@griffin-app/griffin-executor 0.1.0 → 0.1.2
- package/dist/executor.d.ts.map +1 -1
- package/dist/executor.js +55 -10
- package/dist/executor.js.map +1 -1
- package/dist/executor.test.js +83 -0
- package/dist/executor.test.js.map +1 -1
- package/dist/index.d.ts +1 -1
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +1 -1
- package/dist/index.js.map +1 -1
- package/dist/secrets/factory.d.ts +3 -99
- package/dist/secrets/factory.d.ts.map +1 -1
- package/dist/secrets/factory.js +3 -117
- package/dist/secrets/factory.js.map +1 -1
- package/dist/secrets/index.d.ts +5 -3
- package/dist/secrets/index.d.ts.map +1 -1
- package/dist/secrets/index.js +4 -2
- package/dist/secrets/index.js.map +1 -1
- package/dist/secrets/providers/aws.d.ts +10 -12
- package/dist/secrets/providers/aws.d.ts.map +1 -1
- package/dist/secrets/providers/aws.js +44 -58
- package/dist/secrets/providers/aws.js.map +1 -1
- package/dist/secrets/providers/index.d.ts +0 -2
- package/dist/secrets/providers/index.d.ts.map +1 -1
- package/dist/secrets/providers/index.js +0 -2
- package/dist/secrets/providers/index.js.map +1 -1
- package/dist/secrets/resolver.d.ts.map +1 -1
- package/dist/secrets/resolver.js +1 -1
- package/dist/secrets/resolver.js.map +1 -1
- package/dist/secrets/secrets.test.js.map +1 -1
- package/package.json +3 -3
- package/src/executor.test.ts +90 -0
- package/src/executor.ts +84 -12
- package/src/index.ts +0 -8
- package/src/secrets/factory.ts +5 -211
- package/src/secrets/index.ts +3 -9
- package/src/secrets/providers/index.ts +0 -10
- package/src/secrets/resolver.ts +5 -1
- package/src/secrets/secrets.test.ts +1 -0
- package/tsconfig.tsbuildinfo +1 -0
- package/src/secrets/providers/aws.ts +0 -178
|
@@ -2,8 +2,8 @@
|
|
|
2
2
|
* Factory for creating SecretProvider instances from configuration.
|
|
3
3
|
*
|
|
4
4
|
* This module provides pure factory functions that construct providers
|
|
5
|
-
* from config objects.
|
|
6
|
-
*
|
|
5
|
+
* from config objects. The only provider available in the executor is `env`.
|
|
6
|
+
* AWS secrets are resolved via the hub's POST /secrets/resolve endpoint.
|
|
7
7
|
*/
|
|
8
8
|
import type { SecretProvider } from "./types.js";
|
|
9
9
|
/**
|
|
@@ -11,111 +11,15 @@ import type { SecretProvider } from "./types.js";
|
|
|
11
11
|
*/
|
|
12
12
|
export interface EnvProviderConfig {
|
|
13
13
|
provider: "env";
|
|
14
|
-
/**
|
|
15
|
-
* Optional prefix to prepend to secret refs.
|
|
16
|
-
* For example, prefix="APP_" means secret("env:API_KEY") looks for "APP_API_KEY".
|
|
17
|
-
*/
|
|
18
14
|
prefix?: string;
|
|
19
|
-
/**
|
|
20
|
-
* Custom environment object to read from.
|
|
21
|
-
* If not provided, caller should pass process.env.
|
|
22
|
-
*/
|
|
23
15
|
env?: Record<string, string | undefined>;
|
|
24
16
|
}
|
|
25
|
-
/**
|
|
26
|
-
* Configuration for AWS Secrets Manager provider.
|
|
27
|
-
*/
|
|
28
|
-
export interface AwsProviderConfig {
|
|
29
|
-
provider: "aws";
|
|
30
|
-
/**
|
|
31
|
-
* AWS region for Secrets Manager.
|
|
32
|
-
*/
|
|
33
|
-
region: string;
|
|
34
|
-
/**
|
|
35
|
-
* Optional prefix for secret names.
|
|
36
|
-
* For example, prefix="myapp/" means secret("aws:api-key") looks for "myapp/api-key".
|
|
37
|
-
*/
|
|
38
|
-
prefix?: string;
|
|
39
|
-
/**
|
|
40
|
-
* Optional IAM role to assume.
|
|
41
|
-
*/
|
|
42
|
-
roleArn?: string;
|
|
43
|
-
/**
|
|
44
|
-
* Optional external ID for role assumption.
|
|
45
|
-
*/
|
|
46
|
-
externalId?: string;
|
|
47
|
-
/**
|
|
48
|
-
* AWS credentials. If not provided, uses ambient credentials (IAM role, environment, etc).
|
|
49
|
-
*/
|
|
50
|
-
credentials?: {
|
|
51
|
-
accessKeyId: string;
|
|
52
|
-
secretAccessKey: string;
|
|
53
|
-
};
|
|
54
|
-
}
|
|
55
|
-
/**
|
|
56
|
-
* Configuration for HashiCorp Vault provider.
|
|
57
|
-
*/
|
|
58
|
-
export interface VaultProviderConfig {
|
|
59
|
-
provider: "vault";
|
|
60
|
-
/**
|
|
61
|
-
* Vault server address (e.g., "https://vault.example.com").
|
|
62
|
-
*/
|
|
63
|
-
address: string;
|
|
64
|
-
/**
|
|
65
|
-
* Vault authentication token.
|
|
66
|
-
*/
|
|
67
|
-
token: string;
|
|
68
|
-
/**
|
|
69
|
-
* Optional Vault namespace.
|
|
70
|
-
*/
|
|
71
|
-
namespace?: string;
|
|
72
|
-
/**
|
|
73
|
-
* KV secrets engine version (1 or 2). Defaults to 2.
|
|
74
|
-
*/
|
|
75
|
-
kvVersion?: 1 | 2;
|
|
76
|
-
/**
|
|
77
|
-
* Optional prefix for secret paths.
|
|
78
|
-
*/
|
|
79
|
-
prefix?: string;
|
|
80
|
-
}
|
|
81
17
|
/**
|
|
82
18
|
* Union type for all provider configurations.
|
|
83
19
|
*/
|
|
84
|
-
export type SecretProviderConfig = EnvProviderConfig
|
|
20
|
+
export type SecretProviderConfig = EnvProviderConfig;
|
|
85
21
|
/**
|
|
86
22
|
* Create a SecretProvider from configuration.
|
|
87
|
-
*
|
|
88
|
-
* This is a pure factory function - it does not access environment variables
|
|
89
|
-
* or external state. All configuration must be provided by the caller.
|
|
90
|
-
*
|
|
91
|
-
* @example
|
|
92
|
-
* // Environment provider
|
|
93
|
-
* const envProvider = await createSecretProvider({
|
|
94
|
-
* provider: "env",
|
|
95
|
-
* prefix: "APP_",
|
|
96
|
-
* env: process.env,
|
|
97
|
-
* });
|
|
98
|
-
*
|
|
99
|
-
* @example
|
|
100
|
-
* // AWS provider with credentials
|
|
101
|
-
* const awsProvider = await createSecretProvider({
|
|
102
|
-
* provider: "aws",
|
|
103
|
-
* region: "us-east-1",
|
|
104
|
-
* prefix: "myapp/",
|
|
105
|
-
* credentials: {
|
|
106
|
-
* accessKeyId: "...",
|
|
107
|
-
* secretAccessKey: "...",
|
|
108
|
-
* },
|
|
109
|
-
* });
|
|
110
|
-
*
|
|
111
|
-
* @example
|
|
112
|
-
* // Vault provider
|
|
113
|
-
* const vaultProvider = await createSecretProvider({
|
|
114
|
-
* provider: "vault",
|
|
115
|
-
* address: "https://vault.example.com",
|
|
116
|
-
* token: "...",
|
|
117
|
-
* kvVersion: 2,
|
|
118
|
-
* });
|
|
119
23
|
*/
|
|
120
24
|
export declare function createSecretProvider(config: SecretProviderConfig): Promise<SecretProvider>;
|
|
121
25
|
//# sourceMappingURL=factory.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"factory.d.ts","sourceRoot":"","sources":["../../src/secrets/factory.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;
|
|
1
|
+
{"version":3,"file":"factory.d.ts","sourceRoot":"","sources":["../../src/secrets/factory.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAGjD;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,QAAQ,EAAE,KAAK,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,CAAC;CAC1C;AAED;;GAEG;AACH,MAAM,MAAM,oBAAoB,GAAG,iBAAiB,CAAC;AAErD;;GAEG;AACH,wBAAsB,oBAAoB,CACxC,MAAM,EAAE,oBAAoB,GAC3B,OAAO,CAAC,cAAc,CAAC,CAWzB"}
|
package/dist/secrets/factory.js
CHANGED
|
@@ -2,48 +2,12 @@
|
|
|
2
2
|
* Factory for creating SecretProvider instances from configuration.
|
|
3
3
|
*
|
|
4
4
|
* This module provides pure factory functions that construct providers
|
|
5
|
-
* from config objects.
|
|
6
|
-
*
|
|
5
|
+
* from config objects. The only provider available in the executor is `env`.
|
|
6
|
+
* AWS secrets are resolved via the hub's POST /secrets/resolve endpoint.
|
|
7
7
|
*/
|
|
8
8
|
import { EnvSecretProvider } from "./providers/env.js";
|
|
9
|
-
import { AwsSecretsManagerProvider } from "./providers/aws.js";
|
|
10
|
-
import { VaultProvider } from "./providers/vault.js";
|
|
11
|
-
import { SecretsManagerClient, GetSecretValueCommand } from "@aws-sdk/client-secrets-manager";
|
|
12
|
-
import { STSClient, AssumeRoleCommand } from "@aws-sdk/client-sts";
|
|
13
9
|
/**
|
|
14
10
|
* Create a SecretProvider from configuration.
|
|
15
|
-
*
|
|
16
|
-
* This is a pure factory function - it does not access environment variables
|
|
17
|
-
* or external state. All configuration must be provided by the caller.
|
|
18
|
-
*
|
|
19
|
-
* @example
|
|
20
|
-
* // Environment provider
|
|
21
|
-
* const envProvider = await createSecretProvider({
|
|
22
|
-
* provider: "env",
|
|
23
|
-
* prefix: "APP_",
|
|
24
|
-
* env: process.env,
|
|
25
|
-
* });
|
|
26
|
-
*
|
|
27
|
-
* @example
|
|
28
|
-
* // AWS provider with credentials
|
|
29
|
-
* const awsProvider = await createSecretProvider({
|
|
30
|
-
* provider: "aws",
|
|
31
|
-
* region: "us-east-1",
|
|
32
|
-
* prefix: "myapp/",
|
|
33
|
-
* credentials: {
|
|
34
|
-
* accessKeyId: "...",
|
|
35
|
-
* secretAccessKey: "...",
|
|
36
|
-
* },
|
|
37
|
-
* });
|
|
38
|
-
*
|
|
39
|
-
* @example
|
|
40
|
-
* // Vault provider
|
|
41
|
-
* const vaultProvider = await createSecretProvider({
|
|
42
|
-
* provider: "vault",
|
|
43
|
-
* address: "https://vault.example.com",
|
|
44
|
-
* token: "...",
|
|
45
|
-
* kvVersion: 2,
|
|
46
|
-
* });
|
|
47
11
|
*/
|
|
48
12
|
export async function createSecretProvider(config) {
|
|
49
13
|
switch (config.provider) {
|
|
@@ -52,86 +16,8 @@ export async function createSecretProvider(config) {
|
|
|
52
16
|
prefix: config.prefix,
|
|
53
17
|
env: config.env,
|
|
54
18
|
});
|
|
55
|
-
case "aws":
|
|
56
|
-
return createAwsProvider(config);
|
|
57
|
-
case "vault":
|
|
58
|
-
return createVaultProvider(config);
|
|
59
19
|
default:
|
|
60
|
-
|
|
61
|
-
throw new Error(`Unknown provider type: ${exhaustive.provider}`);
|
|
62
|
-
}
|
|
63
|
-
}
|
|
64
|
-
/**
|
|
65
|
-
* Create AWS Secrets Manager provider with SDK client.
|
|
66
|
-
*/
|
|
67
|
-
async function createAwsProvider(config) {
|
|
68
|
-
const clientConfig = { region: config.region };
|
|
69
|
-
// Handle role assumption if roleArn is provided
|
|
70
|
-
if (config.roleArn) {
|
|
71
|
-
const stsClient = new STSClient({ region: config.region });
|
|
72
|
-
const assumeRoleResponse = await stsClient.send(new AssumeRoleCommand({
|
|
73
|
-
RoleArn: config.roleArn,
|
|
74
|
-
RoleSessionName: "griffin-executor",
|
|
75
|
-
ExternalId: config.externalId,
|
|
76
|
-
}));
|
|
77
|
-
if (assumeRoleResponse.Credentials) {
|
|
78
|
-
clientConfig.credentials = {
|
|
79
|
-
accessKeyId: assumeRoleResponse.Credentials.AccessKeyId ?? "",
|
|
80
|
-
secretAccessKey: assumeRoleResponse.Credentials.SecretAccessKey ?? "",
|
|
81
|
-
sessionToken: assumeRoleResponse.Credentials.SessionToken,
|
|
82
|
-
};
|
|
83
|
-
}
|
|
84
|
-
}
|
|
85
|
-
else if (config.credentials) {
|
|
86
|
-
clientConfig.credentials = config.credentials;
|
|
20
|
+
throw new Error(`Unknown provider type: ${config.provider}`);
|
|
87
21
|
}
|
|
88
|
-
// Otherwise uses ambient AWS credentials (IAM role, environment variables, etc)
|
|
89
|
-
const smClient = new SecretsManagerClient(clientConfig);
|
|
90
|
-
// Wrap SDK client with the interface expected by AwsSecretsManagerProvider
|
|
91
|
-
const client = {
|
|
92
|
-
async getSecretValue(params) {
|
|
93
|
-
const command = new GetSecretValueCommand({
|
|
94
|
-
SecretId: params.SecretId,
|
|
95
|
-
VersionStage: params.VersionStage,
|
|
96
|
-
});
|
|
97
|
-
const response = await smClient.send(command);
|
|
98
|
-
return {
|
|
99
|
-
SecretString: response.SecretString,
|
|
100
|
-
SecretBinary: response.SecretBinary,
|
|
101
|
-
};
|
|
102
|
-
},
|
|
103
|
-
};
|
|
104
|
-
return new AwsSecretsManagerProvider({
|
|
105
|
-
client,
|
|
106
|
-
prefix: config.prefix,
|
|
107
|
-
});
|
|
108
|
-
}
|
|
109
|
-
/**
|
|
110
|
-
* Create Vault provider with HTTP client.
|
|
111
|
-
*/
|
|
112
|
-
function createVaultProvider(config) {
|
|
113
|
-
// Create HTTP client for Vault API calls
|
|
114
|
-
const httpClient = {
|
|
115
|
-
async get(url, options) {
|
|
116
|
-
// Import axios dynamically to avoid bundling it when not needed
|
|
117
|
-
const axios = await import("axios");
|
|
118
|
-
const response = await axios.default.get(url, {
|
|
119
|
-
headers: options.headers,
|
|
120
|
-
validateStatus: () => true, // Don't throw on non-2xx
|
|
121
|
-
});
|
|
122
|
-
return {
|
|
123
|
-
status: response.status,
|
|
124
|
-
data: response.data,
|
|
125
|
-
};
|
|
126
|
-
},
|
|
127
|
-
};
|
|
128
|
-
return new VaultProvider({
|
|
129
|
-
address: config.address,
|
|
130
|
-
token: config.token,
|
|
131
|
-
httpClient,
|
|
132
|
-
namespace: config.namespace,
|
|
133
|
-
kvVersion: config.kvVersion ?? 2,
|
|
134
|
-
prefix: config.prefix,
|
|
135
|
-
});
|
|
136
22
|
}
|
|
137
23
|
//# sourceMappingURL=factory.js.map
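Review bot: With the `case "aws"` and `case "vault"` branches removed, a config that 0.1.0 accepted now falls through to `default:` and fails with only `Unknown provider type: aws`, which gives the operator no hint that the provider was deliberately removed. The header comment already states the new rule, so the error could repeat it, for example `Unsupported secret provider "aws": the executor only supports "env"; AWS secrets are resolved via the hub`. This is also a breaking change to `createSecretProvider` shipped in a patch-level bump, so it deserves a changelog entry. The `case "env"` line sits between the two hunks and is not shown here.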
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"factory.js","sourceRoot":"","sources":["../../src/secrets/factory.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAC;
|
|
1
|
+
{"version":3,"file":"factory.js","sourceRoot":"","sources":["../../src/secrets/factory.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAC;AAgBvD;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,MAA4B;IAE5B,QAAQ,MAAM,CAAC,QAAQ,EAAE,CAAC;QACxB,KAAK,KAAK;YACR,OAAO,IAAI,iBAAiB,CAAC;gBAC3B,MAAM,EAAE,MAAM,CAAC,MAAM;gBACrB,GAAG,EAAE,MAAM,CAAC,GAAG;aAChB,CAAC,CAAC;QAEL;YACE,MAAM,IAAI,KAAK,CAAC,0BAA2B,MAAc,CAAC,QAAQ,EAAE,CAAC,CAAC;IAC1E,CAAC;AACH,CAAC"}
|
package/dist/secrets/index.d.ts
CHANGED
|
@@ -4,11 +4,13 @@
|
|
|
4
4
|
* This module provides:
|
|
5
5
|
* - SecretProvider interface for implementing custom providers
|
|
6
6
|
* - Secret resolution utilities for test monitors
|
|
7
|
-
* - Built-in
|
|
7
|
+
* - Built-in provider: env
|
|
8
8
|
* - Factory functions for creating providers from configuration
|
|
9
|
+
*
|
|
10
|
+
* AWS secrets are resolved via the hub's POST /secrets/resolve endpoint.
|
|
9
11
|
*/
|
|
10
12
|
export { type SecretProvider, type SecretRef, type SecretRefData, type SecretResolveOptions, SecretResolutionError, isSecretRef, isStringLiteral, } from "./types.js";
|
|
11
13
|
export { resolveSecretsInMonitor, collectSecretsFromMonitor, planHasSecrets, } from "./resolver.js";
|
|
12
|
-
export { EnvSecretProvider, type EnvSecretProviderOptions,
|
|
13
|
-
export { createSecretProvider, type SecretProviderConfig, type EnvProviderConfig,
|
|
14
|
+
export { EnvSecretProvider, type EnvSecretProviderOptions, } from "./providers/index.js";
|
|
15
|
+
export { createSecretProvider, type SecretProviderConfig, type EnvProviderConfig, } from "./factory.js";
|
|
14
16
|
//# sourceMappingURL=index.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/secrets/index.ts"],"names":[],"mappings":"AAAA
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/secrets/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAGH,OAAO,EACL,KAAK,cAAc,EACnB,KAAK,SAAS,EACd,KAAK,aAAa,EAClB,KAAK,oBAAoB,EACzB,qBAAqB,EACrB,WAAW,EACX,eAAe,GAChB,MAAM,YAAY,CAAC;AAGpB,OAAO,EACL,uBAAuB,EACvB,yBAAyB,EACzB,cAAc,GACf,MAAM,eAAe,CAAC;AAGvB,OAAO,EACL,iBAAiB,EACjB,KAAK,wBAAwB,GAC9B,MAAM,sBAAsB,CAAC;AAG9B,OAAO,EACL,oBAAoB,EACpB,KAAK,oBAAoB,EACzB,KAAK,iBAAiB,GACvB,MAAM,cAAc,CAAC"}
|
package/dist/secrets/index.js
CHANGED
|
@@ -4,15 +4,17 @@
|
|
|
4
4
|
* This module provides:
|
|
5
5
|
* - SecretProvider interface for implementing custom providers
|
|
6
6
|
* - Secret resolution utilities for test monitors
|
|
7
|
-
* - Built-in
|
|
7
|
+
* - Built-in provider: env
|
|
8
8
|
* - Factory functions for creating providers from configuration
|
|
9
|
+
*
|
|
10
|
+
* AWS secrets are resolved via the hub's POST /secrets/resolve endpoint.
|
|
9
11
|
*/
|
|
10
12
|
// Core types
|
|
11
13
|
export { SecretResolutionError, isSecretRef, isStringLiteral, } from "./types.js";
|
|
12
14
|
// Resolution utilities
|
|
13
15
|
export { resolveSecretsInMonitor, collectSecretsFromMonitor, planHasSecrets, } from "./resolver.js";
|
|
14
16
|
// Providers
|
|
15
|
-
export { EnvSecretProvider,
|
|
17
|
+
export { EnvSecretProvider, } from "./providers/index.js";
|
|
16
18
|
// Factory functions
|
|
17
19
|
export { createSecretProvider, } from "./factory.js";
|
|
18
20
|
//# sourceMappingURL=index.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/secrets/index.ts"],"names":[],"mappings":"AAAA
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/secrets/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,aAAa;AACb,OAAO,EAKL,qBAAqB,EACrB,WAAW,EACX,eAAe,GAChB,MAAM,YAAY,CAAC;AAEpB,uBAAuB;AACvB,OAAO,EACL,uBAAuB,EACvB,yBAAyB,EACzB,cAAc,GACf,MAAM,eAAe,CAAC;AAEvB,YAAY;AACZ,OAAO,EACL,iBAAiB,GAElB,MAAM,sBAAsB,CAAC;AAE9B,oBAAoB;AACpB,OAAO,EACL,oBAAoB,GAGrB,MAAM,cAAc,CAAC"}
|
|
@@ -1,13 +1,12 @@
|
|
|
1
1
|
/**
|
|
2
2
|
* AWS Secrets Manager secret provider.
|
|
3
3
|
*
|
|
4
|
-
*
|
|
5
|
-
*
|
|
4
|
+
* Resolves secrets from a single consolidated AWS Secrets Manager secret
|
|
5
|
+
* whose value is a JSON KV map. The secret is identified by `secretId`
|
|
6
|
+
* (e.g. "orgId/environment") and individual secret names are keys in that map.
|
|
6
7
|
*
|
|
7
8
|
* Usage in DSL:
|
|
8
|
-
* secret("aws:
|
|
9
|
-
* secret("aws:prod/api-keys", { field: "stripe" })
|
|
10
|
-
* secret("aws:my-secret", { version: "AWSPREVIOUS" })
|
|
9
|
+
* secret("aws:MY_SECRET")
|
|
11
10
|
*/
|
|
12
11
|
import type { SecretProvider, SecretResolveOptions } from "../types.js";
|
|
13
12
|
/**
|
|
@@ -30,11 +29,10 @@ export interface AwsSecretsManagerProviderOptions {
|
|
|
30
29
|
*/
|
|
31
30
|
client: AwsSecretsManagerClient;
|
|
32
31
|
/**
|
|
33
|
-
*
|
|
34
|
-
*
|
|
35
|
-
* will look for "myapp/api-key" in Secrets Manager.
|
|
32
|
+
* The full Secrets Manager secret ID (e.g. "orgId/environment").
|
|
33
|
+
* All secrets for this org+env are stored as a JSON KV map in this single secret.
|
|
36
34
|
*/
|
|
37
|
-
|
|
35
|
+
secretId: string;
|
|
38
36
|
/**
|
|
39
37
|
* Default version stage to use if not specified.
|
|
40
38
|
* Defaults to "AWSCURRENT".
|
|
@@ -44,16 +42,16 @@ export interface AwsSecretsManagerProviderOptions {
|
|
|
44
42
|
export declare class AwsSecretsManagerProvider implements SecretProvider {
|
|
45
43
|
readonly name = "aws";
|
|
46
44
|
private readonly client;
|
|
47
|
-
private readonly
|
|
45
|
+
private readonly secretId;
|
|
48
46
|
private readonly defaultVersionStage;
|
|
49
47
|
private cache;
|
|
50
48
|
private readonly cacheTtlMs;
|
|
51
49
|
constructor(options: AwsSecretsManagerProviderOptions);
|
|
52
50
|
resolve(ref: string, options?: SecretResolveOptions): Promise<string>;
|
|
53
51
|
/**
|
|
54
|
-
*
|
|
52
|
+
* Fetch and cache the entire KV map from the consolidated SM secret.
|
|
55
53
|
*/
|
|
56
|
-
private
|
|
54
|
+
private fetchKvMap;
|
|
57
55
|
validate(): Promise<void>;
|
|
58
56
|
/**
|
|
59
57
|
* Clear the cache. Useful for testing or forced refresh.
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"aws.d.ts","sourceRoot":"","sources":["../../../src/secrets/providers/aws.ts"],"names":[],"mappings":"AAAA
|
|
1
|
+
{"version":3,"file":"aws.d.ts","sourceRoot":"","sources":["../../../src/secrets/providers/aws.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AAGxE;;;GAGG;AACH,MAAM,WAAW,uBAAuB;IACtC,cAAc,CAAC,MAAM,EAAE;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,YAAY,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC;QAC3E,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB,YAAY,CAAC,EAAE,UAAU,CAAC;KAC3B,CAAC,CAAC;CACJ;AAED,MAAM,WAAW,gCAAgC;IAC/C;;;OAGG;IACH,MAAM,EAAE,uBAAuB,CAAC;IAEhC;;;OAGG;IACH,QAAQ,EAAE,MAAM,CAAC;IAEjB;;;OAGG;IACH,mBAAmB,CAAC,EAAE,MAAM,CAAC;CAC9B;AAED,qBAAa,yBAA0B,YAAW,cAAc;IAC9D,QAAQ,CAAC,IAAI,SAAS;IACtB,OAAO,CAAC,QAAQ,CAAC,MAAM,CAA0B;IACjD,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAS;IAClC,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAAS;IAG7C,OAAO,CAAC,KAAK,CACN;IACP,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAiB;gBAEhC,OAAO,EAAE,gCAAgC;IAM/C,OAAO,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,oBAAoB,GAAG,OAAO,CAAC,MAAM,CAAC;IAgB3E;;OAEG;YACW,UAAU;IAoElB,QAAQ,IAAI,OAAO,CAAC,IAAI,CAAC;IAI/B;;OAEG;IACH,UAAU,IAAI,IAAI;CAGnB"}
|
|
@@ -1,110 +1,96 @@
|
|
|
1
1
|
/**
|
|
2
2
|
* AWS Secrets Manager secret provider.
|
|
3
3
|
*
|
|
4
|
-
*
|
|
5
|
-
*
|
|
4
|
+
* Resolves secrets from a single consolidated AWS Secrets Manager secret
|
|
5
|
+
* whose value is a JSON KV map. The secret is identified by `secretId`
|
|
6
|
+
* (e.g. "orgId/environment") and individual secret names are keys in that map.
|
|
6
7
|
*
|
|
7
8
|
* Usage in DSL:
|
|
8
|
-
* secret("aws:
|
|
9
|
-
* secret("aws:prod/api-keys", { field: "stripe" })
|
|
10
|
-
* secret("aws:my-secret", { version: "AWSPREVIOUS" })
|
|
9
|
+
* secret("aws:MY_SECRET")
|
|
11
10
|
*/
|
|
12
11
|
import { SecretResolutionError } from "../types.js";
|
|
13
12
|
export class AwsSecretsManagerProvider {
|
|
14
13
|
name = "aws";
|
|
15
14
|
client;
|
|
16
|
-
|
|
15
|
+
secretId;
|
|
17
16
|
defaultVersionStage;
|
|
18
|
-
//
|
|
19
|
-
cache =
|
|
17
|
+
// Cache the entire KV map with TTL
|
|
18
|
+
cache = null;
|
|
20
19
|
cacheTtlMs = 5 * 60 * 1000; // 5 minutes
|
|
21
20
|
constructor(options) {
|
|
22
21
|
this.client = options.client;
|
|
23
|
-
this.
|
|
22
|
+
this.secretId = options.secretId;
|
|
24
23
|
this.defaultVersionStage = options.defaultVersionStage ?? "AWSCURRENT";
|
|
25
24
|
}
|
|
26
25
|
async resolve(ref, options) {
|
|
27
|
-
const
|
|
28
|
-
const
|
|
29
|
-
|
|
30
|
-
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
|
|
26
|
+
const kvMap = await this.fetchKvMap(options?.version ?? this.defaultVersionStage);
|
|
27
|
+
const value = kvMap[ref];
|
|
28
|
+
if (value === undefined) {
|
|
29
|
+
throw new SecretResolutionError(`Secret key "${ref}" not found in consolidated secret "${this.secretId}"`, { ref });
|
|
30
|
+
}
|
|
31
|
+
return value;
|
|
32
|
+
}
|
|
33
|
+
/**
|
|
34
|
+
* Fetch and cache the entire KV map from the consolidated SM secret.
|
|
35
|
+
*/
|
|
36
|
+
async fetchKvMap(versionStage) {
|
|
37
|
+
if (this.cache && this.cache.expires > Date.now()) {
|
|
38
|
+
return this.cache.value;
|
|
34
39
|
}
|
|
35
40
|
try {
|
|
36
41
|
const response = await this.client.getSecretValue({
|
|
37
|
-
SecretId: secretId,
|
|
42
|
+
SecretId: this.secretId,
|
|
38
43
|
VersionStage: versionStage,
|
|
39
44
|
});
|
|
40
45
|
if (!response.SecretString) {
|
|
41
|
-
throw new SecretResolutionError(`Secret "${secretId}" does not contain a string value (binary secrets are not supported)`, { ref });
|
|
46
|
+
throw new SecretResolutionError(`Secret "${this.secretId}" does not contain a string value (binary secrets are not supported)`, { ref: this.secretId });
|
|
47
|
+
}
|
|
48
|
+
let parsed;
|
|
49
|
+
try {
|
|
50
|
+
parsed = JSON.parse(response.SecretString);
|
|
51
|
+
}
|
|
52
|
+
catch {
|
|
53
|
+
throw new SecretResolutionError(`Secret "${this.secretId}" is not valid JSON`, { ref: this.secretId });
|
|
42
54
|
}
|
|
43
|
-
|
|
44
|
-
|
|
45
|
-
|
|
55
|
+
if (typeof parsed !== "object" || parsed === null || Array.isArray(parsed)) {
|
|
56
|
+
throw new SecretResolutionError(`Secret "${this.secretId}" is not a JSON object`, { ref: this.secretId });
|
|
57
|
+
}
|
|
58
|
+
const kvMap = parsed;
|
|
59
|
+
this.cache = {
|
|
60
|
+
value: kvMap,
|
|
46
61
|
expires: Date.now() + this.cacheTtlMs,
|
|
47
|
-
}
|
|
48
|
-
return
|
|
62
|
+
};
|
|
63
|
+
return kvMap;
|
|
49
64
|
}
|
|
50
65
|
catch (error) {
|
|
51
66
|
if (error instanceof SecretResolutionError) {
|
|
52
67
|
throw error;
|
|
53
68
|
}
|
|
54
|
-
// Handle common AWS errors
|
|
55
69
|
const awsError = error;
|
|
56
|
-
let message = `Failed to retrieve secret "${secretId}"`;
|
|
70
|
+
let message = `Failed to retrieve secret "${this.secretId}"`;
|
|
57
71
|
if (awsError.name === "ResourceNotFoundException") {
|
|
58
|
-
message = `Secret "${secretId}" not found in AWS Secrets Manager`;
|
|
72
|
+
message = `Secret "${this.secretId}" not found in AWS Secrets Manager`;
|
|
59
73
|
}
|
|
60
74
|
else if (awsError.name === "AccessDeniedException") {
|
|
61
|
-
message = `Access denied to secret "${secretId}". Check IAM permissions.`;
|
|
75
|
+
message = `Access denied to secret "${this.secretId}". Check IAM permissions.`;
|
|
62
76
|
}
|
|
63
77
|
else if (awsError.message) {
|
|
64
78
|
message = `${message}: ${awsError.message}`;
|
|
65
79
|
}
|
|
66
80
|
throw new SecretResolutionError(message, {
|
|
67
|
-
ref,
|
|
81
|
+
ref: this.secretId,
|
|
68
82
|
cause: error,
|
|
69
83
|
});
|
|
70
84
|
}
|
|
71
85
|
}
|
|
72
|
-
/**
|
|
73
|
-
* Extract a field from a JSON secret string.
|
|
74
|
-
*/
|
|
75
|
-
extractField(secretValue, field, ref) {
|
|
76
|
-
if (!field) {
|
|
77
|
-
return secretValue;
|
|
78
|
-
}
|
|
79
|
-
try {
|
|
80
|
-
const parsed = JSON.parse(secretValue);
|
|
81
|
-
if (typeof parsed !== "object" || parsed === null) {
|
|
82
|
-
throw new SecretResolutionError(`Secret "${ref}" is not a JSON object, cannot extract field "${field}"`, { ref });
|
|
83
|
-
}
|
|
84
|
-
const value = parsed[field];
|
|
85
|
-
if (value === undefined) {
|
|
86
|
-
throw new SecretResolutionError(`Field "${field}" not found in secret "${ref}"`, { ref });
|
|
87
|
-
}
|
|
88
|
-
// Convert to string if not already
|
|
89
|
-
return typeof value === "string" ? value : JSON.stringify(value);
|
|
90
|
-
}
|
|
91
|
-
catch (error) {
|
|
92
|
-
if (error instanceof SecretResolutionError) {
|
|
93
|
-
throw error;
|
|
94
|
-
}
|
|
95
|
-
throw new SecretResolutionError(`Failed to parse secret "${ref}" as JSON for field extraction: ${error instanceof Error ? error.message : String(error)}`, { ref, cause: error });
|
|
96
|
-
}
|
|
97
|
-
}
|
|
98
86
|
async validate() {
|
|
99
|
-
//
|
|
100
|
-
// This is a no-op if the client is properly configured
|
|
101
|
-
// The actual validation happens on first secret access
|
|
87
|
+
// Validation happens on first secret access
|
|
102
88
|
}
|
|
103
89
|
/**
|
|
104
90
|
* Clear the cache. Useful for testing or forced refresh.
|
|
105
91
|
*/
|
|
106
92
|
clearCache() {
|
|
107
|
-
this.cache
|
|
93
|
+
this.cache = null;
|
|
108
94
|
}
|
|
109
95
|
}
|
|
110
96
|
//# sourceMappingURL=aws.js.map
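Review bot: `fetchKvMap(versionStage)` returns `this.cache.value` whenever the single cache entry is unexpired and never checks which stage that entry was fetched for, so a `resolve()` call with a different `options.version` inside the 5-minute TTL silently gets the map of whichever stage was loaded first. Storing the stage in the cache entry and comparing it, `if (this.cache && this.cache.versionStage === versionStage && this.cache.expires > Date.now())`, would keep stages apart. In `resolve`, `kvMap[ref]` is only compared with `undefined`, so a non-string JSON value or an inherited property name such as `constructor` is returned even though the declaration promises `Promise<string>`; a guard like `if (!Object.hasOwn(kvMap, ref) || typeof kvMap[ref] !== "string")` before the return would reject both. The file list shows `package/src/secrets/providers/aws.ts` removed (+0 -178) while this dist file is still shipped and modified, so the published JavaScript apparently has no source in the package to audit it against; worth confirming whether it belongs in the tarball.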
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"aws.js","sourceRoot":"","sources":["../../../src/secrets/providers/aws.ts"],"names":[],"mappings":"AAAA
|
|
1
|
+
{"version":3,"file":"aws.js","sourceRoot":"","sources":["../../../src/secrets/providers/aws.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAGH,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAiCpD,MAAM,OAAO,yBAAyB;IAC3B,IAAI,GAAG,KAAK,CAAC;IACL,MAAM,CAA0B;IAChC,QAAQ,CAAS;IACjB,mBAAmB,CAAS;IAE7C,mCAAmC;IAC3B,KAAK,GACX,IAAI,CAAC;IACU,UAAU,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,YAAY;IAEzD,YAAY,OAAyC;QACnD,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;QAC7B,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;QACjC,IAAI,CAAC,mBAAmB,GAAG,OAAO,CAAC,mBAAmB,IAAI,YAAY,CAAC;IACzE,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,GAAW,EAAE,OAA8B;QACvD,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,UAAU,CACjC,OAAO,EAAE,OAAO,IAAI,IAAI,CAAC,mBAAmB,CAC7C,CAAC;QAEF,MAAM,KAAK,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC;QACzB,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;YACxB,MAAM,IAAI,qBAAqB,CAC7B,eAAe,GAAG,uCAAuC,IAAI,CAAC,QAAQ,GAAG,EACzE,EAAE,GAAG,EAAE,CACR,CAAC;QACJ,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,UAAU,CACtB,YAAoB;QAEpB,IAAI,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;YAClD,OAAO,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC;QAC1B,CAAC;QAED,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC;gBAChD,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,YAAY,EAAE,YAAY;aAC3B,CAAC,CAAC;YAEH,IAAI,CAAC,QAAQ,CAAC,YAAY,EAAE,CAAC;gBAC3B,MAAM,IAAI,qBAAqB,CAC7B,WAAW,IAAI,CAAC,QAAQ,sEAAsE,EAC9F,EAAE,GAAG,EAAE,IAAI,CAAC,QAAQ,EAAE,CACvB,CAAC;YACJ,CAAC;YAED,IAAI,MAAe,CAAC;YACpB,IAAI,CAAC;gBACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC;YAC7C,CAAC;YAAC,MAAM,CAAC;gBACP,MAAM,IAAI,qBAAqB,CAC7B,WAAW,IAAI,CAAC,QAAQ,qBAAqB,EAC7C,EAAE,GAAG,EAAE,IAAI,CAAC,QAAQ,EAAE,CACvB,CAAC;YACJ,CAAC;YAED,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,KAAK,IAAI,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;gBAC3E,MAAM,IAAI,qBAAqB,CAC7B,WAAW,IAAI,CAAC,QAAQ,wBAAwB,EAChD,EAAE,GAAG,EAAE,IAAI,CAAC,QAAQ,EAAE,CACvB,CAAC;YACJ,CAAC;YAED,MAAM,KAAK,GAAG,MAAgC,CAAC;YAE/C,IAAI,CAAC,KAAK,GAAG;gBACX,KAAK,EAAE,KAAK;gBACZ,OAAO,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,UAAU;aACtC,CAAC;YAEF,OA
AO,KAAK,CAAC;QACf,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,qBAAqB,EAAE,CAAC;gBAC3C,MAAM,KAAK,CAAC;YACd,CAAC;YAED,MAAM,QAAQ,GAAG,KAA4C,CAAC;YAC9D,IAAI,OAAO,GAAG,8BAA8B,IAAI,CAAC,QAAQ,GAAG,CAAC;YAE7D,IAAI,QAAQ,CAAC,IAAI,KAAK,2BAA2B,EAAE,CAAC;gBAClD,OAAO,GAAG,WAAW,IAAI,CAAC,QAAQ,oCAAoC,CAAC;YACzE,CAAC;iBAAM,IAAI,QAAQ,CAAC,IAAI,KAAK,uBAAuB,EAAE,CAAC;gBACrD,OAAO,GAAG,4BAA4B,IAAI,CAAC,QAAQ,2BAA2B,CAAC;YACjF,CAAC;iBAAM,IAAI,QAAQ,CAAC,OAAO,EAAE,CAAC;gBAC5B,OAAO,GAAG,GAAG,OAAO,KAAK,QAAQ,CAAC,OAAO,EAAE,CAAC;YAC9C,CAAC;YAED,MAAM,IAAI,qBAAqB,CAAC,OAAO,EAAE;gBACvC,GAAG,EAAE,IAAI,CAAC,QAAQ;gBAClB,KAAK,EAAE,KAAK;aACb,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,KAAK,CAAC,QAAQ;QACZ,4CAA4C;IAC9C,CAAC;IAED;;OAEG;IACH,UAAU;QACR,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC;IACpB,CAAC;CACF"}
|
|
@@ -2,6 +2,4 @@
|
|
|
2
2
|
* Secret provider implementations.
|
|
3
3
|
*/
|
|
4
4
|
export { EnvSecretProvider, type EnvSecretProviderOptions } from "./env.js";
|
|
5
|
-
export { AwsSecretsManagerProvider, type AwsSecretsManagerProviderOptions, type AwsSecretsManagerClient, } from "./aws.js";
|
|
6
|
-
export { VaultProvider, type VaultProviderOptions, type VaultHttpClient, } from "./vault.js";
|
|
7
5
|
//# sourceMappingURL=index.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/secrets/providers/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,iBAAiB,EAAE,KAAK,wBAAwB,EAAE,MAAM,UAAU,CAAC
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/secrets/providers/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,iBAAiB,EAAE,KAAK,wBAAwB,EAAE,MAAM,UAAU,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/secrets/providers/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,iBAAiB,EAAiC,MAAM,UAAU,CAAC
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/secrets/providers/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,iBAAiB,EAAiC,MAAM,UAAU,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"resolver.d.ts","sourceRoot":"","sources":["../../src/secrets/resolver.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,OAAO,EAAE,KAAK,SAAS,EAAE,MAAM,8BAA8B,CAAC;AAC9D,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AACjD,OAAO,KAAK,EAAa,aAAa,EAAE,MAAM,YAAY,CAAC;
|
|
1
|
+
{"version":3,"file":"resolver.d.ts","sourceRoot":"","sources":["../../src/secrets/resolver.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,OAAO,EAAE,KAAK,SAAS,EAAE,MAAM,8BAA8B,CAAC;AAC9D,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AACjD,OAAO,KAAK,EAAa,aAAa,EAAE,MAAM,YAAY,CAAC;AAO3D;;GAEG;AACH,UAAU,gBAAgB;IACxB,yCAAyC;IACzC,IAAI,EAAE,aAAa,EAAE,CAAC;IACtB,wDAAwD;IACxD,KAAK,EAAE,KAAK,CAAC;QACX,IAAI,EAAE,CAAC,MAAM,GAAG,MAAM,CAAC,EAAE,CAAC;QAC1B,SAAS,EAAE,aAAa,CAAC;KAC1B,CAAC,CAAC;IACH,8DAA8D;IAC9D,YAAY,EAAE,KAAK,CAAC;QAClB,IAAI,EAAE,CAAC,MAAM,GAAG,MAAM,CAAC,EAAE,CAAC;QAC1B,KAAK,EAAE,MAAM,CAAC;KACf,CAAC,CAAC;CACJ;AAgDD;;;GAGG;AACH,wBAAgB,yBAAyB,CACvC,OAAO,EAAE,SAAS,GACjB,gBAAgB,CAoDlB;AAsCD;;;;;;;;GAQG;AACH,wBAAsB,uBAAuB,CAC3C,OAAO,EAAE,SAAS,EAClB,QAAQ,EAAE,cAAc,GAAG,IAAI,GAC9B,OAAO,CAAC,SAAS,CAAC,CAqCpB;AAED;;;GAGG;AACH,wBAAgB,cAAc,CAAC,OAAO,EAAE,SAAS,GAAG,OAAO,CAsB1D"}
|
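--- a/package/dist/secrets/resolver.js
+++ b/package/dist/secrets/resolver.js
@@ -1,4 +1,4 @@
-import { isSecretRef, isStringLiteral, SecretResolutionError } from "./types.js";
+import { isSecretRef, isStringLiteral, SecretResolutionError, } from "./types.js";
 /**
  * Recursively collect all secret references and string literals from a value.
  * @param value - The value to scan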
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"resolver.js","sourceRoot":"","sources":["../../src/secrets/resolver.ts"],"names":[],"mappings":"AAMA,OAAO,
|
|
1
|
+
{"version":3,"file":"resolver.js","sourceRoot":"","sources":["../../src/secrets/resolver.ts"],"names":[],"mappings":"AAMA,OAAO,EACL,WAAW,EACX,eAAe,EACf,qBAAqB,GACtB,MAAM,YAAY,CAAC;AAoBpB;;;;;GAKG;AACH,SAAS,uBAAuB,CAC9B,KAAc,EACd,WAAgC,EAChC,SAA2B;IAE3B,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;QAC1C,OAAO;IACT,CAAC;IAED,IAAI,WAAW,CAAC,KAAK,CAAC,EAAE,CAAC;QACvB,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QACnC,SAAS,CAAC,KAAK,CAAC,IAAI,CAAC;YACnB,IAAI,EAAE,CAAC,GAAG,WAAW,CAAC;YACtB,SAAS,EAAE,KAAK,CAAC,OAAO;SACzB,CAAC,CAAC;QACH,OAAO;IACT,CAAC;IAED,IAAI,eAAe,CAAC,KAAK,CAAC,EAAE,CAAC;QAC3B,SAAS,CAAC,YAAY,CAAC,IAAI,CAAC;YAC1B,IAAI,EAAE,CAAC,GAAG,WAAW,CAAC;YACtB,KAAK,EAAE,KAAK,CAAC,QAAQ;SACtB,CAAC,CAAC;QACH,OAAO;IACT,CAAC;IAED,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACzB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,uBAAuB,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,WAAW,EAAE,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC;QACpE,CAAC;QACD,OAAO;IACT,CAAC;IAED,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,KAAK,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;YAC/C,uBAAuB,CAAC,GAAG,EAAE,CAAC,GAAG,WAAW,EAAE,GAAG,CAAC,EAAE,SAAS,CAAC,CAAC;QACjE,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,yBAAyB,CACvC,OAAkB;IAElB,MAAM,SAAS,GAAqB;QAClC,IAAI,EAAE,EAAE;QACR,KAAK,EAAE,EAAE;QACT,YAAY,EAAE,EAAE;KACjB,CAAC;IAEF,KAAK,IAAI,SAAS,GAAG,CAAC,EAAE,SAAS,GAAG,OAAO,CAAC,KAAK,CAAC,MAAM,EAAE,SAAS,EAAE,EAAE,CAAC;QACtE,MAAM,IAAI,GAAG,OAAO,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;QAEtC,wDAAwD;QACxD,IAAI,IAAI,CAAC,IAAI,KAAK,cAAc,EAAE,CAAC;YACjC,SAAS;QACX,CAAC;QAED,wBAAwB;QAExB,eAAe;QACf,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YACjB,KAAK,MAAM,CAAC,SAAS,EAAE,WAAW,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;gBACpE,uBAAuB,CACrB,WAAW,EACX,CAAC,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,SAAS,CAAC,EAC1C,SAAS,CACV,CAAC;YACJ,CAAC;QACH,CAAC;QAED,YAAY;QACZ,IAAI,IAAI,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;YAC5B,uBAAuB,CACrB,IAAI,CAAC,IAAI,EACT,CAAC,OAAO,EAAE,SAAS,EAAE,MA
AM,CAAC,EAC5B,SAAS,CACV,CAAC;QACJ,CAAC;IACH,CAAC;IAED,4CAA4C;IAC5C,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAC/B,MAAM,UAAU,GAAoB,EAAE,CAAC;IAEvC,KAAK,MAAM,GAAG,IAAI,SAAS,CAAC,IAAI,EAAE,CAAC;QACjC,MAAM,GAAG,GAAG,GAAG,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,OAAO,IAAI,EAAE,IAAI,GAAG,CAAC,KAAK,IAAI,EAAE,EAAE,CAAC;QACjE,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;YACnB,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YACd,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACvB,CAAC;IACH,CAAC;IAED,SAAS,CAAC,IAAI,GAAG,UAAU,CAAC;IAC5B,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;;GAGG;AACH,SAAS,SAAS,CAChB,GAAY,EACZ,IAAyB,EACzB,KAAc;IAEd,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtB,OAAO;IACT,CAAC;IAED,IAAI,OAAO,GAAQ,GAAG,CAAC;IACvB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QACzC,MAAM,GAAG,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;QACpB,IAAI,OAAO,CAAC,GAAG,CAAC,KAAK,SAAS,EAAE,CAAC;YAC/B,6DAA6D;YAC7D,OAAO,CAAC,GAAG,CAAC,GAAG,OAAO,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC3D,CAAC;QACD,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC;IACzB,CAAC;IAED,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,GAAG,KAAK,CAAC;AACzC,CAAC;AAED;;GAEG;AACH,SAAS,SAAS,CAAI,KAAQ;IAC5B,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;QAC1C,OAAO,KAAK,CAAC;IACf,CAAC;IACD,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC;AAC3C,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,OAAkB,EAClB,QAA+B;IAE/B,oDAAoD;IACpD,MAAM,SAAS,GAAG,yBAAyB,CAAC,OAAO,CAAC,CAAC;IAErD,IAAI,SAAS,CAAC,IAAI,CAAC,MAAM,KAAK,CAAC,IAAI,SAAS,CAAC,YAAY,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvE,oCAAoC;QACpC,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,wDAAwD;IACxD,IAAI,SAAS,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC;QAC3C,MAAM,IAAI,qBAAqB,CAC7B,wEAAwE,EACxE,EAAE,GAAG,EAAE,SAAS,EAAE,CACnB,CAAC;IACJ,CAAC;IAED,qCAAqC;IACrC,MAAM,eAAe,GAAG,SAAS,CAAC,OAAO,CAAC,CAAC;IAE3C,iDAAiD;IACjD,IAAI,QAAQ,EAAE,CAAC;QACb,KAAK,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,SAAS,CAAC,KAAK,EAAE,CAAC;YAClD,MAAM,KAAK,GAAG,MAAM,QAAQ,
CAAC,OAAO,CAAC,SAAS,CAAC,GAAG,EAAE;gBAClD,OAAO,EAAE,SAAS,CAAC,OAAO;gBAC1B,KAAK,EAAE,SAAS,CAAC,KAAK;aACvB,CAAC,CAAC;YACH,SAAS,CAAC,eAAe,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC;QAC1C,CAAC;IACH,CAAC;IAED,sCAAsC;IACtC,KAAK,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,SAAS,CAAC,YAAY,EAAE,CAAC;QACrD,SAAS,CAAC,eAAe,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC;IAC1C,CAAC;IAED,OAAO,eAAe,CAAC;AACzB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,cAAc,CAAC,OAAkB;IAC/C,KAAK,MAAM,IAAI,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;QACjC,IAAI,IAAI,CAAC,IAAI,KAAK,cAAc,EAAE,CAAC;YACjC,SAAS;QACX,CAAC;QAED,gBAAgB;QAChB,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YACjB,KAAK,MAAM,WAAW,IAAI,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;gBACtD,IAAI,WAAW,CAAC,WAAW,CAAC,IAAI,eAAe,CAAC,WAAW,CAAC,EAAE,CAAC;oBAC7D,OAAO,IAAI,CAAC;gBACd,CAAC;YACH,CAAC;QACH,CAAC;QAED,+BAA+B;QAC/B,IAAI,IAAI,CAAC,IAAI,KAAK,SAAS,IAAI,uBAAuB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YAClE,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;GAEG;AACH,SAAS,uBAAuB,CAAC,KAAc;IAC7C,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;QAC1C,OAAO,KAAK,CAAC;IACf,CAAC;IAED,IAAI,WAAW,CAAC,KAAK,CAAC,IAAI,eAAe,CAAC,KAAK,CAAC,EAAE,CAAC;QACjD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACzB,OAAO,KAAK,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;IAC7C,CAAC;IAED,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,OAAO,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;IAC5D,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC"}
|