v3.1: per-account dir + workspace pin (no more keychain materialize)

[gradyzhuo]

Summary

v3.1 is a structural rework of how orrery manages Claude credentials. The v3.0.x design — swap keychain items inside a shared CLAUDE_CONFIG_DIR — caused identity/plan drift (the gradyzhuo+team / jiabao+max mixed-display bug), /login poisoning of pool slots, and mid-session /status flapping when another shell ran orrery use. v3.1 fixes the root cause: each Claude account gets its own CLAUDE_CONFIG_DIR, with workspace content (projects/, memory/, agents/, commands/, todos/) shared across pinned accounts via symlinks.

New conceptual model:

• Account = identity (oauthAccount, userID, credential) — lives in ~/.orrery/accounts/claude/<id>/
• Workspace = work context (sessions, memory, projects) — lives in ~/.orrery/envs/<name>/claude-workspace/
• Pin = which workspace an Account symlinks into (default: `origin`)

orrery use X now just export CLAUDE_CONFIG_DIR=<X's dir> in the shell — no keychain copy, no .claude.json mutation, no disturbance to running claude sessions. The new `claude()` shell wrapper handles per-launch identity/shared merge and per-exit split.

Delivered across 4 plans (43 commits)

• Plan 1 (foundation, 16 commits): `Account.workspace` field, `ClaudeAccountDirectory` (per-account dir + 5 symlinks), `ClaudeJsonMerge` (per-account vs shared field categorization), `orrery pin` command
• Plan 2 (launch hooks, 7 commits): `_prepare-claude-launch` and `_capture-claude-exit` internal subcommands, `claude()` shell wrapper that merges identity+shared into `.claude.json` at launch and splits back at exit
• Plan 3 (migration + use UX + rename, 8 commits): opt-in `orrery migrate-to-v3.1`, `_account-dir` internal lookup, shell `use)` case that exports CLAUDE_CONFIG_DIR, `orrery workspace` alias for `orrery sandbox`, phantom loop integration
• Plan 4 (cleanup, 12 commits): auto-migrate on startup, deleted `KeychainCredentialAdapter` + `ClaudeOAuthSnapshot` + `ToolAuth.liveActiveInfo`, RunCommand claude branches gone, `orrery sandbox` removed from public CLI, L10n vocabulary rename, AccountAddFinalize auto-applies v3.1 layout

Net: +~2300 / -~900 lines, 315 tests passing (244 baseline + ~70 new).

Out of scope (deferred)

• Origin's existing `/.claude/projects/` session content is NOT migrated into the new workspace dir — needs separate UX design around the existing `/.claude` symlink
• The `--sandbox`/`-s` ArgumentParser flag in set-env/unset-env remains as-is (renaming would be a breaking arg-parser change)
• `SandboxCommand` type stays internal (referenced by `WorkspaceCommand`'s subcommand alias); a future PR can inline it

Design docs

• `docs/superpowers/specs/2026-05-27-v3.1-account-workspace-pin-design.html`
• `docs/superpowers/specs/2026-05-27-claude-launch-prepare-design.html`
• `docs/superpowers/plans/2026-05-27-v3.1-foundation.{md,html}`
• `docs/superpowers/plans/2026-05-28-v3.1-shell-launch-hooks.md`
• `docs/superpowers/plans/2026-05-28-v3.1-migration-and-use-ux.md`
• `docs/superpowers/plans/2026-05-28-v3.1-cleanup.md`

Test Plan

• `swift build` succeeds
• `swift test` — 315/315 pass
• Manual smoke (Plan 1 T12): `orrery pin` creates account dir + workspace + 5 symlinks correctly
• Manual smoke (Plan 2 T7): real claude through wrapper writes identity to per-account, shared to workspace, zero cross-pollution (9/9 verify)
• Manual smoke (Plan 3 T8): migrated/un-migrated mix — v3.1 accounts export CLAUDE_CONFIG_DIR, legacy fall through to materialize, real claude resume works
• Manual smoke (Plan 4 T11): fresh install → auto-migrate fires → `orrery use` exports → real claude through wrapper → 9/9 verify; `orrery sandbox` removed from `--help`; `orrery workspace` works
• CI runs on push (Release workflow builds for macOS arm64 + Linux x86_64/arm64)
• Side-by-side install (`bash /tmp/orrery-v3.1-install.sh install`) — verify against your real claude accounts without touching production v3.0.4

🤖 Generated with Claude Code