Merge branch 'jill/validate-secret-reference' into jill/migrate-to-connect-sdk

src/utils.test.ts

@@ -549,7 +549,7 @@ describe("loadSecrets when using Service Account", () => {
 
 	describe("secret reference validation", () => {
 		it("fails with clear message when a secret reference is invalid", async () => {
-			process.env.MY_SECRET = "op://invalid/ref/form";
+			process.env.MY_SECRET = "op://x";
 			(Secrets.validateSecretReference as jest.Mock).mockImplementationOnce(
 				() => {
 					throw new Error("invalid reference format");
@@ -572,7 +572,6 @@ describe("loadSecrets when using Service Account", () => {
 					}
 				},
 			);
-			mockResolve.mockResolvedValue("value1");
 
 			await expect(loadSecrets(false)).rejects.toThrow(
 				"Invalid secret reference(s): OTHER",

src/utils.ts

@@ -281,7 +281,7 @@ export const getEnvVarNamesWithSecretRefs = (): string[] =>
 	);
 
 const validateSecretRefs = (envNames: string[]): void => {
-	const invalid: string[] = [];
+	const invalid: { name: string; message: string }[] = [];
 
 	for (const envName of envNames) {
 		const ref = process.env[envName];
@@ -291,15 +291,16 @@ const validateSecretRefs = (envNames: string[]): void => {
 
 		try {
 			Secrets.validateSecretReference(ref);
-		} catch {
-			invalid.push(envName);
+		} catch (err) {
+			const message = err instanceof Error ? err.message : String(err);
+			invalid.push({ name: envName, message });
 		}
 	}
 
 	// Throw an error if any secret references are invalid
 	if (invalid.length > 0) {
-		const names = invalid.join(", ");
-		throw new Error(`Invalid secret reference(s): ${names}`);
+		const details = invalid.map(({ name, message }) => `${name}: ${message}`).join("; ");
+		throw new Error(`Invalid secret reference(s): ${details}`);
 	}
 };