@contractspec/integration.runtime 1.56.1 → 1.58.0

package/dist/secrets/gcp-secret-manager.js

@@ -1,230 +1,347 @@
-import { SecretProviderError, normalizeSecretPayload, parseSecretUri } from "./provider.js";
-import { SecretManagerServiceClient, protos } from "@google-cloud/secret-manager";
+// @bun
+// src/secrets/provider.ts
+import { Buffer } from "buffer";
 
-//#region src/secrets/gcp-secret-manager.ts
-const DEFAULT_REPLICATION = { automatic: {} };
-var GcpSecretManagerProvider = class {
-	id = "gcp-secret-manager";
-	client;
-	explicitProjectId;
-	replication;
-	constructor(options = {}) {
-		this.client = options.client ?? new SecretManagerServiceClient(options.clientOptions ?? {});
-		this.explicitProjectId = options.projectId;
-		this.replication = options.defaultReplication ?? DEFAULT_REPLICATION;
-	}
-	canHandle(reference) {
-		try {
-			return parseSecretUri(reference).provider === "gcp";
-		} catch {
-			return false;
-		}
-	}
-	async getSecret(reference, options, callOptions) {
-		const location = this.parseReference(reference);
-		const secretVersionName = this.buildVersionName(location, options?.version);
-		try {
-			const [result] = await this.client.accessSecretVersion({ name: secretVersionName }, callOptions ?? {});
-			const payload = result.payload;
-			if (!payload?.data) throw new SecretProviderError({
-				message: `Secret payload empty for ${secretVersionName}`,
-				provider: this.id,
-				reference,
-				code: "UNKNOWN"
-			});
-			const version = extractVersionFromName(result.name ?? secretVersionName);
-			return {
-				data: payload.data,
-				version,
-				metadata: payload.dataCrc32c ? { crc32c: payload.dataCrc32c.toString() } : void 0,
-				retrievedAt: /* @__PURE__ */ new Date()
-			};
-		} catch (error) {
-			throw toSecretProviderError({
-				error,
-				provider: this.id,
-				reference,
-				operation: "access"
-			});
-		}
-	}
-	async setSecret(reference, payload) {
-		const location = this.parseReference(reference);
-		const { secretName } = this.buildNames(location);
-		const data = normalizeSecretPayload(payload);
-		await this.ensureSecretExists(location, payload);
-		try {
-			const response = await this.client.addSecretVersion({
-				parent: secretName,
-				payload: { data }
-			});
-			if (!response) throw new SecretProviderError({
-				message: `No version returned when adding secret version for ${secretName}`,
-				provider: this.id,
-				reference,
-				code: "UNKNOWN"
-			});
-			const [version] = response;
-			const versionName = version?.name ?? `${secretName}/versions/latest`;
-			return {
-				reference: `gcp://${versionName}`,
-				version: extractVersionFromName(versionName) ?? "latest"
-			};
-		} catch (error) {
-			throw toSecretProviderError({
-				error,
-				provider: this.id,
-				reference,
-				operation: "addSecretVersion"
-			});
-		}
-	}
-	async rotateSecret(reference, payload) {
-		return this.setSecret(reference, payload);
-	}
-	async deleteSecret(reference) {
-		const location = this.parseReference(reference);
-		const { secretName } = this.buildNames(location);
-		try {
-			await this.client.deleteSecret({ name: secretName });
-		} catch (error) {
-			throw toSecretProviderError({
-				error,
-				provider: this.id,
-				reference,
-				operation: "delete"
-			});
-		}
-	}
-	parseReference(reference) {
-		const parsed = parseSecretUri(reference);
-		if (parsed.provider !== "gcp") throw new SecretProviderError({
-			message: `Unsupported secret provider: ${parsed.provider}`,
-			provider: this.id,
-			reference,
-			code: "INVALID"
-		});
-		const segments = parsed.path.split("/").filter(Boolean);
-		if (segments.length < 4 || segments[0] !== "projects") throw new SecretProviderError({
-			message: `Expected secret reference format gcp://projects/{project}/secrets/{secret}[(/versions/{version})] but received "${parsed.path}"`,
-			provider: this.id,
-			reference,
-			code: "INVALID"
-		});
-		const projectIdCandidate = segments[1] ?? this.explicitProjectId;
-		if (!projectIdCandidate) throw new SecretProviderError({
-			message: `Unable to resolve project or secret from reference "${parsed.path}"`,
-			provider: this.id,
-			reference,
-			code: "INVALID"
-		});
-		const indexOfSecrets = segments.indexOf("secrets");
-		if (indexOfSecrets === -1 || indexOfSecrets + 1 >= segments.length) throw new SecretProviderError({
-			message: `Unable to resolve project or secret from reference "${parsed.path}"`,
-			provider: this.id,
-			reference,
-			code: "INVALID"
-		});
-		const resolvedProjectId = projectIdCandidate;
-		const secretIdCandidate = segments[indexOfSecrets + 1];
-		if (!secretIdCandidate) throw new SecretProviderError({
-			message: `Unable to resolve secret ID from reference "${parsed.path}"`,
-			provider: this.id,
-			reference,
-			code: "INVALID"
-		});
-		const secretId = secretIdCandidate;
-		const indexOfVersions = segments.indexOf("versions");
-		return {
-			projectId: resolvedProjectId,
-			secretId,
-			version: parsed.extras?.version ?? (indexOfVersions !== -1 && indexOfVersions + 1 < segments.length ? segments[indexOfVersions + 1] : void 0)
-		};
-	}
-	buildNames(location) {
-		const projectId = location.projectId ?? this.explicitProjectId;
-		if (!projectId) throw new SecretProviderError({
-			message: "Project ID must be provided either in reference or provider configuration",
-			provider: this.id,
-			reference: `gcp://projects//secrets/${location.secretId}`,
-			code: "INVALID"
-		});
-		const projectParent = `projects/${projectId}`;
-		return {
-			projectParent,
-			secretName: `${projectParent}/secrets/${location.secretId}`
-		};
-	}
-	buildVersionName(location, explicitVersion) {
-		const { secretName } = this.buildNames(location);
-		return `${secretName}/versions/${explicitVersion ?? location.version ?? "latest"}`;
-	}
-	async ensureSecretExists(location, payload) {
-		const { secretName, projectParent } = this.buildNames(location);
-		try {
-			await this.client.getSecret({ name: secretName });
-		} catch (error) {
-			const providerError = toSecretProviderError({
-				error,
-				provider: this.id,
-				reference: `gcp://${secretName}`,
-				operation: "getSecret",
-				suppressThrow: true
-			});
-			if (!providerError || providerError.code !== "NOT_FOUND") {
-				if (providerError) throw providerError;
-				throw error;
-			}
-			try {
-				await this.client.createSecret({
-					parent: projectParent,
-					secretId: location.secretId,
-					secret: {
-						replication: this.replication,
-						labels: payload.labels
-					}
-				});
-			} catch (creationError) {
-				throw toSecretProviderError({
-					error: creationError,
-					provider: this.id,
-					reference: `gcp://${secretName}`,
-					operation: "createSecret"
-				});
-			}
-		}
-	}
+class SecretProviderError extends Error {
+  provider;
+  reference;
+  code;
+  cause;
+  constructor(params) {
+    super(params.message);
+    this.name = "SecretProviderError";
+    this.provider = params.provider;
+    this.reference = params.reference;
+    this.code = params.code ?? "UNKNOWN";
+    this.cause = params.cause;
+  }
+}
+function parseSecretUri(reference) {
+  if (!reference) {
+    throw new SecretProviderError({
+      message: "Secret reference cannot be empty",
+      provider: "unknown",
+      reference,
+      code: "INVALID"
+    });
+  }
+  const [scheme, rest] = reference.split("://");
+  if (!scheme || !rest) {
+    throw new SecretProviderError({
+      message: `Invalid secret reference: ${reference}`,
+      provider: "unknown",
+      reference,
+      code: "INVALID"
+    });
+  }
+  const queryIndex = rest.indexOf("?");
+  if (queryIndex === -1) {
+    return {
+      provider: scheme,
+      path: rest
+    };
+  }
+  const path = rest.slice(0, queryIndex);
+  const query = rest.slice(queryIndex + 1);
+  const extras = Object.fromEntries(query.split("&").filter(Boolean).map((pair) => {
+    const [keyRaw, valueRaw] = pair.split("=");
+    const key = keyRaw ?? "";
+    const value = valueRaw ?? "";
+    return [decodeURIComponent(key), decodeURIComponent(value)];
+  }));
+  return {
+    provider: scheme,
+    path,
+    extras
+  };
+}
+function normalizeSecretPayload(payload) {
+  if (payload.data instanceof Uint8Array) {
+    return payload.data;
+  }
+  if (payload.encoding === "base64") {
+    return Buffer.from(payload.data, "base64");
+  }
+  if (payload.encoding === "binary") {
+    return Buffer.from(payload.data, "binary");
+  }
+  return Buffer.from(payload.data, "utf-8");
+}
+
+// src/secrets/gcp-secret-manager.ts
+import {
+  SecretManagerServiceClient
+} from "@google-cloud/secret-manager";
+var DEFAULT_REPLICATION = {
+  automatic: {}
 };
+
+class GcpSecretManagerProvider {
+  id = "gcp-secret-manager";
+  client;
+  explicitProjectId;
+  replication;
+  constructor(options = {}) {
+    this.client = options.client ?? new SecretManagerServiceClient(options.clientOptions ?? {});
+    this.explicitProjectId = options.projectId;
+    this.replication = options.defaultReplication ?? DEFAULT_REPLICATION;
+  }
+  canHandle(reference) {
+    try {
+      const parsed = parseSecretUri(reference);
+      return parsed.provider === "gcp";
+    } catch {
+      return false;
+    }
+  }
+  async getSecret(reference, options, callOptions) {
+    const location = this.parseReference(reference);
+    const secretVersionName = this.buildVersionName(location, options?.version);
+    try {
+      const response = await this.client.accessSecretVersion({
+        name: secretVersionName
+      }, callOptions ?? {});
+      const [result] = response;
+      const payload = result.payload;
+      if (!payload?.data) {
+        throw new SecretProviderError({
+          message: `Secret payload empty for ${secretVersionName}`,
+          provider: this.id,
+          reference,
+          code: "UNKNOWN"
+        });
+      }
+      const version = extractVersionFromName(result.name ?? secretVersionName);
+      return {
+        data: payload.data,
+        version,
+        metadata: payload.dataCrc32c ? { crc32c: payload.dataCrc32c.toString() } : undefined,
+        retrievedAt: new Date
+      };
+    } catch (error) {
+      throw toSecretProviderError({
+        error,
+        provider: this.id,
+        reference,
+        operation: "access"
+      });
+    }
+  }
+  async setSecret(reference, payload) {
+    const location = this.parseReference(reference);
+    const { secretName } = this.buildNames(location);
+    const data = normalizeSecretPayload(payload);
+    await this.ensureSecretExists(location, payload);
+    try {
+      const response = await this.client.addSecretVersion({
+        parent: secretName,
+        payload: {
+          data
+        }
+      });
+      if (!response) {
+        throw new SecretProviderError({
+          message: `No version returned when adding secret version for ${secretName}`,
+          provider: this.id,
+          reference,
+          code: "UNKNOWN"
+        });
+      }
+      const [version] = response;
+      const versionName = version?.name ?? `${secretName}/versions/latest`;
+      return {
+        reference: `gcp://${versionName}`,
+        version: extractVersionFromName(versionName) ?? "latest"
+      };
+    } catch (error) {
+      throw toSecretProviderError({
+        error,
+        provider: this.id,
+        reference,
+        operation: "addSecretVersion"
+      });
+    }
+  }
+  async rotateSecret(reference, payload) {
+    return this.setSecret(reference, payload);
+  }
+  async deleteSecret(reference) {
+    const location = this.parseReference(reference);
+    const { secretName } = this.buildNames(location);
+    try {
+      await this.client.deleteSecret({
+        name: secretName
+      });
+    } catch (error) {
+      throw toSecretProviderError({
+        error,
+        provider: this.id,
+        reference,
+        operation: "delete"
+      });
+    }
+  }
+  parseReference(reference) {
+    const parsed = parseSecretUri(reference);
+    if (parsed.provider !== "gcp") {
+      throw new SecretProviderError({
+        message: `Unsupported secret provider: ${parsed.provider}`,
+        provider: this.id,
+        reference,
+        code: "INVALID"
+      });
+    }
+    const segments = parsed.path.split("/").filter(Boolean);
+    if (segments.length < 4 || segments[0] !== "projects") {
+      throw new SecretProviderError({
+        message: `Expected secret reference format gcp://projects/{project}/secrets/{secret}[(/versions/{version})] but received "${parsed.path}"`,
+        provider: this.id,
+        reference,
+        code: "INVALID"
+      });
+    }
+    const projectIdCandidate = segments[1] ?? this.explicitProjectId;
+    if (!projectIdCandidate) {
+      throw new SecretProviderError({
+        message: `Unable to resolve project or secret from reference "${parsed.path}"`,
+        provider: this.id,
+        reference,
+        code: "INVALID"
+      });
+    }
+    const indexOfSecrets = segments.indexOf("secrets");
+    if (indexOfSecrets === -1 || indexOfSecrets + 1 >= segments.length) {
+      throw new SecretProviderError({
+        message: `Unable to resolve project or secret from reference "${parsed.path}"`,
+        provider: this.id,
+        reference,
+        code: "INVALID"
+      });
+    }
+    const resolvedProjectId = projectIdCandidate;
+    const secretIdCandidate = segments[indexOfSecrets + 1];
+    if (!secretIdCandidate) {
+      throw new SecretProviderError({
+        message: `Unable to resolve secret ID from reference "${parsed.path}"`,
+        provider: this.id,
+        reference,
+        code: "INVALID"
+      });
+    }
+    const secretId = secretIdCandidate;
+    const indexOfVersions = segments.indexOf("versions");
+    const version = parsed.extras?.version ?? (indexOfVersions !== -1 && indexOfVersions + 1 < segments.length ? segments[indexOfVersions + 1] : undefined);
+    return {
+      projectId: resolvedProjectId,
+      secretId,
+      version
+    };
+  }
+  buildNames(location) {
+    const projectId = location.projectId ?? this.explicitProjectId;
+    if (!projectId) {
+      throw new SecretProviderError({
+        message: "Project ID must be provided either in reference or provider configuration",
+        provider: this.id,
+        reference: `gcp://projects//secrets/${location.secretId}`,
+        code: "INVALID"
+      });
+    }
+    const projectParent = `projects/${projectId}`;
+    const secretName = `${projectParent}/secrets/${location.secretId}`;
+    return {
+      projectParent,
+      secretName
+    };
+  }
+  buildVersionName(location, explicitVersion) {
+    const { secretName } = this.buildNames(location);
+    const version = explicitVersion ?? location.version ?? "latest";
+    return `${secretName}/versions/${version}`;
+  }
+  async ensureSecretExists(location, payload) {
+    const { secretName, projectParent } = this.buildNames(location);
+    try {
+      await this.client.getSecret({ name: secretName });
+    } catch (error) {
+      const providerError = toSecretProviderError({
+        error,
+        provider: this.id,
+        reference: `gcp://${secretName}`,
+        operation: "getSecret",
+        suppressThrow: true
+      });
+      if (!providerError || providerError.code !== "NOT_FOUND") {
+        if (providerError) {
+          throw providerError;
+        }
+        throw error;
+      }
+      try {
+        await this.client.createSecret({
+          parent: projectParent,
+          secretId: location.secretId,
+          secret: {
+            replication: this.replication,
+            labels: payload.labels
+          }
+        });
+      } catch (creationError) {
+        const creationProviderError = toSecretProviderError({
+          error: creationError,
+          provider: this.id,
+          reference: `gcp://${secretName}`,
+          operation: "createSecret"
+        });
+        throw creationProviderError;
+      }
+    }
+  }
+}
 function extractVersionFromName(name) {
-	const segments = name.split("/").filter(Boolean);
-	const index = segments.indexOf("versions");
-	if (index === -1 || index + 1 >= segments.length) return;
-	return segments[index + 1];
+  const segments = name.split("/").filter(Boolean);
+  const index = segments.indexOf("versions");
+  if (index === -1 || index + 1 >= segments.length) {
+    return;
+  }
+  return segments[index + 1];
 }
 function toSecretProviderError(params) {
-	const { error, provider, reference, operation, suppressThrow } = params;
-	if (error instanceof SecretProviderError) return error;
-	const code = deriveErrorCode(error);
-	const providerError = new SecretProviderError({
-		message: error instanceof Error ? error.message : `Unknown error during ${operation}`,
-		provider,
-		reference,
-		code,
-		cause: error
-	});
-	if (suppressThrow) return providerError;
-	throw providerError;
+  const { error, provider, reference, operation, suppressThrow } = params;
+  if (error instanceof SecretProviderError) {
+    return error;
+  }
+  const code = deriveErrorCode(error);
+  const message = error instanceof Error ? error.message : `Unknown error during ${operation}`;
+  const providerError = new SecretProviderError({
+    message,
+    provider,
+    reference,
+    code,
+    cause: error
+  });
+  if (suppressThrow) {
+    return providerError;
+  }
+  throw providerError;
 }
 function deriveErrorCode(error) {
-	if (typeof error !== "object" || error === null) return "UNKNOWN";
-	const code = error.code;
-	if (code === 5 || code === "NOT_FOUND") return "NOT_FOUND";
-	if (code === 6 || code === "ALREADY_EXISTS") return "INVALID";
-	if (code === 7 || code === "PERMISSION_DENIED" || code === 403) return "FORBIDDEN";
-	if (code === 3 || code === "INVALID_ARGUMENT") return "INVALID";
-	return "UNKNOWN";
+  if (typeof error !== "object" || error === null) {
+    return "UNKNOWN";
+  }
+  const errorAny = error;
+  const code = errorAny.code;
+  if (code === 5 || code === "NOT_FOUND")
+    return "NOT_FOUND";
+  if (code === 6 || code === "ALREADY_EXISTS")
+    return "INVALID";
+  if (code === 7 || code === "PERMISSION_DENIED" || code === 403) {
+    return "FORBIDDEN";
+  }
+  if (code === 3 || code === "INVALID_ARGUMENT")
+    return "INVALID";
+  return "UNKNOWN";
 }
-
-//#endregion
-export { GcpSecretManagerProvider };
-//# sourceMappingURL=gcp-secret-manager.js.map
+export {
+  GcpSecretManagerProvider
+};

package/dist/secrets/index.d.ts

@@ -1,5 +1,5 @@
-import { ParsedSecretUri, SecretFetchOptions, SecretPayloadEncoding, SecretProvider, SecretProviderError, SecretReference, SecretRotationResult, SecretValue, SecretWritePayload, normalizeSecretPayload, parseSecretUri } from "./provider.js";
-import { GcpSecretManagerProvider } from "./gcp-secret-manager.js";
-import { EnvSecretProvider } from "./env-secret-provider.js";
-import { SecretProviderManager, SecretProviderManagerOptions } from "./manager.js";
-export { EnvSecretProvider, GcpSecretManagerProvider, ParsedSecretUri, SecretFetchOptions, SecretPayloadEncoding, SecretProvider, SecretProviderError, SecretProviderManager, SecretProviderManagerOptions, SecretReference, SecretRotationResult, SecretValue, SecretWritePayload, normalizeSecretPayload, parseSecretUri };
+export * from './provider';
+export * from './gcp-secret-manager';
+export * from './env-secret-provider';
+export * from './manager';
+//# sourceMappingURL=index.d.ts.map

package/dist/secrets/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/secrets/index.ts"],"names":[],"mappings":"AAAA,cAAc,YAAY,CAAC;AAC3B,cAAc,sBAAsB,CAAC;AACrC,cAAc,uBAAuB,CAAC;AACtC,cAAc,WAAW,CAAC"}