Non-Blocking Review Concern: Document keychain idle-lock implications for any future headless secret reads
Source: claude (PR review bot)
Location: scripts/server/first-boot.sh (removed block ~line 484-492)
PR: #35 — feat(phase4): drop target-keychain path, use ssh AcceptEnv for OP token (#35)
Date: 2026-04-16
What was flagged
This PR correctly removes the security set-keychain-settings -l -u block since the OP token no longer lives in the login keychain. However, if a future setup script reads other secrets (TimeMachine, WiFi, etc.) from the login keychain in a headless/non-SSH context, the default idle-lock behavior may cause silent failures. Worth noting in the credential-flow docs or re-introducing the setting if/when such a reader is added.
Context
This issue was automatically created from a non-blocking concern identified
during pre-merge review of PR #35. It was safe to merge but worth tracking.
Created by lib-review-issues.sh
Non-Blocking Review Concern: Document keychain idle-lock implications for any future headless secret reads
Source: claude (PR review bot)
Location:
scripts/server/first-boot.sh (removed block ~line 484-492)PR: #35 — feat(phase4): drop target-keychain path, use ssh AcceptEnv for OP token (#35)
Date: 2026-04-16
What was flagged
This PR correctly removes the
security set-keychain-settings -l -ublock since the OP token no longer lives in the login keychain. However, if a future setup script reads other secrets (TimeMachine, WiFi, etc.) from the login keychain in a headless/non-SSH context, the default idle-lock behavior may cause silent failures. Worth noting in the credential-flow docs or re-introducing the setting if/when such a reader is added.Context
This issue was automatically created from a non-blocking concern identified
during pre-merge review of PR #35. It was safe to merge but worth tracking.
Created by lib-review-issues.sh