From 26616fced56d7d4b18ec4f3157a65366be35f90f Mon Sep 17 00:00:00 2001
From: sommerfeld <sommerfeld@sommerfeld.dev>
Date: Thu, 14 May 2026 12:53:48 +0100
Subject: fix(zsh): preserve forwarded SSH_AUTH_SOCK in SSH sessions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

zprofile unconditionally pointed SSH_AUTH_SOCK at the local
gpg-agent's ssh socket. On remote machines (e.g. remote-dev VM)
that clobbers ssh-agent forwarding — `ssh-add -L` reports no
identities because the VM's gpg-agent has no keys.

Only override when there's no forwarded socket (no $SSH_CONNECTION
or no $SSH_AUTH_SOCK from sshd).
---
 dot_config/zsh/dot_zprofile | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/dot_config/zsh/dot_zprofile b/dot_config/zsh/dot_zprofile
index 3c824d3..c02d15a 100644
--- a/dot_config/zsh/dot_zprofile
+++ b/dot_config/zsh/dot_zprofile
@@ -41,8 +41,12 @@ export LESS="-F --RAW-CONTROL-CHARS"
 
 # ── GPG / SSH ─────────────────────────────────────────────────────────────────
 unset SSH_AGENT_PID
-SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
-export SSH_AUTH_SOCK
+# If we're inside an SSH session with a forwarded agent socket, keep it.
+# Otherwise route SSH auth through the local gpg-agent.
+if [[ -z "$SSH_CONNECTION" || -z "$SSH_AUTH_SOCK" ]]; then
+	SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
+	export SSH_AUTH_SOCK
+fi
 
 # ── FZF ───────────────────────────────────────────────────────────────────────
 export FZF_DEFAULT_COMMAND="fd --type file --follow --hidden --exclude .git --color=always"
-- 
cgit v1.3.1