generated from coulomb/repo-seed
- Fill .claude/rules/stack-and-commands.md (was an empty TODO template)
- Normalize workplan frontmatter statuses to canonical vocabulary (completed/done -> finished) per ADR-001
- Repair glued frontmatter delimiter in NK-WP-0001 (superseded_by line)

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
23 lines
1.0 KiB
Markdown
## Stack

- **Language:** Kubernetes manifests, Bash Make targets, SOPS-encrypted secret custody
- **Key deps:** Keycloak (SSO/MFA), age/SOPS, KeePassXC-based credential custody, repo-local git hooks

## Dev Commands

```bash
make help # list all targets
make hooks && make hooks-test # secrets-guard git hooks
make check-secrets # fail if anything under secrets/ is unencrypted
make sops-edit FILE=secrets/foo.yaml # edit encrypted file
make sops-custody-check # validate custody age key without writing to disk
make sops-custody-run COMMAND='...' # run one command with temporary custody key
make creds-init # one-time credential custody setup
make creds-generate # generate service secrets + KeePassXC guide
make creds-bundle # age-encrypt ops bundle for offsite storage
```

Credential material never lands in Git, State Hub, or logs — the hooks and
check-secrets enforce this. Deployment of identity services runs through the
S2/S5 railiance repos, not from here.
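
One way a check like `make check-secrets` could work, as an added example (not this repository's Makefile or hook code): it treats a file as encrypted only if it carries SOPS metadata with an encrypted MAC, and reports everything else under the directory. The function names, the metadata heuristic and the sample files are assumptions made for illustration.

```bash
#!/bin/sh
# Added example, not the repository's Makefile target. Heuristic: a file counts
# as SOPS-encrypted when it carries the sops metadata block with an encrypted MAC.
# It does not verify the MAC (that needs the key) or catch partially encrypted files.

is_sops_encrypted() {
    # YAML layout: top-level "sops:" mapping with an indented "mac: ENC[...]" entry
    if grep -Eq '^sops:[[:space:]]*$' "$1" &&
       grep -Eq '^[[:space:]]+mac:[[:space:]]*ENC\[AES256_GCM,' "$1"; then
        return 0
    fi
    # JSON layout: "sops": { ... "mac": "ENC[...]" ... }
    if grep -Eq '"sops"[[:space:]]*:' "$1" &&
       grep -Eq '"mac"[[:space:]]*:[[:space:]]*"ENC\[AES256_GCM,' "$1"; then
        return 0
    fi
    return 1
}

# Print each file under $1 that lacks SOPS metadata (paths with newlines unsupported).
list_unencrypted() {
    find "$1" -type f | sort | while IFS= read -r f; do
        is_sops_encrypted "$f" || printf '%s\n' "$f"
    done
}

# Exit status: 0 = all encrypted, 1 = plaintext found, 2 = directory missing.
check_secrets() {
    dir=${1:-secrets}
    [ -d "$dir" ] || { echo "check-secrets: no directory $dir" >&2; return 2; }
    bad=$(list_unencrypted "$dir")
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad" | sed 's/^/UNENCRYPTED: /' >&2
    return 1
}

# Constructed sample tree: one SOPS-shaped file, one plaintext file.
demo() {
    d=$(mktemp -d) && mkdir "$d/secrets" || return
    cat > "$d/secrets/db.yaml" <<'EOF'
password: ENC[AES256_GCM,data:CONSTRUCTED,iv:CONSTRUCTED,tag:CONSTRUCTED,type:str]
sops:
    lastmodified: "2024-01-01T00:00:00Z"
    mac: ENC[AES256_GCM,data:CONSTRUCTED,iv:CONSTRUCTED,tag:CONSTRUCTED,type:str]
EOF
    printf 'password: constructed-plaintext\n' > "$d/secrets/leak.yaml"
    check_secrets "$d/secrets" || echo "check_secrets exited $?"
    rm -rf "$d"
}
demo
```

Because the heuristic only looks for metadata, it complements rather than replaces a decrypt-based validation with the custody key.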