Skip to content

Materialize safe env and config from secret references #142

Description

@BramVR

What to build

Define and implement safe env/config Materialization from Secret references so env readiness becomes actionable without CodeMesh storing raw secret values. This is HITL until the automated secret-reference fixture and allowed backend shape are chosen.

Acceptance criteria

  • A Secret reference model is documented and implemented without reading, storing, logging, or exporting raw secret values in CodeMesh state.
  • Env/config Materialization can create approved files or variables from configured references only after readiness and policy checks pass.
  • Missing or invalid Secret references produce actionable blockers without leaking values.
  • Public artifacts, reports, and Crabbox visuals redact or avoid sensitive values by construction.
  • Docs and ADRs describe the backend boundary, materialization lifecycle, and no-raw-secret invariant.

Required proof

  • Fake/local gate: make test, make e2e, and make docs:list must pass.
  • Real gate: an automatic configured secret-reference fixture must pass in CI or Crabbox without manual Bram steps; skipped, missing, or fake-only proof fails this issue.
  • Merge rule: if the required real gate is skipped, missing, incomplete, or replaced by fake-only proof, this issue is not complete.

Blocked by

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or request

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions