fix: keep interactive OAuth setup-token inheriting stdin

The blanket DEVNULL pass muzzled run_oauth_setup_token()'s interactive 'claude setup-token' login, which needs inherited stdin to prompt the user. Revert that one call and replace the guard's brittle file:line whitelist with an inline 'noqa: subprocess-stdin' marker that travels with the code.
2026-06-09 08:21:50 +00:00 · 2026-06-08 22:12:18 -07:00 · 2026-06-08 22:12:18 -07:00 · 2c1aaa9cba
commit 2c1aaa9cba
parent 8bb60ff039
2 changed files with 20 additions and 2 deletions
--- a/agent/anthropic_adapter.py
+++ b/agent/anthropic_adapter.py
@ -1164,9 +1164,12 @@ def run_oauth_setup_token() -> Optional[str]:
            "Install it with: npm install -g @anthropic-ai/claude-code"
        )

-    # Run interactively — stdin/stdout/stderr inherited so user can interact
+    # Run interactively — stdin/stdout/stderr inherited so the user can
+    # complete the OAuth login prompt. Must keep inherited stdin; the TUI-EOF
+    # concern does not apply to an interactive login the user explicitly
+    # invokes.  noqa: subprocess-stdin
    try:
-        subprocess.run([claude_path, "setup-token"], stdin=subprocess.DEVNULL)
+        subprocess.run([claude_path, "setup-token"])
    except (KeyboardInterrupt, EOFError):
        return None

--- a/scripts/check_subprocess_stdin.py
+++ b/scripts/check_subprocess_stdin.py
@ -44,6 +44,13 @@ KNOWN_SAFE = {
    "plugins/security-guidance/patterns.py",  # subprocess mentions are in reminder strings, not calls
 }

+# Inline marker that exempts a single subprocess call from this check.
+# Put it in a comment on (or within) the call when the process MUST inherit
+# stdin — e.g. an interactive login the user explicitly invokes. Travels with
+# the line, so it survives edits that shift line numbers (unlike a pinned
+# file:line entry).
+EXEMPT_MARKER = "noqa: subprocess-stdin"
+
 # Directories to skip entirely.
 SKIP_DIRS = {
    "tests/",
@ -105,6 +112,14 @@ def find_subprocess_calls(content: str, filepath: str) -> list[dict]:
                        if "input=" in call_text:
                            break

+                        # Inline exemption marker on the call itself or within
+                        # the few comment lines immediately above it → the call
+                        # intentionally inherits stdin.
+                        window_start = max(0, i - 4)
+                        preceding = "\n".join(lines[window_start:i])
+                        if EXEMPT_MARKER in call_text or EXEMPT_MARKER in preceding:
+                            break
+
                        violations.append({
                            "file": filepath,
                            "line": i + 1,