fix(prep-airdrop): guard against service account token in environment #26

Merged: smartwatermelon merged 1 commit into main from claude/fix-prep-airdrop-service-token-guard on Apr 12, 2026

@smartwatermelon
Owner

Summary

  • Add early exit in prep-airdrop.sh when OP_SERVICE_ACCOUNT_TOKEN is set in the environment
  • The service account token only has Automation vault access; this script needs interactive 1Password auth for the Personal vault
  • Mirrors the same fix previously applied in mac-server-setup

Test plan

  • With OP_SERVICE_ACCOUNT_TOKEN set: script exits with instructions
  • With token unset (or via opp subshell): script proceeds as before
  • shellcheck clean
  • code-reviewer + adversarial-reviewer: PASS

🤖 Generated with Claude Code

Same fix as mac-server-setup: add early exit if OP_SERVICE_ACCOUNT_TOKEN
is set, with instructions to use the opp() subshell pattern for Personal
vault access.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
smartwatermelon merged commit f8c8a91 into main on Apr 12, 2026
1 check passed
smartwatermelon deleted the claude/fix-prep-airdrop-service-token-guard branch on April 12, 2026 03:46
@claude

claude bot commented Apr 12, 2026

PR Review: fix(prep-airdrop): guard against service account token in environment

File: prep-airdrop.sh (+11 lines, no deletions)

Summary

Adds a defensive early-exit guard that detects when OP_SERVICE_ACCOUNT_TOKEN is present and aborts with an actionable error message. This prevents a confusing, cryptic 1Password vault-access failure when the service account token (Automation vault only) is in the environment and the script needs Personal vault access.

Findings

No blocking issues found.

Non-blocking observations (ordered by maintenance impact)

  1. Guard placement after config validation (prep-airdrop.sh, around the new block): The guard fires after the : "${ONEPASSWORD_TIMEMACHINE_ITEM:?...}" required-var checks. A user who has OP_SERVICE_ACCOUNT_TOKEN set and is missing config vars will see the config error first, not the token guard. This is a minor UX ordering preference — moving the guard above the required-var block would give the most specific error first. Low maintenance impact; not worth a change on its own.

  2. Redundant :- default in -n test: [[ -n "${OP_SERVICE_ACCOUNT_TOKEN:-}" ]] — the :- empty-string default is redundant because -n already treats an unset variable as false. Harmless and won't confuse shellcheck, but [[ -n "${OP_SERVICE_ACCOUNT_TOKEN}" ]] is slightly cleaner. Purely stylistic.

  3. --help blocked when token is set: Because the help handler comes after the guard, running OP_SERVICE_ACCOUNT_TOKEN=x ./prep-airdrop.sh --help exits 1 before showing help. Minor UX rough edge; unlikely to matter in practice since the error message itself is informative.

Positives

  • The guard comment clearly explains the vault-access split (Automation vs. Personal), saving future maintainers from re-deriving the reason.
  • Error output correctly goes to stderr.
  • The suggested workaround subshell is accurate and immediately actionable.
  • basename "$0" in the error string correctly expands at runtime — no quoting or shellcheck issues.
  • Fail-fast behavior is strictly better than the previous silent mismatch that would surface as a cryptic vault-access error mid-script.

VERDICT: PASS
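
The guard discussed in this PR, with the ordering points from the review applied, as an added example (not the code merged here). The function names, message text, usage string and the `unset` subshell hint are assumptions; the page does not show the script's diff or its opp() helper. It uses POSIX `[ ]` so it also runs outside bash.

```shell
#!/bin/sh
# Added example: fail-fast guard for a script that needs interactive
# 1Password auth. Names and messages are illustrative assumptions.

# Returns 0 when it is safe to continue, 1 when a service account token
# is present in the environment. Diagnostics go to stderr only.
require_no_service_token() {
  # ${VAR:-} keeps the test safe if the caller has enabled `set -u`;
  # an empty value is treated the same as unset.
  if [ -n "${OP_SERVICE_ACCOUNT_TOKEN:-}" ]; then
    {
      printf '%s\n' "ERROR: OP_SERVICE_ACCOUNT_TOKEN is set in the environment."
      printf '%s\n' "The service account token only has Automation vault access;"
      printf '%s\n' "this script needs interactive 1Password auth for the Personal vault."
      printf '%s\n' "Re-run without the token, for example:"
      printf '  ( unset OP_SERVICE_ACCOUNT_TOKEN; ./%s )\n' "${1:-script}"
    } >&2
    return 1
  fi
  return 0
}

# Hypothetical entry point showing one possible ordering:
#   1. --help is answered first, so it works even when the token is set
#   2. the token guard runs next, so the most specific error is shown
#   3. required config variables are validated last
main_example() {
  case "${1:-}" in
    -h|--help)
      # Constructed usage text; the real script's options are not on the page.
      printf '%s\n' "usage: prep-airdrop.sh [--help]"
      return 0
      ;;
  esac
  require_no_service_token "prep-airdrop.sh" || return 1
  : "${ONEPASSWORD_TIMEMACHINE_ITEM:?must be set in the config file}"
  printf '%s\n' "proceeding with interactive 1Password auth"
}
```

A script would end with `main_example "$@"`; the guard never prints the token value itself.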
