onev.cat / tang
A CLI for tangled operations.
11
fork

Configure Feed

Select the types of activity you want to include in your feed.

tg auth login: fall back to BSKY_HANDLE / BSKY_APP_PASSWORD #4

open opened by
austegard.com

Summary#

tg auth login only reads ATPROTO_HANDLE and ATPROTO_APP_PASSWORD from the environment (see bin/tg ~L209, L212). On Claude Code on the Web, Anthropic provisions Bluesky credentials as BSKY_HANDLE / BSKY_APP_PASSWORD, so a SessionStart hook that simply runs tg auth login reports "unauthenticated" even though perfectly usable creds are sitting in the env.

Repro#

In a CCotw container with BSKY_HANDLE and BSKY_APP_PASSWORD set but no ATPROTO_*:

$ tg auth status
Not authenticated.

$ ATPROTO_HANDLE="$BSKY_HANDLE" ATPROTO_APP_PASSWORD="$BSKY_APP_PASSWORD" tg auth login
Logged in as austegard.com (did:plc:r2whjvupgfw55mllpksnombn)

That manual remap is the only thing standing between the hub session and authenticated tg usage.

Proposed fix#

In `cmd_auth_login`, after ATPROTO_HANDLE / ATPROTO_APP_PASSWORD, also consult BSKY_HANDLE / BSKY_APP_PASSWORD as a secondary source. ATPROTO_* should still win if both are set (it's the more specific name). Update the --handle help text on the auth login subparser (`bin/tg` ~L919) to mention the fallback once added.

This keeps the public interface ATProto-shaped while making the CLI usable in environments that only expose Bluesky-flavoured env vars (CCotw today, probably more hosted sandboxes tomorrow).

Why here vs. in the hub's boot.sh#

The hub repo's `boot.sh` could trivially do the remap before calling `tg auth login`, and arguably should. But anyone embedding `tg` in a similar hosted environment will hit the same wall, so a one-line fallback inside `tg` itself seems worth it. Happy to send a patch via `tg pr create` if you'd like.

austegard.com (author)

On reflection this isn't a tg problem โ€” the CLI's ATPROTO_* env vars are the right contract for an ATProto-native tool. The right place to bridge BSKY_* (as exposed by Claude Code on the Web) into ATPROTO_* is the embedding environment, i.e. the hub's boot.sh. Closing; will patch that on the hub side. Sorry for the noise.

onev.cat

Update after the fix and E2E testing:

  • The record shape is now correct: new CLI-created issues/pulls write the canonical repo DID instead of the legacy repo AT URI.
  • We verified this with a real E2E case. A PR created by the fixed local tang binary on a temporary repo was ingested by AppView and became visible here: https://tangled.org/onev.cat/tang-e2e-pr-did-20260517220149/pulls/1/round/0
  • The fix for this issue has also been merged via https://tangled.org/onev.cat/tang/pulls/3/round/0.
  • There may still be a separate AppView projection issue in core: one valid CLI-created PR record on the existing onev.cat/tang repo was present in PDS/Constellation but did not get an AppView DB row. The exact runtime cause is unknown from public data, but the suspected area is AppView pull ingest/retry/backfill behavior.

Tracked separately in core: https://tangled.org/tangled.org/core/issues/575

sign up or login to add to the discussion
Labels

None yet.

assignee

None yet.

Participants 2
AT URI
at://did:plc:r2whjvupgfw55mllpksnombn/sh.tangled.repo.issue/3mlpadamdcv25