charles/claude-hooks
1
0
Fork 0
Code Issues 10 Pull requests Projects Releases Packages 1 Wiki Activity Actions

refactor(config): split agents.json into agents / service / auth files (+ env for secrets) #540

New issue
Closed
opened 2026-04-28 19:12:46 +00:00 by claude-desktop · 0 comments
claude-desktop commented 2026-04-28 19:12:46 +00:00
Collaborator
Copy link

User story

As an operator, I want config/agents.json to hold only agent-fleet configuration (types + per-instance overrides), so that operator-editable fields can't be mistakenly mixed with deploy-time infra and secrets, and the dashboard's /config/agents PUT surface has a single, narrow blast radius.

Why

Audit on 2026-04-28 showed config/agents.json is doing four unrelated jobs:

  1. Agent fleettypes, per-instance overrides (operator-editable, dashboard surface)
  2. Service infraforge_mcp_command, container_image, container_image_default, forgejo_url, webhook_secret_file, node_flows, watchdogs, penpot, ui_version
  3. Auth / secretsauth.operator_user, auth.trust_proxy, auth.authelia_logout_url, forgejo_oauth_client_id/_secret, github_oauth_client_id/_secret, public_base_url
  4. Repo bindingsrepos (already partly migrated to the watched_repos SQLite table, F4)

A single editable file mixing all four creates real risk: an operator hand-editing a type definition can fat-finger an oauth secret, accidentally widen trust_proxy, or break the gate. The dashboard's PUT handler already has guards but the file shape itself is the problem.

Acceptance criteria

Loader

  • New file config/service.json carries the service-infra group (item 2 above). Same JSON schema for those fields as today's agents.json
  • Operator-only secret fields (item 3) move to environment variables preferentially:
    • FORGEJO_OAUTH_CLIENT_ID / FORGEJO_OAUTH_CLIENT_SECRET (env override already exists, make it the only path)
    • GITHUB_OAUTH_CLIENT_ID / GITHUB_OAUTH_CLIENT_SECRET
    • GITLAB_OAUTH_CLIENT_ID / GITLAB_OAUTH_CLIENT_SECRET
    • PUBLIC_BASE_URL
    • WEBHOOK_SECRET (or keep WEBHOOK_SECRET_FILE env pointing at a file, like the rest of the secret-file pattern)
  • config/agents.json retains only: types + their per-instance overrides
  • auth block contents — keep operator_user + trust_proxy only if a follow-up audit confirms either is still doing useful work post-Authelia rip; otherwise drop the block entirely. authelia_logout_url already dead (today's logout rewiring), drop unconditionally
  • repos field — assess whether the watched_repos SQLite table fully replaces it; if yes, drop. If migration incomplete, leave for a follow-up issue

Migration mode

  • If a deployed agents.json still contains service / auth / repo fields, loader copies them into the resolved config (legacy fallback) AND prints a deprecation warning per field at boot
  • One-shot helper just config-split reads the legacy agents.json and writes config/service.json + a .env.split.example for the secret env vars; backs up the original to agents.json.pre-split.bak
  • After one stable release with the warning live, the fallback is removed in a follow-up

Tests

  • webhook-config.test.ts: load a fresh-style split set (agents.json types-only + service.json + env vars) and assert resolved config matches the legacy single-file equivalent
  • Loader test: legacy agents.json with service fields → warning printed, config still resolves
  • Loader test: missing OAUTH_ENCRYPTION_KEY and missing OAuth client env vars → service still boots, OAuth init routes return 503 (current behaviour preserved)

Dashboard

  • PUT /config/agents schema validation rejects any non-types field, returns 400 with a pointer to the new home (env var or service.json)

Docs

  • docs/configuration.md (new or existing) lists every field, its file/env home, and the operator vs ops ownership

Out of scope

  • Removing the auth block entirely (depends on the post-Authelia audit, separate issue)
  • Migrating the repos field out of agents.json (depends on F4 watched_repos rollout)
  • A web UI for editing service.json — these are deploy-time, file-edit-only by design

References

  • Audit findings (2026-04-28, this conversation)
  • Today's PR #539 (/api/* boundary refactor) — same spirit, different layer
  • F4 watched_repos table (already replaces repos: for new bindings)
  • apps/server/src/shared/config/webhook-config.ts — the single loader that needs the surgery
  • apps/server/src/shared/config/agents-config-schema.ts — Zod schema split target
## User story As an operator, I want `config/agents.json` to hold **only** agent-fleet configuration (types + per-instance overrides), so that operator-editable fields can't be mistakenly mixed with deploy-time infra and secrets, and the dashboard's `/config/agents` PUT surface has a single, narrow blast radius. ## Why Audit on 2026-04-28 showed `config/agents.json` is doing four unrelated jobs: 1. **Agent fleet** — `types`, per-instance overrides (operator-editable, dashboard surface) 2. **Service infra** — `forge_mcp_command`, `container_image`, `container_image_default`, `forgejo_url`, `webhook_secret_file`, `node_flows`, `watchdogs`, `penpot`, `ui_version` 3. **Auth / secrets** — `auth.operator_user`, `auth.trust_proxy`, `auth.authelia_logout_url`, `forgejo_oauth_client_id`/`_secret`, `github_oauth_client_id`/`_secret`, `public_base_url` 4. **Repo bindings** — `repos` (already partly migrated to the `watched_repos` SQLite table, F4) A single editable file mixing all four creates real risk: an operator hand-editing a type definition can fat-finger an oauth secret, accidentally widen `trust_proxy`, or break the gate. The dashboard's PUT handler already has guards but the file shape itself is the problem. ## Acceptance criteria ### Loader - [ ] New file `config/service.json` carries the **service-infra** group (item 2 above). Same JSON schema for those fields as today's agents.json - [ ] Operator-only secret fields (item 3) move to **environment variables** preferentially: - `FORGEJO_OAUTH_CLIENT_ID` / `FORGEJO_OAUTH_CLIENT_SECRET` (env override already exists, make it the only path) - `GITHUB_OAUTH_CLIENT_ID` / `GITHUB_OAUTH_CLIENT_SECRET` - `GITLAB_OAUTH_CLIENT_ID` / `GITLAB_OAUTH_CLIENT_SECRET` - `PUBLIC_BASE_URL` - `WEBHOOK_SECRET` (or keep `WEBHOOK_SECRET_FILE` env pointing at a file, like the rest of the secret-file pattern) - [ ] `config/agents.json` retains **only**: `types` + their per-instance overrides - [ ] `auth` block contents — keep `operator_user` + `trust_proxy` only if a follow-up audit confirms either is still doing useful work post-Authelia rip; otherwise drop the block entirely. `authelia_logout_url` already dead (today's logout rewiring), drop unconditionally - [ ] `repos` field — assess whether the `watched_repos` SQLite table fully replaces it; if yes, drop. If migration incomplete, leave for a follow-up issue ### Migration mode - [ ] If a deployed `agents.json` still contains service / auth / repo fields, loader copies them into the resolved config (legacy fallback) AND prints a deprecation warning per field at boot - [ ] One-shot helper `just config-split` reads the legacy `agents.json` and writes `config/service.json` + a `.env.split.example` for the secret env vars; backs up the original to `agents.json.pre-split.bak` - [ ] After one stable release with the warning live, the fallback is removed in a follow-up ### Tests - [ ] `webhook-config.test.ts`: load a fresh-style split set (`agents.json` types-only + `service.json` + env vars) and assert resolved config matches the legacy single-file equivalent - [ ] Loader test: legacy `agents.json` with service fields → warning printed, config still resolves - [ ] Loader test: missing `OAUTH_ENCRYPTION_KEY` and missing OAuth client env vars → service still boots, OAuth init routes return 503 (current behaviour preserved) ### Dashboard - [ ] `PUT /config/agents` schema validation rejects any non-types field, returns 400 with a pointer to the new home (env var or `service.json`) ### Docs - [ ] `docs/configuration.md` (new or existing) lists every field, its file/env home, and the operator vs ops ownership ## Out of scope - Removing the `auth` block entirely (depends on the post-Authelia audit, separate issue) - Migrating the `repos` field out of `agents.json` (depends on F4 watched_repos rollout) - A web UI for editing `service.json` — these are deploy-time, file-edit-only by design ## References - Audit findings (2026-04-28, this conversation) - Today's PR #539 (`/api/*` boundary refactor) — same spirit, different layer - F4 watched_repos table (already replaces `repos:` for new bindings) - `apps/server/src/shared/config/webhook-config.ts` — the single loader that needs the surgery - `apps/server/src/shared/config/agents-config-schema.ts` — Zod schema split target
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
chore/sync-pre-push-from-forge-base
fix/flows-yaml-dispatch-identity
feat/board-tap-to-assign
dev/1107
code-lead/1106
code-lead/1108
dev/1104
code-lead/1103
code-lead/1080
dev/1087
feat/flows-yaml-ci-events
chore/board-drop-stalled-and-density-controls
fix/flows-yaml-routes-always-register
flows-yaml/api-defaults
dev/1023
fix/event-log-history-bleed
fix/janitor-fix-ci-logs-and-cap
dev/1022
fix/board-card-provider
code-lead/1036
dev/1025
code-lead/1020
dev/1017
code-lead/1026
feat/web-shortcut-registry-1018
dev/1015
code-lead/1009
code-lead/1008
dev/975
dev/969
dev/973
dev/967
code-lead/968
code-lead/953
dev/970
dev/976
code-lead/966
code-lead/956
code-lead/951
dev/962
dev/963
dev/977
dev/955
dev/983
dev/961
dev/974
code-lead/950
code-lead/939
dev/941
dev/940
dev/937
dev/938
dev/936
dev/935
feat/web-i18n-fr-locale
feat/spec-editor-ui-polish
chore/drop-legacy-compat
fix/skills-drop-preview-pane
fix/882-skills-safety-rail
dev/911
dev/909
dev/923
dev/917
dev/915
feat/879-sr11-m2-drop-legacy-skill
code-lead/873
dev/881
code-lead/869
dev/867
code-lead/845
code-lead/843
code-lead/844
dev/837
dev/861
dev/849
code-lead/837
code-lead/842
fix/dedup-rebase-inflight
dev/838
code-lead/847
dev/833
code-lead/848
pr/838
code-lead/841
feat/settings-save-bar/836
code-lead/840
dev/846
code-lead/839
dev/832
fix/board-sse-stale-cache
dev/834
dev/835
feat/settings-breadcrumbs
feat/forge-oauth-credentials
refactor/service-config-consolidation
feat/agent-tokens-to-secrets
feat/gitlab-oauth-to-db
feat/authelia-rip-and-voice-fixes
fix/rebase-storm-and-dead-letter
code-lead/797
code-lead/796
dev/811
code-lead/798
dev/810
code-lead/795
dev/808
code-lead/794
dev/805
dev/802
dev/803
feat/avatar-menu-settings-entry
feat/per-agent-token-tracking
dev/793
dev/747
dev/752
code-lead/790
code-lead/759
dev/756
dev/760
dev/741
dev/767
dev/740
dev/709
dev/644
dev/637
boss/614
dev/600
dev/611
dev/585
fix/login-bonus-fixes
boss/544
dev/542
refactor/api-prefix-and-session-gate
dev/489
boss/531
boss/518
dev/499
boss/516
dev/530
dev/517
dev/519
dev/515
dev/522
dev/503
dev/471
boss/329
dev/417
dev/418
dev/402
boss/327
dev/334
dev/332
boss/326
boss/325
dev/331
boss/324
boss/323
boss/322
dev/294
test/s11-task-analytics
dev/262
boss/270
dev/268
foreman/ui-consolidation-spec
dev/234
boss/196
boss/176
boss/164
fix/124-session-persist-bind
boss/52
dev/87
boss/73
dev/77
dev/81
dev/82
boss/79
dev/42
dev/35
boss/7
No results found.
Labels
Clear labels   
area:agents
Agent types, pool scheduling, per-instance config

  
area:dashboard
Dashboard UI and observability surfaces

  
area:database
DB layer — schema, migrations, ORM, raw SQL

  
area:design
UI/UX mockup work — routes to designer agent

  
area:design-review
Design review dispatch — routes to design-reviewer agent

  
area:flows
Flow runner — YAML loader, executor, op registry, expression eval

  
area:infra
Deployment, isolation, containers, systemd units

  
area:meta
Tracking, scaffolding, project setup

  
area:security
Security — routes to reviewer-security (opus)

  
area:sessions
Session-id store, Claude SDK resume logic

  
area:webhook
Forgejo webhook routing and handlers

  
area:workdir
Clone cache, worktrees, git identity

  
security
Security-sensitive issue

  
type:bug
Bug

  
type:chore
Chore

  
type:meta
Tracking or decisions, not implementation work

  
type:user-story
User story

No labels
area:agents
area:dashboard
area:database
area:design
area:design-review
area:flows
area:infra
area:meta
area:security
area:sessions
area:webhook
area:workdir
security
type:bug
type:chore
type:meta
type:user-story
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
dev
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
charles/claude-hooks#540
No description provided.