@griffin-app/griffin-executor 0.1.0

package/dist/secrets/providers/env.d.ts

@@ -0,0 +1,36 @@
+/**
+ * Environment variable secret provider.
+ *
+ * Reads secrets from process.env. Useful for local development
+ * and simple deployments where secrets are injected as environment variables.
+ *
+ * Usage in DSL:
+ *   secret("env:MY_API_KEY")
+ *   secret("env:DATABASE_URL")
+ */
+import type { SecretProvider, SecretResolveOptions } from "../types.js";
+export interface EnvSecretProviderOptions {
+    /**
+     * Custom environment object to read from.
+     * Defaults to process.env.
+     */
+    env?: Record<string, string | undefined>;
+    /**
+     * Prefix to strip from secret refs.
+     * For example, if prefix is "APP_", then secret("env:API_KEY")
+     * will look for "APP_API_KEY" in the environment.
+     */
+    prefix?: string;
+}
+export declare class EnvSecretProvider implements SecretProvider {
+    readonly name = "env";
+    private readonly env;
+    private readonly prefix;
+    constructor(options?: EnvSecretProviderOptions);
+    resolve(ref: string, _options?: SecretResolveOptions): Promise<string>;
+    resolveMany(refs: Array<{
+        ref: string;
+        options?: SecretResolveOptions;
+    }>): Promise<Map<string, string>>;
+}
+//# sourceMappingURL=env.d.ts.map

package/dist/secrets/providers/env.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"env.d.ts","sourceRoot":"","sources":["../../../src/secrets/providers/env.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AAGxE,MAAM,WAAW,wBAAwB;IACvC;;;OAGG;IACH,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,CAAC;IAEzC;;;;OAIG;IACH,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,qBAAa,iBAAkB,YAAW,cAAc;IACtD,QAAQ,CAAC,IAAI,SAAS;IACtB,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAqC;IACzD,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;gBAEpB,OAAO,GAAE,wBAA6B;IAK5C,OAAO,CAAC,GAAG,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,oBAAoB,GAAG,OAAO,CAAC,MAAM,CAAC;IActE,WAAW,CACf,IAAI,EAAE,KAAK,CAAC;QAAE,GAAG,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,oBAAoB,CAAA;KAAE,CAAC,GAC3D,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAUhC"}

package/dist/secrets/providers/env.js

@@ -0,0 +1,37 @@
+/**
+ * Environment variable secret provider.
+ *
+ * Reads secrets from process.env. Useful for local development
+ * and simple deployments where secrets are injected as environment variables.
+ *
+ * Usage in DSL:
+ *   secret("env:MY_API_KEY")
+ *   secret("env:DATABASE_URL")
+ */
+import { SecretResolutionError } from "../types.js";
+export class EnvSecretProvider {
+    name = "env";
+    env;
+    prefix;
+    constructor(options = {}) {
+        this.env = options.env ?? process.env;
+        this.prefix = options.prefix ?? "";
+    }
+    async resolve(ref, _options) {
+        const envKey = this.prefix + ref;
+        const value = this.env[envKey];
+        if (value === undefined) {
+            throw new SecretResolutionError(`Environment variable "${envKey}" is not set`, { ref });
+        }
+        return value;
+    }
+    async resolveMany(refs) {
+        const results = new Map();
+        for (const { ref } of refs) {
+            const value = await this.resolve(ref);
+            results.set(ref, value);
+        }
+        return results;
+    }
+}
+//# sourceMappingURL=env.js.map

package/dist/secrets/providers/env.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"env.js","sourceRoot":"","sources":["../../../src/secrets/providers/env.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAGH,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAiBpD,MAAM,OAAO,iBAAiB;IACnB,IAAI,GAAG,KAAK,CAAC;IACL,GAAG,CAAqC;IACxC,MAAM,CAAS;IAEhC,YAAY,UAAoC,EAAE;QAChD,IAAI,CAAC,GAAG,GAAG,OAAO,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG,CAAC;QACtC,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,EAAE,CAAC;IACrC,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,GAAW,EAAE,QAA+B;QACxD,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,GAAG,GAAG,CAAC;QACjC,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAE/B,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;YACxB,MAAM,IAAI,qBAAqB,CAC7B,yBAAyB,MAAM,cAAc,EAC7C,EAAE,GAAG,EAAE,CACR,CAAC;QACJ,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC;IAED,KAAK,CAAC,WAAW,CACf,IAA4D;QAE5D,MAAM,OAAO,GAAG,IAAI,GAAG,EAAkB,CAAC;QAE1C,KAAK,MAAM,EAAE,GAAG,EAAE,IAAI,IAAI,EAAE,CAAC;YAC3B,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;YACtC,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QAC1B,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;CACF"}

package/dist/secrets/providers/index.d.ts

@@ -0,0 +1,7 @@
+/**
+ * Secret provider implementations.
+ */
+export { EnvSecretProvider, type EnvSecretProviderOptions } from "./env.js";
+export { AwsSecretsManagerProvider, type AwsSecretsManagerProviderOptions, type AwsSecretsManagerClient, } from "./aws.js";
+export { VaultProvider, type VaultProviderOptions, type VaultHttpClient, } from "./vault.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/secrets/providers/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/secrets/providers/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,iBAAiB,EAAE,KAAK,wBAAwB,EAAE,MAAM,UAAU,CAAC;AAC5E,OAAO,EACL,yBAAyB,EACzB,KAAK,gCAAgC,EACrC,KAAK,uBAAuB,GAC7B,MAAM,UAAU,CAAC;AAClB,OAAO,EACL,aAAa,EACb,KAAK,oBAAoB,EACzB,KAAK,eAAe,GACrB,MAAM,YAAY,CAAC"}

package/dist/secrets/providers/index.js

@@ -0,0 +1,7 @@
+/**
+ * Secret provider implementations.
+ */
+export { EnvSecretProvider } from "./env.js";
+export { AwsSecretsManagerProvider, } from "./aws.js";
+export { VaultProvider, } from "./vault.js";
+//# sourceMappingURL=index.js.map

package/dist/secrets/providers/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/secrets/providers/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,iBAAiB,EAAiC,MAAM,UAAU,CAAC;AAC5E,OAAO,EACL,yBAAyB,GAG1B,MAAM,UAAU,CAAC;AAClB,OAAO,EACL,aAAa,GAGd,MAAM,YAAY,CAAC"}

package/dist/secrets/providers/vault.d.ts

@@ -0,0 +1,75 @@
+/**
+ * HashiCorp Vault secret provider.
+ *
+ * Reads secrets from HashiCorp Vault KV secrets engine (v1 and v2).
+ * Supports field extraction from JSON secrets.
+ *
+ * Usage in DSL:
+ *   secret("vault:secret/data/myapp/config")
+ *   secret("vault:secret/data/myapp/config", { field: "api_key" })
+ *   secret("vault:secret/data/myapp/config", { version: "2" })
+ */
+import type { SecretProvider, SecretResolveOptions } from "../types.js";
+/**
+ * HTTP client interface for Vault API calls.
+ * This allows dependency injection without requiring a specific HTTP library.
+ */
+export interface VaultHttpClient {
+    get(url: string, options: {
+        headers: Record<string, string>;
+    }): Promise<{
+        status: number;
+        data: unknown;
+    }>;
+}
+export interface VaultProviderOptions {
+    /**
+     * Vault server address (e.g., "https://vault.example.com:8200").
+     */
+    address: string;
+    /**
+     * Authentication token.
+     */
+    token: string;
+    /**
+     * HTTP client for making requests to Vault.
+     */
+    httpClient: VaultHttpClient;
+    /**
+     * Optional namespace for Vault Enterprise.
+     */
+    namespace?: string;
+    /**
+     * KV secrets engine version (1 or 2).
+     * Defaults to 2.
+     */
+    kvVersion?: 1 | 2;
+    /**
+     * Optional prefix for secret paths.
+     */
+    prefix?: string;
+}
+export declare class VaultProvider implements SecretProvider {
+    readonly name = "vault";
+    private readonly address;
+    private readonly token;
+    private readonly httpClient;
+    private readonly namespace?;
+    private readonly kvVersion;
+    private readonly prefix;
+    private cache;
+    private readonly cacheTtlMs;
+    constructor(options: VaultProviderOptions);
+    resolve(ref: string, options?: SecretResolveOptions): Promise<string>;
+    /**
+     * Extract a field from the secret data.
+     * If no field is specified, returns the entire data as JSON string.
+     */
+    private extractField;
+    validate(): Promise<void>;
+    /**
+     * Clear the cache. Useful for testing or forced refresh.
+     */
+    clearCache(): void;
+}
+//# sourceMappingURL=vault.d.ts.map

package/dist/secrets/providers/vault.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"vault.d.ts","sourceRoot":"","sources":["../../../src/secrets/providers/vault.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AAGxE;;;GAGG;AACH,MAAM,WAAW,eAAe;IAC9B,GAAG,CACD,GAAG,EAAE,MAAM,EACX,OAAO,EAAE;QAAE,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;KAAE,GAC3C,OAAO,CAAC;QACT,MAAM,EAAE,MAAM,CAAC;QACf,IAAI,EAAE,OAAO,CAAC;KACf,CAAC,CAAC;CACJ;AAED,MAAM,WAAW,oBAAoB;IACnC;;OAEG;IACH,OAAO,EAAE,MAAM,CAAC;IAEhB;;OAEG;IACH,KAAK,EAAE,MAAM,CAAC;IAEd;;OAEG;IACH,UAAU,EAAE,eAAe,CAAC;IAE5B;;OAEG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB;;;OAGG;IACH,SAAS,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC;IAElB;;OAEG;IACH,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,qBAAa,aAAc,YAAW,cAAc;IAClD,QAAQ,CAAC,IAAI,WAAW;IACxB,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;IACjC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAS;IAC/B,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAkB;IAC7C,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAS;IACpC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAQ;IAClC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;IAGhC,OAAO,CAAC,KAAK,CAGT;IACJ,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAiB;gBAEhC,OAAO,EAAE,oBAAoB;IASnC,OAAO,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,oBAAoB,GAAG,OAAO,CAAC,MAAM,CAAC;IAoG3E;;;OAGG;IACH,OAAO,CAAC,YAAY;IAuBd,QAAQ,IAAI,OAAO,CAAC,IAAI,CAAC;IAoC/B;;OAEG;IACH,UAAU,IAAI,IAAI;CAGnB"}

package/dist/secrets/providers/vault.js

@@ -0,0 +1,143 @@
+/**
+ * HashiCorp Vault secret provider.
+ *
+ * Reads secrets from HashiCorp Vault KV secrets engine (v1 and v2).
+ * Supports field extraction from JSON secrets.
+ *
+ * Usage in DSL:
+ *   secret("vault:secret/data/myapp/config")
+ *   secret("vault:secret/data/myapp/config", { field: "api_key" })
+ *   secret("vault:secret/data/myapp/config", { version: "2" })
+ */
+import { SecretResolutionError } from "../types.js";
+export class VaultProvider {
+    name = "vault";
+    address;
+    token;
+    httpClient;
+    namespace;
+    kvVersion;
+    prefix;
+    // Simple in-memory cache with TTL
+    cache = new Map();
+    cacheTtlMs = 5 * 60 * 1000; // 5 minutes
+    constructor(options) {
+        this.address = options.address.replace(/\/$/, ""); // Remove trailing slash
+        this.token = options.token;
+        this.httpClient = options.httpClient;
+        this.namespace = options.namespace;
+        this.kvVersion = options.kvVersion ?? 2;
+        this.prefix = options.prefix ?? "";
+    }
+    async resolve(ref, options) {
+        const secretPath = this.prefix + ref;
+        const version = options?.version;
+        const cacheKey = `${secretPath}:${version ?? "latest"}`;
+        // Check cache
+        const cached = this.cache.get(cacheKey);
+        if (cached && cached.expires > Date.now()) {
+            return this.extractField(cached.value, options?.field, ref);
+        }
+        try {
+            // Build request URL
+            let url = `${this.address}/v1/${secretPath}`;
+            if (this.kvVersion === 2 && version) {
+                url += `?version=${version}`;
+            }
+            // Build headers
+            const headers = {
+                "X-Vault-Token": this.token,
+            };
+            if (this.namespace) {
+                headers["X-Vault-Namespace"] = this.namespace;
+            }
+            const response = await this.httpClient.get(url, { headers });
+            if (response.status === 404) {
+                throw new SecretResolutionError(`Secret "${secretPath}" not found in Vault`, { ref });
+            }
+            if (response.status === 403) {
+                throw new SecretResolutionError(`Access denied to secret "${secretPath}". Check Vault policies.`, { ref });
+            }
+            if (response.status !== 200) {
+                throw new SecretResolutionError(`Vault returned status ${response.status} for secret "${secretPath}"`, { ref });
+            }
+            // Parse response based on KV version
+            const data = response.data;
+            let secretData;
+            if (this.kvVersion === 2) {
+                // KV v2 wraps data in an extra "data" object
+                const kvData = data?.data;
+                if (!kvData?.data) {
+                    throw new SecretResolutionError(`Invalid KV v2 response structure for secret "${secretPath}"`, { ref });
+                }
+                secretData = kvData.data;
+            }
+            else {
+                // KV v1 has data directly
+                if (!data?.data || typeof data.data !== "object") {
+                    throw new SecretResolutionError(`Invalid KV v1 response structure for secret "${secretPath}"`, { ref });
+                }
+                secretData = data.data;
+            }
+            // Cache the secret data
+            this.cache.set(cacheKey, {
+                value: secretData,
+                expires: Date.now() + this.cacheTtlMs,
+            });
+            return this.extractField(secretData, options?.field, ref);
+        }
+        catch (error) {
+            if (error instanceof SecretResolutionError) {
+                throw error;
+            }
+            throw new SecretResolutionError(`Failed to retrieve secret "${secretPath}" from Vault: ${error instanceof Error ? error.message : String(error)}`, { ref, cause: error });
+        }
+    }
+    /**
+     * Extract a field from the secret data.
+     * If no field is specified, returns the entire data as JSON string.
+     */
+    extractField(secretData, field, ref) {
+        if (!field) {
+            // Return entire secret as JSON if no field specified
+            return JSON.stringify(secretData);
+        }
+        const value = secretData[field];
+        if (value === undefined) {
+            throw new SecretResolutionError(`Field "${field}" not found in secret "${ref}"`, { ref });
+        }
+        // Convert to string if not already
+        return typeof value === "string" ? value : JSON.stringify(value);
+    }
+    async validate() {
+        // Verify we can authenticate with Vault
+        try {
+            const headers = {
+                "X-Vault-Token": this.token,
+            };
+            if (this.namespace) {
+                headers["X-Vault-Namespace"] = this.namespace;
+            }
+            const response = await this.httpClient.get(`${this.address}/v1/auth/token/lookup-self`, { headers });
+            if (response.status === 403) {
+                throw new Error("Invalid or expired Vault token");
+            }
+            if (response.status !== 200) {
+                throw new Error(`Vault authentication check failed with status ${response.status}`);
+            }
+        }
+        catch (error) {
+            if (error instanceof Error && error.message.includes("Vault")) {
+                throw error;
+            }
+            throw new Error(`Failed to connect to Vault at ${this.address}: ${error instanceof Error ? error.message : String(error)}`);
+        }
+    }
+    /**
+     * Clear the cache. Useful for testing or forced refresh.
+     */
+    clearCache() {
+        this.cache.clear();
+    }
+}
+//# sourceMappingURL=vault.js.map

package/dist/secrets/providers/vault.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"vault.js","sourceRoot":"","sources":["../../../src/secrets/providers/vault.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAGH,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAiDpD,MAAM,OAAO,aAAa;IACf,IAAI,GAAG,OAAO,CAAC;IACP,OAAO,CAAS;IAChB,KAAK,CAAS;IACd,UAAU,CAAkB;IAC5B,SAAS,CAAU;IACnB,SAAS,CAAQ;IACjB,MAAM,CAAS;IAEhC,kCAAkC;IAC1B,KAAK,GAAG,IAAI,GAAG,EAGpB,CAAC;IACa,UAAU,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,YAAY;IAEzD,YAAY,OAA6B;QACvC,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,CAAC,wBAAwB;QAC3E,IAAI,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;QAC3B,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;QACrC,IAAI,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,CAAC;QACnC,IAAI,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,CAAC,CAAC;QACxC,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,EAAE,CAAC;IACrC,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,GAAW,EAAE,OAA8B;QACvD,MAAM,UAAU,GAAG,IAAI,CAAC,MAAM,GAAG,GAAG,CAAC;QACrC,MAAM,OAAO,GAAG,OAAO,EAAE,OAAO,CAAC;QACjC,MAAM,QAAQ,GAAG,GAAG,UAAU,IAAI,OAAO,IAAI,QAAQ,EAAE,CAAC;QAExD,cAAc;QACd,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QACxC,IAAI,MAAM,IAAI,MAAM,CAAC,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;YAC1C,OAAO,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9D,CAAC;QAED,IAAI,CAAC;YACH,oBAAoB;YACpB,IAAI,GAAG,GAAG,GAAG,IAAI,CAAC,OAAO,OAAO,UAAU,EAAE,CAAC;YAC7C,IAAI,IAAI,CAAC,SAAS,KAAK,CAAC,IAAI,OAAO,EAAE,CAAC;gBACpC,GAAG,IAAI,YAAY,OAAO,EAAE,CAAC;YAC/B,CAAC;YAED,gBAAgB;YAChB,MAAM,OAAO,GAA2B;gBACtC,eAAe,EAAE,IAAI,CAAC,KAAK;aAC5B,CAAC;YACF,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;gBACnB,OAAO,CAAC,mBAAmB,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC;YAChD,CAAC;YAED,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,OAAO,EAAE,CAAC,CAAC;YAE7D,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBAC5B,MAAM,IAAI,qBAAqB,CAC7B,WAAW,UAAU,sBAAsB,EAC3C,EAAE,GAAG,EAAE,CACR,CAAC;YACJ,CAAC;YAED,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBAC5B,MAAM,IAAI,qBAAqB,CAC7B,4BAA4B,UAAU,0BAA0B,EAChE,EAAE,GAAG,EAAE,CACR,CAAC;YACJ,CAAC;YAED,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBAC5B,MAAM,IAAI,qBAAqB,CAC7B,yBAAyB,QAAQ,CAAC,MAAM,gBAAgB,UAAU,GAAG,EACrE,EAAE,GAAG,EAAE,CACR,CAAC;YACJ,CAAC;YAED,qCAAqC;YACrC,MAAM,IAAI,GAAG,QAAQ,CAAC,IAErB,CAAC;YAEF,IAAI,UAAmC,CAAC;YAExC,IAAI,IAAI,CAAC,SAAS,KAAK,CAAC,EAAE,CAAC;gBACzB,6CAA6C;gBAC7C,MAAM,MAAM,GAAG,IAAI,EAAE,IAER,CAAC;gBACd,IAAI,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC;oBAClB,MAAM,IAAI,qBAAqB,CAC7B,gDAAgD,UAAU,GAAG,EAC7D,EAAE,GAAG,EAAE,CACR,CAAC;gBACJ,CAAC;gBACD,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC;YAC3B,CAAC;iBAAM,CAAC;gBACN,0BAA0B;gBAC1B,IAAI,CAAC,IAAI,EAAE,IAAI,IAAI,OAAO,IAAI,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;oBACjD,MAAM,IAAI,qBAAqB,CAC7B,gDAAgD,UAAU,GAAG,EAC7D,EAAE,GAAG,EAAE,CACR,CAAC;gBACJ,CAAC;gBACD,UAAU,GAAG,IAAI,CAAC,IAA+B,CAAC;YACpD,CAAC;YAED,wBAAwB;YACxB,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,EAAE;gBACvB,KAAK,EAAE,UAAU;gBACjB,OAAO,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,UAAU;aACtC,CAAC,CAAC;YAEH,OAAO,IAAI,CAAC,YAAY,CAAC,UAAU,EAAE,OAAO,EAAE,KAAK,EAAE,GAAG,CAAC,CAAC;QAC5D,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,qBAAqB,EAAE,CAAC;gBAC3C,MAAM,KAAK,CAAC;YACd,CAAC;YAED,MAAM,IAAI,qBAAqB,CAC7B,8BAA8B,UAAU,iBACtC,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CACvD,EAAE,EACF,EAAE,GAAG,EAAE,KAAK,EAAE,KAAK,EAAE,CACtB,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;;OAGG;IACK,YAAY,CAClB,UAAmC,EACnC,KAAyB,EACzB,GAAW;QAEX,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,qDAAqD;YACrD,OAAO,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;QACpC,CAAC;QAED,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC;QAEhC,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;YACxB,MAAM,IAAI,qBAAqB,CAC7B,UAAU,KAAK,0BAA0B,GAAG,GAAG,EAC/C,EAAE,GAAG,EAAE,CACR,CAAC;QACJ,CAAC;QAED,mCAAmC;QACnC,OAAO,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;IACnE,CAAC;IAED,KAAK,CAAC,QAAQ;QACZ,wCAAwC;QACxC,IAAI,CAAC;YACH,MAAM,OAAO,GAA2B;gBACtC,eAAe,EAAE,IAAI,CAAC,KAAK;aAC5B,CAAC;YACF,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;gBACnB,OAAO,CAAC,mBAAmB,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC;YAChD,CAAC;YAED,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,CACxC,GAAG,IAAI,CAAC,OAAO,4BAA4B,EAC3C,EAAE,OAAO,EAAE,CACZ,CAAC;YAEF,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBAC5B,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC;YACpD,CAAC;YAED,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBAC5B,MAAM,IAAI,KAAK,CACb,iDAAiD,QAAQ,CAAC,MAAM,EAAE,CACnE,CAAC;YACJ,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,KAAK,IAAI,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;gBAC9D,MAAM,KAAK,CAAC;YACd,CAAC;YACD,MAAM,IAAI,KAAK,CACb,iCAAiC,IAAI,CAAC,OAAO,KAC3C,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CACvD,EAAE,CACH,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;OAEG;IACH,UAAU;QACR,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;IACrB,CAAC;CACF"}

package/dist/secrets/registry.d.ts

@@ -0,0 +1,39 @@
+/**
+ * Secret provider registry for managing the configured secret provider.
+ */
+import type { SecretProvider, SecretRefData } from "./types.js";
+/**
+ * Registry for the single configured secret provider.
+ */
+export declare class SecretProviderRegistry {
+    private provider;
+    /**
+     * Set the secret provider.
+     * @param provider - The provider to use for resolution
+     */
+    setProvider(provider: SecretProvider): void;
+    /**
+     * Resolve a secret reference using the configured provider.
+     * @param secretRef - The secret reference data
+     * @returns The resolved secret value
+     * @throws SecretResolutionError if resolution fails
+     */
+    resolve(secretRef: SecretRefData): Promise<string>;
+    /**
+     * Resolve multiple secrets using the configured provider.
+     * @param refs - Array of secret reference data
+     * @returns Map of key to resolved value
+     * @throws SecretResolutionError if any resolution fails (fail-fast)
+     */
+    resolveMany(refs: SecretRefData[]): Promise<Map<string, string>>;
+    /**
+     * Validate the configured provider.
+     * @throws Error if provider validation fails
+     */
+    validateAll(): Promise<void>;
+    /**
+     * Create a unique key for a secret reference (for caching/deduplication).
+     */
+    makeKey(secretRef: SecretRefData): string;
+}
+//# sourceMappingURL=registry.d.ts.map

package/dist/secrets/registry.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"registry.d.ts","sourceRoot":"","sources":["../../src/secrets/registry.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EACV,cAAc,EACd,aAAa,EAEd,MAAM,YAAY,CAAC;AAGpB;;GAEG;AACH,qBAAa,sBAAsB;IACjC,OAAO,CAAC,QAAQ,CAA+B;IAE/C;;;OAGG;IACH,WAAW,CAAC,QAAQ,EAAE,cAAc,GAAG,IAAI;IAI3C;;;;;OAKG;IACG,OAAO,CAAC,SAAS,EAAE,aAAa,GAAG,OAAO,CAAC,MAAM,CAAC;IA4BxD;;;;;OAKG;IACG,WAAW,CAAC,IAAI,EAAE,aAAa,EAAE,GAAG,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IA0EtE;;;OAGG;IACG,WAAW,IAAI,OAAO,CAAC,IAAI,CAAC;IAclC;;OAEG;IACH,OAAO,CAAC,SAAS,EAAE,aAAa,GAAG,MAAM;CAM1C"}

package/dist/secrets/registry.js

@@ -0,0 +1,134 @@
+/**
+ * Secret provider registry for managing the configured secret provider.
+ */
+import { SecretResolutionError } from "./types.js";
+/**
+ * Registry for the single configured secret provider.
+ */
+export class SecretProviderRegistry {
+    provider = null;
+    /**
+     * Set the secret provider.
+     * @param provider - The provider to use for resolution
+     */
+    setProvider(provider) {
+        this.provider = provider;
+    }
+    /**
+     * Resolve a secret reference using the configured provider.
+     * @param secretRef - The secret reference data
+     * @returns The resolved secret value
+     * @throws SecretResolutionError if resolution fails
+     */
+    async resolve(secretRef) {
+        if (!this.provider) {
+            throw new SecretResolutionError("No secret provider configured", {
+                ref: secretRef.ref,
+            });
+        }
+        try {
+            return await this.provider.resolve(secretRef.ref, {
+                version: secretRef.version,
+                field: secretRef.field,
+            });
+        }
+        catch (error) {
+            if (error instanceof SecretResolutionError) {
+                throw error;
+            }
+            throw new SecretResolutionError(`Failed to resolve secret "${secretRef.ref}": ${error instanceof Error ? error.message : String(error)}`, {
+                ref: secretRef.ref,
+                cause: error,
+            });
+        }
+    }
+    /**
+     * Resolve multiple secrets using the configured provider.
+     * @param refs - Array of secret reference data
+     * @returns Map of key to resolved value
+     * @throws SecretResolutionError if any resolution fails (fail-fast)
+     */
+    async resolveMany(refs) {
+        if (refs.length === 0) {
+            return new Map();
+        }
+        if (!this.provider) {
+            throw new SecretResolutionError("No secret provider configured", {
+                ref: refs[0].ref,
+            });
+        }
+        const results = new Map();
+        if (this.provider.resolveMany) {
+            const batchRefs = refs.map((r) => ({
+                ref: r.ref,
+                options: {
+                    version: r.version,
+                    field: r.field,
+                },
+            }));
+            try {
+                const batchResults = await this.provider.resolveMany(batchRefs);
+                for (const secretRef of refs) {
+                    const value = batchResults.get(secretRef.ref);
+                    if (value === undefined) {
+                        throw new SecretResolutionError(`Secret "${secretRef.ref}" not found in batch results`, { ref: secretRef.ref });
+                    }
+                    results.set(this.makeKey(secretRef), value);
+                }
+            }
+            catch (error) {
+                if (error instanceof SecretResolutionError) {
+                    throw error;
+                }
+                throw new SecretResolutionError(`Batch resolution failed: ${error instanceof Error ? error.message : String(error)}`, {
+                    ref: refs[0].ref,
+                    cause: error,
+                });
+            }
+        }
+        else {
+            for (const secretRef of refs) {
+                try {
+                    const value = await this.provider.resolve(secretRef.ref, {
+                        version: secretRef.version,
+                        field: secretRef.field,
+                    });
+                    results.set(this.makeKey(secretRef), value);
+                }
+                catch (error) {
+                    if (error instanceof SecretResolutionError) {
+                        throw error;
+                    }
+                    throw new SecretResolutionError(`Failed to resolve secret "${secretRef.ref}": ${error instanceof Error ? error.message : String(error)}`, { ref: secretRef.ref, cause: error });
+                }
+            }
+        }
+        return results;
+    }
+    /**
+     * Validate the configured provider.
+     * @throws Error if provider validation fails
+     */
+    async validateAll() {
+        if (this.provider?.validate) {
+            try {
+                await this.provider.validate();
+            }
+            catch (error) {
+                throw new Error(`Provider validation failed: ${error instanceof Error ? error.message : String(error)}`);
+            }
+        }
+    }
+    /**
+     * Create a unique key for a secret reference (for caching/deduplication).
+     */
+    makeKey(secretRef) {
+        const parts = [secretRef.ref];
+        if (secretRef.version)
+            parts.push(`v:${secretRef.version}`);
+        if (secretRef.field)
+            parts.push(`f:${secretRef.field}`);
+        return parts.join(":");
+    }
+}
+//# sourceMappingURL=registry.js.map

package/dist/secrets/registry.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"registry.js","sourceRoot":"","sources":["../../src/secrets/registry.ts"],"names":[],"mappings":"AAAA;;GAEG;AAOH,OAAO,EAAE,qBAAqB,EAAE,MAAM,YAAY,CAAC;AAEnD;;GAEG;AACH,MAAM,OAAO,sBAAsB;IACzB,QAAQ,GAA0B,IAAI,CAAC;IAE/C;;;OAGG;IACH,WAAW,CAAC,QAAwB;QAClC,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;IAC3B,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,OAAO,CAAC,SAAwB;QACpC,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC;YACnB,MAAM,IAAI,qBAAqB,CAAC,+BAA+B,EAAE;gBAC/D,GAAG,EAAE,SAAS,CAAC,GAAG;aACnB,CAAC,CAAC;QACL,CAAC;QAED,IAAI,CAAC;YACH,OAAO,MAAM,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,SAAS,CAAC,GAAG,EAAE;gBAChD,OAAO,EAAE,SAAS,CAAC,OAAO;gBAC1B,KAAK,EAAE,SAAS,CAAC,KAAK;aACvB,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,qBAAqB,EAAE,CAAC;gBAC3C,MAAM,KAAK,CAAC;YACd,CAAC;YACD,MAAM,IAAI,qBAAqB,CAC7B,6BAA6B,SAAS,CAAC,GAAG,MACxC,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CACvD,EAAE,EACF;gBACE,GAAG,EAAE,SAAS,CAAC,GAAG;gBAClB,KAAK,EAAE,KAAK;aACb,CACF,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,WAAW,CAAC,IAAqB;QACrC,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACtB,OAAO,IAAI,GAAG,EAAE,CAAC;QACnB,CAAC;QAED,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC;YACnB,MAAM,IAAI,qBAAqB,CAAC,+BAA+B,EAAE;gBAC/D,GAAG,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG;aACjB,CAAC,CAAC;QACL,CAAC;QAED,MAAM,OAAO,GAAG,IAAI,GAAG,EAAkB,CAAC;QAE1C,IAAI,IAAI,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;YAC9B,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;gBACjC,GAAG,EAAE,CAAC,CAAC,GAAG;gBACV,OAAO,EAAE;oBACP,OAAO,EAAE,CAAC,CAAC,OAAO;oBAClB,KAAK,EAAE,CAAC,CAAC,KAAK;iBACS;aAC1B,CAAC,CAAC,CAAC;YAEJ,IAAI,CAAC;gBACH,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,SAAS,CAAC,CAAC;gBAEhE,KAAK,MAAM,SAAS,IAAI,IAAI,EAAE,CAAC;oBAC7B,MAAM,KAAK,GAAG,YAAY,CAAC,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;oBAC9C,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;wBACxB,MAAM,IAAI,qBAAqB,CAC7B,WAAW,SAAS,CAAC,GAAG,8BAA8B,EACtD,EAAE,GAAG,EAAE,SAAS,CAAC,GAAG,EAAE,CACvB,CAAC;oBACJ,CAAC;oBACD,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,KAAK,CAAC,CAAC;gBAC9C,CAAC;YACH,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,IAAI,KAAK,YAAY,qBAAqB,EAAE,CAAC;oBAC3C,MAAM,KAAK,CAAC;gBACd,CAAC;gBACD,MAAM,IAAI,qBAAqB,CAC7B,4BACE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CACvD,EAAE,EACF;oBACE,GAAG,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG;oBAChB,KAAK,EAAE,KAAK;iBACb,CACF,CAAC;YACJ,CAAC;QACH,CAAC;aAAM,CAAC;YACN,KAAK,MAAM,SAAS,IAAI,IAAI,EAAE,CAAC;gBAC7B,IAAI,CAAC;oBACH,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,SAAS,CAAC,GAAG,EAAE;wBACvD,OAAO,EAAE,SAAS,CAAC,OAAO;wBAC1B,KAAK,EAAE,SAAS,CAAC,KAAK;qBACvB,CAAC,CAAC;oBACH,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,KAAK,CAAC,CAAC;gBAC9C,CAAC;gBAAC,OAAO,KAAK,EAAE,CAAC;oBACf,IAAI,KAAK,YAAY,qBAAqB,EAAE,CAAC;wBAC3C,MAAM,KAAK,CAAC;oBACd,CAAC;oBACD,MAAM,IAAI,qBAAqB,CAC7B,6BAA6B,SAAS,CAAC,GAAG,MACxC,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CACvD,EAAE,EACF,EAAE,GAAG,EAAE,SAAS,CAAC,GAAG,EAAE,KAAK,EAAE,KAAK,EAAE,CACrC,CAAC;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,WAAW;QACf,IAAI,IAAI,CAAC,QAAQ,EAAE,QAAQ,EAAE,CAAC;YAC5B,IAAI,CAAC;gBACH,MAAM,IAAI,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC;YACjC,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,MAAM,IAAI,KAAK,CACb,+BACE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CACvD,EAAE,CACH,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAED;;OAEG;IACH,OAAO,CAAC,SAAwB;QAC9B,MAAM,KAAK,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;QAC9B,IAAI,SAAS,CAAC,OAAO;YAAE,KAAK,CAAC,IAAI,CAAC,KAAK,SAAS,CAAC,OAAO,EAAE,CAAC,CAAC;QAC5D,IAAI,SAAS,CAAC,KAAK;YAAE,KAAK,CAAC,IAAI,CAAC,KAAK,SAAS,CAAC,KAAK,EAAE,CAAC,CAAC;QACxD,OAAO,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACzB,CAAC;CACF"}

package/dist/secrets/resolver.d.ts

@@ -0,0 +1,45 @@
+/**
+ * Secret resolution utilities for test monitors.
+ */
+import { type MonitorV1 } from "@griffin-app/griffin-hub-sdk";
+import type { SecretProvider } from "./types.js";
+import type { SecretRefData } from "./types.js";
+/**
+ * Collected secret references and literals from a monitor.
+ */
+interface CollectedSecrets {
+    /** All unique secret references found */
+    refs: SecretRefData[];
+    /** Paths where secrets were found (for substitution) */
+    paths: Array<{
+        path: (string | number)[];
+        secretRef: SecretRefData;
+    }>;
+    /** Paths where string literals were found (for unwrapping) */
+    literalPaths: Array<{
+        path: (string | number)[];
+        value: string;
+    }>;
+}
+/**
+ * Collect all secret references and string literals from a test monitor.
+ * Scans endpoint headers and bodies for $secret markers and $literal wrappers.
+ */
+export declare function collectSecretsFromMonitor(monitor: MonitorV1): CollectedSecrets;
+/**
+ * Resolve all secrets and unwrap string literals in a monitor and return a new monitor with substituted values.
+ * The original monitor is not modified.
+ *
+ * @param monitor - The test monitor containing secret references and string literals
+ * @param provider - The secret provider (required when monitor contains secret refs)
+ * @returns A new monitor with all secrets resolved to their values and literals unwrapped
+ * @throws SecretResolutionError if any secret cannot be resolved (fail-fast)
+ */
+export declare function resolveSecretsInMonitor(monitor: MonitorV1, provider: SecretProvider | null): Promise<MonitorV1>;
+/**
+ * Check if a monitor contains any secret references or string literals that need resolution.
+ * Useful for short-circuiting resolution when no secrets or literals are present.
+ */
+export declare function planHasSecrets(monitor: MonitorV1): boolean;
+export {};
+//# sourceMappingURL=resolver.d.ts.map

package/dist/secrets/resolver.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"resolver.d.ts","sourceRoot":"","sources":["../../src/secrets/resolver.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,OAAO,EAAE,KAAK,SAAS,EAAE,MAAM,8BAA8B,CAAC;AAC9D,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AACjD,OAAO,KAAK,EAAa,aAAa,EAAE,MAAM,YAAY,CAAC;AAG3D;;GAEG;AACH,UAAU,gBAAgB;IACxB,yCAAyC;IACzC,IAAI,EAAE,aAAa,EAAE,CAAC;IACtB,wDAAwD;IACxD,KAAK,EAAE,KAAK,CAAC;QACX,IAAI,EAAE,CAAC,MAAM,GAAG,MAAM,CAAC,EAAE,CAAC;QAC1B,SAAS,EAAE,aAAa,CAAC;KAC1B,CAAC,CAAC;IACH,8DAA8D;IAC9D,YAAY,EAAE,KAAK,CAAC;QAClB,IAAI,EAAE,CAAC,MAAM,GAAG,MAAM,CAAC,EAAE,CAAC;QAC1B,KAAK,EAAE,MAAM,CAAC;KACf,CAAC,CAAC;CACJ;AAgDD;;;GAGG;AACH,wBAAgB,yBAAyB,CACvC,OAAO,EAAE,SAAS,GACjB,gBAAgB,CAoDlB;AAsCD;;;;;;;;GAQG;AACH,wBAAsB,uBAAuB,CAC3C,OAAO,EAAE,SAAS,EAClB,QAAQ,EAAE,cAAc,GAAG,IAAI,GAC9B,OAAO,CAAC,SAAS,CAAC,CAqCpB;AAED;;;GAGG;AACH,wBAAgB,cAAc,CAAC,OAAO,EAAE,SAAS,GAAG,OAAO,CAsB1D"}