Monorepo for Aesthetic.Computer aesthetic.computer

flash-mac: auto-run ac-login if ~/.ac-token is stale

Split the script's bootstrap into two phases:

Phase 1 (as user): check ~/.ac-token expiry. If within 60s of
expiring (or missing entirely), invoke tezos/ac-login.mjs to open
the OAuth browser dance. The fresh token lands at ~/.ac-token.

Phase 2 (re-exec as root via sudo): carries on with the existing
privileged flash work.

Why split: ac-login.mjs needs to open a browser as the actual logged-in
user (not root), so we can't wait until after the sudo escalation.
Doing it unconditionally in phase 1 means a reflash always produces
a fresh token for the MongoDB fetch in the newly-root phase — which
means a reflash always bakes the latest Claude OAuth token and
GitHub PAT into the initramfs without any manual pre-step.

If ac-login.mjs isn't found (e.g. user copied just flash-mac.sh to
another machine) we warn and proceed; the downstream MongoDB fetch
will then fail-soft with a "creds fetch: skipped" log.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

+44 -7
fedac/native/scripts/flash-mac.sh
··· 34 34 USB_DEV="${1:?usage: $0 /dev/diskN [SRC_DIR]}" 35 35 SRC_DIR="${2:-/tmp/ac-os-pull}" 36 36 37 - # This script needs root for diskutil/sgdisk/dd/newfs_msdos/mount_msdos. 38 - # Re-exec under sudo if invoked as a regular user (sudoers.d/ac-flash-mac 39 - # whitelists this exact path NOPASSWD). 40 - if [ "$(id -u)" != "0" ]; then 41 - exec sudo --preserve-env=PATH "$0" "$@" 42 - fi 43 - 44 37 SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)" 45 38 REPO_ROOT="$(cd "${SCRIPT_DIR}/../.." && pwd)" 39 + REAL_REPO_ROOT="$(cd "${SCRIPT_DIR}/../../.." && pwd)" 46 40 NATIVE_DIR="${REPO_ROOT}/native" 47 41 [ -d "${NATIVE_DIR}/boot" ] || NATIVE_DIR="$(cd "${SCRIPT_DIR}/.." && pwd)" 42 + 43 + # --- step 1: ensure ~/.ac-token is fresh (run ac-login if stale) --- 44 + # Done BEFORE the sudo exec so the OAuth browser dance happens as the 45 + # actual user. If ac-login.mjs isn't findable we skip the refresh and 46 + # leave the downstream bake to fail-soft with a warning. 47 + if [ "$(id -u)" != "0" ]; then 48 + NEEDS_LOGIN=1 49 + if [ -f "${HOME}/.ac-token" ] && command -v node >/dev/null 2>&1; then 50 + NEEDS_LOGIN="$(node -e ' 51 + try { 52 + const t = JSON.parse(require("fs").readFileSync(process.env.HOME+"/.ac-token", "utf8")); 53 + const rawExp = t.expires_at || 0; 54 + const expMs = rawExp > 10_000_000_000 ? rawExp : rawExp * 1000; 55 + // Consider stale if expired or within 60s of expiring 56 + process.stdout.write((!expMs || Date.now() >= expMs - 60000) ? 
"1" : "0"); 57 + } catch { process.stdout.write("1"); } 58 + ')" 59 + fi 60 + if [ "${NEEDS_LOGIN}" = "1" ]; then 61 + AC_LOGIN="" 62 + for p in "${REAL_REPO_ROOT}/tezos/ac-login.mjs" \ 63 + "${HOME}/aesthetic-computer/tezos/ac-login.mjs"; do 64 + [ -f "${p}" ] && AC_LOGIN="${p}" && break 65 + done 66 + if [ -n "${AC_LOGIN}" ] && command -v node >/dev/null 2>&1; then 67 + echo "[flash-mac] ~/.ac-token is stale — running ac-login to refresh…" 68 + echo "[flash-mac] script: ${AC_LOGIN}" 69 + node "${AC_LOGIN}" || { 70 + echo "[flash-mac] ac-login failed (non-fatal; proceeding without Claude bake)" >&2 71 + } 72 + else 73 + echo "[flash-mac] WARN: ac-login.mjs not found — Claude creds won't be baked" >&2 74 + echo "[flash-mac] searched: ${REAL_REPO_ROOT}/tezos/ac-login.mjs" >&2 75 + fi 76 + fi 77 + fi 78 + 79 + # --- step 2: re-exec under sudo --- 80 + # Needs root for diskutil/sgdisk/dd/newfs_msdos/mount_msdos. sudoers.d/ 81 + # ac-flash-mac whitelists this exact path NOPASSWD. 82 + if [ "$(id -u)" != "0" ]; then 83 + exec sudo --preserve-env=PATH "$0" "$@" 84 + fi 48 85 49 86 KERNEL="${SRC_DIR}/vmlinuz" 50 87 INITRAMFS="${SRC_DIR}/initramfs.cpio.gz"