Add Vault product with 6 plugins and 16 skills #22

Open
MrFixit96 wants to merge 5 commits into hashicorp:main from MrFixit96:add-vault-skills

@MrFixit96 MrFixit96 commented Feb 3, 2026

Summary

Add Vault as the third product after Terraform and Packer with job-oriented plugin naming and decision framework-driven skills.

Design Approach

This PR encodes "tacit knowledge" and reduces the "3-4 documentation hops" users typically need by:

  1. Job-oriented plugin names — named for what users are trying to accomplish (matching Terraform/Packer patterns)
  2. "What Are You Trying to Solve?" decision frameworks — every skill starts by routing users to the right solution
  3. Mental model sections — explaining how each component works before diving into reference material

Structure

vault/
├── README.md
├── credential-generation/
│   ├── .claude-plugin/plugin.json
│   ├── SPEC.md
│   └── skills/
│       ├── secrets-engines/
│       │   ├── SKILL.md
│       │   └── references/secrets-engines.md
│       └── vault-agent/
│           ├── SKILL.md
│           └── references/vault-agent.md
├── app-access/
│   ├── .claude-plugin/plugin.json
│   ├── SPEC.md
│   └── skills/
│       ├── auth-methods/
│       │   ├── SKILL.md
│       │   └── references/auth-methods.md
│       ├── policies/
│       │   ├── SKILL.md
│       │   └── references/policies.md
│       ├── token-management/
│       │   ├── SKILL.md
│       │   └── references/token-management.md
│       ├── identity-system/
│       │   ├── SKILL.md
│       │   └── references/identity-system.md
│       └── response-wrapping/
│           ├── SKILL.md
│           └── references/response-wrapping.md
├── deployment/
│   ├── .claude-plugin/plugin.json
│   ├── SPEC.md
│   └── skills/
│       ├── kubernetes-integration/
│       │   ├── SKILL.md
│       │   └── references/kubernetes.md
│       ├── production-operations/
│       │   ├── SKILL.md
│       │   └── references/
│       │       ├── production-operations.md
│       │       └── enterprise.md
│       └── troubleshooting/
│           ├── SKILL.md
│           └── references/troubleshooting.md
├── multi-tenancy/
│   ├── .claude-plugin/plugin.json
│   ├── SPEC.md
│   └── skills/
│       └── enterprise-features/
│           ├── SKILL.md
│           └── references/enterprise.md
├── ai-workflows/
│   ├── .claude-plugin/plugin.json
│   ├── SPEC.md
│   └── skills/
│       ├── vault-mcp-server/
│       │   ├── SKILL.md
│       │   └── references/vault-mcp-server.md
│       └── mcp-secrets-workflows/
│           ├── SKILL.md
│           └── references/mcp-secrets-workflows.md
└── hashicorp-secrets-engines/
    ├── .claude-plugin/plugin.json
    ├── SPEC.md
    └── skills/
        ├── consul-secrets/
        │   ├── SKILL.md
        │   └── references/consul-secrets.md
        ├── nomad-secrets/
        │   ├── SKILL.md
        │   └── references/nomad-secrets.md
        └── terraform-cloud-secrets/
            ├── SKILL.md
            └── references/terraform-cloud-secrets.md

Plugins (6)

All plugins are v0.2.0, named for the job the user is trying to accomplish:

| Plugin Name | Directory | User Intent | Skills |
|---|---|---|---|
| vault-credential-generation | vault/credential-generation | "Generate credentials for my app" | secrets-engines, vault-agent |
| vault-app-access | vault/app-access | "Give my app access to Vault" | auth-methods, policies, token-management, identity-system, response-wrapping |
| vault-deployment | vault/deployment | "Deploy and operate Vault" | kubernetes-integration, production-operations, troubleshooting |
| vault-multi-tenancy | vault/multi-tenancy | "Set up multi-tenant Vault" | enterprise-features |
| vault-ai-workflows | vault/ai-workflows | "Let AI manage my secrets" | vault-mcp-server, mcp-secrets-workflows |
| vault-hashicorp-secrets-engines | vault/hashicorp-secrets-engines | "Generate tokens for HashiCorp products" | consul-secrets, nomad-secrets, terraform-cloud-secrets |

Skills (16)

| Plugin | Skill | Description |
|---|---|---|
| credential-generation | secrets-engines | KV secrets, database dynamic credentials, AWS/Azure/GCP credentials, Transit encryption, PKI certificates, SSH, TOTP |
| credential-generation | vault-agent | Auto-auth, caching, secret file templating, sidecar patterns |
| app-access | auth-methods | AppRole, Kubernetes, OIDC/JWT, AWS IAM, Azure, GCP, LDAP, GitHub auth |
| app-access | policies | ACL policies, capabilities, templated policies, path patterns, Sentinel (Enterprise) |
| app-access | token-management | Token types, periodic/batch tokens, accessors, orphan tokens, lifecycle |
| app-access | identity-system | Entities, aliases, groups, identity tokens, OIDC provider |
| app-access | response-wrapping | Cubbyhole secrets, secure distribution, wrapped tokens, bootstrap workflows |
| deployment | kubernetes-integration | Vault Secrets Operator (VSO), Agent Injector, CSI Provider, Kubernetes auth |
| deployment | production-operations | HA architecture, Integrated Storage (Raft), auto-unseal, DR replication, monitoring, backup/recovery |
| deployment | troubleshooting | Sealed Vault, permission denied, token expired, performance, audit log analysis |
| multi-tenancy | enterprise-features | Namespaces, Performance/DR replication, Sentinel, MFA, Control Groups, HSM |
| ai-workflows | vault-mcp-server | Install and configure Vault MCP Server for AI-assisted secrets management |
| ai-workflows | mcp-secrets-workflows | Managing secrets with Claude, KV mounts via MCP, automating Vault operations |
| hashicorp-secrets-engines | consul-secrets | Dynamic Consul ACL tokens through Vault |
| hashicorp-secrets-engines | nomad-secrets | Dynamic Nomad ACL tokens through Vault |
| hashicorp-secrets-engines | terraform-cloud-secrets | Dynamic Terraform Cloud/Enterprise API tokens through Vault |

Skill Decision Framework Pattern

Every skill starts with a decision framework that routes users to the right solution:

## What Are You Trying to Solve?

### "I need my CI/CD pipeline to access Vault"
→ Use **AppRole** with response wrapping. [Jump to AppRole](#approle)

### "I need my Kubernetes pods to get secrets"
→ Use **Kubernetes auth**. [Jump to Kubernetes](#kubernetes)

Followed by:

  • "How X Works" mental model section
  • Decision tables mapping problems to solutions
  • Detailed reference material

Changes Summary

  • 49 files changed (46 added, 3 modified)
  • 6 plugin directories with plugin.json (v0.2.0) and SPEC.md
  • 16 SKILL.md files with decision frameworks
  • 17 reference documents
  • vault/README.md with installation instructions
  • Updated: .claude-plugin/marketplace.json, CHANGELOG.md, README.md

Repository Totals After Merge

  • 11 plugins (terraform: 3, packer: 2, vault: 6)
  • 29 skills (terraform: 9, packer: 4, vault: 16)

@MrFixit96 MrFixit96 requested a review from a team as a code owner February 3, 2026 06:54

hashicorp-cla-app Bot commented Feb 3, 2026

CLA assistant check
All committers have signed the CLA.

@MrFixit96 MrFixit96 force-pushed the add-vault-skills branch 4 times, most recently from 8047f56 to 3f3d444 Compare February 3, 2026 07:11
MrFixit96 added a commit to MrFixit96/agent-skills that referenced this pull request Feb 4, 2026
…n frameworks

BREAKING CHANGE: Vault plugin names changed to match Terraform/Packer naming pattern

Plugin renames:
- vault-secrets-management -> vault-credential-generation
- vault-authentication -> vault-app-access
- vault-operations -> vault-deployment
- vault-enterprise -> vault-multi-tenancy
- vault-mcp-integration -> vault-ai-workflows
- vault-hashicorp-integrations -> vault-hashicorp-secrets-engines

Skill transformations:
- All 16 skills now lead with 'What Are You Trying to Solve?' decision frameworks
- Added mental model sections explaining how each component works
- Added decision tables mapping user problems to solutions
- Reorganized content to prioritize job-to-be-done over feature descriptions

This addresses feedback from PR hashicorp#22 about encoding tacit knowledge and
reducing the 3-4 documentation hops users typically need.
@gautambaghel
Member

@MrFixit96 - Thanks for the PR, will merge this week after getting the Tessl pipeline set up for feedback.

Do you mind fixing the CI that's failing? It seems the repo structure has issues.

MrFixit96 added a commit to MrFixit96/agent-skills that referenced this pull request Feb 13, 2026
MrFixit96 added a commit to MrFixit96/agent-skills that referenced this pull request Mar 31, 2026
@MrFixit96
Author

CI failure analysis summary for run https://github.com/hashicorp/agent-skills/actions/runs/23818076999/job/69422941930?pr=22

Root cause: this is a workflow script bug in .github/workflows/tessl-skill-review.yml, not a SKILL.md validation/content failure.

What happened:

  • Tessl successfully reviewed the first changed skill (overallPassed: true, reviewScore: 74).
  • The job then crashed with exit code 127:
    /home/runner/work/_temp/...sh: line 99: vault/ai-workflows/skills/mcp-secrets-workflows\: No such file or directory

Why it failed:

  • In Run skill reviews, the table row is built with backticks:
    TABLE="${TABLE}\\n| \\${DIR_DISPLAY}\ | ..."
  • Bash treats backticks as command substitution, so it attempts to execute the skill path as a command.

Suggested fix:

  • Replace backtick-based formatting with a safe representation (for example <code>${DIR_DISPLAY}</code>), or build rows with printf to avoid command substitution.

Note: same failure signature appears in earlier failed Tessl runs, so this looks systemic to the workflow script.
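
The failure mode analysed in the comment above, reproduced as an added example (not part of the original comment and not the workflow's own script): an unescaped backtick pair inside double quotes runs the directory name as a command, while the printf, escaped and `<code>` forms keep it as data. The function names are hypothetical; the sample path and score are constructed from the values quoted in the comment.

```shell
#!/usr/bin/env bash
# Added example: names and values are constructed, not the workflow's own.
DIR_DISPLAY='vault/ai-workflows/skills/mcp-secrets-workflows'
SCORE=74

# Unsafe: inside double quotes an unescaped backtick pair is command
# substitution, so the shell tries to run the value of $1 as a program.
row_unsafe() {
  _row="| `$1` | $2 |" || return $?   # status of the failed substitution
  printf '%s\n' "$_row"
}

# Safe: single-quoted printf format; the backticks are literal characters
# and the path is passed only as data through %s.
row_printf() {
  printf '| `%s` | %s |\n' "$1" "$2"
}

# Safe: keep the double quotes but escape each backtick.
row_escaped() {
  _row="| \`$1\` | $2 |"
  printf '%s\n' "$_row"
}

# Safe: the <code> form suggested in the comment (no backticks at all).
row_html() {
  printf '| <code>%s</code> | %s |\n' "$1" "$2"
}

# Demo: the unsafe builder fails, the other three emit the row.
unsafe_status=0
row_unsafe "$DIR_DISPLAY" "$SCORE" 2>/dev/null || unsafe_status=$?
echo "row_unsafe exit status: $unsafe_status"
row_printf "$DIR_DISPLAY" "$SCORE"
row_escaped "$DIR_DISPLAY" "$SCORE"
row_html "$DIR_DISPLAY" "$SCORE"
```

Because the substituted value in a job like this comes from the changed paths of a pull request, the printf form is the one to prefer: the path never passes through shell evaluation at all.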

Member

@gautambaghel gautambaghel left a comment

@MrFixit96 some minor changes requested

Comment thread README.md Outdated
Comment thread README.md Outdated
@gautambaghel gautambaghel self-requested a review April 1, 2026 17:58
Add comprehensive Vault skills for secrets management, authentication,
operations, enterprise features, MCP integration, and HashiCorp product
integrations.

- **vault-authentication** (5 skills)
  - auth-methods: AppRole, Kubernetes, OIDC, AWS/Azure/GCP auth
  - policies: HCL policy syntax, capabilities, templating
  - token-management: Service/batch/periodic tokens, accessors
  - identity-system: Entities, aliases, groups, OIDC provider
  - response-wrapping: Cubbyhole, wrap/unwrap, malfeasance detection

- **vault-secrets-management** (2 skills)
  - secrets-engines: KV, database, PKI, transit, SSH, cloud engines
  - vault-agent: Auto-auth, templating, caching, process supervisor

- **vault-operations** (3 skills)
  - kubernetes-integration: Injector, CSI provider, Helm deployment
  - production-operations: HA, performance tuning, backup/restore
  - troubleshooting: Diagnostics, audit analysis, common errors

- **vault-enterprise** (1 skill)
  - enterprise-features: Namespaces, replication, Sentinel, MFA, HSM

- **vault-mcp-integration** (2 skills)
  - vault-mcp-server: MCP server setup, tool configuration
  - mcp-secrets-workflows: AI-assisted secret management patterns

- **vault-hashicorp-integrations** (3 skills)
  - consul-secrets: Dynamic Consul ACL tokens
  - nomad-secrets: Dynamic Nomad ACL tokens
  - terraform-cloud-secrets: Dynamic TFC API tokens

All skills follow Anthropic Agent Skills best practices:
- Descriptions include 'Use when' trigger phrases
- Reference files use 'For X, see' linking for in-time revelation
- Skills under 8KB for efficient context loading
- Consistent frontmatter with name and description fields

Content sourced from official HashiCorp Vault documentation.
HVD-unique content excluded per content attribution analysis.

Repository totals: 11 plugins, 29 skills (terraform: 3/9, packer: 2/4, vault: 6/16)
…n frameworks

BREAKING CHANGE: Vault plugin names changed to match Terraform/Packer naming pattern

Plugin renames:
- vault-secrets-management -> vault-credential-generation
- vault-authentication -> vault-app-access
- vault-operations -> vault-deployment
- vault-enterprise -> vault-multi-tenancy
- vault-mcp-integration -> vault-ai-workflows
- vault-hashicorp-integrations -> vault-hashicorp-secrets-engines

Skill transformations:
- All 16 skills now lead with 'What Are You Trying to Solve?' decision frameworks
- Added mental model sections explaining how each component works
- Added decision tables mapping user problems to solutions
- Reorganized content to prioritize job-to-be-done over feature descriptions

This addresses feedback from PR hashicorp#22 about encoding tacit knowledge and
reducing the 3-4 documentation hops users typically need.
- Reduce SKILL.md verbosity and move deep detail to references

- Focus on compact workflow patterns and explicit tool map

- Add concrete destructive-operation safety checklist

- Strengthen actionable output expectations
Removed Contributing.md reference as requested
Removed examples directory mention from README as per comment.