@griffin-app/griffin-plan-executor 0.1.13 → 0.1.15

package/src/secrets/registry.ts

@@ -1,5 +1,5 @@
 /**
- * Secret provider registry for managing multiple secret providers.
+ * Secret provider registry for managing the configured secret provider.
  */
 
 import type {
@@ -10,79 +10,34 @@ import type {
 import { SecretResolutionError } from "./types.js";
 
 /**
- * Registry for managing and accessing secret providers.
- * Supports multiple providers simultaneously (e.g., env + aws + vault).
+ * Registry for the single configured secret provider.
  */
 export class SecretProviderRegistry {
-  private providers = new Map<string, SecretProvider>();
+  private provider: SecretProvider | null = null;
 
   /**
-   * Register a secret provider.
-   * @param provider - The provider to register
-   * @throws Error if a provider with the same name is already registered
+   * Set the secret provider.
+   * @param provider - The provider to use for resolution
    */
-  register(provider: SecretProvider): void {
-    if (this.providers.has(provider.name)) {
-      throw new Error(
-        `Secret provider "${provider.name}" is already registered`,
-      );
-    }
-    this.providers.set(provider.name, provider);
+  setProvider(provider: SecretProvider): void {
+    this.provider = provider;
   }
 
   /**
-   * Unregister a secret provider by name.
-   * @param name - The provider name to remove
-   * @returns true if the provider was removed, false if it wasn't registered
-   */
-  unregister(name: string): boolean {
-    return this.providers.delete(name);
-  }
-
-  /**
-   * Get a registered provider by name.
-   * @param name - The provider name
-   * @throws Error if the provider is not registered
-   */
-  get(name: string): SecretProvider {
-    const provider = this.providers.get(name);
-    if (!provider) {
-      const available = [...this.providers.keys()];
-      throw new SecretResolutionError(
-        `Secret provider "${name}" is not configured. Available providers: ${
-          available.length > 0 ? available.join(", ") : "(none)"
-        }`,
-        { provider: name, ref: "" },
-      );
-    }
-    return provider;
-  }
-
-  /**
-   * Check if a provider is registered.
-   */
-  has(name: string): boolean {
-    return this.providers.has(name);
-  }
-
-  /**
-   * Get all registered provider names.
-   */
-  getProviderNames(): string[] {
-    return [...this.providers.keys()];
-  }
-
-  /**
-   * Resolve a secret reference using the appropriate provider.
+   * Resolve a secret reference using the configured provider.
    * @param secretRef - The secret reference data
    * @returns The resolved secret value
    * @throws SecretResolutionError if resolution fails
    */
   async resolve(secretRef: SecretRefData): Promise<string> {
-    const provider = this.get(secretRef.provider);
+    if (!this.provider) {
+      throw new SecretResolutionError("No secret provider configured", {
+        ref: secretRef.ref,
+      });
+    }
 
     try {
-      return await provider.resolve(secretRef.ref, {
+      return await this.provider.resolve(secretRef.ref, {
         version: secretRef.version,
         field: secretRef.field,
       });
@@ -91,11 +46,10 @@ export class SecretProviderRegistry {
         throw error;
       }
       throw new SecretResolutionError(
-        `Failed to resolve secret "${secretRef.provider}:${secretRef.ref}": ${
+        `Failed to resolve secret "${secretRef.ref}": ${
           error instanceof Error ? error.message : String(error)
         }`,
         {
-          provider: secretRef.provider,
           ref: secretRef.ref,
           cause: error,
         },
@@ -104,9 +58,9 @@ export class SecretProviderRegistry {
   }
 
   /**
-   * Resolve multiple secrets, grouped by provider for efficiency.
+   * Resolve multiple secrets using the configured provider.
    * @param refs - Array of secret reference data
-   * @returns Map of "provider:ref" to resolved value
+   * @returns Map of key to resolved value
    * @throws SecretResolutionError if any resolution fails (fail-fast)
    */
   async resolveMany(refs: SecretRefData[]): Promise<Map<string, string>> {
@@ -114,88 +68,69 @@ export class SecretProviderRegistry {
       return new Map();
     }
 
-    // Group refs by provider
-    const byProvider = new Map<
-      string,
-      Array<{ ref: string; options?: SecretResolveOptions; key: string }>
-    >();
-
-    for (const secretRef of refs) {
-      const key = this.makeKey(secretRef);
-      const group = byProvider.get(secretRef.provider) || [];
-      group.push({
-        ref: secretRef.ref,
-        options: {
-          version: secretRef.version,
-          field: secretRef.field,
-        },
-        key,
+    if (!this.provider) {
+      throw new SecretResolutionError("No secret provider configured", {
+        ref: refs[0].ref,
       });
-      byProvider.set(secretRef.provider, group);
     }
 
-    // Resolve each provider's secrets
     const results = new Map<string, string>();
 
-    for (const [providerName, providerRefs] of byProvider) {
-      const provider = this.get(providerName);
-
-      // Use batch resolution if available, otherwise resolve individually
-      if (provider.resolveMany) {
-        const batchRefs = providerRefs.map((r) => ({
-          ref: r.ref,
-          options: r.options,
-        }));
+    if (this.provider.resolveMany) {
+      const batchRefs = refs.map((r) => ({
+        ref: r.ref,
+        options: {
+          version: r.version,
+          field: r.field,
+        } as SecretResolveOptions,
+      }));
 
-        try {
-          const batchResults = await provider.resolveMany(batchRefs);
+      try {
+        const batchResults = await this.provider.resolveMany(batchRefs);
 
-          for (const providerRef of providerRefs) {
-            const value = batchResults.get(providerRef.ref);
-            if (value === undefined) {
-              throw new SecretResolutionError(
-                `Secret "${providerName}:${providerRef.ref}" not found in batch results`,
-                { provider: providerName, ref: providerRef.ref },
-              );
-            }
-            results.set(providerRef.key, value);
+        for (const secretRef of refs) {
+          const value = batchResults.get(secretRef.ref);
+          if (value === undefined) {
+            throw new SecretResolutionError(
+              `Secret "${secretRef.ref}" not found in batch results`,
+              { ref: secretRef.ref },
+            );
           }
+          results.set(this.makeKey(secretRef), value);
+        }
+      } catch (error) {
+        if (error instanceof SecretResolutionError) {
+          throw error;
+        }
+        throw new SecretResolutionError(
+          `Batch resolution failed: ${
+            error instanceof Error ? error.message : String(error)
+          }`,
+          {
+            ref: refs[0].ref,
+            cause: error,
+          },
+        );
+      }
+    } else {
+      for (const secretRef of refs) {
+        try {
+          const value = await this.provider.resolve(secretRef.ref, {
+            version: secretRef.version,
+            field: secretRef.field,
+          });
+          results.set(this.makeKey(secretRef), value);
         } catch (error) {
           if (error instanceof SecretResolutionError) {
             throw error;
           }
           throw new SecretResolutionError(
-            `Batch resolution failed for provider "${providerName}": ${
+            `Failed to resolve secret "${secretRef.ref}": ${
               error instanceof Error ? error.message : String(error)
             }`,
-            {
-              provider: providerName,
-              ref: providerRefs[0]?.ref || "",
-              cause: error,
-            },
+            { ref: secretRef.ref, cause: error },
           );
         }
-      } else {
-        // Resolve individually (fail-fast on first error)
-        for (const providerRef of providerRefs) {
-          try {
-            const value = await provider.resolve(
-              providerRef.ref,
-              providerRef.options,
-            );
-            results.set(providerRef.key, value);
-          } catch (error) {
-            if (error instanceof SecretResolutionError) {
-              throw error;
-            }
-            throw new SecretResolutionError(
-              `Failed to resolve secret "${providerName}:${providerRef.ref}": ${
-                error instanceof Error ? error.message : String(error)
-              }`,
-              { provider: providerName, ref: providerRef.ref, cause: error },
-            );
-          }
-        }
       }
     }
 
@@ -203,21 +138,19 @@ export class SecretProviderRegistry {
   }
 
   /**
-   * Validate all registered providers.
-   * @throws Error if any provider validation fails
+   * Validate the configured provider.
+   * @throws Error if provider validation fails
    */
   async validateAll(): Promise<void> {
-    for (const [name, provider] of this.providers) {
-      if (provider.validate) {
-        try {
-          await provider.validate();
-        } catch (error) {
-          throw new Error(
-            `Provider "${name}" validation failed: ${
-              error instanceof Error ? error.message : String(error)
-            }`,
-          );
-        }
+    if (this.provider?.validate) {
+      try {
+        await this.provider.validate();
+      } catch (error) {
+        throw new Error(
+          `Provider validation failed: ${
+            error instanceof Error ? error.message : String(error)
+          }`,
+        );
       }
     }
   }
@@ -226,7 +159,7 @@ export class SecretProviderRegistry {
    * Create a unique key for a secret reference (for caching/deduplication).
    */
   makeKey(secretRef: SecretRefData): string {
-    const parts = [secretRef.provider, secretRef.ref];
+    const parts = [secretRef.ref];
     if (secretRef.version) parts.push(`v:${secretRef.version}`);
     if (secretRef.field) parts.push(`f:${secretRef.field}`);
     return parts.join(":");

package/src/secrets/resolver.ts

@@ -1,13 +1,13 @@
 /**
- * Secret resolution utilities for test plans.
+ * Secret resolution utilities for test monitors.
  */
-import { type PlanV1 } from "@griffin-app/griffin-hub-sdk";
+import { type MonitorV1 } from "@griffin-app/griffin-hub-sdk";
 import type { SecretProviderRegistry } from "./registry.js";
 import type { SecretRef, SecretRefData } from "./types.js";
 import { isSecretRef, isStringLiteral } from "./types.js";
 
 /**
- * Collected secret references and literals from a plan.
+ * Collected secret references and literals from a monitor.
  */
 interface CollectedSecrets {
   /** All unique secret references found */
@@ -71,18 +71,20 @@ function collectSecretsFromValue(
 }
 
 /**
- * Collect all secret references and string literals from a test plan.
+ * Collect all secret references and string literals from a test monitor.
  * Scans endpoint headers and bodies for $secret markers and $literal wrappers.
  */
-export function collectSecretsFromPlan(plan: PlanV1): CollectedSecrets {
+export function collectSecretsFromMonitor(
+  monitor: MonitorV1,
+): CollectedSecrets {
   const collected: CollectedSecrets = {
     refs: [],
     paths: [],
     literalPaths: [],
   };
 
-  for (let nodeIndex = 0; nodeIndex < plan.nodes.length; nodeIndex++) {
-    const node = plan.nodes[nodeIndex];
+  for (let nodeIndex = 0; nodeIndex < monitor.nodes.length; nodeIndex++) {
+    const node = monitor.nodes[nodeIndex];
 
     // Only endpoints can have secrets (in headers and body)
     if (node.type !== "HTTP_REQUEST") {
@@ -117,7 +119,7 @@ export function collectSecretsFromPlan(plan: PlanV1): CollectedSecrets {
   const uniqueRefs: SecretRefData[] = [];
 
   for (const ref of collected.refs) {
-    const key = `${ref.provider}:${ref.ref}:${ref.version || ""}:${ref.field || ""}`;
+    const key = `${ref.ref}:${ref.version || ""}:${ref.field || ""}`;
     if (!seen.has(key)) {
       seen.add(key);
       uniqueRefs.push(ref);
@@ -165,24 +167,24 @@ function deepClone<T>(value: T): T {
 }
 
 /**
- * Resolve all secrets and unwrap string literals in a plan and return a new plan with substituted values.
- * The original plan is not modified.
+ * Resolve all secrets and unwrap string literals in a monitor and return a new monitor with substituted values.
+ * The original monitor is not modified.
  *
- * @param plan - The test plan containing secret references and string literals
+ * @param monitor - The test monitor containing secret references and string literals
  * @param registry - The secret provider registry
- * @returns A new plan with all secrets resolved to their values and literals unwrapped
+ * @returns A new monitor with all secrets resolved to their values and literals unwrapped
  * @throws SecretResolutionError if any secret cannot be resolved (fail-fast)
  */
-export async function resolveSecretsInPlan(
-  plan: PlanV1,
+export async function resolveSecretsInMonitor(
+  monitor: MonitorV1,
   registry: SecretProviderRegistry,
-): Promise<PlanV1> {
+): Promise<MonitorV1> {
   // Collect all secret references and string literals
-  const collected = collectSecretsFromPlan(plan);
+  const collected = collectSecretsFromMonitor(monitor);
 
   if (collected.refs.length === 0 && collected.literalPaths.length === 0) {
     // No secrets or literals to resolve
-    return plan;
+    return monitor;
   }
 
   // Resolve all secrets (fail-fast on any error)
@@ -191,8 +193,8 @@ export async function resolveSecretsInPlan(
       ? await registry.resolveMany(collected.refs)
       : new Map();
 
-  // Clone the plan for modification
-  const resolvedPlan = deepClone(plan);
+  // Clone the monitor for modification
+  const resolvedMonitor = deepClone(monitor);
 
   // Substitute resolved secret values at each path
   for (const { path, secretRef } of collected.paths) {
@@ -202,27 +204,27 @@ export async function resolveSecretsInPlan(
     if (value === undefined) {
       // This shouldn't happen if resolveMany worked correctly
       throw new Error(
-        `Internal error: resolved value not found for secret "${secretRef.provider}:${secretRef.ref}"`,
+        `Internal error: resolved value not found for secret "${secretRef.ref}"`,
       );
     }
 
-    setAtPath(resolvedPlan, path, value);
+    setAtPath(resolvedMonitor, path, value);
   }
 
   // Unwrap string literals at each path
   for (const { path, value } of collected.literalPaths) {
-    setAtPath(resolvedPlan, path, value);
+    setAtPath(resolvedMonitor, path, value);
   }
 
-  return resolvedPlan;
+  return resolvedMonitor;
 }
 
 /**
- * Check if a plan contains any secret references or string literals that need resolution.
+ * Check if a monitor contains any secret references or string literals that need resolution.
  * Useful for short-circuiting resolution when no secrets or literals are present.
  */
-export function planHasSecrets(plan: PlanV1): boolean {
-  for (const node of plan.nodes) {
+export function planHasSecrets(monitor: MonitorV1): boolean {
+  for (const node of monitor.nodes) {
     if (node.type !== "HTTP_REQUEST") {
       continue;
     }