npm - @lssm/integration.runtime - Versions diffs - 1.41.1 → 1.42.1 - Mend

@lssm/integration.runtime 1.41.1 → 1.42.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (33) hide show

package/LICENSE +21 -0
package/README.md +4 -1
package/dist/health.d.ts +22 -0
package/dist/health.d.ts.map +1 -0
package/dist/health.js +70 -0
package/dist/health.js.map +1 -0
package/dist/index.d.ts +8 -0
package/dist/index.js +9 -0
package/dist/runtime.d.ts +100 -0
package/dist/runtime.d.ts.map +1 -0
package/dist/runtime.js +187 -0
package/dist/runtime.js.map +1 -0
package/dist/secrets/env-secret-provider.d.ts +32 -0
package/dist/secrets/env-secret-provider.d.ts.map +1 -0
package/dist/secrets/env-secret-provider.js +82 -0
package/dist/secrets/env-secret-provider.js.map +1 -0
package/dist/secrets/gcp-secret-manager.d.ts +33 -0
package/dist/secrets/gcp-secret-manager.d.ts.map +1 -0
package/dist/secrets/gcp-secret-manager.js +230 -0
package/dist/secrets/gcp-secret-manager.js.map +1 -0
package/dist/secrets/index.d.ts +5 -0
package/dist/secrets/index.js +6 -0
package/dist/secrets/manager.d.ts +48 -0
package/dist/secrets/manager.d.ts.map +1 -0
package/dist/secrets/manager.js +104 -0
package/dist/secrets/manager.js.map +1 -0
package/dist/secrets/provider.d.ts +53 -0
package/dist/secrets/provider.d.ts.map +1 -0
package/dist/secrets/provider.js +59 -0
package/dist/secrets/provider.js.map +1 -0
package/package.json +23 -16
package/dist/index.d.mts +0 -267
package/dist/index.mjs +0 -714

package/LICENSE ADDED Viewed

@@ -0,0 +1,21 @@
+MIT License
+Copyright (c) 2025 Chaman Ventures, SASU
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md CHANGED Viewed

@@ -1,4 +1,7 @@
-# `@lssm/integration.runtime`
+# @lssm/integration.runtime
+Website: https://contractspec.lssm.tech/
 Runtime layer for ContractSpec integrations (secret providers, call guards, health checks).

package/dist/health.d.ts ADDED Viewed

@@ -0,0 +1,22 @@
+import { IntegrationContext, IntegrationTelemetryEmitter } from "./runtime.js";
+import { IntegrationConnectionHealth } from "@lssm/lib.contracts/integrations/connection";
+//#region src/health.d.ts
+interface IntegrationHealthCheckResult extends IntegrationConnectionHealth {
+  metadata?: Record<string, string>;
+}
+type IntegrationHealthCheckExecutor = (context: IntegrationContext) => Promise<void>;
+interface IntegrationHealthServiceOptions {
+  telemetry?: IntegrationTelemetryEmitter;
+  now?: () => Date;
+}
+declare class IntegrationHealthService {
+  private readonly telemetry?;
+  private readonly nowFn;
+  constructor(options?: IntegrationHealthServiceOptions);
+  check(context: IntegrationContext, executor: IntegrationHealthCheckExecutor): Promise<IntegrationHealthCheckResult>;
+  private emitTelemetry;
+}
+//#endregion
+export { IntegrationHealthCheckExecutor, IntegrationHealthCheckResult, IntegrationHealthService, IntegrationHealthServiceOptions };
+//# sourceMappingURL=health.d.ts.map

package/dist/health.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"health.d.ts","names":[],"sources":["../src/health.ts"],"sourcesContent":[],"mappings":";;;;UAQiB,4BAAA,SAAqC;aACzC;AADb;AAIY,KAAA,8BAAA,GAA8B,CAAA,OAC/B,EAAA,kBACN,EAAA,GAAA,OAAO,CAAA,IAAA,CAAA;AAEK,UAAA,+BAAA,CACH;EAID,SAAA,CAAA,EAJC,2BAIuB;EAId,GAAA,CAAA,EAAA,GAAA,GAPT,IAOS;;AAOT,cAXD,wBAAA,CAWC;EACD,iBAAA,SAAA;EAAR,iBAAA,KAAA;EAAO,WAAA,CAAA,OAAA,CAAA,EARW,+BAQX;iBAFC,8BACC,iCACT,QAAQ"}

package/dist/health.js ADDED Viewed

@@ -0,0 +1,70 @@
+//#region src/health.ts
+var IntegrationHealthService = class {
+	telemetry;
+	nowFn;
+	constructor(options = {}) {
+		this.telemetry = options.telemetry;
+		this.nowFn = options.now ?? (() => /* @__PURE__ */ new Date());
+	}
+	async check(context, executor) {
+		const start = this.nowFn();
+		try {
+			await executor(context);
+			const end = this.nowFn();
+			const result = {
+				status: "connected",
+				checkedAt: end,
+				latencyMs: end.getTime() - start.getTime()
+			};
+			this.emitTelemetry(context, result, "success");
+			return result;
+		} catch (error) {
+			const end = this.nowFn();
+			const message = error instanceof Error ? error.message : "Unknown error";
+			const code = extractErrorCode(error);
+			const result = {
+				status: "error",
+				checkedAt: end,
+				latencyMs: end.getTime() - start.getTime(),
+				errorMessage: message,
+				errorCode: code
+			};
+			this.emitTelemetry(context, result, "error", code, message);
+			return result;
+		}
+	}
+	emitTelemetry(context, result, status, errorCode, errorMessage) {
+		if (!this.telemetry) return;
+		this.telemetry.record({
+			tenantId: context.tenantId,
+			appId: context.appId,
+			environment: context.environment,
+			slotId: context.slotId,
+			integrationKey: context.spec.meta.key,
+			integrationVersion: context.spec.meta.version,
+			connectionId: context.connection.meta.id,
+			status,
+			durationMs: result.latencyMs,
+			errorCode,
+			errorMessage,
+			occurredAt: result.checkedAt ?? this.nowFn(),
+			metadata: {
+				...context.trace ? {
+					blueprint: `${context.trace.blueprintName}.v${context.trace.blueprintVersion}`,
+					configVersion: context.trace.configVersion
+				} : {},
+				status: result.status
+			}
+		});
+	}
+};
+function extractErrorCode(error) {
+	if (!error || typeof error !== "object") return void 0;
+	const candidate = error;
+	if (candidate.code == null) return void 0;
+	return String(candidate.code);
+}
+//#endregion
+export { IntegrationHealthService };
+//# sourceMappingURL=health.js.map

package/dist/health.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"health.js","names":["result: IntegrationHealthCheckResult"],"sources":["../src/health.ts"],"sourcesContent":["import type { IntegrationConnectionHealth } from '@lssm/lib.contracts/integrations/connection';\n\nimport type {\n IntegrationContext,\n IntegrationInvocationStatus,\n IntegrationTelemetryEmitter,\n} from './runtime';\n\nexport interface IntegrationHealthCheckResult extends IntegrationConnectionHealth {\n metadata?: Record<string, string>;\n}\n\nexport type IntegrationHealthCheckExecutor = (\n context: IntegrationContext\n) => Promise<void>;\n\nexport interface IntegrationHealthServiceOptions {\n telemetry?: IntegrationTelemetryEmitter;\n now?: () => Date;\n}\n\nexport class IntegrationHealthService {\n private readonly telemetry?: IntegrationTelemetryEmitter;\n private readonly nowFn: () => Date;\n\n constructor(options: IntegrationHealthServiceOptions = {}) {\n this.telemetry = options.telemetry;\n this.nowFn = options.now ?? (() => new Date());\n }\n\n async check(\n context: IntegrationContext,\n executor: IntegrationHealthCheckExecutor\n ): Promise<IntegrationHealthCheckResult> {\n const start = this.nowFn();\n try {\n await executor(context);\n const end = this.nowFn();\n const result: IntegrationHealthCheckResult = {\n status: 'connected',\n checkedAt: end,\n latencyMs: end.getTime() - start.getTime(),\n };\n this.emitTelemetry(context, result, 'success');\n return result;\n } catch (error) {\n const end = this.nowFn();\n const message = error instanceof Error ? error.message : 'Unknown error';\n const code = extractErrorCode(error);\n const result: IntegrationHealthCheckResult = {\n status: 'error',\n checkedAt: end,\n latencyMs: end.getTime() - start.getTime(),\n errorMessage: message,\n errorCode: code,\n };\n this.emitTelemetry(context, result, 'error', code, message);\n return result;\n }\n }\n\n private emitTelemetry(\n context: IntegrationContext,\n result: IntegrationHealthCheckResult,\n status: IntegrationInvocationStatus,\n errorCode?: string,\n errorMessage?: string\n ) {\n if (!this.telemetry) return;\n this.telemetry.record({\n tenantId: context.tenantId,\n appId: context.appId,\n environment: context.environment,\n slotId: context.slotId,\n integrationKey: context.spec.meta.key,\n integrationVersion: context.spec.meta.version,\n connectionId: context.connection.meta.id,\n status,\n durationMs: result.latencyMs,\n errorCode,\n errorMessage,\n occurredAt: result.checkedAt ?? this.nowFn(),\n metadata: {\n ...(context.trace\n ? {\n blueprint: `${context.trace.blueprintName}.v${context.trace.blueprintVersion}`,\n configVersion: context.trace.configVersion,\n }\n : {}),\n status: result.status,\n },\n });\n }\n}\n\nfunction extractErrorCode(error: unknown): string | undefined {\n if (!error || typeof error !== 'object') return undefined;\n const candidate = error as { code?: string | number };\n if (candidate.code == null) return undefined;\n return String(candidate.code);\n}\n"],"mappings":";AAqBA,IAAa,2BAAb,MAAsC;CACpC,AAAiB;CACjB,AAAiB;CAEjB,YAAY,UAA2C,EAAE,EAAE;AACzD,OAAK,YAAY,QAAQ;AACzB,OAAK,QAAQ,QAAQ,8BAAc,IAAI,MAAM;;CAG/C,MAAM,MACJ,SACA,UACuC;EACvC,MAAM,QAAQ,KAAK,OAAO;AAC1B,MAAI;AACF,SAAM,SAAS,QAAQ;GACvB,MAAM,MAAM,KAAK,OAAO;GACxB,MAAMA,SAAuC;IAC3C,QAAQ;IACR,WAAW;IACX,WAAW,IAAI,SAAS,GAAG,MAAM,SAAS;IAC3C;AACD,QAAK,cAAc,SAAS,QAAQ,UAAU;AAC9C,UAAO;WACA,OAAO;GACd,MAAM,MAAM,KAAK,OAAO;GACxB,MAAM,UAAU,iBAAiB,QAAQ,MAAM,UAAU;GACzD,MAAM,OAAO,iBAAiB,MAAM;GACpC,MAAMA,SAAuC;IAC3C,QAAQ;IACR,WAAW;IACX,WAAW,IAAI,SAAS,GAAG,MAAM,SAAS;IAC1C,cAAc;IACd,WAAW;IACZ;AACD,QAAK,cAAc,SAAS,QAAQ,SAAS,MAAM,QAAQ;AAC3D,UAAO;;;CAIX,AAAQ,cACN,SACA,QACA,QACA,WACA,cACA;AACA,MAAI,CAAC,KAAK,UAAW;AACrB,OAAK,UAAU,OAAO;GACpB,UAAU,QAAQ;GAClB,OAAO,QAAQ;GACf,aAAa,QAAQ;GACrB,QAAQ,QAAQ;GAChB,gBAAgB,QAAQ,KAAK,KAAK;GAClC,oBAAoB,QAAQ,KAAK,KAAK;GACtC,cAAc,QAAQ,WAAW,KAAK;GACtC;GACA,YAAY,OAAO;GACnB;GACA;GACA,YAAY,OAAO,aAAa,KAAK,OAAO;GAC5C,UAAU;IACR,GAAI,QAAQ,QACR;KACE,WAAW,GAAG,QAAQ,MAAM,cAAc,IAAI,QAAQ,MAAM;KAC5D,eAAe,QAAQ,MAAM;KAC9B,GACD,EAAE;IACN,QAAQ,OAAO;IAChB;GACF,CAAC;;;AAIN,SAAS,iBAAiB,OAAoC;AAC5D,KAAI,CAAC,SAAS,OAAO,UAAU,SAAU,QAAO;CAChD,MAAM,YAAY;AAClB,KAAI,UAAU,QAAQ,KAAM,QAAO;AACnC,QAAO,OAAO,UAAU,KAAK"}

package/dist/index.d.ts ADDED Viewed

@@ -0,0 +1,8 @@
+import { ParsedSecretUri, SecretFetchOptions, SecretPayloadEncoding, SecretProvider, SecretProviderError, SecretReference, SecretRotationResult, SecretValue, SecretWritePayload, normalizeSecretPayload, parseSecretUri } from "./secrets/provider.js";
+import { IntegrationCallContext, IntegrationCallError, IntegrationCallGuard, IntegrationCallGuardOptions, IntegrationCallResult, IntegrationContext, IntegrationInvocationStatus, IntegrationTelemetryEmitter, IntegrationTelemetryEvent, IntegrationTraceMetadata, connectionStatusLabel, ensureConnectionReady } from "./runtime.js";
+import { IntegrationHealthCheckExecutor, IntegrationHealthCheckResult, IntegrationHealthService, IntegrationHealthServiceOptions } from "./health.js";
+import { GcpSecretManagerProvider } from "./secrets/gcp-secret-manager.js";
+import { EnvSecretProvider } from "./secrets/env-secret-provider.js";
+import { SecretProviderManager, SecretProviderManagerOptions } from "./secrets/manager.js";
+import "./secrets/index.js";
+export { EnvSecretProvider, GcpSecretManagerProvider, IntegrationCallContext, IntegrationCallError, IntegrationCallGuard, IntegrationCallGuardOptions, IntegrationCallResult, IntegrationContext, IntegrationHealthCheckExecutor, IntegrationHealthCheckResult, IntegrationHealthService, IntegrationHealthServiceOptions, IntegrationInvocationStatus, IntegrationTelemetryEmitter, IntegrationTelemetryEvent, IntegrationTraceMetadata, ParsedSecretUri, SecretFetchOptions, SecretPayloadEncoding, SecretProvider, SecretProviderError, SecretProviderManager, SecretProviderManagerOptions, SecretReference, SecretRotationResult, SecretValue, SecretWritePayload, connectionStatusLabel, ensureConnectionReady, normalizeSecretPayload, parseSecretUri };

package/dist/index.js ADDED Viewed

@@ -0,0 +1,9 @@
+import { IntegrationHealthService } from "./health.js";
+import { IntegrationCallGuard, connectionStatusLabel, ensureConnectionReady } from "./runtime.js";
+import { SecretProviderError, normalizeSecretPayload, parseSecretUri } from "./secrets/provider.js";
+import { GcpSecretManagerProvider } from "./secrets/gcp-secret-manager.js";
+import { EnvSecretProvider } from "./secrets/env-secret-provider.js";
+import { SecretProviderManager } from "./secrets/manager.js";
+import "./secrets/index.js";
+export { EnvSecretProvider, GcpSecretManagerProvider, IntegrationCallGuard, IntegrationHealthService, SecretProviderError, SecretProviderManager, connectionStatusLabel, ensureConnectionReady, normalizeSecretPayload, parseSecretUri };

package/dist/runtime.d.ts ADDED Viewed

@@ -0,0 +1,100 @@
+import { SecretProvider } from "./secrets/provider.js";
+import { ConnectionStatus, IntegrationConnection } from "@lssm/lib.contracts/integrations/connection";
+import { ResolvedAppConfig, ResolvedIntegration } from "@lssm/lib.contracts/app-config/runtime";
+import { IntegrationSpec } from "@lssm/lib.contracts/integrations/spec";
+//#region src/runtime.d.ts
+interface IntegrationTraceMetadata {
+  blueprintName: string;
+  blueprintVersion: number;
+  configVersion: number;
+}
+interface IntegrationTelemetryEvent {
+  tenantId: string;
+  appId: string;
+  environment?: string;
+  slotId?: string;
+  integrationKey: string;
+  integrationVersion: number;
+  connectionId: string;
+  status: 'success' | 'error';
+  durationMs?: number;
+  errorCode?: string;
+  errorMessage?: string;
+  occurredAt: Date;
+  metadata?: Record<string, string | number | boolean>;
+}
+interface IntegrationTelemetryEmitter {
+  record(event: IntegrationTelemetryEvent): Promise<void> | void;
+}
+type IntegrationInvocationStatus = 'success' | 'error';
+interface IntegrationContext {
+  tenantId: string;
+  appId: string;
+  environment?: string;
+  slotId?: string;
+  spec: IntegrationSpec;
+  connection: IntegrationConnection;
+  secretProvider: SecretProvider;
+  secretReference: string;
+  trace: IntegrationTraceMetadata;
+  config?: Record<string, unknown>;
+}
+interface IntegrationCallContext {
+  tenantId: string;
+  appId: string;
+  environment?: string;
+  blueprintName: string;
+  blueprintVersion: number;
+  configVersion: number;
+  slotId: string;
+  operation: string;
+}
+interface IntegrationCallError {
+  code: string;
+  message: string;
+  retryable: boolean;
+  cause?: unknown;
+}
+interface IntegrationCallResult<T> {
+  success: boolean;
+  data?: T;
+  error?: IntegrationCallError;
+  metadata: {
+    latencyMs: number;
+    connectionId: string;
+    ownershipMode: IntegrationConnection['ownershipMode'];
+    attempts: number;
+  };
+}
+interface IntegrationCallGuardOptions {
+  telemetry?: IntegrationTelemetryEmitter;
+  maxAttempts?: number;
+  backoffMs?: number;
+  shouldRetry?: (error: unknown, attempt: number) => boolean;
+  sleep?: (ms: number) => Promise<void>;
+  now?: () => Date;
+}
+declare class IntegrationCallGuard {
+  private readonly secretProvider;
+  private readonly telemetry?;
+  private readonly maxAttempts;
+  private readonly backoffMs;
+  private readonly shouldRetry;
+  private readonly sleep;
+  private readonly now;
+  constructor(secretProvider: SecretProvider, options?: IntegrationCallGuardOptions);
+  executeWithGuards<T>(slotId: string, operation: string, _input: unknown, resolvedConfig: ResolvedAppConfig, executor: (connection: IntegrationConnection, secrets: Record<string, string>) => Promise<T>): Promise<IntegrationCallResult<T>>;
+  private findIntegration;
+  private fetchSecrets;
+  private parseSecret;
+  private emitTelemetry;
+  private failure;
+  private makeContext;
+  private errorCodeFor;
+}
+declare function ensureConnectionReady(integration: ResolvedIntegration): void;
+declare function connectionStatusLabel(status: ConnectionStatus): string;
+//#endregion
+export { IntegrationCallContext, IntegrationCallError, IntegrationCallGuard, IntegrationCallGuardOptions, IntegrationCallResult, IntegrationContext, IntegrationInvocationStatus, IntegrationTelemetryEmitter, IntegrationTelemetryEvent, IntegrationTraceMetadata, connectionStatusLabel, ensureConnectionReady };
+//# sourceMappingURL=runtime.d.ts.map

package/dist/runtime.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"runtime.d.ts","names":[],"sources":["../src/runtime.ts"],"sourcesContent":[],"mappings":";;;;;;UAaiB,wBAAA;;EAAA,gBAAA,EAAA,MAAA;EAMA,aAAA,EAAA,MAAA;AAgBjB;AAIY,UApBK,yBAAA,CAoBsB;EAEtB,QAAA,EAAA,MAAA;EAKT,KAAA,EAAA,MAAA;EACM,WAAA,CAAA,EAAA,MAAA;EACI,MAAA,CAAA,EAAA,MAAA;EAET,cAAA,EAAA,MAAA;EACE,kBAAA,EAAA,MAAA;EAAM,YAAA,EAAA,MAAA;EAGA,MAAA,EAAA,SAAA,GAAA,OAAsB;EAWtB,UAAA,CAAA,EAAA,MAAA;EAOA,SAAA,CAAA,EAAA,MAAA;EAER,YAAA,CAAA,EAAA,MAAA;EACC,UAAA,EA5CI,IA4CJ;EAIS,QAAA,CAAA,EA/CN,MA+CM,CAAA,MAAA,EAAA,MAAA,GAAA,MAAA,GAAA,OAAA,CAAA;;AAKF,UAjDA,2BAAA,CAiD2B;EAC9B,MAAA,CAAA,KAAA,EAjDE,yBAiDF,CAAA,EAjD8B,OAiD9B,CAAA,IAAA,CAAA,GAAA,IAAA;;AAKA,KAnDF,2BAAA,GAmDE,SAAA,GAAA,OAAA;AAAI,UAjDD,kBAAA,CAiDC;EAML,QAAA,EAAA,MAAA;EASwB,KAAA,EAAA,MAAA;EACxB,WAAA,CAAA,EAAA,MAAA;EAyBO,MAAA,CAAA,EAAA,MAAA;EAEF,IAAA,EAvFV,eAuFU;EACH,UAAA,EAvFD,qBAuFC;EACE,cAAA,EAvFC,cAuFD;EAAR,eAAA,EAAA,MAAA;EAC0B,KAAA,EAtF1B,wBAsF0B;EAAtB,MAAA,CAAA,EArFF,MAqFE,CAAA,MAAA,EAAA,OAAA,CAAA;;AAAD,UAlFK,sBAAA,CAkFL;EAiPI,QAAA,EAAA,MAAA;EASA,KAAA,EAAA,MAAA;;;;;;;;UAjUC,oBAAA;;;;;;UAOA;;SAER;UACC;;;;mBAIS;;;;UAKF,2BAAA;cACH;;;;0BAIY;cACZ;;cAMD,oBAAA;;;;;;;;8BASwB,0BACxB;2FAyBO,0CAEF,gCACH,2BACN,QAAQ,KACZ,QAAQ,sBAAsB;;;;;;;;;iBAiPnB,qBAAA,cAAmC;iBASnC,qBAAA,SAA8B"}

package/dist/runtime.js ADDED Viewed

@@ -0,0 +1,187 @@
+import { performance } from "node:perf_hooks";
+//#region src/runtime.ts
+const DEFAULT_MAX_ATTEMPTS = 3;
+const DEFAULT_BACKOFF_MS = 250;
+var IntegrationCallGuard = class {
+	telemetry;
+	maxAttempts;
+	backoffMs;
+	shouldRetry;
+	sleep;
+	now;
+	constructor(secretProvider, options = {}) {
+		this.secretProvider = secretProvider;
+		this.telemetry = options.telemetry;
+		this.maxAttempts = Math.max(1, options.maxAttempts ?? DEFAULT_MAX_ATTEMPTS);
+		this.backoffMs = options.backoffMs ?? DEFAULT_BACKOFF_MS;
+		this.shouldRetry = options.shouldRetry ?? ((error) => typeof error === "object" && error !== null && "retryable" in error && Boolean(error.retryable));
+		this.sleep = options.sleep ?? ((ms) => ms <= 0 ? Promise.resolve() : new Promise((resolve) => setTimeout(resolve, ms)));
+		this.now = options.now ?? (() => /* @__PURE__ */ new Date());
+	}
+	async executeWithGuards(slotId, operation, _input, resolvedConfig, executor) {
+		const integration = this.findIntegration(slotId, resolvedConfig);
+		if (!integration) return this.failure({
+			tenantId: resolvedConfig.tenantId,
+			appId: resolvedConfig.appId,
+			environment: resolvedConfig.environment,
+			blueprintName: resolvedConfig.blueprintName,
+			blueprintVersion: resolvedConfig.blueprintVersion,
+			configVersion: resolvedConfig.configVersion,
+			slotId,
+			operation
+		}, void 0, {
+			code: "SLOT_NOT_BOUND",
+			message: `Integration slot "${slotId}" is not bound for tenant "${resolvedConfig.tenantId}".`,
+			retryable: false
+		}, 0);
+		const status = integration.connection.status;
+		if (status === "disconnected" || status === "error") return this.failure(this.makeContext(slotId, operation, resolvedConfig), integration, {
+			code: "CONNECTION_NOT_READY",
+			message: `Integration connection "${integration.connection.meta.label}" is in status "${status}".`,
+			retryable: false
+		}, 0);
+		const secrets = await this.fetchSecrets(integration.connection);
+		let attempt = 0;
+		const started = performance.now();
+		while (attempt < this.maxAttempts) {
+			attempt += 1;
+			try {
+				const data = await executor(integration.connection, secrets);
+				const duration = performance.now() - started;
+				this.emitTelemetry(this.makeContext(slotId, operation, resolvedConfig), integration, "success", duration);
+				return {
+					success: true,
+					data,
+					metadata: {
+						latencyMs: duration,
+						connectionId: integration.connection.meta.id,
+						ownershipMode: integration.connection.ownershipMode,
+						attempts: attempt
+					}
+				};
+			} catch (error) {
+				const duration = performance.now() - started;
+				this.emitTelemetry(this.makeContext(slotId, operation, resolvedConfig), integration, "error", duration, this.errorCodeFor(error), error instanceof Error ? error.message : String(error));
+				const retryable = this.shouldRetry(error, attempt);
+				if (!retryable || attempt >= this.maxAttempts) return {
+					success: false,
+					error: {
+						code: this.errorCodeFor(error),
+						message: error instanceof Error ? error.message : String(error),
+						retryable,
+						cause: error
+					},
+					metadata: {
+						latencyMs: duration,
+						connectionId: integration.connection.meta.id,
+						ownershipMode: integration.connection.ownershipMode,
+						attempts: attempt
+					}
+				};
+				await this.sleep(this.backoffMs);
+			}
+		}
+		return {
+			success: false,
+			error: {
+				code: "UNKNOWN_ERROR",
+				message: "Integration call failed after retries.",
+				retryable: false
+			},
+			metadata: {
+				latencyMs: performance.now() - started,
+				connectionId: integration.connection.meta.id,
+				ownershipMode: integration.connection.ownershipMode,
+				attempts: this.maxAttempts
+			}
+		};
+	}
+	findIntegration(slotId, config) {
+		return config.integrations.find((integration) => integration.slot.slotId === slotId);
+	}
+	async fetchSecrets(connection) {
+		if (!this.secretProvider.canHandle(connection.secretRef)) throw new Error(`Secret provider "${this.secretProvider.id}" cannot handle reference "${connection.secretRef}".`);
+		const secret = await this.secretProvider.getSecret(connection.secretRef);
+		return this.parseSecret(secret);
+	}
+	parseSecret(secret) {
+		const text = new TextDecoder().decode(secret.data);
+		try {
+			const parsed = JSON.parse(text);
+			if (parsed && typeof parsed === "object" && !Array.isArray(parsed)) {
+				const entries = Object.entries(parsed).filter(([, value]) => typeof value === "string" || typeof value === "number" || typeof value === "boolean");
+				return Object.fromEntries(entries.map(([key, value]) => [key, String(value)]));
+			}
+		} catch {}
+		return { secret: text };
+	}
+	emitTelemetry(context, integration, status, durationMs, errorCode, errorMessage) {
+		if (!this.telemetry || !integration) return;
+		this.telemetry.record({
+			tenantId: context.tenantId,
+			appId: context.appId,
+			environment: context.environment,
+			slotId: context.slotId,
+			integrationKey: integration.connection.meta.integrationKey,
+			integrationVersion: integration.connection.meta.integrationVersion,
+			connectionId: integration.connection.meta.id,
+			status,
+			durationMs,
+			errorCode,
+			errorMessage,
+			occurredAt: this.now(),
+			metadata: {
+				blueprint: `${context.blueprintName}.v${context.blueprintVersion}`,
+				configVersion: context.configVersion,
+				operation: context.operation
+			}
+		});
+	}
+	failure(context, integration, error, attempts) {
+		if (integration) this.emitTelemetry(context, integration, "error", 0, error.code, error.message);
+		return {
+			success: false,
+			error,
+			metadata: {
+				latencyMs: 0,
+				connectionId: integration?.connection.meta.id ?? "unknown",
+				ownershipMode: integration?.connection.ownershipMode ?? "managed",
+				attempts
+			}
+		};
+	}
+	makeContext(slotId, operation, config) {
+		return {
+			tenantId: config.tenantId,
+			appId: config.appId,
+			environment: config.environment,
+			blueprintName: config.blueprintName,
+			blueprintVersion: config.blueprintVersion,
+			configVersion: config.configVersion,
+			slotId,
+			operation
+		};
+	}
+	errorCodeFor(error) {
+		if (typeof error === "object" && error !== null && "code" in error && typeof error.code === "string") return error.code;
+		return "PROVIDER_ERROR";
+	}
+};
+function ensureConnectionReady(integration) {
+	const status = integration.connection.status;
+	if (status === "disconnected" || status === "error") throw new Error(`Integration connection "${integration.connection.meta.label}" is in status "${status}".`);
+}
+function connectionStatusLabel(status) {
+	switch (status) {
+		case "connected": return "connected";
+		case "disconnected": return "disconnected";
+		case "error": return "error";
+		case "unknown":
+		default: return "unknown";
+	}
+}
+//#endregion
+export { IntegrationCallGuard, connectionStatusLabel, ensureConnectionReady };
+//# sourceMappingURL=runtime.js.map

package/dist/runtime.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"runtime.js","names":["secretProvider: SecretProvider"],"sources":["../src/runtime.ts"],"sourcesContent":["import { performance } from 'node:perf_hooks';\n\nimport type {\n ResolvedAppConfig,\n ResolvedIntegration,\n} from '@lssm/lib.contracts/app-config/runtime';\nimport type {\n ConnectionStatus,\n IntegrationConnection,\n} from '@lssm/lib.contracts/integrations/connection';\nimport type { IntegrationSpec } from '@lssm/lib.contracts/integrations/spec';\nimport type { SecretProvider, SecretValue } from './secrets/provider';\n\nexport interface IntegrationTraceMetadata {\n blueprintName: string;\n blueprintVersion: number;\n configVersion: number;\n}\n\nexport interface IntegrationTelemetryEvent {\n tenantId: string;\n appId: string;\n environment?: string;\n slotId?: string;\n integrationKey: string;\n integrationVersion: number;\n connectionId: string;\n status: 'success' | 'error';\n durationMs?: number;\n errorCode?: string;\n errorMessage?: string;\n occurredAt: Date;\n metadata?: Record<string, string | number | boolean>;\n}\n\nexport interface IntegrationTelemetryEmitter {\n record(event: IntegrationTelemetryEvent): Promise<void> | void;\n}\n\nexport type IntegrationInvocationStatus = 'success' | 'error';\n\nexport interface IntegrationContext {\n tenantId: string;\n appId: string;\n environment?: string;\n slotId?: string;\n spec: IntegrationSpec;\n connection: IntegrationConnection;\n secretProvider: SecretProvider;\n secretReference: string;\n trace: IntegrationTraceMetadata;\n config?: Record<string, unknown>;\n}\n\nexport interface IntegrationCallContext {\n tenantId: string;\n appId: string;\n environment?: string;\n blueprintName: string;\n blueprintVersion: number;\n configVersion: number;\n slotId: string;\n operation: string;\n}\n\nexport interface IntegrationCallError {\n code: string;\n message: string;\n retryable: boolean;\n cause?: unknown;\n}\n\nexport interface IntegrationCallResult<T> {\n success: boolean;\n data?: T;\n error?: IntegrationCallError;\n metadata: {\n latencyMs: number;\n connectionId: string;\n ownershipMode: IntegrationConnection['ownershipMode'];\n attempts: number;\n };\n}\n\nexport interface IntegrationCallGuardOptions {\n telemetry?: IntegrationTelemetryEmitter;\n maxAttempts?: number;\n backoffMs?: number;\n shouldRetry?: (error: unknown, attempt: number) => boolean;\n sleep?: (ms: number) => Promise<void>;\n now?: () => Date;\n}\n\nconst DEFAULT_MAX_ATTEMPTS = 3;\nconst DEFAULT_BACKOFF_MS = 250;\n\nexport class IntegrationCallGuard {\n private readonly telemetry?: IntegrationTelemetryEmitter;\n private readonly maxAttempts: number;\n private readonly backoffMs: number;\n private readonly shouldRetry: (error: unknown, attempt: number) => boolean;\n private readonly sleep: (ms: number) => Promise<void>;\n private readonly now: () => Date;\n\n constructor(\n private readonly secretProvider: SecretProvider,\n options: IntegrationCallGuardOptions = {}\n ) {\n this.telemetry = options.telemetry;\n this.maxAttempts = Math.max(1, options.maxAttempts ?? DEFAULT_MAX_ATTEMPTS);\n this.backoffMs = options.backoffMs ?? DEFAULT_BACKOFF_MS;\n this.shouldRetry =\n options.shouldRetry ??\n ((error: unknown) =>\n typeof error === 'object' &&\n error !== null &&\n 'retryable' in error &&\n Boolean((error as { retryable?: unknown }).retryable));\n this.sleep =\n options.sleep ??\n ((ms: number) =>\n ms <= 0\n ? Promise.resolve()\n : new Promise((resolve) => setTimeout(resolve, ms)));\n this.now = options.now ?? (() => new Date());\n }\n\n async executeWithGuards<T>(\n slotId: string,\n operation: string,\n _input: unknown,\n resolvedConfig: ResolvedAppConfig,\n executor: (\n connection: IntegrationConnection,\n secrets: Record<string, string>\n ) => Promise<T>\n ): Promise<IntegrationCallResult<T>> {\n const integration = this.findIntegration(slotId, resolvedConfig);\n if (!integration) {\n return this.failure(\n {\n tenantId: resolvedConfig.tenantId,\n appId: resolvedConfig.appId,\n environment: resolvedConfig.environment,\n blueprintName: resolvedConfig.blueprintName,\n blueprintVersion: resolvedConfig.blueprintVersion,\n configVersion: resolvedConfig.configVersion,\n slotId,\n operation,\n },\n undefined,\n {\n code: 'SLOT_NOT_BOUND',\n message: `Integration slot \"${slotId}\" is not bound for tenant \"${resolvedConfig.tenantId}\".`,\n retryable: false,\n },\n 0\n );\n }\n\n const status = integration.connection.status;\n if (status === 'disconnected' || status === 'error') {\n return this.failure(\n this.makeContext(slotId, operation, resolvedConfig),\n integration,\n {\n code: 'CONNECTION_NOT_READY',\n message: `Integration connection \"${integration.connection.meta.label}\" is in status \"${status}\".`,\n retryable: false,\n },\n 0\n );\n }\n\n const secrets = await this.fetchSecrets(integration.connection);\n\n let attempt = 0;\n const started = performance.now();\n while (attempt < this.maxAttempts) {\n attempt += 1;\n try {\n const data = await executor(integration.connection, secrets);\n const duration = performance.now() - started;\n this.emitTelemetry(\n this.makeContext(slotId, operation, resolvedConfig),\n integration,\n 'success',\n duration\n );\n return {\n success: true,\n data,\n metadata: {\n latencyMs: duration,\n connectionId: integration.connection.meta.id,\n ownershipMode: integration.connection.ownershipMode,\n attempts: attempt,\n },\n };\n } catch (error) {\n const duration = performance.now() - started;\n this.emitTelemetry(\n this.makeContext(slotId, operation, resolvedConfig),\n integration,\n 'error',\n duration,\n this.errorCodeFor(error),\n error instanceof Error ? error.message : String(error)\n );\n const retryable = this.shouldRetry(error, attempt);\n if (!retryable || attempt >= this.maxAttempts) {\n return {\n success: false,\n error: {\n code: this.errorCodeFor(error),\n message: error instanceof Error ? error.message : String(error),\n retryable,\n cause: error,\n },\n metadata: {\n latencyMs: duration,\n connectionId: integration.connection.meta.id,\n ownershipMode: integration.connection.ownershipMode,\n attempts: attempt,\n },\n };\n }\n await this.sleep(this.backoffMs);\n }\n }\n\n return {\n success: false,\n error: {\n code: 'UNKNOWN_ERROR',\n message: 'Integration call failed after retries.',\n retryable: false,\n },\n metadata: {\n latencyMs: performance.now() - started,\n connectionId: integration.connection.meta.id,\n ownershipMode: integration.connection.ownershipMode,\n attempts: this.maxAttempts,\n },\n };\n }\n\n private findIntegration(\n slotId: string,\n config: ResolvedAppConfig\n ): ResolvedIntegration | undefined {\n return config.integrations.find(\n (integration) => integration.slot.slotId === slotId\n );\n }\n\n private async fetchSecrets(\n connection: IntegrationConnection\n ): Promise<Record<string, string>> {\n if (!this.secretProvider.canHandle(connection.secretRef)) {\n throw new Error(\n `Secret provider \"${this.secretProvider.id}\" cannot handle reference \"${connection.secretRef}\".`\n );\n }\n const secret = await this.secretProvider.getSecret(connection.secretRef);\n return this.parseSecret(secret);\n }\n\n private parseSecret(secret: SecretValue): Record<string, string> {\n const text = new TextDecoder().decode(secret.data);\n try {\n const parsed = JSON.parse(text);\n if (parsed && typeof parsed === 'object' && !Array.isArray(parsed)) {\n const entries = Object.entries(parsed).filter(\n ([, value]) =>\n typeof value === 'string' ||\n typeof value === 'number' ||\n typeof value === 'boolean'\n );\n return Object.fromEntries(\n entries.map(([key, value]) => [key, String(value)])\n );\n }\n } catch {\n // raw secret fallback\n }\n return { secret: text };\n }\n\n private emitTelemetry(\n context: IntegrationCallContext,\n integration: ResolvedIntegration | undefined,\n status: 'success' | 'error',\n durationMs: number,\n errorCode?: string,\n errorMessage?: string\n ) {\n if (!this.telemetry || !integration) return;\n this.telemetry.record({\n tenantId: context.tenantId,\n appId: context.appId,\n environment: context.environment,\n slotId: context.slotId,\n integrationKey: integration.connection.meta.integrationKey,\n integrationVersion: integration.connection.meta.integrationVersion,\n connectionId: integration.connection.meta.id,\n status,\n durationMs,\n errorCode,\n errorMessage,\n occurredAt: this.now(),\n metadata: {\n blueprint: `${context.blueprintName}.v${context.blueprintVersion}`,\n configVersion: context.configVersion,\n operation: context.operation,\n },\n });\n }\n\n private failure<T>(\n context: IntegrationCallContext,\n integration: ResolvedIntegration | undefined,\n error: IntegrationCallError,\n attempts: number\n ): IntegrationCallResult<T> {\n if (integration) {\n this.emitTelemetry(\n context,\n integration,\n 'error',\n 0,\n error.code,\n error.message\n );\n }\n return {\n success: false,\n error,\n metadata: {\n latencyMs: 0,\n connectionId: integration?.connection.meta.id ?? 'unknown',\n ownershipMode: integration?.connection.ownershipMode ?? 'managed',\n attempts,\n },\n };\n }\n\n private makeContext(\n slotId: string,\n operation: string,\n config: ResolvedAppConfig\n ): IntegrationCallContext {\n return {\n tenantId: config.tenantId,\n appId: config.appId,\n environment: config.environment,\n blueprintName: config.blueprintName,\n blueprintVersion: config.blueprintVersion,\n configVersion: config.configVersion,\n slotId,\n operation,\n };\n }\n\n private errorCodeFor(error: unknown): string {\n if (\n typeof error === 'object' &&\n error !== null &&\n 'code' in error &&\n typeof (error as { code?: unknown }).code === 'string'\n ) {\n return (error as { code: string }).code;\n }\n return 'PROVIDER_ERROR';\n }\n}\n\nexport function ensureConnectionReady(integration: ResolvedIntegration): void {\n const status = integration.connection.status;\n if (status === 'disconnected' || status === 'error') {\n throw new Error(\n `Integration connection \"${integration.connection.meta.label}\" is in status \"${status}\".`\n );\n }\n}\n\nexport function connectionStatusLabel(status: ConnectionStatus): string {\n switch (status) {\n case 'connected':\n return 'connected';\n case 'disconnected':\n return 'disconnected';\n case 'error':\n return 'error';\n case 'unknown':\n default:\n return 'unknown';\n }\n}\n"],"mappings":";;;AA6FA,MAAM,uBAAuB;AAC7B,MAAM,qBAAqB;AAE3B,IAAa,uBAAb,MAAkC;CAChC,AAAiB;CACjB,AAAiB;CACjB,AAAiB;CACjB,AAAiB;CACjB,AAAiB;CACjB,AAAiB;CAEjB,YACE,AAAiBA,gBACjB,UAAuC,EAAE,EACzC;EAFiB;AAGjB,OAAK,YAAY,QAAQ;AACzB,OAAK,cAAc,KAAK,IAAI,GAAG,QAAQ,eAAe,qBAAqB;AAC3E,OAAK,YAAY,QAAQ,aAAa;AACtC,OAAK,cACH,QAAQ,iBACN,UACA,OAAO,UAAU,YACjB,UAAU,QACV,eAAe,SACf,QAAS,MAAkC,UAAU;AACzD,OAAK,QACH,QAAQ,WACN,OACA,MAAM,IACF,QAAQ,SAAS,GACjB,IAAI,SAAS,YAAY,WAAW,SAAS,GAAG,CAAC;AACzD,OAAK,MAAM,QAAQ,8BAAc,IAAI,MAAM;;CAG7C,MAAM,kBACJ,QACA,WACA,QACA,gBACA,UAImC;EACnC,MAAM,cAAc,KAAK,gBAAgB,QAAQ,eAAe;AAChE,MAAI,CAAC,YACH,QAAO,KAAK,QACV;GACE,UAAU,eAAe;GACzB,OAAO,eAAe;GACtB,aAAa,eAAe;GAC5B,eAAe,eAAe;GAC9B,kBAAkB,eAAe;GACjC,eAAe,eAAe;GAC9B;GACA;GACD,EACD,QACA;GACE,MAAM;GACN,SAAS,qBAAqB,OAAO,6BAA6B,eAAe,SAAS;GAC1F,WAAW;GACZ,EACD,EACD;EAGH,MAAM,SAAS,YAAY,WAAW;AACtC,MAAI,WAAW,kBAAkB,WAAW,QAC1C,QAAO,KAAK,QACV,KAAK,YAAY,QAAQ,WAAW,eAAe,EACnD,aACA;GACE,MAAM;GACN,SAAS,2BAA2B,YAAY,WAAW,KAAK,MAAM,kBAAkB,OAAO;GAC/F,WAAW;GACZ,EACD,EACD;EAGH,MAAM,UAAU,MAAM,KAAK,aAAa,YAAY,WAAW;EAE/D,IAAI,UAAU;EACd,MAAM,UAAU,YAAY,KAAK;AACjC,SAAO,UAAU,KAAK,aAAa;AACjC,cAAW;AACX,OAAI;IACF,MAAM,OAAO,MAAM,SAAS,YAAY,YAAY,QAAQ;IAC5D,MAAM,WAAW,YAAY,KAAK,GAAG;AACrC,SAAK,cACH,KAAK,YAAY,QAAQ,WAAW,eAAe,EACnD,aACA,WACA,SACD;AACD,WAAO;KACL,SAAS;KACT;KACA,UAAU;MACR,WAAW;MACX,cAAc,YAAY,WAAW,KAAK;MAC1C,eAAe,YAAY,WAAW;MACtC,UAAU;MACX;KACF;YACM,OAAO;IACd,MAAM,WAAW,YAAY,KAAK,GAAG;AACrC,SAAK,cACH,KAAK,YAAY,QAAQ,WAAW,eAAe,EACnD,aACA,SACA,UACA,KAAK,aAAa,MAAM,EACxB,iBAAiB,QAAQ,MAAM,UAAU,OAAO,MAAM,CACvD;IACD,MAAM,YAAY,KAAK,YAAY,OAAO,QAAQ;AAClD,QAAI,CAAC,aAAa,WAAW,KAAK,YAChC,QAAO;KACL,SAAS;KACT,OAAO;MACL,MAAM,KAAK,aAAa,MAAM;MAC9B,SAAS,iBAAiB,QAAQ,MAAM,UAAU,OAAO,MAAM;MAC/D;MACA,OAAO;MACR;KACD,UAAU;MACR,WAAW;MACX,cAAc,YAAY,WAAW,KAAK;MAC1C,eAAe,YAAY,WAAW;MACtC,UAAU;MACX;KACF;AAEH,UAAM,KAAK,MAAM,KAAK,UAAU;;;AAIpC,SAAO;GACL,SAAS;GACT,OAAO;IACL,MAAM;IACN,SAAS;IACT,WAAW;IACZ;GACD,UAAU;IACR,WAAW,YAAY,KAAK,GAAG;IAC/B,cAAc,YAAY,WAAW,KAAK;IAC1C,eAAe,YAAY,WAAW;IACtC,UAAU,KAAK;IAChB;GACF;;CAGH,AAAQ,gBACN,QACA,QACiC;AACjC,SAAO,OAAO,aAAa,MACxB,gBAAgB,YAAY,KAAK,WAAW,OAC9C;;CAGH,MAAc,aACZ,YACiC;AACjC,MAAI,CAAC,KAAK,eAAe,UAAU,WAAW,UAAU,CACtD,OAAM,IAAI,MACR,oBAAoB,KAAK,eAAe,GAAG,6BAA6B,WAAW,UAAU,IAC9F;EAEH,MAAM,SAAS,MAAM,KAAK,eAAe,UAAU,WAAW,UAAU;AACxE,SAAO,KAAK,YAAY,OAAO;;CAGjC,AAAQ,YAAY,QAA6C;EAC/D,MAAM,OAAO,IAAI,aAAa,CAAC,OAAO,OAAO,KAAK;AAClD,MAAI;GACF,MAAM,SAAS,KAAK,MAAM,KAAK;AAC/B,OAAI,UAAU,OAAO,WAAW,YAAY,CAAC,MAAM,QAAQ,OAAO,EAAE;IAClE,MAAM,UAAU,OAAO,QAAQ,OAAO,CAAC,QACpC,GAAG,WACF,OAAO,UAAU,YACjB,OAAO,UAAU,YACjB,OAAO,UAAU,UACpB;AACD,WAAO,OAAO,YACZ,QAAQ,KAAK,CAAC,KAAK,WAAW,CAAC,KAAK,OAAO,MAAM,CAAC,CAAC,CACpD;;UAEG;AAGR,SAAO,EAAE,QAAQ,MAAM;;CAGzB,AAAQ,cACN,SACA,aACA,QACA,YACA,WACA,cACA;AACA,MAAI,CAAC,KAAK,aAAa,CAAC,YAAa;AACrC,OAAK,UAAU,OAAO;GACpB,UAAU,QAAQ;GAClB,OAAO,QAAQ;GACf,aAAa,QAAQ;GACrB,QAAQ,QAAQ;GAChB,gBAAgB,YAAY,WAAW,KAAK;GAC5C,oBAAoB,YAAY,WAAW,KAAK;GAChD,cAAc,YAAY,WAAW,KAAK;GAC1C;GACA;GACA;GACA;GACA,YAAY,KAAK,KAAK;GACtB,UAAU;IACR,WAAW,GAAG,QAAQ,cAAc,IAAI,QAAQ;IAChD,eAAe,QAAQ;IACvB,WAAW,QAAQ;IACpB;GACF,CAAC;;CAGJ,AAAQ,QACN,SACA,aACA,OACA,UAC0B;AAC1B,MAAI,YACF,MAAK,cACH,SACA,aACA,SACA,GACA,MAAM,MACN,MAAM,QACP;AAEH,SAAO;GACL,SAAS;GACT;GACA,UAAU;IACR,WAAW;IACX,cAAc,aAAa,WAAW,KAAK,MAAM;IACjD,eAAe,aAAa,WAAW,iBAAiB;IACxD;IACD;GACF;;CAGH,AAAQ,YACN,QACA,WACA,QACwB;AACxB,SAAO;GACL,UAAU,OAAO;GACjB,OAAO,OAAO;GACd,aAAa,OAAO;GACpB,eAAe,OAAO;GACtB,kBAAkB,OAAO;GACzB,eAAe,OAAO;GACtB;GACA;GACD;;CAGH,AAAQ,aAAa,OAAwB;AAC3C,MACE,OAAO,UAAU,YACjB,UAAU,QACV,UAAU,SACV,OAAQ,MAA6B,SAAS,SAE9C,QAAQ,MAA2B;AAErC,SAAO;;;AAIX,SAAgB,sBAAsB,aAAwC;CAC5E,MAAM,SAAS,YAAY,WAAW;AACtC,KAAI,WAAW,kBAAkB,WAAW,QAC1C,OAAM,IAAI,MACR,2BAA2B,YAAY,WAAW,KAAK,MAAM,kBAAkB,OAAO,IACvF;;AAIL,SAAgB,sBAAsB,QAAkC;AACtE,SAAQ,QAAR;EACE,KAAK,YACH,QAAO;EACT,KAAK,eACH,QAAO;EACT,KAAK,QACH,QAAO;EACT,KAAK;EACL,QACE,QAAO"}

package/dist/secrets/env-secret-provider.d.ts ADDED Viewed

@@ -0,0 +1,32 @@
+import { SecretProvider, SecretReference, SecretRotationResult, SecretValue, SecretWritePayload } from "./provider.js";
+//#region src/secrets/env-secret-provider.d.ts
+interface EnvSecretProviderOptions {
+  /**
+   * Optional map to alias secret references to environment variable names.
+   * Useful when referencing secrets from other providers (e.g. gcp://...)
+   * while still allowing local overrides.
+   */
+  aliases?: Record<string, string>;
+}
+/**
+ * Environment-variable backed secret provider. Read-only by design.
+ * Allows overriding other secret providers by deriving environment variable
+ * names from secret references (or by using explicit aliases).
+ */
+declare class EnvSecretProvider implements SecretProvider {
+  readonly id = "env";
+  private readonly aliases;
+  constructor(options?: EnvSecretProviderOptions);
+  canHandle(reference: SecretReference): boolean;
+  getSecret(reference: SecretReference): Promise<SecretValue>;
+  setSecret(reference: SecretReference, _payload: SecretWritePayload): Promise<SecretRotationResult>;
+  rotateSecret(reference: SecretReference, _payload: SecretWritePayload): Promise<SecretRotationResult>;
+  deleteSecret(reference: SecretReference): Promise<void>;
+  private resolveEnvKey;
+  private deriveEnvKey;
+  private forbiddenError;
+}
+//#endregion
+export { EnvSecretProvider };
+//# sourceMappingURL=env-secret-provider.d.ts.map

package/dist/secrets/env-secret-provider.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"env-secret-provider.d.ts","names":[],"sources":["../../src/secrets/env-secret-provider.ts"],"sourcesContent":[],"mappings":";;;UASU,wBAAA;;AAHU;AAiBpB;;;EAc6B,OAAA,CAAA,EAtBjB,MAsBiB,CAAA,MAAA,EAAA,MAAA,CAAA;;;;;;;AAwCd,cAtDF,iBAAA,YAA6B,cAsD3B,CAAA;EACD,SAAA,EAAA,GAAA,KAAA;EACD,iBAAA,OAAA;EAAR,WAAA,CAAA,OAAA,CAAA,EAnDkB,wBAmDlB;EAI2B,SAAA,CAAA,SAAA,EAnDT,eAmDS,CAAA,EAAA,OAAA;EAAkB,SAAA,CAAA,SAAA,EA9CrB,eA8CqB,CAAA,EA9CH,OA8CG,CA9CK,WA8CL,CAAA;EA5DR,SAAA,CAAA,SAAA,EA+C3B,eA/C2B,EAAA,QAAA,EAgD5B,kBAhD4B,CAAA,EAiDrC,OAjDqC,CAiD7B,oBAjD6B,CAAA;EAAc,YAAA,CAAA,SAAA,EAsDzC,eAtDyC,EAAA,QAAA,EAuD1C,kBAvD0C,CAAA,EAwDnD,OAxDmD,CAwD3C,oBAxD2C,CAAA;0BA4DxB,kBAAkB"}

package/dist/secrets/env-secret-provider.js ADDED Viewed

@@ -0,0 +1,82 @@
+import { SecretProviderError, parseSecretUri } from "./provider.js";
+//#region src/secrets/env-secret-provider.ts
+/**
+* Environment-variable backed secret provider. Read-only by design.
+* Allows overriding other secret providers by deriving environment variable
+* names from secret references (or by using explicit aliases).
+*/
+var EnvSecretProvider = class {
+	id = "env";
+	aliases;
+	constructor(options = {}) {
+		this.aliases = options.aliases ?? {};
+	}
+	canHandle(reference) {
+		const envKey = this.resolveEnvKey(reference);
+		return envKey !== void 0 && process.env[envKey] !== void 0;
+	}
+	async getSecret(reference) {
+		const envKey = this.resolveEnvKey(reference);
+		if (!envKey) throw new SecretProviderError({
+			message: `Unable to resolve environment variable for reference "${reference}".`,
+			provider: this.id,
+			reference,
+			code: "INVALID"
+		});
+		const value = process.env[envKey];
+		if (value === void 0) throw new SecretProviderError({
+			message: `Environment variable "${envKey}" not found for reference "${reference}".`,
+			provider: this.id,
+			reference,
+			code: "NOT_FOUND"
+		});
+		return {
+			data: Buffer.from(value, "utf-8"),
+			version: "current",
+			metadata: {
+				source: "env",
+				envKey
+			},
+			retrievedAt: /* @__PURE__ */ new Date()
+		};
+	}
+	async setSecret(reference, _payload) {
+		throw this.forbiddenError("setSecret", reference);
+	}
+	async rotateSecret(reference, _payload) {
+		throw this.forbiddenError("rotateSecret", reference);
+	}
+	async deleteSecret(reference) {
+		throw this.forbiddenError("deleteSecret", reference);
+	}
+	resolveEnvKey(reference) {
+		if (!reference) return;
+		if (this.aliases[reference]) return this.aliases[reference];
+		if (!reference.includes("://")) return reference;
+		try {
+			const parsed = parseSecretUri(reference);
+			if (parsed.provider === "env") return parsed.path;
+			if (parsed.extras?.env) return parsed.extras.env;
+			return this.deriveEnvKey(parsed.path);
+		} catch {
+			return reference;
+		}
+	}
+	deriveEnvKey(path) {
+		if (!path) return void 0;
+		return path.split(/[/:\-.]/).filter(Boolean).map((segment) => segment.replace(/[^a-zA-Z0-9]/g, "_").replace(/_{2,}/g, "_").toUpperCase()).join("_");
+	}
+	forbiddenError(operation, reference) {
+		return new SecretProviderError({
+			message: `EnvSecretProvider is read-only. "${operation}" is not allowed for ${reference}.`,
+			provider: this.id,
+			reference,
+			code: "FORBIDDEN"
+		});
+	}
+};
+//#endregion
+export { EnvSecretProvider };
+//# sourceMappingURL=env-secret-provider.js.map

package/dist/secrets/env-secret-provider.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"env-secret-provider.js","names":[],"sources":["../../src/secrets/env-secret-provider.ts"],"sourcesContent":["import type {\n SecretProvider,\n SecretReference,\n SecretRotationResult,\n SecretValue,\n SecretWritePayload,\n} from './provider';\nimport { parseSecretUri, SecretProviderError } from './provider';\n\ninterface EnvSecretProviderOptions {\n /**\n * Optional map to alias secret references to environment variable names.\n * Useful when referencing secrets from other providers (e.g. gcp://...)\n * while still allowing local overrides.\n */\n aliases?: Record<string, string>;\n}\n\n/**\n * Environment-variable backed secret provider. Read-only by design.\n * Allows overriding other secret providers by deriving environment variable\n * names from secret references (or by using explicit aliases).\n */\nexport class EnvSecretProvider implements SecretProvider {\n readonly id = 'env';\n\n private readonly aliases: Record<string, string>;\n\n constructor(options: EnvSecretProviderOptions = {}) {\n this.aliases = options.aliases ?? {};\n }\n\n canHandle(reference: SecretReference): boolean {\n const envKey = this.resolveEnvKey(reference);\n return envKey !== undefined && process.env[envKey] !== undefined;\n }\n\n async getSecret(reference: SecretReference): Promise<SecretValue> {\n const envKey = this.resolveEnvKey(reference);\n if (!envKey) {\n throw new SecretProviderError({\n message: `Unable to resolve environment variable for reference \"${reference}\".`,\n provider: this.id,\n reference,\n code: 'INVALID',\n });\n }\n\n const value = process.env[envKey];\n if (value === undefined) {\n throw new SecretProviderError({\n message: `Environment variable \"${envKey}\" not found for reference \"${reference}\".`,\n provider: this.id,\n reference,\n code: 'NOT_FOUND',\n });\n }\n\n return {\n data: Buffer.from(value, 'utf-8'),\n version: 'current',\n metadata: {\n source: 'env',\n envKey,\n },\n retrievedAt: new Date(),\n };\n }\n\n async setSecret(\n reference: SecretReference,\n _payload: SecretWritePayload\n ): Promise<SecretRotationResult> {\n throw this.forbiddenError('setSecret', reference);\n }\n\n async rotateSecret(\n reference: SecretReference,\n _payload: SecretWritePayload\n ): Promise<SecretRotationResult> {\n throw this.forbiddenError('rotateSecret', reference);\n }\n\n async deleteSecret(reference: SecretReference): Promise<void> {\n throw this.forbiddenError('deleteSecret', reference);\n }\n\n private resolveEnvKey(reference: SecretReference): string | undefined {\n if (!reference) {\n return undefined;\n }\n\n if (this.aliases[reference]) {\n return this.aliases[reference];\n }\n\n if (!reference.includes('://')) {\n return reference;\n }\n\n try {\n const parsed = parseSecretUri(reference);\n if (parsed.provider === 'env') {\n return parsed.path;\n }\n\n if (parsed.extras?.env) {\n return parsed.extras.env;\n }\n\n return this.deriveEnvKey(parsed.path);\n } catch {\n return reference;\n }\n }\n\n private deriveEnvKey(path: string): string | undefined {\n if (!path) return undefined;\n return path\n .split(/[/:\\-.]/)\n .filter(Boolean)\n .map((segment) =>\n segment\n .replace(/[^a-zA-Z0-9]/g, '_')\n .replace(/_{2,}/g, '_')\n .toUpperCase()\n )\n .join('_');\n }\n\n private forbiddenError(\n operation: string,\n reference: SecretReference\n ): SecretProviderError {\n return new SecretProviderError({\n message: `EnvSecretProvider is read-only. \"${operation}\" is not allowed for ${reference}.`,\n provider: this.id,\n reference,\n code: 'FORBIDDEN',\n });\n }\n}\n"],"mappings":";;;;;;;;AAuBA,IAAa,oBAAb,MAAyD;CACvD,AAAS,KAAK;CAEd,AAAiB;CAEjB,YAAY,UAAoC,EAAE,EAAE;AAClD,OAAK,UAAU,QAAQ,WAAW,EAAE;;CAGtC,UAAU,WAAqC;EAC7C,MAAM,SAAS,KAAK,cAAc,UAAU;AAC5C,SAAO,WAAW,UAAa,QAAQ,IAAI,YAAY;;CAGzD,MAAM,UAAU,WAAkD;EAChE,MAAM,SAAS,KAAK,cAAc,UAAU;AAC5C,MAAI,CAAC,OACH,OAAM,IAAI,oBAAoB;GAC5B,SAAS,yDAAyD,UAAU;GAC5E,UAAU,KAAK;GACf;GACA,MAAM;GACP,CAAC;EAGJ,MAAM,QAAQ,QAAQ,IAAI;AAC1B,MAAI,UAAU,OACZ,OAAM,IAAI,oBAAoB;GAC5B,SAAS,yBAAyB,OAAO,6BAA6B,UAAU;GAChF,UAAU,KAAK;GACf;GACA,MAAM;GACP,CAAC;AAGJ,SAAO;GACL,MAAM,OAAO,KAAK,OAAO,QAAQ;GACjC,SAAS;GACT,UAAU;IACR,QAAQ;IACR;IACD;GACD,6BAAa,IAAI,MAAM;GACxB;;CAGH,MAAM,UACJ,WACA,UAC+B;AAC/B,QAAM,KAAK,eAAe,aAAa,UAAU;;CAGnD,MAAM,aACJ,WACA,UAC+B;AAC/B,QAAM,KAAK,eAAe,gBAAgB,UAAU;;CAGtD,MAAM,aAAa,WAA2C;AAC5D,QAAM,KAAK,eAAe,gBAAgB,UAAU;;CAGtD,AAAQ,cAAc,WAAgD;AACpE,MAAI,CAAC,UACH;AAGF,MAAI,KAAK,QAAQ,WACf,QAAO,KAAK,QAAQ;AAGtB,MAAI,CAAC,UAAU,SAAS,MAAM,CAC5B,QAAO;AAGT,MAAI;GACF,MAAM,SAAS,eAAe,UAAU;AACxC,OAAI,OAAO,aAAa,MACtB,QAAO,OAAO;AAGhB,OAAI,OAAO,QAAQ,IACjB,QAAO,OAAO,OAAO;AAGvB,UAAO,KAAK,aAAa,OAAO,KAAK;UAC/B;AACN,UAAO;;;CAIX,AAAQ,aAAa,MAAkC;AACrD,MAAI,CAAC,KAAM,QAAO;AAClB,SAAO,KACJ,MAAM,UAAU,CAChB,OAAO,QAAQ,CACf,KAAK,YACJ,QACG,QAAQ,iBAAiB,IAAI,CAC7B,QAAQ,UAAU,IAAI,CACtB,aAAa,CACjB,CACA,KAAK,IAAI;;CAGd,AAAQ,eACN,WACA,WACqB;AACrB,SAAO,IAAI,oBAAoB;GAC7B,SAAS,oCAAoC,UAAU,uBAAuB,UAAU;GACxF,UAAU,KAAK;GACf;GACA,MAAM;GACP,CAAC"}