Update dists

Add secret ref validation

src/utils.test.ts

@@ -356,7 +356,7 @@ describe("loadSecrets when using Service Account", () => {
 
 	describe("secret reference validation", () => {
 		it("fails with clear message when a secret reference is invalid", async () => {
-			process.env.MY_SECRET = "op://invalid/ref/form";
+			process.env.MY_SECRET = "op://x";
 			(Secrets.validateSecretReference as jest.Mock).mockImplementationOnce(
 				() => {
 					throw new Error("invalid reference format");
@@ -379,7 +379,6 @@ describe("loadSecrets when using Service Account", () => {
 					}
 				},
 			);
-			mockResolve.mockResolvedValue("value1");
 
 			await expect(loadSecrets(false)).rejects.toThrow(
 				"Invalid secret reference(s): OTHER",

src/utils.ts

@@ -38,7 +38,7 @@ const getEnvVarNamesWithSecretRefs = (): string[] =>
 	);
 
 const validateSecretRefs = (envNames: string[]): void => {
-	const invalid: string[] = [];
+	const invalid: { name: string; message: string }[] = [];
 
 	for (const envName of envNames) {
 		const ref = process.env[envName];
@@ -48,15 +48,18 @@ const validateSecretRefs = (envNames: string[]): void => {
 
 		try {
 			Secrets.validateSecretReference(ref);
-		} catch {
-			invalid.push(envName);
+		} catch (err) {
+			const message = err instanceof Error ? err.message : String(err);
+			invalid.push({ name: envName, message });
 		}
 	}
 
 	// Throw an error if any secret references are invalid
 	if (invalid.length > 0) {
-		const names = invalid.join(", ");
-		throw new Error(`Invalid secret reference(s): ${names}`);
+		const details = invalid
+			.map(({ name, message }) => `${name}: ${message}`)
+			.join("; ");
+		throw new Error(`Invalid secret reference(s): ${details}`);
 	}
 };