Secrets backends
Azure Key Vault, AWS Secrets Manager and Vault wiring.
By the end you’ll be able to:
- Understand how connector credentials are stored.
- Recognise the three supported vault backends and how each is selected.
- Know what the TTL cache does and how to read the error taxonomy.
Adapters never read `process.env` directly. Every secret — database URL, vault passwords, connector credentials — flows through a platform `SecretsAdapter` with a `get` / `list` / optional `set` contract. That single seam is what lets DataBridge swap between an environment-variable backend in a laptop demo and a hosted vault in production without touching adapter code (see `docs/OPERATOR_GUIDE.md` §11).
Three vault backends ship as workspace packages, selected at boot via the `DATABRIDGE_SECRETS_BACKEND` environment variable: `azure-keyvault` (`@databridge/secrets-azure-keyvault`, Azure Key Vault REST v7.4), `aws-sm` (`@databridge/secrets-aws-sm`, AWS Secrets Manager with hand-rolled SigV4), and `vault` (`@databridge/secrets-hashicorp-vault`, HashiCorp Vault KV v2 with token or AppRole auth). Two built-in backends — `env` (default, read-only) and `memory` (ephemeral, the only one supporting `set()`) — round out the menu.
All three vault backends are zero-dependency `fetch` clients — no `@azure/keyvault-secrets`, no `aws-sdk`, no `node-vault` — and they are CI-tested against recorded HTTP fixtures plus a shared conformance suite. That keeps DataBridge installable in air-gapped environments where pulling SDKs is awkward.
Whichever backend is selected can be wrapped in `TtlCachingSecretsAdapter` by setting `DATABRIDGE_SECRETS_CACHE_TTL_MS` (start with 30–60 seconds). The cache bounds vault round-trips per key, write-throughs invalidate the touched key and the list cache, and failures are never cached. A non-numeric TTL value refuses to boot — a typo must not silently disable caching.
All backends throw `SecretsBackendError` with a `code` you can branch and alert on: `not-found` (key absent), `auth` (401/403, permission denied), `throttled` (429), and `unknown` (5xx / malformed bodies). That taxonomy is the contract — operator alerting should pivot on the `code`, not on a regex over a message string.
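As an added illustration of the adapter seam, the TTL cache semantics and the error taxonomy described above (this is not DataBridge's own code; the class names, constructor signatures and the `MemorySecretsAdapter` stand-in for the ephemeral `memory` backend are assumptions made for the example):

```typescript
export type SecretsErrorCode = "not-found" | "auth" | "throttled" | "unknown";
export class SecretsBackendError extends Error {
  constructor(public readonly code: SecretsErrorCode, message: string) { super(message); }
}
export interface SecretsAdapter {
  get(key: string): Promise<string>;
  list(): Promise<string[]>;
  set?(key: string, value: string): Promise<void>; // optional: only the `memory` backend supports writes
}
// Hypothetical stand-in for the ephemeral `memory` backend; it counts round-trips so the cache's effect is measurable.
export class MemorySecretsAdapter implements SecretsAdapter {
  constructor(private readonly store = new Map<string, string>(), public roundTrips = 0) {}
  async get(key: string): Promise<string> {
    this.roundTrips++;
    const value = this.store.get(key);
    if (value === undefined) throw new SecretsBackendError("not-found", `no secret "${key}"`);
    return value;
  }
  async list(): Promise<string[]> { this.roundTrips++; return [...this.store.keys()]; }
  async set(key: string, value: string): Promise<void> { this.roundTrips++; this.store.set(key, value); }
}
// Wraps any adapter: bounds round-trips per key, write-through invalidates, failures are never cached.
export class TtlCachingSecretsAdapter implements SecretsAdapter {
  private readonly hits = new Map<string, { value: string; expires: number }>();
  private listHit?: { keys: string[]; expires: number };
  private readonly ttlMs: number;
  constructor(private readonly inner: SecretsAdapter, rawTtl: string, private readonly now = Date.now) {
    const ttl = Number(rawTtl); // "30s" -> NaN, "" -> 0: both refused, so a typo cannot silently disable caching
    if (rawTtl.trim() === "" || !Number.isFinite(ttl) || ttl < 0)
      throw new Error(`DATABRIDGE_SECRETS_CACHE_TTL_MS must be a non-negative number, got "${rawTtl}"`);
    this.ttlMs = ttl;
  }
  async get(key: string): Promise<string> {
    const hit = this.hits.get(key);
    if (hit && hit.expires > this.now()) return hit.value;
    const value = await this.inner.get(key); // a SecretsBackendError propagates here and caches nothing
    this.hits.set(key, { value, expires: this.now() + this.ttlMs });
    return value;
  }
  async list(): Promise<string[]> {
    if (this.listHit && this.listHit.expires > this.now()) return this.listHit.keys;
    this.listHit = { keys: await this.inner.list(), expires: this.now() + this.ttlMs };
    return this.listHit.keys;
  }
  async set(key: string, value: string): Promise<void> {
    if (!this.inner.set) throw new SecretsBackendError("unknown", "selected backend is read-only");
    await this.inner.set(key, value); // write-through, then drop the stale key and the list cache
    this.hits.delete(key); this.listHit = undefined;
  }
}
```

Callers branch on `err.code` (for example paging on `auth`, backing off on `throttled`) rather than matching the message text.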
Walkthrough
1. Open the admin console
The admin console is where you wire up webhooks, marketplace approvals and the operator surfaces that rely on the secrets backend.
2. Inspect the webhook configuration
The webhook surface is the simplest concrete consumer of the secrets adapter: the outbound URL + HMAC secret are read through it. Demo mode shows the shape without exposing real credentials.
3. See the marketplace approvals
Marketplace approvals are another surface that depends on per-tenant secrets — adapter credentials live in the same vault.
Your turn
Open the webhooks admin surface — the simplest concrete consumer of the secrets adapter — and look at where the outbound URL and HMAC secret are configured.
Hint: Use the 'Inspect the webhook configuration' step above.