fix: auto-remap renamed vault types on load

.claude/skills/swamp-vault/SKILL.md

@@ -36,35 +36,49 @@ Vaults use the dual-layer architecture:
 
 ## Vault Types
 
-Two vault types are available:
+Three vault types are available:
 
-### local_encryption
+### aws-sm
 
-Stores secrets encrypted locally using AES-GCM. Best for development and local
-workflows.
+Integrates with AWS Secrets Manager. Region is resolved at creation time from
+`--region` flag or `AWS_REGION` env var.
 
 ```yaml
 config:
-  auto_generate: true # Generate encryption key automatically
-  # OR
-  ssh_key_path: "~/.ssh/id_rsa" # Use SSH key for encryption
+  region: "us-east-1" # Resolved at creation time
+```
+
+### azure-kv
+
+Integrates with Azure Key Vault. Vault URL is resolved at creation time from
+`--vault-url` flag or `AZURE_KEYVAULT_URL` env var. Uses
+`DefaultAzureCredential` for authentication (env vars, managed identity, Azure
+CLI).
+
+```yaml
+config:
+  vault_url: "https://myvault.vault.azure.net/" # Resolved at creation time
+  # secret_prefix: "swamp/"  # Optional: prefix for all secret names
 ```
 
-### aws
+### local_encryption
 
-Integrates with AWS Secrets Manager. Best for production environments.
+Stores secrets encrypted locally using AES-GCM. Best for development and local
+workflows.
 
 ```yaml
 config:
-  region: "us-east-1" # Required
-  # profile: "default"  # Optional: AWS profile name
+  auto_generate: true # Generate encryption key automatically
+  # OR
+  ssh_key_path: "~/.ssh/id_rsa" # Use SSH key for encryption
 ```
 
 ## Create a Vault
 
 ```bash
 swamp vault create local_encryption dev-secrets --json
-swamp vault create aws prod-secrets --json
+swamp vault create aws-sm prod-secrets --region us-east-1 --json
+swamp vault create azure-kv azure-secrets --vault-url https://myvault.vault.azure.net/ --json
 ```
 
 **Output shape:**

.claude/skills/swamp-vault/references/providers.md

@@ -56,23 +56,31 @@ createdAt: 2025-02-01T...
 }
 ```
 
-## AWS Secrets Manager Provider
+## AWS Secrets Manager Provider (`aws-sm`)
 
 ### Configuration Options
 
 ```yaml
-# .swamp/vault/aws/{id}.yaml
+# .swamp/vault/aws-sm/{id}.yaml
 id: def-456
 name: prod-vault
-type: aws
+type: aws-sm
 config:
-  region: us-east-1 # Required
-  profile: production # Optional: AWS profile name
-  endpoint_url: http://localhost:4566 # Optional: LocalStack endpoint
-  secret_prefix: myapp/ # Optional: Prefix for all secret names
+  region: us-east-1 # Resolved at creation time from --region or AWS_REGION
 createdAt: 2025-02-01T...
 ```
 
+### Creation
+
+```bash
+# Explicit region
+swamp vault create aws-sm prod-vault --region us-east-1
+
+# From environment variable (logs a message confirming env var usage)
+export AWS_REGION=us-east-1
+swamp vault create aws-sm prod-vault
+```
+
 ### Authentication
 
 AWS credentials are obtained from the default credential chain:
@@ -91,11 +99,56 @@ Secrets in AWS Secrets Manager are named:
 
 ### Auto-Registration
 
-If AWS credentials are detected in the environment, swamp automatically
-registers a default `aws` vault. This vault uses:
+If AWS credentials and region are detected in the environment
+(`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, and `AWS_REGION`), swamp
+automatically registers a default `aws-sm` vault.
+
+## Azure Key Vault Provider (`azure-kv`)
+
+### Configuration Options
+
+```yaml
+# .swamp/vault/azure-kv/{id}.yaml
+id: ghi-789
+name: azure-secrets
+type: azure-kv
+config:
+  vault_url: https://myvault.vault.azure.net/ # Resolved at creation time
+  secret_prefix: swamp/ # Optional: prefix for all secret names
+createdAt: 2025-02-01T...
+```
+
+### Creation
+
+```bash
+# Explicit vault URL
+swamp vault create azure-kv azure-secrets --vault-url https://myvault.vault.azure.net/
+
+# From environment variable (logs a message confirming env var usage)
+export AZURE_KEYVAULT_URL=https://myvault.vault.azure.net/
+swamp vault create azure-kv azure-secrets
+```
+
+### Authentication
+
+Uses `DefaultAzureCredential` from the Azure SDK, which tries (in order):
+
+1. Environment variables: `AZURE_TENANT_ID`, `AZURE_CLIENT_ID`,
+   `AZURE_CLIENT_SECRET`
+2. Workload Identity (Azure-hosted workloads)
+3. Managed Identity (Azure VMs, App Service, etc.)
+4. Azure CLI credentials (`az login`)
+5. Azure PowerShell credentials
+6. Azure Developer CLI credentials
+
+### Secret Naming
+
+Azure Key Vault secret names only allow alphanumeric characters and hyphens.
+Forward slashes and underscores in swamp secret names are automatically
+converted to hyphens when stored.
 
-- Region from `AWS_REGION` or `AWS_DEFAULT_REGION` (defaults to `us-east-1`)
-- Default credential chain for authentication
+- Without prefix: `{secret-key}` (with `/` and `_` replaced by `-`)
+- With prefix: `{secret_prefix}{secret-key}` (same replacement applied)
 
 ## Mock Provider (Testing Only)
 

.github/workflows/ci.yml

@@ -32,7 +32,7 @@ jobs:
         run: deno fmt --check
 
       - name: Run deno test
-        run: deno test --allow-read --allow-write --allow-env --allow-run --allow-net
+        run: deno test --allow-read --allow-write --allow-env --allow-run --allow-net --allow-sys
 
   claude-review:
     # NOTE: For this to block merges, enable branch protection on main with:

deno.json

@@ -5,7 +5,7 @@
   "exports": "./main.ts",
   "tasks": {
     "dev": "deno run --allow-read --allow-write --allow-env --allow-run --allow-sys main.ts",
-    "test": "deno test --allow-read --allow-write --allow-env --allow-run --allow-net",
+    "test": "deno test --allow-read --allow-write --allow-env --allow-run --allow-net --allow-sys",
     "check": "deno check main.ts",
     "lint": "deno lint",
     "fmt": "deno fmt",
@@ -31,6 +31,8 @@
     "@types/react": "npm:@types/react@^18.3.28",
     "@aws-sdk/client-cloudcontrol": "npm:@aws-sdk/client-cloudcontrol@^3.993.0",
     "@aws-sdk/client-secrets-manager": "npm:@aws-sdk/client-secrets-manager@^3.993.0",
+    "@azure/identity": "npm:@azure/identity@^4.8.0",
+    "@azure/keyvault-secrets": "npm:@azure/keyvault-secrets@^4.9.0",
     "cel-js": "npm:@marcbachmann/cel-js@7.5.1",
     "fast-json-patch": "npm:fast-json-patch@^3.1.1"
   },