npm - @acmekit/secrets-aws - Versions diffs - 2.13.53 - Mend

@acmekit/secrets-aws 2.13.53

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (26) hide show

package/dist/index.d.ts +18 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +119 -0
package/dist/index.js.map +1 -0
package/dist/initialize/index.d.ts +4 -0
package/dist/initialize/index.d.ts.map +1 -0
package/dist/initialize/index.js +16 -0
package/dist/initialize/index.js.map +1 -0
package/dist/loaders/index.d.ts +14 -0
package/dist/loaders/index.d.ts.map +1 -0
package/dist/loaders/index.js +59 -0
package/dist/loaders/index.js.map +1 -0
package/dist/services/aws-secrets.d.ts +28 -0
package/dist/services/aws-secrets.d.ts.map +1 -0
package/dist/services/aws-secrets.js +113 -0
package/dist/services/aws-secrets.js.map +1 -0
package/dist/services/index.d.ts +2 -0
package/dist/services/index.d.ts.map +1 -0
package/dist/services/index.js +9 -0
package/dist/services/index.js.map +1 -0
package/dist/tsconfig.tsbuildinfo +1 -0
package/dist/types/index.d.ts +49 -0
package/dist/types/index.d.ts.map +1 -0
package/dist/types/index.js +3 -0
package/dist/types/index.js.map +1 -0
package/package.json +40 -0

package/dist/index.d.ts ADDED Viewed

@@ -0,0 +1,18 @@
+import { ModuleExports } from "@acmekit/framework/types";
+import type { Logger } from "@acmekit/framework/types";
+import type { ContainerLike } from "@acmekit/framework/types";
+import { AwsSecretsModuleOptions } from "./types";
+declare const moduleDefinition: ModuleExports;
+export default moduleDefinition;
+export * from "./initialize";
+export * from "./types";
+/**
+ * Bootstrap injection hook called by `secretsBootstrapLoader` before modules initialize.
+ *
+ * Fetches secrets configured under `inject` and writes them to `process.env`.
+ * Runs before `pgConnectionLoader` so database credentials can come from AWS Secrets Manager.
+ *
+ * Values are NEVER logged.
+ */
+export declare function bootstrapInject(options: AwsSecretsModuleOptions, container: ContainerLike, logger?: Logger): Promise<void>;
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAKA,OAAO,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAA;AACxD,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,0BAA0B,CAAA;AACtD,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAA;AAG7D,OAAO,EAAE,uBAAuB,EAAE,MAAM,SAAS,CAAA;AAOjD,QAAA,MAAM,gBAAgB,EAAE,aAGvB,CAAA;AAED,eAAe,gBAAgB,CAAA;AAC/B,cAAc,cAAc,CAAA;AAC5B,cAAc,SAAS,CAAA;AAEvB;;;;;;;GAOG;AACH,wBAAsB,eAAe,CACnC,OAAO,EAAE,uBAAuB,EAChC,SAAS,EAAE,aAAa,EACxB,MAAM,CAAC,EAAE,MAAM,GACd,OAAO,CAAC,IAAI,CAAC,CA6Df"}

package/dist/index.js ADDED Viewed

@@ -0,0 +1,119 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.bootstrapInject = bootstrapInject;
+const client_secrets_manager_1 = require("@aws-sdk/client-secrets-manager");
+const awilix_1 = require("@acmekit/framework/awilix");
+const loaders_1 = __importStar(require("./loaders"));
+const aws_secrets_1 = __importDefault(require("./services/aws-secrets"));
+const CONTAINER_KEY = "secretsManagerClient";
+const service = aws_secrets_1.default;
+const loaders = [loaders_1.default];
+const moduleDefinition = {
+    service,
+    loaders,
+};
+exports.default = moduleDefinition;
+__exportStar(require("./initialize"), exports);
+__exportStar(require("./types"), exports);
+/**
+ * Bootstrap injection hook called by `secretsBootstrapLoader` before modules initialize.
+ *
+ * Fetches secrets configured under `inject` and writes them to `process.env`.
+ * Runs before `pgConnectionLoader` so database credentials can come from AWS Secrets Manager.
+ *
+ * Values are NEVER logged.
+ */
+async function bootstrapInject(options, container, logger) {
+    const inject = options.inject ?? [];
+    if (!inject.length) {
+        return;
+    }
+    let client;
+    // Idempotent: reuse client if the module loader already ran (unlikely at bootstrap, but safe)
+    if (container.hasRegistration?.(CONTAINER_KEY)) {
+        client = container.resolve(CONTAINER_KEY);
+    }
+    else {
+        client = (0, loaders_1.createSecretsManagerClient)(options);
+        container.register?.({
+            [CONTAINER_KEY]: (0, awilix_1.asValue)(client),
+        });
+    }
+    for (const secretConfig of inject) {
+        try {
+            const response = await client.send(new client_secrets_manager_1.GetSecretValueCommand({
+                SecretId: secretConfig.secretId,
+                VersionStage: secretConfig.versionStage,
+            }));
+            const raw = response.SecretString;
+            if (!raw) {
+                continue;
+            }
+            let parsed;
+            try {
+                parsed = JSON.parse(raw);
+            }
+            catch {
+                // Secret is a plain string — inject under the secretId key itself
+                parsed = { [secretConfig.secretId]: raw };
+            }
+            for (const [secretKey, secretValue] of Object.entries(parsed)) {
+                const envKey = secretConfig.mapping
+                    ? (secretConfig.mapping[secretKey] ?? secretKey)
+                    : secretKey;
+                if (!secretConfig.override && process.env[envKey] !== undefined) {
+                    continue;
+                }
+                // Write to process.env — never log the value
+                process.env[envKey] = String(secretValue);
+            }
+        }
+        catch (err) {
+            const message = `Failed to bootstrap secret "${secretConfig.secretId}": ` + err.message;
+            if (options.fallback === false) {
+                throw new Error(message);
+            }
+            logger?.warn(message);
+        }
+    }
+}
+//# sourceMappingURL=index.js.map

package/dist/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAkCA,0CAiEC;AAnGD,4EAGwC;AACxC,sDAAmD;AAInD,qDAA8D;AAC9D,yEAAsD;AAGtD,MAAM,aAAa,GAAG,sBAAsB,CAAA;AAE5C,MAAM,OAAO,GAAG,qBAAiB,CAAA;AACjC,MAAM,OAAO,GAAG,CAAC,iBAAM,CAAC,CAAA;AAExB,MAAM,gBAAgB,GAAkB;IACtC,OAAO;IACP,OAAO;CACR,CAAA;AAED,kBAAe,gBAAgB,CAAA;AAC/B,+CAA4B;AAC5B,0CAAuB;AAEvB;;;;;;;GAOG;AACI,KAAK,UAAU,eAAe,CACnC,OAAgC,EAChC,SAAwB,EACxB,MAAe;IAEf,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,EAAE,CAAA;IACnC,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QACnB,OAAM;IACR,CAAC;IAED,IAAI,MAA4B,CAAA;IAEhC,8FAA8F;IAC9F,IAAK,SAAiB,CAAC,eAAe,EAAE,CAAC,aAAa,CAAC,EAAE,CAAC;QACxD,MAAM,GAAI,SAAiB,CAAC,OAAO,CAAC,aAAa,CAAyB,CAAA;IAC5E,CAAC;SAAM,CAAC;QACN,MAAM,GAAG,IAAA,oCAA0B,EAAC,OAAO,CAAC,CAC3C;QAAC,SAAiB,CAAC,QAAQ,EAAE,CAAC;YAC7B,CAAC,aAAa,CAAC,EAAE,IAAA,gBAAO,EAAC,MAAM,CAAC;SACjC,CAAC,CAAA;IACJ,CAAC;IAED,KAAK,MAAM,YAAY,IAAI,MAAM,EAAE,CAAC;QAClC,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,IAAI,CAChC,IAAI,8CAAqB,CAAC;gBACxB,QAAQ,EAAE,YAAY,CAAC,QAAQ;gBAC/B,YAAY,EAAE,YAAY,CAAC,YAAY;aACxC,CAAC,CACH,CAAA;YAED,MAAM,GAAG,GAAG,QAAQ,CAAC,YAAY,CAAA;YACjC,IAAI,CAAC,GAAG,EAAE,CAAC;gBACT,SAAQ;YACV,CAAC;YAED,IAAI,MAA8B,CAAA;YAClC,IAAI,CAAC;gBACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;YAC1B,CAAC;YAAC,MAAM,CAAC;gBACP,kEAAkE;gBAClE,MAAM,GAAG,EAAE,CAAC,YAAY,CAAC,QAAQ,CAAC,EAAE,GAAG,EAAE,CAAA;YAC3C,CAAC;YAED,KAAK,MAAM,CAAC,SAAS,EAAE,WAAW,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;gBAC9D,MAAM,MAAM,GAAG,YAAY,CAAC,OAAO;oBACjC,CAAC,CAAC,CAAC,YAAY,CAAC,OAAO,CAAC,SAAS,CAAC,IAAI,SAAS,CAAC;oBAChD,CAAC,CAAC,SAAS,CAAA;gBAEb,IAAI,CAAC,YAAY,CAAC,QAAQ,IAAI,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,KAAK,SAAS,EAAE,CAAC;oBAChE,SAAQ;gBACV,CAAC;gBAED,6CAA6C;gBAC7C,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG,MAAM,CAAC,WAAW,CAAC,CAAA;YAC3C,CAAC;QACH,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,MAAM,OAAO,GACX,+BAA+B,YAAY,CAAC,QAAQ,KAAK,GAAG,GAAG,CAAC,OAAO,CAAA;YACzE,IAAI,OAAO,CAAC,QAAQ,KAAK,KAAK,EAAE,CAAC;gBAC/B,MAAM,IAAI,KAAK,CAAC,OAAO,CAAC,CAAA;YAC1B,CAAC;YACD,MAAM,EAAE,IAAI,CAAC,OAAO,CAAC,CAAA;QACvB,CAAC;IACH,CAAC;AACH,CAAC"}

package/dist/initialize/index.d.ts ADDED Viewed

@@ -0,0 +1,4 @@
+import { ExternalModuleDeclaration, ISecretsModuleService } from "@acmekit/framework/types";
+import { AwsSecretsModuleOptions } from "../types";
+export declare const initialize: (options?: AwsSecretsModuleOptions | ExternalModuleDeclaration) => Promise<ISecretsModuleService>;
+//# sourceMappingURL=index.d.ts.map

package/dist/initialize/index.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/initialize/index.ts"],"names":[],"mappings":"AACA,OAAO,EACL,yBAAyB,EACzB,qBAAqB,EAEtB,MAAM,0BAA0B,CAAA;AAEjC,OAAO,EAAE,uBAAuB,EAAE,MAAM,UAAU,CAAA;AAElD,eAAO,MAAM,UAAU,GACrB,UAAU,uBAAuB,GAAG,yBAAyB,KAC5D,OAAO,CAAC,qBAAqB,CAW/B,CAAA"}

package/dist/initialize/index.js ADDED Viewed

@@ -0,0 +1,16 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.initialize = void 0;
+const modules_sdk_1 = require("@acmekit/framework/modules-sdk");
+const utils_1 = require("@acmekit/framework/utils");
+const initialize = async (options) => {
+    const serviceKey = utils_1.Modules.SECRETS;
+    const loaded = await modules_sdk_1.AcmeKitModule.bootstrap({
+        moduleKey: serviceKey,
+        defaultPath: "@acmekit/secrets-aws",
+        declaration: options,
+    });
+    return loaded[serviceKey];
+};
+exports.initialize = initialize;
+//# sourceMappingURL=index.js.map

package/dist/initialize/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/initialize/index.ts"],"names":[],"mappings":";;;AAAA,gEAA8D;AAM9D,oDAAkD;AAG3C,MAAM,UAAU,GAAG,KAAK,EAC7B,OAA6D,EAC7B,EAAE;IAClC,MAAM,UAAU,GAAG,eAAO,CAAC,OAAO,CAAA;IAClC,MAAM,MAAM,GAAG,MAAM,2BAAa,CAAC,SAAS,CAAwB;QAClE,SAAS,EAAE,UAAU;QACrB,WAAW,EAAE,sBAAsB;QACnC,WAAW,EAAE,OAEgB;KAC9B,CAAC,CAAA;IAEF,OAAO,MAAM,CAAC,UAAU,CAAC,CAAA;AAC3B,CAAC,CAAA;AAbY,QAAA,UAAU,cAatB"}

package/dist/loaders/index.d.ts ADDED Viewed

@@ -0,0 +1,14 @@
+import { SecretsManagerClient } from "@aws-sdk/client-secrets-manager";
+import { LoaderOptions } from "@acmekit/framework/types";
+import { AwsSecretsModuleOptions } from "../types";
+/**
+ * Creates a configured SecretsManagerClient from module options.
+ */
+export declare function createSecretsManagerClient(options: AwsSecretsModuleOptions): SecretsManagerClient;
+/**
+ * Module loader — runs during the parallel module initialization phase.
+ * Idempotent: skips client creation if `secretsBootstrapLoader` already ran.
+ */
+declare const _default: ({ container, logger, options, }: LoaderOptions) => Promise<void>;
+export default _default;
+//# sourceMappingURL=index.d.ts.map

package/dist/loaders/index.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/loaders/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAEL,oBAAoB,EACrB,MAAM,iCAAiC,CAAA;AAGxC,OAAO,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAA;AACxD,OAAO,EAAE,uBAAuB,EAAE,MAAM,UAAU,CAAA;AAIlD;;GAEG;AACH,wBAAgB,0BAA0B,CACxC,OAAO,EAAE,uBAAuB,GAC/B,oBAAoB,CActB;AAED;;;GAGG;yBACmB,iCAInB,aAAa,KAAG,OAAO,CAAC,IAAI,CAAC;AAJhC,wBA4CC"}

package/dist/loaders/index.js ADDED Viewed

@@ -0,0 +1,59 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createSecretsManagerClient = createSecretsManagerClient;
+const client_secrets_manager_1 = require("@aws-sdk/client-secrets-manager");
+const credential_providers_1 = require("@aws-sdk/credential-providers");
+const awilix_1 = require("@acmekit/framework/awilix");
+const CONTAINER_KEY = "secretsManagerClient";
+/**
+ * Creates a configured SecretsManagerClient from module options.
+ */
+function createSecretsManagerClient(options) {
+    const { region, endpoint, roleArn } = options;
+    const credentials = roleArn
+        ? (0, credential_providers_1.fromTemporaryCredentials)({
+            params: { RoleArn: roleArn, RoleSessionName: "acmekit-secrets" },
+        })
+        : undefined;
+    return new client_secrets_manager_1.SecretsManagerClient({
+        region,
+        endpoint,
+        credentials,
+    });
+}
+/**
+ * Module loader — runs during the parallel module initialization phase.
+ * Idempotent: skips client creation if `secretsBootstrapLoader` already ran.
+ */
+exports.default = async ({ container, logger, options, }) => {
+    if (container.hasRegistration(CONTAINER_KEY)) {
+        return;
+    }
+    const moduleOptions = options;
+    if (!moduleOptions?.region && !process.env.AWS_REGION) {
+        logger?.warn("No AWS region configured for the Secrets module. " +
+            "Set `region` in module options or the AWS_REGION environment variable.");
+    }
+    const client = createSecretsManagerClient(moduleOptions ?? {});
+    if (moduleOptions?.verifyOnStartup !== false) {
+        const inject = moduleOptions?.inject ?? [];
+        for (const secretConfig of inject) {
+            try {
+                await client.send(new client_secrets_manager_1.DescribeSecretCommand({ SecretId: secretConfig.secretId }));
+            }
+            catch (err) {
+                const message = `Secrets module startup verification failed for "${secretConfig.secretId}": ` +
+                    err.message;
+                if (moduleOptions?.fallback === false) {
+                    throw new Error(message);
+                }
+                logger?.warn(message);
+            }
+        }
+    }
+    logger?.info("Secrets module 'secrets-aws': AWS Secrets Manager client ready");
+    container.register({
+        [CONTAINER_KEY]: (0, awilix_1.asValue)(client),
+    });
+};
+//# sourceMappingURL=index.js.map

package/dist/loaders/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/loaders/index.ts"],"names":[],"mappings":";;AAcA,gEAgBC;AA9BD,4EAGwC;AACxC,wEAAwE;AACxE,sDAAmD;AAInD,MAAM,aAAa,GAAG,sBAAsB,CAAA;AAE5C;;GAEG;AACH,SAAgB,0BAA0B,CACxC,OAAgC;IAEhC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,GAAG,OAAO,CAAA;IAE7C,MAAM,WAAW,GAAG,OAAO;QACzB,CAAC,CAAC,IAAA,+CAAwB,EAAC;YACvB,MAAM,EAAE,EAAE,OAAO,EAAE,OAAO,EAAE,eAAe,EAAE,iBAAiB,EAAE;SACjE,CAAC;QACJ,CAAC,CAAC,SAAS,CAAA;IAEb,OAAO,IAAI,6CAAoB,CAAC;QAC9B,MAAM;QACN,QAAQ;QACR,WAAW;KACZ,CAAC,CAAA;AACJ,CAAC;AAED;;;GAGG;AACH,kBAAe,KAAK,EAAE,EACpB,SAAS,EACT,MAAM,EACN,OAAO,GACO,EAAiB,EAAE;IACjC,IAAI,SAAS,CAAC,eAAe,CAAC,aAAa,CAAC,EAAE,CAAC;QAC7C,OAAM;IACR,CAAC;IAED,MAAM,aAAa,GAAG,OAAkC,CAAA;IAExD,IAAI,CAAC,aAAa,EAAE,MAAM,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,EAAE,CAAC;QACtD,MAAM,EAAE,IAAI,CACV,mDAAmD;YACjD,wEAAwE,CAC3E,CAAA;IACH,CAAC;IAED,MAAM,MAAM,GAAG,0BAA0B,CAAC,aAAa,IAAI,EAAE,CAAC,CAAA;IAE9D,IAAI,aAAa,EAAE,eAAe,KAAK,KAAK,EAAE,CAAC;QAC7C,MAAM,MAAM,GAAG,aAAa,EAAE,MAAM,IAAI,EAAE,CAAA;QAC1C,KAAK,MAAM,YAAY,IAAI,MAAM,EAAE,CAAC;YAClC,IAAI,CAAC;gBACH,MAAM,MAAM,CAAC,IAAI,CACf,IAAI,8CAAqB,CAAC,EAAE,QAAQ,EAAE,YAAY,CAAC,QAAQ,EAAE,CAAC,CAC/D,CAAA;YACH,CAAC;YAAC,OAAO,GAAQ,EAAE,CAAC;gBAClB,MAAM,OAAO,GACX,mDAAmD,YAAY,CAAC,QAAQ,KAAK;oBAC7E,GAAG,CAAC,OAAO,CAAA;gBACb,IAAI,aAAa,EAAE,QAAQ,KAAK,KAAK,EAAE,CAAC;oBACtC,MAAM,IAAI,KAAK,CAAC,OAAO,CAAC,CAAA;gBAC1B,CAAC;gBACD,MAAM,EAAE,IAAI,CAAC,OAAO,CAAC,CAAA;YACvB,CAAC;QACH,CAAC;IACH,CAAC;IAED,MAAM,EAAE,IAAI,CAAC,gEAAgE,CAAC,CAAA;IAE9E,SAAS,CAAC,QAAQ,CAAC;QACjB,CAAC,aAAa,CAAC,EAAE,IAAA,gBAAO,EAAC,MAAM,CAAC;KACjC,CAAC,CAAA;AACJ,CAAC,CAAA"}

package/dist/services/aws-secrets.d.ts ADDED Viewed

@@ -0,0 +1,28 @@
+import { SecretsManagerClient } from "@aws-sdk/client-secrets-manager";
+import { ISecretsModuleService, SecretGetOptions } from "@acmekit/framework/types";
+import { AwsSecretsModuleOptions } from "../types";
+type InjectedDependencies = {
+    secretsManagerClient: SecretsManagerClient;
+};
+/**
+ * AWS Secrets Manager provider for `ISecretsModuleService`.
+ *
+ * Supports two access patterns:
+ * - Bootstrap injection: fetched by `secretsBootstrapLoader` at startup, written to `process.env`
+ * - Runtime access: `get()`, `getJSON()`, `getKey()` — use `cache: false` for audit-trail-per-call
+ *
+ * Secret values are NEVER logged.
+ */
+declare class AwsSecretsService implements ISecretsModuleService {
+    #private;
+    constructor({ secretsManagerClient }: InjectedDependencies, options?: AwsSecretsModuleOptions);
+    __hooks: {
+        onApplicationShutdown: () => Promise<void>;
+    };
+    get(secretId: string, options?: SecretGetOptions): Promise<string | null>;
+    getJSON<T>(secretId: string, options?: SecretGetOptions): Promise<T | null>;
+    getKey(secretId: string, key: string, options?: SecretGetOptions): Promise<string | null>;
+    invalidate(secretId: string): void;
+}
+export default AwsSecretsService;
+//# sourceMappingURL=aws-secrets.d.ts.map

package/dist/services/aws-secrets.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"aws-secrets.d.ts","sourceRoot":"","sources":["../../src/services/aws-secrets.ts"],"names":[],"mappings":"AAAA,OAAO,EAEL,oBAAoB,EACrB,MAAM,iCAAiC,CAAA;AACxC,OAAO,EACL,qBAAqB,EACrB,gBAAgB,EACjB,MAAM,0BAA0B,CAAA;AAEjC,OAAO,EAAE,uBAAuB,EAAE,MAAM,UAAU,CAAA;AAElD,KAAK,oBAAoB,GAAG;IAC1B,oBAAoB,EAAE,oBAAoB,CAAA;CAC3C,CAAA;AASD;;;;;;;;GAQG;AACH,cAAM,iBAAkB,YAAW,qBAAqB;;gBAMpD,EAAE,oBAAoB,EAAE,EAAE,oBAAoB,EAC9C,OAAO,GAAE,uBAA4B;IAMvC,OAAO;;MAIN;IAEK,GAAG,CACP,QAAQ,EAAE,MAAM,EAChB,OAAO,GAAE,gBAAqB,GAC7B,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAkCnB,OAAO,CAAC,CAAC,EACb,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE,gBAAgB,GACzB,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC;IAYd,MAAM,CACV,QAAQ,EAAE,MAAM,EAChB,GAAG,EAAE,MAAM,EACX,OAAO,CAAC,EAAE,gBAAgB,GACzB,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAKzB,UAAU,CAAC,QAAQ,EAAE,MAAM,GAAG,IAAI;CAuCnC;AAED,eAAe,iBAAiB,CAAA"}

package/dist/services/aws-secrets.js ADDED Viewed

@@ -0,0 +1,113 @@
+"use strict";
+var __classPrivateFieldSet = (this && this.__classPrivateFieldSet) || function (receiver, state, value, kind, f) {
+    if (kind === "m") throw new TypeError("Private method is not writable");
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a setter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot write private member to an object whose class did not declare it");
+    return (kind === "a" ? f.call(receiver, value) : f ? f.value = value : state.set(receiver, value)), value;
+};
+var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (receiver, state, kind, f) {
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a getter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
+    return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
+};
+var _AwsSecretsService_instances, _AwsSecretsService_client, _AwsSecretsService_defaultCacheTtl, _AwsSecretsService_cache, _AwsSecretsService_fromCache, _AwsSecretsService_toCache, _AwsSecretsService_fetchRaw;
+Object.defineProperty(exports, "__esModule", { value: true });
+const client_secrets_manager_1 = require("@aws-sdk/client-secrets-manager");
+const utils_1 = require("@acmekit/framework/utils");
+const DEFAULT_CACHE_TTL = 300; // seconds
+/**
+ * AWS Secrets Manager provider for `ISecretsModuleService`.
+ *
+ * Supports two access patterns:
+ * - Bootstrap injection: fetched by `secretsBootstrapLoader` at startup, written to `process.env`
+ * - Runtime access: `get()`, `getJSON()`, `getKey()` — use `cache: false` for audit-trail-per-call
+ *
+ * Secret values are NEVER logged.
+ */
+class AwsSecretsService {
+    constructor({ secretsManagerClient }, options = {}) {
+        _AwsSecretsService_instances.add(this);
+        _AwsSecretsService_client.set(this, void 0);
+        _AwsSecretsService_defaultCacheTtl.set(this, void 0);
+        _AwsSecretsService_cache.set(this, new Map());
+        this.__hooks = {
+            onApplicationShutdown: async () => {
+                __classPrivateFieldGet(this, _AwsSecretsService_cache, "f").clear();
+            },
+        };
+        __classPrivateFieldSet(this, _AwsSecretsService_client, secretsManagerClient, "f");
+        __classPrivateFieldSet(this, _AwsSecretsService_defaultCacheTtl, options.defaultCache ?? DEFAULT_CACHE_TTL, "f");
+    }
+    async get(secretId, options = {}) {
+        const { cache, validate, versionStage, versionId } = options;
+        if (cache !== false) {
+            const cached = __classPrivateFieldGet(this, _AwsSecretsService_instances, "m", _AwsSecretsService_fromCache).call(this, secretId);
+            if (cached !== null) {
+                return cached;
+            }
+        }
+        const value = await __classPrivateFieldGet(this, _AwsSecretsService_instances, "m", _AwsSecretsService_fetchRaw).call(this, secretId, { versionStage, versionId });
+        if (value === null) {
+            return null;
+        }
+        if (validate) {
+            const result = validate(value);
+            if (result !== true) {
+                const reason = typeof result === "string" ? result : "Validation failed";
+                throw new utils_1.AcmeKitError(utils_1.AcmeKitError.Types.INVALID_DATA, `Secret validation failed for "${secretId}": ${reason}`);
+            }
+        }
+        if (cache !== false) {
+            const ttl = typeof cache === "number" ? cache : __classPrivateFieldGet(this, _AwsSecretsService_defaultCacheTtl, "f");
+            __classPrivateFieldGet(this, _AwsSecretsService_instances, "m", _AwsSecretsService_toCache).call(this, secretId, value, ttl);
+        }
+        return value;
+    }
+    async getJSON(secretId, options) {
+        const raw = await this.get(secretId, options);
+        if (raw === null) {
+            return null;
+        }
+        try {
+            return JSON.parse(raw);
+        }
+        catch {
+            return null;
+        }
+    }
+    async getKey(secretId, key, options) {
+        const json = await this.getJSON(secretId, options);
+        return json?.[key] ?? null;
+    }
+    invalidate(secretId) {
+        __classPrivateFieldGet(this, _AwsSecretsService_cache, "f").delete(secretId);
+    }
+}
+_AwsSecretsService_client = new WeakMap(), _AwsSecretsService_defaultCacheTtl = new WeakMap(), _AwsSecretsService_cache = new WeakMap(), _AwsSecretsService_instances = new WeakSet(), _AwsSecretsService_fromCache = function _AwsSecretsService_fromCache(secretId) {
+    const entry = __classPrivateFieldGet(this, _AwsSecretsService_cache, "f").get(secretId);
+    if (!entry) {
+        return null;
+    }
+    if (entry.expiresAt !== Infinity && Date.now() >= entry.expiresAt) {
+        __classPrivateFieldGet(this, _AwsSecretsService_cache, "f").delete(secretId);
+        return null;
+    }
+    return entry.value;
+}, _AwsSecretsService_toCache = function _AwsSecretsService_toCache(secretId, value, ttl) {
+    if (ttl === 0) {
+        return;
+    }
+    __classPrivateFieldGet(this, _AwsSecretsService_cache, "f").set(secretId, {
+        value,
+        expiresAt: ttl === Infinity ? Infinity : Date.now() + ttl * 1000,
+    });
+}, _AwsSecretsService_fetchRaw = async function _AwsSecretsService_fetchRaw(secretId, opts) {
+    const response = await __classPrivateFieldGet(this, _AwsSecretsService_client, "f").send(new client_secrets_manager_1.GetSecretValueCommand({
+        SecretId: secretId,
+        VersionStage: opts.versionStage,
+        VersionId: opts.versionId,
+    }));
+    return response.SecretString ?? null;
+};
+exports.default = AwsSecretsService;
+//# sourceMappingURL=aws-secrets.js.map

package/dist/services/aws-secrets.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"aws-secrets.js","sourceRoot":"","sources":["../../src/services/aws-secrets.ts"],"names":[],"mappings":";;;;;;;;;;;;;;AAAA,4EAGwC;AAKxC,oDAAuD;AAYvD,MAAM,iBAAiB,GAAG,GAAG,CAAA,CAAC,UAAU;AAExC;;;;;;;;GAQG;AACH,MAAM,iBAAiB;IAKrB,YACE,EAAE,oBAAoB,EAAwB,EAC9C,UAAmC,EAAE;;QAN9B,4CAA6B;QAC7B,qDAAwB;QACxB,mCAAkC,IAAI,GAAG,EAAE,EAAA;QAUpD,YAAO,GAAG;YACR,qBAAqB,EAAE,KAAK,IAAI,EAAE;gBAChC,uBAAA,IAAI,gCAAO,CAAC,KAAK,EAAE,CAAA;YACrB,CAAC;SACF,CAAA;QARC,uBAAA,IAAI,6BAAW,oBAAoB,MAAA,CAAA;QACnC,uBAAA,IAAI,sCAAoB,OAAO,CAAC,YAAY,IAAI,iBAAiB,MAAA,CAAA;IACnE,CAAC;IAQD,KAAK,CAAC,GAAG,CACP,QAAgB,EAChB,UAA4B,EAAE;QAE9B,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,YAAY,EAAE,SAAS,EAAE,GAAG,OAAO,CAAA;QAE5D,IAAI,KAAK,KAAK,KAAK,EAAE,CAAC;YACpB,MAAM,MAAM,GAAG,uBAAA,IAAI,kEAAW,MAAf,IAAI,EAAY,QAAQ,CAAC,CAAA;YACxC,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;gBACpB,OAAO,MAAM,CAAA;YACf,CAAC;QACH,CAAC;QAED,MAAM,KAAK,GAAG,MAAM,uBAAA,IAAI,iEAAU,MAAd,IAAI,EAAW,QAAQ,EAAE,EAAE,YAAY,EAAE,SAAS,EAAE,CAAC,CAAA;QACzE,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;YACnB,OAAO,IAAI,CAAA;QACb,CAAC;QAED,IAAI,QAAQ,EAAE,CAAC;YACb,MAAM,MAAM,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAA;YAC9B,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;gBACpB,MAAM,MAAM,GAAG,OAAO,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,mBAAmB,CAAA;gBACxE,MAAM,IAAI,oBAAY,CACpB,oBAAY,CAAC,KAAK,CAAC,YAAY,EAC/B,iCAAiC,QAAQ,MAAM,MAAM,EAAE,CACxD,CAAA;YACH,CAAC;QACH,CAAC;QAED,IAAI,KAAK,KAAK,KAAK,EAAE,CAAC;YACpB,MAAM,GAAG,GAAG,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,uBAAA,IAAI,0CAAiB,CAAA;YACrE,uBAAA,IAAI,gEAAS,MAAb,IAAI,EAAU,QAAQ,EAAE,KAAK,EAAE,GAAG,CAAC,CAAA;QACrC,CAAC;QAED,OAAO,KAAK,CAAA;IACd,CAAC;IAED,KAAK,CAAC,OAAO,CACX,QAAgB,EAChB,OAA0B;QAE1B,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAA;QAC7C,IAAI,GAAG,KAAK,IAAI,EAAE,CAAC;YACjB,OAAO,IAAI,CAAA;QACb,CAAC;QACD,IAAI,CAAC;YACH,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAM,CAAA;QAC7B,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAA;QACb,CAAC;IACH,CAAC;IAED,KAAK,CAAC,MAAM,CACV,QAAgB,EAChB,GAAW,EACX,OAA0B;QAE1B,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,OAAO,CAAyB,QAAQ,EAAE,OAAO,CAAC,CAAA;QAC1E,OAAO,IAAI,EAAE,CAAC,GAAG,CAAC,IAAI,IAAI,CAAA;IAC5B,CAAC;IAED,UAAU,CAAC,QAAgB;QACzB,uBAAA,IAAI,gCAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAA;IAC9B,CAAC;CAqCF;4PAnCY,QAAgB;IACzB,MAAM,KAAK,GAAG,uBAAA,IAAI,gCAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;IACvC,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,IAAI,CAAA;IACb,CAAC;IACD,IAAI,KAAK,CAAC,SAAS,KAAK,QAAQ,IAAI,IAAI,CAAC,GAAG,EAAE,IAAI,KAAK,CAAC,SAAS,EAAE,CAAC;QAClE,uBAAA,IAAI,gCAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAA;QAC5B,OAAO,IAAI,CAAA;IACb,CAAC;IACD,OAAO,KAAK,CAAC,KAAK,CAAA;AACpB,CAAC,mEAEQ,QAAgB,EAAE,KAAa,EAAE,GAAW;IACnD,IAAI,GAAG,KAAK,CAAC,EAAE,CAAC;QACd,OAAM;IACR,CAAC;IACD,uBAAA,IAAI,gCAAO,CAAC,GAAG,CAAC,QAAQ,EAAE;QACxB,KAAK;QACL,SAAS,EAAE,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,GAAG,GAAG,IAAI;KACjE,CAAC,CAAA;AACJ,CAAC,gCAED,KAAK,sCACH,QAAgB,EAChB,IAAmD;IAEnD,MAAM,QAAQ,GAAG,MAAM,uBAAA,IAAI,iCAAQ,CAAC,IAAI,CACtC,IAAI,8CAAqB,CAAC;QACxB,QAAQ,EAAE,QAAQ;QAClB,YAAY,EAAE,IAAI,CAAC,YAAY;QAC/B,SAAS,EAAE,IAAI,CAAC,SAAS;KAC1B,CAAC,CACH,CAAA;IACD,OAAO,QAAQ,CAAC,YAAY,IAAI,IAAI,CAAA;AACtC,CAAC;AAGH,kBAAe,iBAAiB,CAAA"}

package/dist/services/index.d.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ export { default as AwsSecretsService } from "./aws-secrets";
2	+ //# sourceMappingURL=index.d.ts.map

package/dist/services/index.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/services/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,IAAI,iBAAiB,EAAE,MAAM,eAAe,CAAA"}

package/dist/services/index.js ADDED Viewed

@@ -0,0 +1,9 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AwsSecretsService = void 0;
+var aws_secrets_1 = require("./aws-secrets");
+Object.defineProperty(exports, "AwsSecretsService", { enumerable: true, get: function () { return __importDefault(aws_secrets_1).default; } });
+//# sourceMappingURL=index.js.map

package/dist/services/index.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/services/index.ts"],"names":[],"mappings":";;;;;;AAAA,6CAA4D;AAAnD,iIAAA,OAAO,OAAqB"}

package/dist/tsconfig.tsbuildinfo ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"root":["../src/index.ts","../src/initialize/index.ts","../src/loaders/index.ts","../src/services/aws-secrets.ts","../src/services/index.ts","../src/services/__tests__/aws-secrets.spec.ts","../src/types/index.ts"],"version":"5.9.3"}

package/dist/types/index.d.ts ADDED Viewed

@@ -0,0 +1,49 @@
+import { SecretInjectConfig } from "@acmekit/framework/types";
+export type AwsSecretsModuleOptions = {
+    /**
+     * AWS region for Secrets Manager (e.g. "us-east-1").
+     * Falls back to AWS SDK default credential chain if omitted.
+     */
+    region?: string;
+    /**
+     * Custom endpoint URL. Use for VPC interface endpoints (no public internet required).
+     * @example "https://vpce-xxx.secretsmanager.us-east-1.vpce.amazonaws.com"
+     */
+    endpoint?: string;
+    /**
+     * IAM Role ARN to assume before accessing Secrets Manager.
+     * Enables per-service isolation: each service uses its own narrowly-scoped role.
+     * @example "arn:aws:iam::123456789012:role/SweepServiceSecretsRole"
+     */
+    roleArn?: string;
+    /**
+     * Verify access to all `inject` secrets at startup using DescribeSecret.
+     * Fails fast if IAM permissions or network connectivity are misconfigured.
+     * @default true
+     */
+    verifyOnStartup?: boolean;
+    /**
+     * Default TTL (seconds) for runtime secret caching.
+     * Individual calls can override via `SecretGetOptions.cache`.
+     * @default 300
+     */
+    defaultCache?: number;
+    /**
+     * When `true`, log a warning and continue if a secret cannot be fetched.
+     * When `false`, throw an error and halt startup.
+     * @default true
+     */
+    fallback?: boolean;
+    /**
+     * Secrets to fetch at startup and inject into `process.env`.
+     * Processed by `secretsBootstrapLoader` before other modules initialize.
+     */
+    inject?: SecretInjectConfig[];
+};
+declare module "@acmekit/types" {
+    interface ModuleOptions {
+        "@acmekit/secrets-aws": AwsSecretsModuleOptions;
+        "@acmekit/acmekit/secrets-aws": AwsSecretsModuleOptions;
+    }
+}
+//# sourceMappingURL=index.d.ts.map

package/dist/types/index.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/types/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,kBAAkB,EAAE,MAAM,0BAA0B,CAAA;AAE7D,MAAM,MAAM,uBAAuB,GAAG;IACpC;;;OAGG;IACH,MAAM,CAAC,EAAE,MAAM,CAAA;IAEf;;;OAGG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAA;IAEjB;;;;OAIG;IACH,OAAO,CAAC,EAAE,MAAM,CAAA;IAEhB;;;;OAIG;IACH,eAAe,CAAC,EAAE,OAAO,CAAA;IAEzB;;;;OAIG;IACH,YAAY,CAAC,EAAE,MAAM,CAAA;IAErB;;;;OAIG;IACH,QAAQ,CAAC,EAAE,OAAO,CAAA;IAElB;;;OAGG;IACH,MAAM,CAAC,EAAE,kBAAkB,EAAE,CAAA;CAC9B,CAAA;AAED,OAAO,QAAQ,gBAAgB,CAAC;IAC9B,UAAU,aAAa;QACrB,sBAAsB,EAAE,uBAAuB,CAAA;QAC/C,8BAA8B,EAAE,uBAAuB,CAAA;KACxD;CACF"}

package/dist/types/index.js ADDED Viewed

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=index.js.map

package/dist/types/index.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/types/index.ts"],"names":[],"mappings":""}

package/package.json ADDED Viewed

@@ -0,0 +1,40 @@
+{
+  "name": "@acmekit/secrets-aws",
+  "version": "2.13.53",
+  "description": "AWS Secrets Manager provider for AcmeKit — production secrets management",
+  "main": "dist/index.js",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/acmekit/acmekit",
+    "directory": "packages/modules/secrets-aws"
+  },
+  "engines": {
+    "node": ">=20"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "files": [
+    "dist",
+    "!dist/**/__tests__",
+    "!dist/**/__mocks__",
+    "!dist/**/__fixtures__"
+  ],
+  "author": "AcmeKit",
+  "license": "MIT",
+  "scripts": {
+    "watch": "yarn run -T tsc --build --watch",
+    "build": "yarn run -T rimraf dist && yarn run -T tsc --build",
+    "test": "../../../node_modules/.bin/jest --passWithNoTests"
+  },
+  "dependencies": {
+    "@aws-sdk/client-secrets-manager": "^3.0.0",
+    "@aws-sdk/credential-providers": "^3.0.0"
+  },
+  "devDependencies": {
+    "@acmekit/framework": "2.13.53"
+  },
+  "peerDependencies": {
+    "@acmekit/framework": "2.13.53"
+  }
+}