feat(bootstrap): Bun-workspace skeleton + typed config + vendored modules — T02

- Bun workspaces (packages/* + bootstrap); Pulumi nodejs runtime under
  packagemanager: bun (no npm fallback needed).
- bootstrap/config.ts: typed FoundationConfig per CONTRACT_001; loadConfig()
  fails closed, aggregating all missing+malformed keys in one error. Reads flat
  dotted keys; image digests excluded (they live in VERSIONS, D5).
- bootstrap/Pulumi.foundation.yaml: non-secret placeholders only (RFC-5737 vm.host,
  .invalid offsite); no encryptionsalt/secrets committed (D2). pulumi preview = 0
  resources under the passphrase provider via gitignored file:// state backend.
- Stage-1 vendoring: packages/pulumi-{docker,vault} as @olsitec/* (source-only,
  logic unchanged). vault's 5 type-only imports from modules/olsitec re-homed
  verbatim into pulumi-vault/olsitec-types.ts to keep the egg self-contained.

Realizes PLAN-002 §10 T02; ADR-005 / 000_TOPOLOGY.md §5 Stage-1.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Andreas Niemann 2026-06-30 18:06:21 +02:00
parent edc708b826
commit 57c4eadea7
26 changed files with 2758 additions and 0 deletions


@ -0,0 +1,52 @@
# VENDORED — `@olsitec/pulumi-vault`
**Source (absolute path):** `/Users/andiolsi/work/olsicloud4/pulumi/modules/vault/`
**Copy date:** 2026-06-30
**Stage:** Stage-1 vendoring per [`documentation/000_TOPOLOGY.md` §5](../../documentation/000_TOPOLOGY.md).
## What this is
A verbatim copy of the olsicloud4 `modules/vault` Pulumi module — the Vault init/unseal
capture (`VaultInitialization`) and the secret-engine/AppRole bootstrap
(`VaultBootstrap`, `VaultExternalSecretsClusterAppRole`, `VaultProject`) plus the admin
policy (`policy.ts`). Core of the foundation secret layer (ADR-004, PLAN-002 §4). At
day-zero `bootstrap/` consumes it locally through the Bun workspace, not from a registry.
## What was copied
`index.ts`, `policy.ts`, `package.json`, `tsconfig.json`, `.editorconfig`, `.gitignore`.
**Not copied:** `node_modules/`, `package-lock.json` (lockfiles), `.git/`.
## Changes made vs. the source
- `package.json` `name`: `vault``@olsitec/pulumi-vault`; added `version` (`0.0.0`,
pre-publish placeholder) and `main`/`types` (`index.ts`) for Bun-workspace resolution.
- **Type-only re-home (no logic change):** the upstream `index.ts` imports five
*purely type-level* declarations from its sibling module `../../modules/olsitec`
(`OlsitecProjectFeatureFlags`, `OlsitecCredentialTypes`, `GitProjectCredentials`,
`OciRegistryCredentials`, `MinioBackupProjectCredentials`). That sibling transitively
pulls in `modules/minio`, `modules/gitlab`, and `modules/kubernetes`, none of which
belong in the foundation egg and none of which are vendored. To keep this package
self-contained, those five type declarations were copied **verbatim** into a new local
file `olsitec-types.ts`, and the one import line in `index.ts` was re-pointed from
`../../modules/olsitec` to `./olsitec-types`. This is the **only** edit to `index.ts`;
no runtime/behavioural logic changed.
- `tsconfig.json` `files`: added `policy.ts` and `olsitec-types.ts` so the package
type-checks standalone (`tsc --noEmit`).
> **Note (out of scope for T02):** `VaultProject` and `VaultBootstrap` still reference
> minio/garage/cockroach/mongo credential shapes inherited from the Layer-1 olsitec module.
> The foundation egg only needs `VaultInitialization` (init/unseal capture) + `VaultBootstrap`.
> Trimming the unused Layer-1 surface is a deliberate later refactor (000_TOPOLOGY.md §5.1
> "refactor for Layer 0"), NOT part of Stage-1 vendoring — Stage 1 preserves the source as-is.
## Lifecycle (000_TOPOLOGY.md §5)
- **Stage 1 — VENDOR (this commit):** copied here; consumed locally via Bun workspace.
- **Stage 2 — PUBLISH (later task):** CI publishes `@olsitec/pulumi-vault@<semver>` to the
foundation Forgejo npm registry once it exists.
- **Stage 3 — CONSUME (steady state):** downstream switches imports to the published package;
the old module is frozen then removed.
Do not refactor the vendored logic here beyond the type-only re-home documented above.
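Review bot: the provenance header ("Source (absolute path)" / "Copy date") pins this vendored copy only to a developer-local path (`/Users/andiolsi/work/olsicloud4/pulumi/modules/vault/`) and a date, so nobody else can verify the "verbatim copy" and "no runtime/behavioural logic changed" claims; record the upstream repository and the exact commit SHA the six files were copied from (a per-file checksum would also help) next to or instead of the local path, so a reviewer can diff the vendored `index.ts` against that revision and confirm the `./olsitec-types` re-point is the only edit. Minor, same section: the rename under "Changes made vs. the source" reads as `vault``@olsitec/pulumi-vault`, with the arrow between the old and new name dropped.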