## Stack - **Language:** Kubernetes manifests, Bash Make targets, SOPS-encrypted secret custody - **Key deps:** Keycloak (SSO/MFA), age/SOPS, KeePassXC-based credential custody, repo-local git hooks ## Dev Commands ```bash make help # list all targets make hooks && make hooks-test # secrets-guard git hooks make check-secrets # fail if anything under secrets/ is unencrypted make sops-edit FILE=secrets/foo.yaml # edit encrypted file make sops-custody-check # validate custody age key without writing to disk make sops-custody-run COMMAND='...' # run one command with temporary custody key make creds-init # one-time credential custody setup make creds-generate # generate service secrets + KeePassXC guide make creds-bundle # age-encrypt ops bundle for offsite storage ``` Credential material never lands in Git, State Hub, or logs — the hooks and check-secrets enforce this. Deployment of identity services runs through the S2/S5 railiance repos, not from here.