Confirm OAuth success on the agent before reporting login exit

[mathisdittrich]

Summary

• The box-agent now confirms a Claude / Codex login succeeded itself, before telling the cloud the pty exited
• When the login pty closes, the agent polls claude auth status (resp. codex login status) directly at 0.5s intervals for up to 15s
• On success it emits claude_authed / codex_authed and skips the *_login_exited event; on timeout it emits *_login_exited so the cloud fails fast
• Each login attempt now emits exactly one terminal event

The bug

Cloud-driven Claude login occasionally showed the user "Try again" even though the sign-in had actually worked.

Root cause is a race between two components that don't share timing:

1. Agent auth-poll loop (_auth_poll_loop) runs at 1s cadence for the first 60s of agent uptime, then 15s. Every cloud-driven login happens well past that 60s (box has booted + gone through Telegram setup first), so it's on the 15s cadence. It also only emits claude_authed on a state flip.
2. Cloud exit watchdog starts a 10s timer on claude_login_exited and calls set_failed("…Try again…") if the login state hasn't flipped to done.

Timeline for a typical box: user pastes code → claude writes ~/.claude.json + exits (~2s) → agent sends claude_login_exited → cloud starts 10s watchdog → agent's next auth-poll tick is up to 15s away → watchdog fires set_failed at T+10s, the real claude_authed lands at T+15s. The user sees "Try again" for a few seconds before the dialog advances.

The fix

Move success-detection to the agent, which sits on the same filesystem claude writes its credentials to — the right place to own the decision. The agent's tight 0.5s post-exit poll confirms the credential write within a second or two of it happening, independent of the lazy 15s general poll. The general poll keeps its 15s cadence; it only exists for logout detection, where latency is harmless.

Pairs with a cloud-side PR that drops the now-unnecessary exit watchdog and treats *_login_exited as a definitive failure signal.

Files

• agent/box_agent.py — new _claude_login_await_success + _codex_login_await_success; called from the two pty-exit handlers

Test plan

• ruff check agent/ clean, py_compile clean
• Staging: complete a Claude OAuth on a box that's been up >60s, confirm the dialog advances with no "Try again" flash
• Staging: same for Codex device-auth
• Negative: paste a bad code / cancel mid-flow, confirm claude_login_exited still fires within ~15s and the cloud surfaces the failure

🤖 Generated with Claude Code

---

Summary by cubic

The agent now verifies Claude/Codex OAuth success locally before reporting a login exit. This removes the race that briefly showed “Try again” after a successful sign-in.

• Bug Fixes
  • After the login pty closes, poll claude auth status / codex login status every 0.5s for up to 15s.
  • On success, emit claude_authed / codex_authed and skip *_login_exited; on timeout, emit *_login_exited to fail fast.
  • Ensure exactly one terminal event per attempt; keep the general 15s auth poll for logout only.
  • Implemented in agent/box_agent.py via _claude_login_await_success and _codex_login_await_success.

^{Written for commit 7e5430d. Summary will update on new commits. Review in cubic}

[cubic-dev-ai]

No issues found across 1 file

_{Re-trigger cubic}