fix: roundhouse installer asks for bot token directly#45
Conversation
…ts Manager UX improvement: instead of asking for a Secrets Manager ARN (which requires pre-creating the secret), the installer now: 1. Prompts for the actual Telegram bot token 2. Validates the format 3. Auto-creates a secret at /lowkey/<env-name>/telegram-bot-token 4. Passes the secret name to CFN/Terraform Also adds --telegram-bot-token flag for non-interactive/CI use. The --telegram-bot-token-secret flag is preserved for advanced users who pre-create their own secrets.
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 34fc66be42
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| aws secretsmanager restore-secret --secret-id "$secret_name" --region "$DEPLOY_REGION" >/dev/null 2>&1 || true | ||
| if sm_err=$(aws secretsmanager create-secret \ | ||
| --name "$secret_name" \ | ||
| --secret-string "$rh_bot_token" \ |
There was a problem hiding this comment.
The new secret-creation flow sends the Telegram token as --secret-string "$rh_bot_token", which exposes the raw token in the aws process arguments while the command runs. On shared hosts (or any environment with process inspection/audit tooling), other users or monitoring agents can read it from ps/proc, so this change leaks a credential that previously was never handled in plaintext by the installer. Use a safer input path (for example file:// from a locked temp file) so the token is not present in argv.
Useful? React with 👍 / 👎.
Previously 'aws secretsmanager create-secret --secret-string "$rh_bot_token"' exposed the raw Telegram bot token in argv while the command ran \u2014 readable by any process via ps/proc on shared hosts. Write the token to a chmod 600 temp file and pass 'file://$token_file' to --secret-string so the secret never appears in argv. Clean up on RETURN and on failure. Addresses Codex P2 on PR #45.
|
Addressed Codex review 4229732406 in c0e3d05: P2 \u2014 bot token in argv: AGREE, FIXED. |
…ts Manager UX improvement: instead of asking for a Secrets Manager ARN (which requires pre-creating the secret), the installer now: 1. Prompts for the actual Telegram bot token (masked input) 2. Validates the format 3. After user confirms deployment, creates secret at /lowkey/<env>/telegram-bot-token 4. Passes the generated secret name to CFN/Terraform Security: token written to chmod-600 temp file, passed via file:// to avoid exposing in process argv. File cleaned up immediately after use. Also adds --telegram-bot-token flag for non-interactive/CI use. The --telegram-bot-token-secret flag is preserved for advanced users.
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: c0e3d055a6
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| --telegram-bot-token) | ||
| if [[ $# -lt 2 || "$2" == --* ]]; then | ||
| echo -e "\033[0;31m✗\033[0m --telegram-bot-token requires a token value" >&2 | ||
| exit 1 | ||
| fi | ||
| TELEGRAM_BOT_TOKEN_RAW="$2"; shift 2 ;; |
There was a problem hiding this comment.
Parsing --telegram-bot-token into TELEGRAM_BOT_TOKEN_RAW leaks the bot token through process arguments (ps//proc) and often shell history or CI job logs before the script’s safer Secrets Manager flow runs. This reintroduces credential exposure for non-interactive installs on shared hosts; use stdin/env/file input instead of argv for secret material.
Useful? React with 👍 / 👎.
royosherove
force-pushed
the
fix/roundhouse-token-ux
branch
from
c0e3d05 to
bc9ce6d
Compare
|
Addressed Codex review 4229766478 in aba09eb: P2 \u2014 remove
The existing SM write path (c0e3d05) already passes via Verified both new handlers with a smoke test reading a fake |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: bc9ce6d340
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| _telem_method_selected 2>/dev/null || true | ||
|
|
||
| # Roundhouse: save bot token to Secrets Manager (deferred until after user confirmation) | ||
| if [[ -n "${_RH_BOT_TOKEN:-}" && -n "${_RH_SECRET_NAME:-}" ]]; then |
There was a problem hiding this comment.
Only checking _RH_BOT_TOKEN/_RH_SECRET_NAME here allows a stale Roundhouse token to be uploaded even when the user’s final selection is a different pack. In run_config_and_review, those globals are set during the first pass, and the recursive “Change settings” path can switch PACK_NAME without clearing them, so main still executes the Secrets Manager write. This causes unexpected secret creation/updates and persists credentials for deployments that are no longer Roundhouse.
Useful? React with 👍 / 👎.
Previously the Secrets Manager write happened before show_summary ran.
If the user hit "Change settings" and switched away from roundhouse on
the second pass, the token was already in AWS \u2014 an orphan secret for a
pack that wasn't being deployed.
Split the roundhouse logic in two:
1. Before show_summary: collect/validate the token, stash it locally
in _rh_pending_token, and set TELEGRAM_BOT_TOKEN_SECRET to the
expected name so the summary reflects the eventual state.
2. On "Change settings": clear both so the re-entry starts clean.
3. After show_summary confirms: only upload when PACK_NAME is still
roundhouse AND we actually have a pending token.
Addresses Codex P2 on PR #45.
|
Addressed Codex review 4229792301 in 66bca29: P2 \u2014 gate token upload on final pack selection: AGREE, FIXED. Right call \u2014 the SM write ran before Split the roundhouse flow:
|
1 participant
UX fix: instead of asking users for a Secrets Manager ARN (confusing),
the installer now:
/lowkey/<env-name>/telegram-bot-tokenAlso adds:
--telegram-bot-tokenCLI flag for non-interactive useprompt_secret()helper (gum --password mode)