feat(security): add role_wrapper.sh and update setup_missions for secure token injection

native_crumbcore_v1/scripts/role_wrapper.sh

@@ -0,0 +1,37 @@
+#!/bin/bash
+# 🛡️ Crumbforest Role Wrapper
+# Injects secrets securely at runtime without storing them in user env.
+
+ENV_FILE="/opt/crumbforest/.env"
+
+# 1. Check if .env exists
+if [ ! -f "$ENV_FILE" ]; then
+    echo "❌ Error: Configuration not found at $ENV_FILE"
+    exit 1
+fi
+
+# 2. Extract API Key (securely)
+# We use grep/sed to avoid sourcing the entire file (security best practice)
+API_KEY=$(grep "^OPENROUTER_API_KEY=" "$ENV_FILE" | cut -d'=' -f2-)
+
+if [ -z "$API_KEY" ]; then
+    echo "❌ Error: OPENROUTER_API_KEY not found in config."
+    exit 1
+fi
+
+# 3. Export for the sub-process
+export OPENROUTER_API_KEY="$API_KEY"
+
+# 4. Determine the target script
+ROLE_SCRIPT="$1"
+shift  # Remove script name from args
+
+# Check if script exists
+if [ ! -f "$ROLE_SCRIPT" ]; then
+    echo "❌ Error: Role script not found: $ROLE_SCRIPT"
+    exit 1
+fi
+
+# 5. Execute the role script with arguments
+# We use 'exec' to replace the wrapper process with the target
+exec "$ROLE_SCRIPT" "$@"

native_crumbcore_v1/setup_missions.sh

@@ -76,6 +76,22 @@ echo "Tipp: Schau dir den Ordner 'missions' an."
 PS1='\[\033[01;32m\]\u@crumbforest\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
 alias ll='ls -alF'
 alias bugsy='tail -f /var/log/crumbforest/chat_history.jsonl'
+
+EOF
+fi
+
+# 4b. Setup Role Aliases (Separate check to ensure update on existing installs)
+if ! grep -q "alias dumbo" "$HOME_DIR/.bashrc"; then
+    cat << 'EOF' >> "$HOME_DIR/.bashrc"
+
+# 🎭 Role Aliases (Secure Wrapper)
+WRAPPER="/opt/crumbforest/native_crumbcore_v1/scripts/role_wrapper.sh"
+DUMBO_SCRIPT="/opt/crumbforest/app/crumbforest_roles/dumbo_zero.sh"
+
+# Define Dumbo alias if script exists
+if [ -f "$DUMBO_SCRIPT" ]; then
+    alias dumbo="$WRAPPER $DUMBO_SCRIPT"
+fi
 EOF
 fi