@augmenting-integrations/db-secret-loader 0.0.1

package/README.md

@@ -0,0 +1,32 @@
+# @augmenting-integrations/db-secret-loader
+
+Resolve a Prisma `DATABASE_URL` from AWS Secrets Manager.
+
+The Prisma client is generated from your spoke's schema, so this package does
+NOT instantiate `PrismaClient` for you -- it only assembles the connection
+string. Wire it up in your spoke's `src/lib/db.ts`:
+
+```ts
+import { PrismaClient } from "@prisma/client";
+import { loadDatabaseUrl } from "@augmenting-integrations/db-secret-loader";
+
+let _db: Promise<PrismaClient> | undefined;
+export function getDb(): Promise<PrismaClient> {
+  if (!_db) {
+    _db = (async () => {
+      const url = await loadDatabaseUrl({
+        secretArn: process.env.DB_SECRET_ARN,
+        host: process.env.DB_HOST,
+        dbName: process.env.DB_NAME,
+        fallbackUrl: process.env.DATABASE_URL,
+      });
+      return new PrismaClient({ datasources: { db: { url } } });
+    })();
+  }
+  return _db;
+}
+```
+
+The secret payload must be a JSON object with at least `username` and
+`password` keys -- the shape RDS Aurora ships when you create a managed
+master secret.

package/dist/index.cjs

@@ -0,0 +1,65 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  loadDatabaseUrl: () => loadDatabaseUrl
+});
+module.exports = __toCommonJS(index_exports);
+var import_client_secrets_manager = require("@aws-sdk/client-secrets-manager");
+var cache = /* @__PURE__ */ new Map();
+var secretsClient;
+async function loadDatabaseUrl(opts) {
+  if (opts.fallbackUrl) return opts.fallbackUrl;
+  const { secretArn, host, dbName } = opts;
+  if (!secretArn || !host || !dbName) {
+    throw new Error(
+      `[db-secret-loader] loadDatabaseUrl requires either fallbackUrl or (secretArn + host + dbName). Got secretArn=${!!secretArn}, host=${!!host}, dbName=${!!dbName}.`
+    );
+  }
+  const cacheKey = `${secretArn}|${host}|${dbName}|${opts.port ?? 5432}`;
+  const cached = cache.get(cacheKey);
+  if (cached) return cached;
+  secretsClient ??= new import_client_secrets_manager.SecretsManagerClient({});
+  const res = await secretsClient.send(
+    new import_client_secrets_manager.GetSecretValueCommand({ SecretId: secretArn })
+  );
+  if (!res.SecretString) {
+    throw new Error(`[db-secret-loader] secret ${secretArn} has no SecretString`);
+  }
+  const { username, password } = JSON.parse(res.SecretString);
+  if (!username || !password) {
+    throw new Error(
+      `[db-secret-loader] secret ${secretArn} JSON is missing username or password`
+    );
+  }
+  const userEnc = encodeURIComponent(username);
+  const passEnc = encodeURIComponent(password);
+  const port = opts.port ?? 5432;
+  const qs = opts.queryString ?? "schema=public&sslmode=require";
+  const url = `postgresql://${userEnc}:${passEnc}@${host}:${port}/${dbName}?${qs}`;
+  cache.set(cacheKey, url);
+  return url;
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  loadDatabaseUrl
+});
+//# sourceMappingURL=index.cjs.map

package/dist/index.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/index.ts"],"sourcesContent":["import {\n  SecretsManagerClient,\n  GetSecretValueCommand,\n} from \"@aws-sdk/client-secrets-manager\";\n\n// =============================================================================\n// db-secret-loader -- assemble a Prisma DATABASE_URL from AWS Secrets Manager\n//\n// The library DOES NOT instantiate PrismaClient -- the Prisma client is\n// generated from the spoke's schema and lives in the spoke's node_modules.\n// We only resolve the connection string here. The spoke does:\n//\n//   const url = await loadDatabaseUrl({ ... });\n//   return new PrismaClient({ datasources: { db: { url } } });\n//\n// Lambda containers are reused across invocations, so the secret fetch is\n// cached at the module level (per-container lifetime). Caller is expected to\n// cache the resulting PrismaClient on globalThis or similar.\n// =============================================================================\n\nexport type LoadDatabaseUrlOptions = {\n  /** AWS Secrets Manager ARN holding `{username, password}` JSON. */\n  secretArn?: string;\n  /** Aurora endpoint host (RDS Proxy host typically). */\n  host?: string;\n  /** Database name (the `dbname` in `postgresql://.../dbname`). */\n  dbName?: string;\n  /** Port; defaults to 5432. */\n  port?: number;\n  /**\n   * Local-dev fallback. If set, used as-is and the secret fetch is skipped.\n   * Typical local value: `postgresql://postgres:postgres@localhost:5432/app`.\n   */\n  fallbackUrl?: string;\n  /**\n   * Query-string fragment appended to the assembled URL (without leading `?`).\n   * Defaults to `schema=public&sslmode=require`.\n   */\n  queryString?: string;\n};\n\nconst cache = new Map<string, string>();\nlet secretsClient: SecretsManagerClient | undefined;\n\n/**\n * Resolve a Prisma `DATABASE_URL`. Caches by `secretArn` for the container\n * lifetime. Throws with an actionable message when neither `fallbackUrl` nor\n * the full `secretArn + host + dbName` triple is provided.\n */\nexport async function loadDatabaseUrl(opts: LoadDatabaseUrlOptions): Promise<string> {\n  if (opts.fallbackUrl) return opts.fallbackUrl;\n\n  const { secretArn, host, dbName } = opts;\n  if (!secretArn || !host || !dbName) {\n    throw new Error(\n      `[db-secret-loader] loadDatabaseUrl requires either fallbackUrl or (secretArn + host + dbName). Got secretArn=${!!secretArn}, host=${!!host}, dbName=${!!dbName}.`,\n    );\n  }\n\n  const cacheKey = `${secretArn}|${host}|${dbName}|${opts.port ?? 5432}`;\n  const cached = cache.get(cacheKey);\n  if (cached) return cached;\n\n  secretsClient ??= new SecretsManagerClient({});\n  const res = await secretsClient.send(\n    new GetSecretValueCommand({ SecretId: secretArn }),\n  );\n  if (!res.SecretString) {\n    throw new Error(`[db-secret-loader] secret ${secretArn} has no SecretString`);\n  }\n  const { username, password } = JSON.parse(res.SecretString) as {\n    username?: string;\n    password?: string;\n  };\n  if (!username || !password) {\n    throw new Error(\n      `[db-secret-loader] secret ${secretArn} JSON is missing username or password`,\n    );\n  }\n  const userEnc = encodeURIComponent(username);\n  const passEnc = encodeURIComponent(password);\n  const port = opts.port ?? 5432;\n  const qs = opts.queryString ?? \"schema=public&sslmode=require\";\n  const url = `postgresql://${userEnc}:${passEnc}@${host}:${port}/${dbName}?${qs}`;\n  cache.set(cacheKey, url);\n  return url;\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,oCAGO;AAsCP,IAAM,QAAQ,oBAAI,IAAoB;AACtC,IAAI;AAOJ,eAAsB,gBAAgB,MAA+C;AACnF,MAAI,KAAK,YAAa,QAAO,KAAK;AAElC,QAAM,EAAE,WAAW,MAAM,OAAO,IAAI;AACpC,MAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,QAAQ;AAClC,UAAM,IAAI;AAAA,MACR,gHAAgH,CAAC,CAAC,SAAS,UAAU,CAAC,CAAC,IAAI,YAAY,CAAC,CAAC,MAAM;AAAA,IACjK;AAAA,EACF;AAEA,QAAM,WAAW,GAAG,SAAS,IAAI,IAAI,IAAI,MAAM,IAAI,KAAK,QAAQ,IAAI;AACpE,QAAM,SAAS,MAAM,IAAI,QAAQ;AACjC,MAAI,OAAQ,QAAO;AAEnB,oBAAkB,IAAI,mDAAqB,CAAC,CAAC;AAC7C,QAAM,MAAM,MAAM,cAAc;AAAA,IAC9B,IAAI,oDAAsB,EAAE,UAAU,UAAU,CAAC;AAAA,EACnD;AACA,MAAI,CAAC,IAAI,cAAc;AACrB,UAAM,IAAI,MAAM,6BAA6B,SAAS,sBAAsB;AAAA,EAC9E;AACA,QAAM,EAAE,UAAU,SAAS,IAAI,KAAK,MAAM,IAAI,YAAY;AAI1D,MAAI,CAAC,YAAY,CAAC,UAAU;AAC1B,UAAM,IAAI;AAAA,MACR,6BAA6B,SAAS;AAAA,IACxC;AAAA,EACF;AACA,QAAM,UAAU,mBAAmB,QAAQ;AAC3C,QAAM,UAAU,mBAAmB,QAAQ;AAC3C,QAAM,OAAO,KAAK,QAAQ;AAC1B,QAAM,KAAK,KAAK,eAAe;AAC/B,QAAM,MAAM,gBAAgB,OAAO,IAAI,OAAO,IAAI,IAAI,IAAI,IAAI,IAAI,MAAM,IAAI,EAAE;AAC9E,QAAM,IAAI,UAAU,GAAG;AACvB,SAAO;AACT;","names":[]}

package/dist/index.d.ts

@@ -0,0 +1,27 @@
+export type LoadDatabaseUrlOptions = {
+    /** AWS Secrets Manager ARN holding `{username, password}` JSON. */
+    secretArn?: string;
+    /** Aurora endpoint host (RDS Proxy host typically). */
+    host?: string;
+    /** Database name (the `dbname` in `postgresql://.../dbname`). */
+    dbName?: string;
+    /** Port; defaults to 5432. */
+    port?: number;
+    /**
+     * Local-dev fallback. If set, used as-is and the secret fetch is skipped.
+     * Typical local value: `postgresql://postgres:postgres@localhost:5432/app`.
+     */
+    fallbackUrl?: string;
+    /**
+     * Query-string fragment appended to the assembled URL (without leading `?`).
+     * Defaults to `schema=public&sslmode=require`.
+     */
+    queryString?: string;
+};
+/**
+ * Resolve a Prisma `DATABASE_URL`. Caches by `secretArn` for the container
+ * lifetime. Throws with an actionable message when neither `fallbackUrl` nor
+ * the full `secretArn + host + dbName` triple is provided.
+ */
+export declare function loadDatabaseUrl(opts: LoadDatabaseUrlOptions): Promise<string>;
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAoBA,MAAM,MAAM,sBAAsB,GAAG;IACnC,mEAAmE;IACnE,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,uDAAuD;IACvD,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,iEAAiE;IACjE,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,8BAA8B;IAC9B,IAAI,CAAC,EAAE,MAAM,CAAC;IACd;;;OAGG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB;;;OAGG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB,CAAC;AAKF;;;;GAIG;AACH,wBAAsB,eAAe,CAAC,IAAI,EAAE,sBAAsB,GAAG,OAAO,CAAC,MAAM,CAAC,CAqCnF"}

package/dist/index.js

@@ -0,0 +1,43 @@
+// src/index.ts
+import {
+  SecretsManagerClient,
+  GetSecretValueCommand
+} from "@aws-sdk/client-secrets-manager";
+var cache = /* @__PURE__ */ new Map();
+var secretsClient;
+async function loadDatabaseUrl(opts) {
+  if (opts.fallbackUrl) return opts.fallbackUrl;
+  const { secretArn, host, dbName } = opts;
+  if (!secretArn || !host || !dbName) {
+    throw new Error(
+      `[db-secret-loader] loadDatabaseUrl requires either fallbackUrl or (secretArn + host + dbName). Got secretArn=${!!secretArn}, host=${!!host}, dbName=${!!dbName}.`
+    );
+  }
+  const cacheKey = `${secretArn}|${host}|${dbName}|${opts.port ?? 5432}`;
+  const cached = cache.get(cacheKey);
+  if (cached) return cached;
+  secretsClient ??= new SecretsManagerClient({});
+  const res = await secretsClient.send(
+    new GetSecretValueCommand({ SecretId: secretArn })
+  );
+  if (!res.SecretString) {
+    throw new Error(`[db-secret-loader] secret ${secretArn} has no SecretString`);
+  }
+  const { username, password } = JSON.parse(res.SecretString);
+  if (!username || !password) {
+    throw new Error(
+      `[db-secret-loader] secret ${secretArn} JSON is missing username or password`
+    );
+  }
+  const userEnc = encodeURIComponent(username);
+  const passEnc = encodeURIComponent(password);
+  const port = opts.port ?? 5432;
+  const qs = opts.queryString ?? "schema=public&sslmode=require";
+  const url = `postgresql://${userEnc}:${passEnc}@${host}:${port}/${dbName}?${qs}`;
+  cache.set(cacheKey, url);
+  return url;
+}
+export {
+  loadDatabaseUrl
+};
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/index.ts"],"sourcesContent":["import {\n  SecretsManagerClient,\n  GetSecretValueCommand,\n} from \"@aws-sdk/client-secrets-manager\";\n\n// =============================================================================\n// db-secret-loader -- assemble a Prisma DATABASE_URL from AWS Secrets Manager\n//\n// The library DOES NOT instantiate PrismaClient -- the Prisma client is\n// generated from the spoke's schema and lives in the spoke's node_modules.\n// We only resolve the connection string here. The spoke does:\n//\n//   const url = await loadDatabaseUrl({ ... });\n//   return new PrismaClient({ datasources: { db: { url } } });\n//\n// Lambda containers are reused across invocations, so the secret fetch is\n// cached at the module level (per-container lifetime). Caller is expected to\n// cache the resulting PrismaClient on globalThis or similar.\n// =============================================================================\n\nexport type LoadDatabaseUrlOptions = {\n  /** AWS Secrets Manager ARN holding `{username, password}` JSON. */\n  secretArn?: string;\n  /** Aurora endpoint host (RDS Proxy host typically). */\n  host?: string;\n  /** Database name (the `dbname` in `postgresql://.../dbname`). */\n  dbName?: string;\n  /** Port; defaults to 5432. */\n  port?: number;\n  /**\n   * Local-dev fallback. If set, used as-is and the secret fetch is skipped.\n   * Typical local value: `postgresql://postgres:postgres@localhost:5432/app`.\n   */\n  fallbackUrl?: string;\n  /**\n   * Query-string fragment appended to the assembled URL (without leading `?`).\n   * Defaults to `schema=public&sslmode=require`.\n   */\n  queryString?: string;\n};\n\nconst cache = new Map<string, string>();\nlet secretsClient: SecretsManagerClient | undefined;\n\n/**\n * Resolve a Prisma `DATABASE_URL`. Caches by `secretArn` for the container\n * lifetime. Throws with an actionable message when neither `fallbackUrl` nor\n * the full `secretArn + host + dbName` triple is provided.\n */\nexport async function loadDatabaseUrl(opts: LoadDatabaseUrlOptions): Promise<string> {\n  if (opts.fallbackUrl) return opts.fallbackUrl;\n\n  const { secretArn, host, dbName } = opts;\n  if (!secretArn || !host || !dbName) {\n    throw new Error(\n      `[db-secret-loader] loadDatabaseUrl requires either fallbackUrl or (secretArn + host + dbName). Got secretArn=${!!secretArn}, host=${!!host}, dbName=${!!dbName}.`,\n    );\n  }\n\n  const cacheKey = `${secretArn}|${host}|${dbName}|${opts.port ?? 5432}`;\n  const cached = cache.get(cacheKey);\n  if (cached) return cached;\n\n  secretsClient ??= new SecretsManagerClient({});\n  const res = await secretsClient.send(\n    new GetSecretValueCommand({ SecretId: secretArn }),\n  );\n  if (!res.SecretString) {\n    throw new Error(`[db-secret-loader] secret ${secretArn} has no SecretString`);\n  }\n  const { username, password } = JSON.parse(res.SecretString) as {\n    username?: string;\n    password?: string;\n  };\n  if (!username || !password) {\n    throw new Error(\n      `[db-secret-loader] secret ${secretArn} JSON is missing username or password`,\n    );\n  }\n  const userEnc = encodeURIComponent(username);\n  const passEnc = encodeURIComponent(password);\n  const port = opts.port ?? 5432;\n  const qs = opts.queryString ?? \"schema=public&sslmode=require\";\n  const url = `postgresql://${userEnc}:${passEnc}@${host}:${port}/${dbName}?${qs}`;\n  cache.set(cacheKey, url);\n  return url;\n}\n"],"mappings":";AAAA;AAAA,EACE;AAAA,EACA;AAAA,OACK;AAsCP,IAAM,QAAQ,oBAAI,IAAoB;AACtC,IAAI;AAOJ,eAAsB,gBAAgB,MAA+C;AACnF,MAAI,KAAK,YAAa,QAAO,KAAK;AAElC,QAAM,EAAE,WAAW,MAAM,OAAO,IAAI;AACpC,MAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,QAAQ;AAClC,UAAM,IAAI;AAAA,MACR,gHAAgH,CAAC,CAAC,SAAS,UAAU,CAAC,CAAC,IAAI,YAAY,CAAC,CAAC,MAAM;AAAA,IACjK;AAAA,EACF;AAEA,QAAM,WAAW,GAAG,SAAS,IAAI,IAAI,IAAI,MAAM,IAAI,KAAK,QAAQ,IAAI;AACpE,QAAM,SAAS,MAAM,IAAI,QAAQ;AACjC,MAAI,OAAQ,QAAO;AAEnB,oBAAkB,IAAI,qBAAqB,CAAC,CAAC;AAC7C,QAAM,MAAM,MAAM,cAAc;AAAA,IAC9B,IAAI,sBAAsB,EAAE,UAAU,UAAU,CAAC;AAAA,EACnD;AACA,MAAI,CAAC,IAAI,cAAc;AACrB,UAAM,IAAI,MAAM,6BAA6B,SAAS,sBAAsB;AAAA,EAC9E;AACA,QAAM,EAAE,UAAU,SAAS,IAAI,KAAK,MAAM,IAAI,YAAY;AAI1D,MAAI,CAAC,YAAY,CAAC,UAAU;AAC1B,UAAM,IAAI;AAAA,MACR,6BAA6B,SAAS;AAAA,IACxC;AAAA,EACF;AACA,QAAM,UAAU,mBAAmB,QAAQ;AAC3C,QAAM,UAAU,mBAAmB,QAAQ;AAC3C,QAAM,OAAO,KAAK,QAAQ;AAC1B,QAAM,KAAK,KAAK,eAAe;AAC/B,QAAM,MAAM,gBAAgB,OAAO,IAAI,OAAO,IAAI,IAAI,IAAI,IAAI,IAAI,MAAM,IAAI,EAAE;AAC9E,QAAM,IAAI,UAAU,GAAG;AACvB,SAAO;AACT;","names":[]}

package/package.json

@@ -0,0 +1,37 @@
+{
+  "name": "@augmenting-integrations/db-secret-loader",
+  "version": "0.0.1",
+  "description": "Resolve a Prisma DATABASE_URL from AWS Secrets Manager (or a fallback env var). The spoke still owns `new PrismaClient()`; this package only assembles the connection string from the SecretsManager JSON shape that RDS Aurora ships with.",
+  "license": "MIT",
+  "publishConfig": {
+    "access": "public"
+  },
+  "sideEffects": false,
+  "main": "./dist/index.cjs",
+  "module": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js",
+      "require": "./dist/index.cjs"
+    }
+  },
+  "files": [
+    "dist",
+    "README.md"
+  ],
+  "scripts": {
+    "build": "tsup",
+    "clean": "rm -rf dist",
+    "test": "vitest run --passWithNoTests"
+  },
+  "dependencies": {
+    "@aws-sdk/client-secrets-manager": "^3.700.0"
+  },
+  "devDependencies": {
+    "tsup": "^8.3.5",
+    "typescript": "^5.7.2",
+    "vitest": "^4.1.5"
+  }
+}