@terreno/api 0.19.0 → 0.20.1

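--- a/<path-not-shown-in-diff>
+++ b/<path-not-shown-in-diff>
@@ -1,3 +1,5 @@
+import {DateTime} from "luxon";
+
 import type {SecretProvider} from "./configurationPlugin";
 import {APIError} from "./errors";
 import {logger} from "./logger";
@@ -28,7 +30,11 @@ interface SecretManagerModule {
 export class EnvSecretProvider implements SecretProvider {
 name = "env";
 
-async getSecret(secretName: string): Promise<string | null> {
+/**
+* Resolve a secret from an environment variable. Environment variables have no
+* versions, so the optional `version` parameter is ignored.
+*/
+async getSecret(secretName: string, _version?: string): Promise<string | null> {
 // Convert secret name to env var format: "openai-api-key" → "OPENAI_API_KEY"
 const envKey = secretName.replace(/[-.]/g, "_").toUpperCase();
 const value = process.env[envKey] ?? null;
@@ -96,16 +102,28 @@ export class GcpSecretProvider implements SecretProvider {
 return this.client;
 }
 
-async getSecret(secretName: string): Promise<string | null> {
+/**
+* Resolve a secret from Google Cloud Secret Manager.
+*
+* @param secretName - A short secret id (e.g. "openai-api-key") or a full
+* resource path (e.g. "projects/p/secrets/s" or
+* "projects/p/secrets/s/versions/3").
+* @param version - Optional version to resolve when `secretName` is a short id
+* (e.g. "3"). Defaults to "latest". Ignored when `secretName` already
+* contains an explicit `/versions/...` suffix.
+*/
+async getSecret(secretName: string, version?: string): Promise<string | null> {
 const client = await this.getClient();
 
+const resolvedVersion = version ?? "latest";
 let resourceName: string;
 if (secretName.startsWith("projects/")) {
-resourceName = secretName.endsWith("/versions/latest")
+// Honor a full resource path. Only append a version when one is not present.
+resourceName = secretName.includes("/versions/")
 ? secretName
-: `${secretName}/versions/latest`;
+: `${secretName}/versions/${resolvedVersion}`;
 } else {
-resourceName = `projects/${this.projectId}/secrets/${secretName}/versions/latest`;
+resourceName = `projects/${this.projectId}/secrets/${secretName}/versions/${resolvedVersion}`;
 }
 
 try {
@@ -126,3 +144,127 @@ export class GcpSecretProvider implements SecretProvider {
 }
 }
 }
+
+/**
+* Secret provider that delegates to an ordered list of providers, returning the
+* first non-null result.
+*
+* A provider that throws is warn-logged (secret name only — never the value) and
+* resolution falls through to the next provider. This makes it easy to compose a
+* primary provider with a fallback, e.g. GCP with an environment-variable
+* fallback:
+*
+* @example
+* ```typescript
+* const provider = new CompositeSecretProvider([
+* new GcpSecretProvider({projectId: "my-project"}),
+* new EnvSecretProvider(),
+* ]);
+* const key = await provider.getSecret("openai-api-key");
+* ```
+*/
+export class CompositeSecretProvider implements SecretProvider {
+name: string;
+private providers: SecretProvider[];
+
+constructor(providers: SecretProvider[]) {
+if (!providers || providers.length === 0) {
+throw new APIError({
+status: 500,
+title: "CompositeSecretProvider requires at least one provider",
+});
+}
+this.providers = providers;
+this.name = `composite(${providers.map((p) => p.name).join(",")})`;
+}
+
+async getSecret(secretName: string, version?: string): Promise<string | null> {
+for (const provider of this.providers) {
+try {
+const value = await provider.getSecret(secretName, version);
+if (value !== null) {
+return value;
+}
+} catch (error: unknown) {
+// Never log the secret value — only the name and which provider failed.
+const message = error instanceof Error ? error.message : String(error);
+logger.warn(
+`CompositeSecretProvider: provider ${provider.name} failed for secret ${secretName}: ${message}`
+);
+}
+}
+return null;
+}
+}
+
+/**
+* Options for CachingSecretProvider.
+*/
+export interface CachingSecretProviderOptions {
+/** Time-to-live for cached values, in milliseconds. Defaults to 60_000 (1 minute). */
+ttlMs?: number;
+}
+
+interface CacheEntry {
+value: string | null;
+expiresAt: number;
+}
+
+/**
+* Secret provider that wraps any provider with an in-memory TTL cache.
+*
+* Cache entries are keyed by `secretName@version` so that pinned versions are
+* cached independently. `null` results (secret not found) are cached too, to
+* avoid hammering the underlying provider for missing secrets. Secret values are
+* never logged.
+*
+* Use `clear()` to drop the entire cache (e.g. on rotation) or `clearKey()` to
+* invalidate a single secret.
+*
+* @example
+* ```typescript
+* const provider = new CachingSecretProvider(
+* new CompositeSecretProvider([gcp, env]),
+* {ttlMs: 30_000}
+* );
+* ```
+*/
+export class CachingSecretProvider implements SecretProvider {
+name: string;
+private provider: SecretProvider;
+private ttlMs: number;
+private cache = new Map<string, CacheEntry>();
+
+constructor(provider: SecretProvider, options?: CachingSecretProviderOptions) {
+this.provider = provider;
+this.ttlMs = options?.ttlMs ?? 60_000;
+this.name = `caching(${provider.name})`;
+}
+
+private cacheKey(secretName: string, version?: string): string {
+return `${secretName}@${version ?? "latest"}`;
+}
+
+async getSecret(secretName: string, version?: string): Promise<string | null> {
+const key = this.cacheKey(secretName, version);
+const now = DateTime.now().toMillis();
+const cached = this.cache.get(key);
+if (cached && cached.expiresAt > now) {
+return cached.value;
+}
+
+const value = await this.provider.getSecret(secretName, version);
+this.cache.set(key, {expiresAt: now + this.ttlMs, value});
+return value;
+}
+
+/** Clears the entire cache. Useful on secret rotation and in tests. */
+clear(): void {
+this.cache.clear();
+}
+
+/** Invalidates a single cached secret by name (and optional version). */
+clearKey(secretName: string, version?: string): void {
+this.cache.delete(this.cacheKey(secretName, version));
+}
+}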
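Review bot: CompositeSecretProvider.getSecret turns a failure of every provider into `null` (each catch only does `logger.warn(...)` and the loop ends with `return null`), so a caller cannot distinguish an outage of all providers from a secret that does not exist, and once wrapped in CachingSecretProvider that `null` is cached for the full `ttlMs` because its class comment deliberately caches not-found results. Rethrowing when no provider resolved at all, as sketched below, keeps the fallback behaviour while letting an outage surface instead of being negatively cached; the existing per-provider warn log is unchanged. Two smaller points in the same hunk: `DateTime.now().toMillis()` is the only use of the new `luxon` import and `Date.now()` yields the same epoch milliseconds, and `cacheKey` joins name and version with `@`, so a secret name containing `@` can collide with another name/version pair (a nested `Map<string, Map<string, CacheEntry>>` or a separator that cannot occur in a name avoids that). Both classes lie entirely within this hunk.
```typescript
  async getSecret(secretName: string, version?: string): Promise<string | null> {
    let anyResolved = false;
    let lastError: unknown;
    for (const provider of this.providers) {
      try {
        const value = await provider.getSecret(secretName, version);
        anyResolved = true;
        if (value !== null) {
          return value;
        }
      } catch (error: unknown) {
        lastError = error;
        // … unchanged: warn log with provider name and secret name only, never the value …
      }
    }
    // Every provider threw: surface the outage rather than returning a
    // "not found" that a caching wrapper would keep for a full TTL.
    if (!anyResolved) {
      throw lastError;
    }
    return null;
  }
```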