( path: string, tokenName: string, )
| 55 | * else — treated as "no fallback", not an error. |
| 56 | */ |
| 57 | export function readTokenFromWellKnownFile( |
| 58 | path: string, |
| 59 | tokenName: string, |
| 60 | ): string | null { |
| 61 | try { |
| 62 | const fsOps = getFsImplementation() |
| 63 | // eslint-disable-next-line custom-rules/no-sync-fs -- fallback read for CCR subprocess path, one-shot at startup, caller is sync |
| 64 | const token = fsOps.readFileSync(path, { encoding: 'utf8' }).trim() |
| 65 | if (!token) { |
| 66 | return null |
| 67 | } |
| 68 | logForDebugging(`Read ${tokenName} from well-known file ${path}`) |
| 69 | return token |
| 70 | } catch (error) { |
| 71 | // ENOENT is the expected outcome outside CCR — stay silent. Anything |
| 72 | // else (EACCES from perm misconfig, etc.) is worth surfacing in the |
| 73 | // debug log so subprocess auth failures aren't mysterious. |
| 74 | if (!isENOENT(error)) { |
| 75 | logForDebugging( |
| 76 | `Failed to read ${tokenName} from ${path}: ${errorMessage(error)}`, |
| 77 | { level: 'debug' }, |
| 78 | ) |
| 79 | } |
| 80 | return null |
| 81 | } |
| 82 | } |
| 83 | |
| 84 | /** |
| 85 | * Shared FD-or-well-known-file credential reader. |
no test coverage detected