From ec92d2f28a7831e04c4caebf5eecef204951edce Mon Sep 17 00:00:00 2001
From: Yvette Carlisle
Date: Wed, 27 May 2026 19:39:24 +0800
Subject: [PATCH] {"schema":"decodex/commit/1","summary":"Bypass inherited Git credential helpers","authority":"manual"}
---
 apps/decodex/src/agent/json_rpc.rs | 22 ++++++++++++----------
 apps/decodex/src/default_branch_sync.rs | 18 ++++++++++--------
 apps/decodex/src/git_credentials.rs | 3 +++
 3 files changed, 25 insertions(+), 18 deletions(-)
diff --git a/apps/decodex/src/agent/json_rpc.rs b/apps/decodex/src/agent/json_rpc.rs
index 9c81e522..ca80ba2c 100644
--- a/apps/decodex/src/agent/json_rpc.rs
+++ b/apps/decodex/src/agent/json_rpc.rs
@@ -786,26 +786,28 @@ mod tests {
 assert_eq!(envs.get("GIT_TERMINAL_PROMPT").map(String::as_str), Some("0"));
 assert_eq!(envs.get("GCM_INTERACTIVE").map(String::as_str), Some("never"));
 assert_eq!(envs.get("GIT_ASKPASS").map(String::as_str), Some("/tmp/decodex-askpass.sh"));
- assert_eq!(envs.get("GIT_CONFIG_COUNT").map(String::as_str), Some("9"));
+ assert_eq!(envs.get("GIT_CONFIG_COUNT").map(String::as_str), Some("10"));
+ assert_eq!(envs.get("GIT_CONFIG_KEY_0").map(String::as_str), Some("credential.helper"));
+ assert_eq!(envs.get("GIT_CONFIG_VALUE_0").map(String::as_str), Some(""));
 assert_eq!(
- envs.get("GIT_CONFIG_KEY_1").map(String::as_str),
+ envs.get("GIT_CONFIG_KEY_2").map(String::as_str),
 Some("url.https://github.com/.insteadOf")
 );
- assert_eq!(envs.get("GIT_CONFIG_VALUE_1").map(String::as_str), Some("git@github.com-x:"));
+ assert_eq!(envs.get("GIT_CONFIG_VALUE_2").map(String::as_str), Some("git@github.com-x:"));
 assert_eq!(
- envs.get("GIT_CONFIG_KEY_5").map(String::as_str),
+ envs.get("GIT_CONFIG_KEY_6").map(String::as_str),
 Some("url.https://github.com/.insteadOf")
 );
 assert_eq!(
- envs.get("GIT_CONFIG_VALUE_5").map(String::as_str),
+ envs.get("GIT_CONFIG_VALUE_6").map(String::as_str),
 Some("ssh://git@github.com-y/")
 );
- assert_eq!(envs.get("GIT_CONFIG_KEY_6").map(String::as_str), Some("commit.gpgsign"));
- assert_eq!(envs.get("GIT_CONFIG_VALUE_6").map(String::as_str), Some("false"));
- assert_eq!(envs.get("GIT_CONFIG_KEY_7").map(String::as_str), Some("tag.gpgsign"));
+ assert_eq!(envs.get("GIT_CONFIG_KEY_7").map(String::as_str), Some("commit.gpgsign"));
 assert_eq!(envs.get("GIT_CONFIG_VALUE_7").map(String::as_str), Some("false"));
- assert_eq!(envs.get("GIT_CONFIG_KEY_8").map(String::as_str), Some("user.signingkey"));
- assert_eq!(envs.get("GIT_CONFIG_VALUE_8").map(String::as_str), Some(""));
+ assert_eq!(envs.get("GIT_CONFIG_KEY_8").map(String::as_str), Some("tag.gpgsign"));
+ assert_eq!(envs.get("GIT_CONFIG_VALUE_8").map(String::as_str), Some("false"));
+ assert_eq!(envs.get("GIT_CONFIG_KEY_9").map(String::as_str), Some("user.signingkey"));
+ assert_eq!(envs.get("GIT_CONFIG_VALUE_9").map(String::as_str), Some(""));
 }
 #[test]
diff --git a/apps/decodex/src/default_branch_sync.rs b/apps/decodex/src/default_branch_sync.rs
index 45d4ba63..655db08c 100644
--- a/apps/decodex/src/default_branch_sync.rs
+++ b/apps/decodex/src/default_branch_sync.rs
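Review bot: The assertions in the `json_rpc.rs` test address config entries by absolute slot (`GIT_CONFIG_KEY_2`, `_6`, `_7` …), so adding one leading `credential.helper` entry forced nearly every index to be renumbered here, and the same happens in the `default_branch_sync.rs` test hunk. Collecting the `GIT_CONFIG_KEY_n`/`GIT_CONFIG_VALUE_n` pairs into a list and asserting membership, e.g. `assert!(pairs.contains(&("commit.gpgsign", "false")));`, would keep these tests stable across future insertions while still coping with the repeated `url.https://github.com/.insteadOf` key. Neither test hunk shows a case where the token or askpass path is absent; if none exists elsewhere, a test asserting that no `credential.helper` entry is emitted in that case would pin the guard the new code depends on. The test function begins outside the hunk.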
@@ -376,18 +376,20 @@ mod tests {
 envs.get("GIT_ASKPASS").map(String::as_str),
 Some("/tmp/decodex-default-branch-askpass.sh")
 );
- assert_eq!(envs.get("GIT_CONFIG_COUNT").map(String::as_str), Some("9"));
+ assert_eq!(envs.get("GIT_CONFIG_COUNT").map(String::as_str), Some("10"));
+ assert_eq!(envs.get("GIT_CONFIG_KEY_0").map(String::as_str), Some("credential.helper"));
+ assert_eq!(envs.get("GIT_CONFIG_VALUE_0").map(String::as_str), Some(""));
 assert_eq!(
- envs.get("GIT_CONFIG_KEY_0").map(String::as_str),
+ envs.get("GIT_CONFIG_KEY_1").map(String::as_str),
 Some("url.https://github.com/.insteadOf")
 );
- assert_eq!(envs.get("GIT_CONFIG_VALUE_0").map(String::as_str), Some("git@github.com:"));
- assert_eq!(envs.get("GIT_CONFIG_KEY_6").map(String::as_str), Some("commit.gpgsign"));
- assert_eq!(envs.get("GIT_CONFIG_VALUE_6").map(String::as_str), Some("false"));
- assert_eq!(envs.get("GIT_CONFIG_KEY_7").map(String::as_str), Some("tag.gpgsign"));
+ assert_eq!(envs.get("GIT_CONFIG_VALUE_1").map(String::as_str), Some("git@github.com:"));
+ assert_eq!(envs.get("GIT_CONFIG_KEY_7").map(String::as_str), Some("commit.gpgsign"));
 assert_eq!(envs.get("GIT_CONFIG_VALUE_7").map(String::as_str), Some("false"));
- assert_eq!(envs.get("GIT_CONFIG_KEY_8").map(String::as_str), Some("user.signingkey"));
- assert_eq!(envs.get("GIT_CONFIG_VALUE_8").map(String::as_str), Some(""));
+ assert_eq!(envs.get("GIT_CONFIG_KEY_8").map(String::as_str), Some("tag.gpgsign"));
+ assert_eq!(envs.get("GIT_CONFIG_VALUE_8").map(String::as_str), Some("false"));
+ assert_eq!(envs.get("GIT_CONFIG_KEY_9").map(String::as_str), Some("user.signingkey"));
+ assert_eq!(envs.get("GIT_CONFIG_VALUE_9").map(String::as_str), Some(""));
 }
 #[test]
diff --git a/apps/decodex/src/git_credentials.rs b/apps/decodex/src/git_credentials.rs
index 099bffb6..f64450e0 100644
--- a/apps/decodex/src/git_credentials.rs
+++ b/apps/decodex/src/git_credentials.rs
@@ -106,6 +106,9 @@ impl GitCredentialEnvironment {
 let mut git_config_entries = Vec::new();
 if self.github_token.is_some() && self.git_askpass_path.is_some() {
+ // Empty helper resets inherited helpers so routed askpass owns GitHub auth.
+ git_config_entries.push((String::from("credential.helper"), String::new()));
+
 for ssh_prefix in GITHUB_SSH_URL_PREFIXES {
 git_config_entries.push((
 format!("url.{GITHUB_HTTPS_URL_BASE}.insteadOf"),
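Review bot: The pushed key is the unscoped `credential.helper`, so the reset clears inherited helpers for every host Git contacts under this environment, not only GitHub as the added comment suggests. Any non-GitHub HTTPS remote (a submodule or mirror on another host) that an inherited helper used to serve will now fall through to the askpass program; that script is not visible here, so it is worth confirming that it checks the host in the prompt before returning the GitHub token. If only GitHub should be affected, the URL-scoped form `credential.https://github.com.helper` is the narrower setting, though how its empty value interacts with an unscoped inherited helper should be verified on the Git versions in use; otherwise the comment could read `// Empty helper resets inherited helpers for all hosts; the routed askpass is then the only credential source.` The enclosing method starts and ends outside the hunk.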