Merge 3.2.1 to main

.github/workflows/keyfactor-release-workflow.yml

@@ -11,7 +11,7 @@ on:
 
 jobs:
   call-starter-workflow:
-    uses: keyfactor/actions/.github/workflows/starter.yml@v4
+    uses: keyfactor/actions/.github/workflows/starter.yml@v5
     with:
       command_token_url: ${{ vars.COMMAND_TOKEN_URL }}
       command_hostname: ${{ vars.COMMAND_HOSTNAME }}
@@ -24,4 +24,4 @@ jobs:
       entra_username: ${{ secrets.DOCTOOL_ENTRA_USERNAME }}
       entra_password: ${{ secrets.DOCTOOL_ENTRA_PASSWD }}
       command_client_id: ${{ secrets.COMMAND_CLIENT_ID }}
-      command_client_secret: ${{ secrets.COMMAND_CLIENT_SECRET }}
+      command_client_secret: ${{ secrets.COMMAND_CLIENT_SECRET }}

.gitignore

@@ -6,7 +6,11 @@
 /hashicorp-vault-orchestrator/obj
 /hashicorp-vault-orchestrator/Properties
 /hashicorp-vault-orchestrator/hashicorp-vault-orchestrator.csproj.user
+/hashicorp-vault-orchestrator.Tests/bin
+/hashicorp-vault-orchestrator.Tests/obj
+/hashicorp-vault-orchestrator.Tests/hashicorp-vault-orchestrator.Tests.csproj.user
 .vs
+.idea
 *.licenseheader
 README.md
 /README.md

CHANGELOG.md

@@ -1,3 +1,16 @@
+## 3.2.1
+
+* **bug fix:** Inventory and Management jobs against a Vault Enterprise namespaced KV store no longer fail with `permission denied` when the Vault token is scoped to a namespace. The `X-Vault-Namespace` header is now sent on all job types (Inventory, Management, Discovery) when a namespace is detected in the `MountPoint` field, not just Discovery.
+* **bug fix:** `sys/mounts` returning HTTP 403 (token lacks `read` on `sys/mounts`) no longer crashes the job. The extension now logs a warning, defaults to KV v2, and continues normally.
+* **bug fix:** KV v1 engine version was not being cached after detection, causing a redundant `sys/mounts` call on every subsequent operation within the same job.
+* **fix:** `MountPoint` field now supports the `<namespace>/<mount>` format on Inventory and Management jobs. The namespace is parsed by splitting on the last `/`, supporting nested namespaces (e.g. `ep/common/secret` → namespace `ep/common`, mount `secret`). Previously this parsing only occurred for Discovery jobs.
+* **build:** Added `net10.0` to `TargetFrameworks` for compatibility with Universal Orchestrator 25.5.x.
+* **fix:** Management-Add against a file-format store (HCVKVPFX, HCVKVJKS, HCVKVP12) that was never successfully Created now auto-seeds an empty store and passphrase on first use rather than failing with a 404.
+* **fix:** `StorePath` trailing slash normalization now applied consistently for PEM and PKI store types regardless of whether the value came from store properties or the job configuration directly.
+* **fix:** `GetTokenPoliciesAsync` failure during job initialization no longer crashes the orchestrator process — errors are caught and logged at debug level.
+* **tests:** Added `hashicorp-vault-orchestrator.Tests` xUnit project covering KV version detection (including 403 fallback and caching), Enterprise namespace/mount parsing, CreateFileStore path correctness, and Management-Add write behavior.
+* **docs:** Updated README Security Considerations with `sys/mounts` permission requirement, a minimum recommended HCL policy example, and Vault Enterprise namespace guidance. Added Enterprise namespace parsing notes to all `MountPoint` field descriptions.
+
 ## 3.2.0
 * added parameter "PassphrasePath" to support custom passphrase path (no longer needs to be a secret named 'passphrase' on the same level)
 * added support for optional parameter on store path and passphrase path to indicate the property containing the value (if JSON secret)