feat(credential): oauth-capture routes with phantom-token broker

[christine-at-datadog]

Linked Issue

Closes #1265

Summary

When a sandboxed agent runs claude /login (or other coding agent equivalent), the proxy TLS-intercepts the OAuth token endpoint, swaps the real access_token/refresh_token for nono_<hex> nonces before the response reaches the agent, and resolves nonces back to real tokens on egress. The agent's original keychain entry only ever holds nonces.

Built on existing primitives:

• Added a capture path in the nonce mint/resolve engine
• Hooked up HTTP/1.1 and HTTP/2 forwarding in the proxy's TLS intercept loop
• Added dispatch mode to tool-sandbox Capture action
• Set up a nono-only ACL entry to macOS keychain FFI

Net new:

• Fake tokens in the agent's keychain — when the agent logs in, it gets placeholder values instead of real credentials. The proxy swaps them back to real tokens on the way out. The real tokens live in a separate, nono-owned keychain entry the agent can't read.
• The broker remembers credentials across sessions — it saves the real tokens to its keychain entry so they survive restarts, detects when the agent has logged out and cleans up stale placeholders, and protects its entry so only nono can read it.
• Token response interception — when the OAuth server sends back the login response, nono catches it before the agent sees it, swaps the real tokens for placeholders, then lets the (now-modified) response through.
• credential_routes as a single config entry — instead of manually configuring proxy routes, you declare one entry with the API host and token endpoint, and nono figures out the rest.
• Same host vs. different host — if the token endpoint and API are on the same host, one proxy route covers both. If they're on different hosts (claude's case: platform.claude.com for login, api.anthropic.com for inference), nono generates two routes automatically.

Additional Notes

• feat(credential-broker): add macos keychain credential broker #1034 is a stateless subprocess keyring mediator; this broker is an OAuth phantom-token store with per-entry SecAccess ACL + holds nonce pairs.
• The pattern should be agent agnostic. The one claude-specific layer from this PR is the orphan-GC hydration reader (current_claude_access_token) which knows claude's keychain service name, account "unknown", and claudeAiOauth JSON envelope shape. For a different OAuth agent, write an analogous reader and pass it to build_shared_broker; everything else is reused unchanged.

Adding OAuth capture to an existing profile

Add credential_routes alongside your existing network.tls_intercept block. Two cases:

Same host for token endpoint and API:

"network": {
  "listen_port": [0],
  "tls_intercept": { "ca_lifecycle": "session" }
},
"environment": { "deny_vars": ["ANTHROPIC_BASE_URL"] },
"credential_routes": [
  {
    "name": "anthropic_oauth",
    "upstream": "https://api.anthropic.com",
    "capture": {
      "type": "oauth_intercept",
      "token_url_match": "/v1/oauth/token"
    }
  }
]

Cross-host (token endpoint on a different host than the API — claude's case):

"credential_routes": [
  {
    "name": "anthropic_oauth",
    "upstream": "https://api.anthropic.com",
    "capture": {
      "type": "oauth_intercept",
      "token_host": "https://platform.claude.com",
      "token_url_match": "/v1/oauth/token"
    }
  }
]

token_host absent → defaults to upstream. Cross-host desugars to two routes: a capture route on token_host and an egress (nonce-resolve) route on upstream.

listen_port: [0] is required so the agent's OAuth callback server can bind. deny_vars: ["ANTHROPIC_BASE_URL"] prevents an enterprise gateway from routing inference traffic away from api.anthropic.com where nonces resolve.

Checklist

• An issue exists and is linked above
• All commits are signed-off, using DCO
• All new code follows the project's coding standards (CLAUDE.md) and is covered by tests
• Public-facing changes are paired with documentation updates
• Release note has been added to CHANGELOG.md if needed

Agent Compliance Check

• I am not prohibited from contributing under this policy
• An issue already exists (feat(credential): credential mediation for OAuth-capture routes #1265)
• I disclosed that I am an agent in the issue discussion
• I described my intent and approach in the issue discussion
• I reviewed repository coding and security rules for the affected area
• I provided required attribution for reused or adapted code
• I did not use forbidden patterns such as unwrap/expect
• I used NonoError where required
• I validated and canonicalized all relevant paths
• This PR matches the approved or disclosed issue scope

[github-actions]

PR Review Summary

Size

Metric	Value
Lines added	+3253
Lines removed	-12
Total changed	3265
Classification	Large (> 300 lines)

Affected crates

• crates/nono-proxy — downstream consumers depend on this crate. API or behaviour changes will affect external callers; treat any breaking change with extra scrutiny.
• crates/nono-cli — CLI changes. Verify argument parsing, flag documentation, and UX behaviour across supported platforms.

Blast radius — Moderate

This PR touches: source code,configuration / policy files

---

_{Updated automatically on each push to this PR.}