feat(contrib/keyvault): add Azure Key Vault TokenStore

Makefile

@@ -170,20 +170,23 @@ test: ## Run tests (all modules)
 	go test -v ./...
 	cd sdk && go test -v ./...
 	cd plugins/contrib && go test -v ./...
+	cd plugins/contrib/microsoft/keyvault && go test -v ./...
 	cd admin && go test -tags dev -v ./...
 
 .PHONY: test-race
 test-race: ## Run tests with race detector
 	go test -race -v ./...
 	cd sdk && go test -race -v ./...
 	cd plugins/contrib && go test -race -v ./...
+	cd plugins/contrib/microsoft/keyvault && go test -race -v ./...
 	cd admin && go test -race -tags dev -v ./...
 
 .PHONY: test-cover
 test-cover: ## Run tests with coverage
 	go test -coverprofile=coverage.out ./...
 	cd sdk && go test -coverprofile=coverage-sdk.out ./...
 	cd plugins/contrib && go test -coverprofile=coverage-contrib.out ./...
+	cd plugins/contrib/microsoft/keyvault && go test -coverprofile=coverage-keyvault.out ./...
 	cd admin && go test -tags dev -coverprofile=coverage-admin.out ./...
 	go tool cover -html=coverage.out -o coverage.html
 	@echo "Coverage report: coverage.html"
@@ -325,6 +328,7 @@ lint: ## Run linters (all modules)
 		$(GOLANGCI_LINT) run && \
 		(cd sdk && $(GOLANGCI_LINT) run) && \
 		(cd plugins/contrib && $(GOLANGCI_LINT) run) && \
+		(cd plugins/contrib/microsoft/keyvault && $(GOLANGCI_LINT) run) && \
 		(cd admin && $(GOLANGCI_LINT) run --build-tags=dev); \
 	else \
 		echo "golangci-lint not installed. Run: make tools"; \
@@ -336,6 +340,7 @@ lint-fix: ## Run linters and fix issues
 	$(GOLANGCI_LINT) run --fix
 	cd sdk && $(GOLANGCI_LINT) run --fix
 	cd plugins/contrib && $(GOLANGCI_LINT) run --fix
+	cd plugins/contrib/microsoft/keyvault && $(GOLANGCI_LINT) run --fix
 	cd admin && $(GOLANGCI_LINT) run --fix --build-tags=dev
 
 .PHONY: fmt
@@ -346,6 +351,8 @@ fmt: ## Format code (all modules)
 	cd sdk && gofmt -s -w .
 	cd plugins/contrib && go fmt ./...
 	cd plugins/contrib && gofmt -s -w .
+	cd plugins/contrib/microsoft/keyvault && go fmt ./...
+	cd plugins/contrib/microsoft/keyvault && gofmt -s -w .
 	cd admin && go fmt ./...
 	cd admin && gofmt -s -w .
 
@@ -354,6 +361,7 @@ vet: ## Run go vet (all modules)
 	go vet ./...
 	cd sdk && go vet ./...
 	cd plugins/contrib && go vet ./...
+	cd plugins/contrib/microsoft/keyvault && go vet ./...
 	cd admin && go vet -tags dev ./...
 
 .PHONY: tidy
@@ -362,6 +370,7 @@ tidy: ## Tidy and verify go.mod (all modules)
 	go mod verify
 	cd sdk && go mod tidy
 	cd plugins/contrib && go mod tidy && go mod verify
+	cd plugins/contrib/microsoft/keyvault && go mod tidy && go mod verify
 	cd admin && go mod tidy
 
 .PHONY: gosec

docs/guides/onboarding-refresh-tokens.md

@@ -123,6 +123,56 @@ store := microsoft.NewFileStore("/var/lib/chaperone/tokens")
 
 Each tenant gets a single file. The base directory is created automatically at runtime when Microsoft rotates the token.
 
+### Azure Key Vault
+
+[`keyvault.Store`](../reference/contrib-plugins.md#microsoft-keyvault-store) persists each tenant's refresh token as a Key Vault secret. The secret name is `{prefix}{hex(sha256(tenantID))}`; the original tenantID is preserved on the `tenantID` tag. `chaperone-onboard` has no dedicated Key Vault subcommand — pipe stdout directly into `az keyvault secret set`.
+
+**Prerequisites:**
+
+- An Azure Key Vault with the identity running chaperone granted `Key Vault Secrets Officer` (or equivalent `get` + `set` access policy).
+- The Azure CLI (`az`) logged in as a principal with `set` permission.
+- `shasum` or `sha256sum` available locally (any POSIX system has one).
+
+**Seed one tenant:**
+
+```bash
+TENANT="contoso.onmicrosoft.com"
+PREFIX="chaperone-rt-"  # must match keyvault.Config.Prefix (default shown)
+HASH=$(printf '%s' "$TENANT" | shasum -a 256 | awk '{print $1}')
+SECRET_NAME="${PREFIX}${HASH}"
+
+export CHAPERONE_ONBOARD_CLIENT_SECRET='your-app-secret'
+
+chaperone-onboard microsoft \
+    -tenant "$TENANT" \
+    -client-id 12345678-abcd-1234-abcd-1234567890ab \
+  | az keyvault secret set \
+      --vault-name myvault \
+      --name "$SECRET_NAME" \
+      --file /dev/stdin \
+      --tags "tenantID=$TENANT" "managedBy=chaperone" \
+      --output none
+```
+
+> **Keep the prefix aligned.** If you customize `keyvault.Config.Prefix` (e.g., `"env-staging-"` to namespace multiple environments in a shared vault), use the same prefix when computing `SECRET_NAME` above. Otherwise the proxy will look for a different secret name than the one you created and return `ErrTenantNotFound`.
+
+After seeding, point the proxy at the vault:
+
+```go
+import (
+    "github.com/Azure/azure-sdk-for-go/sdk/azidentity"
+    "github.com/cloudblue/chaperone/plugins/contrib/microsoft/keyvault"
+)
+
+cred, _ := azidentity.NewDefaultAzureCredential(nil)
+store, _ := keyvault.NewStore(keyvault.Config{
+    VaultURL:   "https://myvault.vault.azure.net/",
+    Credential: cred,
+})
+```
+
+Rotations land as new secret versions; `Load` always reads the latest.
+
 ### Other backends
 
 - **Vault:** Use the Vault CLI or API to write the token to the expected KV path. See the [Vault-backed skeleton](../reference/contrib-plugins.md#vault-backed-tokenstore) in the contrib reference.

docs/reference/contrib-plugins.md

@@ -727,6 +727,118 @@ Seed each tenant with [`chaperone-onboard microsoft`](../guides/onboarding-refre
   fabrikam.onmicrosoft.com
 ```
 
+<a id="microsoft-keyvault-store"></a>
+### Microsoft `keyvault.Store`
+
+```go
+type Store struct{ /* unexported */ }
+```
+
+An Azure Key Vault-backed [`TokenStore`](#tokenstoremicrosoft) that stores one refresh token per tenant as a Key Vault secret. Lives in the separate submodule `github.com/cloudblue/chaperone/plugins/contrib/microsoft/keyvault` so the Azure SDK dependencies do not leak into consumers that use only `FileStore` or other contrib building blocks.
+
+```go
+import "github.com/cloudblue/chaperone/plugins/contrib/microsoft/keyvault"
+```
+
+#### `Config`
+
+```go
+type Config struct {
+    VaultURL      string                  // required, e.g. "https://myvault.vault.azure.net/"
+    Credential    azcore.TokenCredential  // required
+    Prefix        string                  // default: "chaperone-rt-"
+    ClientOptions *azsecrets.ClientOptions
+    Logger        *slog.Logger
+}
+```
+
+| Field | Description |
+|-------|-------------|
+| `VaultURL` | The Key Vault URL. Standard vaults only (`*.vault.azure.net` or sovereign-cloud equivalents). Managed HSM is not tested. |
+| `Credential` | Any [`azcore.TokenCredential`](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azcore#TokenCredential) — the distributor constructs it from `azidentity` (`NewDefaultAzureCredential`, `NewManagedIdentityCredential`, `NewWorkloadIdentityCredential`, `NewClientSecretCredential`, etc.). |
+| `Prefix` | Prepended to every secret name. Override to namespace multiple environments in a shared vault. |
+| `ClientOptions` | Passed through to `azsecrets.NewClient`. Use to configure retry policy, transport, etc. |
+| `Logger` | Structured logger for warnings. Resolved lazily — `nil` means `slog.Default()` is used at log-emit time. |
+
+#### `NewStore`
+
+```go
+func NewStore(cfg Config) (*Store, error)
+```
+
+Constructs a `Store`. Returns an error if `VaultURL` or `Credential` is missing, or if the underlying `azsecrets` client fails to initialize. Unlike [`NewFileStore`](#newfilestore), it returns an error instead of panicking on misconfiguration — a Key Vault store typically runs far from the local disk, so fail-fast with an error is more operationally friendly.
+
+#### Secret naming
+
+Each tenant maps to a secret named `{Prefix}{hex(sha256(tenantID))}`. SHA-256 hex is used because:
+
+- Key Vault secret names are restricted to `^[0-9a-zA-Z-]{1,127}$` — no dots allowed. Valid tenantIDs may contain dots (`contoso.onmicrosoft.com`), so a naive encoding would fail.
+- A naive "dot→hyphen" substitution would collide (`my-a.b` and `my.a-b` both map to `my-a-b`). SHA-256 guarantees collision resistance.
+- Secret names appear in Azure Activity Log entries; hashing the tenantID keeps tenant identities out of the audit log.
+
+The original `tenantID` is preserved on each secret as the `tenantID` tag for operator visibility in the Azure portal. Chaperone also adds a `managedBy: chaperone` tag.
+
+#### RBAC
+
+The identity backing `Credential` needs Get and Set permissions on secrets in the vault. Either:
+
+- **Azure RBAC**: `Key Vault Secrets User` (read) + `Key Vault Secrets Officer` (write) — scope to the vault. If write access is already covered, `Key Vault Secrets Officer` alone suffices.
+- **Access Policies**: `get` + `set` on secrets.
+
+`list`, `delete`, and `recover` are **not** required.
+
+#### Error behavior
+
+| Method | Condition | Error |
+|--------|-----------|-------|
+| `Load` | Secret does not exist (`SecretNotFound`, HTTP 404) | Wraps [`ErrTenantNotFound`](#sentinel-errors) |
+| `Load` | Any other Key Vault failure (HTTP 403, 429, 5xx, network error) | Wrapped SDK error (not `ErrTenantNotFound`) |
+| `Load` / `Save` | Invalid `tenantID` | Validation error (not `ErrTenantNotFound`) |
+| `Save` | Empty `refreshToken` | Returns an error |
+
+Throttling (HTTP 429) is handled by the Azure SDK's default retry pipeline, which honors `Retry-After` automatically.
+
+#### Example: `DefaultAzureCredential`
+
+```go
+import (
+    "github.com/Azure/azure-sdk-for-go/sdk/azidentity"
+    "github.com/cloudblue/chaperone/plugins/contrib/microsoft"
+    "github.com/cloudblue/chaperone/plugins/contrib/microsoft/keyvault"
+)
+
+cred, err := azidentity.NewDefaultAzureCredential(nil)
+if err != nil { /* ... */ }
+
+store, err := keyvault.NewStore(keyvault.Config{
+    VaultURL:   "https://myvault.vault.azure.net/",
+    Credential: cred,
+})
+if err != nil { /* ... */ }
+
+source := microsoft.NewRefreshTokenSource(microsoft.Config{
+    ClientID:     os.Getenv("MS_CLIENT_ID"),
+    ClientSecret: os.Getenv("MS_CLIENT_SECRET"),
+    Store:        store,
+})
+```
+
+#### Example: `ManagedIdentityCredential` (AKS pod with system-assigned identity)
+
+```go
+cred, err := azidentity.NewManagedIdentityCredential(nil)
+```
+
+#### Example: `WorkloadIdentityCredential` (AKS workload identity)
+
+```go
+cred, err := azidentity.NewWorkloadIdentityCredential(nil)
+```
+
+#### Seeding tenants
+
+See the [Azure Key Vault section](../guides/onboarding-refresh-tokens.md#azure-key-vault) of the onboarding guide for the operator workflow.
+
 ---
 
 ## Sentinel errors

go.mod

@@ -31,9 +31,9 @@ require (
 	go.opentelemetry.io/otel/metric v1.43.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.10.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.3 // indirect
-	golang.org/x/net v0.52.0 // indirect
-	golang.org/x/sys v0.42.0 // indirect
-	golang.org/x/text v0.35.0 // indirect
+	golang.org/x/net v0.53.0 // indirect
+	golang.org/x/sys v0.43.0 // indirect
+	golang.org/x/text v0.36.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9 // indirect
 	google.golang.org/grpc v1.80.0 // indirect

go.sum

@@ -67,12 +67,10 @@ go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
 go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
-golang.org/x/net v0.52.0 h1:He/TN1l0e4mmR3QqHMT2Xab3Aj3L9qjbhRm78/6jrW0=
-golang.org/x/net v0.52.0/go.mod h1:R1MAz7uMZxVMualyPXb+VaqGSa3LIaUqk0eEt3w36Sw=
-golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo=
-golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
-golang.org/x/text v0.35.0 h1:JOVx6vVDFokkpaq1AEptVzLTpDe9KGpj5tR4/X+ybL8=
-golang.org/x/text v0.35.0/go.mod h1:khi/HExzZJ2pGnjenulevKNX1W67CUy0AsXcNubPGCA=
+golang.org/x/net v0.53.0 h1:d+qAbo5L0orcWAr0a9JweQpjXF19LMXJE8Ey7hwOdUA=
+golang.org/x/net v0.53.0/go.mod h1:JvMuJH7rrdiCfbeHoo3fCQU24Lf5JJwT9W3sJFulfgs=
+golang.org/x/sys v0.43.0 h1:Rlag2XtaFTxp19wS8MXlJwTvoh8ArU6ezoyFsMyCTNI=
+golang.org/x/text v0.36.0 h1:JfKh3XmcRPqZPKevfXVpI1wXPTqbkE5f7JA92a55Yxg=
 gonum.org/v1/gonum v0.17.0 h1:VbpOemQlsSMrYmn7T2OUvQ4dqxQXU+ouZFQsZOx50z4=
 gonum.org/v1/gonum v0.17.0/go.mod h1:El3tOrEuMpv2UdMrbNlKEh9vd86bmQ6vqIcDwxEOc1E=
 google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9 h1:VPWxll4HlMw1Vs/qXtN7BvhZqsS9cdAittCNvVENElA=

go.work

@@ -3,6 +3,7 @@ go 1.26.2
 use (
 	.
 	./plugins/contrib
+	./plugins/contrib/microsoft/keyvault
 	./sdk
   ./admin
 )

go.work.sum

@@ -0,0 +1,51 @@
+cel.dev/expr v0.25.1/go.mod h1:hrXvqGP6G6gyx8UAHSHJ5RGk//1Oj5nXQ2NI02Nrsg4=
+cloud.google.com/go/compute/metadata v0.9.0/go.mod h1:E0bWwX5wTnLPedCKqk3pJmVgCBSM6qQI1yTBdEb3C10=
+github.com/Azure/azure-sdk-for-go/sdk/azcore v1.19.1/go.mod h1:YD5h/ldMsG0XiIw7PdyNhLxaM317eFh5yNLccNfGdyw=
+github.com/Azure/azure-sdk-for-go/sdk/azcore v1.21.1 h1:jHb/wfvRikGdxMXYV3QG/SzUOPYN9KEUUuC0Yd0/vC0=
+github.com/Azure/azure-sdk-for-go/sdk/azcore v1.21.1/go.mod h1:pzBXCYn05zvYIrwLgtK8Ap8QcjRg+0i76tMQdWN6wOk=
+github.com/Azure/azure-sdk-for-go/sdk/internal v1.12.0 h1:fhqpLE3UEXi9lPaBRpQ6XuRW0nU7hgg4zlmZZa+a9q4=
+github.com/Azure/azure-sdk-for-go/sdk/internal v1.12.0/go.mod h1:7dCRMLwisfRH3dBupKeNCioWYUZ4SS09Z14H+7i8ZoY=
+github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v1.4.0/go.mod h1:gpl+q95AzZlKVI3xSoseF9QPrypk0hQqBiJYeB/cR/I=
+github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.31.0/go.mod h1:P4WPRUkOhJC13W//jWpyfJNDAIpvRbAUIYLX/4jtlE0=
+github.com/alecthomas/kingpin/v2 v2.4.0/go.mod h1:0gyi0zQnjuFk8xrkNKamJoyUo382HRL7ATRpFZCw6tE=
+github.com/alecthomas/units v0.0.0-20240927000941-0f3dac36c52b/go.mod h1:fvzegU4vN3H1qMT+8wDmzjAcDONcgo2/SZ/TyfdUOFs=
+github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
+github.com/cloudblue/chaperone/plugins/contrib v0.1.0/go.mod h1:ZLjFwm8WU12NbjQTWHLMlKuw0Fn5SYZtuv8mMkzAhEI=
+github.com/cloudblue/chaperone/plugins/contrib v0.1.1/go.mod h1:ZLjFwm8WU12NbjQTWHLMlKuw0Fn5SYZtuv8mMkzAhEI=
+github.com/cncf/xds/go v0.0.0-20251210132809-ee656c7534f5/go.mod h1:KdCmV+x/BuvyMxRnYBlmVaq4OLiKW6iRQfvC62cvdkI=
+github.com/envoyproxy/go-control-plane v0.14.0/go.mod h1:NcS5X47pLl/hfqxU70yPwL9ZMkUlwlKxtAohpi2wBEU=
+github.com/envoyproxy/go-control-plane/envoy v1.36.0/go.mod h1:ty89S1YCCVruQAm9OtKeEkQLTb+Lkz0k8v9W0Oxsv98=
+github.com/envoyproxy/go-control-plane/ratelimit v0.1.0/go.mod h1:Wk+tMFAFbCXaJPzVVHnPgRKdUdwW/KdbRt94AzgRee4=
+github.com/envoyproxy/protoc-gen-validate v1.3.0/go.mod h1:HvYl7zwPa5mffgyeTUHA9zHIH36nmrm7oCbo4YKoSWA=
+github.com/go-jose/go-jose/v4 v4.1.3/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
+github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
+github.com/golang/glog v1.2.5/go.mod h1:6AhwSGph0fcJtXVM/PEHPqZlFeoLxhs7/t5UDAwmO+w=
+github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4=
+github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
+github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
+github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
+github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10/go.mod h1:t/avpk3KcrXxUnYOhZhMXJlSEyie6gQbtLq5NM3loB8=
+github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
+github.com/spiffe/go-spiffe/v2 v2.6.0/go.mod h1:gm2SeUoMZEtpnzPNs2Csc0D/gX33k1xIx7lEzqblHEs=
+github.com/xhit/go-str2duration/v2 v2.1.0/go.mod h1:ohY8p+0f07DiV6Em5LKB0s2YpLtXVyJfNt1+BlmyAsU=
+go.opentelemetry.io/contrib/detectors/gcp v1.39.0/go.mod h1:t/OGqzHBa5v6RHZwrDBJ2OirWc+4q/w2fTbLZwAKjTk=
+go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
+golang.org/x/crypto v0.49.0/go.mod h1:ErX4dUh2UM+CFYiXZRTcMpEcN8b/1gxEuv3nODoYtCA=
+golang.org/x/crypto v0.50.0/go.mod h1:3muZ7vA7PBCE6xgPX7nkzzjiUq87kRItoJQM1Yo8S+Q=
+golang.org/x/mod v0.33.0/go.mod h1:swjeQEj+6r7fODbD2cqrnje9PnziFuw4bmLbBZFrQ5w=
+golang.org/x/mod v0.34.0/go.mod h1:ykgH52iCZe79kzLLMhyCUzhMci+nQj+0XkbXpNYtVjY=
+golang.org/x/net v0.53.0 h1:d+qAbo5L0orcWAr0a9JweQpjXF19LMXJE8Ey7hwOdUA=
+golang.org/x/net v0.53.0/go.mod h1:JvMuJH7rrdiCfbeHoo3fCQU24Lf5JJwT9W3sJFulfgs=
+golang.org/x/oauth2 v0.35.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
+golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
+golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
+golang.org/x/sys v0.43.0 h1:Rlag2XtaFTxp19wS8MXlJwTvoh8ArU6ezoyFsMyCTNI=
+golang.org/x/sys v0.43.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/term v0.41.0/go.mod h1:3pfBgksrReYfZ5lvYM0kSO0LIkAl4Yl2bXOkKP7Ec2A=
+golang.org/x/term v0.42.0/go.mod h1:Dq/D+snpsbazcBG5+F9Q1n2rXV8Ma+71xEjTRufARgY=
+golang.org/x/text v0.36.0 h1:JfKh3XmcRPqZPKevfXVpI1wXPTqbkE5f7JA92a55Yxg=
+golang.org/x/text v0.36.0/go.mod h1:NIdBknypM8iqVmPiuco0Dh6P5Jcdk8lJL0CUebqK164=
+golang.org/x/tools v0.42.0/go.mod h1:Ma6lCIwGZvHK6XtgbswSoWroEkhugApmsXyrUmBhfr0=
+golang.org/x/tools v0.43.0/go.mod h1:uHkMso649BX2cZK6+RpuIPXS3ho2hZo4FVwfoy1vIk0=

plugins/contrib/go.mod

@@ -4,4 +4,4 @@ go 1.26.2
 
 require github.com/cloudblue/chaperone/sdk v0.1.0
 
-require golang.org/x/sync v0.19.0
+require golang.org/x/sync v0.20.0

plugins/contrib/go.sum

@@ -1,4 +1,3 @@
 github.com/cloudblue/chaperone/sdk v0.1.0 h1:OsrqjLfcaP35eSRLzsmL1r6wYf4IkmE/WG17GSCdgIE=
 github.com/cloudblue/chaperone/sdk v0.1.0/go.mod h1:p6JOMXPqVfm8EqvnyDAozgrmkvhfbs1O32am/dthnFc=
-golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
-golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=

plugins/contrib/microsoft/filestore.go

@@ -21,7 +21,7 @@ import (
 // directory, synced to disk, and then renamed to the target path. This
 // prevents corruption from a crash mid-write.
 //
-// TenantIDs are validated against [validTenantID] to prevent path traversal,
+// TenantIDs are validated against [ValidateTenantID] to prevent path traversal,
 // regardless of whether the caller has already validated them.
 //
 // It is safe for concurrent use from multiple goroutines.
@@ -41,7 +41,7 @@ func NewFileStore(baseDir string) *FileStore {
 // Load retrieves the current refresh token for the given tenant.
 // Returns [contrib.ErrTenantNotFound] if no token file exists.
 func (f *FileStore) Load(_ context.Context, tenantID string) (string, error) {
-	if err := validateTenantID(tenantID); err != nil {
+	if err := ValidateTenantID(tenantID); err != nil {
 		return "", err
 	}
 
@@ -61,7 +61,7 @@ func (f *FileStore) Load(_ context.Context, tenantID string) (string, error) {
 
 // Save persists a rotated refresh token to disk atomically.
 func (f *FileStore) Save(_ context.Context, tenantID, refreshToken string) error {
-	if err := validateTenantID(tenantID); err != nil {
+	if err := ValidateTenantID(tenantID); err != nil {
 		return err
 	}
 	if refreshToken == "" {
@@ -113,18 +113,3 @@ func (f *FileStore) Save(_ context.Context, tenantID, refreshToken string) error
 func (f *FileStore) tokenPath(tenantID string) string {
 	return filepath.Join(f.baseDir, tenantID)
 }
-
-// validateTenantID rejects tenant IDs that could cause path traversal.
-// This is defense-in-depth: RefreshTokenSource also validates, but FileStore
-// is a public type and must not rely on callers for safety.
-func validateTenantID(tenantID string) error {
-	if !validTenantID.MatchString(tenantID) {
-		display := tenantID
-		if len(display) > 64 {
-			display = display[:64] + "..."
-		}
-		return fmt.Errorf("invalid tenant ID %q: must match %s",
-			display, validTenantID.String())
-	}
-	return nil
-}