read only as a dead `taskLocal ?? static` fallback in three places, so remove it; the task-local
path and the TestingOverridesSnapshot machinery are unchanged.

Part of steipete#2204. No user-visible behavior change — internal test synchronization only.
@anagnorisis2peripeteia

Copy link
Copy Markdown
Contributor Author

@clawsweeper re-review

@clawsweeper

clawsweeper Bot commented Jul 17, 2026

Copy link
Copy Markdown

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

@clawsweeper

clawsweeper Bot commented Jul 17, 2026

Copy link
Copy Markdown

Codex review: needs maintainer review before merge. Reviewed July 17, 2026, 3:29 PM ET / 19:29 UTC.

Summary
The branch removes the unused process-global securityCLIReadOverride test static and setter, leaving the existing task-local override as the only override path across three Claude OAuth reader sites.

Reproducibility: not applicable. This PR removes dead internal test state rather than fixing a reported user-visible failure. The supplied diff and zero-caller evidence provide a clear source-level verification path for the cleanup.

Review metrics: 2 noteworthy metrics.

  • Patch size: 3 files affected; 3 additions, 8 deletions. The change is tightly constrained to deleting one dead override seam and its three dependent fallback reads.
  • Reader coverage: 3 reader sites updated. All known consumers of the removed static are changed together, avoiding a stale compile-time or behavioral reference.

Root-cause cluster
Relationship: fixed_by_candidate
Canonical: #2204
Summary: This PR is a focused candidate fix for the broader task-local test-override migration tracked by the canonical issue.

Members:

Proposal only: this assessment does not dispatch repair, suppress jobs, mutate sibling items, close, or merge anything.

Merge readiness
Overall: 🦞 diamond lobster
Proof: 🦞 diamond lobster
Patch quality: 🦞 diamond lobster
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Next step before merge

  • No repair is indicated; the remaining action is normal maintainer review after the queued exact-head checks complete.

Security
Cleared: The three-file Swift cleanup removes an internal test override path and introduces no new dependency, secret, permission, execution, or supply-chain surface.

Review details

Best possible solution:

Merge the focused cleanup once the exact-head macOS and Linux checks finish successfully, retaining the task-local testing seam and no process-global fallback.

Do we have a high-confidence way to reproduce the issue?

Not applicable: this PR removes dead internal test state rather than fixing a reported user-visible failure. The supplied diff and zero-caller evidence provide a clear source-level verification path for the cleanup.

Is this the best way to solve the issue?

Yes. Removing an uncalled shared static while preserving the established task-local scopes is the narrowest maintainable solution and avoids maintaining a second test-override mechanism.

AGENTS.md: found and applied where relevant.

Codex review notes: model internal, reasoning high; reviewed against cfb7b8036087.

Label changes

Label changes:

  • add rating: 🦞 diamond lobster: Overall readiness is 🦞 diamond lobster; proof is 🦞 diamond lobster and patch quality is 🦞 diamond lobster.
  • remove rating: 🐚 platinum hermit: Current PR rating is rating: 🦞 diamond lobster, so this older rating label is no longer current.

Label justifications:

  • P3: This is internal test-synchronization cleanup with no intended user-visible behavior change.
  • rating: 🦞 diamond lobster: Overall readiness is 🦞 diamond lobster; proof is 🦞 diamond lobster and patch quality is 🦞 diamond lobster.
  • status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (terminal): The PR body provides redacted, after-fix terminal proof of a fresh branch-head real Security CLI credential read plus focused Security CLI test output; this directly supports the unchanged live reader behavior.
  • proof: sufficient: Contributor real behavior proof is sufficient. The PR body provides redacted, after-fix terminal proof of a fresh branch-head real Security CLI credential read plus focused Security CLI test output; this directly supports the unchanged live reader behavior.
Evidence reviewed

What I checked:

Likely related people:

  • anagnorisis2peripeteia: Authored this focused cleanup and the already-merged related dead-override removal, providing demonstrated history on the same task-local migration effort. (role: related implementation contributor; confidence: high; commits: c7761323474d, 43b305623ff9; files: Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials+TestingOverrides.swift, Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials+SecurityCLIReader.swift, Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials.swift)
  • steipete: Authored the branch’s current-main synchronization commits and is the strongest available routing candidate from the supplied recent history for a final merge decision. (role: recent integration contributor; confidence: medium; commits: 9557b9f37b82, eae1e2b4aeb3; files: Sources/CodexBarCore/Providers/Claude/ClaudeOAuth/ClaudeOAuthCredentials+TestingOverrides.swift)
What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.
Review history (7 earlier review cycles)
  • reviewed 2026-07-16T23:50:14.244Z sha c776132 :: needs maintainer review before merge. :: none
  • reviewed 2026-07-17T00:57:25.976Z sha c776132 :: needs real behavior proof before merge. :: none
  • reviewed 2026-07-17T09:53:53.191Z sha c776132 :: needs real behavior proof before merge. :: none
  • reviewed 2026-07-17T10:16:15.103Z sha c776132 :: needs real behavior proof before merge. :: none
  • reviewed 2026-07-17T10:26:27.562Z sha c776132 :: needs real behavior proof before merge. :: none
  • reviewed 2026-07-17T11:06:11.580Z sha c776132 :: needs maintainer review before merge. :: none
  • reviewed 2026-07-17T18:38:52.006Z sha 9557b9f :: needs maintainer review before merge. :: none

@clawsweeper clawsweeper Bot added rating: 🦪 silver shellfish Thin PR readiness signal; proof, validation, or implementation needs work. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. P3 Low-risk cleanup, docs, polish, ergonomics, or speculative feature. labels Jul 17, 2026
@anagnorisis2peripeteia

Copy link
Copy Markdown
Contributor Author

@clawsweeper re-review

@anagnorisis2peripeteia
anagnorisis2peripeteia marked this pull request as draft July 17, 2026 10:21
@anagnorisis2peripeteia
anagnorisis2peripeteia marked this pull request as ready for review July 17, 2026 10:21
@clawsweeper clawsweeper Bot added proof: sufficient Contributor real behavior proof is sufficient. rating: 🦞 diamond lobster Very strong PR readiness with only minor maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR. and removed rating: 🦪 silver shellfish Thin PR readiness signal; proof, validation, or implementation needs work. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. labels Jul 17, 2026
@clawsweeper clawsweeper Bot added rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. and removed rating: 🦞 diamond lobster Very strong PR readiness with only minor maintainer review expected. labels Jul 17, 2026
@clawsweeper clawsweeper Bot added rating: 🦞 diamond lobster Very strong PR readiness with only minor maintainer review expected. and removed rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. labels Jul 17, 2026
@steipete
steipete merged commit d7b2d0a into steipete:main Jul 17, 2026
8 checks passed
@steipete

Copy link
Copy Markdown
Owner

Maintainer verification complete.

  • Audited the full effective diff and searched for the removed setSecurityCLIReadOverrideForTesting API: no remaining call sites. Same-name remaining values are snapshot/local forwarding state; the active override path remains task-local.
  • Merged fresh origin/main into the contributor branch without force-pushing. Final verified head: eae1e2b4aeb385cebf3e03d2fe7867811fb6b0d8.
  • make check: passed; SwiftFormat reported 0 files needing changes and SwiftLint reported 0 violations.
  • swift test --filter 'ClaudeOAuthCredentialsStoreSecurityCLITests|ClaudeOAuthCredentialsStoreIsolatedSecurityCLITests|ClaudeOAuthCredentialsStoreSecurityCLIFallbackPolicyTests|ClaudeOAuthDelegatedRefreshCoordinatorTests': 37 tests in 4 suites passed.
  • Final autoreview: clean; no accepted/actionable findings.
  • Exact-head CI: all 8 checks passed, including both Linux builds, both macOS test shards, lint, aggregate, changes, and GitGuardian.

Merged with merge commit d7b2d0a5c5af65ebe2f233bca3923e56c7a8adc7.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

P3 Low-risk cleanup, docs, polish, ergonomics, or speculative feature. proof: sufficient Contributor real behavior proof is sufficient. rating: 🦞 diamond lobster Very strong PR readiness with only minor maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants