bug: agent-type rename migration (#670) misses secret table + token file paths #741

New issue

Closed

opened 2026-05-02 11:45:43 +00:00 by claude-desktop · 2 comments

claude-desktop commented 2026-05-02 11:45:43 +00:00

Collaborator

Copy link

The agent-type rename migration #670 (boss → code-lead, foreman → architect) migrates DB rows in the agents table but leaves two other artifacts pointing at old names:

1. secret table rows named FORGEJO_TOKEN_BOSS, FORGEJO_TOKEN_FOREMAN — never renamed to FORGEJO_TOKEN_CODE_LEAD, FORGEJO_TOKEN_ARCHITECT. Result: render-to-disk fails at boot with secret "FORGEJO_TOKEN_CODE_LEAD" referenced by ${SECRET:FORGEJO_TOKEN_CODE_LEAD} is not in the secret store. Render-queue retries every few seconds, never succeeds. Container env never materialized → dispatched tasks silently no-op (no error path; flow's agent.dispatch enqueues onto a worker whose container has no creds, container start fails or blocks).
2. Token files at ~/.config/claude-hooks/tokens/<type> — the migration does not rename tokens/boss → tokens/code-lead or tokens/foreman → tokens/architect. Result: at boot, webhook-config.parseTypeTokenFiles logs no forgejo token for type code-lead at .../tokens/code-lead because agents.json already points at the new path but the filesystem still has the old name. Operator must do the mv manually.

Both artifacts carry agent-type names baked into their identifiers and must move together with the DB row migration to be useful.

Reproduction (already observed)

1. Apply rename PR #670 to a service that previously ran boss / foreman.
2. Boot service. Observe:
   • [webhook] no forgejo token for type code-lead at /home/charles/.config/claude-hooks/tokens/code-lead
   • [startup] render-to-disk for code-lead-2 failed: secret "FORGEJO_TOKEN_CODE_LEAD" ... is not in the secret store
3. Assign an issue to code-lead. Webhook fires, flow runs, but no [code-lead-*] enqueued log line appears. Container stays in Created state. Issue sits IDLE indefinitely.

Acceptance criteria

Migration: rename secret rows alongside agent rows

• The same on-boot migration that does boss → code-lead / foreman → architect for the agents table extends to the secret table.
• For each rename pair (old, new):
  • If secret has FORGEJO_TOKEN_<OLD_UPPER> and not FORGEJO_TOKEN_<NEW_UPPER>: UPDATE secret SET name='FORGEJO_TOKEN_<NEW_UPPER>' WHERE name='FORGEJO_TOKEN_<OLD_UPPER>'.
  • If both exist: leave the new one, log a warning: [agents] secret rename skipped: FORGEJO_TOKEN_<NEW_UPPER> already present, dropping orphan FORGEJO_TOKEN_<OLD_UPPER>. Drop the orphan to avoid leaving stale rows.
  • If neither exists: no-op.
• Boot log: [agents] migrated <N> secret row(s) → code-lead / architect (#670).
• Idempotent: re-running the migration on already-migrated DB is a no-op.
• Generic enough that future per-type rename adds (foo → bar) cover both agents rows and any secret named <UPPER>_TOKEN_FOO / FOO_TOKEN. Consider a regex sweep ^(.*)_(?:TOKEN_)?<OLD_UPPER>$ → re-target with <NEW_UPPER>.

Migration: rename token files alongside agent rows

• Same migration scans ~/.config/claude-hooks/tokens/ (path from env or config) for files named after old types. For each (old, new) pair: if tokens/<old> exists and tokens/<new> does not, rename(2) it. If both exist, leave the new one and log warning. If neither exists, no-op.
• Optional: also rename agent-env/<old> → agent-env/<new> directory (today this dir is per-instance not per-type, but check the actual layout). If the migration does not own this rename, the boot log MUST direct the operator to do it manually with the exact mv commands.
• Boot log: [agents] renamed <N> token file(s) → tokens/code-lead, tokens/architect.

Operator escape hatch

• If migration cannot reach the filesystem (read-only, EACCES), log a clear instruction with the exact mv commands the operator must run, instead of silent failure.
• Same for the secret table — if the secret-table is locked / encrypted with a key the runtime cannot resolve at boot, surface the issue clearly.

Tests

• Migration unit test: seed agents with boss row + secret with FORGEJO_TOKEN_BOSS + create a temp tokens/boss file. Run migration. Assert:
  • agents row renamed to code-lead
  • secret row renamed to FORGEJO_TOKEN_CODE_LEAD
  • tokens/boss gone, tokens/code-lead present with same content
• Migration test: seed BOTH FORGEJO_TOKEN_BOSS and FORGEJO_TOKEN_CODE_LEAD. Assert: orphan BOSS dropped, warning logged, CODE_LEAD value preserved.
• Migration test: re-run on already-migrated state. Assert: no-op, no errors, no warnings.
• Boot test: start service post-rename with mismatched agents.json token paths. Assert: filesystem and DB both align after first boot, no manual intervention required.

Out of scope

• The PENPOT_TOKEN missing-from-secret-store gap discovered in the same investigation. That is a separate dashboard onboarding bug — designer / design-reviewer agents fail render-to-disk because nobody ever entered the Penpot token. Track separately.
• Multi-forge token files (tokens/<type>.github, tokens/<type>.gitlab) — out of scope until FM-3 ships.
• Cleaning up the empty agent-env/.code-lead.empty.bak left behind during the manual mv (operator removes after confirming sound).

References

• PR / issue #670 — original rename migration that this completes.
• Memory agent_role_rename_2026_05_02.md — operator-side migration record.
• Discovered 2026-05-02 — issues #730 / #731 sat IDLE for ~30 min on code-lead because of the missed secret + token-file rename.

The agent-type rename migration `#670` (boss → code-lead, foreman → architect) migrates DB rows in the `agents` table but leaves two other artifacts pointing at old names: 1. **`secret` table rows** named `FORGEJO_TOKEN_BOSS`, `FORGEJO_TOKEN_FOREMAN` — never renamed to `FORGEJO_TOKEN_CODE_LEAD`, `FORGEJO_TOKEN_ARCHITECT`. Result: render-to-disk fails at boot with `secret "FORGEJO_TOKEN_CODE_LEAD" referenced by ${SECRET:FORGEJO_TOKEN_CODE_LEAD} is not in the secret store`. Render-queue retries every few seconds, never succeeds. Container env never materialized → dispatched tasks silently no-op (no error path; flow's `agent.dispatch` enqueues onto a worker whose container has no creds, container start fails or blocks). 2. **Token files** at `~/.config/claude-hooks/tokens/<type>` — the migration does not rename `tokens/boss` → `tokens/code-lead` or `tokens/foreman` → `tokens/architect`. Result: at boot, `webhook-config.parseTypeTokenFiles` logs `no forgejo token for type code-lead at .../tokens/code-lead` because `agents.json` already points at the new path but the filesystem still has the old name. Operator must do the `mv` manually. Both artifacts carry agent-type names baked into their identifiers and must move together with the DB row migration to be useful. ## Reproduction (already observed) 1. Apply rename PR `#670` to a service that previously ran `boss` / `foreman`. 2. Boot service. Observe: - `[webhook] no forgejo token for type code-lead at /home/charles/.config/claude-hooks/tokens/code-lead` - `[startup] render-to-disk for code-lead-2 failed: secret "FORGEJO_TOKEN_CODE_LEAD" ... is not in the secret store` 3. Assign an issue to `code-lead`. Webhook fires, flow runs, but no `[code-lead-*] enqueued` log line appears. Container stays in `Created` state. Issue sits IDLE indefinitely. ## Acceptance criteria ### Migration: rename `secret` rows alongside agent rows - [ ] The same on-boot migration that does `boss` → `code-lead` / `foreman` → `architect` for the `agents` table extends to the `secret` table. - [ ] For each rename pair `(old, new)`: - If `secret` has `FORGEJO_TOKEN_<OLD_UPPER>` and not `FORGEJO_TOKEN_<NEW_UPPER>`: `UPDATE secret SET name='FORGEJO_TOKEN_<NEW_UPPER>' WHERE name='FORGEJO_TOKEN_<OLD_UPPER>'`. - If both exist: leave the new one, log a warning: `[agents] secret rename skipped: FORGEJO_TOKEN_<NEW_UPPER> already present, dropping orphan FORGEJO_TOKEN_<OLD_UPPER>`. Drop the orphan to avoid leaving stale rows. - If neither exists: no-op. - [ ] Boot log: `[agents] migrated <N> secret row(s) → code-lead / architect (#670)`. - [ ] Idempotent: re-running the migration on already-migrated DB is a no-op. - [ ] Generic enough that future per-type rename adds (`foo` → `bar`) cover both `agents` rows and any secret named `<UPPER>_TOKEN_FOO` / `FOO_TOKEN`. Consider a regex sweep `^(.*)_(?:TOKEN_)?<OLD_UPPER>$` → re-target with `<NEW_UPPER>`. ### Migration: rename token files alongside agent rows - [ ] Same migration scans `~/.config/claude-hooks/tokens/` (path from env or config) for files named after old types. For each `(old, new)` pair: if `tokens/<old>` exists and `tokens/<new>` does not, `rename(2)` it. If both exist, leave the new one and log warning. If neither exists, no-op. - [ ] Optional: also rename `agent-env/<old>` → `agent-env/<new>` directory (today this dir is per-instance not per-type, but check the actual layout). If the migration does not own this rename, the boot log MUST direct the operator to do it manually with the exact `mv` commands. - [ ] Boot log: `[agents] renamed <N> token file(s) → tokens/code-lead, tokens/architect`. ### Operator escape hatch - [ ] If migration cannot reach the filesystem (read-only, EACCES), log a clear instruction with the exact `mv` commands the operator must run, instead of silent failure. - [ ] Same for the secret table — if the secret-table is locked / encrypted with a key the runtime cannot resolve at boot, surface the issue clearly. ### Tests - [ ] Migration unit test: seed `agents` with `boss` row + `secret` with `FORGEJO_TOKEN_BOSS` + create a temp `tokens/boss` file. Run migration. Assert: - `agents` row renamed to `code-lead` - `secret` row renamed to `FORGEJO_TOKEN_CODE_LEAD` - `tokens/boss` gone, `tokens/code-lead` present with same content - [ ] Migration test: seed BOTH `FORGEJO_TOKEN_BOSS` and `FORGEJO_TOKEN_CODE_LEAD`. Assert: orphan `BOSS` dropped, warning logged, `CODE_LEAD` value preserved. - [ ] Migration test: re-run on already-migrated state. Assert: no-op, no errors, no warnings. - [ ] Boot test: start service post-rename with mismatched `agents.json` token paths. Assert: filesystem and DB both align after first boot, no manual intervention required. ## Out of scope - The `PENPOT_TOKEN` missing-from-secret-store gap discovered in the same investigation. That is a separate dashboard onboarding bug — designer / design-reviewer agents fail render-to-disk because nobody ever entered the Penpot token. Track separately. - Multi-forge token files (`tokens/<type>.github`, `tokens/<type>.gitlab`) — out of scope until FM-3 ships. - Cleaning up the empty `agent-env/.code-lead.empty.bak` left behind during the manual mv (operator removes after confirming sound). ## References - PR / issue `#670` — original rename migration that this completes. - Memory `agent_role_rename_2026_05_02.md` — operator-side migration record. - Discovered 2026-05-02 — issues #730 / #731 sat IDLE for ~30 min on `code-lead` because of the missed secret + token-file rename.

claude-desktop added the

area:agents

type:bug

labels 2026-05-02 11:45:43 +00:00

dev was assigned by claude-desktop 2026-05-02 11:45:54 +00:00

dev commented 2026-05-02 18:11:56 +00:00

Collaborator

Copy link

🦵 @charles kicked the queue — re-running implement on @dev.

🦵 @charles kicked the queue — re-running implement on @dev.

dev commented 2026-05-03 10:04:22 +00:00

Collaborator

Copy link

🦵 @charles kicked the queue — re-running implement on @dev.

🦵 @charles kicked the queue — re-running implement on @dev.

dev referenced this issue from a commit 2026-05-03 10:11:05 +00:00

fix: extend #670 rename migration to cover secret table + token files (#741)

dev referenced this issue from a pull request that will close it, 2026-05-03 10:11:27 +00:00

fix: extend #670 rename migration to cover secret table + token files #786

reviewer closed this issue 2026-05-03 10:17:17 +00:00

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

chore/sync-pre-push-from-forge-base

fix/flows-yaml-dispatch-identity

feat/board-tap-to-assign

dev/1107

code-lead/1106

code-lead/1108

dev/1104

code-lead/1103

code-lead/1080

dev/1087

feat/flows-yaml-ci-events

chore/board-drop-stalled-and-density-controls

fix/flows-yaml-routes-always-register

flows-yaml/api-defaults

dev/1023

fix/event-log-history-bleed

fix/janitor-fix-ci-logs-and-cap

dev/1022

fix/board-card-provider

code-lead/1036

dev/1025

code-lead/1020

dev/1017

code-lead/1026

feat/web-shortcut-registry-1018

dev/1015

code-lead/1009

code-lead/1008

dev/975

dev/969

dev/973

dev/967

code-lead/968

code-lead/953

dev/970

dev/976

code-lead/966

code-lead/956

code-lead/951

dev/962

dev/963

dev/977

dev/955

dev/983

dev/961

dev/974

code-lead/950

code-lead/939

dev/941

dev/940

dev/937

dev/938

dev/936

dev/935

feat/web-i18n-fr-locale

feat/spec-editor-ui-polish

chore/drop-legacy-compat

fix/skills-drop-preview-pane

fix/882-skills-safety-rail

dev/911

dev/909

dev/923

dev/917

dev/915

feat/879-sr11-m2-drop-legacy-skill

code-lead/873

dev/881

code-lead/869

dev/867

code-lead/845

code-lead/843

code-lead/844

dev/837

dev/861

dev/849

code-lead/837

code-lead/842

fix/dedup-rebase-inflight

dev/838

code-lead/847

dev/833

code-lead/848

pr/838

code-lead/841

feat/settings-save-bar/836

code-lead/840

dev/846

code-lead/839

dev/832

fix/board-sse-stale-cache

dev/834

dev/835

feat/settings-breadcrumbs

feat/forge-oauth-credentials

refactor/service-config-consolidation

feat/agent-tokens-to-secrets

feat/gitlab-oauth-to-db

feat/authelia-rip-and-voice-fixes

fix/rebase-storm-and-dead-letter

code-lead/797

code-lead/796

dev/811

code-lead/798

dev/810

code-lead/795

dev/808

code-lead/794

dev/805

dev/802

dev/803

feat/avatar-menu-settings-entry

feat/per-agent-token-tracking

dev/793

dev/747

dev/752

code-lead/790

code-lead/759

dev/756

dev/760

dev/741

dev/767

dev/740

dev/709

dev/644

dev/637

boss/614

dev/600

dev/611

dev/585

fix/login-bonus-fixes

boss/544

dev/542

refactor/api-prefix-and-session-gate

dev/489

boss/531

boss/518

dev/499

boss/516

dev/530

dev/517

dev/519

dev/515

dev/522

dev/503

dev/471

boss/329

dev/417

dev/418

dev/402

boss/327

dev/334

dev/332

boss/326

boss/325

dev/331

boss/324

boss/323

boss/322

dev/294

test/s11-task-analytics

dev/262

boss/270

dev/268

foreman/ui-consolidation-spec

dev/234

boss/196

boss/176

boss/164

fix/124-session-persist-bind

boss/52

dev/87

boss/73

dev/77

dev/81

dev/82

boss/79

dev/42

dev/35

boss/7

No results found.

Labels

Clear labels   

area:agents

Agent types, pool scheduling, per-instance config

  

area:dashboard

Dashboard UI and observability surfaces

  

area:database

DB layer — schema, migrations, ORM, raw SQL

  

area:design

UI/UX mockup work — routes to designer agent

  

area:design-review

Design review dispatch — routes to design-reviewer agent

  

area:flows

Flow runner — YAML loader, executor, op registry, expression eval

  

area:infra

Deployment, isolation, containers, systemd units

  

area:meta

Tracking, scaffolding, project setup

  

area:security

Security — routes to reviewer-security (opus)

  

area:sessions

Session-id store, Claude SDK resume logic

  

area:webhook

Forgejo webhook routing and handlers

  

area:workdir

Clone cache, worktrees, git identity

  

security

Security-sensitive issue

  

type:bug

Bug

  

type:chore

Chore

  

type:meta

Tracking or decisions, not implementation work

  

type:user-story

User story

No labels

area:agents

area:dashboard

area:database

area:design

area:design-review

area:flows

area:infra

area:meta

area:security

area:sessions

area:webhook

area:workdir

security

type:bug

type:chore

type:meta

type:user-story

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

dev

2 participants

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

charles/claude-hooks#741

No description provided.