- Bun workspaces (packages/* + bootstrap); Pulumi nodejs runtime under
packagemanager: bun (no npm fallback needed).
- bootstrap/config.ts: typed FoundationConfig per CONTRACT_001; loadConfig()
fails closed, aggregating all missing+malformed keys in one error. Reads flat
dotted keys; image digests excluded (they live in VERSIONS, D5).
- bootstrap/Pulumi.foundation.yaml: non-secret placeholders only (RFC-5737 vm.host,
.invalid offsite); no encryptionsalt/secrets committed (D2). pulumi preview = 0
resources under the passphrase provider via gitignored file:// state backend.
- Stage-1 vendoring: packages/pulumi-{docker,vault} as @olsitec/* (source-only,
logic unchanged). vault's 5 type-only imports from modules/olsitec re-homed
verbatim into pulumi-vault/olsitec-types.ts to keep the egg self-contained.
Realizes PLAN-002 §10 T02; ADR-005 / 000_TOPOLOGY.md §5 Stage-1.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
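The "fails closed, aggregating all missing+malformed keys in one error" behaviour described for loadConfig() above, as an added TypeScript illustration that is not the repository's bootstrap/config.ts; the key names (`vm.host`, `offsite.host`, `vault.replicas`) and the shape of FoundationConfig are assumptions for this example:

```typescript
// Added example (not the project's code): fail-closed loader for flat
// dotted config keys. Every missing or malformed key is recorded; only
// when none were recorded is a fully-populated config returned.
type FoundationConfig = {
  vmHost: string;        // assumed key "vm.host"
  offsiteHost: string;   // assumed key "offsite.host"
  vaultReplicas: number; // assumed key "vault.replicas"
};

// Flat "section.key" -> string map, as a Pulumi stack config would expose it.
type RawConfig = Record<string, string | undefined>;

class ConfigError extends Error {
  constructor(public readonly problems: string[]) {
    super(`invalid foundation config (${problems.length} problem(s)):\n  ` +
      problems.join("\n  "));
  }
}

function loadConfig(raw: RawConfig): FoundationConfig {
  const problems: string[] = [];

  // Missing or blank string value -> recorded, loading continues.
  const requireString = (key: string): string => {
    const v = raw[key];
    if (v === undefined || v.trim() === "") {
      problems.push(`${key}: missing`);
      return "";
    }
    return v;
  };

  // Must parse as an integer >= min; anything else is malformed.
  const requireInt = (key: string, min: number): number => {
    const v = raw[key];
    if (v === undefined) { problems.push(`${key}: missing`); return NaN; }
    const n = Number(v);
    if (!Number.isInteger(n) || n < min) {
      problems.push(`${key}: malformed (expected integer >= ${min}, got ${JSON.stringify(v)})`);
      return NaN;
    }
    return n;
  };

  const cfg: FoundationConfig = {
    vmHost: requireString("vm.host"),
    offsiteHost: requireString("offsite.host"),
    vaultReplicas: requireInt("vault.replicas", 1),
  };

  // Fail closed: a partially valid config is never handed back to the caller.
  if (problems.length > 0) throw new ConfigError(problems);
  return cfg;
}
```

Because all keys are checked before the first throw, an operator fixes every reported key in one round instead of discovering them one `pulumi preview` at a time.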
VENDORED — @olsitec/pulumi-vault
Source (absolute path): /Users/andiolsi/work/olsicloud4/pulumi/modules/vault/
Copy date: 2026-06-30
Stage: Stage-1 vendoring per documentation/000_TOPOLOGY.md §5.
What this is
A verbatim copy of the olsicloud4 modules/vault Pulumi module — the Vault init/unseal
capture (VaultInitialization) and the secret-engine/AppRole bootstrap
(VaultBootstrap, VaultExternalSecretsClusterAppRole, VaultProject) plus the admin
policy (policy.ts). Core of the foundation secret layer (ADR-004, PLAN-002 §4). At
day-zero bootstrap/ consumes it locally through the Bun workspace, not from a registry.
What was copied
index.ts, policy.ts, package.json, tsconfig.json, .editorconfig, .gitignore.
Not copied: node_modules/, package-lock.json (lockfiles), .git/.
Changes made vs. the source
- `package.json`: `name` `vault` → `@olsitec/pulumi-vault`; added `version` (`0.0.0`, pre-publish placeholder) and `main`/`types` (`index.ts`) for Bun-workspace resolution.
- Type-only re-home (no logic change): the upstream `index.ts` imports five purely type-level declarations from its sibling module `../../modules/olsitec` (`OlsitecProjectFeatureFlags`, `OlsitecCredentialTypes`, `GitProjectCredentials`, `OciRegistryCredentials`, `MinioBackupProjectCredentials`). That sibling transitively pulls in `modules/minio`, `modules/gitlab`, and `modules/kubernetes`, none of which belong in the foundation egg and none of which are vendored. To keep this package self-contained, those five type declarations were copied verbatim into a new local file `olsitec-types.ts`, and the one import line in `index.ts` was re-pointed from `../../modules/olsitec` to `./olsitec-types`. This is the only edit to `index.ts`; no runtime/behavioural logic changed.
- `tsconfig.json` `files`: added `policy.ts` and `olsitec-types.ts` so the package type-checks standalone (`tsc --noEmit`).
Note (out of scope for T02):
`VaultProject` and `VaultBootstrap` still reference minio/garage/cockroach/mongo credential shapes inherited from the Layer-1 olsitec module. The foundation egg only needs `VaultInitialization` (init/unseal capture) + `VaultBootstrap`. Trimming the unused Layer-1 surface is a deliberate later refactor (000_TOPOLOGY.md §5.1 "refactor for Layer 0"), NOT part of Stage-1 vendoring — Stage 1 preserves the source as-is.
Lifecycle (000_TOPOLOGY.md §5)
- Stage 1 — VENDOR (this commit): copied here; consumed locally via Bun workspace.
- Stage 2 — PUBLISH (later task): CI publishes `@olsitec/pulumi-vault@<semver>` to the foundation Forgejo npm registry once it exists.
- Stage 3 — CONSUME (steady state): downstream switches imports to the published package; the old module is frozen then removed.
Do not refactor the vendored logic here beyond the type-only re-home documented above.