fix(S-54): load OP_SERVICE_ACCOUNT_TOKEN first in secrets.fish#77
Closed (tieubao wants to merge 1 commit into main)
Conversation
Go's `range` sorts map keys alphabetically, so CLOUDFLARE_API_TOKEN was loaded before OP_SERVICE_ACCOUNT_TOKEN. On $SECONDARY hosts where the SA token sits in System.keychain (S-53) but other vars don't, the CLOUDFLARE cache miss called `op read` with no bearer in env, falling through to 1P Desktop integration. 1P walked the peer-PID parent chain to attribute the request and landed on `tailscaled` (the SSH-transport ancestor when Tailscale SSH is in use), popping an "Allow tailscaled to access 1Password?" dialog every cold mosh session. Reordering so OP_SERVICE_ACCOUNT_TOKEN loads first means subsequent cache misses fall through to bearer-auth `op read` directly against the 1P API: no Desktop integration, no app-attribution walk, no popup.

Branched off main (PR #76 still open with S-51 scope per scope-lock rule).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Author (Member):
Closing as superseded: the SA-token-first ordering fix landed via commit 7c4ffc4 (
Summary

`home/dot_config/fish/conf.d/secrets.fish.tmpl` so `OP_SERVICE_ACCOUNT_TOKEN` is loaded before iterating the rest of `.secrets`. Go's `range` sorts map keys alphabetically, so without this reorder `CLOUDFLARE_API_TOKEN` was loading first.

`tieubao@mini` after S-51 widened the gate to `is-login` and S-53 seeded only the SA token in System.keychain.

Why "tailscaled"?

After S-51 / S-53, on `$SECONDARY` hosts the alphabetically-first var (CLOUDFLARE) cache-misses → `op read` runs with empty `$OP_SERVICE_ACCOUNT_TOKEN` → falls back to 1P Desktop integration → 1P walks the peer-PID parent chain looking for a non-shell ancestor. With Tailscale SSH as the SSH transport, that chain is `launchd → tailscaled → /usr/bin/login → fish → bash → op`. Shells / login get skipped; `tailscaled` is the first "interesting" ancestor. Hence the misattribution.

After this fix, every `op read` runs with bearer auth in env → bypasses Desktop integration entirely → no attribution walk → no popup.

Test plan

- `chezmoi execute-template` rendered output puts `OP_SERVICE_ACCOUNT_TOKEN` line first
- `fish -n` clean on rendered output
- `tieubao@mini`, confirm fresh mosh session triggers no popup
- `$OP_SERVICE_ACCOUNT_TOKEN`, `$CLOUDFLARE_API_TOKEN`, `$R2_*` all populated in remote shell

Notes

Branched off `main`, not `feat/multi-machine-op` (PR #76), to respect scope-lock. Trivial 3-way merge if/when #76 lands first.

Spec: `docs/specs/S-54-load-sa-token-first.md`.

🤖 Generated with Claude Code