feat(bootstrap): Bun-workspace skeleton + typed config + vendored modules — T02
- Bun workspaces (packages/* + bootstrap); Pulumi nodejs runtime under
packagemanager: bun (no npm fallback needed).
- bootstrap/config.ts: typed FoundationConfig per CONTRACT_001; loadConfig()
fails closed, aggregating all missing+malformed keys in one error. Reads flat
dotted keys; image digests excluded (they live in VERSIONS, D5).
- bootstrap/Pulumi.foundation.yaml: non-secret placeholders only (RFC-5737 vm.host,
.invalid offsite); no encryptionsalt/secrets committed (D2). pulumi preview = 0
resources under the passphrase provider via gitignored file:// state backend.
- Stage-1 vendoring: packages/pulumi-{docker,vault} as @olsitec/* (source-only,
logic unchanged). vault's 5 type-only imports from modules/olsitec re-homed
verbatim into pulumi-vault/olsitec-types.ts to keep the egg self-contained.
Realizes PLAN-002 §10 T02; ADR-005 / 000_TOPOLOGY.md §5 Stage-1.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
parent edc708b826
commit 57c4eadea7
26 changed files with 2758 additions and 0 deletions
packages/pulumi-vault/VENDORED.md (Normal file, 52 lines added)
@ -0,0 +1,52 @@
# VENDORED — `@olsitec/pulumi-vault`

**Source (absolute path):** `/Users/andiolsi/work/olsicloud4/pulumi/modules/vault/`
**Copy date:** 2026-06-30
**Stage:** Stage-1 vendoring per [`documentation/000_TOPOLOGY.md` §5](../../documentation/000_TOPOLOGY.md).

## What this is

A verbatim copy of the olsicloud4 `modules/vault` Pulumi module — the Vault init/unseal
capture (`VaultInitialization`) and the secret-engine/AppRole bootstrap
(`VaultBootstrap`, `VaultExternalSecretsClusterAppRole`, `VaultProject`) plus the admin
policy (`policy.ts`). Core of the foundation secret layer (ADR-004, PLAN-002 §4). At
day-zero `bootstrap/` consumes it locally through the Bun workspace, not from a registry.

## What was copied

`index.ts`, `policy.ts`, `package.json`, `tsconfig.json`, `.editorconfig`, `.gitignore`.

**Not copied:** `node_modules/`, `package-lock.json` (lockfiles), `.git/`.

## Changes made vs. the source

- `package.json` `name`: `vault` → `@olsitec/pulumi-vault`; added `version` (`0.0.0`,
pre-publish placeholder) and `main`/`types` (`index.ts`) for Bun-workspace resolution.
- **Type-only re-home (no logic change):** the upstream `index.ts` imports five
*purely type-level* declarations from its sibling module `../../modules/olsitec`
(`OlsitecProjectFeatureFlags`, `OlsitecCredentialTypes`, `GitProjectCredentials`,
`OciRegistryCredentials`, `MinioBackupProjectCredentials`). That sibling transitively
pulls in `modules/minio`, `modules/gitlab`, and `modules/kubernetes`, none of which
belong in the foundation egg and none of which are vendored. To keep this package
self-contained, those five type declarations were copied **verbatim** into a new local
file `olsitec-types.ts`, and the one import line in `index.ts` was re-pointed from
`../../modules/olsitec` to `./olsitec-types`. This is the **only** edit to `index.ts`;
no runtime/behavioural logic changed.
- `tsconfig.json` `files`: added `policy.ts` and `olsitec-types.ts` so the package
type-checks standalone (`tsc --noEmit`).

> **Note (out of scope for T02):** `VaultProject` and `VaultBootstrap` still reference
> minio/garage/cockroach/mongo credential shapes inherited from the Layer-1 olsitec module.
> The foundation egg only needs `VaultInitialization` (init/unseal capture) + `VaultBootstrap`.
> Trimming the unused Layer-1 surface is a deliberate later refactor (000_TOPOLOGY.md §5.1
> "refactor for Layer 0"), NOT part of Stage-1 vendoring — Stage 1 preserves the source as-is.

## Lifecycle (000_TOPOLOGY.md §5)

- **Stage 1 — VENDOR (this commit):** copied here; consumed locally via Bun workspace.
- **Stage 2 — PUBLISH (later task):** CI publishes `@olsitec/pulumi-vault@<semver>` to the
foundation Forgejo npm registry once it exists.
- **Stage 3 — CONSUME (steady state):** downstream switches imports to the published package;
the old module is frozen then removed.

Do not refactor the vendored logic here beyond the type-only re-home documented above.
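Review bot: the provenance header records only a copy date and an absolute path on one developer's machine (`/Users/andiolsi/work/olsicloud4/pulumi/modules/vault/`), so the "verbatim copy" and "no runtime/behavioural logic changed" claims cannot be checked against upstream by anyone else; record the upstream repository and the commit hash the copy was taken from (an explicit placeholder until it is known) and replace the machine-local path with a repository-relative one such as `pulumi/modules/vault/`. Minor: the `**Source (absolute path):**`, `**Copy date:**` and `**Stage:**` lines have no blank line between them, so Markdown renders them as a single paragraph; separate them with blank lines or turn them into a list.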