ECP-0061: agenix secrets for local dev tokens

2026-02-15 17:21:23 -05:00 · 2026-02-15 17:21:23 -05:00 · 6cb4a9e401
commit 6cb4a9e401
parent 810556aa99
1 changed files with 40 additions and 0 deletions
--- a/evolution/proposals/ECP-0061-agenix-secrets.md
+++ b/evolution/proposals/ECP-0061-agenix-secrets.md
@ -0,0 +1,40 @@
+# ECP-0061: agenix Secrets (Local Dev Convenience)
+
+Status: Draft
+
+## Goal
+
+Provide a simple, repo-native way to manage a small set of long-lived tokens for local development without committing plaintext secrets:
+
+- Cloudflare API token (local `wrangler deploy`)
+- Codeberg token (optional; for `tea` CLI)
+
+## Non-Goals
+
+- CI secrets management (CI should use Forgejo Actions secrets).
+- A general secret distribution scheme for the network protocol.
+
+## Proposal
+
+1. Add `secrets/` using `agenix`:
+   - `secrets/secrets.nix` maps secret filenames to recipients.
+   - Encrypted files (optional, not required to exist):
+     - `secrets/cloudflare-api-token.age`
+     - `secrets/codeberg-token.age`
+2. Add tools to the nix dev shell:
+   - `agenix`
+   - `tea` (Forgejo/Gitea-compatible CLI)
+3. Update scripts to use these secrets opportunistically:
+   - `scripts/deploy-workers.sh` loads `CLOUDFLARE_API_TOKEN` via `agenix -d` when present.
+   - `scripts/tea-login-codeberg.sh` configures `tea` using `CODEBERG_TOKEN` (env) or `agenix`.
+
+## Rationale
+
+`agenix` keeps sensitive tokens out of git while still being easy to use on a single machine.
+CI remains clean and auditable by using the platform's secret store.
+
+## Rollout / Reversibility
+
+- Additive. If a developer doesn't use `agenix`, nothing breaks.
+- Easy to remove later if a different secret system is adopted.
+