Fix stale OAuth token causing silent failures in long-running proxy #2

Open
WilsonLiu95 wants to merge 1 commit into sethschnrt:main from WilsonLiu95:fix/stale-oauth-token-env-var

@WilsonLiu95

Summary

  • Strip CLAUDE_CODE_OAUTH_TOKEN from subprocess environment so the CLI reads fresh credentials from the OS keychain on every invocation
  • Fixes silent failures when the proxy runs as a long-lived daemon (e.g. via nohup, launchd, or systemd)

Problem

When the proxy is launched from Claude Desktop (or any parent process that sets CLAUDE_CODE_OAUTH_TOKEN), the env var is a point-in-time snapshot. The Claude CLI prioritizes this env var over the OS keychain, so subprocesses keep using the stale token even after Claude Desktop refreshes the keychain credential.

Once the original token's usage window expires, all subprocess requests fail with "You're out of extra usage" (HTTP 400), while the keychain token remains perfectly valid. The proxy returns SSE error chunks that the OpenAI SDK silently drops, causing downstream consumers to receive empty responses with no error indication.

Root cause chain

Claude Desktop sets CLAUDE_CODE_OAUTH_TOKEN
  → nohup starts proxy (inherits token snapshot)
    → proxy spawns claude subprocess (passes stale token via process.env)
      → CLI uses env var token instead of keychain
        → stale token's 5h usage window exhausted → "out of extra usage"
          → subprocess exit code 1 → proxy sends SSE error
            → OpenAI SDK silently drops error → consumer gets 0 replies

Fix

Remove CLAUDE_CODE_OAUTH_TOKEN from the subprocess environment. This forces the Claude CLI to fall back to reading fresh credentials from the OS keychain (which Claude Desktop keeps up to date automatically).

Test plan

  • Proxy responds correctly to streaming requests after fix
  • Proxy responds correctly to large requests (40KB+ system prompt, 63 tools)
  • Subprocess uses keychain token (verified by checking token freshness)
  • Verify proxy survives token refresh cycles over 24+ hours

🤖 Generated with Claude Code

When the proxy is launched from Claude Desktop (or any process that sets
CLAUDE_CODE_OAUTH_TOKEN), the env var is a point-in-time snapshot. The
Claude CLI prioritizes this env var over the OS keychain, so subprocesses
keep using the stale token even after Claude Desktop refreshes the
keychain credential.

Once the original token's usage window expires, all subprocess requests
fail with "out of extra usage" (HTTP 400) while the keychain token
remains perfectly valid. The proxy returns SSE error chunks that the
OpenAI SDK silently drops, causing downstream consumers (e.g. OpenClaw
gateway) to receive empty responses with no error indication.

Fix: strip CLAUDE_CODE_OAUTH_TOKEN from the subprocess environment so
the CLI falls back to reading fresh credentials from the OS keychain
on every invocation.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
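
The fix described in this pull request, sketched as an added example that is not the PR's diff or the proxy's own code: it builds a subprocess environment without CLAUDE_CODE_OAUTH_TOKEN and spawns a probe child to confirm the variable is no longer inherited. The names `buildChildEnv`, `childSeesToken` and `demo` and the token value are constructed for illustration.

```javascript
// Added example (not the proxy's code). Only CLAUDE_CODE_OAUTH_TOKEN comes
// from the pull request; function names and the token value are constructed.
// Loads child_process under both CommonJS and ES modules.
const { spawnSync } = typeof require === 'function'
  ? require('node:child_process')
  : process.getBuiltinModule('node:child_process');

const STRIPPED_VARS = ['CLAUDE_CODE_OAUTH_TOKEN'];

// Windows treats environment variable names case-insensitively.
const fold = (name) => (process.platform === 'win32' ? name.toUpperCase() : name);

// Return a copy of parentEnv without the denied variables, plus the names
// removed (names only, never values, so the result is safe to log).
function buildChildEnv(parentEnv, stripped = STRIPPED_VARS) {
  const deny = new Set(stripped.map(fold));
  const env = {};
  const removed = [];
  for (const [name, value] of Object.entries(parentEnv)) {
    if (deny.has(fold(name))) removed.push(name);
    else env[name] = value;
  }
  return { env, removed };
}

// Spawn a probe child and report whether it can see the token variable.
function childSeesToken(env) {
  const probe = 'process.stdout.write(String("CLAUDE_CODE_OAUTH_TOKEN" in process.env))';
  const res = spawnSync(process.execPath, ['-e', probe], { env, encoding: 'utf8' });
  if (res.status !== 0) throw new Error(`probe failed: ${res.stderr}`);
  return res.stdout === 'true';
}

// Simulate a daemon that inherited a token snapshot from its parent.
function demo() {
  const parentEnv = { ...process.env, CLAUDE_CODE_OAUTH_TOKEN: 'constructed-stale-token' };
  const { env, removed } = buildChildEnv(parentEnv);
  return {
    inherited: childSeesToken(parentEnv), // plain inheritance passes the snapshot on
    scrubbed: childSeesToken(env),        // scrubbed env does not
    removed,
    parentUntouched: parentEnv.CLAUDE_CODE_OAUTH_TOKEN === 'constructed-stale-token',
  };
}

console.log(demo());
```

Passing the scrubbed object as the `env` option leaves the daemon's own `process.env` unchanged, so only the spawned CLI loses the variable.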