Add ENTIRE_CHECKPOINT_TOKEN for checkpoint push/fetch auth#818
Merged
Conversation
Inject a bearer token into git push/fetch operations for checkpoint branches when the ENTIRE_CHECKPOINT_TOKEN env var is set. The token is passed via GIT_CONFIG_COUNT env vars (not CLI args) to avoid exposing it in /proc/cmdline. Only HTTPS remotes are supported; SSH remotes trigger a warning that the token is ignored. Signed-off-by: Paulo Gomes <paulo@entire.io> Assisted-by: Claude Opus 4.6 <noreply@anthropic.com> Entire-Checkpoint: 0d5153892d18
Contributor
There was a problem hiding this comment.
Pull request overview
Adds optional bearer-token authentication for checkpoint-related git push/git fetch operations when ENTIRE_CHECKPOINT_TOKEN is set, by injecting an http.extraHeader Authorization header via GIT_CONFIG_COUNT env vars (avoiding CLI args exposure).
Changes:
- Introduces
strategy.CheckpointGitCommandto build git CLI commands with conditional token injection for HTTPS remotes (and warn/ignore for SSH). - Switches checkpoint push/fetch call sites to use
CheckpointGitCommand. - Adds unit/integration-style tests validating protocol resolution, env injection, and that git actually sends the Authorization header over HTTPS.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| cmd/entire/cli/strategy/push_common.go | Uses CheckpointGitCommand for checkpoint branch push/fetch. |
| cmd/entire/cli/strategy/checkpoint_token.go | New helper for protocol detection and token injection via GIT_CONFIG_* env vars. |
| cmd/entire/cli/strategy/checkpoint_token_test.go | Tests for protocol resolution, env injection, stderr warning, and real HTTPS header behavior. |
| cmd/entire/cli/strategy/checkpoint_remote.go | Uses CheckpointGitCommand for metadata-branch fetch-by-URL with GIT_TERMINAL_PROMPT=0. |
| cmd/entire/cli/git_operations.go | Routes several origin fetch operations through strategy.CheckpointGitCommand. |
Reject tokens containing control characters (CR, LF, null, etc.) to prevent HTTP header injection when the value is concatenated into http.extraHeader. Emit the SSH token warning only once per process via sync.Once, and improve doc comments for CheckpointGitCommand. Signed-off-by: Paulo Gomes <paulo@entire.io> Assisted-by: Claude Opus 4.6 <noreply@anthropic.com> Entire-Checkpoint: ff9b5ede9efe
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Inject a bearer token into git push/fetch operations for checkpoint branches when the
ENTIRE_CHECKPOINT_TOKENenv var is set. The token is passed viaGIT_CONFIG_COUNTenv vars (not CLI args) to avoid exposing it in /proc/cmdline. Only HTTPS remotes are supported; SSH remotes trigger a warning that the token is ignored.Note
Medium Risk
Moderate risk because it changes how git network commands are constructed and modifies authentication behavior via environment injection, which could affect checkpoint syncing and credential handling. Scope is limited to checkpoint/metadata git operations and is covered by new unit and integration-style tests.
Overview
Adds
ENTIRE_CHECKPOINT_TOKENsupport for checkpoint git operations by introducingstrategy.CheckpointGitCommand, which injects a bearer token ashttp.extraHeaderviaGIT_CONFIG_*env vars for HTTPS remotes (and warns/ignores tokens for SSH or unknown targets).Updates checkpoint-related
git fetch/pushcall sites (including metadata fetches and checkpoint-remote bootstrap fetch) to use this wrapper, while preserving non-interactive behavior by explicitly appendingGIT_TERMINAL_PROMPT=0where needed.Adds comprehensive tests validating protocol detection, env var filtering/injection, SSH warning behavior, and that real git requests to an HTTPS test server actually include the
Authorizationheader.Written by Cursor Bugbot for commit ea1a7da. Configure here.