forge: mirror applied config repos to a private agent-configs org

on startup (and after every applied-repo ref mutation) core pushes
each agent's hive-c0re-owned applied repo — main plus every
proposal/approved/building/deployed/failed/denied tag — to
agent-configs/<name> on the local forge. the org is private and
agents are not members, so core is the only principal that can read
it.

the tokenised push url is passed inline, never stored as a named
remote: the applied repo is bind-mounted read-only into the manager,
so a token in .git/config would leak the core admin credential to an
agent.

push_config is best-effort at every site (ensure_all, spawn,
approve, deny, submit) — a missing or down forge never blocks a
deploy.
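An added example (not hive-c0re's own code) of the push the message describes: the token lives only in a URL built per call and passed as a git argument, the refspecs name main plus the six tag namespaces explicitly, and failure is returned for logging rather than propagated. The URL layout (`core:<token>@<host>/agent-configs/<name>.git`), the `git -C` invocation and the function names are assumptions for illustration; the token is assumed to contain no URL-reserved characters.

```rust
// Added example, not hive-c0re's own code: a best-effort mirror push that
// passes the forge token inline on the git command line and never writes it
// to .git/config. URL layout and git invocation are assumptions.
use std::process::Command;

/// Tag namespaces the commit message says are mirrored alongside main.
pub const TAG_PREFIXES: &[&str] =
    &["proposal", "approved", "building", "deployed", "failed", "denied"];

/// Tokenised push URL, built per call and handed to git as an argument,
/// so nothing credential-bearing is persisted in the applied repo.
/// Assumes the token needs no percent-encoding.
pub fn push_url(forge_host: &str, agent: &str, token: &str) -> String {
    format!("https://core:{token}@{forge_host}/agent-configs/{agent}.git")
}

/// Strip the userinfo part so the URL can appear in logs and error text.
pub fn redact_url(url: &str) -> String {
    match (url.find("://"), url.find('@')) {
        (Some(scheme_end), Some(at)) if at > scheme_end => {
            format!("{}://<redacted>@{}", &url[..scheme_end], &url[at + 1..])
        }
        _ => url.to_string(),
    }
}

/// Explicit refspecs: main plus every tag under the listed prefixes.
/// Spelling them out avoids any dependency on a configured remote or on
/// push.default / remote.*.push settings inside the applied repo.
pub fn refspecs() -> Vec<String> {
    let mut specs = vec!["refs/heads/main:refs/heads/main".to_string()];
    specs.extend(
        TAG_PREFIXES
            .iter()
            .map(|p| format!("refs/tags/{p}/*:refs/tags/{p}/*")),
    );
    specs
}

/// Arguments after `git -C <repo>`: the URL takes the place of a remote name.
pub fn push_argv(url: &str) -> Vec<String> {
    let mut argv = vec!["push".to_string(), url.to_string()];
    argv.extend(refspecs());
    argv
}

/// Best-effort push. Returns Err so the caller can log it; callers are
/// expected to carry on regardless, as the commit message describes.
pub fn push_config(repo_dir: &str, url: &str) -> Result<(), String> {
    let output = Command::new("git")
        .arg("-C")
        .arg(repo_dir)
        .args(push_argv(url))
        .output()
        .map_err(|e| format!("spawn git: {e}"))?;
    if output.status.success() {
        Ok(())
    } else {
        // Only the redacted URL reaches the error text.
        Err(format!(
            "git push to {} failed: {}",
            redact_url(url),
            String::from_utf8_lossy(&output.stderr).trim()
        ))
    }
}

fn main() {
    // Constructed values; no forge is contacted unless you point this at one.
    let url = push_url("forge.internal", "alpha", "EXAMPLE-TOKEN");
    println!("git {}", push_argv(&redact_url(&url)).join(" "));
    if let Err(e) = push_config("/path/to/applied/alpha", &url) {
        eprintln!("forge: push_config failed (non-fatal): {e}");
    }
}
```

The inline URL keeps the credential out of the bind-mounted repo, which is the leak the message is closing, but it is visible in the git process's argv (for example via /proc/<pid>/cmdline) for the duration of the push; if anything untrusted shares that pid namespace, a credential helper or `GIT_ASKPASS` is the usual alternative.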
müde 2026-05-20 10:24:50 +02:00
parent 1529c2d777
commit 5aad2d67e1
4 changed files with 185 additions and 27 deletions

@ -481,6 +481,10 @@ async fn submit_apply_commit(
.approvals
.set_fetched_sha(id, &sha)
.map_err(|e| anyhow::anyhow!("persist fetched_sha: {e:#}"))?;
// Mirror the freshly-planted proposal/<id> tag to the forge.
if let Err(e) = crate::forge::push_config(agent).await {
tracing::warn!(%agent, %id, error = ?e, "forge: push_config after submit failed");
}
// Phase 5b: surface the new pending approval on the dashboard
// event channel. Compute the diff once here so live subscribers
// get a fully-formed row without a snapshot refetch.
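Review bot: `crate::forge::push_config(agent).await` is awaited inline on the submit path, so while the `warn!` arm makes a failed push non-fatal (matching the best-effort intent), a forge that is reachable but slow still stalls the submit response for the whole push; consider running the push as a detached background task or under a timeout so a hung forge behaves like a down one. Also, since the message treats a missing forge as normal, a `warn!` on every submit will be noisy on deployments with no forge configured; logging the unconfigured case at `debug!` and reserving `warn!` for actual push failures would keep the signal.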