Non-Blocking Review Concern: No verification that sshd_config includes sshd_config.d drop-in directory
Source: pre-push whole-codebase review
Location: scripts/server/setup-ssh-access.sh:196-212
Date: 2026-04-16
What was flagged
The new block writes /etc/ssh/sshd_config.d/200-claude-env.conf assuming macOS's default sshd_config contains Include /etc/ssh/sshd_config.d/*. This is true for stock macOS Ventura+ and is almost certainly fine for the Apple Silicon Mac Mini targets this project supports, but if a target has a customized or older sshd_config without the Include directive, the drop-in will be silently ignored: the ssh session will reject the injected OP_SERVICE_ACCOUNT_TOKEN, and because this PR also removed the keychain fallback (prep-airdrop.sh, first-boot.sh), claude-wrapper would have no credential path at all. A belt-and-suspenders grep -q '^Include.*sshd_config.d' /etc/ssh/sshd_config check (or a mkdir -p on the drop-in dir before tee) would make the failure mode loud instead of silent. Pre-existing assumption carried forward rather than introduced by this diff, hence non-blocking.
Context
This issue was automatically created from a non-blocking concern identified
during pre-push whole-codebase review. It was flagged for tracking.
Created by lib-review-issues.sh
Non-Blocking Review Concern: No verification that sshd_config includes sshd_config.d drop-in directory
Source: pre-push whole-codebase review
Location:
scripts/server/setup-ssh-access.sh:196-212Date: 2026-04-16
What was flagged
The new block writes
/etc/ssh/sshd_config.d/200-claude-env.confassuming macOS's defaultsshd_configcontainsInclude /etc/ssh/sshd_config.d/*. This is true for stock macOS Ventura+ and is almost certainly fine for the Apple Silicon Mac Mini targets this project supports, but if a target has a customized or oldersshd_configwithout the Include directive, the drop-in will be silently ignored: the ssh session will reject the injectedOP_SERVICE_ACCOUNT_TOKEN, and because this PR also removed the keychain fallback (prep-airdrop.sh, first-boot.sh),claude-wrapperwould have no credential path at all. A belt-and-suspendersgrep -q '^Include.*sshd_config.d' /etc/ssh/sshd_configcheck (or amkdir -pon the drop-in dir beforetee) would make the failure mode loud instead of silent. Pre-existing assumption carried forward rather than introduced by this diff, hence non-blocking.Context
This issue was automatically created from a non-blocking concern identified
during pre-push whole-codebase review. It was flagged for tracking.
Created by lib-review-issues.sh