Cowork scheduled tasks silently fail `git push` — headless runtime inherits dangling session sockets, breaking all credential channels

Open 💬 1 comment Opened Jun 20, 2026 by 8007342

Severity: High (autonomous runs cannot persist any work; failure is silent)

Environment: Cowork scheduled-task runtime on Linux. Interactive session fully authenticated (gh auth status green, token in keyring, HTTPS protocol).

Repro:

  1. Authenticate gh interactively (token lands in the GNOME keyring).
  2. Run a scheduled/headless Cowork task that performs git push over HTTPS.
  3. Observe: git fetch succeeds (anonymous public read) but git push fails with could not read Username for 'https://github.com'; gh auth status in the task reports "not logged into any GitHub hosts."

Root cause: The headless context has no /run/user/<uid> (no XDG runtime dir, keyring daemon, or rootless podman socket), yet still inherits DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus and SSH_AUTH_SOCK=/run/user/1000/gcr/ssh. The keyring is unreachable over the dangling D-Bus socket, so gh's secret-service backend can't read the token; the gcr ssh-agent socket is dangling, so SSH auth also fails. HTTPS has no credential; only anonymous reads work. The environment advertises capabilities the sandbox does not provide.

Impact: An autonomous loop committed 17 times across ~2 days and could never push; every cycle re-logged "push blocked." No credential state was surfaced to the operator. Behavior diverges between interactive and scheduled contexts that share $HOME and hostname, making it a Heisenbug.

Recommended fixes:

  1. Make the environment honest — at context entry, either provide /run/user/<uid> and its sockets, or scrub DBUS_SESSION_BUS_ADDRESS, SSH_AUTH_SOCK, and XDG_RUNTIME_DIR so client tools fall back gracefully instead of dialing dead sockets.
  2. Provide an explicit credential broker for scheduled tasks (e.g. first-class GH_TOKEN/credential injection) rather than implicitly relying on an unlocked desktop keyring.
  3. Surface credential reachability at task start and fail loud when no channel exists, instead of silently accreting unpushable commits.

Reference implementation: The Tillandsias project demonstrates the correct posture — credentials and runtime capabilities are explicit, declared, and brokered (GitHub login helper, Vault, network enclave, managed egress, hermetic wrappers) rather than inherited from ambient session state. Source and the full multi-agent meta-orchestration architecture this incident was found in: https://github.com/8007342/tillandsias/

Reporter: Luis Daniel Rangel Tovar — https://www.linkedin.com/in/luisdanielrangeltovar/

View original on GitHub ↗

This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗