{
  "scope_and_authority": {
    "canonical_example_template": "secrets/.env.secrets.example",
    "runtime_loaded_secret_env_file": "secrets/stack-secrets.env",
    "dns_inventory_secret_env_file": "secrets/dynu.env",
    "docker_secret_files_pattern": "secrets/*.txt"
  },
  "env_template_variables": [
    {
      "variable": "NEXTCLOUD_DB_USER",
      "used_by": "apps/nextcloud/docker-compose.yml",
      "purpose": "Nextcloud database username (non-secret identifier but environment-specific)."
    },
    {
      "variable": "NEXTCLOUD_ADMIN_USER",
      "used_by": "apps/nextcloud/docker-compose.yml",
      "purpose": "Initial Nextcloud admin username."
    },
    {
      "variable": "NEXTCLOUD_SMTP_FROM_ADDRESS",
      "used_by": "apps/nextcloud/docker-compose.yml",
      "purpose": "SMTP sender local-part for outbound mail configuration."
    },
    {
      "variable": "NEXTCLOUD_SMTP_DOMAIN",
      "used_by": "apps/nextcloud/docker-compose.yml",
      "purpose": "SMTP sender domain for outbound mail configuration."
    },
    {
      "variable": "NEXTCLOUD_SMTP_NAME",
      "used_by": "apps/nextcloud/docker-compose.yml",
      "purpose": "SMTP display/sender name derived from address + domain in the example file."
    },
    {
      "variable": "PASSBOLT_DB_NAME",
      "used_by": "apps/passbolt/docker-compose.yml",
      "purpose": "Passbolt database name."
    },
    {
      "variable": "PASSBOLT_DB_USER",
      "used_by": "apps/passbolt/docker-compose.yml",
      "purpose": "Passbolt database username."
    },
    {
      "variable": "PASSBOLT_GPG_SERVER_KEY_FINGERPRINT",
      "used_by": "apps/passbolt/docker-compose.yml",
      "purpose": "Passbolt server GPG key fingerprint."
    },
    {
      "variable": "GRAMPSWEB_SECRET_KEY",
      "used_by": "apps/gramps/docker-compose.yml",
      "purpose": "Secret key used by Gramps Web for session/security signing."
    },
    {
      "variable": "GRAMPSWEB_EMAIL_HOST_USER",
      "used_by": "apps/gramps/docker-compose.yml",
      "purpose": "SMTP username for Gramps outbound email."
    },
    {
      "variable": "GRAMPSWEB_EMAIL_HOST_PASSWORD",
      "used_by": "apps/gramps/docker-compose.yml",
      "purpose": "SMTP password for Gramps outbound email."
    },
    {
      "variable": "GOTIFY_DEFAULTUSER_NAME",
      "used_by": "monitoring/gotify/docker-compose.yml",
      "purpose": "Gotify default username."
    },
    {
      "variable": "GOTIFY_DEFAULTUSER_PASS",
      "used_by": "monitoring/gotify/docker-compose.yml",
      "purpose": "Gotify default user password."
    },
    {
      "variable": "INFLUXDB_INIT_USERNAME",
      "used_by": "monitoring/prometheus/docker-compose.yml",
      "purpose": "InfluxDB initial username."
    },
    {
      "variable": "PIHOLE_PASSWORD",
      "used_by": "monitoring/prometheus/docker-compose.yml",
      "purpose": "Exporter auth / Pi-hole integration password."
    }
  ],
  "file_based_secrets": [
    {
      "path": "secrets/nextcloud_db_root_password.txt",
      "purpose": "Nextcloud MariaDB root password file.",
      "managed_by": "local_file",
      "committed": false
    },
    {
      "path": "secrets/nextcloud_db_password.txt",
      "purpose": "Nextcloud MariaDB application user password file.",
      "managed_by": "local_file",
      "committed": false
    },
    {
      "path": "secrets/nextcloud_admin_password.txt",
      "purpose": "Initial Nextcloud admin password file.",
      "managed_by": "local_file",
      "committed": false
    },
    {
      "path": "secrets/nextcloud_smtp_password.txt",
      "purpose": "Nextcloud SMTP account password file.",
      "managed_by": "local_file",
      "committed": false
    },
    {
      "path": "secrets/nextcloud_redis_password.txt",
      "purpose": "Nextcloud Redis runtime password file.",
      "managed_by": "local_file",
      "committed": false
    },
    {
      "path": "secrets/passbolt_db_password.txt",
      "purpose": "Passbolt database user password file.",
      "managed_by": "local_file",
      "committed": false
    },
    {
      "path": "secrets/influxdb_init_password.txt",
      "purpose": "InfluxDB initialization password file.",
      "managed_by": "local_file",
      "committed": false
    },
    {
      "path": "secrets/prometheus_kuma_basic_auth_password.txt",
      "purpose": "Uptime Kuma Prometheus scrape basic-auth password file.",
      "managed_by": "local_file",
      "committed": false
    }
  ],
  "externally_managed_secrets": [
    "Database/root passwords for Nextcloud, Passbolt, and supporting services are provided via Docker secret files.",
    "Redis runtime password is loaded from a Docker secret file.",
    "DOCKER_INFLUXDB_INIT_PASSWORD is loaded from a Docker secret in monitoring.",
    "Uptime Kuma basic-auth password is loaded via password_file in Prometheus configuration.",
    "Core stack secret values (for example Authelia and CrowdSec values) are injected via environment substitution."
  ],
  "commit_safety_rules": [
    "Never commit secrets/stack-secrets.env.",
    "Never commit secrets/dynu.env.",
    "Never commit real secrets/*.txt files.",
    "Never commit real Terraform .tfvars containing credentials.",
    "Never commit Terraform state files with sensitive runtime metadata."
  ],
  "related_docs": [
    "docs/security-secrets.md",
    "docs/deployment-prerequisites.md",
    "docs/source-of-truth.md"
  ]
}