chore(deploy): disable nested secrets symlinks (real dirs only)

ia_dev_deploy_ensure_nested_secrets_symlinks is a no-op; nested .secrets/<site>/<env> must be material directories.
2026-04-16 12:56:15 +02:00 · 2026-04-16 12:56:15 +02:00 · 7dd97e5df7
commit 7dd97e5df7
parent bd604d28b8
1 changed files with 5 additions and 30 deletions
--- a/deploy/lib/deploy-conf-handling.sh
+++ b/deploy/lib/deploy-conf-handling.sh
@ -29,37 +29,12 @@ ia_dev_deploy_secrets_export_from_conf() {
 }

 # ia_dev_deploy_ensure_nested_secrets_symlinks <secrets_parent> <env>
-# LeCoffre connect-db-paths expects `.secrets/<site>/<env>/` under secrets_parent. ia_dev conf often has a flat `<env>/` tree only.
-# For each site in lecoffreio, enso, genealogie: if `<secrets_parent>/<site>/<env>` is missing and `<secrets_parent>/<env>` is a directory,
-# create `<site>/<env>` as a symlink to `../<env>` (same convention as a manual `ln -sfn ../pprod lecoffreio/pprod`).
-# Skips a site when a real (non-symlink) directory already exists at the nested path.
+# Intentionally a no-op: nested `.secrets/<site>/<env>/` must be **real directories** (no symlinks —
+# low maintainability, breaks tooling expectations). Maintain `lecoffreio|enso|genealogie/<env>/`
+# as normal folders; use `deploy/scripts_v2/materialize-nested-secrets-mandatory.mjs` on the LeCoffre
+# clone or copy from a canonical tree.
 ia_dev_deploy_ensure_nested_secrets_symlinks() {
-	local secrets_parent="${1:?}"
-	local env_name="${2:?}"
-	if [[ ! -d "$secrets_parent" ]]; then
 	return 0
-	fi
-	if [[ ! "$env_name" =~ ^(test|pprod|prod)$ ]]; then
-		return 0
-	fi
-	local flat="${secrets_parent}/${env_name}"
-	if [[ ! -d "$flat" ]]; then
-		return 0
-	fi
-	local site nested
-	for site in lecoffreio enso genealogie; do
-		nested="${secrets_parent}/${site}/${env_name}"
-		if [[ -d "$nested" && ! -L "$nested" ]]; then
-			continue
-		fi
-		if [[ -e "$nested" && ! -L "$nested" ]]; then
-			echo "[ia_dev][deploy][WARN] ${nested} exists and is not a symlink or directory; skip" >&2
-			continue
-		fi
-		mkdir -p "${secrets_parent}/${site}"
-		ln -sfn "../${env_name}" "$nested"
-		echo "[ia_dev][deploy] Nested secrets path: ${nested} -> ../${env_name}" >&2
-	done
 }

 # ia_dev_deploy_export_runtime_context <repository_root> <env> — required handoff to project orchestrator (blocking checks below)