feat(agent-config): TOK-1 migrate forge tokens into the secret table (#757) #764

Merged
charles merged 1 commit from code-lead/757 into main 2026-05-02 19:39:41 +00:00

Closes #757

Migrates per-agent forge tokens from ~/.config/claude-hooks/tokens/<agent> into the SC-6 secret table; agent_type.token_secret_id references the row.

  • builtin-sync sweep encrypts each token_file, inserts a secret row at FORGE_TOKEN_<TYPE>, stamps the FK, and renames the file to tokens/.<basename>.migrated.bak. Idempotent.
  • getAgentToken(typeName) resolves through the SC-6 decrypt path with one access-log row per call.
  • getSecretRowById(id) added for FK consumers.

Test plan

  • bun run qa clean
  • Unit: idempotent migration sweep, missing-file skip, token_files.forgejo slot
  • Integration: rotation at agent_type-scope (global override row pointing at a new secret) is reflected on the next call without restart
  • One secret_access_log row per getAgentToken() call
feat(agent-config): TOK-1 migrate forge tokens into the secret table (#757)
All checks were successful
qa / dockerfile (pull_request) Successful in 5s
qa / qa (pull_request) Successful in 2m51s
475ef01b49
- builtin-sync: per-agent `token_file` is encrypted, stored in `secret`
  as `FORGE_TOKEN_<TYPE>`, FK stamped on the builtin `agent_type` row,
  source file renamed to `tokens/.<basename>.migrated.bak`. Idempotent.
- resolver: new `getAgentToken(typeName)` reads through the SC-6
  decrypt path with one access-log row per call.
- db: `getSecretRowById(id)` for FK consumers.
- tests: idempotent migration sweep, missing-file skip, multi-forge
  `token_files.forgejo` slot, access-log emission, agent_type-scope
  rotation visible without restart.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
reviewer approved these changes 2026-05-02 19:37:29 +00:00
reviewer left a comment

Migration idempotent, resolver wired through SC-6 with access logging, rotation test covers no-restart path. CI green.

nit: console.warn used for the success log at the end of migrateOneAgentToken - console.log would be more accurate semantically, but not blocking.

charles deleted branch code-lead/757 2026-05-02 19:39:41 +00:00
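
An added example, not code from this pull request or its repository, showing the sweep and resolver behaviour the description lists: idempotent re-run, missing-file skip, one access-log row per call, and rotation picked up on the next call. The tables are in-memory stand-ins, AES-256-GCM stands in for the SC-6 encryption the page does not show, and `freshDb`, `putSecret`, `migrateOneToken`, the extra `db` argument and the agent types are hypothetical.

```javascript
// Added illustration; not code from the claude-hooks repository.
const fs = require("node:fs"), os = require("node:os"), path = require("node:path");
const crypto = require("node:crypto");
const KEY = crypto.randomBytes(32); // assumed key; SC-6 key handling is not shown on the page
// In-memory stand-ins (assumptions) for the secret, agent_type and secret_access_log tables.
const freshDb = () => ({ secret: new Map(), agentType: new Map(), accessLog: [], nextId: 1 });

function putSecret(db, name, plaintext) { // encrypt with AES-256-GCM and insert a row
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv("aes-256-gcm", KEY, iv);
  const ct = Buffer.concat([c.update(plaintext, "utf8"), c.final()]);
  const id = db.nextId++;
  db.secret.set(id, { name, iv, ct, tag: c.getAuthTag() });
  return id;
}

function migrateOneToken(db, typeName, tokenFile) { // one sweep step, returns its outcome
  const agent = db.agentType.get(typeName);
  if (agent.token_secret_id !== null) return "already-migrated"; // FK stamped: no-op
  if (!fs.existsSync(tokenFile)) return "missing-file"; // skip, row left untouched
  const token = fs.readFileSync(tokenFile, "utf8").trim();
  // Same order as the PR description: insert the row, stamp the FK, then rename the file.
  agent.token_secret_id = putSecret(db, `FORGE_TOKEN_${typeName.toUpperCase()}`, token);
  const bak = path.join(path.dirname(tokenFile), `.${path.basename(tokenFile)}.migrated.bak`);
  fs.renameSync(tokenFile, bak);
  return "migrated";
}

// Resolver: follows the FK on every call (no cache) and logs exactly one access row.
function getAgentToken(db, typeName) {
  const id = db.agentType.get(typeName).token_secret_id;
  if (id === null) return null;
  db.accessLog.push({ secret_id: id, agent_type: typeName, at: Date.now() });
  const { iv, ct, tag } = db.secret.get(id);
  const d = crypto.createDecipheriv("aes-256-gcm", KEY, iv).setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]).toString("utf8");
}

function demo() { // constructed data: temp directory, made-up agent types and token values
  const db = freshDb(), dir = fs.mkdtempSync(path.join(os.tmpdir(), "tokens-"));
  for (const t of ["builder", "auditor"]) db.agentType.set(t, { token_secret_id: null });
  fs.writeFileSync(path.join(dir, "builder"), "constructed-token-1\n", { mode: 0o600 });
  const sweep = () => ["builder", "auditor"].map((t) => migrateOneToken(db, t, path.join(dir, t)));
  const first = sweep(), second = sweep(); // the second sweep must change nothing
  const before = getAgentToken(db, "builder");
  // Simplified rotation: repoint the FK at a new row (the PR rotates via an override row).
  db.agentType.get("builder").token_secret_id = putSecret(db, "FORGE_TOKEN_BUILDER", "constructed-token-2");
  const after = getAgentToken(db, "builder"); // new value on the next call, no restart
  return { first, second, before, after, logRows: db.accessLog.length, files: fs.readdirSync(dir) };
}
console.log(demo());
```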
Reference
charles/claude-hooks!764