@gugananuvem/aws-local-simulator 1.0.15 → 1.0.16

package/src/services/secret-manager/index.js

@@ -1,80 +1,80 @@
-'use strict';
-
-/**
- * @fileoverview Secrets Manager Service
- * Porta padrão: 4001
- */
-
-const http = require('http');
-const path = require('path');
-const { SecretManagerSimulator } = require('./simulator');
-const { SecretManagerServer } = require('./server');
-const LocalStore = require('../../utils/local-store');
-
-class SecretManagerService {
-  constructor(config) {
-    this.config = config;
-    this.logger = require('../../utils/logger');
-    this.name = 'secret-manager';
-    this.port = config?.ports?.secretManager || config?.services?.secretManager?.port || 4001;
-    this.store = null;
-    this.simulator = null;
-    this.httpServer = null;
-    this.isRunning = false;
-  }
-
-  async initialize() {
-    this.logger.debug(`Inicializando Secrets Manager Service na porta ${this.port}...`);
-    const dataDir = process.env.AWS_LOCAL_SIMULATOR_DATA_DIR;
-    this.store = new LocalStore(path.join(dataDir, 'secret-manager'));
-    this.simulator = new SecretManagerSimulator(this.store, this.logger, this.config);
-    await this.simulator.initialize();
-    this.app = new SecretManagerServer(this.simulator, this.logger, this.config).getApp();
-    this.logger.debug('Secrets Manager Service inicializado');
-  }
-
-  injectDependencies(server) {
-    const ct = server.getService('cloudtrail');
-    if (ct?.simulator) this.simulator.audit.setTrail(ct.simulator);
-  }
-
-  async start() {
-    if (this.isRunning) return;
-    return new Promise((resolve, reject) => {
-      this.httpServer = http.createServer(this.app);
-      this.httpServer.listen(this.port, () => {
-        this.isRunning = true;
-        this.logger.debug(`Secrets Manager rodando na porta ${this.port}`);
-        resolve();
-      });
-      this.httpServer.on('error', reject);
-    });
-  }
-
-  async stop() {
-    if (!this.isRunning || !this.httpServer) return;
-    return new Promise((resolve) => {
-      this.httpServer.close(() => {
-        this.isRunning = false;
-        resolve();
-      });
-    });
-  }
-
-  async reset() {
-    await this.simulator.reset();
-  }
-
-  getStatus() {
-    return {
-      running: this.isRunning,
-      port: this.port,
-      endpoint: `http://localhost:${this.port}`,
-      secrets: this.simulator?.secrets.size || 0,
-    };
-  }
-
-  getSimulator() { return this.simulator; }
-}
-
-module.exports = { SecretManagerService };
+'use strict';
+
+/**
+ * @fileoverview Secrets Manager Service
+ * Porta padrão: 4001
+ */
+
+const http = require('http');
+const path = require('path');
+const { SecretManagerSimulator } = require('./simulator');
+const { SecretManagerServer } = require('./server');
+const LocalStore = require('../../utils/local-store');
+
+class SecretManagerService {
+  constructor(config) {
+    this.config = config;
+    this.logger = require('../../utils/logger');
+    this.name = 'secret-manager';
+    this.port = config?.ports?.secretManager || config?.services?.secretManager?.port || 4001;
+    this.store = null;
+    this.simulator = null;
+    this.httpServer = null;
+    this.isRunning = false;
+  }
+
+  async initialize() {
+    this.logger.debug(`Inicializando Secrets Manager Service na porta ${this.port}...`);
+    const dataDir = process.env.AWS_LOCAL_SIMULATOR_DATA_DIR;
+    this.store = new LocalStore(path.join(dataDir, 'secret-manager'));
+    this.simulator = new SecretManagerSimulator(this.store, this.logger, this.config);
+    await this.simulator.initialize();
+    this.app = new SecretManagerServer(this.simulator, this.logger, this.config).getApp();
+    this.logger.debug('Secrets Manager Service inicializado');
+  }
+
+  injectDependencies(server) {
+    const ct = server.getService('cloudtrail');
+    if (ct?.simulator) this.simulator.audit.setTrail(ct.simulator);
+  }
+
+  async start() {
+    if (this.isRunning) return;
+    return new Promise((resolve, reject) => {
+      this.httpServer = http.createServer(this.app);
+      this.httpServer.listen(this.port, () => {
+        this.isRunning = true;
+        this.logger.debug(`Secrets Manager rodando na porta ${this.port}`);
+        resolve();
+      });
+      this.httpServer.on('error', reject);
+    });
+  }
+
+  async stop() {
+    if (!this.isRunning || !this.httpServer) return;
+    return new Promise((resolve) => {
+      this.httpServer.close(() => {
+        this.isRunning = false;
+        resolve();
+      });
+    });
+  }
+
+  async reset() {
+    await this.simulator.reset();
+  }
+
+  getStatus() {
+    return {
+      running: this.isRunning,
+      port: this.port,
+      endpoint: `http://localhost:${this.port}`,
+      secrets: this.simulator?.secrets.size || 0,
+    };
+  }
+
+  getSimulator() { return this.simulator; }
+}
+
+module.exports = { SecretManagerService };

package/src/services/secret-manager/server.js

@@ -1,50 +1,50 @@
-'use strict';
-
-const express = require('express');
-const cors = require('cors');
-
-class SecretManagerServer {
-  constructor(simulator, logger, config) {
-    this.simulator = simulator; this.logger = logger; this.config = config;
-    this.app = express();
-    this._setupMiddleware(); this._setupRoutes();
-  }
-  _setupMiddleware() {
-    if (this.config.cors?.enabled !== false) this.app.use(cors({ origin: this.config.cors?.origin || '*' }));
-    this.app.use(express.json({ limit: '5mb', type: ['application/json', 'application/x-amz-json-1.1'] }));
-  }
-  _getOperation(target) {
-    const map = {
-      'secretsmanager.CreateSecret': 'createSecret',
-      'secretsmanager.GetSecretValue': 'getSecretValue',
-      'secretsmanager.PutSecretValue': 'putSecretValue',
-      'secretsmanager.UpdateSecret': 'updateSecret',
-      'secretsmanager.DeleteSecret': 'deleteSecret',
-      'secretsmanager.RestoreSecret': 'restoreSecret',
-      'secretsmanager.ListSecrets': 'listSecrets',
-      'secretsmanager.DescribeSecret': 'describeSecret',
-      'secretsmanager.RotateSecret': 'rotateSecret',
-      'secretsmanager.TagResource': 'tagResource',
-      'secretsmanager.UntagResource': 'untagResource',
-    };
-    return map[target];
-  }
-  _setupRoutes() {
-    this.app.get('/__admin/health', (req, res) => res.json({ status: 'healthy', service: 'secret-manager', timestamp: new Date().toISOString() }));
-    this.app.post('/', async (req, res) => {
-      const target = req.headers['x-amz-target'];
-      const operation = this._getOperation(target);
-      if (!operation) return res.status(400).json({ __type: 'UnknownOperationException', message: `Unknown: ${target}` });
-      try {
-        const result = await this.simulator[operation](req.body || {});
-        res.json(result || {});
-      } catch (err) {
-        this.logger.error(`SecretsManager ${target}: ${err.message}`, 'secret-manager');
-        res.status(err.code === 'ResourceNotFoundException' ? 404 : 400).json({ __type: err.code || 'InternalServiceError', Message: err.message });
-      }
-    });
-  }
-  getApp() { return this.app; }
-}
-
-module.exports = { SecretManagerServer };
+'use strict';
+
+const express = require('express');
+const cors = require('cors');
+
+class SecretManagerServer {
+  constructor(simulator, logger, config) {
+    this.simulator = simulator; this.logger = logger; this.config = config;
+    this.app = express();
+    this._setupMiddleware(); this._setupRoutes();
+  }
+  _setupMiddleware() {
+    if (this.config.cors?.enabled !== false) this.app.use(cors({ origin: this.config.cors?.origin || '*' }));
+    this.app.use(express.json({ limit: '5mb', type: ['application/json', 'application/x-amz-json-1.1'] }));
+  }
+  _getOperation(target) {
+    const map = {
+      'secretsmanager.CreateSecret': 'createSecret',
+      'secretsmanager.GetSecretValue': 'getSecretValue',
+      'secretsmanager.PutSecretValue': 'putSecretValue',
+      'secretsmanager.UpdateSecret': 'updateSecret',
+      'secretsmanager.DeleteSecret': 'deleteSecret',
+      'secretsmanager.RestoreSecret': 'restoreSecret',
+      'secretsmanager.ListSecrets': 'listSecrets',
+      'secretsmanager.DescribeSecret': 'describeSecret',
+      'secretsmanager.RotateSecret': 'rotateSecret',
+      'secretsmanager.TagResource': 'tagResource',
+      'secretsmanager.UntagResource': 'untagResource',
+    };
+    return map[target];
+  }
+  _setupRoutes() {
+    this.app.get('/__admin/health', (req, res) => res.json({ status: 'healthy', service: 'secret-manager', timestamp: new Date().toISOString() }));
+    this.app.post('/', async (req, res) => {
+      const target = req.headers['x-amz-target'];
+      const operation = this._getOperation(target);
+      if (!operation) return res.status(400).json({ __type: 'UnknownOperationException', message: `Unknown: ${target}` });
+      try {
+        const result = await this.simulator[operation](req.body || {});
+        res.json(result || {});
+      } catch (err) {
+        this.logger.error(`SecretsManager ${target}: ${err.message}`, 'secret-manager');
+        res.status(err.code === 'ResourceNotFoundException' ? 404 : 400).json({ __type: err.code || 'InternalServiceError', Message: err.message });
+      }
+    });
+  }
+  getApp() { return this.app; }
+}
+
+module.exports = { SecretManagerServer };

package/src/services/secret-manager/simulator.js

@@ -1,171 +1,171 @@
-'use strict';
-
-const crypto = require('crypto');
-const { v4: uuidv4 } = require('uuid');
-const { CloudTrailAudit } = require('../../utils/cloudtrail-audit');
-
-/**
- * Secrets Manager Simulator
- */
-class SecretManagerSimulator {
-  constructor(store, logger, config) {
-    this.store = store; this.logger = logger; this.config = config;
-    this.secrets = new Map();
-    this.audit = new CloudTrailAudit('secretsmanager.amazonaws.com');
-  }
-
-  async initialize() {
-    try {
-      const secrets = await this.store.read('secret-manager/secrets');
-      if (Array.isArray(secrets)) for (const s of secrets) this.secrets.set(s.Name, s);
-      this.logger.info('SecretsManager: dados carregados', 'secret-manager');
-    } catch { this.logger.debug('SecretsManager: sem dados anteriores', 'secret-manager'); }
-  }
-
-  async _persist() { await this.store.write('secret-manager/secrets', null, Array.from(this.secrets.values())); }
-
-  _requireSecret(id) {
-    const s = this.secrets.get(id) || Array.from(this.secrets.values()).find(s => s.ARN === id);
-    if (!s) { const err = new Error(`Secret not found: ${id}`); err.code = 'ResourceNotFoundException'; throw err; }
-    return s;
-  }
-
-  async createSecret(params) {
-    const { Name, SecretString, SecretBinary, Description, Tags = [], KmsKeyId } = params;
-    if (this.secrets.has(Name)) { const err = new Error(`Secret already exists: ${Name}`); err.code = 'ResourceExistsException'; throw err; }
-    const secretId = uuidv4();
-    const secret = {
-      ARN: `arn:aws:secretsmanager:local:000000000000:secret:${Name}-${secretId.slice(0, 6)}`,
-      Name, Description: Description || '', Tags,
-      KmsKeyId: KmsKeyId || 'aws/secretsmanager',
-      CreatedDate: new Date().toISOString(),
-      LastChangedDate: new Date().toISOString(),
-      LastAccessedDate: null,
-      RotationEnabled: false,
-      VersionsToStages: { [secretId]: ['AWSCURRENT'] },
-      _versions: { [secretId]: { SecretString, SecretBinary, CreatedDate: new Date().toISOString() } }
-    };
-    this.secrets.set(Name, secret);
-    await this._persist();
-    this.logger.info(`SecretsManager: secret criado: ${Name}`, 'secret-manager');
-    this.audit.record({ eventName: 'CreateSecret', readOnly: false, resources: [{ ARN: secret.ARN, type: 'AWS::SecretsManager::Secret' }], requestParameters: { name: Name } });
-    return { ARN: secret.ARN, Name, VersionId: secretId };
-  }
-
-  async getSecretValue(params) {
-    const { SecretId, VersionId, VersionStage = 'AWSCURRENT' } = params;
-    const secret = this._requireSecret(SecretId);
-    secret.LastAccessedDate = new Date().toISOString();
-    let versionId = VersionId;
-    if (!versionId) {
-      versionId = Object.entries(secret.VersionsToStages).find(([, stages]) => stages.includes(VersionStage))?.[0];
-    }
-    const version = versionId ? secret._versions[versionId] : null;
-    if (!version) { const err = new Error('Secret version not found'); err.code = 'ResourceNotFoundException'; throw err; }
-    this.audit.record({ eventName: 'GetSecretValue', readOnly: true, isDataEvent: true, resources: [{ ARN: secret.ARN, type: 'AWS::SecretsManager::Secret' }], requestParameters: { secretId: SecretId } });
-    return {
-      ARN: secret.ARN, Name: secret.Name, VersionId: versionId,
-      SecretString: version.SecretString, SecretBinary: version.SecretBinary,
-      VersionStages: secret.VersionsToStages[versionId] || [],
-      CreatedDate: version.CreatedDate
-    };
-  }
-
-  async putSecretValue(params) {
-    const { SecretId, SecretString, SecretBinary, VersionStages = ['AWSCURRENT'] } = params;
-    const secret = this._requireSecret(SecretId);
-    const versionId = uuidv4();
-    // Move AWSCURRENT to AWSPREVIOUS
-    for (const [vid, stages] of Object.entries(secret.VersionsToStages)) {
-      if (stages.includes('AWSCURRENT')) {
-        secret.VersionsToStages[vid] = stages.filter(s => s !== 'AWSCURRENT').concat(['AWSPREVIOUS']);
-      }
-    }
-    secret._versions[versionId] = { SecretString, SecretBinary, CreatedDate: new Date().toISOString() };
-    secret.VersionsToStages[versionId] = VersionStages;
-    secret.LastChangedDate = new Date().toISOString();
-    await this._persist();
-    return { ARN: secret.ARN, Name: secret.Name, VersionId: versionId, VersionStages };
-  }
-
-  async updateSecret(params) {
-    const { SecretId, SecretString, SecretBinary, Description, KmsKeyId } = params;
-    const secret = this._requireSecret(SecretId);
-    if (Description !== undefined) secret.Description = Description;
-    if (KmsKeyId !== undefined) secret.KmsKeyId = KmsKeyId;
-    if (SecretString !== undefined || SecretBinary !== undefined) {
-      return this.putSecretValue({ SecretId, SecretString, SecretBinary });
-    }
-    await this._persist();
-    return { ARN: secret.ARN, Name: secret.Name };
-  }
-
-  async deleteSecret(params) {
-    const { SecretId, RecoveryWindowInDays = 30, ForceDeleteWithoutRecovery } = params;
-    const secret = this._requireSecret(SecretId);
-    const deletionDate = ForceDeleteWithoutRecovery ? new Date().toISOString() : new Date(Date.now() + RecoveryWindowInDays * 86400000).toISOString();
-    secret.DeletedDate = new Date().toISOString();
-    secret.DeletionDate = deletionDate;
-    if (ForceDeleteWithoutRecovery) this.secrets.delete(secret.Name);
-    await this._persist();
-    this.audit.record({ eventName: 'DeleteSecret', readOnly: false, resources: [{ ARN: secret.ARN, type: 'AWS::SecretsManager::Secret' }], requestParameters: { secretId: SecretId } });
-    return { ARN: secret.ARN, Name: secret.Name, DeletionDate: deletionDate };
-  }
-
-  async restoreSecret(params) {
-    const secret = this._requireSecret(params.SecretId);
-    delete secret.DeletedDate; delete secret.DeletionDate;
-    await this._persist();
-    return { ARN: secret.ARN, Name: secret.Name };
-  }
-
-  async listSecrets(params) {
-    const { MaxResults = 100, NextToken, Filters = [] } = params || {};
-    let secrets = Array.from(this.secrets.values());
-    for (const filter of Filters) {
-      if (filter.Key === 'name') secrets = secrets.filter(s => filter.Values.some(v => s.Name.includes(v)));
-    }
-    let startIdx = 0;
-    if (NextToken) startIdx = parseInt(NextToken);
-    const slice = secrets.slice(startIdx, startIdx + MaxResults);
-    return {
-      SecretList: slice.map(s => ({ ARN: s.ARN, Name: s.Name, Description: s.Description, CreatedDate: s.CreatedDate, LastChangedDate: s.LastChangedDate, Tags: s.Tags })),
-      NextToken: secrets.length > startIdx + MaxResults ? String(startIdx + MaxResults) : undefined
-    };
-  }
-
-  async describeSecret(params) {
-    const secret = this._requireSecret(params.SecretId);
-    const { _versions, ...clean } = secret;
-    return clean;
-  }
-
-  async rotateSecret(params) {
-    const { SecretId, RotationLambdaARN, RotationRules } = params;
-    const secret = this._requireSecret(SecretId);
-    secret.RotationEnabled = true;
-    secret.RotationLambdaARN = RotationLambdaARN;
-    secret.RotationRules = RotationRules;
-    secret.LastRotatedDate = new Date().toISOString();
-    await this._persist();
-    return { ARN: secret.ARN, Name: secret.Name };
-  }
-
-  async tagResource(params) {
-    const { SecretId, Tags } = params;
-    const secret = this._requireSecret(SecretId);
-    for (const tag of Tags) { const existing = secret.Tags.findIndex(t => t.Key === tag.Key); if (existing >= 0) secret.Tags[existing] = tag; else secret.Tags.push(tag); }
-    await this._persist(); return {};
-  }
-
-  async untagResource(params) {
-    const { SecretId, TagKeys } = params;
-    const secret = this._requireSecret(SecretId);
-    secret.Tags = secret.Tags.filter(t => !TagKeys.includes(t.Key));
-    await this._persist(); return {};
-  }
-
-  async reset() { this.secrets.clear(); await this.store.clear('secret-manager'); }
-}
-
-module.exports = { SecretManagerSimulator };
+'use strict';
+
+const crypto = require('crypto');
+const { v4: uuidv4 } = require('uuid');
+const { CloudTrailAudit } = require('../../utils/cloudtrail-audit');
+
+/**
+ * Secrets Manager Simulator
+ */
+class SecretManagerSimulator {
+  constructor(store, logger, config) {
+    this.store = store; this.logger = logger; this.config = config;
+    this.secrets = new Map();
+    this.audit = new CloudTrailAudit('secretsmanager.amazonaws.com');
+  }
+
+  async initialize() {
+    try {
+      const secrets = await this.store.read('secret-manager/secrets');
+      if (Array.isArray(secrets)) for (const s of secrets) this.secrets.set(s.Name, s);
+      this.logger.info('SecretsManager: dados carregados', 'secret-manager');
+    } catch { this.logger.debug('SecretsManager: sem dados anteriores', 'secret-manager'); }
+  }
+
+  async _persist() { await this.store.write('secret-manager/secrets', null, Array.from(this.secrets.values())); }
+
+  _requireSecret(id) {
+    const s = this.secrets.get(id) || Array.from(this.secrets.values()).find(s => s.ARN === id);
+    if (!s) { const err = new Error(`Secret not found: ${id}`); err.code = 'ResourceNotFoundException'; throw err; }
+    return s;
+  }
+
+  async createSecret(params) {
+    const { Name, SecretString, SecretBinary, Description, Tags = [], KmsKeyId } = params;
+    if (this.secrets.has(Name)) { const err = new Error(`Secret already exists: ${Name}`); err.code = 'ResourceExistsException'; throw err; }
+    const secretId = uuidv4();
+    const secret = {
+      ARN: `arn:aws:secretsmanager:local:000000000000:secret:${Name}-${secretId.slice(0, 6)}`,
+      Name, Description: Description || '', Tags,
+      KmsKeyId: KmsKeyId || 'aws/secretsmanager',
+      CreatedDate: new Date().toISOString(),
+      LastChangedDate: new Date().toISOString(),
+      LastAccessedDate: null,
+      RotationEnabled: false,
+      VersionsToStages: { [secretId]: ['AWSCURRENT'] },
+      _versions: { [secretId]: { SecretString, SecretBinary, CreatedDate: new Date().toISOString() } }
+    };
+    this.secrets.set(Name, secret);
+    await this._persist();
+    this.logger.info(`SecretsManager: secret criado: ${Name}`, 'secret-manager');
+    this.audit.record({ eventName: 'CreateSecret', readOnly: false, resources: [{ ARN: secret.ARN, type: 'AWS::SecretsManager::Secret' }], requestParameters: { name: Name } });
+    return { ARN: secret.ARN, Name, VersionId: secretId };
+  }
+
+  async getSecretValue(params) {
+    const { SecretId, VersionId, VersionStage = 'AWSCURRENT' } = params;
+    const secret = this._requireSecret(SecretId);
+    secret.LastAccessedDate = new Date().toISOString();
+    let versionId = VersionId;
+    if (!versionId) {
+      versionId = Object.entries(secret.VersionsToStages).find(([, stages]) => stages.includes(VersionStage))?.[0];
+    }
+    const version = versionId ? secret._versions[versionId] : null;
+    if (!version) { const err = new Error('Secret version not found'); err.code = 'ResourceNotFoundException'; throw err; }
+    this.audit.record({ eventName: 'GetSecretValue', readOnly: true, isDataEvent: true, resources: [{ ARN: secret.ARN, type: 'AWS::SecretsManager::Secret' }], requestParameters: { secretId: SecretId } });
+    return {
+      ARN: secret.ARN, Name: secret.Name, VersionId: versionId,
+      SecretString: version.SecretString, SecretBinary: version.SecretBinary,
+      VersionStages: secret.VersionsToStages[versionId] || [],
+      CreatedDate: version.CreatedDate
+    };
+  }
+
+  async putSecretValue(params) {
+    const { SecretId, SecretString, SecretBinary, VersionStages = ['AWSCURRENT'] } = params;
+    const secret = this._requireSecret(SecretId);
+    const versionId = uuidv4();
+    // Move AWSCURRENT to AWSPREVIOUS
+    for (const [vid, stages] of Object.entries(secret.VersionsToStages)) {
+      if (stages.includes('AWSCURRENT')) {
+        secret.VersionsToStages[vid] = stages.filter(s => s !== 'AWSCURRENT').concat(['AWSPREVIOUS']);
+      }
+    }
+    secret._versions[versionId] = { SecretString, SecretBinary, CreatedDate: new Date().toISOString() };
+    secret.VersionsToStages[versionId] = VersionStages;
+    secret.LastChangedDate = new Date().toISOString();
+    await this._persist();
+    return { ARN: secret.ARN, Name: secret.Name, VersionId: versionId, VersionStages };
+  }
+
+  async updateSecret(params) {
+    const { SecretId, SecretString, SecretBinary, Description, KmsKeyId } = params;
+    const secret = this._requireSecret(SecretId);
+    if (Description !== undefined) secret.Description = Description;
+    if (KmsKeyId !== undefined) secret.KmsKeyId = KmsKeyId;
+    if (SecretString !== undefined || SecretBinary !== undefined) {
+      return this.putSecretValue({ SecretId, SecretString, SecretBinary });
+    }
+    await this._persist();
+    return { ARN: secret.ARN, Name: secret.Name };
+  }
+
+  async deleteSecret(params) {
+    const { SecretId, RecoveryWindowInDays = 30, ForceDeleteWithoutRecovery } = params;
+    const secret = this._requireSecret(SecretId);
+    const deletionDate = ForceDeleteWithoutRecovery ? new Date().toISOString() : new Date(Date.now() + RecoveryWindowInDays * 86400000).toISOString();
+    secret.DeletedDate = new Date().toISOString();
+    secret.DeletionDate = deletionDate;
+    if (ForceDeleteWithoutRecovery) this.secrets.delete(secret.Name);
+    await this._persist();
+    this.audit.record({ eventName: 'DeleteSecret', readOnly: false, resources: [{ ARN: secret.ARN, type: 'AWS::SecretsManager::Secret' }], requestParameters: { secretId: SecretId } });
+    return { ARN: secret.ARN, Name: secret.Name, DeletionDate: deletionDate };
+  }
+
+  async restoreSecret(params) {
+    const secret = this._requireSecret(params.SecretId);
+    delete secret.DeletedDate; delete secret.DeletionDate;
+    await this._persist();
+    return { ARN: secret.ARN, Name: secret.Name };
+  }
+
+  async listSecrets(params) {
+    const { MaxResults = 100, NextToken, Filters = [] } = params || {};
+    let secrets = Array.from(this.secrets.values());
+    for (const filter of Filters) {
+      if (filter.Key === 'name') secrets = secrets.filter(s => filter.Values.some(v => s.Name.includes(v)));
+    }
+    let startIdx = 0;
+    if (NextToken) startIdx = parseInt(NextToken);
+    const slice = secrets.slice(startIdx, startIdx + MaxResults);
+    return {
+      SecretList: slice.map(s => ({ ARN: s.ARN, Name: s.Name, Description: s.Description, CreatedDate: s.CreatedDate, LastChangedDate: s.LastChangedDate, Tags: s.Tags })),
+      NextToken: secrets.length > startIdx + MaxResults ? String(startIdx + MaxResults) : undefined
+    };
+  }
+
+  async describeSecret(params) {
+    const secret = this._requireSecret(params.SecretId);
+    const { _versions, ...clean } = secret;
+    return clean;
+  }
+
+  async rotateSecret(params) {
+    const { SecretId, RotationLambdaARN, RotationRules } = params;
+    const secret = this._requireSecret(SecretId);
+    secret.RotationEnabled = true;
+    secret.RotationLambdaARN = RotationLambdaARN;
+    secret.RotationRules = RotationRules;
+    secret.LastRotatedDate = new Date().toISOString();
+    await this._persist();
+    return { ARN: secret.ARN, Name: secret.Name };
+  }
+
+  async tagResource(params) {
+    const { SecretId, Tags } = params;
+    const secret = this._requireSecret(SecretId);
+    for (const tag of Tags) { const existing = secret.Tags.findIndex(t => t.Key === tag.Key); if (existing >= 0) secret.Tags[existing] = tag; else secret.Tags.push(tag); }
+    await this._persist(); return {};
+  }
+
+  async untagResource(params) {
+    const { SecretId, TagKeys } = params;
+    const secret = this._requireSecret(SecretId);
+    secret.Tags = secret.Tags.filter(t => !TagKeys.includes(t.Key));
+    await this._persist(); return {};
+  }
+
+  async reset() { this.secrets.clear(); await this.store.clear('secret-manager'); }
+}
+
+module.exports = { SecretManagerSimulator };