# Migration status — greentic-deployer
- What changed: adopted `greentic-types::SecretRequirement` across planning/apply paths; secrets are preflighted via secrets-store lookups with scoped provider paths and aggregated missing-secret errors that point to `greentic-secrets init --pack <pack>`; provider manifests now emit scoped secret metadata. Integrated `greentic-config` for config resolution (`--config`, `--explain-config`, offline guard) and paths/telemetry defaults; added Dependabot configuration and Dependabot-only auto-merge workflow with explicit permissions. Config explain now has human/default and JSON modes, and `--config` replaces project discovery. Telemetry now honors greentic-config exporter/endpoint/sampling, distributor HTTP client respects network/tls/proxy settings, and channel base domain is read from `deployer.base_domain` in config (defaulting to `deploy.greentic.ai`).
- What broke/risks: tests not run in this change; relies on packs emitting `secret_requirements` with valid scopes; secrets-store resolution still depends on environment credentials being present.
- Next repos to update: ensure pack builders emit `secret_requirements` in `.gtpack`; runners/dev/CLI should pass structured requirements and secrets-store bindings consistently.