@ciq-dev/neoiq-foundation-node 1.0.1 → 1.0.2-0

package/dist/index.js

@@ -1,5 +1,5 @@
 "use strict";
-const require_tracing = require('./tracing-B8-Ntcll.js');
+const require_tracing = require('./tracing-CMXNnEXN.js');
 const __opentelemetry_resources = require_tracing.__toESM(require("@opentelemetry/resources"));
 const __opentelemetry_semantic_conventions = require_tracing.__toESM(require("@opentelemetry/semantic-conventions"));
 const __opentelemetry_api = require_tracing.__toESM(require("@opentelemetry/api"));
@@ -12,6 +12,7 @@ const crypto = require_tracing.__toESM(require("crypto"));
 const axios = require_tracing.__toESM(require("axios"));
 const axios_retry = require_tracing.__toESM(require("axios-retry"));
 const opossum = require_tracing.__toESM(require("opossum"));
+const node_fs_promises = require_tracing.__toESM(require("node:fs/promises"));
 const node_crypto = require_tracing.__toESM(require("node:crypto"));
 const node_stream = require_tracing.__toESM(require("node:stream"));
 
@@ -731,6 +732,136 @@ function createHttpClient(options) {
 	return client;
 }
 
+//#endregion
+//#region src/features/vault.ts
+async function loadNodeVault() {
+	try {
+		const mod = await import("node-vault");
+		return mod.default ?? mod;
+	} catch {
+		throw new Error("node-vault is not installed. Install the optional peer dependency: npm install node-vault");
+	}
+}
+var VaultClient = class {
+	client = null;
+	clientPromise;
+	authenticated = false;
+	cache = new Map();
+	config;
+	logger;
+	cacheEnabled;
+	cacheTtlMs;
+	constructor(options) {
+		this.config = {
+			address: "https://vault.beta.commerceiq.ai/",
+			authMethod: "kubernetes",
+			role: "",
+			mountPoint: "secret",
+			tokenPath: "/var/run/secrets/kubernetes.io/serviceaccount/token",
+			...options.config
+		};
+		this.logger = options.logger;
+		this.cacheEnabled = this.config.cache?.enabled !== false;
+		this.cacheTtlMs = (this.config.cache?.ttlSeconds ?? 300) * 1e3;
+		this.clientPromise = this.initClient();
+	}
+	async initClient() {
+		const nodeVault = await loadNodeVault();
+		const client = nodeVault({
+			apiVersion: "v1",
+			endpoint: this.config.address,
+			namespace: this.config.namespace
+		});
+		this.client = client;
+		return client;
+	}
+	async authenticate() {
+		if (this.authenticated) return;
+		const client = await this.clientPromise;
+		if (this.config.authMethod === "token") {
+			const token = process.env.VAULT_TOKEN;
+			if (!token) throw new Error("VAULT_TOKEN environment variable is required for token-based authentication");
+			client.token = token;
+			this.authenticated = true;
+			this.logger.info({ authMethod: "token" }, "Vault authenticated via token");
+			return;
+		}
+		const role = this.config.role;
+		if (!role) throw new Error("Vault role is required for Kubernetes authentication. Set vault.role in config or VAULT_AUTH_ROLE env var.");
+		let jwt;
+		try {
+			jwt = await (0, node_fs_promises.readFile)(this.config.tokenPath, "utf8");
+		} catch (err) {
+			const message = err instanceof Error ? err.message : String(err);
+			throw new Error(`Failed to read Kubernetes service account token from ${this.config.tokenPath}: ${message}`);
+		}
+		const result = await client.kubernetesLogin({
+			role,
+			jwt
+		});
+		client.token = result.auth.client_token;
+		this.authenticated = true;
+		this.logger.info({
+			authMethod: "kubernetes",
+			role,
+			leaseDuration: result.auth.lease_duration
+		}, "Vault authenticated via Kubernetes service account");
+	}
+	async getSecret(path) {
+		const cacheKey = path;
+		if (this.cacheEnabled) {
+			const cached = this.cache.get(cacheKey);
+			if (cached && cached.expiresAt > Date.now()) {
+				this.logger.debug({
+					path,
+					cache: "hit"
+				}, "Vault secret cache hit");
+				return cached.data;
+			}
+		}
+		await this.authenticate();
+		const client = await this.clientPromise;
+		const fullPath = `${this.config.mountPoint}/data/${path}`;
+		this.logger.debug({ path: fullPath }, "Reading secret from Vault");
+		const response = await client.read(fullPath);
+		const data = response.data.data;
+		if (this.cacheEnabled) {
+			this.cache.set(cacheKey, {
+				data,
+				expiresAt: Date.now() + this.cacheTtlMs
+			});
+			this.logger.debug({
+				path,
+				cache: "miss",
+				ttlMs: this.cacheTtlMs
+			}, "Vault secret cached");
+		}
+		return data;
+	}
+	async getSecretValue(path, key) {
+		const secrets = await this.getSecret(path);
+		return secrets[key];
+	}
+	isAuthenticated() {
+		return this.authenticated;
+	}
+	clearCache() {
+		this.cache.clear();
+		this.logger.debug({}, "Vault secret cache cleared");
+	}
+	async checkHealth() {
+		try {
+			await this.authenticate();
+			return true;
+		} catch {
+			return false;
+		}
+	}
+};
+function createVaultClient(options) {
+	return new VaultClient(options);
+}
+
 //#endregion
 //#region src/foundation.ts
 const deprecationWarnings = new Set();
@@ -748,11 +879,12 @@ function warnDeprecation(oldPath, newPath, logger) {
 function createFoundation(input) {
 	const startTime = Date.now();
 	const config = require_tracing.parseConfig(input);
-	const { serviceName, serviceVersion, environment, features: featuresConfig, otel, logging: loggingConfig, requestLogging: requestLoggingConfig, redaction: redactionConfig, shutdown: shutdownConfig } = config;
+	const { serviceName, serviceVersion, environment, features: featuresConfig, otel, logging: loggingConfig, requestLogging: requestLoggingConfig, redaction: redactionConfig, shutdown: shutdownConfig, vault: vaultConfig } = config;
 	const features = {
 		tracing: featuresConfig.tracing ?? true,
 		metrics: featuresConfig.metrics ?? true,
-		logging: featuresConfig.logging ?? true
+		logging: featuresConfig.logging ?? true,
+		vault: vaultConfig.enabled ?? false
 	};
 	const contextManager = createContextManager();
 	let logger;
@@ -830,6 +962,22 @@ function createFoundation(input) {
 		metricsError = err.message;
 		logger.error({ error: metricsError }, "Metrics setup failed - continuing without metrics");
 	}
+	let vaultClient = null;
+	let vaultError;
+	if (features.vault) try {
+		vaultClient = createVaultClient({
+			config: vaultConfig,
+			logger
+		});
+		logger.info({
+			feature: "vault",
+			address: vaultConfig.address,
+			authMethod: vaultConfig.authMethod
+		}, "Vault client created (lazy auth on first secret read)");
+	} catch (err) {
+		vaultError = err.message;
+		logger.error({ error: vaultError }, "Vault setup failed - continuing without vault");
+	}
 	logger.info({
 		serviceName,
 		serviceVersion,
@@ -897,37 +1045,45 @@ function createFoundation(input) {
 		...options,
 		foundation
 	}) };
+	const secretsModule = vaultClient;
 	const buildHealthStatus = () => {
 		const tracingUp = !features.tracing || !tracingError && require_tracing.isTracingEnabled();
 		const metricsUp = !features.metrics || !metricsError && isMetricsEnabled();
 		const loggingUp = !loggingError;
-		const allUp = tracingUp && metricsUp && loggingUp;
-		const allDown = (!tracingUp || !features.tracing) && (!metricsUp || !features.metrics) && !loggingUp;
+		const vaultUp = !features.vault || !vaultError && !!vaultClient;
+		const allUp = tracingUp && metricsUp && loggingUp && vaultUp;
+		const allDown = (!tracingUp || !features.tracing) && (!metricsUp || !features.metrics) && (!vaultUp || !features.vault) && !loggingUp;
 		let status = "healthy";
 		if (!allUp) status = allDown ? "unhealthy" : "degraded";
+		const components = {
+			tracing: {
+				enabled: features.tracing,
+				status: !features.tracing ? "disabled" : tracingError ? "down" : "up",
+				message: tracingError
+			},
+			metrics: {
+				enabled: features.metrics,
+				status: !features.metrics ? "disabled" : metricsError ? "down" : "up",
+				message: metricsError
+			},
+			logging: {
+				enabled: features.logging,
+				status: loggingError ? "down" : "up",
+				message: loggingError
+			}
+		};
+		if (features.vault) components.vault = {
+			enabled: true,
+			status: vaultError ? "down" : "up",
+			message: vaultError
+		};
 		return {
 			status,
 			timestamp: new Date().toISOString(),
 			service: serviceName,
 			version: serviceVersion,
 			uptime: Math.floor((Date.now() - startTime) / 1e3),
-			components: {
-				tracing: {
-					enabled: features.tracing,
-					status: !features.tracing ? "disabled" : tracingError ? "down" : "up",
-					message: tracingError
-				},
-				metrics: {
-					enabled: features.metrics,
-					status: !features.metrics ? "disabled" : metricsError ? "down" : "up",
-					message: metricsError
-				},
-				logging: {
-					enabled: features.logging,
-					status: loggingError ? "down" : "up",
-					message: loggingError
-				}
-			}
+			components
 		};
 	};
 	const shutdownFn = async () => {
@@ -935,6 +1091,7 @@ function createFoundation(input) {
 		const promises = [];
 		if (features.tracing && require_tracing.isTracingEnabled()) promises.push(require_tracing.shutdownTracing());
 		if (features.metrics && isMetricsEnabled()) promises.push(shutdownMetrics());
+		if (vaultClient) vaultClient.clearCache();
 		await Promise.all(promises);
 		logger.info({}, "Foundation shutdown complete");
 	};
@@ -967,6 +1124,7 @@ function createFoundation(input) {
 		observability,
 		http: httpModule,
 		lifecycle,
+		secrets: secretsModule,
 		logger,
 		context: contextManager,
 		fastifyPlugin: createObservabilityPlugin({
@@ -1324,6 +1482,9 @@ exports.RedactionConfigSchema = require_tracing.RedactionConfigSchema
 exports.RequestLoggingConfigSchema = require_tracing.RequestLoggingConfigSchema
 exports.ShutdownConfigSchema = require_tracing.ShutdownConfigSchema
 exports.SpanStatusCode = __opentelemetry_api.SpanStatusCode
+exports.VaultCacheConfigSchema = require_tracing.VaultCacheConfigSchema
+exports.VaultClient = VaultClient
+exports.VaultConfigSchema = require_tracing.VaultConfigSchema
 exports.buildPinoRedactConfig = buildPinoRedactConfig
 exports.context = __opentelemetry_api.context
 exports.createContextManager = createContextManager
@@ -1332,6 +1493,7 @@ exports.createFoundation = createFoundation
 exports.createHttpClient = createHttpClient
 exports.createLogger = createLogger
 exports.createObservabilityPlugin = createObservabilityPlugin
+exports.createVaultClient = createVaultClient
 exports.getActiveSpan = require_tracing.getActiveSpan
 exports.getDefaultOtelEndpoint = require_tracing.getDefaultOtelEndpoint
 exports.getGlobalLogger = getGlobalLogger