postmanlabs
diff --git a/‎lib/runner/extensions/event.command.js‎
Lines changed: 47 additions & 2 deletions b/‎lib/runner/extensions/event.command.js‎
Lines changed: 47 additions & 2 deletions
diff --git a/‎lib/runner/extensions/item.command.js‎
Lines changed: 18 additions & 11 deletions b/‎lib/runner/extensions/item.command.js‎
Lines changed: 18 additions & 11 deletions
diff --git a/‎lib/runner/extensions/request.command.js‎
Lines changed: 5 additions & 7 deletions b/‎lib/runner/extensions/request.command.js‎
Lines changed: 5 additions & 7 deletions
diff --git a/‎lib/runner/index.js‎
Lines changed: 12 additions & 9 deletions b/‎lib/runner/index.js‎
Lines changed: 12 additions & 9 deletions
@@ -38,7 +38,46 @@ var _ = require('lodash'),
 
     getCookieDomain, // fn
     postProcessContext, // fn
-    sanitizeFiles; // fn
+    sanitizeFiles, // fn
+    maskUnsafeSecrets; // fn
+
+/**
+ * Clones variable scopes and masks variables in unsafeSecretKeys (Set of "scopeName:variableKey").
+ * Used to hide non-safe secret values from scripts while keeping them available for request substitution.
+ *
+ * @param {Object} context - Context with environment, globals, collectionVariables
+ * @param {Set} unsafeSecretKeys - Set of "scopeName:variableKey" for secrets with safe=false
+ * @returns {Object} - Context with cloned, masked scopes
+ */
+maskUnsafeSecrets = function (context, unsafeSecretKeys) {
+    if (!unsafeSecretKeys || unsafeSecretKeys.size === 0) {
+        return context;
+    }
+
+    var scopeNames = ['environment', 'globals', 'collectionVariables'],
+        maskedContext = _.assign({}, context);
+
+    scopeNames.forEach(function (scopeName) {
+        var scope = context[scopeName],
+            maskedScope;
+
+        if (!scope || !sdk.VariableScope.isVariableScope(scope)) {
+            return;
+        }
+
+        maskedScope = new sdk.VariableScope(scope.toJSON ? scope.toJSON() : scope);
+
+        maskedScope.values.each(function (variable) {
+            if (variable && unsafeSecretKeys.has(scopeName + ':' + variable.key)) {
+                variable.set(undefined);
+            }
+        });
+
+        maskedContext[scopeName] = maskedScope;
+    });
+
+    return maskedContext;
+};
 
 postProcessContext = function (execution, failures) { // function determines whether the event needs to abort
     var error;
@@ -514,6 +553,12 @@ module.exports = {
                 const currentEventItem = event.parent && event.parent(),
 
                     executeScript = ({ resolvedPackages }, done) => {
+                        var contextToUse = _.pick(payload.context, SAFE_CONTEXT_VARIABLES);
+
+                        if (payload.context._unsafeSecretKeys) {
+                            contextToUse = maskUnsafeSecrets(contextToUse, payload.context._unsafeSecretKeys);
+                        }
+
                         // finally execute the script
                         this.host.execute(event, {
                             id: executionId,
@@ -522,7 +567,7 @@ module.exports = {
                             // @todo: Expose this as a property in Collection SDK's Script
                             timeout: payload.scriptTimeout,
                             cursor: scriptCursor,
-                            context: _.pick(payload.context, SAFE_CONTEXT_VARIABLES),
+                            context: contextToUse,
                             resolvedPackages: resolvedPackages,
 
                             disabledAPIs: !_.get(this, 'options.script.requestResolver') ?
 
@@ -124,7 +124,7 @@ module.exports = {
 
                 ctxTemplate,
                 self = this,
-                secretResolvers = this.state.secretResolvers,
+                secretResolver = this.state.secretResolver,
                 secretResolutionPayload,
                 executeItemFlow;
 
@@ -150,8 +150,11 @@ module.exports = {
 
             /**
              * Execute the main item flow (delay, prerequest, request, test)
+             *
+             * @param {Array} [secretResolutionErrors] - Errors from partial secret resolution
+             * @param {Set} [unsafeSecretKeys] - Set of scopeName:variableKey for secrets with safe=false
              */
-            executeItemFlow = function () {
+            executeItemFlow = function (secretResolutionErrors, unsafeSecretKeys) {
                 self.queueDelay(function () {
                 // create the context object for scripts to run
                     ctxTemplate = {
@@ -161,7 +164,8 @@ module.exports = {
                         globals: globals,
                         environment: environment,
                         data: data,
-                        request: item.request
+                        request: item.request,
+                        _unsafeSecretKeys: unsafeSecretKeys
                     };
 
                     // @todo make it less nested by coding Instruction.thenQueue
@@ -279,13 +283,17 @@ module.exports = {
                                             };
 
                                             // trigger an event saying that item has been processed
-                                            this.triggers.item(null, coords, item, visualizerResult);
+                                            this.triggers.item(null, coords, item, visualizerResult,
+                                                secretResolutionErrors && secretResolutionErrors.length ?
+                                                    { secretResolutionErrors } : undefined);
                                         }.bind(this));
                                 }
                                 else {
                                 // trigger an event saying that item has been processed
                                 // @todo - should this trigger receive error?
-                                    this.triggers.item(null, coords, item, null);
+                                    this.triggers.item(null, coords, item, null,
+                                        secretResolutionErrors && secretResolutionErrors.length ?
+                                            { secretResolutionErrors } : undefined);
                                 }
 
                                 // reset mutated request with original request instance
@@ -310,12 +318,11 @@ module.exports = {
             };
 
             // Resolve secrets before pre-request scripts so scripts can access resolved values via related pm APIs
-            if (secretResolvers) {
-                resolveSecrets(secretResolutionPayload, secretResolvers, function (err) {
+            if (secretResolver) {
+                resolveSecrets(secretResolutionPayload, secretResolver, function (err, secErrors, unsafeKeys) {
                     if (err) {
-                        // Secret resolution failed - this is fatal for the current item
-                        // (same pattern as pre-request script skip)
-                        self.triggers.item(err, coords, item, null, { isSecretResolutionFailed: true });
+                        // Fatal: stop immediately, request is never executed
+                        self.triggers.item(err, coords, item, null, { hasSecretResolutionFailed: true });
 
                         callback && callback.call(self, err, {
                             request: null
@@ -324,7 +331,7 @@ module.exports = {
                         return next();
                     }
 
-                    executeItemFlow();
+                    executeItemFlow(secErrors, unsafeKeys);
                 });
             }
             else {
 
@@ -12,23 +12,21 @@ module.exports = {
 
     process: {
         request (payload, next) {
-            var self = this,
-                abortOnError = _.has(payload, 'abortOnError') ? payload.abortOnError : this.options.abortOnError,
+            var abortOnError = _.has(payload, 'abortOnError') ? payload.abortOnError : this.options.abortOnError,
 
-                // helper function to trigger `response` callback and complete the command
+                // helper function to trigger `response` callback anc complete the command
                 complete = function (err, nextPayload) {
                     // nextPayload will be empty for unhandled errors
                     // trigger `response` callback
                     // nextPayload.response will be empty for error flows
                     // the `item` argument is resolved and mutated here
-                    nextPayload && self.triggers.response(err, nextPayload.coords, nextPayload.response,
+                    nextPayload && this.triggers.response(err, nextPayload.coords, nextPayload.response,
                         nextPayload.request, nextPayload.item, nextPayload.cookies, nextPayload.history);
 
                     // the error is passed twice to allow control between aborting the error vs just
                     // bubbling it up
                     return next(err && abortOnError ? err : null, nextPayload, err);
-                },
-
+                }.bind(this),
                 context = createItemContext(payload);
 
             // resolve variables in item and auth
@@ -40,7 +38,7 @@ module.exports = {
             // we do not queue `httprequest` instruction here,
             // queueing will unblock the item command to prepare for the next `event` instruction
             // at this moment request is not fulfilled, and we want to block it
-            self.immediate('httprequest', payload)
+            this.immediate('httprequest', payload)
                 .done(function (nextPayload, err) {
                     // change signature to error first
                     complete(err, nextPayload);
 
@@ -97,14 +97,17 @@ _.assign(Runner.prototype, {
      * @param {String} [options.entrypoint.lookupStrategy=idOrName] strategy to lookup the entrypoint [idOrName, path]
      * @param {Array<String>} [options.entrypoint.path] path to lookup
      * @param {Object} [options.run] Run-specific options, such as options related to the host
-     * @param {Object} [options.secretResolvers] - Object mapping provider names to resolver configs.
-     * Keys must match secret.source.provider (e.g. postman, azure, 1password, aws, hashicorp).
-     * Each resolver config may have:
-     *   - {String} id - (Required) Unique identifier for the resolver (same as secret.source.provider)
-     *   - {String} name - (Required) Human-readable name for the resolver
-     *   - {Function} resolver - (Required) Function(secret, context) that returns resolved value or Promise
-     *   - {Number} [timeout=5000] - (Optional) Timeout in milliseconds (default: 5000)
-     *   - {Number} [retryCount=0] - (Optional) Number of retry attempts on failure (default: 0)
+     * @param {Function} [options.secretResolver] - Function({ secrets, payload }, callback) that resolves secrets.
+     * Receives: secrets (array of { scopeName, scope, variable, context }), payload ({ item, environment,
+     * globals, collectionVariables }). Callback is (err, result).
+     * On fatal error: callback(err) — request execution stops.
+     * On success: callback(null, result) where result is Array<{ resolvedValue?: string,
+     *  error?: Error, safe?: boolean }>;
+     * result[i] corresponds to secrets[i].
+     * resolvedValue: resolved string (undefined if failed/skipped).
+     * error: Error when resolution failed for particular secret.
+     * safe: if true, value is exposed to scripts via pm.environment/pm.variables;
+     *       if false/undefined, masked from scripts. Runtime applies values.
      *
      * @param {Function} callback -
      */
@@ -156,7 +159,7 @@ _.assign(Runner.prototype, {
                 localVariables: options.localVariables,
                 certificates: options.certificates,
                 proxies: options.proxies,
-                secretResolvers: options.secretResolvers
+                secretResolver: options.secretResolver
             }, runOptions)));
         });
     }