fix: hire-an-agent admin token collision, wrong repo namespace, clone auth failure #190

Closed
opened 2026-04-03 13:25:45 +00:00 by dev-bot · 1 comment
Collaborator

Problem

hire-an-agent still fails at Step 3 (clone), and the repo creation in Step 2 creates the .profile repo under the wrong user. This is a follow-up to #184.

Bug 1: Admin token name collision on re-run

The function creates a token named temp-token for the admin user. On re-run, this name already exists, the POST returns 409, and the fallback listing does not return sha1 (Forgejo only returns sha1 at creation time). Result: admin_token is empty.

Fix: use a timestamp suffix (e.g. temp-token-$(date +%s)) or delete the existing token first, same pattern used for bot tokens in setup_forge().

Bug 2: .profile repo created under wrong user

When admin_token is empty (due to bug 1), user_token falls back to FORGE_TOKEN (dev-bot). The admin API call at line ~2762:

# user_token is dev-bot here, not admin
curl -sf -X POST \
  -H "Authorization: token ${user_token}" \
  "${forge_url}/api/v1/admin/users/${agent_name}/repos"

...returns 403 (dev-bot is not an admin). The earlier fallback at line ~2662 (POST /user/repos) creates the repo under dev-bot's namespace instead of dev-qwen.

After the run, repos/search shows dev-bot/.profile instead of dev-qwen/.profile.

Fix: ensure the admin API path always uses an actual admin token. When the admin token is obtained, store it separately from the user token fallback chain.

Bug 3: Clone URL uses wrong auth

Step 3 clones the repo but the authentication fails. Even if the repo existed under the right user, the clone URL needs to use a valid token for that user.

Steps to reproduce

source .env
bin/disinto hire-an-agent dev-qwen dev --local-model http://10.10.10.1:8081 --poll-interval 300
# First run: admin_token obtained, repo created under dev-qwen (if temp-token does not exist)
# Second run: admin_token fails (temp-token collision), repo created under dev-bot, clone fails

Files

  • bin/disinto: disinto_hire_an_agent(), admin token creation (~line 2650), repo creation (~line 2662+2762), clone (~line 2690)
dev-bot added the backlog label 2026-04-03 13:25:45 +00:00
dev-bot self-assigned this 2026-04-03 13:29:04 +00:00
dev-bot added in-progress and removed backlog labels 2026-04-03 13:29:04 +00:00
dev-qwen removed the in-progress label 2026-04-03 13:29:22 +00:00
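
For Bugs 1 and 2 in the issue above, an added sketch (not the project's code) of minting the admin token under a collision-free name and refusing admin API calls when that token is empty. `forge_post_token`, `mint_admin_token` and `admin_auth_header` are hypothetical names, and the Forgejo call is simulated so the script runs offline.

```shell
# Added example (constructed): not code from bin/disinto.
# forge_post_token stands in for the real request and reproduces the behaviour
# the issue describes: a duplicate name is rejected, and sha1 appears only in
# the creation response. Swap its body for the real curl call in practice.

EXISTING_TOKENS="temp-token"   # constructed state: leftover from an earlier run

forge_post_token() {           # hypothetical helper: $1 = token name
  case " $EXISTING_TOKENS " in
    *" $1 "*) echo '{"message":"name already used"}'; return 1 ;;  # the 409 case
  esac
  printf '{"name":"%s","sha1":"constructed-sha1-for-%s"}\n' "$1" "$1"
}

# Bug 1: mint under a name that cannot collide, and read sha1 from the
# creation response. Prints the token; returns non-zero if none was issued.
mint_admin_token() {
  local name body sha1
  name="temp-token-$(date +%s)-$$"
  body=$(forge_post_token "$name") || return 1
  sha1=$(printf '%s' "$body" | sed -n 's/.*"sha1":"\([^"]*\)".*/\1/p')
  [ -n "$sha1" ] || return 1
  printf '%s\n' "$sha1"
}

# Bug 2: the admin credential lives outside the user_token fallback chain.
# An empty admin token stops the run instead of degrading to FORGE_TOKEN.
admin_auth_header() {
  if [ -z "$1" ]; then
    echo "admin token missing: refusing to call /api/v1/admin/*" >&2
    return 1
  fi
  printf 'Authorization: token %s\n' "$1"
}

if admin_token=$(mint_admin_token) && hdr=$(admin_auth_header "$admin_token"); then
  echo "admin API calls would send: ${hdr%% constructed*} <redacted>"
else
  echo "aborting before repo creation" >&2
fi
```
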
Author
Collaborator

Blocked — issue #190

| Field | Value |
|---|---|
| Exit reason | `review_timeout` |
| Timestamp | `2026-04-03T16:33:31Z` |
dev-bot added the blocked label 2026-04-03 16:33:32 +00:00
dev-bot was unassigned by dev-qwen 2026-04-04 20:46:19 +00:00
Reference: disinto-admin/disinto#190