Skip to content

fix(run): regenerate persisted authority key on demand when missing#218

Merged
veeso merged 2 commits into
mainfrom
fix/persisted-authority-key-regen
Jul 1, 2026
Merged

fix(run): regenerate persisted authority key on demand when missing#218
veeso merged 2 commits into
mainfrom
fix/persisted-authority-key-regen

Conversation

@veeso

@veeso veeso commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Fixes FIR-404 — https://linear.app/firma-ai/issue/FIR-404

Summary

firma run fails closed with failed to read key file … No such file or directory when the persisted [authority].key_file no longer exists on disk — e.g. it lives in $XDG_RUNTIME_DIR (a tmpfs cleared on logout/reboot) and the machine has since rebooted.

Root cause

The persisted authority-config path added in #174 reads the configured key_file directly but never generates it when absent, despite:

  • persisted_authority_config’s doc claiming “The key is generated on demand if the configured path has none yet.”
  • generate_authority_key’s doc referencing an ensure_authority_key helper that was never implemented.

Before #174, autostart always minted a fresh ephemeral key in the per-run marker dir, so a missing configured key never mattered. #174 switched to reading the persisted key without regenerating it.

Fix

  • Implement ensure_authority_key — idempotent: reuse an existing key so issued tokens survive restarts; mint one (creating the parent dir) only when the secret is missing. Called from persisted_authority_config.

Test

  • crates/firma/tests/run_echo_smoke.rs: scaffolds a real persisted config, wipes the key to mimic the tmpfs wipe, and runs firma run -- echo hello end to end — asserting the sandboxed command executes and the key is regenerated. Skips gracefully only when the host lacks unprivileged user namespaces.
  • regenerates_missing_key_file unit test on persisted_authority_config.

#174’s e2e scenarios always run against a freshly-minted key in a tempdir and are #[ignore]d, so they never exercise a stale persisted config — this adds the missing coverage.

Verification

  • Reproduced the failure on unpatched code (authority autostart failed); patched → prints hello, key regenerated.
  • cargo clippy -p firma-run -p firma --tests clean; cargo fmt --check clean; new + existing tests pass.

veeso added 2 commits July 1, 2026 15:39
The persisted authority-config path (added in #174) read the configured
key_file directly but never generated it when absent, despite the doc
comments promising on-demand generation and referencing an
ensure_authority_key helper that was never implemented.

When key_file lives in a volatile location (e.g. $XDG_RUNTIME_DIR, a
tmpfs cleared on logout), the persisted config keeps pointing at it after
a reboot even though the file is gone, so 'firma run' failed closed with
'failed to read key file … No such file or directory'.

Implement ensure_authority_key (idempotent: reuse an existing key so
issued tokens survive restarts; mint one only when missing) and call it
from persisted_authority_config.

Add a full-stack smoke test that scaffolds a persisted config, wipes the
key, and runs 'firma run -- echo hello' end to end — the coverage #174
lacked, since its e2e scenarios always run against a freshly-minted key
in a tempdir and never exercise a stale persisted config.
CI runners and macOS lack the bubblewrap sandbox 'firma run' needs, so
the end-to-end smoke test failed with 'backend error (bwrap): bubblewrap
is not installed'. Restrict it to Linux and skip cleanly when the sandbox
is absent; the always-running regenerates_missing_key_file unit test
still guards the fix on every platform. The smoke test runs fully wherever
bwrap is present.
@codecov

codecov Bot commented Jul 1, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 72.72727% with 9 lines in your changes missing coverage. Please review.

Files with missing lines Patch % Lines
crates/firma-run/src/authority/supervisor.rs 72.72% 6 Missing and 3 partials ⚠️

📢 Thoughts on this report? Let us know!

@veeso veeso merged commit d5aa452 into main Jul 1, 2026
14 of 15 checks passed
@veeso veeso deleted the fix/persisted-authority-key-regen branch July 1, 2026 16:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant