Summary
Clawpatch review flagged that packages/assistant/src/oauth/token-provider.ts appears to classify keychain read failures as expired-token errors. That can make credential-store failures look like ordinary token expiry, which weakens debugging and may trigger the wrong recovery path.
Observed Context
Risk
A storage/keychain access failure should remain distinguishable from an expired OAuth token. Collapsing these cases can hide platform/keychain problems and cause callers or UI flows to present misleading remediation.
Suggested Fix Direction
Audit the token-provider error path and preserve distinct error categories for:
- expired or invalid OAuth token
- keychain/storage read failure
- missing token / unauthenticated state
Add focused tests that assert keychain read failures are not surfaced as token-expired errors.
Source
Reported by Clawpatch external review; not fixed in PR #197 because it is unrelated to the perception assembler/read-layer changes.
Summary
Clawpatch review flagged that
packages/assistant/src/oauth/token-provider.tsappears to classify keychain read failures as expired-token errors. That can make credential-store failures look like ordinary token expiry, which weakens debugging and may trigger the wrong recovery path.Observed Context
packages/assistant/src/oauth/token-provider.ts.Risk
A storage/keychain access failure should remain distinguishable from an expired OAuth token. Collapsing these cases can hide platform/keychain problems and cause callers or UI flows to present misleading remediation.
Suggested Fix Direction
Audit the token-provider error path and preserve distinct error categories for:
Add focused tests that assert keychain read failures are not surfaced as token-expired errors.
Source
Reported by Clawpatch external review; not fixed in PR #197 because it is unrelated to the perception assembler/read-layer changes.