Merge pull request 'fix: fix: compose template should use explicit environment per container, not shared env_file (#381)' (#397) from fix/issue-381 into main

2026-04-08 06:06:31 +00:00 · 2026-04-08 06:06:31 +00:00 · 07ea934fd3
commit 07ea934fd3
parent aa1ae7a7cd e27602e144
5 changed files with 66 additions and 20 deletions
--- a/.env.example
+++ b/.env.example
@ -20,6 +20,7 @@ FORGE_URL=http://localhost:3000             # [CONFIG] local Forgejo instance
 # Each agent has its own Forgejo account and API token (#747).
 # Per-agent tokens fall back to FORGE_TOKEN if not set.
 FORGE_TOKEN=                               # [SECRET] dev-bot API token (default for all agents)
+FORGE_TOKEN_DEVQWEN=                       # [SECRET] dev-qwen API token (for agents-llama)
 FORGE_REVIEW_TOKEN=                        # [SECRET] review-bot API token
 FORGE_PLANNER_TOKEN=                       # [SECRET] planner-bot API token
 FORGE_GARDENER_TOKEN=                      # [SECRET] gardener-bot API token
--- a/.woodpecker/detect-duplicates.py
+++ b/.woodpecker/detect-duplicates.py
@ -274,11 +274,13 @@ def main() -> int:
        "059b11945140c172465f9126b829ed7f": "Forgejo org-creation curl pattern (forge-setup.sh + ops-setup.sh)",
        # Docker compose environment block for agents service (generators.sh + hire-agent.sh)
        # Intentional duplicate - both generate the same docker-compose.yml template
-        "8066210169a462fe565f18b6a26a57e0": "Docker compose environment block (generators.sh + hire-agent.sh)",
-        "fd978fcd726696e0f280eba2c5198d50": "Docker compose environment block continuation (generators.sh + hire-agent.sh)",
-        "e2760ccc2d4b993a3685bd8991594eb2": "Docker compose env_file + depends_on block (generators.sh + hire-agent.sh)",
+        "8066210169a462fe565f18b6a26a57e0": "Docker compose environment block (generators.sh + hire-agent.sh) - old",
+        "fd978fcd726696e0f280eba2c5198d50": "Docker compose environment block continuation (generators.sh + hire-agent.sh) - old",
+        "e2760ccc2d4b993a3685bd8991594eb2": "Docker compose env_file + depends_on block (generators.sh + hire-agent.sh) - old",
        # The hash shown in output is 161a80f7 - need to match exactly what the script finds
-        "161a80f7296d6e9d45895607b7f5b9c9": "Docker compose env_file + depends_on block (generators.sh + hire-agent.sh)",
+        "161a80f7296d6e9d45895607b7f5b9c9": "Docker compose env_file + depends_on block (generators.sh + hire-agent.sh) - old",
+        # New hash after explicit environment fix (#381)
+        "83fa229b86a7fdcb1d3591ab8e718f9d": "Docker compose explicit environment block (generators.sh + hire-agent.sh) - #381",
    }

    if not sh_files:
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -12,10 +12,22 @@ services:
      - ./disinto:/home/agent/disinto:ro
      - /usr/local/bin/claude:/usr/local/bin/claude:ro
    environment:
-      - DISINTO_AGENTS=review,gardener
-      - ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY:-}
-      - FORGE_TOKEN=${FORGE_TOKEN:-}
      - FORGE_URL=http://forgejo:3000
+      - FORGE_TOKEN=${FORGE_TOKEN:-}
+      - FORGE_REVIEW_TOKEN=${FORGE_REVIEW_TOKEN:-}
+      - FORGE_GARDENER_TOKEN=${FORGE_GARDENER_TOKEN:-}
+      - FORGE_SUPERVISOR_TOKEN=${FORGE_SUPERVISOR_TOKEN:-}
+      - FORGE_PREDICTOR_TOKEN=${FORGE_PREDICTOR_TOKEN:-}
+      - FORGE_ARCHITECT_TOKEN=${FORGE_ARCHITECT_TOKEN:-}
+      - FORGE_VAULT_TOKEN=${FORGE_VAULT_TOKEN:-}
+      - FORGE_PLANNER_TOKEN=${FORGE_PLANNER_TOKEN:-}
+      - FORGE_BOT_USERNAMES=${FORGE_BOT_USERNAMES:-}
+      - WOODPECKER_TOKEN=${WOODPECKER_TOKEN:-}
+      - CLAUDE_TIMEOUT=${CLAUDE_TIMEOUT:-7200}
+      - CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC=${CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC:-1}
+      - ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY:-}
+      - FORGE_ADMIN_PASS=${FORGE_ADMIN_PASS:-}
+      - DISINTO_AGENTS=review,gardener
    depends_on:
      - forgejo

@ -30,12 +42,25 @@ services:
      - ./disinto:/home/agent/disinto:ro
      - /usr/local/bin/claude:/usr/local/bin/claude:ro
    environment:
-      - DISINTO_AGENTS=dev
-      - ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY:-}
-      - FORGE_TOKEN=${FORGE_TOKEN:-}
      - FORGE_URL=http://forgejo:3000
+      - FORGE_TOKEN=${FORGE_TOKEN_DEVQWEN:-}
+      - FORGE_SUPERVISOR_TOKEN=${FORGE_SUPERVISOR_TOKEN:-}
+      - FORGE_PREDICTOR_TOKEN=${FORGE_PREDICTOR_TOKEN:-}
+      - FORGE_ARCHITECT_TOKEN=${FORGE_ARCHITECT_TOKEN:-}
+      - FORGE_VAULT_TOKEN=${FORGE_VAULT_TOKEN:-}
+      - FORGE_PLANNER_TOKEN=${FORGE_PLANNER_TOKEN:-}
+      - FORGE_BOT_USERNAMES=${FORGE_BOT_USERNAMES:-}
+      - WOODPECKER_TOKEN=${WOODPECKER_TOKEN:-}
+      - CLAUDE_TIMEOUT=${CLAUDE_TIMEOUT:-7200}
+      - CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC=${CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC:-1}
+      - ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY:-}
+      - ANTHROPIC_BASE_URL=${ANTHROPIC_BASE_URL:-}
+      - FORGE_ADMIN_PASS=${FORGE_ADMIN_PASS:-}
+      - DISINTO_AGENTS=dev
      - PROJECT_TOML=projects/disinto.toml
      - FORGE_REPO=${FORGE_REPO:-disinto-admin/disinto}
+      - POLL_INTERVAL=${POLL_INTERVAL:-300}
+      - AGENT_ROLES=dev
    depends_on:
      - forgejo

--- a/lib/generators.sh
+++ b/lib/generators.sh
@ -124,13 +124,24 @@ services:
      - woodpecker-data:/woodpecker-data:ro
    environment:
      FORGE_URL: http://forgejo:3000
-      WOODPECKER_SERVER: http://woodpecker:8000
+      FORGE_TOKEN: ${FORGE_TOKEN:-}
+      FORGE_REVIEW_TOKEN: ${FORGE_REVIEW_TOKEN:-}
+      FORGE_PLANNER_TOKEN: ${FORGE_PLANNER_TOKEN:-}
+      FORGE_GARDENER_TOKEN: ${FORGE_GARDENER_TOKEN:-}
+      FORGE_VAULT_TOKEN: ${FORGE_VAULT_TOKEN:-}
+      FORGE_SUPERVISOR_TOKEN: ${FORGE_SUPERVISOR_TOKEN:-}
+      FORGE_PREDICTOR_TOKEN: ${FORGE_PREDICTOR_TOKEN:-}
+      FORGE_ARCHITECT_TOKEN: ${FORGE_ARCHITECT_TOKEN:-}
+      FORGE_BOT_USERNAMES: ${FORGE_BOT_USERNAMES:-}
+      WOODPECKER_TOKEN: ${WOODPECKER_TOKEN:-}
+      CLAUDE_TIMEOUT: ${CLAUDE_TIMEOUT:-7200}
+      CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC: ${CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC:-1}
+      ANTHROPIC_API_KEY: ${ANTHROPIC_API_KEY:-}
+      FORGE_ADMIN_PASS: ${FORGE_ADMIN_PASS:-}
      DISINTO_CONTAINER: "1"
      PROJECT_REPO_ROOT: /home/agent/repos/${PROJECT_NAME:-project}
      WOODPECKER_DATA_DIR: /woodpecker-data
-    env_file:
-      - .env
-    # IMPORTANT: agents get .env only (forge tokens, CI tokens, config).
+    # IMPORTANT: agents get explicit environment variables (forge tokens, CI tokens, config).
    # Vault-only secrets (GITHUB_TOKEN, CLAWHUB_TOKEN, deploy keys) live in
    # .env.vault.enc and are NEVER injected here — only the runner
    # container receives them at fire time (AD-006, #745).
--- a/lib/hire-agent.sh
+++ b/lib/hire-agent.sh
@ -415,18 +415,25 @@ services:
      - \$HOME/.config/sops/age:/home/agent/.config/sops/age:ro
    environment:
      FORGE_URL: http://forgejo:3000
-      WOODPECKER_SERVER: http://woodpecker:8000
+      FORGE_TOKEN: ${FORGE_TOKEN_DEVQWEN:-}
+      FORGE_SUPERVISOR_TOKEN: ${FORGE_SUPERVISOR_TOKEN:-}
+      FORGE_PREDICTOR_TOKEN: ${FORGE_PREDICTOR_TOKEN:-}
+      FORGE_ARCHITECT_TOKEN: ${FORGE_ARCHITECT_TOKEN:-}
+      FORGE_VAULT_TOKEN: ${FORGE_VAULT_TOKEN:-}
+      FORGE_PLANNER_TOKEN: ${FORGE_PLANNER_TOKEN:-}
+      FORGE_BOT_USERNAMES: ${FORGE_BOT_USERNAMES:-}
+      WOODPECKER_TOKEN: ${WOODPECKER_TOKEN:-}
+      CLAUDE_TIMEOUT: ${CLAUDE_TIMEOUT:-7200}
+      CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC: ${CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC:-1}
+      ANTHROPIC_API_KEY: ${ANTHROPIC_API_KEY:-}
+      ANTHROPIC_BASE_URL: ${local_model}
+      FORGE_ADMIN_PASS: ${FORGE_ADMIN_PASS:-}
      DISINTO_CONTAINER: "1"
      PROJECT_REPO_ROOT: /home/agent/repos/${PROJECT_NAME:-project}
      WOODPECKER_DATA_DIR: /woodpecker-data
-      ANTHROPIC_BASE_URL: ${local_model}
-      ANTHROPIC_API_KEY: sk-no-key-required
-      FORGE_TOKEN: \$FORGE_TOKEN
      AGENT_ROLES: dev
      CLAUDE_CONFIG_DIR: /home/agent/.claude
      POLL_INTERVAL: ${interval}
-    env_file:
-      - .env
    depends_on:
      - forgejo
      - woodpecker