fix: feat: consolidate secret stores — single granular secrets/*.enc, deprecate .env.vault.enc (#777)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-15 18:35:03 +00:00 · 2026-04-15 18:35:03 +00:00 · 88676e65ae
commit 88676e65ae
parent a87dcdf40b
14 changed files with 254 additions and 130 deletions
--- a/lib/generators.sh
+++ b/lib/generators.sh
@ -372,8 +372,8 @@ services:
      PLANNER_INTERVAL: ${PLANNER_INTERVAL:-43200}
    # IMPORTANT: agents get explicit environment variables (forge tokens, CI tokens, config).
    # Vault-only secrets (GITHUB_TOKEN, CLAWHUB_TOKEN, deploy keys) live in
-    # .env.vault.enc and are NEVER injected here — only the runner
-    # container receives them at fire time (AD-006, #745).
+    # secrets/*.enc and are NEVER injected here — only the runner
+    # container receives them at fire time (AD-006, #745, #777).
    depends_on:
      forgejo:
        condition: service_healthy