@lssm/lib.contracts 1.41.1 → 1.42.2

package/dist/integrations/secrets/aws-secret-manager.js

@@ -1 +1,231 @@
-import{SecretProviderError as e,normalizeSecretPayload as t,parseSecretUri as n}from"./provider.js";import{Buffer as r}from"node:buffer";import{CreateSecretCommand as i,DeleteSecretCommand as a,GetSecretValueCommand as o,PutSecretValueCommand as s,SecretsManagerClient as c}from"@aws-sdk/client-secrets-manager";var l=class{id=`aws-secrets-manager`;explicitRegion;injectedClient;clientConfig;clientsByRegion=new Map;constructor(e={}){this.explicitRegion=e.region,this.injectedClient=e.client,this.clientConfig=e.clientConfig}canHandle(e){try{let t=n(e);return t.provider===`aws`&&(t.path===`secretsmanager`||t.path.startsWith(`secretsmanager/`))}catch{return!1}}async getSecret(e,t){let n=this.parseReference(e),r=this.getClient(n.region),i=t?.version??n.stage??n.version,a={SecretId:n.secretId,...this.buildVersionSelector(i)};try{let t=await r.send(new o(a));return{data:u(t,e,this.id),version:typeof t.VersionId==`string`&&t.VersionId?t.VersionId:i,metadata:{region:n.region,secretId:n.secretId,...i?{requestedVersion:i}:{}},retrievedAt:new Date}}catch(t){throw p({error:t,provider:this.id,reference:e,operation:`getSecret`})}}async setSecret(n,r){let a=this.parseReference(n),o=this.getClient(a.region),c=t(r);try{let e=await o.send(new s({SecretId:a.secretId,SecretBinary:c})),t=typeof e.VersionId==`string`&&e.VersionId?e.VersionId:`latest`;return{reference:this.buildReference(a.region,a.secretId,{version:t}),version:t}}catch(t){if(!f(t))throw p({error:t,provider:this.id,reference:n,operation:`putSecretValue`});if(d(a.secretId))throw new e({message:`Secret not found: ${a.secretId}`,provider:this.id,reference:n,code:`NOT_FOUND`,cause:t});try{let e=await o.send(new i({Name:a.secretId,SecretBinary:c})),t=typeof e.VersionId==`string`&&e.VersionId?e.VersionId:`latest`;return{reference:this.buildReference(a.region,a.secretId,{version:t}),version:t}}catch(e){throw p({error:e,provider:this.id,reference:n,operation:`createSecret`})}}}async rotateSecret(e,t){return this.setSecret(e,t)}async deleteSecret(e){let t=this.parseReference(e),n=this.getClient(t.region);try{await n.send(new a({SecretId:t.secretId,RecoveryWindowInDays:7}))}catch(t){throw p({error:t,provider:this.id,reference:e,operation:`deleteSecret`})}}getClient(e){if(this.injectedClient)return this.injectedClient;let t=this.clientsByRegion.get(e);if(t)return t;let n=new c({...this.clientConfig??{},region:e});return this.clientsByRegion.set(e,n),n}parseReference(t){let r=n(t);if(r.provider!==`aws`)throw new e({message:`Unsupported secret provider: ${r.provider}`,provider:this.id,reference:t,code:`INVALID`});let i=r.path.split(`/`).filter(Boolean);if(i.length<3||i[0]!==`secretsmanager`)throw new e({message:`Expected secret reference format aws://secretsmanager/{region}/{secretIdOrArn}[?version=...]`,provider:this.id,reference:t,code:`INVALID`});let a=i[1],o=this.resolveRegion(a),s=i.slice(2).join(`/`);if(!s)throw new e({message:`Unable to resolve secret id from reference "${r.path}"`,provider:this.id,reference:t,code:`INVALID`});return{region:o,secretId:s,version:r.extras?.version,stage:r.extras?.stage}}resolveRegion(t){let n=t??this.explicitRegion??process.env.AWS_REGION??process.env.AWS_DEFAULT_REGION;if(!n)throw new e({message:`AWS region must be provided either in reference (aws://secretsmanager/{region}/...) or via AWS_REGION/AWS_DEFAULT_REGION.`,provider:this.id,reference:`aws://secretsmanager//`,code:`INVALID`});return n}buildVersionSelector(e){return e?e===`latest`||e===`current`?{VersionStage:`AWSCURRENT`}:e.startsWith(`AWS`)?{VersionStage:e}:{VersionId:e}:{}}buildReference(e,t,n){let r=`aws://secretsmanager/${e}/${t}`,i=n?Object.entries(n).filter(([,e])=>!!e).map(([e,t])=>`${encodeURIComponent(e)}=${encodeURIComponent(t)}`).join(`&`):``;return i?`${r}?${i}`:r}};function u(t,n,i){if(!t||typeof t!=`object`)throw new e({message:`Invalid AWS Secrets Manager response`,provider:i,reference:n,code:`UNKNOWN`,cause:t});let a=t;if(a.SecretBinary instanceof Uint8Array)return a.SecretBinary;if(typeof a.SecretBinary==`string`)return r.from(a.SecretBinary,`base64`);if(typeof a.SecretString==`string`)return r.from(a.SecretString,`utf-8`);throw new e({message:`AWS secret value is empty`,provider:i,reference:n,code:`NOT_FOUND`,cause:t})}function d(e){return e.startsWith(`arn:aws:secretsmanager:`)}function f(e){if(!e||typeof e!=`object`)return!1;let t=e;return typeof t.$metadata?.httpStatusCode==`number`?t.$metadata.httpStatusCode===404:t.name===`ResourceNotFoundException`}function p(t){let{error:n,provider:r,reference:i,operation:a}=t;if(n instanceof e)return n;let o=typeof n==`object`&&!!n&&`$metadata`in n&&typeof n.$metadata==`object`&&n.$metadata?.httpStatusCode,s=o===404?`NOT_FOUND`:o===401||o===403?`FORBIDDEN`:o===400?`INVALID`:`UNKNOWN`;return new e({message:n instanceof Error?n.message:`Unknown error during ${a}`,provider:r,reference:i,code:s,cause:n})}export{l as AwsSecretsManagerProvider};
+import { SecretProviderError, normalizeSecretPayload, parseSecretUri } from "./provider.js";
+import { Buffer } from "node:buffer";
+import { CreateSecretCommand, DeleteSecretCommand, GetSecretValueCommand, PutSecretValueCommand, SecretsManagerClient } from "@aws-sdk/client-secrets-manager";
+
+//#region src/integrations/secrets/aws-secret-manager.ts
+const DEFAULT_DELETE_RECOVERY_DAYS = 7;
+var AwsSecretsManagerProvider = class {
+	id = "aws-secrets-manager";
+	explicitRegion;
+	injectedClient;
+	clientConfig;
+	clientsByRegion = /* @__PURE__ */ new Map();
+	constructor(options = {}) {
+		this.explicitRegion = options.region;
+		this.injectedClient = options.client;
+		this.clientConfig = options.clientConfig;
+	}
+	canHandle(reference) {
+		try {
+			const parsed = parseSecretUri(reference);
+			return parsed.provider === "aws" && (parsed.path === "secretsmanager" || parsed.path.startsWith("secretsmanager/"));
+		} catch {
+			return false;
+		}
+	}
+	async getSecret(reference, options) {
+		const location = this.parseReference(reference);
+		const client = this.getClient(location.region);
+		const requestedVersion = options?.version ?? location.stage ?? location.version;
+		const input = {
+			SecretId: location.secretId,
+			...this.buildVersionSelector(requestedVersion)
+		};
+		try {
+			const result = await client.send(new GetSecretValueCommand(input));
+			return {
+				data: extractAwsSecretBytes(result, reference, this.id),
+				version: typeof result.VersionId === "string" && result.VersionId ? result.VersionId : requestedVersion,
+				metadata: {
+					region: location.region,
+					secretId: location.secretId,
+					...requestedVersion ? { requestedVersion } : {}
+				},
+				retrievedAt: /* @__PURE__ */ new Date()
+			};
+		} catch (error) {
+			throw toAwsSecretProviderError({
+				error,
+				provider: this.id,
+				reference,
+				operation: "getSecret"
+			});
+		}
+	}
+	async setSecret(reference, payload) {
+		const location = this.parseReference(reference);
+		const client = this.getClient(location.region);
+		const bytes = normalizeSecretPayload(payload);
+		try {
+			const result = await client.send(new PutSecretValueCommand({
+				SecretId: location.secretId,
+				SecretBinary: bytes
+			}));
+			const versionId = typeof result.VersionId === "string" && result.VersionId ? result.VersionId : "latest";
+			return {
+				reference: this.buildReference(location.region, location.secretId, { version: versionId }),
+				version: versionId
+			};
+		} catch (error) {
+			if (!isAwsNotFound(error)) throw toAwsSecretProviderError({
+				error,
+				provider: this.id,
+				reference,
+				operation: "putSecretValue"
+			});
+			if (looksLikeAwsArn(location.secretId)) throw new SecretProviderError({
+				message: `Secret not found: ${location.secretId}`,
+				provider: this.id,
+				reference,
+				code: "NOT_FOUND",
+				cause: error
+			});
+			try {
+				const created = await client.send(new CreateSecretCommand({
+					Name: location.secretId,
+					SecretBinary: bytes
+				}));
+				const versionId = typeof created.VersionId === "string" && created.VersionId ? created.VersionId : "latest";
+				return {
+					reference: this.buildReference(location.region, location.secretId, { version: versionId }),
+					version: versionId
+				};
+			} catch (creationError) {
+				throw toAwsSecretProviderError({
+					error: creationError,
+					provider: this.id,
+					reference,
+					operation: "createSecret"
+				});
+			}
+		}
+	}
+	async rotateSecret(reference, payload) {
+		return this.setSecret(reference, payload);
+	}
+	async deleteSecret(reference) {
+		const location = this.parseReference(reference);
+		const client = this.getClient(location.region);
+		try {
+			await client.send(new DeleteSecretCommand({
+				SecretId: location.secretId,
+				RecoveryWindowInDays: DEFAULT_DELETE_RECOVERY_DAYS
+			}));
+		} catch (error) {
+			throw toAwsSecretProviderError({
+				error,
+				provider: this.id,
+				reference,
+				operation: "deleteSecret"
+			});
+		}
+	}
+	getClient(region) {
+		if (this.injectedClient) return this.injectedClient;
+		const cached = this.clientsByRegion.get(region);
+		if (cached) return cached;
+		const client = new SecretsManagerClient({
+			...this.clientConfig ?? {},
+			region
+		});
+		this.clientsByRegion.set(region, client);
+		return client;
+	}
+	parseReference(reference) {
+		const parsed = parseSecretUri(reference);
+		if (parsed.provider !== "aws") throw new SecretProviderError({
+			message: `Unsupported secret provider: ${parsed.provider}`,
+			provider: this.id,
+			reference,
+			code: "INVALID"
+		});
+		const segments = parsed.path.split("/").filter(Boolean);
+		if (segments.length < 3 || segments[0] !== "secretsmanager") throw new SecretProviderError({
+			message: "Expected secret reference format aws://secretsmanager/{region}/{secretIdOrArn}[?version=...]",
+			provider: this.id,
+			reference,
+			code: "INVALID"
+		});
+		const regionCandidate = segments[1];
+		const region = this.resolveRegion(regionCandidate);
+		const secretId = segments.slice(2).join("/");
+		if (!secretId) throw new SecretProviderError({
+			message: `Unable to resolve secret id from reference "${parsed.path}"`,
+			provider: this.id,
+			reference,
+			code: "INVALID"
+		});
+		return {
+			region,
+			secretId,
+			version: parsed.extras?.version,
+			stage: parsed.extras?.stage
+		};
+	}
+	resolveRegion(regionCandidate) {
+		const region = regionCandidate ?? this.explicitRegion ?? process.env.AWS_REGION ?? process.env.AWS_DEFAULT_REGION;
+		if (!region) throw new SecretProviderError({
+			message: "AWS region must be provided either in reference (aws://secretsmanager/{region}/...) or via AWS_REGION/AWS_DEFAULT_REGION.",
+			provider: this.id,
+			reference: "aws://secretsmanager//",
+			code: "INVALID"
+		});
+		return region;
+	}
+	buildVersionSelector(version) {
+		if (!version) return {};
+		if (version === "latest" || version === "current") return { VersionStage: "AWSCURRENT" };
+		if (version.startsWith("AWS")) return { VersionStage: version };
+		return { VersionId: version };
+	}
+	buildReference(region, secretId, extras) {
+		const base = `aws://secretsmanager/${region}/${secretId}`;
+		const query = extras ? Object.entries(extras).filter(([, value]) => Boolean(value)).map(([key, value]) => `${encodeURIComponent(key)}=${encodeURIComponent(value)}`).join("&") : "";
+		return query ? `${base}?${query}` : base;
+	}
+};
+function extractAwsSecretBytes(result, reference, provider) {
+	if (!result || typeof result !== "object") throw new SecretProviderError({
+		message: "Invalid AWS Secrets Manager response",
+		provider,
+		reference,
+		code: "UNKNOWN",
+		cause: result
+	});
+	const record = result;
+	if (record.SecretBinary instanceof Uint8Array) return record.SecretBinary;
+	if (typeof record.SecretBinary === "string") return Buffer.from(record.SecretBinary, "base64");
+	if (typeof record.SecretString === "string") return Buffer.from(record.SecretString, "utf-8");
+	throw new SecretProviderError({
+		message: "AWS secret value is empty",
+		provider,
+		reference,
+		code: "NOT_FOUND",
+		cause: result
+	});
+}
+function looksLikeAwsArn(secretId) {
+	return secretId.startsWith("arn:aws:secretsmanager:");
+}
+function isAwsNotFound(error) {
+	if (!error || typeof error !== "object") return false;
+	const err = error;
+	if (typeof err.$metadata?.httpStatusCode === "number") return err.$metadata.httpStatusCode === 404;
+	return err.name === "ResourceNotFoundException";
+}
+function toAwsSecretProviderError(params) {
+	const { error, provider, reference, operation } = params;
+	if (error instanceof SecretProviderError) return error;
+	const httpStatusCode = typeof error === "object" && error !== null && "$metadata" in error && typeof error.$metadata === "object" && error.$metadata?.httpStatusCode;
+	const code = httpStatusCode === 404 ? "NOT_FOUND" : httpStatusCode === 401 || httpStatusCode === 403 ? "FORBIDDEN" : httpStatusCode === 400 ? "INVALID" : "UNKNOWN";
+	return new SecretProviderError({
+		message: error instanceof Error ? error.message : `Unknown error during ${operation}`,
+		provider,
+		reference,
+		code,
+		cause: error
+	});
+}
+
+//#endregion
+export { AwsSecretsManagerProvider };

package/dist/integrations/secrets/env-secret-provider.d.ts

@@ -0,0 +1,31 @@
+import { SecretProvider, SecretReference, SecretRotationResult, SecretValue, SecretWritePayload } from "./provider.js";
+
+//#region src/integrations/secrets/env-secret-provider.d.ts
+interface EnvSecretProviderOptions {
+  /**
+   * Optional map to alias secret references to environment variable names.
+   * Useful when referencing secrets from other providers (e.g. gcp://...)
+   * while still allowing local overrides.
+   */
+  aliases?: Record<string, string>;
+}
+/**
+ * Environment-variable backed secret provider. Read-only by design.
+ * Allows overriding other secret providers by deriving environment variable
+ * names from secret references (or by using explicit aliases).
+ */
+declare class EnvSecretProvider implements SecretProvider {
+  readonly id = "env";
+  private readonly aliases;
+  constructor(options?: EnvSecretProviderOptions);
+  canHandle(reference: SecretReference): boolean;
+  getSecret(reference: SecretReference): Promise<SecretValue>;
+  setSecret(reference: SecretReference, _payload: SecretWritePayload): Promise<SecretRotationResult>;
+  rotateSecret(reference: SecretReference, _payload: SecretWritePayload): Promise<SecretRotationResult>;
+  deleteSecret(reference: SecretReference): Promise<void>;
+  private resolveEnvKey;
+  private deriveEnvKey;
+  private forbiddenError;
+}
+//#endregion
+export { EnvSecretProvider };

package/dist/integrations/secrets/env-secret-provider.js

@@ -1 +1,81 @@
-import{SecretProviderError as e,parseSecretUri as t}from"./provider.js";var n=class{id=`env`;aliases;constructor(e={}){this.aliases=e.aliases??{}}canHandle(e){let t=this.resolveEnvKey(e);return t!==void 0&&process.env[t]!==void 0}async getSecret(t){let n=this.resolveEnvKey(t);if(!n)throw new e({message:`Unable to resolve environment variable for reference "${t}".`,provider:this.id,reference:t,code:`INVALID`});let r=process.env[n];if(r===void 0)throw new e({message:`Environment variable "${n}" not found for reference "${t}".`,provider:this.id,reference:t,code:`NOT_FOUND`});return{data:Buffer.from(r,`utf-8`),version:`current`,metadata:{source:`env`,envKey:n},retrievedAt:new Date}}async setSecret(e,t){throw this.forbiddenError(`setSecret`,e)}async rotateSecret(e,t){throw this.forbiddenError(`rotateSecret`,e)}async deleteSecret(e){throw this.forbiddenError(`deleteSecret`,e)}resolveEnvKey(e){if(e){if(this.aliases[e])return this.aliases[e];if(!e.includes(`://`))return e;try{let n=t(e);return n.provider===`env`?n.path:n.extras?.env?n.extras.env:this.deriveEnvKey(n.path)}catch{return e}}}deriveEnvKey(e){if(e)return e.split(/[\/:\-\.]/).filter(Boolean).map(e=>e.replace(/[^a-zA-Z0-9]/g,`_`).replace(/_{2,}/g,`_`).toUpperCase()).join(`_`)}forbiddenError(t,n){return new e({message:`EnvSecretProvider is read-only. "${t}" is not allowed for ${n}.`,provider:this.id,reference:n,code:`FORBIDDEN`})}};export{n as EnvSecretProvider};
+import { SecretProviderError, parseSecretUri } from "./provider.js";
+
+//#region src/integrations/secrets/env-secret-provider.ts
+/**
+* Environment-variable backed secret provider. Read-only by design.
+* Allows overriding other secret providers by deriving environment variable
+* names from secret references (or by using explicit aliases).
+*/
+var EnvSecretProvider = class {
+	id = "env";
+	aliases;
+	constructor(options = {}) {
+		this.aliases = options.aliases ?? {};
+	}
+	canHandle(reference) {
+		const envKey = this.resolveEnvKey(reference);
+		return envKey !== void 0 && process.env[envKey] !== void 0;
+	}
+	async getSecret(reference) {
+		const envKey = this.resolveEnvKey(reference);
+		if (!envKey) throw new SecretProviderError({
+			message: `Unable to resolve environment variable for reference "${reference}".`,
+			provider: this.id,
+			reference,
+			code: "INVALID"
+		});
+		const value = process.env[envKey];
+		if (value === void 0) throw new SecretProviderError({
+			message: `Environment variable "${envKey}" not found for reference "${reference}".`,
+			provider: this.id,
+			reference,
+			code: "NOT_FOUND"
+		});
+		return {
+			data: Buffer.from(value, "utf-8"),
+			version: "current",
+			metadata: {
+				source: "env",
+				envKey
+			},
+			retrievedAt: /* @__PURE__ */ new Date()
+		};
+	}
+	async setSecret(reference, _payload) {
+		throw this.forbiddenError("setSecret", reference);
+	}
+	async rotateSecret(reference, _payload) {
+		throw this.forbiddenError("rotateSecret", reference);
+	}
+	async deleteSecret(reference) {
+		throw this.forbiddenError("deleteSecret", reference);
+	}
+	resolveEnvKey(reference) {
+		if (!reference) return;
+		if (this.aliases[reference]) return this.aliases[reference];
+		if (!reference.includes("://")) return reference;
+		try {
+			const parsed = parseSecretUri(reference);
+			if (parsed.provider === "env") return parsed.path;
+			if (parsed.extras?.env) return parsed.extras.env;
+			return this.deriveEnvKey(parsed.path);
+		} catch {
+			return reference;
+		}
+	}
+	deriveEnvKey(path) {
+		if (!path) return void 0;
+		return path.split(/[\/:\-\.]/).filter(Boolean).map((segment) => segment.replace(/[^a-zA-Z0-9]/g, "_").replace(/_{2,}/g, "_").toUpperCase()).join("_");
+	}
+	forbiddenError(operation, reference) {
+		return new SecretProviderError({
+			message: `EnvSecretProvider is read-only. "${operation}" is not allowed for ${reference}.`,
+			provider: this.id,
+			reference,
+			code: "FORBIDDEN"
+		});
+	}
+};
+
+//#endregion
+export { EnvSecretProvider };

package/dist/integrations/secrets/gcp-secret-manager.d.ts

@@ -0,0 +1,32 @@
+import { SecretProvider, SecretReference, SecretRotationResult, SecretValue, SecretWritePayload } from "./provider.js";
+import { SecretManagerServiceClient, protos } from "@google-cloud/secret-manager";
+import { CallOptions } from "google-gax";
+
+//#region src/integrations/secrets/gcp-secret-manager.d.ts
+type SecretManagerClient = SecretManagerServiceClient;
+interface GcpSecretManagerProviderOptions {
+  projectId?: string;
+  client?: SecretManagerClient;
+  clientOptions?: ConstructorParameters<typeof SecretManagerServiceClient>[0];
+  defaultReplication?: protos.google.cloud.secretmanager.v1.IReplication;
+}
+declare class GcpSecretManagerProvider implements SecretProvider {
+  readonly id = "gcp-secret-manager";
+  private readonly client;
+  private readonly explicitProjectId?;
+  private readonly replication;
+  constructor(options?: GcpSecretManagerProviderOptions);
+  canHandle(reference: SecretReference): boolean;
+  getSecret(reference: SecretReference, options?: {
+    version?: string;
+  }, callOptions?: CallOptions): Promise<SecretValue>;
+  setSecret(reference: SecretReference, payload: SecretWritePayload): Promise<SecretRotationResult>;
+  rotateSecret(reference: SecretReference, payload: SecretWritePayload): Promise<SecretRotationResult>;
+  deleteSecret(reference: SecretReference): Promise<void>;
+  private parseReference;
+  private buildNames;
+  private buildVersionName;
+  private ensureSecretExists;
+}
+//#endregion
+export { GcpSecretManagerProvider };

package/dist/integrations/secrets/gcp-secret-manager.js

@@ -1 +1,229 @@
-import{SecretProviderError as e,normalizeSecretPayload as t,parseSecretUri as n}from"./provider.js";import{SecretManagerServiceClient as r}from"@google-cloud/secret-manager";const i={automatic:{}};var a=class{id=`gcp-secret-manager`;client;explicitProjectId;replication;constructor(e={}){this.client=e.client??new r(e.clientOptions??{}),this.explicitProjectId=e.projectId,this.replication=e.defaultReplication??i}canHandle(e){try{return n(e).provider===`gcp`}catch{return!1}}async getSecret(t,n,r){let i=this.parseReference(t),a=this.buildVersionName(i,n?.version);try{let[n]=await this.client.accessSecretVersion({name:a},r??{}),i=n.payload;if(!i?.data)throw new e({message:`Secret payload empty for ${a}`,provider:this.id,reference:t,code:`UNKNOWN`});let s=o(n.name??a);return{data:i.data,version:s,metadata:i.dataCrc32c?{crc32c:i.dataCrc32c.toString()}:void 0,retrievedAt:new Date}}catch(e){throw s({error:e,provider:this.id,reference:t,operation:`access`})}}async setSecret(n,r){let i=this.parseReference(n),{secretName:a}=this.buildNames(i),c=t(r);await this.ensureSecretExists(i,r);try{let t=await this.client.addSecretVersion({parent:a,payload:{data:c}});if(!t)throw new e({message:`No version returned when adding secret version for ${a}`,provider:this.id,reference:n,code:`UNKNOWN`});let[r]=t,i=r?.name??`${a}/versions/latest`;return{reference:`gcp://${i}`,version:o(i)??`latest`}}catch(e){throw s({error:e,provider:this.id,reference:n,operation:`addSecretVersion`})}}async rotateSecret(e,t){return this.setSecret(e,t)}async deleteSecret(e){let t=this.parseReference(e),{secretName:n}=this.buildNames(t);try{await this.client.deleteSecret({name:n})}catch(t){throw s({error:t,provider:this.id,reference:e,operation:`delete`})}}parseReference(t){let r=n(t);if(r.provider!==`gcp`)throw new e({message:`Unsupported secret provider: ${r.provider}`,provider:this.id,reference:t,code:`INVALID`});let i=r.path.split(`/`).filter(Boolean);if(i.length<4||i[0]!==`projects`)throw new e({message:`Expected secret reference format gcp://projects/{project}/secrets/{secret}[(/versions/{version})] but received "${r.path}"`,provider:this.id,reference:t,code:`INVALID`});let a=i[1]??this.explicitProjectId;if(!a)throw new e({message:`Unable to resolve project or secret from reference "${r.path}"`,provider:this.id,reference:t,code:`INVALID`});let o=i.indexOf(`secrets`);if(o===-1||o+1>=i.length)throw new e({message:`Unable to resolve project or secret from reference "${r.path}"`,provider:this.id,reference:t,code:`INVALID`});let s=a,c=i[o+1];if(!c)throw new e({message:`Unable to resolve secret ID from reference "${r.path}"`,provider:this.id,reference:t,code:`INVALID`});let l=c,u=i.indexOf(`versions`);return{projectId:s,secretId:l,version:r.extras?.version??(u!==-1&&u+1<i.length?i[u+1]:void 0)}}buildNames(t){let n=t.projectId??this.explicitProjectId;if(!n)throw new e({message:`Project ID must be provided either in reference or provider configuration`,provider:this.id,reference:`gcp://projects//secrets/${t.secretId}`,code:`INVALID`});let r=`projects/${n}`;return{projectParent:r,secretName:`${r}/secrets/${t.secretId}`}}buildVersionName(e,t){let{secretName:n}=this.buildNames(e);return`${n}/versions/${t??e.version??`latest`}`}async ensureSecretExists(e,t){let{secretName:n,projectParent:r}=this.buildNames(e);try{await this.client.getSecret({name:n})}catch(i){let a=s({error:i,provider:this.id,reference:`gcp://${n}`,operation:`getSecret`,suppressThrow:!0});if(!a||a.code!==`NOT_FOUND`)throw a||i;try{await this.client.createSecret({parent:r,secretId:e.secretId,secret:{replication:this.replication,labels:t.labels}})}catch(e){throw s({error:e,provider:this.id,reference:`gcp://${n}`,operation:`createSecret`})}}}};function o(e){let t=e.split(`/`).filter(Boolean),n=t.indexOf(`versions`);if(!(n===-1||n+1>=t.length))return t[n+1]}function s(t){let{error:n,provider:r,reference:i,operation:a,suppressThrow:o}=t;if(n instanceof e)return n;let s=c(n),l=new e({message:n instanceof Error?n.message:`Unknown error during ${a}`,provider:r,reference:i,code:s,cause:n});if(o)return l;throw l}function c(e){if(typeof e!=`object`||!e)return`UNKNOWN`;let t=e.code;return t===5||t===`NOT_FOUND`?`NOT_FOUND`:t===6||t===`ALREADY_EXISTS`?`INVALID`:t===7||t===`PERMISSION_DENIED`||t===403?`FORBIDDEN`:t===3||t===`INVALID_ARGUMENT`?`INVALID`:`UNKNOWN`}export{a as GcpSecretManagerProvider};
+import { SecretProviderError, normalizeSecretPayload, parseSecretUri } from "./provider.js";
+import { SecretManagerServiceClient, protos } from "@google-cloud/secret-manager";
+
+//#region src/integrations/secrets/gcp-secret-manager.ts
+const DEFAULT_REPLICATION = { automatic: {} };
+var GcpSecretManagerProvider = class {
+	id = "gcp-secret-manager";
+	client;
+	explicitProjectId;
+	replication;
+	constructor(options = {}) {
+		this.client = options.client ?? new SecretManagerServiceClient(options.clientOptions ?? {});
+		this.explicitProjectId = options.projectId;
+		this.replication = options.defaultReplication ?? DEFAULT_REPLICATION;
+	}
+	canHandle(reference) {
+		try {
+			return parseSecretUri(reference).provider === "gcp";
+		} catch {
+			return false;
+		}
+	}
+	async getSecret(reference, options, callOptions) {
+		const location = this.parseReference(reference);
+		const secretVersionName = this.buildVersionName(location, options?.version);
+		try {
+			const [result] = await this.client.accessSecretVersion({ name: secretVersionName }, callOptions ?? {});
+			const payload = result.payload;
+			if (!payload?.data) throw new SecretProviderError({
+				message: `Secret payload empty for ${secretVersionName}`,
+				provider: this.id,
+				reference,
+				code: "UNKNOWN"
+			});
+			const version = extractVersionFromName(result.name ?? secretVersionName);
+			return {
+				data: payload.data,
+				version,
+				metadata: payload.dataCrc32c ? { crc32c: payload.dataCrc32c.toString() } : void 0,
+				retrievedAt: /* @__PURE__ */ new Date()
+			};
+		} catch (error) {
+			throw toSecretProviderError({
+				error,
+				provider: this.id,
+				reference,
+				operation: "access"
+			});
+		}
+	}
+	async setSecret(reference, payload) {
+		const location = this.parseReference(reference);
+		const { secretName } = this.buildNames(location);
+		const data = normalizeSecretPayload(payload);
+		await this.ensureSecretExists(location, payload);
+		try {
+			const response = await this.client.addSecretVersion({
+				parent: secretName,
+				payload: { data }
+			});
+			if (!response) throw new SecretProviderError({
+				message: `No version returned when adding secret version for ${secretName}`,
+				provider: this.id,
+				reference,
+				code: "UNKNOWN"
+			});
+			const [version] = response;
+			const versionName = version?.name ?? `${secretName}/versions/latest`;
+			return {
+				reference: `gcp://${versionName}`,
+				version: extractVersionFromName(versionName) ?? "latest"
+			};
+		} catch (error) {
+			throw toSecretProviderError({
+				error,
+				provider: this.id,
+				reference,
+				operation: "addSecretVersion"
+			});
+		}
+	}
+	async rotateSecret(reference, payload) {
+		return this.setSecret(reference, payload);
+	}
+	async deleteSecret(reference) {
+		const location = this.parseReference(reference);
+		const { secretName } = this.buildNames(location);
+		try {
+			await this.client.deleteSecret({ name: secretName });
+		} catch (error) {
+			throw toSecretProviderError({
+				error,
+				provider: this.id,
+				reference,
+				operation: "delete"
+			});
+		}
+	}
+	parseReference(reference) {
+		const parsed = parseSecretUri(reference);
+		if (parsed.provider !== "gcp") throw new SecretProviderError({
+			message: `Unsupported secret provider: ${parsed.provider}`,
+			provider: this.id,
+			reference,
+			code: "INVALID"
+		});
+		const segments = parsed.path.split("/").filter(Boolean);
+		if (segments.length < 4 || segments[0] !== "projects") throw new SecretProviderError({
+			message: `Expected secret reference format gcp://projects/{project}/secrets/{secret}[(/versions/{version})] but received "${parsed.path}"`,
+			provider: this.id,
+			reference,
+			code: "INVALID"
+		});
+		const projectIdCandidate = segments[1] ?? this.explicitProjectId;
+		if (!projectIdCandidate) throw new SecretProviderError({
+			message: `Unable to resolve project or secret from reference "${parsed.path}"`,
+			provider: this.id,
+			reference,
+			code: "INVALID"
+		});
+		const indexOfSecrets = segments.indexOf("secrets");
+		if (indexOfSecrets === -1 || indexOfSecrets + 1 >= segments.length) throw new SecretProviderError({
+			message: `Unable to resolve project or secret from reference "${parsed.path}"`,
+			provider: this.id,
+			reference,
+			code: "INVALID"
+		});
+		const resolvedProjectId = projectIdCandidate;
+		const secretIdCandidate = segments[indexOfSecrets + 1];
+		if (!secretIdCandidate) throw new SecretProviderError({
+			message: `Unable to resolve secret ID from reference "${parsed.path}"`,
+			provider: this.id,
+			reference,
+			code: "INVALID"
+		});
+		const secretId = secretIdCandidate;
+		const indexOfVersions = segments.indexOf("versions");
+		return {
+			projectId: resolvedProjectId,
+			secretId,
+			version: parsed.extras?.version ?? (indexOfVersions !== -1 && indexOfVersions + 1 < segments.length ? segments[indexOfVersions + 1] : void 0)
+		};
+	}
+	buildNames(location) {
+		const projectId = location.projectId ?? this.explicitProjectId;
+		if (!projectId) throw new SecretProviderError({
+			message: "Project ID must be provided either in reference or provider configuration",
+			provider: this.id,
+			reference: `gcp://projects//secrets/${location.secretId}`,
+			code: "INVALID"
+		});
+		const projectParent = `projects/${projectId}`;
+		return {
+			projectParent,
+			secretName: `${projectParent}/secrets/${location.secretId}`
+		};
+	}
+	buildVersionName(location, explicitVersion) {
+		const { secretName } = this.buildNames(location);
+		return `${secretName}/versions/${explicitVersion ?? location.version ?? "latest"}`;
+	}
+	async ensureSecretExists(location, payload) {
+		const { secretName, projectParent } = this.buildNames(location);
+		try {
+			await this.client.getSecret({ name: secretName });
+		} catch (error) {
+			const providerError = toSecretProviderError({
+				error,
+				provider: this.id,
+				reference: `gcp://${secretName}`,
+				operation: "getSecret",
+				suppressThrow: true
+			});
+			if (!providerError || providerError.code !== "NOT_FOUND") {
+				if (providerError) throw providerError;
+				throw error;
+			}
+			try {
+				await this.client.createSecret({
+					parent: projectParent,
+					secretId: location.secretId,
+					secret: {
+						replication: this.replication,
+						labels: payload.labels
+					}
+				});
+			} catch (creationError) {
+				throw toSecretProviderError({
+					error: creationError,
+					provider: this.id,
+					reference: `gcp://${secretName}`,
+					operation: "createSecret"
+				});
+			}
+		}
+	}
+};
+function extractVersionFromName(name) {
+	const segments = name.split("/").filter(Boolean);
+	const index = segments.indexOf("versions");
+	if (index === -1 || index + 1 >= segments.length) return;
+	return segments[index + 1];
+}
+function toSecretProviderError(params) {
+	const { error, provider, reference, operation, suppressThrow } = params;
+	if (error instanceof SecretProviderError) return error;
+	const code = deriveErrorCode(error);
+	const providerError = new SecretProviderError({
+		message: error instanceof Error ? error.message : `Unknown error during ${operation}`,
+		provider,
+		reference,
+		code,
+		cause: error
+	});
+	if (suppressThrow) return providerError;
+	throw providerError;
+}
+function deriveErrorCode(error) {
+	if (typeof error !== "object" || error === null) return "UNKNOWN";
+	const code = error.code;
+	if (code === 5 || code === "NOT_FOUND") return "NOT_FOUND";
+	if (code === 6 || code === "ALREADY_EXISTS") return "INVALID";
+	if (code === 7 || code === "PERMISSION_DENIED" || code === 403) return "FORBIDDEN";
+	if (code === 3 || code === "INVALID_ARGUMENT") return "INVALID";
+	return "UNKNOWN";
+}
+
+//#endregion
+export { GcpSecretManagerProvider };

package/dist/integrations/secrets/index.d.ts

@@ -0,0 +1,7 @@
+import { ParsedSecretUri, SecretFetchOptions, SecretPayloadEncoding, SecretProvider, SecretProviderError, SecretReference, SecretRotationResult, SecretValue, SecretWritePayload, normalizeSecretPayload, parseSecretUri } from "./provider.js";
+import { AwsSecretsManagerProvider } from "./aws-secret-manager.js";
+import { EnvSecretProvider } from "./env-secret-provider.js";
+import { GcpSecretManagerProvider } from "./gcp-secret-manager.js";
+import { ScalewaySecretManagerProvider } from "./scaleway-secret-manager.js";
+import { SecretProviderManager, SecretProviderManagerOptions } from "./manager.js";
+export { AwsSecretsManagerProvider, EnvSecretProvider, GcpSecretManagerProvider, ParsedSecretUri, ScalewaySecretManagerProvider, SecretFetchOptions, SecretPayloadEncoding, SecretProvider, SecretProviderError, SecretProviderManager, SecretProviderManagerOptions, SecretReference, SecretRotationResult, SecretValue, SecretWritePayload, normalizeSecretPayload, parseSecretUri };

package/dist/integrations/secrets/index.js

@@ -1 +1,8 @@
-import{SecretProviderError as e,normalizeSecretPayload as t,parseSecretUri as n}from"./provider.js";import{AwsSecretsManagerProvider as r}from"./aws-secret-manager.js";import{EnvSecretProvider as i}from"./env-secret-provider.js";import{GcpSecretManagerProvider as a}from"./gcp-secret-manager.js";import{ScalewaySecretManagerProvider as o}from"./scaleway-secret-manager.js";import{SecretProviderManager as s}from"./manager.js";export{r as AwsSecretsManagerProvider,i as EnvSecretProvider,a as GcpSecretManagerProvider,o as ScalewaySecretManagerProvider,e as SecretProviderError,s as SecretProviderManager,t as normalizeSecretPayload,n as parseSecretUri};
+import { SecretProviderError, normalizeSecretPayload, parseSecretUri } from "./provider.js";
+import { AwsSecretsManagerProvider } from "./aws-secret-manager.js";
+import { EnvSecretProvider } from "./env-secret-provider.js";
+import { GcpSecretManagerProvider } from "./gcp-secret-manager.js";
+import { ScalewaySecretManagerProvider } from "./scaleway-secret-manager.js";
+import { SecretProviderManager } from "./manager.js";
+
+export { AwsSecretsManagerProvider, EnvSecretProvider, GcpSecretManagerProvider, ScalewaySecretManagerProvider, SecretProviderError, SecretProviderManager, normalizeSecretPayload, parseSecretUri };