fix: escape dollar signs in docker-compose override to prevent secret exposure (#182)

2026-04-03 08:27:52 +00:00 · 2026-04-03 08:27:52 +00:00 · ca73bc24c6
commit ca73bc24c6
parent 99adbc9fb5
1 changed files with 9 additions and 10 deletions
--- a/bin/disinto
+++ b/bin/disinto
@ -2896,18 +2896,17 @@ EOF
      echo "  Model endpoint is reachable"
    fi

-    # Generate service name from agent name (lowercase, replace - with -)
+    # Generate service name from agent name (lowercase)
    local service_name="agents-${agent_name}"
    service_name=$(echo "$service_name" | tr '[:upper:]' '[:lower:]')

    # Set default poll interval
    local interval="${poll_interval:-300}"

-    # Generate token for the agent (use same token as FORGE_TOKEN for simplicity)
-    local agent_token="${FORGE_TOKEN}"
-
    # Generate the override compose file
-    cat > "$override_file" <<OVERRIDEOF
+    # Note: $${VAR} syntax is used so docker-compose interpolates at runtime,
+    # not at generation time (AD-005: secrets via env var indirection)
+    cat > "$override_file" <<'OVERRIDEOF'
 # docker-compose.override.yml — auto-generated by disinto hire-an-agent
 # Local model agent configuration for ${agent_name}

@ -2921,11 +2920,11 @@ services:
    volumes:
      - agent-data-llama:/home/agent/data
      - project-repos-llama:/home/agent/repos
-      - ${HOME}/.claude:/home/agent/.claude
-      - ${HOME}/.claude.json:/home/agent/.claude.json:ro
+      - $${HOME}/.claude:/home/agent/.claude
+      - $${HOME}/.claude.json:/home/agent/.claude.json:ro
      - CLAUDE_BIN_PLACEHOLDER:/usr/local/bin/claude:ro
-      - ${HOME}/.ssh:/home/agent/.ssh:ro
-      - ${HOME}/.config/sops/age:/home/agent/.config/sops/age:ro
+      - $${HOME}/.ssh:/home/agent/.ssh:ro
+      - $${HOME}/.config/sops/age:/home/agent/.config/sops/age:ro
    environment:
      FORGE_URL: http://forgejo:3000
      WOODPECKER_SERVER: http://woodpecker:8000
@ -2934,7 +2933,7 @@ services:
      WOODPECKER_DATA_DIR: /woodpecker-data
      ANTHROPIC_BASE_URL: ${local_model}
      ANTHROPIC_API_KEY: sk-no-key-required
-      FORGE_TOKEN_OVERRIDE: ${agent_token}
+      FORGE_TOKEN_OVERRIDE: $${FORGE_TOKEN}
      CLAUDE_CONFIG_DIR: /home/agent/.claude
      POLL_INTERVAL: ${interval}
    env_file: