fix: auto-remap renamed vault types on load #422

Merged
stack72 merged 3 commits into main from feat/azure-kv-vault-provider
Feb 23, 2026

@johnrwatson
Contributor

Summary

  • After renaming vault types (aws → aws-sm, azure → azure-kv) in feat: Azure Key Vault vault provider #420, existing users with old vault configs on disk (type: aws in their YAML files) would have their vaults silently fail to load. registerVault() rejects the old type name at the switch statement, and the error was caught and logged at debug level — so vaults just disappeared with no clear indication of what went wrong.
  • This fix remaps deprecated type names to their current equivalents in fromRepository() before calling registerVault(), with a warning log so users know the name changed and can update their configs.
  • Adds tests verifying that both aws → aws-sm and azure → azure-kv remapping works when loading from a vault config repository.

Test plan

  • deno fmt --check passes
  • deno lint passes
  • deno run test — all 1817 tests pass
  • New tests verify fromRepository() loads old type: aws configs as aws-sm and old type: azure configs as azure-kv

🤖 Generated with Claude Code
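
The load-time behaviour described in this summary, as an added example that is not code from the PR or the project. `loadStoredVaults`, `LoadReport` and the two lookup tables are hypothetical names; the known-type set lists only the two types named on this page, and the inputs stand in for configs already parsed from YAML.

```typescript
// Added illustration; every name here is hypothetical, not the project's code.
interface StoredVaultConfig { name: string; type: string }
interface LoadReport {
  loaded: StoredVaultConfig[];
  warnings: string[];
  rejected: string[];
}

// Deprecated -> current names from the rename described above. A Map (not a
// plain object) keeps a value such as "constructor" from matching an
// inherited property.
const DEPRECATED_VAULT_TYPES = new Map<string, string>([
  ["aws", "aws-sm"],
  ["azure", "azure-kv"],
]);
// Only the two types named on this page; a real registry would list more.
const KNOWN_VAULT_TYPES = new Set<string>(["aws-sm", "azure-kv"]);

function loadStoredVaults(stored: StoredVaultConfig[]): LoadReport {
  const report: LoadReport = { loaded: [], warnings: [], rejected: [] };
  stored.forEach((cfg) => {
    const current = DEPRECATED_VAULT_TYPES.get(cfg.type) ?? cfg.type;
    if (!KNOWN_VAULT_TYPES.has(current)) {
      // Surface the failure instead of dropping the vault at debug level.
      report.rejected.push(`vault "${cfg.name}": unknown type "${cfg.type}"`);
      return;
    }
    if (current !== cfg.type) {
      report.warnings.push(
        `vault "${cfg.name}": type "${cfg.type}" is deprecated, use "${current}"`,
      );
    }
    // Copy rather than mutate, so the stored value stays visible to callers.
    report.loaded.push({ ...cfg, type: current });
  });
  return report;
}

// Constructed sample: old, current, mistyped and hostile type values.
const SAMPLE_STORED: StoredVaultConfig[] = [
  { name: "prod-secrets", type: "aws" },
  { name: "team-kv", type: "azure" },
  { name: "new-vault", type: "azure-kv" },
  { name: "typo-vault", type: "awz" },
  { name: "odd-vault", type: "constructor" },
];
```
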

johnrwatson and others added 2 commits February 23, 2026 13:37
Add Azure Key Vault (`azure-kv`) as a vault provider using
DefaultAzureCredential from the Azure SDK. Rename existing vault types
for consistency: `aws` → `aws-sm`, `azure` → `azure-kv`.

Key changes:
- New AzureKvVaultProvider with secret name sanitization (/ and _ → -)
- vault create gains --region (AWS) and --vault-url (Azure) flags with
  env var fallback (AWS_REGION, AZURE_KEYVAULT_URL) and logging
- Runtime migration hints warn when old type names are used in config
- Hidden `vault type list` alias for `vault type search`
- AWS provider now requires explicit region (no silent default)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

The Azure SDK's core-rest-pipeline calls os.release() which requires
the --allow-sys permission in Deno.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@johnrwatson johnrwatson marked this pull request as draft February 23, 2026 14:02
After renaming vault types (aws → aws-sm, azure → azure-kv), existing
users with old vault configs on disk would have their vaults fail to
load. The YAML files contain type: aws and registerVault() rejects the
old type name at the switch statement.

Remap deprecated type names to their current equivalents before calling
registerVault(), with a warning log so users know the name changed.

Co-Authored-By: Pirmin Felber <pirminf@users.noreply.github.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@johnrwatson johnrwatson force-pushed the feat/azure-kv-vault-provider branch from b5c2436 to c04dd0b Compare February 23, 2026 14:03
@johnrwatson johnrwatson marked this pull request as ready for review February 23, 2026 14:03
@github-actions github-actions bot left a comment

✅ Approved

This PR is well-implemented and ready for merge.

Review Summary

Code Quality:

  • ✅ TypeScript strict mode compliance
  • ✅ Named exports used throughout
  • ✅ AGPLv3 copyright headers on new files
  • ✅ Proper type definitions (AzureKvVaultConfig interface)

Domain-Driven Design:

  • AzureKvVaultProvider correctly implements VaultProvider interface
  • ✅ Clean separation between domain service and infrastructure adapters
  • ✅ Configuration types are proper value objects

Test Coverage:

  • ✅ New tests in azure_kv_vault_provider_test.ts (lives next to source)
  • ✅ Comprehensive auto-remapping tests in vault_service_test.ts
  • ✅ All existing tests updated for renamed types

Security:

  • ✅ Uses DefaultAzureCredential (Azure SDK best practice)
  • ✅ No hardcoded credentials
  • ✅ Required config validation with clear error messages

Backwards Compatibility:

  • ✅ Auto-remaps deprecated types (aws → aws-sm, azure → azure-kv) on load
  • ✅ Warning logs guide users to update configs
  • ✅ Helpful error messages when using old type names directly

Minor Suggestions (non-blocking)

  1. The double cast as unknown as AzureKvVaultConfig in vault_service.ts:112 could potentially use a type guard, but it's consistent with existing provider patterns.

  2. The toAzureSecretName character replacement (/ and _ → -) can cause collisions—documented but worth noting for users storing secrets with both characters.

🤖 Generated with Claude Code
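
The collision noted in the second suggestion, as an added example that is not code from the PR or the project: distinct logical keys that sanitize to one Azure secret name would read and overwrite each other's values. `sanitizeSecretName` is reimplemented from the one-line rule on this page (the real `toAzureSecretName` may do more), and `findCollisions` and `SecretNameRegistry` are hypothetical helpers.

```typescript
// Added illustration, not the project's code. The rule comes from the PR text
// ("/" and "_" become "-"); the real toAzureSecretName may do more.
function sanitizeSecretName(key: string): string {
  return key.replace(/[\/_]/g, "-");
}

// Group logical keys by sanitized name; keep only names shared by 2+ keys.
function findCollisions(keys: string[]): Map<string, string[]> {
  const groups = new Map<string, string[]>();
  Array.from(new Set(keys)).forEach((key) => {
    const name = sanitizeSecretName(key);
    groups.set(name, [...(groups.get(name) ?? []), key]);
  });
  const collisions = new Map<string, string[]>();
  groups.forEach((group, name) => {
    if (group.length > 1) collisions.set(name, group.sort());
  });
  return collisions;
}

// Write guard (hypothetical): remembers which logical key owns each sanitized
// name and refuses a write that would overwrite another key's secret.
class SecretNameRegistry {
  private owners = new Map<string, string>();

  claim(key: string): string {
    const name = sanitizeSecretName(key);
    const owner = this.owners.get(name);
    if (owner !== undefined && owner !== key) {
      throw new Error(
        `"${key}" and "${owner}" both map to Azure secret "${name}"`,
      );
    }
    this.owners.set(name, key);
    return name;
  }
}

// Constructed sample keys: the first three differ only in "/", "_" and "-".
const SAMPLE_KEYS = [
  "prod/db_password",
  "prod/db-password",
  "prod_db/password",
  "staging/api_key",
];
```
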

@stack72 stack72 merged commit 43628cc into main Feb 23, 2026
7 checks passed
@stack72 stack72 deleted the feat/azure-kv-vault-provider branch February 23, 2026 14:18