infra/scripts/workstation
Viktor Barzin c70810a51b
ci/woodpecker/push/default Pipeline was successful
workstation: per-user long-lived Claude token to end concurrent-refresh logout
A heavy user (emo) runs 8+ always-on `claude` agents + their t3-serve instance,
all sharing one ~/.claude/.credentials.json. When the shared access token expires
the processes refresh simultaneously; OAuth refresh-token rotation makes the
losing writer persist an EMPTY refresh token, logging the user out roughly every
access-token lifetime (~8h). Re-issuing the credential never sticks — the race
recurs (this is why emo's "standalone token" fix kept regressing).

Fix: an opt-in, per-user, non-rotating setup-token (sk-ant-oat01, ~1y, scope
user:inference) kept in the user's OWN Vault path (field `setup_token`).
claude-auth-sync materializes it to a user-owned
~/.config/claude-auth-sync/claude-oauth.env and, while it is present, SKIPS the
rotating-credential validate/backup/restore (so no false
WorkstationClaudeAuthInvalid). start-claude.sh and t3-serve@.service load it as
CLAUDE_CODE_OAUTH_TOKEN, so every session of that user uses the non-rotating
token and there is nothing to race on.

Fail-safe + opt-in: with no `setup_token` in Vault, every path is a no-op, so
users on the normal per-user Enterprise-SSO flow are unaffected. This is each
user's OWN identity, never the forbidden shared CLAUDE_CODE_OAUTH_TOKEN. Runbook
documents enable/disable/rotate.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-28 08:07:43 +00:00
| Name | Last commit | Date |
| --- | --- | --- |
| claude-hooks | workstation: harden memory hooks — prune dead plugin refs + homelab-CLI-only store | 2026-06-22 09:24:42 +00:00 |
| claude-skills | devvm: personalize emo's cluster-health skill for ha-sofia | 2026-06-26 16:03:14 +00:00 |
| playwright | workstation: per-user playwright browser MCP for all users, reproducible from git | 2026-06-16 20:33:47 +00:00 |
| skel | workstation: per-user long-lived Claude token to end concurrent-refresh logout | 2026-06-28 08:07:43 +00:00 |
| .gitignore | fix: restore tree dropped by 6d224861; land stem95su gdrive-sync (10m) [ci skip] | 2026-06-09 08:45:33 +00:00 |
| claude-auth-sync.sh | workstation: per-user long-lived Claude token to end concurrent-refresh logout | 2026-06-28 08:07:43 +00:00 |
| managed-settings.json | fix(workstation): carry OS/sudo authz policy into managed-settings source + multi-tenancy doc | 2026-06-26 08:25:33 +00:00 |
| packages.txt | workstation: switch devvm OOM backstop from systemd-oomd to earlyoom | 2026-06-22 10:39:16 +00:00 |
| roster.yaml | workstation: per-user code_layout — workspace puts project repos under ~/code (ancamilea + tripit) | 2026-06-10 18:05:31 +00:00 |
| roster_engine.py | workstation: per-user playwright browser MCP for all users, reproducible from git | 2026-06-16 20:33:47 +00:00 |
| setup-devvm.sh | homelab vault: install bw system-wide + onboarding runbook | 2026-06-27 08:16:52 +00:00 |
| test_roster_engine.py | workstation: per-user playwright browser MCP for all users, reproducible from git | 2026-06-16 20:33:47 +00:00 |