From bd9b295b24b6ce8751a087754fbd6722548926bb Mon Sep 17 00:00:00 2001
From: rain <rain@melonbread.xyz>
Date: Mon, 22 Jun 2026 01:34:02 -0400
Subject: [PATCH] Add omp .env.age for provider API keys; install
 topgrade+cargo-update via PM
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

1. dot_omp/agent/encrypted_.env.age (NEW)
   Encrypted shell-sourceable file with all omp provider API keys.
   Decrypts to ~/.omp/agent/.env on apply. omp reads .env on startup
   per docs/environment-variables.md. All 6 recipients (recovery +
   5 boxes) can decrypt. Placeholder values for keys the user hasn't
   added yet — fill in real values per-provider.

2. run_onchange_30-ensure-cargo.sh.tmpl (UPDATED)
   - Add topgrade install: pacman on arch (via chaotic-aur), cargo on
     debian (not in apt)
   - Add cargo-update install: pacman on arch, cargo on debian
   - Prefer OS package managers over cargo install when both are
     available. cargo install only as fallback.

3. dot_omp/agent/config.yml (UNCHANGED)
   Per user request: keep .local host endpoints (llama-swap.miche,
   kaiser.local:8800). If a box can't reach them, it's not on the
   local network and omp will error gracefully at request time.
---
 dot_omp/agent/encrypted_.env.age     | 38 ++++++++++++++++++++
 run_onchange_30-ensure-cargo.sh.tmpl | 54 +++++++++++++++++++++++++---
 2 files changed, 88 insertions(+), 4 deletions(-)
 create mode 100644 dot_omp/agent/encrypted_.env.age

diff --git a/dot_omp/agent/encrypted_.env.age b/dot_omp/agent/encrypted_.env.age
new file mode 100644
index 0000000..cd9eb9f
--- /dev/null
+++ b/dot_omp/agent/encrypted_.env.age
@@ -0,0 +1,38 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyS3V1NDhvQU52VTRnQ3Ey
+UXg4cTVaTnFpVHhpMURMZTFuZ0xrckQzdFJRCnBvcDZMUGtqbXYxbk9wZDRCdnNt
+bHVsdzcwN05hZVdUZWpFVzlPc1dlcXMKLT4gWDI1NTE5IGQ0UGgydEhLYmdnUzRm
+dzhkTnkzcjM4SC83VGN6NnpObjVhVVY2dUxKZ2MKMGRuenJOZzhXMTFLamNGeWR4
+L3htQUs2c1ZLS3dOYlNCRkNiSTFzaTVtTQotPiBYMjU1MTkgK0tyZVJvOCtUVnk1
+UmdxTS8xOTBGamFNYVBoUEc4b1pISWF6c0YwMnFETQpDVmhETWFrZkhSMDhIS2l3
+QWJ5TkZSYnMveXRRandRNy9zQS9Ec1RqenNNCi0+IFgyNTUxOSBKMFpJYUdTbjJ0
+aHVtdDlzanJ0MlByT1RwNHBPYWFkaW5JTHVmTCtSMFFJCkhrTmcxMUJ3aytySklG
+K2g2NGJWZ1NsejNWd1JPcit3RnNqL2wvaFhOWmsKLT4gWDI1NTE5IDhwVngwT3Q2
+dE1iVmFVSi9YRUprWEVZMXJRL1U4SVIwS1VmSG10b3RhVkEKM0JQTU1EaU9pSG83
+alF6QlpNV2VaaXY4czR6cGsyRkcvNzA3M1hBT3k2OAotPiBYMjU1MTkgS0szV0px
+TTlDQUxSVW9RakNvU21keGsyaTAvZUo4cjYySGRpd0IzbTBFMAoyUjJRQTFpOXlE
+enR6YzlUbUFPWXdkaS8vSlFzc0p0RDRtUlpvS3RIcHhNCi0tLSBnaXpCY1p0aWdk
+SzdmaDR3REdQSnlXYzFOckpHbUJJMUw0a3QxWkxuejJnCo9Fk8UQVmnjk0REZmLK
+FdmuNxBvnGGWC4slOwPzPBRaPeNXfCf+KS5Lor06+2a9oF4uuI+7kBP2g7b3NySJ
+Z9Dp5RumFTOnpZ6tFHpZbOllgR8x5XvU0xyBF3eR+rMvgSQ1i2N14KqRfOVGN5oM
+RfJlfrXInOi0IZS5ekkeVh2JhLpTHdSWUlzqzswSH/kCX+EUzK6mAytZom9tQ9VH
+v9Qxj+2tOmXHWoEU8+GS/JXQ1uOX47uSO4/FaNrNbYAkAjAsr1EYHElovedjXwry
+V6Ept9y72NSdmqeIksE5f0xWBgVkICQT+FAoecdgPUrlWyGa6MYMzUUHbx1gPPm2
+Xreh+3K/pspx8ajJicfs8OzaiufE1zbjBUCKnKXnghdVbRMRgNoceifjs3nuPIsR
+nDhw2muFJqrSVdeFvz8O1sVqIIGky2ZX7Iz0hNJX081LDsHF1SFsvN1Jt0w3UdeF
+K/r7mgTIGzhb9nNdxirC+6NZPF2rvmc53fYb0TaUwDV5BbG8l3nWecq9HOH+5g/s
+W322ruHZI/OW67KiDLZYwntqI8hKwJK6O2ncrJJB/EpqXuacDyeAe0w9+X39R4PK
+46f3GMD6RyoUsCrN+SnE3jswdn0aOpzwiKcGjOb6k35PL2RtFWXADotwoAVR/bMf
+nhQBTKvi11ePH29bwZn7db0TnQ2xJq8z/9QDFIF+yCdtjZ/D9jX36F3UEnYPl7sQ
+LRzR4/wSHZYFxzTWdXfzMuWH3FCBPa9LshJCYKveJ+2k/9QP861W5A2zUOYhrubB
+9j/hOpE9JpCPPvg7izrgm2mqosjwlLszXaWYBwlZPKCn5GDssm2PMKStPfJKxc/Y
+cwPX1HDaijFGxeFr1KfJ2k9PPRt1cn2sb5RCvXaDCEOq7T/E7Fic+iOjf2/WL//8
+eob7TEHgIH4qucTQ0QJCATdB/29CgXluXTxih8pbSZmH5ujCzzUeap1X3/1QFjRZ
+iQ7BzL348Z18edXJDN45KgXbtz8GN8DHk/bQxI6mpbVqI4AyIXzRvR57S3rKcRMU
+dkM5T9qquLGbQ1jhADjlWJp3M/B8Wdxqf7U1GxEqACoRa2zxP2Krv72r2Tomn7dQ
+TSEs0Nt4dP9HzKbVngPoOD12IRVm0AvzgYyh/HRej7l2YXnUlHReB2EH6AZIjfBC
+tjHEujinOXuC6UWCPFSgWy2x8uR/PGIle6SGJTbTlUY5MMozZxWlNcYkgNZS3nUk
+sLHGjTEjvbdSTB6pfvUJ8h1suDUPqQ7kNPH1hDrYH5+CKaAOyC8hGJFS3wjaCXBU
+Gthi5odLQFDmcUCAzollJQZxBsfHEOxp+Bx3HuG46fob3iKMfwYlfZwc9FtsW1eX
+jIUrlA7MnrwUnxf36S0oZJ9k9Ay8U08Am1xKm02rCPKSo4RE8UT/srM=
+-----END AGE ENCRYPTED FILE-----
diff --git a/run_onchange_30-ensure-cargo.sh.tmpl b/run_onchange_30-ensure-cargo.sh.tmpl
index 42a9b07..a89c3f1 100755
--- a/run_onchange_30-ensure-cargo.sh.tmpl
+++ b/run_onchange_30-ensure-cargo.sh.tmpl
@@ -4,6 +4,10 @@
 #  Make sure rustup/cargo is available. If not, install rustup.
 #  After cargo is ready, install bat from crates.io on debian (apt renames
 #  upstream bat to batcat, which breaks .zshrc's `alias cat=bat`).
+#  Also install topgrade (universal update tool) and cargo-update (so cargo
+#  packages themselves can be bumped). Prefer OS package managers when
+#  available — only fall back to `cargo install` if the package isn't in
+#  apt/pacman/chaotic-aur.
 #
 #  Runs on every apply because the script body rarely changes but we want a
 #  fresh check after package installs.
@@ -31,16 +35,58 @@ export PATH="$HOME/.cargo/bin:$PATH"
 log "rustup installed: $(rustup --version 2>/dev/null || echo unknown)"
 log "cargo installed: $(cargo --version)"
 
-# --- 2. Install bat from crates.io if missing (debian only) ---
+# --- 2. Install bat (upstream binary, not renamed batcat) ---
+# On debian, apt installs bat as "batcat" (Debian has its own unrelated bat).
+# The clean fix is cargo install on debian, pacman on arch.
 {{ if eq .os_family "debian" -}}
 if ! command -v bat >/dev/null 2>&1; then
-    log "installing bat via cargo (upstream, debian renames it to batcat)"
+    log "installing bat via cargo (debian renames upstream bat to batcat)"
     cargo install bat --locked
     log "bat installed: $(bat --version)"
 else
     log "bat already installed: $(bat --version)"
 fi
 {{ else -}}
-# Arch already installs upstream bat via pacman; nothing extra to do.
+# Arch already installs upstream bat via pacman [extra].
 log "skipping cargo bat install (os_family={{ .os_family }}, pacman handles it)"
-{{ end -}}
\ No newline at end of file
+{{ end -}}
+
+# --- 3. Install topgrade (universal update tool) ---
+# topgrade walks through system packages, language toolchains, dev tools,
+# and runs each one's update command. It's a single command for "update
+# everything on this box."
+#   - arch: topgrade is in [chaotic-aur] (we have chaotic-aur configured).
+#           Use pacman to get system-tracked installs.
+#   - debian: topgrade isn't in apt. Install via cargo (no PM alternative).
+if ! command -v topgrade >/dev/null 2>&1; then
+{{ if eq .os_family "arch" -}}
+    log "installing topgrade via pacman (chaotic-aur)"
+    sudo pacman -S --needed --noconfirm topgrade
+{{ else if eq .os_family "debian" -}}
+    log "installing topgrade via cargo (debian has no topgrade package)"
+    cargo install topgrade --locked
+{{ else -}}
+    log "WARNING: topgrade install not configured for os_family={{ .os_family }}"
+{{ end -}}
+    log "topgrade installed: $(topgrade --version | head -1)"
+else
+    log "topgrade already installed: $(topgrade --version | head -1)"
+fi
+
+# --- 4. Install cargo-update (so we can `cargo install-update -a`) ---
+# Used to bump cargo-installed packages. Arch has it in [extra]; debian
+# doesn't ship it.
+if ! command -v cargo-install-update >/dev/null 2>&1; then
+{{ if eq .os_family "arch" -}}
+    log "installing cargo-update via pacman"
+    sudo pacman -S --needed --noconfirm cargo-update
+{{ else if eq .os_family "debian" -}}
+    log "installing cargo-update via cargo (debian has no cargo-update package)"
+    cargo install cargo-update --locked
+{{ else -}}
+    log "WARNING: cargo-update install not configured for os_family={{ .os_family }}"
+{{ end -}}
+    log "cargo-update installed"
+else
+    log "cargo-update already installed"
+fi
\ No newline at end of file