Keychain-unavailable environments fail with a raw error and never surface the FJ_TOKEN fallback #93

New issue

Closed

opened 2026-06-10 21:20:08 +00:00 by stephen · 2 comments

stephen commented 2026-06-10 21:20:08 +00:00

Owner

Copy link

Observation

When FJ_TOKEN is unset and the OS keychain is unreachable (locked Login keychain over SSH, a headless Linux container with no Secret Service / D-Bus, a copied hosts.toml on a machine that never ran fj auth login), every authenticated command fails with a raw keychain error and no mention of the FJ_TOKEN fallback.

Token resolution tries the env var first, then the keychain (src/client/resolve.rs:27-36):

AuthKind::Pat => match auth::env_token() {
    Some(token) => token,
    None => auth::load_token(&name)?.ok_or_else(|| {
        anyhow!(
            "no token stored for host '{name}'. Run `fj auth login --host {name}` \
             or set FJ_TOKEN for this process."
        )
    })?,
},

The helpful ok_or_else message only fires when load_token returns Ok(None). But load_token returns Ok(None) only for keyring::Error::NoEntry (src/auth/mod.rs:38-45):

pub fn load_token(host: &str) -> Result<Option<String>> {
    let entry = entry(host)?;                       // (a) Entry::new can fail
    match entry.get_password() {
        Ok(token) => Ok(Some(token)),
        Err(keyring::Error::NoEntry) => Ok(None),
        Err(e) => Err(e).with_context(|| format!("reading token for {host} from keychain")),  // (b)
    }
}

Any other keychain failure: service unavailable, no Secret Service, locked keychain, access denied, propagates through ? at path (a) or (b). The user sees opening keychain entry for rasterhub.com: <platform error> or reading token for rasterhub.com from keychain: <platform error> and the FJ_TOKEN hint at resolve.rs:32-36 is never reached.

The FJ_TOKEN doc comment (src/auth/mod.rs:47-49) even states its purpose is to "avoid touching keychain services in headless containers", but nothing tells a stuck user that the lever exists.

Why it matters

CI/CD and remote dev are exactly where paying teams put a forge CLI, and exactly where the keychain is absent. The current failure looks like "fj is broken in containers" rather than "set one env var". A new team evaluating fj in their pipeline hits a dead end whose fix (FJ_TOKEN) is documented in CLAUDE.md and used by this repo's own CI, but is invisible at the point of failure. That is a silent adoption cliff for the headless use case.

Possible directions (sketches)

• (sketch) Treat "keychain service unavailable / locked / denied" the same as NoEntry inside load_token, returning Ok(None) so the existing actionable resolve.rs message ("...or set FJ_TOKEN for this process.") is what the user sees. Keep the raw error available under --debug.
• (sketch) Alternatively, catch the keychain error at resolve.rs and append the same "set FJ_TOKEN" guidance to it, preserving the underlying cause for diagnosis.
• (sketch) A short troubleshooting entry ("running fj in CI / containers: set FJ_TOKEN") cross-linked from the keychain error text.

Confidence

High that the code path drops the FJ_TOKEN hint on non-NoEntry keychain errors (verified in resolve.rs + auth/mod.rs). Medium on real-world frequency per environment; a quick repro in a container with no Secret Service (or FJ_TOKEN unset + login keychain locked) would confirm the exact surfaced string and raise this to high.

## Observation When `FJ_TOKEN` is unset and the OS keychain is unreachable (locked Login keychain over SSH, a headless Linux container with no Secret Service / D-Bus, a copied `hosts.toml` on a machine that never ran `fj auth login`), every authenticated command fails with a raw keychain error and **no mention of the `FJ_TOKEN` fallback**. Token resolution tries the env var first, then the keychain (`src/client/resolve.rs:27-36`): ```rust AuthKind::Pat => match auth::env_token() { Some(token) => token, None => auth::load_token(&name)?.ok_or_else(|| { anyhow!( "no token stored for host '{name}'. Run `fj auth login --host {name}` \ or set FJ_TOKEN for this process." ) })?, }, ``` The helpful `ok_or_else` message only fires when `load_token` returns `Ok(None)`. But `load_token` returns `Ok(None)` **only** for `keyring::Error::NoEntry` (`src/auth/mod.rs:38-45`): ```rust pub fn load_token(host: &str) -> Result<Option<String>> { let entry = entry(host)?; // (a) Entry::new can fail match entry.get_password() { Ok(token) => Ok(Some(token)), Err(keyring::Error::NoEntry) => Ok(None), Err(e) => Err(e).with_context(|| format!("reading token for {host} from keychain")), // (b) } } ``` Any **other** keychain failure: service unavailable, no Secret Service, locked keychain, access denied, propagates through `?` at path (a) or (b). The user sees `opening keychain entry for rasterhub.com: <platform error>` or `reading token for rasterhub.com from keychain: <platform error>` and the `FJ_TOKEN` hint at `resolve.rs:32-36` is never reached. The `FJ_TOKEN` doc comment (`src/auth/mod.rs:47-49`) even states its purpose is to "avoid touching keychain services in headless containers", but nothing tells a stuck user that the lever exists. ## Why it matters CI/CD and remote dev are exactly where paying teams put a forge CLI, and exactly where the keychain is absent. The current failure looks like "fj is broken in containers" rather than "set one env var". A new team evaluating `fj` in their pipeline hits a dead end whose fix (`FJ_TOKEN`) is documented in `CLAUDE.md` and used by this repo's own CI, but is invisible at the point of failure. That is a silent adoption cliff for the headless use case. ## Possible directions (sketches) - *(sketch)* Treat "keychain service unavailable / locked / denied" the same as `NoEntry` inside `load_token`, returning `Ok(None)` so the existing actionable `resolve.rs` message ("...or set FJ_TOKEN for this process.") is what the user sees. Keep the raw error available under `--debug`. - *(sketch)* Alternatively, catch the keychain error at `resolve.rs` and append the same "set FJ_TOKEN" guidance to it, preserving the underlying cause for diagnosis. - *(sketch)* A short troubleshooting entry ("running fj in CI / containers: set `FJ_TOKEN`") cross-linked from the keychain error text. ## Confidence High that the code path drops the `FJ_TOKEN` hint on non-`NoEntry` keychain errors (verified in `resolve.rs` + `auth/mod.rs`). Medium on real-world frequency per environment; a quick repro in a container with no Secret Service (or `FJ_TOKEN` unset + login keychain locked) would confirm the exact surfaced string and raise this to high.

stephen added the

opportunity

label 2026-06-10 21:20:32 +00:00

stephen referenced this issue 2026-06-10 21:58:33 +00:00

Surface the FJ_TOKEN fallback when the OS keychain is unavailable #96

stephen referenced this issue 2026-06-10 21:58:33 +00:00

Add --label and --assignee to fj issue create #97

stephen added the

converted

label 2026-06-10 21:58:54 +00:00

stephen commented 2026-06-10 21:59:31 +00:00

Author

Owner

Copy link

Converted (label converted). This opportunity became one backlog item:

• rasterstate/fj#96 (backlog, p1): Surface the FJ_TOKEN fallback when the OS keychain is unavailable.

Kept open per the product-agent triage convention. Rationale: a silent dead-end in CI/headless containers (exactly where teams evaluate a forge CLI, and where the keychain is absent) is a real blocker-to-adoption, and the verified code path drops the actionable FJ_TOKEN hint on any non-NoEntry keychain error. Sized S; the fix maps keychain-unavailable errors to Ok(None) so the existing resolve.rs guidance fires, preserving the raw cause under --debug.

**Converted** (label `converted`). This opportunity became one backlog item: - rasterstate/fj#96 (`backlog`, `p1`): Surface the `FJ_TOKEN` fallback when the OS keychain is unavailable. Kept open per the product-agent triage convention. Rationale: a silent dead-end in CI/headless containers (exactly where teams evaluate a forge CLI, and where the keychain is absent) is a real blocker-to-adoption, and the verified code path drops the actionable `FJ_TOKEN` hint on any non-`NoEntry` keychain error. Sized S; the fix maps keychain-unavailable errors to `Ok(None)` so the existing `resolve.rs` guidance fires, preserving the raw cause under `--debug`.

stephen commented 2026-06-10 23:52:17 +00:00

Author

Owner

Copy link

All derived backlog items are merged: rasterstate/fj#96 closed by PR #102. Closing this opportunity per the issue state machine (operator-approved).

All derived backlog items are merged: rasterstate/fj#96 closed by PR #102. Closing this opportunity per the issue state machine (operator-approved).

stephen closed this issue 2026-06-10 23:52:17 +00:00

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

wip/claude-1/rasterstate-fj

feat/166-lock-unlock

wip/codex-4/rasterstate-fj

feat/168-rerun-failed

feat/169-repo-collaborator

feat/172-create-template

feat/164-pr-merge-auto

wip/claude-2/rasterstate-fj

feat/170-list-filters

feat/171-color-control

feat/165-pr-create-fill

feat/165-pr-create-fill-codex

wip/claude-3/rasterstate-fj

wip/codex-2/rasterstate-fj

fix/123-extend-friendly-errors-409-422

fix/159-merge-reason

wip/claude-4/rasterstate-fj

fix/158-issue-add-assignee-endpoint

fix/147b-keychain-noentry-fallback

feat/147-file-token-store

feat/133-release-scripting

feat/139-workflow-run-handle

feat/140-body-file

fix/pr-comment-test-green

wip/codex-3/rasterstate-fj

feat/137-org-secrets-vars

feat/132-tag-branch-refs

feat/138-run-list-filters

feat/131-pr-comment-edit

feat/134-error-ux-exit-codes

feat/136-api-body-input

feat/135-run-exit-status

feat/113-pr-list-filters

fix/111-list-paginate

fix/112-json-readonly

feat/114-pr-labels

fix/115-version-pipe

fix/91-runlog-auth-error

feat/98-issue-edit-labels

fix/96-keychain-fallback

feat/97-issue-create-labels

fix/99-readme-json-global

fix/alias-quoted-args

fix/remote-scp-colon-owner

harden/hostname-validation

fix/json-path-numeric-object-keys

fix/debug-body-preview-utf8-panic

wip/codex-1/rasterstate-fj

readme-drop-github

feat/stack-review-enriched

feat/stack-sync

feat/stack-new-real

feat/work-context-enriched

feat/agent-review-impl

feat/agent-explain-impl

feat/agent-provider

feat/stack-review

feat/stack-new

feat/work-continue

feat/work-resume-session

feat/work-context-impl

feat/work-stack-agent-commands

adopt-fjord-actions

ci/coverage-strict-gate

refactor/coverage-region-exclude

refactor/converge-json-path

refactor/split-client-resolve

test/api-coverage-round4

test/api-coverage-round3

test/cov-ignore-drift-guard

test/e2e-smoke-coverage

test/command-tree-guard

refactor/split-workflow-artifacts

chore/coverage-intent-config

test/api-label-milestone-hook

test/output-and-repo-core

refactor/split-issue-comments

refactor/split-repo-social

refactor/split-pr-module

test/api-wiremock

test/backfill-pure-helpers

cleanup/hoist-truncate-human-size

feat/run-download-and-workflow-list

feat/parity-followups

feat/actions-logs-and-gh-parity

sso-pat-guidance

test/observability-smoke

v0.2.0

v0.1.3

v0.1.2

v0.1.1

v0.1.0

Labels

Clear labels   

backlog

Accepted but not scheduled

  

blocked

Blocked or stalled waiting on external progress

  

converted

Converted into tracked work

  

opportunity

Potential product or business opportunity

  

p1

Priority 1

  

p2

Priority 2

  

p3

Priority 3

  

parked

Paused intentionally until later

No labels

backlog

blocked

converted

opportunity

p1

p2

p3

parked

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

rasterstate/fj#93

No description provided.