deploy: add pluggable env backend and sync workflow (#98)

Author: benvinegar

AGENTS.md

@@ -124,6 +124,13 @@ sudo baudbot rollback previous
 # Register a server with Slack broker (after OAuth callback)
 sudo baudbot broker register --broker-url https://broker.example.com --workspace-id T0123ABCD --auth-code <code>
 
+# Rotate an API key after setup (prompts hidden input)
+sudo baudbot env set ANTHROPIC_API_KEY --restart
+
+# Optional: use external secret source instead of ~/.baudbot/.env
+sudo baudbot env backend set-command 'your-secret-tool export baudbot-prod'
+sudo baudbot env sync --restart
+
 # Launch agent directly (debug/dev)
 sudo -u baudbot_agent ~/runtime/start.sh
 

CONFIGURATION.md

@@ -218,7 +218,34 @@ BAUDBOT_SOURCE_DIR=/home/your_username/baudbot
 
 ## Applying Configuration
 
-After editing `~/.config/.env`:
+Quick key updates after setup (recommended):
+
+```bash
+# Update a key in file backend (and mirror runtime when run with sudo)
+sudo baudbot env set ANTHROPIC_API_KEY
+
+# Optional: pass value inline + restart automatically
+sudo baudbot env set OPENAI_API_KEY sk-... --restart
+```
+
+### Optional: move source-of-truth away from `~/.baudbot/.env`
+
+`baudbot env` supports a pluggable source backend:
+
+```bash
+# Show active backend
+baudbot env backend show
+
+# Use command backend (command must output KEY=VALUE lines)
+sudo baudbot env backend set-command 'your-secret-tool export baudbot-prod'
+
+# Sync rendered source env into runtime .env and restart
+sudo baudbot env sync --restart
+```
+
+This keeps runtime compatibility (`~/.config/.env` is still rendered for varlock/startup) while moving authoritative storage to an external source.
+
+Manual edits also work. After editing `~/.config/.env` directly:
 
 ```bash
 # Re-deploy config and restart cleanly

README.md

@@ -94,6 +94,20 @@ sudo baudbot broker register \
   --auth-code <auth-code-from-oauth-callback>
 ```
 
+Need to rotate/update a key later?
+
+```bash
+sudo baudbot env set ANTHROPIC_API_KEY
+# or: sudo baudbot env set OPENAI_API_KEY sk-... --restart
+```
+
+Want to move source-of-truth off `~/.baudbot/.env` later?
+
+```bash
+sudo baudbot env backend set-command 'your-secret-tool export baudbot-prod'
+sudo baudbot env sync --restart
+```
+
 See [CONFIGURATION.md](CONFIGURATION.md) for required environment variables and secret setup.
 
 ## Core agents

bin/baudbot

@@ -112,6 +112,7 @@ usage() {
   echo "  install        Bootstrap install from GitHub (download script, then escalate)"
   echo "  setup          One-time system setup (user, deps, firewall, systemd; --experimental enables risky integrations)"
   echo "  config         Interactive secrets and config setup"
+  echo "  env            Manage env vars and backend source (set/get/sync/backend)"
   echo "  deploy         Deploy source + config to agent runtime"
   echo "  broker         Slack broker commands (register workspace linkage)"
   echo ""
@@ -706,6 +707,11 @@ case "${1:-}" in
     exec "$BAUDBOT_ROOT/bin/config.sh" "$@"
     ;;
 
+  env)
+    shift
+    exec "$BAUDBOT_ROOT/bin/env.sh" "$@"
+    ;;
+
   broker)
     shift
     case "${1:-}" in

bin/deploy.sh

@@ -43,10 +43,24 @@ else
 fi
 DEPLOY_HOME=$(getent passwd "$DEPLOY_USER" | cut -d: -f6 2>/dev/null || echo "")
 ADMIN_CONFIG="$DEPLOY_HOME/.baudbot/.env"
+RENDER_ENV_SCRIPT="$BAUDBOT_SRC/bin/render-env.sh"
+
+source_env_value() {
+  local key="$1"
+  if [ -x "$RENDER_ENV_SCRIPT" ]; then
+    BAUDBOT_ADMIN_HOME="$DEPLOY_HOME" BAUDBOT_CONFIG_USER="$DEPLOY_USER" "$RENDER_ENV_SCRIPT" --get "$key" 2>/dev/null || true
+    return 0
+  fi
+  if [ -f "$ADMIN_CONFIG" ]; then
+    grep -E "^${key}=" "$ADMIN_CONFIG" | tail -n 1 | cut -d= -f2- || true
+    return 0
+  fi
+  return 0
+}
 
 EXPERIMENTAL_MODE="${BAUDBOT_EXPERIMENTAL:-}"
-if [ -z "$EXPERIMENTAL_MODE" ] && [ -f "$ADMIN_CONFIG" ]; then
-  EXPERIMENTAL_MODE=$(grep '^BAUDBOT_EXPERIMENTAL=' "$ADMIN_CONFIG" | head -1 | cut -d= -f2- || true)
+if [ -z "$EXPERIMENTAL_MODE" ]; then
+  EXPERIMENTAL_MODE="$(source_env_value BAUDBOT_EXPERIMENTAL)"
 fi
 case "$EXPERIMENTAL_MODE" in
   1|true|TRUE|yes|YES|on|ON) EXPERIMENTAL_MODE=1 ;;
@@ -320,12 +334,22 @@ fi
 
 echo "Deploying config..."
 
-# Uses admin config resolved near script start (ADMIN_CONFIG).
+# Uses admin env source resolved near script start.
 
-if [ -f "$ADMIN_CONFIG" ]; then
+if [ -x "$RENDER_ENV_SCRIPT" ] && BAUDBOT_ADMIN_HOME="$DEPLOY_HOME" BAUDBOT_CONFIG_USER="$DEPLOY_USER" "$RENDER_ENV_SCRIPT" --check >/dev/null 2>&1; then
+  if [ "$DRY_RUN" -eq 0 ]; then
+    as_agent bash -c "mkdir -p '$BAUDBOT_HOME/.config'"
+    # Stream rendered config directly to agent-owned target to avoid staging secrets in /tmp.
+    BAUDBOT_ADMIN_HOME="$DEPLOY_HOME" BAUDBOT_CONFIG_USER="$DEPLOY_USER" "$RENDER_ENV_SCRIPT" | as_agent bash -c "cat > '$BAUDBOT_HOME/.config/.env'"
+    as_agent chmod 600 "$BAUDBOT_HOME/.config/.env"
+    log "✓ env source → ~/.config/.env (600)"
+  else
+    log "would render env source → ~/.config/.env"
+  fi
+elif [ -f "$ADMIN_CONFIG" ]; then
+  # Backward-compatible fallback for older checkouts without render-env.sh.
   if [ "$DRY_RUN" -eq 0 ]; then
     as_agent bash -c "mkdir -p '$BAUDBOT_HOME/.config'"
-    # Stream directly to agent-owned target to avoid staging secrets in /tmp.
     as_agent bash -c "cat > '$BAUDBOT_HOME/.config/.env'" < "$ADMIN_CONFIG"
     as_agent chmod 600 "$BAUDBOT_HOME/.config/.env"
     log "✓ .env → ~/.config/.env (600)"
@@ -335,9 +359,9 @@ if [ -f "$ADMIN_CONFIG" ]; then
 else
   # Fallback: check if agent already has a .env (written directly by old install.sh)
   if as_agent test -f "$BAUDBOT_HOME/.config/.env" 2>/dev/null; then
-    log "- .env: using existing agent config (no ~/.baudbot/.env found)"
+    log "- .env: using existing agent config (no env source found)"
   else
-    log "⚠ no config found — run: baudbot config"
+    log "⚠ no config source found — run: baudbot config or configure 'baudbot env backend'"
   fi
 fi
 

bin/doctor.sh

@@ -92,15 +92,24 @@ fi
 echo ""
 echo "Admin config:"
 
-# Check for admin config dir
+# Check for admin config/env source
 ADMIN_USER="${SUDO_USER:-$(whoami)}"
 ADMIN_HOME=$(getent passwd "$ADMIN_USER" | cut -d: -f6 2>/dev/null || echo "")
 ADMIN_CONFIG="$ADMIN_HOME/.baudbot/.env"
+BACKEND_CONF="$ADMIN_HOME/.baudbot/env-store.conf"
+RENDER_ENV_SCRIPT="${BAUDBOT_ROOT:-$(cd "$(dirname "$0")/.." && pwd)}/bin/render-env.sh"
 
-if [ -n "$ADMIN_HOME" ] && [ -f "$ADMIN_CONFIG" ]; then
+ADMIN_BACKEND="file"
+if [ -f "$BACKEND_CONF" ]; then
+  ADMIN_BACKEND=$(grep -E '^BAUDBOT_ENV_BACKEND=' "$BACKEND_CONF" | tail -n1 | cut -d= -f2- || echo "file")
+fi
+
+if [ -n "$ADMIN_HOME" ] && [ -x "$RENDER_ENV_SCRIPT" ] && BAUDBOT_ADMIN_HOME="$ADMIN_HOME" BAUDBOT_CONFIG_USER="$ADMIN_USER" "$RENDER_ENV_SCRIPT" --check >/dev/null 2>&1; then
+  pass "admin env source is configured (backend: $ADMIN_BACKEND)"
+elif [ -n "$ADMIN_HOME" ] && [ -f "$ADMIN_CONFIG" ]; then
   pass "admin config exists ($ADMIN_CONFIG)"
 else
-  warn "admin config not found at $ADMIN_CONFIG (run: baudbot config)"
+  warn "admin env source not found (run: baudbot config, or configure: baudbot env backend ...)"
 fi
 
 echo ""