Description
I noticed a discrepancy between the setup skill (/.claude/skills/setup/SKILL.md) and how secrets are actually
consumed at runtime.
Current behavior in SKILL.md:
The setup flow writes all credentials to the project-root .env file:
echo "CLAUDE_CODE_OAUTH_TOKEN=<token>" >> .env
echo "ANTHROPIC_API_KEY=<key>" >> .env
echo "MEM0_API_KEY=<key>" >> .env
How the code actually works:
- Container secrets are resolved by src/secrets.ts → loadSecrets(), which reads from ~/.config/hydra/secrets.env
(not .env).
- These are injected into containers via Docker -e flags through resolveContainerSecrets().
- The project-root .env is loaded by dotenv/config into process.env, which is used by the host process (e.g.,
env:TELEGRAM_BOT_TOKEN references in hydra.yaml).
So if a user follows the setup skill, their CLAUDE_CODE_OAUTH_TOKEN ends up in .env but the container never
reads it from there — it looks in secrets.env and finds nothing.
I'm not sure if this is intentional or an oversight — is there a reason the setup skill targets .env rather than
~/.config/hydra/secrets.env? For example, is there a planned migration to unify the two files, or does the host
process also need CLAUDE_CODE_OAUTH_TOKEN in process.env for something I'm not seeing?
Would appreciate any clarification on the intended design here.
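
A quick way to check a machine for the state described above, as an added example that is not part of the original issue or the hydra code base: it reports which names were written to the project-root .env but are absent from the secrets file, comparing names only and never printing values. The function names and the sample files are constructed here, and treating all three keys from the setup skill as container secrets is an assumption.

```shell
#!/bin/sh
# Added example, not hydra code. Names only: secret values are never printed.

# List the variable names defined in a dotenv-style file, one per line.
# Skips comments and blank lines, accepts an optional "export " prefix, and
# collapses duplicates (the setup skill appends with >>, so reruns repeat keys).
env_keys() {
    [ -r "$1" ] || return 0    # a missing file defines nothing
    sed -n 's/^[[:space:]]*\(export[[:space:]]\{1,\}\)\{0,1\}\([A-Za-z_][A-Za-z0-9_]*\)=.*/\2/p' "$1" | sort -u
}

# Usage: misplaced_secrets PROJECT_ENV SECRETS_ENV KEY...
# Prints every KEY that is defined in PROJECT_ENV but not in SECRETS_ENV,
# i.e. a secret the container will look for and not find.
misplaced_secrets() {
    project_env=$1
    secrets_env=$2
    shift 2
    for key in "$@"; do
        if env_keys "$project_env" | grep -qxF "$key" &&
           ! env_keys "$secrets_env" | grep -qxF "$key"; then
            printf '%s\n' "$key"
        fi
    done
}

# Constructed sample files reproducing the state the issue describes:
# the token is in .env, and the secrets file has no entry for it.
demo=$(mktemp -d)
printf 'CLAUDE_CODE_OAUTH_TOKEN=constructed-value\nTELEGRAM_BOT_TOKEN=constructed-value\n' > "$demo/.env"
printf '# nothing written here by the setup flow\n' > "$demo/secrets.env"

# Assumption: all three keys the setup skill writes are container secrets.
misplaced_secrets "$demo/.env" "$demo/secrets.env" \
    CLAUDE_CODE_OAUTH_TOKEN ANTHROPIC_API_KEY MEM0_API_KEY
rm -rf "$demo"
```

On a real checkout the same call would take `.env` and `~/.config/hydra/secrets.env` as its first two arguments.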