Context

Follow-up from the discussion in #1199 (comment) after #1217 landed (macOS Keychain / uncertain auth onboarding fix).

Product intent from that thread:

• Prefer Claude CLI login + subscription (OAuth / CLI session) over ANTHROPIC_API_KEY where possible — API key is a fallback, not the primary path we optimize for.
• End-to-end parity: behavior should hold cross-OS from Claude auth through actual execution (not only onboarding).

Original bug: onboarding treated uncertain Keychain auth as failure; #1217 added live probing. This issue tracks verification and gap analysis for the broader integration.

Goals

1. Confirm fix: live-probe macOS Keychain auth for Claude Code CLI onboarding (#1199) #1217 fully addresses the onboarding false-negative paths called out in #1199 (including Keychain / logged_in is None handling and live claude -p verification where appropriate).
2. Auth ordering & messaging: codebase and wizard copy should consistently treat subscription/CLI login as first-class; API key as explicit fallback — document any remaining places that imply API key is required for Claude Code CLI.
3. Cross-OS matrix: enumerate Linux vs macOS vs Windows (if supported) for: install detection, login detection, execution, env vars (ANTHROPIC_API_KEY vs credential files vs Keychain), and failure modes.

References

• #1199 (comment) — blocker + desired auth priority discussion
• #1217 — onboarding fix PR