AgileWebs/blueprint-platform

José René White Enciso d4c3bf8f8a feat(blueprint-platform): add provider-agnostic secret provider contract

2026-03-11 03:43:13 -06:00

1.1 KiB

Raw Blame History

Provider-Agnostic Secret Provider Rollout

This package defines a provider-agnostic contract for secret lookup without binding to Vault, cloud providers, or environment files in core layers.

Contract Surface

IBlueprintSecretProvider
BlueprintSecretReference
BlueprintSecretResolutionResult

Runtime Defaults

AddBlueprintKeyVaultModule(...) now registers:
- BlueprintKeyVaultRuntimeSettings with:
  - VaultName
  - SecretProviderName
- NoOpBlueprintSecretProvider as default fallback.

The default fallback returns unresolved lookups and never introduces provider-specific behavior.

Binding Strategy

Keep domain and application layers dependent only on IBlueprintSecretProvider.
Bind provider implementation at runtime through DI:
- Vault adapter
- Cloud secret manager adapter
- Environment/test adapter
Keep one active provider per deployment profile.

Rollout Notes

Stage 33 keeps this contract-only baseline.
Concrete Vault/OIDC provider integration should be implemented in infrastructure/runtime layers only.
Existing identity logic ownership remains in Thalos repositories.