reysic · alta01 · Mar 17, 2026 · Mar 17, 2026 · Mar 17, 2026 · Mar 17, 2026
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -2,25 +2,34 @@ name: Release
 
 on:
   push:
-    tags: [v*]
+    tags:
+      - "v*"
   workflow_dispatch:
 
+permissions:
+  contents: write
+
 jobs:
   release:
     runs-on: windows-latest
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
+      - name: Setup .NET SDK
+        uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: "10.0.102"
+
       - name: Setup Git
         run: |
           git config --global url."https://user:${{ secrets.GITHUB_TOKEN }}@github".insteadOf https://github
           git config --global user.name github-actions
-          git config --global user.email github-actions@github.com          
+          git config --global user.email github-actions@github.com
 
       - name: Run release script
         shell: PowerShell
-        run: ./release.ps1
+        run: ./release.ps1
diff --git a/AGENTS.md b/AGENTS.md
@@ -0,0 +1,142 @@
+# AGENTS.md — Azure Key Vault Explorer
+
+This file provides context for AI coding agents working in this repository.
+
+## What this project is
+
+Azure Key Vault Explorer is a Windows desktop application (.NET 10 / WinForms) for browsing,
+editing, and managing secrets, keys, and certificates stored in Azure Key Vault. It supports
+ClickOnce deployment so end users install and auto-update via a hosted manifest URL.
+
+This repository is a fork of [reysic/AzureKeyVaultExplorer](https://github.com/reysic/AzureKeyVaultExplorer),
+which originated from [microsoft/AzureKeyVaultExplorer](https://github.com/microsoft/AzureKeyVaultExplorer).
+Changes developed here are intended to be contributed back upstream via a PR to reysic's fork.
+
+## Tech stack
+
+| Layer | Technology |
+|---|---|
+| UI | Windows Forms (.NET 10) |
+| Auth | Microsoft.Identity.Client (MSAL v4) — browser-based OAuth |
+| Azure SDK | Microsoft.Azure.Management.KeyVault (ARM), Microsoft.Azure.KeyVault (data plane) |
+| Publishing | ClickOnce via MSBuild `/target:publish` with `ClickOnceProfile.pubxml` |
+| CI | GitHub Actions (`.github/workflows/release.yml`), triggered by `v*` tags |
+
+## Repository layout
+
+```
+AzureKeyVaultExplorer.sln       Solution file
+Vault/
+  Explorer/                     Main WinForms app (VaultExplorer.csproj)
+    Common/                     Helpers: ActivationUri, Utils, UxOperation
+    Config/                     VaultConfigurationManager + JSON config templates
+    Controls/                   ListViews, custom WinForms controls
+    Dialogs/
+      Subscriptions/            SubscriptionsManagerDialog — vault picker via ARM
+      Secrets/                  SecretDialog
+      Certificates/             CertificateDialog
+      Settings/                 SettingsDialog
+    Model/                      Domain objects: PropObjects, ContentTypes, Tags, Aliases
+    Globals.cs                  All global URL constants (GitHub, ClickOnce install URL)
+    MainForm.cs                 Main window; hosts vault dropdown and secret list
+    Program.cs                  Entry point; handles ClickOnce activation URI
+  Library/                      Vault access abstractions (VaultAccess*, VaultConfig, etc.)
+  Core/                         Utilities shared across Library and Explorer
+  ClearClipboard/               Companion exe to clear clipboard after copy-secret
+  Build/                        T4 templates and version props
+.github/workflows/release.yml  CI release workflow
+release.ps1                     Local / CI publish script (requires MSBuild 17.14+)
+release.md                      Step-by-step release instructions
+tag_and_push.ps1               Creates and pushes a `v*` tag to trigger release
+```
+
+## Key constants — always keep these pointing to reysic
+
+`Vault/Explorer/Globals.cs` holds every URL string the app uses at runtime:
+
+```csharp
+OnlineActivationUri  = "https://reysic.github.io/AzureKeyVaultExplorer/VaultExplorer.application"
+GitHubUrl            = "https://github.com/reysic/AzureKeyVaultExplorer"
+GitHubIssuesUrl      = "https://github.com/reysic/AzureKeyVaultExplorer/issues"
+ActivationUrl        = "https://reysic.github.io/AzureKeyVaultExplorer/VaultExplorer.application"
+```
+
+`Vault/Explorer/Properties/PublishProfiles/ClickOnceProfile.pubxml` holds the ClickOnce
+`InstallUrl`, `ErrorReportUrl`, and `SupportUrl` — these must also point to reysic.
+
+## How to build locally
+
+```
+dotnet build AzureKeyVaultExplorer.sln
+```
+
+Requirements: .NET 10 SDK (`dotnet --list-sdks` should show `10.x`).
+
+## How to publish (ClickOnce release)
+
+See `release.md`. Short version:
+
+1. Run `.\tag_and_push.ps1` — creates and pushes a `v*` tag.
+2. GitHub Actions runs `release.ps1` which publishes with MSBuild and pushes output to `gh-pages`.
+3. Users install / update from `https://reysic.github.io/AzureKeyVaultExplorer`.
+
+For local-only publish validation (no gh-pages push):
+```powershell
+.\release.ps1 -OnlyBuild
+```
+
+Requires: **Visual Studio 2022 17.14+** (MSBuild 17.14+ for .NET 10 ClickOnce).
+
+## Vault picker dialog (SubscriptionsManagerDialog)
+
+The "Pick vault from subscription..." flow in `MainForm.cs` opens
+`Vault/Explorer/Dialogs/Subscriptions/SubscriptionsManagerDialog.cs`.
+
+Key behaviors to be aware of when editing it:
+
+- **Account → Tenant → Subscription → Vault** — cascading async selection.
+- `uxButtonOK` starts **disabled**; it is only enabled after `Vaults.GetAsync` succeeds in
+  `uxListViewVaults_SelectedIndexChanged`. A try-catch wraps this call — errors show a warning
+  MessageBox but leave the dialog open so the user can pick a different vault.
+- The onboarding prompt (no saved accounts) fires from the `Shown` event, not the constructor,
+  so the form is fully rendered before any MessageBox appears.
+- `MinimumSize` is set in the Designer to prevent the window from being resized so small that
+  the OK/Cancel buttons are clipped.
+
+## UxOperation pattern
+
+`Common/UxOperation.cs` is used with `using` to show progress while async work runs:
+
+```csharp
+using (var op = this.NewUxOperationWithProgress(controlsToDisable))
+{
+    // async work here; op.CancellationToken is available
+}
+```
+
+`Dispose()` re-enables controls, hides the progress bar, and resets the cursor.
+
+## Configuration files (user-editable)
+
+Located in the app's install folder or a user-specified "Root location":
+
+| File | Purpose |
+|---|---|
+| `Vaults.json` | Vault credential definitions |
+| `VaultAliases.json` | Named vault aliases shown in the main dropdown |
+| `SecretKinds.json` | Regex-validated secret types with tag schemas |
+| `CustomTags.json` | Tag definitions referenced by SecretKinds |
+
+## Known open items
+
+- Deprecated Azure SDK packages (Microsoft.Azure.KeyVault, Microsoft.Azure.Management.KeyVault,
+  Microsoft.IdentityModel.Clients.ActiveDirectory, etc.) — migration to Track 2 non-preview
+  packages is a pending backlog item.
+- PowerShell integration was removed (does not work with .NET 8+).
+
+## Coding conventions
+
+- Namespace prefix: `Microsoft.Vault.*`
+- `async void` is used only for WinForms event handlers; wrap async body in try-catch.
+- All user-visible strings are inline (no resource file abstraction needed for this tool).
+- Designer-generated code lives in `*.Designer.cs`; do not edit `.resx` binary sections manually.
diff --git a/README.md b/README.md
@@ -1,10 +1,12 @@
 # ![bigKey](./Screenshots/Key64x64.png) Azure Key Vault Explorer
 
-**NOTE: This is a fork of the original project located at [https://github.com/microsoft/AzureKeyVaultExplorer](https://github.com/microsoft/AzureKeyVaultExplorer). This fork is not maintained by, or affiliated with, Microsoft, and was created to allow for continued development of the tool by the community.**
+**NOTE: This repository is a fork of [reysic/AzureKeyVaultExplorer](https://github.com/reysic/AzureKeyVaultExplorer), which itself originated from [microsoft/AzureKeyVaultExplorer](https://github.com/microsoft/AzureKeyVaultExplorer). This fork is community-maintained and includes updates developed with GitHub Copilot assistance.**
 
 Azure Key Vault Explorer - be productive when working with secrets!
 
-**[Click here to install the latest version (https://reysic.github.io/AzureKeyVaultExplorer)](https://reysic.github.io/AzureKeyVaultExplorer)**
+**[Click here to install the latest version (VaultExplorer.application)](https://reysic.github.io/AzureKeyVaultExplorer/VaultExplorer.application)**
+
+If the install link does not load yet, enable **GitHub Pages** in this fork (`Settings -> Pages`) and publish from the branch that contains this repository.
 
 Original Authors: Eli Zeitlin, Gokhan Ozhan, Anna Zeitlin  
 Current Authors: [reysic](https://github.com/reysic), [softworkz](https://github.com/softworkz)  
@@ -33,6 +35,26 @@ Contact: Submit issues/PRs on this repo
 * [Contributing](#contributing)
   * [TODOs](#todos)
 
+## Recent Updates
+
+* **Tenant selector and account flow improvements**
+  * Sign in first, then select tenant from discovered tenants before loading subscriptions.
+  * Added support for saved accounts with known tenants and selectable default tenant behavior.
+  * Reduced duplicate login prompts in common account/tenant switch flows.
+* **Subscription vault selection improvements**
+  * Better handling for "Pick vault from subscription..." and immediate vault activation after selecting a vault.
+  * Improved quick switching behavior with persisted last selected vault.
+  * Added clearer onboarding/error messages when no accounts or subscriptions are configured yet.
+* **Platform/runtime modernization**
+  * Migrated Windows projects to **.NET 10** target frameworks.
+  * Updated build compatibility for current `dotnet` tooling and maintained vulnerability-clean package baseline.
+* **Release and deployment hardening**
+  * ClickOnce release workflow is configured in `.github/workflows/release.yml` and uses `release.ps1`.
+  * Release docs are now fork-specific and include tag-driven publish steps (`release.md`).
+* **Deprecated package validation status**
+  * Deprecated package scan was re-run and confirms legacy Azure SDK packages are still present.
+  * Migration to non-deprecated Azure SDK Track 2 packages remains an open refactor backlog item.
+
 ## Key features
 
 * Best user experience for authentication, you will be prompted at most *once* to enter your credentials
@@ -68,7 +90,7 @@ Contact: Submit issues/PRs on this repo
 
 There are 4 ways how you can make Vault Explorer to work with your vaults:
 
-1. In case Vault Explorer is not installed on the box, you may just run: reysic.github.io/AzureKeyVaultExplorer?vault://[ENTER HERE YOUR VAULT NAME]`
+1. In case Vault Explorer is not installed on the box, you may just run: `reysic.github.io/AzureKeyVaultExplorer?vault://[ENTER HERE YOUR VAULT NAME]`
 2. In case Vault Explorer already installed on the box, you can just hit Win+R type `vault://[ENTER HERE YOUR VAULT NAME]` and hit Enter
     * Note: The above two methods do **NOT** allow for alternative account login  
 3. Run Vault Explorer, open vault combo box, select last item "Pick vault from subscription..."  
@@ -301,16 +323,18 @@ Telemetry can be disabled in the Settings dialog. Set *Disable telemetry* to *Tr
 
 ### Building
 
-This project has been tested with Visual Studio 2022 and .NET Framework 4.8. To build locally:
+This fork is tested with Visual Studio 2022 and .NET 10 SDK. To build locally:
 
 * Clone this repo
-* Build and run
+* Install .NET 10 SDK (`dotnet --list-sdks` should show `10.x`)
+* Run `dotnet build AzureKeyVaultExplorer.sln`
+* Run and test the application from `Vault\Explorer`
 
 PRs are welcome!
 
 ### Publishing
 
-See [release.md](https://github.com/reysic/AzureKeyVaultExplorer/blob/c6c5153fc071ef74d306dff636df2f432d6dc27e/release.md). Following that process automatically triggers a couple of [Actions](https://github.com/reysic/AzureKeyVaultExplorer/actions), which run [release.ps1](https://github.com/reysic/AzureKeyVaultExplorer/blob/c6c5153fc071ef74d306dff636df2f432d6dc27e/release.ps1).
+See [release.md](./release.md). Following that process triggers [Actions](https://github.com/reysic/AzureKeyVaultExplorer/actions), which run [release.ps1](https://github.com/reysic/AzureKeyVaultExplorer/blob/main/release.ps1).
 
 ### TODOs
 
@@ -321,13 +345,14 @@ See [release.md](https://github.com/reysic/AzureKeyVaultExplorer/blob/c6c5153fc0
   * Microsoft.IdentityModel.Clients.ActiveDirectory
   * Microsoft.Rest.ClientRuntime
   * Microsoft.Rest.ClientRuntime.Azure
+  * Status: Validation completed; migration to non-deprecated replacements is still pending.
 * Setup ClickOnce deployment
   * Re-establish existing ClickOnce install with new URL - :white_check_mark:
   * Document release process - :white_check_mark:
   * Configure ClickOnce deployments for future releases - :white_check_mark:
 * Improve onboarding
-  * Better error messaging if user hasn't configured subscription dialog values
-* Update README.md to reflect latest  state
+  * Better error messaging if user hasn't configured subscription dialog values - :white_check_mark:
+* Update README.md to reflect latest state - :white_check_mark:
 
 #### softworkz Updates