
Conversation

@osterman
Member

Summary

This PR integrates Atmos authentication support into Geodesic by:

  • Mounting Atmos-specific directories (.cache/atmos and .local/share/atmos) when they exist on the host
  • Configuring Atmos XDG environment variables for proper credential and cache storage
  • Adding a new use-identity helper function for seamless Atmos auth workflow

Changes

1. Wrapper Script (wrapper-body.sh)

  • Added conditional mounting of .cache/atmos and .local/share/atmos directories
  • Only mounts directories if they exist on the host to avoid unnecessary overhead
  • Enables persistent SSO token caching and keyring storage across Geodesic sessions

2. Atmos Configuration (atmos.sh)

  • Export ATMOS_XDG_CONFIG_HOME, ATMOS_XDG_DATA_HOME, and ATMOS_XDG_CACHE_HOME environment variables
  • These direct Atmos to use the container's home directory paths that are mounted from the host

3. New use-identity Function

  • Added in atmos.sh as a general-purpose function (not AWS-specific)
  • Usage: use-identity [identity-name]
    • use-identity alone brings up the interactive identity selector
    • use-identity my-identity directly authenticates with that identity using --identity=my-identity syntax
  • Integrates with AWS prompt refresh when available (checks for export_current_aws_role)

Test Plan

  • Verify Atmos auth directories are mounted when present
  • Test use-identity with no arguments (should show selector)
  • Test use-identity my-identity (should authenticate directly)
  • Verify SSO tokens persist across Geodesic sessions
  • Verify keyring data persists across Geodesic sessions
  • Confirm existing assume-role workflows still work
  • Test with Geodesic container that has Atmos installed
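
The helper described above runs `atmos auth env` and evaluates its output. The following is an added example, not the PR's `rootfs/etc/profile.d/atmos.sh`: it keeps the same two modes (no argument for the selector, `--identity=<name>` for direct authentication) but validates the captured text before `eval` so that only plain `export NAME=value` assignments can ever be executed. Assumptions not confirmed by this page: `atmos auth env` prints `export` lines on stdout and sends its selector and diagnostics to stderr; the function is spelled `use_identity` because a hyphen is not a valid function-name character in POSIX sh. The sample outputs at the bottom are constructed, not real CLI output.

```shell
# Added example, not the PR's rootfs/etc/profile.d/atmos.sh. Assumed (not
# confirmed by the page): `atmos auth env` prints `export NAME=value` lines
# on stdout, accepts `--identity=<name>`, and sends its interactive selector
# and diagnostics to stderr. Named use_identity because a hyphen is not a
# valid POSIX sh function-name character.

# Return 0 only if every non-blank, non-comment line is `export NAME=value`
# where value is either unquoted from a conservative character set (enough
# for AWS keys and base64-style session tokens) or single-quoted with no
# quote inside. Command substitution, `;`, `&&`, `|` and redirections all
# fail the pattern, so eval can only ever perform plain assignments.
atmos_env_is_safe() {
  sq="'"
  pat="^export [A-Za-z_][A-Za-z0-9_]*=([A-Za-z0-9_./:@+=-]*|${sq}[^${sq}]*${sq})\$"
  body=$(printf '%s\n' "$1" | grep -v '^[[:space:]]*$' | grep -v '^#')
  [ -n "$body" ] || return 1   # nothing to export is a failure, not a no-op
  # grep -v prints (exit 0) when some line does NOT match: that means unsafe.
  if printf '%s\n' "$body" | grep -Evq "$pat"; then
    return 1
  fi
  return 0
}

# use_identity [identity-name]
# No argument: let atmos run its interactive selector.
# With an argument: authenticate directly using --identity=<name>.
use_identity() {
  identity="$1"
  if ! command -v atmos >/dev/null 2>&1; then
    printf 'use-identity: atmos is not installed or not in PATH\n' >&2
    return 1
  fi
  # Capture stdout only. Prompts and error text stay on stderr, so they can
  # never be mixed into the string that is evaluated below.
  if [ -n "$identity" ]; then
    out=$(atmos auth env --identity="$identity") || {
      printf 'use-identity: atmos auth env failed for identity %s\n' "$identity" >&2
      return 1
    }
  else
    out=$(atmos auth env) || {
      printf 'use-identity: atmos auth env failed\n' >&2
      return 1
    }
  fi
  if ! atmos_env_is_safe "$out"; then
    printf 'use-identity: refusing to eval unexpected output from atmos auth env\n' >&2
    return 1
  fi
  eval "$out"
  # Refresh the prompt when Geodesic's aws.sh helper is loaded.
  if command -v export_current_aws_role >/dev/null 2>&1; then
    export_current_aws_role
  fi
}

# Constructed samples (not real atmos output) for exercising the validator
# offline: one well-formed credential set, one with an injected command.
SAMPLE_OK="export AWS_ACCESS_KEY_ID=AKIAEXAMPLEKEY
# comment lines are ignored
export AWS_SESSION_TOKEN='abc+/def=='"
SAMPLE_BAD="export AWS_PROFILE=dev; echo injected"
```

Capturing only stdout is a deliberate difference from capturing `2>&1`: with stderr merged in, any prompt text or warning the CLI prints would become part of the string handed to `eval`, and the exit-status check alone would not catch a successful run whose output was not pure assignments. The validator is the second line of defence; a non-zero exit still short-circuits before it.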

osterman and others added 2 commits October 31, 2025 17:06
- Mount Atmos-specific directories (.cache/atmos, .local/share/atmos) for auth support
- Configure Atmos XDG environment variables for proper credential/cache storage
- Add use-identity helper function for seamless Atmos auth workflow

This enables users to authenticate via Atmos using `use-identity` command,
with support for both interactive identity selection (no args) and direct
identity specification (with identity name).

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>
Updates use-identity function to pass identity using --identity=value
format instead of --identity value for consistency with atmos CLI conventions.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>
@osterman osterman requested a review from a team as a code owner October 31, 2025 22:28
@coderabbitai

coderabbitai bot commented Oct 31, 2025

📝 Walkthrough

Walkthrough

Adds the atmos package, sets XDG environment defaults and a use-identity() auth helper in the shell profile, and mounts Atmos cache/data host directories into containers when present.

Changes

Cohort / File(s) Change Summary
Package Management
packages.txt
Added atmos@cloudposse=1.198.0 to the essential packages list.
Shell Configuration & Authentication
rootfs/etc/profile.d/atmos.sh
Exported XDG variables ATMOS_XDG_CONFIG_HOME, ATMOS_XDG_DATA_HOME, ATMOS_XDG_CACHE_HOME. Added use-identity() function that validates presence of the atmos CLI, runs atmos auth env (with optional --identity), evaluates the output to set env vars, and calls export_current_aws_role if available. Preserves existing atmos_configure_base_path behavior.
Container Mounting
rootfs/templates/wrapper-body.sh
Added logic to conditionally append Docker --volume mounts for host ~/.cache/atmos and ~/.local/share/atmos (if they exist) to DOCKER_LAUNCH_ARGS, with debug logging; placed after HOMEDIR_MOUNTS processing and before workspace mounts.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20–30 minutes

  • Inspect use-identity() for safe handling of eval on CLI output and error paths when atmos is missing or returns unexpected output.
  • Verify XDG default paths match Atmos expectations and do not conflict with other profile scripts.
  • Confirm Docker volume mount semantics and path quoting are correct for varied host environments.

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name Status Explanation
Title check ✅ Passed The title 'Add Atmos auth integration to Geodesic' clearly and concisely summarizes the main objective of the PR, accurately reflecting the core changes across multiple files.
Description check ✅ Passed The description is comprehensive and directly related to the changeset, detailing the three main components (wrapper script changes, atmos configuration, and use-identity function) with clear implementation details and testing guidance.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

📜 Recent review details


📥 Commits

Reviewing files that changed from the base of the PR and between 6d9a0ae and 7db21e1.

📒 Files selected for processing (1)
  • packages.txt (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • packages.txt


@github-actions github-actions bot added the shell label Oct 31, 2025
Adds Atmos to the default package list to enable Atmos auth
functionality out of the box. Pins to version 1.197.0 for stability.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (1)
rootfs/templates/wrapper-body.sh (1)

534-541: Consider adding Atmos mounts to tracking variable for consistency.

Unlike HOMEDIR_MOUNTS (which updates GEODESIC_HOMEDIR_MOUNTS for container visibility), the Atmos mounts do not update any tracking variable. If container-side code or logging needs to know which Atmos directories are mounted, consider updating a tracking variable here.

📜 Review details


📥 Commits

Reviewing files that changed from the base of the PR and between 9dcc82c and 6d9a0ae.

📒 Files selected for processing (3)
  • packages.txt (1 hunks)
  • rootfs/etc/profile.d/atmos.sh (1 hunks)
  • rootfs/templates/wrapper-body.sh (1 hunks)
🧰 Additional context used
🧠 Learnings (2)
📚 Learning: 2024-12-31T04:41:45.788Z
Learnt from: Nuru
Repo: cloudposse/geodesic PR: 961
File: rootfs/templates/wrapper-body.sh:1-1
Timestamp: 2024-12-31T04:41:45.788Z
Learning: The file `rootfs/templates/wrapper-body.sh` is a partial template fragment that merges with a shebang from an earlier template, so no separate shebang is required here. Also, `homedir_default_mounts` must remain a string in order to be properly exported to a subshell.

Applied to files:

  • rootfs/templates/wrapper-body.sh
📚 Learning: 2025-01-20T04:29:55.469Z
Learnt from: Nuru
Repo: cloudposse/geodesic PR: 961
File: rootfs/templates/wrapper-body.sh:312-312
Timestamp: 2025-01-20T04:29:55.469Z
Learning: The Geodesic wrapper script is split into two parts: a header template (`wrapper-header.sh.tmpl`) that defines variables and a body (`wrapper-body.sh`) that contains the main logic. These files are concatenated during the build process to create the final wrapper script.

Applied to files:

  • rootfs/templates/wrapper-body.sh
🧬 Code graph analysis (1)
rootfs/etc/profile.d/atmos.sh (1)
rootfs/etc/profile.d/aws.sh (1)
  • export_current_aws_role (112-249)
🔇 Additional comments (4)
rootfs/templates/wrapper-body.sh (1)

534-541: Mount implementation follows established patterns correctly.

The Atmos directory mounts are conditionally applied, follow the same structure as HOMEDIR_MOUNTS, and include proper debug logging. The inline comment justifying why these small directories are mounted is helpful.

rootfs/etc/profile.d/atmos.sh (3)

3-7: XDG path exports are correct and align with mounted directories.

The parameter expansion patterns are correct, defaults follow XDG Base Directory spec, and the paths correspond to the mounted Atmos directories from wrapper-body.sh. This enables Atmos to locate cached credentials and config within the container's home.


9-42: use-identity function is well-structured with good error handling.

The function correctly splits into two modes (no-args for selector, with-args for direct identity), properly checks for the atmos command, and captures/validates command output before processing. The optional AWS role refresh integration improves UX by updating the prompt after credential changes.


36-36: The eval usage here is acceptable given atmos is a trusted tool.

Line 36 evaluates output from atmos auth env, which is designed to produce shell variable exports. Since atmos is a controlled Cloud Posse tool and the output has already been validated by the command's exit status check (lines 23, 29), the security risk is low. The stderr is captured (lines 23, 29 use 2>&1), so any errors prevent eval from executing.

Please confirm in your test plan that use-identity interactions (both no-args and with-args) have been validated as part of the PR test items.
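
The review above covers the conditional `--volume` mounts for `~/.cache/atmos` and `~/.local/share/atmos` and suggests a tracking variable like the one `HOMEDIR_MOUNTS` maintains. The block below is an added example of that host-side logic, not the PR's `rootfs/templates/wrapper-body.sh`: it mounts only directories that exist, emits the arguments newline-separated so a home path containing spaces survives, warns when a credential directory is not private, and produces a comma-separated list of container paths for a tracking variable. The function names (`atmos_mount_args`, `atmos_mounted_paths`, `warn_if_shared`, `atmos_docker_preview`), the variable `ATMOS_HOST_DIRS`, and the container home path passed as the second argument are all assumptions for illustration, not identifiers from Geodesic.

```shell
# Added example, not the PR's rootfs/templates/wrapper-body.sh. Function and
# variable names here are illustrative assumptions, as is the container home
# path (passed in as the second argument rather than hard-coded).

# Directories to mount only if they exist on the host, relative to $HOME.
ATMOS_HOST_DIRS=".cache/atmos .local/share/atmos"

# Warn if a credential directory is readable, writable or searchable by
# group or others. Uses `ls -ld` because stat(1) flags differ between GNU
# and BSD. Returns 0 when the directory is private (mode 700 or tighter).
warn_if_shared() {
  perms=$(ls -ld "$1" | cut -c1-10)     # e.g. drwx------
  case "${perms#????}" in               # drop type + user bits, keep group+other
    ------) return 0 ;;
    *) printf 'warning: %s is not private (%s); SSO tokens and keyring data live here\n' \
         "$1" "$perms" >&2
       return 1 ;;
  esac
}

# atmos_mount_args <host-home> <container-home>
# Print `--volume` and `<host>:<container>` on separate lines for each
# directory that exists. Newline separation keeps a path containing spaces
# intact; consumers read the lines back with `read`, never by unquoted
# word splitting.
atmos_mount_args() {
  host_home="$1"
  container_home="$2"
  for rel in $ATMOS_HOST_DIRS; do
    host_dir="$host_home/$rel"
    [ -d "$host_dir" ] || continue
    warn_if_shared "$host_dir" || :     # warn, but still mount
    printf '%s\n%s:%s/%s\n' --volume "$host_dir" "$container_home" "$rel"
  done
}

# atmos_mounted_paths <host-home> <container-home>
# Comma-separated container paths that were mounted, suitable for handing
# into the container (for example as a GEODESIC_ATMOS_MOUNTS variable, by
# analogy with GEODESIC_HOMEDIR_MOUNTS) so in-container code can tell which
# Atmos directories persist across sessions.
atmos_mounted_paths() {
  host_home="$1"
  container_home="$2"
  list=""
  for rel in $ATMOS_HOST_DIRS; do
    [ -d "$host_home/$rel" ] || continue
    list="${list:+$list,}$container_home/$rel"
  done
  printf '%s\n' "$list"
}

# atmos_docker_preview <host-home> <container-home>
# Read the mount arguments back into the positional parameters (one array
# element per line, so spaces in paths are preserved) and print the docker
# command line for inspection without running it.
atmos_docker_preview() {
  args=$(atmos_mount_args "$1" "$2")
  set --
  while IFS= read -r arg; do
    [ -n "$arg" ] && set -- "$@" "$arg"
  done <<EOF
$args
EOF
  printf 'docker run'
  for a in "$@"; do printf ' %s' "$a"; done
  printf ' geodesic\n'
}
```

The permission warning is the check a practitioner wants before mounting these paths: the PR persists SSO tokens and keyring data there, so a group- or world-readable directory on the host leaks them to every local account, regardless of how the container is configured. The mount is still performed so an overly permissive directory does not silently break authentication, but the warning lands on stderr where the wrapper's debug logging would surface it.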

@osterman osterman merged commit af123c0 into main Dec 10, 2025
4 checks passed
@osterman osterman deleted the atmos-auth-integration branch December 10, 2025 14:59