feat(signatures): add Azure Key Vault signer

[Mythie]

Summary

• Adds AzureKeyVaultSigner for signing PDFs with keys stored in Azure Key Vault and Managed HSM, following the same pattern as the existing GoogleKmsSigner
• Supports RSA (PKCS#1 v1.5 and PSS) and ECDSA with automatic algorithm resolution from key type and digest algorithm
• Azure SDK packages are optional peer dependencies, dynamically imported at runtime — zero impact on bundle size for non-Azure users

Details

New files

• src/signatures/signers/azure-key-vault.ts — Full implementation with AzureKeyVaultSigner.create() factory, algorithm mapping, JWK-to-SPKI conversion, and REST error handling
• src/signatures/signers/azure-key-vault.test.ts — 48 unit tests + 8 integration tests (skipped without Azure credentials)
• apps/docs/content/docs/guides/signatures/azure-key-vault.mdx — Documentation page with setup, API reference, and examples
• .agents/plans/warm-purple-cloud-azure-key-vault-signer.md — Implementation plan

Modified files

• src/signatures/types.ts — Added AzureKeyVaultSignerError
• src/signatures/signers/index.ts, src/signatures/index.ts, src/index.ts — Added exports
• package.json — Added @azure/keyvault-keys, @azure/keyvault-certificates, @azure/identity as optional peer deps
• apps/docs/content/docs/guides/signatures/index.mdx — Updated KMS section to include Azure
• apps/docs/content/docs/guides/signatures/meta.json — Added page to nav

Also included (separate commit)

• fix(docs): move content into apps/docs — Relocates content/docs/ into apps/docs/content/docs/ to resolve a Next.js turbopack issue

Testing

• All 2893 tests pass (bun run test:run)
• Typecheck clean (bun run typecheck)
• Lint clean (bun run lint)
• Manual integration testing with Azure credentials still pending

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
core	Ready	Preview, Comment	Feb 7, 2026 11:09pm