Skip to content

fix(supervisor): opt-out for persisting provider creds in service file#1787

Open
eric-jones wants to merge 1 commit intogastownhall:mainfrom
eric-jones:fix/stg-fiyg-plist-creds-optout
Open

fix(supervisor): opt-out for persisting provider creds in service file#1787
eric-jones wants to merge 1 commit intogastownhall:mainfrom
eric-jones:fix/stg-fiyg-plist-creds-optout

Conversation

@eric-jones
Copy link
Copy Markdown
Contributor

@eric-jones eric-jones commented May 7, 2026
edited by blacksmith-sh Bot
Loading

Summary

Adds an opt-out env var, GC_SUPERVISOR_OMIT_PROVIDER_CREDS. When set to "1"
at the time the supervisor service file is generated, provider-credential env
vars (ANTHROPIC_*, GEMINI_*, GOOGLE_*, OPENAI_*) are excluded from the
generated launchd plist / systemd unit. Default behavior is unchanged.

Background — provider creds are persisted in plaintext (mode 0600) into the
service file by design (#1198) so launchd/systemd-spawned supervisors can
deliver creds to agent sessions. The opt-out gives users who'd prefer to avoid
the on-disk plaintext (Time Machine backup posture, crash dumps, regression
surface) a way to disable persistence and deliver creds to the supervisor by
another mechanism (e.g. a wrapper around gc supervisor run).

This is the smallest concrete proposal in #1786; happy to take a different
direction if preferred (e.g. credentials-file loading at supervisor start,
Keychain).

Testing

Checklist

View in Codesmith
Need help on this PR? Tag @codesmith with what you need.

  • Let Codesmith autofix CI failures and bot reviews

@eric-jones
fix(supervisor): opt-out for persisting provider creds in service file
624cbdf 
Adds GC_SUPERVISOR_OMIT_PROVIDER_CREDS. When set to "1" at the time the
supervisor service file is generated, provider-credential env vars
(ANTHROPIC_*, GEMINI_*, GOOGLE_*, OPENAI_*) are excluded from the
generated launchd plist or systemd unit. Default behavior is unchanged.

Background: provider creds are persisted in plaintext (mode 0600) into
the service file by design (gastownhall#1198) so launchd/systemd-spawned
supervisors can deliver creds to agent sessions. The opt-out gives
users who'd prefer to avoid the on-disk plaintext (Time Machine
backups, crash dumps, regression surface) a way to disable persistence
and deliver creds via another mechanism.

Refs gastownhall#1786.
@eric-jones eric-jones requested a review from julianknutsen as a code owner May 7, 2026 08:16
@github-actions github-actions Bot added the status/needs-triage Inbox — we haven't looked at it yet label May 7, 2026
@codecov-commenter
Copy link
Copy Markdown

codecov-commenter commented May 7, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

@eric-jones eric-jones changed the title fix(supervisor): opt-out for persisting provider creds (#1786) fix(supervisor): opt-out for persisting provider creds in service file May 7, 2026
@randy-release-manager randy-release-manager Bot added kind/feature New capability priority/p2 Medium — real problem, workaround exists and removed status/needs-triage Inbox — we haven't looked at it yet labels May 7, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@julianknutsen julianknutsen Awaiting requested review from julianknutsen

Assignees

No one assigned

Labels

kind/feature New capability priority/p2 Medium — real problem, workaround exists

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@eric-jones @codecov-commenter