Merge pull request 'feat: wire breakpilot-compliance to Infisical for local dev' (#30) from feat/infisical-secrets into main

- Add .infisical.json linking the repo to the breakpilot-compliance
  project on the self-hosted secrets.meghsakha.com instance.
- Add Makefile with infisical-aware targets (make dev, dev-build,
  dev-down, secrets, secrets-set). `make dev` runs `infisical run
  --env=dev -- docker compose up`, so secrets are injected at run
  time and .env files no longer touch disk.
- Add INFISICAL_SETUP.md with per-developer onboarding (CLI install,
  login, verify project link, run targets, Claude Code usage patterns,
  troubleshooting).
- Update README Quick Start to drop the cp .env.example .env step and
  point at make dev + INFISICAL_SETUP.md.
- Remove HashiCorp Vault references from CLAUDE.md (core-services list
  + sensitive-files list) and compliance-checklist.md TOM section;
  replace with Infisical.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

.claude/CLAUDE.md

@@ -130,10 +130,11 @@ rsync -avz --exclude node_modules --exclude .next --exclude .git \
 
 **breakpilot-core MUSS laufen!** Dieses Projekt nutzt Core-Services:
 - Valkey (Session-Cache)
-- Vault (Secrets)
 - RAG-Service (Vektorsuche fuer Compliance-Dokumente)
 - Nginx (Reverse Proxy)
 
+Secrets liegen in Infisical (`secrets.meghsakha.com`); die Projektverknuepfung steht in `.infisical.json`. Lokal mit `infisical run --env=dev -- docker compose up` (oder `make dev`) starten — `.env`/`.env.local` werden nicht mehr verwendet.
+
 **Externe Services (Production):**
 - PostgreSQL 17 (sslmode=require) — Schemas: `compliance`, `public`
 - Qdrant @ `qdrant-dev.breakpilot.ai` (HTTPS, API-Key)
@@ -316,7 +317,7 @@ ssh macmini "/usr/local/bin/docker compose -f /Users/benjaminadmin/Projekte/brea
 
 ### 5. Sensitive Dateien
 **NIEMALS aendern oder committen:**
-- `.env`, `.env.local`, Vault-Tokens, SSL-Zertifikate
+- `.env`, `.env.local`, Infisical-Tokens, SSL-Zertifikate
 - `*.pdf`, `*.docx`, kompilierte Binaries, grosse Medien
 
 ---

.claude/rules/compliance-checklist.md

@@ -92,7 +92,7 @@ Wenn Hochrisiko:
 
 - [ ] **Transit:** TLS 1.3 für alle Verbindungen
 - [ ] **Rest:** Datenbank-Verschlüsselung
-- [ ] **Secrets:** Vault für Credentials
+- [ ] **Secrets:** Infisical (`secrets.meghsakha.com`) für Credentials
 
 ### Zugriffskontrollen
 

.infisical.json

@@ -0,0 +1,5 @@
+{
+    "workspaceId": "996bda36-9e01-4071-ae8d-69a9f9ff5a23",
+    "defaultEnvironment": "",
+    "gitBranchToEnvironmentMapping": null
+}

INFISICAL_SETUP.md

@@ -0,0 +1,157 @@
+# Infisical Setup for Local Development
+
+This is the per-developer onboarding for accessing the `breakpilot-compliance` secrets while developing locally. Once this is done, **everything you launch through `make dev` (or `infisical run …`) gets the dev secrets injected as environment variables** — including any Claude Code session that spawns those commands.
+
+Secrets live in the self-hosted Infisical instance at **`secrets.meghsakha.com`**. The project link is committed in `.infisical.json`, so you don't need to know the project ID.
+
+---
+
+## 1. Install the Infisical CLI
+
+**macOS (recommended):**
+
+```bash
+brew install infisical/get-cli/infisical
+```
+
+**Other platforms / manual install:**
+
+See <https://infisical.com/docs/cli/overview>. Verify with:
+
+```bash
+infisical --version
+# infisical version 0.43.x (or newer)
+```
+
+---
+
+## 2. Log in to the self-hosted instance
+
+```bash
+infisical login --domain https://secrets.meghsakha.com
+```
+
+This opens a browser for SSO. The login is persisted to your OS keychain — you only do this once per machine.
+
+Sanity check:
+
+```bash
+cd ~/projects/breakpilot-compliance   # wherever you cloned the repo
+infisical --domain https://secrets.meghsakha.com secrets --env=dev
+```
+
+You should see a table of secret names + values. If you get an auth error, re-run `infisical login`.
+
+---
+
+## 3. Verify the project link
+
+The repo already contains `.infisical.json` pointing at the `breakpilot-compliance` project:
+
+```bash
+cat .infisical.json
+# { "workspaceId": "996bda36-9e01-4071-ae8d-69a9f9ff5a23", ... }
+```
+
+If the file is missing (rare — only if you reset the repo), recreate it:
+
+```bash
+infisical init --domain https://secrets.meghsakha.com
+```
+
+Pick the `breakpilot-compliance` project from the picker.
+
+---
+
+## 4. Launch the stack
+
+```bash
+make dev
+```
+
+This runs `infisical run --env=dev -- docker compose up`. Every service in the compose stack sees its secrets as normal env vars — no `.env` file ever touches disk.
+
+Other targets:
+
+| Target | What it does |
+|--------|--------------|
+| `make dev-build` | Same as `make dev` but rebuilds images first |
+| `make dev-down` | Stop the stack (no secrets needed) |
+| `make dev-logs` | Tail logs |
+| `make dev-ps` | List running containers |
+| `make secrets` | Print all secrets in `dev` (read-only) |
+| `make secrets-set KEY=FOO VALUE=bar` | Add or update a secret in `dev` |
+
+To target a different environment:
+
+```bash
+make dev ENV=staging
+make secrets ENV=prod
+```
+
+---
+
+## 5. Using secrets from Claude Code
+
+When Claude Code runs commands in this repo via its Bash tool, the commands inherit your shell's environment. Two patterns:
+
+**Pattern A — let Claude launch the stack normally**
+
+Claude just runs `make dev`. The Infisical CLI inside that command resolves secrets at run time and passes them to docker compose. Claude doesn't see plaintext secrets in its context, but the running services do.
+
+**Pattern B — let Claude run a one-off script with secrets**
+
+If Claude needs to execute a Python/Go script that requires secrets, wrap the command:
+
+```bash
+infisical run --env=dev -- python scripts/some_one_off.py
+```
+
+This works for any subprocess: pytest, alembic, go run, npm scripts. If Claude proposes a command that reads env vars and runs raw, ask it to wrap it in `infisical run --env=dev --` first.
+
+**What Claude should not do:**
+
+- `infisical export --env=dev > .env` — defeats the whole point and the `.gitignore` will still try to keep the file out.
+- `infisical secrets get KEY --env=dev --raw` and pasting the value into a code edit — secrets must stay out of the repo.
+
+If you want Claude to never accidentally dump secrets, add this to your `.claude/settings.json` permissions (project-level or user-level):
+
+```json
+{
+  "permissions": {
+    "deny": [
+      "Bash(infisical export*)",
+      "Bash(infisical secrets get*)"
+    ]
+  }
+}
+```
+
+---
+
+## Troubleshooting
+
+| Symptom | Fix |
+|---------|-----|
+| `please either run infisical init or pass --projectId` | `.infisical.json` is missing or unreadable — re-run `infisical init` |
+| `unauthorized` / `please log in` | Re-run `infisical login --domain https://secrets.meghsakha.com` |
+| `make dev` says secret is empty | Check the name in `make secrets` matches what docker-compose expects, then update the service config or rename the secret in Infisical |
+| Browser SSO doesn't open | Use `infisical login --domain https://secrets.meghsakha.com --method=user` and paste the URL manually |
+
+---
+
+## What the dev env contains
+
+Run `make secrets` to see the live list. As of this writing the dev env includes (at minimum):
+
+- `BREAKPILOT_DB_PASSWORD`
+- `BREAKPILOT_QDRANT_API_KEY`
+- `LITELLM_API_KEY`
+
+Every other variable in `.env.example` either has a sane default in `docker-compose.yml` or needs to be added to Infisical. To add one:
+
+```bash
+make secrets-set KEY=ANTHROPIC_API_KEY VALUE=sk-ant-xxxx
+```
+
+Or via the web UI: <https://secrets.meghsakha.com>.

Makefile

@@ -0,0 +1,57 @@
+# breakpilot-compliance — developer workflow
+#
+# Secrets are managed in Infisical (secrets.meghsakha.com). The project
+# link lives in .infisical.json. To get started:
+#   1) infisical login --domain https://secrets.meghsakha.com   (once per machine)
+#   2) make dev
+#
+# .env / .env.local are NOT used in this repo anymore. Anything that needs
+# secrets MUST be launched through `infisical run` so the values come from
+# the secrets store instead of disk.
+
+INFISICAL ?= infisical
+INFISICAL_DOMAIN ?= https://secrets.meghsakha.com
+ENV ?= dev
+
+INFISICAL_RUN := $(INFISICAL) --domain $(INFISICAL_DOMAIN) run --env=$(ENV) --
+INFISICAL_SECRETS := $(INFISICAL) --domain $(INFISICAL_DOMAIN) secrets --env=$(ENV)
+
+.PHONY: help dev dev-build dev-down dev-logs dev-ps secrets secrets-set check-loc
+
+help:
+	@echo "Targets:"
+	@echo "  dev           Start the full compose stack with secrets injected from Infisical"
+	@echo "  dev-build     Same as dev, but force a rebuild first"
+	@echo "  dev-down      Stop the compose stack (no secrets needed)"
+	@echo "  dev-logs      Tail logs from all services"
+	@echo "  dev-ps        Show running containers"
+	@echo "  secrets       List all secrets in the current env ($(ENV))"
+	@echo "  secrets-set   Set a secret (KEY=... VALUE=...)"
+	@echo "  check-loc     Run the 500-line LOC guard"
+
+dev:
+	$(INFISICAL_RUN) docker compose up
+
+dev-build:
+	$(INFISICAL_RUN) docker compose up --build
+
+dev-down:
+	docker compose down
+
+dev-logs:
+	docker compose logs -f
+
+dev-ps:
+	docker compose ps
+
+secrets:
+	$(INFISICAL_SECRETS)
+
+secrets-set:
+	@if [ -z "$(KEY)" ] || [ -z "$(VALUE)" ]; then \
+		echo "Usage: make secrets-set KEY=MY_KEY VALUE=my_value"; exit 1; \
+	fi
+	$(INFISICAL) --domain $(INFISICAL_DOMAIN) secrets set $(KEY)=$(VALUE) --env=$(ENV)
+
+check-loc:
+	bash scripts/check-loc.sh

README.md

@@ -42,23 +42,26 @@ All containers share the external `breakpilot-network` Docker network and depend
 
 ## Quick Start
 
-**Prerequisites:** Docker, Go 1.24+, Python 3.12+, Node.js 20+
+**Prerequisites:** Docker, Go 1.24+, Python 3.12+, Node.js 20+, [Infisical CLI](https://infisical.com/docs/cli/overview)
 
 ```bash
 git clone ssh://git@gitea.meghsakha.com:22222/Benjamin_Boenisch/breakpilot-compliance.git
 cd breakpilot-compliance
 
-# Copy and populate secrets (never commit .env)
-cp .env.example .env
+# One-time per machine: log in to the self-hosted Infisical instance
+infisical login --domain https://secrets.meghsakha.com
 
-# Start all services
-docker compose up -d
+# Start the full stack with secrets injected from Infisical (env=dev)
+make dev
 ```
 
+Secrets are pulled from Infisical (`secrets.meghsakha.com`) at runtime; `.env` files are not used. See [INFISICAL_SETUP.md](./INFISICAL_SETUP.md) for full onboarding, and `make help` for the rest of the targets (`dev-build`, `dev-down`, `secrets`, `secrets-set`).
+
 For the Orca/Hetzner production target (x86_64), use the override:
 
 ```bash
-docker compose -f docker-compose.yml -f docker-compose.hetzner.yml up -d
+make dev ENV=prod  # or:
+infisical run --env=prod -- docker compose -f docker-compose.yml -f docker-compose.hetzner.yml up -d
 ```
 
 ---