Skip to content

fix: harden credential persistence#225

Merged
jlitola merged 2 commits into
mainfrom
credential-persistence-safety
Jul 16, 2026
Merged

fix: harden credential persistence#225
jlitola merged 2 commits into
mainfrom
credential-persistence-safety

Conversation

@jlitola

@jlitola jlitola commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Summary

  • retain OAuth refresh credentials after transient transport, timeout, and 5xx failures while keeping terminal cleanup restricted to classified 4xx responses
  • cap auth-associated file rewrites at POSIX 0600 without broadening more-restrictive modes
  • reconcile ambiguous canonical token and client records before clearing legacy plaintext copies, serialized with external writers in file mode
  • document the resulting refresh, migration, locking, and permission guarantees

This is PR 2 of the P0/P1 quality-review plan and addresses P0.2 and P1.4. PR 3 remains scoped to built-artifact smoke coverage in CI.

Verification

  • bun test (2,462 passed)
  • bun run typecheck
  • bun run format:check
  • bun run lint (one pre-existing warning in src/commands/init/agent-definitions.ts)
  • bun run build
  • bun run build in packages/mcp
  • bun run validate:packages
  • authenticated bun run smoke:cli (65 steps)
  • authenticated bun run smoke:mcp (38 steps)
  • bun run smoke:proxy-node

Review

An independent final review reported no findings.

Retain refresh credentials after transient failures, cap auth file permissions, and reconcile ambiguous legacy copies behind the auth lock. Add file-backed and concurrency regression coverage and document the storage guarantees.
@jlitola jlitola added bug Something isn't working javascript Pull requests that update javascript code labels Jul 16, 2026
Use a writable replacement target on Windows, where mode 0400 maps to a read-only attribute and blocks rename. Keep the restrictive-mode assertion on POSIX while still exercising replacement content on Windows.
@jlitola
jlitola merged commit 8e085dd into main Jul 16, 2026
8 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

bug Something isn't working javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant