HoneyDrunk.Vault 0.7.0


HoneyDrunk.Vault

Core secrets and configuration management library for HoneyDrunk.OS. This package provides the abstractions, caching, orchestration, telemetry, and Kernel lifecycle integration that all Vault providers plug into.

This package contains no provider implementations. It defines the Vault contract, runtime behavior, cache, telemetry, and lifecycle integration used by provider packages. Vault itself does not talk to Azure, AWS, files, or configuration—providers do.

Overview

Vault gives applications a unified, Kernel-aware interface for secrets and configuration no matter where those values live. Providers supply the values; Vault handles resilience, caching, lifecycle behavior, and distributed tracing.

You'll need at least one provider package (File, Azure Key Vault, AWS, InMemory, or Configuration) to store and retrieve secrets.

Key Abstractions:

  • ISecretStore - Primary interface for accessing secrets (inject this in your services)
  • IConfigProvider - Typed configuration access with defaults
  • IVaultClient - Combined orchestrator for secrets and config (use when you need both)
  • SecretIdentifier - Immutable identifier (name + optional version)
  • SecretValue - Immutable secret data + metadata

Application code injects ISecretStore and IConfigProvider, not IVaultClient. IVaultClient is useful when your service needs a unified façade for both secrets and config, but most apps won't need it.

Features

  • Multiple provider support (File, Azure, AWS, Configuration, InMemory)
  • Kernel lifecycle integration (startup, health, readiness)
  • In-memory caching with TTL and optional sliding expiration
  • Retry and circuit breaker resilience policies
  • Grid context propagation for tracing and correlation
  • Secure telemetry (never logs secret values)
  • Pluggable provider model

Installation

dotnet add package HoneyDrunk.Vault

Quick Start

Consuming Secrets

using HoneyDrunk.Vault.Abstractions;
using HoneyDrunk.Vault.Models;

public class MyService
{
    private readonly ISecretStore _store;

    public MyService(ISecretStore store)
    {
        _store = store;
    }

    public async Task<string> GetConnectionStringAsync()
    {
        var secret = await _store.GetSecretAsync(
            new SecretIdentifier("db-connection-string"));
        return secret.Value;
    }
}

Registering Vault Inside a HoneyDrunk Node

AddVault(options => ...) only exists when HoneyDrunk.Kernel is referenced. This is the Kernel "builder" API, not a general DI API.

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddHoneyDrunkGrid(grid => { grid.StudioId = "my-studio"; })
    .AddHoneyDrunkNode(node => { node.NodeId = "my-service-node"; })
    .AddVault(options =>
    {
        options.Cache.Enabled = true;
        options.Cache.DefaultTtl = TimeSpan.FromMinutes(15);

        options.Resilience.RetryEnabled = true;
        options.Resilience.MaxRetryAttempts = 3;

        options.AddAzureKeyVaultProvider(akv =>
        {
            akv.VaultUri = new Uri("https://my-vault.vault.azure.net/");
            akv.UseManagedIdentity = true;
        });

        options.WarmupKeys.Add("db-connection-string");
        options.HealthCheckSecretKey = "health-check-secret";
    });

var app = builder.Build();

Plain ASP.NET Core (No Kernel)

For apps that don't use Kernel, register a provider directly using provider-level DI extensions:

builder.Services.AddVaultWithFile(o =>
{
    o.SecretsFilePath = "secrets.json";
});

builder.Services.AddVaultWithAzureKeyVault(o =>
{
    o.VaultUri = new Uri("https://my-vault.vault.azure.net/");
    o.UseManagedIdentity = true;
});

Architecture

HoneyDrunk.Vault (Core)
├── Abstractions
│   ├── ISecretStore / IConfigProvider
│   ├── ISecretProvider / IConfigSource
│   └── SecretIdentifier / SecretValue / SecretVersion
├── Services
│   ├── VaultClient
│   └── SecretCache
├── Lifecycle
│   └── VaultStartupHook
├── Health
│   ├── VaultHealthContributor
│   └── VaultReadinessContributor
└── Telemetry
    └── VaultTelemetry

Key Interfaces

ISecretStore

Main interface for secret access:

public interface ISecretStore
{
    string ProviderName { get; }
    bool IsAvailable { get; }
    
    Task<SecretValue> GetSecretAsync(SecretIdentifier identifier, CancellationToken cancellationToken = default);
    Task<VaultResult<SecretValue>> TryGetSecretAsync(SecretIdentifier identifier, CancellationToken cancellationToken = default);
    Task<IReadOnlyList<SecretVersion>> ListSecretVersionsAsync(string secretName, CancellationToken cancellationToken = default);
    Task<bool> CheckHealthAsync(CancellationToken cancellationToken = default);
}

IConfigProvider

Typed configuration access:

public interface IConfigProvider
{
    Task<string> GetValueAsync(string key, CancellationToken cancellationToken = default);
    Task<T> GetValueAsync<T>(string key, T defaultValue, CancellationToken cancellationToken = default);
    Task<string?> TryGetValueAsync(string key, CancellationToken cancellationToken = default);
}

Health Checks

Inside a HoneyDrunk node, Vault participates automatically in health and readiness checks through Kernel's aggregation model. No extra wiring is required.

When using AddVault with Kernel, VaultHealthContributor and VaultReadinessContributor are automatically registered and surface vault status on Kernel's health aggregation endpoints.
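For the plain ASP.NET Core setup (no Kernel), the same store health can be bridged to the standard health-check endpoint. The adapter below is an added example, not code from HoneyDrunk.Vault; the class name `SecretStoreHealthCheck`, the check name `vault`, the `ready` tag and the `/health/ready` route are assumptions, and only the `ISecretStore` members listed on this page are used.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using HoneyDrunk.Vault.Abstractions;
using Microsoft.Extensions.Diagnostics.HealthChecks;

// Hypothetical adapter: exposes ISecretStore health through ASP.NET Core health checks.
public sealed class SecretStoreHealthCheck : IHealthCheck
{
    private readonly ISecretStore _store;

    public SecretStoreHealthCheck(ISecretStore store) => _store = store;

    public async Task<HealthCheckResult> CheckHealthAsync(
        HealthCheckContext context, CancellationToken cancellationToken = default)
    {
        var provider = _store.ProviderName;

        // Read the availability flag before asking the store to probe itself.
        if (!_store.IsAvailable)
            return HealthCheckResult.Unhealthy($"Secret store '{provider}' is unavailable.");

        try
        {
            var ok = await _store.CheckHealthAsync(cancellationToken);
            return ok
                ? HealthCheckResult.Healthy($"Secret store '{provider}' passed its health probe.")
                : HealthCheckResult.Unhealthy($"Secret store '{provider}' failed its health probe.");
        }
        catch (OperationCanceledException) when (cancellationToken.IsCancellationRequested)
        {
            throw; // cancellation belongs to the health-check pipeline, not to the store
        }
        catch (Exception ex)
        {
            // Health responses are often readable by load balancers and monitors:
            // report the provider name and exception type, not the exception message.
            return HealthCheckResult.Unhealthy($"Secret store '{provider}' probe threw {ex.GetType().Name}.");
        }
    }
}

// Registration in Program.cs, after AddVaultWithFile(...) or AddVaultWithAzureKeyVault(...):
//   builder.Services.AddHealthChecks()
//       .AddCheck<SecretStoreHealthCheck>("vault", tags: new[] { "ready" });
//   app.MapHealthChecks("/health/ready");
```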

Telemetry

Vault emits OpenTelemetry activities for all operations. Traces include:

  • Provider name
  • Operation type (get, list, etc.)
  • Cache hit/miss status
  • Execution duration
  • Grid correlation metadata

Security Note: Secret values are never logged or emitted in telemetry. Only secret names and provider metadata appear in traces.

Configuration Options

Key configurable components include:

  • VaultCacheOptions - TTL, max size, sliding expiration
  • VaultResilienceOptions - Retry, circuit breaker, timeout
  • Provider registration - Multiple providers with optional default
  • Warmup keys - Preload critical secrets on startup
  • Health check secret - Secret used for readiness checks

For full documentation of all configuration options, see the /docs directory.

VaultOptions

public class VaultOptions
{
    public Dictionary<string, ProviderRegistration> Providers { get; }
    public string? DefaultProvider { get; set; }
    public VaultCacheOptions Cache { get; set; }
    public VaultResilienceOptions Resilience { get; set; }
    public bool EnableTelemetry { get; set; }
    public List<string> WarmupKeys { get; }
    public string? HealthCheckSecretKey { get; set; }
}

VaultCacheOptions

public class VaultCacheOptions
{
    public bool Enabled { get; set; }
    public TimeSpan DefaultTtl { get; set; }
    public int MaxSize { get; set; }
    public TimeSpan? SlidingExpiration { get; set; }
}

VaultResilienceOptions

public class VaultResilienceOptions
{
    public bool RetryEnabled { get; set; }
    public int MaxRetryAttempts { get; set; }
    public TimeSpan RetryDelay { get; set; }
    public bool CircuitBreakerEnabled { get; set; }
    public int FailureThreshold { get; set; }
    public TimeSpan CircuitBreakDuration { get; set; }
    public TimeSpan Timeout { get; set; }
}

Error Handling

Use Get* methods for required values and TryGet* for optional flows:

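try
{
    var secret = await _store.GetSecretAsync(id);
    // Use secret.Value here; keep it out of logs.
}
catch (SecretNotFoundException)
{
    // The required secret does not exist: log the secret name only and fail the operation.
}
catch (VaultOperationException)
{
    // The vault operation failed: log the secret name only and fail the operation.
}

// For optional secrets
var result = await _store.TryGetSecretAsync(id);
if (result.IsSuccess)
{
    var secret = result.Value;
}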

Best Practices

  1. Inject ISecretStore or IConfigProvider, not concrete providers
  2. Enable caching in production - Improves performance and reduces provider load
  3. Use resilience settings for external stores - Protect against transient failures
  4. Use warmup keys for latency-sensitive secrets - Preload on startup
  5. Never log secret values - Use secret names only in logs and telemetry
  6. Prefer TryGetSecretAsync for optional secrets and GetSecretAsync for required ones - Keeps exception paths meaningful
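Practices 1, 5 and 6 combined in one consumer, as an added example that is not part of the package's own documentation. The class `ExporterCredentials` and the secret names `exporter-api-key` and `exporter-proxy-token` are constructed for illustration; the Vault calls are the ones shown on this page.

```csharp
using System.Threading;
using System.Threading.Tasks;
using HoneyDrunk.Vault.Abstractions;
using HoneyDrunk.Vault.Models;
using Microsoft.Extensions.Logging;

// Hypothetical consumer: one required secret, one optional secret.
public sealed class ExporterCredentials
{
    private const string ApiKeyName = "exporter-api-key";         // constructed name
    private const string ProxyTokenName = "exporter-proxy-token"; // constructed name

    private readonly ISecretStore _store;                  // the abstraction, not a concrete provider
    private readonly ILogger<ExporterCredentials> _logger;

    public ExporterCredentials(ISecretStore store, ILogger<ExporterCredentials> logger)
    {
        _store = store;
        _logger = logger;
    }

    // Required: no catch block. A missing or unreadable key surfaces as an exception
    // so the caller stops instead of continuing with an empty credential.
    public async Task<string> GetApiKeyAsync(CancellationToken ct = default)
    {
        var secret = await _store.GetSecretAsync(new SecretIdentifier(ApiKeyName), ct);
        // Structured log carries the name and provider only; secret.Value is never a log argument.
        _logger.LogDebug("Resolved secret {SecretName} via {Provider}", ApiKeyName, _store.ProviderName);
        return secret.Value;
    }

    // Optional: absence is an expected outcome, so no exception path is involved.
    public async Task<string?> TryGetProxyTokenAsync(CancellationToken ct = default)
    {
        var result = await _store.TryGetSecretAsync(new SecretIdentifier(ProxyTokenName), ct);
        if (!result.IsSuccess)
        {
            _logger.LogInformation(
                "Optional secret {SecretName} not available via {Provider}; exporting without proxy",
                ProxyTokenName, _store.ProviderName);
            return null;
        }
        return result.Value.Value; // VaultResult<SecretValue>.Value, then SecretValue.Value
    }
}
```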

License

MIT License - see LICENSE file for details.

Support

For issues, questions, or contributions, please visit the GitHub repository.

Compatible and additional computed target framework versions:
.NET: net10.0 is compatible. net10.0-android, net10.0-browser, net10.0-ios, net10.0-maccatalyst, net10.0-macos, net10.0-tvos and net10.0-windows were computed.

NuGet packages (18)

Showing the top 5 NuGet packages that depend on HoneyDrunk.Vault:

HoneyDrunk.Vault.Providers.AzureKeyVault

Azure Key Vault provider for HoneyDrunk.Vault. Provides enterprise-grade secret management using Azure Key Vault with support for Managed Identity and Service Principal authentication.

HoneyDrunk.Vault.Providers.File

File-based secrets and configuration provider for HoneyDrunk.Vault. Ideal for local development and testing with support for file watching and optional encryption.

HoneyDrunk.Vault.Providers.AppConfiguration

Azure App Configuration bootstrap extensions for HoneyDrunk.Vault using environment variable discovery.

HoneyDrunk.Vault.EventGrid

Event Grid webhook helpers for HoneyDrunk.Vault cache invalidation.

HoneyDrunk.Data.SqlServer

SQL Server specialization for HoneyDrunk.Data. Complete architecture overhaul with SQL Server and Azure SQL configuration, model conventions, retry-on-failure support, and enhanced health diagnostics.

GitHub repositories

This package is not used by any popular GitHub repositories.

Version Downloads Last Updated
0.7.0 556 5/27/2026
0.6.0 116 5/26/2026
0.5.0 1,159 5/18/2026
0.4.0 165 5/4/2026
0.3.0 1,139 4/25/2026
0.2.0 289 1/25/2026
0.1.0 552 12/8/2025

v0.7.0: Sonar duplication reduction (ADR-0011 D11) + coverage backfill. ISecretProvider now extends ISecretStore and exposes the FetchSecretAsync / TryFetchSecretAsync / ListVersionsAsync trio as default interface methods delegating to SecretStoreFacade; ISecretStore.TryGetSecretAsync is similarly a DIM (breaking — existing implementers may no longer need the redundant overrides). New DictionarySecretLookup / DictionaryConfigLookup helpers consolidate the in-memory/file-store lookup pattern. AddVaultCore now resolves the composite via a factory so the optional VaultTelemetry parameter binds to null when telemetry is disabled. See CHANGELOG.md for details.