npm - @griffin-app/griffin-executor - Versions diffs - 0.1.0 - Mend

@griffin-app/griffin-executor 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (153) hide show

package/README.md +152 -0
package/dist/adapters/axios.d.ts +5 -0
package/dist/adapters/axios.d.ts.map +1 -0
package/dist/adapters/axios.js +36 -0
package/dist/adapters/axios.js.map +1 -0
package/dist/adapters/index.d.ts +3 -0
package/dist/adapters/index.d.ts.map +1 -0
package/dist/adapters/index.js +3 -0
package/dist/adapters/index.js.map +1 -0
package/dist/adapters/stub.d.ts +22 -0
package/dist/adapters/stub.d.ts.map +1 -0
package/dist/adapters/stub.js +36 -0
package/dist/adapters/stub.js.map +1 -0
package/dist/events/adapters/in-memory.d.ts +52 -0
package/dist/events/adapters/in-memory.d.ts.map +1 -0
package/dist/events/adapters/in-memory.js +70 -0
package/dist/events/adapters/in-memory.js.map +1 -0
package/dist/events/adapters/in-memory.test.d.ts +2 -0
package/dist/events/adapters/in-memory.test.d.ts.map +1 -0
package/dist/events/adapters/in-memory.test.js +109 -0
package/dist/events/adapters/in-memory.test.js.map +1 -0
package/dist/events/adapters/index.d.ts +9 -0
package/dist/events/adapters/index.d.ts.map +1 -0
package/dist/events/adapters/index.js +9 -0
package/dist/events/adapters/index.js.map +1 -0
package/dist/events/adapters/kinesis.d.ts +91 -0
package/dist/events/adapters/kinesis.d.ts.map +1 -0
package/dist/events/adapters/kinesis.js +136 -0
package/dist/events/adapters/kinesis.js.map +1 -0
package/dist/events/adapters/kinesis.test.d.ts +2 -0
package/dist/events/adapters/kinesis.test.d.ts.map +1 -0
package/dist/events/adapters/kinesis.test.js +249 -0
package/dist/events/adapters/kinesis.test.js.map +1 -0
package/dist/events/emitter.d.ts +68 -0
package/dist/events/emitter.d.ts.map +1 -0
package/dist/events/emitter.js +83 -0
package/dist/events/emitter.js.map +1 -0
package/dist/events/emitter.test.d.ts +2 -0
package/dist/events/emitter.test.d.ts.map +1 -0
package/dist/events/emitter.test.js +262 -0
package/dist/events/emitter.test.js.map +1 -0
package/dist/events/index.d.ts +4 -0
package/dist/events/index.d.ts.map +1 -0
package/dist/events/index.js +4 -0
package/dist/events/index.js.map +1 -0
package/dist/events/types.d.ts +112 -0
package/dist/events/types.d.ts.map +1 -0
package/dist/events/types.js +9 -0
package/dist/events/types.js.map +1 -0
package/dist/executor.d.ts +4 -0
package/dist/executor.d.ts.map +1 -0
package/dist/executor.js +799 -0
package/dist/executor.js.map +1 -0
package/dist/executor.test.d.ts +2 -0
package/dist/executor.test.d.ts.map +1 -0
package/dist/executor.test.js +1584 -0
package/dist/executor.test.js.map +1 -0
package/dist/index.d.ts +9 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +15 -0
package/dist/index.js.map +1 -0
package/dist/secrets/factory.d.ts +121 -0
package/dist/secrets/factory.d.ts.map +1 -0
package/dist/secrets/factory.js +137 -0
package/dist/secrets/factory.js.map +1 -0
package/dist/secrets/index.d.ts +14 -0
package/dist/secrets/index.d.ts.map +1 -0
package/dist/secrets/index.js +18 -0
package/dist/secrets/index.js.map +1 -0
package/dist/secrets/providers/aws.d.ts +63 -0
package/dist/secrets/providers/aws.d.ts.map +1 -0
package/dist/secrets/providers/aws.js +110 -0
package/dist/secrets/providers/aws.js.map +1 -0
package/dist/secrets/providers/env.d.ts +36 -0
package/dist/secrets/providers/env.d.ts.map +1 -0
package/dist/secrets/providers/env.js +37 -0
package/dist/secrets/providers/env.js.map +1 -0
package/dist/secrets/providers/index.d.ts +7 -0
package/dist/secrets/providers/index.d.ts.map +1 -0
package/dist/secrets/providers/index.js +7 -0
package/dist/secrets/providers/index.js.map +1 -0
package/dist/secrets/providers/vault.d.ts +75 -0
package/dist/secrets/providers/vault.d.ts.map +1 -0
package/dist/secrets/providers/vault.js +143 -0
package/dist/secrets/providers/vault.js.map +1 -0
package/dist/secrets/registry.d.ts +39 -0
package/dist/secrets/registry.d.ts.map +1 -0
package/dist/secrets/registry.js +134 -0
package/dist/secrets/registry.js.map +1 -0
package/dist/secrets/resolver.d.ts +45 -0
package/dist/secrets/resolver.d.ts.map +1 -0
package/dist/secrets/resolver.js +188 -0
package/dist/secrets/resolver.js.map +1 -0
package/dist/secrets/secrets.test.d.ts +2 -0
package/dist/secrets/secrets.test.d.ts.map +1 -0
package/dist/secrets/secrets.test.js +317 -0
package/dist/secrets/secrets.test.js.map +1 -0
package/dist/secrets/types.d.ts +70 -0
package/dist/secrets/types.d.ts.map +1 -0
package/dist/secrets/types.js +42 -0
package/dist/secrets/types.js.map +1 -0
package/dist/shared.d.ts +8 -0
package/dist/shared.d.ts.map +1 -0
package/dist/shared.js +30 -0
package/dist/shared.js.map +1 -0
package/dist/test-monitor-types.d.ts +43 -0
package/dist/test-monitor-types.d.ts.map +1 -0
package/dist/test-monitor-types.js +2 -0
package/dist/test-monitor-types.js.map +1 -0
package/dist/test-plan-types.d.ts +43 -0
package/dist/test-plan-types.d.ts.map +1 -0
package/dist/test-plan-types.js +2 -0
package/dist/test-plan-types.js.map +1 -0
package/dist/types.d.ts +93 -0
package/dist/types.d.ts.map +1 -0
package/dist/types.js +3 -0
package/dist/types.js.map +1 -0
package/dist/utils/dates.d.ts +11 -0
package/dist/utils/dates.d.ts.map +1 -0
package/dist/utils/dates.js +13 -0
package/dist/utils/dates.js.map +1 -0
package/package.json +39 -0
package/src/adapters/axios.ts +39 -0
package/src/adapters/index.ts +2 -0
package/src/adapters/stub.ts +47 -0
package/src/events/adapters/README.md +144 -0
package/src/events/adapters/in-memory.test.ts +146 -0
package/src/events/adapters/in-memory.ts +93 -0
package/src/events/adapters/index.ts +9 -0
package/src/events/adapters/kinesis.test.ts +323 -0
package/src/events/adapters/kinesis.ts +211 -0
package/src/events/emitter.test.ts +327 -0
package/src/events/emitter.ts +133 -0
package/src/events/index.ts +3 -0
package/src/events/types.ts +136 -0
package/src/executor.test.ts +1732 -0
package/src/executor.ts +1075 -0
package/src/index.ts +81 -0
package/src/secrets/factory.ts +248 -0
package/src/secrets/index.ts +48 -0
package/src/secrets/providers/aws.ts +178 -0
package/src/secrets/providers/env.ts +66 -0
package/src/secrets/providers/index.ts +15 -0
package/src/secrets/providers/vault.ts +257 -0
package/src/secrets/resolver.ts +269 -0
package/src/secrets/secrets.test.ts +402 -0
package/src/secrets/types.ts +106 -0
package/src/shared.ts +46 -0
package/src/test-monitor-types.ts +49 -0
package/src/types.ts +114 -0
package/src/utils/dates.ts +13 -0
package/tsconfig.json +20 -0
package/vitest.config.ts +14 -0

package/src/secrets/providers/vault.ts ADDED Viewed

@@ -0,0 +1,257 @@
+/**
+ * HashiCorp Vault secret provider.
+ *
+ * Reads secrets from HashiCorp Vault KV secrets engine (v1 and v2).
+ * Supports field extraction from JSON secrets.
+ *
+ * Usage in DSL:
+ *   secret("vault:secret/data/myapp/config")
+ *   secret("vault:secret/data/myapp/config", { field: "api_key" })
+ *   secret("vault:secret/data/myapp/config", { version: "2" })
+ */
+import type { SecretProvider, SecretResolveOptions } from "../types.js";
+import { SecretResolutionError } from "../types.js";
+/**
+ * HTTP client interface for Vault API calls.
+ * This allows dependency injection without requiring a specific HTTP library.
+ */
+export interface VaultHttpClient {
+  get(
+    url: string,
+    options: { headers: Record<string, string> },
+  ): Promise<{
+    status: number;
+    data: unknown;
+  }>;
+}
+export interface VaultProviderOptions {
+  /**
+   * Vault server address (e.g., "https://vault.example.com:8200").
+   */
+  address: string;
+  /**
+   * Authentication token.
+   */
+  token: string;
+  /**
+   * HTTP client for making requests to Vault.
+   */
+  httpClient: VaultHttpClient;
+  /**
+   * Optional namespace for Vault Enterprise.
+   */
+  namespace?: string;
+  /**
+   * KV secrets engine version (1 or 2).
+   * Defaults to 2.
+   */
+  kvVersion?: 1 | 2;
+  /**
+   * Optional prefix for secret paths.
+   */
+  prefix?: string;
+}
+export class VaultProvider implements SecretProvider {
+  readonly name = "vault";
+  private readonly address: string;
+  private readonly token: string;
+  private readonly httpClient: VaultHttpClient;
+  private readonly namespace?: string;
+  private readonly kvVersion: 1 | 2;
+  private readonly prefix: string;
+  // Simple in-memory cache with TTL
+  private cache = new Map<
+    string,
+    { value: Record<string, unknown>; expires: number }
+  >();
+  private readonly cacheTtlMs = 5 * 60 * 1000; // 5 minutes
+  constructor(options: VaultProviderOptions) {
+    this.address = options.address.replace(/\/$/, ""); // Remove trailing slash
+    this.token = options.token;
+    this.httpClient = options.httpClient;
+    this.namespace = options.namespace;
+    this.kvVersion = options.kvVersion ?? 2;
+    this.prefix = options.prefix ?? "";
+  }
+  async resolve(ref: string, options?: SecretResolveOptions): Promise<string> {
+    const secretPath = this.prefix + ref;
+    const version = options?.version;
+    const cacheKey = `${secretPath}:${version ?? "latest"}`;
+    // Check cache
+    const cached = this.cache.get(cacheKey);
+    if (cached && cached.expires > Date.now()) {
+      return this.extractField(cached.value, options?.field, ref);
+    }
+    try {
+      // Build request URL
+      let url = `${this.address}/v1/${secretPath}`;
+      if (this.kvVersion === 2 && version) {
+        url += `?version=${version}`;
+      }
+      // Build headers
+      const headers: Record<string, string> = {
+        "X-Vault-Token": this.token,
+      };
+      if (this.namespace) {
+        headers["X-Vault-Namespace"] = this.namespace;
+      }
+      const response = await this.httpClient.get(url, { headers });
+      if (response.status === 404) {
+        throw new SecretResolutionError(
+          `Secret "${secretPath}" not found in Vault`,
+          { ref },
+        );
+      }
+      if (response.status === 403) {
+        throw new SecretResolutionError(
+          `Access denied to secret "${secretPath}". Check Vault policies.`,
+          { ref },
+        );
+      }
+      if (response.status !== 200) {
+        throw new SecretResolutionError(
+          `Vault returned status ${response.status} for secret "${secretPath}"`,
+          { ref },
+        );
+      }
+      // Parse response based on KV version
+      const data = response.data as {
+        data?: Record<string, unknown> | { data?: Record<string, unknown> };
+      };
+      let secretData: Record<string, unknown>;
+      if (this.kvVersion === 2) {
+        // KV v2 wraps data in an extra "data" object
+        const kvData = data?.data as
+          | { data?: Record<string, unknown> }
+          | undefined;
+        if (!kvData?.data) {
+          throw new SecretResolutionError(
+            `Invalid KV v2 response structure for secret "${secretPath}"`,
+            { ref },
+          );
+        }
+        secretData = kvData.data;
+      } else {
+        // KV v1 has data directly
+        if (!data?.data || typeof data.data !== "object") {
+          throw new SecretResolutionError(
+            `Invalid KV v1 response structure for secret "${secretPath}"`,
+            { ref },
+          );
+        }
+        secretData = data.data as Record<string, unknown>;
+      }
+      // Cache the secret data
+      this.cache.set(cacheKey, {
+        value: secretData,
+        expires: Date.now() + this.cacheTtlMs,
+      });
+      return this.extractField(secretData, options?.field, ref);
+    } catch (error) {
+      if (error instanceof SecretResolutionError) {
+        throw error;
+      }
+      throw new SecretResolutionError(
+        `Failed to retrieve secret "${secretPath}" from Vault: ${
+          error instanceof Error ? error.message : String(error)
+        }`,
+        { ref, cause: error },
+      );
+    }
+  }
+  /**
+   * Extract a field from the secret data.
+   * If no field is specified, returns the entire data as JSON string.
+   */
+  private extractField(
+    secretData: Record<string, unknown>,
+    field: string | undefined,
+    ref: string,
+  ): string {
+    if (!field) {
+      // Return entire secret as JSON if no field specified
+      return JSON.stringify(secretData);
+    }
+    const value = secretData[field];
+    if (value === undefined) {
+      throw new SecretResolutionError(
+        `Field "${field}" not found in secret "${ref}"`,
+        { ref },
+      );
+    }
+    // Convert to string if not already
+    return typeof value === "string" ? value : JSON.stringify(value);
+  }
+  async validate(): Promise<void> {
+    // Verify we can authenticate with Vault
+    try {
+      const headers: Record<string, string> = {
+        "X-Vault-Token": this.token,
+      };
+      if (this.namespace) {
+        headers["X-Vault-Namespace"] = this.namespace;
+      }
+      const response = await this.httpClient.get(
+        `${this.address}/v1/auth/token/lookup-self`,
+        { headers },
+      );
+      if (response.status === 403) {
+        throw new Error("Invalid or expired Vault token");
+      }
+      if (response.status !== 200) {
+        throw new Error(
+          `Vault authentication check failed with status ${response.status}`,
+        );
+      }
+    } catch (error) {
+      if (error instanceof Error && error.message.includes("Vault")) {
+        throw error;
+      }
+      throw new Error(
+        `Failed to connect to Vault at ${this.address}: ${
+          error instanceof Error ? error.message : String(error)
+        }`,
+      );
+    }
+  }
+  /**
+   * Clear the cache. Useful for testing or forced refresh.
+   */
+  clearCache(): void {
+    this.cache.clear();
+  }
+}

package/src/secrets/resolver.ts ADDED Viewed

@@ -0,0 +1,269 @@
+/**
+ * Secret resolution utilities for test monitors.
+ */
+import { type MonitorV1 } from "@griffin-app/griffin-hub-sdk";
+import type { SecretProvider } from "./types.js";
+import type { SecretRef, SecretRefData } from "./types.js";
+import { isSecretRef, isStringLiteral, SecretResolutionError } from "./types.js";
+/**
+ * Collected secret references and literals from a monitor.
+ */
+interface CollectedSecrets {
+  /** All unique secret references found */
+  refs: SecretRefData[];
+  /** Paths where secrets were found (for substitution) */
+  paths: Array<{
+    path: (string | number)[];
+    secretRef: SecretRefData;
+  }>;
+  /** Paths where string literals were found (for unwrapping) */
+  literalPaths: Array<{
+    path: (string | number)[];
+    value: string;
+  }>;
+}
+/**
+ * Recursively collect all secret references and string literals from a value.
+ * @param value - The value to scan
+ * @param currentPath - Current path in the object tree
+ * @param collected - Accumulator for found secrets and literals
+ */
+function collectSecretsFromValue(
+  value: unknown,
+  currentPath: (string | number)[],
+  collected: CollectedSecrets,
+): void {
+  if (value === null || value === undefined) {
+    return;
+  }
+  if (isSecretRef(value)) {
+    collected.refs.push(value.$secret);
+    collected.paths.push({
+      path: [...currentPath],
+      secretRef: value.$secret,
+    });
+    return;
+  }
+  if (isStringLiteral(value)) {
+    collected.literalPaths.push({
+      path: [...currentPath],
+      value: value.$literal,
+    });
+    return;
+  }
+  if (Array.isArray(value)) {
+    for (let i = 0; i < value.length; i++) {
+      collectSecretsFromValue(value[i], [...currentPath, i], collected);
+    }
+    return;
+  }
+  if (typeof value === "object") {
+    for (const [key, val] of Object.entries(value)) {
+      collectSecretsFromValue(val, [...currentPath, key], collected);
+    }
+  }
+}
+/**
+ * Collect all secret references and string literals from a test monitor.
+ * Scans endpoint headers and bodies for $secret markers and $literal wrappers.
+ */
+export function collectSecretsFromMonitor(
+  monitor: MonitorV1,
+): CollectedSecrets {
+  const collected: CollectedSecrets = {
+    refs: [],
+    paths: [],
+    literalPaths: [],
+  };
+  for (let nodeIndex = 0; nodeIndex < monitor.nodes.length; nodeIndex++) {
+    const node = monitor.nodes[nodeIndex];
+    // Only endpoints can have secrets (in headers and body)
+    if (node.type !== "HTTP_REQUEST") {
+      continue;
+    }
+    //const endpoint = node;
+    // Scan headers
+    if (node.headers) {
+      for (const [headerKey, headerValue] of Object.entries(node.headers)) {
+        collectSecretsFromValue(
+          headerValue,
+          ["nodes", nodeIndex, "headers", headerKey],
+          collected,
+        );
+      }
+    }
+    // Scan body
+    if (node.body !== undefined) {
+      collectSecretsFromValue(
+        node.body,
+        ["nodes", nodeIndex, "body"],
+        collected,
+      );
+    }
+  }
+  // Deduplicate refs by creating a unique key
+  const seen = new Set<string>();
+  const uniqueRefs: SecretRefData[] = [];
+  for (const ref of collected.refs) {
+    const key = `${ref.ref}:${ref.version || ""}:${ref.field || ""}`;
+    if (!seen.has(key)) {
+      seen.add(key);
+      uniqueRefs.push(ref);
+    }
+  }
+  collected.refs = uniqueRefs;
+  return collected;
+}
+/**
+ * Set a value at a path in an object.
+ * Creates intermediate objects/arrays as needed.
+ */
+function setAtPath(
+  obj: unknown,
+  path: (string | number)[],
+  value: unknown,
+): void {
+  if (path.length === 0) {
+    return;
+  }
+  let current: any = obj;
+  for (let i = 0; i < path.length - 1; i++) {
+    const key = path[i];
+    if (current[key] === undefined) {
+      // Create intermediate object or array based on next key type
+      current[key] = typeof path[i + 1] === "number" ? [] : {};
+    }
+    current = current[key];
+  }
+  current[path[path.length - 1]] = value;
+}
+/**
+ * Deep clone a value.
+ */
+function deepClone<T>(value: T): T {
+  if (value === null || value === undefined) {
+    return value;
+  }
+  return JSON.parse(JSON.stringify(value));
+}
+/**
+ * Resolve all secrets and unwrap string literals in a monitor and return a new monitor with substituted values.
+ * The original monitor is not modified.
+ *
+ * @param monitor - The test monitor containing secret references and string literals
+ * @param provider - The secret provider (required when monitor contains secret refs)
+ * @returns A new monitor with all secrets resolved to their values and literals unwrapped
+ * @throws SecretResolutionError if any secret cannot be resolved (fail-fast)
+ */
+export async function resolveSecretsInMonitor(
+  monitor: MonitorV1,
+  provider: SecretProvider | null,
+): Promise<MonitorV1> {
+  // Collect all secret references and string literals
+  const collected = collectSecretsFromMonitor(monitor);
+  if (collected.refs.length === 0 && collected.literalPaths.length === 0) {
+    // No secrets or literals to resolve
+    return monitor;
+  }
+  // Resolve secrets when we have refs (provider required)
+  if (collected.refs.length > 0 && !provider) {
+    throw new SecretResolutionError(
+      "Monitor contains secret references but no secret provider was provided",
+      { ref: "unknown" },
+    );
+  }
+  // Clone the monitor for modification
+  const resolvedMonitor = deepClone(monitor);
+  // Substitute resolved secret values at each path
+  if (provider) {
+    for (const { path, secretRef } of collected.paths) {
+      const value = await provider.resolve(secretRef.ref, {
+        version: secretRef.version,
+        field: secretRef.field,
+      });
+      setAtPath(resolvedMonitor, path, value);
+    }
+  }
+  // Unwrap string literals at each path
+  for (const { path, value } of collected.literalPaths) {
+    setAtPath(resolvedMonitor, path, value);
+  }
+  return resolvedMonitor;
+}
+/**
+ * Check if a monitor contains any secret references or string literals that need resolution.
+ * Useful for short-circuiting resolution when no secrets or literals are present.
+ */
+export function planHasSecrets(monitor: MonitorV1): boolean {
+  for (const node of monitor.nodes) {
+    if (node.type !== "HTTP_REQUEST") {
+      continue;
+    }
+    // Check headers
+    if (node.headers) {
+      for (const headerValue of Object.values(node.headers)) {
+        if (isSecretRef(headerValue) || isStringLiteral(headerValue)) {
+          return true;
+        }
+      }
+    }
+    // Check body (recursive check)
+    if (node.body !== undefined && containsSecretOrLiteral(node.body)) {
+      return true;
+    }
+  }
+  return false;
+}
+/**
+ * Recursively check if a value contains any secret references or string literals.
+ */
+function containsSecretOrLiteral(value: unknown): boolean {
+  if (value === null || value === undefined) {
+    return false;
+  }
+  if (isSecretRef(value) || isStringLiteral(value)) {
+    return true;
+  }
+  if (Array.isArray(value)) {
+    return value.some(containsSecretOrLiteral);
+  }
+  if (typeof value === "object") {
+    return Object.values(value).some(containsSecretOrLiteral);
+  }
+  return false;
+}