hire-an-agent does not persist per-agent secrets to .env #847

Closed
opened 2026-04-16 10:03:53 +00:00 by dev-bot · 0 comments
Collaborator

Problem

disinto hire-an-agent <name> <role> creates a Forgejo user and API token successfully, but does not write the resulting credentials into /home/johba/disinto/.env. The compose service block is emitted referencing env vars like FORGE_TOKEN_DEV_QWEN, FORGE_PASS_DEV_QWEN, and ANTHROPIC_BASE_URL — none of which exist in .env. The container starts with empty credentials and either crash-loops or 401s against Forgejo silently.

Generalization: the bug applies to any secret an emitted service block references, regardless of backend. Local-model agents need FORGE_TOKEN_<USER> + FORGE_PASS_<USER> + ANTHROPIC_BASE_URL; Anthropic-backend agents need FORGE_TOKEN_<USER> + FORGE_PASS_<USER> + ANTHROPIC_API_KEY. Today neither set is persisted by hire-an-agent.

Repro

  1. Run disinto hire-an-agent dev-qwen dev --local-model http://10.10.10.1:8081 --model unsloth/Qwen3.5-35B-A3B on a fresh .env with no FORGE_TOKEN_DEV_QWEN.
  2. Confirm Forgejo user + token were created (visible in admin UI).
  3. grep DEV_QWEN /home/johba/disinto/.env → empty.
  4. disinto up → disinto-agents-llama starts with blank FORGE_TOKEN; git push and Forgejo API calls return 401.

Naming rule (so the fix matches reality)

Env-var keys are derived from forge_user: dashes → underscores, uppercased. So agent dev-qwen needs:

  • FORGE_TOKEN_DEV_QWEN
  • FORGE_PASS_DEV_QWEN
  • ANTHROPIC_BASE_URL (shared, when local model) OR ANTHROPIC_API_KEY (when Anthropic backend)

Fix

  • hire-an-agent writes/merges the required vars into .env after creating the Forgejo user.
  • disinto up validates that every emitted service block has its required env vars present, and fails loudly with the exact missing keys.

Do both: write on hire, validate on up.

Rotation

Define the rotation path explicitly:

  • Re-running disinto hire-an-agent <same-name> should rotate the API token + password idempotently and update .env in place, OR
  • Introduce disinto agent rotate <name> as a separate subcommand.

Either works; pick one and document it. Today there is no defined rotation story, which is how this whole class of bug started (secrets drifted out of .env, no one remembered how to regenerate them).

Acceptance

  • After hire-an-agent dev-qwen, .env contains the agent's token + password + backend URL/API key.
  • disinto up with a service referencing missing keys exits non-zero with a message listing the missing keys.
  • Rotation command/flow is documented in docs/agents-llama.md and discoverable from disinto --help.

Related: #845, #846.
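
A sketch of the "write on hire, validate on up" pair described above, as an added example that is not disinto's own code. The function names (`required_keys`, `merge_env`, `missing_keys`) are hypothetical, and a simple `KEY=value` `.env` format is assumed.

```python
import os
import re
import tempfile

KEY_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)=(.*)$")

def required_keys(forge_user, local_model):
    # Naming rule from the issue: dashes -> underscores, uppercased.
    suffix = forge_user.replace("-", "_").upper()
    backend = "ANTHROPIC_BASE_URL" if local_model else "ANTHROPIC_API_KEY"
    return [f"FORGE_TOKEN_{suffix}", f"FORGE_PASS_{suffix}", backend]

def read_lines(path):
    if not os.path.exists(path):
        return []
    with open(path, encoding="utf-8") as fh:
        return fh.read().splitlines()

def merge_env(path, updates):
    """Write on hire or rotate: replace keys in place, append new ones."""
    written, out = set(), []
    for line in read_lines(path):
        m = KEY_RE.match(line)
        if m and m.group(1) in updates:
            key = m.group(1)
            if key not in written:  # drop stale duplicates of a rotated key
                out.append(f"{key}={updates[key]}")
                written.add(key)
        else:
            out.append(line)  # comments and unrelated settings are kept
    out += [f"{k}={v}" for k, v in updates.items() if k not in written]
    # Temp file in the same directory, owner-only, then an atomic rename, so
    # a crash never leaves a half-written or world-readable secrets file.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write("\n".join(out) + "\n")
    os.chmod(tmp, 0o600)
    os.replace(tmp, path)

def missing_keys(path, forge_user, local_model):
    """Validate on up: required keys that are absent or blank in .env."""
    present = {}
    for line in read_lines(path):
        m = KEY_RE.match(line)
        if m:
            present[m.group(1)] = m.group(2).strip().strip("'\"")
    return [k for k in required_keys(forge_user, local_model)
            if not present.get(k)]
```

A caller on the `up` path would exit non-zero and print the list when `missing_keys` returns anything; a blank value counts as missing, which is the state that produced the silent 401s.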

dev-bot added the backlog label 2026-04-16 10:03:53 +00:00
dev-qwen2 self-assigned this 2026-04-16 11:10:55 +00:00
dev-qwen2 added in-progress and removed backlog labels 2026-04-16 11:10:55 +00:00
dev-qwen2 removed their assignment 2026-04-16 11:10:56 +00:00
dev-qwen2 added backlog and removed in-progress labels 2026-04-16 11:10:57 +00:00
dev-qwen2 self-assigned this 2026-04-16 11:12:02 +00:00
dev-qwen2 added in-progress and removed backlog labels 2026-04-16 11:12:02 +00:00
dev-qwen2 removed their assignment 2026-04-16 11:12:04 +00:00
dev-qwen2 added backlog and removed in-progress labels 2026-04-16 11:12:04 +00:00
dev-qwen2 self-assigned this 2026-04-16 11:13:07 +00:00
dev-qwen2 added in-progress and removed backlog labels 2026-04-16 11:13:07 +00:00
dev-qwen2 removed their assignment 2026-04-16 11:13:08 +00:00
dev-qwen2 added backlog and removed in-progress labels 2026-04-16 11:13:09 +00:00
dev-qwen2 self-assigned this 2026-04-16 11:14:13 +00:00
dev-qwen2 added in-progress and removed backlog labels 2026-04-16 11:14:13 +00:00
dev-qwen2 removed their assignment 2026-04-16 11:14:15 +00:00
dev-qwen2 added backlog and removed in-progress labels 2026-04-16 11:14:15 +00:00
dev-qwen2 self-assigned this 2026-04-16 11:18:33 +00:00
dev-qwen2 added in-progress and removed backlog labels 2026-04-16 11:18:33 +00:00
dev-qwen2 removed their assignment 2026-04-16 11:18:34 +00:00
dev-qwen2 added backlog and removed in-progress labels 2026-04-16 11:18:34 +00:00
dev-qwen2 self-assigned this 2026-04-16 11:19:38 +00:00
dev-qwen2 added in-progress and removed backlog labels 2026-04-16 11:19:38 +00:00
dev-qwen2 removed their assignment 2026-04-16 11:19:40 +00:00
dev-qwen2 added backlog and removed in-progress labels 2026-04-16 11:19:40 +00:00
dev-qwen2 self-assigned this 2026-04-16 11:20:44 +00:00
dev-qwen2 added in-progress and removed backlog labels 2026-04-16 11:20:45 +00:00
dev-qwen2 removed their assignment 2026-04-16 11:20:46 +00:00
dev-qwen2 added backlog and removed in-progress labels 2026-04-16 11:20:46 +00:00
dev-qwen2 self-assigned this 2026-04-16 11:21:50 +00:00
dev-qwen2 added in-progress and removed backlog labels 2026-04-16 11:21:50 +00:00
dev-qwen2 removed their assignment 2026-04-16 11:21:51 +00:00
dev-qwen2 added backlog and removed in-progress labels 2026-04-16 11:21:52 +00:00
dev-qwen self-assigned this 2026-04-16 11:55:21 +00:00
dev-qwen added in-progress and removed backlog labels 2026-04-16 11:55:21 +00:00
dev-qwen removed their assignment 2026-04-16 12:40:39 +00:00
dev-qwen removed the in-progress label 2026-04-16 12:40:40 +00:00
Reference: disinto-admin/disinto#847