@nextclaw/channel-plugin-feishu 0.2.29-beta.0 → 0.2.29-beta.1

package/dist/src/nextclaw-sdk/history.js

@@ -0,0 +1,69 @@
+//#region src/nextclaw-sdk/history.ts
+const HISTORY_CONTEXT_MARKER = "[Chat messages since your last reply - for context]";
+const CURRENT_MESSAGE_MARKER = "[Current message]";
+const MAX_HISTORY_KEYS = 1e3;
+function evictOldHistoryKeys(historyMap, maxKeys = MAX_HISTORY_KEYS) {
+	if (historyMap.size <= maxKeys) return;
+	const keysToDelete = historyMap.size - maxKeys;
+	const iterator = historyMap.keys();
+	for (let index = 0; index < keysToDelete; index += 1) {
+		const key = iterator.next().value;
+		if (key !== void 0) historyMap.delete(key);
+	}
+}
+function buildHistoryContext(params) {
+	const lineBreak = params.lineBreak ?? "\n";
+	if (!params.historyText.trim()) return params.currentMessage;
+	return [
+		HISTORY_CONTEXT_MARKER,
+		params.historyText,
+		"",
+		CURRENT_MESSAGE_MARKER,
+		params.currentMessage
+	].join(lineBreak);
+}
+function appendHistoryEntry(params) {
+	if (params.limit <= 0) return [];
+	const history = params.historyMap.get(params.historyKey) ?? [];
+	history.push(params.entry);
+	while (history.length > params.limit) history.shift();
+	if (params.historyMap.has(params.historyKey)) params.historyMap.delete(params.historyKey);
+	params.historyMap.set(params.historyKey, history);
+	evictOldHistoryKeys(params.historyMap);
+	return history;
+}
+function buildHistoryContextFromEntries(params) {
+	const lineBreak = params.lineBreak ?? "\n";
+	const entries = params.excludeLast === false ? params.entries : params.entries.slice(0, -1);
+	if (entries.length === 0) return params.currentMessage;
+	return buildHistoryContext({
+		historyText: entries.map(params.formatEntry).join(lineBreak),
+		currentMessage: params.currentMessage,
+		lineBreak
+	});
+}
+function recordPendingHistoryEntryIfEnabled(params) {
+	if (!params.entry || params.limit <= 0) return [];
+	return appendHistoryEntry({
+		historyMap: params.historyMap,
+		historyKey: params.historyKey,
+		entry: params.entry,
+		limit: params.limit
+	});
+}
+function buildPendingHistoryContextFromMap(params) {
+	if (params.limit <= 0) return params.currentMessage;
+	return buildHistoryContextFromEntries({
+		entries: params.historyMap.get(params.historyKey) ?? [],
+		currentMessage: params.currentMessage,
+		formatEntry: params.formatEntry,
+		lineBreak: params.lineBreak,
+		excludeLast: false
+	});
+}
+function clearHistoryEntriesIfEnabled(params) {
+	if (params.limit <= 0) return;
+	params.historyMap.set(params.historyKey, []);
+}
+//#endregion
+export { buildPendingHistoryContextFromMap, clearHistoryEntriesIfEnabled, recordPendingHistoryEntryIfEnabled };

package/dist/src/nextclaw-sdk/network-body.js

@@ -0,0 +1,180 @@
+//#region src/nextclaw-sdk/network-body.ts
+var RequestBodyLimitError = class extends Error {
+	code;
+	statusCode;
+	constructor(code) {
+		super(code);
+		this.name = "RequestBodyLimitError";
+		this.code = code;
+		this.statusCode = code === "PAYLOAD_TOO_LARGE" ? 413 : code === "REQUEST_BODY_TIMEOUT" ? 408 : 400;
+	}
+};
+function requestBodyErrorToText(code) {
+	switch (code) {
+		case "PAYLOAD_TOO_LARGE": return "Payload too large";
+		case "REQUEST_BODY_TIMEOUT": return "Request body timeout";
+		default: return "Connection closed";
+	}
+}
+function parseContentLengthHeader(req) {
+	const header = req.headers["content-length"];
+	const raw = Array.isArray(header) ? header[0] : header;
+	if (typeof raw !== "string") return null;
+	const parsed = Number.parseInt(raw, 10);
+	return Number.isFinite(parsed) && parsed >= 0 ? parsed : null;
+}
+async function readRequestBodyWithLimit(req, options) {
+	const maxBytes = Math.max(1, Math.floor(options.maxBytes));
+	const timeoutMs = typeof options.timeoutMs === "number" && options.timeoutMs > 0 ? Math.floor(options.timeoutMs) : 3e4;
+	const encoding = options.encoding ?? "utf-8";
+	const declaredLength = parseContentLengthHeader(req);
+	if (declaredLength !== null && declaredLength > maxBytes) throw new RequestBodyLimitError("PAYLOAD_TOO_LARGE");
+	return await new Promise((resolve, reject) => {
+		let done = false;
+		let ended = false;
+		let totalBytes = 0;
+		const chunks = [];
+		const finish = (cb) => {
+			if (done) return;
+			done = true;
+			req.removeListener("data", onData);
+			req.removeListener("end", onEnd);
+			req.removeListener("error", onError);
+			req.removeListener("close", onClose);
+			clearTimeout(timer);
+			cb();
+		};
+		const fail = (error) => finish(() => reject(error));
+		const onData = (chunk) => {
+			const buffer = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk);
+			totalBytes += buffer.length;
+			if (totalBytes > maxBytes) {
+				if (!req.destroyed) req.destroy();
+				fail(new RequestBodyLimitError("PAYLOAD_TOO_LARGE"));
+				return;
+			}
+			chunks.push(buffer);
+		};
+		const onEnd = () => {
+			ended = true;
+			finish(() => resolve(Buffer.concat(chunks).toString(encoding)));
+		};
+		const onError = (error) => fail(error);
+		const onClose = () => {
+			if (!done && !ended) fail(new RequestBodyLimitError("CONNECTION_CLOSED"));
+		};
+		const timer = setTimeout(() => {
+			if (!req.destroyed) req.destroy();
+			fail(new RequestBodyLimitError("REQUEST_BODY_TIMEOUT"));
+		}, timeoutMs);
+		req.on("data", onData);
+		req.on("end", onEnd);
+		req.on("error", onError);
+		req.on("close", onClose);
+	});
+}
+async function readJsonBodyWithLimit(req, options) {
+	try {
+		const trimmed = (await readRequestBodyWithLimit(req, options)).trim();
+		if (!trimmed) {
+			if (options.emptyObjectOnEmpty === false) return {
+				ok: false,
+				code: "INVALID_JSON",
+				error: "empty payload"
+			};
+			return {
+				ok: true,
+				value: {}
+			};
+		}
+		try {
+			return {
+				ok: true,
+				value: JSON.parse(trimmed)
+			};
+		} catch (error) {
+			return {
+				ok: false,
+				code: "INVALID_JSON",
+				error: error instanceof Error ? error.message : String(error)
+			};
+		}
+	} catch (error) {
+		if (error instanceof RequestBodyLimitError) return {
+			ok: false,
+			code: error.code,
+			error: requestBodyErrorToText(error.code)
+		};
+		return {
+			ok: false,
+			code: "INVALID_JSON",
+			error: error instanceof Error ? error.message : String(error)
+		};
+	}
+}
+function installRequestBodyLimitGuard(req, res, options) {
+	const maxBytes = Math.max(1, Math.floor(options.maxBytes));
+	const timeoutMs = typeof options.timeoutMs === "number" && options.timeoutMs > 0 ? Math.floor(options.timeoutMs) : 3e4;
+	const responseFormat = options.responseFormat ?? "json";
+	let tripped = false;
+	let code = null;
+	let done = false;
+	let ended = false;
+	let totalBytes = 0;
+	const finish = () => {
+		if (done) return;
+		done = true;
+		req.removeListener("data", onData);
+		req.removeListener("end", onEnd);
+		req.removeListener("close", onClose);
+		req.removeListener("error", onError);
+		clearTimeout(timer);
+	};
+	const respond = (error) => {
+		if (res.headersSent) return;
+		const text = requestBodyErrorToText(error.code);
+		res.statusCode = error.statusCode;
+		if (responseFormat === "text") {
+			res.setHeader("Content-Type", "text/plain; charset=utf-8");
+			res.end(text);
+			return;
+		}
+		res.setHeader("Content-Type", "application/json; charset=utf-8");
+		res.end(JSON.stringify({ error: text }));
+	};
+	const trip = (error) => {
+		if (tripped) return;
+		tripped = true;
+		code = error.code;
+		finish();
+		respond(error);
+		if (!req.destroyed) req.destroy();
+	};
+	const onData = (chunk) => {
+		const buffer = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk);
+		totalBytes += buffer.length;
+		if (totalBytes > maxBytes) trip(new RequestBodyLimitError("PAYLOAD_TOO_LARGE"));
+	};
+	const onEnd = () => {
+		ended = true;
+		finish();
+	};
+	const onClose = () => {
+		if (!ended) finish();
+	};
+	const onError = () => finish();
+	const timer = setTimeout(() => trip(new RequestBodyLimitError("REQUEST_BODY_TIMEOUT")), timeoutMs);
+	req.on("data", onData);
+	req.on("end", onEnd);
+	req.on("close", onClose);
+	req.on("error", onError);
+	const declaredLength = parseContentLengthHeader(req);
+	if (declaredLength !== null && declaredLength > maxBytes) trip(new RequestBodyLimitError("PAYLOAD_TOO_LARGE"));
+	return {
+		dispose: finish,
+		isTripped: () => tripped,
+		code: () => code
+	};
+}
+//#endregion
+export { installRequestBodyLimitGuard, readJsonBodyWithLimit };

package/dist/src/nextclaw-sdk/network-fetch.js

@@ -0,0 +1,63 @@
+import path from "node:path";
+import "node:crypto";
+import os from "node:os";
+import { mkdtemp, rm } from "node:fs/promises";
+//#region src/nextclaw-sdk/network-fetch.ts
+function sanitizePrefix(prefix) {
+	return prefix.replace(/[^a-zA-Z0-9_-]+/g, "-").replace(/^-+|-+$/g, "") || "tmp";
+}
+function sanitizeFileName(fileName) {
+	return path.basename(fileName).replace(/[^a-zA-Z0-9._-]+/g, "-").replace(/^-+|-+$/g, "") || "download.bin";
+}
+function resolveTempRoot(tmpDir) {
+	return tmpDir ?? process.env.NEXTCLAW_TMP_DIR?.trim() ?? os.tmpdir();
+}
+async function withTempDownloadPath(params, fn) {
+	const root = resolveTempRoot(params.tmpDir);
+	const dir = await mkdtemp(path.join(root, `${sanitizePrefix(params.prefix)}-`));
+	const tempPath = path.join(dir, sanitizeFileName(params.fileName ?? "download.bin"));
+	try {
+		return await fn(tempPath);
+	} finally {
+		try {
+			await rm(dir, {
+				recursive: true,
+				force: true
+			});
+		} catch {}
+	}
+}
+async function fetchWithSsrFGuard(params) {
+	const fetcher = params.fetchImpl ?? globalThis.fetch;
+	if (!fetcher) throw new Error("fetch is not available");
+	const parsed = new URL(params.url);
+	if (!["http:", "https:"].includes(parsed.protocol)) throw new Error("Invalid URL: must be http or https");
+	const allowedHostnames = params.policy?.allowedHostnames?.map((entry) => entry.trim()).filter(Boolean) ?? [];
+	if (allowedHostnames.length > 0 && !allowedHostnames.includes(parsed.hostname)) throw new Error(`${params.auditContext ?? "guarded-fetch"} blocked hostname "${parsed.hostname}"`);
+	const controller = new AbortController();
+	const timeoutId = params.timeoutMs && params.timeoutMs > 0 ? setTimeout(() => controller.abort(), params.timeoutMs) : void 0;
+	const relay = () => controller.abort();
+	if (params.signal) if (params.signal.aborted) controller.abort();
+	else params.signal.addEventListener("abort", relay, { once: true });
+	const response = await fetcher(parsed.toString(), {
+		...params.init ?? {},
+		signal: controller.signal
+	});
+	const finalUrl = response.url || parsed.toString();
+	const finalHostname = new URL(finalUrl).hostname;
+	if (allowedHostnames.length > 0 && !allowedHostnames.includes(finalHostname)) {
+		clearTimeout(timeoutId);
+		if (params.signal) params.signal.removeEventListener("abort", relay);
+		throw new Error(`${params.auditContext ?? "guarded-fetch"} blocked redirected hostname "${finalHostname}"`);
+	}
+	return {
+		response,
+		finalUrl,
+		release: async () => {
+			clearTimeout(timeoutId);
+			if (params.signal) params.signal.removeEventListener("abort", relay);
+		}
+	};
+}
+//#endregion
+export { fetchWithSsrFGuard, withTempDownloadPath };

package/dist/src/nextclaw-sdk/network-webhook.js

@@ -0,0 +1,126 @@
+//#region src/nextclaw-sdk/network-webhook.ts
+function pruneMapToMaxSize(map, maxSize) {
+	while (map.size > maxSize) {
+		const firstKey = map.keys().next().value;
+		if (firstKey === void 0) break;
+		map.delete(firstKey);
+	}
+}
+const WEBHOOK_RATE_LIMIT_DEFAULTS = Object.freeze({
+	windowMs: 6e4,
+	maxRequests: 120,
+	maxTrackedKeys: 4096
+});
+const WEBHOOK_ANOMALY_COUNTER_DEFAULTS = Object.freeze({
+	maxTrackedKeys: 4096,
+	ttlMs: 360 * 6e4,
+	logEvery: 25
+});
+function createFixedWindowRateLimiter(options) {
+	const state = /* @__PURE__ */ new Map();
+	const windowMs = Math.max(1, Math.floor(options.windowMs));
+	const maxRequests = Math.max(1, Math.floor(options.maxRequests));
+	const maxTrackedKeys = Math.max(1, Math.floor(options.maxTrackedKeys));
+	const pruneIntervalMs = Math.max(1, Math.floor(options.pruneIntervalMs ?? windowMs));
+	let lastPruneMs = 0;
+	const touch = (key, value) => {
+		state.delete(key);
+		state.set(key, value);
+	};
+	const prune = (nowMs) => {
+		for (const [key, entry] of state) if (nowMs - entry.windowStartMs >= windowMs) state.delete(key);
+	};
+	return {
+		isRateLimited(key, nowMs = Date.now()) {
+			if (!key) return false;
+			if (nowMs - lastPruneMs >= pruneIntervalMs) {
+				prune(nowMs);
+				lastPruneMs = nowMs;
+			}
+			const existing = state.get(key);
+			if (!existing || nowMs - existing.windowStartMs >= windowMs) {
+				touch(key, {
+					count: 1,
+					windowStartMs: nowMs
+				});
+				pruneMapToMaxSize(state, maxTrackedKeys);
+				return false;
+			}
+			const nextCount = existing.count + 1;
+			touch(key, {
+				count: nextCount,
+				windowStartMs: existing.windowStartMs
+			});
+			pruneMapToMaxSize(state, maxTrackedKeys);
+			return nextCount > maxRequests;
+		},
+		size: () => state.size,
+		clear: () => {
+			state.clear();
+			lastPruneMs = 0;
+		}
+	};
+}
+function createWebhookAnomalyTracker(options) {
+	const trackedStatusCodes = new Set(options?.trackedStatusCodes ?? [
+		400,
+		401,
+		408,
+		413,
+		415,
+		429
+	]);
+	const counters = /* @__PURE__ */ new Map();
+	const maxTrackedKeys = Math.max(1, Math.floor(options?.maxTrackedKeys ?? WEBHOOK_ANOMALY_COUNTER_DEFAULTS.maxTrackedKeys));
+	const ttlMs = Math.max(0, Math.floor(options?.ttlMs ?? WEBHOOK_ANOMALY_COUNTER_DEFAULTS.ttlMs));
+	const logEvery = Math.max(1, Math.floor(options?.logEvery ?? WEBHOOK_ANOMALY_COUNTER_DEFAULTS.logEvery));
+	const prune = (nowMs) => {
+		if (ttlMs <= 0) return;
+		for (const [key, entry] of counters) if (nowMs - entry.updatedAtMs >= ttlMs) counters.delete(key);
+	};
+	return {
+		record(params) {
+			if (!trackedStatusCodes.has(params.statusCode)) return 0;
+			const nowMs = params.nowMs ?? Date.now();
+			prune(nowMs);
+			const nextCount = (counters.get(params.key)?.count ?? 0) + 1;
+			counters.set(params.key, {
+				count: nextCount,
+				updatedAtMs: nowMs
+			});
+			pruneMapToMaxSize(counters, maxTrackedKeys);
+			if (params.log && (nextCount === 1 || nextCount % logEvery === 0)) params.log(params.message(nextCount));
+			return nextCount;
+		},
+		size: () => counters.size,
+		clear: () => counters.clear()
+	};
+}
+function isJsonContentType(value) {
+	const first = Array.isArray(value) ? value[0] : value;
+	if (!first) return false;
+	const mediaType = first.split(";", 1)[0]?.trim().toLowerCase();
+	return mediaType === "application/json" || Boolean(mediaType?.endsWith("+json"));
+}
+function applyBasicWebhookRequestGuards(params) {
+	const allowMethods = params.allowMethods?.length ? params.allowMethods : null;
+	if (allowMethods && !allowMethods.includes(params.req.method ?? "")) {
+		params.res.statusCode = 405;
+		params.res.setHeader("Allow", allowMethods.join(", "));
+		params.res.end("Method Not Allowed");
+		return false;
+	}
+	if (params.rateLimiter && params.rateLimitKey && params.rateLimiter.isRateLimited(params.rateLimitKey, params.nowMs ?? Date.now())) {
+		params.res.statusCode = 429;
+		params.res.end("Too Many Requests");
+		return false;
+	}
+	if (params.requireJsonContentType && params.req.method === "POST" && !isJsonContentType(params.req.headers["content-type"])) {
+		params.res.statusCode = 415;
+		params.res.end("Unsupported Media Type");
+		return false;
+	}
+	return true;
+}
+//#endregion
+export { WEBHOOK_ANOMALY_COUNTER_DEFAULTS, WEBHOOK_RATE_LIMIT_DEFAULTS, applyBasicWebhookRequestGuards, createFixedWindowRateLimiter, createWebhookAnomalyTracker };

package/dist/src/nextclaw-sdk/network.js

@@ -0,0 +1,4 @@
+import "./network-fetch.js";
+import "./network-webhook.js";
+import "./network-body.js";
+export {};

package/dist/src/nextclaw-sdk/runtime-store.js

@@ -0,0 +1,21 @@
+//#region src/nextclaw-sdk/runtime-store.ts
+function createPluginRuntimeStore(errorMessage) {
+	let runtime = null;
+	return {
+		setRuntime(next) {
+			runtime = next;
+		},
+		clearRuntime() {
+			runtime = null;
+		},
+		tryGetRuntime() {
+			return runtime;
+		},
+		getRuntime() {
+			if (!runtime) throw new Error(errorMessage);
+			return runtime;
+		}
+	};
+}
+//#endregion
+export { createPluginRuntimeStore };

package/dist/src/nextclaw-sdk/secrets-config.js

@@ -0,0 +1,65 @@
+//#region src/nextclaw-sdk/secrets-config.ts
+function mergeAllowFromEntries(current, additions) {
+	const merged = [...current ?? [], ...additions].map((entry) => String(entry).trim()).filter(Boolean);
+	return [...new Set(merged)];
+}
+function splitOnboardingEntries(raw) {
+	return raw.split(/[\n,;]+/g).map((entry) => entry.trim()).filter(Boolean);
+}
+function patchTopLevelChannelConfig(params) {
+	const channelConfig = params.cfg.channels?.[params.channel] ?? {};
+	return {
+		...params.cfg,
+		channels: {
+			...params.cfg.channels,
+			[params.channel]: {
+				...channelConfig,
+				...params.enabled ? { enabled: true } : {},
+				...params.patch
+			}
+		}
+	};
+}
+function addWildcardAllowFrom(allowFrom) {
+	const next = (allowFrom ?? []).map((entry) => String(entry).trim()).filter(Boolean);
+	if (!next.includes("*")) next.push("*");
+	return next;
+}
+function setTopLevelChannelAllowFrom(params) {
+	return patchTopLevelChannelConfig({
+		cfg: params.cfg,
+		channel: params.channel,
+		enabled: params.enabled,
+		patch: { allowFrom: params.allowFrom }
+	});
+}
+function setTopLevelChannelDmPolicyWithAllowFrom(params) {
+	const channelConfig = params.cfg.channels?.[params.channel] ?? {};
+	const existingAllowFrom = params.getAllowFrom?.(params.cfg) ?? channelConfig.allowFrom ?? void 0;
+	const allowFrom = params.dmPolicy === "open" ? addWildcardAllowFrom(existingAllowFrom) : void 0;
+	return patchTopLevelChannelConfig({
+		cfg: params.cfg,
+		channel: params.channel,
+		patch: {
+			dmPolicy: params.dmPolicy,
+			...allowFrom ? { allowFrom } : {}
+		}
+	});
+}
+function setTopLevelChannelGroupPolicy(params) {
+	return patchTopLevelChannelConfig({
+		cfg: params.cfg,
+		channel: params.channel,
+		enabled: params.enabled,
+		patch: { groupPolicy: params.groupPolicy }
+	});
+}
+function buildSingleChannelSecretPromptState(params) {
+	return {
+		accountConfigured: params.accountConfigured,
+		hasConfigToken: params.hasConfigToken,
+		canUseEnv: params.allowEnv && Boolean(params.envValue?.trim()) && !params.hasConfigToken
+	};
+}
+//#endregion
+export { buildSingleChannelSecretPromptState, mergeAllowFromEntries, setTopLevelChannelAllowFrom, setTopLevelChannelDmPolicyWithAllowFrom, setTopLevelChannelGroupPolicy, splitOnboardingEntries };

package/dist/src/nextclaw-sdk/secrets-core.d.ts

@@ -0,0 +1 @@
+export { };

package/dist/src/nextclaw-sdk/secrets-core.js

@@ -0,0 +1,68 @@
+import "zod";
+//#region src/nextclaw-sdk/secrets-core.ts
+const DEFAULT_SECRET_PROVIDER_ALIAS = "default";
+const ENV_SECRET_REF_ID_RE = /^[A-Z][A-Z0-9_]{0,127}$/;
+const ENV_SECRET_TEMPLATE_RE = /^\$\{([A-Z][A-Z0-9_]{0,127})\}$/;
+const FILE_SECRET_REF_SEGMENT_PATTERN = /^(?:[^~]|~0|~1)*$/;
+const EXEC_SECRET_REF_ID_PATTERN = /^[A-Za-z0-9][A-Za-z0-9._:/-]{0,255}$/;
+function isRecord(value) {
+	return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+function isSecretRef(value) {
+	return isRecord(value) && (value.source === "env" || value.source === "file" || value.source === "exec") && typeof value.provider === "string" && value.provider.trim().length > 0 && typeof value.id === "string" && value.id.trim().length > 0;
+}
+function coerceSecretRef(value, defaults) {
+	if (isSecretRef(value)) return value;
+	if (typeof value === "string") {
+		const match = ENV_SECRET_TEMPLATE_RE.exec(value.trim());
+		if (match) return {
+			source: "env",
+			provider: defaults?.env ?? "default",
+			id: match[1]
+		};
+	}
+	if (!isRecord(value)) return null;
+	if ((value.source === "env" || value.source === "file" || value.source === "exec") && typeof value.id === "string" && value.id.trim().length > 0 && value.provider === void 0) {
+		const source = value.source;
+		return {
+			source,
+			provider: source === "env" ? defaults?.env ?? "default" : source === "file" ? defaults?.file ?? "default" : defaults?.exec ?? "default",
+			id: value.id
+		};
+	}
+	return null;
+}
+function resolveSecretInputRef(params) {
+	return coerceSecretRef(params.refValue, params.defaults) ?? coerceSecretRef(params.value, params.defaults);
+}
+function normalizeSecretInputString(value) {
+	if (typeof value !== "string") return;
+	return value.trim() || void 0;
+}
+function hasConfiguredSecretInput(value, defaults) {
+	return Boolean(normalizeSecretInputString(value) || coerceSecretRef(value, defaults));
+}
+function normalizeResolvedSecretInputString(params) {
+	const normalized = normalizeSecretInputString(params.value);
+	if (normalized) return normalized;
+	const ref = resolveSecretInputRef(params);
+	if (ref) throw new Error(`${params.path}: unresolved SecretRef "${ref.source}:${ref.provider}:${ref.id}".`);
+}
+function isValidFileSecretRefId(value) {
+	if (value === "value") return true;
+	if (!value.startsWith("/")) return false;
+	return value.slice(1).split("/").every((segment) => FILE_SECRET_REF_SEGMENT_PATTERN.test(segment));
+}
+function isValidExecSecretRefId(value) {
+	if (!EXEC_SECRET_REF_ID_PATTERN.test(value)) return false;
+	return value.split("/").every((segment) => segment !== "." && segment !== "..");
+}
+function formatExecSecretRefIdValidationMessage() {
+	return [
+		"Exec secret reference id must match /^[A-Za-z0-9][A-Za-z0-9._:/-]{0,255}$/",
+		"and must not include \".\" or \"..\" path segments",
+		"(example: \"vault/openai/api-key\")."
+	].join(" ");
+}
+//#endregion
+export { DEFAULT_SECRET_PROVIDER_ALIAS, ENV_SECRET_REF_ID_RE, formatExecSecretRefIdValidationMessage, hasConfiguredSecretInput, isValidExecSecretRefId, isValidFileSecretRefId, normalizeResolvedSecretInputString, normalizeSecretInputString };