@clef-sh/runtime 0.1.6-beta.32 → 0.1.12
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +65 -0
- package/dist/artifact-decryptor.d.ts +47 -0
- package/dist/artifact-decryptor.d.ts.map +1 -0
- package/dist/artifact-decryptor.js +151 -0
- package/dist/artifact-decryptor.js.map +1 -0
- package/dist/decrypt.d.ts.map +1 -1
- package/dist/decrypt.js +3 -1
- package/dist/decrypt.js.map +1 -1
- package/dist/disk-cache.d.ts +1 -0
- package/dist/disk-cache.d.ts.map +1 -1
- package/dist/disk-cache.js +5 -10
- package/dist/disk-cache.js.map +1 -1
- package/dist/encrypted-artifact-store.d.ts +27 -0
- package/dist/encrypted-artifact-store.d.ts.map +1 -0
- package/dist/encrypted-artifact-store.js +46 -0
- package/dist/encrypted-artifact-store.js.map +1 -0
- package/dist/index.d.ts +9 -0
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +10 -1
- package/dist/index.js.map +1 -1
- package/dist/kms/aws.d.ts +1 -0
- package/dist/kms/aws.d.ts.map +1 -1
- package/dist/kms/aws.js +14 -0
- package/dist/kms/aws.js.map +1 -1
- package/dist/kms/types.d.ts +2 -0
- package/dist/kms/types.d.ts.map +1 -1
- package/dist/poller.d.ts +47 -6
- package/dist/poller.d.ts.map +1 -1
- package/dist/poller.js +141 -71
- package/dist/poller.js.map +1 -1
- package/dist/secrets-cache.d.ts +1 -1
- package/dist/secrets-cache.d.ts.map +1 -1
- package/dist/secrets-cache.js +13 -1
- package/dist/secrets-cache.js.map +1 -1
- package/dist/signature.d.ts +44 -0
- package/dist/signature.d.ts.map +1 -0
- package/dist/signature.js +93 -0
- package/dist/signature.js.map +1 -0
- package/dist/sources/http.d.ts.map +1 -1
- package/dist/sources/http.js +12 -2
- package/dist/sources/http.js.map +1 -1
- package/package.json +1 -1
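--- a/package/README.md
+++ b/package/README.md
@@ -0,0 +1,65 @@
+# @clef-sh/runtime
+
+Lightweight runtime secrets engine for [Clef](https://clef.sh). Fetches packed artifacts from VCS APIs, HTTP endpoints, or local files, decrypts with age (or KMS envelope encryption), and serves secrets from an in-memory cache.
+
+Designed for production deployment with minimal dependencies. No SOPS binary, no git dependency, no plaintext on disk.
+
+## Install
+
+```bash
+npm install @clef-sh/runtime
+```
+
+## Usage
+
+```typescript
+import { ClefRuntime } from "@clef-sh/runtime";
+
+const runtime = new ClefRuntime({
+source: "https://my-bucket.s3.amazonaws.com/clef/api-gateway/production.age.json",
+// KMS envelope artifacts need no age key — the runtime calls kms:Decrypt
+// For age-only artifacts:
+// ageKey: "AGE-SECRET-KEY-1...",
+});
+
+await runtime.start();
+runtime.startPolling();
+
+// Read secrets
+const dbUrl = runtime.get("DB_URL");
+const all = runtime.getAll();
+```
+
+## Features
+
+- **VCS providers**: GitHub, GitLab, Bitbucket — fetch artifacts directly from git repos
+- **HTTP/file sources**: Fetch from S3, CDN, or local file paths
+- **KMS envelope encryption**: AWS KMS, GCP Cloud KMS, Azure Key Vault — no static age key needed
+- **Adaptive polling**: Refreshes at 80% of artifact TTL, content-hash short-circuit skips unnecessary decryption
+- **Resilient caching**: In-memory primary cache with optional encrypted disk fallback
+- **Revocation**: Detects `revokedAt` field and wipes cache immediately
+
+## KMS Providers
+
+KMS SDKs are optional dependencies — install only the one you need:
+
+```bash
+# AWS KMS
+npm install @aws-sdk/client-kms
+
+# GCP Cloud KMS
+npm install @google-cloud/kms
+
+# Azure Key Vault
+npm install @azure/identity @azure/keyvault-keys
+```
+
+## Documentation
+
+- [Runtime Agent guide](https://docs.clef.sh/guide/agent)
+- [Dynamic Secrets guide](https://docs.clef.sh/guide/dynamic-secrets)
+- [API reference](https://docs.clef.sh/api/)
+
+## License
+
+MIT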
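--- a/package/dist/artifact-decryptor.d.ts
+++ b/package/dist/artifact-decryptor.d.ts
@@ -0,0 +1,47 @@
+import { TelemetryEmitter } from "./telemetry";
+import type { ArtifactEnvelope } from "./poller";
+/** Result of decrypting an artifact envelope. */
+export interface DecryptedArtifact {
+values: Record<string, string>;
+keys: string[];
+revision: string;
+}
+export interface ArtifactDecryptorOptions {
+/** Age private key string. Optional for KMS envelope artifacts. */
+privateKey?: string;
+/** Optional telemetry emitter for decrypt error reporting. */
+telemetry?: TelemetryEmitter;
+}
+/**
+* Decrypts artifact envelopes into plaintext key-value pairs.
+*
+* Supports two paths:
+* - **KMS envelope**: unwrap DEK via cloud KMS, then AES-256-GCM decrypt
+* - **Age-only**: decrypt via the age private key
+*
+* The caller is responsible for validation (version, integrity, signature,
+* expiry). This module handles only the cryptographic decryption and JSON
+* parsing of the resulting plaintext.
+*/
+export declare class ArtifactDecryptor {
+private readonly ageDecryptor;
+private readonly privateKey?;
+private telemetryOverride?;
+private readonly initialTelemetry?;
+constructor(options: ArtifactDecryptorOptions);
+/** Set or replace the telemetry emitter. */
+setTelemetry(emitter: TelemetryEmitter): void;
+private get telemetry();
+/**
+* Decrypt an artifact envelope into plaintext key-value pairs.
+*
+* @throws On KMS unwrap failure, AES-GCM auth failure, age decrypt failure,
+* missing private key (config error), or malformed plaintext JSON.
+*/
+decrypt(artifact: ArtifactEnvelope): Promise<DecryptedArtifact>;
+/** KMS envelope: unwrap DEK via KMS, then AES-256-GCM decrypt. */
+private decryptKmsEnvelope;
+/** Age-only: decrypt with the static private key. */
+private decryptAge;
+}
+//# sourceMappingURL=artifact-decryptor.d.ts.map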
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"artifact-decryptor.d.ts","sourceRoot":"","sources":["../src/artifact-decryptor.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAC/C,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,UAAU,CAAC;AAEjD,iDAAiD;AACjD,MAAM,WAAW,iBAAiB;IAChC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC/B,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,wBAAwB;IACvC,mEAAmE;IACnE,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,8DAA8D;IAC9D,SAAS,CAAC,EAAE,gBAAgB,CAAC;CAC9B;AAED;;;;;;;;;;GAUG;AACH,qBAAa,iBAAiB;IAC5B,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAsB;IACnD,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAS;IACrC,OAAO,CAAC,iBAAiB,CAAC,CAAmB;IAC7C,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAC,CAAmB;gBAEzC,OAAO,EAAE,wBAAwB;IAK7C,4CAA4C;IAC5C,YAAY,CAAC,OAAO,EAAE,gBAAgB,GAAG,IAAI;IAI7C,OAAO,KAAK,SAAS,GAEpB;IAED;;;;;OAKG;IACG,OAAO,CAAC,QAAQ,EAAE,gBAAgB,GAAG,OAAO,CAAC,iBAAiB,CAAC;IAyBrE,kEAAkE;YACpD,kBAAkB;IAiChC,qDAAqD;YACvC,UAAU;CAkBzB"}
|
|
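--- a/package/dist/artifact-decryptor.js
+++ b/package/dist/artifact-decryptor.js
@@ -0,0 +1,151 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+if (k2 === undefined) k2 = k;
+var desc = Object.getOwnPropertyDescriptor(m, k);
+if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+desc = { enumerable: true, get: function() { return m[k]; } };
+}
+Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+if (k2 === undefined) k2 = k;
+o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+var ownKeys = function(o) {
+ownKeys = Object.getOwnPropertyNames || function (o) {
+var ar = [];
+for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+return ar;
+};
+return ownKeys(o);
+};
+return function (mod) {
+if (mod && mod.__esModule) return mod;
+var result = {};
+if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+__setModuleDefault(result, mod);
+return result;
+};
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ArtifactDecryptor = void 0;
+const crypto = __importStar(require("crypto"));
+const decrypt_1 = require("./decrypt");
+const kms_1 = require("./kms");
+/**
+* Decrypts artifact envelopes into plaintext key-value pairs.
+*
+* Supports two paths:
+* - **KMS envelope**: unwrap DEK via cloud KMS, then AES-256-GCM decrypt
+* - **Age-only**: decrypt via the age private key
+*
+* The caller is responsible for validation (version, integrity, signature,
+* expiry). This module handles only the cryptographic decryption and JSON
+* parsing of the resulting plaintext.
+*/
+class ArtifactDecryptor {
+ageDecryptor = new decrypt_1.AgeDecryptor();
+privateKey;
+telemetryOverride;
+initialTelemetry;
+constructor(options) {
+this.privateKey = options.privateKey;
+this.initialTelemetry = options.telemetry;
+}
+/** Set or replace the telemetry emitter. */
+setTelemetry(emitter) {
+this.telemetryOverride = emitter;
+}
+get telemetry() {
+return this.telemetryOverride ?? this.initialTelemetry;
+}
+/**
+* Decrypt an artifact envelope into plaintext key-value pairs.
+*
+* @throws On KMS unwrap failure, AES-GCM auth failure, age decrypt failure,
+* missing private key (config error), or malformed plaintext JSON.
+*/
+async decrypt(artifact) {
+let plaintext;
+if (artifact.envelope) {
+plaintext = await this.decryptKmsEnvelope(artifact);
+}
+else {
+plaintext = await this.decryptAge(artifact);
+}
+let values;
+try {
+values = JSON.parse(plaintext);
+}
+catch (err) {
+this.telemetry?.artifactInvalid({
+reason: "payload_parse",
+error: err instanceof Error ? err.message : String(err),
+});
+throw err;
+}
+finally {
+plaintext = "";
+}
+return { values, keys: artifact.keys, revision: artifact.revision };
+}
+/** KMS envelope: unwrap DEK via KMS, then AES-256-GCM decrypt. */
+async decryptKmsEnvelope(artifact) {
+const envelope = artifact.envelope;
+let dek;
+try {
+const kms = (0, kms_1.createKmsProvider)(envelope.provider);
+const wrappedKey = Buffer.from(envelope.wrappedKey, "base64");
+dek = await kms.unwrap(envelope.keyId, wrappedKey, envelope.algorithm);
+}
+catch (err) {
+this.telemetry?.artifactInvalid({
+reason: "kms_unwrap",
+error: err instanceof Error ? err.message : String(err),
+});
+throw err;
+}
+try {
+const iv = Buffer.from(envelope.iv, "base64");
+const authTag = Buffer.from(envelope.authTag, "base64");
+const ciphertextBuf = Buffer.from(artifact.ciphertext, "base64");
+const decipher = crypto.createDecipheriv("aes-256-gcm", dek, iv);
+decipher.setAuthTag(authTag);
+return Buffer.concat([decipher.update(ciphertextBuf), decipher.final()]).toString("utf-8");
+}
+catch (err) {
+this.telemetry?.artifactInvalid({
+reason: "decrypt",
+error: err instanceof Error ? err.message : String(err),
+});
+throw err;
+}
+finally {
+dek.fill(0);
+}
+}
+/** Age-only: decrypt with the static private key. */
+async decryptAge(artifact) {
+if (!this.privateKey) {
+// Config error — NOT an artifact.invalid event
+throw new Error("Artifact requires an age private key. Set CLEF_AGENT_AGE_KEY or use KMS envelope encryption.");
+}
+try {
+return await this.ageDecryptor.decrypt(artifact.ciphertext, this.privateKey);
+}
+catch (err) {
+this.telemetry?.artifactInvalid({
+reason: err instanceof SyntaxError ? "payload_parse" : "decrypt",
+error: err instanceof Error ? err.message : String(err),
+});
+throw err;
+}
+}
+}
+exports.ArtifactDecryptor = ArtifactDecryptor;
+//# sourceMappingURL=artifact-decryptor.js.map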
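Review bot: In `decryptKmsEnvelope` the artifact-supplied `authTag` goes to `decipher.setAuthTag()` with no fixed tag length, and Node's GCM decipher accepts shorter tags when `authTagLength` is not given (this only became a hard error with the DEP0182 change on recent releases), so an attacker who can rewrite the envelope can shrink the tag and weaken forgery resistance; use `crypto.createDecipheriv("aes-256-gcm", dek, iv, { authTagLength: 16 })` and reject `iv.length !== 12` before decrypting. On the `return { values, keys: artifact.keys, revision: artifact.revision }` line the `keys` list is copied from the unencrypted envelope metadata rather than derived from the decrypted object, and `provider`/`keyId` are likewise chosen by the artifact, so with no `verifyKey` configured nothing binds any of them to the ciphertext; deriving `keys` from `Object.keys(values)` (or asserting equality) and pinning the expected KMS key id in configuration would close that. `JSON.parse(plaintext)` is also accepted without checking that it produced a plain object of string values, so a non-object payload flows into `values` typed as `Record<string, string>`; a `typeof values === "object" && values !== null && !Array.isArray(values)` guard that reports `payload_parse` keeps the contract honest.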
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"artifact-decryptor.js","sourceRoot":"","sources":["../src/artifact-decryptor.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,+CAAiC;AACjC,uCAAyC;AACzC,+BAA0C;AAkB1C;;;;;;;;;;GAUG;AACH,MAAa,iBAAiB;IACX,YAAY,GAAG,IAAI,sBAAY,EAAE,CAAC;IAClC,UAAU,CAAU;IAC7B,iBAAiB,CAAoB;IAC5B,gBAAgB,CAAoB;IAErD,YAAY,OAAiC;QAC3C,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;QACrC,IAAI,CAAC,gBAAgB,GAAG,OAAO,CAAC,SAAS,CAAC;IAC5C,CAAC;IAED,4CAA4C;IAC5C,YAAY,CAAC,OAAyB;QACpC,IAAI,CAAC,iBAAiB,GAAG,OAAO,CAAC;IACnC,CAAC;IAED,IAAY,SAAS;QACnB,OAAO,IAAI,CAAC,iBAAiB,IAAI,IAAI,CAAC,gBAAgB,CAAC;IACzD,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,OAAO,CAAC,QAA0B;QACtC,IAAI,SAAiB,CAAC;QAEtB,IAAI,QAAQ,CAAC,QAAQ,EAAE,CAAC;YACtB,SAAS,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAAC,QAAQ,CAAC,CAAC;QACtD,CAAC;aAAM,CAAC;YACN,SAAS,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;QAC9C,CAAC;QAED,IAAI,MAA8B,CAAC;QACnC,IAAI,CAAC;YACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;QACjC,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,CAAC,SAAS,EAAE,eAAe,CAAC;gBAC9B,MAAM,EAAE,eAAe;gBACvB,KAAK,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;aACxD,CAAC,CAAC;YACH,MAAM,GAAG,CAAC;QACZ,CAAC;gBAAS,CAAC;YACT,SAAS,GAAG,EAAE,CAAC;QACjB,CAAC;QAED,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,QAAQ,CAAC,IAAI,EAAE,QAAQ,EAAE,QAAQ,CAAC,QAAQ,EAAE,CAAC;IACtE,CAAC;IAED,kEAAkE;IAC1D,KAAK,CAAC,kBAAkB,CAAC,QAA0B;QACzD,MAAM,QAAQ,GAAG,QAAQ,CAAC,QAAS,CAAC;QACpC,IAAI,GAAW,CAAC;QAChB,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,IAAA,uBAAiB,EAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;YACjD,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC;YAC9D,GAAG,GAAG,MAAM,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,EAAE,UAAU,EAAE,QAAQ,CAAC,SAAS,CAAC,CAAC;QACzE,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,CAAC,SAAS,EAAE,eAAe,CAAC;gBAC9B,MAAM,EAAE,YAAY;gBACpB,KAAK,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;aACxD,CAAC,CAAC;YACH,MAAM,GAAG,CAAC;QACZ,CAAC;QAED,IAAI,CAAC;YACH,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,EAA
E,QAAQ,CAAC,CAAC;YAC9C,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;YACxD,MAAM,aAAa,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC;YACjE,MAAM,QAAQ,GAAG,MAAM,CAAC,gBAAgB,CAAC,aAAa,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;YACjE,QAAQ,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;YAC7B,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,aAAa,CAAC,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QAC7F,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,CAAC,SAAS,EAAE,eAAe,CAAC;gBAC9B,MAAM,EAAE,SAAS;gBACjB,KAAK,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;aACxD,CAAC,CAAC;YACH,MAAM,GAAG,CAAC;QACZ,CAAC;gBAAS,CAAC;YACT,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACd,CAAC;IACH,CAAC;IAED,qDAAqD;IAC7C,KAAK,CAAC,UAAU,CAAC,QAA0B;QACjD,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC;YACrB,+CAA+C;YAC/C,MAAM,IAAI,KAAK,CACb,8FAA8F,CAC/F,CAAC;QACJ,CAAC;QAED,IAAI,CAAC;YACH,OAAO,MAAM,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,QAAQ,CAAC,UAAU,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;QAC/E,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,CAAC,SAAS,EAAE,eAAe,CAAC;gBAC9B,MAAM,EAAE,GAAG,YAAY,WAAW,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,SAAS;gBAChE,KAAK,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;aACxD,CAAC,CAAC;YACH,MAAM,GAAG,CAAC;QACZ,CAAC;IACH,CAAC;CACF;AAxGD,8CAwGC"}
|
package/dist/decrypt.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"decrypt.d.ts","sourceRoot":"","sources":["../src/decrypt.ts"],"names":[],"mappings":"AAEA;;;;;GAKG;AACH,qBAAa,YAAY;IACvB;;;;;;OAMG;IACG,OAAO,CAAC,UAAU,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;
|
|
1
|
+
{"version":3,"file":"decrypt.d.ts","sourceRoot":"","sources":["../src/decrypt.ts"],"names":[],"mappings":"AAEA;;;;;GAKG;AACH,qBAAa,YAAY;IACvB;;;;;;OAMG;IACG,OAAO,CAAC,UAAU,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAWtE;;;;;;OAMG;IACH,UAAU,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM,GAAG,MAAM;CAazD"}
|
package/dist/decrypt.js
CHANGED
|
@@ -54,7 +54,9 @@ class AgeDecryptor {
|
|
|
54
54
|
const { Decrypter } = await Promise.resolve(`${"age-encryption"}`).then(s => __importStar(require(s)));
|
|
55
55
|
const d = new Decrypter();
|
|
56
56
|
d.addIdentity(privateKey);
|
|
57
|
-
|
|
57
|
+
// Ciphertext is base64-encoded binary age format. Decode to bytes
|
|
58
|
+
// before passing to the age library.
|
|
59
|
+
return d.decrypt(Buffer.from(ciphertext, "base64"), "text");
|
|
58
60
|
}
|
|
59
61
|
/**
|
|
60
62
|
* Resolve the age private key from either an inline value or a file path.
|
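Review bot: `Buffer.from(ciphertext, "base64")` on the new return line is lenient — characters outside the base64 alphabet are skipped and a trailing partial group is dropped — so a truncated or corrupted artifact is silently turned into a shorter buffer and surfaces only as an age decryption failure, indistinguishable in telemetry from a wrong key. A cheap check before the call gives a precise error and keeps garbage away from the age parser: `const bytes = Buffer.from(ciphertext, "base64"); if (!bytes.subarray(0, 21).equals(Buffer.from("age-encryption.org/v1"))) throw new Error("ciphertext is not a binary age v1 stream");`. If any artifacts produced by earlier tooling carried the ciphertext in another encoding, this change also rejects them; I cannot tell from the removed line (its content is not shown here) whether that is the case, so a changelog note would help operators. The enclosing `decrypt` method starts before the hunk.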
package/dist/decrypt.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"decrypt.js","sourceRoot":"","sources":["../src/decrypt.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,uCAAyB;AAEzB;;;;;GAKG;AACH,MAAa,YAAY;IACvB;;;;;;OAMG;IACH,KAAK,CAAC,OAAO,CAAC,UAAkB,EAAE,UAAkB;QAClD,gHAAgH;QAChH,MAAM,EAAE,SAAS,EAAE,GAAG,yBAAa,gBAAuB,uCAAC,CAAC;QAC5D,MAAM,CAAC,GAAG,IAAI,SAAS,EAAE,CAAC;QAC1B,CAAC,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC;
|
|
1
|
+
{"version":3,"file":"decrypt.js","sourceRoot":"","sources":["../src/decrypt.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,uCAAyB;AAEzB;;;;;GAKG;AACH,MAAa,YAAY;IACvB;;;;;;OAMG;IACH,KAAK,CAAC,OAAO,CAAC,UAAkB,EAAE,UAAkB;QAClD,gHAAgH;QAChH,MAAM,EAAE,SAAS,EAAE,GAAG,yBAAa,gBAAuB,uCAAC,CAAC;QAC5D,MAAM,CAAC,GAAG,IAAI,SAAS,EAAE,CAAC;QAC1B,CAAC,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC;QAE1B,kEAAkE;QAClE,qCAAqC;QACrC,OAAO,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,QAAQ,CAAC,EAAE,MAAM,CAAC,CAAC;IAC9D,CAAC;IAED;;;;;;OAMG;IACH,UAAU,CAAC,MAAe,EAAE,UAAmB;QAC7C,IAAI,MAAM;YAAE,OAAO,MAAM,CAAC,IAAI,EAAE,CAAC;QACjC,IAAI,UAAU,EAAE,CAAC;YACf,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC;YAC5D,mEAAmE;YACnE,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,iBAAiB,CAAC,CAAC,CAAC;YACjF,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACvB,MAAM,IAAI,KAAK,CAAC,oCAAoC,UAAU,EAAE,CAAC,CAAC;YACpE,CAAC;YACD,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QACzB,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,8DAA8D,CAAC,CAAC;IAClF,CAAC;CACF;AAvCD,oCAuCC"}
|
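--- a/package/dist/disk-cache.d.ts
+++ b/package/dist/disk-cache.d.ts
@@ -16,6 +16,7 @@ export declare class DiskCache {
 getCachedSha(): string | undefined;
 /** Get the fetchedAt timestamp from metadata, if available. */
 getFetchedAt(): string | undefined;
+private readMeta;
 /** Remove cached artifact and metadata files. */
 purge(): void;
 }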
package/dist/disk-cache.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"disk-cache.d.ts","sourceRoot":"","sources":["../src/disk-cache.ts"],"names":[],"mappings":"AAQA;;;;;GAKG;AACH,qBAAa,SAAS;IACpB,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAS;IACtC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAS;gBAEtB,SAAS,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM;IAMpE,+EAA+E;IAC/E,KAAK,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,CAAC,EAAE,MAAM,GAAG,IAAI;IActC,sEAAsE;IACtE,IAAI,IAAI,MAAM,GAAG,IAAI;IAQrB,0DAA0D;IAC1D,YAAY,IAAI,MAAM,GAAG,SAAS;
|
|
1
|
+
{"version":3,"file":"disk-cache.d.ts","sourceRoot":"","sources":["../src/disk-cache.ts"],"names":[],"mappings":"AAQA;;;;;GAKG;AACH,qBAAa,SAAS;IACpB,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAS;IACtC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAS;gBAEtB,SAAS,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM;IAMpE,+EAA+E;IAC/E,KAAK,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,CAAC,EAAE,MAAM,GAAG,IAAI;IActC,sEAAsE;IACtE,IAAI,IAAI,MAAM,GAAG,IAAI;IAQrB,0DAA0D;IAC1D,YAAY,IAAI,MAAM,GAAG,SAAS;IAIlC,+DAA+D;IAC/D,YAAY,IAAI,MAAM,GAAG,SAAS;IAIlC,OAAO,CAAC,QAAQ;IAShB,iDAAiD;IACjD,KAAK,IAAI,IAAI;CAYd"}
|
package/dist/disk-cache.js
CHANGED
|
@@ -73,21 +73,16 @@ class DiskCache {
|
|
|
73
73
|
}
|
|
74
74
|
/** Get the SHA from the cached metadata, if available. */
|
|
75
75
|
getCachedSha() {
|
|
76
|
-
|
|
77
|
-
const raw = fs.readFileSync(this.metaPath, "utf-8");
|
|
78
|
-
const meta = JSON.parse(raw);
|
|
79
|
-
return meta.sha;
|
|
80
|
-
}
|
|
81
|
-
catch {
|
|
82
|
-
return undefined;
|
|
83
|
-
}
|
|
76
|
+
return this.readMeta()?.sha;
|
|
84
77
|
}
|
|
85
78
|
/** Get the fetchedAt timestamp from metadata, if available. */
|
|
86
79
|
getFetchedAt() {
|
|
80
|
+
return this.readMeta()?.fetchedAt;
|
|
81
|
+
}
|
|
82
|
+
readMeta() {
|
|
87
83
|
try {
|
|
88
84
|
const raw = fs.readFileSync(this.metaPath, "utf-8");
|
|
89
|
-
|
|
90
|
-
return meta.fetchedAt;
|
|
85
|
+
return JSON.parse(raw);
|
|
91
86
|
}
|
|
92
87
|
catch {
|
|
93
88
|
return undefined;
|
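Review bot: `readMeta()` returns whatever `JSON.parse(raw)` produced with no shape check, and its bare `catch` swallows every error (EACCES, EISDIR, not just a missing file), so a corrupt or unreadable metadata file quietly reads as "no cache" and the SHA-based refresh short-circuit that presumably consumes `getCachedSha()` stops working without any signal. Because the sidecar is plain UTF-8 JSON read with `readFileSync(this.metaPath, "utf-8")` and its `sha` steers refresh decisions, I'd narrow the result — `const meta = JSON.parse(raw); return meta && typeof meta === "object" ? meta : undefined;` — and swallow only `ENOENT`/`SyntaxError`, surfacing anything else through telemetry. A one-line comment on `readMeta` stating that it is best-effort and returns `undefined` on any failure would also make the callers' `?.` chains self-explanatory. `readMeta`'s closing brace is outside the hunk.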
package/dist/disk-cache.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"disk-cache.js","sourceRoot":"","sources":["../src/disk-cache.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,uCAAyB;AACzB,2CAA6B;AAO7B;;;;;GAKG;AACH,MAAa,SAAS;IACH,YAAY,CAAS;IACrB,QAAQ,CAAS;IAElC,YAAY,SAAiB,EAAE,QAAgB,EAAE,WAAmB;QAClE,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;QAC3C,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,WAAW,WAAW,CAAC,CAAC;QAC9D,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,WAAW,OAAO,CAAC,CAAC;IACxD,CAAC;IAED,+EAA+E;IAC/E,KAAK,CAAC,GAAW,EAAE,GAAY;QAC7B,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QAC5C,EAAE,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAEvC,MAAM,WAAW,GAAG,GAAG,IAAI,CAAC,YAAY,QAAQ,OAAO,CAAC,GAAG,EAAE,CAAC;QAC9D,EAAE,CAAC,aAAa,CAAC,WAAW,EAAE,GAAG,EAAE,OAAO,CAAC,CAAC;QAC5C,EAAE,CAAC,UAAU,CAAC,WAAW,EAAE,IAAI,CAAC,YAAY,CAAC,CAAC;QAE9C,MAAM,IAAI,GAAkB,EAAE,GAAG,EAAE,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE,CAAC;QACzE,MAAM,OAAO,GAAG,GAAG,IAAI,CAAC,QAAQ,QAAQ,OAAO,CAAC,GAAG,EAAE,CAAC;QACtD,EAAE,CAAC,aAAa,CAAC,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE,OAAO,CAAC,CAAC;QACzD,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC;IACxC,CAAC;IAED,sEAAsE;IACtE,IAAI;QACF,IAAI,CAAC;YACH,OAAO,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC;QACrD,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,0DAA0D;IAC1D,YAAY;QACV,
|
|
1
|
+
{"version":3,"file":"disk-cache.js","sourceRoot":"","sources":["../src/disk-cache.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,uCAAyB;AACzB,2CAA6B;AAO7B;;;;;GAKG;AACH,MAAa,SAAS;IACH,YAAY,CAAS;IACrB,QAAQ,CAAS;IAElC,YAAY,SAAiB,EAAE,QAAgB,EAAE,WAAmB;QAClE,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;QAC3C,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,WAAW,WAAW,CAAC,CAAC;QAC9D,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,WAAW,OAAO,CAAC,CAAC;IACxD,CAAC;IAED,+EAA+E;IAC/E,KAAK,CAAC,GAAW,EAAE,GAAY;QAC7B,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QAC5C,EAAE,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAEvC,MAAM,WAAW,GAAG,GAAG,IAAI,CAAC,YAAY,QAAQ,OAAO,CAAC,GAAG,EAAE,CAAC;QAC9D,EAAE,CAAC,aAAa,CAAC,WAAW,EAAE,GAAG,EAAE,OAAO,CAAC,CAAC;QAC5C,EAAE,CAAC,UAAU,CAAC,WAAW,EAAE,IAAI,CAAC,YAAY,CAAC,CAAC;QAE9C,MAAM,IAAI,GAAkB,EAAE,GAAG,EAAE,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE,CAAC;QACzE,MAAM,OAAO,GAAG,GAAG,IAAI,CAAC,QAAQ,QAAQ,OAAO,CAAC,GAAG,EAAE,CAAC;QACtD,EAAE,CAAC,aAAa,CAAC,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE,OAAO,CAAC,CAAC;QACzD,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC;IACxC,CAAC;IAED,sEAAsE;IACtE,IAAI;QACF,IAAI,CAAC;YACH,OAAO,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC;QACrD,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,0DAA0D;IAC1D,YAAY;QACV,OAAO,IAAI,CAAC,QAAQ,EAAE,EAAE,GAAG,CAAC;IAC9B,CAAC;IAED,+DAA+D;IAC/D,YAAY;QACV,OAAO,IAAI,CAAC,QAAQ,EAAE,EAAE,SAAS,CAAC;IACpC,CAAC;IAEO,QAAQ;QACd,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;YACpD,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAkB,CAAC;QAC1C,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,SAAS,CAAC;QACnB,CAAC;IACH,CAAC;IAED,iDAAiD;IACjD,KAAK;QACH,IAAI,CAAC;YACH,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QACnC,CAAC;QAAC,MAAM,CAAC;YACP,iBAAiB;QACnB,CAAC;QACD,IAAI,CAAC;YACH,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAC/B,CAAC;QAAC,MAAM,CAAC;YACP,iBAAiB;QACnB,CAAC;IACH,CAAC
;CACF;AAlED,8BAkEC"}
|
|
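--- a/package/dist/encrypted-artifact-store.d.ts
+++ b/package/dist/encrypted-artifact-store.d.ts
@@ -0,0 +1,27 @@
+import type { ArtifactEnvelope } from "./poller";
+/**
+* Holds the latest validated-but-encrypted artifact envelope.
+*
+* In JIT mode (cacheTtl=0) the poller writes here after fetch+validate,
+* and the HTTP server reads from here on each request to decrypt on demand.
+* Key names and revision are readable without decryption (SOPS metadata).
+*/
+export declare class EncryptedArtifactStore {
+private artifact;
+private _storedAt;
+/** Atomically replace the stored artifact. */
+swap(artifact: ArtifactEnvelope): void;
+/** Get the current encrypted artifact. Returns null if not yet loaded. */
+get(): ArtifactEnvelope | null;
+/** Whether an artifact has been stored. */
+isReady(): boolean;
+/** Epoch ms of last store, or null. */
+getStoredAt(): number | null;
+/** Get key names from the stored artifact metadata (no decryption needed). */
+getKeys(): string[];
+/** Get the revision from the stored artifact. */
+getRevision(): string | null;
+/** Clear the stored artifact (on revocation/expiry). */
+wipe(): void;
+}
+//# sourceMappingURL=encrypted-artifact-store.d.ts.map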
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"encrypted-artifact-store.d.ts","sourceRoot":"","sources":["../src/encrypted-artifact-store.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,UAAU,CAAC;AAEjD;;;;;;GAMG;AACH,qBAAa,sBAAsB;IACjC,OAAO,CAAC,QAAQ,CAAiC;IACjD,OAAO,CAAC,SAAS,CAAuB;IAExC,8CAA8C;IAC9C,IAAI,CAAC,QAAQ,EAAE,gBAAgB,GAAG,IAAI;IAKtC,0EAA0E;IAC1E,GAAG,IAAI,gBAAgB,GAAG,IAAI;IAI9B,2CAA2C;IAC3C,OAAO,IAAI,OAAO;IAIlB,uCAAuC;IACvC,WAAW,IAAI,MAAM,GAAG,IAAI;IAI5B,8EAA8E;IAC9E,OAAO,IAAI,MAAM,EAAE;IAInB,iDAAiD;IACjD,WAAW,IAAI,MAAM,GAAG,IAAI;IAI5B,wDAAwD;IACxD,IAAI,IAAI,IAAI;CAIb"}
|
|
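--- a/package/dist/encrypted-artifact-store.js
+++ b/package/dist/encrypted-artifact-store.js
@@ -0,0 +1,46 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.EncryptedArtifactStore = void 0;
+/**
+* Holds the latest validated-but-encrypted artifact envelope.
+*
+* In JIT mode (cacheTtl=0) the poller writes here after fetch+validate,
+* and the HTTP server reads from here on each request to decrypt on demand.
+* Key names and revision are readable without decryption (SOPS metadata).
+*/
+class EncryptedArtifactStore {
+artifact = null;
+_storedAt = null;
+/** Atomically replace the stored artifact. */
+swap(artifact) {
+this.artifact = artifact;
+this._storedAt = Date.now();
+}
+/** Get the current encrypted artifact. Returns null if not yet loaded. */
+get() {
+return this.artifact;
+}
+/** Whether an artifact has been stored. */
+isReady() {
+return this.artifact !== null;
+}
+/** Epoch ms of last store, or null. */
+getStoredAt() {
+return this._storedAt;
+}
+/** Get key names from the stored artifact metadata (no decryption needed). */
+getKeys() {
+return this.artifact ? [...this.artifact.keys] : [];
+}
+/** Get the revision from the stored artifact. */
+getRevision() {
+return this.artifact?.revision ?? null;
+}
+/** Clear the stored artifact (on revocation/expiry). */
+wipe() {
+this.artifact = null;
+this._storedAt = null;
+}
+}
+exports.EncryptedArtifactStore = EncryptedArtifactStore;
+//# sourceMappingURL=encrypted-artifact-store.js.map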
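Review bot: `get()` hands back the stored envelope by reference while `getKeys()` defensively copies, so any consumer that mutates the returned object (or its `keys` array) changes what every later JIT request decrypts; either freeze on store with `this.artifact = Object.freeze(artifact);` (shallow, so say in the comment that nested fields are still shared) or state in the `get()` comment that the result is read-only. The class comment promises a "validated" envelope but `swap()` enforces nothing, and the HTTP server trusts whatever is here, so I'd add to `swap()`'s comment that the caller must have completed signature/expiry validation before calling and that no check is repeated on read. The "SOPS metadata" remark also sits oddly next to the README's "No SOPS binary" claim; if the key list comes from the artifact's own unencrypted metadata, the comment should say that, since it is the reason `getKeys()` needs no decryption.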
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"encrypted-artifact-store.js","sourceRoot":"","sources":["../src/encrypted-artifact-store.ts"],"names":[],"mappings":";;;AAEA;;;;;;GAMG;AACH,MAAa,sBAAsB;IACzB,QAAQ,GAA4B,IAAI,CAAC;IACzC,SAAS,GAAkB,IAAI,CAAC;IAExC,8CAA8C;IAC9C,IAAI,CAAC,QAA0B;QAC7B,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;QACzB,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAC9B,CAAC;IAED,0EAA0E;IAC1E,GAAG;QACD,OAAO,IAAI,CAAC,QAAQ,CAAC;IACvB,CAAC;IAED,2CAA2C;IAC3C,OAAO;QACL,OAAO,IAAI,CAAC,QAAQ,KAAK,IAAI,CAAC;IAChC,CAAC;IAED,uCAAuC;IACvC,WAAW;QACT,OAAO,IAAI,CAAC,SAAS,CAAC;IACxB,CAAC;IAED,8EAA8E;IAC9E,OAAO;QACL,OAAO,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IACtD,CAAC;IAED,iDAAiD;IACjD,WAAW;QACT,OAAO,IAAI,CAAC,QAAQ,EAAE,QAAQ,IAAI,IAAI,CAAC;IACzC,CAAC;IAED,wDAAwD;IACxD,IAAI;QACF,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC;QACrB,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC;IACxB,CAAC;CACF;AAxCD,wDAwCC"}
|
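--- a/package/dist/index.d.ts
+++ b/package/dist/index.d.ts
@@ -3,6 +3,9 @@ export { DiskCache } from "./disk-cache";
 export { AgeDecryptor } from "./decrypt";
 export { ArtifactPoller } from "./poller";
 export type { PollerOptions, ArtifactEnvelope } from "./poller";
+export { ArtifactDecryptor } from "./artifact-decryptor";
+export type { DecryptedArtifact, ArtifactDecryptorOptions } from "./artifact-decryptor";
+export { EncryptedArtifactStore } from "./encrypted-artifact-store";
 export { TelemetryEmitter } from "./telemetry";
 export type { TelemetryOptions, TelemetryEvent, AgentStartedEvent, AgentStoppedEvent, ArtifactRefreshedEvent, ArtifactRevokedEvent, ArtifactExpiredEvent, FetchFailedEvent, CacheExpiredEvent, ArtifactInvalidEvent, } from "./telemetry";
 export type { VcsProvider, VcsProviderConfig, VcsFileResult } from "./vcs/types";
@@ -17,6 +20,7 @@ export type { ArtifactSource, ArtifactFetchResult } from "./sources/types";
 export { HttpArtifactSource } from "./sources/http";
 export { FileArtifactSource } from "./sources/file";
 export { VcsArtifactSource } from "./sources/vcs";
+export { buildSigningPayload, verifySignature } from "./signature";
 import { SecretsCache } from "./secrets-cache";
 import { ArtifactPoller } from "./poller";
 import { TelemetryEmitter } from "./telemetry";
@@ -54,6 +58,11 @@ export interface RuntimeConfig {
 cacheTtl?: number;
 /** Optional telemetry emitter for event reporting. */
 telemetry?: TelemetryEmitter;
+/**
+* Public key for artifact signature verification (base64-encoded DER SPKI).
+* When set, unsigned or mis-signed artifacts are hard-rejected before decryption.
+*/
+verifyKey?: string;
 }
 /**
 * High-level runtime for fetching and caching secrets.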
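Review bot: The `verifyKey` doc block in the RuntimeConfig hunk states what happens when the key is set but not the default when it is absent; since "When set" implies verification is skipped otherwise, the comment should say so explicitly so an operator does not assume signature checking is on by default: `* When unset, signature verification is skipped (TODO confirm against ArtifactPoller) and only decryption guards the artifact.` It would also help to name the expected key type — the KMS side in this release signs with ECDSA_SHA_256 (see kms/types.d.ts) — so a mismatched key fails at configuration time rather than at the first poll. RuntimeConfig begins outside the hunk.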
package/dist/index.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAC/C,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AACzC,OAAO,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AACzC,OAAO,EAAE,cAAc,EAAE,MAAM,UAAU,CAAC;AAC1C,YAAY,EAAE,aAAa,EAAE,gBAAgB,EAAE,MAAM,UAAU,CAAC;
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAC/C,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AACzC,OAAO,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AACzC,OAAO,EAAE,cAAc,EAAE,MAAM,UAAU,CAAC;AAC1C,YAAY,EAAE,aAAa,EAAE,gBAAgB,EAAE,MAAM,UAAU,CAAC;AAChE,OAAO,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAC;AACzD,YAAY,EAAE,iBAAiB,EAAE,wBAAwB,EAAE,MAAM,sBAAsB,CAAC;AACxF,OAAO,EAAE,sBAAsB,EAAE,MAAM,4BAA4B,CAAC;AAGpE,OAAO,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAC/C,YAAY,EACV,gBAAgB,EAChB,cAAc,EACd,iBAAiB,EACjB,iBAAiB,EACjB,sBAAsB,EACtB,oBAAoB,EACpB,oBAAoB,EACpB,gBAAgB,EAChB,iBAAiB,EACjB,oBAAoB,GACrB,MAAM,aAAa,CAAC;AAGrB,YAAY,EAAE,WAAW,EAAE,iBAAiB,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AACjF,OAAO,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAC9C,OAAO,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAC9C,OAAO,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AACpD,OAAO,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAGhD,YAAY,EAAE,WAAW,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,OAAO,CAAC;AACzE,OAAO,EAAE,cAAc,EAAE,MAAM,OAAO,CAAC;AACvC,OAAO,EAAE,iBAAiB,EAAE,MAAM,OAAO,CAAC;AAG1C,YAAY,EAAE,cAAc,EAAE,mBAAmB,EAAE,MAAM,iBAAiB,CAAC;AAC3E,OAAO,EAAE,kBAAkB,EAAE,MAAM,gBAAgB,CAAC;AACpD,OAAO,EAAE,kBAAkB,EAAE,MAAM,gBAAgB,CAAC;AACpD,OAAO,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAC;AAGlD,OAAO,EAAE,mBAAmB,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAGnE,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAG/C,OAAO,EAAE,cAAc,EAAE,MAAM,UAAU,CAAC;AAM1C,OAAO,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAE/C;;;;;;GAMG;AACH,MAAM,WAAW,aAAa;IAC5B,8DAA8D;IAC9D,QAAQ,CAAC,EAAE,QAAQ,GAAG,QAAQ,GAAG,WAAW,CAAC;IAC7C,mDAAmD;IACnD,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,wDAAwD;IACxD,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,gDAAgD;IAChD,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,iFAAiF;IACjF,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,mFAAmF;IACnF,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,yDAAyD;IACzD,MAAM,CAAC,EAAE,MAAM,CAAC;IAEhB,6EAA6E;IAC7E,MAAM,CAAC,EAAE,MAAM,CAAC;IAEhB,qDAAqD;IACrD,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,+BAA+B;IAC/B,UAAU,CAAC,EAAE,MAAM,CAAC;IAEpB,0FAA0F;IAC1F,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,2EAA2E;IAC3E,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB
,sDAAsD;IACtD,SAAS,CAAC,EAAE,gBAAgB,CAAC;IAE7B;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED;;;;;;GAMG;AACH,qBAAa,WAAW;IACtB,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAsB;IAC5C,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAiB;IACxC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAgB;gBAE3B,MAAM,EAAE,aAAa;IAgCjC,iEAAiE;IAC3D,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAI5B,yFAAyF;IACzF,YAAY,IAAI,IAAI;IAIpB,+BAA+B;IAC/B,WAAW,IAAI,IAAI;IAInB,wCAAwC;IACxC,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS;IAIpC,wCAAwC;IACxC,MAAM,IAAI,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;IAIhC,0DAA0D;IAC1D,GAAG,IAAI,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;IAI7B,gCAAgC;IAChC,IAAI,IAAI,MAAM,EAAE;IAIhB,iCAAiC;IACjC,IAAI,QAAQ,IAAI,MAAM,CAErB;IAED,wCAAwC;IACxC,IAAI,KAAK,IAAI,OAAO,CAEnB;IAED,yDAAyD;IACzD,SAAS,IAAI,cAAc;IAI3B,wDAAwD;IACxD,QAAQ,IAAI,YAAY;IAIxB,OAAO,CAAC,aAAa;CA0CtB;AAED,2FAA2F;AAC3F,wBAAsB,IAAI,CAAC,MAAM,EAAE,aAAa,GAAG,OAAO,CAAC,WAAW,CAAC,CAItE"}
|
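--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.ClefRuntime = exports.VcsArtifactSource = exports.FileArtifactSource = exports.HttpArtifactSource = exports.createKmsProvider = exports.AwsKmsProvider = exports.createVcsProvider = exports.BitbucketProvider = exports.GitLabProvider = exports.GitHubProvider = exports.TelemetryEmitter = exports.ArtifactPoller = exports.AgeDecryptor = exports.DiskCache = exports.SecretsCache = void 0;
+exports.ClefRuntime = exports.verifySignature = exports.buildSigningPayload = exports.VcsArtifactSource = exports.FileArtifactSource = exports.HttpArtifactSource = exports.createKmsProvider = exports.AwsKmsProvider = exports.createVcsProvider = exports.BitbucketProvider = exports.GitLabProvider = exports.GitHubProvider = exports.TelemetryEmitter = exports.EncryptedArtifactStore = exports.ArtifactDecryptor = exports.ArtifactPoller = exports.AgeDecryptor = exports.DiskCache = exports.SecretsCache = void 0;
 exports.init = init;
 // Core modules
 var secrets_cache_1 = require("./secrets-cache");
@@ -11,6 +11,10 @@ var decrypt_1 = require("./decrypt");
 Object.defineProperty(exports, "AgeDecryptor", { enumerable: true, get: function () { return decrypt_1.AgeDecryptor; } });
 var poller_1 = require("./poller");
 Object.defineProperty(exports, "ArtifactPoller", { enumerable: true, get: function () { return poller_1.ArtifactPoller; } });
+var artifact_decryptor_1 = require("./artifact-decryptor");
+Object.defineProperty(exports, "ArtifactDecryptor", { enumerable: true, get: function () { return artifact_decryptor_1.ArtifactDecryptor; } });
+var encrypted_artifact_store_1 = require("./encrypted-artifact-store");
+Object.defineProperty(exports, "EncryptedArtifactStore", { enumerable: true, get: function () { return encrypted_artifact_store_1.EncryptedArtifactStore; } });
 // Telemetry
 var telemetry_1 = require("./telemetry");
 Object.defineProperty(exports, "TelemetryEmitter", { enumerable: true, get: function () { return telemetry_1.TelemetryEmitter; } });
@@ -32,6 +36,10 @@ var file_1 = require("./sources/file");
 Object.defineProperty(exports, "FileArtifactSource", { enumerable: true, get: function () { return file_1.FileArtifactSource; } });
 var vcs_1 = require("./sources/vcs");
 Object.defineProperty(exports, "VcsArtifactSource", { enumerable: true, get: function () { return vcs_1.VcsArtifactSource; } });
+// Signature verification
+var signature_1 = require("./signature");
+Object.defineProperty(exports, "buildSigningPayload", { enumerable: true, get: function () { return signature_1.buildSigningPayload; } });
+Object.defineProperty(exports, "verifySignature", { enumerable: true, get: function () { return signature_1.verifySignature; } });
 // High-level API
 const secrets_cache_2 = require("./secrets-cache");
 const disk_cache_2 = require("./disk-cache");
@@ -74,6 +82,7 @@ class ClefRuntime {
 diskCache,
 cacheTtl: config.cacheTtl,
 telemetry: config.telemetry,
+verifyKey: config.verifyKey,
 });
 }
 /** Initial fetch + decrypt. Must be called before get/getAll. */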
package/dist/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";;;
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";;;AAwPA,oBAIC;AA5PD,eAAe;AACf,iDAA+C;AAAtC,6GAAA,YAAY,OAAA;AACrB,2CAAyC;AAAhC,uGAAA,SAAS,OAAA;AAClB,qCAAyC;AAAhC,uGAAA,YAAY,OAAA;AACrB,mCAA0C;AAAjC,wGAAA,cAAc,OAAA;AAEvB,2DAAyD;AAAhD,uHAAA,iBAAiB,OAAA;AAE1B,uEAAoE;AAA3D,kIAAA,sBAAsB,OAAA;AAE/B,YAAY;AACZ,yCAA+C;AAAtC,6GAAA,gBAAgB,OAAA;AAgBzB,uCAA8C;AAArC,wGAAA,cAAc,OAAA;AACvB,uCAA8C;AAArC,wGAAA,cAAc,OAAA;AACvB,6CAAoD;AAA3C,8GAAA,iBAAiB,OAAA;AAC1B,qCAAgD;AAAvC,0GAAA,iBAAiB,OAAA;AAI1B,6BAAuC;AAA9B,qGAAA,cAAc,OAAA;AACvB,6BAA0C;AAAjC,wGAAA,iBAAiB,OAAA;AAI1B,uCAAoD;AAA3C,0GAAA,kBAAkB,OAAA;AAC3B,uCAAoD;AAA3C,0GAAA,kBAAkB,OAAA;AAC3B,qCAAkD;AAAzC,wGAAA,iBAAiB,OAAA;AAE1B,yBAAyB;AACzB,yCAAmE;AAA1D,gHAAA,mBAAmB,OAAA;AAAE,4GAAA,eAAe,OAAA;AAE7C,iBAAiB;AACjB,mDAA+C;AAC/C,6CAAyC;AACzC,uCAAyC;AACzC,qCAA0C;AAC1C,uCAAgD;AAChD,uCAAkD;AAClD,yCAAoD;AACpD,yCAAoD;AAkDpD;;;;;;GAMG;AACH,MAAa,WAAW;IACL,KAAK,GAAG,IAAI,4BAAY,EAAE,CAAC;IAC3B,MAAM,CAAiB;IACvB,MAAM,CAAgB;IAEvC,YAAY,MAAqB;QAC/B,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QAErB,8DAA8D;QAC9D,IAAI,UAA8B,CAAC;QACnC,IAAI,CAAC;YACH,MAAM,SAAS,GAAG,IAAI,sBAAY,EAAE,CAAC;YACrC,UAAU,GAAG,SAAS,CAAC,UAAU,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,UAAU,CAAC,CAAC;QACtE,CAAC;QAAC,MAAM,CAAC;YACP,0DAA0D;QAC5D,CAAC;QAED,MAAM,MAAM,GAAG,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC;QAC1C,MAAM,SAAS,GAAG,MAAM,CAAC,SAAS;YAChC,CAAC,CAAC,IAAI,sBAAS,CACX,MAAM,CAAC,SAAS,EAChB,MAAM,CAAC,QAAQ,IAAI,SAAS,EAC5B,MAAM,CAAC,WAAW,IAAI,SAAS,CAChC;YACH,CAAC,CAAC,SAAS,CAAC;QAEd,IAAI,CAAC,MAAM,GAAG,IAAI,uBAAc,CAAC;YAC/B,MAAM;YACN,UAAU;YACV,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,SAAS;YACT,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,SAAS,EAAE,MAAM,CAAC,SAAS;YAC3B,SAAS,EAAE,MAAM,CAAC,SAAS;SAC5B,CAAC,CAAC;IACL,CAAC;IAED,iEAAiE;IACjE,KAAK,CAAC,KAAK;QACT,MAAM,IAAI,CAAC,MAAM,CAAC,eAAe,EAAE,CAAC;IACtC,CAAC;IAED,yFAAyF;IACzF,YAAY;QACV,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,CAAC;IAC7B,CAAC;IAED,+BAA+B;IAC/B,WAAW;QACT,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;IACrB,CAAC;IAED,wCAAwC;IACxC,GAAG,CAAC,GAAW
;QACb,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAC7B,CAAC;IAED,wCAAwC;IACxC,MAAM;QACJ,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC;IACnC,CAAC;IAED,0DAA0D;IAC1D,GAAG;QACD,OAAO,IAAI,CAAC,MAAM,EAAE,CAAC;IACvB,CAAC;IAED,gCAAgC;IAChC,IAAI;QACF,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC;IAC9B,CAAC;IAED,iCAAiC;IACjC,IAAI,QAAQ;QACV,OAAO,IAAI,CAAC,KAAK,CAAC,WAAW,EAAE,IAAI,EAAE,CAAC;IACxC,CAAC;IAED,wCAAwC;IACxC,IAAI,KAAK;QACP,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC;IAC9B,CAAC;IAED,yDAAyD;IACzD,SAAS;QACP,OAAO,IAAI,CAAC,MAAM,CAAC;IACrB,CAAC;IAED,wDAAwD;IACxD,QAAQ;QACN,OAAO,IAAI,CAAC,KAAK,CAAC;IACpB,CAAC;IAEO,aAAa,CAAC,MAAqB;QACzC,aAAa;QACb,MAAM,SAAS,GAAG;YAChB,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,IAAI,EAAE,MAAM,CAAC,IAAI;YACjB,KAAK,EAAE,MAAM,CAAC,KAAK;YACnB,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,WAAW,EAAE,MAAM,CAAC,WAAW;SAChC,CAAC;QACF,MAAM,UAAU,GAAG,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QACpE,MAAM,UAAU,GAAG,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;QAEnE,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACnD,MAAM,OAAO,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACtD,MAAM,IAAI,KAAK,CACb,yCAAyC,OAAO,2GAA2G,CAC5J,CAAC;QACJ,CAAC;QAED,IAAI,UAAU,CAAC,MAAM,KAAK,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,MAAM,EAAE,CAAC;YACxD,MAAM,QAAQ,GAAG,IAAA,yBAAiB,EAAC;gBACjC,QAAQ,EAAE,MAAM,CAAC,QAAS;gBAC1B,IAAI,EAAE,MAAM,CAAC,IAAK;gBAClB,KAAK,EAAE,MAAM,CAAC,KAAM;gBACpB,GAAG,EAAE,MAAM,CAAC,GAAG;gBACf,MAAM,EAAE,MAAM,CAAC,MAAM;aACtB,CAAC,CAAC;YACH,OAAO,IAAI,uBAAiB,CAAC,QAAQ,EAAE,MAAM,CAAC,QAAS,EAAE,MAAM,CAAC,WAAY,CAAC,CAAC;QAChF,CAAC;QAED,sBAAsB;QACtB,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;YAClB,IAAI,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;gBAChF,OAAO,IAAI,yBAAkB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;YAC/C,CAAC;YACD,OAAO,IAAI,yBAAkB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;Q
AC/C,CAAC;QAED,MAAM,IAAI,KAAK,CACb,wHAAwH,CACzH,CAAC;IACJ,CAAC;CACF;AAtID,kCAsIC;AAED,2FAA2F;AACpF,KAAK,UAAU,IAAI,CAAC,MAAqB;IAC9C,MAAM,OAAO,GAAG,IAAI,WAAW,CAAC,MAAM,CAAC,CAAC;IACxC,MAAM,OAAO,CAAC,KAAK,EAAE,CAAC;IACtB,OAAO,OAAO,CAAC;AACjB,CAAC"}
|
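--- a/package/dist/kms/aws.d.ts
+++ b/package/dist/kms/aws.d.ts
@@ -11,5 +11,6 @@ export declare class AwsKmsProvider implements KmsProvider {
 private ensureClient;
 wrap(keyId: string, plaintext: Buffer): Promise<KmsWrapResult>;
 unwrap(keyId: string, wrappedKey: Buffer, algorithm: string): Promise<Buffer>;
+sign(keyId: string, digest: Buffer): Promise<Buffer>;
 }
 //# sourceMappingURL=aws.d.ts.map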
package/dist/kms/aws.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"aws.d.ts","sourceRoot":"","sources":["../../src/kms/aws.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAErD;;;GAGG;AACH,qBAAa,cAAe,YAAW,WAAW;IAEhD,OAAO,CAAC,MAAM,CAAM;IAEpB,OAAO,CAAC,GAAG,CAAM;IACjB,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAS;gBAErB,MAAM,CAAC,EAAE,MAAM;YAIb,YAAY;IAYpB,IAAI,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,CAAC;IAmB9D,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;
|
|
1
|
+
{"version":3,"file":"aws.d.ts","sourceRoot":"","sources":["../../src/kms/aws.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAErD;;;GAGG;AACH,qBAAa,cAAe,YAAW,WAAW;IAEhD,OAAO,CAAC,MAAM,CAAM;IAEpB,OAAO,CAAC,GAAG,CAAM;IACjB,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAS;gBAErB,MAAM,CAAC,EAAE,MAAM;YAIb,YAAY;IAYpB,IAAI,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,CAAC;IAmB9D,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAgB7E,IAAI,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;CAgB3D"}
|
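--- a/package/dist/kms/aws.js
+++ b/package/dist/kms/aws.js
@@ -87,6 +87,20 @@ class AwsKmsProvider {
 }
 return Buffer.from(response.Plaintext);
 }
+async sign(keyId, digest) {
+await this.ensureClient();
+const command = new this.sdk.SignCommand({
+KeyId: keyId,
+Message: digest,
+MessageType: "DIGEST",
+SigningAlgorithm: "ECDSA_SHA_256",
+});
+const response = await this.client.send(command);
+if (!response.Signature) {
+throw new Error("AWS KMS Sign returned no signature.");
+}
+return Buffer.from(response.Signature);
+}
 }
 exports.AwsKmsProvider = AwsKmsProvider;
 //# sourceMappingURL=aws.js.map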
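Review bot: `sign` forwards `digest` to KMS as `MessageType: "DIGEST"` with `SigningAlgorithm: "ECDSA_SHA_256"`, so a caller that passes anything other than a 32-byte SHA-256 digest (for example the raw message) is only rejected remotely with a generic validation error; a local guard before building the command gives a precise failure: `if (digest.length !== 32) throw new Error("AWS KMS sign expects a 32-byte SHA-256 digest.");`. The method also lacks the doc comment that the optional `sign` in kms/types.d.ts carries; it should state that the returned buffer is the DER-encoded ECDSA signature as AWS KMS produces it, since the verifier in signature.js (not in this hunk) must expect the same encoding. AwsKmsProvider starts outside the hunk.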
package/dist/kms/aws.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"aws.js","sourceRoot":"","sources":["../../src/kms/aws.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAEA;;;GAGG;AACH,MAAa,cAAc;IACzB,wFAAwF;IAChF,MAAM,CAAM;IACpB,wFAAwF;IAChF,GAAG,CAAM;IACA,MAAM,CAAU;IAEjC,YAAY,MAAe;QACzB,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;IACvB,CAAC;IAEO,KAAK,CAAC,YAAY;QACxB,IAAI,IAAI,CAAC,MAAM;YAAE,OAAO;QACxB,IAAI,CAAC;YACH,IAAI,CAAC,GAAG,GAAG,wDAAa,qBAAqB,GAAC,CAAC;YAC/C,IAAI,CAAC,MAAM,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;QAChE,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,KAAK,CACb,wFAAwF,CACzF,CAAC;QACJ,CAAC;IACH,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,KAAa,EAAE,SAAiB;QACzC,MAAM,IAAI,CAAC,YAAY,EAAE,CAAC;QAC1B,MAAM,OAAO,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,cAAc,CAAC;YAC1C,KAAK,EAAE,KAAK;YACZ,SAAS,EAAE,SAAS;YACpB,mBAAmB,EAAE,mBAAmB;SACzC,CAAC,CAAC;QAEH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACjD,IAAI,CAAC,QAAQ,CAAC,cAAc,EAAE,CAAC;YAC7B,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAC;QAC7D,CAAC;QAED,OAAO;YACL,UAAU,EAAE,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,cAAc,CAAC;YAChD,SAAS,EAAE,mBAAmB;SAC/B,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAa,EAAE,UAAkB,EAAE,SAAiB;QAC/D,MAAM,IAAI,CAAC,YAAY,EAAE,CAAC;QAC1B,MAAM,OAAO,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,cAAc,CAAC;YAC1C,KAAK,EAAE,KAAK;YACZ,cAAc,EAAE,UAAU;YAC1B,mBAAmB,EAAE,SAAS;SAC/B,CAAC,CAAC;QAEH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACjD,IAAI,CAAC,QAAQ,CAAC,SAAS,EAAE,CAAC;YACxB,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;QAC5D,CAAC;QAED,OAAO,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;IACzC,CAAC;CACF;
|
|
1
|
+
{"version":3,"file":"aws.js","sourceRoot":"","sources":["../../src/kms/aws.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAEA;;;GAGG;AACH,MAAa,cAAc;IACzB,wFAAwF;IAChF,MAAM,CAAM;IACpB,wFAAwF;IAChF,GAAG,CAAM;IACA,MAAM,CAAU;IAEjC,YAAY,MAAe;QACzB,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;IACvB,CAAC;IAEO,KAAK,CAAC,YAAY;QACxB,IAAI,IAAI,CAAC,MAAM;YAAE,OAAO;QACxB,IAAI,CAAC;YACH,IAAI,CAAC,GAAG,GAAG,wDAAa,qBAAqB,GAAC,CAAC;YAC/C,IAAI,CAAC,MAAM,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;QAChE,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,KAAK,CACb,wFAAwF,CACzF,CAAC;QACJ,CAAC;IACH,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,KAAa,EAAE,SAAiB;QACzC,MAAM,IAAI,CAAC,YAAY,EAAE,CAAC;QAC1B,MAAM,OAAO,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,cAAc,CAAC;YAC1C,KAAK,EAAE,KAAK;YACZ,SAAS,EAAE,SAAS;YACpB,mBAAmB,EAAE,mBAAmB;SACzC,CAAC,CAAC;QAEH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACjD,IAAI,CAAC,QAAQ,CAAC,cAAc,EAAE,CAAC;YAC7B,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAC;QAC7D,CAAC;QAED,OAAO;YACL,UAAU,EAAE,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,cAAc,CAAC;YAChD,SAAS,EAAE,mBAAmB;SAC/B,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAa,EAAE,UAAkB,EAAE,SAAiB;QAC/D,MAAM,IAAI,CAAC,YAAY,EAAE,CAAC;QAC1B,MAAM,OAAO,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,cAAc,CAAC;YAC1C,KAAK,EAAE,KAAK;YACZ,cAAc,EAAE,UAAU;YAC1B,mBAAmB,EAAE,SAAS;SAC/B,CAAC,CAAC;QAEH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACjD,IAAI,CAAC,QAAQ,CAAC,SAAS,EAAE,CAAC;YACxB,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;QAC5D,CAAC;QAED,OAAO,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;IACzC,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,KAAa,EAAE,MAAc;QACtC,MAAM,IAAI,CAAC,YAAY,EAAE,CAAC;QAC1B,MAAM,OAAO,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC;YACvC,KAAK,EAAE,KAAK;YACZ,OAAO,EAAE,MAAM;YACf,WAAW,EAAE,QAAQ;YACrB,gBAAgB,EAAE,eAAe;SAClC,CAAC,CAAC;QAEH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACjD,IAAI,CAAC,QAAQ,CAAC,SAAS,EAAE,CAAC;YACxB,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;QACzD,CAAC;QAED,OAAO,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,SA
AS,CAAC,CAAC;IACzC,CAAC;CACF;AA1ED,wCA0EC"}
|
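--- a/package/dist/kms/types.d.ts
+++ b/package/dist/kms/types.d.ts
@@ -6,5 +6,7 @@ export interface KmsWrapResult {
 export interface KmsProvider {
 wrap(keyId: string, plaintext: Buffer): Promise<KmsWrapResult>;
 unwrap(keyId: string, wrappedKey: Buffer, algorithm: string): Promise<Buffer>;
+/** Sign a SHA-256 digest with an asymmetric KMS key (ECDSA_SHA_256). Optional. */
+sign?(keyId: string, digest: Buffer): Promise<Buffer>;
 }
 //# sourceMappingURL=types.d.ts.map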
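Review bot: The new `sign?` is optional, but its doc comment does not tell a caller what to do when a provider omits it, and a provider without `sign` presumably cannot produce the signatures that consumers configured with `verifyKey` hard-reject without. The comment should make the contract explicit: `/** Sign a SHA-256 digest with an asymmetric KMS key (ECDSA_SHA_256). Optional; callers must treat a missing sign as a hard error rather than emitting an unsigned artifact. */`. It should also name the expected digest length (32 bytes) and the signature encoding the implementation returns, so alternative providers stay interoperable with the AWS one.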
package/dist/kms/types.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/kms/types.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,eAAe,GAAG,KAAK,GAAG,KAAK,GAAG,OAAO,CAAC;AAEtD,MAAM,WAAW,aAAa;IAC5B,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,WAAW;IAC1B,IAAI,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,CAAC,CAAC;IAC/D,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;
|
|
1
|
+
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/kms/types.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,eAAe,GAAG,KAAK,GAAG,KAAK,GAAG,OAAO,CAAC;AAEtD,MAAM,WAAW,aAAa;IAC5B,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,WAAW;IAC1B,IAAI,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,CAAC,CAAC;IAC/D,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAC9E,kFAAkF;IAClF,IAAI,CAAC,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;CACvD"}
|