generated from coulomb/repo-seed
- Fill .claude/rules/stack-and-commands.md (was an empty TODO template)
- Normalize workplan frontmatter statuses to canonical vocabulary (completed/done -> finished) per ADR-001
- Repair glued frontmatter delimiter in NK-WP-0001 (superseded_by line)

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Stack
- Language: Kubernetes manifests, Bash Make targets, SOPS-encrypted secret custody
- Key deps: Keycloak (SSO/MFA), age/SOPS, KeePassXC-based credential custody, repo-local git hooks
Dev Commands
make help # list all targets
make hooks && make hooks-test # secrets-guard git hooks
make check-secrets # fail if anything under secrets/ is unencrypted
make sops-edit FILE=secrets/foo.yaml # edit encrypted file
make sops-custody-check # validate custody age key without writing to disk
make sops-custody-run COMMAND='...' # run one command with temporary custody key
make creds-init # one-time credential custody setup
make creds-generate # generate service secrets + KeePassXC guide
make creds-bundle # age-encrypt ops bundle for offsite storage
Credential material never lands in Git, State Hub, or logs — the hooks and check-secrets enforce this. Deployment of identity services runs through the S2/S5 railiance repos, not from here.
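
A sketch of the kind of check `make check-secrets` describes, added here as an example; it is not this repo's Makefile or hook code. It assumes secrets are SOPS-encrypted YAML or JSON, which carry a `sops` metadata block whose `mac` is stored as `ENC[AES256_GCM,...]`; the function names are hypothetical.

```sh
#!/bin/sh
# Added example (not the repo's own code): fail if any file under a
# secrets directory does not look SOPS-encrypted.
# Assumption: SOPS YAML/JSON layout, i.e. a `sops` metadata block
# containing an encrypted `mac` field.

# is_sops_encrypted FILE -> 0 if FILE carries SOPS metadata, 1 otherwise.
is_sops_encrypted() {
    # Metadata block: `sops:` at column 0 (YAML) or a "sops" key (JSON).
    grep -Eq '^sops:|"sops"[[:space:]]*:' "$1" || return 1
    # The MAC inside the metadata block is itself stored encrypted.
    grep -Eq 'mac"?:[[:space:]]*"?ENC\[AES256_GCM,' "$1" || return 1
    return 0
}

# check_secrets DIR -> prints each offending path to stderr and
# returns 1 if any file under DIR is not SOPS-encrypted.
# Paths containing newlines are not supported by this line-based loop.
check_secrets() {
    [ -d "$1" ] || return 0   # no secrets directory, nothing to guard
    find "$1" -type f ! -name .gitkeep | (
        bad=0
        while IFS= read -r f; do
            if ! is_sops_encrypted "$f"; then
                printf 'UNENCRYPTED: %s\n' "$f" >&2
                bad=1
            fi
        done
        exit "$bad"            # subshell status becomes the function's
    )
}
```

This is a structural check only: it does not decrypt the file or verify the SOPS MAC, so a hand-edited file that keeps its `sops` block would still pass.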