singularity-forge/packages
Mikael Hugo a2a44f8d15 feat: implement Tier 1.1 Vault secret resolver
- Create vault-resolver.js: URI parser, auth chain (env → file → AppRole), in-memory caching
- Add resolveConfigValueAsync() to pi-coding-agent for lazy vault URI resolution
- Integrate vault credential resolution into auth-storage credential loading path
- Add doctor check (checkVaultHealth) for vault setup validation at startup
- Document vault setup, auth methods, examples, troubleshooting in preferences-reference.md
- Add comprehensive test suite (18 tests) for vault URI parsing, auth, caching, fallback

Auth Chain:
1. VAULT_TOKEN env var (simplest for local dev)
2. ~/.vault-token file (recommended for local dev)
3. VAULT_ROLE_ID + VAULT_SECRET_ID env vars (AppRole for CI/CD)

Fail-open behavior: If vault unavailable, falls back to plaintext URIs to allow continued operation.

URI Format: vault://secret/path/to/secret#fieldname
Example: ANTHROPIC_API_KEY=vault://secret/anthropic/prod#api_key

Tests: parseVaultUri, isVaultUri, resolveSecret, caching, edge cases all passing (18/18).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-05-07 02:39:51 +02:00
..
daemon fix: clean provider surfaces and core build 2026-05-05 16:31:53 +02:00
native fix: clean provider surfaces and core build 2026-05-05 16:31:53 +02:00
pi-agent-core sf snapshot: uncommitted changes after 39m inactivity 2026-05-06 08:15:40 +02:00
pi-ai fix: align scaffold sync and gemini listings 2026-05-05 18:23:48 +02:00
pi-coding-agent feat: implement Tier 1.1 Vault secret resolver 2026-05-07 02:39:51 +02:00
pi-tui fix: clean provider surfaces and core build 2026-05-05 16:31:53 +02:00
rpc-client fix: stabilize uok ledger and steering 2026-05-06 01:47:21 +02:00
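
The `vault://secret/path/to/secret#fieldname` format, the three-step auth chain and the fail-open fallback described in the commit message above, as an added example that is not the project's `vault-resolver.js`. The names `parseVaultRef`, `pickAuth`, `resolveValue` and the `resolved` flag are hypothetical, and `readSecret` is a synchronous stand-in for the Vault read.

```javascript
// Added example, not the project's vault-resolver.js; all names are hypothetical.
const SCHEME = "vault://";

const isVaultRef = (v) => typeof v === "string" && v.startsWith(SCHEME);

// Split vault://<path>#<field> into its parts, rejecting malformed references.
function parseVaultRef(uri) {
  if (!isVaultRef(uri)) throw new TypeError("not a vault:// reference");
  const rest = uri.slice(SCHEME.length);
  const hash = rest.indexOf("#");
  if (hash === -1) throw new SyntaxError("missing #fieldname");
  const path = rest.slice(0, hash);
  const field = rest.slice(hash + 1);
  const badSegment = (s) => s === "" || s === "." || s === "..";
  if (path.split("/").some(badSegment)) throw new SyntaxError("bad secret path");
  if (field === "" || field.includes("#")) throw new SyntaxError("bad field name");
  return { path, field };
}

// Auth chain in the order the commit message lists it.
// tokenFile is the content of ~/.vault-token (or null), read by the caller.
function pickAuth(env, tokenFile) {
  if (env.VAULT_TOKEN) return "env-token";
  if (tokenFile && tokenFile.trim()) return "token-file";
  if (env.VAULT_ROLE_ID && env.VAULT_SECRET_ID) return "approle";
  return null;
}

// readSecret(path) is a synchronous stand-in for the Vault read; it returns
// the secret's key/value map or throws when Vault is unreachable.
function resolveValue(value, readSecret) {
  if (!isVaultRef(value)) return { value, resolved: true };
  try {
    const { path, field } = parseVaultRef(value);
    const data = readSecret(path);
    if (!Object.prototype.hasOwnProperty.call(data, field)) throw new Error(`no field ${field}`);
    return { value: String(data[field]), resolved: true };
  } catch (err) {
    // Fail-open: hand back the original URI, but flag it so the caller never
    // sends the literal "vault://..." string to a provider as a credential.
    return { value, resolved: false, error: err.message };
  }
}

// Constructed sample data.
const store = { "secret/anthropic/prod": { api_key: "sk-constructed-0000" } };
const read = (p) => { if (!(p in store)) throw new Error("unavailable"); return store[p]; };
console.log(resolveValue("vault://secret/anthropic/prod#api_key", read));
```

With a fail-open fallback, a check on `resolved` before the value is used as a credential keeps an unresolved reference from reaching a provider as if it were a key.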