fix: feat: consolidate secret stores — single granular secrets/*.enc, deprecate .env.vault.enc (#777)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-15 18:35:03 +00:00 · 2026-04-15 18:35:03 +00:00 · 88676e65ae
commit 88676e65ae
parent a87dcdf40b
14 changed files with 254 additions and 130 deletions
--- a/.env.example
+++ b/.env.example
@ -83,16 +83,17 @@ FORWARD_AUTH_SECRET=                      # [SECRET] Shared secret for Caddy ↔

 # ── Vault-only secrets (DO NOT put these in .env) ────────────────────────
 # These tokens grant access to external systems (GitHub, ClawHub, deploy targets).
-# They live ONLY in .env.vault.enc and are injected into the ephemeral runner
-# container at fire time (#745). lib/env.sh explicitly unsets them so agents
-# can never hold them directly — all external actions go through vault dispatch.
+# They live ONLY in secrets/<NAME>.enc (age-encrypted, one file per key) and are
+# decrypted into the ephemeral runner container at fire time (#745, #777).
+# lib/env.sh explicitly unsets them so agents can never hold them directly —
+# all external actions go through vault dispatch.
 #
 #   GITHUB_TOKEN          — GitHub API access (publish, deploy, post)
 #   CLAWHUB_TOKEN         — ClawHub registry credentials (publish)
+#   CADDY_SSH_KEY         — SSH key for Caddy log collection
 #   (deploy keys)         — SSH keys for deployment targets
 #
-# To manage vault secrets: disinto secrets edit-vault
-# (vault redesign in progress: PR-based approval, see #73-#77)
+# To manage secrets: disinto secrets add/show/remove/list

 # ── Project-specific secrets ──────────────────────────────────────────────
 # Store all project secrets here so formulas reference env vars, never hardcode.