fix(desktop): seed auth token in worktree setup to avoid re-authentication #1570

Merged: Kitenite merged 1 commit into main from kitenite/persist-load-state-in-new-wt on Feb 19, 2026
@Kitenite Kitenite commented Feb 18, 2026

Summary

  • New worktrees require re-authentication because the setup script sets SUPERSET_HOME_DIR to a worktree-local superset-dev-data/ directory, but never copies the auth token there
  • The encrypted token at ~/.superset/auth-token.enc uses the machine's hardware UUID for encryption, so it's portable across worktrees on the same machine
  • Adds a step_seed_auth_token to the setup script that copies the token, matching the existing step_seed_local_db pattern

Changes

  • .superset/lib/setup/steps.sh — Added step_seed_auth_token() function that copies ~/.superset/auth-token.enc to superset-dev-data/auth-token.enc with 0600 permissions
  • .superset/lib/setup/main.sh — Added step 5 (seed auth token) after seeding the local DB, renumbered subsequent steps

Test Plan

  • Create a new workspace/worktree via the desktop app
  • Verify setup output shows "Auth token seeded from ~/.superset/auth-token.enc"
  • Confirm the new worktree starts authenticated without requiring sign-in
  • Verify -f/--force flag overwrites an existing token
  • Verify graceful skip when no source token exists (fresh machine)

Summary by CodeRabbit

  • Chores
    • Enhanced development environment setup process to include authentication token initialization during initial configuration.

…ation

Copy encrypted auth token from ~/.superset/ to superset-dev-data/ during
workspace setup so new worktrees inherit the existing session.
coderabbitai Bot commented Feb 18, 2026

Walkthrough

This change introduces a new authentication token seeding step to the setup process that copies a pre-existing auth token from the user's home directory into the superset development data directory with appropriate directory and file permissions.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Setup orchestration (.superset/lib/setup/main.sh) | Introduces a new auth token seeding step into the setup flow and renumbers subsequent steps (Neon, port allocation, Electric SQL, and environment configuration) to accommodate the insertion. |
| Step implementation (.superset/lib/setup/steps.sh) | Adds step_seed_auth_token() function that copies auth token from $HOME/.superset/auth-token.enc to superset-dev-data/auth-token.enc with conditional overwrite logic controlled by FORCE_OVERWRITE_DATA flag, directory permissions set to 700, and file permissions set to 600. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 A token is seeded with care,
In the dev-data folder so rare,
With permissions just right—700, 600—
The setup flows smooth, old and new,
One step added, the rest dance anew! 🥕✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 25.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately captures the main change: adding auth token seeding to worktree setup to prevent re-authentication. |
| Description check | ✅ Passed | The description includes a clear summary, specific changes to files, and test plan, covering all major sections of the template. |

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.superset/lib/setup/steps.sh (1)

193-194: ⚠️ Potential issue | 🟡 Minor

Stale step-number comment: step_start_electric still reads "Step 6" but allocate_port_base is now step 7 after this PR's renumbering.

📝 Proposed fix
-  # Step 6 allocates SUPERSET_PORT_BASE; Electric must use that reserved port.
+  # Step 7 allocates SUPERSET_PORT_BASE; Electric must use that reserved port.
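Review bot: the corrected comment still hard-codes a step number ("Step 7"), which is the same thing that went stale when this PR inserted a step. Refer to the step by what it does, for example "The port-allocation step sets SUPERSET_PORT_BASE; Electric must use that reserved port.", so the next renumbering does not require another edit here.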
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.superset/lib/setup/steps.sh around lines 193 - 194, Update the stale
step-number in the comment inside the step_start_electric block: change the
reference "Step 6" to "Step 7" so it matches the renumbering after
allocate_port_base; locate the comment near the step_start_electric
function/section that mentions SUPERSET_PORT_BASE and adjust the step number
text to "Step 7".
🧹 Nitpick comments (1)
.superset/lib/setup/steps.sh (1)

464-471: mkdir/chmod 700 run before the destination-exists check — inconsistent with step_seed_local_db.

In step_seed_local_db, mkdir -p "$dev_data_dir" only runs after all guard checks pass. Here, the directory is created and its permissions are modified even when the step is about to be skipped. Reordering to match the sibling pattern avoids an unnecessary chmod 700 on an already-existing directory.

♻️ Proposed reorder
-  mkdir -p "$dev_data_dir"
-  chmod 700 "$dev_data_dir"
-
   if [ -f "$dest_token" ] && [ "$FORCE_OVERWRITE_DATA" != "1" ]; then
     warn "Auth token already exists at $dest_token — skipping (use -f/--force)"
     step_skipped "Seed auth token (already exists)"
     return 0
   fi
 
+  mkdir -p "$dev_data_dir"
+  chmod 700 "$dev_data_dir"
+
   if ! install -m 600 "$source_token" "$dest_token"; then
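Review bot: the relocated `mkdir -p "$dev_data_dir"` and `chmod 700 "$dev_data_dir"` lines have no failure check in this hunk, unlike the `install` call directly below them, so if `chmod 700` fails the token is still written into a directory whose mode was never tightened. Chain the two and bail out on failure, e.g. `mkdir -p "$dev_data_dir" && chmod 700 "$dev_data_dir" || { error "Failed to prepare $dev_data_dir"; return 1; }`.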
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.superset/lib/setup/steps.sh around lines 464 - 471, The mkdir/chmod for
"$dev_data_dir" are performed before the guard that skips the step, causing
unnecessary creation/permission changes; reorder the code in this step to match
step_seed_local_db by moving the mkdir -p "$dev_data_dir" and chmod 700
"$dev_data_dir" to after the guard block that checks [ -f "$dest_token" ] && [
"$FORCE_OVERWRITE_DATA" != "1" ], so the directory is only created and
permissions set when the step proceeds (use the same placement pattern as in
step_seed_local_db).

Comment on lines +473 to +477
  if ! cp "$source_token" "$dest_token"; then
    error "Failed to copy auth token"
    return 1
  fi
  chmod 600 "$dest_token"

⚠️ Potential issue | 🟡 Minor

cp + chmod 600 leaves a brief exposure window and has no chmod error handling.

cp creates $dest_token with umask-derived permissions (typically 644) before chmod 600 tightens them. If chmod fails (e.g., filesystem issue), the encrypted token remains group/world-readable. Use install -m 600 to set permissions atomically in a single call.

🔒 Proposed fix using install -m 600
-  if ! cp "$source_token" "$dest_token"; then
-    error "Failed to copy auth token"
-    return 1
-  fi
-  chmod 600 "$dest_token"
+  if ! install -m 600 "$source_token" "$dest_token"; then
+    error "Failed to copy auth token"
+    return 1
+  fi
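Review bot: in the `+` branch, `install -m 600` performs the copy and the mode change in one call, so "Failed to copy auth token" now also covers a failure to apply mode 600, and it names neither path. Put `$dest_token` in the message (for example `error "Failed to install auth token at $dest_token"`) so a failed setup run shows which worktree was left without a token.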
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.superset/lib/setup/steps.sh around lines 473 - 477, The copy+chmod sequence
using "$source_token" and "$dest_token" leaves a brief permission exposure and
lacks chmod error handling; replace the two-step cp + chmod 600 with a single
atomic install call (install -m 600 "$source_token" "$dest_token") and propagate
the existing error handling (log via error "Failed to copy auth token" and
return 1) if install fails, removing the separate chmod invocation.
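
The permission behaviour discussed in the review above, as an added example that is not code from this PR or the project: it measures the destination file's mode right after `cp` (before any `chmod`) and right after `install -m 600`, and shows that `cp` gives the new file the source's mode bits minus the umask, so the interim mode depends on how the source token is stored. The helper names `mode_of`, `interim_mode` and `seed_token` are hypothetical, and every path is a constructed temp file.

```shell
#!/bin/sh
# Added example; every path is a constructed temp file, no real token is read.

mode_of() {  # octal permission bits: GNU stat first, BSD stat as fallback
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Print the destination mode immediately after the copy, before any chmod.
# $1 = copy method (cp|install), $2 = source file mode, $3 = umask
interim_mode() {
  (
    dir=$(mktemp -d) || exit 1
    umask "$3"
    printf 'constructed-ciphertext' > "$dir/src"
    chmod "$2" "$dir/src"
    case "$1" in
      cp)      cp "$dir/src" "$dir/dst" ;;
      install) install -m 600 "$dir/src" "$dir/dst" ;;
    esac
    m=$(mode_of "$dir/dst")
    rm -rf "$dir"
    printf '%s\n' "$m"
  )
}

# Hypothetical seeding helper in the shape the review asks for:
# guard first, then the directory, then a single install call.
# $1 = source token, $2 = destination directory, $3 = "1" to overwrite
seed_token() {
  [ -f "$1" ] || return 0                      # nothing to seed
  dest="$2/auth-token.enc"
  if [ -f "$dest" ] && [ "$3" != "1" ]; then
    return 0                                   # keep the existing token
  fi
  mkdir -p "$2" && chmod 700 "$2" || return 1  # fail closed on the directory
  install -m 600 "$1" "$dest" || return 1
}

interim_mode cp 644 022       # 644: readable by others until chmod runs
interim_mode cp 600 022       # 600: cp carries over the source's bits
interim_mode install 644 022  # 600
```
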

github-actions Bot commented Feb 18, 2026

🧹 Preview Cleanup Complete

The following preview resources have been cleaned up:

  • ✅ Neon database branch
  • ✅ Electric Fly.io app

Thank you for your contribution! 🎉

@Kitenite Kitenite merged commit e0765b2 into main Feb 19, 2026
15 checks passed
@Kitenite Kitenite deleted the kitenite/persist-load-state-in-new-wt branch February 19, 2026 01:23