@contractspec/lib.contracts-integrations 2.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +3 -0
- package/dist/index.d.ts +11 -0
- package/dist/index.js +3676 -0
- package/dist/integrations/binding.d.ts +14 -0
- package/dist/integrations/binding.js +1 -0
- package/dist/integrations/connection.d.ts +47 -0
- package/dist/integrations/connection.js +1 -0
- package/dist/integrations/docs/integrations.docblock.d.ts +2 -0
- package/dist/integrations/docs/integrations.docblock.js +110 -0
- package/dist/integrations/health.d.ts +17 -0
- package/dist/integrations/health.js +73 -0
- package/dist/integrations/health.test.d.ts +1 -0
- package/dist/integrations/index.d.ts +11 -0
- package/dist/integrations/index.js +3264 -0
- package/dist/integrations/integrations.capability.d.ts +1 -0
- package/dist/integrations/integrations.capability.js +18 -0
- package/dist/integrations/integrations.feature.d.ts +5 -0
- package/dist/integrations/integrations.feature.js +33 -0
- package/dist/integrations/meeting-recorder/contracts/index.d.ts +7 -0
- package/dist/integrations/meeting-recorder/contracts/index.js +474 -0
- package/dist/integrations/meeting-recorder/contracts/meetings.d.ts +451 -0
- package/dist/integrations/meeting-recorder/contracts/meetings.js +219 -0
- package/dist/integrations/meeting-recorder/contracts/transcripts.d.ts +166 -0
- package/dist/integrations/meeting-recorder/contracts/transcripts.js +287 -0
- package/dist/integrations/meeting-recorder/contracts/webhooks.d.ts +85 -0
- package/dist/integrations/meeting-recorder/contracts/webhooks.js +172 -0
- package/dist/integrations/meeting-recorder/meeting-recorder.capability.d.ts +1 -0
- package/dist/integrations/meeting-recorder/meeting-recorder.capability.js +18 -0
- package/dist/integrations/meeting-recorder/meeting-recorder.feature.d.ts +5 -0
- package/dist/integrations/meeting-recorder/meeting-recorder.feature.js +33 -0
- package/dist/integrations/meeting-recorder/models.d.ts +402 -0
- package/dist/integrations/meeting-recorder/models.js +122 -0
- package/dist/integrations/meeting-recorder/telemetry.d.ts +13 -0
- package/dist/integrations/meeting-recorder/telemetry.js +54 -0
- package/dist/integrations/openbanking/contracts/accounts.d.ts +282 -0
- package/dist/integrations/openbanking/contracts/accounts.js +328 -0
- package/dist/integrations/openbanking/contracts/balances.d.ts +158 -0
- package/dist/integrations/openbanking/contracts/balances.js +292 -0
- package/dist/integrations/openbanking/contracts/index.d.ts +7 -0
- package/dist/integrations/openbanking/contracts/index.js +644 -0
- package/dist/integrations/openbanking/contracts/transactions.d.ts +206 -0
- package/dist/integrations/openbanking/contracts/transactions.js +298 -0
- package/dist/integrations/openbanking/guards.d.ts +8 -0
- package/dist/integrations/openbanking/guards.js +42 -0
- package/dist/integrations/openbanking/guards.test.d.ts +1 -0
- package/dist/integrations/openbanking/models.d.ts +223 -0
- package/dist/integrations/openbanking/models.js +110 -0
- package/dist/integrations/openbanking/openbanking.capability.d.ts +1 -0
- package/dist/integrations/openbanking/openbanking.capability.js +18 -0
- package/dist/integrations/openbanking/openbanking.feature.d.ts +5 -0
- package/dist/integrations/openbanking/openbanking.feature.js +35 -0
- package/dist/integrations/openbanking/telemetry.d.ts +12 -0
- package/dist/integrations/openbanking/telemetry.js +51 -0
- package/dist/integrations/operations.d.ts +430 -0
- package/dist/integrations/operations.js +297 -0
- package/dist/integrations/operations.test.d.ts +1 -0
- package/dist/integrations/providers/analytics-reader.d.ts +103 -0
- package/dist/integrations/providers/analytics-reader.js +1 -0
- package/dist/integrations/providers/analytics-writer.d.ts +6 -0
- package/dist/integrations/providers/analytics-writer.js +1 -0
- package/dist/integrations/providers/analytics.d.ts +47 -0
- package/dist/integrations/providers/analytics.js +1 -0
- package/dist/integrations/providers/calendar.d.ts +75 -0
- package/dist/integrations/providers/calendar.js +1 -0
- package/dist/integrations/providers/database.d.ts +12 -0
- package/dist/integrations/providers/database.js +1 -0
- package/dist/integrations/providers/elevenlabs.d.ts +3 -0
- package/dist/integrations/providers/elevenlabs.js +86 -0
- package/dist/integrations/providers/email.d.ts +83 -0
- package/dist/integrations/providers/email.js +1 -0
- package/dist/integrations/providers/embedding.d.ts +21 -0
- package/dist/integrations/providers/embedding.js +1 -0
- package/dist/integrations/providers/fal.d.ts +3 -0
- package/dist/integrations/providers/fal.js +112 -0
- package/dist/integrations/providers/fathom.d.ts +3 -0
- package/dist/integrations/providers/fathom.js +126 -0
- package/dist/integrations/providers/fireflies.d.ts +3 -0
- package/dist/integrations/providers/fireflies.js +106 -0
- package/dist/integrations/providers/gcs-storage.d.ts +3 -0
- package/dist/integrations/providers/gcs-storage.js +97 -0
- package/dist/integrations/providers/gmail.d.ts +3 -0
- package/dist/integrations/providers/gmail.js +109 -0
- package/dist/integrations/providers/google-calendar.d.ts +3 -0
- package/dist/integrations/providers/google-calendar.js +92 -0
- package/dist/integrations/providers/gradium.d.ts +3 -0
- package/dist/integrations/providers/gradium.js +110 -0
- package/dist/integrations/providers/granola.d.ts +3 -0
- package/dist/integrations/providers/granola.js +107 -0
- package/dist/integrations/providers/index.d.ts +38 -0
- package/dist/integrations/providers/index.js +2094 -0
- package/dist/integrations/providers/jira.d.ts +3 -0
- package/dist/integrations/providers/jira.js +108 -0
- package/dist/integrations/providers/linear.d.ts +3 -0
- package/dist/integrations/providers/linear.js +107 -0
- package/dist/integrations/providers/llm.d.ts +79 -0
- package/dist/integrations/providers/llm.js +1 -0
- package/dist/integrations/providers/meeting-recorder.d.ts +129 -0
- package/dist/integrations/providers/meeting-recorder.js +1 -0
- package/dist/integrations/providers/mistral.d.ts +3 -0
- package/dist/integrations/providers/mistral.js +94 -0
- package/dist/integrations/providers/notion.d.ts +3 -0
- package/dist/integrations/providers/notion.js +113 -0
- package/dist/integrations/providers/openbanking.d.ts +125 -0
- package/dist/integrations/providers/openbanking.js +1 -0
- package/dist/integrations/providers/payments.d.ts +106 -0
- package/dist/integrations/providers/payments.js +1 -0
- package/dist/integrations/providers/posthog-llm-telemetry.d.ts +51 -0
- package/dist/integrations/providers/posthog-llm-telemetry.js +176 -0
- package/dist/integrations/providers/posthog.d.ts +3 -0
- package/dist/integrations/providers/posthog.js +106 -0
- package/dist/integrations/providers/postmark.d.ts +3 -0
- package/dist/integrations/providers/postmark.js +98 -0
- package/dist/integrations/providers/powens.d.ts +3 -0
- package/dist/integrations/providers/powens.js +124 -0
- package/dist/integrations/providers/project-management.d.ts +32 -0
- package/dist/integrations/providers/project-management.js +1 -0
- package/dist/integrations/providers/providers.test.d.ts +1 -0
- package/dist/integrations/providers/qdrant.d.ts +3 -0
- package/dist/integrations/providers/qdrant.js +101 -0
- package/dist/integrations/providers/registry.d.ts +6 -0
- package/dist/integrations/providers/registry.js +1878 -0
- package/dist/integrations/providers/sms.d.ts +31 -0
- package/dist/integrations/providers/sms.js +1 -0
- package/dist/integrations/providers/storage.d.ts +57 -0
- package/dist/integrations/providers/storage.js +1 -0
- package/dist/integrations/providers/stripe.d.ts +3 -0
- package/dist/integrations/providers/stripe.js +105 -0
- package/dist/integrations/providers/supabase-postgres.d.ts +3 -0
- package/dist/integrations/providers/supabase-postgres.js +87 -0
- package/dist/integrations/providers/supabase-vector.d.ts +3 -0
- package/dist/integrations/providers/supabase-vector.js +107 -0
- package/dist/integrations/providers/tldv.d.ts +3 -0
- package/dist/integrations/providers/tldv.js +106 -0
- package/dist/integrations/providers/twilio-sms.d.ts +3 -0
- package/dist/integrations/providers/twilio-sms.js +91 -0
- package/dist/integrations/providers/vector-store.d.ts +39 -0
- package/dist/integrations/providers/vector-store.js +1 -0
- package/dist/integrations/providers/voice.d.ts +31 -0
- package/dist/integrations/providers/voice.js +1 -0
- package/dist/integrations/runtime.d.ts +95 -0
- package/dist/integrations/runtime.js +209 -0
- package/dist/integrations/runtime.test.d.ts +1 -0
- package/dist/integrations/secrets/aws-secret-manager.d.ts +28 -0
- package/dist/integrations/secrets/aws-secret-manager.js +346 -0
- package/dist/integrations/secrets/env-secret-provider.d.ts +28 -0
- package/dist/integrations/secrets/env-secret-provider.js +159 -0
- package/dist/integrations/secrets/gcp-secret-manager.d.ts +29 -0
- package/dist/integrations/secrets/gcp-secret-manager.js +347 -0
- package/dist/integrations/secrets/index.d.ts +6 -0
- package/dist/integrations/secrets/index.js +1129 -0
- package/dist/integrations/secrets/manager.d.ts +44 -0
- package/dist/integrations/secrets/manager.js +183 -0
- package/dist/integrations/secrets/provider.d.ts +49 -0
- package/dist/integrations/secrets/provider.js +74 -0
- package/dist/integrations/secrets/provider.test.d.ts +1 -0
- package/dist/integrations/secrets/scaleway-secret-manager.d.ts +35 -0
- package/dist/integrations/secrets/scaleway-secret-manager.js +375 -0
- package/dist/integrations/secrets-types.d.ts +14 -0
- package/dist/integrations/secrets-types.js +1 -0
- package/dist/integrations/spec.d.ts +72 -0
- package/dist/integrations/spec.js +22 -0
- package/dist/integrations/spec.test.d.ts +1 -0
- package/dist/node/index.js +3675 -0
- package/dist/node/integrations/binding.js +0 -0
- package/dist/node/integrations/connection.js +0 -0
- package/dist/node/integrations/docs/integrations.docblock.js +109 -0
- package/dist/node/integrations/health.js +72 -0
- package/dist/node/integrations/index.js +3263 -0
- package/dist/node/integrations/integrations.capability.js +17 -0
- package/dist/node/integrations/integrations.feature.js +32 -0
- package/dist/node/integrations/meeting-recorder/contracts/index.js +473 -0
- package/dist/node/integrations/meeting-recorder/contracts/meetings.js +218 -0
- package/dist/node/integrations/meeting-recorder/contracts/transcripts.js +286 -0
- package/dist/node/integrations/meeting-recorder/contracts/webhooks.js +171 -0
- package/dist/node/integrations/meeting-recorder/meeting-recorder.capability.js +17 -0
- package/dist/node/integrations/meeting-recorder/meeting-recorder.feature.js +32 -0
- package/dist/node/integrations/meeting-recorder/models.js +121 -0
- package/dist/node/integrations/meeting-recorder/telemetry.js +53 -0
- package/dist/node/integrations/openbanking/contracts/accounts.js +327 -0
- package/dist/node/integrations/openbanking/contracts/balances.js +291 -0
- package/dist/node/integrations/openbanking/contracts/index.js +643 -0
- package/dist/node/integrations/openbanking/contracts/transactions.js +297 -0
- package/dist/node/integrations/openbanking/guards.js +41 -0
- package/dist/node/integrations/openbanking/models.js +109 -0
- package/dist/node/integrations/openbanking/openbanking.capability.js +17 -0
- package/dist/node/integrations/openbanking/openbanking.feature.js +34 -0
- package/dist/node/integrations/openbanking/telemetry.js +50 -0
- package/dist/node/integrations/operations.js +296 -0
- package/dist/node/integrations/providers/analytics-reader.js +0 -0
- package/dist/node/integrations/providers/analytics-writer.js +0 -0
- package/dist/node/integrations/providers/analytics.js +0 -0
- package/dist/node/integrations/providers/calendar.js +0 -0
- package/dist/node/integrations/providers/database.js +0 -0
- package/dist/node/integrations/providers/elevenlabs.js +85 -0
- package/dist/node/integrations/providers/email.js +0 -0
- package/dist/node/integrations/providers/embedding.js +0 -0
- package/dist/node/integrations/providers/fal.js +111 -0
- package/dist/node/integrations/providers/fathom.js +125 -0
- package/dist/node/integrations/providers/fireflies.js +105 -0
- package/dist/node/integrations/providers/gcs-storage.js +96 -0
- package/dist/node/integrations/providers/gmail.js +108 -0
- package/dist/node/integrations/providers/google-calendar.js +91 -0
- package/dist/node/integrations/providers/gradium.js +109 -0
- package/dist/node/integrations/providers/granola.js +106 -0
- package/dist/node/integrations/providers/index.js +2093 -0
- package/dist/node/integrations/providers/jira.js +107 -0
- package/dist/node/integrations/providers/linear.js +106 -0
- package/dist/node/integrations/providers/llm.js +0 -0
- package/dist/node/integrations/providers/meeting-recorder.js +0 -0
- package/dist/node/integrations/providers/mistral.js +93 -0
- package/dist/node/integrations/providers/notion.js +112 -0
- package/dist/node/integrations/providers/openbanking.js +0 -0
- package/dist/node/integrations/providers/payments.js +0 -0
- package/dist/node/integrations/providers/posthog-llm-telemetry.js +175 -0
- package/dist/node/integrations/providers/posthog.js +105 -0
- package/dist/node/integrations/providers/postmark.js +97 -0
- package/dist/node/integrations/providers/powens.js +123 -0
- package/dist/node/integrations/providers/project-management.js +0 -0
- package/dist/node/integrations/providers/qdrant.js +100 -0
- package/dist/node/integrations/providers/registry.js +1877 -0
- package/dist/node/integrations/providers/sms.js +0 -0
- package/dist/node/integrations/providers/storage.js +0 -0
- package/dist/node/integrations/providers/stripe.js +104 -0
- package/dist/node/integrations/providers/supabase-postgres.js +86 -0
- package/dist/node/integrations/providers/supabase-vector.js +106 -0
- package/dist/node/integrations/providers/tldv.js +105 -0
- package/dist/node/integrations/providers/twilio-sms.js +90 -0
- package/dist/node/integrations/providers/vector-store.js +0 -0
- package/dist/node/integrations/providers/voice.js +0 -0
- package/dist/node/integrations/runtime.js +208 -0
- package/dist/node/integrations/secrets/aws-secret-manager.js +345 -0
- package/dist/node/integrations/secrets/env-secret-provider.js +158 -0
- package/dist/node/integrations/secrets/gcp-secret-manager.js +346 -0
- package/dist/node/integrations/secrets/index.js +1128 -0
- package/dist/node/integrations/secrets/manager.js +182 -0
- package/dist/node/integrations/secrets/provider.js +73 -0
- package/dist/node/integrations/secrets/scaleway-secret-manager.js +374 -0
- package/dist/node/integrations/secrets-types.js +0 -0
- package/dist/node/integrations/spec.js +21 -0
- package/package.json +1029 -0
|
@@ -0,0 +1,208 @@
|
|
|
1
|
+
// src/integrations/runtime.ts
|
|
2
|
+
import { performance } from "node:perf_hooks";
|
|
3
|
+
var DEFAULT_MAX_ATTEMPTS = 3;
|
|
4
|
+
var DEFAULT_BACKOFF_MS = 250;
|
|
5
|
+
|
|
6
|
+
class IntegrationCallGuard {
|
|
7
|
+
secretProvider;
|
|
8
|
+
telemetry;
|
|
9
|
+
maxAttempts;
|
|
10
|
+
backoffMs;
|
|
11
|
+
shouldRetry;
|
|
12
|
+
sleep;
|
|
13
|
+
now;
|
|
14
|
+
constructor(secretProvider, options = {}) {
|
|
15
|
+
this.secretProvider = secretProvider;
|
|
16
|
+
this.telemetry = options.telemetry;
|
|
17
|
+
this.maxAttempts = Math.max(1, options.maxAttempts ?? DEFAULT_MAX_ATTEMPTS);
|
|
18
|
+
this.backoffMs = options.backoffMs ?? DEFAULT_BACKOFF_MS;
|
|
19
|
+
this.shouldRetry = options.shouldRetry ?? ((error) => typeof error === "object" && error !== null && ("retryable" in error) && Boolean(error.retryable));
|
|
20
|
+
this.sleep = options.sleep ?? ((ms) => ms <= 0 ? Promise.resolve() : new Promise((resolve) => setTimeout(resolve, ms)));
|
|
21
|
+
this.now = options.now ?? (() => new Date);
|
|
22
|
+
}
|
|
23
|
+
async executeWithGuards(slotId, operation, _input, resolvedConfig, executor) {
|
|
24
|
+
const integration = this.findIntegration(slotId, resolvedConfig);
|
|
25
|
+
if (!integration) {
|
|
26
|
+
return this.failure({
|
|
27
|
+
tenantId: resolvedConfig.tenantId,
|
|
28
|
+
appId: resolvedConfig.appId,
|
|
29
|
+
environment: resolvedConfig.environment,
|
|
30
|
+
blueprintName: resolvedConfig.blueprintName,
|
|
31
|
+
blueprintVersion: resolvedConfig.blueprintVersion,
|
|
32
|
+
configVersion: resolvedConfig.configVersion,
|
|
33
|
+
slotId,
|
|
34
|
+
operation
|
|
35
|
+
}, undefined, {
|
|
36
|
+
code: "SLOT_NOT_BOUND",
|
|
37
|
+
message: `Integration slot "${slotId}" is not bound for tenant "${resolvedConfig.tenantId}".`,
|
|
38
|
+
retryable: false
|
|
39
|
+
}, 0);
|
|
40
|
+
}
|
|
41
|
+
const status = integration.connection.status;
|
|
42
|
+
if (status === "disconnected" || status === "error") {
|
|
43
|
+
return this.failure(this.makeContext(slotId, operation, resolvedConfig), integration, {
|
|
44
|
+
code: "CONNECTION_NOT_READY",
|
|
45
|
+
message: `Integration connection "${integration.connection.meta.label}" is in status "${status}".`,
|
|
46
|
+
retryable: false
|
|
47
|
+
}, 0);
|
|
48
|
+
}
|
|
49
|
+
const secrets = await this.fetchSecrets(integration.connection);
|
|
50
|
+
let attempt = 0;
|
|
51
|
+
const started = performance.now();
|
|
52
|
+
while (attempt < this.maxAttempts) {
|
|
53
|
+
attempt += 1;
|
|
54
|
+
try {
|
|
55
|
+
const data = await executor(integration.connection, secrets);
|
|
56
|
+
const duration = performance.now() - started;
|
|
57
|
+
this.emitTelemetry(this.makeContext(slotId, operation, resolvedConfig), integration, "success", duration);
|
|
58
|
+
return {
|
|
59
|
+
success: true,
|
|
60
|
+
data,
|
|
61
|
+
metadata: {
|
|
62
|
+
latencyMs: duration,
|
|
63
|
+
connectionId: integration.connection.meta.id,
|
|
64
|
+
ownershipMode: integration.connection.ownershipMode,
|
|
65
|
+
attempts: attempt
|
|
66
|
+
}
|
|
67
|
+
};
|
|
68
|
+
} catch (error) {
|
|
69
|
+
const duration = performance.now() - started;
|
|
70
|
+
this.emitTelemetry(this.makeContext(slotId, operation, resolvedConfig), integration, "error", duration, this.errorCodeFor(error), error instanceof Error ? error.message : String(error));
|
|
71
|
+
const retryable = this.shouldRetry(error, attempt);
|
|
72
|
+
if (!retryable || attempt >= this.maxAttempts) {
|
|
73
|
+
return {
|
|
74
|
+
success: false,
|
|
75
|
+
error: {
|
|
76
|
+
code: this.errorCodeFor(error),
|
|
77
|
+
message: error instanceof Error ? error.message : String(error),
|
|
78
|
+
retryable,
|
|
79
|
+
cause: error
|
|
80
|
+
},
|
|
81
|
+
metadata: {
|
|
82
|
+
latencyMs: duration,
|
|
83
|
+
connectionId: integration.connection.meta.id,
|
|
84
|
+
ownershipMode: integration.connection.ownershipMode,
|
|
85
|
+
attempts: attempt
|
|
86
|
+
}
|
|
87
|
+
};
|
|
88
|
+
}
|
|
89
|
+
await this.sleep(this.backoffMs);
|
|
90
|
+
}
|
|
91
|
+
}
|
|
92
|
+
return {
|
|
93
|
+
success: false,
|
|
94
|
+
error: {
|
|
95
|
+
code: "UNKNOWN_ERROR",
|
|
96
|
+
message: "Integration call failed after retries.",
|
|
97
|
+
retryable: false
|
|
98
|
+
},
|
|
99
|
+
metadata: {
|
|
100
|
+
latencyMs: performance.now() - started,
|
|
101
|
+
connectionId: integration.connection.meta.id,
|
|
102
|
+
ownershipMode: integration.connection.ownershipMode,
|
|
103
|
+
attempts: this.maxAttempts
|
|
104
|
+
}
|
|
105
|
+
};
|
|
106
|
+
}
|
|
107
|
+
findIntegration(slotId, config) {
|
|
108
|
+
return config.integrations.find((integration) => integration.slot.slotId === slotId);
|
|
109
|
+
}
|
|
110
|
+
async fetchSecrets(connection) {
|
|
111
|
+
if (!this.secretProvider.canHandle(connection.secretRef)) {
|
|
112
|
+
throw new Error(`Secret provider "${this.secretProvider.id}" cannot handle reference "${connection.secretRef}".`);
|
|
113
|
+
}
|
|
114
|
+
const secret = await this.secretProvider.getSecret(connection.secretRef);
|
|
115
|
+
return this.parseSecret(secret);
|
|
116
|
+
}
|
|
117
|
+
parseSecret(secret) {
|
|
118
|
+
const text = new TextDecoder().decode(secret.data);
|
|
119
|
+
try {
|
|
120
|
+
const parsed = JSON.parse(text);
|
|
121
|
+
if (parsed && typeof parsed === "object" && !Array.isArray(parsed)) {
|
|
122
|
+
const entries = Object.entries(parsed).filter(([, value]) => typeof value === "string" || typeof value === "number" || typeof value === "boolean");
|
|
123
|
+
return Object.fromEntries(entries.map(([key, value]) => [key, String(value)]));
|
|
124
|
+
}
|
|
125
|
+
} catch {}
|
|
126
|
+
return { secret: text };
|
|
127
|
+
}
|
|
128
|
+
emitTelemetry(context, integration, status, durationMs, errorCode, errorMessage) {
|
|
129
|
+
if (!this.telemetry || !integration)
|
|
130
|
+
return;
|
|
131
|
+
this.telemetry.record({
|
|
132
|
+
tenantId: context.tenantId,
|
|
133
|
+
appId: context.appId,
|
|
134
|
+
environment: context.environment,
|
|
135
|
+
slotId: context.slotId,
|
|
136
|
+
integrationKey: integration.connection.meta.integrationKey,
|
|
137
|
+
integrationVersion: integration.connection.meta.integrationVersion,
|
|
138
|
+
connectionId: integration.connection.meta.id,
|
|
139
|
+
status,
|
|
140
|
+
durationMs,
|
|
141
|
+
errorCode,
|
|
142
|
+
errorMessage,
|
|
143
|
+
occurredAt: this.now(),
|
|
144
|
+
metadata: {
|
|
145
|
+
blueprint: `${context.blueprintName}.v${context.blueprintVersion}`,
|
|
146
|
+
configVersion: context.configVersion,
|
|
147
|
+
operation: context.operation
|
|
148
|
+
}
|
|
149
|
+
});
|
|
150
|
+
}
|
|
151
|
+
failure(context, integration, error, attempts) {
|
|
152
|
+
if (integration) {
|
|
153
|
+
this.emitTelemetry(context, integration, "error", 0, error.code, error.message);
|
|
154
|
+
}
|
|
155
|
+
return {
|
|
156
|
+
success: false,
|
|
157
|
+
error,
|
|
158
|
+
metadata: {
|
|
159
|
+
latencyMs: 0,
|
|
160
|
+
connectionId: integration?.connection.meta.id ?? "unknown",
|
|
161
|
+
ownershipMode: integration?.connection.ownershipMode ?? "managed",
|
|
162
|
+
attempts
|
|
163
|
+
}
|
|
164
|
+
};
|
|
165
|
+
}
|
|
166
|
+
makeContext(slotId, operation, config) {
|
|
167
|
+
return {
|
|
168
|
+
tenantId: config.tenantId,
|
|
169
|
+
appId: config.appId,
|
|
170
|
+
environment: config.environment,
|
|
171
|
+
blueprintName: config.blueprintName,
|
|
172
|
+
blueprintVersion: config.blueprintVersion,
|
|
173
|
+
configVersion: config.configVersion,
|
|
174
|
+
slotId,
|
|
175
|
+
operation
|
|
176
|
+
};
|
|
177
|
+
}
|
|
178
|
+
errorCodeFor(error) {
|
|
179
|
+
if (typeof error === "object" && error !== null && "code" in error && typeof error.code === "string") {
|
|
180
|
+
return error.code;
|
|
181
|
+
}
|
|
182
|
+
return "PROVIDER_ERROR";
|
|
183
|
+
}
|
|
184
|
+
}
|
|
185
|
+
function ensureConnectionReady(integration) {
|
|
186
|
+
const status = integration.connection.status;
|
|
187
|
+
if (status === "disconnected" || status === "error") {
|
|
188
|
+
throw new Error(`Integration connection "${integration.connection.meta.label}" is in status "${status}".`);
|
|
189
|
+
}
|
|
190
|
+
}
|
|
191
|
+
function connectionStatusLabel(status) {
|
|
192
|
+
switch (status) {
|
|
193
|
+
case "connected":
|
|
194
|
+
return "connected";
|
|
195
|
+
case "disconnected":
|
|
196
|
+
return "disconnected";
|
|
197
|
+
case "error":
|
|
198
|
+
return "error";
|
|
199
|
+
case "unknown":
|
|
200
|
+
default:
|
|
201
|
+
return "unknown";
|
|
202
|
+
}
|
|
203
|
+
}
|
|
204
|
+
export {
|
|
205
|
+
ensureConnectionReady,
|
|
206
|
+
connectionStatusLabel,
|
|
207
|
+
IntegrationCallGuard
|
|
208
|
+
};
|
|
@@ -0,0 +1,345 @@
|
|
|
1
|
+
// src/integrations/secrets/provider.ts
|
|
2
|
+
import { Buffer } from "node:buffer";
|
|
3
|
+
|
|
4
|
+
class SecretProviderError extends Error {
|
|
5
|
+
provider;
|
|
6
|
+
reference;
|
|
7
|
+
code;
|
|
8
|
+
cause;
|
|
9
|
+
constructor(params) {
|
|
10
|
+
super(params.message);
|
|
11
|
+
this.name = "SecretProviderError";
|
|
12
|
+
this.provider = params.provider;
|
|
13
|
+
this.reference = params.reference;
|
|
14
|
+
this.code = params.code ?? "UNKNOWN";
|
|
15
|
+
this.cause = params.cause;
|
|
16
|
+
}
|
|
17
|
+
}
|
|
18
|
+
function parseSecretUri(reference) {
|
|
19
|
+
if (!reference) {
|
|
20
|
+
throw new SecretProviderError({
|
|
21
|
+
message: "Secret reference cannot be empty",
|
|
22
|
+
provider: "unknown",
|
|
23
|
+
reference,
|
|
24
|
+
code: "INVALID"
|
|
25
|
+
});
|
|
26
|
+
}
|
|
27
|
+
const [scheme, rest] = reference.split("://");
|
|
28
|
+
if (!scheme || !rest) {
|
|
29
|
+
throw new SecretProviderError({
|
|
30
|
+
message: `Invalid secret reference: ${reference}`,
|
|
31
|
+
provider: "unknown",
|
|
32
|
+
reference,
|
|
33
|
+
code: "INVALID"
|
|
34
|
+
});
|
|
35
|
+
}
|
|
36
|
+
const queryIndex = rest.indexOf("?");
|
|
37
|
+
if (queryIndex === -1) {
|
|
38
|
+
return {
|
|
39
|
+
provider: scheme,
|
|
40
|
+
path: rest
|
|
41
|
+
};
|
|
42
|
+
}
|
|
43
|
+
const path = rest.slice(0, queryIndex);
|
|
44
|
+
const query = rest.slice(queryIndex + 1);
|
|
45
|
+
const extras = Object.fromEntries(query.split("&").filter(Boolean).map((pair) => {
|
|
46
|
+
const [keyRaw, valueRaw] = pair.split("=");
|
|
47
|
+
const key = keyRaw ?? "";
|
|
48
|
+
const value = valueRaw ?? "";
|
|
49
|
+
return [decodeURIComponent(key), decodeURIComponent(value)];
|
|
50
|
+
}));
|
|
51
|
+
return {
|
|
52
|
+
provider: scheme,
|
|
53
|
+
path,
|
|
54
|
+
extras
|
|
55
|
+
};
|
|
56
|
+
}
|
|
57
|
+
function normalizeSecretPayload(payload) {
|
|
58
|
+
if (payload.data instanceof Uint8Array) {
|
|
59
|
+
return payload.data;
|
|
60
|
+
}
|
|
61
|
+
if (payload.encoding === "base64") {
|
|
62
|
+
return Buffer.from(payload.data, "base64");
|
|
63
|
+
}
|
|
64
|
+
if (payload.encoding === "binary") {
|
|
65
|
+
return Buffer.from(payload.data, "binary");
|
|
66
|
+
}
|
|
67
|
+
return Buffer.from(payload.data, "utf-8");
|
|
68
|
+
}
|
|
69
|
+
|
|
70
|
+
// src/integrations/secrets/aws-secret-manager.ts
|
|
71
|
+
import { Buffer as Buffer2 } from "node:buffer";
|
|
72
|
+
import {
|
|
73
|
+
CreateSecretCommand,
|
|
74
|
+
DeleteSecretCommand,
|
|
75
|
+
GetSecretValueCommand,
|
|
76
|
+
PutSecretValueCommand,
|
|
77
|
+
SecretsManagerClient
|
|
78
|
+
} from "@aws-sdk/client-secrets-manager";
|
|
79
|
+
var DEFAULT_DELETE_RECOVERY_DAYS = 7;
|
|
80
|
+
|
|
81
|
+
class AwsSecretsManagerProvider {
|
|
82
|
+
id = "aws-secrets-manager";
|
|
83
|
+
explicitRegion;
|
|
84
|
+
injectedClient;
|
|
85
|
+
clientConfig;
|
|
86
|
+
clientsByRegion = new Map;
|
|
87
|
+
constructor(options = {}) {
|
|
88
|
+
this.explicitRegion = options.region;
|
|
89
|
+
this.injectedClient = options.client;
|
|
90
|
+
this.clientConfig = options.clientConfig;
|
|
91
|
+
}
|
|
92
|
+
canHandle(reference) {
|
|
93
|
+
try {
|
|
94
|
+
const parsed = parseSecretUri(reference);
|
|
95
|
+
return parsed.provider === "aws" && (parsed.path === "secretsmanager" || parsed.path.startsWith("secretsmanager/"));
|
|
96
|
+
} catch {
|
|
97
|
+
return false;
|
|
98
|
+
}
|
|
99
|
+
}
|
|
100
|
+
async getSecret(reference, options) {
|
|
101
|
+
const location = this.parseReference(reference);
|
|
102
|
+
const client = this.getClient(location.region);
|
|
103
|
+
const requestedVersion = options?.version ?? location.stage ?? location.version;
|
|
104
|
+
const input = {
|
|
105
|
+
SecretId: location.secretId,
|
|
106
|
+
...this.buildVersionSelector(requestedVersion)
|
|
107
|
+
};
|
|
108
|
+
try {
|
|
109
|
+
const result = await client.send(new GetSecretValueCommand(input));
|
|
110
|
+
const data = extractAwsSecretBytes(result, reference, this.id);
|
|
111
|
+
return {
|
|
112
|
+
data,
|
|
113
|
+
version: typeof result.VersionId === "string" && result.VersionId ? result.VersionId : requestedVersion,
|
|
114
|
+
metadata: {
|
|
115
|
+
region: location.region,
|
|
116
|
+
secretId: location.secretId,
|
|
117
|
+
...requestedVersion ? { requestedVersion } : {}
|
|
118
|
+
},
|
|
119
|
+
retrievedAt: new Date
|
|
120
|
+
};
|
|
121
|
+
} catch (error) {
|
|
122
|
+
throw toAwsSecretProviderError({
|
|
123
|
+
error,
|
|
124
|
+
provider: this.id,
|
|
125
|
+
reference,
|
|
126
|
+
operation: "getSecret"
|
|
127
|
+
});
|
|
128
|
+
}
|
|
129
|
+
}
|
|
130
|
+
async setSecret(reference, payload) {
|
|
131
|
+
const location = this.parseReference(reference);
|
|
132
|
+
const client = this.getClient(location.region);
|
|
133
|
+
const bytes = normalizeSecretPayload(payload);
|
|
134
|
+
try {
|
|
135
|
+
const result = await client.send(new PutSecretValueCommand({
|
|
136
|
+
SecretId: location.secretId,
|
|
137
|
+
SecretBinary: bytes
|
|
138
|
+
}));
|
|
139
|
+
const versionId = typeof result.VersionId === "string" && result.VersionId ? result.VersionId : "latest";
|
|
140
|
+
return {
|
|
141
|
+
reference: this.buildReference(location.region, location.secretId, {
|
|
142
|
+
version: versionId
|
|
143
|
+
}),
|
|
144
|
+
version: versionId
|
|
145
|
+
};
|
|
146
|
+
} catch (error) {
|
|
147
|
+
if (!isAwsNotFound(error)) {
|
|
148
|
+
throw toAwsSecretProviderError({
|
|
149
|
+
error,
|
|
150
|
+
provider: this.id,
|
|
151
|
+
reference,
|
|
152
|
+
operation: "putSecretValue"
|
|
153
|
+
});
|
|
154
|
+
}
|
|
155
|
+
if (looksLikeAwsArn(location.secretId)) {
|
|
156
|
+
throw new SecretProviderError({
|
|
157
|
+
message: `Secret not found: ${location.secretId}`,
|
|
158
|
+
provider: this.id,
|
|
159
|
+
reference,
|
|
160
|
+
code: "NOT_FOUND",
|
|
161
|
+
cause: error
|
|
162
|
+
});
|
|
163
|
+
}
|
|
164
|
+
try {
|
|
165
|
+
const created = await client.send(new CreateSecretCommand({
|
|
166
|
+
Name: location.secretId,
|
|
167
|
+
SecretBinary: bytes
|
|
168
|
+
}));
|
|
169
|
+
const versionId = typeof created.VersionId === "string" && created.VersionId ? created.VersionId : "latest";
|
|
170
|
+
return {
|
|
171
|
+
reference: this.buildReference(location.region, location.secretId, {
|
|
172
|
+
version: versionId
|
|
173
|
+
}),
|
|
174
|
+
version: versionId
|
|
175
|
+
};
|
|
176
|
+
} catch (creationError) {
|
|
177
|
+
throw toAwsSecretProviderError({
|
|
178
|
+
error: creationError,
|
|
179
|
+
provider: this.id,
|
|
180
|
+
reference,
|
|
181
|
+
operation: "createSecret"
|
|
182
|
+
});
|
|
183
|
+
}
|
|
184
|
+
}
|
|
185
|
+
}
|
|
186
|
+
async rotateSecret(reference, payload) {
|
|
187
|
+
return this.setSecret(reference, payload);
|
|
188
|
+
}
|
|
189
|
+
async deleteSecret(reference) {
|
|
190
|
+
const location = this.parseReference(reference);
|
|
191
|
+
const client = this.getClient(location.region);
|
|
192
|
+
try {
|
|
193
|
+
await client.send(new DeleteSecretCommand({
|
|
194
|
+
SecretId: location.secretId,
|
|
195
|
+
RecoveryWindowInDays: DEFAULT_DELETE_RECOVERY_DAYS
|
|
196
|
+
}));
|
|
197
|
+
} catch (error) {
|
|
198
|
+
throw toAwsSecretProviderError({
|
|
199
|
+
error,
|
|
200
|
+
provider: this.id,
|
|
201
|
+
reference,
|
|
202
|
+
operation: "deleteSecret"
|
|
203
|
+
});
|
|
204
|
+
}
|
|
205
|
+
}
|
|
206
|
+
getClient(region) {
|
|
207
|
+
if (this.injectedClient) {
|
|
208
|
+
return this.injectedClient;
|
|
209
|
+
}
|
|
210
|
+
const cached = this.clientsByRegion.get(region);
|
|
211
|
+
if (cached) {
|
|
212
|
+
return cached;
|
|
213
|
+
}
|
|
214
|
+
const client = new SecretsManagerClient({
|
|
215
|
+
...this.clientConfig ?? {},
|
|
216
|
+
region
|
|
217
|
+
});
|
|
218
|
+
this.clientsByRegion.set(region, client);
|
|
219
|
+
return client;
|
|
220
|
+
}
|
|
221
|
+
parseReference(reference) {
|
|
222
|
+
const parsed = parseSecretUri(reference);
|
|
223
|
+
if (parsed.provider !== "aws") {
|
|
224
|
+
throw new SecretProviderError({
|
|
225
|
+
message: `Unsupported secret provider: ${parsed.provider}`,
|
|
226
|
+
provider: this.id,
|
|
227
|
+
reference,
|
|
228
|
+
code: "INVALID"
|
|
229
|
+
});
|
|
230
|
+
}
|
|
231
|
+
const segments = parsed.path.split("/").filter(Boolean);
|
|
232
|
+
if (segments.length < 3 || segments[0] !== "secretsmanager") {
|
|
233
|
+
throw new SecretProviderError({
|
|
234
|
+
message: "Expected secret reference format aws://secretsmanager/{region}/{secretIdOrArn}[?version=...]",
|
|
235
|
+
provider: this.id,
|
|
236
|
+
reference,
|
|
237
|
+
code: "INVALID"
|
|
238
|
+
});
|
|
239
|
+
}
|
|
240
|
+
const regionCandidate = segments[1];
|
|
241
|
+
const region = this.resolveRegion(regionCandidate);
|
|
242
|
+
const secretId = segments.slice(2).join("/");
|
|
243
|
+
if (!secretId) {
|
|
244
|
+
throw new SecretProviderError({
|
|
245
|
+
message: `Unable to resolve secret id from reference "${parsed.path}"`,
|
|
246
|
+
provider: this.id,
|
|
247
|
+
reference,
|
|
248
|
+
code: "INVALID"
|
|
249
|
+
});
|
|
250
|
+
}
|
|
251
|
+
return {
|
|
252
|
+
region,
|
|
253
|
+
secretId,
|
|
254
|
+
version: parsed.extras?.version,
|
|
255
|
+
stage: parsed.extras?.stage
|
|
256
|
+
};
|
|
257
|
+
}
|
|
258
|
+
resolveRegion(regionCandidate) {
|
|
259
|
+
const region = regionCandidate ?? this.explicitRegion ?? process.env.AWS_REGION ?? process.env.AWS_DEFAULT_REGION;
|
|
260
|
+
if (!region) {
|
|
261
|
+
throw new SecretProviderError({
|
|
262
|
+
message: "AWS region must be provided either in reference (aws://secretsmanager/{region}/...) or via AWS_REGION/AWS_DEFAULT_REGION.",
|
|
263
|
+
provider: this.id,
|
|
264
|
+
reference: "aws://secretsmanager//",
|
|
265
|
+
code: "INVALID"
|
|
266
|
+
});
|
|
267
|
+
}
|
|
268
|
+
return region;
|
|
269
|
+
}
|
|
270
|
+
buildVersionSelector(version) {
|
|
271
|
+
if (!version)
|
|
272
|
+
return {};
|
|
273
|
+
if (version === "latest" || version === "current") {
|
|
274
|
+
return { VersionStage: "AWSCURRENT" };
|
|
275
|
+
}
|
|
276
|
+
if (version.startsWith("AWS")) {
|
|
277
|
+
return { VersionStage: version };
|
|
278
|
+
}
|
|
279
|
+
return { VersionId: version };
|
|
280
|
+
}
|
|
281
|
+
buildReference(region, secretId, extras) {
|
|
282
|
+
const base = `aws://secretsmanager/${region}/${secretId}`;
|
|
283
|
+
const query = extras ? Object.entries(extras).filter(([, value]) => Boolean(value)).map(([key, value]) => `${encodeURIComponent(key)}=${encodeURIComponent(value)}`).join("&") : "";
|
|
284
|
+
return query ? `${base}?${query}` : base;
|
|
285
|
+
}
|
|
286
|
+
}
|
|
287
|
+
function extractAwsSecretBytes(result, reference, provider) {
|
|
288
|
+
if (!result || typeof result !== "object") {
|
|
289
|
+
throw new SecretProviderError({
|
|
290
|
+
message: "Invalid AWS Secrets Manager response",
|
|
291
|
+
provider,
|
|
292
|
+
reference,
|
|
293
|
+
code: "UNKNOWN",
|
|
294
|
+
cause: result
|
|
295
|
+
});
|
|
296
|
+
}
|
|
297
|
+
const record = result;
|
|
298
|
+
if (record.SecretBinary instanceof Uint8Array) {
|
|
299
|
+
return record.SecretBinary;
|
|
300
|
+
}
|
|
301
|
+
if (typeof record.SecretBinary === "string") {
|
|
302
|
+
return Buffer2.from(record.SecretBinary, "base64");
|
|
303
|
+
}
|
|
304
|
+
if (typeof record.SecretString === "string") {
|
|
305
|
+
return Buffer2.from(record.SecretString, "utf-8");
|
|
306
|
+
}
|
|
307
|
+
throw new SecretProviderError({
|
|
308
|
+
message: "AWS secret value is empty",
|
|
309
|
+
provider,
|
|
310
|
+
reference,
|
|
311
|
+
code: "NOT_FOUND",
|
|
312
|
+
cause: result
|
|
313
|
+
});
|
|
314
|
+
}
|
|
315
|
+
function looksLikeAwsArn(secretId) {
|
|
316
|
+
return secretId.startsWith("arn:aws:secretsmanager:");
|
|
317
|
+
}
|
|
318
|
+
function isAwsNotFound(error) {
|
|
319
|
+
if (!error || typeof error !== "object")
|
|
320
|
+
return false;
|
|
321
|
+
const err = error;
|
|
322
|
+
if (typeof err.$metadata?.httpStatusCode === "number") {
|
|
323
|
+
return err.$metadata.httpStatusCode === 404;
|
|
324
|
+
}
|
|
325
|
+
return err.name === "ResourceNotFoundException";
|
|
326
|
+
}
|
|
327
|
+
function toAwsSecretProviderError(params) {
|
|
328
|
+
const { error, provider, reference, operation } = params;
|
|
329
|
+
if (error instanceof SecretProviderError) {
|
|
330
|
+
return error;
|
|
331
|
+
}
|
|
332
|
+
const httpStatusCode = typeof error === "object" && error !== null && "$metadata" in error && typeof error.$metadata === "object" && error.$metadata?.httpStatusCode;
|
|
333
|
+
const code = httpStatusCode === 404 ? "NOT_FOUND" : httpStatusCode === 401 || httpStatusCode === 403 ? "FORBIDDEN" : httpStatusCode === 400 ? "INVALID" : "UNKNOWN";
|
|
334
|
+
const message = error instanceof Error ? error.message : `Unknown error during ${operation}`;
|
|
335
|
+
return new SecretProviderError({
|
|
336
|
+
message,
|
|
337
|
+
provider,
|
|
338
|
+
reference,
|
|
339
|
+
code,
|
|
340
|
+
cause: error
|
|
341
|
+
});
|
|
342
|
+
}
|
|
343
|
+
export {
|
|
344
|
+
AwsSecretsManagerProvider
|
|
345
|
+
};
|
|
@@ -0,0 +1,158 @@
|
|
|
1
|
+
// src/integrations/secrets/provider.ts
|
|
2
|
+
import { Buffer as Buffer2 } from "node:buffer";
|
|
3
|
+
|
|
4
|
+
class SecretProviderError extends Error {
|
|
5
|
+
provider;
|
|
6
|
+
reference;
|
|
7
|
+
code;
|
|
8
|
+
cause;
|
|
9
|
+
constructor(params) {
|
|
10
|
+
super(params.message);
|
|
11
|
+
this.name = "SecretProviderError";
|
|
12
|
+
this.provider = params.provider;
|
|
13
|
+
this.reference = params.reference;
|
|
14
|
+
this.code = params.code ?? "UNKNOWN";
|
|
15
|
+
this.cause = params.cause;
|
|
16
|
+
}
|
|
17
|
+
}
|
|
18
|
+
function parseSecretUri(reference) {
|
|
19
|
+
if (!reference) {
|
|
20
|
+
throw new SecretProviderError({
|
|
21
|
+
message: "Secret reference cannot be empty",
|
|
22
|
+
provider: "unknown",
|
|
23
|
+
reference,
|
|
24
|
+
code: "INVALID"
|
|
25
|
+
});
|
|
26
|
+
}
|
|
27
|
+
const [scheme, rest] = reference.split("://");
|
|
28
|
+
if (!scheme || !rest) {
|
|
29
|
+
throw new SecretProviderError({
|
|
30
|
+
message: `Invalid secret reference: ${reference}`,
|
|
31
|
+
provider: "unknown",
|
|
32
|
+
reference,
|
|
33
|
+
code: "INVALID"
|
|
34
|
+
});
|
|
35
|
+
}
|
|
36
|
+
const queryIndex = rest.indexOf("?");
|
|
37
|
+
if (queryIndex === -1) {
|
|
38
|
+
return {
|
|
39
|
+
provider: scheme,
|
|
40
|
+
path: rest
|
|
41
|
+
};
|
|
42
|
+
}
|
|
43
|
+
const path = rest.slice(0, queryIndex);
|
|
44
|
+
const query = rest.slice(queryIndex + 1);
|
|
45
|
+
const extras = Object.fromEntries(query.split("&").filter(Boolean).map((pair) => {
|
|
46
|
+
const [keyRaw, valueRaw] = pair.split("=");
|
|
47
|
+
const key = keyRaw ?? "";
|
|
48
|
+
const value = valueRaw ?? "";
|
|
49
|
+
return [decodeURIComponent(key), decodeURIComponent(value)];
|
|
50
|
+
}));
|
|
51
|
+
return {
|
|
52
|
+
provider: scheme,
|
|
53
|
+
path,
|
|
54
|
+
extras
|
|
55
|
+
};
|
|
56
|
+
}
|
|
57
|
+
function normalizeSecretPayload(payload) {
|
|
58
|
+
if (payload.data instanceof Uint8Array) {
|
|
59
|
+
return payload.data;
|
|
60
|
+
}
|
|
61
|
+
if (payload.encoding === "base64") {
|
|
62
|
+
return Buffer2.from(payload.data, "base64");
|
|
63
|
+
}
|
|
64
|
+
if (payload.encoding === "binary") {
|
|
65
|
+
return Buffer2.from(payload.data, "binary");
|
|
66
|
+
}
|
|
67
|
+
return Buffer2.from(payload.data, "utf-8");
|
|
68
|
+
}
|
|
69
|
+
|
|
70
|
+
// src/integrations/secrets/env-secret-provider.ts
|
|
71
|
+
class EnvSecretProvider {
|
|
72
|
+
id = "env";
|
|
73
|
+
aliases;
|
|
74
|
+
constructor(options = {}) {
|
|
75
|
+
this.aliases = options.aliases ?? {};
|
|
76
|
+
}
|
|
77
|
+
canHandle(reference) {
|
|
78
|
+
const envKey = this.resolveEnvKey(reference);
|
|
79
|
+
return envKey !== undefined && process.env[envKey] !== undefined;
|
|
80
|
+
}
|
|
81
|
+
async getSecret(reference) {
|
|
82
|
+
const envKey = this.resolveEnvKey(reference);
|
|
83
|
+
if (!envKey) {
|
|
84
|
+
throw new SecretProviderError({
|
|
85
|
+
message: `Unable to resolve environment variable for reference "${reference}".`,
|
|
86
|
+
provider: this.id,
|
|
87
|
+
reference,
|
|
88
|
+
code: "INVALID"
|
|
89
|
+
});
|
|
90
|
+
}
|
|
91
|
+
const value = process.env[envKey];
|
|
92
|
+
if (value === undefined) {
|
|
93
|
+
throw new SecretProviderError({
|
|
94
|
+
message: `Environment variable "${envKey}" not found for reference "${reference}".`,
|
|
95
|
+
provider: this.id,
|
|
96
|
+
reference,
|
|
97
|
+
code: "NOT_FOUND"
|
|
98
|
+
});
|
|
99
|
+
}
|
|
100
|
+
return {
|
|
101
|
+
data: Buffer.from(value, "utf-8"),
|
|
102
|
+
version: "current",
|
|
103
|
+
metadata: {
|
|
104
|
+
source: "env",
|
|
105
|
+
envKey
|
|
106
|
+
},
|
|
107
|
+
retrievedAt: new Date
|
|
108
|
+
};
|
|
109
|
+
}
|
|
110
|
+
async setSecret(reference, _payload) {
|
|
111
|
+
throw this.forbiddenError("setSecret", reference);
|
|
112
|
+
}
|
|
113
|
+
async rotateSecret(reference, _payload) {
|
|
114
|
+
throw this.forbiddenError("rotateSecret", reference);
|
|
115
|
+
}
|
|
116
|
+
async deleteSecret(reference) {
|
|
117
|
+
throw this.forbiddenError("deleteSecret", reference);
|
|
118
|
+
}
|
|
119
|
+
resolveEnvKey(reference) {
|
|
120
|
+
if (!reference) {
|
|
121
|
+
return;
|
|
122
|
+
}
|
|
123
|
+
if (this.aliases[reference]) {
|
|
124
|
+
return this.aliases[reference];
|
|
125
|
+
}
|
|
126
|
+
if (!reference.includes("://")) {
|
|
127
|
+
return reference;
|
|
128
|
+
}
|
|
129
|
+
try {
|
|
130
|
+
const parsed = parseSecretUri(reference);
|
|
131
|
+
if (parsed.provider === "env") {
|
|
132
|
+
return parsed.path;
|
|
133
|
+
}
|
|
134
|
+
if (parsed.extras?.env) {
|
|
135
|
+
return parsed.extras.env;
|
|
136
|
+
}
|
|
137
|
+
return this.deriveEnvKey(parsed.path);
|
|
138
|
+
} catch {
|
|
139
|
+
return reference;
|
|
140
|
+
}
|
|
141
|
+
}
|
|
142
|
+
deriveEnvKey(path) {
|
|
143
|
+
if (!path)
|
|
144
|
+
return;
|
|
145
|
+
return path.split(/[\/:\-\.]/).filter(Boolean).map((segment) => segment.replace(/[^a-zA-Z0-9]/g, "_").replace(/_{2,}/g, "_").toUpperCase()).join("_");
|
|
146
|
+
}
|
|
147
|
+
forbiddenError(operation, reference) {
|
|
148
|
+
return new SecretProviderError({
|
|
149
|
+
message: `EnvSecretProvider is read-only. "${operation}" is not allowed for ${reference}.`,
|
|
150
|
+
provider: this.id,
|
|
151
|
+
reference,
|
|
152
|
+
code: "FORBIDDEN"
|
|
153
|
+
});
|
|
154
|
+
}
|
|
155
|
+
}
|
|
156
|
+
export {
|
|
157
|
+
EnvSecretProvider
|
|
158
|
+
};
|