Skip to content

feat(selfhost): add claude code token to native Docker secrets#5144

Merged
JSONbored merged 1 commit into
mainfrom
claude/update-claude-token-d7b1f9
Jul 12, 2026
Merged

feat(selfhost): add claude code token to native Docker secrets#5144
JSONbored merged 1 commit into
mainfrom
claude/update-claude-token-d7b1f9

Conversation

@JSONbored

Copy link
Copy Markdown
Owner

Summary

  • Adds CLAUDE_CODE_OAUTH_TOKEN to the native Docker Compose secrets convention (docker-compose.yml, scripts/selfhost-init-secrets.sh, secrets/README.md, .env.example) — it was the last core self-host secret still requiring an inline .env value.
  • No application code change needed: the existing generic <NAME>_FILE loader (src/selfhost/load-file-secrets.ts) already resolves any _FILE-suffixed var, confirmed by reading it before making this change.

Scope

  • The PR title follows type(scope): short summary Conventional Commit format.
  • This PR is focused and does not mix unrelated backend, UI, MCP, docs, dependency, and deploy changes.
  • This follows CONTRIBUTING.md and does not reintroduce GitHub Pages, VitePress, site/, or CNAME.
  • Linked issue — not applicable; this is an owner-authored infra/config PR, not a contributor PR subject to the linked-issue gate.

Validation

  • git diff --check
  • npm run actionlint
  • npm run typecheck
  • npm run test:coverage — skipped, see note below
  • npm run test:workers — skipped, see note below
  • npm run build:mcp — skipped, see note below
  • npm run test:mcp-pack — skipped, see note below
  • npm run ui:openapi:check — skipped, see note below
  • npm run ui:lint — skipped, see note below
  • npm run ui:typecheck — skipped, see note below
  • npm run ui:build — skipped, see note below
  • npm audit --audit-level=moderate
  • New or changed behavior has unit/integration tests — not applicable, see note below

If any required check was skipped, explain why:

  • This diff touches only docker-compose.yml, scripts/selfhost-init-secrets.sh, secrets/README.md, and .env.example — no src/**, apps/gittensory-ui/**, or API/schema files, and adds zero application code (the generic secret-file loader already covers this var). Codecov's patch gate only measures src/**, so there's no coverage obligation here. Ran the checks that actually apply to what changed instead: docker compose -f docker-compose.yml config --quiet (valid), npm run selfhost:env-reference:check (clean — confirms no new literal env.SOMETHING read was introduced), npm run docs:drift-check (clean), and bash -n scripts/selfhost-init-secrets.sh (valid). Skipped the UI/MCP/miner/workers suites since none of their inputs changed.

Safety

  • No secrets, wallet details, hotkeys, coldkeys, user PATs, private keys, raw trust scores, private rankings, or private maintainer evidence are exposed — confirmed by grepping the full working tree for the real token value before pushing.
  • Public GitHub text stays sanitized, low-noise, and does not imply compensation guarantees or optimization tactics.
  • Auth/cookie/CORS/GitHub App/Cloudflare/session negative-path tests — not applicable, no such change.
  • API/OpenAPI/MCP behavior updated — not applicable.
  • UI changes use live API data — not applicable, no UI change.
  • Public docs are updated where needed (secrets/README.md, .env.example).

UI Evidence

Not applicable — no visible UI/frontend change.

Notes

  • This completes the file-secret migration for every core self-host secret used by the always-on gittensory service (see secrets/README.md's table) — CLAUDE_CODE_OAUTH_TOKEN was the only one left requiring an inline .env value.
  • Follow-up (server-side, outside this PR's diff): after merge, populate secrets/claude_code_oauth_token.txt on deployments that opt into this and remove the now-redundant CLAUDE_CODE_OAUTH_TOKEN= line from .env.

Extends the file-mounted secrets convention (secrets/README.md) to cover
CLAUDE_CODE_OAUTH_TOKEN, the one core self-host secret still requiring an
inline .env value. The existing generic <NAME>_FILE loader
(src/selfhost/load-file-secrets.ts) already reads any *_FILE var, so this
needs no application code change -- just the compose secrets wiring, the
init-script placeholder, and doc updates.
@superagent-security

Copy link
Copy Markdown
Contributor

Superagent didn't find any vulnerabilities or security issues in this PR.

@JSONbored JSONbored self-assigned this Jul 12, 2026
@codecov

codecov Bot commented Jul 12, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 94.33%. Comparing base (1d4a6fd) to head (aa43ee1).
⚠️ Report is 2 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #5144   +/-   ##
=======================================
  Coverage   94.33%   94.33%           
=======================================
  Files         472      472           
  Lines       39878    39878           
  Branches    14544    14544           
=======================================
  Hits        37617    37617           
  Misses       1583     1583           
  Partials      678      678           
Flag Coverage Δ
shard-1 46.34% <ø> (ø)
shard-2 34.69% <ø> (ø)
shard-3 32.06% <ø> (ø)
shard-4 31.97% <ø> (ø)
shard-5 33.61% <ø> (ø)
shard-6 44.92% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@JSONbored
JSONbored merged commit af23119 into main Jul 12, 2026
18 checks passed
@JSONbored
JSONbored deleted the claude/update-claude-token-d7b1f9 branch July 12, 2026 08:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant