@griffin-app/griffin-executor 0.1.4 → 0.1.6

package/dist/secrets/providers/vault.js

@@ -1,143 +0,0 @@
-/**
- * HashiCorp Vault secret provider.
- *
- * Reads secrets from HashiCorp Vault KV secrets engine (v1 and v2).
- * Supports field extraction from JSON secrets.
- *
- * Usage in DSL:
- *   secret("vault:secret/data/myapp/config")
- *   secret("vault:secret/data/myapp/config", { field: "api_key" })
- *   secret("vault:secret/data/myapp/config", { version: "2" })
- */
-import { SecretResolutionError } from "../types.js";
-export class VaultProvider {
-    name = "vault";
-    address;
-    token;
-    httpClient;
-    namespace;
-    kvVersion;
-    prefix;
-    // Simple in-memory cache with TTL
-    cache = new Map();
-    cacheTtlMs = 5 * 60 * 1000; // 5 minutes
-    constructor(options) {
-        this.address = options.address.replace(/\/$/, ""); // Remove trailing slash
-        this.token = options.token;
-        this.httpClient = options.httpClient;
-        this.namespace = options.namespace;
-        this.kvVersion = options.kvVersion ?? 2;
-        this.prefix = options.prefix ?? "";
-    }
-    async resolve(ref, options) {
-        const secretPath = this.prefix + ref;
-        const version = options?.version;
-        const cacheKey = `${secretPath}:${version ?? "latest"}`;
-        // Check cache
-        const cached = this.cache.get(cacheKey);
-        if (cached && cached.expires > Date.now()) {
-            return this.extractField(cached.value, options?.field, ref);
-        }
-        try {
-            // Build request URL
-            let url = `${this.address}/v1/${secretPath}`;
-            if (this.kvVersion === 2 && version) {
-                url += `?version=${version}`;
-            }
-            // Build headers
-            const headers = {
-                "X-Vault-Token": this.token,
-            };
-            if (this.namespace) {
-                headers["X-Vault-Namespace"] = this.namespace;
-            }
-            const response = await this.httpClient.get(url, { headers });
-            if (response.status === 404) {
-                throw new SecretResolutionError(`Secret "${secretPath}" not found in Vault`, { ref });
-            }
-            if (response.status === 403) {
-                throw new SecretResolutionError(`Access denied to secret "${secretPath}". Check Vault policies.`, { ref });
-            }
-            if (response.status !== 200) {
-                throw new SecretResolutionError(`Vault returned status ${response.status} for secret "${secretPath}"`, { ref });
-            }
-            // Parse response based on KV version
-            const data = response.data;
-            let secretData;
-            if (this.kvVersion === 2) {
-                // KV v2 wraps data in an extra "data" object
-                const kvData = data?.data;
-                if (!kvData?.data) {
-                    throw new SecretResolutionError(`Invalid KV v2 response structure for secret "${secretPath}"`, { ref });
-                }
-                secretData = kvData.data;
-            }
-            else {
-                // KV v1 has data directly
-                if (!data?.data || typeof data.data !== "object") {
-                    throw new SecretResolutionError(`Invalid KV v1 response structure for secret "${secretPath}"`, { ref });
-                }
-                secretData = data.data;
-            }
-            // Cache the secret data
-            this.cache.set(cacheKey, {
-                value: secretData,
-                expires: Date.now() + this.cacheTtlMs,
-            });
-            return this.extractField(secretData, options?.field, ref);
-        }
-        catch (error) {
-            if (error instanceof SecretResolutionError) {
-                throw error;
-            }
-            throw new SecretResolutionError(`Failed to retrieve secret "${secretPath}" from Vault: ${error instanceof Error ? error.message : String(error)}`, { ref, cause: error });
-        }
-    }
-    /**
-     * Extract a field from the secret data.
-     * If no field is specified, returns the entire data as JSON string.
-     */
-    extractField(secretData, field, ref) {
-        if (!field) {
-            // Return entire secret as JSON if no field specified
-            return JSON.stringify(secretData);
-        }
-        const value = secretData[field];
-        if (value === undefined) {
-            throw new SecretResolutionError(`Field "${field}" not found in secret "${ref}"`, { ref });
-        }
-        // Convert to string if not already
-        return typeof value === "string" ? value : JSON.stringify(value);
-    }
-    async validate() {
-        // Verify we can authenticate with Vault
-        try {
-            const headers = {
-                "X-Vault-Token": this.token,
-            };
-            if (this.namespace) {
-                headers["X-Vault-Namespace"] = this.namespace;
-            }
-            const response = await this.httpClient.get(`${this.address}/v1/auth/token/lookup-self`, { headers });
-            if (response.status === 403) {
-                throw new Error("Invalid or expired Vault token");
-            }
-            if (response.status !== 200) {
-                throw new Error(`Vault authentication check failed with status ${response.status}`);
-            }
-        }
-        catch (error) {
-            if (error instanceof Error && error.message.includes("Vault")) {
-                throw error;
-            }
-            throw new Error(`Failed to connect to Vault at ${this.address}: ${error instanceof Error ? error.message : String(error)}`);
-        }
-    }
-    /**
-     * Clear the cache. Useful for testing or forced refresh.
-     */
-    clearCache() {
-        this.cache.clear();
-    }
-}
-//# sourceMappingURL=vault.js.map

package/dist/secrets/providers/vault.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"vault.js","sourceRoot":"","sources":["../../../src/secrets/providers/vault.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAGH,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAiDpD,MAAM,OAAO,aAAa;IACf,IAAI,GAAG,OAAO,CAAC;IACP,OAAO,CAAS;IAChB,KAAK,CAAS;IACd,UAAU,CAAkB;IAC5B,SAAS,CAAU;IACnB,SAAS,CAAQ;IACjB,MAAM,CAAS;IAEhC,kCAAkC;IAC1B,KAAK,GAAG,IAAI,GAAG,EAGpB,CAAC;IACa,UAAU,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,YAAY;IAEzD,YAAY,OAA6B;QACvC,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,CAAC,wBAAwB;QAC3E,IAAI,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;QAC3B,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;QACrC,IAAI,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,CAAC;QACnC,IAAI,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,CAAC,CAAC;QACxC,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,EAAE,CAAC;IACrC,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,GAAW,EAAE,OAA8B;QACvD,MAAM,UAAU,GAAG,IAAI,CAAC,MAAM,GAAG,GAAG,CAAC;QACrC,MAAM,OAAO,GAAG,OAAO,EAAE,OAAO,CAAC;QACjC,MAAM,QAAQ,GAAG,GAAG,UAAU,IAAI,OAAO,IAAI,QAAQ,EAAE,CAAC;QAExD,cAAc;QACd,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QACxC,IAAI,MAAM,IAAI,MAAM,CAAC,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;YAC1C,OAAO,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9D,CAAC;QAED,IAAI,CAAC;YACH,oBAAoB;YACpB,IAAI,GAAG,GAAG,GAAG,IAAI,CAAC,OAAO,OAAO,UAAU,EAAE,CAAC;YAC7C,IAAI,IAAI,CAAC,SAAS,KAAK,CAAC,IAAI,OAAO,EAAE,CAAC;gBACpC,GAAG,IAAI,YAAY,OAAO,EAAE,CAAC;YAC/B,CAAC;YAED,gBAAgB;YAChB,MAAM,OAAO,GAA2B;gBACtC,eAAe,EAAE,IAAI,CAAC,KAAK;aAC5B,CAAC;YACF,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;gBACnB,OAAO,CAAC,mBAAmB,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC;YAChD,CAAC;YAED,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,OAAO,EAAE,CAAC,CAAC;YAE7D,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBAC5B,MAAM,IAAI,qBAAqB,CAC7B,WAAW,UAAU,sBAAsB,EAC3C,EAAE,GAAG,EAAE,CACR,CAAC;YACJ,CAAC;YAED,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBAC5B,MAAM,IAAI,qBAAqB,CAC7B,4BAA4B,UAAU,0BAA0B,EAChE,EAAE,GAAG,EAAE,CACR,CAAC;YACJ,CAAC;YAED,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBAC5B,MAAM,IAAI,qBAAqB,CAC7B,yBAAyB,QAAQ,CAAC,MAAM,gBAAgB,UAAU,GAAG,EACrE,EAAE,GAAG,EAAE,CACR,CAAC;YACJ,CAAC;YAED,qCAAqC;YACrC,MAAM,IAAI,GAAG,QAAQ,CAAC,IAErB,CAAC;YAEF,IAAI,UAAmC,CAAC;YAExC,IAAI,IAAI,CAAC,SAAS,KAAK,CAAC,EAAE,CAAC;gBACzB,6CAA6C;gBAC7C,MAAM,MAAM,GAAG,IAAI,EAAE,IAER,CAAC;gBACd,IAAI,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC;oBAClB,MAAM,IAAI,qBAAqB,CAC7B,gDAAgD,UAAU,GAAG,EAC7D,EAAE,GAAG,EAAE,CACR,CAAC;gBACJ,CAAC;gBACD,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC;YAC3B,CAAC;iBAAM,CAAC;gBACN,0BAA0B;gBAC1B,IAAI,CAAC,IAAI,EAAE,IAAI,IAAI,OAAO,IAAI,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;oBACjD,MAAM,IAAI,qBAAqB,CAC7B,gDAAgD,UAAU,GAAG,EAC7D,EAAE,GAAG,EAAE,CACR,CAAC;gBACJ,CAAC;gBACD,UAAU,GAAG,IAAI,CAAC,IAA+B,CAAC;YACpD,CAAC;YAED,wBAAwB;YACxB,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,EAAE;gBACvB,KAAK,EAAE,UAAU;gBACjB,OAAO,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,UAAU;aACtC,CAAC,CAAC;YAEH,OAAO,IAAI,CAAC,YAAY,CAAC,UAAU,EAAE,OAAO,EAAE,KAAK,EAAE,GAAG,CAAC,CAAC;QAC5D,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,qBAAqB,EAAE,CAAC;gBAC3C,MAAM,KAAK,CAAC;YACd,CAAC;YAED,MAAM,IAAI,qBAAqB,CAC7B,8BAA8B,UAAU,iBACtC,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CACvD,EAAE,EACF,EAAE,GAAG,EAAE,KAAK,EAAE,KAAK,EAAE,CACtB,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;;OAGG;IACK,YAAY,CAClB,UAAmC,EACnC,KAAyB,EACzB,GAAW;QAEX,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,qDAAqD;YACrD,OAAO,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;QACpC,CAAC;QAED,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC;QAEhC,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;YACxB,MAAM,IAAI,qBAAqB,CAC7B,UAAU,KAAK,0BAA0B,GAAG,GAAG,EAC/C,EAAE,GAAG,EAAE,CACR,CAAC;QACJ,CAAC;QAED,mCAAmC;QACnC,OAAO,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;IACnE,CAAC;IAED,KAAK,CAAC,QAAQ;QACZ,wCAAwC;QACxC,IAAI,CAAC;YACH,MAAM,OAAO,GAA2B;gBACtC,eAAe,EAAE,IAAI,CAAC,KAAK;aAC5B,CAAC;YACF,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;gBACnB,OAAO,CAAC,mBAAmB,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC;YAChD,CAAC;YAED,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,CACxC,GAAG,IAAI,CAAC,OAAO,4BAA4B,EAC3C,EAAE,OAAO,EAAE,CACZ,CAAC;YAEF,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBAC5B,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC;YACpD,CAAC;YAED,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBAC5B,MAAM,IAAI,KAAK,CACb,iDAAiD,QAAQ,CAAC,MAAM,EAAE,CACnE,CAAC;YACJ,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,KAAK,IAAI,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;gBAC9D,MAAM,KAAK,CAAC;YACd,CAAC;YACD,MAAM,IAAI,KAAK,CACb,iCAAiC,IAAI,CAAC,OAAO,KAC3C,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CACvD,EAAE,CACH,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;OAEG;IACH,UAAU;QACR,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;IACrB,CAAC;CACF"}

package/dist/secrets/registry.d.ts

@@ -1,39 +0,0 @@
-/**
- * Secret provider registry for managing the configured secret provider.
- */
-import type { SecretProvider, SecretRefData } from "./types.js";
-/**
- * Registry for the single configured secret provider.
- */
-export declare class SecretProviderRegistry {
-    private provider;
-    /**
-     * Set the secret provider.
-     * @param provider - The provider to use for resolution
-     */
-    setProvider(provider: SecretProvider): void;
-    /**
-     * Resolve a secret reference using the configured provider.
-     * @param secretRef - The secret reference data
-     * @returns The resolved secret value
-     * @throws SecretResolutionError if resolution fails
-     */
-    resolve(secretRef: SecretRefData): Promise<string>;
-    /**
-     * Resolve multiple secrets using the configured provider.
-     * @param refs - Array of secret reference data
-     * @returns Map of key to resolved value
-     * @throws SecretResolutionError if any resolution fails (fail-fast)
-     */
-    resolveMany(refs: SecretRefData[]): Promise<Map<string, string>>;
-    /**
-     * Validate the configured provider.
-     * @throws Error if provider validation fails
-     */
-    validateAll(): Promise<void>;
-    /**
-     * Create a unique key for a secret reference (for caching/deduplication).
-     */
-    makeKey(secretRef: SecretRefData): string;
-}
-//# sourceMappingURL=registry.d.ts.map

package/dist/secrets/registry.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"registry.d.ts","sourceRoot":"","sources":["../../src/secrets/registry.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EACV,cAAc,EACd,aAAa,EAEd,MAAM,YAAY,CAAC;AAGpB;;GAEG;AACH,qBAAa,sBAAsB;IACjC,OAAO,CAAC,QAAQ,CAA+B;IAE/C;;;OAGG;IACH,WAAW,CAAC,QAAQ,EAAE,cAAc,GAAG,IAAI;IAI3C;;;;;OAKG;IACG,OAAO,CAAC,SAAS,EAAE,aAAa,GAAG,OAAO,CAAC,MAAM,CAAC;IA4BxD;;;;;OAKG;IACG,WAAW,CAAC,IAAI,EAAE,aAAa,EAAE,GAAG,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IA0EtE;;;OAGG;IACG,WAAW,IAAI,OAAO,CAAC,IAAI,CAAC;IAclC;;OAEG;IACH,OAAO,CAAC,SAAS,EAAE,aAAa,GAAG,MAAM;CAM1C"}

package/dist/secrets/registry.js

@@ -1,134 +0,0 @@
-/**
- * Secret provider registry for managing the configured secret provider.
- */
-import { SecretResolutionError } from "./types.js";
-/**
- * Registry for the single configured secret provider.
- */
-export class SecretProviderRegistry {
-    provider = null;
-    /**
-     * Set the secret provider.
-     * @param provider - The provider to use for resolution
-     */
-    setProvider(provider) {
-        this.provider = provider;
-    }
-    /**
-     * Resolve a secret reference using the configured provider.
-     * @param secretRef - The secret reference data
-     * @returns The resolved secret value
-     * @throws SecretResolutionError if resolution fails
-     */
-    async resolve(secretRef) {
-        if (!this.provider) {
-            throw new SecretResolutionError("No secret provider configured", {
-                ref: secretRef.ref,
-            });
-        }
-        try {
-            return await this.provider.resolve(secretRef.ref, {
-                version: secretRef.version,
-                field: secretRef.field,
-            });
-        }
-        catch (error) {
-            if (error instanceof SecretResolutionError) {
-                throw error;
-            }
-            throw new SecretResolutionError(`Failed to resolve secret "${secretRef.ref}": ${error instanceof Error ? error.message : String(error)}`, {
-                ref: secretRef.ref,
-                cause: error,
-            });
-        }
-    }
-    /**
-     * Resolve multiple secrets using the configured provider.
-     * @param refs - Array of secret reference data
-     * @returns Map of key to resolved value
-     * @throws SecretResolutionError if any resolution fails (fail-fast)
-     */
-    async resolveMany(refs) {
-        if (refs.length === 0) {
-            return new Map();
-        }
-        if (!this.provider) {
-            throw new SecretResolutionError("No secret provider configured", {
-                ref: refs[0].ref,
-            });
-        }
-        const results = new Map();
-        if (this.provider.resolveMany) {
-            const batchRefs = refs.map((r) => ({
-                ref: r.ref,
-                options: {
-                    version: r.version,
-                    field: r.field,
-                },
-            }));
-            try {
-                const batchResults = await this.provider.resolveMany(batchRefs);
-                for (const secretRef of refs) {
-                    const value = batchResults.get(secretRef.ref);
-                    if (value === undefined) {
-                        throw new SecretResolutionError(`Secret "${secretRef.ref}" not found in batch results`, { ref: secretRef.ref });
-                    }
-                    results.set(this.makeKey(secretRef), value);
-                }
-            }
-            catch (error) {
-                if (error instanceof SecretResolutionError) {
-                    throw error;
-                }
-                throw new SecretResolutionError(`Batch resolution failed: ${error instanceof Error ? error.message : String(error)}`, {
-                    ref: refs[0].ref,
-                    cause: error,
-                });
-            }
-        }
-        else {
-            for (const secretRef of refs) {
-                try {
-                    const value = await this.provider.resolve(secretRef.ref, {
-                        version: secretRef.version,
-                        field: secretRef.field,
-                    });
-                    results.set(this.makeKey(secretRef), value);
-                }
-                catch (error) {
-                    if (error instanceof SecretResolutionError) {
-                        throw error;
-                    }
-                    throw new SecretResolutionError(`Failed to resolve secret "${secretRef.ref}": ${error instanceof Error ? error.message : String(error)}`, { ref: secretRef.ref, cause: error });
-                }
-            }
-        }
-        return results;
-    }
-    /**
-     * Validate the configured provider.
-     * @throws Error if provider validation fails
-     */
-    async validateAll() {
-        if (this.provider?.validate) {
-            try {
-                await this.provider.validate();
-            }
-            catch (error) {
-                throw new Error(`Provider validation failed: ${error instanceof Error ? error.message : String(error)}`);
-            }
-        }
-    }
-    /**
-     * Create a unique key for a secret reference (for caching/deduplication).
-     */
-    makeKey(secretRef) {
-        const parts = [secretRef.ref];
-        if (secretRef.version)
-            parts.push(`v:${secretRef.version}`);
-        if (secretRef.field)
-            parts.push(`f:${secretRef.field}`);
-        return parts.join(":");
-    }
-}
-//# sourceMappingURL=registry.js.map

package/dist/secrets/registry.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"registry.js","sourceRoot":"","sources":["../../src/secrets/registry.ts"],"names":[],"mappings":"AAAA;;GAEG;AAOH,OAAO,EAAE,qBAAqB,EAAE,MAAM,YAAY,CAAC;AAEnD;;GAEG;AACH,MAAM,OAAO,sBAAsB;IACzB,QAAQ,GAA0B,IAAI,CAAC;IAE/C;;;OAGG;IACH,WAAW,CAAC,QAAwB;QAClC,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;IAC3B,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,OAAO,CAAC,SAAwB;QACpC,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC;YACnB,MAAM,IAAI,qBAAqB,CAAC,+BAA+B,EAAE;gBAC/D,GAAG,EAAE,SAAS,CAAC,GAAG;aACnB,CAAC,CAAC;QACL,CAAC;QAED,IAAI,CAAC;YACH,OAAO,MAAM,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,SAAS,CAAC,GAAG,EAAE;gBAChD,OAAO,EAAE,SAAS,CAAC,OAAO;gBAC1B,KAAK,EAAE,SAAS,CAAC,KAAK;aACvB,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,qBAAqB,EAAE,CAAC;gBAC3C,MAAM,KAAK,CAAC;YACd,CAAC;YACD,MAAM,IAAI,qBAAqB,CAC7B,6BAA6B,SAAS,CAAC,GAAG,MACxC,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CACvD,EAAE,EACF;gBACE,GAAG,EAAE,SAAS,CAAC,GAAG;gBAClB,KAAK,EAAE,KAAK;aACb,CACF,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,WAAW,CAAC,IAAqB;QACrC,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACtB,OAAO,IAAI,GAAG,EAAE,CAAC;QACnB,CAAC;QAED,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC;YACnB,MAAM,IAAI,qBAAqB,CAAC,+BAA+B,EAAE;gBAC/D,GAAG,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG;aACjB,CAAC,CAAC;QACL,CAAC;QAED,MAAM,OAAO,GAAG,IAAI,GAAG,EAAkB,CAAC;QAE1C,IAAI,IAAI,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;YAC9B,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;gBACjC,GAAG,EAAE,CAAC,CAAC,GAAG;gBACV,OAAO,EAAE;oBACP,OAAO,EAAE,CAAC,CAAC,OAAO;oBAClB,KAAK,EAAE,CAAC,CAAC,KAAK;iBACS;aAC1B,CAAC,CAAC,CAAC;YAEJ,IAAI,CAAC;gBACH,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,SAAS,CAAC,CAAC;gBAEhE,KAAK,MAAM,SAAS,IAAI,IAAI,EAAE,CAAC;oBAC7B,MAAM,KAAK,GAAG,YAAY,CAAC,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;oBAC9C,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;wBACxB,MAAM,IAAI,qBAAqB,CAC7B,WAAW,SAAS,CAAC,GAAG,8BAA8B,EACtD,EAAE,GAAG,EAAE,SAAS,CAAC,GAAG,EAAE,CACvB,CAAC;oBACJ,CAAC;oBACD,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,KAAK,CAAC,CAAC;gBAC9C,CAAC;YACH,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,IAAI,KAAK,YAAY,qBAAqB,EAAE,CAAC;oBAC3C,MAAM,KAAK,CAAC;gBACd,CAAC;gBACD,MAAM,IAAI,qBAAqB,CAC7B,4BACE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CACvD,EAAE,EACF;oBACE,GAAG,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG;oBAChB,KAAK,EAAE,KAAK;iBACb,CACF,CAAC;YACJ,CAAC;QACH,CAAC;aAAM,CAAC;YACN,KAAK,MAAM,SAAS,IAAI,IAAI,EAAE,CAAC;gBAC7B,IAAI,CAAC;oBACH,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,SAAS,CAAC,GAAG,EAAE;wBACvD,OAAO,EAAE,SAAS,CAAC,OAAO;wBAC1B,KAAK,EAAE,SAAS,CAAC,KAAK;qBACvB,CAAC,CAAC;oBACH,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,KAAK,CAAC,CAAC;gBAC9C,CAAC;gBAAC,OAAO,KAAK,EAAE,CAAC;oBACf,IAAI,KAAK,YAAY,qBAAqB,EAAE,CAAC;wBAC3C,MAAM,KAAK,CAAC;oBACd,CAAC;oBACD,MAAM,IAAI,qBAAqB,CAC7B,6BAA6B,SAAS,CAAC,GAAG,MACxC,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CACvD,EAAE,EACF,EAAE,GAAG,EAAE,SAAS,CAAC,GAAG,EAAE,KAAK,EAAE,KAAK,EAAE,CACrC,CAAC;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,WAAW;QACf,IAAI,IAAI,CAAC,QAAQ,EAAE,QAAQ,EAAE,CAAC;YAC5B,IAAI,CAAC;gBACH,MAAM,IAAI,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC;YACjC,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,MAAM,IAAI,KAAK,CACb,+BACE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CACvD,EAAE,CACH,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAED;;OAEG;IACH,OAAO,CAAC,SAAwB;QAC9B,MAAM,KAAK,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;QAC9B,IAAI,SAAS,CAAC,OAAO;YAAE,KAAK,CAAC,IAAI,CAAC,KAAK,SAAS,CAAC,OAAO,EAAE,CAAC,CAAC;QAC5D,IAAI,SAAS,CAAC,KAAK;YAAE,KAAK,CAAC,IAAI,CAAC,KAAK,SAAS,CAAC,KAAK,EAAE,CAAC,CAAC;QACxD,OAAO,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACzB,CAAC;CACF"}

package/dist/test-plan-types.d.ts

@@ -1,43 +0,0 @@
-export type HttpMethod = "GET" | "POST" | "PUT" | "DELETE" | "PATCH";
-export type ResponseFormat = "JSON" | "XML" | "TEXT";
-export interface HttpRequest {
-    id: string;
-    type: "HTTP_REQUEST";
-    method: HttpMethod;
-    path: string;
-    response_format: ResponseFormat;
-    headers?: Record<string, string>;
-    body?: any;
-}
-export interface WaitNode {
-    id: string;
-    type: "WAIT";
-    duration_ms: number;
-}
-export interface AssertionNode {
-    id: string;
-    type: "ASSERTION";
-    assertions: Assertion[];
-}
-export interface Assertion {
-    type: string;
-    expected?: any;
-    actual?: any;
-    message?: string;
-}
-export interface Edge {
-    from: string;
-    to: string;
-}
-export interface Frequency {
-    every: number;
-    unit: "minute" | "hour" | "day";
-}
-export interface TestPlan {
-    name: string;
-    endpoint_host: string;
-    frequency?: Frequency;
-    nodes: (HttpRequest | WaitNode | AssertionNode)[];
-    edges: Edge[];
-}
-//# sourceMappingURL=test-plan-types.d.ts.map

package/dist/test-plan-types.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"test-plan-types.d.ts","sourceRoot":"","sources":["../src/test-plan-types.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,UAAU,GAAG,KAAK,GAAG,MAAM,GAAG,KAAK,GAAG,QAAQ,GAAG,OAAO,CAAC;AACrE,MAAM,MAAM,cAAc,GAAG,MAAM,GAAG,KAAK,GAAG,MAAM,CAAC;AAErD,MAAM,WAAW,WAAW;IAC1B,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,cAAc,CAAC;IACrB,MAAM,EAAE,UAAU,CAAC;IACnB,IAAI,EAAE,MAAM,CAAC;IACb,eAAe,EAAE,cAAc,CAAC;IAChC,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACjC,IAAI,CAAC,EAAE,GAAG,CAAC;CACZ;AAED,MAAM,WAAW,QAAQ;IACvB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,aAAa;IAC5B,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,WAAW,CAAC;IAClB,UAAU,EAAE,SAAS,EAAE,CAAC;CACzB;AAED,MAAM,WAAW,SAAS;IACxB,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,CAAC,EAAE,GAAG,CAAC;IACf,MAAM,CAAC,EAAE,GAAG,CAAC;IACb,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,IAAI;IACnB,IAAI,EAAE,MAAM,CAAC;IACb,EAAE,EAAE,MAAM,CAAC;CACZ;AAED,MAAM,WAAW,SAAS;IACxB,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,QAAQ,GAAG,MAAM,GAAG,KAAK,CAAC;CACjC;AAED,MAAM,WAAW,QAAQ;IACvB,IAAI,EAAE,MAAM,CAAC;IACb,aAAa,EAAE,MAAM,CAAC;IACtB,SAAS,CAAC,EAAE,SAAS,CAAC;IACtB,KAAK,EAAE,CAAC,WAAW,GAAG,QAAQ,GAAG,aAAa,CAAC,EAAE,CAAC;IAClD,KAAK,EAAE,IAAI,EAAE,CAAC;CACf"}

package/dist/test-plan-types.js

@@ -1,2 +0,0 @@
-export {};
-//# sourceMappingURL=test-plan-types.js.map

package/dist/test-plan-types.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"test-plan-types.js","sourceRoot":"","sources":["../src/test-plan-types.ts"],"names":[],"mappings":""}

package/src/secrets/providers/vault.ts

@@ -1,257 +0,0 @@
-/**
- * HashiCorp Vault secret provider.
- *
- * Reads secrets from HashiCorp Vault KV secrets engine (v1 and v2).
- * Supports field extraction from JSON secrets.
- *
- * Usage in DSL:
- *   secret("vault:secret/data/myapp/config")
- *   secret("vault:secret/data/myapp/config", { field: "api_key" })
- *   secret("vault:secret/data/myapp/config", { version: "2" })
- */
-
-import type { SecretProvider, SecretResolveOptions } from "../types.js";
-import { SecretResolutionError } from "../types.js";
-
-/**
- * HTTP client interface for Vault API calls.
- * This allows dependency injection without requiring a specific HTTP library.
- */
-export interface VaultHttpClient {
-  get(
-    url: string,
-    options: { headers: Record<string, string> },
-  ): Promise<{
-    status: number;
-    data: unknown;
-  }>;
-}
-
-export interface VaultProviderOptions {
-  /**
-   * Vault server address (e.g., "https://vault.example.com:8200").
-   */
-  address: string;
-
-  /**
-   * Authentication token.
-   */
-  token: string;
-
-  /**
-   * HTTP client for making requests to Vault.
-   */
-  httpClient: VaultHttpClient;
-
-  /**
-   * Optional namespace for Vault Enterprise.
-   */
-  namespace?: string;
-
-  /**
-   * KV secrets engine version (1 or 2).
-   * Defaults to 2.
-   */
-  kvVersion?: 1 | 2;
-
-  /**
-   * Optional prefix for secret paths.
-   */
-  prefix?: string;
-}
-
-export class VaultProvider implements SecretProvider {
-  readonly name = "vault";
-  private readonly address: string;
-  private readonly token: string;
-  private readonly httpClient: VaultHttpClient;
-  private readonly namespace?: string;
-  private readonly kvVersion: 1 | 2;
-  private readonly prefix: string;
-
-  // Simple in-memory cache with TTL
-  private cache = new Map<
-    string,
-    { value: Record<string, unknown>; expires: number }
-  >();
-  private readonly cacheTtlMs = 5 * 60 * 1000; // 5 minutes
-
-  constructor(options: VaultProviderOptions) {
-    this.address = options.address.replace(/\/$/, ""); // Remove trailing slash
-    this.token = options.token;
-    this.httpClient = options.httpClient;
-    this.namespace = options.namespace;
-    this.kvVersion = options.kvVersion ?? 2;
-    this.prefix = options.prefix ?? "";
-  }
-
-  async resolve(ref: string, options?: SecretResolveOptions): Promise<string> {
-    const secretPath = this.prefix + ref;
-    const version = options?.version;
-    const cacheKey = `${secretPath}:${version ?? "latest"}`;
-
-    // Check cache
-    const cached = this.cache.get(cacheKey);
-    if (cached && cached.expires > Date.now()) {
-      return this.extractField(cached.value, options?.field, ref);
-    }
-
-    try {
-      // Build request URL
-      let url = `${this.address}/v1/${secretPath}`;
-      if (this.kvVersion === 2 && version) {
-        url += `?version=${version}`;
-      }
-
-      // Build headers
-      const headers: Record<string, string> = {
-        "X-Vault-Token": this.token,
-      };
-      if (this.namespace) {
-        headers["X-Vault-Namespace"] = this.namespace;
-      }
-
-      const response = await this.httpClient.get(url, { headers });
-
-      if (response.status === 404) {
-        throw new SecretResolutionError(
-          `Secret "${secretPath}" not found in Vault`,
-          { ref },
-        );
-      }
-
-      if (response.status === 403) {
-        throw new SecretResolutionError(
-          `Access denied to secret "${secretPath}". Check Vault policies.`,
-          { ref },
-        );
-      }
-
-      if (response.status !== 200) {
-        throw new SecretResolutionError(
-          `Vault returned status ${response.status} for secret "${secretPath}"`,
-          { ref },
-        );
-      }
-
-      // Parse response based on KV version
-      const data = response.data as {
-        data?: Record<string, unknown> | { data?: Record<string, unknown> };
-      };
-
-      let secretData: Record<string, unknown>;
-
-      if (this.kvVersion === 2) {
-        // KV v2 wraps data in an extra "data" object
-        const kvData = data?.data as
-          | { data?: Record<string, unknown> }
-          | undefined;
-        if (!kvData?.data) {
-          throw new SecretResolutionError(
-            `Invalid KV v2 response structure for secret "${secretPath}"`,
-            { ref },
-          );
-        }
-        secretData = kvData.data;
-      } else {
-        // KV v1 has data directly
-        if (!data?.data || typeof data.data !== "object") {
-          throw new SecretResolutionError(
-            `Invalid KV v1 response structure for secret "${secretPath}"`,
-            { ref },
-          );
-        }
-        secretData = data.data as Record<string, unknown>;
-      }
-
-      // Cache the secret data
-      this.cache.set(cacheKey, {
-        value: secretData,
-        expires: Date.now() + this.cacheTtlMs,
-      });
-
-      return this.extractField(secretData, options?.field, ref);
-    } catch (error) {
-      if (error instanceof SecretResolutionError) {
-        throw error;
-      }
-
-      throw new SecretResolutionError(
-        `Failed to retrieve secret "${secretPath}" from Vault: ${
-          error instanceof Error ? error.message : String(error)
-        }`,
-        { ref, cause: error },
-      );
-    }
-  }
-
-  /**
-   * Extract a field from the secret data.
-   * If no field is specified, returns the entire data as JSON string.
-   */
-  private extractField(
-    secretData: Record<string, unknown>,
-    field: string | undefined,
-    ref: string,
-  ): string {
-    if (!field) {
-      // Return entire secret as JSON if no field specified
-      return JSON.stringify(secretData);
-    }
-
-    const value = secretData[field];
-
-    if (value === undefined) {
-      throw new SecretResolutionError(
-        `Field "${field}" not found in secret "${ref}"`,
-        { ref },
-      );
-    }
-
-    // Convert to string if not already
-    return typeof value === "string" ? value : JSON.stringify(value);
-  }
-
-  async validate(): Promise<void> {
-    // Verify we can authenticate with Vault
-    try {
-      const headers: Record<string, string> = {
-        "X-Vault-Token": this.token,
-      };
-      if (this.namespace) {
-        headers["X-Vault-Namespace"] = this.namespace;
-      }
-
-      const response = await this.httpClient.get(
-        `${this.address}/v1/auth/token/lookup-self`,
-        { headers },
-      );
-
-      if (response.status === 403) {
-        throw new Error("Invalid or expired Vault token");
-      }
-
-      if (response.status !== 200) {
-        throw new Error(
-          `Vault authentication check failed with status ${response.status}`,
-        );
-      }
-    } catch (error) {
-      if (error instanceof Error && error.message.includes("Vault")) {
-        throw error;
-      }
-      throw new Error(
-        `Failed to connect to Vault at ${this.address}: ${
-          error instanceof Error ? error.message : String(error)
-        }`,
-      );
-    }
-  }
-
-  /**
-   * Clear the cache. Useful for testing or forced refresh.
-   */
-  clearCache(): void {
-    this.cache.clear();
-  }
-}