Expand description
Identity injection at agent CLI spawn time.
When an agent instance is launched, the launch modal records an
identity_id on the db_agent_instances row (v7 schema). Right
before the CLI subprocess starts, this module:
- Looks up the active instance for the spawning block.
- Reads its
identity_id. Empty / “blank” / not-found → noop (the agent inherits ambient credentials). - Reads the bindings for that Identity bundle.
- For each binding: looks up the Account row, resolves its
SecretRefto a plaintext value, looks up the provider → env-var matrix, and merges those env vars into the spawnenv_varsHashMap.
Failure mode is warn-don’t-block: missing accounts, env-var resolution errors, unknown providers — all logged and skipped. The agent CLI launches with whatever ambient credentials remain. This is intentional: identity injection is a convenience, not a security gate. The caller flags hard-required-creds workflows separately.
Closes Phase 2 of issue #678 (the per-instance injection layer). Phase 1 (Account registry + UI) and the v7 schema reshape (Bundle entity) were prerequisites; Phase 3 (encrypted vault, OAuth flows) is deferred.
Re-exports§
pub use resolver::inject_identity_env;
Modules§
- auth_
patterns - Per-provider stdout/stderr pattern matchers for the pre-launch
OAuth flow. The
auth loginsubprocess of each CLI provider emits an OAuth URL (or device code) to stdout/stderr in a slightly different shape. This module knows how to extract them. - auth_
session - In-memory manager for pre-launch OAuth sessions.
- migration
- One-shot startup migration that seeds a “Default” identity bundle from
ambient OAuth credentials living in the user’s home dir
(
<HOME>/.<auth_dir_name>/.credentials.jsonfor each oauth-class provider). - resolver
- Identity → env-var resolver.