@griffin-app/griffin-executor 0.1.2 → 0.1.4

package/dist/index.d.ts

@@ -5,5 +5,5 @@ export { AxiosAdapter, StubAdapter, type StubResponse, } from "./adapters/index.
 export { LocalEventEmitter, DurableEventEmitter, type ExecutionEventEmitter, type DurableEventBusAdapter, } from "./events/emitter.js";
 export type { ExecutionEvent, BaseEvent, MonitorStartEvent, MonitorEndEvent, NodeStartEvent, NodeEndEvent, HttpRequestEvent, HttpResponseEvent, HttpRetryEvent, AssertionResultEvent, WaitStartEvent, NodeStreamEvent, ErrorEvent, } from "./events/types.js";
 export { KinesisAdapter, type KinesisAdapterOptions, InMemoryAdapter, } from "./events/adapters/index.js";
-export { type SecretProvider, type SecretRef, type SecretRefData, type SecretResolveOptions, SecretResolutionError, isSecretRef, resolveSecretsInMonitor, collectSecretsFromMonitor, planHasSecrets, EnvSecretProvider, type EnvSecretProviderOptions, createSecretProvider, type SecretProviderConfig, type EnvProviderConfig, } from "./secrets/index.js";
+export { type SecretProvider, type SecretRef, type SecretRefData, type SecretResolveOptions, SecretResolutionError, isSecretRef, resolveSecretsInMonitor, collectSecretsFromMonitor, planHasSecrets, EnvSecretProvider, type EnvSecretProviderOptions, HubSecretProvider, createSecretProvider, type SecretProviderConfig, type EnvProviderConfig, } from "./secrets/index.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,eAAe,CAAC;AACjD,YAAY,EACV,gBAAgB,EAChB,eAAe,EACf,UAAU,EACV,iBAAiB,EACjB,WAAW,EACX,YAAY,EACZ,eAAe,EACf,eAAe,GAChB,MAAM,YAAY,CAAC;AACpB,YAAY,EACV,WAAW,EACX,WAAW,IAAI,eAAe,EAC9B,QAAQ,EACR,aAAa,EACb,IAAI,GACL,MAAM,yBAAyB,CAAC;AACjC,OAAO,EACL,YAAY,EACZ,WAAW,EACX,KAAK,YAAY,GAClB,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EACL,iBAAiB,EACjB,mBAAmB,EACnB,KAAK,qBAAqB,EAC1B,KAAK,sBAAsB,GAC5B,MAAM,qBAAqB,CAAC;AAC7B,YAAY,EACV,cAAc,EACd,SAAS,EACT,iBAAiB,EACjB,eAAe,EACf,cAAc,EACd,YAAY,EACZ,gBAAgB,EAChB,iBAAiB,EACjB,cAAc,EACd,oBAAoB,EACpB,cAAc,EACd,eAAe,EACf,UAAU,GACX,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAEL,cAAc,EACd,KAAK,qBAAqB,EAC1B,eAAe,GAChB,MAAM,4BAA4B,CAAC;AAGpC,OAAO,EAEL,KAAK,cAAc,EACnB,KAAK,SAAS,EACd,KAAK,aAAa,EAClB,KAAK,oBAAoB,EACzB,qBAAqB,EACrB,WAAW,EAEX,uBAAuB,EACvB,yBAAyB,EACzB,cAAc,EAEd,iBAAiB,EACjB,KAAK,wBAAwB,EAE7B,oBAAoB,EACpB,KAAK,oBAAoB,EACzB,KAAK,iBAAiB,GACvB,MAAM,oBAAoB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,eAAe,CAAC;AACjD,YAAY,EACV,gBAAgB,EAChB,eAAe,EACf,UAAU,EACV,iBAAiB,EACjB,WAAW,EACX,YAAY,EACZ,eAAe,EACf,eAAe,GAChB,MAAM,YAAY,CAAC;AACpB,YAAY,EACV,WAAW,EACX,WAAW,IAAI,eAAe,EAC9B,QAAQ,EACR,aAAa,EACb,IAAI,GACL,MAAM,yBAAyB,CAAC;AACjC,OAAO,EACL,YAAY,EACZ,WAAW,EACX,KAAK,YAAY,GAClB,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EACL,iBAAiB,EACjB,mBAAmB,EACnB,KAAK,qBAAqB,EAC1B,KAAK,sBAAsB,GAC5B,MAAM,qBAAqB,CAAC;AAC7B,YAAY,EACV,cAAc,EACd,SAAS,EACT,iBAAiB,EACjB,eAAe,EACf,cAAc,EACd,YAAY,EACZ,gBAAgB,EAChB,iBAAiB,EACjB,cAAc,EACd,oBAAoB,EACpB,cAAc,EACd,eAAe,EACf,UAAU,GACX,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAEL,cAAc,EACd,KAAK,qBAAqB,EAC1B,eAAe,GAChB,MAAM,4BAA4B,CAAC;AAGpC,OAAO,EAEL,KAAK,cAAc,EACnB,KAAK,SAAS,EACd,KAAK,aAAa,EAClB,KAAK,oBAAoB,EACzB,qBAAqB,EACrB,WAAW,EAEX,uBAAuB,EACvB,yBAAyB,EACzB,cAAc,EAEd,iBAAiB,EACjB,KAAK,wBAAwB,EAC7B,iBAAiB,EAEjB,oBAAoB,EACpB,KAAK,oBAAoB,EACzB,KAAK,iBAAiB,GACvB,MAAM,oBAAoB,CAAC"}

package/dist/index.js

@@ -9,7 +9,7 @@ export { SecretResolutionError, isSecretRef,
 // Resolution utilities
 resolveSecretsInMonitor, collectSecretsFromMonitor, planHasSecrets, 
 // Providers
-EnvSecretProvider, 
+EnvSecretProvider, HubSecretProvider, 
 // Factory functions
 createSecretProvider, } from "./secrets/index.js";
 //# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,eAAe,CAAC;AAkBjD,OAAO,EACL,YAAY,EACZ,WAAW,GAEZ,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EACL,iBAAiB,EACjB,mBAAmB,GAGpB,MAAM,qBAAqB,CAAC;AAgB7B,OAAO;AACL,qBAAqB;AACrB,cAAc,EAEd,eAAe,GAChB,MAAM,4BAA4B,CAAC;AAEpC,wBAAwB;AACxB,OAAO,EAML,qBAAqB,EACrB,WAAW;AACX,uBAAuB;AACvB,uBAAuB,EACvB,yBAAyB,EACzB,cAAc;AACd,YAAY;AACZ,iBAAiB;AAEjB,oBAAoB;AACpB,oBAAoB,GAGrB,MAAM,oBAAoB,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,eAAe,CAAC;AAkBjD,OAAO,EACL,YAAY,EACZ,WAAW,GAEZ,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EACL,iBAAiB,EACjB,mBAAmB,GAGpB,MAAM,qBAAqB,CAAC;AAgB7B,OAAO;AACL,qBAAqB;AACrB,cAAc,EAEd,eAAe,GAChB,MAAM,4BAA4B,CAAC;AAEpC,wBAAwB;AACxB,OAAO,EAML,qBAAqB,EACrB,WAAW;AACX,uBAAuB;AACvB,uBAAuB,EACvB,yBAAyB,EACzB,cAAc;AACd,YAAY;AACZ,iBAAiB,EAEjB,iBAAiB;AACjB,oBAAoB;AACpB,oBAAoB,GAGrB,MAAM,oBAAoB,CAAC"}

package/dist/secrets/index.d.ts

@@ -11,6 +11,6 @@
  */
 export { type SecretProvider, type SecretRef, type SecretRefData, type SecretResolveOptions, SecretResolutionError, isSecretRef, isStringLiteral, } from "./types.js";
 export { resolveSecretsInMonitor, collectSecretsFromMonitor, planHasSecrets, } from "./resolver.js";
-export { EnvSecretProvider, type EnvSecretProviderOptions, } from "./providers/index.js";
+export { EnvSecretProvider, type EnvSecretProviderOptions, HubSecretProvider, } from "./providers/index.js";
 export { createSecretProvider, type SecretProviderConfig, type EnvProviderConfig, } from "./factory.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/secrets/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/secrets/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAGH,OAAO,EACL,KAAK,cAAc,EACnB,KAAK,SAAS,EACd,KAAK,aAAa,EAClB,KAAK,oBAAoB,EACzB,qBAAqB,EACrB,WAAW,EACX,eAAe,GAChB,MAAM,YAAY,CAAC;AAGpB,OAAO,EACL,uBAAuB,EACvB,yBAAyB,EACzB,cAAc,GACf,MAAM,eAAe,CAAC;AAGvB,OAAO,EACL,iBAAiB,EACjB,KAAK,wBAAwB,GAC9B,MAAM,sBAAsB,CAAC;AAG9B,OAAO,EACL,oBAAoB,EACpB,KAAK,oBAAoB,EACzB,KAAK,iBAAiB,GACvB,MAAM,cAAc,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/secrets/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAGH,OAAO,EACL,KAAK,cAAc,EACnB,KAAK,SAAS,EACd,KAAK,aAAa,EAClB,KAAK,oBAAoB,EACzB,qBAAqB,EACrB,WAAW,EACX,eAAe,GAChB,MAAM,YAAY,CAAC;AAGpB,OAAO,EACL,uBAAuB,EACvB,yBAAyB,EACzB,cAAc,GACf,MAAM,eAAe,CAAC;AAGvB,OAAO,EACL,iBAAiB,EACjB,KAAK,wBAAwB,EAC7B,iBAAiB,GAClB,MAAM,sBAAsB,CAAC;AAG9B,OAAO,EACL,oBAAoB,EACpB,KAAK,oBAAoB,EACzB,KAAK,iBAAiB,GACvB,MAAM,cAAc,CAAC"}

package/dist/secrets/index.js

@@ -14,7 +14,7 @@ export { SecretResolutionError, isSecretRef, isStringLiteral, } from "./types.js
 // Resolution utilities
 export { resolveSecretsInMonitor, collectSecretsFromMonitor, planHasSecrets, } from "./resolver.js";
 // Providers
-export { EnvSecretProvider, } from "./providers/index.js";
+export { EnvSecretProvider, HubSecretProvider, } from "./providers/index.js";
 // Factory functions
 export { createSecretProvider, } from "./factory.js";
 //# sourceMappingURL=index.js.map

package/dist/secrets/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/secrets/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,aAAa;AACb,OAAO,EAKL,qBAAqB,EACrB,WAAW,EACX,eAAe,GAChB,MAAM,YAAY,CAAC;AAEpB,uBAAuB;AACvB,OAAO,EACL,uBAAuB,EACvB,yBAAyB,EACzB,cAAc,GACf,MAAM,eAAe,CAAC;AAEvB,YAAY;AACZ,OAAO,EACL,iBAAiB,GAElB,MAAM,sBAAsB,CAAC;AAE9B,oBAAoB;AACpB,OAAO,EACL,oBAAoB,GAGrB,MAAM,cAAc,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/secrets/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,aAAa;AACb,OAAO,EAKL,qBAAqB,EACrB,WAAW,EACX,eAAe,GAChB,MAAM,YAAY,CAAC;AAEpB,uBAAuB;AACvB,OAAO,EACL,uBAAuB,EACvB,yBAAyB,EACzB,cAAc,GACf,MAAM,eAAe,CAAC;AAEvB,YAAY;AACZ,OAAO,EACL,iBAAiB,EAEjB,iBAAiB,GAClB,MAAM,sBAAsB,CAAC;AAE9B,oBAAoB;AACpB,OAAO,EACL,oBAAoB,GAGrB,MAAM,cAAc,CAAC"}

package/dist/secrets/providers/hub.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Hub secret provider.
+ *
+ * Resolves secrets via the hub's POST /secrets/resolve endpoint.
+ * The hub is the sole gateway for AWS Secrets Manager — no credentials leave the hub.
+ */
+import type { GriffinHubSdk } from "@griffin-app/griffin-hub-sdk";
+import type { SecretProvider, SecretResolveOptions } from "../types.js";
+export declare class HubSecretProvider implements SecretProvider {
+    readonly name = "hub";
+    private readonly sdk;
+    private readonly environment;
+    private readonly cache?;
+    private readonly cacheExpires?;
+    private readonly ttlMs;
+    constructor(sdk: GriffinHubSdk, environment: string, cache?: Map<string, string>, ttlMs?: number);
+    resolve(ref: string, options?: SecretResolveOptions): Promise<string>;
+}
+//# sourceMappingURL=hub.d.ts.map

package/dist/secrets/providers/hub.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"hub.d.ts","sourceRoot":"","sources":["../../../src/secrets/providers/hub.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,8BAA8B,CAAC;AAClE,OAAO,KAAK,EAAE,cAAc,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AAQxE,qBAAa,iBAAkB,YAAW,cAAc;IACtD,QAAQ,CAAC,IAAI,SAAS;IACtB,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAgB;IACpC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAS;IACrC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAsB;IAC7C,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAsB;IACpD,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAS;gBAG7B,GAAG,EAAE,aAAa,EAClB,WAAW,EAAE,MAAM,EACnB,KAAK,CAAC,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,EAC3B,KAAK,CAAC,EAAE,MAAM;IAWV,OAAO,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,oBAAoB,GAAG,OAAO,CAAC,MAAM,CAAC;CAkC5E"}

package/dist/secrets/providers/hub.js

@@ -0,0 +1,60 @@
+/**
+ * Hub secret provider.
+ *
+ * Resolves secrets via the hub's POST /secrets/resolve endpoint.
+ * The hub is the sole gateway for AWS Secrets Manager — no credentials leave the hub.
+ */
+import { SecretResolutionError } from "../types.js";
+function cacheKey(ref, options) {
+    if (!options?.version && !options?.field)
+        return ref;
+    return `${ref}\0${options.version ?? ""}\0${options.field ?? ""}`;
+}
+export class HubSecretProvider {
+    name = "hub";
+    sdk;
+    environment;
+    cache;
+    cacheExpires;
+    ttlMs;
+    constructor(sdk, environment, cache, ttlMs) {
+        this.sdk = sdk;
+        this.environment = environment;
+        this.cache = cache;
+        this.ttlMs = ttlMs ?? 0;
+        if (this.cache != null && this.ttlMs > 0) {
+            this.cacheExpires = new Map();
+        }
+    }
+    async resolve(ref, options) {
+        const key = cacheKey(ref, options);
+        if (this.cache != null) {
+            const expiresAt = this.cacheExpires?.get(key);
+            const now = Date.now();
+            if (expiresAt == null || now < expiresAt) {
+                const cached = this.cache.get(key);
+                if (cached !== undefined)
+                    return cached;
+            }
+            else {
+                this.cache.delete(key);
+                this.cacheExpires?.delete(key);
+            }
+        }
+        const response = await this.sdk.postSecretsResolve({
+            body: { name: ref, environment: this.environment },
+        });
+        const value = response.data?.data?.value;
+        if (value === undefined) {
+            throw new SecretResolutionError(`Secret "${ref}" not found for environment "${this.environment}"`, { ref });
+        }
+        if (this.cache != null) {
+            this.cache.set(key, value);
+            if (this.cacheExpires != null && this.ttlMs > 0) {
+                this.cacheExpires.set(key, Date.now() + this.ttlMs);
+            }
+        }
+        return value;
+    }
+}
+//# sourceMappingURL=hub.js.map

package/dist/secrets/providers/hub.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"hub.js","sourceRoot":"","sources":["../../../src/secrets/providers/hub.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAEpD,SAAS,QAAQ,CAAC,GAAW,EAAE,OAA8B;IAC3D,IAAI,CAAC,OAAO,EAAE,OAAO,IAAI,CAAC,OAAO,EAAE,KAAK;QAAE,OAAO,GAAG,CAAC;IACrD,OAAO,GAAG,GAAG,KAAK,OAAO,CAAC,OAAO,IAAI,EAAE,KAAK,OAAO,CAAC,KAAK,IAAI,EAAE,EAAE,CAAC;AACpE,CAAC;AAED,MAAM,OAAO,iBAAiB;IACnB,IAAI,GAAG,KAAK,CAAC;IACL,GAAG,CAAgB;IACnB,WAAW,CAAS;IACpB,KAAK,CAAuB;IAC5B,YAAY,CAAuB;IACnC,KAAK,CAAS;IAE/B,YACE,GAAkB,EAClB,WAAmB,EACnB,KAA2B,EAC3B,KAAc;QAEd,IAAI,CAAC,GAAG,GAAG,GAAG,CAAC;QACf,IAAI,CAAC,WAAW,GAAG,WAAW,CAAC;QAC/B,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC;QACnB,IAAI,CAAC,KAAK,GAAG,KAAK,IAAI,CAAC,CAAC;QACxB,IAAI,IAAI,CAAC,KAAK,IAAI,IAAI,IAAI,IAAI,CAAC,KAAK,GAAG,CAAC,EAAE,CAAC;YACzC,IAAI,CAAC,YAAY,GAAG,IAAI,GAAG,EAAE,CAAC;QAChC,CAAC;IACH,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,GAAW,EAAE,OAA8B;QACvD,MAAM,GAAG,GAAG,QAAQ,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;QACnC,IAAI,IAAI,CAAC,KAAK,IAAI,IAAI,EAAE,CAAC;YACvB,MAAM,SAAS,GAAG,IAAI,CAAC,YAAY,EAAE,GAAG,CAAC,GAAG,CAAC,CAAC;YAC9C,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YACvB,IAAI,SAAS,IAAI,IAAI,IAAI,GAAG,GAAG,SAAS,EAAE,CAAC;gBACzC,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;gBACnC,IAAI,MAAM,KAAK,SAAS;oBAAE,OAAO,MAAM,CAAC;YAC1C,CAAC;iBAAM,CAAC;gBACN,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;gBACvB,IAAI,CAAC,YAAY,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC;YACjC,CAAC;QACH,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,kBAAkB,CAAC;YACjD,IAAI,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,WAAW,EAAE,IAAI,CAAC,WAAW,EAAE;SACnD,CAAC,CAAC;QAEH,MAAM,KAAK,GAAG,QAAQ,CAAC,IAAI,EAAE,IAAI,EAAE,KAAK,CAAC;QACzC,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;YACxB,MAAM,IAAI,qBAAqB,CAC7B,WAAW,GAAG,gCAAgC,IAAI,CAAC,WAAW,GAAG,EACjE,EAAE,GAAG,EAAE,CACR,CAAC;QACJ,CAAC;QAED,IAAI,IAAI,CAAC,KAAK,IAAI,IAAI,EAAE,CAAC;YACvB,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;YAC3B,IAAI,IAAI,CAAC,YAAY,IAAI,IAAI,IAAI,IAAI,CAAC,KAAK,GAAG,CAAC,EAAE,CAAC;gBAChD,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC;YACtD,CAAC;QACH,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;CACF"}

package/dist/secrets/providers/index.d.ts

@@ -2,4 +2,5 @@
  * Secret provider implementations.
  */
 export { EnvSecretProvider, type EnvSecretProviderOptions } from "./env.js";
+export { HubSecretProvider } from "./hub.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/secrets/providers/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/secrets/providers/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,iBAAiB,EAAE,KAAK,wBAAwB,EAAE,MAAM,UAAU,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/secrets/providers/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,iBAAiB,EAAE,KAAK,wBAAwB,EAAE,MAAM,UAAU,CAAC;AAC5E,OAAO,EAAE,iBAAiB,EAAE,MAAM,UAAU,CAAC"}

package/dist/secrets/providers/index.js

@@ -2,4 +2,5 @@
  * Secret provider implementations.
  */
 export { EnvSecretProvider } from "./env.js";
+export { HubSecretProvider } from "./hub.js";
 //# sourceMappingURL=index.js.map

package/dist/secrets/providers/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/secrets/providers/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,iBAAiB,EAAiC,MAAM,UAAU,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/secrets/providers/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,iBAAiB,EAAiC,MAAM,UAAU,CAAC;AAC5E,OAAO,EAAE,iBAAiB,EAAE,MAAM,UAAU,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@griffin-app/griffin-executor",
-  "version": "0.1.2",
+  "version": "0.1.4",
   "description": "Executor for griffin JSON test monitors",
   "type": "module",
   "main": "dist/index.js",
@@ -22,8 +22,6 @@
   "license": "MIT",
   "dependencies": {
     "@aws-sdk/client-kinesis": "^3.975.0",
-    "@aws-sdk/client-secrets-manager": "^3.981.0",
-    "@aws-sdk/client-sts": "^3.981.0",
     "@griffin-app/griffin-hub-sdk": "1.0.27",
     "@griffin-app/griffin-core": "0.2.2",
     "axios": "^1.13.2",

package/src/index.ts

@@ -66,6 +66,7 @@ export {
   // Providers
   EnvSecretProvider,
   type EnvSecretProviderOptions,
+  HubSecretProvider,
   // Factory functions
   createSecretProvider,
   type SecretProviderConfig,

package/src/secrets/index.ts

@@ -32,6 +32,7 @@ export {
 export {
   EnvSecretProvider,
   type EnvSecretProviderOptions,
+  HubSecretProvider,
 } from "./providers/index.js";
 
 // Factory functions

package/src/secrets/providers/hub.ts

@@ -0,0 +1,74 @@
+/**
+ * Hub secret provider.
+ *
+ * Resolves secrets via the hub's POST /secrets/resolve endpoint.
+ * The hub is the sole gateway for AWS Secrets Manager — no credentials leave the hub.
+ */
+
+import type { GriffinHubSdk } from "@griffin-app/griffin-hub-sdk";
+import type { SecretProvider, SecretResolveOptions } from "../types.js";
+import { SecretResolutionError } from "../types.js";
+
+function cacheKey(ref: string, options?: SecretResolveOptions): string {
+  if (!options?.version && !options?.field) return ref;
+  return `${ref}\0${options.version ?? ""}\0${options.field ?? ""}`;
+}
+
+export class HubSecretProvider implements SecretProvider {
+  readonly name = "hub";
+  private readonly sdk: GriffinHubSdk;
+  private readonly environment: string;
+  private readonly cache?: Map<string, string>;
+  private readonly cacheExpires?: Map<string, number>;
+  private readonly ttlMs: number;
+
+  constructor(
+    sdk: GriffinHubSdk,
+    environment: string,
+    cache?: Map<string, string>,
+    ttlMs?: number,
+  ) {
+    this.sdk = sdk;
+    this.environment = environment;
+    this.cache = cache;
+    this.ttlMs = ttlMs ?? 0;
+    if (this.cache != null && this.ttlMs > 0) {
+      this.cacheExpires = new Map();
+    }
+  }
+
+  async resolve(ref: string, options?: SecretResolveOptions): Promise<string> {
+    const key = cacheKey(ref, options);
+    if (this.cache != null) {
+      const expiresAt = this.cacheExpires?.get(key);
+      const now = Date.now();
+      if (expiresAt == null || now < expiresAt) {
+        const cached = this.cache.get(key);
+        if (cached !== undefined) return cached;
+      } else {
+        this.cache.delete(key);
+        this.cacheExpires?.delete(key);
+      }
+    }
+
+    const response = await this.sdk.postSecretsResolve({
+      body: { name: ref, environment: this.environment },
+    });
+
+    const value = response.data?.data?.value;
+    if (value === undefined) {
+      throw new SecretResolutionError(
+        `Secret "${ref}" not found for environment "${this.environment}"`,
+        { ref },
+      );
+    }
+
+    if (this.cache != null) {
+      this.cache.set(key, value);
+      if (this.cacheExpires != null && this.ttlMs > 0) {
+        this.cacheExpires.set(key, Date.now() + this.ttlMs);
+      }
+    }
+    return value;
+  }
+}

package/src/secrets/providers/index.ts

@@ -3,3 +3,4 @@
  */
 
 export { EnvSecretProvider, type EnvSecretProviderOptions } from "./env.js";
+export { HubSecretProvider } from "./hub.js";

package/tsconfig.tsbuildinfo

@@ -1 +0,0 @@
-{"root":["./src/executor.test.ts","./src/executor.ts","./src/index.ts","./src/shared.ts","./src/test-monitor-types.ts","./src/types.ts","./src/adapters/axios.ts","./src/adapters/index.ts","./src/adapters/stub.ts","./src/events/emitter.test.ts","./src/events/emitter.ts","./src/events/index.ts","./src/events/types.ts","./src/events/adapters/in-memory.test.ts","./src/events/adapters/in-memory.ts","./src/events/adapters/index.ts","./src/events/adapters/kinesis.test.ts","./src/events/adapters/kinesis.ts","./src/secrets/factory.ts","./src/secrets/index.ts","./src/secrets/resolver.ts","./src/secrets/secrets.test.ts","./src/secrets/types.ts","./src/secrets/providers/aws.ts","./src/secrets/providers/env.ts","./src/secrets/providers/index.ts","./src/secrets/providers/vault.ts","./src/utils/dates.ts"],"version":"5.9.3"}