fix: isolate GitHub token selection by cwd git remote owner#28
Merged
smartwatermelon merged 1 commit intomainfrom Mar 27, 2026
Merged
fix: isolate GitHub token selection by cwd git remote owner#28smartwatermelon merged 1 commit intomainfrom
smartwatermelon merged 1 commit intomainfrom
Conversation
load_github_token() now detects the repo owner from the cwd's git
remote and selects the matching per-org token (env var or flat file).
This prevents sessions in nightowlstudiollc repos from getting the
smartwatermelon token.
Key changes:
- Detect cwd owner from git remote origin URL
- Check GH_TOKEN_{OWNER} env vars before flat files
- Move load_github_token call after inject_secrets in the wrapper
so 1Password-injected env vars are available
- Remove default GH_TOKEN from secrets.op to prevent override
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
load_github_token()now detects the repo owner from the cwd's git remote and selects the matching per-org token (GH_TOKEN_{OWNER}env var → flat file fallback)load_github_tokencall to afterinject_secretsin the wrapper so 1Password env vars are availableGH_TOKENfromsecrets.opand deleted the defaultgh-tokenflat file to prevent cross-org token leakagePreviously, sessions in nightowlstudiollc repos started with the smartwatermelon token as default, giving access to both orgs. Now the session token matches the cwd's repo owner.
Test plan
~/Developer/clients/amelia-boone— verify only nightowlstudiollc repos accessible~/Developer/claude-wrapper— verify only smartwatermelon repos accessibleGH_TOKENset (graceful degradation)🤖 Generated with Claude Code