toph/claudebox
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
claudebox/.planning/phases/04-auth-passthrough/04-REVIEW-FIX.md

2.5 KiB
Raw Blame History

phase fixed_at review_path iteration findings_in_scope fixed skipped status
04-auth-passthrough 2026-04-10T00:00:00Z .planning/phases/04-auth-passthrough/04-REVIEW.md 1 4 4 0 all_fixed

Phase 04: Code Review Fix Report

Fixed at: 2026-04-10 Source review: .planning/phases/04-auth-passthrough/04-REVIEW.md Iteration: 1

Summary:

  • Findings in scope: 4 (2 Critical, 2 Warning; Info excluded by fix_scope)
  • Fixed: 4
  • Skipped: 0

Fixed Issues

CR-01: CREDS_FILE path resolves against the wrong directory on the host

Files modified: claudebox.sh Commit: adb9dd1 Applied fix: Changed CREDS_FILE from $HOME/.claude/.credentials.json to $HOME/.claudebox/.credentials.json. Added comments explaining that the ~/.claude -> ~/.claudebox symlink only exists inside the sandbox at runtime, so host-side credential detection must use the real claudebox config directory path.

CR-02: Credentials bind target uses a symlink path — may silently fail

Files modified: claudebox.sh Commit: adb9dd1 Applied fix: Changed the BWRAP_ARGS credential bind destination from $HOME/.claude/.credentials.json (symlink path, unresolvable by bwrap at bind time) to $HOME/.claudebox/.credentials.json (canonical real directory). Also updated the --dry-run output block to print the corrected destination path.

WR-01: Credentials file mounted read-write instead of read-only

Files modified: claudebox.sh Commit: adb9dd1 Applied fix: Changed --bind to --ro-bind for the credentials bind in both the BWRAP_ARGS array (line ~366) and the --dry-run output block (line ~333). Also updated the print_audit mounts display to show (read-only) and display $CREDS_FILE (the actual host source path) instead of the hardcoded symlink path inside the sandbox.

WR-02: dry-run ENV_ARGS loop hard-codes stride of 3 — breaks if any non-setenv arg is added

Files modified: claudebox.sh Commit: 0922b75 Applied fix: Added a guard assertion before the stride-3 loop that checks ${#ENV_ARGS[@]} % 3 != 0 and exits with a BUG: message if the invariant is violated. This catches any future breakage immediately rather than producing silently mangled output. Also changed (( dry_run_i += 3 )) to dry_run_i=$(( dry_run_i + 3 )) to use safe arithmetic assignment compatible with set -euo pipefail (which writeShellApplication enables).

Fixed: 2026-04-10 Fixer: Claude (gsd-code-fixer) Iteration: 1