feat: HashiCorp Vault base integration (Token auth, KV v2, Get Secret)

[marko00djokic]

Closes #3928

Summary

• Adds pkg/integrations/hashicorp_vault/ — new integration package for HashiCorp Vault
• Auth: Token only (X-Vault-Token header); optional Enterprise namespace via X-Vault-Namespace
• Sync(): calls GET /v1/auth/token/lookup-self to verify credentials and mark integration ready
• Get Secret component: reads a KV v2 secret (GET /v1/<mount>/data/<path>); optionally extracts a single key via the key config field; emits hashicorp_vault.secret payload on the default output channel
• Registers the integration with a blank import in pkg/server/server.go (alphabetically between harness and hetzner)

Configuration

Field	Required	Description
baseURL	yes	Vault server URL, e.g. https://vault.example.com
token	yes	Vault token (hvs.… or s.…)
namespace	no	Vault Enterprise namespace; omit for community edition

Get Secret component inputs

Field	Required	Default	Description
mount	no	secret	KV v2 mount path
path	yes	—	Secret path, e.g. myapp/db
key	no	—	If set, extract only this key into value

Test plan

• vault_test.go — TestSync_Success, TestSync_InvalidToken, TestSync_MissingToken, TestSync_MissingBaseURL, TestSync_WithNamespace
• get_secret_test.go — TestGetSecret_Execute_AllData, TestGetSecret_Execute_SpecificKey, TestGetSecret_Execute_KeyNotFound, TestGetSecret_Execute_APIError, TestGetSecret_Setup_MissingPath, TestGetSecret_Execute_DefaultMount

[superplanehq-integration]

👋 Commands for maintainers:

• /sp start - Start an ephemeral machine (takes ~30s)
• /sp stop - Stop a running machine (auto-executed on pr close)

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 528a88a. Configure here.}

[cursor]

Gitignore entry corrupted by accidental path duplication

Medium Severity

The .worktrees/ gitignore entry was accidentally changed to .worktrees/.worktrees/. This means the top-level .worktrees/ directory is no longer ignored by git, which could cause worktree metadata files to be tracked and accidentally committed. This change is unrelated to the HashiCorp Vault integration and appears to be an accidental edit.

 

^{Reviewed by Cursor Bugbot for commit 528a88a. Configure here.}

[NickDub]

Hi @marko00djokic, I've also started working on this integration on my side, since I was the one who requested it.
You can take a look at my pull request: NickDub#1

For my part, I added a trigger to detect changes to secrets.