Pending: Use python-dotenv or alternative for loading env vars?
User Tasks
FR-015: Secrets & Environment Management
Summary
Establish a strategy for managing API keys, credentials, and environment-specific configuration.
Problem / Motivation
As Opus grows, it will need API keys and credentials for: email (FR-062), health/finance APIs (FR-033), VPS SSH keys (FR-025), Telegram bot tokens (FR-032), and more. Without a strategy, secrets end up hardcoded, committed to git, or scattered across files.
Proposed Solution
Standard .env file with .env.example template, loaded via python-dotenv or similar. Git-ignored, documented, easy to replicate on VPS.
Open Questions
No open questions.
Phase Overview
| Phase | Description | Status |
|---|---|---|
| Phase 1 | .env setup + conventions | — |
| Phase 2 | Vault-based secrets (optional) | — |
Phase 1: .env Setup —
Goal: Establish the standard .env pattern for secret management.
| File / Feature | Details | Owner | Status |
|---|---|---|---|
| .env.example | Template with all expected variables (empty values) | opus | — |
| .gitignore | Ensure .env is ignored | opus | — |
| python-dotenv | Add dependency, load in src/opus config | opus | — |
| Documentation | Where secrets go, how to add new ones | opus | — |
Phase 2: Advanced (Optional) —
Goal: Encrypted secrets and rotation for multi-device sync.
| File / Feature | Details | Owner | Status |
|---|---|---|---|
| Vault-based secrets | Encrypted secrets in vault for sync between devices | opus | — |
| Secret rotation | Reminders for expiring keys | opus | — |
Acceptance Criteria:
.env.example exists with documented variables
.env is in .gitignore
Python code loads env vars via standard method
Adding a new secret has a documented process
Notes:
Not needed until external integrations start (FR-062, FR-033, FR-032)
But good to establish early so the pattern exists
Keep it simple — .env + python-dotenv is enough for now
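A check for the conventions above, added here as an example and not part of the Opus code base: it compares .env.example with .env and reports template variables that carry a value, variables missing locally, and variables added without updating the template. The variable names and sample file contents are constructed, and the parser handles only a simplified subset of dotenv syntax.

```python
import re

# Simplified subset of dotenv syntax (assumption): KEY=value lines, optional
# "export " prefix, "#" comment lines, matching quotes; no inline comments.
_LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")

def parse_env(text):
    """Return {name: value} for every assignment in a dotenv-style file."""
    values = {}
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        match = _LINE.match(raw)
        if not match:
            raise ValueError(f"unparseable line: {raw!r}")
        name, value = match.groups()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        values[name] = value
    return values

def audit(example_text, env_text):
    """Compare .env.example (committed template) with .env (local values)."""
    template, actual = parse_env(example_text), parse_env(env_text)
    return {
        # The template is committed to git, so a value here may be a leaked secret.
        "filled_in_template": sorted(k for k, v in template.items() if v),
        # Expected by the template but absent or empty locally.
        "missing_in_env": sorted(k for k in template if not actual.get(k)),
        # Present locally but never added to the template, i.e. undocumented.
        "undocumented": sorted(set(actual) - set(template)),
    }

# Constructed sample files; the variable names are hypothetical.
SAMPLE_EXAMPLE = """\
# Telegram bot (FR-032)
TELEGRAM_BOT_TOKEN=
# Email access (FR-062)
EMAIL_PASSWORD=placeholder-that-should-be-empty
"""
SAMPLE_ENV = """\
TELEGRAM_BOT_TOKEN="constructed-token"
export VPS_SSH_KEY_PATH=/constructed/path
"""

if __name__ == "__main__":
    for finding, names in audit(SAMPLE_EXAMPLE, SAMPLE_ENV).items():
        print(f"{finding}: {', '.join(names) or 'none'}")
```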
Prerequisites / Gap Analysis
Requirements
| Requirement | Description |
|---|---|
| REQ-1 | FR-009 (Python Project Scaffold) for dependency management |
Current State
| Component | Status | Details |
|---|---|---|
| .env | — | Does not exist |
| .env.example | — | Does not exist |
| .gitignore | done | Exists but may not cover .env |
Gap (What’s missing?)
| Gap | Effort | Blocker? |
|---|---|---|
| Entire secrets infrastructure | Low | No |
Test
Manual tests
| Test | Expected | Owner | Actual | Last |
|---|---|---|---|---|
| .env is git-ignored | git status does not show .env | opus | pending | - |
| .env.example exists | Template with documented variables | opus | pending | - |
| Python loads env vars | os.environ populated from .env | opus | pending | - |
AI-verified tests
| Scenario | Expected behavior | Verification method |
|---|---|---|
| … | … | … |
E2E tests
| Scenario | Assertion |
|---|---|
| … | … |
Integration tests
| Component | Coverage |
|---|---|
| … | … |
Unit tests
| Component | Tests | Coverage |
|---|---|---|
| … | … | … |
History
| Date | Event | Details |
|---|---|---|
| 2026-02-27 | Created | |
| 2026-02-27 | Renumbered | From FR-030 to FR-015 |
| 2026-02-28 | Reformatted | Aligned to feature-request template |
References
FR-009 (Python Project Scaffold) — prerequisite for dependency management
FR-062 (Email/WhatsApp Access) — will need secrets