From 12f895a35781fa42a325c87164470daae7010d62 Mon Sep 17 00:00:00 2001 From: Agent Date: Sat, 28 Mar 2026 21:26:44 +0000 Subject: [PATCH 1/5] fix: secrets migrate-vault: missing post-encrypt verification step (#39) --- bin/disinto | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/bin/disinto b/bin/disinto index d6b8c6e..2abd2af 100755 --- a/bin/disinto +++ b/bin/disinto @@ -2150,6 +2150,12 @@ disinto_secrets() { fi _secrets_ensure_sops encrypt_env_file "$vault_env_file" "$vault_enc_file" + # Verify decryption works + if ! sops -d "$vault_enc_file" >/dev/null 2>&1; then + echo "Error: failed to verify .env.vault.enc decryption" >&2 + rm -f "$vault_enc_file" + exit 1 + fi rm -f "$vault_env_file" echo "Migrated: .env.vault -> .env.vault.enc (plaintext removed)" ;; From 76a4d42a4254be569eeaf3bb0d48b4d06b154057 Mon Sep 17 00:00:00 2001 From: Agent Date: Sat, 28 Mar 2026 21:44:11 +0000 Subject: [PATCH 2/5] fix: fix: DELETE /issues/{n}/labels/{id} uses label name instead of numeric ID (silent no-op) (#41) --- dev/dev-poll.sh | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/dev/dev-poll.sh b/dev/dev-poll.sh index 22ba929..53b5995 100755 --- a/dev/dev-poll.sh +++ b/dev/dev-poll.sh @@ -155,9 +155,10 @@ try_direct_merge() { if [ "$issue_num" -gt 0 ]; then issue_close "$issue_num" # Remove in-progress label (don't re-add backlog — issue is closed) + IP_ID=$(_ilc_in_progress_id) curl -sf -X DELETE \ -H "Authorization: token ${FORGE_TOKEN}" \ - "${API}/issues/${issue_num}/labels/in-progress" >/dev/null 2>&1 || true + "${API}/issues/${issue_num}/labels/${IP_ID}" >/dev/null 2>&1 || true rm -f "/tmp/dev-session-${PROJECT_NAME}-${issue_num}.sid" \ "/tmp/dev-impl-summary-${PROJECT_NAME}-${issue_num}.txt" fi 
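Review bot: The added check discards sops' stderr with `>/dev/null 2>&1`, so when verification fails the operator sees only the generic error and cannot tell a missing key from a corrupt file; `if ! sops -d "$vault_enc_file" >/dev/null; then` keeps the diagnostic while still hiding the decrypted secrets. The check also proves only that the file decrypts, not that it decrypts to the contents of `$vault_env_file`, and the plaintext is deleted right after. Comparing the decrypted output against the plaintext before the `rm -f` would close that gap, provided the dotenv round-trip is byte-stable, which cannot be confirmed from this hunk. encrypt_env_file is defined outside the hunk; if it passes explicit `--input-type`/`--output-type`, the verification needs the same flags, because sops otherwise picks the format from the `.enc` extension. The hunk in [PATCH 5/5] is identical and the same points apply there.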
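Review bot: `IP_ID=$(_ilc_in_progress_id)` is used unchecked, so if the helper fails or prints nothing the request goes to `.../labels/` with an empty ID, and `-sf … >/dev/null 2>&1 || true` hides the result — the same silent no-op this commit sets out to fix. Depending on how the forge routes that path it may address the issue's label collection rather than a single label, so an empty ID is worth rejecting outright: `if [ -n "$IP_ID" ]; then curl …; else log "in-progress label id not found"; fi`. Inside try_direct_merge, `IP_ID` is also assigned without `local` (assuming the script runs under a shell that supports it), so it leaks into the script's global scope. The two later hunks (at -325 and -400) repeat the pattern and need the same guard; the enclosing blocks start and end outside the hunks.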
@@ -325,8 +326,9 @@ if [ "$ORPHAN_COUNT" -gt 0 ]; then SKIP_LABEL=$(echo "$ORPHAN_LABELS" | grep -oE '^(formula|action|prediction/dismissed|prediction/unreviewed)$' | head -1) || true if [ -n "$SKIP_LABEL" ]; then log "issue #${ISSUE_NUM} has '${SKIP_LABEL}' label — removing in-progress, skipping" + IP_ID=$(_ilc_in_progress_id) curl -sf -X DELETE -H "Authorization: token ${FORGE_TOKEN}" \ - "${API}/issues/${ISSUE_NUM}/labels/in-progress" >/dev/null 2>&1 || true + "${API}/issues/${ISSUE_NUM}/labels/${IP_ID}" >/dev/null 2>&1 || true exit 0 fi @@ -400,8 +402,9 @@ if [ "$ORPHAN_COUNT" -gt 0 ]; then if [ -n "$ASSIGNEE" ] && [ "$ASSIGNEE" != "$BOT_USER" ]; then log "issue #${ISSUE_NUM} assigned to ${ASSIGNEE} — skipping (not orphaned)" # Remove in-progress label since this agent isn't working on it + IP_ID=$(_ilc_in_progress_id) curl -sf -X DELETE -H "Authorization: token ${FORGE_TOKEN}" \ - "${API}/issues/${ISSUE_NUM}/labels/in-progress" >/dev/null 2>&1 || true + "${API}/issues/${ISSUE_NUM}/labels/${IP_ID}" >/dev/null 2>&1 || true exit 0 fi From f3e37b171172decb3a072674235c386813cc4d29 Mon Sep 17 00:00:00 2001 From: johba Date: Sat, 28 Mar 2026 21:49:03 +0000 Subject: [PATCH 3/5] chore: permanently remove smoke-init.yml This keeps getting re-added by agents. It spins up a full Forgejo inside CI and never finishes within the timeout. Co-Authored-By: Claude Opus 4.6 (1M context) --- .woodpecker/smoke-init.yml | 43 -------------------------------------- 1 file changed, 43 deletions(-) delete mode 100644 .woodpecker/smoke-init.yml diff --git a/.woodpecker/smoke-init.yml b/.woodpecker/smoke-init.yml deleted file mode 100644 index ecb8105..0000000 --- a/.woodpecker/smoke-init.yml +++ /dev/null 
@@ -1,43 +0,0 @@ -# .woodpecker/smoke-init.yml — End-to-end smoke test for disinto init -# -# Uses the Forgejo image directly (not as a service) so we have CLI -# access to set up Forgejo and create the bootstrap admin user. -# Then runs disinto init --bare --yes against the local Forgejo instance. -# -# Forgejo refuses to run as root, so all forgejo commands use su-exec -# to run as the 'git' user (pre-created in the Forgejo Docker image). - -when: - - event: pull_request - path: - - "bin/disinto" - - "lib/load-project.sh" - - "tests/smoke-init.sh" - - ".woodpecker/smoke-init.yml" - - event: push - branch: main - path: - - "bin/disinto" - - "lib/load-project.sh" - - "tests/smoke-init.sh" - - ".woodpecker/smoke-init.yml" - -steps: - - name: smoke-init - image: codeberg.org/forgejo/forgejo:11.0 - environment: - SMOKE_FORGE_URL: http://localhost:3000 - commands: - # Install test dependencies (Alpine-based image) - - apk add --no-cache bash curl jq python3 git >/dev/null 2>&1 - # Set up Forgejo data directories and config (owned by git user) - - mkdir -p /data/gitea/conf /data/gitea/repositories /data/gitea/lfs /data/gitea/log /data/git/.ssh /data/ssh - - printf '[database]\nDB_TYPE = sqlite3\nPATH = /data/gitea/forgejo.db\n\n[server]\nHTTP_PORT = 3000\nROOT_URL = http://localhost:3000/\nLFS_START_SERVER = false\n\n[security]\nINSTALL_LOCK = true\n\n[service]\nDISABLE_REGISTRATION = true\n' > /data/gitea/conf/app.ini - - chown -R git:git /data - # Start Forgejo as git user in background and wait for API - - su-exec git forgejo web --config /data/gitea/conf/app.ini & - - for i in $(seq 1 30); do curl -sf http://localhost:3000/api/v1/version >/dev/null 2>&1 && break; sleep 1; done - # Create bootstrap admin user via CLI - - su-exec git forgejo admin user create --admin --username setup-admin --password "SetupPass-789xyz" --email "setup-admin@smoke.test" --must-change-password=false --config /data/gitea/conf/app.ini - # Run the smoke test (as root is fine — only forgejo 
binary needs git user) - - bash tests/smoke-init.sh From cb39cbcaced173c9dcdcec3942f8fd991d03dfb3 Mon Sep 17 00:00:00 2001 From: johba Date: Sat, 28 Mar 2026 21:49:30 +0000 Subject: [PATCH 4/5] chore: gitignore smoke-init.yml to prevent agents recreating it Co-Authored-By: Claude Opus 4.6 (1M context) --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index bcc5231..b828cf5 100644 --- a/.gitignore +++ b/.gitignore @@ -25,3 +25,4 @@ gardener/dust.jsonl # Individual encrypted secrets (managed by disinto secrets add) secrets/ +.woodpecker/smoke-init.yml From 6c996b4f6ad10c897b3b32470cecd26f11a040ba Mon Sep 17 00:00:00 2001 From: Agent Date: Sat, 28 Mar 2026 21:26:44 +0000 Subject: [PATCH 5/5] fix: secrets migrate-vault: missing post-encrypt verification step (#39) --- bin/disinto | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/bin/disinto b/bin/disinto index d6b8c6e..2abd2af 100755 --- a/bin/disinto +++ b/bin/disinto @@ -2150,6 +2150,12 @@ disinto_secrets() { fi _secrets_ensure_sops encrypt_env_file "$vault_env_file" "$vault_enc_file" + # Verify decryption works + if ! sops -d "$vault_enc_file" >/dev/null 2>&1; then + echo "Error: failed to verify .env.vault.enc decryption" >&2 + rm -f "$vault_enc_file" + exit 1 + fi rm -f "$vault_env_file" echo "Migrated: .env.vault -> .env.vault.enc (plaintext removed)" ;;
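Review bot: The new entry sits directly under the `# Individual encrypted secrets (managed by disinto secrets add)` comment with no comment of its own, so it reads as part of the secrets section. A line such as `# Removed CI pipeline — do not recreate (never finishes within the CI timeout)` above it would record why the path is ignored. An ignore rule only keeps untracked files out of `git status` and a plain `git add`; a forced add (`git add -f`) still commits the file, so this entry alone does not stop it from being reintroduced.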