UNPKG

aiwg

Version:

Deployment tool and support utility for AI context. Copies agents, skills, commands, rules, and behaviors into the paths each AI platform reads (Claude Code, Codex, Copilot, Cursor, Warp, OpenClaw, and 6 more) so one source of truth works across 10 platfo

aiwg.io

jmagly/aiwg

340 lines (258 loc) 8.43 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
# Secure Token Load **Type**: Security Pattern **Category**: API Authentication **Version**: 1.0.0 ## Purpose Provides secure patterns for loading authentication tokens from environment variables or secure files without exposing token values in logs, history, or process lists. ## When to Use Use this pattern whenever you need to: - Authenticate API requests to Gitea, GitHub, GitLab, etc. - Access tokens stored in `~/.config/` or environment variables - Execute multiple authenticated operations in sequence - Generate agent definitions or commands that require API access ## Pattern Overview **Priority Order**: 1. Environment variable (CI/CD, containers) 2. Secure file with restricted permissions (development) 3. Vault integration (future/enterprise) **Key Principle**: Load tokens at point of use, never store in persistent variables. ## Single-Line Pattern For single API calls, load token inline: ```bash # Pattern curl -s -H "Authorization: token $(cat ~/.config/SERVICE/token)" \ "https://api.example.com/endpoint" # Gitea example curl -s -H "Authorization: token $(cat ~/.config/gitea/token)" \ "https://git.integrolabs.net/api/v1/repos/roctinam/sysops/issues?state=open" # GitHub example curl -s -H "Authorization: token $(cat ~/.config/github/token)" \ "https://api.github.com/user/repos" # Environment variable alternative curl -s -H "Authorization: token ${GITEA_TOKEN}" \ "https://git.integrolabs.net/api/v1/user" ``` ## Multi-Line Pattern (Heredoc) For operations requiring multiple API calls or complex logic, use heredoc: ```bash bash <<'EOF' # Load token once within heredoc scope TOKEN=$(cat ~/.config/gitea/token) # Multiple API operations REPOS=$(curl -s -H "Authorization: token ${TOKEN}" \ "https://git.integrolabs.net/api/v1/users/roctinam/repos") ISSUES=$(curl -s -H "Authorization: token ${TOKEN}" \ "https://git.integrolabs.net/api/v1/repos/roctinam/sysops/issues") # Process results echo "Repositories:" echo "${REPOS}" | jq -r '.[].full_name' echo "Issues:" echo "${ISSUES}" | jq -r '.[] | "\(.number): \(.title)"' # Token automatically discarded when heredoc exits EOF ``` ## Environment Variable Pattern For CI/CD or container environments: ```bash # Set in CI/CD secrets, then use directly curl -s -H "Authorization: token ${GITEA_TOKEN}" \ "https://git.integrolabs.net/api/v1/user" ``` **GitHub Actions**: ```yaml jobs: deploy: steps: - name: API Call env: GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }} run: | curl -s -H "Authorization: token ${GITEA_TOKEN}" \ "https://git.integrolabs.net/api/v1/user" ``` **GitLab CI**: ```yaml script: - | curl -s -H "Authorization: token ${GITEA_TOKEN}" \ "https://git.integrolabs.net/api/v1/user" ``` ## Token Validation Pattern Test token validity without exposing value: ```bash bash <<'EOF' TOKEN=$(cat ~/.config/gitea/token) STATUS=$(curl -s -o /dev/null -w "%{http_code}" \ -H "Authorization: token ${TOKEN}" \ "https://git.integrolabs.net/api/v1/user") case ${STATUS} in 200) echo "✓ Token is valid" ;; 401) echo "✗ Token is invalid or expired" ;; 403) echo "✗ Token lacks required permissions" ;; *) echo "✗ Unexpected status: ${STATUS}" ;; esac EOF ``` ## Admin vs Standard Token Selection Different operations require different privilege levels: ```bash # Standard operations (roctibot) bash <<'EOF' TOKEN=$(cat ~/.config/gitea/token) # ... standard API calls ... EOF # Admin operations (roctinam) bash <<'EOF' TOKEN=$(cat ~/.config/gitea/admin-token) # ... admin API calls (create repos, manage users, etc.) ... EOF ``` ## Token File Setup First-time setup of token files: ```bash # Create directory with correct permissions mkdir -p ~/.config/gitea chmod 700 ~/.config/gitea # Create token file (replace TOKEN_VALUE with actual token) echo "TOKEN_VALUE" > ~/.config/gitea/token chmod 600 ~/.config/gitea/token # Verify permissions ls -la ~/.config/gitea/ # Should show: -rw------- 1 user user ... token ``` ## Error Handling Pattern Check for token file existence and permissions: ```bash bash <<'EOF' TOKEN_FILE=~/.config/gitea/token # Check if file exists if [ ! -f "${TOKEN_FILE}" ]; then echo "Error: Token file not found at ${TOKEN_FILE}" echo "Create token at: https://git.integrolabs.net/user/settings/applications" exit 1 fi # Check permissions PERMS=$(stat -c "%a" "${TOKEN_FILE}") if [ "${PERMS}" != "600" ]; then echo "Warning: Insecure permissions on ${TOKEN_FILE}" echo "Fixing permissions..." chmod 600 "${TOKEN_FILE}" fi # Use token TOKEN=$(cat "${TOKEN_FILE}") curl -s -H "Authorization: token ${TOKEN}" \ "https://git.integrolabs.net/api/v1/user" | jq . EOF ``` ## JSON POST with Token Secure pattern for API POST requests: ```bash bash <<'EOF' TOKEN=$(cat ~/.config/gitea/token) curl -s -X POST \ -H "Authorization: token ${TOKEN}" \ -H "Content-Type: application/json" \ "https://git.integrolabs.net/api/v1/repos/roctinam/sysops/issues" \ -d '{ "title": "New Issue", "body": "Issue description..." }' | jq . EOF ``` ## Anti-Patterns (AVOID) ### DON'T: Store in Persistent Variable ```bash # BAD: Token persists in shell environment export GITEA_TOKEN=$(cat ~/.config/gitea/token) curl -s -H "Authorization: token ${GITEA_TOKEN}" "..." # Token still accessible after command ``` ### DON'T: Echo Token Value ```bash # BAD: Token exposed in output TOKEN=$(cat ~/.config/gitea/token) echo "Token: ${TOKEN}" # NEVER DO THIS ``` ### DON'T: Pass as Command Argument ```bash # BAD: Token visible in process list ./script.sh --token "abc123..." # Visible in 'ps aux' ``` ### DON'T: Hard-Code in Files ```bash # BAD: Token committed to git GITEA_TOKEN="abc123..." # NEVER COMMIT TOKENS ``` ## Integration with Agents When documenting API usage in agent definitions: ```markdown ## Example: List Repository Issues ```bash bash <<'EOF' TOKEN=$(cat ~/.config/gitea/token) curl -s -H "Authorization: token ${TOKEN}" \ "https://git.integrolabs.net/api/v1/repos/roctinam/sysops/issues?state=all" \ | jq -r '.[] | "\(.number): \(.title)"' EOF ``` **Security Notes**: - Token loaded within heredoc scope only - Never exposed in logs or history - Automatically cleaned up after execution ``` ## Token Rotation Secure token replacement procedure: ```bash # 1. Generate new token via web UI # 2. Test new token before replacing bash <<'EOF' # Test new token (paste actual value temporarily) NEW_TOKEN="paste_new_token_here" STATUS=$(curl -s -o /dev/null -w "%{http_code}" \ -H "Authorization: token ${NEW_TOKEN}" \ "https://git.integrolabs.net/api/v1/user") if [ ${STATUS} -eq 200 ]; then echo "New token is valid" else echo "New token failed with status ${STATUS}" exit 1 fi EOF # 3. If valid, update token file atomically bash <<'EOF' echo "paste_new_token_here" > ~/.config/gitea/token.new chmod 600 ~/.config/gitea/token.new mv ~/.config/gitea/token.new ~/.config/gitea/token echo "Token updated successfully" EOF # 4. Revoke old token via web UI ``` ## Quick Reference | Use Case | Pattern | |----------|---------| | Single API call | `$(cat ~/.config/SERVICE/token)` inline | | Multiple calls | Heredoc with scoped `TOKEN` variable | | CI/CD | `${SERVICE_TOKEN}` environment variable | | Test validity | Heredoc with status code check | | Admin operations | Use `admin-token` file instead of `token` | | Setup new token | Create file with mode 600 | ## Security Checklist Before using tokens in any automation: - [ ] Token loaded from secure file or environment variable - [ ] No tokens in command-line arguments - [ ] No tokens echoed or logged - [ ] Token files have mode 600 permissions - [ ] Heredoc used for multi-line operations - [ ] No tokens in git-tracked files - [ ] Token validation tested before deployment ## References - @$AIWG_ROOT/agentic/code/frameworks/sdlc-complete/docs/token-security.md - Comprehensive security documentation - @~/.claude/CLAUDE.md - Token file locations and conventions - @$AIWG_ROOT/agentic/code/frameworks/sdlc-complete/rules/token-security.md - Enforcement rules - [Gitea API Docs](https://docs.gitea.io/en-us/api-usage/) - [GitHub Token Best Practices](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure) --- **Version History** | Version | Date | Changes | |---------|------|---------| | 1.0.0 | 2026-01-13 | Initial pattern for Issue #18 |