feat(fn-secrets): add package for resolving function secrets from database

[theothersideofgod]

Summary

• Add @constructive-io/fn-secrets package for resolving encrypted secrets at runtime via GraphQL
• Supports per-tenant secret overrides with fallback to global defaults

Changes

Commit 1: feat(fn-secrets): add package

• resolveSecrets(context, functionName) — returns SecretsMap for easy use
• resolveSecretsRaw(options) — returns full secret details with source
• 10 unit tests covering all error cases

Commit 2: refactor(fn-secrets): reuse context.client

• resolveSecrets() now uses context.client with per-request header override
• Add schemata option for custom schema access (default: infra_private,infra_public)
• resolveSecretsRaw() still creates standalone client for direct usage
• 11 tests total (added header override verification)

API

import { resolveSecrets } from '@constructive-io/fn-secrets';

// In a function handler:
const secrets = await resolveSecrets(context, 'send-sms');
// → { TWILIO_ACCOUNT_SID: 'AC...', TWILIO_AUTH_TOKEN: '...' }

// With custom options:
const secrets = await resolveSecrets(context, 'send-sms', {
  schemata: 'custom_private,custom_public'
});

Test Plan

• Unit tests pass (11 tests)
• Integration test with live GraphQL server
• Verify secret resolution for send-sms function

---

🤖 Generated with Claude Code

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm/​@​agentic-kit/​ollama@​1.2.0
	npm/​makage@​0.3.0
	npm/​@​constructive-io/​graphql-query@​3.25.5

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm markdown-it is 91.0% likely obfuscated Confidence: 0.91 Location: Package overview From: pnpm-lock.yaml → npm/markdown-it@14.1.1 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/markdown-it@14.1.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[pyramation]

we don't use dist/ like this! see our pnpm constructive-skills

and fix ALL packages that do this please

[pyramation]

where is this even a real GraphQL option in our code?

[pyramation]

why is this .cjs? can it be like our other packages in other repos?

[theothersideofgod]

Thanks for the review! Fixed in bec6bf7:

1. package.json structure ✅

• Changed to dist-folder publishing pattern per constructive-pnpm skill
• main: "index.js", types: "index.d.ts", publishConfig.directory: "dist"
• Switched to makage build

2. GraphQL queries ✅

• defaultFunctionDefinitions exists: constructive-db/packages/infra/schemas/infra_public/tables/default_function_definitions/
• resolveFunctionSecrets exists: constructive-db/packages/infra-secrets/schemas/infra_private/procedures/resolve_function_secrets.sql

3. jest.config.cjs → jest.config.js ✅

• Renamed to match ecosystem pattern