@http-forge/core 0.3.3 → 0.4.0

package/dist/infrastructure/config/config.interface.d.ts

@@ -110,6 +110,36 @@ export interface ProxyConfig {
     /** List of hosts to bypass proxy */
     bypass?: string[];
 }
+/**
+ * Cloud secret provider configuration (used in SecretsConfig.providers)
+ */
+export interface SecretProviderEntry {
+    /** Provider type */
+    provider: 'aws' | 'azure' | 'gcp' | 'vault' | '1password' | 'doppler';
+    /** AWS region (aws only) */
+    region?: string;
+    /** Azure Key Vault URL (azure only) */
+    vaultUrl?: string;
+    /** GCP project ID (gcp only) */
+    projectId?: string;
+    /** Vault server address (vault only) */
+    address?: string;
+    /** Vault mount path (vault only, default "secret") */
+    mountPath?: string;
+    /** Vault namespace (vault only, Enterprise/HCP) */
+    namespace?: string;
+    /** 1Password vault name (1password only) */
+    vault?: string;
+    /** Doppler service token (doppler only; falls back to DOPPLER_TOKEN env var) */
+    serviceToken?: string;
+}
+/**
+ * Top-level secrets block in http-forge.config.json
+ * Configures named cloud secret providers for {{secret:alias/path}} tokens.
+ */
+export interface SecretsConfig {
+    providers: Record<string, SecretProviderEntry>;
+}
 /**
  * Main HTTP Forge configuration (http-forge.config.json)
  */
@@ -132,6 +162,8 @@ export interface HttpForgeConfig {
     mcp?: McpConfig;
     /** Proxy configuration (optional) */
     proxy?: ProxyConfig | null;
+    /** Cloud secret provider configuration (optional) */
+    secrets?: SecretsConfig;
 }
 /**
  * Configuration service interface

package/dist/infrastructure/environment/environment-config-service.d.ts

@@ -5,13 +5,14 @@
  * VS Code's workspaceState/globalState.
  */
 import type { IEnvironmentConfigService, ImportedEnvironment, LocalConfig, ResolvedEnvironment, SharedConfig } from '../../types/environment-config';
-import { IFileWatcherFactory, IKeyValueStore } from '../../types/platform';
+import { IFileWatcherFactory, IKeyValueStore, ISecretStore } from '../../types/platform';
 import { IConfigService } from '../config';
 export declare class EnvironmentConfigService implements IEnvironmentConfigService {
     private workspaceFolder;
     private workspaceStore;
     private configService;
     private fileWatcherFactory?;
+    private secretStore?;
     private environmentsPath;
     private sharedConfigPath;
     private localConfigPath;
@@ -27,12 +28,14 @@ export declare class EnvironmentConfigService implements IEnvironmentConfigServi
      */
     private localGlobalValues;
     private localEnvironmentValues;
+    /** In-memory cache of secret values fetched from SecretStorage — keyed by envName */
+    private secretValuesCache;
     /**
      * Callback invoked when environment files change on disk.
      * Set by the extension host to refresh tree views and panels.
      */
     onEnvironmentsChanged?: () => void;
-    constructor(workspaceFolder: string, workspaceStore: IKeyValueStore, configService: IConfigService, fileWatcherFactory?: IFileWatcherFactory | undefined);
+    constructor(workspaceFolder: string, workspaceStore: IKeyValueStore, configService: IConfigService, fileWatcherFactory?: IFileWatcherFactory | undefined, secretStore?: ISecretStore | undefined);
     private setupFileWatcher;
     dispose(): void;
     getWorkspaceFolder(): string;
@@ -83,6 +86,27 @@ export declare class EnvironmentConfigService implements IEnvironmentConfigServi
     /** @deprecated Use getEnvironmentVariableLocal instead */
     hasSessionVariable(key: string): boolean;
     getResolvedEnvironment(envName?: string): ResolvedEnvironment | null;
+    /**
+     * Retrieve a secret variable value from SecretStorage.
+     * Returns undefined when no SecretStorage is available (e.g. CLI context).
+     */
+    getSecretVariable(envName: string, key: string): Promise<string | undefined>;
+    /**
+     * Store a secret variable value in SecretStorage.
+     * No-op when no SecretStorage is available (e.g. CLI context).
+     */
+    setSecretVariable(envName: string, key: string, value: string): Promise<void>;
+    /**
+     * Delete a secret variable from SecretStorage.
+     * No-op when no SecretStorage is available (e.g. CLI context).
+     */
+    deleteSecretVariable(envName: string, key: string): Promise<void>;
+    /**
+     * Pre-load all secret values for an environment into the in-memory cache.
+     * Call this when switching environments or on extension activation so that
+     * the synchronous getResolvedEnvironment() always has secret values available.
+     */
+    loadSecretVariables(envName?: string): Promise<void>;
     resolveVariables(input: string, envName?: string): string;
     exportEnvironmentsToFolder(outDir: string, mergeGlobals?: boolean): void;
     resolveVariablesWithExtra(input: string, extraVariables: Record<string, string>, envName?: string): string;

package/dist/infrastructure/environment/environment-file-loader.d.ts

@@ -28,6 +28,11 @@ export interface EnvironmentEntry {
     description?: string;
     requiresConfirmation?: boolean;
     variables: Record<string, string>;
+    /**
+     * Names of variables whose values are stored in SecretStorage, not in the JSON file.
+     * These names are persisted in the JSON; the values are never written to disk.
+     */
+    secretVariables?: string[];
 }
 /**
  * Determine whether a filename is a system/meta file (not an environment file).

package/dist/infrastructure/execution/request-preparer.d.ts

@@ -15,6 +15,7 @@ import { ExecutionRequest, PreparedRequest } from '../../types/types';
 import { IOAuth2TokenManager } from '../auth/interfaces';
 import { IHttpRequestService } from '../http/interfaces';
 import { IRequestPreprocessor } from '../http/request-preprocessor';
+import { SecretResolverRegistry } from '../secrets/secret-resolver-registry';
 import { IRequestPreparer } from './request-preparer-interfaces';
 /**
  * RequestPreparer implementation
@@ -28,7 +29,8 @@ export declare class RequestPreparer implements IRequestPreparer {
     private readonly preprocessor;
     private readonly tokenManager?;
     private readonly appInfo?;
-    constructor(envConfigService: IEnvironmentConfigService, httpService: IHttpRequestService, preprocessor: IRequestPreprocessor, tokenManager?: IOAuth2TokenManager | undefined, appInfo?: IApplicationInfo | undefined);
+    private readonly secretRegistry?;
+    constructor(envConfigService: IEnvironmentConfigService, httpService: IHttpRequestService, preprocessor: IRequestPreprocessor, tokenManager?: IOAuth2TokenManager | undefined, appInfo?: IApplicationInfo | undefined, secretRegistry?: SecretResolverRegistry | undefined);
     prepareRequest(input: ExecutionRequest, environment: string, resolvedEnv: ResolvedEnvironment, extraVariables?: Record<string, string>): Promise<PreparedRequest>;
     private applyOAuth2;
     private applyApiKey;

package/dist/infrastructure/secrets/aws-secret-resolver.d.ts

@@ -0,0 +1,18 @@
+/**
+ * AWS Secrets Manager resolver
+ *
+ * Uses the AWS SDK v3 credential chain — no credentials are stored in HTTP Forge config.
+ * Order: env vars → ~/.aws/credentials → IAM instance role → ECS task role
+ *
+ * Token syntax: {{secret:aws/<secretId>}}
+ * e.g.          {{secret:aws/myapp/prod/db-password}}
+ *               {{secret:aws/myapp/prod/api-key#field}}  (JSON secret field)
+ */
+import type { AwsSecretsConfig, ISecretResolver } from '../../types/secret-resolver';
+export declare class AwsSecretResolver implements ISecretResolver {
+    readonly providerName = "aws";
+    private readonly region;
+    private readonly moduleRequire;
+    constructor(config: AwsSecretsConfig, moduleRequire?: (name: string) => any);
+    resolve(path: string): Promise<string | undefined>;
+}

package/dist/infrastructure/secrets/azure-keyvault-resolver.d.ts

@@ -0,0 +1,20 @@
+/**
+ * Azure Key Vault resolver
+ *
+ * Uses DefaultAzureCredential — no credentials stored in HTTP Forge config.
+ * Order: env vars (AZURE_*) → managed identity → Azure CLI login → VS Code login
+ *
+ * Token syntax: {{secret:azure/<secretName>}}
+ * e.g.          {{secret:azure/my-api-key}}
+ *               {{secret:azure/my-api-key/1.0}}  (specific version)
+ *
+ * Config requires vaultUrl, e.g. "https://myvault.vault.azure.net"
+ */
+import type { AzureKeyVaultConfig, ISecretResolver } from '../../types/secret-resolver';
+export declare class AzureKeyVaultResolver implements ISecretResolver {
+    readonly providerName = "azure";
+    private readonly vaultUrl;
+    private readonly moduleRequire;
+    constructor(config: AzureKeyVaultConfig, moduleRequire?: (name: string) => any);
+    resolve(path: string): Promise<string | undefined>;
+}

package/dist/infrastructure/secrets/doppler-resolver.d.ts

@@ -0,0 +1,22 @@
+/**
+ * Doppler secret resolver
+ *
+ * Uses the Doppler REST API — no SDK required, just a service token.
+ * Credentials: DOPPLER_TOKEN env var (or serviceToken in config for per-project override)
+ *
+ * Token syntax: {{secret:doppler/<secretName>}}
+ * e.g.          {{secret:doppler/API_KEY}}
+ *               {{secret:doppler/DATABASE_URL}}
+ *
+ * The Doppler project/config are baked into the service token itself —
+ * no project or config fields needed in http-forge.config.json.
+ *
+ * Prerequisites: none (uses Node.js built-in https)
+ */
+import type { DopplerConfig, ISecretResolver } from '../../types/secret-resolver';
+export declare class DopplerResolver implements ISecretResolver {
+    readonly providerName = "doppler";
+    private readonly token;
+    constructor(config: DopplerConfig);
+    resolve(path: string): Promise<string | undefined>;
+}

package/dist/infrastructure/secrets/gcp-secret-resolver.d.ts

@@ -0,0 +1,21 @@
+/**
+ * Google Cloud Secret Manager resolver
+ *
+ * Uses Application Default Credentials — no credentials stored in HTTP Forge config.
+ * Order: GOOGLE_APPLICATION_CREDENTIALS env var → gcloud CLI login → Workload Identity (GKE)
+ *        → Metadata server (Cloud Run, Compute Engine)
+ *
+ * Token syntax: {{secret:gcp/<secretName>}}
+ *               {{secret:gcp/<secretName>/versions/<version>}}  (specific version, default: latest)
+ *
+ * Config: { "provider": "gcp", "projectId": "my-project" }
+ * projectId falls back to GOOGLE_CLOUD_PROJECT / GCLOUD_PROJECT env vars.
+ */
+import type { GcpSecretsConfig, ISecretResolver } from '../../types/secret-resolver';
+export declare class GcpSecretResolver implements ISecretResolver {
+    readonly providerName = "gcp";
+    private readonly projectId;
+    private readonly moduleRequire;
+    constructor(config: GcpSecretsConfig, moduleRequire?: (name: string) => any);
+    resolve(path: string): Promise<string | undefined>;
+}

package/dist/infrastructure/secrets/hashicorp-vault-resolver.d.ts

@@ -0,0 +1,25 @@
+/**
+ * HashiCorp Vault resolver
+ *
+ * Credentials are NEVER stored in HTTP Forge config.
+ * Authentication uses:
+ *   VAULT_TOKEN     env var (token auth)
+ *   VAULT_ADDR      env var (server address, overrides config)
+ *   VAULT_NAMESPACE env var (Enterprise/HCP namespace, overridden by config.namespace)
+ *
+ * Token syntax: {{secret:vault/<mountPath>/<secretPath>#<field>}}
+ * e.g.          {{secret:vault/secret/myapp/prod#db_password}}
+ *               {{secret:vault/kv/myapp/config#api_key}}
+ *
+ * The path format after the provider prefix: <mount>/<path>#<field>
+ * If no field is specified and the secret has a single key "value", that is returned.
+ */
+import type { HashiCorpVaultConfig, ISecretResolver } from '../../types/secret-resolver';
+export declare class HashiCorpVaultResolver implements ISecretResolver {
+    readonly providerName = "vault";
+    private readonly address;
+    private readonly mountPath;
+    private readonly namespace;
+    constructor(config: HashiCorpVaultConfig);
+    resolve(path: string): Promise<string | undefined>;
+}

package/dist/infrastructure/secrets/onepassword-resolver.d.ts

@@ -0,0 +1,26 @@
+/**
+ * 1Password Connect / Service Account resolver
+ *
+ * Credentials are NEVER stored in HTTP Forge config.
+ * Authentication uses:
+ *   OP_SERVICE_ACCOUNT_TOKEN  env var  (1Password Service Account — recommended for CI)
+ *   OP_CONNECT_TOKEN + OP_CONNECT_HOST env vars  (1Password Connect Server)
+ *
+ * Token syntax: {{secret:1password/<vault>/<item>/<field>}}
+ * e.g.          {{secret:1password/MyVault/MyApp/api_key}}
+ *               {{secret:1password/Shared/prod-db/password}}
+ *
+ * If `vault` is specified in the provider config, the token path may omit it:
+ *   {{secret:1password/<item>/<field>}}
+ *
+ * Uses the 1Password CLI (`op`) via child_process if SDK is unavailable.
+ */
+import type { ISecretResolver, OnePasswordConfig } from '../../types/secret-resolver';
+export declare class OnePasswordResolver implements ISecretResolver {
+    readonly providerName = "1password";
+    private readonly defaultVault;
+    constructor(config: OnePasswordConfig);
+    resolve(path: string): Promise<string | undefined>;
+    private tryResolveSdk;
+    private resolveViaCli;
+}

package/dist/infrastructure/secrets/secret-resolver-registry.d.ts

@@ -0,0 +1,43 @@
+/**
+ * Secret Resolver Registry — Phase 3
+ *
+ * Builds and caches ISecretResolver instances from config, and provides
+ * async pre-resolution of {{secret:provider/path}} tokens in template strings.
+ *
+ * Design:
+ * - Registry is created once at startup from IConfigService
+ * - resolveSecretTokens() is called BEFORE variable interpolation per-request
+ * - Resolved values are injected as extraVariables so the sync VariableResolver
+ *   picks them up transparently
+ * - Results are cached within a single request lifetime to avoid redundant API calls
+ */
+import type { IConfigService } from '../config/config.interface';
+export declare class SecretResolverRegistry {
+    private readonly resolvers;
+    /**
+     * Require function rooted at the user's project (via config `scripts.modulePaths`),
+     * so optional cloud SDKs resolve from the same place users install custom script
+     * modules — not from the extension's own bundle.
+     */
+    private readonly moduleRequire;
+    constructor(configService?: IConfigService);
+    /**
+     * Scan a string (or recursively, any object) for {{secret:alias/path}} tokens
+     * and resolve them all in parallel.
+     *
+     * Returns a flat map of  "secret:alias/path" → plaintext value
+     * suitable for injection as extraVariables into VariableResolver.
+     */
+    resolveSecretTokens(input: any, cache?: Map<string, string>): Promise<Record<string, string>>;
+    /** Whether any providers are configured */
+    get hasProviders(): boolean;
+    private collectTokens;
+    private createResolver;
+    /**
+     * Build a `require` function rooted at the user's project, so optional cloud SDKs
+     * resolve from the same `node_modules` where users install custom script modules
+     * (via config `scripts.modulePaths`). Falls back to the default `require` so the
+     * CLI (which lists SDKs in optionalDependencies) still works without modulePaths.
+     */
+    private buildModuleRequire;
+}

package/dist/types/environment-config.d.ts

@@ -11,6 +11,11 @@ export interface EnvironmentConfig {
     description?: string;
     requiresConfirmation?: boolean;
     variables?: Record<string, string>;
+    /**
+     * Names of variables whose values are stored in SecretStorage rather than the JSON file.
+     * The JSON file stores the variable name only; the value is fetched at resolution time.
+     */
+    secretVariables?: string[];
 }
 /**
  * Shared configuration file structure
@@ -115,6 +120,14 @@ export interface IVariableManager {
 export interface IEnvironmentConfigService extends IEnvironmentConfigReader, IEnvironmentConfigWriter, IEnvironmentSelector, IVariableResolver, IVariableManager {
     loadConfigs(): void;
     exportEnvironmentsToFolder(outDir: string, mergeGlobals?: boolean): void;
+    /** Read a single secret variable from SecretStorage. */
+    getSecretVariable(envName: string, key: string): Promise<string | undefined>;
+    /** Store a secret variable value in SecretStorage. */
+    setSecretVariable(envName: string, key: string, value: string): Promise<void>;
+    /** Delete a secret variable from SecretStorage. */
+    deleteSecretVariable(envName: string, key: string): Promise<void>;
+    /** Load all secrets for an environment (or current) into cache. */
+    loadSecretVariables(envName?: string): Promise<void>;
 }
 /**
  * Interface for storing and retrieving environment variables

package/dist/types/secret-resolver.d.ts

@@ -0,0 +1,106 @@
+/**
+ * Cloud Secret Resolver — Phase 3
+ *
+ * Defines the ISecretResolver abstraction and the per-provider configuration
+ * types used in http-forge.config.json under the `secrets` key.
+ *
+ * Token syntax resolved by this interface: {{secret:provider/path}}
+ *   e.g.  {{secret:aws/myapp/prod/db-password}}
+ *         {{secret:azure/https://myvault.vault.azure.net/secrets/apiKey}}
+ *         {{secret:vault/secret/data/myapp#password}}
+ *         {{secret:1password/MyVault/MyItem/password}}
+ *
+ * Credentials are NEVER stored in HTTP Forge config.
+ * Each provider uses its SDK's default credential chain:
+ *   - AWS   → SDK credential chain (env vars / ~/.aws / IAM role)
+ *   - Azure → DefaultAzureCredential (env / managed identity / CLI login)
+ *   - Vault → VAULT_TOKEN / VAULT_ADDR env vars
+ *   - 1Password → OP_SERVICE_ACCOUNT_TOKEN env var
+ */
+export interface ISecretResolver {
+    /**
+     * Resolve a secret by its provider-relative path.
+     * @param path  The path after the provider prefix, e.g. "myapp/prod/apiKey"
+     * @returns     The plaintext secret value, or undefined if not found
+     */
+    resolve(path: string): Promise<string | undefined>;
+    /**
+     * Human-readable provider name, e.g. "aws", "azure", "vault", "1password"
+     */
+    readonly providerName: string;
+}
+export interface AwsSecretsConfig {
+    provider: 'aws';
+    /** AWS region, e.g. "us-east-1". Falls back to AWS_DEFAULT_REGION env var. */
+    region?: string;
+}
+export interface AzureKeyVaultConfig {
+    provider: 'azure';
+    /**
+     * Key Vault URL, e.g. "https://myvault.vault.azure.net"
+     * The path portion of the token is used as the secret name.
+     */
+    vaultUrl: string;
+}
+export interface HashiCorpVaultConfig {
+    provider: 'vault';
+    /**
+     * Vault server address, e.g. "https://vault.example.com:8200"
+     * Falls back to VAULT_ADDR env var.
+     */
+    address?: string;
+    /** Mount path prefix, e.g. "secret". Defaults to "secret". */
+    mountPath?: string;
+    /**
+     * Vault namespace (Enterprise / HCP Vault), e.g. "admin" or "admin/team-a".
+     * Sent as the X-Vault-Namespace header. Falls back to VAULT_NAMESPACE env var.
+     */
+    namespace?: string;
+}
+export interface OnePasswordConfig {
+    provider: '1password';
+    /**
+     * Vault name to search, e.g. "MyVault".
+     * If omitted, the path is expected to include vault/item/field.
+     */
+    vault?: string;
+}
+export interface GcpSecretsConfig {
+    provider: 'gcp';
+    /**
+     * GCP project ID, e.g. "my-project-123".
+     * Falls back to GOOGLE_CLOUD_PROJECT / GCLOUD_PROJECT env vars.
+     */
+    projectId?: string;
+}
+export interface DopplerConfig {
+    provider: 'doppler';
+    /**
+     * Doppler service token. Falls back to DOPPLER_TOKEN env var.
+     * The project/config are baked into the service token itself.
+     */
+    serviceToken?: string;
+}
+export type SecretProviderConfig = AwsSecretsConfig | AzureKeyVaultConfig | HashiCorpVaultConfig | OnePasswordConfig | GcpSecretsConfig | DopplerConfig;
+/**
+ * Top-level `secrets` block in http-forge.config.json
+ */
+export interface SecretsConfig {
+    /**
+     * Named provider configs. Keys are provider aliases used in the token:
+     * {{secret:<alias>/<path>}}
+     *
+     * Example:
+     * ```json
+     * {
+     *   "secrets": {
+     *     "providers": {
+     *       "aws":    { "provider": "aws", "region": "us-east-1" },
+     *       "vault":  { "provider": "vault", "address": "https://vault.example.com" }
+     *     }
+     *   }
+     * }
+     * ```
+     */
+    providers: Record<string, SecretProviderConfig>;
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@http-forge/core",
-  "version": "0.3.3",
+  "version": "0.4.0",
   "description": "Headless HTTP testing engine with Postman collection support, dynamic variables, and script-based automation.",
   "main": "./dist/index.js",
   "module": "./dist/index.mjs",
@@ -59,6 +59,18 @@
     "uuid": "^14.0.0",
     "yaml": "^2.7.0"
   },
+  "peerDependencies": {
+    "@aws-sdk/client-secrets-manager": ">=3.0.0",
+    "@azure/keyvault-secrets": ">=4.0.0",
+    "@azure/identity": ">=3.0.0",
+    "node-vault": ">=0.9.0"
+  },
+  "peerDependenciesMeta": {
+    "@aws-sdk/client-secrets-manager": { "optional": true },
+    "@azure/keyvault-secrets": { "optional": true },
+    "@azure/identity": { "optional": true },
+    "node-vault": { "optional": true }
+  },
   "devDependencies": {
     "@types/lodash": "^4.14.202",
     "@types/node": "^20.10.0",