forge: auto-create a user + token per agent on spawn / startup

new forge module probes the hive-forge nixos-container (no-op when
absent), and ensures every agent + the manager has a forgejo user
named after them with an access token at `<state>/forge-token`
(visible inside the container as `/state/forge-token`).

idempotent: skips user creation when forgejo reports 'already
exists', skips token issuance when the file is present, scopes the
token to read:user,write:repository,write:issue. token-name suffixed
with a clock so re-issuing doesn't collide with a stale name. shells
out via `nixos-container run hive-forge -- runuser -u forgejo --
forgejo admin` (runuser instead of sudo since sudo isn't in the
container by default).

hooks: ensure_all sweeps existing containers at hive-c0re startup
(backgrounded), and the actions.rs spawn task calls ensure_user_for
the new agent right after lifecycle::spawn succeeds. failures log a
warning but don't abort spawn — a missing token is recoverable from
the next startup sweep.
müde 2026-05-16 20:55:13 +02:00
parent 6e9c67dd94
commit 480d646f69
3 changed files with 211 additions and 0 deletions
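The provisioning flow the message describes (create user, tolerate "already exists", issue a scoped token once, keep the token name unique with a clock suffix, shell out via runuser inside the container) as an added example. This is not hive-c0re's forge module; it puts the same logic behind a `ForgeRunner` trait so it can be dry-run and tested without a nixos-container. The forgejo `admin user create` / `generate-access-token` flags, the `hive.invalid` placeholder e-mail and the `MockRunner` replies are assumptions, not taken from the repository.

```rust
// Added example, not hive-c0re's forge module. Forgejo CLI flags are as I know
// them from the forgejo/gitea `admin user` subcommands (assumption; check your version).
use std::fs;
use std::io::{Error, ErrorKind};
use std::path::Path;
use std::time::{SystemTime, UNIX_EPOCH};

/// Scopes the commit message grants to each agent token.
pub const TOKEN_SCOPES: &str = "read:user,write:repository,write:issue";

pub struct CmdOutput {
    pub success: bool,
    pub output: String, // stdout + stderr merged, so "already exists" is caught wherever forgejo prints it
}

/// Everything after `forgejo admin`; the runner supplies the container shell-out.
pub trait ForgeRunner {
    fn run_admin(&mut self, args: &[&str]) -> std::io::Result<CmdOutput>;
}

/// Real runner: `nixos-container run <c> -- runuser -u forgejo -- forgejo admin ...`
/// (runuser rather than sudo, since sudo is not in the container by default).
pub struct ContainerRunner(pub String);

impl ForgeRunner for ContainerRunner {
    fn run_admin(&mut self, args: &[&str]) -> std::io::Result<CmdOutput> {
        let out = std::process::Command::new("nixos-container")
            .args(["run", &self.0, "--", "runuser", "-u", "forgejo", "--", "forgejo", "admin"])
            .args(args)
            .output()?;
        let mut output = String::from_utf8_lossy(&out.stdout).into_owned();
        output.push_str(&String::from_utf8_lossy(&out.stderr));
        Ok(CmdOutput { success: out.status.success(), output })
    }
}

#[derive(Debug, PartialEq, Eq)]
pub enum UserState { Created, AlreadyExists }
#[derive(Debug, PartialEq, Eq)]
pub enum TokenState { Issued, AlreadyPresent }

/// Create the user; forgejo's "already exists" failure counts as success, anything else is an error.
pub fn ensure_user<R: ForgeRunner>(r: &mut R, name: &str, password: &str) -> std::io::Result<UserState> {
    let email = format!("{name}@hive.invalid"); // placeholder address (assumption)
    let out = r.run_admin(&["user", "create", "--username", name, "--password", password, "--email", &email])?;
    if out.success {
        Ok(UserState::Created)
    } else if out.output.contains("already exists") {
        Ok(UserState::AlreadyExists)
    } else {
        Err(Error::new(ErrorKind::Other, format!("user create failed for {name}: {}", out.output.trim())))
    }
}

/// Token names are unique per user, so a clock suffix keeps a re-issue from colliding with a stale name.
pub fn token_name(user: &str, unix_secs: u64) -> String {
    format!("hive-{user}-{unix_secs}")
}

/// Issue a scoped token and store it at `path`, unless a token file is already present.
pub fn ensure_token<R: ForgeRunner>(r: &mut R, user: &str, path: &Path) -> std::io::Result<TokenState> {
    if path.exists() {
        return Ok(TokenState::AlreadyPresent);
    }
    let now = SystemTime::now().duration_since(UNIX_EPOCH).map(|d| d.as_secs()).unwrap_or(0);
    let name = token_name(user, now);
    let out = r.run_admin(&["user", "generate-access-token", "--username", user,
                            "--token-name", &name, "--scopes", TOKEN_SCOPES, "--raw"])?;
    let token = out.output.trim();
    if !out.success || token.is_empty() {
        return Err(Error::new(ErrorKind::Other, format!("token issuance failed for {user}: {token}")));
    }
    // Temp file, owner-only mode, then rename: never a half-written or world-readable token.
    let tmp = path.with_extension("tmp");
    fs::write(&tmp, token)?;
    #[cfg(unix)]
    {
        use std::os::unix::fs::PermissionsExt;
        fs::set_permissions(&tmp, fs::Permissions::from_mode(0o600))?;
    }
    fs::rename(&tmp, path)?;
    Ok(TokenState::Issued)
}

/// One call per agent or manager: user first, then the token at `<state>/forge-token`.
pub fn ensure_user_for<R: ForgeRunner>(r: &mut R, name: &str, password: &str, state_dir: &Path)
    -> std::io::Result<(UserState, TokenState)> {
    let u = ensure_user(r, name, password)?;
    let t = ensure_token(r, name, &state_dir.join("forge-token"))?;
    Ok((u, t))
}

/// Fake runner with constructed forgejo replies, for dry runs without a container.
#[derive(Default)]
pub struct MockRunner { pub calls: Vec<Vec<String>>, pub users: Vec<String> }

impl ForgeRunner for MockRunner {
    fn run_admin(&mut self, args: &[&str]) -> std::io::Result<CmdOutput> {
        self.calls.push(args.iter().map(|s| s.to_string()).collect());
        let (success, output) = match args.get(1).copied() {
            Some("create") if self.users.contains(&args[3].to_string()) =>
                (false, format!("CreateUser: user already exists [name: {}]", args[3])),
            Some("create") => { self.users.push(args[3].to_string()); (true, "created".to_string()) }
            Some("generate-access-token") => (true, "constructed-token-value\n".to_string()),
            _ => (false, "unknown subcommand".to_string()),
        };
        Ok(CmdOutput { success, output })
    }
}
```

Running `ensure_user_for` twice against `MockRunner` gives `(Created, Issued)` then `(AlreadyExists, AlreadyPresent)`, with the second run never calling `generate-access-token`, which is the idempotency the commit relies on for its startup sweep. The password is only needed because `admin user create` requires one; agents authenticate with the token.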


@ -77,6 +77,11 @@ pub async fn approve(coord: Arc<Coordinator>, id: i64) -> Result<()> {
)
.await;
drop(guard);
if result.is_ok()
&& let Err(e) = crate::forge::ensure_user_for(&agent_bg).await
{
tracing::warn!(agent = %agent_bg, error = ?e, "forge: ensure_user after spawn failed");
}
if let Err(e) = finish_approval(&coord_bg, &approval_bg, result, None) {
tracing::warn!(agent = %agent_bg, error = ?e, "spawn approval failed");
}
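Review bot: `crate::forge::ensure_user_for(&agent_bg).await` sits on the approval path between the spawn result and `finish_approval`, so the `nixos-container run ... forgejo admin` shell-out described in the commit message delays the approval outcome, and a hung container probe would stall it indefinitely. Since a failure here is already non-fatal and the startup sweep recovers a missing token, consider spawning the call as its own task (or bounding it with a timeout) so `finish_approval(&coord_bg, &approval_bg, result, None)` runs as soon as `result` is known. Also, `if result.is_ok() && let Err(e) = ...` is a let chain, which compiles only on the 2024 edition (stable since Rust 1.88); confirm the crate's edition or split it into nested `if`s.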