npm - env-secrets - Versions diffs - 0.3.2 → 0.4.0 - Mend

env-secrets 0.3.2 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (42) hide show

package/.codex/rules/cicd.md +170 -0
package/.codex/rules/linting.md +174 -0
package/.codex/rules/local-dev-badges.md +93 -0
package/.codex/rules/local-dev-env.md +271 -0
package/.codex/rules/local-dev-license.md +104 -0
package/.codex/rules/local-dev-mcp.md +72 -0
package/.codex/rules/logging.md +358 -0
package/.codex/rules/observability.md +25 -0
package/.codex/rules/testing.md +133 -0
package/.github/workflows/lint.yaml +7 -8
package/.github/workflows/release.yml +1 -1
package/.github/workflows/unittests.yaml +1 -1
package/AGENTS.md +10 -4
package/README.md +14 -9
package/__e2e__/README.md +2 -5
package/__e2e__/index.test.ts +152 -1
package/__e2e__/utils/test-utils.ts +61 -1
package/__tests__/cli/helpers.test.ts +129 -0
package/__tests__/vaults/aws-config.test.ts +85 -0
package/__tests__/vaults/secretsmanager-admin.test.ts +312 -0
package/__tests__/vaults/secretsmanager.test.ts +57 -20
package/dist/cli/helpers.js +110 -0
package/dist/index.js +221 -2
package/dist/vaults/aws-config.js +29 -0
package/dist/vaults/secretsmanager-admin.js +240 -0
package/dist/vaults/secretsmanager.js +20 -16
package/docs/AWS.md +78 -3
package/eslint.config.js +67 -0
package/jest.e2e.config.js +1 -0
package/package.json +23 -13
package/src/cli/helpers.ts +144 -0
package/src/index.ts +287 -2
package/src/vaults/aws-config.ts +51 -0
package/src/vaults/secretsmanager-admin.ts +352 -0
package/src/vaults/secretsmanager.ts +32 -20
package/website/docs/cli-reference.mdx +67 -0
package/website/docs/examples.mdx +1 -1
package/website/docs/installation.mdx +1 -1
package/website/docs/providers/aws-secrets-manager.mdx +32 -0
package/.eslintignore +0 -4
package/.eslintrc +0 -18
package/.lintstagedrc +0 -4

package/__tests__/vaults/secretsmanager-admin.test.ts ADDED Viewed

@@ -0,0 +1,312 @@
+import { SecretsManagerClient } from '@aws-sdk/client-secrets-manager';
+import { STSClient } from '@aws-sdk/client-sts';
+import { fromIni } from '@aws-sdk/credential-providers';
+const mockSecretsManagerSend = jest.fn();
+const mockSTSSend = jest.fn();
+jest.mock('@aws-sdk/client-secrets-manager', () => {
+  return {
+    SecretsManagerClient: jest.fn().mockImplementation(() => ({
+      send: mockSecretsManagerSend
+    })),
+    CreateSecretCommand: jest.fn().mockImplementation((input) => ({ input })),
+    UpdateSecretCommand: jest.fn().mockImplementation((input) => ({ input })),
+    ListSecretsCommand: jest.fn().mockImplementation((input) => ({ input })),
+    DescribeSecretCommand: jest.fn().mockImplementation((input) => ({ input })),
+    DeleteSecretCommand: jest.fn().mockImplementation((input) => ({ input }))
+  };
+});
+jest.mock('@aws-sdk/client-sts', () => {
+  return {
+    STSClient: jest.fn().mockImplementation(() => ({
+      send: mockSTSSend
+    })),
+    GetCallerIdentityCommand: jest
+      .fn()
+      .mockImplementation((input) => ({ input }))
+  };
+});
+jest.mock('@aws-sdk/credential-providers');
+import {
+  createSecret,
+  updateSecret,
+  listSecrets,
+  getSecretMetadata,
+  deleteSecret,
+  validateSecretName
+} from '../../src/vaults/secretsmanager-admin';
+const mockSecretsManagerClient = SecretsManagerClient as jest.MockedClass<
+  typeof SecretsManagerClient
+>;
+const mockSTSClient = STSClient as jest.MockedClass<typeof STSClient>;
+const mockFromIni = fromIni as jest.MockedFunction<typeof fromIni>;
+describe('secretsmanager-admin', () => {
+  let originalEnv: NodeJS.ProcessEnv;
+  beforeEach(() => {
+    jest.clearAllMocks();
+    originalEnv = { ...process.env };
+    process.env = { ...originalEnv };
+    mockSTSSend.mockResolvedValue({ Account: '123456789012' });
+  });
+  afterEach(() => {
+    process.env = originalEnv;
+  });
+  it('validates secret names', () => {
+    expect(() => validateSecretName('valid/name_1')).not.toThrow();
+    expect(() => validateSecretName('invalid name')).toThrow(
+      'Invalid secret name'
+    );
+  });
+  it('creates a secret with tags', async () => {
+    mockSecretsManagerSend.mockResolvedValueOnce({
+      Name: 'test-secret',
+      ARN: 'arn:aws:secretsmanager:us-east-1:123456789012:secret:test-secret',
+      VersionId: 'v1'
+    });
+    const result = await createSecret({
+      name: 'test-secret',
+      value: '{"API_KEY":"abc"}',
+      description: 'test',
+      tags: ['team=platform', 'env=dev'],
+      region: 'us-east-1'
+    });
+    expect(mockSTSClient).toHaveBeenCalled();
+    expect(mockSecretsManagerClient).toHaveBeenCalled();
+    expect(mockSecretsManagerSend).toHaveBeenCalledWith(
+      expect.objectContaining({
+        input: expect.objectContaining({
+          Name: 'test-secret',
+          SecretString: '{"API_KEY":"abc"}',
+          Tags: [
+            { Key: 'team', Value: 'platform' },
+            { Key: 'env', Value: 'dev' }
+          ]
+        })
+      })
+    );
+    expect(result).toEqual({
+      arn: 'arn:aws:secretsmanager:us-east-1:123456789012:secret:test-secret',
+      name: 'test-secret',
+      versionId: 'v1'
+    });
+  });
+  it('supports tags with multiple equals signs', async () => {
+    mockSecretsManagerSend.mockResolvedValueOnce({
+      Name: 'test-secret',
+      ARN: 'arn:test',
+      VersionId: 'v1'
+    });
+    await createSecret({
+      name: 'test-secret',
+      value: 'value',
+      tags: ['url=https://example.com?a=1'],
+      region: 'us-east-1'
+    });
+    expect(mockSecretsManagerSend).toHaveBeenCalledWith(
+      expect.objectContaining({
+        input: expect.objectContaining({
+          Tags: [{ Key: 'url', Value: 'https://example.com?a=1' }]
+        })
+      })
+    );
+  });
+  it('throws for malformed tags', async () => {
+    await expect(
+      createSecret({
+        name: 'test-secret',
+        value: 'value',
+        tags: ['invalid-tag'],
+        region: 'us-east-1'
+      })
+    ).rejects.toThrow('Invalid tag format');
+  });
+  it('omits tags when none are provided', async () => {
+    mockSecretsManagerSend.mockResolvedValueOnce({
+      Name: 'test-secret',
+      ARN: 'arn:test',
+      VersionId: 'v1'
+    });
+    await createSecret({
+      name: 'test-secret',
+      value: 'value',
+      region: 'us-east-1'
+    });
+    expect(mockSecretsManagerSend).toHaveBeenCalledWith(
+      expect.objectContaining({
+        input: expect.objectContaining({
+          Tags: undefined
+        })
+      })
+    );
+  });
+  it('maps create secret AlreadyExistsException', async () => {
+    mockSecretsManagerSend.mockRejectedValueOnce({
+      name: 'AlreadyExistsException'
+    });
+    await expect(
+      createSecret({
+        name: 'existing-secret',
+        value: 'abc',
+        region: 'us-east-1'
+      })
+    ).rejects.toThrow('already exists');
+  });
+  it('updates a secret value and description', async () => {
+    mockSecretsManagerSend.mockResolvedValueOnce({
+      Name: 'test-secret',
+      ARN: 'arn:test',
+      VersionId: 'v2'
+    });
+    const result = await updateSecret({
+      name: 'test-secret',
+      value: '{"API_KEY":"new"}',
+      description: 'updated',
+      region: 'us-east-1'
+    });
+    expect(mockSecretsManagerSend).toHaveBeenCalledWith(
+      expect.objectContaining({
+        input: expect.objectContaining({
+          SecretId: 'test-secret',
+          SecretString: '{"API_KEY":"new"}',
+          Description: 'updated'
+        })
+      })
+    );
+    expect(result.versionId).toBe('v2');
+  });
+  it('lists secrets and applies prefix/tag filters', async () => {
+    mockSecretsManagerSend.mockResolvedValueOnce({
+      SecretList: [
+        {
+          Name: 'app/one',
+          Description: 'One',
+          Tags: [{ Key: 'env', Value: 'dev' }],
+          LastChangedDate: new Date('2026-02-16T00:00:00.000Z')
+        },
+        {
+          Name: 'app/two',
+          Description: 'Two',
+          Tags: [{ Key: 'env', Value: 'prod' }],
+          LastChangedDate: new Date('2026-02-16T00:00:00.000Z')
+        }
+      ]
+    });
+    const result = await listSecrets({
+      prefix: 'app/',
+      tags: ['env=dev'],
+      region: 'us-east-1'
+    });
+    expect(result).toHaveLength(1);
+    expect(result[0].name).toBe('app/one');
+  });
+  it('ignores invalid AWS tags during tag filtering', async () => {
+    mockSecretsManagerSend.mockResolvedValueOnce({
+      SecretList: [
+        {
+          Name: 'app/one',
+          Tags: [{ Key: undefined, Value: 'dev' }]
+        },
+        {
+          Name: 'app/two',
+          Tags: [{ Key: 'env', Value: 'dev' }]
+        }
+      ]
+    });
+    const result = await listSecrets({
+      tags: ['env=dev'],
+      region: 'us-east-1'
+    });
+    expect(result).toHaveLength(1);
+    expect(result[0].name).toBe('app/two');
+  });
+  it('returns secret metadata without secret value', async () => {
+    mockSecretsManagerSend.mockResolvedValueOnce({
+      Name: 'app/meta',
+      ARN: 'arn:meta',
+      Description: 'Meta secret',
+      KmsKeyId: 'kms-key',
+      CreatedDate: new Date('2026-02-16T00:00:00.000Z'),
+      LastChangedDate: new Date('2026-02-16T01:00:00.000Z'),
+      VersionIdsToStages: { abc: ['AWSCURRENT'] },
+      Tags: [{ Key: 'env', Value: 'dev' }]
+    });
+    const result = await getSecretMetadata({
+      name: 'app/meta',
+      region: 'us-east-1'
+    });
+    expect(result).toEqual(
+      expect.objectContaining({
+        name: 'app/meta',
+        arn: 'arn:meta',
+        tags: { env: 'dev' },
+        versionIdsToStages: { abc: ['AWSCURRENT'] }
+      })
+    );
+    expect(Object.keys(result)).not.toContain('secretString');
+  });
+  it('deletes secret with recovery options', async () => {
+    const mockCredentials = jest.fn().mockResolvedValue({
+      accessKeyId: 'default',
+      secretAccessKey: 'default'
+    });
+    mockFromIni.mockReturnValue(mockCredentials);
+    mockSecretsManagerSend.mockResolvedValueOnce({
+      Name: 'app/delete',
+      ARN: 'arn:delete',
+      DeletionDate: new Date('2026-02-16T02:00:00.000Z')
+    });
+    const result = await deleteSecret({
+      name: 'app/delete',
+      recoveryDays: 7,
+      profile: 'test-profile',
+      region: 'us-east-1'
+    });
+    expect(mockFromIni).toHaveBeenCalledWith({ profile: 'test-profile' });
+    expect(mockSecretsManagerSend).toHaveBeenCalledWith(
+      expect.objectContaining({
+        input: expect.objectContaining({
+          SecretId: 'app/delete',
+          RecoveryWindowInDays: 7
+        })
+      })
+    );
+    expect(result.name).toBe('app/delete');
+  });
+});

package/__tests__/vaults/secretsmanager.test.ts CHANGED Viewed

@@ -1,13 +1,34 @@
-import {
-  SecretsManagerClient,
-  GetSecretValueCommand
-} from '@aws-sdk/client-secrets-manager';
-import { STSClient, GetCallerIdentityCommand } from '@aws-sdk/client-sts';
+import { SecretsManagerClient } from '@aws-sdk/client-secrets-manager';
+import { STSClient } from '@aws-sdk/client-sts';
 import { fromIni } from '@aws-sdk/credential-providers';
+// Mock send functions - must be declared before jest.mock calls
+const mockSecretsManagerSend = jest.fn();
+const mockSTSSend = jest.fn();
 // Mock the AWS SDK and dependencies
-jest.mock('@aws-sdk/client-secrets-manager');
-jest.mock('@aws-sdk/client-sts');
+jest.mock('@aws-sdk/client-secrets-manager', () => {
+  return {
+    SecretsManagerClient: jest.fn().mockImplementation(() => ({
+      send: mockSecretsManagerSend
+    })),
+    GetSecretValueCommand: jest.fn().mockImplementation((input) => ({
+      input
+    }))
+  };
+});
+jest.mock('@aws-sdk/client-sts', () => {
+  return {
+    STSClient: jest.fn().mockImplementation(() => ({
+      send: mockSTSSend
+    })),
+    GetCallerIdentityCommand: jest.fn().mockImplementation((input) => ({
+      input
+    }))
+  };
+});
 jest.mock('@aws-sdk/credential-providers');
 jest.mock('debug', () => {
   const mockDebug = jest.fn();
@@ -27,8 +48,6 @@ const mockFromIni = fromIni as jest.MockedFunction<typeof fromIni>;
 describe('secretsmanager', () => {
   let originalEnv: NodeJS.ProcessEnv;
-  let mockSecretsManagerSend: jest.MockedFunction<any>;
-  let mockSTSSend: jest.MockedFunction<any>;
   beforeEach(() => {
     // Clear all mocks
@@ -37,13 +56,6 @@ describe('secretsmanager', () => {
     // Reset process.env
     originalEnv = { ...process.env };
     process.env = { ...originalEnv };
-    // Setup AWS client mocks
-    mockSecretsManagerSend = jest.fn();
-    mockSTSSend = jest.fn();
-    mockSecretsManagerClient.prototype.send = mockSecretsManagerSend;
-    mockSTSClient.prototype.send = mockSTSSend;
   });
   afterEach(() => {
@@ -72,10 +84,10 @@ describe('secretsmanager', () => {
       });
       expect(mockSTSSend).toHaveBeenCalledWith(
-        expect.any(GetCallerIdentityCommand)
+        expect.objectContaining({ input: {} })
       );
       expect(mockSecretsManagerSend).toHaveBeenCalledWith(
-        expect.any(GetSecretValueCommand)
+        expect.objectContaining({ input: expect.anything() })
       );
       expect(result).toEqual({
         API_KEY: 'test-key',
@@ -93,11 +105,33 @@ describe('secretsmanager', () => {
       });
       expect(mockSTSSend).toHaveBeenCalledWith(
-        expect.any(GetCallerIdentityCommand)
+        expect.objectContaining({ input: {} })
       );
       expect(mockSecretsManagerSend).not.toHaveBeenCalled();
       expect(result).toEqual({});
     });
+    it('should surface a clean error when profile credentials cannot be loaded', async () => {
+      const consoleErrorSpy = jest
+        .spyOn(console, 'error')
+        .mockImplementation(() => undefined);
+      mockSTSSend.mockRejectedValueOnce({
+        name: 'CredentialsProviderError',
+        message: 'Could not load credentials from any providers'
+      });
+      const result = await secretsmanager({
+        secret: 'my-secret',
+        profile: 'missing-profile',
+        region: 'us-east-1'
+      });
+      expect(consoleErrorSpy).toHaveBeenCalledWith(
+        'Could not load credentials from any providers'
+      );
+      expect(result).toEqual({});
+      expect(mockSecretsManagerSend).not.toHaveBeenCalled();
+    });
   });
   describe('credential handling', () => {
@@ -426,7 +460,10 @@ describe('secretsmanager', () => {
       });
       expect(mockFromIni).toHaveBeenCalledWith({ profile: 'production' });
-      expect(mockSTSClient).toHaveBeenCalledWith({ region: 'us-west-2' });
+      expect(mockSTSClient).toHaveBeenCalledWith({
+        region: 'us-west-2',
+        credentials: mockCredentials
+      });
       expect(mockSecretsManagerClient).toHaveBeenCalledWith({
         region: 'us-west-2',
         credentials: mockCredentials

package/dist/cli/helpers.js ADDED Viewed

@@ -0,0 +1,110 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.resolveAwsScope = exports.resolveSecretValue = exports.readStdin = exports.parseRecoveryDays = exports.printData = exports.renderTable = exports.asOutputFormat = void 0;
+const asOutputFormat = (value) => {
+    if (value !== 'json' && value !== 'table') {
+        throw new Error(`Invalid output format "${value}". Use "json" or "table".`);
+    }
+    return value;
+};
+exports.asOutputFormat = asOutputFormat;
+const renderTable = (headers, rows) => {
+    if (rows.length === 0) {
+        return 'No results.';
+    }
+    const widths = headers.map((header) => {
+        return Math.max(header.label.length, ...rows.map((row) => String(row[header.key] || '').length));
+    });
+    const headerLine = headers
+        .map((header, index) => header.label.padEnd(widths[index]))
+        .join('  ');
+    const divider = headers
+        .map((_, index) => '-'.repeat(widths[index]))
+        .join('  ');
+    const lines = rows.map((row) => headers
+        .map((header, index) => String(row[header.key] || '').padEnd(widths[index]))
+        .join('  '));
+    return [headerLine, divider, ...lines].join('\n');
+};
+exports.renderTable = renderTable;
+const printData = (format, headers, rows) => {
+    if (format === 'json') {
+        // eslint-disable-next-line no-console
+        console.log(JSON.stringify(rows, null, 2));
+        return;
+    }
+    // eslint-disable-next-line no-console
+    console.log((0, exports.renderTable)(headers, rows));
+};
+exports.printData = printData;
+const parseRecoveryDays = (value) => {
+    const parsed = Number(value);
+    if (!Number.isInteger(parsed) || parsed < 7 || parsed > 30) {
+        throw new Error('Recovery days must be an integer between 7 and 30.');
+    }
+    return parsed;
+};
+exports.parseRecoveryDays = parseRecoveryDays;
+const readStdin = (stdin = process.stdin) => __awaiter(void 0, void 0, void 0, function* () {
+    const chunks = [];
+    return yield new Promise((resolve, reject) => {
+        const onData = (chunk) => {
+            chunks.push(chunk);
+        };
+        const onEnd = () => {
+            cleanup();
+            resolve(Buffer.concat(chunks)
+                .toString('utf8')
+                .replace(/\r?\n$/, ''));
+        };
+        const onError = (error) => {
+            cleanup();
+            reject(error);
+        };
+        const cleanup = () => {
+            stdin.off('data', onData);
+            stdin.off('end', onEnd);
+            stdin.off('error', onError);
+        };
+        stdin.on('data', onData);
+        stdin.once('end', onEnd);
+        stdin.once('error', onError);
+    });
+});
+exports.readStdin = readStdin;
+const resolveSecretValue = (value, valueStdin) => __awaiter(void 0, void 0, void 0, function* () {
+    if (value && valueStdin) {
+        throw new Error('Use either --value or --value-stdin, not both.');
+    }
+    if (valueStdin) {
+        if (process.stdin.isTTY) {
+            throw new Error('No stdin detected. Pipe a value when using --value-stdin.');
+        }
+        return yield (0, exports.readStdin)();
+    }
+    return value;
+});
+exports.resolveSecretValue = resolveSecretValue;
+const resolveAwsScope = (options, command) => {
+    var _a;
+    const globalOptions = ((_a = command === null || command === void 0 ? void 0 : command.optsWithGlobals) === null || _a === void 0 ? void 0 : _a.call(command)) || {};
+    const profile = options.profile ||
+        (typeof globalOptions.profile === 'string'
+            ? globalOptions.profile
+            : undefined);
+    const region = options.region ||
+        (typeof globalOptions.region === 'string'
+            ? globalOptions.region
+            : undefined);
+    return { profile, region };
+};
+exports.resolveAwsScope = resolveAwsScope;