From c3cd924cddfdfb87e3941bead0642e2b24fb0207 Mon Sep 17 00:00:00 2001
From: Manohar
Date: Wed, 10 Jun 2026 02:46:48 +0000
Subject: [PATCH] fix(bridge): read bridge token from env in agents-activity

The bearer token was hardcoded in source and leaked via the public GitHub mirror. Token itself rotated server-side as part of this deploy.
---
 bridge/src/routes/agents-activity.ts | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/bridge/src/routes/agents-activity.ts b/bridge/src/routes/agents-activity.ts
index 0855577..2f0bd35 100644
--- a/bridge/src/routes/agents-activity.ts
+++ b/bridge/src/routes/agents-activity.ts
@@ -37,9 +37,12 @@ function timeAgo(timestamp: number | null): string {
 router.get("/", async (_req: Request, res: Response) => {
 try {
- // Use execInSandbox to call /tiger/agents from inside OpenClaw container
+ // Use execInSandbox to call /tiger/agents from inside OpenClaw container.
+ // Token comes from env — a previous version hardcoded it here, which
+ // leaked it to the public GitHub mirror (rotated 2026-06-10).
+ const token = process.env.TIGER_BRIDGE_TOKEN || "";
 const { stdout } = await execInSandbox(
- `curl -s "http://172.17.0.1:3456/tiger/agents" -H "Authorization: Bearer 14fb879429386b69beac339bbd98e43011ec29485da17592410da34ed97e0236"`
+ `curl -s "http://172.17.0.1:3456/tiger/agents" -H "Authorization: Bearer ${token}"`
 );
 let rawData: any;
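Review bot: The `|| ""` fallback on the new `const token` line fails open: when `TIGER_BRIDGE_TOKEN` is unset the route still runs curl with an empty `Authorization: Bearer ` header, and the misconfiguration only shows up as whatever the upstream replies. The value is also interpolated into a double-quoted shell string, so a `"`, `$` or backtick in the environment value would change the command that runs in the sandbox. Both are covered by one guard before the `execInSandbox` call, inside the existing `try`: `if (!/^[A-Za-z0-9._~+\/=-]+$/.test(token)) throw new Error("TIGER_BRIDGE_TOKEN missing or malformed");`. Because the secret travels on the curl command line, it would also be worth confirming that `execInSandbox` (not visible here) does not log its argument. The handler body continues past the end of the hunk.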