@varlock/hashicorp-vault-plugin 0.0.0 → 0.0.2

package/dist/plugin.cjs

@@ -0,0 +1,1267 @@
+'use strict';
+
+var promises = require('fs/promises');
+var os = require('os');
+var path = require('path');
+
+// ../../../node_modules/.bun/ky@1.14.3/node_modules/ky/distribution/errors/HTTPError.js
+var HTTPError = class extends Error {
+  response;
+  request;
+  options;
+  constructor(response, request, options) {
+    const code = response.status || response.status === 0 ? response.status : "";
+    const title = response.statusText ?? "";
+    const status = `${code} ${title}`.trim();
+    const reason = status ? `status code ${status}` : "an unknown error";
+    super(`Request failed with ${reason}: ${request.method} ${request.url}`);
+    this.name = "HTTPError";
+    this.response = response;
+    this.request = request;
+    this.options = options;
+  }
+};
+
+// ../../../node_modules/.bun/ky@1.14.3/node_modules/ky/distribution/errors/NonError.js
+var NonError = class extends Error {
+  name = "NonError";
+  value;
+  constructor(value) {
+    let message = "Non-error value was thrown";
+    try {
+      if (typeof value === "string") {
+        message = value;
+      } else if (value && typeof value === "object" && "message" in value && typeof value.message === "string") {
+        message = value.message;
+      }
+    } catch {
+    }
+    super(message);
+    this.value = value;
+  }
+};
+
+// ../../../node_modules/.bun/ky@1.14.3/node_modules/ky/distribution/errors/ForceRetryError.js
+var ForceRetryError = class extends Error {
+  name = "ForceRetryError";
+  customDelay;
+  code;
+  customRequest;
+  constructor(options) {
+    const cause = options?.cause ? options.cause instanceof Error ? options.cause : new NonError(options.cause) : void 0;
+    super(options?.code ? `Forced retry: ${options.code}` : "Forced retry", cause ? { cause } : void 0);
+    this.customDelay = options?.delay;
+    this.code = options?.code;
+    this.customRequest = options?.request;
+  }
+};
+
+// ../../../node_modules/.bun/ky@1.14.3/node_modules/ky/distribution/core/constants.js
+var supportsRequestStreams = (() => {
+  let duplexAccessed = false;
+  let hasContentType = false;
+  const supportsReadableStream = typeof globalThis.ReadableStream === "function";
+  const supportsRequest = typeof globalThis.Request === "function";
+  if (supportsReadableStream && supportsRequest) {
+    try {
+      hasContentType = new globalThis.Request("https://empty.invalid", {
+        body: new globalThis.ReadableStream(),
+        method: "POST",
+        // @ts-expect-error - Types are outdated.
+        get duplex() {
+          duplexAccessed = true;
+          return "half";
+        }
+      }).headers.has("Content-Type");
+    } catch (error) {
+      if (error instanceof Error && error.message === "unsupported BodyInit type") {
+        return false;
+      }
+      throw error;
+    }
+  }
+  return duplexAccessed && !hasContentType;
+})();
+var supportsAbortController = typeof globalThis.AbortController === "function";
+var supportsAbortSignal = typeof globalThis.AbortSignal === "function" && typeof globalThis.AbortSignal.any === "function";
+var supportsResponseStreams = typeof globalThis.ReadableStream === "function";
+var supportsFormData = typeof globalThis.FormData === "function";
+var requestMethods = ["get", "post", "put", "patch", "head", "delete"];
+var responseTypes = {
+  json: "application/json",
+  text: "text/*",
+  formData: "multipart/form-data",
+  arrayBuffer: "*/*",
+  blob: "*/*",
+  // Supported in modern Fetch implementations (for example, browsers and recent Node.js/undici).
+  // We still feature-check at runtime before exposing the shortcut.
+  bytes: "*/*"
+};
+var maxSafeTimeout = 2147483647;
+var usualFormBoundarySize = new TextEncoder().encode("------WebKitFormBoundaryaxpyiPgbbPti10Rw").length;
+var stop = /* @__PURE__ */ Symbol("stop");
+var RetryMarker = class {
+  options;
+  constructor(options) {
+    this.options = options;
+  }
+};
+var retry = (options) => new RetryMarker(options);
+var kyOptionKeys = {
+  json: true,
+  parseJson: true,
+  stringifyJson: true,
+  searchParams: true,
+  prefixUrl: true,
+  retry: true,
+  timeout: true,
+  hooks: true,
+  throwHttpErrors: true,
+  onDownloadProgress: true,
+  onUploadProgress: true,
+  fetch: true,
+  context: true
+};
+var vendorSpecificOptions = {
+  next: true
+  // Next.js cache revalidation (revalidate, tags)
+};
+var requestOptionsRegistry = {
+  method: true,
+  headers: true,
+  body: true,
+  mode: true,
+  credentials: true,
+  cache: true,
+  redirect: true,
+  referrer: true,
+  referrerPolicy: true,
+  integrity: true,
+  keepalive: true,
+  signal: true,
+  window: true,
+  duplex: true
+};
+
+// ../../../node_modules/.bun/ky@1.14.3/node_modules/ky/distribution/utils/body.js
+var getBodySize = (body) => {
+  if (!body) {
+    return 0;
+  }
+  if (body instanceof FormData) {
+    let size = 0;
+    for (const [key, value] of body) {
+      size += usualFormBoundarySize;
+      size += new TextEncoder().encode(`Content-Disposition: form-data; name="${key}"`).length;
+      size += typeof value === "string" ? new TextEncoder().encode(value).length : value.size;
+    }
+    return size;
+  }
+  if (body instanceof Blob) {
+    return body.size;
+  }
+  if (body instanceof ArrayBuffer) {
+    return body.byteLength;
+  }
+  if (typeof body === "string") {
+    return new TextEncoder().encode(body).length;
+  }
+  if (body instanceof URLSearchParams) {
+    return new TextEncoder().encode(body.toString()).length;
+  }
+  if ("byteLength" in body) {
+    return body.byteLength;
+  }
+  if (typeof body === "object" && body !== null) {
+    try {
+      const jsonString = JSON.stringify(body);
+      return new TextEncoder().encode(jsonString).length;
+    } catch {
+      return 0;
+    }
+  }
+  return 0;
+};
+var withProgress = (stream, totalBytes, onProgress) => {
+  let previousChunk;
+  let transferredBytes = 0;
+  return stream.pipeThrough(new TransformStream({
+    transform(currentChunk, controller) {
+      controller.enqueue(currentChunk);
+      if (previousChunk) {
+        transferredBytes += previousChunk.byteLength;
+        let percent = totalBytes === 0 ? 0 : transferredBytes / totalBytes;
+        if (percent >= 1) {
+          percent = 1 - Number.EPSILON;
+        }
+        onProgress?.({ percent, totalBytes: Math.max(totalBytes, transferredBytes), transferredBytes }, previousChunk);
+      }
+      previousChunk = currentChunk;
+    },
+    flush() {
+      if (previousChunk) {
+        transferredBytes += previousChunk.byteLength;
+        onProgress?.({ percent: 1, totalBytes: Math.max(totalBytes, transferredBytes), transferredBytes }, previousChunk);
+      }
+    }
+  }));
+};
+var streamResponse = (response, onDownloadProgress) => {
+  if (!response.body) {
+    return response;
+  }
+  if (response.status === 204) {
+    return new Response(null, {
+      status: response.status,
+      statusText: response.statusText,
+      headers: response.headers
+    });
+  }
+  const totalBytes = Math.max(0, Number(response.headers.get("content-length")) || 0);
+  return new Response(withProgress(response.body, totalBytes, onDownloadProgress), {
+    status: response.status,
+    statusText: response.statusText,
+    headers: response.headers
+  });
+};
+var streamRequest = (request, onUploadProgress, originalBody) => {
+  if (!request.body) {
+    return request;
+  }
+  const totalBytes = getBodySize(originalBody ?? request.body);
+  return new Request(request, {
+    // @ts-expect-error - Types are outdated.
+    duplex: "half",
+    body: withProgress(request.body, totalBytes, onUploadProgress)
+  });
+};
+
+// ../../../node_modules/.bun/ky@1.14.3/node_modules/ky/distribution/utils/is.js
+var isObject = (value) => value !== null && typeof value === "object";
+
+// ../../../node_modules/.bun/ky@1.14.3/node_modules/ky/distribution/utils/merge.js
+var validateAndMerge = (...sources) => {
+  for (const source of sources) {
+    if ((!isObject(source) || Array.isArray(source)) && source !== void 0) {
+      throw new TypeError("The `options` argument must be an object");
+    }
+  }
+  return deepMerge({}, ...sources);
+};
+var mergeHeaders = (source1 = {}, source2 = {}) => {
+  const result = new globalThis.Headers(source1);
+  const isHeadersInstance = source2 instanceof globalThis.Headers;
+  const source = new globalThis.Headers(source2);
+  for (const [key, value] of source.entries()) {
+    if (isHeadersInstance && value === "undefined" || value === void 0) {
+      result.delete(key);
+    } else {
+      result.set(key, value);
+    }
+  }
+  return result;
+};
+function newHookValue(original, incoming, property) {
+  return Object.hasOwn(incoming, property) && incoming[property] === void 0 ? [] : deepMerge(original[property] ?? [], incoming[property] ?? []);
+}
+var mergeHooks = (original = {}, incoming = {}) => ({
+  beforeRequest: newHookValue(original, incoming, "beforeRequest"),
+  beforeRetry: newHookValue(original, incoming, "beforeRetry"),
+  afterResponse: newHookValue(original, incoming, "afterResponse"),
+  beforeError: newHookValue(original, incoming, "beforeError")
+});
+var appendSearchParameters = (target, source) => {
+  const result = new URLSearchParams();
+  for (const input of [target, source]) {
+    if (input === void 0) {
+      continue;
+    }
+    if (input instanceof URLSearchParams) {
+      for (const [key, value] of input.entries()) {
+        result.append(key, value);
+      }
+    } else if (Array.isArray(input)) {
+      for (const pair of input) {
+        if (!Array.isArray(pair) || pair.length !== 2) {
+          throw new TypeError("Array search parameters must be provided in [[key, value], ...] format");
+        }
+        result.append(String(pair[0]), String(pair[1]));
+      }
+    } else if (isObject(input)) {
+      for (const [key, value] of Object.entries(input)) {
+        if (value !== void 0) {
+          result.append(key, String(value));
+        }
+      }
+    } else {
+      const parameters = new URLSearchParams(input);
+      for (const [key, value] of parameters.entries()) {
+        result.append(key, value);
+      }
+    }
+  }
+  return result;
+};
+var deepMerge = (...sources) => {
+  let returnValue = {};
+  let headers = {};
+  let hooks = {};
+  let searchParameters;
+  const signals = [];
+  for (const source of sources) {
+    if (Array.isArray(source)) {
+      if (!Array.isArray(returnValue)) {
+        returnValue = [];
+      }
+      returnValue = [...returnValue, ...source];
+    } else if (isObject(source)) {
+      for (let [key, value] of Object.entries(source)) {
+        if (key === "signal" && value instanceof globalThis.AbortSignal) {
+          signals.push(value);
+          continue;
+        }
+        if (key === "context") {
+          if (value !== void 0 && value !== null && (!isObject(value) || Array.isArray(value))) {
+            throw new TypeError("The `context` option must be an object");
+          }
+          returnValue = {
+            ...returnValue,
+            context: value === void 0 || value === null ? {} : { ...returnValue.context, ...value }
+          };
+          continue;
+        }
+        if (key === "searchParams") {
+          if (value === void 0 || value === null) {
+            searchParameters = void 0;
+          } else {
+            searchParameters = searchParameters === void 0 ? value : appendSearchParameters(searchParameters, value);
+          }
+          continue;
+        }
+        if (isObject(value) && key in returnValue) {
+          value = deepMerge(returnValue[key], value);
+        }
+        returnValue = { ...returnValue, [key]: value };
+      }
+      if (isObject(source.hooks)) {
+        hooks = mergeHooks(hooks, source.hooks);
+        returnValue.hooks = hooks;
+      }
+      if (isObject(source.headers)) {
+        headers = mergeHeaders(headers, source.headers);
+        returnValue.headers = headers;
+      }
+    }
+  }
+  if (searchParameters !== void 0) {
+    returnValue.searchParams = searchParameters;
+  }
+  if (signals.length > 0) {
+    if (signals.length === 1) {
+      returnValue.signal = signals[0];
+    } else if (supportsAbortSignal) {
+      returnValue.signal = AbortSignal.any(signals);
+    } else {
+      returnValue.signal = signals.at(-1);
+    }
+  }
+  return returnValue;
+};
+
+// ../../../node_modules/.bun/ky@1.14.3/node_modules/ky/distribution/utils/normalize.js
+var normalizeRequestMethod = (input) => requestMethods.includes(input) ? input.toUpperCase() : input;
+var retryMethods = ["get", "put", "head", "delete", "options", "trace"];
+var retryStatusCodes = [408, 413, 429, 500, 502, 503, 504];
+var retryAfterStatusCodes = [413, 429, 503];
+var defaultRetryOptions = {
+  limit: 2,
+  methods: retryMethods,
+  statusCodes: retryStatusCodes,
+  afterStatusCodes: retryAfterStatusCodes,
+  maxRetryAfter: Number.POSITIVE_INFINITY,
+  backoffLimit: Number.POSITIVE_INFINITY,
+  delay: (attemptCount) => 0.3 * 2 ** (attemptCount - 1) * 1e3,
+  jitter: void 0,
+  retryOnTimeout: false
+};
+var normalizeRetryOptions = (retry2 = {}) => {
+  if (typeof retry2 === "number") {
+    return {
+      ...defaultRetryOptions,
+      limit: retry2
+    };
+  }
+  if (retry2.methods && !Array.isArray(retry2.methods)) {
+    throw new Error("retry.methods must be an array");
+  }
+  retry2.methods &&= retry2.methods.map((method) => method.toLowerCase());
+  if (retry2.statusCodes && !Array.isArray(retry2.statusCodes)) {
+    throw new Error("retry.statusCodes must be an array");
+  }
+  const normalizedRetry = Object.fromEntries(Object.entries(retry2).filter(([, value]) => value !== void 0));
+  return {
+    ...defaultRetryOptions,
+    ...normalizedRetry
+  };
+};
+
+// ../../../node_modules/.bun/ky@1.14.3/node_modules/ky/distribution/errors/TimeoutError.js
+var TimeoutError = class extends Error {
+  request;
+  constructor(request) {
+    super(`Request timed out: ${request.method} ${request.url}`);
+    this.name = "TimeoutError";
+    this.request = request;
+  }
+};
+
+// ../../../node_modules/.bun/ky@1.14.3/node_modules/ky/distribution/utils/timeout.js
+async function timeout(request, init, abortController, options) {
+  return new Promise((resolve, reject) => {
+    const timeoutId = setTimeout(() => {
+      if (abortController) {
+        abortController.abort();
+      }
+      reject(new TimeoutError(request));
+    }, options.timeout);
+    void options.fetch(request, init).then(resolve).catch(reject).then(() => {
+      clearTimeout(timeoutId);
+    });
+  });
+}
+
+// ../../../node_modules/.bun/ky@1.14.3/node_modules/ky/distribution/utils/delay.js
+async function delay(ms, { signal }) {
+  return new Promise((resolve, reject) => {
+    if (signal) {
+      signal.throwIfAborted();
+      signal.addEventListener("abort", abortHandler, { once: true });
+    }
+    function abortHandler() {
+      clearTimeout(timeoutId);
+      reject(signal.reason);
+    }
+    const timeoutId = setTimeout(() => {
+      signal?.removeEventListener("abort", abortHandler);
+      resolve();
+    }, ms);
+  });
+}
+
+// ../../../node_modules/.bun/ky@1.14.3/node_modules/ky/distribution/utils/options.js
+var findUnknownOptions = (request, options) => {
+  const unknownOptions = {};
+  for (const key in options) {
+    if (!Object.hasOwn(options, key)) {
+      continue;
+    }
+    if (!(key in requestOptionsRegistry) && !(key in kyOptionKeys) && (!(key in request) || key in vendorSpecificOptions)) {
+      unknownOptions[key] = options[key];
+    }
+  }
+  return unknownOptions;
+};
+var hasSearchParameters = (search) => {
+  if (search === void 0) {
+    return false;
+  }
+  if (Array.isArray(search)) {
+    return search.length > 0;
+  }
+  if (search instanceof URLSearchParams) {
+    return search.size > 0;
+  }
+  if (typeof search === "object") {
+    return Object.keys(search).length > 0;
+  }
+  if (typeof search === "string") {
+    return search.trim().length > 0;
+  }
+  return Boolean(search);
+};
+
+// ../../../node_modules/.bun/ky@1.14.3/node_modules/ky/distribution/utils/type-guards.js
+function isHTTPError(error) {
+  return error instanceof HTTPError || error?.name === HTTPError.name;
+}
+function isTimeoutError(error) {
+  return error instanceof TimeoutError || error?.name === TimeoutError.name;
+}
+
+// ../../../node_modules/.bun/ky@1.14.3/node_modules/ky/distribution/core/Ky.js
+var Ky = class _Ky {
+  static create(input, options) {
+    const ky2 = new _Ky(input, options);
+    const function_ = async () => {
+      if (typeof ky2.#options.timeout === "number" && ky2.#options.timeout > maxSafeTimeout) {
+        throw new RangeError(`The \`timeout\` option cannot be greater than ${maxSafeTimeout}`);
+      }
+      await Promise.resolve();
+      let response = await ky2.#fetch();
+      for (const hook of ky2.#options.hooks.afterResponse) {
+        const clonedResponse = ky2.#decorateResponse(response.clone());
+        let modifiedResponse;
+        try {
+          modifiedResponse = await hook(ky2.request, ky2.#getNormalizedOptions(), clonedResponse, { retryCount: ky2.#retryCount });
+        } catch (error) {
+          ky2.#cancelResponseBody(clonedResponse);
+          ky2.#cancelResponseBody(response);
+          throw error;
+        }
+        if (modifiedResponse instanceof RetryMarker) {
+          ky2.#cancelResponseBody(clonedResponse);
+          ky2.#cancelResponseBody(response);
+          throw new ForceRetryError(modifiedResponse.options);
+        }
+        const nextResponse = modifiedResponse instanceof globalThis.Response ? modifiedResponse : response;
+        if (clonedResponse !== nextResponse) {
+          ky2.#cancelResponseBody(clonedResponse);
+        }
+        if (response !== nextResponse) {
+          ky2.#cancelResponseBody(response);
+        }
+        response = nextResponse;
+      }
+      ky2.#decorateResponse(response);
+      if (!response.ok && (typeof ky2.#options.throwHttpErrors === "function" ? ky2.#options.throwHttpErrors(response.status) : ky2.#options.throwHttpErrors)) {
+        let error = new HTTPError(response, ky2.request, ky2.#getNormalizedOptions());
+        for (const hook of ky2.#options.hooks.beforeError) {
+          error = await hook(error, { retryCount: ky2.#retryCount });
+        }
+        throw error;
+      }
+      if (ky2.#options.onDownloadProgress) {
+        if (typeof ky2.#options.onDownloadProgress !== "function") {
+          throw new TypeError("The `onDownloadProgress` option must be a function");
+        }
+        if (!supportsResponseStreams) {
+          throw new Error("Streams are not supported in your environment. `ReadableStream` is missing.");
+        }
+        const progressResponse = response.clone();
+        ky2.#cancelResponseBody(response);
+        return streamResponse(progressResponse, ky2.#options.onDownloadProgress);
+      }
+      return response;
+    };
+    const result = ky2.#retry(function_).finally(() => {
+      const originalRequest = ky2.#originalRequest;
+      ky2.#cancelBody(originalRequest?.body ?? void 0);
+      ky2.#cancelBody(ky2.request.body ?? void 0);
+    });
+    for (const [type, mimeType] of Object.entries(responseTypes)) {
+      if (type === "bytes" && typeof globalThis.Response?.prototype?.bytes !== "function") {
+        continue;
+      }
+      result[type] = async () => {
+        ky2.request.headers.set("accept", ky2.request.headers.get("accept") || mimeType);
+        const response = await result;
+        if (type === "json") {
+          if (response.status === 204) {
+            return "";
+          }
+          const text = await response.text();
+          if (text === "") {
+            return "";
+          }
+          if (options.parseJson) {
+            return options.parseJson(text);
+          }
+          return JSON.parse(text);
+        }
+        return response[type]();
+      };
+    }
+    return result;
+  }
+  // eslint-disable-next-line unicorn/prevent-abbreviations
+  static #normalizeSearchParams(searchParams) {
+    if (searchParams && typeof searchParams === "object" && !Array.isArray(searchParams) && !(searchParams instanceof URLSearchParams)) {
+      return Object.fromEntries(Object.entries(searchParams).filter(([, value]) => value !== void 0));
+    }
+    return searchParams;
+  }
+  request;
+  #abortController;
+  #retryCount = 0;
+  // eslint-disable-next-line @typescript-eslint/prefer-readonly -- False positive: #input is reassigned on line 202
+  #input;
+  #options;
+  #originalRequest;
+  #userProvidedAbortSignal;
+  #cachedNormalizedOptions;
+  // eslint-disable-next-line complexity
+  constructor(input, options = {}) {
+    this.#input = input;
+    this.#options = {
+      ...options,
+      headers: mergeHeaders(this.#input.headers, options.headers),
+      hooks: mergeHooks({
+        beforeRequest: [],
+        beforeRetry: [],
+        beforeError: [],
+        afterResponse: []
+      }, options.hooks),
+      method: normalizeRequestMethod(options.method ?? this.#input.method ?? "GET"),
+      // eslint-disable-next-line @typescript-eslint/prefer-nullish-coalescing
+      prefixUrl: String(options.prefixUrl || ""),
+      retry: normalizeRetryOptions(options.retry),
+      throwHttpErrors: options.throwHttpErrors ?? true,
+      timeout: options.timeout ?? 1e4,
+      fetch: options.fetch ?? globalThis.fetch.bind(globalThis),
+      context: options.context ?? {}
+    };
+    if (typeof this.#input !== "string" && !(this.#input instanceof URL || this.#input instanceof globalThis.Request)) {
+      throw new TypeError("`input` must be a string, URL, or Request");
+    }
+    if (this.#options.prefixUrl && typeof this.#input === "string") {
+      if (this.#input.startsWith("/")) {
+        throw new Error("`input` must not begin with a slash when using `prefixUrl`");
+      }
+      if (!this.#options.prefixUrl.endsWith("/")) {
+        this.#options.prefixUrl += "/";
+      }
+      this.#input = this.#options.prefixUrl + this.#input;
+    }
+    if (supportsAbortController && supportsAbortSignal) {
+      this.#userProvidedAbortSignal = this.#options.signal ?? this.#input.signal;
+      this.#abortController = new globalThis.AbortController();
+      this.#options.signal = this.#userProvidedAbortSignal ? AbortSignal.any([this.#userProvidedAbortSignal, this.#abortController.signal]) : this.#abortController.signal;
+    }
+    if (supportsRequestStreams) {
+      this.#options.duplex = "half";
+    }
+    if (this.#options.json !== void 0) {
+      this.#options.body = this.#options.stringifyJson?.(this.#options.json) ?? JSON.stringify(this.#options.json);
+      this.#options.headers.set("content-type", this.#options.headers.get("content-type") ?? "application/json");
+    }
+    const userProvidedContentType = options.headers && new globalThis.Headers(options.headers).has("content-type");
+    if (this.#input instanceof globalThis.Request && (supportsFormData && this.#options.body instanceof globalThis.FormData || this.#options.body instanceof URLSearchParams) && !userProvidedContentType) {
+      this.#options.headers.delete("content-type");
+    }
+    this.request = new globalThis.Request(this.#input, this.#options);
+    if (hasSearchParameters(this.#options.searchParams)) {
+      const textSearchParams = typeof this.#options.searchParams === "string" ? this.#options.searchParams.replace(/^\?/, "") : new URLSearchParams(_Ky.#normalizeSearchParams(this.#options.searchParams)).toString();
+      const searchParams = "?" + textSearchParams;
+      const url = this.request.url.replace(/(?:\?.*?)?(?=#|$)/, searchParams);
+      this.request = new globalThis.Request(url, this.#options);
+    }
+    if (this.#options.onUploadProgress) {
+      if (typeof this.#options.onUploadProgress !== "function") {
+        throw new TypeError("The `onUploadProgress` option must be a function");
+      }
+      if (!supportsRequestStreams) {
+        throw new Error("Request streams are not supported in your environment. The `duplex` option for `Request` is not available.");
+      }
+      this.request = this.#wrapRequestWithUploadProgress(this.request, this.#options.body ?? void 0);
+    }
+  }
+  #calculateDelay() {
+    const retryDelay = this.#options.retry.delay(this.#retryCount);
+    let jitteredDelay = retryDelay;
+    if (this.#options.retry.jitter === true) {
+      jitteredDelay = Math.random() * retryDelay;
+    } else if (typeof this.#options.retry.jitter === "function") {
+      jitteredDelay = this.#options.retry.jitter(retryDelay);
+      if (!Number.isFinite(jitteredDelay) || jitteredDelay < 0) {
+        jitteredDelay = retryDelay;
+      }
+    }
+    const backoffLimit = this.#options.retry.backoffLimit ?? Number.POSITIVE_INFINITY;
+    return Math.min(backoffLimit, jitteredDelay);
+  }
+  async #calculateRetryDelay(error) {
+    this.#retryCount++;
+    if (this.#retryCount > this.#options.retry.limit) {
+      throw error;
+    }
+    const errorObject = error instanceof Error ? error : new NonError(error);
+    if (errorObject instanceof ForceRetryError) {
+      return errorObject.customDelay ?? this.#calculateDelay();
+    }
+    if (!this.#options.retry.methods.includes(this.request.method.toLowerCase())) {
+      throw error;
+    }
+    if (this.#options.retry.shouldRetry !== void 0) {
+      const result = await this.#options.retry.shouldRetry({ error: errorObject, retryCount: this.#retryCount });
+      if (result === false) {
+        throw error;
+      }
+      if (result === true) {
+        return this.#calculateDelay();
+      }
+    }
+    if (isTimeoutError(error) && !this.#options.retry.retryOnTimeout) {
+      throw error;
+    }
+    if (isHTTPError(error)) {
+      if (!this.#options.retry.statusCodes.includes(error.response.status)) {
+        throw error;
+      }
+      const retryAfter = error.response.headers.get("Retry-After") ?? error.response.headers.get("RateLimit-Reset") ?? error.response.headers.get("X-RateLimit-Retry-After") ?? error.response.headers.get("X-RateLimit-Reset") ?? error.response.headers.get("X-Rate-Limit-Reset");
+      if (retryAfter && this.#options.retry.afterStatusCodes.includes(error.response.status)) {
+        let after = Number(retryAfter) * 1e3;
+        if (Number.isNaN(after)) {
+          after = Date.parse(retryAfter) - Date.now();
+        } else if (after >= Date.parse("2024-01-01")) {
+          after -= Date.now();
+        }
+        const max = this.#options.retry.maxRetryAfter ?? after;
+        return after < max ? after : max;
+      }
+      if (error.response.status === 413) {
+        throw error;
+      }
+    }
+    return this.#calculateDelay();
+  }
+  #decorateResponse(response) {
+    if (this.#options.parseJson) {
+      response.json = async () => this.#options.parseJson(await response.text());
+    }
+    return response;
+  }
+  #cancelBody(body) {
+    if (!body) {
+      return;
+    }
+    void body.cancel().catch(() => void 0);
+  }
+  #cancelResponseBody(response) {
+    this.#cancelBody(response.body ?? void 0);
+  }
+  async #retry(function_) {
+    try {
+      return await function_();
+    } catch (error) {
+      const ms = Math.min(await this.#calculateRetryDelay(error), maxSafeTimeout);
+      if (this.#retryCount < 1) {
+        throw error;
+      }
+      await delay(ms, this.#userProvidedAbortSignal ? { signal: this.#userProvidedAbortSignal } : {});
+      if (error instanceof ForceRetryError && error.customRequest) {
+        const managedRequest = this.#options.signal ? new globalThis.Request(error.customRequest, { signal: this.#options.signal }) : new globalThis.Request(error.customRequest);
+        this.#assignRequest(managedRequest);
+      }
+      for (const hook of this.#options.hooks.beforeRetry) {
+        const hookResult = await hook({
+          request: this.request,
+          options: this.#getNormalizedOptions(),
+          error,
+          retryCount: this.#retryCount
+        });
+        if (hookResult instanceof globalThis.Request) {
+          this.#assignRequest(hookResult);
+          break;
+        }
+        if (hookResult instanceof globalThis.Response) {
+          return hookResult;
+        }
+        if (hookResult === stop) {
+          return;
+        }
+      }
+      return this.#retry(function_);
+    }
+  }
+  async #fetch() {
+    if (this.#abortController?.signal.aborted) {
+      this.#abortController = new globalThis.AbortController();
+      this.#options.signal = this.#userProvidedAbortSignal ? AbortSignal.any([this.#userProvidedAbortSignal, this.#abortController.signal]) : this.#abortController.signal;
+      this.request = new globalThis.Request(this.request, { signal: this.#options.signal });
+    }
+    for (const hook of this.#options.hooks.beforeRequest) {
+      const result = await hook(this.request, this.#getNormalizedOptions(), { retryCount: this.#retryCount });
+      if (result instanceof Response) {
+        return result;
+      }
+      if (result instanceof globalThis.Request) {
+        this.#assignRequest(result);
+        break;
+      }
+    }
+    const nonRequestOptions = findUnknownOptions(this.request, this.#options);
+    this.#originalRequest = this.request;
+    this.request = this.#originalRequest.clone();
+    if (this.#options.timeout === false) {
+      return this.#options.fetch(this.#originalRequest, nonRequestOptions);
+    }
+    return timeout(this.#originalRequest, nonRequestOptions, this.#abortController, this.#options);
+  }
+  #getNormalizedOptions() {
+    if (!this.#cachedNormalizedOptions) {
+      const { hooks, ...normalizedOptions } = this.#options;
+      this.#cachedNormalizedOptions = Object.freeze(normalizedOptions);
+    }
+    return this.#cachedNormalizedOptions;
+  }
+  #assignRequest(request) {
+    this.#cachedNormalizedOptions = void 0;
+    this.request = this.#wrapRequestWithUploadProgress(request);
+  }
+  #wrapRequestWithUploadProgress(request, originalBody) {
+    if (!this.#options.onUploadProgress || !request.body) {
+      return request;
+    }
+    return streamRequest(request, this.#options.onUploadProgress, originalBody ?? this.#options.body ?? void 0);
+  }
+};
+
+// ../../../node_modules/.bun/ky@1.14.3/node_modules/ky/distribution/index.js
+var createInstance = (defaults) => {
+  const ky2 = (input, options) => Ky.create(input, validateAndMerge(defaults, options));
+  for (const method of requestMethods) {
+    ky2[method] = (input, options) => Ky.create(input, validateAndMerge(defaults, options, { method }));
+  }
+  ky2.create = (newDefaults) => createInstance(validateAndMerge(newDefaults));
+  ky2.extend = (newDefaults) => {
+    if (typeof newDefaults === "function") {
+      newDefaults = newDefaults(defaults ?? {});
+    }
+    return createInstance(validateAndMerge(defaults, newDefaults));
+  };
+  ky2.stop = stop;
+  ky2.retry = retry;
+  return ky2;
+};
+var ky = createInstance();
+var distribution_default = ky;
+var { SchemaError, ResolutionError } = plugin.ERRORS;
+var VAULT_ICON = "simple-icons:vault";
+plugin.name = "vault";
+var { debug } = plugin;
+debug("init - version =", plugin.version);
+plugin.icon = VAULT_ICON;
+plugin.standardVars = {
+  initDecorator: "@initHcpVault",
+  params: {
+    url: { key: "VAULT_ADDR" },
+    token: { key: "VAULT_TOKEN", dataType: "vaultToken" },
+    namespace: { key: "VAULT_NAMESPACE" }
+  }
+};
+var FIX_AUTH_TIP = [
+  "Verify your Vault credentials are configured correctly. Use one of the following options:",
+  "  1. Provide a token explicitly via @initHcpVault(token=$VAULT_TOKEN)",
+  "  2. Use AppRole auth via @initHcpVault(roleId=..., secretId=...)",
+  "  3. Login via the vault CLI (vault login) - the ~/.vault-token file will be used automatically"
+].join("\n");
+var VaultPluginInstance = class {
+  constructor(id) {
+    this.id = id;
+    this.secretCache = /* @__PURE__ */ new Map();
+  }
+  setAuth(url, namespace, token, roleId, secretId, defaultPath, pathPrefix) {
+    this.url = url ? String(url).replace(/\/+$/, "") : void 0;
+    this.namespace = namespace ? String(namespace) : void 0;
+    this.token = token ? String(token) : void 0;
+    this.roleId = roleId ? String(roleId) : void 0;
+    this.secretId = secretId ? String(secretId) : void 0;
+    this.defaultPath = defaultPath ? String(defaultPath) : void 0;
+    this.pathPrefix = pathPrefix ? String(pathPrefix) : void 0;
+    debug(
+      "vault instance",
+      this.id,
+      "set auth - url:",
+      this.url,
+      "hasToken:",
+      !!this.token,
+      "hasRoleId:",
+      !!this.roleId,
+      "namespace:",
+      this.namespace,
+      "defaultPath:",
+      this.defaultPath,
+      "pathPrefix:",
+      this.pathPrefix
+    );
+  }
+  async getVaultToken() {
+    if (this.cachedToken && this.cachedToken.expiresAt > Date.now() + 3e4) {
+      debug("Using cached Vault token");
+      return this.cachedToken.token;
+    }
+    if (this.token) {
+      debug("Using explicitly provided Vault token");
+      return this.token;
+    }
+    if (this.roleId && this.secretId) {
+      return this.loginWithAppRole();
+    }
+    for (const tokenFile of [".vault-token", ".bao-token"]) {
+      try {
+        const tokenPath = path.join(os.homedir(), tokenFile);
+        const fileToken = (await promises.readFile(tokenPath, "utf-8")).trim();
+        if (fileToken) {
+          debug(`Using token from ~/${tokenFile}`);
+          return fileToken;
+        }
+      } catch {
+        debug(`Could not read ~/${tokenFile}`);
+      }
+    }
+    throw new SchemaError("No Vault authentication found", {
+      tip: FIX_AUTH_TIP
+    });
+  }
+  async loginWithAppRole() {
+    if (!this.url) throw new SchemaError("Vault URL is required for AppRole auth");
+    try {
+      const headers = {};
+      if (this.namespace) headers["X-Vault-Namespace"] = this.namespace;
+      const response = await distribution_default.post(`${this.url}/v1/auth/approle/login`, {
+        json: { role_id: this.roleId, secret_id: this.secretId },
+        headers
+      }).json();
+      const clientToken = response.auth.client_token;
+      const leaseDuration = response.auth.lease_duration;
+      this.cachedToken = {
+        token: clientToken,
+        expiresAt: Date.now() + leaseDuration * 1e3
+      };
+      debug("Successfully authenticated with AppRole");
+      return clientToken;
+    } catch (err) {
+      let errorMessage = "AppRole authentication failed";
+      let errorTip;
+      if (err.response) {
+        const status = err.response.status;
+        if (status === 400) {
+          errorMessage = "AppRole login failed - invalid role_id or secret_id";
+          errorTip = [
+            "Verify your AppRole credentials:",
+            "  - role_id: The UUID of the AppRole role",
+            "  - secret_id: A valid secret ID for the role",
+            "Generate a new secret_id: vault write -f auth/approle/role/<role>/secret-id"
+          ].join("\n");
+        } else if (status === 403) {
+          errorMessage = "AppRole login denied - insufficient permissions";
+          errorTip = "Ensure the AppRole auth method is enabled and the role exists";
+        } else {
+          errorMessage = `AppRole login failed (HTTP ${status})`;
+        }
+      } else if (err.message) {
+        errorMessage = `AppRole login error: ${err.message}`;
+      }
+      throw new SchemaError(errorMessage, { tip: errorTip });
+    }
+  }
+  buildPath(explicitPath) {
+    let basePath;
+    if (explicitPath) {
+      basePath = explicitPath;
+    } else if (this.defaultPath) {
+      basePath = this.defaultPath;
+    } else {
+      throw new ResolutionError("No path specified and no defaultPath configured", {
+        tip: "Either provide a path argument to vaultSecret() or set defaultPath in @initHcpVault()"
+      });
+    }
+    if (this.pathPrefix) {
+      const prefix = this.pathPrefix.replace(/\/+$/, "");
+      const path = basePath.replace(/^\/+/, "");
+      return `${prefix}/${path}`;
+    }
+    return basePath;
+  }
+  fetchSecretData(secretPath) {
+    const cached = this.secretCache.get(secretPath);
+    if (cached) {
+      debug(`Using cached fetch for: ${secretPath}`);
+      return cached;
+    }
+    const promise = this._fetchSecretData(secretPath);
+    this.secretCache.set(secretPath, promise);
+    promise.catch(() => this.secretCache.delete(secretPath));
+    return promise;
+  }
+  async _fetchSecretData(secretPath) {
+    if (!this.url) {
+      throw new SchemaError("Vault URL is required");
+    }
+    const token = await this.getVaultToken();
+    const slashIdx = secretPath.indexOf("/");
+    let mount;
+    let kvPath;
+    if (slashIdx === -1) {
+      mount = secretPath;
+      kvPath = "";
+    } else {
+      mount = secretPath.substring(0, slashIdx);
+      kvPath = secretPath.substring(slashIdx + 1);
+    }
+    const apiUrl = kvPath ? `${this.url}/v1/${mount}/data/${kvPath}` : `${this.url}/v1/${mount}/data`;
+    const headers = { "X-Vault-Token": token };
+    if (this.namespace) headers["X-Vault-Namespace"] = this.namespace;
+    try {
+      debug(`Fetching secret: ${secretPath}`);
+      const response = await distribution_default.get(apiUrl, { headers }).json();
+      const secretData = response.data?.data;
+      if (!secretData) {
+        throw new ResolutionError("Secret data is empty");
+      }
+      return secretData;
+    } catch (err) {
+      if (err instanceof ResolutionError) throw err;
+      let errorMessage = "Failed to fetch secret";
+      let errorTip;
+      if (err.response) {
+        const status = err.response.status;
+        if (status === 404) {
+          errorMessage = `Secret at path "${secretPath}" not found`;
+          errorTip = [
+            "Verify the secret exists in Vault:",
+            `  vault kv get ${secretPath}`,
+            "",
+            "Common issues:",
+            "  - The mount point may be wrong (first path segment)",
+            "  - The secret path may not exist",
+            "  - KV v1 secrets use a different API format"
+          ].join("\n");
+        } else if (status === 403) {
+          errorMessage = `Permission denied for path "${secretPath}"`;
+          errorTip = [
+            "Ensure your token has the correct policy. Required capability: read",
+            "Example policy:",
+            `  path "${mount}/data/${kvPath || "*"}" {`,
+            '    capabilities = ["read"]',
+            "  }"
+          ].join("\n");
+        } else if (status === 401) {
+          errorMessage = "Vault authentication failed";
+          errorTip = [
+            "Your token may be expired or invalid",
+            FIX_AUTH_TIP
+          ].join("\n");
+        } else if (status === 503) {
+          errorMessage = "Vault server is sealed or unavailable";
+          errorTip = "Check that the Vault server is running and unsealed";
+        } else {
+          try {
+            const errorBody = await err.response.json();
+            const errors = errorBody.errors?.join("; ") || "";
+            errorMessage = `Vault error (HTTP ${status}): ${errors || err.message}`;
+          } catch {
+            errorMessage = `Vault error (HTTP ${status})`;
+          }
+        }
+      } else if (err.message) {
+        errorMessage = `Network error: ${err.message}`;
+        errorTip = "Verify the Vault URL is correct and the server is reachable";
+      }
+      throw new ResolutionError(errorMessage, {
+        tip: errorTip
+      });
+    }
+  }
+  async getSecret(secretPath, jsonKey) {
+    const secretData = await this.fetchSecretData(secretPath);
+    if (jsonKey) {
+      if (!(jsonKey in secretData)) {
+        throw new ResolutionError(`Key "${jsonKey}" not found in secret`, {
+          tip: `Available keys: ${Object.keys(secretData).join(", ")}`
+        });
+      }
+      return String(secretData[jsonKey]);
+    }
+    const keys = Object.keys(secretData);
+    if (keys.length === 1) {
+      return String(secretData[keys[0]]);
+    }
+    return JSON.stringify(secretData);
+  }
+};
+var pluginInstances = {};
+plugin.registerRootDecorator({
+  name: "initHcpVault",
+  description: "Initialize a HashiCorp Vault plugin instance for vaultSecret() resolver",
+  isFunction: true,
+  async process(argsVal) {
+    const objArgs = argsVal.objArgs;
+    if (!objArgs) throw new SchemaError("Expected some args");
+    if (objArgs.id && !objArgs.id.isStatic) {
+      throw new SchemaError("Expected id to be static");
+    }
+    const id = String(objArgs?.id?.staticValue || "_default");
+    if (pluginInstances[id]) {
+      throw new SchemaError(`Instance with id "${id}" already initialized`);
+    }
+    if (!objArgs.url) {
+      throw new SchemaError("url parameter is required", {
+        tip: 'Provide your Vault server URL: @initHcpVault(url="https://vault.example.com:8200")'
+      });
+    }
+    pluginInstances[id] = new VaultPluginInstance(id);
+    return {
+      id,
+      urlResolver: objArgs.url,
+      namespaceResolver: objArgs.namespace,
+      tokenResolver: objArgs.token,
+      roleIdResolver: objArgs.roleId,
+      secretIdResolver: objArgs.secretId,
+      defaultPathResolver: objArgs.defaultPath,
+      pathPrefixResolver: objArgs.pathPrefix
+    };
+  },
+  async execute({
+    id,
+    urlResolver,
+    namespaceResolver,
+    tokenResolver,
+    roleIdResolver,
+    secretIdResolver,
+    defaultPathResolver,
+    pathPrefixResolver
+  }) {
+    const url = await urlResolver.resolve();
+    const namespace = await namespaceResolver?.resolve();
+    const token = await tokenResolver?.resolve();
+    const roleId = await roleIdResolver?.resolve();
+    const secretId = await secretIdResolver?.resolve();
+    const defaultPath = await defaultPathResolver?.resolve();
+    const pathPrefix = await pathPrefixResolver?.resolve();
+    pluginInstances[id].setAuth(url, namespace, token, roleId, secretId, defaultPath, pathPrefix);
+  }
+});
+plugin.registerDataType({
+  name: "vaultToken",
+  sensitive: true,
+  typeDescription: "HashiCorp Vault authentication token",
+  icon: VAULT_ICON,
+  docs: [
+    {
+      description: "Vault Tokens",
+      url: "https://developer.hashicorp.com/vault/docs/concepts/tokens"
+    }
+  ]
+});
+plugin.registerResolverFunction({
+  name: "vaultSecret",
+  label: "Fetch secret from HashiCorp Vault KV v2",
+  icon: VAULT_ICON,
+  argsSchema: {
+    type: "mixed",
+    arrayMinLength: 0,
+    arrayMaxLength: 2
+  },
+  process() {
+    let instanceId;
+    let secretRefResolver;
+    let keyResolver;
+    let returnJson = false;
+    if (this.objArgs?.key) {
+      keyResolver = this.objArgs.key;
+    }
+    if (this.objArgs?.raw) {
+      if (!this.objArgs.raw.isStatic || this.objArgs.raw.staticValue !== true) {
+        throw new SchemaError("Expected raw=true");
+      }
+      if (keyResolver) {
+        throw new SchemaError("Cannot use raw=true with key= parameter", {
+          tip: "Remove the key= parameter, or remove raw=true"
+        });
+      }
+      returnJson = true;
+    }
+    const parent = this.parent;
+    const itemKey = parent?.key || "";
+    if (!this.arrArgs || this.arrArgs.length === 0) {
+      instanceId = "_default";
+    } else if (this.arrArgs.length === 1) {
+      instanceId = "_default";
+      secretRefResolver = this.arrArgs[0];
+    } else if (this.arrArgs.length === 2) {
+      if (!this.arrArgs[0].isStatic) {
+        throw new SchemaError("Expected instance id to be a static value");
+      } else {
+        instanceId = String(this.arrArgs[0].staticValue);
+      }
+      secretRefResolver = this.arrArgs[1];
+    } else {
+      throw new SchemaError("Expected 0, 1, or 2 args");
+    }
+    if (!Object.values(pluginInstances).length) {
+      throw new SchemaError("No Vault plugin instances found", {
+        tip: "Initialize at least one Vault instance using the @initHcpVault() root decorator"
+      });
+    }
+    const selectedInstance = pluginInstances[instanceId];
+    if (!selectedInstance) {
+      if (instanceId === "_default") {
+        throw new SchemaError("Vault plugin instance (without id) not found", {
+          tip: [
+            "Either remove the `id` param from your @initHcpVault call",
+            "or use `vaultSecret(id, secretRef)` to select an instance by id.",
+            `Possible ids are: ${Object.keys(pluginInstances).join(", ")}`
+          ].join("\n")
+        });
+      } else {
+        throw new SchemaError(`Vault plugin instance id "${instanceId}" not found`, {
+          tip: [`Valid ids are: ${Object.keys(pluginInstances).join(", ")}`].join("\n")
+        });
+      }
+    }
+    return {
+      instanceId,
+      secretRefResolver,
+      keyResolver,
+      itemKey,
+      returnJson
+    };
+  },
+  async resolve({
+    instanceId,
+    secretRefResolver,
+    keyResolver,
+    itemKey,
+    returnJson
+  }) {
+    const selectedInstance = pluginInstances[instanceId];
+    let secretRef;
+    if (secretRefResolver) {
+      const resolved = await secretRefResolver.resolve();
+      if (typeof resolved !== "string") {
+        throw new SchemaError("Expected secret reference to resolve to a string");
+      }
+      secretRef = resolved;
+    }
+    let secretPath;
+    let explicitKey;
+    if (secretRef) {
+      const hashIndex = secretRef.indexOf("#");
+      if (hashIndex !== -1) {
+        secretPath = secretRef.substring(0, hashIndex);
+        explicitKey = secretRef.substring(hashIndex + 1);
+      } else {
+        secretPath = secretRef;
+      }
+    } else {
+      secretPath = "";
+    }
+    if (returnJson && explicitKey) {
+      throw new SchemaError("Cannot use raw=true with #KEY syntax", {
+        tip: "Remove the #KEY from the path, or remove raw=true"
+      });
+    }
+    let jsonKey;
+    if (keyResolver) {
+      const keyValue = await keyResolver.resolve();
+      if (typeof keyValue !== "string") {
+        throw new SchemaError("Expected key parameter to resolve to a string");
+      }
+      jsonKey = keyValue;
+    } else if (explicitKey) {
+      jsonKey = explicitKey;
+    } else if (!returnJson) {
+      jsonKey = itemKey || void 0;
+    }
+    const fullPath = selectedInstance.buildPath(secretPath || void 0);
+    return await selectedInstance.getSecret(fullPath, jsonKey);
+  }
+});
+/*! Bundled license information:
+
+ky/distribution/index.js:
+  (*! MIT License © Sindre Sorhus *)
+*/
+//# sourceMappingURL=plugin.cjs.map
+//# sourceMappingURL=plugin.cjs.map