@floracodex/nestjs-secrets 1.0.0-rc.1

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 Michael De Soto | Flora Codex
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,96 @@
+# NestJS Secrets: Effortless Cloud Secrets in Your NestJS Configuration
+
+`NestJS Secrets` simplifies how you manage configuration and securely integrate secrets from cloud providers into your NestJS applications. It enhances NestJS's standard `ConfigModule` without reinventing the wheel, allowing you to keep sensitive data out of your codebase and easily handle environment-specific settings.
+
+**For full documentation, please visit our [GitHub Wiki](https://github.com/floracodex/nestjs-secrets/wiki).**
+
+## Key Features
+
+* Load configuration from YAML or JSON files.
+* Merge multiple configuration files with defined precedence.
+* Resolve secrets directly from native identifiers of major cloud providers:
+    * [AWS Parameter Store](https://github.com/floracodex/nestjs-secrets/wiki/5.1.-Using-with-AWS-Parameter-Store)
+    * [AWS Secrets Manager](https://github.com/floracodex/nestjs-secrets/wiki/5.2.-Using-with-AWS-Secrets-Manager)
+    * [Azure Key Vault](https://github.com/floracodex/nestjs-secrets/wiki/5.3.-Using-with-Azure-Key-Vault)
+    * [Google Cloud Secret Manager](https://github.com/floracodex/nestjs-secrets/wiki/5.4.-Using-with-Google-Cloud-Secret-Manager)
+* Extensible architecture to support custom secret providers.
+* Seamless integration with the standard NestJS `ConfigService`.
+
+## Installation
+
+```bash
+npm install @floracodex/nestjs-secrets @nestjs/config
+```
+
+## Requirements
+
+* **Node.js:** `^18.x || ^20.x || ^22.x` (Node.js 18.x or newer is recommended, preferably an active LTS version as of May 2025)
+* **NestJS:** Requires NestJS version `^10.0.0` or `^11.0.0`.
+* `@nestjs/config`: Requires `@nestjs/config` version `^3.0.0` or `^4.0.0`.
+
+## Quick Start
+
+### 1. Create a configuration file (e.g., `settings.yaml`):
+
+```yaml
+# settings.yaml
+db:
+    host: db.example.com
+    # Example: Native ARN for an AWS Parameter Store secret
+    password: 'arn:aws:ssm:us-east-1:123456789012:parameter/myapplication/dev/db_password'
+```
+
+### 2. Import and configure `SecretsModule` in your `AppModule`:
+
+```typescript
+// app.module.ts
+import {Module} from '@nestjs/common';
+import {SecretsModule} from '@floracodex/nestjs-secrets';
+import {SSMClient} from '@aws-sdk/client-ssm'; // Example for AWS Parameter Store
+
+@Module({
+    imports: [
+        SecretsModule.forRoot({
+            // Provide the SDK client for your secret provider
+            client: new SSMClient({region: 'us-east-1'}),
+            files: ['settings.yaml'],
+            isGlobal: true,
+            cache: true
+        })
+    ]
+})
+export class AppModule {
+}
+```
+
+_NestJS Secrets often auto-detects the provider from the client. See the [Cloud Provider Guides on our Wiki](https://github.com/floracodex/nestjs-secrets/wiki/5.-Cloud-Provider-Integration-Guides) for specifics._
+
+### 3. Access configuration in your services:
+
+```typescript
+// any.service.ts
+import {Injectable} from '@nestjs/common';
+import {ConfigService} from '@nestjs/config';
+
+@Injectable()
+export class AnyService {
+    constructor(private configService: ConfigService) {
+        const dbPassword = this.configService.get<string>('db.password');
+        // db.password now holds the resolved secret value
+    }
+}
+```
+
+For more detailed examples and explanations, please see the [Basic Usage Guide on our Wiki](https://github.com/floracodex/nestjs-secrets/wiki/4.-Basic-Usage-Guide).
+
+## Advanced Usage
+`NestJS Secrets` also supports custom secret providers and manual configuration for more complex scenarios.
+
+Learn more in the [Advanced Usage section of our Wiki](https://github.com/floracodex/nestjs-secrets/wiki/6.-Advanced-Usage).
+
+## Contributing
+We welcome contributions! If you'd like to report a bug, suggest a feature, or contribute code (especially new secret providers), please see our [Contributing Guidelines on the Wiki](https://github.com/floracodex/nestjs-secrets/wiki/7.-Contributing-Guidelines).
+
+## License
+
+This project is licensed under the [MIT License](https://github.com/floracodex/nestjs-secrets/blob/main/LICENSE).

package/dist/index.d.ts

@@ -0,0 +1,5 @@
+export * from './interfaces/secrets-loader-options.interface';
+export * from './interfaces/secrets-module-options.interface';
+export * from './interfaces/secrets-provider.interface';
+export * from './modules/secrets.module';
+export * from './services/secrets-loader.service';

package/dist/index.js

@@ -0,0 +1,22 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./interfaces/secrets-loader-options.interface"), exports);
+__exportStar(require("./interfaces/secrets-module-options.interface"), exports);
+__exportStar(require("./interfaces/secrets-provider.interface"), exports);
+__exportStar(require("./modules/secrets.module"), exports);
+__exportStar(require("./services/secrets-loader.service"), exports);
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,gFAA8D;AAC9D,gFAA8D;AAC9D,0EAAwD;AACxD,2DAAyC;AACzC,oEAAkD"}

package/dist/interfaces/secrets-loader-options.interface.d.ts

@@ -0,0 +1,12 @@
+import { SecretsProvider, SecretsProviderType } from './secrets-provider.interface';
+export interface SecretsLoaderOptions {
+    provider?: SecretsProviderType | SecretsProvider;
+    client?: any;
+    /**
+     * Base directory for config files (absolute or relative). If relative and not specified, defaults to
+     * <app_root>/config. If just a directory name is given (e.g. 'config'), it's resolved relative to app root
+     */
+    root?: string;
+    files: string[];
+    fileType?: 'yaml' | 'json';
+}

package/dist/interfaces/secrets-loader-options.interface.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=secrets-loader-options.interface.js.map

package/dist/interfaces/secrets-loader-options.interface.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secrets-loader-options.interface.js","sourceRoot":"","sources":["../../src/interfaces/secrets-loader-options.interface.ts"],"names":[],"mappings":""}

package/dist/interfaces/secrets-module-options.interface.d.ts

@@ -0,0 +1,4 @@
+import { ConfigModuleOptions } from '@nestjs/config';
+import { SecretsLoaderOptions } from './secrets-loader-options.interface';
+export interface SecretsModuleOptions extends ConfigModuleOptions, SecretsLoaderOptions {
+}

package/dist/interfaces/secrets-module-options.interface.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=secrets-module-options.interface.js.map

package/dist/interfaces/secrets-module-options.interface.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secrets-module-options.interface.js","sourceRoot":"","sources":["../../src/interfaces/secrets-module-options.interface.ts"],"names":[],"mappings":""}

package/dist/interfaces/secrets-provider.interface.d.ts

@@ -0,0 +1,26 @@
+/**
+ * Interface for secret providers
+ */
+export declare abstract class SecretsProvider {
+    /**
+     * Checks if a string is a valid secret reference for this provider
+     * @param value The string to check
+     * @returns True if the string is a valid secret reference
+     */
+    abstract isSecretReference(value: string): boolean;
+    /**
+     * Resolves a secret reference to its actual value.
+     * @param secretRef The reference to the secret
+     * @returns The resolved secret value (string or array of strings)
+     * @throws Error when the secret cannot be retrieved or has an invalid format
+     */
+    abstract resolveSecret(secretRef: string): Promise<string | string[]>;
+}
+/**
+ * The secret providers included with this library.
+ *
+ * Note: You can also use a custom provider by passing an instance of your provider class to the SecretsLoaderService.
+ * Open a PR or reach out to us at support@floracodex.com if you implement your own provider. We'd love to officially
+ * support it if it makes sense to add it to this list.
+ */
+export type SecretsProviderType = 'AwsParameterStoreProvider' | 'AwsSecretsManagerProvider' | 'AzureKeyVaultProvider' | 'GoogleSecretManagerProvider';

package/dist/interfaces/secrets-provider.interface.js

@@ -0,0 +1,10 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SecretsProvider = void 0;
+/**
+ * Interface for secret providers
+ */
+class SecretsProvider {
+}
+exports.SecretsProvider = SecretsProvider;
+//# sourceMappingURL=secrets-provider.interface.js.map

package/dist/interfaces/secrets-provider.interface.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secrets-provider.interface.js","sourceRoot":"","sources":["../../src/interfaces/secrets-provider.interface.ts"],"names":[],"mappings":";;;AAAA;;GAEG;AACH,MAAsB,eAAe;CAepC;AAfD,0CAeC"}

package/dist/modules/secrets.module.d.ts

@@ -0,0 +1,5 @@
+import { DynamicModule } from '@nestjs/common';
+import { SecretsModuleOptions } from '../interfaces/secrets-module-options.interface';
+export declare class SecretsModule {
+    static forRoot(options: SecretsModuleOptions): Promise<DynamicModule>;
+}

package/dist/modules/secrets.module.js

@@ -0,0 +1,37 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var SecretsModule_1;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SecretsModule = void 0;
+const common_1 = require("@nestjs/common");
+const config_1 = require("@nestjs/config");
+const secrets_loader_service_1 = require("../services/secrets-loader.service");
+let SecretsModule = SecretsModule_1 = class SecretsModule {
+    static async forRoot(options) {
+        const secretsLoaderService = new secrets_loader_service_1.SecretsLoaderService();
+        const configFactory = secretsLoaderService.createConfigFactory(options);
+        return {
+            module: SecretsModule_1,
+            imports: [
+                await config_1.ConfigModule.forRoot({
+                    ...options,
+                    load: [configFactory],
+                    // Override any options that we handle ourselves
+                    ignoreEnvFile: true
+                })
+            ],
+            exports: [config_1.ConfigModule]
+        };
+    }
+};
+exports.SecretsModule = SecretsModule;
+exports.SecretsModule = SecretsModule = SecretsModule_1 = __decorate([
+    (0, common_1.Global)(),
+    (0, common_1.Module)({})
+], SecretsModule);
+//# sourceMappingURL=secrets.module.js.map

package/dist/modules/secrets.module.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secrets.module.js","sourceRoot":"","sources":["../../src/modules/secrets.module.ts"],"names":[],"mappings":";;;;;;;;;;AAAA,2CAA6D;AAC7D,2CAA4C;AAC5C,+EAAwE;AAKjE,IAAM,aAAa,qBAAnB,MAAM,aAAa;IACtB,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,OAA6B;QAC9C,MAAM,oBAAoB,GAAG,IAAI,6CAAoB,EAAE,CAAC;QACxD,MAAM,aAAa,GAAG,oBAAoB,CAAC,mBAAmB,CAAC,OAAO,CAAC,CAAC;QAExE,OAAO;YACH,MAAM,EAAE,eAAa;YACrB,OAAO,EAAE;gBACL,MAAM,qBAAY,CAAC,OAAO,CAAC;oBACvB,GAAG,OAAO;oBACV,IAAI,EAAE,CAAC,aAAa,CAAC;oBACrB,gDAAgD;oBAChD,aAAa,EAAE,IAAI;iBACtB,CAAC;aACL;YACD,OAAO,EAAE,CAAC,qBAAY,CAAC;SAC1B,CAAC;IACN,CAAC;CACJ,CAAA;AAlBY,sCAAa;wBAAb,aAAa;IAFzB,IAAA,eAAM,GAAE;IACR,IAAA,eAAM,EAAC,EAAE,CAAC;GACE,aAAa,CAkBzB"}

package/dist/providers/aws-parameter-store.provider.d.ts

@@ -0,0 +1,39 @@
+import { SSMClient } from '@aws-sdk/client-ssm';
+import { SecretsProvider } from '../interfaces/secrets-provider.interface';
+export declare class AwsParameterStoreProvider implements SecretsProvider {
+    private readonly client;
+    private readonly logger;
+    /**
+     * Regular expression to validate AWS Parameter Store paths.
+     * Matches either:
+     * - Path format: /path/to/parameter
+     * - ARN format: arn:aws:ssm:region:account:parameter/path/to/parameter
+     */
+    private readonly parameterPathPattern;
+    constructor(client: SSMClient);
+    /**
+     * Checks if a string is a valid Parameter Store reference.
+     * @param value The string to check
+     * @returns True if the string is a valid Parameter Store reference
+     */
+    isSecretReference(value: string): boolean;
+    /**
+     * Resolves a Parameter Store reference to its actual value
+     * @param secretRef The reference to the secret in AWS Parameter Store
+     * @returns The resolved secret value as a string
+     * @throws Error when the secret cannot be retrieved or has an invalid format
+     */
+    resolveSecret(secretRef: string): Promise<string | string[]>;
+    /**
+     * Retrieves all parameters under a specific path.
+     * @param pathRef The parameter path reference ending with '/*'
+     * @returns Array of parameter values
+     */
+    private retrieveParametersByPath;
+    /**
+     * Retrieves a single parameter by name.
+     * @param paramName The parameter name or ARN
+     * @returns The parameter value
+     */
+    private retrieveSingleParameter;
+}

package/dist/providers/aws-parameter-store.provider.js

@@ -0,0 +1,98 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var AwsParameterStoreProvider_1;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AwsParameterStoreProvider = void 0;
+const common_1 = require("@nestjs/common");
+const client_ssm_1 = require("@aws-sdk/client-ssm");
+let AwsParameterStoreProvider = AwsParameterStoreProvider_1 = class AwsParameterStoreProvider {
+    client;
+    logger = new common_1.Logger(AwsParameterStoreProvider_1.name);
+    /**
+     * Regular expression to validate AWS Parameter Store paths.
+     * Matches either:
+     * - Path format: /path/to/parameter
+     * - ARN format: arn:aws:ssm:region:account:parameter/path/to/parameter
+     */
+    parameterPathPattern = /^(?:\/[a-zA-Z0-9_./-]+|arn:[a-z-]+:ssm:[a-z0-9-]+:\d{12}:parameter\/[a-zA-Z0-9_./-]+)$/;
+    constructor(client) {
+        this.client = client;
+    }
+    /**
+     * Checks if a string is a valid Parameter Store reference.
+     * @param value The string to check
+     * @returns True if the string is a valid Parameter Store reference
+     */
+    isSecretReference(value) {
+        return this.parameterPathPattern.test(value);
+    }
+    /**
+     * Resolves a Parameter Store reference to its actual value
+     * @param secretRef The reference to the secret in AWS Parameter Store
+     * @returns The resolved secret value as a string
+     * @throws Error when the secret cannot be retrieved or has an invalid format
+     */
+    async resolveSecret(secretRef) {
+        if (secretRef.endsWith('/*')) {
+            return await this.retrieveParametersByPath(secretRef);
+        }
+        return await this.retrieveSingleParameter(secretRef);
+    }
+    /**
+     * Retrieves all parameters under a specific path.
+     * @param pathRef The parameter path reference ending with '/*'
+     * @returns Array of parameter values
+     */
+    async retrieveParametersByPath(pathRef) {
+        const basePath = pathRef.slice(0, -2);
+        const command = new client_ssm_1.GetParametersByPathCommand({
+            Path: basePath,
+            WithDecryption: true,
+            Recursive: true
+        });
+        const response = await this.client.send(command);
+        if (!response.Parameters || response.Parameters.length === 0) {
+            throw new Error(`No parameters found at path: ${basePath}`);
+        }
+        return response.Parameters.map((param) => {
+            if (!param.Value) {
+                this.logger.warn(`Parameter ${param.Name} has no value`);
+                return '';
+            }
+            return param.Value;
+        }).filter(Boolean);
+    }
+    /**
+     * Retrieves a single parameter by name.
+     * @param paramName The parameter name or ARN
+     * @returns The parameter value
+     */
+    async retrieveSingleParameter(paramName) {
+        const command = new client_ssm_1.GetParameterCommand({
+            Name: paramName,
+            WithDecryption: true
+        });
+        const response = await this.client.send(command);
+        if (!response.Parameter) {
+            throw new Error(`Parameter not found: ${paramName}`);
+        }
+        if (!response.Parameter.Value) {
+            throw new Error(`Parameter value is empty for: ${paramName}`);
+        }
+        return response.Parameter.Value;
+    }
+};
+exports.AwsParameterStoreProvider = AwsParameterStoreProvider;
+exports.AwsParameterStoreProvider = AwsParameterStoreProvider = AwsParameterStoreProvider_1 = __decorate([
+    (0, common_1.Injectable)(),
+    __metadata("design:paramtypes", [client_ssm_1.SSMClient])
+], AwsParameterStoreProvider);
+//# sourceMappingURL=aws-parameter-store.provider.js.map

package/dist/providers/aws-parameter-store.provider.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"aws-parameter-store.provider.js","sourceRoot":"","sources":["../../src/providers/aws-parameter-store.provider.ts"],"names":[],"mappings":";;;;;;;;;;;;;AAAA,2CAAkD;AAClD,oDAA0G;AAInG,IAAM,yBAAyB,iCAA/B,MAAM,yBAAyB;IAWL;IAVZ,MAAM,GAAG,IAAI,eAAM,CAAC,2BAAyB,CAAC,IAAI,CAAC,CAAC;IAErE;;;;;OAKG;IACc,oBAAoB,GAAG,wFAAwF,CAAC;IAEjI,YAA6B,MAAiB;QAAjB,WAAM,GAAN,MAAM,CAAW;IAC9C,CAAC;IAED;;;;OAIG;IACH,iBAAiB,CAAC,KAAa;QAC3B,OAAO,IAAI,CAAC,oBAAoB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACjD,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,aAAa,CAAC,SAAiB;QACjC,IAAI,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3B,OAAO,MAAM,IAAI,CAAC,wBAAwB,CAAC,SAAS,CAAC,CAAC;QAC1D,CAAC;QAED,OAAO,MAAM,IAAI,CAAC,uBAAuB,CAAC,SAAS,CAAC,CAAC;IACzD,CAAC;IAED;;;;OAIG;IACK,KAAK,CAAC,wBAAwB,CAAC,OAAe;QAClD,MAAM,QAAQ,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QAEtC,MAAM,OAAO,GAAG,IAAI,uCAA0B,CAAC;YAC3C,IAAI,EAAE,QAAQ;YACd,cAAc,EAAE,IAAI;YACpB,SAAS,EAAE,IAAI;SAClB,CAAC,CAAC;QAEH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAEjD,IAAI,CAAC,QAAQ,CAAC,UAAU,IAAI,QAAQ,CAAC,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC3D,MAAM,IAAI,KAAK,CAAC,gCAAgC,QAAQ,EAAE,CAAC,CAAC;QAChE,CAAC;QAED,OAAO,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,KAAgB,EAAE,EAAE;YAChD,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;gBACf,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,aAAa,KAAK,CAAC,IAAI,eAAe,CAAC,CAAC;gBACzD,OAAO,EAAE,CAAC;YACd,CAAC;YACD,OAAO,KAAK,CAAC,KAAK,CAAC;QACvB,CAAC,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IACvB,CAAC;IAED;;;;OAIG;IACK,KAAK,CAAC,uBAAuB,CAAC,SAAiB;QACnD,MAAM,OAAO,GAAG,IAAI,gCAAmB,CAAC;YACpC,IAAI,EAAE,SAAS;YACf,cAAc,EAAE,IAAI;SACvB,CAAC,CAAC;QAEH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAEjD,IAAI,CAAC,QAAQ,CAAC,SAAS,EAAE,CAAC;YACtB,MAAM,IAAI,KAAK,CAAC,wBAAwB,SAAS,EAAE,CAAC,CAAC;QACzD,CAAC;QAED,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,KAAK,EAAE,CAAC;YAC5B,MAAM,IAAI,KAAK,CAAC,iCAAiC,SAAS,EAAE,CAAC,CAAC;QAClE,CAAC;QAED,OAAO,QAAQ,CAAC,SAAS,CAAC,KAAK,CAAC;IACpC,CAAC;CACJ,CAAA;AAzFY,8DAAyB;oCAAzB,yBAAyB;IADrC,IAAA,mBAAU,GAAE;qCAY4B,sBAAS;GAXrC,yBAAyB,CAyFrC"}

package/dist/providers/aws-secrets-manager.provider.d.ts

@@ -0,0 +1,30 @@
+import { SecretsManager } from '@aws-sdk/client-secrets-manager';
+import { SecretsProvider } from '../interfaces/secrets-provider.interface';
+export declare class AwsSecretsManagerProvider implements SecretsProvider {
+    private readonly client;
+    private readonly logger;
+    /**
+     * Regular expression pattern for validating AWS Secrets Manager ARNs
+     */
+    private readonly arnPattern;
+    constructor(client: SecretsManager);
+    /**
+     * Checks if a string is a valid AWS Secrets Manager ARN.
+     * @param value The string to check
+     * @returns True if the string is a valid AWS Secrets Manager ARN
+     */
+    isSecretReference(value: string): boolean;
+    /**
+     * Resolves an AWS Secrets Manager ARN to its actual value
+     * @param secretRef The AWS Secrets Manager ARN
+     * @returns The resolved secret value as a string
+     * @throws Error when the secret cannot be retrieved or has an invalid format
+     */
+    resolveSecret(secretRef: string): Promise<string>;
+    /**
+     * Decodes a binary secret to a string.
+     * @param binaryData The binary data to decode
+     * @returns The decoded string
+     */
+    private decodeBinarySecret;
+}

package/dist/providers/aws-secrets-manager.provider.js

@@ -0,0 +1,65 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var AwsSecretsManagerProvider_1;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AwsSecretsManagerProvider = void 0;
+const common_1 = require("@nestjs/common");
+const client_secrets_manager_1 = require("@aws-sdk/client-secrets-manager");
+let AwsSecretsManagerProvider = AwsSecretsManagerProvider_1 = class AwsSecretsManagerProvider {
+    client;
+    logger = new common_1.Logger(AwsSecretsManagerProvider_1.name);
+    /**
+     * Regular expression pattern for validating AWS Secrets Manager ARNs
+     */
+    arnPattern = /^arn:aws:secretsmanager:[a-z0-9-]+:[0-9]+:secret:.+$/;
+    constructor(client) {
+        this.client = client;
+    }
+    /**
+     * Checks if a string is a valid AWS Secrets Manager ARN.
+     * @param value The string to check
+     * @returns True if the string is a valid AWS Secrets Manager ARN
+     */
+    isSecretReference(value) {
+        return this.arnPattern.test(value);
+    }
+    /**
+     * Resolves an AWS Secrets Manager ARN to its actual value
+     * @param secretRef The AWS Secrets Manager ARN
+     * @returns The resolved secret value as a string
+     * @throws Error when the secret cannot be retrieved or has an invalid format
+     */
+    async resolveSecret(secretRef) {
+        const response = await this.client.getSecretValue({ SecretId: secretRef });
+        if (response.SecretString) {
+            return response.SecretString;
+        }
+        else if (response.SecretBinary) {
+            return this.decodeBinarySecret(response.SecretBinary);
+        }
+        throw new Error('Secret value is empty');
+    }
+    /**
+     * Decodes a binary secret to a string.
+     * @param binaryData The binary data to decode
+     * @returns The decoded string
+     */
+    decodeBinarySecret(binaryData) {
+        const buff = Buffer.from(binaryData, 'base64');
+        return buff.toString('utf8');
+    }
+};
+exports.AwsSecretsManagerProvider = AwsSecretsManagerProvider;
+exports.AwsSecretsManagerProvider = AwsSecretsManagerProvider = AwsSecretsManagerProvider_1 = __decorate([
+    (0, common_1.Injectable)(),
+    __metadata("design:paramtypes", [client_secrets_manager_1.SecretsManager])
+], AwsSecretsManagerProvider);
+//# sourceMappingURL=aws-secrets-manager.provider.js.map

package/dist/providers/aws-secrets-manager.provider.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"aws-secrets-manager.provider.js","sourceRoot":"","sources":["../../src/providers/aws-secrets-manager.provider.ts"],"names":[],"mappings":";;;;;;;;;;;;;AAAA,2CAAkD;AAClD,4EAA+D;AAIxD,IAAM,yBAAyB,iCAA/B,MAAM,yBAAyB;IAQL;IAPZ,MAAM,GAAG,IAAI,eAAM,CAAC,2BAAyB,CAAC,IAAI,CAAC,CAAC;IAErE;;OAEG;IACc,UAAU,GAAG,sDAAsD,CAAC;IAErF,YAA6B,MAAsB;QAAtB,WAAM,GAAN,MAAM,CAAgB;IACnD,CAAC;IAED;;;;OAIG;IACH,iBAAiB,CAAC,KAAa;QAC3B,OAAO,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACvC,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,aAAa,CAAC,SAAiB;QACjC,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC,EAAC,QAAQ,EAAE,SAAS,EAAC,CAAC,CAAC;QAEzE,IAAI,QAAQ,CAAC,YAAY,EAAE,CAAC;YACxB,OAAO,QAAQ,CAAC,YAAY,CAAC;QACjC,CAAC;aAAM,IAAI,QAAQ,CAAC,YAAY,EAAE,CAAC;YAC/B,OAAO,IAAI,CAAC,kBAAkB,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC;QAC1D,CAAC;QAED,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;IAC7C,CAAC;IAED;;;;OAIG;IACK,kBAAkB,CAAC,UAAe;QACtC,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,UAA+B,EAAE,QAAQ,CAAC,CAAC;QACpE,OAAO,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IACjC,CAAC;CAEJ,CAAA;AAhDY,8DAAyB;oCAAzB,yBAAyB;IADrC,IAAA,mBAAU,GAAE;qCAS4B,uCAAc;GAR1C,yBAAyB,CAgDrC"}

package/dist/providers/azure-key-vault.provider.d.ts

@@ -0,0 +1,34 @@
+import { SecretClient } from '@azure/keyvault-secrets';
+import { SecretsProvider } from '../interfaces/secrets-provider.interface';
+export declare class AzureKeyVaultProvider implements SecretsProvider {
+    private readonly client;
+    private readonly logger;
+    /**
+     * Regular expression to validate Azure Vault paths.
+     * - Standard format: https://<vault-name>.vault.azure.net/secrets/<secret-name>
+     * - With versions: https://<vault-name>.vault.azure.net/secrets/<secret-name>/<version>
+     * - With paths in secret names: https://<vault-name>.vault.azure.net/secrets/<path>/<secret-name>
+     */
+    private readonly secretUrlPattern;
+    constructor(client: SecretClient);
+    /**
+     * Checks if the provided string is a valid Azure Key Vault secret reference.
+     * @param value The string to check
+     * @returns True if the string is a valid Azure Key Vault secret reference
+     */
+    isSecretReference(value: string): boolean;
+    /**
+     * Resolves an Azure Key Vault secret reference to its actual value.
+     * @param secretRef The reference URL to the secret (https://<vault-name>.vault.azure.net/secrets/<secret-name>[/<version>])
+     * @returns The resolved secret value as a string
+     * @throws Error when the secret reference is invalid or cannot be retrieved
+     */
+    resolveSecret(secretRef: string): Promise<string>;
+    /**
+     * Parses an Azure Key Vault secret reference and extracts the secret name.
+     * @param secretRef The Azure Key Vault secret reference URL
+     * @returns The extracted secret name
+     * @throws Error when the secret reference format is invalid
+     */
+    private parseSecretReference;
+}

package/dist/providers/azure-key-vault.provider.js

@@ -0,0 +1,74 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var AzureKeyVaultProvider_1;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AzureKeyVaultProvider = void 0;
+const common_1 = require("@nestjs/common");
+const keyvault_secrets_1 = require("@azure/keyvault-secrets");
+let AzureKeyVaultProvider = AzureKeyVaultProvider_1 = class AzureKeyVaultProvider {
+    client;
+    logger = new common_1.Logger(AzureKeyVaultProvider_1.name);
+    /**
+     * Regular expression to validate Azure Vault paths.
+     * - Standard format: https://<vault-name>.vault.azure.net/secrets/<secret-name>
+     * - With versions: https://<vault-name>.vault.azure.net/secrets/<secret-name>/<version>
+     * - With paths in secret names: https://<vault-name>.vault.azure.net/secrets/<path>/<secret-name>
+     */
+    secretUrlPattern = /^https:\/\/[\w-]+\.vault\.azure\.net\/secrets\/([^/\s]+)(?:\/([^/\s]+))?$/;
+    constructor(client) {
+        this.client = client;
+    }
+    /**
+     * Checks if the provided string is a valid Azure Key Vault secret reference.
+     * @param value The string to check
+     * @returns True if the string is a valid Azure Key Vault secret reference
+     */
+    isSecretReference(value) {
+        return this.secretUrlPattern.test(value);
+    }
+    /**
+     * Resolves an Azure Key Vault secret reference to its actual value.
+     * @param secretRef The reference URL to the secret (https://<vault-name>.vault.azure.net/secrets/<secret-name>[/<version>])
+     * @returns The resolved secret value as a string
+     * @throws Error when the secret reference is invalid or cannot be retrieved
+     */
+    async resolveSecret(secretRef) {
+        const secretName = this.parseSecretReference(secretRef);
+        const response = await this.client.getSecret(secretName);
+        if (!response || !response.value) {
+            throw new Error(`Secret '${secretName}' was retrieved but has an empty value`);
+        }
+        return response.value;
+    }
+    /**
+     * Parses an Azure Key Vault secret reference and extracts the secret name.
+     * @param secretRef The Azure Key Vault secret reference URL
+     * @returns The extracted secret name
+     * @throws Error when the secret reference format is invalid
+     */
+    parseSecretReference(secretRef) {
+        const match = secretRef.match(this.secretUrlPattern);
+        if (!match) {
+            throw new Error(`Invalid Azure Key Vault secret reference: ${secretRef}. Expected format: https://<vault-name>.vault.azure.net/secrets/<secret-name>[/<version>]`);
+        }
+        // Extract the vault name (match[0]) and secret name (match[1])
+        const vaultName = match[0];
+        const secretName = match[1];
+        this.logger.debug(`Parsed secret reference from vault: ${vaultName}, secret: ${secretName}`);
+        return secretName;
+    }
+};
+exports.AzureKeyVaultProvider = AzureKeyVaultProvider;
+exports.AzureKeyVaultProvider = AzureKeyVaultProvider = AzureKeyVaultProvider_1 = __decorate([
+    (0, common_1.Injectable)(),
+    __metadata("design:paramtypes", [keyvault_secrets_1.SecretClient])
+], AzureKeyVaultProvider);
+//# sourceMappingURL=azure-key-vault.provider.js.map

package/dist/providers/azure-key-vault.provider.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"azure-key-vault.provider.js","sourceRoot":"","sources":["../../src/providers/azure-key-vault.provider.ts"],"names":[],"mappings":";;;;;;;;;;;;;AAAA,2CAAkD;AAClD,8DAAqD;AAI9C,IAAM,qBAAqB,6BAA3B,MAAM,qBAAqB;IAWD;IAVZ,MAAM,GAAG,IAAI,eAAM,CAAC,uBAAqB,CAAC,IAAI,CAAC,CAAC;IAEjE;;;;;OAKG;IACc,gBAAgB,GAAG,2EAA2E,CAAC;IAEhH,YAA6B,MAAoB;QAApB,WAAM,GAAN,MAAM,CAAc;IACjD,CAAC;IAED;;;;OAIG;IACH,iBAAiB,CAAC,KAAa;QAC3B,OAAO,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC7C,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,aAAa,CAAC,SAAiB;QACjC,MAAM,UAAU,GAAG,IAAI,CAAC,oBAAoB,CAAC,SAAS,CAAC,CAAC;QAExD,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;QAEzD,IAAI,CAAC,QAAQ,IAAI,CAAC,QAAQ,CAAC,KAAK,EAAE,CAAC;YAC/B,MAAM,IAAI,KAAK,CAAC,WAAW,UAAU,wCAAwC,CAAC,CAAC;QACnF,CAAC;QAED,OAAO,QAAQ,CAAC,KAAK,CAAC;IAC1B,CAAC;IAED;;;;;OAKG;IACK,oBAAoB,CAAC,SAAiB;QAC1C,MAAM,KAAK,GAAG,SAAS,CAAC,KAAK,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;QAErD,IAAI,CAAC,KAAK,EAAE,CAAC;YACT,MAAM,IAAI,KAAK,CAAC,6CAA6C,SAAS,2FAA2F,CAAC,CAAC;QACvK,CAAC;QAED,+DAA+D;QAC/D,MAAM,SAAS,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QAC3B,MAAM,UAAU,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QAE5B,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,uCAAuC,SAAS,aAAa,UAAU,EAAE,CAAC,CAAC;QAC7F,OAAO,UAAU,CAAC;IACtB,CAAC;CAEJ,CAAA;AA9DY,sDAAqB;gCAArB,qBAAqB;IADjC,IAAA,mBAAU,GAAE;qCAY4B,+BAAY;GAXxC,qBAAqB,CA8DjC"}