Description
CodexBar repeatedly prompts for the macOS login keychain password every few hours, despite clicking "Always Allow" each time. The ACL setting does not persist.
Environment
- CodexBar version: 0.18.0-beta.2 (Build 50)
- macOS: 15.3 (Darwin 25.2.0)
- Architecture: Apple Silicon
Affected keychain entries
Both entries under service com.steipete.codexbar.cache:
- Account: oauth.claude
- Account: cookie.claude
Root cause analysis
The oauth.claude entry is being modified frequently (token refresh cycle). Based on the keychain dump, the entry appears to be deleted and recreated rather than updated in place. This wipes the ACL on every token refresh, causing macOS to prompt again on the next read.
Evidence:
- CodexBar is already listed in the Access Control tab for the entry
- "Always Allow" is selected each time but does not persist
- The app binary has not changed (signed Jan 21, codesign verification passes)
- The oauth.claude entry's mdat (modification date) changes frequently, suggesting regular token refresh writes
Expected behavior
Clicking "Always Allow" should permanently grant CodexBar access without further prompts.
Suggested fix
Use SecKeychainItemModifyAttributesAndData (or the Swift equivalent SecItemUpdate) to update the existing keychain entry in place, rather than deleting and recreating it. Updating in place preserves the user-configured ACL.
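A sketch of the update-in-place write suggested above, added here as an example and not taken from CodexBar's code. The helper name `upsertGenericPassword`, the error type, and the assumption that the entries are generic-password items are illustrative; the service and account strings are the ones reported in this issue.

```swift
import Foundation
import Security

enum KeychainStoreError: Error {
    case unexpectedStatus(OSStatus)
}

/// Hypothetical helper: stores `data` for service/account, updating an existing
/// item in place and creating it only when it does not exist yet.
func upsertGenericPassword(service: String, account: String, data: Data) throws {
    // Match the item by class + service + account only (assumed generic-password item).
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
    ]
    // Only the secret changes; every other attribute of the item is left untouched.
    let changes: [String: Any] = [kSecValueData as String: data]

    var status = SecItemUpdate(query as CFDictionary, changes as CFDictionary)
    if status == errSecItemNotFound {
        // First write: the item does not exist yet, so create it.
        var attributes = query
        attributes[kSecValueData as String] = data
        status = SecItemAdd(attributes as CFDictionary, nil)
        if status == errSecDuplicateItem {
            // Another writer created it in between: update that item instead.
            status = SecItemUpdate(query as CFDictionary, changes as CFDictionary)
        }
    }
    // Any other failure is surfaced to the caller. There is deliberately no
    // SecItemDelete + SecItemAdd fallback, the pattern this issue reports.
    guard status == errSecSuccess else {
        throw KeychainStoreError.unexpectedStatus(status)
    }
}

// Constructed sample value standing in for a refreshed token.
let refreshed = Data("constructed-sample-token".utf8)
do {
    try upsertGenericPassword(service: "com.steipete.codexbar.cache",
                              account: "oauth.claude",
                              data: refreshed)
} catch {
    print("keychain write failed: \(error)")
}
```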