updating-secrets 0.0.0 → 0.1.0

package/LICENSE-CC0

@@ -0,0 +1,121 @@
+CC0 1.0 Universal
+
+Creative Commons Legal Code
+
+    CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE
+    LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN
+    ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS
+    INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES
+    REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS
+    PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM
+    THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED
+    HEREUNDER.
+
+Statement of Purpose
+
+The laws of most jurisdictions throughout the world automatically confer
+exclusive Copyright and Related Rights (defined below) upon the creator
+and subsequent owner(s) (each and all, an "owner") of an original work of
+authorship and/or a database (each, a "Work").
+
+Certain owners wish to permanently relinquish those rights to a Work for
+the purpose of contributing to a commons of creative, cultural and
+scientific works ("Commons") that the public can reliably and without fear
+of later claims of infringement build upon, modify, incorporate in other
+works, reuse and redistribute as freely as possible in any form whatsoever
+and for any purposes, including without limitation commercial purposes.
+These owners may contribute to the Commons to promote the ideal of a free
+culture and the further production of creative, cultural and scientific
+works, or to gain reputation or greater distribution for their Work in
+part through the use and efforts of others.
+
+For these and/or other purposes and motivations, and without any
+expectation of additional consideration or compensation, the person
+associating CC0 with a Work (the "Affirmer"), to the extent that he or she
+is an owner of Copyright and Related Rights in the Work, voluntarily
+elects to apply CC0 to the Work and publicly distribute the Work under its
+terms, with knowledge of his or her Copyright and Related Rights in the
+Work and the meaning and intended legal effect of CC0 on those rights.
+
+1. Copyright and Related Rights. A Work made available under CC0 may be
+protected by copyright and related or neighboring rights ("Copyright and
+Related Rights"). Copyright and Related Rights include, but are not
+limited to, the following:
+
+  i. the right to reproduce, adapt, distribute, perform, display,
+     communicate, and translate a Work;
+ ii. moral rights retained by the original author(s) and/or performer(s);
+iii. publicity and privacy rights pertaining to a person's image or
+     likeness depicted in a Work;
+ iv. rights protecting against unfair competition in regards to a Work,
+     subject to the limitations in paragraph 4(a), below;
+  v. rights protecting the extraction, dissemination, use and reuse of data
+     in a Work;
+ vi. database rights (such as those arising under Directive 96/9/EC of the
+     European Parliament and of the Council of 11 March 1996 on the legal
+     protection of databases, and under any national implementation
+     thereof, including any amended or successor version of such
+     directive); and
+vii. other similar, equivalent or corresponding rights throughout the
+     world based on applicable law or treaty, and any national
+     implementations thereof.
+
+2. Waiver. To the greatest extent permitted by, but not in contravention
+of, applicable law, Affirmer hereby overtly, fully, permanently,
+irrevocably and unconditionally waives, abandons, and surrenders all of
+Affirmer's Copyright and Related Rights and associated claims and causes
+of action, whether now known or unknown (including existing as well as
+future claims and causes of action), in the Work (i) in all territories
+worldwide, (ii) for the maximum duration provided by applicable law or
+treaty (including future time extensions), (iii) in any current or future
+medium and for any number of copies, and (iv) for any purpose whatsoever,
+including without limitation commercial, advertising or promotional
+purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each
+member of the public at large and to the detriment of Affirmer's heirs and
+successors, fully intending that such Waiver shall not be subject to
+revocation, rescission, cancellation, termination, or any other legal or
+equitable action to disrupt the quiet enjoyment of the Work by the public
+as contemplated by Affirmer's express Statement of Purpose.
+
+3. Public License Fallback. Should any part of the Waiver for any reason
+be judged legally invalid or ineffective under applicable law, then the
+Waiver shall be preserved to the maximum extent permitted taking into
+account Affirmer's express Statement of Purpose. In addition, to the
+extent the Waiver is so judged Affirmer hereby grants to each affected
+person a royalty-free, non transferable, non sublicensable, non exclusive,
+irrevocable and unconditional license to exercise Affirmer's Copyright and
+Related Rights in the Work (i) in all territories worldwide, (ii) for the
+maximum duration provided by applicable law or treaty (including future
+time extensions), (iii) in any current or future medium and for any number
+of copies, and (iv) for any purpose whatsoever, including without
+limitation commercial, advertising or promotional purposes (the
+"License"). The License shall be deemed effective as of the date CC0 was
+applied by Affirmer to the Work. Should any part of the License for any
+reason be judged legally invalid or ineffective under applicable law, such
+partial invalidity or ineffectiveness shall not invalidate the remainder
+of the License, and in such case Affirmer hereby affirms that he or she
+will not (i) exercise any of his or her remaining Copyright and Related
+Rights in the Work or (ii) assert any associated claims and causes of
+action with respect to the Work, in either case contrary to Affirmer's
+express Statement of Purpose.
+
+4. Limitations and Disclaimers.
+
+ a. No trademark or patent rights held by Affirmer are waived, abandoned,
+    surrendered, licensed or otherwise affected by this document.
+ b. Affirmer offers the Work as-is and makes no representations or
+    warranties of any kind concerning the Work, express, implied,
+    statutory or otherwise, including without limitation warranties of
+    title, merchantability, fitness for a particular purpose, non
+    infringement, or the absence of latent or other defects, accuracy, or
+    the present or absence of errors, whether or not discoverable, all to
+    the greatest extent permissible under applicable law.
+ c. Affirmer disclaims responsibility for clearing rights of other persons
+    that may apply to the Work or any use thereof, including without
+    limitation any person's Copyright and Related Rights in the Work.
+    Further, Affirmer disclaims responsibility for obtaining any necessary
+    consents, permissions or other rights required for any use of the
+    Work.
+ d. Affirmer understands and acknowledges that Creative Commons is not a
+    party to this document and has no duty or obligation with respect to
+    this CC0 or use of the Work.

package/LICENSE-MIT

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 electrovir
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,122 @@
+# updating-secrets
+
+Automatically update secrets on an interval with support for seamless secret rotation.
+
+Reference docs: https://electrovir.github.io/updating-secrets
+
+## Install
+
+```sh
+npm i updating-secrets
+```
+
+### Usage
+
+#### Basics
+
+First, define your set of secrets:
+
+<!-- example-link: src/examples/define-secrets.example.ts -->
+
+```TypeScript
+import {defineSecrets, rotatableSecretShape} from 'updating-secrets';
+
+// example collection of secrets
+export const mySecrets = defineSecrets({
+    databaseCredentials: {
+        description: 'All credentials and access information needed for accessing the database.',
+        whereToFind:
+            'These values are automatically generated by RDS and only stored in AWS Secrets Manager.',
+        adapterConfig: {
+            aws: {
+                rootOf: 'prod/DatabaseCredentials',
+            },
+        },
+        shape: {
+            password: '',
+            dbname: '',
+            port: -1,
+            host: '',
+            username: '',
+        },
+    },
+    stripeSecret: {
+        description: 'Keys for accessing and authenticating with Stripe.',
+        whereToFind: 'Navigate to Developers > API keys > Standard keys > Secret key.',
+        adapterConfig: {
+            aws: {
+                keyIn: 'prod/BackendSecrets',
+            },
+        },
+    },
+    adminPassword: {
+        description:
+            'Password required by the admin to access sensitive information on the website.',
+        whereToFind: 'This is randomly generated and stored in AWS Secrets Manager.',
+        adapterConfig: {
+            aws: {
+                keyIn: 'prod/BackendSecrets',
+            },
+        },
+        shape: rotatableSecretShape,
+    },
+});
+```
+
+Second, choose your secrets adapters:
+
+-   [`AwsSecretsManagerAdapter`](https://electrovir.github.io/updating-secrets/classes/AwsSecretsManagerAdapter.html): loads secrets from AWS Secrets Manager.
+-   [`SecretsJsonFileAdapter`](https://electrovir.github.io/updating-secrets/classes/SecretsJsonFileAdapter.html): loads secrets from a JSON file.
+-   [`StaticSecretsAdapter`](https://electrovir.github.io/updating-secrets/classes/StaticSecretsAdapter.html): allows you to define all secrets values in-place.
+
+Or create your own:
+
+<!-- example-link: src/examples/custom-adapter.example.ts -->
+
+```TypeScript
+import {BaseSecretsAdapter, type ProcessedSecretDefinitions} from 'updating-secrets';
+
+export class MyCustomSecretsAdapter extends BaseSecretsAdapter {
+    constructor() {
+        super('MyCustomSecretsAdapter');
+    }
+
+    public override loadSecrets(secrets: Readonly<ProcessedSecretDefinitions>) {
+        // load secrets here
+        return {};
+    }
+}
+```
+
+Lastly, create an instance of [`UpdatingSecrets`](https://electrovir.github.io/updating-secrets/classes/UpdatingSecrets.html) (with [`createUpdatingSecrets`](https://electrovir.github.io/updating-secrets/functions/createUpdatingSecrets.html)):
+
+<!-- example-link: src/examples/updating-secrets.example.ts -->
+
+```TypeScript
+import {SecretsManager} from '@aws-sdk/client-secrets-manager';
+import {AwsSecretsManagerAdapter, createUpdatingSecrets} from 'updating-secrets';
+import {mySecrets} from './define-secrets.example.js';
+
+const updatingSecrets = await createUpdatingSecrets(mySecrets, [
+    new AwsSecretsManagerAdapter(
+        new SecretsManager({
+            region: 'us-east-1',
+        }),
+    ),
+]);
+```
+
+#### Rotatable secrets
+
+To create a seamlessly rotatable secret, use [`rotatableSecretShape`](https://electrovir.github.io/updating-secrets/variables/rotatableSecretShape.html) in the secret definition's shape property, either as the root (`shape: rotatableSecretShape`) or as a sub-property (`secret: {id: '', secret: rotatableSecretShape}`).
+
+Use this secret in the following way:
+
+-   always store the secret with JSON like `{current: 'latest-value'}`
+-   when rotation is needed, move the old value to the `legacy` property: `{current: 'new-value', legacy: 'old-value'}`
+-   in your code, always access the secret `.current`
+-   if you need to compare a third party's usage of the secret (for example, if the secret is an API key that you distributed to them), use [`UpdatingSecrets.compareRotatableSecret()`](https://electrovir.github.io/updating-secrets/classes/UpdatingSecrets.html#comparerotatablesecret) to allow both the current and the legacy secret to pass comparisons:
+    ```ts
+    // assuming the `apiKey` secret is defined with `shape: rotatableSecretShape`
+    updatingSecrets.compareRotatableSecret(request.headers.apiKey, updatingSecrets.get.apiKey);
+    ```

package/dist/adapters/all-adapters.d.ts

@@ -0,0 +1,13 @@
+import { AwsSecretsManagerAdapter } from './aws-secrets-manager.adapter.js';
+import { SecretsJsonFileAdapter } from './secrets-json-file.adapter.js';
+import { StaticSecretsAdapter } from './static-secrets.adapter.js';
+/**
+ * All built-in secrets adapters.
+ *
+ * @category Internal
+ */
+export declare const allSecretAdapters: {
+    AwsSecretsManagerAdapter: typeof AwsSecretsManagerAdapter;
+    SecretsJsonFileAdapter: typeof SecretsJsonFileAdapter;
+    StaticSecretsAdapter: typeof StaticSecretsAdapter;
+};

package/dist/adapters/all-adapters.js

@@ -0,0 +1,13 @@
+import { AwsSecretsManagerAdapter } from './aws-secrets-manager.adapter.js';
+import { SecretsJsonFileAdapter } from './secrets-json-file.adapter.js';
+import { StaticSecretsAdapter } from './static-secrets.adapter.js';
+/**
+ * All built-in secrets adapters.
+ *
+ * @category Internal
+ */
+export const allSecretAdapters = {
+    AwsSecretsManagerAdapter,
+    SecretsJsonFileAdapter,
+    StaticSecretsAdapter,
+};

package/dist/adapters/aws-secrets-manager.adapter.d.ts

@@ -0,0 +1,32 @@
+import { GetSecretValueCommandOutput, type GetSecretValueCommand } from '@aws-sdk/client-secrets-manager';
+import { ProcessedSecretDefinitions } from '../secrets-definition/define-secrets.js';
+import { BaseSecretsAdapter } from './base.adapter.js';
+/**
+ * Minimal subset of AWS's `SecretsManagerClient` from the
+ * [`@aws-sdk/client-secrets-manager`](https://www.npmjs.com/package/@aws-sdk/client-secrets-manager)
+ * package required for {@link AwsSecretsManagerAdapter}.
+ *
+ * For testing purposes use `MockAwsSecretsManagerClient` to create a mock instance of this.
+ *
+ * @category Internal
+ */
+export type NeededAwsSecretsManagerClient = {
+    /**
+     * Same as AWS's `SecretsManagerClient.send()` method but this only accepts the
+     * `GetSecretValueCommand` command.
+     */
+    send(command: GetSecretValueCommand): Promise<GetSecretValueCommandOutput>;
+};
+/**
+ * Loads secrets from AWS Secrets Manager. A `SecretsManagerClient` instance must be provided.
+ *
+ * @category Adapters
+ */
+export declare class AwsSecretsManagerAdapter extends BaseSecretsAdapter {
+    protected readonly awsSecretsManager: Readonly<NeededAwsSecretsManagerClient>;
+    constructor(awsSecretsManager: Readonly<NeededAwsSecretsManagerClient>);
+    /** Loads secrets from the provided `SecretsManagerClient`. */
+    loadSecrets(secrets: ProcessedSecretDefinitions): Promise<{
+        [x: string]: Error | Promise<any>;
+    }>;
+}

package/dist/adapters/aws-secrets-manager.adapter.js

@@ -0,0 +1,71 @@
+import { assert } from '@augment-vir/assert';
+import { ensureError, getOrSet, mapObjectValuesSync, parseWithJson5, wrapInTry, } from '@augment-vir/common';
+import { BaseSecretsAdapter } from './base.adapter.js';
+/**
+ * Loads secrets from AWS Secrets Manager. A `SecretsManagerClient` instance must be provided.
+ *
+ * @category Adapters
+ */
+export class AwsSecretsManagerAdapter extends BaseSecretsAdapter {
+    awsSecretsManager;
+    constructor(awsSecretsManager) {
+        super('AwsSecretsManagerAdapter');
+        this.awsSecretsManager = awsSecretsManager;
+    }
+    /** Loads secrets from the provided `SecretsManagerClient`. */
+    async loadSecrets(secrets) {
+        /* node:coverage ignore next 1: dynamic imports are not branches */
+        const { GetSecretValueCommand } = await import('@aws-sdk/client-secrets-manager');
+        const cachedSecrets = {};
+        return mapObjectValuesSync(secrets, (secretName, secretDefinition) => {
+            const awsConfig = secretDefinition.adapterConfig.aws;
+            if (!awsConfig) {
+                return new Error(`No AWS adapter config (required for using AwsSecretsManagerAdapter) defined for secret '${secretDefinition.secretName}'.`);
+            }
+            const awsSecretName = awsConfig.keyIn || awsConfig.rootOf;
+            if (!awsSecretName) {
+                return new Error(`Invalid AWS adapter key config for '${secretDefinition.secretName}'.`);
+            }
+            const secretValue = getOrSet(cachedSecrets, awsSecretName, () => {
+                const sendCommand = new GetSecretValueCommand({
+                    SecretId: awsSecretName,
+                });
+                return this.awsSecretsManager.send(sendCommand).then((result) => {
+                    try {
+                        const secretValue = result.SecretString;
+                        if (secretValue) {
+                            return wrapInTry(() => parseWithJson5(secretValue), {
+                                fallbackValue: secretValue,
+                            });
+                        }
+                        else {
+                            throw new Error(`AWS SecretsManager secret '${awsSecretName}' has no string value.`);
+                        }
+                    }
+                    catch (error) {
+                        return ensureError(error);
+                    }
+                });
+            });
+            return secretValue
+                .then((awsSecretValue) => {
+                if (awsSecretValue instanceof Error) {
+                    throw awsSecretValue;
+                }
+                else if (awsConfig.keyIn) {
+                    assert.isObject(awsSecretValue, `AWS secret at '${awsSecretName}' is not an object.`);
+                    return awsSecretValue[secretDefinition.secretName];
+                }
+                else if (secretDefinition.shapeDefinition) {
+                    return wrapInTry(() => parseWithJson5(awsSecretValue), {
+                        fallbackValue: awsSecretValue,
+                    });
+                }
+                else {
+                    return awsSecretValue;
+                }
+            })
+                .catch((reason) => ensureError(reason));
+        });
+    }
+}

package/dist/adapters/base.adapter.d.ts

@@ -0,0 +1,31 @@
+import type { JsonCompatibleValue, MaybePromise } from '@augment-vir/common';
+import { ProcessedSecretDefinitions } from '../secrets-definition/define-secrets.js';
+/**
+ * Raw secret values as returned by an adapter's `loadSecrets` method.
+ *
+ * @category Internal
+ */
+export type RawSecrets = {
+    [SecretName in string]: MaybePromise<JsonCompatibleValue | Error>;
+};
+/**
+ * This is the base secrets adapter class. This doesn't actually connect to anything. Only use it as
+ * a base class for adapters that _do_ connect to something.
+ *
+ * @category Internal
+ */
+export declare class BaseSecretsAdapter {
+    readonly adapterName: string;
+    constructor(adapterName: string);
+    /**
+     * Load secrets from the adapter. This base implementation should never be used and, thus,
+     * simply throws an error. It is expected that this class will be extended by actual adapters
+     * and this method will be overridden.
+     */
+    loadSecrets(secrets: Readonly<ProcessedSecretDefinitions>): MaybePromise<RawSecrets>;
+    /**
+     * Clean up all resources created by the adapter. This should not cause the adapter to destroy
+     * any resources passed to it in its constructor.
+     */
+    destroy(): void;
+}

package/dist/adapters/base.adapter.js

@@ -0,0 +1,29 @@
+/**
+ * This is the base secrets adapter class. This doesn't actually connect to anything. Only use it as
+ * a base class for adapters that _do_ connect to something.
+ *
+ * @category Internal
+ */
+export class BaseSecretsAdapter {
+    adapterName;
+    constructor(adapterName) {
+        this.adapterName = adapterName;
+        if (!adapterName) {
+            throw new Error(`Cannot have empty adapter name in '${this.constructor.name}'.`);
+        }
+    }
+    /**
+     * Load secrets from the adapter. This base implementation should never be used and, thus,
+     * simply throws an error. It is expected that this class will be extended by actual adapters
+     * and this method will be overridden.
+     */
+    // eslint-disable-next-line @typescript-eslint/no-unused-vars
+    loadSecrets(secrets) {
+        throw new Error('Do not try to load secrets from the base secrets adapter.');
+    }
+    /**
+     * Clean up all resources created by the adapter. This should not cause the adapter to destroy
+     * any resources passed to it in its constructor.
+     */
+    destroy() { }
+}

package/dist/adapters/secrets-json-file.adapter.d.ts

@@ -0,0 +1,51 @@
+import { type MaybePromise, type PartialWithUndefined } from '@augment-vir/common';
+import type { SecretDefinitions, SecretValues } from '../secrets-definition/define-secrets.js';
+import { BaseSecretsAdapter } from './base.adapter.js';
+/**
+ * Options for {@link SecretsJsonFileAdapter}.
+ *
+ * @category Internal
+ */
+export type SecretsJsonFileAdapterOptions<Secrets extends SecretDefinitions = any> = {
+    /**
+     * Optional override for Node.js's `fs` for mocking, testing, or other purposes.
+     *
+     * @default import * as fs from 'node:fs';
+     */
+    fsOverride: {
+        /** `'node:fs/promises'` */
+        promises: {
+            /** `readFile` from `'node:fs/promises'` */
+            readFile: (filePath: string) => Promise<string | Buffer>;
+            /** `writeFile` from `'node:fs/promises'` */
+            writeFile: (filePath: string, contents: string | Buffer) => Promise<void>;
+        };
+        /** `existsSync` from `'node:fs'` */
+        existsSync: (filePath: string) => boolean;
+    };
+    /**
+     * Optional function that will automatically generate and save new secrets if the JSON file is
+     * missing. This is particularly useful for dev or testing environments.
+     */
+    generateValues: (() => MaybePromise<SecretValues<Secrets>>) | undefined;
+};
+/**
+ * Loads all secrets from a single JSON file. This should rarely be used in production environments.
+ * Make sure that your secrets JSON file is not committed to your source code.
+ *
+ * This will not error out if any secrets are missing, but since `UpdatingSecrets` itself will, it's
+ * recommended to set the `lazyFailure` option on `UpdatingSecrets` when using this adapter (or use
+ * other adapters as well).
+ *
+ * @category Adapters
+ */
+export declare class SecretsJsonFileAdapter<const Secrets extends SecretDefinitions = any> extends BaseSecretsAdapter {
+    /** Path to the JSON */
+    protected readonly jsonFilePath: string;
+    protected readonly options: SecretsJsonFileAdapterOptions;
+    constructor(
+    /** Path to the JSON */
+    jsonFilePath: string, options?: PartialWithUndefined<SecretsJsonFileAdapterOptions<Secrets>>);
+    /** Loads secrets from the given JSON file path. */
+    loadSecrets(): Promise<any>;
+}

package/dist/adapters/secrets-json-file.adapter.js

@@ -0,0 +1,49 @@
+import { mergeDefinedProperties, parseWithJson5, } from '@augment-vir/common';
+import { existsSync as existsSyncImport } from 'node:fs';
+import { readFile as readFileImport, writeFile as writeFileImport } from 'node:fs/promises';
+import { BaseSecretsAdapter } from './base.adapter.js';
+const defaultSecretsJsonFileAdapterOptions = {
+    fsOverride: {
+        existsSync: existsSyncImport,
+        promises: {
+            readFile: readFileImport,
+            writeFile: writeFileImport,
+        },
+    },
+    generateValues: undefined,
+};
+/**
+ * Loads all secrets from a single JSON file. This should rarely be used in production environments.
+ * Make sure that your secrets JSON file is not committed to your source code.
+ *
+ * This will not error out if any secrets are missing, but since `UpdatingSecrets` itself will, it's
+ * recommended to set the `lazyFailure` option on `UpdatingSecrets` when using this adapter (or use
+ * other adapters as well).
+ *
+ * @category Adapters
+ */
+export class SecretsJsonFileAdapter extends BaseSecretsAdapter {
+    jsonFilePath;
+    options;
+    constructor(
+    /** Path to the JSON */
+    jsonFilePath, options = {}) {
+        super('SecretsJsonFileAdapter');
+        this.jsonFilePath = jsonFilePath;
+        this.options = mergeDefinedProperties(defaultSecretsJsonFileAdapterOptions, options);
+    }
+    /** Loads secrets from the given JSON file path. */
+    async loadSecrets() {
+        if (!this.options.fsOverride.existsSync(this.jsonFilePath)) {
+            if (this.options.generateValues) {
+                const newSecrets = await this.options.generateValues();
+                await this.options.fsOverride.promises.writeFile(this.jsonFilePath, JSON.stringify(newSecrets));
+            }
+            else {
+                throw new Error(`Missing secrets JSON file at '${this.jsonFilePath}'`);
+            }
+        }
+        const fileContents = String(await this.options.fsOverride.promises.readFile(this.jsonFilePath));
+        return parseWithJson5(fileContents);
+    }
+}

package/dist/adapters/static-secrets.adapter.d.ts

@@ -0,0 +1,23 @@
+import type { JsonCompatibleValue } from '@augment-vir/common';
+import { BaseSecretsAdapter } from './base.adapter.js';
+/**
+ * This adapter is constructed with a static set of secrets and that static set of secrets is always
+ * directly returned when loading secrets.
+ *
+ * This is primarily designed for the following use cases:
+ *
+ * - Providing default values for secrets, which are intended to be overridden in following adapters
+ *   (in the adapters array given to an instance of `UpdatingSecrets`).
+ * - Setting mock secret values for testing purposes.
+ *
+ * @category Adapters
+ */
+export declare class StaticSecretsAdapter extends BaseSecretsAdapter {
+    /** Static secrets that will always be directly returned as the latest set of loaded secrets. */
+    protected readonly staticSecrets: Record<string, JsonCompatibleValue>;
+    constructor(
+    /** Static secrets that will always be directly returned as the latest set of loaded secrets. */
+    staticSecrets: Record<string, JsonCompatibleValue>);
+    /** Directly returns the static secrets given. */
+    loadSecrets(): Record<string, JsonCompatibleValue>;
+}

package/dist/adapters/static-secrets.adapter.js

@@ -0,0 +1,26 @@
+import { BaseSecretsAdapter } from './base.adapter.js';
+/**
+ * This adapter is constructed with a static set of secrets and that static set of secrets is always
+ * directly returned when loading secrets.
+ *
+ * This is primarily designed for the following use cases:
+ *
+ * - Providing default values for secrets, which are intended to be overridden in following adapters
+ *   (in the adapters array given to an instance of `UpdatingSecrets`).
+ * - Setting mock secret values for testing purposes.
+ *
+ * @category Adapters
+ */
+export class StaticSecretsAdapter extends BaseSecretsAdapter {
+    staticSecrets;
+    constructor(
+    /** Static secrets that will always be directly returned as the latest set of loaded secrets. */
+    staticSecrets) {
+        super('StaticSecretsAdapter');
+        this.staticSecrets = staticSecrets;
+    }
+    /** Directly returns the static secrets given. */
+    loadSecrets() {
+        return this.staticSecrets;
+    }
+}

package/dist/index.d.ts

@@ -0,0 +1,10 @@
+export * from './adapters/all-adapters.js';
+export * from './adapters/aws-secrets-manager.adapter.js';
+export * from './adapters/base.adapter.js';
+export * from './adapters/secrets-json-file.adapter.js';
+export * from './adapters/static-secrets.adapter.js';
+export * from './public-mocks/mock-aws-secrets-manager.js';
+export * from './public-mocks/mock-fs.js';
+export * from './secret-load.error.js';
+export * from './secrets-definition/define-secrets.js';
+export * from './updating-secrets.js';

package/dist/index.js

@@ -0,0 +1,10 @@
+export * from './adapters/all-adapters.js';
+export * from './adapters/aws-secrets-manager.adapter.js';
+export * from './adapters/base.adapter.js';
+export * from './adapters/secrets-json-file.adapter.js';
+export * from './adapters/static-secrets.adapter.js';
+export * from './public-mocks/mock-aws-secrets-manager.js';
+export * from './public-mocks/mock-fs.js';
+export * from './secret-load.error.js';
+export * from './secrets-definition/define-secrets.js';
+export * from './updating-secrets.js';