@absolutejs/secrets 0.0.1

package/LICENSE

@@ -0,0 +1,94 @@
+# Business Source License 1.1
+
+**Licensor:** Alex Kahn
+
+**Licensed Work:** @absolutejs/secrets (https://github.com/absolutejs/secrets)
+
+**Change Date:** May 29, 2030
+
+**Change License:** Apache License, Version 2.0
+
+---
+
+## Terms
+
+The Licensor hereby grants you the right to copy, modify, create derivative
+works, redistribute, and make non-production use of the Licensed Work. The
+Licensor may make an Additional Use Grant, permitting limited production use.
+
+### Additional Use Grant
+
+You may use the Licensed Work in production, provided your use does not include
+any of the following:
+
+1. **Offering a Competing Service.** You may not offer the Licensed Work, or
+   any derivative or substantial portion of it, to third parties as a hosted or
+   managed service that competes with a hosted secrets-management,
+   credential-broker, or runtime-secrets-injection platform (including, but not
+   limited to, services like AWS Secrets Manager, HashiCorp Vault Cloud,
+   Doppler, 1Password Secrets, Infisical, GCP Secret Manager, Azure Key Vault,
+   Akeyless, Cloudflare Workers Secrets, Vercel Environment Variables as a
+   product, or any similar hosted offering whose primary value to its users is
+   secrets storage, secrets injection at request time, secrets rotation, or
+   secrets redaction). This includes any product whose primary value to its
+   users is the functionality the Licensed Work provides.
+
+2. **Resale or Redistribution as a Standalone Product.** You may not sell,
+   license, or distribute the Licensed Work, or any derivative or fork of it,
+   as a standalone commercial product.
+
+3. **Removal of Attribution.** Any derivative work, fork, or redistribution of
+   the Licensed Work must prominently credit AbsoluteJS and include a link to
+   the original project repository (https://github.com/absolutejs/secrets).
+
+For clarity, the following uses are expressly permitted:
+
+- Using the Licensed Work to build and operate your own applications, websites,
+  internal tools, or SaaS products (whether commercial or non-commercial), so
+  long as the Licensed Work itself is not the primary product you are selling.
+- Using the Licensed Work as a dependency in commercial software you build and
+  sell, as long as the software is not itself a competing managed service of
+  the kind described in clause 1.
+- Providing consulting, development, or professional services to clients using
+  the Licensed Work.
+- Forking and modifying the Licensed Work for your own internal use, provided
+  attribution is maintained.
+
+### Change Date and Change License
+
+On the Change Date specified above, or on such other date as the Licensor may
+specify by written notice, the Licensed Work will be made available under the
+Change License (Apache License, Version 2.0). Until the Change Date, the terms
+of this Business Source License 1.1 apply.
+
+### Trademark
+
+This license does not grant you any rights to use the "AbsoluteJS" or
+"@absolutejs" name, logo, or any related trademarks. Forks and derivative works
+must not be named or branded in a manner that suggests endorsement by or
+affiliation with AbsoluteJS or the Licensor.
+
+### Notices
+
+You must not remove or obscure any licensing, copyright, or other notices
+included in the Licensed Work.
+
+### No Warranty
+
+THE LICENSED WORK IS PROVIDED "AS IS". THE LICENSOR HEREBY DISCLAIMS ALL
+WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NONINFRINGEMENT. IN NO
+EVENT SHALL THE LICENSOR BE LIABLE FOR ANY CLAIM, DAMAGES, OR OTHER LIABILITY,
+WHETHER IN AN ACTION OF CONTRACT, TORT, OR OTHERWISE, ARISING FROM, OUT OF, OR
+IN CONNECTION WITH THE LICENSED WORK OR THE USE OR OTHER DEALINGS IN THE
+LICENSED WORK.
+
+---
+
+## Contact
+
+For commercial licensing inquiries or additional permissions, contact:
+
+- **Alex Kahn**
+- alexkahndev@gmail.com
+- alexkahndev.github.io

package/README.md

@@ -0,0 +1,115 @@
+# @absolutejs/secrets
+
+Host-side secret broker for multi-tenant Bun runtimes. Three jobs, kept narrow:
+
+1. **Resolve** secrets through a pluggable adapter. The broker caches the
+   value, returns a `{ value, fingerprint }` pair where the fingerprint is
+   a sha256 prefix safe to log, and fires an audit event per call.
+2. **Redact** known cached secrets out of arbitrary strings (an error
+   message, a stdout line, a stack trace) before the text lands in any
+   log sink. Replacement: `[REDACTED:NAME]`.
+3. **Rotate** through the adapter, invalidate the cache, return the new
+   value.
+
+Pure logic, zero Bun / Elysia surface. The intended consumers inside the
+SB-6 substrate are `@absolutejs/sync`'s `bridgeFetch.authorization()` hook
+(host-side credential injection for sandboxed mutations) and `unsafeHost`
+declarations (per-customer host functions like Stripe charge, Slack ping,
+queue push).
+
+```ts
+import { createSecretBroker, envAdapter, inMemoryAdapter, compositeAdapter } from '@absolutejs/secrets';
+
+const broker = createSecretBroker({
+  adapter: compositeAdapter([
+    inMemoryAdapter({ initial: { TEST_KEY: 'sk_test_local_value' } }),
+    envAdapter({ prefix: 'ABS_SECRET_' }),
+  ]),
+  audit: (event) => observabilitySink.write(event),
+  cacheTtlMs: 60_000,
+});
+
+// In bridgeFetch.authorization():
+const { value, fingerprint } = (await broker.resolve('STRIPE_KEY'))!;
+logger.info('charging', { tenant, fingerprint });             // safe — no plaintext
+return { 'Authorization': `Bearer ${value}` };
+
+// In a log sink, before text leaves the host:
+const sanitized = broker.redact(line);                        // [REDACTED:STRIPE_KEY] replaces plaintext
+sinkToCustomerVisibleLog(sanitized);
+
+// Rotate:
+const next = await broker.rotate('STRIPE_KEY');
+notifyDependents(next.fingerprint);                            // tell consumers a new key is in cache
+```
+
+## v0.0.1 surface
+
+| API | Purpose |
+|---|---|
+| `createSecretBroker(options)` | Factory. Returns a `SecretBroker`. |
+| `broker.resolve(name)` | Returns `{ value, fingerprint } | null`. Uses cache within `cacheTtlMs`. |
+| `broker.fingerprint(value)` | Pure helper — sha256 prefix of any string. No adapter call. |
+| `broker.redact(text)` | Rewrite arbitrary text, replacing every cached value (longer-first) with `[REDACTED:NAME]`. Skips values shorter than `redactionMinLength`. |
+| `broker.rotate(name)` | Calls `adapter.rotate?`, caches the result, returns it. Throws if the adapter doesn't support rotation. |
+| `broker.invalidate(name?)` | Clear one entry or the whole cache. |
+| `broker.dispose()` | Tear down — clears cache; subsequent resolves return `null`. |
+
+### Bundled adapters
+
+| Adapter | Use |
+|---|---|
+| `inMemoryAdapter({ initial?, rotate? })` | Tests, dev, and starter templates. Supports every operation. Default rotate = random base36. |
+| `envAdapter({ prefix?, env? })` | Reads `process.env` (or any injected `env` map). Prefix-scoped to avoid leaking unrelated env vars via `list`. Read-only. |
+| `compositeAdapter([...])` | Fan-out / fallback. `fetch` falls through; writes go to the first writeable adapter. |
+
+AWS Secrets Manager / HashiCorp Vault / Doppler / Infisical / GCP Secret
+Manager / Azure Key Vault adapters ship later as siblings — they're the
+ones with real auth surface, so they don't belong in v0.0.1.
+
+### Audit
+
+Every `resolve`, `rotate`, and `invalidate` fires the `audit` hook with
+one of:
+
+- `{ event: 'resolve.hit', name, fingerprint, at }`
+- `{ event: 'resolve.miss', name, fingerprint?, at }` — fingerprint present when the miss turned into a cache write
+- `{ event: 'resolve.error', name, error, at }` — adapter threw
+- `{ event: 'rotate', name, fingerprint, at }`
+- `{ event: 'invalidate', name, at }` — `name` is `null` for a full clear
+
+A throwing or rejecting hook is logged + discarded. The broker is on the
+hot path for every credential lookup — one broken audit sink must not
+take everything down.
+
+### Why fingerprints
+
+`broker.fingerprint(value)` is a deterministic sha256 prefix. Two purposes:
+
+- **Logs.** Trace records can say "served credentials/abc12345" without
+  leaking the secret; if the same fingerprint shows up across two requests
+  you know they used the same key.
+- **Webhook verification.** Compare an inbound HMAC hex against
+  `fingerprint(expectedSecret)` to confirm rotation propagation without
+  ever putting the secret next to the comparison.
+
+It is NOT a security construct — 8 hex chars has only 32 bits of entropy.
+Treat it as a tag, not a token.
+
+## What v0.0.1 does NOT include
+
+- Vendored AWS / Vault / Doppler / Infisical adapters (siblings, later).
+- Encrypted on-disk cache.
+- Cross-process secret sharing.
+- Streaming key-rotation propagation to downstream sandboxes (caller wires that on top of `rotate`'s return).
+
+## Architectural role
+
+- **`@absolutejs/sync`** — `bridgeFetch.authorization()` and `unsafeHost` host functions ask the broker for credentials per call. The plaintext never crosses the sandbox boundary.
+- **`@absolutejs/runtime`** — passes the broker into the per-tenant process via the `env` it injects (or via a side-channel; the broker doesn't care).
+- **`@absolutejs/router`** — no direct relationship; runs upstream of the broker.
+- **`@absolutejs/metering`** — `audit` can sink directly into the metering pipeline so credential lookups are billable observability events.
+
+## License
+
+BSL 1.1 with a named carveout for the hosted secrets-management / credential-broker / runtime-secrets-injection category (AWS Secrets Manager, HashiCorp Vault Cloud, Doppler, 1Password Secrets, Infisical, GCP Secret Manager, Azure Key Vault, Akeyless, Cloudflare Workers Secrets, Vercel Environment Variables as a product). See [LICENSE](./LICENSE). Change Date: 4 years from first release; Change License: Apache 2.0.

package/dist/index.d.ts

@@ -0,0 +1,148 @@
+/**
+ * @absolutejs/secrets — host-side secret broker for multi-tenant Bun
+ * runtimes.
+ *
+ * Three responsibilities, kept narrow on purpose:
+ *
+ * 1. **Resolve.** A pluggable adapter fetches a secret by name. The broker
+ *    caches the answer, hands the caller back a `{ value, fingerprint }`
+ *    pair (fingerprint is a sha256 prefix safe to put in logs), and fires
+ *    an audit event for every lookup.
+ * 2. **Redact.** Walks every known cached secret out of an arbitrary string
+ *    before it leaves the host (e.g. an error message that contains the
+ *    leaked API key the host call just made). The replacement is
+ *    `[REDACTED:name]`; matches shorter than `redactionMinLength` are
+ *    skipped to avoid blanking coincidental short tokens.
+ * 3. **Rotate.** Delegates to `adapter.rotate?(name)` if the adapter
+ *    supports it, invalidates the cache entry. Caller is expected to
+ *    re-distribute to dependent surfaces.
+ *
+ * v0.0.1 ships three adapters: `inMemoryAdapter`, `envAdapter`,
+ * `compositeAdapter`. AWS Secrets Manager / Vault / Doppler / Infisical
+ * adapters ship later as siblings.
+ *
+ * The broker is bun/elysia-agnostic — same posture as router + meter.
+ */
+export type SecretValue = {
+    /** The plaintext secret. Treat as poison: never log, never serialize. */
+    value: string;
+    /**
+     * Short sha256-derived id (first 8 hex chars). Stable across calls for
+     * the same value; safe to print in logs and traces. Useful for "which
+     * version of the key did this request use?" diagnostics without leaking.
+     */
+    fingerprint: string;
+};
+export type SecretAdapter = {
+    /** Return the plaintext value for a name, or `null` if not stored here. */
+    fetch: (name: string) => Promise<string | null>;
+    /** Write a value. Optional — adapters may be read-only. */
+    put?: (name: string, value: string) => Promise<void>;
+    /** Delete a value. Optional. */
+    remove?: (name: string) => Promise<void>;
+    /** Rotate a value; return the NEW plaintext. Optional. */
+    rotate?: (name: string) => Promise<string>;
+    /** Enumerate names. Optional; default omitted to avoid leaking the index. */
+    list?: () => Promise<string[]>;
+};
+export type AuditEvent = {
+    event: 'resolve.hit';
+    name: string;
+    fingerprint: string;
+    at: number;
+} | {
+    event: 'resolve.miss';
+    name: string;
+    fingerprint?: string;
+    at: number;
+} | {
+    event: 'resolve.error';
+    name: string;
+    error: string;
+    at: number;
+} | {
+    event: 'rotate';
+    name: string;
+    fingerprint: string;
+    at: number;
+} | {
+    event: 'invalidate';
+    name: string | null;
+    at: number;
+};
+export type AuditHook = (event: AuditEvent) => void | Promise<void>;
+export type SecretBrokerOptions = {
+    /** The adapter the broker delegates fetch / rotate / put to. */
+    adapter: SecretAdapter;
+    /** Audit hook fired on every resolve / rotate / invalidate. */
+    audit?: AuditHook;
+    /**
+     * How long a cached secret stays fresh, in ms. After this, the next
+     * resolve re-hits the adapter. Default 60_000 (1 minute). Set to
+     * `Infinity` to disable TTL — only `rotate` / `invalidate` evict.
+     */
+    cacheTtlMs?: number;
+    /**
+     * Minimum length a cached value must have before `redact` will rewrite
+     * occurrences of it in arbitrary text. Default 8 — short values risk
+     * blanking out coincidental matches (e.g. a short password "abc1"
+     * appearing as a substring of unrelated text).
+     */
+    redactionMinLength?: number;
+    /** Override `Date.now` for tests. */
+    clock?: () => number;
+};
+export type SecretBroker = {
+    /**
+     * Resolve a secret by name. Returns `null` if the adapter reports
+     * no value. Caches the answer for `cacheTtlMs`.
+     */
+    resolve: (name: string) => Promise<SecretValue | null>;
+    /**
+     * Returns the fingerprint of a value WITHOUT touching the adapter.
+     * Useful for hashing a value the caller already has — e.g. a webhook
+     * payload — to compare against an audit log.
+     */
+    fingerprint: (value: string) => string;
+    /**
+     * Replace every cached secret value found in `text` with
+     * `[REDACTED:name]`. Returns the rewritten text. Subjects shorter than
+     * `redactionMinLength` are skipped.
+     */
+    redact: (text: string) => string;
+    /**
+     * Rotate a secret. Calls `adapter.rotate(name)`, invalidates the cache,
+     * returns the new `{ value, fingerprint }`. Throws if the adapter does
+     * not support rotation.
+     */
+    rotate: (name: string) => Promise<SecretValue>;
+    /**
+     * Invalidate one cache entry, or the whole cache when `name` is omitted.
+     */
+    invalidate: (name?: string) => void;
+    /** Tear down the broker — clears the cache; further resolves still hit the adapter. */
+    dispose: () => void;
+};
+export type InMemoryAdapterOptions = {
+    initial?: Record<string, string>;
+    /** Override the rotation strategy. Default = random 32-char base36 string. */
+    rotate?: (name: string, previous: string | null) => string;
+};
+export declare const inMemoryAdapter: (options?: InMemoryAdapterOptions) => SecretAdapter;
+export type EnvAdapterOptions = {
+    /**
+     * If set, lookups are prefixed before reading from env. e.g.
+     * `prefix: 'ABS_SECRET_'` and `resolve('STRIPE_KEY')` reads `ABS_SECRET_STRIPE_KEY`.
+     * Default `''` (no prefix).
+     */
+    prefix?: string;
+    /** The env object to read from. Default `process.env`. */
+    env?: Record<string, string | undefined>;
+};
+export declare const envAdapter: (options?: EnvAdapterOptions) => SecretAdapter;
+/**
+ * Compose adapters: `fetch` falls through to the first non-null result;
+ * `put` / `rotate` / `remove` go to the first adapter that implements them.
+ */
+export declare const compositeAdapter: (adapters: SecretAdapter[]) => SecretAdapter;
+export declare const createSecretBroker: (options: SecretBrokerOptions) => SecretBroker;

package/dist/index.js

@@ -0,0 +1,334 @@
+// @bun
+// src/index.ts
+var HEX = "0123456789abcdef";
+var sha256Hex = (input) => {
+  return sha256(input);
+};
+var ROUND_CONSTANTS = new Uint32Array([
+  1116352408,
+  1899447441,
+  3049323471,
+  3921009573,
+  961987163,
+  1508970993,
+  2453635748,
+  2870763221,
+  3624381080,
+  310598401,
+  607225278,
+  1426881987,
+  1925078388,
+  2162078206,
+  2614888103,
+  3248222580,
+  3835390401,
+  4022224774,
+  264347078,
+  604807628,
+  770255983,
+  1249150122,
+  1555081692,
+  1996064986,
+  2554220882,
+  2821834349,
+  2952996808,
+  3210313671,
+  3336571891,
+  3584528711,
+  113926993,
+  338241895,
+  666307205,
+  773529912,
+  1294757372,
+  1396182291,
+  1695183700,
+  1986661051,
+  2177026350,
+  2456956037,
+  2730485921,
+  2820302411,
+  3259730800,
+  3345764771,
+  3516065817,
+  3600352804,
+  4094571909,
+  275423344,
+  430227734,
+  506948616,
+  659060556,
+  883997877,
+  958139571,
+  1322822218,
+  1537002063,
+  1747873779,
+  1955562222,
+  2024104815,
+  2227730452,
+  2361852424,
+  2428436474,
+  2756734187,
+  3204031479,
+  3329325298
+]);
+var sha256 = (input) => {
+  const bytes = new TextEncoder().encode(input);
+  const bitLength = bytes.length * 8;
+  const padLength = (bytes.length + 9 + 63 & ~63) - bytes.length;
+  const padded = new Uint8Array(bytes.length + padLength);
+  padded.set(bytes);
+  padded[bytes.length] = 128;
+  const view = new DataView(padded.buffer);
+  view.setUint32(padded.length - 4, bitLength >>> 0);
+  view.setUint32(padded.length - 8, Math.floor(bitLength / 4294967296));
+  let h0 = 1779033703, h1 = 3144134277, h2 = 1013904242, h3 = 2773480762;
+  let h4 = 1359893119, h5 = 2600822924, h6 = 528734635, h7 = 1541459225;
+  const w = new Uint32Array(64);
+  for (let i = 0;i < padded.length; i += 64) {
+    for (let t = 0;t < 16; t++) {
+      w[t] = view.getUint32(i + t * 4);
+    }
+    for (let t = 16;t < 64; t++) {
+      const w15 = w[t - 15];
+      const w2 = w[t - 2];
+      const s0 = (w15 >>> 7 | w15 << 25) ^ (w15 >>> 18 | w15 << 14) ^ w15 >>> 3;
+      const s1 = (w2 >>> 17 | w2 << 15) ^ (w2 >>> 19 | w2 << 13) ^ w2 >>> 10;
+      w[t] = w[t - 16] + s0 + w[t - 7] + s1 >>> 0;
+    }
+    let a = h0, b = h1, c = h2, d = h3, e = h4, f = h5, g = h6, h = h7;
+    for (let t = 0;t < 64; t++) {
+      const S1 = (e >>> 6 | e << 26) ^ (e >>> 11 | e << 21) ^ (e >>> 25 | e << 7);
+      const ch = e & f ^ ~e & g;
+      const T1 = h + S1 + ch + ROUND_CONSTANTS[t] + w[t] >>> 0;
+      const S0 = (a >>> 2 | a << 30) ^ (a >>> 13 | a << 19) ^ (a >>> 22 | a << 10);
+      const maj = a & b ^ a & c ^ b & c;
+      const T2 = S0 + maj >>> 0;
+      h = g;
+      g = f;
+      f = e;
+      e = d + T1 >>> 0;
+      d = c;
+      c = b;
+      b = a;
+      a = T1 + T2 >>> 0;
+    }
+    h0 = h0 + a >>> 0;
+    h1 = h1 + b >>> 0;
+    h2 = h2 + c >>> 0;
+    h3 = h3 + d >>> 0;
+    h4 = h4 + e >>> 0;
+    h5 = h5 + f >>> 0;
+    h6 = h6 + g >>> 0;
+    h7 = h7 + h >>> 0;
+  }
+  const toHex = (n) => {
+    let result = "";
+    for (let i = 7;i >= 0; i--) {
+      result += HEX[n >>> i * 4 & 15];
+    }
+    return result;
+  };
+  return toHex(h0) + toHex(h1) + toHex(h2) + toHex(h3) + toHex(h4) + toHex(h5) + toHex(h6) + toHex(h7);
+};
+var fingerprintOf = (value) => sha256Hex(value).slice(0, 8);
+var randomBase36 = (length) => {
+  let out = "";
+  while (out.length < length) {
+    out += Math.random().toString(36).slice(2);
+  }
+  return out.slice(0, length);
+};
+var inMemoryAdapter = (options = {}) => {
+  const store = new Map;
+  for (const [k, v] of Object.entries(options.initial ?? {}))
+    store.set(k, v);
+  const rotate = options.rotate ?? (() => randomBase36(32));
+  return {
+    fetch: async (name) => store.get(name) ?? null,
+    list: async () => Array.from(store.keys()),
+    put: async (name, value) => {
+      store.set(name, value);
+    },
+    remove: async (name) => {
+      store.delete(name);
+    },
+    rotate: async (name) => {
+      const next = rotate(name, store.get(name) ?? null);
+      store.set(name, next);
+      return next;
+    }
+  };
+};
+var envAdapter = (options = {}) => {
+  const prefix = options.prefix ?? "";
+  const env = options.env ?? globalThis.process?.env ?? {};
+  return {
+    fetch: async (name) => {
+      const key = `${prefix}${name}`;
+      const value = env[key];
+      return value === undefined ? null : value;
+    },
+    list: async () => {
+      if (!prefix)
+        return Object.keys(env);
+      const matches = [];
+      for (const key of Object.keys(env)) {
+        if (key.startsWith(prefix))
+          matches.push(key.slice(prefix.length));
+      }
+      return matches;
+    }
+  };
+};
+var compositeAdapter = (adapters) => {
+  const firstWith = (method) => adapters.find((adapter) => adapter[method] !== undefined);
+  return {
+    fetch: async (name) => {
+      for (const adapter of adapters) {
+        const value = await adapter.fetch(name);
+        if (value !== null)
+          return value;
+      }
+      return null;
+    },
+    list: async () => {
+      const seen = new Set;
+      for (const adapter of adapters) {
+        if (!adapter.list)
+          continue;
+        for (const name of await adapter.list())
+          seen.add(name);
+      }
+      return Array.from(seen);
+    },
+    put: async (name, value) => {
+      const target = firstWith("put");
+      if (!target?.put)
+        throw new Error("No adapter in the composite supports put()");
+      await target.put(name, value);
+    },
+    remove: async (name) => {
+      const target = firstWith("remove");
+      if (!target?.remove)
+        throw new Error("No adapter in the composite supports remove()");
+      await target.remove(name);
+    },
+    rotate: async (name) => {
+      const target = firstWith("rotate");
+      if (!target?.rotate)
+        throw new Error("No adapter in the composite supports rotate()");
+      return target.rotate(name);
+    }
+  };
+};
+var createSecretBroker = (options) => {
+  const clock = options.clock ?? Date.now;
+  const ttl = options.cacheTtlMs ?? 60000;
+  const minLen = options.redactionMinLength ?? 8;
+  const audit = options.audit;
+  const cache = new Map;
+  let disposed = false;
+  const fireAudit = (event) => {
+    if (!audit)
+      return;
+    try {
+      const result = audit(event);
+      if (result && typeof result.then === "function") {
+        result.catch((error) => {
+          console.error("[secrets] audit hook rejected:", error);
+        });
+      }
+    } catch (error) {
+      console.error("[secrets] audit hook threw:", error);
+    }
+  };
+  const cacheEntry = (name, value, now) => {
+    const entry = {
+      fingerprint: fingerprintOf(value),
+      storedAt: now,
+      value
+    };
+    cache.set(name, entry);
+    return entry;
+  };
+  const resolve = async (name) => {
+    if (disposed)
+      return null;
+    const now = clock();
+    const cached = cache.get(name);
+    if (cached && now - cached.storedAt < ttl) {
+      fireAudit({ at: now, event: "resolve.hit", fingerprint: cached.fingerprint, name });
+      return { fingerprint: cached.fingerprint, value: cached.value };
+    }
+    try {
+      const value = await options.adapter.fetch(name);
+      if (value === null) {
+        fireAudit({ at: now, event: "resolve.miss", name });
+        cache.delete(name);
+        return null;
+      }
+      const entry = cacheEntry(name, value, now);
+      fireAudit({ at: now, event: "resolve.miss", fingerprint: entry.fingerprint, name });
+      return { fingerprint: entry.fingerprint, value: entry.value };
+    } catch (error) {
+      fireAudit({
+        at: now,
+        error: error instanceof Error ? error.message : String(error),
+        event: "resolve.error",
+        name
+      });
+      throw error;
+    }
+  };
+  const rotate = async (name) => {
+    if (disposed)
+      throw new Error("Broker is disposed");
+    if (!options.adapter.rotate) {
+      throw new Error("Adapter does not support rotate()");
+    }
+    const next = await options.adapter.rotate(name);
+    const now = clock();
+    const entry = cacheEntry(name, next, now);
+    fireAudit({ at: now, event: "rotate", fingerprint: entry.fingerprint, name });
+    return { fingerprint: entry.fingerprint, value: entry.value };
+  };
+  const invalidate = (name) => {
+    if (name === undefined) {
+      cache.clear();
+    } else {
+      cache.delete(name);
+    }
+    fireAudit({ at: clock(), event: "invalidate", name: name ?? null });
+  };
+  const redact = (text) => {
+    if (text.length === 0 || cache.size === 0)
+      return text;
+    const ordered = Array.from(cache.entries()).filter(([, entry]) => entry.value.length >= minLen).sort(([, a], [, b]) => b.value.length - a.value.length);
+    let out = text;
+    for (const [name, entry] of ordered) {
+      if (!out.includes(entry.value))
+        continue;
+      out = out.split(entry.value).join(`[REDACTED:${name}]`);
+    }
+    return out;
+  };
+  return {
+    dispose: () => {
+      disposed = true;
+      cache.clear();
+    },
+    fingerprint: fingerprintOf,
+    invalidate,
+    redact,
+    resolve,
+    rotate
+  };
+};
+export {
+  inMemoryAdapter,
+  envAdapter,
+  createSecretBroker,
+  compositeAdapter
+};
+
+//# debugId=EE866E47E57910C764756E2164756E21
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1,10 @@
+{
+  "version": 3,
+  "sources": ["../src/index.ts"],
+  "sourcesContent": [
+    "/**\n * @absolutejs/secrets — host-side secret broker for multi-tenant Bun\n * runtimes.\n *\n * Three responsibilities, kept narrow on purpose:\n *\n * 1. **Resolve.** A pluggable adapter fetches a secret by name. The broker\n *    caches the answer, hands the caller back a `{ value, fingerprint }`\n *    pair (fingerprint is a sha256 prefix safe to put in logs), and fires\n *    an audit event for every lookup.\n * 2. **Redact.** Walks every known cached secret out of an arbitrary string\n *    before it leaves the host (e.g. an error message that contains the\n *    leaked API key the host call just made). The replacement is\n *    `[REDACTED:name]`; matches shorter than `redactionMinLength` are\n *    skipped to avoid blanking coincidental short tokens.\n * 3. **Rotate.** Delegates to `adapter.rotate?(name)` if the adapter\n *    supports it, invalidates the cache entry. Caller is expected to\n *    re-distribute to dependent surfaces.\n *\n * v0.0.1 ships three adapters: `inMemoryAdapter`, `envAdapter`,\n * `compositeAdapter`. AWS Secrets Manager / Vault / Doppler / Infisical\n * adapters ship later as siblings.\n *\n * The broker is bun/elysia-agnostic — same posture as router + meter.\n */\n\nexport type SecretValue = {\n\t/** The plaintext secret. Treat as poison: never log, never serialize. */\n\tvalue: string;\n\t/**\n\t * Short sha256-derived id (first 8 hex chars). Stable across calls for\n\t * the same value; safe to print in logs and traces. Useful for \"which\n\t * version of the key did this request use?\" diagnostics without leaking.\n\t */\n\tfingerprint: string;\n};\n\nexport type SecretAdapter = {\n\t/** Return the plaintext value for a name, or `null` if not stored here. */\n\tfetch: (name: string) => Promise<string | null>;\n\t/** Write a value. Optional — adapters may be read-only. */\n\tput?: (name: string, value: string) => Promise<void>;\n\t/** Delete a value. Optional. */\n\tremove?: (name: string) => Promise<void>;\n\t/** Rotate a value; return the NEW plaintext. Optional. */\n\trotate?: (name: string) => Promise<string>;\n\t/** Enumerate names. Optional; default omitted to avoid leaking the index. */\n\tlist?: () => Promise<string[]>;\n};\n\nexport type AuditEvent =\n\t| { event: 'resolve.hit'; name: string; fingerprint: string; at: number }\n\t| { event: 'resolve.miss'; name: string; fingerprint?: string; at: number }\n\t| { event: 'resolve.error'; name: string; error: string; at: number }\n\t| { event: 'rotate'; name: string; fingerprint: string; at: number }\n\t| { event: 'invalidate'; name: string | null; at: number };\n\nexport type AuditHook = (event: AuditEvent) => void | Promise<void>;\n\nexport type SecretBrokerOptions = {\n\t/** The adapter the broker delegates fetch / rotate / put to. */\n\tadapter: SecretAdapter;\n\t/** Audit hook fired on every resolve / rotate / invalidate. */\n\taudit?: AuditHook;\n\t/**\n\t * How long a cached secret stays fresh, in ms. After this, the next\n\t * resolve re-hits the adapter. Default 60_000 (1 minute). Set to\n\t * `Infinity` to disable TTL — only `rotate` / `invalidate` evict.\n\t */\n\tcacheTtlMs?: number;\n\t/**\n\t * Minimum length a cached value must have before `redact` will rewrite\n\t * occurrences of it in arbitrary text. Default 8 — short values risk\n\t * blanking out coincidental matches (e.g. a short password \"abc1\"\n\t * appearing as a substring of unrelated text).\n\t */\n\tredactionMinLength?: number;\n\t/** Override `Date.now` for tests. */\n\tclock?: () => number;\n};\n\nexport type SecretBroker = {\n\t/**\n\t * Resolve a secret by name. Returns `null` if the adapter reports\n\t * no value. Caches the answer for `cacheTtlMs`.\n\t */\n\tresolve: (name: string) => Promise<SecretValue | null>;\n\t/**\n\t * Returns the fingerprint of a value WITHOUT touching the adapter.\n\t * Useful for hashing a value the caller already has — e.g. a webhook\n\t * payload — to compare against an audit log.\n\t */\n\tfingerprint: (value: string) => string;\n\t/**\n\t * Replace every cached secret value found in `text` with\n\t * `[REDACTED:name]`. Returns the rewritten text. Subjects shorter than\n\t * `redactionMinLength` are skipped.\n\t */\n\tredact: (text: string) => string;\n\t/**\n\t * Rotate a secret. Calls `adapter.rotate(name)`, invalidates the cache,\n\t * returns the new `{ value, fingerprint }`. Throws if the adapter does\n\t * not support rotation.\n\t */\n\trotate: (name: string) => Promise<SecretValue>;\n\t/**\n\t * Invalidate one cache entry, or the whole cache when `name` is omitted.\n\t */\n\tinvalidate: (name?: string) => void;\n\t/** Tear down the broker — clears the cache; further resolves still hit the adapter. */\n\tdispose: () => void;\n};\n\n// -----------------------------------------------------------------------------\n// Fingerprint\n// -----------------------------------------------------------------------------\n\nconst HEX = '0123456789abcdef';\n\nconst sha256Hex = (input: string): string => {\n\t// 2026-era Bun: `crypto.subtle.digest` is the portable path. Synchronous\n\t// path via `Bun.CryptoHasher` is faster but requires Bun globals; we use\n\t// subtle to keep the broker runtime-agnostic at the cost of being async.\n\t// For the `fingerprint(value)` *public* method we want a synchronous\n\t// answer — so we use a tiny in-house sha256. It's slower than the native\n\t// digest but only runs on the secret value (small, ~ < 1KB), once per\n\t// distinct value over the broker's lifetime (memoized in the cache entry).\n\treturn sha256(input);\n};\n\n// Pure JS sha256, NIST FIPS 180-4. Small + dependency-free. Returns lowercase hex.\nconst ROUND_CONSTANTS = new Uint32Array([\n\t0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1,\n\t0x923f82a4, 0xab1c5ed5, 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,\n\t0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174, 0xe49b69c1, 0xefbe4786,\n\t0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,\n\t0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147,\n\t0x06ca6351, 0x14292967, 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,\n\t0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, 0xa2bfe8a1, 0xa81a664b,\n\t0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,\n\t0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a,\n\t0x5b9cca4f, 0x682e6ff3, 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,\n\t0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2,\n]);\n\nconst sha256 = (input: string): string => {\n\tconst bytes = new TextEncoder().encode(input);\n\tconst bitLength = bytes.length * 8;\n\tconst padLength = ((bytes.length + 9 + 63) & ~63) - bytes.length;\n\tconst padded = new Uint8Array(bytes.length + padLength);\n\tpadded.set(bytes);\n\tpadded[bytes.length] = 0x80;\n\tconst view = new DataView(padded.buffer);\n\tview.setUint32(padded.length - 4, bitLength >>> 0);\n\tview.setUint32(padded.length - 8, Math.floor(bitLength / 0x1_0000_0000));\n\n\tlet h0 = 0x6a09e667, h1 = 0xbb67ae85, h2 = 0x3c6ef372, h3 = 0xa54ff53a;\n\tlet h4 = 0x510e527f, h5 = 0x9b05688c, h6 = 0x1f83d9ab, h7 = 0x5be0cd19;\n\tconst w = new Uint32Array(64);\n\tfor (let i = 0; i < padded.length; i += 64) {\n\t\tfor (let t = 0; t < 16; t++) {\n\t\t\tw[t] = view.getUint32(i + t * 4);\n\t\t}\n\t\tfor (let t = 16; t < 64; t++) {\n\t\t\tconst w15 = w[t - 15]!;\n\t\t\tconst w2 = w[t - 2]!;\n\t\t\tconst s0 = ((w15 >>> 7) | (w15 << 25)) ^ ((w15 >>> 18) | (w15 << 14)) ^ (w15 >>> 3);\n\t\t\tconst s1 = ((w2 >>> 17) | (w2 << 15)) ^ ((w2 >>> 19) | (w2 << 13)) ^ (w2 >>> 10);\n\t\t\tw[t] = (w[t - 16]! + s0 + w[t - 7]! + s1) >>> 0;\n\t\t}\n\t\tlet a = h0, b = h1, c = h2, d = h3, e = h4, f = h5, g = h6, h = h7;\n\t\tfor (let t = 0; t < 64; t++) {\n\t\t\tconst S1 = ((e >>> 6) | (e << 26)) ^ ((e >>> 11) | (e << 21)) ^ ((e >>> 25) | (e << 7));\n\t\t\tconst ch = (e & f) ^ (~e & g);\n\t\t\tconst T1 = (h + S1 + ch + ROUND_CONSTANTS[t]! + w[t]!) >>> 0;\n\t\t\tconst S0 = ((a >>> 2) | (a << 30)) ^ ((a >>> 13) | (a << 19)) ^ ((a >>> 22) | (a << 10));\n\t\t\tconst maj = (a & b) ^ (a & c) ^ (b & c);\n\t\t\tconst T2 = (S0 + maj) >>> 0;\n\t\t\th = g;\n\t\t\tg = f;\n\t\t\tf = e;\n\t\t\te = (d + T1) >>> 0;\n\t\t\td = c;\n\t\t\tc = b;\n\t\t\tb = a;\n\t\t\ta = (T1 + T2) >>> 0;\n\t\t}\n\t\th0 = (h0 + a) >>> 0;\n\t\th1 = (h1 + b) >>> 0;\n\t\th2 = (h2 + c) >>> 0;\n\t\th3 = (h3 + d) >>> 0;\n\t\th4 = (h4 + e) >>> 0;\n\t\th5 = (h5 + f) >>> 0;\n\t\th6 = (h6 + g) >>> 0;\n\t\th7 = (h7 + h) >>> 0;\n\t}\n\tconst toHex = (n: number): string => {\n\t\tlet result = '';\n\t\tfor (let i = 7; i >= 0; i--) {\n\t\t\tresult += HEX[(n >>> (i * 4)) & 0xf];\n\t\t}\n\t\treturn result;\n\t};\n\treturn toHex(h0) + toHex(h1) + toHex(h2) + toHex(h3) + toHex(h4) + toHex(h5) + toHex(h6) + toHex(h7);\n};\n\nconst fingerprintOf = (value: string): string => sha256Hex(value).slice(0, 8);\n\n// -----------------------------------------------------------------------------\n// Bundled adapters\n// -----------------------------------------------------------------------------\n\nexport type InMemoryAdapterOptions = {\n\tinitial?: Record<string, string>;\n\t/** Override the rotation strategy. Default = random 32-char base36 string. */\n\trotate?: (name: string, previous: string | null) => string;\n};\n\nconst randomBase36 = (length: number): string => {\n\tlet out = '';\n\twhile (out.length < length) {\n\t\tout += Math.random().toString(36).slice(2);\n\t}\n\treturn out.slice(0, length);\n};\n\nexport const inMemoryAdapter = (\n\toptions: InMemoryAdapterOptions = {},\n): SecretAdapter => {\n\tconst store = new Map<string, string>();\n\tfor (const [k, v] of Object.entries(options.initial ?? {})) store.set(k, v);\n\tconst rotate = options.rotate ?? (() => randomBase36(32));\n\treturn {\n\t\tfetch: async (name) => store.get(name) ?? null,\n\t\tlist: async () => Array.from(store.keys()),\n\t\tput: async (name, value) => { store.set(name, value); },\n\t\tremove: async (name) => { store.delete(name); },\n\t\trotate: async (name) => {\n\t\t\tconst next = rotate(name, store.get(name) ?? null);\n\t\t\tstore.set(name, next);\n\t\t\treturn next;\n\t\t},\n\t};\n};\n\nexport type EnvAdapterOptions = {\n\t/**\n\t * If set, lookups are prefixed before reading from env. e.g.\n\t * `prefix: 'ABS_SECRET_'` and `resolve('STRIPE_KEY')` reads `ABS_SECRET_STRIPE_KEY`.\n\t * Default `''` (no prefix).\n\t */\n\tprefix?: string;\n\t/** The env object to read from. Default `process.env`. */\n\tenv?: Record<string, string | undefined>;\n};\n\nexport const envAdapter = (options: EnvAdapterOptions = {}): SecretAdapter => {\n\tconst prefix = options.prefix ?? '';\n\tconst env = options.env ?? (globalThis as { process?: { env?: Record<string, string | undefined> } }).process?.env ?? {};\n\treturn {\n\t\tfetch: async (name) => {\n\t\t\tconst key = `${prefix}${name}`;\n\t\t\tconst value = env[key];\n\t\t\treturn value === undefined ? null : value;\n\t\t},\n\t\tlist: async () => {\n\t\t\tif (!prefix) return Object.keys(env);\n\t\t\tconst matches: string[] = [];\n\t\t\tfor (const key of Object.keys(env)) {\n\t\t\t\tif (key.startsWith(prefix)) matches.push(key.slice(prefix.length));\n\t\t\t}\n\t\t\treturn matches;\n\t\t},\n\t};\n};\n\n/**\n * Compose adapters: `fetch` falls through to the first non-null result;\n * `put` / `rotate` / `remove` go to the first adapter that implements them.\n */\nexport const compositeAdapter = (adapters: SecretAdapter[]): SecretAdapter => {\n\tconst firstWith = <K extends keyof SecretAdapter>(method: K) =>\n\t\tadapters.find((adapter) => adapter[method] !== undefined);\n\treturn {\n\t\tfetch: async (name) => {\n\t\t\tfor (const adapter of adapters) {\n\t\t\t\tconst value = await adapter.fetch(name);\n\t\t\t\tif (value !== null) return value;\n\t\t\t}\n\t\t\treturn null;\n\t\t},\n\t\tlist: async () => {\n\t\t\tconst seen = new Set<string>();\n\t\t\tfor (const adapter of adapters) {\n\t\t\t\tif (!adapter.list) continue;\n\t\t\t\tfor (const name of await adapter.list()) seen.add(name);\n\t\t\t}\n\t\t\treturn Array.from(seen);\n\t\t},\n\t\tput: async (name, value) => {\n\t\t\tconst target = firstWith('put');\n\t\t\tif (!target?.put) throw new Error('No adapter in the composite supports put()');\n\t\t\tawait target.put(name, value);\n\t\t},\n\t\tremove: async (name) => {\n\t\t\tconst target = firstWith('remove');\n\t\t\tif (!target?.remove) throw new Error('No adapter in the composite supports remove()');\n\t\t\tawait target.remove(name);\n\t\t},\n\t\trotate: async (name) => {\n\t\t\tconst target = firstWith('rotate');\n\t\t\tif (!target?.rotate) throw new Error('No adapter in the composite supports rotate()');\n\t\t\treturn target.rotate(name);\n\t\t},\n\t};\n};\n\n// -----------------------------------------------------------------------------\n// Broker\n// -----------------------------------------------------------------------------\n\ntype CacheEntry = {\n\tvalue: string;\n\tfingerprint: string;\n\tstoredAt: number;\n};\n\nexport const createSecretBroker = (options: SecretBrokerOptions): SecretBroker => {\n\tconst clock = options.clock ?? Date.now;\n\tconst ttl = options.cacheTtlMs ?? 60_000;\n\tconst minLen = options.redactionMinLength ?? 8;\n\tconst audit = options.audit;\n\tconst cache = new Map<string, CacheEntry>();\n\tlet disposed = false;\n\n\tconst fireAudit = (event: AuditEvent) => {\n\t\tif (!audit) return;\n\t\ttry {\n\t\t\tconst result = audit(event);\n\t\t\tif (result && typeof (result as Promise<void>).then === 'function') {\n\t\t\t\t(result as Promise<void>).catch((error) => {\n\t\t\t\t\tconsole.error('[secrets] audit hook rejected:', error);\n\t\t\t\t});\n\t\t\t}\n\t\t} catch (error) {\n\t\t\tconsole.error('[secrets] audit hook threw:', error);\n\t\t}\n\t};\n\n\tconst cacheEntry = (name: string, value: string, now: number): CacheEntry => {\n\t\tconst entry: CacheEntry = {\n\t\t\tfingerprint: fingerprintOf(value),\n\t\t\tstoredAt: now,\n\t\t\tvalue,\n\t\t};\n\t\tcache.set(name, entry);\n\t\treturn entry;\n\t};\n\n\tconst resolve: SecretBroker['resolve'] = async (name) => {\n\t\tif (disposed) return null;\n\t\tconst now = clock();\n\t\tconst cached = cache.get(name);\n\t\tif (cached && now - cached.storedAt < ttl) {\n\t\t\tfireAudit({ at: now, event: 'resolve.hit', fingerprint: cached.fingerprint, name });\n\t\t\treturn { fingerprint: cached.fingerprint, value: cached.value };\n\t\t}\n\t\ttry {\n\t\t\tconst value = await options.adapter.fetch(name);\n\t\t\tif (value === null) {\n\t\t\t\tfireAudit({ at: now, event: 'resolve.miss', name });\n\t\t\t\tcache.delete(name);\n\t\t\t\treturn null;\n\t\t\t}\n\t\t\tconst entry = cacheEntry(name, value, now);\n\t\t\tfireAudit({ at: now, event: 'resolve.miss', fingerprint: entry.fingerprint, name });\n\t\t\treturn { fingerprint: entry.fingerprint, value: entry.value };\n\t\t} catch (error) {\n\t\t\tfireAudit({\n\t\t\t\tat: now,\n\t\t\t\terror: error instanceof Error ? error.message : String(error),\n\t\t\t\tevent: 'resolve.error',\n\t\t\t\tname,\n\t\t\t});\n\t\t\tthrow error;\n\t\t}\n\t};\n\n\tconst rotate: SecretBroker['rotate'] = async (name) => {\n\t\tif (disposed) throw new Error('Broker is disposed');\n\t\tif (!options.adapter.rotate) {\n\t\t\tthrow new Error('Adapter does not support rotate()');\n\t\t}\n\t\tconst next = await options.adapter.rotate(name);\n\t\tconst now = clock();\n\t\tconst entry = cacheEntry(name, next, now);\n\t\tfireAudit({ at: now, event: 'rotate', fingerprint: entry.fingerprint, name });\n\t\treturn { fingerprint: entry.fingerprint, value: entry.value };\n\t};\n\n\tconst invalidate: SecretBroker['invalidate'] = (name) => {\n\t\tif (name === undefined) {\n\t\t\tcache.clear();\n\t\t} else {\n\t\t\tcache.delete(name);\n\t\t}\n\t\tfireAudit({ at: clock(), event: 'invalidate', name: name ?? null });\n\t};\n\n\tconst redact: SecretBroker['redact'] = (text) => {\n\t\tif (text.length === 0 || cache.size === 0) return text;\n\t\t// Replace longest values first so a substring of a longer secret\n\t\t// isn't blanked before its full match is found.\n\t\tconst ordered = Array.from(cache.entries())\n\t\t\t.filter(([, entry]) => entry.value.length >= minLen)\n\t\t\t.sort(([, a], [, b]) => b.value.length - a.value.length);\n\t\tlet out = text;\n\t\tfor (const [name, entry] of ordered) {\n\t\t\tif (!out.includes(entry.value)) continue;\n\t\t\tout = out.split(entry.value).join(`[REDACTED:${name}]`);\n\t\t}\n\t\treturn out;\n\t};\n\n\treturn {\n\t\tdispose: () => {\n\t\t\tdisposed = true;\n\t\t\tcache.clear();\n\t\t},\n\t\tfingerprint: fingerprintOf,\n\t\tinvalidate,\n\t\tredact,\n\t\tresolve,\n\t\trotate,\n\t};\n};\n"
+  ],
+  "mappings": ";;AAqHA,IAAM,MAAM;AAEZ,IAAM,YAAY,CAAC,UAA0B;AAAA,EAQ5C,OAAO,OAAO,KAAK;AAAA;AAIpB,IAAM,kBAAkB,IAAI,YAAY;AAAA,EACvC;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAC5D;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAC5D;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAC5D;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAC5D;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAC5D;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAC5D;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAC5D;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAC5D;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAC5D;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAC5D;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AACrC,CAAC;AAED,IAAM,SAAS,CAAC,UAA0B;AAAA,EACzC,MAAM,QAAQ,IAAI,YAAY,EAAE,OAAO,KAAK;AAAA,EAC5C,MAAM,YAAY,MAAM,SAAS;AAAA,EACjC,MAAM,aAAc,MAAM,SAAS,IAAI,KAAM,CAAC,MAAM,MAAM;AAAA,EAC1D,MAAM,SAAS,IAAI,WAAW,MAAM,SAAS,SAAS;AAAA,EACtD,OAAO,IAAI,KAAK;AAAA,EAChB,OAAO,MAAM,UAAU;AAAA,EACvB,MAAM,OAAO,IAAI,SAAS,OAAO,MAAM;AAAA,EACvC,KAAK,UAAU,OAAO,SAAS,GAAG,cAAc,CAAC;AAAA,EACjD,KAAK,UAAU,OAAO,SAAS,GAAG,KAAK,MAAM,YAAY,UAAa,CAAC;AAAA,EAEvE,IAAI,KAAK,YAAY,KAAK,YAAY,KAAK,YAAY,KAAK;AAAA,EAC5D,IAAI,KAAK,YAAY,KAAK,YAAY,KAAK,WAAY,KAAK;AAAA,EAC5D,MAAM,IAAI,IAAI,YAAY,EAAE;AAAA,EAC5B,SAAS,IAAI,EAAG,IAAI,OAAO,QAAQ,KAAK,IAAI;AAAA,IAC3C,SAAS,IAAI,EAAG,IAAI,IAAI,KAAK;AAAA,MAC5B,EAAE,KAAK,KAAK,UAAU,IAAI,IAAI,CAAC;AAAA,IAChC;AAAA,IACA,SAAS,IAAI,GAAI,IAAI,IAAI,KAAK;AAAA,MAC7B,MAAM,MAAM,EAAE,IAAI;AAAA,MAClB,MAAM,KAAK,EAAE,IAAI;AAAA,MACjB,MAAM,MAAO,QAAQ,IAAM,OAAO,OAAS,QAAQ,KAAO,OAAO,MAAQ,QAAQ;AAAA,MACjF,MAAM,MAAO,OAAO,KAAO,MAAM,OAAS,OAAO,KAAO,MAAM,MAAQ,OAAO;AAAA,MAC7E,EAAE,KAAM,EAAE,IAAI,MAAO,KAAK,EAAE,IAAI,KAAM,OAAQ;AAAA,IAC/C;AAAA,IACA,IAAI,IAAI,IAAI,IAAI,IAAI,IAAI,IAAI,IAAI,IAAI,IAAI,IAAI,IAAI,IAAI,IAAI,IAAI,IAAI;AAAA,IAChE,SAAS,IAAI,EAAG,IAAI,IAAI,KAAK;AAAA,MAC5B,MAAM,MAAO,MAAM,IAAM,KAAK,OAAS,MAAM,KAAO,KAAK,OAAS,MAAM,KAAO,KAAK;AAAA,MACpF,MAAM,KAAM,IAAI,IAAM,CAAC,IAAI;AAAA,MAC3B,MAAM,KAAM,IAAI,KAAK,KAAK,gBAAgB,KAAM,EAAE,OAAS;AAAA,MAC3D,MAAM,MAAO,MAAM,IAAM,KAAK,OAAS,MAAM,KAAO,KAAK,OAAS,MAAM,KAAO,KAAK;AAAA,MACpF,MAAM,MAAO,IAAI,IAAM,IAAI,IAAM,IAAI;AAAA,MACrC,MAAM,KAAM,KAAK,QAAS;AAAA,MAC1B,IAAI;AAAA,MACJ,IAAI;AAAA,MACJ,IAAI;AAAA,MACJ,IAAK,IAAI,OAAQ;AAAA,MACjB,IAAI;AAAA,MACJ,IAAI;AAAA,MACJ,IAAI;AAAA,MACJ,IAAK,KAAK,OAAQ;AAAA,IACnB;AAAA,IACA,KAAM,KAAK,MAAO;AAAA,IAClB,KAAM,KAAK,MAAO;AAAA,IAClB,KAAM,KAAK,MAAO;AAAA,IAClB,KAAM,KAAK,MAAO;AAAA,IAClB,KAAM,KAAK,MAAO;AAAA,IAClB,KAAM,KAAK,MAAO;AAAA,IAClB,KAAM,KAAK,MAAO;AAAA,IAClB,KAAM,KAAK,MAAO;AAAA,EACnB;AAAA,EACA,MAAM,QAAQ,CAAC,MAAsB;AAAA,IACpC,IAAI,SAAS;AAAA,IACb,SAAS,IAAI,EAAG,KAAK,GAAG,KAAK;AAAA,MAC5B,UAAU,IAAK,MAAO,IAAI,IAAM;AAAA,IACjC;AAAA,IACA,OAAO;AAAA;AAAA,EAER,OAAO,MAAM,EAAE,IAAI,MAAM,EAAE,IAAI,MAAM,EAAE,IAAI,MAAM,EAAE,IAAI,MAAM,EAAE,IAAI,MAAM,EAAE,IAAI,MAAM,EAAE,IAAI,MAAM,EAAE;AAAA;AAGpG,IAAM,gBAAgB,CAAC,UAA0B,UAAU,KAAK,EAAE,MAAM,GAAG,CAAC;AAY5E,IAAM,eAAe,CAAC,WAA2B;AAAA,EAChD,IAAI,MAAM;AAAA,EACV,OAAO,IAAI,SAAS,QAAQ;AAAA,IAC3B,OAAO,KAAK,OAAO,EAAE,SAAS,EAAE,EAAE,MAAM,CAAC;AAAA,EAC1C;AAAA,EACA,OAAO,IAAI,MAAM,GAAG,MAAM;AAAA;AAGpB,IAAM,kBAAkB,CAC9B,UAAkC,CAAC,MAChB;AAAA,EACnB,MAAM,QAAQ,IAAI;AAAA,EAClB,YAAY,GAAG,MAAM,OAAO,QAAQ,QAAQ,WAAW,CAAC,CAAC;AAAA,IAAG,MAAM,IAAI,GAAG,CAAC;AAAA,EAC1E,MAAM,SAAS,QAAQ,WAAW,MAAM,aAAa,EAAE;AAAA,EACvD,OAAO;AAAA,IACN,OAAO,OAAO,SAAS,MAAM,IAAI,IAAI,KAAK;AAAA,IAC1C,MAAM,YAAY,MAAM,KAAK,MAAM,KAAK,CAAC;AAAA,IACzC,KAAK,OAAO,MAAM,UAAU;AAAA,MAAE,MAAM,IAAI,MAAM,KAAK;AAAA;AAAA,IACnD,QAAQ,OAAO,SAAS;AAAA,MAAE,MAAM,OAAO,IAAI;AAAA;AAAA,IAC3C,QAAQ,OAAO,SAAS;AAAA,MACvB,MAAM,OAAO,OAAO,MAAM,MAAM,IAAI,IAAI,KAAK,IAAI;AAAA,MACjD,MAAM,IAAI,MAAM,IAAI;AAAA,MACpB,OAAO;AAAA;AAAA,EAET;AAAA;AAcM,IAAM,aAAa,CAAC,UAA6B,CAAC,MAAqB;AAAA,EAC7E,MAAM,SAAS,QAAQ,UAAU;AAAA,EACjC,MAAM,MAAM,QAAQ,OAAQ,WAA0E,SAAS,OAAO,CAAC;AAAA,EACvH,OAAO;AAAA,IACN,OAAO,OAAO,SAAS;AAAA,MACtB,MAAM,MAAM,GAAG,SAAS;AAAA,MACxB,MAAM,QAAQ,IAAI;AAAA,MAClB,OAAO,UAAU,YAAY,OAAO;AAAA;AAAA,IAErC,MAAM,YAAY;AAAA,MACjB,IAAI,CAAC;AAAA,QAAQ,OAAO,OAAO,KAAK,GAAG;AAAA,MACnC,MAAM,UAAoB,CAAC;AAAA,MAC3B,WAAW,OAAO,OAAO,KAAK,GAAG,GAAG;AAAA,QACnC,IAAI,IAAI,WAAW,MAAM;AAAA,UAAG,QAAQ,KAAK,IAAI,MAAM,OAAO,MAAM,CAAC;AAAA,MAClE;AAAA,MACA,OAAO;AAAA;AAAA,EAET;AAAA;AAOM,IAAM,mBAAmB,CAAC,aAA6C;AAAA,EAC7E,MAAM,YAAY,CAAgC,WACjD,SAAS,KAAK,CAAC,YAAY,QAAQ,YAAY,SAAS;AAAA,EACzD,OAAO;AAAA,IACN,OAAO,OAAO,SAAS;AAAA,MACtB,WAAW,WAAW,UAAU;AAAA,QAC/B,MAAM,QAAQ,MAAM,QAAQ,MAAM,IAAI;AAAA,QACtC,IAAI,UAAU;AAAA,UAAM,OAAO;AAAA,MAC5B;AAAA,MACA,OAAO;AAAA;AAAA,IAER,MAAM,YAAY;AAAA,MACjB,MAAM,OAAO,IAAI;AAAA,MACjB,WAAW,WAAW,UAAU;AAAA,QAC/B,IAAI,CAAC,QAAQ;AAAA,UAAM;AAAA,QACnB,WAAW,QAAQ,MAAM,QAAQ,KAAK;AAAA,UAAG,KAAK,IAAI,IAAI;AAAA,MACvD;AAAA,MACA,OAAO,MAAM,KAAK,IAAI;AAAA;AAAA,IAEvB,KAAK,OAAO,MAAM,UAAU;AAAA,MAC3B,MAAM,SAAS,UAAU,KAAK;AAAA,MAC9B,IAAI,CAAC,QAAQ;AAAA,QAAK,MAAM,IAAI,MAAM,4CAA4C;AAAA,MAC9E,MAAM,OAAO,IAAI,MAAM,KAAK;AAAA;AAAA,IAE7B,QAAQ,OAAO,SAAS;AAAA,MACvB,MAAM,SAAS,UAAU,QAAQ;AAAA,MACjC,IAAI,CAAC,QAAQ;AAAA,QAAQ,MAAM,IAAI,MAAM,+CAA+C;AAAA,MACpF,MAAM,OAAO,OAAO,IAAI;AAAA;AAAA,IAEzB,QAAQ,OAAO,SAAS;AAAA,MACvB,MAAM,SAAS,UAAU,QAAQ;AAAA,MACjC,IAAI,CAAC,QAAQ;AAAA,QAAQ,MAAM,IAAI,MAAM,+CAA+C;AAAA,MACpF,OAAO,OAAO,OAAO,IAAI;AAAA;AAAA,EAE3B;AAAA;AAaM,IAAM,qBAAqB,CAAC,YAA+C;AAAA,EACjF,MAAM,QAAQ,QAAQ,SAAS,KAAK;AAAA,EACpC,MAAM,MAAM,QAAQ,cAAc;AAAA,EAClC,MAAM,SAAS,QAAQ,sBAAsB;AAAA,EAC7C,MAAM,QAAQ,QAAQ;AAAA,EACtB,MAAM,QAAQ,IAAI;AAAA,EAClB,IAAI,WAAW;AAAA,EAEf,MAAM,YAAY,CAAC,UAAsB;AAAA,IACxC,IAAI,CAAC;AAAA,MAAO;AAAA,IACZ,IAAI;AAAA,MACH,MAAM,SAAS,MAAM,KAAK;AAAA,MAC1B,IAAI,UAAU,OAAQ,OAAyB,SAAS,YAAY;AAAA,QAClE,OAAyB,MAAM,CAAC,UAAU;AAAA,UAC1C,QAAQ,MAAM,kCAAkC,KAAK;AAAA,SACrD;AAAA,MACF;AAAA,MACC,OAAO,OAAO;AAAA,MACf,QAAQ,MAAM,+BAA+B,KAAK;AAAA;AAAA;AAAA,EAIpD,MAAM,aAAa,CAAC,MAAc,OAAe,QAA4B;AAAA,IAC5E,MAAM,QAAoB;AAAA,MACzB,aAAa,cAAc,KAAK;AAAA,MAChC,UAAU;AAAA,MACV;AAAA,IACD;AAAA,IACA,MAAM,IAAI,MAAM,KAAK;AAAA,IACrB,OAAO;AAAA;AAAA,EAGR,MAAM,UAAmC,OAAO,SAAS;AAAA,IACxD,IAAI;AAAA,MAAU,OAAO;AAAA,IACrB,MAAM,MAAM,MAAM;AAAA,IAClB,MAAM,SAAS,MAAM,IAAI,IAAI;AAAA,IAC7B,IAAI,UAAU,MAAM,OAAO,WAAW,KAAK;AAAA,MAC1C,UAAU,EAAE,IAAI,KAAK,OAAO,eAAe,aAAa,OAAO,aAAa,KAAK,CAAC;AAAA,MAClF,OAAO,EAAE,aAAa,OAAO,aAAa,OAAO,OAAO,MAAM;AAAA,IAC/D;AAAA,IACA,IAAI;AAAA,MACH,MAAM,QAAQ,MAAM,QAAQ,QAAQ,MAAM,IAAI;AAAA,MAC9C,IAAI,UAAU,MAAM;AAAA,QACnB,UAAU,EAAE,IAAI,KAAK,OAAO,gBAAgB,KAAK,CAAC;AAAA,QAClD,MAAM,OAAO,IAAI;AAAA,QACjB,OAAO;AAAA,MACR;AAAA,MACA,MAAM,QAAQ,WAAW,MAAM,OAAO,GAAG;AAAA,MACzC,UAAU,EAAE,IAAI,KAAK,OAAO,gBAAgB,aAAa,MAAM,aAAa,KAAK,CAAC;AAAA,MAClF,OAAO,EAAE,aAAa,MAAM,aAAa,OAAO,MAAM,MAAM;AAAA,MAC3D,OAAO,OAAO;AAAA,MACf,UAAU;AAAA,QACT,IAAI;AAAA,QACJ,OAAO,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK;AAAA,QAC5D,OAAO;AAAA,QACP;AAAA,MACD,CAAC;AAAA,MACD,MAAM;AAAA;AAAA;AAAA,EAIR,MAAM,SAAiC,OAAO,SAAS;AAAA,IACtD,IAAI;AAAA,MAAU,MAAM,IAAI,MAAM,oBAAoB;AAAA,IAClD,IAAI,CAAC,QAAQ,QAAQ,QAAQ;AAAA,MAC5B,MAAM,IAAI,MAAM,mCAAmC;AAAA,IACpD;AAAA,IACA,MAAM,OAAO,MAAM,QAAQ,QAAQ,OAAO,IAAI;AAAA,IAC9C,MAAM,MAAM,MAAM;AAAA,IAClB,MAAM,QAAQ,WAAW,MAAM,MAAM,GAAG;AAAA,IACxC,UAAU,EAAE,IAAI,KAAK,OAAO,UAAU,aAAa,MAAM,aAAa,KAAK,CAAC;AAAA,IAC5E,OAAO,EAAE,aAAa,MAAM,aAAa,OAAO,MAAM,MAAM;AAAA;AAAA,EAG7D,MAAM,aAAyC,CAAC,SAAS;AAAA,IACxD,IAAI,SAAS,WAAW;AAAA,MACvB,MAAM,MAAM;AAAA,IACb,EAAO;AAAA,MACN,MAAM,OAAO,IAAI;AAAA;AAAA,IAElB,UAAU,EAAE,IAAI,MAAM,GAAG,OAAO,cAAc,MAAM,QAAQ,KAAK,CAAC;AAAA;AAAA,EAGnE,MAAM,SAAiC,CAAC,SAAS;AAAA,IAChD,IAAI,KAAK,WAAW,KAAK,MAAM,SAAS;AAAA,MAAG,OAAO;AAAA,IAGlD,MAAM,UAAU,MAAM,KAAK,MAAM,QAAQ,CAAC,EACxC,OAAO,IAAI,WAAW,MAAM,MAAM,UAAU,MAAM,EAClD,KAAK,IAAI,OAAO,OAAO,EAAE,MAAM,SAAS,EAAE,MAAM,MAAM;AAAA,IACxD,IAAI,MAAM;AAAA,IACV,YAAY,MAAM,UAAU,SAAS;AAAA,MACpC,IAAI,CAAC,IAAI,SAAS,MAAM,KAAK;AAAA,QAAG;AAAA,MAChC,MAAM,IAAI,MAAM,MAAM,KAAK,EAAE,KAAK,aAAa,OAAO;AAAA,IACvD;AAAA,IACA,OAAO;AAAA;AAAA,EAGR,OAAO;AAAA,IACN,SAAS,MAAM;AAAA,MACd,WAAW;AAAA,MACX,MAAM,MAAM;AAAA;AAAA,IAEb,aAAa;AAAA,IACb;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACD;AAAA;",
+  "debugId": "EE866E47E57910C764756E2164756E21",
+  "names": []
+}

package/package.json

@@ -0,0 +1,52 @@
+{
+  "name": "@absolutejs/secrets",
+  "version": "0.0.1",
+  "description": "Host-side secret broker for multi-tenant Bun runtimes. Pluggable adapters (env-var, in-memory, composite); audit hook per resolve; safe fingerprints for logs; redact() walks known secrets out of arbitrary text before it lands in a log sink.",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/absolutejs/secrets.git"
+  },
+  "main": "./dist/index.js",
+  "module": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "type": "module",
+  "license": "BSL-1.1",
+  "author": "Alex Kahn",
+  "publishConfig": {
+    "access": "public"
+  },
+  "keywords": [
+    "absolutejs",
+    "bun",
+    "paas",
+    "multi-tenant",
+    "secrets",
+    "credential-broker",
+    "redaction",
+    "rotation"
+  ],
+  "scripts": {
+    "build": "rm -rf dist && bun build src/index.ts --outdir dist --sourcemap --target=bun && tsc --project tsconfig.build.json",
+    "test": "bun test tests/",
+    "typecheck": "tsc --noEmit",
+    "format": "prettier --write \"./**/*.{ts,json,md}\"",
+    "check:package": "bun run typecheck && bun run build && bun run test",
+    "release": "bun run format && bun run check:package && bun publish"
+  },
+  "peerDependencies": {
+    "bun-types": "^1.3.14"
+  },
+  "devDependencies": {
+    "@types/bun": "^1.3.14",
+    "prettier": "^3.8.3",
+    "typescript": "^6.0.3"
+  },
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js",
+      "default": "./dist/index.js"
+    }
+  },
+  "files": ["dist", "README.md"]
+}