fix: stabilize secrets land + docs note (#26155) (thanks @joshavant)

2026-05-08 08:01:23 +00:00 · 2026-02-26 15:46:57 +01:00
parent 4380d74d49
commit 47fc6a0806
6 changed files with 39 additions and 19 deletions
--- a/src/agents/auth-profiles/store.ts
+++ b/src/agents/auth-profiles/store.ts
@@ -338,24 +338,20 @@ function applyLegacyStore(store: AuthProfileStore, legacy: LegacyAuthStore): voi
  }
 }

-function loadCoercedStoreWithExternalSync(authPath: string): AuthProfileStore | null {
+function loadCoercedStore(authPath: string): AuthProfileStore | null {
  const raw = loadJsonFile(authPath);
-  const store = coerceAuthStore(raw);
-  if (!store) {
-    return null;
-  }
-  // Sync from external CLI tools on every load.
-  const synced = syncExternalCliCredentials(store);
-  if (synced) {
-    saveJsonFile(authPath, store);
-  }
-  return store;
+  return coerceAuthStore(raw);
 }

 export function loadAuthProfileStore(): AuthProfileStore {
  const authPath = resolveAuthStorePath();
-  const asStore = loadCoercedStoreWithExternalSync(authPath);
+  const asStore = loadCoercedStore(authPath);
  if (asStore) {
+    // Sync from external CLI tools on every load.
+    const synced = syncExternalCliCredentials(asStore);
+    if (synced) {
+      saveJsonFile(authPath, asStore);
+    }
    return asStore;
  }
  const legacyRaw = loadJsonFile(resolveLegacyAuthStorePath());
@@ -381,7 +377,7 @@ function loadAuthProfileStoreForAgent(
 ): AuthProfileStore {
  const readOnly = options?.readOnly === true;
  const authPath = resolveAuthStorePath(agentDir);
-  const asStore = loadCoercedStoreWithExternalSync(authPath);
+  const asStore = loadCoercedStore(authPath);
  if (asStore) {
    // Runtime secret activation must remain read-only:
    // sync external CLI credentials in-memory, but never persist while readOnly.