eco-server: harden boot path + resolve -userToken leak and DiscordLink error (post-reboot incident) #537
Labels
No labels
burndown-2026-06
coherence-core
consult
headless
interactive
P0
P1
P2
P3
P4
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference
coilyco-flight-deck/infrastructure#537
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Incident (2026-07-10): Eco game server did not come back after kai-server reboot
eco.coilysiren.me(EcoServer 0.13.0.4) crash-looped after the reboot ~08:28. Two independent regressions, both now fixed inbdc6bab:1. Missing boot scripts (fixed)
eco-server.servicerunsscripts/eco-server-pre.sh(steamcmd validate) andscripts/eco-server-start.sh(token injection + launch) as itsExecStartPre/ExecStart. Both were deleted ind51837a(coilysiren/inbox#174) as "never called in a real deploy" - but they are the actual boot path. The running process predated the deletion, so it only broke on the first reboot since. Boot failed with exit 127 (No such file or directory). Restored fromd51837a^.2. Dropped Strange Cloud login (fixed)
bc5a48bdropped-userTokenfrom theEcoServerlaunch on the theory that injecting the token intoNetwork.ecoasServerAPITokenreplaces it. It does not: EcoServer 0.13.0.4 only accepts Strange Cloud login via argv (-userToken/-username+-password/-steamTicket/-offline). Without the flag every boot failed withNo authentication methods were available, even though the JWT (valid, non-expired, play.eco-issued) was present in the config. Re-added-userToken; the server now authenticates (Logged in as coilysiren) and players connect.Open follow-ups
-userToken=<jwt>re-exposes the bearer token in/proc/<pid>/cmdlineand anysystemctl status/ps/journald scrape. The token is valid until 2052, so the leak is meaningful. Options: find a non-argv token path in EcoServer 0.13 (none in the accepted-methods list), rotate to a shorter-lived token, or accept + document.bc5a48b's fix regressed availability, so it can't simply be reinstated.System.InvalidOperationException: TextCommandProcessor has not been configuredfires from the DiscordLink plugin on each DiscordMessageCreatedevent. Non-fatal (server + players fine) but noisy in the journal. Likely a DiscordLink config/version mismatch after the steamcmd update.systemd/*.serviceExecStart references before deletingscripts/. Consider a pre-commit check that fails when a trackedExecStart/ExecStartPrepath points at a non-existent repo file.Refs: coilysiren/inbox#174 (removal record), commits
d51837a,bc5a48b,bdc6bab.Folded under the resilience epic #541 - eco-server post-reboot boot path is another surface of the same self-recovery gap