@kustodian/plugin-doppler 1.1.0 → 2.0.0

package/dist/executor.d.ts

@@ -0,0 +1,38 @@
+import type { KustodianErrorType } from '@kustodian/core';
+import { type ResultType } from '@kustodian/core';
+import { type DopplerPluginOptionsType } from './types.js';
+/**
+ * Result of a command execution.
+ */
+export interface CommandResultType {
+    stdout: string;
+    stderr: string;
+    exit_code: number;
+}
+/**
+ * Options for command execution.
+ */
+export interface ExecOptionsType {
+    cwd?: string | undefined;
+    timeout?: number | undefined;
+    env?: Record<string, string> | undefined;
+}
+/**
+ * Executes a command and returns the result.
+ * Uses execFile for security (no shell invocation).
+ */
+export declare function exec_command(command: string, args?: string[], options?: ExecOptionsType): Promise<ResultType<CommandResultType, KustodianErrorType>>;
+/**
+ * Checks if doppler CLI is available in the system PATH.
+ */
+export declare function check_doppler_available(): Promise<ResultType<string, KustodianErrorType>>;
+/**
+ * Fetches all secrets for a project/config combination.
+ * Returns a JSON object of all secrets.
+ */
+export declare function doppler_secrets_download(project: string, config: string, options?: DopplerPluginOptionsType): Promise<ResultType<Record<string, string>, KustodianErrorType>>;
+/**
+ * Fetches a single secret value from Doppler.
+ */
+export declare function doppler_secret_get(project: string, config: string, secret_name: string, options?: DopplerPluginOptionsType): Promise<ResultType<string, KustodianErrorType>>;
+//# sourceMappingURL=executor.d.ts.map

package/dist/executor.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"executor.d.ts","sourceRoot":"","sources":["../src/executor.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAC;AAC1D,OAAO,EAAU,KAAK,UAAU,EAAoB,MAAM,iBAAiB,CAAC;AAE5E,OAAO,EAAmB,KAAK,wBAAwB,EAAE,MAAM,YAAY,CAAC;AAI5E;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,GAAG,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IACzB,OAAO,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IAC7B,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,SAAS,CAAC;CAC1C;AAED;;;GAGG;AACH,wBAAsB,YAAY,CAChC,OAAO,EAAE,MAAM,EACf,IAAI,GAAE,MAAM,EAAO,EACnB,OAAO,GAAE,eAAoB,GAC5B,OAAO,CAAC,UAAU,CAAC,iBAAiB,EAAE,kBAAkB,CAAC,CAAC,CAwB5D;AA6BD;;GAEG;AACH,wBAAsB,uBAAuB,IAAI,OAAO,CAAC,UAAU,CAAC,MAAM,EAAE,kBAAkB,CAAC,CAAC,CAc/F;AAED;;;GAGG;AACH,wBAAsB,wBAAwB,CAC5C,OAAO,EAAE,MAAM,EACf,MAAM,EAAE,MAAM,EACd,OAAO,GAAE,wBAA6B,GACrC,OAAO,CAAC,UAAU,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EAAE,kBAAkB,CAAC,CAAC,CAgEjE;AAED;;GAEG;AACH,wBAAsB,kBAAkB,CACtC,OAAO,EAAE,MAAM,EACf,MAAM,EAAE,MAAM,EACd,WAAW,EAAE,MAAM,EACnB,OAAO,GAAE,wBAA6B,GACrC,OAAO,CAAC,UAAU,CAAC,MAAM,EAAE,kBAAkB,CAAC,CAAC,CA+CjD"}

package/dist/index.d.ts

@@ -0,0 +1,5 @@
+export { type CommandResultType, check_doppler_available, doppler_secret_get, doppler_secrets_download, type ExecOptionsType, exec_command, } from './executor.js';
+export { create_doppler_plugin, plugin, plugin as default } from './plugin.js';
+export { resolve_doppler_substitutions } from './resolver.js';
+export { create_cache_key, DEFAULT_TIMEOUT, type DopplerCacheKeyType, type DopplerPluginOptionsType, type DopplerRefType, } from './types.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAGA,OAAO,EACL,KAAK,iBAAiB,EACtB,uBAAuB,EACvB,kBAAkB,EAClB,wBAAwB,EACxB,KAAK,eAAe,EACpB,YAAY,GACb,MAAM,eAAe,CAAC;AACvB,OAAO,EAAE,qBAAqB,EAAE,MAAM,EAAE,MAAM,IAAI,OAAO,EAAE,MAAM,aAAa,CAAC;AAG/E,OAAO,EAAE,6BAA6B,EAAE,MAAM,eAAe,CAAC;AAG9D,OAAO,EACL,gBAAgB,EAChB,eAAe,EACf,KAAK,mBAAmB,EACxB,KAAK,wBAAwB,EAC7B,KAAK,cAAc,GACpB,MAAM,YAAY,CAAC"}

package/dist/index.js

@@ -0,0 +1,489 @@
+// src/executor.ts
+import { execFile } from "node:child_process";
+import { promisify } from "node:util";
+
+// ../../packages/core/dist/index.js
+function create_error(code, message, cause) {
+  return { code, message, cause };
+}
+var ErrorCodes = {
+  UNKNOWN: "UNKNOWN",
+  INVALID_ARGUMENT: "INVALID_ARGUMENT",
+  NOT_FOUND: "NOT_FOUND",
+  ALREADY_EXISTS: "ALREADY_EXISTS",
+  FILE_NOT_FOUND: "FILE_NOT_FOUND",
+  FILE_READ_ERROR: "FILE_READ_ERROR",
+  FILE_WRITE_ERROR: "FILE_WRITE_ERROR",
+  DIRECTORY_NOT_FOUND: "DIRECTORY_NOT_FOUND",
+  PARSE_ERROR: "PARSE_ERROR",
+  YAML_PARSE_ERROR: "YAML_PARSE_ERROR",
+  JSON_PARSE_ERROR: "JSON_PARSE_ERROR",
+  VALIDATION_ERROR: "VALIDATION_ERROR",
+  SCHEMA_VALIDATION_ERROR: "SCHEMA_VALIDATION_ERROR",
+  CONFIG_NOT_FOUND: "CONFIG_NOT_FOUND",
+  CONFIG_INVALID: "CONFIG_INVALID",
+  TEMPLATE_NOT_FOUND: "TEMPLATE_NOT_FOUND",
+  CLUSTER_NOT_FOUND: "CLUSTER_NOT_FOUND",
+  PROFILE_NOT_FOUND: "PROFILE_NOT_FOUND",
+  NETWORK_ERROR: "NETWORK_ERROR",
+  CONNECTION_REFUSED: "CONNECTION_REFUSED",
+  TIMEOUT: "TIMEOUT",
+  SSH_CONNECTION_ERROR: "SSH_CONNECTION_ERROR",
+  SSH_AUTH_ERROR: "SSH_AUTH_ERROR",
+  SSH_COMMAND_ERROR: "SSH_COMMAND_ERROR",
+  K8S_CONNECTION_ERROR: "K8S_CONNECTION_ERROR",
+  K8S_API_ERROR: "K8S_API_ERROR",
+  NODE_NOT_READY: "NODE_NOT_READY",
+  BOOTSTRAP_ERROR: "BOOTSTRAP_ERROR",
+  BOOTSTRAP_STATE_ERROR: "BOOTSTRAP_STATE_ERROR",
+  CLUSTER_PROVIDER_ERROR: "CLUSTER_PROVIDER_ERROR",
+  PLUGIN_NOT_FOUND: "PLUGIN_NOT_FOUND",
+  PLUGIN_LOAD_ERROR: "PLUGIN_LOAD_ERROR",
+  PLUGIN_EXECUTION_ERROR: "PLUGIN_EXECUTION_ERROR",
+  DEPENDENCY_CYCLE: "DEPENDENCY_CYCLE",
+  DEPENDENCY_MISSING: "DEPENDENCY_MISSING",
+  DEPENDENCY_SELF_REFERENCE: "DEPENDENCY_SELF_REFERENCE",
+  DEPENDENCY_VALIDATION_ERROR: "DEPENDENCY_VALIDATION_ERROR",
+  SECRET_CLI_NOT_FOUND: "SECRET_CLI_NOT_FOUND",
+  SECRET_NOT_FOUND: "SECRET_NOT_FOUND",
+  SECRET_AUTH_ERROR: "SECRET_AUTH_ERROR",
+  SECRET_TIMEOUT: "SECRET_TIMEOUT",
+  SOURCE_FETCH_ERROR: "SOURCE_FETCH_ERROR",
+  SOURCE_AUTH_ERROR: "SOURCE_AUTH_ERROR",
+  SOURCE_TIMEOUT: "SOURCE_TIMEOUT",
+  SOURCE_CHECKSUM_MISMATCH: "SOURCE_CHECKSUM_MISMATCH",
+  SOURCE_VERSION_NOT_FOUND: "SOURCE_VERSION_NOT_FOUND",
+  CACHE_READ_ERROR: "CACHE_READ_ERROR",
+  CACHE_WRITE_ERROR: "CACHE_WRITE_ERROR",
+  CACHE_CORRUPT: "CACHE_CORRUPT"
+};
+var Errors = {
+  unknown(message, cause) {
+    return create_error(ErrorCodes.UNKNOWN, message, cause);
+  },
+  invalid_argument(argument, reason) {
+    return create_error(ErrorCodes.INVALID_ARGUMENT, `Invalid argument '${argument}': ${reason}`);
+  },
+  not_found(resource, identifier) {
+    return create_error(ErrorCodes.NOT_FOUND, `${resource} '${identifier}' not found`);
+  },
+  already_exists(resource, identifier) {
+    return create_error(ErrorCodes.ALREADY_EXISTS, `${resource} '${identifier}' already exists`);
+  },
+  file_not_found(path) {
+    return create_error(ErrorCodes.FILE_NOT_FOUND, `File not found: ${path}`);
+  },
+  file_read_error(path, cause) {
+    return create_error(ErrorCodes.FILE_READ_ERROR, `Failed to read file: ${path}`, cause);
+  },
+  file_write_error(path, cause) {
+    return create_error(ErrorCodes.FILE_WRITE_ERROR, `Failed to write file: ${path}`, cause);
+  },
+  parse_error(format, message, cause) {
+    return create_error(ErrorCodes.PARSE_ERROR, `Failed to parse ${format}: ${message}`, cause);
+  },
+  yaml_parse_error(message, cause) {
+    return create_error(ErrorCodes.YAML_PARSE_ERROR, `YAML parse error: ${message}`, cause);
+  },
+  validation_error(message, cause) {
+    return create_error(ErrorCodes.VALIDATION_ERROR, message, cause);
+  },
+  schema_validation_error(errors) {
+    return create_error(ErrorCodes.SCHEMA_VALIDATION_ERROR, `Schema validation failed:
+${errors.map((e) => `  - ${e}`).join(`
+`)}`);
+  },
+  config_not_found(config_type, path) {
+    return create_error(ErrorCodes.CONFIG_NOT_FOUND, `${config_type} configuration not found at: ${path}`);
+  },
+  template_not_found(name) {
+    return create_error(ErrorCodes.TEMPLATE_NOT_FOUND, `Template '${name}' not found`);
+  },
+  cluster_not_found(name) {
+    return create_error(ErrorCodes.CLUSTER_NOT_FOUND, `Cluster '${name}' not found`);
+  },
+  profile_not_found(name) {
+    return create_error(ErrorCodes.PROFILE_NOT_FOUND, `Node profile '${name}' not found`);
+  },
+  ssh_connection_error(host, cause) {
+    return create_error(ErrorCodes.SSH_CONNECTION_ERROR, `Failed to connect to ${host} via SSH`, cause);
+  },
+  ssh_auth_error(host, cause) {
+    return create_error(ErrorCodes.SSH_AUTH_ERROR, `SSH authentication failed for ${host}`, cause);
+  },
+  bootstrap_error(message, cause) {
+    return create_error(ErrorCodes.BOOTSTRAP_ERROR, `Bootstrap failed: ${message}`, cause);
+  },
+  plugin_not_found(name) {
+    return create_error(ErrorCodes.PLUGIN_NOT_FOUND, `Plugin '${name}' not found`);
+  },
+  plugin_load_error(name, cause) {
+    return create_error(ErrorCodes.PLUGIN_LOAD_ERROR, `Failed to load plugin '${name}'`, cause);
+  },
+  dependency_cycle(cycle) {
+    const cycle_str = cycle.join(" → ");
+    return create_error(ErrorCodes.DEPENDENCY_CYCLE, `Dependency cycle detected: ${cycle_str}`);
+  },
+  dependency_missing(source, target) {
+    return create_error(ErrorCodes.DEPENDENCY_MISSING, `Kustomization '${source}' depends on '${target}' which does not exist`);
+  },
+  dependency_self_reference(node) {
+    return create_error(ErrorCodes.DEPENDENCY_SELF_REFERENCE, `Kustomization '${node}' cannot depend on itself`);
+  },
+  dependency_validation_error(errors) {
+    return create_error(ErrorCodes.DEPENDENCY_VALIDATION_ERROR, `Dependency validation failed:
+${errors.map((e) => `  - ${e}`).join(`
+`)}`);
+  },
+  secret_cli_not_found(provider, cli_name) {
+    return create_error(ErrorCodes.SECRET_CLI_NOT_FOUND, `${provider} CLI (${cli_name}) not found. Please install it first.`);
+  },
+  secret_not_found(provider, ref) {
+    return create_error(ErrorCodes.SECRET_NOT_FOUND, `Secret not found in ${provider}: ${ref}`);
+  },
+  secret_auth_error(provider, cause) {
+    return create_error(ErrorCodes.SECRET_AUTH_ERROR, `${provider} authentication failed. Check your credentials.`, cause);
+  },
+  secret_timeout(provider, timeout) {
+    return create_error(ErrorCodes.SECRET_TIMEOUT, `${provider} operation timed out after ${timeout}ms`);
+  },
+  source_fetch_error(source, cause) {
+    return create_error(ErrorCodes.SOURCE_FETCH_ERROR, `Failed to fetch template source '${source}'`, cause);
+  },
+  source_auth_error(source, cause) {
+    return create_error(ErrorCodes.SOURCE_AUTH_ERROR, `Authentication failed for source '${source}'`, cause);
+  },
+  source_timeout(source, timeout) {
+    return create_error(ErrorCodes.SOURCE_TIMEOUT, `Source '${source}' operation timed out after ${timeout}ms`);
+  },
+  source_checksum_mismatch(source, expected, actual) {
+    return create_error(ErrorCodes.SOURCE_CHECKSUM_MISMATCH, `Checksum mismatch for '${source}': expected ${expected}, got ${actual}`);
+  },
+  source_version_not_found(source, version) {
+    return create_error(ErrorCodes.SOURCE_VERSION_NOT_FOUND, `Version '${version}' not found for source '${source}'`);
+  },
+  cache_read_error(path, cause) {
+    return create_error(ErrorCodes.CACHE_READ_ERROR, `Failed to read cache at: ${path}`, cause);
+  },
+  cache_write_error(path, cause) {
+    return create_error(ErrorCodes.CACHE_WRITE_ERROR, `Failed to write cache at: ${path}`, cause);
+  },
+  cache_corrupt(path) {
+    return create_error(ErrorCodes.CACHE_CORRUPT, `Cache is corrupt at: ${path}`);
+  }
+};
+function success(value) {
+  return { success: true, value };
+}
+function failure(error) {
+  return { success: false, error };
+}
+
+// src/types.ts
+var DEFAULT_TIMEOUT = 30000;
+function create_cache_key(project, config) {
+  return `${project}/${config}`;
+}
+
+// src/executor.ts
+var exec_file_async = promisify(execFile);
+async function exec_command(command, args = [], options = {}) {
+  try {
+    const { stdout, stderr } = await exec_file_async(command, args, {
+      cwd: options.cwd,
+      timeout: options.timeout,
+      env: { ...process.env, ...options.env }
+    });
+    return success({
+      stdout,
+      stderr,
+      exit_code: 0
+    });
+  } catch (error) {
+    if (is_exec_error(error)) {
+      return success({
+        stdout: error.stdout ?? "",
+        stderr: error.stderr ?? "",
+        exit_code: error.code ?? 1
+      });
+    }
+    return failure(Errors.unknown(`Failed to execute command: ${command}`, error));
+  }
+}
+function is_exec_error(error) {
+  return typeof error === "object" && error !== null && (("stdout" in error) || ("stderr" in error) || ("code" in error));
+}
+function get_doppler_auth_env(options) {
+  const env = {};
+  const token = options.token ?? process.env["DOPPLER_TOKEN"];
+  if (token) {
+    env["DOPPLER_TOKEN"] = token;
+  }
+  return env;
+}
+async function check_doppler_available() {
+  const result = await exec_command("doppler", ["--version"]);
+  if (!result.success) {
+    return result;
+  }
+  if (result.value.exit_code !== 0) {
+    return failure(Errors.secret_cli_not_found("Doppler", "doppler"));
+  }
+  const version = result.value.stdout.trim();
+  return success(version);
+}
+async function doppler_secrets_download(project, config, options = {}) {
+  const timeout = options.timeout ?? DEFAULT_TIMEOUT;
+  const env = get_doppler_auth_env(options);
+  const result = await exec_command("doppler", [
+    "secrets",
+    "download",
+    "--project",
+    project,
+    "--config",
+    config,
+    "--format",
+    "json",
+    "--no-file"
+  ], {
+    timeout,
+    env
+  });
+  if (!result.success) {
+    return result;
+  }
+  const { stdout, stderr, exit_code } = result.value;
+  if (exit_code !== 0) {
+    const stderr_lower = stderr.toLowerCase();
+    if (stderr_lower.includes("not found") || stderr_lower.includes("doesn't exist") || stderr_lower.includes("no project") || stderr_lower.includes("no config")) {
+      return failure(Errors.secret_not_found("Doppler", `${project}/${config}`));
+    }
+    if (stderr_lower.includes("unauthorized") || stderr_lower.includes("authentication") || stderr_lower.includes("invalid token") || stderr_lower.includes("access denied")) {
+      return failure(Errors.secret_auth_error("Doppler", stderr));
+    }
+    if (stderr_lower.includes("timeout")) {
+      return failure(Errors.secret_timeout("Doppler", timeout));
+    }
+    return failure(Errors.unknown(`Doppler error: ${stderr}`));
+  }
+  try {
+    const secrets = JSON.parse(stdout);
+    return success(secrets);
+  } catch (error) {
+    return failure(Errors.unknown("Failed to parse Doppler secrets output", error));
+  }
+}
+async function doppler_secret_get(project, config, secret_name, options = {}) {
+  const timeout = options.timeout ?? DEFAULT_TIMEOUT;
+  const env = get_doppler_auth_env(options);
+  const result = await exec_command("doppler", ["secrets", "get", secret_name, "--project", project, "--config", config, "--plain"], {
+    timeout,
+    env
+  });
+  if (!result.success) {
+    return result;
+  }
+  const { stdout, stderr, exit_code } = result.value;
+  if (exit_code !== 0) {
+    const stderr_lower = stderr.toLowerCase();
+    if (stderr_lower.includes("not found") || stderr_lower.includes("doesn't exist") || stderr_lower.includes("no secret")) {
+      return failure(Errors.secret_not_found("Doppler", `${project}/${config}/${secret_name}`));
+    }
+    if (stderr_lower.includes("unauthorized") || stderr_lower.includes("authentication") || stderr_lower.includes("invalid token")) {
+      return failure(Errors.secret_auth_error("Doppler", stderr));
+    }
+    if (stderr_lower.includes("timeout")) {
+      return failure(Errors.secret_timeout("Doppler", timeout));
+    }
+    return failure(Errors.unknown(`Doppler error: ${stderr}`));
+  }
+  return success(stdout.trim());
+}
+// src/plugin.ts
+var manifest = {
+  name: "@kustodian/plugin-doppler",
+  version: "0.1.0",
+  description: "Doppler secret provider for Kustodian",
+  capabilities: ["commands", "hooks"]
+};
+function create_doppler_plugin(options = {}) {
+  return {
+    manifest,
+    async activate() {
+      const check_result = await check_doppler_available();
+      if (!check_result.success) {
+        console.warn("Doppler CLI not found - secret resolution may fail");
+      }
+      return success(undefined);
+    },
+    async deactivate() {
+      return success(undefined);
+    },
+    get_commands() {
+      const doppler_command = {
+        name: "doppler",
+        description: "Doppler secret management commands",
+        subcommands: [
+          {
+            name: "check",
+            description: "Check Doppler CLI availability and authentication",
+            handler: async () => {
+              const result = await check_doppler_available();
+              if (result.success) {
+                console.log(`Doppler CLI version: ${result.value}`);
+                return success(undefined);
+              }
+              console.error("Doppler CLI not available");
+              return result;
+            }
+          },
+          {
+            name: "test",
+            description: "Test reading a secret from Doppler",
+            arguments: [
+              { name: "project", description: "Doppler project", required: true },
+              { name: "config", description: "Doppler config", required: true },
+              { name: "secret", description: "Secret name", required: true }
+            ],
+            handler: async (ctx) => {
+              const [project, config, secret] = ctx.args;
+              if (!project || !config || !secret) {
+                console.error("Missing required arguments: project, config, secret");
+                return success(undefined);
+              }
+              const result = await doppler_secret_get(project, config, secret, options);
+              if (result.success) {
+                console.log("Secret retrieved successfully (value hidden)");
+                console.log(`Length: ${result.value.length} characters`);
+                return success(undefined);
+              }
+              console.error(`Failed to read secret: ${result.error.message}`);
+              return result;
+            }
+          },
+          {
+            name: "list-secrets",
+            description: "List available secrets in a Doppler config",
+            arguments: [
+              { name: "project", description: "Doppler project", required: true },
+              { name: "config", description: "Doppler config", required: true }
+            ],
+            handler: async (ctx) => {
+              const [project, config] = ctx.args;
+              if (!project || !config) {
+                console.error("Missing required arguments: project, config");
+                return success(undefined);
+              }
+              const result = await doppler_secrets_download(project, config, options);
+              if (result.success) {
+                console.log("Available secrets:");
+                for (const key of Object.keys(result.value)) {
+                  console.log(`  - ${key}`);
+                }
+                return success(undefined);
+              }
+              console.error(`Failed to list secrets: ${result.error.message}`);
+              return result;
+            }
+          }
+        ]
+      };
+      return [{ command: doppler_command }];
+    },
+    get_hooks() {
+      return [
+        {
+          event: "generator:after_resolve",
+          priority: 50,
+          handler: async (_event, ctx) => {
+            return success(ctx);
+          }
+        }
+      ];
+    }
+  };
+}
+var plugin = create_doppler_plugin();
+// src/resolver.ts
+async function resolve_doppler_substitutions(substitutions, options = {}) {
+  if (substitutions.length === 0) {
+    return success({});
+  }
+  const resolved_subs = [];
+  for (const sub of substitutions) {
+    const project = sub.project ?? options.cluster_defaults?.project;
+    const config = sub.config ?? options.cluster_defaults?.config;
+    if (!project || !config) {
+      return failure({
+        code: "MISSING_DOPPLER_CONFIG",
+        message: `Doppler substitution '${sub.name}' missing project/config and no cluster defaults configured`
+      });
+    }
+    resolved_subs.push({
+      ...sub,
+      project,
+      config
+    });
+  }
+  const groups = new Map;
+  for (const sub of resolved_subs) {
+    const key = create_cache_key(sub.project, sub.config);
+    const group = groups.get(key) ?? [];
+    group.push(sub);
+    groups.set(key, group);
+  }
+  const secrets_cache = new Map;
+  const results = {};
+  for (const [key, subs] of groups) {
+    const first = subs[0];
+    if (!first) {
+      continue;
+    }
+    let secrets = secrets_cache.get(key);
+    if (!secrets) {
+      const download_result = await doppler_secrets_download(first.project, first.config, options);
+      if (!download_result.success) {
+        let all_have_defaults = true;
+        for (const sub of subs) {
+          if (sub.default !== undefined) {
+            results[sub.name] = sub.default;
+          } else if (options.fail_on_missing !== false) {
+            all_have_defaults = false;
+          }
+        }
+        if (!all_have_defaults) {
+          return failure(download_result.error);
+        }
+        continue;
+      }
+      secrets = download_result.value;
+      secrets_cache.set(key, secrets);
+    }
+    for (const sub of subs) {
+      const value = secrets[sub.secret];
+      if (value !== undefined) {
+        results[sub.name] = value;
+      } else if (sub.default !== undefined) {
+        results[sub.name] = sub.default;
+      } else if (options.fail_on_missing !== false) {
+        return failure({
+          code: "SECRET_NOT_FOUND",
+          message: `Secret not found in Doppler: ${sub.project}/${sub.config}/${sub.secret}`
+        });
+      }
+    }
+  }
+  return success(results);
+}
+export {
+  resolve_doppler_substitutions,
+  plugin,
+  exec_command,
+  doppler_secrets_download,
+  doppler_secret_get,
+  plugin as default,
+  create_doppler_plugin,
+  create_cache_key,
+  check_doppler_available,
+  DEFAULT_TIMEOUT
+};

package/dist/plugin.d.ts

@@ -0,0 +1,12 @@
+import type { KustodianPluginType } from '@kustodian/plugins';
+import type { DopplerPluginOptionsType } from './types.js';
+/**
+ * Creates the Doppler plugin.
+ */
+export declare function create_doppler_plugin(options?: DopplerPluginOptionsType): KustodianPluginType;
+/**
+ * Default plugin export.
+ */
+export declare const plugin: KustodianPluginType;
+export default plugin;
+//# sourceMappingURL=plugin.d.ts.map

package/dist/plugin.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"plugin.d.ts","sourceRoot":"","sources":["../src/plugin.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAIV,mBAAmB,EAIpB,MAAM,oBAAoB,CAAC;AAO5B,OAAO,KAAK,EAAE,wBAAwB,EAAE,MAAM,YAAY,CAAC;AAY3D;;GAEG;AACH,wBAAgB,qBAAqB,CAAC,OAAO,GAAE,wBAA6B,GAAG,mBAAmB,CA0GjG;AAED;;GAEG;AACH,eAAO,MAAM,MAAM,qBAA0B,CAAC;AAE9C,eAAe,MAAM,CAAC"}

package/dist/resolver.d.ts

@@ -0,0 +1,12 @@
+import type { KustodianErrorType } from '@kustodian/core';
+import { type ResultType } from '@kustodian/core';
+import type { DopplerSubstitutionType } from '@kustodian/schema';
+import { type DopplerPluginOptionsType } from './types.js';
+/**
+ * Resolves Doppler substitutions to actual secret values.
+ * Groups by project/config to minimize API calls.
+ * Uses cluster-level defaults when project/config are not specified.
+ * Returns a map from substitution name to resolved value.
+ */
+export declare function resolve_doppler_substitutions(substitutions: DopplerSubstitutionType[], options?: DopplerPluginOptionsType): Promise<ResultType<Record<string, string>, KustodianErrorType>>;
+//# sourceMappingURL=resolver.d.ts.map

package/dist/resolver.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"resolver.d.ts","sourceRoot":"","sources":["../src/resolver.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAC;AAC1D,OAAO,EAAE,KAAK,UAAU,EAAoB,MAAM,iBAAiB,CAAC;AACpE,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,mBAAmB,CAAC;AAGjE,OAAO,EAEL,KAAK,wBAAwB,EAE9B,MAAM,YAAY,CAAC;AAEpB;;;;;GAKG;AACH,wBAAsB,6BAA6B,CACjD,aAAa,EAAE,uBAAuB,EAAE,EACxC,OAAO,GAAE,wBAA6B,GACrC,OAAO,CAAC,UAAU,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EAAE,kBAAkB,CAAC,CAAC,CA+FjE"}

package/dist/types.d.ts

@@ -0,0 +1,43 @@
+/**
+ * Cluster-level Doppler defaults.
+ */
+export interface DopplerClusterDefaultsType {
+    /** Default project name */
+    project?: string | undefined;
+    /** Default config name */
+    config?: string | undefined;
+}
+/**
+ * Options for the Doppler plugin.
+ */
+export interface DopplerPluginOptionsType {
+    /** Doppler service token (can also be set via DOPPLER_TOKEN env var) */
+    token?: string | undefined;
+    /** Timeout for CLI operations in milliseconds (default: 30000) */
+    timeout?: number | undefined;
+    /** Whether to fail on missing secrets (default: true) */
+    fail_on_missing?: boolean | undefined;
+    /** Cluster-level defaults for project/config */
+    cluster_defaults?: DopplerClusterDefaultsType | undefined;
+}
+/**
+ * Parsed Doppler secret reference.
+ */
+export interface DopplerRefType {
+    project: string;
+    config: string;
+    secret: string;
+}
+/**
+ * Cache key for Doppler project/config combination.
+ */
+export type DopplerCacheKeyType = `${string}/${string}`;
+/**
+ * Default timeout for Doppler CLI operations.
+ */
+export declare const DEFAULT_TIMEOUT = 30000;
+/**
+ * Creates a cache key for a Doppler project/config combination.
+ */
+export declare function create_cache_key(project: string, config: string): DopplerCacheKeyType;
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,MAAM,WAAW,0BAA0B;IACzC,2BAA2B;IAC3B,OAAO,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IAC7B,0BAA0B;IAC1B,MAAM,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;CAC7B;AAED;;GAEG;AACH,MAAM,WAAW,wBAAwB;IACvC,wEAAwE;IACxE,KAAK,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IAC3B,kEAAkE;IAClE,OAAO,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IAC7B,yDAAyD;IACzD,eAAe,CAAC,EAAE,OAAO,GAAG,SAAS,CAAC;IACtC,gDAAgD;IAChD,gBAAgB,CAAC,EAAE,0BAA0B,GAAG,SAAS,CAAC;CAC3D;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;CAChB;AAED;;GAEG;AACH,MAAM,MAAM,mBAAmB,GAAG,GAAG,MAAM,IAAI,MAAM,EAAE,CAAC;AAExD;;GAEG;AACH,eAAO,MAAM,eAAe,QAAQ,CAAC;AAErC;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,mBAAmB,CAErF"}

package/package.json

@@ -1,23 +1,25 @@
 {
   "name": "@kustodian/plugin-doppler",
-  "version": "1.1.0",
+  "version": "2.0.0",
   "description": "Doppler secret provider plugin for Kustodian",
   "type": "module",
-  "main": "./src/index.ts",
-  "types": "./src/index.ts",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
   "exports": {
     ".": {
-      "types": "./src/index.ts",
-      "import": "./src/index.ts"
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
     }
   },
   "files": [
-    "src"
+    "dist"
   ],
   "scripts": {
     "test": "bun test",
     "test:watch": "bun test --watch",
-    "typecheck": "bun run tsc --noEmit"
+    "typecheck": "bun run tsc --noEmit",
+    "build": "bun build src/index.ts --outdir dist --target node --format esm && tsc --emitDeclarationOnly --outDir dist",
+    "prepublishOnly": "bun run build"
   },
   "keywords": [
     "kustodian",
@@ -34,12 +36,13 @@
     "directory": "plugins/doppler"
   },
   "publishConfig": {
-    "registry": "https://npm.pkg.github.com"
+    "access": "public",
+    "registry": "https://registry.npmjs.org"
   },
   "dependencies": {
-    "@kustodian/core": "1.1.0",
-    "@kustodian/plugins": "1.0.1",
-    "@kustodian/schema": "1.3.0"
+    "@kustodian/core": "2.0.0",
+    "@kustodian/plugins": "2.0.0",
+    "@kustodian/schema": "2.0.0"
   },
   "devDependencies": {}
 }

package/src/executor.ts

@@ -1,238 +0,0 @@
-import { execFile } from 'node:child_process';
-import { promisify } from 'node:util';
-
-import { Errors, type ResultType, failure, success } from '@kustodian/core';
-import type { KustodianErrorType } from '@kustodian/core';
-
-import { DEFAULT_TIMEOUT, type DopplerPluginOptionsType } from './types.js';
-
-const exec_file_async = promisify(execFile);
-
-/**
- * Result of a command execution.
- */
-export interface CommandResultType {
-  stdout: string;
-  stderr: string;
-  exit_code: number;
-}
-
-/**
- * Options for command execution.
- */
-export interface ExecOptionsType {
-  cwd?: string | undefined;
-  timeout?: number | undefined;
-  env?: Record<string, string> | undefined;
-}
-
-/**
- * Executes a command and returns the result.
- * Uses execFile for security (no shell invocation).
- */
-export async function exec_command(
-  command: string,
-  args: string[] = [],
-  options: ExecOptionsType = {},
-): Promise<ResultType<CommandResultType, KustodianErrorType>> {
-  try {
-    const { stdout, stderr } = await exec_file_async(command, args, {
-      cwd: options.cwd,
-      timeout: options.timeout,
-      env: { ...process.env, ...options.env },
-    });
-
-    return success({
-      stdout,
-      stderr,
-      exit_code: 0,
-    });
-  } catch (error) {
-    if (is_exec_error(error)) {
-      return success({
-        stdout: error.stdout ?? '',
-        stderr: error.stderr ?? '',
-        exit_code: error.code ?? 1,
-      });
-    }
-
-    return failure(Errors.unknown(`Failed to execute command: ${command}`, error));
-  }
-}
-
-/**
- * Type guard for exec errors.
- */
-function is_exec_error(
-  error: unknown,
-): error is { stdout?: string; stderr?: string; code?: number } {
-  return (
-    typeof error === 'object' &&
-    error !== null &&
-    ('stdout' in error || 'stderr' in error || 'code' in error)
-  );
-}
-
-/**
- * Gets environment variables for Doppler CLI authentication.
- */
-function get_doppler_auth_env(options: DopplerPluginOptionsType): Record<string, string> {
-  const env: Record<string, string> = {};
-
-  const token = options.token ?? process.env['DOPPLER_TOKEN'];
-  if (token) {
-    env['DOPPLER_TOKEN'] = token;
-  }
-
-  return env;
-}
-
-/**
- * Checks if doppler CLI is available in the system PATH.
- */
-export async function check_doppler_available(): Promise<ResultType<string, KustodianErrorType>> {
-  const result = await exec_command('doppler', ['--version']);
-
-  if (!result.success) {
-    return result;
-  }
-
-  if (result.value.exit_code !== 0) {
-    return failure(Errors.secret_cli_not_found('Doppler', 'doppler'));
-  }
-
-  // Parse version from output (e.g., "v3.68.0")
-  const version = result.value.stdout.trim();
-  return success(version);
-}
-
-/**
- * Fetches all secrets for a project/config combination.
- * Returns a JSON object of all secrets.
- */
-export async function doppler_secrets_download(
-  project: string,
-  config: string,
-  options: DopplerPluginOptionsType = {},
-): Promise<ResultType<Record<string, string>, KustodianErrorType>> {
-  const timeout = options.timeout ?? DEFAULT_TIMEOUT;
-  const env = get_doppler_auth_env(options);
-
-  const result = await exec_command(
-    'doppler',
-    [
-      'secrets',
-      'download',
-      '--project',
-      project,
-      '--config',
-      config,
-      '--format',
-      'json',
-      '--no-file',
-    ],
-    {
-      timeout,
-      env,
-    },
-  );
-
-  if (!result.success) {
-    return result;
-  }
-
-  const { stdout, stderr, exit_code } = result.value;
-
-  if (exit_code !== 0) {
-    // Parse specific error types from stderr
-    const stderr_lower = stderr.toLowerCase();
-
-    if (
-      stderr_lower.includes('not found') ||
-      stderr_lower.includes("doesn't exist") ||
-      stderr_lower.includes('no project') ||
-      stderr_lower.includes('no config')
-    ) {
-      return failure(Errors.secret_not_found('Doppler', `${project}/${config}`));
-    }
-
-    if (
-      stderr_lower.includes('unauthorized') ||
-      stderr_lower.includes('authentication') ||
-      stderr_lower.includes('invalid token') ||
-      stderr_lower.includes('access denied')
-    ) {
-      return failure(Errors.secret_auth_error('Doppler', stderr));
-    }
-
-    if (stderr_lower.includes('timeout')) {
-      return failure(Errors.secret_timeout('Doppler', timeout));
-    }
-
-    return failure(Errors.unknown(`Doppler error: ${stderr}`));
-  }
-
-  try {
-    const secrets = JSON.parse(stdout) as Record<string, string>;
-    return success(secrets);
-  } catch (error) {
-    return failure(Errors.unknown('Failed to parse Doppler secrets output', error));
-  }
-}
-
-/**
- * Fetches a single secret value from Doppler.
- */
-export async function doppler_secret_get(
-  project: string,
-  config: string,
-  secret_name: string,
-  options: DopplerPluginOptionsType = {},
-): Promise<ResultType<string, KustodianErrorType>> {
-  const timeout = options.timeout ?? DEFAULT_TIMEOUT;
-  const env = get_doppler_auth_env(options);
-
-  const result = await exec_command(
-    'doppler',
-    ['secrets', 'get', secret_name, '--project', project, '--config', config, '--plain'],
-    {
-      timeout,
-      env,
-    },
-  );
-
-  if (!result.success) {
-    return result;
-  }
-
-  const { stdout, stderr, exit_code } = result.value;
-
-  if (exit_code !== 0) {
-    // Parse specific error types from stderr
-    const stderr_lower = stderr.toLowerCase();
-
-    if (
-      stderr_lower.includes('not found') ||
-      stderr_lower.includes("doesn't exist") ||
-      stderr_lower.includes('no secret')
-    ) {
-      return failure(Errors.secret_not_found('Doppler', `${project}/${config}/${secret_name}`));
-    }
-
-    if (
-      stderr_lower.includes('unauthorized') ||
-      stderr_lower.includes('authentication') ||
-      stderr_lower.includes('invalid token')
-    ) {
-      return failure(Errors.secret_auth_error('Doppler', stderr));
-    }
-
-    if (stderr_lower.includes('timeout')) {
-      return failure(Errors.secret_timeout('Doppler', timeout));
-    }
-
-    return failure(Errors.unknown(`Doppler error: ${stderr}`));
-  }
-
-  return success(stdout.trim());
-}

package/src/index.ts

@@ -1,25 +0,0 @@
-// Plugin exports
-export { create_doppler_plugin, plugin } from './plugin.js';
-export { plugin as default } from './plugin.js';
-
-// Executor exports
-export {
-  check_doppler_available,
-  exec_command,
-  doppler_secret_get,
-  doppler_secrets_download,
-  type CommandResultType,
-  type ExecOptionsType,
-} from './executor.js';
-
-// Resolver exports
-export { resolve_doppler_substitutions } from './resolver.js';
-
-// Types
-export {
-  create_cache_key,
-  DEFAULT_TIMEOUT,
-  type DopplerCacheKeyType,
-  type DopplerPluginOptionsType,
-  type DopplerRefType,
-} from './types.js';

package/src/plugin.ts

@@ -1,145 +0,0 @@
-import { success } from '@kustodian/core';
-import type {
-  CommandType,
-  HookContextType,
-  HookEventType,
-  KustodianPluginType,
-  PluginCommandContributionType,
-  PluginHookContributionType,
-  PluginManifestType,
-} from '@kustodian/plugins';
-
-import {
-  check_doppler_available,
-  doppler_secret_get,
-  doppler_secrets_download,
-} from './executor.js';
-import type { DopplerPluginOptionsType } from './types.js';
-
-/**
- * Doppler plugin manifest.
- */
-const manifest: PluginManifestType = {
-  name: '@kustodian/plugin-doppler',
-  version: '0.1.0',
-  description: 'Doppler secret provider for Kustodian',
-  capabilities: ['commands', 'hooks'],
-};
-
-/**
- * Creates the Doppler plugin.
- */
-export function create_doppler_plugin(options: DopplerPluginOptionsType = {}): KustodianPluginType {
-  return {
-    manifest,
-
-    async activate() {
-      // Verify CLI availability on activation (warning only)
-      const check_result = await check_doppler_available();
-      if (!check_result.success) {
-        console.warn('Doppler CLI not found - secret resolution may fail');
-      }
-      return success(undefined);
-    },
-
-    async deactivate() {
-      return success(undefined);
-    },
-
-    get_commands(): PluginCommandContributionType[] {
-      const doppler_command: CommandType = {
-        name: 'doppler',
-        description: 'Doppler secret management commands',
-        subcommands: [
-          {
-            name: 'check',
-            description: 'Check Doppler CLI availability and authentication',
-            handler: async () => {
-              const result = await check_doppler_available();
-              if (result.success) {
-                console.log(`Doppler CLI version: ${result.value}`);
-                return success(undefined);
-              }
-              console.error('Doppler CLI not available');
-              return result;
-            },
-          },
-          {
-            name: 'test',
-            description: 'Test reading a secret from Doppler',
-            arguments: [
-              { name: 'project', description: 'Doppler project', required: true },
-              { name: 'config', description: 'Doppler config', required: true },
-              { name: 'secret', description: 'Secret name', required: true },
-            ],
-            handler: async (ctx) => {
-              const [project, config, secret] = ctx.args;
-              if (!project || !config || !secret) {
-                console.error('Missing required arguments: project, config, secret');
-                return success(undefined);
-              }
-
-              const result = await doppler_secret_get(project, config, secret, options);
-              if (result.success) {
-                console.log('Secret retrieved successfully (value hidden)');
-                console.log(`Length: ${result.value.length} characters`);
-                return success(undefined);
-              }
-
-              console.error(`Failed to read secret: ${result.error.message}`);
-              return result;
-            },
-          },
-          {
-            name: 'list-secrets',
-            description: 'List available secrets in a Doppler config',
-            arguments: [
-              { name: 'project', description: 'Doppler project', required: true },
-              { name: 'config', description: 'Doppler config', required: true },
-            ],
-            handler: async (ctx) => {
-              const [project, config] = ctx.args;
-              if (!project || !config) {
-                console.error('Missing required arguments: project, config');
-                return success(undefined);
-              }
-
-              const result = await doppler_secrets_download(project, config, options);
-              if (result.success) {
-                console.log('Available secrets:');
-                for (const key of Object.keys(result.value)) {
-                  console.log(`  - ${key}`);
-                }
-                return success(undefined);
-              }
-
-              console.error(`Failed to list secrets: ${result.error.message}`);
-              return result;
-            },
-          },
-        ],
-      };
-      return [{ command: doppler_command }];
-    },
-
-    get_hooks(): PluginHookContributionType[] {
-      return [
-        {
-          event: 'generator:after_resolve',
-          priority: 50, // Run before default (100) to inject secrets early
-          handler: async (_event: HookEventType, ctx: HookContextType) => {
-            // Hook for secret injection will be implemented in generator integration
-            return success(ctx);
-          },
-        },
-      ];
-    },
-  };
-}
-
-/**
- * Default plugin export.
- */
-export const plugin = create_doppler_plugin();
-
-export default plugin;

package/src/resolver.ts

@@ -1,116 +0,0 @@
-import { type ResultType, failure, success } from '@kustodian/core';
-import type { KustodianErrorType } from '@kustodian/core';
-import type { DopplerSubstitutionType } from '@kustodian/schema';
-
-import { doppler_secrets_download } from './executor.js';
-import {
-  type DopplerCacheKeyType,
-  type DopplerPluginOptionsType,
-  create_cache_key,
-} from './types.js';
-
-/**
- * Resolves Doppler substitutions to actual secret values.
- * Groups by project/config to minimize API calls.
- * Uses cluster-level defaults when project/config are not specified.
- * Returns a map from substitution name to resolved value.
- */
-export async function resolve_doppler_substitutions(
-  substitutions: DopplerSubstitutionType[],
-  options: DopplerPluginOptionsType = {},
-): Promise<ResultType<Record<string, string>, KustodianErrorType>> {
-  if (substitutions.length === 0) {
-    return success({});
-  }
-
-  // Validate and apply cluster defaults
-  const resolved_subs: Array<DopplerSubstitutionType & { project: string; config: string }> = [];
-
-  for (const sub of substitutions) {
-    const project = sub.project ?? options.cluster_defaults?.project;
-    const config = sub.config ?? options.cluster_defaults?.config;
-
-    if (!project || !config) {
-      return failure({
-        code: 'MISSING_DOPPLER_CONFIG',
-        message: `Doppler substitution '${sub.name}' missing project/config and no cluster defaults configured`,
-      });
-    }
-
-    resolved_subs.push({
-      ...sub,
-      project,
-      config,
-    });
-  }
-
-  // Group substitutions by project/config to minimize API calls
-  const groups = new Map<DopplerCacheKeyType, typeof resolved_subs>();
-
-  for (const sub of resolved_subs) {
-    const key = create_cache_key(sub.project, sub.config);
-    const group = groups.get(key) ?? [];
-    group.push(sub);
-    groups.set(key, group);
-  }
-
-  // Cache for downloaded secrets per project/config
-  const secrets_cache = new Map<DopplerCacheKeyType, Record<string, string>>();
-
-  const results: Record<string, string> = {};
-
-  // Fetch secrets for each group
-  for (const [key, subs] of groups) {
-    // Get project and config from the first substitution in the group
-    const first = subs[0];
-    if (!first) {
-      continue;
-    }
-
-    // Check if we already have the secrets cached
-    let secrets = secrets_cache.get(key);
-
-    if (!secrets) {
-      const download_result = await doppler_secrets_download(first.project, first.config, options);
-
-      if (!download_result.success) {
-        // If we can't download secrets, try to use defaults
-        let all_have_defaults = true;
-        for (const sub of subs) {
-          if (sub.default !== undefined) {
-            results[sub.name] = sub.default;
-          } else if (options.fail_on_missing !== false) {
-            all_have_defaults = false;
-          }
-        }
-
-        if (!all_have_defaults) {
-          return failure(download_result.error);
-        }
-
-        continue;
-      }
-
-      secrets = download_result.value;
-      secrets_cache.set(key, secrets);
-    }
-
-    // Extract the requested secrets
-    for (const sub of subs) {
-      const value = secrets[sub.secret];
-
-      if (value !== undefined) {
-        results[sub.name] = value;
-      } else if (sub.default !== undefined) {
-        results[sub.name] = sub.default;
-      } else if (options.fail_on_missing !== false) {
-        return failure({
-          code: 'SECRET_NOT_FOUND',
-          message: `Secret not found in Doppler: ${sub.project}/${sub.config}/${sub.secret}`,
-        });
-      }
-    }
-  }
-
-  return success(results);
-}

package/src/types.ts

@@ -1,49 +0,0 @@
-/**
- * Cluster-level Doppler defaults.
- */
-export interface DopplerClusterDefaultsType {
-  /** Default project name */
-  project?: string | undefined;
-  /** Default config name */
-  config?: string | undefined;
-}
-
-/**
- * Options for the Doppler plugin.
- */
-export interface DopplerPluginOptionsType {
-  /** Doppler service token (can also be set via DOPPLER_TOKEN env var) */
-  token?: string | undefined;
-  /** Timeout for CLI operations in milliseconds (default: 30000) */
-  timeout?: number | undefined;
-  /** Whether to fail on missing secrets (default: true) */
-  fail_on_missing?: boolean | undefined;
-  /** Cluster-level defaults for project/config */
-  cluster_defaults?: DopplerClusterDefaultsType | undefined;
-}
-
-/**
- * Parsed Doppler secret reference.
- */
-export interface DopplerRefType {
-  project: string;
-  config: string;
-  secret: string;
-}
-
-/**
- * Cache key for Doppler project/config combination.
- */
-export type DopplerCacheKeyType = `${string}/${string}`;
-
-/**
- * Default timeout for Doppler CLI operations.
- */
-export const DEFAULT_TIMEOUT = 30000;
-
-/**
- * Creates a cache key for a Doppler project/config combination.
- */
-export function create_cache_key(project: string, config: string): DopplerCacheKeyType {
-  return `${project}/${config}`;
-}