# Vault Setup

Execute parts A → B → C sequentially. Pause for user input at each part.

Never print secret values into chat, files, or logs — reference only the env keys and where each value lives.

---

## Part A — Default Secrets

Output:

> 1. Navigate to the Vault UI (the `VAULT_ADDRESS` value from `.env.local`, path `/ui/`) and log in.
> 2. Find your project, open the "default" secret path, click 'Edit' (toggle 'View as JSON').
> 3. Fill in a JSON object with the following keys, then save. When finished, type 'done'.

The user fills the values; tell them where each one comes from:

| Key                   | Value source                                                |
| --------------------- | ----------------------------------------------------------- |
| `DATABASE_URL`        | `.env.local`                                                 |
| `ENTRA_CLIENT_ID`     | `.env.local`                                                 |
| `ENTRA_CLIENT_SECRET` | the memorized secret from the Entra ID step                  |
| `SESSION_SECRET`      | generate a fresh 64-char hex string (never reuse a default)  |

Wait for "done".
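An added example (not part of the original runbook) of how the `SESSION_SECRET` value can be generated and how the Part A JSON can be checked locally before it is pasted into Vault, reporting problems by key name only so no secret value reaches chat or logs. The function names, the `known_defaults` parameter and the low-variety heuristic are assumptions made for illustration.

```python
import json
import re
import secrets

# Key names come from the Part A table; everything else here is illustrative.
REQUIRED_KEYS = ("DATABASE_URL", "ENTRA_CLIENT_ID",
                 "ENTRA_CLIENT_SECRET", "SESSION_SECRET")
HEX64 = re.compile(r"[0-9a-fA-F]{64}")


def new_session_secret() -> str:
    """Return 32 bytes from the OS CSPRNG as a 64-char hex string."""
    return secrets.token_hex(32)


def check_default_secret(raw_json: str, known_defaults=()) -> list:
    """Return problems by key name only; secret values are never echoed."""
    try:
        data = json.loads(raw_json)
    except json.JSONDecodeError:
        return ["input is not valid JSON"]
    if not isinstance(data, dict):
        return ["top level must be a JSON object"]
    problems = []
    for key in REQUIRED_KEYS:
        value = data.get(key)
        if not isinstance(value, str) or not value.strip():
            problems.append(f"{key}: missing or empty")
    session = data.get("SESSION_SECRET")
    if isinstance(session, str) and session.strip():
        if not HEX64.fullmatch(session):
            problems.append("SESSION_SECRET: not a 64-char hex string")
        # Heuristic (assumption): a listed default or very few distinct
        # characters means the value was not freshly generated.
        elif session in known_defaults or len(set(session.lower())) < 8:
            problems.append("SESSION_SECRET: looks reused or non-random")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    sample = json.dumps({
        "DATABASE_URL": "postgres://constructed.example/db",
        "ENTRA_CLIENT_ID": "00000000-0000-0000-0000-000000000000",
        "ENTRA_CLIENT_SECRET": "",
        "SESSION_SECRET": new_session_secret(),
    })
    for problem in check_default_secret(sample):
        print(problem)  # prints the key name and issue, never the value
```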

---

## Part B — Harbor Vault Secret

Output:

> Now, go to the root path of your project in Vault and click 'Create secret'.
>
> 1. Name it exactly: `harborvault`
> 2. Toggle 'JSON' mode.
> 3. Go to another existing project in your Vault, copy the JSON values from its `harborvault` secret, and paste them into this new one, then save.
>
> Once finished, type 'done'.

Wait for "done".

---

## Part C — Local Vault Credentials

Ask: **"Please provide your Vault Username and Password so I can add them to your local environment."**

Once received, add the keys `VAULT_USERNAME` and `VAULT_PASSWORD` with the provided values to `.env.local`, without echoing the values back into chat, files, or logs. The dev server pulls the remaining secrets from Vault at startup — `VAULT_ADDRESS` and `VAULT_SECRET_PATH` are already set in `.env`.
