74 changes: 66 additions & 8 deletions install.sh
Expand Up @@ -704,6 +704,12 @@ while [[ $# -gt 0 ]]; do
exit 1
fi
KIRO_FROM_SECRET="$2"; shift 2 ;;
--telegram-bot-token)
if [[ $# -lt 2 || "$2" == --* ]]; then
echo -e "\033[0;31m✗\033[0m --telegram-bot-token requires a token value" >&2
exit 1
fi
TELEGRAM_BOT_TOKEN_RAW="$2"; shift 2 ;;
Comment on lines +707 to +712
P2 Badge Stop accepting Telegram token via CLI argument

Parsing --telegram-bot-token into TELEGRAM_BOT_TOKEN_RAW leaks the bot token through process arguments (ps, /proc) and often shell history or CI job logs before the script’s safer Secrets Manager flow runs. This reintroduces credential exposure for non-interactive installs on shared hosts; use stdin/env/file input instead of argv for secret material.


--telegram-bot-token-secret)
if [[ $# -lt 2 || "$2" == --* ]]; then
echo -e "\033[0;31m✗\033[0m --telegram-bot-token-secret requires a Secrets Manager id or arn" >&2
Expand Down Expand Up @@ -738,9 +744,11 @@ Options:
--method <cfn|terraform|tf> Deploy method (default: cfn)
--kiro-from-secret <id|arn> Secrets Manager id/arn for Kiro API key
(kiro-cli headless mode)
--telegram-bot-token <token> Telegram bot token (roundhouse pack;
saved to Secrets Manager automatically)
--telegram-bot-token-secret <id|arn>
Secrets Manager id/arn for Telegram bot token
(roundhouse pack)
(roundhouse pack, advanced/pre-created)
--telegram-user <username> Telegram username for bot pairing
(roundhouse pack, without @)
--debug-in-repo Dev-only: run installer from cwd
Expand Down Expand Up @@ -909,6 +917,17 @@ prompt() {
printf -v "$var" '%s' "${value:-$default}"
}

prompt_secret() {
local text="$1" var="$2" default="${3:-}"
if [[ "$AUTO_YES" == true && -n "$default" ]]; then
printf -v "$var" '%s' "$default"
return
fi
local value
_gum_or_die value $GUM input --password --header "$text" --placeholder "$text" || value="$default"
printf -v "$var" '%s' "${value:-$default}"
}

confirm() {
local text="$1" default="${2:-default_no}"
if [[ "$AUTO_YES" == true ]]; then return 0; fi
Expand Down Expand Up @@ -2985,14 +3004,24 @@ run_config_and_review() {
# Pack-specific parameter collection (after build_deploy_params so we can amend)
if [[ "${PACK_NAME:-}" == "roundhouse" ]]; then
if [[ -z "${TELEGRAM_BOT_TOKEN_SECRET:-}" ]]; then
echo ""
echo -e " ${BOLD}Roundhouse requires a Telegram bot token.${NC}"
echo -e " Store it in AWS Secrets Manager and provide the secret id/arn."
echo ""
prompt "Secrets Manager id for Telegram bot token" TELEGRAM_BOT_TOKEN_SECRET ""
if [[ -z "${TELEGRAM_BOT_TOKEN_SECRET:-}" ]]; then
fail "Telegram bot token secret is required for roundhouse pack"
_RH_BOT_TOKEN="${TELEGRAM_BOT_TOKEN_RAW:-}"
if [[ -z "$_RH_BOT_TOKEN" ]]; then
echo ""
echo -e " ${BOLD}Roundhouse connects to Telegram.${NC}"
echo -e " Create a bot via @BotFather and paste the token below."
echo ""
prompt_secret "Telegram bot token" _RH_BOT_TOKEN ""
fi
if [[ -z "$_RH_BOT_TOKEN" ]]; then
fail "Telegram bot token is required for roundhouse pack"
fi
# Validate token format
if [[ ! "$_RH_BOT_TOKEN" =~ ^[0-9]+:[A-Za-z0-9_-]+$ ]]; then
fail "Invalid Telegram bot token format (expected: 123456:ABC-DEF...)"
fi
# Secret name determined now; actual write deferred until after user confirms
_RH_SECRET_NAME="/lowkey/${ENV_NAME}/telegram-bot-token"
TELEGRAM_BOT_TOKEN_SECRET="$_RH_SECRET_NAME"
fi
if [[ -z "${TELEGRAM_USER:-}" ]]; then
prompt "Telegram username (without @)" TELEGRAM_USER ""
Expand Down Expand Up @@ -3041,6 +3070,35 @@ main() {
_telem_pack_selected 2>/dev/null || true
_telem_method_selected 2>/dev/null || true

# Roundhouse: save bot token to Secrets Manager (deferred until after user confirmation)
if [[ -n "${_RH_BOT_TOKEN:-}" && -n "${_RH_SECRET_NAME:-}" ]]; then
P2 Badge Gate token upload on final pack selection

Only checking _RH_BOT_TOKEN/_RH_SECRET_NAME here allows a stale Roundhouse token to be uploaded even when the user’s final selection is a different pack. In run_config_and_review, those globals are set during the first pass, and the recursive “Change settings” path can switch PACK_NAME without clearing them, so main still executes the Secrets Manager write. This causes unexpected secret creation/updates and persists credentials for deployments that are no longer Roundhouse.


info "Storing bot token in Secrets Manager: ${_RH_SECRET_NAME}"
local token_file
token_file=$(mktemp /tmp/lowkey-rh-token.XXXXXX)
chmod 600 "$token_file"
printf '%s' "$_RH_BOT_TOKEN" > "$token_file"
# Restore if in pending-deletion state
aws secretsmanager restore-secret --secret-id "$_RH_SECRET_NAME" --region "$DEPLOY_REGION" >/dev/null 2>&1 || true
local sm_err=""
if sm_err=$(aws secretsmanager create-secret \
--name "$_RH_SECRET_NAME" \
--secret-string "file://${token_file}" \
--description "Telegram bot token for roundhouse pack (${ENV_NAME})" \
--region "$DEPLOY_REGION" 2>&1); then
ok "Token saved to Secrets Manager"
elif sm_err=$(aws secretsmanager put-secret-value \
--secret-id "$_RH_SECRET_NAME" \
--secret-string "file://${token_file}" \
--region "$DEPLOY_REGION" 2>&1); then
ok "Token updated in Secrets Manager"
else
rm -f "$token_file"
fail "Failed to save bot token to Secrets Manager: ${sm_err}"
fi
rm -f "$token_file"
unset _RH_BOT_TOKEN
fi

# Console deploy exits early (no clone, no bootstrap wait)
if [[ "$DEPLOY_METHOD" == "$DEPLOY_CFN_CONSOLE" ]]; then
TOTAL_STEPS=5
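Review bot: The token file created by `token_file=$(mktemp /tmp/lowkey-rh-token.XXXXXX)` is only removed on the two explicit paths (the `rm -f "$token_file"` before `fail` and the one after the if), so an interrupt or any other exit while the two aws calls are running leaves the bot token on disk in /tmp; register the cleanup right after mktemp with `trap 'rm -f -- "$token_file"' EXIT` (chained into the existing EXIT trap if main already installs one, since a second `trap … EXIT` would replace it). The closing `unset _RH_BOT_TOKEN` also leaves a second copy of the token in `TELEGRAM_BOT_TOKEN_RAW`, which run_config_and_review copies it from, so `unset _RH_BOT_TOKEN TELEGRAM_BOT_TOKEN_RAW` scrubs both. A lesser point: when create-secret fails for a reason other than the secret already existing (e.g. a permissions error), the put-secret-value fallback overwrites sm_err, so the message printed by fail is the second error rather than the original cause; keeping the first error text, or only falling back when the first error indicates the secret exists, would keep the diagnostic accurate. main() continues outside the hunk.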