@cipherstash/stack 0.1.0

package/dist/secrets/index.d.cts

@@ -0,0 +1,227 @@
+import { h as Encrypted } from '../types-public-BCj1L4fi.cjs';
+import { Result } from '@byteslice/result';
+import 'zod';
+import 'evlog';
+import '@cipherstash/protect-ffi';
+
+/**
+ * Placeholder: Corrected Secrets client interface
+ *
+ * This file reflects the actual dashboard API endpoints as implemented in:
+ *   apps/dashboard/src/app/api/secrets/{get,set,list,get-many,delete}/route.ts
+ *
+ * Key corrections from the original interface:
+ *   1. get, list, get-many are GET endpoints (not POST) with query params
+ *   2. get-many takes a comma-separated `names` string (not a JSON array)
+ *   3. set and delete return { success, message } (not void)
+ *   4. SecretMetadata fields (id, createdAt, updatedAt) are non-optional
+ *   5. GetSecretResponse fields (createdAt, updatedAt) are non-optional
+ *   6. get-many enforces min 2 names (comma required) and max 100 names
+ */
+
+type SecretName = string;
+type SecretValue = string;
+/**
+ * Discriminated error type for secrets operations.
+ */
+type SecretsErrorType = 'ApiError' | 'NetworkError' | 'ClientError' | 'EncryptionError' | 'DecryptionError';
+/**
+ * Error returned by secrets operations.
+ */
+interface SecretsError {
+    type: SecretsErrorType;
+    message: string;
+}
+/**
+ * Configuration options for initializing the Stash client
+ */
+interface SecretsConfig {
+    workspaceCRN: string;
+    clientId: string;
+    clientKey: string;
+    environment: string;
+    apiKey: string;
+    accessKey?: string;
+}
+/**
+ * Secret metadata returned from the API (list endpoint).
+ * All fields are always present in API responses.
+ */
+interface SecretMetadata {
+    id: string;
+    name: string;
+    environment: string;
+    createdAt: string;
+    updatedAt: string;
+}
+/**
+ * API response for listing secrets.
+ * GET /api/secrets/list?workspaceId=...&environment=...
+ */
+interface ListSecretsResponse {
+    environment: string;
+    secrets: SecretMetadata[];
+}
+/**
+ * API response for getting a single secret.
+ * GET /api/secrets/get?workspaceId=...&environment=...&name=...
+ *
+ * The `encryptedValue` is the raw value stored in the vault's `value` column,
+ * which is the `{ data: Encrypted }` object that was passed to the set endpoint.
+ */
+interface GetSecretResponse {
+    name: string;
+    environment: string;
+    encryptedValue: {
+        data: Encrypted;
+    };
+    createdAt: string;
+    updatedAt: string;
+}
+/**
+ * API response for getting multiple secrets.
+ * GET /api/secrets/get-many?workspaceId=...&environment=...&names=name1,name2,...
+ *
+ * Returns an array of GetSecretResponse objects.
+ * Constraints:
+ *   - `names` must be comma-separated (minimum 2 names)
+ *   - Maximum 100 names per request
+ */
+type GetManySecretsResponse = GetSecretResponse[];
+/**
+ * API response for setting a secret.
+ * POST /api/secrets/set
+ */
+interface SetSecretResponse {
+    success: true;
+    message: string;
+}
+/**
+ * API request body for setting a secret.
+ * POST /api/secrets/set
+ */
+interface SetSecretRequest {
+    workspaceId: string;
+    environment: string;
+    name: string;
+    encryptedValue: {
+        data: Encrypted;
+    };
+}
+/**
+ * API response for deleting a secret.
+ * POST /api/secrets/delete
+ */
+interface DeleteSecretResponse {
+    success: true;
+    message: string;
+}
+/**
+ * API request body for deleting a secret.
+ * POST /api/secrets/delete
+ */
+interface DeleteSecretRequest {
+    workspaceId: string;
+    environment: string;
+    name: string;
+}
+/**
+ * API error response for plan limit violations (403).
+ * Returned by POST /api/secrets/set when the workspace has reached its secret limit.
+ */
+interface PlanLimitError {
+    error: string;
+    code: 'PLAN_LIMIT_REACHED';
+}
+interface DecryptedSecretResponse {
+    name: string;
+    environment: string;
+    value: string;
+    createdAt: string;
+    updatedAt: string;
+}
+/**
+ * The Secrets client provides a high-level API for managing encrypted secrets
+ * stored in CipherStash. Secrets are encrypted locally before being sent to
+ * the API, ensuring end-to-end encryption.
+ */
+declare class Secrets {
+    private encryptionClient;
+    private config;
+    private readonly apiBaseUrl;
+    private readonly secretsSchema;
+    constructor(config: SecretsConfig);
+    private initPromise;
+    /**
+     * Initialize the Secrets client and underlying Encryption client
+     */
+    private ensureInitialized;
+    private _doInit;
+    /**
+     * Get the authorization header for API requests
+     */
+    private getAuthHeader;
+    /**
+     * Make an API request with error handling.
+     *
+     * For GET requests, `params` are appended as URL query parameters.
+     * For POST requests, `body` is sent as JSON in the request body.
+     */
+    private apiRequest;
+    /**
+     * Store an encrypted secret in the vault.
+     * The value is encrypted locally before being sent to the API.
+     *
+     * API: POST /api/secrets/set
+     *
+     * @param name - The name of the secret
+     * @param value - The plaintext value to encrypt and store
+     * @returns A Result containing the API response or an error
+     */
+    set(name: SecretName, value: SecretValue): Promise<Result<SetSecretResponse, SecretsError>>;
+    /**
+     * Retrieve and decrypt a secret from the vault.
+     * The secret is decrypted locally after retrieval.
+     *
+     * API: GET /api/secrets/get?workspaceId=...&environment=...&name=...
+     *
+     * @param name - The name of the secret to retrieve
+     * @returns A Result containing the decrypted value or an error
+     */
+    get(name: SecretName): Promise<Result<SecretValue, SecretsError>>;
+    /**
+     * Retrieve and decrypt many secrets from the vault.
+     * The secrets are decrypted locally after retrieval.
+     * This method only triggers a single network request to the ZeroKMS.
+     *
+     * API: GET /api/secrets/get-many?workspaceId=...&environment=...&names=name1,name2,...
+     *
+     * Constraints:
+     *   - Minimum 2 secret names required
+     *   - Maximum 100 secret names per request
+     *
+     * @param names - The names of the secrets to retrieve (min 2, max 100)
+     * @returns A Result containing an object mapping secret names to their decrypted values
+     */
+    getMany(names: SecretName[]): Promise<Result<Record<SecretName, SecretValue>, SecretsError>>;
+    /**
+     * List all secrets in the environment.
+     * Only names and metadata are returned; values remain encrypted.
+     *
+     * API: GET /api/secrets/list?workspaceId=...&environment=...
+     *
+     * @returns A Result containing the list of secrets or an error
+     */
+    list(): Promise<Result<SecretMetadata[], SecretsError>>;
+    /**
+     * Delete a secret from the vault.
+     *
+     * API: POST /api/secrets/delete
+     *
+     * @param name - The name of the secret to delete
+     * @returns A Result containing the API response or an error
+     */
+    delete(name: SecretName): Promise<Result<DeleteSecretResponse, SecretsError>>;
+}
+
+export { type DecryptedSecretResponse, type DeleteSecretRequest, type DeleteSecretResponse, type GetManySecretsResponse, type GetSecretResponse, type ListSecretsResponse, type PlanLimitError, type SecretMetadata, type SecretName, type SecretValue, Secrets, type SecretsConfig, type SecretsError, type SecretsErrorType, type SetSecretRequest, type SetSecretResponse };

package/dist/secrets/index.d.ts

@@ -0,0 +1,227 @@
+import { h as Encrypted } from '../types-public-BCj1L4fi.js';
+import { Result } from '@byteslice/result';
+import 'zod';
+import 'evlog';
+import '@cipherstash/protect-ffi';
+
+/**
+ * Placeholder: Corrected Secrets client interface
+ *
+ * This file reflects the actual dashboard API endpoints as implemented in:
+ *   apps/dashboard/src/app/api/secrets/{get,set,list,get-many,delete}/route.ts
+ *
+ * Key corrections from the original interface:
+ *   1. get, list, get-many are GET endpoints (not POST) with query params
+ *   2. get-many takes a comma-separated `names` string (not a JSON array)
+ *   3. set and delete return { success, message } (not void)
+ *   4. SecretMetadata fields (id, createdAt, updatedAt) are non-optional
+ *   5. GetSecretResponse fields (createdAt, updatedAt) are non-optional
+ *   6. get-many enforces min 2 names (comma required) and max 100 names
+ */
+
+type SecretName = string;
+type SecretValue = string;
+/**
+ * Discriminated error type for secrets operations.
+ */
+type SecretsErrorType = 'ApiError' | 'NetworkError' | 'ClientError' | 'EncryptionError' | 'DecryptionError';
+/**
+ * Error returned by secrets operations.
+ */
+interface SecretsError {
+    type: SecretsErrorType;
+    message: string;
+}
+/**
+ * Configuration options for initializing the Stash client
+ */
+interface SecretsConfig {
+    workspaceCRN: string;
+    clientId: string;
+    clientKey: string;
+    environment: string;
+    apiKey: string;
+    accessKey?: string;
+}
+/**
+ * Secret metadata returned from the API (list endpoint).
+ * All fields are always present in API responses.
+ */
+interface SecretMetadata {
+    id: string;
+    name: string;
+    environment: string;
+    createdAt: string;
+    updatedAt: string;
+}
+/**
+ * API response for listing secrets.
+ * GET /api/secrets/list?workspaceId=...&environment=...
+ */
+interface ListSecretsResponse {
+    environment: string;
+    secrets: SecretMetadata[];
+}
+/**
+ * API response for getting a single secret.
+ * GET /api/secrets/get?workspaceId=...&environment=...&name=...
+ *
+ * The `encryptedValue` is the raw value stored in the vault's `value` column,
+ * which is the `{ data: Encrypted }` object that was passed to the set endpoint.
+ */
+interface GetSecretResponse {
+    name: string;
+    environment: string;
+    encryptedValue: {
+        data: Encrypted;
+    };
+    createdAt: string;
+    updatedAt: string;
+}
+/**
+ * API response for getting multiple secrets.
+ * GET /api/secrets/get-many?workspaceId=...&environment=...&names=name1,name2,...
+ *
+ * Returns an array of GetSecretResponse objects.
+ * Constraints:
+ *   - `names` must be comma-separated (minimum 2 names)
+ *   - Maximum 100 names per request
+ */
+type GetManySecretsResponse = GetSecretResponse[];
+/**
+ * API response for setting a secret.
+ * POST /api/secrets/set
+ */
+interface SetSecretResponse {
+    success: true;
+    message: string;
+}
+/**
+ * API request body for setting a secret.
+ * POST /api/secrets/set
+ */
+interface SetSecretRequest {
+    workspaceId: string;
+    environment: string;
+    name: string;
+    encryptedValue: {
+        data: Encrypted;
+    };
+}
+/**
+ * API response for deleting a secret.
+ * POST /api/secrets/delete
+ */
+interface DeleteSecretResponse {
+    success: true;
+    message: string;
+}
+/**
+ * API request body for deleting a secret.
+ * POST /api/secrets/delete
+ */
+interface DeleteSecretRequest {
+    workspaceId: string;
+    environment: string;
+    name: string;
+}
+/**
+ * API error response for plan limit violations (403).
+ * Returned by POST /api/secrets/set when the workspace has reached its secret limit.
+ */
+interface PlanLimitError {
+    error: string;
+    code: 'PLAN_LIMIT_REACHED';
+}
+interface DecryptedSecretResponse {
+    name: string;
+    environment: string;
+    value: string;
+    createdAt: string;
+    updatedAt: string;
+}
+/**
+ * The Secrets client provides a high-level API for managing encrypted secrets
+ * stored in CipherStash. Secrets are encrypted locally before being sent to
+ * the API, ensuring end-to-end encryption.
+ */
+declare class Secrets {
+    private encryptionClient;
+    private config;
+    private readonly apiBaseUrl;
+    private readonly secretsSchema;
+    constructor(config: SecretsConfig);
+    private initPromise;
+    /**
+     * Initialize the Secrets client and underlying Encryption client
+     */
+    private ensureInitialized;
+    private _doInit;
+    /**
+     * Get the authorization header for API requests
+     */
+    private getAuthHeader;
+    /**
+     * Make an API request with error handling.
+     *
+     * For GET requests, `params` are appended as URL query parameters.
+     * For POST requests, `body` is sent as JSON in the request body.
+     */
+    private apiRequest;
+    /**
+     * Store an encrypted secret in the vault.
+     * The value is encrypted locally before being sent to the API.
+     *
+     * API: POST /api/secrets/set
+     *
+     * @param name - The name of the secret
+     * @param value - The plaintext value to encrypt and store
+     * @returns A Result containing the API response or an error
+     */
+    set(name: SecretName, value: SecretValue): Promise<Result<SetSecretResponse, SecretsError>>;
+    /**
+     * Retrieve and decrypt a secret from the vault.
+     * The secret is decrypted locally after retrieval.
+     *
+     * API: GET /api/secrets/get?workspaceId=...&environment=...&name=...
+     *
+     * @param name - The name of the secret to retrieve
+     * @returns A Result containing the decrypted value or an error
+     */
+    get(name: SecretName): Promise<Result<SecretValue, SecretsError>>;
+    /**
+     * Retrieve and decrypt many secrets from the vault.
+     * The secrets are decrypted locally after retrieval.
+     * This method only triggers a single network request to the ZeroKMS.
+     *
+     * API: GET /api/secrets/get-many?workspaceId=...&environment=...&names=name1,name2,...
+     *
+     * Constraints:
+     *   - Minimum 2 secret names required
+     *   - Maximum 100 secret names per request
+     *
+     * @param names - The names of the secrets to retrieve (min 2, max 100)
+     * @returns A Result containing an object mapping secret names to their decrypted values
+     */
+    getMany(names: SecretName[]): Promise<Result<Record<SecretName, SecretValue>, SecretsError>>;
+    /**
+     * List all secrets in the environment.
+     * Only names and metadata are returned; values remain encrypted.
+     *
+     * API: GET /api/secrets/list?workspaceId=...&environment=...
+     *
+     * @returns A Result containing the list of secrets or an error
+     */
+    list(): Promise<Result<SecretMetadata[], SecretsError>>;
+    /**
+     * Delete a secret from the vault.
+     *
+     * API: POST /api/secrets/delete
+     *
+     * @param name - The name of the secret to delete
+     * @returns A Result containing the API response or an error
+     */
+    delete(name: SecretName): Promise<Result<DeleteSecretResponse, SecretsError>>;
+}
+
+export { type DecryptedSecretResponse, type DeleteSecretRequest, type DeleteSecretResponse, type GetManySecretsResponse, type GetSecretResponse, type ListSecretsResponse, type PlanLimitError, type SecretMetadata, type SecretName, type SecretValue, Secrets, type SecretsConfig, type SecretsError, type SecretsErrorType, type SetSecretRequest, type SetSecretResponse };