From 9943d3c6d8cf82907ba6e588f9bd867235cadba2 Mon Sep 17 00:00:00 2001
From: Alexander Whitestone
Date: Sat, 4 Apr 2026 18:25:02 -0400
Subject: [PATCH] Harden dispatch credential handling
---
 bin/agent-dispatch.sh | 58 +++++++++++++++++++++++++++++++++++--------
 1 file changed, 47 insertions(+), 11 deletions(-)
diff --git a/bin/agent-dispatch.sh b/bin/agent-dispatch.sh
index cde5fd72..deb16abe 100755
--- a/bin/agent-dispatch.sh
+++ b/bin/agent-dispatch.sh
@@ -16,7 +16,31 @@ REPO="${3:?Usage: agent-dispatch.sh }"
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 LANES_FILE="${SCRIPT_DIR%/bin}/playbooks/agent-lanes.json"
-GITEA_URL="${GITEA_URL:-http://143.198.27.163:3000}"
+
+resolve_gitea_url() {
+ if [ -n "${GITEA_URL:-}" ]; then
+ printf '%s\n' "${GITEA_URL%/}"
+ return 0
+ fi
+ if [ -f "$HOME/.hermes/gitea_api" ]; then
+ python3 - "$HOME/.hermes/gitea_api" <<'PY'
+from pathlib import Path
+import sys
+
+raw = Path(sys.argv[1]).read_text().strip().rstrip("/")
+print(raw[:-7] if raw.endswith("/api/v1") else raw)
+PY
+ return 0
+ fi
+ if [ -f "$HOME/.config/gitea/base-url" ]; then
+ tr -d '[:space:]' < "$HOME/.config/gitea/base-url"
+ return 0
+ fi
+ echo "ERROR: set GITEA_URL or create ~/.hermes/gitea_api" >&2
+ return 1
+}
+
+GITEA_URL="$(resolve_gitea_url)"
 resolve_token_file() {
 local agent="$1"
@@ -26,8 +50,16 @@ resolve_token_file() {
 "$HOME/.hermes/${agent}_token" \
 "$HOME/.hermes/${normalized}_token" \
 "$HOME/.config/gitea/${agent}-token" \
- "$HOME/.config/gitea/${normalized}-token" \
- "$HOME/.config/gitea/token"; do
+ "$HOME/.config/gitea/${normalized}-token"; do
+ if [ -f "$candidate" ]; then
+ printf '%s\n' "$candidate"
+ return 0
+ fi
+ done
+ for candidate in \
+ "$HOME/.config/gitea/timmy-token" \
+ "$HOME/.hermes/gitea_token_vps" \
+ "$HOME/.hermes/gitea_token_timmy"; do
 if [ -f "$candidate" ]; then
 printf '%s\n' "$candidate"
 return 0
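Review bot: The new `GITEA_URL="$(resolve_gitea_url)"` assignment never checks the function's status, so unless `set -e` is enabled above this hunk (not visible here) a failed lookup leaves `GITEA_URL` empty and the script carries on building URLs from it; `GITEA_URL="$(resolve_gitea_url)" || exit 1` makes the failure explicit. In `resolve_gitea_url` the `~/.hermes/gitea_api` branch reaches `return 0` even when `python3` fails, and the three sources are normalised differently: the `base-url` branch strips whitespace but not a trailing `/`, and only the `gitea_api` branch strips `/api/v1`. Because the token is later sent in an `Authorization` header to whatever this resolves to, I would also reject an empty result and warn on a scheme other than `https://` before continuing.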
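Review bot: The second `for candidate in` loop falls back to token files that are not derived from `$agent` (`timmy-token`, `gitea_token_vps`, `gitea_token_timmy`), so an agent with no token of its own silently runs with what looks, judging by the file names, like another identity's credential. That weakens attribution of the resulting commits and API calls and may grant more scope than the lane needs. I would make the fallback visible, e.g. `echo "WARN: no token file for $agent, using shared $candidate" >&2` before the `printf`, or gate it behind an explicit opt-in variable. Neither loop checks that the chosen file is private to the user (mode `600`), which would be a cheap addition here. `resolve_token_file` starts and ends outside the hunk.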
@@ -48,14 +80,14 @@ REPO_OWNER="${REPO%%/*}"
 REPO_NAME="${REPO##*/}"
 BRANCH="${AGENT_NAME}/issue-${ISSUE_NUM}"
-python3 - "$LANES_FILE" "$AGENT_NAME" "$ISSUE_NUM" "$REPO" "$REPO_OWNER" "$REPO_NAME" "$BRANCH" "$GITEA_URL" "$GITEA_TOKEN" <<'PY'
+python3 - "$LANES_FILE" "$AGENT_NAME" "$ISSUE_NUM" "$REPO" "$REPO_OWNER" "$REPO_NAME" "$BRANCH" "$GITEA_URL" "$GITEA_TOKEN" "$TOKEN_FILE" <<'PY'
 import json
 import sys
 import textwrap
 import urllib.error
 import urllib.request
-lanes_path, agent, issue_num, repo, repo_owner, repo_name, branch, gitea_url, token = sys.argv[1:]
+lanes_path, agent, issue_num, repo, repo_owner, repo_name, branch, gitea_url, token, token_file = sys.argv[1:]
 with open(lanes_path) as f:
 lanes = json.load(f)
@@ -108,7 +140,7 @@ YOUR ISSUE: #{issue_num} — "{issue.get('title', f'Issue #{issue_num}')}"
 REPO: {repo}
 GITEA API: {gitea_url}/api/v1
-GITEA TOKEN: {token}
+GITEA TOKEN FILE: {token_file}
 WORK BRANCH: {branch}
 LANE:
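Review bot: `"$GITEA_TOKEN"` is still passed to `python3` as a command-line argument on the changed invocation, so the secret remains readable in the process list for as long as the helper runs. Now that `"$TOKEN_FILE"` is passed as well, the Python side could read the token itself, `token = open(token_file).read().strip()`, and the shell could drop `"$GITEA_TOKEN"` from the argument list. The body of the heredoc between this hunk and the next is not visible, so whether `token` has other uses there should be checked first.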
@@ -143,23 +175,27 @@ WORKFLOW:
 8. Comment on the issue with the PR link and the same concise summary.
 GIT / API SETUP:
-git clone http://{agent}:{token}@143.198.27.163:3000/{repo}.git /tmp/{agent}-work-{issue_num}
+export GITEA_URL="{gitea_url}"
+export GITEA_TOKEN_FILE="{token_file}"
+export GITEA_TOKEN="$(tr -d '[:space:]' < "$GITEA_TOKEN_FILE")"
+git config --global http."$GITEA_URL/".extraHeader "Authorization: token $GITEA_TOKEN"
+git clone "$GITEA_URL/{repo}.git" /tmp/{agent}-work-{issue_num}
 cd /tmp/{agent}-work-{issue_num}
 git ls-remote --exit-code origin {branch} >/dev/null 2>&1 && git fetch origin {branch} && git checkout {branch} || git checkout -b {branch}
 ISSUE FETCH COMMANDS:
-curl -s -H "Authorization: token {token}" "{gitea_url}/api/v1/repos/{repo}/issues/{issue_num}"
-curl -s -H "Authorization: token {token}" "{gitea_url}/api/v1/repos/{repo}/issues/{issue_num}/comments"
+curl -s -H "Authorization: token $GITEA_TOKEN" "{gitea_url}/api/v1/repos/{repo}/issues/{issue_num}"
+curl -s -H "Authorization: token $GITEA_TOKEN" "{gitea_url}/api/v1/repos/{repo}/issues/{issue_num}/comments"
 PR CREATION TEMPLATE:
 curl -s -X POST "{gitea_url}/api/v1/repos/{repo}/pulls" \\
- -H "Authorization: token {token}" \\
+ -H "Authorization: token $GITEA_TOKEN" \\
 -H "Content-Type: application/json" \\
 -d '{{"title":"[{agent}] (#{issue_num})","body":"Fixes #{issue_num}\\n\\n## Summary\\n- \\n\\n## Verification\\n- \\n\\n## Risks\\n- ","head":"{branch}","base":"main"}}'
 ISSUE COMMENT TEMPLATE:
 curl -s -X POST "{gitea_url}/api/v1/repos/{repo}/issues/{issue_num}/comments" \\
- -H "Authorization: token {token}" \\
+ -H "Authorization: token $GITEA_TOKEN" \\
 -H "Content-Type: application/json" \\
 -d '{{"body":"PR submitted.\\n\\nSummary:\\n- \\n\\nVerification:\\n- \\n\\nRisks:\\n- "}}'
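Review bot: The `git config --global http."$GITEA_URL/".extraHeader ...` line in the GIT / API SETUP block writes the token in clear text into the user's global git config, where it outlives the task and is picked up by every later git command against that host, which undoes much of the move to a token file. A process-scoped setting keeps it off disk: `export GIT_CONFIG_COUNT=1 GIT_CONFIG_KEY_0="http.$GITEA_URL/.extraHeader" GIT_CONFIG_VALUE_0="Authorization: token $GITEA_TOKEN"` (git 2.31 or later). The `curl -H "Authorization: token $GITEA_TOKEN"` templates still expose the token in curl's argument list; recent curl can read headers from a file with `-H @file`. The clone target `/tmp/{agent}-work-{issue_num}` is a predictable path in a shared directory, so a `mktemp -d` directory would be safer on a multi-user host. The prompt template starts and ends outside this hunk.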