@danielsoren/secrets-loader 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,578 @@
+# @danielsoren/secrets-loader
+
+Load one JSON secret from a provider, merge local overrides, validate with Zod, and return typed backend config.
+
+> **Provider support:** AWS Secrets Manager today. The API is shaped so other providers (e.g. GCP, Vault) can plug in later without breaking changes.
+
+```ts
+import { loadSecrets } from "@danielsoren/secrets-loader";
+import { z } from "zod";
+
+const schema = z.object({
+  NODE_ENV: z.enum(["development", "test", "production"]),
+  DATABASE_URL: z.url(),
+  JWT_SECRET: z.string().min(32),
+  PORT: z.coerce.number().int().positive().default(3000),
+});
+
+const result = await loadSecrets({
+  schema,
+  providers: {
+    aws: { secretId: "prod/my-api" },
+  },
+});
+
+if (!result.success) {
+  console.error(result.error.message);
+  process.exit(1);
+}
+
+const app = createApp({ env: result.data });
+await app.listen(result.data.PORT);
+```
+
+## Why this package exists
+
+A managed secret store is a good place to keep backend secrets, but loading them at runtime creates one awkward problem: secrets are async, while app configuration often wants to be available before anything else starts.
+
+This package makes that startup step explicit:
+
+1. fetch one secret from a configured provider (AWS today).
+2. parse it as a JSON object.
+3. merge it with local `process.env` if configured.
+4. validate it with Zod.
+5. return a typed result.
+6. optionally write validated values to `process.env`.
+
+No import-time magic. No hidden globals. No surprise mutation.
+
+## Requirements
+
+```txt
+Node.js >= 22
+ESM project
+Backend/server runtime
+```
+
+This package is not intended for browser/frontend usage.
+
+## Installation
+
+```bash
+npm install @danielsoren/secrets-loader zod
+```
+
+or:
+
+```bash
+pnpm add @danielsoren/secrets-loader zod
+```
+
+The AWS provider uses AWS SDK v3 internally. `zod` is a peer dependency.
+
+## Secret format
+
+Store one JSON object as the secret value (`SecretString` in AWS Secrets Manager):
+
+```json
+{
+  "NODE_ENV": "production",
+  "DATABASE_URL": "postgres://user:pass@host:5432/app",
+  "JWT_SECRET": "replace-with-a-long-secret",
+  "PORT": "3000"
+}
+```
+
+Top-level arrays, strings, numbers, booleans, and `null` are invalid.
+
+For AWS, `SecretBinary` is not supported in v1.
+
+## Recommended usage: load first, then compose your app
+
+```ts
+import { loadSecrets } from "@danielsoren/secrets-loader";
+import { z } from "zod";
+import { createApp } from "./app.js";
+
+const schema = z.object({
+  NODE_ENV: z.enum(["development", "test", "production"]),
+  DATABASE_URL: z.url(),
+  JWT_SECRET: z.string().min(32),
+  PORT: z.coerce.number().int().positive().default(3000),
+});
+
+const result = await loadSecrets({
+  schema,
+  providers: {
+    aws: { secretId: "prod/my-api" },
+  },
+});
+
+if (!result.success) {
+  console.error(result.error.message);
+  process.exit(1);
+}
+
+const app = createApp({
+  env: result.data,
+});
+
+await app.listen(result.data.PORT);
+```
+
+Then your application can receive config explicitly:
+
+```ts
+import type { z } from "zod";
+
+const schema = z.object({
+  DATABASE_URL: z.url(),
+  JWT_SECRET: z.string().min(32),
+  PORT: z.coerce.number(),
+});
+
+type AppEnv = z.output<typeof schema>;
+
+export function createApp(ctx: { env: AppEnv }) {
+  const db = createDb(ctx.env.DATABASE_URL);
+  // create routes/services/etc.
+}
+```
+
+Dependency-injection style is the safest approach: app startup is deterministic and typed.
+
+## Source modes
+
+`loadSecrets` can combine provider values and local `process.env` values.
+
+Default mode:
+
+```ts
+"provider-then-process-env"
+```
+
+Provider values are loaded first, then local environment variables override them.
+
+| Mode | Provider fetch? | Uses process.env? | Priority |
+|---|---:|---:|---|
+| `provider-only` | yes | no | provider only |
+| `process-env-only` | no | yes | local only |
+| `provider-then-process-env` | yes | yes | `process.env` overrides provider |
+| `process-env-then-provider` | yes | yes | provider overrides `process.env` |
+
+Example:
+
+```ts
+const result = await loadSecrets({
+  schema,
+  source: "process-env-then-provider",
+  providers: {
+    aws: { secretId: "prod/my-api" },
+  },
+});
+```
+
+## Local-only mode
+
+Useful for tests, local scripts, or environments where the provider is not available:
+
+```ts
+const result = await loadSecrets({
+  schema,
+  source: "process-env-only",
+});
+```
+
+In this mode, no provider config is required and no provider is called.
+
+## AWS provider
+
+The AWS provider reads from AWS Secrets Manager. Configure it under `providers.aws`.
+
+### Region and credentials
+
+You can pass a region explicitly:
+
+```ts
+const result = await loadSecrets({
+  schema,
+  providers: {
+    aws: {
+      secretId: "prod/my-api",
+      region: "eu-central-1",
+    },
+  },
+});
+```
+
+If `region` is omitted, AWS SDK default region resolution is used.
+
+Credentials are also resolved by AWS SDK by default. You may either omit credentials and use normal AWS SDK mechanisms, or pass explicit credentials through `providers.aws.credentials`.
+
+Normal AWS SDK mechanisms include:
+
+```txt
+AWS_ACCESS_KEY_ID
+AWS_SECRET_ACCESS_KEY
+AWS_SESSION_TOKEN
+AWS_REGION
+AWS_PROFILE
+IAM role
+ECS task role
+EC2 instance role
+Lambda execution role
+```
+
+You can also pass explicit credentials when needed:
+
+```ts
+const result = await loadSecrets({
+  schema,
+  providers: {
+    aws: {
+      secretId: "prod/my-api",
+      region: "eu-central-1",
+      credentials: {
+        accessKeyId: process.env.AWS_ACCESS_KEY_ID!,
+        secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY!,
+        sessionToken: process.env.AWS_SESSION_TOKEN,
+      },
+    },
+  },
+});
+```
+
+If `credentials` is omitted, the package does not pass any credential override to AWS SDK. `accessKeyId` and `secretAccessKey` are both required when `credentials` is provided; `sessionToken` is optional.
+
+## Validation and typing
+
+The returned `data` type is inferred from the Zod schema output (`z.output<TSchema>`), so coercions and transforms are reflected in the final type.
+
+```ts
+const schema = z.object({
+  PORT: z.coerce.number().int().positive(),
+});
+
+const result = await loadSecrets({
+  schema,
+  source: "process-env-only",
+});
+
+if (result.success) {
+  // number, not string
+  result.data.PORT;
+}
+```
+
+## Result object
+
+`loadSecrets` does not intentionally throw for expected failures. It returns a discriminated union:
+
+```ts
+const result = await loadSecrets({
+  schema,
+  providers: { aws: { secretId } },
+});
+
+if (result.success) {
+  result.data;
+  result.meta;
+} else {
+  result.error.code;
+  result.error.message;
+  result.error.issues;
+}
+```
+
+Success:
+
+```ts
+{
+  success: true,
+  data: { DATABASE_URL: "...", PORT: 3000 },
+  error: null,
+  meta: {
+    source: "provider-then-process-env",
+    secretId: "prod/my-api",
+    loadedAt: new Date(),
+    cache: { enabled: false, hit: false },
+    usedSources: { aws: true, processEnv: true },
+    processEnvMutation: {
+      requested: false,
+      performed: false,
+      overwrite: false,
+      writtenKeys: [],
+      skippedKeys: [],
+    },
+  },
+}
+```
+
+Failure:
+
+```ts
+{
+  success: false,
+  data: null,
+  error: {
+    code: "SCHEMA_VALIDATION_FAILED",
+    message: "Secret validation failed.",
+    issues: [{ path: "DATABASE_URL", message: "Invalid URL" }],
+  },
+  meta: { /* ... */ },
+}
+```
+
+## Error codes
+
+```ts
+type LoadSecretsErrorCode =
+  | "AWS_SECRET_ID_MISSING"
+  | "AWS_FETCH_FAILED"
+  | "AWS_SECRET_EMPTY"
+  | "AWS_SECRET_BINARY_UNSUPPORTED"
+  | "SECRET_JSON_INVALID"
+  | "SECRET_JSON_NOT_OBJECT"
+  | "SCHEMA_VALIDATION_FAILED"
+  | "PROCESS_ENV_WRITE_FAILED"
+  | "TIMEOUT"
+  | "INVALID_OPTIONS"
+  | "UNKNOWN";
+```
+
+`AWS_*` codes are emitted when the AWS provider is in use. Future providers will introduce their own prefixed codes alongside these.
+
+Package-generated `message` fields are sanitized and never contain secret values. The optional `cause` field may contain the raw SDK or system error — do not blindly `JSON.stringify(result.error)` into public logs if you cannot trust upstream error contents.
+
+## Optional process.env mutation
+
+By default, the package does not write to `process.env`.
+
+You can enable mutation:
+
+```ts
+const result = await loadSecrets({
+  schema,
+  providers: {
+    aws: { secretId: "prod/my-api" },
+  },
+  processEnv: {
+    mutate: true,
+    overwrite: false,
+  },
+});
+```
+
+Rules:
+
+- mutation happens only after successful validation.
+- failed validation writes nothing.
+- `overwrite: false` preserves existing environment variables.
+- `overwrite: true` replaces existing values.
+- `null` and `undefined` values are skipped.
+
+Stringification rules used when writing to `process.env`:
+
+```txt
+string  -> same value
+number  -> String(value)
+boolean -> "true" | "false"
+bigint  -> String(value)
+Date    -> toISOString()
+object  -> JSON.stringify(value)
+array   -> JSON.stringify(value)
+null/undefined -> skip
+```
+
+Useful for legacy libraries that read directly from `process.env`. The recommended default is still explicit app context / DI.
+
+## Cache
+
+Cache is disabled by default.
+
+```ts
+const result = await loadSecrets({
+  schema,
+  providers: {
+    aws: { secretId: "prod/my-api" },
+  },
+  cache: {
+    enabled: true,
+    ttlMs: 60_000,
+  },
+});
+```
+
+The cache stores only the fetched secret string, not the final validated config. That means:
+
+- repeated provider calls can be avoided.
+- `process.env` is still re-read on every call.
+- validation still runs on every call.
+
+Security note: enabling the cache keeps the secret string in process memory until TTL expires.
+
+## Timeout
+
+Default provider fetch timeout:
+
+```ts
+5000 // milliseconds
+```
+
+Override:
+
+```ts
+const result = await loadSecrets({
+  schema,
+  providers: { aws: { secretId: "prod/my-api" } },
+  timeoutMs: 10_000,
+});
+```
+
+If the timeout is reached, the error code is `"TIMEOUT"`.
+
+## Framework examples
+
+### Hono
+
+```ts
+const result = await loadSecrets({
+  schema,
+  providers: { aws: { secretId: "prod/api" } },
+});
+if (!result.success) {
+  console.error(result.error.message);
+  process.exit(1);
+}
+
+const app = new Hono<{ Variables: { env: typeof result.data } }>();
+app.use("*", async (c, next) => {
+  c.set("env", result.data);
+  await next();
+});
+```
+
+### Express
+
+```ts
+const result = await loadSecrets({
+  schema,
+  providers: { aws: { secretId: "prod/api" } },
+});
+if (!result.success) {
+  console.error(result.error.message);
+  process.exit(1);
+}
+
+const app = express();
+const env = result.data;
+
+app.get("/health", (_req, res) => {
+  res.json({ env: env.NODE_ENV });
+});
+
+app.listen(env.PORT);
+```
+
+### Generic service composition
+
+```ts
+const result = await loadSecrets({
+  schema,
+  providers: { aws: { secretId: "prod/worker" } },
+});
+if (!result.success) {
+  console.error(result.error.message);
+  process.exit(1);
+}
+
+const worker = createWorker({
+  env: result.data,
+  db: createDb(result.data.DATABASE_URL),
+});
+
+await worker.start();
+```
+
+## Recommended IAM policy (AWS)
+
+Prefer least privilege:
+
+```json
+{
+  "Effect": "Allow",
+  "Action": "secretsmanager:GetSecretValue",
+  "Resource": "arn:aws:secretsmanager:REGION:ACCOUNT_ID:secret:prod/my-api-*"
+}
+```
+
+## Security notes
+
+- Do not use this package in frontend code.
+- Do not embed loaded secrets into frontend bundles.
+- Do not log `result.data`.
+- Do not log raw provider errors if your logging pipeline is public or shared.
+- Package-generated error messages are sanitized and do not include secret values.
+- `process.env` mutation is off by default.
+- Cache is off by default.
+- The package has no import-time side effects.
+
+## Limitations
+
+v1 intentionally does not support:
+
+- multiple secrets in one call.
+- providers other than AWS Secrets Manager.
+- AWS `SecretBinary`.
+- custom AWS endpoints.
+- LocalStack-specific configuration.
+- browser usage.
+- CommonJS.
+- throwing mode.
+- automatic import-time loading.
+
+## Roadmap
+
+The `providers.aws` shape is designed so additional providers can be added without breaking the existing API. Likely future additions:
+
+- additional cloud providers (e.g. GCP Secret Manager, HashiCorp Vault).
+- custom provider injection.
+
+These are not implemented yet.
+
+## Bad patterns to avoid
+
+Avoid async global initialization soup:
+
+```ts
+// avoid
+export let env;
+
+loadSecrets({
+  schema,
+  providers: { aws: { secretId: "prod/api" } },
+}).then((result) => {
+  if (result.success) {
+    env = result.data;
+  }
+});
+```
+
+Prefer explicit startup:
+
+```ts
+const result = await loadSecrets({
+  schema,
+  providers: { aws: { secretId: "prod/api" } },
+});
+
+if (!result.success) {
+  process.exit(1);
+}
+
+await startApp(result.data);
+```
+
+## License
+
+MIT

package/dist/index.d.ts

@@ -0,0 +1,82 @@
+import { z } from 'zod';
+
+type SecretSourceMode = "provider-only" | "process-env-only" | "provider-then-process-env" | "process-env-then-provider";
+type AwsCredentialsOption = {
+    accessKeyId: string;
+    secretAccessKey: string;
+    sessionToken?: string;
+};
+type AwsOption = {
+    secretId?: string;
+    region?: string;
+    credentials?: AwsCredentialsOption;
+};
+type ProvidersOption = {
+    aws?: AwsOption;
+};
+type CacheOption = {
+    enabled?: boolean;
+    ttlMs?: number;
+};
+type ProcessEnvOption = {
+    mutate?: boolean;
+    overwrite?: boolean;
+};
+type LoadSecretsOptions<TSchema extends z.ZodTypeAny> = {
+    schema: TSchema;
+    providers?: ProvidersOption;
+    source?: SecretSourceMode;
+    timeoutMs?: number;
+    cache?: CacheOption;
+    processEnv?: ProcessEnvOption;
+};
+type LoadSecretsErrorCode = "AWS_SECRET_ID_MISSING" | "AWS_FETCH_FAILED" | "AWS_SECRET_EMPTY" | "AWS_SECRET_BINARY_UNSUPPORTED" | "SECRET_JSON_INVALID" | "SECRET_JSON_NOT_OBJECT" | "SCHEMA_VALIDATION_FAILED" | "PROCESS_ENV_WRITE_FAILED" | "TIMEOUT" | "INVALID_OPTIONS" | "UNKNOWN";
+type LoadSecretsIssue = {
+    path: string;
+    message: string;
+};
+type LoadSecretsError = {
+    code: LoadSecretsErrorCode;
+    message: string;
+    issues?: LoadSecretsIssue[];
+    cause?: unknown;
+};
+type LoadSecretsMeta = {
+    source: SecretSourceMode;
+    secretId?: string;
+    region?: string;
+    loadedAt: Date;
+    cache: {
+        enabled: boolean;
+        hit: boolean;
+        ttlMs?: number;
+    };
+    usedSources: {
+        aws: boolean;
+        processEnv: boolean;
+    };
+    processEnvMutation: {
+        requested: boolean;
+        performed: boolean;
+        overwrite: boolean;
+        writtenKeys: string[];
+        skippedKeys: string[];
+    };
+};
+type LoadSecretsSuccess<TData> = {
+    success: true;
+    data: TData;
+    error: null;
+    meta: LoadSecretsMeta;
+};
+type LoadSecretsFailure = {
+    success: false;
+    data: null;
+    error: LoadSecretsError;
+    meta: LoadSecretsMeta;
+};
+type LoadSecretsResult<TData> = LoadSecretsSuccess<TData> | LoadSecretsFailure;
+
+declare function loadSecrets<TSchema extends z.ZodTypeAny>(options: LoadSecretsOptions<TSchema>): Promise<LoadSecretsResult<z.output<TSchema>>>;
+
+export { type AwsCredentialsOption, type AwsOption, type CacheOption, type LoadSecretsError, type LoadSecretsErrorCode, type LoadSecretsFailure, type LoadSecretsIssue, type LoadSecretsMeta, type LoadSecretsOptions, type LoadSecretsResult, type LoadSecretsSuccess, type ProcessEnvOption, type ProvidersOption, type SecretSourceMode, loadSecrets };

package/dist/index.js

@@ -0,0 +1,472 @@
+// src/aws/fetch-secret-string.ts
+import { GetSecretValueCommand } from "@aws-sdk/client-secrets-manager";
+
+// src/core/errors.ts
+var MESSAGES = {
+  AWS_SECRET_ID_MISSING: "AWS secretId is required for the selected source mode.",
+  AWS_FETCH_FAILED: "Failed to fetch secret from AWS Secrets Manager.",
+  AWS_SECRET_EMPTY: "AWS secret value is empty.",
+  AWS_SECRET_BINARY_UNSUPPORTED: "SecretBinary is not supported. Store the secret as a JSON object in SecretString.",
+  SECRET_JSON_INVALID: "AWS SecretString must be valid JSON.",
+  SECRET_JSON_NOT_OBJECT: "AWS SecretString must contain a JSON object.",
+  SCHEMA_VALIDATION_FAILED: "Secret validation failed.",
+  PROCESS_ENV_WRITE_FAILED: "Failed to write validated secrets to process.env.",
+  TIMEOUT: "Timed out while fetching secret from AWS Secrets Manager.",
+  INVALID_OPTIONS: "Invalid loadSecrets options.",
+  UNKNOWN: "Unexpected error while loading secrets."
+};
+function createError(code, options) {
+  const error = {
+    code,
+    message: MESSAGES[code]
+  };
+  if (options?.issues !== void 0) {
+    error.issues = options.issues;
+  }
+  if (options?.cause !== void 0) {
+    error.cause = options.cause;
+  }
+  return error;
+}
+
+// src/utils/timeout.ts
+var TimeoutError = class extends Error {
+  constructor(message = "Operation timed out") {
+    super(message);
+    this.name = "TimeoutError";
+  }
+};
+function withTimeout(promise, timeoutMs) {
+  return new Promise((resolve, reject) => {
+    const timer = setTimeout(() => {
+      reject(new TimeoutError());
+    }, timeoutMs);
+    promise.then(
+      (value) => {
+        clearTimeout(timer);
+        resolve(value);
+      },
+      (err) => {
+        clearTimeout(timer);
+        reject(err);
+      }
+    );
+  });
+}
+
+// src/aws/create-secrets-manager-client.ts
+import {
+  SecretsManagerClient
+} from "@aws-sdk/client-secrets-manager";
+function createSecretsManagerClient(input) {
+  const config = {};
+  if (input.region !== void 0) {
+    config.region = input.region;
+  }
+  if (input.credentials !== void 0) {
+    const { accessKeyId, secretAccessKey, sessionToken } = input.credentials;
+    config.credentials = sessionToken !== void 0 ? { accessKeyId, secretAccessKey, sessionToken } : { accessKeyId, secretAccessKey };
+  }
+  return new SecretsManagerClient(config);
+}
+
+// src/aws/fetch-secret-string.ts
+async function fetchSecretString(input) {
+  const client = createSecretsManagerClient({
+    ...input.region !== void 0 ? { region: input.region } : {},
+    ...input.credentials !== void 0 ? { credentials: input.credentials } : {}
+  });
+  try {
+    const response = await withTimeout(
+      client.send(new GetSecretValueCommand({ SecretId: input.secretId })),
+      input.timeoutMs
+    );
+    const secretString = response.SecretString;
+    if (typeof secretString === "string" && secretString.length > 0) {
+      return { success: true, secretString };
+    }
+    if (response.SecretBinary !== void 0) {
+      return {
+        success: false,
+        error: createError("AWS_SECRET_BINARY_UNSUPPORTED")
+      };
+    }
+    return { success: false, error: createError("AWS_SECRET_EMPTY") };
+  } catch (cause) {
+    if (cause instanceof TimeoutError) {
+      return { success: false, error: createError("TIMEOUT", { cause }) };
+    }
+    return {
+      success: false,
+      error: createError("AWS_FETCH_FAILED", { cause })
+    };
+  } finally {
+    try {
+      client.destroy();
+    } catch {
+    }
+  }
+}
+
+// src/core/cache.ts
+var cache = /* @__PURE__ */ new Map();
+function buildCacheKey(secretId, region) {
+  return `${region ?? "default"}:${secretId}`;
+}
+function getCachedSecretString(key, now = Date.now()) {
+  const entry = cache.get(key);
+  if (!entry) return null;
+  if (now >= entry.expiresAt) {
+    cache.delete(key);
+    return null;
+  }
+  return entry.value;
+}
+function setCachedSecretString(key, value, ttlMs, now = Date.now()) {
+  cache.set(key, { value, expiresAt: now + ttlMs });
+}
+
+// src/core/merge-sources.ts
+function mergeSources(input) {
+  const { source, providerValues, processEnvValues } = input;
+  switch (source) {
+    case "provider-only":
+      return { ...providerValues ?? {} };
+    case "process-env-only":
+      return { ...processEnvValues ?? {} };
+    case "provider-then-process-env":
+      return { ...providerValues ?? {}, ...processEnvValues ?? {} };
+    case "process-env-then-provider":
+      return { ...processEnvValues ?? {}, ...providerValues ?? {} };
+  }
+}
+
+// src/core/constants.ts
+var DEFAULT_SOURCE = "provider-then-process-env";
+var DEFAULT_TIMEOUT_MS = 5e3;
+var DEFAULT_CACHE_ENABLED = false;
+var DEFAULT_CACHE_TTL_MS = 6e4;
+var DEFAULT_PROCESS_ENV_MUTATE = false;
+var DEFAULT_PROCESS_ENV_OVERWRITE = false;
+
+// src/core/normalize-options.ts
+var VALID_SOURCES = /* @__PURE__ */ new Set([
+  "provider-only",
+  "process-env-only",
+  "provider-then-process-env",
+  "process-env-then-provider"
+]);
+function normalizeOptions(options) {
+  const source = options.source ?? DEFAULT_SOURCE;
+  if (!VALID_SOURCES.has(source)) {
+    return { success: false, error: createError("INVALID_OPTIONS") };
+  }
+  const timeoutMs = options.timeoutMs ?? DEFAULT_TIMEOUT_MS;
+  if (!Number.isFinite(timeoutMs) || timeoutMs <= 0) {
+    return { success: false, error: createError("INVALID_OPTIONS") };
+  }
+  const cacheEnabled = options.cache?.enabled ?? DEFAULT_CACHE_ENABLED;
+  const cacheTtlMs = options.cache?.ttlMs ?? DEFAULT_CACHE_TTL_MS;
+  if (cacheEnabled && (!Number.isFinite(cacheTtlMs) || cacheTtlMs <= 0)) {
+    return { success: false, error: createError("INVALID_OPTIONS") };
+  }
+  const mutate = options.processEnv?.mutate ?? DEFAULT_PROCESS_ENV_MUTATE;
+  const overwrite = options.processEnv?.overwrite ?? DEFAULT_PROCESS_ENV_OVERWRITE;
+  const awsInput = options.providers?.aws;
+  const aws = {};
+  if (awsInput?.secretId !== void 0 && awsInput.secretId.length > 0) {
+    aws.secretId = awsInput.secretId;
+  }
+  if (awsInput?.region !== void 0 && awsInput.region.length > 0) {
+    aws.region = awsInput.region;
+  }
+  if (awsInput?.credentials !== void 0) {
+    const c = awsInput.credentials;
+    if (typeof c.accessKeyId !== "string" || c.accessKeyId.length === 0 || typeof c.secretAccessKey !== "string" || c.secretAccessKey.length === 0) {
+      return { success: false, error: createError("INVALID_OPTIONS") };
+    }
+    aws.credentials = {
+      accessKeyId: c.accessKeyId,
+      secretAccessKey: c.secretAccessKey,
+      ...c.sessionToken !== void 0 ? { sessionToken: c.sessionToken } : {}
+    };
+  }
+  return {
+    success: true,
+    data: {
+      source,
+      timeoutMs,
+      providers: { aws },
+      cache: {
+        enabled: cacheEnabled,
+        ttlMs: cacheTtlMs
+      },
+      processEnv: {
+        mutate,
+        overwrite
+      }
+    }
+  };
+}
+
+// src/core/process-env.ts
+function snapshotProcessEnv() {
+  const snapshot = {};
+  for (const key of Object.keys(process.env)) {
+    snapshot[key] = process.env[key];
+  }
+  return snapshot;
+}
+function stringifyForEnv(value) {
+  if (value === null || value === void 0) return null;
+  if (typeof value === "string") return value;
+  if (typeof value === "number") return String(value);
+  if (typeof value === "boolean") return value ? "true" : "false";
+  if (typeof value === "bigint") return value.toString();
+  if (value instanceof Date) return value.toISOString();
+  if (typeof value === "object") return JSON.stringify(value);
+  return String(value);
+}
+function mutateProcessEnv(validated, overwrite) {
+  const candidates = [];
+  const skippedKeys = [];
+  for (const key of Object.keys(validated)) {
+    const stringified = stringifyForEnv(validated[key]);
+    if (stringified === null) {
+      skippedKeys.push(key);
+      continue;
+    }
+    if (!overwrite && Object.hasOwn(process.env, key) && process.env[key] !== void 0) {
+      skippedKeys.push(key);
+      continue;
+    }
+    candidates.push([key, stringified]);
+  }
+  const previous = /* @__PURE__ */ new Map();
+  const writtenKeys = [];
+  try {
+    for (const [key, value] of candidates) {
+      previous.set(key, process.env[key]);
+      process.env[key] = value;
+      writtenKeys.push(key);
+    }
+    return { success: true, writtenKeys, skippedKeys };
+  } catch (cause) {
+    for (const [key, prev] of previous) {
+      if (prev === void 0) {
+        delete process.env[key];
+      } else {
+        process.env[key] = prev;
+      }
+    }
+    return {
+      success: false,
+      error: createError("PROCESS_ENV_WRITE_FAILED", { cause }),
+      writtenKeys: [],
+      skippedKeys
+    };
+  }
+}
+
+// src/core/resolve-source-mode.ts
+function sourceUsesProvider(source) {
+  return source !== "process-env-only";
+}
+function sourceUsesProcessEnv(source) {
+  return source !== "provider-only";
+}
+
+// src/core/result.ts
+function success(meta, data) {
+  return {
+    success: true,
+    data,
+    error: null,
+    meta
+  };
+}
+function failure(meta, error) {
+  return {
+    success: false,
+    data: null,
+    error,
+    meta
+  };
+}
+
+// src/core/validate-schema.ts
+function mapIssues(error) {
+  return error.issues.map((issue) => {
+    const path = issue.path.map((p) => String(p)).join(".");
+    return {
+      path: path.length === 0 ? "<root>" : path,
+      message: issue.message
+    };
+  });
+}
+async function validateSchema(schema, value) {
+  const parsed = await schema.safeParseAsync(value);
+  if (parsed.success) {
+    return { success: true, data: parsed.data };
+  }
+  return { success: false, issues: mapIssues(parsed.error) };
+}
+
+// src/utils/is-plain-record.ts
+function isPlainRecord(value) {
+  if (value === null || typeof value !== "object") return false;
+  if (Array.isArray(value)) return false;
+  const proto = Object.getPrototypeOf(value);
+  return proto === Object.prototype || proto === null;
+}
+
+// src/utils/parse-json-secret.ts
+function parseJsonSecret(input) {
+  let parsed;
+  try {
+    parsed = JSON.parse(input);
+  } catch {
+    return {
+      success: false,
+      error: {
+        code: "SECRET_JSON_INVALID",
+        message: "AWS SecretString must be valid JSON."
+      }
+    };
+  }
+  if (!isPlainRecord(parsed)) {
+    return {
+      success: false,
+      error: {
+        code: "SECRET_JSON_NOT_OBJECT",
+        message: "AWS SecretString must contain a JSON object."
+      }
+    };
+  }
+  return { success: true, data: parsed };
+}
+
+// src/load-secrets.ts
+function createInitialMeta(normalized) {
+  const meta = {
+    source: normalized.source,
+    loadedAt: /* @__PURE__ */ new Date(),
+    cache: {
+      enabled: normalized.cache.enabled,
+      hit: false
+    },
+    usedSources: {
+      aws: sourceUsesProvider(normalized.source),
+      processEnv: sourceUsesProcessEnv(normalized.source)
+    },
+    processEnvMutation: {
+      requested: normalized.processEnv.mutate,
+      performed: false,
+      overwrite: normalized.processEnv.overwrite,
+      writtenKeys: [],
+      skippedKeys: []
+    }
+  };
+  if (normalized.providers.aws.secretId !== void 0) {
+    meta.secretId = normalized.providers.aws.secretId;
+  }
+  if (normalized.providers.aws.region !== void 0) {
+    meta.region = normalized.providers.aws.region;
+  }
+  if (normalized.cache.enabled) {
+    meta.cache.ttlMs = normalized.cache.ttlMs;
+  }
+  return meta;
+}
+async function loadSecrets(options) {
+  const normalizedResult = normalizeOptions(options);
+  if (!normalizedResult.success) {
+    const reportedSource = options.source ?? "provider-then-process-env";
+    const baseMeta = {
+      source: reportedSource,
+      loadedAt: /* @__PURE__ */ new Date(),
+      cache: { enabled: false, hit: false },
+      usedSources: {
+        aws: sourceUsesProvider(reportedSource),
+        processEnv: sourceUsesProcessEnv(reportedSource)
+      },
+      processEnvMutation: {
+        requested: options.processEnv?.mutate ?? false,
+        performed: false,
+        overwrite: options.processEnv?.overwrite ?? false,
+        writtenKeys: [],
+        skippedKeys: []
+      }
+    };
+    return failure(baseMeta, normalizedResult.error);
+  }
+  const normalized = normalizedResult.data;
+  const meta = createInitialMeta(normalized);
+  try {
+    let providerValues;
+    let processEnvValues;
+    if (sourceUsesProvider(normalized.source)) {
+      const aws = normalized.providers.aws;
+      if (aws.secretId === void 0 || aws.secretId.length === 0) {
+        return failure(meta, createError("AWS_SECRET_ID_MISSING"));
+      }
+      let secretString = null;
+      const cacheKey = buildCacheKey(aws.secretId, aws.region);
+      if (normalized.cache.enabled) {
+        secretString = getCachedSecretString(cacheKey);
+        if (secretString !== null) {
+          meta.cache.hit = true;
+        }
+      }
+      if (secretString === null) {
+        const fetchResult = await fetchSecretString({
+          secretId: aws.secretId,
+          timeoutMs: normalized.timeoutMs,
+          ...aws.region !== void 0 ? { region: aws.region } : {},
+          ...aws.credentials !== void 0 ? { credentials: aws.credentials } : {}
+        });
+        if (!fetchResult.success) {
+          return failure(meta, fetchResult.error);
+        }
+        secretString = fetchResult.secretString;
+        if (normalized.cache.enabled) {
+          setCachedSecretString(cacheKey, secretString, normalized.cache.ttlMs);
+        }
+      }
+      const parsed = parseJsonSecret(secretString);
+      if (!parsed.success) {
+        return failure(meta, parsed.error);
+      }
+      providerValues = parsed.data;
+    }
+    if (sourceUsesProcessEnv(normalized.source)) {
+      processEnvValues = snapshotProcessEnv();
+    }
+    const merged = mergeSources({
+      source: normalized.source,
+      ...providerValues !== void 0 ? { providerValues } : {},
+      ...processEnvValues !== void 0 ? { processEnvValues } : {}
+    });
+    const validation = await validateSchema(options.schema, merged);
+    if (!validation.success) {
+      return failure(meta, createError("SCHEMA_VALIDATION_FAILED", { issues: validation.issues }));
+    }
+    if (normalized.processEnv.mutate) {
+      const validatedRecord = validation.data && typeof validation.data === "object" && !Array.isArray(validation.data) ? validation.data : {};
+      const mutation = mutateProcessEnv(validatedRecord, normalized.processEnv.overwrite);
+      meta.processEnvMutation.writtenKeys = mutation.writtenKeys;
+      meta.processEnvMutation.skippedKeys = mutation.skippedKeys;
+      if (!mutation.success) {
+        return failure(meta, mutation.error);
+      }
+      meta.processEnvMutation.performed = true;
+    }
+    return success(meta, validation.data);
+  } catch (cause) {
+    return failure(meta, createError("UNKNOWN", { cause }));
+  }
+}
+export {
+  loadSecrets
+};
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/aws/fetch-secret-string.ts","../src/core/errors.ts","../src/utils/timeout.ts","../src/aws/create-secrets-manager-client.ts","../src/core/cache.ts","../src/core/merge-sources.ts","../src/core/constants.ts","../src/core/normalize-options.ts","../src/core/process-env.ts","../src/core/resolve-source-mode.ts","../src/core/result.ts","../src/core/validate-schema.ts","../src/utils/is-plain-record.ts","../src/utils/parse-json-secret.ts","../src/load-secrets.ts"],"sourcesContent":["import { GetSecretValueCommand } from \"@aws-sdk/client-secrets-manager\";\nimport { createError } from \"../core/errors.js\";\nimport type { AwsCredentialsOption, LoadSecretsError } from \"../core/types.js\";\nimport { TimeoutError, withTimeout } from \"../utils/timeout.js\";\nimport { createSecretsManagerClient } from \"./create-secrets-manager-client.js\";\n\nexport type FetchSecretStringInput = {\n  secretId: string;\n  region?: string;\n  credentials?: AwsCredentialsOption;\n  timeoutMs: number;\n};\n\nexport type FetchSecretStringResult =\n  | { success: true; secretString: string }\n  | { success: false; error: LoadSecretsError };\n\nexport async function fetchSecretString(\n  input: FetchSecretStringInput,\n): Promise<FetchSecretStringResult> {\n  const client = createSecretsManagerClient({\n    ...(input.region !== undefined ? { region: input.region } : {}),\n    ...(input.credentials !== undefined ? { credentials: input.credentials } : {}),\n  });\n\n  try {\n    const response = await withTimeout(\n      client.send(new GetSecretValueCommand({ SecretId: input.secretId })),\n      input.timeoutMs,\n    );\n\n    const secretString = response.SecretString;\n    if (typeof secretString === \"string\" && secretString.length > 0) {\n      return { success: true, secretString };\n    }\n\n    if (response.SecretBinary !== undefined) {\n      return {\n        success: false,\n        error: createError(\"AWS_SECRET_BINARY_UNSUPPORTED\"),\n      };\n    }\n\n    return { success: false, error: createError(\"AWS_SECRET_EMPTY\") };\n  } catch (cause) {\n    if (cause instanceof TimeoutError) {\n      return { success: false, error: createError(\"TIMEOUT\", { cause }) };\n    }\n    return {\n      success: false,\n      error: createError(\"AWS_FETCH_FAILED\", { cause }),\n    };\n  } finally {\n    try {\n      client.destroy();\n    } catch {\n      // ignore client destroy errors\n    }\n  }\n}\n","import type { LoadSecretsError, LoadSecretsErrorCode, LoadSecretsIssue } from \"./types.js\";\n\nconst MESSAGES: Record<LoadSecretsErrorCode, string> = {\n  AWS_SECRET_ID_MISSING: \"AWS secretId is required for the selected source mode.\",\n  AWS_FETCH_FAILED: \"Failed to fetch secret from AWS Secrets Manager.\",\n  AWS_SECRET_EMPTY: \"AWS secret value is empty.\",\n  AWS_SECRET_BINARY_UNSUPPORTED:\n    \"SecretBinary is not supported. Store the secret as a JSON object in SecretString.\",\n  SECRET_JSON_INVALID: \"AWS SecretString must be valid JSON.\",\n  SECRET_JSON_NOT_OBJECT: \"AWS SecretString must contain a JSON object.\",\n  SCHEMA_VALIDATION_FAILED: \"Secret validation failed.\",\n  PROCESS_ENV_WRITE_FAILED: \"Failed to write validated secrets to process.env.\",\n  TIMEOUT: \"Timed out while fetching secret from AWS Secrets Manager.\",\n  INVALID_OPTIONS: \"Invalid loadSecrets options.\",\n  UNKNOWN: \"Unexpected error while loading secrets.\",\n};\n\nexport function createError(\n  code: LoadSecretsErrorCode,\n  options?: { issues?: LoadSecretsIssue[]; cause?: unknown },\n): LoadSecretsError {\n  const error: LoadSecretsError = {\n    code,\n    message: MESSAGES[code],\n  };\n  if (options?.issues !== undefined) {\n    error.issues = options.issues;\n  }\n  if (options?.cause !== undefined) {\n    error.cause = options.cause;\n  }\n  return error;\n}\n","export class TimeoutError extends Error {\n  constructor(message = \"Operation timed out\") {\n    super(message);\n    this.name = \"TimeoutError\";\n  }\n}\n\nexport function withTimeout<T>(promise: Promise<T>, timeoutMs: number): Promise<T> {\n  return new Promise<T>((resolve, reject) => {\n    const timer = setTimeout(() => {\n      reject(new TimeoutError());\n    }, timeoutMs);\n\n    promise.then(\n      (value) => {\n        clearTimeout(timer);\n        resolve(value);\n      },\n      (err: unknown) => {\n        clearTimeout(timer);\n        reject(err as Error);\n      },\n    );\n  });\n}\n","import {\n  SecretsManagerClient,\n  type SecretsManagerClientConfig,\n} from \"@aws-sdk/client-secrets-manager\";\nimport type { AwsCredentialsOption } from \"../core/types.js\";\n\nexport type CreateSecretsManagerClientInput = {\n  region?: string;\n  credentials?: AwsCredentialsOption;\n};\n\nexport function createSecretsManagerClient(\n  input: CreateSecretsManagerClientInput,\n): SecretsManagerClient {\n  const config: SecretsManagerClientConfig = {};\n  if (input.region !== undefined) {\n    config.region = input.region;\n  }\n  if (input.credentials !== undefined) {\n    const { accessKeyId, secretAccessKey, sessionToken } = input.credentials;\n    config.credentials =\n      sessionToken !== undefined\n        ? { accessKeyId, secretAccessKey, sessionToken }\n        : { accessKeyId, secretAccessKey };\n  }\n  return new SecretsManagerClient(config);\n}\n","type CacheEntry = {\n  value: string;\n  expiresAt: number;\n};\n\nconst cache = new Map<string, CacheEntry>();\n\nexport function buildCacheKey(secretId: string, region?: string): string {\n  return `${region ?? \"default\"}:${secretId}`;\n}\n\nexport function getCachedSecretString(key: string, now: number = Date.now()): string | null {\n  const entry = cache.get(key);\n  if (!entry) return null;\n  if (now >= entry.expiresAt) {\n    cache.delete(key);\n    return null;\n  }\n  return entry.value;\n}\n\nexport function setCachedSecretString(\n  key: string,\n  value: string,\n  ttlMs: number,\n  now: number = Date.now(),\n): void {\n  cache.set(key, { value, expiresAt: now + ttlMs });\n}\n\nexport function clearCache(): void {\n  cache.clear();\n}\n","import type { SecretSourceMode } from \"./types.js\";\n\nexport type MergeSourcesInput = {\n  source: SecretSourceMode;\n  providerValues?: Record<string, unknown>;\n  processEnvValues?: Record<string, string | undefined>;\n};\n\nexport function mergeSources(input: MergeSourcesInput): Record<string, unknown> {\n  const { source, providerValues, processEnvValues } = input;\n\n  switch (source) {\n    case \"provider-only\":\n      return { ...(providerValues ?? {}) };\n    case \"process-env-only\":\n      return { ...(processEnvValues ?? {}) };\n    case \"provider-then-process-env\":\n      return { ...(providerValues ?? {}), ...(processEnvValues ?? {}) };\n    case \"process-env-then-provider\":\n      return { ...(processEnvValues ?? {}), ...(providerValues ?? {}) };\n  }\n}\n","import type { SecretSourceMode } from \"./types.js\";\n\nexport const DEFAULT_SOURCE: SecretSourceMode = \"provider-then-process-env\";\nexport const DEFAULT_TIMEOUT_MS = 5000;\nexport const DEFAULT_CACHE_ENABLED = false;\nexport const DEFAULT_CACHE_TTL_MS = 60_000;\nexport const DEFAULT_PROCESS_ENV_MUTATE = false;\nexport const DEFAULT_PROCESS_ENV_OVERWRITE = false;\n","import {\n  DEFAULT_CACHE_ENABLED,\n  DEFAULT_CACHE_TTL_MS,\n  DEFAULT_PROCESS_ENV_MUTATE,\n  DEFAULT_PROCESS_ENV_OVERWRITE,\n  DEFAULT_SOURCE,\n  DEFAULT_TIMEOUT_MS,\n} from \"./constants.js\";\nimport { createError } from \"./errors.js\";\nimport type { LoadSecretsError, LoadSecretsOptions, NormalizedOptions } from \"./types.js\";\n\nexport type NormalizeResult =\n  | { success: true; data: NormalizedOptions }\n  | { success: false; error: LoadSecretsError };\n\nconst VALID_SOURCES = new Set([\n  \"provider-only\",\n  \"process-env-only\",\n  \"provider-then-process-env\",\n  \"process-env-then-provider\",\n]);\n\nexport function normalizeOptions<TSchema extends import(\"zod\").z.ZodTypeAny>(\n  options: LoadSecretsOptions<TSchema>,\n): NormalizeResult {\n  const source = options.source ?? DEFAULT_SOURCE;\n  if (!VALID_SOURCES.has(source)) {\n    return { success: false, error: createError(\"INVALID_OPTIONS\") };\n  }\n\n  const timeoutMs = options.timeoutMs ?? DEFAULT_TIMEOUT_MS;\n  if (!Number.isFinite(timeoutMs) || timeoutMs <= 0) {\n    return { success: false, error: createError(\"INVALID_OPTIONS\") };\n  }\n\n  const cacheEnabled = options.cache?.enabled ?? DEFAULT_CACHE_ENABLED;\n  const cacheTtlMs = options.cache?.ttlMs ?? DEFAULT_CACHE_TTL_MS;\n  if (cacheEnabled && (!Number.isFinite(cacheTtlMs) || cacheTtlMs <= 0)) {\n    return { success: false, error: createError(\"INVALID_OPTIONS\") };\n  }\n\n  const mutate = options.processEnv?.mutate ?? DEFAULT_PROCESS_ENV_MUTATE;\n  const overwrite = options.processEnv?.overwrite ?? DEFAULT_PROCESS_ENV_OVERWRITE;\n\n  const awsInput = options.providers?.aws;\n  const aws: NormalizedOptions[\"providers\"][\"aws\"] = {};\n  if (awsInput?.secretId !== undefined && awsInput.secretId.length > 0) {\n    aws.secretId = awsInput.secretId;\n  }\n  if (awsInput?.region !== undefined && awsInput.region.length > 0) {\n    aws.region = awsInput.region;\n  }\n  if (awsInput?.credentials !== undefined) {\n    const c = awsInput.credentials;\n    if (\n      typeof c.accessKeyId !== \"string\" ||\n      c.accessKeyId.length === 0 ||\n      typeof c.secretAccessKey !== \"string\" ||\n      c.secretAccessKey.length === 0\n    ) {\n      return { success: false, error: createError(\"INVALID_OPTIONS\") };\n    }\n    aws.credentials = {\n      accessKeyId: c.accessKeyId,\n      secretAccessKey: c.secretAccessKey,\n      ...(c.sessionToken !== undefined ? { sessionToken: c.sessionToken } : {}),\n    };\n  }\n\n  return {\n    success: true,\n    data: {\n      source,\n      timeoutMs,\n      providers: { aws },\n      cache: {\n        enabled: cacheEnabled,\n        ttlMs: cacheTtlMs,\n      },\n      processEnv: {\n        mutate,\n        overwrite,\n      },\n    },\n  };\n}\n","import { createError } from \"./errors.js\";\nimport type { LoadSecretsError } from \"./types.js\";\n\nexport function snapshotProcessEnv(): Record<string, string | undefined> {\n  const snapshot: Record<string, string | undefined> = {};\n  for (const key of Object.keys(process.env)) {\n    snapshot[key] = process.env[key];\n  }\n  return snapshot;\n}\n\nexport function stringifyForEnv(value: unknown): string | null {\n  if (value === null || value === undefined) return null;\n  if (typeof value === \"string\") return value;\n  if (typeof value === \"number\") return String(value);\n  if (typeof value === \"boolean\") return value ? \"true\" : \"false\";\n  if (typeof value === \"bigint\") return value.toString();\n  if (value instanceof Date) return value.toISOString();\n  if (typeof value === \"object\") return JSON.stringify(value);\n  return String(value);\n}\n\nexport type MutationOutcome = {\n  success: true;\n  writtenKeys: string[];\n  skippedKeys: string[];\n};\n\nexport type MutationResult =\n  | MutationOutcome\n  | { success: false; error: LoadSecretsError; writtenKeys: string[]; skippedKeys: string[] };\n\nexport function mutateProcessEnv(\n  validated: Record<string, unknown>,\n  overwrite: boolean,\n): MutationResult {\n  const candidates: Array<[string, string]> = [];\n  const skippedKeys: string[] = [];\n\n  for (const key of Object.keys(validated)) {\n    const stringified = stringifyForEnv(validated[key]);\n    if (stringified === null) {\n      skippedKeys.push(key);\n      continue;\n    }\n    if (!overwrite && Object.hasOwn(process.env, key) && process.env[key] !== undefined) {\n      skippedKeys.push(key);\n      continue;\n    }\n    candidates.push([key, stringified]);\n  }\n\n  const previous = new Map<string, string | undefined>();\n  const writtenKeys: string[] = [];\n\n  try {\n    for (const [key, value] of candidates) {\n      previous.set(key, process.env[key]);\n      process.env[key] = value;\n      writtenKeys.push(key);\n    }\n    return { success: true, writtenKeys, skippedKeys };\n  } catch (cause) {\n    for (const [key, prev] of previous) {\n      if (prev === undefined) {\n        delete process.env[key];\n      } else {\n        process.env[key] = prev;\n      }\n    }\n    return {\n      success: false,\n      error: createError(\"PROCESS_ENV_WRITE_FAILED\", { cause }),\n      writtenKeys: [],\n      skippedKeys,\n    };\n  }\n}\n","import type { SecretSourceMode } from \"./types.js\";\n\nexport function sourceUsesProvider(source: SecretSourceMode): boolean {\n  return source !== \"process-env-only\";\n}\n\nexport function sourceUsesProcessEnv(source: SecretSourceMode): boolean {\n  return source !== \"provider-only\";\n}\n","import type {\n  LoadSecretsError,\n  LoadSecretsFailure,\n  LoadSecretsMeta,\n  LoadSecretsSuccess,\n} from \"./types.js\";\n\nexport function success<TData>(meta: LoadSecretsMeta, data: TData): LoadSecretsSuccess<TData> {\n  return {\n    success: true,\n    data,\n    error: null,\n    meta,\n  };\n}\n\nexport function failure(meta: LoadSecretsMeta, error: LoadSecretsError): LoadSecretsFailure {\n  return {\n    success: false,\n    data: null,\n    error,\n    meta,\n  };\n}\n","import type { z } from \"zod\";\nimport type { LoadSecretsIssue } from \"./types.js\";\n\nexport type ValidateSchemaResult<TData> =\n  | { success: true; data: TData }\n  | { success: false; issues: LoadSecretsIssue[] };\n\ntype ZodLikeIssue = {\n  path: ReadonlyArray<PropertyKey>;\n  message: string;\n};\n\ntype ZodLikeError = {\n  issues: ReadonlyArray<ZodLikeIssue>;\n};\n\nfunction mapIssues(error: ZodLikeError): LoadSecretsIssue[] {\n  return error.issues.map((issue) => {\n    const path = issue.path.map((p) => String(p)).join(\".\");\n    return {\n      path: path.length === 0 ? \"<root>\" : path,\n      message: issue.message,\n    };\n  });\n}\n\nexport async function validateSchema<TSchema extends z.ZodTypeAny>(\n  schema: TSchema,\n  value: unknown,\n): Promise<ValidateSchemaResult<z.output<TSchema>>> {\n  const parsed = await schema.safeParseAsync(value);\n  if (parsed.success) {\n    return { success: true, data: parsed.data as z.output<TSchema> };\n  }\n  return { success: false, issues: mapIssues(parsed.error as ZodLikeError) };\n}\n","export function isPlainRecord(value: unknown): value is Record<string, unknown> {\n  if (value === null || typeof value !== \"object\") return false;\n  if (Array.isArray(value)) return false;\n  const proto = Object.getPrototypeOf(value);\n  return proto === Object.prototype || proto === null;\n}\n","import type { LoadSecretsError } from \"../core/types.js\";\nimport { isPlainRecord } from \"./is-plain-record.js\";\n\nexport type ParseJsonSecretResult =\n  | { success: true; data: Record<string, unknown> }\n  | { success: false; error: LoadSecretsError };\n\nexport function parseJsonSecret(input: string): ParseJsonSecretResult {\n  let parsed: unknown;\n  try {\n    parsed = JSON.parse(input);\n  } catch {\n    return {\n      success: false,\n      error: {\n        code: \"SECRET_JSON_INVALID\",\n        message: \"AWS SecretString must be valid JSON.\",\n      },\n    };\n  }\n\n  if (!isPlainRecord(parsed)) {\n    return {\n      success: false,\n      error: {\n        code: \"SECRET_JSON_NOT_OBJECT\",\n        message: \"AWS SecretString must contain a JSON object.\",\n      },\n    };\n  }\n\n  return { success: true, data: parsed };\n}\n","import type { z } from \"zod\";\nimport { fetchSecretString } from \"./aws/fetch-secret-string.js\";\nimport { buildCacheKey, getCachedSecretString, setCachedSecretString } from \"./core/cache.js\";\nimport { createError } from \"./core/errors.js\";\nimport { mergeSources } from \"./core/merge-sources.js\";\nimport { normalizeOptions } from \"./core/normalize-options.js\";\nimport { mutateProcessEnv, snapshotProcessEnv } from \"./core/process-env.js\";\nimport { sourceUsesProcessEnv, sourceUsesProvider } from \"./core/resolve-source-mode.js\";\nimport { failure, success } from \"./core/result.js\";\nimport type {\n  LoadSecretsMeta,\n  LoadSecretsOptions,\n  LoadSecretsResult,\n  NormalizedOptions,\n} from \"./core/types.js\";\nimport { validateSchema } from \"./core/validate-schema.js\";\nimport { parseJsonSecret } from \"./utils/parse-json-secret.js\";\n\nfunction createInitialMeta(normalized: NormalizedOptions): LoadSecretsMeta {\n  const meta: LoadSecretsMeta = {\n    source: normalized.source,\n    loadedAt: new Date(),\n    cache: {\n      enabled: normalized.cache.enabled,\n      hit: false,\n    },\n    usedSources: {\n      aws: sourceUsesProvider(normalized.source),\n      processEnv: sourceUsesProcessEnv(normalized.source),\n    },\n    processEnvMutation: {\n      requested: normalized.processEnv.mutate,\n      performed: false,\n      overwrite: normalized.processEnv.overwrite,\n      writtenKeys: [],\n      skippedKeys: [],\n    },\n  };\n  if (normalized.providers.aws.secretId !== undefined) {\n    meta.secretId = normalized.providers.aws.secretId;\n  }\n  if (normalized.providers.aws.region !== undefined) {\n    meta.region = normalized.providers.aws.region;\n  }\n  if (normalized.cache.enabled) {\n    meta.cache.ttlMs = normalized.cache.ttlMs;\n  }\n  return meta;\n}\n\nexport async function loadSecrets<TSchema extends z.ZodTypeAny>(\n  options: LoadSecretsOptions<TSchema>,\n): Promise<LoadSecretsResult<z.output<TSchema>>> {\n  const normalizedResult = normalizeOptions(options);\n\n  if (!normalizedResult.success) {\n    const reportedSource = options.source ?? \"provider-then-process-env\";\n    const baseMeta: LoadSecretsMeta = {\n      source: reportedSource,\n      loadedAt: new Date(),\n      cache: { enabled: false, hit: false },\n      usedSources: {\n        aws: sourceUsesProvider(reportedSource),\n        processEnv: sourceUsesProcessEnv(reportedSource),\n      },\n      processEnvMutation: {\n        requested: options.processEnv?.mutate ?? false,\n        performed: false,\n        overwrite: options.processEnv?.overwrite ?? false,\n        writtenKeys: [],\n        skippedKeys: [],\n      },\n    };\n    return failure(baseMeta, normalizedResult.error);\n  }\n\n  const normalized = normalizedResult.data;\n  const meta = createInitialMeta(normalized);\n\n  try {\n    let providerValues: Record<string, unknown> | undefined;\n    let processEnvValues: Record<string, string | undefined> | undefined;\n\n    if (sourceUsesProvider(normalized.source)) {\n      const aws = normalized.providers.aws;\n      if (aws.secretId === undefined || aws.secretId.length === 0) {\n        return failure(meta, createError(\"AWS_SECRET_ID_MISSING\"));\n      }\n\n      let secretString: string | null = null;\n      const cacheKey = buildCacheKey(aws.secretId, aws.region);\n\n      if (normalized.cache.enabled) {\n        secretString = getCachedSecretString(cacheKey);\n        if (secretString !== null) {\n          meta.cache.hit = true;\n        }\n      }\n\n      if (secretString === null) {\n        const fetchResult = await fetchSecretString({\n          secretId: aws.secretId,\n          timeoutMs: normalized.timeoutMs,\n          ...(aws.region !== undefined ? { region: aws.region } : {}),\n          ...(aws.credentials !== undefined ? { credentials: aws.credentials } : {}),\n        });\n\n        if (!fetchResult.success) {\n          return failure(meta, fetchResult.error);\n        }\n\n        secretString = fetchResult.secretString;\n\n        if (normalized.cache.enabled) {\n          setCachedSecretString(cacheKey, secretString, normalized.cache.ttlMs);\n        }\n      }\n\n      const parsed = parseJsonSecret(secretString);\n      if (!parsed.success) {\n        return failure(meta, parsed.error);\n      }\n      providerValues = parsed.data;\n    }\n\n    if (sourceUsesProcessEnv(normalized.source)) {\n      processEnvValues = snapshotProcessEnv();\n    }\n\n    const merged = mergeSources({\n      source: normalized.source,\n      ...(providerValues !== undefined ? { providerValues } : {}),\n      ...(processEnvValues !== undefined ? { processEnvValues } : {}),\n    });\n\n    const validation = await validateSchema(options.schema, merged);\n\n    if (!validation.success) {\n      return failure(meta, createError(\"SCHEMA_VALIDATION_FAILED\", { issues: validation.issues }));\n    }\n\n    if (normalized.processEnv.mutate) {\n      const validatedRecord =\n        validation.data && typeof validation.data === \"object\" && !Array.isArray(validation.data)\n          ? (validation.data as Record<string, unknown>)\n          : {};\n      const mutation = mutateProcessEnv(validatedRecord, normalized.processEnv.overwrite);\n      meta.processEnvMutation.writtenKeys = mutation.writtenKeys;\n      meta.processEnvMutation.skippedKeys = mutation.skippedKeys;\n      if (!mutation.success) {\n        return failure(meta, mutation.error);\n      }\n      meta.processEnvMutation.performed = true;\n    }\n\n    return success(meta, validation.data);\n  } catch (cause) {\n    return failure(meta, createError(\"UNKNOWN\", { cause }));\n  }\n}\n"],"mappings":";AAAA,SAAS,6BAA6B;;;ACEtC,IAAM,WAAiD;AAAA,EACrD,uBAAuB;AAAA,EACvB,kBAAkB;AAAA,EAClB,kBAAkB;AAAA,EAClB,+BACE;AAAA,EACF,qBAAqB;AAAA,EACrB,wBAAwB;AAAA,EACxB,0BAA0B;AAAA,EAC1B,0BAA0B;AAAA,EAC1B,SAAS;AAAA,EACT,iBAAiB;AAAA,EACjB,SAAS;AACX;AAEO,SAAS,YACd,MACA,SACkB;AAClB,QAAM,QAA0B;AAAA,IAC9B;AAAA,IACA,SAAS,SAAS,IAAI;AAAA,EACxB;AACA,MAAI,SAAS,WAAW,QAAW;AACjC,UAAM,SAAS,QAAQ;AAAA,EACzB;AACA,MAAI,SAAS,UAAU,QAAW;AAChC,UAAM,QAAQ,QAAQ;AAAA,EACxB;AACA,SAAO;AACT;;;AChCO,IAAM,eAAN,cAA2B,MAAM;AAAA,EACtC,YAAY,UAAU,uBAAuB;AAC3C,UAAM,OAAO;AACb,SAAK,OAAO;AAAA,EACd;AACF;AAEO,SAAS,YAAe,SAAqB,WAA+B;AACjF,SAAO,IAAI,QAAW,CAAC,SAAS,WAAW;AACzC,UAAM,QAAQ,WAAW,MAAM;AAC7B,aAAO,IAAI,aAAa,CAAC;AAAA,IAC3B,GAAG,SAAS;AAEZ,YAAQ;AAAA,MACN,CAAC,UAAU;AACT,qBAAa,KAAK;AAClB,gBAAQ,KAAK;AAAA,MACf;AAAA,MACA,CAAC,QAAiB;AAChB,qBAAa,KAAK;AAClB,eAAO,GAAY;AAAA,MACrB;AAAA,IACF;AAAA,EACF,CAAC;AACH;;;ACxBA;AAAA,EACE;AAAA,OAEK;AAQA,SAAS,2BACd,OACsB;AACtB,QAAM,SAAqC,CAAC;AAC5C,MAAI,MAAM,WAAW,QAAW;AAC9B,WAAO,SAAS,MAAM;AAAA,EACxB;AACA,MAAI,MAAM,gBAAgB,QAAW;AACnC,UAAM,EAAE,aAAa,iBAAiB,aAAa,IAAI,MAAM;AAC7D,WAAO,cACL,iBAAiB,SACb,EAAE,aAAa,iBAAiB,aAAa,IAC7C,EAAE,aAAa,gBAAgB;AAAA,EACvC;AACA,SAAO,IAAI,qBAAqB,MAAM;AACxC;;;AHTA,eAAsB,kBACpB,OACkC;AAClC,QAAM,SAAS,2BAA2B;AAAA,IACxC,GAAI,MAAM,WAAW,SAAY,EAAE,QAAQ,MAAM,OAAO,IAAI,CAAC;AAAA,IAC7D,GAAI,MAAM,gBAAgB,SAAY,EAAE,aAAa,MAAM,YAAY,IAAI,CAAC;AAAA,EAC9E,CAAC;AAED,MAAI;AACF,UAAM,WAAW,MAAM;AAAA,MACrB,OAAO,KAAK,IAAI,sBAAsB,EAAE,UAAU,MAAM,SAAS,CAAC,CAAC;AAAA,MACnE,MAAM;AAAA,IACR;AAEA,UAAM,eAAe,SAAS;AAC9B,QAAI,OAAO,iBAAiB,YAAY,aAAa,SAAS,GAAG;AAC/D,aAAO,EAAE,SAAS,MAAM,aAAa;AAAA,IACvC;AAEA,QAAI,SAAS,iBAAiB,QAAW;AACvC,aAAO;AAAA,QACL,SAAS;AAAA,QACT,OAAO,YAAY,+BAA+B;AAAA,MACpD;AAAA,IACF;AAEA,WAAO,EAAE,SAAS,OAAO,OAAO,YAAY,kBAAkB,EAAE;AAAA,EAClE,SAAS,OAAO;AACd,QAAI,iBAAiB,cAAc;AACjC,aAAO,EAAE,SAAS,OAAO,OAAO,YAAY,WAAW,EAAE,MAAM,CAAC,EAAE;AAAA,IACpE;AACA,WAAO;AAAA,MACL,SAAS;AAAA,MACT,OAAO,YAAY,oBAAoB,EAAE,MAAM,CAAC;AAAA,IAClD;AAAA,EACF,UAAE;AACA,QAAI;AACF,aAAO,QAAQ;AAAA,IACjB,QAAQ;AAAA,IAER;AAAA,EACF;AACF;;;AItDA,IAAM,QAAQ,oBAAI,IAAwB;AAEnC,SAAS,cAAc,UAAkB,QAAyB;AACvE,SAAO,GAAG,UAAU,SAAS,IAAI,QAAQ;AAC3C;AAEO,SAAS,sBAAsB,KAAa,MAAc,KAAK,IAAI,GAAkB;AAC1F,QAAM,QAAQ,MAAM,IAAI,GAAG;AAC3B,MAAI,CAAC,MAAO,QAAO;AACnB,MAAI,OAAO,MAAM,WAAW;AAC1B,UAAM,OAAO,GAAG;AAChB,WAAO;AAAA,EACT;AACA,SAAO,MAAM;AACf;AAEO,SAAS,sBACd,KACA,OACA,OACA,MAAc,KAAK,IAAI,GACjB;AACN,QAAM,IAAI,KAAK,EAAE,OAAO,WAAW,MAAM,MAAM,CAAC;AAClD;;;ACpBO,SAAS,aAAa,OAAmD;AAC9E,QAAM,EAAE,QAAQ,gBAAgB,iBAAiB,IAAI;AAErD,UAAQ,QAAQ;AAAA,IACd,KAAK;AACH,aAAO,EAAE,GAAI,kBAAkB,CAAC,EAAG;AAAA,IACrC,KAAK;AACH,aAAO,EAAE,GAAI,oBAAoB,CAAC,EAAG;AAAA,IACvC,KAAK;AACH,aAAO,EAAE,GAAI,kBAAkB,CAAC,GAAI,GAAI,oBAAoB,CAAC,EAAG;AAAA,IAClE,KAAK;AACH,aAAO,EAAE,GAAI,oBAAoB,CAAC,GAAI,GAAI,kBAAkB,CAAC,EAAG;AAAA,EACpE;AACF;;;ACnBO,IAAM,iBAAmC;AACzC,IAAM,qBAAqB;AAC3B,IAAM,wBAAwB;AAC9B,IAAM,uBAAuB;AAC7B,IAAM,6BAA6B;AACnC,IAAM,gCAAgC;;;ACQ7C,IAAM,gBAAgB,oBAAI,IAAI;AAAA,EAC5B;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,CAAC;AAEM,SAAS,iBACd,SACiB;AACjB,QAAM,SAAS,QAAQ,UAAU;AACjC,MAAI,CAAC,cAAc,IAAI,MAAM,GAAG;AAC9B,WAAO,EAAE,SAAS,OAAO,OAAO,YAAY,iBAAiB,EAAE;AAAA,EACjE;AAEA,QAAM,YAAY,QAAQ,aAAa;AACvC,MAAI,CAAC,OAAO,SAAS,SAAS,KAAK,aAAa,GAAG;AACjD,WAAO,EAAE,SAAS,OAAO,OAAO,YAAY,iBAAiB,EAAE;AAAA,EACjE;AAEA,QAAM,eAAe,QAAQ,OAAO,WAAW;AAC/C,QAAM,aAAa,QAAQ,OAAO,SAAS;AAC3C,MAAI,iBAAiB,CAAC,OAAO,SAAS,UAAU,KAAK,cAAc,IAAI;AACrE,WAAO,EAAE,SAAS,OAAO,OAAO,YAAY,iBAAiB,EAAE;AAAA,EACjE;AAEA,QAAM,SAAS,QAAQ,YAAY,UAAU;AAC7C,QAAM,YAAY,QAAQ,YAAY,aAAa;AAEnD,QAAM,WAAW,QAAQ,WAAW;AACpC,QAAM,MAA6C,CAAC;AACpD,MAAI,UAAU,aAAa,UAAa,SAAS,SAAS,SAAS,GAAG;AACpE,QAAI,WAAW,SAAS;AAAA,EAC1B;AACA,MAAI,UAAU,WAAW,UAAa,SAAS,OAAO,SAAS,GAAG;AAChE,QAAI,SAAS,SAAS;AAAA,EACxB;AACA,MAAI,UAAU,gBAAgB,QAAW;AACvC,UAAM,IAAI,SAAS;AACnB,QACE,OAAO,EAAE,gBAAgB,YACzB,EAAE,YAAY,WAAW,KACzB,OAAO,EAAE,oBAAoB,YAC7B,EAAE,gBAAgB,WAAW,GAC7B;AACA,aAAO,EAAE,SAAS,OAAO,OAAO,YAAY,iBAAiB,EAAE;AAAA,IACjE;AACA,QAAI,cAAc;AAAA,MAChB,aAAa,EAAE;AAAA,MACf,iBAAiB,EAAE;AAAA,MACnB,GAAI,EAAE,iBAAiB,SAAY,EAAE,cAAc,EAAE,aAAa,IAAI,CAAC;AAAA,IACzE;AAAA,EACF;AAEA,SAAO;AAAA,IACL,SAAS;AAAA,IACT,MAAM;AAAA,MACJ;AAAA,MACA;AAAA,MACA,WAAW,EAAE,IAAI;AAAA,MACjB,OAAO;AAAA,QACL,SAAS;AAAA,QACT,OAAO;AAAA,MACT;AAAA,MACA,YAAY;AAAA,QACV;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAAA,EACF;AACF;;;AClFO,SAAS,qBAAyD;AACvE,QAAM,WAA+C,CAAC;AACtD,aAAW,OAAO,OAAO,KAAK,QAAQ,GAAG,GAAG;AAC1C,aAAS,GAAG,IAAI,QAAQ,IAAI,GAAG;AAAA,EACjC;AACA,SAAO;AACT;AAEO,SAAS,gBAAgB,OAA+B;AAC7D,MAAI,UAAU,QAAQ,UAAU,OAAW,QAAO;AAClD,MAAI,OAAO,UAAU,SAAU,QAAO;AACtC,MAAI,OAAO,UAAU,SAAU,QAAO,OAAO,KAAK;AAClD,MAAI,OAAO,UAAU,UAAW,QAAO,QAAQ,SAAS;AACxD,MAAI,OAAO,UAAU,SAAU,QAAO,MAAM,SAAS;AACrD,MAAI,iBAAiB,KAAM,QAAO,MAAM,YAAY;AACpD,MAAI,OAAO,UAAU,SAAU,QAAO,KAAK,UAAU,KAAK;AAC1D,SAAO,OAAO,KAAK;AACrB;AAYO,SAAS,iBACd,WACA,WACgB;AAChB,QAAM,aAAsC,CAAC;AAC7C,QAAM,cAAwB,CAAC;AAE/B,aAAW,OAAO,OAAO,KAAK,SAAS,GAAG;AACxC,UAAM,cAAc,gBAAgB,UAAU,GAAG,CAAC;AAClD,QAAI,gBAAgB,MAAM;AACxB,kBAAY,KAAK,GAAG;AACpB;AAAA,IACF;AACA,QAAI,CAAC,aAAa,OAAO,OAAO,QAAQ,KAAK,GAAG,KAAK,QAAQ,IAAI,GAAG,MAAM,QAAW;AACnF,kBAAY,KAAK,GAAG;AACpB;AAAA,IACF;AACA,eAAW,KAAK,CAAC,KAAK,WAAW,CAAC;AAAA,EACpC;AAEA,QAAM,WAAW,oBAAI,IAAgC;AACrD,QAAM,cAAwB,CAAC;AAE/B,MAAI;AACF,eAAW,CAAC,KAAK,KAAK,KAAK,YAAY;AACrC,eAAS,IAAI,KAAK,QAAQ,IAAI,GAAG,CAAC;AAClC,cAAQ,IAAI,GAAG,IAAI;AACnB,kBAAY,KAAK,GAAG;AAAA,IACtB;AACA,WAAO,EAAE,SAAS,MAAM,aAAa,YAAY;AAAA,EACnD,SAAS,OAAO;AACd,eAAW,CAAC,KAAK,IAAI,KAAK,UAAU;AAClC,UAAI,SAAS,QAAW;AACtB,eAAO,QAAQ,IAAI,GAAG;AAAA,MACxB,OAAO;AACL,gBAAQ,IAAI,GAAG,IAAI;AAAA,MACrB;AAAA,IACF;AACA,WAAO;AAAA,MACL,SAAS;AAAA,MACT,OAAO,YAAY,4BAA4B,EAAE,MAAM,CAAC;AAAA,MACxD,aAAa,CAAC;AAAA,MACd;AAAA,IACF;AAAA,EACF;AACF;;;AC3EO,SAAS,mBAAmB,QAAmC;AACpE,SAAO,WAAW;AACpB;AAEO,SAAS,qBAAqB,QAAmC;AACtE,SAAO,WAAW;AACpB;;;ACDO,SAAS,QAAe,MAAuB,MAAwC;AAC5F,SAAO;AAAA,IACL,SAAS;AAAA,IACT;AAAA,IACA,OAAO;AAAA,IACP;AAAA,EACF;AACF;AAEO,SAAS,QAAQ,MAAuB,OAA6C;AAC1F,SAAO;AAAA,IACL,SAAS;AAAA,IACT,MAAM;AAAA,IACN;AAAA,IACA;AAAA,EACF;AACF;;;ACPA,SAAS,UAAU,OAAyC;AAC1D,SAAO,MAAM,OAAO,IAAI,CAAC,UAAU;AACjC,UAAM,OAAO,MAAM,KAAK,IAAI,CAAC,MAAM,OAAO,CAAC,CAAC,EAAE,KAAK,GAAG;AACtD,WAAO;AAAA,MACL,MAAM,KAAK,WAAW,IAAI,WAAW;AAAA,MACrC,SAAS,MAAM;AAAA,IACjB;AAAA,EACF,CAAC;AACH;AAEA,eAAsB,eACpB,QACA,OACkD;AAClD,QAAM,SAAS,MAAM,OAAO,eAAe,KAAK;AAChD,MAAI,OAAO,SAAS;AAClB,WAAO,EAAE,SAAS,MAAM,MAAM,OAAO,KAA0B;AAAA,EACjE;AACA,SAAO,EAAE,SAAS,OAAO,QAAQ,UAAU,OAAO,KAAqB,EAAE;AAC3E;;;ACnCO,SAAS,cAAc,OAAkD;AAC9E,MAAI,UAAU,QAAQ,OAAO,UAAU,SAAU,QAAO;AACxD,MAAI,MAAM,QAAQ,KAAK,EAAG,QAAO;AACjC,QAAM,QAAQ,OAAO,eAAe,KAAK;AACzC,SAAO,UAAU,OAAO,aAAa,UAAU;AACjD;;;ACEO,SAAS,gBAAgB,OAAsC;AACpE,MAAI;AACJ,MAAI;AACF,aAAS,KAAK,MAAM,KAAK;AAAA,EAC3B,QAAQ;AACN,WAAO;AAAA,MACL,SAAS;AAAA,MACT,OAAO;AAAA,QACL,MAAM;AAAA,QACN,SAAS;AAAA,MACX;AAAA,IACF;AAAA,EACF;AAEA,MAAI,CAAC,cAAc,MAAM,GAAG;AAC1B,WAAO;AAAA,MACL,SAAS;AAAA,MACT,OAAO;AAAA,QACL,MAAM;AAAA,QACN,SAAS;AAAA,MACX;AAAA,IACF;AAAA,EACF;AAEA,SAAO,EAAE,SAAS,MAAM,MAAM,OAAO;AACvC;;;ACdA,SAAS,kBAAkB,YAAgD;AACzE,QAAM,OAAwB;AAAA,IAC5B,QAAQ,WAAW;AAAA,IACnB,UAAU,oBAAI,KAAK;AAAA,IACnB,OAAO;AAAA,MACL,SAAS,WAAW,MAAM;AAAA,MAC1B,KAAK;AAAA,IACP;AAAA,IACA,aAAa;AAAA,MACX,KAAK,mBAAmB,WAAW,MAAM;AAAA,MACzC,YAAY,qBAAqB,WAAW,MAAM;AAAA,IACpD;AAAA,IACA,oBAAoB;AAAA,MAClB,WAAW,WAAW,WAAW;AAAA,MACjC,WAAW;AAAA,MACX,WAAW,WAAW,WAAW;AAAA,MACjC,aAAa,CAAC;AAAA,MACd,aAAa,CAAC;AAAA,IAChB;AAAA,EACF;AACA,MAAI,WAAW,UAAU,IAAI,aAAa,QAAW;AACnD,SAAK,WAAW,WAAW,UAAU,IAAI;AAAA,EAC3C;AACA,MAAI,WAAW,UAAU,IAAI,WAAW,QAAW;AACjD,SAAK,SAAS,WAAW,UAAU,IAAI;AAAA,EACzC;AACA,MAAI,WAAW,MAAM,SAAS;AAC5B,SAAK,MAAM,QAAQ,WAAW,MAAM;AAAA,EACtC;AACA,SAAO;AACT;AAEA,eAAsB,YACpB,SAC+C;AAC/C,QAAM,mBAAmB,iBAAiB,OAAO;AAEjD,MAAI,CAAC,iBAAiB,SAAS;AAC7B,UAAM,iBAAiB,QAAQ,UAAU;AACzC,UAAM,WAA4B;AAAA,MAChC,QAAQ;AAAA,MACR,UAAU,oBAAI,KAAK;AAAA,MACnB,OAAO,EAAE,SAAS,OAAO,KAAK,MAAM;AAAA,MACpC,aAAa;AAAA,QACX,KAAK,mBAAmB,cAAc;AAAA,QACtC,YAAY,qBAAqB,cAAc;AAAA,MACjD;AAAA,MACA,oBAAoB;AAAA,QAClB,WAAW,QAAQ,YAAY,UAAU;AAAA,QACzC,WAAW;AAAA,QACX,WAAW,QAAQ,YAAY,aAAa;AAAA,QAC5C,aAAa,CAAC;AAAA,QACd,aAAa,CAAC;AAAA,MAChB;AAAA,IACF;AACA,WAAO,QAAQ,UAAU,iBAAiB,KAAK;AAAA,EACjD;AAEA,QAAM,aAAa,iBAAiB;AACpC,QAAM,OAAO,kBAAkB,UAAU;AAEzC,MAAI;AACF,QAAI;AACJ,QAAI;AAEJ,QAAI,mBAAmB,WAAW,MAAM,GAAG;AACzC,YAAM,MAAM,WAAW,UAAU;AACjC,UAAI,IAAI,aAAa,UAAa,IAAI,SAAS,WAAW,GAAG;AAC3D,eAAO,QAAQ,MAAM,YAAY,uBAAuB,CAAC;AAAA,MAC3D;AAEA,UAAI,eAA8B;AAClC,YAAM,WAAW,cAAc,IAAI,UAAU,IAAI,MAAM;AAEvD,UAAI,WAAW,MAAM,SAAS;AAC5B,uBAAe,sBAAsB,QAAQ;AAC7C,YAAI,iBAAiB,MAAM;AACzB,eAAK,MAAM,MAAM;AAAA,QACnB;AAAA,MACF;AAEA,UAAI,iBAAiB,MAAM;AACzB,cAAM,cAAc,MAAM,kBAAkB;AAAA,UAC1C,UAAU,IAAI;AAAA,UACd,WAAW,WAAW;AAAA,UACtB,GAAI,IAAI,WAAW,SAAY,EAAE,QAAQ,IAAI,OAAO,IAAI,CAAC;AAAA,UACzD,GAAI,IAAI,gBAAgB,SAAY,EAAE,aAAa,IAAI,YAAY,IAAI,CAAC;AAAA,QAC1E,CAAC;AAED,YAAI,CAAC,YAAY,SAAS;AACxB,iBAAO,QAAQ,MAAM,YAAY,KAAK;AAAA,QACxC;AAEA,uBAAe,YAAY;AAE3B,YAAI,WAAW,MAAM,SAAS;AAC5B,gCAAsB,UAAU,cAAc,WAAW,MAAM,KAAK;AAAA,QACtE;AAAA,MACF;AAEA,YAAM,SAAS,gBAAgB,YAAY;AAC3C,UAAI,CAAC,OAAO,SAAS;AACnB,eAAO,QAAQ,MAAM,OAAO,KAAK;AAAA,MACnC;AACA,uBAAiB,OAAO;AAAA,IAC1B;AAEA,QAAI,qBAAqB,WAAW,MAAM,GAAG;AAC3C,yBAAmB,mBAAmB;AAAA,IACxC;AAEA,UAAM,SAAS,aAAa;AAAA,MAC1B,QAAQ,WAAW;AAAA,MACnB,GAAI,mBAAmB,SAAY,EAAE,eAAe,IAAI,CAAC;AAAA,MACzD,GAAI,qBAAqB,SAAY,EAAE,iBAAiB,IAAI,CAAC;AAAA,IAC/D,CAAC;AAED,UAAM,aAAa,MAAM,eAAe,QAAQ,QAAQ,MAAM;AAE9D,QAAI,CAAC,WAAW,SAAS;AACvB,aAAO,QAAQ,MAAM,YAAY,4BAA4B,EAAE,QAAQ,WAAW,OAAO,CAAC,CAAC;AAAA,IAC7F;AAEA,QAAI,WAAW,WAAW,QAAQ;AAChC,YAAM,kBACJ,WAAW,QAAQ,OAAO,WAAW,SAAS,YAAY,CAAC,MAAM,QAAQ,WAAW,IAAI,IACnF,WAAW,OACZ,CAAC;AACP,YAAM,WAAW,iBAAiB,iBAAiB,WAAW,WAAW,SAAS;AAClF,WAAK,mBAAmB,cAAc,SAAS;AAC/C,WAAK,mBAAmB,cAAc,SAAS;AAC/C,UAAI,CAAC,SAAS,SAAS;AACrB,eAAO,QAAQ,MAAM,SAAS,KAAK;AAAA,MACrC;AACA,WAAK,mBAAmB,YAAY;AAAA,IACtC;AAEA,WAAO,QAAQ,MAAM,WAAW,IAAI;AAAA,EACtC,SAAS,OAAO;AACd,WAAO,QAAQ,MAAM,YAAY,WAAW,EAAE,MAAM,CAAC,CAAC;AAAA,EACxD;AACF;","names":[]}

package/package.json

@@ -0,0 +1,45 @@
+{
+  "name": "@danielsoren/secrets-loader",
+  "version": "0.1.0",
+  "description": "Load one JSON secret from a provider (AWS today; pluggable in the future), merge local overrides, validate with Zod, and return typed config.",
+  "type": "module",
+  "sideEffects": false,
+  "engines": {
+    "node": ">=22"
+  },
+  "files": ["dist", "README.md", "LICENSE"],
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
+    }
+  },
+  "types": "./dist/index.d.ts",
+  "main": "./dist/index.js",
+  "scripts": {
+    "build": "tsup",
+    "typecheck": "tsc --noEmit",
+    "lint": "biome check .",
+    "format": "biome format --write .",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "prepublishOnly": "pnpm lint && pnpm typecheck && pnpm test && pnpm build"
+  },
+  "keywords": ["secrets", "secrets-manager", "aws", "config", "env", "zod", "typescript", "esm"],
+  "license": "MIT",
+  "dependencies": {
+    "@aws-sdk/client-secrets-manager": "^3.0.0"
+  },
+  "peerDependencies": {
+    "zod": "^4.0.0"
+  },
+  "devDependencies": {
+    "@biomejs/biome": "^1.9.4",
+    "@changesets/cli": "^2.27.0",
+    "@types/node": "^22.0.0",
+    "tsup": "^8.0.0",
+    "typescript": "^5.7.0",
+    "vitest": "^3.0.0",
+    "zod": "^4.0.0"
+  }
+}