npm - @datacules/agent-identity-store-azure - Versions diffs - 0.10.0 → 0.11.1 - Mend

@datacules/agent-identity-store-azure 0.10.0 → 0.11.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (22) hide show

package/LICENSE +109 -0
package/dist/cjs/AzureKeyVaultCredentialStore.js +148 -0
package/dist/cjs/AzureKeyVaultCredentialStore.js.map +1 -0
package/dist/cjs/azure.test.js +196 -0
package/dist/cjs/azure.test.js.map +1 -0
package/dist/cjs/index.js +6 -0
package/dist/cjs/index.js.map +1 -0
package/dist/esm/AzureKeyVaultCredentialStore.js +148 -0
package/dist/esm/AzureKeyVaultCredentialStore.js.map +1 -0
package/dist/esm/azure.test.js +196 -0
package/dist/esm/azure.test.js.map +1 -0
package/dist/esm/index.js +6 -0
package/dist/esm/index.js.map +1 -0
package/dist/types/AzureKeyVaultCredentialStore.d.ts +31 -0
package/dist/types/AzureKeyVaultCredentialStore.d.ts.map +1 -0
package/dist/types/azure.test.d.ts +2 -0
package/dist/types/azure.test.d.ts.map +1 -0
package/{src/index.ts → dist/types/index.d.ts} +1 -0
package/dist/types/index.d.ts.map +1 -0
package/package.json +19 -3
package/src/AzureKeyVaultCredentialStore.ts +0 -184
package/src/azure.test.ts +0 -247

package/LICENSE ADDED Viewed

@@ -0,0 +1,109 @@
+Datacules Agent Identity License — Version 1.0
+Copyright (c) 2026 Datacules LLC. All rights reserved.
+─────────────────────────────────────────────────────────────────────────────
+PREAMBLE
+─────────────────────────────────────────────────────────────────────────────
+This software — Agent Identity & Auth Patterns — is developed and owned by
+Datacules LLC. It is made available to the public as open-source software
+under the permissive terms below.
+Datacules LLC retains ownership and authorship of this software while
+granting broad, royalty-free rights for anyone to use, copy, modify, and
+distribute it — in commercial or non-commercial contexts — without requiring
+that derivative works also become open source.
+─────────────────────────────────────────────────────────────────────────────
+TERMS AND CONDITIONS
+─────────────────────────────────────────────────────────────────────────────
+1. PERMISSION TO USE
+   Permission is hereby granted, free of charge, to any person or
+   organization obtaining a copy of this software and associated
+   documentation files (the "Software"), to use, copy, modify, merge,
+   publish, distribute, sublicense, and/or sell copies of the Software,
+   and to permit persons to whom the Software is furnished to do so,
+   subject to the conditions below.
+2. ATTRIBUTION
+   a. Redistributions of source code must retain this copyright notice,
+      this list of conditions, and the disclaimer below.
+   b. Redistributions in binary form or as a product must reproduce this
+      copyright notice, this list of conditions, and the disclaimer in the
+      documentation and/or other materials provided with the distribution.
+   c. Neither the name "Datacules LLC" nor the names of its contributors
+      may be used to endorse or promote products derived from this Software
+      without prior written permission from Datacules LLC.
+3. COMMERCIAL USE
+   Use of this Software in commercial products, SaaS platforms, internal
+   enterprise tools, or any revenue-generating context is explicitly
+   permitted without royalty, fee, or additional licensing agreement,
+   provided that the conditions in Section 2 (Attribution) are met.
+4. NO COPYLEFT / NO VIRAL REQUIREMENT
+   This license does NOT require that derivative works, modifications,
+   or software that uses or embeds this Software be made open source.
+   You may incorporate this Software into proprietary or closed-source
+   products under your own license terms.
+5. MODIFICATIONS
+   Modified versions of the Software may be distributed under the same
+   terms as this license or under any other permissive open-source
+   license (e.g. MIT, Apache 2.0, BSD), provided that:
+   a. The original copyright notice of Datacules LLC is preserved.
+   b. Modifications are clearly documented and distinguished from the
+      original work.
+6. COMPATIBILITY
+   This license is compatible with other permissive open-source licenses
+   such as MIT, BSD 2-Clause, BSD 3-Clause, and Apache License 2.0. It
+   is also GPL-compatible — this Software may coexist with GPL-licensed
+   code, though this Software itself is not distributed under the GPL.
+─────────────────────────────────────────────────────────────────────────────
+DISCLAIMER
+─────────────────────────────────────────────────────────────────────────────
+THIS SOFTWARE IS PROVIDED BY DATACULES LLC AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE,
+AND NON-INFRINGEMENT ARE DISCLAIMED.
+IN NO EVENT SHALL DATACULES LLC OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+─────────────────────────────────────────────────────────────────────────────
+SUMMARY (non-binding)
+─────────────────────────────────────────────────────────────────────────────
+  ✔  Use freely — commercial, proprietary, or open-source projects
+  ✔  Modify and distribute with or without changes
+  ✔  Sell products built on this Software
+  ✔  No royalties or fees
+  ✔  No requirement to open-source your own code
+  ✔  Attribution to Datacules LLC required in source and binary distributions
+  ✗  Do not use "Datacules LLC" to endorse derived products without permission
+─────────────────────────────────────────────────────────────────────────────
+CONTACT
+─────────────────────────────────────────────────────────────────────────────
+Datacules LLC
+For licensing enquiries: legal@datacules.com
+Product: https://github.com/hvrcharon1/agent-identity

package/dist/cjs/AzureKeyVaultCredentialStore.js ADDED Viewed

@@ -0,0 +1,148 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AzureKeyVaultCredentialStore = void 0;
+/**
+ * Azure Key Vault + Azure Table Storage CredentialStore implementation.
+ *
+ * Key Vault holds each credential as a secret whose name is the credential ref.
+ * The secret value is the JSON-serialised Credential object.
+ * The secret's "content-type" tag carries the status (active | pending | revoked)
+ * so listActive() can skip inactive secrets without fetching their values.
+ *
+ * Table Storage holds migration reservation locks.
+ * Table name: agent-identity-locks
+ * Partition key: "lock"  (constant — all locks in one partition for simplicity)
+ * Row key: the credential ref being locked
+ * Columns: migrationId (string), expiresAt (number — Unix epoch seconds)
+ *
+ * Azure setup:
+ *   1. Create an Azure Key Vault and store each Credential as a JSON secret.
+ *      Set the secret's ContentType to "active", "pending", or "revoked".
+ *   2. Create a Storage Account and a Table named "agentidentitylocks".
+ *      (Table names may not contain hyphens — use "agentidentitylocks".)
+ *   3. Grant the running identity:
+ *        Key Vault Secrets User  (read secrets)
+ *        Key Vault Secrets Officer  (only needed for write operations)
+ *        Storage Table Data Contributor  (read + write locks table)
+ *   4. Set AZURE_KEYVAULT_URL and AZURE_TABLES_ENDPOINT environment variables,
+ *      or pass them as constructor options.
+ *      DefaultAzureCredential resolves auth automatically from:
+ *        - Managed Identity (production)
+ *        - AZURE_CLIENT_ID / AZURE_TENANT_ID / AZURE_CLIENT_SECRET env vars
+ *        - Azure CLI (local development)
+ *        - Workload Identity (AKS)
+ */
+const keyvault_secrets_1 = require("@azure/keyvault-secrets");
+const data_tables_1 = require("@azure/data-tables");
+const identity_1 = require("@azure/identity");
+class AzureKeyVaultCredentialStore {
+    constructor(options = {}) {
+        const vaultUrl = options.keyVaultUrl ?? process.env['AZURE_KEYVAULT_URL'] ?? '';
+        if (!vaultUrl) {
+            throw new Error('AzureKeyVaultCredentialStore: keyVaultUrl is required. ' +
+                'Pass it as an option or set AZURE_KEYVAULT_URL.');
+        }
+        const tablesEndpoint = options.tablesEndpoint ?? process.env['AZURE_TABLES_ENDPOINT'] ?? '';
+        if (!tablesEndpoint) {
+            throw new Error('AzureKeyVaultCredentialStore: tablesEndpoint is required. ' +
+                'Pass it as an option or set AZURE_TABLES_ENDPOINT.');
+        }
+        const locksTable = options.locksTable ?? 'agentidentitylocks';
+        const credential = new identity_1.DefaultAzureCredential();
+        this.secrets = new keyvault_secrets_1.SecretClient(vaultUrl, credential);
+        this.table = new data_tables_1.TableClient(tablesEndpoint, locksTable, credential);
+    }
+    // ─── CredentialStore: reads ──────────────────────────────────────────────
+    async findByRef(ref) {
+        try {
+            const secret = await this.secrets.getSecret(ref);
+            if (!secret.value)
+                return null;
+            // contentType carries status; skip non-active secrets without parsing JSON
+            if (secret.properties.contentType !== 'active')
+                return null;
+            const cred = JSON.parse(secret.value);
+            return cred.status === 'active' ? cred : null;
+        }
+        catch {
+            return null;
+        }
+    }
+    async listActive() {
+        const results = [];
+        try {
+            for await (const secretProperties of this.secrets.listPropertiesOfSecrets()) {
+                // Only fetch value for secrets tagged as active
+                if (secretProperties.contentType !== 'active')
+                    continue;
+                if (!secretProperties.enabled)
+                    continue;
+                const name = secretProperties.name;
+                if (!name)
+                    continue;
+                try {
+                    const secret = await this.secrets.getSecret(name);
+                    if (!secret.value)
+                        continue;
+                    const cred = JSON.parse(secret.value);
+                    if (cred.status === 'active')
+                        results.push(cred);
+                }
+                catch {
+                    // malformed secret — skip
+                }
+            }
+        }
+        catch {
+            // Key Vault unreachable — return empty rather than throw
+        }
+        return results;
+    }
+    async listByKind(kind) {
+        const all = await this.listActive();
+        return all.filter((c) => c.kind === kind);
+    }
+    // ─── CredentialStore: migration locks ────────────────────────────────────
+    async reserve(ref, migrationId, ttlSeconds) {
+        const expiresAt = Math.floor(Date.now() / 1000) + ttlSeconds;
+        const nowSeconds = Math.floor(Date.now() / 1000);
+        // Check for an existing unexpired lock held by a different migration
+        try {
+            const existing = await this.table.getEntity('lock', ref);
+            if (existing.migrationId !== migrationId &&
+                existing.expiresAt > nowSeconds) {
+                return false; // locked by another migration and not yet expired
+            }
+        }
+        catch {
+            // Entity does not exist — proceed to create
+        }
+        // Upsert the lock (merge semantics — overwrites existing row if present)
+        try {
+            await this.table.upsertEntity({
+                partitionKey: 'lock',
+                rowKey: ref,
+                migrationId,
+                expiresAt,
+            }, 'Replace');
+            return true;
+        }
+        catch {
+            return false;
+        }
+    }
+    async release(ref, migrationId) {
+        try {
+            const existing = await this.table.getEntity('lock', ref);
+            // Only delete if this migration owns the lock
+            if (existing.migrationId !== migrationId)
+                return;
+            await this.table.deleteEntity('lock', ref);
+        }
+        catch {
+            // Already released or never held — idempotent
+        }
+    }
+}
+exports.AzureKeyVaultCredentialStore = AzureKeyVaultCredentialStore;
+//# sourceMappingURL=AzureKeyVaultCredentialStore.js.map

package/dist/cjs/AzureKeyVaultCredentialStore.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"AzureKeyVaultCredentialStore.js","sourceRoot":"","sources":["../../src/AzureKeyVaultCredentialStore.ts"],"names":[],"mappings":";;;AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AACH,8DAAuD;AACvD,oDAAwD;AACxD,8CAAyD;AA8BzD,MAAa,4BAA4B;IAIvC,YAAY,UAA+C,EAAE;QAC3D,MAAM,QAAQ,GACZ,OAAO,CAAC,WAAW,IAAI,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,IAAI,EAAE,CAAC;QACjE,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,KAAK,CACb,yDAAyD;gBACvD,iDAAiD,CACpD,CAAC;QACJ,CAAC;QAED,MAAM,cAAc,GAClB,OAAO,CAAC,cAAc,IAAI,OAAO,CAAC,GAAG,CAAC,uBAAuB,CAAC,IAAI,EAAE,CAAC;QACvE,IAAI,CAAC,cAAc,EAAE,CAAC;YACpB,MAAM,IAAI,KAAK,CACb,4DAA4D;gBAC1D,oDAAoD,CACvD,CAAC;QACJ,CAAC;QAED,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,oBAAoB,CAAC;QAC9D,MAAM,UAAU,GAAG,IAAI,iCAAsB,EAAE,CAAC;QAEhD,IAAI,CAAC,OAAO,GAAG,IAAI,+BAAY,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;QACtD,IAAI,CAAC,KAAK,GAAG,IAAI,yBAAW,CAAC,cAAc,EAAE,UAAU,EAAE,UAAU,CAAC,CAAC;IACvE,CAAC;IAED,4EAA4E;IAE5E,KAAK,CAAC,SAAS,CAAC,GAAW;QACzB,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;YACjD,IAAI,CAAC,MAAM,CAAC,KAAK;gBAAE,OAAO,IAAI,CAAC;YAC/B,2EAA2E;YAC3E,IAAI,MAAM,CAAC,UAAU,CAAC,WAAW,KAAK,QAAQ;gBAAE,OAAO,IAAI,CAAC;YAC5D,MAAM,IAAI,GAAe,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YAClD,OAAO,IAAI,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC;QAChD,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,KAAK,CAAC,UAAU;QACd,MAAM,OAAO,GAAiB,EAAE,CAAC;QACjC,IAAI,CAAC;YACH,IAAI,KAAK,EAAE,MAAM,gBAAgB,IAAI,IAAI,CAAC,OAAO,CAAC,uBAAuB,EAAE,EAAE,CAAC;gBAC5E,gDAAgD;gBAChD,IAAI,gBAAgB,CAAC,WAAW,KAAK,QAAQ;oBAAE,SAAS;gBACxD,IAAI,CAAC,gBAAgB,CAAC,OAAO;oBAAE,SAAS;gBACxC,MAAM,IAAI,GAAG,gBAAgB,CAAC,IAAI,CAAC;gBACnC,IAAI,CAAC,IAAI;oBAAE,SAAS;gBACpB,IAAI,CAAC;oBACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;oBAClD,IAAI,CAAC,MAAM,CAAC,KAAK;wBAAE,SAAS;oBAC5B,MAAM,IAAI,GAAe,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;oBAClD,IAAI,IAAI,CAAC,MAAM,KAAK,QAAQ;wBAAE,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBACnD,CAAC;gBAAC,MAAM,CAAC;oBACP,0BAA0B;gBAC5B,CAAC;YACH,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,yDAAyD;QAC3D,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,IAAoB;QACnC,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC;QACpC,OAAO,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,CAAC,CAAC;IAC5C,CAAC;IAED,4EAA4E;IAE5E,KAAK,CAAC,OAAO,CAAC,GAAW,EAAE,WAAmB,EAAE,UAAkB;QAChE,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,UAAU,CAAC;QAC7D,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAEjD,qEAAqE;QACrE,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,SAAS,CAAa,MAAM,EAAE,GAAG,CAAC,CAAC;YACrE,IACE,QAAQ,CAAC,WAAW,KAAK,WAAW;gBACpC,QAAQ,CAAC,SAAS,GAAG,UAAU,EAC/B,CAAC;gBACD,OAAO,KAAK,CAAC,CAAC,kDAAkD;YAClE,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,4CAA4C;QAC9C,CAAC;QAED,yEAAyE;QACzE,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,KAAK,CAAC,YAAY,CAC3B;gBACE,YAAY,EAAE,MAAM;gBACpB,MAAM,EAAE,GAAG;gBACX,WAAW;gBACX,SAAS;aACV,EACD,SAAS,CACV,CAAC;YACF,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,GAAW,EAAE,WAAmB;QAC5C,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,SAAS,CAAa,MAAM,EAAE,GAAG,CAAC,CAAC;YACrE,8CAA8C;YAC9C,IAAI,QAAQ,CAAC,WAAW,KAAK,WAAW;gBAAE,OAAO;YACjD,MAAM,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QAC7C,CAAC;QAAC,MAAM,CAAC;YACP,8CAA8C;QAChD,CAAC;IACH,CAAC;CACF;AAxHD,oEAwHC"}

package/dist/cjs/azure.test.js ADDED Viewed

@@ -0,0 +1,196 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const vitest_1 = require("vitest");
+// Mock Azure SDK modules — constructors return objects with vi.fn() methods.
+// vi.mock() calls are hoisted before imports by Vitest.
+vitest_1.vi.mock('@azure/identity', () => ({
+    DefaultAzureCredential: vitest_1.vi.fn(() => ({})),
+}));
+vitest_1.vi.mock('@azure/keyvault-secrets', () => ({
+    SecretClient: vitest_1.vi.fn(() => ({
+        getSecret: vitest_1.vi.fn(),
+        listPropertiesOfSecrets: vitest_1.vi.fn(),
+    })),
+}));
+vitest_1.vi.mock('@azure/data-tables', () => ({
+    TableClient: vitest_1.vi.fn(() => ({
+        getEntity: vitest_1.vi.fn(),
+        upsertEntity: vitest_1.vi.fn(),
+        deleteEntity: vitest_1.vi.fn(),
+    })),
+    odata: vitest_1.vi.fn((s) => s),
+}));
+const index_js_1 = require("./index.js");
+const makeCred = (overrides = {}) => ({
+    id: 'cred-openai',
+    kind: 'fixed',
+    name: 'OpenAI Key',
+    scope: 'global',
+    status: 'active',
+    provider: 'openai',
+    ref: 'openai-prod-slot',
+    ...overrides,
+});
+// Minimal secret response shape returned by SecretClient.getSecret()
+const makeSecretResponse = (cred) => ({
+    value: JSON.stringify(cred),
+    properties: { contentType: cred.status },
+});
+(0, vitest_1.describe)('AzureKeyVaultCredentialStore', () => {
+    let store;
+    let secretsMock;
+    let tableMock;
+    (0, vitest_1.beforeEach)(() => {
+        vitest_1.vi.clearAllMocks();
+        store = new index_js_1.AzureKeyVaultCredentialStore({
+            keyVaultUrl: 'https://test.vault.azure.net',
+            tablesEndpoint: 'https://test.table.core.windows.net',
+        });
+        // Access mock clients injected by the mocked SDK constructors
+        secretsMock = store.secrets;
+        tableMock = store.table;
+    });
+    // ─── constructor ────────────────────────────────────────────────────────────
+    (0, vitest_1.describe)('constructor', () => {
+        (0, vitest_1.it)('throws when keyVaultUrl is missing from both options and environment', () => {
+            delete process.env['AZURE_KEYVAULT_URL'];
+            (0, vitest_1.expect)(() => new index_js_1.AzureKeyVaultCredentialStore({
+                tablesEndpoint: 'https://test.table.core.windows.net',
+            })).toThrow('keyVaultUrl is required');
+        });
+        (0, vitest_1.it)('throws when tablesEndpoint is missing from both options and environment', () => {
+            delete process.env['AZURE_TABLES_ENDPOINT'];
+            (0, vitest_1.expect)(() => new index_js_1.AzureKeyVaultCredentialStore({
+                keyVaultUrl: 'https://test.vault.azure.net',
+            })).toThrow('tablesEndpoint is required');
+        });
+    });
+    // ─── findByRef() ────────────────────────────────────────────────────────────
+    (0, vitest_1.describe)('findByRef()', () => {
+        (0, vitest_1.it)('returns active credential when Key Vault returns a secret with contentType=active', async () => {
+            const cred = makeCred();
+            secretsMock.getSecret.mockResolvedValue(makeSecretResponse(cred));
+            (0, vitest_1.expect)(await store.findByRef('openai-prod-slot')).toEqual(cred);
+        });
+        (0, vitest_1.it)('returns null when contentType is not active (does not parse the value)', async () => {
+            const cred = makeCred({ status: 'pending' });
+            secretsMock.getSecret.mockResolvedValue({
+                value: JSON.stringify(cred),
+                properties: { contentType: 'pending' },
+            });
+            (0, vitest_1.expect)(await store.findByRef('openai-prod-slot')).toBeNull();
+        });
+        (0, vitest_1.it)('returns null when secret value is undefined', async () => {
+            secretsMock.getSecret.mockResolvedValue({
+                value: undefined,
+                properties: { contentType: 'active' },
+            });
+            (0, vitest_1.expect)(await store.findByRef('openai-prod-slot')).toBeNull();
+        });
+        (0, vitest_1.it)('returns null without throwing when getSecret throws', async () => {
+            secretsMock.getSecret.mockRejectedValue(new Error('SecretNotFound'));
+            (0, vitest_1.expect)(await store.findByRef('missing-ref')).toBeNull();
+        });
+    });
+    // ─── listActive() ───────────────────────────────────────────────────────────
+    (0, vitest_1.describe)('listActive()', () => {
+        (0, vitest_1.it)('returns active credentials iterated from listPropertiesOfSecrets and fetched via getSecret', async () => {
+            const cred = makeCred();
+            secretsMock.listPropertiesOfSecrets.mockReturnValue((async function* () {
+                yield { contentType: 'active', enabled: true, name: 'openai-prod-slot' };
+            })());
+            secretsMock.getSecret.mockResolvedValue(makeSecretResponse(cred));
+            const results = await store.listActive();
+            (0, vitest_1.expect)(results).toHaveLength(1);
+            (0, vitest_1.expect)(results[0]).toEqual(cred);
+        });
+        (0, vitest_1.it)('skips secrets with contentType !== active without calling getSecret', async () => {
+            secretsMock.listPropertiesOfSecrets.mockReturnValue((async function* () {
+                yield { contentType: 'pending', enabled: true, name: 'pending-slot' };
+            })());
+            (0, vitest_1.expect)(await store.listActive()).toHaveLength(0);
+            (0, vitest_1.expect)(secretsMock.getSecret).not.toHaveBeenCalled();
+        });
+        (0, vitest_1.it)('skips secrets with enabled=false', async () => {
+            secretsMock.listPropertiesOfSecrets.mockReturnValue((async function* () {
+                yield { contentType: 'active', enabled: false, name: 'disabled-slot' };
+            })());
+            (0, vitest_1.expect)(await store.listActive()).toHaveLength(0);
+        });
+        (0, vitest_1.it)('returns empty array when listPropertiesOfSecrets throws (Key Vault unreachable)', async () => {
+            secretsMock.listPropertiesOfSecrets.mockReturnValue(
+            // eslint-disable-next-line require-yield
+            (async function* () {
+                throw new Error('KeyVaultUnavailable');
+            })());
+            (0, vitest_1.expect)(await store.listActive()).toEqual([]);
+        });
+    });
+    // ─── listByKind() ───────────────────────────────────────────────────────────
+    (0, vitest_1.describe)('listByKind()', () => {
+        (0, vitest_1.it)('returns only credentials matching the requested kind', async () => {
+            const fixed = makeCred({ kind: 'fixed', id: 'cred-fixed', ref: 'fixed-slot' });
+            const delegated = makeCred({ kind: 'user-delegated', id: 'cred-user', ref: 'user-slot' });
+            secretsMock.listPropertiesOfSecrets.mockReturnValue((async function* () {
+                yield { contentType: 'active', enabled: true, name: 'fixed-slot' };
+                yield { contentType: 'active', enabled: true, name: 'user-slot' };
+            })());
+            secretsMock.getSecret
+                .mockResolvedValueOnce(makeSecretResponse(fixed))
+                .mockResolvedValueOnce(makeSecretResponse(delegated));
+            const result = await store.listByKind('fixed');
+            (0, vitest_1.expect)(result).toHaveLength(1);
+            (0, vitest_1.expect)(result[0].kind).toBe('fixed');
+        });
+    });
+    // ─── reserve() ──────────────────────────────────────────────────────────────
+    (0, vitest_1.describe)('reserve()', () => {
+        (0, vitest_1.it)('returns true when no existing lock is found (getEntity throws) and upsert succeeds', async () => {
+            tableMock.getEntity.mockRejectedValue(new Error('EntityNotFound'));
+            tableMock.upsertEntity.mockResolvedValue({});
+            (0, vitest_1.expect)(await store.reserve('cred-ref', 'mig-1', 300)).toBe(true);
+        });
+        (0, vitest_1.it)('returns false when a different migration holds an unexpired lock', async () => {
+            const futureExpiry = Math.floor(Date.now() / 1000) + 600;
+            tableMock.getEntity.mockResolvedValue({
+                migrationId: 'other-migration',
+                expiresAt: futureExpiry,
+            });
+            (0, vitest_1.expect)(await store.reserve('cred-ref', 'mig-2', 300)).toBe(false);
+        });
+        (0, vitest_1.it)('returns true when the same migration re-acquires its own lock', async () => {
+            const futureExpiry = Math.floor(Date.now() / 1000) + 600;
+            tableMock.getEntity.mockResolvedValue({
+                migrationId: 'mig-1',
+                expiresAt: futureExpiry,
+            });
+            tableMock.upsertEntity.mockResolvedValue({});
+            (0, vitest_1.expect)(await store.reserve('cred-ref', 'mig-1', 300)).toBe(true);
+        });
+    });
+    // ─── release() ──────────────────────────────────────────────────────────────
+    (0, vitest_1.describe)('release()', () => {
+        (0, vitest_1.it)('deletes the entity when migrationId matches the stored lock owner', async () => {
+            tableMock.getEntity.mockResolvedValue({
+                migrationId: 'mig-1',
+                expiresAt: Math.floor(Date.now() / 1000) + 600,
+            });
+            tableMock.deleteEntity.mockResolvedValue({});
+            await store.release('cred-ref', 'mig-1');
+            (0, vitest_1.expect)(tableMock.deleteEntity).toHaveBeenCalledWith('lock', 'cred-ref');
+        });
+        (0, vitest_1.it)('does not call deleteEntity when migrationId does not match the stored lock', async () => {
+            tableMock.getEntity.mockResolvedValue({
+                migrationId: 'other-mig',
+                expiresAt: Math.floor(Date.now() / 1000) + 600,
+            });
+            await store.release('cred-ref', 'mig-1');
+            (0, vitest_1.expect)(tableMock.deleteEntity).not.toHaveBeenCalled();
+        });
+        (0, vitest_1.it)('resolves without throwing when getEntity throws (lock already released)', async () => {
+            tableMock.getEntity.mockRejectedValue(new Error('EntityNotFound'));
+            await (0, vitest_1.expect)(store.release('cred-ref', 'mig-1')).resolves.toBeUndefined();
+        });
+    });
+});
+//# sourceMappingURL=azure.test.js.map

package/dist/cjs/azure.test.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"azure.test.js","sourceRoot":"","sources":["../../src/azure.test.ts"],"names":[],"mappings":";;AAAA,mCAA8D;AAE9D,6EAA6E;AAC7E,wDAAwD;AACxD,WAAE,CAAC,IAAI,CAAC,iBAAiB,EAAE,GAAG,EAAE,CAAC,CAAC;IAChC,sBAAsB,EAAE,WAAE,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC;CAC1C,CAAC,CAAC,CAAC;AAEJ,WAAE,CAAC,IAAI,CAAC,yBAAyB,EAAE,GAAG,EAAE,CAAC,CAAC;IACxC,YAAY,EAAE,WAAE,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC;QACzB,SAAS,EAAE,WAAE,CAAC,EAAE,EAAE;QAClB,uBAAuB,EAAE,WAAE,CAAC,EAAE,EAAE;KACjC,CAAC,CAAC;CACJ,CAAC,CAAC,CAAC;AAEJ,WAAE,CAAC,IAAI,CAAC,oBAAoB,EAAE,GAAG,EAAE,CAAC,CAAC;IACnC,WAAW,EAAE,WAAE,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC;QACxB,SAAS,EAAE,WAAE,CAAC,EAAE,EAAE;QAClB,YAAY,EAAE,WAAE,CAAC,EAAE,EAAE;QACrB,YAAY,EAAE,WAAE,CAAC,EAAE,EAAE;KACtB,CAAC,CAAC;IACH,KAAK,EAAE,WAAE,CAAC,EAAE,CAAC,CAAC,CAAS,EAAE,EAAE,CAAC,CAAC,CAAC;CAC/B,CAAC,CAAC,CAAC;AAEJ,yCAA0D;AAG1D,MAAM,QAAQ,GAAG,CAAC,YAAiC,EAAE,EAAc,EAAE,CAAC,CAAC;IACrE,EAAE,EAAE,aAAa;IACjB,IAAI,EAAE,OAAO;IACb,IAAI,EAAE,YAAY;IAClB,KAAK,EAAE,QAAQ;IACf,MAAM,EAAE,QAAQ;IAChB,QAAQ,EAAE,QAAQ;IAClB,GAAG,EAAE,kBAAkB;IACvB,GAAG,SAAS;CACb,CAAC,CAAC;AAEH,qEAAqE;AACrE,MAAM,kBAAkB,GAAG,CAAC,IAAgB,EAAE,EAAE,CAAC,CAAC;IAChD,KAAK,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC;IAC3B,UAAU,EAAE,EAAE,WAAW,EAAE,IAAI,CAAC,MAAM,EAAE;CACzC,CAAC,CAAC;AAEH,IAAA,iBAAQ,EAAC,8BAA8B,EAAE,GAAG,EAAE;IAC5C,IAAI,KAAmC,CAAC;IACxC,IAAI,WAGH,CAAC;IACF,IAAI,SAIH,CAAC;IAEF,IAAA,mBAAU,EAAC,GAAG,EAAE;QACd,WAAE,CAAC,aAAa,EAAE,CAAC;QACnB,KAAK,GAAG,IAAI,uCAA4B,CAAC;YACvC,WAAW,EAAE,8BAA8B;YAC3C,cAAc,EAAE,qCAAqC;SACtD,CAAC,CAAC;QACH,8DAA8D;QAC9D,WAAW,GAAI,KAAa,CAAC,OAA6B,CAAC;QAC3D,SAAS,GAAI,KAAa,CAAC,KAAyB,CAAC;IACvD,CAAC,CAAC,CAAC;IAEH,+EAA+E;IAE/E,IAAA,iBAAQ,EAAC,aAAa,EAAE,GAAG,EAAE;QAC3B,IAAA,WAAE,EAAC,sEAAsE,EAAE,GAAG,EAAE;YAC9E,OAAO,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC;YACzC,IAAA,eAAM,EACJ,GAAG,EAAE,CACH,IAAI,uCAA4B,CAAC;gBAC/B,cAAc,EAAE,qCAAqC;aACtD,CAAC,CACL,CAAC,OAAO,CAAC,yBAAyB,CAAC,CAAC;QACvC,CAAC,CAAC,CAAC;QAEH,IAAA,WAAE,EAAC,yEAAyE,EAAE,GAAG,EAAE;YACjF,OAAO,OAAO,CAAC,GAAG,CAAC,uBAAuB,CAAC,CAAC;YAC5C,IAAA,eAAM,EACJ,GAAG,EAAE,CACH,IAAI,uCAA4B,CAAC;gBAC/B,WAAW,EAAE,8BAA8B;aAC5C,CAAC,CACL,CAAC,OAAO,CAAC,4BAA4B,CAAC,CAAC;QAC1C,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,+EAA+E;IAE/E,IAAA,iBAAQ,EAAC,aAAa,EAAE,GAAG,EAAE;QAC3B,IAAA,WAAE,EAAC,mFAAmF,EAAE,KAAK,IAAI,EAAE;YACjG,MAAM,IAAI,GAAG,QAAQ,EAAE,CAAC;YACxB,WAAW,CAAC,SAAS,CAAC,iBAAiB,CAAC,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC;YAClE,IAAA,eAAM,EAAC,MAAM,KAAK,CAAC,SAAS,CAAC,kBAAkB,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QAClE,CAAC,CAAC,CAAC;QAEH,IAAA,WAAE,EAAC,wEAAwE,EAAE,KAAK,IAAI,EAAE;YACtF,MAAM,IAAI,GAAG,QAAQ,CAAC,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC,CAAC;YAC7C,WAAW,CAAC,SAAS,CAAC,iBAAiB,CAAC;gBACtC,KAAK,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC;gBAC3B,UAAU,EAAE,EAAE,WAAW,EAAE,SAAS,EAAE;aACvC,CAAC,CAAC;YACH,IAAA,eAAM,EAAC,MAAM,KAAK,CAAC,SAAS,CAAC,kBAAkB,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC;QAC/D,CAAC,CAAC,CAAC;QAEH,IAAA,WAAE,EAAC,6CAA6C,EAAE,KAAK,IAAI,EAAE;YAC3D,WAAW,CAAC,SAAS,CAAC,iBAAiB,CAAC;gBACtC,KAAK,EAAE,SAAS;gBAChB,UAAU,EAAE,EAAE,WAAW,EAAE,QAAQ,EAAE;aACtC,CAAC,CAAC;YACH,IAAA,eAAM,EAAC,MAAM,KAAK,CAAC,SAAS,CAAC,kBAAkB,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC;QAC/D,CAAC,CAAC,CAAC;QAEH,IAAA,WAAE,EAAC,qDAAqD,EAAE,KAAK,IAAI,EAAE;YACnE,WAAW,CAAC,SAAS,CAAC,iBAAiB,CAAC,IAAI,KAAK,CAAC,gBAAgB,CAAC,CAAC,CAAC;YACrE,IAAA,eAAM,EAAC,MAAM,KAAK,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC;QAC1D,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,+EAA+E;IAE/E,IAAA,iBAAQ,EAAC,cAAc,EAAE,GAAG,EAAE;QAC5B,IAAA,WAAE,EAAC,4FAA4F,EAAE,KAAK,IAAI,EAAE;YAC1G,MAAM,IAAI,GAAG,QAAQ,EAAE,CAAC;YACxB,WAAW,CAAC,uBAAuB,CAAC,eAAe,CACjD,CAAC,KAAK,SAAS,CAAC;gBACd,MAAM,EAAE,WAAW,EAAE,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,kBAAkB,EAAE,CAAC;YAC3E,CAAC,CAAC,EAAE,CACL,CAAC;YACF,WAAW,CAAC,SAAS,CAAC,iBAAiB,CAAC,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC;YAClE,MAAM,OAAO,GAAG,MAAM,KAAK,CAAC,UAAU,EAAE,CAAC;YACzC,IAAA,eAAM,EAAC,OAAO,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;YAChC,IAAA,eAAM,EAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QACnC,CAAC,CAAC,CAAC;QAEH,IAAA,WAAE,EAAC,qEAAqE,EAAE,KAAK,IAAI,EAAE;YACnF,WAAW,CAAC,uBAAuB,CAAC,eAAe,CACjD,CAAC,KAAK,SAAS,CAAC;gBACd,MAAM,EAAE,WAAW,EAAE,SAAS,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC;YACxE,CAAC,CAAC,EAAE,CACL,CAAC;YACF,IAAA,eAAM,EAAC,MAAM,KAAK,CAAC,UAAU,EAAE,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;YACjD,IAAA,eAAM,EAAC,WAAW,CAAC,SAAS,CAAC,CAAC,GAAG,CAAC,gBAAgB,EAAE,CAAC;QACvD,CAAC,CAAC,CAAC;QAEH,IAAA,WAAE,EAAC,kCAAkC,EAAE,KAAK,IAAI,EAAE;YAChD,WAAW,CAAC,uBAAuB,CAAC,eAAe,CACjD,CAAC,KAAK,SAAS,CAAC;gBACd,MAAM,EAAE,WAAW,EAAE,QAAQ,EAAE,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,eAAe,EAAE,CAAC;YACzE,CAAC,CAAC,EAAE,CACL,CAAC;YACF,IAAA,eAAM,EAAC,MAAM,KAAK,CAAC,UAAU,EAAE,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACnD,CAAC,CAAC,CAAC;QAEH,IAAA,WAAE,EAAC,iFAAiF,EAAE,KAAK,IAAI,EAAE;YAC/F,WAAW,CAAC,uBAAuB,CAAC,eAAe;YACjD,yCAAyC;YACzC,CAAC,KAAK,SAAS,CAAC;gBACd,MAAM,IAAI,KAAK,CAAC,qBAAqB,CAAC,CAAC;YACzC,CAAC,CAAC,EAAE,CACL,CAAC;YACF,IAAA,eAAM,EAAC,MAAM,KAAK,CAAC,UAAU,EAAE,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;QAC/C,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,+EAA+E;IAE/E,IAAA,iBAAQ,EAAC,cAAc,EAAE,GAAG,EAAE;QAC5B,IAAA,WAAE,EAAC,sDAAsD,EAAE,KAAK,IAAI,EAAE;YACpE,MAAM,KAAK,GAAG,QAAQ,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,EAAE,YAAY,EAAE,GAAG,EAAE,YAAY,EAAE,CAAC,CAAC;YAC/E,MAAM,SAAS,GAAG,QAAQ,CAAC,EAAE,IAAI,EAAE,gBAAgB,EAAE,EAAE,EAAE,WAAW,EAAE,GAAG,EAAE,WAAW,EAAE,CAAC,CAAC;YAC1F,WAAW,CAAC,uBAAuB,CAAC,eAAe,CACjD,CAAC,KAAK,SAAS,CAAC;gBACd,MAAM,EAAE,WAAW,EAAE,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,YAAY,EAAE,CAAC;gBACnE,MAAM,EAAE,WAAW,EAAE,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,WAAW,EAAE,CAAC;YACpE,CAAC,CAAC,EAAE,CACL,CAAC;YACF,WAAW,CAAC,SAAS;iBAClB,qBAAqB,CAAC,kBAAkB,CAAC,KAAK,CAAC,CAAC;iBAChD,qBAAqB,CAAC,kBAAkB,CAAC,SAAS,CAAC,CAAC,CAAC;YACxD,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;YAC/C,IAAA,eAAM,EAAC,MAAM,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;YAC/B,IAAA,eAAM,EAAC,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACvC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,+EAA+E;IAE/E,IAAA,iBAAQ,EAAC,WAAW,EAAE,GAAG,EAAE;QACzB,IAAA,WAAE,EAAC,oFAAoF,EAAE,KAAK,IAAI,EAAE;YAClG,SAAS,CAAC,SAAS,CAAC,iBAAiB,CAAC,IAAI,KAAK,CAAC,gBAAgB,CAAC,CAAC,CAAC;YACnE,SAAS,CAAC,YAAY,CAAC,iBAAiB,CAAC,EAAE,CAAC,CAAC;YAC7C,IAAA,eAAM,EAAC,MAAM,KAAK,CAAC,OAAO,CAAC,UAAU,EAAE,OAAO,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACnE,CAAC,CAAC,CAAC;QAEH,IAAA,WAAE,EAAC,kEAAkE,EAAE,KAAK,IAAI,EAAE;YAChF,MAAM,YAAY,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,GAAG,CAAC;YACzD,SAAS,CAAC,SAAS,CAAC,iBAAiB,CAAC;gBACpC,WAAW,EAAE,iBAAiB;gBAC9B,SAAS,EAAE,YAAY;aACxB,CAAC,CAAC;YACH,IAAA,eAAM,EAAC,MAAM,KAAK,CAAC,OAAO,CAAC,UAAU,EAAE,OAAO,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACpE,CAAC,CAAC,CAAC;QAEH,IAAA,WAAE,EAAC,+DAA+D,EAAE,KAAK,IAAI,EAAE;YAC7E,MAAM,YAAY,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,GAAG,CAAC;YACzD,SAAS,CAAC,SAAS,CAAC,iBAAiB,CAAC;gBACpC,WAAW,EAAE,OAAO;gBACpB,SAAS,EAAE,YAAY;aACxB,CAAC,CAAC;YACH,SAAS,CAAC,YAAY,CAAC,iBAAiB,CAAC,EAAE,CAAC,CAAC;YAC7C,IAAA,eAAM,EAAC,MAAM,KAAK,CAAC,OAAO,CAAC,UAAU,EAAE,OAAO,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACnE,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,+EAA+E;IAE/E,IAAA,iBAAQ,EAAC,WAAW,EAAE,GAAG,EAAE;QACzB,IAAA,WAAE,EAAC,mEAAmE,EAAE,KAAK,IAAI,EAAE;YACjF,SAAS,CAAC,SAAS,CAAC,iBAAiB,CAAC;gBACpC,WAAW,EAAE,OAAO;gBACpB,SAAS,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,GAAG;aAC/C,CAAC,CAAC;YACH,SAAS,CAAC,YAAY,CAAC,iBAAiB,CAAC,EAAE,CAAC,CAAC;YAC7C,MAAM,KAAK,CAAC,OAAO,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;YACzC,IAAA,eAAM,EAAC,SAAS,CAAC,YAAY,CAAC,CAAC,oBAAoB,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC;QAC1E,CAAC,CAAC,CAAC;QAEH,IAAA,WAAE,EAAC,4EAA4E,EAAE,KAAK,IAAI,EAAE;YAC1F,SAAS,CAAC,SAAS,CAAC,iBAAiB,CAAC;gBACpC,WAAW,EAAE,WAAW;gBACxB,SAAS,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,GAAG;aAC/C,CAAC,CAAC;YACH,MAAM,KAAK,CAAC,OAAO,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;YACzC,IAAA,eAAM,EAAC,SAAS,CAAC,YAAY,CAAC,CAAC,GAAG,CAAC,gBAAgB,EAAE,CAAC;QACxD,CAAC,CAAC,CAAC;QAEH,IAAA,WAAE,EAAC,yEAAyE,EAAE,KAAK,IAAI,EAAE;YACvF,SAAS,CAAC,SAAS,CAAC,iBAAiB,CAAC,IAAI,KAAK,CAAC,gBAAgB,CAAC,CAAC,CAAC;YACnE,MAAM,IAAA,eAAM,EAAC,KAAK,CAAC,OAAO,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,aAAa,EAAE,CAAC;QAC5E,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/cjs/index.js ADDED Viewed

@@ -0,0 +1,6 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AzureKeyVaultCredentialStore = void 0;
+var AzureKeyVaultCredentialStore_1 = require("./AzureKeyVaultCredentialStore");
+Object.defineProperty(exports, "AzureKeyVaultCredentialStore", { enumerable: true, get: function () { return AzureKeyVaultCredentialStore_1.AzureKeyVaultCredentialStore; } });
+//# sourceMappingURL=index.js.map

package/dist/cjs/index.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";;;AAAA,+EAA8E;AAArE,4IAAA,4BAA4B,OAAA"}

package/dist/esm/AzureKeyVaultCredentialStore.js ADDED Viewed

@@ -0,0 +1,148 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AzureKeyVaultCredentialStore = void 0;
+/**
+ * Azure Key Vault + Azure Table Storage CredentialStore implementation.
+ *
+ * Key Vault holds each credential as a secret whose name is the credential ref.
+ * The secret value is the JSON-serialised Credential object.
+ * The secret's "content-type" tag carries the status (active | pending | revoked)
+ * so listActive() can skip inactive secrets without fetching their values.
+ *
+ * Table Storage holds migration reservation locks.
+ * Table name: agent-identity-locks
+ * Partition key: "lock"  (constant — all locks in one partition for simplicity)
+ * Row key: the credential ref being locked
+ * Columns: migrationId (string), expiresAt (number — Unix epoch seconds)
+ *
+ * Azure setup:
+ *   1. Create an Azure Key Vault and store each Credential as a JSON secret.
+ *      Set the secret's ContentType to "active", "pending", or "revoked".
+ *   2. Create a Storage Account and a Table named "agentidentitylocks".
+ *      (Table names may not contain hyphens — use "agentidentitylocks".)
+ *   3. Grant the running identity:
+ *        Key Vault Secrets User  (read secrets)
+ *        Key Vault Secrets Officer  (only needed for write operations)
+ *        Storage Table Data Contributor  (read + write locks table)
+ *   4. Set AZURE_KEYVAULT_URL and AZURE_TABLES_ENDPOINT environment variables,
+ *      or pass them as constructor options.
+ *      DefaultAzureCredential resolves auth automatically from:
+ *        - Managed Identity (production)
+ *        - AZURE_CLIENT_ID / AZURE_TENANT_ID / AZURE_CLIENT_SECRET env vars
+ *        - Azure CLI (local development)
+ *        - Workload Identity (AKS)
+ */
+const keyvault_secrets_1 = require("@azure/keyvault-secrets");
+const data_tables_1 = require("@azure/data-tables");
+const identity_1 = require("@azure/identity");
+class AzureKeyVaultCredentialStore {
+    constructor(options = {}) {
+        const vaultUrl = options.keyVaultUrl ?? process.env['AZURE_KEYVAULT_URL'] ?? '';
+        if (!vaultUrl) {
+            throw new Error('AzureKeyVaultCredentialStore: keyVaultUrl is required. ' +
+                'Pass it as an option or set AZURE_KEYVAULT_URL.');
+        }
+        const tablesEndpoint = options.tablesEndpoint ?? process.env['AZURE_TABLES_ENDPOINT'] ?? '';
+        if (!tablesEndpoint) {
+            throw new Error('AzureKeyVaultCredentialStore: tablesEndpoint is required. ' +
+                'Pass it as an option or set AZURE_TABLES_ENDPOINT.');
+        }
+        const locksTable = options.locksTable ?? 'agentidentitylocks';
+        const credential = new identity_1.DefaultAzureCredential();
+        this.secrets = new keyvault_secrets_1.SecretClient(vaultUrl, credential);
+        this.table = new data_tables_1.TableClient(tablesEndpoint, locksTable, credential);
+    }
+    // ─── CredentialStore: reads ──────────────────────────────────────────────
+    async findByRef(ref) {
+        try {
+            const secret = await this.secrets.getSecret(ref);
+            if (!secret.value)
+                return null;
+            // contentType carries status; skip non-active secrets without parsing JSON
+            if (secret.properties.contentType !== 'active')
+                return null;
+            const cred = JSON.parse(secret.value);
+            return cred.status === 'active' ? cred : null;
+        }
+        catch {
+            return null;
+        }
+    }
+    async listActive() {
+        const results = [];
+        try {
+            for await (const secretProperties of this.secrets.listPropertiesOfSecrets()) {
+                // Only fetch value for secrets tagged as active
+                if (secretProperties.contentType !== 'active')
+                    continue;
+                if (!secretProperties.enabled)
+                    continue;
+                const name = secretProperties.name;
+                if (!name)
+                    continue;
+                try {
+                    const secret = await this.secrets.getSecret(name);
+                    if (!secret.value)
+                        continue;
+                    const cred = JSON.parse(secret.value);
+                    if (cred.status === 'active')
+                        results.push(cred);
+                }
+                catch {
+                    // malformed secret — skip
+                }
+            }
+        }
+        catch {
+            // Key Vault unreachable — return empty rather than throw
+        }
+        return results;
+    }
+    async listByKind(kind) {
+        const all = await this.listActive();
+        return all.filter((c) => c.kind === kind);
+    }
+    // ─── CredentialStore: migration locks ────────────────────────────────────
+    async reserve(ref, migrationId, ttlSeconds) {
+        const expiresAt = Math.floor(Date.now() / 1000) + ttlSeconds;
+        const nowSeconds = Math.floor(Date.now() / 1000);
+        // Check for an existing unexpired lock held by a different migration
+        try {
+            const existing = await this.table.getEntity('lock', ref);
+            if (existing.migrationId !== migrationId &&
+                existing.expiresAt > nowSeconds) {
+                return false; // locked by another migration and not yet expired
+            }
+        }
+        catch {
+            // Entity does not exist — proceed to create
+        }
+        // Upsert the lock (merge semantics — overwrites existing row if present)
+        try {
+            await this.table.upsertEntity({
+                partitionKey: 'lock',
+                rowKey: ref,
+                migrationId,
+                expiresAt,
+            }, 'Replace');
+            return true;
+        }
+        catch {
+            return false;
+        }
+    }
+    async release(ref, migrationId) {
+        try {
+            const existing = await this.table.getEntity('lock', ref);
+            // Only delete if this migration owns the lock
+            if (existing.migrationId !== migrationId)
+                return;
+            await this.table.deleteEntity('lock', ref);
+        }
+        catch {
+            // Already released or never held — idempotent
+        }
+    }
+}
+exports.AzureKeyVaultCredentialStore = AzureKeyVaultCredentialStore;
+//# sourceMappingURL=AzureKeyVaultCredentialStore.js.map

package/dist/esm/AzureKeyVaultCredentialStore.js.map ADDED Viewed

@@ -0,0 +1 @@