fix(keyring): persist OAuth tokens across Homebrew upgrades

Disable KeychainTrustApplication to prevent macOS Keychain from tying
access control to the specific binary hash. This allows tokens to
survive across Homebrew upgrades where the binary hash changes.

Users may see a one-time keychain access prompt after upgrade.

Fixes openclaw#86

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: salmonumbrella

internal/secrets/store.go

@@ -173,8 +173,14 @@ func openKeyring() (keyring.Keyring, error) {
 	}
 
 	cfg := keyring.Config{
-		ServiceName:              config.AppName,
-		KeychainTrustApplication: runtime.GOOS == "darwin",
+		ServiceName: config.AppName,
+		// KeychainTrustApplication is intentionally false to support Homebrew upgrades.
+		// When true, macOS Keychain ties access control to the specific binary hash.
+		// Homebrew upgrades install a new binary with a different hash, causing the
+		// new binary to lose access to existing keychain items. With false, users may
+		// see a one-time keychain prompt after upgrade (click "Always Allow"), but
+		// tokens survive across upgrades. See: https://github.com/steipete/gogcli/issues/86
+		KeychainTrustApplication: false,
 		AllowedBackends:          backends,
 		FileDir:                  keyringDir,
 		FilePasswordFunc:         fileKeyringPasswordFunc(),

internal/secrets/store_test.go

@@ -17,10 +17,11 @@ import (
 var errKeyringOpenBlocked = errors.New("keyring open blocked")
 
 // keyringConfig creates a keyring.Config for testing.
+// KeychainTrustApplication is false to match production config (see store.go).
 func keyringConfig(keyringDir string) keyring.Config {
 	return keyring.Config{
 		ServiceName:              config.AppName,
-		KeychainTrustApplication: runtime.GOOS == "darwin",
+		KeychainTrustApplication: false,
 		AllowedBackends:          []keyring.BackendType{keyring.FileBackend},
 		FileDir:                  keyringDir,
 		FilePasswordFunc:         fileKeyringPasswordFunc(),