From f842aba56a7fd76635285c2b22cad0b3b917343a Mon Sep 17 00:00:00 2001
From: "A. F. Dudley"
Date: Mon, 9 Mar 2026 06:20:16 +0000
Subject: [PATCH] fix: sync-tools playbook uses agent forwarding, not socket hunting

- Add become: false to git tasks so SSH_AUTH_SOCK survives (sudo drops it)
- Fetch explicit branch names instead of bare `git fetch origin`
- Remove the fragile `Find SSH agent socket` workaround

Requires ForwardAgent yes in SSH config (added to ~/.ssh/config).

Co-Authored-By: Claude Opus 4.6
---
 playbooks/biscayne-sync-tools.yml | 19 ++++++++-----------
 1 file changed, 8 insertions(+), 11 deletions(-)

diff --git a/playbooks/biscayne-sync-tools.yml b/playbooks/biscayne-sync-tools.yml
index a2d2ef19..76ba610e 100644
--- a/playbooks/biscayne-sync-tools.yml
+++ b/playbooks/biscayne-sync-tools.yml
@@ -30,15 +30,19 @@
 stack_branch: main

 tasks:
+ # Git operations run as the connecting user (no become) so that
+ # SSH agent forwarding works. sudo drops SSH_AUTH_SOCK.
 - name: Update laconic-so (editable install)
+ become: false
 ansible.builtin.shell: |
 cd {{ laconic_so_repo }}
- git fetch origin
+ git fetch origin {{ laconic_so_branch }}
 git reset --hard origin/{{ laconic_so_branch }}
 register: laconic_so_update
 changed_when: true

 - name: Show laconic-so version
+ become: false
 ansible.builtin.shell:
 cmd: set -o pipefail && cd {{ laconic_so_repo }} && git log --oneline -1
 executable: /bin/bash
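Review bot: A failed `git fetch` in `Update laconic-so` goes unreported, because the script block has no `set -e` and the task's result is the exit status of the final `git reset --hard`. The fetch now depends on agent forwarding, so if the agent is missing or not forwarded and `origin/{{ laconic_so_branch }}` exists from an earlier fetch, the reset succeeds against the old ref and the play reports `changed` while stale code stays deployed. A failed `cd` would likewise let the remaining commands run in the starting directory. Adding `set -e` as the first line of the block makes either failure stop the task; the same applies to `Pull agave-stack repo` in the second hunk.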
@@ -49,24 +53,17 @@
 ansible.builtin.debug:
 msg: "laconic-so: {{ laconic_so_version.stdout }}"

- - name: Find SSH agent socket
- ansible.builtin.shell:
- cmd: set -o pipefail && ls -t /tmp/ssh-*/agent.* 2>/dev/null | head -1
- executable: /bin/bash
- register: ssh_agent_socket
- changed_when: false
- failed_when: ssh_agent_socket.stdout == ""
-
 - name: Pull agave-stack repo
+ become: false
 ansible.builtin.shell: |
- export SSH_AUTH_SOCK={{ ssh_agent_socket.stdout }}
 cd {{ stack_repo }}
- git fetch origin
+ git fetch origin {{ stack_branch }}
 git reset --hard origin/{{ stack_branch }}
 register: stack_update
 changed_when: true

 - name: Show agave-stack version
+ become: false
 ansible.builtin.shell:
 cmd: set -o pipefail && cd {{ stack_repo }} && git log --oneline -1
 executable: /bin/bash
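Review bot: The `Pull agave-stack repo` task now relies on the operator's forwarded agent, but nothing in this part of the playbook states that requirement or how far the forwarding should reach; only the commit message mentions `ForwardAgent yes`. While the connection is open, root on the target can use the forwarded socket to request signatures from the operator's keys, so the client setting is best limited to this host's `Host` entry rather than applied globally, and the commit message does not say which was done. I would add above the task: `# Needs ForwardAgent enabled for this host only; the forwarded agent is usable by root on the target while connected.` If the repository permits it, a read-only deploy key on the target would remove the dependency on forwarding.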