Skip to content

feat: Linux support + drop credential gate from passthrough#22

Draft
diranged wants to merge 4 commits into
mainfrom
feature/linux-support
Draft

feat: Linux support + drop credential gate from passthrough#22
diranged wants to merge 4 commits into
mainfrom
feature/linux-support

Conversation

@diranged

@diranged diranged commented Apr 25, 2026
edited
Loading

Copy link
Copy Markdown
Owner

Summary

  • Linux support. Splits the four macOS security CLI shell-outs in internal/profile into darwin-only helpers (keychainHas / keychainRead / keychainDelete) gated by //go:build, with no-op stubs on !darwin that fall through to the existing .credentials.json codepath. Claude Code itself writes .credentials.json (mode 0600) into CLAUDE_CONFIG_DIR on Linux, so profile isolation works end-to-end without a Linux secret-store backend.
  • Drop the credential gate. Removes the profile %q has no credentials pre-flight in passthrough.go. It duplicated work claude already does, hardcoded auth login as the only bootstrap path (which is broken on Linux), and forced us to track claude's auth subcommand surface (isAuthCmd, hasExternalAuth). Banner still reports Auth: none, so the user isn't flying blind -- claude renders its own no-creds message and exits when appropriate.
  • Linux smoke harness. Adds hack/Dockerfile.linux-test + make docker-test so the linux binary can be exercised locally without a real linux box.
  • Docs. README / ARCHITECTURE.md / DEVELOPMENT.md / SECURITY.md updated to give Linux's file-based credential path equal billing instead of treating it as a degraded fallback. Build-tag layout documented.

Closes #21

Test plan

  • go build ./... and go vet ./... clean on darwin and GOOS=linux GOARCH=amd64
  • go test ./internal/profile/ passes on darwin
  • make docker-test-build succeeds (golang:1.25-bookworm + Claude Code via npm)
  • Inside the linux container:
    • claude-profile list shows a seeded profile with auth=file
    • claude-profile show work parses .credentials.json (subscription, rate limit, scopes)
    • strace -f -e execve confirms the security CLI is never invoked
    • claude-profile delete work cleans up the dir without calling keychain
    • After gate removal: claude-profile -P matt exec's straight into claude TUI; /login works there
  • Regression test on macOS: existing auth=keychain profile still works; delete still removes the keychain entry too

Notes

  • Pre-existing failure in internal/cli/statusline_test.go::TestStatuslineCmd_DefaultColor reproduces on a clean main checkout. Not addressed here.
  • Windows is out of scope. The goreleaser Windows build still ships but would land on the file fallback path; tracked separately.

🤖 Generated with Claude Code

diranged and others added 4 commits April 25, 2026 12:53
@diranged @claude
feat(profile): add Linux support via build-tagged keychain helpers
2b22ac1 
Splits the macOS `security` CLI shell-outs in internal/profile out into
darwin-only helper methods, with stubs on non-darwin builds that fall
through to the existing .credentials.json path. Claude Code itself
writes .credentials.json (mode 0600) into CLAUDE_CONFIG_DIR on Linux,
so profile isolation works end-to-end without a Linux secret-store
backend. Adds a hack/Dockerfile.linux-test smoke harness with
make docker-test for exercising the linux binary locally.

Refs #21

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@diranged
Merge branch 'main' into feature/linux-support
0705455
@diranged @claude
refactor(cli): drop credential gate from passthrough
211abe6 
The gate (\`profile %q has no credentials\`) tried to fail fast when a
profile had no creds, but it duplicated work claude already does when
launched without auth and forced us to track claude's auth subcommand
surface (\`isAuthCmd\`, \`hasExternalAuth\`). It also blocked legitimate
bootstrap paths the gate didn't know about: TUI \`/login\`, \`setup-token\`,
or seeded \`.credentials.json\` files. The banner already reports
\`Auth: none\` so the user isn't flying blind. Let claude render its own
no-creds message and exit when appropriate.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@diranged @claude
docs: reflect Linux support and credential gate removal
2ed2f1c 
- Reframe credential storage to give the Linux .credentials.json path
  equal billing alongside the macOS keychain (it's the default on
  Linux, not a degraded fallback).
- Document the build-tag layout for keychain helpers
  (profile_darwin.go / profile_other.go) in ARCHITECTURE.md.
- Add `make docker-test` to DEVELOPMENT.md.
- Drop "skips keychain check" wording from the Bedrock/Vertex/API-key
  sections; the gate is gone.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@diranged diranged changed the title feat(profile): add Linux support feat: Linux support + drop credential gate from passthrough Apr 30, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Add Linux support

1 participant

@diranged