fix: hydrate devcontainer ssh agent socket

[boblangley]

What Changed

Fix terminal PTY environment hydration for devcontainers by resolving a usable SSH_AUTH_SOCK when spawning terminal sessions.

The change:

• Keeps a valid inherited SSH_AUTH_SOCK
• Falls back to the newest same-user VS Code forwarded socket at /tmp/vscode-ssh-auth-*.sock
• Preserves explicit runtime env overrides
• Adds focused tests for resolver behavior and terminal spawn env behavior

Why

Fixes #3067.

When the T3 Code server starts before VS Code attaches to a devcontainer, the server process does not inherit VS Code’s later-injected forwarded SSH agent environment. Terminals spawned by that server therefore miss SSH_AUTH_SOCK, even though the forwarded socket exists and works in normal VS Code terminals.

Resolving the socket at terminal spawn time makes server-started terminals match the attached devcontainer environment without requiring a server restart.

Checklist

• This PR is small and focused
• I explained what changed and why
• I included before/after screenshots for any UI changes
• I included a video for animation/interaction changes

---

Note

Low Risk
Scoped to terminal spawn env and SSH agent socket discovery; behavior change is intentional (stale sockets dropped) with solid unit coverage.

Overview
Fixes devcontainer terminals missing SSH agent forwarding when the server starts before VS Code injects SSH_AUTH_SOCK.

Adds resolveSshAuthSock in shared (@t3tools/shared/sshAgent): on POSIX, reuse a valid same-user inherited socket or pick the newest matching VS Code forwarded socket under temp//tmp; on Windows, only accept OpenSSH named pipes. createTerminalSpawnEnv no longer copies SSH_AUTH_SOCK from the server process—it sets it via the resolver (defaulting to resolveSshAuthSock), and runtime open env can still override. TerminalManager wires an injectable sshAuthSockResolver for tests.

^{Reviewed by Cursor Bugbot for commit 6042f22. Bugbot is set up for automated code reviews on this repo. Configure here.}

Note

Fix SSH agent socket resolution in devcontainer terminals

• Adds resolveSshAuthSock in packages/shared/src/sshAgent.ts to compute a valid SSH_AUTH_SOCK path: on POSIX it validates the inherited socket by type/uid or falls back to scanning temp directories for VS Code forwarded sockets; on Windows it only accepts named pipe values.
• createTerminalSpawnEnv in apps/server/src/terminal/Manager.ts now strips the inherited SSH_AUTH_SOCK and replaces it using the resolver, preventing stale or inaccessible socket paths from propagating into terminal processes.
• runtimeEnv values still override the resolved socket, preserving existing override behavior.
• Behavioral Change: SSH_AUTH_SOCK is no longer passed through from the base environment; it is always re-resolved unless explicitly set via runtimeEnv.

^{Macroscope summarized 6042f22.}

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 36f5d162-05ea-4070-b0e1-59cd6219a98f

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[macroscopeapp]

Approvability

Verdict: Needs human review

1 blocking correctness issue found. This PR introduces new SSH agent socket discovery and hydration functionality that changes terminal spawn behavior. Combined with an open high-severity review comment about potential Windows compatibility issues, these changes warrant human review.

^{You can customize Macroscope's approvability policy. Learn more.}

[cursor]

Cursor Bugbot has reviewed your changes using high effort and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

Want reviews to match your repository better? Bugbot Learning can learn team-specific rules from PR activity. A team admin can enable Learning in the Cursor dashboard.

^{Reviewed by Cursor Bugbot for commit 8a655cb. Configure here.}

[boblangley]

Rebased the PR.