feat: GCP SM, Azure KV, 1Password Connect providers (Plan 9) #211
Merged
Add gcp-sm:// provider backed by GCP Secret Manager SDK. Uses Application Default Credentials for ambient auth. Includes config, provider, gRPC error mapping, JSON field extraction, concurrency tests, and contract compliance. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add azure-kv:// provider backed by Azure Key Vault SDK. Uses DefaultAzureCredential for ambient auth. Rejects URIs with path components (KV names only allow alphanumerics and hyphens). Includes config, provider, HTTP error mapping, JSON field extraction, concurrency tests, and contract compliance. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add op:// provider backed by 1Password Connect SDK. Supports auth chaining via api_key_ref and Dependencies(). Uses field-by-label extraction on structured item fields (different from JSON field extraction in other providers). Includes config, provider, HTTP error mapping, vault-by-title resolution, concurrency tests, and contract compliance. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
… (Plan 9, Task 4) Add gcp-sm, azure-kv, op to knownProviderTypes in policy validation. Add constructors and YAML decoders to session config for all three new providers. Includes decode tests for each provider type including 1Password's api_key_ref chaining. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Summary
- gcp-sm://) provider backed by Application Default Credentials
- azure-kv://) provider backed by DefaultAzureCredential
- op://) provider with auth chaining support (api_key_ref)
- knownProviderTypes) and session config (DefaultConstructors, YAML decoders)

Test Plan
- go test ./internal/proxy/secrets/gcpsm/ -v -race — 24 tests (mock-based, contract)
- go test ./internal/proxy/secrets/azurekv/ -v -race — 22 tests (mock-based, contract)
- go test ./internal/proxy/secrets/onepassword/ -v -race — 22 tests (mock-based, contract)
- go test ./internal/policy/ -v -run TestValidateSecrets — policy validation for new types
- go test ./internal/session/ -v -run TestResolveProviderConfigs — YAML decode for new types
- go test ./... — full suite, no regressions
- GOOS=windows go build ./... — cross-compilation clean

🤖 Generated with Claude Code
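The azure-kv commit message says the provider rejects URIs with path components because Key Vault names only allow alphanumerics and hyphens. The sketch below is an added example, not code from this pull request, showing one way to enforce that at parse time. The `azure-kv://<name>[#<field>]` layout, `ParseAzureKVRef` and `ErrInvalidRef` are assumptions, and the rejection of userinfo, port and query goes beyond the path rule the commit describes.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
)

// Azure Key Vault object names: 1-127 chars of ASCII letters, digits, hyphens.
var kvName = regexp.MustCompile(`^[A-Za-z0-9-]{1,127}$`)

// ErrInvalidRef wraps every validation failure (hypothetical name).
var ErrInvalidRef = errors.New("invalid azure-kv reference")

// ParseAzureKVRef (hypothetical) validates azure-kv://<name>[#<field>],
// an assumed layout, and returns the secret name and optional JSON field.
func ParseAzureKVRef(raw string) (name, field string, err error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", "", fmt.Errorf("%w: %v", ErrInvalidRef, err)
	}
	switch {
	case u.Scheme != "azure-kv":
		err = fmt.Errorf("%w: scheme %q", ErrInvalidRef, u.Scheme)
	case u.Path != "":
		// A path can never be part of a valid name; reject instead of
		// trimming so "name/../other" is not silently normalised.
		err = fmt.Errorf("%w: path component %q", ErrInvalidRef, u.Path)
	case u.User != nil || u.RawQuery != "":
		err = fmt.Errorf("%w: userinfo or query not allowed", ErrInvalidRef)
	case !kvName.MatchString(u.Host):
		// u.Host keeps any ":port", so a port fails the charset check too.
		err = fmt.Errorf("%w: name %q", ErrInvalidRef, u.Host)
	}
	if err != nil {
		return "", "", err
	}
	return u.Host, u.Fragment, nil
}

func main() {
	// Constructed sample references.
	for _, ref := range []string{"azure-kv://db-creds#password", "azure-kv://db-creds/../other"} {
		name, field, err := ParseAzureKVRef(ref)
		fmt.Printf("%-32s name=%q field=%q err=%v\n", ref, name, field, err)
	}
}
```

Failing closed on any authority part outside the name charset keeps a policy-approved reference from resolving to a different secret after URL normalisation.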