disinto/docs
Claude 7081c98a79
fix: [nomad-step-2] S2.5 — bin/disinto init --import-env / --import-sops / --age-key wire-up (#883)
Wire the Step-2 building blocks (import, auth, policies) into
`disinto init --backend=nomad` so a single command on a fresh LXC
provisions cluster + policies + auth + imports secrets + deploys
services.

Adds three flags to `disinto init --backend=nomad`:
  --import-env PATH   plaintext .env from old stack
  --import-sops PATH  sops-encrypted .env.vault.enc (requires --age-key)
  --age-key PATH      age keyfile to decrypt --import-sops

Flow: cluster-up.sh → vault-apply-policies.sh → vault-nomad-auth.sh →
(optional) vault-import.sh → deploy.sh. Policies + auth run on every
nomad real-run path (idempotent); import runs only when --import-* is
set; all layers safe to re-run.

Flag validation:
  --import-sops without --age-key → error
  --age-key without --import-sops → error
  --import-env alone (no sops)    → OK
  --backend=docker + any --import-* → error

Dry-run prints a five-section plan (cluster-up + policies + auth +
import + deploy) with every argv that would be executed; touches
nothing, logs no secret values.

Dry-run output prints one line per --import-* flag that is actually
set — not in an if/elif chain — so all three paths appear when all
three flags are passed. Prior attempts regressed this invariant.

Tests:
  tests/disinto-init-nomad.bats +10 cases covering flag validation,
  dry-run plan shape (each flag prints its own path), policies+auth
  always-on (without --import-*), and --flag=value form.

Docs: docs/nomad-migration.md new file — cutover-day runbook with
invocation shape, flag summary, idempotency contract, dry-run, and
secret-hygiene notes.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-16 19:04:04 +00:00
AGENT-DESIGN.md fix: chore(26a): delete action-agent.sh, action-poll.sh, and action/AGENTS.md (#65) 2026-03-31 19:42:25 +00:00
agents-llama.md fix: docs/agents-llama.md teaches the legacy activation flow (#848) 2026-04-16 12:53:03 +00:00
BLAST-RADIUS.md fix: docs/BLAST-RADIUS.md + vault/SCHEMA.md: document blast-radius tier system (#440) 2026-04-08 19:59:51 +00:00
CLAUDE-AUTH-CONCURRENCY.md fix: docs/CLAUDE-AUTH-CONCURRENCY.md and smoke-init.sh reference credentials.json without leading dot (#680) 2026-04-11 22:41:34 +00:00
edge-routing-fallback.md fix: vision(#623): per-project subdomain fallback path (contingency) (#713) 2026-04-12 03:27:05 +00:00
EVAL-MCP-SERVER.md fix: tech-debt: sweep cron-isms from code comments, helpers, lib, and public site copy (#548) 2026-04-10 08:54:11 +00:00
EVIDENCE-ARCHITECTURE.md fix: {project}-ops repo — separate operations from code (#757) (#767) 2026-03-26 19:55:12 +01:00
investigation-685-reviewer-approved-destructive-compose.md fix: extend step 8 approval-bias carve-out to include infra files (step 3c), fix count 2026-04-11 19:50:59 +00:00
mirror-bootstrap.md fix: use FORGE_API_BASE for /repos/migrate endpoint, build payload with jq 2026-04-15 20:29:27 +00:00
nomad-migration.md fix: [nomad-step-2] S2.5 — bin/disinto init --import-env / --import-sops / --age-key wire-up (#883) 2026-04-16 19:04:04 +00:00
OBSERVABLE-DEPLOY.md fix: feat: observable addressables — engagement measurement for deployed artifacts (#718) 2026-03-26 11:57:19 +00:00
PHASE-PROTOCOL.md fix: chore: remove dead tmux-based session code (agent-session.sh, phase-handler.sh) (#262) 2026-04-05 22:25:53 +00:00
updating-factory.md fix: fix: make _generate_compose_impl the canonical compose source — remove tracked docker-compose.yml + update docs (#603) 2026-04-10 16:40:44 +00:00
VAULT.md fix: [nomad-prep] P0 — rename lib/vault.sh + vault/ to action-vault namespace (#792) 2026-04-15 18:16:32 +00:00