cb5252588c
Split secrets into two SOPS-encrypted files: - .env.enc for agent secrets (FORGE_TOKEN, CLAUDE_API_KEY, etc.) - .env.vault.enc for vault secrets (GITHUB_TOKEN, deploy keys, etc.) Add ephemeral vault-runner container (profiles: ["vault"]) that receives only vault secrets at runtime. Agents never see vault secrets; vault-runner never sees agent secrets. Key changes: - bin/disinto: vault-run subcommand, dual-file secrets management, vault-runner service in compose template - vault/vault-fire.sh: delegates action execution to vault-runner container via disinto vault-run (bare-metal fallback preserved) - vault/vault-poll.sh: new phase 5 detects vault-bot authorized comments on issues with action label - vault/vault-run-action.sh: entrypoint for ephemeral container, dispatches to action handlers Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
24 lines
368 B
Text
24 lines
368 B
Text
# Plaintext secrets (never commit)
|
|
.env
|
|
|
|
# Encrypted secrets — safe to commit (SOPS-encrypted with age)
|
|
!.env.enc
|
|
!.env.vault.enc
|
|
!.sops.yaml
|
|
|
|
# Per-box project config (generated by disinto init)
|
|
projects/*.toml
|
|
|
|
# Runtime state
|
|
*.log
|
|
*.log.*
|
|
*.log.old
|
|
state.json
|
|
*.lock
|
|
*.pid
|
|
metrics/supervisor-metrics.jsonl
|
|
|
|
# OS
|
|
.DS_Store
|
|
dev/ci-fixes-*.json
|
|
gardener/dust.jsonl
|