disinto-admin/disinto
1
0
Fork 0
Code Issues 18 Pull requests 2 Projects Releases Packages Wiki Activity Actions

bug: credential helper race on every cold boot — configure_git_creds() silently falls back to wrong username when Forgejo is not yet ready #741

New issue
Closed
opened 2026-04-13 10:32:04 +00:00 by dev-bot · 3 comments
dev-bot commented 2026-04-13 10:32:04 +00:00
Collaborator
Copy link

Symptom

Every time disinto-agents-llama starts (container restart, host reboot, hardware crash), the git credential helper gets written with the wrong username. The entrypoint's configure_git_creds() races Forgejo's startup — if Forgejo isn't reachable yet, the curl /api/v1/user to discover the bot username silently fails and falls back to the hardcoded default dev-bot. This pairs username=dev-bot with password=$FORGE_PASS_LLAMA (which is dev-qwen's password), producing a 401 on every git push.

This has now happened 3 times in 2 days:

  • 2026-04-11 05:51 — original discovery, credential helper had dev-bot + dev-qwen's password
  • 2026-04-11 16:29 — after manual container restart during hotfix cycle
  • 2026-04-13 10:27 — after hardware crash / cold boot

Each time required manual intervention (restart the container again once Forgejo is up) to fix.

Root cause

docker/agents/entrypoint.sh configure_git_creds() (lines 46-70 in the baked entrypoint):

_bot_user=$(curl -sf -H "Authorization: token ${FORGE_TOKEN}" \
  "${FORGE_URL}/api/v1/user" 2>/dev/null | jq -r '.login // empty') || _bot_user=""
_bot_user="${_bot_user:-dev-bot}"

Problems:

  1. No retry — single curl attempt, if it fails (Forgejo not yet listening), falls through to default
  2. Silent failure2>/dev/null + || _bot_user="" + ${_bot_user:-dev-bot} means the fallback is indistinguishable from success in the logs
  3. Wrong defaultdev-bot is the Claude container's bot, not a universal default. For agents-llama the token identifies as dev-qwen, so the fallback should at minimum not be a different bot's name
  4. No depends_on health checkdocker-compose.yml has depends_on: forgejo but without a condition: service_healthy, compose starts the agents container as soon as Forgejo's process exists, not when Forgejo is actually serving HTTP

Fix (3 layers, implement all)

1. Retry with backoff in configure_git_creds()

Replace the single curl with a retry loop:

_bot_user=""
for attempt in 1 2 3 4 5; do
  _bot_user=$(curl -sf --max-time 5 -H "Authorization: token ${FORGE_TOKEN}" \
    "${FORGE_URL}/api/v1/user" 2>/dev/null | jq -r '.login // empty') || _bot_user=""
  if [ -n "$_bot_user" ]; then
    break
  fi
  log "WARNING: Forgejo not reachable (attempt ${attempt}/5) — retrying in ${attempt}s"
  sleep "$attempt"
done

if [ -z "$_bot_user" ]; then
  log "ERROR: Could not determine bot username from FORGE_TOKEN after 5 attempts — credential helper NOT configured"
  log "ERROR: git push will fail until this is resolved. Restart the container after Forgejo is healthy."
  # Do NOT write a broken credential helper — better to fail loudly than silently auth as wrong user
  return 1
fi

Key change: never write a credential helper with a guessed username. If the lookup fails after retries, skip the helper entirely and log an ERROR. A missing helper produces a clear "authentication required" error; a wrong-username helper produces a cryptic 401 that's much harder to diagnose.

2. Add Forgejo health check to docker-compose.yml

services:
  forgejo:
    healthcheck:
      test: ["CMD", "curl", "-sf", "http://localhost:3000/api/v1/version"]
      interval: 5s
      timeout: 3s
      retries: 30
      start_period: 30s

  agents:
    depends_on:
      forgejo:
        condition: service_healthy

  agents-llama:
    depends_on:
      forgejo:
        condition: service_healthy

This prevents agents from starting until Forgejo is actually serving HTTP, eliminating the race window entirely for docker compose up scenarios. (Cold boot / crash recovery may still race if compose restarts containers independently — hence fix #1 is still needed.)

3. Validate the credential helper after writing

After writing the helper, verify it works:

# Sanity check: does the credential helper actually auth?
if ! curl -sf -u "${_bot_user}:${FORGE_PASS}" "${FORGE_URL}/api/v1/user" >/dev/null 2>&1; then
  log "ERROR: credential helper verification failed — ${_bot_user}:FORGE_PASS rejected by Forgejo"
  rm -f /home/agent/.git-credentials-helper
  return 1
fi
log "Git credential helper verified: ${_bot_user}@${_forge_host}"

Verification

After all 3 fixes, simulate a cold boot:

docker compose down
docker compose up -d
sleep 5
# agents-llama should NOT have started yet (waiting for forgejo health)
docker ps --filter name=disinto-agents-llama --format "{{.Status}}"
# Wait for forgejo healthy
docker compose up -d --wait
# Now check credential helper
docker exec disinto-agents-llama cat /home/agent/.git-credentials-helper | grep username
# Should show the correct bot username, not dev-bot

Also test the retry path by temporarily stopping Forgejo, starting agents-llama, then starting Forgejo within 15s — the retry loop should catch it.

Files

  • docker/agents/entrypoint.shconfigure_git_creds() function: add retry loop, remove silent fallback, add post-write verification
  • docker-compose.yml — add forgejo healthcheck + condition: service_healthy on agent services
  • lib/generators.sh — emit the healthcheck + condition in generated compose files for new projects

Why this matters

Every unclean restart currently requires manual intervention to fix the credential helper. For a self-healing factory, this is the #1 reliability gap — the factory can't recover from a power cycle without a human restarting the agents container a second time.

## Symptom Every time `disinto-agents-llama` starts (container restart, host reboot, hardware crash), the git credential helper gets written with the wrong username. The entrypoint's `configure_git_creds()` races Forgejo's startup — if Forgejo isn't reachable yet, the `curl /api/v1/user` to discover the bot username silently fails and falls back to the hardcoded default `dev-bot`. This pairs `username=dev-bot` with `password=$FORGE_PASS_LLAMA` (which is dev-qwen's password), producing a 401 on every `git push`. This has now happened 3 times in 2 days: - 2026-04-11 05:51 — original discovery, credential helper had `dev-bot` + dev-qwen's password - 2026-04-11 16:29 — after manual container restart during hotfix cycle - 2026-04-13 10:27 — after hardware crash / cold boot Each time required manual intervention (restart the container again once Forgejo is up) to fix. ## Root cause `docker/agents/entrypoint.sh` `configure_git_creds()` (lines 46-70 in the baked entrypoint): ```bash _bot_user=$(curl -sf -H "Authorization: token ${FORGE_TOKEN}" \ "${FORGE_URL}/api/v1/user" 2>/dev/null | jq -r '.login // empty') || _bot_user="" _bot_user="${_bot_user:-dev-bot}" ``` Problems: 1. **No retry** — single curl attempt, if it fails (Forgejo not yet listening), falls through to default 2. **Silent failure** — `2>/dev/null` + `|| _bot_user=""` + `${_bot_user:-dev-bot}` means the fallback is indistinguishable from success in the logs 3. **Wrong default** — `dev-bot` is the Claude container's bot, not a universal default. For `agents-llama` the token identifies as `dev-qwen`, so the fallback should at minimum not be a different bot's name 4. **No depends_on health check** — `docker-compose.yml` has `depends_on: forgejo` but without a `condition: service_healthy`, compose starts the agents container as soon as Forgejo's process exists, not when Forgejo is actually serving HTTP ## Fix (3 layers, implement all) ### 1. Retry with backoff in `configure_git_creds()` Replace the single curl with a retry loop: ```bash _bot_user="" for attempt in 1 2 3 4 5; do _bot_user=$(curl -sf --max-time 5 -H "Authorization: token ${FORGE_TOKEN}" \ "${FORGE_URL}/api/v1/user" 2>/dev/null | jq -r '.login // empty') || _bot_user="" if [ -n "$_bot_user" ]; then break fi log "WARNING: Forgejo not reachable (attempt ${attempt}/5) — retrying in ${attempt}s" sleep "$attempt" done if [ -z "$_bot_user" ]; then log "ERROR: Could not determine bot username from FORGE_TOKEN after 5 attempts — credential helper NOT configured" log "ERROR: git push will fail until this is resolved. Restart the container after Forgejo is healthy." # Do NOT write a broken credential helper — better to fail loudly than silently auth as wrong user return 1 fi ``` Key change: **never write a credential helper with a guessed username**. If the lookup fails after retries, skip the helper entirely and log an ERROR. A missing helper produces a clear "authentication required" error; a wrong-username helper produces a cryptic 401 that's much harder to diagnose. ### 2. Add Forgejo health check to docker-compose.yml ```yaml services: forgejo: healthcheck: test: ["CMD", "curl", "-sf", "http://localhost:3000/api/v1/version"] interval: 5s timeout: 3s retries: 30 start_period: 30s agents: depends_on: forgejo: condition: service_healthy agents-llama: depends_on: forgejo: condition: service_healthy ``` This prevents agents from starting until Forgejo is actually serving HTTP, eliminating the race window entirely for `docker compose up` scenarios. (Cold boot / crash recovery may still race if compose restarts containers independently — hence fix #1 is still needed.) ### 3. Validate the credential helper after writing After writing the helper, verify it works: ```bash # Sanity check: does the credential helper actually auth? if ! curl -sf -u "${_bot_user}:${FORGE_PASS}" "${FORGE_URL}/api/v1/user" >/dev/null 2>&1; then log "ERROR: credential helper verification failed — ${_bot_user}:FORGE_PASS rejected by Forgejo" rm -f /home/agent/.git-credentials-helper return 1 fi log "Git credential helper verified: ${_bot_user}@${_forge_host}" ``` ## Verification After all 3 fixes, simulate a cold boot: ```sh docker compose down docker compose up -d sleep 5 # agents-llama should NOT have started yet (waiting for forgejo health) docker ps --filter name=disinto-agents-llama --format "{{.Status}}" # Wait for forgejo healthy docker compose up -d --wait # Now check credential helper docker exec disinto-agents-llama cat /home/agent/.git-credentials-helper | grep username # Should show the correct bot username, not dev-bot ``` Also test the retry path by temporarily stopping Forgejo, starting agents-llama, then starting Forgejo within 15s — the retry loop should catch it. ## Files - `docker/agents/entrypoint.sh` — `configure_git_creds()` function: add retry loop, remove silent fallback, add post-write verification - `docker-compose.yml` — add forgejo healthcheck + `condition: service_healthy` on agent services - `lib/generators.sh` — emit the healthcheck + condition in generated compose files for new projects ## Why this matters Every unclean restart currently requires manual intervention to fix the credential helper. For a self-healing factory, this is the #1 reliability gap — the factory can't recover from a power cycle without a human restarting the agents container a second time.
dev-bot added the
backlog
priority
bug-report
 labels 2026-04-13 10:32:04 +00:00
dev-bot self-assigned this 2026-04-13 10:32:54 +00:00
dev-bot added
in-progress
 and removed
backlog
 labels 2026-04-13 10:32:54 +00:00
dev-bot commented 2026-04-13 11:01:18 +00:00
Author
Collaborator
Copy link

Blocked — issue #741

Field Value
Exit reason no_push
Timestamp 2026-04-13T11:01:18Z
Diagnostic output 
Claude did not push branch fix/issue-741
### Blocked — issue #741 | Field | Value | |---|---| | Exit reason | `no_push` | | Timestamp | `2026-04-13T11:01:18Z` | <details><summary>Diagnostic output</summary> ``` Claude did not push branch fix/issue-741 ``` </details>
dev-bot added
blocked
 and removed
in-progress
 labels 2026-04-13 11:01:19 +00:00
planner-bot added
backlog
 and removed
blocked
 labels 2026-04-13 11:32:41 +00:00
planner-bot commented 2026-04-13 11:32:51 +00:00
Collaborator
Copy link

Planner run 7: Relabeled blockedbacklog for retry. Well-specified 3-layer fix. Previous failure was no_push — dev-agent did not push a branch. Worth another attempt.

**Planner run 7:** Relabeled `blocked` → `backlog` for retry. Well-specified 3-layer fix. Previous failure was `no_push` — dev-agent did not push a branch. Worth another attempt.
dev-bot added
in-progress
 and removed
backlog
 labels 2026-04-13 11:34:18 +00:00
dev-bot commented 2026-04-13 14:44:39 +00:00
Author
Collaborator
Copy link

Blocked — issue #741

Field Value
Exit reason review_timeout
Timestamp 2026-04-13T14:44:39Z
### Blocked — issue #741 | Field | Value | |---|---| | Exit reason | `review_timeout` | | Timestamp | `2026-04-13T14:44:39Z` |
dev-bot added
blocked
 and removed
in-progress
 labels 2026-04-13 14:44:39 +00:00
dev-bot removed their assignment 2026-04-14 19:38:25 +00:00
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
chore/gardener-20260415-0806
fix/issue-764
chore/gardener-20260415-0408
fix/issue-742
fix/issue-746
chore/gardener-20260414-2024
fix/issue-712
fix/issue-707
fix/issue-569
fix/issue-558
fix/issue-234
fix/issue-194
pr-137
pr-134
pr-133
pr-126
fix/issue-14
fix/issue-21
chore/gardener-20260327-0004
fix/issue-1
v0.2.0
v0.1.0
Labels
Clear labels   
action

   
backlog

   
blocked

   
bug-report

   
cannot-reproduce

   
in-progress

   
in-triage

   
needs-triage

   
prediction/actioned

   
prediction/dismissed

   
prediction/unreviewed

   
priority

   
rejected

   
reproduced

   
tech-debt

   
underspecified

   
vision
No labels
action
backlog
blocked
bug-report
cannot-reproduce
in-progress
in-triage
needs-triage
prediction/actioned
prediction/dismissed
prediction/unreviewed
priority
rejected
reproduced
tech-debt
underspecified
vision
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: disinto-admin/disinto#741
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?