Cowork scheduled tasks silently fail `git push` — headless runtime inherits dangling session sockets, breaking all credential channels
Severity: High (autonomous runs cannot persist any work; failure is silent)
Environment: Cowork scheduled-task runtime on Linux. Interactive session fully authenticated (gh auth status green, token in keyring, HTTPS protocol).
Repro:
- Authenticate
ghinteractively (token lands in the GNOME keyring). - Run a scheduled/headless Cowork task that performs
git pushover HTTPS. - Observe:
git fetchsucceeds (anonymous public read) butgit pushfails withcould not read Username for 'https://github.com';gh auth statusin the task reports "not logged into any GitHub hosts."
Root cause: The headless context has no /run/user/<uid> (no XDG runtime dir, keyring daemon, or rootless podman socket), yet still inherits DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus and SSH_AUTH_SOCK=/run/user/1000/gcr/ssh. The keyring is unreachable over the dangling D-Bus socket, so gh's secret-service backend can't read the token; the gcr ssh-agent socket is dangling, so SSH auth also fails. HTTPS has no credential; only anonymous reads work. The environment advertises capabilities the sandbox does not provide.
Impact: An autonomous loop committed 17 times across ~2 days and could never push; every cycle re-logged "push blocked." No credential state was surfaced to the operator. Behavior diverges between interactive and scheduled contexts that share $HOME and hostname, making it a Heisenbug.
Recommended fixes:
- Make the environment honest — at context entry, either provide
/run/user/<uid>and its sockets, or scrubDBUS_SESSION_BUS_ADDRESS,SSH_AUTH_SOCK, andXDG_RUNTIME_DIRso client tools fall back gracefully instead of dialing dead sockets. - Provide an explicit credential broker for scheduled tasks (e.g. first-class
GH_TOKEN/credential injection) rather than implicitly relying on an unlocked desktop keyring. - Surface credential reachability at task start and fail loud when no channel exists, instead of silently accreting unpushable commits.
Reference implementation: The Tillandsias project demonstrates the correct posture — credentials and runtime capabilities are explicit, declared, and brokered (GitHub login helper, Vault, network enclave, managed egress, hermetic wrappers) rather than inherited from ambient session state. Source and the full multi-agent meta-orchestration architecture this incident was found in: https://github.com/8007342/tillandsias/
Reporter: Luis Daniel Rangel Tovar — https://www.linkedin.com/in/luisdanielrangeltovar/
This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗