Conversation
…-09, H-12, H-14)
H-12: Dedup concurrent same-role token resolution.
Add an inFlight Map<string, Promise<TokenResolveResult>> in front of the
existing token cache. Two callers for the same (squadDir, role) that both
miss the cache now share a single getInstallationToken invocation. The
in-flight slot is released via .finally on success AND failure so the next
call starts fresh.
H-14: Surface PEM key age.
Add getKeyAgeDays(projectRoot, role) in identity/storage.ts — returns
integer days since the PEM file's mtime, or null when the file is missing
or stat fails (e.g., WSL drvfs / restricted mounts — silently skipped).
squad identity status — inline 'key age: Nd' per role, dim/yellow/red.
squad identity doctor — new check 'keys/<role>.pem age within rotation
window'. ok <60d, warn >=60d, fail >=SQUAD_IDENTITY_KEY_MAX_AGE_DAYS
(default 90, env-overridable).
H-09: Additive sync cache-only resolver.
Add resolveTokenSync(squadDir, role) — returns cached token if present
and outside the 10-minute refresh margin, or null. Does NOT read disk,
sign a JWT, call the GitHub API, or populate the cache. Respects the
SQUAD_IDENTITY_MOCK hook for parity with the async path.
shell/spawn.ts::spawnAgent now tries resolveTokenSync first and falls
through to the async resolveToken on miss. Public async resolveToken API
is unchanged — this ships as a new named export, semver minor (not a
breaking change).
Tests: 17 new across test/identity/{dedup,key-age,sync-resolve}.test.ts.
All 194 identity tests pass under npx vitest run test/identity/.
Changeset: @bradygaster/squad-sdk minor, @bradygaster/squad-cli patch.
Closes H-09, H-12, H-14 in docs/proposals/identity-hardening-roadmap-2026-04-20.md.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
sabbour
left a comment
sabbour
left a comment
There was a problem hiding this comment.
✅ APPROVE — Flight (Lead) Review
All 19 hard checks pass. No blockers. Ready to merge.
H-12 (Dedup): ✅ All 5 checks pass
Clean .finally() release on success AND failure. Cache-hit fast path never touches inFlight. No deadlock risk. 5 focused dedup tests.
H-14 (Key Age): ✅ All 4 checks pass
getKeyAgeDays returns null gracefully (missing PEM, stat failure). Thresholds correct: doctor warns ≥60d, fails ≥90d (env-overridable). Status displays dim/yellow/red correctly. Roles without PEMs silently skipped.
H-09 (Sync Resolver): ✅ All 5 checks pass
resolveTokenSync is truly synchronous (function, not async function). Cache-only, no I/O. spawnAgent tries sync-first → async fallthrough. Additive — resolveToken unchanged. 6 solid tests including mock parity and return-type assertion.
Cross-cutting: ✅ All 5 checks pass
No token leakage. Changeset names correct (@bradygaster/*). Scope clean: resolve-token.mjs and docs/identity/ untouched. Build green. 177 identity tests pass. No signs of lost work in commit history.
Nits (non-blocking)
- N-1: PR body says "194 tests / 18 files" but actual run yields 177/15. All 17 new tests are present — likely stale count.
- N-2: Key-age env override test validates semantics, not doctor output integration. Low risk given 5-line
getKeyAgeMaxDays().
Call-outs
resolveTokenInternal extraction is clean. mtime over createdAt schema change is the right call. Sync-first fallthrough in spawn.ts is well-executed.
Full review: docs/reviews/pr-26-dedup-keyage-sync-review-2026-04-21.md
1 participant
What
Three identity hardening items from
docs/proposals/identity-hardening-roadmap-2026-04-20.mdbundled in one PR since they all touchpackages/squad-sdk/src/identity/tokens.tsand we don't want merge churn.H-12 — Concurrent same-role request dedup
inFlight: Map<string, Promise<TokenResolveResult>>intokens.ts.(squadDir, role)that both miss the token cache now share onegetInstallationTokencall..finallyon success AND failure so the next call starts fresh.H-14 — Key age warnings
getKeyAgeDays(projectRoot, role)instorage.ts. Returns integer days since PEMmtime, ornullwhen the file is missing /statfails (silent skip for WSL drvfs / restricted mounts — don't false-fail operators).squad identity status— inlinekey age: Ndper role (dim <60d / yellow ≥60d / red ≥max).squad identity doctor— new checkkeys/<role>.pem age within rotation window. ok <60d, ⚠ warn ≥60d, ✗ fail ≥SQUAD_IDENTITY_KEY_MAX_AGE_DAYS(default 90).H-09 — Additive sync cache-only resolver
The roadmap's original H-09 (remove
asyncfromgenerateAppJWT) would be a breaking SDK change. Rather than break consumers mid-migration, this PR lands the additive variant spelled out in the task brief:resolveTokenSync(squadDir, role)— returns cached token synchronously ornull. No disk I/O, no JWT sign, no network, no cache population. RespectsSQUAD_IDENTITY_MOCK.packages/squad-cli/src/cli/shell/spawn.ts::spawnAgentnow triesresolveTokenSyncfirst and falls through to asyncresolveTokenon miss.resolveTokenAPI unchanged — consumers stillawaitit.Tests
17 new tests across:
test/identity/dedup.test.ts(5)test/identity/key-age.test.ts(6)test/identity/sync-resolve.test.ts(6)npx vitest run test/identity/ --reporter=dot→ 18 files / 194 tests pass.npm run build→ green.Scope hygiene
resolve-token.mjstemplate copies (FIDO owns canonicalization in parallel).docs/identity/(McWriter owns docs)..changeset/identity-dedup-key-age.mdbumps@bradygaster/squad-sdkminor (new exports) and@bradygaster/squad-clipatch.Roadmap references
docs/proposals/identity-hardening-roadmap-2026-04-20.md§H-09 (reframed additive — see.squad/agents/eecom/history.mdfor rationale)Working as EECOM (Core Dev).
🤖 Created by GitHub Copilot CLI