@clef-sh/runtime 0.1.6-beta.32 → 0.1.12
- package/README.md +65 -0
- package/dist/artifact-decryptor.d.ts +47 -0
- package/dist/artifact-decryptor.d.ts.map +1 -0
- package/dist/artifact-decryptor.js +151 -0
- package/dist/artifact-decryptor.js.map +1 -0
- package/dist/decrypt.d.ts.map +1 -1
- package/dist/decrypt.js +3 -1
- package/dist/decrypt.js.map +1 -1
- package/dist/disk-cache.d.ts +1 -0
- package/dist/disk-cache.d.ts.map +1 -1
- package/dist/disk-cache.js +5 -10
- package/dist/disk-cache.js.map +1 -1
- package/dist/encrypted-artifact-store.d.ts +27 -0
- package/dist/encrypted-artifact-store.d.ts.map +1 -0
- package/dist/encrypted-artifact-store.js +46 -0
- package/dist/encrypted-artifact-store.js.map +1 -0
- package/dist/index.d.ts +9 -0
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +10 -1
- package/dist/index.js.map +1 -1
- package/dist/kms/aws.d.ts +1 -0
- package/dist/kms/aws.d.ts.map +1 -1
- package/dist/kms/aws.js +14 -0
- package/dist/kms/aws.js.map +1 -1
- package/dist/kms/types.d.ts +2 -0
- package/dist/kms/types.d.ts.map +1 -1
- package/dist/poller.d.ts +47 -6
- package/dist/poller.d.ts.map +1 -1
- package/dist/poller.js +141 -71
- package/dist/poller.js.map +1 -1
- package/dist/secrets-cache.d.ts +1 -1
- package/dist/secrets-cache.d.ts.map +1 -1
- package/dist/secrets-cache.js +13 -1
- package/dist/secrets-cache.js.map +1 -1
- package/dist/signature.d.ts +44 -0
- package/dist/signature.d.ts.map +1 -0
- package/dist/signature.js +93 -0
- package/dist/signature.js.map +1 -0
- package/dist/sources/http.d.ts.map +1 -1
- package/dist/sources/http.js +12 -2
- package/dist/sources/http.js.map +1 -1
- package/package.json +1 -1
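--- a/package/dist/poller.d.ts
+++ b/package/dist/poller.d.ts
@@ -1,6 +1,8 @@
 import { SecretsCache } from "./secrets-cache";
 import { ArtifactSource } from "./sources/types";
 import { DiskCache } from "./disk-cache";
+import { EncryptedArtifactStore } from "./encrypted-artifact-store";
+import { ArtifactDecryptor } from "./artifact-decryptor";
 import { TelemetryEmitter } from "./telemetry";
 /** KMS envelope metadata for artifacts using KMS envelope encryption. */
 export interface ArtifactKmsEnvelope {
@@ -8,6 +10,10 @@ export interface ArtifactKmsEnvelope {
 keyId: string;
 wrappedKey: string;
 algorithm: string;
+/** Base64-encoded 12-byte AES-GCM initialization vector. */
+iv: string;
+/** Base64-encoded 16-byte AES-GCM authentication tag. */
+authTag: string;
 }
 /** Shape of a packed artifact JSON envelope. */
 export interface ArtifactEnvelope {
@@ -24,6 +30,10 @@ export interface ArtifactEnvelope {
 expiresAt?: string;
 /** ISO-8601 revocation timestamp. Present when the artifact has been revoked. */
 revokedAt?: string;
+/** Base64-encoded cryptographic signature over the canonical artifact payload. */
+signature?: string;
+/** Algorithm used to produce the signature (e.g. "Ed25519", "ECDSA_SHA256"). */
+signatureAlgorithm?: string;
 }
 export interface PollerOptions {
 /** Artifact source strategy. */
@@ -38,10 +48,17 @@ export interface PollerOptions {
 onRefresh?: (revision: string) => void;
 /** Optional error callback for logging. */
 onError?: (err: Error) => void;
-/** Max seconds the cache may be served without a successful refresh. */
+/** Max seconds the cache may be served without a successful refresh. 0 = JIT mode. */
 cacheTtl?: number;
 /** Optional telemetry emitter for event reporting. */
 telemetry?: TelemetryEmitter;
+/**
+* Public key for artifact signature verification (base64-encoded DER SPKI).
+* When set, artifacts without a valid signature are hard-rejected before decryption.
+*/
+verifyKey?: string;
+/** Encrypted artifact store for JIT mode. When set, enables fetch-only polling. */
+encryptedStore?: EncryptedArtifactStore;
 }
 export declare class ArtifactPoller {
 private timer;
@@ -50,17 +67,41 @@ export declare class ArtifactPoller {
 private lastExpiresAt;
 private readonly decryptor;
 private readonly options;
+private readonly jitMode;
 private telemetryOverride?;
 constructor(options: PollerOptions);
+/** Get the decryptor instance (for JIT mode server wiring). */
+getDecryptor(): ArtifactDecryptor;
 /** Set or replace the telemetry emitter (e.g. after resolving token from secrets). */
 setTelemetry(emitter: TelemetryEmitter): void;
 private get telemetry();
-/**
+/**
+* Fetch, validate, decrypt, and cache the artifact.
+* Used in cached mode (cacheTtl > 0).
+*/
 fetchAndDecrypt(): Promise<void>;
 /**
-*
-*
-*
+* Fetch and validate the artifact without decrypting.
+* Stores the validated envelope in the encryptedStore for on-demand decryption.
+* Used in JIT mode (cacheTtl = 0).
+*/
+fetchAndValidate(): Promise<void>;
+/**
+* Fetch the raw artifact from the source (with disk cache fallback),
+* parse JSON, and check for revocation.
+*
+* Returns null when the content hash is unchanged (short-circuit).
+*/
+private fetchRaw;
+/**
+* Validate the artifact envelope: version, required fields, expiry,
+* revision dedup, integrity hash, and signature.
+* Emits `artifact.invalid` / `artifact.expired` telemetry on failure.
+* Returns the validated artifact, or throws.
+*/
+private validateArtifact;
+/**
+* Validate then decrypt and cache. Used by fetchAndDecrypt (cached mode).
 */
 private validateDecryptAndCache;
 /** Start the polling loop. Performs an initial fetch immediately. */
@@ -75,6 +116,6 @@ export declare class ArtifactPoller {
 private scheduleNext;
 /** Compute ms until next poll: 80% of expiresAt remaining, or cacheTtl / 10 fallback. */
 private computeNextPollMs;
-private
+private validateEnvelope;
 }
 //# sourceMappingURL=poller.d.ts.map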
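Review bot: The doc comments in `PollerOptions` and on `fetchAndValidate` give two different triggers for JIT mode: `cacheTtl` says "0 = JIT mode" and `fetchAndValidate` says "Used in JIT mode (cacheTtl = 0)", while `encryptedStore` says "When set, enables fetch-only polling". The compiled constructor in poller.js on this page sets `this.jitMode = !!options.encryptedStore` and does not read `cacheTtl`, so `cacheTtl: 0` without an `encryptedStore` appears to take the decrypt-and-cache path with every `ttl > 0` staleness check skipped. If that is intended, I would state the real condition on both options, for example `/** Max seconds the cache may be served without a successful refresh. 0 disables the staleness check; JIT mode is selected by encryptedStore. */`. The `verifyKey` comment should also say that leaving it unset means no signature check is performed, since the verification block in poller.js is guarded by `if (this.options.verifyKey)`.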
package/dist/poller.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"poller.d.ts","sourceRoot":"","sources":["../src/poller.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;
|
|
1
|
+
{"version":3,"file":"poller.d.ts","sourceRoot":"","sources":["../src/poller.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAC/C,OAAO,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAC;AACjD,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AACzC,OAAO,EAAE,sBAAsB,EAAE,MAAM,4BAA4B,CAAC;AACpE,OAAO,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAC;AACzD,OAAO,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAG/C,yEAAyE;AACzE,MAAM,WAAW,mBAAmB;IAClC,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;IACd,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,4DAA4D;IAC5D,EAAE,EAAE,MAAM,CAAC;IACX,yDAAyD;IACzD,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,gDAAgD;AAChD,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,cAAc,EAAE,MAAM,CAAC;IACvB,UAAU,EAAE,MAAM,CAAC;IACnB,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,QAAQ,CAAC,EAAE,mBAAmB,CAAC;IAC/B,uEAAuE;IACvE,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,iFAAiF;IACjF,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,kFAAkF;IAClF,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,gFAAgF;IAChF,kBAAkB,CAAC,EAAE,MAAM,CAAC;CAC7B;AAED,MAAM,WAAW,aAAa;IAC5B,gCAAgC;IAChC,MAAM,EAAE,cAAc,CAAC;IACvB,mEAAmE;IACnE,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,8CAA8C;IAC9C,KAAK,EAAE,YAAY,CAAC;IACpB,wCAAwC;IACxC,SAAS,CAAC,EAAE,SAAS,CAAC;IACtB,+CAA+C;IAC/C,SAAS,CAAC,EAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,IAAI,CAAC;IACvC,2CAA2C;IAC3C,OAAO,CAAC,EAAE,CAAC,GAAG,EAAE,KAAK,KAAK,IAAI,CAAC;IAC/B,sFAAsF;IACtF,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,sDAAsD;IACtD,SAAS,CAAC,EAAE,gBAAgB,CAAC;IAC7B;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,mFAAmF;IACnF,cAAc,CAAC,EAAE,sBAAsB,CAAC;CACzC;AAaD,qBAAa,cAAc;IACzB,OAAO,CAAC,KAAK,CAA8C;IAC3D,OAAO,CAAC,eAAe,CAAuB;IAC9C,OAAO,CAAC,YAAY,CAAuB;IAC3C,OAAO,CAAC,aAAa,CAAuB;IAC5C,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAoB;IAC9C,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAgB;IACxC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAU;IAClC,OAAO,CAAC,iBAAiB,CAAC,CAAmB;gBAEjC,OAAO,EAAE,aAAa;IASlC,+DAA+D;IAC/D,YAAY,IAAI,iBAAiB;IAIjC,sFAAsF;IACtF,YAAY,CAAC,OAAO,EAAE,gBAAgB,GAAG,IAAI;IAK7C,OAAO,KAAK,SAAS,GAEpB;IAED;;;OAGG;IACG,eAAe,IAAI,OAAO,C
AAC,IAAI,CAAC;IAMtC;;;;OAIG;IACG,gBAAgB,IAAI,OAAO,CAAC,IAAI,CAAC;IAkBvC;;;;;OAKG;YACW,QAAQ;IA2FtB;;;;;OAKG;IACH,OAAO,CAAC,gBAAgB;IAkFxB;;OAEG;YACW,uBAAuB;IAyBrC,qEAAqE;IAC/D,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAS5B,0DAA0D;IAC1D,YAAY,IAAI,IAAI;IAKpB,6BAA6B;IAC7B,IAAI,IAAI,IAAI;IAOZ,+CAA+C;IAC/C,SAAS,IAAI,OAAO;IAIpB,wDAAwD;IACxD,OAAO,CAAC,YAAY;IAiBpB,yFAAyF;IACzF,OAAO,CAAC,iBAAiB;IAoBzB,OAAO,CAAC,gBAAgB;CAsBzB"}
|
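--- a/package/dist/poller.js
+++ b/package/dist/poller.js
@@ -35,11 +35,15 @@ var __importStar = (this && this.__importStar) || (function () {
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.ArtifactPoller = void 0;
 const crypto = __importStar(require("crypto"));
-const
-const
+const artifact_decryptor_1 = require("./artifact-decryptor");
+const signature_1 = require("./signature");
 /**
 * Periodically fetches a published artifact, decrypts it, and swaps the
 * secrets cache when a new revision is detected.
+*
+* In JIT mode (cacheTtl=0 with encryptedStore), the poller fetches and
+* validates the artifact but does NOT decrypt. The encrypted artifact is
+* stored for on-demand decryption by the request handler.
 */
 /** Minimum poll interval in milliseconds (floor for all scheduling). */
 const MIN_POLL_MS = 5_000;
@@ -48,21 +52,68 @@ class ArtifactPoller {
 lastContentHash = null;
 lastRevision = null;
 lastExpiresAt = null;
-decryptor
+decryptor;
 options;
+jitMode;
 telemetryOverride;
 constructor(options) {
 this.options = options;
+this.jitMode = !!options.encryptedStore;
+this.decryptor = new artifact_decryptor_1.ArtifactDecryptor({
+privateKey: options.privateKey,
+telemetry: options.telemetry,
+});
+}
+/** Get the decryptor instance (for JIT mode server wiring). */
+getDecryptor() {
+return this.decryptor;
 }
 /** Set or replace the telemetry emitter (e.g. after resolving token from secrets). */
 setTelemetry(emitter) {
 this.telemetryOverride = emitter;
+this.decryptor.setTelemetry(emitter);
 }
 get telemetry() {
 return this.telemetryOverride ?? this.options.telemetry;
 }
-/**
+/**
+* Fetch, validate, decrypt, and cache the artifact.
+* Used in cached mode (cacheTtl > 0).
+*/
 async fetchAndDecrypt() {
+const result = await this.fetchRaw();
+if (!result)
+return; // short-circuited (unchanged hash)
+await this.validateDecryptAndCache(result.artifact, result.contentHash);
+}
+/**
+* Fetch and validate the artifact without decrypting.
+* Stores the validated envelope in the encryptedStore for on-demand decryption.
+* Used in JIT mode (cacheTtl = 0).
+*/
+async fetchAndValidate() {
+const result = await this.fetchRaw();
+if (!result)
+return; // short-circuited (unchanged hash)
+const artifact = this.validateArtifact(result.artifact);
+this.options.encryptedStore.swap(artifact);
+this.lastRevision = artifact.revision;
+this.lastContentHash = result.contentHash ?? null;
+this.lastExpiresAt = artifact.expiresAt ?? null;
+this.options.onRefresh?.(artifact.revision);
+this.telemetry?.artifactRefreshed({
+revision: artifact.revision,
+keyCount: artifact.keys.length,
+kmsEnvelope: !!artifact.envelope,
+});
+}
+/**
+* Fetch the raw artifact from the source (with disk cache fallback),
+* parse JSON, and check for revocation.
+*
+* Returns null when the content hash is unchanged (short-circuit).
+*/
+async fetchRaw() {
 let raw;
 let contentHash;
 try {
@@ -71,7 +122,7 @@ class ArtifactPoller {
 contentHash = result.contentHash;
 // Content-hash short-circuit: skip parse+decrypt if unchanged
 if (contentHash && contentHash === this.lastContentHash)
-return;
+return null;
 // Write to disk cache on successful fetch
 this.options.diskCache?.write(raw, contentHash);
 }
@@ -85,8 +136,8 @@ class ArtifactPoller {
 if (this.options.diskCache) {
 const cached = this.options.diskCache.read();
 if (cached) {
-// Check if disk cache has also expired
-if (ttl !== undefined) {
+// Check if disk cache has also expired (skip TTL check in JIT mode)
+if (ttl !== undefined && ttl > 0) {
 const fetchedAt = this.options.diskCache.getFetchedAt();
 if (fetchedAt && (Date.now() - new Date(fetchedAt).getTime()) / 1000 > ttl) {
 this.options.cache.wipe();
@@ -102,11 +153,11 @@ class ArtifactPoller {
 contentHash = this.options.diskCache.getCachedSha();
 // If the cached hash matches, still skip
 if (contentHash && contentHash === this.lastContentHash)
-return;
+return null;
 }
 else {
-// No disk cache content — check in-memory TTL
-if (ttl !== undefined && this.options.cache.isExpired(ttl)) {
+// No disk cache content — check in-memory TTL (skip in JIT mode)
+if (ttl !== undefined && ttl > 0 && this.options.cache.isExpired(ttl)) {
 this.options.cache.wipe();
 this.telemetry?.cacheExpired({
 cacheTtlSeconds: ttl,
@@ -118,8 +169,8 @@ class ArtifactPoller {
 }
 }
 else {
-// No disk cache configured — check in-memory TTL
-if (ttl !== undefined && this.options.cache.isExpired(ttl)) {
+// No disk cache configured — check in-memory TTL (skip in JIT mode)
+if (ttl !== undefined && ttl > 0 && this.options.cache.isExpired(ttl)) {
 this.options.cache.wipe();
 this.telemetry?.cacheExpired({
 cacheTtlSeconds: ttl,
@@ -130,11 +181,11 @@ class ArtifactPoller {
 throw err;
 }
 }
-// Check for revocation before full validation — a revoked artifact
-// won't have ciphertext/revision fields.
 const parsed = JSON.parse(raw);
+// Check for revocation before full validation
 if (parsed.revokedAt) {
 this.options.cache.wipe();
+this.options.encryptedStore?.wipe();
 this.options.diskCache?.purge();
 this.lastRevision = null;
 this.lastContentHash = null;
@@ -143,18 +194,18 @@ class ArtifactPoller {
 });
 throw new Error(`Artifact revoked: ${parsed.identity}/${parsed.environment} at ${parsed.revokedAt}`);
 }
-
-await this.validateDecryptAndCache(raw, contentHash);
+return { artifact: parsed, contentHash };
 }
 /**
-* Validate the artifact
-*
-*
+* Validate the artifact envelope: version, required fields, expiry,
+* revision dedup, integrity hash, and signature.
+* Emits `artifact.invalid` / `artifact.expired` telemetry on failure.
+* Returns the validated artifact, or throws.
 */
-
+validateArtifact(parsed) {
 let artifact;
 try {
-artifact = this.
+artifact = this.validateEnvelope(parsed);
 }
 catch (err) {
 this.telemetry?.artifactInvalid({
@@ -166,13 +217,14 @@ class ArtifactPoller {
 // Check artifact-level expiry
 if (artifact.expiresAt && Date.now() > new Date(artifact.expiresAt).getTime()) {
 this.options.cache.wipe();
+this.options.encryptedStore?.wipe();
 this.options.diskCache?.purge();
 this.telemetry?.artifactExpired({ expiresAt: artifact.expiresAt });
 throw new Error(`Artifact expired at ${artifact.expiresAt}`);
 }
 // Skip if revision unchanged
 if (artifact.revision === this.lastRevision)
-return;
+return artifact;
 // Verify integrity
 const hash = crypto.createHash("sha256").update(artifact.ciphertext).digest("hex");
 if (hash !== artifact.ciphertextHash) {
@@ -183,65 +235,72 @@ class ArtifactPoller {
 });
 throw err;
 }
-//
-
-
-
+// Verify signature when a verify key is configured (hard reject)
+if (this.options.verifyKey) {
+if (!artifact.signature) {
+const err = new Error("Artifact signature verification failed: artifact is unsigned but a verify key is configured. " +
+"Only signed artifacts are accepted when signature verification is enabled.");
+this.telemetry?.artifactInvalid({
+reason: "signature_missing",
+error: err.message,
+});
+throw err;
+}
+const payload = (0, signature_1.buildSigningPayload)(artifact);
+let valid;
 try {
-
-const wrappedKey = Buffer.from(artifact.envelope.wrappedKey, "base64");
-const unwrapped = await kms.unwrap(artifact.envelope.keyId, wrappedKey, artifact.envelope.algorithm);
-// Note: unwrapped Buffer is zeroed below, but the resulting JS string is
-// immutable and cannot be cleared (inherent V8/Node.js limitation). Accepted risk.
-agePrivateKey = unwrapped.toString("utf-8");
-unwrapped.fill(0);
+valid = (0, signature_1.verifySignature)(payload, artifact.signature, this.options.verifyKey);
 }
-catch (
+catch (sigErr) {
+const err = new Error(`Artifact signature verification error: ${sigErr instanceof Error ? sigErr.message : String(sigErr)}`);
 this.telemetry?.artifactInvalid({
-reason: "
-error: err
+reason: "signature_error",
+error: err.message,
 });
 throw err;
 }
-
-
-
-if (!this.options.privateKey) {
-throw new Error("Artifact requires an age private key. Set CLEF_AGENT_AGE_KEY or use KMS envelope encryption.");
-}
-agePrivateKey = this.options.privateKey;
-}
-// Decrypt
-try {
-const plaintext = await this.decryptor.decrypt(artifact.ciphertext, agePrivateKey);
-const values = JSON.parse(plaintext);
-// Atomic swap
-this.options.cache.swap(values, artifact.keys, artifact.revision);
-this.lastRevision = artifact.revision;
-this.lastContentHash = contentHash ?? null;
-this.lastExpiresAt = artifact.expiresAt ?? null;
-this.options.onRefresh?.(artifact.revision);
-this.telemetry?.artifactRefreshed({
-revision: artifact.revision,
-keyCount: artifact.keys.length,
-kmsEnvelope: !!artifact.envelope,
-});
-}
-catch (err) {
-// Don't double-emit for errors already classified above
-if (err instanceof Error && !err.message.includes("integrity check failed")) {
+if (!valid) {
+const err = new Error("Artifact signature verification failed: signature does not match the verify key. " +
+"The artifact may have been tampered with or signed by a different key.");
 this.telemetry?.artifactInvalid({
-reason:
+reason: "signature_invalid",
 error: err.message,
 });
+throw err;
 }
-throw err;
 }
+return artifact;
+}
+/**
+* Validate then decrypt and cache. Used by fetchAndDecrypt (cached mode).
+*/
+async validateDecryptAndCache(parsed, contentHash) {
+const artifact = this.validateArtifact(parsed);
+// Skip if revision unchanged (validateArtifact returns but doesn't throw)
+if (artifact.revision === this.lastRevision)
+return;
+// Delegate decryption to the ArtifactDecryptor
+const { values } = await this.decryptor.decrypt(artifact);
+// Atomic swap
+this.options.cache.swap(values, artifact.keys, artifact.revision);
+this.lastRevision = artifact.revision;
+this.lastContentHash = contentHash ?? null;
+this.lastExpiresAt = artifact.expiresAt ?? null;
+this.options.onRefresh?.(artifact.revision);
+this.telemetry?.artifactRefreshed({
+revision: artifact.revision,
+keyCount: artifact.keys.length,
+kmsEnvelope: !!artifact.envelope,
+});
 }
 /** Start the polling loop. Performs an initial fetch immediately. */
 async start() {
-
-
+if (this.jitMode) {
+await this.fetchAndValidate();
+}
+else {
+await this.fetchAndDecrypt();
+}
 this.scheduleNext();
 }
 /** Start only the polling schedule (no initial fetch). */
@@ -267,7 +326,12 @@ class ArtifactPoller {
 this.timer = setTimeout(async () => {
 this.timer = null;
 try {
-
+if (this.jitMode) {
+await this.fetchAndValidate();
+}
+else {
+await this.fetchAndDecrypt();
+}
 }
 catch (err) {
 this.options.onError?.(err instanceof Error ? err : new Error(String(err)));
@@ -286,6 +350,9 @@ class ArtifactPoller {
 // Already expired — poll immediately (with floor)
 return MIN_POLL_MS;
 }
+// JIT mode: 5s interval for fast recovery after rotate + re-enable IAM
+if (this.jitMode)
+return MIN_POLL_MS;
 // Fallback: derive from cacheTtl (default 30s if no TTL configured)
 const ttl = this.options.cacheTtl;
 if (ttl !== undefined) {
@@ -293,8 +360,7 @@ class ArtifactPoller {
 }
 return 30_000;
 }
-
-const artifact = JSON.parse(raw);
+validateEnvelope(artifact) {
 if (artifact.version !== 1) {
 throw new Error(`Unsupported artifact version: ${artifact.version}`);
 }
@@ -305,7 +371,9 @@ class ArtifactPoller {
 if (!artifact.envelope.provider ||
 !artifact.envelope.keyId ||
 !artifact.envelope.wrappedKey ||
-!artifact.envelope.algorithm
+!artifact.envelope.algorithm ||
+!artifact.envelope.iv ||
+!artifact.envelope.authTag) {
 throw new Error("Invalid artifact: incomplete envelope fields.");
 }
 }
@@ -324,6 +392,8 @@ function classifyValidationError(err) {
 return "missing_fields";
 if (msg.includes("incomplete envelope"))
 return "incomplete_envelope";
+if (msg.includes("signature"))
+return "signature";
 return "unknown";
 }
 //# sourceMappingURL=poller.js.map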
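Review bot: In `validateArtifact` the early return `if (artifact.revision === this.lastRevision) return artifact;` sits above both the ciphertext hash check and the new signature block, and `fetchAndValidate` hands whatever it gets back straight to `this.options.encryptedStore.swap(artifact)`. In JIT mode an artifact whose bytes changed (so `fetchRaw` did not short-circuit on the content hash) but whose `revision` equals the last accepted one therefore reaches the encrypted store with neither integrity nor signature verification. The cached path is protected only because `validateDecryptAndCache` repeats the revision comparison and returns. Either move the revision dedup below the signature block, or add `if (artifact.revision === this.lastRevision) return;` before the `swap` call in `fetchAndValidate`. Whether `ArtifactDecryptor.decrypt` re-verifies the envelope is not visible in this file, so it should not be counted on as a second check until confirmed.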
package/dist/poller.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"poller.js","sourceRoot":"","sources":["../src/poller.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,+CAAiC;AAEjC,uCAAyC;AAGzC,+BAA0C;AA+C1C;;;GAGG;AACH,wEAAwE;AACxE,MAAM,WAAW,GAAG,KAAK,CAAC;AAE1B,MAAa,cAAc;IACjB,KAAK,GAAyC,IAAI,CAAC;IACnD,eAAe,GAAkB,IAAI,CAAC;IACtC,YAAY,GAAkB,IAAI,CAAC;IACnC,aAAa,GAAkB,IAAI,CAAC;IAC3B,SAAS,GAAG,IAAI,sBAAY,EAAE,CAAC;IAC/B,OAAO,CAAgB;IAChC,iBAAiB,CAAoB;IAE7C,YAAY,OAAsB;QAChC,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;IACzB,CAAC;IAED,sFAAsF;IACtF,YAAY,CAAC,OAAyB;QACpC,IAAI,CAAC,iBAAiB,GAAG,OAAO,CAAC;IACnC,CAAC;IAED,IAAY,SAAS;QACnB,OAAO,IAAI,CAAC,iBAAiB,IAAI,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC;IAC1D,CAAC;IAED,wDAAwD;IACxD,KAAK,CAAC,eAAe;QACnB,IAAI,GAAW,CAAC;QAChB,IAAI,WAA+B,CAAC;QAEpC,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;YACjD,GAAG,GAAG,MAAM,CAAC,GAAG,CAAC;YACjB,WAAW,GAAG,MAAM,CAAC,WAAW,CAAC;YAEjC,8DAA8D;YAC9D,IAAI,WAAW,IAAI,WAAW,KAAK,IAAI,CAAC,eAAe;gBAAE,OAAO;YAEhE,0CAA0C;YAC1C,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,KAAK,CAAC,GAAG,EAAE,WAAW,CAAC,CAAC;QAClD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,CAAC,SAAS,EAAE,WAAW,CAAC;gBAC1B,KAAK,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;gBACvD,kBAAkB,EAAE,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,IAAI,EAAE;aACrD,CAAC,CAAC;YAEH,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC;YAClC,8BAA8B;YAC9B,IAAI,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,CAAC;gBAC3B,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC;gBAC7C,IAAI,MAAM,EAAE,CAAC;oBACX,uCAAuC;oBACvC,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;wBACtB,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,YAAY,EAAE,CAAC;wBACxD,IAAI,SAAS,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,IAAI,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,CAAC,GAAG,IAAI,GAAG,GAAG,EAAE,CAAC;4BAC3E,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;4BAC1B,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,CAAC;4BAC/B,IAAI,CAAC,SAAS,EAAE,YAAY,CAAC;gCAC3B,eAAe,EAAE,GAAG;gCACpB,eAAe,EAAE,IAAI;6BACtB,CAAC,CAAC;4BACH,MAAM,IAAI,KAAK,CAAC,yDAAyD,CAAC,CAAC;w
BAC7E,CAAC;oBACH,CAAC;oBACD,GAAG,GAAG,MAAM,CAAC;oBACb,WAAW,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,YAAY,EAAE,CAAC;oBACpD,yCAAyC;oBACzC,IAAI,WAAW,IAAI,WAAW,KAAK,IAAI,CAAC,eAAe;wBAAE,OAAO;gBAClE,CAAC;qBAAM,CAAC;oBACN,8CAA8C;oBAC9C,IAAI,GAAG,KAAK,SAAS,IAAI,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE,CAAC;wBAC3D,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;wBAC1B,IAAI,CAAC,SAAS,EAAE,YAAY,CAAC;4BAC3B,eAAe,EAAE,GAAG;4BACpB,eAAe,EAAE,KAAK;yBACvB,CAAC,CAAC;wBACH,MAAM,IAAI,KAAK,CAAC,yDAAyD,CAAC,CAAC;oBAC7E,CAAC;oBACD,MAAM,GAAG,CAAC;gBACZ,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,iDAAiD;gBACjD,IAAI,GAAG,KAAK,SAAS,IAAI,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE,CAAC;oBAC3D,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;oBAC1B,IAAI,CAAC,SAAS,EAAE,YAAY,CAAC;wBAC3B,eAAe,EAAE,GAAG;wBACpB,eAAe,EAAE,KAAK;qBACvB,CAAC,CAAC;oBACH,MAAM,IAAI,KAAK,CAAC,yDAAyD,CAAC,CAAC;gBAC7E,CAAC;gBACD,MAAM,GAAG,CAAC;YACZ,CAAC;QACH,CAAC;QAED,mEAAmE;QACnE,yCAAyC;QACzC,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAA4B,CAAC;QAC1D,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;YACrB,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;YAC1B,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,KAAK,EAAE,CAAC;YAChC,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC;YACzB,IAAI,CAAC,eAAe,GAAG,IAAI,CAAC;YAC5B,IAAI,CAAC,SAAS,EAAE,eAAe,CAAC;gBAC9B,SAAS,EAAE,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC;aACpC,CAAC,CAAC;YACH,MAAM,IAAI,KAAK,CACb,qBAAqB,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC,WAAW,OAAO,MAAM,CAAC,SAAS,EAAE,CACpF,CAAC;QACJ,CAAC;QAED,sEAAsE;QACtE,MAAM,IAAI,CAAC,uBAAuB,CAAC,GAAG,EAAE,WAAW,CAAC,CAAC;IACvD,CAAC;IAED;;;;OAIG;IACK,KAAK,CAAC,uBAAuB,CACnC,GAAW,EACX,WAA+B;QAE/B,IAAI,QAA0B,CAAC;QAC/B,IAAI,CAAC;YACH,QAAQ,GAAG,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC;QACxC,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,CAAC,SAAS,EAAE,eAAe,CAAC;gBAC9B,MAAM,EAAE,uBAAuB,CAAC,GAAG,CAAC;gBACpC,KAAK,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;aACxD,CAAC,CAAC;YACH,MAAM,GAAG,CAAC;QACZ,CAAC;QAED,8BAA8B;QAC9B,IAAI,QAAQ,CAAC,SAAS,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,IAAI,CAAC,QAAQ,CAAC,SAAS
,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC;YAC9E,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;YAC1B,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,KAAK,EAAE,CAAC;YAChC,IAAI,CAAC,SAAS,EAAE,eAAe,CAAC,EAAE,SAAS,EAAE,QAAQ,CAAC,SAAS,EAAE,CAAC,CAAC;YACnE,MAAM,IAAI,KAAK,CAAC,uBAAuB,QAAQ,CAAC,SAAS,EAAE,CAAC,CAAC;QAC/D,CAAC;QAED,6BAA6B;QAC7B,IAAI,QAAQ,CAAC,QAAQ,KAAK,IAAI,CAAC,YAAY;YAAE,OAAO;QAEpD,mBAAmB;QACnB,MAAM,IAAI,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACnF,IAAI,IAAI,KAAK,QAAQ,CAAC,cAAc,EAAE,CAAC;YACrC,MAAM,GAAG,GAAG,IAAI,KAAK,CACnB,kDAAkD,QAAQ,CAAC,cAAc,SAAS,IAAI,EAAE,CACzF,CAAC;YACF,IAAI,CAAC,SAAS,EAAE,eAAe,CAAC;gBAC9B,MAAM,EAAE,WAAW;gBACnB,KAAK,EAAE,GAAG,CAAC,OAAO;aACnB,CAAC,CAAC;YACH,MAAM,GAAG,CAAC;QACZ,CAAC;QAED,8BAA8B;QAC9B,IAAI,aAAqB,CAAC;QAC1B,IAAI,QAAQ,CAAC,QAAQ,EAAE,CAAC;YACtB,yDAAyD;YACzD,IAAI,CAAC;gBACH,MAAM,GAAG,GAAG,IAAA,uBAAiB,EAAC,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;gBAC1D,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC;gBACvE,MAAM,SAAS,GAAG,MAAM,GAAG,CAAC,MAAM,CAChC,QAAQ,CAAC,QAAQ,CAAC,KAAK,EACvB,UAAU,EACV,QAAQ,CAAC,QAAQ,CAAC,SAAS,CAC5B,CAAC;gBACF,yEAAyE;gBACzE,mFAAmF;gBACnF,aAAa,GAAG,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;gBAC5C,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YACpB,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,IAAI,CAAC,SAAS,EAAE,eAAe,CAAC;oBAC9B,MAAM,EAAE,YAAY;oBACpB,KAAK,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;iBACxD,CAAC,CAAC;gBACH,MAAM,GAAG,CAAC;YACZ,CAAC;QACH,CAAC;aAAM,CAAC;YACN,4EAA4E;YAC5E,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,UAAU,EAAE,CAAC;gBAC7B,MAAM,IAAI,KAAK,CACb,8FAA8F,CAC/F,CAAC;YACJ,CAAC;YACD,aAAa,GAAG,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC;QAC1C,CAAC;QAED,UAAU;QACV,IAAI,CAAC;YACH,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,QAAQ,CAAC,UAAU,EAAE,aAAa,CAAC,CAAC;YACnF,MAAM,MAAM,GAA2B,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;YAE7D,cAAc;YACd,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAC,QAAQ,CAAC,CAAC;YAClE,IAAI,CAAC,YAAY,GAAG,QA
AQ,CAAC,QAAQ,CAAC;YACtC,IAAI,CAAC,eAAe,GAAG,WAAW,IAAI,IAAI,CAAC;YAC3C,IAAI,CAAC,aAAa,GAAG,QAAQ,CAAC,SAAS,IAAI,IAAI,CAAC;YAChD,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;YAC5C,IAAI,CAAC,SAAS,EAAE,iBAAiB,CAAC;gBAChC,QAAQ,EAAE,QAAQ,CAAC,QAAQ;gBAC3B,QAAQ,EAAE,QAAQ,CAAC,IAAI,CAAC,MAAM;gBAC9B,WAAW,EAAE,CAAC,CAAC,QAAQ,CAAC,QAAQ;aACjC,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,wDAAwD;YACxD,IAAI,GAAG,YAAY,KAAK,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,wBAAwB,CAAC,EAAE,CAAC;gBAC5E,IAAI,CAAC,SAAS,EAAE,eAAe,CAAC;oBAC9B,MAAM,EAAE,GAAG,YAAY,WAAW,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,SAAS;oBAChE,KAAK,EAAE,GAAG,CAAC,OAAO;iBACnB,CAAC,CAAC;YACL,CAAC;YACD,MAAM,GAAG,CAAC;QACZ,CAAC;IACH,CAAC;IAED,qEAAqE;IACrE,KAAK,CAAC,KAAK;QACT,qDAAqD;QACrD,MAAM,IAAI,CAAC,eAAe,EAAE,CAAC;QAC7B,IAAI,CAAC,YAAY,EAAE,CAAC;IACtB,CAAC;IAED,0DAA0D;IAC1D,YAAY;QACV,IAAI,IAAI,CAAC,KAAK;YAAE,OAAO;QACvB,IAAI,CAAC,YAAY,EAAE,CAAC;IACtB,CAAC;IAED,6BAA6B;IAC7B,IAAI;QACF,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YACf,YAAY,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACzB,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC;QACpB,CAAC;IACH,CAAC;IAED,+CAA+C;IAC/C,SAAS;QACP,OAAO,IAAI,CAAC,KAAK,KAAK,IAAI,CAAC;IAC7B,CAAC;IAED,wDAAwD;IAChD,YAAY;QAClB,MAAM,OAAO,GAAG,IAAI,CAAC,iBAAiB,EAAE,CAAC;QACzC,IAAI,CAAC,KAAK,GAAG,UAAU,CAAC,KAAK,IAAI,EAAE;YACjC,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC;YAClB,IAAI,CAAC;gBACH,MAAM,IAAI,CAAC,eAAe,EAAE,CAAC;YAC/B,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YAC9E,CAAC;YACD,IAAI,CAAC,YAAY,EAAE,CAAC;QACtB,CAAC,EAAE,OAAO,CAAC,CAAC;IACd,CAAC;IAED,yFAAyF;IACjF,iBAAiB;QACvB,qEAAqE;QACrE,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;YACvB,MAAM,WAAW,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YACxE,IAAI,WAAW,GAAG,CAAC,EAAE,CAAC;gBACpB,OAAO,IAAI,CAAC,GAAG,CAAC,WAAW,GAAG,GAAG,EAAE,WAAW,CAAC,CAAC;YAClD,CAAC;YACD,kDAAkD;YAClD,OAAO,WAAW,CAAC;QACrB,CAAC;QACD,oEAAoE;QACpE,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO
,CAAC,QAAQ,CAAC;QAClC,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;YACtB,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,GAAG,EAAE,CAAC,GAAG,IAAI,EAAE,WAAW,CAAC,CAAC;QAClD,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IAEO,gBAAgB,CAAC,GAAW;QAClC,MAAM,QAAQ,GAAqB,IAAI,CAAC,KAAK,CAAC,GAAG,CAAqB,CAAC;QAEvE,IAAI,QAAQ,CAAC,OAAO,KAAK,CAAC,EAAE,CAAC;YAC3B,MAAM,IAAI,KAAK,CAAC,iCAAiC,QAAQ,CAAC,OAAO,EAAE,CAAC,CAAC;QACvE,CAAC;QACD,IAAI,CAAC,QAAQ,CAAC,UAAU,IAAI,CAAC,QAAQ,CAAC,QAAQ,IAAI,CAAC,QAAQ,CAAC,cAAc,EAAE,CAAC;YAC3E,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;QAChE,CAAC;QACD,IAAI,QAAQ,CAAC,QAAQ,EAAE,CAAC;YACtB,IACE,CAAC,QAAQ,CAAC,QAAQ,CAAC,QAAQ;gBAC3B,CAAC,QAAQ,CAAC,QAAQ,CAAC,KAAK;gBACxB,CAAC,QAAQ,CAAC,QAAQ,CAAC,UAAU;gBAC7B,CAAC,QAAQ,CAAC,QAAQ,CAAC,SAAS,EAC5B,CAAC;gBACD,MAAM,IAAI,KAAK,CAAC,+CAA+C,CAAC,CAAC;YACnE,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF;AAzSD,wCAySC;AAED,wFAAwF;AACxF,SAAS,uBAAuB,CAAC,GAAY;IAC3C,IAAI,GAAG,YAAY,WAAW;QAAE,OAAO,YAAY,CAAC;IACpD,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC;IACpD,IAAI,GAAG,CAAC,QAAQ,CAAC,8BAA8B,CAAC;QAAE,OAAO,qBAAqB,CAAC;IAC/E,IAAI,GAAG,CAAC,QAAQ,CAAC,yBAAyB,CAAC;QAAE,OAAO,gBAAgB,CAAC;IACrE,IAAI,GAAG,CAAC,QAAQ,CAAC,qBAAqB,CAAC;QAAE,OAAO,qBAAqB,CAAC;IACtE,OAAO,SAAS,CAAC;AACnB,CAAC"}
|
|
1
|
+
{"version":3,"file":"poller.js","sourceRoot":"","sources":["../src/poller.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,+CAAiC;AAKjC,6DAAyD;AAEzD,2CAAmE;AA6DnE;;;;;;;GAOG;AACH,wEAAwE;AACxE,MAAM,WAAW,GAAG,KAAK,CAAC;AAE1B,MAAa,cAAc;IACjB,KAAK,GAAyC,IAAI,CAAC;IACnD,eAAe,GAAkB,IAAI,CAAC;IACtC,YAAY,GAAkB,IAAI,CAAC;IACnC,aAAa,GAAkB,IAAI,CAAC;IAC3B,SAAS,CAAoB;IAC7B,OAAO,CAAgB;IACvB,OAAO,CAAU;IAC1B,iBAAiB,CAAoB;IAE7C,YAAY,OAAsB;QAChC,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;QACvB,IAAI,CAAC,OAAO,GAAG,CAAC,CAAC,OAAO,CAAC,cAAc,CAAC;QACxC,IAAI,CAAC,SAAS,GAAG,IAAI,sCAAiB,CAAC;YACrC,UAAU,EAAE,OAAO,CAAC,UAAU;YAC9B,SAAS,EAAE,OAAO,CAAC,SAAS;SAC7B,CAAC,CAAC;IACL,CAAC;IAED,+DAA+D;IAC/D,YAAY;QACV,OAAO,IAAI,CAAC,SAAS,CAAC;IACxB,CAAC;IAED,sFAAsF;IACtF,YAAY,CAAC,OAAyB;QACpC,IAAI,CAAC,iBAAiB,GAAG,OAAO,CAAC;QACjC,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC;IACvC,CAAC;IAED,IAAY,SAAS;QACnB,OAAO,IAAI,CAAC,iBAAiB,IAAI,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC;IAC1D,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,eAAe;QACnB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,QAAQ,EAAE,CAAC;QACrC,IAAI,CAAC,MAAM;YAAE,OAAO,CAAC,mCAAmC;QACxD,MAAM,IAAI,CAAC,uBAAuB,CAAC,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAC,WAAW,CAAC,CAAC;IAC1E,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,gBAAgB;QACpB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,QAAQ,EAAE,CAAC;QACrC,IAAI,CAAC,MAAM;YAAE,OAAO,CAAC,mCAAmC;QAExD,MAAM,QAAQ,GAAG,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QAExD,IAAI,CAAC,OAAO,CAAC,cAAe,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAC5C,IAAI,CAAC,YAAY,GAAG,QAAQ,CAAC,QAAQ,CAAC;QACtC,IAAI,CAAC,eAAe,GAAG,MAAM,CAAC,WAAW,IAAI,IAAI,CAAC;QAClD,IAAI,CAAC,aAAa,GAAG,QAAQ,CAAC,SAAS,IAAI,IAAI,CAAC;QAChD,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QAC5C,IAAI,CAAC,SAAS,EAAE,iBAAiB,CAAC;YAChC,QAAQ,EAAE,QAAQ,CAAC,QAAQ;YAC3B,QAAQ,EAAE,QAAQ,CAAC,IAAI,CAAC,MAAM;YAC9B,WAAW,EAAE,CAAC,CAAC,QAAQ,CAAC,QAAQ;SACjC,CAAC,CAAC;IACL,CAAC;IAED;;;;;OAKG;IACK,KAAK,CAAC,QAAQ;QAIpB,IAAI,GAAW,CAAC;QAChB,IAAI,WAA+B,CAAC;QAEpC,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;YACjD,
GAAG,GAAG,MAAM,CAAC,GAAG,CAAC;YACjB,WAAW,GAAG,MAAM,CAAC,WAAW,CAAC;YAEjC,8DAA8D;YAC9D,IAAI,WAAW,IAAI,WAAW,KAAK,IAAI,CAAC,eAAe;gBAAE,OAAO,IAAI,CAAC;YAErE,0CAA0C;YAC1C,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,KAAK,CAAC,GAAG,EAAE,WAAW,CAAC,CAAC;QAClD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,CAAC,SAAS,EAAE,WAAW,CAAC;gBAC1B,KAAK,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;gBACvD,kBAAkB,EAAE,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,IAAI,EAAE;aACrD,CAAC,CAAC;YAEH,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC;YAClC,8BAA8B;YAC9B,IAAI,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,CAAC;gBAC3B,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC;gBAC7C,IAAI,MAAM,EAAE,CAAC;oBACX,oEAAoE;oBACpE,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,GAAG,CAAC,EAAE,CAAC;wBACjC,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,YAAY,EAAE,CAAC;wBACxD,IAAI,SAAS,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,IAAI,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,CAAC,GAAG,IAAI,GAAG,GAAG,EAAE,CAAC;4BAC3E,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;4BAC1B,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,KAAK,EAAE,CAAC;4BAC/B,IAAI,CAAC,SAAS,EAAE,YAAY,CAAC;gCAC3B,eAAe,EAAE,GAAG;gCACpB,eAAe,EAAE,IAAI;6BACtB,CAAC,CAAC;4BACH,MAAM,IAAI,KAAK,CAAC,yDAAyD,CAAC,CAAC;wBAC7E,CAAC;oBACH,CAAC;oBACD,GAAG,GAAG,MAAM,CAAC;oBACb,WAAW,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,YAAY,EAAE,CAAC;oBACpD,yCAAyC;oBACzC,IAAI,WAAW,IAAI,WAAW,KAAK,IAAI,CAAC,eAAe;wBAAE,OAAO,IAAI,CAAC;gBACvE,CAAC;qBAAM,CAAC;oBACN,iEAAiE;oBACjE,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,GAAG,CAAC,IAAI,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE,CAAC;wBACtE,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;wBAC1B,IAAI,CAAC,SAAS,EAAE,YAAY,CAAC;4BAC3B,eAAe,EAAE,GAAG;4BACpB,eAAe,EAAE,KAAK;yBACvB,CAAC,CAAC;wBACH,MAAM,IAAI,KAAK,CAAC,yDAAyD,CAAC,CAAC;oBAC7E,CAAC;oBACD,MAAM,GAAG,CAAC;gBACZ,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,oEAAoE;gBACpE,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,GAAG,CAAC,IAAI,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE,CAAC;oBACtE,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;oBAC1B,IAAI,CAAC,SAAS,EAAE,YAA
Y,CAAC;wBAC3B,eAAe,EAAE,GAAG;wBACpB,eAAe,EAAE,KAAK;qBACvB,CAAC,CAAC;oBACH,MAAM,IAAI,KAAK,CAAC,yDAAyD,CAAC,CAAC;gBAC7E,CAAC;gBACD,MAAM,GAAG,CAAC;YACZ,CAAC;QACH,CAAC;QAED,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAA4B,CAAC;QAE1D,8CAA8C;QAC9C,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;YACrB,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;YAC1B,IAAI,CAAC,OAAO,CAAC,cAAc,EAAE,IAAI,EAAE,CAAC;YACpC,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,KAAK,EAAE,CAAC;YAChC,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC;YACzB,IAAI,CAAC,eAAe,GAAG,IAAI,CAAC;YAC5B,IAAI,CAAC,SAAS,EAAE,eAAe,CAAC;gBAC9B,SAAS,EAAE,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC;aACpC,CAAC,CAAC;YACH,MAAM,IAAI,KAAK,CACb,qBAAqB,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC,WAAW,OAAO,MAAM,CAAC,SAAS,EAAE,CACpF,CAAC;QACJ,CAAC;QAED,OAAO,EAAE,QAAQ,EAAE,MAAqC,EAAE,WAAW,EAAE,CAAC;IAC1E,CAAC;IAED;;;;;OAKG;IACK,gBAAgB,CAAC,MAAwB;QAC/C,IAAI,QAA0B,CAAC;QAC/B,IAAI,CAAC;YACH,QAAQ,GAAG,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC;QAC3C,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,CAAC,SAAS,EAAE,eAAe,CAAC;gBAC9B,MAAM,EAAE,uBAAuB,CAAC,GAAG,CAAC;gBACpC,KAAK,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;aACxD,CAAC,CAAC;YACH,MAAM,GAAG,CAAC;QACZ,CAAC;QAED,8BAA8B;QAC9B,IAAI,QAAQ,CAAC,SAAS,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC;YAC9E,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;YAC1B,IAAI,CAAC,OAAO,CAAC,cAAc,EAAE,IAAI,EAAE,CAAC;YACpC,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,KAAK,EAAE,CAAC;YAChC,IAAI,CAAC,SAAS,EAAE,eAAe,CAAC,EAAE,SAAS,EAAE,QAAQ,CAAC,SAAS,EAAE,CAAC,CAAC;YACnE,MAAM,IAAI,KAAK,CAAC,uBAAuB,QAAQ,CAAC,SAAS,EAAE,CAAC,CAAC;QAC/D,CAAC;QAED,6BAA6B;QAC7B,IAAI,QAAQ,CAAC,QAAQ,KAAK,IAAI,CAAC,YAAY;YAAE,OAAO,QAAQ,CAAC;QAE7D,mBAAmB;QACnB,MAAM,IAAI,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACnF,IAAI,IAAI,KAAK,QAAQ,CAAC,cAAc,EAAE,CAAC;YACrC,MAAM,GAAG,GAAG,IAAI,KAAK,CACnB,kDAAkD,QAAQ,CAAC,cAAc,SAAS,IAAI,EAAE,CACzF,CAAC;YACF,IAAI,CAAC,SAAS,EAAE,eAAe,CAAC;gBAC9B,MAAM,EAAE,WAAW;gBACnB,KAAK,EAAE,GAAG
,CAAC,OAAO;aACnB,CAAC,CAAC;YACH,MAAM,GAAG,CAAC;QACZ,CAAC;QAED,iEAAiE;QACjE,IAAI,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,CAAC;YAC3B,IAAI,CAAC,QAAQ,CAAC,SAAS,EAAE,CAAC;gBACxB,MAAM,GAAG,GAAG,IAAI,KAAK,CACnB,+FAA+F;oBAC7F,4EAA4E,CAC/E,CAAC;gBACF,IAAI,CAAC,SAAS,EAAE,eAAe,CAAC;oBAC9B,MAAM,EAAE,mBAAmB;oBAC3B,KAAK,EAAE,GAAG,CAAC,OAAO;iBACnB,CAAC,CAAC;gBACH,MAAM,GAAG,CAAC;YACZ,CAAC;YAED,MAAM,OAAO,GAAG,IAAA,+BAAmB,EAAC,QAAQ,CAAC,CAAC;YAC9C,IAAI,KAAc,CAAC;YACnB,IAAI,CAAC;gBACH,KAAK,GAAG,IAAA,2BAAe,EAAC,OAAO,EAAE,QAAQ,CAAC,SAAS,EAAE,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;YAC/E,CAAC;YAAC,OAAO,MAAM,EAAE,CAAC;gBAChB,MAAM,GAAG,GAAG,IAAI,KAAK,CACnB,0CAA0C,MAAM,YAAY,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,CACtG,CAAC;gBACF,IAAI,CAAC,SAAS,EAAE,eAAe,CAAC;oBAC9B,MAAM,EAAE,iBAAiB;oBACzB,KAAK,EAAE,GAAG,CAAC,OAAO;iBACnB,CAAC,CAAC;gBACH,MAAM,GAAG,CAAC;YACZ,CAAC;YAED,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,MAAM,GAAG,GAAG,IAAI,KAAK,CACnB,mFAAmF;oBACjF,wEAAwE,CAC3E,CAAC;gBACF,IAAI,CAAC,SAAS,EAAE,eAAe,CAAC;oBAC9B,MAAM,EAAE,mBAAmB;oBAC3B,KAAK,EAAE,GAAG,CAAC,OAAO;iBACnB,CAAC,CAAC;gBACH,MAAM,GAAG,CAAC;YACZ,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,uBAAuB,CACnC,MAAwB,EACxB,WAA+B;QAE/B,MAAM,QAAQ,GAAG,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC;QAE/C,0EAA0E;QAC1E,IAAI,QAAQ,CAAC,QAAQ,KAAK,IAAI,CAAC,YAAY;YAAE,OAAO;QAEpD,+CAA+C;QAC/C,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;QAE1D,cAAc;QACd,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAC,QAAQ,CAAC,CAAC;QAClE,IAAI,CAAC,YAAY,GAAG,QAAQ,CAAC,QAAQ,CAAC;QACtC,IAAI,CAAC,eAAe,GAAG,WAAW,IAAI,IAAI,CAAC;QAC3C,IAAI,CAAC,aAAa,GAAG,QAAQ,CAAC,SAAS,IAAI,IAAI,CAAC;QAChD,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QAC5C,IAAI,CAAC,SAAS,EAAE,iBAAiB,CAAC;YAChC,QAAQ,EAAE,QAAQ,CAAC,QAAQ;YAC3B,QAAQ,EAAE,QAAQ,CAAC,IAAI,CAAC,MAAM;YAC9B,WAAW,EAAE,CAAC,CAAC,QAAQ,CAAC,QAAQ;SACjC,CAAC,CAAC;IACL,CAAC;IAED,qEAAqE;IACrE,KAAK,CAAC,KAAK;QACT,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YAC
jB,MAAM,IAAI,CAAC,gBAAgB,EAAE,CAAC;QAChC,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,CAAC,eAAe,EAAE,CAAC;QAC/B,CAAC;QACD,IAAI,CAAC,YAAY,EAAE,CAAC;IACtB,CAAC;IAED,0DAA0D;IAC1D,YAAY;QACV,IAAI,IAAI,CAAC,KAAK;YAAE,OAAO;QACvB,IAAI,CAAC,YAAY,EAAE,CAAC;IACtB,CAAC;IAED,6BAA6B;IAC7B,IAAI;QACF,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YACf,YAAY,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACzB,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC;QACpB,CAAC;IACH,CAAC;IAED,+CAA+C;IAC/C,SAAS;QACP,OAAO,IAAI,CAAC,KAAK,KAAK,IAAI,CAAC;IAC7B,CAAC;IAED,wDAAwD;IAChD,YAAY;QAClB,MAAM,OAAO,GAAG,IAAI,CAAC,iBAAiB,EAAE,CAAC;QACzC,IAAI,CAAC,KAAK,GAAG,UAAU,CAAC,KAAK,IAAI,EAAE;YACjC,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC;YAClB,IAAI,CAAC;gBACH,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;oBACjB,MAAM,IAAI,CAAC,gBAAgB,EAAE,CAAC;gBAChC,CAAC;qBAAM,CAAC;oBACN,MAAM,IAAI,CAAC,eAAe,EAAE,CAAC;gBAC/B,CAAC;YACH,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YAC9E,CAAC;YACD,IAAI,CAAC,YAAY,EAAE,CAAC;QACtB,CAAC,EAAE,OAAO,CAAC,CAAC;IACd,CAAC;IAED,yFAAyF;IACjF,iBAAiB;QACvB,qEAAqE;QACrE,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;YACvB,MAAM,WAAW,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YACxE,IAAI,WAAW,GAAG,CAAC,EAAE,CAAC;gBACpB,OAAO,IAAI,CAAC,GAAG,CAAC,WAAW,GAAG,GAAG,EAAE,WAAW,CAAC,CAAC;YAClD,CAAC;YACD,kDAAkD;YAClD,OAAO,WAAW,CAAC;QACrB,CAAC;QACD,uEAAuE;QACvE,IAAI,IAAI,CAAC,OAAO;YAAE,OAAO,WAAW,CAAC;QACrC,oEAAoE;QACpE,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC;QAClC,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;YACtB,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,GAAG,EAAE,CAAC,GAAG,IAAI,EAAE,WAAW,CAAC,CAAC;QAClD,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IAEO,gBAAgB,CAAC,QAA0B;QACjD,IAAI,QAAQ,CAAC,OAAO,KAAK,CAAC,EAAE,CAAC;YAC3B,MAAM,IAAI,KAAK,CAAC,iCAAiC,QAAQ,CAAC,OAAO,EAAE,CAAC,CAAC;QACvE,CAAC;QACD,IAAI,CAAC,QAAQ,CAAC,UAAU,IAAI,CAAC,QAAQ,CAAC,QAAQ,IAAI,CAAC,QAAQ,CAAC,cAAc,EAAE,CAAC;YAC3E,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;QAChE,CAAC;QACD,IAAI,QAAQ,CAAC,QAAQ,EAAE,CAAC;YACtB,IAC
E,CAAC,QAAQ,CAAC,QAAQ,CAAC,QAAQ;gBAC3B,CAAC,QAAQ,CAAC,QAAQ,CAAC,KAAK;gBACxB,CAAC,QAAQ,CAAC,QAAQ,CAAC,UAAU;gBAC7B,CAAC,QAAQ,CAAC,QAAQ,CAAC,SAAS;gBAC5B,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE;gBACrB,CAAC,QAAQ,CAAC,QAAQ,CAAC,OAAO,EAC1B,CAAC;gBACD,MAAM,IAAI,KAAK,CAAC,+CAA+C,CAAC,CAAC;YACnE,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF;AAlXD,wCAkXC;AAED,wFAAwF;AACxF,SAAS,uBAAuB,CAAC,GAAY;IAC3C,IAAI,GAAG,YAAY,WAAW;QAAE,OAAO,YAAY,CAAC;IACpD,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC;IACpD,IAAI,GAAG,CAAC,QAAQ,CAAC,8BAA8B,CAAC;QAAE,OAAO,qBAAqB,CAAC;IAC/E,IAAI,GAAG,CAAC,QAAQ,CAAC,yBAAyB,CAAC;QAAE,OAAO,gBAAgB,CAAC;IACrE,IAAI,GAAG,CAAC,QAAQ,CAAC,qBAAqB,CAAC;QAAE,OAAO,qBAAqB,CAAC;IACtE,IAAI,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAC;QAAE,OAAO,WAAW,CAAC;IAClD,OAAO,SAAS,CAAC;AACnB,CAAC"}
|
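--- a/package/dist/secrets-cache.d.ts
+++ b/package/dist/secrets-cache.d.ts
@@ -5,7 +5,7 @@ export declare class SecretsCache {
 swap(values: Record<string, string>, keys: string[], revision: string): void;
 /** Whether the cache has exceeded the given TTL (seconds). */
 isExpired(ttlSeconds: number): boolean;
-/** Clear the cached snapshot. */
+/** Clear the cached snapshot, zeroing values first (best-effort). */
 wipe(): void;
 /** Epoch ms when the cache was last swapped, or null if never loaded. */
 getSwappedAt(): number | null;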
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"secrets-cache.d.ts","sourceRoot":"","sources":["../src/secrets-cache.ts"],"names":[],"mappings":"AAOA,0DAA0D;AAC1D,qBAAa,YAAY;IACvB,OAAO,CAAC,QAAQ,CAA8B;IAE9C,mEAAmE;IACnE,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,QAAQ,EAAE,MAAM,GAAG,IAAI;
|
|
1
|
+
{"version":3,"file":"secrets-cache.d.ts","sourceRoot":"","sources":["../src/secrets-cache.ts"],"names":[],"mappings":"AAOA,0DAA0D;AAC1D,qBAAa,YAAY;IACvB,OAAO,CAAC,QAAQ,CAA8B;IAE9C,mEAAmE;IACnE,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,QAAQ,EAAE,MAAM,GAAG,IAAI;IAW5E,8DAA8D;IAC9D,SAAS,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO;IAKtC,qEAAqE;IACrE,IAAI,IAAI,IAAI;IASZ,yEAAyE;IACzE,YAAY,IAAI,MAAM,GAAG,IAAI;IAI7B,wFAAwF;IACxF,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS;IAIpC,oEAAoE;IACpE,MAAM,IAAI,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,IAAI;IAMvC,kDAAkD;IAClD,OAAO,IAAI,MAAM,EAAE;IAKnB,gEAAgE;IAChE,WAAW,IAAI,MAAM,GAAG,IAAI;IAI5B,uDAAuD;IACvD,OAAO,IAAI,OAAO;CAGnB"}
|
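--- a/package/dist/secrets-cache.js
+++ b/package/dist/secrets-cache.js
@@ -6,6 +6,13 @@ class SecretsCache {
 snapshot = null;
 /** Replace the cached secrets in a single reference assignment. */
 swap(values, keys, revision) {
+// Zero old values before dropping the reference — defense-in-depth
+// against plaintext lingering in the heap until GC.
+if (this.snapshot) {
+for (const k of Object.keys(this.snapshot.values)) {
+this.snapshot.values[k] = "";
+}
+}
 this.snapshot = { values: { ...values }, keys: [...keys], revision, swappedAt: Date.now() };
 }
 /** Whether the cache has exceeded the given TTL (seconds). */
@@ -14,8 +21,13 @@ class SecretsCache {
 return false;
 return (Date.now() - this.snapshot.swappedAt) / 1000 > ttlSeconds;
 }
-/** Clear the cached snapshot. */
+/** Clear the cached snapshot, zeroing values first (best-effort). */
 wipe() {
+if (this.snapshot) {
+for (const k of Object.keys(this.snapshot.values)) {
+this.snapshot.values[k] = "";
+}
+}
 this.snapshot = null;
 }
 /** Epoch ms when the cache was last swapped, or null if never loaded. */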
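Review bot: The loops added to `swap()` and `wipe()` only repoint each property at `""`; JavaScript strings are immutable, so the old secret strings are not overwritten and stay in the heap until the garbage collector reclaims them. The comment in `swap()` reads as if the plaintext were scrubbed, so I would reword it to `// Drop references to the old values; the strings themselves are freed by GC, not zeroed.` and say the same in the `wipe()` doc comment. Overwriting on demand would need the values held in `Buffer`s that can be cleared with `fill(0)`, which is a larger change than this section. The identical loop also appears in both methods and could live in one private helper.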
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"secrets-cache.js","sourceRoot":"","sources":["../src/secrets-cache.ts"],"names":[],"mappings":";;;AAOA,0DAA0D;AAC1D,MAAa,YAAY;IACf,QAAQ,GAAyB,IAAI,CAAC;IAE9C,mEAAmE;IACnE,IAAI,CAAC,MAA8B,EAAE,IAAc,EAAE,QAAgB;QACnE,IAAI,CAAC,QAAQ,GAAG,EAAE,MAAM,EAAE,EAAE,GAAG,MAAM,EAAE,EAAE,IAAI,EAAE,CAAC,GAAG,IAAI,CAAC,EAAE,QAAQ,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;IAC9F,CAAC;IAED,8DAA8D;IAC9D,SAAS,CAAC,UAAkB;QAC1B,IAAI,CAAC,IAAI,CAAC,QAAQ;YAAE,OAAO,KAAK,CAAC;QACjC,OAAO,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,GAAG,IAAI,GAAG,UAAU,CAAC;IACpE,CAAC;IAED,
|
|
1
|
+
{"version":3,"file":"secrets-cache.js","sourceRoot":"","sources":["../src/secrets-cache.ts"],"names":[],"mappings":";;;AAOA,0DAA0D;AAC1D,MAAa,YAAY;IACf,QAAQ,GAAyB,IAAI,CAAC;IAE9C,mEAAmE;IACnE,IAAI,CAAC,MAA8B,EAAE,IAAc,EAAE,QAAgB;QACnE,mEAAmE;QACnE,oDAAoD;QACpD,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YAClB,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;gBAClD,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC;YAC/B,CAAC;QACH,CAAC;QACD,IAAI,CAAC,QAAQ,GAAG,EAAE,MAAM,EAAE,EAAE,GAAG,MAAM,EAAE,EAAE,IAAI,EAAE,CAAC,GAAG,IAAI,CAAC,EAAE,QAAQ,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;IAC9F,CAAC;IAED,8DAA8D;IAC9D,SAAS,CAAC,UAAkB;QAC1B,IAAI,CAAC,IAAI,CAAC,QAAQ;YAAE,OAAO,KAAK,CAAC;QACjC,OAAO,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,GAAG,IAAI,GAAG,UAAU,CAAC;IACpE,CAAC;IAED,qEAAqE;IACrE,IAAI;QACF,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YAClB,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;gBAClD,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC;YAC/B,CAAC;QACH,CAAC;QACD,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC;IACvB,CAAC;IAED,yEAAyE;IACzE,YAAY;QACV,OAAO,IAAI,CAAC,QAAQ,EAAE,SAAS,IAAI,IAAI,CAAC;IAC1C,CAAC;IAED,wFAAwF;IACxF,GAAG,CAAC,GAAW;QACb,OAAO,IAAI,CAAC,QAAQ,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC;IACpC,CAAC;IAED,oEAAoE;IACpE,MAAM;QACJ,MAAM,CAAC,GAAG,IAAI,CAAC,QAAQ,CAAC;QACxB,IAAI,CAAC,CAAC;YAAE,OAAO,IAAI,CAAC;QACpB,OAAO,EAAE,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC;IACzB,CAAC;IAED,kDAAkD;IAClD,OAAO;QACL,MAAM,CAAC,GAAG,IAAI,CAAC,QAAQ,CAAC;QACxB,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IAC9B,CAAC;IAED,gEAAgE;IAChE,WAAW;QACT,OAAO,IAAI,CAAC,QAAQ,EAAE,QAAQ,IAAI,IAAI,CAAC;IACzC,CAAC;IAED,uDAAuD;IACvD,OAAO;QACL,OAAO,IAAI,CAAC,QAAQ,KAAK,IAAI,CAAC;IAChC,CAAC;CACF;AA/DD,oCA+DC"}
|
|
@@ -0,0 +1,44 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Minimal artifact shape for signature payload construction.
|
|
3
|
+
* Mirrors the fields from ArtifactEnvelope that the signature covers.
|
|
4
|
+
*/
|
|
5
|
+
interface SignableArtifact {
|
|
6
|
+
version: number;
|
|
7
|
+
identity: string;
|
|
8
|
+
environment: string;
|
|
9
|
+
revision: string;
|
|
10
|
+
packedAt: string;
|
|
11
|
+
ciphertextHash: string;
|
|
12
|
+
keys: string[];
|
|
13
|
+
expiresAt?: string;
|
|
14
|
+
envelope?: {
|
|
15
|
+
provider: string;
|
|
16
|
+
keyId: string;
|
|
17
|
+
wrappedKey: string;
|
|
18
|
+
algorithm: string;
|
|
19
|
+
iv?: string;
|
|
20
|
+
authTag?: string;
|
|
21
|
+
};
|
|
22
|
+
}
|
|
23
|
+
/**
|
|
24
|
+
* Build the canonical signing payload from an artifact.
|
|
25
|
+
*
|
|
26
|
+
* Must produce the same output as the core signer's buildSigningPayload
|
|
27
|
+
* to enable cross-package sign/verify. The format is a deterministic
|
|
28
|
+
* newline-separated string of all security-relevant fields.
|
|
29
|
+
*/
|
|
30
|
+
export declare function buildSigningPayload(artifact: SignableArtifact): Buffer;
|
|
31
|
+
/**
|
|
32
|
+
* Verify a signature against a public key.
|
|
33
|
+
*
|
|
34
|
+
* The algorithm is derived from the key's type (Ed25519 or EC), not from
|
|
35
|
+
* the artifact's claimed signatureAlgorithm field.
|
|
36
|
+
*
|
|
37
|
+
* @param payload - Canonical signing payload
|
|
38
|
+
* @param signatureBase64 - Base64-encoded signature to verify
|
|
39
|
+
* @param publicKeyBase64 - Base64-encoded DER SPKI public key
|
|
40
|
+
* @returns true if the signature is valid
|
|
41
|
+
*/
|
|
42
|
+
export declare function verifySignature(payload: Buffer, signatureBase64: string, publicKeyBase64: string): boolean;
|
|
43
|
+
export {};
|
|
44
|
+
//# sourceMappingURL=signature.d.ts.map
|
|
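Review bot: `SignableArtifact.envelope` declares `iv` and `authTag` as optional, while the envelope check in poller.js on this page now rejects an envelope missing either one, and the doc comment on `buildSigningPayload` does not say how an absent field is written into the canonical payload. Signer and verifier have to produce byte-identical payloads, so I would add a line such as `* Absent optional fields (expiresAt, envelope, iv, authTag) are serialized as <documented form>.` with the actual form taken from the implementation, which is not visible here. The `verifySignature` doc could also state whether malformed base64 or an unsupported key type throws or returns false, since callers may handle the two differently.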
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"signature.d.ts","sourceRoot":"","sources":["../src/signature.ts"],"names":[],"mappings":"AAEA;;;GAGG;AACH,UAAU,gBAAgB;IACxB,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,cAAc,EAAE,MAAM,CAAC;IACvB,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE;QACT,QAAQ,EAAE,MAAM,CAAC;QACjB,KAAK,EAAE,MAAM,CAAC;QACd,UAAU,EAAE,MAAM,CAAC;QACnB,SAAS,EAAE,MAAM,CAAC;QAClB,EAAE,CAAC,EAAE,MAAM,CAAC;QACZ,OAAO,CAAC,EAAE,MAAM,CAAC;KAClB,CAAC;CACH;AAED;;;;;;GAMG;AACH,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,gBAAgB,GAAG,MAAM,CAmBtE;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,eAAe,CAC7B,OAAO,EAAE,MAAM,EACf,eAAe,EAAE,MAAM,EACvB,eAAe,EAAE,MAAM,GACtB,OAAO,CAgBT"}
|