Syncs project memory, custom agents, and commands across machines. Excludes secrets (settings.json), session state, and runtime files. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
1.2 KiB
name, description, type
| name | description | type |
|---|---|---|
| Kiro Gateway token sync architecture | How kiro-gateway HA cluster handles AWS SSO OIDC tokens — Mac is the single auth authority, syncs to LXCs every 20min via LaunchAgent | reference |
Three kiro-gateway LXCs (900/.215 on PX1, 901/.216 on PX2, 902/.217 on PX3) proxy Kiro IDE's API behind VIP 192.168.86.210:8000.
Auth uses AWS SSO OIDC via kiro-cli. Credentials are in /root/.local/share/kiro-cli/data.sqlite3 on each LXC (auth_kv table, key kirocli:odic:token).
Critical: AWS SSO OIDC refresh tokens are single-use. Multiple LXCs cannot independently hold the same token — whichever refreshes first invalidates the others.
Solution: Mac is the single token authority. LaunchAgent com.csader.kiro-token-sync (script at ~/.local/bin/kiro-token-sync.sh) syncs Mac's ~/Library/Application Support/kiro-cli/data.sqlite3 to all three LXCs every 20 minutes via scp + pct push. Log at ~/Library/Logs/kiro-token-sync.log.
If tokens expire: Copy Mac's DB manually, or run kiro-cli login (requires browser) then run the sync script. No non-interactive re-auth path exists once refresh token is dead.
Full ops doc: 4 - Areas/Home/Homelab-2026/Operations/Kiro Gateway Operations.md