@checkstack/secrets-common 0.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +109 -0
- package/package.json +35 -0
- package/src/access.ts +26 -0
- package/src/backend-config.ts +83 -0
- package/src/env-mapping.test.ts +103 -0
- package/src/env-mapping.ts +81 -0
- package/src/hooks.ts +21 -0
- package/src/index.ts +62 -0
- package/src/internal-secrets.test.ts +20 -0
- package/src/internal-secrets.ts +25 -0
- package/src/mask-run-result.test.ts +40 -0
- package/src/mask-run-result.ts +50 -0
- package/src/masking.test.ts +156 -0
- package/src/masking.ts +111 -0
- package/src/metadata.ts +21 -0
- package/src/plugin-metadata.ts +9 -0
- package/src/routes.ts +8 -0
- package/src/rpc-contract.ts +108 -0
- package/src/secret-field.test.ts +89 -0
- package/src/secret-field.ts +87 -0
- package/src/test-secret-env.test.ts +61 -0
- package/src/test-secret-env.ts +54 -0
- package/tsconfig.json +11 -0
|
@@ -0,0 +1,54 @@
|
|
|
1
|
+
import { SECRET_TEMPLATE_REGEX } from "./secret-field";
|
|
2
|
+
import { normalizeSecretEnvValue } from "./env-mapping";
|
|
3
|
+
|
|
4
|
+
/**
|
|
5
|
+
* Placeholder a declared secret is injected as in the test path when the
|
|
6
|
+
* user provides no override (decision 4: real values never reach the test
|
|
7
|
+
* surface).
|
|
8
|
+
*/
|
|
9
|
+
export function secretTestPlaceholder(name: string): string {
|
|
10
|
+
return `__SECRET_${name}__`;
|
|
11
|
+
}
|
|
12
|
+
|
|
13
|
+
/**
|
|
14
|
+
* Build the env to inject for an in-UI script/collector TEST run from the
|
|
15
|
+
* consumer's declared `secretEnv` mapping. NO real secret value is ever
|
|
16
|
+
* resolved here (decision 4): for each `{ ENV_NAME: "${{ secrets.NAME }}" }`
|
|
17
|
+
* entry, inject the user's override for NAME if provided, otherwise a
|
|
18
|
+
* `__SECRET_<NAME>__` placeholder. Also returns the override values so they
|
|
19
|
+
* can be masked out of the test result (an override must not round-trip
|
|
20
|
+
* unmasked).
|
|
21
|
+
*/
|
|
22
|
+
export function buildTestSecretEnv({
|
|
23
|
+
secretEnv,
|
|
24
|
+
secretOverrides,
|
|
25
|
+
}: {
|
|
26
|
+
secretEnv?: Record<string, string>;
|
|
27
|
+
secretOverrides?: Record<string, string>;
|
|
28
|
+
}): { env: Record<string, string>; maskValues: string[] } {
|
|
29
|
+
const env: Record<string, string> = {};
|
|
30
|
+
const maskValues: string[] = [];
|
|
31
|
+
if (!secretEnv) return { env, maskValues };
|
|
32
|
+
|
|
33
|
+
for (const [envName, rawValue] of Object.entries(secretEnv)) {
|
|
34
|
+
// A tolerated bare secret name is normalized to the canonical template
|
|
35
|
+
// here (the schema no longer transforms — see `secretEnvValueSchema`).
|
|
36
|
+
const template = normalizeSecretEnvValue(rawValue);
|
|
37
|
+
SECRET_TEMPLATE_REGEX.lastIndex = 0;
|
|
38
|
+
const match = SECRET_TEMPLATE_REGEX.exec(template);
|
|
39
|
+
const secretName = match?.[1];
|
|
40
|
+
if (!secretName) {
|
|
41
|
+
// Non-template, non-name value (shouldn't happen given schema validation).
|
|
42
|
+
env[envName] = secretTestPlaceholder(envName);
|
|
43
|
+
continue;
|
|
44
|
+
}
|
|
45
|
+
const override = secretOverrides?.[secretName];
|
|
46
|
+
if (override === undefined) {
|
|
47
|
+
env[envName] = secretTestPlaceholder(secretName);
|
|
48
|
+
} else {
|
|
49
|
+
env[envName] = override;
|
|
50
|
+
maskValues.push(override);
|
|
51
|
+
}
|
|
52
|
+
}
|
|
53
|
+
return { env, maskValues };
|
|
54
|
+
}
|