ROADMAP/fleet_platform/v0_3_plan.md

@@ -9,7 +9,7 @@ Written 2026-05-31. Picks up after OpenBao + Zitadel + NATS + callout + operator
 - [x] NATS + auth callout deployed in `fleet-staging` namespace
 - [x] Operator deployed (older version, 2-3 weeks old)
 - [x] Config-driven OpenBao installer (`examples/openbao`)
-- [x] `harmony-fleet-deploy` binary reads `FleetDeploySecrets` from OpenBao
+- [x] `harmony-fleet-deploy` binary reads `FleetDeployConfig` + `FleetDeploySecrets` from OpenBao
 
 ## Immediate next steps
 
@@ -34,8 +34,7 @@ Written 2026-05-31. Picks up after OpenBao + Zitadel + NATS + callout + operator
 - [ ] Create `.envrc` with minimal env:
   ```bash
   export OPENBAO_URL=https://secrets-stg.cb1.nationtech.io
-  export HARMONY_SECRET_NAMESPACE=fleet-staging
+  export HARMONY_CONFIG_NAMESPACE=fleet-staging
-  export HARMONY_FLEET_NAMESPACE=fleet-staging
   # export OPENBAO_TOKEN=<root token for now; SSO later>
   ```
 - [ ] Write deploy invocation (shell script or just `harmony-fleet-deploy` call):
@@ -78,15 +77,14 @@ Written 2026-05-31. Picks up after OpenBao + Zitadel + NATS + callout + operator
 
 ```bash
 OPENBAO_URL=https://secrets-stg.cb1.nationtech.io
-HARMONY_SECRET_NAMESPACE=fleet-staging
+HARMONY_CONFIG_NAMESPACE=fleet-staging
 # SSO auth or root token (SSO is the goal)
 ```
 
 ### OpenBao (read via ConfigClient)
 
+- `FleetDeployConfig` (k8s namespaces, NATS URL, chart coords) at `secret/data/fleet-staging/FleetDeployConfig`
 - `FleetDeploySecrets` (operator creds) at `secret/data/fleet-staging/FleetDeploySecrets`
-- k8s namespaces (`fleet-staging`, `zitadel-staging`, `openbao-staging`) as config values
-- Chart registry/project coords as config values
 
 ## Missing features (post-UI)
 
@@ -95,7 +93,7 @@ HARMONY_SECRET_NAMESPACE=fleet-staging
 - [ ] Per-device OpenBao policies (templated policies, one role per device type)
 - [ ] Device identity claim in JWT (Zitadel `client_id` with `device-` prefix)
 - [ ] OpenBao JWT auth role granularity (extend `OpenbaoJwtAuth` to list of roles)
-- [ ] Move k8s namespaces + chart coords into `ConfigClient` config struct (env = only identifier + auth)
+- [x] Move k8s namespaces + chart coords into `ConfigClient` config struct (env = only identifier + auth)
 
 ### Operator capabilities
 

examples/openbao/src/main.rs

@@ -84,7 +84,6 @@ async fn main() -> Result<()> {
         "host must be set (e.g. secrets-stg.<base>)"
     );
 
-
     let instance = OpenbaoInstance {
         namespace: cfg.namespace.clone(),
         release: cfg.release.clone(),

fleet/harmony-fleet-deploy/src/main.rs

@@ -15,7 +15,9 @@ use harmony::inventory::Inventory;
 use harmony::topology::K8sAnywhereTopology;
 use harmony_cli::Args as HarmonyCliArgs;
 use harmony_config::ConfigClient;
-use harmony_fleet_deploy::{FleetDeployConfig, FleetDeploySecrets, FleetOperatorScore, version_from_tag};
+use harmony_fleet_deploy::{
+    FleetDeployConfig, FleetDeploySecrets, FleetOperatorScore, version_from_tag,
+};
 
 #[derive(Parser, Debug)]
 #[command(
@@ -46,7 +48,11 @@ struct CliConfig {
     operator_chart_project: Option<String>,
 
     /// Config namespace `FleetDeploySecrets` and `FleetDeployConfig` resolve under (Env → OpenBao).
-    #[arg(long, env = "HARMONY_SECRET_NAMESPACE", default_value = "fleet-staging")]
+    #[arg(
+        long,
+        env = "HARMONY_CONFIG_NAMESPACE",
+        default_value = "fleet-staging"
+    )]
     config_namespace: String,
 
     #[command(flatten)]
@@ -96,8 +102,12 @@ async fn main() -> Result<()> {
     };
 
     let namespace = cli.namespace.unwrap_or(config.namespace);
-    let registry = cli.operator_chart_registry.unwrap_or(config.operator_chart_registry);
+    let registry = cli
-    let project = cli.operator_chart_project.unwrap_or(config.operator_chart_project);
+        .operator_chart_registry
+        .unwrap_or(config.operator_chart_registry);
+    let project = cli
+        .operator_chart_project
+        .unwrap_or(config.operator_chart_project);
 
     let operator = FleetOperatorScore::new()
         .namespace(namespace)