Yea that is a hard problem to solve. Right now RunSecret depends on the host system (your laptop, CI runner, or application container) having access to the secret vault(s) of choice that you reference. This can be through ENV VARS, OIDC, or IAM roles (in some cases) but currently there is no HSM support.