specverb cannot reach the Forgejo Actions log surface: it is not in the swagger, and the only working route needs Basic auth + a non-REST body #223
Labels
No labels
burndown-2026-06
sunday-sprint
coherence-core
consult
headless
interactive
P0
P1
P2
P3
P4
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference
coilyco-flight-deck/cli-guard#223
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
The gap
The guarded Forgejo ops surface is built by
specverbfrom the swagger spec, so a verb can only exist if the upstream OpenAPI declares it. The Actions log surface is not in Forgejo's swagger, and the REST routes that would carry it 404 on this Forgejo even with a valid token:(The same token gets 200 from
/actions/tasks, so this is the routes, not auth. And it 404s for successful runs and minutes-old runs, so it is not log expiry.)Consumers work around it by shelling out to a bridge script (agentic-os ships
forgejo-actions-logs.sh->python3 -m agentic_os.forgejo_actions_logs), wrapped as an exec-dialectcan run "actions logs"grant. Those bridges target the 404 routes above, so they are dead - an agent cannot read its own CI logs today. Filed as agentic-os#473.Why this is awkward for specverb
The only thing that works is the web UI's ajax endpoint, and it breaks three assumptions the guardfile/specverb model makes:
/api/v1- it is a web route:/{owner}/{repo}/actions/runs/{runIndex}/jobs/{jobIndex}/attempt/{n}.Authorization: token <pat>gets a 307 redirect to the login page on web routes.-u user:tokenworks. The guardfile'sauth header-tokenshape cannot express that.{"logCursors":[{"step":N,"cursor":0,"expanded":true}]}, returninglogs.stepsLog[].lines[].message. And the ids are the display run/job indices, not the internal ones the API uses.So it is a read, but it is a POST, to a non-API host path, with a different auth scheme, keyed on different ids. specverb has no way to declare that from a spec, and the exec-dialect escape hatch (shell out to a bridge) is what everyone reaches for - which is why the bridge exists and why nobody noticed it had rotted.
Ask
Decide where this belongs:
Either way the current state is the worst one: a guarded verb (
can run "actions logs") that is declared, looks supported, and silently 404s.Context
Hit while diagnosing a
publish-dev-basefailure that had been invisible for two days (agentic-os#452). The only way to read the build log was hand-rolling the ajax call with Basic auth. Rerun had no working route at all - the fallback wasPOST /actions/workflows/{file}/dispatches, which re-runs the whole workflow instead of the failed job.Sibling issue on the deployment side: agentic-os#473 - every Forgejo Actions log/rerun API route the
.wardbridges target 404s, including on successful runs. That is the concrete failure this engine-side gap produces in practice; the working workaround (web POST + Basic auth) is documented there.