# Provider-Agnostic Secret Provider Rollout

This package defines a provider-agnostic contract for secret lookup without binding to Vault, cloud providers, or environment files in core layers.

## Contract Surface

- `IBlueprintSecretProvider`
- `BlueprintSecretReference`
- `BlueprintSecretResolutionResult`

## Runtime Defaults

- `AddBlueprintKeyVaultModule(...)` now registers:
  - `BlueprintKeyVaultRuntimeSettings` with:
    - `VaultName`
    - `SecretProviderName`
  - `NoOpBlueprintSecretProvider` as the default fallback.

The default fallback returns unresolved lookups and never introduces provider-specific behavior.

## Binding Strategy

1. Keep domain and application layers dependent only on `IBlueprintSecretProvider`.
2. Bind the provider implementation at runtime through DI:
   - Vault adapter
   - Cloud secret manager adapter
   - Environment/test adapter
3. Keep one active provider per deployment profile.

## Rollout Notes

- Stage 33 keeps this contract-only baseline.
- Concrete Vault/OIDC provider integration should be implemented in infrastructure/runtime layers only.
- Existing identity logic ownership remains in Thalos repositories.

## Runtime Ownership Note

Provider contract ownership and runtime operational ownership are separate concerns.

- Contract ownership for provider-agnostic secret access remains in Blueprint and consuming repos.
- Vault runtime ownership, bootstrap, and recovery operations currently remain documented in `general_information/Vault.md`.
- Demo runtime reconciliation guidance is documented in `docs/consumption/demo-runtime-source-of-truth.md`.
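The binding strategy and the NoOp default described above, as an added example that is not this package's own code: it shows core layers depending only on `IBlueprintSecretProvider`, a fallback that always answers "unresolved", and a single runtime binding selected by `SecretProviderName`. The member shapes of the contract types and settings, the `EnvironmentBlueprintSecretProvider` adapter, and the `AddBlueprintSecretProvider` registration method are assumptions (the page names only the types), and the example assumes .NET 6+ with `Microsoft.Extensions.DependencyInjection`.

```csharp
using System.Collections.Generic;
using Microsoft.Extensions.DependencyInjection;

// Assumed member shapes: the page names these types but does not define their members.
public sealed record BlueprintSecretReference(string Name);
public sealed record BlueprintSecretResolutionResult(bool Resolved, string? Value, string ProviderName);
public sealed record BlueprintKeyVaultRuntimeSettings(string VaultName, string SecretProviderName = "noop");

// The only secret-access type that domain and application layers may reference.
public interface IBlueprintSecretProvider
{
    BlueprintSecretResolutionResult Resolve(BlueprintSecretReference reference);
}

// Default fallback: every lookup comes back unresolved and carries no provider-specific behavior.
public sealed class NoOpBlueprintSecretProvider : IBlueprintSecretProvider
{
    public BlueprintSecretResolutionResult Resolve(BlueprintSecretReference reference)
        => new(Resolved: false, Value: null, ProviderName: "noop");
}

// Hypothetical environment/test adapter; the dictionary stands in for process environment variables.
public sealed class EnvironmentBlueprintSecretProvider : IBlueprintSecretProvider
{
    private readonly IReadOnlyDictionary<string, string> _env;
    public EnvironmentBlueprintSecretProvider(IReadOnlyDictionary<string, string> env) => _env = env;

    // Resolved is true only when the key exists; a miss yields Value == null, not an exception.
    public BlueprintSecretResolutionResult Resolve(BlueprintSecretReference reference)
        => new(_env.TryGetValue(reference.Name, out var value), value, "environment");
}

public static class BlueprintSecretProviderRegistration
{
    // One active provider per deployment profile: SecretProviderName selects the adapter, and any
    // unrecognized name (including a Vault adapter that is not yet implemented in the
    // infrastructure layer) falls back to NoOp, so core layers never see a provider-specific type.
    public static IServiceCollection AddBlueprintSecretProvider(this IServiceCollection services,
        BlueprintKeyVaultRuntimeSettings settings, IReadOnlyDictionary<string, string> env)
    {
        IBlueprintSecretProvider provider = settings.SecretProviderName switch
        {
            "environment" => new EnvironmentBlueprintSecretProvider(env),
            _ => new NoOpBlueprintSecretProvider(),
        };
        return services.AddSingleton(settings).AddSingleton(provider);
    }
}
```

A caller that resolves `IBlueprintSecretProvider` from the container gets exactly one registration, so swapping profiles never leaves two adapters active at once.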