Resolve a credential value that may be a $ENV:VAR reference.
Literal strings pass through unchanged.
$ENV:VAR reads process.env.VAR and returns it. Throws
MissingEnvSecretError with reason: 'unset' if the variable
is not set, and reason: 'empty' if it is set to the empty string.
We treat empty as missing to catch .env typos — a compliance run
should loudly fail rather than silently POST an empty secret.
Whitespace around the variable name ($ENV: FOO) is tolerated — a common
copy/paste mistake that we don't want to punish at runtime.
Resolve a credential value that may be a
$ENV:VARreference.$ENV:VARreadsprocess.env.VARand returns it. Throws MissingEnvSecretError withreason: 'unset'if the variable is not set, andreason: 'empty'if it is set to the empty string. We treat empty as missing to catch.envtypos — a compliance run should loudly fail rather than silently POST an empty secret.Whitespace around the variable name (
$ENV: FOO) is tolerated — a common copy/paste mistake that we don't want to punish at runtime.