fix: remove GitHub CLI dependency from secrets setup

- setup-secrets.sh: Now uses curl + GitHub API directly (no gh CLI)
- setup-secrets.py: Uses requests + GitHub API directly (no gh CLI)
- GITHUB_SECRETS_SETUP.md: Updated docs to reflect pure API approach

All methods now work without GitHub CLI:
- Method 1: Web UI (manual, no tools)
- Method 2: Bash script (curl + python)
- Method 3: Python script (requests + python)
- Method 4: Raw API (curl + jq)

Each method handles NaCl encryption for GitHub API.

🤖 Generated with Claude Code

Co-Authored-By: Claude <noreply@anthropic.com>

Author: bhunt

GITHUB_SECRETS_SETUP.md

@@ -64,73 +64,93 @@ You should see all 5 secrets listed (values are hidden for security).
 
 ---
 
-## Method 2: GitHub CLI (Fast, 2 minutes)
+## Method 2: Bash Script (Fast, 2 minutes)
 
-**Requires**: GitHub CLI installed (`gh`) and authenticated
+**Requires**: curl, python3, PyNaCl (no GitHub CLI needed!)
 
-### Install & Authenticate
+### Setup
 
 ```bash
-# Install if you haven't
-brew install gh
+# Install dependencies
+pip install pynacl
 
-# Authenticate
-gh auth login
-# Follow prompts (choose HTTPS, create token if needed)
+# Create GitHub Personal Access Token:
+# 1. Go to: https://github.com/settings/tokens/new
+# 2. Name: "Binary Math Secrets"
+# 3. Scopes: repo, admin:repo_hook
+# 4. Generate and copy token
 ```
 
-### Run Our Script
+### Run the Script
 
 ```bash
-# Make executable
-chmod +x setup-secrets.sh
+# Set your token in environment
+export GITHUB_TOKEN=ghp_xxxxxxxxxxxx
 
-# Run the script
+# Make executable and run
+chmod +x setup-secrets.sh
 ./setup-secrets.sh
 ```
 
 The script will:
-1. Prompt for each secret value
-2. Use `gh secret set` to add them
-3. Confirm each one
+1. Validate your token
+2. Fetch GitHub's public key
+3. Prompt for each secret value
+4. Encrypt with PyNaCl
+5. POST directly to GitHub API
+6. Confirm each one
 
-### Verify
+### What It Does (Under the hood)
 
-```bash
-gh secret list --repo ciscoittech/binary-math-system
-```
+- ✅ Uses curl for HTTP calls (no CLI)
+- ✅ Uses Python + PyNaCl for encryption
+- ✅ Directly calls GitHub API endpoints
+- ✅ Completely CLI-free approach
 
 ---
 
-## Method 3: Python Script (Automated, 2 minutes)
+## Method 3: Python Script (Fully Automated)
 
-**Requires**: Python 3.7+, `requests`, `pynacl` libraries
+**Requires**: Python 3.7+, `requests`, `pynacl` libraries (no CLI)
 
 ### Setup
 
 ```bash
 # Install dependencies
 pip install requests pynacl
 
-# Make executable
-chmod +x setup-secrets.py
+# Create GitHub Personal Access Token:
+# 1. Go to: https://github.com/settings/tokens/new
+# 2. Name: "Binary Math Secrets"
+# 3. Scopes: repo, admin:repo_hook
+# 4. Generate and copy token
+```
+
+### Run
 
-# Run
+```bash
+# Set your token
+export GITHUB_TOKEN=ghp_xxxxxxxxxxxx
+
+# Run the script
+chmod +x setup-secrets.py
 python3 setup-secrets.py
 ```
 
 The script will:
-1. Use GitHub API to encrypt secrets
-2. Prompt for each value
-3. Set them directly via API
+1. Get your token from environment
+2. Fetch GitHub's public key via API
+3. Prompt for each secret value
+4. Encrypt with PyNaCl
+5. POST directly to GitHub API
+6. Verify each one
 
 ### What It Does
 
-- Authenticates via `gh` CLI
-- Gets public key from GitHub for encryption
-- Encrypts each secret with public key
-- Posts to GitHub API
-- Verifies setup
+- ✅ Uses requests for HTTP calls (no CLI)
+- ✅ Uses PyNaCl for encryption
+- ✅ Directly calls GitHub API endpoints
+- ✅ Completely CLI-free approach
 
 ---
 
@@ -175,52 +195,55 @@ curl -X PUT \
 
 ---
 
-## Recommended: Use Method 1 or 2
+## Recommended: Use Method 1, 2, or 3
 
-### If you like clicking:
-→ **Method 1** (Web UI)
+### If you prefer clicking (easiest):
+→ **Method 1** (Web UI - no tools needed)
 
-### If you like terminals:
-→ **Method 2** (GitHub CLI)
+### If you prefer shell (fast):
+→ **Method 2** (Bash script - no GitHub CLI)
 
-### If you want it fully automated:
-→ **Method 3** (Python script)
+### If you want full automation:
+→ **Method 3** (Python script - no GitHub CLI)
 
 ---
 
 ## Troubleshooting
 
-### "gh: command not found"
+### "GITHUB_TOKEN not set"
 ```bash
-# Install GitHub CLI
-brew install gh
-
-# Then authenticate
-gh auth login
-```
-
-### "Not authenticated with GitHub"
-```bash
-# Authenticate
-gh auth login
+# Create Personal Access Token at:
+# https://github.com/settings/tokens/new
+#
+# Scopes: repo, admin:repo_hook
+#
+# Then set it:
+export GITHUB_TOKEN=ghp_xxxxxxxxxxxx
 
 # Verify
-gh auth status
+echo $GITHUB_TOKEN  # Should show your token
 ```
 
-### "Python: No module named requests"
+### "No module named requests" or "No module named nacl"
 ```bash
 pip install requests pynacl
 ```
 
-### "401 Unauthorized" (API method)
+### "401 Unauthorized"
 ```bash
-# Your token may have expired
-gh auth login  # Re-authenticate
+# Your token may have expired or wrong scopes
+# Create new at: https://github.com/settings/tokens/new
+# Make sure scopes include: repo, admin:repo_hook
 
-# Or create new Personal Access Token:
-# https://github.com/settings/tokens/new
-# Scopes: repo, admin:repo_hook
+# Set it again
+export GITHUB_TOKEN=ghp_xxxxxxxxxxxx
+```
+
+### "Failed to get public key"
+```bash
+# Your token may not have correct permissions
+# Check it has: repo, admin:repo_hook scopes
+# Create new at: https://github.com/settings/tokens/new
 ```
 
 ### Secrets not showing up
@@ -234,22 +257,17 @@ gh auth login  # Re-authenticate
 
 After adding secrets, verify they're there:
 
-### Via Web UI
+### Via Web UI (Best)
 - Go to `https://github.com/ciscoittech/binary-math-system/settings/secrets/actions`
-- You should see all 5 secrets listed
+- You should see all 5 secrets listed (values are hidden)
 
-### Via CLI
-```bash
-gh secret list --repo ciscoittech/binary-math-system
+Expected to see:
 ```
-
-Expected output:
-```
-CLOUDFLARE_API_TOKEN
-CLOUDFLARE_ACCOUNT_ID
-TURSO_URL
-TURSO_AUTH_TOKEN
-OPENROUTER_API_KEY
+CLOUDFLARE_API_TOKEN       Updated X minutes ago
+CLOUDFLARE_ACCOUNT_ID      Updated X minutes ago
+TURSO_URL                  Updated X minutes ago
+TURSO_AUTH_TOKEN           Updated X minutes ago
+OPENROUTER_API_KEY         Updated X minutes ago (optional)
 ```
 
 ---
@@ -264,13 +282,17 @@ After secrets are set:
    ```
 
 2. **Watch GitHub Actions**
-   ```bash
-   https://github.com/ciscoittech/binary-math-system/actions
-   ```
+   - Go to: `https://github.com/ciscoittech/binary-math-system/actions`
+   - Should see workflow running
+   - Tests will run, then deploy to Cloudflare
 
-3. **Monitor logs**
+3. **Verify deployment**
    ```bash
-   gh run list --repo ciscoittech/binary-math-system
+   # Check API is live
+   curl https://api.binarymath.dev/health
+
+   # Visit web app
+   https://binary-math.pages.dev
    ```
 
 ---
@@ -289,17 +311,23 @@ After secrets are set:
 
 To update a secret (e.g., if token expires):
 
-### Method 1 (Web UI)
-1. Go to Settings → Secrets
-2. Find the secret
-3. Click "Update"
-4. Enter new value
-5. Click "Update secret"
+### Method 1 (Web UI - Easiest)
+1. Go to `https://github.com/ciscoittech/binary-math-system/settings/secrets/actions`
+2. Find the secret you want to update
+3. Click the secret name
+4. Click "Update"
+5. Enter new value
+6. Click "Update secret"
 
-### Method 2 (CLI)
+### Method 2 (Script)
 ```bash
-gh secret set SECRET_NAME --repo ciscoittech/binary-math-system
-# Paste new value when prompted
+# Set your token
+export GITHUB_TOKEN=ghp_xxxxxxxxxxxx
+
+# Update one secret
+pip install requests pynacl
+python3 setup-secrets.py
+# Just enter the value for the one you want to update, skip others
 ```
 
 ---

setup-secrets.py

@@ -9,7 +9,6 @@
 import sys
 import json
 import base64
-import subprocess
 from pathlib import Path
 
 try:
@@ -19,6 +18,13 @@
     print("Install with: pip install requests")
     sys.exit(1)
 
+try:
+    from nacl import public, utils
+except ImportError:
+    print("❌ PyNaCl library not installed")
+    print("Install with: pip install pynacl")
+    sys.exit(1)
+
 # Configuration
 REPO = "ciscoittech/binary-math-system"
 GITHUB_API = "https://api.github.com"
@@ -60,20 +66,22 @@
 
 
 def get_github_token():
-    """Get GitHub token from gh CLI"""
-    try:
-        result = subprocess.run(
-            ["gh", "auth", "token"],
-            capture_output=True,
-            text=True,
-            check=True,
-        )
-        return result.stdout.strip()
-    except (FileNotFoundError, subprocess.CalledProcessError):
-        print("❌ GitHub CLI not installed or not authenticated")
-        print("Install: https://cli.github.com")
-        print("Or set GITHUB_TOKEN environment variable")
+    """Get GitHub token from environment variable"""
+    token = os.getenv("GITHUB_TOKEN")
+    if not token:
+        print("❌ GITHUB_TOKEN environment variable not set")
+        print()
+        print("Create a Personal Access Token:")
+        print("  1. Go to: https://github.com/settings/tokens/new")
+        print("  2. Name: 'Binary Math Secrets'")
+        print("  3. Scopes: repo, admin:repo_hook")
+        print("  4. Generate token and copy it")
+        print()
+        print("Then run:")
+        print("  export GITHUB_TOKEN=ghp_xxxxxxxxxxxx")
+        print("  python3 setup-secrets.py")
         return None
+    return token
 
 
 def get_public_key(token):