@slaw-ai/server 2026.611.0

package/dist/services/secrets.js

@@ -0,0 +1,1781 @@
+import { and, desc, eq, inArray, like, ne, notInArray, sql } from "drizzle-orm";
+import { agents, squadSecretBindings, squadSecretProviderConfigs, squadSecrets, squadSecretVersions, environments, heartbeatRuns, issues, projects, routines, secretAccessEvents, } from "@slaw-ai/db";
+import { createSecretProviderConfigSchema, deriveProjectUrlKey, envBindingSchema, isUuidLike, normalizeAgentUrlKey, secretProviderConfigPayloadSchema, secretProviderConfigDiscoveryPreviewSchema, updateSecretProviderConfigSchema, } from "@slaw-ai/shared";
+import { conflict, HttpError, notFound, unprocessable } from "../errors.js";
+import { logger } from "../middleware/logger.js";
+import { checkSecretProviders, getSecretProvider, listSecretProviders, } from "../secrets/provider-registry.js";
+import { isSecretProviderClientError } from "../secrets/types.js";
+const ENV_KEY_RE = /^[A-Za-z_][A-Za-z0-9_]*$/;
+const SENSITIVE_ENV_KEY_RE = /(api[-_]?key|access[-_]?token|auth(?:_?token)?|authorization|bearer|secret|passwd|password|credential|jwt|private[-_]?key|cookie|connectionstring)/i;
+const REDACTED_SENTINEL = "***REDACTED***";
+const COMING_SOON_SECRET_PROVIDERS = new Set([
+    "gcp_secret_manager",
+    "vault",
+]);
+function remoteProviderHttpError(error, context) {
+    if (isSecretProviderClientError(error)) {
+        logger.warn({
+            err: error,
+            squadId: context.squadId,
+            provider: context.provider,
+            providerConfigId: context.providerConfigId,
+            operation: context.operation,
+            providerErrorCode: error.code,
+        }, "remote secret provider request failed");
+        return new HttpError(error.status, error.message, { code: error.code });
+    }
+    if (error instanceof HttpError)
+        return error;
+    logger.warn({
+        err: error,
+        squadId: context.squadId,
+        provider: context.provider,
+        providerConfigId: context.providerConfigId,
+        operation: context.operation,
+        providerErrorCode: "provider_error",
+    }, "remote secret provider request failed");
+    return new HttpError(502, "Remote secret provider request failed.", { code: "provider_error" });
+}
+function remoteImportRowFailureReason(error, fallback, context) {
+    if (isSecretProviderClientError(error)) {
+        logger.warn({
+            err: error,
+            squadId: context.squadId,
+            provider: context.provider,
+            providerConfigId: context.providerConfigId,
+            operation: context.operation,
+            providerErrorCode: error.code,
+        }, "remote secret import row provider failure");
+        return error.message;
+    }
+    if (error instanceof HttpError && error.status < 500)
+        return error.message;
+    logger.warn({
+        err: error,
+        squadId: context.squadId,
+        provider: context.provider,
+        providerConfigId: context.providerConfigId,
+        operation: context.operation,
+        providerErrorCode: "provider_error",
+    }, "remote secret import row failed");
+    return fallback;
+}
+async function cleanupPreparedProviderWrite(input) {
+    try {
+        await input.provider.deleteOrArchive({
+            material: input.prepared.material,
+            externalRef: input.prepared.externalRef,
+            providerConfig: input.providerConfig,
+            context: input.context,
+            mode: input.mode,
+        });
+        return true;
+    }
+    catch (cleanupError) {
+        logger.warn({
+            err: cleanupError,
+            squadId: input.context.squadId,
+            provider: input.provider.id,
+            providerConfigId: input.providerConfig?.id ?? null,
+            operation: input.operation,
+        }, "remote secret provider cleanup failed after db write failure");
+        return false;
+    }
+}
+function asRecord(value) {
+    if (typeof value !== "object" || value === null || Array.isArray(value))
+        return null;
+    return value;
+}
+function isSensitiveEnvKey(key) {
+    return SENSITIVE_ENV_KEY_RE.test(key);
+}
+function normalizeSecretKey(input) {
+    return input
+        .trim()
+        .toLowerCase()
+        .replace(/[^a-z0-9_.-]+/g, "-")
+        .replace(/^-+|-+$/g, "")
+        .slice(0, 120);
+}
+function deriveSecretNameFromExternalRef(externalRef) {
+    const trimmed = externalRef.trim();
+    const arnMatch = /^arn:[^:]+:secretsmanager:[^:]*:[^:]*:secret:(.+)$/i.exec(trimmed);
+    const name = arnMatch?.[1] ?? trimmed;
+    return name.split("/").filter(Boolean).at(-1) ?? name;
+}
+function canonicalizeBinding(binding) {
+    if (typeof binding === "string") {
+        return { type: "plain", value: binding };
+    }
+    if (binding.type === "plain") {
+        return { type: "plain", value: String(binding.value) };
+    }
+    return {
+        type: "secret_ref",
+        secretId: binding.secretId,
+        version: binding.version ?? "latest",
+    };
+}
+function defaultProviderConfigStatus(provider) {
+    return COMING_SOON_SECRET_PROVIDERS.has(provider) ? "coming_soon" : "ready";
+}
+function secretResolutionErrorCode(error) {
+    if (isSecretProviderClientError(error))
+        return "provider_error";
+    if (error instanceof HttpError) {
+        const details = asRecord(error.details);
+        switch (details?.code) {
+            case "binding_missing":
+            case "secret_deleted":
+            case "secret_inactive":
+            case "version_missing":
+            case "version_inactive":
+            case "provider_error":
+                return details.code;
+        }
+        if (error.message === "Secret is not active")
+            return "secret_inactive";
+        if (error.message === "Secret version not found")
+            return "version_missing";
+        if (error.message === "Secret version is not active")
+            return "version_inactive";
+        if (error.message === "Secret resolution requires a binding config path" ||
+            error.message.startsWith("Secret is not bound to ")) {
+            return "binding_missing";
+        }
+        if (error.status >= 500)
+            return "provider_error";
+    }
+    return "provider_error";
+}
+function assertSelectableProviderConfig(config, squadId, provider) {
+    if (config.squadId !== squadId)
+        throw unprocessable("Provider vault must belong to same squad");
+    if (config.provider !== provider)
+        throw unprocessable("Provider vault must match the secret provider");
+    if (config.status === "coming_soon") {
+        throw unprocessable("Provider vault is locked while coming soon");
+    }
+    if (config.status === "disabled") {
+        throw unprocessable("Provider vault is disabled");
+    }
+}
+export function secretService(db) {
+    async function getById(id, source = db) {
+        return source
+            .select()
+            .from(squadSecrets)
+            .where(eq(squadSecrets.id, id))
+            .then((rows) => rows[0] ?? null);
+    }
+    async function getByName(squadId, name) {
+        return db
+            .select()
+            .from(squadSecrets)
+            .where(and(eq(squadSecrets.squadId, squadId), eq(squadSecrets.name, name), ne(squadSecrets.status, "deleted")))
+            .then((rows) => rows[0] ?? null);
+    }
+    async function getSecretVersion(secretId, version) {
+        return db
+            .select()
+            .from(squadSecretVersions)
+            .where(and(eq(squadSecretVersions.secretId, secretId), eq(squadSecretVersions.version, version)))
+            .then((rows) => rows[0] ?? null);
+    }
+    async function getBinding(input) {
+        return db
+            .select()
+            .from(squadSecretBindings)
+            .where(and(eq(squadSecretBindings.squadId, input.squadId), eq(squadSecretBindings.secretId, input.secretId), eq(squadSecretBindings.targetType, input.consumerType), eq(squadSecretBindings.targetId, input.consumerId), eq(squadSecretBindings.configPath, input.configPath)))
+            .then((rows) => rows[0] ?? null);
+    }
+    async function assertBindingContext(squadId, secretId, context) {
+        if (!context)
+            return;
+        if (!context.configPath) {
+            throw unprocessable("Secret resolution requires a binding config path", { code: "binding_missing" });
+        }
+        const binding = await getBinding({
+            squadId,
+            secretId,
+            consumerType: context.consumerType,
+            consumerId: context.consumerId,
+            configPath: context.configPath,
+        });
+        if (!binding) {
+            throw unprocessable(`Secret is not bound to ${context.consumerType}:${context.consumerId} at ${context.configPath}`, { code: "binding_missing" });
+        }
+    }
+    async function recordAccessEvent(input) {
+        if (!input.context)
+            return;
+        await db.insert(secretAccessEvents).values({
+            squadId: input.squadId,
+            secretId: input.secretId,
+            version: input.version,
+            provider: input.provider,
+            actorType: input.context.actorType ?? "system",
+            actorId: input.context.actorId ?? null,
+            consumerType: input.context.consumerType,
+            consumerId: input.context.consumerId,
+            configPath: input.context.configPath ?? null,
+            issueId: input.context.issueId ?? null,
+            heartbeatRunId: input.context.heartbeatRunId ?? null,
+            pluginId: input.context.pluginId ?? null,
+            outcome: input.outcome,
+            errorCode: input.errorCode ?? null,
+        });
+    }
+    async function assertSecretInSquad(squadId, secretId, source = db) {
+        const secret = await getById(secretId, source);
+        if (!secret)
+            throw notFound("Secret not found");
+        if (secret.status === "deleted")
+            throw notFound("Secret not found");
+        if (secret.squadId !== squadId)
+            throw unprocessable("Secret must belong to same squad");
+        return secret;
+    }
+    async function getProviderConfigById(id) {
+        return db
+            .select()
+            .from(squadSecretProviderConfigs)
+            .where(eq(squadSecretProviderConfigs.id, id))
+            .then((rows) => rows[0] ?? null);
+    }
+    async function assertProviderConfigForSecret(squadId, provider, providerConfigId) {
+        if (!providerConfigId)
+            return null;
+        const providerConfig = await getProviderConfigById(providerConfigId);
+        if (!providerConfig)
+            throw notFound("Provider vault not found");
+        assertSelectableProviderConfig(providerConfig, squadId, provider);
+        return providerConfig;
+    }
+    function toProviderVaultRuntimeConfig(providerConfig) {
+        if (!providerConfig)
+            return null;
+        return {
+            id: providerConfig.id,
+            provider: providerConfig.provider,
+            status: providerConfig.status,
+            config: providerConfig.config ?? {},
+        };
+    }
+    async function getSelectableRuntimeProviderConfig(input) {
+        const providerConfig = await assertProviderConfigForSecret(input.squadId, input.provider, input.providerConfigId);
+        return toProviderVaultRuntimeConfig(providerConfig);
+    }
+    function validateProviderConfigPayload(provider, config) {
+        const parsed = secretProviderConfigPayloadSchema.safeParse({ provider, config });
+        if (!parsed.success) {
+            throw unprocessable("Invalid provider vault config", parsed.error.flatten());
+        }
+        return parsed.data.config;
+    }
+    function toDraftProviderVaultRuntimeConfig(input) {
+        return {
+            id: `discovery-preview-${input.squadId}`,
+            provider: input.provider,
+            status: "ready",
+            config: validateProviderConfigPayload(input.provider, input.config),
+        };
+    }
+    function providerConfigHealth(input) {
+        if (input.status === "disabled") {
+            return {
+                configId: input.id,
+                provider: input.provider,
+                status: "disabled",
+                message: "Provider vault is disabled.",
+                details: { code: "disabled", message: "Provider vault is disabled." },
+            };
+        }
+        if (input.status === "coming_soon" || COMING_SOON_SECRET_PROVIDERS.has(input.provider)) {
+            return {
+                configId: input.id,
+                provider: input.provider,
+                status: "coming_soon",
+                message: "Provider vault runtime is locked while coming soon.",
+                details: {
+                    code: "runtime_locked",
+                    message: "Provider vault runtime is locked while coming soon.",
+                    guidance: ["Draft metadata may be saved, but create, rotate, and resolve stay unavailable."],
+                },
+            };
+        }
+        return null;
+    }
+    function mapProviderModuleHealth(input) {
+        const status = input.health.status === "ok"
+            ? input.providerStatus === "warning" ? "warning" : "ready"
+            : input.health.status === "error"
+                ? "error"
+                : "warning";
+        const guidance = [
+            ...(input.health.warnings ?? []),
+            ...(input.health.backupGuidance ?? []),
+        ];
+        return {
+            configId: input.configId,
+            provider: input.provider,
+            status,
+            message: input.health.message,
+            details: {
+                code: input.health.status === "ok" ? "provider_ready" : "provider_needs_attention",
+                message: input.health.message,
+                guidance: guidance.length > 0 ? guidance : undefined,
+            },
+        };
+    }
+    async function resolveSecretValueInternal(squadId, secretId, version, context) {
+        const secret = await getById(secretId);
+        if (!secret)
+            throw notFound("Secret not found");
+        if (secret.squadId !== squadId)
+            throw unprocessable("Secret must belong to same squad");
+        const resolvedVersion = version === "latest" ? secret.latestVersion : version;
+        const providerId = secret.provider;
+        const configPath = context?.configPath ?? null;
+        try {
+            if (secret.status === "deleted") {
+                throw new HttpError(404, "Secret not found", { code: "secret_deleted" });
+            }
+            if (secret.status !== "active") {
+                throw unprocessable("Secret is not active", { code: "secret_inactive" });
+            }
+            await assertBindingContext(squadId, secret.id, context);
+            const versionRow = await getSecretVersion(secret.id, resolvedVersion);
+            if (!versionRow)
+                throw new HttpError(404, "Secret version not found", { code: "version_missing" });
+            if (versionRow.status === "disabled" || versionRow.status === "destroyed" || versionRow.revokedAt) {
+                throw unprocessable("Secret version is not active", { code: "version_inactive" });
+            }
+            const provider = getSecretProvider(providerId);
+            const providerConfig = await getSelectableRuntimeProviderConfig({
+                squadId,
+                provider: providerId,
+                providerConfigId: secret.providerConfigId,
+            });
+            const value = await provider.resolveVersion({
+                material: versionRow.material,
+                externalRef: secret.externalRef,
+                providerVersionRef: versionRow.providerVersionRef,
+                providerConfig,
+                context: {
+                    squadId,
+                    secretId: secret.id,
+                    secretKey: secret.key,
+                    version: resolvedVersion,
+                },
+            });
+            await Promise.all([
+                db
+                    .update(squadSecrets)
+                    .set({ lastResolvedAt: new Date(), updatedAt: new Date() })
+                    .where(eq(squadSecrets.id, secret.id))
+                    .catch(() => undefined),
+                recordAccessEvent({
+                    squadId,
+                    secretId: secret.id,
+                    version: resolvedVersion,
+                    provider: providerId,
+                    context,
+                    outcome: "success",
+                }).catch(() => undefined),
+            ]);
+            return {
+                value,
+                manifestEntry: {
+                    configPath: configPath ?? "",
+                    envKey: configPath?.startsWith("env.") ? configPath.slice("env.".length) : null,
+                    secretId: secret.id,
+                    secretKey: secret.key,
+                    version: resolvedVersion,
+                    provider: providerId,
+                    outcome: "success",
+                },
+            };
+        }
+        catch (err) {
+            const errorCode = secretResolutionErrorCode(err);
+            await recordAccessEvent({
+                squadId,
+                secretId: secret.id,
+                version: resolvedVersion,
+                provider: providerId,
+                context,
+                outcome: "failure",
+                errorCode,
+            }).catch(() => undefined);
+            throw err;
+        }
+    }
+    async function resolveSecretValue(squadId, secretId, version, context) {
+        return (await resolveSecretValueInternal(squadId, secretId, version, context)).value;
+    }
+    async function normalizeEnvConfig(squadId, envValue, opts) {
+        const record = asRecord(envValue);
+        if (!record)
+            throw unprocessable(`${opts?.fieldPath ?? "env"} must be an object`);
+        const normalized = {};
+        for (const [key, rawBinding] of Object.entries(record)) {
+            if (!ENV_KEY_RE.test(key)) {
+                throw unprocessable(`Invalid environment variable name: ${key}`);
+            }
+            const parsed = envBindingSchema.safeParse(rawBinding);
+            if (!parsed.success) {
+                throw unprocessable(`Invalid environment binding for key: ${key}`);
+            }
+            const binding = canonicalizeBinding(parsed.data);
+            if (binding.type === "plain") {
+                if (opts?.strictMode && isSensitiveEnvKey(key) && binding.value.trim().length > 0) {
+                    throw unprocessable(`Strict secret mode requires secret references for sensitive key: ${key}`);
+                }
+                if (binding.value === REDACTED_SENTINEL) {
+                    throw unprocessable(`Refusing to persist redacted placeholder for key: ${key}`);
+                }
+                normalized[key] = binding;
+                continue;
+            }
+            await assertSecretInSquad(squadId, binding.secretId);
+            normalized[key] = {
+                type: "secret_ref",
+                secretId: binding.secretId,
+                version: binding.version,
+            };
+        }
+        return normalized;
+    }
+    async function normalizeAdapterConfigForPersistenceInternal(squadId, adapterConfig, opts) {
+        const normalized = { ...adapterConfig };
+        if (!Object.prototype.hasOwnProperty.call(adapterConfig, "env")) {
+            return normalized;
+        }
+        normalized.env = await normalizeEnvConfig(squadId, adapterConfig.env, opts);
+        return normalized;
+    }
+    function collectTargetIds(bindings, targetType, opts) {
+        return [
+            ...new Set(bindings
+                .filter((binding) => binding.targetType === targetType)
+                .map((binding) => binding.targetId)
+                .filter((id) => !opts?.uuidOnly || isUuidLike(id))),
+        ];
+    }
+    function fallbackBindingTarget(binding) {
+        return {
+            type: binding.targetType,
+            id: binding.targetId,
+            label: binding.targetId,
+            href: null,
+            status: null,
+        };
+    }
+    async function buildBindingTargetMap(squadId, bindings) {
+        const targetMap = new Map();
+        const setTarget = (target) => {
+            targetMap.set(`${target.type}:${target.id}`, target);
+        };
+        const agentIds = collectTargetIds(bindings, "agent", { uuidOnly: true });
+        if (agentIds.length > 0) {
+            const rows = await db
+                .select({
+                id: agents.id,
+                name: agents.name,
+                title: agents.title,
+                status: agents.status,
+            })
+                .from(agents)
+                .where(and(eq(agents.squadId, squadId), inArray(agents.id, agentIds)));
+            for (const row of rows) {
+                setTarget({
+                    type: "agent",
+                    id: row.id,
+                    label: row.title ? `${row.name} (${row.title})` : row.name,
+                    href: `/agents/${normalizeAgentUrlKey(row.name) ?? row.id}`,
+                    status: row.status,
+                });
+            }
+        }
+        const projectIds = collectTargetIds(bindings, "project", { uuidOnly: true });
+        if (projectIds.length > 0) {
+            const rows = await db
+                .select({
+                id: projects.id,
+                name: projects.name,
+                status: projects.status,
+            })
+                .from(projects)
+                .where(and(eq(projects.squadId, squadId), inArray(projects.id, projectIds)));
+            for (const row of rows) {
+                setTarget({
+                    type: "project",
+                    id: row.id,
+                    label: row.name,
+                    href: `/projects/${deriveProjectUrlKey(row.name, row.id)}`,
+                    status: row.status,
+                });
+            }
+        }
+        const environmentIds = collectTargetIds(bindings, "environment", { uuidOnly: true });
+        if (environmentIds.length > 0) {
+            const rows = await db
+                .select({
+                id: environments.id,
+                name: environments.name,
+                status: environments.status,
+            })
+                .from(environments)
+                .where(and(eq(environments.squadId, squadId), inArray(environments.id, environmentIds)));
+            for (const row of rows) {
+                setTarget({
+                    type: "environment",
+                    id: row.id,
+                    label: row.name,
+                    href: "/squad/settings/environments",
+                    status: row.status,
+                });
+            }
+        }
+        const routineIds = collectTargetIds(bindings, "routine", { uuidOnly: true });
+        if (routineIds.length > 0) {
+            const rows = await db
+                .select({
+                id: routines.id,
+                title: routines.title,
+                status: routines.status,
+            })
+                .from(routines)
+                .where(and(eq(routines.squadId, squadId), inArray(routines.id, routineIds)));
+            for (const row of rows) {
+                setTarget({
+                    type: "routine",
+                    id: row.id,
+                    label: row.title,
+                    href: `/routines/${row.id}`,
+                    status: row.status,
+                });
+            }
+        }
+        const issueIds = collectTargetIds(bindings, "issue", { uuidOnly: true });
+        if (issueIds.length > 0) {
+            const rows = await db
+                .select({
+                id: issues.id,
+                identifier: issues.identifier,
+                title: issues.title,
+                status: issues.status,
+            })
+                .from(issues)
+                .where(and(eq(issues.squadId, squadId), inArray(issues.id, issueIds)));
+            for (const row of rows) {
+                setTarget({
+                    type: "issue",
+                    id: row.id,
+                    label: row.identifier ? `${row.identifier} ${row.title}` : row.title,
+                    href: `/issues/${row.identifier ?? row.id}`,
+                    status: row.status,
+                });
+            }
+        }
+        const runIds = collectTargetIds(bindings, "run", { uuidOnly: true });
+        if (runIds.length > 0) {
+            const rows = await db
+                .select({
+                id: heartbeatRuns.id,
+                agentId: heartbeatRuns.agentId,
+                status: heartbeatRuns.status,
+            })
+                .from(heartbeatRuns)
+                .where(and(eq(heartbeatRuns.squadId, squadId), inArray(heartbeatRuns.id, runIds)));
+            for (const row of rows) {
+                setTarget({
+                    type: "run",
+                    id: row.id,
+                    label: `Run ${row.id.slice(0, 8)}`,
+                    href: `/agents/${row.agentId}/runs/${row.id}`,
+                    status: row.status,
+                });
+            }
+        }
+        return targetMap;
+    }
+    async function buildRemoteImportConflictMaps(squadId, provider) {
+        const activeSecrets = await db
+            .select({
+            id: squadSecrets.id,
+            name: squadSecrets.name,
+            key: squadSecrets.key,
+            provider: squadSecrets.provider,
+            providerConfigId: squadSecrets.providerConfigId,
+            externalRef: squadSecrets.externalRef,
+            status: squadSecrets.status,
+        })
+            .from(squadSecrets)
+            .where(and(eq(squadSecrets.squadId, squadId), ne(squadSecrets.status, "deleted")));
+        return {
+            byProviderConfigExternalRef: new Map(activeSecrets
+                .filter((secret) => secret.provider === provider &&
+                typeof secret.externalRef === "string" &&
+                secret.externalRef.trim())
+                .map((secret) => [
+                remoteImportExternalRefKey(secret.providerConfigId, secret.externalRef),
+                secret,
+            ])),
+            byName: new Map(activeSecrets.map((secret) => [secret.name, secret])),
+            byKey: new Map(activeSecrets.map((secret) => [secret.key, secret])),
+        };
+    }
+    function remoteImportExternalRefKey(providerConfigId, externalRef) {
+        return `${providerConfigId ?? "default"}\0${externalRef.trim()}`;
+    }
+    function sanitizeRemoteProviderMetadata(provider, metadata) {
+        if (!metadata || provider !== "aws_secrets_manager")
+            return null;
+        const safe = {};
+        for (const key of ["createdDate", "lastAccessedDate", "lastChangedDate", "deletedDate"]) {
+            const value = metadata[key];
+            if (typeof value === "string" || value === null)
+                safe[key] = value;
+        }
+        for (const key of ["hasDescription", "hasKmsKey", "tagCount"]) {
+            const value = metadata[key];
+            if (typeof value === "boolean" || typeof value === "number")
+                safe[key] = value;
+        }
+        return Object.keys(safe).length > 0 ? safe : null;
+    }
+    function remoteImportConflictsFor(input) {
+        const conflicts = [];
+        const duplicate = input.maps.byProviderConfigExternalRef.get(remoteImportExternalRefKey(input.providerConfigId, input.externalRef));
+        if (duplicate) {
+            conflicts.push({
+                type: "exact_reference",
+                existingSecretId: duplicate.id,
+                message: "An existing secret already links this exact provider reference.",
+            });
+            return conflicts;
+        }
+        const nameConflict = input.maps.byName.get(input.name);
+        if (nameConflict) {
+            conflicts.push({
+                type: "name",
+                existingSecretId: nameConflict.id,
+                message: `Secret name already exists: ${input.name}`,
+            });
+        }
+        const keyConflict = input.maps.byKey.get(input.key);
+        if (keyConflict) {
+            conflicts.push({
+                type: "key",
+                existingSecretId: keyConflict.id,
+                message: `Secret key already exists: ${input.key}`,
+            });
+        }
+        return conflicts;
+    }
+    async function getRemoteImportProviderConfig(squadId, providerConfigId) {
+        const providerConfig = await getProviderConfigById(providerConfigId);
+        if (!providerConfig)
+            throw notFound("Provider vault not found");
+        const provider = providerConfig.provider;
+        assertSelectableProviderConfig(providerConfig, squadId, provider);
+        return { providerConfig, provider, runtimeConfig: toProviderVaultRuntimeConfig(providerConfig) };
+    }
+    return {
+        listProviders: () => listSecretProviders(),
+        checkProviders: () => checkSecretProviders(),
+        previewProviderConfigDiscovery: async (squadId, input) => {
+            const parsed = secretProviderConfigDiscoveryPreviewSchema.safeParse({
+                provider: input.provider,
+                config: input.config ?? {},
+                query: input.query,
+                nextToken: input.nextToken,
+                pageSize: input.pageSize,
+            });
+            if (!parsed.success) {
+                throw unprocessable("Invalid provider vault discovery config", parsed.error.flatten());
+            }
+            const providerId = parsed.data.provider;
+            const provider = getSecretProvider(providerId);
+            if (!provider.discoverProviderConfigs) {
+                throw unprocessable(`${providerId} provider does not support provider vault discovery`);
+            }
+            const runtimeConfig = toDraftProviderVaultRuntimeConfig({
+                squadId,
+                provider: providerId,
+                config: parsed.data.config,
+            });
+            try {
+                return await provider.discoverProviderConfigs({
+                    squadId,
+                    providerConfig: runtimeConfig,
+                    query: parsed.data.query,
+                    nextToken: parsed.data.nextToken,
+                    pageSize: parsed.data.pageSize,
+                });
+            }
+            catch (error) {
+                throw remoteProviderHttpError(error, {
+                    squadId,
+                    provider: providerId,
+                    providerConfigId: "discovery-preview",
+                    operation: "secret_provider_config.discovery.preview",
+                });
+            }
+        },
+        listProviderConfigs: (squadId) => db
+            .select()
+            .from(squadSecretProviderConfigs)
+            .where(eq(squadSecretProviderConfigs.squadId, squadId))
+            .orderBy(desc(squadSecretProviderConfigs.createdAt)),
+        getProviderConfigById,
+        createProviderConfig: async (squadId, input, actor) => {
+            const parsed = createSecretProviderConfigSchema.safeParse(input);
+            if (!parsed.success)
+                throw unprocessable("Invalid provider vault config", parsed.error.flatten());
+            const status = input.status ?? defaultProviderConfigStatus(input.provider);
+            if ((status === "coming_soon" || status === "disabled") && input.isDefault) {
+                throw unprocessable("Only ready or warning provider vaults can be default");
+            }
+            const normalizedConfig = validateProviderConfigPayload(input.provider, input.config ?? {});
+            return db.transaction(async (tx) => {
+                if (input.isDefault) {
+                    await tx
+                        .update(squadSecretProviderConfigs)
+                        .set({ isDefault: false, updatedAt: new Date() })
+                        .where(and(eq(squadSecretProviderConfigs.squadId, squadId), eq(squadSecretProviderConfigs.provider, input.provider)));
+                }
+                return tx
+                    .insert(squadSecretProviderConfigs)
+                    .values({
+                    squadId,
+                    provider: input.provider,
+                    displayName: input.displayName.trim(),
+                    status,
+                    isDefault: input.isDefault ?? false,
+                    config: normalizedConfig,
+                    disabledAt: status === "disabled" ? new Date() : null,
+                    createdByAgentId: actor?.agentId ?? null,
+                    createdByUserId: actor?.userId ?? null,
+                })
+                    .returning()
+                    .then((rows) => rows[0]);
+            });
+        },
+        updateProviderConfig: async (id, patch) => {
+            const existing = await getProviderConfigById(id);
+            if (!existing)
+                return null;
+            const parsed = updateSecretProviderConfigSchema.safeParse(patch);
+            if (!parsed.success)
+                throw unprocessable("Invalid provider vault config", parsed.error.flatten());
+            const provider = existing.provider;
+            const status = patch.status ?? existing.status;
+            if (COMING_SOON_SECRET_PROVIDERS.has(provider) && status !== "coming_soon" && status !== "disabled") {
+                throw unprocessable(`${provider} provider vaults are locked while coming soon`);
+            }
+            if ((status === "coming_soon" || status === "disabled") && patch.isDefault) {
+                throw unprocessable("Only ready or warning provider vaults can be default");
+            }
+            const normalizedConfig = patch.config === undefined
+                ? existing.config
+                : validateProviderConfigPayload(provider, patch.config);
+            return db.transaction(async (tx) => {
+                if (patch.isDefault) {
+                    await tx
+                        .update(squadSecretProviderConfigs)
+                        .set({ isDefault: false, updatedAt: new Date() })
+                        .where(and(eq(squadSecretProviderConfigs.squadId, existing.squadId), eq(squadSecretProviderConfigs.provider, existing.provider)));
+                }
+                return tx
+                    .update(squadSecretProviderConfigs)
+                    .set({
+                    displayName: patch.displayName?.trim() ?? existing.displayName,
+                    status,
+                    isDefault: status === "disabled" || status === "coming_soon" ? false : patch.isDefault ?? existing.isDefault,
+                    config: normalizedConfig,
+                    disabledAt: status === "disabled" ? existing.disabledAt ?? new Date() : null,
+                    updatedAt: new Date(),
+                })
+                    .where(eq(squadSecretProviderConfigs.id, id))
+                    .returning()
+                    .then((rows) => rows[0] ?? null);
+            });
+        },
+        disableProviderConfig: async (id) => {
+            const existing = await getProviderConfigById(id);
+            if (!existing)
+                return null;
+            return db
+                .update(squadSecretProviderConfigs)
+                .set({
+                status: "disabled",
+                isDefault: false,
+                disabledAt: existing.disabledAt ?? new Date(),
+                updatedAt: new Date(),
+            })
+                .where(eq(squadSecretProviderConfigs.id, id))
+                .returning()
+                .then((rows) => rows[0] ?? null);
+        },
+        removeProviderConfig: async (id) => db
+            .delete(squadSecretProviderConfigs)
+            .where(eq(squadSecretProviderConfigs.id, id))
+            .returning()
+            .then((rows) => rows[0] ?? null),
+        setDefaultProviderConfig: async (id) => {
+            const existing = await getProviderConfigById(id);
+            if (!existing)
+                return null;
+            if (existing.status === "coming_soon" || existing.status === "disabled") {
+                throw unprocessable("Only ready or warning provider vaults can be default");
+            }
+            return db.transaction(async (tx) => {
+                const current = await tx
+                    .select()
+                    .from(squadSecretProviderConfigs)
+                    .where(eq(squadSecretProviderConfigs.id, id))
+                    .then((rows) => rows[0] ?? null);
+                if (!current)
+                    return null;
+                if (current.status === "coming_soon" || current.status === "disabled") {
+                    throw unprocessable("Only ready or warning provider vaults can be default");
+                }
+                await tx
+                    .update(squadSecretProviderConfigs)
+                    .set({ isDefault: false, updatedAt: new Date() })
+                    .where(and(eq(squadSecretProviderConfigs.squadId, current.squadId), eq(squadSecretProviderConfigs.provider, current.provider)));
+                const updated = await tx
+                    .update(squadSecretProviderConfigs)
+                    .set({ isDefault: true, updatedAt: new Date() })
+                    .where(and(eq(squadSecretProviderConfigs.id, id), notInArray(squadSecretProviderConfigs.status, ["coming_soon", "disabled"])))
+                    .returning()
+                    .then((rows) => rows[0] ?? null);
+                if (!updated)
+                    throw unprocessable("Only ready or warning provider vaults can be default");
+                return updated;
+            });
+        },
+        checkProviderConfigHealth: async (id) => {
+            const existing = await getProviderConfigById(id);
+            if (!existing)
+                return null;
+            const checkedAt = new Date();
+            const staticHealth = providerConfigHealth({
+                id: existing.id,
+                provider: existing.provider,
+                status: existing.status,
+                config: existing.config ?? {},
+            });
+            const provider = getSecretProvider(existing.provider);
+            const health = staticHealth ?? mapProviderModuleHealth({
+                configId: existing.id,
+                provider: existing.provider,
+                providerStatus: existing.status,
+                health: await provider.healthCheck({
+                    providerConfig: toProviderVaultRuntimeConfig(existing),
+                }),
+            });
+            await db
+                .update(squadSecretProviderConfigs)
+                .set({
+                healthStatus: health.status,
+                healthCheckedAt: checkedAt,
+                healthMessage: health.message,
+                healthDetails: health.details,
+                updatedAt: new Date(),
+            })
+                .where(eq(squadSecretProviderConfigs.id, id));
+            return { ...health, checkedAt };
+        },
+        list: async (squadId) => {
+            const [secrets, referenceCounts] = await Promise.all([
+                db
+                    .select()
+                    .from(squadSecrets)
+                    .where(and(eq(squadSecrets.squadId, squadId), ne(squadSecrets.status, "deleted")))
+                    .orderBy(desc(squadSecrets.createdAt)),
+                db
+                    .select({
+                    secretId: squadSecretBindings.secretId,
+                    count: sql `count(*)::int`,
+                })
+                    .from(squadSecretBindings)
+                    .where(eq(squadSecretBindings.squadId, squadId))
+                    .groupBy(squadSecretBindings.secretId),
+            ]);
+            const countsBySecretId = new Map(referenceCounts.map((row) => [row.secretId, row.count]));
+            return secrets.map((secret) => ({
+                ...secret,
+                referenceCount: countsBySecretId.get(secret.id) ?? 0,
+            }));
+        },
+        listBindings: (squadId, secretId) => db
+            .select()
+            .from(squadSecretBindings)
+            .where(secretId
+            ? and(eq(squadSecretBindings.squadId, squadId), eq(squadSecretBindings.secretId, secretId))
+            : eq(squadSecretBindings.squadId, squadId))
+            .orderBy(desc(squadSecretBindings.createdAt)),
+        listBindingReferences: async (squadId, secretId) => {
+            const bindings = await db
+                .select()
+                .from(squadSecretBindings)
+                .where(and(eq(squadSecretBindings.squadId, squadId), eq(squadSecretBindings.secretId, secretId)))
+                .orderBy(desc(squadSecretBindings.createdAt));
+            const targetMap = await buildBindingTargetMap(squadId, bindings);
+            return bindings.map((binding) => ({
+                ...binding,
+                target: targetMap.get(`${binding.targetType}:${binding.targetId}`) ??
+                    fallbackBindingTarget(binding),
+            }));
+        },
+        listAccessEvents: (squadId, secretId) => db
+            .select()
+            .from(secretAccessEvents)
+            .where(and(eq(secretAccessEvents.squadId, squadId), eq(secretAccessEvents.secretId, secretId)))
+            .orderBy(desc(secretAccessEvents.createdAt)),
+        previewRemoteImport: async (squadId, input) => {
+            const { providerConfig, provider: providerId, runtimeConfig } = await getRemoteImportProviderConfig(squadId, input.providerConfigId);
+            const provider = getSecretProvider(providerId);
+            if (!provider.listRemoteSecrets) {
+                throw unprocessable(`${providerId} provider does not support remote import listing`);
+            }
+            let listed;
+            try {
+                listed = await provider.listRemoteSecrets({
+                    providerConfig: runtimeConfig,
+                    query: input.query,
+                    nextToken: input.nextToken,
+                    pageSize: input.pageSize,
+                });
+            }
+            catch (error) {
+                throw remoteProviderHttpError(error, {
+                    squadId,
+                    provider: providerId,
+                    providerConfigId: providerConfig.id,
+                    operation: "remote_import.preview",
+                });
+            }
+            const maps = await buildRemoteImportConflictMaps(squadId, providerId);
+            const candidates = [];
+            for (const remote of listed.secrets) {
+                const externalRef = remote.externalRef.trim();
+                const remoteName = remote.name.trim() || deriveSecretNameFromExternalRef(externalRef);
+                const name = remoteName || deriveSecretNameFromExternalRef(externalRef);
+                const key = normalizeSecretKey(name);
+                let canonicalExternalRef = externalRef;
+                const conflicts = [];
+                try {
+                    const prepared = await provider.linkExternalSecret({
+                        externalRef,
+                        providerVersionRef: remote.providerVersionRef ?? null,
+                        providerConfig: runtimeConfig,
+                        context: {
+                            squadId,
+                            secretKey: key || "remote-import-preview",
+                            secretName: name,
+                            version: 1,
+                        },
+                    });
+                    canonicalExternalRef = prepared.externalRef ?? externalRef;
+                }
+                catch (error) {
+                    conflicts.push({
+                        type: "provider_guardrail",
+                        message: remoteImportRowFailureReason(error, "Provider rejected this external reference", {
+                            squadId,
+                            provider: providerId,
+                            providerConfigId: providerConfig.id,
+                            operation: "remote_import.preview.link_external_reference",
+                        }),
+                    });
+                }
+                conflicts.push(...remoteImportConflictsFor({
+                    providerConfigId: providerConfig.id,
+                    externalRef: canonicalExternalRef,
+                    name,
+                    key,
+                    maps,
+                }));
+                const hasDuplicate = conflicts.some((conflict) => conflict.type === "exact_reference");
+                const hasConflict = conflicts.length > 0;
+                candidates.push({
+                    externalRef,
+                    remoteName,
+                    name,
+                    key,
+                    providerVersionRef: remote.providerVersionRef ?? null,
+                    providerMetadata: sanitizeRemoteProviderMetadata(providerId, remote.metadata),
+                    status: hasDuplicate ? "duplicate" : hasConflict ? "conflict" : "ready",
+                    importable: !hasConflict,
+                    conflicts,
+                });
+            }
+            return {
+                providerConfigId: providerConfig.id,
+                provider: providerId,
+                nextToken: listed.nextToken ?? null,
+                candidates,
+            };
+        },
+        importRemoteSecrets: async (squadId, input, actor) => {
+            const { providerConfig, provider: providerId, runtimeConfig } = await getRemoteImportProviderConfig(squadId, input.providerConfigId);
+            const provider = getSecretProvider(providerId);
+            if (provider.descriptor().supportsExternalReferences === false) {
+                throw unprocessable(`${providerId} provider does not support linked external references`);
+            }
+            const maps = await buildRemoteImportConflictMaps(squadId, providerId);
+            const results = [];
+            for (const selection of input.secrets) {
+                const externalRef = selection.externalRef.trim();
+                const name = selection.name?.trim() || deriveSecretNameFromExternalRef(externalRef);
+                const key = normalizeSecretKey(selection.key?.trim() || name);
+                const description = selection.description?.trim() || null;
+                let prepared;
+                const conflicts = remoteImportConflictsFor({
+                    providerConfigId: providerConfig.id,
+                    externalRef,
+                    name,
+                    key,
+                    maps,
+                });
+                if (!key) {
+                    results.push({
+                        externalRef,
+                        name,
+                        key,
+                        status: "error",
+                        reason: "Secret key is required",
+                        secretId: null,
+                        conflicts,
+                    });
+                    continue;
+                }
+                if (conflicts.length === 0) {
+                    try {
+                        prepared = await provider.linkExternalSecret({
+                            externalRef,
+                            providerVersionRef: selection.providerVersionRef ?? null,
+                            providerConfig: runtimeConfig,
+                            context: {
+                                squadId,
+                                secretKey: key,
+                                secretName: name,
+                                version: 1,
+                            },
+                        });
+                        const canonicalDuplicate = maps.byProviderConfigExternalRef.get(remoteImportExternalRefKey(providerConfig.id, prepared.externalRef ?? externalRef));
+                        if (canonicalDuplicate) {
+                            conflicts.push({
+                                type: "exact_reference",
+                                existingSecretId: canonicalDuplicate.id,
+                                message: "An existing secret already links this exact provider reference.",
+                            });
+                        }
+                    }
+                    catch (error) {
+                        results.push({
+                            externalRef,
+                            name,
+                            key,
+                            status: "error",
+                            reason: remoteImportRowFailureReason(error, "Provider rejected this external reference", {
+                                squadId,
+                                provider: providerId,
+                                providerConfigId: providerConfig.id,
+                                operation: "remote_import.prepare_external_reference",
+                            }),
+                            secretId: null,
+                            conflicts: [],
+                        });
+                        continue;
+                    }
+                }
+                if (conflicts.length > 0) {
+                    results.push({
+                        externalRef,
+                        name,
+                        key,
+                        status: "skipped",
+                        reason: conflicts.some((conflict) => conflict.type === "exact_reference")
+                            ? "exact_reference_duplicate"
+                            : "name_or_key_conflict",
+                        secretId: null,
+                        conflicts,
+                    });
+                    continue;
+                }
+                try {
+                    if (!prepared) {
+                        prepared = await provider.linkExternalSecret({
+                            externalRef,
+                            providerVersionRef: selection.providerVersionRef ?? null,
+                            providerConfig: runtimeConfig,
+                            context: {
+                                squadId,
+                                secretKey: key,
+                                secretName: name,
+                                version: 1,
+                            },
+                        });
+                    }
+                    if (!prepared) {
+                        throw unprocessable("Provider rejected this external reference");
+                    }
+                    const preparedSecret = prepared;
+                    const secret = await db.transaction(async (tx) => {
+                        const inserted = await tx
+                            .insert(squadSecrets)
+                            .values({
+                            squadId,
+                            key,
+                            name,
+                            provider: providerId,
+                            providerConfigId: providerConfig.id,
+                            status: "active",
+                            managedMode: "external_reference",
+                            externalRef: preparedSecret.externalRef,
+                            providerMetadata: null,
+                            latestVersion: 1,
+                            description,
+                            lastRotatedAt: new Date(),
+                            createdByAgentId: actor?.agentId ?? null,
+                            createdByUserId: actor?.userId ?? null,
+                        })
+                            .returning()
+                            .then((rows) => rows[0]);
+                        await tx.insert(squadSecretVersions).values({
+                            secretId: inserted.id,
+                            version: 1,
+                            material: preparedSecret.material,
+                            valueSha256: preparedSecret.valueSha256,
+                            fingerprintSha256: preparedSecret.fingerprintSha256 ?? preparedSecret.valueSha256,
+                            providerVersionRef: preparedSecret.providerVersionRef ?? null,
+                            status: "current",
+                            createdByAgentId: actor?.agentId ?? null,
+                            createdByUserId: actor?.userId ?? null,
+                        });
+                        return inserted;
+                    });
+                    maps.byProviderConfigExternalRef.set(remoteImportExternalRefKey(providerConfig.id, preparedSecret.externalRef ?? externalRef), secret);
+                    maps.byName.set(name, secret);
+                    maps.byKey.set(key, secret);
+                    results.push({
+                        externalRef,
+                        name,
+                        key,
+                        status: "imported",
+                        reason: null,
+                        secretId: secret.id,
+                        conflicts: [],
+                    });
+                }
+                catch (error) {
+                    results.push({
+                        externalRef,
+                        name,
+                        key,
+                        status: "error",
+                        reason: remoteImportRowFailureReason(error, "Import failed", {
+                            squadId,
+                            provider: providerId,
+                            providerConfigId: providerConfig.id,
+                            operation: "remote_import.commit",
+                        }),
+                        secretId: null,
+                        conflicts: [],
+                    });
+                }
+            }
+            return {
+                providerConfigId: providerConfig.id,
+                provider: providerId,
+                importedCount: results.filter((result) => result.status === "imported").length,
+                skippedCount: results.filter((result) => result.status === "skipped").length,
+                errorCount: results.filter((result) => result.status === "error").length,
+                results,
+            };
+        },
+        getById,
+        getByName,
+        resolveSecretValue,
+        create: async (squadId, input, actor) => {
+            const existing = await getByName(squadId, input.name);
+            if (existing)
+                throw conflict(`Secret already exists: ${input.name}`);
+            const key = normalizeSecretKey(input.key ?? input.name);
+            if (!key)
+                throw unprocessable("Secret key is required");
+            const duplicateKey = await db
+                .select()
+                .from(squadSecrets)
+                .where(and(eq(squadSecrets.squadId, squadId), eq(squadSecrets.key, key), ne(squadSecrets.status, "deleted")))
+                .then((rows) => rows[0] ?? null);
+            if (duplicateKey)
+                throw conflict(`Secret key already exists: ${key}`);
+            const managedMode = input.managedMode ?? "slaw_managed";
+            const provider = getSecretProvider(input.provider);
+            const providerConfig = await getSelectableRuntimeProviderConfig({
+                squadId,
+                provider: input.provider,
+                providerConfigId: input.providerConfigId,
+            });
+            if (managedMode === "external_reference" && !input.externalRef?.trim()) {
+                throw unprocessable("External reference secrets require externalRef");
+            }
+            if (managedMode === "slaw_managed" && input.externalRef?.trim()) {
+                throw unprocessable("Managed secrets cannot override externalRef");
+            }
+            if (managedMode === "slaw_managed" && !input.value?.trim()) {
+                throw unprocessable("Managed secrets require value");
+            }
+            const providerWriteContext = {
+                squadId,
+                secretKey: key,
+                secretName: input.name,
+                version: 1,
+            };
+            const reservedSecret = await db
+                .insert(squadSecrets)
+                .values({
+                squadId,
+                key,
+                name: input.name,
+                provider: input.provider,
+                providerConfigId: input.providerConfigId ?? null,
+                status: "archived",
+                managedMode,
+                externalRef: null,
+                providerMetadata: input.providerMetadata ?? null,
+                latestVersion: 0,
+                description: input.description ?? null,
+                createdByAgentId: actor?.agentId ?? null,
+                createdByUserId: actor?.userId ?? null,
+            })
+                .returning()
+                .then((rows) => rows[0]);
+            let prepared;
+            try {
+                prepared =
+                    managedMode === "external_reference"
+                        ? await provider.linkExternalSecret({
+                            externalRef: input.externalRef ?? "",
+                            providerVersionRef: input.providerVersionRef ?? null,
+                            providerConfig,
+                            context: providerWriteContext,
+                        })
+                        : await provider.createSecret({
+                            value: input.value ?? "",
+                            externalRef: null,
+                            providerConfig,
+                            context: providerWriteContext,
+                        });
+            }
+            catch (error) {
+                await db.delete(squadSecrets).where(eq(squadSecrets.id, reservedSecret.id)).catch(() => undefined);
+                throw error;
+            }
+            try {
+                await db
+                    .update(squadSecrets)
+                    .set({
+                    externalRef: prepared.externalRef,
+                    latestVersion: 1,
+                    updatedAt: new Date(),
+                })
+                    .where(eq(squadSecrets.id, reservedSecret.id));
+                await db.insert(squadSecretVersions).values({
+                    secretId: reservedSecret.id,
+                    version: 1,
+                    material: prepared.material,
+                    valueSha256: prepared.valueSha256,
+                    fingerprintSha256: prepared.fingerprintSha256 ?? prepared.valueSha256,
+                    providerVersionRef: prepared.providerVersionRef ?? null,
+                    status: "disabled",
+                    createdByAgentId: actor?.agentId ?? null,
+                    createdByUserId: actor?.userId ?? null,
+                });
+            }
+            catch (error) {
+                if (managedMode === "slaw_managed") {
+                    const cleaned = await cleanupPreparedProviderWrite({
+                        provider,
+                        prepared,
+                        providerConfig,
+                        context: providerWriteContext,
+                        mode: "delete",
+                        operation: "create.prepare_rollback",
+                    });
+                    if (cleaned) {
+                        await db.delete(squadSecrets).where(eq(squadSecrets.id, reservedSecret.id)).catch(() => undefined);
+                    }
+                }
+                else {
+                    await db.delete(squadSecrets).where(eq(squadSecrets.id, reservedSecret.id)).catch(() => undefined);
+                }
+                throw error;
+            }
+            try {
+                return await db.transaction(async (tx) => {
+                    await tx
+                        .update(squadSecretVersions)
+                        .set({ status: "current" })
+                        .where(and(eq(squadSecretVersions.secretId, reservedSecret.id), eq(squadSecretVersions.version, 1)));
+                    const secret = await tx
+                        .update(squadSecrets)
+                        .set({
+                        status: "active",
+                        externalRef: prepared.externalRef,
+                        latestVersion: 1,
+                        lastRotatedAt: new Date(),
+                        updatedAt: new Date(),
+                    })
+                        .where(eq(squadSecrets.id, reservedSecret.id))
+                        .returning()
+                        .then((rows) => rows[0]);
+                    if (!secret)
+                        throw notFound("Secret not found");
+                    return secret;
+                });
+            }
+            catch (error) {
+                if (managedMode === "slaw_managed") {
+                    const cleaned = await cleanupPreparedProviderWrite({
+                        provider,
+                        prepared,
+                        providerConfig,
+                        context: providerWriteContext,
+                        mode: "delete",
+                        operation: "create.rollback",
+                    });
+                    if (cleaned) {
+                        await db.delete(squadSecrets).where(eq(squadSecrets.id, reservedSecret.id)).catch(() => undefined);
+                    }
+                }
+                else {
+                    await db.delete(squadSecrets).where(eq(squadSecrets.id, reservedSecret.id)).catch(() => undefined);
+                }
+                throw error;
+            }
+        },
+        rotate: async (secretId, input, actor) => {
+            const secret = await getById(secretId);
+            if (!secret)
+                throw notFound("Secret not found");
+            if (secret.status !== "active")
+                throw unprocessable("Cannot rotate a non-active secret");
+            const providerId = secret.provider;
+            const provider = getSecretProvider(providerId);
+            const providerConfigId = input.providerConfigId === undefined ? secret.providerConfigId : input.providerConfigId;
+            const providerConfig = await getSelectableRuntimeProviderConfig({
+                squadId: secret.squadId,
+                provider: providerId,
+                providerConfigId,
+            });
+            const nextVersion = secret.latestVersion + 1;
+            if (secret.managedMode === "external_reference" && !(input.externalRef ?? secret.externalRef)?.trim()) {
+                throw unprocessable("External reference secrets require externalRef");
+            }
+            if (secret.managedMode !== "external_reference" && input.externalRef?.trim()) {
+                throw unprocessable("Managed secrets cannot override externalRef");
+            }
+            if (secret.managedMode !== "external_reference" && !input.value?.trim()) {
+                throw unprocessable("Managed secrets require value");
+            }
+            const providerWriteContext = {
+                squadId: secret.squadId,
+                secretKey: secret.key,
+                secretName: secret.name,
+                version: nextVersion,
+            };
+            const prepared = secret.managedMode === "external_reference"
+                ? await provider.linkExternalSecret({
+                    externalRef: input.externalRef ?? secret.externalRef ?? "",
+                    providerVersionRef: input.providerVersionRef ?? null,
+                    providerConfig,
+                    context: providerWriteContext,
+                })
+                : await provider.createVersion({
+                    value: input.value ?? "",
+                    externalRef: secret.externalRef ?? null,
+                    providerConfig,
+                    context: providerWriteContext,
+                });
+            try {
+                await db.insert(squadSecretVersions).values({
+                    secretId: secret.id,
+                    version: nextVersion,
+                    material: prepared.material,
+                    valueSha256: prepared.valueSha256,
+                    fingerprintSha256: prepared.fingerprintSha256 ?? prepared.valueSha256,
+                    providerVersionRef: prepared.providerVersionRef ?? null,
+                    status: "disabled",
+                    createdByAgentId: actor?.agentId ?? null,
+                    createdByUserId: actor?.userId ?? null,
+                });
+            }
+            catch (error) {
+                if (secret.managedMode !== "external_reference") {
+                    await cleanupPreparedProviderWrite({
+                        provider,
+                        prepared,
+                        providerConfig,
+                        context: providerWriteContext,
+                        mode: "archive",
+                        operation: "rotate.prepare_rollback",
+                    });
+                }
+                throw error;
+            }
+            try {
+                return await db.transaction(async (tx) => {
+                    await tx
+                        .update(squadSecretVersions)
+                        .set({ status: "previous" })
+                        .where(and(eq(squadSecretVersions.secretId, secret.id), ne(squadSecretVersions.version, nextVersion)));
+                    await tx
+                        .update(squadSecretVersions)
+                        .set({ status: "current" })
+                        .where(and(eq(squadSecretVersions.secretId, secret.id), eq(squadSecretVersions.version, nextVersion)));
+                    const updated = await tx
+                        .update(squadSecrets)
+                        .set({
+                        latestVersion: nextVersion,
+                        externalRef: prepared.externalRef,
+                        providerConfigId,
+                        lastRotatedAt: new Date(),
+                        updatedAt: new Date(),
+                    })
+                        .where(eq(squadSecrets.id, secret.id))
+                        .returning()
+                        .then((rows) => rows[0] ?? null);
+                    if (!updated)
+                        throw notFound("Secret not found");
+                    return updated;
+                });
+            }
+            catch (error) {
+                if (secret.managedMode !== "external_reference") {
+                    const cleaned = await cleanupPreparedProviderWrite({
+                        provider,
+                        prepared,
+                        providerConfig,
+                        context: providerWriteContext,
+                        mode: "archive",
+                        operation: "rotate.rollback",
+                    });
+                    if (cleaned) {
+                        await db
+                            .delete(squadSecretVersions)
+                            .where(and(eq(squadSecretVersions.secretId, secret.id), eq(squadSecretVersions.version, nextVersion)))
+                            .catch(() => undefined);
+                    }
+                }
+                throw error;
+            }
+        },
+        update: async (secretId, patch) => {
+            const secret = await getById(secretId);
+            if (!secret)
+                throw notFound("Secret not found");
+            if (secret.status === "deleted")
+                throw notFound("Secret not found");
+            if (patch.name && patch.name !== secret.name) {
+                const duplicate = await getByName(secret.squadId, patch.name);
+                if (duplicate && duplicate.id !== secret.id) {
+                    throw conflict(`Secret already exists: ${patch.name}`);
+                }
+            }
+            const nextKey = patch.key ? normalizeSecretKey(patch.key) : secret.key;
+            if (!nextKey)
+                throw unprocessable("Secret key is required");
+            if (nextKey !== secret.key) {
+                const duplicateKey = await db
+                    .select()
+                    .from(squadSecrets)
+                    .where(and(eq(squadSecrets.squadId, secret.squadId), eq(squadSecrets.key, nextKey), ne(squadSecrets.status, "deleted")))
+                    .then((rows) => rows[0] ?? null);
+                if (duplicateKey && duplicateKey.id !== secret.id) {
+                    throw conflict(`Secret key already exists: ${nextKey}`);
+                }
+            }
+            const deleting = patch.status === "deleted";
+            if (deleting && secret.managedMode === "slaw_managed") {
+                throw unprocessable("Managed secrets must be deleted through DELETE /secrets/:id");
+            }
+            if (secret.managedMode !== "external_reference" && patch.externalRef !== undefined) {
+                throw unprocessable("Managed secrets cannot override externalRef");
+            }
+            if (secret.managedMode === "external_reference" &&
+                patch.externalRef !== undefined &&
+                patch.externalRef !== secret.externalRef) {
+                throw unprocessable("External reference secrets cannot be retargeted through generic update");
+            }
+            if (secret.managedMode === "external_reference" &&
+                patch.providerConfigId !== undefined &&
+                patch.providerConfigId !== secret.providerConfigId) {
+                throw unprocessable("External reference secrets cannot change provider vault through generic update");
+            }
+            if (secret.managedMode === "slaw_managed" &&
+                patch.providerConfigId !== undefined &&
+                patch.providerConfigId !== secret.providerConfigId) {
+                throw unprocessable("Managed secrets cannot change provider vault through PATCH; use rotate() to migrate to a new vault");
+            }
+            if (patch.providerConfigId !== undefined) {
+                await assertProviderConfigForSecret(secret.squadId, secret.provider, patch.providerConfigId);
+            }
+            return db
+                .update(squadSecrets)
+                .set({
+                key: deleting ? `${secret.key}__deleted__${secret.id}` : nextKey,
+                name: deleting ? `${secret.name}__deleted__${secret.id}` : patch.name ?? secret.name,
+                status: patch.status ?? secret.status,
+                providerConfigId: patch.providerConfigId === undefined ? secret.providerConfigId : patch.providerConfigId,
+                description: patch.description === undefined ? secret.description : patch.description,
+                externalRef: patch.externalRef === undefined ? secret.externalRef : patch.externalRef,
+                providerMetadata: patch.providerMetadata === undefined ? secret.providerMetadata : patch.providerMetadata,
+                deletedAt: deleting ? new Date() : secret.deletedAt,
+                updatedAt: new Date(),
+            })
+                .where(eq(squadSecrets.id, secret.id))
+                .returning()
+                .then((rows) => rows[0] ?? null);
+        },
+        createBinding: async (input) => {
+            await assertSecretInSquad(input.squadId, input.secretId);
+            const existing = await db
+                .select()
+                .from(squadSecretBindings)
+                .where(and(eq(squadSecretBindings.squadId, input.squadId), eq(squadSecretBindings.targetType, input.targetType), eq(squadSecretBindings.targetId, input.targetId), eq(squadSecretBindings.configPath, input.configPath)))
+                .then((rows) => rows[0] ?? null);
+            if (existing)
+                throw conflict(`Secret binding already exists at ${input.configPath}`);
+            return db
+                .insert(squadSecretBindings)
+                .values({
+                squadId: input.squadId,
+                secretId: input.secretId,
+                targetType: input.targetType,
+                targetId: input.targetId,
+                configPath: input.configPath,
+                versionSelector: String(input.versionSelector ?? "latest"),
+                required: input.required ?? true,
+                label: input.label ?? null,
+            })
+                .returning()
+                .then((rows) => rows[0]);
+        },
+        syncSecretRefsForTarget: async (squadId, target, refs) => {
+            const normalizedRefs = [];
+            for (const ref of refs) {
+                await assertSecretInSquad(squadId, ref.secretId);
+                normalizedRefs.push({
+                    secretId: ref.secretId,
+                    configPath: ref.configPath,
+                    versionSelector: ref.versionSelector ?? "latest",
+                    required: ref.required ?? true,
+                    label: ref.label ?? null,
+                });
+            }
+            const pathPrefixes = [...new Set(normalizedRefs.map((ref) => ref.configPath.split(".")[0]))];
+            await db.transaction(async (tx) => {
+                if (pathPrefixes.length > 0) {
+                    for (const pathPrefix of pathPrefixes) {
+                        await tx
+                            .delete(squadSecretBindings)
+                            .where(and(eq(squadSecretBindings.squadId, squadId), eq(squadSecretBindings.targetType, target.targetType), eq(squadSecretBindings.targetId, target.targetId), like(squadSecretBindings.configPath, `${pathPrefix}.%`)));
+                    }
+                }
+                else {
+                    await tx
+                        .delete(squadSecretBindings)
+                        .where(and(eq(squadSecretBindings.squadId, squadId), eq(squadSecretBindings.targetType, target.targetType), eq(squadSecretBindings.targetId, target.targetId)));
+                }
+                if (normalizedRefs.length === 0)
+                    return;
+                await tx.insert(squadSecretBindings).values(normalizedRefs.map((ref) => ({
+                    squadId,
+                    secretId: ref.secretId,
+                    targetType: target.targetType,
+                    targetId: target.targetId,
+                    configPath: ref.configPath,
+                    versionSelector: String(ref.versionSelector),
+                    required: ref.required,
+                    label: ref.label,
+                })));
+            });
+            return normalizedRefs;
+        },
+        syncEnvBindingsForTarget: async (squadId, target, envValue, options) => {
+            const record = asRecord(envValue) ?? {};
+            const refs = [];
+            const pathPrefix = target.pathPrefix ?? "env";
+            const bindingDb = options?.db ?? db;
+            for (const [key, rawBinding] of Object.entries(record)) {
+                const parsed = envBindingSchema.safeParse(rawBinding);
+                if (!parsed.success)
+                    continue;
+                const binding = canonicalizeBinding(parsed.data);
+                if (binding.type !== "secret_ref")
+                    continue;
+                await assertSecretInSquad(squadId, binding.secretId, bindingDb);
+                refs.push({
+                    secretId: binding.secretId,
+                    configPath: `${pathPrefix}.${key}`,
+                    versionSelector: binding.version,
+                });
+            }
+            const writeBindings = async (targetDb) => {
+                await targetDb
+                    .delete(squadSecretBindings)
+                    .where(and(eq(squadSecretBindings.squadId, squadId), eq(squadSecretBindings.targetType, target.targetType), eq(squadSecretBindings.targetId, target.targetId), like(squadSecretBindings.configPath, `${pathPrefix}.%`)));
+                if (refs.length === 0)
+                    return;
+                await targetDb.insert(squadSecretBindings).values(refs.map((ref) => ({
+                    squadId,
+                    secretId: ref.secretId,
+                    targetType: target.targetType,
+                    targetId: target.targetId,
+                    configPath: ref.configPath,
+                    versionSelector: String(ref.versionSelector),
+                    required: true,
+                })));
+            };
+            if (options?.db) {
+                await writeBindings(options.db);
+            }
+            else {
+                await db.transaction(async (tx) => writeBindings(tx));
+            }
+            return refs;
+        },
+        remove: async (secretId) => {
+            const secret = await getById(secretId);
+            if (!secret)
+                return null;
+            const versionRow = await getSecretVersion(secret.id, secret.latestVersion);
+            const providerId = secret.provider;
+            const provider = getSecretProvider(providerId);
+            if (secret.status !== "deleted") {
+                await db
+                    .update(squadSecrets)
+                    .set({
+                    key: `${secret.key}__deleted__${secret.id}`,
+                    name: `${secret.name}__deleted__${secret.id}`,
+                    status: "deleted",
+                    deletedAt: secret.deletedAt ?? new Date(),
+                    updatedAt: new Date(),
+                })
+                    .where(eq(squadSecrets.id, secretId));
+            }
+            const providerConfig = secret.providerConfigId
+                ? await getProviderConfigById(secret.providerConfigId)
+                : null;
+            const providerRuntimeConfig = providerConfig && providerConfig.status !== "disabled" && providerConfig.status !== "coming_soon"
+                ? toProviderVaultRuntimeConfig(providerConfig)
+                : null;
+            if (!secret.providerConfigId || providerRuntimeConfig) {
+                try {
+                    await provider.deleteOrArchive({
+                        material: versionRow?.material,
+                        externalRef: secret.externalRef,
+                        providerConfig: providerRuntimeConfig,
+                        context: {
+                            squadId: secret.squadId,
+                            secretKey: secret.key,
+                            secretName: secret.name,
+                            version: secret.latestVersion,
+                        },
+                        mode: "delete",
+                    });
+                }
+                catch (error) {
+                    if (!isSecretProviderClientError(error) || error.code !== "not_found") {
+                        throw error;
+                    }
+                }
+            }
+            await db.delete(squadSecrets).where(eq(squadSecrets.id, secretId));
+            return secret;
+        },
+        normalizeAdapterConfigForPersistence: async (squadId, adapterConfig, opts) => normalizeAdapterConfigForPersistenceInternal(squadId, adapterConfig, opts),
+        normalizeEnvBindingsForPersistence: async (squadId, envValue, opts) => normalizeEnvConfig(squadId, envValue, opts),
+        normalizeHireApprovalPayloadForPersistence: async (squadId, payload, opts) => {
+            const normalized = { ...payload };
+            const adapterConfig = asRecord(payload.adapterConfig);
+            if (adapterConfig) {
+                normalized.adapterConfig = await normalizeAdapterConfigForPersistenceInternal(squadId, adapterConfig, opts);
+            }
+            return normalized;
+        },
+        resolveEnvBindings: async (squadId, envValue, context) => {
+            const record = asRecord(envValue);
+            if (!record)
+                return { env: {}, secretKeys: new Set(), manifest: [] };
+            const resolved = {};
+            const secretKeys = new Set();
+            const manifest = [];
+            for (const [key, rawBinding] of Object.entries(record)) {
+                if (!ENV_KEY_RE.test(key)) {
+                    throw unprocessable(`Invalid environment variable name: ${key}`);
+                }
+                const parsed = envBindingSchema.safeParse(rawBinding);
+                if (!parsed.success) {
+                    throw unprocessable(`Invalid environment binding for key: ${key}`);
+                }
+                const binding = canonicalizeBinding(parsed.data);
+                if (binding.type === "plain") {
+                    resolved[key] = binding.value;
+                }
+                else {
+                    const secretResolution = await resolveSecretValueInternal(squadId, binding.secretId, binding.version, context ? { ...context, configPath: `env.${key}` } : undefined);
+                    resolved[key] = secretResolution.value;
+                    manifest.push(secretResolution.manifestEntry);
+                    secretKeys.add(key);
+                }
+            }
+            return { env: resolved, secretKeys, manifest };
+        },
+        resolveAdapterConfigForRuntime: async (squadId, adapterConfig, context) => {
+            const resolved = { ...adapterConfig };
+            const secretKeys = new Set();
+            const manifest = [];
+            if (!Object.prototype.hasOwnProperty.call(adapterConfig, "env")) {
+                return { config: resolved, secretKeys, manifest };
+            }
+            const record = asRecord(adapterConfig.env);
+            if (!record) {
+                resolved.env = {};
+                return { config: resolved, secretKeys, manifest };
+            }
+            const env = {};
+            for (const [key, rawBinding] of Object.entries(record)) {
+                if (!ENV_KEY_RE.test(key)) {
+                    throw unprocessable(`Invalid environment variable name: ${key}`);
+                }
+                const parsed = envBindingSchema.safeParse(rawBinding);
+                if (!parsed.success) {
+                    throw unprocessable(`Invalid environment binding for key: ${key}`);
+                }
+                const binding = canonicalizeBinding(parsed.data);
+                if (binding.type === "plain") {
+                    env[key] = binding.value;
+                }
+                else {
+                    const secretResolution = await resolveSecretValueInternal(squadId, binding.secretId, binding.version, context ? { ...context, configPath: `env.${key}` } : undefined);
+                    env[key] = secretResolution.value;
+                    manifest.push(secretResolution.manifestEntry);
+                    secretKeys.add(key);
+                }
+            }
+            resolved.env = env;
+            return { config: resolved, secretKeys, manifest };
+        },
+    };
+}
+//# sourceMappingURL=secrets.js.map