lhumina_code/hero_skills
23
0
Fork 0
Code Issues 14 Pull requests 3 Projects Releases 1 Packages 1 Wiki Activity Actions

bug: secrets_sync appends duplicate keys in secrets.toml instead of replacing #111

New issue
Closed
opened 2026-04-21 15:25:30 +00:00 by sameh-farouk · 0 comments
sameh-farouk commented 2026-04-21 15:25:30 +00:00
Member
Copy link

Summary

When rotating a secret (e.g. forge_token), editing secrets.toml and running secrets_sync can leave the file with two forge_token entries — one under [cfg] and a duplicate elsewhere. TOML's last-key-wins means the stale value silently wins on load (secrets source), so $env.FORGE_TOKEN never reflects the rotation and forge user keeps returning 401 with the old, revoked token.

Caught during a token rotation where the new value appeared not to apply across fresh SSH sessions until the duplicate at the bottom of the file was manually removed.

Location

tools/modules/secrets_lib.nu — the write path (secrets_set / the secrets_merge append logic around lines 97–140).

Proposed fix

  1. On write: search the file for an existing key (case-insensitive), replace in place if found, otherwise append under the correct section.
  2. On load (secrets source): warn when any key appears more than once in secrets.toml, so duplicates surface loudly rather than silently.
  3. Optional: secrets_sync could dedupe + canonicalize the file on every run, ensuring last-wins never causes silent wrong values.

Impact

High-friction, low-severity. Silently makes rotation appear not to work. Easy to misdiagnose as a token/scope issue.

### Summary When rotating a secret (e.g. `forge_token`), editing `secrets.toml` and running `secrets_sync` can leave the file with two `forge_token` entries — one under `[cfg]` and a duplicate elsewhere. TOML's last-key-wins means the stale value silently wins on load (`secrets source`), so `$env.FORGE_TOKEN` never reflects the rotation and `forge user` keeps returning 401 with the old, revoked token. Caught during a token rotation where the new value appeared not to apply across fresh SSH sessions until the duplicate at the bottom of the file was manually removed. ### Location `tools/modules/secrets_lib.nu` — the write path (`secrets_set` / the `secrets_merge` append logic around lines 97–140). ### Proposed fix 1. On write: search the file for an existing key (case-insensitive), replace in place if found, otherwise append under the correct section. 2. On load (`secrets source`): warn when any key appears more than once in `secrets.toml`, so duplicates surface loudly rather than silently. 3. Optional: `secrets_sync` could dedupe + canonicalize the file on every run, ensuring last-wins never causes silent wrong values. ### Impact High-friction, low-severity. Silently makes rotation appear not to work. Easy to misdiagnose as a token/scope issue.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
development
development_fix_livekit_config_consistency_153
develop_hero_claude
fix/client-root-scope-hint-151
main
latest
Labels
Clear labels   
prio_critical

   
prio_low

   
type_bug

   
type_contact

   
type_issue

   
type_lead

   
type_question

   
type_story

   
type_task
No labels
prio_critical
prio_low
type_bug
type_contact
type_issue
type_lead
type_question
type_story
type_task
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
lhumina_code/hero_skills#111
No description provided.