From c5e1157f470285f653f171535c7966f775e6097d Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Sun, 19 Apr 2026 01:47:36 +0000
Subject: [PATCH] Fix shenv clobbering forwarded SSH socket with local agent in
 tmux

ssh/rc env changes (including SSH_REMOTE_AUTH_SOCK) are lost because
ssh/rc runs as a sshd child process, not the user's shell. The shell
always receives SSH_AUTH_SOCK set to the raw forwarded socket path.

Fresh SSH login worked fine (step 1 catches the raw socket). The bug
was in tmux new windows: SSH_AUTH_SOCK there is our stable symlink, so
step 1 fails, then steps 2/3 look up the system agent and overwrite the
symlink that ssh/rc just set to the forwarded socket.

Fix: only run the system agent lookup when the stable symlink is already
broken. A valid symlink means ssh/rc (or a previous shenv run) already
set it correctly; don't clobber it.

https://claude.ai/code/session_01RhXaFzxJA5D2BcGcz18ipA
---
 dotfiles/shenv | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/dotfiles/shenv b/dotfiles/shenv
index 734d4d8..368dfd3 100755
--- a/dotfiles/shenv
+++ b/dotfiles/shenv
@@ -113,17 +113,17 @@ _is_link_path() {
 
 _CANDIDATE=""
 
-# 1. Highest priority: ssh/rc sets SSH_REMOTE_AUTH_SOCK to the raw forwarded socket before
-# rewriting SSH_AUTH_SOCK to the stable symlink, so it survives the rewrite.
-if [ -S "${SSH_REMOTE_AUTH_SOCK:-}" ] && ! _is_link_path "${SSH_REMOTE_AUTH_SOCK}"; then
-  _CANDIDATE="${SSH_REMOTE_AUTH_SOCK}"
-# If current environment has a valid socket that is NOT our link, it's a prime candidate (e.g. SSH forwarding).
-elif [ -S "${SSH_AUTH_SOCK:-}" ] && ! _is_link_path "${SSH_AUTH_SOCK}"; then
+# 1. If current environment has a valid socket that is NOT our link, it's a prime candidate
+# (e.g. fresh SSH login: sshd sets SSH_AUTH_SOCK to the raw forwarded socket before ssh/rc
+# rewrites it to the stable symlink; the shell inherits the original raw path).
+if [ -S "${SSH_AUTH_SOCK:-}" ] && ! _is_link_path "${SSH_AUTH_SOCK}"; then
   _CANDIDATE="${SSH_AUTH_SOCK}"
 fi
 
-# 2. If no candidate yet, or we're currently using the link, try to find the "real" system agent.
-if [ -z "${_CANDIDATE}" ] || _is_link_path "${SSH_AUTH_SOCK:-}"; then
+# 2. Only look for a system agent if the stable link is already broken.  If the link is
+# valid (e.g. a tmux pane where SSH_AUTH_SOCK points to our symlink which ssh/rc just
+# updated to the forwarded socket), leave it alone — don't clobber it with a local agent.
+if [ -z "${_CANDIDATE}" ] && [ ! -S "${_SSH_AUTH_LINK}" ]; then
   _FOUND=""
   if [ "$(uname)" = "Darwin" ]; then
     _FOUND=$(launchctl getenv SSH_AUTH_SOCK 2>/dev/null)
@@ -147,8 +147,8 @@ if [ -z "${_CANDIDATE}" ] || _is_link_path "${SSH_AUTH_SOCK:-}"; then
   fi
 fi
 
-# 3. Last resort: search common paths if we still don't have a valid candidate.
-if [ ! -S "${_CANDIDATE}" ]; then
+# 3. Last resort: search common paths if we still don't have a candidate and the link is broken.
+if [ ! -S "${_CANDIDATE}" ] && [ ! -S "${_SSH_AUTH_LINK}" ]; then
   _U=$(id -u)
   for _p in "/run/user/${_U}/keyring/ssh" "/run/user/${_U}/ssh-agent.socket" "/run/user/${_U}/openssh_agent" "/run/user/${_U}/gnupg/S.gpg-agent.ssh"; do
     if [ -S "${_p}" ] && ! _is_link_path "${_p}"; then