bot-bottle/docs/prds/0038-smolmachines-env-contract.md

# PRD 0038: smolmachines Env Contract and Secret-Safe Injection

- **Status:** Active
- **Author:** didericis-codex
- **Created:** 2026-06-02
- **Issue:** #135

## Summary

Make smolmachines env handling match Docker's contract: resolve manifest env
entries through `resolve_env()`, keep secret and interpolated values out of
host argv, and document or enforce an explicit env contract for the backend.

## Problem

`bot_bottle/backend/smolmachines/prepare.py` builds the guest env from
`bottle.env` directly, bypassing `resolve_env()`. Entries like `?prompt` and
`${HOST_VAR}` can reach the guest literally rather than being prompted or
resolved. In contrast, Docker resolves env through `resolve_env()` before
writing a mode-600 env file.

`smolmachines/smolvm.py` renders env as `-e KEY=VALUE` on `smolvm machine
create` argv, and `SmolmachinesBottle.agent_argv` / `exec` prepend
`env KEY=VALUE …` onto the `smolvm machine exec` argv. Any literal or resolved
secret value is therefore visible in the host process table.

The two backends have no shared env contract document. Divergence will silently
widen as new manifest env features are added.

## Goals / Success Criteria

- Manifest env entries are resolved through `resolve_env()` before being
  injected into the smolmachines guest, matching Docker behaviour.
- No manifest env value (literal or resolved) appears on host argv during
  machine creation or exec.
- Define and document an explicit smolmachines env contract covering literals,
  `?prompt` secrets, and `${HOST_VAR}` interpolations.
- Unit tests cover: literal passthrough, prompted-secret resolution,
  host-var interpolation, and the no-argv-leak invariant.

## Non-goals

- No changes to the Docker env path.
- No changes to manifest schema or `resolve_env()` itself.
- No changes to smolmachines networking or mount handling.
- No new runtime dependencies.

## Scope

In scope:

- `bot_bottle/backend/smolmachines/prepare.py` env resolution.
- `bot_bottle/backend/smolmachines/smolvm.py` machine-create argv.
- `bot_bottle/backend/smolmachines/bottle.py` `agent_argv` / `exec` env
  injection.
- `bot_bottle/env.py` if helper changes are needed to support the smolmachines
  path.
- Unit tests in `tests/unit/` covering the above.

Out of scope:

- Integration tests that start a live smolmachines VM.
- Docker backend changes.
- Dashboard or CLI changes.

## Design

Run smolmachines env through `resolve_env()` at prepare time, exactly as Docker
does. After resolution, inject env into the guest through a mechanism that does
not expose values on host argv — for example by writing a mode-600 env file
into the machine's state directory and loading it at exec time, or by passing
env through `smolvm`'s stdin if the tool supports it.

If `smolvm` provides no stdin or env-file injection path, document this as a
known limitation and at minimum move env values behind a per-invocation
tmpfile rather than inline argv.

The env contract for smolmachines should mirror Docker's:

- Literals: passed as-is after resolution.
- `?prompt` entries: prompted at prepare time; resolved value injected, never
  on argv.
- `${HOST_VAR}` entries: interpolated from the operator's env at prepare time;
  resolved value injected, never on argv.

## Testing Strategy

- Unit tests for `prepare.py` asserting `resolve_env()` is called and that
  resolution results are used rather than raw `bottle.env` values.
- Unit tests for `smolvm.py` machine-create argv asserting no env value appears
  inline.
- Unit tests for `bottle.py` exec path asserting the same argv invariant.

Run:

- `python3 -m unittest tests.unit.test_smolmachines_prepare`
- `python3 -m unittest discover -s tests/unit`

## Open Questions

- Does `smolvm machine create` support an env-file flag or stdin injection that
  avoids `-e KEY=VALUE` argv?