railiance-fabric/fabric/dependencies/railiance-forge-runtime-secrets.yaml

apiVersion: railiance.fabric/v1alpha1
kind: DependencyDeclaration
metadata:
  id: railiance-forge.source-forge.needs-runtime-secrets
  name: Forge runtime secrets dependency
  owner: railiance-forge
  repo: railiance-forge
  domain: railiance
  source_links:
    - label: Backup and restore handoff
      path: /home/worsch/railiance-forge/docs/backup-restore-secret-handoff.md
spec:
  lifecycle: active
  environments: [dev, staging, prod]
  consumer_service_id: railiance-forge.source-forge
  requires:
    capability_type: runtime-secrets
    capability_id: railiance-platform.openbao.runtime-secrets
  interface:
    type: openbao-kv-v2-mount
    version_constraint: ">=v1 <v2"
  auth:
    method: kubernetes_service_account
  criticality: critical
  data_classification: secret
  fallback:
    mode: manual
    description: SOPS/age bootstrap can carry encrypted deploy input, but runtime secret custody belongs to the platform path.