@quiltdata/benchling-webhook 0.5.4 → 0.6.1-20251104T043302Z

package/dist/lib/utils/config-loader.d.ts

@@ -0,0 +1,48 @@
+/**
+ * Configuration loading helpers for application startup
+ *
+ * Provides simplified configuration loading for both production (from AWS)
+ * and testing (from environment variables).
+ */
+import { type ResolvedConfig } from "./config-resolver";
+/**
+ * Load configuration for production (from AWS CloudFormation and Secrets Manager)
+ *
+ * Reads QuiltStackARN and BenchlingSecret from environment variables and
+ * resolves complete configuration by querying AWS APIs.
+ *
+ * @returns Complete resolved configuration
+ * @throws Error if required environment variables are missing
+ * @throws ConfigResolverError if AWS resolution fails
+ *
+ * @example
+ * // In production/container
+ * const config = await loadConfig();
+ * console.log(`Database: ${config.quiltDatabase}`);
+ */
+export declare function loadConfig(): Promise<ResolvedConfig>;
+/**
+ * Load configuration for testing (from environment variables directly)
+ *
+ * Only available when NODE_ENV=test. Provides backward compatibility
+ * with existing test suite by reading configuration from individual
+ * environment variables instead of AWS services.
+ *
+ * @returns Partial configuration from environment variables
+ * @throws Error if called outside test environment
+ *
+ * @example
+ * // In test files
+ * process.env.NODE_ENV = 'test';
+ * process.env.QUILT_CATALOG = 'test.catalog.com';
+ * const config = loadConfigForTesting();
+ */
+export declare function loadConfigForTesting(): Partial<ResolvedConfig>;
+/**
+ * Format ConfigResolverError for console output
+ *
+ * @param error - The error to format
+ * @returns Formatted error message
+ */
+export declare function formatConfigError(error: unknown): string;
+//# sourceMappingURL=config-loader.d.ts.map

package/dist/lib/utils/config-loader.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config-loader.d.ts","sourceRoot":"","sources":["../../../lib/utils/config-loader.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAkB,KAAK,cAAc,EAAuB,MAAM,mBAAmB,CAAC;AAE7F;;;;;;;;;;;;;;GAcG;AACH,wBAAsB,UAAU,IAAI,OAAO,CAAC,cAAc,CAAC,CAyB1D;AAED;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,oBAAoB,IAAI,OAAO,CAAC,cAAc,CAAC,CAgC9D;AAED;;;;;GAKG;AACH,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM,CAUxD"}

package/dist/lib/utils/config-loader.js

@@ -0,0 +1,109 @@
+"use strict";
+/**
+ * Configuration loading helpers for application startup
+ *
+ * Provides simplified configuration loading for both production (from AWS)
+ * and testing (from environment variables).
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.loadConfig = loadConfig;
+exports.loadConfigForTesting = loadConfigForTesting;
+exports.formatConfigError = formatConfigError;
+const config_resolver_1 = require("./config-resolver");
+/**
+ * Load configuration for production (from AWS CloudFormation and Secrets Manager)
+ *
+ * Reads QuiltStackARN and BenchlingSecret from environment variables and
+ * resolves complete configuration by querying AWS APIs.
+ *
+ * @returns Complete resolved configuration
+ * @throws Error if required environment variables are missing
+ * @throws ConfigResolverError if AWS resolution fails
+ *
+ * @example
+ * // In production/container
+ * const config = await loadConfig();
+ * console.log(`Database: ${config.quiltDatabase}`);
+ */
+async function loadConfig() {
+    const quiltStackArn = process.env.QuiltStackARN;
+    const benchlingSecret = process.env.BenchlingSecret;
+    if (!quiltStackArn || !benchlingSecret) {
+        const missing = [];
+        if (!quiltStackArn)
+            missing.push("QuiltStackARN");
+        if (!benchlingSecret)
+            missing.push("BenchlingSecret");
+        throw new Error(`Missing required environment variables: ${missing.join(", ")}\n\n` +
+            "The container requires exactly 2 environment variables:\n" +
+            "  QuiltStackARN: ARN of your Quilt CloudFormation stack\n" +
+            "    Example: arn:aws:cloudformation:us-east-1:123456789012:stack/QuiltStack/abc-123\n\n" +
+            "  BenchlingSecret: Name or ARN of AWS Secrets Manager secret\n" +
+            "    Example: my-benchling-creds\n\n" +
+            "Documentation: https://github.com/quiltdata/benchling-webhook#configuration");
+    }
+    const resolver = new config_resolver_1.ConfigResolver();
+    return await resolver.resolve({
+        quiltStackArn,
+        benchlingSecret,
+    });
+}
+/**
+ * Load configuration for testing (from environment variables directly)
+ *
+ * Only available when NODE_ENV=test. Provides backward compatibility
+ * with existing test suite by reading configuration from individual
+ * environment variables instead of AWS services.
+ *
+ * @returns Partial configuration from environment variables
+ * @throws Error if called outside test environment
+ *
+ * @example
+ * // In test files
+ * process.env.NODE_ENV = 'test';
+ * process.env.QUILT_CATALOG = 'test.catalog.com';
+ * const config = loadConfigForTesting();
+ */
+function loadConfigForTesting() {
+    if (process.env.NODE_ENV !== "test") {
+        throw new Error("loadConfigForTesting() should only be used in test environment (NODE_ENV=test)");
+    }
+    return {
+        // AWS
+        awsRegion: process.env.AWS_REGION || process.env.CDK_DEFAULT_REGION || "us-east-1",
+        awsAccount: process.env.CDK_DEFAULT_ACCOUNT || "123456789012",
+        // Quilt
+        quiltCatalog: process.env.QUILT_CATALOG || "test.catalog.com",
+        quiltDatabase: process.env.QUILT_DATABASE || "test_db",
+        quiltUserBucket: process.env.QUILT_USER_BUCKET || "test-bucket",
+        queueArn: process.env.QUEUE_ARN || "arn:aws:sqs:us-east-1:123456789012:test-queue",
+        // Benchling
+        benchlingTenant: process.env.BENCHLING_TENANT || "test-tenant",
+        benchlingClientId: process.env.BENCHLING_CLIENT_ID || "test-client-id",
+        benchlingClientSecret: process.env.BENCHLING_CLIENT_SECRET || "test-client-secret",
+        benchlingAppDefinitionId: process.env.BENCHLING_APP_DEFINITION_ID,
+        benchlingApiUrl: process.env.BENCHLING_API_URL,
+        // Optional
+        pkgPrefix: process.env.PKG_PREFIX || "benchling",
+        pkgKey: process.env.PKG_KEY || "experiment_id",
+        logLevel: process.env.LOG_LEVEL || "INFO",
+        webhookAllowList: process.env.WEBHOOK_ALLOW_LIST,
+        enableWebhookVerification: process.env.ENABLE_WEBHOOK_VERIFICATION !== "false",
+    };
+}
+/**
+ * Format ConfigResolverError for console output
+ *
+ * @param error - The error to format
+ * @returns Formatted error message
+ */
+function formatConfigError(error) {
+    if (error instanceof config_resolver_1.ConfigResolverError) {
+        return error.format();
+    }
+    if (error instanceof Error) {
+        return `Error: ${error.message}`;
+    }
+    return `Unknown error: ${String(error)}`;
+}
+//# sourceMappingURL=config-loader.js.map

package/dist/lib/utils/config-loader.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config-loader.js","sourceRoot":"","sources":["../../../lib/utils/config-loader.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;AAmBH,gCAyBC;AAkBD,oDAgCC;AAQD,8CAUC;AA9GD,uDAA6F;AAE7F;;;;;;;;;;;;;;GAcG;AACI,KAAK,UAAU,UAAU;IAC5B,MAAM,aAAa,GAAG,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC;IAChD,MAAM,eAAe,GAAG,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;IAEpD,IAAI,CAAC,aAAa,IAAI,CAAC,eAAe,EAAE,CAAC;QACrC,MAAM,OAAO,GAAa,EAAE,CAAC;QAC7B,IAAI,CAAC,aAAa;YAAE,OAAO,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;QAClD,IAAI,CAAC,eAAe;YAAE,OAAO,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;QAEtD,MAAM,IAAI,KAAK,CACX,2CAA2C,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM;YACzE,2DAA2D;YAC3D,2DAA2D;YAC3D,yFAAyF;YACzF,gEAAgE;YAChE,qCAAqC;YACrC,6EAA6E,CAC1E,CAAC;IACN,CAAC;IAED,MAAM,QAAQ,GAAG,IAAI,gCAAc,EAAE,CAAC;IACtC,OAAO,MAAM,QAAQ,CAAC,OAAO,CAAC;QAC1B,aAAa;QACb,eAAe;KAClB,CAAC,CAAC;AACP,CAAC;AAED;;;;;;;;;;;;;;;GAeG;AACH,SAAgB,oBAAoB;IAChC,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,MAAM,EAAE,CAAC;QAClC,MAAM,IAAI,KAAK,CACX,gFAAgF,CACnF,CAAC;IACN,CAAC;IAED,OAAO;QACP,MAAM;QACF,SAAS,EAAE,OAAO,CAAC,GAAG,CAAC,UAAU,IAAI,OAAO,CAAC,GAAG,CAAC,kBAAkB,IAAI,WAAW;QAClF,UAAU,EAAE,OAAO,CAAC,GAAG,CAAC,mBAAmB,IAAI,cAAc;QAE7D,QAAQ;QACR,YAAY,EAAE,OAAO,CAAC,GAAG,CAAC,aAAa,IAAI,kBAAkB;QAC7D,aAAa,EAAE,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,SAAS;QACtD,eAAe,EAAE,OAAO,CAAC,GAAG,CAAC,iBAAiB,IAAI,aAAa;QAC/D,QAAQ,EAAE,OAAO,CAAC,GAAG,CAAC,SAAS,IAAI,+CAA+C;QAElF,YAAY;QACZ,eAAe,EAAE,OAAO,CAAC,GAAG,CAAC,gBAAgB,IAAI,aAAa;QAC9D,iBAAiB,EAAE,OAAO,CAAC,GAAG,CAAC,mBAAmB,IAAI,gBAAgB;QACtE,qBAAqB,EAAE,OAAO,CAAC,GAAG,CAAC,uBAAuB,IAAI,oBAAoB;QAClF,wBAAwB,EAAE,OAAO,CAAC,GAAG,CAAC,2BAA2B;QACjE,eAAe,EAAE,OAAO,CAAC,GAAG,CAAC,iBAAiB;QAE9C,WAAW;QACX,SAAS,EAAE,OAAO,CAAC,GAAG,CAAC,UAAU,IAAI,WAAW;QAChD,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,OAAO,IAAI,eAAe;QAC9C,QAAQ,EAAE,OAAO,CAAC,GAAG,CAAC,SAAS,IAAI,MAAM;QACzC,gBAAgB,EAAE,OAAO,CAAC,GAAG,CAAC,kBAAkB;QAChD,yBAAyB,EAAE,OAAO,CAAC,GAAG,CAAC,2BAA2B,KAAK,OAAO;KACjF,CAAC;AACN,CAAC;AAED;;;;;GAKG;AACH,SAAgB,iBAAiB,CAAC,KAAc;IAC5C,IAAI,KAAK,YAAY,qCAAmB,EAAE,CAAC;QACvC,OAAO,KAAK,CAAC,MAAM,EAAE,CAAC;IAC1B,CAAC;IAED,IAAI,KAAK,YAAY,KAAK,EAAE,CAAC;QACzB,OAAO,UAAU,KAAK,CAAC,OAAO,EAAE,CAAC;IACrC,CAAC;IAED,OAAO,kBAAkB,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;AAC7C,CAAC"}

package/dist/lib/utils/config-resolver.d.ts

@@ -0,0 +1,138 @@
+/**
+ * Configuration Resolver for Secrets-Only Architecture
+ *
+ * This module resolves complete application configuration from just two sources:
+ * 1. QuiltStackARN - CloudFormation stack ARN for Quilt infrastructure
+ * 2. BenchlingSecret - AWS Secrets Manager secret containing Benchling credentials
+ *
+ * All other configuration is derived from these two sources by querying AWS APIs.
+ */
+import { CloudFormationClient } from "@aws-sdk/client-cloudformation";
+import { SecretsManagerClient } from "@aws-sdk/client-secrets-manager";
+import { type BenchlingSecretData } from "./secrets";
+/**
+ * Complete resolved configuration for the application
+ */
+export interface ResolvedConfig {
+    awsRegion: string;
+    awsAccount: string;
+    quiltCatalog: string;
+    quiltDatabase: string;
+    quiltUserBucket: string;
+    queueArn: string;
+    benchlingTenant: string;
+    benchlingClientId: string;
+    benchlingClientSecret: string;
+    benchlingAppDefinitionId?: string;
+    benchlingApiUrl?: string;
+    pkgPrefix?: string;
+    pkgKey?: string;
+    logLevel?: string;
+    webhookAllowList?: string;
+    enableWebhookVerification?: boolean;
+}
+/**
+ * Options for ConfigResolver
+ */
+export interface ConfigResolverOptions {
+    quiltStackArn: string;
+    benchlingSecret: string;
+    mockCloudFormation?: CloudFormationClient;
+    mockSecretsManager?: SecretsManagerClient;
+}
+/**
+ * Parsed CloudFormation stack ARN
+ */
+export interface ParsedStackArn {
+    region: string;
+    account: string;
+    stackName: string;
+    stackId: string;
+}
+/**
+ * Custom error for configuration resolution failures
+ */
+export declare class ConfigResolverError extends Error {
+    readonly suggestion?: string | undefined;
+    readonly details?: string | undefined;
+    constructor(message: string, suggestion?: string | undefined, details?: string | undefined);
+    /**
+   * Format error for CLI/logs with suggestions
+   */
+    format(): string;
+}
+/**
+ * Parse CloudFormation stack ARN into components
+ *
+ * @param arn - CloudFormation stack ARN
+ * @returns Parsed ARN components
+ * @throws ConfigResolverError if ARN is invalid
+ *
+ * @example
+ * parseStackArn('arn:aws:cloudformation:us-east-1:123456789012:stack/QuiltStack/abc-123')
+ * // Returns: { region: 'us-east-1', account: '123456789012', stackName: 'QuiltStack', stackId: 'abc-123' }
+ */
+export declare function parseStackArn(arn: string): ParsedStackArn;
+/**
+ * Extract stack outputs from CloudFormation
+ *
+ * @param client - CloudFormation client
+ * @param stackName - Name of the stack
+ * @returns Map of output keys to values
+ * @throws ConfigResolverError if stack not found or inaccessible
+ */
+export declare function extractStackOutputs(client: CloudFormationClient, stackName: string): Promise<Record<string, string>>;
+/**
+ * Fetch and validate secret from AWS Secrets Manager
+ *
+ * @param client - Secrets Manager client
+ * @param region - AWS region
+ * @param secretIdentifier - Secret name or ARN
+ * @returns Validated secret data
+ * @throws ConfigResolverError if secret not found or invalid
+ */
+export declare function resolveAndFetchSecret(client: SecretsManagerClient, region: string, secretIdentifier: string): Promise<BenchlingSecretData>;
+/**
+ * Main configuration resolver class
+ *
+ * Resolves complete application configuration from CloudFormation and Secrets Manager.
+ * Implements caching to avoid repeated AWS API calls.
+ */
+export declare class ConfigResolver {
+    private cache;
+    /**
+   * Resolve complete configuration from AWS
+   *
+   * @param options - Configuration resolver options
+   * @returns Complete resolved configuration
+   * @throws ConfigResolverError if resolution fails
+   */
+    resolve(options: ConfigResolverOptions): Promise<ResolvedConfig>;
+    /**
+   * Validate that required CloudFormation outputs are present
+   *
+   * @param outputs - Stack outputs
+   * @throws ConfigResolverError if required outputs are missing
+   */
+    private validateRequiredOutputs;
+    /**
+   * Resolve catalog URL from stack outputs
+   *
+   * @param outputs - Stack outputs
+   * @returns Normalized catalog URL (hostname only)
+   * @throws ConfigResolverError if catalog URL cannot be determined
+   */
+    private resolveCatalogUrl;
+    /**
+   * Normalize catalog URL to hostname only (remove protocol and trailing slash)
+   *
+   * @param url - Catalog URL
+   * @returns Normalized hostname
+   */
+    private normalizeCatalogUrl;
+    /**
+   * Clear cached configuration (for testing only)
+   */
+    clearCache(): void;
+}
+//# sourceMappingURL=config-resolver.d.ts.map

package/dist/lib/utils/config-resolver.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config-resolver.d.ts","sourceRoot":"","sources":["../../../lib/utils/config-resolver.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EACH,oBAAoB,EAEvB,MAAM,gCAAgC,CAAC;AACxC,OAAO,EACH,oBAAoB,EAEvB,MAAM,iCAAiC,CAAC;AACzC,OAAO,EAEH,KAAK,mBAAmB,EAC3B,MAAM,WAAW,CAAC;AAEnB;;GAEG;AACH,MAAM,WAAW,cAAc;IAE7B,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IAGnB,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,EAAE,MAAM,CAAC;IACtB,eAAe,EAAE,MAAM,CAAC;IACxB,QAAQ,EAAE,MAAM,CAAC;IAGjB,eAAe,EAAE,MAAM,CAAC;IACxB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,qBAAqB,EAAE,MAAM,CAAC;IAC9B,wBAAwB,CAAC,EAAE,MAAM,CAAC;IAClC,eAAe,CAAC,EAAE,MAAM,CAAC;IAGzB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,yBAAyB,CAAC,EAAE,OAAO,CAAC;CACrC;AAED;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACpC,aAAa,EAAE,MAAM,CAAC;IACtB,eAAe,EAAE,MAAM,CAAC;IAExB,kBAAkB,CAAC,EAAE,oBAAoB,CAAC;IAC1C,kBAAkB,CAAC,EAAE,oBAAoB,CAAC;CAC3C;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,MAAM,CAAC;CACjB;AAED;;GAEG;AACH,qBAAa,mBAAoB,SAAQ,KAAK;aAG1B,UAAU,CAAC,EAAE,MAAM;aACnB,OAAO,CAAC,EAAE,MAAM;gBAF5B,OAAO,EAAE,MAAM,EACH,UAAU,CAAC,EAAE,MAAM,YAAA,EACnB,OAAO,CAAC,EAAE,MAAM,YAAA;IAUhC;;KAEC;IACD,MAAM,IAAI,MAAM;CAanB;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,cAAc,CAqBzD;AAED;;;;;;;GAOG;AACH,wBAAsB,mBAAmB,CACrC,MAAM,EAAE,oBAAoB,EAC5B,SAAS,EAAE,MAAM,GAClB,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAiCjC;AAED;;;;;;;;GAQG;AACH,wBAAsB,qBAAqB,CACvC,MAAM,EAAE,oBAAoB,EAC5B,MAAM,EAAE,MAAM,EACd,gBAAgB,EAAE,MAAM,GACzB,OAAO,CAAC,mBAAmB,CAAC,CAiE9B;AAED;;;;;GAKG;AACH,qBAAa,cAAc;IACvB,OAAO,CAAC,KAAK,CAA+B;IAE5C;;;;;;KAMC;IACK,OAAO,CAAC,OAAO,EAAE,qBAAqB,GAAG,OAAO,CAAC,cAAc,CAAC;IAkEtE;;;;;KAKC;IACD,OAAO,CAAC,uBAAuB;IAmB/B;;;;;;KAMC;IACD,OAAO,CAAC,iBAAiB;IA0BzB;;;;;KAKC;IACD,OAAO,CAAC,mBAAmB;IAI3B;;KAEC;IACD,UAAU,IAAI,IAAI;CAGrB"}

package/dist/lib/utils/config-resolver.js

@@ -0,0 +1,272 @@
+"use strict";
+/**
+ * Configuration Resolver for Secrets-Only Architecture
+ *
+ * This module resolves complete application configuration from just two sources:
+ * 1. QuiltStackARN - CloudFormation stack ARN for Quilt infrastructure
+ * 2. BenchlingSecret - AWS Secrets Manager secret containing Benchling credentials
+ *
+ * All other configuration is derived from these two sources by querying AWS APIs.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ConfigResolver = exports.ConfigResolverError = void 0;
+exports.parseStackArn = parseStackArn;
+exports.extractStackOutputs = extractStackOutputs;
+exports.resolveAndFetchSecret = resolveAndFetchSecret;
+const client_cloudformation_1 = require("@aws-sdk/client-cloudformation");
+const client_secrets_manager_1 = require("@aws-sdk/client-secrets-manager");
+const secrets_1 = require("./secrets");
+/**
+ * Custom error for configuration resolution failures
+ */
+class ConfigResolverError extends Error {
+    constructor(message, suggestion, details) {
+        super(message);
+        this.suggestion = suggestion;
+        this.details = details;
+        this.name = "ConfigResolverError";
+        if (Error.captureStackTrace) {
+            Error.captureStackTrace(this, ConfigResolverError);
+        }
+    }
+    /**
+   * Format error for CLI/logs with suggestions
+   */
+    format() {
+        let output = `❌ Configuration Error: ${this.message}`;
+        if (this.suggestion) {
+            output += `\n   💡 ${this.suggestion}`;
+        }
+        if (this.details) {
+            output += `\n   ℹ️  ${this.details}`;
+        }
+        return output;
+    }
+}
+exports.ConfigResolverError = ConfigResolverError;
+/**
+ * Parse CloudFormation stack ARN into components
+ *
+ * @param arn - CloudFormation stack ARN
+ * @returns Parsed ARN components
+ * @throws ConfigResolverError if ARN is invalid
+ *
+ * @example
+ * parseStackArn('arn:aws:cloudformation:us-east-1:123456789012:stack/QuiltStack/abc-123')
+ * // Returns: { region: 'us-east-1', account: '123456789012', stackName: 'QuiltStack', stackId: 'abc-123' }
+ */
+function parseStackArn(arn) {
+    const pattern = /^arn:aws:cloudformation:([a-z0-9-]+):(\d{12}):stack\/([^/]+)\/(.+)$/;
+    const match = arn.match(pattern);
+    if (!match) {
+        throw new ConfigResolverError("Invalid CloudFormation stack ARN format", "ARN must match: arn:aws:cloudformation:region:account:stack/name/id", `Received: ${arn}`);
+    }
+    const [, region, account, stackName, stackId] = match;
+    return {
+        region,
+        account,
+        stackName,
+        stackId,
+    };
+}
+/**
+ * Extract stack outputs from CloudFormation
+ *
+ * @param client - CloudFormation client
+ * @param stackName - Name of the stack
+ * @returns Map of output keys to values
+ * @throws ConfigResolverError if stack not found or inaccessible
+ */
+async function extractStackOutputs(client, stackName) {
+    const command = new client_cloudformation_1.DescribeStacksCommand({ StackName: stackName });
+    try {
+        const response = await client.send(command);
+        const stack = response.Stacks?.[0];
+        if (!stack) {
+            throw new ConfigResolverError(`Stack not found: ${stackName}`, "Ensure the CloudFormation stack exists and is accessible");
+        }
+        const outputs = stack.Outputs || [];
+        return Object.fromEntries(outputs.map((o) => [o.OutputKey, o.OutputValue]));
+    }
+    catch (error) {
+        if (error instanceof ConfigResolverError) {
+            throw error;
+        }
+        if (error.name === "ValidationError") {
+            throw new ConfigResolverError(`Invalid stack name: ${stackName}`, "Check that the stack name is correct");
+        }
+        throw new ConfigResolverError(`Failed to describe stack: ${error.message}`, "Check AWS credentials and permissions");
+    }
+}
+/**
+ * Fetch and validate secret from AWS Secrets Manager
+ *
+ * @param client - Secrets Manager client
+ * @param region - AWS region
+ * @param secretIdentifier - Secret name or ARN
+ * @returns Validated secret data
+ * @throws ConfigResolverError if secret not found or invalid
+ */
+async function resolveAndFetchSecret(client, region, secretIdentifier) {
+    try {
+        const command = new client_secrets_manager_1.GetSecretValueCommand({ SecretId: secretIdentifier });
+        const response = await client.send(command);
+        if (!response.SecretString) {
+            throw new ConfigResolverError("Secret does not contain string data", "Ensure secret is stored as JSON string, not binary");
+        }
+        // Parse JSON
+        let data;
+        try {
+            data = JSON.parse(response.SecretString);
+        }
+        catch (parseError) {
+            throw new ConfigResolverError("Secret contains invalid JSON", "Ensure secret value is valid JSON", `Parse error: ${parseError.message}`);
+        }
+        // Validate structure
+        const validation = (0, secrets_1.validateSecretData)(data);
+        if (!validation.valid) {
+            const errors = validation.errors
+                .map((e) => `${e.field}: ${e.message}`)
+                .join("; ");
+            throw new ConfigResolverError("Invalid secret structure", errors, "Expected format: {\"client_id\":\"...\",\"client_secret\":\"...\",\"tenant\":\"...\"}");
+        }
+        return data;
+    }
+    catch (error) {
+        if (error instanceof ConfigResolverError) {
+            throw error;
+        }
+        if (error.name === "ResourceNotFoundException") {
+            throw new ConfigResolverError(`Secret not found: ${secretIdentifier}`, "Ensure the secret exists in AWS Secrets Manager and is accessible", `Region: ${region}`);
+        }
+        if (error.name === "AccessDeniedException") {
+            throw new ConfigResolverError(`Access denied to secret: ${secretIdentifier}`, "Ensure the IAM role has secretsmanager:GetSecretValue permission", `Region: ${region}`);
+        }
+        throw new ConfigResolverError(`Failed to fetch secret: ${error.message}`, "Check AWS credentials and permissions");
+    }
+}
+/**
+ * Main configuration resolver class
+ *
+ * Resolves complete application configuration from CloudFormation and Secrets Manager.
+ * Implements caching to avoid repeated AWS API calls.
+ */
+class ConfigResolver {
+    constructor() {
+        this.cache = null;
+    }
+    /**
+   * Resolve complete configuration from AWS
+   *
+   * @param options - Configuration resolver options
+   * @returns Complete resolved configuration
+   * @throws ConfigResolverError if resolution fails
+   */
+    async resolve(options) {
+        // Return cached config if available
+        if (this.cache) {
+            return this.cache;
+        }
+        // Step 1: Parse stack ARN
+        const parsed = parseStackArn(options.quiltStackArn);
+        // Step 2: Create AWS clients (or use mocks for testing)
+        const cfnClient = options.mockCloudFormation ||
+            new client_cloudformation_1.CloudFormationClient({ region: parsed.region });
+        const smClient = options.mockSecretsManager ||
+            new client_secrets_manager_1.SecretsManagerClient({ region: parsed.region });
+        // Step 3: Fetch stack outputs
+        const outputs = await extractStackOutputs(cfnClient, parsed.stackName);
+        // Step 4: Validate required outputs
+        this.validateRequiredOutputs(outputs);
+        // Step 5: Fetch Benchling secret
+        const secret = await resolveAndFetchSecret(smClient, parsed.region, options.benchlingSecret);
+        // Step 6: Resolve catalog URL
+        const catalog = this.resolveCatalogUrl(outputs);
+        // Step 7: Assemble complete configuration
+        const config = {
+            // AWS
+            awsRegion: parsed.region,
+            awsAccount: parsed.account,
+            // Quilt
+            quiltCatalog: catalog,
+            quiltDatabase: outputs.UserAthenaDatabaseName,
+            quiltUserBucket: outputs.UserBucket || outputs.BucketName,
+            queueArn: outputs.PackagerQueueArn,
+            // Benchling
+            benchlingTenant: secret.tenant,
+            benchlingClientId: secret.client_id,
+            benchlingClientSecret: secret.client_secret,
+            benchlingAppDefinitionId: secret.app_definition_id,
+            benchlingApiUrl: secret.api_url,
+            // Optional defaults
+            pkgPrefix: "benchling",
+            pkgKey: "experiment_id",
+            logLevel: "INFO",
+            enableWebhookVerification: true,
+        };
+        // Cache for container lifetime
+        this.cache = config;
+        return config;
+    }
+    /**
+   * Validate that required CloudFormation outputs are present
+   *
+   * @param outputs - Stack outputs
+   * @throws ConfigResolverError if required outputs are missing
+   */
+    validateRequiredOutputs(outputs) {
+        const required = ["UserAthenaDatabaseName", "PackagerQueueArn"];
+        // UserBucket or BucketName (at least one required)
+        if (!outputs.UserBucket && !outputs.BucketName) {
+            required.push("UserBucket or BucketName");
+        }
+        const missing = required.filter((key) => !outputs[key]);
+        if (missing.length > 0) {
+            throw new ConfigResolverError(`Missing required CloudFormation outputs: ${missing.join(", ")}`, "Ensure your Quilt stack exports these outputs", `Available outputs: ${Object.keys(outputs).join(", ")}`);
+        }
+    }
+    /**
+   * Resolve catalog URL from stack outputs
+   *
+   * @param outputs - Stack outputs
+   * @returns Normalized catalog URL (hostname only)
+   * @throws ConfigResolverError if catalog URL cannot be determined
+   */
+    resolveCatalogUrl(outputs) {
+        // Option 1: Direct from Catalog or CatalogDomain output
+        if (outputs.Catalog) {
+            return this.normalizeCatalogUrl(outputs.Catalog);
+        }
+        if (outputs.CatalogDomain) {
+            return this.normalizeCatalogUrl(outputs.CatalogDomain);
+        }
+        // Option 2: Extract from API Gateway endpoint
+        if (outputs.ApiGatewayEndpoint) {
+            try {
+                const url = new URL(outputs.ApiGatewayEndpoint);
+                return url.hostname;
+            }
+            catch {
+                // Invalid URL, fall through to error
+            }
+        }
+        throw new ConfigResolverError("Cannot determine catalog URL", "Stack must export \"Catalog\", \"CatalogDomain\", or \"ApiGatewayEndpoint\"");
+    }
+    /**
+   * Normalize catalog URL to hostname only (remove protocol and trailing slash)
+   *
+   * @param url - Catalog URL
+   * @returns Normalized hostname
+   */
+    normalizeCatalogUrl(url) {
+        return url.replace(/^https?:\/\//, "").replace(/\/$/, "");
+    }
+    /**
+   * Clear cached configuration (for testing only)
+   */
+    clearCache() {
+        this.cache = null;
+    }
+}
+exports.ConfigResolver = ConfigResolver;
+//# sourceMappingURL=config-resolver.js.map

package/dist/lib/utils/config-resolver.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config-resolver.js","sourceRoot":"","sources":["../../../lib/utils/config-resolver.ts"],"names":[],"mappings":";AAAA;;;;;;;;GAQG;;;AA+GH,sCAqBC;AAUD,kDAoCC;AAWD,sDAqEC;AAhQD,0EAGwC;AACxC,4EAGyC;AACzC,uCAGmB;AAoDnB;;GAEG;AACH,MAAa,mBAAoB,SAAQ,KAAK;IAC1C,YACI,OAAe,EACH,UAAmB,EACnB,OAAgB;QAE5B,KAAK,CAAC,OAAO,CAAC,CAAC;QAHH,eAAU,GAAV,UAAU,CAAS;QACnB,YAAO,GAAP,OAAO,CAAS;QAG5B,IAAI,CAAC,IAAI,GAAG,qBAAqB,CAAC;QAElC,IAAI,KAAK,CAAC,iBAAiB,EAAE,CAAC;YAC1B,KAAK,CAAC,iBAAiB,CAAC,IAAI,EAAE,mBAAmB,CAAC,CAAC;QACvD,CAAC;IACL,CAAC;IAED;;KAEC;IACD,MAAM;QACF,IAAI,MAAM,GAAG,0BAA0B,IAAI,CAAC,OAAO,EAAE,CAAC;QAEtD,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;YAClB,MAAM,IAAI,WAAW,IAAI,CAAC,UAAU,EAAE,CAAC;QAC3C,CAAC;QAED,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YACf,MAAM,IAAI,YAAY,IAAI,CAAC,OAAO,EAAE,CAAC;QACzC,CAAC;QAED,OAAO,MAAM,CAAC;IAClB,CAAC;CACJ;AA9BD,kDA8BC;AAED;;;;;;;;;;GAUG;AACH,SAAgB,aAAa,CAAC,GAAW;IACrC,MAAM,OAAO,GACb,qEAAqE,CAAC;IACtE,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IAEjC,IAAI,CAAC,KAAK,EAAE,CAAC;QACT,MAAM,IAAI,mBAAmB,CACzB,yCAAyC,EACzC,qEAAqE,EACrE,aAAa,GAAG,EAAE,CACrB,CAAC;IACN,CAAC;IAED,MAAM,CAAC,EAAE,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,OAAO,CAAC,GAAG,KAAK,CAAC;IAEtD,OAAO;QACH,MAAM;QACN,OAAO;QACP,SAAS;QACT,OAAO;KACV,CAAC;AACN,CAAC;AAED;;;;;;;GAOG;AACI,KAAK,UAAU,mBAAmB,CACrC,MAA4B,EAC5B,SAAiB;IAEjB,MAAM,OAAO,GAAG,IAAI,6CAAqB,CAAC,EAAE,SAAS,EAAE,SAAS,EAAE,CAAC,CAAC;IAEpE,IAAI,CAAC;QACD,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAC5C,MAAM,KAAK,GAAG,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,CAAC;QAEnC,IAAI,CAAC,KAAK,EAAE,CAAC;YACT,MAAM,IAAI,mBAAmB,CACzB,oBAAoB,SAAS,EAAE,EAC/B,0DAA0D,CAC7D,CAAC;QACN,CAAC;QAED,MAAM,OAAO,GAAG,KAAK,CAAC,OAAO,IAAI,EAAE,CAAC;QACpC,OAAO,MAAM,CAAC,WAAW,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,SAAU,EAAE,CAAC,CAAC,WAAY,CAAC,CAAC,CAAC,CAAC;IAClF,CAAC;IAAC,OAAO,KAAc,EAAE,CAAC;QACtB,IAAI,KAAK,YAAY,mBAAmB,EAAE,CAAC;YACvC,MAAM,KAAK,CAAC;QAChB,CAAC;QAED,IAAK,KAAe,CAAC,IAAI,KAAK,iBAAiB,EAAE,CAAC;YAC9C,MAAM,IAAI,mBAAmB,CACzB,uBAAuB,SAAS,EAAE,EAClC,sCAAsC,CACzC,CAAC;QACN,CAAC;QAED,MAAM,IAAI,mBAAmB,CACzB,6BAA8B,KAAe,CAAC,OAAO,EAAE,EACvD,uCAAuC,CAC1C,CAAC;IACN,CAAC;AACL,CAAC;AAED;;;;;;;;GAQG;AACI,KAAK,UAAU,qBAAqB,CACvC,MAA4B,EAC5B,MAAc,EACd,gBAAwB;IAExB,IAAI,CAAC;QACD,MAAM,OAAO,GAAG,IAAI,8CAAqB,CAAC,EAAE,QAAQ,EAAE,gBAAgB,EAAE,CAAC,CAAC;QAC1E,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAE5C,IAAI,CAAC,QAAQ,CAAC,YAAY,EAAE,CAAC;YACzB,MAAM,IAAI,mBAAmB,CACzB,qCAAqC,EACrC,oDAAoD,CACvD,CAAC;QACN,CAAC;QAED,aAAa;QACb,IAAI,IAAa,CAAC;QAClB,IAAI,CAAC;YACD,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC;QAC7C,CAAC;QAAC,OAAO,UAAU,EAAE,CAAC;YAClB,MAAM,IAAI,mBAAmB,CACzB,8BAA8B,EAC9B,mCAAmC,EACnC,gBAAiB,UAAoB,CAAC,OAAO,EAAE,CAClD,CAAC;QACN,CAAC;QAED,qBAAqB;QACrB,MAAM,UAAU,GAAG,IAAA,4BAAkB,EAAC,IAAI,CAAC,CAAC;QAE5C,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,CAAC;YACpB,MAAM,MAAM,GAAG,UAAU,CAAC,MAAM;iBAC3B,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,CAAC,KAAK,KAAK,CAAC,CAAC,OAAO,EAAE,CAAC;iBACtC,IAAI,CAAC,IAAI,CAAC,CAAC;YAChB,MAAM,IAAI,mBAAmB,CACzB,0BAA0B,EAC1B,MAAM,EACN,uFAAuF,CAC1F,CAAC;QACN,CAAC;QAED,OAAO,IAA2B,CAAC;IACvC,CAAC;IAAC,OAAO,KAAc,EAAE,CAAC;QACtB,IAAI,KAAK,YAAY,mBAAmB,EAAE,CAAC;YACvC,MAAM,KAAK,CAAC;QAChB,CAAC;QAED,IAAK,KAAe,CAAC,IAAI,KAAK,2BAA2B,EAAE,CAAC;YACxD,MAAM,IAAI,mBAAmB,CACzB,qBAAqB,gBAAgB,EAAE,EACvC,mEAAmE,EACnE,WAAW,MAAM,EAAE,CACtB,CAAC;QACN,CAAC;QAED,IAAK,KAAe,CAAC,IAAI,KAAK,uBAAuB,EAAE,CAAC;YACpD,MAAM,IAAI,mBAAmB,CACzB,4BAA4B,gBAAgB,EAAE,EAC9C,kEAAkE,EAClE,WAAW,MAAM,EAAE,CACtB,CAAC;QACN,CAAC;QAED,MAAM,IAAI,mBAAmB,CACzB,2BAA4B,KAAe,CAAC,OAAO,EAAE,EACrD,uCAAuC,CAC1C,CAAC;IACN,CAAC;AACL,CAAC;AAED;;;;;GAKG;AACH,MAAa,cAAc;IAA3B;QACY,UAAK,GAA0B,IAAI,CAAC;IAqJhD,CAAC;IAnJG;;;;;;KAMC;IACD,KAAK,CAAC,OAAO,CAAC,OAA8B;QAC5C,oCAAoC;QAChC,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YACb,OAAO,IAAI,CAAC,KAAK,CAAC;QACtB,CAAC;QAED,0BAA0B;QAC1B,MAAM,MAAM,GAAG,aAAa,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC;QAEpD,wDAAwD;QACxD,MAAM,SAAS,GACjB,OAAO,CAAC,kBAAkB;YAC1B,IAAI,4CAAoB,CAAC,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;QAElD,MAAM,QAAQ,GAChB,OAAO,CAAC,kBAAkB;YAC1B,IAAI,6CAAoB,CAAC,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;QAElD,8BAA8B;QAC9B,MAAM,OAAO,GAAG,MAAM,mBAAmB,CAAC,SAAS,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC;QAEvE,oCAAoC;QACpC,IAAI,CAAC,uBAAuB,CAAC,OAAO,CAAC,CAAC;QAEtC,iCAAiC;QACjC,MAAM,MAAM,GAAG,MAAM,qBAAqB,CACtC,QAAQ,EACR,MAAM,CAAC,MAAM,EACb,OAAO,CAAC,eAAe,CAC1B,CAAC;QAEF,8BAA8B;QAC9B,MAAM,OAAO,GAAG,IAAI,CAAC,iBAAiB,CAAC,OAAO,CAAC,CAAC;QAEhD,0CAA0C;QAC1C,MAAM,MAAM,GAAmB;YAC3B,MAAM;YACN,SAAS,EAAE,MAAM,CAAC,MAAM;YACxB,UAAU,EAAE,MAAM,CAAC,OAAO;YAE1B,QAAQ;YACR,YAAY,EAAE,OAAO;YACrB,aAAa,EAAE,OAAO,CAAC,sBAAsB;YAC7C,eAAe,EAAE,OAAO,CAAC,UAAU,IAAI,OAAO,CAAC,UAAU;YACzD,QAAQ,EAAE,OAAO,CAAC,gBAAgB;YAElC,YAAY;YACZ,eAAe,EAAE,MAAM,CAAC,MAAM;YAC9B,iBAAiB,EAAE,MAAM,CAAC,SAAS;YACnC,qBAAqB,EAAE,MAAM,CAAC,aAAa;YAC3C,wBAAwB,EAAE,MAAM,CAAC,iBAAiB;YAClD,eAAe,EAAE,MAAM,CAAC,OAAO;YAE/B,oBAAoB;YACpB,SAAS,EAAE,WAAW;YACtB,MAAM,EAAE,eAAe;YACvB,QAAQ,EAAE,MAAM;YAChB,yBAAyB,EAAE,IAAI;SAClC,CAAC;QAEF,+BAA+B;QAC/B,IAAI,CAAC,KAAK,GAAG,MAAM,CAAC;QAEpB,OAAO,MAAM,CAAC;IAClB,CAAC;IAED;;;;;KAKC;IACO,uBAAuB,CAAC,OAA+B;QAC3D,MAAM,QAAQ,GAAG,CAAC,wBAAwB,EAAE,kBAAkB,CAAC,CAAC;QAEhE,mDAAmD;QACnD,IAAI,CAAC,OAAO,CAAC,UAAU,IAAI,CAAC,OAAO,CAAC,UAAU,EAAE,CAAC;YAC7C,QAAQ,CAAC,IAAI,CAAC,0BAA0B,CAAC,CAAC;QAC9C,CAAC;QAED,MAAM,OAAO,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC;QAExD,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACrB,MAAM,IAAI,mBAAmB,CACzB,4CAA4C,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,EAChE,+CAA+C,EAC/C,sBAAsB,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAC1D,CAAC;QACN,CAAC;IACL,CAAC;IAED;;;;;;KAMC;IACO,iBAAiB,CAAC,OAA+B;QACzD,wDAAwD;QACpD,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;YAClB,OAAO,IAAI,CAAC,mBAAmB,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QACrD,CAAC;QAED,IAAI,OAAO,CAAC,aAAa,EAAE,CAAC;YACxB,OAAO,IAAI,CAAC,mBAAmB,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC;QAC3D,CAAC;QAED,8CAA8C;QAC9C,IAAI,OAAO,CAAC,kBAAkB,EAAE,CAAC;YAC7B,IAAI,CAAC;gBACD,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,kBAAkB,CAAC,CAAC;gBAChD,OAAO,GAAG,CAAC,QAAQ,CAAC;YACxB,CAAC;YAAC,MAAM,CAAC;gBACL,qCAAqC;YACzC,CAAC;QACL,CAAC;QAED,MAAM,IAAI,mBAAmB,CACzB,8BAA8B,EAC9B,6EAA6E,CAChF,CAAC;IACN,CAAC;IAED;;;;;KAKC;IACO,mBAAmB,CAAC,GAAW;QACnC,OAAO,GAAG,CAAC,OAAO,CAAC,cAAc,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IAC9D,CAAC;IAED;;KAEC;IACD,UAAU;QACN,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC;IACtB,CAAC;CACJ;AAtJD,wCAsJC"}

package/dist/lib/utils/config.d.ts

@@ -1,4 +1,6 @@
 export interface Config {
+    quiltStackArn?: string;
+    benchlingSecret?: string;
     quiltCatalog: string;
     quiltUserBucket: string;
     quiltDatabase: string;
@@ -6,6 +8,7 @@ export interface Config {
     benchlingClientId: string;
     benchlingClientSecret: string;
     benchlingAppDefinitionId: string;
+    benchlingSecrets?: string;
     cdkAccount: string;
     cdkRegion: string;
     awsProfile?: string;
@@ -30,6 +33,7 @@ export interface ConfigOptions {
     profile?: string;
     region?: string;
     imageTag?: string;
+    benchlingSecrets?: string;
 }
 export interface ValidationResult {
     valid: boolean;
@@ -50,6 +54,52 @@ export declare function getQuilt3Catalog(): string | undefined;
  * Load .env file and expand variables
  */
 export declare function loadDotenv(filePath: string): Record<string, string>;
+/**
+ * Process benchling-secrets parameter, handling @file.json syntax
+ *
+ * Supports three input formats:
+ * - ARN: `arn:aws:secretsmanager:...` - passed through unchanged
+ * - JSON: `{"client_id":"...","client_secret":"...","tenant":"..."}` - passed through unchanged
+ * - File: `@secrets.json` - reads file content from path after @ symbol
+ *
+ * @param input - The benchling-secrets value (ARN, JSON, or @filepath)
+ * @returns Processed secret string (trimmed)
+ * @throws Error if file not found or not readable
+ *
+ * @example
+ * // Pass through ARN
+ * processBenchlingSecretsInput("arn:aws:secretsmanager:...")
+ * // Returns: "arn:aws:secretsmanager:..."
+ *
+ * @example
+ * // Pass through JSON
+ * processBenchlingSecretsInput('{"client_id":"...","client_secret":"...","tenant":"..."}')
+ * // Returns: '{"client_id":"...","client_secret":"...","tenant":"..."}'
+ *
+ * @example
+ * // Read from file
+ * processBenchlingSecretsInput("@secrets.json")
+ * // Returns: contents of secrets.json (trimmed)
+ */
+export declare function processBenchlingSecretsInput(input: string): string;
+/**
+ * Mask sensitive parts of ARN for display
+ *
+ * Shows region and partial secret name, masks account ID for security.
+ * Account ID is masked as ****XXXX where XXXX are the last 4 digits.
+ *
+ * @param arn - AWS Secrets Manager ARN to mask
+ * @returns Masked ARN string or original input if not valid ARN format
+ *
+ * @example
+ * maskArn("arn:aws:secretsmanager:us-east-1:123456789012:secret:name")
+ * // Returns: "arn:aws:secretsmanager:us-east-1:****9012:secret:name"
+ *
+ * @example
+ * maskArn("not-an-arn")
+ * // Returns: "not-an-arn"
+ */
+export declare function maskArn(arn: string): string;
 /**
  * Load configuration from multiple sources with priority:
  * 1. CLI options (highest)