ward: point host-side dispatch/agent forgejo API token at the coilyco-ops bot (follow-up to #151) #160

Closed
opened 2026-06-18 05:18:16 +00:00 by coilysiren · 1 comment
Owner

What

Point ward's host-side dispatch / agent forgejo API token at the coilyco-ops bot, matching what #151 already did for ward-kdl.

#151 swapped only the ward-kdl forgejo guardfile onto the bot creds (origin/main cmd/ward-kdl/ward-kdl.forgejo.guardfile.kdl now reads value ssm "/forgejo/coilyco-ops/api-token"). The separate host-side cmd/ward path was intentionally left on the operator's personal PAT. This issue closes that gap for the API surface.

Concrete change

cmd/ward/forgejo_issue.go:25

const forgejoSSMTokenPath = "/forgejo/api-token" //nolint:gosec // SSM path, not a credential

/forgejo/coilyco-ops/api-token.

This one const feeds forgejoAPIToken() (forgejo_issue.go:33), which is the bearer used by:

  • cmd/ward/agent.go:552 - the agent issue-verb
  • the ward dispatch forgejo issue-filing path (forgejo_issue.go:54)

So every automated issue create/comment from the host attributes to coilyco-ops instead of the human operator.

Prereqs / verification

  • Bot scopes (write:repository write:issue read:user write:organization, minted by infrastructure/scripts/provision-coilyco-ops-bot.sh, stashed at SSM /forgejo/coilyco-ops/api-token) already cover the issue/comment API - this is the same token #151 verified authenticates.
  • go build && go vet && go test ./... green.
  • Manually confirm an issue created via ward (or ward dispatch) shows author coilyco-ops.

Docs to update in the same commit

  • docs/dispatch.md:45 - "bearer token from SSM /forgejo/api-token" → bot path.
  • Mirror the guardfile comment style from #151 (why the bot, provisioning/rotation source).

Notes

  • Sibling issue covers the container git-over-HTTPS push token (cmd/ward/container.go) - separate because it needs the bot to have git push (collaborator) access, a stronger prereq than the API scope here.
  • Out of scope: agentic-os/scripts/git-credential-forgejo-ssm.sh (Kai's personal local-host git push credential) stays personal unless decided otherwise.

Follow-up to #151.

## What Point ward's host-side **dispatch / agent forgejo API** token at the `coilyco-ops` bot, matching what #151 already did for ward-kdl. `#151` swapped only the **ward-kdl** forgejo guardfile onto the bot creds (origin/main `cmd/ward-kdl/ward-kdl.forgejo.guardfile.kdl` now reads `value ssm "/forgejo/coilyco-ops/api-token"`). The separate **host-side `cmd/ward`** path was intentionally left on the operator's personal PAT. This issue closes that gap for the API surface. ## Concrete change `cmd/ward/forgejo_issue.go:25` ```go const forgejoSSMTokenPath = "/forgejo/api-token" //nolint:gosec // SSM path, not a credential ``` → `/forgejo/coilyco-ops/api-token`. This one const feeds `forgejoAPIToken()` (`forgejo_issue.go:33`), which is the bearer used by: - `cmd/ward/agent.go:552` - the agent issue-verb - the `ward dispatch` forgejo issue-filing path (`forgejo_issue.go:54`) So every automated issue create/comment from the host attributes to `coilyco-ops` instead of the human operator. ## Prereqs / verification - Bot scopes (`write:repository write:issue read:user write:organization`, minted by `infrastructure/scripts/provision-coilyco-ops-bot.sh`, stashed at SSM `/forgejo/coilyco-ops/api-token`) already cover the issue/comment API - this is the same token #151 verified authenticates. - `go build && go vet && go test ./...` green. - Manually confirm an issue created via `ward` (or `ward dispatch`) shows author `coilyco-ops`. ## Docs to update in the same commit - `docs/dispatch.md:45` - "bearer token from SSM `/forgejo/api-token`" → bot path. - Mirror the guardfile comment style from #151 (why the bot, provisioning/rotation source). ## Notes - Sibling issue covers the **container git-over-HTTPS push token** (`cmd/ward/container.go`) - separate because it needs the bot to have git push (collaborator) access, a stronger prereq than the API scope here. - Out of scope: `agentic-os/scripts/git-credential-forgejo-ssm.sh` (Kai's personal local-host git push credential) stays personal unless decided otherwise. Follow-up to #151.
Author
Owner

🔒 Reserved by ward agent claude — container ward-ward-issue-160-claude-18c32e07 on host kais-macbook-pro.local is carrying this issue (reserved 2026-06-18T06:31:38Z). Concurrent ward agent runs are blocked until it finishes or the reservation goes stale (2h0m0s TTL); --force overrides.

— Claude (she/her), via ward agent

<!-- ward-agent-reservation --> 🔒 Reserved by `ward agent claude` — container `ward-ward-issue-160-claude-18c32e07` on host `kais-macbook-pro.local` is carrying this issue (reserved 2026-06-18T06:31:38Z). Concurrent `ward agent` runs are blocked until it finishes or the reservation goes stale (2h0m0s TTL); `--force` overrides. <!-- ward-agent-signature --> — Claude (she/her), via `ward agent`
Sign in to join this conversation.
No milestone
No project
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
coilyco-flight-deck/ward#160
No description provided.