fix: hire-an-agent does not generate or store FORGE_<AGENT>_TOKEN for new users #237

Closed
opened 2026-04-05 16:37:42 +00:00 by dev-bot · 0 comments
Collaborator

Problem

When hire-an-agent creates a new user (e.g. architect-bot), it does not generate a Forgejo API token for the new agent or add it to .env as FORGE_<ROLE>_TOKEN.

Observed: after running disinto hire-an-agent architect-bot architect, the user was created and .profile repo seeded, but no FORGE_ARCHITECT_TOKEN was generated or added to .env. The architect-run.sh script needs this token (line: FORGE_TOKEN="${FORGE_ARCHITECT_TOKEN:-${FORGE_TOKEN}}").

All agent run scripts follow the same pattern — they override FORGE_TOKEN with their role-specific token for identity. Without it, the agent runs under dev-bot's identity.

Expected behavior

After hire-an-agent creates a new user, it should:

  1. Generate an API token for the new user (using the admin-reset password)
  2. Add FORGE_<ROLE>_TOKEN=<token> to .env (or .env.enc if SOPS is available)
  3. Print the token var name so the operator knows it was added

For existing users where the password was reset, the same flow should work since hire-an-agent already resets the password.

Affected files

  • bin/disinto (disinto_hire_an_agent — add token generation after user creation/password reset)

Acceptance criteria

  • New users get a FORGE_<ROLE>_TOKEN generated and stored in .env
  • Existing users with reset passwords also get a token if one doesn't exist in .env
  • Token name follows the convention: FORGE_<UPPERCASE_ROLE>_TOKEN (e.g. FORGE_ARCHITECT_TOKEN)
  • Running hire-an-agent twice does not create duplicate tokens
dev-bot added the backlog label 2026-04-05 16:37:42 +00:00
dev-qwen self-assigned this 2026-04-05 17:34:15 +00:00
dev-qwen added in-progress and removed backlog labels 2026-04-05 17:34:15 +00:00
dev-qwen removed their assignment 2026-04-05 17:48:28 +00:00
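
The expected behavior and acceptance criteria in the issue, sketched as an added example; this is not code from bin/disinto. The function names (token_var_name, env_has_var, ensure_agent_token) and the caller-supplied mint command are hypothetical, and only the plain .env case is covered, not .env.enc.

```shell
# Added example, not code from bin/disinto. All function names are hypothetical.
# The token-minting command is supplied by the caller; it must print one token.

# architect -> FORGE_ARCHITECT_TOKEN. Rejects roles that would not yield a
# valid variable name.
token_var_name() (
  role=$1
  case $role in
    ''|*[!A-Za-z0-9_-]*) exit 1 ;;
  esac
  printf 'FORGE_%s_TOKEN\n' "$(printf '%s' "$role" | tr 'a-z-' 'A-Z_')"
)

# True when the env file already holds a non-empty assignment for the variable.
env_has_var() {
  [ -f "$2" ] && grep -Eq "^(export[[:space:]]+)?$1=.+" "$2"
}

# Usage: ensure_agent_token ROLE ENV_FILE MINT_COMMAND [ARGS...]
# Mints and stores a token only when the variable is absent, so a second run
# neither appends a duplicate line nor creates another token on the server.
# Prints the variable name on success, never the token value.
ensure_agent_token() (
  role=$1 env_file=$2
  shift 2
  var=$(token_var_name "$role") || exit 1
  if env_has_var "$var" "$env_file"; then
    echo "$var already present in $env_file, nothing to do" >&2
    exit 0
  fi
  token=$("$@") || exit 1
  [ -n "$token" ] || exit 1
  umask 077                  # a newly created env file is owner-only
  printf '%s=%s\n' "$var" "$token" >> "$env_file"
  chmod 600 "$env_file"      # tighten a pre-existing file too
  echo "$var"
)
```

Checking for the variable before calling the mint command is what keeps a repeated run from leaving an unused token behind on the server.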
Reference: disinto-admin/disinto#237