Auto-generated by build.ps1 -CommitArtifacts. Build 2026.06.05.0117. Module DLL and manifest embed BuildCommitHash=cffda99591c9, matching the source commit they were produced from.
BREAKING CHANGES
- Connect-Infisical no longer accepts -ProjectId, -Environment, or -SecretPath.
- InfisicalConnection no longer carries ProjectId, Environment, or DefaultSecretPath.
- Every cmdlet that previously inherited those fields now requires -ProjectId
and/or -Environment as Mandatory=true. -SecretPath / -Path remain optional
and default to "/" at the client layer.
- INFISICAL_PROJECT_ID, INFISICAL_ENVIRONMENT, INFISICAL_SECRET_PATH env-var
scanning removed from Connect-Infisical.
- Resolve{ProjectId,Environment,SecretPath} helpers removed from
InfisicalCmdletBase. ResolveOrganizationId retained.
ADDED
- Get-InfisicalProject -Type <enum> filters the list by product surface
(secret-manager, cert-manager, kms, ssh, secret-scanning, pam, ai) with
IntelliSense via ValidateSet.
- Get-InfisicalProject -IncludeRoles switch maps to includeRoles=true/false
query parameter (always sent).
RATIONALE
- Implicit connection scoping caused 400 Bad Request when the active
connection's ProjectId belonged to a different product surface than the
cmdlet's target (e.g. secret-manager project id passed to /cert-manager/*).
- Explicit parameters make scope unambiguous and make scripts portable
across projects.
- The new -Type filter on Get-InfisicalProject lets callers discover the
correct project id for each subsequent CRUD invocation without needing
connection-level inheritance.
INTERNAL
- All client classes (Secrets / Folders / Environments / Tags / Projects /
Pki) now receive scoping as explicit arguments rather than reading the
InfisicalConnection object.
- Client-layer SecretPath / Path defaulting to "/" is preserved via
FirstNonEmpty(...).
- Help XML updated to remove all "session-pinned" / "active connection"
phrasing; OrderedDictionary splatting examples now include the mandatory
parameters.
- 216/216 unit tests passing.
Get-InfisicalCertificateApplication declared [Alias("Id", "ApplicationId")] on its Id parameter and Get-InfisicalCertificateApplicationEnrollment / New-InfisicalScepDynamicChallenge declared [Alias("Id", "ApplicationId")] on their ApplicationId parameter. PowerShell rejects an [Alias] entry whose value matches the parameter's own name with ParameterNameConflictsWithAlias at registration time, leaving the cmdlets unusable. Removed the self-referential alias from each.
Auto-generated by build.ps1 -CommitArtifacts. Build 2026.06.04.2335. Module DLL and manifest embed BuildCommitHash=3c39a99b9a4c, matching the source commit they were produced from.
FromEnrollment (new default) consumes an InfisicalCertificateApplicationEnrollment and auto-fills ServerUrl from scep.scepEndpointUrl, CAThumbprint from the RA certificate thumbprint, and mints a fresh dynamic challenge automatically when challengeType=dynamic and -Challenge is not supplied. FromProfile preserves the legacy projection from an InfisicalCertificateProfile but now requires -ApplicationId so the server URL is built against /scep/applications/{appId}/profiles/{profileId}/pkiclient.exe. Manual requires explicit -ServerUrl, -Challenge, and -UniqueId. Module manifest, help XML, and build.ps1 expectedCmds list updated to register the three new cmdlets. CHANGELOG updated.
Get-InfisicalCertificateApplication exposes List/ById/ByName parameter sets over /api/v1/cert-manager/applications. Get-InfisicalCertificateApplicationEnrollment returns the per-application/profile enrollment block (API/EST/ACME/SCEP) with the computed RA cert thumbprint. New-InfisicalScepDynamicChallenge wraps POST /scep/applications/{appId}/profiles/{profileId}/challenge and returns the minted challenge as a SecureString (default) or string (-AsPlainText), surfacing plan-restriction and not-configured errors as descriptive ErrorRecords.
Adds InfisicalCertificateApplication and InfisicalCertificateApplicationEnrollment models (with SCEP/EST/ACME/API sub-blocks) and DTO/mapper layer. Mapper computes the SHA-1 RA certificate thumbprint from the enrollment PEM so it can be fed directly into MDM payloads. InfisicalPkiClient gains ListCertificateApplications, GetCertificateApplication, GetCertificateApplicationByName, ListCertificateApplicationProfiles, GetCertificateApplicationEnrollment, and GenerateScepDynamicChallenge. InfisicalApiInvoker accepts an optional extraHeaders argument so callers can attach x-infisical-project-id and override Accept (used by the plain-text SCEP challenge endpoint). New endpoint names and registry entries cover /api/v1/cert-manager/applications/** and /scep/applications/**/profiles/**/challenge.
Auto-generated by build.ps1 -CommitArtifacts. Build 2026.06.04.2147. Module DLL and manifest embed BuildCommitHash=183fb48c32ce, matching the source commit they were produced from.
Adds Get-/Export-/Write-InfisicalScepMdmProfile(ToWmi) to CmdletsToExport in the module manifest and to the build.ps1 manifest template and expected-cmdlet probe. Adds MAML help entries (description, notes, two examples each with an OrderedDictionary splat) for all three cmdlets. Updates README's cmdlet count from 34 to 37 and the cmdlet table with one-line descriptions. CHANGELOG entry summarizes the new feature, the default SCEP URL pattern, the elevation/platform guards, and the export-vs-throw rule for -Force.
Submits an InfisicalScepMdmProfile to the local MDM Bridge WMI provider (root/cimv2/mdm/dmmap, MDM_ClientCertificateInstall_SCEP02 by default). Builds a property hashtable mirroring the CSP node set and invokes New-CimInstance via InvokeCommand.InvokeScript so no new package references are required. Guards: throws PlatformNotSupportedException off Windows; Device-scope enrollment requires an elevated session unless -SkipElevationCheck is passed; supports -WhatIf; -PassThru emits the returned CIM instance.
Writes the SyncML payload from InfisicalScepMdmProfile.ToSyncMl() to disk as UTF-8 (no BOM). Honors -WhatIf, auto-creates the target directory, and follows the project rule for -Force: if the file exists without -Force, logs a warning and returns instead of throwing. Optional -PassThru emits the resulting FileInfo.
Maps an InfisicalCertificateProfile (pipeline-bound) to an InfisicalScepMdmProfile model. ServerUrl defaults to {baseUri}/scep/{profileId}/pkiclient.exe derived from the active connection. UniqueId defaults to a sanitized slug. Challenge is accepted as SecureString and decrypted with SecureStringToGlobalAllocUnicode (zero/free on exit). KeyAlgorithm and EkuMapping are inherited from the source profile defaults when not overridden.
POCO mirrors the Windows ClientCertificateInstall/SCEP CSP node set (ServerURL, Challenge, SubjectName, SubjectAlternativeNames, EKUMapping, KeyUsage, KeyLength, KeyAlgorithm, HashAlgorithm, KeyProtection, ContainerName, ValidPeriod, ValidPeriodUnits, RetryCount, RetryDelay, TemplateName, CAThumbprint, CustomTextToShowInPrompt) plus a Scope hint (Device or User) and a UniqueId for the CSP path segment. ToSyncMl() builds an Atomic SyncBody of Replace operations and a trailing Exec on Install/Enroll using XDocument, serializes through XmlWriter with explicit settings (UTF-8 no BOM, indented, no BOM, Replace newline handling), then round-trip-validates through XmlReader before returning the string.
Auto-generated by build.ps1 -CommitArtifacts. Build 2026.06.04.2112. Module DLL and manifest embed BuildCommitHash=3754de74f6c8, matching the source commit they were produced from.
Issuance via Request-InfisicalCertificate -CertificateProfileId no longer throws when the API responds without a certificate body (e.g. status pending_approval / pending_validation). InfisicalPkiClient.IssueCertificateByProfile now logs a warning and returns an InfisicalSignedCertificate populated only with Status, StatusMessage, and CertificateRequestId. New Status, StatusMessage, CertificateRequestId properties on InfisicalSignedCertificate and InfisicalCertificateResult propagate the lifecycle state. The cmdlet short-circuits when CertificatePem is empty: it skips key build, install, chain install, and private-key write, scrubs PrivateKeyPem, and emits a status-only result so callers can poll or trigger approval. Whether issuance is immediate is dictated by the certificate policy bound to the profile.
New ByProfile parameter set bound by -CertificateProfileId (alias ProfileId) POSTs to /api/v1/cert-manager/certificates with the profile id, the locally generated CSR, and an attributes envelope (subject fields, ttl, notBefore, notAfter, keyUsages, extendedKeyUsages). The wrapped response is unwrapped into the existing InfisicalSignedCertificate so reuse, install, chain-completion and key-protection paths remain unchanged. Issuance that returns without a certificate (e.g. status pending_approval) raises a configuration exception that surfaces the reported status and message. Ttl/NotBefore/NotAfter/KeyUsage/ExtendedKeyUsage parameters are now shared by ByCa and ByProfile. MAML help and existing parameter-set test updated.
List parameter set gains -Kind Internal|Acme|Any. Internal (default) preserves current behavior against /api/v1/cert-manager/ca/internal. Any binds to the generic /api/v1/cert-manager/ca endpoint returning both internal and ACME CAs. Acme uses the generic endpoint and client-side filters to type=acme. ById retrieval is unchanged and still resolves against the internal CA endpoint. The existing InfisicalCertificateAuthority model already exposes a Type property to distinguish entries when -Kind Any is used. MAML help updated.
Covers GET /api/v1/cert-manager/certificate-policies (List default with optional -Limit, -Offset) and GET /api/v1/cert-manager/certificate-policies/{certificatePolicyId} (ById). New InfisicalCertificatePolicy model surfaces subject, SANs, key usages, extended key usages, algorithms, and validity. Polymorphic string-or-array fields (allowed/required/keyAlgorithm) are normalized to arrays; sans is normalized whether the API returns an object or an array. Manifest, build expected list, and MAML help updated.
Covers GET /api/v1/cert-manager/certificate-profiles (List default with optional -Limit, -Offset, -IncludeConfigs) and GET /api/v1/cert-manager/certificate-profiles/{certificateProfileId} (ById). New InfisicalCertificateProfile model surfaces ca/policy ids, slug, enrollment type, per-profile defaults (ttl, key/extended key usages with polymorphic string-or-array shapes flattened) and embedded CA/policy/apiConfig summaries. Manifest, build expected list, and MAML help updated.
Parse the JSON envelope (message/error/reqId) returned by 4xx/5xx responses and include the human-readable message in the InfisicalApiException message itself, plus new ApiErrorMessage and ApiRequestId properties. InfisicalErrorDetails and the error handler propagate the new fields so PowerShell error records and the logger surface the server-side reason instead of an opaque status line.
Auto-generated by build.ps1 -CommitArtifacts. Build 2026.06.04.1920. Module DLL and manifest embed BuildCommitHash=0f8f44afdb38, matching the source commit they were produced from.
New switch stages and commits only the three build-output paths (Module/PSInfisicalAPI/bin/**, Module/PSInfisicalAPI/PSInfisicalAPI.psd1, CHANGELOG.md) with a message referencing the embedded BuildCommitHash. Mutually exclusive with -CommitOnSuccess. README and CHANGELOG updated to document the recommended two-commit workflow.
Rebuild outputs only: Module DLL and manifest now embed BuildCommitHash=a34db831d8bf, matching the source commit they were produced from. CHANGELOG gains the 2026.06.04.1917 build stamp. No source changes.
Refreshed Module/PSInfisicalAPI/bin/PSInfisicalAPI.dll and Module/PSInfisicalAPI/PSInfisicalAPI.psd1 so the embedded BuildCommitHash matches the now-checked-in source (was 51bf819, now 2489b7a). CHANGELOG gains the 2026.06.04.1915 build stamp.
README cmdlets section now lists all 34 cmdlets grouped by Session/Secrets/Projects/Environments/Folders/Tags/PKI, each with the synopsis pulled verbatim from Get-Help to keep the two surfaces in sync.
BREAKING: Removed Get-InfisicalProjects, Get-InfisicalEnvironments, Get-InfisicalFolders, Get-InfisicalTags, Get-InfisicalSecrets, and Get-InfisicalCertificates. Their list behavior is now the default parameter set on the singular cmdlets; supplying the identity parameter switches to single-record retrieval. No back-compat aliases.
Fix: SignCertificateBySubscriber endpoint resolved to /api/v1/pki/subscribers/{subscriberName}/sign-certificate (was /pki/pki-subscribers and /cert-manager/pki-subscribers, both 404).
Added Get-InfisicalPkiSubscriber (List/ByName), InfisicalPkiSubscriber model, DTOs, mapper, and InfisicalPkiClient.ListPkiSubscribers/GetPkiSubscriber. MAML help refreshed for all consolidated cmdlets with 2 straight-line + 1 OrderedDictionary splat examples each. README extended with extension guide. CHANGELOG updated. 230/230 tests pass.
Cmdlets added: Request-InfisicalCertificate, Get-InfisicalCertificate, Get-InfisicalCertificates. Request supports BySubscriber/ByCa parameter sets, BouncyCastle CSR generation (RSA/ECDSA/Ed25519), local-key generation, -Install/-InstallChain (chain certs routed to Root vs CertificateAuthority by self-signed status), idempotency reuse with -AllowRenewal/-RenewalThresholdDays, local chain reconstruction with -LocalChainOnly opt-out, Infisical bundle fallback when local stores are incomplete, and private-key protection modes (Exportable/LocalOnly/NonExportable/Ephemeral) via -PrivateKeyProtection plus -PersistKey/-MachineKey/-PrivateKeyPath.
Install-InfisicalCertificate fix: chain certs were previously dumped into CertificateAuthority unconditionally. They are now routed by Subject==Issuer (self-signed -> Root, otherwise -> CertificateAuthority), matching Request-InfisicalCertificate. Routing centralized in InfisicalCertificateRequestHelpers.GetChainCertificateTargetStore and a new InstallChain(IEnumerable<X509Certificate2>,...) overload.
Help: authored Module/PSInfisicalAPI/en-US/PSInfisicalAPI.dll-Help.xml covering all 39 cmdlets (synopsis, description, notes, two examples per cmdlet: one-liner + OrderedDictionary splat with preceding Get- resolvers for IDs/slugs).
Build pipeline: build.ps1 stages the help XML into bin/<culture>/ next to the DLL during publish (hard-fails if missing or has zero <command:command> entries). Test-ModuleImports now enumerates every exported cmdlet via Get-Command, cross-checks against expected names, and asserts non-empty synopsis (rejecting auto-generated cmdlet-name fallback), non-empty description, and at least one example with a non-empty <dev:code> block.
Tests: 230/230 passing (up from 190).
Normalizes Hashtable, OrderedDictionary, PSObject-wrapped, and typed generic dictionaries into IDictionary<string,string>[] before parameter binding, enabling native PowerShell @{...} and [ordered]@{...} literals against the strongly-typed -Secrets parameter on New-/Update-InfisicalSecret. Adds 8 transformation tests; 174/174 passing.
- Endpoint registry: register POST/PATCH/DELETE /api/v4/secrets/batch as preferred candidates for BulkCreate/Update/Delete; v3 raw routes retained as automatic fallback.
- DTOs: add projectId (required for v4) alongside workspaceId on the three batch request envelopes; both serialized when set, both ignored when null.
- SecretsClient: populate ProjectId in CreateBatch/UpdateBatch/DeleteBatch so v4 succeeds on first attempt.
- Cmdlets: -Secrets on New/Update-InfisicalSecret changed from Hashtable[] to IDictionary<string,string>[] for stronger typing and tab-completion; converter rewritten to accept IEnumerable<IDictionary<string,string>>. TagIds parsed from comma-separated string; nested Metadata dropped from bulk hashtable surface (still settable programmatically on bulk items).
- Tests: 166 passing (was 161). Bulk endpoints now resolve to v4 primary with v3 fallback; new tests verify projectId envelope serialization, dual-key omission, and TagIds trimming.
- Bulk parameter sets on New-/Update-/Remove-InfisicalSecret via v3/secrets/batch/raw.
- Copy-InfisicalSecret cmdlet wrapping v4/secrets/duplicate.
- InfisicalCmdletBase.Resolve{ProjectId,Environment,SecretPath,ApiVersion,OrganizationId} with verbose inheritance logging.
- All resource cmdlets refactored to use the resolution helpers.
- InfisicalBulkSecretConverter for flexible Hashtable -> DTO mapping.
- 22 new unit tests covering registry, DTOs, converter, and inheritance helpers. Total: 161 passing.
Adds <RollForward>LatestMajor</RollForward> to the test project so the net8.0 testhost can run on hosts that only have a newer .NET runtime installed (e.g. CI hosts with .NET 10 only). Locally with .NET 8 present this is a no-op; on the runner with .NET 10.0.8 the testhost will roll forward instead of aborting with 'You must install or update .NET to run this application'.
All three jobs (build, release, publish) now target runs-on: powershell-linux, which maps to :host on the Gitea runner so steps execute directly on the host OS instead of inside a Docker container. Dropped the apt-get/sudo install blocks and actions/setup-dotnet in favor of a fast preflight that verifies pwsh (and dotnet for the build job) are present, failing loudly otherwise. Publish job migrated off the legacy PowerShellGet v2 path (Set-PSRepository / Install-PackageProvider NuGet / Publish-Module) to Microsoft.PowerShell.PSResourceGet (Set-PSResourceRepository / Publish-PSResource), which is bundled with PS 7.4+ on Linux and does not depend on the NuGet package provider.
Get-InfisicalSecrets and Get-InfisicalSecret now return real secret values by default. Pass -ViewSecretValue:False to opt in to the server's hidden response. InfisicalSecretMapper detects the <hidden-by-infisical> placeholder and the secretValueHidden flag; in either case SecretValue is set to null instead of pushing the literal placeholder into a SecureString, so downstream auth/export/dictionary consumers can never silently use the placeholder as if it were a real secret.
InfisicalSecret.GetPlainTextValue() returns the SecureString contents as a managed string for ergonomic PowerShell access. ConvertTo-InfisicalSecretDictionary -AsPlainText emits Dictionary<string,string> instead of Dictionary<string,SecureString>; default behavior unchanged. Export-InfisicalSecrets already writes plain text via secret.UsePlainTextValue(), so no switch was added there.
gsadmin
GraceSolutions