diff --git a/journal/2026-07-13.md b/journal/2026-07-13.md index d5ccbbf..0b240ce 100644 --- a/journal/2026-07-13.md +++ b/journal/2026-07-13.md @@ -1388,3 +1388,10 @@ tags: [scope/global, type/log] **Reason:** other **Vault notes touched:** (none) + +## Session — 2026-07-13T16:26:29Z + +**Project:** /home/jared/dev/cc-os +**Reason:** other +**Vault notes touched:** +(none) diff --git a/reference/credvault-bulk-call-behaviors.md b/reference/credvault-bulk-call-behaviors.md new file mode 100644 index 0000000..05b8502 --- /dev/null +++ b/reference/credvault-bulk-call-behaviors.md @@ -0,0 +1,40 @@ +--- +summary: Two credvault behaviors that surface in bulk/scripted use — intermittent bw-sync failures needing retry with 20s+ backoff, and the trailing newline on get --secret-only that breaks naive hash comparisons. +tags: + - type/reference + - tool/credvault +scope: global +date: 2026-07-13 +--- + +# credvault behaviors under bulk/scripted use + +Discovered 2026-07-13 during a 33-key backfill loop (`credvault ensure --secret-file` per key). + +## 1. Intermittent `bitwarden_command_failed` ("bw sync failed") under rapid calls + +When credvault is invoked many times in quick succession, the underlying `bw sync` +intermittently fails and the CLI returns `bitwarden_command_failed`. It is transient: +the same call succeeds on retry. Backoff matters — 8s between retries was not always +enough; 20s+ per retry (up to 5 attempts) cleared every failure. + +**Rule:** any bulk credvault loop must retry specifically on `bitwarden_command_failed` +with ≥20s backoff, and classify per-key outcomes (`created`/`existing`/`secret_conflict`/ +`missing-source`/failed) rather than aborting the whole run. + +## 2. `get --secret-only` output ends with a trailing newline + +When verifying a stored value against its source by hash, the vault side includes a +trailing `\n` that a `tr -d '\n'`-stripped source does not — producing false MISMATCHes. +Normalize both sides first: + +```bash +credvault get --secret-only | tr -d '\n' | sha256sum +``` + +(Values that are genuinely multi-line files, e.g. a service-account JSON stored via +`--secret-file`, round-trip byte-identical and compare fine without stripping.) + +## Related + +- [[credvault-locked-status-is-not-blocking]] diff --git a/reference/credvault-locked-status-is-not-blocking.md b/reference/credvault-locked-status-is-not-blocking.md index 75781cd..a84dd47 100644 --- a/reference/credvault-locked-status-is-not-blocking.md +++ b/reference/credvault-locked-status-is-not-blocking.md @@ -21,3 +21,7 @@ existing key succeeded (`"result": "existing"`). genuine `authentication_failed` / `vault_locked` **error returned by an operation** requires human intervention — and per the credential-management skill, never attempt to fix vault auth yourself. + +## Related + +- [[credvault-bulk-call-behaviors]]