@super-repo/envx-plugins 0.2.3-b.4

package/dist/auto-preload.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auto-preload.js","sourceRoot":"","sources":["../src/auto-preload.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,IAAI,CAAC;AACzB,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAI7B,6DAA6D;AAE7D,yFAAyF;AACzF,MAAM,MAAM,GAAG,qCAAqC,CAAC;AAerD;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,SAAoC,EACpC,IAAwB;IAExB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;IACtC,MAAM,UAAU,GAA6B,IAAI,GAAG,EAAE,CAAC;IACvD,KAAK,MAAM,CAAC,IAAI,SAAS;QAAE,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,IAAI,GAAG,EAAE,CAAC,CAAC;IAE7D,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;QACjC,MAAM,GAAG,GAAG,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;QACnE,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,SAAS;QAClC,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;QAC7C,IAAI,CAAyB,CAAC;QAC9B,MAAM,CAAC,SAAS,GAAG,CAAC,CAAC;QACrB,OAAO,CAAC,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YAC3C,MAAM,QAAQ,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;YACtB,MAAM,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;YAChB,IAAI,QAAQ,KAAK,SAAS,IAAI,EAAE,KAAK,SAAS;gBAAE,SAAS;YACzD,MAAM,GAAG,GAAG,UAAU,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;YACrC,IAAI,GAAG;gBAAE,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACvB,CAAC;IACH,CAAC;IAED,MAAM,SAAS,GAA6B,EAAE,CAAC;IAC/C,MAAM,OAAO,CAAC,GAAG,CACf,SAAS,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC,EAAE,EAAE;QACxB,MAAM,GAAG,GAAG,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;QAChD,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACrB,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC;YACvB,OAAO;QACT,CAAC;QACD,MAAM,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACrB,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,GAAG,CAAC;IAC1B,CAAC,CAAC,CACH,CAAC;IACF,OAAO,EAAE,SAAS,EAAE,CAAC;AACvB,CAAC;AAED,6DAA6D;AAE7D,2DAA2D;AAE3D;;;;GAIG;AACH,MAAM,UAAU,WAAW,CACzB,SAAoC;IAEpC,MAAM,GAAG,GAAuD,EAAE,CAAC;IACnE,KAAK,MAAM,CAAC,IAAI,SAAS;QAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;IAC/D,OAAO,GAAG,CAAC;AACb,CAAC;AAED,6DAA6D"}

package/dist/aws.d.ts

@@ -0,0 +1,52 @@
+import { type SecretProvider } from "./types.js";
+export interface AwsSecretsOptions {
+    /** AWS region the secrets live in (e.g. "us-east-1"). */
+    readonly region: string;
+    /**
+     * Override the default SDK client. Useful for tests, for sharing a
+     * client across plugins, or when your environment needs a custom
+     * credential provider chain. The object only needs a `send(command)`
+     * method that returns a `{ SecretString?: string; SecretBinary?: Uint8Array }`.
+     */
+    readonly client?: {
+        send: (cmd: unknown) => Promise<{
+            SecretString?: string;
+            SecretBinary?: Uint8Array;
+        }>;
+    };
+    /**
+     * Custom name for this provider instance. Defaults to `"aws-secrets"`,
+     * matching the conventional `${aws-secrets:my-id}` reference shape. If
+     * you want multiple AWS regions to coexist, give each a distinct name
+     * (`"aws-us"`, `"aws-eu"`) and reference accordingly.
+     */
+    readonly name?: string;
+}
+/**
+ * AWS Secrets Manager provider.
+ *
+ * ```ts
+ * import { awsSecrets } from "@super-repo/envx-plugins/aws";
+ *
+ * const aws = awsSecrets({ region: "us-east-1" });
+ * await aws.preload(["prod/db", "prod/api-key"]);
+ *
+ * envx({
+ *   resolvers: { [aws.name]: aws.resolve },
+ * });
+ * ```
+ *
+ * Reference shape in `.env*`:
+ *
+ * ```
+ * DATABASE_URL=${aws-secrets:prod/db}
+ * API_KEY=${aws-secrets:prod/api-key}
+ * ```
+ *
+ * The plugin uses `@aws-sdk/client-secrets-manager` (lazy-loaded —
+ * only required when `preload()` runs). Install it in your app:
+ *
+ *     pnpm add @aws-sdk/client-secrets-manager
+ */
+export declare function awsSecrets(opts: AwsSecretsOptions): SecretProvider;
+//# sourceMappingURL=aws.d.ts.map

package/dist/aws.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"aws.d.ts","sourceRoot":"","sources":["../src/aws.ts"],"names":[],"mappings":"AAAA,OAAO,EAAkC,KAAK,cAAc,EAAE,MAAM,YAAY,CAAC;AAIjF,MAAM,WAAW,iBAAiB;IAChC,yDAAyD;IACzD,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB;;;;;OAKG;IACH,QAAQ,CAAC,MAAM,CAAC,EAAE;QAChB,IAAI,EAAE,CAAC,GAAG,EAAE,OAAO,KAAK,OAAO,CAAC;YAC9B,YAAY,CAAC,EAAE,MAAM,CAAC;YACtB,YAAY,CAAC,EAAE,UAAU,CAAC;SAC3B,CAAC,CAAC;KACJ,CAAC;IACF;;;;;OAKG;IACH,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;CACxB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,wBAAgB,UAAU,CAAC,IAAI,EAAE,iBAAiB,GAAG,cAAc,CAkDlE"}

package/dist/aws.js

@@ -0,0 +1,68 @@
+import { buildProvider, MissingSdkError } from "./types.js";
+/**
+ * AWS Secrets Manager provider.
+ *
+ * ```ts
+ * import { awsSecrets } from "@super-repo/envx-plugins/aws";
+ *
+ * const aws = awsSecrets({ region: "us-east-1" });
+ * await aws.preload(["prod/db", "prod/api-key"]);
+ *
+ * envx({
+ *   resolvers: { [aws.name]: aws.resolve },
+ * });
+ * ```
+ *
+ * Reference shape in `.env*`:
+ *
+ * ```
+ * DATABASE_URL=${aws-secrets:prod/db}
+ * API_KEY=${aws-secrets:prod/api-key}
+ * ```
+ *
+ * The plugin uses `@aws-sdk/client-secrets-manager` (lazy-loaded —
+ * only required when `preload()` runs). Install it in your app:
+ *
+ *     pnpm add @aws-sdk/client-secrets-manager
+ */
+export function awsSecrets(opts) {
+    const name = opts.name ?? "aws-secrets";
+    const injected = opts.client;
+    let client = injected ?? null;
+    let GetSecretValueCommand = null;
+    return buildProvider(name, async (id) => {
+        // If the caller didn't inject a client, lazy-load the SDK. With an
+        // injected client the SDK is bypassed entirely — useful for tests
+        // and for users who want a custom credential chain.
+        if (!client) {
+            try {
+                // Indirected through a variable so TS doesn't try to resolve
+                // the optional SDK at compile time (it's a peer dep).
+                const specifier = "@aws-sdk/client-secrets-manager";
+                const sdk = (await import(/* @vite-ignore */ specifier));
+                client = new sdk.SecretsManagerClient({
+                    region: opts.region,
+                });
+                GetSecretValueCommand = sdk.GetSecretValueCommand;
+            }
+            catch {
+                throw new MissingSdkError("aws", "@aws-sdk/client-secrets-manager");
+            }
+        }
+        // For an injected client we hand `send()` a plain object — the test
+        // / custom client decides what to do with it. For the real SDK
+        // client we use the proper Command class.
+        const cmd = GetSecretValueCommand
+            ? new GetSecretValueCommand({ SecretId: id })
+            : { SecretId: id };
+        const r = await client.send(cmd);
+        if (typeof r.SecretString === "string")
+            return r.SecretString;
+        if (r.SecretBinary) {
+            return Buffer.from(r.SecretBinary).toString("utf8");
+        }
+        throw new Error(`secret '${id}' has neither SecretString nor SecretBinary`);
+    });
+}
+// #endregion -----------------------------------------------
+//# sourceMappingURL=aws.js.map

package/dist/aws.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"aws.js","sourceRoot":"","sources":["../src/aws.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,eAAe,EAAuB,MAAM,YAAY,CAAC;AA4BjF;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,MAAM,UAAU,UAAU,CAAC,IAAuB;IAChD,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,IAAI,aAAa,CAAC;IACxC,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,CAAC;IAC7B,IAAI,MAAM,GAAuC,QAAQ,IAAI,IAAI,CAAC;IAClE,IAAI,qBAAqB,GAEd,IAAI,CAAC;IAEhB,OAAO,aAAa,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE;QACtC,mEAAmE;QACnE,kEAAkE;QAClE,oDAAoD;QACpD,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,IAAI,CAAC;gBAWH,6DAA6D;gBAC7D,sDAAsD;gBACtD,MAAM,SAAS,GAAG,iCAAiC,CAAC;gBACpD,MAAM,GAAG,GAAG,CAAC,MAAM,MAAM,CAAC,kBAAkB,CAAC,SAAS,CAAC,CAAsB,CAAC;gBAC9E,MAAM,GAAG,IAAI,GAAG,CAAC,oBAAoB,CAAC;oBACpC,MAAM,EAAE,IAAI,CAAC,MAAM;iBACpB,CAA2C,CAAC;gBAC7C,qBAAqB,GAAG,GAAG,CAAC,qBAAqB,CAAC;YACpD,CAAC;YAAC,MAAM,CAAC;gBACP,MAAM,IAAI,eAAe,CAAC,KAAK,EAAE,iCAAiC,CAAC,CAAC;YACtE,CAAC;QACH,CAAC;QAED,oEAAoE;QACpE,+DAA+D;QAC/D,0CAA0C;QAC1C,MAAM,GAAG,GAAG,qBAAqB;YAC/B,CAAC,CAAC,IAAI,qBAAqB,CAAC,EAAE,QAAQ,EAAE,EAAE,EAAE,CAAC;YAC7C,CAAC,CAAE,EAAE,QAAQ,EAAE,EAAE,EAAc,CAAC;QAClC,MAAM,CAAC,GAAG,MAAM,MAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAClC,IAAI,OAAO,CAAC,CAAC,YAAY,KAAK,QAAQ;YAAE,OAAO,CAAC,CAAC,YAAY,CAAC;QAC9D,IAAI,CAAC,CAAC,YAAY,EAAE,CAAC;YACnB,OAAO,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QACtD,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,WAAW,EAAE,6CAA6C,CAAC,CAAC;IAC9E,CAAC,CAAC,CAAC;AACL,CAAC;AAED,6DAA6D"}

package/dist/azure.d.ts

@@ -0,0 +1,46 @@
+import { type SecretProvider } from "./types.js";
+export interface AzureKeyVaultOptions {
+    /** Vault URL (e.g. "https://my-vault.vault.azure.net"). */
+    readonly vaultUrl: string;
+    /**
+     * Custom credential. Defaults to `new DefaultAzureCredential()` from
+     * `@azure/identity` — which walks env vars, managed identity, Azure
+     * CLI, etc. Override for tests or specialized credential chains.
+     */
+    readonly credential?: unknown;
+    /** Pre-built SecretClient for tests. */
+    readonly client?: {
+        getSecret: (name: string, opts?: {
+            version?: string;
+        }) => Promise<{
+            value?: string | null;
+        }>;
+    };
+    /** Provider name, defaults to `"azure-keyvault"`. */
+    readonly name?: string;
+}
+/**
+ * Azure Key Vault provider.
+ *
+ * ```ts
+ * import { azureKeyVault } from "@super-repo/envx-plugins/azure";
+ *
+ * const az = azureKeyVault({ vaultUrl: "https://my-vault.vault.azure.net" });
+ * await az.preload(["prod-db", "prod-api"]);
+ *
+ * envx({ resolvers: { [az.name]: az.resolve } });
+ * ```
+ *
+ * Reference shape:
+ *
+ * ```
+ * DB_URL=${azure-keyvault:prod-db}
+ * API_KEY=${azure-keyvault:prod-api@<version>}
+ * ```
+ *
+ * Uses `@azure/keyvault-secrets` + `@azure/identity` (lazy-loaded):
+ *
+ *     pnpm add @azure/keyvault-secrets @azure/identity
+ */
+export declare function azureKeyVault(opts: AzureKeyVaultOptions): SecretProvider;
+//# sourceMappingURL=azure.d.ts.map

package/dist/azure.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"azure.d.ts","sourceRoot":"","sources":["../src/azure.ts"],"names":[],"mappings":"AAAA,OAAO,EAAkC,KAAK,cAAc,EAAE,MAAM,YAAY,CAAC;AAIjF,MAAM,WAAW,oBAAoB;IACnC,2DAA2D;IAC3D,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B;;;;OAIG;IACH,QAAQ,CAAC,UAAU,CAAC,EAAE,OAAO,CAAC;IAC9B,wCAAwC;IACxC,QAAQ,CAAC,MAAM,CAAC,EAAE;QAChB,SAAS,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE;YAAE,OAAO,CAAC,EAAE,MAAM,CAAA;SAAE,KAAK,OAAO,CAAC;YAChE,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;SACvB,CAAC,CAAC;KACJ,CAAC;IACF,qDAAqD;IACrD,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;CACxB;AAED;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,wBAAgB,aAAa,CAAC,IAAI,EAAE,oBAAoB,GAAG,cAAc,CAgDxE"}

package/dist/azure.js

@@ -0,0 +1,64 @@
+import { buildProvider, MissingSdkError } from "./types.js";
+/**
+ * Azure Key Vault provider.
+ *
+ * ```ts
+ * import { azureKeyVault } from "@super-repo/envx-plugins/azure";
+ *
+ * const az = azureKeyVault({ vaultUrl: "https://my-vault.vault.azure.net" });
+ * await az.preload(["prod-db", "prod-api"]);
+ *
+ * envx({ resolvers: { [az.name]: az.resolve } });
+ * ```
+ *
+ * Reference shape:
+ *
+ * ```
+ * DB_URL=${azure-keyvault:prod-db}
+ * API_KEY=${azure-keyvault:prod-api@<version>}
+ * ```
+ *
+ * Uses `@azure/keyvault-secrets` + `@azure/identity` (lazy-loaded):
+ *
+ *     pnpm add @azure/keyvault-secrets @azure/identity
+ */
+export function azureKeyVault(opts) {
+    const name = opts.name ?? "azure-keyvault";
+    let client = opts.client ?? null;
+    return buildProvider(name, async (id) => {
+        if (!client) {
+            let secretsSdk = null;
+            let credential = opts.credential;
+            try {
+                const secretsSpecifier = "@azure/keyvault-secrets";
+                secretsSdk = (await import(/* @vite-ignore */ secretsSpecifier));
+            }
+            catch {
+                throw new MissingSdkError("azure", "@azure/keyvault-secrets");
+            }
+            if (!credential) {
+                try {
+                    const identitySpecifier = "@azure/identity";
+                    const identity = (await import(/* @vite-ignore */ identitySpecifier));
+                    credential = new identity.DefaultAzureCredential();
+                }
+                catch {
+                    throw new MissingSdkError("azure", "@azure/identity");
+                }
+            }
+            client = new secretsSdk.SecretClient(opts.vaultUrl, credential);
+        }
+        const at = id.indexOf("@");
+        const secretName = at >= 0 ? id.slice(0, at) : id;
+        const version = at >= 0 ? id.slice(at + 1) : undefined;
+        const result = version
+            ? await client.getSecret(secretName, { version })
+            : await client.getSecret(secretName);
+        if (typeof result.value !== "string") {
+            throw new Error(`secret '${id}' had no value`);
+        }
+        return result.value;
+    });
+}
+// #endregion -----------------------------------------------
+//# sourceMappingURL=azure.js.map

package/dist/azure.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"azure.js","sourceRoot":"","sources":["../src/azure.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,eAAe,EAAuB,MAAM,YAAY,CAAC;AAuBjF;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,MAAM,UAAU,aAAa,CAAC,IAA0B;IACtD,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,IAAI,gBAAgB,CAAC;IAC3C,IAAI,MAAM,GAA0C,IAAI,CAAC,MAAM,IAAI,IAAI,CAAC;IAExE,OAAO,aAAa,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE;QACtC,IAAI,CAAC,MAAM,EAAE,CAAC;YASZ,IAAI,UAAU,GAA2B,IAAI,CAAC;YAC9C,IAAI,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC;YACjC,IAAI,CAAC;gBACH,MAAM,gBAAgB,GAAG,yBAAyB,CAAC;gBACnD,UAAU,GAAG,CAAC,MAAM,MAAM,CAAC,kBAAkB,CAAC,gBAAgB,CAAC,CAA+B,CAAC;YACjG,CAAC;YAAC,MAAM,CAAC;gBACP,MAAM,IAAI,eAAe,CAAC,OAAO,EAAE,yBAAyB,CAAC,CAAC;YAChE,CAAC;YACD,IAAI,CAAC,UAAU,EAAE,CAAC;gBAChB,IAAI,CAAC;oBACH,MAAM,iBAAiB,GAAG,iBAAiB,CAAC;oBAC5C,MAAM,QAAQ,GAAG,CAAC,MAAM,MAAM,CAAC,kBAAkB,CAAC,iBAAiB,CAAC,CAAgC,CAAC;oBACrG,UAAU,GAAG,IAAI,QAAQ,CAAC,sBAAsB,EAAE,CAAC;gBACrD,CAAC;gBAAC,MAAM,CAAC;oBACP,MAAM,IAAI,eAAe,CAAC,OAAO,EAAE,iBAAiB,CAAC,CAAC;gBACxD,CAAC;YACH,CAAC;YACD,MAAM,GAAG,IAAI,UAAU,CAAC,YAAY,CAClC,IAAI,CAAC,QAAQ,EACb,UAAU,CACkC,CAAC;QACjD,CAAC;QAED,MAAM,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QAC3B,MAAM,UAAU,GAAG,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QAClD,MAAM,OAAO,GAAG,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,KAAK,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QACvD,MAAM,MAAM,GAAG,OAAO;YACpB,CAAC,CAAC,MAAM,MAAO,CAAC,SAAS,CAAC,UAAU,EAAE,EAAE,OAAO,EAAE,CAAC;YAClD,CAAC,CAAC,MAAM,MAAO,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;QACxC,IAAI,OAAO,MAAM,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;YACrC,MAAM,IAAI,KAAK,CAAC,WAAW,EAAE,gBAAgB,CAAC,CAAC;QACjD,CAAC;QACD,OAAO,MAAM,CAAC,KAAK,CAAC;IACtB,CAAC,CAAC,CAAC;AACL,CAAC;AAED,6DAA6D"}

package/dist/doppler.d.ts

@@ -0,0 +1,36 @@
+import { type SecretProvider } from "./types.js";
+export interface DopplerOptions {
+    /** Doppler service token (per-config). Required. */
+    readonly token: string;
+    /** Override Doppler's REST endpoint (testing / self-hosted). */
+    readonly endpoint?: string;
+    /** Override the global fetch (testing). */
+    readonly fetchImpl?: typeof fetch;
+    /** Provider name, defaults to `"doppler"`. */
+    readonly name?: string;
+}
+/**
+ * Doppler provider — fetches secrets via the REST API using a service
+ * token. No SDK install required (uses native `fetch`).
+ *
+ * ```ts
+ * import { doppler } from "@super-repo/envx-plugins/doppler";
+ *
+ * const dop = doppler({ token: process.env.DOPPLER_TOKEN! });
+ * await dop.preload(["DATABASE_URL", "API_KEY"]);
+ *
+ * envx({ resolvers: { [dop.name]: dop.resolve } });
+ * ```
+ *
+ * Reference shape — IDs are Doppler secret names:
+ *
+ * ```
+ * DATABASE_URL=${doppler:DATABASE_URL}
+ * API_KEY=${doppler:API_KEY}
+ * ```
+ *
+ * Service-account tokens scope to one config (project + environment),
+ * so you typically don't need to specify project/config explicitly.
+ */
+export declare function doppler(opts: DopplerOptions): SecretProvider;
+//# sourceMappingURL=doppler.d.ts.map

package/dist/doppler.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"doppler.d.ts","sourceRoot":"","sources":["../src/doppler.ts"],"names":[],"mappings":"AAAA,OAAO,EAAiB,KAAK,cAAc,EAAE,MAAM,YAAY,CAAC;AAIhE,MAAM,WAAW,cAAc;IAC7B,oDAAoD;IACpD,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,gEAAgE;IAChE,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAC3B,2CAA2C;IAC3C,QAAQ,CAAC,SAAS,CAAC,EAAE,OAAO,KAAK,CAAC;IAClC,8CAA8C;IAC9C,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;CACxB;AAED;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,wBAAgB,OAAO,CAAC,IAAI,EAAE,cAAc,GAAG,cAAc,CA0B5D"}

package/dist/doppler.js

@@ -0,0 +1,48 @@
+import { buildProvider } from "./types.js";
+/**
+ * Doppler provider — fetches secrets via the REST API using a service
+ * token. No SDK install required (uses native `fetch`).
+ *
+ * ```ts
+ * import { doppler } from "@super-repo/envx-plugins/doppler";
+ *
+ * const dop = doppler({ token: process.env.DOPPLER_TOKEN! });
+ * await dop.preload(["DATABASE_URL", "API_KEY"]);
+ *
+ * envx({ resolvers: { [dop.name]: dop.resolve } });
+ * ```
+ *
+ * Reference shape — IDs are Doppler secret names:
+ *
+ * ```
+ * DATABASE_URL=${doppler:DATABASE_URL}
+ * API_KEY=${doppler:API_KEY}
+ * ```
+ *
+ * Service-account tokens scope to one config (project + environment),
+ * so you typically don't need to specify project/config explicitly.
+ */
+export function doppler(opts) {
+    const name = opts.name ?? "doppler";
+    const endpoint = (opts.endpoint ?? "https://api.doppler.com").replace(/\/$/, "");
+    const doFetch = opts.fetchImpl ?? fetch;
+    const auth = "Basic " + Buffer.from(`${opts.token}:`).toString("base64");
+    return buildProvider(name, async (id) => {
+        const url = `${endpoint}/v3/configs/config/secret?name=${encodeURIComponent(id)}`;
+        const r = await doFetch(url, {
+            headers: { Authorization: auth, Accept: "application/json" },
+        });
+        if (!r.ok) {
+            const text = await r.text().catch(() => "");
+            throw new Error(`doppler GET ${url} → ${String(r.status)} ${r.statusText}${text ? `: ${text}` : ""}`);
+        }
+        const body = (await r.json());
+        const v = body.value?.computed ?? body.value?.raw;
+        if (typeof v !== "string") {
+            throw new Error(`doppler: secret '${id}' missing value.computed/raw`);
+        }
+        return v;
+    });
+}
+// #endregion -----------------------------------------------
+//# sourceMappingURL=doppler.js.map

package/dist/doppler.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"doppler.js","sourceRoot":"","sources":["../src/doppler.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAuB,MAAM,YAAY,CAAC;AAehE;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,MAAM,UAAU,OAAO,CAAC,IAAoB;IAC1C,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,IAAI,SAAS,CAAC;IACpC,MAAM,QAAQ,GAAG,CAAC,IAAI,CAAC,QAAQ,IAAI,yBAAyB,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IACjF,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,IAAI,KAAK,CAAC;IACxC,MAAM,IAAI,GAAG,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,KAAK,GAAG,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAEzE,OAAO,aAAa,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE;QACtC,MAAM,GAAG,GAAG,GAAG,QAAQ,kCAAkC,kBAAkB,CAAC,EAAE,CAAC,EAAE,CAAC;QAClF,MAAM,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,EAAE;YAC3B,OAAO,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,MAAM,EAAE,kBAAkB,EAAE;SAC7D,CAAC,CAAC;QACH,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;YACV,MAAM,IAAI,GAAG,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC;YAC5C,MAAM,IAAI,KAAK,CACb,eAAe,GAAG,MAAM,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,CACrF,CAAC;QACJ,CAAC;QACD,MAAM,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,CAE3B,CAAC;QACF,MAAM,CAAC,GAAG,IAAI,CAAC,KAAK,EAAE,QAAQ,IAAI,IAAI,CAAC,KAAK,EAAE,GAAG,CAAC;QAClD,IAAI,OAAO,CAAC,KAAK,QAAQ,EAAE,CAAC;YAC1B,MAAM,IAAI,KAAK,CAAC,oBAAoB,EAAE,8BAA8B,CAAC,CAAC;QACxE,CAAC;QACD,OAAO,CAAC,CAAC;IACX,CAAC,CAAC,CAAC;AACL,CAAC;AAED,6DAA6D"}

package/dist/gcp.d.ts

@@ -0,0 +1,48 @@
+import { type SecretProvider } from "./types.js";
+export interface GcpSecretsOptions {
+    /** Google Cloud project ID (e.g. "acme-prod"). */
+    readonly projectId: string;
+    /**
+     * Default version alias. `"latest"` (the default) reads the most
+     * recent enabled version. Override per-id by including `@<version>`
+     * in the reference: `${gcp-secrets:my-secret@3}`.
+     */
+    readonly version?: string;
+    /** Optional pre-built SecretManagerServiceClient (e.g. for tests). */
+    readonly client?: {
+        accessSecretVersion: (req: {
+            name: string;
+        }) => Promise<[{
+            payload?: {
+                data?: Buffer | string | null;
+            };
+        } | null, ...unknown[]]>;
+    };
+    /** Provider name, defaults to `"gcp-secrets"`. */
+    readonly name?: string;
+}
+/**
+ * GCP Secret Manager provider.
+ *
+ * ```ts
+ * import { gcpSecrets } from "@super-repo/envx-plugins/gcp";
+ *
+ * const gcp = gcpSecrets({ projectId: "acme-prod" });
+ * await gcp.preload(["prod-db-url", "prod-api-key"]);
+ *
+ * envx({ resolvers: { [gcp.name]: gcp.resolve } });
+ * ```
+ *
+ * Reference shape:
+ *
+ * ```
+ * DB_URL=${gcp-secrets:prod-db-url}            # uses default version (latest)
+ * API_KEY=${gcp-secrets:prod-api-key@3}        # pin to version 3
+ * ```
+ *
+ * Uses `@google-cloud/secret-manager` (lazy-loaded). Install:
+ *
+ *     pnpm add @google-cloud/secret-manager
+ */
+export declare function gcpSecrets(opts: GcpSecretsOptions): SecretProvider;
+//# sourceMappingURL=gcp.d.ts.map

package/dist/gcp.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"gcp.d.ts","sourceRoot":"","sources":["../src/gcp.ts"],"names":[],"mappings":"AAAA,OAAO,EAAkC,KAAK,cAAc,EAAE,MAAM,YAAY,CAAC;AAIjF,MAAM,WAAW,iBAAiB;IAChC,kDAAkD;IAClD,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B;;;;OAIG;IACH,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAC1B,sEAAsE;IACtE,QAAQ,CAAC,MAAM,CAAC,EAAE;QAChB,mBAAmB,EAAE,CAAC,GAAG,EAAE;YACzB,IAAI,EAAE,MAAM,CAAC;SACd,KAAK,OAAO,CAAC,CAAC;YAAE,OAAO,CAAC,EAAE;gBAAE,IAAI,CAAC,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAAA;aAAE,CAAA;SAAE,GAAG,IAAI,EAAE,GAAG,OAAO,EAAE,CAAC,CAAC,CAAC;KACvF,CAAC;IACF,kDAAkD;IAClD,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;CACxB;AAED;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,wBAAgB,UAAU,CAAC,IAAI,EAAE,iBAAiB,GAAG,cAAc,CAgClE"}

package/dist/gcp.js

@@ -0,0 +1,56 @@
+import { buildProvider, MissingSdkError } from "./types.js";
+/**
+ * GCP Secret Manager provider.
+ *
+ * ```ts
+ * import { gcpSecrets } from "@super-repo/envx-plugins/gcp";
+ *
+ * const gcp = gcpSecrets({ projectId: "acme-prod" });
+ * await gcp.preload(["prod-db-url", "prod-api-key"]);
+ *
+ * envx({ resolvers: { [gcp.name]: gcp.resolve } });
+ * ```
+ *
+ * Reference shape:
+ *
+ * ```
+ * DB_URL=${gcp-secrets:prod-db-url}            # uses default version (latest)
+ * API_KEY=${gcp-secrets:prod-api-key@3}        # pin to version 3
+ * ```
+ *
+ * Uses `@google-cloud/secret-manager` (lazy-loaded). Install:
+ *
+ *     pnpm add @google-cloud/secret-manager
+ */
+export function gcpSecrets(opts) {
+    const name = opts.name ?? "gcp-secrets";
+    const defaultVersion = opts.version ?? "latest";
+    let client = opts.client ?? null;
+    return buildProvider(name, async (id) => {
+        if (!client) {
+            try {
+                const specifier = "@google-cloud/secret-manager";
+                const sdk = (await import(/* @vite-ignore */ specifier));
+                client = new sdk.SecretManagerServiceClient();
+            }
+            catch {
+                throw new MissingSdkError("gcp", "@google-cloud/secret-manager");
+            }
+        }
+        // `id` may include an `@<version>` suffix.
+        const at = id.indexOf("@");
+        const secretId = at >= 0 ? id.slice(0, at) : id;
+        const version = at >= 0 ? id.slice(at + 1) : defaultVersion;
+        const fullName = `projects/${opts.projectId}/secrets/${secretId}/versions/${version}`;
+        const [response] = await client.accessSecretVersion({ name: fullName });
+        const data = response?.payload?.data;
+        if (data === null || data === undefined) {
+            throw new Error(`secret '${id}' had empty payload`);
+        }
+        if (typeof data === "string")
+            return data;
+        return Buffer.from(data).toString("utf8");
+    });
+}
+// #endregion -----------------------------------------------
+//# sourceMappingURL=gcp.js.map

package/dist/gcp.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"gcp.js","sourceRoot":"","sources":["../src/gcp.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,eAAe,EAAuB,MAAM,YAAY,CAAC;AAuBjF;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,MAAM,UAAU,UAAU,CAAC,IAAuB;IAChD,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,IAAI,aAAa,CAAC;IACxC,MAAM,cAAc,GAAG,IAAI,CAAC,OAAO,IAAI,QAAQ,CAAC;IAChD,IAAI,MAAM,GAAuC,IAAI,CAAC,MAAM,IAAI,IAAI,CAAC;IAErE,OAAO,aAAa,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE;QACtC,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,IAAI,CAAC;gBAIH,MAAM,SAAS,GAAG,8BAA8B,CAAC;gBACjD,MAAM,GAAG,GAAG,CAAC,MAAM,MAAM,CAAC,kBAAkB,CAAC,SAAS,CAAC,CAAsB,CAAC;gBAC9E,MAAM,GAAG,IAAI,GAAG,CAAC,0BAA0B,EAA4C,CAAC;YAC1F,CAAC;YAAC,MAAM,CAAC;gBACP,MAAM,IAAI,eAAe,CAAC,KAAK,EAAE,8BAA8B,CAAC,CAAC;YACnE,CAAC;QACH,CAAC;QAED,2CAA2C;QAC3C,MAAM,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QAC3B,MAAM,QAAQ,GAAG,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QAChD,MAAM,OAAO,GAAG,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,KAAK,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC;QAC5D,MAAM,QAAQ,GAAG,YAAY,IAAI,CAAC,SAAS,YAAY,QAAQ,aAAa,OAAO,EAAE,CAAC;QACtF,MAAM,CAAC,QAAQ,CAAC,GAAG,MAAM,MAAO,CAAC,mBAAmB,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAC;QACzE,MAAM,IAAI,GAAG,QAAQ,EAAE,OAAO,EAAE,IAAI,CAAC;QACrC,IAAI,IAAI,KAAK,IAAI,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;YACxC,MAAM,IAAI,KAAK,CAAC,WAAW,EAAE,qBAAqB,CAAC,CAAC;QACtD,CAAC;QACD,IAAI,OAAO,IAAI,KAAK,QAAQ;YAAE,OAAO,IAAI,CAAC;QAC1C,OAAO,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IAC5C,CAAC,CAAC,CAAC;AACL,CAAC;AAED,6DAA6D"}

package/dist/index.d.ts

@@ -0,0 +1,11 @@
+export { buildProvider, MissingSdkError, type SecretProvider, } from "./types.js";
+export { autoPreload, asResolvers, type AutoPreloadOptions } from "./auto-preload.js";
+export { createSecretRuntime, type SecretRuntime, type SecretRuntimeOptions, type SecretRuntimeStats, } from "./runtime.js";
+export { awsSecrets, type AwsSecretsOptions } from "./aws.js";
+export { gcpSecrets, type GcpSecretsOptions } from "./gcp.js";
+export { azureKeyVault, type AzureKeyVaultOptions } from "./azure.js";
+export { hcVault, type HcVaultOptions } from "./vault.js";
+export { onePassword, type OnePasswordOptions } from "./op.js";
+export { doppler, type DopplerOptions } from "./doppler.js";
+export { infisical, type InfisicalOptions } from "./infisical.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAGA,OAAO,EACL,aAAa,EACb,eAAe,EACf,KAAK,cAAc,GACpB,MAAM,YAAY,CAAC;AAEpB,OAAO,EAAE,WAAW,EAAE,WAAW,EAAE,KAAK,kBAAkB,EAAE,MAAM,mBAAmB,CAAC;AAMtF,OAAO,EACL,mBAAmB,EACnB,KAAK,aAAa,EAClB,KAAK,oBAAoB,EACzB,KAAK,kBAAkB,GACxB,MAAM,cAAc,CAAC;AAEtB,OAAO,EAAE,UAAU,EAAE,KAAK,iBAAiB,EAAE,MAAM,UAAU,CAAC;AAC9D,OAAO,EAAE,UAAU,EAAE,KAAK,iBAAiB,EAAE,MAAM,UAAU,CAAC;AAC9D,OAAO,EAAE,aAAa,EAAE,KAAK,oBAAoB,EAAE,MAAM,YAAY,CAAC;AACtE,OAAO,EAAE,OAAO,EAAE,KAAK,cAAc,EAAE,MAAM,YAAY,CAAC;AAC1D,OAAO,EAAE,WAAW,EAAE,KAAK,kBAAkB,EAAE,MAAM,SAAS,CAAC;AAC/D,OAAO,EAAE,OAAO,EAAE,KAAK,cAAc,EAAE,MAAM,cAAc,CAAC;AAC5D,OAAO,EAAE,SAAS,EAAE,KAAK,gBAAgB,EAAE,MAAM,gBAAgB,CAAC"}

package/dist/index.js

@@ -0,0 +1,18 @@
+// #region -- @super-repo/envx-plugins ----------------------
+// Shared contract + helpers
+export { buildProvider, MissingSdkError, } from "./types.js";
+export { autoPreload, asResolvers } from "./auto-preload.js";
+// Per-provider re-exports for the convenience of single-line imports.
+// Subpath imports (`@super-repo/envx-plugins/aws`) skip the others'
+// dynamic-import code paths entirely, so they're preferred when bundle
+// size matters.
+export { createSecretRuntime, } from "./runtime.js";
+export { awsSecrets } from "./aws.js";
+export { gcpSecrets } from "./gcp.js";
+export { azureKeyVault } from "./azure.js";
+export { hcVault } from "./vault.js";
+export { onePassword } from "./op.js";
+export { doppler } from "./doppler.js";
+export { infisical } from "./infisical.js";
+// #endregion -----------------------------------------------
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,6DAA6D;AAE7D,4BAA4B;AAC5B,OAAO,EACL,aAAa,EACb,eAAe,GAEhB,MAAM,YAAY,CAAC;AAEpB,OAAO,EAAE,WAAW,EAAE,WAAW,EAA2B,MAAM,mBAAmB,CAAC;AAEtF,sEAAsE;AACtE,oEAAoE;AACpE,uEAAuE;AACvE,gBAAgB;AAChB,OAAO,EACL,mBAAmB,GAIpB,MAAM,cAAc,CAAC;AAEtB,OAAO,EAAE,UAAU,EAA0B,MAAM,UAAU,CAAC;AAC9D,OAAO,EAAE,UAAU,EAA0B,MAAM,UAAU,CAAC;AAC9D,OAAO,EAAE,aAAa,EAA6B,MAAM,YAAY,CAAC;AACtE,OAAO,EAAE,OAAO,EAAuB,MAAM,YAAY,CAAC;AAC1D,OAAO,EAAE,WAAW,EAA2B,MAAM,SAAS,CAAC;AAC/D,OAAO,EAAE,OAAO,EAAuB,MAAM,cAAc,CAAC;AAC5D,OAAO,EAAE,SAAS,EAAyB,MAAM,gBAAgB,CAAC;AAElE,6DAA6D"}

package/dist/infisical.d.ts

@@ -0,0 +1,51 @@
+import { type SecretProvider } from "./types.js";
+export interface InfisicalOptions {
+    /**
+     * Service token or universal-auth access token. Required. Pass a
+     * universal-auth token from your machine identity flow, or a project
+     * service token for simpler setups.
+     */
+    readonly token: string;
+    /** Project ID (workspace ID, "workspaceId"). */
+    readonly projectId: string;
+    /** Environment slug — `dev`, `staging`, `prod`, etc. */
+    readonly environment: string;
+    /**
+     * Folder path inside the environment. Defaults to `/`.
+     */
+    readonly secretPath?: string;
+    /** Self-hosted Infisical endpoint. Defaults to the SaaS host. */
+    readonly endpoint?: string;
+    /** Override the global fetch (testing). */
+    readonly fetchImpl?: typeof fetch;
+    /** Provider name, defaults to `"infisical"`. */
+    readonly name?: string;
+}
+/**
+ * Infisical provider — uses the v3 REST API with a service / machine
+ * identity token. No SDK install required (uses native `fetch`).
+ *
+ * ```ts
+ * import { infisical } from "@super-repo/envx-plugins/infisical";
+ *
+ * const inf = infisical({
+ *   token: process.env.INFISICAL_TOKEN!,
+ *   projectId: process.env.INFISICAL_PROJECT_ID!,
+ *   environment: "prod",
+ * });
+ * await inf.preload(["DATABASE_URL", "API_KEY"]);
+ *
+ * envx({ resolvers: { [inf.name]: inf.resolve } });
+ * ```
+ *
+ * Reference shape — IDs are Infisical secret names:
+ *
+ * ```
+ * DATABASE_URL=${infisical:DATABASE_URL}
+ * API_KEY=${infisical:API_KEY}
+ * ```
+ *
+ * Self-hosted? Pass `endpoint: "https://infisical.example.com"`.
+ */
+export declare function infisical(opts: InfisicalOptions): SecretProvider;
+//# sourceMappingURL=infisical.d.ts.map

package/dist/infisical.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"infisical.d.ts","sourceRoot":"","sources":["../src/infisical.ts"],"names":[],"mappings":"AAAA,OAAO,EAAiB,KAAK,cAAc,EAAE,MAAM,YAAY,CAAC;AAIhE,MAAM,WAAW,gBAAgB;IAC/B;;;;OAIG;IACH,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,gDAAgD;IAChD,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,wDAAwD;IACxD,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B;;OAEG;IACH,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAC7B,iEAAiE;IACjE,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAC3B,2CAA2C;IAC3C,QAAQ,CAAC,SAAS,CAAC,EAAE,OAAO,KAAK,CAAC;IAClC,gDAAgD;IAChD,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;CACxB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,wBAAgB,SAAS,CAAC,IAAI,EAAE,gBAAgB,GAAG,cAAc,CAkChE"}

package/dist/infisical.js

@@ -0,0 +1,59 @@
+import { buildProvider } from "./types.js";
+/**
+ * Infisical provider — uses the v3 REST API with a service / machine
+ * identity token. No SDK install required (uses native `fetch`).
+ *
+ * ```ts
+ * import { infisical } from "@super-repo/envx-plugins/infisical";
+ *
+ * const inf = infisical({
+ *   token: process.env.INFISICAL_TOKEN!,
+ *   projectId: process.env.INFISICAL_PROJECT_ID!,
+ *   environment: "prod",
+ * });
+ * await inf.preload(["DATABASE_URL", "API_KEY"]);
+ *
+ * envx({ resolvers: { [inf.name]: inf.resolve } });
+ * ```
+ *
+ * Reference shape — IDs are Infisical secret names:
+ *
+ * ```
+ * DATABASE_URL=${infisical:DATABASE_URL}
+ * API_KEY=${infisical:API_KEY}
+ * ```
+ *
+ * Self-hosted? Pass `endpoint: "https://infisical.example.com"`.
+ */
+export function infisical(opts) {
+    const name = opts.name ?? "infisical";
+    const endpoint = (opts.endpoint ?? "https://app.infisical.com").replace(/\/$/, "");
+    const secretPath = opts.secretPath ?? "/";
+    const doFetch = opts.fetchImpl ?? fetch;
+    return buildProvider(name, async (id) => {
+        const params = new URLSearchParams({
+            workspaceId: opts.projectId,
+            environment: opts.environment,
+            secretPath,
+        });
+        const url = `${endpoint}/api/v3/secrets/raw/${encodeURIComponent(id)}?${params.toString()}`;
+        const r = await doFetch(url, {
+            headers: {
+                Authorization: `Bearer ${opts.token}`,
+                Accept: "application/json",
+            },
+        });
+        if (!r.ok) {
+            const text = await r.text().catch(() => "");
+            throw new Error(`infisical GET ${url} → ${String(r.status)} ${r.statusText}${text ? `: ${text}` : ""}`);
+        }
+        const body = (await r.json());
+        const v = body.secret?.secretValue;
+        if (typeof v !== "string") {
+            throw new Error(`infisical: secret '${id}' missing secret.secretValue`);
+        }
+        return v;
+    });
+}
+// #endregion -----------------------------------------------
+//# sourceMappingURL=infisical.js.map

package/dist/infisical.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"infisical.js","sourceRoot":"","sources":["../src/infisical.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAuB,MAAM,YAAY,CAAC;AA2BhE;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,MAAM,UAAU,SAAS,CAAC,IAAsB;IAC9C,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,IAAI,WAAW,CAAC;IACtC,MAAM,QAAQ,GAAG,CAAC,IAAI,CAAC,QAAQ,IAAI,2BAA2B,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IACnF,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,IAAI,GAAG,CAAC;IAC1C,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,IAAI,KAAK,CAAC;IAExC,OAAO,aAAa,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE;QACtC,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;YACjC,WAAW,EAAE,IAAI,CAAC,SAAS;YAC3B,WAAW,EAAE,IAAI,CAAC,WAAW;YAC7B,UAAU;SACX,CAAC,CAAC;QACH,MAAM,GAAG,GAAG,GAAG,QAAQ,uBAAuB,kBAAkB,CAAC,EAAE,CAAC,IAAI,MAAM,CAAC,QAAQ,EAAE,EAAE,CAAC;QAC5F,MAAM,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,EAAE;YAC3B,OAAO,EAAE;gBACP,aAAa,EAAE,UAAU,IAAI,CAAC,KAAK,EAAE;gBACrC,MAAM,EAAE,kBAAkB;aAC3B;SACF,CAAC,CAAC;QACH,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;YACV,MAAM,IAAI,GAAG,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC;YAC5C,MAAM,IAAI,KAAK,CACb,iBAAiB,GAAG,MAAM,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,CACvF,CAAC;QACJ,CAAC;QACD,MAAM,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,CAE3B,CAAC;QACF,MAAM,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,WAAW,CAAC;QACnC,IAAI,OAAO,CAAC,KAAK,QAAQ,EAAE,CAAC;YAC1B,MAAM,IAAI,KAAK,CAAC,sBAAsB,EAAE,8BAA8B,CAAC,CAAC;QAC1E,CAAC;QACD,OAAO,CAAC,CAAC;IACX,CAAC,CAAC,CAAC;AACL,CAAC;AAED,6DAA6D"}