@clef-sh/broker 0.1.7-beta.45 → 0.1.11
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +73 -0
- package/package.json +1 -1
package/README.md
ADDED
@@ -0,0 +1,73 @@
|
|
|
1
|
+
# @clef-sh/broker
|
|
2
|
+
|
|
3
|
+
Runtime harness for [Clef](https://clef.sh) dynamic credential brokers. Write a `create()` function that generates credentials — the SDK handles age encryption, KMS wrapping, envelope construction, response caching, and graceful shutdown.
|
|
4
|
+
|
|
5
|
+
## Install
|
|
6
|
+
|
|
7
|
+
```bash
|
|
8
|
+
npm install @clef-sh/broker
|
|
9
|
+
```
|
|
10
|
+
|
|
11
|
+
## Quick start
|
|
12
|
+
|
|
13
|
+
```typescript
|
|
14
|
+
import { createHandler } from "@clef-sh/broker";
|
|
15
|
+
|
|
16
|
+
const broker = createHandler({
|
|
17
|
+
create: async (config) => ({
|
|
18
|
+
data: { DB_TOKEN: await generateRdsIamToken(config.DB_ENDPOINT) },
|
|
19
|
+
ttl: 900,
|
|
20
|
+
}),
|
|
21
|
+
});
|
|
22
|
+
|
|
23
|
+
// Lambda
|
|
24
|
+
export const handler = () => broker.invoke();
|
|
25
|
+
process.on("SIGTERM", () => broker.shutdown());
|
|
26
|
+
```
|
|
27
|
+
|
|
28
|
+
The broker works in any JavaScript context — Lambda, Cloud Functions, Azure Functions, containers, plain Node.
|
|
29
|
+
|
|
30
|
+
## Features
|
|
31
|
+
|
|
32
|
+
- **`createHandler()`** — returns a `BrokerInvoker` with `invoke()` and `shutdown()` methods
|
|
33
|
+
- **`serve()`** — convenience HTTP server wrapper for containers/VMs
|
|
34
|
+
- **`packEnvelope()`** — standalone envelope construction for advanced use
|
|
35
|
+
- **`validateBroker()`** — test harness for registry contributions
|
|
36
|
+
- **Response caching** — caches envelopes for 80% of TTL, matching the agent's polling schedule
|
|
37
|
+
- **Tier 2 revocation** — automatically calls `revoke()` on rotation and shutdown
|
|
38
|
+
- **Structured logging** — `onLog(level, message, context)` for observability
|
|
39
|
+
- **KMS envelope encryption** — AWS KMS, GCP Cloud KMS, Azure Key Vault
|
|
40
|
+
|
|
41
|
+
## Configuration
|
|
42
|
+
|
|
43
|
+
```bash
|
|
44
|
+
CLEF_BROKER_IDENTITY=api-gateway # Envelope identity
|
|
45
|
+
CLEF_BROKER_ENVIRONMENT=production # Envelope environment
|
|
46
|
+
CLEF_BROKER_KMS_PROVIDER=aws # aws | gcp | azure
|
|
47
|
+
CLEF_BROKER_KMS_KEY_ID=arn:aws:kms:... # KMS key for wrapping
|
|
48
|
+
|
|
49
|
+
# Handler config (prefix stripped, passed to create())
|
|
50
|
+
CLEF_BROKER_HANDLER_DB_ENDPOINT=mydb.cluster-abc.rds.amazonaws.com
|
|
51
|
+
CLEF_BROKER_HANDLER_DB_USER=clef_readonly
|
|
52
|
+
```
|
|
53
|
+
|
|
54
|
+
## Broker Registry
|
|
55
|
+
|
|
56
|
+
Browse and install ready-made broker templates:
|
|
57
|
+
|
|
58
|
+
```bash
|
|
59
|
+
clef search # List available brokers
|
|
60
|
+
clef install rds-iam # Download a broker template
|
|
61
|
+
```
|
|
62
|
+
|
|
63
|
+
Official brokers: [registry.clef.sh](https://registry.clef.sh)
|
|
64
|
+
|
|
65
|
+
## Documentation
|
|
66
|
+
|
|
67
|
+
- [Dynamic Secrets guide](https://docs.clef.sh/guide/dynamic-secrets)
|
|
68
|
+
- [Broker Registry](https://registry.clef.sh)
|
|
69
|
+
- [Contributing a broker](https://registry.clef.sh/contributing)
|
|
70
|
+
|
|
71
|
+
## License
|
|
72
|
+
|
|
73
|
+
MIT
|
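Review bot: The Quick start fence calls `generateRdsIamToken` without importing or defining it, so the snippet does not compile as pasted; either import it or say in the surrounding text that it stands in for the caller's own token generator. In the same fence, `process.on("SIGTERM", () => broker.shutdown());` is shown while the Features list states that Tier 2 revocation "automatically calls `revoke()` on rotation and shutdown", yet the `createHandler({...})` call passes only `create`; show the `revoke` hook alongside `create` or state that it is optional and skipped when absent, otherwise a reader will assume the example revokes anything. The Configuration block has a related gap: the intro says the SDK handles age encryption, but no variable in the block names the age recipient key, and the `CLEF_BROKER_HANDLER_*` values are described only as "prefix stripped, passed to create()"; document where the recipient comes from and whether handler values are treated as secrets or as plain configuration. Finally, `export const handler = () => broker.invoke();` discards the Lambda event and context, and `serve()` is described only as an HTTP wrapper, so the README should say how callers of `invoke()` and `serve()` are authenticated, or that the platform in front of the broker is expected to do it.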