From ac0944df706e23671e0e8ded48e6d36143a2f82d Mon Sep 17 00:00:00 2001
From: technowhizz <7688823+technowhizz@users.noreply.github.com>
Date: Thu, 20 Nov 2025 17:11:15 +0000
Subject: [PATCH 1/4] Add vscode to gitignore editors
---
 .gitignore | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.gitignore b/.gitignore
index c3f5a5d..ad7cf48 100644
--- a/.gitignore
+++ b/.gitignore
@@ -107,3 +107,4 @@ venv.bak/
 *~
 .*.swp
 .*sw?
+.vscode
From 3b46900e05191d894e78d609b2d81c19af08bf3c Mon Sep 17 00:00:00 2001
From: technowhizz <7688823+technowhizz@users.noreply.github.com>
Date: Thu, 20 Nov 2025 18:13:14 +0000
Subject: [PATCH 2/4] Add logic to deal with vault password scripts
---
 beokay.py | 60 +++++++++++++++++++++++++++++++++++++++----------------
 1 file changed, 43 insertions(+), 17 deletions(-)
diff --git a/beokay.py b/beokay.py
index 6669cbc..d317048 100755
--- a/beokay.py
+++ b/beokay.py
@@ -53,9 +53,15 @@ def parse_args():
 create_parser.add_argument("--python", default="python3", help="Python "
 "executable to use to create the Kayobe "
 "virtual environment")
- create_parser.add_argument("--vault-password-file", help="Path to an "
- "Ansible Vault password file used to encrypt "
- "secrets")
+ create_vault_password_group = create_parser.add_mutually_exclusive_group()
+ create_vault_password_group.add_argument("--vault-password-file",
+ help="Path to an Ansible Vault "
+ "password file used to "
+ "encrypt secrets")
+ create_vault_password_group.add_argument("--vault-password-script",
+ help="Path to a script that "
+ "prints the Ansible Vault "
+ "password to stdout")
 destroy_parser = subparsers.add_parser("destroy", help="Destroy a Kayobe environment")
 destroy_parser.add_argument("--base-path", default=os.getcwd(),
@@ -69,10 +75,17 @@ def parse_args():
 help="Kayobe configuration environment file to "
 "source")
 run_parser.add_argument("--kayobe-config-env-name", default=None,
- help="Kayobe configuration environment name to "
+ help="Kayobe configuration environment name to "
 "use")
- run_parser.add_argument("--vault-password-file", help="Path to an Ansible "
- "Vault password file used to encrypt secrets")
+ run_vault_password_group = run_parser.add_mutually_exclusive_group()
+ run_vault_password_group.add_argument("--vault-password-file",
+ help="Path to an Ansible Vault "
+ "password file used to encrypt "
+ "secrets")
+ run_vault_password_group.add_argument("--vault-password-script",
+ help="Path to a script that "
+ "prints the Ansible Vault "
+ "password to stdout")
 parsed_args = parser.parse_args()
 if parsed_args.action == None:
@@ -115,6 +128,10 @@ def set_vault_password(parsed_args):
 if parsed_args.vault_password_file:
 with open(parsed_args.vault_password_file) as f:
 os.environ["KAYOBE_VAULT_PASSWORD"] = f.read()
+ elif parsed_args.vault_password_script:
+ output = subprocess.check_output(parsed_args.vault_password_script,
+ shell=True, text=True)
+ os.environ["KAYOBE_VAULT_PASSWORD"] = output
 def git_clone(repo, branch, path, ssh_key):
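Review bot: In set_vault_password, the new `elif` branch runs the `--vault-password-script` value with `shell=True`, so the shell parses it as a command line rather than executing the path the help text describes, and any spaces or shell metacharacters in the value change what runs. Passing an argument list avoids the shell entirely: `output = subprocess.check_output([parsed_args.vault_password_script], text=True)`. That would also match env-vars.sh, where PATCH 3/4 quotes the same value as a single word. The captured output keeps whatever trailing newline the script prints, while the `$(...)` form written to env-vars.sh strips it, so the two paths can export different values; `os.environ["KAYOBE_VAULT_PASSWORD"] = output.rstrip("\n")` would align them, though whether the consumer tolerates the newline is not visible here. The start of the function lies outside the hunk.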
@@ -178,17 +195,26 @@ def create_env_vars_script(parsed_args):
 """Creates an env-vars script for the kayobe environment."""
 env_vars_file = os.path.join(get_path(parsed_args), 'env-vars.sh')
 env_name = get_env_name(parsed_args)
- vault_password = (f"export KAYOBE_VAULT_PASSWORD=$(cat {parsed_args.vault_password_file})"
- if parsed_args.vault_password_file else "")
-
- # Construct the content for the script
- content = f"""#!/bin/bash
-{vault_password}
-source {get_path(parsed_args, 'venvs', 'kayobe', 'bin', 'activate')}
-source {get_path(parsed_args, 'src', 'kayobe-config', 'kayobe-env')}{env_name}
-source <(kayobe complete)
-cd {get_path(parsed_args, 'src', 'kayobe-config', 'etc', 'kayobe/')}
- """
+ vault_password = ""
+ if parsed_args.vault_password_file:
+ vault_password = ("export KAYOBE_VAULT_PASSWORD=$(cat "
+ f"{parsed_args.vault_password_file})")
+ elif parsed_args.vault_password_script:
+ vault_password = ("export KAYOBE_VAULT_PASSWORD=$("
+ f"{parsed_args.vault_password_script})")
+
+ lines = [
+ "#!/bin/bash",
+ ]
+ if vault_password:
+ lines.append(vault_password)
+ lines.extend([
+ f"source {get_path(parsed_args, 'venvs', 'kayobe', 'bin', 'activate')}",
+ f"source {get_path(parsed_args, 'src', 'kayobe-config', 'kayobe-env')}{env_name}",
+ "source <(kayobe complete)",
+ f"cd {get_path(parsed_args, 'src', 'kayobe-config', 'etc', 'kayobe/')}",
+ ])
+ content = "\n".join(lines) + "\n"
 # Write the script
 with open(env_vars_file, "w", encoding="utf-8") as f:
From 0c4ee390ed11766421f333aaac1ec36f7d49145c Mon Sep 17 00:00:00 2001
From: technowhizz <7688823+technowhizz@users.noreply.github.com>
Date: Thu, 20 Nov 2025 18:48:53 +0000
Subject: [PATCH 3/4] Add safe quoting with shlex
---
 beokay.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/beokay.py b/beokay.py
index d317048..dcbb7f7 100755
--- a/beokay.py
+++ b/beokay.py
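Review bot: In the PATCH 2/4 create_env_vars_script hunk, the rebuilt `lines` list still interpolates the `get_path(...)` results into the `source` and `cd` lines unquoted, so a base path containing spaces or shell metacharacters produces an env-vars.sh that sources or changes into something other than the intended directory. The base path appears to come from `--base-path`, which defaults to `os.getcwd()` on the destroy parser; `get_path` itself is not visible here. Quoting these the same way PATCH 3/4 quotes the vault options would close the gap, e.g. `f"source {shlex.quote(get_path(parsed_args, 'venvs', 'kayobe', 'bin', 'activate'))}"`. The `{env_name}` suffix on the kayobe-env line needs separate handling, since its format is not shown, and the function continues past the end of the hunk.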
@@ -14,6 +14,7 @@ BooleanOptionalAction = "store_true"
 import os
 import os.path
+import shlex
 import shutil
 import subprocess
 import sys
@@ -198,10 +199,10 @@ def create_env_vars_script(parsed_args):
 vault_password = ""
 if parsed_args.vault_password_file:
 vault_password = ("export KAYOBE_VAULT_PASSWORD=$(cat "
- f"{parsed_args.vault_password_file})")
+ f"{shlex.quote(parsed_args.vault_password_file)})")
 elif parsed_args.vault_password_script:
 vault_password = ("export KAYOBE_VAULT_PASSWORD=$("
- f"{parsed_args.vault_password_script})")
+ f"{shlex.quote(parsed_args.vault_password_script)})")
 lines = [
 "#!/bin/bash",
From 381effdb7dbc6ac9f72f139f6c94a9ccbd427094 Mon Sep 17 00:00:00 2001
From: technowhizz <7688823+technowhizz@users.noreply.github.com>
Date: Wed, 26 Nov 2025 13:52:14 +0000
Subject: [PATCH 4/4] Remove extra space
---
 beokay.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/beokay.py b/beokay.py
index dcbb7f7..94b0a6d 100755
--- a/beokay.py
+++ b/beokay.py
@@ -76,7 +76,7 @@ def parse_args():
 help="Kayobe configuration environment file to "
 "source")
 run_parser.add_argument("--kayobe-config-env-name", default=None,
- help="Kayobe configuration environment name to "
+ help="Kayobe configuration environment name to "
 "use")
 run_vault_password_group = run_parser.add_mutually_exclusive_group()
 run_vault_password_group.add_argument("--vault-password-file",
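Review bot: In the PATCH 3/4 create_env_vars_script hunk, the quoted `--vault-password-file` and `--vault-password-script` values are written into env-vars.sh exactly as typed, so a relative path is resolved against whatever directory the script is later sourced from, and a script name without a slash is looked up through `PATH` by `$(...)`. Either case can read or execute a different file from the one checked at create time. Resolving the path before quoting pins it, e.g. `shlex.quote(os.path.abspath(parsed_args.vault_password_script))`, and likewise for the file option. If `PATH` lookup of the script is intended, the option's help text should say so. The function starts before this hunk and continues past it.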