> For the complete documentation index, see [llms.txt](https://ai-os-and-trend-finder.gitbook.io/ai-os-and-trend-finder-docs/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://ai-os-and-trend-finder.gitbook.io/ai-os-and-trend-finder-docs/.spec_system/archive/sessions/phase21-session03-authoritative-claude-usage-oauth/security-compliance.md).

# Security Compliance

**Session ID**: `phase21-session03-authoritative-claude-usage-oauth` **Created**: 2026-06-02 14:54 **Last Updated**: 2026-06-02 15:13

***

## OAuth Privacy Baseline

* Claude OAuth credentials remain script-only under `scripts/lib/`.
* Browser-visible generated data may include only bounded usage percentages, reset timestamps, fetched timestamps, source labels, and safe plan-tier labels.
* OAuth access tokens, refresh tokens, raw credential JSON, authorization headers, raw response bodies, and credential paths must not be emitted to generated data, logs, UI state, fixtures, or snapshots.
* Missing credentials, missing Claude CLI, non-200 responses, timeouts, malformed payloads, and unexpected errors must return `null` and preserve local-log estimates.

## Redaction Baseline

* Aggregate free-form log redaction must cover representative Claude OAuth token forms such as `sk-ant-oat01-*`, bearer headers, `accessToken`, `refreshToken`, and credential-shaped strings.
* Redaction must preserve legitimate usage counters such as `tokens`, `tokenCount`, and model accounting fields.
* Tests must prove token-bearing values do not survive the redaction path.
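As an added example (not the project's own `scripts/lib/` code), the following JavaScript implements a redaction pass for the token shapes listed above and a post-condition that tests can use to prove nothing token-bearing survives. Rule names, the `access_token`/`refresh_token` snake-case variants and the mixed-case heuristic for "credential-shaped" strings are assumptions for illustration.

```javascript
// Added example (not the project's code): free-form log redaction covering
// the Claude OAuth token shapes named in the Redaction Baseline. Rule names,
// the snake_case field variants and the "credential-shaped" heuristic are
// assumptions for illustration.

const REDACTED = '[REDACTED]';

// Ordered rules: structured forms (headers, credential fields) run before the
// bare-token and generic heuristics so each secret is rewritten exactly once.
const REDACTION_RULES = [
  // "Authorization: Bearer <token>" or a bare "bearer <token>" in a log line.
  { name: 'bearer-header',
    pattern: /\b(bearer)\s+[\w.~+\/=-]{8,}/gi,
    replacement: `$1 ${REDACTED}` },
  // JSON or key=value credential fields. The word boundary keeps "tokens",
  // "tokenCount" and other accounting fields untouched; the value class
  // excludes "[" so an already-redacted value is not matched again.
  { name: 'credential-field',
    pattern: /\b(accessToken|refreshToken|access_token|refresh_token)(\s*["']?\s*[:=]\s*["']?)[^"',\s}\[]+/g,
    replacement: `$1$2${REDACTED}` },
  // Claude OAuth access-token prefix (sk-ant-oat01-...) wherever it appears.
  { name: 'claude-oauth-token',
    pattern: /\bsk-ant-oat\d{2}-[\w-]+/g,
    replacement: REDACTED },
  // Credential-shaped strings: a run of 40+ base64url-ish characters that has
  // upper case, lower case and a digit. The mixed-case requirement is an
  // assumption chosen so lowercase slugs (session ids) and hex digests stay
  // readable; tune it to the corpus you actually log.
  { name: 'credential-shaped',
    pattern: /\b(?=[\w-]*[A-Z])(?=[\w-]*[a-z])(?=[\w-]*\d)[\w-]{40,}\b/g,
    replacement: REDACTED },
];

// Apply every rule, in order, to one free-form log line.
function redactLogLine(line) {
  return REDACTION_RULES.reduce(
    (text, rule) => text.replace(rule.pattern, rule.replacement),
    line,
  );
}

// Post-condition for tests: true if any token-bearing shape is still present.
// It re-checks the raw patterns rather than trusting the rule that should
// have fired, so a secret that slipped past one rule is still reported.
function containsTokenShape(text) {
  return REDACTION_RULES.some((rule) => {
    rule.pattern.lastIndex = 0; // patterns carry the g flag and are shared
    return rule.pattern.test(text);
  });
}
```

A test that satisfies the "must prove" requirement asserts both that the redacted line equals the expected text and that `containsTokenShape` is false on the output, while a line of legitimate counters round-trips unchanged.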

## Fallback Baseline

* The aggregate must continue producing valid local estimate output without OAuth credentials.
* The OAuth fetch timeout must be six seconds or less.
* Keychain reads must use a short timeout and clean up the spawned process.
* The UI must label authoritative usage as live and fallback usage as estimate without exposing credential metadata.
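The following JavaScript is an added example (not the project's code) covering both the OAuth Privacy Baseline's bounded browser-safe payload and the Fallback Baseline's null path: every failure mode named above (missing credential, non-200, timeout, malformed body, thrown error) collapses to `null`, the output is allowlisted field by field, and the fetch is bounded by the six-second timeout. The function names, the raw payload field names (`utilization`, `resets_at`, `plan`), the placeholder endpoint and the plan-tier allowlist are assumptions; the credential loader and fetch are injected so it runs offline.

```javascript
// Added example (not the project's code): browser-safe projection and
// null-fallback for authoritative OAuth usage. fetchAuthoritativeUsage,
// toBrowserSafeUsage, loadCredential, the raw payload fields, USAGE_URL and
// SAFE_PLAN_TIERS are assumptions for illustration.

const OAUTH_TIMEOUT_MS = 6000; // baseline: six seconds or less
const USAGE_URL = 'https://usage.example.invalid/v1/usage'; // placeholder endpoint
const SAFE_PLAN_TIERS = new Set(['free', 'pro', 'max', 'team', 'enterprise']); // assumed labels

// Clamp a utilization figure to an integer 0..100, or null if it is not a
// finite number, so only a bounded percentage ever reaches the UI.
function boundedPercent(value) {
  if (typeof value !== 'number' || !Number.isFinite(value)) return null;
  return Math.min(100, Math.max(0, Math.round(value)));
}

// Project a raw usage payload onto the browser-visible field set. Each field
// is allowlisted; headers, tokens, credential paths and the raw body are
// never copied. Malformed input yields null.
function toBrowserSafeUsage(raw, fetchedAt) {
  if (raw === null || typeof raw !== 'object') return null;
  const usedPercent = boundedPercent(raw.utilization);
  if (usedPercent === null) return null;
  return {
    usedPercent,
    resetsAt: typeof raw.resets_at === 'string' ? raw.resets_at : null,
    fetchedAt,
    planTier: SAFE_PLAN_TIERS.has(raw.plan) ? raw.plan : null,
    source: 'oauth', // shown as "live" in the UI; estimates carry 'local-log'
  };
}

// Fetch authoritative usage. loadCredential is the script-only reader (it
// applies its own short timeout and process cleanup); fetchImpl is the Fetch
// API. Every failure returns null so the caller keeps its local-log estimate.
async function fetchAuthoritativeUsage({
  loadCredential,
  fetchImpl = globalThis.fetch,
  now = () => new Date().toISOString(),
  timeoutMs = OAUTH_TIMEOUT_MS,
}) {
  let credential = null;
  try {
    credential = await loadCredential();
  } catch {
    return null; // keychain or CLI failure: fall back, surface no error text
  }
  if (!credential || typeof credential.accessToken !== 'string') return null;

  const controller = new AbortController();
  const timer = setTimeout(() => controller.abort(), timeoutMs);
  try {
    const response = await fetchImpl(USAGE_URL, {
      headers: { Authorization: `Bearer ${credential.accessToken}` },
      signal: controller.signal,
    });
    if (response.status !== 200) return null;
    return toBrowserSafeUsage(await response.json(), now());
  } catch {
    return null; // timeout (abort), network failure or unparsable body
  } finally {
    clearTimeout(timer); // no dangling timer keeps the script process alive
  }
}

// Prefer live usage; otherwise keep the estimate and label it as such.
function selectUsage(live, estimate) {
  return live ?? { ...estimate, source: 'local-log' };
}
```

Note that the credential is used only to build the `Authorization` header inside the fetch call and is never copied into the returned object, thrown, or logged, which is what keeps the generated data and snapshots within the browser-safe boundary.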

***

## Task Log

### Task T002 - Create OAuth privacy, redaction, and fallback baseline

**Started**: 2026-06-02 14:54 **Completed**: 2026-06-02 14:54 **Duration**: 1 minute

**Notes**:

* Established script-only credential handling, browser-safe payload boundaries, redaction coverage, and null-fallback requirements.

**Files Changed**:

* `.spec_system/specs/phase21-session03-authoritative-claude-usage-oauth/security-compliance.md` - Added OAuth security baseline.

***

## Final Sign-off

* OAuth credential access is script-only.
* Browser-visible authoritative usage is bounded to safe fields.
* Redaction covers representative Claude OAuth token shapes.
* Missing credentials, missing CLI, non-200 responses, timeouts, malformed payloads, and thrown errors fall back to estimates.
* Focused tests, typechecks, full test suite, ASCII scan, and LF scan passed.

***
