chore(openspec): archive engineering-docs and phase-2-production-ready changes
- engineering-docs → archive/2026-03-29-engineering-docs (63/63 tasks complete)
- phase-2-production-ready → archive/2026-03-29-phase-2-production-ready (89/89 tasks complete)
- openspec/specs/ synced with all Phase 1 + Phase 2 + engineering-docs capabilities (22 specs total)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
21
openspec/specs/vault/spec.md
Normal file
@@ -0,0 +1,21 @@
|
||||
# Spec: HashiCorp Vault Integration
|
||||
|
||||
**Status**: Pending CEO approval
|
||||
**Workstream**: 1 of 8
|
||||
|
||||
## Scope
|
||||
- VaultClient class wrapping `node-vault`
|
||||
- `005_add_vault_path.sql` migration
|
||||
- Updated CredentialService to write secrets to Vault instead of PostgreSQL
|
||||
- New env vars: VAULT_ADDR, VAULT_TOKEN, VAULT_MOUNT
|
||||
- Migration guide: bcrypt → Vault coexistence strategy
|
||||
|
||||
## Acceptance Criteria
|
||||
- [ ] New credentials: secret written to Vault KV v2, `vault_path` stored in PostgreSQL
|
||||
- [ ] Credential rotation: Vault versioned update, `vault_path` unchanged
|
||||
- [ ] Credential revocation: Vault secret deleted, DB status = `revoked`
|
||||
- [ ] Existing bcrypt credentials continue to work until rotated
|
||||
- [ ] VaultClient follows existing service interface pattern (DRY, SOLID)
|
||||
- [ ] Zero `any` types, TypeScript strict
|
||||
- [ ] `VAULT_ADDR` / `VAULT_TOKEN` validation at startup (fail-fast)
|
||||
- [ ] DevOps docs updated with Vault setup section
|
||||
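Review bot: The "Credential revocation: Vault secret deleted" and "Credential rotation: Vault versioned update" criteria do not say what happens to earlier KV v2 versions. A plain delete on KV v2 is a soft delete that can be undone, and a versioned update keeps the previous secret readable as an older version. If revoked or rotated secrets must be unrecoverable, the criteria should say so explicitly: destroy the version or delete the key's metadata on revocation, and state a retention limit for old versions after rotation. Two smaller points on the same hunk: `VAULT_TOKEN` appears under Scope as a plain env var with no mention of token lifetime, renewal or the policy it is bound to, so the fail-fast check on `VAULT_ADDR` / `VAULT_TOKEN` would pass on startup and still leave the service failing once the token expires. The first criterion writes to Vault and then stores `vault_path` in PostgreSQL without saying which write goes first or how a failure between the two is cleaned up. The header also still reads "Status: Pending CEO approval" and every checkbox is unchecked, although the commit message archives the change as 89/89 tasks complete; one of the two should be updated.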