Windows: msys path-conversion mangles leading-slash SSM param names #156

New issue

Open

opened 2026-05-29 15:16:17 +00:00 by coilysiren · 0 comments

coilysiren commented 2026-05-29 15:16:17 +00:00

Owner

Copy link

Problem

On the Windows tower, running Windows-native coily.exe from an msys/git-bash shell, any argument that looks like a POSIX absolute path gets rewritten by msys path-conversion before it reaches coily/AWS. This silently mangles leading-slash SSM parameter names.

Observed:

• coily ops aws ssm get-parameter --name /coilysiren/netlify/token -> ParameterNotFound (the leading slash is stripped/rewritten, so AWS looks up a slash-less name that doesn't exist).
• coily ops aws ssm get-parameters-by-path --path /coilysiren --recursive -> ValidationException: The parameter name must begin with a forward slash "/" (single-segment /coilysiren gets rewritten to a Windows path like C:/Program Files/Git/coilysiren, which no longer starts with /).

Both resolve correctly when path-conversion is disabled:

MSYS_NO_PATHCONV=1 coily ops aws ssm get-parameter --name /coilysiren/netlify/token --query Parameter.Type --output text
# -> SecureString

This is a real footgun: the failure mode looks like a missing param or a wrong AWS account, when the param is present and the account is correct. It will bite every leading-slash arg on Windows (SSM names, any /-rooted value), not just Netlify.

Asks

1. Guard inside coily.exe on Windows so callers don't have to think about it. Options:
   • Detect msys/cygwin (MSYSTEM set, or running under git-bash) and set MSYS_NO_PATHCONV=1 / MSYS2_ARG_CONV_EXCL='*' for child aws invocations, or
   • Pass SSM names in a conversion-safe form to the child process.
2. Detect-and-warn fallback: if a leading-slash arg arrives already rewritten to a drive-letter path (C:/...coilysiren...), emit a clear operator notice naming msys path-conversion as the cause, rather than surfacing a raw ParameterNotFound / ValidationException.

Workaround (in place now)

export MSYS_NO_PATHCONV=1 added to the tower shell rc so interactive + agent calls stop mangling. Issue tracks the durable in-binary fix.

Origin

Surfaced while wiring a Netlify PAT into SSM for the coily ops netlify work (agentic-os-kai#518) on kai-desktop-tower. The token put had actually succeeded; the reads only appeared to fail because of msys path-conversion.

## Problem On the Windows tower, running Windows-native `coily.exe` from an msys/git-bash shell, any argument that looks like a POSIX absolute path gets rewritten by msys path-conversion *before* it reaches coily/AWS. This silently mangles leading-slash SSM parameter names. Observed: - `coily ops aws ssm get-parameter --name /coilysiren/netlify/token` -> `ParameterNotFound` (the leading slash is stripped/rewritten, so AWS looks up a slash-less name that doesn't exist). - `coily ops aws ssm get-parameters-by-path --path /coilysiren --recursive` -> `ValidationException: The parameter name must begin with a forward slash "/"` (single-segment `/coilysiren` gets rewritten to a Windows path like `C:/Program Files/Git/coilysiren`, which no longer starts with `/`). Both resolve correctly when path-conversion is disabled: ``` MSYS_NO_PATHCONV=1 coily ops aws ssm get-parameter --name /coilysiren/netlify/token --query Parameter.Type --output text # -> SecureString ``` This is a real footgun: the failure mode looks like a missing param or a wrong AWS account, when the param is present and the account is correct. It will bite every leading-slash arg on Windows (SSM names, any `/`-rooted value), not just Netlify. ## Asks 1. **Guard inside `coily.exe` on Windows** so callers don't have to think about it. Options: - Detect msys/cygwin (`MSYSTEM` set, or running under git-bash) and set `MSYS_NO_PATHCONV=1` / `MSYS2_ARG_CONV_EXCL='*'` for child `aws` invocations, or - Pass SSM names in a conversion-safe form to the child process. 2. **Detect-and-warn fallback:** if a leading-slash arg arrives already rewritten to a drive-letter path (`C:/...coilysiren...`), emit a clear operator notice naming msys path-conversion as the cause, rather than surfacing a raw `ParameterNotFound` / `ValidationException`. ## Workaround (in place now) `export MSYS_NO_PATHCONV=1` added to the tower shell rc so interactive + agent calls stop mangling. Issue tracks the durable in-binary fix. ## Origin Surfaced while wiring a Netlify PAT into SSM for the `coily ops netlify` work (agentic-os-kai#518) on kai-desktop-tower. The token put had actually succeeded; the reads only appeared to fail because of msys path-conversion.

coilysiren added the

P2

label 2026-05-31 01:52:35 +00:00

coilysiren added

P3

and removed

P2

labels 2026-05-31 06:59:39 +00:00

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

dispatch/issue-306

args-file-mcporter

claude/coily-docker-image-FF2Rw

claude/busy-almeida-0168e4

v2.50.0

v2.49.1

v2.49.0

v2.48.0

v2.47.0

v2.46.0

v2.45.0

v2.44.1

v2.44.0

v2.43.2

v2.43.1

v2.43.0

v2.42.0

v2.41.0

v2.40.2

v2.40.1

v2.40.0

v2.39.0

v2.37.2

v2.38.0

v2.23.0

v2.37.1

v2.37.0

v2.36.0

v2.35.0

v2.34.0

v2.33.0

v2.32.0

v2.31.0

v2.30.0

v2.29.2

v2.29.1

v2.29.0

v2.28.0

v2.27.0

v2.26.0

v2.25.0

v2.24.0

v2.22.0

v2.21.0

v2.20.0

v2.19.0

v2.18.1

v2.18.0

v2.17.0

v2.16.0

v2.15.2

v2.15.1

v2.15.0

v2.14.0

v2.13.1

v2.13.0

v2.12.0

v2.11.2

v2.11.1

v2.11.0

v2.10.0

v2.9.0

v2.8.0

v2.7.1

v2.7.0

v2.6.0

v2.5.3

v2.5.2

v2.5.1

v2.5.0

v2.4.1

v2.4.0

v2.3.1

v2.3.0

v2.2.0

v2.1.0

v2.0.1

v2.0.0

v1.16.0

v1.15.2

v1.15.1

v1.15.0

v1.14.0

v1.13.0

v1.12.0

v1.11.0

v1.10.0

v1.9.6

v1.9.5

v1.9.4

v1.9.3

v1.9.2

v1.9.1

v1.9.0

v1.8.8

v1.8.7

v1.8.6

v1.8.5

v1.8.4

v1.8.3

v1.8.2

v1.8.1

v1.8.0

v1.7.8

v1.7.7

v1.7.6

v1.7.5

v1.7.4

v1.7.3

v1.7.2

v1.7.1

v1.7.0

v1.6.0

v1.5.123

v1.5.122

v1.5.121

v1.5.120

v1.5.119

v1.5.118

v1.5.117

v1.5.116

v1.5.115

v1.5.114

v1.5.113

v1.5.112

v1.5.111

v1.5.110

v1.5.109

v1.5.108

v1.5.107

v1.5.106

v1.5.105

v1.5.104

v1.5.103

v1.5.102

v1.5.101

v1.5.100

v1.5.99

v1.5.98

v1.5.97

v1.5.96

v1.5.95

v1.5.94

v1.5.93

v1.5.92

v1.5.91

v1.5.90

v1.5.89

v1.5.88

v1.5.87

v1.5.86

v1.5.85

v1.5.84

v1.5.83

v1.5.82

v1.5.81

v1.5.80

v1.5.79

v1.5.78

v1.5.77

v1.5.76

v1.5.75

v1.5.74

v1.5.73

v1.5.72

v1.5.71

v1.5.70

v1.5.69

v1.5.68

v1.5.67

v1.5.66

v1.5.65

v1.5.64

v1.5.63

v1.5.62

v1.5.61

v1.5.60

v1.5.59

v1.5.58

v1.5.57

v1.5.56

v1.5.55

v1.5.54

v1.5.53

v1.5.52

v1.5.51

v1.5.50

v1.5.49

v1.5.48

v1.5.47

v1.5.46

v1.5.45

v1.5.44

v1.5.43

v1.5.42

v1.5.41

v1.5.40

v1.5.39

v1.5.38

v1.5.37

v1.5.36

v1.5.35

v1.5.34

v1.5.33

v1.5.32

v1.5.31

v1.5.30

v1.5.29

v1.5.28

v1.5.27

v1.5.26

v1.5.25

v1.5.24

v1.5.23

v1.5.22

v1.5.21

v1.5.20

v1.5.19

v1.5.18

v1.5.17

v1.5.16

v1.5.15

v1.5.14

v1.5.13

v1.5.12

v1.5.11

v1.5.10

v1.5.9

v1.5.8

v1.5.7

v1.5.6

v1.5.5

v1.5.4

v1.5.3

v1.5.2

v1.5.1

v1.5.0

v1.4.1

v1.4.0

v1.3.0

v1.2.4

v1.2.3

v1.2.2

v1.2.1

v1.2.0

v1.1.3

v1.1.2

v1.1.1

v1.1.0

v1.0.1

v1.0.0

v0.5.3

v0.5.2

v0.5.1

v0.5.0

v0.4.0

v0.3.2

v0.3.1

v0.3.0

v0.2.0

v0.1.0

v0.0.38

v0.0.37

v0.0.36

v0.0.35

v0.0.34

v0.0.33

v0.0.32

v0.0.31

v0.0.30

v0.0.29

v0.0.28

v0.0.27

v0.0.26

v0.0.25

v0.0.24

v0.0.23

v0.0.22

v0.0.21

v0.0.20

v0.0.19

v0.0.18

v0.0.17

v0.0.16

v0.0.15

v0.0.14

v0.0.13

v0.0.12

v0.0.11

v0.0.10

v0.0.9

v0.0.8

v0.0.7

v0.0.6

v0.0.5

v0.0.4

v0.0.3

v0.0.2

v0.0.1

tools-latest

Labels

Clear labels

  

P0

now / blocking / urgent

  

P1

next / important

  

P2

backlog / will do

  

P3

someday / low

  

P4

icebox / frozen / reopen if it becomes real

No labels

P0

P1

P2

P3

P4

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

coilyco-bridge/coily#156

No description provided.