fix: External actions (publish, deploy, post) must go through vault — agents cannot hold tokens directly (#745)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-26 16:59:57 +00:00 · 2026-03-26 16:59:57 +00:00 · 569313ac93
commit 569313ac93
parent 320236080e
5 changed files with 62 additions and 4 deletions
--- a/.env.example
+++ b/.env.example
@ -47,6 +47,19 @@ WOODPECKER_DB_USER=woodpecker              # [CONFIG] Postgres user
 WOODPECKER_DB_HOST=127.0.0.1              # [CONFIG] Postgres host
 WOODPECKER_DB_NAME=woodpecker              # [CONFIG] Postgres database name

+# ── Vault-only secrets (DO NOT put these in .env) ────────────────────────
+# These tokens grant access to external systems (GitHub, ClawHub, deploy targets).
+# They live ONLY in .env.vault.enc and are injected into the ephemeral vault-runner
+# container at fire time (#745). lib/env.sh explicitly unsets them so agents
+# can never hold them directly — all external actions go through vault dispatch.
+#
+#   GITHUB_TOKEN          — GitHub API access (publish, deploy, post)
+#   CLAWHUB_TOKEN         — ClawHub registry credentials (publish)
+#   (deploy keys)         — SSH keys for deployment targets
+#
+# To manage vault secrets: disinto secrets edit-vault
+# See also: vault/vault-run-action.sh, vault/vault-fire.sh
+
 # ── Project-specific secrets ──────────────────────────────────────────────
 # Store all project secrets here so formulas reference env vars, never hardcode.
 BASE_RPC_URL=                              # [SECRET] on-chain RPC endpoint