From d82f86fc951e322d9550e309cc3c7186c94feb48 Mon Sep 17 00:00:00 2001 From: Sharang Parnerkar <30073382+mighty840@users.noreply.github.com> Date: Mon, 22 Jun 2026 21:00:35 +0200 Subject: [PATCH] feat: wire breakpilot-compliance to Infisical for local dev - Add .infisical.json linking the repo to the breakpilot-compliance project on the self-hosted secrets.meghsakha.com instance. - Add Makefile with infisical-aware targets (make dev, dev-build, dev-down, secrets, secrets-set). `make dev` runs `infisical run --env=dev -- docker compose up`, so secrets are injected at run time and .env files no longer touch disk. - Add INFISICAL_SETUP.md with per-developer onboarding (CLI install, login, verify project link, run targets, Claude Code usage patterns, troubleshooting). - Update README Quick Start to drop the cp .env.example .env step and point at make dev + INFISICAL_SETUP.md. - Remove HashiCorp Vault references from CLAUDE.md (core-services list + sensitive-files list) and compliance-checklist.md TOM section; replace with Infisical. Co-Authored-By: Claude Opus 4.7 --- .claude/CLAUDE.md | 5 +- .claude/rules/compliance-checklist.md | 2 +- .infisical.json | 5 + INFISICAL_SETUP.md | 157 ++++++++++++++++++++++++++ Makefile | 57 ++++++++++ README.md | 15 ++- 6 files changed, 232 insertions(+), 9 deletions(-) create mode 100644 .infisical.json create mode 100644 INFISICAL_SETUP.md create mode 100644 Makefile diff --git a/.claude/CLAUDE.md b/.claude/CLAUDE.md index e29640d2..37f39a82 100644 --- a/.claude/CLAUDE.md +++ b/.claude/CLAUDE.md @@ -130,10 +130,11 @@ rsync -avz --exclude node_modules --exclude .next --exclude .git \ **breakpilot-core MUSS laufen!** Dieses Projekt nutzt Core-Services: - Valkey (Session-Cache) -- Vault (Secrets) - RAG-Service (Vektorsuche fuer Compliance-Dokumente) - Nginx (Reverse Proxy) +Secrets liegen in Infisical (`secrets.meghsakha.com`); die Projektverknuepfung steht in `.infisical.json`. Lokal mit `infisical run --env=dev -- docker compose up` (oder `make dev`) starten — `.env`/`.env.local` werden nicht mehr verwendet. + **Externe Services (Production):** - PostgreSQL 17 (sslmode=require) — Schemas: `compliance`, `public` - Qdrant @ `qdrant-dev.breakpilot.ai` (HTTPS, API-Key) @@ -316,7 +317,7 @@ ssh macmini "/usr/local/bin/docker compose -f /Users/benjaminadmin/Projekte/brea ### 5. Sensitive Dateien **NIEMALS aendern oder committen:** -- `.env`, `.env.local`, Vault-Tokens, SSL-Zertifikate +- `.env`, `.env.local`, Infisical-Tokens, SSL-Zertifikate - `*.pdf`, `*.docx`, kompilierte Binaries, grosse Medien --- diff --git a/.claude/rules/compliance-checklist.md b/.claude/rules/compliance-checklist.md index 2b6cc2d2..26247e97 100644 --- a/.claude/rules/compliance-checklist.md +++ b/.claude/rules/compliance-checklist.md @@ -92,7 +92,7 @@ Wenn Hochrisiko: - [ ] **Transit:** TLS 1.3 für alle Verbindungen - [ ] **Rest:** Datenbank-Verschlüsselung -- [ ] **Secrets:** Vault für Credentials +- [ ] **Secrets:** Infisical (`secrets.meghsakha.com`) für Credentials ### Zugriffskontrollen diff --git a/.infisical.json b/.infisical.json new file mode 100644 index 00000000..e2a19fa3 --- /dev/null +++ b/.infisical.json @@ -0,0 +1,5 @@ +{ + "workspaceId": "996bda36-9e01-4071-ae8d-69a9f9ff5a23", + "defaultEnvironment": "", + "gitBranchToEnvironmentMapping": null +} \ No newline at end of file diff --git a/INFISICAL_SETUP.md b/INFISICAL_SETUP.md new file mode 100644 index 00000000..2af99047 --- /dev/null +++ b/INFISICAL_SETUP.md @@ -0,0 +1,157 @@ +# Infisical Setup for Local Development + +This is the per-developer onboarding for accessing the `breakpilot-compliance` secrets while developing locally. Once this is done, **everything you launch through `make dev` (or `infisical run …`) gets the dev secrets injected as environment variables** — including any Claude Code session that spawns those commands. + +Secrets live in the self-hosted Infisical instance at **`secrets.meghsakha.com`**. The project link is committed in `.infisical.json`, so you don't need to know the project ID. + +--- + +## 1. Install the Infisical CLI + +**macOS (recommended):** + +```bash +brew install infisical/get-cli/infisical +``` + +**Other platforms / manual install:** + +See . Verify with: + +```bash +infisical --version +# infisical version 0.43.x (or newer) +``` + +--- + +## 2. Log in to the self-hosted instance + +```bash +infisical login --domain https://secrets.meghsakha.com +``` + +This opens a browser for SSO. The login is persisted to your OS keychain — you only do this once per machine. + +Sanity check: + +```bash +cd ~/projects/breakpilot-compliance # wherever you cloned the repo +infisical --domain https://secrets.meghsakha.com secrets --env=dev +``` + +You should see a table of secret names + values. If you get an auth error, re-run `infisical login`. + +--- + +## 3. Verify the project link + +The repo already contains `.infisical.json` pointing at the `breakpilot-compliance` project: + +```bash +cat .infisical.json +# { "workspaceId": "996bda36-9e01-4071-ae8d-69a9f9ff5a23", ... } +``` + +If the file is missing (rare — only if you reset the repo), recreate it: + +```bash +infisical init --domain https://secrets.meghsakha.com +``` + +Pick the `breakpilot-compliance` project from the picker. + +--- + +## 4. Launch the stack + +```bash +make dev +``` + +This runs `infisical run --env=dev -- docker compose up`. Every service in the compose stack sees its secrets as normal env vars — no `.env` file ever touches disk. + +Other targets: + +| Target | What it does | +|--------|--------------| +| `make dev-build` | Same as `make dev` but rebuilds images first | +| `make dev-down` | Stop the stack (no secrets needed) | +| `make dev-logs` | Tail logs | +| `make dev-ps` | List running containers | +| `make secrets` | Print all secrets in `dev` (read-only) | +| `make secrets-set KEY=FOO VALUE=bar` | Add or update a secret in `dev` | + +To target a different environment: + +```bash +make dev ENV=staging +make secrets ENV=prod +``` + +--- + +## 5. Using secrets from Claude Code + +When Claude Code runs commands in this repo via its Bash tool, the commands inherit your shell's environment. Two patterns: + +**Pattern A — let Claude launch the stack normally** + +Claude just runs `make dev`. The Infisical CLI inside that command resolves secrets at run time and passes them to docker compose. Claude doesn't see plaintext secrets in its context, but the running services do. + +**Pattern B — let Claude run a one-off script with secrets** + +If Claude needs to execute a Python/Go script that requires secrets, wrap the command: + +```bash +infisical run --env=dev -- python scripts/some_one_off.py +``` + +This works for any subprocess: pytest, alembic, go run, npm scripts. If Claude proposes a command that reads env vars and runs raw, ask it to wrap it in `infisical run --env=dev --` first. + +**What Claude should not do:** + +- `infisical export --env=dev > .env` — defeats the whole point and the `.gitignore` will still try to keep the file out. +- `infisical secrets get KEY --env=dev --raw` and pasting the value into a code edit — secrets must stay out of the repo. + +If you want Claude to never accidentally dump secrets, add this to your `.claude/settings.json` permissions (project-level or user-level): + +```json +{ + "permissions": { + "deny": [ + "Bash(infisical export*)", + "Bash(infisical secrets get*)" + ] + } +} +``` + +--- + +## Troubleshooting + +| Symptom | Fix | +|---------|-----| +| `please either run infisical init or pass --projectId` | `.infisical.json` is missing or unreadable — re-run `infisical init` | +| `unauthorized` / `please log in` | Re-run `infisical login --domain https://secrets.meghsakha.com` | +| `make dev` says secret is empty | Check the name in `make secrets` matches what docker-compose expects, then update the service config or rename the secret in Infisical | +| Browser SSO doesn't open | Use `infisical login --domain https://secrets.meghsakha.com --method=user` and paste the URL manually | + +--- + +## What the dev env contains + +Run `make secrets` to see the live list. As of this writing the dev env includes (at minimum): + +- `BREAKPILOT_DB_PASSWORD` +- `BREAKPILOT_QDRANT_API_KEY` +- `LITELLM_API_KEY` + +Every other variable in `.env.example` either has a sane default in `docker-compose.yml` or needs to be added to Infisical. To add one: + +```bash +make secrets-set KEY=ANTHROPIC_API_KEY VALUE=sk-ant-xxxx +``` + +Or via the web UI: . diff --git a/Makefile b/Makefile new file mode 100644 index 00000000..53f2360d --- /dev/null +++ b/Makefile @@ -0,0 +1,57 @@ +# breakpilot-compliance — developer workflow +# +# Secrets are managed in Infisical (secrets.meghsakha.com). The project +# link lives in .infisical.json. To get started: +# 1) infisical login --domain https://secrets.meghsakha.com (once per machine) +# 2) make dev +# +# .env / .env.local are NOT used in this repo anymore. Anything that needs +# secrets MUST be launched through `infisical run` so the values come from +# the secrets store instead of disk. + +INFISICAL ?= infisical +INFISICAL_DOMAIN ?= https://secrets.meghsakha.com +ENV ?= dev + +INFISICAL_RUN := $(INFISICAL) --domain $(INFISICAL_DOMAIN) run --env=$(ENV) -- +INFISICAL_SECRETS := $(INFISICAL) --domain $(INFISICAL_DOMAIN) secrets --env=$(ENV) + +.PHONY: help dev dev-build dev-down dev-logs dev-ps secrets secrets-set check-loc + +help: + @echo "Targets:" + @echo " dev Start the full compose stack with secrets injected from Infisical" + @echo " dev-build Same as dev, but force a rebuild first" + @echo " dev-down Stop the compose stack (no secrets needed)" + @echo " dev-logs Tail logs from all services" + @echo " dev-ps Show running containers" + @echo " secrets List all secrets in the current env ($(ENV))" + @echo " secrets-set Set a secret (KEY=... VALUE=...)" + @echo " check-loc Run the 500-line LOC guard" + +dev: + $(INFISICAL_RUN) docker compose up + +dev-build: + $(INFISICAL_RUN) docker compose up --build + +dev-down: + docker compose down + +dev-logs: + docker compose logs -f + +dev-ps: + docker compose ps + +secrets: + $(INFISICAL_SECRETS) + +secrets-set: + @if [ -z "$(KEY)" ] || [ -z "$(VALUE)" ]; then \ + echo "Usage: make secrets-set KEY=MY_KEY VALUE=my_value"; exit 1; \ + fi + $(INFISICAL) --domain $(INFISICAL_DOMAIN) secrets set $(KEY)=$(VALUE) --env=$(ENV) + +check-loc: + bash scripts/check-loc.sh diff --git a/README.md b/README.md index 0928de0e..fdc892b6 100644 --- a/README.md +++ b/README.md @@ -42,23 +42,26 @@ All containers share the external `breakpilot-network` Docker network and depend ## Quick Start -**Prerequisites:** Docker, Go 1.24+, Python 3.12+, Node.js 20+ +**Prerequisites:** Docker, Go 1.24+, Python 3.12+, Node.js 20+, [Infisical CLI](https://infisical.com/docs/cli/overview) ```bash git clone ssh://git@gitea.meghsakha.com:22222/Benjamin_Boenisch/breakpilot-compliance.git cd breakpilot-compliance -# Copy and populate secrets (never commit .env) -cp .env.example .env +# One-time per machine: log in to the self-hosted Infisical instance +infisical login --domain https://secrets.meghsakha.com -# Start all services -docker compose up -d +# Start the full stack with secrets injected from Infisical (env=dev) +make dev ``` +Secrets are pulled from Infisical (`secrets.meghsakha.com`) at runtime; `.env` files are not used. See [INFISICAL_SETUP.md](./INFISICAL_SETUP.md) for full onboarding, and `make help` for the rest of the targets (`dev-build`, `dev-down`, `secrets`, `secrets-set`). + For the Orca/Hetzner production target (x86_64), use the override: ```bash -docker compose -f docker-compose.yml -f docker-compose.hetzner.yml up -d +make dev ENV=prod # or: +infisical run --env=prod -- docker compose -f docker-compose.yml -f docker-compose.hetzner.yml up -d ``` --- -- 2.52.0