forge: mirror applied config repos to a private agent-configs org

on startup (and after every applied-repo ref mutation) core pushes each agent's hive-c0re-owned applied repo — main plus every proposal/approved/building/deployed/failed/denied tag — to agent-configs/<name> on the local forge. the org is private and agents are not members, so core is the only principal that can read it. the tokenised push url is passed inline, never stored as a named remote: the applied repo is bind-mounted read-only into the manager, so a token in .git/config would leak the core admin credential to an agent. push_config is best-effort at every site (ensure_all, spawn, approve, deny, submit) — a missing or down forge never blocks a deploy.
2026-05-20 10:24:50 +02:00 · 2026-05-20 10:24:50 +02:00 · 5aad2d67e1
commit 5aad2d67e1
parent 1529c2d777
4 changed files with 185 additions and 27 deletions
--- a/hive-c0re/src/actions.rs
+++ b/hive-c0re/src/actions.rs
@ -50,6 +50,11 @@ pub async fn approve(coord: Arc<Coordinator>, id: i64) -> Result<()> {
                &notes_dir,
            )
            .await;
+            // Mirror the applied repo's new tag/branch state (approved/
+            // building/deployed-or-failed + main) to the forge.
+            if let Err(e) = crate::forge::push_config(&approval.agent).await {
+                tracing::warn!(agent = %approval.agent, error = ?e, "forge: push_config after apply failed");
+            }
            finish_approval(&coord, &approval, result, terminal_tag)
        }
        ApprovalKind::Spawn => {
@ -77,10 +82,19 @@ pub async fn approve(coord: Arc<Coordinator>, id: i64) -> Result<()> {
                )
                .await;
                drop(guard);
-                if result.is_ok()
-                    && let Err(e) = crate::forge::ensure_user_for(&agent_bg).await
-                {
-                    tracing::warn!(agent = %agent_bg, error = ?e, "forge: ensure_user after spawn failed");
+                if result.is_ok() {
+                    if let Err(e) = crate::forge::ensure_user_for(&agent_bg).await {
+                        tracing::warn!(agent = %agent_bg, error = ?e, "forge: ensure_user after spawn failed");
+                    }
+                    // Create the agent-configs mirror repo and seed it
+                    // with the freshly-initialised applied repo (main +
+                    // deployed/0).
+                    if let Err(e) = crate::forge::ensure_config_repo(&agent_bg).await {
+                        tracing::warn!(agent = %agent_bg, error = ?e, "forge: ensure_config_repo after spawn failed");
+                    }
+                    if let Err(e) = crate::forge::push_config(&agent_bg).await {
+                        tracing::warn!(agent = %agent_bg, error = ?e, "forge: push_config after spawn failed");
+                    }
                }
                if let Err(e) = finish_approval(&coord_bg, &approval_bg, result, None) {
                    tracing::warn!(agent = %agent_bg, error = ?e, "spawn approval failed");
@ -417,6 +431,10 @@ pub async fn deny(coord: &Coordinator, id: i64, note: Option<&str>) -> Result<()
                    tag = Some(tag_name);
                }
            }
+            // Mirror the denied/<id> tag to the forge.
+            if let Err(e) = crate::forge::push_config(&a.agent).await {
+                tracing::warn!(%id, agent = %a.agent, error = ?e, "forge: push_config after deny failed");
+            }
        }
        let approval_kind = match a.kind {
            ApprovalKind::Spawn => "spawn",