sentryagent-idp/openspec/specs/vault/spec.md
SentryAgent.ai Developer d42c653eea chore(openspec): archive engineering-docs and phase-2-production-ready changes
- engineering-docs → archive/2026-03-29-engineering-docs (63/63 tasks complete)
- phase-2-production-ready → archive/2026-03-29-phase-2-production-ready (89/89 tasks complete)
- openspec/specs/ synced with all Phase 1 + Phase 2 + engineering-docs capabilities (22 specs total)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-29 12:41:53 +00:00


Spec: HashiCorp Vault Integration

Status: Pending CEO approval
Workstream: 1 of 8

Scope

  • VaultClient class wrapping node-vault
  • 005_add_vault_path.sql migration
  • Updated CredentialService to write secrets to Vault instead of PostgreSQL
  • New env vars: VAULT_ADDR, VAULT_TOKEN, VAULT_MOUNT
  • Migration guide: bcrypt → Vault coexistence strategy

Acceptance Criteria

  • New credentials: secret written to Vault KV v2, vault_path stored in PostgreSQL
  • Credential rotation: Vault versioned update, vault_path unchanged
  • Credential revocation: Vault secret deleted, DB status = revoked
  • Existing bcrypt credentials continue to work until rotated
  • VaultClient follows existing service interface pattern (DRY, SOLID)
  • Zero any types, TypeScript strict
  • VAULT_ADDR / VAULT_TOKEN validation at startup (fail-fast)
  • DevOps docs updated with Vault setup section
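
One way the fail-fast startup criterion could be met, as an added example that is not the project's code. The names VaultConfig, checkVaultEnv and loadVaultConfig are hypothetical, and the rules (http(s) address without embedded credentials, whitespace-free token, VAULT_MOUNT defaulting to "secret") are assumptions the spec does not state.

```typescript
// Added example, not the project's code. All names and rules are assumptions.
type Env = Readonly<Record<string, string | undefined>>;

interface VaultConfig {
  readonly addr: string;
  readonly token: string;
  readonly mount: string;
}

// scheme://[userinfo@]host[:port][/] ; group 2 captures userinfo when present.
const ADDR_RE = /^(https?):\/\/(?:([^@\/\s]*)@)?([A-Za-z0-9.-]+|\[[0-9A-Fa-f:]+\])(?::(\d{1,5}))?\/?$/;
const MOUNT_RE = /^[A-Za-z0-9_-]+(\/[A-Za-z0-9_-]+)*$/;

const stripSlashes = (s: string): string => s.replace(/^\/+|\/+$/g, '');

// Collects every problem so a single failed start reports all of them.
// Messages name the variable only; the token value is never echoed.
function checkVaultEnv(env: Env): string[] {
  const problems: string[] = [];
  const addr = (env['VAULT_ADDR'] ?? '').trim();
  const token = env['VAULT_TOKEN'] ?? '';
  const mount = stripSlashes(env['VAULT_MOUNT'] ?? 'secret');

  const m = ADDR_RE.exec(addr);
  if (addr === '') problems.push('VAULT_ADDR is not set');
  else if (m === null) problems.push('VAULT_ADDR must look like http(s)://host[:port]');
  else if (m[2] !== undefined) problems.push('VAULT_ADDR must not embed credentials');

  if (token === '') problems.push('VAULT_TOKEN is not set');
  else if (/\s/.test(token)) problems.push('VAULT_TOKEN contains whitespace');

  if (!MOUNT_RE.test(mount)) problems.push('VAULT_MOUNT is not a valid mount path');
  return problems;
}

// Call once at process start, e.g. loadVaultConfig(process.env), before any
// service is constructed; a thrown error stops the process from serving.
function loadVaultConfig(env: Env): VaultConfig {
  const problems = checkVaultEnv(env);
  if (problems.length > 0) {
    throw new Error(`Vault configuration invalid: ${problems.join('; ')}`);
  }
  return {
    addr: (env['VAULT_ADDR'] ?? '').trim().replace(/\/$/, ''),
    token: env['VAULT_TOKEN'] ?? '',
    mount: stripSlashes(env['VAULT_MOUNT'] ?? 'secret'),
  };
}
```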