@ciq-dev/neoiq-foundation-node 1.0.2 → 1.1.0-beta.0

package/dist/index.js

@@ -1,5 +1,5 @@
 "use strict";
-const require_tracing = require('./tracing-CMXNnEXN.js');
+const require_tracing = require('./tracing-MhJ1fEY_.js');
 const __opentelemetry_resources = require_tracing.__toESM(require("@opentelemetry/resources"));
 const __opentelemetry_semantic_conventions = require_tracing.__toESM(require("@opentelemetry/semantic-conventions"));
 const __opentelemetry_api = require_tracing.__toESM(require("@opentelemetry/api"));
@@ -734,109 +734,100 @@ function createHttpClient(options) {
 
 //#endregion
 //#region src/features/vault.ts
+const DEFAULTS = {
+	address: "https://vault.beta.commerceiq.ai",
+	authMethod: "kubernetes",
+	mountPoint: "secret",
+	tokenPath: "/var/run/secrets/kubernetes.io/serviceaccount/token",
+	k8sAuthMount: "kubernetes"
+};
+function stripSlashes(value) {
+	return value.replace(/^\/+|\/+$/g, "");
+}
 async function loadNodeVault() {
 	try {
 		const mod = await import("node-vault");
 		return mod.default ?? mod;
 	} catch {
-		throw new Error("node-vault is not installed. Install the optional peer dependency: npm install node-vault");
+		throw new Error("node-vault is not installed. Install it as a peer dependency: npm install node-vault");
 	}
 }
 var VaultClient = class {
-	client = null;
+	logger;
+	address;
+	authMethod;
+	role;
+	mountPoint;
+	tokenPath;
+	k8sAuthMount;
+	namespace;
 	clientPromise;
 	authenticated = false;
-	cache = new Map();
-	config;
-	logger;
-	cacheEnabled;
-	cacheTtlMs;
+	/** In-flight auth so concurrent getSecret() calls don't all trigger kubernetesLogin. */
+	authPromise = null;
 	constructor(options) {
-		this.config = {
-			address: "https://vault.beta.commerceiq.ai/",
-			authMethod: "kubernetes",
-			role: "",
-			mountPoint: "secret",
-			tokenPath: "/var/run/secrets/kubernetes.io/serviceaccount/token",
-			...options.config
-		};
 		this.logger = options.logger;
-		this.cacheEnabled = this.config.cache?.enabled !== false;
-		this.cacheTtlMs = (this.config.cache?.ttlSeconds ?? 300) * 1e3;
-		this.clientPromise = this.initClient();
-	}
-	async initClient() {
-		const nodeVault = await loadNodeVault();
-		const client = nodeVault({
+		const cfg = options.config;
+		this.address = (cfg.address ?? DEFAULTS.address).replace(/\/+$/, "");
+		this.authMethod = cfg.authMethod ?? DEFAULTS.authMethod;
+		this.role = cfg.role;
+		this.mountPoint = stripSlashes(cfg.mountPoint ?? DEFAULTS.mountPoint);
+		this.tokenPath = cfg.tokenPath ?? DEFAULTS.tokenPath;
+		this.k8sAuthMount = cfg.k8sAuthMount ?? DEFAULTS.k8sAuthMount;
+		this.namespace = cfg.namespace;
+		const factory = options.nodeVaultFactory ? Promise.resolve(options.nodeVaultFactory) : loadNodeVault();
+		this.clientPromise = factory.then((create) => create({
 			apiVersion: "v1",
-			endpoint: this.config.address,
-			namespace: this.config.namespace
-		});
-		this.client = client;
-		return client;
+			endpoint: this.address,
+			namespace: this.namespace
+		}));
 	}
 	async authenticate() {
 		if (this.authenticated) return;
+		if (this.authPromise) return this.authPromise;
+		this.authPromise = this.doAuthenticate().finally(() => {
+			if (!this.authenticated) this.authPromise = null;
+		});
+		return this.authPromise;
+	}
+	async doAuthenticate() {
 		const client = await this.clientPromise;
-		if (this.config.authMethod === "token") {
+		if (this.authMethod === "token") {
 			const token = process.env.VAULT_TOKEN;
-			if (!token) throw new Error("VAULT_TOKEN environment variable is required for token-based authentication");
+			if (!token) throw new Error("VAULT_TOKEN env var is required for token auth");
 			client.token = token;
 			this.authenticated = true;
 			this.logger.info({ authMethod: "token" }, "Vault authenticated via token");
 			return;
 		}
-		const role = this.config.role;
-		if (!role) throw new Error("Vault role is required for Kubernetes authentication. Set vault.role in config or VAULT_AUTH_ROLE env var.");
+		if (!this.role) throw new Error("Vault role is required for Kubernetes auth (set vault.role or VAULT_AUTH_ROLE)");
 		let jwt;
 		try {
-			jwt = await (0, node_fs_promises.readFile)(this.config.tokenPath, "utf8");
+			jwt = await (0, node_fs_promises.readFile)(this.tokenPath, "utf8");
 		} catch (err) {
-			const message = err instanceof Error ? err.message : String(err);
-			throw new Error(`Failed to read Kubernetes service account token from ${this.config.tokenPath}: ${message}`);
+			const msg = err instanceof Error ? err.message : String(err);
+			throw new Error(`Failed to read service-account token at ${this.tokenPath}: ${msg}`);
 		}
 		const result = await client.kubernetesLogin({
-			role,
-			jwt
+			role: this.role,
+			jwt,
+			mount_point: this.k8sAuthMount
 		});
 		client.token = result.auth.client_token;
 		this.authenticated = true;
 		this.logger.info({
 			authMethod: "kubernetes",
-			role,
+			role: this.role,
 			leaseDuration: result.auth.lease_duration
 		}, "Vault authenticated via Kubernetes service account");
 	}
 	async getSecret(path) {
-		const cacheKey = path;
-		if (this.cacheEnabled) {
-			const cached = this.cache.get(cacheKey);
-			if (cached && cached.expiresAt > Date.now()) {
-				this.logger.debug({
-					path,
-					cache: "hit"
-				}, "Vault secret cache hit");
-				return cached.data;
-			}
-		}
 		await this.authenticate();
 		const client = await this.clientPromise;
-		const fullPath = `${this.config.mountPoint}/data/${path}`;
+		const fullPath = `${this.mountPoint}/data/${stripSlashes(path)}`;
 		this.logger.debug({ path: fullPath }, "Reading secret from Vault");
 		const response = await client.read(fullPath);
-		const data = response.data.data;
-		if (this.cacheEnabled) {
-			this.cache.set(cacheKey, {
-				data,
-				expiresAt: Date.now() + this.cacheTtlMs
-			});
-			this.logger.debug({
-				path,
-				cache: "miss",
-				ttlMs: this.cacheTtlMs
-			}, "Vault secret cached");
-		}
-		return data;
+		return response.data.data;
 	}
 	async getSecretValue(path, key) {
 		const secrets = await this.getSecret(path);
@@ -845,10 +836,6 @@ var VaultClient = class {
 	isAuthenticated() {
 		return this.authenticated;
 	}
-	clearCache() {
-		this.cache.clear();
-		this.logger.debug({}, "Vault secret cache cleared");
-	}
 	async checkHealth() {
 		try {
 			await this.authenticate();
@@ -879,12 +866,11 @@ function warnDeprecation(oldPath, newPath, logger) {
 function createFoundation(input) {
 	const startTime = Date.now();
 	const config = require_tracing.parseConfig(input);
-	const { serviceName, serviceVersion, environment, features: featuresConfig, otel, logging: loggingConfig, requestLogging: requestLoggingConfig, redaction: redactionConfig, shutdown: shutdownConfig, vault: vaultConfig } = config;
+	const { serviceName, serviceVersion, environment, features: featuresConfig, otel, logging: loggingConfig, requestLogging: requestLoggingConfig, redaction: redactionConfig, shutdown: shutdownConfig } = config;
 	const features = {
 		tracing: featuresConfig.tracing ?? true,
 		metrics: featuresConfig.metrics ?? true,
-		logging: featuresConfig.logging ?? true,
-		vault: vaultConfig.enabled ?? false
+		logging: featuresConfig.logging ?? true
 	};
 	const contextManager = createContextManager();
 	let logger;
@@ -962,22 +948,6 @@ function createFoundation(input) {
 		metricsError = err.message;
 		logger.error({ error: metricsError }, "Metrics setup failed - continuing without metrics");
 	}
-	let vaultClient = null;
-	let vaultError;
-	if (features.vault) try {
-		vaultClient = createVaultClient({
-			config: vaultConfig,
-			logger
-		});
-		logger.info({
-			feature: "vault",
-			address: vaultConfig.address,
-			authMethod: vaultConfig.authMethod
-		}, "Vault client created (lazy auth on first secret read)");
-	} catch (err) {
-		vaultError = err.message;
-		logger.error({ error: vaultError }, "Vault setup failed - continuing without vault");
-	}
 	logger.info({
 		serviceName,
 		serviceVersion,
@@ -1045,45 +1015,50 @@ function createFoundation(input) {
 		...options,
 		foundation
 	}) };
-	const secretsModule = vaultClient;
+	let secrets = null;
+	if (config.vault?.enabled) try {
+		secrets = createVaultClient({
+			config: config.vault,
+			logger
+		});
+		logger.info({
+			address: config.vault.address,
+			authMethod: config.vault.authMethod
+		}, "Vault secrets module initialized");
+	} catch (err) {
+		logger.error({ error: err.message }, "Vault initialization failed - continuing without secrets");
+	}
 	const buildHealthStatus = () => {
 		const tracingUp = !features.tracing || !tracingError && require_tracing.isTracingEnabled();
 		const metricsUp = !features.metrics || !metricsError && isMetricsEnabled();
 		const loggingUp = !loggingError;
-		const vaultUp = !features.vault || !vaultError && !!vaultClient;
-		const allUp = tracingUp && metricsUp && loggingUp && vaultUp;
-		const allDown = (!tracingUp || !features.tracing) && (!metricsUp || !features.metrics) && (!vaultUp || !features.vault) && !loggingUp;
+		const allUp = tracingUp && metricsUp && loggingUp;
+		const allDown = (!tracingUp || !features.tracing) && (!metricsUp || !features.metrics) && !loggingUp;
 		let status = "healthy";
 		if (!allUp) status = allDown ? "unhealthy" : "degraded";
-		const components = {
-			tracing: {
-				enabled: features.tracing,
-				status: !features.tracing ? "disabled" : tracingError ? "down" : "up",
-				message: tracingError
-			},
-			metrics: {
-				enabled: features.metrics,
-				status: !features.metrics ? "disabled" : metricsError ? "down" : "up",
-				message: metricsError
-			},
-			logging: {
-				enabled: features.logging,
-				status: loggingError ? "down" : "up",
-				message: loggingError
-			}
-		};
-		if (features.vault) components.vault = {
-			enabled: true,
-			status: vaultError ? "down" : "up",
-			message: vaultError
-		};
 		return {
 			status,
 			timestamp: new Date().toISOString(),
 			service: serviceName,
 			version: serviceVersion,
 			uptime: Math.floor((Date.now() - startTime) / 1e3),
-			components
+			components: {
+				tracing: {
+					enabled: features.tracing,
+					status: !features.tracing ? "disabled" : tracingError ? "down" : "up",
+					message: tracingError
+				},
+				metrics: {
+					enabled: features.metrics,
+					status: !features.metrics ? "disabled" : metricsError ? "down" : "up",
+					message: metricsError
+				},
+				logging: {
+					enabled: features.logging,
+					status: loggingError ? "down" : "up",
+					message: loggingError
+				}
+			}
 		};
 	};
 	const shutdownFn = async () => {
@@ -1091,7 +1066,6 @@ function createFoundation(input) {
 		const promises = [];
 		if (features.tracing && require_tracing.isTracingEnabled()) promises.push(require_tracing.shutdownTracing());
 		if (features.metrics && isMetricsEnabled()) promises.push(shutdownMetrics());
-		if (vaultClient) vaultClient.clearCache();
 		await Promise.all(promises);
 		logger.info({}, "Foundation shutdown complete");
 	};
@@ -1124,7 +1098,7 @@ function createFoundation(input) {
 		observability,
 		http: httpModule,
 		lifecycle,
-		secrets: secretsModule,
+		secrets,
 		logger,
 		context: contextManager,
 		fastifyPlugin: createObservabilityPlugin({
@@ -1482,7 +1456,6 @@ exports.RedactionConfigSchema = require_tracing.RedactionConfigSchema
 exports.RequestLoggingConfigSchema = require_tracing.RequestLoggingConfigSchema
 exports.ShutdownConfigSchema = require_tracing.ShutdownConfigSchema
 exports.SpanStatusCode = __opentelemetry_api.SpanStatusCode
-exports.VaultCacheConfigSchema = require_tracing.VaultCacheConfigSchema
 exports.VaultClient = VaultClient
 exports.VaultConfigSchema = require_tracing.VaultConfigSchema
 exports.buildPinoRedactConfig = buildPinoRedactConfig