bd daemon sync: 2026-01-24 21:15:32

Dan 2026-01-24 21:15:32 -08:00
parent a4f770fb27
commit 43579327ab


@ -170,7 +170,7 @@
{"id":"ops-jrz1-wj2","title":"Design API key provisioning strategy","description":"opencode needs API keys (OpenAI, Anthropic). Options: 1) Shared key with proxy + rate limiting, 2) Per-user keys in sops-nix. Need to prevent key exposure and enable usage tracking.","status":"closed","priority":1,"issue_type":"task","created_at":"2025-12-05T15:32:19.526073243-08:00","updated_at":"2025-12-05T17:25:10.534718515-08:00","closed_at":"2025-12-05T17:25:10.534718515-08:00","dependencies":[{"issue_id":"ops-jrz1-wj2","depends_on_id":"ops-jrz1-3so","type":"parent-child","created_at":"2025-12-05T17:05:47.103332379-08:00","created_by":"daemon","metadata":"{}"}]} {"id":"ops-jrz1-wj2","title":"Design API key provisioning strategy","description":"opencode needs API keys (OpenAI, Anthropic). Options: 1) Shared key with proxy + rate limiting, 2) Per-user keys in sops-nix. Need to prevent key exposure and enable usage tracking.","status":"closed","priority":1,"issue_type":"task","created_at":"2025-12-05T15:32:19.526073243-08:00","updated_at":"2025-12-05T17:25:10.534718515-08:00","closed_at":"2025-12-05T17:25:10.534718515-08:00","dependencies":[{"issue_id":"ops-jrz1-wj2","depends_on_id":"ops-jrz1-3so","type":"parent-child","created_at":"2025-12-05T17:05:47.103332379-08:00","created_by":"daemon","metadata":"{}"}]}
{"id":"ops-jrz1-xoad","title":"Create release cycle and changelog process","description":"Need a way to communicate changes to users - changelog, release notes, or similar.\n\nIdeas:\n- MOTD on SSH login showing recent changes\n- /etc/motd.d/ with dynamic changelog\n- bd-powered changelog generation\n\n## Release Checklist (future)\n- [ ] Review/validate user-facing docs (~/AGENTS.md, ~/README.md)\n- [ ] Update changelog\n- [ ] Deploy\n- [ ] Notify users\n\nNext session priority.","status":"in_progress","priority":2,"issue_type":"task","created_at":"2026-01-10T13:49:46.492349303-08:00","created_by":"dan","updated_at":"2026-01-22T15:32:27.591031778-08:00"} {"id":"ops-jrz1-xoad","title":"Create release cycle and changelog process","description":"Need a way to communicate changes to users - changelog, release notes, or similar.\n\nIdeas:\n- MOTD on SSH login showing recent changes\n- /etc/motd.d/ with dynamic changelog\n- bd-powered changelog generation\n\n## Release Checklist (future)\n- [ ] Review/validate user-facing docs (~/AGENTS.md, ~/README.md)\n- [ ] Update changelog\n- [ ] Deploy\n- [ ] Notify users\n\nNext session priority.","status":"in_progress","priority":2,"issue_type":"task","created_at":"2026-01-10T13:49:46.492349303-08:00","created_by":"dan","updated_at":"2026-01-22T15:32:27.591031778-08:00"}
{"id":"ops-jrz1-xz1","title":"Fix maubot admin UI exposed to internet (port 29316)","description":"Maubot admin UI on port 29316 is publicly accessible (returns 401 but API surface exposed). Firewall explicitly allows this port. Risk: brute force on admin password, direct exploit of any maubot vulnerabilities. Fix: bind to 127.0.0.1 only, remove from firewall, access via SSH tunnel.","status":"closed","priority":1,"issue_type":"bug","created_at":"2025-12-04T21:03:22.531676543-08:00","updated_at":"2025-12-04T22:35:24.162735368-08:00","closed_at":"2025-12-04T22:35:24.162735368-08:00"} {"id":"ops-jrz1-xz1","title":"Fix maubot admin UI exposed to internet (port 29316)","description":"Maubot admin UI on port 29316 is publicly accessible (returns 401 but API surface exposed). Firewall explicitly allows this port. Risk: brute force on admin password, direct exploit of any maubot vulnerabilities. Fix: bind to 127.0.0.1 only, remove from firewall, access via SSH tunnel.","status":"closed","priority":1,"issue_type":"bug","created_at":"2025-12-04T21:03:22.531676543-08:00","updated_at":"2025-12-04T22:35:24.162735368-08:00","closed_at":"2025-12-04T22:35:24.162735368-08:00"}
{"id":"ops-jrz1-xz7","title":"Research: Multi-user auth storage for agentic coders","description":"Investigate where auth credentials are stored for each agentic coder when multiple users authenticate:\n\n## Questions\n- Claude Code: Where is OAuth token stored? ~/.claude? Conflicts between users?\n- opencode: Auth storage location?\n- gemini-cli: Auth storage?\n- codex: Auth storage?\n\n## Goal\nUnderstand if there are isolation issues when multiple users auth on same server.","status":"open","priority":2,"issue_type":"task","created_at":"2026-01-02T17:30:15.028994987-08:00","created_by":"dan","updated_at":"2026-01-02T17:30:15.028994987-08:00"} {"id":"ops-jrz1-xz7","title":"Research: Multi-user auth storage for agentic coders","description":"Investigate where auth credentials are stored for each agentic coder when multiple users authenticate:\n\n## Questions\n- Claude Code: Where is OAuth token stored? ~/.claude? Conflicts between users?\n- opencode: Auth storage location?\n- gemini-cli: Auth storage?\n- codex: Auth storage?\n\n## Goal\nUnderstand if there are isolation issues when multiple users auth on same server.","notes":"No isolation issues. Each tool stores auth in user's home directory:\n\n- Claude Code: ~/.claude/.credentials.json (600)\n- Gemini CLI: ~/.gemini/oauth_creds.json (600)\n- OpenCode: ~/.config/opencode/config.json (600)\n\nHome dirs are chmod 700, so users can't read each other's credentials. Each user authenticates independently.","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-02T17:30:15.028994987-08:00","created_by":"dan","updated_at":"2026-01-24T21:15:32.127904644-08:00","closed_at":"2026-01-24T21:15:32.127904644-08:00","close_reason":"Closed"}
{"id":"ops-jrz1-y8le","title":"Stop Matrix before backup for RocksDB consistency","description":"RocksDB is backed up while running, risking corrupt snapshots. Add systemd pre-hook to stop matrix-continuwuity during backup window.","status":"closed","priority":4,"issue_type":"task","created_at":"2026-01-10T14:01:50.945222296-08:00","created_by":"dan","updated_at":"2026-01-10T20:15:25.90394816-08:00","closed_at":"2026-01-10T20:15:25.90394816-08:00","close_reason":"Accepting risk: RocksDB has crash consistency, 3 AM backup window has minimal activity, and we have multiple daily snapshots. Can re-evaluate if restore drill shows corruption."} {"id":"ops-jrz1-y8le","title":"Stop Matrix before backup for RocksDB consistency","description":"RocksDB is backed up while running, risking corrupt snapshots. Add systemd pre-hook to stop matrix-continuwuity during backup window.","status":"closed","priority":4,"issue_type":"task","created_at":"2026-01-10T14:01:50.945222296-08:00","created_by":"dan","updated_at":"2026-01-10T20:15:25.90394816-08:00","closed_at":"2026-01-10T20:15:25.90394816-08:00","close_reason":"Accepting risk: RocksDB has crash consistency, 3 AM backup window has minimal activity, and we have multiple daily snapshots. Can re-evaluate if restore drill shows corruption."}
{"id":"ops-jrz1-yhu","title":"configuration.nix: Consider custom iptables chain for egress rules","description":"Same iptables match pattern repeated 8 times. Could create custom chain for cleaner rule management. Optional - readability tradeoff. configuration.nix:68-79","status":"closed","priority":3,"issue_type":"task","created_at":"2026-01-03T08:17:35.532609792-08:00","created_by":"dan","updated_at":"2026-01-03T10:07:28.725278889-08:00","closed_at":"2026-01-03T10:07:28.725278889-08:00","close_reason":"Wontfix: current inline rules work fine, custom chain is marginal improvement"} {"id":"ops-jrz1-yhu","title":"configuration.nix: Consider custom iptables chain for egress rules","description":"Same iptables match pattern repeated 8 times. Could create custom chain for cleaner rule management. Optional - readability tradeoff. configuration.nix:68-79","status":"closed","priority":3,"issue_type":"task","created_at":"2026-01-03T08:17:35.532609792-08:00","created_by":"dan","updated_at":"2026-01-03T10:07:28.725278889-08:00","closed_at":"2026-01-03T10:07:28.725278889-08:00","close_reason":"Wontfix: current inline rules work fine, custom chain is marginal improvement"}
{"id":"ops-jrz1-zgs8","title":"Set up B2 automated backups with restic","status":"closed","priority":1,"issue_type":"task","created_at":"2026-01-10T13:32:34.753782465-08:00","created_by":"dan","updated_at":"2026-01-10T13:52:46.518193686-08:00","closed_at":"2026-01-10T13:52:46.518193686-08:00","close_reason":"B2 backup operational: bucket ops-jrz1-backup, daily 3 AM, weekly integrity check, tested successfully"} {"id":"ops-jrz1-zgs8","title":"Set up B2 automated backups with restic","status":"closed","priority":1,"issue_type":"task","created_at":"2026-01-10T13:32:34.753782465-08:00","created_by":"dan","updated_at":"2026-01-10T13:52:46.518193686-08:00","closed_at":"2026-01-10T13:52:46.518193686-08:00","close_reason":"B2 backup operational: bucket ops-jrz1-backup, daily 3 AM, weekly integrity check, tested successfully"}
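Review bot: The new `notes` on ops-jrz1-xz7 conclude "No isolation issues" but cover only Claude Code, Gemini CLI and OpenCode, while the description also asks about codex, so the issue is closed with one of its four questions unanswered. The conclusion rests on mode 600 files under chmod 700 home directories, which only establishes separation between unprivileged users; root on the host, and any backup job that includes home directories (not visible in this hunk), would still hold readable copies of the tokens. The listed paths look stated from memory rather than checked on the host, so I would confirm them before relying on the note. I would also replace `"close_reason":"Closed"` with something that records the scope, e.g. `"close_reason":"No cross-user exposure via file permissions; codex, root and backup copies not assessed"`, in line with the descriptive close reasons on the neighbouring records.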