2b578f5058
An install switching TO broker-mode (the v0.9.0 default) carried long-lived Anthropic/OAuth credentials from the pre-broker era. Broker-mode authenticates via short-lived broker tokens and never uses them — they are a pure security liability on the box, acutely so on a PHI box. On the next self-update the agent now cleans them up automatically: - Secure-deletes $LARRY_HOME/.api-key and .oauth.json (reuses the uninstall-larry.sh shred -u -z -n3 -> overwrite -> rm logic). - Strips the ANTHROPIC_API_KEY / CLAUDE_CODE_OAUTH_TOKEN LINES from $LARRY_HOME/.env and from ~/.bashrc, ~/.bash_profile, ~/.profile (backup first); every other line is kept. - Idempotent (.broker-cred-wiped marker, written only after a run that removed something); silent no-op when clean. - Hard-guarded on LARRY_AUTH_MODE=broker: does NOT fire under the apikey escape hatch (which legitimately still needs the key). Only the two Anthropic/OAuth vars are touched (LARRY_* / GITEA_TOKEN are still needed in broker mode). - Prints a reminder to ALSO revoke at the source (local deletion != server revocation), per the decommission / kill-switch docs. Fires at the broker-resolution block (after self_update synced a fresh lib/broker.sh, before the fail-closed preflight). New functions in lib/broker.sh: _broker_wipe_obsolete_credentials, _broker_strip_cred_lines_from_env, _broker_strip_cred_lines_from_rc. VERSION + MANIFEST regenerated. Tested: 31/31 assertions pass across the upgrade-wipe, apikey-non-wipe, clean-no-op, idempotency, dangerous-path-guard, and selective-line-strip paths. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2 lines
6 B
Plaintext
2 lines
6 B
Plaintext
0.9.1
|