From 38aa33defddf36263838fbba6df2a878d597cef0 Mon Sep 17 00:00:00 2001
From: hermes <hermes@noreply.143.198.27.163>
Date: Sat, 21 Mar 2026 21:51:48 -0400
Subject: [PATCH] =?UTF-8?q?fix:=20get=5Ftoken()=20priority=20order=20?=
 =?UTF-8?q?=E2=80=94=20config=20token=5Ffile=20before=20repo-root=20fallba?=
 =?UTF-8?q?ck?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The .timmy_gitea_token file in repo root was checked BEFORE config-provided
token_file, causing tests to leak real tokens and fail on any machine with
the file present.

Reorders priority: config[token] > config[token_file] > .timmy_gitea_token
Adds Path.exists monkeypatch in test_returns_none_when_no_token to isolate
from repo-root state.

Fixes 2 test failures on main.
---
 .../timmy_automations/test_health_snapshot.py | 11 ++++++++-
 .../daily_run/health_snapshot.py              | 23 +++++++++++--------
 2 files changed, 24 insertions(+), 10 deletions(-)

diff --git a/tests/timmy_automations/test_health_snapshot.py b/tests/timmy_automations/test_health_snapshot.py
index 2cc2cb1c..cc660014 100644
--- a/tests/timmy_automations/test_health_snapshot.py
+++ b/tests/timmy_automations/test_health_snapshot.py
@@ -60,8 +60,17 @@ class TestGetToken:
 
         assert token == "file-token-456"
 
-    def test_returns_none_when_no_token(self):
+    def test_returns_none_when_no_token(self, monkeypatch):
         """Return None when no token available."""
+        # Prevent repo-root .timmy_gitea_token fallback from leaking real token
+        _orig_exists = Path.exists
+
+        def _exists_no_timmy(self):
+            if self.name == ".timmy_gitea_token":
+                return False
+            return _orig_exists(self)
+
+        monkeypatch.setattr(Path, "exists", _exists_no_timmy)
         config = {"token_file": "/nonexistent/path"}
         token = hs.get_token(config)
 
diff --git a/timmy_automations/daily_run/health_snapshot.py b/timmy_automations/daily_run/health_snapshot.py
index dbcc44cb..216dcf74 100755
--- a/timmy_automations/daily_run/health_snapshot.py
+++ b/timmy_automations/daily_run/health_snapshot.py
@@ -53,21 +53,26 @@ def load_config() -> dict:
 
 
 def get_token(config: dict) -> str | None:
-    """Get Gitea token from environment or file."""
+    """Get Gitea token from environment or file.
+
+    Priority: config["token"] > config["token_file"] > .timmy_gitea_token
+    """
     if "token" in config:
         return config["token"]
-    
-    # Try timmy's token file
+
+    # Explicit token_file from config takes priority
+    token_file_str = config.get("token_file", "")
+    if token_file_str:
+        token_file = Path(token_file_str)
+        if token_file.exists():
+            return token_file.read_text().strip()
+
+    # Fallback: repo-root .timmy_gitea_token
     repo_root = Path(__file__).resolve().parent.parent.parent
     timmy_token_path = repo_root / ".timmy_gitea_token"
     if timmy_token_path.exists():
         return timmy_token_path.read_text().strip()
-    
-    # Fallback to legacy token file
-    token_file = Path(config["token_file"]).expanduser()
-    if token_file.exists():
-        return token_file.read_text().strip()
-    
+
     return None
 
 
-- 
2.43.0