```mermaid
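%% Secrets Management Strategy (ADR-0017)
%% Flowchart showing dual secret paths: SOPS bootstrap vs Vault runtime
%%
%% Trust boundaries a reader should take away from this diagram:
%%   - The age private key is the single root of trust for the bootstrap path:
%%     repo read access plus that key decrypts every *.sops.yaml, including the
%%     initial Vault unseal material. Only the encrypted files live in Git; the
%%     key is shown as backed up externally and must never be committed.
%%   - The runtime path depends on the bootstrap path: Vault can only serve
%%     application secrets after it has been unsealed, and the unseal material
%%     is itself a bootstrap secret. The edge crossing from bootstrap into
%%     runtime below makes that dependency explicit.
flowchart TB
subgraph bootstrap["🚀 Bootstrap Secrets (Git-encrypted)"]
direction TB
sops_files["*.sops.yaml
📄 Encrypted in Git"]
age_key["🔑 Age Key
(backed up externally)"]
sops_dec["SOPS Decryption"]
flux_dec["Flux Controller"]
bs_secrets["🔐 Bootstrap Secrets
• Talos machine secrets
• GitHub deploy key
• Initial Vault unseal"]
end
subgraph runtime["⚙️ Runtime Secrets (Vault-managed)"]
direction TB
vault["🏦 HashiCorp Vault
HA (3 replicas) + Raft"]
eso["External Secrets
Operator"]
app_secrets["🔑 Application Secrets
• Database credentials
• API keys
• OAuth secrets"]
end
subgraph apps["📦 Applications"]
direction TB
pods["Workload Pods"]
end
%% Bootstrap flow
%% Flux pulls the encrypted files from Git and decryption happens in-cluster
%% with the age key (presumably handed to Flux as a Kubernetes Secret —
%% confirm against the Kustomization's decryption settings).
sops_files -->|"Commit to Git"| flux_dec
age_key -->|"Decrypts"| sops_dec
flux_dec --> sops_dec
sops_dec -->|"Creates"| bs_secrets
%% Bootstrap -> runtime dependency: the "Initial Vault unseal" item listed
%% under bootstrap secrets is what brings Vault up. Without this edge the two
%% paths read as independent, which they are not.
bs_secrets -->|"Initial unseal"| vault
%% Runtime flow
%% ESO reads from Vault through a SecretStore/ClusterSecretStore for each
%% ExternalSecret CR and materialises the result as Kubernetes Secrets.
vault -->|"Read via SecretStore"| eso
eso -->|"Syncs to K8s Secret"| app_secrets
%% Consumption
%% NOTE(review): the bootstrap items listed above (Talos machine secrets,
%% GitHub deploy key, unseal material) are consumed by Talos, Flux and Vault
%% rather than by application workloads. The edge below is kept for whatever
%% subset of bootstrap secrets workloads genuinely need — verify that the
%% unseal material is not mounted into any workload pod.
bs_secrets -->|"Mounted"| pods
app_secrets -->|"Mounted"| pods
classDef bootstrap fill:#3498db,color:white
classDef vault fill:#27ae60,color:white
classDef secrets fill:#e74c3c,color:white
classDef app fill:#9b59b6,color:white
class sops_files,age_key,sops_dec,flux_dec bootstrap
class vault,eso vault
class bs_secrets,app_secrets secrets
class pods app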
```