vision: OAuth-from-keychain fallback for macOS Claude Code users #25

Merged: abe238 merged 1 commit into `main` from `feature/oauth-from-keychain` on May 26, 2026
Owner

@abe238 abe238 commented May 26, 2026

Summary

Makes `bambu vision watch` Just Work™ for users who already have Claude Code installed on macOS — no API key paste required.

Credential resolution

`ClaudeVisionProvider` now resolves credentials in this order, first hit wins:

  1. Explicit `api_key=` argument
  2. `ANTHROPIC_API_KEY` env var (regular API key)
  3. `ANTHROPIC_AUTH_TOKEN` env var (OAuth bearer)
  4. macOS only: `Claude Code-credentials` keychain entry → `claudeAiOauth.accessToken`

Option 4 is read on demand via the `security` command, never written to disk, never logged. Falls through cleanly on any failure (missing entry, wrong format, non-Mac).

Verified live

Ran `bambu vision classify` against a real captured A1-mini frame with no env vars set:

```
$ bambu vision classify /tmp/bambu-frames/current-print-...jpg --model claude-haiku-4-5
classification: unknown
confidence: 30.00%
is_failure: False
cost: $0.0022
reasoning: Frame is at an oblique angle with poor lighting and significant
glare on the build plate, making it impossible to clearly assess
layer quality, extrusion state, or print geometry.
```

(That "unknown" verdict is actually correct — the captured frame is a wide-angle workspace shot, not a print-bed view. The model honestly admitted it couldn't tell. Better frames during an active print will give crisper verdicts.)

Tests

  • 12 new tests in `tests/vision/test_credentials.py` covering precedence + every failure path of the keychain reader (non-Mac, missing `security` binary, nonzero exit, non-JSON blob, missing keys, happy path).
  • Modified the existing `test_missing_api_key_raises_runtime_error` to block the keychain fallback so the test works platform-independently.
  • New `test_oauth_token_from_keychain_used_when_no_env_var` confirms the provider passes `auth_token=` (not `api_key=`) when the keychain branch fires.
  • 51 tests passing locally; pre-commit + ruff + gitleaks clean.

Caveat

Using Claude Code's OAuth token spends the same Claude account's quota as Claude Code itself. Heavy vision use during normal coding sessions can rate-limit both. For unattended long-running prints, a separate `ANTHROPIC_API_KEY` is still the right call. Documented in `docs/vision.md`.

Adds a credential resolver to ClaudeVisionProvider:

  1. explicit api_key= argument
  2. ANTHROPIC_API_KEY env var
  3. ANTHROPIC_AUTH_TOKEN env var (OAuth bearer)
  4. macOS only: 'Claude Code-credentials' keychain entry

The keychain branch makes 'bambu vision watch' work on a Mac with Claude
Code authenticated with zero extra setup. Token is read on demand via the
'security' command, never written to disk, never logged. Falls through to
the next source on any failure (missing entry, wrong format, non-Mac).

Verified live: 'bambu vision classify <real-frame>' against a captured A1
mini frame returned a valid JSON verdict via the keychain path (cost
~$0.0022 with Haiku 4.5).

Tests: 51 passing (39 prior + 11 credentials + 1 OAuth-keychain-wiring).
@abe238 abe238 merged commit b5bb312 into main May 26, 2026
4 checks passed
@abe238 abe238 deleted the feature/oauth-from-keychain branch May 26, 2026 08:39
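
The resolution order and fall-through keychain read described in this pull request, sketched as an added example (not the project's code). The `security find-generic-password -s ... -w` lookup, the function names, and the injectable `platform`/`which`/`run` parameters are assumptions made here so every failure path can be exercised on a non-Mac host.

```python
import json
import os
import shutil
import subprocess
import sys

SERVICE = "Claude Code-credentials"  # keychain entry name given in the PR


def read_keychain_token(platform=sys.platform, which=shutil.which, run=subprocess.run):
    """Return the OAuth access token from the macOS keychain, or None on any failure."""
    if platform != "darwin":
        return None
    binary = which("security")
    if binary is None:
        return None
    try:
        # Assumption: the entry is a generic password looked up by service name.
        proc = run([binary, "find-generic-password", "-s", SERVICE, "-w"],
                   capture_output=True, text=True, timeout=5, check=False)
    except (OSError, subprocess.SubprocessError):
        return None
    if proc.returncode != 0:
        return None
    try:
        token = json.loads(proc.stdout)["claudeAiOauth"]["accessToken"]
    except (ValueError, KeyError, TypeError):
        return None
    # Reject empty or non-string values; the token is only returned, never logged or stored.
    return token if isinstance(token, str) and token else None


def resolve_credentials(api_key=None, env=None, keychain=read_keychain_token):
    """Return ("api_key" | "auth_token", secret); first hit wins."""
    env = os.environ if env is None else env
    if api_key:
        return ("api_key", api_key)
    if env.get("ANTHROPIC_API_KEY"):
        return ("api_key", env["ANTHROPIC_API_KEY"])
    if env.get("ANTHROPIC_AUTH_TOKEN"):
        return ("auth_token", env["ANTHROPIC_AUTH_TOKEN"])
    token = keychain()
    if token:
        return ("auth_token", token)
    raise RuntimeError("no Anthropic credentials found")
```

Returning the credential kind alongside the secret lets the caller pass an OAuth token as `auth_token=` rather than `api_key=`, the distinction the PR's wiring test checks.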