From 64da561534224e581980b514e08bb84407755105 Mon Sep 17 00:00:00 2001
From: imSp4rky <george+slight@slight.me>
Date: Sun, 17 May 2026 12:18:32 -0600
Subject: [PATCH] feat(vaults): tolerate vault failures during key get/add

Wrap vault get_key/add_key/add_keys calls in broad exception handlers so a single failing vault (network, auth, driver error) no longer aborts the operation - other vaults are still consulted/written. Failure cause is logged at WARNING so issues remain debuggable.

Inspired by unshackle-dl/unshackle#104 by @CodeName393.

Co-authored-by: CodeName393 <62503817+CodeName393@users.noreply.github.com>
---
 unshackle/core/vaults.py | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/unshackle/core/vaults.py b/unshackle/core/vaults.py
index 1c50f71..00c2728 100644
--- a/unshackle/core/vaults.py
+++ b/unshackle/core/vaults.py
@@ -1,3 +1,4 @@
+import logging
 from typing import Any, Iterator, Optional, Union
 from uuid import UUID
 
@@ -5,6 +6,8 @@ from unshackle.core.config import config
 from unshackle.core.utilities import import_module_by_path
 from unshackle.core.vault import Vault
 
+log = logging.getLogger(__name__)
+
 _VAULTS = sorted(
     (path for path in config.directories.vaults.glob("*.py") if path.stem.lower() != "__init__"), key=lambda x: x.stem
 )
@@ -48,7 +51,13 @@ class Vaults:
     def get_key(self, kid: Union[UUID, str]) -> tuple[Optional[str], Optional[Vault]]:
         """Get Key from the first Vault it can by KID (Key ID) and Service."""
         for vault in self.vaults:
-            key = vault.get_key(kid, self.service)
+            try:
+                key = vault.get_key(kid, self.service)
+            except (PermissionError, NotImplementedError):
+                continue
+            except Exception as e:
+                log.warning(f"Failed to get key from Vault '{vault.name}': {e}")
+                continue
             if key and key.count("0") != len(key):
                 return key, vault
         return None, None
@@ -62,6 +71,8 @@ class Vaults:
                     success += vault.add_key(self.service, kid, key)
                 except (PermissionError, NotImplementedError):
                     pass
+                except Exception as e:
+                    log.warning(f"Failed to add key to Vault '{vault.name}': {e}")
         return success
 
     def add_keys(self, kid_keys: dict[Union[UUID, str], str]) -> int:
@@ -79,6 +90,8 @@ class Vaults:
                     success += 1
                 except (PermissionError, NotImplementedError):
                     pass
+                except Exception as e:
+                    log.warning(f"Failed to add keys to Vault '{vault.name}': {e}")
         return success