npm - @cosmicdrift/kumiko-framework - Versions diffs - 0.1.0 - Mend

@cosmicdrift/kumiko-framework 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (388) hide show

package/README.md +159 -0
package/package.json +91 -0
package/src/__tests__/anonymous-access.integration.ts +325 -0
package/src/__tests__/error-contract.integration.ts +435 -0
package/src/__tests__/field-access.integration.ts +269 -0
package/src/__tests__/full-stack.integration.ts +914 -0
package/src/__tests__/ownership.integration.ts +449 -0
package/src/__tests__/reference-data.integration.ts +198 -0
package/src/__tests__/transition-guard.integration.ts +340 -0
package/src/api/__tests__/api.test.ts +337 -0
package/src/api/__tests__/auth-middleware-transport.test.ts +80 -0
package/src/api/__tests__/auth-routes-cookie.test.ts +179 -0
package/src/api/__tests__/batch.integration.ts +404 -0
package/src/api/__tests__/body-limit.test.ts +88 -0
package/src/api/__tests__/csrf-middleware.test.ts +97 -0
package/src/api/__tests__/dispatcher-live.integration.ts +216 -0
package/src/api/__tests__/metrics-endpoint.test.ts +126 -0
package/src/api/__tests__/nested-write.integration.ts +213 -0
package/src/api/__tests__/readiness.test.ts +76 -0
package/src/api/__tests__/request-id-middleware.test.ts +72 -0
package/src/api/__tests__/sse-broker.test.ts +58 -0
package/src/api/__tests__/sse-route.test.ts +112 -0
package/src/api/anonymous-cookie.ts +60 -0
package/src/api/api-constants.ts +64 -0
package/src/api/auth-middleware.ts +418 -0
package/src/api/auth-routes.ts +982 -0
package/src/api/csrf-middleware.ts +77 -0
package/src/api/index.ts +31 -0
package/src/api/jwt.ts +66 -0
package/src/api/observability-middleware.ts +89 -0
package/src/api/readiness.ts +132 -0
package/src/api/request-context.ts +49 -0
package/src/api/request-id-middleware.ts +50 -0
package/src/api/route-registrars.ts +195 -0
package/src/api/routes.ts +135 -0
package/src/api/server.ts +640 -0
package/src/api/sse-broker.ts +71 -0
package/src/api/sse-route.ts +62 -0
package/src/api/tokens.ts +16 -0
package/src/db/__tests__/apply-entity-event-tenant.integration.ts +159 -0
package/src/db/__tests__/compound-types.test.ts +114 -0
package/src/db/__tests__/connection-options.test.ts +68 -0
package/src/db/__tests__/cursor.test.ts +41 -0
package/src/db/__tests__/db-helpers.test.ts +369 -0
package/src/db/__tests__/dialect-instant.test.ts +50 -0
package/src/db/__tests__/drizzle-helpers.integration.ts +186 -0
package/src/db/__tests__/drizzle-table-types.test.ts +162 -0
package/src/db/__tests__/encryption.test.ts +39 -0
package/src/db/__tests__/event-store-executor-list.integration.ts +313 -0
package/src/db/__tests__/event-store-executor.integration.ts +235 -0
package/src/db/__tests__/implicit-projection-equivalence.integration.ts +304 -0
package/src/db/__tests__/located-timestamp.test.ts +184 -0
package/src/db/__tests__/money.test.ts +199 -0
package/src/db/__tests__/multi-row-insert.integration.ts +76 -0
package/src/db/__tests__/parse-auto-verb.test.ts +70 -0
package/src/db/__tests__/required-not-null-migration-safety.integration.ts +105 -0
package/src/db/__tests__/row-helpers.test.ts +59 -0
package/src/db/__tests__/schema-migration.integration.ts +273 -0
package/src/db/__tests__/table-builder-indexes.test.ts +153 -0
package/src/db/__tests__/table-builder-required.test.ts +216 -0
package/src/db/__tests__/tenant-db.integration.ts +606 -0
package/src/db/__tests__/unique-violation-mapping.integration.ts +166 -0
package/src/db/apply-entity-event.ts +188 -0
package/src/db/assert-exists-in.ts +59 -0
package/src/db/compound-types.ts +47 -0
package/src/db/connection.ts +104 -0
package/src/db/cursor.ts +83 -0
package/src/db/dialect.ts +109 -0
package/src/db/eagerload.ts +174 -0
package/src/db/encryption.ts +39 -0
package/src/db/event-store-executor.ts +906 -0
package/src/db/index.ts +55 -0
package/src/db/located-timestamp.ts +114 -0
package/src/db/money.ts +120 -0
package/src/db/pg-error.ts +46 -0
package/src/db/reference-data.ts +77 -0
package/src/db/row-helpers.ts +53 -0
package/src/db/schema-inspection.ts +25 -0
package/src/db/table-builder.ts +475 -0
package/src/db/tenant-db.ts +434 -0
package/src/engine/__tests__/auth-claims-registrar.test.ts +74 -0
package/src/engine/__tests__/boot-validator-located-timestamps.test.ts +108 -0
package/src/engine/__tests__/boot-validator.test.ts +1865 -0
package/src/engine/__tests__/build-app-schema.test.ts +154 -0
package/src/engine/__tests__/claim-keys.test.ts +274 -0
package/src/engine/__tests__/config-helpers.test.ts +236 -0
package/src/engine/__tests__/effective-features.test.ts +86 -0
package/src/engine/__tests__/engine.test.ts +1461 -0
package/src/engine/__tests__/entity-handlers.test.ts +274 -0
package/src/engine/__tests__/event-helpers.test.ts +68 -0
package/src/engine/__tests__/extends-registrar.test.ts +159 -0
package/src/engine/__tests__/factories-long-text.test.ts +84 -0
package/src/engine/__tests__/factories-time.test.ts +158 -0
package/src/engine/__tests__/field-predicates.test.ts +48 -0
package/src/engine/__tests__/hook-phases.test.ts +132 -0
package/src/engine/__tests__/identifiers.test.ts +35 -0
package/src/engine/__tests__/lifecycle-hooks.test.ts +237 -0
package/src/engine/__tests__/nav.test.ts +267 -0
package/src/engine/__tests__/ownership.test.ts +421 -0
package/src/engine/__tests__/parse-ref-target.test.ts +43 -0
package/src/engine/__tests__/projection-helpers.test.ts +62 -0
package/src/engine/__tests__/projection.test.ts +191 -0
package/src/engine/__tests__/qualified-name.test.ts +264 -0
package/src/engine/__tests__/resolve-config-or-param.test.ts +315 -0
package/src/engine/__tests__/run-in.test.ts +38 -0
package/src/engine/__tests__/schema-builder.test.ts +380 -0
package/src/engine/__tests__/screen.test.ts +408 -0
package/src/engine/__tests__/state-machine.test.ts +148 -0
package/src/engine/__tests__/system-user.test.ts +57 -0
package/src/engine/__tests__/validation-hooks.test.ts +71 -0
package/src/engine/access.ts +23 -0
package/src/engine/boot-validator.ts +1528 -0
package/src/engine/build-app-schema.ts +125 -0
package/src/engine/config-helpers.ts +115 -0
package/src/engine/constants.ts +85 -0
package/src/engine/create-app.ts +98 -0
package/src/engine/define-feature.ts +702 -0
package/src/engine/define-handler.ts +78 -0
package/src/engine/define-roles.ts +19 -0
package/src/engine/effective-features.ts +87 -0
package/src/engine/entity-handlers.ts +364 -0
package/src/engine/event-helpers.ts +73 -0
package/src/engine/factories.ts +328 -0
package/src/engine/feature-ast/__tests__/canonical-form.test.ts +416 -0
package/src/engine/feature-ast/__tests__/parse-happy-path.test.ts +197 -0
package/src/engine/feature-ast/__tests__/parse-real-features.test.ts +128 -0
package/src/engine/feature-ast/__tests__/parse.test.ts +888 -0
package/src/engine/feature-ast/__tests__/patch.test.ts +360 -0
package/src/engine/feature-ast/__tests__/patcher.test.ts +469 -0
package/src/engine/feature-ast/__tests__/render-roundtrip.test.ts +287 -0
package/src/engine/feature-ast/extractors.ts +2562 -0
package/src/engine/feature-ast/index.ts +105 -0
package/src/engine/feature-ast/parse.ts +369 -0
package/src/engine/feature-ast/patch.ts +525 -0
package/src/engine/feature-ast/patcher.ts +518 -0
package/src/engine/feature-ast/patterns.ts +434 -0
package/src/engine/feature-ast/render.ts +602 -0
package/src/engine/feature-ast/source-location.ts +45 -0
package/src/engine/field-access.ts +120 -0
package/src/engine/index.ts +254 -0
package/src/engine/ownership.ts +337 -0
package/src/engine/parse-ref-target.ts +22 -0
package/src/engine/pattern-library/__tests__/library.test.ts +351 -0
package/src/engine/pattern-library/index.ts +24 -0
package/src/engine/pattern-library/library.ts +1117 -0
package/src/engine/pattern-library/types.ts +255 -0
package/src/engine/projection-helpers.ts +85 -0
package/src/engine/qualified-name.ts +122 -0
package/src/engine/read-claim.ts +31 -0
package/src/engine/registry.ts +1325 -0
package/src/engine/resolve-config-or-param.ts +153 -0
package/src/engine/run-in.ts +29 -0
package/src/engine/schema-builder.ts +175 -0
package/src/engine/screen-filter-ops.ts +51 -0
package/src/engine/state-machine.ts +70 -0
package/src/engine/system-user.ts +32 -0
package/src/engine/types/config.ts +306 -0
package/src/engine/types/event-type-map.ts +37 -0
package/src/engine/types/feature.ts +574 -0
package/src/engine/types/fields.ts +422 -0
package/src/engine/types/handlers.ts +742 -0
package/src/engine/types/hooks.ts +142 -0
package/src/engine/types/http-route.ts +54 -0
package/src/engine/types/identifiers.ts +47 -0
package/src/engine/types/index.ts +208 -0
package/src/engine/types/nav.ts +46 -0
package/src/engine/types/projection.ts +132 -0
package/src/engine/types/relations.ts +51 -0
package/src/engine/types/screen.ts +452 -0
package/src/engine/types/workspace.ts +42 -0
package/src/engine/validation.ts +33 -0
package/src/entrypoint/__tests__/entrypoint-job-wiring.integration.ts +173 -0
package/src/entrypoint/__tests__/split-deploy.integration.ts +297 -0
package/src/entrypoint/index.ts +442 -0
package/src/errors/__tests__/classes.test.ts +371 -0
package/src/errors/__tests__/write-failures.test.ts +109 -0
package/src/errors/classes.ts +249 -0
package/src/errors/i18n/de.yaml +83 -0
package/src/errors/i18n/en.yaml +80 -0
package/src/errors/index.ts +41 -0
package/src/errors/kumiko-error.ts +67 -0
package/src/errors/reasons.ts +36 -0
package/src/errors/serialize.ts +136 -0
package/src/errors/transition-details.ts +30 -0
package/src/errors/write-error-info.ts +123 -0
package/src/errors/zod-bridge.ts +49 -0
package/src/event-store/__tests__/admin-api.integration.ts +361 -0
package/src/event-store/__tests__/event-store.integration.ts +584 -0
package/src/event-store/__tests__/get-stream-version-perf.integration.ts +83 -0
package/src/event-store/__tests__/perf.integration.ts +255 -0
package/src/event-store/__tests__/snapshot.integration.ts +267 -0
package/src/event-store/__tests__/upcaster-dead-letter.integration.ts +204 -0
package/src/event-store/__tests__/upcaster.integration.ts +460 -0
package/src/event-store/admin-api.ts +257 -0
package/src/event-store/archive.ts +106 -0
package/src/event-store/errors.ts +35 -0
package/src/event-store/event-store.ts +405 -0
package/src/event-store/events-schema.ts +90 -0
package/src/event-store/index.ts +50 -0
package/src/event-store/snapshot.ts +210 -0
package/src/event-store/upcaster-dead-letter.ts +119 -0
package/src/event-store/upcaster.ts +147 -0
package/src/files/__tests__/content-disposition.test.ts +123 -0
package/src/files/__tests__/file-field-column.integration.ts +103 -0
package/src/files/__tests__/file-field-pipeline.integration.ts +211 -0
package/src/files/__tests__/file-handle.test.ts +122 -0
package/src/files/__tests__/files.integration.ts +830 -0
package/src/files/__tests__/storage-tracking.integration.ts +153 -0
package/src/files/content-disposition.ts +55 -0
package/src/files/file-handle.ts +63 -0
package/src/files/file-ref-table.ts +22 -0
package/src/files/file-routes.ts +353 -0
package/src/files/in-memory-provider.ts +62 -0
package/src/files/index.ts +29 -0
package/src/files/local-provider.ts +35 -0
package/src/files/storage-tracking.ts +60 -0
package/src/files/types.ts +118 -0
package/src/i18n/__tests__/i18n.test.ts +72 -0
package/src/i18n/index.ts +29 -0
package/src/jobs/__tests__/job-event-trigger.integration.ts +172 -0
package/src/jobs/__tests__/job-multi-trigger.integration.ts +144 -0
package/src/jobs/__tests__/jobs.integration.ts +566 -0
package/src/jobs/index.ts +2 -0
package/src/jobs/job-runner.ts +574 -0
package/src/lifecycle/__tests__/create-test-lifecycle.ts +19 -0
package/src/lifecycle/__tests__/lifecycle-server.integration.ts +108 -0
package/src/lifecycle/__tests__/lifecycle.test.ts +212 -0
package/src/lifecycle/__tests__/signal-handlers.test.ts +106 -0
package/src/lifecycle/index.ts +13 -0
package/src/lifecycle/lifecycle.ts +160 -0
package/src/lifecycle/signal-handlers.ts +62 -0
package/src/logging/__tests__/pino-trace-bridge.test.ts +50 -0
package/src/logging/index.ts +3 -0
package/src/logging/pino-logger.ts +64 -0
package/src/logging/types.ts +7 -0
package/src/migrations/__tests__/compare-snapshots.test.ts +150 -0
package/src/migrations/__tests__/detect-drift.integration.ts +320 -0
package/src/migrations/__tests__/detect-projections-to-rebuild.integration.ts +134 -0
package/src/migrations/__tests__/rebuild-marker.test.ts +79 -0
package/src/migrations/index.ts +28 -0
package/src/migrations/projection-detection.ts +149 -0
package/src/migrations/rebuild-marker.ts +64 -0
package/src/migrations/schema-drift.ts +395 -0
package/src/observability/__tests__/console-provider.test.ts +67 -0
package/src/observability/__tests__/metric-validator.test.ts +87 -0
package/src/observability/__tests__/noop-provider.test.ts +82 -0
package/src/observability/__tests__/observability.integration.ts +559 -0
package/src/observability/__tests__/prometheus-meter.test.ts +144 -0
package/src/observability/__tests__/recording-meter.test.ts +101 -0
package/src/observability/__tests__/recording-tracer.test.ts +110 -0
package/src/observability/__tests__/sensitive-filter.test.ts +98 -0
package/src/observability/console-provider.ts +130 -0
package/src/observability/context.ts +26 -0
package/src/observability/fallback.ts +34 -0
package/src/observability/ids.ts +25 -0
package/src/observability/index.ts +79 -0
package/src/observability/metric-validator.ts +86 -0
package/src/observability/metrics-handle.ts +56 -0
package/src/observability/noop-provider.ts +146 -0
package/src/observability/prometheus-meter.ts +284 -0
package/src/observability/recording-meter.ts +156 -0
package/src/observability/recording-tracer.ts +198 -0
package/src/observability/redis-wrapper.ts +132 -0
package/src/observability/sensitive-filter.ts +108 -0
package/src/observability/standard-metrics.ts +213 -0
package/src/observability/types/index.ts +29 -0
package/src/observability/types/metric.ts +56 -0
package/src/observability/types/provider.ts +32 -0
package/src/observability/types/span.ts +64 -0
package/src/pipeline/__tests__/archive-stream.integration.ts +220 -0
package/src/pipeline/__tests__/auth-claims-resolver.test.ts +279 -0
package/src/pipeline/__tests__/cascade-handler.integration.ts +419 -0
package/src/pipeline/__tests__/cascade-handler.test.ts +52 -0
package/src/pipeline/__tests__/causation-chain.integration.ts +206 -0
package/src/pipeline/__tests__/ctx-bridge.integration.ts +234 -0
package/src/pipeline/__tests__/dispatcher.test.ts +379 -0
package/src/pipeline/__tests__/distributed-lock.integration.ts +67 -0
package/src/pipeline/__tests__/domain-events-projections.integration.ts +323 -0
package/src/pipeline/__tests__/event-dedup.integration.ts +153 -0
package/src/pipeline/__tests__/event-define-event-strict.integration.ts +202 -0
package/src/pipeline/__tests__/event-dispatcher-lifecycle.integration.ts +220 -0
package/src/pipeline/__tests__/event-dispatcher-multi-instance.integration.ts +423 -0
package/src/pipeline/__tests__/event-dispatcher-pg-listen.integration.ts +123 -0
package/src/pipeline/__tests__/event-dispatcher-recovery.integration.ts +202 -0
package/src/pipeline/__tests__/event-dispatcher-second-audit.integration.ts +290 -0
package/src/pipeline/__tests__/event-dispatcher-strict.test.ts +65 -0
package/src/pipeline/__tests__/event-dispatcher.integration.ts +287 -0
package/src/pipeline/__tests__/event-retention.integration.ts +239 -0
package/src/pipeline/__tests__/fetch-for-writing.integration.ts +281 -0
package/src/pipeline/__tests__/lifecycle-pipeline.test.ts +430 -0
package/src/pipeline/__tests__/load-aggregate-query.integration.ts +266 -0
package/src/pipeline/__tests__/msp-error-mode.integration.ts +149 -0
package/src/pipeline/__tests__/msp-multi-hop.integration.ts +228 -0
package/src/pipeline/__tests__/msp-rebuild.integration.ts +368 -0
package/src/pipeline/__tests__/multi-stream-projection.integration.ts +341 -0
package/src/pipeline/__tests__/perf-rebuild.integration.ts +147 -0
package/src/pipeline/__tests__/projection-rebuild.integration.ts +551 -0
package/src/pipeline/__tests__/query-projection.integration.ts +201 -0
package/src/pipeline/__tests__/redis-pipeline.integration.ts +306 -0
package/src/pipeline/append-event-core.ts +117 -0
package/src/pipeline/auth-claims-resolver.ts +103 -0
package/src/pipeline/cascade-handler.ts +113 -0
package/src/pipeline/dispatcher.ts +1585 -0
package/src/pipeline/distributed-lock.ts +37 -0
package/src/pipeline/entity-cache.ts +113 -0
package/src/pipeline/event-consumer-state.ts +108 -0
package/src/pipeline/event-dedup.ts +23 -0
package/src/pipeline/event-dispatcher.ts +1016 -0
package/src/pipeline/event-retention.ts +154 -0
package/src/pipeline/idempotency.ts +76 -0
package/src/pipeline/index.ts +66 -0
package/src/pipeline/lifecycle-pipeline.ts +409 -0
package/src/pipeline/msp-rebuild.ts +242 -0
package/src/pipeline/multi-stream-apply-context.ts +115 -0
package/src/pipeline/projection-rebuild.ts +334 -0
package/src/pipeline/projection-state.ts +72 -0
package/src/pipeline/projections-runner.ts +56 -0
package/src/pipeline/redis-keys.ts +11 -0
package/src/pipeline/system-hooks.ts +190 -0
package/src/random/__tests__/generate.test.ts +149 -0
package/src/random/generate.ts +141 -0
package/src/random/index.ts +8 -0
package/src/random/words.ts +392 -0
package/src/rate-limit/__tests__/dispatcher-l3.integration.ts +111 -0
package/src/rate-limit/__tests__/middleware.integration.ts +189 -0
package/src/rate-limit/__tests__/resolver.integration.ts +189 -0
package/src/rate-limit/bucket.ts +36 -0
package/src/rate-limit/index.ts +14 -0
package/src/rate-limit/middleware.ts +152 -0
package/src/rate-limit/resolver.ts +267 -0
package/src/redis/__tests__/redis-options.test.ts +54 -0
package/src/redis/index.ts +74 -0
package/src/search/__tests__/meilisearch-adapter.integration.ts +236 -0
package/src/search/__tests__/search-adapter.test.ts +256 -0
package/src/search/in-memory-adapter.ts +123 -0
package/src/search/index.ts +12 -0
package/src/search/meilisearch-adapter.ts +106 -0
package/src/search/types.ts +39 -0
package/src/secrets/__tests__/dek-cache.test.ts +213 -0
package/src/secrets/__tests__/env-master-key-provider.test.ts +119 -0
package/src/secrets/__tests__/envelope.test.ts +74 -0
package/src/secrets/__tests__/leak-guard.test.ts +92 -0
package/src/secrets/__tests__/rotation.test.ts +149 -0
package/src/secrets/dek-cache.ts +116 -0
package/src/secrets/env-master-key-provider.ts +162 -0
package/src/secrets/envelope.ts +55 -0
package/src/secrets/index.ts +19 -0
package/src/secrets/leak-guard.ts +87 -0
package/src/secrets/rotation.ts +34 -0
package/src/secrets/types.ts +107 -0
package/src/stack/db.ts +104 -0
package/src/stack/event-collector.ts +23 -0
package/src/stack/index.ts +32 -0
package/src/stack/redis.ts +44 -0
package/src/stack/request-helper.ts +168 -0
package/src/stack/table-helpers.ts +104 -0
package/src/stack/test-stack.ts +357 -0
package/src/stack/test-users.ts +37 -0
package/src/testing/__tests__/e2e-generator.test.ts +230 -0
package/src/testing/__tests__/ensure-entity-table.integration.ts +54 -0
package/src/testing/access-assertions.ts +15 -0
package/src/testing/assertions.ts +35 -0
package/src/testing/e2e-generator.ts +465 -0
package/src/testing/expect-error.ts +25 -0
package/src/testing/handler-context.ts +125 -0
package/src/testing/http-cookies.ts +52 -0
package/src/testing/index.ts +41 -0
package/src/testing/late-bound.ts +39 -0
package/src/testing/mutable-master-key-provider.ts +31 -0
package/src/testing/observability-recorder.ts +54 -0
package/src/testing/shared-entities.ts +49 -0
package/src/testing/utils.ts +1 -0
package/src/testing/wait-for.ts +31 -0
package/src/time/__tests__/polyfill.test.ts +73 -0
package/src/time/__tests__/tz-context.test.ts +121 -0
package/src/time/index.ts +21 -0
package/src/time/polyfill.ts +70 -0
package/src/time/tz-context.ts +107 -0
package/src/ui-types/app-schema.ts +57 -0
package/src/ui-types/index.ts +65 -0
package/src/utils/__tests__/assert.test.ts +17 -0
package/src/utils/__tests__/env-parse.test.ts +54 -0
package/src/utils/assert.ts +18 -0
package/src/utils/env-parse.ts +16 -0
package/src/utils/ids.ts +16 -0
package/src/utils/index.ts +5 -0
package/src/utils/safe-json.ts +30 -0
package/src/utils/serialization.ts +7 -0

package/src/secrets/__tests__/leak-guard.test.ts ADDED Viewed

@@ -0,0 +1,92 @@
+import { describe, expect, test } from "vitest";
+import { assertNoSecretLeak } from "../leak-guard";
+import { createSecret } from "../types";
+describe("assertNoSecretLeak — walks the response tree for branded values", () => {
+  test("plain data passes through silently", () => {
+    expect(() =>
+      assertNoSecretLeak({
+        id: "42",
+        title: "foo",
+        tags: ["a", "b"],
+        nested: { deep: { value: 12 } },
+      }),
+    ).not.toThrow();
+  });
+  test("throws when Secret<> sits at the root", () => {
+    const s = createSecret("plaintext-api-key");
+    expect(() => assertNoSecretLeak(s)).toThrow(/leaked.*at \$/);
+  });
+  test("throws when Secret<> is nested in an object", () => {
+    const payload = {
+      id: "42",
+      apiKey: createSecret("leak-me"),
+    };
+    expect(() => assertNoSecretLeak(payload)).toThrow(/leaked.*at \$\.apiKey/);
+  });
+  test("throws when Secret<> is inside an array", () => {
+    const payload = {
+      keys: [createSecret("one"), "two"],
+    };
+    expect(() => assertNoSecretLeak(payload)).toThrow(/leaked.*at \$\.keys\[0\]/);
+  });
+  test("reports path to the first offending node", () => {
+    const payload = {
+      outer: {
+        middle: [null, { deeper: createSecret("gotcha") }],
+      },
+    };
+    expect(() => assertNoSecretLeak(payload)).toThrow(/leaked.*at \$\.outer\.middle\[1\]\.deeper/);
+  });
+  test("skips opaque class instances (Date, Buffer) so they don't false-positive", () => {
+    // Date and Buffer have internal slots the walker can't introspect — non-
+    // plain prototype, no entry-iterator we trust. Stopping here is the
+    // conservative call. Map and Set are NOT in this list (see next two tests):
+    // they have well-defined iteration and a toJSON-via-custom-serializer can
+    // expand them onto the wire, so we walk them.
+    const payload = {
+      createdAt: new Date("2024-01-01"),
+      binary: Buffer.from("hello"),
+    };
+    expect(() => assertNoSecretLeak(payload)).not.toThrow();
+  });
+  test("walks Set entries and throws when Secret<> sits inside", () => {
+    const payload = {
+      keys: new Set([createSecret("hidden")]),
+    };
+    expect(() => assertNoSecretLeak(payload)).toThrow(/leaked.*at \$\.keys\.<set\[0\]>/);
+  });
+  test("walks Map values and throws when Secret<> sits inside", () => {
+    const payload = {
+      registry: new Map([["api", createSecret("hidden")]]),
+    };
+    expect(() => assertNoSecretLeak(payload)).toThrow(/leaked.*at \$\.registry\.<map\[0\]\.val>/);
+  });
+  test("Set of plain values stays silent — walking doesn't false-positive", () => {
+    const payload = {
+      ids: new Set(["a", "b"]),
+      tags: new Map([["env", "prod"]]),
+    };
+    expect(() => assertNoSecretLeak(payload)).not.toThrow();
+  });
+  test("stops at MAX_DEPTH so cyclic or pathologically-deep input can't hang", () => {
+    // Build a cyclic object — without the depth cap this would recurse forever.
+    const root: Record<string, unknown> = { id: "root" };
+    root["self"] = root;
+    expect(() => assertNoSecretLeak(root)).not.toThrow();
+  });
+  test("undefined and null are no-ops", () => {
+    expect(() => assertNoSecretLeak(undefined)).not.toThrow();
+    expect(() => assertNoSecretLeak(null)).not.toThrow();
+  });
+});

package/src/secrets/__tests__/rotation.test.ts ADDED Viewed

@@ -0,0 +1,149 @@
+import { randomBytes } from "node:crypto";
+import { describe, expect, test } from "vitest";
+import { createEnvMasterKeyProvider } from "../env-master-key-provider";
+import { decryptValue, encryptValue } from "../envelope";
+import { rewrapDek } from "../rotation";
+// Shared KEK bytes across provider reconstructions — mimics ops setting
+// the same env var across deploys. This is how we model "the KEK didn't
+// change but CURRENT_VERSION did" in a single test process.
+const KEK_V1 = randomBytes(32);
+const KEK_V2 = randomBytes(32);
+function providerWithCurrent(
+  v: number,
+  extraKeys: boolean = true,
+): ReturnType<typeof createEnvMasterKeyProvider> {
+  const envVars: Record<string, string> = {
+    KUMIKO_SECRETS_MASTER_KEY_V1: KEK_V1.toString("base64"),
+    KUMIKO_SECRETS_MASTER_KEY_CURRENT_VERSION: String(v),
+  };
+  if (extraKeys) {
+    envVars["KUMIKO_SECRETS_MASTER_KEY_V2"] = KEK_V2.toString("base64");
+  }
+  return createEnvMasterKeyProvider({ env: envVars });
+}
+describe("rotation — the whole point of the multi-version keyring", () => {
+  test("a value encrypted with V1 stays readable after CURRENT flips to V2", async () => {
+    // Day 1: ops has only V1 deployed, current=1. We encrypt a secret.
+    const day1 = providerWithCurrent(1, /* extraKeys */ false);
+    const envelope = await encryptValue("my-stripe-key", day1);
+    expect(envelope.kekVersion).toBe(1);
+    // Day 3: ops deployed V2 ENV too, and has now flipped current=2.
+    // The keyring still contains V1 so old rows must keep reading.
+    const day3 = providerWithCurrent(2);
+    const back = await decryptValue(envelope, day3);
+    expect(back).toBe("my-stripe-key");
+  });
+  test("after rotation, new writes land on the new version", async () => {
+    const day3 = providerWithCurrent(2);
+    const envelope = await encryptValue("fresh secret", day3);
+    // The point: without touching rewrap logic at all, simply having
+    // flipped CURRENT_VERSION means new values use V2.
+    expect(envelope.kekVersion).toBe(2);
+  });
+  test("rewrapDek migrates a V1-envelope to V2 without touching ciphertext", async () => {
+    // Encrypt under V1 (no V2 yet) so we have a pure V1 row.
+    const day1 = providerWithCurrent(1, /* extraKeys */ false);
+    const originalEnvelope = await encryptValue("sensitive", day1);
+    expect(originalEnvelope.kekVersion).toBe(1);
+    // Later, ops has rolled V2 and flipped current.
+    const day3 = providerWithCurrent(2);
+    const rotated = await rewrapDek(originalEnvelope, day3);
+    // Key property: DEK got re-wrapped, ciphertext untouched. This is
+    // WHY envelope rotation is cheap — we only rewrite a ~60-byte blob
+    // per row, never the potentially large ciphertext.
+    expect(rotated.kekVersion).toBe(2);
+    expect(rotated.ciphertext.equals(originalEnvelope.ciphertext)).toBe(true);
+    expect(rotated.iv.equals(originalEnvelope.iv)).toBe(true);
+    expect(rotated.authTag.equals(originalEnvelope.authTag)).toBe(true);
+    // The wrapped DEK DID change — it's now wrapped with KEK V2.
+    expect(rotated.encryptedDek.equals(originalEnvelope.encryptedDek)).toBe(false);
+    // Most important: the rotated envelope still decrypts correctly.
+    expect(await decryptValue(rotated, day3)).toBe("sensitive");
+  });
+  test("rewrapDek is a no-op when the envelope is already current", async () => {
+    const day3 = providerWithCurrent(2);
+    const envelope = await encryptValue("already-v2", day3);
+    expect(envelope.kekVersion).toBe(2);
+    const rotated = await rewrapDek(envelope, day3);
+    // Same reference — no work was done.
+    expect(rotated).toBe(envelope);
+  });
+  test("rewrap requires the OLD version to still be in the keyring", async () => {
+    // Encrypt under V1
+    const day1 = providerWithCurrent(1, /* extraKeys */ false);
+    const envelope = await encryptValue("stranded", day1);
+    // Day 5: ops RETIRED V1 — env no longer has KUMIKO_SECRETS_MASTER_KEY_V1,
+    // only V2. An old row with kekVersion=1 is now unreadable.
+    const dayRetired = createEnvMasterKeyProvider({
+      env: {
+        KUMIKO_SECRETS_MASTER_KEY_V2: KEK_V2.toString("base64"),
+        KUMIKO_SECRETS_MASTER_KEY_CURRENT_VERSION: "2",
+      },
+    });
+    await expect(rewrapDek(envelope, dayRetired)).rejects.toThrow(/no KEK for version 1/);
+    // Lesson: ops MUST rotate all rows off V1 before deleting V1 from env.
+  });
+  test("full rotation drill: encrypt V1 → staging V1+V2 → promote to V2 → rewrap → retire V1", async () => {
+    // Simulates the canonical rotation sequence end-to-end.
+    // --- Day 1: only V1, CURRENT=1 ---
+    const day1 = providerWithCurrent(1, /* extraKeys */ false);
+    const envA = await encryptValue("value-A", day1);
+    const envB = await encryptValue("value-B", day1);
+    expect(envA.kekVersion).toBe(1);
+    expect(envB.kekVersion).toBe(1);
+    // --- Day 2: V1+V2 deployed, CURRENT still 1 (staging) ---
+    const day2 = providerWithCurrent(1, /* extraKeys */ true);
+    // Both old rows still read
+    expect(await decryptValue(envA, day2)).toBe("value-A");
+    expect(await decryptValue(envB, day2)).toBe("value-B");
+    // New writes: still V1 — crucial! CURRENT hasn't flipped.
+    const envC = await encryptValue("value-C", day2);
+    expect(envC.kekVersion).toBe(1);
+    // --- Day 3: CURRENT flipped to 2 ---
+    const day3 = providerWithCurrent(2, /* extraKeys */ true);
+    // Old rows still readable
+    expect(await decryptValue(envA, day3)).toBe("value-A");
+    // New writes now land on V2
+    const envD = await encryptValue("value-D", day3);
+    expect(envD.kekVersion).toBe(2);
+    // --- Day 4: rotation job migrates all V1 rows ---
+    const rotA = await rewrapDek(envA, day3);
+    const rotB = await rewrapDek(envB, day3);
+    const rotC = await rewrapDek(envC, day3);
+    expect(rotA.kekVersion).toBe(2);
+    expect(rotB.kekVersion).toBe(2);
+    expect(rotC.kekVersion).toBe(2);
+    expect(await decryptValue(rotA, day3)).toBe("value-A");
+    // --- Day 5: V1 retired from env ---
+    const day5 = createEnvMasterKeyProvider({
+      env: {
+        KUMIKO_SECRETS_MASTER_KEY_V2: KEK_V2.toString("base64"),
+        KUMIKO_SECRETS_MASTER_KEY_CURRENT_VERSION: "2",
+      },
+    });
+    // All rotated rows still decrypt
+    expect(await decryptValue(rotA, day5)).toBe("value-A");
+    expect(await decryptValue(rotB, day5)).toBe("value-B");
+    expect(await decryptValue(rotC, day5)).toBe("value-C");
+    expect(await decryptValue(envD, day5)).toBe("value-D");
+  });
+});

package/src/secrets/dek-cache.ts ADDED Viewed

@@ -0,0 +1,116 @@
+// In-memory cache for unwrapped DEKs. Cloud-KMS unwrap calls are expensive
+// ($ + network). Caching for a short TTL amortises the cost across reads
+// of the same secret. The TTL bounds the time plaintext DEKs live in the
+// process — shorter is safer, longer is cheaper.
+//
+// Two bounds are enforced so the cache can't leak memory under adversarial
+// or skewed workloads:
+//   - TTL per entry (default 5min): old DEKs expire even if never reused.
+//   - maxEntries (default 1000): LRU eviction kicks in on insert when full.
+import { createHash } from "node:crypto";
+import type { MasterKeyProvider } from "./types";
+const DEFAULT_TTL_MS = 5 * 60 * 1000; // 5 minutes
+const DEFAULT_MAX_ENTRIES = 1000;
+export type DekCacheOptions = {
+  readonly ttlMs?: number;
+  // Cap on the number of cached DEKs. On overflow, least-recently-used
+  // entries are evicted (their bytes zeroed).
+  readonly maxEntries?: number;
+  // Injectable clock for deterministic tests.
+  readonly now?: () => number;
+};
+export type DekCache = {
+  // Unwrap via the provider, caching the result. Second call within TTL
+  // returns the cached DEK without hitting the provider.
+  unwrapDek(encryptedDek: Buffer, kekVersion: number, provider: MasterKeyProvider): Promise<Buffer>;
+  // Drop every entry. Call after KEK rotation so old cached DEKs (still
+  // valid, but referencing the old kekVersion) don't serve reads that
+  // could otherwise detect the version change.
+  clear(): void;
+  // Observability: how many entries are live right now (pre-TTL-prune).
+  size(): number;
+};
+export function createDekCache(opts: DekCacheOptions = {}): DekCache {
+  const ttlMs = opts.ttlMs ?? DEFAULT_TTL_MS;
+  const maxEntries = opts.maxEntries ?? DEFAULT_MAX_ENTRIES;
+  const now = opts.now ?? (() => Date.now());
+  // Key is a SHA-256 hash of (encryptedDek || kekVersion). Hashing avoids
+  // keeping the raw wrapped bytes as the Map key (which would pin them
+  // in memory) and ensures version is part of the identity — same
+  // encryptedDek at different versions cannot collide.
+  //
+  // JS Map keeps insertion order — we exploit that for LRU: on hit we
+  // delete+re-insert the entry, which moves it to the "most recent" end.
+  // On overflow the first key (oldest) gets evicted.
+  const entries = new Map<string, { dek: Buffer; expiresAt: number }>();
+  function cacheKey(encryptedDek: Buffer, kekVersion: number): string {
+    // kekVersion as 4 bytes — handles realistic rotation counts without
+    // truncating (1-byte would wrap at 256, which IS achievable over a
+    // decade of weekly rotations).
+    const versionBuf = Buffer.alloc(4);
+    versionBuf.writeUInt32BE(kekVersion);
+    return createHash("sha256").update(encryptedDek).update(versionBuf).digest("hex");
+  }
+  function evictOldestIfFull(): void {
+    // skip: under cap, no eviction needed.
+    if (entries.size < maxEntries) return;
+    // First key is the least-recently-inserted / least-recently-touched
+    // thanks to the delete+set dance below. iterator().next() is O(1).
+    const oldestKey = entries.keys().next().value;
+    // skip: Map was empty mid-check — no entry to evict.
+    if (oldestKey === undefined) return;
+    const oldest = entries.get(oldestKey);
+    if (oldest) oldest.dek.fill(0);
+    entries.delete(oldestKey);
+  }
+  return {
+    async unwrapDek(encryptedDek, kekVersion, provider) {
+      const key = cacheKey(encryptedDek, kekVersion);
+      const hit = entries.get(key);
+      if (hit && hit.expiresAt > now()) {
+        // Touch: re-insert to move to the "most recent" end of the Map.
+        // Without this the LRU would collapse into FIFO.
+        entries.delete(key);
+        entries.set(key, hit);
+        // Return a copy so callers that .fill(0) after use don't wipe the
+        // cached buffer for everyone else.
+        return Buffer.from(hit.dek);
+      }
+      // Prune the expired entry on miss to bound memory.
+      if (hit) {
+        hit.dek.fill(0);
+        entries.delete(key);
+      }
+      const dek = await provider.unwrapDek(encryptedDek, kekVersion);
+      evictOldestIfFull();
+      // Store a copy — caller can zero its own buffer after use.
+      entries.set(key, { dek: Buffer.from(dek), expiresAt: now() + ttlMs });
+      return dek;
+    },
+    clear() {
+      // Zero the DEK bytes before dropping references. Best-effort —
+      // Node can't guarantee secure erase, but clearing now prevents
+      // stale key material from lingering in heap snapshots.
+      for (const { dek } of entries.values()) {
+        dek.fill(0);
+      }
+      entries.clear();
+    },
+    size() {
+      return entries.size;
+    },
+  };
+}

package/src/secrets/env-master-key-provider.ts ADDED Viewed

@@ -0,0 +1,162 @@
+// Default MasterKeyProvider for deployments without a dedicated KMS. Reads
+// KEK material from env, supports a multi-version keyring so rotation runs
+// without a maintenance window. See loadKeyring + resolveCurrentVersion at
+// the bottom for the env contract.
+import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";
+import { InternalError } from "../errors";
+import type { MasterKeyProvider } from "./types";
+const ALGORITHM = "aes-256-gcm";
+const KEK_LENGTH = 32; // AES-256
+const IV_LENGTH = 12;
+const TAG_LENGTH = 16;
+export type EnvMasterKeyProviderOptions = {
+  // Env accessor (injectable for tests). Defaults to process.env.
+  readonly env?: Readonly<Record<string, string | undefined>>;
+};
+// A parsed keyring: version number → raw KEK bytes. Kept separate from
+// the provider closure so loadKeyring is unit-testable in isolation.
+export type Keyring = ReadonlyMap<number, Buffer>;
+export function createEnvMasterKeyProvider(
+  opts: EnvMasterKeyProviderOptions = {},
+): MasterKeyProvider {
+  const env = opts.env ?? process.env;
+  const keyring = loadKeyring(env);
+  const current = resolveCurrentVersion(env);
+  // --- Boot validation (after keyring + current are known) -------------
+  if (!keyring.has(current)) {
+    throw new InternalError({
+      message:
+        `[secrets] currentVersion=${current} not present in keyring ` +
+        `(have versions: ${[...keyring.keys()].sort().join(",")}). ` +
+        `Check KUMIKO_SECRETS_MASTER_KEY_V${current} is set.`,
+    });
+  }
+  // --- KEK-wrap / unwrap boilerplate (AES-256-GCM) ---------------------
+  // The DEK is the plaintext here; we encrypt it with the KEK. Same
+  // algorithm as the value encryption, just a different role.
+  return {
+    async wrapDek(dek) {
+      const kek = keyring.get(current);
+      if (!kek) {
+        // Should never reach here — boot validation above guarantees the
+        // current KEK exists. Defensive throw so a surprise at runtime is
+        // surfaceable instead of silently coercing to zero-bytes.
+        throw new InternalError({
+          message: `[secrets] missing KEK for current version ${current}`,
+        });
+      }
+      const iv = randomBytes(IV_LENGTH);
+      const cipher = createCipheriv(ALGORITHM, kek, iv);
+      const wrapped = Buffer.concat([cipher.update(dek), cipher.final()]);
+      const tag = cipher.getAuthTag();
+      // Pack into a single buffer: iv || tag || ciphertext. The kekVersion
+      // is returned separately — it lives on the Envelope row, not inside
+      // encryptedDek, so ops can inspect it with `SELECT kekVersion FROM …`.
+      return {
+        encryptedDek: Buffer.concat([iv, tag, wrapped]),
+        kekVersion: current,
+      };
+    },
+    async unwrapDek(encryptedDek, kekVersion) {
+      const kek = keyring.get(kekVersion);
+      if (!kek) {
+        throw new InternalError({
+          message:
+            `[secrets] no KEK for version ${kekVersion} — ` +
+            `keyring has [${[...keyring.keys()].sort().join(",")}]. ` +
+            `If you retired an old version, you must rotate rows off it first.`,
+        });
+      }
+      const iv = encryptedDek.subarray(0, IV_LENGTH);
+      const tag = encryptedDek.subarray(IV_LENGTH, IV_LENGTH + TAG_LENGTH);
+      const ciphertext = encryptedDek.subarray(IV_LENGTH + TAG_LENGTH);
+      const decipher = createDecipheriv(ALGORITHM, kek, iv);
+      decipher.setAuthTag(tag);
+      return Buffer.concat([decipher.update(ciphertext), decipher.final()]);
+    },
+    currentVersion() {
+      return current;
+    },
+    async isAvailable() {
+      // Env-backed provider is always "available" once boot passed — the
+      // check already verified keyring presence. Real KMS providers would
+      // ping the service here.
+      return true;
+    },
+  };
+}
+// ENV schema (Decision 1 — per-version variables):
+//   KUMIKO_SECRETS_MASTER_KEY_V1=<base64 32 bytes>
+//   KUMIKO_SECRETS_MASTER_KEY_V2=<base64 32 bytes>
+//   ...
+// Rationale: k8s secrets map 1:1 per env var, so ops rotate single versions
+// without rewriting a JSON blob. A typo blasts only one key, not the ring.
+const KEY_VAR_PATTERN = /^KUMIKO_SECRETS_MASTER_KEY_V(\d+)$/;
+function loadKeyring(env: Readonly<Record<string, string | undefined>>): Keyring {
+  const keyring = new Map<number, Buffer>();
+  for (const [name, value] of Object.entries(env)) {
+    const match = name.match(KEY_VAR_PATTERN);
+    if (!match || !value) continue;
+    // biome-ignore lint/style/noNonNullAssertion: regex group 1 always present
+    const version = Number.parseInt(match[1]!, 10);
+    if (!Number.isFinite(version) || version < 1) {
+      throw new InternalError({
+        message: `[secrets] invalid KEK version in ${name} (must be positive integer)`,
+      });
+    }
+    const kek = Buffer.from(value, "base64");
+    if (kek.length !== KEK_LENGTH) {
+      throw new InternalError({
+        message: `[secrets] ${name}: KEK must decode to exactly ${KEK_LENGTH} bytes (got ${kek.length})`,
+      });
+    }
+    keyring.set(version, kek);
+  }
+  if (keyring.size === 0) {
+    throw new InternalError({
+      message: "[secrets] no KEK found in environment — set at least KUMIKO_SECRETS_MASTER_KEY_V1",
+    });
+  }
+  return keyring;
+}
+// currentVersion resolution (Decision 2 — explicit env var):
+//   KUMIKO_SECRETS_MASTER_KEY_CURRENT_VERSION=2
+// Rationale: adding a new KEK to the keyring must NOT auto-promote it to
+// "wrap with this one". Staging window — ops deploys V2 alongside V1, runs
+// a canary rotation job, then flips CURRENT_VERSION only after validation.
+// AWS KMS, GCP KMS, Azure Key Vault all separate "known-keys" from
+// "active-key-id" for the same reason.
+const CURRENT_VERSION_VAR = "KUMIKO_SECRETS_MASTER_KEY_CURRENT_VERSION";
+function resolveCurrentVersion(env: Readonly<Record<string, string | undefined>>): number {
+  const raw = env[CURRENT_VERSION_VAR];
+  if (!raw) {
+    throw new InternalError({
+      message:
+        `[secrets] ${CURRENT_VERSION_VAR} not set — explicit current-version ` +
+        "required so adding a new KEK to the env doesn't auto-promote it",
+    });
+  }
+  const version = Number.parseInt(raw, 10);
+  if (!Number.isFinite(version) || version < 1 || String(version) !== raw.trim()) {
+    throw new InternalError({
+      message: `[secrets] ${CURRENT_VERSION_VAR}="${raw}" must be a positive integer`,
+    });
+  }
+  return version;
+}

package/src/secrets/envelope.ts ADDED Viewed

@@ -0,0 +1,55 @@
+// Envelope encryption primitives. Combines a freshly-generated DEK + the
+// central KEK (via MasterKeyProvider) into a self-contained Envelope that
+// carries everything needed to decrypt later.
+import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";
+import type { Envelope, MasterKeyProvider } from "./types";
+const ALGORITHM = "aes-256-gcm";
+const DEK_LENGTH = 32; // AES-256
+const IV_LENGTH = 12; // GCM standard nonce length
+// Encrypts plaintext with a new random DEK, then wraps the DEK with the
+// current KEK. The returned Envelope is safe to store at rest.
+export async function encryptValue(
+  plaintext: string,
+  provider: MasterKeyProvider,
+): Promise<Envelope> {
+  // Fresh DEK per value. Reusing DEKs across rows would break forward
+  // secrecy (one compromised ciphertext-IV pair leaks information about
+  // others encrypted with the same DEK).
+  const dek = randomBytes(DEK_LENGTH);
+  try {
+    const iv = randomBytes(IV_LENGTH);
+    const cipher = createCipheriv(ALGORITHM, dek, iv);
+    const ciphertext = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
+    const authTag = cipher.getAuthTag();
+    const { encryptedDek, kekVersion } = await provider.wrapDek(dek);
+    return { ciphertext, iv, authTag, encryptedDek, kekVersion };
+  } finally {
+    // Zero the DEK on best effort regardless of success — if provider.wrapDek
+    // threw, the plaintext DEK must still not linger in the heap waiting
+    // for GC. Node can't guarantee secure erase, but clearing the bytes
+    // removes the obvious window.
+    dek.fill(0);
+  }
+}
+// Decrypts an Envelope. Throws if the authTag doesn't match — tampered
+// ciphertexts cannot round-trip.
+export async function decryptValue(
+  envelope: Envelope,
+  provider: MasterKeyProvider,
+): Promise<string> {
+  const dek = await provider.unwrapDek(envelope.encryptedDek, envelope.kekVersion);
+  try {
+    const decipher = createDecipheriv(ALGORITHM, dek, envelope.iv);
+    decipher.setAuthTag(envelope.authTag);
+    const plaintext = Buffer.concat([decipher.update(envelope.ciphertext), decipher.final()]);
+    return plaintext.toString("utf8");
+  } finally {
+    dek.fill(0);
+  }
+}

package/src/secrets/index.ts ADDED Viewed

@@ -0,0 +1,19 @@
+export { createDekCache, type DekCache, type DekCacheOptions } from "./dek-cache";
+export {
+  createEnvMasterKeyProvider,
+  type EnvMasterKeyProviderOptions,
+  type Keyring,
+} from "./env-master-key-provider";
+export { decryptValue, encryptValue } from "./envelope";
+export { assertNoSecretLeak } from "./leak-guard";
+export { rewrapDek } from "./rotation";
+export {
+  createSecret,
+  type Envelope,
+  isSecret,
+  type MasterKeyProvider,
+  type Secret,
+  type SecretAuditContext,
+  type SecretKeyRef,
+  type SecretsContext,
+} from "./types";

package/src/secrets/leak-guard.ts ADDED Viewed

@@ -0,0 +1,87 @@
+// Response-leak guard. Walks a handler-result tree and throws the moment it
+// finds a Secret<> branded value — the dispatcher calls this after every
+// handler returns, so accidentally including a plaintext secret in the
+// response body becomes a runtime error at the handler boundary rather
+// than a silent exfiltration to the client.
+import { InternalError } from "../errors";
+import { isSecret } from "./types";
+// Maximum depth the walker descends. A legitimate result tree is rarely
+// deeper than a few levels; the cap is a safety net against cyclic or
+// pathologically-deep user input smuggled into a response.
+const MAX_DEPTH = 12;
+export function assertNoSecretLeak(value: unknown, path = "$", depth = 0): void {
+  // skip: nothing to walk at null/undefined leaves.
+  if (value === null || value === undefined) return;
+  if (isSecret(value)) {
+    throw new InternalError({
+      message:
+        `[secrets] Secret<> leaked into response at ${path}. ` +
+        "Feature code must call .reveal() and use the plaintext in an " +
+        "external call (SMTP, HTTP header, etc.) — never return the branded " +
+        "value, even unwrapped, unless you've stripped it from the response first.",
+    });
+  }
+  // skip: hit the recursion cap. Cyclic or pathologically-deep input is
+  // more likely than a legitimate 12-level-deep secret — trade coverage
+  // for termination guarantees.
+  if (depth >= MAX_DEPTH) return;
+  const t = typeof value;
+  // skip: primitives already handled by the isSecret check above — strings,
+  // numbers, booleans can't hold a brand.
+  if (t !== "object") return;
+  // Map and Set get walked through their entries — a feature could legitimately
+  // build either, and a custom toJSON could expand them onto the wire.
+  // JSON.stringify-by-default produces "{}" for both, which would mask the
+  // leak silently; we'd rather throw at the boundary than rely on that
+  // accident.
+  if (value instanceof Map) {
+    let i = 0;
+    for (const [k, v] of value) {
+      assertNoSecretLeak(k, `${path}.<map[${i}].key>`, depth + 1);
+      assertNoSecretLeak(v, `${path}.<map[${i}].val>`, depth + 1);
+      i++;
+    }
+    // skip: map fully walked, nothing else at this level.
+    return;
+  }
+  if (value instanceof Set) {
+    let i = 0;
+    for (const v of value) {
+      assertNoSecretLeak(v, `${path}.<set[${i}]>`, depth + 1);
+      i++;
+    }
+    // skip: set fully walked, nothing else at this level.
+    return;
+  }
+  // Skip remaining class instances we can't introspect safely (Date, Buffer,
+  // Temporal.Instant, custom domain classes, etc.). Plain objects have
+  // Object.prototype or null prototype — that's what handler responses
+  // serialize to JSON from.
+  const proto = Object.getPrototypeOf(value);
+  // skip: non-plain object (class instance). Brand check at entry already
+  // verified it's not a Secret<>; anything else is opaque to us.
+  if (proto !== null && proto !== Object.prototype && !Array.isArray(value)) {
+    return;
+  }
+  if (Array.isArray(value)) {
+    for (let i = 0; i < value.length; i++) {
+      assertNoSecretLeak(value[i], `${path}[${i}]`, depth + 1);
+    }
+    // skip: array fully walked, nothing else at this level.
+    return;
+  }
+  for (const [k, v] of Object.entries(value as Record<string, unknown>)) {
+    // @cast-boundary recursive-walk
+    assertNoSecretLeak(v, `${path}.${k}`, depth + 1);
+  }
+}