Caddy forward_auth on /chat/* blocked unauthenticated users from
reaching the OAuth login/callback routes (401 instead of redirect).
Add explicit handle blocks for these public routes before the
forward_auth catch-all.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Gate /chat/* behind Forgejo OAuth2 authorization-code flow.
- Extract generic _create_forgejo_oauth_app() helper in lib/ci-setup.sh;
Woodpecker OAuth becomes a thin wrapper, chat gets its own app.
- bin/disinto init now creates TWO OAuth apps (woodpecker-ci + disinto-chat)
and writes CHAT_OAUTH_CLIENT_ID / CHAT_OAUTH_CLIENT_SECRET to .env.
- docker/chat/server.py: new routes /chat/login (→ Forgejo authorize),
/chat/oauth/callback (code→token exchange, user allowlist check, session
cookie). All other /chat/* routes require a valid session or redirect to
/chat/login. Session store is in-memory with 24h TTL.
- lib/generators.sh: pass FORGE_URL, CHAT_OAUTH_CLIENT_ID,
CHAT_OAUTH_CLIENT_SECRET, EDGE_TUNNEL_FQDN, DISINTO_CHAT_ALLOWED_USERS
to the chat container environment.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Introduce FORGE_API_BASE (bare API root without repo path) in lib/env.sh
and lib/load-project.sh. Replace all cross-repo curl calls in
architect-run.sh that incorrectly used ${FORGE_API}/repos/${FORGE_OPS_REPO}
(which expanded to .../repos/owner/repo/repos/owner/ops-repo) with
${FORGE_API_BASE}/repos/${FORGE_OPS_REPO}.
Also fix a same-repo label URL that duplicated the repos segment.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Three fixes:
1. architect-run.sh:722 — extract `.result` not `.content` from claude JSON
output. All other callers (dev-agent, formula-session) use `.result`;
this was the direct cause of every pitch being empty.
2. lib/agent-sdk.sh — reset `_AGENT_LAST_OUTPUT=""` at the top of each
`agent_run` call so stale data from a prior invocation can't bleed
into the next caller when claude crashes or returns empty.
3. lib/agent-sdk.sh — scope the diagnostics file by `$LOG_AGENT` instead
of hardcoding `dev/`. Concurrent agents (architect, gardener, planner,
predictor) no longer clobber each other's diag output.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The CI smoke test's get_candidates awk pattern falsely matches
underscore-containing variable names (like digested_files+=) as
unresolved function calls. Rename to batchfiles to avoid the match.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Add digest-specific timeout (PROFILE_DIGEST_TIMEOUT, default 300s) instead
of relying on the global 2h CLAUDE_TIMEOUT
- Cap journals per digest run (PROFILE_DIGEST_MAX_BATCH, default 5) to bound
prompt size and let remaining journals drain over subsequent runs
- Only archive the journals that were actually included in the batch, not all
- On timeout/failure, preserve previous lessons-learned.md instead of leaving
a near-empty file — journals stay unarchived for retry on next run
- Detect suspiciously small output (<=16 bytes) as failed digestion
- Add PROFILE_DIGEST_THRESHOLD env var (default 10) for digest trigger
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Gate both flock call sites (agent_run main invocation and nudge) behind
CLAUDE_EXTERNAL_LOCK env var. Default off — the native Claude Code
proper-lockfile-based OAuth refresh lock handles concurrency. Set
CLAUDE_EXTERNAL_LOCK=1 to re-enable the external flock for rollback.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Dockerfile: add openssh-client + autossh to edge image
- entrypoint-edge.sh: start autossh reverse tunnel before Caddy when
EDGE_TUNNEL_HOST is set; no-op when unset (local-only dev works unchanged)
- generators.sh: pass EDGE_TUNNEL_{HOST,USER,PORT,FQDN} env vars and
bind-mount secrets/tunnel_key into the edge service
Decommission steps for old host-level reverse-tunnel.service:
sudo systemctl disable --now reverse-tunnel.service
sudo rm /etc/systemd/system/reverse-tunnel.service
sudo systemctl daemon-reload
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add issue_is_dev_claimable() helper to lib/issue-lifecycle.sh that checks
whether an issue's labels are compatible with dev-agent ownership. Labels
like bug-report, vision, in-triage, prediction/*, action, and formula
indicate another agent owns the issue.
In dev-poll.sh, replace the vision-only skip with the new helper so that
ALL non-dev labels are excluded from stale detection. This prevents
dev-poll from relabeling bug-reports (or other agent-owned issues) as
blocked while they are being triaged.
Also removes the now-redundant formula/prediction guard block in the
orphan section, since issue_is_dev_claimable covers those labels.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
