The resume command previously showed the session *name* (e.g.
`claude --resume issue-146`), which does not work because
`claude --resume` requires the session UUID, not its name.
Changes:
- Add `_find_session_uuid(session_name)` that scans Claude's JSONL
files to look up the UUID for a named session.
- `_run_loop()` now resolves the UUID and prints
`claude --resume <uuid>` when an agent is running; falls back to
a hint to run `scripts/agent_loop.py list` if the UUID cannot be
found yet.
- `_start_agent()` no longer prints a broken resume command (the UUID
is not available immediately at startup); it now directs the user
to `scripts/agent_loop.py list`.
- Module docstring updated to document the UUID-based resume workflow.
- 13 new tests covering `_find_session_uuid()` and the updated resume
output in `_run_loop()`.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Add a "Credential Security" section to DAGGER.md that explains the
current problem (production secrets stored in Codeberg alongside Dagger
TLS credentials) and lists four solutions with pros/cons:
1. Runner-level environment variables — simplest, no new infra
2. Secret files on CI host with restricted permissions — OS-enforced isolation
3. Dagger host as pipeline orchestrator — cleanest security boundary
4. External secret manager (Vault) — full audit trail, team-scale solution
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
