foundation/documentation/agents/task_002_pulumi_skeleton/000_subtask_outline.md
Andreas Niemann 57c4eadea7 feat(bootstrap): Bun-workspace skeleton + typed config + vendored modules — T02
- Bun workspaces (packages/* + bootstrap); Pulumi nodejs runtime under
  packagemanager: bun (no npm fallback needed).
- bootstrap/config.ts: typed FoundationConfig per CONTRACT_001; loadConfig()
  fails closed, aggregating all missing+malformed keys in one error. Reads flat
  dotted keys; image digests excluded (they live in VERSIONS, D5).
- bootstrap/Pulumi.foundation.yaml: non-secret placeholders only (RFC-5737 vm.host,
  .invalid offsite); no encryptionsalt/secrets committed (D2). pulumi preview = 0
  resources under the passphrase provider via gitignored file:// state backend.
- Stage-1 vendoring: packages/pulumi-{docker,vault} as @olsitec/* (source-only,
  logic unchanged). vault's 5 type-only imports from modules/olsitec re-homed
  verbatim into pulumi-vault/olsitec-types.ts to keep the egg self-contained.

Realizes PLAN-002 §10 T02; ADR-005 / 000_TOPOLOGY.md §5 Stage-1.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-30 18:06:21 +02:00

T02 — Pulumi project skeleton + passphrase backend + config.ts — Subtask Outline

Task: PLAN-002 §10 T02 · Mode: BUILD (scaffolding; no deploy) · Date: 2026-06-30
Realizes: CONTRACT_001 (config schema), 000_TOPOLOGY.md §5 Stage-1 vendoring, ADR-005.

Goal

Scaffold the Bun-workspace mono-repo + the bootstrap/ Pulumi egg with a typed config layer (CONTRACT_001), and vendor the pulumi-docker + pulumi-vault shared modules into packages/. No real VM, no pulumi up.

Subtasks

  1. Workspace root: foundation/package.json with workspaces: ["packages/*","bootstrap"].
  2. Vendor @olsitec/pulumi-docker — copy olsicloud4 modules/docker source only; rename package; VENDORED.md.
  3. Vendor @olsitec/pulumi-vault — copy modules/vault (incl. policy.ts) source only; rename; VENDORED.md.
    • Sub-issue: upstream index.ts imports 5 type-only decls from ../../modules/olsitec (which pulls in minio/gitlab/kubernetes). Re-homed those types verbatim into a local olsitec-types.ts; re-pointed the one import. No logic change.
  4. bootstrap/Pulumi.yaml: name: foundation, runtime: nodejs + packagemanager: bun.
  5. bootstrap/config.ts: FoundationConfig interface + loadConfig() that reads flat dotted Pulumi keys and FAILS CLOSED listing all missing/malformed required keys.
  6. bootstrap/index.ts — no-op scaffold; calls loadConfig() so preview exercises validation; creates no resources; exports a few non-secret outputs.
  7. bootstrap/Pulumi.foundation.yaml — NON-secret placeholders only (CONTRACT_001 §1.2). No secrets, no encryptionsalt.
  8. Validate: bun install links the workspace; tsc --noEmit on all three; pulumi preview under the passphrase provider + local file backend (bootstrap/state/, gitignored) + throwaway ENV passphrase. Demonstrate the fail-closed path.
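
The fail-closed behaviour described in subtask 5, sketched as an added example (this is not the repository's bootstrap/config.ts). Only vm.host is named on this page; the other keys, the validators and the ExampleConfig shape are hypothetical stand-ins for whatever CONTRACT_001 defines.

```typescript
// Added example, not the project's bootstrap/config.ts. Only vm.host is named on
// the page; the other keys and all validators are hypothetical.
type Getter = (key: string) => string | undefined;
type Check = (raw: string) => string | null; // null = well-formed, else the reason

interface ExampleConfig {
  vm: { host: string; sshPort: number };
  offsite: { endpoint: string };
}

const isIPv4: Check = (raw) =>
  /^\d{1,3}(\.\d{1,3}){3}$/.test(raw) && raw.split(".").every((o) => Number(o) <= 255)
    ? null
    : "not an IPv4 address";
const isPort: Check = (raw) =>
  /^\d{1,5}$/.test(raw) && Number(raw) >= 1 && Number(raw) <= 65535 ? null : "not a port in 1-65535";
const isHostname: Check = (raw) =>
  /^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$/i.test(raw)
    ? null
    : "not a dotted hostname";

// Flat dotted keys, as they would appear under the stack's foundation: namespace.
const REQUIRED: Record<string, Check> = {
  "vm.host": isIPv4,
  "vm.sshPort": isPort, // hypothetical key
  "offsite.endpoint": isHostname, // hypothetical key
};

function loadExampleConfig(get: Getter): ExampleConfig {
  const problems: string[] = [];
  const ok: Record<string, string> = {};
  for (const [key, check] of Object.entries(REQUIRED)) {
    const raw = get(key);
    if (raw === undefined || raw.trim() === "") {
      problems.push(`${key}: missing`);
      continue;
    }
    const reason = check(raw);
    if (reason === null) ok[key] = raw;
    else problems.push(`${key}: malformed (${reason})`);
  }
  // Fail closed: one error naming every bad key; never a partial config or a default.
  if (problems.length > 0) {
    throw new Error(`foundation config invalid:\n  - ${problems.join("\n  - ")}`);
  }
  return {
    vm: { host: ok["vm.host"], sshPort: Number(ok["vm.sshPort"]) },
    offsite: { endpoint: ok["offsite.endpoint"] },
  };
}
```

Inside a Pulumi program the getter would be `(k) => new pulumi.Config("foundation").get(k)`, assuming the keys sit under the foundation: namespace as listed in the contracts below.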

Key contracts honoured

  • CONTRACT_001 §1.1 shape; §1.2 non-secret keys under foundation:; §1.3 secrets deferred.
  • CONTRACT_003 fixed names/ports/network referenced by the placeholder config.
  • Image digests come from VERSIONS (T01), not config.