npm - @cipherstash/stack - Versions diffs - 0.1.0 - Mend

@cipherstash/stack 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (76) hide show

package/CHANGELOG.md +7 -0
package/LICENSE.md +21 -0
package/README.md +670 -0
package/dist/bin/stash.js +5049 -0
package/dist/bin/stash.js.map +1 -0
package/dist/chunk-2GZMIJFO.js +2400 -0
package/dist/chunk-2GZMIJFO.js.map +1 -0
package/dist/chunk-5DCT6YU2.js +138 -0
package/dist/chunk-5DCT6YU2.js.map +1 -0
package/dist/chunk-7XRPN2KX.js +336 -0
package/dist/chunk-7XRPN2KX.js.map +1 -0
package/dist/chunk-SJ7JO4ME.js +28 -0
package/dist/chunk-SJ7JO4ME.js.map +1 -0
package/dist/chunk-SUYMGQBY.js +67 -0
package/dist/chunk-SUYMGQBY.js.map +1 -0
package/dist/client-BxJG56Ey.d.cts +647 -0
package/dist/client-DtGq9dJp.d.ts +647 -0
package/dist/client.cjs +347 -0
package/dist/client.cjs.map +1 -0
package/dist/client.d.cts +7 -0
package/dist/client.d.ts +7 -0
package/dist/client.js +11 -0
package/dist/client.js.map +1 -0
package/dist/drizzle/index.cjs +1528 -0
package/dist/drizzle/index.cjs.map +1 -0
package/dist/drizzle/index.d.cts +350 -0
package/dist/drizzle/index.d.ts +350 -0
package/dist/drizzle/index.js +1212 -0
package/dist/drizzle/index.js.map +1 -0
package/dist/dynamodb/index.cjs +382 -0
package/dist/dynamodb/index.cjs.map +1 -0
package/dist/dynamodb/index.d.cts +125 -0
package/dist/dynamodb/index.d.ts +125 -0
package/dist/dynamodb/index.js +355 -0
package/dist/dynamodb/index.js.map +1 -0
package/dist/identity/index.cjs +271 -0
package/dist/identity/index.cjs.map +1 -0
package/dist/identity/index.d.cts +3 -0
package/dist/identity/index.d.ts +3 -0
package/dist/identity/index.js +117 -0
package/dist/identity/index.js.map +1 -0
package/dist/index-9-Ya3fDK.d.cts +169 -0
package/dist/index-9-Ya3fDK.d.ts +169 -0
package/dist/index.cjs +2915 -0
package/dist/index.cjs.map +1 -0
package/dist/index.d.cts +22 -0
package/dist/index.d.ts +22 -0
package/dist/index.js +23 -0
package/dist/index.js.map +1 -0
package/dist/schema/index.cjs +368 -0
package/dist/schema/index.cjs.map +1 -0
package/dist/schema/index.d.cts +4 -0
package/dist/schema/index.d.ts +4 -0
package/dist/schema/index.js +23 -0
package/dist/schema/index.js.map +1 -0
package/dist/secrets/index.cjs +3207 -0
package/dist/secrets/index.cjs.map +1 -0
package/dist/secrets/index.d.cts +227 -0
package/dist/secrets/index.d.ts +227 -0
package/dist/secrets/index.js +323 -0
package/dist/secrets/index.js.map +1 -0
package/dist/supabase/index.cjs +1113 -0
package/dist/supabase/index.cjs.map +1 -0
package/dist/supabase/index.d.cts +144 -0
package/dist/supabase/index.d.ts +144 -0
package/dist/supabase/index.js +864 -0
package/dist/supabase/index.js.map +1 -0
package/dist/types-public-BCj1L4fi.d.cts +1013 -0
package/dist/types-public-BCj1L4fi.d.ts +1013 -0
package/dist/types-public.cjs +40 -0
package/dist/types-public.cjs.map +1 -0
package/dist/types-public.d.cts +4 -0
package/dist/types-public.d.ts +4 -0
package/dist/types-public.js +7 -0
package/dist/types-public.js.map +1 -0
package/package.json +202 -0

package/dist/secrets/index.js ADDED Viewed

@@ -0,0 +1,323 @@
+import {
+  Encryption
+} from "../chunk-2GZMIJFO.js";
+import {
+  encryptedToPgComposite
+} from "../chunk-SUYMGQBY.js";
+import "../chunk-SJ7JO4ME.js";
+import {
+  extractWorkspaceIdFromCrn
+} from "../chunk-5DCT6YU2.js";
+import {
+  encryptedColumn,
+  encryptedTable
+} from "../chunk-7XRPN2KX.js";
+// src/secrets/index.ts
+var Secrets = class {
+  encryptionClient = null;
+  config;
+  apiBaseUrl = process.env.STASH_API_URL || "https://dashboard.cipherstash.com/api/secrets";
+  secretsSchema = encryptedTable("secrets", {
+    value: encryptedColumn("value")
+  });
+  constructor(config) {
+    this.config = config;
+  }
+  initPromise = null;
+  /**
+   * Initialize the Secrets client and underlying Encryption client
+   */
+  async ensureInitialized() {
+    if (!this.initPromise) {
+      this.initPromise = this._doInit();
+    }
+    return this.initPromise;
+  }
+  async _doInit() {
+    this.encryptionClient = await Encryption({
+      schemas: [this.secretsSchema],
+      config: {
+        workspaceCrn: this.config.workspaceCRN,
+        clientId: this.config.clientId,
+        clientKey: this.config.clientKey,
+        accessKey: this.config.apiKey,
+        keyset: {
+          name: this.config.environment
+        }
+      }
+    });
+  }
+  /**
+   * Get the authorization header for API requests
+   */
+  getAuthHeader() {
+    return `Bearer ${this.config.apiKey}`;
+  }
+  /**
+   * Make an API request with error handling.
+   *
+   * For GET requests, `params` are appended as URL query parameters.
+   * For POST requests, `body` is sent as JSON in the request body.
+   */
+  async apiRequest(method, path, options) {
+    try {
+      let url = `${this.apiBaseUrl}${path}`;
+      if (options?.params) {
+        const searchParams = new URLSearchParams(options.params);
+        url = `${url}?${searchParams.toString()}`;
+      }
+      const headers = {
+        "Content-Type": "application/json",
+        Authorization: this.getAuthHeader()
+      };
+      const response = await fetch(url, {
+        method,
+        headers,
+        body: options?.body ? JSON.stringify(options.body) : void 0
+      });
+      if (!response.ok) {
+        const errorText = await response.text();
+        let errorMessage = `API request failed with status ${response.status}`;
+        try {
+          const errorJson = JSON.parse(errorText);
+          errorMessage = errorJson.message || errorJson.error || errorMessage;
+        } catch {
+          errorMessage = errorText || errorMessage;
+        }
+        return {
+          failure: {
+            type: "ApiError",
+            message: errorMessage
+          }
+        };
+      }
+      const data = await response.json();
+      return { data };
+    } catch (error) {
+      return {
+        failure: {
+          type: "NetworkError",
+          message: error instanceof Error ? error.message : "Unknown network error occurred"
+        }
+      };
+    }
+  }
+  /**
+   * Store an encrypted secret in the vault.
+   * The value is encrypted locally before being sent to the API.
+   *
+   * API: POST /api/secrets/set
+   *
+   * @param name - The name of the secret
+   * @param value - The plaintext value to encrypt and store
+   * @returns A Result containing the API response or an error
+   */
+  async set(name, value) {
+    await this.ensureInitialized();
+    if (!this.encryptionClient) {
+      return {
+        failure: {
+          type: "ClientError",
+          message: "Failed to initialize Encryption client"
+        }
+      };
+    }
+    const encryptResult = await this.encryptionClient.encrypt(value, {
+      column: this.secretsSchema.value,
+      table: this.secretsSchema
+    });
+    if (encryptResult.failure) {
+      return {
+        failure: {
+          type: "EncryptionError",
+          message: encryptResult.failure.message
+        }
+      };
+    }
+    const workspaceId = extractWorkspaceIdFromCrn(this.config.workspaceCRN);
+    return await this.apiRequest("POST", "/set", {
+      body: {
+        workspaceId,
+        environment: this.config.environment,
+        name,
+        encryptedValue: encryptedToPgComposite(encryptResult.data)
+      }
+    });
+  }
+  /**
+   * Retrieve and decrypt a secret from the vault.
+   * The secret is decrypted locally after retrieval.
+   *
+   * API: GET /api/secrets/get?workspaceId=...&environment=...&name=...
+   *
+   * @param name - The name of the secret to retrieve
+   * @returns A Result containing the decrypted value or an error
+   */
+  async get(name) {
+    await this.ensureInitialized();
+    if (!this.encryptionClient) {
+      return {
+        failure: {
+          type: "ClientError",
+          message: "Failed to initialize Encryption client"
+        }
+      };
+    }
+    const workspaceId = extractWorkspaceIdFromCrn(this.config.workspaceCRN);
+    const apiResult = await this.apiRequest("GET", "/get", {
+      params: {
+        workspaceId,
+        environment: this.config.environment,
+        name
+      }
+    });
+    if (apiResult.failure) {
+      return apiResult;
+    }
+    const decryptResult = await this.encryptionClient.decrypt(
+      apiResult.data.encryptedValue.data
+    );
+    if (decryptResult.failure) {
+      return {
+        failure: {
+          type: "DecryptionError",
+          message: decryptResult.failure.message
+        }
+      };
+    }
+    if (typeof decryptResult.data !== "string") {
+      return {
+        failure: {
+          type: "DecryptionError",
+          message: "Decrypted value is not a string"
+        }
+      };
+    }
+    return { data: decryptResult.data };
+  }
+  /**
+   * Retrieve and decrypt many secrets from the vault.
+   * The secrets are decrypted locally after retrieval.
+   * This method only triggers a single network request to the ZeroKMS.
+   *
+   * API: GET /api/secrets/get-many?workspaceId=...&environment=...&names=name1,name2,...
+   *
+   * Constraints:
+   *   - Minimum 2 secret names required
+   *   - Maximum 100 secret names per request
+   *
+   * @param names - The names of the secrets to retrieve (min 2, max 100)
+   * @returns A Result containing an object mapping secret names to their decrypted values
+   */
+  async getMany(names) {
+    await this.ensureInitialized();
+    if (!this.encryptionClient) {
+      return {
+        failure: {
+          type: "ClientError",
+          message: "Failed to initialize Encryption client"
+        }
+      };
+    }
+    if (names.length < 2) {
+      return {
+        failure: {
+          type: "ClientError",
+          message: "At least 2 secret names are required for getMany"
+        }
+      };
+    }
+    if (names.length > 100) {
+      return {
+        failure: {
+          type: "ClientError",
+          message: "Maximum 100 secret names per request"
+        }
+      };
+    }
+    const workspaceId = extractWorkspaceIdFromCrn(this.config.workspaceCRN);
+    const apiResult = await this.apiRequest(
+      "GET",
+      "/get-many",
+      {
+        params: {
+          workspaceId,
+          environment: this.config.environment,
+          names: names.join(",")
+        }
+      }
+    );
+    if (apiResult.failure) {
+      return apiResult;
+    }
+    const dataToDecrypt = apiResult.data.map((item) => ({
+      name: item.name,
+      value: item.encryptedValue.data
+    }));
+    const decryptResult = await this.encryptionClient.bulkDecryptModels(dataToDecrypt);
+    if (decryptResult.failure) {
+      return {
+        failure: {
+          type: "DecryptionError",
+          message: decryptResult.failure.message
+        }
+      };
+    }
+    const decryptedSecrets = decryptResult.data;
+    const secretsMap = {};
+    for (const secret of decryptedSecrets) {
+      if (secret.name && secret.value) {
+        secretsMap[secret.name] = secret.value;
+      }
+    }
+    return { data: secretsMap };
+  }
+  /**
+   * List all secrets in the environment.
+   * Only names and metadata are returned; values remain encrypted.
+   *
+   * API: GET /api/secrets/list?workspaceId=...&environment=...
+   *
+   * @returns A Result containing the list of secrets or an error
+   */
+  async list() {
+    const workspaceId = extractWorkspaceIdFromCrn(this.config.workspaceCRN);
+    const apiResult = await this.apiRequest(
+      "GET",
+      "/list",
+      {
+        params: {
+          workspaceId,
+          environment: this.config.environment
+        }
+      }
+    );
+    if (apiResult.failure) {
+      return apiResult;
+    }
+    return { data: apiResult.data.secrets };
+  }
+  /**
+   * Delete a secret from the vault.
+   *
+   * API: POST /api/secrets/delete
+   *
+   * @param name - The name of the secret to delete
+   * @returns A Result containing the API response or an error
+   */
+  async delete(name) {
+    const workspaceId = extractWorkspaceIdFromCrn(this.config.workspaceCRN);
+    return await this.apiRequest("POST", "/delete", {
+      body: {
+        workspaceId,
+        environment: this.config.environment,
+        name
+      }
+    });
+  }
+};
+export {
+  Secrets
+};
+//# sourceMappingURL=index.js.map

package/dist/secrets/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../../src/secrets/index.ts"],"sourcesContent":["/**\n * Placeholder: Corrected Secrets client interface\n *\n * This file reflects the actual dashboard API endpoints as implemented in:\n * apps/dashboard/src/app/api/secrets/{get,set,list,get-many,delete}/route.ts\n *\n * Key corrections from the original interface:\n * 1. get, list, get-many are GET endpoints (not POST) with query params\n * 2. get-many takes a comma-separated `names` string (not a JSON array)\n * 3. set and delete return { success, message } (not void)\n * 4. SecretMetadata fields (id, createdAt, updatedAt) are non-optional\n * 5. GetSecretResponse fields (createdAt, updatedAt) are non-optional\n * 6. get-many enforces min 2 names (comma required) and max 100 names\n */\n\nimport type { EncryptionClient } from '@/encryption/ffi'\nimport { encryptedToPgComposite } from '@/encryption/helpers'\nimport { Encryption } from '@/index'\nimport { encryptedColumn, encryptedTable } from '@/schema'\nimport type { Encrypted } from '@/types'\nimport type { Result } from '@byteslice/result'\nimport { extractWorkspaceIdFromCrn } from '../utils/config/index.js'\n\nexport type SecretName = string\nexport type SecretValue = string\n\n/**\n * Discriminated error type for secrets operations.\n */\nexport type SecretsErrorType =\n | 'ApiError'\n | 'NetworkError'\n | 'ClientError'\n | 'EncryptionError'\n | 'DecryptionError'\n\n/**\n * Error returned by secrets operations.\n */\nexport interface SecretsError {\n type: SecretsErrorType\n message: string\n}\n\n/**\n * Configuration options for initializing the Stash client\n */\nexport interface SecretsConfig {\n workspaceCRN: string\n clientId: string\n clientKey: string\n environment: string\n apiKey: string\n accessKey?: string\n}\n\n/**\n * Secret metadata returned from the API (list endpoint).\n * All fields are always present in API responses.\n */\nexport interface SecretMetadata {\n id: string\n name: string\n environment: string\n createdAt: string\n updatedAt: string\n}\n\n/**\n * API response for listing secrets.\n * GET /api/secrets/list?workspaceId=...&environment=...\n */\nexport interface ListSecretsResponse {\n environment: string\n secrets: SecretMetadata[]\n}\n\n/**\n * API response for getting a single secret.\n * GET /api/secrets/get?workspaceId=...&environment=...&name=...\n *\n * The `encryptedValue` is the raw value stored in the vault's `value` column,\n * which is the `{ data: Encrypted }` object that was passed to the set endpoint.\n */\nexport interface GetSecretResponse {\n name: string\n environment: string\n encryptedValue: {\n data: Encrypted\n }\n createdAt: string\n updatedAt: string\n}\n\n/**\n * API response for getting multiple secrets.\n * GET /api/secrets/get-many?workspaceId=...&environment=...&names=name1,name2,...\n *\n * Returns an array of GetSecretResponse objects.\n * Constraints:\n * - `names` must be comma-separated (minimum 2 names)\n * - Maximum 100 names per request\n */\nexport type GetManySecretsResponse = GetSecretResponse[]\n\n/**\n * API response for setting a secret.\n * POST /api/secrets/set\n */\nexport interface SetSecretResponse {\n success: true\n message: string\n}\n\n/**\n * API request body for setting a secret.\n * POST /api/secrets/set\n */\nexport interface SetSecretRequest {\n workspaceId: string\n environment: string\n name: string\n encryptedValue: {\n data: Encrypted\n }\n}\n\n/**\n * API response for deleting a secret.\n * POST /api/secrets/delete\n */\nexport interface DeleteSecretResponse {\n success: true\n message: string\n}\n\n/**\n * API request body for deleting a secret.\n * POST /api/secrets/delete\n */\nexport interface DeleteSecretRequest {\n workspaceId: string\n environment: string\n name: string\n}\n\n/**\n * API error response for plan limit violations (403).\n * Returned by POST /api/secrets/set when the workspace has reached its secret limit.\n */\nexport interface PlanLimitError {\n error: string\n code: 'PLAN_LIMIT_REACHED'\n}\n\nexport interface DecryptedSecretResponse {\n name: string\n environment: string\n value: string\n createdAt: string\n updatedAt: string\n}\n\n/**\n * The Secrets client provides a high-level API for managing encrypted secrets\n * stored in CipherStash. Secrets are encrypted locally before being sent to\n * the API, ensuring end-to-end encryption.\n */\nexport class Secrets {\n private encryptionClient: EncryptionClient | null = null\n private config: SecretsConfig\n private readonly apiBaseUrl =\n process.env.STASH_API_URL || 'https://dashboard.cipherstash.com/api/secrets'\n private readonly secretsSchema = encryptedTable('secrets', {\n value: encryptedColumn('value'),\n })\n\n constructor(config: SecretsConfig) {\n this.config = config\n }\n\n private initPromise: Promise<void> | null = null\n\n /**\n * Initialize the Secrets client and underlying Encryption client\n */\n private async ensureInitialized(): Promise<void> {\n if (!this.initPromise) {\n this.initPromise = this._doInit()\n }\n return this.initPromise\n }\n\n private async _doInit(): Promise<void> {\n this.encryptionClient = await Encryption({\n schemas: [this.secretsSchema],\n config: {\n workspaceCrn: this.config.workspaceCRN,\n clientId: this.config.clientId,\n clientKey: this.config.clientKey,\n accessKey: this.config.apiKey,\n keyset: {\n name: this.config.environment,\n },\n },\n })\n }\n\n /**\n * Get the authorization header for API requests\n */\n private getAuthHeader(): string {\n return `Bearer ${this.config.apiKey}`\n }\n\n /**\n * Make an API request with error handling.\n *\n * For GET requests, `params` are appended as URL query parameters.\n * For POST requests, `body` is sent as JSON in the request body.\n */\n private async apiRequest<T>(\n method: 'GET' | 'POST',\n path: string,\n options?: {\n body?: unknown\n params?: Record<string, string>\n },\n ): Promise<Result<T, SecretsError>> {\n try {\n let url = `${this.apiBaseUrl}${path}`\n\n if (options?.params) {\n const searchParams = new URLSearchParams(options.params)\n url = `${url}?${searchParams.toString()}`\n }\n\n const headers: Record<string, string> = {\n 'Content-Type': 'application/json',\n Authorization: this.getAuthHeader(),\n }\n\n const response = await fetch(url, {\n method,\n headers,\n body: options?.body ? JSON.stringify(options.body) : undefined,\n })\n\n if (!response.ok) {\n const errorText = await response.text()\n let errorMessage = `API request failed with status ${response.status}`\n try {\n const errorJson = JSON.parse(errorText)\n errorMessage = errorJson.message || errorJson.error || errorMessage\n } catch {\n errorMessage = errorText || errorMessage\n }\n\n return {\n failure: {\n type: 'ApiError',\n message: errorMessage,\n },\n }\n }\n\n const data = await response.json()\n return { data }\n } catch (error) {\n return {\n failure: {\n type: 'NetworkError',\n message:\n error instanceof Error\n ? error.message\n : 'Unknown network error occurred',\n },\n }\n }\n }\n\n /**\n * Store an encrypted secret in the vault.\n * The value is encrypted locally before being sent to the API.\n *\n * API: POST /api/secrets/set\n *\n * @param name - The name of the secret\n * @param value - The plaintext value to encrypt and store\n * @returns A Result containing the API response or an error\n */\n async set(\n name: SecretName,\n value: SecretValue,\n ): Promise<Result<SetSecretResponse, SecretsError>> {\n await this.ensureInitialized()\n\n if (!this.encryptionClient) {\n return {\n failure: {\n type: 'ClientError',\n message: 'Failed to initialize Encryption client',\n },\n }\n }\n\n // Encrypt the value locally\n const encryptResult = await this.encryptionClient.encrypt(value, {\n column: this.secretsSchema.value,\n table: this.secretsSchema,\n })\n\n if (encryptResult.failure) {\n return {\n failure: {\n type: 'EncryptionError',\n message: encryptResult.failure.message,\n },\n }\n }\n\n // Extract workspaceId from CRN\n const workspaceId = extractWorkspaceIdFromCrn(this.config.workspaceCRN)\n\n // Send encrypted value to API\n return await this.apiRequest<SetSecretResponse>('POST', '/set', {\n body: {\n workspaceId,\n environment: this.config.environment,\n name,\n encryptedValue: encryptedToPgComposite(encryptResult.data),\n },\n })\n }\n\n /**\n * Retrieve and decrypt a secret from the vault.\n * The secret is decrypted locally after retrieval.\n *\n * API: GET /api/secrets/get?workspaceId=...&environment=...&name=...\n *\n * @param name - The name of the secret to retrieve\n * @returns A Result containing the decrypted value or an error\n */\n async get(name: SecretName): Promise<Result<SecretValue, SecretsError>> {\n await this.ensureInitialized()\n\n if (!this.encryptionClient) {\n return {\n failure: {\n type: 'ClientError',\n message: 'Failed to initialize Encryption client',\n },\n }\n }\n\n // Extract workspaceId from CRN\n const workspaceId = extractWorkspaceIdFromCrn(this.config.workspaceCRN)\n\n // Fetch encrypted value from API via GET with query params\n const apiResult = await this.apiRequest<GetSecretResponse>('GET', '/get', {\n params: {\n workspaceId,\n environment: this.config.environment,\n name,\n },\n })\n\n if (apiResult.failure) {\n return apiResult\n }\n\n // Decrypt the value locally\n const decryptResult = await this.encryptionClient.decrypt(\n apiResult.data.encryptedValue.data,\n )\n\n if (decryptResult.failure) {\n return {\n failure: {\n type: 'DecryptionError',\n message: decryptResult.failure.message,\n },\n }\n }\n\n if (typeof decryptResult.data !== 'string') {\n return {\n failure: {\n type: 'DecryptionError',\n message: 'Decrypted value is not a string',\n },\n }\n }\n\n return { data: decryptResult.data }\n }\n\n /**\n * Retrieve and decrypt many secrets from the vault.\n * The secrets are decrypted locally after retrieval.\n * This method only triggers a single network request to the ZeroKMS.\n *\n * API: GET /api/secrets/get-many?workspaceId=...&environment=...&names=name1,name2,...\n *\n * Constraints:\n * - Minimum 2 secret names required\n * - Maximum 100 secret names per request\n *\n * @param names - The names of the secrets to retrieve (min 2, max 100)\n * @returns A Result containing an object mapping secret names to their decrypted values\n */\n async getMany(\n names: SecretName[],\n ): Promise<Result<Record<SecretName, SecretValue>, SecretsError>> {\n await this.ensureInitialized()\n\n if (!this.encryptionClient) {\n return {\n failure: {\n type: 'ClientError',\n message: 'Failed to initialize Encryption client',\n },\n }\n }\n\n if (names.length < 2) {\n return {\n failure: {\n type: 'ClientError',\n message: 'At least 2 secret names are required for getMany',\n },\n }\n }\n\n if (names.length > 100) {\n return {\n failure: {\n type: 'ClientError',\n message: 'Maximum 100 secret names per request',\n },\n }\n }\n\n // Extract workspaceId from CRN\n const workspaceId = extractWorkspaceIdFromCrn(this.config.workspaceCRN)\n\n // Fetch encrypted values from API via GET with comma-separated names\n const apiResult = await this.apiRequest<GetManySecretsResponse>(\n 'GET',\n '/get-many',\n {\n params: {\n workspaceId,\n environment: this.config.environment,\n names: names.join(','),\n },\n },\n )\n\n if (apiResult.failure) {\n return apiResult\n }\n\n const dataToDecrypt = apiResult.data.map((item) => ({\n name: item.name,\n value: item.encryptedValue.data,\n }))\n\n const decryptResult =\n await this.encryptionClient.bulkDecryptModels(dataToDecrypt)\n\n if (decryptResult.failure) {\n return {\n failure: {\n type: 'DecryptionError',\n message: decryptResult.failure.message,\n },\n }\n }\n\n // Transform array of decrypted secrets into an object keyed by secret name\n const decryptedSecrets =\n decryptResult.data as unknown as DecryptedSecretResponse[]\n const secretsMap: Record<SecretName, SecretValue> = {}\n\n for (const secret of decryptedSecrets) {\n if (secret.name && secret.value) {\n secretsMap[secret.name] = secret.value\n }\n }\n\n return { data: secretsMap }\n }\n\n /**\n * List all secrets in the environment.\n * Only names and metadata are returned; values remain encrypted.\n *\n * API: GET /api/secrets/list?workspaceId=...&environment=...\n *\n * @returns A Result containing the list of secrets or an error\n */\n async list(): Promise<Result<SecretMetadata[], SecretsError>> {\n // Extract workspaceId from CRN\n const workspaceId = extractWorkspaceIdFromCrn(this.config.workspaceCRN)\n\n const apiResult = await this.apiRequest<ListSecretsResponse>(\n 'GET',\n '/list',\n {\n params: {\n workspaceId,\n environment: this.config.environment,\n },\n },\n )\n\n if (apiResult.failure) {\n return apiResult\n }\n\n return { data: apiResult.data.secrets }\n }\n\n /**\n * Delete a secret from the vault.\n *\n * API: POST /api/secrets/delete\n *\n * @param name - The name of the secret to delete\n * @returns A Result containing the API response or an error\n */\n async delete(\n name: SecretName,\n ): Promise<Result<DeleteSecretResponse, SecretsError>> {\n // Extract workspaceId from CRN\n const workspaceId = extractWorkspaceIdFromCrn(this.config.workspaceCRN)\n\n return await this.apiRequest<DeleteSecretResponse>('POST', '/delete', {\n body: {\n workspaceId,\n environment: this.config.environment,\n name,\n },\n })\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;AAwKO,IAAM,UAAN,MAAc;AAAA,EACX,mBAA4C;AAAA,EAC5C;AAAA,EACS,aACf,QAAQ,IAAI,iBAAiB;AAAA,EACd,gBAAgB,eAAe,WAAW;AAAA,IACzD,OAAO,gBAAgB,OAAO;AAAA,EAChC,CAAC;AAAA,EAED,YAAY,QAAuB;AACjC,SAAK,SAAS;AAAA,EAChB;AAAA,EAEQ,cAAoC;AAAA;AAAA;AAAA;AAAA,EAK5C,MAAc,oBAAmC;AAC/C,QAAI,CAAC,KAAK,aAAa;AACrB,WAAK,cAAc,KAAK,QAAQ;AAAA,IAClC;AACA,WAAO,KAAK;AAAA,EACd;AAAA,EAEA,MAAc,UAAyB;AACrC,SAAK,mBAAmB,MAAM,WAAW;AAAA,MACvC,SAAS,CAAC,KAAK,aAAa;AAAA,MAC5B,QAAQ;AAAA,QACN,cAAc,KAAK,OAAO;AAAA,QAC1B,UAAU,KAAK,OAAO;AAAA,QACtB,WAAW,KAAK,OAAO;AAAA,QACvB,WAAW,KAAK,OAAO;AAAA,QACvB,QAAQ;AAAA,UACN,MAAM,KAAK,OAAO;AAAA,QACpB;AAAA,MACF;AAAA,IACF,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA,EAKQ,gBAAwB;AAC9B,WAAO,UAAU,KAAK,OAAO,MAAM;AAAA,EACrC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAc,WACZ,QACA,MACA,SAIkC;AAClC,QAAI;AACF,UAAI,MAAM,GAAG,KAAK,UAAU,GAAG,IAAI;AAEnC,UAAI,SAAS,QAAQ;AACnB,cAAM,eAAe,IAAI,gBAAgB,QAAQ,MAAM;AACvD,cAAM,GAAG,GAAG,IAAI,aAAa,SAAS,CAAC;AAAA,MACzC;AAEA,YAAM,UAAkC;AAAA,QACtC,gBAAgB;AAAA,QAChB,eAAe,KAAK,cAAc;AAAA,MACpC;AAEA,YAAM,WAAW,MAAM,MAAM,KAAK;AAAA,QAChC;AAAA,QACA;AAAA,QACA,MAAM,SAAS,OAAO,KAAK,UAAU,QAAQ,IAAI,IAAI;AAAA,MACvD,CAAC;AAED,UAAI,CAAC,SAAS,IAAI;AAChB,cAAM,YAAY,MAAM,SAAS,KAAK;AACtC,YAAI,eAAe,kCAAkC,SAAS,MAAM;AACpE,YAAI;AACF,gBAAM,YAAY,KAAK,MAAM,SAAS;AACtC,yBAAe,UAAU,WAAW,UAAU,SAAS;AAAA,QACzD,QAAQ;AACN,yBAAe,aAAa;AAAA,QAC9B;AAEA,eAAO;AAAA,UACL,SAAS;AAAA,YACP,MAAM;AAAA,YACN,SAAS;AAAA,UACX;AAAA,QACF;AAAA,MACF;AAEA,YAAM,OAAO,MAAM,SAAS,KAAK;AACjC,aAAO,EAAE,KAAK;AAAA,IAChB,SAAS,OAAO;AACd,aAAO;AAAA,QACL,SAAS;AAAA,UACP,MAAM;AAAA,UACN,SACE,iBAAiB,QACb,MAAM,UACN;AAAA,QACR;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYA,MAAM,IACJ,MACA,OACkD;AAClD,UAAM,KAAK,kBAAkB;AAE7B,QAAI,CAAC,KAAK,kBAAkB;AAC1B,aAAO;AAAA,QACL,SAAS;AAAA,UACP,MAAM;AAAA,UACN,SAAS;AAAA,QACX;AAAA,MACF;AAAA,IACF;AAGA,UAAM,gBAAgB,MAAM,KAAK,iBAAiB,QAAQ,OAAO;AAAA,MAC/D,QAAQ,KAAK,cAAc;AAAA,MAC3B,OAAO,KAAK;AAAA,IACd,CAAC;AAED,QAAI,cAAc,SAAS;AACzB,aAAO;AAAA,QACL,SAAS;AAAA,UACP,MAAM;AAAA,UACN,SAAS,cAAc,QAAQ;AAAA,QACjC;AAAA,MACF;AAAA,IACF;AAGA,UAAM,cAAc,0BAA0B,KAAK,OAAO,YAAY;AAGtE,WAAO,MAAM,KAAK,WAA8B,QAAQ,QAAQ;AAAA,MAC9D,MAAM;AAAA,QACJ;AAAA,QACA,aAAa,KAAK,OAAO;AAAA,QACzB;AAAA,QACA,gBAAgB,uBAAuB,cAAc,IAAI;AAAA,MAC3D;AAAA,IACF,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,MAAM,IAAI,MAA8D;AACtE,UAAM,KAAK,kBAAkB;AAE7B,QAAI,CAAC,KAAK,kBAAkB;AAC1B,aAAO;AAAA,QACL,SAAS;AAAA,UACP,MAAM;AAAA,UACN,SAAS;AAAA,QACX;AAAA,MACF;AAAA,IACF;AAGA,UAAM,cAAc,0BAA0B,KAAK,OAAO,YAAY;AAGtE,UAAM,YAAY,MAAM,KAAK,WAA8B,OAAO,QAAQ;AAAA,MACxE,QAAQ;AAAA,QACN;AAAA,QACA,aAAa,KAAK,OAAO;AAAA,QACzB;AAAA,MACF;AAAA,IACF,CAAC;AAED,QAAI,UAAU,SAAS;AACrB,aAAO;AAAA,IACT;AAGA,UAAM,gBAAgB,MAAM,KAAK,iBAAiB;AAAA,MAChD,UAAU,KAAK,eAAe;AAAA,IAChC;AAEA,QAAI,cAAc,SAAS;AACzB,aAAO;AAAA,QACL,SAAS;AAAA,UACP,MAAM;AAAA,UACN,SAAS,cAAc,QAAQ;AAAA,QACjC;AAAA,MACF;AAAA,IACF;AAEA,QAAI,OAAO,cAAc,SAAS,UAAU;AAC1C,aAAO;AAAA,QACL,SAAS;AAAA,UACP,MAAM;AAAA,UACN,SAAS;AAAA,QACX;AAAA,MACF;AAAA,IACF;AAEA,WAAO,EAAE,MAAM,cAAc,KAAK;AAAA,EACpC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAgBA,MAAM,QACJ,OACgE;AAChE,UAAM,KAAK,kBAAkB;AAE7B,QAAI,CAAC,KAAK,kBAAkB;AAC1B,aAAO;AAAA,QACL,SAAS;AAAA,UACP,MAAM;AAAA,UACN,SAAS;AAAA,QACX;AAAA,MACF;AAAA,IACF;AAEA,QAAI,MAAM,SAAS,GAAG;AACpB,aAAO;AAAA,QACL,SAAS;AAAA,UACP,MAAM;AAAA,UACN,SAAS;AAAA,QACX;AAAA,MACF;AAAA,IACF;AAEA,QAAI,MAAM,SAAS,KAAK;AACtB,aAAO;AAAA,QACL,SAAS;AAAA,UACP,MAAM;AAAA,UACN,SAAS;AAAA,QACX;AAAA,MACF;AAAA,IACF;AAGA,UAAM,cAAc,0BAA0B,KAAK,OAAO,YAAY;AAGtE,UAAM,YAAY,MAAM,KAAK;AAAA,MAC3B;AAAA,MACA;AAAA,MACA;AAAA,QACE,QAAQ;AAAA,UACN;AAAA,UACA,aAAa,KAAK,OAAO;AAAA,UACzB,OAAO,MAAM,KAAK,GAAG;AAAA,QACvB;AAAA,MACF;AAAA,IACF;AAEA,QAAI,UAAU,SAAS;AACrB,aAAO;AAAA,IACT;AAEA,UAAM,gBAAgB,UAAU,KAAK,IAAI,CAAC,UAAU;AAAA,MAClD,MAAM,KAAK;AAAA,MACX,OAAO,KAAK,eAAe;AAAA,IAC7B,EAAE;AAEF,UAAM,gBACJ,MAAM,KAAK,iBAAiB,kBAAkB,aAAa;AAE7D,QAAI,cAAc,SAAS;AACzB,aAAO;AAAA,QACL,SAAS;AAAA,UACP,MAAM;AAAA,UACN,SAAS,cAAc,QAAQ;AAAA,QACjC;AAAA,MACF;AAAA,IACF;AAGA,UAAM,mBACJ,cAAc;AAChB,UAAM,aAA8C,CAAC;AAErD,eAAW,UAAU,kBAAkB;AACrC,UAAI,OAAO,QAAQ,OAAO,OAAO;AAC/B,mBAAW,OAAO,IAAI,IAAI,OAAO;AAAA,MACnC;AAAA,IACF;AAEA,WAAO,EAAE,MAAM,WAAW;AAAA,EAC5B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,MAAM,OAAwD;AAE5D,UAAM,cAAc,0BAA0B,KAAK,OAAO,YAAY;AAEtE,UAAM,YAAY,MAAM,KAAK;AAAA,MAC3B;AAAA,MACA;AAAA,MACA;AAAA,QACE,QAAQ;AAAA,UACN;AAAA,UACA,aAAa,KAAK,OAAO;AAAA,QAC3B;AAAA,MACF;AAAA,IACF;AAEA,QAAI,UAAU,SAAS;AACrB,aAAO;AAAA,IACT;AAEA,WAAO,EAAE,MAAM,UAAU,KAAK,QAAQ;AAAA,EACxC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,MAAM,OACJ,MACqD;AAErD,UAAM,cAAc,0BAA0B,KAAK,OAAO,YAAY;AAEtE,WAAO,MAAM,KAAK,WAAiC,QAAQ,WAAW;AAAA,MACpE,MAAM;AAAA,QACJ;AAAA,QACA,aAAa,KAAK,OAAO;AAAA,QACzB;AAAA,MACF;AAAA,IACF,CAAC;AAAA,EACH;AACF;","names":[]}