feat(fn-secrets): add package for resolving function secrets from database #48

Open: theothersideofgod wants to merge 1 commit into main from feat/fn-secrets-package

@theothersideofgod
Contributor

Summary

Adds @constructive-io/fn-secrets package that enables cloud functions to resolve encrypted secrets at runtime via GraphQL instead of relying on environment variables.

  • resolveSecrets(context, functionName) - Returns Record<string, string> of resolved secrets
  • resolveSecretsRaw(options) - Returns full details including secretSource (database/global)

Motivation

Cloud functions need access to secrets (e.g., Twilio credentials) that:

  1. May differ per-tenant (database-scoped overrides)
  2. Should be stored encrypted in database, not in env vars
  3. Need fallback to global defaults when tenant-specific not set

How it works

```ts
import { resolveSecrets } from '@constructive-io/fn-secrets';

const handler = async (params, context) => {
  const secrets = await resolveSecrets(context, 'send-sms');
  // secrets = { TWILIO_ACCOUNT_SID: '...', TWILIO_AUTH_TOKEN: '...' }
};
```

Internally:

  1. Creates GraphQL client with X-Database-Id and X-Schemata: infra_private,infra_public
  2. Looks up function ID from default_function_definitions
  3. Calls resolveFunctionSecrets() which checks:
    • namespace = database_id (tenant-specific) first
    • Falls back to namespace = 'default' (global)

Files

| File | Description |
| --- | --- |
| src/resolve.ts | Core resolution logic |
| src/types.ts | TypeScript types |
| src/index.ts | Public exports |
| __tests__/resolve.test.ts | 10 unit tests |

Test plan

  • pnpm test - 10 tests passing
  • pnpm build - TypeScript compiles
  • Integration test with live database (future PR)

🤖 Generated with Claude Code
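
The lookup order described under "How it works" (namespace = database_id first, then namespace = 'default'), as an added example that is not code from this PR or from the fn-secrets package. The row shape, the names `resolveForTenant`, `findRow` and `describeSources`, per-key fallback, and the sample rows are assumptions.

```typescript
// Added example, not code from the PR. Row shape and per-key fallback are assumptions.
type SecretSource = 'database' | 'global';
interface SecretRow { functionId: string; namespace: string; name: string; value: string }
interface ResolvedSecret { name: string; value: string; secretSource: SecretSource }

const GLOBAL_NAMESPACE = 'default';

// Constructed sample rows; values are placeholders, assumed already decrypted.
const SAMPLE_ROWS: SecretRow[] = [
  { functionId: 'fn-send-sms', namespace: 'default', name: 'TWILIO_ACCOUNT_SID', value: 'global-sid' },
  { functionId: 'fn-send-sms', namespace: 'default', name: 'TWILIO_AUTH_TOKEN', value: 'global-token' },
  { functionId: 'fn-send-sms', namespace: 'db-tenant-a', name: 'TWILIO_ACCOUNT_SID', value: 'tenant-a-sid' },
];

function findRow(rows: SecretRow[], functionId: string, namespace: string, name: string): SecretRow | undefined {
  for (let i = 0; i < rows.length; i++) {
    const r = rows[i];
    if (r.functionId === functionId && r.namespace === namespace && r.name === name) return r;
  }
  return undefined;
}

function resolveForTenant(rows: SecretRow[], functionId: string, databaseId: string, required: string[]): ResolvedSecret[] {
  // Reject an empty id or one equal to the global namespace: otherwise the
  // tenant lookup would read global rows and report them as tenant-scoped.
  if (!databaseId || databaseId === GLOBAL_NAMESPACE) throw new Error('invalid database id');
  const out: ResolvedSecret[] = [];
  for (let i = 0; i < required.length; i++) {
    const name = required[i];
    const tenantRow = findRow(rows, functionId, databaseId, name);
    const row = tenantRow || findRow(rows, functionId, GLOBAL_NAMESPACE, name);
    // Fail closed and name only the key; never put a value in an error or log line.
    if (!row) throw new Error('secret not configured: ' + name);
    out.push({ name: name, value: row.value, secretSource: tenantRow ? 'database' : 'global' });
  }
  return out;
}

// Redacted view for audit logs: key names and where each came from, no values.
function describeSources(resolved: ResolvedSecret[]): string {
  return resolved.map(function (s) { return s.name + '=' + s.secretSource; }).join(',');
}
```

Logging the output of `describeSources` shows when a tenant is running on global credentials without exposing any secret value.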

…abase

Adds @constructive-io/fn-secrets package that enables cloud functions to
resolve encrypted secrets at runtime via GraphQL. Supports per-tenant
secret overrides with fallback to global defaults.

- resolveSecrets(context, functionName) - returns SecretsMap
- resolveSecretsRaw() - returns full secret details with source
- 10 unit tests covering all error cases

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>