# VENDORED — `@olsitec/pulumi-vault`

**Source (absolute path):** `/Users/andiolsi/work/olsicloud4/pulumi/modules/vault/`

**Copy date:** 2026-06-30

**Stage:** Stage-1 vendoring per [`documentation/000_TOPOLOGY.md` §5](../../documentation/000_TOPOLOGY.md).

## What this is

A verbatim copy of the olsicloud4 `modules/vault` Pulumi module — the Vault init/unseal capture (`VaultInitialization`) and the secret-engine/AppRole bootstrap (`VaultBootstrap`, `VaultExternalSecretsClusterAppRole`, `VaultProject`) plus the admin policy (`policy.ts`). Core of the foundation secret layer (ADR-004, PLAN-002 §4). At day-zero `bootstrap/` consumes it locally through the Bun workspace, not from a registry.

## What was copied

`index.ts`, `policy.ts`, `package.json`, `tsconfig.json`, `.editorconfig`, `.gitignore`.

**Not copied:** `node_modules/`, `package-lock.json` (lockfiles), `.git/`.

## Changes made vs. the source

- `package.json` `name`: `vault` → `@olsitec/pulumi-vault`; added `version` (`0.0.0`, pre-publish placeholder) and `main`/`types` (`index.ts`) for Bun-workspace resolution.
- **Type-only re-home (no logic change):** the upstream `index.ts` imports five *purely type-level* declarations from its sibling module `../../modules/olsitec` (`OlsitecProjectFeatureFlags`, `OlsitecCredentialTypes`, `GitProjectCredentials`, `OciRegistryCredentials`, `MinioBackupProjectCredentials`). That sibling transitively pulls in `modules/minio`, `modules/gitlab`, and `modules/kubernetes`, none of which belong in the foundation egg and none of which are vendored. To keep this package self-contained, those five type declarations were copied **verbatim** into a new local file `olsitec-types.ts`, and the one import line in `index.ts` was re-pointed from `../../modules/olsitec` to `./olsitec-types`. This is the **only** edit to `index.ts`; no runtime/behavioural logic changed.
- `tsconfig.json` `files`: added `policy.ts` and `olsitec-types.ts` so the package type-checks standalone (`tsc --noEmit`).

> **Note (out of scope for T02):** `VaultProject` and `VaultBootstrap` still reference
> minio/garage/cockroach/mongo credential shapes inherited from the Layer-1 olsitec module.
> The foundation egg only needs `VaultInitialization` (init/unseal capture) + `VaultBootstrap`.
> Trimming the unused Layer-1 surface is a deliberate later refactor (000_TOPOLOGY.md §5.1
> "refactor for Layer 0"), NOT part of Stage-1 vendoring — Stage 1 preserves the source as-is.

## Lifecycle (000_TOPOLOGY.md §5)

- **Stage 1 — VENDOR (this commit):** copied here; consumed locally via Bun workspace.
- **Stage 2 — PUBLISH (later task):** CI publishes `@olsitec/pulumi-vault@` to the foundation Forgejo npm registry once it exists.
- **Stage 3 — CONSUME (steady state):** downstream switches imports to the published package; the old module is frozen then removed.

Do not refactor the vendored logic here beyond the type-only re-home documented above.