feat(cli): VT_BACKEND routing pin (auto|agent|passkey)#4
Merged
Conversation
…ment docs The config-file fallback made VT_AUTH presence ambient — a copied config.toml silently opts a host into agent-socket probing, weakening the old "env var present = per-host intent" routing signal. Make intent explicit: - VT_BACKEND=auto (default): existing behavior — agent first when VT_AUTH is set, passkey fallback on recoverable errors. - VT_BACKEND=agent: agent only; unreachable socket is an actionable error instead of silently paging the phone. sign@vt's decrypt-then-sign fallback still applies (its decrypt honors the pin). - VT_BACKEND=passkey: never probe the agent socket even when VT_AUTH is set; vt run (agent-only) errors out. Invalid values fail loudly at startup (VTClient::new), which also validates per-pin requirements (agent→VT_AUTH, passkey→VT_PASSKEY_URL). has_auth_token() is false under the passkey pin, so vt ssh connect skips agent-identity discovery. Docs: CLAUDE.md routing section + config.example.toml now spell out the placement discipline (VT_AUTH only in configs of hosts that can reach a vt agent) and the one-shot escape hatch (`VT_AUTH= vt …`, empty env var beats the file and skips the agent).
…h is probed per call, safe to sync
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
The config-file fallback (
~/.config/vt/config.toml) madeVT_AUTHpresence ambient: a copied config silently opts a host into agent-socket probing, weakening the old "env var present = per-host intent" routing signal. This PR makes routing intent explicit with aVT_BACKENDpin (env or config key, validated inVTClient::new):auto(default) — existing behavior: agent first whenVT_AUTHis set, passkey fallback pershould_fallback_to_cf.agent— agent only; an unreachable socket is an actionable error instead of silently paging the phone. RequiresVT_AUTH.sign@vt's decrypt-then-sign fallback still applies — its decrypt honors the pin.passkey— never probes the agent socket even whenVT_AUTHis set (shared config case). RequiresVT_PASSKEY_URL.vt run(agent-only) errors out;vt ssh connectskips agent-identity discovery (has_auth_token→ false).auto.Docs (CLAUDE.md + config.example.toml) now spell out the placement discipline —
VT_AUTHonly in configs of hosts that can actually reach a vt agent — and the one-shot escape hatchVT_AUTH= vt …(set-but-empty env var beats the file and skips the agent).Reviewed by codex-expert: no routing-boundary violations (passkey never probes the socket; agent never reaches CF), validation combos complete, docs match code. Verdict: safe to merge.
Test plan
cargo test(227 passed; newBackend::parseunit tests)cargo check --target x86_64-unknown-linux-gnu(zigbuild)🤖 Generated with Claude Code