New page covering installation, wincred credential storage, config.yaml setup, and service validation for running baton-runner on Windows Server. Added to the Deploy connectors nav group.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Walkthrough

Adds two new baton-runner documentation pages (general config reference and Windows service guide) and updates site navigation to include them under Deploy connectors.
🧹 Nitpick comments (2)
baton/baton-runner-windows.mdx (2)
58-66: Consider adding a security reminder about the temporary plaintext credentials.
The YAML files contain plaintext credentials. While the cleanup step at line 196 mentions deleting these files, it might be helpful to add a brief warning here that these are temporary and will be secured via wincred in subsequent steps.
📝 Suggested addition
Open each connector YAML file in Notepad and add the following, replacing the values with the connection string and ConductorOne credentials for that instance: +<Note> +These files temporarily contain plaintext credentials. You'll import them into Windows Credential Manager in the next section and can delete these files afterward. +</Note> + ```yaml BATON_DSN: server=192.168.1.40;user id=sa;password=YOUR_PASSWORD;port=1434🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@baton/baton-runner-windows.mdx` around lines 58 - 66, Add a brief security reminder next to the YAML block in the Step that instructs editing connector YAML files: note that the BATON_DSN, BATON_CLIENT_ID and BATON_CLIENT_SECRET are temporary plaintext credentials, advise using them only for initial setup, warn to avoid committing or sharing the files, and call out that these credentials will be secured via wincred in subsequent steps and removed in the cleanup step referenced later (the YAML block containing BATON_DSN/BATON_CLIENT_ID/BATON_CLIENT_SECRET and the cleanup step at the end).
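Review bot: The added `<Note>` says readers "can delete these files afterward", which keeps cleanup optional at the exact point where the plaintext is created; word it as an instruction ("delete these files after the import") so it agrees with the cleanup step. The context line under it also shows `user id=sa` in the `BATON_DSN` example, so the sample should use a dedicated least-privilege login rather than the SQL Server administrator account.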
195-197: Consider strengthening the recommendation to delete plaintext credential files.
Marking this as "Optional" may lead users to leave plaintext credentials on disk. Since the credentials are now stored securely in wincred, deleting these files should be a recommended practice rather than optional.
📝 Suggested change
<Step> -**Optional.** After confirming all connectors are syncing across several sync cycles, delete or clear the connector YAML files (`sql1.yaml`, `sql2.yaml`). These files contained plaintext credentials and are no longer needed once the secrets are stored in wincred. +**Recommended.** After confirming all connectors are syncing across several sync cycles, delete the connector YAML files (`sql1.yaml`, `sql2.yaml`). These files contain plaintext credentials and are no longer needed once the secrets are stored in wincred. </Step>🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@baton/baton-runner-windows.mdx` around lines 195 - 197, Change the guidance from optional to recommended: update the Step text that references `sql1.yaml` and `sql2.yaml` and `wincred` to instruct users to delete or securely wipe those plaintext connector YAML files after confirming connectors sync across several cycles, rather than marking it "Optional"; mention that credentials are now stored in `wincred` and recommend deletion or secure clearing of the files to remove plaintext secrets from disk.
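Review bot: In the `+` line, "**Recommended.**" is still a label the reader may skip, so the plaintext `sql1.yaml` and `sql2.yaml` can stay on disk; drop the label and state the deletion as an imperative step. The same line also removes "or clear", which was the only option for readers who keep the file as a template, so either restore it or say that the files are not needed again.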
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Actionable comments posted: 1
🧹 Nitpick comments (1)
baton/baton-runner-windows.mdx (1)
19-20: Add a direct download link for the baton-runner installer.
You link `baton-sql-server` on Line 19, but Line 20 references the baton-runner installer without a URL. Adding the explicit link improves completion rate and reduces guesswork.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@baton/baton-runner-windows.mdx` around lines 19 - 20, The documentation currently links to baton-sql-server but omits a direct URL for the baton-runner installer; update the content where the installer is referenced (the line mentioning "The baton-runner installer downloaded") to include the explicit download URL for the baton-runner installer so users can click directly; make sure the text uses the same markdown link format as the existing baton-sql-server reference and verify the URL points to the official baton-runner installer release.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@baton/baton-runner-windows.mdx`:
- Line 196: Change the guidance that currently marks removing plaintext
connector YAMLs as "Optional" to a mandatory cleanup step: require users to
delete or securely wipe the connector files (sql1.yaml, sql2.yaml) after
verifying the secrets are stored in wincred, and update the sentence to
explicitly state deletion/secure erasure is required to avoid lingering
plaintext credentials on disk. Ensure the revised text replaces the word
"Optional" and adds a one-line imperative (e.g., "Delete or securely wipe
sql1.yaml and sql2.yaml now that credentials are in wincred") so readers cannot
skip this cleanup.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Actionable comments posted: 1
♻️ Duplicate comments (1)
baton/baton-runner-windows.mdx (1)
212-212: ⚠️ Potential issue | 🟠 Major
Make plaintext connector-file cleanup mandatory, not optional.
Line 212 still allows skipping deletion of files that contain plaintext secrets. This should be a required cleanup step immediately after validation.
Suggested doc fix
-**Optional.** After confirming all connectors are syncing across several sync cycles, delete or clear the connector YAML files (`sql1.yaml`, `sql2.yaml`). These files contained plaintext credentials and are no longer needed once the secrets are stored in wincred. +After confirming baton-runner starts successfully and both connectors sync, delete or securely wipe `sql1.yaml` and `sql2.yaml` immediately. These files contain plaintext credentials and are no longer needed once secrets are stored in wincred.🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@baton/baton-runner-windows.mdx` at line 212, The step that currently reads "Optional." about deleting connector YAML files (`sql1.yaml`, `sql2.yaml`) must be changed to a required immediate cleanup: update the text to mark it "Mandatory." and instruct users to delete or securely clear those connector files immediately after validating that connectors are syncing (no longer allowing skipping), referencing the plaintext-secret files `sql1.yaml` and `sql2.yaml` and the fact secrets are stored in wincred; ensure the sentence enforces immediate action (e.g., "Delete or securely clear `sql1.yaml` and `sql2.yaml` immediately after validation") and remove any language that permits postponing this step.
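Review bot: The `+` line replaces "across several sync cycles" with "starts successfully and both connectors sync" and adds "immediately", so a reader can delete the only copy of the connection settings after a single successful sync; keep the original observation window or say how to confirm that the wincred entries are the ones in use. "securely wipe" is also left undefined in the new sentence; name the expected method or use plain "delete".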
Test the configuration by running baton-runner from PowerShell. Press **Ctrl+C** to stop it once you've confirmed it starts without errors:

```powershell
& "C:\Program Files (x86)\ConductorOne\baton-runner\baton-runner.exe" -c .\config.yaml
```
Use an absolute config path in the test command.
Line 170 depends on the current working directory. If the shell isn’t in C:\ProgramData\ConductorOne\baton-runner, the check can fail or read the wrong file.
Suggested doc fix
-& "C:\Program Files (x86)\ConductorOne\baton-runner\baton-runner.exe" -c .\config.yaml
+& "C:\Program Files (x86)\ConductorOne\baton-runner\baton-runner.exe" -c "C:\ProgramData\ConductorOne\baton-runner\config.yaml"📝 Committable suggestion
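Review bot: The `+` line hard-codes `C:\ProgramData\ConductorOne\baton-runner\config.yaml` in the test command only, so if the service is registered with a different `-c` value the interactive test validates a file the service never reads. Add a sentence next to the command stating that this must be the same path the service is configured with.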
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@baton/baton-runner-windows.mdx` around lines 167 - 171, The PowerShell test
uses a relative path (.\config.yaml) which can fail if the shell's CWD isn't the
baton-runner config folder; update the example command that invokes
baton-runner.exe so it uses the absolute config path (e.g., replace
.\config.yaml with the full path to
C:\ProgramData\ConductorOne\baton-runner\config.yaml) so the invocation of
baton-runner.exe reliably loads the intended config file.
Covers all config.yaml options, all four documented secret backends (wincred, insecure, AWS Secrets Manager, HashiCorp Vault), and log level. Secret Server included as a commented-out section pending confirmation. Also trims the Windows guide intro to link to the reference page instead, and adds the reference page to the Deploy connectors nav group. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
♻️ Duplicate comments (2)
baton/baton-runner-windows.mdx (2)
167-171: ⚠️ Potential issue | 🟡 Minor
Use an absolute config path in the test command.
Line 170 relies on the current working directory; using an absolute path makes this check reliable.
Suggested fix
-& "C:\Program Files (x86)\ConductorOne\baton-runner\baton-runner.exe" -c .\config.yaml +& "C:\Program Files (x86)\ConductorOne\baton-runner\baton-runner.exe" -c "C:\ProgramData\ConductorOne\baton-runner\config.yaml"🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@baton/baton-runner-windows.mdx` around lines 167 - 171, The test command uses a relative path (.\config.yaml) which depends on the current working directory; update the invocation of baton-runner.exe so the -c argument uses the absolute path to the config file (full filesystem path to config.yaml) instead of .\config.yaml to make the check reliable—locate the code sample invoking "baton-runner.exe" and replace the relative config path with the absolute path to your config.yaml.
212-213: ⚠️ Potential issue | 🟠 Major
Make plaintext credential cleanup mandatory, not optional.
Line 212 currently allows skipping deletion of files that contain plaintext secrets, which weakens the security guidance.
Suggested fix
-**Optional.** After confirming all connectors are syncing across several sync cycles, delete or clear the connector YAML files (`sql1.yaml`, `sql2.yaml`). These files contained plaintext credentials and are no longer needed once the secrets are stored in wincred. +After confirming baton-runner starts successfully and both connectors sync, delete or securely clear the connector YAML files (`sql1.yaml`, `sql2.yaml`) immediately. These files contain plaintext credentials and are no longer needed once secrets are stored in wincred.🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@baton/baton-runner-windows.mdx` around lines 212 - 213, Change the guidance in the Step element that currently reads "Optional. After confirming..." to make removal mandatory: replace the "Optional" phrasing with a direct instruction to securely delete or securely overwrite/clear the connector YAML files (sql1.yaml, sql2.yaml, sql3.yaml, etc.) that contained plaintext credentials once secrets are stored in wincred, and remove any language that allows skipping the cleanup; update the Step block in baton/baton-runner-windows.mdx (the Step element containing the plaintext-credential cleanup sentence) to instruct secure deletion or secure wiping and to verify files are removed.
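A check for the cleanup step these comments keep returning to, as an added example that is not part of the PR or of baton-runner: it lists YAML files that still hold values for `BATON_DSN`, `BATON_CLIENT_ID` or `BATON_CLIENT_SECRET`, and which identities have access to them, without printing the values. The function name, the scanned folder and the sample file are assumptions constructed for illustration.

```powershell
# Added example: audit for leftover plaintext connector credentials.
# Find-PlaintextConnectorSecret is a hypothetical helper, not part of baton-runner.
function Find-PlaintextConnectorSecret {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        # Keys the review comments name as plaintext credentials.
        [string[]]$SecretKeys = @('BATON_DSN', 'BATON_CLIENT_ID', 'BATON_CLIENT_SECRET')
    )

    # Match "KEY: value" with a non-empty value; commented-out lines do not match.
    $escaped = $SecretKeys | ForEach-Object { [regex]::Escape($_) }
    $pattern = '^\s*(?<key>' + ($escaped -join '|') + ')\s*:\s*(?<value>\S.*)$'

    Get-ChildItem -LiteralPath $Path -File -Recurse |
        Where-Object { $_.Extension -in '.yaml', '.yml' } |
        ForEach-Object {
            $file = $_
            # Identities with an Allow entry on the file.
            $allowed = (Get-Acl -LiteralPath $file.FullName).Access |
                Where-Object { $_.AccessControlType -eq 'Allow' } |
                ForEach-Object { $_.IdentityReference.Value } |
                Sort-Object -Unique

            Select-String -LiteralPath $file.FullName -Pattern $pattern |
                ForEach-Object {
                    $m = $_.Matches[0]
                    [pscustomobject]@{
                        File        = $file.FullName
                        Line        = $_.LineNumber
                        Key         = $m.Groups['key'].Value
                        # Report only the length so the audit output holds no secret.
                        ValueLength = $m.Groups['value'].Value.Trim().Length
                        AllowedTo   = $allowed -join '; '
                    }
                }
        }
}

# Constructed sample input: a throwaway folder with one connector file.
$demo = Join-Path ([IO.Path]::GetTempPath()) ("baton-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null
@'
# constructed sample, not a real connector file
BATON_DSN: server=192.0.2.10;user id=svc_baton;password=CONSTRUCTED_VALUE;port=1434
BATON_CLIENT_ID: constructed-client-id
BATON_CLIENT_SECRET: constructed-secret
'@ | Set-Content -LiteralPath (Join-Path $demo 'sql1.yaml')

$findings = @(Find-PlaintextConnectorSecret -Path $demo)
$findings | Format-Table File, Line, Key, ValueLength, AllowedTo -AutoSize

# After cleanup the same call should return nothing.
Remove-Item -LiteralPath (Join-Path $demo 'sql1.yaml')
if (-not (Find-PlaintextConnectorSecret -Path $demo)) { 'No plaintext connector secrets found.' }
Remove-Item -LiteralPath $demo -Recurse -Force
```

Point `-Path` at the folder that holds the connector YAML files once the secrets are in wincred; any row in the output is a file that still needs to be removed.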
- Add log-level as a top-level config.yaml key (not just an env var)
- Add real-world example showing config-driven connectors with BATON_CONFIG_PATH, BATON_FILE, and BATON_PROVISIONING patterns
- Document both config file and env var options for log level

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Actionable comments posted: 1
```yaml
- name: HTTP_API_App_01
path: C:\ConductorOne\baton-http.exe
config:
env:
BATON_CONFIG_PATH: C:\ConductorOne\HTTP_API_App_01.yaml
BATON_FILE: C:\ConductorOne\HTTP_API_App_01.c1z
BATON_PROVISIONING: true
envFrom:
secrets:
DB_PASSWORD: HTTP_API_App_01:DB_PASSWORD
BATON_CLIENT_ID: HTTP_API_App_01:BATON_CLIENT_ID
BATON_CLIENT_SECRET: HTTP_API_App_01:BATON_CLIENT_SECRET
```
Possible copy-paste error: DB_PASSWORD for HTTP API connector.
The HTTP_API_App_01 connector uses DB_PASSWORD as the secret key, but this is described as an HTTP API application. This appears to be a copy-paste artifact from the database connectors above. Consider using a more appropriate key name like API_KEY or API_TOKEN for consistency with the connector type.
📝 Suggested fix
- name: HTTP_API_App_01
path: C:\ConductorOne\baton-http.exe
config:
env:
BATON_CONFIG_PATH: C:\ConductorOne\HTTP_API_App_01.yaml
BATON_FILE: C:\ConductorOne\HTTP_API_App_01.c1z
BATON_PROVISIONING: true
envFrom:
secrets:
- DB_PASSWORD: HTTP_API_App_01:DB_PASSWORD
+ API_TOKEN: HTTP_API_App_01:API_TOKEN
BATON_CLIENT_ID: HTTP_API_App_01:BATON_CLIENT_ID
BATON_CLIENT_SECRET: HTTP_API_App_01:BATON_CLIENT_SECRET📝 Committable suggestion
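Review bot: The `+` line renames both sides of the mapping, so `HTTP_API_App_01:API_TOKEN` no longer matches a secret that a reader following the earlier draft stored as `HTTP_API_App_01:DB_PASSWORD`; the page should say that the stored secret must be created under the new name, and that the file at `BATON_CONFIG_PATH` has to reference `API_TOKEN` as well. Separately, the context line `BATON_PROVISIONING: true` is an unquoted YAML boolean inside an `env` map; quote it as `"true"` if env values are expected to be strings.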
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@baton/baton-runner.mdx` around lines 94 - 105, The secret mapping for the
HTTP_API_App_01 connector uses DB_PASSWORD which looks like a copy-paste from a
DB connector; update the envFrom->secrets key for HTTP_API_App_01 to a more
appropriate name (e.g., API_KEY or API_TOKEN) so the entry under
HTTP_API_App_01:DB_PASSWORD becomes HTTP_API_App_01:API_KEY (or API_TOKEN),
leaving BATON_CLIENT_ID and BATON_CLIENT_SECRET unchanged; locate the
HTTP_API_App_01 block in the YAML snippet and replace the DB_PASSWORD secret key
accordingly.
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Summary
baton/baton-runner-windows.mdx
config.yaml, and validating syncs
docs.json
Changes from the original draft
<Steps>/<Step> components
<Note> callouts
BATON_CLIENT SECRET → BATON_CLIENT_SECRET
ctl c → Ctrl+C
Test plan
🤖 Generated with Claude Code