This handles secrets and config management for Pulumi through their ESC service. You get centralized storage, dynamic OIDC credentials for AWS/Azure/GCP, and integration with external vaults like 1Password or HashiCorp Vault. The main value is composable environments that layer base config with cloud-specific and stack-specific settings, all version controlled with RBAC. Commands are straightforward: pulumi env init to create, pulumi env set for values, pulumi config env add to link to stacks. One thing to note is the distinction between get (shows structure, hides secrets) and open (resolves everything including credentials), which matters when you're debugging versus just checking configuration layout.
npx skills add https://github.com/pulumi/agent-skills --skill pulumi-esc