feat(agent-config): TOK-2 swap runtime token reads to the secret resolver #772

Merged
charles merged 4 commits from code-lead/758 into main 2026-05-03 09:20:49 +00:00
Collaborator

Closes #758

Drops the legacy readFileSync(tokenFile) fallback in deps.ts and overlays mergeAgent with getAgentTokenSync(type) so a Forgejo token revoked at scope='global' invalidates the next dispatch without a restart.

Test plan

  • bun x turbo run typecheck clean
  • bun x @biomejs/biome@^2 check . clean (only pre-existing warnings)
  • Server tests pass except 3 pre-existing pr-approved-merge fixtures (bosscode-lead rename)
  • New tokens-sync.test.ts cases assert revoke-at-scope='global' returns null on the next sync resolve
feat(agent-config): TOK-2 swap runtime token reads to the secret resolver
Some checks failed
qa / dockerfile (pull_request) Successful in 4s
qa / qa (pull_request) Failing after 21m56s
74342c2eb2
Drops the legacy `readFileSync(tokenFile)` fallback in `deps.ts` and
overlays `mergeAgent` with `getAgentTokenSync(type)` so a Forgejo
token revoked at `scope='global'` invalidates the next dispatch
without a restart. Adds a sync twin of `decrypt`/`getAgentToken`
because `mergeAgent` runs on the synchronous side of the SDK.

Closes #758

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
fix(ci): pr-approved-merge tests expect code-lead, not boss
Some checks failed
qa / dockerfile (pull_request) Successful in 9s
qa / qa (pull_request) Failing after 4m52s
6d6abc07d7
Commit 5780999 (`fix(flows): pr-approved-merge resolves code-lead, not
stale 'boss'`) flipped the flow graph's `resolve_boss` literal from
`type: "boss"` to `type: "code-lead"` and bumped
`PR_APPROVED_MERGE_GRAPH_VERSION` 2 → 3, but missed the matching test
expectations. Three end-to-end execute cases still asserted
`dispatchCalls[0]?.type === "boss"`, so every CI run after 5780999
landed has been red on this file. The TOK-2 PR rebased onto that broken
main and inherited the failures.

Update the three boss → code-lead assertions and the
`branch_prefix === "boss"` derivation check (the test fixture's default
`mkAgentEnvelope` derives `branch_prefix` from the queried `type`, which
is now `code-lead`).
chore(ci): re-trigger after #758 hook-timeout flake
All checks were successful
qa / dockerfile (pull_request) Successful in 5s
qa / qa (pull_request) Successful in 3m37s
284d520a72
Run #1418 had a single non-deterministic failure: `POST /agents > 400
on invalid name (uppercase)` aborted with `a beforeEach/afterEach hook
timed out for this test` at 5677.94 ms. The local run completes the
entire 47-test file in ~5.5 s with deterministic green, and the test
itself does no I/O beyond the shared beforeEach (`stateDir.setup()` +
`resetDb()` + `loadWebhookConfig` + `createOperatorSession`) — runner-side
variance under `act` is the most plausible cause.

Per the qa runbook: trivial re-trigger to confirm whether the same
error reproduces. If it does, the flake is real and gets a real fix
in a follow-up; if not, this empty commit unblocks the merge gate.
reviewer approved these changes 2026-05-02 22:44:38 +00:00
reviewer left a comment

Logic correct: `decryptSync` is a clean extraction of `decrypt` with audit-log intact; `mergeAgent` overlay via `resolveForgejoTokenForType` correctly surfaces revoked tokens as `""` without a restart; `deps.ts` CLI drops the last `readFileSync(tokenFile)`.
Nit (non-blocking): the test named "revoke at scope=global takes effect on the next mergeAgent" exercises `getAgentTokenSync` directly, not the `mergeAgent` → `resolveForgejoTokenForType` path — a thin test calling `resolveAgent` after seeding the secret store would close the AC gap, but not blocking.

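The resolver pattern the PR describes, and the seed-then-resolve check the review suggests, as an added TypeScript sketch that is not the claude-hooks project's own code: `getAgentTokenSync` and `mergeAgent` take their names from the PR, while the in-memory store, `seedToken`, `revokeToken`, `legacyCapturedToken` and `AgentConfig` are assumed stand-ins, and only the `global` scope named in the PR is modelled.

```typescript
// Added sketch, not the claude-hooks project's code. getAgentTokenSync and
// mergeAgent take their names from the PR; the store and the other helpers
// are assumptions standing in for the real secret resolver.
type AgentType = "code-lead" | "reviewer";
type Scope = "global"; // the only scope the PR text names

interface AgentConfig {
  type: AgentType;
  forgejoToken: string;
}

// Constructed in-memory secret store: one token per agent type plus the
// scopes at which that token has been revoked.
const store = {
  tokens: new Map<AgentType, string>(),
  revoked: new Map<AgentType, Set<Scope>>(),
};

function seedToken(type: AgentType, token: string): void {
  store.tokens.set(type, token);
  store.revoked.delete(type); // rotating in a fresh token clears revocations
}

function revokeToken(type: AgentType, scope: Scope): void {
  const scopes = store.revoked.get(type) ?? new Set<Scope>();
  scopes.add(scope);
  store.revoked.set(type, scopes);
}

// Synchronous resolve: null once the token is revoked at scope='global'.
function getAgentTokenSync(type: AgentType): string | null {
  if (store.revoked.get(type)?.has("global")) return null;
  return store.tokens.get(type) ?? null;
}

// Overlay step: the token is re-resolved on every call, so a revocation
// surfaces as "" on the next dispatch without a process restart.
function mergeAgent(type: AgentType): AgentConfig {
  return { type, forgejoToken: getAgentTokenSync(type) ?? "" };
}

// Legacy behaviour for contrast: a value read once at startup (as the old
// readFileSync(tokenFile) fallback did) keeps returning the revoked token.
function legacyCapturedToken(type: AgentType): () => string {
  const captured = store.tokens.get(type) ?? "";
  return () => captured;
}
```

The contrast between `mergeAgent` and `legacyCapturedToken` after a `global` revocation is the restart-free invalidation the PR is after.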
Merge branch 'main' into code-lead/758
All checks were successful
qa / dockerfile (pull_request) Successful in 7s
qa / qa (pull_request) Successful in 3m50s
046ef84fed
# Conflicts:
#	apps/server/src/domain/flows/pr-approved-merge-graph.test.ts
charles deleted branch code-lead/758 2026-05-03 09:20:49 +00:00
Reference
charles/claude-hooks!772