chore(framework): canonize Vault-as-SSOT + ESO-default secrets policy
Encodes operator-approved (Jason, 2026-05-22) secrets policy as binding
framework rules across all Mosaic agent sessions and projects.
Changes:
- STANDARDS.md: add "Secrets handling (HARD RULE)" subsection under
Non-Negotiables — Vault as SSOT, ESO bridge as default, Direct-Vault
opt-in only, forbidden ${VAR:-default} for required values, forbidden
.env in prod, required startup schema validation
- VAULT-SECRETS.md: add four new sections — architecture decision matrix
(ESO vs Direct-Vault), full ESO bridge worked example (Vault path +
ExternalSecret + Deployment YAML + zod/pydantic/Go validators),
Direct-Vault opt-in pattern (AppRole provisioning + ESO bootstrap
for chicken-and-egg), and forbidden patterns CI lint targets
- BOOTSTRAP.md: add "Secrets Bootstrap" required subsection with
checklist for new apps (Vault path, README docs, ExternalSecret,
secretKeyRef, schema validator, Direct-Vault justification)
All duplicate file paths kept in sync (md5-equal pairs):
guides/ <-> packages/mosaic/framework/guides/
packages/mosaic/framework/defaults/STANDARDS.md (single copy in repo)
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
373e4558a3