@marktoflow/core 2.0.0-alpha.15 → 2.0.0-alpha.16

package/dist/secret-providers/secret-manager.js

@@ -0,0 +1,226 @@
+/**
+ * Secret Manager
+ *
+ * Coordinates access to external secret managers with caching support.
+ */
+export class SecretNotFoundError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = 'SecretNotFoundError';
+    }
+}
+export class SecretProviderError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = 'SecretProviderError';
+    }
+}
+export class SecretManager {
+    providers = new Map();
+    cache = new Map();
+    options;
+    constructor(options) {
+        this.options = {
+            providers: options.providers,
+            defaultCacheTTL: options.defaultCacheTTL ?? 300, // 5 minutes
+            referencePrefix: options.referencePrefix ?? 'secret:',
+            throwOnNotFound: options.throwOnNotFound ?? true,
+        };
+    }
+    /**
+     * Register a secret provider
+     */
+    registerProvider(type, provider) {
+        this.providers.set(type, provider);
+    }
+    /**
+     * Initialize all configured providers
+     */
+    async initialize() {
+        for (const [type, provider] of this.providers.entries()) {
+            try {
+                await provider.initialize();
+            }
+            catch (error) {
+                throw new SecretProviderError(`Failed to initialize ${type} provider: ${error instanceof Error ? error.message : 'Unknown error'}`);
+            }
+        }
+    }
+    /**
+     * Get a secret from the appropriate provider
+     */
+    async getSecret(reference) {
+        const parsed = this.parseReference(reference);
+        // Check cache first
+        if (this.options.providers.find((p) => p.cacheEnabled !== false)) {
+            const cached = this.getCached(reference);
+            if (cached) {
+                return cached;
+            }
+        }
+        // Get provider
+        const provider = this.providers.get(parsed.provider);
+        if (!provider) {
+            throw new SecretProviderError(`Provider '${parsed.provider}' not configured`);
+        }
+        // Fetch secret
+        try {
+            const secret = await provider.getSecret(parsed.path);
+            // Extract key if specified
+            if (parsed.key && typeof secret.value === 'object') {
+                const keyValue = this.extractKey(secret.value, parsed.key);
+                secret.value = keyValue;
+            }
+            // Cache the secret
+            this.cacheSecret(reference, secret);
+            return secret;
+        }
+        catch (error) {
+            if (this.options.throwOnNotFound) {
+                throw new SecretNotFoundError(`Secret not found: ${reference} - ${error instanceof Error ? error.message : 'Unknown error'}`);
+            }
+            // Return empty secret if not throwing
+            return { value: '' };
+        }
+    }
+    /**
+     * Parse a secret reference
+     * Formats:
+     *   ${secret:vault://path/to/secret}
+     *   ${secret:aws://secret-name}
+     *   ${secret:azure://secret-name}
+     *   ${secret:vault://path/to/secret#key}
+     */
+    parseReference(reference) {
+        // Remove ${secret: and } if present
+        let cleaned = reference.trim();
+        if (cleaned.startsWith('${')) {
+            cleaned = cleaned.slice(2, -1);
+        }
+        if (cleaned.startsWith(this.options.referencePrefix)) {
+            cleaned = cleaned.slice(this.options.referencePrefix.length);
+        }
+        // Parse provider://path#key format
+        const match = cleaned.match(/^([^:]+):\/\/([^#]+)(#(.+))?$/);
+        if (!match) {
+            throw new SecretProviderError(`Invalid secret reference format: ${reference}`);
+        }
+        return {
+            raw: reference,
+            provider: match[1],
+            path: match[2],
+            key: match[4],
+        };
+    }
+    /**
+     * Extract a key from a JSON secret
+     */
+    extractKey(value, key) {
+        const parts = key.split('.');
+        let current = value;
+        for (const part of parts) {
+            if (typeof current === 'object' && current !== null && part in current) {
+                current = current[part];
+            }
+            else {
+                throw new SecretNotFoundError(`Key '${key}' not found in secret`);
+            }
+        }
+        if (typeof current === 'string') {
+            return current;
+        }
+        if (typeof current === 'number' || typeof current === 'boolean') {
+            return String(current);
+        }
+        return JSON.stringify(current);
+    }
+    /**
+     * Get secret from cache if not expired
+     */
+    getCached(reference) {
+        const cached = this.cache.get(reference);
+        if (!cached)
+            return null;
+        if (cached.expiresAt < new Date()) {
+            this.cache.delete(reference);
+            return null;
+        }
+        return cached.value;
+    }
+    /**
+     * Cache a secret
+     */
+    cacheSecret(reference, secret) {
+        const now = new Date();
+        const ttl = this.options.defaultCacheTTL * 1000; // Convert to ms
+        const expiresAt = new Date(now.getTime() + ttl);
+        this.cache.set(reference, {
+            value: secret,
+            fetchedAt: now,
+            expiresAt,
+        });
+    }
+    /**
+     * Clear cache
+     */
+    clearCache() {
+        this.cache.clear();
+    }
+    /**
+     * Clear expired cache entries
+     */
+    clearExpiredCache() {
+        const now = new Date();
+        for (const [key, cached] of this.cache.entries()) {
+            if (cached.expiresAt < now) {
+                this.cache.delete(key);
+            }
+        }
+    }
+    /**
+     * Check if a reference looks like a secret reference
+     */
+    static isSecretReference(value) {
+        return value.includes('secret:') && value.includes('://');
+    }
+    /**
+     * Replace secret references in a string
+     */
+    async resolveSecrets(value) {
+        // Find all secret references
+        const regex = /\$\{secret:[^}]+\}/g;
+        const matches = value.match(regex);
+        if (!matches) {
+            return value;
+        }
+        let result = value;
+        for (const match of matches) {
+            try {
+                const secret = await this.getSecret(match);
+                const secretValue = typeof secret.value === 'string' ? secret.value : JSON.stringify(secret.value);
+                result = result.replace(match, secretValue);
+            }
+            catch (error) {
+                if (this.options.throwOnNotFound) {
+                    throw error;
+                }
+                // Replace with empty string if not throwing
+                result = result.replace(match, '');
+            }
+        }
+        return result;
+    }
+    /**
+     * Clean up resources
+     */
+    async destroy() {
+        for (const provider of this.providers.values()) {
+            if (provider.destroy) {
+                await provider.destroy();
+            }
+        }
+        this.providers.clear();
+        this.cache.clear();
+    }
+}
+//# sourceMappingURL=secret-manager.js.map

package/dist/secret-providers/secret-manager.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secret-manager.js","sourceRoot":"","sources":["../../src/secret-providers/secret-manager.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAUH,MAAM,OAAO,mBAAoB,SAAQ,KAAK;IAC5C,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,qBAAqB,CAAC;IACpC,CAAC;CACF;AAED,MAAM,OAAO,mBAAoB,SAAQ,KAAK;IAC5C,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,qBAAqB,CAAC;IACpC,CAAC;CACF;AAED,MAAM,OAAO,aAAa;IAChB,SAAS,GAAG,IAAI,GAAG,EAA0B,CAAC;IAC9C,KAAK,GAAG,IAAI,GAAG,EAAwB,CAAC;IACxC,OAAO,CAAiC;IAEhD,YAAY,OAA6B;QACvC,IAAI,CAAC,OAAO,GAAG;YACb,SAAS,EAAE,OAAO,CAAC,SAAS;YAC5B,eAAe,EAAE,OAAO,CAAC,eAAe,IAAI,GAAG,EAAE,YAAY;YAC7D,eAAe,EAAE,OAAO,CAAC,eAAe,IAAI,SAAS;YACrD,eAAe,EAAE,OAAO,CAAC,eAAe,IAAI,IAAI;SACjD,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,gBAAgB,CAAC,IAAY,EAAE,QAAwB;QACrD,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;IACrC,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,UAAU;QACd,KAAK,MAAM,CAAC,IAAI,EAAE,QAAQ,CAAC,IAAI,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,EAAE,CAAC;YACxD,IAAI,CAAC;gBACH,MAAM,QAAQ,CAAC,UAAU,EAAE,CAAC;YAC9B,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,MAAM,IAAI,mBAAmB,CAC3B,wBAAwB,IAAI,cAAc,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,EAAE,CACrG,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,SAAS,CAAC,SAAiB;QAC/B,MAAM,MAAM,GAAG,IAAI,CAAC,cAAc,CAAC,SAAS,CAAC,CAAC;QAE9C,oBAAoB;QACpB,IAAI,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,YAAY,KAAK,KAAK,CAAC,EAAE,CAAC;YACjE,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;YACzC,IAAI,MAAM,EAAE,CAAC;gBACX,OAAO,MAAM,CAAC;YAChB,CAAC;QACH,CAAC;QAED,eAAe;QACf,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QACrD,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,mBAAmB,CAAC,aAAa,MAAM,CAAC,QAAQ,kBAAkB,CAAC,CAAC;QAChF,CAAC;QAED,eAAe;QACf,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,SAAS,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;YAErD,2BAA2B;YAC3B,IAAI,MAAM,CAAC,GAAG,IAAI,OAAO,MAAM,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;gBACnD,MAAM,QAAQ,GAAG,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,KAAK,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC;gBAC3D,MAAM,CAAC,KAAK,GAAG,QAAQ,CAAC;YAC1B,CAAC;YAED,mBAAmB;YACnB,IAAI,CAAC,WAAW,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;YAEpC,OAAO,MAAM,CAAC;QAChB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,IAAI,CAAC,OAAO,CAAC,eAAe,EAAE,CAAC;gBACjC,MAAM,IAAI,mBAAmB,CAC3B,qBAAqB,SAAS,MAAM,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,EAAE,CAC/F,CAAC;YACJ,CAAC;YACD,sCAAsC;YACtC,OAAO,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC;QACvB,CAAC;IACH,CAAC;IAED;;;;;;;OAOG;IACH,cAAc,CAAC,SAAiB;QAC9B,oCAAoC;QACpC,IAAI,OAAO,GAAG,SAAS,CAAC,IAAI,EAAE,CAAC;QAC/B,IAAI,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YAC7B,OAAO,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QACjC,CAAC;QACD,IAAI,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,eAAe,CAAC,EAAE,CAAC;YACrD,OAAO,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,eAAe,CAAC,MAAM,CAAC,CAAC;QAC/D,CAAC;QAED,mCAAmC;QACnC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,+BAA+B,CAAC,CAAC;QAC7D,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,IAAI,mBAAmB,CAAC,oCAAoC,SAAS,EAAE,CAAC,CAAC;QACjF,CAAC;QAED,OAAO;YACL,GAAG,EAAE,SAAS;YACd,QAAQ,EAAE,KAAK,CAAC,CAAC,CAAC;YAClB,IAAI,EAAE,KAAK,CAAC,CAAC,CAAC;YACd,GAAG,EAAE,KAAK,CAAC,CAAC,CAAC;SACd,CAAC;IACJ,CAAC;IAED;;OAEG;IACK,UAAU,CAAC,KAA8B,EAAE,GAAW;QAC5D,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC7B,IAAI,OAAO,GAAY,KAAK,CAAC;QAE7B,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,KAAK,IAAI,IAAI,IAAI,IAAI,OAAO,EAAE,CAAC;gBACvE,OAAO,GAAI,OAAmC,CAAC,IAAI,CAAC,CAAC;YACvD,CAAC;iBAAM,CAAC;gBACN,MAAM,IAAI,mBAAmB,CAAC,QAAQ,GAAG,uBAAuB,CAAC,CAAC;YACpE,CAAC;QACH,CAAC;QAED,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE,CAAC;YAChC,OAAO,OAAO,CAAC;QACjB,CAAC;QACD,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,OAAO,KAAK,SAAS,EAAE,CAAC;YAChE,OAAO,MAAM,CAAC,OAAO,CAAC,CAAC;QACzB,CAAC;QACD,OAAO,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;IACjC,CAAC;IAED;;OAEG;IACK,SAAS,CAAC,SAAiB;QACjC,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QACzC,IAAI,CAAC,MAAM;YAAE,OAAO,IAAI,CAAC;QAEzB,IAAI,MAAM,CAAC,SAAS,GAAG,IAAI,IAAI,EAAE,EAAE,CAAC;YAClC,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;YAC7B,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,MAAM,CAAC,KAAK,CAAC;IACtB,CAAC;IAED;;OAEG;IACK,WAAW,CAAC,SAAiB,EAAE,MAAc;QACnD,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,eAAe,GAAG,IAAI,CAAC,CAAC,gBAAgB;QACjE,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,GAAG,CAAC,CAAC;QAEhD,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,EAAE;YACxB,KAAK,EAAE,MAAM;YACb,SAAS,EAAE,GAAG;YACd,SAAS;SACV,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IACH,UAAU;QACR,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;IACrB,CAAC;IAED;;OAEG;IACH,iBAAiB;QACf,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,KAAK,MAAM,CAAC,GAAG,EAAE,MAAM,CAAC,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,EAAE,CAAC;YACjD,IAAI,MAAM,CAAC,SAAS,GAAG,GAAG,EAAE,CAAC;gBAC3B,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACzB,CAAC;QACH,CAAC;IACH,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,iBAAiB,CAAC,KAAa;QACpC,OAAO,KAAK,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IAC5D,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,cAAc,CAAC,KAAa;QAChC,6BAA6B;QAC7B,MAAM,KAAK,GAAG,qBAAqB,CAAC;QACpC,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QAEnC,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,KAAK,CAAC;QACf,CAAC;QAED,IAAI,MAAM,GAAG,KAAK,CAAC;QACnB,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;YAC5B,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;gBAC3C,MAAM,WAAW,GAAG,OAAO,MAAM,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;gBACnG,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,WAAW,CAAC,CAAC;YAC9C,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,IAAI,IAAI,CAAC,OAAO,CAAC,eAAe,EAAE,CAAC;oBACjC,MAAM,KAAK,CAAC;gBACd,CAAC;gBACD,4CAA4C;gBAC5C,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;YACrC,CAAC;QACH,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,OAAO;QACX,KAAK,MAAM,QAAQ,IAAI,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,EAAE,CAAC;YAC/C,IAAI,QAAQ,CAAC,OAAO,EAAE,CAAC;gBACrB,MAAM,QAAQ,CAAC,OAAO,EAAE,CAAC;YAC3B,CAAC;QACH,CAAC;QACD,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,CAAC;QACvB,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;IACrB,CAAC;CACF"}

package/dist/secret-providers/types.d.ts

@@ -0,0 +1,105 @@
+/**
+ * External Secrets Management Types
+ *
+ * Provides integration with external secret managers like HashiCorp Vault,
+ * AWS Secrets Manager, Azure Key Vault, etc.
+ */
+export interface SecretMetadata {
+    version?: string;
+    createdAt?: Date;
+    updatedAt?: Date;
+    expiresAt?: Date;
+    tags?: Record<string, string>;
+}
+export interface Secret {
+    value: string | Record<string, unknown>;
+    metadata?: SecretMetadata;
+}
+export interface SecretProviderConfig {
+    type: 'vault' | 'aws' | 'azure' | 'gcp' | 'env';
+    cacheEnabled?: boolean;
+    cacheTTL?: number;
+    config?: Record<string, unknown>;
+}
+export interface VaultConfig {
+    address: string;
+    token?: string;
+    namespace?: string;
+    roleId?: string;
+    secretId?: string;
+    kvVersion?: 1 | 2;
+    mountPath?: string;
+}
+export interface AWSSecretsManagerConfig {
+    region?: string;
+    accessKeyId?: string;
+    secretAccessKey?: string;
+    sessionToken?: string;
+    useIAMRole?: boolean;
+}
+export interface AzureKeyVaultConfig {
+    vaultUrl: string;
+    tenantId?: string;
+    clientId?: string;
+    clientSecret?: string;
+    useManagedIdentity?: boolean;
+}
+export interface GCPSecretManagerConfig {
+    projectId: string;
+    credentials?: string | Record<string, unknown>;
+    useADC?: boolean;
+}
+/**
+ * Secret Provider Interface
+ *
+ * All secret managers must implement this interface
+ */
+export interface SecretProvider {
+    /**
+     * Get a secret by path/name
+     */
+    getSecret(path: string): Promise<Secret>;
+    /**
+     * Check if a secret exists
+     */
+    exists(path: string): Promise<boolean>;
+    /**
+     * List secrets at a path (optional)
+     */
+    listSecrets?(path: string): Promise<string[]>;
+    /**
+     * Initialize the provider
+     */
+    initialize(): Promise<void>;
+    /**
+     * Clean up resources
+     */
+    destroy?(): Promise<void>;
+}
+/**
+ * Secret Cache Entry
+ */
+export interface CachedSecret {
+    value: Secret;
+    fetchedAt: Date;
+    expiresAt: Date;
+}
+/**
+ * Secret Manager Options
+ */
+export interface SecretManagerOptions {
+    providers: SecretProviderConfig[];
+    defaultCacheTTL?: number;
+    referencePrefix?: string;
+    throwOnNotFound?: boolean;
+}
+/**
+ * Parse result for secret references
+ */
+export interface SecretReference {
+    raw: string;
+    provider: string;
+    path: string;
+    key?: string;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/secret-providers/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/secret-providers/types.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,MAAM,WAAW,cAAc;IAC7B,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,SAAS,CAAC,EAAE,IAAI,CAAC;IACjB,SAAS,CAAC,EAAE,IAAI,CAAC;IACjB,SAAS,CAAC,EAAE,IAAI,CAAC;IACjB,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAC/B;AAED,MAAM,WAAW,MAAM;IACrB,KAAK,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACxC,QAAQ,CAAC,EAAE,cAAc,CAAC;CAC3B;AAED,MAAM,WAAW,oBAAoB;IAEnC,IAAI,EAAE,OAAO,GAAG,KAAK,GAAG,OAAO,GAAG,KAAK,GAAG,KAAK,CAAC;IAGhD,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAGlB,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAClC;AAED,MAAM,WAAW,WAAW;IAC1B,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,SAAS,CAAC,EAAE,MAAM,CAAC;IAGnB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAGlB,SAAS,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC;IAClB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,uBAAuB;IACtC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,YAAY,CAAC,EAAE,MAAM,CAAC;IAGtB,UAAU,CAAC,EAAE,OAAO,CAAC;CACtB;AAED,MAAM,WAAW,mBAAmB;IAClC,QAAQ,EAAE,MAAM,CAAC;IAGjB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,YAAY,CAAC,EAAE,MAAM,CAAC;IAGtB,kBAAkB,CAAC,EAAE,OAAO,CAAC;CAC9B;AAED,MAAM,WAAW,sBAAsB;IACrC,SAAS,EAAE,MAAM,CAAC;IAGlB,WAAW,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAG/C,MAAM,CAAC,EAAE,OAAO,CAAC;CAClB;AAED;;;;GAIG;AACH,MAAM,WAAW,cAAc;IAC7B;;OAEG;IACH,SAAS,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAEzC;;OAEG;IACH,MAAM,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAEvC;;OAEG;IACH,WAAW,CAAC,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;IAE9C;;OAEG;IACH,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;IAE5B;;OAEG;IACH,OAAO,CAAC,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;CAC3B;AAED;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,IAAI,CAAC;IAChB,SAAS,EAAE,IAAI,CAAC;CACjB;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,SAAS,EAAE,oBAAoB,EAAE,CAAC;IAGlC,eAAe,CAAC,EAAE,MAAM,CAAC;IAGzB,eAAe,CAAC,EAAE,MAAM,CAAC;IAGzB,eAAe,CAAC,EAAE,OAAO,CAAC;CAC3B;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,GAAG,EAAE,MAAM,CAAC;IACZ,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;CACd"}

package/dist/secret-providers/types.js

@@ -0,0 +1,8 @@
+/**
+ * External Secrets Management Types
+ *
+ * Provides integration with external secret managers like HashiCorp Vault,
+ * AWS Secrets Manager, Azure Key Vault, etc.
+ */
+export {};
+//# sourceMappingURL=types.js.map

package/dist/secret-providers/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/secret-providers/types.ts"],"names":[],"mappings":"AAAA;;;;;GAKG"}

package/dist/secrets/index.d.ts

@@ -0,0 +1,12 @@
+/**
+ * External Secrets Management
+ *
+ * Provides integration with external secret managers.
+ */
+export { SecretManager, SecretNotFoundError, SecretProviderError } from './secret-manager.js';
+export { VaultProvider } from './providers/vault.js';
+export { AWSSecretsManagerProvider } from './providers/aws.js';
+export { AzureKeyVaultProvider } from './providers/azure.js';
+export { EnvProvider } from './providers/env.js';
+export type { Secret, SecretMetadata, SecretProvider, SecretProviderConfig, SecretManagerOptions, SecretReference, CachedSecret, VaultConfig, AWSSecretsManagerConfig, AzureKeyVaultConfig, GCPSecretManagerConfig, } from './types.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/secrets/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/secrets/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,aAAa,EAAE,mBAAmB,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AAE9F,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AACrD,OAAO,EAAE,yBAAyB,EAAE,MAAM,oBAAoB,CAAC;AAC/D,OAAO,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AAC7D,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AAEjD,YAAY,EACV,MAAM,EACN,cAAc,EACd,cAAc,EACd,oBAAoB,EACpB,oBAAoB,EACpB,eAAe,EACf,YAAY,EACZ,WAAW,EACX,uBAAuB,EACvB,mBAAmB,EACnB,sBAAsB,GACvB,MAAM,YAAY,CAAC"}

package/dist/secrets/index.js

@@ -0,0 +1,11 @@
+/**
+ * External Secrets Management
+ *
+ * Provides integration with external secret managers.
+ */
+export { SecretManager, SecretNotFoundError, SecretProviderError } from './secret-manager.js';
+export { VaultProvider } from './providers/vault.js';
+export { AWSSecretsManagerProvider } from './providers/aws.js';
+export { AzureKeyVaultProvider } from './providers/azure.js';
+export { EnvProvider } from './providers/env.js';
+//# sourceMappingURL=index.js.map

package/dist/secrets/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/secrets/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,aAAa,EAAE,mBAAmB,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AAE9F,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AACrD,OAAO,EAAE,yBAAyB,EAAE,MAAM,oBAAoB,CAAC;AAC/D,OAAO,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AAC7D,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC"}

package/dist/secrets/providers/aws.d.ts

@@ -0,0 +1,32 @@
+/**
+ * AWS Secrets Manager Provider
+ *
+ * Supports IAM authentication and explicit credentials.
+ */
+import type { SecretProvider, Secret, AWSSecretsManagerConfig } from '../types.js';
+export declare class AWSSecretsManagerProvider implements SecretProvider {
+    private config;
+    private initialized;
+    constructor(config: AWSSecretsManagerConfig);
+    initialize(): Promise<void>;
+    /**
+     * Get a secret from AWS Secrets Manager
+     */
+    getSecret(secretName: string): Promise<Secret>;
+    /**
+     * Check if a secret exists
+     */
+    exists(secretName: string): Promise<boolean>;
+    /**
+     * List secrets (returns secret ARNs)
+     */
+    listSecrets(): Promise<string[]>;
+    /**
+     * Call AWS Secrets Manager API
+     *
+     * This is a simplified implementation. In production, use @aws-sdk/client-secrets-manager
+     */
+    private callAWSAPI;
+    destroy(): Promise<void>;
+}
+//# sourceMappingURL=aws.d.ts.map

package/dist/secrets/providers/aws.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"aws.d.ts","sourceRoot":"","sources":["../../../src/secrets/providers/aws.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,EAAE,uBAAuB,EAAE,MAAM,aAAa,CAAC;AAEnF,qBAAa,yBAA0B,YAAW,cAAc;IAC9D,OAAO,CAAC,MAAM,CAAoC;IAClD,OAAO,CAAC,WAAW,CAAS;gBAEhB,MAAM,EAAE,uBAAuB;IAUrC,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC;IAejC;;OAEG;IACG,SAAS,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAuCpD;;OAEG;IACG,MAAM,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAYlD;;OAEG;IACG,WAAW,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;IActC;;;;OAIG;YACW,UAAU;IAelB,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;CAG/B"}

package/dist/secrets/providers/aws.js

@@ -0,0 +1,118 @@
+/**
+ * AWS Secrets Manager Provider
+ *
+ * Supports IAM authentication and explicit credentials.
+ */
+export class AWSSecretsManagerProvider {
+    config;
+    initialized = false;
+    constructor(config) {
+        this.config = {
+            region: config.region ?? process.env.AWS_REGION ?? 'us-east-1',
+            accessKeyId: config.accessKeyId ?? process.env.AWS_ACCESS_KEY_ID ?? '',
+            secretAccessKey: config.secretAccessKey ?? process.env.AWS_SECRET_ACCESS_KEY ?? '',
+            sessionToken: config.sessionToken ?? process.env.AWS_SESSION_TOKEN ?? '',
+            useIAMRole: config.useIAMRole ?? false,
+        };
+    }
+    async initialize() {
+        if (this.initialized)
+            return;
+        // If using IAM role, credentials will be fetched automatically by AWS SDK
+        if (!this.config.useIAMRole) {
+            if (!this.config.accessKeyId || !this.config.secretAccessKey) {
+                throw new Error('AWS Secrets Manager requires accessKeyId and secretAccessKey, or useIAMRole must be true');
+            }
+        }
+        this.initialized = true;
+    }
+    /**
+     * Get a secret from AWS Secrets Manager
+     */
+    async getSecret(secretName) {
+        if (!this.initialized) {
+            await this.initialize();
+        }
+        try {
+            // Use AWS SDK v3 style API call via fetch
+            const result = await this.callAWSAPI('GetSecretValue', { SecretId: secretName });
+            const secretString = String(result.SecretString || '');
+            let value;
+            // Try to parse as JSON
+            try {
+                value = JSON.parse(secretString);
+            }
+            catch {
+                value = secretString;
+            }
+            const metadata = {};
+            if (result.VersionId) {
+                metadata.version = String(result.VersionId);
+            }
+            if (result.CreatedDate && typeof result.CreatedDate === 'string') {
+                metadata.createdAt = new Date(result.CreatedDate);
+            }
+            return {
+                value,
+                metadata,
+            };
+        }
+        catch (error) {
+            if (error instanceof Error && error.message.includes('ResourceNotFoundException')) {
+                throw new Error(`Secret not found: ${secretName}`);
+            }
+            throw error;
+        }
+    }
+    /**
+     * Check if a secret exists
+     */
+    async exists(secretName) {
+        try {
+            await this.callAWSAPI('DescribeSecret', { SecretId: secretName });
+            return true;
+        }
+        catch (error) {
+            if (error instanceof Error && error.message.includes('ResourceNotFoundException')) {
+                return false;
+            }
+            throw error;
+        }
+    }
+    /**
+     * List secrets (returns secret ARNs)
+     */
+    async listSecrets() {
+        if (!this.initialized) {
+            await this.initialize();
+        }
+        try {
+            const result = await this.callAWSAPI('ListSecrets', {});
+            const secretList = result.SecretList;
+            return secretList?.map((s) => s.Name) || [];
+        }
+        catch (error) {
+            throw new Error(`Failed to list secrets: ${error instanceof Error ? error.message : 'Unknown error'}`);
+        }
+    }
+    /**
+     * Call AWS Secrets Manager API
+     *
+     * This is a simplified implementation. In production, use @aws-sdk/client-secrets-manager
+     */
+    async callAWSAPI(_action, _params) {
+        // This is a placeholder - real implementation would use AWS SDK
+        // For now, throw an error indicating AWS SDK is needed
+        throw new Error(`AWS Secrets Manager integration requires @aws-sdk/client-secrets-manager package. ` +
+            `Install it with: npm install @aws-sdk/client-secrets-manager`);
+        // Production implementation would use:
+        // import { SecretsManagerClient, GetSecretValueCommand } from '@aws-sdk/client-secrets-manager';
+        // const client = new SecretsManagerClient({ region: this.config.region, credentials: this.credentials });
+        // const command = new GetSecretValueCommand({ SecretId: secretName });
+        // const response = await client.send(command);
+    }
+    async destroy() {
+        this.initialized = false;
+    }
+}
+//# sourceMappingURL=aws.js.map

package/dist/secrets/providers/aws.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"aws.js","sourceRoot":"","sources":["../../../src/secrets/providers/aws.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH,MAAM,OAAO,yBAAyB;IAC5B,MAAM,CAAoC;IAC1C,WAAW,GAAG,KAAK,CAAC;IAE5B,YAAY,MAA+B;QACzC,IAAI,CAAC,MAAM,GAAG;YACZ,MAAM,EAAE,MAAM,CAAC,MAAM,IAAI,OAAO,CAAC,GAAG,CAAC,UAAU,IAAI,WAAW;YAC9D,WAAW,EAAE,MAAM,CAAC,WAAW,IAAI,OAAO,CAAC,GAAG,CAAC,iBAAiB,IAAI,EAAE;YACtE,eAAe,EAAE,MAAM,CAAC,eAAe,IAAI,OAAO,CAAC,GAAG,CAAC,qBAAqB,IAAI,EAAE;YAClF,YAAY,EAAE,MAAM,CAAC,YAAY,IAAI,OAAO,CAAC,GAAG,CAAC,iBAAiB,IAAI,EAAE;YACxE,UAAU,EAAE,MAAM,CAAC,UAAU,IAAI,KAAK;SACvC,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,UAAU;QACd,IAAI,IAAI,CAAC,WAAW;YAAE,OAAO;QAE7B,0EAA0E;QAC1E,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,UAAU,EAAE,CAAC;YAC5B,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,WAAW,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,eAAe,EAAE,CAAC;gBAC7D,MAAM,IAAI,KAAK,CACb,0FAA0F,CAC3F,CAAC;YACJ,CAAC;QACH,CAAC;QAED,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC;IAC1B,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,SAAS,CAAC,UAAkB;QAChC,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;YACtB,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC;QAC1B,CAAC;QAED,IAAI,CAAC;YACH,0CAA0C;YAC1C,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,gBAAgB,EAAE,EAAE,QAAQ,EAAE,UAAU,EAAE,CAAC,CAAC;YAEjF,MAAM,YAAY,GAAG,MAAM,CAAC,MAAM,CAAC,YAAY,IAAI,EAAE,CAAC,CAAC;YACvD,IAAI,KAAuC,CAAC;YAE5C,uBAAuB;YACvB,IAAI,CAAC;gBACH,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC;YACnC,CAAC;YAAC,MAAM,CAAC;gBACP,KAAK,GAAG,YAAY,CAAC;YACvB,CAAC;YAED,MAAM,QAAQ,GAA2C,EAAE,CAAC;YAC5D,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;gBACrB,QAAQ,CAAC,OAAO,GAAG,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;YAC9C,CAAC;YACD,IAAI,MAAM,CAAC,WAAW,IAAI,OAAO,MAAM,CAAC,WAAW,KAAK,QAAQ,EAAE,CAAC;gBACjE,QAAQ,CAAC,SAAS,GAAG,IAAI,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;YACpD,CAAC;YAED,OAAO;gBACL,KAAK;gBACL,QAAQ;aACT,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,KAAK,IAAI,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,2BAA2B,CAAC,EAAE,CAAC;gBAClF,MAAM,IAAI,KAAK,CAAC,qBAAqB,UAAU,EAAE,CAAC,CAAC;YACrD,CAAC;YACD,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,MAAM,CAAC,UAAkB;QAC7B,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,UAAU,CAAC,gBAAgB,EAAE,EAAE,QAAQ,EAAE,UAAU,EAAE,CAAC,CAAC;YAClE,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,KAAK,IAAI,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,2BAA2B,CAAC,EAAE,CAAC;gBAClF,OAAO,KAAK,CAAC;YACf,CAAC;YACD,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,WAAW;QACf,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;YACtB,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC;QAC1B,CAAC;QAED,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,aAAa,EAAE,EAAE,CAAC,CAAC;YACxD,MAAM,UAAU,GAAG,MAAM,CAAC,UAAiD,CAAC;YAC5E,OAAO,UAAU,EAAE,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;QAC9C,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,CAAC,2BAA2B,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,EAAE,CAAC,CAAC;QACzG,CAAC;IACH,CAAC;IAED;;;;OAIG;IACK,KAAK,CAAC,UAAU,CAAC,OAAe,EAAE,OAAgC;QACxE,gEAAgE;QAChE,uDAAuD;QACvD,MAAM,IAAI,KAAK,CACb,oFAAoF;YAClF,8DAA8D,CACjE,CAAC;QAEF,uCAAuC;QACvC,iGAAiG;QACjG,0GAA0G;QAC1G,uEAAuE;QACvE,+CAA+C;IACjD,CAAC;IAED,KAAK,CAAC,OAAO;QACX,IAAI,CAAC,WAAW,GAAG,KAAK,CAAC;IAC3B,CAAC;CACF"}

package/dist/secrets/providers/azure.d.ts

@@ -0,0 +1,40 @@
+/**
+ * Azure Key Vault Secret Provider
+ *
+ * Supports service principal and managed identity authentication.
+ */
+import type { SecretProvider, Secret, AzureKeyVaultConfig } from '../types.js';
+export declare class AzureKeyVaultProvider implements SecretProvider {
+    private config;
+    private accessToken?;
+    private tokenExpiresAt?;
+    private initialized;
+    constructor(config: AzureKeyVaultConfig);
+    initialize(): Promise<void>;
+    /**
+     * Get or refresh access token
+     */
+    private refreshAccessToken;
+    /**
+     * Authenticate using service principal
+     */
+    private authenticateWithServicePrincipal;
+    /**
+     * Authenticate using managed identity
+     */
+    private authenticateWithManagedIdentity;
+    /**
+     * Get a secret from Azure Key Vault
+     */
+    getSecret(secretName: string): Promise<Secret>;
+    /**
+     * Check if a secret exists
+     */
+    exists(secretName: string): Promise<boolean>;
+    /**
+     * List secrets
+     */
+    listSecrets(): Promise<string[]>;
+    destroy(): Promise<void>;
+}
+//# sourceMappingURL=azure.d.ts.map

package/dist/secrets/providers/azure.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"azure.d.ts","sourceRoot":"","sources":["../../../src/secrets/providers/azure.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AAE/E,qBAAa,qBAAsB,YAAW,cAAc;IAC1D,OAAO,CAAC,MAAM,CAAgC;IAC9C,OAAO,CAAC,WAAW,CAAC,CAAS;IAC7B,OAAO,CAAC,cAAc,CAAC,CAAO;IAC9B,OAAO,CAAC,WAAW,CAAS;gBAEhB,MAAM,EAAE,mBAAmB;IAUjC,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC;IAkBjC;;OAEG;YACW,kBAAkB;IAahC;;OAEG;YACW,gCAAgC;IA0B9C;;OAEG;YACW,+BAA+B;IAc7C;;OAEG;IACG,SAAS,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAqDpD;;OAEG;IACG,MAAM,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAYlD;;OAEG;IACG,WAAW,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;IA2BhC,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;CAI/B"}