@griffin-app/griffin-plan-executor 0.1.0

package/dist/secrets/providers/vault.js

@@ -0,0 +1,143 @@
+/**
+ * HashiCorp Vault secret provider.
+ *
+ * Reads secrets from HashiCorp Vault KV secrets engine (v1 and v2).
+ * Supports field extraction from JSON secrets.
+ *
+ * Usage in DSL:
+ *   secret("vault:secret/data/myapp/config")
+ *   secret("vault:secret/data/myapp/config", { field: "api_key" })
+ *   secret("vault:secret/data/myapp/config", { version: "2" })
+ */
+import { SecretResolutionError } from "../types.js";
+export class VaultProvider {
+    name = "vault";
+    address;
+    token;
+    httpClient;
+    namespace;
+    kvVersion;
+    prefix;
+    // Simple in-memory cache with TTL
+    cache = new Map();
+    cacheTtlMs = 5 * 60 * 1000; // 5 minutes
+    constructor(options) {
+        this.address = options.address.replace(/\/$/, ""); // Remove trailing slash
+        this.token = options.token;
+        this.httpClient = options.httpClient;
+        this.namespace = options.namespace;
+        this.kvVersion = options.kvVersion ?? 2;
+        this.prefix = options.prefix ?? "";
+    }
+    async resolve(ref, options) {
+        const secretPath = this.prefix + ref;
+        const version = options?.version;
+        const cacheKey = `${secretPath}:${version ?? "latest"}`;
+        // Check cache
+        const cached = this.cache.get(cacheKey);
+        if (cached && cached.expires > Date.now()) {
+            return this.extractField(cached.value, options?.field, ref);
+        }
+        try {
+            // Build request URL
+            let url = `${this.address}/v1/${secretPath}`;
+            if (this.kvVersion === 2 && version) {
+                url += `?version=${version}`;
+            }
+            // Build headers
+            const headers = {
+                "X-Vault-Token": this.token,
+            };
+            if (this.namespace) {
+                headers["X-Vault-Namespace"] = this.namespace;
+            }
+            const response = await this.httpClient.get(url, { headers });
+            if (response.status === 404) {
+                throw new SecretResolutionError(`Secret "${secretPath}" not found in Vault`, { provider: this.name, ref });
+            }
+            if (response.status === 403) {
+                throw new SecretResolutionError(`Access denied to secret "${secretPath}". Check Vault policies.`, { provider: this.name, ref });
+            }
+            if (response.status !== 200) {
+                throw new SecretResolutionError(`Vault returned status ${response.status} for secret "${secretPath}"`, { provider: this.name, ref });
+            }
+            // Parse response based on KV version
+            const data = response.data;
+            let secretData;
+            if (this.kvVersion === 2) {
+                // KV v2 wraps data in an extra "data" object
+                const kvData = data?.data;
+                if (!kvData?.data) {
+                    throw new SecretResolutionError(`Invalid KV v2 response structure for secret "${secretPath}"`, { provider: this.name, ref });
+                }
+                secretData = kvData.data;
+            }
+            else {
+                // KV v1 has data directly
+                if (!data?.data || typeof data.data !== "object") {
+                    throw new SecretResolutionError(`Invalid KV v1 response structure for secret "${secretPath}"`, { provider: this.name, ref });
+                }
+                secretData = data.data;
+            }
+            // Cache the secret data
+            this.cache.set(cacheKey, {
+                value: secretData,
+                expires: Date.now() + this.cacheTtlMs,
+            });
+            return this.extractField(secretData, options?.field, ref);
+        }
+        catch (error) {
+            if (error instanceof SecretResolutionError) {
+                throw error;
+            }
+            throw new SecretResolutionError(`Failed to retrieve secret "${secretPath}" from Vault: ${error instanceof Error ? error.message : String(error)}`, { provider: this.name, ref, cause: error });
+        }
+    }
+    /**
+     * Extract a field from the secret data.
+     * If no field is specified, returns the entire data as JSON string.
+     */
+    extractField(secretData, field, ref) {
+        if (!field) {
+            // Return entire secret as JSON if no field specified
+            return JSON.stringify(secretData);
+        }
+        const value = secretData[field];
+        if (value === undefined) {
+            throw new SecretResolutionError(`Field "${field}" not found in secret "${ref}"`, { provider: this.name, ref });
+        }
+        // Convert to string if not already
+        return typeof value === "string" ? value : JSON.stringify(value);
+    }
+    async validate() {
+        // Verify we can authenticate with Vault
+        try {
+            const headers = {
+                "X-Vault-Token": this.token,
+            };
+            if (this.namespace) {
+                headers["X-Vault-Namespace"] = this.namespace;
+            }
+            const response = await this.httpClient.get(`${this.address}/v1/auth/token/lookup-self`, { headers });
+            if (response.status === 403) {
+                throw new Error("Invalid or expired Vault token");
+            }
+            if (response.status !== 200) {
+                throw new Error(`Vault authentication check failed with status ${response.status}`);
+            }
+        }
+        catch (error) {
+            if (error instanceof Error && error.message.includes("Vault")) {
+                throw error;
+            }
+            throw new Error(`Failed to connect to Vault at ${this.address}: ${error instanceof Error ? error.message : String(error)}`);
+        }
+    }
+    /**
+     * Clear the cache. Useful for testing or forced refresh.
+     */
+    clearCache() {
+        this.cache.clear();
+    }
+}
+//# sourceMappingURL=vault.js.map

package/dist/secrets/providers/vault.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"vault.js","sourceRoot":"","sources":["../../../src/secrets/providers/vault.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAGH,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAiDpD,MAAM,OAAO,aAAa;IACf,IAAI,GAAG,OAAO,CAAC;IACP,OAAO,CAAS;IAChB,KAAK,CAAS;IACd,UAAU,CAAkB;IAC5B,SAAS,CAAU;IACnB,SAAS,CAAQ;IACjB,MAAM,CAAS;IAEhC,kCAAkC;IAC1B,KAAK,GAAG,IAAI,GAAG,EAGpB,CAAC;IACa,UAAU,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,YAAY;IAEzD,YAAY,OAA6B;QACvC,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,CAAC,wBAAwB;QAC3E,IAAI,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;QAC3B,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;QACrC,IAAI,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,CAAC;QACnC,IAAI,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,CAAC,CAAC;QACxC,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,EAAE,CAAC;IACrC,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,GAAW,EAAE,OAA8B;QACvD,MAAM,UAAU,GAAG,IAAI,CAAC,MAAM,GAAG,GAAG,CAAC;QACrC,MAAM,OAAO,GAAG,OAAO,EAAE,OAAO,CAAC;QACjC,MAAM,QAAQ,GAAG,GAAG,UAAU,IAAI,OAAO,IAAI,QAAQ,EAAE,CAAC;QAExD,cAAc;QACd,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QACxC,IAAI,MAAM,IAAI,MAAM,CAAC,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;YAC1C,OAAO,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9D,CAAC;QAED,IAAI,CAAC;YACH,oBAAoB;YACpB,IAAI,GAAG,GAAG,GAAG,IAAI,CAAC,OAAO,OAAO,UAAU,EAAE,CAAC;YAC7C,IAAI,IAAI,CAAC,SAAS,KAAK,CAAC,IAAI,OAAO,EAAE,CAAC;gBACpC,GAAG,IAAI,YAAY,OAAO,EAAE,CAAC;YAC/B,CAAC;YAED,gBAAgB;YAChB,MAAM,OAAO,GAA2B;gBACtC,eAAe,EAAE,IAAI,CAAC,KAAK;aAC5B,CAAC;YACF,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;gBACnB,OAAO,CAAC,mBAAmB,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC;YAChD,CAAC;YAED,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,OAAO,EAAE,CAAC,CAAC;YAE7D,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBAC5B,MAAM,IAAI,qBAAqB,CAC7B,WAAW,UAAU,sBAAsB,EAC3C,EAAE,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE,GAAG,EAAE,CAC7B,CAAC;YACJ,CAAC;YAED,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBAC5B,MAAM,IAAI,qBAAqB,CAC7B,4BAA4B,UAAU,0BAA0B,EAChE,EAAE,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE,GAAG,EAAE,CAC7B,CAAC;YACJ,CAAC;YAED,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBAC5B,MAAM,IAAI,qBAAqB,CAC7B,yBAAyB,QAAQ,CAAC,MAAM,gBAAgB,UAAU,GAAG,EACrE,EAAE,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE,GAAG,EAAE,CAC7B,CAAC;YACJ,CAAC;YAED,qCAAqC;YACrC,MAAM,IAAI,GAAG,QAAQ,CAAC,IAErB,CAAC;YAEF,IAAI,UAAmC,CAAC;YAExC,IAAI,IAAI,CAAC,SAAS,KAAK,CAAC,EAAE,CAAC;gBACzB,6CAA6C;gBAC7C,MAAM,MAAM,GAAG,IAAI,EAAE,IAER,CAAC;gBACd,IAAI,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC;oBAClB,MAAM,IAAI,qBAAqB,CAC7B,gDAAgD,UAAU,GAAG,EAC7D,EAAE,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE,GAAG,EAAE,CAC7B,CAAC;gBACJ,CAAC;gBACD,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC;YAC3B,CAAC;iBAAM,CAAC;gBACN,0BAA0B;gBAC1B,IAAI,CAAC,IAAI,EAAE,IAAI,IAAI,OAAO,IAAI,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;oBACjD,MAAM,IAAI,qBAAqB,CAC7B,gDAAgD,UAAU,GAAG,EAC7D,EAAE,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE,GAAG,EAAE,CAC7B,CAAC;gBACJ,CAAC;gBACD,UAAU,GAAG,IAAI,CAAC,IAA+B,CAAC;YACpD,CAAC;YAED,wBAAwB;YACxB,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,EAAE;gBACvB,KAAK,EAAE,UAAU;gBACjB,OAAO,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,UAAU;aACtC,CAAC,CAAC;YAEH,OAAO,IAAI,CAAC,YAAY,CAAC,UAAU,EAAE,OAAO,EAAE,KAAK,EAAE,GAAG,CAAC,CAAC;QAC5D,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,qBAAqB,EAAE,CAAC;gBAC3C,MAAM,KAAK,CAAC;YACd,CAAC;YAED,MAAM,IAAI,qBAAqB,CAC7B,8BAA8B,UAAU,iBACtC,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CACvD,EAAE,EACF,EAAE,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE,GAAG,EAAE,KAAK,EAAE,KAAK,EAAE,CAC3C,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;;OAGG;IACK,YAAY,CAClB,UAAmC,EACnC,KAAyB,EACzB,GAAW;QAEX,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,qDAAqD;YACrD,OAAO,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;QACpC,CAAC;QAED,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC;QAEhC,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;YACxB,MAAM,IAAI,qBAAqB,CAC7B,UAAU,KAAK,0BAA0B,GAAG,GAAG,EAC/C,EAAE,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE,GAAG,EAAE,CAC7B,CAAC;QACJ,CAAC;QAED,mCAAmC;QACnC,OAAO,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;IACnE,CAAC;IAED,KAAK,CAAC,QAAQ;QACZ,wCAAwC;QACxC,IAAI,CAAC;YACH,MAAM,OAAO,GAA2B;gBACtC,eAAe,EAAE,IAAI,CAAC,KAAK;aAC5B,CAAC;YACF,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;gBACnB,OAAO,CAAC,mBAAmB,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC;YAChD,CAAC;YAED,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,CACxC,GAAG,IAAI,CAAC,OAAO,4BAA4B,EAC3C,EAAE,OAAO,EAAE,CACZ,CAAC;YAEF,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBAC5B,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC;YACpD,CAAC;YAED,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBAC5B,MAAM,IAAI,KAAK,CACb,iDAAiD,QAAQ,CAAC,MAAM,EAAE,CACnE,CAAC;YACJ,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,KAAK,IAAI,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;gBAC9D,MAAM,KAAK,CAAC;YACd,CAAC;YACD,MAAM,IAAI,KAAK,CACb,iCAAiC,IAAI,CAAC,OAAO,KAC3C,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CACvD,EAAE,CACH,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;OAEG;IACH,UAAU;QACR,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;IACrB,CAAC;CACF"}

package/dist/secrets/registry.d.ts

@@ -0,0 +1,61 @@
+/**
+ * Secret provider registry for managing multiple secret providers.
+ */
+import type { SecretProvider, SecretRefData } from "./types.js";
+/**
+ * Registry for managing and accessing secret providers.
+ * Supports multiple providers simultaneously (e.g., env + aws + vault).
+ */
+export declare class SecretProviderRegistry {
+    private providers;
+    /**
+     * Register a secret provider.
+     * @param provider - The provider to register
+     * @throws Error if a provider with the same name is already registered
+     */
+    register(provider: SecretProvider): void;
+    /**
+     * Unregister a secret provider by name.
+     * @param name - The provider name to remove
+     * @returns true if the provider was removed, false if it wasn't registered
+     */
+    unregister(name: string): boolean;
+    /**
+     * Get a registered provider by name.
+     * @param name - The provider name
+     * @throws Error if the provider is not registered
+     */
+    get(name: string): SecretProvider;
+    /**
+     * Check if a provider is registered.
+     */
+    has(name: string): boolean;
+    /**
+     * Get all registered provider names.
+     */
+    getProviderNames(): string[];
+    /**
+     * Resolve a secret reference using the appropriate provider.
+     * @param secretRef - The secret reference data
+     * @returns The resolved secret value
+     * @throws SecretResolutionError if resolution fails
+     */
+    resolve(secretRef: SecretRefData): Promise<string>;
+    /**
+     * Resolve multiple secrets, grouped by provider for efficiency.
+     * @param refs - Array of secret reference data
+     * @returns Map of "provider:ref" to resolved value
+     * @throws SecretResolutionError if any resolution fails (fail-fast)
+     */
+    resolveMany(refs: SecretRefData[]): Promise<Map<string, string>>;
+    /**
+     * Validate all registered providers.
+     * @throws Error if any provider validation fails
+     */
+    validateAll(): Promise<void>;
+    /**
+     * Create a unique key for a secret reference (for caching/deduplication).
+     */
+    makeKey(secretRef: SecretRefData): string;
+}
+//# sourceMappingURL=registry.d.ts.map

package/dist/secrets/registry.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"registry.d.ts","sourceRoot":"","sources":["../../src/secrets/registry.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EACV,cAAc,EACd,aAAa,EAEd,MAAM,YAAY,CAAC;AAGpB;;;GAGG;AACH,qBAAa,sBAAsB;IACjC,OAAO,CAAC,SAAS,CAAqC;IAEtD;;;;OAIG;IACH,QAAQ,CAAC,QAAQ,EAAE,cAAc,GAAG,IAAI;IASxC;;;;OAIG;IACH,UAAU,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO;IAIjC;;;;OAIG;IACH,GAAG,CAAC,IAAI,EAAE,MAAM,GAAG,cAAc;IAcjC;;OAEG;IACH,GAAG,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO;IAI1B;;OAEG;IACH,gBAAgB,IAAI,MAAM,EAAE;IAI5B;;;;;OAKG;IACG,OAAO,CAAC,SAAS,EAAE,aAAa,GAAG,OAAO,CAAC,MAAM,CAAC;IAyBxD;;;;;OAKG;IACG,WAAW,CAAC,IAAI,EAAE,aAAa,EAAE,GAAG,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IA6FtE;;;OAGG;IACG,WAAW,IAAI,OAAO,CAAC,IAAI,CAAC;IAgBlC;;OAEG;IACH,OAAO,CAAC,SAAS,EAAE,aAAa,GAAG,MAAM;CAM1C"}

package/dist/secrets/registry.js

@@ -0,0 +1,182 @@
+/**
+ * Secret provider registry for managing multiple secret providers.
+ */
+import { SecretResolutionError } from "./types.js";
+/**
+ * Registry for managing and accessing secret providers.
+ * Supports multiple providers simultaneously (e.g., env + aws + vault).
+ */
+export class SecretProviderRegistry {
+    providers = new Map();
+    /**
+     * Register a secret provider.
+     * @param provider - The provider to register
+     * @throws Error if a provider with the same name is already registered
+     */
+    register(provider) {
+        if (this.providers.has(provider.name)) {
+            throw new Error(`Secret provider "${provider.name}" is already registered`);
+        }
+        this.providers.set(provider.name, provider);
+    }
+    /**
+     * Unregister a secret provider by name.
+     * @param name - The provider name to remove
+     * @returns true if the provider was removed, false if it wasn't registered
+     */
+    unregister(name) {
+        return this.providers.delete(name);
+    }
+    /**
+     * Get a registered provider by name.
+     * @param name - The provider name
+     * @throws Error if the provider is not registered
+     */
+    get(name) {
+        const provider = this.providers.get(name);
+        if (!provider) {
+            const available = [...this.providers.keys()];
+            throw new SecretResolutionError(`Secret provider "${name}" is not configured. Available providers: ${available.length > 0 ? available.join(", ") : "(none)"}`, { provider: name, ref: "" });
+        }
+        return provider;
+    }
+    /**
+     * Check if a provider is registered.
+     */
+    has(name) {
+        return this.providers.has(name);
+    }
+    /**
+     * Get all registered provider names.
+     */
+    getProviderNames() {
+        return [...this.providers.keys()];
+    }
+    /**
+     * Resolve a secret reference using the appropriate provider.
+     * @param secretRef - The secret reference data
+     * @returns The resolved secret value
+     * @throws SecretResolutionError if resolution fails
+     */
+    async resolve(secretRef) {
+        const provider = this.get(secretRef.provider);
+        try {
+            return await provider.resolve(secretRef.ref, {
+                version: secretRef.version,
+                field: secretRef.field,
+            });
+        }
+        catch (error) {
+            if (error instanceof SecretResolutionError) {
+                throw error;
+            }
+            throw new SecretResolutionError(`Failed to resolve secret "${secretRef.provider}:${secretRef.ref}": ${error instanceof Error ? error.message : String(error)}`, {
+                provider: secretRef.provider,
+                ref: secretRef.ref,
+                cause: error,
+            });
+        }
+    }
+    /**
+     * Resolve multiple secrets, grouped by provider for efficiency.
+     * @param refs - Array of secret reference data
+     * @returns Map of "provider:ref" to resolved value
+     * @throws SecretResolutionError if any resolution fails (fail-fast)
+     */
+    async resolveMany(refs) {
+        if (refs.length === 0) {
+            return new Map();
+        }
+        // Group refs by provider
+        const byProvider = new Map();
+        for (const secretRef of refs) {
+            const key = this.makeKey(secretRef);
+            const group = byProvider.get(secretRef.provider) || [];
+            group.push({
+                ref: secretRef.ref,
+                options: {
+                    version: secretRef.version,
+                    field: secretRef.field,
+                },
+                key,
+            });
+            byProvider.set(secretRef.provider, group);
+        }
+        // Resolve each provider's secrets
+        const results = new Map();
+        for (const [providerName, providerRefs] of byProvider) {
+            const provider = this.get(providerName);
+            // Use batch resolution if available, otherwise resolve individually
+            if (provider.resolveMany) {
+                const batchRefs = providerRefs.map((r) => ({
+                    ref: r.ref,
+                    options: r.options,
+                }));
+                try {
+                    const batchResults = await provider.resolveMany(batchRefs);
+                    for (const providerRef of providerRefs) {
+                        const value = batchResults.get(providerRef.ref);
+                        if (value === undefined) {
+                            throw new SecretResolutionError(`Secret "${providerName}:${providerRef.ref}" not found in batch results`, { provider: providerName, ref: providerRef.ref });
+                        }
+                        results.set(providerRef.key, value);
+                    }
+                }
+                catch (error) {
+                    if (error instanceof SecretResolutionError) {
+                        throw error;
+                    }
+                    throw new SecretResolutionError(`Batch resolution failed for provider "${providerName}": ${error instanceof Error ? error.message : String(error)}`, {
+                        provider: providerName,
+                        ref: providerRefs[0]?.ref || "",
+                        cause: error,
+                    });
+                }
+            }
+            else {
+                // Resolve individually (fail-fast on first error)
+                for (const providerRef of providerRefs) {
+                    try {
+                        const value = await provider.resolve(providerRef.ref, providerRef.options);
+                        results.set(providerRef.key, value);
+                    }
+                    catch (error) {
+                        if (error instanceof SecretResolutionError) {
+                            throw error;
+                        }
+                        throw new SecretResolutionError(`Failed to resolve secret "${providerName}:${providerRef.ref}": ${error instanceof Error ? error.message : String(error)}`, { provider: providerName, ref: providerRef.ref, cause: error });
+                    }
+                }
+            }
+        }
+        return results;
+    }
+    /**
+     * Validate all registered providers.
+     * @throws Error if any provider validation fails
+     */
+    async validateAll() {
+        for (const [name, provider] of this.providers) {
+            if (provider.validate) {
+                try {
+                    await provider.validate();
+                }
+                catch (error) {
+                    throw new Error(`Provider "${name}" validation failed: ${error instanceof Error ? error.message : String(error)}`);
+                }
+            }
+        }
+    }
+    /**
+     * Create a unique key for a secret reference (for caching/deduplication).
+     */
+    makeKey(secretRef) {
+        const parts = [secretRef.provider, secretRef.ref];
+        if (secretRef.version)
+            parts.push(`v:${secretRef.version}`);
+        if (secretRef.field)
+            parts.push(`f:${secretRef.field}`);
+        return parts.join(":");
+    }
+}
+//# sourceMappingURL=registry.js.map

package/dist/secrets/registry.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"registry.js","sourceRoot":"","sources":["../../src/secrets/registry.ts"],"names":[],"mappings":"AAAA;;GAEG;AAOH,OAAO,EAAE,qBAAqB,EAAE,MAAM,YAAY,CAAC;AAEnD;;;GAGG;AACH,MAAM,OAAO,sBAAsB;IACzB,SAAS,GAAG,IAAI,GAAG,EAA0B,CAAC;IAEtD;;;;OAIG;IACH,QAAQ,CAAC,QAAwB;QAC/B,IAAI,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YACtC,MAAM,IAAI,KAAK,CACb,oBAAoB,QAAQ,CAAC,IAAI,yBAAyB,CAC3D,CAAC;QACJ,CAAC;QACD,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;IAC9C,CAAC;IAED;;;;OAIG;IACH,UAAU,CAAC,IAAY;QACrB,OAAO,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IACrC,CAAC;IAED;;;;OAIG;IACH,GAAG,CAAC,IAAY;QACd,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QAC1C,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,SAAS,GAAG,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC,CAAC;YAC7C,MAAM,IAAI,qBAAqB,CAC7B,oBAAoB,IAAI,6CACtB,SAAS,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,QAChD,EAAE,EACF,EAAE,QAAQ,EAAE,IAAI,EAAE,GAAG,EAAE,EAAE,EAAE,CAC5B,CAAC;QACJ,CAAC;QACD,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED;;OAEG;IACH,GAAG,CAAC,IAAY;QACd,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAClC,CAAC;IAED;;OAEG;IACH,gBAAgB;QACd,OAAO,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC,CAAC;IACpC,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,OAAO,CAAC,SAAwB;QACpC,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;QAE9C,IAAI,CAAC;YACH,OAAO,MAAM,QAAQ,CAAC,OAAO,CAAC,SAAS,CAAC,GAAG,EAAE;gBAC3C,OAAO,EAAE,SAAS,CAAC,OAAO;gBAC1B,KAAK,EAAE,SAAS,CAAC,KAAK;aACvB,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,qBAAqB,EAAE,CAAC;gBAC3C,MAAM,KAAK,CAAC;YACd,CAAC;YACD,MAAM,IAAI,qBAAqB,CAC7B,6BAA6B,SAAS,CAAC,QAAQ,IAAI,SAAS,CAAC,GAAG,MAC9D,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CACvD,EAAE,EACF;gBACE,QAAQ,EAAE,SAAS,CAAC,QAAQ;gBAC5B,GAAG,EAAE,SAAS,CAAC,GAAG;gBAClB,KAAK,EAAE,KAAK;aACb,CACF,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,WAAW,CAAC,IAAqB;QACrC,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACtB,OAAO,IAAI,GAAG,EAAE,CAAC;QACnB,CAAC;QAED,yBAAyB;QACzB,MAAM,UAAU,GAAG,IAAI,GAAG,EAGvB,CAAC;QAEJ,KAAK,MAAM,SAAS,IAAI,IAAI,EAAE,CAAC;YAC7B,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;YACpC,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,CAAC,SAAS,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;YACvD,KAAK,CAAC,IAAI,CAAC;gBACT,GAAG,EAAE,SAAS,CAAC,GAAG;gBAClB,OAAO,EAAE;oBACP,OAAO,EAAE,SAAS,CAAC,OAAO;oBAC1B,KAAK,EAAE,SAAS,CAAC,KAAK;iBACvB;gBACD,GAAG;aACJ,CAAC,CAAC;YACH,UAAU,CAAC,GAAG,CAAC,SAAS,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;QAC5C,CAAC;QAED,kCAAkC;QAClC,MAAM,OAAO,GAAG,IAAI,GAAG,EAAkB,CAAC;QAE1C,KAAK,MAAM,CAAC,YAAY,EAAE,YAAY,CAAC,IAAI,UAAU,EAAE,CAAC;YACtD,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;YAExC,oEAAoE;YACpE,IAAI,QAAQ,CAAC,WAAW,EAAE,CAAC;gBACzB,MAAM,SAAS,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;oBACzC,GAAG,EAAE,CAAC,CAAC,GAAG;oBACV,OAAO,EAAE,CAAC,CAAC,OAAO;iBACnB,CAAC,CAAC,CAAC;gBAEJ,IAAI,CAAC;oBACH,MAAM,YAAY,GAAG,MAAM,QAAQ,CAAC,WAAW,CAAC,SAAS,CAAC,CAAC;oBAE3D,KAAK,MAAM,WAAW,IAAI,YAAY,EAAE,CAAC;wBACvC,MAAM,KAAK,GAAG,YAAY,CAAC,GAAG,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;wBAChD,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;4BACxB,MAAM,IAAI,qBAAqB,CAC7B,WAAW,YAAY,IAAI,WAAW,CAAC,GAAG,8BAA8B,EACxE,EAAE,QAAQ,EAAE,YAAY,EAAE,GAAG,EAAE,WAAW,CAAC,GAAG,EAAE,CACjD,CAAC;wBACJ,CAAC;wBACD,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;oBACtC,CAAC;gBACH,CAAC;gBAAC,OAAO,KAAK,EAAE,CAAC;oBACf,IAAI,KAAK,YAAY,qBAAqB,EAAE,CAAC;wBAC3C,MAAM,KAAK,CAAC;oBACd,CAAC;oBACD,MAAM,IAAI,qBAAqB,CAC7B,yCAAyC,YAAY,MACnD,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CACvD,EAAE,EACF;wBACE,QAAQ,EAAE,YAAY;wBACtB,GAAG,EAAE,YAAY,CAAC,CAAC,CAAC,EAAE,GAAG,IAAI,EAAE;wBAC/B,KAAK,EAAE,KAAK;qBACb,CACF,CAAC;gBACJ,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,kDAAkD;gBAClD,KAAK,MAAM,WAAW,IAAI,YAAY,EAAE,CAAC;oBACvC,IAAI,CAAC;wBACH,MAAM,KAAK,GAAG,MAAM,QAAQ,CAAC,OAAO,CAClC,WAAW,CAAC,GAAG,EACf,WAAW,CAAC,OAAO,CACpB,CAAC;wBACF,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;oBACtC,CAAC;oBAAC,OAAO,KAAK,EAAE,CAAC;wBACf,IAAI,KAAK,YAAY,qBAAqB,EAAE,CAAC;4BAC3C,MAAM,KAAK,CAAC;wBACd,CAAC;wBACD,MAAM,IAAI,qBAAqB,CAC7B,6BAA6B,YAAY,IAAI,WAAW,CAAC,GAAG,MAC1D,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CACvD,EAAE,EACF,EAAE,QAAQ,EAAE,YAAY,EAAE,GAAG,EAAE,WAAW,CAAC,GAAG,EAAE,KAAK,EAAE,KAAK,EAAE,CAC/D,CAAC;oBACJ,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,WAAW;QACf,KAAK,MAAM,CAAC,IAAI,EAAE,QAAQ,CAAC,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;YAC9C,IAAI,QAAQ,CAAC,QAAQ,EAAE,CAAC;gBACtB,IAAI,CAAC;oBACH,MAAM,QAAQ,CAAC,QAAQ,EAAE,CAAC;gBAC5B,CAAC;gBAAC,OAAO,KAAK,EAAE,CAAC;oBACf,MAAM,IAAI,KAAK,CACb,aAAa,IAAI,wBACf,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CACvD,EAAE,CACH,CAAC;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED;;OAEG;IACH,OAAO,CAAC,SAAwB;QAC9B,MAAM,KAAK,GAAG,CAAC,SAAS,CAAC,QAAQ,EAAE,SAAS,CAAC,GAAG,CAAC,CAAC;QAClD,IAAI,SAAS,CAAC,OAAO;YAAE,KAAK,CAAC,IAAI,CAAC,KAAK,SAAS,CAAC,OAAO,EAAE,CAAC,CAAC;QAC5D,IAAI,SAAS,CAAC,KAAK;YAAE,KAAK,CAAC,IAAI,CAAC,KAAK,SAAS,CAAC,KAAK,EAAE,CAAC,CAAC;QACxD,OAAO,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACzB,CAAC;CACF"}

package/dist/secrets/resolver.d.ts

@@ -0,0 +1,40 @@
+/**
+ * Secret resolution utilities for test plans.
+ */
+import { TestPlanV1 } from "griffin/types";
+import type { SecretProviderRegistry } from "./registry.js";
+import type { SecretRefData } from "./types.js";
+/**
+ * Collected secret references from a plan.
+ */
+interface CollectedSecrets {
+    /** All unique secret references found */
+    refs: SecretRefData[];
+    /** Paths where secrets were found (for substitution) */
+    paths: Array<{
+        path: (string | number)[];
+        secretRef: SecretRefData;
+    }>;
+}
+/**
+ * Collect all secret references from a test plan.
+ * Scans endpoint headers and bodies for $secret markers.
+ */
+export declare function collectSecretsFromPlan(plan: TestPlanV1): CollectedSecrets;
+/**
+ * Resolve all secrets in a plan and return a new plan with substituted values.
+ * The original plan is not modified.
+ *
+ * @param plan - The test plan containing secret references
+ * @param registry - The secret provider registry
+ * @returns A new plan with all secrets resolved to their values
+ * @throws SecretResolutionError if any secret cannot be resolved (fail-fast)
+ */
+export declare function resolveSecretsInPlan(plan: TestPlanV1, registry: SecretProviderRegistry): Promise<TestPlanV1>;
+/**
+ * Check if a plan contains any secret references.
+ * Useful for short-circuiting resolution when no secrets are present.
+ */
+export declare function planHasSecrets(plan: TestPlanV1): boolean;
+export {};
+//# sourceMappingURL=resolver.d.ts.map

package/dist/secrets/resolver.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"resolver.d.ts","sourceRoot":"","sources":["../../src/secrets/resolver.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,UAAU,EAAQ,MAAM,eAAe,CAAC;AAEjD,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,eAAe,CAAC;AAC5D,OAAO,KAAK,EAAa,aAAa,EAAE,MAAM,YAAY,CAAC;AAG3D;;GAEG;AACH,UAAU,gBAAgB;IACxB,yCAAyC;IACzC,IAAI,EAAE,aAAa,EAAE,CAAC;IACtB,wDAAwD;IACxD,KAAK,EAAE,KAAK,CAAC;QACX,IAAI,EAAE,CAAC,MAAM,GAAG,MAAM,CAAC,EAAE,CAAC;QAC1B,SAAS,EAAE,aAAa,CAAC;KAC1B,CAAC,CAAC;CACJ;AAwCD;;;GAGG;AACH,wBAAgB,sBAAsB,CAAC,IAAI,EAAE,UAAU,GAAG,gBAAgB,CAmDzE;AAsCD;;;;;;;;GAQG;AACH,wBAAsB,oBAAoB,CACxC,IAAI,EAAE,UAAU,EAChB,QAAQ,EAAE,sBAAsB,GAC/B,OAAO,CAAC,UAAU,CAAC,CA+BrB;AAED;;;GAGG;AACH,wBAAgB,cAAc,CAAC,IAAI,EAAE,UAAU,GAAG,OAAO,CAsBxD"}

package/dist/secrets/resolver.js

@@ -0,0 +1,178 @@
+/**
+ * Secret resolution utilities for test plans.
+ */
+import { NodeType } from "griffin/schema";
+import { isSecretRef } from "./types.js";
+/**
+ * Recursively collect all secret references from a value.
+ * @param value - The value to scan
+ * @param currentPath - Current path in the object tree
+ * @param collected - Accumulator for found secrets
+ */
+function collectSecretsFromValue(value, currentPath, collected) {
+    if (value === null || value === undefined) {
+        return;
+    }
+    if (isSecretRef(value)) {
+        collected.refs.push(value.$secret);
+        collected.paths.push({
+            path: [...currentPath],
+            secretRef: value.$secret,
+        });
+        return;
+    }
+    if (Array.isArray(value)) {
+        for (let i = 0; i < value.length; i++) {
+            collectSecretsFromValue(value[i], [...currentPath, i], collected);
+        }
+        return;
+    }
+    if (typeof value === "object") {
+        for (const [key, val] of Object.entries(value)) {
+            collectSecretsFromValue(val, [...currentPath, key], collected);
+        }
+    }
+}
+/**
+ * Collect all secret references from a test plan.
+ * Scans endpoint headers and bodies for $secret markers.
+ */
+export function collectSecretsFromPlan(plan) {
+    const collected = {
+        refs: [],
+        paths: [],
+    };
+    for (let nodeIndex = 0; nodeIndex < plan.nodes.length; nodeIndex++) {
+        const node = plan.nodes[nodeIndex];
+        // Only endpoints can have secrets (in headers and body)
+        if (node.type !== NodeType.ENDPOINT) {
+            continue;
+        }
+        //const endpoint = node;
+        // Scan headers
+        if (node.headers) {
+            for (const [headerKey, headerValue] of Object.entries(node.headers)) {
+                collectSecretsFromValue(headerValue, ["nodes", nodeIndex, "headers", headerKey], collected);
+            }
+        }
+        // Scan body
+        if (node.body !== undefined) {
+            collectSecretsFromValue(node.body, ["nodes", nodeIndex, "body"], collected);
+        }
+    }
+    // Deduplicate refs by creating a unique key
+    const seen = new Set();
+    const uniqueRefs = [];
+    for (const ref of collected.refs) {
+        const key = `${ref.provider}:${ref.ref}:${ref.version || ""}:${ref.field || ""}`;
+        if (!seen.has(key)) {
+            seen.add(key);
+            uniqueRefs.push(ref);
+        }
+    }
+    collected.refs = uniqueRefs;
+    return collected;
+}
+/**
+ * Set a value at a path in an object.
+ * Creates intermediate objects/arrays as needed.
+ */
+function setAtPath(obj, path, value) {
+    if (path.length === 0) {
+        return;
+    }
+    let current = obj;
+    for (let i = 0; i < path.length - 1; i++) {
+        const key = path[i];
+        if (current[key] === undefined) {
+            // Create intermediate object or array based on next key type
+            current[key] = typeof path[i + 1] === "number" ? [] : {};
+        }
+        current = current[key];
+    }
+    current[path[path.length - 1]] = value;
+}
+/**
+ * Deep clone a value.
+ */
+function deepClone(value) {
+    if (value === null || value === undefined) {
+        return value;
+    }
+    return JSON.parse(JSON.stringify(value));
+}
+/**
+ * Resolve all secrets in a plan and return a new plan with substituted values.
+ * The original plan is not modified.
+ *
+ * @param plan - The test plan containing secret references
+ * @param registry - The secret provider registry
+ * @returns A new plan with all secrets resolved to their values
+ * @throws SecretResolutionError if any secret cannot be resolved (fail-fast)
+ */
+export async function resolveSecretsInPlan(plan, registry) {
+    // Collect all secret references
+    const collected = collectSecretsFromPlan(plan);
+    if (collected.refs.length === 0) {
+        // No secrets to resolve
+        return plan;
+    }
+    // Resolve all secrets (fail-fast on any error)
+    const resolved = await registry.resolveMany(collected.refs);
+    // Clone the plan for modification
+    const resolvedPlan = deepClone(plan);
+    // Substitute resolved values at each path
+    for (const { path, secretRef } of collected.paths) {
+        const key = registry.makeKey(secretRef);
+        const value = resolved.get(key);
+        if (value === undefined) {
+            // This shouldn't happen if resolveMany worked correctly
+            throw new Error(`Internal error: resolved value not found for secret "${secretRef.provider}:${secretRef.ref}"`);
+        }
+        setAtPath(resolvedPlan, path, value);
+    }
+    return resolvedPlan;
+}
+/**
+ * Check if a plan contains any secret references.
+ * Useful for short-circuiting resolution when no secrets are present.
+ */
+export function planHasSecrets(plan) {
+    for (const node of plan.nodes) {
+        if (node.type !== NodeType.ENDPOINT) {
+            continue;
+        }
+        // Check headers
+        if (node.headers) {
+            for (const headerValue of Object.values(node.headers)) {
+                if (isSecretRef(headerValue)) {
+                    return true;
+                }
+            }
+        }
+        // Check body (recursive check)
+        if (node.body !== undefined && containsSecretRef(node.body)) {
+            return true;
+        }
+    }
+    return false;
+}
+/**
+ * Recursively check if a value contains any secret references.
+ */
+function containsSecretRef(value) {
+    if (value === null || value === undefined) {
+        return false;
+    }
+    if (isSecretRef(value)) {
+        return true;
+    }
+    if (Array.isArray(value)) {
+        return value.some(containsSecretRef);
+    }
+    if (typeof value === "object") {
+        return Object.values(value).some(containsSecretRef);
+    }
+    return false;
+}
+//# sourceMappingURL=resolver.js.map

package/dist/secrets/resolver.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"resolver.js","sourceRoot":"","sources":["../../src/secrets/resolver.ts"],"names":[],"mappings":"AAAA;;GAEG;AAGH,OAAO,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AAG1C,OAAO,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAezC;;;;;GAKG;AACH,SAAS,uBAAuB,CAC9B,KAAc,EACd,WAAgC,EAChC,SAA2B;IAE3B,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;QAC1C,OAAO;IACT,CAAC;IAED,IAAI,WAAW,CAAC,KAAK,CAAC,EAAE,CAAC;QACvB,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QACnC,SAAS,CAAC,KAAK,CAAC,IAAI,CAAC;YACnB,IAAI,EAAE,CAAC,GAAG,WAAW,CAAC;YACtB,SAAS,EAAE,KAAK,CAAC,OAAO;SACzB,CAAC,CAAC;QACH,OAAO;IACT,CAAC;IAED,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACzB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,uBAAuB,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,WAAW,EAAE,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC;QACpE,CAAC;QACD,OAAO;IACT,CAAC;IAED,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,KAAK,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;YAC/C,uBAAuB,CAAC,GAAG,EAAE,CAAC,GAAG,WAAW,EAAE,GAAG,CAAC,EAAE,SAAS,CAAC,CAAC;QACjE,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,sBAAsB,CAAC,IAAgB;IACrD,MAAM,SAAS,GAAqB;QAClC,IAAI,EAAE,EAAE;QACR,KAAK,EAAE,EAAE;KACV,CAAC;IAEF,KAAK,IAAI,SAAS,GAAG,CAAC,EAAE,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,SAAS,EAAE,EAAE,CAAC;QACnE,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;QAEnC,wDAAwD;QACxD,IAAI,IAAI,CAAC,IAAI,KAAK,QAAQ,CAAC,QAAQ,EAAE,CAAC;YACpC,SAAS;QACX,CAAC;QAED,wBAAwB;QAExB,eAAe;QACf,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YACjB,KAAK,MAAM,CAAC,SAAS,EAAE,WAAW,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;gBACpE,uBAAuB,CACrB,WAAW,EACX,CAAC,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,SAAS,CAAC,EAC1C,SAAS,CACV,CAAC;YACJ,CAAC;QACH,CAAC;QAED,YAAY;QACZ,IAAI,IAAI,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;YAC5B,uBAAuB,CACrB,IAAI,CAAC,IAAI,EACT,CAAC,OAAO,EAAE,SAAS,EAAE,MAAM,CAAC,EAC5B,SAAS,CACV,CAAC;QACJ,CAAC;IACH,CAAC;IAED,4CAA4C;IAC5C,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAC/B,MAAM,UAAU,GAAoB,EAAE,CAAC;IAEvC,KAAK,MAAM,GAAG,IAAI,SAAS,CAAC,IAAI,EAAE,CAAC;QACjC,MAAM,GAAG,GAAG,GAAG,GAAG,CAAC,QAAQ,IAAI,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,OAAO,IAAI,EAAE,IAAI,GAAG,CAAC,KAAK,IAAI,EAAE,EAAE,CAAC;QACjF,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;YACnB,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YACd,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACvB,CAAC;IACH,CAAC;IAED,SAAS,CAAC,IAAI,GAAG,UAAU,CAAC;IAC5B,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;;GAGG;AACH,SAAS,SAAS,CAChB,GAAY,EACZ,IAAyB,EACzB,KAAc;IAEd,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtB,OAAO;IACT,CAAC;IAED,IAAI,OAAO,GAAQ,GAAG,CAAC;IACvB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QACzC,MAAM,GAAG,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;QACpB,IAAI,OAAO,CAAC,GAAG,CAAC,KAAK,SAAS,EAAE,CAAC;YAC/B,6DAA6D;YAC7D,OAAO,CAAC,GAAG,CAAC,GAAG,OAAO,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC3D,CAAC;QACD,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC;IACzB,CAAC;IAED,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,GAAG,KAAK,CAAC;AACzC,CAAC;AAED;;GAEG;AACH,SAAS,SAAS,CAAI,KAAQ;IAC5B,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;QAC1C,OAAO,KAAK,CAAC;IACf,CAAC;IACD,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC;AAC3C,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,IAAgB,EAChB,QAAgC;IAEhC,gCAAgC;IAChC,MAAM,SAAS,GAAG,sBAAsB,CAAC,IAAI,CAAC,CAAC;IAE/C,IAAI,SAAS,CAAC,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAChC,wBAAwB;QACxB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,+CAA+C;IAC/C,MAAM,QAAQ,GAAG,MAAM,QAAQ,CAAC,WAAW,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;IAE5D,kCAAkC;IAClC,MAAM,YAAY,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC;IAErC,0CAA0C;IAC1C,KAAK,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,SAAS,CAAC,KAAK,EAAE,CAAC;QAClD,MAAM,GAAG,GAAG,QAAQ,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QACxC,MAAM,KAAK,GAAG,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAEhC,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;YACxB,wDAAwD;YACxD,MAAM,IAAI,KAAK,CACb,wDAAwD,SAAS,CAAC,QAAQ,IAAI,SAAS,CAAC,GAAG,GAAG,CAC/F,CAAC;QACJ,CAAC;QAED,SAAS,CAAC,YAAY,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC;IACvC,CAAC;IAED,OAAO,YAAY,CAAC;AACtB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,cAAc,CAAC,IAAgB;IAC7C,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;QAC9B,IAAI,IAAI,CAAC,IAAI,KAAK,QAAQ,CAAC,QAAQ,EAAE,CAAC;YACpC,SAAS;QACX,CAAC;QAED,gBAAgB;QAChB,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YACjB,KAAK,MAAM,WAAW,IAAI,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;gBACtD,IAAI,WAAW,CAAC,WAAW,CAAC,EAAE,CAAC;oBAC7B,OAAO,IAAI,CAAC;gBACd,CAAC;YACH,CAAC;QACH,CAAC;QAED,+BAA+B;QAC/B,IAAI,IAAI,CAAC,IAAI,KAAK,SAAS,IAAI,iBAAiB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YAC5D,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;GAEG;AACH,SAAS,iBAAiB,CAAC,KAAc;IACvC,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;QAC1C,OAAO,KAAK,CAAC;IACf,CAAC;IAED,IAAI,WAAW,CAAC,KAAK,CAAC,EAAE,CAAC;QACvB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACzB,OAAO,KAAK,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;IACvC,CAAC;IAED,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,OAAO,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;IACtD,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC"}

package/dist/secrets/secrets.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=secrets.test.d.ts.map

package/dist/secrets/secrets.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"secrets.test.d.ts","sourceRoot":"","sources":["../../src/secrets/secrets.test.ts"],"names":[],"mappings":""}