Problem
Containerized dev-loop runs need GitHub authentication for git operations, gh CLI, PR comments, and push. No dedicated token contract exists — only scattered GH_TOKEN mentions.
Decisions (concrete)
| # |
Decision |
Resolution |
| 1 |
Token type |
Fine-grained PAT (not classic PAT, not GitHub App — MVP) |
| 2 |
Required scopes |
Contents: Read & Write, Pull requests: Read & Write, Metadata: Read — no org/admin/delete |
| 3 |
Injection mechanism |
docker run -e GH_TOKEN=$GH_TOKEN — no Docker secrets, no mounted credential files for MVP |
| 4 |
Identity model |
Single bot PAT shared across all containers on one host |
| 5 |
Host-side storage |
Operator chooses one: macOS Keychain → loaded into shell env, .env file (gitignored), or plain env var — injected at docker run time |
| 6 |
Token lifetime |
Fine-grained PATs support 1-year max; operator sets expiry; rotation is manual for MVP |
| 7 |
Stale-token detection |
Container startup validates GH_TOKEN present + calls gh auth status --hostname github.com before any git/gh op |
| 8 |
Multi-container parallel |
Same token re-used; fine-grained PATs support concurrent requests without contention |
Scope
- Token specification: type, required scopes, lifetime window
- Injection contract:
GH_TOKEN env var via docker run -e — no alternatives for MVP
- Host-side storage: documented options (keychain,
.env, env var) with security guidance
- Startup validation:
GH_TOKEN present + gh auth status check before first operation
- Error surfaces: missing token → non-zero exit with clear message; expired/invalid → same
- Rotation strategy: documented manual rotation steps; automated rotation is out of scope
Non-goals
- GitHub App installation tokens (post-MVP upgrade path)
- OAuth flow or interactive browser login inside container
- Docker secrets or mounted credential files
- Automated token renewal / refresh flows
- Multi-node token distribution (single-machine only)
- Replacing host
gh auth — container concern only
- Per-run ephemeral tokens
Acceptance Criteria
Definition of Done
AC / DoD Matrix
| AC |
DoD gate |
Notes |
| AC1 |
Startup validation script |
Exit ≠ 0 + message on missing token |
| AC2 |
Startup validation script + integration test |
gh auth status non-zero path |
| AC3 |
Integration test (or manual smoke) |
All three gh/git ops verified |
| AC4 |
Docs PR merged |
README section in parent #716 |
| AC5 |
Parallel-container test / manual log |
No 401/403 under shared PAT |
| AC6 |
Image inspection / Dockerfile review |
No secret leak in layers |
| AC7 |
Startup script + CI check |
Orchestration can catch failure |
Problem
Containerized dev-loop runs need GitHub authentication for git operations,
ghCLI, PR comments, and push. No dedicated token contract exists — only scatteredGH_TOKENmentions.Decisions (concrete)
Contents: Read & Write,Pull requests: Read & Write,Metadata: Read— no org/admin/deletedocker run -e GH_TOKEN=$GH_TOKEN— no Docker secrets, no mounted credential files for MVP.envfile (gitignored), or plain env var — injected atdocker runtimeGH_TOKENpresent + callsgh auth status --hostname github.combefore any git/gh opScope
GH_TOKENenv var viadocker run -e— no alternatives for MVP.env, env var) with security guidanceGH_TOKENpresent +gh auth statuscheck before first operationNon-goals
gh auth— container concern onlyAcceptance Criteria
GH_TOKENis absentGH_TOKENis invalid or expired (gh auth statusnon-zero)git push,gh pr comment, andgh pr createall succeed inside container when a valid fine-grained PAT with required scopes is injected viadocker run -e GH_TOKEN=...GH_TOKENto disk inside the container image or filesystemDefinition of Done
docker run -e GH_TOKENpattern is used in all container invocation examples in docs and codeAC / DoD Matrix
gh auth statusnon-zero path