vault: bw sync on every read so reads show the latest values
`bw unlock` only decrypts the LOCAL cache, so a persisted (already logged-in) session served stale data — a password changed in the web vault wouldn't appear until the next fresh login. Add a best-effort `bw sync` in openSession (the chokepoint every read shares: get, get --all, list, code, status), so reads reflect current server-side values. Best-effort by design: a transient sync failure warns on stderr and falls back to the cached vault rather than failing the read (an AFK agent shouldn't break on a network blip). status keeps its own explicit sync so a reachability failure still surfaces in its report. CLI v0.10.1. Tests assert the sync runs after unlock and before the read, and that a read still succeeds when sync fails. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
Viktor Barzin
parent
3d948c7033
commit
12a45fa94e
4 changed files with 88 additions and 3 deletions
|
|
@ -234,6 +234,16 @@ only seed-derived path stays the specially-audited `vault code`. Like
|
|||
`get --json`, the dump is all secret values, so it **refuses a terminal** — pipe
|
||||
it (`homelab vault get <name> --all | jq`).
|
||||
|
||||
### v0.10.1 — reads `bw sync` first (always fresh)
|
||||
|
||||
Every vault read (`get`, `get --all`, `list`, `code`, `status`) now runs `bw
|
||||
sync` when opening its session, so it reflects the latest server-side values.
|
||||
`bw unlock` only decrypts the *local* cache, so without this a persisted
|
||||
(already-logged-in) session served stale data — a password changed in the web
|
||||
vault wouldn't show up until the next login. The sync is **best-effort**: a
|
||||
transient failure warns on stderr and falls back to the cached vault rather than
|
||||
failing the read.
|
||||
|
||||
## Build / install
|
||||
|
||||
Built from source to `/usr/local/bin/homelab` during devvm provisioning
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue