refactor: eliminate cd usage in bun wrapper script

Replace explicit directory changes with subshell execution to avoid
changing the main shell's working directory. Infisical now runs from
project root in a subprocess while preserving the original shell
location.

🤖 Generated with Codebuff Co-Authored-By: Codebuff
<noreply@codebuff.com>

Author: brandonkachen

.bin/bun

@@ -22,8 +22,21 @@ if [ -z "$REAL_BUN" ]; then
     REAL_BUN=$(PATH=$(echo "$PATH" | tr ':' '\n' | grep -v "^$SCRIPT_DIR$" | tr '\n' ':') which bun)
 fi
 
+# Function to find project root using git
+find_project_root() {
+    # Use git to find the repository root
+    local git_root=$(git rev-parse --show-toplevel 2>/dev/null)
+    if [ -n "$git_root" ]; then
+        echo "$git_root"
+    else
+        # Fallback to current directory if not in a git repo
+        echo "$(pwd)"
+    fi
+}
+
 # Infisical cache configuration
-CACHE_FILE=".infisical-cache"
+PROJECT_ROOT="$(find_project_root)"
+CACHE_FILE="$PROJECT_ROOT/.infisical-cache"
 CACHE_TTL_SECONDS=${INFISICAL_CACHE_TTL:-900}  # Default 15 minutes, configurable via env var
 
 # Clean up any leftover temporary files
@@ -45,8 +58,8 @@ is_cache_valid() {
     fi
 
     # Check if .infisical.json has been modified since cache was created
-    if [ -f ".infisical.json" ]; then
-        local infisical_time=$(stat -f "%m" ".infisical.json" 2>/dev/null || stat -c "%Y" ".infisical.json" 2>/dev/null)
+    if [ -f "$PROJECT_ROOT/.infisical.json" ]; then
+        local infisical_time=$(stat -f "%m" "$PROJECT_ROOT/.infisical.json" 2>/dev/null || stat -c "%Y" "$PROJECT_ROOT/.infisical.json" 2>/dev/null)
         if [ $infisical_time -gt $cache_time ]; then
             return 1
         fi
@@ -82,12 +95,12 @@ create_cache() {
     # Set performance optimizations for Infisical
     export INFISICAL_DISABLE_UPDATE_CHECK=true
 
-    # Try to get secrets using infisical export with timeout (fast path)
+    # Run infisical export in a subshell from project root to avoid cd in main shell
     local output
     local temp_file=$(mktemp)
 
-    # Run infisical export in background, suppress stderr to avoid cluttered output
-    (infisical export > "$temp_file" 2>/dev/null; echo $? > "$temp_file.exit") &
+    # Run infisical export in background from project root, suppress stderr to avoid cluttered output
+    (cd "$PROJECT_ROOT" && infisical export > "$temp_file" 2>/dev/null; echo $? > "$temp_file.exit") &
     local pid=$!
 
     # Wait up to 10 seconds

knowledge.md

@@ -216,7 +216,7 @@ The `.bin/bun` script automatically wraps bun commands with infisical when secre
 
 **Performance Optimizations**: The wrapper uses `--silent` flag with Infisical to reduce CLI output overhead and sets `INFISICAL_DISABLE_UPDATE_CHECK=true` to skip version checks for faster startup times.
 
-**Infisical Caching**: The wrapper implements robust caching of environment variables in `.infisical-cache` with a 15-minute TTL (configurable via `INFISICAL_CACHE_TTL`). This reduces startup time from ~1.2s to ~0.16s (87% improvement). The cache uses `infisical export` which outputs secrets directly in `KEY='value'` format, ensuring ONLY Infisical-managed secrets are cached (no system environment variables). Multi-line secrets like RSA private keys are handled correctly using `source` command. Cache automatically invalidates when `.infisical.json` is modified or after TTL expires.
+**Infisical Caching**: The wrapper implements robust caching of environment variables in `.infisical-cache` with a 15-minute TTL (configurable via `INFISICAL_CACHE_TTL`). This reduces startup time from ~1.2s to ~0.16s (87% improvement). The cache uses `infisical export` which outputs secrets directly in `KEY='value'` format, ensuring ONLY Infisical-managed secrets are cached (no system environment variables). Multi-line secrets like RSA private keys are handled correctly using `source` command. Cache automatically invalidates when `.infisical.json` is modified or after TTL expires. Uses subshell execution to avoid changing the main shell's working directory.
 
 **Session Validation**: The wrapper detects expired Infisical sessions using `infisical export` with a robust 10-second timeout implementation that works cross-platform (macOS and Linux). Uses background processes with polling to prevent hanging on interactive prompts. Valid sessions output environment variables in `KEY='value'` format, while expired sessions either output interactive prompts or timeout. Provides clear error messages directing users to run `infisical login`.