# Vault policy for the veylant-proxy role (E10-03).
#
# Grants read-only access to a fixed set of secrets under the veylant/ path
# of the KV v2 mount at secret/, plus read/list on the matching metadata.
# Vault policies are deny-by-default: any path not listed here is refused
# regardless of the trailing "*" deny stanza.
#
# On KV v2 the "data/" and "metadata/" segments are API prefixes, not part
# of the secret name: the secret stored as veylant/llm-keys is read through
# secret/data/veylant/llm-keys.
#
# Apply to Vault:
#   vault policy write veylant-proxy deploy/k8s/vault/vault-policy.hcl
#
# Then create the Kubernetes auth role. The bound_* fields pin the role to
# exactly one service account in one namespace; keep them exact (no globs)
# so no other workload can log in as this role. ttl=1h bounds how long an
# issued token stays valid without renewal.
#   vault write auth/kubernetes/role/veylant-proxy \
#     bound_service_account_names=veylant-proxy \
#     bound_service_account_namespaces=veylant \
#     policies=veylant-proxy \
#     ttl=1h

# LLM provider API keys — read only.
# "read" on a KV v2 data path returns the current version of the secret;
# it does not allow writing, deleting, or reading older versions.
path "secret/data/veylant/llm-keys" {
  capabilities = ["read"]
}

# Cryptographic secrets (AES key for prompt encryption) — read only.
path "secret/data/veylant/crypto" {
  capabilities = ["read"]
}

# Database connection URL — read only.
path "secret/data/veylant/database" {
  capabilities = ["read"]
}

# Metadata reads and listing for everything under veylant/.
# NOTE(review): KV v2 secrets are static and are not leased, so this stanza
# is not what keeps any lease renewed; confirm which consumer actually needs
# metadata (version listing, for example) and drop the stanza if none does.
# NOTE(review): "list" here is broader than the three data paths above — it
# lets the role enumerate the names of every secret under veylant/, including
# ones it cannot read. If enumeration is not required, replace the glob with
# the three explicit secret/metadata/veylant/<name> paths.
path "secret/metadata/veylant/*" {
  capabilities = ["read", "list"]
}

# Deny all other paths explicitly (defense-in-depth).
# Vault is deny-by-default, so on its own this stanza grants or removes
# nothing. It only has an effect when a token carries this policy together
# with another one: Vault applies the most specific matching path rule, and
# where the same path appears in several policies the capabilities are
# merged with "deny" taking precedence. The explicit rules above are more
# specific than "*" and therefore remain effective; a blanket "*" grant in
# another policy attached to the same token would be overridden by this deny.
path "*" {
  capabilities = ["deny"]
}