@lssm/integration.runtime 0.0.0-canary-20251217083314 → 1.41.0

package/dist/secrets/gcp-secret-manager.js

@@ -1,229 +0,0 @@
-import { SecretProviderError, normalizeSecretPayload, parseSecretUri } from "./provider.js";
-import { SecretManagerServiceClient, protos } from "@google-cloud/secret-manager";
-
-//#region src/secrets/gcp-secret-manager.ts
-const DEFAULT_REPLICATION = { automatic: {} };
-var GcpSecretManagerProvider = class {
-	id = "gcp-secret-manager";
-	client;
-	explicitProjectId;
-	replication;
-	constructor(options = {}) {
-		this.client = options.client ?? new SecretManagerServiceClient(options.clientOptions ?? {});
-		this.explicitProjectId = options.projectId;
-		this.replication = options.defaultReplication ?? DEFAULT_REPLICATION;
-	}
-	canHandle(reference) {
-		try {
-			return parseSecretUri(reference).provider === "gcp";
-		} catch {
-			return false;
-		}
-	}
-	async getSecret(reference, options, callOptions) {
-		const location = this.parseReference(reference);
-		const secretVersionName = this.buildVersionName(location, options?.version);
-		try {
-			const [result] = await this.client.accessSecretVersion({ name: secretVersionName }, callOptions ?? {});
-			const payload = result.payload;
-			if (!payload?.data) throw new SecretProviderError({
-				message: `Secret payload empty for ${secretVersionName}`,
-				provider: this.id,
-				reference,
-				code: "UNKNOWN"
-			});
-			const version = extractVersionFromName(result.name ?? secretVersionName);
-			return {
-				data: payload.data,
-				version,
-				metadata: payload.dataCrc32c ? { crc32c: payload.dataCrc32c.toString() } : void 0,
-				retrievedAt: /* @__PURE__ */ new Date()
-			};
-		} catch (error) {
-			throw toSecretProviderError({
-				error,
-				provider: this.id,
-				reference,
-				operation: "access"
-			});
-		}
-	}
-	async setSecret(reference, payload) {
-		const location = this.parseReference(reference);
-		const { secretName } = this.buildNames(location);
-		const data = normalizeSecretPayload(payload);
-		await this.ensureSecretExists(location, payload);
-		try {
-			const response = await this.client.addSecretVersion({
-				parent: secretName,
-				payload: { data }
-			});
-			if (!response) throw new SecretProviderError({
-				message: `No version returned when adding secret version for ${secretName}`,
-				provider: this.id,
-				reference,
-				code: "UNKNOWN"
-			});
-			const [version] = response;
-			const versionName = version?.name ?? `${secretName}/versions/latest`;
-			return {
-				reference: `gcp://${versionName}`,
-				version: extractVersionFromName(versionName) ?? "latest"
-			};
-		} catch (error) {
-			throw toSecretProviderError({
-				error,
-				provider: this.id,
-				reference,
-				operation: "addSecretVersion"
-			});
-		}
-	}
-	async rotateSecret(reference, payload) {
-		return this.setSecret(reference, payload);
-	}
-	async deleteSecret(reference) {
-		const location = this.parseReference(reference);
-		const { secretName } = this.buildNames(location);
-		try {
-			await this.client.deleteSecret({ name: secretName });
-		} catch (error) {
-			throw toSecretProviderError({
-				error,
-				provider: this.id,
-				reference,
-				operation: "delete"
-			});
-		}
-	}
-	parseReference(reference) {
-		const parsed = parseSecretUri(reference);
-		if (parsed.provider !== "gcp") throw new SecretProviderError({
-			message: `Unsupported secret provider: ${parsed.provider}`,
-			provider: this.id,
-			reference,
-			code: "INVALID"
-		});
-		const segments = parsed.path.split("/").filter(Boolean);
-		if (segments.length < 4 || segments[0] !== "projects") throw new SecretProviderError({
-			message: `Expected secret reference format gcp://projects/{project}/secrets/{secret}[(/versions/{version})] but received "${parsed.path}"`,
-			provider: this.id,
-			reference,
-			code: "INVALID"
-		});
-		const projectIdCandidate = segments[1] ?? this.explicitProjectId;
-		if (!projectIdCandidate) throw new SecretProviderError({
-			message: `Unable to resolve project or secret from reference "${parsed.path}"`,
-			provider: this.id,
-			reference,
-			code: "INVALID"
-		});
-		const indexOfSecrets = segments.indexOf("secrets");
-		if (indexOfSecrets === -1 || indexOfSecrets + 1 >= segments.length) throw new SecretProviderError({
-			message: `Unable to resolve project or secret from reference "${parsed.path}"`,
-			provider: this.id,
-			reference,
-			code: "INVALID"
-		});
-		const resolvedProjectId = projectIdCandidate;
-		const secretIdCandidate = segments[indexOfSecrets + 1];
-		if (!secretIdCandidate) throw new SecretProviderError({
-			message: `Unable to resolve secret ID from reference "${parsed.path}"`,
-			provider: this.id,
-			reference,
-			code: "INVALID"
-		});
-		const secretId = secretIdCandidate;
-		const indexOfVersions = segments.indexOf("versions");
-		return {
-			projectId: resolvedProjectId,
-			secretId,
-			version: parsed.extras?.version ?? (indexOfVersions !== -1 && indexOfVersions + 1 < segments.length ? segments[indexOfVersions + 1] : void 0)
-		};
-	}
-	buildNames(location) {
-		const projectId = location.projectId ?? this.explicitProjectId;
-		if (!projectId) throw new SecretProviderError({
-			message: "Project ID must be provided either in reference or provider configuration",
-			provider: this.id,
-			reference: `gcp://projects//secrets/${location.secretId}`,
-			code: "INVALID"
-		});
-		const projectParent = `projects/${projectId}`;
-		return {
-			projectParent,
-			secretName: `${projectParent}/secrets/${location.secretId}`
-		};
-	}
-	buildVersionName(location, explicitVersion) {
-		const { secretName } = this.buildNames(location);
-		return `${secretName}/versions/${explicitVersion ?? location.version ?? "latest"}`;
-	}
-	async ensureSecretExists(location, payload) {
-		const { secretName, projectParent } = this.buildNames(location);
-		try {
-			await this.client.getSecret({ name: secretName });
-		} catch (error) {
-			const providerError = toSecretProviderError({
-				error,
-				provider: this.id,
-				reference: `gcp://${secretName}`,
-				operation: "getSecret",
-				suppressThrow: true
-			});
-			if (!providerError || providerError.code !== "NOT_FOUND") {
-				if (providerError) throw providerError;
-				throw error;
-			}
-			try {
-				await this.client.createSecret({
-					parent: projectParent,
-					secretId: location.secretId,
-					secret: {
-						replication: this.replication,
-						labels: payload.labels
-					}
-				});
-			} catch (creationError) {
-				throw toSecretProviderError({
-					error: creationError,
-					provider: this.id,
-					reference: `gcp://${secretName}`,
-					operation: "createSecret"
-				});
-			}
-		}
-	}
-};
-function extractVersionFromName(name) {
-	const segments = name.split("/").filter(Boolean);
-	const index = segments.indexOf("versions");
-	if (index === -1 || index + 1 >= segments.length) return;
-	return segments[index + 1];
-}
-function toSecretProviderError(params) {
-	const { error, provider, reference, operation, suppressThrow } = params;
-	if (error instanceof SecretProviderError) return error;
-	const code = deriveErrorCode(error);
-	const providerError = new SecretProviderError({
-		message: error instanceof Error ? error.message : `Unknown error during ${operation}`,
-		provider,
-		reference,
-		code,
-		cause: error
-	});
-	if (suppressThrow) return providerError;
-	throw providerError;
-}
-function deriveErrorCode(error) {
-	if (typeof error !== "object" || error === null) return "UNKNOWN";
-	const code = error.code;
-	if (code === 5 || code === "NOT_FOUND") return "NOT_FOUND";
-	if (code === 6 || code === "ALREADY_EXISTS") return "INVALID";
-	if (code === 7 || code === "PERMISSION_DENIED" || code === 403) return "FORBIDDEN";
-	if (code === 3 || code === "INVALID_ARGUMENT") return "INVALID";
-	return "UNKNOWN";
-}
-
-//#endregion
-export { GcpSecretManagerProvider };

package/dist/secrets/index.d.ts

@@ -1,5 +0,0 @@
-import { ParsedSecretUri, SecretFetchOptions, SecretPayloadEncoding, SecretProvider, SecretProviderError, SecretReference, SecretRotationResult, SecretValue, SecretWritePayload, normalizeSecretPayload, parseSecretUri } from "./provider.js";
-import { GcpSecretManagerProvider } from "./gcp-secret-manager.js";
-import { EnvSecretProvider } from "./env-secret-provider.js";
-import { SecretProviderManager, SecretProviderManagerOptions } from "./manager.js";
-export { EnvSecretProvider, GcpSecretManagerProvider, ParsedSecretUri, SecretFetchOptions, SecretPayloadEncoding, SecretProvider, SecretProviderError, SecretProviderManager, SecretProviderManagerOptions, SecretReference, SecretRotationResult, SecretValue, SecretWritePayload, normalizeSecretPayload, parseSecretUri };

package/dist/secrets/index.js

@@ -1,6 +0,0 @@
-import { SecretProviderError, normalizeSecretPayload, parseSecretUri } from "./provider.js";
-import { GcpSecretManagerProvider } from "./gcp-secret-manager.js";
-import { EnvSecretProvider } from "./env-secret-provider.js";
-import { SecretProviderManager } from "./manager.js";
-
-export { EnvSecretProvider, GcpSecretManagerProvider, SecretProviderError, SecretProviderManager, normalizeSecretPayload, parseSecretUri };

package/dist/secrets/manager.d.ts

@@ -1,47 +0,0 @@
-import { SecretProvider, SecretReference, SecretRotationResult, SecretValue, SecretWritePayload } from "./provider.js";
-
-//#region src/secrets/manager.d.ts
-interface RegisterOptions {
-  /**
-   * Larger priority values are attempted first. Defaults to 0.
-   */
-  priority?: number;
-}
-interface SecretProviderManagerOptions {
-  /**
-   * Override manager identifier. Defaults to "secret-provider-manager".
-   */
-  id?: string;
-  /**
-   * Providers to pre-register. They are registered in array order with
-   * descending priority (first entry wins ties).
-   */
-  providers?: {
-    provider: SecretProvider;
-    priority?: number;
-  }[];
-}
-/**
- * Composite secret provider that delegates to registered providers.
- * Providers are attempted in order of descending priority, respecting the
- * registration order for ties. This enables privileged overrides (e.g.
- * environment variables) while still supporting durable backends like GCP
- * Secret Manager.
- */
-declare class SecretProviderManager implements SecretProvider {
-  readonly id: string;
-  private readonly providers;
-  private registrationCounter;
-  constructor(options?: SecretProviderManagerOptions);
-  register(provider: SecretProvider, options?: RegisterOptions): this;
-  canHandle(reference: SecretReference): boolean;
-  getSecret(reference: SecretReference, options?: SecretFetchOptions): Promise<SecretValue>;
-  setSecret(reference: SecretReference, payload: SecretWritePayload): Promise<SecretRotationResult>;
-  rotateSecret(reference: SecretReference, payload: SecretWritePayload): Promise<SecretRotationResult>;
-  deleteSecret(reference: SecretReference): Promise<void>;
-  private delegateToFirst;
-  private composeError;
-}
-type SecretFetchOptions = Parameters<SecretProvider['getSecret']>[1];
-//#endregion
-export { SecretProviderManager, SecretProviderManagerOptions };

package/dist/secrets/manager.js

@@ -1,103 +0,0 @@
-import { SecretProviderError } from "./provider.js";
-
-//#region src/secrets/manager.ts
-/**
-* Composite secret provider that delegates to registered providers.
-* Providers are attempted in order of descending priority, respecting the
-* registration order for ties. This enables privileged overrides (e.g.
-* environment variables) while still supporting durable backends like GCP
-* Secret Manager.
-*/
-var SecretProviderManager = class {
-	id;
-	providers = [];
-	registrationCounter = 0;
-	constructor(options = {}) {
-		this.id = options.id ?? "secret-provider-manager";
-		const initialProviders = options.providers ?? [];
-		for (const entry of initialProviders) this.register(entry.provider, { priority: entry.priority });
-	}
-	register(provider, options = {}) {
-		this.providers.push({
-			provider,
-			priority: options.priority ?? 0,
-			order: this.registrationCounter++
-		});
-		this.providers.sort((a, b) => {
-			if (a.priority !== b.priority) return b.priority - a.priority;
-			return a.order - b.order;
-		});
-		return this;
-	}
-	canHandle(reference) {
-		return this.providers.some(({ provider }) => safeCanHandle(provider, reference));
-	}
-	async getSecret(reference, options) {
-		const errors = [];
-		for (const { provider } of this.providers) {
-			if (!safeCanHandle(provider, reference)) continue;
-			try {
-				return await provider.getSecret(reference, options);
-			} catch (error) {
-				if (error instanceof SecretProviderError) {
-					errors.push(error);
-					if (error.code !== "NOT_FOUND") break;
-					continue;
-				}
-				throw error;
-			}
-		}
-		throw this.composeError("getSecret", reference, errors, options?.version);
-	}
-	async setSecret(reference, payload) {
-		return this.delegateToFirst("setSecret", reference, (provider) => provider.setSecret(reference, payload));
-	}
-	async rotateSecret(reference, payload) {
-		return this.delegateToFirst("rotateSecret", reference, (provider) => provider.rotateSecret(reference, payload));
-	}
-	async deleteSecret(reference) {
-		await this.delegateToFirst("deleteSecret", reference, (provider) => provider.deleteSecret(reference));
-	}
-	async delegateToFirst(operation, reference, invoker) {
-		const errors = [];
-		for (const { provider } of this.providers) {
-			if (!safeCanHandle(provider, reference)) continue;
-			try {
-				return await invoker(provider);
-			} catch (error) {
-				if (error instanceof SecretProviderError) {
-					errors.push(error);
-					continue;
-				}
-				throw error;
-			}
-		}
-		throw this.composeError(operation, reference, errors);
-	}
-	composeError(operation, reference, errors, version) {
-		if (errors.length === 1) {
-			const [singleError] = errors;
-			if (singleError) return singleError;
-		}
-		const messageParts = [`No registered secret provider could ${operation}`, `reference "${reference}"`];
-		if (version) messageParts.push(`(version: ${version})`);
-		if (errors.length > 1) messageParts.push(`Attempts: ${errors.map((error) => `${error.provider}:${error.code}`).join(", ")}`);
-		return new SecretProviderError({
-			message: messageParts.join(" "),
-			provider: this.id,
-			reference,
-			code: errors.length > 0 ? errors[errors.length - 1].code : "UNKNOWN",
-			cause: errors
-		});
-	}
-};
-function safeCanHandle(provider, reference) {
-	try {
-		return provider.canHandle(reference);
-	} catch {
-		return false;
-	}
-}
-
-//#endregion
-export { SecretProviderManager };

package/dist/secrets/provider.d.ts

@@ -1,52 +0,0 @@
-//#region src/secrets/provider.d.ts
-type SecretReference = string;
-interface SecretValue {
-  data: Uint8Array;
-  version?: string;
-  metadata?: Record<string, string>;
-  retrievedAt: Date;
-}
-interface SecretFetchOptions {
-  version?: string;
-}
-type SecretPayloadEncoding = 'utf-8' | 'base64' | 'binary';
-interface SecretWritePayload {
-  data: string | Uint8Array;
-  encoding?: SecretPayloadEncoding;
-  contentType?: string;
-  labels?: Record<string, string>;
-}
-interface SecretRotationResult {
-  reference: SecretReference;
-  version: string;
-}
-interface SecretProvider {
-  readonly id: string;
-  canHandle(reference: SecretReference): boolean;
-  getSecret(reference: SecretReference, options?: SecretFetchOptions): Promise<SecretValue>;
-  setSecret(reference: SecretReference, payload: SecretWritePayload): Promise<SecretRotationResult>;
-  rotateSecret(reference: SecretReference, payload: SecretWritePayload): Promise<SecretRotationResult>;
-  deleteSecret(reference: SecretReference): Promise<void>;
-}
-interface ParsedSecretUri {
-  provider: string;
-  path: string;
-  extras?: Record<string, string>;
-}
-declare class SecretProviderError extends Error {
-  readonly provider: string;
-  readonly reference: SecretReference;
-  readonly code: 'NOT_FOUND' | 'FORBIDDEN' | 'INVALID' | 'UNKNOWN';
-  readonly cause?: unknown;
-  constructor(params: {
-    message: string;
-    provider: string;
-    reference: SecretReference;
-    code?: SecretProviderError['code'];
-    cause?: unknown;
-  });
-}
-declare function parseSecretUri(reference: SecretReference): ParsedSecretUri;
-declare function normalizeSecretPayload(payload: SecretWritePayload): Uint8Array;
-//#endregion
-export { ParsedSecretUri, SecretFetchOptions, SecretPayloadEncoding, SecretProvider, SecretProviderError, SecretReference, SecretRotationResult, SecretValue, SecretWritePayload, normalizeSecretPayload, parseSecretUri };

package/dist/secrets/provider.js

@@ -1,58 +0,0 @@
-import { Buffer } from "node:buffer";
-
-//#region src/secrets/provider.ts
-var SecretProviderError = class extends Error {
-	provider;
-	reference;
-	code;
-	cause;
-	constructor(params) {
-		super(params.message);
-		this.name = "SecretProviderError";
-		this.provider = params.provider;
-		this.reference = params.reference;
-		this.code = params.code ?? "UNKNOWN";
-		this.cause = params.cause;
-	}
-};
-function parseSecretUri(reference) {
-	if (!reference) throw new SecretProviderError({
-		message: "Secret reference cannot be empty",
-		provider: "unknown",
-		reference,
-		code: "INVALID"
-	});
-	const [scheme, rest] = reference.split("://");
-	if (!scheme || !rest) throw new SecretProviderError({
-		message: `Invalid secret reference: ${reference}`,
-		provider: "unknown",
-		reference,
-		code: "INVALID"
-	});
-	const queryIndex = rest.indexOf("?");
-	if (queryIndex === -1) return {
-		provider: scheme,
-		path: rest
-	};
-	const path = rest.slice(0, queryIndex);
-	const query = rest.slice(queryIndex + 1);
-	return {
-		provider: scheme,
-		path,
-		extras: Object.fromEntries(query.split("&").filter(Boolean).map((pair) => {
-			const [keyRaw, valueRaw] = pair.split("=");
-			const key = keyRaw ?? "";
-			const value = valueRaw ?? "";
-			return [decodeURIComponent(key), decodeURIComponent(value)];
-		}))
-	};
-}
-function normalizeSecretPayload(payload) {
-	if (payload.data instanceof Uint8Array) return payload.data;
-	if (payload.encoding === "base64") return Buffer.from(payload.data, "base64");
-	if (payload.encoding === "binary") return Buffer.from(payload.data, "binary");
-	return Buffer.from(payload.data, "utf-8");
-}
-
-//#endregion
-export { SecretProviderError, normalizeSecretPayload, parseSecretUri };