docs(adr): Configuration & Secrets — 027 model · 028 provider · 029 management · 030 docs/maturation#624
docs(adr): Configuration & Secrets — 027 model · 028 provider · 029 management · 030 docs/maturation#624seanspeaks wants to merge 7 commits into
Conversation
Formalize the intended SSM/Secrets env-loading feature: app-config flag
`ssm: { enable: true }` auto-attaches the AWS Parameters & Secrets Lambda
Extension, loads params under /${service}/${stage} into process.env on cold
start (SecureString KMS-decrypted, cached on warm invocations). Reconciles the
three coexisting mechanisms today — the merged IAM-only SsmBuilder, the
unmerged draft loader on feature/finish-ssm-based-env-management, and build-time
appDefinition.environment — and flags the doc/code drift in ssm-configuration.md.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_019BQcoqYva5TXM2DQAyEG5o
There was a problem hiding this comment.
Claude Code Review
Claude Code Review is paused for this repository. To reconnect it, an admin of this repository's GitHub organization (or the account owner, for personal repositories) who can also manage your Claude organization's Code Review settings needs to re-link GitHub in Code Review settings. This is a one-time step.
Tip: disable this comment in your organization's Code Review settings.
|
Bugbot is not enabled for your account, so this pull request was not reviewed. Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs. |
…rovider plugin) + 029 (management)
Replace the narrow SSM-runtime-loading ADR with a broader Configuration & Secrets
model: three scopes (platform / app-level per-API-module / instance) x {config,
secret}, the env-overload problem (10+ modules x OAuth creds), the free-and-fast
-> mature adoption path, the instance-secret isolation invariant, and a new
app-level module-credential tier (Integration.config/Credential are instance-
scoped and NOT that home).
028 makes secrets/config a provider plugin (AWS/GCP/Azure/1Password/Vault/DB) per
ADR-PLUGINS; the SSM/Secrets runtime loader becomes the AWS adapter. 029 makes an
admin API the single management brain that routes storage by app definition, with
the CLI, curl, and a future GUI as thin clients.
Drafts — open questions recorded; not yet for review.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_019BQcoqYva5TXM2DQAyEG5o
|
Bugbot is not enabled for your account, so this pull request was not reviewed. Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs. |
027: rename tier-3 to "per-connection" (vs deployment tenancy); add management-plane vs runtime-plane; expand variable scoping (global vs module-scoped vs per-connection, derived from the integration->module graph, usage-based); record resolved decisions (both runtime modes w/ materialized default; per-connection DB-default + deferred non-Frigg credential-source override) and the function-granularity open question. 028: port is read+write; runtime mode decided (both; materialized default for external managers, w/ bootstrap-token rationale); mode selects scoping realization; 1Password both modes; deferred credentialSource adapter. 029: routing map (tier x env -> backend); "unified 1Password" = all tiers -> 1password; first-class local provider default; scoping emitted from the graph, not hand-maintained. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_019BQcoqYva5TXM2DQAyEG5o
|
Bugbot is not enabled for your account, so this pull request was not reviewed. Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs. |
…scoping in code Tier-2 = Option A: new ModuleCredential/ModuleConfig models (app+env+module scoped, field-encrypted) rather than overloading Credential/config. Confirmed against infra code that per-function env/IAM scoping is feasible today without restructuring: integration-builder emits per-integration functions (HTTP/webhook/queue/extension), base-definition-factory packages individually; env is global only because infrastructure-composer Object.assigns onto provider.environment. materialized scoping = emit functions[name].environment from the integration->module graph. Closes the function-granularity open question. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_019BQcoqYva5TXM2DQAyEG5o
|
Bugbot is not enabled for your account, so this pull request was not reviewed. Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs. |
… 027-029 Resolve the last two open questions: scope boundary = derive-by-default with explicit per-variable override; precedence = separate namespaces + one backend per (tier,env) via the routing map, provider/routing-map wins on real overlaps, local overrides locally, validation warns (strict optional). Add ASCII diagrams to all three (027 tier/plane flow; 028 provider port + adapters + materialized/direct; 029 one-API-many-clients + routing) and a scope-annotation sample to 027. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_019BQcoqYva5TXM2DQAyEG5o
|
Bugbot is not enabled for your account, so this pull request was not reviewed. Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs. |
# Conflicts: # docs/architecture-decisions/README.md
|
Bugbot is not enabled for your account, so this pull request was not reviewed. Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs. |
…ts ADRs - Status Draft -> Proposed on ADR-027/028/029/030 + README index (Draft is not in the sanctioned status vocabulary) - ADR-027: collapse stale tier-2 'open decision' Option A/B block (mirror models is decided; alternative moved to Alternatives Considered) - ADR-027/030: reconcile tier-3 with ADR-024 Global Entities — tier-3 now covers both per-end-user connections and admin-authored global entities (userId:null); isolation invariant restated to include both - ADR-028: frame the new secrets/config type as an ADR-016 taxonomy extension; soften 'zero references' to 'no functional impl, only stubs'; fix TTL attribution to the AWS Parameters&Secrets Lambda extension - ADR-029: mark /api/v2/admin/variables as this ADR's own namespace (not ADR-010's); refresh stale reporting-key open question - ADR-PLUGINS mnemonic -> ADR-016; add Alternatives Considered + cross links (024/030) per ADR-014 convention; align 029 title with the index Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_019BQcoqYva5TXM2DQAyEG5o
|
Bugbot is not enabled for your account, so this pull request was not reviewed. Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs. |
|



Summary
Draft ADRs for Frigg's configuration & secrets design. Rebased onto the unified register (now mergeable; index reads 001–030).
ModuleCredential/ModuleConfig); scope boundary = derive+annotate; precedence = one backend per (tier,env) + deterministic overlap order.materializeddefault |direct) with the bootstrap-token rationale; AWS/GCP/Azure/1Password/Vault/DB adapters; deferredcredentialSourceoverride.1password; CLI/curl/GUI are thin clients; first-class local provider.Each ADR has an ASCII diagram + sample code.
Status
All four Draft — open items are implementation-detail only. Sharing for context/iteration, not requesting merge yet.
🤖 Generated with Claude Code