# ECP-0061: agenix Secrets (Local Dev Convenience)

Status: Draft

Note: CI handling in this proposal is superseded by `ECP-0062` (single SSH identity + repo-encrypted secrets for deploy).

## Goal

Provide a simple, repo-native way to manage a small set of long-lived tokens for local development without committing plaintext secrets:

- Cloudflare API token (local `wrangler deploy`)
- Codeberg token (optional; for `fj` CLI)

## Non-Goals

- CI secrets management (CI should use Forgejo Actions secrets).
- A general secret distribution scheme for the network protocol.

## Proposal

1. Add `secrets/` using `agenix`:
   - `secrets/secrets.nix` maps secret filenames to recipients.
   - Encrypted files (optional, not required to exist):
     - `secrets/cloudflare-api-token.age`
     - `secrets/codeberg-token.age`
2. Add tools to the nix dev shell:
   - `agenix`
   - `forgejo-cli` (`fj`)
3. Update scripts to use these secrets opportunistically:
   - `scripts/deploy-workers.sh` loads `CLOUDFLARE_API_TOKEN` via `agenix -d` when present.
   - `scripts/fj-auth-codeberg.sh` configures `fj` using `CODEBERG_TOKEN` (env) or `agenix`.

## Rationale

`agenix` keeps sensitive tokens out of git while still being easy to use on a single machine. CI remains clean and auditable by using the platform's secret store.

## Rollout / Reversibility

- Additive. If a developer doesn't use `agenix`, nothing breaks.
- Easy to remove later if a different secret system is adopted.
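The "opportunistic" loading in step 3 of the Proposal is the part that keeps the rollout additive: a script must prefer an already-exported token, fall back to decrypting the `.age` file only when both `agenix` and the file exist, and otherwise skip without failing. The following is an added example of that lookup order, not the project's own `scripts/deploy-workers.sh` or `scripts/fj-auth-codeberg.sh`; the `load_secret` helper, the `SECRETS_DIR` variable and the `constructed-token` sample value are assumptions for illustration. It relies only on `agenix -d FILE`, which prints the decrypted secret to stdout.

```shell
#!/usr/bin/env sh
# Added example (not the project's scripts): resolve a long-lived token in the
# order  env var -> agenix-encrypted file -> nothing, without ever failing the
# script when the secret is absent.  SECRETS_DIR and load_secret are assumed
# names; the secret filenames come from the proposal.

SECRETS_DIR="${SECRETS_DIR:-secrets}"

# load_secret VAR FILE
#   Prints the value of $VAR if it is already set in the environment.
#   Otherwise, if `agenix` is on PATH and $SECRETS_DIR/FILE exists, decrypts the
#   file with `agenix -d` and prints the plaintext.
#   Returns 0 when a value was produced, 1 when no source was available.
load_secret() {
  var="$1"
  file="$SECRETS_DIR/$2"

  # Indirect lookup of the variable named in $1 (POSIX sh has no ${!var}).
  eval "current=\${$var:-}"
  if [ -n "$current" ]; then
    printf '%s\n' "$current"
    return 0
  fi

  # Only touch agenix when the tool and the encrypted file are both present,
  # so developers who do not use agenix see no error at all.
  if command -v agenix >/dev/null 2>&1 && [ -f "$file" ]; then
    agenix -d "$file"
    return $?
  fi

  return 1
}

# Usage: the deploy step is only attempted when a token could be resolved.
if token=$(load_secret CLOUDFLARE_API_TOKEN cloudflare-api-token.age); then
  export CLOUDFLARE_API_TOKEN="$token"
  echo "CLOUDFLARE_API_TOKEN loaded; wrangler deploy may proceed"
else
  echo "no Cloudflare token available; skipping wrangler deploy" >&2
fi

# The same helper serves the optional Codeberg token for fj.
if token=$(load_secret CODEBERG_TOKEN codeberg-token.age); then
  export CODEBERG_TOKEN="$token"
  echo "CODEBERG_TOKEN loaded"
else
  echo "no Codeberg token available; fj stays unauthenticated" >&2
fi
```

Capturing the decrypted value via command substitution keeps it in process memory rather than in a temporary file, and exporting it only after a successful lookup means a missing secret leaves the environment untouched, which is what makes the change safe to merge before anyone has created the `.age` files.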