# AGM Phase 1 Environment Bootstrap Runbook

Date: 2026-04-18

Purpose: Securely provision required environment variables and validate endpoint behavior after hardening.

## 1) Provision AGM Command-Center Variables

Source template: `.env.enterprise.template` in this repository.

Required:
- AGM_AUTOMATION_WEBHOOK_TOKEN
- AGM_EXPORT_TOKEN

Required when chat mirror is enabled:
- AGM_CHAT_DB_HOST
- AGM_CHAT_DB_NAME
- AGM_CHAT_DB_USER
- AGM_CHAT_DB_PASSWORD

Recommended:
- AGM_SLA_ACK_WEBHOOK_URL
- AGM_REVENUE_OPS_EMAIL
- AGM_SALES_OPS_EMAIL
- AGM_MARKETING_OPS_EMAIL
- AGM_PARTNERSHIPS_EMAIL

## 2) Provision CRM Variables

Source template: `../crm/.env.enterprise.template`.

Required:
- CRM_GOOGLE_API_KEY_1
- CRM_GOOGLE_CSE_ID

Optional failover:
- CRM_GOOGLE_API_KEY_2..CRM_GOOGLE_API_KEY_12
- CRM_BING_API_KEY

## 3) Windows Host Quick Set (Current Shell)

```powershell
$env:AGM_AUTOMATION_WEBHOOK_TOKEN = ""
$env:AGM_EXPORT_TOKEN = ""
$env:AGM_CHAT_DB_HOST = "localhost"
$env:AGM_CHAT_DB_NAME = ""
$env:AGM_CHAT_DB_USER = ""
$env:AGM_CHAT_DB_PASSWORD = ""
```

## 4) Execute Security Smoke Tests

From `agmnetwork`:

```powershell
pwsh -File .\scripts\smoke-test-phase1-security.ps1 -BaseUrl "http://127.0.0.1:8000"
```

Expected outcomes:
- Missing token checks return 403 (or 500 only if env is intentionally unset).
- Valid header-token checks return 200.

## 5) Evidence Capture

- Save smoke-test console output to sprint evidence.
- Update:
  - AGM_PHASE1_VALIDATION_CHECKLIST_2026-04-18.md
  - AGM_PHASE1_SECRETS_MIGRATION_BACKLOG_2026-04-18.md

## 6) Rotation and Ownership

- Rotate P0 tokens and DB secrets every 30 days.
- Enforce least privilege for chat DB credentials.
- Record owner and rotation date in your secure secret manager.
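
A pre-flight check to run between step 3 and the smoke tests in step 4, so that a 500 caused by an unset variable is not mistaken for a hardening failure. This is an added example, not a script from the repository; the names `Test-AgmEnvSet` and `Test-AgmPhase1Environment`, the `-IncludeCrm` switch, and the rule that chat mirror is treated as enabled when any `AGM_CHAT_DB_*` variable is set are assumptions.

```powershell
# Added example (not part of the repository): verify the variables from
# sections 1 and 2 are present in the current shell before smoke testing.

function Test-AgmEnvSet {
    param([Parameter(Mandatory)][string]$Name)
    # Process scope matches the "Current Shell" quick set in section 3.
    $value = [Environment]::GetEnvironmentVariable($Name)
    return -not [string]::IsNullOrWhiteSpace($value)
}

function Test-AgmPhase1Environment {
    [CmdletBinding()]
    param(
        # Assumption: pass this when the CRM variables live in the same shell.
        [switch]$IncludeCrm
    )

    $required = @('AGM_AUTOMATION_WEBHOOK_TOKEN', 'AGM_EXPORT_TOKEN')
    $chatDb   = @('AGM_CHAT_DB_HOST', 'AGM_CHAT_DB_NAME',
                  'AGM_CHAT_DB_USER', 'AGM_CHAT_DB_PASSWORD')

    if ($IncludeCrm) {
        $required += 'CRM_GOOGLE_API_KEY_1', 'CRM_GOOGLE_CSE_ID'
    }

    # Assumption: any AGM_CHAT_DB_* value means chat mirror is enabled,
    # so a partially filled set is reported instead of silently accepted.
    $chatPresent = @($chatDb | Where-Object { Test-AgmEnvSet -Name $_ })
    if ($chatPresent.Count -gt 0) {
        $required += $chatDb
    }

    foreach ($name in $required) {
        # Report presence only; the secret value is never written out.
        [pscustomobject]@{ Name = $name; Set = (Test-AgmEnvSet -Name $name) }
    }
}

$report  = @(Test-AgmPhase1Environment)
$missing = @($report | Where-Object { -not $_.Set })
$report | Format-Table -AutoSize

if ($missing.Count -gt 0) {
    throw ("Unset required variables: " + ($missing.Name -join ', '))
}
```

Because the table lists only variable names and a true/false flag, the console output can be saved alongside the smoke-test output in step 5 without exposing secrets.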