2026-03-15 17:57:12 +01:00
|
|
|
# Disinto — Environment Configuration
|
2026-03-12 12:44:15 +00:00
|
|
|
# Copy to .env and fill in your values.
|
|
|
|
|
# NEVER commit .env to the repo.
|
2026-03-23 18:58:33 +00:00
|
|
|
#
|
|
|
|
|
# With SOPS + age installed, `disinto init` encrypts secrets into .env.enc
|
|
|
|
|
# and removes plaintext .env. To migrate an existing .env: `disinto secrets migrate`
|
|
|
|
|
#
|
|
|
|
|
# Variables marked [SECRET] are credentials that grant access if leaked.
|
|
|
|
|
# Variables marked [CONFIG] are non-sensitive and safe in plaintext.
|
2026-03-12 12:44:15 +00:00
|
|
|
|
2026-03-20 15:01:28 +00:00
|
|
|
# ── Per-project config ────────────────────────────────────────────────────
|
fix: Replace Codeberg dependency with local Forgejo instance (#611)
- Add setup_forge() to bin/disinto: provisions Forgejo via Docker,
creates admin + bot users (dev-bot, review-bot), generates API
tokens, creates repo, and pushes code — all automated
- Rename env vars: CODEBERG_TOKEN→FORGE_TOKEN, REVIEW_BOT_TOKEN→
FORGE_REVIEW_TOKEN, CODEBERG_REPO→FORGE_REPO, CODEBERG_API→
FORGE_API, CODEBERG_WEB→FORGE_WEB, CODEBERG_BOT_USERNAMES→
FORGE_BOT_USERNAMES (with backwards-compat fallbacks)
- Rename API helpers: codeberg_api()→forge_api(), codeberg_api_all()
→forge_api_all() (with compat aliases)
- Add forge_url field to project TOML; load-project.sh derives
FORGE_API/FORGE_WEB from forge_url + repo
- Update parse_repo_slug() to accept any host URL, not just codeberg
- Forgejo data stored under ~/.disinto/forgejo/ (not in factory repo)
- Update all 58 files: agent scripts, formulas, docs, site HTML
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-23 16:57:12 +00:00
|
|
|
# Project-specific settings (FORGE_REPO, PROJECT_REPO_ROOT, PRIMARY_BRANCH,
|
2026-03-20 15:01:28 +00:00
|
|
|
# WOODPECKER_REPO_ID) now live in projects/*.toml — see projects/harb.toml
|
|
|
|
|
# for an example. Do NOT set them here; they leak into every session.
|
2026-03-14 13:49:09 +01:00
|
|
|
|
fix: Replace Codeberg dependency with local Forgejo instance (#611)
- Add setup_forge() to bin/disinto: provisions Forgejo via Docker,
creates admin + bot users (dev-bot, review-bot), generates API
tokens, creates repo, and pushes code — all automated
- Rename env vars: CODEBERG_TOKEN→FORGE_TOKEN, REVIEW_BOT_TOKEN→
FORGE_REVIEW_TOKEN, CODEBERG_REPO→FORGE_REPO, CODEBERG_API→
FORGE_API, CODEBERG_WEB→FORGE_WEB, CODEBERG_BOT_USERNAMES→
FORGE_BOT_USERNAMES (with backwards-compat fallbacks)
- Rename API helpers: codeberg_api()→forge_api(), codeberg_api_all()
→forge_api_all() (with compat aliases)
- Add forge_url field to project TOML; load-project.sh derives
FORGE_API/FORGE_WEB from forge_url + repo
- Update parse_repo_slug() to accept any host URL, not just codeberg
- Forgejo data stored under ~/.disinto/forgejo/ (not in factory repo)
- Update all 58 files: agent scripts, formulas, docs, site HTML
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-23 16:57:12 +00:00
|
|
|
# ── Forge (Forgejo) ─────────────────────────────────────────────────────
|
2026-03-23 18:58:33 +00:00
|
|
|
FORGE_URL=http://localhost:3000 # [CONFIG] local Forgejo instance
|
fix: Replace Codeberg dependency with local Forgejo instance (#611)
- Add setup_forge() to bin/disinto: provisions Forgejo via Docker,
creates admin + bot users (dev-bot, review-bot), generates API
tokens, creates repo, and pushes code — all automated
- Rename env vars: CODEBERG_TOKEN→FORGE_TOKEN, REVIEW_BOT_TOKEN→
FORGE_REVIEW_TOKEN, CODEBERG_REPO→FORGE_REPO, CODEBERG_API→
FORGE_API, CODEBERG_WEB→FORGE_WEB, CODEBERG_BOT_USERNAMES→
FORGE_BOT_USERNAMES (with backwards-compat fallbacks)
- Rename API helpers: codeberg_api()→forge_api(), codeberg_api_all()
→forge_api_all() (with compat aliases)
- Add forge_url field to project TOML; load-project.sh derives
FORGE_API/FORGE_WEB from forge_url + repo
- Update parse_repo_slug() to accept any host URL, not just codeberg
- Forgejo data stored under ~/.disinto/forgejo/ (not in factory repo)
- Update all 58 files: agent scripts, formulas, docs, site HTML
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-23 16:57:12 +00:00
|
|
|
|
2026-03-14 13:49:09 +01:00
|
|
|
# ── Auth tokens ───────────────────────────────────────────────────────────
|
fix: Per-agent Forgejo accounts — identity and permissions via authorship (#747)
Each agent now gets its own Forgejo account (dev-bot, review-bot,
planner-bot, gardener-bot, vault-bot, supervisor-bot, predictor-bot,
action-bot) with a dedicated API token. This enables:
- Audit trail: every forge action attributable to a specific agent
- Permission boundaries: agents act under their own identity
- Vault authorization model: vault-bot comments = proof of approval
Changes:
- bin/disinto: setup_forge() creates all 8 bot accounts during init,
stores per-agent tokens (FORGE_*_TOKEN) in .env, adds all bots as
repo collaborators
- lib/env.sh: exports per-agent token vars with fallback to FORGE_TOKEN
for backwards compat; sets FORGE_BOT_USERNAMES default to all 8 bots
- Agent scripts: each agent overrides FORGE_TOKEN with its per-agent
token after sourcing env.sh (gardener, planner, supervisor, predictor,
vault, action)
- .env.example: documents all per-agent token fields
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-26 16:16:13 +00:00
|
|
|
# Each agent has its own Forgejo account and API token (#747).
|
|
|
|
|
# Per-agent tokens fall back to FORGE_TOKEN if not set.
|
2026-04-10 10:41:49 +00:00
|
|
|
#
|
|
|
|
|
# Tokens and passwords are auto-generated by `disinto init` and stored in .env.
|
|
|
|
|
# Each bot user gets:
|
|
|
|
|
# - FORGE_TOKEN_<BOT> = API token for REST calls (user identity via /api/v1/user)
|
|
|
|
|
# - FORGE_PASS_<BOT> = password for git HTTP push (#361, Forgejo 11.x limitation)
|
|
|
|
|
#
|
2026-04-16 08:55:45 +00:00
|
|
|
# Local-model agents hired with `disinto hire-an-agent` are keyed by *agent
|
|
|
|
|
# name* (not role), so multiple local-model dev agents can coexist without
|
|
|
|
|
# colliding on credentials (#834). For an agent named `dev-qwen2` the vars are:
|
|
|
|
|
# - FORGE_TOKEN_DEV_QWEN2
|
|
|
|
|
# - FORGE_PASS_DEV_QWEN2
|
|
|
|
|
# Name conversion: tr 'a-z-' 'A-Z_' (lowercase→UPPER, hyphens→underscores).
|
|
|
|
|
# The compose generator looks these up via the agent's `forge_user` field in
|
2026-04-16 11:25:34 +00:00
|
|
|
# the project TOML. Configure local-model agents via [agents.X] sections in
|
|
|
|
|
# projects/*.toml — this is the canonical activation path.
|
fix: Per-agent Forgejo accounts — identity and permissions via authorship (#747)
Each agent now gets its own Forgejo account (dev-bot, review-bot,
planner-bot, gardener-bot, vault-bot, supervisor-bot, predictor-bot,
action-bot) with a dedicated API token. This enables:
- Audit trail: every forge action attributable to a specific agent
- Permission boundaries: agents act under their own identity
- Vault authorization model: vault-bot comments = proof of approval
Changes:
- bin/disinto: setup_forge() creates all 8 bot accounts during init,
stores per-agent tokens (FORGE_*_TOKEN) in .env, adds all bots as
repo collaborators
- lib/env.sh: exports per-agent token vars with fallback to FORGE_TOKEN
for backwards compat; sets FORGE_BOT_USERNAMES default to all 8 bots
- Agent scripts: each agent overrides FORGE_TOKEN with its per-agent
token after sourcing env.sh (gardener, planner, supervisor, predictor,
vault, action)
- .env.example: documents all per-agent token fields
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-26 16:16:13 +00:00
|
|
|
FORGE_TOKEN= # [SECRET] dev-bot API token (default for all agents)
|
2026-04-10 10:41:49 +00:00
|
|
|
FORGE_PASS= # [SECRET] dev-bot password for git HTTP push (#361)
|
2026-03-23 18:58:33 +00:00
|
|
|
FORGE_REVIEW_TOKEN= # [SECRET] review-bot API token
|
2026-04-10 10:41:49 +00:00
|
|
|
FORGE_REVIEW_PASS= # [SECRET] review-bot password for git HTTP push
|
fix: Per-agent Forgejo accounts — identity and permissions via authorship (#747)
Each agent now gets its own Forgejo account (dev-bot, review-bot,
planner-bot, gardener-bot, vault-bot, supervisor-bot, predictor-bot,
action-bot) with a dedicated API token. This enables:
- Audit trail: every forge action attributable to a specific agent
- Permission boundaries: agents act under their own identity
- Vault authorization model: vault-bot comments = proof of approval
Changes:
- bin/disinto: setup_forge() creates all 8 bot accounts during init,
stores per-agent tokens (FORGE_*_TOKEN) in .env, adds all bots as
repo collaborators
- lib/env.sh: exports per-agent token vars with fallback to FORGE_TOKEN
for backwards compat; sets FORGE_BOT_USERNAMES default to all 8 bots
- Agent scripts: each agent overrides FORGE_TOKEN with its per-agent
token after sourcing env.sh (gardener, planner, supervisor, predictor,
vault, action)
- .env.example: documents all per-agent token fields
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-26 16:16:13 +00:00
|
|
|
FORGE_PLANNER_TOKEN= # [SECRET] planner-bot API token
|
2026-04-10 10:41:49 +00:00
|
|
|
FORGE_PLANNER_PASS= # [SECRET] planner-bot password for git HTTP push
|
fix: Per-agent Forgejo accounts — identity and permissions via authorship (#747)
Each agent now gets its own Forgejo account (dev-bot, review-bot,
planner-bot, gardener-bot, vault-bot, supervisor-bot, predictor-bot,
action-bot) with a dedicated API token. This enables:
- Audit trail: every forge action attributable to a specific agent
- Permission boundaries: agents act under their own identity
- Vault authorization model: vault-bot comments = proof of approval
Changes:
- bin/disinto: setup_forge() creates all 8 bot accounts during init,
stores per-agent tokens (FORGE_*_TOKEN) in .env, adds all bots as
repo collaborators
- lib/env.sh: exports per-agent token vars with fallback to FORGE_TOKEN
for backwards compat; sets FORGE_BOT_USERNAMES default to all 8 bots
- Agent scripts: each agent overrides FORGE_TOKEN with its per-agent
token after sourcing env.sh (gardener, planner, supervisor, predictor,
vault, action)
- .env.example: documents all per-agent token fields
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-26 16:16:13 +00:00
|
|
|
FORGE_GARDENER_TOKEN= # [SECRET] gardener-bot API token
|
2026-04-10 10:41:49 +00:00
|
|
|
FORGE_GARDENER_PASS= # [SECRET] gardener-bot password for git HTTP push
|
fix: Per-agent Forgejo accounts — identity and permissions via authorship (#747)
Each agent now gets its own Forgejo account (dev-bot, review-bot,
planner-bot, gardener-bot, vault-bot, supervisor-bot, predictor-bot,
action-bot) with a dedicated API token. This enables:
- Audit trail: every forge action attributable to a specific agent
- Permission boundaries: agents act under their own identity
- Vault authorization model: vault-bot comments = proof of approval
Changes:
- bin/disinto: setup_forge() creates all 8 bot accounts during init,
stores per-agent tokens (FORGE_*_TOKEN) in .env, adds all bots as
repo collaborators
- lib/env.sh: exports per-agent token vars with fallback to FORGE_TOKEN
for backwards compat; sets FORGE_BOT_USERNAMES default to all 8 bots
- Agent scripts: each agent overrides FORGE_TOKEN with its per-agent
token after sourcing env.sh (gardener, planner, supervisor, predictor,
vault, action)
- .env.example: documents all per-agent token fields
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-26 16:16:13 +00:00
|
|
|
FORGE_VAULT_TOKEN= # [SECRET] vault-bot API token
|
2026-04-10 10:41:49 +00:00
|
|
|
FORGE_VAULT_PASS= # [SECRET] vault-bot password for git HTTP push
|
fix: Per-agent Forgejo accounts — identity and permissions via authorship (#747)
Each agent now gets its own Forgejo account (dev-bot, review-bot,
planner-bot, gardener-bot, vault-bot, supervisor-bot, predictor-bot,
action-bot) with a dedicated API token. This enables:
- Audit trail: every forge action attributable to a specific agent
- Permission boundaries: agents act under their own identity
- Vault authorization model: vault-bot comments = proof of approval
Changes:
- bin/disinto: setup_forge() creates all 8 bot accounts during init,
stores per-agent tokens (FORGE_*_TOKEN) in .env, adds all bots as
repo collaborators
- lib/env.sh: exports per-agent token vars with fallback to FORGE_TOKEN
for backwards compat; sets FORGE_BOT_USERNAMES default to all 8 bots
- Agent scripts: each agent overrides FORGE_TOKEN with its per-agent
token after sourcing env.sh (gardener, planner, supervisor, predictor,
vault, action)
- .env.example: documents all per-agent token fields
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-26 16:16:13 +00:00
|
|
|
FORGE_SUPERVISOR_TOKEN= # [SECRET] supervisor-bot API token
|
2026-04-10 10:41:49 +00:00
|
|
|
FORGE_SUPERVISOR_PASS= # [SECRET] supervisor-bot password for git HTTP push
|
fix: Per-agent Forgejo accounts — identity and permissions via authorship (#747)
Each agent now gets its own Forgejo account (dev-bot, review-bot,
planner-bot, gardener-bot, vault-bot, supervisor-bot, predictor-bot,
action-bot) with a dedicated API token. This enables:
- Audit trail: every forge action attributable to a specific agent
- Permission boundaries: agents act under their own identity
- Vault authorization model: vault-bot comments = proof of approval
Changes:
- bin/disinto: setup_forge() creates all 8 bot accounts during init,
stores per-agent tokens (FORGE_*_TOKEN) in .env, adds all bots as
repo collaborators
- lib/env.sh: exports per-agent token vars with fallback to FORGE_TOKEN
for backwards compat; sets FORGE_BOT_USERNAMES default to all 8 bots
- Agent scripts: each agent overrides FORGE_TOKEN with its per-agent
token after sourcing env.sh (gardener, planner, supervisor, predictor,
vault, action)
- .env.example: documents all per-agent token fields
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-26 16:16:13 +00:00
|
|
|
FORGE_PREDICTOR_TOKEN= # [SECRET] predictor-bot API token
|
2026-04-10 10:41:49 +00:00
|
|
|
FORGE_PREDICTOR_PASS= # [SECRET] predictor-bot password for git HTTP push
|
2026-04-01 09:53:47 +00:00
|
|
|
FORGE_ARCHITECT_TOKEN= # [SECRET] architect-bot API token
|
2026-04-10 10:41:49 +00:00
|
|
|
FORGE_ARCHITECT_PASS= # [SECRET] architect-bot password for git HTTP push
|
2026-04-15 07:41:16 +00:00
|
|
|
FORGE_FILER_TOKEN= # [SECRET] filer-bot API token (issues:write on project repo only)
|
|
|
|
|
FORGE_FILER_PASS= # [SECRET] filer-bot password for git HTTP push
|
|
|
|
|
FORGE_BOT_USERNAMES=dev-bot,review-bot,planner-bot,gardener-bot,vault-bot,supervisor-bot,predictor-bot,architect-bot,filer-bot
|
fix: Replace Codeberg dependency with local Forgejo instance (#611)
- Add setup_forge() to bin/disinto: provisions Forgejo via Docker,
creates admin + bot users (dev-bot, review-bot), generates API
tokens, creates repo, and pushes code — all automated
- Rename env vars: CODEBERG_TOKEN→FORGE_TOKEN, REVIEW_BOT_TOKEN→
FORGE_REVIEW_TOKEN, CODEBERG_REPO→FORGE_REPO, CODEBERG_API→
FORGE_API, CODEBERG_WEB→FORGE_WEB, CODEBERG_BOT_USERNAMES→
FORGE_BOT_USERNAMES (with backwards-compat fallbacks)
- Rename API helpers: codeberg_api()→forge_api(), codeberg_api_all()
→forge_api_all() (with compat aliases)
- Add forge_url field to project TOML; load-project.sh derives
FORGE_API/FORGE_WEB from forge_url + repo
- Update parse_repo_slug() to accept any host URL, not just codeberg
- Forgejo data stored under ~/.disinto/forgejo/ (not in factory repo)
- Update all 58 files: agent scripts, formulas, docs, site HTML
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-23 16:57:12 +00:00
|
|
|
|
|
|
|
|
# ── Backwards compatibility ───────────────────────────────────────────────
|
|
|
|
|
# If CODEBERG_TOKEN is set but FORGE_TOKEN is not, env.sh falls back to
|
|
|
|
|
# CODEBERG_TOKEN automatically (same for REVIEW_BOT_TOKEN, CODEBERG_REPO,
|
|
|
|
|
# CODEBERG_BOT_USERNAMES). No action needed for existing deployments.
|
fix: Per-agent Forgejo accounts — identity and permissions via authorship (#747)
Each agent now gets its own Forgejo account (dev-bot, review-bot,
planner-bot, gardener-bot, vault-bot, supervisor-bot, predictor-bot,
action-bot) with a dedicated API token. This enables:
- Audit trail: every forge action attributable to a specific agent
- Permission boundaries: agents act under their own identity
- Vault authorization model: vault-bot comments = proof of approval
Changes:
- bin/disinto: setup_forge() creates all 8 bot accounts during init,
stores per-agent tokens (FORGE_*_TOKEN) in .env, adds all bots as
repo collaborators
- lib/env.sh: exports per-agent token vars with fallback to FORGE_TOKEN
for backwards compat; sets FORGE_BOT_USERNAMES default to all 8 bots
- Agent scripts: each agent overrides FORGE_TOKEN with its per-agent
token after sourcing env.sh (gardener, planner, supervisor, predictor,
vault, action)
- .env.example: documents all per-agent token fields
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-26 16:16:13 +00:00
|
|
|
# Per-agent tokens default to FORGE_TOKEN when unset (single-token setups).
|
2026-03-20 19:01:56 +00:00
|
|
|
|
2026-03-14 13:49:09 +01:00
|
|
|
# ── Woodpecker CI ─────────────────────────────────────────────────────────
|
2026-03-23 18:58:33 +00:00
|
|
|
WOODPECKER_TOKEN= # [SECRET] Woodpecker API token
|
|
|
|
|
WOODPECKER_SERVER=http://localhost:8000 # [CONFIG] Woodpecker server URL
|
2026-03-25 14:07:27 +00:00
|
|
|
WOODPECKER_AGENT_SECRET= # [SECRET] shared secret for server↔agent auth (auto-generated)
|
2026-04-15 10:56:39 +00:00
|
|
|
# Woodpecker privileged-plugin allowlist — comma-separated image names
|
|
|
|
|
# Add plugins/docker (and others) here to allow privileged execution
|
|
|
|
|
WOODPECKER_PLUGINS_PRIVILEGED=plugins/docker
|
|
|
|
|
|
2026-03-20 15:01:28 +00:00
|
|
|
# WOODPECKER_REPO_ID — now per-project, set in projects/*.toml [ci] section
|
2026-03-12 12:44:15 +00:00
|
|
|
|
|
|
|
|
# Woodpecker Postgres (for direct DB queries)
|
2026-03-23 18:58:33 +00:00
|
|
|
WOODPECKER_DB_PASSWORD= # [SECRET] Postgres password
|
|
|
|
|
WOODPECKER_DB_USER=woodpecker # [CONFIG] Postgres user
|
|
|
|
|
WOODPECKER_DB_HOST=127.0.0.1 # [CONFIG] Postgres host
|
|
|
|
|
WOODPECKER_DB_NAME=woodpecker # [CONFIG] Postgres database name
|
2026-03-12 12:44:15 +00:00
|
|
|
|
2026-04-12 01:52:16 +00:00
|
|
|
# ── Chat OAuth (#708) ────────────────────────────────────────────────────
|
|
|
|
|
CHAT_OAUTH_CLIENT_ID= # [SECRET] Chat OAuth2 client ID (auto-generated by init)
|
|
|
|
|
CHAT_OAUTH_CLIENT_SECRET= # [SECRET] Chat OAuth2 client secret (auto-generated by init)
|
|
|
|
|
DISINTO_CHAT_ALLOWED_USERS= # [CONFIG] CSV of allowed usernames (disinto-admin always allowed)
|
2026-04-12 02:21:02 +00:00
|
|
|
FORWARD_AUTH_SECRET= # [SECRET] Shared secret for Caddy ↔ chat forward_auth (#709)
|
2026-04-12 01:52:16 +00:00
|
|
|
|
2026-03-26 16:59:57 +00:00
|
|
|
# ── Vault-only secrets (DO NOT put these in .env) ────────────────────────
|
|
|
|
|
# These tokens grant access to external systems (GitHub, ClawHub, deploy targets).
|
2026-04-15 18:35:03 +00:00
|
|
|
# They live ONLY in secrets/<NAME>.enc (age-encrypted, one file per key) and are
|
|
|
|
|
# decrypted into the ephemeral runner container at fire time (#745, #777).
|
|
|
|
|
# lib/env.sh explicitly unsets them so agents can never hold them directly —
|
|
|
|
|
# all external actions go through vault dispatch.
|
2026-03-26 16:59:57 +00:00
|
|
|
#
|
|
|
|
|
# GITHUB_TOKEN — GitHub API access (publish, deploy, post)
|
|
|
|
|
# CLAWHUB_TOKEN — ClawHub registry credentials (publish)
|
2026-04-15 18:35:03 +00:00
|
|
|
# CADDY_SSH_KEY — SSH key for Caddy log collection
|
2026-03-26 16:59:57 +00:00
|
|
|
# (deploy keys) — SSH keys for deployment targets
|
|
|
|
|
#
|
2026-04-15 18:35:03 +00:00
|
|
|
# To manage secrets: disinto secrets add/show/remove/list
|
2026-03-26 16:59:57 +00:00
|
|
|
|
2026-03-21 09:54:21 +00:00
|
|
|
# ── Project-specific secrets ──────────────────────────────────────────────
|
|
|
|
|
# Store all project secrets here so formulas reference env vars, never hardcode.
|
2026-03-23 18:58:33 +00:00
|
|
|
BASE_RPC_URL= # [SECRET] on-chain RPC endpoint
|
2026-03-21 09:54:21 +00:00
|
|
|
|
2026-03-14 13:49:09 +01:00
|
|
|
# ── Tuning ────────────────────────────────────────────────────────────────
|
2026-03-23 18:58:33 +00:00
|
|
|
CLAUDE_TIMEOUT=7200 # [CONFIG] max seconds per Claude invocation
|
2026-03-25 15:34:55 +00:00
|
|
|
|
2026-04-15 20:01:47 +00:00
|
|
|
# ── Host paths (Nomad-portable) ────────────────────────────────────────────
|
|
|
|
|
# These env vars externalize host-side bind-mount paths from docker-compose.yml.
|
|
|
|
|
# At cutover, Nomad jobspecs reference the same vars — no path translation.
|
|
|
|
|
# Defaults point at current paths so an empty .env override still works.
|
|
|
|
|
CLAUDE_BIN_DIR=/usr/local/bin/claude # [CONFIG] host path to claude CLI binary (resolved by `disinto init`)
|
|
|
|
|
CLAUDE_CONFIG_FILE=${HOME}/.claude.json # [CONFIG] host path to claude config JSON file
|
|
|
|
|
CLAUDE_DIR=${HOME}/.claude # [CONFIG] host path to .claude directory (reproduce/edge)
|
|
|
|
|
AGENT_SSH_DIR=${HOME}/.ssh # [CONFIG] host path to SSH keys directory
|
|
|
|
|
SOPS_AGE_DIR=${HOME}/.config/sops/age # [CONFIG] host path to SOPS age key directory
|
|
|
|
|
|
2026-04-10 21:04:47 +00:00
|
|
|
# ── Claude Code shared OAuth state ─────────────────────────────────────────
|
|
|
|
|
# Shared directory used by every factory container so Claude Code's internal
|
|
|
|
|
# proper-lockfile-based OAuth refresh lock works across containers. Both
|
|
|
|
|
# values must live outside $HOME (so docker bind mounts don't depend on UID
|
|
|
|
|
# mapping) and must be the same absolute path on host and inside each
|
|
|
|
|
# container. See docs/CLAUDE-AUTH-CONCURRENCY.md.
|
|
|
|
|
CLAUDE_SHARED_DIR=/var/lib/disinto/claude-shared
|
|
|
|
|
CLAUDE_CONFIG_DIR=${CLAUDE_SHARED_DIR}/config
|
2026-04-10 20:32:07 +00:00
|
|
|
|
2026-03-26 13:21:22 +00:00
|
|
|
# ── Factory safety ────────────────────────────────────────────────────────
|
|
|
|
|
# Disables Claude Code auto-updater, telemetry, error reporting, and bug
|
|
|
|
|
# command. Factory sessions are production processes — they must never phone
|
|
|
|
|
# home or auto-update mid-session. Added after #725 (crash during red-team run).
|
|
|
|
|
CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC=1 # [CONFIG] suppress all non-essential traffic
|
|
|
|
|
|