chore(framework): canonize Vault-as-SSOT + ESO-default secrets policy #519

Open

jason.woltje wants to merge 2 commits from chore/canonize-vault-secrets-policy into main

pull from: chore/canonize-vault-secrets-policy

merge into: mosaicstack:main

mosaicstack:main

mosaicstack:fix/git-wrapper-rollup-20260526

mosaicstack:fix/git-wrapper-repo-detection

mosaicstack:fix/woodpecker-wrapper-legacy-mosaic

mosaicstack:fix/t_301e4e3b-pr-merge-gitea-empty-uid

mosaicstack:fix/t-a292e96f-gitea-pr-metadata

mosaicstack:fix/gitea-pr-metadata-login-t-a292e96f

mosaicstack:fix/t_a292e96f-pr-metadata-gitea

mosaicstack:fix/t_3a368a52-gitea-usc-login

mosaicstack:fix/pr-ci-wait-stdin-collision

mosaicstack:docs/mission-control-resilience

mosaicstack:fix/bootstrap-hotfix

mosaicstack:fix/populate-known-packages-list

mosaicstack:fix/idempotent-init

Conversation 0 Commits 2 Files Changed 5 +792

2 Commits

Author	SHA1	Message	Date
Hermes Agent	e88a89f34d	fix(framework): remediate Codex review findings in VAULT-SECRETS.md ... Two should-fix findings from automated Codex review: 1. Vault KV v2 policy path — add explicit path for exact top-level `secret/data/k3s/<app>` entry alongside the wildcard `/*` sub-path rule. Without the exact path, apps reading the top-level secret get permission denied from Vault KV v2 even with the wildcard. 2. Go envconfig example — remove unused `os` import from config.go snippet (os was only referenced in a comment). Move the main() usage to a separate clearly-labelled main.go block to make both snippets copy-paste compilable. Both fixes mirrored to duplicate path: guides/ <-> packages/mosaic/framework/guides/ Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-22 12:01:29 -05:00
Hermes Agent	373e4558a3	chore(framework): canonize Vault-as-SSOT + ESO-default secrets policy ... Encodes operator-approved (Jason, 2026-05-22) secrets policy as binding framework rules across all Mosaic agent sessions and projects. Changes: - STANDARDS.md: add "Secrets handling (HARD RULE)" subsection under Non-Negotiables — Vault as SSOT, ESO bridge as default, Direct-Vault opt-in only, forbidden ${VAR:-default} for required values, forbidden .env in prod, required startup schema validation - VAULT-SECRETS.md: add four new sections — architecture decision matrix (ESO vs Direct-Vault), full ESO bridge worked example (Vault path + ExternalSecret + Deployment YAML + zod/pydantic/Go validators), Direct-Vault opt-in pattern (AppRole provisioning + ESO bootstrap for chicken-and-egg), and forbidden patterns CI lint targets - BOOTSTRAP.md: add "Secrets Bootstrap" required subsection with checklist for new apps (Vault path, README docs, ExternalSecret, secretKeyRef, schema validator, Direct-Vault justification) All duplicate file paths kept in sync (md5-equal pairs): guides/ <-> packages/mosaic/framework/guides/ packages/mosaic/framework/defaults/STANDARDS.md (single copy in repo) Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-22 11:58:27 -05:00