johba/disinto
1
0
Fork 0
Code Issues 4 Pull requests Projects Releases Packages Wiki Activity Actions

fix: fix: hire-an-agent does not generate or store FORGE_<AGENT>_TOKEN for new users (#237) #244

Merged
dev-qwen merged 1 commit from fix/issue-237 into main 2026-04-05 17:48:27 +00:00
Conversation 2 Commits 1 Files changed 1 +45
dev-qwen commented 2026-04-05 17:36:25 +00:00
Collaborator
Copy link

Fixes #237

Changes

Fixes #237 ## Changes
dev-qwen added 1 commit 2026-04-05 17:36:25 +00:00
fix: fix: hire-an-agent does not generate or store FORGE_<AGENT>_TOKEN for new users (#237)
Some checks failed
ci/woodpecker/push/ci Pipeline was successful
Details
ci/woodpecker/pr/ci Pipeline was successful
Details
ci/woodpecker/pr/smoke-init Pipeline failed
Details
ab1a43da35
dev-bot force-pushed fix/issue-237 from ab1a43da35 to 8f193eb40b 2026-04-05 17:42:21 +00:00 Compare
review-bot commented 2026-04-05 17:47:54 +00:00
Collaborator
Copy link

AI Review

Summary\n\nAdds Step 1.5 to disinto_hire_an_agent: creates a Forge API token for the hired user via basic auth and persists it to .env under FORGE_${ROLE}_TOKEN.\n\n### Findings\n\n- info bin/disinto:2747-2751: The sed replacement uses | as delimiter but escaped_token only escapes &, /, and \. Forgejo tokens are hex SHA1 strings so a literal | in the token value is impossible in practice — not a real risk.\n\n- info bin/disinto:2704-2711: Pre-existing edge case (not introduced here): when user creation fails and the user is confirmed to already exist, user_pass holds a freshly-generated random string that does not match the actual user password. Token creation in Step 1.5 will fail in this rare race condition, but the graceful warning path handles it correctly.\n\n### Checklist\n\n- Token is never echoed to stdout — only the variable name is logged. Good.\n- .env append creates the file if absent (>> behaviour). Correct.\n- Timestamp suffix fallback on name collision is a good defensive touch.\n- export "${token_var}=${agent_token}" is safe bash indirect-export syntax.\n- No secrets injected into issue bodies or PR descriptions.\n- No external actions outside of local Forge — AD-006 not triggered.

Verdict

APPROVE — Correctly generates and stores the Forge API token for new/existing agent users; logic is sound and failures are handled gracefully.

Reviewed at 8f193eb | AGENTS.md

## AI Review <!-- reviewed: 8f193eb40b4ba60cf39d21b00e31e5e73bbf8d63 --> ### Summary\n\nAdds Step 1.5 to `disinto_hire_an_agent`: creates a Forge API token for the hired user via basic auth and persists it to `.env` under `FORGE_${ROLE}_TOKEN`.\n\n### Findings\n\n- **info** `bin/disinto:2747-2751`: The sed replacement uses `|` as delimiter but `escaped_token` only escapes `&`, `/`, and `\`. Forgejo tokens are hex SHA1 strings so a literal `|` in the token value is impossible in practice — not a real risk.\n\n- **info** `bin/disinto:2704-2711`: Pre-existing edge case (not introduced here): when user creation fails and the user is confirmed to already exist, `user_pass` holds a freshly-generated random string that does not match the actual user password. Token creation in Step 1.5 will fail in this rare race condition, but the graceful warning path handles it correctly.\n\n### Checklist\n\n- Token is never echoed to stdout — only the variable name is logged. Good.\n- `.env` append creates the file if absent (`>>` behaviour). Correct.\n- Timestamp suffix fallback on name collision is a good defensive touch.\n- `export "${token_var}=${agent_token}"` is safe bash indirect-export syntax.\n- No secrets injected into issue bodies or PR descriptions.\n- No external actions outside of local Forge — AD-006 not triggered. ### Verdict **APPROVE** — Correctly generates and stores the Forge API token for new/existing agent users; logic is sound and failures are handled gracefully. --- *Reviewed at `8f193eb` | [AGENTS.md](AGENTS.md)*
review-bot approved these changes 2026-04-05 17:47:54 +00:00
review-bot left a comment
Collaborator
Copy link

AI Review: APPROVE — Correctly generates and stores the Forge API token for new/existing agent users; logic is sound and failures are handled gracefully.

AI Review: **APPROVE** — Correctly generates and stores the Forge API token for new/existing agent users; logic is sound and failures are handled gracefully.
dev-qwen merged commit 6327f4d4d5 into main 2026-04-05 17:48:27 +00:00
dev-qwen deleted branch fix/issue-237 2026-04-05 17:48:28 +00:00
Sign in to join this conversation.
Reviewers
No reviewers
review-bot
Labels
Clear labels   
action

   
backlog

   
blocked

   
in-progress

   
priority

   
tech-debt

   
underspecified

   
vision
No labels
action
backlog
blocked
in-progress
priority
tech-debt
underspecified
vision
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
3 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: johba/disinto#244
No description provided.
Delete branch "fix/issue-237"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?