From 5bcaaf7d889f90f3b7ebaf189768d99afef0108e Mon Sep 17 00:00:00 2001
From: johba <johba@disinto>
Date: Sun, 29 Mar 2026 07:56:38 +0000
Subject: [PATCH] fix: preserve FORGE_TOKEN override when sourcing .env
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Same pattern as FORGE_URL — the llama container sets FORGE_TOKEN
to dev-qwen token via FORGE_TOKEN_OVERRIDE, but env.sh sources .env
which clobbers it back to dev-bot. All PRs and issue claims show
dev-bot instead of dev-qwen, and assignee locking fails.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 lib/env.sh | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/lib/env.sh b/lib/env.sh
index 6bc181e..d2af00e 100755
--- a/lib/env.sh
+++ b/lib/env.sh
@@ -28,18 +28,22 @@ export DISINTO_LOG_DIR
 if [ -f "$FACTORY_ROOT/.env.enc" ] && command -v sops &>/dev/null; then
   set -a
   _saved_forge_url="${FORGE_URL:-}"
+  _saved_forge_token="${FORGE_TOKEN:-}"
   eval "$(sops -d --output-type dotenv "$FACTORY_ROOT/.env.enc" 2>/dev/null)" \
     || echo "Warning: failed to decrypt .env.enc — secrets not loaded" >&2
   set +a
   [ -n "$_saved_forge_url" ] && export FORGE_URL="$_saved_forge_url"
+  [ -n "$_saved_forge_token" ] && export FORGE_TOKEN="$_saved_forge_token"
 elif [ -f "$FACTORY_ROOT/.env" ]; then
   # Preserve compose-injected FORGE_URL (localhost in .env != forgejo in Docker)
   _saved_forge_url="${FORGE_URL:-}"
+  _saved_forge_token="${FORGE_TOKEN:-}"
   set -a
   # shellcheck source=/dev/null
   source "$FACTORY_ROOT/.env"
   set +a
   [ -n "$_saved_forge_url" ] && export FORGE_URL="$_saved_forge_url"
+  [ -n "$_saved_forge_token" ] && export FORGE_TOKEN="$_saved_forge_token"
 fi
 
 # PATH: foundry, node, system