@lssm/lib.contracts 0.0.0-canary-20251217062943 → 0.0.0-canary-20251217072406

package/dist/integrations/runtime.js

@@ -1 +1,186 @@
-import{performance as e}from"node:perf_hooks";var t=class{telemetry;maxAttempts;backoffMs;shouldRetry;sleep;now;constructor(e,t={}){this.secretProvider=e,this.telemetry=t.telemetry,this.maxAttempts=Math.max(1,t.maxAttempts??3),this.backoffMs=t.backoffMs??250,this.shouldRetry=t.shouldRetry??(e=>typeof e==`object`&&!!e&&`retryable`in e&&!!e.retryable),this.sleep=t.sleep??(e=>e<=0?Promise.resolve():new Promise(t=>setTimeout(t,e))),this.now=t.now??(()=>new Date)}async executeWithGuards(t,n,r,i,a){let o=this.findIntegration(t,i);if(!o)return this.failure({tenantId:i.tenantId,appId:i.appId,environment:i.environment,blueprintName:i.blueprintName,blueprintVersion:i.blueprintVersion,configVersion:i.configVersion,slotId:t,operation:n},void 0,{code:`SLOT_NOT_BOUND`,message:`Integration slot "${t}" is not bound for tenant "${i.tenantId}".`,retryable:!1},0);let s=o.connection.status;if(s===`disconnected`||s===`error`)return this.failure(this.makeContext(t,n,i),o,{code:`CONNECTION_NOT_READY`,message:`Integration connection "${o.connection.meta.label}" is in status "${s}".`,retryable:!1},0);let c=await this.fetchSecrets(o.connection),l=0,u=e.now();for(;l<this.maxAttempts;){l+=1;try{let r=await a(o.connection,c),s=e.now()-u;return this.emitTelemetry(this.makeContext(t,n,i),o,`success`,s),{success:!0,data:r,metadata:{latencyMs:s,connectionId:o.connection.meta.id,ownershipMode:o.connection.ownershipMode,attempts:l}}}catch(r){let a=e.now()-u;this.emitTelemetry(this.makeContext(t,n,i),o,`error`,a,this.errorCodeFor(r),r instanceof Error?r.message:String(r));let s=this.shouldRetry(r,l);if(!s||l>=this.maxAttempts)return{success:!1,error:{code:this.errorCodeFor(r),message:r instanceof Error?r.message:String(r),retryable:s,cause:r},metadata:{latencyMs:a,connectionId:o.connection.meta.id,ownershipMode:o.connection.ownershipMode,attempts:l}};await this.sleep(this.backoffMs)}}return{success:!1,error:{code:`UNKNOWN_ERROR`,message:`Integration call failed after retries.`,retryable:!1},metadata:{latencyMs:e.now()-u,connectionId:o.connection.meta.id,ownershipMode:o.connection.ownershipMode,attempts:this.maxAttempts}}}findIntegration(e,t){return t.integrations.find(t=>t.slot.slotId===e)}async fetchSecrets(e){if(!this.secretProvider.canHandle(e.secretRef))throw Error(`Secret provider "${this.secretProvider.id}" cannot handle reference "${e.secretRef}".`);let t=await this.secretProvider.getSecret(e.secretRef);return this.parseSecret(t)}parseSecret(e){let t=new TextDecoder().decode(e.data);try{let e=JSON.parse(t);if(e&&typeof e==`object`&&!Array.isArray(e)){let t=Object.entries(e).filter(([,e])=>typeof e==`string`||typeof e==`number`||typeof e==`boolean`);return Object.fromEntries(t.map(([e,t])=>[e,String(t)]))}}catch{}return{secret:t}}emitTelemetry(e,t,n,r,i,a){!this.telemetry||!t||this.telemetry.record({tenantId:e.tenantId,appId:e.appId,environment:e.environment,slotId:e.slotId,integrationKey:t.connection.meta.integrationKey,integrationVersion:t.connection.meta.integrationVersion,connectionId:t.connection.meta.id,status:n,durationMs:r,errorCode:i,errorMessage:a,occurredAt:this.now(),metadata:{blueprint:`${e.blueprintName}.v${e.blueprintVersion}`,configVersion:e.configVersion,operation:e.operation}})}failure(e,t,n,r){return t&&this.emitTelemetry(e,t,`error`,0,n.code,n.message),{success:!1,error:n,metadata:{latencyMs:0,connectionId:t?.connection.meta.id??`unknown`,ownershipMode:t?.connection.ownershipMode??`managed`,attempts:r}}}makeContext(e,t,n){return{tenantId:n.tenantId,appId:n.appId,environment:n.environment,blueprintName:n.blueprintName,blueprintVersion:n.blueprintVersion,configVersion:n.configVersion,slotId:e,operation:t}}errorCodeFor(e){return typeof e==`object`&&e&&`code`in e&&typeof e.code==`string`?e.code:`PROVIDER_ERROR`}};function n(e){let t=e.connection.status;if(t===`disconnected`||t===`error`)throw Error(`Integration connection "${e.connection.meta.label}" is in status "${t}".`)}function r(e){switch(e){case`connected`:return`connected`;case`disconnected`:return`disconnected`;case`error`:return`error`;case`unknown`:default:return`unknown`}}export{t as IntegrationCallGuard,r as connectionStatusLabel,n as ensureConnectionReady};
+import { performance } from "node:perf_hooks";
+
+//#region src/integrations/runtime.ts
+const DEFAULT_MAX_ATTEMPTS = 3;
+const DEFAULT_BACKOFF_MS = 250;
+var IntegrationCallGuard = class {
+	telemetry;
+	maxAttempts;
+	backoffMs;
+	shouldRetry;
+	sleep;
+	now;
+	constructor(secretProvider, options = {}) {
+		this.secretProvider = secretProvider;
+		this.telemetry = options.telemetry;
+		this.maxAttempts = Math.max(1, options.maxAttempts ?? DEFAULT_MAX_ATTEMPTS);
+		this.backoffMs = options.backoffMs ?? DEFAULT_BACKOFF_MS;
+		this.shouldRetry = options.shouldRetry ?? ((error) => typeof error === "object" && error !== null && "retryable" in error && Boolean(error.retryable));
+		this.sleep = options.sleep ?? ((ms) => ms <= 0 ? Promise.resolve() : new Promise((resolve) => setTimeout(resolve, ms)));
+		this.now = options.now ?? (() => /* @__PURE__ */ new Date());
+	}
+	async executeWithGuards(slotId, operation, input, resolvedConfig, executor) {
+		const integration = this.findIntegration(slotId, resolvedConfig);
+		if (!integration) return this.failure({
+			tenantId: resolvedConfig.tenantId,
+			appId: resolvedConfig.appId,
+			environment: resolvedConfig.environment,
+			blueprintName: resolvedConfig.blueprintName,
+			blueprintVersion: resolvedConfig.blueprintVersion,
+			configVersion: resolvedConfig.configVersion,
+			slotId,
+			operation
+		}, void 0, {
+			code: "SLOT_NOT_BOUND",
+			message: `Integration slot "${slotId}" is not bound for tenant "${resolvedConfig.tenantId}".`,
+			retryable: false
+		}, 0);
+		const status = integration.connection.status;
+		if (status === "disconnected" || status === "error") return this.failure(this.makeContext(slotId, operation, resolvedConfig), integration, {
+			code: "CONNECTION_NOT_READY",
+			message: `Integration connection "${integration.connection.meta.label}" is in status "${status}".`,
+			retryable: false
+		}, 0);
+		const secrets = await this.fetchSecrets(integration.connection);
+		let attempt = 0;
+		const started = performance.now();
+		while (attempt < this.maxAttempts) {
+			attempt += 1;
+			try {
+				const data = await executor(integration.connection, secrets);
+				const duration = performance.now() - started;
+				this.emitTelemetry(this.makeContext(slotId, operation, resolvedConfig), integration, "success", duration);
+				return {
+					success: true,
+					data,
+					metadata: {
+						latencyMs: duration,
+						connectionId: integration.connection.meta.id,
+						ownershipMode: integration.connection.ownershipMode,
+						attempts: attempt
+					}
+				};
+			} catch (error) {
+				const duration = performance.now() - started;
+				this.emitTelemetry(this.makeContext(slotId, operation, resolvedConfig), integration, "error", duration, this.errorCodeFor(error), error instanceof Error ? error.message : String(error));
+				const retryable = this.shouldRetry(error, attempt);
+				if (!retryable || attempt >= this.maxAttempts) return {
+					success: false,
+					error: {
+						code: this.errorCodeFor(error),
+						message: error instanceof Error ? error.message : String(error),
+						retryable,
+						cause: error
+					},
+					metadata: {
+						latencyMs: duration,
+						connectionId: integration.connection.meta.id,
+						ownershipMode: integration.connection.ownershipMode,
+						attempts: attempt
+					}
+				};
+				await this.sleep(this.backoffMs);
+			}
+		}
+		return {
+			success: false,
+			error: {
+				code: "UNKNOWN_ERROR",
+				message: "Integration call failed after retries.",
+				retryable: false
+			},
+			metadata: {
+				latencyMs: performance.now() - started,
+				connectionId: integration.connection.meta.id,
+				ownershipMode: integration.connection.ownershipMode,
+				attempts: this.maxAttempts
+			}
+		};
+	}
+	findIntegration(slotId, config) {
+		return config.integrations.find((integration) => integration.slot.slotId === slotId);
+	}
+	async fetchSecrets(connection) {
+		if (!this.secretProvider.canHandle(connection.secretRef)) throw new Error(`Secret provider "${this.secretProvider.id}" cannot handle reference "${connection.secretRef}".`);
+		const secret = await this.secretProvider.getSecret(connection.secretRef);
+		return this.parseSecret(secret);
+	}
+	parseSecret(secret) {
+		const text = new TextDecoder().decode(secret.data);
+		try {
+			const parsed = JSON.parse(text);
+			if (parsed && typeof parsed === "object" && !Array.isArray(parsed)) {
+				const entries = Object.entries(parsed).filter(([, value]) => typeof value === "string" || typeof value === "number" || typeof value === "boolean");
+				return Object.fromEntries(entries.map(([key, value]) => [key, String(value)]));
+			}
+		} catch {}
+		return { secret: text };
+	}
+	emitTelemetry(context, integration, status, durationMs, errorCode, errorMessage) {
+		if (!this.telemetry || !integration) return;
+		this.telemetry.record({
+			tenantId: context.tenantId,
+			appId: context.appId,
+			environment: context.environment,
+			slotId: context.slotId,
+			integrationKey: integration.connection.meta.integrationKey,
+			integrationVersion: integration.connection.meta.integrationVersion,
+			connectionId: integration.connection.meta.id,
+			status,
+			durationMs,
+			errorCode,
+			errorMessage,
+			occurredAt: this.now(),
+			metadata: {
+				blueprint: `${context.blueprintName}.v${context.blueprintVersion}`,
+				configVersion: context.configVersion,
+				operation: context.operation
+			}
+		});
+	}
+	failure(context, integration, error, attempts) {
+		if (integration) this.emitTelemetry(context, integration, "error", 0, error.code, error.message);
+		return {
+			success: false,
+			error,
+			metadata: {
+				latencyMs: 0,
+				connectionId: integration?.connection.meta.id ?? "unknown",
+				ownershipMode: integration?.connection.ownershipMode ?? "managed",
+				attempts
+			}
+		};
+	}
+	makeContext(slotId, operation, config) {
+		return {
+			tenantId: config.tenantId,
+			appId: config.appId,
+			environment: config.environment,
+			blueprintName: config.blueprintName,
+			blueprintVersion: config.blueprintVersion,
+			configVersion: config.configVersion,
+			slotId,
+			operation
+		};
+	}
+	errorCodeFor(error) {
+		if (typeof error === "object" && error !== null && "code" in error && typeof error.code === "string") return error.code;
+		return "PROVIDER_ERROR";
+	}
+};
+function ensureConnectionReady(integration) {
+	const status = integration.connection.status;
+	if (status === "disconnected" || status === "error") throw new Error(`Integration connection "${integration.connection.meta.label}" is in status "${status}".`);
+}
+function connectionStatusLabel(status) {
+	switch (status) {
+		case "connected": return "connected";
+		case "disconnected": return "disconnected";
+		case "error": return "error";
+		case "unknown":
+		default: return "unknown";
+	}
+}
+
+//#endregion
+export { IntegrationCallGuard, connectionStatusLabel, ensureConnectionReady };

package/dist/integrations/secrets/aws-secret-manager.js

@@ -1 +1,231 @@
-import{SecretProviderError as e,normalizeSecretPayload as t,parseSecretUri as n}from"./provider.js";import{Buffer as r}from"node:buffer";import{CreateSecretCommand as i,DeleteSecretCommand as a,GetSecretValueCommand as o,PutSecretValueCommand as s,SecretsManagerClient as c}from"@aws-sdk/client-secrets-manager";var l=class{id=`aws-secrets-manager`;explicitRegion;injectedClient;clientConfig;clientsByRegion=new Map;constructor(e={}){this.explicitRegion=e.region,this.injectedClient=e.client,this.clientConfig=e.clientConfig}canHandle(e){try{let t=n(e);return t.provider===`aws`&&(t.path===`secretsmanager`||t.path.startsWith(`secretsmanager/`))}catch{return!1}}async getSecret(e,t){let n=this.parseReference(e),r=this.getClient(n.region),i=t?.version??n.stage??n.version,a={SecretId:n.secretId,...this.buildVersionSelector(i)};try{let t=await r.send(new o(a));return{data:u(t,e,this.id),version:typeof t.VersionId==`string`&&t.VersionId?t.VersionId:i,metadata:{region:n.region,secretId:n.secretId,...i?{requestedVersion:i}:{}},retrievedAt:new Date}}catch(t){throw p({error:t,provider:this.id,reference:e,operation:`getSecret`})}}async setSecret(n,r){let a=this.parseReference(n),o=this.getClient(a.region),c=t(r);try{let e=await o.send(new s({SecretId:a.secretId,SecretBinary:c})),t=typeof e.VersionId==`string`&&e.VersionId?e.VersionId:`latest`;return{reference:this.buildReference(a.region,a.secretId,{version:t}),version:t}}catch(t){if(!f(t))throw p({error:t,provider:this.id,reference:n,operation:`putSecretValue`});if(d(a.secretId))throw new e({message:`Secret not found: ${a.secretId}`,provider:this.id,reference:n,code:`NOT_FOUND`,cause:t});try{let e=await o.send(new i({Name:a.secretId,SecretBinary:c})),t=typeof e.VersionId==`string`&&e.VersionId?e.VersionId:`latest`;return{reference:this.buildReference(a.region,a.secretId,{version:t}),version:t}}catch(e){throw p({error:e,provider:this.id,reference:n,operation:`createSecret`})}}}async rotateSecret(e,t){return this.setSecret(e,t)}async deleteSecret(e){let t=this.parseReference(e),n=this.getClient(t.region);try{await n.send(new a({SecretId:t.secretId,RecoveryWindowInDays:7}))}catch(t){throw p({error:t,provider:this.id,reference:e,operation:`deleteSecret`})}}getClient(e){if(this.injectedClient)return this.injectedClient;let t=this.clientsByRegion.get(e);if(t)return t;let n=new c({...this.clientConfig??{},region:e});return this.clientsByRegion.set(e,n),n}parseReference(t){let r=n(t);if(r.provider!==`aws`)throw new e({message:`Unsupported secret provider: ${r.provider}`,provider:this.id,reference:t,code:`INVALID`});let i=r.path.split(`/`).filter(Boolean);if(i.length<3||i[0]!==`secretsmanager`)throw new e({message:`Expected secret reference format aws://secretsmanager/{region}/{secretIdOrArn}[?version=...]`,provider:this.id,reference:t,code:`INVALID`});let a=i[1],o=this.resolveRegion(a),s=i.slice(2).join(`/`);if(!s)throw new e({message:`Unable to resolve secret id from reference "${r.path}"`,provider:this.id,reference:t,code:`INVALID`});return{region:o,secretId:s,version:r.extras?.version,stage:r.extras?.stage}}resolveRegion(t){let n=t??this.explicitRegion??process.env.AWS_REGION??process.env.AWS_DEFAULT_REGION;if(!n)throw new e({message:`AWS region must be provided either in reference (aws://secretsmanager/{region}/...) or via AWS_REGION/AWS_DEFAULT_REGION.`,provider:this.id,reference:`aws://secretsmanager//`,code:`INVALID`});return n}buildVersionSelector(e){return e?e===`latest`||e===`current`?{VersionStage:`AWSCURRENT`}:e.startsWith(`AWS`)?{VersionStage:e}:{VersionId:e}:{}}buildReference(e,t,n){let r=`aws://secretsmanager/${e}/${t}`,i=n?Object.entries(n).filter(([,e])=>!!e).map(([e,t])=>`${encodeURIComponent(e)}=${encodeURIComponent(t)}`).join(`&`):``;return i?`${r}?${i}`:r}};function u(t,n,i){if(!t||typeof t!=`object`)throw new e({message:`Invalid AWS Secrets Manager response`,provider:i,reference:n,code:`UNKNOWN`,cause:t});let a=t;if(a.SecretBinary instanceof Uint8Array)return a.SecretBinary;if(typeof a.SecretBinary==`string`)return r.from(a.SecretBinary,`base64`);if(typeof a.SecretString==`string`)return r.from(a.SecretString,`utf-8`);throw new e({message:`AWS secret value is empty`,provider:i,reference:n,code:`NOT_FOUND`,cause:t})}function d(e){return e.startsWith(`arn:aws:secretsmanager:`)}function f(e){if(!e||typeof e!=`object`)return!1;let t=e;return typeof t.$metadata?.httpStatusCode==`number`?t.$metadata.httpStatusCode===404:t.name===`ResourceNotFoundException`}function p(t){let{error:n,provider:r,reference:i,operation:a}=t;if(n instanceof e)return n;let o=typeof n==`object`&&!!n&&`$metadata`in n&&typeof n.$metadata==`object`&&n.$metadata?.httpStatusCode,s=o===404?`NOT_FOUND`:o===401||o===403?`FORBIDDEN`:o===400?`INVALID`:`UNKNOWN`;return new e({message:n instanceof Error?n.message:`Unknown error during ${a}`,provider:r,reference:i,code:s,cause:n})}export{l as AwsSecretsManagerProvider};
+import { SecretProviderError, normalizeSecretPayload, parseSecretUri } from "./provider.js";
+import { Buffer } from "node:buffer";
+import { CreateSecretCommand, DeleteSecretCommand, GetSecretValueCommand, PutSecretValueCommand, SecretsManagerClient } from "@aws-sdk/client-secrets-manager";
+
+//#region src/integrations/secrets/aws-secret-manager.ts
+const DEFAULT_DELETE_RECOVERY_DAYS = 7;
+var AwsSecretsManagerProvider = class {
+	id = "aws-secrets-manager";
+	explicitRegion;
+	injectedClient;
+	clientConfig;
+	clientsByRegion = /* @__PURE__ */ new Map();
+	constructor(options = {}) {
+		this.explicitRegion = options.region;
+		this.injectedClient = options.client;
+		this.clientConfig = options.clientConfig;
+	}
+	canHandle(reference) {
+		try {
+			const parsed = parseSecretUri(reference);
+			return parsed.provider === "aws" && (parsed.path === "secretsmanager" || parsed.path.startsWith("secretsmanager/"));
+		} catch {
+			return false;
+		}
+	}
+	async getSecret(reference, options) {
+		const location = this.parseReference(reference);
+		const client = this.getClient(location.region);
+		const requestedVersion = options?.version ?? location.stage ?? location.version;
+		const input = {
+			SecretId: location.secretId,
+			...this.buildVersionSelector(requestedVersion)
+		};
+		try {
+			const result = await client.send(new GetSecretValueCommand(input));
+			return {
+				data: extractAwsSecretBytes(result, reference, this.id),
+				version: typeof result.VersionId === "string" && result.VersionId ? result.VersionId : requestedVersion,
+				metadata: {
+					region: location.region,
+					secretId: location.secretId,
+					...requestedVersion ? { requestedVersion } : {}
+				},
+				retrievedAt: /* @__PURE__ */ new Date()
+			};
+		} catch (error) {
+			throw toAwsSecretProviderError({
+				error,
+				provider: this.id,
+				reference,
+				operation: "getSecret"
+			});
+		}
+	}
+	async setSecret(reference, payload) {
+		const location = this.parseReference(reference);
+		const client = this.getClient(location.region);
+		const bytes = normalizeSecretPayload(payload);
+		try {
+			const result = await client.send(new PutSecretValueCommand({
+				SecretId: location.secretId,
+				SecretBinary: bytes
+			}));
+			const versionId = typeof result.VersionId === "string" && result.VersionId ? result.VersionId : "latest";
+			return {
+				reference: this.buildReference(location.region, location.secretId, { version: versionId }),
+				version: versionId
+			};
+		} catch (error) {
+			if (!isAwsNotFound(error)) throw toAwsSecretProviderError({
+				error,
+				provider: this.id,
+				reference,
+				operation: "putSecretValue"
+			});
+			if (looksLikeAwsArn(location.secretId)) throw new SecretProviderError({
+				message: `Secret not found: ${location.secretId}`,
+				provider: this.id,
+				reference,
+				code: "NOT_FOUND",
+				cause: error
+			});
+			try {
+				const created = await client.send(new CreateSecretCommand({
+					Name: location.secretId,
+					SecretBinary: bytes
+				}));
+				const versionId = typeof created.VersionId === "string" && created.VersionId ? created.VersionId : "latest";
+				return {
+					reference: this.buildReference(location.region, location.secretId, { version: versionId }),
+					version: versionId
+				};
+			} catch (creationError) {
+				throw toAwsSecretProviderError({
+					error: creationError,
+					provider: this.id,
+					reference,
+					operation: "createSecret"
+				});
+			}
+		}
+	}
+	async rotateSecret(reference, payload) {
+		return this.setSecret(reference, payload);
+	}
+	async deleteSecret(reference) {
+		const location = this.parseReference(reference);
+		const client = this.getClient(location.region);
+		try {
+			await client.send(new DeleteSecretCommand({
+				SecretId: location.secretId,
+				RecoveryWindowInDays: DEFAULT_DELETE_RECOVERY_DAYS
+			}));
+		} catch (error) {
+			throw toAwsSecretProviderError({
+				error,
+				provider: this.id,
+				reference,
+				operation: "deleteSecret"
+			});
+		}
+	}
+	getClient(region) {
+		if (this.injectedClient) return this.injectedClient;
+		const cached = this.clientsByRegion.get(region);
+		if (cached) return cached;
+		const client = new SecretsManagerClient({
+			...this.clientConfig ?? {},
+			region
+		});
+		this.clientsByRegion.set(region, client);
+		return client;
+	}
+	parseReference(reference) {
+		const parsed = parseSecretUri(reference);
+		if (parsed.provider !== "aws") throw new SecretProviderError({
+			message: `Unsupported secret provider: ${parsed.provider}`,
+			provider: this.id,
+			reference,
+			code: "INVALID"
+		});
+		const segments = parsed.path.split("/").filter(Boolean);
+		if (segments.length < 3 || segments[0] !== "secretsmanager") throw new SecretProviderError({
+			message: "Expected secret reference format aws://secretsmanager/{region}/{secretIdOrArn}[?version=...]",
+			provider: this.id,
+			reference,
+			code: "INVALID"
+		});
+		const regionCandidate = segments[1];
+		const region = this.resolveRegion(regionCandidate);
+		const secretId = segments.slice(2).join("/");
+		if (!secretId) throw new SecretProviderError({
+			message: `Unable to resolve secret id from reference "${parsed.path}"`,
+			provider: this.id,
+			reference,
+			code: "INVALID"
+		});
+		return {
+			region,
+			secretId,
+			version: parsed.extras?.version,
+			stage: parsed.extras?.stage
+		};
+	}
+	resolveRegion(regionCandidate) {
+		const region = regionCandidate ?? this.explicitRegion ?? process.env.AWS_REGION ?? process.env.AWS_DEFAULT_REGION;
+		if (!region) throw new SecretProviderError({
+			message: "AWS region must be provided either in reference (aws://secretsmanager/{region}/...) or via AWS_REGION/AWS_DEFAULT_REGION.",
+			provider: this.id,
+			reference: "aws://secretsmanager//",
+			code: "INVALID"
+		});
+		return region;
+	}
+	buildVersionSelector(version) {
+		if (!version) return {};
+		if (version === "latest" || version === "current") return { VersionStage: "AWSCURRENT" };
+		if (version.startsWith("AWS")) return { VersionStage: version };
+		return { VersionId: version };
+	}
+	buildReference(region, secretId, extras) {
+		const base = `aws://secretsmanager/${region}/${secretId}`;
+		const query = extras ? Object.entries(extras).filter(([, value]) => Boolean(value)).map(([key, value]) => `${encodeURIComponent(key)}=${encodeURIComponent(value)}`).join("&") : "";
+		return query ? `${base}?${query}` : base;
+	}
+};
+function extractAwsSecretBytes(result, reference, provider) {
+	if (!result || typeof result !== "object") throw new SecretProviderError({
+		message: "Invalid AWS Secrets Manager response",
+		provider,
+		reference,
+		code: "UNKNOWN",
+		cause: result
+	});
+	const record = result;
+	if (record.SecretBinary instanceof Uint8Array) return record.SecretBinary;
+	if (typeof record.SecretBinary === "string") return Buffer.from(record.SecretBinary, "base64");
+	if (typeof record.SecretString === "string") return Buffer.from(record.SecretString, "utf-8");
+	throw new SecretProviderError({
+		message: "AWS secret value is empty",
+		provider,
+		reference,
+		code: "NOT_FOUND",
+		cause: result
+	});
+}
+function looksLikeAwsArn(secretId) {
+	return secretId.startsWith("arn:aws:secretsmanager:");
+}
+function isAwsNotFound(error) {
+	if (!error || typeof error !== "object") return false;
+	const err = error;
+	if (typeof err.$metadata?.httpStatusCode === "number") return err.$metadata.httpStatusCode === 404;
+	return err.name === "ResourceNotFoundException";
+}
+function toAwsSecretProviderError(params) {
+	const { error, provider, reference, operation } = params;
+	if (error instanceof SecretProviderError) return error;
+	const httpStatusCode = typeof error === "object" && error !== null && "$metadata" in error && typeof error.$metadata === "object" && error.$metadata?.httpStatusCode;
+	const code = httpStatusCode === 404 ? "NOT_FOUND" : httpStatusCode === 401 || httpStatusCode === 403 ? "FORBIDDEN" : httpStatusCode === 400 ? "INVALID" : "UNKNOWN";
+	return new SecretProviderError({
+		message: error instanceof Error ? error.message : `Unknown error during ${operation}`,
+		provider,
+		reference,
+		code,
+		cause: error
+	});
+}
+
+//#endregion
+export { AwsSecretsManagerProvider };

package/dist/integrations/secrets/env-secret-provider.js

@@ -1 +1,81 @@
-import{SecretProviderError as e,parseSecretUri as t}from"./provider.js";var n=class{id=`env`;aliases;constructor(e={}){this.aliases=e.aliases??{}}canHandle(e){let t=this.resolveEnvKey(e);return t!==void 0&&process.env[t]!==void 0}async getSecret(t){let n=this.resolveEnvKey(t);if(!n)throw new e({message:`Unable to resolve environment variable for reference "${t}".`,provider:this.id,reference:t,code:`INVALID`});let r=process.env[n];if(r===void 0)throw new e({message:`Environment variable "${n}" not found for reference "${t}".`,provider:this.id,reference:t,code:`NOT_FOUND`});return{data:Buffer.from(r,`utf-8`),version:`current`,metadata:{source:`env`,envKey:n},retrievedAt:new Date}}async setSecret(e,t){throw this.forbiddenError(`setSecret`,e)}async rotateSecret(e,t){throw this.forbiddenError(`rotateSecret`,e)}async deleteSecret(e){throw this.forbiddenError(`deleteSecret`,e)}resolveEnvKey(e){if(e){if(this.aliases[e])return this.aliases[e];if(!e.includes(`://`))return e;try{let n=t(e);return n.provider===`env`?n.path:n.extras?.env?n.extras.env:this.deriveEnvKey(n.path)}catch{return e}}}deriveEnvKey(e){if(e)return e.split(/[\/:\-\.]/).filter(Boolean).map(e=>e.replace(/[^a-zA-Z0-9]/g,`_`).replace(/_{2,}/g,`_`).toUpperCase()).join(`_`)}forbiddenError(t,n){return new e({message:`EnvSecretProvider is read-only. "${t}" is not allowed for ${n}.`,provider:this.id,reference:n,code:`FORBIDDEN`})}};export{n as EnvSecretProvider};
+import { SecretProviderError, parseSecretUri } from "./provider.js";
+
+//#region src/integrations/secrets/env-secret-provider.ts
+/**
+* Environment-variable backed secret provider. Read-only by design.
+* Allows overriding other secret providers by deriving environment variable
+* names from secret references (or by using explicit aliases).
+*/
+var EnvSecretProvider = class {
+	id = "env";
+	aliases;
+	constructor(options = {}) {
+		this.aliases = options.aliases ?? {};
+	}
+	canHandle(reference) {
+		const envKey = this.resolveEnvKey(reference);
+		return envKey !== void 0 && process.env[envKey] !== void 0;
+	}
+	async getSecret(reference) {
+		const envKey = this.resolveEnvKey(reference);
+		if (!envKey) throw new SecretProviderError({
+			message: `Unable to resolve environment variable for reference "${reference}".`,
+			provider: this.id,
+			reference,
+			code: "INVALID"
+		});
+		const value = process.env[envKey];
+		if (value === void 0) throw new SecretProviderError({
+			message: `Environment variable "${envKey}" not found for reference "${reference}".`,
+			provider: this.id,
+			reference,
+			code: "NOT_FOUND"
+		});
+		return {
+			data: Buffer.from(value, "utf-8"),
+			version: "current",
+			metadata: {
+				source: "env",
+				envKey
+			},
+			retrievedAt: /* @__PURE__ */ new Date()
+		};
+	}
+	async setSecret(reference, _payload) {
+		throw this.forbiddenError("setSecret", reference);
+	}
+	async rotateSecret(reference, _payload) {
+		throw this.forbiddenError("rotateSecret", reference);
+	}
+	async deleteSecret(reference) {
+		throw this.forbiddenError("deleteSecret", reference);
+	}
+	resolveEnvKey(reference) {
+		if (!reference) return;
+		if (this.aliases[reference]) return this.aliases[reference];
+		if (!reference.includes("://")) return reference;
+		try {
+			const parsed = parseSecretUri(reference);
+			if (parsed.provider === "env") return parsed.path;
+			if (parsed.extras?.env) return parsed.extras.env;
+			return this.deriveEnvKey(parsed.path);
+		} catch {
+			return reference;
+		}
+	}
+	deriveEnvKey(path) {
+		if (!path) return void 0;
+		return path.split(/[\/:\-\.]/).filter(Boolean).map((segment) => segment.replace(/[^a-zA-Z0-9]/g, "_").replace(/_{2,}/g, "_").toUpperCase()).join("_");
+	}
+	forbiddenError(operation, reference) {
+		return new SecretProviderError({
+			message: `EnvSecretProvider is read-only. "${operation}" is not allowed for ${reference}.`,
+			provider: this.id,
+			reference,
+			code: "FORBIDDEN"
+		});
+	}
+};
+
+//#endregion
+export { EnvSecretProvider };