blueprint-platform/docs/consumption/secret-provider-rollout.md

Provider-Agnostic Secret Provider Rollout

This package defines a provider-agnostic contract for secret lookup without binding to Vault, cloud providers, or environment files in core layers.

Contract Surface

• IBlueprintSecretProvider
• BlueprintSecretReference
• BlueprintSecretResolutionResult

Runtime Defaults

• AddBlueprintKeyVaultModule(...) now registers:
  • BlueprintKeyVaultRuntimeSettings with:
    • VaultName
    • SecretProviderName
  • NoOpBlueprintSecretProvider as default fallback.

The default fallback returns unresolved lookups and never introduces provider-specific behavior.

Binding Strategy

1. Keep domain and application layers dependent only on IBlueprintSecretProvider.
2. Bind provider implementation at runtime through DI:
   • Vault adapter
   • Cloud secret manager adapter
   • Environment/test adapter
3. Keep one active provider per deployment profile.

Rollout Notes

• Stage 33 keeps this contract-only baseline.
• Concrete Vault/OIDC provider integration should be implemented in infrastructure/runtime layers only.
• Existing identity logic ownership remains in Thalos repositories.

Runtime Ownership Note

Provider contract ownership and runtime operational ownership are separate concerns.

• Contract ownership for provider-agnostic secret access remains in Blueprint and consuming repos.
• Vault runtime ownership, bootstrap, and recovery operations currently remain documented in general_information/Vault.md.
• Demo runtime reconciliation guidance is documented in docs/consumption/demo-runtime-source-of-truth.md.