
[DEV-140033] retrieve secrets based on dotenv files with sm:// paths #53

Merged
tonitienda-rovtech merged 15 commits into master from DEV-140033-env-files
Mar 5, 2026

Conversation

@tonitienda-rovtech (Contributor) commented Mar 2, 2026

Summary

Adds support for .env file sources with automatic AWS Secrets Manager resolution. Users can now reference secrets directly in env files using sm:// paths, and snagsby will automatically fetch and inject the secret values.

What Changed

New Feature: EnvFileResolver

  • Added EnvFileResolver to support file:// scheme sources
  • Parses standard .env file format (KEY=value pairs)
  • Automatically resolves values prefixed with sm:// from AWS Secrets Manager
  • Supports comments (#) and inline comments
  • Preserves original file order in output

Usage Example

# Create an env file with secret references
cat > app.env << 'HEREDOC'
DATABASE_URL=sm://prod/db/connection-string
API_KEY=sm://prod/api/key
LOG_LEVEL=info
HEREDOC

# Snagsby will fetch secrets and export all values
./snagsby "file://./app.env?region=us-west-2"

Code Quality Improvements (from PR review)

Following TDD methodology, added tests first to demonstrate issues, then fixed the code:

1. Empty Key Validation

  • Issue: Lines like =value were silently skipped without error
  • Fix: Now returns error for malformed lines with empty keys
  • Location: pkg/resolvers/envfile.go:47-49

2. Duplicate Key Detection with Normalization

  • Issue: Keys like foo-bar and FOO_BAR weren't caught as duplicates, causing silent overwrites
  • Fix: Normalize keys (uppercase + replace non-word chars) before duplicate checking to match final output
  • Location: pkg/resolvers/envfile.go:54-83

3. Secret Key Deduplication

  • Issue: Multiple env vars pointing to same sm:// path caused redundant API calls
  • Fix: Deduplicate secret paths before calling GetSecrets to reduce AWS API load
  • Location: pkg/resolvers/envfile.go:117-120

4. Relative File Path Support

  • Issue: Relative paths like file://./pre-cache.env were incorrectly parsed
  • Fix: Properly handle URL parsing for relative paths (., .., simple filenames)
  • Location: pkg/resolvers/envfile.go:27-38

5. Test Coverage

  • Added assertions for expectedSecretsRequested to verify secret resolution behavior
  • Added file:// scheme test to TestResolveSource
  • Added comprehensive tests for edge cases (empty keys, normalization, deduplication)

Testing

All changes follow TDD - tests written first to fail, then code fixed:

go test ./pkg/resolvers/...
# All 40+ tests pass

Files Changed

  • pkg/resolvers/envfile.go - New resolver implementation
  • pkg/resolvers/envfile_test.go - Comprehensive test coverage
  • pkg/resolvers/resolvers.go - Added file scheme routing
  • pkg/resolvers/resolvers_test.go - Added file scheme test
  • pkg/connectors/secretsmanager.go - Exposed GetSecrets method
  • pkg/connectors/testing/mocks.go - Added mock connector for testing

Related

Closes DEV-140033
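The parsing and resolution rules described in the PR (comment handling, empty-key rejection, duplicate detection on normalized keys, one de-duplicated secret lookup, file-order output) worked through as an added Go example. This is not snagsby's own code: `SecretFetcher`, `ParseEnv`, `Resolve`, `CountingFetcher` and the sample env text are hypothetical stand-ins constructed for illustration, and the inline-comment rule (a comment starts at ` #` outside a quoted value) is an assumption, not something the PR specifies.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// SecretFetcher is a hypothetical interface standing in for the Secrets
// Manager connector; it returns one value per requested path.
type SecretFetcher interface {
	GetSecrets(paths []string) (map[string]string, error)
}

// Entry is one KEY=value pair, kept in file order.
type Entry struct {
	Key, Value string
}

var nonWord = regexp.MustCompile(`[^A-Z0-9_]`)

// normalizeKey applies the PR's rule: uppercase, then replace non-word
// characters with '_', so "foo-bar" and "FOO_BAR" become the same key.
func normalizeKey(k string) string {
	return nonWord.ReplaceAllString(strings.ToUpper(k), "_")
}

// stripInlineComment drops a trailing " # ..." comment. Quoted values are kept
// verbatim (assumption: '#' inside quotes is data, not a comment).
func stripInlineComment(v string) string {
	v = strings.TrimSpace(v)
	if strings.HasPrefix(v, `"`) || strings.HasPrefix(v, `'`) {
		return v
	}
	if i := strings.Index(v, " #"); i >= 0 {
		return strings.TrimSpace(v[:i])
	}
	return v
}

// ParseEnv turns dotenv text into ordered entries, failing on lines with an
// empty key and on keys that collide after normalization.
func ParseEnv(text string) ([]Entry, error) {
	var out []Entry
	seen := map[string]int{} // normalized key -> first line number
	sc := bufio.NewScanner(strings.NewReader(text))
	lineNo := 0
	for sc.Scan() {
		lineNo++
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue // blank line or full-line comment
		}
		k, v, ok := strings.Cut(line, "=")
		if !ok {
			return nil, fmt.Errorf("line %d: expected KEY=value", lineNo)
		}
		key := normalizeKey(strings.TrimSpace(k))
		if key == "" {
			return nil, fmt.Errorf("line %d: empty key", lineNo)
		}
		if prev, dup := seen[key]; dup {
			return nil, fmt.Errorf("line %d: duplicate key %q (first on line %d)", lineNo, key, prev)
		}
		seen[key] = lineNo
		out = append(out, Entry{Key: key, Value: stripInlineComment(v)})
	}
	return out, sc.Err()
}

// Resolve replaces every sm:// value with the fetched secret, issuing a single
// GetSecrets call over the de-duplicated set of paths. Output order is preserved.
func Resolve(entries []Entry, f SecretFetcher) ([]Entry, error) {
	var paths []string
	uniq := map[string]bool{}
	for _, e := range entries {
		if strings.HasPrefix(e.Value, "sm://") {
			if p := strings.TrimPrefix(e.Value, "sm://"); !uniq[p] {
				uniq[p] = true
				paths = append(paths, p)
			}
		}
	}
	secrets := map[string]string{}
	if len(paths) > 0 {
		var err error
		if secrets, err = f.GetSecrets(paths); err != nil {
			return nil, err
		}
	}
	resolved := make([]Entry, 0, len(entries))
	for _, e := range entries {
		if strings.HasPrefix(e.Value, "sm://") {
			p := strings.TrimPrefix(e.Value, "sm://")
			val, found := secrets[p]
			if !found {
				return nil, fmt.Errorf("secret %q for key %s was not returned", p, e.Key)
			}
			e.Value = val
		}
		resolved = append(resolved, e)
	}
	return resolved, nil
}

// CountingFetcher is a constructed in-memory stand-in for AWS Secrets Manager
// that records how many calls it received and which paths were requested.
type CountingFetcher struct {
	Store map[string]string
	Calls int
	Asked []string
}

func (c *CountingFetcher) GetSecrets(paths []string) (map[string]string, error) {
	c.Calls++
	c.Asked = append(c.Asked, paths...)
	out := map[string]string{}
	for _, p := range paths {
		if v, ok := c.Store[p]; ok {
			out[p] = v
		}
	}
	return out, nil
}

// sample is constructed input mirroring the PR's usage example, plus a
// second variable that reuses the same secret path.
const sample = `# constructed sample env file
DATABASE_URL=sm://prod/db/connection-string
api-key=sm://prod/api/key
BACKUP_URL=sm://prod/db/connection-string # same secret, fetched once
LOG_LEVEL=info
`

func main() {
	entries, err := ParseEnv(sample)
	if err != nil {
		panic(err)
	}
	f := &CountingFetcher{Store: map[string]string{
		"prod/db/connection-string": "postgres://example", "prod/api/key": "k-constructed"}}
	resolved, err := Resolve(entries, f)
	if err != nil {
		panic(err)
	}
	for _, e := range resolved {
		fmt.Printf("export %s=%q\n", e.Key, e.Value)
	}
	fmt.Printf("GetSecrets calls: %d, paths requested: %v\n", f.Calls, f.Asked)
}
```

Running it prints the four exports in file order with `api-key` already normalized to `API_KEY`, and shows a single `GetSecrets` call carrying two paths even though three variables reference secrets. Feeding `=value` or `foo-bar=1` followed by `FOO_BAR=2` to `ParseEnv` returns an error instead of silently dropping or overwriting a key, which is the behaviour items 1 and 2 of the PR describe.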


5 participants