foundation/bootstrap/components
Andreas Niemann fbd1ad4d1d feat(credentials): mirror Forgejo crypto secrets into Vault (CONTRACT_002)
Close the known gap: foundation/forgejo/service-credentials held only the
admin user/pw; the crypto secrets Forgejo auto-generates into app.ini were
never captured. Make that path single-owned at GATE B and write admin +
crypto together.

- credentials.ts: drop the forgejo block from the GATE-A writer (its crypto
  secrets don't exist until Forgejo first-starts) and add
  writeForgejoCredentialsToVault — runs after forgejo.ready, reads SECRET_KEY,
  INTERNAL_TOKEN, LFS_JWT_SECRET ([server]) and oauth2 JWT_SECRET straight off
  the live app.ini via docker-exec (ADR-007), and puts the full path. One
  writer per Vault path avoids a put/patch race on re-runs.
- index.ts: wire it at GATE B (dependsOn vault.init + forgejo.ready).

Keys: forgejoAdminUser, forgejoAdminPassword, forgejoSecretKey,
forgejoInternalToken, forgejoJwtSecret, forgejoOauth2JwtSecret.

Validated live: forgejo path now has all six; postgres/rustfs paths intact
through the GATE-A writer replacement; idempotent at 43 unchanged.

FINDING: forgejoSecretKey mirrors EMPTY — skipping the web installer
(INSTALL_LOCK) left Forgejo's [security] SECRET_KEY unset. Fixed next commit.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-30 23:28:17 +02:00
..
credentials.ts feat(credentials): mirror Forgejo crypto secrets into Vault (CONTRACT_002) 2026-06-30 23:28:17 +02:00
dns.ts feat(bootstrap): real olsitec.net config + DNS records (steps 1+2) 2026-06-30 20:47:30 +02:00
forgejo.ts feat(bootstrap): forgejo admin + org + repo + operator key (T09) 2026-06-30 22:31:13 +02:00
network.ts feat(bootstrap): shared docker provider + foundation-net precursor (ADR-006) 2026-06-30 18:18:40 +02:00
postgres.ts feat(bootstrap): postgres data-plane + remote helper (T03) 2026-06-30 21:10:34 +02:00
proxy.ts feat(bootstrap): caddy public ingress + DNS-01 TLS (T07) 2026-06-30 21:54:12 +02:00
runner.ts feat(bootstrap): forgejo actions runner (T10) 2026-06-30 22:38:37 +02:00
rustfs.ts feat(bootstrap): rustfs S3 data-plane + buckets/service account (T04) 2026-06-30 21:19:53 +02:00
vault.ts feat(bootstrap): vault init/unseal + capture to encrypted config (T05) 2026-06-30 21:32:52 +02:00