[#2060] fix: rename forge.local to nico.local

[prbinu-nvidia]

Description

This fix aligns SPIFFE trust domain defaults with Helm’s existing nico.local convention.

Helm already sets global.spiffe.trustDomain: nico.local and renders it into [auth.trust] via ConfigMap. Rust code still defaulted to forge.local when no config/env override was present, which could produce Vault machine PKI URI SANs under the wrong trust domain on non-Helm or misconfigured paths.

This PR changes only the trust domain default

Type of Change

• Add - New feature or capability
• Change - Changes in existing functionality
• Fix - Bug fixes
• Remove - Removed features or deprecated functionality
• Internal - Internal changes (refactoring, tests, docs, etc.)

Related Issues (Optional)

#2060

Breaking Changes

Migration / rollout

Legacy sites with existing forge.local machine/service certs must keep an explicit override before upgrading:

global:
  spiffe:
    trustDomain: forge.local

Or layer helm/examples/carbide-legacy.yaml.

Testing

• Unit tests added/updated
• Integration tests added/updated
• Manual testing performed
• No testing required (docs, internal refactor, etc.)

[copy-pr-bot]

Auto-sync is disabled for draft pull requests in this repository. Workflows must be run manually.

Contributors can view more details about this message here.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 82443eef-fa75-4c4d-beba-72732ec3861f

📥 Commits

Reviewing files that changed from the base of the PR and between 555cf20 and a401ca1.

📒 Files selected for processing (5)

• crates/bmc-proxy/src/config.rs
• crates/secrets/src/forge_vault.rs
• dev/mac-local-dev/carbide-api-config.toml
• dev/mac-local-dev/run-carbide-api.sh
• helm/examples/carbide-legacy.yaml

✅ Files skipped from review due to trivial changes (1)

• helm/examples/carbide-legacy.yaml

🚧 Files skipped from review as they are similar to previous changes (4)

• crates/secrets/src/forge_vault.rs
• dev/mac-local-dev/carbide-api-config.toml
• crates/bmc-proxy/src/config.rs
• dev/mac-local-dev/run-carbide-api.sh

---

Summary by CodeRabbit

• Configuration Updates
  • Changed the default SPIFFE trust domain from forge.local to nico.local in runtime configuration and local development settings.
  • Updated Vault PKI role URI SANs to allow spiffe://nico.local/* instead of spiffe://forge.local/*.
• Tests
  • Updated and added assertions to validate the nico.local default trust-domain behavior.
• Documentation
  • Refreshed Helm inline legacy notes to reflect nico.local defaults and correct issuance/SAN expectations (effective Helm value remains unchanged).

Walkthrough

The default SPIFFE trust domain is systematically renamed from forge.local to nico.local across the forge_vault and bmc-proxy Rust crates, the local development TOML configuration, and the Vault PKI role shell script. A unit test is added to assert the new default. The Helm legacy example receives explanatory migration comments with no functional value change.

Changes

Default SPIFFE Trust Domain Rename

Layer / File(s)	Summary
Rust default trust domain constant, docs, and validation crates/secrets/src/forge_vault.rs, crates/bmc-proxy/src/config.rs	DEFAULT_SPIFFE_TRUST_DOMAIN constant updated to nico.local; VaultConfig field doc comment updated; unit test added asserting VaultConfig::default().spiffe_trust_domain() returns "nico.local"; bmc-proxy Defaults::trust_config() default aligned to "nico.local"; all corresponding configuration test case assertions in parses_config_shapes updated to expect the new domain.
Local dev config and Vault PKI script dev/mac-local-dev/carbide-api-config.toml, dev/mac-local-dev/run-carbide-api.sh	spiffe_trust_domain in the TOML config and allowed_uri_sans in the Vault PKI role setup script updated from forge.local to nico.local.
Helm legacy example migration comments helm/examples/carbide-legacy.yaml	Inline comments added under global.spiffe documenting the legacy trust domain override to forge.local and the pending migration to nico.local; no configuration values changed.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 60.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately reflects the main change: renaming the default SPIFFE trust domain from forge.local to nico.local across multiple files and configurations.
Description check	✅ Passed	The description clearly explains the rationale for the change, migration path, and testing approach, all aligned with the actual modifications throughout the codebase.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@crates/bmc-proxy/src/config.rs`:
- Around line 71-74: The trust_config() function now returns "nico.local" as the
spiffe_trust_domain default at line 73, but the test expectations in the table
assertion for the parses_config_shapes test are still checking for
"forge.local". Update the table expectations in the parses_config_shapes test to
assert "nico.local" instead of "forge.local" to match the new default trust
domain returned by trust_config().

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 0be644a3-2d0e-4a33-8b9d-d61bdfd9621b

📥 Commits

Reviewing files that changed from the base of the PR and between 3e90c44 and 70e0be8.

📒 Files selected for processing (5)

• crates/bmc-proxy/src/config.rs
• crates/secrets/src/forge_vault.rs
• dev/mac-local-dev/carbide-api-config.toml
• dev/mac-local-dev/run-carbide-api.sh
• helm/examples/carbide-legacy.yaml

[poroh]

Reapproving

[github-actions]

🔍 Container Scan Summary

Service	Total	Critical	High	Medium	Low	Other
boot-artifacts-aarch64	3	0	0	3	0	0
boot-artifacts-x86_64	3	0	0	3	0	0
forge-admin-cli-x86_64	244	4	22	103	6	109
machine-validation-runner	671	23	178	262	37	171
machine_validation	671	23	178	262	37	171
nvmetal-carbide	671	23	178	262	37	171
TOTAL	2263	73	556	895	117	622

Per-CVE detail lives in the per-service grype-* artifacts (JSON + SARIF). Severity counts only — no CVE IDs published here.