fix: yaml.v3 map types in merge and NATS operators

  - Add support for map[string]interface{} in merge logic to handle yaml.v3 parsing
  - Fix NATS KV/object store YAML type conversion for yaml.v2 compatibility
  - Preserve string values with special characters in NATS KV store
  - Parse .yaml/.yml files from object store when no content-type is set
  - Handle empty KV values explicitly to return empty string instead of nil

  Fixes test failures in TestExamples, TestVaultNatsEdgeCases, and TestNatsOperator

Author: wayneeseguin

Makefile

@@ -1,16 +1,32 @@
+.PHONY: all vet test colortest clitests build integration help
+
+# Default target shows help
+.DEFAULT_GOAL := help
+
 all: vet test build clitests
 
-vet:
+help: ## Show this help message
+	@echo "Available targets:"
+	@echo ""
+	@grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "  \033[36m%-15s\033[0m %s\n", $$1, $$2}'
+	@echo ""
+	@echo "Use 'make <target>' to run a specific target."
+
+vet: ## Run go vet on all packages
 	go list ./... | grep -v vendor | xargs go vet
 
-test:
+test: ## Run all unit tests
 	go list ./... | grep -v vendor | xargs go test
 
-colortest: build
+colortest: build ## Test color output functionality
 	./assets/color_tester
 
-clitests: build
+clitests: build ## Run CLI integration tests
 	./assets/cli_tests
 
-build:
+build: ## Build the graft binary
 	go build ./cmd/graft
+
+integration: build ## Run integration tests with external services (Vault, NATS)
+	@echo "Running integration tests..."
+	@scripts/integration

assets/vault-nats/base-config.yml

@@ -0,0 +1,23 @@
+# Base configuration with references to vault and nats
+app:
+  name: "myapp"
+  environment: (( grab meta.environment ))
+
+database:
+  host: (( grab meta.db_host ))
+  port: (( grab meta.db_port ))
+  username: (( vault "secret/database:username" ))
+  password: (( vault "secret/database:password" ))
+
+cache:
+  type: "redis"
+  host: (( nats "kv:config/cache/host" ))
+  port: (( nats "kv:config/cache/port" ))
+  auth:
+    enabled: true
+    token: (( vault "secret/redis:auth_token" ))
+
+meta:
+  environment: "dev"
+  db_host: "localhost"
+  db_port: 5432

assets/vault-nats/conditional-sources.yml

@@ -0,0 +1,25 @@
+# Testing conditional use of vault vs nats based on environment
+meta:
+  use_vault: (( grab $USE_VAULT || false ))
+  use_nats: (( grab $USE_NATS || true ))
+  env: (( grab $ENVIRONMENT || "dev" ))
+
+secrets:
+  database:
+    # Use vault if enabled, otherwise use nats
+    username: (( ternary meta.use_vault (vault "secret/db:username") (nats "kv:secrets/db/username") ))
+    password: (( ternary meta.use_vault (vault "secret/db:password") (nats "kv:secrets/db/password") ))
+  
+  api_keys:
+    # Try vault first, fallback to nats
+    primary: (( vault "secret/api:primary_key" || nats "kv:api/keys/primary" ))
+    secondary: (( vault "secret/api:secondary_key" || nats "kv:api/keys/secondary" ))
+
+config:
+  # Always use NATS for configuration
+  app_settings: (( nats "obj:configs/app-settings.yaml" ))
+  
+  # Use vault for sensitive feature flags
+  feature_flags:
+    premium_features: (( vault (concat "secret/features/" meta.env ":premium") ))
+    beta_features: (( nats (concat "kv:features/" meta.env "/beta") ))

assets/vault-nats/dynamic-paths.yml

@@ -0,0 +1,31 @@
+# Testing dynamic path construction with vault and nats
+environments:
+  - name: "dev"
+    config:
+      database:
+        host: (( nats (concat "kv:env/" environments.0.name "/database/host") ))
+        credentials: (( vault (concat "secret/" environments.0.name "/database:credentials") ))
+      features:
+        debug: true
+        
+  - name: "staging"
+    config:
+      database:
+        host: (( nats (concat "kv:env/" environments.1.name "/database/host") ))
+        credentials: (( vault (concat "secret/" environments.1.name "/database:credentials") ))
+      features:
+        debug: false
+
+  - name: "production"
+    config:
+      database:
+        host: (( nats (concat "kv:env/" environments.2.name "/database/host") ))
+        credentials: (( vault (concat "secret/" environments.2.name "/database:credentials") ))
+      features:
+        debug: false
+
+# Reference to dynamic environment
+current_env:
+  name: (( grab meta.target_env || "dev" ))
+  database:
+    connection_string: (( concat "postgresql://" (vault (concat "secret/" current_env.name "/db:username")) ":" (vault (concat "secret/" current_env.name "/db:password")) "@" (nats (concat "kv:env/" current_env.name "/database/host")) "/" (nats (concat "kv:env/" current_env.name "/database/name")) ))

assets/vault-nats/multi-source.yml

@@ -0,0 +1,19 @@
+# Testing multiple vault/nats sources with fallbacks
+api:
+  endpoints:
+    - name: "auth"
+      url: (( concat "https://" (nats "kv:services/auth/host") "/v1/auth" ))
+      api_key: (( vault "secret/api/auth:key; secret/api/fallback:key" ))
+    - name: "users"
+      url: (( concat "https://" (nats "kv:services/users/host") "/v1/users" ))
+      api_key: (( vault "secret/api/users:key" ))
+
+monitoring:
+  datadog:
+    enabled: (( nats "kv:features/monitoring/datadog" ))
+    api_key: (( vault "secret/datadog:api_key" ))
+    app_key: (( vault "secret/datadog:app_key" ))
+  
+  prometheus:
+    enabled: (( nats "kv:features/monitoring/prometheus" ))
+    endpoint: (( concat "http://" (nats "kv:services/prometheus/host") ":" (nats "kv:services/prometheus/port") ))

assets/vault-nats/targets-integration.yml

@@ -0,0 +1,39 @@
+# Testing vault and nats with target-specific configurations
+defaults:
+  database:
+    port: 5432
+    ssl: true
+
+# Target-specific configurations
+production:
+  database:
+    host: (( nats@production "kv:database/prod/host" ))
+    username: (( vault@production "secret/prod/db:username" ))
+    password: (( vault@production "secret/prod/db:password" ))
+    ssl_cert: (( vault@production:nocache "secret/prod/db:ssl_cert" ))
+
+staging:
+  database:
+    host: (( nats@staging "kv:database/staging/host" ))
+    username: (( vault@staging "secret/staging/db:username" ))
+    password: (( vault@staging "secret/staging/db:password" ))
+    ssl: false
+
+development:
+  database:
+    host: "localhost"
+    username: "dev_user"
+    password: "dev_pass"
+    ssl: false
+
+# Merge based on target
+database:
+  host: (( grab (concat meta.target ".database.host") || defaults.database.host ))
+  port: (( grab (concat meta.target ".database.port") || defaults.database.port ))
+  username: (( grab (concat meta.target ".database.username") ))
+  password: (( grab (concat meta.target ".database.password") ))
+  ssl: (( grab (concat meta.target ".database.ssl") || defaults.database.ssl ))
+  ssl_cert: (( grab (concat meta.target ".database.ssl_cert") || null ))
+
+meta:
+  target: (( grab $TARGET || "development" ))

Dockerfile docker/DockerfileDockerfile renamed to docker/Dockerfile

@@ -0,0 +1,142 @@
+# Integration Testing
+
+This document describes how to run integration tests for graft's external operators (Vault and NATS).
+
+## Overview
+
+The integration tests verify that graft correctly interacts with external services like HashiCorp Vault and NATS. These tests use Docker containers to spin up real instances of the services, populate them with test data, and then run graft commands to verify the operators work correctly.
+
+## Prerequisites
+
+- Docker must be installed and running
+- The `graft` binary must be built (`make build`)
+- Ports 8200 (Vault) and 4222 (NATS) must be available
+- For NATS tests: `nats` CLI tool (will be auto-installed if missing)
+
+## Running Tests
+
+### Run All Integration Tests
+
+```bash
+make integration
+```
+
+### Run Specific Tests
+
+```bash
+# Run only Vault tests
+scripts/integration --no-nats
+
+# Run only NATS tests  
+scripts/integration --no-vault
+
+# Run with verbose output
+scripts/integration -v
+
+# Keep containers running after tests (for debugging)
+scripts/integration --keep
+```
+
+## Test Coverage
+
+### Vault Operator Tests
+
+1. **Basic secret retrieval** - Fetches username/password from Vault
+2. **Secret with specific key** - Uses `:key` syntax to get specific fields
+3. **Multiple vault references** - Tests multiple operators in one document
+4. **Vault with defaults** - Tests `||` operator for fallback values
+5. **Invalid path handling** - Verifies error handling for missing secrets
+6. **Target-specific vault** - Tests `@target` syntax for multi-instance support
+7. **Vault in complex merge** - Tests vault operators across merged documents
+
+### NATS Operator Tests
+
+1. **Basic KV retrieval** - Fetches values from JetStream KV store
+2. **Object store YAML retrieval** - Fetches and parses YAML from object store
+3. **Multiple NATS references** - Tests multiple operators in one document
+4. **Invalid key handling** - Verifies error handling for missing keys
+5. **Target-specific NATS** - Tests `@target` syntax for multi-instance support
+6. **NATS with timeout** - Tests custom timeout configuration
+
+## Test Data
+
+### Vault Test Data
+
+The integration tests create the following secrets in Vault:
+
+- `secret/test/credentials` - Contains username, password, api_key
+- `secret/test/database` - Contains host, port, name
+- `secret/test/features` - Contains enabled (bool), max_users (int), tier (string)
+
+### NATS Test Data
+
+The integration tests create:
+
+**KV Store (`test-bucket`)**:
+- `config.host` = "api.example.com"
+- `config.port` = "8080"
+- `config.timeout` = "30"
+- `features.auth` = "enabled"
+- `features.cache` = "true"
+
+**Object Store (`test-objects`)**:
+- `config.yml` - A YAML file with version, app, and env fields
+
+## Environment Variables
+
+The integration tests use these environment variables:
+
+### Vault
+- `VAULT_ADDR` - Vault server address (default: http://localhost:8200)
+- `VAULT_TOKEN` - Vault authentication token
+- `VAULT_<TARGET>_ADDR` - Target-specific Vault address
+- `VAULT_<TARGET>_TOKEN` - Target-specific Vault token
+
+### NATS
+- `NATS_URL` - NATS server URL (default: nats://localhost:4222)
+- `NATS_TIMEOUT` - Connection timeout
+- `NATS_<TARGET>_URL` - Target-specific NATS URL
+
+## Output Format
+
+The tests use TAP (Test Anything Protocol) format for output:
+
+```
+1..7 # Vault operator tests
+ok 1 - Vault basic secret retrieval
+ok 2 - Retrieved correct username
+ok 3 - Retrieved correct password
+...
+```
+
+## Troubleshooting
+
+### Port Already in Use
+
+If you see "Port 8200 is already in use" or similar:
+- Check for running Vault/NATS instances: `docker ps`
+- Stop conflicting services or use different ports
+
+### Docker Not Found
+
+Ensure Docker is installed and the Docker daemon is running:
+```bash
+docker --version
+docker ps
+```
+
+### Tests Fail to Connect
+
+If tests fail with connection errors:
+1. Check Docker is running
+2. Verify no firewall is blocking localhost connections
+3. Run with `-v` flag for verbose output
+4. Use `--keep` to inspect running containers
+
+### Debugging Failed Tests
+
+To debug failing tests:
+1. Run with verbose mode: `scripts/integration -v`
+2. Keep containers running: `scripts/integration --keep`
+3. Inspect container logs: `docker logs graft-test-vault-<PID>`
+4. Manually test with graft: `VAULT_ADDR=http://localhost:8200 VAULT_TOKEN=root-token-for-testing ./graft merge test.yml`

docs/development/integration-testing.md

@@ -140,6 +140,11 @@ func (op *Opcall) Where() *tree.Cursor {
 	return op.where
 }
 
+// SetWhere sets the cursor location for this operator call
+func (op *Opcall) SetWhere(cursor *tree.Cursor) {
+	op.where = cursor
+}
+
 // Src returns the source string for this operator call
 func (op *Opcall) Src() string {
 	return op.src