GoCodeAlone
diff --git a/‎CHANGELOG.md‎
Lines changed: 11 additions & 3 deletions b/‎CHANGELOG.md‎
Lines changed: 11 additions & 3 deletions
diff --git a/‎cmd/wfctl/dsl-reference-embedded.md‎
Lines changed: 128 additions & 12 deletions b/‎cmd/wfctl/dsl-reference-embedded.md‎
Lines changed: 128 additions & 12 deletions
diff --git a/‎docs/WFCTL.md‎
Lines changed: 34 additions & 8 deletions b/‎docs/WFCTL.md‎
Lines changed: 34 additions & 8 deletions
@@ -10,12 +10,20 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 
 - **`wfctl dev`** (`cmd/wfctl/dev.go`, `dev_compose.go`, `dev_process.go`, `dev_k8s.go`, `dev_expose.go`): local development cluster management. Subcommands: `up`, `down`, `logs`, `status`, `restart`. Three modes: docker-compose (default), process (`--local`, with hot-reload via fsnotify), and minikube (`--k8s`). Exposure integrations: Tailscale Funnel, Cloudflare Tunnel, ngrok (`--expose`). Auto-detects `environments.local.exposure.method` when `--expose` is omitted.
-- **`wfctl wizard`** (`cmd/wfctl/wizard.go`, `wizard_models.go`): interactive Bubbletea TUI wizard for project setup. Nine screens: project info → services → infrastructure → environments → deployment → secrets → CI/CD → review → write. Generates a complete `app.yaml` and optionally triggers `wfctl ci init`. Navigates with Enter/Esc/Tab/Space/arrows.
+- **`wfctl wizard`** (`cmd/wfctl/wizard.go`, `wizard_models.go`): interactive Bubbletea TUI wizard for project setup. Eleven screens: project info → services → infrastructure → infra resolution (per-env strategy) → environments → deployment → secret stores → secret routing → secret values → CI/CD → review → write. New screens vs prior version: per-environment infra resolution (container/provision/existing with connection details for "existing"), named secret store configuration with add/remove flow, per-secret store routing (← → to assign), and bulk hidden secret input with Ctrl+G auto-generation for keys/tokens. Generates a complete `app.yaml` including `secretStores:` and per-secret `store:` routing.
+- **`wfctl secrets setup`** (`cmd/wfctl/secrets_setup.go`): standalone interactive command to set all secrets for a given environment. Reads `secrets.entries` from config, resolves store per secret (env override → per-secret store → defaultStore → legacy provider), prompts with hidden terminal input, and supports `--auto-gen-keys` flag to auto-generate random hex values for names ending in `_KEY`, `_SECRET`, `_TOKEN`, or `_SIGNING`.
+- **Plugin manifest `moduleInfraRequirements`** (`config/plugin_manifest.go`): `PluginManifestFile` struct with `moduleInfraRequirements` map, `ModuleInfraSpec`, and `InfraRequirement`. Allows plugin authors to declare infrastructure dependencies (type, name, Docker image, ports, secrets, providers) per module type.
+- **Multi-store secrets** (`config/secrets_config.go`, `config/config.go`): `SecretStoreConfig`, `SecretStores` map on `WorkflowConfig`, `DefaultStore` on `SecretsConfig`, and `Store` field on `SecretEntry` for per-secret store routing.
+- **Per-environment infra resolution** (`config/infra_resolution.go`): `InfraEnvironmentResolution` with `strategy` (container/provision/existing), `dockerImage`, `port`, `provider`, `config`, and `connection` (host/port/auth). Added `Environments` map to `InfraResourceConfig`.
+- **`SecretsProvider.Check()`** (`cmd/wfctl/secrets_providers.go`): `SecretState` enum (Set/NotSet/NoAccess/FetchError/Unconfigured) and `Check()` method on the interface with `envProvider` implementation. `SecretStatus` now includes `Store` and `State` fields.
+- **Multi-store secret resolution** (`cmd/wfctl/secrets_resolve.go`): `ResolveSecretStore` (priority: env override → per-secret store → defaultStore → legacy provider → "env"), `getProviderForStore` (maps SecretStores config to providers), `buildSecretStatuses` (access-aware status for `wfctl secrets list`).
+- **`detect_infra_needs` plugin manifest integration** (`cmd/wfctl/plugin_infra.go`, `mcp/scaffold_tools.go`): `LoadPluginManifests` and `DetectPluginInfraNeeds` scan local plugin directories for `plugin.json` manifests and surface module-type infra requirements. MCP tool gains optional `plugins_dir` parameter.
 
 ### Documentation
 
-- `docs/WFCTL.md`: added `dev up/down/logs/status/restart` reference (flags, mode table, exposure methods), `wizard` reference (screen list, navigation keys).
-- `CHANGELOG.md`: entry for wfctl dev + wizard.
+- `docs/WFCTL.md`: updated `wizard` reference (11 screens, new navigation keys); added `secrets setup` command reference with flag table and examples; updated `secrets list` description to mention multi-store routing.
+- `docs/dsl-reference.md` + `cmd/wfctl/dsl-reference-embedded.md`: expanded `infrastructure` fields with per-env resolution strategies, connection config, and extended example; added `secretStores:` section with example and relationships; updated `secrets:` section with `defaultStore`, per-secret `store` field, multi-store example, and `secrets setup` CLI command.
+- `docs/plugin-manifest-guide.md`: new guide for plugin authors on declaring infrastructure requirements in `plugin.json` via `moduleInfraRequirements`.
 
 
 
 
@@ -668,7 +668,27 @@ These top-level sections describe infrastructure-as-code resources that the engi
   - `capabilities` (array) — resource capability definitions
 
 ### `infrastructure` Fields
-A map of infrastructure resource definitions. Structure is plugin-defined.
+
+The `infrastructure:` section declares infrastructure resources the application depends on. Each resource can specify per-environment resolution strategies.
+
+- `infrastructure.resources` (array) — list of infrastructure resource declarations. Each entry:
+  - `name` (string, required) — unique resource name
+  - `type` (string, required) — resource type (e.g., `postgresql`, `redis`, `nats`, `s3-bucket`)
+  - `provider` (string) — IaC provider to use for provisioning (e.g., `aws`, `gcp`, `azure`, `digitalocean`)
+  - `config` (map) — resource-specific configuration
+  - `environments` (map) — per-environment resolution strategies. Each key is an environment name and the value is an `InfraEnvironmentResolution` object:
+    - `strategy` (string, required) — how to resolve this resource in this environment:
+      - `container` — run a container locally (for local/CI environments)
+      - `provision` — provision via IaC plugin (for staging/production)
+      - `existing` — connect to an already-running instance
+    - `dockerImage` (string) — container image to use when `strategy: container`
+    - `port` (int) — container port when `strategy: container`
+    - `provider` (string) — override IaC provider for this environment
+    - `config` (map) — environment-specific resource configuration
+    - `connection` (object) — connection details when `strategy: existing`:
+      - `host` (string, required) — hostname or IP
+      - `port` (int) — port number
+      - `auth` (string) — authentication reference (e.g., a secret name)
 
 ### `sidecars` Fields
 - `sidecars` (array) — list of sidecar container definitions
@@ -699,6 +719,43 @@ platform:
             ports:
               - container_port: 8080
 
+infrastructure:
+  resources:
+    - name: db
+      type: postgresql
+      provider: aws
+      config:
+        instanceClass: db.t3.micro
+      environments:
+        local:
+          strategy: container
+          dockerImage: postgres:16
+          port: 5432
+        staging:
+          strategy: provision
+          provider: aws
+        production:
+          strategy: provision
+          provider: aws
+          config:
+            instanceClass: db.r6g.large
+    - name: cache
+      type: redis
+      environments:
+        local:
+          strategy: container
+          dockerImage: redis:7
+          port: 6379
+        staging:
+          strategy: existing
+          connection:
+            host: redis.internal.staging.example.com
+            port: 6379
+            auth: REDIS_PASSWORD
+        production:
+          strategy: provision
+          provider: aws
+
 sidecars:
   - name: redis-cache
     type: redis
@@ -715,6 +772,8 @@ sidecars:
 - `platform.context` module type references the `platform` section org/environment values
 - Sidecars are deployed alongside the application container but are not addressable as workflow modules
 - `infrastructure` resources are provisioned by IaC plugins before application start
+- `infrastructure.resources[*].environments` per-env strategies control `wfctl dev up` container lifecycle
+- Plugins declare their infra requirements in `plugin.json` via `moduleInfraRequirements`
 
 ---
 
@@ -877,33 +936,70 @@ environments:
 
 ---
 
+<!-- section: secretStores -->
+## Secret Stores
+
+The optional `secretStores:` section declares named secret storage backends. This enables routing different secrets to different backends (e.g., application secrets in environment variables, payment keys in AWS Secrets Manager).
+
+### Fields
+
+- `secretStores.<name>` (object) — a named store. Fields:
+  - `provider` (string, required) — backend provider: `env`, `vault`, `aws-secrets-manager`, `gcp-secret-manager`
+  - `config` (map) — provider-specific configuration (e.g., Vault address, AWS region)
+
+### Example
+
+```yaml
+secretStores:
+  primary:
+    provider: env
+  payment-vault:
+    provider: aws-secrets-manager
+    config:
+      region: us-east-1
+```
+
+### Relationship to Other Sections
+
+- `secrets.defaultStore` references a named store from `secretStores`
+- `secrets.entries[*].store` routes an individual secret to a specific store
+- `environments[*].secretsProvider` overrides the store name for all secrets in that environment
+
+---
+
 <!-- section: secrets -->
 ## Secrets
 
-The optional `secrets:` section declares the application's secret management configuration: which provider to use, rotation policy, and what secrets the application needs.
+The optional `secrets:` section declares the application's secret management configuration: which stores to use, rotation policy, and what secrets the application needs.
 
 ### Fields
 
-- `secrets.provider` (string, required) — secrets provider name. Currently supported: `env`
-- `secrets.config` (map) — provider-specific configuration
+- `secrets.defaultStore` (string) — name of the default store from `secretStores`. When set, all secrets without an explicit `store` field use this store.
+- `secrets.provider` (string) — legacy single-provider name (use `defaultStore` + `secretStores` for new configs). Supported: `env`, `vault`, `aws-secrets-manager`, `gcp-secret-manager`
+- `secrets.config` (map) — provider-specific configuration (used with legacy `provider` field)
 - `secrets.rotation` (object) — default rotation policy:
   - `enabled` (bool) — enable automatic rotation
   - `interval` (string) — rotation interval (e.g., `30d`, `7d`)
   - `strategy` (string) — rotation strategy (`dual-credential`, `graceful`, `immediate`)
 - `secrets.entries` (array) — declared secrets the application needs. Each entry:
   - `name` (string, required) — secret name (typically an env var name)
   - `description` (string) — human-readable description
+  - `store` (string) — name of a specific store from `secretStores`; overrides `defaultStore` and environment override
   - `rotation` (object) — per-secret rotation override (same fields as `secrets.rotation`)
 
-### Example
+### Example (multi-store)
 
 ```yaml
+secretStores:
+  primary:
+    provider: env
+  payment-vault:
+    provider: aws-secrets-manager
+    config:
+      region: us-east-1
+
 secrets:
-  provider: env
-  rotation:
-    enabled: true
-    interval: 30d
-    strategy: dual-credential
+  defaultStore: primary
   entries:
     - name: DATABASE_URL
       description: PostgreSQL connection string
@@ -915,22 +1011,42 @@ secrets:
         strategy: graceful
     - name: STRIPE_SECRET_KEY
       description: Stripe payment API key
+      store: payment-vault
+```
+
+### Example (single provider, legacy)
+
+```yaml
+secrets:
+  provider: env
+  rotation:
+    enabled: true
+    interval: 30d
+    strategy: dual-credential
+  entries:
+    - name: DATABASE_URL
+      description: PostgreSQL connection string
+    - name: JWT_SECRET
+      description: JWT signing key
 ```
 
 ### CLI Commands
 
 - `wfctl secrets detect --config app.yaml` — scan config for secret-like values
 - `wfctl secrets set DATABASE_URL --value "..."` — set a secret in the provider
 - `wfctl secrets set TLS_CERT --from-file ./certs/server.crt` — set from file
-- `wfctl secrets list --config app.yaml` — list declared secrets and status
+- `wfctl secrets list --config app.yaml` — list declared secrets and their store routing
 - `wfctl secrets validate --config app.yaml` — verify all secrets are set
 - `wfctl secrets init --provider env --env staging` — initialize provider config
 - `wfctl secrets rotate DATABASE_URL --env production` — trigger rotation
 - `wfctl secrets sync --from staging --to production` — sync secret structure
+- `wfctl secrets setup --env local` — interactively set all secrets for an environment
+- `wfctl secrets setup --env production --auto-gen-keys` — set secrets, auto-generating key/token values
 
 ### Relationship to Other Sections
 
-- `environments[*].secretsProvider` overrides the top-level provider per environment
+- `secretStores` must be declared before referencing store names in `secrets.defaultStore` or `secrets.entries[*].store`
+- `environments[*].secretsProvider` overrides the store for all secrets in that environment
 - `environments[*].secretsPrefix` is prepended to secret names when resolving in that environment
 - `ci.deploy.environments` can reference secrets from the `secrets:` section
 
 
@@ -1326,7 +1326,7 @@ wfctl secrets set TLS_CERT --from-file ./certs/server.crt
 
 #### `secrets list`
 
-List all declared secrets and their set/unset status.
+List all declared secrets, their store routing, and access-aware set/unset status. For multi-store configs, each secret shows which store it resolves to and whether the store is accessible.
 
 ```bash
 wfctl secrets list --config app.yaml
@@ -1364,6 +1364,26 @@ Copy secret structure from one environment to another (Tier 2 implementation).
 wfctl secrets sync --from staging --to production
 ```
 
+#### `secrets setup`
+
+Interactively set all secrets declared in the config for a given environment. Prompts for each secret's value with hidden terminal input. Secrets in inaccessible stores are skipped. Use `--auto-gen-keys` to automatically generate random values for secrets whose names end in `_KEY`, `_SECRET`, `_TOKEN`, or `_SIGNING`.
+
+```
+wfctl secrets setup [options]
+```
+
+| Flag | Default | Description |
+|------|---------|-------------|
+| `--env` | `local` | Target environment name |
+| `--config` | `app.yaml` | Workflow config file |
+| `--auto-gen-keys` | `false` | Auto-generate random values for key/token/secret-named entries |
+
+```bash
+wfctl secrets setup --env local
+wfctl secrets setup --env production --auto-gen-keys
+wfctl secrets setup --env staging --config config/staging.yaml
+```
+
 ---
 
 ### `git connect`
@@ -1787,12 +1807,15 @@ No flags. The wizard runs in the terminal and collects:
 1. **Project info** — name and description
 2. **Services** — single-service or multi-service (comma-separated names)
 3. **Infrastructure** — PostgreSQL, Redis cache, NATS message queue (checkboxes)
-4. **Environments** — local, staging, production (checkboxes)
-5. **Deployment** — provider per environment (Docker Compose, Kubernetes, AWS ECS)
-6. **Secrets** — secrets provider (env vars, Vault, AWS Secrets Manager, GCP Secret Manager)
-7. **CI/CD** — generate CI bootstrap and select platform (GitHub Actions, GitLab CI)
-8. **Review** — preview generated YAML
-9. **Write** — save to `app.yaml`
+4. **Infra resolution** — per-environment strategy for each selected infrastructure resource (container/provision/existing); if "existing", prompts for host:port
+5. **Environments** — local, staging, production (checkboxes)
+6. **Deployment** — provider per environment (Docker Compose, Kubernetes, AWS ECS)
+7. **Secret stores** — define named stores (env, Vault, AWS Secrets Manager, GCP Secret Manager); Space to add, Delete to remove, Enter to continue
+8. **Secret routing** — assign each required secret to a store (← → to change store)
+9. **Secret values** — enter values for required secrets with hidden input; Ctrl+G auto-generates random values for keys/tokens
+10. **CI/CD** — generate CI bootstrap and select platform (GitHub Actions, GitLab CI)
+11. **Review** — preview generated YAML
+12. **Write** — save to `app.yaml`
 
 **Navigation:**
 
@@ -1801,8 +1824,10 @@ No flags. The wizard runs in the terminal and collects:
 | `Enter` | Advance to next screen / confirm |
 | `Esc` | Go back to previous screen |
 | `Tab` | Move focus between fields |
-| `Space` | Toggle checkbox / select option |
+| `Space` | Toggle checkbox / add store |
 | `↑` / `↓` | Move cursor in lists |
+| `←` / `→` | Change strategy or store selection |
+| `Ctrl+G` | Auto-generate a random secret value (bulk secrets screen) |
 | `Ctrl+C` | Quit without saving |
 
 **Example:**
@@ -1811,6 +1836,7 @@ No flags. The wizard runs in the terminal and collects:
 wfctl wizard
 # Follow the interactive prompts to generate app.yaml
 wfctl validate app.yaml
+wfctl secrets setup --env local   # set secret values interactively
 wfctl dev up
 ```