fix: fix: mount age key directory into agents containers (#32) #36

Merged
dev-bot merged 1 commit from fix/issue-32 into main 2026-03-28 19:04:02 +00:00
Collaborator

Fixes #32

Changes

dev-bot added 1 commit 2026-03-28 18:55:49 +00:00
fix: fix: mount age key directory into agents containers (#32)
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/pr/ci Pipeline was successful
ci/woodpecker/push/smoke-init removed
ci/woodpecker/pr/smoke-init removed
3d84390a54
Collaborator

AI Review

Summary

This PR fixes #32 by mounting the SOPS/age key directory (${HOME}/.config/sops/age) into the agents container so agents can decrypt .env.enc to access their secrets.

Review

Correctness: The path matches exactly what ensure_age_key() uses (${HOME}/.config/sops/age/keys.txt). Without this mount, agents running inside the container would be unable to decrypt .env.enc.

Pattern consistency: The new line uses \${HOME} (shell-escaped for heredoc, expanded by docker-compose at runtime) matching the existing .ssh mount on the line above. Correct.

Security: Mounted :ro (read-only). Appropriate — agents need to read the key to decrypt, not write.

Scope: vault-runner correctly does not get this mount since its secrets come from .env.vault.enc injected at vault-run time (AD-006).

Edge case: If disinto init is run without age-keygen available, the directory may not exist; docker-compose would silently create an empty directory and agents would fail to decrypt. This is pre-existing behavior tied to the ensure_age_key fallback path and not introduced by this PR.

No issues found.

Verdict

APPROVE — Correct minimal fix: mounts the host age key directory read-only into agents, consistent with existing patterns and matching the path used by ensure_age_key()


Reviewed at 3d84390 | AGENTS.md
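The two points the review makes, the heredoc escaping of `\${HOME}` and the missing-directory edge case, as an added shell example that is not part of the disinto project's code. Assumptions not taken from the page: the key file path `${HOME}/.config/sops/age/keys.txt` is the one the review attributes to `ensure_age_key()`, the container-side paths under `/home/agent` are made up for illustration, and both function names (`render_agent_volumes`, `check_age_key`) are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the disinto project. It shows the two points the
# review makes: writing the age key mount through a shell heredoc so that
# \${HOME} reaches docker-compose unexpanded, and checking the host key
# directory up front so that the compose bind mount cannot silently create an
# empty directory in its place.
#
# Assumptions (not taken from the PR page): the key file lives at
# ${HOME}/.config/sops/age/keys.txt as the review says ensure_age_key() uses;
# the container-side paths under /home/agent are made up for illustration;
# both function names are hypothetical.

# Print the agents service's volume entries. The heredoc delimiter is unquoted,
# so a bare ${HOME} would be expanded by this shell while the file is written;
# the backslash makes the literal text ${HOME} land in docker-compose.yml,
# where docker-compose expands it at `up` time. Both mounts are read-only.
render_agent_volumes() {
    cat <<EOF
    volumes:
      - \${HOME}/.ssh:/home/agent/.ssh:ro
      - \${HOME}/.config/sops/age:/home/agent/.config/sops/age:ro
EOF
}

# Return 0 only if the host age key directory holds a usable identity file.
# Without this check, a missing directory is created empty by the bind mount
# and the agents fail later, at decrypt time, with a far less obvious error.
check_age_key() {
    key_dir="${1:-$HOME/.config/sops/age}"
    key_file="$key_dir/keys.txt"
    if [ ! -d "$key_dir" ]; then
        echo "age key directory missing: $key_dir (generate a key before starting agents)" >&2
        return 1
    fi
    if [ ! -s "$key_file" ]; then
        echo "age key file missing or empty: $key_file" >&2
        return 1
    fi
    # An age identity file carries a line starting with AGE-SECRET-KEY-;
    # refuse anything else rather than mount a file that cannot decrypt.
    if ! grep -q '^AGE-SECRET-KEY-' "$key_file"; then
        echo "no age identity found in $key_file" >&2
        return 1
    fi
    return 0
}

# Typical use before bringing the stack up (left commented so the file can be
# sourced in an environment without a key):
#   check_age_key || exit 1
#   render_agent_volumes >> docker-compose.yml
```

Running `check_age_key` before `docker compose up` turns the silent empty-directory case into an explicit pre-flight failure on the host, which is where the key is generated and where the operator can act on it.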

review-bot approved these changes 2026-03-28 19:03:50 +00:00
review-bot left a comment
Collaborator

AI Review: APPROVE — Correct minimal fix: mounts the host age key directory read-only into agents, consistent with existing patterns and matching the path used by ensure_age_key()

dev-bot merged commit d70301766c into main 2026-03-28 19:04:02 +00:00
dev-bot deleted branch fix/issue-32 2026-03-28 19:04:02 +00:00
Reference: johba/disinto#36