Implementation Roadmap

Phase Timeline

Phase  Name                      Timeline              Status
0      Credential Stabilization  2026 Q2 (30–60 days)  Not started
1      Vault-Lite                2026 Q3 (90 days)     Not started
2      Trust Introduction        2027                  Planned
3      Asset Trust               2028+                 Vision

Target Progression

2026:  Vault as Secret Manager
         ├── KV secrets engine
         ├── Azure AD + GitHub auth
         ├── Audit logging
         └── Simple role policies

2027:  Vault as Trust Platform
         ├── PKI engine
         ├── Device certificates
         ├── MQTT mTLS
         └── Certificate lifecycle

2028+: Vault PKI + Asset Identity + Cryptographic Proof
         ├── Battery identity
         ├── Device identity at scale
         ├── Blockchain anchoring
         └── Asset registry integration

Phase 0 Checkpoints

  • Mandate Bitwarden organization-wide
  • Complete credential inventory
  • Define credential audit deadline
  • Accelerate passkey adoption
  • Secure executive sponsorship

Phase 1 Checkpoints

  • Deploy Vault OSS (VM or container)
  • Configure KV secrets engine
  • Integrate Azure AD authentication
  • Integrate GitHub authentication
  • Define role-based policies (developers, operations, production)
  • Enable audit logging
  • Document secret injection pattern
  • Document unseal and recovery procedure
  • Create new hire onboarding playbook
  • Set up git leak detection (gitleaks/trufflehog)

Phase 2 Prerequisites

  • Phase 1 stable and operational
  • At least 1 dedicated person with PKI expertise
  • Internal CA requirements defined
  • Device certificate use cases documented