@contractspec/lib.contracts-integrations 2.0.0

package/dist/integrations/secrets/env-secret-provider.d.ts

@@ -0,0 +1,28 @@
+import type { SecretProvider, SecretReference, SecretRotationResult, SecretValue, SecretWritePayload } from './provider';
+interface EnvSecretProviderOptions {
+    /**
+     * Optional map to alias secret references to environment variable names.
+     * Useful when referencing secrets from other providers (e.g. gcp://...)
+     * while still allowing local overrides.
+     */
+    aliases?: Record<string, string>;
+}
+/**
+ * Environment-variable backed secret provider. Read-only by design.
+ * Allows overriding other secret providers by deriving environment variable
+ * names from secret references (or by using explicit aliases).
+ */
+export declare class EnvSecretProvider implements SecretProvider {
+    readonly id = "env";
+    private readonly aliases;
+    constructor(options?: EnvSecretProviderOptions);
+    canHandle(reference: SecretReference): boolean;
+    getSecret(reference: SecretReference): Promise<SecretValue>;
+    setSecret(reference: SecretReference, _payload: SecretWritePayload): Promise<SecretRotationResult>;
+    rotateSecret(reference: SecretReference, _payload: SecretWritePayload): Promise<SecretRotationResult>;
+    deleteSecret(reference: SecretReference): Promise<void>;
+    private resolveEnvKey;
+    private deriveEnvKey;
+    private forbiddenError;
+}
+export {};

package/dist/integrations/secrets/env-secret-provider.js

@@ -0,0 +1,159 @@
+// @bun
+// src/integrations/secrets/provider.ts
+import { Buffer as Buffer2 } from "buffer";
+
+class SecretProviderError extends Error {
+  provider;
+  reference;
+  code;
+  cause;
+  constructor(params) {
+    super(params.message);
+    this.name = "SecretProviderError";
+    this.provider = params.provider;
+    this.reference = params.reference;
+    this.code = params.code ?? "UNKNOWN";
+    this.cause = params.cause;
+  }
+}
+function parseSecretUri(reference) {
+  if (!reference) {
+    throw new SecretProviderError({
+      message: "Secret reference cannot be empty",
+      provider: "unknown",
+      reference,
+      code: "INVALID"
+    });
+  }
+  const [scheme, rest] = reference.split("://");
+  if (!scheme || !rest) {
+    throw new SecretProviderError({
+      message: `Invalid secret reference: ${reference}`,
+      provider: "unknown",
+      reference,
+      code: "INVALID"
+    });
+  }
+  const queryIndex = rest.indexOf("?");
+  if (queryIndex === -1) {
+    return {
+      provider: scheme,
+      path: rest
+    };
+  }
+  const path = rest.slice(0, queryIndex);
+  const query = rest.slice(queryIndex + 1);
+  const extras = Object.fromEntries(query.split("&").filter(Boolean).map((pair) => {
+    const [keyRaw, valueRaw] = pair.split("=");
+    const key = keyRaw ?? "";
+    const value = valueRaw ?? "";
+    return [decodeURIComponent(key), decodeURIComponent(value)];
+  }));
+  return {
+    provider: scheme,
+    path,
+    extras
+  };
+}
+function normalizeSecretPayload(payload) {
+  if (payload.data instanceof Uint8Array) {
+    return payload.data;
+  }
+  if (payload.encoding === "base64") {
+    return Buffer2.from(payload.data, "base64");
+  }
+  if (payload.encoding === "binary") {
+    return Buffer2.from(payload.data, "binary");
+  }
+  return Buffer2.from(payload.data, "utf-8");
+}
+
+// src/integrations/secrets/env-secret-provider.ts
+class EnvSecretProvider {
+  id = "env";
+  aliases;
+  constructor(options = {}) {
+    this.aliases = options.aliases ?? {};
+  }
+  canHandle(reference) {
+    const envKey = this.resolveEnvKey(reference);
+    return envKey !== undefined && process.env[envKey] !== undefined;
+  }
+  async getSecret(reference) {
+    const envKey = this.resolveEnvKey(reference);
+    if (!envKey) {
+      throw new SecretProviderError({
+        message: `Unable to resolve environment variable for reference "${reference}".`,
+        provider: this.id,
+        reference,
+        code: "INVALID"
+      });
+    }
+    const value = process.env[envKey];
+    if (value === undefined) {
+      throw new SecretProviderError({
+        message: `Environment variable "${envKey}" not found for reference "${reference}".`,
+        provider: this.id,
+        reference,
+        code: "NOT_FOUND"
+      });
+    }
+    return {
+      data: Buffer.from(value, "utf-8"),
+      version: "current",
+      metadata: {
+        source: "env",
+        envKey
+      },
+      retrievedAt: new Date
+    };
+  }
+  async setSecret(reference, _payload) {
+    throw this.forbiddenError("setSecret", reference);
+  }
+  async rotateSecret(reference, _payload) {
+    throw this.forbiddenError("rotateSecret", reference);
+  }
+  async deleteSecret(reference) {
+    throw this.forbiddenError("deleteSecret", reference);
+  }
+  resolveEnvKey(reference) {
+    if (!reference) {
+      return;
+    }
+    if (this.aliases[reference]) {
+      return this.aliases[reference];
+    }
+    if (!reference.includes("://")) {
+      return reference;
+    }
+    try {
+      const parsed = parseSecretUri(reference);
+      if (parsed.provider === "env") {
+        return parsed.path;
+      }
+      if (parsed.extras?.env) {
+        return parsed.extras.env;
+      }
+      return this.deriveEnvKey(parsed.path);
+    } catch {
+      return reference;
+    }
+  }
+  deriveEnvKey(path) {
+    if (!path)
+      return;
+    return path.split(/[\/:\-\.]/).filter(Boolean).map((segment) => segment.replace(/[^a-zA-Z0-9]/g, "_").replace(/_{2,}/g, "_").toUpperCase()).join("_");
+  }
+  forbiddenError(operation, reference) {
+    return new SecretProviderError({
+      message: `EnvSecretProvider is read-only. "${operation}" is not allowed for ${reference}.`,
+      provider: this.id,
+      reference,
+      code: "FORBIDDEN"
+    });
+  }
+}
+export {
+  EnvSecretProvider
+};

package/dist/integrations/secrets/gcp-secret-manager.d.ts

@@ -0,0 +1,29 @@
+import { protos, SecretManagerServiceClient } from '@google-cloud/secret-manager';
+import type { CallOptions } from 'google-gax';
+import type { SecretProvider, SecretReference, SecretRotationResult, SecretValue, SecretWritePayload } from './provider';
+type SecretManagerClient = SecretManagerServiceClient;
+interface GcpSecretManagerProviderOptions {
+    projectId?: string;
+    client?: SecretManagerClient;
+    clientOptions?: ConstructorParameters<typeof SecretManagerServiceClient>[0];
+    defaultReplication?: protos.google.cloud.secretmanager.v1.IReplication;
+}
+export declare class GcpSecretManagerProvider implements SecretProvider {
+    readonly id = "gcp-secret-manager";
+    private readonly client;
+    private readonly explicitProjectId?;
+    private readonly replication;
+    constructor(options?: GcpSecretManagerProviderOptions);
+    canHandle(reference: SecretReference): boolean;
+    getSecret(reference: SecretReference, options?: {
+        version?: string;
+    }, callOptions?: CallOptions): Promise<SecretValue>;
+    setSecret(reference: SecretReference, payload: SecretWritePayload): Promise<SecretRotationResult>;
+    rotateSecret(reference: SecretReference, payload: SecretWritePayload): Promise<SecretRotationResult>;
+    deleteSecret(reference: SecretReference): Promise<void>;
+    private parseReference;
+    private buildNames;
+    private buildVersionName;
+    private ensureSecretExists;
+}
+export {};

package/dist/integrations/secrets/gcp-secret-manager.js

@@ -0,0 +1,347 @@
+// @bun
+// src/integrations/secrets/provider.ts
+import { Buffer } from "buffer";
+
+class SecretProviderError extends Error {
+  provider;
+  reference;
+  code;
+  cause;
+  constructor(params) {
+    super(params.message);
+    this.name = "SecretProviderError";
+    this.provider = params.provider;
+    this.reference = params.reference;
+    this.code = params.code ?? "UNKNOWN";
+    this.cause = params.cause;
+  }
+}
+function parseSecretUri(reference) {
+  if (!reference) {
+    throw new SecretProviderError({
+      message: "Secret reference cannot be empty",
+      provider: "unknown",
+      reference,
+      code: "INVALID"
+    });
+  }
+  const [scheme, rest] = reference.split("://");
+  if (!scheme || !rest) {
+    throw new SecretProviderError({
+      message: `Invalid secret reference: ${reference}`,
+      provider: "unknown",
+      reference,
+      code: "INVALID"
+    });
+  }
+  const queryIndex = rest.indexOf("?");
+  if (queryIndex === -1) {
+    return {
+      provider: scheme,
+      path: rest
+    };
+  }
+  const path = rest.slice(0, queryIndex);
+  const query = rest.slice(queryIndex + 1);
+  const extras = Object.fromEntries(query.split("&").filter(Boolean).map((pair) => {
+    const [keyRaw, valueRaw] = pair.split("=");
+    const key = keyRaw ?? "";
+    const value = valueRaw ?? "";
+    return [decodeURIComponent(key), decodeURIComponent(value)];
+  }));
+  return {
+    provider: scheme,
+    path,
+    extras
+  };
+}
+function normalizeSecretPayload(payload) {
+  if (payload.data instanceof Uint8Array) {
+    return payload.data;
+  }
+  if (payload.encoding === "base64") {
+    return Buffer.from(payload.data, "base64");
+  }
+  if (payload.encoding === "binary") {
+    return Buffer.from(payload.data, "binary");
+  }
+  return Buffer.from(payload.data, "utf-8");
+}
+
+// src/integrations/secrets/gcp-secret-manager.ts
+import {
+  SecretManagerServiceClient
+} from "@google-cloud/secret-manager";
+var DEFAULT_REPLICATION = {
+  automatic: {}
+};
+
+class GcpSecretManagerProvider {
+  id = "gcp-secret-manager";
+  client;
+  explicitProjectId;
+  replication;
+  constructor(options = {}) {
+    this.client = options.client ?? new SecretManagerServiceClient(options.clientOptions ?? {});
+    this.explicitProjectId = options.projectId;
+    this.replication = options.defaultReplication ?? DEFAULT_REPLICATION;
+  }
+  canHandle(reference) {
+    try {
+      const parsed = parseSecretUri(reference);
+      return parsed.provider === "gcp";
+    } catch {
+      return false;
+    }
+  }
+  async getSecret(reference, options, callOptions) {
+    const location = this.parseReference(reference);
+    const secretVersionName = this.buildVersionName(location, options?.version);
+    try {
+      const response = await this.client.accessSecretVersion({
+        name: secretVersionName
+      }, callOptions ?? {});
+      const [result] = response;
+      const payload = result.payload;
+      if (!payload?.data) {
+        throw new SecretProviderError({
+          message: `Secret payload empty for ${secretVersionName}`,
+          provider: this.id,
+          reference,
+          code: "UNKNOWN"
+        });
+      }
+      const version = extractVersionFromName(result.name ?? secretVersionName);
+      return {
+        data: payload.data,
+        version,
+        metadata: payload.dataCrc32c ? { crc32c: payload.dataCrc32c.toString() } : undefined,
+        retrievedAt: new Date
+      };
+    } catch (error) {
+      throw toSecretProviderError({
+        error,
+        provider: this.id,
+        reference,
+        operation: "access"
+      });
+    }
+  }
+  async setSecret(reference, payload) {
+    const location = this.parseReference(reference);
+    const { secretName } = this.buildNames(location);
+    const data = normalizeSecretPayload(payload);
+    await this.ensureSecretExists(location, payload);
+    try {
+      const response = await this.client.addSecretVersion({
+        parent: secretName,
+        payload: {
+          data
+        }
+      });
+      if (!response) {
+        throw new SecretProviderError({
+          message: `No version returned when adding secret version for ${secretName}`,
+          provider: this.id,
+          reference,
+          code: "UNKNOWN"
+        });
+      }
+      const [version] = response;
+      const versionName = version?.name ?? `${secretName}/versions/latest`;
+      return {
+        reference: `gcp://${versionName}`,
+        version: extractVersionFromName(versionName) ?? "latest"
+      };
+    } catch (error) {
+      throw toSecretProviderError({
+        error,
+        provider: this.id,
+        reference,
+        operation: "addSecretVersion"
+      });
+    }
+  }
+  async rotateSecret(reference, payload) {
+    return this.setSecret(reference, payload);
+  }
+  async deleteSecret(reference) {
+    const location = this.parseReference(reference);
+    const { secretName } = this.buildNames(location);
+    try {
+      await this.client.deleteSecret({
+        name: secretName
+      });
+    } catch (error) {
+      throw toSecretProviderError({
+        error,
+        provider: this.id,
+        reference,
+        operation: "delete"
+      });
+    }
+  }
+  parseReference(reference) {
+    const parsed = parseSecretUri(reference);
+    if (parsed.provider !== "gcp") {
+      throw new SecretProviderError({
+        message: `Unsupported secret provider: ${parsed.provider}`,
+        provider: this.id,
+        reference,
+        code: "INVALID"
+      });
+    }
+    const segments = parsed.path.split("/").filter(Boolean);
+    if (segments.length < 4 || segments[0] !== "projects") {
+      throw new SecretProviderError({
+        message: `Expected secret reference format gcp://projects/{project}/secrets/{secret}[(/versions/{version})] but received "${parsed.path}"`,
+        provider: this.id,
+        reference,
+        code: "INVALID"
+      });
+    }
+    const projectIdCandidate = segments[1] ?? this.explicitProjectId;
+    if (!projectIdCandidate) {
+      throw new SecretProviderError({
+        message: `Unable to resolve project or secret from reference "${parsed.path}"`,
+        provider: this.id,
+        reference,
+        code: "INVALID"
+      });
+    }
+    const indexOfSecrets = segments.indexOf("secrets");
+    if (indexOfSecrets === -1 || indexOfSecrets + 1 >= segments.length) {
+      throw new SecretProviderError({
+        message: `Unable to resolve project or secret from reference "${parsed.path}"`,
+        provider: this.id,
+        reference,
+        code: "INVALID"
+      });
+    }
+    const resolvedProjectId = projectIdCandidate;
+    const secretIdCandidate = segments[indexOfSecrets + 1];
+    if (!secretIdCandidate) {
+      throw new SecretProviderError({
+        message: `Unable to resolve secret ID from reference "${parsed.path}"`,
+        provider: this.id,
+        reference,
+        code: "INVALID"
+      });
+    }
+    const secretId = secretIdCandidate;
+    const indexOfVersions = segments.indexOf("versions");
+    const version = parsed.extras?.version ?? (indexOfVersions !== -1 && indexOfVersions + 1 < segments.length ? segments[indexOfVersions + 1] : undefined);
+    return {
+      projectId: resolvedProjectId,
+      secretId,
+      version
+    };
+  }
+  buildNames(location) {
+    const projectId = location.projectId ?? this.explicitProjectId;
+    if (!projectId) {
+      throw new SecretProviderError({
+        message: "Project ID must be provided either in reference or provider configuration",
+        provider: this.id,
+        reference: `gcp://projects//secrets/${location.secretId}`,
+        code: "INVALID"
+      });
+    }
+    const projectParent = `projects/${projectId}`;
+    const secretName = `${projectParent}/secrets/${location.secretId}`;
+    return {
+      projectParent,
+      secretName
+    };
+  }
+  buildVersionName(location, explicitVersion) {
+    const { secretName } = this.buildNames(location);
+    const version = explicitVersion ?? location.version ?? "latest";
+    return `${secretName}/versions/${version}`;
+  }
+  async ensureSecretExists(location, payload) {
+    const { secretName, projectParent } = this.buildNames(location);
+    try {
+      await this.client.getSecret({ name: secretName });
+    } catch (error) {
+      const providerError = toSecretProviderError({
+        error,
+        provider: this.id,
+        reference: `gcp://${secretName}`,
+        operation: "getSecret",
+        suppressThrow: true
+      });
+      if (!providerError || providerError.code !== "NOT_FOUND") {
+        if (providerError) {
+          throw providerError;
+        }
+        throw error;
+      }
+      try {
+        await this.client.createSecret({
+          parent: projectParent,
+          secretId: location.secretId,
+          secret: {
+            replication: this.replication,
+            labels: payload.labels
+          }
+        });
+      } catch (creationError) {
+        const creationProviderError = toSecretProviderError({
+          error: creationError,
+          provider: this.id,
+          reference: `gcp://${secretName}`,
+          operation: "createSecret"
+        });
+        throw creationProviderError;
+      }
+    }
+  }
+}
+function extractVersionFromName(name) {
+  const segments = name.split("/").filter(Boolean);
+  const index = segments.indexOf("versions");
+  if (index === -1 || index + 1 >= segments.length) {
+    return;
+  }
+  return segments[index + 1];
+}
+function toSecretProviderError(params) {
+  const { error, provider, reference, operation, suppressThrow } = params;
+  if (error instanceof SecretProviderError) {
+    return error;
+  }
+  const code = deriveErrorCode(error);
+  const message = error instanceof Error ? error.message : `Unknown error during ${operation}`;
+  const providerError = new SecretProviderError({
+    message,
+    provider,
+    reference,
+    code,
+    cause: error
+  });
+  if (suppressThrow) {
+    return providerError;
+  }
+  throw providerError;
+}
+function deriveErrorCode(error) {
+  if (typeof error !== "object" || error === null) {
+    return "UNKNOWN";
+  }
+  const errorAny = error;
+  const code = errorAny.code;
+  if (code === 5 || code === "NOT_FOUND")
+    return "NOT_FOUND";
+  if (code === 6 || code === "ALREADY_EXISTS")
+    return "INVALID";
+  if (code === 7 || code === "PERMISSION_DENIED" || code === 403) {
+    return "FORBIDDEN";
+  }
+  if (code === 3 || code === "INVALID_ARGUMENT")
+    return "INVALID";
+  return "UNKNOWN";
+}
+export {
+  GcpSecretManagerProvider
+};

package/dist/integrations/secrets/index.d.ts

@@ -0,0 +1,6 @@
+export * from './provider';
+export * from './gcp-secret-manager';
+export * from './aws-secret-manager';
+export * from './scaleway-secret-manager';
+export * from './env-secret-provider';
+export * from './manager';