Docs: document --compact flag for model type describe

Running swamp datastore setup extension <type> --config ... as a full migration (i.e. without --skip-migration) relocates the repo-root <repo>/.swamp/secrets directory into the datastore cache and then deletes the repo-root copy. But the local_encryption vault always reads from <base_dir>/.swamp/secrets/local_encryption/<vault> (base_dir = repo root), independent of the datastore. After setup, every ${{ vault.get(...) }} fails and swamp vault list-keys / read-secret report empty / "not found". The repo is functionally broken for any vault-dependent operation until the secrets are manually restored.

This is datastore-backend-agnostic: it reproduces for any extension datastore (and the filesystem datastore), because the migration target list is core's DEFAULT_DATASTORE_SUBDIRS, which includes secrets.

There is also a security dimension when the target datastore syncs the tier to shared storage: the local_encryption .key (symmetric key) sits right next to its .enc ciphertext, so migrating/syncing secrets/ co-locates key + ciphertext in the shared backend (encryption-at-rest defeated). This report is about the functional break; the sync-exposure side is being fixed independently in the affected extension.

Root cause

datastoreSetupExtension hardcodes the migration config without directories: src/libswamp/datastores/setup.ts:376 → const config = { type: "filesystem", path: cachePath };
migrateDatastore resolves the dirs to copy via getDatastoreDirectories(config), which falls back to DEFAULT_DATASTORE_SUBDIRS when directories is absent: src/domain/datastore/datastore_migration_service.ts:57 and src/domain/datastore/datastore_config.ts:171.
DEFAULT_DATASTORE_SUBDIRS includes "secrets": src/domain/datastore/datastore_config.ts:49.
On success, setup deletes every migrated source dir: src/libswamp/datastores/setup.ts:463 (cleanupSourceDirs(<repo>/.swamp, directoriesMigrated)), which Deno.remove(..., {recursive:true})s <repo>/.swamp/secrets.
The vault reads from a fixed repo-root path, unaffected by the datastore cache: src/domain/vaults/local_encryption_vault_provider.ts:80-88 ({base_dir}/.swamp/secrets/local_encryption/{vault}).

Net effect: the migration moves the vault's storage out from under it and deletes the original.

Steps to reproduce

Repo with a local_encryption vault holding a secret under <repo>/.swamp/secrets/local_encryption/<vault>/.
swamp datastore setup extension <type> --config ... (no --skip-migration).
swamp vault list-keys <vault> → count: 0; a model's ${{ vault.get(...) }} no longer resolves.
<repo>/.swamp/secrets is gone; the files now live only under the datastore cache.

Proof (drives the real core functions)

Reproduced end-to-end against the core source by invoking the exact functions the setup flow uses — migrateDatastore (the setup.ts:376 call), the mirrored cleanupSourceDirs deletion, and the real LocalEncryptionVaultProvider:

[1] Secret written. Repo-root vault dir contents:
    - ROUTER_ADMIN_PASSWORD.enc
    - .key
[1] vault.get before migration => "hunter2-super-secret"

[2] DEFAULT_DATASTORE_SUBDIRS includes 'secrets': true
[2] getDatastoreDirectories(...) includes 'secrets': true

[3] migrateDatastore result.directoriesMigrated: [ "data", "secrets" ]
[3] 'secrets' was migrated into the cache: true
[3] cache now holds the secret .enc: .key, ROUTER_ADMIN_PASSWORD.enc

[4] repo-root .swamp/secrets deleted by cleanup: true

[5] vault.get after migration FAILED: true
    error: Secret 'ROUTER_ADMIN_PASSWORD' not found in local vault 'infra'

==== ISSUE #6 REPRODUCED ✅ ====

Workaround

Restore the repo-root secrets from a pre-migration copy (it lives outside the cache, so it won't re-sync):

cp -a <backup>/.swamp/secrets <repo>/.swamp/secrets

Suggested fix

The secrets/ tier should never be part of the datastore migration. Options, narrowest first:

Exclude secrets from the migration in datastoreSetupExtension / the filesystem setup path (don't copy or delete the vault tier).
Remove "secrets" from DEFAULT_DATASTORE_SUBDIRS so no backend ever migrates/syncs it.
Alternatively, have local_encryption read from the datastore cache path when an extension datastore is active (more invasive; couples the vault to the datastore).

Whichever path is taken, the migration must not delete <repo>/.swamp/secrets while the vault still reads it.

Environment

swamp CLI: 20260206.200442.0 (root cause verified against current main, commit df3947ba)
Originally observed with @keeb/mongodb-datastore 2026.05.05.1 on swamp 20260513.132340.0, MongoDB 7.x replica set
Backend-agnostic — the migration list is core's DEFAULT_DATASTORE_SUBDIRS

02Bog Flow

Open

6/13/2026, 7:57:53 PM

No activity in this phase yet.

03Sludge Pulse

Docs: document --compact flag for model type describe

datastore setup migration relocates and deletes repo-root .swamp/secrets, breaking all local_encryption vault.get

Registry content-type search filter can match versions absent from the displayed extension

Docs: document reports.require failure semantics in the manual (unresolvable required report fails the run)

Reports tab on extension page is non-functional

vault read-secret mixes log output into stdout

Resource-leak test failures on main: extension_rubric_scorer_test and worker_gateway_test

Landing page clips the curl install command instead of rendering the full text

model delete --json output shape doesn't match the documented {deleted, modelId, modelName, artifactsDeleted}

model search --json returns a bare model object instead of {query, results} when exactly one model matches

Extension author gitignore guidance: add .swamp.yaml and CLAUDE.md to recommended excludes

reports.require in workflow YAML does not auto-execute pulled extension reports

Yanked extension version still shown as active on swamp-club.com and in 'extension search'

Add deprecate/yank/unyank actions for own extensions on the web interface

Expose per-run memory/CPU metrics for method & workflow executions

model method run OOMs at 4GB V8 heap on long high-fan-out methods; non-configurable heap + crash leaves run stuck in "running"

Tier-up announcements never fire for direct score contributions (badge awards, feed credits)

CI never runs the discord-bot service test suite

Discord role sync never assigns lower leaderboard tiers (Swamp Baby / Muck Runt / Sludge Whelp)

Docs: document globalArgument input reference validation in workflow validate

Remote execution: UAT coverage for tokens, enrollment, and dispatch

Remote execution: comprehensive reference documentation

doctor extensions: pulled-extension source files reported as orphans that --repair can't evict (nested @swamp/aws/* sibling mis-attribution)

Channel-based publishing for local extension backports

Feature: make extension yank channel-scoped (--channel) so it doesn't nuke every channel

swamp update --setup-auto does not work with bluefin44 (crontab not found, should

Feature: demote / withdraw an extension version from the stable channel

Docs: extension-publish skill guide doesn't cover release channels

workflow validate: resolve model globalArguments expressions against the calling workflow's declared inputs

Add a way to list registered report definitions (report search only lists results)

Inconsistent resource-field accessor: data get returns content, data query and CEL use attributes

Extension API: allow export const extension to add resource specs, or document that it cannot

@swamp/aws/cloudformation: expose StackSet instances, drift, and operations (Cloud Control cannot)

workflow validate: method args with a Zod .default() are treated as required

Profile months overlap in trajectory

model type describe --json: bloated output (40% duplicated specs, no compact mode) and lost method-to-output mapping drive agents to read extension source

UAT: Release channel CLI and adversarial tests

Docs: Add release channel documentation to the manual

Test skill evals with Fable in multi-skill eval tests

Guide users toward filing feature requests when @swamp extensions lack a needed capability

Guide users toward filing feature requests when @swamp extensions are missing features

correcting capitlization of Swamp, Swamp Club, and The Swamp on the swamp-club.com website

API: Add release channel support for extension versions (beta, rc, stable)

Add @swamp/hetzner-cloud/server-types model for availability and project limits

Resident/warm worker mode — `model method run` has ~6s fixed per-invocation overhead that rules out latency-sensitive use

Issue submission returns wrong URL path

Dynamic resource attribute refresh for model instances

`vault put` inside workflow steps still acquires global `.datastore.lock` after #382

extension quality scorer mis-detects quoted phrases in comments as bare imports

extension push: credentials-sensitive-field false positive when .meta({ sensitive: true }) is on a continuation line

Local source-loading should discover a report co-located with its model in a paths.base:manifest extension

extension push: optionally sync the published bundle to the manifest `repository:` (git mirror)

Add 'creek' extension kind for cross-querying external systems alongside swamp data

Docs: vault refresh hooks (--refresh-from, --refresh-ttl, --clear-refresh)

Support CI-friendly adversarial review artifacts for extension push

Deprecate "No slow types" (fast-check) rubric factor on server-side scorer

Registry scorer fails on bare specifiers — mirror CLI fix from #505

Official extension for GitHub repository configuration (environments, variables, secrets)

Feature request: @swamp/tailscale extension

Option to change email in your Swamp Club profile or delete account

Docs: vault reference in manual promotes inline KEY=VALUE as primary example

extension push error for disallowed file types doesn't mention binaries field

swamp help extension omits yank and unyank (machine-readable CLI schema misses real subcommands)

Extension model method execute lacks typed args/context — every author has to use ': any' to unblock tests

@webframp/hashicorp-vault: empty KV engine causes 'data.data.keys is not iterable' on vault put

workflow resume fails to register all extension model types (local and pulled) — "Unknown model type"

model method run: cannot pass arrays, numbers, or booleans via --input

extension push --dry-run --json reports local helper imports as bogus model entries

Extension source: direct-content export scan only reads first 64 KiB, silently drops exports beyond it

Homepage install command: wrong domain and missing https:// protocol

Homepage install command: wrong domain and missing https:// protocol

first-class refresh hook for short-lived vault values (gcloud / aws-sso / kubectl-oidc token UX)

swamp issue ripple logged "Posted ripple on issue #514" but the ripple is not visible on the Lab

vault guide promotes inline secret values (KEY=VALUE) as a primary "swamp vault put" example

swamp-getting-started SKILL.md still references removed swamp-model / swamp-workflow / swamp-vault / swamp-extension / swamp-repo skills

extension rm blocked by stale /workspace bundle_types rows from prior container sessions with host repo bind-mounted

extension search returns null repository fields that extension info populates

Quality rubric: scope "No slow types" for model extensions (consumed via model+CEL, not type imports)

data get/list --workflow and workflow history get/logs cannot resolve extension-delivered workflows (Workflow not found)

Docs: add doctor secrets and doctor vaults to the troubleshooting how-to guide