chore(framework): canonize Vault-as-SSOT + ESO-default secrets policy #519
Reference in New Issue
Block a user
Delete Branch "chore/canonize-vault-secrets-policy"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Summary
This PR encodes the Vault-as-source-of-truth + ESO-default secrets policy as binding framework rules, effective for all future agent work across all Mosaic projects.
Operator decision: Jason approved this wording via Discord on 2026-05-22.
Files updated
guides/VAULT-SECRETS.mdpackages/mosaic/framework/guides/VAULT-SECRETS.mdguides/BOOTSTRAP.mdpackages/mosaic/framework/guides/BOOTSTRAP.mdpackages/mosaic/framework/defaults/STANDARDS.md### Secrets handling (HARD RULE)under Non-NegotiablesDuplicate-path sync note
The framework files exist at two paths in this repo and must stay in sync:
guides/<->packages/mosaic/framework/guides/packages/mosaic/framework/defaults/STANDARDS.mdis the single canonical copy (no root-leveldefaults/dir exists in this repo)All pairs are md5-equal after this commit. Future maintainers: always edit both paths when modifying these files.
Policy summary (verbatim from STANDARDS.md)
${VAR:-default}fallback syntax is forbidden for required values in deploy configs. Use${VAR:?VAR is required}..envfiles in production deployment paths are forbidden.Recommended follow-up (subsequent PRs)
.woodpecker/) that catch the forbidden patterns listed inVAULT-SECRETS.md - Forbidden Patterns-- specifically: untagged${VAR:-default}in deploy configs,vault kvcalls in app source, hardcoded credential patterns, and.envfiles in production paths. Initially in warning mode, then error mode per Jason's staged-rollout plan.Review requirement
DO NOT MERGE without operator approval. This policy binds every future agent session and every Mosaic project. Jason should review the verbatim wording before this lands on main.
e88a89f34dtof6b901dbca