Fix Claude plugin auth compatibility across custom OAuth and keychain setups

[robinebers]

Summary

• add Claude auth compatibility for custom config dirs, custom OAuth endpoints, staging/local OAuth, and env-injected access tokens
• update Claude credential lookup and refresh behavior to use the correct keychain service, pass custom home paths to ccusage, and include the user:file_upload scope
• expand host API env allowlists and redaction coverage for Claude auth inputs, keychain logging, IDs, and filesystem paths
• add plugin and Rust regression tests covering the new Claude auth and redaction paths

Testing

• Not run (not requested)

---

Note

Medium Risk
Touches OAuth credential discovery/refresh and macOS keychain read/write behavior, which can break authentication or usage reporting across environments if misconfigured. Adds broader env passthrough and more logging/redaction logic, increasing configuration surface area but with regression tests to reduce risk.

Overview
Improves the Claude plugin’s auth compatibility by supporting CLAUDE_CONFIG_DIR for credential file lookup and ccusage home overrides, env-injected access tokens via CLAUDE_CODE_OAUTH_TOKEN (treated as inference-only and skips live /api/oauth/usage), and expanded refresh scopes to include user:file_upload.

Adds flexible OAuth routing for local/staging/custom endpoints and client ID overrides, and namespaces keychain service names with an OAuth suffix to avoid collisions. On the Rust side, expands the host env allowlist for these Claude variables, fixes macOS keychain access to always target the current account (and logs hits/misses), and strengthens redaction to cover additional IDs and filesystem paths (including redacting app_data_dir and ccusage runner paths).

^{Written by Cursor Bugbot for commit cc1d180. This will update automatically on new commits. Configure here.}

---

Summary by cubic

Fixes Claude plugin auth across custom config dirs and custom/staging/local OAuth, with account-scoped keychain and broader redaction. Adds env token support, includes the user:file_upload scope, and skips live usage when tokens lack user:profile.

• New Features

  • Read creds from CLAUDE_CONFIG_DIR; pass and expand home path to ccusage.
  • Support staging/local/custom OAuth endpoints and client IDs; keychain service names include an OAuth suffix.
  • Accept CLAUDE_CODE_OAUTH_TOKEN for inference-only sessions; skip live usage when missing user:profile.
  • Include user:file_upload in OAuth refresh scope.
  • Added tests for custom home, keychain suffixes, env tokens, scope, and usage-skip behavior.

• Bug Fixes

  • macOS keychain reads/writes target the current account; logs redact the account.
  • Expanded host API env allowlist for Claude auth vars (e.g., CLAUDE_CONFIG_DIR, USE_LOCAL_OAUTH, CLAUDE_LOCAL_OAUTH_API_BASE, CLAUDE_CODE_OAUTH_CLIENT_ID); sensitive values redacted.
  • Redaction now covers team/payment IDs and filesystem paths; app_data_dir and ccusage paths masked as [PATH].
  • More robust token refresh and 401 retry handling in usage requests.

^{Written for commit cc1d180. Summary will update on new commits.}

[augmentcode]

🤖 Augment PR Summary

Summary: This PR improves Claude plugin authentication compatibility across custom config locations and multiple OAuth environments, and strengthens host-side redaction/logging around those auth flows.

Changes:

• Claude plugin now reads credentials from CLAUDE_CONFIG_DIR, supports staging/local/custom OAuth bases, and supports env-injected access tokens.
• Keychain credential lookup/refresh now uses an OAuth-environment-specific service name and refresh scope includes user:file_upload.
• Claude usage querying via ccusage can receive an explicit home path override.
• Host API expands the env allowlist for Claude auth inputs and adds more robust redaction of IDs and filesystem paths.
• macOS keychain integration now targets an explicit account (current user) and adds structured logging for keychain hits/misses/writes.
• Adds JS plugin regression tests for the new Claude auth behaviors and Rust tests for env allowlisting, keychain args, and redaction.

Technical Notes: Live usage fetch is skipped for “inference-only” env-injected tokens, but ccusage-based historical usage is still queried.

_{🤖 Was this summary useful? React with 👍 or 👎}

[augmentcode]

Review completed. 2 suggestions posted.

Comment augment review to trigger a new review at any time.

[augmentcode]

homePath is taken directly from CLAUDE_CONFIG_DIR and passed through to ccusage, but the Rust ccusage wrapper sets the env var without ~ expansion (unlike host.fs.* paths). If a user sets CLAUDE_CONFIG_DIR=~/.claude-custom, credential reads may work while ccusage queries silently point at a non-existent directory.

Severity: medium

_{🤖 Was this useful? React with 👍 or 👎, or 🚀 if it prevented an incident/outage.}

[augmentcode]

This test mutates the process-wide USER env var and assumes env changes are “serialized”, but Rust tests run in parallel by default so this can be flaky and/or leak into other tests. If any other test reads USER concurrently, results can become nondeterministic.

Severity: low

_{🤖 Was this useful? React with 👍 or 👎, or 🚀 if it prevented an incident/outage.}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

[cubic-dev-ai]

No issues found across 5 files