TOK-1: Tokens migrate into the secret table #757

New issue

Closed

opened 2026-05-02 17:27:50 +00:00 by claude-desktop · 0 comments

claude-desktop commented 2026-05-02 17:27:50 +00:00

Collaborator

Copy link

As a platform engineer, I want every per-agent forge token currently living at ~/.config/claude-hooks/tokens/<agent> to get a row in the SC-6 secret table referenced from agent_type.token_secret_id, so that token bytes never sit in plaintext on disk and rotation runs through the same encrypted-secret + access-log surface as every other secret.

Acceptance criteria

Migration

• On first boot post-deploy, a one-shot migration sweep reads every existing tokens/<agent> file, writes the bytes to secret, sets agent_type.token_secret_id (or per-instance override row if present), and renames the file to tokens/.<agent>.migrated.bak (operator inspectable, not auto-deleted).
• The migration is idempotent: a re-run after the rename is a no-op.

Resolver

• getAgentToken(typeName) reads through the SC-6 secret resolver with access logging.
• The plaintext token_file path on agents.json is deprecated; the builtin-sync writes the contents into the secret table on first boot then ignores the path on subsequent boots.

Tests

• Unit: migration is idempotent.
• Integration: a token rotated at scope='agent_type' via the dashboard is picked up by the next dispatch's Forgejo client without a restart.

Out of scope

• Per-instance token override — covered by TOK-3.
• Filesystem-read removal from the runtime — covered by TOK-2.

References

• Spec: specs/config-to-db.md § Story TOK-1.
• Precedent: SC-6 — encrypted secrets + access log.
• Blocked by: AT-1.

As a platform engineer, I want every per-agent forge token currently living at `~/.config/claude-hooks/tokens/<agent>` to get a row in the SC-6 `secret` table referenced from `agent_type.token_secret_id`, so that token bytes never sit in plaintext on disk and rotation runs through the same encrypted-secret + access-log surface as every other secret. ## Acceptance criteria ### Migration - [ ] On first boot post-deploy, a one-shot migration sweep reads every existing `tokens/<agent>` file, writes the bytes to `secret`, sets `agent_type.token_secret_id` (or per-instance override row if present), and renames the file to `tokens/.<agent>.migrated.bak` (operator inspectable, not auto-deleted). - [ ] The migration is idempotent: a re-run after the rename is a no-op. ### Resolver - [ ] `getAgentToken(typeName)` reads through the SC-6 secret resolver with access logging. - [ ] The plaintext `token_file` path on agents.json is deprecated; the builtin-sync writes the contents into the `secret` table on first boot then ignores the path on subsequent boots. ### Tests - [ ] Unit: migration is idempotent. - [ ] Integration: a token rotated at `scope='agent_type'` via the dashboard is picked up by the next dispatch's Forgejo client without a restart. ## Out of scope - Per-instance token override — covered by TOK-3. - Filesystem-read removal from the runtime — covered by TOK-2. ## References - Spec: `specs/config-to-db.md` § Story TOK-1. - Precedent: SC-6 — encrypted secrets + access log. - Blocked by: AT-1.

claude-desktop added the

area:security

type:user-story

labels 2026-05-02 17:28:59 +00:00

claude-desktop added this to the Config to DB milestone 2026-05-02 17:29:00 +00:00

code-lead was assigned by claude-desktop 2026-05-02 19:18:02 +00:00

code-lead referenced this issue from a commit 2026-05-02 19:32:15 +00:00

feat(agent-config): TOK-1 migrate forge tokens into the secret table (#757)

code-lead referenced this issue from a pull request that will close it, 2026-05-02 19:32:28 +00:00

feat(agent-config): TOK-1 migrate forge tokens into the secret table (#757) #764

charles closed this issue 2026-05-02 19:39:41 +00:00

charles referenced this issue from a commit 2026-05-02 19:39:42 +00:00

feat(agent-config): TOK-1 migrate forge tokens into the secret table (#757) (#764)

charles referenced this issue from a commit 2026-05-04 12:15:14 +00:00

feat(secrets): migrate Penpot token from plaintext file to secret table

charles referenced this issue from a commit 2026-05-04 12:37:09 +00:00

feat(secrets): migrate Penpot token from plaintext file to secret table

charles referenced this issue from a commit 2026-05-04 12:53:18 +00:00

feat(secrets): migrate Penpot token from plaintext file to secret table

charles referenced this issue from a commit 2026-05-04 12:58:05 +00:00

feat(secrets): migrate Penpot token from plaintext file to secret table

charles referenced this issue from a commit 2026-05-04 13:05:58 +00:00

feat(secrets): migrate Penpot token from plaintext file to secret table

claude-desktop referenced this issue 2026-05-05 05:39:47 +00:00

Unify forge-token secret prefix: FORGEJO_TOKEN_* → FORGE_TOKEN_* #867

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

dev/1213

code-lead/1210

code-lead/1202

code-lead/1201

code-lead/1199

code-lead/1198

dev/1166

dev/1168-error-banner

feat/error-banner-1168

dev/1168

dev/1165

dev/1169-board-redispatch

feat/1169-board-card-redispatch

code-lead/1164

dev/1169

dev/1170

dev/1161

code-lead/1159

code-lead/1150

code-lead/1148

dev/1149

code-lead/1151

dev/1152

code-lead/1147

code-lead/1139

code-lead/1138

code-lead/1137

code-lead/1136

code-lead/1131

code-lead/1122

code-lead/1121

code-lead/1120

code-lead/1119

code-lead/1117

chore/sync-pre-push-from-forge-base

fix/flows-yaml-dispatch-identity

feat/board-tap-to-assign

dev/1107

code-lead/1106

code-lead/1108

dev/1104

code-lead/1103

code-lead/1080

dev/1087

feat/flows-yaml-ci-events

chore/board-drop-stalled-and-density-controls

fix/flows-yaml-routes-always-register

flows-yaml/api-defaults

dev/1023

fix/event-log-history-bleed

fix/janitor-fix-ci-logs-and-cap

dev/1022

fix/board-card-provider

code-lead/1036

dev/1025

code-lead/1020

dev/1017

code-lead/1026

feat/web-shortcut-registry-1018

dev/1015

code-lead/1009

code-lead/1008

dev/975

dev/969

dev/973

dev/967

code-lead/968

code-lead/953

dev/970

dev/976

code-lead/966

code-lead/956

code-lead/951

dev/962

dev/963

dev/977

dev/955

dev/983

dev/961

dev/974

code-lead/950

code-lead/939

dev/941

dev/940

dev/937

dev/938

dev/936

dev/935

feat/web-i18n-fr-locale

feat/spec-editor-ui-polish

chore/drop-legacy-compat

fix/skills-drop-preview-pane

fix/882-skills-safety-rail

dev/911

dev/909

dev/923

dev/917

dev/915

feat/879-sr11-m2-drop-legacy-skill

code-lead/873

dev/881

code-lead/869

dev/867

code-lead/845

code-lead/843

code-lead/844

dev/837

dev/861

dev/849

code-lead/837

code-lead/842

fix/dedup-rebase-inflight

dev/838

code-lead/847

dev/833

code-lead/848

pr/838

code-lead/841

feat/settings-save-bar/836

code-lead/840

dev/846

code-lead/839

dev/832

fix/board-sse-stale-cache

dev/834

dev/835

feat/settings-breadcrumbs

feat/forge-oauth-credentials

refactor/service-config-consolidation

feat/agent-tokens-to-secrets

feat/gitlab-oauth-to-db

feat/authelia-rip-and-voice-fixes

fix/rebase-storm-and-dead-letter

code-lead/797

code-lead/796

dev/811

code-lead/798

dev/810

code-lead/795

dev/808

code-lead/794

dev/805

dev/802

dev/803

feat/avatar-menu-settings-entry

feat/per-agent-token-tracking

dev/793

dev/747

dev/752

code-lead/790

code-lead/759

dev/756

dev/760

dev/741

dev/767

dev/740

dev/709

dev/644

dev/637

boss/614

dev/600

dev/611

dev/585

fix/login-bonus-fixes

boss/544

dev/542

refactor/api-prefix-and-session-gate

dev/489

boss/531

boss/518

dev/499

boss/516

dev/530

dev/517

dev/519

dev/515

dev/522

dev/503

dev/471

boss/329

dev/417

dev/418

dev/402

boss/327

dev/334

dev/332

boss/326

boss/325

dev/331

boss/324

boss/323

boss/322

dev/294

test/s11-task-analytics

dev/262

boss/270

dev/268

foreman/ui-consolidation-spec

dev/234

boss/196

boss/176

boss/164

fix/124-session-persist-bind

boss/52

dev/87

boss/73

dev/77

dev/81

dev/82

boss/79

dev/42

dev/35

boss/7

No results found.

Labels

Clear labels   

area:agents

Agent types, pool scheduling, per-instance config

  

area:dashboard

Dashboard UI and observability surfaces

  

area:database

DB layer — schema, migrations, ORM, raw SQL

  

area:design

UI/UX mockup work — routes to designer agent

  

area:design-review

Design review dispatch — routes to design-reviewer agent

  

area:flows

Flow runner — YAML loader, executor, op registry, expression eval

  

area:infra

Deployment, isolation, containers, systemd units

  

area:meta

Tracking, scaffolding, project setup

  

area:security

Security — routes to reviewer-security (opus)

  

area:sessions

Session-id store, Claude SDK resume logic

  

area:webhook

Forgejo webhook routing and handlers

  

area:workdir

Clone cache, worktrees, git identity

  

security

Security-sensitive issue

  

type:bug

Bug

  

type:chore

Chore

  

type:meta

Tracking or decisions, not implementation work

  

type:user-story

User story

No labels

area:agents

area:dashboard

area:database

area:design

area:design-review

area:flows

area:infra

area:meta

area:security

area:sessions

area:webhook

area:workdir

security

type:bug

type:chore

type:meta

type:user-story

Milestone

Clear milestone

No items

No milestone

Config to DB

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

code-lead

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

charles/claude-hooks#757

No description provided.