Harden dispatch credential handling

2026-04-04 18:25:02 -04:00
parent 7f097f2ef7
commit 9943d3c6d8
1 changed files with 47 additions and 11 deletions
--- a/bin/agent-dispatch.sh
+++ b/bin/agent-dispatch.sh
@@ -16,7 +16,31 @@ REPO="${3:?Usage: agent-dispatch.sh <agent> <issue_num> <owner/repo>}"

 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 LANES_FILE="${SCRIPT_DIR%/bin}/playbooks/agent-lanes.json"
-GITEA_URL="${GITEA_URL:-http://143.198.27.163:3000}"
+
+resolve_gitea_url() {
+  if [ -n "${GITEA_URL:-}" ]; then
+    printf '%s\n' "${GITEA_URL%/}"
+    return 0
+  fi
+  if [ -f "$HOME/.hermes/gitea_api" ]; then
+    python3 - "$HOME/.hermes/gitea_api" <<'PY'
+from pathlib import Path
+import sys
+
+raw = Path(sys.argv[1]).read_text().strip().rstrip("/")
+print(raw[:-7] if raw.endswith("/api/v1") else raw)
+PY
+    return 0
+  fi
+  if [ -f "$HOME/.config/gitea/base-url" ]; then
+    tr -d '[:space:]' < "$HOME/.config/gitea/base-url"
+    return 0
+  fi
+  echo "ERROR: set GITEA_URL or create ~/.hermes/gitea_api" >&2
+  return 1
+}
+
+GITEA_URL="$(resolve_gitea_url)"

 resolve_token_file() {
  local agent="$1"
@@ -26,8 +50,16 @@ resolve_token_file() {
    "$HOME/.hermes/${agent}_token" \
    "$HOME/.hermes/${normalized}_token" \
    "$HOME/.config/gitea/${agent}-token" \
-    "$HOME/.config/gitea/${normalized}-token" \
-    "$HOME/.config/gitea/token"; do
+    "$HOME/.config/gitea/${normalized}-token"; do
+    if [ -f "$candidate" ]; then
+      printf '%s\n' "$candidate"
+      return 0
+    fi
+  done
+  for candidate in \
+    "$HOME/.config/gitea/timmy-token" \
+    "$HOME/.hermes/gitea_token_vps" \
+    "$HOME/.hermes/gitea_token_timmy"; do
    if [ -f "$candidate" ]; then
      printf '%s\n' "$candidate"
      return 0
@@ -48,14 +80,14 @@ REPO_OWNER="${REPO%%/*}"
 REPO_NAME="${REPO##*/}"
 BRANCH="${AGENT_NAME}/issue-${ISSUE_NUM}"

-python3 - "$LANES_FILE" "$AGENT_NAME" "$ISSUE_NUM" "$REPO" "$REPO_OWNER" "$REPO_NAME" "$BRANCH" "$GITEA_URL" "$GITEA_TOKEN" <<'PY'
+python3 - "$LANES_FILE" "$AGENT_NAME" "$ISSUE_NUM" "$REPO" "$REPO_OWNER" "$REPO_NAME" "$BRANCH" "$GITEA_URL" "$GITEA_TOKEN" "$TOKEN_FILE" <<'PY'
 import json
 import sys
 import textwrap
 import urllib.error
 import urllib.request

-lanes_path, agent, issue_num, repo, repo_owner, repo_name, branch, gitea_url, token = sys.argv[1:]
+lanes_path, agent, issue_num, repo, repo_owner, repo_name, branch, gitea_url, token, token_file = sys.argv[1:]

 with open(lanes_path) as f:
    lanes = json.load(f)
@@ -108,7 +140,7 @@ YOUR ISSUE: #{issue_num} — "{issue.get('title', f'Issue #{issue_num}')}"

 REPO: {repo}
 GITEA API: {gitea_url}/api/v1
-GITEA TOKEN: {token}
+GITEA TOKEN FILE: {token_file}
 WORK BRANCH: {branch}

 LANE:
@@ -143,23 +175,27 @@ WORKFLOW:
 8. Comment on the issue with the PR link and the same concise summary.

 GIT / API SETUP:
-git clone http://{agent}:{token}@143.198.27.163:3000/{repo}.git /tmp/{agent}-work-{issue_num}
+export GITEA_URL="{gitea_url}"
+export GITEA_TOKEN_FILE="{token_file}"
+export GITEA_TOKEN="$(tr -d '[:space:]' < "$GITEA_TOKEN_FILE")"
+git config --global http."$GITEA_URL/".extraHeader "Authorization: token $GITEA_TOKEN"
+git clone "$GITEA_URL/{repo}.git" /tmp/{agent}-work-{issue_num}
 cd /tmp/{agent}-work-{issue_num}
 git ls-remote --exit-code origin {branch} >/dev/null 2>&1 && git fetch origin {branch} && git checkout {branch} || git checkout -b {branch}

 ISSUE FETCH COMMANDS:
-curl -s -H "Authorization: token {token}" "{gitea_url}/api/v1/repos/{repo}/issues/{issue_num}"
-curl -s -H "Authorization: token {token}" "{gitea_url}/api/v1/repos/{repo}/issues/{issue_num}/comments"
+curl -s -H "Authorization: token $GITEA_TOKEN" "{gitea_url}/api/v1/repos/{repo}/issues/{issue_num}"
+curl -s -H "Authorization: token $GITEA_TOKEN" "{gitea_url}/api/v1/repos/{repo}/issues/{issue_num}/comments"

 PR CREATION TEMPLATE:
 curl -s -X POST "{gitea_url}/api/v1/repos/{repo}/pulls" \\
-  -H "Authorization: token {token}" \\
+  -H "Authorization: token $GITEA_TOKEN" \\
  -H "Content-Type: application/json" \\
  -d '{{"title":"[{agent}] <description> (#{issue_num})","body":"Fixes #{issue_num}\\n\\n## Summary\\n- <change>\\n\\n## Verification\\n- <command/output>\\n\\n## Risks\\n- <if any>","head":"{branch}","base":"main"}}'

 ISSUE COMMENT TEMPLATE:
 curl -s -X POST "{gitea_url}/api/v1/repos/{repo}/issues/{issue_num}/comments" \\
-  -H "Authorization: token {token}" \\
+  -H "Authorization: token $GITEA_TOKEN" \\
  -H "Content-Type: application/json" \\
  -d '{{"body":"PR submitted.\\n\\nSummary:\\n- <change>\\n\\nVerification:\\n- <command/output>\\n\\nRisks:\\n- <if any>"}}'