Skip to content

Secrets & Workflow

Python config, secrets classification, file edit workflow, and deploy verification.

Source: extracted from AGENTS.md

Python Configuration

  • Python: 3.12 (.python-version)
  • ruff target: py311, line-length 100, double quotes
  • mypy: strict mode (disallow_untyped_defs, strict_equality, etc.)
  • yamlfix: line-length 120, block style sequences
  • uv workspace: root + scripts/mikrotik member

Secrets Management

  • Infisical is configured (.infisical.json with workspace ID)
  • Komodo secrets referenced as [[SECRET_NAME]] in TOML environment blocks

Secrets Classification (MUST FOLLOW)

Decision tree: Is it a real secret (external auth, billing, password)? → Komodo Variable. Is it an internal key (service-to-service, homelab-only)? → Hardcode in compose.yaml.

  • Secrets → Komodo Variable: DB_PASSWORD, OPENAI_API_KEY, LITELLM_MASTER_KEY
  • Non-secrets → Hardcode: GEMINI_CLIENT_ID, internal proxy keys
  • Why: Over-secretizing creates unnecessary Variables, slows deployments. Tailscale VPN already protects the network layer.

File Edit Workflow

When Opencode blocks file operations on .env or sensitive files, use Gitea API:

  1. gitea_get_file_contents() → get current content + SHA
  2. gitea_create_or_update_file() → write updated content
  3. git pull gitea main → sync local
  4. git push origin main → sync GitHub

Deploy Verification

Komodo may report EXECUTION FAILED while containers are actually running. Always verify via API:

  • km container -s unraid -c <service> -a (may be stale)
  • Direct API: ListDockerContainers → ground truth
  • GetStackLog → actual container output
  • If containers running → false alarm, no action needed

Gitea Troubleshooting

If git push gitea fails silently, check if repo is archived:

  • curl ... /api/v1/repos/.../docker-compose | python3 -c "...print(archived)..."
  • Fix: curl -X PATCH ... -d '{"archived": false}'