From 34fc66be42707b5509da77d302ddf5ea1dba778a Mon Sep 17 00:00:00 2001 From: "Loki@FastStart" Date: Tue, 5 May 2026 15:58:05 +0000 Subject: [PATCH 1/2] fix: roundhouse installer asks for bot token directly, saves to Secrets Manager UX improvement: instead of asking for a Secrets Manager ARN (which requires pre-creating the secret), the installer now: 1. Prompts for the actual Telegram bot token 2. Validates the format 3. Auto-creates a secret at /lowkey//telegram-bot-token 4. Passes the secret name to CFN/Terraform Also adds --telegram-bot-token flag for non-interactive/CI use. The --telegram-bot-token-secret flag is preserved for advanced users who pre-create their own secrets. --- install.sh | 63 +++++++++++++++++++++++++++++++++++++++++++++++------- 1 file changed, 55 insertions(+), 8 deletions(-) diff --git a/install.sh b/install.sh index c041796..964ad71 100755 --- a/install.sh +++ b/install.sh @@ -704,6 +704,12 @@ while [[ $# -gt 0 ]]; do exit 1 fi KIRO_FROM_SECRET="$2"; shift 2 ;; + --telegram-bot-token) + if [[ $# -lt 2 || "$2" == --* ]]; then + echo -e "\033[0;31m✗\033[0m --telegram-bot-token requires a token value" >&2 + exit 1 + fi + TELEGRAM_BOT_TOKEN_RAW="$2"; shift 2 ;; --telegram-bot-token-secret) if [[ $# -lt 2 || "$2" == --* ]]; then echo -e "\033[0;31m✗\033[0m --telegram-bot-token-secret requires a Secrets Manager id or arn" >&2 @@ -738,9 +744,11 @@ Options: --method Deploy method (default: cfn) --kiro-from-secret Secrets Manager id/arn for Kiro API key (kiro-cli headless mode) + --telegram-bot-token Telegram bot token (roundhouse pack; + saved to Secrets Manager automatically) --telegram-bot-token-secret Secrets Manager id/arn for Telegram bot token - (roundhouse pack) + (roundhouse pack, advanced/pre-created) --telegram-user Telegram username for bot pairing (roundhouse pack, without @) --debug-in-repo Dev-only: run installer from cwd 
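Review bot: The new `--telegram-bot-token` branch takes the bot token as a command-line argument, so it is visible in `ps` output, shell history and CI job logs; the second patch on this page avoids exactly that exposure for the `aws` call, but the installer's own argv still carries the secret. Prefer reading it from an environment variable or a file/stdin for non-interactive use, and if the argv form stays, say so in the usage text of the next hunk, e.g. `--telegram-bot-token  Telegram bot token (roundhouse pack; passed on the command line, prefer the prompt on shared hosts)`. The `"$2" == --*` guard is sound here since tokens start with digits. The enclosing `while [[ $# -gt 0 ]]` loop starts and ends outside this hunk.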
@@ -909,6 +917,17 @@ prompt() {
 printf -v "$var" '%s' "${value:-$default}"
 }
 
+prompt_secret() {
+ local text="$1" var="$2" default="${3:-}"
+ if [[ "$AUTO_YES" == true && -n "$default" ]]; then
+ printf -v "$var" '%s' "$default"
+ return
+ fi
+ local value
+ _gum_or_die value $GUM input --password --header "$text" --placeholder "$text" || value="$default"
+ printf -v "$var" '%s' "${value:-$default}"
+}
+
 confirm() {
 local text="$1" default="${2:-default_no}"
 if [[ "$AUTO_YES" == true ]]; then return 0; fi
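Review bot: `prompt_secret` has no header comment and its non-interactive behaviour is easy to misread: with `AUTO_YES` set and an empty default it appears to still open the masked `gum` prompt rather than fail, so an unattended run only avoids blocking here if `--telegram-bot-token` was given. A header along the lines of `# Like prompt(), but masked input (gum --password). With AUTO_YES and a default the prompt is skipped; with AUTO_YES and no default it still prompts — unattended callers must supply the value via flag.` would make that contract explicit. `$GUM` is unquoted, which presumably mirrors `prompt()`, whose body lies mostly outside the hunk.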
@@ -2985,14 +3004,42 @@ run_config_and_review() {
 # Pack-specific parameter collection (after build_deploy_params so we can amend)
 if [[ "${PACK_NAME:-}" == "roundhouse" ]]; then
 if [[ -z "${TELEGRAM_BOT_TOKEN_SECRET:-}" ]]; then
- echo ""
- echo -e " ${BOLD}Roundhouse requires a Telegram bot token.${NC}"
- echo -e " Store it in AWS Secrets Manager and provide the secret id/arn."
- echo ""
- prompt "Secrets Manager id for Telegram bot token" TELEGRAM_BOT_TOKEN_SECRET ""
- if [[ -z "${TELEGRAM_BOT_TOKEN_SECRET:-}" ]]; then
- fail "Telegram bot token secret is required for roundhouse pack"
+ local rh_bot_token="${TELEGRAM_BOT_TOKEN_RAW:-}"
+ if [[ -z "$rh_bot_token" ]]; then
+ echo ""
+ echo -e " ${BOLD}Roundhouse connects to Telegram.${NC}"
+ echo -e " Create a bot via @BotFather and paste the token below."
+ echo ""
+ prompt_secret "Telegram bot token" rh_bot_token ""
+ fi
+ if [[ -z "$rh_bot_token" ]]; then
+ fail "Telegram bot token is required for roundhouse pack"
+ fi
+ # Validate token format
+ if [[ ! 
"$rh_bot_token" =~ ^[0-9]+:[A-Za-z0-9_-]+$ ]]; then + fail "Invalid Telegram bot token format (expected: 123456:ABC-DEF...)" + fi + # Save to Secrets Manager with auto-generated name + local secret_name="/lowkey/${ENV_NAME}/telegram-bot-token" + local sm_err="" + info "Storing bot token in Secrets Manager: ${secret_name}" + # Restore if in pending-deletion state + aws secretsmanager restore-secret --secret-id "$secret_name" --region "$DEPLOY_REGION" >/dev/null 2>&1 || true + if sm_err=$(aws secretsmanager create-secret \ + --name "$secret_name" \ + --secret-string "$rh_bot_token" \ + --description "Telegram bot token for roundhouse pack (${ENV_NAME})" \ + --region "$DEPLOY_REGION" 2>&1); then + ok "Token saved to Secrets Manager" + elif sm_err=$(aws secretsmanager put-secret-value \ + --secret-id "$secret_name" \ + --secret-string "$rh_bot_token" \ + --region "$DEPLOY_REGION" 2>&1); then + ok "Token updated in Secrets Manager" + else + fail "Failed to save bot token to Secrets Manager: ${sm_err}" fi + TELEGRAM_BOT_TOKEN_SECRET="$secret_name" fi if [[ -z "${TELEGRAM_USER:-}" ]]; then prompt "Telegram username (without @)" TELEGRAM_USER "" From bc9ce6d340f36e65714a6465760d616eb48cc870 Mon Sep 17 00:00:00 2001 
From: Roy Osherove <575051+royosherove@users.noreply.github.com>
Date: Tue, 5 May 2026 16:08:10 +0000
Subject: [PATCH 2/2] fix: roundhouse installer asks for bot token directly, saves to Secrets Manager
UX improvement: instead of asking for a Secrets Manager ARN (which requires pre-creating the secret), the installer now: 1. Prompts for the actual Telegram bot token (masked input) 2. Validates the format 3. After user confirms deployment, creates secret at /lowkey//telegram-bot-token 4. Passes the generated secret name to CFN/Terraform Security: token written to chmod-600 temp file, passed via file:// to avoid exposing in process argv. File cleaned up immediately after use. Also adds --telegram-bot-token flag for non-interactive/CI use. The --telegram-bot-token-secret flag is preserved for advanced users.
---
 install.sh | 63 ++++++++++++++++++++++++++++++++----------------------
 1 file changed, 37 insertions(+), 26 deletions(-)
diff --git a/install.sh b/install.sh
index 964ad71..db4913c 100755
--- a/install.sh
+++ b/install.sh
@@ -3004,42 +3004,24 @@ run_config_and_review() {
 # Pack-specific parameter collection (after build_deploy_params so we can amend)
 if [[ "${PACK_NAME:-}" == "roundhouse" ]]; then
 if [[ -z "${TELEGRAM_BOT_TOKEN_SECRET:-}" ]]; then
- local rh_bot_token="${TELEGRAM_BOT_TOKEN_RAW:-}"
- if [[ -z "$rh_bot_token" ]]; then
+ _RH_BOT_TOKEN="${TELEGRAM_BOT_TOKEN_RAW:-}"
+ if [[ -z "$_RH_BOT_TOKEN" ]]; then
 echo ""
 echo -e " ${BOLD}Roundhouse connects to Telegram.${NC}"
 echo -e " Create a bot via @BotFather and paste the token below."
 echo ""
- prompt_secret "Telegram bot token" rh_bot_token ""
+ prompt_secret "Telegram bot token" _RH_BOT_TOKEN ""
 fi
- if [[ -z "$rh_bot_token" ]]; then
+ if [[ -z "$_RH_BOT_TOKEN" ]]; then
 fail "Telegram bot token is required for roundhouse pack"
 fi
 # Validate token format
- if [[ ! "$rh_bot_token" =~ ^[0-9]+:[A-Za-z0-9_-]+$ ]]; then
+ if [[ ! "$_RH_BOT_TOKEN" =~ ^[0-9]+:[A-Za-z0-9_-]+$ ]]; then
 fail "Invalid Telegram bot token format (expected: 123456:ABC-DEF...)"
 fi
- # Save to Secrets Manager with auto-generated name
- local secret_name="/lowkey/${ENV_NAME}/telegram-bot-token"
- local sm_err=""
- info "Storing bot token in Secrets Manager: ${secret_name}"
- # Restore if in pending-deletion state
- aws secretsmanager restore-secret --secret-id "$secret_name" --region "$DEPLOY_REGION" >/dev/null 2>&1 || true
- if sm_err=$(aws secretsmanager create-secret \
- --name "$secret_name" \
- --secret-string "$rh_bot_token" \
- --description "Telegram bot token for roundhouse pack (${ENV_NAME})" \
- --region "$DEPLOY_REGION" 2>&1); then
- ok "Token saved to Secrets Manager"
- elif sm_err=$(aws secretsmanager put-secret-value \
- --secret-id "$secret_name" \
- --secret-string "$rh_bot_token" \
- --region "$DEPLOY_REGION" 2>&1); then
- ok "Token updated in Secrets Manager"
- else
- fail "Failed to save bot token to Secrets Manager: ${sm_err}"
- fi
- TELEGRAM_BOT_TOKEN_SECRET="$secret_name"
+ # Secret name determined now; actual write deferred until 
after user confirms
+ _RH_SECRET_NAME="/lowkey/${ENV_NAME}/telegram-bot-token"
+ TELEGRAM_BOT_TOKEN_SECRET="$_RH_SECRET_NAME"
 fi
 if [[ -z "${TELEGRAM_USER:-}" ]]; then
 prompt "Telegram username (without @)" TELEGRAM_USER ""
@@ -3088,6 +3070,35 @@ main() {
 _telem_pack_selected 2>/dev/null || true
 _telem_method_selected 2>/dev/null || true
 
+ # Roundhouse: save bot token to Secrets Manager (deferred until after user confirmation)
+ if [[ -n "${_RH_BOT_TOKEN:-}" && -n "${_RH_SECRET_NAME:-}" ]]; then
+ info "Storing bot token in Secrets Manager: ${_RH_SECRET_NAME}"
+ local token_file
+ token_file=$(mktemp /tmp/lowkey-rh-token.XXXXXX)
+ chmod 600 "$token_file"
+ printf '%s' "$_RH_BOT_TOKEN" > "$token_file"
+ # Restore if in pending-deletion state
+ aws secretsmanager restore-secret --secret-id "$_RH_SECRET_NAME" --region "$DEPLOY_REGION" >/dev/null 2>&1 || true
+ local sm_err=""
+ if sm_err=$(aws secretsmanager create-secret \
+ --name "$_RH_SECRET_NAME" \
+ --secret-string "file://${token_file}" \
+ --description "Telegram bot token for roundhouse pack (${ENV_NAME})" \
+ --region "$DEPLOY_REGION" 2>&1); then
+ ok "Token saved to Secrets Manager"
+ elif sm_err=$(aws secretsmanager put-secret-value \
+ --secret-id "$_RH_SECRET_NAME" \
+ --secret-string "file://${token_file}" \
+ --region "$DEPLOY_REGION" 2>&1); then
+ ok "Token updated in Secrets Manager"
+ else
+ rm -f "$token_file"
+ fail "Failed to save bot token to Secrets Manager: ${sm_err}"
+ fi
+ rm -f "$token_file"
+ unset _RH_BOT_TOKEN
+ fi
+
 # Console deploy exits early (no clone, no bootstrap wait)
 if [[ "$DEPLOY_METHOD" == "$DEPLOY_CFN_CONSOLE" ]]; then
 TOTAL_STEPS=5
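Review bot: When both `--telegram-bot-token` and `--telegram-bot-token-secret` are passed, `TELEGRAM_BOT_TOKEN_RAW` is never read because the whole block sits under `if [[ -z "${TELEGRAM_BOT_TOKEN_SECRET:-}" ]]`, so the supplied token is silently discarded and the pre-created secret wins without any message. Reject, or at least warn on, the combination before this block, e.g. `[[ -n "${TELEGRAM_BOT_TOKEN_RAW:-}" && -n "${TELEGRAM_BOT_TOKEN_SECRET:-}" ]] && fail "--telegram-bot-token and --telegram-bot-token-secret are mutually exclusive"`. `_RH_BOT_TOKEN` is now a global that carries the plaintext token across the review step; a comment at its first assignment such as `# global: consumed and unset in main() once the user has confirmed deployment` would document that lifetime. `run_config_and_review` starts and ends outside this hunk.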
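Review bot: The token file from `mktemp` is deleted only on the two explicit paths, so an interrupt, or `set -e` tripping on `chmod`/`printf`, between `mktemp` and `rm -f` leaves the plaintext token behind in `/tmp` (mode 0600, but persistent). Register the cleanup right after creation — `trap 'rm -f -- "$token_file"' EXIT`, chained with any EXIT trap `main()` already installs — which also removes the need for the duplicated `rm -f` before `fail`. `mktemp /tmp/lowkey-rh-token.XXXXXX` hardcodes `/tmp` instead of honouring `TMPDIR`; `mktemp "${TMPDIR:-/tmp}/lowkey-rh-token.XXXXXX"` is the usual form, and since `mktemp` already creates the file 0600 the `chmod` is harmless belt-and-braces. `unset _RH_BOT_TOKEN` clears one copy of the token, but `TELEGRAM_BOT_TOKEN_RAW` still holds it when the flag form was used. `main()` starts and ends outside this hunk.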