fix(credentials): reduce duplicate keychain prompts

scari · scari · commit dda89bdd25b8 · 2026-02-20T02:26:18.000+09:00
diff --git a/AgentBar/Services/CopilotUsageProvider.swift b/AgentBar/Services/CopilotUsageProvider.swift
@@ -58,7 +58,13 @@ final class CopilotUsageProvider: UsageProviderProtocol, @unchecked Sendable {
         } else {
             self.primaryCredentialProvider = { Self.readGHCLIToken() }
             self.fallbackCredentialProvider = fallbackCredentialProvider ?? {
-                KeychainManager.load(account: ServiceType.copilot.keychainAccount)
+                guard UserDefaults.standard.bool(
+                    forKey: CopilotCredentialSettings.manualPATEnabledKey,
+                    defaultValue: false
+                ) else {
+                    return nil
+                }
+                return KeychainManager.load(account: ServiceType.copilot.keychainAccount)
             }
         }
     }
diff --git a/AgentBar/Services/ZaiUsageProvider.swift b/AgentBar/Services/ZaiUsageProvider.swift
@@ -28,6 +28,8 @@ final class ZaiUsageProvider: UsageProviderProtocol, @unchecked Sendable {
 
     private let apiClient: APIClient
     private let credentialProvider: @Sendable () -> String?
+    private let credentialLock = NSLock()
+    nonisolated(unsafe) private var cachedCredential: String??
 
     /// Minimum cache TTL to avoid excessive API requests (Z.ai is API-based).
     static let minCacheTTL: TimeInterval = 60
@@ -43,10 +45,11 @@ final class ZaiUsageProvider: UsageProviderProtocol, @unchecked Sendable {
         self.credentialProvider = credentialProvider ?? {
             KeychainManager.load(account: ServiceType.zai.keychainAccount)
         }
+        self.cachedCredential = nil
     }
 
     func isConfigured() async -> Bool {
-        credentialProvider() != nil
+        resolveCredential() != nil
     }
 
     /// Returns cached response if within minimum TTL, nil otherwise.
@@ -74,7 +77,7 @@ final class ZaiUsageProvider: UsageProviderProtocol, @unchecked Sendable {
             return cached
         }
 
-        guard let apiKey = credentialProvider() else {
+        guard let apiKey = resolveCredential() else {
             throw APIError.unauthorized
         }
 
@@ -163,4 +166,17 @@ final class ZaiUsageProvider: UsageProviderProtocol, @unchecked Sendable {
         }
     }
 
+    private func resolveCredential() -> String? {
+        credentialLock.lock()
+        if let cachedCredential {
+            credentialLock.unlock()
+            return cachedCredential
+        }
+
+        let loadedCredential = credentialProvider()
+        cachedCredential = loadedCredential
+        credentialLock.unlock()
+        return loadedCredential
+    }
+
 }
diff --git a/AgentBar/Utilities/UserDefaultsExtensions.swift b/AgentBar/Utilities/UserDefaultsExtensions.swift
@@ -19,6 +19,11 @@ enum BuyMeACoffeeSettings {
     static let hideButtonKey = "hideBuyMeACoffeeButton"
 }
 
+enum CopilotCredentialSettings {
+    /// Enables Keychain fallback for Copilot when gh CLI token is unavailable.
+    static let manualPATEnabledKey = "copilotManualPATEnabled"
+}
+
 extension UserDefaults {
     func bool(forKey key: String, defaultValue: Bool) -> Bool {
         guard object(forKey: key) != nil else { return defaultValue }
diff --git a/AgentBar/Views/Settings/SettingsView.swift b/AgentBar/Views/Settings/SettingsView.swift
@@ -34,6 +34,7 @@ struct SettingsView: View {
     @AppStorage("geminiDailyLimit") private var geminiDailyLimit: Double = 1_000
 
     @AppStorage("copilotEnabled") private var copilotEnabled = true
+    @AppStorage(CopilotCredentialSettings.manualPATEnabledKey) private var copilotManualPATEnabled = false
 
     @AppStorage("cursorEnabled") private var cursorEnabled = true
     @AppStorage("cursorPlan") private var cursorPlan: String = CursorPlan.pro.rawValue
@@ -587,6 +588,9 @@ struct SettingsView: View {
             hasSavedToken: hasSavedCopilotPAT
         )
         hasSavedCopilotPAT = outcome.hasSavedToken
+        if outcome.didSave {
+            copilotManualPATEnabled = true
+        }
         copilotPAT = outcome.tokenFieldValue
         return outcome.didSave
     }
@@ -649,7 +653,11 @@ struct SettingsView: View {
     }
 
     private func loadAPIKeys() {
-        hasSavedCopilotPAT = KeychainManager.load(account: ServiceType.copilot.keychainAccount) != nil
+        if copilotManualPATEnabled {
+            hasSavedCopilotPAT = KeychainManager.load(account: ServiceType.copilot.keychainAccount) != nil
+        } else {
+            hasSavedCopilotPAT = false
+        }
         hasSavedZaiAPIKey = KeychainManager.load(account: ServiceType.zai.keychainAccount) != nil
         copilotPAT = ""
         zaiAPIKey = ""
diff --git a/docs/assets/screenshot.png b/docs/assets/screenshot.png

Original file line number	Diff line number	Diff line change
`@@ -58,7 +58,13 @@ final class CopilotUsageProvider: UsageProviderProtocol, @unchecked Sendable {`
`58`	`58`	`} else {`
`59`	`59`	`self.primaryCredentialProvider = { Self.readGHCLIToken() }`
`60`	`60`	`self.fallbackCredentialProvider = fallbackCredentialProvider ?? {`
`61`		`- KeychainManager.load(account: ServiceType.copilot.keychainAccount)`
	`61`	`+ guard UserDefaults.standard.bool(`
	`62`	`+ forKey: CopilotCredentialSettings.manualPATEnabledKey,`
	`63`	`+ defaultValue: false`
	`64`	`+ ) else {`
	`65`	`+ return nil`
	`66`	`+ }`
	`67`	`+ return KeychainManager.load(account: ServiceType.copilot.keychainAccount)`
`62`	`68`	`}`
`63`	`69`	`}`
`64`	`70`	`}`
Original file line number	Diff line number	Diff line change
`@@ -28,6 +28,8 @@ final class ZaiUsageProvider: UsageProviderProtocol, @unchecked Sendable {`
`28`	`28`
`29`	`29`	`private let apiClient: APIClient`
`30`	`30`	`private let credentialProvider: @Sendable () -> String?`
	`31`	`+ private let credentialLock = NSLock()`
	`32`	`+ nonisolated(unsafe) private var cachedCredential: String??`
`31`	`33`
`32`	`34`	`/// Minimum cache TTL to avoid excessive API requests (Z.ai is API-based).`
`33`	`35`	`static let minCacheTTL: TimeInterval = 60`
`@@ -43,10 +45,11 @@ final class ZaiUsageProvider: UsageProviderProtocol, @unchecked Sendable {`
`43`	`45`	`self.credentialProvider = credentialProvider ?? {`
`44`	`46`	`KeychainManager.load(account: ServiceType.zai.keychainAccount)`
`45`	`47`	`}`
	`48`	`+ self.cachedCredential = nil`
`46`	`49`	`}`
`47`	`50`
`48`	`51`	`func isConfigured() async -> Bool {`
`49`		`- credentialProvider() != nil`
	`52`	`+ resolveCredential() != nil`
`50`	`53`	`}`
`51`	`54`
`52`	`55`	`/// Returns cached response if within minimum TTL, nil otherwise.`
`@@ -74,7 +77,7 @@ final class ZaiUsageProvider: UsageProviderProtocol, @unchecked Sendable {`
`74`	`77`	`return cached`
`75`	`78`	`}`
`76`	`79`
`77`		`- guard let apiKey = credentialProvider() else {`
	`80`	`+ guard let apiKey = resolveCredential() else {`
`78`	`81`	`throw APIError.unauthorized`
`79`	`82`	`}`
`80`	`83`
`@@ -163,4 +166,17 @@ final class ZaiUsageProvider: UsageProviderProtocol, @unchecked Sendable {`
`163`	`166`	`}`
`164`	`167`	`}`
`165`	`168`
	`169`	`+ private func resolveCredential() -> String? {`
	`170`	`+ credentialLock.lock()`
	`171`	`+ if let cachedCredential {`
	`172`	`+ credentialLock.unlock()`
	`173`	`+ return cachedCredential`
	`174`	`+ }`
	`175`	`+`
	`176`	`+ let loadedCredential = credentialProvider()`
	`177`	`+ cachedCredential = loadedCredential`
	`178`	`+ credentialLock.unlock()`
	`179`	`+ return loadedCredential`
	`180`	`+ }`
	`181`	`+`
`166`	`182`	`}`