feat(linux): opt-in headless token-file fallback #203

Merged: oratis merged 2 commits into main from feat/linux-keyring-fallback, Jun 27, 2026

oratis (Owner) commented Jun 27, 2026

Resolves the last open P1 item (docs/CROSS-PLATFORM-HARDENING.md #2). On headless/server Linux there's often no Secret Service daemon, so the GitHub token store would fail at runtime.

What

  • keyring errors on Linux now carry an actionable hint (how to enable the fallback).
  • MARKUP_TOKEN_FILE_FALLBACK=1 → store the token in a 0600 file under $XDG_DATA_HOME instead of the keyring.
  • Opt-in on purpose — we never silently downgrade to on-disk storage (would betray the privacy posture). Weaker than the system keyring, but still keeps the token out of the webview (the exact threat the keyring move addressed: webview scripts can't read the file).

Why opt-in + plaintext (not auto + crypto)

Home-grown "encryption" with a host-derivable key is security theater — it implies protection it can't give. An explicit opt-in 0600 file is honest about its guarantee (filesystem perms on a single-user box) and unblocks GitHub features for headless users who knowingly accept it.

Tests

Roundtrip (save → load → 0600 perms → delete → idempotent) is unit-tested. The module compiles on all Unix (cfg(unix)) so the test runs on the macOS CI host; it's only activated on Linux. The Linux activation paths are compile-checked by the cross-platform CI job (ubuntu).

🤖 Generated with Claude Code
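
The storage behaviour described above (explicit opt-in, a file created with mode 0600 under $XDG_DATA_HOME, idempotent delete), as an added example that is not code from this pull request or the project. The function names, the `markup/github-token` sub-path, and the refusal to load a group- or world-accessible file are assumptions of this example.

```rust
use std::fs::{self, OpenOptions};
use std::io::{self, Read, Write};
use std::os::unix::fs::{OpenOptionsExt, PermissionsExt};
use std::path::{Path, PathBuf};

pub fn fallback_enabled(var: Option<&str>) -> bool { var == Some("1") } // opt-in: exactly "1"

// $XDG_DATA_HOME, else ~/.local/share (XDG default); the sub-path is hypothetical.
pub fn token_path(xdg: Option<&str>, home: &str) -> PathBuf {
    let base = match xdg {
        Some(d) if !d.is_empty() => PathBuf::from(d),
        _ => Path::new(home).join(".local/share"),
    };
    base.join("markup").join("github-token")
}

pub fn delete_token(path: &Path) -> io::Result<()> {
    match fs::remove_file(path) {
        Err(e) if e.kind() != io::ErrorKind::NotFound => Err(e),
        _ => Ok(()), // an already absent file counts as success (idempotent)
    }
}

pub fn save_token(path: &Path, token: &str) -> io::Result<()> {
    if let Some(dir) = path.parent() { fs::create_dir_all(dir)?; }
    delete_token(path)?; // mode() applies only at creation, so never reuse an old file
    let mut f = OpenOptions::new().write(true).create_new(true).mode(0o600).open(path)?;
    f.write_all(token.as_bytes())
}

pub fn load_token(path: &Path) -> io::Result<String> {
    let mut f = fs::File::open(path)?;
    let mode = f.metadata()?.permissions().mode() & 0o777; // checked on the open file
    if mode & 0o077 != 0 { // refuse a file that group or others can access
        return Err(io::Error::new(io::ErrorKind::PermissionDenied, "token file is not owner-only"));
    }
    let mut token = String::new();
    f.read_to_string(&mut token).map(|_| token)
}

fn main() -> io::Result<()> {
    let flag = std::env::var("MARKUP_TOKEN_FILE_FALLBACK").ok();
    if !fallback_enabled(flag.as_deref()) { return Ok(()); } // keyring only, no file written
    let xdg = std::env::var("XDG_DATA_HOME").ok();
    let path = token_path(xdg.as_deref(), &std::env::var("HOME").unwrap_or_default());
    save_token(&path, "constructed-sample-token")?; // constructed value, not a real token
    println!("{} bytes at {}", load_token(&path)?.len(), path.display());
    delete_token(&path)
}
```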

oratis and others added 2 commits June 27, 2026 13:52
Adds build-desktop (Linux deb+appimage, Windows nsis) + release-desktop jobs
that attach the installers to the same GitHub Release on every v* tag. The
build step is identical to the proven cross-platform-bundle spike.

Decoupled from the macOS build/release jobs (mirrors the `mas` job): a flaky
AppImage/NSIS build can't block a macOS release and vice versa. Unsigned today
(Windows cert is the owner's call) and no auto-updater (Win/Linux updates are
manual re-downloads) — both documented inline + in the hardening doc.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

Linux Secret Service needs a running keyring daemon, which headless/server
boxes lack. keyring errors now carry an actionable hint, and setting
MARKUP_TOKEN_FILE_FALLBACK=1 stores the GitHub token in a 0600 file under
$XDG_DATA_HOME instead. Opt-in on purpose — never a silent downgrade to
on-disk storage. Weaker than the keyring but still keeps the token out of the
webview (the original threat); roundtrip + 0600 perms unit-tested (runs on the
macOS CI host via cfg(unix)).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

oratis merged commit c99c666 into main Jun 27, 2026
6 checks passed
oratis deleted the feat/linux-keyring-fallback branch June 27, 2026 06:55