@http-forge/core 0.3.2 → 0.4.0

package/dist/infrastructure/config/config.interface.d.ts

@@ -110,6 +110,36 @@ export interface ProxyConfig {
     /** List of hosts to bypass proxy */
     bypass?: string[];
 }
+/**
+ * Cloud secret provider configuration (used in SecretsConfig.providers)
+ */
+export interface SecretProviderEntry {
+    /** Provider type */
+    provider: 'aws' | 'azure' | 'gcp' | 'vault' | '1password' | 'doppler';
+    /** AWS region (aws only) */
+    region?: string;
+    /** Azure Key Vault URL (azure only) */
+    vaultUrl?: string;
+    /** GCP project ID (gcp only) */
+    projectId?: string;
+    /** Vault server address (vault only) */
+    address?: string;
+    /** Vault mount path (vault only, default "secret") */
+    mountPath?: string;
+    /** Vault namespace (vault only, Enterprise/HCP) */
+    namespace?: string;
+    /** 1Password vault name (1password only) */
+    vault?: string;
+    /** Doppler service token (doppler only; falls back to DOPPLER_TOKEN env var) */
+    serviceToken?: string;
+}
+/**
+ * Top-level secrets block in http-forge.config.json
+ * Configures named cloud secret providers for {{secret:alias/path}} tokens.
+ */
+export interface SecretsConfig {
+    providers: Record<string, SecretProviderEntry>;
+}
 /**
  * Main HTTP Forge configuration (http-forge.config.json)
  */
@@ -132,6 +162,8 @@ export interface HttpForgeConfig {
     mcp?: McpConfig;
     /** Proxy configuration (optional) */
     proxy?: ProxyConfig | null;
+    /** Cloud secret provider configuration (optional) */
+    secrets?: SecretsConfig;
 }
 /**
  * Configuration service interface

package/dist/infrastructure/environment/environment-config-service.d.ts

@@ -5,13 +5,14 @@
  * VS Code's workspaceState/globalState.
  */
 import type { IEnvironmentConfigService, ImportedEnvironment, LocalConfig, ResolvedEnvironment, SharedConfig } from '../../types/environment-config';
-import { IFileWatcherFactory, IKeyValueStore } from '../../types/platform';
+import { IFileWatcherFactory, IKeyValueStore, ISecretStore } from '../../types/platform';
 import { IConfigService } from '../config';
 export declare class EnvironmentConfigService implements IEnvironmentConfigService {
     private workspaceFolder;
     private workspaceStore;
     private configService;
     private fileWatcherFactory?;
+    private secretStore?;
     private environmentsPath;
     private sharedConfigPath;
     private localConfigPath;
@@ -27,12 +28,14 @@ export declare class EnvironmentConfigService implements IEnvironmentConfigServi
      */
     private localGlobalValues;
     private localEnvironmentValues;
+    /** In-memory cache of secret values fetched from SecretStorage — keyed by envName */
+    private secretValuesCache;
     /**
      * Callback invoked when environment files change on disk.
      * Set by the extension host to refresh tree views and panels.
      */
     onEnvironmentsChanged?: () => void;
-    constructor(workspaceFolder: string, workspaceStore: IKeyValueStore, configService: IConfigService, fileWatcherFactory?: IFileWatcherFactory | undefined);
+    constructor(workspaceFolder: string, workspaceStore: IKeyValueStore, configService: IConfigService, fileWatcherFactory?: IFileWatcherFactory | undefined, secretStore?: ISecretStore | undefined);
     private setupFileWatcher;
     dispose(): void;
     getWorkspaceFolder(): string;
@@ -83,6 +86,27 @@ export declare class EnvironmentConfigService implements IEnvironmentConfigServi
     /** @deprecated Use getEnvironmentVariableLocal instead */
     hasSessionVariable(key: string): boolean;
     getResolvedEnvironment(envName?: string): ResolvedEnvironment | null;
+    /**
+     * Retrieve a secret variable value from SecretStorage.
+     * Returns undefined when no SecretStorage is available (e.g. CLI context).
+     */
+    getSecretVariable(envName: string, key: string): Promise<string | undefined>;
+    /**
+     * Store a secret variable value in SecretStorage.
+     * No-op when no SecretStorage is available (e.g. CLI context).
+     */
+    setSecretVariable(envName: string, key: string, value: string): Promise<void>;
+    /**
+     * Delete a secret variable from SecretStorage.
+     * No-op when no SecretStorage is available (e.g. CLI context).
+     */
+    deleteSecretVariable(envName: string, key: string): Promise<void>;
+    /**
+     * Pre-load all secret values for an environment into the in-memory cache.
+     * Call this when switching environments or on extension activation so that
+     * the synchronous getResolvedEnvironment() always has secret values available.
+     */
+    loadSecretVariables(envName?: string): Promise<void>;
     resolveVariables(input: string, envName?: string): string;
     exportEnvironmentsToFolder(outDir: string, mergeGlobals?: boolean): void;
     resolveVariablesWithExtra(input: string, extraVariables: Record<string, string>, envName?: string): string;

package/dist/infrastructure/environment/environment-file-loader.d.ts

@@ -28,6 +28,11 @@ export interface EnvironmentEntry {
     description?: string;
     requiresConfirmation?: boolean;
     variables: Record<string, string>;
+    /**
+     * Names of variables whose values are stored in SecretStorage, not in the JSON file.
+     * These names are persisted in the JSON; the values are never written to disk.
+     */
+    secretVariables?: string[];
 }
 /**
  * Determine whether a filename is a system/meta file (not an environment file).

package/dist/infrastructure/execution/request-preparer.d.ts

@@ -15,6 +15,7 @@ import { ExecutionRequest, PreparedRequest } from '../../types/types';
 import { IOAuth2TokenManager } from '../auth/interfaces';
 import { IHttpRequestService } from '../http/interfaces';
 import { IRequestPreprocessor } from '../http/request-preprocessor';
+import { SecretResolverRegistry } from '../secrets/secret-resolver-registry';
 import { IRequestPreparer } from './request-preparer-interfaces';
 /**
  * RequestPreparer implementation
@@ -28,7 +29,8 @@ export declare class RequestPreparer implements IRequestPreparer {
     private readonly preprocessor;
     private readonly tokenManager?;
     private readonly appInfo?;
-    constructor(envConfigService: IEnvironmentConfigService, httpService: IHttpRequestService, preprocessor: IRequestPreprocessor, tokenManager?: IOAuth2TokenManager | undefined, appInfo?: IApplicationInfo | undefined);
+    private readonly secretRegistry?;
+    constructor(envConfigService: IEnvironmentConfigService, httpService: IHttpRequestService, preprocessor: IRequestPreprocessor, tokenManager?: IOAuth2TokenManager | undefined, appInfo?: IApplicationInfo | undefined, secretRegistry?: SecretResolverRegistry | undefined);
     prepareRequest(input: ExecutionRequest, environment: string, resolvedEnv: ResolvedEnvironment, extraVariables?: Record<string, string>): Promise<PreparedRequest>;
     private applyOAuth2;
     private applyApiKey;

package/dist/infrastructure/secrets/aws-secret-resolver.d.ts

@@ -0,0 +1,18 @@
+/**
+ * AWS Secrets Manager resolver
+ *
+ * Uses the AWS SDK v3 credential chain — no credentials are stored in HTTP Forge config.
+ * Order: env vars → ~/.aws/credentials → IAM instance role → ECS task role
+ *
+ * Token syntax: {{secret:aws/<secretId>}}
+ * e.g.          {{secret:aws/myapp/prod/db-password}}
+ *               {{secret:aws/myapp/prod/api-key#field}}  (JSON secret field)
+ */
+import type { AwsSecretsConfig, ISecretResolver } from '../../types/secret-resolver';
+export declare class AwsSecretResolver implements ISecretResolver {
+    readonly providerName = "aws";
+    private readonly region;
+    private readonly moduleRequire;
+    constructor(config: AwsSecretsConfig, moduleRequire?: (name: string) => any);
+    resolve(path: string): Promise<string | undefined>;
+}

package/dist/infrastructure/secrets/azure-keyvault-resolver.d.ts

@@ -0,0 +1,20 @@
+/**
+ * Azure Key Vault resolver
+ *
+ * Uses DefaultAzureCredential — no credentials stored in HTTP Forge config.
+ * Order: env vars (AZURE_*) → managed identity → Azure CLI login → VS Code login
+ *
+ * Token syntax: {{secret:azure/<secretName>}}
+ * e.g.          {{secret:azure/my-api-key}}
+ *               {{secret:azure/my-api-key/1.0}}  (specific version)
+ *
+ * Config requires vaultUrl, e.g. "https://myvault.vault.azure.net"
+ */
+import type { AzureKeyVaultConfig, ISecretResolver } from '../../types/secret-resolver';
+export declare class AzureKeyVaultResolver implements ISecretResolver {
+    readonly providerName = "azure";
+    private readonly vaultUrl;
+    private readonly moduleRequire;
+    constructor(config: AzureKeyVaultConfig, moduleRequire?: (name: string) => any);
+    resolve(path: string): Promise<string | undefined>;
+}

package/dist/infrastructure/secrets/doppler-resolver.d.ts

@@ -0,0 +1,22 @@
+/**
+ * Doppler secret resolver
+ *
+ * Uses the Doppler REST API — no SDK required, just a service token.
+ * Credentials: DOPPLER_TOKEN env var (or serviceToken in config for per-project override)
+ *
+ * Token syntax: {{secret:doppler/<secretName>}}
+ * e.g.          {{secret:doppler/API_KEY}}
+ *               {{secret:doppler/DATABASE_URL}}
+ *
+ * The Doppler project/config are baked into the service token itself —
+ * no project or config fields needed in http-forge.config.json.
+ *
+ * Prerequisites: none (uses Node.js built-in https)
+ */
+import type { DopplerConfig, ISecretResolver } from '../../types/secret-resolver';
+export declare class DopplerResolver implements ISecretResolver {
+    readonly providerName = "doppler";
+    private readonly token;
+    constructor(config: DopplerConfig);
+    resolve(path: string): Promise<string | undefined>;
+}

package/dist/infrastructure/secrets/gcp-secret-resolver.d.ts

@@ -0,0 +1,21 @@
+/**
+ * Google Cloud Secret Manager resolver
+ *
+ * Uses Application Default Credentials — no credentials stored in HTTP Forge config.
+ * Order: GOOGLE_APPLICATION_CREDENTIALS env var → gcloud CLI login → Workload Identity (GKE)
+ *        → Metadata server (Cloud Run, Compute Engine)
+ *
+ * Token syntax: {{secret:gcp/<secretName>}}
+ *               {{secret:gcp/<secretName>/versions/<version>}}  (specific version, default: latest)
+ *
+ * Config: { "provider": "gcp", "projectId": "my-project" }
+ * projectId falls back to GOOGLE_CLOUD_PROJECT / GCLOUD_PROJECT env vars.
+ */
+import type { GcpSecretsConfig, ISecretResolver } from '../../types/secret-resolver';
+export declare class GcpSecretResolver implements ISecretResolver {
+    readonly providerName = "gcp";
+    private readonly projectId;
+    private readonly moduleRequire;
+    constructor(config: GcpSecretsConfig, moduleRequire?: (name: string) => any);
+    resolve(path: string): Promise<string | undefined>;
+}

package/dist/infrastructure/secrets/hashicorp-vault-resolver.d.ts

@@ -0,0 +1,25 @@
+/**
+ * HashiCorp Vault resolver
+ *
+ * Credentials are NEVER stored in HTTP Forge config.
+ * Authentication uses:
+ *   VAULT_TOKEN     env var (token auth)
+ *   VAULT_ADDR      env var (server address, overrides config)
+ *   VAULT_NAMESPACE env var (Enterprise/HCP namespace, overridden by config.namespace)
+ *
+ * Token syntax: {{secret:vault/<mountPath>/<secretPath>#<field>}}
+ * e.g.          {{secret:vault/secret/myapp/prod#db_password}}
+ *               {{secret:vault/kv/myapp/config#api_key}}
+ *
+ * The path format after the provider prefix: <mount>/<path>#<field>
+ * If no field is specified and the secret has a single key "value", that is returned.
+ */
+import type { HashiCorpVaultConfig, ISecretResolver } from '../../types/secret-resolver';
+export declare class HashiCorpVaultResolver implements ISecretResolver {
+    readonly providerName = "vault";
+    private readonly address;
+    private readonly mountPath;
+    private readonly namespace;
+    constructor(config: HashiCorpVaultConfig);
+    resolve(path: string): Promise<string | undefined>;
+}

package/dist/infrastructure/secrets/onepassword-resolver.d.ts

@@ -0,0 +1,26 @@
+/**
+ * 1Password Connect / Service Account resolver
+ *
+ * Credentials are NEVER stored in HTTP Forge config.
+ * Authentication uses:
+ *   OP_SERVICE_ACCOUNT_TOKEN  env var  (1Password Service Account — recommended for CI)
+ *   OP_CONNECT_TOKEN + OP_CONNECT_HOST env vars  (1Password Connect Server)
+ *
+ * Token syntax: {{secret:1password/<vault>/<item>/<field>}}
+ * e.g.          {{secret:1password/MyVault/MyApp/api_key}}
+ *               {{secret:1password/Shared/prod-db/password}}
+ *
+ * If `vault` is specified in the provider config, the token path may omit it:
+ *   {{secret:1password/<item>/<field>}}
+ *
+ * Uses the 1Password CLI (`op`) via child_process if SDK is unavailable.
+ */
+import type { ISecretResolver, OnePasswordConfig } from '../../types/secret-resolver';
+export declare class OnePasswordResolver implements ISecretResolver {
+    readonly providerName = "1password";
+    private readonly defaultVault;
+    constructor(config: OnePasswordConfig);
+    resolve(path: string): Promise<string | undefined>;
+    private tryResolveSdk;
+    private resolveViaCli;
+}

package/dist/infrastructure/secrets/secret-resolver-registry.d.ts

@@ -0,0 +1,43 @@
+/**
+ * Secret Resolver Registry — Phase 3
+ *
+ * Builds and caches ISecretResolver instances from config, and provides
+ * async pre-resolution of {{secret:provider/path}} tokens in template strings.
+ *
+ * Design:
+ * - Registry is created once at startup from IConfigService
+ * - resolveSecretTokens() is called BEFORE variable interpolation per-request
+ * - Resolved values are injected as extraVariables so the sync VariableResolver
+ *   picks them up transparently
+ * - Results are cached within a single request lifetime to avoid redundant API calls
+ */
+import type { IConfigService } from '../config/config.interface';
+export declare class SecretResolverRegistry {
+    private readonly resolvers;
+    /**
+     * Require function rooted at the user's project (via config `scripts.modulePaths`),
+     * so optional cloud SDKs resolve from the same place users install custom script
+     * modules — not from the extension's own bundle.
+     */
+    private readonly moduleRequire;
+    constructor(configService?: IConfigService);
+    /**
+     * Scan a string (or recursively, any object) for {{secret:alias/path}} tokens
+     * and resolve them all in parallel.
+     *
+     * Returns a flat map of  "secret:alias/path" → plaintext value
+     * suitable for injection as extraVariables into VariableResolver.
+     */
+    resolveSecretTokens(input: any, cache?: Map<string, string>): Promise<Record<string, string>>;
+    /** Whether any providers are configured */
+    get hasProviders(): boolean;
+    private collectTokens;
+    private createResolver;
+    /**
+     * Build a `require` function rooted at the user's project, so optional cloud SDKs
+     * resolve from the same `node_modules` where users install custom script modules
+     * (via config `scripts.modulePaths`). Falls back to the default `require` so the
+     * CLI (which lists SDKs in optionalDependencies) still works without modulePaths.
+     */
+    private buildModuleRequire;
+}

package/dist/infrastructure/security/sensitive-data-redactor.d.ts

@@ -16,6 +16,17 @@ import { FullResultDetails } from '../test-suite/result-storage';
  * Returns a shallow copy with sensitive header values replaced.
  */
 export declare function redactHeaders(headers: Record<string, string | string[]>): Record<string, string | string[]>;
+/**
+ * Redact sensitive values from a cookie array.
+ * Cookies with sensitive names have their values replaced.
+ */
+export declare function redactCookies(cookies?: Array<{
+    name?: string;
+    value?: string;
+}>): Array<{
+    name?: string;
+    value?: string;
+}>;
 /**
  * Redact sensitive query parameters from a URL string.
  * E.g. `?token=abc&name=foo` → `?token=[REDACTED]&name=foo`

package/dist/runtime/direct-execution.d.ts

@@ -0,0 +1,27 @@
+/**
+ * Direct Execution APIs
+ *
+ * Execute requests, collections, and suites without requiring MCP server.
+ * Uses shared execution logic from core executors.
+ *
+ * Used by:
+ * - CLI commands (run-request, run-collection, run-suite)
+ * - Third-party Node apps that want to execute HTTP Forge collections programmatically
+ */
+import type { RunCollectionOptions, RunRequestOptions, RunSuiteOptions } from './runtime-contracts';
+/**
+ * Execute a single request without MCP server overhead.
+ * Returns typed result; never calls process.exit.
+ */
+export declare function runRequest(options: RunRequestOptions): Promise<unknown>;
+/**
+ * Execute a collection without MCP server overhead.
+ * Runs all enabled requests in sequence.
+ * Returns typed result; never calls process.exit.
+ */
+export declare function runCollection(options: RunCollectionOptions): Promise<unknown>;
+/**
+ * Execute a test suite without MCP server overhead.
+ * Returns typed result; never calls process.exit.
+ */
+export declare function runSuite(options: RunSuiteOptions): Promise<unknown>;

package/dist/runtime/mcp-runtime.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Embeddable MCP Runtime
+ *
+ * Factory and lifecycle management for MCP runtime that can be embedded in Node.js apps.
+ * Supports:
+ * - In-process tool execution via executeTool()
+ * - Optional lightweight HTTP endpoint for external callers
+ */
+import type { McpRuntimeHandle, McpRuntimeOptions } from './runtime-contracts';
+/**
+ * Create an embeddable MCP runtime instance.
+ *
+ * The returned handle provides lifecycle control and tool execution.
+ * Multiple instances can coexist with different ports and workspaces.
+ *
+ * @param options Configuration for the runtime
+ * @returns Handle for controlling the runtime
+ */
+export declare function createMcpRuntime(options: McpRuntimeOptions): Promise<McpRuntimeHandle>;

package/dist/runtime/node-adapters.d.ts

@@ -0,0 +1,24 @@
+/**
+ * Node.js Platform Adapters
+ *
+ * Implementations of platform abstractions for Node.js environments.
+ * Used by CLI and external third-party Node apps that don't have VS Code context.
+ */
+import type { IFileWatcher, IFileWatcherFactory, IKeyValueStore, INotificationService } from '../types/platform';
+export declare class NodeFileWatcherFactory implements IFileWatcherFactory {
+    createFileWatcher(base: string, glob: string): IFileWatcher;
+}
+export declare class NodeKeyValueStore implements IKeyValueStore {
+    private data;
+    private storeFile;
+    constructor(storePath: string);
+    private load;
+    private save;
+    get<T>(key: string, defaultValue?: T): T | undefined;
+    update(key: string, value: unknown): Promise<void>;
+}
+export declare class NodeNotificationService implements INotificationService {
+    showInformation(message: string): Promise<string | undefined>;
+    showWarning(message: string): Promise<string | undefined>;
+    showError(message: string): Promise<string | undefined>;
+}

package/dist/runtime/node-bootstrap.d.ts

@@ -0,0 +1,29 @@
+/**
+ * Node.js Bootstrap
+ *
+ * Initialize HTTP Forge core services for Node.js environments (CLI, third-party apps).
+ * Provides a factory that creates initialized service containers with Node-specific adapters.
+ */
+import { ServiceContainer } from '../di/service-container';
+export interface NodeBootstrapOptions {
+    /** Workspace root folder path */
+    workspaceFolder: string;
+    /** Optional application info (name, version) */
+    appInfo?: {
+        name: string;
+        version: string;
+    };
+}
+/**
+ * Bootstrap HTTP Forge core services for Node.js environment.
+ * Creates and initializes a service container with Node-native platform adapters.
+ *
+ * @param options Bootstrap configuration
+ * @returns Initialized service container ready for use
+ */
+export declare function bootstrapNodeRuntime(options: NodeBootstrapOptions): ServiceContainer;
+/**
+ * Create and initialize service container for CLI or direct API use.
+ * This is a convenience wrapper that combines bootstrap and returns the container.
+ */
+export declare function createNodeContainer(workspaceFolder: string): ServiceContainer;

package/dist/runtime/runtime-contracts.d.ts

@@ -0,0 +1,125 @@
+/**
+ * HTTP Forge Runtime Contracts
+ *
+ * Public API surface for embeddable MCP runtime and direct execution.
+ * Used by CLI, third-party Node apps, and external integrations.
+ *
+ * Three consumption modes:
+ * 1. Embeddable MCP: createMcpRuntime() + lifecycle handle
+ * 2. Direct execution: runRequest/runCollection/runSuite without MCP
+ * 3. CLI: subcommands that use modes 1 and 2
+ */
+/**
+ * Configuration for creating an embeddable MCP runtime instance.
+ */
+export interface McpRuntimeOptions {
+    /** Workspace root folder path */
+    workspaceFolder: string;
+    /** Port to listen on (default: 3100) */
+    port?: number;
+    /** Host to bind to (default: 127.0.0.1) */
+    host?: string;
+    /** Config field overrides (e.g. { 'mcp.port': 3200 }) */
+    configOverrides?: Record<string, unknown>;
+}
+/**
+ * Handle for controlling an embeddable MCP runtime instance.
+ */
+export interface McpRuntimeHandle {
+    /** Start the MCP server */
+    start(): Promise<void>;
+    /** Stop the MCP server */
+    stop(): Promise<void>;
+    /** Check if server is running */
+    isRunning(): boolean;
+    /** Get the port the server is listening on */
+    getPort(): number;
+    /** Execute a tool in-process (no protocol overhead) */
+    executeTool(name: string, args?: Record<string, unknown>): Promise<unknown>;
+}
+/**
+ * Factory to create and manage embeddable MCP runtime instances.
+ */
+export declare function createMcpRuntime(options: McpRuntimeOptions): Promise<McpRuntimeHandle>;
+/**
+ * Options for directly executing a single request without MCP.
+ */
+export interface RunRequestOptions {
+    /** Workspace root folder path */
+    workspaceFolder: string;
+    /** Collection ID containing the request */
+    collectionId: string;
+    /** Request ID to execute */
+    requestId: string;
+    /** Environment name (defaults to currently selected) */
+    environment?: string;
+    /** Extra variables to inject into execution */
+    variables?: Record<string, unknown>;
+    /** Override or add request headers */
+    headers?: Record<string, string>;
+    /** Override query parameters */
+    query?: Record<string, string>;
+    /** Replace request body (JSON string) */
+    body?: string;
+    /** Extra response fields to include: headers, cookies, tests, consoleOutput, report */
+    include?: string[];
+}
+/**
+ * Options for directly executing all requests in a collection without MCP.
+ */
+export interface RunCollectionOptions {
+    /** Workspace root folder path */
+    workspaceFolder: string;
+    /** Collection ID to execute */
+    collectionId: string;
+    /** Environment name (defaults to currently selected) */
+    environment?: string;
+    /** Extra variables injected into every request */
+    variables?: Record<string, unknown>;
+    /** Number of iterations (default: 1) */
+    iterations?: number;
+    /** Stop on first failure (default: false) */
+    stopOnError?: boolean;
+    /** Delay between requests in milliseconds (default: 0) */
+    delay?: number;
+    /** Extra response fields to include: perRequest, failedOnly, consoleOutput */
+    include?: string[];
+}
+/**
+ * Options for directly executing a test suite without MCP.
+ */
+export interface RunSuiteOptions {
+    /** Workspace root folder path */
+    workspaceFolder: string;
+    /** Suite ID to execute */
+    suiteId: string;
+    /** Environment name (defaults to currently selected) */
+    environment?: string;
+    /** Extra variables injected into every request */
+    variables?: Record<string, unknown>;
+    /** Number of iterations (overrides suite default) */
+    iterations?: number;
+    /** Stop on first failure (overrides suite default) */
+    stopOnError?: boolean;
+    /** Delay between requests in ms (overrides suite default) */
+    delay?: number;
+    /** Run only requests whose names match one of these strings (case-insensitive) */
+    requestFilter?: string[];
+    /** Extra response fields to include: perRequest, failedOnly, consoleOutput */
+    include?: string[];
+}
+/**
+ * Execute a single request directly without MCP server.
+ * Returns typed result object; never calls process.exit.
+ */
+export declare function runRequest(options: RunRequestOptions): Promise<unknown>;
+/**
+ * Execute a collection directly without MCP server.
+ * Returns typed result object; never calls process.exit.
+ */
+export declare function runCollection(options: RunCollectionOptions): Promise<unknown>;
+/**
+ * Execute a test suite directly without MCP server.
+ * Returns typed result object; never calls process.exit.
+ */
+export declare function runSuite(options: RunSuiteOptions): Promise<unknown>;

package/dist/types/environment-config.d.ts

@@ -11,6 +11,11 @@ export interface EnvironmentConfig {
     description?: string;
     requiresConfirmation?: boolean;
     variables?: Record<string, string>;
+    /**
+     * Names of variables whose values are stored in SecretStorage rather than the JSON file.
+     * The JSON file stores the variable name only; the value is fetched at resolution time.
+     */
+    secretVariables?: string[];
 }
 /**
  * Shared configuration file structure
@@ -115,6 +120,14 @@ export interface IVariableManager {
 export interface IEnvironmentConfigService extends IEnvironmentConfigReader, IEnvironmentConfigWriter, IEnvironmentSelector, IVariableResolver, IVariableManager {
     loadConfigs(): void;
     exportEnvironmentsToFolder(outDir: string, mergeGlobals?: boolean): void;
+    /** Read a single secret variable from SecretStorage. */
+    getSecretVariable(envName: string, key: string): Promise<string | undefined>;
+    /** Store a secret variable value in SecretStorage. */
+    setSecretVariable(envName: string, key: string, value: string): Promise<void>;
+    /** Delete a secret variable from SecretStorage. */
+    deleteSecretVariable(envName: string, key: string): Promise<void>;
+    /** Load all secrets for an environment (or current) into cache. */
+    loadSecretVariables(envName?: string): Promise<void>;
 }
 /**
  * Interface for storing and retrieving environment variables