# Credential state — net-kingdom SSO/MFA stack
# This file is SAFE TO COMMIT. It contains no secrets.
# Updated automatically by make creds-* targets and sso-mfa/bootstrap/creds-verify.sh.
#
# keepass_confirmed is the only field that requires manual operator intervention.
# Set it to true after you have entered all generated secrets into KeePassXC.

generated_at: "2026-03-20T02:57:00+00:00"
bundle_at: null
keepass_confirmed: false

secrets_applied:
  postgres: false
  lldap: false
  authelia: false
  privacyidea: false
  # keycape requires PI_ADMIN_TOKEN from post-privacyIDEA T04 bootstrap.
  # Run: sso-mfa/k8s/keycape/create-pi-token.sh, then re-run keycape/create-secrets.sh.
  keycape: false

# enckey_bootstrapped: set by sso-mfa/k8s/privacyidea/enckey-bootstrap.sh
# This step is TIME-SENSITIVE — it must run while the privacyIDEA pod is live.
enckey_bootstrapped: false

# pi_admin_created: set after sso-mfa/k8s/privacyidea/bootstrap-admin.sh completes
pi_admin_created: false