@lssm/integration.runtime 0.0.0-canary-20251217083314 → 1.41.1
- package/dist/index.d.mts +267 -0
- package/dist/index.mjs +714 -0
- package/package.json +13 -13
- package/dist/health.d.ts +0 -21
- package/dist/health.js +0 -69
- package/dist/index.d.ts +0 -8
- package/dist/index.js +0 -9
- package/dist/runtime.d.ts +0 -99
- package/dist/runtime.js +0 -186
- package/dist/secrets/env-secret-provider.d.ts +0 -31
- package/dist/secrets/env-secret-provider.js +0 -81
- package/dist/secrets/gcp-secret-manager.d.ts +0 -32
- package/dist/secrets/gcp-secret-manager.js +0 -229
- package/dist/secrets/index.d.ts +0 -5
- package/dist/secrets/index.js +0 -6
- package/dist/secrets/manager.d.ts +0 -47
- package/dist/secrets/manager.js +0 -103
- package/dist/secrets/provider.d.ts +0 -52
- package/dist/secrets/provider.js +0 -58
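--- a/package/dist/index.d.mts
+++ b/package/dist/index.d.mts
@@ -0,0 +1,267 @@
+import { SecretManagerServiceClient, protos } from "@google-cloud/secret-manager";
+import { ResolvedAppConfig, ResolvedIntegration } from "@lssm/lib.contracts/app-config/runtime";
+import { ConnectionStatus, IntegrationConnection, IntegrationConnectionHealth } from "@lssm/lib.contracts/integrations/connection";
+import { IntegrationSpec } from "@lssm/lib.contracts/integrations/spec";
+import { CallOptions } from "google-gax";
+
+//#region src/secrets/provider.d.ts
+type SecretReference = string;
+interface SecretValue {
+data: Uint8Array;
+version?: string;
+metadata?: Record<string, string>;
+retrievedAt: Date;
+}
+interface SecretFetchOptions {
+version?: string;
+}
+type SecretPayloadEncoding = 'utf-8' | 'base64' | 'binary';
+interface SecretWritePayload {
+data: string | Uint8Array;
+encoding?: SecretPayloadEncoding;
+contentType?: string;
+labels?: Record<string, string>;
+}
+interface SecretRotationResult {
+reference: SecretReference;
+version: string;
+}
+interface SecretProvider {
+readonly id: string;
+canHandle(reference: SecretReference): boolean;
+getSecret(reference: SecretReference, options?: SecretFetchOptions): Promise<SecretValue>;
+setSecret(reference: SecretReference, payload: SecretWritePayload): Promise<SecretRotationResult>;
+rotateSecret(reference: SecretReference, payload: SecretWritePayload): Promise<SecretRotationResult>;
+deleteSecret(reference: SecretReference): Promise<void>;
+}
+interface ParsedSecretUri {
+provider: string;
+path: string;
+extras?: Record<string, string>;
+}
+declare class SecretProviderError extends Error {
+readonly provider: string;
+readonly reference: SecretReference;
+readonly code: 'NOT_FOUND' | 'FORBIDDEN' | 'INVALID' | 'UNKNOWN';
+readonly cause?: unknown;
+constructor(params: {
+message: string;
+provider: string;
+reference: SecretReference;
+code?: SecretProviderError['code'];
+cause?: unknown;
+});
+}
+declare function parseSecretUri(reference: SecretReference): ParsedSecretUri;
+declare function normalizeSecretPayload(payload: SecretWritePayload): Uint8Array;
+//#endregion
+//#region src/runtime.d.ts
+interface IntegrationTraceMetadata {
+blueprintName: string;
+blueprintVersion: number;
+configVersion: number;
+}
+interface IntegrationTelemetryEvent {
+tenantId: string;
+appId: string;
+environment?: string;
+slotId?: string;
+integrationKey: string;
+integrationVersion: number;
+connectionId: string;
+status: 'success' | 'error';
+durationMs?: number;
+errorCode?: string;
+errorMessage?: string;
+occurredAt: Date;
+metadata?: Record<string, string | number | boolean>;
+}
+interface IntegrationTelemetryEmitter {
+record(event: IntegrationTelemetryEvent): Promise<void> | void;
+}
+type IntegrationInvocationStatus = 'success' | 'error';
+interface IntegrationContext {
+tenantId: string;
+appId: string;
+environment?: string;
+slotId?: string;
+spec: IntegrationSpec;
+connection: IntegrationConnection;
+secretProvider: SecretProvider;
+secretReference: string;
+trace: IntegrationTraceMetadata;
+config?: Record<string, unknown>;
+}
+interface IntegrationCallContext {
+tenantId: string;
+appId: string;
+environment?: string;
+blueprintName: string;
+blueprintVersion: number;
+configVersion: number;
+slotId: string;
+operation: string;
+}
+interface IntegrationCallError {
+code: string;
+message: string;
+retryable: boolean;
+cause?: unknown;
+}
+interface IntegrationCallResult<T> {
+success: boolean;
+data?: T;
+error?: IntegrationCallError;
+metadata: {
+latencyMs: number;
+connectionId: string;
+ownershipMode: IntegrationConnection['ownershipMode'];
+attempts: number;
+};
+}
+interface IntegrationCallGuardOptions {
+telemetry?: IntegrationTelemetryEmitter;
+maxAttempts?: number;
+backoffMs?: number;
+shouldRetry?: (error: unknown, attempt: number) => boolean;
+sleep?: (ms: number) => Promise<void>;
+now?: () => Date;
+}
+declare class IntegrationCallGuard {
+private readonly secretProvider;
+private readonly telemetry?;
+private readonly maxAttempts;
+private readonly backoffMs;
+private readonly shouldRetry;
+private readonly sleep;
+private readonly now;
+constructor(secretProvider: SecretProvider, options?: IntegrationCallGuardOptions);
+executeWithGuards<T>(slotId: string, operation: string, _input: unknown, resolvedConfig: ResolvedAppConfig, executor: (connection: IntegrationConnection, secrets: Record<string, string>) => Promise<T>): Promise<IntegrationCallResult<T>>;
+private findIntegration;
+private fetchSecrets;
+private parseSecret;
+private emitTelemetry;
+private failure;
+private makeContext;
+private errorCodeFor;
+}
+declare function ensureConnectionReady(integration: ResolvedIntegration): void;
+declare function connectionStatusLabel(status: ConnectionStatus): string;
+//#endregion
+//#region src/health.d.ts
+interface IntegrationHealthCheckResult extends IntegrationConnectionHealth {
+metadata?: Record<string, string>;
+}
+type IntegrationHealthCheckExecutor = (context: IntegrationContext) => Promise<void>;
+interface IntegrationHealthServiceOptions {
+telemetry?: IntegrationTelemetryEmitter;
+now?: () => Date;
+}
+declare class IntegrationHealthService {
+private readonly telemetry?;
+private readonly nowFn;
+constructor(options?: IntegrationHealthServiceOptions);
+check(context: IntegrationContext, executor: IntegrationHealthCheckExecutor): Promise<IntegrationHealthCheckResult>;
+private emitTelemetry;
+}
+//#endregion
+//#region src/secrets/gcp-secret-manager.d.ts
+type SecretManagerClient = SecretManagerServiceClient;
+interface GcpSecretManagerProviderOptions {
+projectId?: string;
+client?: SecretManagerClient;
+clientOptions?: ConstructorParameters<typeof SecretManagerServiceClient>[0];
+defaultReplication?: protos.google.cloud.secretmanager.v1.IReplication;
+}
+declare class GcpSecretManagerProvider implements SecretProvider {
+readonly id = "gcp-secret-manager";
+private readonly client;
+private readonly explicitProjectId?;
+private readonly replication;
+constructor(options?: GcpSecretManagerProviderOptions);
+canHandle(reference: SecretReference): boolean;
+getSecret(reference: SecretReference, options?: {
+version?: string;
+}, callOptions?: CallOptions): Promise<SecretValue>;
+setSecret(reference: SecretReference, payload: SecretWritePayload): Promise<SecretRotationResult>;
+rotateSecret(reference: SecretReference, payload: SecretWritePayload): Promise<SecretRotationResult>;
+deleteSecret(reference: SecretReference): Promise<void>;
+private parseReference;
+private buildNames;
+private buildVersionName;
+private ensureSecretExists;
+}
+//#endregion
+//#region src/secrets/env-secret-provider.d.ts
+interface EnvSecretProviderOptions {
+/**
+* Optional map to alias secret references to environment variable names.
+* Useful when referencing secrets from other providers (e.g. gcp://...)
+* while still allowing local overrides.
+*/
+aliases?: Record<string, string>;
+}
+/**
+* Environment-variable backed secret provider. Read-only by design.
+* Allows overriding other secret providers by deriving environment variable
+* names from secret references (or by using explicit aliases).
+*/
+declare class EnvSecretProvider implements SecretProvider {
+readonly id = "env";
+private readonly aliases;
+constructor(options?: EnvSecretProviderOptions);
+canHandle(reference: SecretReference): boolean;
+getSecret(reference: SecretReference): Promise<SecretValue>;
+setSecret(reference: SecretReference, _payload: SecretWritePayload): Promise<SecretRotationResult>;
+rotateSecret(reference: SecretReference, _payload: SecretWritePayload): Promise<SecretRotationResult>;
+deleteSecret(reference: SecretReference): Promise<void>;
+private resolveEnvKey;
+private deriveEnvKey;
+private forbiddenError;
+}
+//#endregion
+//#region src/secrets/manager.d.ts
+interface RegisterOptions {
+/**
+* Larger priority values are attempted first. Defaults to 0.
+*/
+priority?: number;
+}
+interface SecretProviderManagerOptions {
+/**
+* Override manager identifier. Defaults to "secret-provider-manager".
+*/
+id?: string;
+/**
+* Providers to pre-register. They are registered in array order with
+* descending priority (first entry wins ties).
+*/
+providers?: {
+provider: SecretProvider;
+priority?: number;
+}[];
+}
+/**
+* Composite secret provider that delegates to registered providers.
+* Providers are attempted in order of descending priority, respecting the
+* registration order for ties. This enables privileged overrides (e.g.
+* environment variables) while still supporting durable backends like GCP
+* Secret Manager.
+*/
+declare class SecretProviderManager implements SecretProvider {
+readonly id: string;
+private readonly providers;
+private registrationCounter;
+constructor(options?: SecretProviderManagerOptions);
+register(provider: SecretProvider, options?: RegisterOptions): this;
+canHandle(reference: SecretReference): boolean;
+getSecret(reference: SecretReference, options?: SecretFetchOptions$1): Promise<SecretValue>;
+setSecret(reference: SecretReference, payload: SecretWritePayload): Promise<SecretRotationResult>;
+rotateSecret(reference: SecretReference, payload: SecretWritePayload): Promise<SecretRotationResult>;
+deleteSecret(reference: SecretReference): Promise<void>;
+private delegateToFirst;
+private composeError;
+}
+type SecretFetchOptions$1 = Parameters<SecretProvider['getSecret']>[1];
+//#endregion
+export { EnvSecretProvider, GcpSecretManagerProvider, IntegrationCallContext, IntegrationCallError, IntegrationCallGuard, IntegrationCallGuardOptions, IntegrationCallResult, IntegrationContext, IntegrationHealthCheckExecutor, IntegrationHealthCheckResult, IntegrationHealthService, IntegrationHealthServiceOptions, IntegrationInvocationStatus, IntegrationTelemetryEmitter, IntegrationTelemetryEvent, IntegrationTraceMetadata, ParsedSecretUri, SecretFetchOptions, SecretPayloadEncoding, SecretProvider, SecretProviderError, SecretProviderManager, SecretProviderManagerOptions, SecretReference, SecretRotationResult, SecretValue, SecretWritePayload, connectionStatusLabel, ensureConnectionReady, normalizeSecretPayload, parseSecretUri };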
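Review bot: The doc comments on `SecretProviderManager` and `EnvSecretProvider` present environment variables as a "privileged override" for other providers, but never state the trust assumption behind it: with the env provider registered at a higher priority, the process environment decides the value an integration receives for a reference such as `gcp://...`. The declarations alone do not show whether `delegateToFirst` falls through on `NOT_FOUND` or whether the serving provider is recorded anywhere, so this reading rests on the comments only. I would extend the class comment in the `src/secrets/manager` region with `* Security: a higher-priority provider shadows every reference its canHandle() accepts; register EnvSecretProvider only where the process environment is trusted.` and add a matching sentence on `EnvSecretProviderOptions.aliases`. This file is bundled declaration output, so the wording belongs in the sources it is generated from.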