charles/claude-hooks
1
0
Fork 0
Code Issues 10 Pull requests Projects Releases Packages 1 Wiki Activity Actions

Move final JSON / plain-text state to DB (gitlab token, SDK sessions, agent secrets) #823

New issue
Closed
opened 2026-05-04 11:56:50 +00:00 by claude-desktop · 0 comments
claude-desktop commented 2026-05-04 11:56:50 +00:00
Collaborator
Copy link

User story

As an operator, I want every piece of runtime state that claude-hooks itself owns to live in the SQLite DB rather than scattered JSON / plain-text files on disk, so that backups / restores / migrations are atomic, secrets are encrypted at rest, and the dashboard's Settings → Service surface is the single source of truth.

Three storage holdouts remain after DOB-4 / DOB-5 ripped service.json and agents.json:

  1. ~/.local/state/claude-hooks/gitlab-oauth-token.json — the F3-GL GitLab OAuth access + refresh tokens.
  2. ~/.local/state/claude-hooks/sessions.json — the Claude SDK session-resume map (<forge>:<agent>:<repo>:<issue>{id, last_used_at}).
  3. ~/.config/claude-hooks/tokens/<agent> + ~/.config/claude-hooks/penpot-token — per-agent Forgejo PATs and the Penpot API token, both stored as plain-text mode-0600 files.

The Claude Code SDK config dirs under ~/.config/claude-hooks/agent-env/<agent>/ (settings.json, policy-limits.json, mcp-needs-auth-cache.json, system-prompt.md, sessions/) are owned by the SDK and stay on disk — they're the SDK's wire format. Same for ~/.config/claude-hooks/claude-credentials/.credentials.json (mounted into containers).

Acceptance criteria

GitLab OAuth → DB

  • operator_oauth_tokens already has rows for forgejo / github via upsertOperatorOAuth. Land the GitLab equivalent — oauth-gitlab.ts reads / writes the row instead of gitlab-oauth-token.json.
  • Migration 012-migrate-gitlab-oauth-to-db.ts: if the JSON file exists and no DB row for forge_type='gitlab', parse the file and insert via upsertOperatorOAuth. Then unlink the JSON file. Idempotent.
  • Drop gitlabOAuthTokenPath() + every readFile / writeFile reference.
  • Tests: existing oauth-gitlab.test.ts paths exercise DB; add a migration test seeding the JSON file then asserting the row + file removal.

Claude SDK sessions → DB

  • New table claude_sdk_sessions:
    key TEXT PRIMARY KEY, session_id TEXT NOT NULL, last_used_at INTEGER NOT NULL, created_at INTEGER NOT NULL.
    key is the <forge>:<agent>:<repo>:<issue> shape used today.
  • infrastructure/database/sessions.ts becomes a thin DB-backed accessor (getSession, setSession, pruneStale, etc.) — same external API as today, no callers re-touched.
  • Migration 013-migrate-sessions-to-db.ts: if sessions.json exists, parse + bulk-insert (INSERT OR REPLACE) every entry, then unlink the file. Idempotent.
  • Pruning hook (any existing TTL sweep) moves to a SQL DELETE WHERE last_used_at < ?.
  • Tests: round-trip + migration fixture with a populated sessions.json.

Agent / Penpot tokens → secret table

  • Two new well-known secret names in the existing secret table (already AES-256-GCM in #SC-* land):
    - agent_token:<agent> — replaces ~/.config/claude-hooks/tokens/<agent>.
    - penpot_api_token — replaces ~/.config/claude-hooks/penpot-token.
  • Container mount code (container.ts / container-reconcile.ts) reads from the secret table and writes the plaintext to a tmpfile inside the container's tokens mount at startup (mount target unchanged so the in-container Forgejo / Penpot MCP keeps working without code change).
  • Per-agent admin endpoint (/agents/:name/token PATCH or similar) writes the secret via setSecret. The existing CLI / dashboard rotate flow targets the secret name instead of the file path.
  • Migration 014-migrate-agent-tokens-to-secrets.ts: for every existing file under ~/.config/claude-hooks/tokens/, insert the plaintext into the secret table under agent_token:<filename>, then unlink the file. Same for penpot-token. Idempotent.
  • Tests: round-trip the rotate flow; assert cat tokens/<agent> no longer required.

Cleanup

  • Remove getStateRootSessionsPath() / gitlabOAuthTokenPath() exports.
  • docs/credentials.md updated to reflect the new flow (DB-only).
  • Boot-time backups (agents.db.bak-<ts>) cover everything now — no separate JSON backup recipe.

Out of scope

  • The Claude Code SDK config dirs under ~/.config/claude-hooks/agent-env/<agent>/. Those are owned by the SDK and mounted as-is into the container. The SDK reads them by path; switching them to DB would require forking the SDK.
  • ~/.config/claude-hooks/claude-credentials/.credentials.json — Anthropic API credentials in the SDK's own format. Same reasoning.
  • architect-uploads/<id>/{blob,meta.json} — the file-attachment blobs are intentionally on disk (large binaries shouldn't live in SQLite). The sidecar JSON could move to DB later but the binary cannot.
  • Backup / restore tooling overhaul. The existing agents.db.bak-* rotation is enough.
  • Re-encrypting the secret table with a different cipher. Stays AES-256-GCM.

References

  • apps/server/src/http/handlers/oauth-gitlab.ts — the JSON write path being replaced.
  • apps/server/src/infrastructure/database/sessions.ts — current file-backed session-resume store.
  • apps/server/src/infrastructure/container/container-reconcile.ts — token-file mount source.
  • apps/server/src/infrastructure/container/container.ts — Penpot token + claude-credentials mount paths.
  • docs/credentials.md — current shape of the credential mounts (will need an update).
  • DOB-4 (#819) and DOB-5 (#820) — prior storage rips that ripped agents.json and service.json.

Suggested implementation order

  1. GitLab OAuth → DB (smallest blast radius — F3-GL is rarely re-auth'd, the other two adapters already use the DB row, schema unchanged).
  2. Claude SDK sessions → DB (medium — hot path during dispatch; needs the migration to back-fill before the first read).
  3. Agent / Penpot tokens → secret table (largest — touches container mount code + rotate flow + every per-agent runtime).

Each step should ship as its own commit / PR so a regression on one doesn't block the others, even if the issue stays single.

## User story As an operator, I want every piece of runtime state that claude-hooks itself owns to live in the SQLite DB rather than scattered JSON / plain-text files on disk, so that backups / restores / migrations are atomic, secrets are encrypted at rest, and the dashboard's Settings → Service surface is the single source of truth. Three storage holdouts remain after DOB-4 / DOB-5 ripped `service.json` and `agents.json`: 1. `~/.local/state/claude-hooks/gitlab-oauth-token.json` — the F3-GL GitLab OAuth access + refresh tokens. 2. `~/.local/state/claude-hooks/sessions.json` — the Claude SDK session-resume map (`<forge>:<agent>:<repo>:<issue>` → `{id, last_used_at}`). 3. `~/.config/claude-hooks/tokens/<agent>` + `~/.config/claude-hooks/penpot-token` — per-agent Forgejo PATs and the Penpot API token, both stored as plain-text mode-0600 files. The Claude Code SDK config dirs under `~/.config/claude-hooks/agent-env/<agent>/` (settings.json, policy-limits.json, mcp-needs-auth-cache.json, system-prompt.md, sessions/) are owned by the SDK and **stay on disk** — they're the SDK's wire format. Same for `~/.config/claude-hooks/claude-credentials/.credentials.json` (mounted into containers). ## Acceptance criteria ### GitLab OAuth → DB - [ ] `operator_oauth_tokens` already has rows for forgejo / github via `upsertOperatorOAuth`. Land the GitLab equivalent — `oauth-gitlab.ts` reads / writes the row instead of `gitlab-oauth-token.json`. - [ ] Migration `012-migrate-gitlab-oauth-to-db.ts`: if the JSON file exists and no DB row for `forge_type='gitlab'`, parse the file and insert via `upsertOperatorOAuth`. Then `unlink` the JSON file. Idempotent. - [ ] Drop `gitlabOAuthTokenPath()` + every `readFile` / `writeFile` reference. - [ ] Tests: existing `oauth-gitlab.test.ts` paths exercise DB; add a migration test seeding the JSON file then asserting the row + file removal. ### Claude SDK sessions → DB - [ ] New table `claude_sdk_sessions`: `key TEXT PRIMARY KEY, session_id TEXT NOT NULL, last_used_at INTEGER NOT NULL, created_at INTEGER NOT NULL`. `key` is the `<forge>:<agent>:<repo>:<issue>` shape used today. - [ ] `infrastructure/database/sessions.ts` becomes a thin DB-backed accessor (`getSession`, `setSession`, `pruneStale`, etc.) — same external API as today, no callers re-touched. - [ ] Migration `013-migrate-sessions-to-db.ts`: if `sessions.json` exists, parse + bulk-insert (`INSERT OR REPLACE`) every entry, then `unlink` the file. Idempotent. - [ ] Pruning hook (any existing TTL sweep) moves to a SQL `DELETE WHERE last_used_at < ?`. - [ ] Tests: round-trip + migration fixture with a populated `sessions.json`. ### Agent / Penpot tokens → `secret` table - [ ] Two new well-known secret names in the existing `secret` table (already AES-256-GCM in #SC-* land): - `agent_token:<agent>` — replaces `~/.config/claude-hooks/tokens/<agent>`. - `penpot_api_token` — replaces `~/.config/claude-hooks/penpot-token`. - [ ] Container mount code (`container.ts` / `container-reconcile.ts`) reads from the secret table and writes the plaintext to a tmpfile inside the container's tokens mount at startup (mount target unchanged so the in-container Forgejo / Penpot MCP keeps working without code change). - [ ] Per-agent admin endpoint (`/agents/:name/token` PATCH or similar) writes the secret via `setSecret`. The existing CLI / dashboard rotate flow targets the secret name instead of the file path. - [ ] Migration `014-migrate-agent-tokens-to-secrets.ts`: for every existing file under `~/.config/claude-hooks/tokens/`, insert the plaintext into the secret table under `agent_token:<filename>`, then `unlink` the file. Same for `penpot-token`. Idempotent. - [ ] Tests: round-trip the rotate flow; assert `cat tokens/<agent>` no longer required. ### Cleanup - [ ] Remove `getStateRootSessionsPath()` / `gitlabOAuthTokenPath()` exports. - [ ] `docs/credentials.md` updated to reflect the new flow (DB-only). - [ ] Boot-time backups (`agents.db.bak-<ts>`) cover everything now — no separate JSON backup recipe. ## Out of scope - The Claude Code SDK config dirs under `~/.config/claude-hooks/agent-env/<agent>/`. Those are owned by the SDK and mounted as-is into the container. The SDK reads them by path; switching them to DB would require forking the SDK. - `~/.config/claude-hooks/claude-credentials/.credentials.json` — Anthropic API credentials in the SDK's own format. Same reasoning. - `architect-uploads/<id>/{blob,meta.json}` — the file-attachment blobs are intentionally on disk (large binaries shouldn't live in SQLite). The sidecar JSON could move to DB later but the binary cannot. - Backup / restore tooling overhaul. The existing `agents.db.bak-*` rotation is enough. - Re-encrypting the secret table with a different cipher. Stays AES-256-GCM. ## References - `apps/server/src/http/handlers/oauth-gitlab.ts` — the JSON write path being replaced. - `apps/server/src/infrastructure/database/sessions.ts` — current file-backed session-resume store. - `apps/server/src/infrastructure/container/container-reconcile.ts` — token-file mount source. - `apps/server/src/infrastructure/container/container.ts` — Penpot token + claude-credentials mount paths. - `docs/credentials.md` — current shape of the credential mounts (will need an update). - DOB-4 (#819) and DOB-5 (#820) — prior storage rips that ripped `agents.json` and `service.json`. ## Suggested implementation order 1. **GitLab OAuth → DB** (smallest blast radius — F3-GL is rarely re-auth'd, the other two adapters already use the DB row, schema unchanged). 2. **Claude SDK sessions → DB** (medium — hot path during dispatch; needs the migration to back-fill before the first read). 3. **Agent / Penpot tokens → `secret` table** (largest — touches container mount code + rotate flow + every per-agent runtime). Each step should ship as its own commit / PR so a regression on one doesn't block the others, even if the issue stays single.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
chore/sync-pre-push-from-forge-base
fix/flows-yaml-dispatch-identity
feat/board-tap-to-assign
dev/1107
code-lead/1106
code-lead/1108
dev/1104
code-lead/1103
code-lead/1080
dev/1087
feat/flows-yaml-ci-events
chore/board-drop-stalled-and-density-controls
fix/flows-yaml-routes-always-register
flows-yaml/api-defaults
dev/1023
fix/event-log-history-bleed
fix/janitor-fix-ci-logs-and-cap
dev/1022
fix/board-card-provider
code-lead/1036
dev/1025
code-lead/1020
dev/1017
code-lead/1026
feat/web-shortcut-registry-1018
dev/1015
code-lead/1009
code-lead/1008
dev/975
dev/969
dev/973
dev/967
code-lead/968
code-lead/953
dev/970
dev/976
code-lead/966
code-lead/956
code-lead/951
dev/962
dev/963
dev/977
dev/955
dev/983
dev/961
dev/974
code-lead/950
code-lead/939
dev/941
dev/940
dev/937
dev/938
dev/936
dev/935
feat/web-i18n-fr-locale
feat/spec-editor-ui-polish
chore/drop-legacy-compat
fix/skills-drop-preview-pane
fix/882-skills-safety-rail
dev/911
dev/909
dev/923
dev/917
dev/915
feat/879-sr11-m2-drop-legacy-skill
code-lead/873
dev/881
code-lead/869
dev/867
code-lead/845
code-lead/843
code-lead/844
dev/837
dev/861
dev/849
code-lead/837
code-lead/842
fix/dedup-rebase-inflight
dev/838
code-lead/847
dev/833
code-lead/848
pr/838
code-lead/841
feat/settings-save-bar/836
code-lead/840
dev/846
code-lead/839
dev/832
fix/board-sse-stale-cache
dev/834
dev/835
feat/settings-breadcrumbs
feat/forge-oauth-credentials
refactor/service-config-consolidation
feat/agent-tokens-to-secrets
feat/gitlab-oauth-to-db
feat/authelia-rip-and-voice-fixes
fix/rebase-storm-and-dead-letter
code-lead/797
code-lead/796
dev/811
code-lead/798
dev/810
code-lead/795
dev/808
code-lead/794
dev/805
dev/802
dev/803
feat/avatar-menu-settings-entry
feat/per-agent-token-tracking
dev/793
dev/747
dev/752
code-lead/790
code-lead/759
dev/756
dev/760
dev/741
dev/767
dev/740
dev/709
dev/644
dev/637
boss/614
dev/600
dev/611
dev/585
fix/login-bonus-fixes
boss/544
dev/542
refactor/api-prefix-and-session-gate
dev/489
boss/531
boss/518
dev/499
boss/516
dev/530
dev/517
dev/519
dev/515
dev/522
dev/503
dev/471
boss/329
dev/417
dev/418
dev/402
boss/327
dev/334
dev/332
boss/326
boss/325
dev/331
boss/324
boss/323
boss/322
dev/294
test/s11-task-analytics
dev/262
boss/270
dev/268
foreman/ui-consolidation-spec
dev/234
boss/196
boss/176
boss/164
fix/124-session-persist-bind
boss/52
dev/87
boss/73
dev/77
dev/81
dev/82
boss/79
dev/42
dev/35
boss/7
No results found.
Labels
Clear labels   
area:agents
Agent types, pool scheduling, per-instance config

  
area:dashboard
Dashboard UI and observability surfaces

  
area:database
DB layer — schema, migrations, ORM, raw SQL

  
area:design
UI/UX mockup work — routes to designer agent

  
area:design-review
Design review dispatch — routes to design-reviewer agent

  
area:flows
Flow runner — YAML loader, executor, op registry, expression eval

  
area:infra
Deployment, isolation, containers, systemd units

  
area:meta
Tracking, scaffolding, project setup

  
area:security
Security — routes to reviewer-security (opus)

  
area:sessions
Session-id store, Claude SDK resume logic

  
area:webhook
Forgejo webhook routing and handlers

  
area:workdir
Clone cache, worktrees, git identity

  
security
Security-sensitive issue

  
type:bug
Bug

  
type:chore
Chore

  
type:meta
Tracking or decisions, not implementation work

  
type:user-story
User story

No labels
area:agents
area:dashboard
area:database
area:design
area:design-review
area:flows
area:infra
area:meta
area:security
area:sessions
area:webhook
area:workdir
security
type:bug
type:chore
type:meta
type:user-story
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
charles/claude-hooks#823
No description provided.