fix(vault-secrets): use @adobe/fetch Response to restore .raw() compatibility

Abhishek Garg · Abhishek Garg · commit 64293f6e5f21 · 2026-04-23T16:00:41.000+05:30
The error response returned on Vault failure used the native Node.js
`new Response()` which produces native Web API Headers. Those headers
lack the `.raw()` method that `helix-universal`'s `aws-adapter.js`
calls unconditionally on every response.

When the dev Vault egress was blocked (403), every Lambda invocation
hit the vault error handler, returned a native Response, and crashed
in the adapter with `response.headers.raw is not a function` —
surfaced as HTTP 500 on all API endpoints.

Fix: import Response from `@adobe/fetch` (already a declared
dependency). Its Headers class implements `.raw()`, making it
compatible with the helix-universal adapter.

Added regression tests that assert `.raw()` is callable on the 502
error response, covering bootstrap failure, Vault 403, and secret
read failure scenarios.

Made-with: Cursor
diff --git a/packages/spacecat-shared-vault-secrets/src/vault-secrets-wrapper.js b/packages/spacecat-shared-vault-secrets/src/vault-secrets-wrapper.js
@@ -10,6 +10,8 @@
  * governing permissions and limitations under the License.
  */
 
+import { Response } from '@adobe/fetch';
+
 import VaultClient from './vault-client.js';
 import { loadBootstrapConfig } from './bootstrap.js';
 
diff --git a/packages/spacecat-shared-vault-secrets/test/vault-secrets-wrapper.test.js b/packages/spacecat-shared-vault-secrets/test/vault-secrets-wrapper.test.js
@@ -180,6 +180,97 @@ describe('vaultSecrets wrapper', () => {
       expect(innerFn.called).to.equal(false);
     });
 
+    it('502 response uses @adobe/fetch Headers — .raw() is available for helix-universal adapter', async () => {
+      // Regression test for: response.headers.raw is not a function
+      // helix-universal aws-adapter.js calls response.headers.raw() on every response.
+      // When vault fails, the wrapper must return a Response with @adobe/fetch Headers
+      // (which have .raw()), not native Node.js Headers (which do not).
+      nock(AWS_ENDPOINT)
+        .post('/')
+        .replyWithError('connection refused');
+
+      const ctx = makeContext();
+      const wrapped = vaultSecrets(sinon.stub(), { bootstrapPath: BOOTSTRAP_PATH });
+
+      const response = await wrapped(new Request('https://example.com'), ctx);
+
+      expect(response.status).to.equal(502);
+      // response.headers.raw must exist — native Node.js Headers lack it and break helix-universal
+      expect(typeof response.headers.raw).to.equal('function');
+      const raw = response.headers.raw();
+      expect(raw).to.be.an('object');
+      expect(raw['x-error']).to.equal('error fetching secrets.');
+    });
+
+    it('returns 502 when Vault AppRole login returns 403', async () => {
+      mockBootstrap();
+      nock(VAULT_ADDR)
+        .post('/v1/auth/approle/login')
+        .reply(403, { errors: ['permission denied'] });
+
+      const ctx = makeContext();
+      const innerFn = sinon.stub();
+      const wrapped = vaultSecrets(innerFn, { bootstrapPath: BOOTSTRAP_PATH });
+
+      const response = await wrapped(new Request('https://example.com'), ctx);
+
+      expect(response.status).to.equal(502);
+      expect(response.headers.get('x-error')).to.equal('error fetching secrets.');
+      expect(innerFn.called).to.equal(false);
+      expect(ctx.log.error.calledOnce).to.equal(true);
+    });
+
+    it('502 from Vault 403 also has @adobe/fetch Headers with .raw()', async () => {
+      // This is the exact production failure path:
+      // Vault NAT/WAF blocks egress → 403 → native Response → helix-universal crashes
+      mockBootstrap();
+      nock(VAULT_ADDR)
+        .post('/v1/auth/approle/login')
+        .reply(403, { errors: ['permission denied'] });
+
+      const ctx = makeContext();
+      const wrapped = vaultSecrets(sinon.stub(), { bootstrapPath: BOOTSTRAP_PATH });
+
+      const response = await wrapped(new Request('https://example.com'), ctx);
+
+      expect(response.status).to.equal(502);
+      expect(typeof response.headers.raw).to.equal('function');
+      const raw = response.headers.raw();
+      expect(raw['x-error']).to.equal('error fetching secrets.');
+    });
+
+    it('returns 502 when Vault secret read fails', async () => {
+      mockBootstrap();
+      mockAppRoleLogin();
+      nock(VAULT_ADDR)
+        .get(`/v1/${MOUNT_POINT}/data/prod/api-service`)
+        .reply(500, { errors: ['internal server error'] });
+
+      const ctx = makeContext();
+      const innerFn = sinon.stub();
+      const wrapped = vaultSecrets(innerFn, { bootstrapPath: BOOTSTRAP_PATH });
+
+      const response = await wrapped(new Request('https://example.com'), ctx);
+
+      expect(response.status).to.equal(502);
+      expect(response.headers.get('x-error')).to.equal('error fetching secrets.');
+      expect(innerFn.called).to.equal(false);
+    });
+
+    it('logs the error message when vault fails', async () => {
+      nock(AWS_ENDPOINT)
+        .post('/')
+        .replyWithError('ECONNREFUSED vault unreachable');
+
+      const ctx = makeContext();
+      const wrapped = vaultSecrets(sinon.stub(), { bootstrapPath: BOOTSTRAP_PATH });
+
+      await wrapped(new Request('https://example.com'), ctx);
+
+      expect(ctx.log.error.calledOnce).to.equal(true);
+      expect(ctx.log.error.firstCall.args[0]).to.include('Failed to load secrets:');
+    });
+
     it('returns empty object when VAULT_SECRETS_DISABLED is true', async () => {
       process.env.VAULT_SECRETS_DISABLED = 'true';
       const ctx = makeContext();
