# Story 5.6: Secret Store Integration

## Metadata

- **Story ID**: 5.6
- **Title**: Secret Store Integration
- **Epic**: 5 - Infrastructure Adapters
- **Status**: Pending
- **Priority**: Medium
- **Estimated Time**: 4-5 hours
- **Dependencies**: 0.2

## Goal

Implement secret store integration supporting HashiCorp Vault and AWS Secrets Manager for secure secret management.

## Description

This story implements secret store adapters that can retrieve secrets from external secret management systems, with integration into the configuration system.

## Deliverables

### 1. Secret Store Interface (`pkg/infra/secret/secret.go`)

- `SecretStore` interface with:
  - `GetSecret(ctx context.Context, key string) (string, error)`
  - `GetSecrets(ctx context.Context, prefix string) (map[string]string, error)`

### 2. Vault Implementation (`internal/infra/secret/vault_store.go`)

- HashiCorp Vault client
- Support KV v2 secrets
- Authentication (token, AppRole)
- Secret caching

### 3. AWS Secrets Manager (`internal/infra/secret/aws_secrets.go`)

- AWS Secrets Manager client
- Secret retrieval
- Secret caching

### 4. Configuration Integration

- Integrate with config loader
- Overlay secrets on top of file/env config
- Load secrets lazily (cache)
- Secret key resolution

### 5. Configuration

- Secret store config in `config/default.yaml`:
  - Provider (vault, aws, none)
  - Connection settings
  - Cache settings

### 6. DI Integration

- Provider function for `SecretStore`
- Register in DI container (optional, via config)

## Acceptance Criteria

- [ ] Secret store interface is defined
- [ ] Vault implementation works
- [ ] AWS Secrets Manager implementation works
- [ ] Secrets are loaded into config
- [ ] Secret caching works
- [ ] Configuration integration works
- [ ] Secret store is optional (can be disabled)

## Files to Create/Modify

- `pkg/infra/secret/secret.go` - Secret store interface
- `internal/infra/secret/vault_store.go` - Vault implementation
- `internal/infra/secret/aws_secrets.go` - AWS implementation
- `internal/config/loader.go` - Integrate secret loading
- `internal/di/providers.go` - Add secret store provider
- `config/default.yaml` - Add secret store config
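The following Go sketch is an added example, not code from this project: it shows the `SecretStore` interface from Deliverable 1, a TTL caching wrapper (Deliverables 2-4, "secret caching" and "load secrets lazily"), and a config overlay that resolves `secret://<key>` references on top of already-loaded file/env values (Deliverable 4, and the "secret store is optional" criterion, where a nil store models provider `none`). `MemStore`, the `secret://` reference syntax, the `Now` clock hook and the `ErrNotFound` sentinel are assumptions chosen for illustration; a real Vault or AWS adapter would replace `MemStore` behind the same interface. The cache deliberately does not store failed lookups, so a transient backend error does not pin an empty credential for the cache TTL.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"strings"
	"sync"
	"time"
)

// SecretStore is the interface named in the story (pkg/infra/secret/secret.go).
type SecretStore interface {
	GetSecret(ctx context.Context, key string) (string, error)
	GetSecrets(ctx context.Context, prefix string) (map[string]string, error)
}

// ErrNotFound is wrapped into the error when a key is absent from the backend (assumed name).
var ErrNotFound = errors.New("secret not found")

// MemStore is a constructed in-memory backend standing in for the Vault/AWS client.
// Calls counts backend round trips so the cache's effect can be observed.
type MemStore struct {
	Data  map[string]string
	Calls int
}

func (m *MemStore) GetSecret(_ context.Context, key string) (string, error) {
	m.Calls++
	v, ok := m.Data[key]
	if !ok {
		return "", fmt.Errorf("%w: %q", ErrNotFound, key)
	}
	return v, nil
}

func (m *MemStore) GetSecrets(_ context.Context, prefix string) (map[string]string, error) {
	m.Calls++
	out := make(map[string]string)
	for k, v := range m.Data {
		if strings.HasPrefix(k, prefix) {
			out[k] = v
		}
	}
	return out, nil
}

type entry struct {
	value   string
	expires time.Time
}

// CachedStore wraps any SecretStore with a per-key TTL cache; failures are not cached.
type CachedStore struct {
	inner SecretStore
	ttl   time.Duration
	Now   func() time.Time // injectable clock (assumed hook, useful in tests)
	mu    sync.Mutex
	cache map[string]entry
}

func NewCachedStore(inner SecretStore, ttl time.Duration) *CachedStore {
	return &CachedStore{inner: inner, ttl: ttl, Now: time.Now, cache: make(map[string]entry)}
}

func (c *CachedStore) GetSecret(ctx context.Context, key string) (string, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if e, ok := c.cache[key]; ok && c.Now().Before(e.expires) {
		return e.value, nil // served from cache, no backend call
	}
	v, err := c.inner.GetSecret(ctx, key)
	if err != nil {
		return "", err
	}
	c.cache[key] = entry{value: v, expires: c.Now().Add(c.ttl)}
	return v, nil
}

func (c *CachedStore) GetSecrets(ctx context.Context, prefix string) (map[string]string, error) {
	m, err := c.inner.GetSecrets(ctx, prefix) // prefix listing always goes to the backend
	if err != nil {
		return nil, err
	}
	c.mu.Lock()
	defer c.mu.Unlock()
	exp := c.Now().Add(c.ttl)
	for k, v := range m { // warm the per-key cache with everything returned
		c.cache[k] = entry{value: v, expires: exp}
	}
	return m, nil
}

// OverlaySecrets resolves config values of the form "secret://<key>" through the store and
// leaves all other values untouched. A nil store models provider "none": plain config still
// loads, but a dangling secret reference is an error rather than a silently empty credential.
func OverlaySecrets(ctx context.Context, cfg map[string]string, store SecretStore) (map[string]string, error) {
	const scheme = "secret://"
	out := make(map[string]string, len(cfg))
	for k, v := range cfg {
		if !strings.HasPrefix(v, scheme) {
			out[k] = v
			continue
		}
		if store == nil {
			return nil, fmt.Errorf("config %q references a secret but no secret store is configured", k)
		}
		resolved, err := store.GetSecret(ctx, strings.TrimPrefix(v, scheme))
		if err != nil {
			return nil, fmt.Errorf("resolving %q: %w", k, err)
		}
		out[k] = resolved
	}
	return out, nil
}
```

In the DI wiring (Deliverable 6) the provider function would return `nil` for provider `none` and a `*CachedStore` wrapping the Vault or AWS adapter otherwise; the loader in `internal/config/loader.go` then calls `OverlaySecrets` once after file and env values are merged, so secrets are fetched only for keys the config actually references.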