From f1831b8a5622c7ba5553051470d7143978e1aaf0 Mon Sep 17 00:00:00 2001
From: yiekheng <yiekheng@04080616.xyz>
Date: Sat, 9 May 2026 15:12:09 +0800
Subject: [PATCH] chore: add gen_auth_secret + bootstrap env files

---
 .env.development           | 13 +++++++++
 envs/.env.example          | 24 ++++++++++++++++
 scripts/gen_auth_secret.sh | 58 ++++++++++++++++++++++++++++++++++++++
 3 files changed, 95 insertions(+)
 create mode 100644 .env.development
 create mode 100644 envs/.env.example
 create mode 100755 scripts/gen_auth_secret.sh

diff --git a/.env.development b/.env.development
new file mode 100644
index 0000000..2bfe660
--- /dev/null
+++ b/.env.development
@@ -0,0 +1,13 @@
+DATABASE_URL=postgres://placeholder:placeholder@192.168.0.210:5432/whatsapp_bot_dev
+TELEGRAM_BOT_TOKEN=placeholder
+TELEGRAM_OPERATOR_WHITELIST=0
+TELEGRAM_QR_CHAT_ID=0
+DATA_DIR=/data
+SESSIONS_DIR=/data/sessions
+MEDIA_DIR=/data/media
+BOT_HEALTH_PORT=8081
+BOT_LOG_LEVEL=debug
+SEED_OPERATOR_TELEGRAM_ID=0
+SEED_OPERATOR_NAME=Dev
+WEB_PORT=3000
+AUTH_SECRET=86f656580a58f03b6ccb43d257e0e801ecd5356e042e8886b3c7c569e29ff13c
diff --git a/envs/.env.example b/envs/.env.example
new file mode 100644
index 0000000..b7e449f
--- /dev/null
+++ b/envs/.env.example
@@ -0,0 +1,24 @@
+# === Postgres ===
+DATABASE_URL=postgres://USER:PASS@192.168.0.210:5432/whatsapp_bot_dev
+
+# === Telegram ===
+TELEGRAM_BOT_TOKEN=
+TELEGRAM_OPERATOR_WHITELIST=
+TELEGRAM_QR_CHAT_ID=
+
+# === App data paths (inside containers) ===
+DATA_DIR=/data
+SESSIONS_DIR=/data/sessions
+MEDIA_DIR=/data/media
+
+# === Bot service ===
+BOT_HEALTH_PORT=8081
+BOT_LOG_LEVEL=info
+
+# === Seed (used by scripts/db.sh seed) ===
+SEED_OPERATOR_TELEGRAM_ID=
+SEED_OPERATOR_NAME=Operator
+
+# === Web (placeholder for plan 3) ===
+WEB_PORT=3000
+AUTH_SECRET=
diff --git a/scripts/gen_auth_secret.sh b/scripts/gen_auth_secret.sh
new file mode 100755
index 0000000..2ed1ecf
--- /dev/null
+++ b/scripts/gen_auth_secret.sh
@@ -0,0 +1,58 @@
+#!/usr/bin/env bash
+# Generate a 32-byte (64 hex chars) AUTH_SECRET for web session signing.
+set -euo pipefail
+
+usage() {
+  cat <<'EOF'
+Generate AUTH_SECRET.
+
+Usage:
+  scripts/gen_auth_secret.sh                Print a fresh secret to stdout.
+  scripts/gen_auth_secret.sh --write        Set AUTH_SECRET= in ./.env.development
+                                            (creates if missing, replaces if present).
+  scripts/gen_auth_secret.sh --write PATH   Same, against an explicit env path.
+EOF
+}
+
+generate() {
+  if command -v openssl >/dev/null 2>&1; then
+    openssl rand -hex 32
+  else
+    head -c 32 /dev/urandom | xxd -p -c 64
+  fi
+}
+
+write_into() {
+  local target="$1"
+  local secret
+  secret="$(generate)"
+  if [[ -f "${target}" ]] && grep -q '^AUTH_SECRET=' "${target}"; then
+    local tmp
+    tmp="$(mktemp)"
+    awk -v s="${secret}" '
+      /^AUTH_SECRET=/ { print "AUTH_SECRET=" s; next }
+      { print }
+    ' "${target}" > "${tmp}"
+    mv "${tmp}" "${target}"
+    echo "Replaced AUTH_SECRET in ${target}"
+  else
+    [[ -f "${target}" ]] || touch "${target}"
+    if [[ -s "${target}" && -n "$(tail -c 1 "${target}")" ]]; then
+      printf '\n' >> "${target}"
+    fi
+    printf 'AUTH_SECRET=%s\n' "${secret}" >> "${target}"
+    echo "Appended AUTH_SECRET to ${target}"
+  fi
+}
+
+case "${1:-}" in
+  -h|--help) usage ;;
+  --write)
+    target="${2:-.env.development}"
+    ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+    [[ "${target}" = /* ]] || target="${ROOT_DIR}/${target}"
+    write_into "${target}"
+    ;;
+  "") generate ;;
+  *) echo "Unknown option: $1" >&2; usage >&2; exit 2 ;;
+esac