Secrets & Workflow¶
Python config, secrets classification, file edit workflow, and deploy verification.
Source: extracted from AGENTS.md
Python Configuration¶
- Python: 3.12 (
.python-version) - ruff target: py311, line-length 100, double quotes
- mypy: strict mode (
disallow_untyped_defs,strict_equality, etc.) - yamlfix: line-length 120, block style sequences
- uv workspace: root +
scripts/mikrotikmember
Secrets Management¶
- Infisical is configured (
.infisical.jsonwith workspace ID) - Komodo secrets referenced as
[[SECRET_NAME]]in TOML environment blocks
Secrets Classification (MUST FOLLOW)¶
Decision tree: Is it a real secret (external auth, billing, password)? → Komodo Variable. Is it an internal key (service-to-service, homelab-only)? → Hardcode in compose.yaml.
- Secrets → Komodo Variable:
DB_PASSWORD,OPENAI_API_KEY,LITELLM_MASTER_KEY - Non-secrets → Hardcode:
GEMINI_CLIENT_ID, internal proxy keys - Why: Over-secretizing creates unnecessary Variables, slows deployments. Tailscale VPN already protects the network layer.
File Edit Workflow¶
When Opencode blocks file operations on .env or sensitive files, use Gitea API:
gitea_get_file_contents()→ get current content + SHAgitea_create_or_update_file()→ write updated contentgit pull gitea main→ sync localgit push origin main→ sync GitHub
Deploy Verification¶
Komodo may report EXECUTION FAILED while containers are actually running. Always verify via API:
km container -s unraid -c <service> -a(may be stale)- Direct API:
ListDockerContainers→ ground truth GetStackLog→ actual container output- If containers running → false alarm, no action needed
Gitea Troubleshooting¶
If git push gitea fails silently, check if repo is archived:
curl ... /api/v1/repos/.../docker-compose | python3 -c "...print(archived)..."- Fix:
curl -X PATCH ... -d '{"archived": false}'