feat: Implement Dapr.SecretsManagement as a purpose-specific client

.github/workflows/sdk_build.yml

@@ -356,7 +356,8 @@ jobs:
           files=$(ls packages/*.nupkg | jq -R -s -c '
             split("\n")[:-1]
             | map(select(
-                (test("/Dapr\\.Workflow\\.Versioning\\.(Abstractions|Generators|Runtime)\\.")) | not
+                ((test("/Dapr\\.Workflow\\.Versioning\\.(Abstractions|Generators|Runtime)\\.")) | not) and
+                ((test("/Dapr\\.SecretsManagement\\.(Abstractions|Generators|Runtime)\\.")) | not)
               ))
           ')
           echo "matrix=$files" >> $GITHUB_OUTPUT

all.sln

@@ -260,6 +260,19 @@ Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Dapr.IntegrationTest.Actors
 EndProject
 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "WorkflowRetryPolicy", "examples\Workflow\WorkflowRetryPolicy\WorkflowRetryPolicy.csproj", "{6C77A2C4-0A96-4B90-AFEA-16E86A906259}"
 EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Dapr.SecretsManagement.Abstractions", "src\Dapr.SecretsManagement.Abstractions\Dapr.SecretsManagement.Abstractions.csproj", "{366FA402-B13D-4EE2-9BA4-A0C3134C6C6E}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Dapr.SecretsManagement.Runtime", "src\Dapr.SecretsManagement.Runtime\Dapr.SecretsManagement.Runtime.csproj", "{F99CE5A1-FDA1-415C-B1E6-C8787734ACD2}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Dapr.SecretsManagement.Generators", "src\Dapr.SecretsManagement.Generators\Dapr.SecretsManagement.Generators.csproj", "{B42DD6AA-255C-4606-8A1B-263B26650DED}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Dapr.SecretsManagement", "src\Dapr.SecretsManagement\Dapr.SecretsManagement.csproj", "{1BECAC48-1C83-43D2-A91F-9AFA634A68C7}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Dapr.SecretsManagement.Runtime.Test", "test\Dapr.SecretsManagement.Runtime.Test\Dapr.SecretsManagement.Runtime.Test.csproj", "{87842296-C78B-42B9-8E96-5054E79CD700}"
+EndProject
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "SecretManagement", "SecretManagement", "{929A8AD2-DB45-B92A-7930-EBDD2DBAF802}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "SecretManagementSample", "examples\SecretManagement\SecretManagementSample\SecretManagementSample.csproj", "{ED74B33F-3CE7-42EB-BAA1-623F43900B15}"
 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Dapr.AI.Microsoft.Extensions.Test", "test\Dapr.AI.Microsoft.Extensions.Test\Dapr.AI.Microsoft.Extensions.Test.csproj", "{86CBB08F-601A-4B0B-87BF-383D391A961C}"
 EndProject
 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Dapr.DistributedLock.Test", "test\Dapr.DistributedLock.Test\Dapr.DistributedLock.Test.csproj", "{2B8E9CAD-F9A2-43B9-BB1C-619CF64476A0}"
@@ -1498,6 +1511,78 @@ Global
 		{A1B2C3D4-E5F6-7890-ABCD-EF1234567890}.Release|x64.Build.0 = Release|Any CPU
 		{A1B2C3D4-E5F6-7890-ABCD-EF1234567890}.Release|x86.ActiveCfg = Release|Any CPU
 		{A1B2C3D4-E5F6-7890-ABCD-EF1234567890}.Release|x86.Build.0 = Release|Any CPU
+		{366FA402-B13D-4EE2-9BA4-A0C3134C6C6E}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{366FA402-B13D-4EE2-9BA4-A0C3134C6C6E}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{366FA402-B13D-4EE2-9BA4-A0C3134C6C6E}.Debug|x64.ActiveCfg = Debug|Any CPU
+		{366FA402-B13D-4EE2-9BA4-A0C3134C6C6E}.Debug|x64.Build.0 = Debug|Any CPU
+		{366FA402-B13D-4EE2-9BA4-A0C3134C6C6E}.Debug|x86.ActiveCfg = Debug|Any CPU
+		{366FA402-B13D-4EE2-9BA4-A0C3134C6C6E}.Debug|x86.Build.0 = Debug|Any CPU
+		{366FA402-B13D-4EE2-9BA4-A0C3134C6C6E}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{366FA402-B13D-4EE2-9BA4-A0C3134C6C6E}.Release|Any CPU.Build.0 = Release|Any CPU
+		{366FA402-B13D-4EE2-9BA4-A0C3134C6C6E}.Release|x64.ActiveCfg = Release|Any CPU
+		{366FA402-B13D-4EE2-9BA4-A0C3134C6C6E}.Release|x64.Build.0 = Release|Any CPU
+		{366FA402-B13D-4EE2-9BA4-A0C3134C6C6E}.Release|x86.ActiveCfg = Release|Any CPU
+		{366FA402-B13D-4EE2-9BA4-A0C3134C6C6E}.Release|x86.Build.0 = Release|Any CPU
+		{F99CE5A1-FDA1-415C-B1E6-C8787734ACD2}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{F99CE5A1-FDA1-415C-B1E6-C8787734ACD2}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{F99CE5A1-FDA1-415C-B1E6-C8787734ACD2}.Debug|x64.ActiveCfg = Debug|Any CPU
+		{F99CE5A1-FDA1-415C-B1E6-C8787734ACD2}.Debug|x64.Build.0 = Debug|Any CPU
+		{F99CE5A1-FDA1-415C-B1E6-C8787734ACD2}.Debug|x86.ActiveCfg = Debug|Any CPU
+		{F99CE5A1-FDA1-415C-B1E6-C8787734ACD2}.Debug|x86.Build.0 = Debug|Any CPU
+		{F99CE5A1-FDA1-415C-B1E6-C8787734ACD2}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{F99CE5A1-FDA1-415C-B1E6-C8787734ACD2}.Release|Any CPU.Build.0 = Release|Any CPU
+		{F99CE5A1-FDA1-415C-B1E6-C8787734ACD2}.Release|x64.ActiveCfg = Release|Any CPU
+		{F99CE5A1-FDA1-415C-B1E6-C8787734ACD2}.Release|x64.Build.0 = Release|Any CPU
+		{F99CE5A1-FDA1-415C-B1E6-C8787734ACD2}.Release|x86.ActiveCfg = Release|Any CPU
+		{F99CE5A1-FDA1-415C-B1E6-C8787734ACD2}.Release|x86.Build.0 = Release|Any CPU
+		{B42DD6AA-255C-4606-8A1B-263B26650DED}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{B42DD6AA-255C-4606-8A1B-263B26650DED}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{B42DD6AA-255C-4606-8A1B-263B26650DED}.Debug|x64.ActiveCfg = Debug|Any CPU
+		{B42DD6AA-255C-4606-8A1B-263B26650DED}.Debug|x64.Build.0 = Debug|Any CPU
+		{B42DD6AA-255C-4606-8A1B-263B26650DED}.Debug|x86.ActiveCfg = Debug|Any CPU
+		{B42DD6AA-255C-4606-8A1B-263B26650DED}.Debug|x86.Build.0 = Debug|Any CPU
+		{B42DD6AA-255C-4606-8A1B-263B26650DED}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{B42DD6AA-255C-4606-8A1B-263B26650DED}.Release|Any CPU.Build.0 = Release|Any CPU
+		{B42DD6AA-255C-4606-8A1B-263B26650DED}.Release|x64.ActiveCfg = Release|Any CPU
+		{B42DD6AA-255C-4606-8A1B-263B26650DED}.Release|x64.Build.0 = Release|Any CPU
+		{B42DD6AA-255C-4606-8A1B-263B26650DED}.Release|x86.ActiveCfg = Release|Any CPU
+		{B42DD6AA-255C-4606-8A1B-263B26650DED}.Release|x86.Build.0 = Release|Any CPU
+		{1BECAC48-1C83-43D2-A91F-9AFA634A68C7}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{1BECAC48-1C83-43D2-A91F-9AFA634A68C7}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{1BECAC48-1C83-43D2-A91F-9AFA634A68C7}.Debug|x64.ActiveCfg = Debug|Any CPU
+		{1BECAC48-1C83-43D2-A91F-9AFA634A68C7}.Debug|x64.Build.0 = Debug|Any CPU
+		{1BECAC48-1C83-43D2-A91F-9AFA634A68C7}.Debug|x86.ActiveCfg = Debug|Any CPU
+		{1BECAC48-1C83-43D2-A91F-9AFA634A68C7}.Debug|x86.Build.0 = Debug|Any CPU
+		{1BECAC48-1C83-43D2-A91F-9AFA634A68C7}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{1BECAC48-1C83-43D2-A91F-9AFA634A68C7}.Release|Any CPU.Build.0 = Release|Any CPU
+		{1BECAC48-1C83-43D2-A91F-9AFA634A68C7}.Release|x64.ActiveCfg = Release|Any CPU
+		{1BECAC48-1C83-43D2-A91F-9AFA634A68C7}.Release|x64.Build.0 = Release|Any CPU
+		{1BECAC48-1C83-43D2-A91F-9AFA634A68C7}.Release|x86.ActiveCfg = Release|Any CPU
+		{1BECAC48-1C83-43D2-A91F-9AFA634A68C7}.Release|x86.Build.0 = Release|Any CPU
+		{87842296-C78B-42B9-8E96-5054E79CD700}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{87842296-C78B-42B9-8E96-5054E79CD700}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{87842296-C78B-42B9-8E96-5054E79CD700}.Debug|x64.ActiveCfg = Debug|Any CPU
+		{87842296-C78B-42B9-8E96-5054E79CD700}.Debug|x64.Build.0 = Debug|Any CPU
+		{87842296-C78B-42B9-8E96-5054E79CD700}.Debug|x86.ActiveCfg = Debug|Any CPU
+		{87842296-C78B-42B9-8E96-5054E79CD700}.Debug|x86.Build.0 = Debug|Any CPU
+		{87842296-C78B-42B9-8E96-5054E79CD700}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{87842296-C78B-42B9-8E96-5054E79CD700}.Release|Any CPU.Build.0 = Release|Any CPU
+		{87842296-C78B-42B9-8E96-5054E79CD700}.Release|x64.ActiveCfg = Release|Any CPU
+		{87842296-C78B-42B9-8E96-5054E79CD700}.Release|x64.Build.0 = Release|Any CPU
+		{87842296-C78B-42B9-8E96-5054E79CD700}.Release|x86.ActiveCfg = Release|Any CPU
+		{87842296-C78B-42B9-8E96-5054E79CD700}.Release|x86.Build.0 = Release|Any CPU
+		{ED74B33F-3CE7-42EB-BAA1-623F43900B15}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{ED74B33F-3CE7-42EB-BAA1-623F43900B15}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{ED74B33F-3CE7-42EB-BAA1-623F43900B15}.Debug|x64.ActiveCfg = Debug|Any CPU
+		{ED74B33F-3CE7-42EB-BAA1-623F43900B15}.Debug|x64.Build.0 = Debug|Any CPU
+		{ED74B33F-3CE7-42EB-BAA1-623F43900B15}.Debug|x86.ActiveCfg = Debug|Any CPU
+		{ED74B33F-3CE7-42EB-BAA1-623F43900B15}.Debug|x86.Build.0 = Debug|Any CPU
+		{ED74B33F-3CE7-42EB-BAA1-623F43900B15}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{ED74B33F-3CE7-42EB-BAA1-623F43900B15}.Release|Any CPU.Build.0 = Release|Any CPU
+		{ED74B33F-3CE7-42EB-BAA1-623F43900B15}.Release|x64.ActiveCfg = Release|Any CPU
+		{ED74B33F-3CE7-42EB-BAA1-623F43900B15}.Release|x64.Build.0 = Release|Any CPU
+		{ED74B33F-3CE7-42EB-BAA1-623F43900B15}.Release|x86.ActiveCfg = Release|Any CPU
+		{ED74B33F-3CE7-42EB-BAA1-623F43900B15}.Release|x86.Build.0 = Release|Any CPU
 		{8777EAD2-419B-4683-826A-82B7C1F4F69F}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
 		{8777EAD2-419B-4683-826A-82B7C1F4F69F}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{8777EAD2-419B-4683-826A-82B7C1F4F69F}.Debug|x64.ActiveCfg = Debug|Any CPU
@@ -1681,6 +1766,13 @@ Global
 		{01A20A89-53A1-4D5B-B563-89E157718474} = {8462B106-175A-423A-BA94-BE0D39D0BD8E}
 		{7B14879F-156B-417E-ACA3-0B5A69CC2F39} = {8462B106-175A-423A-BA94-BE0D39D0BD8E}
 		{A1B2C3D4-E5F6-7890-ABCD-EF1234567890} = {8462B106-175A-423A-BA94-BE0D39D0BD8E}
+		{366FA402-B13D-4EE2-9BA4-A0C3134C6C6E} = {27C5D71D-0721-4221-9286-B94AB07B58CF}
+		{F99CE5A1-FDA1-415C-B1E6-C8787734ACD2} = {27C5D71D-0721-4221-9286-B94AB07B58CF}
+		{B42DD6AA-255C-4606-8A1B-263B26650DED} = {27C5D71D-0721-4221-9286-B94AB07B58CF}
+		{1BECAC48-1C83-43D2-A91F-9AFA634A68C7} = {27C5D71D-0721-4221-9286-B94AB07B58CF}
+		{87842296-C78B-42B9-8E96-5054E79CD700} = {DD020B34-460F-455F-8D17-CF4A949F100B}
+		{929A8AD2-DB45-B92A-7930-EBDD2DBAF802} = {D687DDC4-66C5-4667-9E3A-FD8B78ECAA78}
+		{ED74B33F-3CE7-42EB-BAA1-623F43900B15} = {929A8AD2-DB45-B92A-7930-EBDD2DBAF802}
 		{6C77A2C4-0A96-4B90-AFEA-16E86A906259} = {BF3ED6BF-ADF3-4D25-8E89-02FB8D945CA9}
 		{86CBB08F-601A-4B0B-87BF-383D391A961C} = {0AF0FE8D-C234-4F04-8514-32206ACE01BD}
 		{2B8E9CAD-F9A2-43B9-BB1C-619CF64476A0} = {0AF0FE8D-C234-4F04-8514-32206ACE01BD}

examples/SecretManagement/README.md

@@ -0,0 +1,37 @@
+# Dapr Secrets Management Sample
+
+This sample demonstrates how to use the Dapr Secrets Management SDK to retrieve secrets from Dapr secret store components.
+
+## Features Demonstrated
+
+1. **Direct secret retrieval** — Using `DaprSecretsManagementClient` to fetch individual or bulk secrets via gRPC.
+2. **Typed secret stores** — Using the `[SecretStore]` and `[Secret]` attributes with the source generator to create strongly-typed secret accessors.
+3. **Dependency injection** — Registering the secrets client and typed stores via `IServiceCollection` extensions.
+
+## Prerequisites
+
+- [Dapr CLI](https://docs.dapr.io/getting-started/install-dapr-cli/)
+- [.NET 10 SDK](https://dotnet.microsoft.com/download/dotnet/10.0)
+- A configured Dapr secret store component (e.g., local file, Kubernetes secrets, Azure Key Vault)
+
+## Running the Sample
+
+```bash
+dapr run --app-id secret-sample --app-port 6543 -- dotnet run
+```
+
+## Endpoints
+
+| Method | Path | Description |
+|--------|------|-------------|
+| GET | `/secrets/{storeName}/{key}` | Retrieve a single secret by key |
+| GET | `/secrets/{storeName}` | Retrieve all secrets from a store |
+| GET | `/typed-secrets` | Retrieve secrets using the source-generated typed store |
+
+## NuGet Package Note
+
+When consuming from NuGet, install the single **`Dapr.SecretsManagement`** package. The sub-projects (`Abstractions`, `Runtime`, `Generators`) are bundled into this one package and are not published individually.
+
+```xml
+<PackageReference Include="Dapr.SecretsManagement" Version="<version>" />
+```

examples/SecretManagement/SecretManagementSample/IMyVaultSecrets.cs

@@ -0,0 +1,40 @@
+// ------------------------------------------------------------------------
+//  Copyright 2026 The Dapr Authors
+//  Licensed under the Apache License, Version 2.0 (the "License");
+//  you may not use this file except in compliance with the License.
+//  You may obtain a copy of the License at
+//      http://www.apache.org/licenses/LICENSE-2.0
+//  Unless required by applicable law or agreed to in writing, software
+//  distributed under the License is distributed on an "AS IS" BASIS,
+//  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//  See the License for the specific language governing permissions and
+//  limitations under the License.
+//  ------------------------------------------------------------------------
+
+using Dapr.SecretsManagement.Abstractions;
+
+namespace SecretManagementSample;
+
+/// <summary>
+/// Example of a typed secret store interface. Apply the <see cref="SecretStoreAttribute"/> to an interface
+/// and the Dapr Secrets Management source generator will produce:
+///   1. A concrete implementation that caches secrets loaded at startup.
+///   2. A DI registration extension method (e.g., <c>AddMyVaultSecrets()</c>).
+///
+/// Properties without <see cref="SecretAttribute"/> use the property name as the secret key.
+/// Properties with <see cref="SecretAttribute"/> use the specified secret name.
+/// </summary>
+[SecretStore("my-vault")]
+public partial interface IMyVaultSecrets
+{
+    /// <summary>
+    /// The database connection string, retrieved from the "db-connection-string" secret key.
+    /// </summary>
+    [Secret("db-connection-string")]
+    string DatabaseConnection { get; }
+
+    /// <summary>
+    /// The API key. Uses the property name "ApiKey" as the secret key.
+    /// </summary>
+    string ApiKey { get; }
+}

examples/SecretManagement/SecretManagementSample/Program.cs

@@ -0,0 +1,58 @@
+// ------------------------------------------------------------------------
+//  Copyright 2026 The Dapr Authors
+//  Licensed under the Apache License, Version 2.0 (the "License");
+//  you may not use this file except in compliance with the License.
+//  You may obtain a copy of the License at
+//      http://www.apache.org/licenses/LICENSE-2.0
+//  Unless required by applicable law or agreed to in writing, software
+//  distributed under the License is distributed on an "AS IS" BASIS,
+//  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//  See the License for the specific language governing permissions and
+//  limitations under the License.
+//  ------------------------------------------------------------------------
+
+using Dapr.SecretsManagement;
+using Dapr.SecretsManagement.Extensions;
+using SecretManagementSample;
+
+var builder = WebApplication.CreateBuilder(args);
+
+// Register the Dapr Secrets Management client and the source-generated typed secret store.
+// AddMyVaultSecrets() is a generated extension method — see IMyVaultSecrets.cs.
+builder.Services.AddDaprSecretsManagementClient()
+    .AddMyVaultSecrets();
+
+var app = builder.Build();
+
+// --- Example 1: Direct secret retrieval ---
+app.MapGet("/secrets/{storeName}/{key}", async (
+    string storeName,
+    string key,
+    DaprSecretsManagementClient secretsClient,
+    CancellationToken cancellationToken) =>
+{
+    var secret = await secretsClient.GetSecretAsync(storeName, key, cancellationToken: cancellationToken);
+    return Results.Ok(secret);
+});
+
+// --- Example 2: Bulk secret retrieval ---
+app.MapGet("/secrets/{storeName}", async (
+    string storeName,
+    DaprSecretsManagementClient secretsClient,
+    CancellationToken cancellationToken) =>
+{
+    var secrets = await secretsClient.GetBulkSecretAsync(storeName, cancellationToken: cancellationToken);
+    return Results.Ok(secrets);
+});
+
+// --- Example 3: Using the source-generated typed secret store ---
+app.MapGet("/typed-secrets", (SecretManagementSample.IMyVaultSecrets secrets) =>
+{
+    return Results.Ok(new
+    {
+        DatabaseConnection = secrets.DatabaseConnection,
+        ApiKey = secrets.ApiKey
+    });
+});
+
+app.Run();

examples/SecretManagement/SecretManagementSample/Properties/launchSettings.json

@@ -0,0 +1,13 @@
+{
+  "profiles": {
+    "SecretManagementSample": {
+      "commandName": "Project",
+      "dotnetRunMessages": true,
+      "launchBrowser": false,
+      "applicationUrl": "http://localhost:6543",
+      "environmentVariables": {
+        "ASPNETCORE_ENVIRONMENT": "Development"
+      }
+    }
+  }
+}

examples/SecretManagement/SecretManagementSample/SecretManagementSample.csproj

@@ -0,0 +1,29 @@
+<Project Sdk="Microsoft.NET.Sdk.Web">
+
+    <PropertyGroup>
+        <TargetFramework>net10.0</TargetFramework>
+        <Nullable>enable</Nullable>
+        <ImplicitUsings>enable</ImplicitUsings>
+
+        <!-- Added for demonstration purposes - emit generated source files to disk for inspection -->
+        <EmitCompilerGeneratedFiles>true</EmitCompilerGeneratedFiles>
+        <CompilerGeneratedFilesOutputPath>$(BaseIntermediateOutputPath)Generated</CompilerGeneratedFilesOutputPath>
+    </PropertyGroup>
+
+    <!--
+        NOTE: When consuming from NuGet, use the single 'Dapr.SecretsManagement' package instead of
+        these individual project references. The sub-projects (Abstractions, Runtime, Generators) are
+        NOT published to NuGet individually — they are bundled into the Dapr.SecretsManagement package.
+
+        Replace the ProjectReference items below with:
+            <PackageReference Include="Dapr.SecretsManagement" Version="<version>" />
+    -->
+    <ItemGroup>
+        <ProjectReference Include="..\..\..\src\Dapr.SecretsManagement.Abstractions\Dapr.SecretsManagement.Abstractions.csproj" />
+        <ProjectReference Include="..\..\..\src\Dapr.SecretsManagement.Runtime\Dapr.SecretsManagement.Runtime.csproj" />
+        <ProjectReference Include="..\..\..\src\Dapr.SecretsManagement.Generators\Dapr.SecretsManagement.Generators.csproj"
+                          OutputItemType="Analyzer"
+                          ReferenceOutputAssembly="false" />
+    </ItemGroup>
+
+</Project>