@hasna/knowledge 0.2.26 → 0.2.27

package/docs/architecture/ai-native-knowledge-base.md

@@ -159,6 +159,30 @@ s3://<knowledge-bucket>/<org>/<project>/knowledge/
   wiki/
 ```
 
+Hasna XYZ production uses the canonical open-source knowledge bucket and app
+path-compatible prefix:
+
+```text
+s3://hasna-xyz-opensource-knowledge-prod/.hasna/apps/knowledge/
+```
+
+The app config can be materialized with:
+
+```bash
+open-knowledge setup --mode hosted --canonical-hasna-xyz --scope project --json
+```
+
+The canonical metadata-only secret paths are:
+
+```text
+hasna/xyz/opensource/knowledge/prod/env
+hasna/xyz/opensource/knowledge/prod/aws
+hasna/xyz/opensource/knowledge/prod/s3
+```
+
+`hasna/xyz/opensource/knowledge/prod/rds` is reserved for a future hosted
+runtime database if the wrapper provisions one.
+
 Raw files still route through `open-files`. Knowledge S3 storage is for derived
 artifacts such as wiki pages, index shards, schema versions, logs, exports, and
 run outputs.

package/docs/architecture/hosted-wrapper-responsibilities.md

@@ -86,6 +86,14 @@ The OSS package may know a storage contract, bucket name, prefix, region, and
 profile. It must not contain tenant secret values, connector credentials, RDS
 passwords, hosted KMS key material, or privileged AWS role assumptions.
 
+For Hasna XYZ production, the OSS contract names
+`hasna-xyz-opensource-knowledge-prod` and prefix
+`.hasna/apps/knowledge/`, plus metadata-only secret paths under
+`hasna/xyz/opensource/knowledge/prod/{env,aws,s3}`. Hosted code is responsible
+for resolving those secrets, assuming AWS roles, enforcing tenant prefixes, and
+provisioning `hasna/xyz/opensource/knowledge/prod/rds` only if a hosted runtime
+database is introduced.
+
 Generated artifacts are safe to sync remotely only when they remain derived:
 wiki pages, index shards, schema files, logs, exports, run payloads, embeddings,
 and citation metadata. Raw source bytes stay in `open-files`.

package/docs/canonical-secrets-bootstrap-2026-06-08.md

@@ -0,0 +1,127 @@
+# Canonical Secrets Bootstrap Evidence: 2026-06-08
+
+Scope: canonical Hasna XYZ app secret paths in account `hasna-xyz-infra`
+(`789877399345`), region `us-east-1`, mirrored into the local `spark02`
+`secrets` vault.
+
+This note records names and migration intent only. It intentionally does not
+include secret payloads, passwords, API keys, connection strings, or `.env`
+contents.
+
+## Ownership Rule
+
+App-owned runtime/config secrets use:
+
+```txt
+hasna/xyz/{app_type}/{app}/prod/{component}
+```
+
+Shared infra/admin pointers use an infra-owned path:
+
+```txt
+hasna/xyz/infra/{resource_group}/prod/{component}/{role}
+```
+
+Legacy master credentials copied for migration are suffixed with
+`legacy-master`. They are deprecation inputs for migration jobs, not the clean
+runtime secret names new app code should read.
+
+## Open Files
+
+Created or verified in AWS Secrets Manager and the local vault:
+
+```txt
+hasna/xyz/opensource/files/prod/env
+hasna/xyz/opensource/files/prod/aws
+hasna/xyz/opensource/files/prod/s3
+hasna/xyz/opensource/files/prod/rds
+```
+
+Meaning:
+
+- `env`: app environment configuration.
+- `aws`: AWS account/profile/region and related app config metadata.
+- `s3`: canonical app storage bucket metadata for
+  `hasna-xyz-opensource-files-prod`.
+- `rds`: app runtime database connection fields for database `files` and role
+  `files_app`.
+
+The `aws` and `s3` entries are metadata-only. They do not contain access keys or
+tokens.
+
+## Open Knowledge
+
+Created or verified in AWS Secrets Manager and the local vault:
+
+```txt
+hasna/xyz/opensource/knowledge/prod/env
+hasna/xyz/opensource/knowledge/prod/aws
+hasna/xyz/opensource/knowledge/prod/s3
+```
+
+Meaning:
+
+- `env`: open-knowledge production app config metadata.
+- `aws`: AWS account/profile/region and related app config metadata.
+- `s3`: canonical app storage bucket metadata for
+  `hasna-xyz-opensource-knowledge-prod`.
+
+No `hasna/xyz/opensource/knowledge/prod/rds` secret was created in this pass.
+The OSS package is local-first and currently uses SQLite for local knowledge
+state. If a hosted wrapper later provisions an app database, the app-owned
+runtime secret should use:
+
+```txt
+hasna/xyz/opensource/knowledge/prod/rds
+```
+
+## Legacy Secret Mapping
+
+Mapped legacy AWS Secrets Manager names to canonical ownership paths:
+
+| Legacy name | Canonical path | Use |
+| --- | --- | --- |
+| `prod/microservice/rds/master` | `hasna/xyz/opensource/microservices/prod/rds/legacy-master` | Migration-only legacy master alias. |
+| `prod/connect/rds/master` | `hasna/xyz/opensource/connectors/prod/rds/legacy-master` | Migration-only legacy master alias. |
+| `internalapps/prod/rds/master` | `hasna/xyz/infra/apps/prod/postgres/legacy-internalapps-master` | Migration-only legacy shared/admin alias. |
+| `internalapps/prod/iapp-news/env` | `hasna/xyz/internalapp/news/prod/env` | Canonical app env path for internalapp `news`. |
+
+The three RDS aliases preserve old master credential payloads under explicit
+legacy names so migration jobs can read them without relying on noncanonical
+paths. They should not be used as the final runtime credentials for new app
+code. Clean app runtime database credentials should be provisioned under
+app-owned paths such as:
+
+```txt
+hasna/xyz/opensource/files/prod/rds
+hasna/xyz/internalapp/news/prod/rds
+```
+
+The shared canonical Postgres admin pointer remains:
+
+```txt
+hasna/xyz/infra/apps/prod/postgres/master
+```
+
+## Verification
+
+AWS Secrets Manager name-only verification returned these canonical entries:
+
+```txt
+hasna/xyz/infra/apps/prod/postgres/legacy-internalapps-master
+hasna/xyz/infra/apps/prod/postgres/master
+hasna/xyz/internalapp/news/prod/env
+hasna/xyz/opensource/connectors/prod/rds/legacy-master
+hasna/xyz/opensource/files/prod/aws
+hasna/xyz/opensource/files/prod/env
+hasna/xyz/opensource/files/prod/rds
+hasna/xyz/opensource/files/prod/s3
+hasna/xyz/opensource/knowledge/prod/aws
+hasna/xyz/opensource/knowledge/prod/env
+hasna/xyz/opensource/knowledge/prod/s3
+hasna/xyz/opensource/microservices/prod/rds/legacy-master
+```
+
+Local `secrets list` verification returned the same names with redacted values.
+
+No secret values were printed during creation or verification.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hasna/knowledge",
-  "version": "0.2.26",
+  "version": "0.2.27",
   "description": "Agent-friendly local knowledge CLI with JSON output, pagination, and safe destructive actions",
   "type": "module",
   "bin": {

package/src/cli.ts

@@ -57,6 +57,7 @@ interface Flags {
   provider?: string;
   mode?: string;
   apiUrl?: string;
+  canonicalHasnaXyz?: boolean;
   apiKey?: string;
   email?: string;
   org?: string;
@@ -125,6 +126,7 @@ function parseArgs(argv: string[]): ParseResult {
       case '--provider': flags.provider = argv[i + 1]; i += 1; break;
       case '--mode': flags.mode = argv[i + 1]; i += 1; break;
       case '--api-url': flags.apiUrl = argv[i + 1]; i += 1; break;
+      case '--canonical-hasna-xyz': flags.canonicalHasnaXyz = true; break;
       case '--api-key': flags.apiKey = argv[i + 1]; i += 1; break;
       case '--email': flags.email = argv[i + 1]; i += 1; break;
       case '--org': flags.org = argv[i + 1]; i += 1; break;
@@ -204,7 +206,7 @@ Commands:
   dedupe                       Remove duplicate items by title+content (requires --yes)
   stats                        Show knowledge base statistics
   paths                        Show resolved workspace/store paths
-  setup                        Configure local or hosted mode
+  setup                        Configure local, hosted, or canonical Hasna XYZ S3 mode
   auth login|whoami|logout     Manage hosted API credentials
   remote contracts|status      Inspect hosted client contracts/readiness
   storage status|validate      Inspect local/S3 artifact storage contract
@@ -299,7 +301,7 @@ function printCommandHelp(command: string): void {
   if (command === 'dedupe') { console.log('Usage: open-knowledge dedupe --yes [--json]'); return; }
   if (command === 'stats') { console.log('Usage: open-knowledge stats [--json]'); return; }
   if (command === 'paths') { console.log('Usage: open-knowledge paths [--scope local|global|project] [--json]'); return; }
-  if (command === 'setup') { console.log('Usage: open-knowledge setup --mode local|hosted [--api-url https://...] [--scope local|global|project] [--json]'); return; }
+  if (command === 'setup') { console.log('Usage: open-knowledge setup --mode local|hosted [--api-url https://...] [--canonical-hasna-xyz] [--scope local|global|project] [--json]'); return; }
   if (command === 'auth') { console.log('Usage: open-knowledge auth login|whoami|logout [--api-key <key>] [--email <email>] [--org <slug>] [--api-url https://...] [--scope local|global|project] [--json]'); return; }
   if (command === 'remote') { console.log('Usage: open-knowledge remote contracts|status [--scope local|global|project] [--json]'); return; }
   if (command === 'storage') { console.log('Usage: open-knowledge storage status|validate [--scope local|global|project] [--json]'); return; }
@@ -358,11 +360,11 @@ async function run(argv: string[]): Promise<void> {
   if (flags.completions) {
     const shell = flags.completions;
     if (shell === 'bash') {
-      console.log(`_open_knowledge() { local cur; cur="${"$"}{COMP_WORDS[COMP_CWORD]}"; COMPREPLY=($(compgen -W "add list get update archive restore upsert untag delete export prune dedupe stats paths setup auth remote storage db wiki source ingest reindex search web ask build embeddings providers safety help ls rm edit unarchive knowledge --json --yes --help --version --desc --page --limit --search --sort --id --store --title --content --url --tag --format --completions --purpose --model --dimensions --semantic --context --generate --approve-write --provider --mode --api-url --api-key --email --org --org-id --user-id --domain --file-results --full --fake --no-color --scope --archived --include-archived" -- "$cur")); }; complete -F _open_knowledge open-knowledge`);
+      console.log(`_open_knowledge() { local cur; cur="${"$"}{COMP_WORDS[COMP_CWORD]}"; COMPREPLY=($(compgen -W "add list get update archive restore upsert untag delete export prune dedupe stats paths setup auth remote storage db wiki source ingest reindex search web ask build embeddings providers safety help ls rm edit unarchive knowledge --json --yes --help --version --desc --page --limit --search --sort --id --store --title --content --url --tag --format --completions --purpose --model --dimensions --semantic --context --generate --approve-write --provider --mode --api-url --canonical-hasna-xyz --api-key --email --org --org-id --user-id --domain --file-results --full --fake --no-color --scope --archived --include-archived" -- "$cur")); }; complete -F _open_knowledge open-knowledge`);
     } else if (shell === 'zsh') {
-      console.log(`#compdef open-knowledge\n_open_knowledge() { _arguments -C "1: :(add list get update archive restore upsert untag delete export prune dedupe stats paths setup auth remote storage db wiki source ingest reindex search web ask build embeddings providers safety help ls rm edit unarchive knowledge)" "(--json)--json" "(--yes)-y" "(--help)--help" "(--version)--version" "(--desc)--desc" "(--archived)--archived" "(--include-archived)--include-archived" "(--semantic)--semantic" "(--context)--context" "(--generate)--generate" "(--approve-write)--approve-write" "(--file-results)--file-results" "(--full)--full" "(--fake)--fake" "(-p --page)"{-p,--page}"[page number]:number:" "(-l --limit)"{-l,--limit}"[items per page]:number:" "(-s --search)"{-s,--search}"[search text]:text:" "(--sort)--sort"\{created,title\}:" "(--id)--id[item id]:id:" "(--store)--store[store path]:path:" "(--title)--title[new title]:" "(--content)--content[new content]:" "(--url)--url[source url]:" "(-t --tag)"{-t,--tag}"[tag]:tag:" "(--format)--format[json|jsonl]:" "(--completions)--completions[output completions]:shell:(bash zsh fish):" "(--purpose)--purpose[purpose]:" "(--model)--model[model ref]:" "(--dimensions)--dimensions[embedding dimensions]:number:" "(--provider)--provider[provider]:" "(--mode)--mode"\{local,hosted\}:" "(--api-url)--api-url[hosted API URL]:" "(--api-key)--api-key[hosted API key]:" "(--email)--email[email]:" "(--org)--org[org slug]:" "(--org-id)--org-id[org id]:" "(--user-id)--user-id[user id]:" "(--domain)--domain[domain]:" "(--no-color)--no-color[disable color]" "(--scope)--scope"\{local,global,project\}:" }; _open_knowledge`);
+      console.log(`#compdef open-knowledge\n_open_knowledge() { _arguments -C "1: :(add list get update archive restore upsert untag delete export prune dedupe stats paths setup auth remote storage db wiki source ingest reindex search web ask build embeddings providers safety help ls rm edit unarchive knowledge)" "(--json)--json" "(--yes)-y" "(--help)--help" "(--version)--version" "(--desc)--desc" "(--archived)--archived" "(--include-archived)--include-archived" "(--semantic)--semantic" "(--context)--context" "(--generate)--generate" "(--approve-write)--approve-write" "(--canonical-hasna-xyz)--canonical-hasna-xyz" "(--file-results)--file-results" "(--full)--full" "(--fake)--fake" "(-p --page)"{-p,--page}"[page number]:number:" "(-l --limit)"{-l,--limit}"[items per page]:number:" "(-s --search)"{-s,--search}"[search text]:text:" "(--sort)--sort"\{created,title\}:" "(--id)--id[item id]:id:" "(--store)--store[store path]:path:" "(--title)--title[new title]:" "(--content)--content[new content]:" "(--url)--url[source url]:" "(-t --tag)"{-t,--tag}"[tag]:tag:" "(--format)--format[json|jsonl]:" "(--completions)--completions[output completions]:shell:(bash zsh fish):" "(--purpose)--purpose[purpose]:" "(--model)--model[model ref]:" "(--dimensions)--dimensions[embedding dimensions]:number:" "(--provider)--provider[provider]:" "(--mode)--mode"\{local,hosted\}:" "(--api-url)--api-url[hosted API URL]:" "(--api-key)--api-key[hosted API key]:" "(--email)--email[email]:" "(--org)--org[org slug]:" "(--org-id)--org-id[org id]:" "(--user-id)--user-id[user id]:" "(--domain)--domain[domain]:" "(--no-color)--no-color[disable color]" "(--scope)--scope"\{local,global,project\}:" }; _open_knowledge`);
     } else if (shell === 'fish') {
-      console.log(`complete -c open-knowledge -f; complete -c open-knowledge -a "add list get update archive restore upsert untag delete export prune dedupe stats paths setup auth remote storage db wiki source ingest reindex search web ask build embeddings providers safety help ls rm edit unarchive knowledge"; complete -c open-knowledge -l json; complete -c open-knowledge -l yes -s y; complete -c open-knowledge -l help -s h; complete -c open-knowledge -l version -s v; complete -c open-knowledge -l desc; complete -c open-knowledge -l archived; complete -c open-knowledge -l include-archived; complete -c open-knowledge -l semantic; complete -c open-knowledge -l context; complete -c open-knowledge -l generate; complete -c open-knowledge -l approve-write; complete -c open-knowledge -l provider; complete -c open-knowledge -l mode; complete -c open-knowledge -l api-url; complete -c open-knowledge -l api-key; complete -c open-knowledge -l email; complete -c open-knowledge -l org; complete -c open-knowledge -l org-id; complete -c open-knowledge -l user-id; complete -c open-knowledge -l domain; complete -c open-knowledge -l file-results; complete -c open-knowledge -l full; complete -c open-knowledge -l fake; complete -c open-knowledge -s p -l page; complete -c open-knowledge -s l -l limit; complete -c open-knowledge -s s -l search; complete -c open-knowledge -l sort; complete -c open-knowledge -l id; complete -c open-knowledge -l store; complete -c open-knowledge -l title; complete -c open-knowledge -l content; complete -c open-knowledge -l url; complete -c open-knowledge -s t -l tag; complete -c open-knowledge -l format; complete -c open-knowledge -l completions; complete -c open-knowledge -l purpose; complete -c open-knowledge -l model; complete -c open-knowledge -l dimensions; complete -c open-knowledge -l no-color; complete -c open-knowledge -l scope -a "local global project"`);
+      console.log(`complete -c open-knowledge -f; complete -c open-knowledge -a "add list get update archive restore upsert untag delete export prune dedupe stats paths setup auth remote storage db wiki source ingest reindex search web ask build embeddings providers safety help ls rm edit unarchive knowledge"; complete -c open-knowledge -l json; complete -c open-knowledge -l yes -s y; complete -c open-knowledge -l help -s h; complete -c open-knowledge -l version -s v; complete -c open-knowledge -l desc; complete -c open-knowledge -l archived; complete -c open-knowledge -l include-archived; complete -c open-knowledge -l semantic; complete -c open-knowledge -l context; complete -c open-knowledge -l generate; complete -c open-knowledge -l approve-write; complete -c open-knowledge -l canonical-hasna-xyz; complete -c open-knowledge -l provider; complete -c open-knowledge -l mode; complete -c open-knowledge -l api-url; complete -c open-knowledge -l api-key; complete -c open-knowledge -l email; complete -c open-knowledge -l org; complete -c open-knowledge -l org-id; complete -c open-knowledge -l user-id; complete -c open-knowledge -l domain; complete -c open-knowledge -l file-results; complete -c open-knowledge -l full; complete -c open-knowledge -l fake; complete -c open-knowledge -s p -l page; complete -c open-knowledge -s l -l limit; complete -c open-knowledge -s s -l search; complete -c open-knowledge -l sort; complete -c open-knowledge -l id; complete -c open-knowledge -l store; complete -c open-knowledge -l title; complete -c open-knowledge -l content; complete -c open-knowledge -l url; complete -c open-knowledge -s t -l tag; complete -c open-knowledge -l format; complete -c open-knowledge -l completions; complete -c open-knowledge -l purpose; complete -c open-knowledge -l model; complete -c open-knowledge -l dimensions; complete -c open-knowledge -l no-color; complete -c open-knowledge -l scope -a "local global project"`);
     } else {
       throw new Error("Invalid --completions value. Use 'bash', 'zsh', or 'fish'.");
     }
@@ -397,6 +399,7 @@ async function run(argv: string[]): Promise<void> {
     const result = service.setup({
       mode: flags.mode,
       apiUrl: flags.apiUrl,
+      canonicalHasnaXyz: flags.canonicalHasnaXyz,
     });
     output(result, flags.json);
     return;

package/src/service.ts

@@ -36,6 +36,7 @@ import {
 } from './storage-contract';
 import { initializeWikiLayout, recordWikiLayoutCatalog } from './wiki-layout';
 import {
+  canonicalHasnaXyzKnowledgeStorage,
   ensureKnowledgeWorkspace,
   readKnowledgeConfig,
   resolveScopedWorkspace,
@@ -70,6 +71,9 @@ export interface KnowledgeSetupResult {
   ok: true;
   mode: KnowledgeConfig['mode'];
   api_url: string | null;
+  storage_type: KnowledgeConfig['storage']['type'];
+  artifact_uri_prefix: string;
+  canonical_hasna_xyz: StorageContract['canonical_hasna_xyz'];
   config_path: string;
   next: string[];
   message: string;
@@ -130,7 +134,7 @@ export class KnowledgeService {
     return validateStorageConfig(this.config(), this.ensureWorkspace());
   }
 
-  setup(options: { mode?: string; apiUrl?: string } = {}): KnowledgeSetupResult {
+  setup(options: { mode?: string; apiUrl?: string; canonicalHasnaXyz?: boolean } = {}): KnowledgeSetupResult {
     const workspace = this.ensureWorkspace();
     const current = this.config();
     const mode = normalizeMode(options.mode) ?? current.mode;
@@ -146,16 +150,23 @@ export class KnowledgeService {
         ...(current.hosted ?? {}),
         ...(apiUrl ? { api_url: apiUrl } : {}),
       },
+      storage: options.canonicalHasnaXyz
+        ? canonicalHasnaXyzKnowledgeStorage()
+        : current.storage,
     };
     writeKnowledgeConfig(workspace.configPath, nextConfig);
     this.cachedConfig = nextConfig;
+    const storage = resolveStorageContract(nextConfig, workspace, this.scope);
     return {
       ok: true,
       mode,
       api_url: nextConfig.hosted?.api_url ?? null,
+      storage_type: nextConfig.storage.type,
+      artifact_uri_prefix: storage.artifact_store.uri_prefix,
+      canonical_hasna_xyz: storage.canonical_hasna_xyz,
       config_path: workspace.configPath,
       next: mode === 'hosted'
-        ? ['open-knowledge auth login --api-key <key>', 'open-knowledge remote contracts --json']
+        ? ['open-knowledge auth login --api-key <key>', 'open-knowledge storage status --json', 'open-knowledge remote contracts --json']
         : ['open-knowledge search <query>', 'knowledge <prompt>'],
       message: `Set knowledge mode to ${mode}`,
     };

package/src/storage-contract.ts

@@ -3,7 +3,7 @@ import type { Database } from 'bun:sqlite';
 import { DEFAULT_KNOWLEDGE_API_URL, normalizeKnowledgeApiOrigin } from './auth';
 import { REMOTE_KNOWLEDGE_CONTRACT_VERSION } from './remote-client';
 import type { KnowledgeConfig, KnowledgeWorkspace } from './workspace';
-import { HASNA_KNOWLEDGE_APP_PATH } from './workspace';
+import { HASNA_KNOWLEDGE_APP_PATH, HASNA_XYZ_KNOWLEDGE_CANONICAL } from './workspace';
 
 export interface StorageArtifactClass {
   kind: string;
@@ -36,6 +36,30 @@ export interface StorageContract {
       kms_key_configured: boolean;
     } | null;
   };
+  canonical_hasna_xyz: {
+    division: typeof HASNA_XYZ_KNOWLEDGE_CANONICAL.division;
+    app_type: typeof HASNA_XYZ_KNOWLEDGE_CANONICAL.app_type;
+    app: typeof HASNA_XYZ_KNOWLEDGE_CANONICAL.app;
+    env: typeof HASNA_XYZ_KNOWLEDGE_CANONICAL.env;
+    active: boolean;
+    local_path: string;
+    s3: {
+      bucket: string;
+      region: string;
+      profile: string;
+      prefix: string;
+      uri_prefix: string;
+      server_side_encryption: string;
+    };
+    secrets: {
+      env: string;
+      aws: string;
+      s3: string;
+      rds: null;
+      future_rds: string;
+    };
+    evidence_doc: string;
+  };
   hosted: {
     enabled: boolean;
     api_url: string;
@@ -134,6 +158,11 @@ export function resolveStorageContract(
   const s3 = config.storage.s3 ?? null;
   const prefix = s3?.prefix?.replace(/^\/+|\/+$/g, '') ?? '';
   const s3UriPrefix = s3 ? `s3://${s3.bucket}/${prefix ? `${prefix}/` : ''}` : '';
+  const canonicalPrefix = HASNA_XYZ_KNOWLEDGE_CANONICAL.s3.prefix.replace(/^\/+|\/+$/g, '');
+  const canonicalS3UriPrefix = `s3://${HASNA_XYZ_KNOWLEDGE_CANONICAL.s3.bucket}/${canonicalPrefix}/`;
+  const canonicalActive = config.storage.type === 's3'
+    && s3?.bucket === HASNA_XYZ_KNOWLEDGE_CANONICAL.s3.bucket
+    && (s3.region ?? null) === HASNA_XYZ_KNOWLEDGE_CANONICAL.s3.region;
 
   return {
     scope,
@@ -171,6 +200,30 @@ export function resolveStorageContract(
           }
         : null,
     },
+    canonical_hasna_xyz: {
+      division: HASNA_XYZ_KNOWLEDGE_CANONICAL.division,
+      app_type: HASNA_XYZ_KNOWLEDGE_CANONICAL.app_type,
+      app: HASNA_XYZ_KNOWLEDGE_CANONICAL.app,
+      env: HASNA_XYZ_KNOWLEDGE_CANONICAL.env,
+      active: canonicalActive,
+      local_path: HASNA_XYZ_KNOWLEDGE_CANONICAL.local_path,
+      s3: {
+        bucket: HASNA_XYZ_KNOWLEDGE_CANONICAL.s3.bucket,
+        region: HASNA_XYZ_KNOWLEDGE_CANONICAL.s3.region,
+        profile: HASNA_XYZ_KNOWLEDGE_CANONICAL.s3.profile,
+        prefix: canonicalPrefix,
+        uri_prefix: canonicalS3UriPrefix,
+        server_side_encryption: HASNA_XYZ_KNOWLEDGE_CANONICAL.s3.server_side_encryption,
+      },
+      secrets: {
+        env: HASNA_XYZ_KNOWLEDGE_CANONICAL.secrets.env,
+        aws: HASNA_XYZ_KNOWLEDGE_CANONICAL.secrets.aws,
+        s3: HASNA_XYZ_KNOWLEDGE_CANONICAL.secrets.s3,
+        rds: HASNA_XYZ_KNOWLEDGE_CANONICAL.secrets.rds,
+        future_rds: HASNA_XYZ_KNOWLEDGE_CANONICAL.secrets.future_rds,
+      },
+      evidence_doc: HASNA_XYZ_KNOWLEDGE_CANONICAL.evidence_doc,
+    },
     hosted: {
       enabled: config.mode === 'hosted',
       api_url: normalizeKnowledgeApiOrigin(config.hosted?.api_url ?? DEFAULT_KNOWLEDGE_API_URL),

package/src/workspace.ts

@@ -82,6 +82,44 @@ export interface KnowledgeConfig {
   };
 }
 
+export const HASNA_XYZ_KNOWLEDGE_CANONICAL = {
+  division: 'xyz',
+  app_type: 'opensource',
+  app: 'knowledge',
+  env: 'prod',
+  local_path: HASNA_KNOWLEDGE_APP_PATH,
+  s3: {
+    bucket: 'hasna-xyz-opensource-knowledge-prod',
+    region: 'us-east-1',
+    profile: 'hasna-xyz-infra',
+    prefix: '.hasna/apps/knowledge',
+    server_side_encryption: 'AES256',
+  },
+  secrets: {
+    env: 'hasna/xyz/opensource/knowledge/prod/env',
+    aws: 'hasna/xyz/opensource/knowledge/prod/aws',
+    s3: 'hasna/xyz/opensource/knowledge/prod/s3',
+    rds: null,
+    future_rds: 'hasna/xyz/opensource/knowledge/prod/rds',
+  },
+  source_owner: 'open-files',
+  evidence_doc: 'docs/canonical-secrets-bootstrap-2026-06-08.md',
+} as const;
+
+export function canonicalHasnaXyzKnowledgeStorage(): KnowledgeConfig['storage'] {
+  return {
+    type: 's3',
+    artifacts_root: 'artifacts',
+    s3: {
+      bucket: HASNA_XYZ_KNOWLEDGE_CANONICAL.s3.bucket,
+      prefix: HASNA_XYZ_KNOWLEDGE_CANONICAL.s3.prefix,
+      region: HASNA_XYZ_KNOWLEDGE_CANONICAL.s3.region,
+      profile: HASNA_XYZ_KNOWLEDGE_CANONICAL.s3.profile,
+      server_side_encryption: HASNA_XYZ_KNOWLEDGE_CANONICAL.s3.server_side_encryption,
+    },
+  };
+}
+
 export function legacyGlobalStorePath(): string {
   return join(homedir(), '.open-knowledge', 'db.json');
 }