@dataflint/mcp-server 1.0.14 → 1.0.17

package/dist/auth/secrets/aws-secrets-provider.d.ts

@@ -0,0 +1,45 @@
+/**
+ * AWS Secrets Manager Provider
+ *
+ * Loads M2M credentials from AWS Secrets Manager.
+ * Uses dynamic import to avoid requiring AWS SDK when not in AWS environment.
+ */
+import { Auth0M2MCredentials, IAuthLogger } from "../types";
+import { ISecretsProvider } from "./types";
+/**
+ * AWS Secrets Manager provider for M2M credentials
+ *
+ * This provider:
+ * 1. Detects AWS environment via env vars
+ * 2. Dynamically imports AWS SDK to avoid bundling overhead
+ * 3. Loads credentials from Secrets Manager
+ *
+ * @example
+ * ```typescript
+ * const provider = new AWSSecretsProvider(logger);
+ * if (await provider.isAvailable()) {
+ *   const credentials = await provider.loadAuth0M2MCredentials('my-secret-name');
+ * }
+ * ```
+ */
+export declare class AWSSecretsProvider implements ISecretsProvider {
+    private logger;
+    private region;
+    constructor(logger?: IAuthLogger);
+    /**
+     * Get the provider name for logging
+     */
+    getName(): string;
+    /**
+     * Check if running in AWS environment with credentials available
+     */
+    isAvailable(): Promise<boolean>;
+    /**
+     * Load Auth0 M2M credentials from AWS Secrets Manager
+     *
+     * @param secretName - The name or ARN of the secret in Secrets Manager
+     * @returns M2M credentials or null if not found
+     */
+    loadAuth0M2MCredentials(secretName: string): Promise<Auth0M2MCredentials | null>;
+}
+//# sourceMappingURL=aws-secrets-provider.d.ts.map

package/dist/auth/secrets/aws-secrets-provider.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"aws-secrets-provider.d.ts","sourceRoot":"","sources":["../../../src/auth/secrets/aws-secrets-provider.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,mBAAmB,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC;AAC5D,OAAO,EAAE,gBAAgB,EAAE,MAAM,SAAS,CAAC;AAY3C;;;;;;;;;;;;;;;GAeG;AACH,qBAAa,kBAAmB,YAAW,gBAAgB;IACvD,OAAO,CAAC,MAAM,CAAc;IAC5B,OAAO,CAAC,MAAM,CAAqB;gBAEvB,MAAM,CAAC,EAAE,WAAW;IAKhC;;OAEG;IACH,OAAO,IAAI,MAAM;IAIjB;;OAEG;IACG,WAAW,IAAI,OAAO,CAAC,OAAO,CAAC;IAwBrC;;;;;OAKG;IACG,uBAAuB,CACzB,UAAU,EAAE,MAAM,GACnB,OAAO,CAAC,mBAAmB,GAAG,IAAI,CAAC;CAiEzC"}

package/dist/auth/secrets/aws-secrets-provider.js

@@ -0,0 +1,125 @@
+"use strict";
+/**
+ * AWS Secrets Manager Provider
+ *
+ * Loads M2M credentials from AWS Secrets Manager.
+ * Uses dynamic import to avoid requiring AWS SDK when not in AWS environment.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AWSSecretsProvider = void 0;
+/**
+ * Default no-op logger
+ */
+const noopLogger = {
+    info: () => { },
+    warn: () => { },
+    error: () => { },
+    debug: () => { },
+};
+/**
+ * AWS Secrets Manager provider for M2M credentials
+ *
+ * This provider:
+ * 1. Detects AWS environment via env vars
+ * 2. Dynamically imports AWS SDK to avoid bundling overhead
+ * 3. Loads credentials from Secrets Manager
+ *
+ * @example
+ * ```typescript
+ * const provider = new AWSSecretsProvider(logger);
+ * if (await provider.isAvailable()) {
+ *   const credentials = await provider.loadAuth0M2MCredentials('my-secret-name');
+ * }
+ * ```
+ */
+class AWSSecretsProvider {
+    logger;
+    region;
+    constructor(logger) {
+        this.logger = logger || noopLogger;
+        this.region = process.env.AWS_REGION || process.env.AWS_DEFAULT_REGION;
+    }
+    /**
+     * Get the provider name for logging
+     */
+    getName() {
+        return "AWS Secrets Manager";
+    }
+    /**
+     * Check if running in AWS environment with credentials available
+     */
+    async isAvailable() {
+        // Check for AWS environment indicators
+        const hasRegion = !!(process.env.AWS_REGION || process.env.AWS_DEFAULT_REGION);
+        const hasExecutionEnv = !!process.env.AWS_EXECUTION_ENV;
+        const hasCredentials = !!(process.env.AWS_ACCESS_KEY_ID ||
+            process.env.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI ||
+            process.env.AWS_WEB_IDENTITY_TOKEN_FILE);
+        const isAWSEnvironment = hasRegion && (hasExecutionEnv || hasCredentials);
+        if (isAWSEnvironment) {
+            this.logger.debug("AWS environment detected");
+        }
+        else {
+            this.logger.debug("Not in AWS environment");
+        }
+        return isAWSEnvironment;
+    }
+    /**
+     * Load Auth0 M2M credentials from AWS Secrets Manager
+     *
+     * @param secretName - The name or ARN of the secret in Secrets Manager
+     * @returns M2M credentials or null if not found
+     */
+    async loadAuth0M2MCredentials(secretName) {
+        this.logger.info(`Loading M2M credentials from AWS Secrets Manager: ${secretName}`);
+        try {
+            // Dynamic import to avoid bundling AWS SDK when not needed
+            const { SecretsManagerClient, GetSecretValueCommand } = 
+            // @ts-expect-error - @aws-sdk/client-secrets-manager is an optional runtime dependency
+            await import("@aws-sdk/client-secrets-manager");
+            const client = new SecretsManagerClient({
+                region: this.region,
+            });
+            const command = new GetSecretValueCommand({
+                SecretId: secretName,
+            });
+            const response = await client.send(command);
+            if (!response.SecretString) {
+                this.logger.error("Secret value is empty or binary");
+                return null;
+            }
+            const secretValue = JSON.parse(response.SecretString);
+            // Validate required fields
+            if (!secretValue.client_id ||
+                !secretValue.client_secret ||
+                !secretValue.audience ||
+                !secretValue.domain) {
+                this.logger.error("Secret missing required fields (client_id, client_secret, audience, domain)");
+                return null;
+            }
+            this.logger.info("M2M credentials loaded from AWS Secrets Manager");
+            return {
+                client_id: secretValue.client_id,
+                client_secret: secretValue.client_secret,
+                audience: secretValue.audience,
+                domain: secretValue.domain,
+            };
+        }
+        catch (error) {
+            if (error instanceof Error) {
+                if (error.name === "ResourceNotFoundException") {
+                    this.logger.warn(`Secret not found: ${secretName}`);
+                    return null;
+                }
+                if (error.message.includes("Cannot find module")) {
+                    this.logger.warn("AWS SDK not available - @aws-sdk/client-secrets-manager not installed");
+                    return null;
+                }
+                this.logger.error("Failed to load secret from AWS", error);
+            }
+            return null;
+        }
+    }
+}
+exports.AWSSecretsProvider = AWSSecretsProvider;
+//# sourceMappingURL=aws-secrets-provider.js.map

package/dist/auth/secrets/aws-secrets-provider.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"aws-secrets-provider.js","sourceRoot":"","sources":["../../../src/auth/secrets/aws-secrets-provider.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;;AAKH;;GAEG;AACH,MAAM,UAAU,GAAgB;IAC5B,IAAI,EAAE,GAAG,EAAE,GAAE,CAAC;IACd,IAAI,EAAE,GAAG,EAAE,GAAE,CAAC;IACd,KAAK,EAAE,GAAG,EAAE,GAAE,CAAC;IACf,KAAK,EAAE,GAAG,EAAE,GAAE,CAAC;CAClB,CAAC;AAEF;;;;;;;;;;;;;;;GAeG;AACH,MAAa,kBAAkB;IACnB,MAAM,CAAc;IACpB,MAAM,CAAqB;IAEnC,YAAY,MAAoB;QAC5B,IAAI,CAAC,MAAM,GAAG,MAAM,IAAI,UAAU,CAAC;QACnC,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,UAAU,IAAI,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC;IAC3E,CAAC;IAED;;OAEG;IACH,OAAO;QACH,OAAO,qBAAqB,CAAC;IACjC,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,WAAW;QACb,uCAAuC;QACvC,MAAM,SAAS,GAAG,CAAC,CAAC,CAChB,OAAO,CAAC,GAAG,CAAC,UAAU,IAAI,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAC3D,CAAC;QACF,MAAM,eAAe,GAAG,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC;QACxD,MAAM,cAAc,GAAG,CAAC,CAAC,CACrB,OAAO,CAAC,GAAG,CAAC,iBAAiB;YAC7B,OAAO,CAAC,GAAG,CAAC,sCAAsC;YAClD,OAAO,CAAC,GAAG,CAAC,2BAA2B,CAC1C,CAAC;QAEF,MAAM,gBAAgB,GAClB,SAAS,IAAI,CAAC,eAAe,IAAI,cAAc,CAAC,CAAC;QAErD,IAAI,gBAAgB,EAAE,CAAC;YACnB,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,0BAA0B,CAAC,CAAC;QAClD,CAAC;aAAM,CAAC;YACJ,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,wBAAwB,CAAC,CAAC;QAChD,CAAC;QAED,OAAO,gBAAgB,CAAC;IAC5B,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,uBAAuB,CACzB,UAAkB;QAElB,IAAI,CAAC,MAAM,CAAC,IAAI,CACZ,qDAAqD,UAAU,EAAE,CACpE,CAAC;QAEF,IAAI,CAAC;YACD,2DAA2D;YAC3D,MAAM,EAAE,oBAAoB,EAAE,qBAAqB,EAAE;YACjD,uFAAuF;YACvF,MAAM,MAAM,CAAC,iCAAiC,CAAC,CAAC;YAEpD,MAAM,MAAM,GAAG,IAAI,oBAAoB,CAAC;gBACpC,MAAM,EAAE,IAAI,CAAC,MAAM;aACtB,CAAC,CAAC;YAEH,MAAM,OAAO,GAAG,IAAI,qBAAqB,CAAC;gBACtC,QAAQ,EAAE,UAAU;aACvB,CAAC,CAAC;YAEH,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAE5C,IAAI,CAAC,QAAQ,CAAC,YAAY,EAAE,CAAC;gBACzB,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,iCAAiC,CAAC,CAAC;gBACrD,OAAO,IAAI,CAAC;YAChB,CAAC;YAED,MAAM,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC;YAEtD,2BAA2B;YAC3B,IACI,CAAC,WAAW,CAAC,SAAS;gBACtB,CAAC,WAAW,CAAC,aAAa;gBAC1B,CAAC,WAAW,CAAC,QAAQ;gBACrB,CAAC,WAAW,CAAC,MAAM,EACrB,CAAC;gBACC,IAAI,CAAC,MAAM,CAAC,KAAK,CACb,6EAA6E,CAChF,CAAC;gBACF,OAAO,IAAI,CAAC;YAChB,CAAC;YAED,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,iDAAiD,CAAC,CAAC;YACpE,OAAO;gBACH,SAAS,EAAE,WAAW,CAAC,SAAS;gBAChC,aAAa,EAAE,WAAW,CAAC,aAAa;gBACxC,QAAQ,EAAE,WAAW,CAAC,QAAQ;gBAC9B,MAAM,EAAE,WAAW,CAAC,MAAM;aAC7B,CAAC;QACN,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACb,IAAI,KAAK,YAAY,KAAK,EAAE,CAAC;gBACzB,IAAI,KAAK,CAAC,IAAI,KAAK,2BAA2B,EAAE,CAAC;oBAC7C,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,qBAAqB,UAAU,EAAE,CAAC,CAAC;oBACpD,OAAO,IAAI,CAAC;gBAChB,CAAC;gBACD,IAAI,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,oBAAoB,CAAC,EAAE,CAAC;oBAC/C,IAAI,CAAC,MAAM,CAAC,IAAI,CACZ,uEAAuE,CAC1E,CAAC;oBACF,OAAO,IAAI,CAAC;gBAChB,CAAC;gBACD,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,gCAAgC,EAAE,KAAK,CAAC,CAAC;YAC/D,CAAC;YACD,OAAO,IAAI,CAAC;QAChB,CAAC;IACL,CAAC;CACJ;AApHD,gDAoHC"}

package/dist/auth/secrets/index.d.ts

@@ -0,0 +1,12 @@
+/**
+ * Secrets Providers Module
+ *
+ * Provides multiple strategies for loading M2M credentials:
+ * - AWS Secrets Manager (production)
+ * - Local file (development)
+ */
+export { ISecretsProvider } from "./types";
+export { AWSSecretsProvider } from "./aws-secrets-provider";
+export { LocalFileSecretsProvider } from "./local-file-secrets-provider";
+export { SecretsProvider } from "./secrets-provider";
+//# sourceMappingURL=index.d.ts.map

package/dist/auth/secrets/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/auth/secrets/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,gBAAgB,EAAE,MAAM,SAAS,CAAC;AAC3C,OAAO,EAAE,kBAAkB,EAAE,MAAM,wBAAwB,CAAC;AAC5D,OAAO,EAAE,wBAAwB,EAAE,MAAM,+BAA+B,CAAC;AACzE,OAAO,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC"}

package/dist/auth/secrets/index.js

@@ -0,0 +1,17 @@
+"use strict";
+/**
+ * Secrets Providers Module
+ *
+ * Provides multiple strategies for loading M2M credentials:
+ * - AWS Secrets Manager (production)
+ * - Local file (development)
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SecretsProvider = exports.LocalFileSecretsProvider = exports.AWSSecretsProvider = void 0;
+var aws_secrets_provider_1 = require("./aws-secrets-provider");
+Object.defineProperty(exports, "AWSSecretsProvider", { enumerable: true, get: function () { return aws_secrets_provider_1.AWSSecretsProvider; } });
+var local_file_secrets_provider_1 = require("./local-file-secrets-provider");
+Object.defineProperty(exports, "LocalFileSecretsProvider", { enumerable: true, get: function () { return local_file_secrets_provider_1.LocalFileSecretsProvider; } });
+var secrets_provider_1 = require("./secrets-provider");
+Object.defineProperty(exports, "SecretsProvider", { enumerable: true, get: function () { return secrets_provider_1.SecretsProvider; } });
+//# sourceMappingURL=index.js.map

package/dist/auth/secrets/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/auth/secrets/index.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;;AAGH,+DAA4D;AAAnD,0HAAA,kBAAkB,OAAA;AAC3B,6EAAyE;AAAhE,uIAAA,wBAAwB,OAAA;AACjC,uDAAqD;AAA5C,mHAAA,eAAe,OAAA"}

package/dist/auth/secrets/local-file-secrets-provider.d.ts

@@ -0,0 +1,47 @@
+/**
+ * Local File Secrets Provider
+ *
+ * Loads M2M credentials from local file system.
+ * Primarily used for local development and testing.
+ */
+import { Auth0M2MCredentials, IAuthLogger } from "../types";
+import { ISecretsProvider } from "./types";
+/**
+ * Local file secrets provider for M2M credentials
+ *
+ * Loads credentials from `~/.dataflint/m2m_secret.{environment}.json`
+ *
+ * @example
+ * ```typescript
+ * const provider = new LocalFileSecretsProvider('prod', logger);
+ * if (await provider.isAvailable()) {
+ *   const credentials = await provider.loadAuth0M2MCredentials('unused');
+ * }
+ * ```
+ */
+export declare class LocalFileSecretsProvider implements ISecretsProvider {
+    private logger;
+    private environment;
+    private secretFilePath;
+    constructor(environment: string, logger?: IAuthLogger);
+    /**
+     * Get the provider name for logging
+     */
+    getName(): string;
+    /**
+     * Check if the local secret file exists
+     */
+    isAvailable(): Promise<boolean>;
+    /**
+     * Load Auth0 M2M credentials from local file
+     *
+     * @param _secretName - Ignored, uses environment-based file path
+     * @returns M2M credentials or null if not found or invalid
+     */
+    loadAuth0M2MCredentials(_secretName: string): Promise<Auth0M2MCredentials | null>;
+    /**
+     * Get the path to the secret file (for diagnostics)
+     */
+    getSecretFilePath(): string;
+}
+//# sourceMappingURL=local-file-secrets-provider.d.ts.map

package/dist/auth/secrets/local-file-secrets-provider.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"local-file-secrets-provider.d.ts","sourceRoot":"","sources":["../../../src/auth/secrets/local-file-secrets-provider.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAKH,OAAO,EAAE,mBAAmB,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC;AAC5D,OAAO,EAAE,gBAAgB,EAAE,MAAM,SAAS,CAAC;AAY3C;;;;;;;;;;;;GAYG;AACH,qBAAa,wBAAyB,YAAW,gBAAgB;IAC7D,OAAO,CAAC,MAAM,CAAc;IAC5B,OAAO,CAAC,WAAW,CAAS;IAC5B,OAAO,CAAC,cAAc,CAAS;gBAEnB,WAAW,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,WAAW;IAUrD;;OAEG;IACH,OAAO,IAAI,MAAM;IAIjB;;OAEG;IACG,WAAW,IAAI,OAAO,CAAC,OAAO,CAAC;IAgBrC;;;;;OAKG;IACG,uBAAuB,CACzB,WAAW,EAAE,MAAM,GACpB,OAAO,CAAC,mBAAmB,GAAG,IAAI,CAAC;IAqDtC;;OAEG;IACH,iBAAiB,IAAI,MAAM;CAG9B"}

package/dist/auth/secrets/local-file-secrets-provider.js

@@ -0,0 +1,151 @@
+"use strict";
+/**
+ * Local File Secrets Provider
+ *
+ * Loads M2M credentials from local file system.
+ * Primarily used for local development and testing.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.LocalFileSecretsProvider = void 0;
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const os = __importStar(require("os"));
+/**
+ * Default no-op logger
+ */
+const noopLogger = {
+    info: () => { },
+    warn: () => { },
+    error: () => { },
+    debug: () => { },
+};
+/**
+ * Local file secrets provider for M2M credentials
+ *
+ * Loads credentials from `~/.dataflint/m2m_secret.{environment}.json`
+ *
+ * @example
+ * ```typescript
+ * const provider = new LocalFileSecretsProvider('prod', logger);
+ * if (await provider.isAvailable()) {
+ *   const credentials = await provider.loadAuth0M2MCredentials('unused');
+ * }
+ * ```
+ */
+class LocalFileSecretsProvider {
+    logger;
+    environment;
+    secretFilePath;
+    constructor(environment, logger) {
+        this.logger = logger || noopLogger;
+        this.environment = environment;
+        this.secretFilePath = path.join(os.homedir(), ".dataflint", `m2m_secret.${environment}.json`);
+    }
+    /**
+     * Get the provider name for logging
+     */
+    getName() {
+        return "Local File";
+    }
+    /**
+     * Check if the local secret file exists
+     */
+    async isAvailable() {
+        const exists = fs.existsSync(this.secretFilePath);
+        if (exists) {
+            this.logger.debug(`Local M2M secret file found: ${this.secretFilePath}`);
+        }
+        else {
+            this.logger.debug(`Local M2M secret file not found: ${this.secretFilePath}`);
+        }
+        return exists;
+    }
+    /**
+     * Load Auth0 M2M credentials from local file
+     *
+     * @param _secretName - Ignored, uses environment-based file path
+     * @returns M2M credentials or null if not found or invalid
+     */
+    async loadAuth0M2MCredentials(_secretName) {
+        this.logger.info(`Loading M2M credentials from local file: ${this.secretFilePath}`);
+        try {
+            if (!fs.existsSync(this.secretFilePath)) {
+                this.logger.debug("Local secret file does not exist");
+                return null;
+            }
+            // Check file permissions (should be 0600 for security)
+            const stats = fs.statSync(this.secretFilePath);
+            const mode = stats.mode & 0o777;
+            if (mode !== 0o600) {
+                this.logger.warn(`Secret file has insecure permissions: ${mode.toString(8)}. Should be 600.`);
+            }
+            const content = fs.readFileSync(this.secretFilePath, "utf8");
+            const secretValue = JSON.parse(content);
+            // Validate required fields
+            if (!secretValue.client_id ||
+                !secretValue.client_secret ||
+                !secretValue.audience ||
+                !secretValue.domain) {
+                this.logger.error("Local secret file missing required fields (client_id, client_secret, audience, domain)");
+                return null;
+            }
+            this.logger.info("M2M credentials loaded from local file");
+            return {
+                client_id: secretValue.client_id,
+                client_secret: secretValue.client_secret,
+                audience: secretValue.audience,
+                domain: secretValue.domain,
+            };
+        }
+        catch (error) {
+            if (error instanceof SyntaxError) {
+                this.logger.error("Failed to parse local secret file as JSON");
+            }
+            else {
+                this.logger.error("Failed to load local secret file", error);
+            }
+            return null;
+        }
+    }
+    /**
+     * Get the path to the secret file (for diagnostics)
+     */
+    getSecretFilePath() {
+        return this.secretFilePath;
+    }
+}
+exports.LocalFileSecretsProvider = LocalFileSecretsProvider;
+//# sourceMappingURL=local-file-secrets-provider.js.map

package/dist/auth/secrets/local-file-secrets-provider.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"local-file-secrets-provider.js","sourceRoot":"","sources":["../../../src/auth/secrets/local-file-secrets-provider.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAEH,uCAAyB;AACzB,2CAA6B;AAC7B,uCAAyB;AAIzB;;GAEG;AACH,MAAM,UAAU,GAAgB;IAC5B,IAAI,EAAE,GAAG,EAAE,GAAE,CAAC;IACd,IAAI,EAAE,GAAG,EAAE,GAAE,CAAC;IACd,KAAK,EAAE,GAAG,EAAE,GAAE,CAAC;IACf,KAAK,EAAE,GAAG,EAAE,GAAE,CAAC;CAClB,CAAC;AAEF;;;;;;;;;;;;GAYG;AACH,MAAa,wBAAwB;IACzB,MAAM,CAAc;IACpB,WAAW,CAAS;IACpB,cAAc,CAAS;IAE/B,YAAY,WAAmB,EAAE,MAAoB;QACjD,IAAI,CAAC,MAAM,GAAG,MAAM,IAAI,UAAU,CAAC;QACnC,IAAI,CAAC,WAAW,GAAG,WAAW,CAAC;QAC/B,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC,IAAI,CAC3B,EAAE,CAAC,OAAO,EAAE,EACZ,YAAY,EACZ,cAAc,WAAW,OAAO,CACnC,CAAC;IACN,CAAC;IAED;;OAEG;IACH,OAAO;QACH,OAAO,YAAY,CAAC;IACxB,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,WAAW;QACb,MAAM,MAAM,GAAG,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;QAElD,IAAI,MAAM,EAAE,CAAC;YACT,IAAI,CAAC,MAAM,CAAC,KAAK,CACb,gCAAgC,IAAI,CAAC,cAAc,EAAE,CACxD,CAAC;QACN,CAAC;aAAM,CAAC;YACJ,IAAI,CAAC,MAAM,CAAC,KAAK,CACb,oCAAoC,IAAI,CAAC,cAAc,EAAE,CAC5D,CAAC;QACN,CAAC;QAED,OAAO,MAAM,CAAC;IAClB,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,uBAAuB,CACzB,WAAmB;QAEnB,IAAI,CAAC,MAAM,CAAC,IAAI,CACZ,4CAA4C,IAAI,CAAC,cAAc,EAAE,CACpE,CAAC;QAEF,IAAI,CAAC;YACD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,cAAc,CAAC,EAAE,CAAC;gBACtC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,kCAAkC,CAAC,CAAC;gBACtD,OAAO,IAAI,CAAC;YAChB,CAAC;YAED,uDAAuD;YACvD,MAAM,KAAK,GAAG,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;YAC/C,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,GAAG,KAAK,CAAC;YAChC,IAAI,IAAI,KAAK,KAAK,EAAE,CAAC;gBACjB,IAAI,CAAC,MAAM,CAAC,IAAI,CACZ,yCAAyC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,kBAAkB,CAC9E,CAAC;YACN,CAAC;YAED,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,cAAc,EAAE,MAAM,CAAC,CAAC;YAC7D,MAAM,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YAExC,2BAA2B;YAC3B,IACI,CAAC,WAAW,CAAC,SAAS;gBACtB,CAAC,WAAW,CAAC,aAAa;gBAC1B,CAAC,WAAW,CAAC,QAAQ;gBACrB,CAAC,WAAW,CAAC,MAAM,EACrB,CAAC;gBACC,IAAI,CAAC,MAAM,CAAC,KAAK,CACb,wFAAwF,CAC3F,CAAC;gBACF,OAAO,IAAI,CAAC;YAChB,CAAC;YAED,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,wCAAwC,CAAC,CAAC;YAC3D,OAAO;gBACH,SAAS,EAAE,WAAW,CAAC,SAAS;gBAChC,aAAa,EAAE,WAAW,CAAC,aAAa;gBACxC,QAAQ,EAAE,WAAW,CAAC,QAAQ;gBAC9B,MAAM,EAAE,WAAW,CAAC,MAAM;aAC7B,CAAC;QACN,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACb,IAAI,KAAK,YAAY,WAAW,EAAE,CAAC;gBAC/B,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,2CAA2C,CAAC,CAAC;YACnE,CAAC;iBAAM,CAAC;gBACJ,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,kCAAkC,EAAE,KAAK,CAAC,CAAC;YACjE,CAAC;YACD,OAAO,IAAI,CAAC;QAChB,CAAC;IACL,CAAC;IAED;;OAEG;IACH,iBAAiB;QACb,OAAO,IAAI,CAAC,cAAc,CAAC;IAC/B,CAAC;CACJ;AA5GD,4DA4GC"}

package/dist/auth/secrets/secrets-provider.d.ts

@@ -0,0 +1,54 @@
+/**
+ * Composite Secrets Provider
+ *
+ * Tries multiple secrets providers in priority order:
+ * 1. AWS Secrets Manager (production environments)
+ * 2. Local file (development/testing)
+ */
+import { Auth0M2MCredentials, IAuthLogger } from "../types";
+import { ISecretsProvider } from "./types";
+/**
+ * Composite secrets provider that tries multiple sources in order
+ *
+ * Priority:
+ * 1. AWS Secrets Manager (if in AWS environment)
+ * 2. Local file (~/.dataflint/m2m_secret.{env}.json)
+ *
+ * @example
+ * ```typescript
+ * const provider = new SecretsProvider('prod', logger);
+ * const credentials = await provider.loadAuth0M2MCredentials('auth0_m2m_databricks_loader_prod');
+ * if (credentials) {
+ *   // Use credentials for Auth0 M2M authentication
+ * }
+ * ```
+ */
+export declare class SecretsProvider implements ISecretsProvider {
+    private logger;
+    private providers;
+    private environment;
+    constructor(environment: string, logger?: IAuthLogger);
+    /**
+     * Get the provider name for logging
+     */
+    getName(): string;
+    /**
+     * Check if any provider is available
+     */
+    isAvailable(): Promise<boolean>;
+    /**
+     * Load Auth0 M2M credentials from the first available provider
+     *
+     * @param secretName - The name of the secret (used for AWS, ignored for local file)
+     * @returns M2M credentials or null if not found in any provider
+     */
+    loadAuth0M2MCredentials(secretName: string): Promise<Auth0M2MCredentials | null>;
+    /**
+     * Get the default secret name for M2M credentials based on environment
+     *
+     * @param environment - The environment (prod, staging, local)
+     * @returns The default secret name
+     */
+    static getDefaultSecretName(environment: string): string;
+}
+//# sourceMappingURL=secrets-provider.d.ts.map

package/dist/auth/secrets/secrets-provider.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"secrets-provider.d.ts","sourceRoot":"","sources":["../../../src/auth/secrets/secrets-provider.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,mBAAmB,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC;AAC5D,OAAO,EAAE,gBAAgB,EAAE,MAAM,SAAS,CAAC;AAc3C;;;;;;;;;;;;;;;GAeG;AACH,qBAAa,eAAgB,YAAW,gBAAgB;IACpD,OAAO,CAAC,MAAM,CAAc;IAC5B,OAAO,CAAC,SAAS,CAAqB;IACtC,OAAO,CAAC,WAAW,CAAS;gBAEhB,WAAW,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,WAAW;IAWrD;;OAEG;IACH,OAAO,IAAI,MAAM;IAIjB;;OAEG;IACG,WAAW,IAAI,OAAO,CAAC,OAAO,CAAC;IAarC;;;;;OAKG;IACG,uBAAuB,CACzB,UAAU,EAAE,MAAM,GACnB,OAAO,CAAC,mBAAmB,GAAG,IAAI,CAAC;IA+BtC;;;;;OAKG;IACH,MAAM,CAAC,oBAAoB,CAAC,WAAW,EAAE,MAAM,GAAG,MAAM;CAG3D"}

package/dist/auth/secrets/secrets-provider.js

@@ -0,0 +1,106 @@
+"use strict";
+/**
+ * Composite Secrets Provider
+ *
+ * Tries multiple secrets providers in priority order:
+ * 1. AWS Secrets Manager (production environments)
+ * 2. Local file (development/testing)
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SecretsProvider = void 0;
+const aws_secrets_provider_1 = require("./aws-secrets-provider");
+const local_file_secrets_provider_1 = require("./local-file-secrets-provider");
+/**
+ * Default no-op logger
+ */
+const noopLogger = {
+    info: () => { },
+    warn: () => { },
+    error: () => { },
+    debug: () => { },
+};
+/**
+ * Composite secrets provider that tries multiple sources in order
+ *
+ * Priority:
+ * 1. AWS Secrets Manager (if in AWS environment)
+ * 2. Local file (~/.dataflint/m2m_secret.{env}.json)
+ *
+ * @example
+ * ```typescript
+ * const provider = new SecretsProvider('prod', logger);
+ * const credentials = await provider.loadAuth0M2MCredentials('auth0_m2m_databricks_loader_prod');
+ * if (credentials) {
+ *   // Use credentials for Auth0 M2M authentication
+ * }
+ * ```
+ */
+class SecretsProvider {
+    logger;
+    providers;
+    environment;
+    constructor(environment, logger) {
+        this.logger = logger || noopLogger;
+        this.environment = environment;
+        // Initialize providers in priority order
+        this.providers = [
+            new aws_secrets_provider_1.AWSSecretsProvider(logger),
+            new local_file_secrets_provider_1.LocalFileSecretsProvider(environment, logger),
+        ];
+    }
+    /**
+     * Get the provider name for logging
+     */
+    getName() {
+        return "Composite Secrets Provider";
+    }
+    /**
+     * Check if any provider is available
+     */
+    async isAvailable() {
+        for (const provider of this.providers) {
+            if (await provider.isAvailable()) {
+                this.logger.debug(`Secrets provider available: ${provider.getName()}`);
+                return true;
+            }
+        }
+        this.logger.debug("No secrets providers available");
+        return false;
+    }
+    /**
+     * Load Auth0 M2M credentials from the first available provider
+     *
+     * @param secretName - The name of the secret (used for AWS, ignored for local file)
+     * @returns M2M credentials or null if not found in any provider
+     */
+    async loadAuth0M2MCredentials(secretName) {
+        this.logger.info("Attempting to load M2M credentials...");
+        for (const provider of this.providers) {
+            const providerName = provider.getName();
+            if (!(await provider.isAvailable())) {
+                this.logger.debug(`Provider not available: ${providerName}`);
+                continue;
+            }
+            this.logger.info(`Trying provider: ${providerName}`);
+            const credentials = await provider.loadAuth0M2MCredentials(secretName);
+            if (credentials) {
+                this.logger.info(`M2M credentials loaded from: ${providerName}`);
+                return credentials;
+            }
+            this.logger.debug(`No credentials found in provider: ${providerName}`);
+        }
+        this.logger.info("No M2M credentials found in any provider");
+        return null;
+    }
+    /**
+     * Get the default secret name for M2M credentials based on environment
+     *
+     * @param environment - The environment (prod, staging, local)
+     * @returns The default secret name
+     */
+    static getDefaultSecretName(environment) {
+        return `auth0_m2m_databricks_loader_${environment}`;
+    }
+}
+exports.SecretsProvider = SecretsProvider;
+//# sourceMappingURL=secrets-provider.js.map

package/dist/auth/secrets/secrets-provider.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secrets-provider.js","sourceRoot":"","sources":["../../../src/auth/secrets/secrets-provider.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;;AAIH,iEAA4D;AAC5D,+EAAyE;AAEzE;;GAEG;AACH,MAAM,UAAU,GAAgB;IAC5B,IAAI,EAAE,GAAG,EAAE,GAAE,CAAC;IACd,IAAI,EAAE,GAAG,EAAE,GAAE,CAAC;IACd,KAAK,EAAE,GAAG,EAAE,GAAE,CAAC;IACf,KAAK,EAAE,GAAG,EAAE,GAAE,CAAC;CAClB,CAAC;AAEF;;;;;;;;;;;;;;;GAeG;AACH,MAAa,eAAe;IAChB,MAAM,CAAc;IACpB,SAAS,CAAqB;IAC9B,WAAW,CAAS;IAE5B,YAAY,WAAmB,EAAE,MAAoB;QACjD,IAAI,CAAC,MAAM,GAAG,MAAM,IAAI,UAAU,CAAC;QACnC,IAAI,CAAC,WAAW,GAAG,WAAW,CAAC;QAE/B,yCAAyC;QACzC,IAAI,CAAC,SAAS,GAAG;YACb,IAAI,yCAAkB,CAAC,MAAM,CAAC;YAC9B,IAAI,sDAAwB,CAAC,WAAW,EAAE,MAAM,CAAC;SACpD,CAAC;IACN,CAAC;IAED;;OAEG;IACH,OAAO;QACH,OAAO,4BAA4B,CAAC;IACxC,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,WAAW;QACb,KAAK,MAAM,QAAQ,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;YACpC,IAAI,MAAM,QAAQ,CAAC,WAAW,EAAE,EAAE,CAAC;gBAC/B,IAAI,CAAC,MAAM,CAAC,KAAK,CACb,+BAA+B,QAAQ,CAAC,OAAO,EAAE,EAAE,CACtD,CAAC;gBACF,OAAO,IAAI,CAAC;YAChB,CAAC;QACL,CAAC;QACD,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,gCAAgC,CAAC,CAAC;QACpD,OAAO,KAAK,CAAC;IACjB,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,uBAAuB,CACzB,UAAkB;QAElB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,uCAAuC,CAAC,CAAC;QAE1D,KAAK,MAAM,QAAQ,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;YACpC,MAAM,YAAY,GAAG,QAAQ,CAAC,OAAO,EAAE,CAAC;YAExC,IAAI,CAAC,CAAC,MAAM,QAAQ,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;gBAClC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,2BAA2B,YAAY,EAAE,CAAC,CAAC;gBAC7D,SAAS;YACb,CAAC;YAED,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,oBAAoB,YAAY,EAAE,CAAC,CAAC;YACrD,MAAM,WAAW,GACb,MAAM,QAAQ,CAAC,uBAAuB,CAAC,UAAU,CAAC,CAAC;YAEvD,IAAI,WAAW,EAAE,CAAC;gBACd,IAAI,CAAC,MAAM,CAAC,IAAI,CACZ,gCAAgC,YAAY,EAAE,CACjD,CAAC;gBACF,OAAO,WAAW,CAAC;YACvB,CAAC;YAED,IAAI,CAAC,MAAM,CAAC,KAAK,CACb,qCAAqC,YAAY,EAAE,CACtD,CAAC;QACN,CAAC;QAED,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,0CAA0C,CAAC,CAAC;QAC7D,OAAO,IAAI,CAAC;IAChB,CAAC;IAED;;;;;OAKG;IACH,MAAM,CAAC,oBAAoB,CAAC,WAAmB;QAC3C,OAAO,+BAA+B,WAAW,EAAE,CAAC;IACxD,CAAC;CACJ;AAvFD,0CAuFC"}

package/dist/auth/secrets/types.d.ts

@@ -0,0 +1,32 @@
+/**
+ * Secrets Provider Types
+ *
+ * Defines interfaces for loading M2M credentials from various sources.
+ */
+import { Auth0M2MCredentials } from "../types";
+/**
+ * Interface for secrets providers that can load M2M credentials
+ *
+ * Implementations:
+ * - AWSSecretsProvider: Loads from AWS Secrets Manager
+ * - LocalFileSecretsProvider: Loads from local file system
+ */
+export interface ISecretsProvider {
+    /**
+     * Get the name of this provider for logging
+     */
+    getName(): string;
+    /**
+     * Check if this provider is available in the current environment
+     * (e.g., AWS credentials available, local file exists)
+     */
+    isAvailable(): Promise<boolean>;
+    /**
+     * Load Auth0 M2M credentials from the secrets source
+     *
+     * @param secretName - The name/path of the secret to load
+     * @returns The M2M credentials or null if not found
+     */
+    loadAuth0M2MCredentials(secretName: string): Promise<Auth0M2MCredentials | null>;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/auth/secrets/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/auth/secrets/types.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,mBAAmB,EAAE,MAAM,UAAU,CAAC;AAE/C;;;;;;GAMG;AACH,MAAM,WAAW,gBAAgB;IAC7B;;OAEG;IACH,OAAO,IAAI,MAAM,CAAC;IAElB;;;OAGG;IACH,WAAW,IAAI,OAAO,CAAC,OAAO,CAAC,CAAC;IAEhC;;;;;OAKG;IACH,uBAAuB,CACnB,UAAU,EAAE,MAAM,GACnB,OAAO,CAAC,mBAAmB,GAAG,IAAI,CAAC,CAAC;CAC1C"}

package/dist/auth/secrets/types.js

@@ -0,0 +1,8 @@
+"use strict";
+/**
+ * Secrets Provider Types
+ *
+ * Defines interfaces for loading M2M credentials from various sources.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=types.js.map

package/dist/auth/secrets/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../../src/auth/secrets/types.ts"],"names":[],"mappings":";AAAA;;;;GAIG"}