Add HashiCorp Vault integration for secret management

Pull API keys from Vault KV v2 instead of env vars or config files.
Uses reqwest directly (no new dependencies) for a single GET request.

Config fields: vault_addr, vault_token, vault_path, vault_key,
vault_mount, vault_namespace. All support env var fallbacks
(VAULT_ADDR, VAULT_TOKEN, VAULT_PATH, VAULT_KEY, VAULT_NAMESPACE).

CLI flags: --vault-addr, --vault-path, --vault-key

Usage:
  export VAULT_ADDR=https://vault:8200
  export VAULT_TOKEN=s.mytoken
  diffscope review --vault-path diffscope --diff my.diff

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: haasonsaas

src/config.rs

@@ -128,6 +128,30 @@ pub struct Config {
     #[serde(default = "default_feedback_suppression_margin")]
     pub feedback_suppression_margin: usize,
 
+    /// HashiCorp Vault server address (e.g., https://vault.example.com:8200).
+    #[serde(default)]
+    pub vault_addr: Option<String>,
+
+    /// Vault authentication token.
+    #[serde(default)]
+    pub vault_token: Option<String>,
+
+    /// Secret path in Vault (e.g., "diffscope" or "ci/diffscope").
+    #[serde(default)]
+    pub vault_path: Option<String>,
+
+    /// Key within the Vault secret to extract as the API key (default: "api_key").
+    #[serde(default)]
+    pub vault_key: Option<String>,
+
+    /// Vault KV engine mount point (default: "secret").
+    #[serde(default)]
+    pub vault_mount: Option<String>,
+
+    /// Vault Enterprise namespace.
+    #[serde(default)]
+    pub vault_namespace: Option<String>,
+
     #[serde(default)]
     pub plugins: PluginConfig,
 
@@ -261,6 +285,12 @@ impl Default for Config {
             include_fix_suggestions: true,
             feedback_suppression_threshold: default_feedback_suppression_threshold(),
             feedback_suppression_margin: default_feedback_suppression_margin(),
+            vault_addr: None,
+            vault_token: None,
+            vault_path: None,
+            vault_key: None,
+            vault_mount: None,
+            vault_namespace: None,
             plugins: PluginConfig::default(),
             exclude_patterns: Vec::new(),
             paths: HashMap::new(),
@@ -685,6 +715,31 @@ impl Config {
         }
     }
 
+    /// Try to resolve the API key from Vault if Vault is configured and api_key is not set.
+    pub async fn resolve_vault_api_key(&mut self) -> Result<()> {
+        if self.api_key.is_some() {
+            return Ok(());
+        }
+
+        let vault_config = crate::vault::try_build_vault_config(
+            self.vault_addr.as_deref(),
+            self.vault_token.as_deref(),
+            self.vault_path.as_deref(),
+            self.vault_key.as_deref(),
+            self.vault_mount.as_deref(),
+            self.vault_namespace.as_deref(),
+        );
+
+        if let Some(vc) = vault_config {
+            tracing::info!("Fetching API key from Vault at {}", vc.addr);
+            let secret = crate::vault::fetch_secret(&vc).await?;
+            self.api_key = Some(secret);
+            tracing::info!("API key loaded from Vault");
+        }
+
+        Ok(())
+    }
+
     /// Returns true if the configured base_url points to a local/self-hosted server.
     pub fn is_local_endpoint(&self) -> bool {
         match self.base_url.as_deref() {

src/main.rs

@@ -7,6 +7,7 @@ mod parsing;
 mod plugins;
 mod review;
 mod server;
+mod vault;
 
 use anyhow::Result;
 use clap::{Parser, Subcommand};
@@ -81,6 +82,15 @@ struct Cli {
     #[arg(long, global = true, help = "Output language (e.g., en, ja, de)")]
     output_language: Option<String>,
 
+    #[arg(long, global = true, help = "Vault server address (e.g., https://vault:8200)")]
+    vault_addr: Option<String>,
+
+    #[arg(long, global = true, help = "Vault secret path (e.g., diffscope)")]
+    vault_path: Option<String>,
+
+    #[arg(long, global = true, help = "Key within Vault secret to use as API key (default: api_key)")]
+    vault_key: Option<String>,
+
     #[arg(long, global = true, default_value = "json")]
     output_format: OutputFormat,
 
@@ -315,8 +325,22 @@ async fn main() -> Result<()> {
     if let Some(lang) = cli.output_language {
         config.output_language = Some(lang);
     }
+    if let Some(vault_addr) = cli.vault_addr {
+        config.vault_addr = Some(vault_addr);
+    }
+    if let Some(vault_path) = cli.vault_path {
+        config.vault_path = Some(vault_path);
+    }
+    if let Some(vault_key) = cli.vault_key {
+        config.vault_key = Some(vault_key);
+    }
     config.normalize();
 
+    // Resolve API key from Vault if configured and api_key is not already set
+    if let Err(e) = config.resolve_vault_api_key().await {
+        eprintln!("Warning: Failed to fetch API key from Vault: {:#}", e);
+    }
+
     match cli.command {
         Commands::Review {
             diff,