foundation/documentation/000_baseline.md
Andreas Niemann f18676e6b3 chore: scaffold olsitec-foundation mono-repo
Repo topology, baseline overlay, planning docs (PLAN-001/002), ADR-004/005,
and the bootstrap/packages/documentation skeleton. Implementation (T00+) not started.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-30 17:10:46 +02:00

3.9 KiB

000 — olsitec-foundation Baseline (Overlay)

This project follows the canonical Olsitec agentic baseline.

Canonical source: ../../ai-baseline/000_baseline.md (git repo ai-baseline, hosted at forge.olsitec.de/olsitec/ai-baseline once the foundation is up). Read it for the full operating model, modes, prime directives, documentation thresholds, delegation, and session protocols.

This file lists only foundation-specific deviations. Where this overlay and the canonical baseline disagree, this overlay wins for foundation work.


Foundation-Specific Deviations

D1 — Default mode is HIGH-RISK / INFRA

Almost all foundation work touches a VM, Docker, Vault, Postgres, or secrets. Treat BOOTSTRAP / day-zero work as HIGH-RISK / INFRA by default: verify host/cwd/branch, log commands, snapshot before destructive steps (canonical §2.3, §11). Drop to BUILD only for pure docs/package edits.

D2 — The master passphrase is sacred

  • PULUMI_CONFIG_PASSPHRASE is the single root of trust (PLAN-002 §4, ADR-002).
  • Never print, echo, log, or commit the passphrase, the Vault root token, or Vault unseal keys — except as the already-encrypted secure: v1:… values inside Pulumi.foundation.yaml.
  • Secrets at rest live only in: passphrase-encrypted Pulumi config, or Vault. Never in plain files, never in docs, never in command logs.

D3 — Hosting is Forgejo, not gitlab.com

  • The canonical baseline / ADR-003 references gitlab.com:olsitec-nci/*. For the foundation, the source of truth is foundation-Forgejo (forge.olsitec.de/olsitec/*). GitLab is what we are replacing.
  • During day-zero (before handover) the canonical remote may be a local clone + offsite mirror; after PLAN-002 Phase 7, origin is Forgejo.

D4 — Pulumi runs against a remote VM over SSH

  • bootstrap/ deploys via @pulumi/docker over SSH to the foundation VM. Before any pulumi up: confirm which VM the Docker provider targets, the SSH key, and that you are on the intended stack (pulumi stack ls). A local edit is not present on the VM until applied.

D5 — Determinism is a hard requirement

  • Pin every image and tool by digest in VERSIONS. No floating tags. preflight/ enforces it.
  • Credentials: random (high-entropy, via @pulumi/random → Vault) vs derived (deterministic from config). The only external secret is the passphrase (PLAN-002 §4.2).

D6 — MCP may not know this project yet

  • olsitec-foundation is not registered in Olsitec MCP at authoring time (verified: MCP returns only omnibook/fishreg/olsitrack2/svelte_common/third_party_apis/external_data_sync/seaspots).
  • Treat this repo as the source of truth; register the project in MCP once stable (PLAN-002 §8).

D7 — Repo topology

  • Read 000_TOPOLOGY.md before creating files: know whether your change belongs in bootstrap/, a packages/pulumi-*, documentation/, or the separate ai-baseline repo.
  • Never bypass the four foundation interfaces (repo in Forgejo, image/chart in Forgejo registry, secret in Vault, CI in Forgejo Actions) once they exist.

D8 — Document homes

  • Planning & strategy → documentation/planning/.
  • Architecture decisions → documentation/decisions/ (ADR-NNN).
  • Interface contracts (T00) → documentation/contracts/ (CONTRACT-NNN).
  • Per-task agent workspaces → documentation/agents/task_NNN_*/ (canonical §7.2).

Quick pointers

Need Go to
Full workflow rules ../../ai-baseline/000_baseline.md
Why the platform is layered decisions/ADR_004_layered_platform_foundation.md
Repo boundaries / module strategy decisions/ADR_005_repo_topology.md, 000_TOPOLOGY.md
The vision planning/PLAN-001-forgejo.md
The implementation strategy & task list planning/PLAN-002-foundation-implementation.md