fix: Per-agent Forgejo accounts — identity and permissions via authorship (#747)

Each agent now gets its own Forgejo account (dev-bot, review-bot,
planner-bot, gardener-bot, vault-bot, supervisor-bot, predictor-bot,
action-bot) with a dedicated API token. This enables:

- Audit trail: every forge action attributable to a specific agent
- Permission boundaries: agents act under their own identity
- Vault authorization model: vault-bot comments = proof of approval

Changes:
- bin/disinto: setup_forge() creates all 8 bot accounts during init,
  stores per-agent tokens (FORGE_*_TOKEN) in .env, adds all bots as
  repo collaborators
- lib/env.sh: exports per-agent token vars with fallback to FORGE_TOKEN
  for backwards compat; sets FORGE_BOT_USERNAMES default to all 8 bots
- Agent scripts: each agent overrides FORGE_TOKEN with its per-agent
  token after sourcing env.sh (gardener, planner, supervisor, predictor,
  vault, action)
- .env.example: documents all per-agent token fields

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
openhands 2026-03-26 16:16:13 +00:00
parent 9e9a209000
commit 89628e50e2
13 changed files with 74 additions and 40 deletions


@ -17,14 +17,23 @@
FORGE_URL=http://localhost:3000 # [CONFIG] local Forgejo instance
# ── Auth tokens ───────────────────────────────────────────────────────────
FORGE_TOKEN= # [SECRET] dev-bot API token
# Each agent has its own Forgejo account and API token (#747).
# Per-agent tokens fall back to FORGE_TOKEN if not set.
FORGE_TOKEN= # [SECRET] dev-bot API token (default for all agents)
FORGE_REVIEW_TOKEN= # [SECRET] review-bot API token
FORGE_BOT_USERNAMES= # [CONFIG] comma-separated bot usernames
FORGE_PLANNER_TOKEN= # [SECRET] planner-bot API token
FORGE_GARDENER_TOKEN= # [SECRET] gardener-bot API token
FORGE_VAULT_TOKEN= # [SECRET] vault-bot API token
FORGE_SUPERVISOR_TOKEN= # [SECRET] supervisor-bot API token
FORGE_PREDICTOR_TOKEN= # [SECRET] predictor-bot API token
FORGE_ACTION_TOKEN= # [SECRET] action-bot API token
FORGE_BOT_USERNAMES=dev-bot,review-bot,planner-bot,gardener-bot,vault-bot,supervisor-bot,predictor-bot,action-bot
# ── Backwards compatibility ───────────────────────────────────────────────
# If CODEBERG_TOKEN is set but FORGE_TOKEN is not, env.sh falls back to
# CODEBERG_TOKEN automatically (same for REVIEW_BOT_TOKEN, CODEBERG_REPO,
# CODEBERG_BOT_USERNAMES). No action needed for existing deployments.
# Per-agent tokens default to FORGE_TOKEN when unset (single-token setups).
# ── Woodpecker CI ─────────────────────────────────────────────────────────
WOODPECKER_TOKEN= # [SECRET] Woodpecker API token
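Review bot: the fallback documented by `# Per-agent tokens fall back to FORGE_TOKEN if not set.` and `FORGE_TOKEN= # [SECRET] dev-bot API token (default for all agents)` silently undoes the identity model this commit introduces: any agent whose FORGE_*_TOKEN is left empty acts as dev-bot, so the audit trail attributes its actions to the wrong account and the "vault-bot comments = proof of approval" check can no longer tell a genuine vault-bot approval from a misconfigured agent running under the shared token. Suggest stating that consequence next to the fallback comment (e.g. `# NOTE: with only FORGE_TOKEN set, every agent is attributed to dev-bot and vault-bot approvals are not distinguishable`), and having the vault agent refuse to start, or at least log loudly, when FORGE_VAULT_TOKEN is unset rather than inheriting FORGE_TOKEN, since that one token is the basis of the authorization model.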