From ee001534eb28a9bf2ff3599f7599c2f9f2a9dc69 Mon Sep 17 00:00:00 2001
From: Agent
Date: Wed, 8 Apr 2026 05:53:09 +0000
Subject: [PATCH 1/2] fix: fix: compose template should use explicit environment per container, not shared env_file (#381)
---
 .env.example | 1 +
 docker-compose.yml | 37 +++++++++++++++++++++++++++++++------
 lib/generators.sh | 19 +++++++++++++++----
 lib/hire-agent.sh | 19 +++++++++++++------
 4 files changed, 60 insertions(+), 16 deletions(-)
diff --git a/.env.example b/.env.example
index 6124671..037abe1 100644
--- a/.env.example
+++ b/.env.example
@@ -20,6 +20,7 @@ FORGE_URL=http://localhost:3000 # [CONFIG] local Forgejo instance
 # Each agent has its own Forgejo account and API token (#747).
 # Per-agent tokens fall back to FORGE_TOKEN if not set.
 FORGE_TOKEN= # [SECRET] dev-bot API token (default for all agents)
+FORGE_TOKEN_DEVQWEN= # [SECRET] dev-qwen API token (for agents-llama)
 FORGE_REVIEW_TOKEN= # [SECRET] review-bot API token
 FORGE_PLANNER_TOKEN= # [SECRET] planner-bot API token
 FORGE_GARDENER_TOKEN= # [SECRET] gardener-bot API token
diff --git a/docker-compose.yml b/docker-compose.yml
index dd9dcca..ee58d35 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -12,10 +12,22 @@ services:
 - ./disinto:/home/agent/disinto:ro
 - /usr/local/bin/claude:/usr/local/bin/claude:ro
 environment:
- - DISINTO_AGENTS=review,gardener
- - ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY:-}
- - FORGE_TOKEN=${FORGE_TOKEN:-}
 - FORGE_URL=http://forgejo:3000
+ - FORGE_TOKEN=${FORGE_TOKEN:-}
+ - FORGE_REVIEW_TOKEN=${FORGE_REVIEW_TOKEN:-}
+ - FORGE_GARDENER_TOKEN=${FORGE_GARDENER_TOKEN:-}
+ - FORGE_SUPERVISOR_TOKEN=${FORGE_SUPERVISOR_TOKEN:-}
+ - FORGE_PREDICTOR_TOKEN=${FORGE_PREDICTOR_TOKEN:-}
+ - FORGE_ARCHITECT_TOKEN=${FORGE_ARCHITECT_TOKEN:-}
+ - FORGE_VAULT_TOKEN=${FORGE_VAULT_TOKEN:-}
+ - FORGE_PLANNER_TOKEN=${FORGE_PLANNER_TOKEN:-}
+ - FORGE_BOT_USERNAMES=${FORGE_BOT_USERNAMES:-}
+ - WOODPECKER_TOKEN=${WOODPECKER_TOKEN:-}
+ - CLAUDE_TIMEOUT=${CLAUDE_TIMEOUT:-7200}
+ - CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC=${CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC:-1}
+ - ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY:-}
+ - FORGE_ADMIN_PASS=${FORGE_ADMIN_PASS:-}
+ - DISINTO_AGENTS=review,gardener
 depends_on:
 - forgejo
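Review bot: The container started with `DISINTO_AGENTS=review,gardener` now receives every role's credential, including `FORGE_SUPERVISOR_TOKEN`, `FORGE_VAULT_TOKEN`, `FORGE_PLANNER_TOKEN` and `FORGE_ADMIN_PASS`, where the removed lines passed only `ANTHROPIC_API_KEY` and `FORGE_TOKEN`. Unless an `env_file` outside this hunk already supplied them, the explicit list widens what a misbehaving review or gardener agent can read, which works against the per-container scoping the commit title describes. Limit the block to what these two roles use, for example `FORGE_TOKEN`, `FORGE_REVIEW_TOKEN` and `FORGE_GARDENER_TOKEN`, and drop `FORGE_ADMIN_PASS` unless something in this container actually needs the admin password. The same full list is repeated in the dev container hunk below and in the templates in lib/generators.sh and lib/hire-agent.sh.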
@@ -30,12 +42,25 @@ services:
 - ./disinto:/home/agent/disinto:ro
 - /usr/local/bin/claude:/usr/local/bin/claude:ro
 environment:
- - DISINTO_AGENTS=dev
- - ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY:-}
- - FORGE_TOKEN=${FORGE_TOKEN:-}
 - FORGE_URL=http://forgejo:3000
+ - FORGE_TOKEN=${FORGE_TOKEN_DEVQWEN:-}
+ - FORGE_SUPERVISOR_TOKEN=${FORGE_SUPERVISOR_TOKEN:-}
+ - FORGE_PREDICTOR_TOKEN=${FORGE_PREDICTOR_TOKEN:-}
+ - FORGE_ARCHITECT_TOKEN=${FORGE_ARCHITECT_TOKEN:-}
+ - FORGE_VAULT_TOKEN=${FORGE_VAULT_TOKEN:-}
+ - FORGE_PLANNER_TOKEN=${FORGE_PLANNER_TOKEN:-}
+ - FORGE_BOT_USERNAMES=${FORGE_BOT_USERNAMES:-}
+ - WOODPECKER_TOKEN=${WOODPECKER_TOKEN:-}
+ - CLAUDE_TIMEOUT=${CLAUDE_TIMEOUT:-7200}
+ - CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC=${CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC:-1}
+ - ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY:-}
+ - ANTHROPIC_BASE_URL=${ANTHROPIC_BASE_URL:-}
+ - FORGE_ADMIN_PASS=${FORGE_ADMIN_PASS:-}
+ - DISINTO_AGENTS=dev
 - PROJECT_TOML=projects/disinto.toml
 - FORGE_REPO=${FORGE_REPO:-disinto-admin/disinto}
+ - POLL_INTERVAL=${POLL_INTERVAL:-300}
+ - AGENT_ROLES=dev
 depends_on:
 - forgejo
diff --git a/lib/generators.sh b/lib/generators.sh
index 75e5e18..80386d2 100644
--- a/lib/generators.sh
+++ b/lib/generators.sh
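Review bot: `FORGE_TOKEN=${FORGE_TOKEN_DEVQWEN:-}` defaults to an empty string, so an installation whose `.env` predates the new `FORGE_TOKEN_DEVQWEN` entry starts the dev container with no forge credential and no error at `docker compose up`. The `.env.example` comment says per-agent tokens fall back to `FORGE_TOKEN`, but that fallback cannot apply here because `FORGE_TOKEN` is the variable being overwritten. Compose's required-variable form surfaces the misconfiguration early, `- FORGE_TOKEN=${FORGE_TOKEN_DEVQWEN:?FORGE_TOKEN_DEVQWEN must be set in .env}`; if this service is optional, an equivalent check in the container entrypoint avoids failing the whole file. Either way the intended behaviour for an unset token should be stated in `.env.example`.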
@@ -124,13 +124,24 @@ services:
 - woodpecker-data:/woodpecker-data:ro
 environment:
 FORGE_URL: http://forgejo:3000
- WOODPECKER_SERVER: http://woodpecker:8000
+ FORGE_TOKEN: ${FORGE_TOKEN:-}
+ FORGE_REVIEW_TOKEN: ${FORGE_REVIEW_TOKEN:-}
+ FORGE_PLANNER_TOKEN: ${FORGE_PLANNER_TOKEN:-}
+ FORGE_GARDENER_TOKEN: ${FORGE_GARDENER_TOKEN:-}
+ FORGE_VAULT_TOKEN: ${FORGE_VAULT_TOKEN:-}
+ FORGE_SUPERVISOR_TOKEN: ${FORGE_SUPERVISOR_TOKEN:-}
+ FORGE_PREDICTOR_TOKEN: ${FORGE_PREDICTOR_TOKEN:-}
+ FORGE_ARCHITECT_TOKEN: ${FORGE_ARCHITECT_TOKEN:-}
+ FORGE_BOT_USERNAMES: ${FORGE_BOT_USERNAMES:-}
+ WOODPECKER_TOKEN: ${WOODPECKER_TOKEN:-}
+ CLAUDE_TIMEOUT: ${CLAUDE_TIMEOUT:-7200}
+ CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC: ${CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC:-1}
+ ANTHROPIC_API_KEY: ${ANTHROPIC_API_KEY:-}
+ FORGE_ADMIN_PASS: ${FORGE_ADMIN_PASS:-}
 DISINTO_CONTAINER: "1"
 PROJECT_REPO_ROOT: /home/agent/repos/${PROJECT_NAME:-project}
 WOODPECKER_DATA_DIR: /woodpecker-data
- env_file:
- - .env
- # IMPORTANT: agents get .env only (forge tokens, CI tokens, config).
+ # IMPORTANT: agents get explicit environment variables (forge tokens, CI tokens, config).
 # Vault-only secrets (GITHUB_TOKEN, CLAWHUB_TOKEN, deploy keys) live in
 # .env.vault.enc and are NEVER injected here — only the runner
 # container receives them at fire time (AD-006, #745).
diff --git a/lib/hire-agent.sh b/lib/hire-agent.sh
index 1ddd72a..b15b2b7 100644
--- a/lib/hire-agent.sh
+++ b/lib/hire-agent.sh
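Review bot: `WOODPECKER_SERVER: http://woodpecker:8000` is removed from the template and nothing replaces it, while `WOODPECKER_TOKEN` is added and the `env_file: .env` that could have supplied the server URL is dropped in the same hunk. If any agent still reads `WOODPECKER_SERVER`, it is now unset inside the container, and the commit message does not mention the removal, so it looks unintended. Restore `WOODPECKER_SERVER: http://woodpecker:8000` next to `FORGE_URL`, or state in the commit that no agent uses it. The same removal appears in the lib/hire-agent.sh hunk. The heredoc that holds this template opens and closes outside the hunk.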
@@ -415,18 +415,25 @@ services:
 - \$HOME/.config/sops/age:/home/agent/.config/sops/age:ro
 environment:
 FORGE_URL: http://forgejo:3000
- WOODPECKER_SERVER: http://woodpecker:8000
+ FORGE_TOKEN: ${FORGE_TOKEN_DEVQWEN:-}
+ FORGE_SUPERVISOR_TOKEN: ${FORGE_SUPERVISOR_TOKEN:-}
+ FORGE_PREDICTOR_TOKEN: ${FORGE_PREDICTOR_TOKEN:-}
+ FORGE_ARCHITECT_TOKEN: ${FORGE_ARCHITECT_TOKEN:-}
+ FORGE_VAULT_TOKEN: ${FORGE_VAULT_TOKEN:-}
+ FORGE_PLANNER_TOKEN: ${FORGE_PLANNER_TOKEN:-}
+ FORGE_BOT_USERNAMES: ${FORGE_BOT_USERNAMES:-}
+ WOODPECKER_TOKEN: ${WOODPECKER_TOKEN:-}
+ CLAUDE_TIMEOUT: ${CLAUDE_TIMEOUT:-7200}
+ CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC: ${CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC:-1}
+ ANTHROPIC_API_KEY: ${ANTHROPIC_API_KEY:-}
+ ANTHROPIC_BASE_URL: ${local_model}
+ FORGE_ADMIN_PASS: ${FORGE_ADMIN_PASS:-}
 DISINTO_CONTAINER: "1"
 PROJECT_REPO_ROOT: /home/agent/repos/${PROJECT_NAME:-project}
 WOODPECKER_DATA_DIR: /woodpecker-data
- ANTHROPIC_BASE_URL: ${local_model}
- ANTHROPIC_API_KEY: sk-no-key-required
- FORGE_TOKEN: \$FORGE_TOKEN
 AGENT_ROLES: dev
 CLAUDE_CONFIG_DIR: /home/agent/.claude
 POLL_INTERVAL: ${interval}
- env_file:
- - .env
 depends_on:
 - forgejo
 - woodpecker
From e27602e144f3aa9de263cb3448235ef0d654cce6 Mon Sep 17 00:00:00 2001
From: Agent
Date: Wed, 8 Apr 2026 05:56:16 +0000
Subject: [PATCH 2/2] fix: update duplicate detection hash for explicit env block (#381)
---
 .woodpecker/detect-duplicates.py | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/.woodpecker/detect-duplicates.py b/.woodpecker/detect-duplicates.py
index 3ee008f..59af800 100644
--- a/.woodpecker/detect-duplicates.py
+++ b/.woodpecker/detect-duplicates.py
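Review bot: The added lines use unescaped `${FORGE_TOKEN_DEVQWEN:-}`, `${ANTHROPIC_API_KEY:-}`, `${FORGE_ADMIN_PASS:-}` and the rest, while the surrounding template escapes what Compose should resolve (`\$HOME`, and the removed `FORGE_TOKEN: \$FORGE_TOKEN`) and leaves unescaped what the script itself fills in (`${local_model}`, `${interval}`). If the heredoc is unquoted, which that mix suggests although its opening line is outside the hunk, the shell expands these at generation time and writes the secret values, or empty strings when the variable is not exported, as literals into the generated compose file. Escaping them, for example `FORGE_TOKEN: \${FORGE_TOKEN_DEVQWEN:-}`, keeps the secrets in `.env` and lets Compose interpolate at start-up. Separately, replacing `ANTHROPIC_API_KEY: sk-no-key-required` with `${ANTHROPIC_API_KEY:-}` sends the real key to whatever endpoint `${local_model}` sets as `ANTHROPIC_BASE_URL`; keeping the placeholder for this local-model service avoids that.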
@@ -274,11 +274,13 @@ def main() -> int:
 "059b11945140c172465f9126b829ed7f": "Forgejo org-creation curl pattern (forge-setup.sh + ops-setup.sh)",
 # Docker compose environment block for agents service (generators.sh + hire-agent.sh)
 # Intentional duplicate - both generate the same docker-compose.yml template
- "8066210169a462fe565f18b6a26a57e0": "Docker compose environment block (generators.sh + hire-agent.sh)",
- "fd978fcd726696e0f280eba2c5198d50": "Docker compose environment block continuation (generators.sh + hire-agent.sh)",
- "e2760ccc2d4b993a3685bd8991594eb2": "Docker compose env_file + depends_on block (generators.sh + hire-agent.sh)",
+ "8066210169a462fe565f18b6a26a57e0": "Docker compose environment block (generators.sh + hire-agent.sh) - old",
+ "fd978fcd726696e0f280eba2c5198d50": "Docker compose environment block continuation (generators.sh + hire-agent.sh) - old",
+ "e2760ccc2d4b993a3685bd8991594eb2": "Docker compose env_file + depends_on block (generators.sh + hire-agent.sh) - old",
 # The hash shown in output is 161a80f7 - need to match exactly what the script finds
- "161a80f7296d6e9d45895607b7f5b9c9": "Docker compose env_file + depends_on block (generators.sh + hire-agent.sh)",
+ "161a80f7296d6e9d45895607b7f5b9c9": "Docker compose env_file + depends_on block (generators.sh + hire-agent.sh) - old",
+ # New hash after explicit environment fix (#381)
+ "83fa229b86a7fdcb1d3591ab8e718f9d": "Docker compose explicit environment block (generators.sh + hire-agent.sh) - #381",
 }
 if not sh_files:
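Review bot: The four entries relabelled `- old` stay in the dict even though this series removes the `env_file` blocks two of them describe, so they keep accepting a duplicate that should no longer exist. If the detector treats this dict as known-and-accepted hashes (it appears to, but the lookup is outside the hunk), a later change that reintroduces the shared `env_file` block in both generators would pass CI unflagged. Delete whichever of these hashes no longer match the current scripts and keep `83fa229b86a7fdcb1d3591ab8e718f9d`; the comment `# The hash shown in output is 161a80f7 - need to match exactly what the script finds` can go with them. `main()` begins and continues outside the hunk.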