v0.5.1: run self_update BEFORE the auth prompt (chicken-and-egg fix)

In 0.5.0 (and every prior version), prompt_first_run_auth was called unconditionally at script load time, BEFORE self_update. On a never- authenticated box, this meant a broken lib/oauth.sh trapped the user: 1. larry starts 2. no creds → auth prompt fires 3. pick OAuth → old broken oauth.sh runs → rate_limit_error 4. Ctrl-C at the API-key fallback prompt 5. script exits — self_update never ran 6. relaunch → exact same trap, forever Fix: defer the auth-prompt call to run AFTER self_update. The auth function DEFINITION stays where it is; only the CALL site moves. Now on a fresh box: 1. larry starts 2. self_update phase A pulls MANIFEST and refreshes everything, including a patched lib/oauth.sh 3. THEN the auth prompt fires, using the now-correct OAuth code Verified: with no ANTHROPIC_API_KEY and no .oauth.json, the manifest sync log lines appear before the "First-run authentication setup" menu. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-27 09:02:07 -07:00 · 2026-05-27 09:02:07 -07:00 · 9b198f4e50
commit 9b198f4e50
parent a527dc7172
2 changed files with 14 additions and 5 deletions
--- a/2
+++ b/2
@ -1 +1 @@
-0.5.0
+0.5.1
--- a/larry.sh
+++ b/larry.sh
@ -36,7 +36,7 @@ set -o pipefail
 # ─────────────────────────────────────────────────────────────────────────────
 # Config
 # ─────────────────────────────────────────────────────────────────────────────
-LARRY_VERSION="0.5.0"
+LARRY_VERSION="0.5.1"
 LARRY_HOME="${LARRY_HOME:-$HOME/.larry}"
 LARRY_BASE_URL="${LARRY_BASE_URL:-https://raw.githubusercontent.com/bojj27/cloverleaf-larry/main}"
 LARRY_UPDATE_URL="${LARRY_UPDATE_URL:-${LARRY_BASE_URL}/larry.sh}"
@ -176,9 +176,10 @@ prompt_api_key() {
  log "API key saved."
 }

-if [ -z "$LARRY_AUTH_MODE" ]; then
-  prompt_first_run_auth
-fi
+# NOTE: the auth-prompt CALL (prompt_first_run_auth) is deliberately deferred
+# until AFTER self_update has run — otherwise a broken lib/oauth.sh traps the
+# user before the auto-update mechanism gets a chance to fix it. See call site
+# below the self_update block.

 # ─────────────────────────────────────────────────────────────────────────────
 # Fetch agents if missing
@ -352,6 +353,14 @@ self_update() {
 }
 self_update

+# ── Deferred auth prompt ────────────────────────────────────────────────────
+# Now that self_update has had a chance to refresh lib/oauth.sh, gate on
+# credentials. On a fresh box (no .oauth.json, no API key) this is the first
+# interactive prompt the user sees.
+if [ -z "$LARRY_AUTH_MODE" ]; then
+  prompt_first_run_auth
+fi
+
 # ─────────────────────────────────────────────────────────────────────────────
 # Cloverleaf environment detection
 # Surfaces HCIROOT / HCISITE / HCISITEDIR and which tool layer is present
 @ -1 +1 @@
 .5.0
 .5.1