---
applyTo: "Fuchs/**,Fuchs_DataService/**"
---

# Configuration & Secrets Instructions

## Settings Source
- All application settings live in `Fuchs/appsettings.json`. **Never** use `Web.config` or `System.Configuration.ConfigurationManager` for app settings.
- App-specific settings are nested under the `"Fuchs"` key, e.g. `_config["Fuchs:SMS_APIKey"]`.
- Connection strings live under the standard `"ConnectionStrings"` key and are read via `IConfiguration.GetConnectionString(...)`.
- `appsettings.Development.json` (git-ignored) overrides secrets for local development.

## Startup Order
- Call `FuchsOcmsIntranet.Initialize(configuration)` at app start in `Program.cs` **before** DI registration.
- `Fuchs_intranet` receives `IConfiguration` via its constructor — inject it, never read config statically.

## Azure Key Vault — Secret Naming
Secret names must satisfy `^[0-9a-zA-Z-]+$` (alphanumerics and hyphens only; no underscores, dots, or spaces).

- Hierarchy levels are separated by `--` (double hyphen), which maps to `:` in `IConfiguration`.
- Underscores within a name segment are encoded as a single `-` in Key Vault and decoded back to `_` when the key is reconstructed.
- The app prefix `fuchs` is prepended to every secret name.
- Format: `{appname}--{Section}--{key-with-hyphens-for-underscores}`

### Examples
| Key Vault name | `IConfiguration` key |
|----------------|----------------------|
| `fuchs--ConnectionStrings--ocms-ConnectionString` | `ConnectionStrings:ocms_ConnectionString` |
| `fuchs--Fuchs--SMS-APIKey` | `Fuchs:SMS_APIKey` |
| `fuchs--Fuchs--Email--Main--password` | `Fuchs:Email:Main:password` |

## Adding a New Secret
1. Replace every `_` in the original config key with `-` for the Key Vault name.
2. Add the entry to `ManagedSecretKeys` in `appsettings.json` using the same hyphenated form **without** the `fuchs--` prefix.
3. Read it through `IConfiguration` with the underscore form (`Fuchs:SMS_APIKey`).

## Secret Management Wiring
- Secret management is provided by `OCORE_web.Secrets.SecretManagementWebExtensions.AddSecretManagement(...)` (called in `Program.cs`).
- Do **not** create a local `SecretManagementExtensions` stub in Fuchs — it collides with the OCORE_web extension and causes ambiguous extension-method resolution.