@contractspec/integration.runtime 1.44.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +21 -0
- package/README.md +18 -0
- package/dist/health.d.ts +22 -0
- package/dist/health.d.ts.map +1 -0
- package/dist/health.js +70 -0
- package/dist/health.js.map +1 -0
- package/dist/index.d.ts +8 -0
- package/dist/index.js +9 -0
- package/dist/runtime.d.ts +100 -0
- package/dist/runtime.d.ts.map +1 -0
- package/dist/runtime.js +187 -0
- package/dist/runtime.js.map +1 -0
- package/dist/secrets/env-secret-provider.d.ts +32 -0
- package/dist/secrets/env-secret-provider.d.ts.map +1 -0
- package/dist/secrets/env-secret-provider.js +82 -0
- package/dist/secrets/env-secret-provider.js.map +1 -0
- package/dist/secrets/gcp-secret-manager.d.ts +33 -0
- package/dist/secrets/gcp-secret-manager.d.ts.map +1 -0
- package/dist/secrets/gcp-secret-manager.js +230 -0
- package/dist/secrets/gcp-secret-manager.js.map +1 -0
- package/dist/secrets/index.d.ts +5 -0
- package/dist/secrets/index.js +6 -0
- package/dist/secrets/manager.d.ts +48 -0
- package/dist/secrets/manager.d.ts.map +1 -0
- package/dist/secrets/manager.js +104 -0
- package/dist/secrets/manager.js.map +1 -0
- package/dist/secrets/provider.d.ts +53 -0
- package/dist/secrets/provider.d.ts.map +1 -0
- package/dist/secrets/provider.js +59 -0
- package/dist/secrets/provider.js.map +1 -0
- package/package.json +70 -0
|
@@ -0,0 +1,33 @@
|
|
|
1
|
+
import { SecretProvider, SecretReference, SecretRotationResult, SecretValue, SecretWritePayload } from "./provider.js";
|
|
2
|
+
import { SecretManagerServiceClient, protos } from "@google-cloud/secret-manager";
|
|
3
|
+
import { CallOptions } from "google-gax";
|
|
4
|
+
|
|
5
|
+
//#region src/secrets/gcp-secret-manager.d.ts
|
|
6
|
+
type SecretManagerClient = SecretManagerServiceClient;
|
|
7
|
+
interface GcpSecretManagerProviderOptions {
|
|
8
|
+
projectId?: string;
|
|
9
|
+
client?: SecretManagerClient;
|
|
10
|
+
clientOptions?: ConstructorParameters<typeof SecretManagerServiceClient>[0];
|
|
11
|
+
defaultReplication?: protos.google.cloud.secretmanager.v1.IReplication;
|
|
12
|
+
}
|
|
13
|
+
declare class GcpSecretManagerProvider implements SecretProvider {
|
|
14
|
+
readonly id = "gcp-secret-manager";
|
|
15
|
+
private readonly client;
|
|
16
|
+
private readonly explicitProjectId?;
|
|
17
|
+
private readonly replication;
|
|
18
|
+
constructor(options?: GcpSecretManagerProviderOptions);
|
|
19
|
+
canHandle(reference: SecretReference): boolean;
|
|
20
|
+
getSecret(reference: SecretReference, options?: {
|
|
21
|
+
version?: string;
|
|
22
|
+
}, callOptions?: CallOptions): Promise<SecretValue>;
|
|
23
|
+
setSecret(reference: SecretReference, payload: SecretWritePayload): Promise<SecretRotationResult>;
|
|
24
|
+
rotateSecret(reference: SecretReference, payload: SecretWritePayload): Promise<SecretRotationResult>;
|
|
25
|
+
deleteSecret(reference: SecretReference): Promise<void>;
|
|
26
|
+
private parseReference;
|
|
27
|
+
private buildNames;
|
|
28
|
+
private buildVersionName;
|
|
29
|
+
private ensureSecretExists;
|
|
30
|
+
}
|
|
31
|
+
//#endregion
|
|
32
|
+
export { GcpSecretManagerProvider };
|
|
33
|
+
//# sourceMappingURL=gcp-secret-manager.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"gcp-secret-manager.d.ts","names":[],"sources":["../../src/secrets/gcp-secret-manager.ts"],"sourcesContent":[],"mappings":";;;;;KAmBK,mBAAA,GAAsB;UAEjB,+BAAA;EAFL,SAAA,CAAA,EAAA,MAAA;EAEK,MAAA,CAAA,EAEC,mBAFD;EAEC,aAAA,CAAA,EACO,qBADP,CAAA,OACoC,0BADpC,CAAA,CAAA,CAAA,CAAA;EACoC,kBAAA,CAAA,EACxB,MAAA,CAAO,MAAA,CAAO,KAAA,CAAM,aAAA,CAAc,EAAA,CAAG,YADb;;AACxB,cAaV,wBAAA,YAAoC,cAbW,CAAA;EAAY,SAAA,EAAA,GAAA,oBAAA;EAa3D,iBAAA,MAAA;EAMU,iBAAA,iBAAA;EAQA,iBAAA,WAAA;EAUR,WAAA,CAAA,OAAA,CAAA,EAlBQ,+BAkBR;EAEG,SAAA,CAAA,SAAA,EAZK,eAYL,CAAA,EAAA,OAAA;EACL,SAAA,CAAA,SAAA,EAHE,eAGF,EAAA,OAyCE,CAzCF,EAAA;IAAR,OAAA,CAAA,EAAA,MAAA;EAyCU,CAAA,EAAA,WAAA,CAAA,EA1CG,WA0CH,CAAA,EAzCV,OAyCU,CAzCF,WAyCE,CAAA;EACF,SAAA,CAAA,SAAA,EADE,eACF,EAAA,OAAA,EAAA,kBAAA,CAAA,EACR,OADQ,CACA,oBADA,CAAA;EACA,YAAA,CAAA,SAAA,EAsCE,eAtCF,EAAA,OAAA,EAuCA,kBAvCA,CAAA,EAwCR,OAxCQ,CAwCA,oBAxCA,CAAA;EAAR,YAAA,CAAA,SAAA,EA4C2B,eA5C3B,CAAA,EA4C6C,OA5C7C,CAAA,IAAA,CAAA;EAsCU,QAAA,cAAA;EACF,QAAA,UAAA;EACA,QAAA,gBAAA;EAAR,QAAA,kBAAA"}
|
|
@@ -0,0 +1,230 @@
|
|
|
1
|
+
import { SecretProviderError, normalizeSecretPayload, parseSecretUri } from "./provider.js";
|
|
2
|
+
import { SecretManagerServiceClient, protos } from "@google-cloud/secret-manager";
|
|
3
|
+
|
|
4
|
+
//#region src/secrets/gcp-secret-manager.ts
|
|
5
|
+
const DEFAULT_REPLICATION = { automatic: {} };
|
|
6
|
+
var GcpSecretManagerProvider = class {
|
|
7
|
+
id = "gcp-secret-manager";
|
|
8
|
+
client;
|
|
9
|
+
explicitProjectId;
|
|
10
|
+
replication;
|
|
11
|
+
constructor(options = {}) {
|
|
12
|
+
this.client = options.client ?? new SecretManagerServiceClient(options.clientOptions ?? {});
|
|
13
|
+
this.explicitProjectId = options.projectId;
|
|
14
|
+
this.replication = options.defaultReplication ?? DEFAULT_REPLICATION;
|
|
15
|
+
}
|
|
16
|
+
canHandle(reference) {
|
|
17
|
+
try {
|
|
18
|
+
return parseSecretUri(reference).provider === "gcp";
|
|
19
|
+
} catch {
|
|
20
|
+
return false;
|
|
21
|
+
}
|
|
22
|
+
}
|
|
23
|
+
async getSecret(reference, options, callOptions) {
|
|
24
|
+
const location = this.parseReference(reference);
|
|
25
|
+
const secretVersionName = this.buildVersionName(location, options?.version);
|
|
26
|
+
try {
|
|
27
|
+
const [result] = await this.client.accessSecretVersion({ name: secretVersionName }, callOptions ?? {});
|
|
28
|
+
const payload = result.payload;
|
|
29
|
+
if (!payload?.data) throw new SecretProviderError({
|
|
30
|
+
message: `Secret payload empty for ${secretVersionName}`,
|
|
31
|
+
provider: this.id,
|
|
32
|
+
reference,
|
|
33
|
+
code: "UNKNOWN"
|
|
34
|
+
});
|
|
35
|
+
const version = extractVersionFromName(result.name ?? secretVersionName);
|
|
36
|
+
return {
|
|
37
|
+
data: payload.data,
|
|
38
|
+
version,
|
|
39
|
+
metadata: payload.dataCrc32c ? { crc32c: payload.dataCrc32c.toString() } : void 0,
|
|
40
|
+
retrievedAt: /* @__PURE__ */ new Date()
|
|
41
|
+
};
|
|
42
|
+
} catch (error) {
|
|
43
|
+
throw toSecretProviderError({
|
|
44
|
+
error,
|
|
45
|
+
provider: this.id,
|
|
46
|
+
reference,
|
|
47
|
+
operation: "access"
|
|
48
|
+
});
|
|
49
|
+
}
|
|
50
|
+
}
|
|
51
|
+
async setSecret(reference, payload) {
|
|
52
|
+
const location = this.parseReference(reference);
|
|
53
|
+
const { secretName } = this.buildNames(location);
|
|
54
|
+
const data = normalizeSecretPayload(payload);
|
|
55
|
+
await this.ensureSecretExists(location, payload);
|
|
56
|
+
try {
|
|
57
|
+
const response = await this.client.addSecretVersion({
|
|
58
|
+
parent: secretName,
|
|
59
|
+
payload: { data }
|
|
60
|
+
});
|
|
61
|
+
if (!response) throw new SecretProviderError({
|
|
62
|
+
message: `No version returned when adding secret version for ${secretName}`,
|
|
63
|
+
provider: this.id,
|
|
64
|
+
reference,
|
|
65
|
+
code: "UNKNOWN"
|
|
66
|
+
});
|
|
67
|
+
const [version] = response;
|
|
68
|
+
const versionName = version?.name ?? `${secretName}/versions/latest`;
|
|
69
|
+
return {
|
|
70
|
+
reference: `gcp://${versionName}`,
|
|
71
|
+
version: extractVersionFromName(versionName) ?? "latest"
|
|
72
|
+
};
|
|
73
|
+
} catch (error) {
|
|
74
|
+
throw toSecretProviderError({
|
|
75
|
+
error,
|
|
76
|
+
provider: this.id,
|
|
77
|
+
reference,
|
|
78
|
+
operation: "addSecretVersion"
|
|
79
|
+
});
|
|
80
|
+
}
|
|
81
|
+
}
|
|
82
|
+
async rotateSecret(reference, payload) {
|
|
83
|
+
return this.setSecret(reference, payload);
|
|
84
|
+
}
|
|
85
|
+
async deleteSecret(reference) {
|
|
86
|
+
const location = this.parseReference(reference);
|
|
87
|
+
const { secretName } = this.buildNames(location);
|
|
88
|
+
try {
|
|
89
|
+
await this.client.deleteSecret({ name: secretName });
|
|
90
|
+
} catch (error) {
|
|
91
|
+
throw toSecretProviderError({
|
|
92
|
+
error,
|
|
93
|
+
provider: this.id,
|
|
94
|
+
reference,
|
|
95
|
+
operation: "delete"
|
|
96
|
+
});
|
|
97
|
+
}
|
|
98
|
+
}
|
|
99
|
+
parseReference(reference) {
|
|
100
|
+
const parsed = parseSecretUri(reference);
|
|
101
|
+
if (parsed.provider !== "gcp") throw new SecretProviderError({
|
|
102
|
+
message: `Unsupported secret provider: ${parsed.provider}`,
|
|
103
|
+
provider: this.id,
|
|
104
|
+
reference,
|
|
105
|
+
code: "INVALID"
|
|
106
|
+
});
|
|
107
|
+
const segments = parsed.path.split("/").filter(Boolean);
|
|
108
|
+
if (segments.length < 4 || segments[0] !== "projects") throw new SecretProviderError({
|
|
109
|
+
message: `Expected secret reference format gcp://projects/{project}/secrets/{secret}[(/versions/{version})] but received "${parsed.path}"`,
|
|
110
|
+
provider: this.id,
|
|
111
|
+
reference,
|
|
112
|
+
code: "INVALID"
|
|
113
|
+
});
|
|
114
|
+
const projectIdCandidate = segments[1] ?? this.explicitProjectId;
|
|
115
|
+
if (!projectIdCandidate) throw new SecretProviderError({
|
|
116
|
+
message: `Unable to resolve project or secret from reference "${parsed.path}"`,
|
|
117
|
+
provider: this.id,
|
|
118
|
+
reference,
|
|
119
|
+
code: "INVALID"
|
|
120
|
+
});
|
|
121
|
+
const indexOfSecrets = segments.indexOf("secrets");
|
|
122
|
+
if (indexOfSecrets === -1 || indexOfSecrets + 1 >= segments.length) throw new SecretProviderError({
|
|
123
|
+
message: `Unable to resolve project or secret from reference "${parsed.path}"`,
|
|
124
|
+
provider: this.id,
|
|
125
|
+
reference,
|
|
126
|
+
code: "INVALID"
|
|
127
|
+
});
|
|
128
|
+
const resolvedProjectId = projectIdCandidate;
|
|
129
|
+
const secretIdCandidate = segments[indexOfSecrets + 1];
|
|
130
|
+
if (!secretIdCandidate) throw new SecretProviderError({
|
|
131
|
+
message: `Unable to resolve secret ID from reference "${parsed.path}"`,
|
|
132
|
+
provider: this.id,
|
|
133
|
+
reference,
|
|
134
|
+
code: "INVALID"
|
|
135
|
+
});
|
|
136
|
+
const secretId = secretIdCandidate;
|
|
137
|
+
const indexOfVersions = segments.indexOf("versions");
|
|
138
|
+
return {
|
|
139
|
+
projectId: resolvedProjectId,
|
|
140
|
+
secretId,
|
|
141
|
+
version: parsed.extras?.version ?? (indexOfVersions !== -1 && indexOfVersions + 1 < segments.length ? segments[indexOfVersions + 1] : void 0)
|
|
142
|
+
};
|
|
143
|
+
}
|
|
144
|
+
buildNames(location) {
|
|
145
|
+
const projectId = location.projectId ?? this.explicitProjectId;
|
|
146
|
+
if (!projectId) throw new SecretProviderError({
|
|
147
|
+
message: "Project ID must be provided either in reference or provider configuration",
|
|
148
|
+
provider: this.id,
|
|
149
|
+
reference: `gcp://projects//secrets/${location.secretId}`,
|
|
150
|
+
code: "INVALID"
|
|
151
|
+
});
|
|
152
|
+
const projectParent = `projects/${projectId}`;
|
|
153
|
+
return {
|
|
154
|
+
projectParent,
|
|
155
|
+
secretName: `${projectParent}/secrets/${location.secretId}`
|
|
156
|
+
};
|
|
157
|
+
}
|
|
158
|
+
buildVersionName(location, explicitVersion) {
|
|
159
|
+
const { secretName } = this.buildNames(location);
|
|
160
|
+
return `${secretName}/versions/${explicitVersion ?? location.version ?? "latest"}`;
|
|
161
|
+
}
|
|
162
|
+
async ensureSecretExists(location, payload) {
|
|
163
|
+
const { secretName, projectParent } = this.buildNames(location);
|
|
164
|
+
try {
|
|
165
|
+
await this.client.getSecret({ name: secretName });
|
|
166
|
+
} catch (error) {
|
|
167
|
+
const providerError = toSecretProviderError({
|
|
168
|
+
error,
|
|
169
|
+
provider: this.id,
|
|
170
|
+
reference: `gcp://${secretName}`,
|
|
171
|
+
operation: "getSecret",
|
|
172
|
+
suppressThrow: true
|
|
173
|
+
});
|
|
174
|
+
if (!providerError || providerError.code !== "NOT_FOUND") {
|
|
175
|
+
if (providerError) throw providerError;
|
|
176
|
+
throw error;
|
|
177
|
+
}
|
|
178
|
+
try {
|
|
179
|
+
await this.client.createSecret({
|
|
180
|
+
parent: projectParent,
|
|
181
|
+
secretId: location.secretId,
|
|
182
|
+
secret: {
|
|
183
|
+
replication: this.replication,
|
|
184
|
+
labels: payload.labels
|
|
185
|
+
}
|
|
186
|
+
});
|
|
187
|
+
} catch (creationError) {
|
|
188
|
+
throw toSecretProviderError({
|
|
189
|
+
error: creationError,
|
|
190
|
+
provider: this.id,
|
|
191
|
+
reference: `gcp://${secretName}`,
|
|
192
|
+
operation: "createSecret"
|
|
193
|
+
});
|
|
194
|
+
}
|
|
195
|
+
}
|
|
196
|
+
}
|
|
197
|
+
};
|
|
198
|
+
function extractVersionFromName(name) {
|
|
199
|
+
const segments = name.split("/").filter(Boolean);
|
|
200
|
+
const index = segments.indexOf("versions");
|
|
201
|
+
if (index === -1 || index + 1 >= segments.length) return;
|
|
202
|
+
return segments[index + 1];
|
|
203
|
+
}
|
|
204
|
+
function toSecretProviderError(params) {
|
|
205
|
+
const { error, provider, reference, operation, suppressThrow } = params;
|
|
206
|
+
if (error instanceof SecretProviderError) return error;
|
|
207
|
+
const code = deriveErrorCode(error);
|
|
208
|
+
const providerError = new SecretProviderError({
|
|
209
|
+
message: error instanceof Error ? error.message : `Unknown error during ${operation}`,
|
|
210
|
+
provider,
|
|
211
|
+
reference,
|
|
212
|
+
code,
|
|
213
|
+
cause: error
|
|
214
|
+
});
|
|
215
|
+
if (suppressThrow) return providerError;
|
|
216
|
+
throw providerError;
|
|
217
|
+
}
|
|
218
|
+
function deriveErrorCode(error) {
|
|
219
|
+
if (typeof error !== "object" || error === null) return "UNKNOWN";
|
|
220
|
+
const code = error.code;
|
|
221
|
+
if (code === 5 || code === "NOT_FOUND") return "NOT_FOUND";
|
|
222
|
+
if (code === 6 || code === "ALREADY_EXISTS") return "INVALID";
|
|
223
|
+
if (code === 7 || code === "PERMISSION_DENIED" || code === 403) return "FORBIDDEN";
|
|
224
|
+
if (code === 3 || code === "INVALID_ARGUMENT") return "INVALID";
|
|
225
|
+
return "UNKNOWN";
|
|
226
|
+
}
|
|
227
|
+
|
|
228
|
+
//#endregion
|
|
229
|
+
export { GcpSecretManagerProvider };
|
|
230
|
+
//# sourceMappingURL=gcp-secret-manager.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"gcp-secret-manager.js","names":["DEFAULT_REPLICATION: protos.google.cloud.secretmanager.v1.IReplication"],"sources":["../../src/secrets/gcp-secret-manager.ts"],"sourcesContent":["import {\n protos,\n SecretManagerServiceClient,\n} from '@google-cloud/secret-manager';\nimport type { CallOptions } from 'google-gax';\n\nimport {\n normalizeSecretPayload,\n parseSecretUri,\n SecretProviderError,\n} from './provider';\nimport type {\n SecretProvider,\n SecretReference,\n SecretRotationResult,\n SecretValue,\n SecretWritePayload,\n} from './provider';\n\ntype SecretManagerClient = SecretManagerServiceClient;\n\ninterface GcpSecretManagerProviderOptions {\n projectId?: string;\n client?: SecretManagerClient;\n clientOptions?: ConstructorParameters<typeof SecretManagerServiceClient>[0];\n defaultReplication?: protos.google.cloud.secretmanager.v1.IReplication;\n}\n\ninterface GcpSecretLocation {\n projectId: string;\n secretId: string;\n version?: string;\n}\n\nconst DEFAULT_REPLICATION: protos.google.cloud.secretmanager.v1.IReplication = {\n automatic: {},\n};\n\nexport class GcpSecretManagerProvider implements SecretProvider {\n readonly id = 'gcp-secret-manager';\n private readonly client: SecretManagerClient;\n private readonly explicitProjectId?: string;\n private readonly replication: protos.google.cloud.secretmanager.v1.IReplication;\n\n constructor(options: GcpSecretManagerProviderOptions = {}) {\n this.client =\n options.client ??\n new SecretManagerServiceClient(options.clientOptions ?? {});\n this.explicitProjectId = options.projectId;\n this.replication = options.defaultReplication ?? DEFAULT_REPLICATION;\n }\n\n canHandle(reference: SecretReference): boolean {\n try {\n const parsed = parseSecretUri(reference);\n return parsed.provider === 'gcp';\n } catch {\n return false;\n }\n }\n\n async getSecret(\n reference: SecretReference,\n options?: { version?: string },\n callOptions?: CallOptions\n ): Promise<SecretValue> {\n const location = this.parseReference(reference);\n const secretVersionName = this.buildVersionName(location, options?.version);\n try {\n const response = await this.client.accessSecretVersion(\n {\n name: secretVersionName,\n },\n callOptions ?? {}\n );\n const [result] = response;\n const payload = result.payload;\n if (!payload?.data) {\n throw new SecretProviderError({\n message: `Secret payload empty for ${secretVersionName}`,\n provider: this.id,\n reference,\n code: 'UNKNOWN',\n });\n }\n\n const version = extractVersionFromName(result.name ?? secretVersionName);\n return {\n data: payload.data as Uint8Array,\n version,\n metadata: payload.dataCrc32c\n ? { crc32c: payload.dataCrc32c.toString() }\n : undefined,\n retrievedAt: new Date(),\n };\n } catch (error) {\n throw toSecretProviderError({\n error,\n provider: this.id,\n reference,\n operation: 'access',\n });\n }\n }\n\n async setSecret(\n reference: SecretReference,\n payload: SecretWritePayload\n ): Promise<SecretRotationResult> {\n const location = this.parseReference(reference);\n const { secretName } = this.buildNames(location);\n const data = normalizeSecretPayload(payload);\n await this.ensureSecretExists(location, payload);\n\n try {\n const response = await this.client.addSecretVersion({\n parent: secretName,\n payload: {\n data,\n },\n });\n if (!response) {\n throw new SecretProviderError({\n message: `No version returned when adding secret version for ${secretName}`,\n provider: this.id,\n reference,\n code: 'UNKNOWN',\n });\n }\n const [version] = response;\n const versionName = version?.name ?? `${secretName}/versions/latest`;\n return {\n reference: `gcp://${versionName}`,\n version: extractVersionFromName(versionName) ?? 'latest',\n };\n } catch (error) {\n throw toSecretProviderError({\n error,\n provider: this.id,\n reference,\n operation: 'addSecretVersion',\n });\n }\n }\n\n async rotateSecret(\n reference: SecretReference,\n payload: SecretWritePayload\n ): Promise<SecretRotationResult> {\n return this.setSecret(reference, payload);\n }\n\n async deleteSecret(reference: SecretReference): Promise<void> {\n const location = this.parseReference(reference);\n const { secretName } = this.buildNames(location);\n try {\n await this.client.deleteSecret({\n name: secretName,\n });\n } catch (error) {\n throw toSecretProviderError({\n error,\n provider: this.id,\n reference,\n operation: 'delete',\n });\n }\n }\n\n private parseReference(reference: SecretReference): GcpSecretLocation {\n const parsed = parseSecretUri(reference);\n if (parsed.provider !== 'gcp') {\n throw new SecretProviderError({\n message: `Unsupported secret provider: ${parsed.provider}`,\n provider: this.id,\n reference,\n code: 'INVALID',\n });\n }\n\n const segments = parsed.path.split('/').filter(Boolean);\n if (segments.length < 4 || segments[0] !== 'projects') {\n throw new SecretProviderError({\n message: `Expected secret reference format gcp://projects/{project}/secrets/{secret}[(/versions/{version})] but received \"${parsed.path}\"`,\n provider: this.id,\n reference,\n code: 'INVALID',\n });\n }\n\n const projectIdCandidate = segments[1] ?? this.explicitProjectId;\n if (!projectIdCandidate) {\n throw new SecretProviderError({\n message: `Unable to resolve project or secret from reference \"${parsed.path}\"`,\n provider: this.id,\n reference,\n code: 'INVALID',\n });\n }\n\n const indexOfSecrets = segments.indexOf('secrets');\n if (indexOfSecrets === -1 || indexOfSecrets + 1 >= segments.length) {\n throw new SecretProviderError({\n message: `Unable to resolve project or secret from reference \"${parsed.path}\"`,\n provider: this.id,\n reference,\n code: 'INVALID',\n });\n }\n\n const resolvedProjectId = projectIdCandidate;\n const secretIdCandidate = segments[indexOfSecrets + 1];\n if (!secretIdCandidate) {\n throw new SecretProviderError({\n message: `Unable to resolve secret ID from reference \"${parsed.path}\"`,\n provider: this.id,\n reference,\n code: 'INVALID',\n });\n }\n const secretId = secretIdCandidate;\n const indexOfVersions = segments.indexOf('versions');\n const version =\n parsed.extras?.version ??\n (indexOfVersions !== -1 && indexOfVersions + 1 < segments.length\n ? segments[indexOfVersions + 1]\n : undefined);\n\n return {\n projectId: resolvedProjectId,\n secretId,\n version,\n };\n }\n\n private buildNames(location: GcpSecretLocation): {\n secretName: string;\n projectParent: string;\n } {\n const projectId = location.projectId ?? this.explicitProjectId;\n if (!projectId) {\n throw new SecretProviderError({\n message:\n 'Project ID must be provided either in reference or provider configuration',\n provider: this.id,\n reference: `gcp://projects//secrets/${location.secretId}`,\n code: 'INVALID',\n });\n }\n\n const projectParent = `projects/${projectId}`;\n const secretName = `${projectParent}/secrets/${location.secretId}`;\n return {\n projectParent,\n secretName,\n };\n }\n\n private buildVersionName(\n location: GcpSecretLocation,\n explicitVersion?: string\n ): string {\n const { secretName } = this.buildNames(location);\n const version = explicitVersion ?? location.version ?? 'latest';\n return `${secretName}/versions/${version}`;\n }\n\n private async ensureSecretExists(\n location: GcpSecretLocation,\n payload: SecretWritePayload\n ): Promise<void> {\n const { secretName, projectParent } = this.buildNames(location);\n try {\n await this.client.getSecret({ name: secretName });\n } catch (error) {\n const providerError = toSecretProviderError({\n error,\n provider: this.id,\n reference: `gcp://${secretName}`,\n operation: 'getSecret',\n suppressThrow: true,\n });\n if (!providerError || providerError.code !== 'NOT_FOUND') {\n if (providerError) {\n throw providerError;\n }\n throw error;\n }\n try {\n await this.client.createSecret({\n parent: projectParent,\n secretId: location.secretId,\n secret: {\n replication: this.replication,\n labels: payload.labels,\n },\n });\n } catch (creationError) {\n const creationProviderError = toSecretProviderError({\n error: creationError,\n provider: this.id,\n reference: `gcp://${secretName}`,\n operation: 'createSecret',\n });\n throw creationProviderError;\n }\n }\n }\n}\n\nfunction extractVersionFromName(name: string): string | undefined {\n const segments = name.split('/').filter(Boolean);\n const index = segments.indexOf('versions');\n if (index === -1 || index + 1 >= segments.length) {\n return undefined;\n }\n return segments[index + 1];\n}\n\nfunction toSecretProviderError(params: {\n error: unknown;\n provider: string;\n reference: SecretReference;\n operation: string;\n suppressThrow?: boolean;\n}): SecretProviderError {\n const { error, provider, reference, operation, suppressThrow } = params;\n if (error instanceof SecretProviderError) {\n return error;\n }\n\n const code = deriveErrorCode(error);\n const message =\n error instanceof Error\n ? error.message\n : `Unknown error during ${operation}`;\n\n const providerError = new SecretProviderError({\n message,\n provider,\n reference,\n code,\n cause: error,\n });\n\n if (suppressThrow) {\n return providerError;\n }\n\n throw providerError;\n}\n\nfunction deriveErrorCode(error: unknown): SecretProviderError['code'] {\n if (typeof error !== 'object' || error === null) {\n return 'UNKNOWN';\n }\n\n const errorAny = error as { code?: number | string };\n const code = errorAny.code;\n if (code === 5 || code === 'NOT_FOUND') return 'NOT_FOUND';\n if (code === 6 || code === 'ALREADY_EXISTS') return 'INVALID';\n if (code === 7 || code === 'PERMISSION_DENIED' || code === 403) {\n return 'FORBIDDEN';\n }\n if (code === 3 || code === 'INVALID_ARGUMENT') return 'INVALID';\n return 'UNKNOWN';\n}\n"],"mappings":";;;;AAkCA,MAAMA,sBAAyE,EAC7E,WAAW,EAAE,EACd;AAED,IAAa,2BAAb,MAAgE;CAC9D,AAAS,KAAK;CACd,AAAiB;CACjB,AAAiB;CACjB,AAAiB;CAEjB,YAAY,UAA2C,EAAE,EAAE;AACzD,OAAK,SACH,QAAQ,UACR,IAAI,2BAA2B,QAAQ,iBAAiB,EAAE,CAAC;AAC7D,OAAK,oBAAoB,QAAQ;AACjC,OAAK,cAAc,QAAQ,sBAAsB;;CAGnD,UAAU,WAAqC;AAC7C,MAAI;AAEF,UADe,eAAe,UAAU,CAC1B,aAAa;UACrB;AACN,UAAO;;;CAIX,MAAM,UACJ,WACA,SACA,aACsB;EACtB,MAAM,WAAW,KAAK,eAAe,UAAU;EAC/C,MAAM,oBAAoB,KAAK,iBAAiB,UAAU,SAAS,QAAQ;AAC3E,MAAI;GAOF,MAAM,CAAC,UANU,MAAM,KAAK,OAAO,oBACjC,EACE,MAAM,mBACP,EACD,eAAe,EAAE,CAClB;GAED,MAAM,UAAU,OAAO;AACvB,OAAI,CAAC,SAAS,KACZ,OAAM,IAAI,oBAAoB;IAC5B,SAAS,4BAA4B;IACrC,UAAU,KAAK;IACf;IACA,MAAM;IACP,CAAC;GAGJ,MAAM,UAAU,uBAAuB,OAAO,QAAQ,kBAAkB;AACxE,UAAO;IACL,MAAM,QAAQ;IACd;IACA,UAAU,QAAQ,aACd,EAAE,QAAQ,QAAQ,WAAW,UAAU,EAAE,GACzC;IACJ,6BAAa,IAAI,MAAM;IACxB;WACM,OAAO;AACd,SAAM,sBAAsB;IAC1B;IACA,UAAU,KAAK;IACf;IACA,WAAW;IACZ,CAAC;;;CAIN,MAAM,UACJ,WACA,SAC+B;EAC/B,MAAM,WAAW,KAAK,eAAe,UAAU;EAC/C,MAAM,EAAE,eAAe,KAAK,WAAW,SAAS;EAChD,MAAM,OAAO,uBAAuB,QAAQ;AAC5C,QAAM,KAAK,mBAAmB,UAAU,QAAQ;AAEhD,MAAI;GACF,MAAM,WAAW,MAAM,KAAK,OAAO,iBAAiB;IAClD,QAAQ;IACR,SAAS,EACP,MACD;IACF,CAAC;AACF,OAAI,CAAC,SACH,OAAM,IAAI,oBAAoB;IAC5B,SAAS,sDAAsD;IAC/D,UAAU,KAAK;IACf;IACA,MAAM;IACP,CAAC;GAEJ,MAAM,CAAC,WAAW;GAClB,MAAM,cAAc,SAAS,QAAQ,GAAG,WAAW;AACnD,UAAO;IACL,WAAW,SAAS;IACpB,SAAS,uBAAuB,YAAY,IAAI;IACjD;WACM,OAAO;AACd,SAAM,sBAAsB;IAC1B;IACA,UAAU,KAAK;IACf;IACA,WAAW;IACZ,CAAC;;;CAIN,MAAM,aACJ,WACA,SAC+B;AAC/B,SAAO,KAAK,UAAU,WAAW,QAAQ;;CAG3C,MAAM,aAAa,WAA2C;EAC5D,MAAM,WAAW,KAAK,eAAe,UAAU;EAC/C,MAAM,EAAE,eAAe,KAAK,WAAW,SAAS;AAChD,MAAI;AACF,SAAM,KAAK,OAAO,aAAa,EAC7B,MAAM,YACP,CAAC;WACK,OAAO;AACd,SAAM,sBAAsB;IAC1B;IACA,UAAU,KAAK;IACf;IACA,WAAW;IACZ,CAAC;;;CAIN,AAAQ,eAAe,WAA+C;EACpE,MAAM,SAAS,eAAe,UAAU;AACxC,MAAI,OAAO,aAAa,MACtB,OAAM,IAAI,oBAAoB;GAC5B,SAAS,gCAAgC,OAAO;GAChD,UAAU,KAAK;GACf;GACA,MAAM;GACP,CAAC;EAGJ,MAAM,WAAW,OAAO,KAAK,MAAM,IAAI,CAAC,OAAO,QAAQ;AACvD,MAAI,SAAS,SAAS,KAAK,SAAS,OAAO,WACzC,OAAM,IAAI,oBAAoB;GAC5B,SAAS,mHAAmH,OAAO,KAAK;GACxI,UAAU,KAAK;GACf;GACA,MAAM;GACP,CAAC;EAGJ,MAAM,qBAAqB,SAAS,MAAM,KAAK;AAC/C,MAAI,CAAC,mBACH,OAAM,IAAI,oBAAoB;GAC5B,SAAS,uDAAuD,OAAO,KAAK;GAC5E,UAAU,KAAK;GACf;GACA,MAAM;GACP,CAAC;EAGJ,MAAM,iBAAiB,SAAS,QAAQ,UAAU;AAClD,MAAI,mBAAmB,MAAM,iBAAiB,KAAK,SAAS,OAC1D,OAAM,IAAI,oBAAoB;GAC5B,SAAS,uDAAuD,OAAO,KAAK;GAC5E,UAAU,KAAK;GACf;GACA,MAAM;GACP,CAAC;EAGJ,MAAM,oBAAoB;EAC1B,MAAM,oBAAoB,SAAS,iBAAiB;AACpD,MAAI,CAAC,kBACH,OAAM,IAAI,oBAAoB;GAC5B,SAAS,+CAA+C,OAAO,KAAK;GACpE,UAAU,KAAK;GACf;GACA,MAAM;GACP,CAAC;EAEJ,MAAM,WAAW;EACjB,MAAM,kBAAkB,SAAS,QAAQ,WAAW;AAOpD,SAAO;GACL,WAAW;GACX;GACA,SARA,OAAO,QAAQ,YACd,oBAAoB,MAAM,kBAAkB,IAAI,SAAS,SACtD,SAAS,kBAAkB,KAC3B;GAML;;CAGH,AAAQ,WAAW,UAGjB;EACA,MAAM,YAAY,SAAS,aAAa,KAAK;AAC7C,MAAI,CAAC,UACH,OAAM,IAAI,oBAAoB;GAC5B,SACE;GACF,UAAU,KAAK;GACf,WAAW,2BAA2B,SAAS;GAC/C,MAAM;GACP,CAAC;EAGJ,MAAM,gBAAgB,YAAY;AAElC,SAAO;GACL;GACA,YAHiB,GAAG,cAAc,WAAW,SAAS;GAIvD;;CAGH,AAAQ,iBACN,UACA,iBACQ;EACR,MAAM,EAAE,eAAe,KAAK,WAAW,SAAS;AAEhD,SAAO,GAAG,WAAW,YADL,mBAAmB,SAAS,WAAW;;CAIzD,MAAc,mBACZ,UACA,SACe;EACf,MAAM,EAAE,YAAY,kBAAkB,KAAK,WAAW,SAAS;AAC/D,MAAI;AACF,SAAM,KAAK,OAAO,UAAU,EAAE,MAAM,YAAY,CAAC;WAC1C,OAAO;GACd,MAAM,gBAAgB,sBAAsB;IAC1C;IACA,UAAU,KAAK;IACf,WAAW,SAAS;IACpB,WAAW;IACX,eAAe;IAChB,CAAC;AACF,OAAI,CAAC,iBAAiB,cAAc,SAAS,aAAa;AACxD,QAAI,cACF,OAAM;AAER,UAAM;;AAER,OAAI;AACF,UAAM,KAAK,OAAO,aAAa;KAC7B,QAAQ;KACR,UAAU,SAAS;KACnB,QAAQ;MACN,aAAa,KAAK;MAClB,QAAQ,QAAQ;MACjB;KACF,CAAC;YACK,eAAe;AAOtB,UAN8B,sBAAsB;KAClD,OAAO;KACP,UAAU,KAAK;KACf,WAAW,SAAS;KACpB,WAAW;KACZ,CAAC;;;;;AAOV,SAAS,uBAAuB,MAAkC;CAChE,MAAM,WAAW,KAAK,MAAM,IAAI,CAAC,OAAO,QAAQ;CAChD,MAAM,QAAQ,SAAS,QAAQ,WAAW;AAC1C,KAAI,UAAU,MAAM,QAAQ,KAAK,SAAS,OACxC;AAEF,QAAO,SAAS,QAAQ;;AAG1B,SAAS,sBAAsB,QAMP;CACtB,MAAM,EAAE,OAAO,UAAU,WAAW,WAAW,kBAAkB;AACjE,KAAI,iBAAiB,oBACnB,QAAO;CAGT,MAAM,OAAO,gBAAgB,MAAM;CAMnC,MAAM,gBAAgB,IAAI,oBAAoB;EAC5C,SALA,iBAAiB,QACb,MAAM,UACN,wBAAwB;EAI5B;EACA;EACA;EACA,OAAO;EACR,CAAC;AAEF,KAAI,cACF,QAAO;AAGT,OAAM;;AAGR,SAAS,gBAAgB,OAA6C;AACpE,KAAI,OAAO,UAAU,YAAY,UAAU,KACzC,QAAO;CAIT,MAAM,OADW,MACK;AACtB,KAAI,SAAS,KAAK,SAAS,YAAa,QAAO;AAC/C,KAAI,SAAS,KAAK,SAAS,iBAAkB,QAAO;AACpD,KAAI,SAAS,KAAK,SAAS,uBAAuB,SAAS,IACzD,QAAO;AAET,KAAI,SAAS,KAAK,SAAS,mBAAoB,QAAO;AACtD,QAAO"}
|
|
@@ -0,0 +1,5 @@
|
|
|
1
|
+
import { ParsedSecretUri, SecretFetchOptions, SecretPayloadEncoding, SecretProvider, SecretProviderError, SecretReference, SecretRotationResult, SecretValue, SecretWritePayload, normalizeSecretPayload, parseSecretUri } from "./provider.js";
|
|
2
|
+
import { GcpSecretManagerProvider } from "./gcp-secret-manager.js";
|
|
3
|
+
import { EnvSecretProvider } from "./env-secret-provider.js";
|
|
4
|
+
import { SecretProviderManager, SecretProviderManagerOptions } from "./manager.js";
|
|
5
|
+
export { EnvSecretProvider, GcpSecretManagerProvider, ParsedSecretUri, SecretFetchOptions, SecretPayloadEncoding, SecretProvider, SecretProviderError, SecretProviderManager, SecretProviderManagerOptions, SecretReference, SecretRotationResult, SecretValue, SecretWritePayload, normalizeSecretPayload, parseSecretUri };
|
|
@@ -0,0 +1,6 @@
|
|
|
1
|
+
import { SecretProviderError, normalizeSecretPayload, parseSecretUri } from "./provider.js";
|
|
2
|
+
import { GcpSecretManagerProvider } from "./gcp-secret-manager.js";
|
|
3
|
+
import { EnvSecretProvider } from "./env-secret-provider.js";
|
|
4
|
+
import { SecretProviderManager } from "./manager.js";
|
|
5
|
+
|
|
6
|
+
export { EnvSecretProvider, GcpSecretManagerProvider, SecretProviderError, SecretProviderManager, normalizeSecretPayload, parseSecretUri };
|
|
@@ -0,0 +1,48 @@
|
|
|
1
|
+
import { SecretProvider, SecretReference, SecretRotationResult, SecretValue, SecretWritePayload } from "./provider.js";
|
|
2
|
+
|
|
3
|
+
//#region src/secrets/manager.d.ts
|
|
4
|
+
interface RegisterOptions {
|
|
5
|
+
/**
|
|
6
|
+
* Larger priority values are attempted first. Defaults to 0.
|
|
7
|
+
*/
|
|
8
|
+
priority?: number;
|
|
9
|
+
}
|
|
10
|
+
interface SecretProviderManagerOptions {
|
|
11
|
+
/**
|
|
12
|
+
* Override manager identifier. Defaults to "secret-provider-manager".
|
|
13
|
+
*/
|
|
14
|
+
id?: string;
|
|
15
|
+
/**
|
|
16
|
+
* Providers to pre-register. They are registered in array order with
|
|
17
|
+
* descending priority (first entry wins ties).
|
|
18
|
+
*/
|
|
19
|
+
providers?: {
|
|
20
|
+
provider: SecretProvider;
|
|
21
|
+
priority?: number;
|
|
22
|
+
}[];
|
|
23
|
+
}
|
|
24
|
+
/**
|
|
25
|
+
* Composite secret provider that delegates to registered providers.
|
|
26
|
+
* Providers are attempted in order of descending priority, respecting the
|
|
27
|
+
* registration order for ties. This enables privileged overrides (e.g.
|
|
28
|
+
* environment variables) while still supporting durable backends like GCP
|
|
29
|
+
* Secret Manager.
|
|
30
|
+
*/
|
|
31
|
+
declare class SecretProviderManager implements SecretProvider {
|
|
32
|
+
readonly id: string;
|
|
33
|
+
private readonly providers;
|
|
34
|
+
private registrationCounter;
|
|
35
|
+
constructor(options?: SecretProviderManagerOptions);
|
|
36
|
+
register(provider: SecretProvider, options?: RegisterOptions): this;
|
|
37
|
+
canHandle(reference: SecretReference): boolean;
|
|
38
|
+
getSecret(reference: SecretReference, options?: SecretFetchOptions): Promise<SecretValue>;
|
|
39
|
+
setSecret(reference: SecretReference, payload: SecretWritePayload): Promise<SecretRotationResult>;
|
|
40
|
+
rotateSecret(reference: SecretReference, payload: SecretWritePayload): Promise<SecretRotationResult>;
|
|
41
|
+
deleteSecret(reference: SecretReference): Promise<void>;
|
|
42
|
+
private delegateToFirst;
|
|
43
|
+
private composeError;
|
|
44
|
+
}
|
|
45
|
+
type SecretFetchOptions = Parameters<SecretProvider['getSecret']>[1];
|
|
46
|
+
//#endregion
|
|
47
|
+
export { SecretProviderManager, SecretProviderManagerOptions };
|
|
48
|
+
//# sourceMappingURL=manager.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"manager.d.ts","names":[],"sources":["../../src/secrets/manager.ts"],"sourcesContent":[],"mappings":";;;UAeU,eAAA;;AATU;AAgBpB;EAmBa,QAAA,CAAA,EAAA,MAAA;;AAaQ,UAhCJ,4BAAA,CAgCI;EAAyB;;;EAuBhC,EAAA,CAAA,EAAA,MAAA;EACD;;;;EA2BA,SAAA,CAAA,EAAA;IAAR,QAAA,EA1EqB,cA0ErB;IAOU,QAAA,CAAA,EAAA,MAAA;EACF,CAAA,EAAA;;;;;;;AA2EZ;;cAnJY,qBAAA,YAAiC;;;;wBAKvB;qBAQF,0BAAyB;uBAevB;uBAOR,2BACD,qBACT,QAAQ;uBAyBE,0BACF,qBACR,QAAQ;0BAOE,0BACF,qBACR,QAAQ;0BAMmB,kBAAkB;;;;KA8E7C,kBAAA,GAAqB,WAAW"}
|
|
@@ -0,0 +1,104 @@
|
|
|
1
|
+
import { SecretProviderError } from "./provider.js";
|
|
2
|
+
|
|
3
|
+
//#region src/secrets/manager.ts
|
|
4
|
+
/**
|
|
5
|
+
* Composite secret provider that delegates to registered providers.
|
|
6
|
+
* Providers are attempted in order of descending priority, respecting the
|
|
7
|
+
* registration order for ties. This enables privileged overrides (e.g.
|
|
8
|
+
* environment variables) while still supporting durable backends like GCP
|
|
9
|
+
* Secret Manager.
|
|
10
|
+
*/
|
|
11
|
+
var SecretProviderManager = class {
|
|
12
|
+
id;
|
|
13
|
+
providers = [];
|
|
14
|
+
registrationCounter = 0;
|
|
15
|
+
constructor(options = {}) {
|
|
16
|
+
this.id = options.id ?? "secret-provider-manager";
|
|
17
|
+
const initialProviders = options.providers ?? [];
|
|
18
|
+
for (const entry of initialProviders) this.register(entry.provider, { priority: entry.priority });
|
|
19
|
+
}
|
|
20
|
+
register(provider, options = {}) {
|
|
21
|
+
this.providers.push({
|
|
22
|
+
provider,
|
|
23
|
+
priority: options.priority ?? 0,
|
|
24
|
+
order: this.registrationCounter++
|
|
25
|
+
});
|
|
26
|
+
this.providers.sort((a, b) => {
|
|
27
|
+
if (a.priority !== b.priority) return b.priority - a.priority;
|
|
28
|
+
return a.order - b.order;
|
|
29
|
+
});
|
|
30
|
+
return this;
|
|
31
|
+
}
|
|
32
|
+
canHandle(reference) {
|
|
33
|
+
return this.providers.some(({ provider }) => safeCanHandle(provider, reference));
|
|
34
|
+
}
|
|
35
|
+
async getSecret(reference, options) {
|
|
36
|
+
const errors = [];
|
|
37
|
+
for (const { provider } of this.providers) {
|
|
38
|
+
if (!safeCanHandle(provider, reference)) continue;
|
|
39
|
+
try {
|
|
40
|
+
return await provider.getSecret(reference, options);
|
|
41
|
+
} catch (error) {
|
|
42
|
+
if (error instanceof SecretProviderError) {
|
|
43
|
+
errors.push(error);
|
|
44
|
+
if (error.code !== "NOT_FOUND") break;
|
|
45
|
+
continue;
|
|
46
|
+
}
|
|
47
|
+
throw error;
|
|
48
|
+
}
|
|
49
|
+
}
|
|
50
|
+
throw this.composeError("getSecret", reference, errors, options?.version);
|
|
51
|
+
}
|
|
52
|
+
async setSecret(reference, payload) {
|
|
53
|
+
return this.delegateToFirst("setSecret", reference, (provider) => provider.setSecret(reference, payload));
|
|
54
|
+
}
|
|
55
|
+
async rotateSecret(reference, payload) {
|
|
56
|
+
return this.delegateToFirst("rotateSecret", reference, (provider) => provider.rotateSecret(reference, payload));
|
|
57
|
+
}
|
|
58
|
+
async deleteSecret(reference) {
|
|
59
|
+
await this.delegateToFirst("deleteSecret", reference, (provider) => provider.deleteSecret(reference));
|
|
60
|
+
}
|
|
61
|
+
async delegateToFirst(operation, reference, invoker) {
|
|
62
|
+
const errors = [];
|
|
63
|
+
for (const { provider } of this.providers) {
|
|
64
|
+
if (!safeCanHandle(provider, reference)) continue;
|
|
65
|
+
try {
|
|
66
|
+
return await invoker(provider);
|
|
67
|
+
} catch (error) {
|
|
68
|
+
if (error instanceof SecretProviderError) {
|
|
69
|
+
errors.push(error);
|
|
70
|
+
continue;
|
|
71
|
+
}
|
|
72
|
+
throw error;
|
|
73
|
+
}
|
|
74
|
+
}
|
|
75
|
+
throw this.composeError(operation, reference, errors);
|
|
76
|
+
}
|
|
77
|
+
composeError(operation, reference, errors, version) {
|
|
78
|
+
if (errors.length === 1) {
|
|
79
|
+
const [singleError] = errors;
|
|
80
|
+
if (singleError) return singleError;
|
|
81
|
+
}
|
|
82
|
+
const messageParts = [`No registered secret provider could ${operation}`, `reference "${reference}"`];
|
|
83
|
+
if (version) messageParts.push(`(version: ${version})`);
|
|
84
|
+
if (errors.length > 1) messageParts.push(`Attempts: ${errors.map((error) => `${error.provider}:${error.code}`).join(", ")}`);
|
|
85
|
+
return new SecretProviderError({
|
|
86
|
+
message: messageParts.join(" "),
|
|
87
|
+
provider: this.id,
|
|
88
|
+
reference,
|
|
89
|
+
code: errors.length > 0 ? errors[errors.length - 1].code : "UNKNOWN",
|
|
90
|
+
cause: errors
|
|
91
|
+
});
|
|
92
|
+
}
|
|
93
|
+
};
|
|
94
|
+
function safeCanHandle(provider, reference) {
|
|
95
|
+
try {
|
|
96
|
+
return provider.canHandle(reference);
|
|
97
|
+
} catch {
|
|
98
|
+
return false;
|
|
99
|
+
}
|
|
100
|
+
}
|
|
101
|
+
|
|
102
|
+
//#endregion
|
|
103
|
+
export { SecretProviderManager };
|
|
104
|
+
//# sourceMappingURL=manager.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"manager.js","names":["errors: SecretProviderError[]"],"sources":["../../src/secrets/manager.ts"],"sourcesContent":["import type {\n SecretProvider,\n SecretReference,\n SecretRotationResult,\n SecretValue,\n SecretWritePayload,\n} from './provider';\nimport { SecretProviderError } from './provider';\n\ninterface ProviderRegistration {\n readonly provider: SecretProvider;\n readonly priority: number;\n readonly order: number;\n}\n\ninterface RegisterOptions {\n /**\n * Larger priority values are attempted first. Defaults to 0.\n */\n priority?: number;\n}\n\nexport interface SecretProviderManagerOptions {\n /**\n * Override manager identifier. Defaults to \"secret-provider-manager\".\n */\n id?: string;\n /**\n * Providers to pre-register. They are registered in array order with\n * descending priority (first entry wins ties).\n */\n providers?: { provider: SecretProvider; priority?: number }[];\n}\n\n/**\n * Composite secret provider that delegates to registered providers.\n * Providers are attempted in order of descending priority, respecting the\n * registration order for ties. This enables privileged overrides (e.g.\n * environment variables) while still supporting durable backends like GCP\n * Secret Manager.\n */\nexport class SecretProviderManager implements SecretProvider {\n readonly id: string;\n private readonly providers: ProviderRegistration[] = [];\n private registrationCounter = 0;\n\n constructor(options: SecretProviderManagerOptions = {}) {\n this.id = options.id ?? 'secret-provider-manager';\n const initialProviders = options.providers ?? [];\n for (const entry of initialProviders) {\n this.register(entry.provider, { priority: entry.priority });\n }\n }\n\n register(provider: SecretProvider, options: RegisterOptions = {}): this {\n this.providers.push({\n provider,\n priority: options.priority ?? 0,\n order: this.registrationCounter++,\n });\n this.providers.sort((a, b) => {\n if (a.priority !== b.priority) {\n return b.priority - a.priority;\n }\n return a.order - b.order;\n });\n return this;\n }\n\n canHandle(reference: SecretReference): boolean {\n return this.providers.some(({ provider }) =>\n safeCanHandle(provider, reference)\n );\n }\n\n async getSecret(\n reference: SecretReference,\n options?: SecretFetchOptions\n ): Promise<SecretValue> {\n const errors: SecretProviderError[] = [];\n\n for (const { provider } of this.providers) {\n if (!safeCanHandle(provider, reference)) {\n continue;\n }\n try {\n return await provider.getSecret(reference, options);\n } catch (error) {\n if (error instanceof SecretProviderError) {\n errors.push(error);\n if (error.code !== 'NOT_FOUND') {\n break;\n }\n continue;\n }\n throw error;\n }\n }\n\n throw this.composeError('getSecret', reference, errors, options?.version);\n }\n\n async setSecret(\n reference: SecretReference,\n payload: SecretWritePayload\n ): Promise<SecretRotationResult> {\n return this.delegateToFirst('setSecret', reference, (provider) =>\n provider.setSecret(reference, payload)\n );\n }\n\n async rotateSecret(\n reference: SecretReference,\n payload: SecretWritePayload\n ): Promise<SecretRotationResult> {\n return this.delegateToFirst('rotateSecret', reference, (provider) =>\n provider.rotateSecret(reference, payload)\n );\n }\n\n async deleteSecret(reference: SecretReference): Promise<void> {\n await this.delegateToFirst('deleteSecret', reference, (provider) =>\n provider.deleteSecret(reference)\n );\n }\n\n private async delegateToFirst<T>(\n operation: 'setSecret' | 'rotateSecret' | 'deleteSecret',\n reference: SecretReference,\n invoker: (provider: SecretProvider) => Promise<T>\n ): Promise<T> {\n const errors: SecretProviderError[] = [];\n\n for (const { provider } of this.providers) {\n if (!safeCanHandle(provider, reference)) {\n continue;\n }\n try {\n return await invoker(provider);\n } catch (error) {\n if (error instanceof SecretProviderError) {\n errors.push(error);\n continue;\n }\n throw error;\n }\n }\n\n throw this.composeError(operation, reference, errors);\n }\n\n private composeError(\n operation: string,\n reference: SecretReference,\n errors: SecretProviderError[],\n version?: string\n ): SecretProviderError {\n if (errors.length === 1) {\n const [singleError] = errors;\n if (singleError) {\n return singleError;\n }\n }\n\n const messageParts = [\n `No registered secret provider could ${operation}`,\n `reference \"${reference}\"`,\n ];\n if (version) {\n messageParts.push(`(version: ${version})`);\n }\n if (errors.length > 1) {\n messageParts.push(\n `Attempts: ${errors\n .map((error) => `${error.provider}:${error.code}`)\n .join(', ')}`\n );\n }\n\n return new SecretProviderError({\n message: messageParts.join(' '),\n provider: this.id,\n reference,\n // eslint-disable-next-line @typescript-eslint/no-non-null-assertion\n code: errors.length > 0 ? errors[errors.length - 1]!.code : 'UNKNOWN',\n cause: errors,\n });\n }\n}\n\nfunction safeCanHandle(provider: SecretProvider, reference: SecretReference) {\n try {\n return provider.canHandle(reference);\n } catch {\n return false;\n }\n}\n\ntype SecretFetchOptions = Parameters<SecretProvider['getSecret']>[1];\n"],"mappings":";;;;;;;;;;AAyCA,IAAa,wBAAb,MAA6D;CAC3D,AAAS;CACT,AAAiB,YAAoC,EAAE;CACvD,AAAQ,sBAAsB;CAE9B,YAAY,UAAwC,EAAE,EAAE;AACtD,OAAK,KAAK,QAAQ,MAAM;EACxB,MAAM,mBAAmB,QAAQ,aAAa,EAAE;AAChD,OAAK,MAAM,SAAS,iBAClB,MAAK,SAAS,MAAM,UAAU,EAAE,UAAU,MAAM,UAAU,CAAC;;CAI/D,SAAS,UAA0B,UAA2B,EAAE,EAAQ;AACtE,OAAK,UAAU,KAAK;GAClB;GACA,UAAU,QAAQ,YAAY;GAC9B,OAAO,KAAK;GACb,CAAC;AACF,OAAK,UAAU,MAAM,GAAG,MAAM;AAC5B,OAAI,EAAE,aAAa,EAAE,SACnB,QAAO,EAAE,WAAW,EAAE;AAExB,UAAO,EAAE,QAAQ,EAAE;IACnB;AACF,SAAO;;CAGT,UAAU,WAAqC;AAC7C,SAAO,KAAK,UAAU,MAAM,EAAE,eAC5B,cAAc,UAAU,UAAU,CACnC;;CAGH,MAAM,UACJ,WACA,SACsB;EACtB,MAAMA,SAAgC,EAAE;AAExC,OAAK,MAAM,EAAE,cAAc,KAAK,WAAW;AACzC,OAAI,CAAC,cAAc,UAAU,UAAU,CACrC;AAEF,OAAI;AACF,WAAO,MAAM,SAAS,UAAU,WAAW,QAAQ;YAC5C,OAAO;AACd,QAAI,iBAAiB,qBAAqB;AACxC,YAAO,KAAK,MAAM;AAClB,SAAI,MAAM,SAAS,YACjB;AAEF;;AAEF,UAAM;;;AAIV,QAAM,KAAK,aAAa,aAAa,WAAW,QAAQ,SAAS,QAAQ;;CAG3E,MAAM,UACJ,WACA,SAC+B;AAC/B,SAAO,KAAK,gBAAgB,aAAa,YAAY,aACnD,SAAS,UAAU,WAAW,QAAQ,CACvC;;CAGH,MAAM,aACJ,WACA,SAC+B;AAC/B,SAAO,KAAK,gBAAgB,gBAAgB,YAAY,aACtD,SAAS,aAAa,WAAW,QAAQ,CAC1C;;CAGH,MAAM,aAAa,WAA2C;AAC5D,QAAM,KAAK,gBAAgB,gBAAgB,YAAY,aACrD,SAAS,aAAa,UAAU,CACjC;;CAGH,MAAc,gBACZ,WACA,WACA,SACY;EACZ,MAAMA,SAAgC,EAAE;AAExC,OAAK,MAAM,EAAE,cAAc,KAAK,WAAW;AACzC,OAAI,CAAC,cAAc,UAAU,UAAU,CACrC;AAEF,OAAI;AACF,WAAO,MAAM,QAAQ,SAAS;YACvB,OAAO;AACd,QAAI,iBAAiB,qBAAqB;AACxC,YAAO,KAAK,MAAM;AAClB;;AAEF,UAAM;;;AAIV,QAAM,KAAK,aAAa,WAAW,WAAW,OAAO;;CAGvD,AAAQ,aACN,WACA,WACA,QACA,SACqB;AACrB,MAAI,OAAO,WAAW,GAAG;GACvB,MAAM,CAAC,eAAe;AACtB,OAAI,YACF,QAAO;;EAIX,MAAM,eAAe,CACnB,uCAAuC,aACvC,cAAc,UAAU,GACzB;AACD,MAAI,QACF,cAAa,KAAK,aAAa,QAAQ,GAAG;AAE5C,MAAI,OAAO,SAAS,EAClB,cAAa,KACX,aAAa,OACV,KAAK,UAAU,GAAG,MAAM,SAAS,GAAG,MAAM,OAAO,CACjD,KAAK,KAAK,GACd;AAGH,SAAO,IAAI,oBAAoB;GAC7B,SAAS,aAAa,KAAK,IAAI;GAC/B,UAAU,KAAK;GACf;GAEA,MAAM,OAAO,SAAS,IAAI,OAAO,OAAO,SAAS,GAAI,OAAO;GAC5D,OAAO;GACR,CAAC;;;AAIN,SAAS,cAAc,UAA0B,WAA4B;AAC3E,KAAI;AACF,SAAO,SAAS,UAAU,UAAU;SAC9B;AACN,SAAO"}
|
|
@@ -0,0 +1,53 @@
|
|
|
1
|
+
//#region src/secrets/provider.d.ts
|
|
2
|
+
type SecretReference = string;
|
|
3
|
+
interface SecretValue {
|
|
4
|
+
data: Uint8Array;
|
|
5
|
+
version?: string;
|
|
6
|
+
metadata?: Record<string, string>;
|
|
7
|
+
retrievedAt: Date;
|
|
8
|
+
}
|
|
9
|
+
interface SecretFetchOptions {
|
|
10
|
+
version?: string;
|
|
11
|
+
}
|
|
12
|
+
type SecretPayloadEncoding = 'utf-8' | 'base64' | 'binary';
|
|
13
|
+
interface SecretWritePayload {
|
|
14
|
+
data: string | Uint8Array;
|
|
15
|
+
encoding?: SecretPayloadEncoding;
|
|
16
|
+
contentType?: string;
|
|
17
|
+
labels?: Record<string, string>;
|
|
18
|
+
}
|
|
19
|
+
interface SecretRotationResult {
|
|
20
|
+
reference: SecretReference;
|
|
21
|
+
version: string;
|
|
22
|
+
}
|
|
23
|
+
interface SecretProvider {
|
|
24
|
+
readonly id: string;
|
|
25
|
+
canHandle(reference: SecretReference): boolean;
|
|
26
|
+
getSecret(reference: SecretReference, options?: SecretFetchOptions): Promise<SecretValue>;
|
|
27
|
+
setSecret(reference: SecretReference, payload: SecretWritePayload): Promise<SecretRotationResult>;
|
|
28
|
+
rotateSecret(reference: SecretReference, payload: SecretWritePayload): Promise<SecretRotationResult>;
|
|
29
|
+
deleteSecret(reference: SecretReference): Promise<void>;
|
|
30
|
+
}
|
|
31
|
+
interface ParsedSecretUri {
|
|
32
|
+
provider: string;
|
|
33
|
+
path: string;
|
|
34
|
+
extras?: Record<string, string>;
|
|
35
|
+
}
|
|
36
|
+
declare class SecretProviderError extends Error {
|
|
37
|
+
readonly provider: string;
|
|
38
|
+
readonly reference: SecretReference;
|
|
39
|
+
readonly code: 'NOT_FOUND' | 'FORBIDDEN' | 'INVALID' | 'UNKNOWN';
|
|
40
|
+
readonly cause?: unknown;
|
|
41
|
+
constructor(params: {
|
|
42
|
+
message: string;
|
|
43
|
+
provider: string;
|
|
44
|
+
reference: SecretReference;
|
|
45
|
+
code?: SecretProviderError['code'];
|
|
46
|
+
cause?: unknown;
|
|
47
|
+
});
|
|
48
|
+
}
|
|
49
|
+
declare function parseSecretUri(reference: SecretReference): ParsedSecretUri;
|
|
50
|
+
declare function normalizeSecretPayload(payload: SecretWritePayload): Uint8Array;
|
|
51
|
+
//#endregion
|
|
52
|
+
export { ParsedSecretUri, SecretFetchOptions, SecretPayloadEncoding, SecretProvider, SecretProviderError, SecretReference, SecretRotationResult, SecretValue, SecretWritePayload, normalizeSecretPayload, parseSecretUri };
|
|
53
|
+
//# sourceMappingURL=provider.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"provider.d.ts","names":[],"sources":["../../src/secrets/provider.ts"],"sourcesContent":[],"mappings":";KAEY,eAAA;AAAA,UAEK,WAAA,CAFU;EAEV,IAAA,EACT,UADoB;EACpB,OAAA,CAAA,EAAA,MAAA;EAEK,QAAA,CAAA,EAAA,MAAA,CAAA,MAAA,EAAA,MAAA,CAAA;EACE,WAAA,EAAA,IAAA;;AAGE,UAAA,kBAAA,CAAkB;EAIvB,OAAA,CAAA,EAAA,MAAA;AAEZ;AACiB,KAHL,qBAAA,GAGK,OAAA,GAAA,QAAA,GAAA,QAAA;AACJ,UAFI,kBAAA,CAEJ;EAEF,IAAA,EAAA,MAAA,GAHM,UAGN;EAAM,QAAA,CAAA,EAFJ,qBAEI;EAGA,WAAA,CAAA,EAAA,MAAA;EAKA,MAAA,CAAA,EARN,MAQM,CAAA,MAAc,EAAA,MAAA,CAAA;;AAIhB,UATE,oBAAA,CASF;EACD,SAAA,EATD,eASC;EACD,OAAA,EAAA,MAAA;;AAEE,UARE,cAAA,CAQF;EACF,SAAA,EAAA,EAAA,MAAA;EACA,SAAA,CAAA,SAAA,EARU,eAQV,CAAA,EAAA,OAAA;EAAR,SAAA,CAAA,SAAA,EANU,eAMV,EAAA,OAAA,CAAA,EALS,kBAKT,CAAA,EAJA,OAIA,CAJQ,WAIR,CAAA;EAEU,SAAA,CAAA,SAAA,EAJA,eAIA,EAAA,OAAA,EAHF,kBAGE,CAAA,EAFV,OAEU,CAFF,oBAEE,CAAA;EACF,YAAA,CAAA,SAAA,EADE,eACF,EAAA,OAAA,EAAA,kBAAA,CAAA,EACR,OADQ,CACA,oBADA,CAAA;EACA,YAAA,CAAA,SAAA,EACa,eADb,CAAA,EAC+B,OAD/B,CAAA,IAAA,CAAA;;AACa,UAGT,eAAA,CAHS;EAAkB,QAAA,EAAA,MAAA;EAAO,IAAA,EAAA,MAAA;EAGlC,MAAA,CAAA,EAGN,MAHM,CAAA,MAAe,EAAA,MAGrB,CAAA;AAGX;AAEsB,cAFT,mBAAA,SAA4B,KAAA,CAEnB;EAOP,SAAA,QAAA,EAAA,MAAA;EACJ,SAAA,SAAA,EARW,eAQX;EAV8B,SAAA,IAAA,EAAA,WAAA,GAAA,WAAA,GAAA,SAAA,GAAA,SAAA;EAAK,SAAA,KAAA,CAAA,EAAA,OAAA;EAsB9B,WAAA,CAAA,MAAc,EAAA;IAiDd,OAAA,EAAA,MAAA;;eA9DD;WACJ;;;;iBAYK,cAAA,YAA0B,kBAAkB;iBAiD5C,sBAAA,UACL,qBACR"}
|
|
@@ -0,0 +1,59 @@
|
|
|
1
|
+
import { Buffer } from "node:buffer";
|
|
2
|
+
|
|
3
|
+
//#region src/secrets/provider.ts
|
|
4
|
+
var SecretProviderError = class extends Error {
|
|
5
|
+
provider;
|
|
6
|
+
reference;
|
|
7
|
+
code;
|
|
8
|
+
cause;
|
|
9
|
+
constructor(params) {
|
|
10
|
+
super(params.message);
|
|
11
|
+
this.name = "SecretProviderError";
|
|
12
|
+
this.provider = params.provider;
|
|
13
|
+
this.reference = params.reference;
|
|
14
|
+
this.code = params.code ?? "UNKNOWN";
|
|
15
|
+
this.cause = params.cause;
|
|
16
|
+
}
|
|
17
|
+
};
|
|
18
|
+
function parseSecretUri(reference) {
|
|
19
|
+
if (!reference) throw new SecretProviderError({
|
|
20
|
+
message: "Secret reference cannot be empty",
|
|
21
|
+
provider: "unknown",
|
|
22
|
+
reference,
|
|
23
|
+
code: "INVALID"
|
|
24
|
+
});
|
|
25
|
+
const [scheme, rest] = reference.split("://");
|
|
26
|
+
if (!scheme || !rest) throw new SecretProviderError({
|
|
27
|
+
message: `Invalid secret reference: ${reference}`,
|
|
28
|
+
provider: "unknown",
|
|
29
|
+
reference,
|
|
30
|
+
code: "INVALID"
|
|
31
|
+
});
|
|
32
|
+
const queryIndex = rest.indexOf("?");
|
|
33
|
+
if (queryIndex === -1) return {
|
|
34
|
+
provider: scheme,
|
|
35
|
+
path: rest
|
|
36
|
+
};
|
|
37
|
+
const path = rest.slice(0, queryIndex);
|
|
38
|
+
const query = rest.slice(queryIndex + 1);
|
|
39
|
+
return {
|
|
40
|
+
provider: scheme,
|
|
41
|
+
path,
|
|
42
|
+
extras: Object.fromEntries(query.split("&").filter(Boolean).map((pair) => {
|
|
43
|
+
const [keyRaw, valueRaw] = pair.split("=");
|
|
44
|
+
const key = keyRaw ?? "";
|
|
45
|
+
const value = valueRaw ?? "";
|
|
46
|
+
return [decodeURIComponent(key), decodeURIComponent(value)];
|
|
47
|
+
}))
|
|
48
|
+
};
|
|
49
|
+
}
|
|
50
|
+
function normalizeSecretPayload(payload) {
|
|
51
|
+
if (payload.data instanceof Uint8Array) return payload.data;
|
|
52
|
+
if (payload.encoding === "base64") return Buffer.from(payload.data, "base64");
|
|
53
|
+
if (payload.encoding === "binary") return Buffer.from(payload.data, "binary");
|
|
54
|
+
return Buffer.from(payload.data, "utf-8");
|
|
55
|
+
}
|
|
56
|
+
|
|
57
|
+
//#endregion
|
|
58
|
+
export { SecretProviderError, normalizeSecretPayload, parseSecretUri };
|
|
59
|
+
//# sourceMappingURL=provider.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"provider.js","names":[],"sources":["../../src/secrets/provider.ts"],"sourcesContent":["import { Buffer } from 'node:buffer';\n\nexport type SecretReference = string;\n\nexport interface SecretValue {\n data: Uint8Array;\n version?: string;\n metadata?: Record<string, string>;\n retrievedAt: Date;\n}\n\nexport interface SecretFetchOptions {\n version?: string;\n}\n\nexport type SecretPayloadEncoding = 'utf-8' | 'base64' | 'binary';\n\nexport interface SecretWritePayload {\n data: string | Uint8Array;\n encoding?: SecretPayloadEncoding;\n contentType?: string;\n labels?: Record<string, string>;\n}\n\nexport interface SecretRotationResult {\n reference: SecretReference;\n version: string;\n}\n\nexport interface SecretProvider {\n readonly id: string;\n canHandle(reference: SecretReference): boolean;\n getSecret(\n reference: SecretReference,\n options?: SecretFetchOptions\n ): Promise<SecretValue>;\n setSecret(\n reference: SecretReference,\n payload: SecretWritePayload\n ): Promise<SecretRotationResult>;\n rotateSecret(\n reference: SecretReference,\n payload: SecretWritePayload\n ): Promise<SecretRotationResult>;\n deleteSecret(reference: SecretReference): Promise<void>;\n}\n\nexport interface ParsedSecretUri {\n provider: string;\n path: string;\n extras?: Record<string, string>;\n}\n\nexport class SecretProviderError extends Error {\n readonly provider: string;\n readonly reference: SecretReference;\n readonly code: 'NOT_FOUND' | 'FORBIDDEN' | 'INVALID' | 'UNKNOWN';\n readonly cause?: unknown;\n\n constructor(params: {\n message: string;\n provider: string;\n reference: SecretReference;\n code?: SecretProviderError['code'];\n cause?: unknown;\n }) {\n super(params.message);\n this.name = 'SecretProviderError';\n this.provider = params.provider;\n this.reference = params.reference;\n this.code = params.code ?? 'UNKNOWN';\n this.cause = params.cause;\n }\n}\n\nexport function parseSecretUri(reference: SecretReference): ParsedSecretUri {\n if (!reference) {\n throw new SecretProviderError({\n message: 'Secret reference cannot be empty',\n provider: 'unknown',\n reference,\n code: 'INVALID',\n });\n }\n\n const [scheme, rest] = reference.split('://');\n if (!scheme || !rest) {\n throw new SecretProviderError({\n message: `Invalid secret reference: ${reference}`,\n provider: 'unknown',\n reference,\n code: 'INVALID',\n });\n }\n\n const queryIndex = rest.indexOf('?');\n if (queryIndex === -1) {\n return {\n provider: scheme,\n path: rest,\n };\n }\n\n const path = rest.slice(0, queryIndex);\n const query = rest.slice(queryIndex + 1);\n const extras = Object.fromEntries(\n query\n .split('&')\n .filter(Boolean)\n .map((pair) => {\n const [keyRaw, valueRaw] = pair.split('=');\n const key = keyRaw ?? '';\n const value = valueRaw ?? '';\n return [decodeURIComponent(key), decodeURIComponent(value)];\n })\n );\n\n return {\n provider: scheme,\n path,\n extras,\n };\n}\n\nexport function normalizeSecretPayload(\n payload: SecretWritePayload\n): Uint8Array {\n if (payload.data instanceof Uint8Array) {\n return payload.data;\n }\n\n if (payload.encoding === 'base64') {\n return Buffer.from(payload.data, 'base64');\n }\n\n if (payload.encoding === 'binary') {\n return Buffer.from(payload.data, 'binary');\n }\n\n return Buffer.from(payload.data, 'utf-8');\n}\n"],"mappings":";;;AAqDA,IAAa,sBAAb,cAAyC,MAAM;CAC7C,AAAS;CACT,AAAS;CACT,AAAS;CACT,AAAS;CAET,YAAY,QAMT;AACD,QAAM,OAAO,QAAQ;AACrB,OAAK,OAAO;AACZ,OAAK,WAAW,OAAO;AACvB,OAAK,YAAY,OAAO;AACxB,OAAK,OAAO,OAAO,QAAQ;AAC3B,OAAK,QAAQ,OAAO;;;AAIxB,SAAgB,eAAe,WAA6C;AAC1E,KAAI,CAAC,UACH,OAAM,IAAI,oBAAoB;EAC5B,SAAS;EACT,UAAU;EACV;EACA,MAAM;EACP,CAAC;CAGJ,MAAM,CAAC,QAAQ,QAAQ,UAAU,MAAM,MAAM;AAC7C,KAAI,CAAC,UAAU,CAAC,KACd,OAAM,IAAI,oBAAoB;EAC5B,SAAS,6BAA6B;EACtC,UAAU;EACV;EACA,MAAM;EACP,CAAC;CAGJ,MAAM,aAAa,KAAK,QAAQ,IAAI;AACpC,KAAI,eAAe,GACjB,QAAO;EACL,UAAU;EACV,MAAM;EACP;CAGH,MAAM,OAAO,KAAK,MAAM,GAAG,WAAW;CACtC,MAAM,QAAQ,KAAK,MAAM,aAAa,EAAE;AAaxC,QAAO;EACL,UAAU;EACV;EACA,QAfa,OAAO,YACpB,MACG,MAAM,IAAI,CACV,OAAO,QAAQ,CACf,KAAK,SAAS;GACb,MAAM,CAAC,QAAQ,YAAY,KAAK,MAAM,IAAI;GAC1C,MAAM,MAAM,UAAU;GACtB,MAAM,QAAQ,YAAY;AAC1B,UAAO,CAAC,mBAAmB,IAAI,EAAE,mBAAmB,MAAM,CAAC;IAC3D,CACL;EAMA;;AAGH,SAAgB,uBACd,SACY;AACZ,KAAI,QAAQ,gBAAgB,WAC1B,QAAO,QAAQ;AAGjB,KAAI,QAAQ,aAAa,SACvB,QAAO,OAAO,KAAK,QAAQ,MAAM,SAAS;AAG5C,KAAI,QAAQ,aAAa,SACvB,QAAO,OAAO,KAAK,QAAQ,MAAM,SAAS;AAG5C,QAAO,OAAO,KAAK,QAAQ,MAAM,QAAQ"}
|