
fix(ansible): inject AUTOBOT_INTERNAL_API_KEY into SLM and backend process env (#3512) #3513

Merged
mrveiss merged 3 commits into Dev_new_gui from issue-3512
Apr 5, 2026

mrveiss (Owner) commented Apr 5, 2026

What was broken

personality_proxy.py and voice_proxy.py in the SLM backend read AUTOBOT_INTERNAL_API_KEY from their process environment. When the variable is absent (which it always was), both proxies immediately returned HTTP 503:

Personality service not configured (missing internal API key)

The main backend's auth_middleware.py also reads AUTOBOT_INTERNAL_API_KEY — the same gap meant the internal-key auth path could never succeed.

The Ansible role already defined autobot_internal_api_key in defaults/main.yml and wrote it into the nginx config (autobot-slm.conf.j2) for the X-Internal-API-Key proxy header, but it was never written into the EnvironmentFile templates that systemd loads for the actual Python processes.

What was fixed

Added AUTOBOT_INTERNAL_API_KEY={{ autobot_internal_api_key }} to both EnvironmentFile templates so the variable is available in the process environment at runtime. Updated the comment in defaults/main.yml to make clear that setting this variable is required for personality and voice proxies to function.

Files changed

  • autobot-slm-backend/ansible/roles/slm_manager/templates/slm-secrets.env.j2 — added AUTOBOT_INTERNAL_API_KEY after SLM_ADMIN_PASSWORD
  • autobot-slm-backend/ansible/roles/backend/templates/backend.env.j2 — added AUTOBOT_INTERNAL_API_KEY in the Security section after CORS_ORIGINS
  • autobot-slm-backend/ansible/roles/slm_manager/defaults/main.yml — updated comment to state the variable is REQUIRED for personality/voice proxies and is now injected into process environments

Operators must set autobot_internal_api_key to a non-empty secret in their Ansible inventory or vault; the default of "" disables the feature (proxies will still 503 unless a value is provided).

Closes #3512

github-actions bot commented Apr 5, 2026

✅ SSOT Configuration Compliance: Passing

🎉 No hardcoded values detected that have SSOT config equivalents!

mrveiss (Owner, Author) commented Apr 5, 2026

Code review

Found 1 issue (now fixed in the same PR):

  1. autobot_internal_api_key undefined in the backend Ansible role: backend.env.j2 referenced {{ autobot_internal_api_key }} but roles/backend/defaults/main.yml had no default for it. When the backend role runs on a separate fleet host (without slm_manager vars in scope), Ansible would abort with an undefined-variable error or silently render an empty string. Fixed by adding autobot_internal_api_key: "" to the backend role defaults.

# API settings
backend_secret_key: "change-me-in-production"
backend_jwt_secret: "autobot-jwt-secret-change-in-production-minimum-32-chars"
backend_cors_origins: "*"
# Internal API key shared with SLM backend for proxy authentication (#1779, #3512).
# REQUIRED for personality and voice proxies — set via Ansible Vault or inventory.
autobot_internal_api_key: ""

🤖 Generated with Claude Code

- If this code review was useful, please react with 👍. Otherwise, react with 👎.
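
An added example, not code from this PR or the AutoBot project: a post-deploy check in Python that parses the rendered EnvironmentFiles and reports the two failure modes discussed in this thread (key line absent, key rendered empty from the "" default), plus a mismatch between the two files, assuming both processes are meant to share one value. The file labels and all sample contents are constructed, and the parser handles only plain KEY=VALUE lines.

```python
"""Added example: post-deploy check of rendered systemd EnvironmentFiles."""
import hmac

KEY = "AUTOBOT_INTERNAL_API_KEY"


def parse_env_file(text):
    """Parse KEY=VALUE lines as systemd EnvironmentFile= does (simplified)."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue  # blank line, comment, or not an assignment
        name, value = line.split("=", 1)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]  # drop one pair of surrounding quotes
        env[name.strip()] = value
    return env


def check_internal_key(rendered):
    """rendered: {label: env-file text}. Returns findings; empty list means OK."""
    findings, values = [], {}
    for label, text in rendered.items():
        value = parse_env_file(text).get(KEY)
        if value is None:
            findings.append(f"{label}: {KEY} not present in rendered file")
        elif value == "":
            findings.append(f"{label}: {KEY} is empty (role default rendered)")
        else:
            values[label] = value
    labels = sorted(values)
    for other in labels[1:]:
        # Assumption: every process shares one key, so values must match.
        if not hmac.compare_digest(values[labels[0]].encode(), values[other].encode()):
            findings.append(f"{labels[0]} and {other}: {KEY} values differ")
    return findings


# Constructed sample renderings, not taken from the repository.
SLM_EMPTY = "SLM_ADMIN_PASSWORD=constructed-value\nAUTOBOT_INTERNAL_API_KEY=\n"
SLM_OK = "SLM_ADMIN_PASSWORD=constructed-value\nAUTOBOT_INTERNAL_API_KEY=constructed-key-1\n"
BACKEND_PRE_FIX = "CORS_ORIGINS=*\n"
BACKEND_OK = "CORS_ORIGINS=*\nAUTOBOT_INTERNAL_API_KEY=constructed-key-1\n"

if __name__ == "__main__":
    bad = {"slm-secrets.env": SLM_EMPTY, "backend.env": BACKEND_PRE_FIX}
    for finding in check_internal_key(bad):
        print("FAIL", finding)
```

The findings name only the file and the condition, never the key value, so the output is safe to keep in deploy logs.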
