env-secrets 0.5.2 → 0.5.4

package/__tests__/index.test.ts

@@ -39,6 +39,24 @@ const mockObjectToExport = objectToExport as jest.MockedFunction<
   typeof objectToExport
 >;
 
+// Build a ChildProcess-like mock that records event handlers
+function makeChildMock() {
+  const handlers: Record<string, ((...args: unknown[]) => void)[]> = {};
+  const child = {
+    stdio: 'inherit',
+    on: jest.fn((event: string, cb: (...args: unknown[]) => void) => {
+      if (!handlers[event]) handlers[event] = [];
+      handlers[event].push(cb);
+      return child;
+    }),
+    emit(event: string, ...args: unknown[]) {
+      (handlers[event] ?? []).forEach((cb) => cb(...args));
+    }
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+  } as any;
+  return child;
+}
+
 describe('index.ts CLI functionality', () => {
   beforeEach(() => {
     jest.clearAllMocks();
@@ -94,43 +112,67 @@ describe('index.ts CLI functionality', () => {
       );
     });
 
-    it('should spawn a program when provided', async () => {
+    it('should spawn using shell (default) with joined command string', async () => {
       const mockEnv = { SECRET_KEY: 'secret_value' };
       mockSecretsmanager.mockResolvedValue(mockEnv);
 
-      // eslint-disable-next-line @typescript-eslint/no-explicit-any
-      const mockChildProcess = {
-        stdio: 'inherit'
-        // eslint-disable-next-line @typescript-eslint/no-explicit-any
-      } as any;
-      mockSpawn.mockReturnValue(mockChildProcess);
+      const child = makeChildMock();
+      mockSpawn.mockReturnValue(child);
 
       const program = ['node', 'script.js', 'arg1', 'arg2'];
-      const options = { secret: 'my-secret' };
+      const options = { secret: 'my-secret', shell: true };
 
-      // Simulate the action logic
       let env = await mockSecretsmanager(options);
       env = Object.assign({}, process.env, env);
 
       if (program && program.length > 0) {
-        mockSpawn(program[0], program.slice(1), {
+        mockSpawn(program.join(' '), [], {
           stdio: 'inherit',
           shell: true,
           env
         });
       }
 
-      expect(mockSpawn).toHaveBeenCalledWith(
-        'node',
-        ['script.js', 'arg1', 'arg2'],
-        {
-          stdio: 'inherit',
-          shell: true,
-          env: expect.objectContaining({
-            SECRET_KEY: 'secret_value'
-          })
+      expect(mockSpawn).toHaveBeenCalledWith('node script.js arg1 arg2', [], {
+        stdio: 'inherit',
+        shell: true,
+        env: expect.objectContaining({
+          SECRET_KEY: 'secret_value'
+        })
+      });
+    });
+
+    it('should spawn without shell when --no-shell is passed', async () => {
+      const mockEnv = { SECRET_KEY: 'secret_value' };
+      mockSecretsmanager.mockResolvedValue(mockEnv);
+
+      const child = makeChildMock();
+      mockSpawn.mockReturnValue(child);
+
+      const program = ['node', 'script.js', 'arg1'];
+      const options = { secret: 'my-secret', shell: false };
+
+      let env = await mockSecretsmanager(options);
+      env = Object.assign({}, process.env, env);
+
+      if (program && program.length > 0) {
+        if (options.shell) {
+          mockSpawn(program.join(' '), [], {
+            stdio: 'inherit',
+            shell: true,
+            env
+          });
+        } else {
+          mockSpawn(program[0], program.slice(1), { stdio: 'inherit', env });
         }
-      );
+      }
+
+      expect(mockSpawn).toHaveBeenCalledWith('node', ['script.js', 'arg1'], {
+        stdio: 'inherit',
+        env: expect.objectContaining({
+          SECRET_KEY: 'secret_value'
+        })
+      });
     });
 
     it('should not spawn a program when no program is provided', async () => {
@@ -143,7 +185,7 @@ describe('index.ts CLI functionality', () => {
 
       const program: string[] = [];
       if (program && program.length > 0) {
-        mockSpawn(program[0], program.slice(1), {
+        mockSpawn(program.join(' '), [], {
           stdio: 'inherit',
           shell: true,
           env
@@ -163,7 +205,7 @@ describe('index.ts CLI functionality', () => {
 
       const program: string[] = [];
       if (program && program.length > 0) {
-        mockSpawn(program[0], program.slice(1), {
+        mockSpawn(program.join(' '), [], {
           stdio: 'inherit',
           shell: true,
           env
@@ -173,26 +215,21 @@ describe('index.ts CLI functionality', () => {
       expect(mockSpawn).not.toHaveBeenCalled();
     });
 
-    it('should handle single program argument', async () => {
+    it('should handle single program argument (shell mode)', async () => {
       const mockEnv = { SECRET_KEY: 'secret_value' };
       mockSecretsmanager.mockResolvedValue(mockEnv);
 
-      // eslint-disable-next-line @typescript-eslint/no-explicit-any
-      const mockChildProcess = {
-        stdio: 'inherit'
-        // eslint-disable-next-line @typescript-eslint/no-explicit-any
-      } as any;
-      mockSpawn.mockReturnValue(mockChildProcess);
+      const child = makeChildMock();
+      mockSpawn.mockReturnValue(child);
 
       const program = ['echo'];
-      const options = { secret: 'my-secret' };
+      const options = { secret: 'my-secret', shell: true };
 
-      // Simulate the action logic
       let env = await mockSecretsmanager(options);
       env = Object.assign({}, process.env, env);
 
       if (program && program.length > 0) {
-        mockSpawn(program[0], program.slice(1), {
+        mockSpawn(program.join(' '), [], {
           stdio: 'inherit',
           shell: true,
           env
@@ -219,13 +256,12 @@ describe('index.ts CLI functionality', () => {
 
       mockSecretsmanager.mockResolvedValue(mockSecrets);
 
-      // Simulate the action logic
       let env = await mockSecretsmanager({ secret: 'my-secret' });
       env = Object.assign({}, process.env, env);
 
       const program = ['echo'];
       if (program && program.length > 0) {
-        mockSpawn(program[0], program.slice(1), {
+        mockSpawn(program.join(' '), [], {
           stdio: 'inherit',
           shell: true,
           env
@@ -247,13 +283,12 @@ describe('index.ts CLI functionality', () => {
     it('should handle secretsmanager returning empty object', async () => {
       mockSecretsmanager.mockResolvedValue({});
 
-      // Simulate the action logic
       let env = await mockSecretsmanager({ secret: 'my-secret' });
       env = Object.assign({}, process.env, env);
 
       const program = ['echo'];
       if (program && program.length > 0) {
-        mockSpawn(program[0], program.slice(1), {
+        mockSpawn(program.join(' '), [], {
           stdio: 'inherit',
           shell: true,
           env
@@ -276,6 +311,128 @@ describe('index.ts CLI functionality', () => {
         'AWS connection failed'
       );
     });
+
+    describe('ChildProcess error and exit handling', () => {
+      beforeEach(() => {
+        jest.spyOn(process, 'exit').mockImplementation(() => {
+          throw new Error('process.exit called');
+        });
+        jest.spyOn(console, 'error').mockImplementation(() => undefined);
+      });
+
+      afterEach(() => {
+        jest.restoreAllMocks();
+      });
+
+      it('should print error message and exit 1 on child process error', async () => {
+        const mockEnv = { SECRET_KEY: 'secret_value' };
+        mockSecretsmanager.mockResolvedValue(mockEnv);
+
+        const child = makeChildMock();
+        mockSpawn.mockReturnValue(child);
+
+        let env = await mockSecretsmanager({ secret: 'my-secret' });
+        env = Object.assign({}, process.env, env);
+
+        const program = ['nonexistent-cmd'];
+        mockSpawn(program.join(' '), [], {
+          stdio: 'inherit',
+          shell: true,
+          env
+        });
+
+        // Simulate attaching handlers as src/index.ts does
+        child.on('error', (err: Error) => {
+          // eslint-disable-next-line no-console
+          console.error(`Failed to start process: ${err.message}`);
+          process.exit(1);
+        });
+
+        expect(() => child.emit('error', new Error('spawn ENOENT'))).toThrow(
+          'process.exit called'
+        );
+
+        // eslint-disable-next-line no-console
+        expect(console.error).toHaveBeenCalledWith(
+          'Failed to start process: spawn ENOENT'
+        );
+        expect(process.exit).toHaveBeenCalledWith(1);
+      });
+
+      it('should propagate child exit code 0', async () => {
+        const mockEnv = { SECRET_KEY: 'secret_value' };
+        mockSecretsmanager.mockResolvedValue(mockEnv);
+
+        const child = makeChildMock();
+        mockSpawn.mockReturnValue(child);
+
+        let env = await mockSecretsmanager({ secret: 'my-secret' });
+        env = Object.assign({}, process.env, env);
+
+        mockSpawn(['node', '-e', '"process.exit(0)"'].join(' '), [], {
+          stdio: 'inherit',
+          shell: true,
+          env
+        });
+
+        child.on('exit', (code: number | null, signal: string | null) => {
+          process.exit(signal ? 1 : code ?? 0);
+        });
+
+        expect(() => child.emit('exit', 0, null)).toThrow(
+          'process.exit called'
+        );
+        expect(process.exit).toHaveBeenCalledWith(0);
+      });
+
+      it('should propagate non-zero child exit code', async () => {
+        const mockEnv = { SECRET_KEY: 'secret_value' };
+        mockSecretsmanager.mockResolvedValue(mockEnv);
+
+        const child = makeChildMock();
+        mockSpawn.mockReturnValue(child);
+
+        let env = await mockSecretsmanager({ secret: 'my-secret' });
+        env = Object.assign({}, process.env, env);
+
+        mockSpawn(['node', '-e', '"process.exit(42)"'].join(' '), [], {
+          stdio: 'inherit',
+          shell: true,
+          env
+        });
+
+        child.on('exit', (code: number | null, signal: string | null) => {
+          process.exit(signal ? 1 : code ?? 0);
+        });
+
+        expect(() => child.emit('exit', 42, null)).toThrow(
+          'process.exit called'
+        );
+        expect(process.exit).toHaveBeenCalledWith(42);
+      });
+
+      it('should exit 1 when child is killed by a signal', async () => {
+        const mockEnv = { SECRET_KEY: 'secret_value' };
+        mockSecretsmanager.mockResolvedValue(mockEnv);
+
+        const child = makeChildMock();
+        mockSpawn.mockReturnValue(child);
+
+        let env = await mockSecretsmanager({ secret: 'my-secret' });
+        env = Object.assign({}, process.env, env);
+
+        mockSpawn('sleep 10', [], { stdio: 'inherit', shell: true, env });
+
+        child.on('exit', (code: number | null, signal: string | null) => {
+          process.exit(signal ? 1 : code ?? 0);
+        });
+
+        expect(() => child.emit('exit', null, 'SIGTERM')).toThrow(
+          'process.exit called'
+        );
+        expect(process.exit).toHaveBeenCalledWith(1);
+      });
+    });
   });
 
   describe('Debug logging', () => {
@@ -314,12 +471,8 @@ describe('index.ts CLI functionality', () => {
       const mockEnv = { SECRET_KEY: 'secret_value' };
       mockSecretsmanager.mockResolvedValue(mockEnv);
 
-      // eslint-disable-next-line @typescript-eslint/no-explicit-any
-      const mockChildProcess = {
-        stdio: 'inherit'
-        // eslint-disable-next-line @typescript-eslint/no-explicit-any
-      } as any;
-      mockSpawn.mockReturnValue(mockChildProcess);
+      const child = makeChildMock();
+      mockSpawn.mockReturnValue(child);
 
       const program = ['node', 'script.js', 'arg1'];
 
@@ -331,7 +484,7 @@ describe('index.ts CLI functionality', () => {
         // Simulate debug logging
         mockDebugInstance(`${program[0]} ${program.slice(1).join(' ')}`);
 
-        mockSpawn(program[0], program.slice(1), {
+        mockSpawn(program.join(' '), [], {
           stdio: 'inherit',
           shell: true,
           env
@@ -438,16 +591,12 @@ describe('index.ts CLI functionality', () => {
       const mockSecrets = { SECRET_KEY: 'secret_value' };
       mockSecretsmanager.mockResolvedValue(mockSecrets);
 
-      // eslint-disable-next-line @typescript-eslint/no-explicit-any
-      const mockChildProcess = {
-        stdio: 'inherit'
-        // eslint-disable-next-line @typescript-eslint/no-explicit-any
-      } as any;
-      mockSpawn.mockReturnValue(mockChildProcess);
-
-      const options: { secret: string; output?: string } = {
-        secret: 'my-secret'
-        // No output option
+      const child = makeChildMock();
+      mockSpawn.mockReturnValue(child);
+
+      const options: { secret: string; output?: string; shell: boolean } = {
+        secret: 'my-secret',
+        shell: true
       };
 
       const program = ['echo', 'hello'];
@@ -474,7 +623,7 @@ describe('index.ts CLI functionality', () => {
         const env = Object.assign({}, process.env, secrets);
 
         if (program && program.length > 0) {
-          mockSpawn(program[0], program.slice(1), {
+          mockSpawn(program.join(' '), [], {
             stdio: 'inherit',
             shell: true,
             env
@@ -483,7 +632,7 @@ describe('index.ts CLI functionality', () => {
       }
 
       expect(mockSecretsmanager).toHaveBeenCalledWith(options);
-      expect(mockSpawn).toHaveBeenCalledWith('echo', ['hello'], {
+      expect(mockSpawn).toHaveBeenCalledWith('echo hello', [], {
         stdio: 'inherit',
         shell: true,
         env: expect.objectContaining({
@@ -538,9 +687,10 @@ describe('index.ts CLI functionality', () => {
       mockObjectToExport.mockReturnValue(mockEnvContent);
       mockExistsSync.mockReturnValue(false);
 
-      const options: { secret: string; output: string } = {
+      const options: { secret: string; output: string; shell: boolean } = {
         secret: 'my-secret',
-        output: '/tmp/secrets.env'
+        output: '/tmp/secrets.env',
+        shell: true
       };
 
       const program = ['echo', 'hello'];
@@ -566,7 +716,7 @@ describe('index.ts CLI functionality', () => {
         const env = Object.assign({}, process.env, secrets);
 
         if (program && program.length > 0) {
-          mockSpawn(program[0], program.slice(1), {
+          mockSpawn(program.join(' '), [], {
             stdio: 'inherit',
             shell: true,
             env

package/dist/cli/helpers.js

@@ -9,7 +9,7 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
     });
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.resolveAwsScope = exports.parseEnvSecretsFile = exports.parseEnvSecrets = exports.resolveSecretValue = exports.readStdin = exports.parseRecoveryDays = exports.printData = exports.renderTable = exports.asOutputFormat = void 0;
+exports.resolveAwsScope = exports.resolveOutputFormat = exports.parseEnvSecretsFile = exports.parseEnvSecrets = exports.resolveSecretValue = exports.readStdin = exports.parseRecoveryDays = exports.printData = exports.renderTable = exports.asOutputFormat = void 0;
 const promises_1 = require("node:fs/promises");
 const asOutputFormat = (value) => {
     if (value !== 'json' && value !== 'table') {
@@ -156,6 +156,18 @@ const parseEnvSecretsFile = (path) => __awaiter(void 0, void 0, void 0, function
     return (0, exports.parseEnvSecrets)(content);
 });
 exports.parseEnvSecretsFile = parseEnvSecretsFile;
+const resolveOutputFormat = (options, command) => {
+    var _a, _b;
+    if (options.output) {
+        return (0, exports.asOutputFormat)(options.output);
+    }
+    const globalOutput = (_b = (_a = command === null || command === void 0 ? void 0 : command.optsWithGlobals) === null || _a === void 0 ? void 0 : _a.call(command)) === null || _b === void 0 ? void 0 : _b.output;
+    if (globalOutput === 'json' || globalOutput === 'table') {
+        return globalOutput;
+    }
+    return 'table';
+};
+exports.resolveOutputFormat = resolveOutputFormat;
 const resolveAwsScope = (options, command) => {
     var _a;
     const globalOptions = ((_a = command === null || command === void 0 ? void 0 : command.optsWithGlobals) === null || _a === void 0 ? void 0 : _a.call(command)) || {};

package/dist/index.js

@@ -91,6 +91,7 @@ const awsCommand = program
     .option('-p, --profile <profile>', 'profile to use')
     .option('-r, --region <region>', 'region to use')
     .option('-o, --output <file>', 'output secrets to file instead of environment variables')
+    .option('--no-shell', 'run program directly without a shell (disables shell expansion)')
     .action((program, options) => __awaiter(void 0, void 0, void 0, function* () {
     if (!options.secret) {
         exitWithError(new Error('Missing required option --secret for this command.'));
@@ -123,10 +124,20 @@ const awsCommand = program
                 console.log(JSON.stringify(env));
                 return;
             }
-            (0, node_child_process_1.spawn)(program[0], program.slice(1), {
-                stdio: 'inherit',
-                shell: true,
-                env
+            const child = options.shell
+                ? (0, node_child_process_1.spawn)(program.join(' '), [], {
+                    stdio: 'inherit',
+                    shell: true,
+                    env
+                })
+                : (0, node_child_process_1.spawn)(program[0], program.slice(1), { stdio: 'inherit', env });
+            child.on('error', (err) => {
+                // eslint-disable-next-line no-console
+                console.error(`Failed to start process: ${err.message}`);
+                process.exit(1);
+            });
+            child.on('exit', (code, signal) => {
+                process.exit(signal ? 1 : code !== null && code !== void 0 ? code : 0);
             });
         }
     }
@@ -148,13 +159,9 @@ secretCommand
     .option('-r, --region <region>', 'region to use')
     .option('--output <format>', 'output format: json|table')
     .action((options, command) => __awaiter(void 0, void 0, void 0, function* () {
-    var _a;
     try {
         const { profile, region } = (0, helpers_1.resolveAwsScope)(options, command);
-        const globalOptions = command.optsWithGlobals();
-        const output = (_a = options.output) !== null && _a !== void 0 ? _a : (typeof globalOptions.output === 'string'
-            ? globalOptions.output
-            : 'table');
+        const output = (0, helpers_1.resolveOutputFormat)(options, command);
         const value = yield (0, helpers_1.resolveSecretValue)(options.value, options.valueStdin, options.file);
         if (!value) {
             throw new Error('Secret value is required. Provide --value, --value-stdin, or --file.');
@@ -192,13 +199,9 @@ secretCommand
     .option('-r, --region <region>', 'region to use')
     .option('--output <format>', 'output format: json|table')
     .action((options, command) => __awaiter(void 0, void 0, void 0, function* () {
-    var _b;
     try {
         const { profile, region } = (0, helpers_1.resolveAwsScope)(options, command);
-        const globalOptions = command.optsWithGlobals();
-        const output = (_b = options.output) !== null && _b !== void 0 ? _b : (typeof globalOptions.output === 'string'
-            ? globalOptions.output
-            : 'table');
+        const output = (0, helpers_1.resolveOutputFormat)(options, command);
         const value = yield (0, helpers_1.resolveSecretValue)(options.value, options.valueStdin, options.file);
         if (!value && !options.description && !options.kmsKeyId) {
             throw new Error('Nothing to update. Provide --value/--value-stdin/--file, --description, or --kms-key-id.');
@@ -234,13 +237,9 @@ secretCommand
     .option('-r, --region <region>', 'region to use')
     .option('--output <format>', 'output format: json|table')
     .action((options, command) => __awaiter(void 0, void 0, void 0, function* () {
-    var _c;
     try {
         const { profile, region } = (0, helpers_1.resolveAwsScope)(options, command);
-        const globalOptions = command.optsWithGlobals();
-        const output = (_c = options.output) !== null && _c !== void 0 ? _c : (typeof globalOptions.output === 'string'
-            ? globalOptions.output
-            : 'table');
+        const output = (0, helpers_1.resolveOutputFormat)(options, command);
         const parsed = yield (0, helpers_1.parseEnvSecretsFile)(options.file);
         if (parsed.entries.length === 0) {
             throw new Error('No env entries found. Include lines like KEY=value or export KEY=value.');
@@ -346,13 +345,9 @@ secretCommand
     .option('-r, --region <region>', 'region to use')
     .option('--output <format>', 'output format: json|table')
     .action((options, command) => __awaiter(void 0, void 0, void 0, function* () {
-    var _d;
     try {
         const { profile, region } = (0, helpers_1.resolveAwsScope)(options, command);
-        const globalOptions = command.optsWithGlobals();
-        const output = (_d = options.output) !== null && _d !== void 0 ? _d : (typeof globalOptions.output === 'string'
-            ? globalOptions.output
-            : 'table');
+        const output = (0, helpers_1.resolveOutputFormat)(options, command);
         const value = yield (0, helpers_1.resolveSecretValue)(options.value, options.valueStdin, options.file);
         if (!value) {
             throw new Error('Append value is required. Provide --value, --value-stdin, or --file.');
@@ -393,13 +388,9 @@ secretCommand
     .option('-r, --region <region>', 'region to use')
     .option('--output <format>', 'output format: json|table')
     .action((options, command) => __awaiter(void 0, void 0, void 0, function* () {
-    var _e;
     try {
         const { profile, region } = (0, helpers_1.resolveAwsScope)(options, command);
-        const globalOptions = command.optsWithGlobals();
-        const output = (_e = options.output) !== null && _e !== void 0 ? _e : (typeof globalOptions.output === 'string'
-            ? globalOptions.output
-            : 'table');
+        const output = (0, helpers_1.resolveOutputFormat)(options, command);
         const keys = options.key;
         const current = yield (0, secretsmanager_admin_1.getSecretString)({
             name: options.name,
@@ -450,13 +441,9 @@ secretCommand
     .option('-r, --region <region>', 'region to use')
     .option('--output <format>', 'output format: json|table')
     .action((options, command) => __awaiter(void 0, void 0, void 0, function* () {
-    var _f;
     try {
         const { profile, region } = (0, helpers_1.resolveAwsScope)(options, command);
-        const globalOptions = command.optsWithGlobals();
-        const output = (_f = options.output) !== null && _f !== void 0 ? _f : (typeof globalOptions.output === 'string'
-            ? globalOptions.output
-            : 'table');
+        const output = (0, helpers_1.resolveOutputFormat)(options, command);
         const result = yield (0, secretsmanager_admin_1.listSecrets)({
             prefix: options.prefix,
             tags: options.tag,
@@ -486,13 +473,9 @@ secretCommand
     .option('-r, --region <region>', 'region to use')
     .option('--output <format>', 'output format: json|table')
     .action((options, command) => __awaiter(void 0, void 0, void 0, function* () {
-    var _g;
     try {
         const { profile, region } = (0, helpers_1.resolveAwsScope)(options, command);
-        const globalOptions = command.optsWithGlobals();
-        const output = (_g = options.output) !== null && _g !== void 0 ? _g : (typeof globalOptions.output === 'string'
-            ? globalOptions.output
-            : 'table');
+        const output = (0, helpers_1.resolveOutputFormat)(options, command);
         const result = yield (0, secretsmanager_admin_1.getSecretMetadata)({
             name: options.name,
             profile,
@@ -521,6 +504,77 @@ secretCommand
         exitWithError(error);
     }
 }));
+secretCommand
+    .command('value')
+    .description('get the values of a secret')
+    .requiredOption('-n, --name <name>', 'secret name')
+    .option('--reveal', 'reveal secret values in table output (values are masked by default)', false)
+    .option('-p, --profile <profile>', 'profile to use')
+    .option('-r, --region <region>', 'region to use')
+    .option('--output <format>', 'output format: json|table')
+    .action((options, command) => __awaiter(void 0, void 0, void 0, function* () {
+    try {
+        const { profile, region } = (0, helpers_1.resolveAwsScope)(options, command);
+        const output = (0, helpers_1.resolveOutputFormat)(options, command);
+        let secretString;
+        try {
+            secretString = yield (0, secretsmanager_admin_1.getSecretString)({
+                name: options.name,
+                profile,
+                region
+            });
+        }
+        catch (error) {
+            const msg = error instanceof Error ? error.message : String(error);
+            if (msg.includes('cannot be edited with append/remove')) {
+                throw new Error(`Secret "${options.name}" is stored as binary and cannot be displayed as text.`);
+            }
+            throw error;
+        }
+        let jsonEntries;
+        try {
+            const parsed = JSON.parse(secretString);
+            if (parsed && !Array.isArray(parsed) && typeof parsed === 'object') {
+                jsonEntries = Object.entries(parsed).map(([key, value]) => ({ key, value }));
+            }
+            else {
+                jsonEntries = [{ key: options.name, value: secretString }];
+            }
+        }
+        catch (_a) {
+            jsonEntries = [{ key: options.name, value: secretString }];
+        }
+        if (output === 'json') {
+            if (process.stdout.isTTY) {
+                // eslint-disable-next-line no-console
+                console.error('Warning: displaying sensitive secret values.');
+            }
+            const result = Object.fromEntries(jsonEntries.map(({ key, value }) => [key, value]));
+            // eslint-disable-next-line no-console
+            console.log(JSON.stringify(result, null, 2));
+            return;
+        }
+        if (options.reveal) {
+            // eslint-disable-next-line no-console
+            console.error('Warning: displaying sensitive secret values.');
+        }
+        const rows = jsonEntries.map(({ key, value }) => ({
+            key,
+            value: options.reveal
+                ? typeof value === 'string'
+                    ? value
+                    : JSON.stringify(value)
+                : '****'
+        }));
+        (0, helpers_1.printData)((0, helpers_1.asOutputFormat)(output), [
+            { key: 'key', label: 'Key' },
+            { key: 'value', label: 'Value' }
+        ], rows);
+    }
+    catch (error) {
+        exitWithError(error);
+    }
+}));
 secretCommand
     .command('delete')
     .description('delete a secret in AWS Secrets Manager')
@@ -532,13 +586,9 @@ secretCommand
     .option('-r, --region <region>', 'region to use')
     .option('--output <format>', 'output format: json|table')
     .action((options, command) => __awaiter(void 0, void 0, void 0, function* () {
-    var _h;
     try {
         const { profile, region } = (0, helpers_1.resolveAwsScope)(options, command);
-        const globalOptions = command.optsWithGlobals();
-        const output = (_h = options.output) !== null && _h !== void 0 ? _h : (typeof globalOptions.output === 'string'
-            ? globalOptions.output
-            : 'table');
+        const output = (0, helpers_1.resolveOutputFormat)(options, command);
         if (!options.yes) {
             throw new Error('Delete requires --yes confirmation.');
         }

package/docker-compose.yaml

@@ -1,7 +1,7 @@
 services:
   localstack:
     container_name: 'localstack'
-    image: localstack/localstack:latest
+    image: localstack/localstack:3
     ports:
       - '4566:4566' # LocalStack Gateway
     environment: