Root cause analysis: Keychain prompts caused by Claude Code CLI resetting partition_id on every token refresh

Root cause: Claude Code CLI refreshes OAuth tokens via `security add-generic-password -U`, which internally does delete + re-add. This resets the Keychain item's `partition_id` to `apple-tool:` only, wiping any `teamid:` granted by "Always Allow". The prompt reappears every time the token is refreshed (multiple times per day).

Verification:

```
security dump-keychain -a 2>&1 | grep -A 40 "Claude Code-credentials" | grep "description"

Before: description: apple-tool:,teamid:Y5PE65HELJ
After:  description: apple-tool:
```

Fix: Read the keychain item via `/usr/bin/security find-generic-password -s "Claude Code-credentials" -w` (subprocess) instead of `SecItemCopyMatching`. The calling process is `/usr/bin/security` which matches `apple-tool:` — no prompt, regardless of `partition_id` resets.


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Root cause analysis: Keychain prompts caused by Claude Code CLI resetting partition_id on every token refresh #367

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Root cause analysis: Keychain prompts caused by Claude Code CLI resetting partition_id on every token refresh #367

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions