foundation/packages/pulumi-vault/VENDORED.md
Andreas Niemann 57c4eadea7 feat(bootstrap): Bun-workspace skeleton + typed config + vendored modules — T02
- Bun workspaces (packages/* + bootstrap); Pulumi nodejs runtime under
  packagemanager: bun (no npm fallback needed).
- bootstrap/config.ts: typed FoundationConfig per CONTRACT_001; loadConfig()
  fails closed, aggregating all missing+malformed keys in one error. Reads flat
  dotted keys; image digests excluded (they live in VERSIONS, D5).
- bootstrap/Pulumi.foundation.yaml: non-secret placeholders only (RFC-5737 vm.host,
  .invalid offsite); no encryptionsalt/secrets committed (D2). pulumi preview = 0
  resources under the passphrase provider via gitignored file:// state backend.
- Stage-1 vendoring: packages/pulumi-{docker,vault} as @olsitec/* (source-only,
  logic unchanged). vault's 5 type-only imports from modules/olsitec re-homed
  verbatim into pulumi-vault/olsitec-types.ts to keep the egg self-contained.

Realizes PLAN-002 §10 T02; ADR-005 / 000_TOPOLOGY.md §5 Stage-1.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-30 18:06:21 +02:00

VENDORED — @olsitec/pulumi-vault

Source (absolute path): /Users/andiolsi/work/olsicloud4/pulumi/modules/vault/
Copy date: 2026-06-30
Stage: Stage-1 vendoring per documentation/000_TOPOLOGY.md §5.

What this is

A verbatim copy of the olsicloud4 modules/vault Pulumi module — the Vault init/unseal capture (VaultInitialization) and the secret-engine/AppRole bootstrap (VaultBootstrap, VaultExternalSecretsClusterAppRole, VaultProject) plus the admin policy (policy.ts). Core of the foundation secret layer (ADR-004, PLAN-002 §4). At day-zero bootstrap/ consumes it locally through the Bun workspace, not from a registry.

What was copied

index.ts, policy.ts, package.json, tsconfig.json, .editorconfig, .gitignore.

Not copied: node_modules/, package-lock.json (lockfiles), .git/.

Changes made vs. the source

  • package.json name: vault renamed to @olsitec/pulumi-vault; added version (0.0.0, pre-publish placeholder) and main/types (index.ts) for Bun-workspace resolution.
  • Type-only re-home (no logic change): the upstream index.ts imports five purely type-level declarations from its sibling module ../../modules/olsitec (OlsitecProjectFeatureFlags, OlsitecCredentialTypes, GitProjectCredentials, OciRegistryCredentials, MinioBackupProjectCredentials). That sibling transitively pulls in modules/minio, modules/gitlab, and modules/kubernetes, none of which belong in the foundation egg and none of which are vendored. To keep this package self-contained, those five type declarations were copied verbatim into a new local file olsitec-types.ts, and the one import line in index.ts was re-pointed from ../../modules/olsitec to ./olsitec-types. This is the only edit to index.ts; no runtime/behavioural logic changed.
  • tsconfig.json files: added policy.ts and olsitec-types.ts so the package type-checks standalone (tsc --noEmit).
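The "only edit to index.ts" claim above is the kind of invariant a reviewer of a vendored copy wants to verify mechanically rather than by eye. The check below is an added example, not code from the vendored module or from this commit: it compares an upstream and a vendored file body and accepts the copy only if the single differing line is an `import type` whose module specifier moved from ../../modules/olsitec to ./olsitec-types and whose type list is exactly the five names documented above. The two file bodies are constructed stand-ins, not the real olsicloud4 sources.

```typescript
// Added check (not part of the vendored module or this commit): confirm that a
// vendored index.ts differs from its upstream copy only in the documented
// type-only re-home. The file bodies further down are constructed stand-ins.
const UPSTREAM_IMPORT = "../../modules/olsitec";
const VENDORED_IMPORT = "./olsitec-types";
// The five type-level names the page says were re-homed.
const REHOMED_TYPES = [
  "OlsitecProjectFeatureFlags", "OlsitecCredentialTypes", "GitProjectCredentials",
  "OciRegistryCredentials", "MinioBackupProjectCredentials",
];
type Verdict = { ok: boolean; reasons: string[] };

// ok=true only when exactly one line differs, that line is an `import type`
// whose sole change is the module specifier, and it names exactly REHOMED_TYPES.
function verifyTypeOnlyRehome(upstream: string, vendored: string): Verdict {
  const reasons: string[] = [];
  const a = upstream.split("\n");
  const b = vendored.split("\n");
  if (a.length !== b.length) reasons.push(`line count differs: ${a.length} vs ${b.length}`);
  let rehomes = 0;
  for (let i = 0; i < Math.min(a.length, b.length); i++) {
    const up = a[i] ?? "", vend = b[i] ?? "";
    if (up === vend) continue;
    const allowed = up.replace(`"${UPSTREAM_IMPORT}"`, `"${VENDORED_IMPORT}"`);
    if (!/^\s*import\s+type\s*\{/.test(up) || allowed === up || allowed !== vend) {
      reasons.push(`line ${i + 1}: undocumented change: ${JSON.stringify(vend)}`);
      continue;
    }
    const names = (up.match(/\{([^}]*)\}/)?.[1] ?? "")
      .split(",").map((s) => s.trim()).filter(Boolean).sort();
    if (names.join() !== [...REHOMED_TYPES].sort().join()) {
      reasons.push(`line ${i + 1}: re-homed type list differs from the documented five`);
    }
    rehomes++;
  }
  if (rehomes !== 1) reasons.push(`expected exactly one re-homed import, found ${rehomes}`);
  return { ok: reasons.length === 0, reasons };
}

// Constructed sample inputs (not the real olsicloud4 files).
const SAMPLE_UPSTREAM = [
  `import * as pulumi from "@pulumi/pulumi";`,
  `import type { OlsitecProjectFeatureFlags, OlsitecCredentialTypes, GitProjectCredentials,` +
    ` OciRegistryCredentials, MinioBackupProjectCredentials } from "../../modules/olsitec";`,
  `export class VaultInitialization extends pulumi.ComponentResource {}`,
].join("\n");
const SAMPLE_VENDORED = SAMPLE_UPSTREAM.replace(UPSTREAM_IMPORT, VENDORED_IMPORT);
// A copy that also touches runtime code must be rejected.
const SAMPLE_TAMPERED = SAMPLE_VENDORED.replace("{}", "{ debug = true }");
```

Wiring the function to the real paths (the Source path above and packages/pulumi-vault/index.ts) turns it into a CI gate for Stage 1; a byte-identical copy is rejected too, since the re-home is required, not merely permitted.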

Note (out of scope for T02): VaultProject and VaultBootstrap still reference minio/garage/cockroach/mongo credential shapes inherited from the Layer-1 olsitec module. The foundation egg only needs VaultInitialization (init/unseal capture) + VaultBootstrap. Trimming the unused Layer-1 surface is a deliberate later refactor (000_TOPOLOGY.md §5.1 "refactor for Layer 0"), NOT part of Stage-1 vendoring — Stage 1 preserves the source as-is.

Lifecycle (000_TOPOLOGY.md §5)

  • Stage 1 — VENDOR (this commit): copied here; consumed locally via Bun workspace.
  • Stage 2 — PUBLISH (later task): CI publishes @olsitec/pulumi-vault@<semver> to the foundation Forgejo npm registry once it exists.
  • Stage 3 — CONSUME (steady state): downstream switches imports to the published package; the old module is frozen then removed.

Do not refactor the vendored logic here beyond the type-only re-home documented above.