@shellicar/build-azure-local-settings 1.0.0 → 1.0.1

package/CHANGELOG.md

@@ -0,0 +1,21 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [1.0.1] - 2026-04-15
+
+### Changed
+
+- Updated dependencies to latest versions
+
+## [1.0.0] - 2026-03-11
+
+### Added
+
+- Initial release.
+
+[1.0.1]: https://github.com/shellicar/ecosystem/releases/tag/build-azure-local-settings@1.0.1
+[1.0.0]: https://github.com/shellicar/ecosystem/releases/tag/1.0.0

package/README.md

@@ -1,6 +1,13 @@
 # @shellicar/build-azure-local-settings
 
-> Build plugin that loads Azure `local.settings.json` with Key Vault reference resolution for non-Azure-Functions apps.
+[![npm package](https://img.shields.io/npm/v/@shellicar/build-azure-local-settings.svg)](https://npmjs.com/package/@shellicar/build-azure-local-settings)
+[![build status](https://github.com/shellicar/ecosystem/actions/workflows/node.js.yml/badge.svg)](https://github.com/shellicar/ecosystem/actions/workflows/node.js.yml)
+
+Build plugin that loads Azure `local.settings.json` with [Key Vault reference](https://learn.microsoft.com/en-us/azure/app-service/app-service-key-vault-references) resolution for non-Azure-Functions apps.
+
+- **Loads `local.settings.json`** - Reads values and sets them as `process.env` variables before your app starts
+- **Resolves Key Vault references** - Fetches secrets from Azure Key Vault using `DefaultAzureCredential` (e.g. Azure CLI)
+- **Local development only** - Controlled via the `loadLocalSettings` option, typically tied to watch/dev mode
 
 ## Installation & Quick Start
 
@@ -12,27 +19,45 @@ npm i --save-dev @shellicar/build-azure-local-settings
 pnpm add -D @shellicar/build-azure-local-settings
 ```
 
+### esbuild
+
 ```ts
-// tsup.config.ts
+// build.ts
 import plugin from '@shellicar/build-azure-local-settings/esbuild';
-import { defineConfig } from 'tsup';
+import esbuild from 'esbuild';
 
-export default defineConfig({
-  esbuildPlugins: [
+const watch = process.argv.includes('--watch');
+
+const ctx = await esbuild.context({
+  outdir: 'dist',
+  bundle: true,
+  platform: 'node',
+  format: 'esm',
+  plugins: [
     plugin({
       mainModule: './src/main.ts',
+      loadLocalSettings: watch,
     }),
   ],
 });
+
+if (watch) {
+  await ctx.watch();
+} else {
+  await ctx.rebuild();
+  ctx.dispose();
+}
 ```
 
+### tsup
+
 ```ts
-// build.ts (esbuild)
+// tsup.config.ts
 import plugin from '@shellicar/build-azure-local-settings/esbuild';
+import { defineConfig } from 'tsup';
 
-await build({
-  bundle: true,
-  plugins: [
+export default defineConfig({
+  esbuildPlugins: [
     plugin({
       mainModule: './src/main.ts',
     }),
@@ -40,6 +65,77 @@ await build({
 });
 ```
 
-## Documentation
+## How It Works
+
+The plugin generates a virtual entry point that:
+
+1. Reads `local.settings.json` from the working directory
+2. Resolves any [Key Vault references](https://learn.microsoft.com/en-us/azure/app-service/app-service-key-vault-references) to their secret values
+3. Sets the resolved values as `process.env` variables
+4. Imports and runs your main module
+
+Your application code accesses the values through `process.env` as normal:
+
+```ts
+// src/main.ts
+export default async () => {
+  console.log('Greeting:', process.env.GREETING_MESSAGE);
+};
+```
+
+See [examples](../../examples/build-azure-local-settings) for full working implementations.
+
+<!-- BEGIN_ECOSYSTEM -->
+
+## @shellicar TypeScript Ecosystem
+
+### Core Libraries
+
+- [`@shellicar/core-config`](https://github.com/shellicar/ecosystem/tree/main/packages/core-config) - A library for securely handling sensitive configuration values like connection strings, URLs, and secrets.
+- [`@shellicar/core-di`](https://github.com/shellicar/ecosystem/tree/main/packages/core-di) - A basic dependency injection library.
+
+### Reference Architectures
+
+- [`@shellicar/reference-foundation`](https://github.com/shellicar/reference-foundation) - A comprehensive starter repository. Illustrates individual concepts.
+- [`@shellicar/reference-enterprise`](https://github.com/shellicar/reference-enterprise) - A comprehensive starter repository. Can be used as the basis for creating a new Azure application workload.
+
+### Build Tools
+
+- [`@shellicar/build-azure-local-settings`](https://github.com/shellicar/ecosystem/tree/main/packages/build-azure-local-settings) - Build plugin that loads Azure `local.settings.json` with Key Vault reference resolution.
+- [`@shellicar/build-clean`](https://github.com/shellicar/ecosystem/tree/main/packages/build-clean) - Build plugin that automatically cleans unused files from output directories.
+- [`@shellicar/build-version`](https://github.com/shellicar/ecosystem/tree/main/packages/build-version) - Build plugin that calculates and exposes version information through a virtual module import.
+- [`@shellicar/build-graphql`](https://github.com/shellicar/ecosystem/tree/main/packages/build-graphql) - Build plugin that loads GraphQL files and makes them available through a virtual module import.
+- [`@shellicar/graphql-codegen-treeshake`](https://github.com/shellicar/ecosystem/tree/main/packages/graphql-codegen-treeshake) - A graphql-codegen preset that tree-shakes unused types from TypeScript output.
+
+### Framework
+
+- [`@shellicar/svelte-adapter-azure-functions`](https://github.com/shellicar/ecosystem/tree/main/packages/svelte-adapter-azure-functions) - A [SvelteKit adapter](https://kit.svelte.dev/docs/adapters) that builds your app into an Azure Function.
+- [`@shellicar/cosmos-query-builder`](https://github.com/shellicar/ecosystem/tree/main/packages/cosmos-query-builder) - Helper class for type safe advanced queries for Cosmos DB (Sql Core).
+- [`@shellicar/ui-shadcn`](https://github.com/shellicar/ui-shadcn) - Shared Svelte 5 component library built on shadcn-svelte with Tailwind CSS v4 theming.
+
+### Logging & Monitoring
+
+- [`@shellicar/winston-azure-application-insights`](https://github.com/shellicar/ecosystem/tree/main/packages/winston-azure-application-insights) - An [Azure Application Insights](https://azure.microsoft.com/en-us/services/application-insights/) transport for [Winston](https://github.com/winstonjs/winston) logging library.
+- [`@shellicar/pino-applicationinsights-transport`](https://github.com/shellicar/pino-applicationinsights-transport) - [Azure Application Insights](https://azure.microsoft.com/en-us/services/application-insights) transport for [pino](https://github.com/pinojs/pino)
+
+<!-- END_ECOSYSTEM -->
+
+## Motivation
+
+Azure Functions automatically loads `local.settings.json` and resolves Key Vault references during local development. Azure App Services and other Node.js apps don't have this capability.
+
+This plugin brings that same behaviour to non-Functions apps, so you can:
+
+- Use the same `local.settings.json` config approach across Functions and App Services
+- Commit Key Vault references instead of secrets
+- Set up local dev with just Azure CLI access to Key Vault
+
+## Options
+
+See [types.ts](./src/types.ts) for detailed options documentation.
+
+## Credits
 
-For full documentation, visit [the GitHub repository](https://github.com/shellicar/build-azure-local-settings).
+- [Azure Functions Core Tools](https://github.com/Azure/azure-functions-core-tools) - Key Vault reference resolution logic ported from the .NET source
+- [esbuild](https://github.com/evanw/esbuild)
+- [Azure Key Vault](https://azure.microsoft.com/en-us/products/key-vault)

package/dist/cjs/chunks/StartHostAction-PUOHB3U4.cjs

@@ -0,0 +1,344 @@
+"use strict";Object.defineProperty(exports, "__esModule", {value: true}); function _nullishCoalesce(lhs, rhsFn) { if (lhs != null) { return lhs; } else { return rhsFn(); } } function _optionalChain(ops) { let lastAccessLHS = undefined; let value = ops[0]; let i = 1; while (i < ops.length) { const op = ops[i]; const fn = ops[i + 1]; i += 2; if ((op === 'optionalAccess' || op === 'optionalCall') && value == null) { return undefined; } if (op === 'access' || op === 'optionalAccess') { lastAccessLHS = value; value = fn(value); } else if (op === 'call' || op === 'optionalCall') { value = fn((...args) => value.call(lastAccessLHS, ...args)); lastAccessLHS = undefined; } } return value; } var _class; var _class2; var _class3;
+
+var _chunkX6BO6XFBcjs = require('./chunk-X6BO6XFB.cjs');
+
+// src/local-settings/StartHostAction.ts
+var _nodeprocess = require('node:process');
+
+// src/local-settings/KeyVaultReferencesManager.ts
+var _identity = require('@azure/identity');
+var _keyvaultsecrets = require('@azure/keyvault-secrets');
+
+// src/local-settings/KeyVaultIdentifier.ts
+var KeyVaultIdentifier = (_class = class _KeyVaultIdentifier {
+  static {
+    _chunkX6BO6XFBcjs.__name.call(void 0, this, "KeyVaultIdentifier");
+  }
+  static __initStatic() {this.SecretsCollection = "secrets"}
+  static __initStatic2() {this.KeysCollection = "keys"}
+  static __initStatic3() {this.CertificatesCollection = "certificates"}
+  
+  
+  
+  
+  
+  constructor() {
+    this.id = new URL("http://localhost");
+    this.vaultUri = new URL("http://localhost");
+    this.name = "";
+    this.collection = "";
+    this.version = null;
+  }
+  static parse(id) {
+    if (id === null || id === void 0) {
+      throw new Error("id cannot be null");
+    }
+    const result = _KeyVaultIdentifier.tryParse(id);
+    if (!result.success) {
+      throw new Error(`Invalid ObjectIdentifier: ${id}. Bad number of segments: ${id.pathname.split("/").length}`);
+    }
+    return result.identifier;
+  }
+  static parseWithCollection(id, collection) {
+    const identifier = _KeyVaultIdentifier.parse(id);
+    if (identifier.collection.toLowerCase() !== collection.toLowerCase()) {
+      throw new Error(`Invalid ObjectIdentifier: ${id}. segment [1] should be '${collection}/', found '${identifier.collection}'`);
+    }
+    return identifier;
+  }
+  static tryParse(id) {
+    if (id === null) {
+      return { success: false };
+    }
+    const segments = id.pathname.split("/");
+    if (segments.length !== 3 && segments.length !== 4) {
+      return { success: false };
+    }
+    const identifier = new _KeyVaultIdentifier();
+    identifier.id = id;
+    identifier.vaultUri = new URL(`${id.protocol}//${id.host}`);
+    identifier.collection = segments[1].replace(/\/$/, "");
+    identifier.name = segments[2].replace(/\/$/, "");
+    identifier.version = segments.length === 4 ? segments[3].replace(/\/$/, "") : null;
+    return { success: true, identifier };
+  }
+}, _class.__initStatic(), _class.__initStatic2(), _class.__initStatic3(), _class);
+
+// src/local-settings/KeyVaultSecretIdentifier.ts
+var KeyVaultSecretIdentifier = class {
+  static {
+    _chunkX6BO6XFBcjs.__name.call(void 0, this, "KeyVaultSecretIdentifier");
+  }
+  /**
+   * Gets the source URL passed to KeyVaultSecretIdentifier constructor.
+   */
+  
+  /**
+   * Gets the URL of the Key Vault.
+   */
+  
+  /**
+   * Gets the name of the secret.
+   */
+  
+  /**
+   * Gets the optional version of the secret.
+   */
+  
+  /**
+   * Creates a new instance of the KeyVaultSecretIdentifier class.
+   * @param id The URL to a secret or deleted secret.
+   * @throws Error if id is not a valid Key Vault secret ID.
+   */
+  constructor(id) {
+    if (id === null || id === void 0) {
+      throw new Error("id cannot be null");
+    }
+    const result = KeyVaultIdentifier.tryParse(id);
+    if (result.success && result.identifier) {
+      this.sourceId = id;
+      this.vaultUri = result.identifier.vaultUri;
+      this.name = result.identifier.name;
+      this.version = result.identifier.version;
+    } else {
+      throw new Error(`${id} is not a valid secret ID`);
+    }
+  }
+};
+
+// src/local-settings/KeyVaultReferencesManager.ts
+var KeyVaultReferencesManager = (_class2 = class _KeyVaultReferencesManager {constructor() { _class2.prototype.__init.call(this);_class2.prototype.__init2.call(this); }
+  static {
+    _chunkX6BO6XFBcjs.__name.call(void 0, this, "KeyVaultReferencesManager");
+  }
+  static __initStatic4() {this.VaultUriSuffix = "vault.azure.net"}
+  static __initStatic5() {this._basicKeyVaultReferenceRegex = /^@Microsoft\.KeyVault\((?<ReferenceString>.*)\)$/}
+  __init() {this._clients = /* @__PURE__ */ new Map()}
+  __init2() {this._credential = new (0, _identity.DefaultAzureCredential)()}
+  // CodeQL [SM05137] This is never deployed to production, only used in CLI context in a local dev environment.
+  async resolveKeyVaultReferences(settings) {
+    const keys = Object.keys(settings);
+    for (const key of keys) {
+      try {
+        const keyVaultValue = await this.getSecretValue(key, settings[key]);
+        if (keyVaultValue != null) {
+          settings[key] = keyVaultValue;
+        }
+      } catch (e) {
+      }
+    }
+  }
+  async getSecretValue(key, value) {
+    const result = this.parseSecret(key, value);
+    if (result != null) {
+      const client = this.getSecretClient(result.uri);
+      const secret = await client.getSecret(result.name, result.version ? { version: result.version } : void 0);
+      return secret.value;
+    }
+    return null;
+  }
+  parseSecret(key, value) {
+    if (value == null) {
+      return null;
+    }
+    const keyVaultReferenceMatch = _KeyVaultReferencesManager._basicKeyVaultReferenceRegex.exec(value);
+    if (_optionalChain([keyVaultReferenceMatch, 'optionalAccess', _ => _.groups])) {
+      const referenceString = keyVaultReferenceMatch.groups["ReferenceString"];
+      let result = null;
+      try {
+        if (referenceString != null) {
+          result = this.parseVaultReference(referenceString);
+        }
+      } catch (e2) {
+      }
+      if (result == null) {
+        console.warn(`Unable to parse the Key Vault reference for setting: ${key}`);
+      }
+      return result;
+    }
+    return null;
+  }
+  parseVaultReference(vaultReference) {
+    const secretUriString = this.getValueFromVaultReference("SecretUri", vaultReference);
+    if (secretUriString && secretUriString.length > 0) {
+      const secretUri = new URL(secretUriString);
+      const secretIdentifier = new KeyVaultSecretIdentifier(secretUri);
+      return new _KeyVaultReferencesManager.ParseSecretResult(secretIdentifier.vaultUri, secretIdentifier.name, secretIdentifier.version);
+    }
+    const vaultName = this.getValueFromVaultReference("VaultName", vaultReference);
+    const secretName = this.getValueFromVaultReference("SecretName", vaultReference);
+    const version = this.getValueFromVaultReference("SecretVersion", vaultReference);
+    if (vaultName && vaultName.length > 0 && secretName && secretName.length > 0) {
+      return new _KeyVaultReferencesManager.ParseSecretResult(new URL(`https://${vaultName}.${_KeyVaultReferencesManager.VaultUriSuffix}`), secretName, version);
+    }
+    return null;
+  }
+  getValueFromVaultReference(key, vaultReference) {
+    const regex = new RegExp(key + "=(?<Value>[^;]+)(;|$)");
+    const match = regex.exec(vaultReference);
+    if (_optionalChain([match, 'optionalAccess', _2 => _2.groups])) {
+      return _nullishCoalesce(match.groups["Value"], () => ( null));
+    }
+    return null;
+  }
+  getSecretClient(vaultUri) {
+    const uriString = vaultUri.toString();
+    let client = this._clients.get(uriString);
+    if (!client) {
+      client = new (0, _keyvaultsecrets.SecretClient)(uriString, this._credential);
+      this._clients.set(uriString, client);
+    }
+    return client;
+  }
+}, _class2.__initStatic4(), _class2.__initStatic5(), _class2);
+((KeyVaultReferencesManager2) => {
+  class ParseSecretResult {
+    static {
+      _chunkX6BO6XFBcjs.__name.call(void 0, this, "ParseSecretResult");
+    }
+    
+    
+    
+    constructor(uri, name, version) {
+      this.uri = uri;
+      this.name = name;
+      this.version = version;
+    }
+  }
+  KeyVaultReferencesManager2.ParseSecretResult = ParseSecretResult;
+})(KeyVaultReferencesManager || (KeyVaultReferencesManager = {}));
+
+// src/local-settings/SecretsManager.ts
+var _nodepath = require('node:path');
+
+// src/local-settings/AppSettingsFile.ts
+var _nodefs = require('node:fs');
+var AppSettingsFile = class {
+  constructor(filePath) {
+    this.filePath = filePath;
+    this.values = {};
+    this.connectionStrings = {};
+    this.isEncrypted = true;
+    try {
+      const content = _nodefs.readFileSync.call(void 0, this.filePath, "utf8");
+      const appSettings = JSON.parse(content);
+      this.isEncrypted = _nullishCoalesce(appSettings.IsEncrypted, () => ( true));
+      this.values = _nullishCoalesce(appSettings.Values, () => ( {}));
+      this.connectionStrings = _nullishCoalesce(appSettings.ConnectionStrings, () => ( {}));
+      this.host = _nullishCoalesce(appSettings.Host, () => ( {}));
+    } catch (ex) {
+      console.warn(`Failed to read app settings file at '${this.filePath}'. Ensure it is a valid JSON file.`, ex);
+      this.values = {};
+      this.connectionStrings = {};
+      this.isEncrypted = true;
+    }
+  }
+  
+  static {
+    _chunkX6BO6XFBcjs.__name.call(void 0, this, "AppSettingsFile");
+  }
+  
+  
+  
+  
+  getValues() {
+    if (this.isEncrypted) {
+      throw new Error("Encrypted settings are not supported in this TypeScript port.");
+    }
+    return { ...this.values };
+  }
+  getConnectionStrings() {
+    return [];
+  }
+};
+
+// src/local-settings/SecretsManager.ts
+var SecretsManager = (_class3 = class _SecretsManager {
+  static {
+    _chunkX6BO6XFBcjs.__name.call(void 0, this, "SecretsManager");
+  }
+  static __initStatic6() {this._lazySettings = null}
+  static get Settings() {
+    if (!_SecretsManager._lazySettings) {
+      _SecretsManager._lazySettings = new AppSettingsFile(_SecretsManager.AppSettingsFilePath);
+    }
+    return _SecretsManager._lazySettings;
+  }
+  static get AppSettingsFilePath() {
+    const secretsFile = "local.settings.json";
+    const rootPath = process.cwd();
+    const secretsFilePath = _nodepath.join.call(void 0, rootPath, secretsFile);
+    console.log(`'${secretsFile}' found in root directory (${rootPath}).`);
+    return secretsFilePath;
+  }
+  static get AppSettingsFileName() {
+    return "local.settings.json";
+  }
+  getSecrets(refreshSecrets = false) {
+    if (refreshSecrets) {
+      return new AppSettingsFile(_SecretsManager.AppSettingsFilePath).getValues();
+    }
+    return _SecretsManager.Settings.getValues();
+  }
+  getConnectionStrings() {
+    return _SecretsManager.Settings.getConnectionStrings();
+  }
+}, _class3.__initStatic6(), _class3);
+
+// src/local-settings/StartHostAction.ts
+var StartHostAction = class {
+  static {
+    _chunkX6BO6XFBcjs.__name.call(void 0, this, "StartHostAction");
+  }
+  
+  
+  constructor() {
+    this._secretsManager = new SecretsManager();
+    this._keyVaultReferencesManager = new KeyVaultReferencesManager();
+  }
+  async buildWebHost() {
+    const settings = await this.getConfigurationSettings("", new URL("http://localhost:7071"));
+    await this._keyVaultReferencesManager.resolveKeyVaultReferences(settings);
+    this.updateEnvironmentVariables(settings);
+  }
+  async getConfigurationSettings(scriptPath, uri) {
+    const settings = this._secretsManager.getSecrets();
+    settings["WebsiteHostname"] = uri.host;
+    const connectionStrings = this._secretsManager.getConnectionStrings();
+    for (const connectionString of connectionStrings) {
+      settings[`ConnectionStrings:${connectionString.name}`] = connectionString.value;
+    }
+    settings["AzureWebJobsScriptRoot"] = scriptPath;
+    const environment = {};
+    for (const [key, value] of Object.entries(_nodeprocess.env)) {
+      if (typeof value === "string") {
+        environment[key] = value;
+      }
+    }
+    if (settings["AZURE_FUNCTIONS_ENVIRONMENT"]) {
+      const oldValue = settings["AZURE_FUNCTIONS_ENVIRONMENT"];
+      console.warn(`AZURE_FUNCTIONS_ENVIRONMENT already exists with value '${oldValue}', overriding to 'Development'.`);
+    }
+    settings["AZURE_FUNCTIONS_ENVIRONMENT"] = "Development";
+    return settings;
+  }
+  updateEnvironmentVariables(secrets) {
+    for (const [key, value] of Object.entries(secrets)) {
+      if (!key) {
+        console.warn("Skipping local setting with empty key.");
+      } else if (_nodeprocess.env[key] !== void 0) {
+        console.warn(`Skipping '${key}' from local settings as it's already defined in current environment variables.`);
+      } else if (value) {
+        _nodeprocess.env[key] = value;
+      } else if (value === "") {
+        _nodeprocess.env[key] = "";
+      } else {
+        console.warn(`Skipping '${key}' because value is null`);
+      }
+    }
+  }
+};
+
+
+exports.StartHostAction = StartHostAction;
+//# sourceMappingURL=StartHostAction-PUOHB3U4.cjs.map

package/dist/cjs/chunks/StartHostAction-PUOHB3U4.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["/home/runner/work/ecosystem/ecosystem/packages/build-azure-local-settings/dist/cjs/chunks/StartHostAction-PUOHB3U4.cjs","../../../src/local-settings/StartHostAction.ts","../../../src/local-settings/KeyVaultReferencesManager.ts","../../../src/local-settings/KeyVaultIdentifier.ts","../../../src/local-settings/KeyVaultSecretIdentifier.ts","../../../src/local-settings/SecretsManager.ts","../../../src/local-settings/AppSettingsFile.ts"],"names":[],"mappings":"AAAA;AACE;AACF,wDAA6B;AAC7B;AACA;ACCA,2CAAoB;ADCpB;AACA;AECA,2CAA6D;AAC7D,0DAA6B;AFC7B;AACA;AGFO,IAAM,mBAAA,YAAN,MAAM,oBAAmB;AAAA,EAThC,OASgC;AAAA,IAAA,sCAAA,IAAA,EAAA,oBAAA,CAAA;AAAA,EAAA;AAAA,EAC9B,4BAAuB,kBAAA,EAAoB,UAAA;AAAA,EAC3C,6BAAuB,eAAA,EAAiB,OAAA;AAAA,EACxC,6BAAuB,uBAAA,EAAyB,eAAA;AAAA,EAEzC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EAEP,WAAA,CAAA,EAAc;AAEZ,IAAA,IAAA,CAAK,GAAA,EAAK,IAAI,GAAA,CAAI,kBAAkB,CAAA;AACpC,IAAA,IAAA,CAAK,SAAA,EAAW,IAAI,GAAA,CAAI,kBAAkB,CAAA;AAC1C,IAAA,IAAA,CAAK,KAAA,EAAO,EAAA;AACZ,IAAA,IAAA,CAAK,WAAA,EAAa,EAAA;AAClB,IAAA,IAAA,CAAK,QAAA,EAAU,IAAA;AAAA,EACjB;AAAA,EAEA,OAAc,KAAA,CAAM,EAAA,EAA6B;AAC/C,IAAA,GAAA,CAAI,GAAA,IAAO,KAAA,GAAQ,GAAA,IAAO,KAAA,CAAA,EAAW;AACnC,MAAA,MAAM,IAAI,KAAA,CAAM,mBAAmB,CAAA;AAAA,IACrC;AAEA,IAAA,MAAM,OAAA,EAAS,mBAAA,CAAmB,QAAA,CAAS,EAAE,CAAA;AAC7C,IAAA,GAAA,CAAI,CAAC,MAAA,CAAO,OAAA,EAAS;AACnB,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,0BAAA,EAA6B,EAAE,CAAA,0BAAA,EAA6B,EAAA,CAAG,QAAA,CAAS,KAAA,CAAM,GAAG,CAAA,CAAE,MAAM,CAAA,CAAA;AAC3G,IAAA;AAEc,IAAA;AAChB,EAAA;AAEmF,EAAA;AACnC,IAAA;AACwB,IAAA;AAC+B,MAAA;AACrG,IAAA;AACO,IAAA;AACT,EAAA;AAE8F,EAAA;AAC3E,IAAA;AACS,MAAA;AAC1B,IAAA;AAGsC,IAAA;AACc,IAAA;AAC1B,MAAA;AAC1B,IAAA;AAE0C,IAAA;AAC1B,IAAA;AAC0C,IAAA;AAEJ,IAAA;AAEN,IAAA;AAE+B,IAAA;AAE5C,IAAA;AACrC,EAAA;AACF;AHRgH;AACA;AIpD1E;AAAA,EAAA;AAAA,IAAA;AAAA,EAAA;AAAA;AAAA;AAAA;AAI7B,EAAA;AAAA;AAAA;AAAA;AAKA,EAAA;AAAA;AAAA;AAAA;AAKA,EAAA;AAAA;AAAA;AAAA;AAKA,EAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAOqB,EAAA;AACW,IAAA;AACA,MAAA;AACrC,IAAA;AAE6C,IAAA;AACJ,IAAA;AACvB,MAAA;AACkB,MAAA;AACJ,MAAA;AACG,MAAA;AAC5B,IAAA;AAC2C,MAAA;AAClD,IAAA;AACF,EAAA;AACF;AJoDgH;AACA;AEhGzE;AAAA,EAAA;AAAA,IAAA;AAAA,EAAA;AACI,EAAA;AACc,EAAA;AAEG,iBAAA;AACiB,kBAAA;AAAA;AAE4B,EAAA;AACpE,IAAA;AAET,IAAA;AAClB,MAAA;AACgE,QAAA;AACvC,QAAA;AACT,UAAA;AAClB,QAAA;AACM,MAAA;AAAC,MAAA;AACX,IAAA;AACF,EAAA;AAE6F,EAAA;AACjD,IAAA;AAEtB,IAAA;AAC4B,MAAA;AAC6D,MAAA;AAE7F,MAAA;AAChB,IAAA;AAEO,IAAA;AACT,EAAA;AAE+G,EAAA;AAK1F,IAAA;AACV,MAAA;AACT,IAAA;AAGgG,IAAA;AAC5D,IAAA;AACqC,MAAA;AACN,MAAA;AAC7D,MAAA;AAC2B,QAAA;AACsB,UAAA;AACnD,QAAA;AACM,MAAA;AAER,MAAA;AAIoB,MAAA;AACwD,QAAA;AAC5E,MAAA;AAEO,MAAA;AACT,IAAA;AAEO,IAAA;AACT,EAAA;AAEuG,EAAA;AAClB,IAAA;AAChC,IAAA;AACR,MAAA;AACsB,MAAA;AAC0C,MAAA;AAC3G,IAAA;AAE6E,IAAA;AACE,IAAA;AACA,IAAA;AACD,IAAA;AACW,MAAA;AACzF,IAAA;AAEO,IAAA;AACT,EAAA;AAEsF,EAAA;AAC9B,IAAA;AACf,IAAA;AACpB,IAAA;AACe,MAAA;AAClC,IAAA;AAEO,IAAA;AACT,EAAA;AAEqD,EAAA;AACf,IAAA;AACI,IAAA;AAC3B,IAAA;AAC0C,MAAA;AAClB,MAAA;AACrC,IAAA;AACO,IAAA;AACT,EAAA;AACF;AAEO;AAC0B,EAAA;AAAA,IAAA;AAAA,MAAA;AAAA,IAAA;AACtB,IAAA;AACA,IAAA;AACA,IAAA;AAEqD,IAAA;AAC/C,MAAA;AACC,MAAA;AACG,MAAA;AACjB,IAAA;AACF,EAAA;AAVa,EAAA;AADE;AF2F+F;AACA;AK7M3F;AL+M2F;AACA;AMhNnF;AASA;AAMW,EAAA;AAAlB,IAAA;AACH,IAAA;AACW,IAAA;AACP,IAAA;AAEf,IAAA;AACgD,MAAA;AACO,MAAA;AAEX,MAAA;AACT,MAAA;AACsB,MAAA;AAC1B,MAAA;AACtB,IAAA;AAC+F,MAAA;AAC3F,MAAA;AACW,MAAA;AACP,MAAA;AACrB,IAAA;AACF,EAAA;AAnBoB,EAAA;AANO,EAAA;AAAA,IAAA;AAAA,EAAA;AACpB,EAAA;AACA,EAAA;AACA,EAAA;AACA,EAAA;AAuBoC,EAAA;AACnB,IAAA;AAC2D,MAAA;AACjF,IAAA;AACwB,IAAA;AAC1B,EAAA;AAEqC,EAAA;AAC3B,IAAA;AACV,EAAA;AACF;AN0MgH;AACA;AKtPpF;AAAA,EAAA;AAAA,IAAA;AAAA,EAAA;AAC6B,EAAA;AAER,EAAA;AACV,IAAA;AACoD,MAAA;AACvF,IAAA;AACsB,IAAA;AACxB,EAAA;AAEgD,EAAA;AAC1B,IAAA;AACS,IAAA;AACqB,IAAA;AAEmB,IAAA;AAC9D,IAAA;AACT,EAAA;AAEgD,EAAA;AACvC,IAAA;AACT,EAAA;AAEkE,EAAA;AAC5C,IAAA;AACuD,MAAA;AAC3E,IAAA;AAEyC,IAAA;AAC3C,EAAA;AAEqC,EAAA;AACiB,IAAA;AACtD,EAAA;AACF;ALoPgH;AACA;ACtRnF;AAAA,EAAA;AAAA,IAAA;AAAA,EAAA;AACV,EAAA;AACA,EAAA;AAEH,EAAA;AAC8B,IAAA;AACsB,IAAA;AAClE,EAAA;AAE2C,EAAA;AACgD,IAAA;AACjB,IAAA;AAChC,IAAA;AAC1C,EAAA;AAEsG,EAAA;AACnD,IAAA;AACf,IAAA;AAEkC,IAAA;AAClB,IAAA;AAC0B,MAAA;AAC5E,IAAA;AACqC,IAAA;AAEQ,IAAA;AACG,IAAA;AACf,MAAA;AACV,QAAA;AACrB,MAAA;AACF,IAAA;AAE6C,IAAA;AACY,MAAA;AACwB,MAAA;AACjF,IAAA;AAE0C,IAAA;AAEnC,IAAA;AACT,EAAA;AAE0E,EAAA;AACpB,IAAA;AACxC,MAAA;AAC6C,QAAA;AACpB,MAAA;AACJ,QAAA;AACb,MAAA;AACL,QAAA;AACY,MAAA;AACZ,QAAA;AACN,MAAA;AACiD,QAAA;AACxD,MAAA;AACF,IAAA;AACF,EAAA;AACF;ADkRgH;AACA;AACA","file":"/home/runner/work/ecosystem/ecosystem/packages/build-azure-local-settings/dist/cjs/chunks/StartHostAction-PUOHB3U4.cjs","sourcesContent":[null,"/**\n * Port of StartHostAction from Azure Functions Core Tools (partial)\n * @see https://github.com/Azure/azure-functions-core-tools/blob/b367a5155d7bf299c4719dc37051082ae8ddebaf/src/Cli/func/Actions/HostActions/StartHostAction.cs\n */\n\nimport { env } from 'node:process';\nimport { KeyVaultReferencesManager } from './KeyVaultReferencesManager';\nimport { SecretsManager } from './SecretsManager';\n\nexport class StartHostAction {\n  private readonly _secretsManager: SecretsManager;\n  private readonly _keyVaultReferencesManager: KeyVaultReferencesManager;\n\n  constructor() {\n    this._secretsManager = new SecretsManager();\n    this._keyVaultReferencesManager = new KeyVaultReferencesManager();\n  }\n\n  public async buildWebHost(): Promise<void> {\n    const settings = await this.getConfigurationSettings('', new URL('http://localhost:7071'));\n    await this._keyVaultReferencesManager.resolveKeyVaultReferences(settings);\n    this.updateEnvironmentVariables(settings);\n  }\n\n  private async getConfigurationSettings(scriptPath: string, uri: URL): Promise<Record<string, string>> {\n    const settings = this._secretsManager.getSecrets();\n    settings['WebsiteHostname'] = uri.host;\n\n    const connectionStrings = this._secretsManager.getConnectionStrings();\n    for (const connectionString of connectionStrings) {\n      settings[`ConnectionStrings:${connectionString.name}`] = connectionString.value;\n    }\n    settings['AzureWebJobsScriptRoot'] = scriptPath;\n\n    const environment: Record<string, string> = {};\n    for (const [key, value] of Object.entries(env)) {\n      if (typeof value === 'string') {\n        environment[key] = value;\n      }\n    }\n\n    if (settings['AZURE_FUNCTIONS_ENVIRONMENT']) {\n      const oldValue = settings['AZURE_FUNCTIONS_ENVIRONMENT'];\n      console.warn(`AZURE_FUNCTIONS_ENVIRONMENT already exists with value '${oldValue}', overriding to 'Development'.`);\n    }\n\n    settings['AZURE_FUNCTIONS_ENVIRONMENT'] = 'Development';\n\n    return settings;\n  }\n\n  private updateEnvironmentVariables(secrets: Record<string, string>): void {\n    for (const [key, value] of Object.entries(secrets)) {\n      if (!key) {\n        console.warn('Skipping local setting with empty key.');\n      } else if (env[key] !== undefined) {\n        console.warn(`Skipping '${key}' from local settings as it's already defined in current environment variables.`);\n      } else if (value) {\n        env[key] = value;\n      } else if (value === '') {\n        env[key] = '';\n      } else {\n        console.warn(`Skipping '${key}' because value is null`);\n      }\n    }\n  }\n}\n","/**\n * Port of azure-functions-core-tools reading from local.settings.json\n * @see https://github.com/Azure/azure-functions-core-tools/blob/b367a5155d7bf299c4719dc37051082ae8ddebaf/src/Cli/func/Common/KeyVaultReferencesManager.cs\n */\n\n// Copyright (c) .NET Foundation. All rights reserved.\n// Licensed under the MIT License. See LICENSE in the project root for license information.\n\nimport { DefaultAzureCredential, type TokenCredential } from '@azure/identity';\nimport { SecretClient } from '@azure/keyvault-secrets';\nimport { KeyVaultSecretIdentifier } from './KeyVaultSecretIdentifier';\n\nexport class KeyVaultReferencesManager {\n  private static readonly VaultUriSuffix = 'vault.azure.net';\n  private static readonly _basicKeyVaultReferenceRegex = /^@Microsoft\\.KeyVault\\((?<ReferenceString>.*)\\)$/;\n\n  private readonly _clients = new Map<string, SecretClient>();\n  private readonly _credential: TokenCredential = new DefaultAzureCredential(); // CodeQL [SM05137] This is never deployed to production, only used in CLI context in a local dev environment.\n\n  public async resolveKeyVaultReferences(settings: { [key: string]: string | undefined }): Promise<void> {\n    const keys = Object.keys(settings);\n\n    for (const key of keys) {\n      try {\n        const keyVaultValue = await this.getSecretValue(key, settings[key]);\n        if (keyVaultValue != null) {\n          settings[key] = keyVaultValue;\n        }\n      } catch {}\n    }\n  }\n\n  private async getSecretValue(key: string, value: string | undefined): Promise<string | null> {\n    const result = this.parseSecret(key, value);\n\n    if (result != null) {\n      const client = this.getSecretClient(result.uri);\n      const secret = await client.getSecret(result.name, result.version ? { version: result.version } : undefined);\n      // biome-ignore lint/style/noNonNullAssertion: Key Vault SDK types value as optional but a successfully retrieved secret always has a value in local dev context\n      return secret.value!;\n    }\n\n    return null;\n  }\n\n  public parseSecret(key: string, value: string | undefined): KeyVaultReferencesManager.ParseSecretResult | null {\n    // If the value is null, then we return nothing, as the subsequent call to\n    // UpdateEnvironmentVariables(settings) will log to the user that the setting\n    // is skipped. We check here, because Regex.Match throws when supplied with a\n    // null value.\n    if (value == null) {\n      return null;\n    }\n\n    // Determine if the secret value is attempting to use a key vault reference\n    const keyVaultReferenceMatch = KeyVaultReferencesManager._basicKeyVaultReferenceRegex.exec(value);\n    if (keyVaultReferenceMatch?.groups) {\n      const referenceString = keyVaultReferenceMatch.groups['ReferenceString'];\n      let result: KeyVaultReferencesManager.ParseSecretResult | null = null;\n      try {\n        if (referenceString != null) {\n          result = this.parseVaultReference(referenceString);\n        }\n      } catch {\n        // ignore and show warning below\n      }\n\n      // If we detect that a key vault reference was attempted, but did not match any of\n      // the supported formats, we write a warning to the console.\n      if (result == null) {\n        console.warn(`Unable to parse the Key Vault reference for setting: ${key}`);\n      }\n\n      return result;\n    }\n\n    return null;\n  }\n\n  public parseVaultReference(vaultReference: string): KeyVaultReferencesManager.ParseSecretResult | null {\n    const secretUriString = this.getValueFromVaultReference('SecretUri', vaultReference);\n    if (secretUriString && secretUriString.length > 0) {\n      const secretUri = new URL(secretUriString);\n      const secretIdentifier = new KeyVaultSecretIdentifier(secretUri);\n      return new KeyVaultReferencesManager.ParseSecretResult(secretIdentifier.vaultUri, secretIdentifier.name, secretIdentifier.version);\n    }\n\n    const vaultName = this.getValueFromVaultReference('VaultName', vaultReference);\n    const secretName = this.getValueFromVaultReference('SecretName', vaultReference);\n    const version = this.getValueFromVaultReference('SecretVersion', vaultReference);\n    if (vaultName && vaultName.length > 0 && secretName && secretName.length > 0) {\n      return new KeyVaultReferencesManager.ParseSecretResult(new URL(`https://${vaultName}.${KeyVaultReferencesManager.VaultUriSuffix}`), secretName, version);\n    }\n\n    return null;\n  }\n\n  public getValueFromVaultReference(key: string, vaultReference: string): string | null {\n    const regex = new RegExp(key + '=(?<Value>[^;]+)(;|$)');\n    const match = regex.exec(vaultReference);\n    if (match?.groups) {\n      return match.groups['Value'] ?? null;\n    }\n\n    return null;\n  }\n\n  private getSecretClient(vaultUri: URL): SecretClient {\n    const uriString = vaultUri.toString();\n    let client = this._clients.get(uriString);\n    if (!client) {\n      client = new SecretClient(uriString, this._credential);\n      this._clients.set(uriString, client);\n    }\n    return client;\n  }\n}\n\nexport namespace KeyVaultReferencesManager {\n  export class ParseSecretResult {\n    public uri: URL;\n    public name: string;\n    public version: string | null;\n\n    constructor(uri: URL, name: string, version: string | null) {\n      this.uri = uri;\n      this.name = name;\n      this.version = version;\n    }\n  }\n}\n","/**\n * Port of KeyVaultIdentifier from Azure SDK for .NET\n * @see https://github.com/Azure/azure-sdk-for-net/blob/3dad5181b332bf12d5298810f73347ee1bc9980b/sdk/keyvault/Azure.Security.KeyVault.Shared/src/KeyVaultIdentifier.cs\n */\n\n// Copyright (c) Microsoft Corporation. All rights reserved.\n// Licensed under the MIT License.\n\n// Ported from sdk/keyvault/Azure.Security.KeyVault.Shared/src/KeyVaultIdentifier.cs\nexport class KeyVaultIdentifier {\n  public static readonly SecretsCollection = 'secrets';\n  public static readonly KeysCollection = 'keys';\n  public static readonly CertificatesCollection = 'certificates';\n\n  public id: URL;\n  public vaultUri: URL;\n  public name: string;\n  public collection: string;\n  public version: string | null;\n\n  constructor() {\n    // Initialize with defaults - will be set by static methods\n    this.id = new URL('http://localhost');\n    this.vaultUri = new URL('http://localhost');\n    this.name = '';\n    this.collection = '';\n    this.version = null;\n  }\n\n  public static parse(id: URL): KeyVaultIdentifier {\n    if (id === null || id === undefined) {\n      throw new Error('id cannot be null');\n    }\n\n    const result = KeyVaultIdentifier.tryParse(id);\n    if (!result.success) {\n      throw new Error(`Invalid ObjectIdentifier: ${id}. Bad number of segments: ${id.pathname.split('/').length}`);\n    }\n    // biome-ignore lint/style/noNonNullAssertion: tryParse sets identifier when success is true, guarded by the throw above\n    return result.identifier!;\n  }\n\n  public static parseWithCollection(id: URL, collection: string): KeyVaultIdentifier {\n    const identifier = KeyVaultIdentifier.parse(id);\n    if (identifier.collection.toLowerCase() !== collection.toLowerCase()) {\n      throw new Error(`Invalid ObjectIdentifier: ${id}. segment [1] should be '${collection}/', found '${identifier.collection}'`);\n    }\n    return identifier;\n  }\n\n  public static tryParse(id: URL | null): { success: boolean; identifier?: KeyVaultIdentifier } {\n    if (id === null) {\n      return { success: false };\n    }\n\n    // We expect an identifier with either 3 or 4 segments: host + collection + name [+ version]\n    const segments = id.pathname.split('/');\n    if (segments.length !== 3 && segments.length !== 4) {\n      return { success: false };\n    }\n\n    const identifier = new KeyVaultIdentifier();\n    identifier.id = id;\n    identifier.vaultUri = new URL(`${id.protocol}//${id.host}`);\n    // biome-ignore lint/style/noNonNullAssertion: length check above guarantees segments[1..3] exist\n    identifier.collection = segments[1]!.replace(/\\/$/, ''); // Trim '/'\n    // biome-ignore lint/style/noNonNullAssertion: length check above guarantees segments[1..3] exist\n    identifier.name = segments[2]!.replace(/\\/$/, ''); // Trim '/'\n    // biome-ignore lint/style/noNonNullAssertion: length check above guarantees segments[3] exists when length is 4\n    identifier.version = segments.length === 4 ? segments[3]!.replace(/\\/$/, '') : null; // TrimEnd '/'\n\n    return { success: true, identifier };\n  }\n}\n","/**\n * Port of KeyVaultSecretIdentifier from Azure SDK for .NET\n * @see https://github.com/Azure/azure-sdk-for-net/blob/3dad5181b332bf12d5298810f73347ee1bc9980b/sdk/keyvault/Azure.Security.KeyVault.Secrets/src/KeyVaultSecretIdentifier.cs\n */\n\n// Copyright (c) Microsoft Corporation. All rights reserved.\n// Licensed under the MIT License.\n\nimport { KeyVaultIdentifier } from './KeyVaultIdentifier';\n\n/**\n * Information about a KeyVault Secret parsed from a URL.\n * You can use this information when calling methods of a SecretClient.\n */\nexport class KeyVaultSecretIdentifier {\n  /**\n   * Gets the source URL passed to KeyVaultSecretIdentifier constructor.\n   */\n  public sourceId: URL;\n\n  /**\n   * Gets the URL of the Key Vault.\n   */\n  public vaultUri: URL;\n\n  /**\n   * Gets the name of the secret.\n   */\n  public name: string;\n\n  /**\n   * Gets the optional version of the secret.\n   */\n  public version: string | null;\n\n  /**\n   * Creates a new instance of the KeyVaultSecretIdentifier class.\n   * @param id The URL to a secret or deleted secret.\n   * @throws Error if id is not a valid Key Vault secret ID.\n   */\n  public constructor(id: URL) {\n    if (id === null || id === undefined) {\n      throw new Error('id cannot be null');\n    }\n\n    const result = KeyVaultIdentifier.tryParse(id);\n    if (result.success && result.identifier) {\n      this.sourceId = id;\n      this.vaultUri = result.identifier.vaultUri;\n      this.name = result.identifier.name;\n      this.version = result.identifier.version;\n    } else {\n      throw new Error(`${id} is not a valid secret ID`);\n    }\n  }\n}\n","/**\n * Port of SecretsManager from Azure Functions Core Tools\n * @see https://github.com/Azure/azure-functions-core-tools/blob/b367a5155d7bf299c4719dc37051082ae8ddebaf/src/Cli/func/Common/SecretsManager.cs\n */\n\nimport { join } from 'node:path';\nimport { AppSettingsFile } from './AppSettingsFile';\n\nexport class SecretsManager {\n  private static _lazySettings: AppSettingsFile | null = null;\n\n  private static get Settings(): AppSettingsFile {\n    if (!SecretsManager._lazySettings) {\n      SecretsManager._lazySettings = new AppSettingsFile(SecretsManager.AppSettingsFilePath);\n    }\n    return SecretsManager._lazySettings;\n  }\n\n  public static get AppSettingsFilePath(): string {\n    const secretsFile = 'local.settings.json';\n    const rootPath = process.cwd();\n    const secretsFilePath = join(rootPath, secretsFile);\n\n    console.log(`'${secretsFile}' found in root directory (${rootPath}).`);\n    return secretsFilePath;\n  }\n\n  public static get AppSettingsFileName(): string {\n    return 'local.settings.json';\n  }\n\n  public getSecrets(refreshSecrets = false): Record<string, string> {\n    if (refreshSecrets) {\n      return new AppSettingsFile(SecretsManager.AppSettingsFilePath).getValues();\n    }\n\n    return SecretsManager.Settings.getValues();\n  }\n\n  public getConnectionStrings(): any[] {\n    return SecretsManager.Settings.getConnectionStrings();\n  }\n}\n","/**\n * Port of AppSettingsFile from Azure Functions Core Tools\n * @see https://github.com/Azure/azure-functions-core-tools/blob/b367a5155d7bf299c4719dc37051082ae8ddebaf/src/Cli/func/Common/AppSettingsFile.cs\n */\n\nimport { readFileSync } from 'node:fs';\n\ninterface LocalSettingsJson {\n  IsEncrypted?: boolean;\n  Values?: Record<string, string>;\n  ConnectionStrings?: Record<string, any>;\n  Host?: any;\n}\n\nexport class AppSettingsFile {\n  public isEncrypted: boolean;\n  public values: Record<string, string>;\n  public connectionStrings: Record<string, any>;\n  public host: any;\n\n  constructor(private filePath: string) {\n    this.values = {};\n    this.connectionStrings = {};\n    this.isEncrypted = true;\n\n    try {\n      const content = readFileSync(this.filePath, 'utf8');\n      const appSettings: LocalSettingsJson = JSON.parse(content);\n\n      this.isEncrypted = appSettings.IsEncrypted ?? true;\n      this.values = appSettings.Values ?? {};\n      this.connectionStrings = appSettings.ConnectionStrings ?? {};\n      this.host = appSettings.Host ?? {};\n    } catch (ex) {\n      console.warn(`Failed to read app settings file at '${this.filePath}'. Ensure it is a valid JSON file.`, ex);\n      this.values = {};\n      this.connectionStrings = {};\n      this.isEncrypted = true;\n    }\n  }\n\n  public getValues(): Record<string, string> {\n    if (this.isEncrypted) {\n      throw new Error('Encrypted settings are not supported in this TypeScript port.');\n    }\n    return { ...this.values };\n  }\n\n  public getConnectionStrings(): any[] {\n    return [];\n  }\n}\n"]}