Normalizes Hashtable, OrderedDictionary, PSObject-wrapped, and typed generic dictionaries into IDictionary<string,string>[] before parameter binding, enabling native PowerShell @{...} and [ordered]@{...} literals against the strongly-typed -Secrets parameter on New-/Update-InfisicalSecret. Adds 8 transformation tests; 174/174 passing.
- Endpoint registry: register POST/PATCH/DELETE /api/v4/secrets/batch as preferred candidates for BulkCreate/Update/Delete; v3 raw routes retained as automatic fallback.
- DTOs: add projectId (required for v4) alongside workspaceId on the three batch request envelopes; both serialized when set, both ignored when null.
- SecretsClient: populate ProjectId in CreateBatch/UpdateBatch/DeleteBatch so v4 succeeds on first attempt.
- Cmdlets: -Secrets on New/Update-InfisicalSecret changed from Hashtable[] to IDictionary<string,string>[] for stronger typing and tab-completion; converter rewritten to accept IEnumerable<IDictionary<string,string>>. TagIds parsed from comma-separated string; nested Metadata dropped from bulk hashtable surface (still settable programmatically on bulk items).
- Tests: 166 passing (was 161). Bulk endpoints now resolve to v4 primary with v3 fallback; new tests verify projectId envelope serialization, dual-key omission, and TagIds trimming.
- Bulk parameter sets on New-/Update-/Remove-InfisicalSecret via v3/secrets/batch/raw.
- Copy-InfisicalSecret cmdlet wrapping v4/secrets/duplicate.
- InfisicalCmdletBase.Resolve{ProjectId,Environment,SecretPath,ApiVersion,OrganizationId} with verbose inheritance logging.
- All resource cmdlets refactored to use the resolution helpers.
- InfisicalBulkSecretConverter for flexible Hashtable -> DTO mapping.
- 22 new unit tests covering registry, DTOs, converter, and inheritance helpers. Total: 161 passing.
Adds <RollForward>LatestMajor</RollForward> to the test project so the net8.0 testhost can run on hosts that only have a newer .NET runtime installed (e.g. CI hosts with .NET 10 only). Locally with .NET 8 present this is a no-op; on the runner with .NET 10.0.8 the testhost will roll forward instead of aborting with 'You must install or update .NET to run this application'.
All three jobs (build, release, publish) now target runs-on: powershell-linux, which maps to :host on the Gitea runner so steps execute directly on the host OS instead of inside a Docker container. Dropped the apt-get/sudo install blocks and actions/setup-dotnet in favor of a fast preflight that verifies pwsh (and dotnet for the build job) are present, failing loudly otherwise. Publish job migrated off the legacy PowerShellGet v2 path (Set-PSRepository / Install-PackageProvider NuGet / Publish-Module) to Microsoft.PowerShell.PSResourceGet (Set-PSResourceRepository / Publish-PSResource), which is bundled with PS 7.4+ on Linux and does not depend on the NuGet package provider.
Get-InfisicalSecrets and Get-InfisicalSecret now return real secret values by default. Pass -ViewSecretValue:False to opt in to the server's hidden response. InfisicalSecretMapper detects the <hidden-by-infisical> placeholder and the secretValueHidden flag; in either case SecretValue is set to null instead of pushing the literal placeholder into a SecureString, so downstream auth/export/dictionary consumers can never silently use the placeholder as if it were a real secret.
InfisicalSecret.GetPlainTextValue() returns the SecureString contents as a managed string for ergonomic PowerShell access. ConvertTo-InfisicalSecretDictionary -AsPlainText emits Dictionary<string,string> instead of Dictionary<string,SecureString>; default behavior unchanged. Export-InfisicalSecrets already writes plain text via secret.UsePlainTextValue(), so no switch was added there.
- Endpoint registry now stores ordered candidate lists per logical operation; Get/TryGet preserve prior behavior, new GetCandidates(name) exposes the ladder. Added v3 fallbacks (/api/v3/secrets/raw and /api/v3/secrets/raw/{secretName}) after v4. - InfisicalConnection gains PinnedApiVersion and a ResolvedEndpointVersions cache so the chosen version sticks for the session. - InfisicalSecretsClient.SendWithVersionFallback walks candidates in pin -> cached -> registry order, falls back on routing-style failures (404 without an Infisical JSON envelope, 405, or 400 mentioning workspaceId/projectSlug) when no version is pinned, and surfaces real application errors immediately. - Get-InfisicalSecret(s) expose -ApiVersion; Connect-Infisical sets PinnedApiVersion only when -ApiVersion is explicitly bound on the command line (env-var/default values do not pin). - Logger.Error routes via WriteWarning to avoid premature terminating errors that masked InfisicalApiException details; EnsureSuccess no longer redacts non-2xx bodies so server error envelopes are visible. - InfisicalSecretsClient sends both projectId and workspaceId so it works against both new and legacy server-side validators.
- InfisicalSecretsClient: use projectId / includeImports (camelCase) per Infisical v4 OpenAPI
- Get-InfisicalSecrets / Get-InfisicalSecret: change [bool] flag parameters to [switch]
- DesignSpec.md: updated 14.3 / 14.4 examples to match new switch syntax
- build.ps1: anchor Update-Changelog regex to the literal '## Unreleased' line and limit replacement to 1 to stop exponential duplication of carried-forward markers
- Manifest bumped to 2026.06.03.0032 (commit c866760105)
Scripts:
- Add scripts/Install-GiteaRunner.ps1: cross-platform installer for the
Gitea act_runner daemon (systemd / launchd / Windows Service).
- PowerShell 7+ runtime guard (works under irm | iex).
- Explicit env var resolution (Process -> User -> Machine) for
InstanceUrl and RegistrationToken with named candidates.
- UTF-8 (no BOM) for every file write via [System.IO.File] APIs.
- System proxy + DefaultNetworkCredentials on all web calls.
- Optional -Labels; ServiceName/ServiceDisplayName split prevents
systemd 'Invalid unit name' errors caused by whitespace.
- config.yaml is always generated before the registration skip-check
so upgrades produce a config the daemon can load.
Module:
- InfisicalHttpClient: enable UseDefaultCredentials and attach the
system proxy with DefaultNetworkCredentials so requests work behind
authenticated corporate proxies / SSO.
- ExportInfisicalSecretsCmdlet: make the UTF-8 (no BOM) case explicit
in the encoding resolver.
CI/CD (.gitea/workflows/publish-psgallery.yml):
- Split into build -> release -> publish with hard `needs:` ordering
so publish never runs unless build and release both succeed.
- Build job uploads Module/PSInfisicalAPI as an artifact.
- Release job downloads the artifact, reads the version from the
manifest, zips the module, and creates a Gitea release tagged with
the bare version. Release notes include version, full + short commit
SHA, build timestamp, merged PR info, workflow run link, and any
matching CHANGELOG.md section. Skips cleanly when the tag already
exists.
- Publish job re-validates the downloaded manifest and runs
Publish-Module against PSGallery using PSGALLERY_API_KEY.
GraceSolutions
gsadmin