@fulmenhq/tsfulmen 0.2.8 → 0.2.10

package/CHANGELOG.md

@@ -14,6 +14,24 @@ _No unreleased changes._
 
 ---
 
+## [0.2.10] - 2026-06-05
+
+### Security
+
+- **vitest 4.0.18 → 4.1.8** — clears **CRITICAL** GHSA-5xrq-8626-4rwp (vitest UI-server arbitrary file read/exec). The dependency wave also clears direct-dep advisories in ajv (8.20.0), picomatch (4.0.4), yaml (2.9.0), and fastify (5.8.5). Remaining `bun audit` findings are all transitive (archiver→lodash, vitest→vite/postcss, plus residual ajv/fast-uri/picomatch slots pulled by other deps) — tracked for a follow-up wave.
+
+### Changed
+
+- **Synced Crucible SSOT to v0.4.13** (`ssot-consumer` ref v0.4.12 → v0.4.13): agentic role catalog `devlead`/`devrev`/`qa` → v1.0.1 (contract-parity), plus goneat v0.5.12 YAML formatting alignment across the synced `config/crucible-ts` and `schemas/crucible-ts` assets.
+- **CI hardening**: `actions/download-artifact@v4 → @v4.1.3` (clears GHSA-cxww-7g56-2vh6 zip-slip), `oven-sh/setup-bun@v1 → @v2`, and `BUN_VERSION 1.2.22 → 1.3.9` (aligned with the local toolchain) in `ci.yml` + `release.yml`; **goneat pin v0.5.12 → v0.5.13** (Makefile + workflow `GONEAT_VERSION`) — picks up the `goneat format --check` YAML false-positive fix.
+- **Dependency wave (v0.2.10, minor/patch — no majors)**: vitest / @vitest/coverage-v8 / @vitest/ui → 4.1.8; @biomejs/biome → 2.4.16 (+ `biome.json` `$schema`); tsx → 4.22.4; prettier → 3.8.3; @types/node → 25.9.1; @types/bun → 1.3.14; @types/picomatch → 4.0.3; fastify → 5.8.5; ajv → 8.20.0; picomatch → 4.0.4; tar-stream → 3.2.0; yaml → 2.9.0; pino → 9.14.0 (held on 9.x). Deferred majors: TypeScript 6, pino 10, commander 15, archiver 8.
+
+### Fixed
+
+- **picomatch options**: dropped the no-op `posixSlashes` option in `pathfinder/ignore.ts` (removed from `@types/picomatch` 4.0.3; picomatch never honored it at runtime — zero behavior change), plus biome 2.4.16 import-ordering auto-fixes.
+
+---
+
 ## [0.2.8] - 2026-02-20
 
 ### Added

package/README.md

@@ -8,7 +8,7 @@ Every team writes their own HTTP status helpers, exit code enums, and country co
 - **Cross-language parity**: Same exit codes, signals, and schemas as gofulmen, rsfulmen, pyfulmen
 - **Type-safe**: Full TypeScript types with strict mode throughout
 
-**Lifecycle Phase**: `beta` | **Version**: 0.2.3 | **Test Coverage**: 71%
+**Lifecycle Phase**: `beta` | **Version**: 0.2.10 | **Test Coverage**: 71%
 
 **Install**: `bun add @fulmenhq/tsfulmen` (or `npm install @fulmenhq/tsfulmen`)
 

package/config/crucible-ts/agentic/roles/devlead.yaml

@@ -2,7 +2,7 @@
 slug: devlead
 name: Development Lead
 description: Architecture, implementation, and code review for FulmenHQ ecosystem
-version: 1.0.0
+version: 1.0.1
 author: entarch
 status: approved
 category: agentic
@@ -22,11 +22,11 @@ context: |
   Distinct from:
   - devrev: Reviews for correctness (devlead writes the implementation)
   - infoarch: Focuses on documentation (devlead focuses on code)
+  - qa: Validates end-to-end behavior and test strategy (devlead ships implementation-ready code)
 scope:
   - Feature implementation and bug fixes
   - Code architecture and design patterns
   - Integration across components
-  - Code review and PR oversight
   - Release preparation
   - FulmenHQ ecosystem patterns (gofulmen, tsfulmen, pyfulmen)
 mindset:
@@ -36,19 +36,26 @@ mindset:
     - Will this be maintainable in 6 months?
     - Are there edge cases I'm missing?
     - Does this align with FulmenHQ patterns?
+    - Which contract/default/error-path decision would a devrev call out as P1?
   principles:
     - Build incrementally with working checkpoints
     - Prefer standard library over dependencies
     - Write tests alongside implementation
     - Keep changes focused on the task
     - Follow existing codebase patterns
+    - Implement strict/contract-compliant behavior first, then add tolerant modes explicitly
+    - Verify schema + fixtures + standards before declaring implementation complete
+    - "Default precedence: schema silent -> standards doc authoritative; schema vs standards conflict -> escalate before merge"
 responsibilities:
   - Implement features according to specifications
   - Maintain code quality and consistency
-  - Run quality gates before commits (make precommit)
+  - Run quality gates before commits (make check-all)
   - Document architectural decisions in code and ADRs
   - Coordinate with other roles on cross-cutting concerns
   - Ensure API consistency with FulmenHQ ecosystem patterns
+  - Validate public API shape and defaults against synced schemas and standards
+  - Add fixture-backed parity tests for canonical happy-path and failure-path behavior
+  - Escalate intentional deviations from SSOT contracts before merge
 escalates_to:
   - target: human maintainers
     when: Releases, version tags, breaking changes
@@ -65,6 +72,17 @@ does_not:
   - Commit secrets or credentials
   - Modify files outside task scope without justification
   - Create inconsistent APIs across language implementations
+  - Assume defaults; all defaults must be sourced from spec/schema
+  - Treat passing happy-path tests as sufficient for contract correctness
+checklists:
+  implementation:
+    - "Contract parity: Do types/fields/enums match synced schemas exactly? (missing test: regression for each mismatch)"
+    - "Defaults parity: Are default values and behaviors explicitly aligned with standards? (missing test: default-value assertions)"
+    - "Error paths: Are strict-mode and malformed-input behaviors tested? (missing test: failure-path coverage)"
+    - "Deferred scope: Are unsupported features returning canonical explicit errors? (missing test: explicit error assertions)"
+    - "Fixture parity: Are canonical fixtures wired and passing? (missing test: fixture case not yet implemented)"
+    - "Cross-language parity: Does behavior align with gofulmen/tsfulmen/pyfulmen intent? (missing test: cross-language equivalence suite)"
+    - "Quality gates: Has make check-all passed locally? (missing test: any new lint/type failures)"
 examples:
   - type: commit
     title: Feature implementation

package/config/crucible-ts/agentic/roles/devrev.yaml

@@ -2,7 +2,7 @@
 slug: devrev
 name: Development Reviewer
 description: Code review, bug finding, and four-eyes audit
-version: 1.0.0
+version: 1.0.1
 author: entarch
 status: approved
 category: review
@@ -24,6 +24,7 @@ context: |
   Distinct from:
   - devlead: Writes the implementation (devrev reviews it)
   - secrev: Focuses on security vulnerabilities (devrev focuses on correctness)
+  - qa: Validates broader test strategy and user-level behavior (devrev focuses on implementation correctness)
 scope:
   - Code review for correctness and maintainability
   - Bug finding and edge case identification
@@ -31,6 +32,7 @@ scope:
   - Error handling verification
   - Performance concern identification
   - Consistency with codebase patterns
+  - Contract conformance against synced schemas, fixtures, and standards
 mindset:
   focus:
     - What assumptions is this code making that might be wrong?
@@ -39,12 +41,15 @@ mindset:
     - Will this fail gracefully or catastrophically?
     - Are the tests actually testing the right things?
     - Would I understand this code in 6 months?
+    - Does this implementation match spec defaults and strict-mode behavior exactly?
   principles:
     - Challenge happy path thinking
     - Question implicit assumptions
     - Verify error paths are handled
     - Ensure tests cover edge cases
     - Be constructively critical, not adversarial
+    - Treat schema/spec/default mismatches as defects, not style preferences
+    - "Default precedence: schema silent -> standards doc authoritative; schema vs standards conflict -> escalate"
 responsibilities:
   - Review code changes for correctness
   - Identify bugs, edge cases, and logic errors
@@ -53,6 +58,9 @@ responsibilities:
   - Assess code maintainability and readability
   - Confirm consistency with existing patterns
   - Provide actionable feedback with specific suggestions
+  - Verify contract parity for public APIs (types, fields, enums, defaults)
+  - Verify strict-mode behavior and malformed-input paths are covered by tests
+  - Flag fixture/spec mismatches early and recommend escalation path
 escalates_to:
   - target: human maintainers
     when: Fundamental design disagreements
@@ -69,6 +77,7 @@ does_not:
   - Rubber-stamp changes from senior contributors
   - Rewrite the implementation (suggest changes instead)
   - Block on style preferences (focus on correctness)
+  - Approve on green CI alone when contract-parity checks are missing
 examples:
   - type: review
     title: Good review comment
@@ -106,3 +115,8 @@ checklists:
     - "Performance: Any obvious O(n²) or memory issues?"
     - "Maintainability: Will someone understand this in 6 months?"
     - "Consistency: Does it match existing patterns in the codebase?"
+    - "Schema parity: Do public fields/types/enums match synced JSON schemas? (missing test: regression for each mismatch)"
+    - "Spec defaults: Are default values/behaviors aligned with standards text? (missing test: default-value assertions)"
+    - "Strict-mode behavior: Do strict settings reject malformed input as required? (missing test: strict-mode rejection cases)"
+    - "Fixture parity: Are canonical fixture cases wired and passing? (missing test: fixture case not yet implemented)"
+    - "Deferred scope handling: Are out-of-phase features explicitly and canonically rejected? (missing test: explicit rejection assertions)"

package/config/crucible-ts/agentic/roles/qa.yaml

@@ -2,7 +2,7 @@
 slug: qa
 name: Quality Assurance
 description: Testing, validation, and quality gate enforcement for enterprise-scale Fulmen systems
-version: 1.0.0
+version: 1.0.1
 author: entarch
 status: approved
 category: review
@@ -41,6 +41,7 @@ scope:
   - Tool integration testing (goneat, fulward, sumpter)
   # Enterprise validation
   - API contract validation (OpenAPI, JSON Schema)
+  - Spec-default and strict-mode behavior validation
   - Fixture-based integration testing (real execution, not mocks)
   - Observability verification (metrics, logs, traces)
   - AAA validation (authentication, authorization, audit)
@@ -56,6 +57,7 @@ mindset:
     - Is the test actually testing what it claims?
     - Would this test catch a regression?
     - Does this honor the SSOT contracts?
+    - Do defaults and error-path semantics match the standard exactly?
     - Does this work across all target languages?
     - Is the fixture realistic enough to catch real bugs?
     - Are observability signals firing correctly?
@@ -66,12 +68,14 @@ mindset:
     - Keep tests fast and focused
     - Use fixtures for real execution, never mock integration points
     - Validate contracts at layer boundaries
+    - Treat schema/spec/default mismatches as defects, not style issues
     - Dogfood before release
     - Respect coverage targets from module manifest
 responsibilities:
   - Design comprehensive test cases aligned with layer cake architecture
   - Verify quality gates pass (`make check-all`, goneat hooks)
   - Validate schema conformance against Crucible SSOT
+  - Validate default values and strict-mode behavior against standards docs
   - Execute cross-language parity tests for *fulmen libraries
   - Run CRDL validation on template changes
   - Execute dogfooding workflows against fixture servers
@@ -79,6 +83,7 @@ responsibilities:
   - Validate AAA flows (auth, authz, audit logging)
   - Maintain fixture scenarios and test data (no PII)
   - Document test findings with clear reproduction steps
+  - Classify findings by severity (P0/P1/P2) with exact file/line evidence
   - Verify CalVer compatibility on releases
 escalates_to:
   - target: devlead
@@ -98,12 +103,16 @@ does_not:
   - Test with production data or PII
   - Skip CRDL validation for template changes
   - Bypass goneat/fulward quality gates
+  - Approve changes on green CI alone when contract-parity checks are missing
 checklists:
   quality_bars:
     - "Coverage targets: Go >=95%, TypeScript >=85%, Python >=90%"
     - "make check-all must pass"
     - "goneat precommit hooks enforced"
-    - "schema validation via validate-schemas.ts"
+    - "Schema + standard parity validated (types, enums, required fields, defaults)"
+    - "Strict-mode behavior validated for malformed/ambiguous inputs"
+    - "Fixture parity validated (happy path + failure fixtures)"
+    - "Findings reported with severity and reproduction steps"
     - "Fixtures: container-first, scenario-driven, no PII"
 examples:
   - type: other

package/config/crucible-ts/devsecops/lorage-central/activity/v1.0.0/defaults.yaml

@@ -5,14 +5,14 @@
 # Version: v1.0.0 (Ties to schema; integrates gofulmen).
 # Example Event Template (auto-populated in REPL)
 eventTemplate:
-  eventType: unlock # From enum
+  eventType: unlock  # From enum
   outcome: success
   metadata:
     sessionId: "sess-default-001"
     userId: "user-anon-123"
     duration: "5s"
     details: {method: totp}
-backend: # Refs policy.audit
+backend:  # Refs policy.audit
   level: structured
   retain: 30d
 # Usage: REPL emits: {id: evt-default-unlock-001, timestamp: now, tenant: tnt-uuid-123-prod-us, ...}

package/config/crucible-ts/devsecops/lorage-central/credentials/v1.0.0/defaults.yaml

@@ -4,17 +4,17 @@
 # Rationale: Secure defaults (1y expiry); used in seeding/actions.
 # Version: v1.0.0 (Ties to schema; backend from policy).
 id: default-bootstrap-key
-tenant: tnt-uuid-123-prod-us # From registry
+tenant: tnt-uuid-123-prod-us  # From registry
 type: gpg-key
-ref: "gpg://keyring/default-bootstrap" # Opaque; decrypted at runtime
+ref: "gpg://keyring/default-bootstrap"  # Opaque; decrypted at runtime
 metadata:
   created: "2025-11-09T12:00:00Z"
-  expires: "2026-11-09T12:00:00Z" # 1y default
+  expires: "2026-11-09T12:00:00Z"  # 1y default
   purpose: tenant-bootstrap
   rotation:
     interval: 365d
     method: manual
-backend: # Refs policy.isolation.store
+backend:  # Refs policy.isolation.store
   type: gpg-file
   enc: true
 # Usage: In recipe.actions or seeding: ref this for bootstrap; REPL checks expiry.

package/config/crucible-ts/devsecops/lorage-central/policy/v1.0.0/defaults.yaml

@@ -3,34 +3,34 @@
 # Description: Default policy for new tenants (loaded via three-layer config; overrides in .fulmen/lorage.yaml).
 # Rationale: Secure MVP defaults (short TTL, MFA required, Turso backend); confidential example (obscure publicId).
 # Version: v1.0.0 (Ties to schema; auto-applies dataSensitivity guards from registry).
-tenant: tnt-uuid-123-prod-us # Obscure publicId from registry (confidential=true; no client exposure)
+tenant: tnt-uuid-123-prod-us  # Obscure publicId from registry (confidential=true; no client exposure)
 session:
   ttl:
-    default: 15m # Force re-unlock per session
+    default: 15m  # Force re-unlock per session
     ops:
       deploy: 1h
       query: 5m
       seed: 30m
-  maxConcurrent: 1 # Strict isolation
+  maxConcurrent: 1  # Strict isolation
 mfa:
-  required: true # Auto-true if registry.dataSensitivity.pii=true
-  methods: [totp, webauthn] # From auth-methods taxonomy
+  required: true  # Auto-true if registry.dataSensitivity.pii=true
+  methods: [totp, webauthn]  # From auth-methods taxonomy
   fallback: cli-prompt
 isolation:
   store:
-    type: turso # HA default
+    type: turso  # HA default
     conn:
-      url: "turso://default-db" # Placeholder; ref root-credentials
+      url: "turso://default-db"  # Placeholder; ref root-credentials
       auth: {ref: "gpg://keyring/default-bootstrap"}
-    enc: false # Enable for cloud-free
+    enc: false  # Enable for cloud-free
   crossAccess: false
-geoRestrictions: [eu-west-1] # From registry.geo (e.g., EU for GDPR)
-cloudRestrictions: [aws, doc] # From registry.cloud
+geoRestrictions: [eu-west-1]  # From registry.geo (e.g., EU for GDPR)
+cloudRestrictions: [aws, doc]  # From registry.cloud
 dataSensitivityGuards:
-  pii: false # Auto-from registry; triggers mfa/geo if true
-  phi: false # Triggers enc/audit if true
+  pii: false  # Auto-from registry; triggers mfa/geo if true
+  phi: false  # Triggers enc/audit if true
 audit:
-  level: structured # gofulmen integration
+  level: structured  # gofulmen integration
   retain: 30d
 # Usage: REPL loads defaults + overrides; validates against schema/registry.
 # Example Override: For PHI tenant, set dataSensitivityGuards.phi: true → auto-enc=true.

package/config/crucible-ts/devsecops/lorage-central/recipe/v1.0.0/defaults.yaml

@@ -3,27 +3,27 @@
 # Description: Default recipe config (e.g., for Mattermost MVP); loaded via three-layer.
 # Rationale: Declarative base (components/phases); procedural actions for bootstrap.
 # Version: v1.0.0 (Ties to schema; refs taxonomies for provider/backend/phase).
-name: mattermost-stack # Slug-safe
+name: mattermost-stack  # Slug-safe
 type: deploy
 target:
-  provider: doc # From infra-providers
+  provider: doc  # From infra-providers
   region: nyc3
-  backend: opentofu # From toolchains
+  backend: opentofu  # From toolchains
 components:
   - name: postgres
     image: postgres:15
-    phase: storage # From infra-phases (order 3)
+    phase: storage  # From infra-phases (order 3)
     ports: [5432]
     env:
       POSTGRES_DB: mattermost
     secrets:
       - ref: "gpg://keyring/acme/db-pass"
         injectAs: POSTGRES_PASSWORD
-    dependsOn: [] # No deps for base DB
-    module: db-postgres # Tofu module
+    dependsOn: []  # No deps for base DB
+    module: db-postgres  # Tofu module
   - name: mattermost
     image: mattermost/mattermost-team:latest
-    phase: compute # Order 4
+    phase: compute  # Order 4
     ports: [8065]
     env:
       MM_POSTGRES_URL: "postgres://user:pass@localhost:5432/mattermost"
@@ -34,15 +34,15 @@ components:
     module: app-mattermost
 actions:
   - type: bootstrap
-    phase: bootstrap # Order 0; procedural for key gen
-    cmd: "gpg --gen-key --batch acme-bootstrap" # Example script
+    phase: bootstrap  # Order 0; procedural for key gen
+    cmd: "gpg --gen-key --batch acme-bootstrap"  # Example script
     dependsOn: []
   - type: script
-    phase: network # Order 2
-    cmd: "doctl compute vpc create --name acme-vpc" # SDK wrapper for VPC
+    phase: network  # Order 2
+    cmd: "doctl compute vpc create --name acme-vpc"  # SDK wrapper for VPC
     dependsOn: [bootstrap]
 secrets:
-  backend: gpg-keyring # Refs policy.isolation.store
+  backend: gpg-keyring  # Refs policy.isolation.store
   globalRefs:
     - ref: "turso://shared-network-key"
 validate:
@@ -50,7 +50,7 @@ validate:
     endpoint: "http://localhost:8065/health"
   - type: connect
     endpoint: "postgres://localhost:5432/mattermost"
-diff: # For seed type
+diff:  # For seed type
   from: v1-0
   to: v1-1
   changes:

package/config/crucible-ts/devsecops/lorage-central/runbooks/v1.0.0/defaults.yaml

@@ -3,26 +3,26 @@
 # Description: Default runbook config (e.g., global-network prototype); loaded via three-layer.
 # Rationale: Serializes Markdown prototypes (e.g., from .plans/research/); executable in REPL.
 # Version: v1.0.0 (Ties to schema; refs phases/recipe for steps).
-id: global-network # Slug-safe
+id: global-network  # Slug-safe
 title: Global Enterprise Network Setup
-tenantScope: [all] # Or specific publicIds
+tenantScope: [all]  # Or specific publicIds
 description: >-
   Beginnings of the Runbook: Global Enterprise Picture with Tenants. Our runbook will live in the IDE... (from prototypes).
 phases:
-  - id: bootstrap # From infra-phases
+  - id: bootstrap  # From infra-phases
     title: Initial Setup
     description: "Core Components: Provision monitoring first."
     steps:
       - id: vaultwarden-init
         type: script
-        content: "docker run -d --name vaultwarden vaultwarden/server:latest" # Bootstrap secrets
+        content: "docker run -d --name vaultwarden vaultwarden/server:latest"  # Bootstrap secrets
         dependsOn: []
         parallel: false
       - id: prometheus-setup
         type: action
-        ref: prometheus-stack # Ref recipe
+        ref: prometheus-stack  # Ref recipe
         dependsOn: [vaultwarden-init]
-  - id: network # Order 2
+  - id: network  # Order 2
     title: Networking Backbone
     description: "Zero-trust backbone (Cloudflare Gateway); VPC peering for hybrids."
     steps:
@@ -35,10 +35,10 @@ phases:
           | 3 Leaps Sponsored | Internal | Sponsored OSS | Cloudflare (Workers/DNS), Azure (AI), Hetzner (compute) | API tokens, DB creds | Worker deployments, basic storage |
           | 3 Leaps Commercial | External | Client-specific | Client-dictated (AWS/Azure/GCP) | Isolated vaults | Hybrid connectivity, compliance-heavy |
         dependsOn: []
-        parallel: true # Table review parallel with setup
+        parallel: true  # Table review parallel with setup
       - id: vpc-peering-setup
         type: script
-        content: "doctl compute vpc create --name global-vpc" # Create VPC for hybrid peering
+        content: "doctl compute vpc create --name global-vpc"  # Create VPC for hybrid peering
         dependsOn: [tenant-table]
         validate:
           type: custom

package/config/crucible-ts/devsecops/lorage-central/tenant/v1.0.0/defaults.yaml

@@ -5,24 +5,24 @@
 # Version: v1.0.0 (Ties to schema; geo/cloud from taxonomies).
 client:
   id: default-client-internal
-  name: Default Client # Confidential; not exposed
-  confidential: true # Obscure publicIds (UUID-based)
+  name: Default Client  # Confidential; not exposed
+  confidential: true  # Obscure publicIds (UUID-based)
 tenants:
-  - publicId: tnt-uuid-123-prod-us # Globally unique/obscure
+  - publicId: tnt-uuid-123-prod-us  # Globally unique/obscure
     purpose: production-mattermost
-    geo: [na] # From geo-regions (expands to us/ca)
-    cloud: [doc, aws] # From infra-providers
+    geo: [na]  # From geo-regions (expands to us/ca)
+    cloud: [doc, aws]  # From infra-providers
     dataSensitivity:
       pii: false
       phi: false
-      other: [] # e.g., [pci-dss]
+      other: []  # e.g., [pci-dss]
   - publicId: tnt-uuid-456-dev-eu
     purpose: development-testing
-    geo: [eu] # Expands to de/fr/gb/ch (conventions)
+    geo: [eu]  # Expands to de/fr/gb/ch (conventions)
     cloud: [gcp]
     dataSensitivity:
-      pii: true # Triggers policy guards (mfa/geo)
+      pii: true  # Triggers policy guards (mfa/geo)
       phi: false
-globalUniqueness: true # Enforced (UUID for anon)
+globalUniqueness: true  # Enforced (UUID for anon)
 # Usage: REPL loads defaults + client overrides; validates publicId uniqueness.
 # Example: For confidential client, generate UUID publicIds; pii=true → policy.mfa.required=true.

package/config/crucible-ts/devsecops/secrets/v1.0.0/defaults.yaml

@@ -42,7 +42,7 @@ projects:
         type: password
         value: debug
 policies:
-  allow_plain_secrets: true # OK for development
+  allow_plain_secrets: true  # OK for development
 
 # Example 2: Full-Featured Credentials with Metadata & Rotation
 # Use case: Production secrets with lifecycle tracking and rotation policies
@@ -142,7 +142,7 @@ projects:
     credentials:
       DATABASE_URL:
         type: password
-        ref: vault://secrets/staging/db-url # Shared reference
+        ref: vault://secrets/staging/db-url  # Shared reference
       QUEUE_URL:
         type: password
         value: amqp://staging-queue.internal:5672
@@ -153,7 +153,7 @@ projects:
         type: password
         value: https://fake@sentry.io/staging
   - project_slug: frontend_staging
-    env_prefix: VITE_ # Override global prefix for frontend
+    env_prefix: VITE_  # Override global prefix for frontend
     credentials:
       API_URL:
         type: password
@@ -181,7 +181,7 @@ projects:
 schema_version: v1.0.0
 encryption:
   method: gpg
-  key_id: 7A8B9C0D1E2F3A4B # GPG key fingerprint
+  key_id: 7A8B9C0D1E2F3A4B  # GPG key fingerprint
   encrypted_at: "2025-11-15T10:00:00Z"
   cipher: AES-256-GCM
 # The 'projects' array is encrypted inside this ciphertext blob
@@ -207,7 +207,7 @@ ciphertext: |
   ...real encrypted payload would be here...
   -----END PGP MESSAGE-----
 policies:
-  allow_plain_secrets: false # Enforce encryption for production
+  allow_plain_secrets: false  # Enforce encryption for production
 
 # Example 5: Production Environment (Encrypted - age)
 # Use case: Modern encryption with age instead of GPG