| import type { OpenSkynetConfig } from "../config/config.js"; | |
| import type { SecretRef } from "../config/types.secrets.js"; | |
/**
 * Splits secret references into those that may be resolved and those held
 * back by the exec policy.
 *
 * A ref is held back only when its `source` is `"exec"` and `allowExec` is
 * falsy; every other ref is passed through for resolution. Held-back refs are
 * returned in their own list rather than dropped, so the caller can surface
 * them (for example via `getSkippedExecRefStaticError`) instead of treating
 * them as absent.
 *
 * NOTE(review): presumably an "exec" ref is resolved by running an external
 * command, which is why it is gated — confirm against the resolver.
 *
 * @param params.refs - References to classify; input order is preserved in
 *   both output lists.
 * @param params.allowExec - When true, exec-backed refs are resolved like any
 *   other ref and `skippedExecRefs` comes back empty.
 * @returns The refs to resolve and the exec refs that were skipped.
 */
export function selectRefsForExecPolicy(params: { refs: SecretRef[]; allowExec: boolean }): {
  refsToResolve: SecretRef[];
  skippedExecRefs: SecretRef[];
} {
  const resolvable: SecretRef[] = [];
  const blocked: SecretRef[] = [];
  const execPermitted = params.allowExec;

  for (const candidate of params.refs) {
    // Only the combination "exec source + exec not permitted" is withheld.
    const bucket = candidate.source === "exec" && !execPermitted ? blocked : resolvable;
    bucket.push(candidate);
  }

  return { refsToResolve: resolvable, skippedExecRefs: blocked };
}
/**
 * Builds the fixed explanation reported for an exec-backed ref that was not
 * resolved during an audit run.
 *
 * The message names the ref by `provider` and `id` only.
 * NOTE(review): assumes `provider`/`id` are identifiers rather than secret
 * material and are safe to show in audit output — confirm.
 *
 * @param params.ref - The reference that was skipped.
 * @param params.config - Accepted but not consulted; the value is only
 *   evaluated and discarded.
 * @returns The explanatory message when `ref.source` is `"exec"`, otherwise
 *   `null`.
 */
export function getSkippedExecRefStaticError(params: {
  ref: SecretRef;
  config: OpenSkynetConfig;
}): string | null {
  // Touch the unused parameter explicitly so it stays part of the signature.
  void params.config;

  const { ref } = params;
  return ref.source === "exec"
    ? `Exec SecretRef ${ref.provider}/${ref.id} was skipped because exec-backed secret resolution is disabled for this audit run.`
    : null;
}