perf(secrets): batch mode for secret-cache-read (~15 ms fish-startup) (S-61)#83
Merged
(S-61) Adds `secret-cache-read --batch VAR1 REF1 [VAR2 REF2 ...]` mode that resolves N pairs in one bash invocation, emitting NUL-separated VAR\0VALUE pairs on stdout. Saves ~15 ms warm fish-startup on a 4-secret config (170 ms -> 155 ms across 5 cold-fish runs on Hans Air M4). The kernel `security find-generic-password` syscall itself is the irreducible cost; batching collapses bash-startup amortization (~3 ms × N).

Internal two-pass loop resolves OP_SERVICE_ACCOUNT_TOKEN first so subsequent op-read fallbacks have bearer auth in env (preserves the SA-token-first ordering, mirrors the comment chain in the secrets.fish template). The template no longer needs a conditional "load this var first" block — ordering is the script's responsibility.

Refactor: introduces `_load_one` helper used by both single-pair and batch modes. Keeps main's negative-cache (24h TTL) and `-A` flag for cross-Security-Session reads (S-51). `secrets.fish.tmpl` switches to one batched invocation, splits the NUL-separated output via `string split0`, and `set -gx` each pair.

Renumbering note: this work was originally drafted as S-55 on `perf/batch-secret-cache` (2026-05-07) but renumbered to S-61 to avoid colliding with `S-55-claude-md-modify-idempotency` shipped earlier today.

Verified on Mac mini: shellcheck clean, `fish -n` clean on rendered template, all 4 secrets populate via the new path with non-empty lengths.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
## Summary

Adds `secret-cache-read --batch VAR1 REF1 [VAR2 REF2 ...]` mode that resolves N pairs in one bash invocation, emitting NUL-separated `VAR\0VALUE` pairs on stdout. Single batched call from `secrets.fish.tmpl` replaces 4 separate forks at every login fish startup.

Saves ~15 ms warm fish-startup on a 4-secret config (170 ms -> 155 ms across 5 cold-fish runs on Hans Air M4). The kernel `security find-generic-password` syscall itself is the irreducible cost; batching collapses bash-startup amortization (~3 ms × N). Honest measurement: originally predicted ~50 ms, actual is ~15 ms.

## Replaces PR #78

PR #78 (`perf/batch-secret-cache`, drafted 2026-05-07) carried the same idea but couldn't rebase cleanly: main had evolved the single-pair script with negative-cache (24h TTL) and the `-A` flag for cross-Security-Session reads (S-51). Rather than wrestle a 4-way conflict, this is a fresh implementation merging both.

PR #77 was already closed as superseded (its SA-token-first reorder landed via commit 7c4ffc4).

## Renumbering note

Originally drafted as S-55 on the old branch. Renumbered to S-61 to avoid colliding with `S-55-claude-md-modify-idempotency` shipped earlier today (v0.6.0).

## Test plan

- `shellcheck --severity=warning home/dot_local/bin/executable_secret-cache-read` clean
- `chezmoi execute-template < home/dot_config/fish/conf.d/secrets.fish.tmpl` renders cleanly
- `fish -n` clean on rendered template
- `chezmoi apply ~/.config/fish/conf.d/secrets.fish ~/.local/bin/secret-cache-read` deploys
- `fish -l -c '...'` populates all 4 secrets via new batched path: OP_SERVICE_ACCOUNT_TOKEN (860), CLOUDFLARE_API_TOKEN (53), R2_ACCESS_KEY_ID (32), R2_SECRET_ACCESS_KEY (64)
- `-A` flag for cross-Security-Session reads preserved (S-51)

🤖 Generated with Claude Code
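The batch protocol the PR describes (one process, `VAR\0VALUE\0` pairs on stdout, SA token resolved in a first pass, consumer splits on NUL and exports each pair) is small enough to show end to end. The script below is an added illustration written for this page, not the project's `secret-cache-read` or its `secrets.fish.tmpl`. Everything in it is assumed: the keychain is replaced by a constructed in-memory table (`FAKE_KEYCHAIN`) so it runs off macOS, `_lookup`, `batch_read`, `import_pairs` and `batch_order` are names invented here, `_load_one` borrows the PR's helper name but its body is a guess, and the `op read` fallback the PR mentions is left as a comment. It needs bash 4 or newer for associative arrays and `read -d ''`.

```shell
#!/usr/bin/env bash
# Added example of the batch-mode protocol, not the project's script.
set -euo pipefail

# Constructed stand-in for the keychain (REF -> VALUE). In the real script the
# source is `security find-generic-password`; here it is just a table.
declare -A FAKE_KEYCHAIN=(
  ["op://vault/sa-token"]="sa-token-value"
  ["op://vault/cf-token"]="cf-token-value"
  ["op://vault/r2-key-id"]="r2-id-value"
)

# Cache lookup stand-in: print the value, or return 1 on a miss.
_lookup() {
  local ref=$1
  if [[ -n ${FAKE_KEYCHAIN[$ref]+set} ]]; then
    printf '%s' "${FAKE_KEYCHAIN[$ref]}"
  else
    return 1   # a real script would try its `op read` fallback here
  fi
}

# Resolve one VAR/REF pair and emit VAR\0VALUE\0 on stdout. Also exports the
# value in this process, which is what makes the SA-token-first pass useful:
# later fallbacks in the same process can see it. (Hypothetical body.)
_load_one() {
  local var=$1 ref=$2 value
  value=$(_lookup "$ref") || {
    printf 'secret-cache-read: %s: no value for %s\n' "$var" "$ref" >&2
    return 1
  }
  printf '%s\0%s\0' "$var" "$value"
  export "$var=$value"
}

# Batch mode: VAR1 REF1 [VAR2 REF2 ...]. Pass 1 handles only
# OP_SERVICE_ACCOUNT_TOKEN, pass 2 everything else, so output order is
# guaranteed regardless of argument order. Returns 1 if any pair failed.
batch_read() {
  if (( $# == 0 || $# % 2 != 0 )); then
    echo 'usage: batch_read VAR1 REF1 [VAR2 REF2 ...]' >&2
    return 2
  fi
  local -a vars refs
  while (( $# )); do vars+=("$1"); refs+=("$2"); shift 2; done
  local i status=0
  for i in "${!vars[@]}"; do                         # pass 1: SA token only
    if [[ ${vars[i]} == OP_SERVICE_ACCOUNT_TOKEN ]]; then
      _load_one "${vars[i]}" "${refs[i]}" || status=1
    fi
  done
  for i in "${!vars[@]}"; do                         # pass 2: the rest
    [[ ${vars[i]} == OP_SERVICE_ACCOUNT_TOKEN ]] && continue
    _load_one "${vars[i]}" "${refs[i]}" || status=1
  done
  return "$status"
}

# Consumer side, the bash equivalent of fish's `string split0` + `set -gx`:
# read NUL-delimited VAR, VALUE pairs from stdin and export each one.
# Variable names are validated so a malformed stream cannot export junk.
import_pairs() {
  local var value
  while IFS= read -r -d '' var && IFS= read -r -d '' value; do
    if [[ ! $var =~ ^[A-Za-z_][A-Za-z0-9_]*$ ]]; then
      printf 'import_pairs: refusing bad variable name %q\n' "$var" >&2
      return 1
    fi
    export "$var=$value"
  done
}

# Diagnostic: the VAR names in the order batch_read emitted them.
batch_order() {
  batch_read "$@" | {
    local var value names=()
    while IFS= read -r -d '' var && IFS= read -r -d '' value; do
      names+=("$var")
    done
    printf '%s\n' "${names[*]-}"
  }
}

# Demo: SA token is listed last on the command line but emitted first.
batch_order CLOUDFLARE_API_TOKEN op://vault/cf-token \
            OP_SERVICE_ACCOUNT_TOKEN op://vault/sa-token
```

Run it with `bash`, not `sh`. The ordering guarantee lives entirely in `batch_read`, which is the PR's point that the template no longer needs a "load this var first" block; `import_pairs` shows the one check a consumer of a NUL-separated stream should keep, that each name it is about to export is a legal identifier.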