- Bun workspaces (packages/* + bootstrap); Pulumi nodejs runtime under
packagemanager: bun (no npm fallback needed).
- bootstrap/config.ts: typed FoundationConfig per CONTRACT_001; loadConfig()
fails closed, aggregating all missing+malformed keys in one error. Reads flat
dotted keys; image digests excluded (they live in VERSIONS, D5).
- bootstrap/Pulumi.foundation.yaml: non-secret placeholders only (RFC-5737 vm.host,
.invalid offsite); no encryptionsalt/secrets committed (D2). pulumi preview = 0
resources under the passphrase provider via gitignored file:// state backend.
- Stage-1 vendoring: packages/pulumi-{docker,vault} as @olsitec/* (source-only,
logic unchanged). vault's 5 type-only imports from modules/olsitec re-homed
verbatim into pulumi-vault/olsitec-types.ts to keep the egg self-contained.
Realizes PLAN-002 §10 T02; ADR-005 / 000_TOPOLOGY.md §5 Stage-1.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
T02 — Pulumi project skeleton + passphrase backend + config.ts — Subtask Outline
Task: PLAN-002 §10 T02 · Mode: BUILD (scaffolding; no deploy) · Date: 2026-06-30 · Realizes: CONTRACT_001 (config schema), 000_TOPOLOGY.md §5 Stage-1 vendoring, ADR-005.
Goal
Scaffold the Bun-workspace mono-repo + the bootstrap/ Pulumi egg with a typed
config layer (CONTRACT_001), and vendor the pulumi-docker + pulumi-vault shared
modules into packages/. No real VM, no pulumi up.
Subtasks
- Workspace root — foundation/package.json with workspaces: ["packages/*","bootstrap"].
- Vendor @olsitec/pulumi-docker — copy olsicloud4 modules/docker source only; rename package; VENDORED.md.
- Vendor @olsitec/pulumi-vault — copy modules/vault (incl. policy.ts) source only; rename; VENDORED.md.
  - Sub-issue: upstream index.ts imports 5 type-only decls from ../../modules/olsitec (which pulls in minio/gitlab/kubernetes). Re-homed those types verbatim into a local olsitec-types.ts; re-pointed the one import. No logic change.
- bootstrap/Pulumi.yaml — name: foundation, runtime: nodejs + packagemanager: bun.
- bootstrap/config.ts — FoundationConfig interface + loadConfig() that reads flat dotted Pulumi keys and FAILS CLOSED listing all missing/malformed required keys.
- bootstrap/index.ts — no-op scaffold; calls loadConfig() so preview exercises validation; creates no resources; exports a few non-secret outputs.
- bootstrap/Pulumi.foundation.yaml — NON-secret placeholders only (CONTRACT_001 §1.2). No secrets, no encryptionsalt.
- Validate — bun install links the workspace; tsc --noEmit on all three; pulumi preview under the passphrase provider + local file backend (bootstrap/state/, gitignored) + throwaway ENV passphrase. Demonstrate the fail-closed path.
Key contracts honoured
- CONTRACT_001 §1.1 shape; §1.2 non-secret keys under foundation:; §1.3 secrets deferred.
- CONTRACT_003 fixed names/ports/network referenced by the placeholder config.
- Image digests come from VERSIONS (T01), not config.
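
The fail-closed loadConfig() behaviour described above, as an added TypeScript example that is not the project's bootstrap/config.ts; it takes a key getter instead of Pulumi's config object so it runs offline. Only vm.host is a key named on this page; vm.sshPort, offsite.host and the validators are hypothetical, and the sample values are constructed.

```typescript
// Added example; not the project's bootstrap/config.ts.
// Only "vm.host" is named on the page; the other keys are hypothetical.
type Getter = (key: string) => string | undefined;
interface FoundationConfig { vmHost: string; sshPort: number; offsiteHost: string }

// Each check returns null when the value is acceptable, else a reason.
type Check = (raw: string) => string | null;
const host: Check = (v) =>
  /^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$/.test(v) ? null : "not a hostname or IPv4 address";
const port: Check = (v) =>
  /^\d+$/.test(v) && Number(v) >= 1 && Number(v) <= 65535 ? null : "not a port in 1..65535";

const REQUIRED: Array<[string, Check]> = [
  ["vm.host", host],
  ["vm.sshPort", port],   // hypothetical key
  ["offsite.host", host], // hypothetical key
];

// Check every required key before deciding, so one run reports the full list.
function validate(get: Getter): { values: Record<string, string>; problems: string[] } {
  const values: Record<string, string> = {};
  const problems: string[] = [];
  for (const [key, check] of REQUIRED) {
    const raw = (get(key) ?? "").trim();
    if (raw === "") { problems.push(`${key}: missing`); continue; }
    const reason = check(raw);
    if (reason) problems.push(`${key}: malformed (${reason})`);
    else values[key] = raw;
  }
  return { values, problems };
}

// Fail closed: throw on any problem; never return a partial config or a default.
function loadConfig(get: Getter): FoundationConfig {
  const { values, problems } = validate(get);
  if (problems.length > 0) {
    throw new Error(`foundation config invalid:\n  - ${problems.join("\n  - ")}`);
  }
  return {
    vmHost: values["vm.host"],
    sshPort: Number(values["vm.sshPort"]),
    offsiteHost: values["offsite.host"],
  };
}

// Constructed sample input in the placeholder style the page describes.
const sample: Record<string, string> = {
  "vm.host": "192.0.2.10", "vm.sshPort": "22", "offsite.host": "backup.invalid",
};
const getSample: Getter = (k) => sample[k];
```

In a Pulumi program the getter would wrap the get() method of pulumi.Config, which returns undefined for an unset key.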