bug(cli/setup): archon setup silently overwrites repo .env and loses secrets

[133Felix]

Problem

archon setup unconditionally overwrites <repo>/.env on every run. No existence check, no backup, no confirmation prompt. Any user-added secrets — tokens, custom vars, credentials the wizard doesn't know about — are permanently lost.

This is a data-loss bug. .env is gitignored, so there is no recovery path; users rediscover the loss only when a platform adapter fails to authenticate and they have to re-collect every secret from scratch.

Where it happens

• packages/cli/src/commands/setup.ts:1311-1331 — writeEnvFiles() calls writeFileSync(repoEnvPath, content) unconditionally for both ~/.archon/.env and <repo>/.env.
• packages/cli/src/commands/setup.ts:1567-1614 — "Add platforms" mode makes it worse: the written SetupConfig is built from boolean presence flags returned by checkExistingConfig(), which never reads the actual values. Result on every "Add" run:
  • database is hardcoded to { type: 'sqlite' } → silently downgrades an existing PostgreSQL config
  • claudeApiKey / claudeOauthToken / codexTokens are undefined → auth lines are dropped from the regenerated file

Impact

• Lost secrets on every archon setup re-run touching an existing repo
• Silent PostgreSQL→SQLite downgrade in "Add" mode
• Forced re-collection of bot tokens, webhook secrets, API keys
• Happens on the documented onboarding path

Proposed Fix

1. Refuse to overwrite an existing non-empty <repo>/.env without explicit consent. Default to a timestamped backup + non-destructive merge (only add keys that don't already exist).
2. In "Add" mode, parse the existing file and carry all values forward; only write keys the user changed this run.
3. Explicit --force flag for users who actually want to regenerate.

Relationship to #1196

Same user journey, two angles:

• feat(cli/web): archon setup --init-repo — skill + .archon/ only, skip config wizard #1196: "Don't run the wizard at all when I just want the skill + .archon/ scaffold."
• This: "And when the wizard does run, it must not destroy my .env."

Landing #1196 avoids the overwrite for the scaffold-only path but doesn't fix it for users legitimately updating config. Both should ship — ideally together.

Severity

Data-loss bug → priority: high. No git history, no backup, no undo.

Definition of Done

• archon setup never silently overwrites a non-empty repo .env
• Existing values are preserved (merge) or backed up (.env.archon-backup-<ts>)
• "Add" mode reads existing values instead of regenerating from booleans
• --force flag for opt-in destructive rewrite
• Tests: fresh, merge-preserves-user-keys, add-mode-preserves-db-url, --force overwrites, --init-repo (feat(cli/web): archon setup --init-repo — skill + .archon/ only, skip config wizard #1196) never touches .env
• Cross-linked with feat(cli/web): archon setup --init-repo — skill + .archon/ only, skip config wizard #1196

[Wirasm]

Discussed design — unifies with #1302

The overwrite + "Add" mode bugs are real; fix design below was worked out alongside #1302 (the read-side counterpart). TL;DR — the write side should mirror the load side: scope by archon-owned directory, never touch the target repo's .env.

What changes

1. archon setup never writes to <repo>/.env. Ever.

Not by default, not with --force, not in any mode. Rationale: stripCwdEnv() in packages/paths/src/strip-cwd-env.ts deliberately erases every <repo>/.env key from process.env on every run (and must keep doing so — it protects archon from target-repo var leaks, e.g. a user's own ANTHROPIC_API_KEY for their unrelated app). If setup writes to <repo>/.env, the next run silently deletes the values. Writing to a file whose contents we then erase is incoherent. Stop doing it.

2. Scope-aware write target.

Two archon-owned locations, mirroring the existing .archon/config.yaml convention:

• ~/.archon/.env — user scope (default). Applies everywhere.
• <cwd>/.archon/.env — project scope. Overrides user scope for this repo only.

archon setup gets a scope choice — interactive prompt OR --scope home|project flag. Default home. Users with per-project secrets (different SLACK_WEBHOOK for each repo's #gh-digest channel, different DATABASE_URL per env, etc.) pick project.

3. Merge-only writes. Never clobber existing keys.

For whichever scope the user picked:

• Parse existing file into existing: Map<key, value> via dotenv's parser.
• Compute proposed keys from the user's current selections → proposed: Map<key, value>.
• For each proposed key: keep existing[key] if present and non-empty; else add from proposed.
• Preserve keys in existing not in proposed verbatim (user-added custom vars survive).
• Write the merged file.

4. Backup before every write, even merges.

<scope-path>.archon-backup-<ISO-ts> copy before the file is rewritten. Cheap safety rail; survives --force too.

5. --force flag — opt-in full regen of the selected scope.

Skips the merge (values proposed by the wizard this run win over existing). Backup still written. Logged explicitly:

[archon] --force: overwriting existing <path> (backup at <path>.archon-backup-<ts>)

6. "Add" mode config builder bug (setup.ts:1571) fix.

Once #3 (merge-only) is in place, the hardcoded database: { type: 'sqlite' } stops being a silent PostgreSQL downgrade (SQLite lives in proposed; existing DATABASE_URL=postgresql://… stays in existing; merge preserves Postgres). Still worth reading the existing DB URL and reflecting it in the interactive summary (cosmetic honesty — don't print "Using SQLite" when we'll actually keep their Postgres).

Migration for users on prior versions

• Leave existing <repo>/.env alone. Principle: never touch the target repo's .env.

• At setup start, if <cwd>/.env exists, emit a one-time note:

  [archon] Note: <cwd>/.env exists but is not managed by archon. Values here
          are stripped from the archon process at runtime (safety guard).
          To put vars into archon's env, use ~/.archon/.env (user scope) or
          <cwd>/.archon/.env (project scope).
  

• Do NOT delete, migrate, or copy. The user's <repo>/.env is their concern — we just stop writing there and stop pretending it's loadable.

Table (mirrors the design in #1302)

Path	strip-cwd-env	Archon loads?	archon setup writes?
<repo>/.env	strips (keeps guard)	never	never
<repo>/.archon/.env	untouched	yes (repo scope)	yes if --scope project
~/.archon/.env	untouched	yes (user scope)	yes if --scope home (default)

Tests

• Fresh run (no existing env): writes expected content to the selected scope
• Merge preserves user-added keys (MY_CUSTOM=foo in ~/.archon/.env survives a second archon setup run)
• "Add" mode: existing DATABASE_URL=postgresql://… in ~/.archon/.env survives adding a new platform
• "Add" mode: existing bot tokens (CLAUDE_CODE_OAUTH_TOKEN, SLACK_BOT_TOKEN, etc.) survive
• --force writes from scratch AND writes backup
• Backup filename is timestamped and recoverable
• Assert <repo>/.env is untouched after archon setup on a clean repo, on a repo with a pre-existing .env, and on a re-run with new platforms selected
• --scope project writes to <cwd>/.archon/.env, not ~/.archon/.env

Relation to #1302

This issue is the write side. #1302 is the read side. They must agree on the same three paths for the model to be coherent:

• CLI silently strips repo-local .env vars; logs say (0) from .env instead of stripped N keys #1302 loads from ~/.archon/.env + <cwd>/.archon/.env (with clearer strip log).
• This issue (bug(cli/setup): archon setup silently overwrites repo .env and loses secrets #1303) writes to the same two locations, never to <repo>/.env.

Landing either without the other leaves the system half-coherent. Ideally ship together, or #1303 on top of #1302.