Skip to content

docs(adr): Configuration & Secrets — 027 model · 028 provider · 029 management · 030 docs/maturation#624

Open
seanspeaks wants to merge 7 commits into
nextfrom
claude/frigg-adr-ssm-env-management
Open

docs(adr): Configuration & Secrets — 027 model · 028 provider · 029 management · 030 docs/maturation#624
seanspeaks wants to merge 7 commits into
nextfrom
claude/frigg-adr-ssm-env-management

Conversation

@seanspeaks

@seanspeaks seanspeaks commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Summary

Draft ADRs for Frigg's configuration & secrets design. Rebased onto the unified register (now mergeable; index reads 001–030).

  • ADR-027 — Model & Tiers. Three scopes (platform, app-level per-API-module, per-connection) × {config, secret}; the env-overload problem; management vs runtime planes; variable scoping (global vs module-scoped vs per-connection, derived from the integration→module graph — confirmed feasible in the current infra); the free-fast→mature path. Resolved: tier-2 = mirror models (ModuleCredential/ModuleConfig); scope boundary = derive+annotate; precedence = one backend per (tier,env) + deterministic overlap order.
  • ADR-028 — Provider Plugin. secrets/config as an ADR-PLUGINS plugin; read+write port; both runtime modes (materialized default | direct) with the bootstrap-token rationale; AWS/GCP/Azure/1Password/Vault/DB adapters; deferred credentialSource override.
  • ADR-029 — Management. Admin API is the one brain; routing map (tier × env → backend); "unified 1Password" = all tiers → 1password; CLI/curl/GUI are thin clients; first-class local provider.
  • ADR-030 — Docs & Adopter Maturation. The "Configuration & Secrets" guide outline, the L0→L3 maturation journey ("all globals in the pipeline → managed config as you scale"), and a cross-pattern worked example (illustrative now; full version is a post-implementation doc deliverable).

Each ADR has an ASCII diagram + sample code.

Status

All four Draft — open items are implementation-detail only. Sharing for context/iteration, not requesting merge yet.

🤖 Generated with Claude Code

Formalize the intended SSM/Secrets env-loading feature: app-config flag
`ssm: { enable: true }` auto-attaches the AWS Parameters & Secrets Lambda
Extension, loads params under /${service}/${stage} into process.env on cold
start (SecureString KMS-decrypted, cached on warm invocations). Reconciles the
three coexisting mechanisms today — the merged IAM-only SsmBuilder, the
unmerged draft loader on feature/finish-ssm-based-env-management, and build-time
appDefinition.environment — and flags the doc/code drift in ssm-configuration.md.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_019BQcoqYva5TXM2DQAyEG5o

@claude claude Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Claude Code Review

Claude Code Review is paused for this repository. To reconnect it, an admin of this repository's GitHub organization (or the account owner, for personal repositories) who can also manage your Claude organization's Code Review settings needs to re-link GitHub in Code Review settings. This is a one-time step.

Tip: disable this comment in your organization's Code Review settings.

@cursor

cursor Bot commented Jul 10, 2026

Copy link
Copy Markdown

Bugbot is not enabled for your account, so this pull request was not reviewed.

Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs.

…rovider plugin) + 029 (management)

Replace the narrow SSM-runtime-loading ADR with a broader Configuration & Secrets
model: three scopes (platform / app-level per-API-module / instance) x {config,
secret}, the env-overload problem (10+ modules x OAuth creds), the free-and-fast
-> mature adoption path, the instance-secret isolation invariant, and a new
app-level module-credential tier (Integration.config/Credential are instance-
scoped and NOT that home).

028 makes secrets/config a provider plugin (AWS/GCP/Azure/1Password/Vault/DB) per
ADR-PLUGINS; the SSM/Secrets runtime loader becomes the AWS adapter. 029 makes an
admin API the single management brain that routes storage by app definition, with
the CLI, curl, and a future GUI as thin clients.

Drafts — open questions recorded; not yet for review.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_019BQcoqYva5TXM2DQAyEG5o
@cursor

cursor Bot commented Jul 10, 2026

Copy link
Copy Markdown

Bugbot is not enabled for your account, so this pull request was not reviewed.

Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs.

@seanspeaks seanspeaks changed the title docs(adr): ADR-027 — SSM-Based Runtime Environment Loading docs(adr): Configuration & Secrets — model (027) + provider plugin (028) + management (029) Jul 10, 2026
027: rename tier-3 to "per-connection" (vs deployment tenancy); add
management-plane vs runtime-plane; expand variable scoping (global vs
module-scoped vs per-connection, derived from the integration->module graph,
usage-based); record resolved decisions (both runtime modes w/ materialized
default; per-connection DB-default + deferred non-Frigg credential-source
override) and the function-granularity open question.

028: port is read+write; runtime mode decided (both; materialized default for
external managers, w/ bootstrap-token rationale); mode selects scoping
realization; 1Password both modes; deferred credentialSource adapter.

029: routing map (tier x env -> backend); "unified 1Password" = all tiers ->
1password; first-class local provider default; scoping emitted from the graph,
not hand-maintained.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_019BQcoqYva5TXM2DQAyEG5o
@cursor

cursor Bot commented Jul 10, 2026

Copy link
Copy Markdown

Bugbot is not enabled for your account, so this pull request was not reviewed.

Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs.

…scoping in code

Tier-2 = Option A: new ModuleCredential/ModuleConfig models (app+env+module
scoped, field-encrypted) rather than overloading Credential/config.

Confirmed against infra code that per-function env/IAM scoping is feasible today
without restructuring: integration-builder emits per-integration functions
(HTTP/webhook/queue/extension), base-definition-factory packages individually;
env is global only because infrastructure-composer Object.assigns onto
provider.environment. materialized scoping = emit functions[name].environment
from the integration->module graph. Closes the function-granularity open question.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_019BQcoqYva5TXM2DQAyEG5o
@cursor

cursor Bot commented Jul 10, 2026

Copy link
Copy Markdown

Bugbot is not enabled for your account, so this pull request was not reviewed.

Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs.

… 027-029

Resolve the last two open questions: scope boundary = derive-by-default with
explicit per-variable override; precedence = separate namespaces + one backend
per (tier,env) via the routing map, provider/routing-map wins on real overlaps,
local overrides locally, validation warns (strict optional).

Add ASCII diagrams to all three (027 tier/plane flow; 028 provider port +
adapters + materialized/direct; 029 one-API-many-clients + routing) and a
scope-annotation sample to 027.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_019BQcoqYva5TXM2DQAyEG5o
@cursor

cursor Bot commented Jul 10, 2026

Copy link
Copy Markdown

Bugbot is not enabled for your account, so this pull request was not reviewed.

Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs.

# Conflicts:
#	docs/architecture-decisions/README.md
@cursor

cursor Bot commented Jul 10, 2026

Copy link
Copy Markdown

Bugbot is not enabled for your account, so this pull request was not reviewed.

Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs.

@seanspeaks seanspeaks changed the title docs(adr): Configuration & Secrets — model (027) + provider plugin (028) + management (029) docs(adr): Configuration &amp; Secrets — 027 model · 028 provider · 029 management · 030 docs/maturation Jul 10, 2026
@seanspeaks
seanspeaks requested a review from d-klotz July 10, 2026 05:24
…ts ADRs

- Status Draft -> Proposed on ADR-027/028/029/030 + README index (Draft
  is not in the sanctioned status vocabulary)
- ADR-027: collapse stale tier-2 'open decision' Option A/B block (mirror
  models is decided; alternative moved to Alternatives Considered)
- ADR-027/030: reconcile tier-3 with ADR-024 Global Entities — tier-3 now
  covers both per-end-user connections and admin-authored global entities
  (userId:null); isolation invariant restated to include both
- ADR-028: frame the new secrets/config type as an ADR-016 taxonomy
  extension; soften 'zero references' to 'no functional impl, only stubs';
  fix TTL attribution to the AWS Parameters&Secrets Lambda extension
- ADR-029: mark /api/v2/admin/variables as this ADR's own namespace (not
  ADR-010's); refresh stale reporting-key open question
- ADR-PLUGINS mnemonic -> ADR-016; add Alternatives Considered + cross
  links (024/030) per ADR-014 convention; align 029 title with the index

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_019BQcoqYva5TXM2DQAyEG5o
@cursor

cursor Bot commented Jul 10, 2026

Copy link
Copy Markdown

Bugbot is not enabled for your account, so this pull request was not reviewed.

Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs.

@sonarqubecloud

Copy link
Copy Markdown

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants