tea-login: never fail switch-to-configuration

a failed tea-login oneshot used to abort `nixos-container update` (switch-to-configuration exits 4), which blocked every rebuild whether the agent needed tea or not. drop `set -e`, exit 0 on every failure path (mkdir, tea login add, missing forge). also fix the unit description, which hardcoded /state (manager-only) — sub- agents have /agents/<name>/state.
2026-05-17 02:58:39 +02:00 · 2026-05-17 02:58:39 +02:00 · 6652ae90ab
commit 6652ae90ab
parent 600ed509f4
1 changed files with 22 additions and 15 deletions
--- a/nix/templates/harness-base.nix
+++ b/nix/templates/harness-base.nix
@ -186,10 +186,10 @@
    # One-shot: configure tea with the agent's forge token if
    # hive-c0re seeded one and tea hasn't been configured yet.
    # Runs before the harness service so the first turn can already
-    # `tea repos create`. Idempotent — exits 0 if config already
-    # exists, exits 0 if no token file (hive-forge not enabled).
+    # `tea repos create`. *Always* exits 0 — never fail a NixOS
+    # switch-to-configuration over a missing/temperamental forge.
    systemd.services.tea-login = {
-      description = "configure tea CLI from /state/forge-token";
+      description = "configure tea CLI from hive-forge token (best-effort)";
      wantedBy = [ "multi-user.target" ];
      after = [ "local-fs.target" ];
      serviceConfig = {
@ -201,16 +201,20 @@
        pkgs.coreutils
      ];
      script = ''
-        set -eu
+        # No `set -e`: any subshell failure here (tea exit, mkdir,
+        # missing forge) must not propagate. A failed unit aborts
+        # `nixos-container update`, which would block every rebuild.
        CONFIG=/root/.config/tea/config.yml
-        # Manager keeps the legacy /state bind; sub-agents have
-        # /agents/<name>/state. Glob covers both — there's exactly one
-        # hit either way (manager: /state, sub-agent: its own
-        # /agents/* mount), since each container only sees its own
-        # state dir.
+        # Manager bind-mounts state at /state; sub-agents at
+        # /agents/<name>/state. Glob both — each container only sees
+        # its own mount, so there's exactly one hit either way (or
+        # zero, when the forge hasn't been seeded yet).
        TOKEN_FILE=""
        for f in /state/forge-token /agents/*/state/forge-token; do
-          [ -f "$f" ] && TOKEN_FILE="$f" && break
+          if [ -f "$f" ]; then
+            TOKEN_FILE="$f"
+            break
+          fi
        done
        if [ -z "$TOKEN_FILE" ]; then
          echo "tea-login: no forge-token (hive-forge not seeded); skipping"
@ -220,11 +224,14 @@
          echo "tea-login: $CONFIG already present; skipping"
          exit 0
        fi
-        mkdir -p "$(dirname "$CONFIG")"
-        tea login add \
-          --name forge \
-          --url ${lib.escapeShellArg config.hyperhive.forge.url} \
-          --token "$(cat "$TOKEN_FILE")"
+        mkdir -p "$(dirname "$CONFIG")" || true
+        if ! tea login add \
+              --name forge \
+              --url ${lib.escapeShellArg config.hyperhive.forge.url} \
+              --token "$(cat "$TOKEN_FILE")"; then
+          echo "tea-login: tea login add failed; continuing without tea"
+          exit 0
+        fi
        echo "tea-login: configured for ${config.hyperhive.forge.url} from $TOKEN_FILE"
      '';
    };