
Git Credentials Without a Shell
The symptom is weird: you ssh into the secure-agent-pod, run git push, and it works. You open the VS Code source control panel in the same session, click Sync, and get:
remote: Invalid username or token. Password authentication is not supported for Git operations.
fatal: Authentication failed for 'https://github.com/.../...'Same pod, same user, same repo. What’s different?
Where the token actually lives
Kubernetes injects env vars into the container’s PID 1 at startup. In the secure-agent-pod, entrypoint.sh is PID 1, so it gets GITHUB_TOKEN (and the rest of agent-secrets-tier2) via envFrom. Everything PID 1 spawns — sshd, supercronic, vibe-kanban — inherits that env by the normal Unix rules.
But SSH sessions do not inherit PID 1’s env. OpenSSH builds a fresh environment for each new session from /etc/environment, PAM, and the login shell’s init files. GITHUB_TOKEN isn’t in any of those. So when you ssh in, your shell has no token.
The usual workaround is to re-hydrate from /proc/1/environ in .bashrc:
_env_from_pid1() { cat /proc/1/environ 2>/dev/null | tr '\0' '\n' | grep "^${1}=" | cut -d= -f2-; }
export GITHUB_TOKEN="${GITHUB_TOKEN:-$(_env_from_pid1 GITHUB_TOKEN)}"That works for interactive shells. Your terminal sources .bashrc, gets the token, git works.
VS Code’s git doesn’t source .bashrc. Neither does cron. Neither does any subprocess that its parent didn’t explicitly set up. You get a silent auth failure.
The fix
Skip the env var entirely. Read /proc/1/environ directly from the credential helper:
[credential]
helper = "!f() { echo \"username=clawdia-ai-assistant\"; echo \"password=$(tr '\\0' '\\n' < /proc/1/environ | sed -n 's/^GITHUB_TOKEN=//p')\"; }; f"Every git invocation — regardless of how it was spawned, whether it sourced a shell init file, whether the env contains GITHUB_TOKEN — reads the kernel’s view of PID 1’s startup environment and returns the token.
$ kubectl exec -n secure-agent-pod deploy/secure-agent-pod -c kali -- git config --get credential.helper
!f() { echo "username=clawdia-ai-assistant"; echo "password=$(tr '