#8469: fix(auth): detect actual keychain account name when writing Claude CLI credentials

## Problem When OpenClaw refreshes OAuth tokens and tries to write them back to macOS Keychain, it uses a hardcoded account name `"Claude Code"`, but Claude Code CLI may create the keychain entry with the system username (e.g., `"username"`) as the account. This causes the write to fail silently (or create a duplicate entry), breaking token sync between OpenClaw and Claude Code. ## Solution Added `detectClaudeCliKeychainAccount()` function that parses the existing keychain entry to find the actual account name before writing. This ensures we update the correct entry regardless of what account name was used when it was created. ## Changes - Added `detectClaudeCliKeychainAccount()` to detect the actual account name from the keychain entry - Modified `writeClaudeCliKeychainCredentials()` to use the detected account name - Added logging of the account name used when writing Fixes #8447 <!-- greptile_comment --> <h2>Greptile Overview</h2> <h3>Greptile Summary</h3> This PR fixes Claude CLI keychain refresh writes on macOS by detecting the existing keychain item’s account name (instead of always using the hardcoded `"Claude Code"`) and then using that account when updating the `Claude Code-credentials` entry. The change is localized to `src/agents/cli-credentials.ts`, in the code path that writes refreshed OAuth tokens back into the Keychain so OpenClaw and Claude Code stay in sync. <h3>Confidence Score: 4/5</h3> - This PR is likely safe to merge, with a small risk of edge-case failures in account-name detection. - The change is small and scoped, but it relies on parsing `security` CLI output, which is historically format-unstable; if the regex fails, the fix can degrade back to the previous behavior for some users. - src/agents/cli-credentials.ts <!-- greptile_other_comments_section --> _{(2/5) Greptile learns from your feedback when you react with thumbs up/down!} <!-- /greptile_comment -->