@datacules/agent-identity-store-aws 0.11.0 → 0.11.1

package/LICENSE

@@ -0,0 +1,109 @@
+Datacules Agent Identity License — Version 1.0
+Copyright (c) 2026 Datacules LLC. All rights reserved.
+
+─────────────────────────────────────────────────────────────────────────────
+PREAMBLE
+─────────────────────────────────────────────────────────────────────────────
+
+This software — Agent Identity & Auth Patterns — is developed and owned by
+Datacules LLC. It is made available to the public as open-source software
+under the permissive terms below.
+
+Datacules LLC retains ownership and authorship of this software while
+granting broad, royalty-free rights for anyone to use, copy, modify, and
+distribute it — in commercial or non-commercial contexts — without requiring
+that derivative works also become open source.
+
+─────────────────────────────────────────────────────────────────────────────
+TERMS AND CONDITIONS
+─────────────────────────────────────────────────────────────────────────────
+
+1. PERMISSION TO USE
+
+   Permission is hereby granted, free of charge, to any person or
+   organization obtaining a copy of this software and associated
+   documentation files (the "Software"), to use, copy, modify, merge,
+   publish, distribute, sublicense, and/or sell copies of the Software,
+   and to permit persons to whom the Software is furnished to do so,
+   subject to the conditions below.
+
+2. ATTRIBUTION
+
+   a. Redistributions of source code must retain this copyright notice,
+      this list of conditions, and the disclaimer below.
+
+   b. Redistributions in binary form or as a product must reproduce this
+      copyright notice, this list of conditions, and the disclaimer in the
+      documentation and/or other materials provided with the distribution.
+
+   c. Neither the name "Datacules LLC" nor the names of its contributors
+      may be used to endorse or promote products derived from this Software
+      without prior written permission from Datacules LLC.
+
+3. COMMERCIAL USE
+
+   Use of this Software in commercial products, SaaS platforms, internal
+   enterprise tools, or any revenue-generating context is explicitly
+   permitted without royalty, fee, or additional licensing agreement,
+   provided that the conditions in Section 2 (Attribution) are met.
+
+4. NO COPYLEFT / NO VIRAL REQUIREMENT
+
+   This license does NOT require that derivative works, modifications,
+   or software that uses or embeds this Software be made open source.
+   You may incorporate this Software into proprietary or closed-source
+   products under your own license terms.
+
+5. MODIFICATIONS
+
+   Modified versions of the Software may be distributed under the same
+   terms as this license or under any other permissive open-source
+   license (e.g. MIT, Apache 2.0, BSD), provided that:
+
+   a. The original copyright notice of Datacules LLC is preserved.
+   b. Modifications are clearly documented and distinguished from the
+      original work.
+
+6. COMPATIBILITY
+
+   This license is compatible with other permissive open-source licenses
+   such as MIT, BSD 2-Clause, BSD 3-Clause, and Apache License 2.0. It
+   is also GPL-compatible — this Software may coexist with GPL-licensed
+   code, though this Software itself is not distributed under the GPL.
+
+─────────────────────────────────────────────────────────────────────────────
+DISCLAIMER
+─────────────────────────────────────────────────────────────────────────────
+
+THIS SOFTWARE IS PROVIDED BY DATACULES LLC AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE,
+AND NON-INFRINGEMENT ARE DISCLAIMED.
+
+IN NO EVENT SHALL DATACULES LLC OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+─────────────────────────────────────────────────────────────────────────────
+SUMMARY (non-binding)
+─────────────────────────────────────────────────────────────────────────────
+
+  ✔  Use freely — commercial, proprietary, or open-source projects
+  ✔  Modify and distribute with or without changes
+  ✔  Sell products built on this Software
+  ✔  No royalties or fees
+  ✔  No requirement to open-source your own code
+  ✔  Attribution to Datacules LLC required in source and binary distributions
+  ✗  Do not use "Datacules LLC" to endorse derived products without permission
+
+─────────────────────────────────────────────────────────────────────────────
+CONTACT
+─────────────────────────────────────────────────────────────────────────────
+
+Datacules LLC
+For licensing enquiries: legal@datacules.com
+Product: https://github.com/hvrcharon1/agent-identity

package/dist/cjs/AwsCredentialStore.js

@@ -0,0 +1,102 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AwsCredentialStore = void 0;
+/**
+ * AWS Secrets Manager + DynamoDB CredentialStore implementation.
+ *
+ * Secrets Manager holds the credential metadata JSON (id, kind, scope, status, ref).
+ * DynamoDB holds migration reservation locks (TTL-based, atomic conditional writes).
+ *
+ * Setup:
+ *   1. Store each Credential as a JSON string in Secrets Manager.
+ *      Tag it with  agent-identity-status: active|pending|revoked
+ *      so listActive() can filter via the tag API.
+ *   2. Create a DynamoDB table named 'agent-identity-locks' with
+ *      partition key 'ref' (String) and TTL attribute 'expiresAt' (Number).
+ *   3. Grant the IAM role: secretsmanager:GetSecretValue,
+ *      secretsmanager:ListSecrets, dynamodb:PutItem, dynamodb:DeleteItem.
+ */
+const client_secrets_manager_1 = require("@aws-sdk/client-secrets-manager");
+const client_dynamodb_1 = require("@aws-sdk/client-dynamodb");
+class AwsCredentialStore {
+    constructor(options = {}) {
+        const config = options.region ? { region: options.region } : {};
+        this.sm = new client_secrets_manager_1.SecretsManagerClient(config);
+        this.dynamo = new client_dynamodb_1.DynamoDBClient(config);
+        this.locksTable = options.locksTable ?? 'agent-identity-locks';
+    }
+    async findByRef(ref) {
+        try {
+            const res = await this.sm.send(new client_secrets_manager_1.GetSecretValueCommand({ SecretId: ref }));
+            if (!res.SecretString)
+                return null;
+            const cred = JSON.parse(res.SecretString);
+            return cred.status === 'active' ? cred : null;
+        }
+        catch {
+            return null;
+        }
+    }
+    async listActive() {
+        const res = await this.sm.send(new client_secrets_manager_1.ListSecretsCommand({
+            Filters: [{ Key: 'tag-key', Values: ['agent-identity-status'] }],
+        }));
+        const results = [];
+        for (const s of res.SecretList ?? []) {
+            const tag = s.Tags?.find((t) => t.Key === 'agent-identity-status');
+            if (tag?.Value !== 'active')
+                continue;
+            try {
+                const cred = JSON.parse(s.Description ?? '{}');
+                results.push(cred);
+            }
+            catch {
+                // malformed description — skip
+            }
+        }
+        return results;
+    }
+    async listByKind(kind) {
+        const all = await this.listActive();
+        return all.filter((c) => c.kind === kind);
+    }
+    async reserve(ref, migrationId, ttlSeconds) {
+        const expiresAt = Math.floor(Date.now() / 1000) + ttlSeconds;
+        try {
+            await this.dynamo.send(new client_dynamodb_1.PutItemCommand({
+                TableName: this.locksTable,
+                Item: {
+                    ref: { S: ref },
+                    migrationId: { S: migrationId },
+                    expiresAt: { N: String(expiresAt) },
+                },
+                // Succeed only if: no item exists, OR this migration already owns it, OR the TTL has expired
+                ConditionExpression: 'attribute_not_exists(#r) OR migrationId = :mid OR expiresAt < :now',
+                ExpressionAttributeNames: { '#r': 'ref' },
+                ExpressionAttributeValues: {
+                    ':mid': { S: migrationId },
+                    ':now': { N: String(Math.floor(Date.now() / 1000)) },
+                },
+            }));
+            return true;
+        }
+        catch {
+            return false; // ConditionalCheckFailedException — already locked
+        }
+    }
+    async release(ref, migrationId) {
+        try {
+            await this.dynamo.send(new client_dynamodb_1.DeleteItemCommand({
+                TableName: this.locksTable,
+                Key: { ref: { S: ref } },
+                ConditionExpression: 'migrationId = :mid',
+                ExpressionAttributeValues: { ':mid': { S: migrationId } },
+            }));
+        }
+        catch {
+            // Idempotent — already released or never held
+        }
+    }
+}
+exports.AwsCredentialStore = AwsCredentialStore;
+//# sourceMappingURL=AwsCredentialStore.js.map

package/dist/cjs/AwsCredentialStore.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"AwsCredentialStore.js","sourceRoot":"","sources":["../../src/AwsCredentialStore.ts"],"names":[],"mappings":";;;AAAA;;;;;;;;;;;;;;GAcG;AACH,4EAIyC;AACzC,8DAIkC;AAUlC,MAAa,kBAAkB;IAK7B,YAAY,UAAqC,EAAE;QACjD,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAChE,IAAI,CAAC,EAAE,GAAG,IAAI,6CAAoB,CAAC,MAAM,CAAC,CAAC;QAC3C,IAAI,CAAC,MAAM,GAAG,IAAI,gCAAc,CAAC,MAAM,CAAC,CAAC;QACzC,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,sBAAsB,CAAC;IACjE,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,GAAW;QACzB,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,8CAAqB,CAAC,EAAE,QAAQ,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC;YAC7E,IAAI,CAAC,GAAG,CAAC,YAAY;gBAAE,OAAO,IAAI,CAAC;YACnC,MAAM,IAAI,GAAe,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;YACtD,OAAO,IAAI,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC;QAChD,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,KAAK,CAAC,UAAU;QACd,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,EAAE,CAAC,IAAI,CAC5B,IAAI,2CAAkB,CAAC;YACrB,OAAO,EAAE,CAAC,EAAE,GAAG,EAAE,SAAS,EAAE,MAAM,EAAE,CAAC,uBAAuB,CAAC,EAAE,CAAC;SACjE,CAAC,CACH,CAAC;QACF,MAAM,OAAO,GAAiB,EAAE,CAAC;QACjC,KAAK,MAAM,CAAC,IAAI,GAAG,CAAC,UAAU,IAAI,EAAE,EAAE,CAAC;YACrC,MAAM,GAAG,GAAG,CAAC,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,KAAK,uBAAuB,CAAC,CAAC;YACnE,IAAI,GAAG,EAAE,KAAK,KAAK,QAAQ;gBAAE,SAAS;YACtC,IAAI,CAAC;gBACH,MAAM,IAAI,GAAe,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,WAAW,IAAI,IAAI,CAAC,CAAC;gBAC3D,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACrB,CAAC;YAAC,MAAM,CAAC;gBACP,+BAA+B;YACjC,CAAC;QACH,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,IAAoB;QACnC,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC;QACpC,OAAO,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,CAAC,CAAC;IAC5C,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,GAAW,EAAE,WAAmB,EAAE,UAAkB;QAChE,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,UAAU,CAAC;QAC7D,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CACpB,IAAI,gCAAc,CAAC;gBACjB,SAAS,EAAE,IAAI,CAAC,UAAU;gBAC1B,IAAI,EAAE;oBACJ,GAAG,EAAE,EAAE,CAAC,EAAE,GAAG,EAAE;oBACf,WAAW,EAAE,EAAE,CAAC,EAAE,WAAW,EAAE;oBAC/B,SAAS,EAAE,EAAE,CAAC,EAAE,MAAM,CAAC,SAAS,CAAC,EAAE;iBACpC;gBACD,6FAA6F;gBAC7F,mBAAmB,EACjB,oEAAoE;gBACtE,wBAAwB,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE;gBACzC,yBAAyB,EAAE;oBACzB,MAAM,EAAE,EAAE,CAAC,EAAE,WAAW,EAAE;oBAC1B,MAAM,EAAE,EAAE,CAAC,EAAE,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,EAAE;iBACrD;aACF,CAAC,CACH,CAAC;YACF,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC,CAAC,mDAAmD;QACnE,CAAC;IACH,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,GAAW,EAAE,WAAmB;QAC5C,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CACpB,IAAI,mCAAiB,CAAC;gBACpB,SAAS,EAAE,IAAI,CAAC,UAAU;gBAC1B,GAAG,EAAE,EAAE,GAAG,EAAE,EAAE,CAAC,EAAE,GAAG,EAAE,EAAE;gBACxB,mBAAmB,EAAE,oBAAoB;gBACzC,yBAAyB,EAAE,EAAE,MAAM,EAAE,EAAE,CAAC,EAAE,WAAW,EAAE,EAAE;aAC1D,CAAC,CACH,CAAC;QACJ,CAAC;QAAC,MAAM,CAAC;YACP,8CAA8C;QAChD,CAAC;IACH,CAAC;CACF;AAzFD,gDAyFC"}

package/dist/cjs/index.js

@@ -0,0 +1,6 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AwsCredentialStore = void 0;
+var AwsCredentialStore_1 = require("./AwsCredentialStore");
+Object.defineProperty(exports, "AwsCredentialStore", { enumerable: true, get: function () { return AwsCredentialStore_1.AwsCredentialStore; } });
+//# sourceMappingURL=index.js.map

package/dist/cjs/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";;;AAAA,2DAA0D;AAAjD,wHAAA,kBAAkB,OAAA"}

package/dist/esm/AwsCredentialStore.js

@@ -0,0 +1,98 @@
+/**
+ * AWS Secrets Manager + DynamoDB CredentialStore implementation.
+ *
+ * Secrets Manager holds the credential metadata JSON (id, kind, scope, status, ref).
+ * DynamoDB holds migration reservation locks (TTL-based, atomic conditional writes).
+ *
+ * Setup:
+ *   1. Store each Credential as a JSON string in Secrets Manager.
+ *      Tag it with  agent-identity-status: active|pending|revoked
+ *      so listActive() can filter via the tag API.
+ *   2. Create a DynamoDB table named 'agent-identity-locks' with
+ *      partition key 'ref' (String) and TTL attribute 'expiresAt' (Number).
+ *   3. Grant the IAM role: secretsmanager:GetSecretValue,
+ *      secretsmanager:ListSecrets, dynamodb:PutItem, dynamodb:DeleteItem.
+ */
+import { SecretsManagerClient, GetSecretValueCommand, ListSecretsCommand, } from '@aws-sdk/client-secrets-manager';
+import { DynamoDBClient, PutItemCommand, DeleteItemCommand, } from '@aws-sdk/client-dynamodb';
+export class AwsCredentialStore {
+    constructor(options = {}) {
+        const config = options.region ? { region: options.region } : {};
+        this.sm = new SecretsManagerClient(config);
+        this.dynamo = new DynamoDBClient(config);
+        this.locksTable = options.locksTable ?? 'agent-identity-locks';
+    }
+    async findByRef(ref) {
+        try {
+            const res = await this.sm.send(new GetSecretValueCommand({ SecretId: ref }));
+            if (!res.SecretString)
+                return null;
+            const cred = JSON.parse(res.SecretString);
+            return cred.status === 'active' ? cred : null;
+        }
+        catch {
+            return null;
+        }
+    }
+    async listActive() {
+        const res = await this.sm.send(new ListSecretsCommand({
+            Filters: [{ Key: 'tag-key', Values: ['agent-identity-status'] }],
+        }));
+        const results = [];
+        for (const s of res.SecretList ?? []) {
+            const tag = s.Tags?.find((t) => t.Key === 'agent-identity-status');
+            if (tag?.Value !== 'active')
+                continue;
+            try {
+                const cred = JSON.parse(s.Description ?? '{}');
+                results.push(cred);
+            }
+            catch {
+                // malformed description — skip
+            }
+        }
+        return results;
+    }
+    async listByKind(kind) {
+        const all = await this.listActive();
+        return all.filter((c) => c.kind === kind);
+    }
+    async reserve(ref, migrationId, ttlSeconds) {
+        const expiresAt = Math.floor(Date.now() / 1000) + ttlSeconds;
+        try {
+            await this.dynamo.send(new PutItemCommand({
+                TableName: this.locksTable,
+                Item: {
+                    ref: { S: ref },
+                    migrationId: { S: migrationId },
+                    expiresAt: { N: String(expiresAt) },
+                },
+                // Succeed only if: no item exists, OR this migration already owns it, OR the TTL has expired
+                ConditionExpression: 'attribute_not_exists(#r) OR migrationId = :mid OR expiresAt < :now',
+                ExpressionAttributeNames: { '#r': 'ref' },
+                ExpressionAttributeValues: {
+                    ':mid': { S: migrationId },
+                    ':now': { N: String(Math.floor(Date.now() / 1000)) },
+                },
+            }));
+            return true;
+        }
+        catch {
+            return false; // ConditionalCheckFailedException — already locked
+        }
+    }
+    async release(ref, migrationId) {
+        try {
+            await this.dynamo.send(new DeleteItemCommand({
+                TableName: this.locksTable,
+                Key: { ref: { S: ref } },
+                ConditionExpression: 'migrationId = :mid',
+                ExpressionAttributeValues: { ':mid': { S: migrationId } },
+            }));
+        }
+        catch {
+            // Idempotent — already released or never held
+        }
+    }
+}
+//# sourceMappingURL=AwsCredentialStore.js.map

package/dist/esm/AwsCredentialStore.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"AwsCredentialStore.js","sourceRoot":"","sources":["../../src/AwsCredentialStore.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AACH,OAAO,EACL,oBAAoB,EACpB,qBAAqB,EACrB,kBAAkB,GACnB,MAAM,iCAAiC,CAAC;AACzC,OAAO,EACL,cAAc,EACd,cAAc,EACd,iBAAiB,GAClB,MAAM,0BAA0B,CAAC;AAUlC,MAAM,OAAO,kBAAkB;IAK7B,YAAY,UAAqC,EAAE;QACjD,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAChE,IAAI,CAAC,EAAE,GAAG,IAAI,oBAAoB,CAAC,MAAM,CAAC,CAAC;QAC3C,IAAI,CAAC,MAAM,GAAG,IAAI,cAAc,CAAC,MAAM,CAAC,CAAC;QACzC,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,sBAAsB,CAAC;IACjE,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,GAAW;QACzB,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,qBAAqB,CAAC,EAAE,QAAQ,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC;YAC7E,IAAI,CAAC,GAAG,CAAC,YAAY;gBAAE,OAAO,IAAI,CAAC;YACnC,MAAM,IAAI,GAAe,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;YACtD,OAAO,IAAI,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC;QAChD,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,KAAK,CAAC,UAAU;QACd,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,EAAE,CAAC,IAAI,CAC5B,IAAI,kBAAkB,CAAC;YACrB,OAAO,EAAE,CAAC,EAAE,GAAG,EAAE,SAAS,EAAE,MAAM,EAAE,CAAC,uBAAuB,CAAC,EAAE,CAAC;SACjE,CAAC,CACH,CAAC;QACF,MAAM,OAAO,GAAiB,EAAE,CAAC;QACjC,KAAK,MAAM,CAAC,IAAI,GAAG,CAAC,UAAU,IAAI,EAAE,EAAE,CAAC;YACrC,MAAM,GAAG,GAAG,CAAC,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,KAAK,uBAAuB,CAAC,CAAC;YACnE,IAAI,GAAG,EAAE,KAAK,KAAK,QAAQ;gBAAE,SAAS;YACtC,IAAI,CAAC;gBACH,MAAM,IAAI,GAAe,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,WAAW,IAAI,IAAI,CAAC,CAAC;gBAC3D,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACrB,CAAC;YAAC,MAAM,CAAC;gBACP,+BAA+B;YACjC,CAAC;QACH,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,IAAoB;QACnC,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC;QACpC,OAAO,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,CAAC,CAAC;IAC5C,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,GAAW,EAAE,WAAmB,EAAE,UAAkB;QAChE,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,UAAU,CAAC;QAC7D,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CACpB,IAAI,cAAc,CAAC;gBACjB,SAAS,EAAE,IAAI,CAAC,UAAU;gBAC1B,IAAI,EAAE;oBACJ,GAAG,EAAE,EAAE,CAAC,EAAE,GAAG,EAAE;oBACf,WAAW,EAAE,EAAE,CAAC,EAAE,WAAW,EAAE;oBAC/B,SAAS,EAAE,EAAE,CAAC,EAAE,MAAM,CAAC,SAAS,CAAC,EAAE;iBACpC;gBACD,6FAA6F;gBAC7F,mBAAmB,EACjB,oEAAoE;gBACtE,wBAAwB,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE;gBACzC,yBAAyB,EAAE;oBACzB,MAAM,EAAE,EAAE,CAAC,EAAE,WAAW,EAAE;oBAC1B,MAAM,EAAE,EAAE,CAAC,EAAE,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,EAAE;iBACrD;aACF,CAAC,CACH,CAAC;YACF,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC,CAAC,mDAAmD;QACnE,CAAC;IACH,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,GAAW,EAAE,WAAmB;QAC5C,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CACpB,IAAI,iBAAiB,CAAC;gBACpB,SAAS,EAAE,IAAI,CAAC,UAAU;gBAC1B,GAAG,EAAE,EAAE,GAAG,EAAE,EAAE,CAAC,EAAE,GAAG,EAAE,EAAE;gBACxB,mBAAmB,EAAE,oBAAoB;gBACzC,yBAAyB,EAAE,EAAE,MAAM,EAAE,EAAE,CAAC,EAAE,WAAW,EAAE,EAAE;aAC1D,CAAC,CACH,CAAC;QACJ,CAAC;QAAC,MAAM,CAAC;YACP,8CAA8C;QAChD,CAAC;IACH,CAAC;CACF"}

package/dist/esm/index.js

@@ -0,0 +1,2 @@
+export { AwsCredentialStore } from './AwsCredentialStore';
+//# sourceMappingURL=index.js.map

package/dist/esm/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,kBAAkB,EAAE,MAAM,sBAAsB,CAAC"}

package/dist/types/AwsCredentialStore.d.ts

@@ -0,0 +1,19 @@
+import type { Credential, CredentialKind, CredentialStore } from '@datacules/agent-identity';
+export interface AwsCredentialStoreOptions {
+    /** AWS region (default: reads AWS_REGION env var) */
+    region?: string;
+    /** DynamoDB table name for migration locks (default: 'agent-identity-locks') */
+    locksTable?: string;
+}
+export declare class AwsCredentialStore implements CredentialStore {
+    private readonly sm;
+    private readonly dynamo;
+    private readonly locksTable;
+    constructor(options?: AwsCredentialStoreOptions);
+    findByRef(ref: string): Promise<Credential | null>;
+    listActive(): Promise<Credential[]>;
+    listByKind(kind: CredentialKind): Promise<Credential[]>;
+    reserve(ref: string, migrationId: string, ttlSeconds: number): Promise<boolean>;
+    release(ref: string, migrationId: string): Promise<void>;
+}
+//# sourceMappingURL=AwsCredentialStore.d.ts.map

package/dist/types/AwsCredentialStore.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"AwsCredentialStore.d.ts","sourceRoot":"","sources":["../../src/AwsCredentialStore.ts"],"names":[],"mappings":"AAyBA,OAAO,KAAK,EAAE,UAAU,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,2BAA2B,CAAC;AAE7F,MAAM,WAAW,yBAAyB;IACxC,qDAAqD;IACrD,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,gFAAgF;IAChF,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,qBAAa,kBAAmB,YAAW,eAAe;IACxD,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAuB;IAC1C,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAiB;IACxC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAS;gBAExB,OAAO,GAAE,yBAA8B;IAO7C,SAAS,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC;IAWlD,UAAU,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;IAoBnC,UAAU,CAAC,IAAI,EAAE,cAAc,GAAG,OAAO,CAAC,UAAU,EAAE,CAAC;IAKvD,OAAO,CAAC,GAAG,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IA2B/E,OAAO,CAAC,GAAG,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAc/D"}

package/{src/index.ts → dist/types/index.d.ts}

@@ -1,2 +1,3 @@
 export { AwsCredentialStore } from './AwsCredentialStore';
 export type { AwsCredentialStoreOptions } from './AwsCredentialStore';
+//# sourceMappingURL=index.d.ts.map

package/dist/types/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,kBAAkB,EAAE,MAAM,sBAAsB,CAAC;AAC1D,YAAY,EAAE,yBAAyB,EAAE,MAAM,sBAAsB,CAAC"}

package/package.json

@@ -1,13 +1,41 @@
 {
   "name": "@datacules/agent-identity-store-aws",
-  "version": "0.11.0",
+  "version": "0.11.1",
   "private": false,
   "description": "AWS Secrets Manager + DynamoDB credential store for @datacules/agent-identity",
+  "author": "Datacules LLC",
+  "license": "SEE LICENSE IN LICENSE",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/hvrcharon1/agent-identity.git",
+    "directory": "packages/stores/aws"
+  },
+  "keywords": [
+    "agent-identity",
+    "aws",
+    "secrets-manager",
+    "dynamodb",
+    "credential-store",
+    "ai-agents",
+    "datacules"
+  ],
   "main": "./dist/cjs/index.js",
   "module": "./dist/esm/index.js",
   "types": "./dist/types/index.d.ts",
+  "exports": {
+    ".": {
+      "import": "./dist/esm/index.js",
+      "require": "./dist/cjs/index.js",
+      "types": "./dist/types/index.d.ts"
+    }
+  },
+  "files": [
+    "dist",
+    "LICENSE",
+    "README.md"
+  ],
   "scripts": {
-    "build": "tsc -p tsconfig.build.json",
+    "build": "tsc -p tsconfig.build.json && tsc -p tsconfig.cjs.json",
     "type-check": "tsc --noEmit"
   },
   "dependencies": {
@@ -15,7 +43,7 @@
     "@aws-sdk/client-dynamodb": "^3.600.0"
   },
   "peerDependencies": {
-    "@datacules/agent-identity": "^0.6.0"
+    "@datacules/agent-identity": "^0.11.1"
   },
   "devDependencies": {
     "@datacules/agent-identity": "*",

package/src/AwsCredentialStore.ts

@@ -1,124 +0,0 @@
-/**
- * AWS Secrets Manager + DynamoDB CredentialStore implementation.
- *
- * Secrets Manager holds the credential metadata JSON (id, kind, scope, status, ref).
- * DynamoDB holds migration reservation locks (TTL-based, atomic conditional writes).
- *
- * Setup:
- *   1. Store each Credential as a JSON string in Secrets Manager.
- *      Tag it with  agent-identity-status: active|pending|revoked
- *      so listActive() can filter via the tag API.
- *   2. Create a DynamoDB table named 'agent-identity-locks' with
- *      partition key 'ref' (String) and TTL attribute 'expiresAt' (Number).
- *   3. Grant the IAM role: secretsmanager:GetSecretValue,
- *      secretsmanager:ListSecrets, dynamodb:PutItem, dynamodb:DeleteItem.
- */
-import {
-  SecretsManagerClient,
-  GetSecretValueCommand,
-  ListSecretsCommand,
-} from '@aws-sdk/client-secrets-manager';
-import {
-  DynamoDBClient,
-  PutItemCommand,
-  DeleteItemCommand,
-} from '@aws-sdk/client-dynamodb';
-import type { Credential, CredentialKind, CredentialStore } from '@datacules/agent-identity';
-
-export interface AwsCredentialStoreOptions {
-  /** AWS region (default: reads AWS_REGION env var) */
-  region?: string;
-  /** DynamoDB table name for migration locks (default: 'agent-identity-locks') */
-  locksTable?: string;
-}
-
-export class AwsCredentialStore implements CredentialStore {
-  private readonly sm: SecretsManagerClient;
-  private readonly dynamo: DynamoDBClient;
-  private readonly locksTable: string;
-
-  constructor(options: AwsCredentialStoreOptions = {}) {
-    const config = options.region ? { region: options.region } : {};
-    this.sm = new SecretsManagerClient(config);
-    this.dynamo = new DynamoDBClient(config);
-    this.locksTable = options.locksTable ?? 'agent-identity-locks';
-  }
-
-  async findByRef(ref: string): Promise<Credential | null> {
-    try {
-      const res = await this.sm.send(new GetSecretValueCommand({ SecretId: ref }));
-      if (!res.SecretString) return null;
-      const cred: Credential = JSON.parse(res.SecretString);
-      return cred.status === 'active' ? cred : null;
-    } catch {
-      return null;
-    }
-  }
-
-  async listActive(): Promise<Credential[]> {
-    const res = await this.sm.send(
-      new ListSecretsCommand({
-        Filters: [{ Key: 'tag-key', Values: ['agent-identity-status'] }],
-      })
-    );
-    const results: Credential[] = [];
-    for (const s of res.SecretList ?? []) {
-      const tag = s.Tags?.find((t) => t.Key === 'agent-identity-status');
-      if (tag?.Value !== 'active') continue;
-      try {
-        const cred: Credential = JSON.parse(s.Description ?? '{}');
-        results.push(cred);
-      } catch {
-        // malformed description — skip
-      }
-    }
-    return results;
-  }
-
-  async listByKind(kind: CredentialKind): Promise<Credential[]> {
-    const all = await this.listActive();
-    return all.filter((c) => c.kind === kind);
-  }
-
-  async reserve(ref: string, migrationId: string, ttlSeconds: number): Promise<boolean> {
-    const expiresAt = Math.floor(Date.now() / 1000) + ttlSeconds;
-    try {
-      await this.dynamo.send(
-        new PutItemCommand({
-          TableName: this.locksTable,
-          Item: {
-            ref: { S: ref },
-            migrationId: { S: migrationId },
-            expiresAt: { N: String(expiresAt) },
-          },
-          // Succeed only if: no item exists, OR this migration already owns it, OR the TTL has expired
-          ConditionExpression:
-            'attribute_not_exists(#r) OR migrationId = :mid OR expiresAt < :now',
-          ExpressionAttributeNames: { '#r': 'ref' },
-          ExpressionAttributeValues: {
-            ':mid': { S: migrationId },
-            ':now': { N: String(Math.floor(Date.now() / 1000)) },
-          },
-        })
-      );
-      return true;
-    } catch {
-      return false; // ConditionalCheckFailedException — already locked
-    }
-  }
-
-  async release(ref: string, migrationId: string): Promise<void> {
-    try {
-      await this.dynamo.send(
-        new DeleteItemCommand({
-          TableName: this.locksTable,
-          Key: { ref: { S: ref } },
-          ConditionExpression: 'migrationId = :mid',
-          ExpressionAttributeValues: { ':mid': { S: migrationId } },
-        })
-      );
-    } catch {
-      // Idempotent — already released or never held
-    }
-  }
-}

package/src/aws.test.ts

@@ -1,196 +0,0 @@
-import { describe, it, expect, vi, beforeEach } from 'vitest';
-
-// Mock AWS SDK modules — constructors return objects with vi.fn() send methods.
-// vi.mock() calls are hoisted before imports by Vitest.
-vi.mock('@aws-sdk/client-secrets-manager', () => ({
-  SecretsManagerClient: vi.fn(() => ({ send: vi.fn() })),
-  GetSecretValueCommand: vi.fn((input: unknown) => input),
-  ListSecretsCommand: vi.fn((input: unknown) => input),
-}));
-
-vi.mock('@aws-sdk/client-dynamodb', () => ({
-  DynamoDBClient: vi.fn(() => ({ send: vi.fn() })),
-  PutItemCommand: vi.fn((input: unknown) => input),
-  DeleteItemCommand: vi.fn((input: unknown) => input),
-}));
-
-import { AwsCredentialStore } from './index.js';
-import type { Credential } from '@datacules/agent-identity';
-
-const makeCred = (overrides: Partial<Credential> = {}): Credential => ({
-  id: 'cred-openai',
-  kind: 'fixed',
-  name: 'OpenAI API Key',
-  scope: 'global',
-  status: 'active',
-  provider: 'openai',
-  ref: 'openai-prod-slot',
-  ...overrides,
-});
-
-describe('AwsCredentialStore', () => {
-  let store: AwsCredentialStore;
-  let smSend: ReturnType<typeof vi.fn>;
-  let dynamoSend: ReturnType<typeof vi.fn>;
-
-  beforeEach(() => {
-    vi.clearAllMocks();
-    store = new AwsCredentialStore({ region: 'us-east-1', locksTable: 'test-locks' });
-    // Access mock send functions injected by the mocked constructors
-    smSend = (store as any).sm.send as ReturnType<typeof vi.fn>;
-    dynamoSend = (store as any).dynamo.send as ReturnType<typeof vi.fn>;
-  });
-
-  // ─── findByRef() ────────────────────────────────────────────────────────────
-
-  describe('findByRef()', () => {
-    it('returns active credential when SM returns active SecretString', async () => {
-      const cred = makeCred();
-      smSend.mockResolvedValue({ SecretString: JSON.stringify(cred) });
-      const result = await store.findByRef('openai-prod-slot');
-      expect(result).toEqual(cred);
-    });
-
-    it('returns null when credential status is not active', async () => {
-      const cred = makeCred({ status: 'pending' });
-      smSend.mockResolvedValue({ SecretString: JSON.stringify(cred) });
-      expect(await store.findByRef('openai-prod-slot')).toBeNull();
-    });
-
-    it('returns null when SecretString is absent on the SM response', async () => {
-      smSend.mockResolvedValue({ SecretString: undefined });
-      expect(await store.findByRef('openai-prod-slot')).toBeNull();
-    });
-
-    it('returns null without throwing when SM send throws', async () => {
-      smSend.mockRejectedValue(new Error('ResourceNotFoundException'));
-      expect(await store.findByRef('missing-ref')).toBeNull();
-    });
-
-    it('sends GetSecretValueCommand with the correct SecretId', async () => {
-      const cred = makeCred();
-      smSend.mockResolvedValue({ SecretString: JSON.stringify(cred) });
-      await store.findByRef('my-secret-ref');
-      expect(smSend).toHaveBeenCalledWith(
-        expect.objectContaining({ SecretId: 'my-secret-ref' })
-      );
-    });
-  });
-
-  // ─── listActive() ───────────────────────────────────────────────────────────
-
-  describe('listActive()', () => {
-    it('returns credentials where tag value is active, parsed from Description', async () => {
-      const cred = makeCred();
-      smSend.mockResolvedValue({
-        SecretList: [
-          {
-            Tags: [{ Key: 'agent-identity-status', Value: 'active' }],
-            Description: JSON.stringify(cred),
-          },
-        ],
-      });
-      const results = await store.listActive();
-      expect(results).toHaveLength(1);
-      expect(results[0]).toEqual(cred);
-    });
-
-    it('skips secrets where the agent-identity-status tag value is not active', async () => {
-      smSend.mockResolvedValue({
-        SecretList: [
-          {
-            Tags: [{ Key: 'agent-identity-status', Value: 'revoked' }],
-            Description: JSON.stringify(makeCred({ status: 'revoked' })),
-          },
-        ],
-      });
-      expect(await store.listActive()).toHaveLength(0);
-    });
-
-    it('returns empty array when SecretList is undefined', async () => {
-      smSend.mockResolvedValue({ SecretList: undefined });
-      expect(await store.listActive()).toEqual([]);
-    });
-
-    it('skips secrets with malformed Description JSON without throwing', async () => {
-      smSend.mockResolvedValue({
-        SecretList: [
-          {
-            Tags: [{ Key: 'agent-identity-status', Value: 'active' }],
-            Description: 'not-valid-json',
-          },
-        ],
-      });
-      expect(await store.listActive()).toHaveLength(0);
-    });
-  });
-
-  // ─── listByKind() ───────────────────────────────────────────────────────────
-
-  describe('listByKind()', () => {
-    it('returns only credentials matching the requested kind', async () => {
-      const fixed = makeCred({ kind: 'fixed', id: 'cred-fixed' });
-      const delegated = makeCred({ kind: 'user-delegated', id: 'cred-user', ref: 'user-slot' });
-      smSend.mockResolvedValue({
-        SecretList: [
-          { Tags: [{ Key: 'agent-identity-status', Value: 'active' }], Description: JSON.stringify(fixed) },
-          { Tags: [{ Key: 'agent-identity-status', Value: 'active' }], Description: JSON.stringify(delegated) },
-        ],
-      });
-      const result = await store.listByKind('fixed');
-      expect(result).toHaveLength(1);
-      expect(result[0].kind).toBe('fixed');
-    });
-
-    it('returns empty array when no credentials match the requested kind', async () => {
-      const fixed = makeCred({ kind: 'fixed' });
-      smSend.mockResolvedValue({
-        SecretList: [
-          { Tags: [{ Key: 'agent-identity-status', Value: 'active' }], Description: JSON.stringify(fixed) },
-        ],
-      });
-      expect(await store.listByKind('user-delegated')).toHaveLength(0);
-    });
-  });
-
-  // ─── reserve() ──────────────────────────────────────────────────────────────
-
-  describe('reserve()', () => {
-    it('returns true when DynamoDB PutItem succeeds (no conflicting lock)', async () => {
-      dynamoSend.mockResolvedValue({});
-      expect(await store.reserve('cred-ref', 'migration-1', 300)).toBe(true);
-    });
-
-    it('returns false when DynamoDB throws ConditionalCheckFailedException', async () => {
-      dynamoSend.mockRejectedValue(new Error('ConditionalCheckFailedException'));
-      expect(await store.reserve('cred-ref', 'migration-2', 300)).toBe(false);
-    });
-
-    it('sends PutItemCommand to the configured locksTable name', async () => {
-      dynamoSend.mockResolvedValue({});
-      await store.reserve('my-ref', 'mig-id', 600);
-      expect(dynamoSend).toHaveBeenCalledWith(
-        expect.objectContaining({ TableName: 'test-locks' })
-      );
-    });
-  });
-
-  // ─── release() ──────────────────────────────────────────────────────────────
-
-  describe('release()', () => {
-    it('issues a DeleteItemCommand with the correct ref key', async () => {
-      dynamoSend.mockResolvedValue({});
-      await store.release('cred-ref', 'migration-1');
-      expect(dynamoSend).toHaveBeenCalledWith(
-        expect.objectContaining({
-          Key: { ref: { S: 'cred-ref' } },
-        })
-      );
-    });
-
-    it('resolves without throwing when DeleteItem throws (idempotent release)', async () => {
-      dynamoSend.mockRejectedValue(new Error('ConditionalCheckFailedException'));
-      await expect(store.release('cred-ref', 'migration-x')).resolves.toBeUndefined();
-    });
-  });
-});