feat(core): Actually use KeyManager ProviderConfig

service/internal/security/in_process_provider.go

@@ -97,8 +97,10 @@ func (k *KeyDetailsAdapter) ExportCertificate(_ context.Context) (string, error)
 }
 
 func (k *KeyDetailsAdapter) ProviderConfig() *policy.KeyProviderConfig {
-	// Provider config is not supported for this adapter.
-	return nil
+	return &policy.KeyProviderConfig{
+		Manager: inProcessSystemName,
+		Name:    "static",
+	}
 }
 
 // NewSecurityProviderAdapter creates a new adapter that implements SecurityProvider using a CryptoProvider

service/kas/access/publicKey_test.go

@@ -182,7 +182,9 @@ func TestPublicKeyWithSecurityProvider(t *testing.T) {
 
 	// Create Provider with the mock security provider
 	delegator := trust.NewDelegatingKeyService(mockProvider, logger.CreateTestLogger(), nil)
-	delegator.RegisterKeyManager(mockProvider.Name(), func(_ *trust.KeyManagerFactoryOptions) (trust.KeyManager, error) { return mockProvider, nil })
+	delegator.RegisterKeyManagerCtx(mockProvider.Name(), func(_ context.Context, _ *trust.KeyManagerFactoryOptions) (trust.KeyManager, error) {
+		return mockProvider, nil
+	})
 	kas := Provider{
 		KeyDelegator: delegator,
 		KASConfig: KASConfig{
@@ -351,7 +353,7 @@ func TestStandardCertificateHandlerEmpty(t *testing.T) {
 	inProcess := security.NewSecurityProviderAdapter(c, nil, nil)
 
 	delegator := trust.NewDelegatingKeyService(inProcess, logger.CreateTestLogger(), nil)
-	delegator.RegisterKeyManager(inProcess.Name(), func(_ *trust.KeyManagerFactoryOptions) (trust.KeyManager, error) {
+	delegator.RegisterKeyManagerCtx(inProcess.Name(), func(_ context.Context, _ *trust.KeyManagerFactoryOptions) (trust.KeyManager, error) {
 		return inProcess, nil
 	})
 

service/kas/kas.go

@@ -61,7 +61,7 @@ func NewRegistration() *serviceregistry.Service[kasconnect.AccessServiceHandler]
 					}
 				}
 
-				var kmgrNames []string
+				var kmgrs []string
 
 				if kasCfg.Preview.KeyManagement {
 					srp.Logger.Info("preview feature: key management is enabled")
@@ -75,23 +75,26 @@ func NewRegistration() *serviceregistry.Service[kasconnect.AccessServiceHandler]
 
 					// Configure new delegation service
 					p.KeyDelegator = trust.NewDelegatingKeyService(NewPlatformKeyIndexer(srp.SDK, kasURL.String(), srp.Logger), srp.Logger, cacheClient)
-					for _, manager := range srp.KeyManagerFactories {
-						p.KeyDelegator.RegisterKeyManager(manager.Name, manager.Factory)
-						kmgrNames = append(kmgrNames, manager.Name)
+					if len(srp.KeyManagerFactories) > 0 {
+						srp.Logger.Error("kas service ignores legacy KeyManagerFactories; using KeyManagerCtxFactories instead")
+					}
+					for _, manager := range srp.KeyManagerCtxFactories {
+						p.KeyDelegator.RegisterKeyManagerCtx(manager.Name, manager.Factory)
+						kmgrs = append(kmgrs, manager.Name)
 					}
 
 					// Register Basic Key Manager
-					p.KeyDelegator.RegisterKeyManager(security.BasicManagerName, func(opts *trust.KeyManagerFactoryOptions) (trust.KeyManager, error) {
+					p.KeyDelegator.RegisterKeyManagerCtx(security.BasicManagerName, func(_ context.Context, opts *trust.KeyManagerFactoryOptions) (trust.KeyManager, error) {
 						bm, err := security.NewBasicManager(opts.Logger, opts.Cache, kasCfg.RootKey)
 						if err != nil {
 							return nil, err
 						}
 						return bm, nil
 					})
-					kmgrNames = append(kmgrNames, security.BasicManagerName)
+					kmgrs = append(kmgrs, security.BasicManagerName)
 					// Explicitly set the default manager for session key generation.
 					// This should be configurable, e.g., defaulting to BasicManager or an HSM if available.
-					p.KeyDelegator.SetDefaultMode(security.BasicManagerName) // Example: default to BasicManager
+					p.KeyDelegator.SetDefaultMode(security.BasicManagerName, "", nil) // Example: default to BasicManager
 				} else {
 					// Set up both the legacy CryptoProvider and the new SecurityProvider
 					kasCfg.UpgradeMapToKeyring(srp.OTDF.CryptoProvider)
@@ -100,14 +103,14 @@ func NewRegistration() *serviceregistry.Service[kasconnect.AccessServiceHandler]
 					inProcessService := initSecurityProviderAdapter(p.CryptoProvider, kasCfg, srp.Logger)
 
 					p.KeyDelegator = trust.NewDelegatingKeyService(inProcessService, srp.Logger, nil)
-					p.KeyDelegator.RegisterKeyManager(inProcessService.Name(), func(*trust.KeyManagerFactoryOptions) (trust.KeyManager, error) {
+					p.KeyDelegator.RegisterKeyManagerCtx(inProcessService.Name(), func(_ context.Context, _ *trust.KeyManagerFactoryOptions) (trust.KeyManager, error) {
 						return inProcessService, nil
 					})
 					// Set default for non-key-management mode
-					p.KeyDelegator.SetDefaultMode(inProcessService.Name())
-					kmgrNames = append(kmgrNames, inProcessService.Name())
+					p.KeyDelegator.SetDefaultMode(inProcessService.Name(), "", nil)
+					kmgrs = append(kmgrs, inProcessService.Name())
 				}
-				srp.Logger.Info("kas registered trust.KeyManagers", slog.Any("key_managers", kmgrNames))
+				srp.Logger.Info("kas registered trust.KeyManagers", slog.Any("key_managers", kmgrs))
 
 				p.SDK = srp.SDK
 				p.Logger = srp.Logger

service/policy/db/key_access_server_registry.go

@@ -480,6 +480,7 @@ func (c PolicyDBClient) GetKey(ctx context.Context, identifier any) (*policy.Kas
 	if key.ProviderConfigID.Valid {
 		providerConfig = &policy.KeyProviderConfig{}
 		providerConfig.Id = UUIDToString(key.ProviderConfigID)
+		providerConfig.Manager = key.PcManager.String
 		providerConfig.Name = key.ProviderName.String
 		providerConfig.ConfigJson = key.PcConfig
 		providerConfig.Metadata = &common.Metadata{}

service/policy/db/queries/key_access_server_registry.sql

@@ -188,6 +188,7 @@ SELECT
       'updated_at', kask.updated_at                
     )
   ) AS metadata,
+  pc.manager AS pc_manager,
   pc.provider_name,
   pc.config AS pc_config,
   JSON_STRIP_NULLS(JSON_BUILD_OBJECT('labels', pc.metadata -> 'labels', 'created_at', pc.created_at, 'updated_at', pc.updated_at)) AS pc_metadata,

service/policy/keymanagement/key_management.go

@@ -69,8 +69,11 @@ func NewRegistration(ns string, dbRegister serviceregistry.DBRegister) *servicer
 
 				// Register key managers in well-known configuration
 				ksvc.keyManagerFactories = make([]registeredManagers, 0, len(srp.KeyManagerFactories))
+				if len(srp.KeyManagerFactories) > 0 {
+					srp.Logger.Error("keymanagement: ignoring legacy KeyManagerFactories; using KeyManagerCtxFactories instead")
+				}
 				managersMap := make(map[string]any)
-				for i, factory := range srp.KeyManagerFactories {
+				for i, factory := range srp.KeyManagerCtxFactories {
 					rm := registeredManagers{
 						Name:        factory.Name,
 						Description: "Key manager: " + factory.Name,