docker config

njbrake · njbrake · commit bd91bf1aa2cd · 2026-02-24T08:26:40.000-05:00
diff --git a/src/session/container_config.rs b/src/session/container_config.rs
@@ -210,6 +210,14 @@ fn copy_dir_recursive(src: &Path, dest: &Path) -> Result<()> {
     Ok(())
 }
 
+/// Parse the `expiresAt` timestamp from a Claude Code credential JSON string.
+/// Returns `None` if the JSON is malformed or the field is missing/wrong type.
+#[cfg(any(target_os = "macos", test))]
+fn parse_credential_expires_at(content: &str) -> Option<u64> {
+    let value: serde_json::Value = serde_json::from_str(content).ok()?;
+    value.get("claudeAiOauth")?.get("expiresAt")?.as_u64()
+}
+
 /// Extract credentials from the macOS Keychain and write to a file.
 /// Returns Ok(true) if credentials were written, Ok(false) if not available.
 #[cfg(target_os = "macos")]
@@ -265,6 +273,35 @@ fn extract_keychain_credential(service: &str, dest: &Path) -> Result<bool> {
         return Ok(false);
     }
 
+    // Compare expiresAt timestamps: only overwrite if keychain credential is fresher
+    // than the existing sandbox credential, or if either is unparseable.
+    if dest.exists() {
+        if let Ok(existing_content) = std::fs::read_to_string(dest) {
+            let existing_exp = parse_credential_expires_at(&existing_content);
+            let keychain_exp = parse_credential_expires_at(trimmed);
+
+            if let (Some(existing), Some(keychain)) = (existing_exp, keychain_exp) {
+                if keychain <= existing {
+                    tracing::debug!(
+                        "Keychain credential for '{}' is not fresher (keychain={}, sandbox={}), keeping sandbox",
+                        service,
+                        keychain,
+                        existing
+                    );
+                    return Ok(false);
+                }
+            } else if existing_exp.is_some() && keychain_exp.is_none() {
+                // Sandbox is parseable but keychain is not -- keep sandbox.
+                tracing::debug!(
+                    "Keychain credential for '{}' is unparseable but sandbox is valid, keeping sandbox",
+                    service
+                );
+                return Ok(false);
+            }
+            // All other cases (both unparseable, or only keychain parseable): overwrite.
+        }
+    }
+
     std::fs::write(dest, trimmed)?;
     tracing::debug!(
         "Extracted keychain credential for '{}' -> {}",
@@ -1187,4 +1224,86 @@ mod tests {
             r#"{"token":"abc"}"#
         );
     }
+
+    // --- credential freshness tests ---
+
+    #[test]
+    fn test_parse_credential_expires_at_valid() {
+        let json = r#"{"claudeAiOauth":{"expiresAt":1700000000}}"#;
+        assert_eq!(parse_credential_expires_at(json), Some(1700000000));
+    }
+
+    #[test]
+    fn test_parse_credential_expires_at_missing_key() {
+        // Missing claudeAiOauth entirely.
+        assert_eq!(parse_credential_expires_at(r#"{"other":"data"}"#), None);
+        // Missing expiresAt inside claudeAiOauth.
+        assert_eq!(
+            parse_credential_expires_at(r#"{"claudeAiOauth":{"token":"abc"}}"#),
+            None
+        );
+    }
+
+    #[test]
+    fn test_parse_credential_expires_at_invalid_json() {
+        assert_eq!(parse_credential_expires_at("not json at all"), None);
+        assert_eq!(parse_credential_expires_at(""), None);
+    }
+
+    #[test]
+    fn test_parse_credential_expires_at_wrong_type() {
+        // expiresAt is a string instead of a number.
+        let json = r#"{"claudeAiOauth":{"expiresAt":"1700000000"}}"#;
+        assert_eq!(parse_credential_expires_at(json), None);
+    }
+
+    #[test]
+    fn test_credential_freshness_comparison() {
+        let dir = TempDir::new().unwrap();
+        let dest = dir.path().join(".credentials.json");
+
+        let stale = r#"{"claudeAiOauth":{"expiresAt":1000}}"#;
+        let fresh = r#"{"claudeAiOauth":{"expiresAt":2000}}"#;
+
+        // Sandbox has fresh credential, keychain has stale: sandbox should be kept.
+        fs::write(&dest, fresh).unwrap();
+        let existing_exp = parse_credential_expires_at(fresh);
+        let keychain_exp = parse_credential_expires_at(stale);
+        assert!(existing_exp.is_some());
+        assert!(keychain_exp.is_some());
+        assert!(keychain_exp.unwrap() <= existing_exp.unwrap());
+
+        // Sandbox has stale credential, keychain has fresh: keychain should win.
+        fs::write(&dest, stale).unwrap();
+        let existing_exp = parse_credential_expires_at(stale);
+        let keychain_exp = parse_credential_expires_at(fresh);
+        assert!(keychain_exp.unwrap() > existing_exp.unwrap());
+    }
+
+    #[test]
+    fn test_credential_comparison_with_unparseable_files() {
+        // When sandbox is parseable but keychain is not, sandbox should be kept.
+        let valid = r#"{"claudeAiOauth":{"expiresAt":1000}}"#;
+        let invalid = "not-json";
+
+        let existing_exp = parse_credential_expires_at(valid);
+        let keychain_exp = parse_credential_expires_at(invalid);
+        assert!(existing_exp.is_some());
+        assert!(keychain_exp.is_none());
+        // Decision: keep sandbox (existing is parseable, keychain is not).
+
+        // When both are unparseable, keychain wins (fallback to current behavior).
+        let existing_exp = parse_credential_expires_at(invalid);
+        let keychain_exp = parse_credential_expires_at("also-not-json");
+        assert!(existing_exp.is_none());
+        assert!(keychain_exp.is_none());
+        // Decision: overwrite (both unparseable).
+
+        // When only keychain is parseable, keychain wins.
+        let existing_exp = parse_credential_expires_at(invalid);
+        let keychain_exp = parse_credential_expires_at(valid);
+        assert!(existing_exp.is_none());
+        assert!(keychain_exp.is_some());
+        // Decision: overwrite (sandbox is unparseable).
+    }
 }
