docs(agent): clarify claude oauth env
test / unit (pull_request) Successful in 29s
test / integration (pull_request) Successful in 43s

2026-05-28 18:20:09 -04:00
parent cacba087c9
commit cdb1870b1c
14 changed files with 41 additions and 40 deletions
+1 -1
@@ -26,7 +26,7 @@ entry and pushes straight at gitea/github with ssh-gate doing dumb
L4 forwarding. There is no boundary between "the agent thinks this
commit is fine" and "the secret hits an external remote." If a
compromised or careless agent stages a `.env`, slips a token into
a fixture, or commits the `BOT_BOTTLE_OAUTH_TOKEN` itself, `git
a fixture, or commits the `BOT_BOTTLE_CLAUDE_OAUTH_TOKEN` itself, `git
push` ships it.
Host-side pre-commit / pre-push hooks are the usual defense, but
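Review bot: On the changed line that now names `BOT_BOTTLE_CLAUDE_OAUTH_TOKEN`, the paragraph mentions only the new variable, so a reader cannot tell whether the old `BOT_BOTTLE_OAUTH_TOKEN` name is still read anywhere or has been retired. Because this passage is about a token leaking through `git push`, any secret-scanning pattern or hook that matches on the variable name should cover both names until the old one is gone, and a short note here saying the variable was renamed would make that clear. The commit is typed `docs` but the summary lists 14 changed files, so please confirm that none of them change which variable the code actually reads; if they do, the commit type and message should say so.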