Secret store interface and adapters (env / Vault / AWS-SM / K8s / Doppler) #105

@tayebmokni

Description

Summary

Define the secrets.Store interface in pkg/security/secrets/ per doc 13 §5.2 and ship five adapters: EnvStore (dev only), VaultStore (Vault KV v2 with Watch via KV subscriptions), AWSSMStore (Secrets Manager, polled with TTL), K8sSecretStore (projected volume + file watcher), and DopplerStore (REST API). Backend selection is config-driven (secrets.backend = "vault" | "aws-sm" | "k8s" | "doppler" | "env"). The interface exposes Get, GetBinary, and optional Watch.

Design reference

  • docs/13-security-baseline.md §5.2 (system secret adapter), §5.7 (tradeoffs)

Acceptance criteria

  • pkg/security/secrets/store.go defines the Store interface (Get, GetBinary, Watch) and ErrNotFound sentinel
  • EnvStore adapter for development backed by environment variables
  • VaultStore adapter against Vault KV v2 with rotation notifications via Watch
  • AWSSMStore adapter against AWS Secrets Manager with TTL polling
  • K8sSecretStore adapter against projected volume with file watcher
  • DopplerStore adapter against Doppler REST API
  • Backend selection via secrets.backend config key
  • Unit tests for each adapter with fake backends; integration test for at least one cloud backend
  • Redaction helpers from §5.6 (never log values; errors.RedactedWrap)
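The sketch below is an added example, not code from this issue or from the project, of the shape the summary and acceptance criteria describe: a Store interface with Get, GetBinary and an optional Watch, the ErrNotFound sentinel, a development-only EnvStore, a TTL-polling Watch fallback of the kind the AWSSMStore would rely on, a redacting error wrapper standing in for the errors.RedactedWrap helper from §5.6, and backend selection keyed on the secrets.backend value. Every signature, the ErrWatchUnsupported sentinel, the APP_ prefix, the key-to-variable mapping and the PollWatch and Open names are assumptions; only the type and method names come from the issue.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"os"
	"strings"
	"time"
)

// ErrNotFound is the issue's sentinel; ErrWatchUnsupported (assumed) lets a backend opt out of Watch.
var ErrNotFound = errors.New("secrets: key not found")
var ErrWatchUnsupported = errors.New("secrets: watch not supported by backend")

// Store is the shape the issue describes; the exact signatures are assumed here.
type Store interface {
	Get(ctx context.Context, key string) (string, error)            // text secret
	GetBinary(ctx context.Context, key string) ([]byte, error)      // keys, certs
	Watch(ctx context.Context, key string) (<-chan struct{}, error) // rotation signal
}

// RedactedError names the operation and cause but never the value, so it is safe
// to log. RedactedWrap is an assumed stand-in for the issue's errors.RedactedWrap.
type RedactedError struct {
	Op  string
	Err error
}

func (e *RedactedError) Error() string { return e.Op + ": " + e.Err.Error() }
func (e *RedactedError) Unwrap() error { return e.Err }
func RedactedWrap(op string, err error) error { return &RedactedError{Op: op, Err: err} }

// EnvStore maps "db/password" to APP_DB_PASSWORD. Development only: the process
// environment leaks into child processes and crash dumps, and it cannot notify.
type EnvStore struct{ Prefix string }

func (s EnvStore) Get(_ context.Context, key string) (string, error) {
	name := s.Prefix + strings.ToUpper(strings.NewReplacer("/", "_", "-", "_", ".", "_").Replace(key))
	v, ok := os.LookupEnv(name)
	if !ok { // the key name may appear in an error; a value never does
		return "", RedactedWrap(fmt.Sprintf("env get %q", key), ErrNotFound)
	}
	return v, nil
}

func (s EnvStore) GetBinary(ctx context.Context, key string) ([]byte, error) {
	v, err := s.Get(ctx, key)
	if err != nil {
		return nil, err
	}
	return []byte(v), nil
}

func (s EnvStore) Watch(context.Context, string) (<-chan struct{}, error) { return nil, ErrWatchUnsupported }

// PollWatch is the TTL-polling fallback the issue assigns to AWSSMStore: re-read every
// ttl and send one signal per observed change. It works against any Store.
func PollWatch(ctx context.Context, s Store, key string, ttl time.Duration) <-chan struct{} {
	out := make(chan struct{}, 1)
	go func() {
		defer close(out)
		last, _ := s.Get(ctx, key)
		tick := time.NewTicker(ttl)
		defer tick.Stop()
		for {
			select {
			case <-ctx.Done():
				return
			case <-tick.C:
			}
			cur, err := s.Get(ctx, key)
			if err != nil || cur == last {
				continue
			}
			last = cur
			select {
			case out <- struct{}{}: // one pending signal; later changes coalesce
			default:
			}
		}
	}()
	return out
}

// Open maps the secrets.backend config value to an adapter. Only "env" is wired here;
// any other name fails explicitly so a typo never falls back to the dev store.
func Open(backend string) (Store, error) {
	switch backend {
	case "env":
		return EnvStore{Prefix: "APP_"}, nil
	default:
		return nil, fmt.Errorf("secrets: backend %q not available", backend)
	}
}

func main() {
	s, _ := Open("env")
	_, err := s.Get(context.Background(), "missing/key")
	fmt.Println(errors.Is(err, ErrNotFound), err)
}
```

Two design points carry over to the real adapters: callers branch on errors.Is(err, ErrNotFound) rather than on message text, and every error path goes through the redacting wrapper so a value can never reach a log line by accident. Watch is on the interface but optional in behaviour, so a backend without native notifications returns ErrWatchUnsupported and the caller wraps it in PollWatch with a TTL.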

Dependencies

none

Complexity

L
