@absolutejs/secrets 0.2.0 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (4) hide show
  1. package/dist/index.d.ts +62 -0
  2. package/dist/index.js +260 -8
  3. package/dist/index.js.map +5 -4
  4. package/package.json +6 -2
package/dist/index.d.ts CHANGED
@@ -23,6 +23,7 @@
23
23
  *
24
24
  * The broker is bun/elysia-agnostic — same posture as router + meter.
25
25
  */
26
+ import { type TracerProvider } from '@absolutejs/telemetry';
26
27
  export type SecretValue = {
27
28
  /** The plaintext secret. Treat as poison: never log, never serialize. */
28
29
  value: string;
@@ -106,6 +107,16 @@ export type SecretBrokerOptions = {
106
107
  redactionEncodings?: RedactionEncoding[];
107
108
  /** Override `Date.now` for tests. */
108
109
  clock?: () => number;
110
+ /**
111
+ * Optional OpenTelemetry tracer provider. When set, `broker.resolve`
112
+ * and `broker.rotate` are wrapped in `secrets.resolve` /
113
+ * `secrets.rotate` spans with `abs.secret.name` +
114
+ * `abs.secret.fingerprint` attributes. `broker.redact` is NOT
115
+ * traced — it's called per log line, which would explode span
116
+ * volume. When omitted, all tracing is a zero-allocation noop.
117
+ * Added in 0.3.0.
118
+ */
119
+ tracerProvider?: TracerProvider;
109
120
  };
110
121
  /** Listener registered via {@link SecretBroker.onRotate}. */
111
122
  export type RotationListener = (event: {
@@ -242,4 +253,55 @@ export declare const envAdapter: (options?: EnvAdapterOptions) => SecretAdapter;
242
253
  * `put` / `rotate` / `remove` go to the first adapter that implements them.
243
254
  */
244
255
  export declare const compositeAdapter: (adapters: SecretAdapter[]) => SecretAdapter;
256
+ /** Override for tests; defaults touch disk via `node:fs/promises`. */
257
+ export type EncryptedFileIO = {
258
+ readFile: (path: string) => Promise<string | undefined>;
259
+ writeFileAtomic: (path: string, contents: string) => Promise<void>;
260
+ };
261
+ export type EncryptedFileAdapterMasterKey = {
262
+ type: 'passphrase';
263
+ passphrase: string;
264
+ } | {
265
+ type: 'raw';
266
+ bytes: Uint8Array;
267
+ };
268
+ export type EncryptedFileAdapterOptions = {
269
+ /** Absolute or relative path to the encrypted JSON file. */
270
+ path: string;
271
+ /**
272
+ * Master key. Either a `passphrase` (KDF'd via PBKDF2-SHA256 with the
273
+ * salt stored in the file) or `raw` 32 bytes (no KDF — pass the key
274
+ * directly, useful when sourced from a vendor secret manager).
275
+ */
276
+ key: EncryptedFileAdapterMasterKey;
277
+ /**
278
+ * PBKDF2 iterations when `key.type === 'passphrase'`. Default 600_000
279
+ * (OWASP 2025 recommendation for SHA-256). The chosen value is stored
280
+ * in the file so future opens use it.
281
+ */
282
+ pbkdf2Iterations?: number;
283
+ /** Override the rotation strategy (matches `inMemoryAdapter`). */
284
+ rotate?: (name: string, previous: string | null) => string;
285
+ /** Override file IO (tests). */
286
+ io?: EncryptedFileIO;
287
+ };
288
+ /**
289
+ * Durable secret adapter that stores `name → value` in an encrypted
290
+ * JSON file (AES-256-GCM, per-value random IV). File is safe to commit
291
+ * to a private repo as long as the master key is kept separately
292
+ * (1Password, env var, hardware key, etc.).
293
+ *
294
+ * Two master-key shapes:
295
+ *
296
+ * - `{ type: 'passphrase', passphrase }` — PBKDF2-SHA256 from the
297
+ * passphrase, salt stored in the file. OWASP 2025 default (600k
298
+ * iterations); add a stronger one via `pbkdf2Iterations`.
299
+ * - `{ type: 'raw', bytes }` — 32 raw bytes. No KDF. Useful when the
300
+ * key comes from a vendor secret manager that already gave you
301
+ * random bytes.
302
+ *
303
+ * Caches decrypted values in memory after first read (consistent with
304
+ * the broker's caching layer above it).
305
+ */
306
+ export declare const encryptedFileAdapter: (options: EncryptedFileAdapterOptions) => SecretAdapter;
245
307
  export declare const createSecretBroker: (options: SecretBrokerOptions) => SecretBroker;
package/dist/index.js CHANGED
@@ -1,4 +1,59 @@
1
1
  // @bun
2
+ var __require = import.meta.require;
3
+
4
+ // node_modules/@absolutejs/telemetry/dist/index.js
5
+ var NOOP_SPAN_CONTEXT = {
6
+ spanId: "0000000000000000",
7
+ traceFlags: 0,
8
+ traceId: "00000000000000000000000000000000"
9
+ };
10
+ var noopSpan = {
11
+ addEvent: () => noopSpan,
12
+ end: () => {},
13
+ isRecording: () => false,
14
+ recordException: () => {},
15
+ setAttribute: () => noopSpan,
16
+ setAttributes: () => noopSpan,
17
+ setStatus: () => noopSpan,
18
+ spanContext: () => NOOP_SPAN_CONTEXT,
19
+ updateName: () => noopSpan
20
+ };
21
+ var startActiveSpanNoop = (_name, optionsOrFn, maybeFn) => {
22
+ const fn = typeof optionsOrFn === "function" ? optionsOrFn : maybeFn;
23
+ return fn(noopSpan);
24
+ };
25
+ var noopTracer = {
26
+ startActiveSpan: startActiveSpanNoop,
27
+ startSpan: () => noopSpan
28
+ };
29
+ var tracerOrNoop = (provider, name, version) => provider !== undefined ? provider.getTracer(name, version) : noopTracer;
30
+ var ABS_ATTRS = {
31
+ tenant: "abs.tenant",
32
+ shardId: "abs.shard.id",
33
+ engineId: "abs.engine.id",
34
+ collection: "abs.collection",
35
+ mutation: "abs.mutation",
36
+ mutationAttempt: "abs.mutation.attempt",
37
+ subscriptionId: "abs.subscription.id",
38
+ batchSize: "abs.batch.size",
39
+ clusterMessageOrigin: "abs.cluster.origin",
40
+ jobId: "abs.job.id",
41
+ jobKind: "abs.job.kind",
42
+ jobAttempt: "abs.job.attempt",
43
+ jobMaxAttempts: "abs.job.max_attempts",
44
+ workerId: "abs.worker.id",
45
+ runtimeKey: "abs.runtime.key",
46
+ runtimePid: "abs.runtime.pid",
47
+ runtimePort: "abs.runtime.port",
48
+ runtimeExitReason: "abs.runtime.exit_reason",
49
+ runtimeReadinessMs: "abs.runtime.readiness_ms",
50
+ routeShard: "abs.route.shard",
51
+ routeDecision: "abs.route.decision",
52
+ secretName: "abs.secret.name",
53
+ secretFingerprint: "abs.secret.fingerprint",
54
+ auditKind: "abs.audit.kind"
55
+ };
56
+
2
57
  // src/index.ts
3
58
  class BrokerDrainedError extends Error {
4
59
  constructor() {
@@ -226,6 +281,171 @@ var compositeAdapter = (adapters) => {
226
281
  }
227
282
  };
228
283
  };
284
+ var DEFAULT_PBKDF2_ITERATIONS = 600000;
285
+ var ENC_FILE_VERSION = 1;
286
+ var SALT_BYTES = 16;
287
+ var IV_BYTES = 12;
288
+ var KEY_BYTES = 32;
289
+ var bytesToBase64 = (bytes) => {
290
+ let bin = "";
291
+ for (const byte of bytes)
292
+ bin += String.fromCharCode(byte);
293
+ return btoa(bin);
294
+ };
295
+ var base64ToBytes = (b64) => {
296
+ const bin = atob(b64);
297
+ const out = new Uint8Array(bin.length);
298
+ for (let i = 0;i < bin.length; i += 1)
299
+ out[i] = bin.charCodeAt(i);
300
+ return out;
301
+ };
302
+ var defaultIo = () => ({
303
+ readFile: async (path) => {
304
+ try {
305
+ const text = await (await import("fs/promises")).readFile(path, "utf8");
306
+ return text;
307
+ } catch (error) {
308
+ if (error.code === "ENOENT")
309
+ return;
310
+ throw error;
311
+ }
312
+ },
313
+ writeFileAtomic: async (path, contents) => {
314
+ const fs = await import("fs/promises");
315
+ const tempPath = `${path}.tmp.${process.pid}`;
316
+ await fs.writeFile(tempPath, contents, { mode: 384 });
317
+ await fs.rename(tempPath, path);
318
+ }
319
+ });
320
+ var deriveKeyFromPassphrase = async (passphrase, salt, iterations) => {
321
+ const base = await crypto.subtle.importKey("raw", new TextEncoder().encode(passphrase), "PBKDF2", false, ["deriveKey"]);
322
+ return crypto.subtle.deriveKey({
323
+ hash: "SHA-256",
324
+ iterations,
325
+ name: "PBKDF2",
326
+ salt
327
+ }, base, { length: 256, name: "AES-GCM" }, false, ["encrypt", "decrypt"]);
328
+ };
329
+ var importRawKey = async (bytes) => {
330
+ if (bytes.length !== KEY_BYTES) {
331
+ throw new Error(`[secrets/encrypted-file] raw key must be ${KEY_BYTES} bytes (got ${bytes.length})`);
332
+ }
333
+ return crypto.subtle.importKey("raw", bytes, { name: "AES-GCM" }, false, ["encrypt", "decrypt"]);
334
+ };
335
+ var encryptedFileAdapter = (options) => {
336
+ const io = options.io ?? defaultIo();
337
+ const iterations = options.pbkdf2Iterations ?? DEFAULT_PBKDF2_ITERATIONS;
338
+ const rotate = options.rotate ?? (() => randomBase36(32));
339
+ let cache;
340
+ let derivedKey;
341
+ let salt;
342
+ const ensureKey = async () => {
343
+ if (derivedKey !== undefined)
344
+ return derivedKey;
345
+ if (options.key.type === "raw") {
346
+ derivedKey = await importRawKey(options.key.bytes);
347
+ return derivedKey;
348
+ }
349
+ if (salt === undefined) {
350
+ salt = crypto.getRandomValues(new Uint8Array(SALT_BYTES));
351
+ }
352
+ derivedKey = await deriveKeyFromPassphrase(options.key.passphrase, salt, iterations);
353
+ return derivedKey;
354
+ };
355
+ const load = async () => {
356
+ if (cache !== undefined)
357
+ return cache;
358
+ const fileText = await io.readFile(options.path);
359
+ if (fileText === undefined) {
360
+ cache = new Map;
361
+ return cache;
362
+ }
363
+ let parsed;
364
+ try {
365
+ parsed = JSON.parse(fileText);
366
+ } catch (error) {
367
+ throw new Error(`[secrets/encrypted-file] could not parse ${options.path}: ${error.message}`);
368
+ }
369
+ if (parsed.version !== ENC_FILE_VERSION) {
370
+ throw new Error(`[secrets/encrypted-file] unsupported file version ${parsed.version} in ${options.path}`);
371
+ }
372
+ if (parsed.kdf !== undefined) {
373
+ if (options.key.type !== "passphrase") {
374
+ throw new Error(`[secrets/encrypted-file] file was written with a passphrase but raw key was supplied`);
375
+ }
376
+ salt = base64ToBytes(parsed.kdf.salt);
377
+ } else if (options.key.type === "passphrase") {
378
+ throw new Error(`[secrets/encrypted-file] file was written with a raw key but passphrase was supplied`);
379
+ }
380
+ const key = await ensureKey();
381
+ const decoded = new Map;
382
+ for (const [name, entry] of Object.entries(parsed.values)) {
383
+ try {
384
+ const iv = base64ToBytes(entry.iv);
385
+ const ct = base64ToBytes(entry.ct);
386
+ const pt = await crypto.subtle.decrypt({ iv, name: "AES-GCM" }, key, ct);
387
+ decoded.set(name, new TextDecoder().decode(pt));
388
+ } catch {
389
+ throw new Error(`[secrets/encrypted-file] failed to decrypt "${name}" in ${options.path} \u2014 wrong master key or corrupted file`);
390
+ }
391
+ }
392
+ cache = decoded;
393
+ return cache;
394
+ };
395
+ const save = async () => {
396
+ const data = cache ?? new Map;
397
+ const key = await ensureKey();
398
+ const values = {};
399
+ for (const [name, value] of data) {
400
+ const iv = crypto.getRandomValues(new Uint8Array(IV_BYTES));
401
+ const ct = await crypto.subtle.encrypt({ iv, name: "AES-GCM" }, key, new TextEncoder().encode(value));
402
+ values[name] = {
403
+ ct: bytesToBase64(new Uint8Array(ct)),
404
+ iv: bytesToBase64(iv)
405
+ };
406
+ }
407
+ const file = {
408
+ values,
409
+ version: ENC_FILE_VERSION,
410
+ ...options.key.type === "passphrase" && salt !== undefined ? {
411
+ kdf: {
412
+ iterations,
413
+ salt: bytesToBase64(salt),
414
+ type: "pbkdf2-sha256"
415
+ }
416
+ } : {}
417
+ };
418
+ await io.writeFileAtomic(options.path, JSON.stringify(file, null, 2));
419
+ };
420
+ return {
421
+ fetch: async (name) => {
422
+ const data = await load();
423
+ return data.get(name) ?? null;
424
+ },
425
+ list: async () => {
426
+ const data = await load();
427
+ return Array.from(data.keys());
428
+ },
429
+ put: async (name, value) => {
430
+ const data = await load();
431
+ data.set(name, value);
432
+ await save();
433
+ },
434
+ remove: async (name) => {
435
+ const data = await load();
436
+ data.delete(name);
437
+ await save();
438
+ },
439
+ rotate: async (name) => {
440
+ const data = await load();
441
+ const previous = data.get(name) ?? null;
442
+ const next = rotate(name, previous);
443
+ data.set(name, next);
444
+ await save();
445
+ return next;
446
+ }
447
+ };
448
+ };
229
449
  var createSecretBroker = (options) => {
230
450
  const clock = options.clock ?? Date.now;
231
451
  const defaultTtl = options.cacheTtlMs ?? 60000;
@@ -237,6 +457,7 @@ var createSecretBroker = (options) => {
237
457
  const rotationListeners = new Map;
238
458
  let disposed = false;
239
459
  let draining = false;
460
+ const tracer = tracerOrNoop(options.tracerProvider, "@absolutejs/secrets");
240
461
  const counters = {
241
462
  invalidations: 0,
242
463
  redactCalls: 0,
@@ -295,24 +516,35 @@ var createSecretBroker = (options) => {
295
516
  return null;
296
517
  if (draining)
297
518
  throw new BrokerDrainedError;
519
+ const span = tracer.startSpan("secrets.resolve", {
520
+ attributes: { [ABS_ATTRS.secretName]: name }
521
+ });
298
522
  counters.resolves += 1;
299
523
  const now = clock();
300
- const cached = cache.get(name);
301
- if (cached && now - cached.storedAt < ttlFor(name)) {
302
- counters.resolveHits += 1;
303
- fireAudit({ at: now, event: "resolve.hit", fingerprint: cached.fingerprint, name });
304
- return { fingerprint: cached.fingerprint, value: cached.value };
305
- }
306
- counters.resolveMisses += 1;
307
524
  try {
525
+ const cached = cache.get(name);
526
+ if (cached && now - cached.storedAt < ttlFor(name)) {
527
+ counters.resolveHits += 1;
528
+ span.setAttribute(ABS_ATTRS.secretFingerprint, cached.fingerprint);
529
+ span.setAttribute("secrets.cache", "hit");
530
+ fireAudit({ at: now, event: "resolve.hit", fingerprint: cached.fingerprint, name });
531
+ span.setStatus({ code: 1 });
532
+ return { fingerprint: cached.fingerprint, value: cached.value };
533
+ }
534
+ counters.resolveMisses += 1;
535
+ span.setAttribute("secrets.cache", "miss");
308
536
  const value = await options.adapter.fetch(name);
309
537
  if (value === null) {
310
538
  fireAudit({ at: now, event: "resolve.miss", name });
311
539
  cache.delete(name);
540
+ span.setAttribute("secrets.found", false);
541
+ span.setStatus({ code: 1 });
312
542
  return null;
313
543
  }
314
544
  const entry = cacheEntry(name, value, now);
545
+ span.setAttribute(ABS_ATTRS.secretFingerprint, entry.fingerprint);
315
546
  fireAudit({ at: now, event: "resolve.miss", fingerprint: entry.fingerprint, name });
547
+ span.setStatus({ code: 1 });
316
548
  return { fingerprint: entry.fingerprint, value: entry.value };
317
549
  } catch (error) {
318
550
  counters.resolveErrors += 1;
@@ -322,7 +554,14 @@ var createSecretBroker = (options) => {
322
554
  event: "resolve.error",
323
555
  name
324
556
  });
557
+ span.recordException(error);
558
+ span.setStatus({
559
+ code: 2,
560
+ message: error instanceof Error ? error.message : String(error)
561
+ });
325
562
  throw error;
563
+ } finally {
564
+ span.end();
326
565
  }
327
566
  };
328
567
  const rotate = async (name) => {
@@ -333,17 +572,29 @@ var createSecretBroker = (options) => {
333
572
  if (!options.adapter.rotate) {
334
573
  throw new Error("Adapter does not support rotate()");
335
574
  }
575
+ const span = tracer.startSpan("secrets.rotate", {
576
+ attributes: { [ABS_ATTRS.secretName]: name }
577
+ });
336
578
  try {
337
579
  const next = await options.adapter.rotate(name);
338
580
  const now = clock();
339
581
  const entry = cacheEntry(name, next, now);
340
582
  counters.rotates += 1;
583
+ span.setAttribute(ABS_ATTRS.secretFingerprint, entry.fingerprint);
584
+ span.setStatus({ code: 1 });
341
585
  fireAudit({ at: now, event: "rotate", fingerprint: entry.fingerprint, name });
342
586
  fireRotation(name, entry.value, entry.fingerprint, now);
343
587
  return { fingerprint: entry.fingerprint, value: entry.value };
344
588
  } catch (error) {
345
589
  counters.rotateErrors += 1;
590
+ span.recordException(error);
591
+ span.setStatus({
592
+ code: 2,
593
+ message: error instanceof Error ? error.message : String(error)
594
+ });
346
595
  throw error;
596
+ } finally {
597
+ span.end();
347
598
  }
348
599
  };
349
600
  const invalidate = (name) => {
@@ -454,10 +705,11 @@ var createSecretBroker = (options) => {
454
705
  export {
455
706
  inMemoryAdapter,
456
707
  envAdapter,
708
+ encryptedFileAdapter,
457
709
  createSecretBroker,
458
710
  compositeAdapter,
459
711
  BrokerDrainedError
460
712
  };
461
713
 
462
- //# debugId=68E7DA7EF9820B8264756E2164756E21
714
+ //# debugId=AD0BCD644DBC747564756E2164756E21
463
715
  //# sourceMappingURL=index.js.map
package/dist/index.js.map CHANGED
@@ -1,10 +1,11 @@
1
1
  {
2
2
  "version": 3,
3
- "sources": ["../src/index.ts"],
3
+ "sources": ["../node_modules/@absolutejs/telemetry/dist/index.js", "../src/index.ts"],
4
4
  "sourcesContent": [
5
- "/**\n * @absolutejs/secrets — host-side secret broker for multi-tenant Bun\n * runtimes.\n *\n * Three responsibilities, kept narrow on purpose:\n *\n * 1. **Resolve.** A pluggable adapter fetches a secret by name. The broker\n * caches the answer, hands the caller back a `{ value, fingerprint }`\n * pair (fingerprint is a sha256 prefix safe to put in logs), and fires\n * an audit event for every lookup.\n * 2. **Redact.** Walks every known cached secret out of an arbitrary string\n * before it leaves the host (e.g. an error message that contains the\n * leaked API key the host call just made). The replacement is\n * `[REDACTED:name]`; matches shorter than `redactionMinLength` are\n * skipped to avoid blanking coincidental short tokens.\n * 3. **Rotate.** Delegates to `adapter.rotate?(name)` if the adapter\n * supports it, invalidates the cache entry. Caller is expected to\n * re-distribute to dependent surfaces.\n *\n * v0.0.1 ships three adapters: `inMemoryAdapter`, `envAdapter`,\n * `compositeAdapter`. AWS Secrets Manager / Vault / Doppler / Infisical\n * adapters ship later as siblings.\n *\n * The broker is bun/elysia-agnostic — same posture as router + meter.\n */\n\nexport type SecretValue = {\n\t/** The plaintext secret. Treat as poison: never log, never serialize. */\n\tvalue: string;\n\t/**\n\t * Short sha256-derived id (first 8 hex chars). Stable across calls for\n\t * the same value; safe to print in logs and traces. Useful for \"which\n\t * version of the key did this request use?\" diagnostics without leaking.\n\t */\n\tfingerprint: string;\n};\n\nexport type SecretAdapter = {\n\t/** Return the plaintext value for a name, or `null` if not stored here. */\n\tfetch: (name: string) => Promise<string | null>;\n\t/** Write a value. Optional — adapters may be read-only. */\n\tput?: (name: string, value: string) => Promise<void>;\n\t/** Delete a value. Optional. */\n\tremove?: (name: string) => Promise<void>;\n\t/** Rotate a value; return the NEW plaintext. Optional. */\n\trotate?: (name: string) => Promise<string>;\n\t/** Enumerate names. Optional; default omitted to avoid leaking the index. */\n\tlist?: () => Promise<string[]>;\n};\n\nexport type AuditEvent =\n\t| { event: 'resolve.hit'; name: string; fingerprint: string; at: number }\n\t| { event: 'resolve.miss'; name: string; fingerprint?: string; at: number }\n\t| { event: 'resolve.error'; name: string; error: string; at: number }\n\t| { event: 'rotate'; name: string; fingerprint: string; at: number }\n\t| { event: 'invalidate'; name: string | null; at: number };\n\nexport type AuditHook = (event: AuditEvent) => void | Promise<void>;\n\nexport type RedactionEncoding = 'plain' | 'base64';\n\nexport type SecretBrokerOptions = {\n\t/** The adapter the broker delegates fetch / rotate / put to. */\n\tadapter: SecretAdapter;\n\t/** Audit hook fired on every resolve / rotate / invalidate. */\n\taudit?: AuditHook;\n\t/**\n\t * How long a cached secret stays fresh, in ms. After this, the next\n\t * resolve re-hits the adapter. Default 60_000 (1 minute). Set to\n\t * `Infinity` to disable TTL — only `rotate` / `invalidate` evict.\n\t */\n\tcacheTtlMs?: number;\n\t/**\n\t * Per-name TTL overrides. The override wins over `cacheTtlMs`. Use\n\t * a short TTL for high-blast-radius secrets (admin tokens, signing\n\t * keys) so a compromised value's lifetime is bounded by the override,\n\t * not the global default.\n\t */\n\tcacheTtlOverrides?: Record<string, number>;\n\t/**\n\t * Minimum length a cached value must have before `redact` will rewrite\n\t * occurrences of it in arbitrary text. Default 8 — short values risk\n\t * blanking out coincidental matches (e.g. a short password \"abc1\"\n\t * appearing as a substring of unrelated text).\n\t */\n\tredactionMinLength?: number;\n\t/**\n\t * Encodings to redact alongside the plaintext value. Default `['plain']`.\n\t * Add `'base64'` to also catch base64-encoded forms — useful when\n\t * secrets end up inside JWTs, cookies, or any payload that base64-wraps\n\t * a credential.\n\t */\n\tredactionEncodings?: RedactionEncoding[];\n\t/** Override `Date.now` for tests. */\n\tclock?: () => number;\n};\n\n/** Listener registered via {@link SecretBroker.onRotate}. */\nexport type RotationListener = (event: {\n\tname: string;\n\tvalue: string;\n\tfingerprint: string;\n\tat: number;\n}) => void | Promise<void>;\n\nexport type SecretBroker = {\n\t/**\n\t * Resolve a secret by name. Returns `null` if the adapter reports\n\t * no value. Caches the answer for `cacheTtlMs`.\n\t */\n\tresolve: (name: string) => Promise<SecretValue | null>;\n\t/**\n\t * Returns the fingerprint of a value WITHOUT touching the adapter.\n\t * Useful for hashing a value the caller already has — e.g. a webhook\n\t * payload — to compare against an audit log.\n\t */\n\tfingerprint: (value: string) => string;\n\t/**\n\t * Replace every cached secret value found in `text` with\n\t * `[REDACTED:name]`. Returns the rewritten text. Subjects shorter than\n\t * `redactionMinLength` are skipped.\n\t */\n\tredact: (text: string) => string;\n\t/**\n\t * Streaming variant of {@link redact}. Returns a `TransformStream`\n\t * that catches secrets even when they're split across chunks (a chunk\n\t * boundary in the middle of `sk_live_abc...` would otherwise miss). The\n\t * stream keeps a lookback buffer the size of the longest cached secret;\n\t * once the buffer outgrows that, the safe-region prefix is emitted.\n\t *\n\t * Use this on `process.stdout` / `process.stderr` / a tenant log forwarder\n\t * so plaintext secrets never reach the sink.\n\t */\n\tredactStream: () => TransformStream<string, string>;\n\t/**\n\t * Rotate a secret. Calls `adapter.rotate(name)`, invalidates the cache,\n\t * returns the new `{ value, fingerprint }`. Throws if the adapter does\n\t * not support rotation. Fires every `onRotate` listener registered for\n\t * this name.\n\t */\n\trotate: (name: string) => Promise<SecretValue>;\n\t/**\n\t * Subscribe to rotation events for a specific name. Listener fires\n\t * AFTER the new value is in the cache. Returns an unsubscribe handle.\n\t * Use this for long-lived connections (DB clients, AI provider SDKs)\n\t * that need to swap credentials in-place when rotation lands.\n\t */\n\tonRotate: (name: string, listener: RotationListener) => () => void;\n\t/**\n\t * Invalidate one cache entry, or the whole cache when `name` is omitted.\n\t */\n\tinvalidate: (name?: string) => void;\n\t/** Tear down the broker — clears the cache; further resolves still hit the adapter. */\n\tdispose: () => void;\n\t/**\n\t * Operator-shaped cumulative counters since `createSecretBroker()`.\n\t * Scrape on a 30s interval for tier monitoring + rotation cadence.\n\t * Added in 0.2.0.\n\t */\n\tmetrics: () => SecretBrokerMetrics;\n\t/**\n\t * Refuse new `resolve()` / `rotate()` calls (they reject with\n\t * `BrokerDrainedError`); in-flight adapter calls keep running. Use\n\t * during graceful shutdown so a tenant whose process is about to\n\t * stop doesn't issue a fresh fetch against the secret store mid-\n\t * teardown. Symmetric with `runtime.drain()` / `queue.drain()`.\n\t * Added in 0.2.0.\n\t */\n\tdrain: () => void;\n};\n\n/**\n * Returned by {@link SecretBroker.metrics}. All counters cumulative\n * since `createSecretBroker()`; cleared by neither `dispose()` nor\n * `drain()` (so the operator can see what happened pre-shutdown).\n * Added in 0.2.0.\n */\nexport type SecretBrokerMetrics = {\n\t/** `resolve()` calls — including cached hits, misses, and errors. */\n\tresolves: number;\n\t/** `resolve()` calls served from cache (no adapter hit). */\n\tresolveHits: number;\n\t/** `resolve()` calls that hit the adapter (cache miss OR expired). */\n\tresolveMisses: number;\n\t/** `resolve()` calls where the adapter threw. */\n\tresolveErrors: number;\n\t/** Successful `rotate()` calls. */\n\trotates: number;\n\t/** `rotate()` calls where the adapter threw. */\n\trotateErrors: number;\n\t/** `invalidate()` calls (per call, regardless of cache size). */\n\tinvalidations: number;\n\t/** `redact()` calls (whether anything was rewritten or not). */\n\tredactCalls: number;\n\t/**\n\t * Distinct (secret, encoding) pairs that triggered a replacement —\n\t * NOT total occurrences. A `redact()` call that rewrites the same\n\t * key three times in one string bumps this by 1. Useful for\n\t * \"is anything ever actually getting redacted, or are we configured\n\t * for nothing.\"\n\t */\n\tredactionsApplied: number;\n\t/** Subset of `redactionsApplied` for base64 encoding. */\n\tredactionsBase64: number;\n};\n\n/**\n * Thrown by `resolve()` / `rotate()` after `drain()` has been called.\n * Added in 0.2.0.\n */\nexport class BrokerDrainedError extends Error {\n\tconstructor() {\n\t\tsuper(\n\t\t\t'[secrets] Broker is draining — resolve/rotate refused. ' +\n\t\t\t\t'Use the broker before the shutdown handler fires.'\n\t\t);\n\t\tthis.name = 'BrokerDrainedError';\n\t}\n}\n\n// -----------------------------------------------------------------------------\n// Fingerprint\n// -----------------------------------------------------------------------------\n\nconst HEX = '0123456789abcdef';\n\nconst sha256Hex = (input: string): string => {\n\t// 2026-era Bun: `crypto.subtle.digest` is the portable path. Synchronous\n\t// path via `Bun.CryptoHasher` is faster but requires Bun globals; we use\n\t// subtle to keep the broker runtime-agnostic at the cost of being async.\n\t// For the `fingerprint(value)` *public* method we want a synchronous\n\t// answer — so we use a tiny in-house sha256. It's slower than the native\n\t// digest but only runs on the secret value (small, ~ < 1KB), once per\n\t// distinct value over the broker's lifetime (memoized in the cache entry).\n\treturn sha256(input);\n};\n\n// Pure JS sha256, NIST FIPS 180-4. Small + dependency-free. Returns lowercase hex.\nconst ROUND_CONSTANTS = new Uint32Array([\n\t0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1,\n\t0x923f82a4, 0xab1c5ed5, 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,\n\t0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174, 0xe49b69c1, 0xefbe4786,\n\t0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,\n\t0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147,\n\t0x06ca6351, 0x14292967, 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,\n\t0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, 0xa2bfe8a1, 0xa81a664b,\n\t0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,\n\t0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a,\n\t0x5b9cca4f, 0x682e6ff3, 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,\n\t0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2,\n]);\n\nconst sha256 = (input: string): string => {\n\tconst bytes = new TextEncoder().encode(input);\n\tconst bitLength = bytes.length * 8;\n\tconst padLength = ((bytes.length + 9 + 63) & ~63) - bytes.length;\n\tconst padded = new Uint8Array(bytes.length + padLength);\n\tpadded.set(bytes);\n\tpadded[bytes.length] = 0x80;\n\tconst view = new DataView(padded.buffer);\n\tview.setUint32(padded.length - 4, bitLength >>> 0);\n\tview.setUint32(padded.length - 8, Math.floor(bitLength / 0x1_0000_0000));\n\n\tlet h0 = 0x6a09e667, h1 = 0xbb67ae85, h2 = 0x3c6ef372, h3 = 0xa54ff53a;\n\tlet h4 = 0x510e527f, h5 = 0x9b05688c, h6 = 0x1f83d9ab, h7 = 0x5be0cd19;\n\tconst w = new Uint32Array(64);\n\tfor (let i = 0; i < padded.length; i += 64) {\n\t\tfor (let t = 0; t < 16; t++) {\n\t\t\tw[t] = view.getUint32(i + t * 4);\n\t\t}\n\t\tfor (let t = 16; t < 64; t++) {\n\t\t\tconst w15 = w[t - 15]!;\n\t\t\tconst w2 = w[t - 2]!;\n\t\t\tconst s0 = ((w15 >>> 7) | (w15 << 25)) ^ ((w15 >>> 18) | (w15 << 14)) ^ (w15 >>> 3);\n\t\t\tconst s1 = ((w2 >>> 17) | (w2 << 15)) ^ ((w2 >>> 19) | (w2 << 13)) ^ (w2 >>> 10);\n\t\t\tw[t] = (w[t - 16]! + s0 + w[t - 7]! + s1) >>> 0;\n\t\t}\n\t\tlet a = h0, b = h1, c = h2, d = h3, e = h4, f = h5, g = h6, h = h7;\n\t\tfor (let t = 0; t < 64; t++) {\n\t\t\tconst S1 = ((e >>> 6) | (e << 26)) ^ ((e >>> 11) | (e << 21)) ^ ((e >>> 25) | (e << 7));\n\t\t\tconst ch = (e & f) ^ (~e & g);\n\t\t\tconst T1 = (h + S1 + ch + ROUND_CONSTANTS[t]! + w[t]!) >>> 0;\n\t\t\tconst S0 = ((a >>> 2) | (a << 30)) ^ ((a >>> 13) | (a << 19)) ^ ((a >>> 22) | (a << 10));\n\t\t\tconst maj = (a & b) ^ (a & c) ^ (b & c);\n\t\t\tconst T2 = (S0 + maj) >>> 0;\n\t\t\th = g;\n\t\t\tg = f;\n\t\t\tf = e;\n\t\t\te = (d + T1) >>> 0;\n\t\t\td = c;\n\t\t\tc = b;\n\t\t\tb = a;\n\t\t\ta = (T1 + T2) >>> 0;\n\t\t}\n\t\th0 = (h0 + a) >>> 0;\n\t\th1 = (h1 + b) >>> 0;\n\t\th2 = (h2 + c) >>> 0;\n\t\th3 = (h3 + d) >>> 0;\n\t\th4 = (h4 + e) >>> 0;\n\t\th5 = (h5 + f) >>> 0;\n\t\th6 = (h6 + g) >>> 0;\n\t\th7 = (h7 + h) >>> 0;\n\t}\n\tconst toHex = (n: number): string => {\n\t\tlet result = '';\n\t\tfor (let i = 7; i >= 0; i--) {\n\t\t\tresult += HEX[(n >>> (i * 4)) & 0xf];\n\t\t}\n\t\treturn result;\n\t};\n\treturn toHex(h0) + toHex(h1) + toHex(h2) + toHex(h3) + toHex(h4) + toHex(h5) + toHex(h6) + toHex(h7);\n};\n\nconst fingerprintOf = (value: string): string => sha256Hex(value).slice(0, 8);\n\n// -----------------------------------------------------------------------------\n// Bundled adapters\n// -----------------------------------------------------------------------------\n\nexport type InMemoryAdapterOptions = {\n\tinitial?: Record<string, string>;\n\t/** Override the rotation strategy. Default = random 32-char base36 string. */\n\trotate?: (name: string, previous: string | null) => string;\n};\n\nconst randomBase36 = (length: number): string => {\n\tlet out = '';\n\twhile (out.length < length) {\n\t\tout += Math.random().toString(36).slice(2);\n\t}\n\treturn out.slice(0, length);\n};\n\nexport const inMemoryAdapter = (\n\toptions: InMemoryAdapterOptions = {},\n): SecretAdapter => {\n\tconst store = new Map<string, string>();\n\tfor (const [k, v] of Object.entries(options.initial ?? {})) store.set(k, v);\n\tconst rotate = options.rotate ?? (() => randomBase36(32));\n\treturn {\n\t\tfetch: async (name) => store.get(name) ?? null,\n\t\tlist: async () => Array.from(store.keys()),\n\t\tput: async (name, value) => { store.set(name, value); },\n\t\tremove: async (name) => { store.delete(name); },\n\t\trotate: async (name) => {\n\t\t\tconst next = rotate(name, store.get(name) ?? null);\n\t\t\tstore.set(name, next);\n\t\t\treturn next;\n\t\t},\n\t};\n};\n\nexport type EnvAdapterOptions = {\n\t/**\n\t * If set, lookups are prefixed before reading from env. e.g.\n\t * `prefix: 'ABS_SECRET_'` and `resolve('STRIPE_KEY')` reads `ABS_SECRET_STRIPE_KEY`.\n\t * Default `''` (no prefix).\n\t */\n\tprefix?: string;\n\t/** The env object to read from. Default `process.env`. */\n\tenv?: Record<string, string | undefined>;\n};\n\nexport const envAdapter = (options: EnvAdapterOptions = {}): SecretAdapter => {\n\tconst prefix = options.prefix ?? '';\n\tconst env = options.env ?? (globalThis as { process?: { env?: Record<string, string | undefined> } }).process?.env ?? {};\n\treturn {\n\t\tfetch: async (name) => {\n\t\t\tconst key = `${prefix}${name}`;\n\t\t\tconst value = env[key];\n\t\t\treturn value === undefined ? null : value;\n\t\t},\n\t\tlist: async () => {\n\t\t\tif (!prefix) return Object.keys(env);\n\t\t\tconst matches: string[] = [];\n\t\t\tfor (const key of Object.keys(env)) {\n\t\t\t\tif (key.startsWith(prefix)) matches.push(key.slice(prefix.length));\n\t\t\t}\n\t\t\treturn matches;\n\t\t},\n\t};\n};\n\n/**\n * Compose adapters: `fetch` falls through to the first non-null result;\n * `put` / `rotate` / `remove` go to the first adapter that implements them.\n */\nexport const compositeAdapter = (adapters: SecretAdapter[]): SecretAdapter => {\n\tconst firstWith = <K extends keyof SecretAdapter>(method: K) =>\n\t\tadapters.find((adapter) => adapter[method] !== undefined);\n\treturn {\n\t\tfetch: async (name) => {\n\t\t\tfor (const adapter of adapters) {\n\t\t\t\tconst value = await adapter.fetch(name);\n\t\t\t\tif (value !== null) return value;\n\t\t\t}\n\t\t\treturn null;\n\t\t},\n\t\tlist: async () => {\n\t\t\tconst seen = new Set<string>();\n\t\t\tfor (const adapter of adapters) {\n\t\t\t\tif (!adapter.list) continue;\n\t\t\t\tfor (const name of await adapter.list()) seen.add(name);\n\t\t\t}\n\t\t\treturn Array.from(seen);\n\t\t},\n\t\tput: async (name, value) => {\n\t\t\tconst target = firstWith('put');\n\t\t\tif (!target?.put) throw new Error('No adapter in the composite supports put()');\n\t\t\tawait target.put(name, value);\n\t\t},\n\t\tremove: async (name) => {\n\t\t\tconst target = firstWith('remove');\n\t\t\tif (!target?.remove) throw new Error('No adapter in the composite supports remove()');\n\t\t\tawait target.remove(name);\n\t\t},\n\t\trotate: async (name) => {\n\t\t\tconst target = firstWith('rotate');\n\t\t\tif (!target?.rotate) throw new Error('No adapter in the composite supports rotate()');\n\t\t\treturn target.rotate(name);\n\t\t},\n\t};\n};\n\n// -----------------------------------------------------------------------------\n// Broker\n// -----------------------------------------------------------------------------\n\ntype CacheEntry = {\n\tvalue: string;\n\tfingerprint: string;\n\tstoredAt: number;\n};\n\nexport const createSecretBroker = (options: SecretBrokerOptions): SecretBroker => {\n\tconst clock = options.clock ?? Date.now;\n\tconst defaultTtl = options.cacheTtlMs ?? 60_000;\n\tconst ttlOverrides = options.cacheTtlOverrides ?? {};\n\tconst minLen = options.redactionMinLength ?? 8;\n\tconst encodings = options.redactionEncodings ?? ['plain'];\n\tconst audit = options.audit;\n\tconst cache = new Map<string, CacheEntry>();\n\tconst rotationListeners = new Map<string, Set<RotationListener>>();\n\tlet disposed = false;\n\tlet draining = false;\n\t// 0.2.0: cumulative operator counters. Survive `drain()` and\n\t// `dispose()` so the operator can read final state post-shutdown.\n\tconst counters: SecretBrokerMetrics = {\n\t\tinvalidations: 0,\n\t\tredactCalls: 0,\n\t\tredactionsApplied: 0,\n\t\tredactionsBase64: 0,\n\t\tresolveErrors: 0,\n\t\tresolveHits: 0,\n\t\tresolveMisses: 0,\n\t\tresolves: 0,\n\t\trotateErrors: 0,\n\t\trotates: 0\n\t};\n\n\tconst ttlFor = (name: string): number => ttlOverrides[name] ?? defaultTtl;\n\n\tconst fireRotation = (name: string, value: string, fingerprint: string, at: number) => {\n\t\tconst set = rotationListeners.get(name);\n\t\tif (!set || set.size === 0) return;\n\t\tfor (const listener of set) {\n\t\t\ttry {\n\t\t\t\tconst ret = listener({ at, fingerprint, name, value });\n\t\t\t\tif (ret && typeof (ret as Promise<void>).then === 'function') {\n\t\t\t\t\t(ret as Promise<void>).catch((error) => {\n\t\t\t\t\t\tconsole.error('[secrets] rotation listener rejected:', error);\n\t\t\t\t\t});\n\t\t\t\t}\n\t\t\t} catch (error) {\n\t\t\t\tconsole.error('[secrets] rotation listener threw:', error);\n\t\t\t}\n\t\t}\n\t};\n\n\tconst fireAudit = (event: AuditEvent) => {\n\t\tif (!audit) return;\n\t\ttry {\n\t\t\tconst result = audit(event);\n\t\t\tif (result && typeof (result as Promise<void>).then === 'function') {\n\t\t\t\t(result as Promise<void>).catch((error) => {\n\t\t\t\t\tconsole.error('[secrets] audit hook rejected:', error);\n\t\t\t\t});\n\t\t\t}\n\t\t} catch (error) {\n\t\t\tconsole.error('[secrets] audit hook threw:', error);\n\t\t}\n\t};\n\n\tconst cacheEntry = (name: string, value: string, now: number): CacheEntry => {\n\t\tconst entry: CacheEntry = {\n\t\t\tfingerprint: fingerprintOf(value),\n\t\t\tstoredAt: now,\n\t\t\tvalue,\n\t\t};\n\t\tcache.set(name, entry);\n\t\treturn entry;\n\t};\n\n\tconst resolve: SecretBroker['resolve'] = async (name) => {\n\t\tif (disposed) return null;\n\t\tif (draining) throw new BrokerDrainedError();\n\t\tcounters.resolves += 1;\n\t\tconst now = clock();\n\t\tconst cached = cache.get(name);\n\t\tif (cached && now - cached.storedAt < ttlFor(name)) {\n\t\t\tcounters.resolveHits += 1;\n\t\t\tfireAudit({ at: now, event: 'resolve.hit', fingerprint: cached.fingerprint, name });\n\t\t\treturn { fingerprint: cached.fingerprint, value: cached.value };\n\t\t}\n\t\tcounters.resolveMisses += 1;\n\t\ttry {\n\t\t\tconst value = await options.adapter.fetch(name);\n\t\t\tif (value === null) {\n\t\t\t\tfireAudit({ at: now, event: 'resolve.miss', name });\n\t\t\t\tcache.delete(name);\n\t\t\t\treturn null;\n\t\t\t}\n\t\t\tconst entry = cacheEntry(name, value, now);\n\t\t\tfireAudit({ at: now, event: 'resolve.miss', fingerprint: entry.fingerprint, name });\n\t\t\treturn { fingerprint: entry.fingerprint, value: entry.value };\n\t\t} catch (error) {\n\t\t\tcounters.resolveErrors += 1;\n\t\t\tfireAudit({\n\t\t\t\tat: now,\n\t\t\t\terror: error instanceof Error ? error.message : String(error),\n\t\t\t\tevent: 'resolve.error',\n\t\t\t\tname,\n\t\t\t});\n\t\t\tthrow error;\n\t\t}\n\t};\n\n\tconst rotate: SecretBroker['rotate'] = async (name) => {\n\t\tif (disposed) throw new Error('Broker is disposed');\n\t\tif (draining) throw new BrokerDrainedError();\n\t\tif (!options.adapter.rotate) {\n\t\t\tthrow new Error('Adapter does not support rotate()');\n\t\t}\n\t\ttry {\n\t\t\tconst next = await options.adapter.rotate(name);\n\t\t\tconst now = clock();\n\t\t\tconst entry = cacheEntry(name, next, now);\n\t\t\tcounters.rotates += 1;\n\t\t\tfireAudit({ at: now, event: 'rotate', fingerprint: entry.fingerprint, name });\n\t\t\tfireRotation(name, entry.value, entry.fingerprint, now);\n\t\t\treturn { fingerprint: entry.fingerprint, value: entry.value };\n\t\t} catch (error) {\n\t\t\tcounters.rotateErrors += 1;\n\t\t\tthrow error;\n\t\t}\n\t};\n\n\tconst invalidate: SecretBroker['invalidate'] = (name) => {\n\t\tif (name === undefined) {\n\t\t\tcache.clear();\n\t\t} else {\n\t\t\tcache.delete(name);\n\t\t}\n\t\tcounters.invalidations += 1;\n\t\tfireAudit({ at: clock(), event: 'invalidate', name: name ?? null });\n\t};\n\n\t// Returns every (representation, replacementLabel) pair currently in\n\t// the cache that's worth searching for. Longest-first so a longer\n\t// secret blanks BEFORE one of its substrings would.\n\tconst redactionPairs = (): Array<[string, string]> => {\n\t\tconst pairs: Array<[string, string]> = [];\n\t\tfor (const [name, entry] of cache) {\n\t\t\tif (entry.value.length < minLen) continue;\n\t\t\tfor (const enc of encodings) {\n\t\t\t\tif (enc === 'plain') {\n\t\t\t\t\tpairs.push([entry.value, `[REDACTED:${name}]`]);\n\t\t\t\t} else if (enc === 'base64') {\n\t\t\t\t\ttry {\n\t\t\t\t\t\tconst encoded = btoa(entry.value);\n\t\t\t\t\t\t// Skip if encoding produces a too-short token to be safe.\n\t\t\t\t\t\tif (encoded.length >= minLen) {\n\t\t\t\t\t\t\tpairs.push([encoded, `[REDACTED:${name}:b64]`]);\n\t\t\t\t\t\t}\n\t\t\t\t\t} catch {\n\t\t\t\t\t\t// btoa rejects non-Latin-1; skip silently.\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\tpairs.sort((a, b) => b[0].length - a[0].length);\n\t\treturn pairs;\n\t};\n\n\tconst redact: SecretBroker['redact'] = (text) => {\n\t\tcounters.redactCalls += 1;\n\t\tif (text.length === 0 || cache.size === 0) return text;\n\t\tlet out = text;\n\t\tfor (const [needle, replacement] of redactionPairs()) {\n\t\t\tif (!out.includes(needle)) continue;\n\t\t\tout = out.split(needle).join(replacement);\n\t\t\tcounters.redactionsApplied += 1;\n\t\t\tif (replacement.endsWith(':b64]')) counters.redactionsBase64 += 1;\n\t\t}\n\t\treturn out;\n\t};\n\n\tconst redactStream: SecretBroker['redactStream'] = () => {\n\t\t// Per-chunk algorithm:\n\t\t// 1. Append chunk to buffer.\n\t\t// 2. Redact the WHOLE buffer (complete secrets → labels).\n\t\t// 3. Hold back the last `lookback` chars — they might contain a\n\t\t// partial secret that completes on the next chunk. The next\n\t\t// chunk's redact() will catch it once the full secret arrives.\n\t\t// 4. Emit the safe prefix.\n\t\t// Without step 2 happening BEFORE the split, a secret straddling the\n\t\t// boundary would have its prefix emitted un-redacted before the suffix\n\t\t// even shows up.\n\t\tlet buffer = '';\n\t\tconst maxLen = () =>\n\t\t\tredactionPairs().reduce((max, [needle]) => Math.max(max, needle.length), 0);\n\t\treturn new TransformStream<string, string>({\n\t\t\ttransform: (chunk, controller) => {\n\t\t\t\tbuffer += chunk;\n\t\t\t\tconst lookback = maxLen();\n\t\t\t\tconst reduced = redact(buffer);\n\t\t\t\tif (reduced.length <= lookback) {\n\t\t\t\t\tbuffer = reduced;\n\t\t\t\t\treturn;\n\t\t\t\t}\n\t\t\t\tconst safe = reduced.slice(0, reduced.length - lookback);\n\t\t\t\tbuffer = reduced.slice(reduced.length - lookback);\n\t\t\t\tif (safe.length > 0) controller.enqueue(safe);\n\t\t\t},\n\t\t\tflush: (controller) => {\n\t\t\t\tif (buffer.length === 0) return;\n\t\t\t\tcontroller.enqueue(redact(buffer));\n\t\t\t\tbuffer = '';\n\t\t\t},\n\t\t});\n\t};\n\n\tconst onRotate: SecretBroker['onRotate'] = (name, listener) => {\n\t\tlet set = rotationListeners.get(name);\n\t\tif (!set) {\n\t\t\tset = new Set();\n\t\t\trotationListeners.set(name, set);\n\t\t}\n\t\tset.add(listener);\n\t\treturn () => {\n\t\t\tconst current = rotationListeners.get(name);\n\t\t\tif (!current) return;\n\t\t\tcurrent.delete(listener);\n\t\t\tif (current.size === 0) rotationListeners.delete(name);\n\t\t};\n\t};\n\n\treturn {\n\t\tdispose: () => {\n\t\t\tdisposed = true;\n\t\t\tcache.clear();\n\t\t\trotationListeners.clear();\n\t\t},\n\t\tdrain: () => {\n\t\t\tdraining = true;\n\t\t},\n\t\tfingerprint: fingerprintOf,\n\t\tinvalidate,\n\t\tmetrics: () => ({ ...counters }),\n\t\tonRotate,\n\t\tredact,\n\t\tredactStream,\n\t\tresolve,\n\t\trotate,\n\t};\n};\n"
5
+ "// @bun\n// src/index.ts\nvar SpanKind = {\n INTERNAL: 0,\n SERVER: 1,\n CLIENT: 2,\n PRODUCER: 3,\n CONSUMER: 4\n};\nvar SpanStatusCode = {\n UNSET: 0,\n OK: 1,\n ERROR: 2\n};\nvar NOOP_SPAN_CONTEXT = {\n spanId: \"0000000000000000\",\n traceFlags: 0,\n traceId: \"00000000000000000000000000000000\"\n};\nvar noopSpan = {\n addEvent: () => noopSpan,\n end: () => {},\n isRecording: () => false,\n recordException: () => {},\n setAttribute: () => noopSpan,\n setAttributes: () => noopSpan,\n setStatus: () => noopSpan,\n spanContext: () => NOOP_SPAN_CONTEXT,\n updateName: () => noopSpan\n};\nvar createNoopSpan = () => noopSpan;\nvar startActiveSpanNoop = (_name, optionsOrFn, maybeFn) => {\n const fn = typeof optionsOrFn === \"function\" ? optionsOrFn : maybeFn;\n return fn(noopSpan);\n};\nvar noopTracer = {\n startActiveSpan: startActiveSpanNoop,\n startSpan: () => noopSpan\n};\nvar createNoopTracer = () => noopTracer;\nvar createNoopTracerProvider = () => ({\n getTracer: () => noopTracer\n});\nvar tracerOrNoop = (provider, name, version) => provider !== undefined ? provider.getTracer(name, version) : noopTracer;\nvar ABS_ATTRS = {\n tenant: \"abs.tenant\",\n shardId: \"abs.shard.id\",\n engineId: \"abs.engine.id\",\n collection: \"abs.collection\",\n mutation: \"abs.mutation\",\n mutationAttempt: \"abs.mutation.attempt\",\n subscriptionId: \"abs.subscription.id\",\n batchSize: \"abs.batch.size\",\n clusterMessageOrigin: \"abs.cluster.origin\",\n jobId: \"abs.job.id\",\n jobKind: \"abs.job.kind\",\n jobAttempt: \"abs.job.attempt\",\n jobMaxAttempts: \"abs.job.max_attempts\",\n workerId: \"abs.worker.id\",\n runtimeKey: \"abs.runtime.key\",\n runtimePid: \"abs.runtime.pid\",\n runtimePort: \"abs.runtime.port\",\n runtimeExitReason: \"abs.runtime.exit_reason\",\n runtimeReadinessMs: \"abs.runtime.readiness_ms\",\n routeShard: \"abs.route.shard\",\n routeDecision: \"abs.route.decision\",\n secretName: \"abs.secret.name\",\n secretFingerprint: \"abs.secret.fingerprint\",\n auditKind: \"abs.audit.kind\"\n};\nvar withSpan = async (tracer, name, options, fn) => tracer.startActiveSpan(name, options, async (span) => {\n try {\n const result = await fn(span);\n span.setStatus({ code: SpanStatusCode.OK });\n return result;\n } catch (error) {\n span.setStatus({\n code: SpanStatusCode.ERROR,\n message: error instanceof Error ? error.message : String(error)\n });\n span.recordException(error);\n throw error;\n } finally {\n span.end();\n }\n});\nvar withSpanSync = (tracer, name, options, fn) => tracer.startActiveSpan(name, options, (span) => {\n try {\n const result = fn(span);\n span.setStatus({ code: SpanStatusCode.OK });\n return result;\n } catch (error) {\n span.setStatus({\n code: SpanStatusCode.ERROR,\n message: error instanceof Error ? error.message : String(error)\n });\n span.recordException(error);\n throw error;\n } finally {\n span.end();\n }\n});\nexport {\n withSpanSync,\n withSpan,\n tracerOrNoop,\n createNoopTracerProvider,\n createNoopTracer,\n createNoopSpan,\n SpanStatusCode,\n SpanKind,\n ABS_ATTRS\n};\n\n//# debugId=3038092490E875A764756E2164756E21\n//# sourceMappingURL=index.js.map\n",
6
+ "/**\n * @absolutejs/secrets — host-side secret broker for multi-tenant Bun\n * runtimes.\n *\n * Three responsibilities, kept narrow on purpose:\n *\n * 1. **Resolve.** A pluggable adapter fetches a secret by name. The broker\n * caches the answer, hands the caller back a `{ value, fingerprint }`\n * pair (fingerprint is a sha256 prefix safe to put in logs), and fires\n * an audit event for every lookup.\n * 2. **Redact.** Walks every known cached secret out of an arbitrary string\n * before it leaves the host (e.g. an error message that contains the\n * leaked API key the host call just made). The replacement is\n * `[REDACTED:name]`; matches shorter than `redactionMinLength` are\n * skipped to avoid blanking coincidental short tokens.\n * 3. **Rotate.** Delegates to `adapter.rotate?(name)` if the adapter\n * supports it, invalidates the cache entry. Caller is expected to\n * re-distribute to dependent surfaces.\n *\n * v0.0.1 ships three adapters: `inMemoryAdapter`, `envAdapter`,\n * `compositeAdapter`. AWS Secrets Manager / Vault / Doppler / Infisical\n * adapters ship later as siblings.\n *\n * The broker is bun/elysia-agnostic — same posture as router + meter.\n */\n\nimport {\n\tABS_ATTRS,\n\ttracerOrNoop,\n\ttype TracerProvider\n} from '@absolutejs/telemetry';\n\nexport type SecretValue = {\n\t/** The plaintext secret. Treat as poison: never log, never serialize. */\n\tvalue: string;\n\t/**\n\t * Short sha256-derived id (first 8 hex chars). Stable across calls for\n\t * the same value; safe to print in logs and traces. Useful for \"which\n\t * version of the key did this request use?\" diagnostics without leaking.\n\t */\n\tfingerprint: string;\n};\n\nexport type SecretAdapter = {\n\t/** Return the plaintext value for a name, or `null` if not stored here. */\n\tfetch: (name: string) => Promise<string | null>;\n\t/** Write a value. Optional — adapters may be read-only. */\n\tput?: (name: string, value: string) => Promise<void>;\n\t/** Delete a value. Optional. */\n\tremove?: (name: string) => Promise<void>;\n\t/** Rotate a value; return the NEW plaintext. Optional. */\n\trotate?: (name: string) => Promise<string>;\n\t/** Enumerate names. Optional; default omitted to avoid leaking the index. */\n\tlist?: () => Promise<string[]>;\n};\n\nexport type AuditEvent =\n\t| { event: 'resolve.hit'; name: string; fingerprint: string; at: number }\n\t| { event: 'resolve.miss'; name: string; fingerprint?: string; at: number }\n\t| { event: 'resolve.error'; name: string; error: string; at: number }\n\t| { event: 'rotate'; name: string; fingerprint: string; at: number }\n\t| { event: 'invalidate'; name: string | null; at: number };\n\nexport type AuditHook = (event: AuditEvent) => void | Promise<void>;\n\nexport type RedactionEncoding = 'plain' | 'base64';\n\nexport type SecretBrokerOptions = {\n\t/** The adapter the broker delegates fetch / rotate / put to. */\n\tadapter: SecretAdapter;\n\t/** Audit hook fired on every resolve / rotate / invalidate. */\n\taudit?: AuditHook;\n\t/**\n\t * How long a cached secret stays fresh, in ms. After this, the next\n\t * resolve re-hits the adapter. Default 60_000 (1 minute). Set to\n\t * `Infinity` to disable TTL — only `rotate` / `invalidate` evict.\n\t */\n\tcacheTtlMs?: number;\n\t/**\n\t * Per-name TTL overrides. The override wins over `cacheTtlMs`. Use\n\t * a short TTL for high-blast-radius secrets (admin tokens, signing\n\t * keys) so a compromised value's lifetime is bounded by the override,\n\t * not the global default.\n\t */\n\tcacheTtlOverrides?: Record<string, number>;\n\t/**\n\t * Minimum length a cached value must have before `redact` will rewrite\n\t * occurrences of it in arbitrary text. Default 8 — short values risk\n\t * blanking out coincidental matches (e.g. a short password \"abc1\"\n\t * appearing as a substring of unrelated text).\n\t */\n\tredactionMinLength?: number;\n\t/**\n\t * Encodings to redact alongside the plaintext value. Default `['plain']`.\n\t * Add `'base64'` to also catch base64-encoded forms — useful when\n\t * secrets end up inside JWTs, cookies, or any payload that base64-wraps\n\t * a credential.\n\t */\n\tredactionEncodings?: RedactionEncoding[];\n\t/** Override `Date.now` for tests. */\n\tclock?: () => number;\n\t/**\n\t * Optional OpenTelemetry tracer provider. When set, `broker.resolve`\n\t * and `broker.rotate` are wrapped in `secrets.resolve` /\n\t * `secrets.rotate` spans with `abs.secret.name` +\n\t * `abs.secret.fingerprint` attributes. `broker.redact` is NOT\n\t * traced — it's called per log line, which would explode span\n\t * volume. When omitted, all tracing is a zero-allocation noop.\n\t * Added in 0.3.0.\n\t */\n\ttracerProvider?: TracerProvider;\n};\n\n/** Listener registered via {@link SecretBroker.onRotate}. */\nexport type RotationListener = (event: {\n\tname: string;\n\tvalue: string;\n\tfingerprint: string;\n\tat: number;\n}) => void | Promise<void>;\n\nexport type SecretBroker = {\n\t/**\n\t * Resolve a secret by name. Returns `null` if the adapter reports\n\t * no value. Caches the answer for `cacheTtlMs`.\n\t */\n\tresolve: (name: string) => Promise<SecretValue | null>;\n\t/**\n\t * Returns the fingerprint of a value WITHOUT touching the adapter.\n\t * Useful for hashing a value the caller already has — e.g. a webhook\n\t * payload — to compare against an audit log.\n\t */\n\tfingerprint: (value: string) => string;\n\t/**\n\t * Replace every cached secret value found in `text` with\n\t * `[REDACTED:name]`. Returns the rewritten text. Subjects shorter than\n\t * `redactionMinLength` are skipped.\n\t */\n\tredact: (text: string) => string;\n\t/**\n\t * Streaming variant of {@link redact}. Returns a `TransformStream`\n\t * that catches secrets even when they're split across chunks (a chunk\n\t * boundary in the middle of `sk_live_abc...` would otherwise miss). The\n\t * stream keeps a lookback buffer the size of the longest cached secret;\n\t * once the buffer outgrows that, the safe-region prefix is emitted.\n\t *\n\t * Use this on `process.stdout` / `process.stderr` / a tenant log forwarder\n\t * so plaintext secrets never reach the sink.\n\t */\n\tredactStream: () => TransformStream<string, string>;\n\t/**\n\t * Rotate a secret. Calls `adapter.rotate(name)`, invalidates the cache,\n\t * returns the new `{ value, fingerprint }`. Throws if the adapter does\n\t * not support rotation. Fires every `onRotate` listener registered for\n\t * this name.\n\t */\n\trotate: (name: string) => Promise<SecretValue>;\n\t/**\n\t * Subscribe to rotation events for a specific name. Listener fires\n\t * AFTER the new value is in the cache. Returns an unsubscribe handle.\n\t * Use this for long-lived connections (DB clients, AI provider SDKs)\n\t * that need to swap credentials in-place when rotation lands.\n\t */\n\tonRotate: (name: string, listener: RotationListener) => () => void;\n\t/**\n\t * Invalidate one cache entry, or the whole cache when `name` is omitted.\n\t */\n\tinvalidate: (name?: string) => void;\n\t/** Tear down the broker — clears the cache; further resolves still hit the adapter. */\n\tdispose: () => void;\n\t/**\n\t * Operator-shaped cumulative counters since `createSecretBroker()`.\n\t * Scrape on a 30s interval for tier monitoring + rotation cadence.\n\t * Added in 0.2.0.\n\t */\n\tmetrics: () => SecretBrokerMetrics;\n\t/**\n\t * Refuse new `resolve()` / `rotate()` calls (they reject with\n\t * `BrokerDrainedError`); in-flight adapter calls keep running. Use\n\t * during graceful shutdown so a tenant whose process is about to\n\t * stop doesn't issue a fresh fetch against the secret store mid-\n\t * teardown. Symmetric with `runtime.drain()` / `queue.drain()`.\n\t * Added in 0.2.0.\n\t */\n\tdrain: () => void;\n};\n\n/**\n * Returned by {@link SecretBroker.metrics}. All counters cumulative\n * since `createSecretBroker()`; cleared by neither `dispose()` nor\n * `drain()` (so the operator can see what happened pre-shutdown).\n * Added in 0.2.0.\n */\nexport type SecretBrokerMetrics = {\n\t/** `resolve()` calls — including cached hits, misses, and errors. */\n\tresolves: number;\n\t/** `resolve()` calls served from cache (no adapter hit). */\n\tresolveHits: number;\n\t/** `resolve()` calls that hit the adapter (cache miss OR expired). */\n\tresolveMisses: number;\n\t/** `resolve()` calls where the adapter threw. */\n\tresolveErrors: number;\n\t/** Successful `rotate()` calls. */\n\trotates: number;\n\t/** `rotate()` calls where the adapter threw. */\n\trotateErrors: number;\n\t/** `invalidate()` calls (per call, regardless of cache size). */\n\tinvalidations: number;\n\t/** `redact()` calls (whether anything was rewritten or not). */\n\tredactCalls: number;\n\t/**\n\t * Distinct (secret, encoding) pairs that triggered a replacement —\n\t * NOT total occurrences. A `redact()` call that rewrites the same\n\t * key three times in one string bumps this by 1. Useful for\n\t * \"is anything ever actually getting redacted, or are we configured\n\t * for nothing.\"\n\t */\n\tredactionsApplied: number;\n\t/** Subset of `redactionsApplied` for base64 encoding. */\n\tredactionsBase64: number;\n};\n\n/**\n * Thrown by `resolve()` / `rotate()` after `drain()` has been called.\n * Added in 0.2.0.\n */\nexport class BrokerDrainedError extends Error {\n\tconstructor() {\n\t\tsuper(\n\t\t\t'[secrets] Broker is draining — resolve/rotate refused. ' +\n\t\t\t\t'Use the broker before the shutdown handler fires.'\n\t\t);\n\t\tthis.name = 'BrokerDrainedError';\n\t}\n}\n\n// -----------------------------------------------------------------------------\n// Fingerprint\n// -----------------------------------------------------------------------------\n\nconst HEX = '0123456789abcdef';\n\nconst sha256Hex = (input: string): string => {\n\t// 2026-era Bun: `crypto.subtle.digest` is the portable path. Synchronous\n\t// path via `Bun.CryptoHasher` is faster but requires Bun globals; we use\n\t// subtle to keep the broker runtime-agnostic at the cost of being async.\n\t// For the `fingerprint(value)` *public* method we want a synchronous\n\t// answer — so we use a tiny in-house sha256. It's slower than the native\n\t// digest but only runs on the secret value (small, ~ < 1KB), once per\n\t// distinct value over the broker's lifetime (memoized in the cache entry).\n\treturn sha256(input);\n};\n\n// Pure JS sha256, NIST FIPS 180-4. Small + dependency-free. Returns lowercase hex.\nconst ROUND_CONSTANTS = new Uint32Array([\n\t0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1,\n\t0x923f82a4, 0xab1c5ed5, 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,\n\t0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174, 0xe49b69c1, 0xefbe4786,\n\t0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,\n\t0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147,\n\t0x06ca6351, 0x14292967, 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,\n\t0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, 0xa2bfe8a1, 0xa81a664b,\n\t0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,\n\t0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a,\n\t0x5b9cca4f, 0x682e6ff3, 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,\n\t0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2,\n]);\n\nconst sha256 = (input: string): string => {\n\tconst bytes = new TextEncoder().encode(input);\n\tconst bitLength = bytes.length * 8;\n\tconst padLength = ((bytes.length + 9 + 63) & ~63) - bytes.length;\n\tconst padded = new Uint8Array(bytes.length + padLength);\n\tpadded.set(bytes);\n\tpadded[bytes.length] = 0x80;\n\tconst view = new DataView(padded.buffer);\n\tview.setUint32(padded.length - 4, bitLength >>> 0);\n\tview.setUint32(padded.length - 8, Math.floor(bitLength / 0x1_0000_0000));\n\n\tlet h0 = 0x6a09e667, h1 = 0xbb67ae85, h2 = 0x3c6ef372, h3 = 0xa54ff53a;\n\tlet h4 = 0x510e527f, h5 = 0x9b05688c, h6 = 0x1f83d9ab, h7 = 0x5be0cd19;\n\tconst w = new Uint32Array(64);\n\tfor (let i = 0; i < padded.length; i += 64) {\n\t\tfor (let t = 0; t < 16; t++) {\n\t\t\tw[t] = view.getUint32(i + t * 4);\n\t\t}\n\t\tfor (let t = 16; t < 64; t++) {\n\t\t\tconst w15 = w[t - 15]!;\n\t\t\tconst w2 = w[t - 2]!;\n\t\t\tconst s0 = ((w15 >>> 7) | (w15 << 25)) ^ ((w15 >>> 18) | (w15 << 14)) ^ (w15 >>> 3);\n\t\t\tconst s1 = ((w2 >>> 17) | (w2 << 15)) ^ ((w2 >>> 19) | (w2 << 13)) ^ (w2 >>> 10);\n\t\t\tw[t] = (w[t - 16]! + s0 + w[t - 7]! + s1) >>> 0;\n\t\t}\n\t\tlet a = h0, b = h1, c = h2, d = h3, e = h4, f = h5, g = h6, h = h7;\n\t\tfor (let t = 0; t < 64; t++) {\n\t\t\tconst S1 = ((e >>> 6) | (e << 26)) ^ ((e >>> 11) | (e << 21)) ^ ((e >>> 25) | (e << 7));\n\t\t\tconst ch = (e & f) ^ (~e & g);\n\t\t\tconst T1 = (h + S1 + ch + ROUND_CONSTANTS[t]! + w[t]!) >>> 0;\n\t\t\tconst S0 = ((a >>> 2) | (a << 30)) ^ ((a >>> 13) | (a << 19)) ^ ((a >>> 22) | (a << 10));\n\t\t\tconst maj = (a & b) ^ (a & c) ^ (b & c);\n\t\t\tconst T2 = (S0 + maj) >>> 0;\n\t\t\th = g;\n\t\t\tg = f;\n\t\t\tf = e;\n\t\t\te = (d + T1) >>> 0;\n\t\t\td = c;\n\t\t\tc = b;\n\t\t\tb = a;\n\t\t\ta = (T1 + T2) >>> 0;\n\t\t}\n\t\th0 = (h0 + a) >>> 0;\n\t\th1 = (h1 + b) >>> 0;\n\t\th2 = (h2 + c) >>> 0;\n\t\th3 = (h3 + d) >>> 0;\n\t\th4 = (h4 + e) >>> 0;\n\t\th5 = (h5 + f) >>> 0;\n\t\th6 = (h6 + g) >>> 0;\n\t\th7 = (h7 + h) >>> 0;\n\t}\n\tconst toHex = (n: number): string => {\n\t\tlet result = '';\n\t\tfor (let i = 7; i >= 0; i--) {\n\t\t\tresult += HEX[(n >>> (i * 4)) & 0xf];\n\t\t}\n\t\treturn result;\n\t};\n\treturn toHex(h0) + toHex(h1) + toHex(h2) + toHex(h3) + toHex(h4) + toHex(h5) + toHex(h6) + toHex(h7);\n};\n\nconst fingerprintOf = (value: string): string => sha256Hex(value).slice(0, 8);\n\n// -----------------------------------------------------------------------------\n// Bundled adapters\n// -----------------------------------------------------------------------------\n\nexport type InMemoryAdapterOptions = {\n\tinitial?: Record<string, string>;\n\t/** Override the rotation strategy. Default = random 32-char base36 string. */\n\trotate?: (name: string, previous: string | null) => string;\n};\n\nconst randomBase36 = (length: number): string => {\n\tlet out = '';\n\twhile (out.length < length) {\n\t\tout += Math.random().toString(36).slice(2);\n\t}\n\treturn out.slice(0, length);\n};\n\nexport const inMemoryAdapter = (\n\toptions: InMemoryAdapterOptions = {},\n): SecretAdapter => {\n\tconst store = new Map<string, string>();\n\tfor (const [k, v] of Object.entries(options.initial ?? {})) store.set(k, v);\n\tconst rotate = options.rotate ?? (() => randomBase36(32));\n\treturn {\n\t\tfetch: async (name) => store.get(name) ?? null,\n\t\tlist: async () => Array.from(store.keys()),\n\t\tput: async (name, value) => { store.set(name, value); },\n\t\tremove: async (name) => { store.delete(name); },\n\t\trotate: async (name) => {\n\t\t\tconst next = rotate(name, store.get(name) ?? null);\n\t\t\tstore.set(name, next);\n\t\t\treturn next;\n\t\t},\n\t};\n};\n\nexport type EnvAdapterOptions = {\n\t/**\n\t * If set, lookups are prefixed before reading from env. e.g.\n\t * `prefix: 'ABS_SECRET_'` and `resolve('STRIPE_KEY')` reads `ABS_SECRET_STRIPE_KEY`.\n\t * Default `''` (no prefix).\n\t */\n\tprefix?: string;\n\t/** The env object to read from. Default `process.env`. */\n\tenv?: Record<string, string | undefined>;\n};\n\nexport const envAdapter = (options: EnvAdapterOptions = {}): SecretAdapter => {\n\tconst prefix = options.prefix ?? '';\n\tconst env = options.env ?? (globalThis as { process?: { env?: Record<string, string | undefined> } }).process?.env ?? {};\n\treturn {\n\t\tfetch: async (name) => {\n\t\t\tconst key = `${prefix}${name}`;\n\t\t\tconst value = env[key];\n\t\t\treturn value === undefined ? null : value;\n\t\t},\n\t\tlist: async () => {\n\t\t\tif (!prefix) return Object.keys(env);\n\t\t\tconst matches: string[] = [];\n\t\t\tfor (const key of Object.keys(env)) {\n\t\t\t\tif (key.startsWith(prefix)) matches.push(key.slice(prefix.length));\n\t\t\t}\n\t\t\treturn matches;\n\t\t},\n\t};\n};\n\n/**\n * Compose adapters: `fetch` falls through to the first non-null result;\n * `put` / `rotate` / `remove` go to the first adapter that implements them.\n */\nexport const compositeAdapter = (adapters: SecretAdapter[]): SecretAdapter => {\n\tconst firstWith = <K extends keyof SecretAdapter>(method: K) =>\n\t\tadapters.find((adapter) => adapter[method] !== undefined);\n\treturn {\n\t\tfetch: async (name) => {\n\t\t\tfor (const adapter of adapters) {\n\t\t\t\tconst value = await adapter.fetch(name);\n\t\t\t\tif (value !== null) return value;\n\t\t\t}\n\t\t\treturn null;\n\t\t},\n\t\tlist: async () => {\n\t\t\tconst seen = new Set<string>();\n\t\t\tfor (const adapter of adapters) {\n\t\t\t\tif (!adapter.list) continue;\n\t\t\t\tfor (const name of await adapter.list()) seen.add(name);\n\t\t\t}\n\t\t\treturn Array.from(seen);\n\t\t},\n\t\tput: async (name, value) => {\n\t\t\tconst target = firstWith('put');\n\t\t\tif (!target?.put) throw new Error('No adapter in the composite supports put()');\n\t\t\tawait target.put(name, value);\n\t\t},\n\t\tremove: async (name) => {\n\t\t\tconst target = firstWith('remove');\n\t\t\tif (!target?.remove) throw new Error('No adapter in the composite supports remove()');\n\t\t\tawait target.remove(name);\n\t\t},\n\t\trotate: async (name) => {\n\t\t\tconst target = firstWith('rotate');\n\t\t\tif (!target?.rotate) throw new Error('No adapter in the composite supports rotate()');\n\t\t\treturn target.rotate(name);\n\t\t},\n\t};\n};\n\n// -----------------------------------------------------------------------------\n// encryptedFileAdapter — durable, AES-256-GCM, committable to private repo\n// -----------------------------------------------------------------------------\n\nconst DEFAULT_PBKDF2_ITERATIONS = 600_000;\nconst ENC_FILE_VERSION = 1;\nconst SALT_BYTES = 16;\nconst IV_BYTES = 12;\nconst KEY_BYTES = 32;\n\nconst bytesToBase64 = (bytes: Uint8Array): string => {\n\tlet bin = '';\n\tfor (const byte of bytes) bin += String.fromCharCode(byte);\n\treturn btoa(bin);\n};\n\nconst base64ToBytes = (b64: string): Uint8Array => {\n\tconst bin = atob(b64);\n\tconst out = new Uint8Array(bin.length);\n\tfor (let i = 0; i < bin.length; i += 1) out[i] = bin.charCodeAt(i);\n\treturn out;\n};\n\ntype EncryptedEntry = {\n\t/** Base64 12-byte IV. */\n\tiv: string;\n\t/** Base64 AES-GCM ciphertext (includes 16-byte tag at end). */\n\tct: string;\n};\n\ntype EncryptedFile = {\n\tversion: 1;\n\t/** Salt is omitted when the master key is supplied as raw bytes. */\n\tkdf?: {\n\t\ttype: 'pbkdf2-sha256';\n\t\titerations: number;\n\t\tsalt: string;\n\t};\n\tvalues: Record<string, EncryptedEntry>;\n};\n\n/** Override for tests; defaults touch disk via `node:fs/promises`. */\nexport type EncryptedFileIO = {\n\treadFile: (path: string) => Promise<string | undefined>;\n\twriteFileAtomic: (path: string, contents: string) => Promise<void>;\n};\n\nexport type EncryptedFileAdapterMasterKey =\n\t| { type: 'passphrase'; passphrase: string }\n\t| { type: 'raw'; bytes: Uint8Array };\n\nexport type EncryptedFileAdapterOptions = {\n\t/** Absolute or relative path to the encrypted JSON file. */\n\tpath: string;\n\t/**\n\t * Master key. Either a `passphrase` (KDF'd via PBKDF2-SHA256 with the\n\t * salt stored in the file) or `raw` 32 bytes (no KDF — pass the key\n\t * directly, useful when sourced from a vendor secret manager).\n\t */\n\tkey: EncryptedFileAdapterMasterKey;\n\t/**\n\t * PBKDF2 iterations when `key.type === 'passphrase'`. Default 600_000\n\t * (OWASP 2025 recommendation for SHA-256). The chosen value is stored\n\t * in the file so future opens use it.\n\t */\n\tpbkdf2Iterations?: number;\n\t/** Override the rotation strategy (matches `inMemoryAdapter`). */\n\trotate?: (name: string, previous: string | null) => string;\n\t/** Override file IO (tests). */\n\tio?: EncryptedFileIO;\n};\n\nconst defaultIo = (): EncryptedFileIO => ({\n\treadFile: async (path) => {\n\t\ttry {\n\t\t\tconst text = await (await import('node:fs/promises')).readFile(\n\t\t\t\tpath,\n\t\t\t\t'utf8'\n\t\t\t);\n\t\t\treturn text;\n\t\t} catch (error) {\n\t\t\tif ((error as { code?: string }).code === 'ENOENT') return undefined;\n\t\t\tthrow error;\n\t\t}\n\t},\n\twriteFileAtomic: async (path, contents) => {\n\t\tconst fs = await import('node:fs/promises');\n\t\tconst tempPath = `${path}.tmp.${process.pid}`;\n\t\tawait fs.writeFile(tempPath, contents, { mode: 0o600 });\n\t\tawait fs.rename(tempPath, path);\n\t}\n});\n\nconst deriveKeyFromPassphrase = async (\n\tpassphrase: string,\n\tsalt: Uint8Array,\n\titerations: number\n): Promise<CryptoKey> => {\n\tconst base = await crypto.subtle.importKey(\n\t\t'raw',\n\t\tnew TextEncoder().encode(passphrase) as BufferSource,\n\t\t'PBKDF2',\n\t\tfalse,\n\t\t['deriveKey']\n\t);\n\treturn crypto.subtle.deriveKey(\n\t\t{\n\t\t\thash: 'SHA-256',\n\t\t\titerations,\n\t\t\tname: 'PBKDF2',\n\t\t\tsalt: salt as BufferSource\n\t\t},\n\t\tbase,\n\t\t{ length: 256, name: 'AES-GCM' },\n\t\tfalse,\n\t\t['encrypt', 'decrypt']\n\t);\n};\n\nconst importRawKey = async (bytes: Uint8Array): Promise<CryptoKey> => {\n\tif (bytes.length !== KEY_BYTES) {\n\t\tthrow new Error(\n\t\t\t`[secrets/encrypted-file] raw key must be ${KEY_BYTES} bytes (got ${bytes.length})`\n\t\t);\n\t}\n\treturn crypto.subtle.importKey(\n\t\t'raw',\n\t\tbytes as BufferSource,\n\t\t{ name: 'AES-GCM' },\n\t\tfalse,\n\t\t['encrypt', 'decrypt']\n\t);\n};\n\n/**\n * Durable secret adapter that stores `name → value` in an encrypted\n * JSON file (AES-256-GCM, per-value random IV). File is safe to commit\n * to a private repo as long as the master key is kept separately\n * (1Password, env var, hardware key, etc.).\n *\n * Two master-key shapes:\n *\n * - `{ type: 'passphrase', passphrase }` — PBKDF2-SHA256 from the\n * passphrase, salt stored in the file. OWASP 2025 default (600k\n * iterations); add a stronger one via `pbkdf2Iterations`.\n * - `{ type: 'raw', bytes }` — 32 raw bytes. No KDF. Useful when the\n * key comes from a vendor secret manager that already gave you\n * random bytes.\n *\n * Caches decrypted values in memory after first read (consistent with\n * the broker's caching layer above it).\n */\nexport const encryptedFileAdapter = (\n\toptions: EncryptedFileAdapterOptions\n): SecretAdapter => {\n\tconst io = options.io ?? defaultIo();\n\tconst iterations = options.pbkdf2Iterations ?? DEFAULT_PBKDF2_ITERATIONS;\n\tconst rotate = options.rotate ?? (() => randomBase36(32));\n\n\tlet cache: Map<string, string> | undefined;\n\tlet derivedKey: CryptoKey | undefined;\n\tlet salt: Uint8Array | undefined;\n\n\tconst ensureKey = async (): Promise<CryptoKey> => {\n\t\tif (derivedKey !== undefined) return derivedKey;\n\t\tif (options.key.type === 'raw') {\n\t\t\tderivedKey = await importRawKey(options.key.bytes);\n\t\t\treturn derivedKey;\n\t\t}\n\t\tif (salt === undefined) {\n\t\t\tsalt = crypto.getRandomValues(new Uint8Array(SALT_BYTES));\n\t\t}\n\t\tderivedKey = await deriveKeyFromPassphrase(\n\t\t\toptions.key.passphrase,\n\t\t\tsalt,\n\t\t\titerations\n\t\t);\n\t\treturn derivedKey;\n\t};\n\n\tconst load = async (): Promise<Map<string, string>> => {\n\t\tif (cache !== undefined) return cache;\n\t\tconst fileText = await io.readFile(options.path);\n\t\tif (fileText === undefined) {\n\t\t\tcache = new Map();\n\t\t\treturn cache;\n\t\t}\n\t\tlet parsed: EncryptedFile;\n\t\ttry {\n\t\t\tparsed = JSON.parse(fileText) as EncryptedFile;\n\t\t} catch (error) {\n\t\t\tthrow new Error(\n\t\t\t\t`[secrets/encrypted-file] could not parse ${options.path}: ${\n\t\t\t\t\t(error as Error).message\n\t\t\t\t}`\n\t\t\t);\n\t\t}\n\t\tif (parsed.version !== ENC_FILE_VERSION) {\n\t\t\tthrow new Error(\n\t\t\t\t`[secrets/encrypted-file] unsupported file version ${parsed.version} in ${options.path}`\n\t\t\t);\n\t\t}\n\t\tif (parsed.kdf !== undefined) {\n\t\t\tif (options.key.type !== 'passphrase') {\n\t\t\t\tthrow new Error(\n\t\t\t\t\t`[secrets/encrypted-file] file was written with a passphrase but raw key was supplied`\n\t\t\t\t);\n\t\t\t}\n\t\t\tsalt = base64ToBytes(parsed.kdf.salt);\n\t\t} else if (options.key.type === 'passphrase') {\n\t\t\tthrow new Error(\n\t\t\t\t`[secrets/encrypted-file] file was written with a raw key but passphrase was supplied`\n\t\t\t);\n\t\t}\n\t\tconst key = await ensureKey();\n\t\tconst decoded = new Map<string, string>();\n\t\tfor (const [name, entry] of Object.entries(parsed.values)) {\n\t\t\ttry {\n\t\t\t\tconst iv = base64ToBytes(entry.iv) as BufferSource;\n\t\t\t\tconst ct = base64ToBytes(entry.ct) as BufferSource;\n\t\t\t\tconst pt = await crypto.subtle.decrypt(\n\t\t\t\t\t{ iv, name: 'AES-GCM' },\n\t\t\t\t\tkey,\n\t\t\t\t\tct\n\t\t\t\t);\n\t\t\t\tdecoded.set(name, new TextDecoder().decode(pt));\n\t\t\t} catch {\n\t\t\t\tthrow new Error(\n\t\t\t\t\t`[secrets/encrypted-file] failed to decrypt \"${name}\" in ${options.path} — wrong master key or corrupted file`\n\t\t\t\t);\n\t\t\t}\n\t\t}\n\t\tcache = decoded;\n\t\treturn cache;\n\t};\n\n\tconst save = async (): Promise<void> => {\n\t\tconst data = cache ?? new Map<string, string>();\n\t\tconst key = await ensureKey();\n\t\tconst values: Record<string, EncryptedEntry> = {};\n\t\tfor (const [name, value] of data) {\n\t\t\tconst iv = crypto.getRandomValues(new Uint8Array(IV_BYTES));\n\t\t\tconst ct = await crypto.subtle.encrypt(\n\t\t\t\t{ iv: iv as BufferSource, name: 'AES-GCM' },\n\t\t\t\tkey,\n\t\t\t\tnew TextEncoder().encode(value) as BufferSource\n\t\t\t);\n\t\t\tvalues[name] = {\n\t\t\t\tct: bytesToBase64(new Uint8Array(ct)),\n\t\t\t\tiv: bytesToBase64(iv)\n\t\t\t};\n\t\t}\n\t\tconst file: EncryptedFile = {\n\t\t\tvalues,\n\t\t\tversion: ENC_FILE_VERSION,\n\t\t\t...(options.key.type === 'passphrase' && salt !== undefined\n\t\t\t\t? {\n\t\t\t\t\t\tkdf: {\n\t\t\t\t\t\t\titerations,\n\t\t\t\t\t\t\tsalt: bytesToBase64(salt),\n\t\t\t\t\t\t\ttype: 'pbkdf2-sha256'\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t: {})\n\t\t};\n\t\tawait io.writeFileAtomic(options.path, JSON.stringify(file, null, 2));\n\t};\n\n\treturn {\n\t\tfetch: async (name) => {\n\t\t\tconst data = await load();\n\t\t\treturn data.get(name) ?? null;\n\t\t},\n\t\tlist: async () => {\n\t\t\tconst data = await load();\n\t\t\treturn Array.from(data.keys());\n\t\t},\n\t\tput: async (name, value) => {\n\t\t\tconst data = await load();\n\t\t\tdata.set(name, value);\n\t\t\tawait save();\n\t\t},\n\t\tremove: async (name) => {\n\t\t\tconst data = await load();\n\t\t\tdata.delete(name);\n\t\t\tawait save();\n\t\t},\n\t\trotate: async (name) => {\n\t\t\tconst data = await load();\n\t\t\tconst previous = data.get(name) ?? null;\n\t\t\tconst next = rotate(name, previous);\n\t\t\tdata.set(name, next);\n\t\t\tawait save();\n\t\t\treturn next;\n\t\t}\n\t};\n};\n\n// -----------------------------------------------------------------------------\n// Broker\n// -----------------------------------------------------------------------------\n\ntype CacheEntry = {\n\tvalue: string;\n\tfingerprint: string;\n\tstoredAt: number;\n};\n\nexport const createSecretBroker = (options: SecretBrokerOptions): SecretBroker => {\n\tconst clock = options.clock ?? Date.now;\n\tconst defaultTtl = options.cacheTtlMs ?? 60_000;\n\tconst ttlOverrides = options.cacheTtlOverrides ?? {};\n\tconst minLen = options.redactionMinLength ?? 8;\n\tconst encodings = options.redactionEncodings ?? ['plain'];\n\tconst audit = options.audit;\n\tconst cache = new Map<string, CacheEntry>();\n\tconst rotationListeners = new Map<string, Set<RotationListener>>();\n\tlet disposed = false;\n\tlet draining = false;\n\t// 0.3.0: OTel tracer (noop when options.tracerProvider unset).\n\tconst tracer = tracerOrNoop(options.tracerProvider, '@absolutejs/secrets');\n\t// 0.2.0: cumulative operator counters. Survive `drain()` and\n\t// `dispose()` so the operator can read final state post-shutdown.\n\tconst counters: SecretBrokerMetrics = {\n\t\tinvalidations: 0,\n\t\tredactCalls: 0,\n\t\tredactionsApplied: 0,\n\t\tredactionsBase64: 0,\n\t\tresolveErrors: 0,\n\t\tresolveHits: 0,\n\t\tresolveMisses: 0,\n\t\tresolves: 0,\n\t\trotateErrors: 0,\n\t\trotates: 0\n\t};\n\n\tconst ttlFor = (name: string): number => ttlOverrides[name] ?? defaultTtl;\n\n\tconst fireRotation = (name: string, value: string, fingerprint: string, at: number) => {\n\t\tconst set = rotationListeners.get(name);\n\t\tif (!set || set.size === 0) return;\n\t\tfor (const listener of set) {\n\t\t\ttry {\n\t\t\t\tconst ret = listener({ at, fingerprint, name, value });\n\t\t\t\tif (ret && typeof (ret as Promise<void>).then === 'function') {\n\t\t\t\t\t(ret as Promise<void>).catch((error) => {\n\t\t\t\t\t\tconsole.error('[secrets] rotation listener rejected:', error);\n\t\t\t\t\t});\n\t\t\t\t}\n\t\t\t} catch (error) {\n\t\t\t\tconsole.error('[secrets] rotation listener threw:', error);\n\t\t\t}\n\t\t}\n\t};\n\n\tconst fireAudit = (event: AuditEvent) => {\n\t\tif (!audit) return;\n\t\ttry {\n\t\t\tconst result = audit(event);\n\t\t\tif (result && typeof (result as Promise<void>).then === 'function') {\n\t\t\t\t(result as Promise<void>).catch((error) => {\n\t\t\t\t\tconsole.error('[secrets] audit hook rejected:', error);\n\t\t\t\t});\n\t\t\t}\n\t\t} catch (error) {\n\t\t\tconsole.error('[secrets] audit hook threw:', error);\n\t\t}\n\t};\n\n\tconst cacheEntry = (name: string, value: string, now: number): CacheEntry => {\n\t\tconst entry: CacheEntry = {\n\t\t\tfingerprint: fingerprintOf(value),\n\t\t\tstoredAt: now,\n\t\t\tvalue,\n\t\t};\n\t\tcache.set(name, entry);\n\t\treturn entry;\n\t};\n\n\tconst resolve: SecretBroker['resolve'] = async (name) => {\n\t\tif (disposed) return null;\n\t\tif (draining) throw new BrokerDrainedError();\n\t\t// 0.3.0: span the resolve. Attribute carries the secret NAME\n\t\t// (safe) and on cache hit also the FINGERPRINT (also safe —\n\t\t// it's sha256-derived, never the value).\n\t\tconst span = tracer.startSpan('secrets.resolve', {\n\t\t\tattributes: { [ABS_ATTRS.secretName]: name }\n\t\t});\n\t\tcounters.resolves += 1;\n\t\tconst now = clock();\n\t\ttry {\n\t\t\tconst cached = cache.get(name);\n\t\t\tif (cached && now - cached.storedAt < ttlFor(name)) {\n\t\t\t\tcounters.resolveHits += 1;\n\t\t\t\tspan.setAttribute(ABS_ATTRS.secretFingerprint, cached.fingerprint);\n\t\t\t\tspan.setAttribute('secrets.cache', 'hit');\n\t\t\t\tfireAudit({ at: now, event: 'resolve.hit', fingerprint: cached.fingerprint, name });\n\t\t\t\tspan.setStatus({ code: 1 /* OK */ });\n\t\t\t\treturn { fingerprint: cached.fingerprint, value: cached.value };\n\t\t\t}\n\t\t\tcounters.resolveMisses += 1;\n\t\t\tspan.setAttribute('secrets.cache', 'miss');\n\t\t\tconst value = await options.adapter.fetch(name);\n\t\t\tif (value === null) {\n\t\t\t\tfireAudit({ at: now, event: 'resolve.miss', name });\n\t\t\t\tcache.delete(name);\n\t\t\t\tspan.setAttribute('secrets.found', false);\n\t\t\t\tspan.setStatus({ code: 1 /* OK */ });\n\t\t\t\treturn null;\n\t\t\t}\n\t\t\tconst entry = cacheEntry(name, value, now);\n\t\t\tspan.setAttribute(ABS_ATTRS.secretFingerprint, entry.fingerprint);\n\t\t\tfireAudit({ at: now, event: 'resolve.miss', fingerprint: entry.fingerprint, name });\n\t\t\tspan.setStatus({ code: 1 /* OK */ });\n\t\t\treturn { fingerprint: entry.fingerprint, value: entry.value };\n\t\t} catch (error) {\n\t\t\tcounters.resolveErrors += 1;\n\t\t\tfireAudit({\n\t\t\t\tat: now,\n\t\t\t\terror: error instanceof Error ? error.message : String(error),\n\t\t\t\tevent: 'resolve.error',\n\t\t\t\tname,\n\t\t\t});\n\t\t\tspan.recordException(error);\n\t\t\tspan.setStatus({\n\t\t\t\tcode: 2 /* ERROR */,\n\t\t\t\tmessage: error instanceof Error ? error.message : String(error)\n\t\t\t});\n\t\t\tthrow error;\n\t\t} finally {\n\t\t\tspan.end();\n\t\t}\n\t};\n\n\tconst rotate: SecretBroker['rotate'] = async (name) => {\n\t\tif (disposed) throw new Error('Broker is disposed');\n\t\tif (draining) throw new BrokerDrainedError();\n\t\tif (!options.adapter.rotate) {\n\t\t\tthrow new Error('Adapter does not support rotate()');\n\t\t}\n\t\t// 0.3.0: span the rotation. The pre-rotation fingerprint isn't\n\t\t// known until after the cache lookup is done; attach the new\n\t\t// fingerprint on success.\n\t\tconst span = tracer.startSpan('secrets.rotate', {\n\t\t\tattributes: { [ABS_ATTRS.secretName]: name }\n\t\t});\n\t\ttry {\n\t\t\tconst next = await options.adapter.rotate(name);\n\t\t\tconst now = clock();\n\t\t\tconst entry = cacheEntry(name, next, now);\n\t\t\tcounters.rotates += 1;\n\t\t\tspan.setAttribute(ABS_ATTRS.secretFingerprint, entry.fingerprint);\n\t\t\tspan.setStatus({ code: 1 /* OK */ });\n\t\t\tfireAudit({ at: now, event: 'rotate', fingerprint: entry.fingerprint, name });\n\t\t\tfireRotation(name, entry.value, entry.fingerprint, now);\n\t\t\treturn { fingerprint: entry.fingerprint, value: entry.value };\n\t\t} catch (error) {\n\t\t\tcounters.rotateErrors += 1;\n\t\t\tspan.recordException(error);\n\t\t\tspan.setStatus({\n\t\t\t\tcode: 2 /* ERROR */,\n\t\t\t\tmessage: error instanceof Error ? error.message : String(error)\n\t\t\t});\n\t\t\tthrow error;\n\t\t} finally {\n\t\t\tspan.end();\n\t\t}\n\t};\n\n\tconst invalidate: SecretBroker['invalidate'] = (name) => {\n\t\tif (name === undefined) {\n\t\t\tcache.clear();\n\t\t} else {\n\t\t\tcache.delete(name);\n\t\t}\n\t\tcounters.invalidations += 1;\n\t\tfireAudit({ at: clock(), event: 'invalidate', name: name ?? null });\n\t};\n\n\t// Returns every (representation, replacementLabel) pair currently in\n\t// the cache that's worth searching for. Longest-first so a longer\n\t// secret blanks BEFORE one of its substrings would.\n\tconst redactionPairs = (): Array<[string, string]> => {\n\t\tconst pairs: Array<[string, string]> = [];\n\t\tfor (const [name, entry] of cache) {\n\t\t\tif (entry.value.length < minLen) continue;\n\t\t\tfor (const enc of encodings) {\n\t\t\t\tif (enc === 'plain') {\n\t\t\t\t\tpairs.push([entry.value, `[REDACTED:${name}]`]);\n\t\t\t\t} else if (enc === 'base64') {\n\t\t\t\t\ttry {\n\t\t\t\t\t\tconst encoded = btoa(entry.value);\n\t\t\t\t\t\t// Skip if encoding produces a too-short token to be safe.\n\t\t\t\t\t\tif (encoded.length >= minLen) {\n\t\t\t\t\t\t\tpairs.push([encoded, `[REDACTED:${name}:b64]`]);\n\t\t\t\t\t\t}\n\t\t\t\t\t} catch {\n\t\t\t\t\t\t// btoa rejects non-Latin-1; skip silently.\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\tpairs.sort((a, b) => b[0].length - a[0].length);\n\t\treturn pairs;\n\t};\n\n\tconst redact: SecretBroker['redact'] = (text) => {\n\t\tcounters.redactCalls += 1;\n\t\tif (text.length === 0 || cache.size === 0) return text;\n\t\tlet out = text;\n\t\tfor (const [needle, replacement] of redactionPairs()) {\n\t\t\tif (!out.includes(needle)) continue;\n\t\t\tout = out.split(needle).join(replacement);\n\t\t\tcounters.redactionsApplied += 1;\n\t\t\tif (replacement.endsWith(':b64]')) counters.redactionsBase64 += 1;\n\t\t}\n\t\treturn out;\n\t};\n\n\tconst redactStream: SecretBroker['redactStream'] = () => {\n\t\t// Per-chunk algorithm:\n\t\t// 1. Append chunk to buffer.\n\t\t// 2. Redact the WHOLE buffer (complete secrets → labels).\n\t\t// 3. Hold back the last `lookback` chars — they might contain a\n\t\t// partial secret that completes on the next chunk. The next\n\t\t// chunk's redact() will catch it once the full secret arrives.\n\t\t// 4. Emit the safe prefix.\n\t\t// Without step 2 happening BEFORE the split, a secret straddling the\n\t\t// boundary would have its prefix emitted un-redacted before the suffix\n\t\t// even shows up.\n\t\tlet buffer = '';\n\t\tconst maxLen = () =>\n\t\t\tredactionPairs().reduce((max, [needle]) => Math.max(max, needle.length), 0);\n\t\treturn new TransformStream<string, string>({\n\t\t\ttransform: (chunk, controller) => {\n\t\t\t\tbuffer += chunk;\n\t\t\t\tconst lookback = maxLen();\n\t\t\t\tconst reduced = redact(buffer);\n\t\t\t\tif (reduced.length <= lookback) {\n\t\t\t\t\tbuffer = reduced;\n\t\t\t\t\treturn;\n\t\t\t\t}\n\t\t\t\tconst safe = reduced.slice(0, reduced.length - lookback);\n\t\t\t\tbuffer = reduced.slice(reduced.length - lookback);\n\t\t\t\tif (safe.length > 0) controller.enqueue(safe);\n\t\t\t},\n\t\t\tflush: (controller) => {\n\t\t\t\tif (buffer.length === 0) return;\n\t\t\t\tcontroller.enqueue(redact(buffer));\n\t\t\t\tbuffer = '';\n\t\t\t},\n\t\t});\n\t};\n\n\tconst onRotate: SecretBroker['onRotate'] = (name, listener) => {\n\t\tlet set = rotationListeners.get(name);\n\t\tif (!set) {\n\t\t\tset = new Set();\n\t\t\trotationListeners.set(name, set);\n\t\t}\n\t\tset.add(listener);\n\t\treturn () => {\n\t\t\tconst current = rotationListeners.get(name);\n\t\t\tif (!current) return;\n\t\t\tcurrent.delete(listener);\n\t\t\tif (current.size === 0) rotationListeners.delete(name);\n\t\t};\n\t};\n\n\treturn {\n\t\tdispose: () => {\n\t\t\tdisposed = true;\n\t\t\tcache.clear();\n\t\t\trotationListeners.clear();\n\t\t},\n\t\tdrain: () => {\n\t\t\tdraining = true;\n\t\t},\n\t\tfingerprint: fingerprintOf,\n\t\tinvalidate,\n\t\tmetrics: () => ({ ...counters }),\n\t\tonRotate,\n\t\tredact,\n\t\tredactStream,\n\t\tresolve,\n\t\trotate,\n\t};\n};\n"
6
7
  ],
7
- "mappings": ";;AAkNO,MAAM,2BAA2B,MAAM;AAAA,EAC7C,WAAW,GAAG;AAAA,IACb,MACC,iEACC,mDACF;AAAA,IACA,KAAK,OAAO;AAAA;AAEd;AAMA,IAAM,MAAM;AAEZ,IAAM,YAAY,CAAC,UAA0B;AAAA,EAQ5C,OAAO,OAAO,KAAK;AAAA;AAIpB,IAAM,kBAAkB,IAAI,YAAY;AAAA,EACvC;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAC5D;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAC5D;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAC5D;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAC5D;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAC5D;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAC5D;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAC5D;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAC5D;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAC5D;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAC5D;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AACrC,CAAC;AAED,IAAM,SAAS,CAAC,UAA0B;AAAA,EACzC,MAAM,QAAQ,IAAI,YAAY,EAAE,OAAO,KAAK;AAAA,EAC5C,MAAM,YAAY,MAAM,SAAS;AAAA,EACjC,MAAM,aAAc,MAAM,SAAS,IAAI,KAAM,CAAC,MAAM,MAAM;AAAA,EAC1D,MAAM,SAAS,IAAI,WAAW,MAAM,SAAS,SAAS;AAAA,EACtD,OAAO,IAAI,KAAK;AAAA,EAChB,OAAO,MAAM,UAAU;AAAA,EACvB,MAAM,OAAO,IAAI,SAAS,OAAO,MAAM;AAAA,EACvC,KAAK,UAAU,OAAO,SAAS,GAAG,cAAc,CAAC;AAAA,EACjD,KAAK,UAAU,OAAO,SAAS,GAAG,KAAK,MAAM,YAAY,UAAa,CAAC;AAAA,EAEvE,IAAI,KAAK,YAAY,KAAK,YAAY,KAAK,YAAY,KAAK;AAAA,EAC5D,IAAI,KAAK,YAAY,KAAK,YAAY,KAAK,WAAY,KAAK;AAAA,EAC5D,MAAM,IAAI,IAAI,YAAY,EAAE;AAAA,EAC5B,SAAS,IAAI,EAAG,IAAI,OAAO,QAAQ,KAAK,IAAI;AAAA,IAC3C,SAAS,IAAI,EAAG,IAAI,IAAI,KAAK;AAAA,MAC5B,EAAE,KAAK,KAAK,UAAU,IAAI,IAAI,CAAC;AAAA,IAChC;AAAA,IACA,SAAS,IAAI,GAAI,IAAI,IAAI,KAAK;AAAA,MAC7B,MAAM,MAAM,EAAE,IAAI;AAAA,MAClB,MAAM,KAAK,EAAE,IAAI;AAAA,MACjB,MAAM,MAAO,QAAQ,IAAM,OAAO,OAAS,QAAQ,KAAO,OAAO,MAAQ,QAAQ;AAAA,MACjF,MAAM,MAAO,OAAO,KAAO,MAAM,OAAS,OAAO,KAAO,MAAM,MAAQ,OAAO;AAAA,MAC7E,EAAE,KAAM,EAAE,IAAI,MAAO,KAAK,EAAE,IAAI,KAAM,OAAQ;AAAA,IAC/C;AAAA,IACA,IAAI,IAAI,IAAI,IAAI,IAAI,IAAI,IAAI,IAAI,IAAI,IAAI,IAAI,IAAI,IAAI,IAAI,IAAI,IAAI;AAAA,IAChE,SAAS,IAAI,EAAG,IAAI,IAAI,KAAK;AAAA,MAC5B,MAAM,MAAO,MAAM,IAAM,KAAK,OAAS,MAAM,KAAO,KAAK,OAAS,MAAM,KAAO,KAAK;AAAA,MACpF,MAAM,KAAM,IAAI,IAAM,CAAC,IAAI;AAAA,MAC3B,MAAM,KAAM,IAAI,KAAK,KAAK,gBAAgB,KAAM,EAAE,OAAS;AAAA,MAC3D,MAAM,MAAO,MAAM,IAAM,KAAK,OAAS,MAAM,KAAO,KAAK,OAAS,MAAM,KAAO,KAAK;AAAA,MACpF,MAAM,MAAO,IAAI,IAAM,IAAI,IAAM,IAAI;AAAA,MACrC,MAAM,KAAM,KAAK,QAAS;AAAA,MAC1B,IAAI;AAAA,MACJ,IAAI;AAAA,MACJ,IAAI;AAAA,MACJ,IAAK,IAAI,OAAQ;AAAA,MACjB,IAAI;AAAA,MACJ,IAAI;AAAA,MACJ,IAAI;AAAA,MACJ,IAAK,KAAK,OAAQ;AAAA,IACnB;AAAA,IACA,KAAM,KAAK,MAAO;AAAA,IAClB,KAAM,KAAK,MAAO;AAAA,IAClB,KAAM,KAAK,MAAO;AAAA,IAClB,KAAM,KAAK,MAAO;AAAA,IAClB,KAAM,KAAK,MAAO;AAAA,IAClB,KAAM,KAAK,MAAO;AAAA,IAClB,KAAM,KAAK,MAAO;AAAA,IAClB,KAAM,KAAK,MAAO;AAAA,EACnB;AAAA,EACA,MAAM,QAAQ,CAAC,MAAsB;AAAA,IACpC,IAAI,SAAS;AAAA,IACb,SAAS,IAAI,EAAG,KAAK,GAAG,KAAK;AAAA,MAC5B,UAAU,IAAK,MAAO,IAAI,IAAM;AAAA,IACjC;AAAA,IACA,OAAO;AAAA;AAAA,EAER,OAAO,MAAM,EAAE,IAAI,MAAM,EAAE,IAAI,MAAM,EAAE,IAAI,MAAM,EAAE,IAAI,MAAM,EAAE,IAAI,MAAM,EAAE,IAAI,MAAM,EAAE,IAAI,MAAM,EAAE;AAAA;AAGpG,IAAM,gBAAgB,CAAC,UAA0B,UAAU,KAAK,EAAE,MAAM,GAAG,CAAC;AAY5E,IAAM,eAAe,CAAC,WAA2B;AAAA,EAChD,IAAI,MAAM;AAAA,EACV,OAAO,IAAI,SAAS,QAAQ;AAAA,IAC3B,OAAO,KAAK,OAAO,EAAE,SAAS,EAAE,EAAE,MAAM,CAAC;AAAA,EAC1C;AAAA,EACA,OAAO,IAAI,MAAM,GAAG,MAAM;AAAA;AAGpB,IAAM,kBAAkB,CAC9B,UAAkC,CAAC,MAChB;AAAA,EACnB,MAAM,QAAQ,IAAI;AAAA,EAClB,YAAY,GAAG,MAAM,OAAO,QAAQ,QAAQ,WAAW,CAAC,CAAC;AAAA,IAAG,MAAM,IAAI,GAAG,CAAC;AAAA,EAC1E,MAAM,SAAS,QAAQ,WAAW,MAAM,aAAa,EAAE;AAAA,EACvD,OAAO;AAAA,IACN,OAAO,OAAO,SAAS,MAAM,IAAI,IAAI,KAAK;AAAA,IAC1C,MAAM,YAAY,MAAM,KAAK,MAAM,KAAK,CAAC;AAAA,IACzC,KAAK,OAAO,MAAM,UAAU;AAAA,MAAE,MAAM,IAAI,MAAM,KAAK;AAAA;AAAA,IACnD,QAAQ,OAAO,SAAS;AAAA,MAAE,MAAM,OAAO,IAAI;AAAA;AAAA,IAC3C,QAAQ,OAAO,SAAS;AAAA,MACvB,MAAM,OAAO,OAAO,MAAM,MAAM,IAAI,IAAI,KAAK,IAAI;AAAA,MACjD,MAAM,IAAI,MAAM,IAAI;AAAA,MACpB,OAAO;AAAA;AAAA,EAET;AAAA;AAcM,IAAM,aAAa,CAAC,UAA6B,CAAC,MAAqB;AAAA,EAC7E,MAAM,SAAS,QAAQ,UAAU;AAAA,EACjC,MAAM,MAAM,QAAQ,OAAQ,WAA0E,SAAS,OAAO,CAAC;AAAA,EACvH,OAAO;AAAA,IACN,OAAO,OAAO,SAAS;AAAA,MACtB,MAAM,MAAM,GAAG,SAAS;AAAA,MACxB,MAAM,QAAQ,IAAI;AAAA,MAClB,OAAO,UAAU,YAAY,OAAO;AAAA;AAAA,IAErC,MAAM,YAAY;AAAA,MACjB,IAAI,CAAC;AAAA,QAAQ,OAAO,OAAO,KAAK,GAAG;AAAA,MACnC,MAAM,UAAoB,CAAC;AAAA,MAC3B,WAAW,OAAO,OAAO,KAAK,GAAG,GAAG;AAAA,QACnC,IAAI,IAAI,WAAW,MAAM;AAAA,UAAG,QAAQ,KAAK,IAAI,MAAM,OAAO,MAAM,CAAC;AAAA,MAClE;AAAA,MACA,OAAO;AAAA;AAAA,EAET;AAAA;AAOM,IAAM,mBAAmB,CAAC,aAA6C;AAAA,EAC7E,MAAM,YAAY,CAAgC,WACjD,SAAS,KAAK,CAAC,YAAY,QAAQ,YAAY,SAAS;AAAA,EACzD,OAAO;AAAA,IACN,OAAO,OAAO,SAAS;AAAA,MACtB,WAAW,WAAW,UAAU;AAAA,QAC/B,MAAM,QAAQ,MAAM,QAAQ,MAAM,IAAI;AAAA,QACtC,IAAI,UAAU;AAAA,UAAM,OAAO;AAAA,MAC5B;AAAA,MACA,OAAO;AAAA;AAAA,IAER,MAAM,YAAY;AAAA,MACjB,MAAM,OAAO,IAAI;AAAA,MACjB,WAAW,WAAW,UAAU;AAAA,QAC/B,IAAI,CAAC,QAAQ;AAAA,UAAM;AAAA,QACnB,WAAW,QAAQ,MAAM,QAAQ,KAAK;AAAA,UAAG,KAAK,IAAI,IAAI;AAAA,MACvD;AAAA,MACA,OAAO,MAAM,KAAK,IAAI;AAAA;AAAA,IAEvB,KAAK,OAAO,MAAM,UAAU;AAAA,MAC3B,MAAM,SAAS,UAAU,KAAK;AAAA,MAC9B,IAAI,CAAC,QAAQ;AAAA,QAAK,MAAM,IAAI,MAAM,4CAA4C;AAAA,MAC9E,MAAM,OAAO,IAAI,MAAM,KAAK;AAAA;AAAA,IAE7B,QAAQ,OAAO,SAAS;AAAA,MACvB,MAAM,SAAS,UAAU,QAAQ;AAAA,MACjC,IAAI,CAAC,QAAQ;AAAA,QAAQ,MAAM,IAAI,MAAM,+CAA+C;AAAA,MACpF,MAAM,OAAO,OAAO,IAAI;AAAA;AAAA,IAEzB,QAAQ,OAAO,SAAS;AAAA,MACvB,MAAM,SAAS,UAAU,QAAQ;AAAA,MACjC,IAAI,CAAC,QAAQ;AAAA,QAAQ,MAAM,IAAI,MAAM,+CAA+C;AAAA,MACpF,OAAO,OAAO,OAAO,IAAI;AAAA;AAAA,EAE3B;AAAA;AAaM,IAAM,qBAAqB,CAAC,YAA+C;AAAA,EACjF,MAAM,QAAQ,QAAQ,SAAS,KAAK;AAAA,EACpC,MAAM,aAAa,QAAQ,cAAc;AAAA,EACzC,MAAM,eAAe,QAAQ,qBAAqB,CAAC;AAAA,EACnD,MAAM,SAAS,QAAQ,sBAAsB;AAAA,EAC7C,MAAM,YAAY,QAAQ,sBAAsB,CAAC,OAAO;AAAA,EACxD,MAAM,QAAQ,QAAQ;AAAA,EACtB,MAAM,QAAQ,IAAI;AAAA,EAClB,MAAM,oBAAoB,IAAI;AAAA,EAC9B,IAAI,WAAW;AAAA,EACf,IAAI,WAAW;AAAA,EAGf,MAAM,WAAgC;AAAA,IACrC,eAAe;AAAA,IACf,aAAa;AAAA,IACb,mBAAmB;AAAA,IACnB,kBAAkB;AAAA,IAClB,eAAe;AAAA,IACf,aAAa;AAAA,IACb,eAAe;AAAA,IACf,UAAU;AAAA,IACV,cAAc;AAAA,IACd,SAAS;AAAA,EACV;AAAA,EAEA,MAAM,SAAS,CAAC,SAAyB,aAAa,SAAS;AAAA,EAE/D,MAAM,eAAe,CAAC,MAAc,OAAe,aAAqB,OAAe;AAAA,IACtF,MAAM,MAAM,kBAAkB,IAAI,IAAI;AAAA,IACtC,IAAI,CAAC,OAAO,IAAI,SAAS;AAAA,MAAG;AAAA,IAC5B,WAAW,YAAY,KAAK;AAAA,MAC3B,IAAI;AAAA,QACH,MAAM,MAAM,SAAS,EAAE,IAAI,aAAa,MAAM,MAAM,CAAC;AAAA,QACrD,IAAI,OAAO,OAAQ,IAAsB,SAAS,YAAY;AAAA,UAC5D,IAAsB,MAAM,CAAC,UAAU;AAAA,YACvC,QAAQ,MAAM,yCAAyC,KAAK;AAAA,WAC5D;AAAA,QACF;AAAA,QACC,OAAO,OAAO;AAAA,QACf,QAAQ,MAAM,sCAAsC,KAAK;AAAA;AAAA,IAE3D;AAAA;AAAA,EAGD,MAAM,YAAY,CAAC,UAAsB;AAAA,IACxC,IAAI,CAAC;AAAA,MAAO;AAAA,IACZ,IAAI;AAAA,MACH,MAAM,SAAS,MAAM,KAAK;AAAA,MAC1B,IAAI,UAAU,OAAQ,OAAyB,SAAS,YAAY;AAAA,QAClE,OAAyB,MAAM,CAAC,UAAU;AAAA,UAC1C,QAAQ,MAAM,kCAAkC,KAAK;AAAA,SACrD;AAAA,MACF;AAAA,MACC,OAAO,OAAO;AAAA,MACf,QAAQ,MAAM,+BAA+B,KAAK;AAAA;AAAA;AAAA,EAIpD,MAAM,aAAa,CAAC,MAAc,OAAe,QAA4B;AAAA,IAC5E,MAAM,QAAoB;AAAA,MACzB,aAAa,cAAc,KAAK;AAAA,MAChC,UAAU;AAAA,MACV;AAAA,IACD;AAAA,IACA,MAAM,IAAI,MAAM,KAAK;AAAA,IACrB,OAAO;AAAA;AAAA,EAGR,MAAM,UAAmC,OAAO,SAAS;AAAA,IACxD,IAAI;AAAA,MAAU,OAAO;AAAA,IACrB,IAAI;AAAA,MAAU,MAAM,IAAI;AAAA,IACxB,SAAS,YAAY;AAAA,IACrB,MAAM,MAAM,MAAM;AAAA,IAClB,MAAM,SAAS,MAAM,IAAI,IAAI;AAAA,IAC7B,IAAI,UAAU,MAAM,OAAO,WAAW,OAAO,IAAI,GAAG;AAAA,MACnD,SAAS,eAAe;AAAA,MACxB,UAAU,EAAE,IAAI,KAAK,OAAO,eAAe,aAAa,OAAO,aAAa,KAAK,CAAC;AAAA,MAClF,OAAO,EAAE,aAAa,OAAO,aAAa,OAAO,OAAO,MAAM;AAAA,IAC/D;AAAA,IACA,SAAS,iBAAiB;AAAA,IAC1B,IAAI;AAAA,MACH,MAAM,QAAQ,MAAM,QAAQ,QAAQ,MAAM,IAAI;AAAA,MAC9C,IAAI,UAAU,MAAM;AAAA,QACnB,UAAU,EAAE,IAAI,KAAK,OAAO,gBAAgB,KAAK,CAAC;AAAA,QAClD,MAAM,OAAO,IAAI;AAAA,QACjB,OAAO;AAAA,MACR;AAAA,MACA,MAAM,QAAQ,WAAW,MAAM,OAAO,GAAG;AAAA,MACzC,UAAU,EAAE,IAAI,KAAK,OAAO,gBAAgB,aAAa,MAAM,aAAa,KAAK,CAAC;AAAA,MAClF,OAAO,EAAE,aAAa,MAAM,aAAa,OAAO,MAAM,MAAM;AAAA,MAC3D,OAAO,OAAO;AAAA,MACf,SAAS,iBAAiB;AAAA,MAC1B,UAAU;AAAA,QACT,IAAI;AAAA,QACJ,OAAO,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK;AAAA,QAC5D,OAAO;AAAA,QACP;AAAA,MACD,CAAC;AAAA,MACD,MAAM;AAAA;AAAA;AAAA,EAIR,MAAM,SAAiC,OAAO,SAAS;AAAA,IACtD,IAAI;AAAA,MAAU,MAAM,IAAI,MAAM,oBAAoB;AAAA,IAClD,IAAI;AAAA,MAAU,MAAM,IAAI;AAAA,IACxB,IAAI,CAAC,QAAQ,QAAQ,QAAQ;AAAA,MAC5B,MAAM,IAAI,MAAM,mCAAmC;AAAA,IACpD;AAAA,IACA,IAAI;AAAA,MACH,MAAM,OAAO,MAAM,QAAQ,QAAQ,OAAO,IAAI;AAAA,MAC9C,MAAM,MAAM,MAAM;AAAA,MAClB,MAAM,QAAQ,WAAW,MAAM,MAAM,GAAG;AAAA,MACxC,SAAS,WAAW;AAAA,MACpB,UAAU,EAAE,IAAI,KAAK,OAAO,UAAU,aAAa,MAAM,aAAa,KAAK,CAAC;AAAA,MAC5E,aAAa,MAAM,MAAM,OAAO,MAAM,aAAa,GAAG;AAAA,MACtD,OAAO,EAAE,aAAa,MAAM,aAAa,OAAO,MAAM,MAAM;AAAA,MAC3D,OAAO,OAAO;AAAA,MACf,SAAS,gBAAgB;AAAA,MACzB,MAAM;AAAA;AAAA;AAAA,EAIR,MAAM,aAAyC,CAAC,SAAS;AAAA,IACxD,IAAI,SAAS,WAAW;AAAA,MACvB,MAAM,MAAM;AAAA,IACb,EAAO;AAAA,MACN,MAAM,OAAO,IAAI;AAAA;AAAA,IAElB,SAAS,iBAAiB;AAAA,IAC1B,UAAU,EAAE,IAAI,MAAM,GAAG,OAAO,cAAc,MAAM,QAAQ,KAAK,CAAC;AAAA;AAAA,EAMnE,MAAM,iBAAiB,MAA+B;AAAA,IACrD,MAAM,QAAiC,CAAC;AAAA,IACxC,YAAY,MAAM,UAAU,OAAO;AAAA,MAClC,IAAI,MAAM,MAAM,SAAS;AAAA,QAAQ;AAAA,MACjC,WAAW,OAAO,WAAW;AAAA,QAC5B,IAAI,QAAQ,SAAS;AAAA,UACpB,MAAM,KAAK,CAAC,MAAM,OAAO,aAAa,OAAO,CAAC;AAAA,QAC/C,EAAO,SAAI,QAAQ,UAAU;AAAA,UAC5B,IAAI;AAAA,YACH,MAAM,UAAU,KAAK,MAAM,KAAK;AAAA,YAEhC,IAAI,QAAQ,UAAU,QAAQ;AAAA,cAC7B,MAAM,KAAK,CAAC,SAAS,aAAa,WAAW,CAAC;AAAA,YAC/C;AAAA,YACC,MAAM;AAAA,QAGT;AAAA,MACD;AAAA,IACD;AAAA,IACA,MAAM,KAAK,CAAC,GAAG,MAAM,EAAE,GAAG,SAAS,EAAE,GAAG,MAAM;AAAA,IAC9C,OAAO;AAAA;AAAA,EAGR,MAAM,SAAiC,CAAC,SAAS;AAAA,IAChD,SAAS,eAAe;AAAA,IACxB,IAAI,KAAK,WAAW,KAAK,MAAM,SAAS;AAAA,MAAG,OAAO;AAAA,IAClD,IAAI,MAAM;AAAA,IACV,YAAY,QAAQ,gBAAgB,eAAe,GAAG;AAAA,MACrD,IAAI,CAAC,IAAI,SAAS,MAAM;AAAA,QAAG;AAAA,MAC3B,MAAM,IAAI,MAAM,MAAM,EAAE,KAAK,WAAW;AAAA,MACxC,SAAS,qBAAqB;AAAA,MAC9B,IAAI,YAAY,SAAS,OAAO;AAAA,QAAG,SAAS,oBAAoB;AAAA,IACjE;AAAA,IACA,OAAO;AAAA;AAAA,EAGR,MAAM,eAA6C,MAAM;AAAA,IAWxD,IAAI,SAAS;AAAA,IACb,MAAM,SAAS,MACd,eAAe,EAAE,OAAO,CAAC,MAAM,YAAY,KAAK,IAAI,KAAK,OAAO,MAAM,GAAG,CAAC;AAAA,IAC3E,OAAO,IAAI,gBAAgC;AAAA,MAC1C,WAAW,CAAC,OAAO,eAAe;AAAA,QACjC,UAAU;AAAA,QACV,MAAM,WAAW,OAAO;AAAA,QACxB,MAAM,UAAU,OAAO,MAAM;AAAA,QAC7B,IAAI,QAAQ,UAAU,UAAU;AAAA,UAC/B,SAAS;AAAA,UACT;AAAA,QACD;AAAA,QACA,MAAM,OAAO,QAAQ,MAAM,GAAG,QAAQ,SAAS,QAAQ;AAAA,QACvD,SAAS,QAAQ,MAAM,QAAQ,SAAS,QAAQ;AAAA,QAChD,IAAI,KAAK,SAAS;AAAA,UAAG,WAAW,QAAQ,IAAI;AAAA;AAAA,MAE7C,OAAO,CAAC,eAAe;AAAA,QACtB,IAAI,OAAO,WAAW;AAAA,UAAG;AAAA,QACzB,WAAW,QAAQ,OAAO,MAAM,CAAC;AAAA,QACjC,SAAS;AAAA;AAAA,IAEX,CAAC;AAAA;AAAA,EAGF,MAAM,WAAqC,CAAC,MAAM,aAAa;AAAA,IAC9D,IAAI,MAAM,kBAAkB,IAAI,IAAI;AAAA,IACpC,IAAI,CAAC,KAAK;AAAA,MACT,MAAM,IAAI;AAAA,MACV,kBAAkB,IAAI,MAAM,GAAG;AAAA,IAChC;AAAA,IACA,IAAI,IAAI,QAAQ;AAAA,IAChB,OAAO,MAAM;AAAA,MACZ,MAAM,UAAU,kBAAkB,IAAI,IAAI;AAAA,MAC1C,IAAI,CAAC;AAAA,QAAS;AAAA,MACd,QAAQ,OAAO,QAAQ;AAAA,MACvB,IAAI,QAAQ,SAAS;AAAA,QAAG,kBAAkB,OAAO,IAAI;AAAA;AAAA;AAAA,EAIvD,OAAO;AAAA,IACN,SAAS,MAAM;AAAA,MACd,WAAW;AAAA,MACX,MAAM,MAAM;AAAA,MACZ,kBAAkB,MAAM;AAAA;AAAA,IAEzB,OAAO,MAAM;AAAA,MACZ,WAAW;AAAA;AAAA,IAEZ,aAAa;AAAA,IACb;AAAA,IACA,SAAS,OAAO,KAAK,SAAS;AAAA,IAC9B;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACD;AAAA;",
8
- "debugId": "68E7DA7EF9820B8264756E2164756E21",
8
+ "mappings": ";;;;AAcA,IAAI,oBAAoB;AAAA,EACtB,QAAQ;AAAA,EACR,YAAY;AAAA,EACZ,SAAS;AACX;AACA,IAAI,WAAW;AAAA,EACb,UAAU,MAAM;AAAA,EAChB,KAAK,MAAM;AAAA,EACX,aAAa,MAAM;AAAA,EACnB,iBAAiB,MAAM;AAAA,EACvB,cAAc,MAAM;AAAA,EACpB,eAAe,MAAM;AAAA,EACrB,WAAW,MAAM;AAAA,EACjB,aAAa,MAAM;AAAA,EACnB,YAAY,MAAM;AACpB;AAEA,IAAI,sBAAsB,CAAC,OAAO,aAAa,YAAY;AAAA,EACzD,MAAM,KAAK,OAAO,gBAAgB,aAAa,cAAc;AAAA,EAC7D,OAAO,GAAG,QAAQ;AAAA;AAEpB,IAAI,aAAa;AAAA,EACf,iBAAiB;AAAA,EACjB,WAAW,MAAM;AACnB;AAKA,IAAI,eAAe,CAAC,UAAU,MAAM,YAAY,aAAa,YAAY,SAAS,UAAU,MAAM,OAAO,IAAI;AAC7G,IAAI,YAAY;AAAA,EACd,QAAQ;AAAA,EACR,SAAS;AAAA,EACT,UAAU;AAAA,EACV,YAAY;AAAA,EACZ,UAAU;AAAA,EACV,iBAAiB;AAAA,EACjB,gBAAgB;AAAA,EAChB,WAAW;AAAA,EACX,sBAAsB;AAAA,EACtB,OAAO;AAAA,EACP,SAAS;AAAA,EACT,YAAY;AAAA,EACZ,gBAAgB;AAAA,EAChB,UAAU;AAAA,EACV,YAAY;AAAA,EACZ,YAAY;AAAA,EACZ,aAAa;AAAA,EACb,mBAAmB;AAAA,EACnB,oBAAoB;AAAA,EACpB,YAAY;AAAA,EACZ,eAAe;AAAA,EACf,YAAY;AAAA,EACZ,mBAAmB;AAAA,EACnB,WAAW;AACb;;;AC6JO,MAAM,2BAA2B,MAAM;AAAA,EAC7C,WAAW,GAAG;AAAA,IACb,MACC,iEACC,mDACF;AAAA,IACA,KAAK,OAAO;AAAA;AAEd;AAMA,IAAM,MAAM;AAEZ,IAAM,YAAY,CAAC,UAA0B;AAAA,EAQ5C,OAAO,OAAO,KAAK;AAAA;AAIpB,IAAM,kBAAkB,IAAI,YAAY;AAAA,EACvC;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAC5D;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAC5D;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAC5D;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAC5D;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAC5D;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAC5D;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAC5D;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAC5D;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAC5D;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AAAA,EAC5D;AAAA,EAAY;AAAA,EAAY;AAAA,EAAY;AACrC,CAAC;AAED,IAAM,SAAS,CAAC,UAA0B;AAAA,EACzC,MAAM,QAAQ,IAAI,YAAY,EAAE,OAAO,KAAK;AAAA,EAC5C,MAAM,YAAY,MAAM,SAAS;AAAA,EACjC,MAAM,aAAc,MAAM,SAAS,IAAI,KAAM,CAAC,MAAM,MAAM;AAAA,EAC1D,MAAM,SAAS,IAAI,WAAW,MAAM,SAAS,SAAS;AAAA,EACtD,OAAO,IAAI,KAAK;AAAA,EAChB,OAAO,MAAM,UAAU;AAAA,EACvB,MAAM,OAAO,IAAI,SAAS,OAAO,MAAM;AAAA,EACvC,KAAK,UAAU,OAAO,SAAS,GAAG,cAAc,CAAC;AAAA,EACjD,KAAK,UAAU,OAAO,SAAS,GAAG,KAAK,MAAM,YAAY,UAAa,CAAC;AAAA,EAEvE,IAAI,KAAK,YAAY,KAAK,YAAY,KAAK,YAAY,KAAK;AAAA,EAC5D,IAAI,KAAK,YAAY,KAAK,YAAY,KAAK,WAAY,KAAK;AAAA,EAC5D,MAAM,IAAI,IAAI,YAAY,EAAE;AAAA,EAC5B,SAAS,IAAI,EAAG,IAAI,OAAO,QAAQ,KAAK,IAAI;AAAA,IAC3C,SAAS,IAAI,EAAG,IAAI,IAAI,KAAK;AAAA,MAC5B,EAAE,KAAK,KAAK,UAAU,IAAI,IAAI,CAAC;AAAA,IAChC;AAAA,IACA,SAAS,IAAI,GAAI,IAAI,IAAI,KAAK;AAAA,MAC7B,MAAM,MAAM,EAAE,IAAI;AAAA,MAClB,MAAM,KAAK,EAAE,IAAI;AAAA,MACjB,MAAM,MAAO,QAAQ,IAAM,OAAO,OAAS,QAAQ,KAAO,OAAO,MAAQ,QAAQ;AAAA,MACjF,MAAM,MAAO,OAAO,KAAO,MAAM,OAAS,OAAO,KAAO,MAAM,MAAQ,OAAO;AAAA,MAC7E,EAAE,KAAM,EAAE,IAAI,MAAO,KAAK,EAAE,IAAI,KAAM,OAAQ;AAAA,IAC/C;AAAA,IACA,IAAI,IAAI,IAAI,IAAI,IAAI,IAAI,IAAI,IAAI,IAAI,IAAI,IAAI,IAAI,IAAI,IAAI,IAAI,IAAI;AAAA,IAChE,SAAS,IAAI,EAAG,IAAI,IAAI,KAAK;AAAA,MAC5B,MAAM,MAAO,MAAM,IAAM,KAAK,OAAS,MAAM,KAAO,KAAK,OAAS,MAAM,KAAO,KAAK;AAAA,MACpF,MAAM,KAAM,IAAI,IAAM,CAAC,IAAI;AAAA,MAC3B,MAAM,KAAM,IAAI,KAAK,KAAK,gBAAgB,KAAM,EAAE,OAAS;AAAA,MAC3D,MAAM,MAAO,MAAM,IAAM,KAAK,OAAS,MAAM,KAAO,KAAK,OAAS,MAAM,KAAO,KAAK;AAAA,MACpF,MAAM,MAAO,IAAI,IAAM,IAAI,IAAM,IAAI;AAAA,MACrC,MAAM,KAAM,KAAK,QAAS;AAAA,MAC1B,IAAI;AAAA,MACJ,IAAI;AAAA,MACJ,IAAI;AAAA,MACJ,IAAK,IAAI,OAAQ;AAAA,MACjB,IAAI;AAAA,MACJ,IAAI;AAAA,MACJ,IAAI;AAAA,MACJ,IAAK,KAAK,OAAQ;AAAA,IACnB;AAAA,IACA,KAAM,KAAK,MAAO;AAAA,IAClB,KAAM,KAAK,MAAO;AAAA,IAClB,KAAM,KAAK,MAAO;AAAA,IAClB,KAAM,KAAK,MAAO;AAAA,IAClB,KAAM,KAAK,MAAO;AAAA,IAClB,KAAM,KAAK,MAAO;AAAA,IAClB,KAAM,KAAK,MAAO;AAAA,IAClB,KAAM,KAAK,MAAO;AAAA,EACnB;AAAA,EACA,MAAM,QAAQ,CAAC,MAAsB;AAAA,IACpC,IAAI,SAAS;AAAA,IACb,SAAS,IAAI,EAAG,KAAK,GAAG,KAAK;AAAA,MAC5B,UAAU,IAAK,MAAO,IAAI,IAAM;AAAA,IACjC;AAAA,IACA,OAAO;AAAA;AAAA,EAER,OAAO,MAAM,EAAE,IAAI,MAAM,EAAE,IAAI,MAAM,EAAE,IAAI,MAAM,EAAE,IAAI,MAAM,EAAE,IAAI,MAAM,EAAE,IAAI,MAAM,EAAE,IAAI,MAAM,EAAE;AAAA;AAGpG,IAAM,gBAAgB,CAAC,UAA0B,UAAU,KAAK,EAAE,MAAM,GAAG,CAAC;AAY5E,IAAM,eAAe,CAAC,WAA2B;AAAA,EAChD,IAAI,MAAM;AAAA,EACV,OAAO,IAAI,SAAS,QAAQ;AAAA,IAC3B,OAAO,KAAK,OAAO,EAAE,SAAS,EAAE,EAAE,MAAM,CAAC;AAAA,EAC1C;AAAA,EACA,OAAO,IAAI,MAAM,GAAG,MAAM;AAAA;AAGpB,IAAM,kBAAkB,CAC9B,UAAkC,CAAC,MAChB;AAAA,EACnB,MAAM,QAAQ,IAAI;AAAA,EAClB,YAAY,GAAG,MAAM,OAAO,QAAQ,QAAQ,WAAW,CAAC,CAAC;AAAA,IAAG,MAAM,IAAI,GAAG,CAAC;AAAA,EAC1E,MAAM,SAAS,QAAQ,WAAW,MAAM,aAAa,EAAE;AAAA,EACvD,OAAO;AAAA,IACN,OAAO,OAAO,SAAS,MAAM,IAAI,IAAI,KAAK;AAAA,IAC1C,MAAM,YAAY,MAAM,KAAK,MAAM,KAAK,CAAC;AAAA,IACzC,KAAK,OAAO,MAAM,UAAU;AAAA,MAAE,MAAM,IAAI,MAAM,KAAK;AAAA;AAAA,IACnD,QAAQ,OAAO,SAAS;AAAA,MAAE,MAAM,OAAO,IAAI;AAAA;AAAA,IAC3C,QAAQ,OAAO,SAAS;AAAA,MACvB,MAAM,OAAO,OAAO,MAAM,MAAM,IAAI,IAAI,KAAK,IAAI;AAAA,MACjD,MAAM,IAAI,MAAM,IAAI;AAAA,MACpB,OAAO;AAAA;AAAA,EAET;AAAA;AAcM,IAAM,aAAa,CAAC,UAA6B,CAAC,MAAqB;AAAA,EAC7E,MAAM,SAAS,QAAQ,UAAU;AAAA,EACjC,MAAM,MAAM,QAAQ,OAAQ,WAA0E,SAAS,OAAO,CAAC;AAAA,EACvH,OAAO;AAAA,IACN,OAAO,OAAO,SAAS;AAAA,MACtB,MAAM,MAAM,GAAG,SAAS;AAAA,MACxB,MAAM,QAAQ,IAAI;AAAA,MAClB,OAAO,UAAU,YAAY,OAAO;AAAA;AAAA,IAErC,MAAM,YAAY;AAAA,MACjB,IAAI,CAAC;AAAA,QAAQ,OAAO,OAAO,KAAK,GAAG;AAAA,MACnC,MAAM,UAAoB,CAAC;AAAA,MAC3B,WAAW,OAAO,OAAO,KAAK,GAAG,GAAG;AAAA,QACnC,IAAI,IAAI,WAAW,MAAM;AAAA,UAAG,QAAQ,KAAK,IAAI,MAAM,OAAO,MAAM,CAAC;AAAA,MAClE;AAAA,MACA,OAAO;AAAA;AAAA,EAET;AAAA;AAOM,IAAM,mBAAmB,CAAC,aAA6C;AAAA,EAC7E,MAAM,YAAY,CAAgC,WACjD,SAAS,KAAK,CAAC,YAAY,QAAQ,YAAY,SAAS;AAAA,EACzD,OAAO;AAAA,IACN,OAAO,OAAO,SAAS;AAAA,MACtB,WAAW,WAAW,UAAU;AAAA,QAC/B,MAAM,QAAQ,MAAM,QAAQ,MAAM,IAAI;AAAA,QACtC,IAAI,UAAU;AAAA,UAAM,OAAO;AAAA,MAC5B;AAAA,MACA,OAAO;AAAA;AAAA,IAER,MAAM,YAAY;AAAA,MACjB,MAAM,OAAO,IAAI;AAAA,MACjB,WAAW,WAAW,UAAU;AAAA,QAC/B,IAAI,CAAC,QAAQ;AAAA,UAAM;AAAA,QACnB,WAAW,QAAQ,MAAM,QAAQ,KAAK;AAAA,UAAG,KAAK,IAAI,IAAI;AAAA,MACvD;AAAA,MACA,OAAO,MAAM,KAAK,IAAI;AAAA;AAAA,IAEvB,KAAK,OAAO,MAAM,UAAU;AAAA,MAC3B,MAAM,SAAS,UAAU,KAAK;AAAA,MAC9B,IAAI,CAAC,QAAQ;AAAA,QAAK,MAAM,IAAI,MAAM,4CAA4C;AAAA,MAC9E,MAAM,OAAO,IAAI,MAAM,KAAK;AAAA;AAAA,IAE7B,QAAQ,OAAO,SAAS;AAAA,MACvB,MAAM,SAAS,UAAU,QAAQ;AAAA,MACjC,IAAI,CAAC,QAAQ;AAAA,QAAQ,MAAM,IAAI,MAAM,+CAA+C;AAAA,MACpF,MAAM,OAAO,OAAO,IAAI;AAAA;AAAA,IAEzB,QAAQ,OAAO,SAAS;AAAA,MACvB,MAAM,SAAS,UAAU,QAAQ;AAAA,MACjC,IAAI,CAAC,QAAQ;AAAA,QAAQ,MAAM,IAAI,MAAM,+CAA+C;AAAA,MACpF,OAAO,OAAO,OAAO,IAAI;AAAA;AAAA,EAE3B;AAAA;AAOD,IAAM,4BAA4B;AAClC,IAAM,mBAAmB;AACzB,IAAM,aAAa;AACnB,IAAM,WAAW;AACjB,IAAM,YAAY;AAElB,IAAM,gBAAgB,CAAC,UAA8B;AAAA,EACpD,IAAI,MAAM;AAAA,EACV,WAAW,QAAQ;AAAA,IAAO,OAAO,OAAO,aAAa,IAAI;AAAA,EACzD,OAAO,KAAK,GAAG;AAAA;AAGhB,IAAM,gBAAgB,CAAC,QAA4B;AAAA,EAClD,MAAM,MAAM,KAAK,GAAG;AAAA,EACpB,MAAM,MAAM,IAAI,WAAW,IAAI,MAAM;AAAA,EACrC,SAAS,IAAI,EAAG,IAAI,IAAI,QAAQ,KAAK;AAAA,IAAG,IAAI,KAAK,IAAI,WAAW,CAAC;AAAA,EACjE,OAAO;AAAA;AAoDR,IAAM,YAAY,OAAwB;AAAA,EACzC,UAAU,OAAO,SAAS;AAAA,IACzB,IAAI;AAAA,MACH,MAAM,OAAO,OAAO,MAAa,uBAAqB,SACrD,MACA,MACD;AAAA,MACA,OAAO;AAAA,MACN,OAAO,OAAO;AAAA,MACf,IAAK,MAA4B,SAAS;AAAA,QAAU;AAAA,MACpD,MAAM;AAAA;AAAA;AAAA,EAGR,iBAAiB,OAAO,MAAM,aAAa;AAAA,IAC1C,MAAM,KAAK,MAAa;AAAA,IACxB,MAAM,WAAW,GAAG,YAAY,QAAQ;AAAA,IACxC,MAAM,GAAG,UAAU,UAAU,UAAU,EAAE,MAAM,IAAM,CAAC;AAAA,IACtD,MAAM,GAAG,OAAO,UAAU,IAAI;AAAA;AAEhC;AAEA,IAAM,0BAA0B,OAC/B,YACA,MACA,eACwB;AAAA,EACxB,MAAM,OAAO,MAAM,OAAO,OAAO,UAChC,OACA,IAAI,YAAY,EAAE,OAAO,UAAU,GACnC,UACA,OACA,CAAC,WAAW,CACb;AAAA,EACA,OAAO,OAAO,OAAO,UACpB;AAAA,IACC,MAAM;AAAA,IACN;AAAA,IACA,MAAM;AAAA,IACN;AAAA,EACD,GACA,MACA,EAAE,QAAQ,KAAK,MAAM,UAAU,GAC/B,OACA,CAAC,WAAW,SAAS,CACtB;AAAA;AAGD,IAAM,eAAe,OAAO,UAA0C;AAAA,EACrE,IAAI,MAAM,WAAW,WAAW;AAAA,IAC/B,MAAM,IAAI,MACT,4CAA4C,wBAAwB,MAAM,SAC3E;AAAA,EACD;AAAA,EACA,OAAO,OAAO,OAAO,UACpB,OACA,OACA,EAAE,MAAM,UAAU,GAClB,OACA,CAAC,WAAW,SAAS,CACtB;AAAA;AAqBM,IAAM,uBAAuB,CACnC,YACmB;AAAA,EACnB,MAAM,KAAK,QAAQ,MAAM,UAAU;AAAA,EACnC,MAAM,aAAa,QAAQ,oBAAoB;AAAA,EAC/C,MAAM,SAAS,QAAQ,WAAW,MAAM,aAAa,EAAE;AAAA,EAEvD,IAAI;AAAA,EACJ,IAAI;AAAA,EACJ,IAAI;AAAA,EAEJ,MAAM,YAAY,YAAgC;AAAA,IACjD,IAAI,eAAe;AAAA,MAAW,OAAO;AAAA,IACrC,IAAI,QAAQ,IAAI,SAAS,OAAO;AAAA,MAC/B,aAAa,MAAM,aAAa,QAAQ,IAAI,KAAK;AAAA,MACjD,OAAO;AAAA,IACR;AAAA,IACA,IAAI,SAAS,WAAW;AAAA,MACvB,OAAO,OAAO,gBAAgB,IAAI,WAAW,UAAU,CAAC;AAAA,IACzD;AAAA,IACA,aAAa,MAAM,wBAClB,QAAQ,IAAI,YACZ,MACA,UACD;AAAA,IACA,OAAO;AAAA;AAAA,EAGR,MAAM,OAAO,YAA0C;AAAA,IACtD,IAAI,UAAU;AAAA,MAAW,OAAO;AAAA,IAChC,MAAM,WAAW,MAAM,GAAG,SAAS,QAAQ,IAAI;AAAA,IAC/C,IAAI,aAAa,WAAW;AAAA,MAC3B,QAAQ,IAAI;AAAA,MACZ,OAAO;AAAA,IACR;AAAA,IACA,IAAI;AAAA,IACJ,IAAI;AAAA,MACH,SAAS,KAAK,MAAM,QAAQ;AAAA,MAC3B,OAAO,OAAO;AAAA,MACf,MAAM,IAAI,MACT,4CAA4C,QAAQ,SAClD,MAAgB,SAEnB;AAAA;AAAA,IAED,IAAI,OAAO,YAAY,kBAAkB;AAAA,MACxC,MAAM,IAAI,MACT,qDAAqD,OAAO,cAAc,QAAQ,MACnF;AAAA,IACD;AAAA,IACA,IAAI,OAAO,QAAQ,WAAW;AAAA,MAC7B,IAAI,QAAQ,IAAI,SAAS,cAAc;AAAA,QACtC,MAAM,IAAI,MACT,sFACD;AAAA,MACD;AAAA,MACA,OAAO,cAAc,OAAO,IAAI,IAAI;AAAA,IACrC,EAAO,SAAI,QAAQ,IAAI,SAAS,cAAc;AAAA,MAC7C,MAAM,IAAI,MACT,sFACD;AAAA,IACD;AAAA,IACA,MAAM,MAAM,MAAM,UAAU;AAAA,IAC5B,MAAM,UAAU,IAAI;AAAA,IACpB,YAAY,MAAM,UAAU,OAAO,QAAQ,OAAO,MAAM,GAAG;AAAA,MAC1D,IAAI;AAAA,QACH,MAAM,KAAK,cAAc,MAAM,EAAE;AAAA,QACjC,MAAM,KAAK,cAAc,MAAM,EAAE;AAAA,QACjC,MAAM,KAAK,MAAM,OAAO,OAAO,QAC9B,EAAE,IAAI,MAAM,UAAU,GACtB,KACA,EACD;AAAA,QACA,QAAQ,IAAI,MAAM,IAAI,YAAY,EAAE,OAAO,EAAE,CAAC;AAAA,QAC7C,MAAM;AAAA,QACP,MAAM,IAAI,MACT,+CAA+C,YAAY,QAAQ,gDACpE;AAAA;AAAA,IAEF;AAAA,IACA,QAAQ;AAAA,IACR,OAAO;AAAA;AAAA,EAGR,MAAM,OAAO,YAA2B;AAAA,IACvC,MAAM,OAAO,SAAS,IAAI;AAAA,IAC1B,MAAM,MAAM,MAAM,UAAU;AAAA,IAC5B,MAAM,SAAyC,CAAC;AAAA,IAChD,YAAY,MAAM,UAAU,MAAM;AAAA,MACjC,MAAM,KAAK,OAAO,gBAAgB,IAAI,WAAW,QAAQ,CAAC;AAAA,MAC1D,MAAM,KAAK,MAAM,OAAO,OAAO,QAC9B,EAAE,IAAwB,MAAM,UAAU,GAC1C,KACA,IAAI,YAAY,EAAE,OAAO,KAAK,CAC/B;AAAA,MACA,OAAO,QAAQ;AAAA,QACd,IAAI,cAAc,IAAI,WAAW,EAAE,CAAC;AAAA,QACpC,IAAI,cAAc,EAAE;AAAA,MACrB;AAAA,IACD;AAAA,IACA,MAAM,OAAsB;AAAA,MAC3B;AAAA,MACA,SAAS;AAAA,SACL,QAAQ,IAAI,SAAS,gBAAgB,SAAS,YAC/C;AAAA,QACA,KAAK;AAAA,UACJ;AAAA,UACA,MAAM,cAAc,IAAI;AAAA,UACxB,MAAM;AAAA,QACP;AAAA,MACD,IACC,CAAC;AAAA,IACL;AAAA,IACA,MAAM,GAAG,gBAAgB,QAAQ,MAAM,KAAK,UAAU,MAAM,MAAM,CAAC,CAAC;AAAA;AAAA,EAGrE,OAAO;AAAA,IACN,OAAO,OAAO,SAAS;AAAA,MACtB,MAAM,OAAO,MAAM,KAAK;AAAA,MACxB,OAAO,KAAK,IAAI,IAAI,KAAK;AAAA;AAAA,IAE1B,MAAM,YAAY;AAAA,MACjB,MAAM,OAAO,MAAM,KAAK;AAAA,MACxB,OAAO,MAAM,KAAK,KAAK,KAAK,CAAC;AAAA;AAAA,IAE9B,KAAK,OAAO,MAAM,UAAU;AAAA,MAC3B,MAAM,OAAO,MAAM,KAAK;AAAA,MACxB,KAAK,IAAI,MAAM,KAAK;AAAA,MACpB,MAAM,KAAK;AAAA;AAAA,IAEZ,QAAQ,OAAO,SAAS;AAAA,MACvB,MAAM,OAAO,MAAM,KAAK;AAAA,MACxB,KAAK,OAAO,IAAI;AAAA,MAChB,MAAM,KAAK;AAAA;AAAA,IAEZ,QAAQ,OAAO,SAAS;AAAA,MACvB,MAAM,OAAO,MAAM,KAAK;AAAA,MACxB,MAAM,WAAW,KAAK,IAAI,IAAI,KAAK;AAAA,MACnC,MAAM,OAAO,OAAO,MAAM,QAAQ;AAAA,MAClC,KAAK,IAAI,MAAM,IAAI;AAAA,MACnB,MAAM,KAAK;AAAA,MACX,OAAO;AAAA;AAAA,EAET;AAAA;AAaM,IAAM,qBAAqB,CAAC,YAA+C;AAAA,EACjF,MAAM,QAAQ,QAAQ,SAAS,KAAK;AAAA,EACpC,MAAM,aAAa,QAAQ,cAAc;AAAA,EACzC,MAAM,eAAe,QAAQ,qBAAqB,CAAC;AAAA,EACnD,MAAM,SAAS,QAAQ,sBAAsB;AAAA,EAC7C,MAAM,YAAY,QAAQ,sBAAsB,CAAC,OAAO;AAAA,EACxD,MAAM,QAAQ,QAAQ;AAAA,EACtB,MAAM,QAAQ,IAAI;AAAA,EAClB,MAAM,oBAAoB,IAAI;AAAA,EAC9B,IAAI,WAAW;AAAA,EACf,IAAI,WAAW;AAAA,EAEf,MAAM,SAAS,aAAa,QAAQ,gBAAgB,qBAAqB;AAAA,EAGzE,MAAM,WAAgC;AAAA,IACrC,eAAe;AAAA,IACf,aAAa;AAAA,IACb,mBAAmB;AAAA,IACnB,kBAAkB;AAAA,IAClB,eAAe;AAAA,IACf,aAAa;AAAA,IACb,eAAe;AAAA,IACf,UAAU;AAAA,IACV,cAAc;AAAA,IACd,SAAS;AAAA,EACV;AAAA,EAEA,MAAM,SAAS,CAAC,SAAyB,aAAa,SAAS;AAAA,EAE/D,MAAM,eAAe,CAAC,MAAc,OAAe,aAAqB,OAAe;AAAA,IACtF,MAAM,MAAM,kBAAkB,IAAI,IAAI;AAAA,IACtC,IAAI,CAAC,OAAO,IAAI,SAAS;AAAA,MAAG;AAAA,IAC5B,WAAW,YAAY,KAAK;AAAA,MAC3B,IAAI;AAAA,QACH,MAAM,MAAM,SAAS,EAAE,IAAI,aAAa,MAAM,MAAM,CAAC;AAAA,QACrD,IAAI,OAAO,OAAQ,IAAsB,SAAS,YAAY;AAAA,UAC5D,IAAsB,MAAM,CAAC,UAAU;AAAA,YACvC,QAAQ,MAAM,yCAAyC,KAAK;AAAA,WAC5D;AAAA,QACF;AAAA,QACC,OAAO,OAAO;AAAA,QACf,QAAQ,MAAM,sCAAsC,KAAK;AAAA;AAAA,IAE3D;AAAA;AAAA,EAGD,MAAM,YAAY,CAAC,UAAsB;AAAA,IACxC,IAAI,CAAC;AAAA,MAAO;AAAA,IACZ,IAAI;AAAA,MACH,MAAM,SAAS,MAAM,KAAK;AAAA,MAC1B,IAAI,UAAU,OAAQ,OAAyB,SAAS,YAAY;AAAA,QAClE,OAAyB,MAAM,CAAC,UAAU;AAAA,UAC1C,QAAQ,MAAM,kCAAkC,KAAK;AAAA,SACrD;AAAA,MACF;AAAA,MACC,OAAO,OAAO;AAAA,MACf,QAAQ,MAAM,+BAA+B,KAAK;AAAA;AAAA;AAAA,EAIpD,MAAM,aAAa,CAAC,MAAc,OAAe,QAA4B;AAAA,IAC5E,MAAM,QAAoB;AAAA,MACzB,aAAa,cAAc,KAAK;AAAA,MAChC,UAAU;AAAA,MACV;AAAA,IACD;AAAA,IACA,MAAM,IAAI,MAAM,KAAK;AAAA,IACrB,OAAO;AAAA;AAAA,EAGR,MAAM,UAAmC,OAAO,SAAS;AAAA,IACxD,IAAI;AAAA,MAAU,OAAO;AAAA,IACrB,IAAI;AAAA,MAAU,MAAM,IAAI;AAAA,IAIxB,MAAM,OAAO,OAAO,UAAU,mBAAmB;AAAA,MAChD,YAAY,GAAG,UAAU,aAAa,KAAK;AAAA,IAC5C,CAAC;AAAA,IACD,SAAS,YAAY;AAAA,IACrB,MAAM,MAAM,MAAM;AAAA,IAClB,IAAI;AAAA,MACH,MAAM,SAAS,MAAM,IAAI,IAAI;AAAA,MAC7B,IAAI,UAAU,MAAM,OAAO,WAAW,OAAO,IAAI,GAAG;AAAA,QACnD,SAAS,eAAe;AAAA,QACxB,KAAK,aAAa,UAAU,mBAAmB,OAAO,WAAW;AAAA,QACjE,KAAK,aAAa,iBAAiB,KAAK;AAAA,QACxC,UAAU,EAAE,IAAI,KAAK,OAAO,eAAe,aAAa,OAAO,aAAa,KAAK,CAAC;AAAA,QAClF,KAAK,UAAU,EAAE,MAAM,EAAW,CAAC;AAAA,QACnC,OAAO,EAAE,aAAa,OAAO,aAAa,OAAO,OAAO,MAAM;AAAA,MAC/D;AAAA,MACA,SAAS,iBAAiB;AAAA,MAC1B,KAAK,aAAa,iBAAiB,MAAM;AAAA,MACzC,MAAM,QAAQ,MAAM,QAAQ,QAAQ,MAAM,IAAI;AAAA,MAC9C,IAAI,UAAU,MAAM;AAAA,QACnB,UAAU,EAAE,IAAI,KAAK,OAAO,gBAAgB,KAAK,CAAC;AAAA,QAClD,MAAM,OAAO,IAAI;AAAA,QACjB,KAAK,aAAa,iBAAiB,KAAK;AAAA,QACxC,KAAK,UAAU,EAAE,MAAM,EAAW,CAAC;AAAA,QACnC,OAAO;AAAA,MACR;AAAA,MACA,MAAM,QAAQ,WAAW,MAAM,OAAO,GAAG;AAAA,MACzC,KAAK,aAAa,UAAU,mBAAmB,MAAM,WAAW;AAAA,MAChE,UAAU,EAAE,IAAI,KAAK,OAAO,gBAAgB,aAAa,MAAM,aAAa,KAAK,CAAC;AAAA,MAClF,KAAK,UAAU,EAAE,MAAM,EAAW,CAAC;AAAA,MACnC,OAAO,EAAE,aAAa,MAAM,aAAa,OAAO,MAAM,MAAM;AAAA,MAC3D,OAAO,OAAO;AAAA,MACf,SAAS,iBAAiB;AAAA,MAC1B,UAAU;AAAA,QACT,IAAI;AAAA,QACJ,OAAO,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK;AAAA,QAC5D,OAAO;AAAA,QACP;AAAA,MACD,CAAC;AAAA,MACD,KAAK,gBAAgB,KAAK;AAAA,MAC1B,KAAK,UAAU;AAAA,QACd,MAAM;AAAA,QACN,SAAS,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK;AAAA,MAC/D,CAAC;AAAA,MACD,MAAM;AAAA,cACL;AAAA,MACD,KAAK,IAAI;AAAA;AAAA;AAAA,EAIX,MAAM,SAAiC,OAAO,SAAS;AAAA,IACtD,IAAI;AAAA,MAAU,MAAM,IAAI,MAAM,oBAAoB;AAAA,IAClD,IAAI;AAAA,MAAU,MAAM,IAAI;AAAA,IACxB,IAAI,CAAC,QAAQ,QAAQ,QAAQ;AAAA,MAC5B,MAAM,IAAI,MAAM,mCAAmC;AAAA,IACpD;AAAA,IAIA,MAAM,OAAO,OAAO,UAAU,kBAAkB;AAAA,MAC/C,YAAY,GAAG,UAAU,aAAa,KAAK;AAAA,IAC5C,CAAC;AAAA,IACD,IAAI;AAAA,MACH,MAAM,OAAO,MAAM,QAAQ,QAAQ,OAAO,IAAI;AAAA,MAC9C,MAAM,MAAM,MAAM;AAAA,MAClB,MAAM,QAAQ,WAAW,MAAM,MAAM,GAAG;AAAA,MACxC,SAAS,WAAW;AAAA,MACpB,KAAK,aAAa,UAAU,mBAAmB,MAAM,WAAW;AAAA,MAChE,KAAK,UAAU,EAAE,MAAM,EAAW,CAAC;AAAA,MACnC,UAAU,EAAE,IAAI,KAAK,OAAO,UAAU,aAAa,MAAM,aAAa,KAAK,CAAC;AAAA,MAC5E,aAAa,MAAM,MAAM,OAAO,MAAM,aAAa,GAAG;AAAA,MACtD,OAAO,EAAE,aAAa,MAAM,aAAa,OAAO,MAAM,MAAM;AAAA,MAC3D,OAAO,OAAO;AAAA,MACf,SAAS,gBAAgB;AAAA,MACzB,KAAK,gBAAgB,KAAK;AAAA,MAC1B,KAAK,UAAU;AAAA,QACd,MAAM;AAAA,QACN,SAAS,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK;AAAA,MAC/D,CAAC;AAAA,MACD,MAAM;AAAA,cACL;AAAA,MACD,KAAK,IAAI;AAAA;AAAA;AAAA,EAIX,MAAM,aAAyC,CAAC,SAAS;AAAA,IACxD,IAAI,SAAS,WAAW;AAAA,MACvB,MAAM,MAAM;AAAA,IACb,EAAO;AAAA,MACN,MAAM,OAAO,IAAI;AAAA;AAAA,IAElB,SAAS,iBAAiB;AAAA,IAC1B,UAAU,EAAE,IAAI,MAAM,GAAG,OAAO,cAAc,MAAM,QAAQ,KAAK,CAAC;AAAA;AAAA,EAMnE,MAAM,iBAAiB,MAA+B;AAAA,IACrD,MAAM,QAAiC,CAAC;AAAA,IACxC,YAAY,MAAM,UAAU,OAAO;AAAA,MAClC,IAAI,MAAM,MAAM,SAAS;AAAA,QAAQ;AAAA,MACjC,WAAW,OAAO,WAAW;AAAA,QAC5B,IAAI,QAAQ,SAAS;AAAA,UACpB,MAAM,KAAK,CAAC,MAAM,OAAO,aAAa,OAAO,CAAC;AAAA,QAC/C,EAAO,SAAI,QAAQ,UAAU;AAAA,UAC5B,IAAI;AAAA,YACH,MAAM,UAAU,KAAK,MAAM,KAAK;AAAA,YAEhC,IAAI,QAAQ,UAAU,QAAQ;AAAA,cAC7B,MAAM,KAAK,CAAC,SAAS,aAAa,WAAW,CAAC;AAAA,YAC/C;AAAA,YACC,MAAM;AAAA,QAGT;AAAA,MACD;AAAA,IACD;AAAA,IACA,MAAM,KAAK,CAAC,GAAG,MAAM,EAAE,GAAG,SAAS,EAAE,GAAG,MAAM;AAAA,IAC9C,OAAO;AAAA;AAAA,EAGR,MAAM,SAAiC,CAAC,SAAS;AAAA,IAChD,SAAS,eAAe;AAAA,IACxB,IAAI,KAAK,WAAW,KAAK,MAAM,SAAS;AAAA,MAAG,OAAO;AAAA,IAClD,IAAI,MAAM;AAAA,IACV,YAAY,QAAQ,gBAAgB,eAAe,GAAG;AAAA,MACrD,IAAI,CAAC,IAAI,SAAS,MAAM;AAAA,QAAG;AAAA,MAC3B,MAAM,IAAI,MAAM,MAAM,EAAE,KAAK,WAAW;AAAA,MACxC,SAAS,qBAAqB;AAAA,MAC9B,IAAI,YAAY,SAAS,OAAO;AAAA,QAAG,SAAS,oBAAoB;AAAA,IACjE;AAAA,IACA,OAAO;AAAA;AAAA,EAGR,MAAM,eAA6C,MAAM;AAAA,IAWxD,IAAI,SAAS;AAAA,IACb,MAAM,SAAS,MACd,eAAe,EAAE,OAAO,CAAC,MAAM,YAAY,KAAK,IAAI,KAAK,OAAO,MAAM,GAAG,CAAC;AAAA,IAC3E,OAAO,IAAI,gBAAgC;AAAA,MAC1C,WAAW,CAAC,OAAO,eAAe;AAAA,QACjC,UAAU;AAAA,QACV,MAAM,WAAW,OAAO;AAAA,QACxB,MAAM,UAAU,OAAO,MAAM;AAAA,QAC7B,IAAI,QAAQ,UAAU,UAAU;AAAA,UAC/B,SAAS;AAAA,UACT;AAAA,QACD;AAAA,QACA,MAAM,OAAO,QAAQ,MAAM,GAAG,QAAQ,SAAS,QAAQ;AAAA,QACvD,SAAS,QAAQ,MAAM,QAAQ,SAAS,QAAQ;AAAA,QAChD,IAAI,KAAK,SAAS;AAAA,UAAG,WAAW,QAAQ,IAAI;AAAA;AAAA,MAE7C,OAAO,CAAC,eAAe;AAAA,QACtB,IAAI,OAAO,WAAW;AAAA,UAAG;AAAA,QACzB,WAAW,QAAQ,OAAO,MAAM,CAAC;AAAA,QACjC,SAAS;AAAA;AAAA,IAEX,CAAC;AAAA;AAAA,EAGF,MAAM,WAAqC,CAAC,MAAM,aAAa;AAAA,IAC9D,IAAI,MAAM,kBAAkB,IAAI,IAAI;AAAA,IACpC,IAAI,CAAC,KAAK;AAAA,MACT,MAAM,IAAI;AAAA,MACV,kBAAkB,IAAI,MAAM,GAAG;AAAA,IAChC;AAAA,IACA,IAAI,IAAI,QAAQ;AAAA,IAChB,OAAO,MAAM;AAAA,MACZ,MAAM,UAAU,kBAAkB,IAAI,IAAI;AAAA,MAC1C,IAAI,CAAC;AAAA,QAAS;AAAA,MACd,QAAQ,OAAO,QAAQ;AAAA,MACvB,IAAI,QAAQ,SAAS;AAAA,QAAG,kBAAkB,OAAO,IAAI;AAAA;AAAA;AAAA,EAIvD,OAAO;AAAA,IACN,SAAS,MAAM;AAAA,MACd,WAAW;AAAA,MACX,MAAM,MAAM;AAAA,MACZ,kBAAkB,MAAM;AAAA;AAAA,IAEzB,OAAO,MAAM;AAAA,MACZ,WAAW;AAAA;AAAA,IAEZ,aAAa;AAAA,IACb;AAAA,IACA,SAAS,OAAO,KAAK,SAAS;AAAA,IAC9B;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACD;AAAA;",
9
+ "debugId": "AD0BCD644DBC747564756E2164756E21",
9
10
  "names": []
10
11
  }
package/package.json CHANGED
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "name": "@absolutejs/secrets",
3
- "version": "0.2.0",
4
- "description": "Host-side secret broker for multi-tenant Bun runtimes. Pluggable adapters (env-var, in-memory, composite); audit hook per resolve; safe fingerprints for logs; redact() walks known secrets out of arbitrary text before it lands in a log sink.",
3
+ "version": "0.4.0",
4
+ "description": "Host-side secret broker for multi-tenant Bun runtimes. Pluggable adapters (env-var, in-memory, composite, encrypted-file); audit hook per resolve; safe fingerprints for logs; redact() walks known secrets out of arbitrary text before it lands in a log sink.",
5
5
  "repository": {
6
6
  "type": "git",
7
7
  "url": "git+https://github.com/absolutejs/secrets.git"
@@ -33,10 +33,14 @@
33
33
  "check:package": "bun run typecheck && bun run build && bun run test",
34
34
  "release": "bun run format && bun run check:package && bun publish"
35
35
  },
36
+ "dependencies": {
37
+ "@absolutejs/telemetry": "^0.0.2"
38
+ },
36
39
  "peerDependencies": {
37
40
  "bun-types": "^1.3.14"
38
41
  },
39
42
  "devDependencies": {
43
+ "@absolutejs/telemetry": "^0.0.2",
40
44
  "@types/bun": "^1.3.14",
41
45
  "prettier": "^3.8.3",
42
46
  "typescript": "^6.0.3"