Prism-Vault Changelog
All notable changes to the Prism-Vault subproject are documented here. Format follows Keep a Changelog. Dates are UTC.Prism-Vault is a separable subproject with its own version/build/deploy
lifecycle (SPEC-122 §Subproject Boundary). This changelog is distinct from the
main Prism changelog — Prism-Vault carries its own version string
from the first implementation commit so it can peel off into a standalone
service later. Entries are curated per arc, not per commit; the git log is the
source of truth for per-commit detail.
Unreleased — v0.1 (design)
Design
- SPEC-122 v0.1 — Prism-Vault Shared Config and Secrets Service (Texi
architecture). Prism-first shared config, secret, and credential-resolution
service. Broker with three internal surfaces (Secret Store, Config Store,
Credential Resolver) behind one identity/scope/policy/audit gate. Provider
adapters for Vault KV v2, Render env/secret bindings, and a future managed
provider. Canonical scope tuple
tenant_id / project_id / environment / service / record_name. Default-deny authorization, fail-closed on uncertainty, audit-before-return. Six-phase Prism-first rollout (Phase 0 boundary → Phase 5 Janus/DPA-Crawl). See SPEC-122 and Plan #28. - Subproject boundary established. Prism-Vault begins as a separable subproject inside the Prism umbrella with its own version, build artifact, deploy config, contract tests, and this changelog — repo-separation-ready from the first commit.
- Documentation lane opened. Prism-Vault docs structure stood up: this changelog, the overview, and the documentation contract defining what docs each implementation phase must produce as the skeleton lands.
No implementation code has landed yet. The first dated, versioned entry will
appear when Phase 0 (service boundary and contract) ships.