deepline 0.1.67 → 0.1.69

package/dist/index.d.mts

@@ -1110,6 +1110,18 @@ type PlaySheetRowsResult = {
     customerDbUrl?: string;
     deltaCursor?: number;
 };
+type PlaySecretMetadata = {
+    _id: string;
+    orgId: string;
+    scope: 'org' | 'play';
+    playName?: string;
+    name: string;
+    status: string;
+    hasValue: boolean;
+    createdAt: number;
+    updatedAt: number;
+    lastUsedAt?: number;
+};
 type RunsNamespace = {
     get: (runId: string, options?: {
         full?: boolean;
@@ -1166,6 +1178,8 @@ declare class DeeplineClient {
     private playCloneEditStarter;
     private summarizePlayListItem;
     private summarizePlayDetail;
+    listSecrets(): Promise<PlaySecretMetadata[]>;
+    checkSecret(name: string): Promise<PlaySecretMetadata | null>;
     /**
      * List all available tools.
      *
@@ -2076,6 +2090,29 @@ type PlayBindings = {
         /** IANA timezone (e.g. `'America/New_York'`). Defaults to UTC. */
         timezone?: string;
     };
+    /**
+     * Customer-authored play secrets this play is allowed to use at runtime.
+     * Values are never bundled or exposed by the SDK; access them with
+     * `ctx.secrets.get("NAME")` and approved helpers such as
+     * `ctx.secrets.bearer(handle)`.
+     */
+    secrets?: readonly string[];
+};
+declare const SECRET_HANDLE_BRAND: unique symbol;
+type SecretHandle = {
+    readonly [SECRET_HANDLE_BRAND]: never;
+    readonly name: string;
+    toString(): string;
+    toJSON(): never;
+};
+type SecretAuth = {
+    readonly kind: 'bearer' | 'header';
+    readonly secret: SecretHandle;
+    readonly header?: string;
+};
+type SecretAwareRequestInit = Omit<RequestInit, 'headers'> & {
+    headers?: HeadersInit;
+    auth?: SecretAuth;
 };
 type LoosePlayObject = {
     [key: string]: LoosePlayObject;
@@ -2377,7 +2414,7 @@ interface DeeplinePlayRuntimeContext {
      * @param init - Fetch options.
      * @returns Recorded response.
      */
-    fetch(key: string, url: string | URL, init?: RequestInit, options?: {
+    fetch(key: string, url: string | URL, init?: SecretAwareRequestInit, options?: {
         staleAfterSeconds?: number;
     }): Promise<{
         ok: boolean;
@@ -2388,6 +2425,11 @@ interface DeeplinePlayRuntimeContext {
         bodyText: string;
         json: unknown | null;
     }>;
+    secrets: {
+        get(name: string): SecretHandle;
+        bearer(secret: SecretHandle): SecretAuth;
+        header(header: string, secret: SecretHandle): SecretAuth;
+    };
     runPlay<TOutput = unknown>(key: string, playRef: string | PlayReferenceLike, input: Record<string, unknown>, options: {
         description?: string;
         staleAfterSeconds?: number;

package/dist/index.d.ts

@@ -1110,6 +1110,18 @@ type PlaySheetRowsResult = {
     customerDbUrl?: string;
     deltaCursor?: number;
 };
+type PlaySecretMetadata = {
+    _id: string;
+    orgId: string;
+    scope: 'org' | 'play';
+    playName?: string;
+    name: string;
+    status: string;
+    hasValue: boolean;
+    createdAt: number;
+    updatedAt: number;
+    lastUsedAt?: number;
+};
 type RunsNamespace = {
     get: (runId: string, options?: {
         full?: boolean;
@@ -1166,6 +1178,8 @@ declare class DeeplineClient {
     private playCloneEditStarter;
     private summarizePlayListItem;
     private summarizePlayDetail;
+    listSecrets(): Promise<PlaySecretMetadata[]>;
+    checkSecret(name: string): Promise<PlaySecretMetadata | null>;
     /**
      * List all available tools.
      *
@@ -2076,6 +2090,29 @@ type PlayBindings = {
         /** IANA timezone (e.g. `'America/New_York'`). Defaults to UTC. */
         timezone?: string;
     };
+    /**
+     * Customer-authored play secrets this play is allowed to use at runtime.
+     * Values are never bundled or exposed by the SDK; access them with
+     * `ctx.secrets.get("NAME")` and approved helpers such as
+     * `ctx.secrets.bearer(handle)`.
+     */
+    secrets?: readonly string[];
+};
+declare const SECRET_HANDLE_BRAND: unique symbol;
+type SecretHandle = {
+    readonly [SECRET_HANDLE_BRAND]: never;
+    readonly name: string;
+    toString(): string;
+    toJSON(): never;
+};
+type SecretAuth = {
+    readonly kind: 'bearer' | 'header';
+    readonly secret: SecretHandle;
+    readonly header?: string;
+};
+type SecretAwareRequestInit = Omit<RequestInit, 'headers'> & {
+    headers?: HeadersInit;
+    auth?: SecretAuth;
 };
 type LoosePlayObject = {
     [key: string]: LoosePlayObject;
@@ -2377,7 +2414,7 @@ interface DeeplinePlayRuntimeContext {
      * @param init - Fetch options.
      * @returns Recorded response.
      */
-    fetch(key: string, url: string | URL, init?: RequestInit, options?: {
+    fetch(key: string, url: string | URL, init?: SecretAwareRequestInit, options?: {
         staleAfterSeconds?: number;
     }): Promise<{
         ok: boolean;
@@ -2388,6 +2425,11 @@ interface DeeplinePlayRuntimeContext {
         bodyText: string;
         json: unknown | null;
     }>;
+    secrets: {
+        get(name: string): SecretHandle;
+        bearer(secret: SecretHandle): SecretAuth;
+        header(header: string, secret: SecretHandle): SecretAuth;
+    };
     runPlay<TOutput = unknown>(key: string, playRef: string | PlayReferenceLike, input: Record<string, unknown>, options: {
         description?: string;
         staleAfterSeconds?: number;

package/dist/index.js

@@ -241,10 +241,10 @@ var import_node_path2 = require("path");
 
 // src/release.ts
 var SDK_RELEASE = {
-  version: "0.1.67",
+  version: "0.1.69",
   apiContract: "2026-05-play-bootstrap-dataset-summary",
   supportPolicy: {
-    latest: "0.1.67",
+    latest: "0.1.69",
     minimumSupported: "0.1.53",
     deprecatedBelow: "0.1.53"
   }
@@ -838,6 +838,22 @@ var DeeplineClient = class {
     };
   }
   // ——————————————————————————————————————————————————————————
+  // Secrets
+  // ——————————————————————————————————————————————————————————
+  async listSecrets() {
+    const response = await this.http.get(
+      "/api/v2/secrets"
+    );
+    return Array.isArray(response.secrets) ? response.secrets : [];
+  }
+  async checkSecret(name) {
+    const normalized = name.trim().toUpperCase();
+    const secrets = await this.listSecrets();
+    return secrets.find(
+      (secret) => secret.name === normalized && secret.status === "active" && secret.hasValue
+    ) ?? null;
+  }
+  // ——————————————————————————————————————————————————————————
   // Tools
   // ——————————————————————————————————————————————————————————
   /**

package/dist/index.mjs

@@ -179,10 +179,10 @@ import { join as join2 } from "path";
 
 // src/release.ts
 var SDK_RELEASE = {
-  version: "0.1.67",
+  version: "0.1.69",
   apiContract: "2026-05-play-bootstrap-dataset-summary",
   supportPolicy: {
-    latest: "0.1.67",
+    latest: "0.1.69",
     minimumSupported: "0.1.53",
     deprecatedBelow: "0.1.53"
   }
@@ -776,6 +776,22 @@ var DeeplineClient = class {
     };
   }
   // ——————————————————————————————————————————————————————————
+  // Secrets
+  // ——————————————————————————————————————————————————————————
+  async listSecrets() {
+    const response = await this.http.get(
+      "/api/v2/secrets"
+    );
+    return Array.isArray(response.secrets) ? response.secrets : [];
+  }
+  async checkSecret(name) {
+    const normalized = name.trim().toUpperCase();
+    const secrets = await this.listSecrets();
+    return secrets.find(
+      (secret) => secret.name === normalized && secret.status === "active" && secret.hasValue
+    ) ?? null;
+  }
+  // ——————————————————————————————————————————————————————————
   // Tools
   // ——————————————————————————————————————————————————————————
   /**

package/dist/repo/apps/play-runner-workers/src/entry.ts

@@ -128,6 +128,19 @@ import {
 } from '../../../shared_libs/play-runtime/csv-rename';
 import { coordinatorRequestHeaders } from '../../../shared_libs/play-runtime/coordinator-headers';
 import { normalizePlayRunFailure } from '../../../shared_libs/play-runtime/run-failure';
+import { createSecretRedactionContext } from '../../../shared_libs/play-runtime/secret-redaction';
+import {
+  assertNoSecretTaint,
+  createBearerSecretAuth,
+  createHeaderSecretAuth,
+  createSecretHandle,
+  isSecretAuth,
+  secretAuthHeaderMarkers,
+  valueContainsSecret,
+  type SecretAuth,
+  type SecretAwareRequestInit,
+  type SecretHandle,
+} from '../../../shared_libs/play-runtime/secret-capability';
 import type {
   LiveNodeProgressMap,
   LiveNodeProgressSnapshot,
@@ -3183,6 +3196,39 @@ function createMinimalWorkerCtx(
   const inFlightChildCallsByPlayName: Record<string, number> = {};
   let inFlightChildPlayCalls = 0;
   const childPlaySlotWaiters: Array<() => void> = [];
+  const secretRedactor = createSecretRedactionContext();
+
+  const resolveSecretAuth = async (auth?: SecretAuth) => {
+    if (!auth) return {};
+    const response = await fetchRuntimeApi(
+      req.baseUrl,
+      '/api/v2/plays/internal/runtime',
+      {
+        method: 'POST',
+        headers: {
+          authorization: `Bearer ${req.executorToken}`,
+          'content-type': 'application/json',
+        },
+        body: JSON.stringify({
+          action: 'resolve_secret',
+          name: auth.secret.name,
+          playName: req.playName,
+        }),
+      },
+    );
+    if (!response.ok) {
+      throw new Error(`Secret ${auth.secret.name} is not available to this run.`);
+    }
+    const payload = (await response.json()) as { value?: unknown };
+    const value = typeof payload.value === 'string' ? payload.value : null;
+    if (!value) {
+      throw new Error(`Secret ${auth.secret.name} is not available to this run.`);
+    }
+    secretRedactor.register(value);
+    return auth.kind === 'bearer'
+      ? { authorization: `Bearer ${value}` }
+      : { [auth.header.toLowerCase()]: value };
+  };
 
   const acquireChildPlaySlot = async (): Promise<() => void> => {
     while (
@@ -4007,6 +4053,7 @@ function createMinimalWorkerCtx(
      */
     signal: abortSignal ?? new AbortController().signal,
     log(message: string) {
+      assertNoSecretTaint(message, 'ctx.log');
       emitEvent({
         type: 'log',
         level: 'info',
@@ -4184,10 +4231,11 @@ function createMinimalWorkerCtx(
         'ctx.map(key, rows, fields, options) was removed. Use ctx.map(key, rows).step(...).run(options).',
       );
     },
-    tools: {
-      async execute(requestArg: unknown): Promise<unknown> {
+	    tools: {
+	      async execute(requestArg: unknown): Promise<unknown> {
         assertNotAborted(abortSignal);
         const request = normalizeToolExecuteArgs(requestArg);
+	        assertNoSecretTaint(request.input, 'ctx.tools.execute input');
         return await executeWithRuntimeReceipt(
           `tool:${request.id}:${deriveToolRequestIdentity({
             toolId: request.toolId,
@@ -4257,9 +4305,10 @@ function createMinimalWorkerCtx(
         timeoutMs?: number;
         staleAfterSeconds?: number;
       },
-    ): Promise<unknown> {
-      const normalizedKey = normalizeContextKey(key, 'runPlay');
-      const resolvedName = resolvePlayRefName(playRef);
+	    ): Promise<unknown> {
+	      const normalizedKey = normalizeContextKey(key, 'runPlay');
+	      const resolvedName = resolvePlayRefName(playRef);
+      assertNoSecretTaint(input, 'ctx.runPlay input');
       if (!resolvedName) {
         throw new Error('ctx.runPlay(...) requires a resolvable play name.');
       }
@@ -4498,17 +4547,37 @@ function createMinimalWorkerCtx(
         }
       });
     },
-    async fetch(
-      key: string,
-      input: string | URL,
-      init: RequestInit = {},
-      options?: { staleAfterSeconds?: number },
-    ): Promise<WorkerFetchResponse> {
-      assertNotAborted(abortSignal);
-      const normalizedKey = normalizeContextKey(key, 'fetch');
-      const url = input.toString();
-      const method = (init.method ?? 'GET').toUpperCase();
-      const safeHeaders = normalizeFetchHeaders(init.headers);
+	    async fetch(
+	      key: string,
+	      input: string | URL,
+	      init: SecretAwareRequestInit = {},
+	      options?: { staleAfterSeconds?: number },
+	    ): Promise<WorkerFetchResponse> {
+	      assertNotAborted(abortSignal);
+	      const normalizedKey = normalizeContextKey(key, 'fetch');
+      if (
+        valueContainsSecret(input) ||
+        valueContainsSecret(init.body)
+      ) {
+        throw new Error(
+          'ctx.fetch does not allow secrets in the URL or body. Use an approved secret auth helper.',
+        );
+      }
+      if (valueContainsSecret(init.headers)) {
+        throw new Error(
+          'ctx.fetch does not allow raw secret headers. Use ctx.secrets.bearer(...) or ctx.secrets.header(...).',
+        );
+      }
+      if (init.auth !== undefined && !isSecretAuth(init.auth)) {
+        throw new Error('ctx.fetch auth must come from ctx.secrets.');
+      }
+	      const url = input.toString();
+	      const method = (init.method ?? 'GET').toUpperCase();
+      const secretHeaderMarkers = secretAuthHeaderMarkers(init.auth);
+	      const safeHeaders = {
+        ...normalizeFetchHeaders(init.headers),
+        ...secretHeaderMarkers,
+      };
       const body = fetchBodyIdentity(init.body);
       const hasIdempotencyKey =
         safeHeaders['idempotency-key'] !== undefined ||
@@ -4524,20 +4593,44 @@ function createMinimalWorkerCtx(
         safeHeaders,
         url,
       })}${staleRuntimeSuffix(options?.staleAfterSeconds)}`;
-      return await executeWithRuntimeReceipt(receiptKey, async () => {
-        const response = await fetch(url, init);
-        assertNotAborted(abortSignal);
-        const bodyText = await response.text();
-        return {
-          ok: response.ok,
-          status: response.status,
-          statusText: response.statusText,
-          url: response.url,
-          headers: Object.fromEntries(response.headers.entries()),
-          bodyText,
-          json: parseFetchJsonOrNull(bodyText),
+	      return await executeWithRuntimeReceipt(receiptKey, async () => {
+        const secretHeaders = await resolveSecretAuth(init.auth);
+        const headers = {
+          ...normalizeFetchHeaders(init.headers),
+          ...secretHeaders,
         };
-      });
+        const fetchInit = { ...init, headers };
+        delete fetchInit.auth;
+	        const response = await fetch(url, fetchInit);
+	        assertNotAborted(abortSignal);
+	        const bodyText = await response.text();
+        const redactedBodyText = secretRedactor.redactString(bodyText);
+	        return {
+	          ok: response.ok,
+	          status: response.status,
+	          statusText: response.statusText,
+	          url: response.url,
+	          headers: secretRedactor.redact(
+              Object.fromEntries(response.headers.entries()),
+            ) as Record<string, string>,
+	          bodyText: redactedBodyText,
+	          json: secretRedactor.redact(parseFetchJsonOrNull(bodyText)),
+	        };
+	      });
+	    },
+    secrets: {
+      get(name: string): SecretHandle {
+        if (typeof name !== 'string' || !name.trim()) {
+          throw new Error('ctx.secrets.get(name) requires a non-empty name.');
+        }
+        return createSecretHandle(name.trim());
+      },
+      bearer(secret: SecretHandle): SecretAuth {
+        return createBearerSecretAuth(secret);
+      },
+      header(header: string, secret: SecretHandle): SecretAuth {
+        return createHeaderSecretAuth(header, secret);
+      },
     },
     async waitForEvent(
       eventType: string,

package/dist/repo/sdk/src/client.ts

@@ -161,6 +161,19 @@ export type PlaySheetRowsResult = {
   deltaCursor?: number;
 };
 
+export type PlaySecretMetadata = {
+  _id: string;
+  orgId: string;
+  scope: 'org' | 'play';
+  playName?: string;
+  name: string;
+  status: string;
+  hasValue: boolean;
+  createdAt: number;
+  updatedAt: number;
+  lastUsedAt?: number;
+};
+
 export type RunsNamespace = {
   get: (runId: string, options?: { full?: boolean }) => Promise<PlayStatus>;
   list: (options: RunsListOptions) => Promise<PlayRunListItem[]>;
@@ -574,6 +587,30 @@ export class DeeplineClient {
     };
   }
 
+  // ——————————————————————————————————————————————————————————
+  // Secrets
+  // ——————————————————————————————————————————————————————————
+
+  async listSecrets(): Promise<PlaySecretMetadata[]> {
+    const response = await this.http.get<{ secrets?: PlaySecretMetadata[] }>(
+      '/api/v2/secrets',
+    );
+    return Array.isArray(response.secrets) ? response.secrets : [];
+  }
+
+  async checkSecret(name: string): Promise<PlaySecretMetadata | null> {
+    const normalized = name.trim().toUpperCase();
+    const secrets = await this.listSecrets();
+    return (
+      secrets.find(
+        (secret) =>
+          secret.name === normalized &&
+          secret.status === 'active' &&
+          secret.hasValue,
+      ) ?? null
+    );
+  }
+
   // ——————————————————————————————————————————————————————————
   // Tools
   // ——————————————————————————————————————————————————————————

package/dist/repo/sdk/src/play.ts

@@ -146,6 +146,33 @@ export type PlayBindings = {
     /** IANA timezone (e.g. `'America/New_York'`). Defaults to UTC. */
     timezone?: string;
   };
+  /**
+   * Customer-authored play secrets this play is allowed to use at runtime.
+   * Values are never bundled or exposed by the SDK; access them with
+   * `ctx.secrets.get("NAME")` and approved helpers such as
+   * `ctx.secrets.bearer(handle)`.
+   */
+  secrets?: readonly string[];
+};
+
+declare const SECRET_HANDLE_BRAND: unique symbol;
+
+export type SecretHandle = {
+  readonly [SECRET_HANDLE_BRAND]: never;
+  readonly name: string;
+  toString(): string;
+  toJSON(): never;
+};
+
+export type SecretAuth = {
+  readonly kind: 'bearer' | 'header';
+  readonly secret: SecretHandle;
+  readonly header?: string;
+};
+
+export type SecretAwareRequestInit = Omit<RequestInit, 'headers'> & {
+  headers?: HeadersInit;
+  auth?: SecretAuth;
 };
 
 export type LoosePlayObject = {
@@ -523,7 +550,7 @@ export interface DeeplinePlayRuntimeContext {
   fetch(
     key: string,
     url: string | URL,
-    init?: RequestInit,
+    init?: SecretAwareRequestInit,
     options?: { staleAfterSeconds?: number },
   ): Promise<{
     ok: boolean;
@@ -534,6 +561,11 @@ export interface DeeplinePlayRuntimeContext {
     bodyText: string;
     json: unknown | null;
   }>;
+  secrets: {
+    get(name: string): SecretHandle;
+    bearer(secret: SecretHandle): SecretAuth;
+    header(header: string, secret: SecretHandle): SecretAuth;
+  };
   runPlay<TOutput = unknown>(
     key: string,
     playRef: string | PlayReferenceLike,

package/dist/repo/sdk/src/plays/bundle-play-file.ts

@@ -17,6 +17,7 @@ import {
   type PlayArtifactKind,
 } from '../../../shared_libs/play-runtime/backend.js';
 import { resolveExecutionProfile } from '../../../shared_libs/play-runtime/profiles.js';
+import { validatePlaySourceFilesHaveNoInlineSecrets } from '../../../shared_libs/plays/secret-guardrails.js';
 import { discoverPackagedLocalFiles } from './local-file-discovery.js';
 
 export type {
@@ -149,11 +150,13 @@ export async function bundlePlayFile(
   filePath: string,
   options: BundlePlayFileOptions = {},
 ): Promise<BundledPlayFileResult> {
-  return bundlePlayFileCore(filePath, {
+  const result = await bundlePlayFileCore(filePath, {
     target: options.target ?? defaultPlayBundleTarget(),
     exportName: options.exportName,
     adapter: createSdkPlayBundlingAdapter(),
   });
+  if (result.success) validatePlaySourceFilesHaveNoInlineSecrets(result.sourceFiles);
+  return result;
 }
 
 export { PLAY_ARTIFACT_KINDS };

package/dist/repo/sdk/src/release.ts

@@ -50,10 +50,10 @@ export type SdkRelease = {
 };
 
 export const SDK_RELEASE = {
-  version: '0.1.67',
+  version: '0.1.69',
   apiContract: '2026-05-play-bootstrap-dataset-summary',
   supportPolicy: {
-    latest: '0.1.67',
+    latest: '0.1.69',
     minimumSupported: '0.1.53',
     deprecatedBelow: '0.1.53',
   },

package/dist/repo/shared_libs/play-runtime/secret-capability.ts

@@ -0,0 +1,103 @@
+const SECRET_HANDLE_BRAND = Symbol.for('deepline.secret.handle');
+const SECRET_AUTH_BRAND = Symbol.for('deepline.secret.auth');
+const SECRET_HANDLE_MARKER_RE = /\[secret:[A-Z0-9_ -]+\]/i;
+
+export type SecretHandle = {
+  readonly [SECRET_HANDLE_BRAND]: true;
+  readonly name: string;
+  toString(): string;
+  toJSON(): never;
+};
+
+export type SecretAuth =
+  | {
+      readonly [SECRET_AUTH_BRAND]: true;
+      readonly kind: 'bearer';
+      readonly secret: SecretHandle;
+    }
+  | {
+      readonly [SECRET_AUTH_BRAND]: true;
+      readonly kind: 'header';
+      readonly header: string;
+      readonly secret: SecretHandle;
+    };
+
+export type SecretAwareRequestInit = RequestInit & {
+  auth?: SecretAuth;
+};
+
+function isRecord(value: unknown): value is Record<string | symbol, unknown> {
+  return Boolean(value) && typeof value === 'object' && !Array.isArray(value);
+}
+
+export function isSecretHandle(value: unknown): value is SecretHandle {
+  return isRecord(value) && value[SECRET_HANDLE_BRAND] === true;
+}
+
+export function isSecretAuth(value: unknown): value is SecretAuth {
+  return isRecord(value) && value[SECRET_AUTH_BRAND] === true;
+}
+
+export function valueContainsSecret(value: unknown): boolean {
+  if (isSecretHandle(value) || isSecretAuth(value)) return true;
+  if (typeof value === 'string') return SECRET_HANDLE_MARKER_RE.test(value);
+  if (Array.isArray(value)) return value.some(valueContainsSecret);
+  if (isRecord(value)) return Object.values(value).some(valueContainsSecret);
+  return false;
+}
+
+export function createSecretHandle(name: string): SecretHandle {
+  return {
+    [SECRET_HANDLE_BRAND]: true,
+    name,
+    toString: () => `[secret:${name}]`,
+    toJSON: () => {
+      throw new Error(
+        `Secret ${name} cannot be serialized. Use an approved ctx.secrets helper.`,
+      );
+    },
+  };
+}
+
+export function createBearerSecretAuth(secret: SecretHandle): SecretAuth {
+  if (!isSecretHandle(secret)) {
+    throw new Error('ctx.secrets.bearer(...) requires a SecretHandle.');
+  }
+  return { [SECRET_AUTH_BRAND]: true, kind: 'bearer', secret };
+}
+
+export function createHeaderSecretAuth(
+  header: string,
+  secret: SecretHandle,
+): SecretAuth {
+  if (!isSecretHandle(secret)) {
+    throw new Error('ctx.secrets.header(...) requires a SecretHandle.');
+  }
+  if (typeof header !== 'string' || !header.trim()) {
+    throw new Error('ctx.secrets.header(...) requires a header name.');
+  }
+  return {
+    [SECRET_AUTH_BRAND]: true,
+    kind: 'header',
+    header: header.trim(),
+    secret,
+  };
+}
+
+export function secretAuthHeaderMarkers(
+  auth: SecretAuth | undefined,
+): Record<string, string> {
+  if (!auth) return {};
+  if (auth.kind === 'bearer') {
+    return { authorization: `[secret:${auth.secret.name}]` };
+  }
+  return { [auth.header.toLowerCase()]: `[secret:${auth.secret.name}]` };
+}
+
+export function assertNoSecretTaint(value: unknown, sink: string): void {
+  if (valueContainsSecret(value)) {
+    throw new Error(
+      `${sink} cannot receive secret handles or secret-tainted values. Use an approved ctx.secrets helper.`,
+    );
+  }
+}