From cdbe668b0d362a62d04df4dd2428397f10334b63 Mon Sep 17 00:00:00 2001
From: openhands
Date: Fri, 13 Mar 2026 09:33:38 +0000
Subject: [PATCH] security: gardener uses codeberg_api helper, never exposes tokens

Prompt now references codeberg_api function instead of raw curl+token. Explicit instruction to never echo/log credentials.
---
 .gitignore | 1 +
 gardener/gardener-poll.sh | 12 +++++++-----
 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/.gitignore b/.gitignore
index 16f2721..aca022b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -9,3 +9,4 @@ state.json
 # OS
 .DS_Store
+gardener.log
diff --git a/gardener/gardener-poll.sh b/gardener/gardener-poll.sh
index 53b2e2f..1a8f188 100755
--- a/gardener/gardener-poll.sh
+++ b/gardener/gardener-poll.sh
@@ -153,12 +153,14 @@ $ISSUE_SUMMARY
 $(echo -e "$PROBLEMS")
 ## Tools available
-- Codeberg API via curl (token in CODEBERG_TOKEN env var)
+- Codeberg API via \`codeberg_api\` shell function (auth handled automatically)
 - Base URL: https://codeberg.org/api/v1/repos/johba/harb
-- Relabel issues: \`curl -X PUT .../issues/{number}/labels -d '{"labels":[652336]}'\` (652336=backlog, 1219499=tech-debt)
-- Add comments: \`curl -X POST .../issues/{number}/comments -d '{"body":"..."}'\`
-- Close issues: \`curl -X PATCH .../issues/{number} -d '{"state":"closed"}'\`
-- Edit issue body: \`curl -X PATCH .../issues/{number} -d '{"body":"..."}'\`
+- Codeberg API helper: use the shell function \`codeberg_api METHOD PATH [DATA]\` (auth is handled automatically, NEVER include tokens in commands)
+- Relabel: \`codeberg_api PUT "/issues/{number}/labels" '{"labels":[652336]}'\` (652336=backlog, 1219499=tech-debt)
+- Comment: \`codeberg_api POST "/issues/{number}/comments" '{"body":"..."}'\`
+- Close: \`codeberg_api PATCH "/issues/{number}" '{"state":"closed"}'\`
+- Edit body: \`codeberg_api PATCH "/issues/{number}" '{"body":"..."}'\`
+- NEVER echo, log, or include API tokens, secrets, or credentials in any output
 - You're running in the harb repo root. Read these before making decisions:
 - docs/PRODUCT-TRUTH.md — what the protocol is, key mechanics
 - docs/ARCHITECTURE.md — file structure, packages, how things connect
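Review bot: The new rule `- NEVER echo, log, or include API tokens, secrets, or credentials in any output` is a prompt-level instruction rather than a control: if `CODEBERG_TOKEN` is still exported into the shell the agent runs its commands in (the `codeberg_api` definition is outside this hunk, so I cannot tell), any command the agent runs can still read it, and the `gardener.log` ignore entry added in the same commit suggests agent output is written to disk where a leaked value would persist. Consider having `codeberg_api` obtain the token from a variable or file that is not exported to the agent's command environment, and redacting known secret values in whatever writes `gardener.log`, so the prompt wording is defence in depth rather than the only barrier. Separately, the first and the second added bullets both introduce the helper and both say auth is automatic; merging them into one line, `- Codeberg API: use the shell function \`codeberg_api METHOD PATH [DATA]\` (auth handled automatically; never put tokens in commands)`, keeps the tool list terse. The heredoc this text lives in starts and ends outside the hunk.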