Skip to content

refactor(config): simplify credential passing — eliminate cache, use env vars directly#480

Merged
zbigniewsobiecki merged 1 commit intodevfrom
refactor/simplify-credential-passing
Feb 22, 2026
Merged

refactor(config): simplify credential passing — eliminate cache, use env vars directly#480
zbigniewsobiecki merged 1 commit intodevfrom
refactor/simplify-credential-passing

Conversation

@zbigniewsobiecki
Copy link
Copy Markdown
Member

@zbigniewsobiecki zbigniewsobiecki commented Feb 22, 2026

Summary

  • Eliminate the credential cache module — credentials are immutable during a worker run, so a cache is unnecessary overhead
  • Router sets individual env vars instead of a JSON blob (CASCADE_CREDENTIALS), plus CASCADE_CREDENTIAL_KEYS as a comma-separated key list sentinel
  • Remove loadRouterCredentials() from worker-entry — env vars are already set by Docker, no parsing needed
  • Credential functions use CASCADE_CREDENTIAL_KEYS as the worker-context guard (replaces cache-based guard)
  • Remove legacy GITHUB_TOKEN fallback in resolveGitHubToken — all projects use dual-persona tokens, let errors propagate
  • Clean up dead env vars from scrub list (CASCADE_CREDENTIALS, CASCADE_CREDENTIALS_PROJECT_ID)

Before: Router → JSON blob env var → Worker parses JSON → spreads to process.env → populates cache module → credential functions check process.env + cache + DB fallback guards. Three mechanisms.

After: Router sets individual env vars → credential functions read from process.env → done. One mechanism.

Test plan

  • npm run typecheck — clean
  • npm run lint — clean
  • npm test — all 2515 tests pass (156 files)
  • Worker-context tests updated to use CASCADE_CREDENTIAL_KEYS env var
  • Legacy fallback tests replaced with error-propagation test
  • Dead env var scrub tests removed

🤖 Generated with Claude Code

@zbigniewsobiecki @claude
refactor(config): simplify credential passing — eliminate cache, use …
be4103e 
…env vars directly

Credentials are immutable during a worker run. The previous three-mechanism
approach (JSON blob env var → parse + spread to process.env → populate cache
module → credential functions check env + cache + DB guards) is replaced by
a single mechanism: router sets individual env vars, credential functions
read from process.env.

- Router sets individual env vars + CASCADE_CREDENTIAL_KEYS sentinel
- Delete loadRouterCredentials() from worker-entry (env vars set by Docker)
- Credential functions use CASCADE_CREDENTIAL_KEYS as worker-context guard
- getAllProjectCredentials reconstructs map from env var key list
- Remove legacy GITHUB_TOKEN fallback in resolveGitHubToken
- Remove dead CASCADE_CREDENTIALS/CASCADE_CREDENTIALS_PROJECT_ID from scrub list

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@zbigniewsobiecki zbigniewsobiecki merged commit 4ab7ad2 into dev Feb 22, 2026
5 checks passed
@zbigniewsobiecki zbigniewsobiecki deleted the refactor/simplify-credential-passing branch February 22, 2026 16:12
@zbigniewsobiecki zbigniewsobiecki mentioned this pull request Feb 22, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@zbigniewsobiecki