vault: session notes 2026-07-13
This commit is contained in:
parent
1affdecb31
commit
071825e4ac
|
|
@ -1388,3 +1388,10 @@ tags: [scope/global, type/log]
|
||||||
**Reason:** other
|
**Reason:** other
|
||||||
**Vault notes touched:**
|
**Vault notes touched:**
|
||||||
(none)
|
(none)
|
||||||
|
|
||||||
|
## Session — 2026-07-13T16:26:29Z
|
||||||
|
|
||||||
|
**Project:** /home/jared/dev/cc-os
|
||||||
|
**Reason:** other
|
||||||
|
**Vault notes touched:**
|
||||||
|
(none)
|
||||||
|
|
|
||||||
|
|
@ -0,0 +1,40 @@
|
||||||
|
---
|
||||||
|
summary: Two credvault behaviors that surface in bulk/scripted use — intermittent bw-sync failures needing retry with 20s+ backoff, and the trailing newline on get --secret-only that breaks naive hash comparisons.
|
||||||
|
tags:
|
||||||
|
- type/reference
|
||||||
|
- tool/credvault
|
||||||
|
scope: global
|
||||||
|
date: 2026-07-13
|
||||||
|
---
|
||||||
|
|
||||||
|
# credvault behaviors under bulk/scripted use
|
||||||
|
|
||||||
|
Discovered 2026-07-13 during a 33-key backfill loop (`credvault ensure --secret-file` per key).
|
||||||
|
|
||||||
|
## 1. Intermittent `bitwarden_command_failed` ("bw sync failed") under rapid calls
|
||||||
|
|
||||||
|
When credvault is invoked many times in quick succession, the underlying `bw sync`
|
||||||
|
intermittently fails and the CLI returns `bitwarden_command_failed`. It is transient:
|
||||||
|
the same call succeeds on retry. Backoff matters — 8s between retries was not always
|
||||||
|
enough; 20s+ per retry (up to 5 attempts) cleared every failure.
|
||||||
|
|
||||||
|
**Rule:** any bulk credvault loop must retry specifically on `bitwarden_command_failed`
|
||||||
|
with ≥20s backoff, and classify per-key outcomes (`created`/`existing`/`secret_conflict`/
|
||||||
|
`missing-source`/failed) rather than aborting the whole run.
|
||||||
|
|
||||||
|
## 2. `get --secret-only` output ends with a trailing newline
|
||||||
|
|
||||||
|
When verifying a stored value against its source by hash, the vault side includes a
|
||||||
|
trailing `\n` that a `tr -d '\n'`-stripped source does not — producing false MISMATCHes.
|
||||||
|
Normalize both sides first:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
credvault get <key> --secret-only | tr -d '\n' | sha256sum
|
||||||
|
```
|
||||||
|
|
||||||
|
(Values that are genuinely multi-line files, e.g. a service-account JSON stored via
|
||||||
|
`--secret-file`, round-trip byte-identical and compare fine without stripping.)
|
||||||
|
|
||||||
|
## Related
|
||||||
|
|
||||||
|
- [[credvault-locked-status-is-not-blocking]]
|
||||||
|
|
@ -21,3 +21,7 @@ existing key succeeded (`"result": "existing"`).
|
||||||
genuine `authentication_failed` / `vault_locked` **error returned by an operation** requires
|
genuine `authentication_failed` / `vault_locked` **error returned by an operation** requires
|
||||||
human intervention — and per the credential-management skill, never attempt to fix vault
|
human intervention — and per the credential-management skill, never attempt to fix vault
|
||||||
auth yourself.
|
auth yourself.
|
||||||
|
|
||||||
|
## Related
|
||||||
|
|
||||||
|
- [[credvault-bulk-call-behaviors]]
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue