@lssm/lib.contracts 0.0.0-canary-20251217063201 → 0.0.0-canary-20251217073102

package/dist/integrations/secrets/gcp-secret-manager.js

@@ -1 +1,229 @@
-import{SecretProviderError as e,normalizeSecretPayload as t,parseSecretUri as n}from"./provider.js";import{SecretManagerServiceClient as r,protos as i}from"@google-cloud/secret-manager";const a={automatic:{}};var o=class{id=`gcp-secret-manager`;client;explicitProjectId;replication;constructor(e={}){this.client=e.client??new r(e.clientOptions??{}),this.explicitProjectId=e.projectId,this.replication=e.defaultReplication??a}canHandle(e){try{return n(e).provider===`gcp`}catch{return!1}}async getSecret(t,n,r){let i=this.parseReference(t),a=this.buildVersionName(i,n?.version);try{let[n]=await this.client.accessSecretVersion({name:a},r??{}),i=n.payload;if(!i?.data)throw new e({message:`Secret payload empty for ${a}`,provider:this.id,reference:t,code:`UNKNOWN`});let o=s(n.name??a);return{data:i.data,version:o,metadata:i.dataCrc32c?{crc32c:i.dataCrc32c.toString()}:void 0,retrievedAt:new Date}}catch(e){throw c({error:e,provider:this.id,reference:t,operation:`access`})}}async setSecret(n,r){let i=this.parseReference(n),{secretName:a}=this.buildNames(i),o=t(r);await this.ensureSecretExists(i,r);try{let t=await this.client.addSecretVersion({parent:a,payload:{data:o}});if(!t)throw new e({message:`No version returned when adding secret version for ${a}`,provider:this.id,reference:n,code:`UNKNOWN`});let[r]=t,i=r?.name??`${a}/versions/latest`;return{reference:`gcp://${i}`,version:s(i)??`latest`}}catch(e){throw c({error:e,provider:this.id,reference:n,operation:`addSecretVersion`})}}async rotateSecret(e,t){return this.setSecret(e,t)}async deleteSecret(e){let t=this.parseReference(e),{secretName:n}=this.buildNames(t);try{await this.client.deleteSecret({name:n})}catch(t){throw c({error:t,provider:this.id,reference:e,operation:`delete`})}}parseReference(t){let r=n(t);if(r.provider!==`gcp`)throw new e({message:`Unsupported secret provider: ${r.provider}`,provider:this.id,reference:t,code:`INVALID`});let i=r.path.split(`/`).filter(Boolean);if(i.length<4||i[0]!==`projects`)throw new e({message:`Expected secret reference format gcp://projects/{project}/secrets/{secret}[(/versions/{version})] but received "${r.path}"`,provider:this.id,reference:t,code:`INVALID`});let a=i[1]??this.explicitProjectId;if(!a)throw new e({message:`Unable to resolve project or secret from reference "${r.path}"`,provider:this.id,reference:t,code:`INVALID`});let o=i.indexOf(`secrets`);if(o===-1||o+1>=i.length)throw new e({message:`Unable to resolve project or secret from reference "${r.path}"`,provider:this.id,reference:t,code:`INVALID`});let s=a,c=i[o+1];if(!c)throw new e({message:`Unable to resolve secret ID from reference "${r.path}"`,provider:this.id,reference:t,code:`INVALID`});let l=c,u=i.indexOf(`versions`);return{projectId:s,secretId:l,version:r.extras?.version??(u!==-1&&u+1<i.length?i[u+1]:void 0)}}buildNames(t){let n=t.projectId??this.explicitProjectId;if(!n)throw new e({message:`Project ID must be provided either in reference or provider configuration`,provider:this.id,reference:`gcp://projects//secrets/${t.secretId}`,code:`INVALID`});let r=`projects/${n}`;return{projectParent:r,secretName:`${r}/secrets/${t.secretId}`}}buildVersionName(e,t){let{secretName:n}=this.buildNames(e);return`${n}/versions/${t??e.version??`latest`}`}async ensureSecretExists(e,t){let{secretName:n,projectParent:r}=this.buildNames(e);try{await this.client.getSecret({name:n})}catch(i){let a=c({error:i,provider:this.id,reference:`gcp://${n}`,operation:`getSecret`,suppressThrow:!0});if(!a||a.code!==`NOT_FOUND`)throw a||i;try{await this.client.createSecret({parent:r,secretId:e.secretId,secret:{replication:this.replication,labels:t.labels}})}catch(e){throw c({error:e,provider:this.id,reference:`gcp://${n}`,operation:`createSecret`})}}}};function s(e){let t=e.split(`/`).filter(Boolean),n=t.indexOf(`versions`);if(!(n===-1||n+1>=t.length))return t[n+1]}function c(t){let{error:n,provider:r,reference:i,operation:a,suppressThrow:o}=t;if(n instanceof e)return n;let s=l(n),c=new e({message:n instanceof Error?n.message:`Unknown error during ${a}`,provider:r,reference:i,code:s,cause:n});if(o)return c;throw c}function l(e){if(typeof e!=`object`||!e)return`UNKNOWN`;let t=e.code;return t===5||t===`NOT_FOUND`?`NOT_FOUND`:t===6||t===`ALREADY_EXISTS`?`INVALID`:t===7||t===`PERMISSION_DENIED`||t===403?`FORBIDDEN`:t===3||t===`INVALID_ARGUMENT`?`INVALID`:`UNKNOWN`}export{o as GcpSecretManagerProvider};
+import { SecretProviderError, normalizeSecretPayload, parseSecretUri } from "./provider.js";
+import { SecretManagerServiceClient, protos } from "@google-cloud/secret-manager";
+
+//#region src/integrations/secrets/gcp-secret-manager.ts
+const DEFAULT_REPLICATION = { automatic: {} };
+var GcpSecretManagerProvider = class {
+	id = "gcp-secret-manager";
+	client;
+	explicitProjectId;
+	replication;
+	constructor(options = {}) {
+		this.client = options.client ?? new SecretManagerServiceClient(options.clientOptions ?? {});
+		this.explicitProjectId = options.projectId;
+		this.replication = options.defaultReplication ?? DEFAULT_REPLICATION;
+	}
+	canHandle(reference) {
+		try {
+			return parseSecretUri(reference).provider === "gcp";
+		} catch {
+			return false;
+		}
+	}
+	async getSecret(reference, options, callOptions) {
+		const location = this.parseReference(reference);
+		const secretVersionName = this.buildVersionName(location, options?.version);
+		try {
+			const [result] = await this.client.accessSecretVersion({ name: secretVersionName }, callOptions ?? {});
+			const payload = result.payload;
+			if (!payload?.data) throw new SecretProviderError({
+				message: `Secret payload empty for ${secretVersionName}`,
+				provider: this.id,
+				reference,
+				code: "UNKNOWN"
+			});
+			const version = extractVersionFromName(result.name ?? secretVersionName);
+			return {
+				data: payload.data,
+				version,
+				metadata: payload.dataCrc32c ? { crc32c: payload.dataCrc32c.toString() } : void 0,
+				retrievedAt: /* @__PURE__ */ new Date()
+			};
+		} catch (error) {
+			throw toSecretProviderError({
+				error,
+				provider: this.id,
+				reference,
+				operation: "access"
+			});
+		}
+	}
+	async setSecret(reference, payload) {
+		const location = this.parseReference(reference);
+		const { secretName } = this.buildNames(location);
+		const data = normalizeSecretPayload(payload);
+		await this.ensureSecretExists(location, payload);
+		try {
+			const response = await this.client.addSecretVersion({
+				parent: secretName,
+				payload: { data }
+			});
+			if (!response) throw new SecretProviderError({
+				message: `No version returned when adding secret version for ${secretName}`,
+				provider: this.id,
+				reference,
+				code: "UNKNOWN"
+			});
+			const [version] = response;
+			const versionName = version?.name ?? `${secretName}/versions/latest`;
+			return {
+				reference: `gcp://${versionName}`,
+				version: extractVersionFromName(versionName) ?? "latest"
+			};
+		} catch (error) {
+			throw toSecretProviderError({
+				error,
+				provider: this.id,
+				reference,
+				operation: "addSecretVersion"
+			});
+		}
+	}
+	async rotateSecret(reference, payload) {
+		return this.setSecret(reference, payload);
+	}
+	async deleteSecret(reference) {
+		const location = this.parseReference(reference);
+		const { secretName } = this.buildNames(location);
+		try {
+			await this.client.deleteSecret({ name: secretName });
+		} catch (error) {
+			throw toSecretProviderError({
+				error,
+				provider: this.id,
+				reference,
+				operation: "delete"
+			});
+		}
+	}
+	parseReference(reference) {
+		const parsed = parseSecretUri(reference);
+		if (parsed.provider !== "gcp") throw new SecretProviderError({
+			message: `Unsupported secret provider: ${parsed.provider}`,
+			provider: this.id,
+			reference,
+			code: "INVALID"
+		});
+		const segments = parsed.path.split("/").filter(Boolean);
+		if (segments.length < 4 || segments[0] !== "projects") throw new SecretProviderError({
+			message: `Expected secret reference format gcp://projects/{project}/secrets/{secret}[(/versions/{version})] but received "${parsed.path}"`,
+			provider: this.id,
+			reference,
+			code: "INVALID"
+		});
+		const projectIdCandidate = segments[1] ?? this.explicitProjectId;
+		if (!projectIdCandidate) throw new SecretProviderError({
+			message: `Unable to resolve project or secret from reference "${parsed.path}"`,
+			provider: this.id,
+			reference,
+			code: "INVALID"
+		});
+		const indexOfSecrets = segments.indexOf("secrets");
+		if (indexOfSecrets === -1 || indexOfSecrets + 1 >= segments.length) throw new SecretProviderError({
+			message: `Unable to resolve project or secret from reference "${parsed.path}"`,
+			provider: this.id,
+			reference,
+			code: "INVALID"
+		});
+		const resolvedProjectId = projectIdCandidate;
+		const secretIdCandidate = segments[indexOfSecrets + 1];
+		if (!secretIdCandidate) throw new SecretProviderError({
+			message: `Unable to resolve secret ID from reference "${parsed.path}"`,
+			provider: this.id,
+			reference,
+			code: "INVALID"
+		});
+		const secretId = secretIdCandidate;
+		const indexOfVersions = segments.indexOf("versions");
+		return {
+			projectId: resolvedProjectId,
+			secretId,
+			version: parsed.extras?.version ?? (indexOfVersions !== -1 && indexOfVersions + 1 < segments.length ? segments[indexOfVersions + 1] : void 0)
+		};
+	}
+	buildNames(location) {
+		const projectId = location.projectId ?? this.explicitProjectId;
+		if (!projectId) throw new SecretProviderError({
+			message: "Project ID must be provided either in reference or provider configuration",
+			provider: this.id,
+			reference: `gcp://projects//secrets/${location.secretId}`,
+			code: "INVALID"
+		});
+		const projectParent = `projects/${projectId}`;
+		return {
+			projectParent,
+			secretName: `${projectParent}/secrets/${location.secretId}`
+		};
+	}
+	buildVersionName(location, explicitVersion) {
+		const { secretName } = this.buildNames(location);
+		return `${secretName}/versions/${explicitVersion ?? location.version ?? "latest"}`;
+	}
+	async ensureSecretExists(location, payload) {
+		const { secretName, projectParent } = this.buildNames(location);
+		try {
+			await this.client.getSecret({ name: secretName });
+		} catch (error) {
+			const providerError = toSecretProviderError({
+				error,
+				provider: this.id,
+				reference: `gcp://${secretName}`,
+				operation: "getSecret",
+				suppressThrow: true
+			});
+			if (!providerError || providerError.code !== "NOT_FOUND") {
+				if (providerError) throw providerError;
+				throw error;
+			}
+			try {
+				await this.client.createSecret({
+					parent: projectParent,
+					secretId: location.secretId,
+					secret: {
+						replication: this.replication,
+						labels: payload.labels
+					}
+				});
+			} catch (creationError) {
+				throw toSecretProviderError({
+					error: creationError,
+					provider: this.id,
+					reference: `gcp://${secretName}`,
+					operation: "createSecret"
+				});
+			}
+		}
+	}
+};
+function extractVersionFromName(name) {
+	const segments = name.split("/").filter(Boolean);
+	const index = segments.indexOf("versions");
+	if (index === -1 || index + 1 >= segments.length) return;
+	return segments[index + 1];
+}
+function toSecretProviderError(params) {
+	const { error, provider, reference, operation, suppressThrow } = params;
+	if (error instanceof SecretProviderError) return error;
+	const code = deriveErrorCode(error);
+	const providerError = new SecretProviderError({
+		message: error instanceof Error ? error.message : `Unknown error during ${operation}`,
+		provider,
+		reference,
+		code,
+		cause: error
+	});
+	if (suppressThrow) return providerError;
+	throw providerError;
+}
+function deriveErrorCode(error) {
+	if (typeof error !== "object" || error === null) return "UNKNOWN";
+	const code = error.code;
+	if (code === 5 || code === "NOT_FOUND") return "NOT_FOUND";
+	if (code === 6 || code === "ALREADY_EXISTS") return "INVALID";
+	if (code === 7 || code === "PERMISSION_DENIED" || code === 403) return "FORBIDDEN";
+	if (code === 3 || code === "INVALID_ARGUMENT") return "INVALID";
+	return "UNKNOWN";
+}
+
+//#endregion
+export { GcpSecretManagerProvider };

package/dist/integrations/secrets/index.js

@@ -1 +1,8 @@
-import{SecretProviderError as e,normalizeSecretPayload as t,parseSecretUri as n}from"./provider.js";import{AwsSecretsManagerProvider as r}from"./aws-secret-manager.js";import{EnvSecretProvider as i}from"./env-secret-provider.js";import{GcpSecretManagerProvider as a}from"./gcp-secret-manager.js";import{ScalewaySecretManagerProvider as o}from"./scaleway-secret-manager.js";import{SecretProviderManager as s}from"./manager.js";export{r as AwsSecretsManagerProvider,i as EnvSecretProvider,a as GcpSecretManagerProvider,o as ScalewaySecretManagerProvider,e as SecretProviderError,s as SecretProviderManager,t as normalizeSecretPayload,n as parseSecretUri};
+import { SecretProviderError, normalizeSecretPayload, parseSecretUri } from "./provider.js";
+import { AwsSecretsManagerProvider } from "./aws-secret-manager.js";
+import { EnvSecretProvider } from "./env-secret-provider.js";
+import { GcpSecretManagerProvider } from "./gcp-secret-manager.js";
+import { ScalewaySecretManagerProvider } from "./scaleway-secret-manager.js";
+import { SecretProviderManager } from "./manager.js";
+
+export { AwsSecretsManagerProvider, EnvSecretProvider, GcpSecretManagerProvider, ScalewaySecretManagerProvider, SecretProviderError, SecretProviderManager, normalizeSecretPayload, parseSecretUri };

package/dist/integrations/secrets/manager.js

@@ -1 +1,103 @@
-import{SecretProviderError as e}from"./provider.js";var t=class{id;providers=[];registrationCounter=0;constructor(e={}){this.id=e.id??`secret-provider-manager`;let t=e.providers??[];for(let e of t)this.register(e.provider,{priority:e.priority})}register(e,t={}){return this.providers.push({provider:e,priority:t.priority??0,order:this.registrationCounter++}),this.providers.sort((e,t)=>e.priority===t.priority?e.order-t.order:t.priority-e.priority),this}canHandle(e){return this.providers.some(({provider:t})=>n(t,e))}async getSecret(t,r){let i=[];for(let{provider:a}of this.providers)if(n(a,t))try{return await a.getSecret(t,r)}catch(t){if(t instanceof e){if(i.push(t),t.code!==`NOT_FOUND`)break;continue}throw t}throw this.composeError(`getSecret`,t,i,r?.version)}async setSecret(e,t){return this.delegateToFirst(`setSecret`,e,n=>n.setSecret(e,t))}async rotateSecret(e,t){return this.delegateToFirst(`rotateSecret`,e,n=>n.rotateSecret(e,t))}async deleteSecret(e){await this.delegateToFirst(`deleteSecret`,e,t=>t.deleteSecret(e))}async delegateToFirst(t,r,i){let a=[];for(let{provider:t}of this.providers)if(n(t,r))try{return await i(t)}catch(t){if(t instanceof e){a.push(t);continue}throw t}throw this.composeError(t,r,a)}composeError(t,n,r,i){if(r.length===1){let[e]=r;if(e)return e}let a=[`No registered secret provider could ${t}`,`reference "${n}"`];return i&&a.push(`(version: ${i})`),r.length>1&&a.push(`Attempts: ${r.map(e=>`${e.provider}:${e.code}`).join(`, `)}`),new e({message:a.join(` `),provider:this.id,reference:n,code:r.length>0?r[r.length-1].code:`UNKNOWN`,cause:r})}};function n(e,t){try{return e.canHandle(t)}catch{return!1}}export{t as SecretProviderManager};
+import { SecretProviderError } from "./provider.js";
+
+//#region src/integrations/secrets/manager.ts
+/**
+* Composite secret provider that delegates to registered providers.
+* Providers are attempted in order of descending priority, respecting the
+* registration order for ties. This enables privileged overrides (e.g.
+* environment variables) while still supporting durable backends like GCP
+* Secret Manager.
+*/
+var SecretProviderManager = class {
+	id;
+	providers = [];
+	registrationCounter = 0;
+	constructor(options = {}) {
+		this.id = options.id ?? "secret-provider-manager";
+		const initialProviders = options.providers ?? [];
+		for (const entry of initialProviders) this.register(entry.provider, { priority: entry.priority });
+	}
+	register(provider, options = {}) {
+		this.providers.push({
+			provider,
+			priority: options.priority ?? 0,
+			order: this.registrationCounter++
+		});
+		this.providers.sort((a, b) => {
+			if (a.priority !== b.priority) return b.priority - a.priority;
+			return a.order - b.order;
+		});
+		return this;
+	}
+	canHandle(reference) {
+		return this.providers.some(({ provider }) => safeCanHandle(provider, reference));
+	}
+	async getSecret(reference, options) {
+		const errors = [];
+		for (const { provider } of this.providers) {
+			if (!safeCanHandle(provider, reference)) continue;
+			try {
+				return await provider.getSecret(reference, options);
+			} catch (error) {
+				if (error instanceof SecretProviderError) {
+					errors.push(error);
+					if (error.code !== "NOT_FOUND") break;
+					continue;
+				}
+				throw error;
+			}
+		}
+		throw this.composeError("getSecret", reference, errors, options?.version);
+	}
+	async setSecret(reference, payload) {
+		return this.delegateToFirst("setSecret", reference, (provider) => provider.setSecret(reference, payload));
+	}
+	async rotateSecret(reference, payload) {
+		return this.delegateToFirst("rotateSecret", reference, (provider) => provider.rotateSecret(reference, payload));
+	}
+	async deleteSecret(reference) {
+		await this.delegateToFirst("deleteSecret", reference, (provider) => provider.deleteSecret(reference));
+	}
+	async delegateToFirst(operation, reference, invoker) {
+		const errors = [];
+		for (const { provider } of this.providers) {
+			if (!safeCanHandle(provider, reference)) continue;
+			try {
+				return await invoker(provider);
+			} catch (error) {
+				if (error instanceof SecretProviderError) {
+					errors.push(error);
+					continue;
+				}
+				throw error;
+			}
+		}
+		throw this.composeError(operation, reference, errors);
+	}
+	composeError(operation, reference, errors, version) {
+		if (errors.length === 1) {
+			const [singleError] = errors;
+			if (singleError) return singleError;
+		}
+		const messageParts = [`No registered secret provider could ${operation}`, `reference "${reference}"`];
+		if (version) messageParts.push(`(version: ${version})`);
+		if (errors.length > 1) messageParts.push(`Attempts: ${errors.map((error) => `${error.provider}:${error.code}`).join(", ")}`);
+		return new SecretProviderError({
+			message: messageParts.join(" "),
+			provider: this.id,
+			reference,
+			code: errors.length > 0 ? errors[errors.length - 1].code : "UNKNOWN",
+			cause: errors
+		});
+	}
+};
+function safeCanHandle(provider, reference) {
+	try {
+		return provider.canHandle(reference);
+	} catch {
+		return false;
+	}
+}
+
+//#endregion
+export { SecretProviderManager };

package/dist/integrations/secrets/provider.js

@@ -1 +1,58 @@
-import{Buffer as e}from"node:buffer";var t=class extends Error{provider;reference;code;cause;constructor(e){super(e.message),this.name=`SecretProviderError`,this.provider=e.provider,this.reference=e.reference,this.code=e.code??`UNKNOWN`,this.cause=e.cause}};function n(e){if(!e)throw new t({message:`Secret reference cannot be empty`,provider:`unknown`,reference:e,code:`INVALID`});let[n,r]=e.split(`://`);if(!n||!r)throw new t({message:`Invalid secret reference: ${e}`,provider:`unknown`,reference:e,code:`INVALID`});let i=r.indexOf(`?`);if(i===-1)return{provider:n,path:r};let a=r.slice(0,i),o=r.slice(i+1);return{provider:n,path:a,extras:Object.fromEntries(o.split(`&`).filter(Boolean).map(e=>{let[t,n]=e.split(`=`),r=t??``,i=n??``;return[decodeURIComponent(r),decodeURIComponent(i)]}))}}function r(t){return t.data instanceof Uint8Array?t.data:t.encoding===`base64`?e.from(t.data,`base64`):t.encoding===`binary`?e.from(t.data,`binary`):e.from(t.data,`utf-8`)}export{t as SecretProviderError,r as normalizeSecretPayload,n as parseSecretUri};
+import { Buffer } from "node:buffer";
+
+//#region src/integrations/secrets/provider.ts
+var SecretProviderError = class extends Error {
+	provider;
+	reference;
+	code;
+	cause;
+	constructor(params) {
+		super(params.message);
+		this.name = "SecretProviderError";
+		this.provider = params.provider;
+		this.reference = params.reference;
+		this.code = params.code ?? "UNKNOWN";
+		this.cause = params.cause;
+	}
+};
+function parseSecretUri(reference) {
+	if (!reference) throw new SecretProviderError({
+		message: "Secret reference cannot be empty",
+		provider: "unknown",
+		reference,
+		code: "INVALID"
+	});
+	const [scheme, rest] = reference.split("://");
+	if (!scheme || !rest) throw new SecretProviderError({
+		message: `Invalid secret reference: ${reference}`,
+		provider: "unknown",
+		reference,
+		code: "INVALID"
+	});
+	const queryIndex = rest.indexOf("?");
+	if (queryIndex === -1) return {
+		provider: scheme,
+		path: rest
+	};
+	const path = rest.slice(0, queryIndex);
+	const query = rest.slice(queryIndex + 1);
+	return {
+		provider: scheme,
+		path,
+		extras: Object.fromEntries(query.split("&").filter(Boolean).map((pair) => {
+			const [keyRaw, valueRaw] = pair.split("=");
+			const key = keyRaw ?? "";
+			const value = valueRaw ?? "";
+			return [decodeURIComponent(key), decodeURIComponent(value)];
+		}))
+	};
+}
+function normalizeSecretPayload(payload) {
+	if (payload.data instanceof Uint8Array) return payload.data;
+	if (payload.encoding === "base64") return Buffer.from(payload.data, "base64");
+	if (payload.encoding === "binary") return Buffer.from(payload.data, "binary");
+	return Buffer.from(payload.data, "utf-8");
+}
+
+//#endregion
+export { SecretProviderError, normalizeSecretPayload, parseSecretUri };

package/dist/integrations/secrets/scaleway-secret-manager.js

@@ -1 +1,247 @@
-import{SecretProviderError as e,normalizeSecretPayload as t,parseSecretUri as n}from"./provider.js";import{Buffer as r}from"node:buffer";const i=/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;var a=class{id=`scaleway-secret-manager`;token;defaultRegion;defaultProjectId;baseUrl;fetchFn;constructor(e={}){this.token=e.token??process.env.SCW_SECRET_KEY??process.env.SCALEWAY_SECRET_KEY??``,this.defaultRegion=e.defaultRegion??process.env.SCW_DEFAULT_REGION??process.env.SCW_REGION,this.defaultProjectId=e.defaultProjectId??process.env.SCW_DEFAULT_PROJECT_ID??process.env.SCW_PROJECT_ID,this.baseUrl=e.baseUrl??`https://api.scaleway.com`,this.fetchFn=e.fetch??fetch}canHandle(e){try{let t=n(e);return t.provider===`scw`&&(t.path===`secret-manager`||t.path.startsWith(`secret-manager/`))}catch{return!1}}async getSecret(t,n){let a=this.parseReference(t);if(!this.token)throw new e({message:`Scaleway secret manager token is missing (set SCW_SECRET_KEY / SCALEWAY_SECRET_KEY).`,provider:this.id,reference:t,code:`FORBIDDEN`});if(!i.test(a.secretIdOrName))throw new e({message:`Scaleway getSecret requires a secretId (uuid) reference, not a secret name.`,provider:this.id,reference:t,code:`INVALID`});let s=n?.version??a.revision??`latest`,c=`${this.baseUrl}/secret-manager/v1beta1/regions/${encodeURIComponent(a.region)}/secrets/${encodeURIComponent(a.secretIdOrName)}/versions/${encodeURIComponent(s)}/access`,u=await this.fetchFn(c,{method:`GET`,headers:{"X-Auth-Token":this.token}});if(!u.ok)throw await l({response:u,provider:this.id,reference:t,operation:`getSecret`});let d=o(await u.json());return{data:r.from(d,`base64`),version:s,metadata:{region:a.region,secretId:a.secretIdOrName},retrievedAt:new Date}}async setSecret(n,a){let o=this.parseReference(n);if(!this.token)throw new e({message:`Scaleway secret manager token is missing (set SCW_SECRET_KEY / SCALEWAY_SECRET_KEY).`,provider:this.id,reference:n,code:`FORBIDDEN`});let s=t(a),c=r.from(s).toString(`base64`),l=i.test(o.secretIdOrName)?o.secretIdOrName:await this.createSecret({region:o.region,name:o.secretIdOrName,reference:n}),u=await this.createSecretVersion({region:o.region,secretId:l,dataB64:c,reference:n});return{reference:this.buildReference(o.region,l,{version:u}),version:u}}async rotateSecret(e,t){return this.setSecret(e,t)}async deleteSecret(t){let n=this.parseReference(t);if(!this.token)throw new e({message:`Scaleway secret manager token is missing (set SCW_SECRET_KEY / SCALEWAY_SECRET_KEY).`,provider:this.id,reference:t,code:`FORBIDDEN`});if(!i.test(n.secretIdOrName))throw new e({message:`Scaleway deleteSecret requires a secretId (uuid) reference, not a secret name.`,provider:this.id,reference:t,code:`INVALID`});let r=`${this.baseUrl}/secret-manager/v1beta1/regions/${encodeURIComponent(n.region)}/secrets/${encodeURIComponent(n.secretIdOrName)}`,a=await this.fetchFn(r,{method:`DELETE`,headers:{"X-Auth-Token":this.token}});if(!a.ok)throw await l({response:a,provider:this.id,reference:t,operation:`deleteSecret`})}parseReference(t){let r=n(t);if(r.provider!==`scw`)throw new e({message:`Unsupported secret provider: ${r.provider}`,provider:this.id,reference:t,code:`INVALID`});let i=r.path.split(`/`).filter(Boolean);if(i.length<2||i[0]!==`secret-manager`)throw new e({message:`Expected secret reference format scw://secret-manager/{region}/{secretIdOrName}[?version=...]`,provider:this.id,reference:t,code:`INVALID`});let a=i[1]??this.defaultRegion;if(!a)throw new e({message:`Scaleway region must be provided either in reference (scw://secret-manager/{region}/...) or via SCW_DEFAULT_REGION/SCW_REGION.`,provider:this.id,reference:t,code:`INVALID`});let o=i.slice(2).join(`/`);if(!o)throw new e({message:`Unable to resolve secret id/name from reference "${r.path}"`,provider:this.id,reference:t,code:`INVALID`});return{region:a,secretIdOrName:o,revision:r.extras?.version}}async createSecret(t){let n=this.defaultProjectId;if(!n)throw new e({message:`Scaleway project id is required to create secrets by name (set SCW_DEFAULT_PROJECT_ID/SCW_PROJECT_ID).`,provider:this.id,reference:t.reference,code:`INVALID`});let r=`${this.baseUrl}/secret-manager/v1beta1/regions/${encodeURIComponent(t.region)}/secrets`,i=await this.fetchFn(r,{method:`POST`,headers:{"Content-Type":`application/json`,"X-Auth-Token":this.token},body:JSON.stringify({name:t.name,project_id:n})});if(!i.ok)throw await l({response:i,provider:this.id,reference:t.reference,operation:`createSecret`});return s(await i.json())}async createSecretVersion(e){let t=`${this.baseUrl}/secret-manager/v1beta1/regions/${encodeURIComponent(e.region)}/secrets/${encodeURIComponent(e.secretId)}/versions`,n=await this.fetchFn(t,{method:`POST`,headers:{"Content-Type":`application/json`,"X-Auth-Token":this.token},body:JSON.stringify({data:e.dataB64})});if(!n.ok)throw await l({response:n,provider:this.id,reference:e.reference,operation:`createSecretVersion`});return c(await n.json())??`latest`}buildReference(e,t,n){let r=`scw://secret-manager/${e}/${t}`,i=n?Object.entries(n).filter(([,e])=>!!e).map(([e,t])=>`${encodeURIComponent(e)}=${encodeURIComponent(t)}`).join(`&`):``;return i?`${r}?${i}`:r}};function o(e){if(!e||typeof e!=`object`)throw Error(`Invalid scaleway secret payload`);let t=e;if(typeof t.data==`string`&&t.data)return t.data;throw Error(`Scaleway secret payload is missing data`)}function s(e){if(!e||typeof e!=`object`)throw Error(`Invalid scaleway createSecret payload`);let t=e;if(typeof t.id==`string`&&t.id)return t.id;throw Error(`Scaleway createSecret response is missing id`)}function c(e){if(!e||typeof e!=`object`)return;let t=e;if(typeof t.revision==`number`)return String(t.revision);if(typeof t.revision==`string`&&t.revision)return t.revision;if(typeof t.id==`string`&&t.id)return t.id}async function l(t){let{response:n,provider:r,reference:i,operation:a}=t,o=n.status===404?`NOT_FOUND`:n.status===401||n.status===403?`FORBIDDEN`:n.status>=400&&n.status<500?`INVALID`:`UNKNOWN`,s=await u(n);return new e({message:s?`Scaleway Secret Manager ${a} failed (${n.status}): ${s}`:`Scaleway Secret Manager ${a} failed (${n.status})`,provider:r,reference:i,code:o})}async function u(e){try{let t=(await e.text()).trim();return t.length?t:void 0}catch{return}}export{a as ScalewaySecretManagerProvider};
+import { SecretProviderError, normalizeSecretPayload, parseSecretUri } from "./provider.js";
+import { Buffer } from "node:buffer";
+
+//#region src/integrations/secrets/scaleway-secret-manager.ts
+const UUID_V4_LIKE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+var ScalewaySecretManagerProvider = class {
+	id = "scaleway-secret-manager";
+	token;
+	defaultRegion;
+	defaultProjectId;
+	baseUrl;
+	fetchFn;
+	constructor(options = {}) {
+		this.token = options.token ?? process.env.SCW_SECRET_KEY ?? process.env.SCALEWAY_SECRET_KEY ?? "";
+		this.defaultRegion = options.defaultRegion ?? process.env.SCW_DEFAULT_REGION ?? process.env.SCW_REGION;
+		this.defaultProjectId = options.defaultProjectId ?? process.env.SCW_DEFAULT_PROJECT_ID ?? process.env.SCW_PROJECT_ID;
+		this.baseUrl = options.baseUrl ?? "https://api.scaleway.com";
+		this.fetchFn = options.fetch ?? fetch;
+	}
+	canHandle(reference) {
+		try {
+			const parsed = parseSecretUri(reference);
+			return parsed.provider === "scw" && (parsed.path === "secret-manager" || parsed.path.startsWith("secret-manager/"));
+		} catch {
+			return false;
+		}
+	}
+	async getSecret(reference, options) {
+		const location = this.parseReference(reference);
+		if (!this.token) throw new SecretProviderError({
+			message: "Scaleway secret manager token is missing (set SCW_SECRET_KEY / SCALEWAY_SECRET_KEY).",
+			provider: this.id,
+			reference,
+			code: "FORBIDDEN"
+		});
+		if (!UUID_V4_LIKE.test(location.secretIdOrName)) throw new SecretProviderError({
+			message: "Scaleway getSecret requires a secretId (uuid) reference, not a secret name.",
+			provider: this.id,
+			reference,
+			code: "INVALID"
+		});
+		const revision = options?.version ?? location.revision ?? "latest";
+		const url = `${this.baseUrl}/secret-manager/v1beta1/regions/${encodeURIComponent(location.region)}/secrets/${encodeURIComponent(location.secretIdOrName)}/versions/${encodeURIComponent(revision)}/access`;
+		const response = await this.fetchFn(url, {
+			method: "GET",
+			headers: { "X-Auth-Token": this.token }
+		});
+		if (!response.ok) throw await toScalewayError({
+			response,
+			provider: this.id,
+			reference,
+			operation: "getSecret"
+		});
+		const dataB64 = extractScalewayData(await response.json());
+		return {
+			data: Buffer.from(dataB64, "base64"),
+			version: revision,
+			metadata: {
+				region: location.region,
+				secretId: location.secretIdOrName
+			},
+			retrievedAt: /* @__PURE__ */ new Date()
+		};
+	}
+	async setSecret(reference, payload) {
+		const location = this.parseReference(reference);
+		if (!this.token) throw new SecretProviderError({
+			message: "Scaleway secret manager token is missing (set SCW_SECRET_KEY / SCALEWAY_SECRET_KEY).",
+			provider: this.id,
+			reference,
+			code: "FORBIDDEN"
+		});
+		const bytes = normalizeSecretPayload(payload);
+		const encoded = Buffer.from(bytes).toString("base64");
+		const secretId = UUID_V4_LIKE.test(location.secretIdOrName) ? location.secretIdOrName : await this.createSecret({
+			region: location.region,
+			name: location.secretIdOrName,
+			reference
+		});
+		const version = await this.createSecretVersion({
+			region: location.region,
+			secretId,
+			dataB64: encoded,
+			reference
+		});
+		return {
+			reference: this.buildReference(location.region, secretId, { version }),
+			version
+		};
+	}
+	async rotateSecret(reference, payload) {
+		return this.setSecret(reference, payload);
+	}
+	async deleteSecret(reference) {
+		const location = this.parseReference(reference);
+		if (!this.token) throw new SecretProviderError({
+			message: "Scaleway secret manager token is missing (set SCW_SECRET_KEY / SCALEWAY_SECRET_KEY).",
+			provider: this.id,
+			reference,
+			code: "FORBIDDEN"
+		});
+		if (!UUID_V4_LIKE.test(location.secretIdOrName)) throw new SecretProviderError({
+			message: "Scaleway deleteSecret requires a secretId (uuid) reference, not a secret name.",
+			provider: this.id,
+			reference,
+			code: "INVALID"
+		});
+		const url = `${this.baseUrl}/secret-manager/v1beta1/regions/${encodeURIComponent(location.region)}/secrets/${encodeURIComponent(location.secretIdOrName)}`;
+		const response = await this.fetchFn(url, {
+			method: "DELETE",
+			headers: { "X-Auth-Token": this.token }
+		});
+		if (!response.ok) throw await toScalewayError({
+			response,
+			provider: this.id,
+			reference,
+			operation: "deleteSecret"
+		});
+	}
+	parseReference(reference) {
+		const parsed = parseSecretUri(reference);
+		if (parsed.provider !== "scw") throw new SecretProviderError({
+			message: `Unsupported secret provider: ${parsed.provider}`,
+			provider: this.id,
+			reference,
+			code: "INVALID"
+		});
+		const segments = parsed.path.split("/").filter(Boolean);
+		if (segments.length < 2 || segments[0] !== "secret-manager") throw new SecretProviderError({
+			message: "Expected secret reference format scw://secret-manager/{region}/{secretIdOrName}[?version=...]",
+			provider: this.id,
+			reference,
+			code: "INVALID"
+		});
+		const region = segments[1] ?? this.defaultRegion;
+		if (!region) throw new SecretProviderError({
+			message: "Scaleway region must be provided either in reference (scw://secret-manager/{region}/...) or via SCW_DEFAULT_REGION/SCW_REGION.",
+			provider: this.id,
+			reference,
+			code: "INVALID"
+		});
+		const secretIdOrName = segments.slice(2).join("/");
+		if (!secretIdOrName) throw new SecretProviderError({
+			message: `Unable to resolve secret id/name from reference "${parsed.path}"`,
+			provider: this.id,
+			reference,
+			code: "INVALID"
+		});
+		return {
+			region,
+			secretIdOrName,
+			revision: parsed.extras?.version
+		};
+	}
+	async createSecret(params) {
+		const projectId = this.defaultProjectId;
+		if (!projectId) throw new SecretProviderError({
+			message: "Scaleway project id is required to create secrets by name (set SCW_DEFAULT_PROJECT_ID/SCW_PROJECT_ID).",
+			provider: this.id,
+			reference: params.reference,
+			code: "INVALID"
+		});
+		const url = `${this.baseUrl}/secret-manager/v1beta1/regions/${encodeURIComponent(params.region)}/secrets`;
+		const response = await this.fetchFn(url, {
+			method: "POST",
+			headers: {
+				"Content-Type": "application/json",
+				"X-Auth-Token": this.token
+			},
+			body: JSON.stringify({
+				name: params.name,
+				project_id: projectId
+			})
+		});
+		if (!response.ok) throw await toScalewayError({
+			response,
+			provider: this.id,
+			reference: params.reference,
+			operation: "createSecret"
+		});
+		return extractScalewaySecretId(await response.json());
+	}
+	async createSecretVersion(params) {
+		const url = `${this.baseUrl}/secret-manager/v1beta1/regions/${encodeURIComponent(params.region)}/secrets/${encodeURIComponent(params.secretId)}/versions`;
+		const response = await this.fetchFn(url, {
+			method: "POST",
+			headers: {
+				"Content-Type": "application/json",
+				"X-Auth-Token": this.token
+			},
+			body: JSON.stringify({ data: params.dataB64 })
+		});
+		if (!response.ok) throw await toScalewayError({
+			response,
+			provider: this.id,
+			reference: params.reference,
+			operation: "createSecretVersion"
+		});
+		return extractScalewayRevision(await response.json()) ?? "latest";
+	}
+	buildReference(region, secretId, extras) {
+		const base = `scw://secret-manager/${region}/${secretId}`;
+		const query = extras ? Object.entries(extras).filter(([, value]) => Boolean(value)).map(([key, value]) => `${encodeURIComponent(key)}=${encodeURIComponent(value)}`).join("&") : "";
+		return query ? `${base}?${query}` : base;
+	}
+};
+function extractScalewayData(payload) {
+	if (!payload || typeof payload !== "object") throw new Error("Invalid scaleway secret payload");
+	const record = payload;
+	if (typeof record.data === "string" && record.data) return record.data;
+	throw new Error("Scaleway secret payload is missing data");
+}
+function extractScalewaySecretId(payload) {
+	if (!payload || typeof payload !== "object") throw new Error("Invalid scaleway createSecret payload");
+	const record = payload;
+	if (typeof record.id === "string" && record.id) return record.id;
+	throw new Error("Scaleway createSecret response is missing id");
+}
+function extractScalewayRevision(payload) {
+	if (!payload || typeof payload !== "object") return;
+	const record = payload;
+	if (typeof record.revision === "number") return String(record.revision);
+	if (typeof record.revision === "string" && record.revision) return record.revision;
+	if (typeof record.id === "string" && record.id) return record.id;
+}
+async function toScalewayError(params) {
+	const { response, provider, reference, operation } = params;
+	const code = response.status === 404 ? "NOT_FOUND" : response.status === 401 || response.status === 403 ? "FORBIDDEN" : response.status >= 400 && response.status < 500 ? "INVALID" : "UNKNOWN";
+	const bodyText = await safeReadBody(response);
+	return new SecretProviderError({
+		message: bodyText ? `Scaleway Secret Manager ${operation} failed (${response.status}): ${bodyText}` : `Scaleway Secret Manager ${operation} failed (${response.status})`,
+		provider,
+		reference,
+		code
+	});
+}
+async function safeReadBody(response) {
+	try {
+		const trimmed = (await response.text()).trim();
+		return trimmed.length ? trimmed : void 0;
+	} catch {
+		return;
+	}
+}
+
+//#endregion
+export { ScalewaySecretManagerProvider };