[GH-ISSUE #78] bug(docker): kiro-cli SQLite volume mounted as read-only breaks token persistence #50

Open
opened 2026-02-27 07:17:42 +03:00 by kerem · 0 comments
Owner

Originally created by @kilhyeonjun on GitHub (Feb 12, 2026).
Original GitHub issue: https://github.com/jwadow/kiro-gateway/issues/78

Bug Description

When using KIRO_CLI_DB_FILE authentication with Docker, the documentation and docker-compose.yml recommend mounting the kiro-cli SQLite database as read-only (:ro). However, auth.py writes refreshed tokens back to the SQLite database via _save_credentials_to_sqlite(), which fails silently with:

SQLite error saving credentials: attempt to write a readonly database

Impact

  • Refreshed tokens are never persisted to disk
  • After container restart, stale/expired tokens are loaded → authentication failures
  • Downstream services (e.g., Telegram bots) receive Connection error or HTTP 504

Affected Files

All documentation recommends :ro for kiro-cli SQLite mount:

  • docker-compose.yml L52
  • README.md L343
  • AGENTS.md L200
  • docs/ja/README.md L343
  • docs/ru/README.md L343
  • docs/pt/README.md L343
  • docs/zh/README.md L343
  • docs/ko/README.md L343
  • docs/id/README.md L343
  • docs/es/README.md L343

Code Reference

kiro/auth.py:

  • L446: _save_credentials_to_sqlite() — writes refreshed tokens to SQLite
  • L629, L756: called after token refresh

Expected Behavior

kiro-cli SQLite volume should be mounted as :rw (or without flag, which defaults to rw) so that refreshed tokens can be persisted.

Note: ~/.aws/sso/cache mount should remain :ro — the gateway only reads from it.

Suggested Fix

Change kiro-cli SQLite mount from :ro to :rw in all documentation and docker-compose.yml.
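
The failure mode described in this issue, reproduced as an added example (not code from kiro-gateway or from the issue author). Python's `sqlite3` URI `mode=ro` stands in for the `:ro` bind mount; the `auth_kv` table, the helper names and the token strings are constructed for illustration and are not kiro-cli's real schema.

```python
import os
import sqlite3
import tempfile

def open_db(path, read_only):
    """Open the DB as a :ro or :rw mount would allow (simulated with URI mode)."""
    mode = "ro" if read_only else "rw"
    return sqlite3.connect(f"file:{path}?mode={mode}", uri=True)

def save_token(conn, token):
    """Persist a refreshed token; return (ok, error) so the caller can fail loudly."""
    try:
        with conn:  # commits on success, rolls back on error
            conn.execute(
                "INSERT OR REPLACE INTO auth_kv (key, value) VALUES ('token', ?)",
                (token,),
            )
        return True, None
    except sqlite3.OperationalError as exc:
        return False, str(exc)

def load_token(path):
    """Read the stored token, as a freshly started container would."""
    conn = open_db(path, read_only=True)
    try:
        row = conn.execute("SELECT value FROM auth_kv WHERE key = 'token'").fetchone()
        return row[0] if row else None
    finally:
        conn.close()

def simulate_restart(read_only):
    """Refresh a token in one 'container', then reload it after a 'restart'."""
    fd, path = tempfile.mkstemp(suffix=".sqlite3")
    os.close(fd)
    try:
        seed = sqlite3.connect(path)  # constructed sample database
        with seed:
            seed.execute("CREATE TABLE auth_kv (key TEXT PRIMARY KEY, value TEXT)")
            seed.execute("INSERT INTO auth_kv VALUES ('token', 'stale-token')")
        seed.close()
        conn = open_db(path, read_only)
        ok, err = save_token(conn, "refreshed-token")
        conn.close()
        return ok, err, load_token(path)
    finally:
        os.remove(path)

if __name__ == "__main__":
    print(simulate_restart(read_only=True))   # write rejected, stale token reloaded
    print(simulate_restart(read_only=False))  # write persisted, refreshed token reloaded
```

Returning the error from the save path lets the caller log or abort at refresh time instead of discovering the stale token only after the next restart.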
