From 6a94faa0e0380947e40b9cf0a917a7d40f62df02 Mon Sep 17 00:00:00 2001
From: Matt <matt@letsbe.solutions>
Date: Tue, 9 Dec 2025 16:01:04 +0100
Subject: [PATCH] fix: Add CREDENTIALS_PATH and REGISTRATION_TOKEN for
 persistent auth
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Add REGISTRATION_TOKEN env var (replaces legacy AGENT_TOKEN for new registrations)
- Add CREDENTIALS_PATH=/home/agent/.letsbe-agent/credentials.json to fix
  path mismatch (agent runs as root, ~ expands to /root, but volume is
  mounted at /home/agent/.letsbe-agent)
- Reduce CIRCUIT_BREAKER_COOLDOWN from 300s to 30s for faster recovery
- Update comments to clarify credential persistence behavior

This fixes the issue where agents would fail to reconnect after container
restarts because credentials were being saved to /root/.letsbe-agent/
instead of the persisted volume at /home/agent/.letsbe-agent/

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
---
 docker-compose.yml | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index cd94895..d2532df 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -10,11 +10,19 @@ services:
     environment:
       # Required: Orchestrator connection
       - ORCHESTRATOR_URL=${ORCHESTRATOR_URL:-http://host.docker.internal:8000}
-      - AGENT_TOKEN=${AGENT_TOKEN:-dev-token}
 
-      # Tenant assignment
-      # Required in production. Set to the tenant UUID this agent belongs to.
-      # Example: TENANT_ID=550e8400-e29b-41d4-a716-446655440000
+      # Registration token for first-time registration (multi-use tokens recommended)
+      # After registration, credentials are persisted and token is no longer needed
+      - REGISTRATION_TOKEN=${REGISTRATION_TOKEN:-}
+
+      # Credentials path - must match the volume mount for persistence across restarts
+      # Agent runs as root, so ~ expands to /root, but volume is at /home/agent/.letsbe-agent
+      - CREDENTIALS_PATH=/home/agent/.letsbe-agent/credentials.json
+
+      # Legacy auth (deprecated - use REGISTRATION_TOKEN instead)
+      - AGENT_TOKEN=${AGENT_TOKEN:-}
+
+      # Tenant assignment (set automatically after registration via token)
       - TENANT_ID=${TENANT_ID:-}
 
       # Timing (seconds)
@@ -30,7 +38,7 @@ services:
       - BACKOFF_BASE=${BACKOFF_BASE:-1.0}
       - BACKOFF_MAX=${BACKOFF_MAX:-60.0}
       - CIRCUIT_BREAKER_THRESHOLD=${CIRCUIT_BREAKER_THRESHOLD:-5}
-      - CIRCUIT_BREAKER_COOLDOWN=${CIRCUIT_BREAKER_COOLDOWN:-300}
+      - CIRCUIT_BREAKER_COOLDOWN=${CIRCUIT_BREAKER_COOLDOWN:-30}
 
       # Security
       - ALLOWED_FILE_ROOT=${ALLOWED_FILE_ROOT:-/opt/letsbe}
@@ -56,7 +64,7 @@ services:
       - /opt/letsbe/stacks:/opt/letsbe/stacks
       - /opt/letsbe/nginx:/opt/letsbe/nginx
 
-      # Pending results persistence
+      # Credentials and pending results persistence
       - agent_home:/home/agent/.letsbe-agent
 
       # Playwright artifacts storage