@datacules/agent-identity-store-azure 0.11.0 → 0.11.1

package/dist/esm/azure.test.js

@@ -0,0 +1,196 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const vitest_1 = require("vitest");
+// Mock Azure SDK modules — constructors return objects with vi.fn() methods.
+// vi.mock() calls are hoisted before imports by Vitest.
+vitest_1.vi.mock('@azure/identity', () => ({
+    DefaultAzureCredential: vitest_1.vi.fn(() => ({})),
+}));
+vitest_1.vi.mock('@azure/keyvault-secrets', () => ({
+    SecretClient: vitest_1.vi.fn(() => ({
+        getSecret: vitest_1.vi.fn(),
+        listPropertiesOfSecrets: vitest_1.vi.fn(),
+    })),
+}));
+vitest_1.vi.mock('@azure/data-tables', () => ({
+    TableClient: vitest_1.vi.fn(() => ({
+        getEntity: vitest_1.vi.fn(),
+        upsertEntity: vitest_1.vi.fn(),
+        deleteEntity: vitest_1.vi.fn(),
+    })),
+    odata: vitest_1.vi.fn((s) => s),
+}));
+const index_js_1 = require("./index.js");
+const makeCred = (overrides = {}) => ({
+    id: 'cred-openai',
+    kind: 'fixed',
+    name: 'OpenAI Key',
+    scope: 'global',
+    status: 'active',
+    provider: 'openai',
+    ref: 'openai-prod-slot',
+    ...overrides,
+});
+// Minimal secret response shape returned by SecretClient.getSecret()
+const makeSecretResponse = (cred) => ({
+    value: JSON.stringify(cred),
+    properties: { contentType: cred.status },
+});
+(0, vitest_1.describe)('AzureKeyVaultCredentialStore', () => {
+    let store;
+    let secretsMock;
+    let tableMock;
+    (0, vitest_1.beforeEach)(() => {
+        vitest_1.vi.clearAllMocks();
+        store = new index_js_1.AzureKeyVaultCredentialStore({
+            keyVaultUrl: 'https://test.vault.azure.net',
+            tablesEndpoint: 'https://test.table.core.windows.net',
+        });
+        // Access mock clients injected by the mocked SDK constructors
+        secretsMock = store.secrets;
+        tableMock = store.table;
+    });
+    // ─── constructor ────────────────────────────────────────────────────────────
+    (0, vitest_1.describe)('constructor', () => {
+        (0, vitest_1.it)('throws when keyVaultUrl is missing from both options and environment', () => {
+            delete process.env['AZURE_KEYVAULT_URL'];
+            (0, vitest_1.expect)(() => new index_js_1.AzureKeyVaultCredentialStore({
+                tablesEndpoint: 'https://test.table.core.windows.net',
+            })).toThrow('keyVaultUrl is required');
+        });
+        (0, vitest_1.it)('throws when tablesEndpoint is missing from both options and environment', () => {
+            delete process.env['AZURE_TABLES_ENDPOINT'];
+            (0, vitest_1.expect)(() => new index_js_1.AzureKeyVaultCredentialStore({
+                keyVaultUrl: 'https://test.vault.azure.net',
+            })).toThrow('tablesEndpoint is required');
+        });
+    });
+    // ─── findByRef() ────────────────────────────────────────────────────────────
+    (0, vitest_1.describe)('findByRef()', () => {
+        (0, vitest_1.it)('returns active credential when Key Vault returns a secret with contentType=active', async () => {
+            const cred = makeCred();
+            secretsMock.getSecret.mockResolvedValue(makeSecretResponse(cred));
+            (0, vitest_1.expect)(await store.findByRef('openai-prod-slot')).toEqual(cred);
+        });
+        (0, vitest_1.it)('returns null when contentType is not active (does not parse the value)', async () => {
+            const cred = makeCred({ status: 'pending' });
+            secretsMock.getSecret.mockResolvedValue({
+                value: JSON.stringify(cred),
+                properties: { contentType: 'pending' },
+            });
+            (0, vitest_1.expect)(await store.findByRef('openai-prod-slot')).toBeNull();
+        });
+        (0, vitest_1.it)('returns null when secret value is undefined', async () => {
+            secretsMock.getSecret.mockResolvedValue({
+                value: undefined,
+                properties: { contentType: 'active' },
+            });
+            (0, vitest_1.expect)(await store.findByRef('openai-prod-slot')).toBeNull();
+        });
+        (0, vitest_1.it)('returns null without throwing when getSecret throws', async () => {
+            secretsMock.getSecret.mockRejectedValue(new Error('SecretNotFound'));
+            (0, vitest_1.expect)(await store.findByRef('missing-ref')).toBeNull();
+        });
+    });
+    // ─── listActive() ───────────────────────────────────────────────────────────
+    (0, vitest_1.describe)('listActive()', () => {
+        (0, vitest_1.it)('returns active credentials iterated from listPropertiesOfSecrets and fetched via getSecret', async () => {
+            const cred = makeCred();
+            secretsMock.listPropertiesOfSecrets.mockReturnValue((async function* () {
+                yield { contentType: 'active', enabled: true, name: 'openai-prod-slot' };
+            })());
+            secretsMock.getSecret.mockResolvedValue(makeSecretResponse(cred));
+            const results = await store.listActive();
+            (0, vitest_1.expect)(results).toHaveLength(1);
+            (0, vitest_1.expect)(results[0]).toEqual(cred);
+        });
+        (0, vitest_1.it)('skips secrets with contentType !== active without calling getSecret', async () => {
+            secretsMock.listPropertiesOfSecrets.mockReturnValue((async function* () {
+                yield { contentType: 'pending', enabled: true, name: 'pending-slot' };
+            })());
+            (0, vitest_1.expect)(await store.listActive()).toHaveLength(0);
+            (0, vitest_1.expect)(secretsMock.getSecret).not.toHaveBeenCalled();
+        });
+        (0, vitest_1.it)('skips secrets with enabled=false', async () => {
+            secretsMock.listPropertiesOfSecrets.mockReturnValue((async function* () {
+                yield { contentType: 'active', enabled: false, name: 'disabled-slot' };
+            })());
+            (0, vitest_1.expect)(await store.listActive()).toHaveLength(0);
+        });
+        (0, vitest_1.it)('returns empty array when listPropertiesOfSecrets throws (Key Vault unreachable)', async () => {
+            secretsMock.listPropertiesOfSecrets.mockReturnValue(
+            // eslint-disable-next-line require-yield
+            (async function* () {
+                throw new Error('KeyVaultUnavailable');
+            })());
+            (0, vitest_1.expect)(await store.listActive()).toEqual([]);
+        });
+    });
+    // ─── listByKind() ───────────────────────────────────────────────────────────
+    (0, vitest_1.describe)('listByKind()', () => {
+        (0, vitest_1.it)('returns only credentials matching the requested kind', async () => {
+            const fixed = makeCred({ kind: 'fixed', id: 'cred-fixed', ref: 'fixed-slot' });
+            const delegated = makeCred({ kind: 'user-delegated', id: 'cred-user', ref: 'user-slot' });
+            secretsMock.listPropertiesOfSecrets.mockReturnValue((async function* () {
+                yield { contentType: 'active', enabled: true, name: 'fixed-slot' };
+                yield { contentType: 'active', enabled: true, name: 'user-slot' };
+            })());
+            secretsMock.getSecret
+                .mockResolvedValueOnce(makeSecretResponse(fixed))
+                .mockResolvedValueOnce(makeSecretResponse(delegated));
+            const result = await store.listByKind('fixed');
+            (0, vitest_1.expect)(result).toHaveLength(1);
+            (0, vitest_1.expect)(result[0].kind).toBe('fixed');
+        });
+    });
+    // ─── reserve() ──────────────────────────────────────────────────────────────
+    (0, vitest_1.describe)('reserve()', () => {
+        (0, vitest_1.it)('returns true when no existing lock is found (getEntity throws) and upsert succeeds', async () => {
+            tableMock.getEntity.mockRejectedValue(new Error('EntityNotFound'));
+            tableMock.upsertEntity.mockResolvedValue({});
+            (0, vitest_1.expect)(await store.reserve('cred-ref', 'mig-1', 300)).toBe(true);
+        });
+        (0, vitest_1.it)('returns false when a different migration holds an unexpired lock', async () => {
+            const futureExpiry = Math.floor(Date.now() / 1000) + 600;
+            tableMock.getEntity.mockResolvedValue({
+                migrationId: 'other-migration',
+                expiresAt: futureExpiry,
+            });
+            (0, vitest_1.expect)(await store.reserve('cred-ref', 'mig-2', 300)).toBe(false);
+        });
+        (0, vitest_1.it)('returns true when the same migration re-acquires its own lock', async () => {
+            const futureExpiry = Math.floor(Date.now() / 1000) + 600;
+            tableMock.getEntity.mockResolvedValue({
+                migrationId: 'mig-1',
+                expiresAt: futureExpiry,
+            });
+            tableMock.upsertEntity.mockResolvedValue({});
+            (0, vitest_1.expect)(await store.reserve('cred-ref', 'mig-1', 300)).toBe(true);
+        });
+    });
+    // ─── release() ──────────────────────────────────────────────────────────────
+    (0, vitest_1.describe)('release()', () => {
+        (0, vitest_1.it)('deletes the entity when migrationId matches the stored lock owner', async () => {
+            tableMock.getEntity.mockResolvedValue({
+                migrationId: 'mig-1',
+                expiresAt: Math.floor(Date.now() / 1000) + 600,
+            });
+            tableMock.deleteEntity.mockResolvedValue({});
+            await store.release('cred-ref', 'mig-1');
+            (0, vitest_1.expect)(tableMock.deleteEntity).toHaveBeenCalledWith('lock', 'cred-ref');
+        });
+        (0, vitest_1.it)('does not call deleteEntity when migrationId does not match the stored lock', async () => {
+            tableMock.getEntity.mockResolvedValue({
+                migrationId: 'other-mig',
+                expiresAt: Math.floor(Date.now() / 1000) + 600,
+            });
+            await store.release('cred-ref', 'mig-1');
+            (0, vitest_1.expect)(tableMock.deleteEntity).not.toHaveBeenCalled();
+        });
+        (0, vitest_1.it)('resolves without throwing when getEntity throws (lock already released)', async () => {
+            tableMock.getEntity.mockRejectedValue(new Error('EntityNotFound'));
+            await (0, vitest_1.expect)(store.release('cred-ref', 'mig-1')).resolves.toBeUndefined();
+        });
+    });
+});
+//# sourceMappingURL=azure.test.js.map

package/dist/esm/azure.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"azure.test.js","sourceRoot":"","sources":["../../src/azure.test.ts"],"names":[],"mappings":";;AAAA,mCAA8D;AAE9D,6EAA6E;AAC7E,wDAAwD;AACxD,WAAE,CAAC,IAAI,CAAC,iBAAiB,EAAE,GAAG,EAAE,CAAC,CAAC;IAChC,sBAAsB,EAAE,WAAE,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC;CAC1C,CAAC,CAAC,CAAC;AAEJ,WAAE,CAAC,IAAI,CAAC,yBAAyB,EAAE,GAAG,EAAE,CAAC,CAAC;IACxC,YAAY,EAAE,WAAE,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC;QACzB,SAAS,EAAE,WAAE,CAAC,EAAE,EAAE;QAClB,uBAAuB,EAAE,WAAE,CAAC,EAAE,EAAE;KACjC,CAAC,CAAC;CACJ,CAAC,CAAC,CAAC;AAEJ,WAAE,CAAC,IAAI,CAAC,oBAAoB,EAAE,GAAG,EAAE,CAAC,CAAC;IACnC,WAAW,EAAE,WAAE,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC;QACxB,SAAS,EAAE,WAAE,CAAC,EAAE,EAAE;QAClB,YAAY,EAAE,WAAE,CAAC,EAAE,EAAE;QACrB,YAAY,EAAE,WAAE,CAAC,EAAE,EAAE;KACtB,CAAC,CAAC;IACH,KAAK,EAAE,WAAE,CAAC,EAAE,CAAC,CAAC,CAAS,EAAE,EAAE,CAAC,CAAC,CAAC;CAC/B,CAAC,CAAC,CAAC;AAEJ,yCAA0D;AAG1D,MAAM,QAAQ,GAAG,CAAC,YAAiC,EAAE,EAAc,EAAE,CAAC,CAAC;IACrE,EAAE,EAAE,aAAa;IACjB,IAAI,EAAE,OAAO;IACb,IAAI,EAAE,YAAY;IAClB,KAAK,EAAE,QAAQ;IACf,MAAM,EAAE,QAAQ;IAChB,QAAQ,EAAE,QAAQ;IAClB,GAAG,EAAE,kBAAkB;IACvB,GAAG,SAAS;CACb,CAAC,CAAC;AAEH,qEAAqE;AACrE,MAAM,kBAAkB,GAAG,CAAC,IAAgB,EAAE,EAAE,CAAC,CAAC;IAChD,KAAK,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC;IAC3B,UAAU,EAAE,EAAE,WAAW,EAAE,IAAI,CAAC,MAAM,EAAE;CACzC,CAAC,CAAC;AAEH,IAAA,iBAAQ,EAAC,8BAA8B,EAAE,GAAG,EAAE;IAC5C,IAAI,KAAmC,CAAC;IACxC,IAAI,WAGH,CAAC;IACF,IAAI,SAIH,CAAC;IAEF,IAAA,mBAAU,EAAC,GAAG,EAAE;QACd,WAAE,CAAC,aAAa,EAAE,CAAC;QACnB,KAAK,GAAG,IAAI,uCAA4B,CAAC;YACvC,WAAW,EAAE,8BAA8B;YAC3C,cAAc,EAAE,qCAAqC;SACtD,CAAC,CAAC;QACH,8DAA8D;QAC9D,WAAW,GAAI,KAAa,CAAC,OAA6B,CAAC;QAC3D,SAAS,GAAI,KAAa,CAAC,KAAyB,CAAC;IACvD,CAAC,CAAC,CAAC;IAEH,+EAA+E;IAE/E,IAAA,iBAAQ,EAAC,aAAa,EAAE,GAAG,EAAE;QAC3B,IAAA,WAAE,EAAC,sEAAsE,EAAE,GAAG,EAAE;YAC9E,OAAO,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC;YACzC,IAAA,eAAM,EACJ,GAAG,EAAE,CACH,IAAI,uCAA4B,CAAC;gBAC/B,cAAc,EAAE,qCAAqC;aACtD,CAAC,CACL,CAAC,OAAO,CAAC,yBAAyB,CAAC,CAAC;QACvC,CAAC,CAAC,CAAC;QAEH,IAAA,WAAE,EAAC,yEAAyE,EAAE,GAAG,EAAE;YACjF,OAAO,OAAO,CAAC,GAAG,CAAC,uBAAuB,CAAC,CAAC;YAC5C,IAAA,eAAM,EACJ,GAAG,EAAE,CACH,IAAI,uCAA4B,CAAC;gBAC/B,WAAW,EAAE,8BAA8B;aAC5C,CAAC,CACL,CAAC,OAAO,CAAC,4BAA4B,CAAC,CAAC;QAC1C,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,+EAA+E;IAE/E,IAAA,iBAAQ,EAAC,aAAa,EAAE,GAAG,EAAE;QAC3B,IAAA,WAAE,EAAC,mFAAmF,EAAE,KAAK,IAAI,EAAE;YACjG,MAAM,IAAI,GAAG,QAAQ,EAAE,CAAC;YACxB,WAAW,CAAC,SAAS,CAAC,iBAAiB,CAAC,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC;YAClE,IAAA,eAAM,EAAC,MAAM,KAAK,CAAC,SAAS,CAAC,kBAAkB,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QAClE,CAAC,CAAC,CAAC;QAEH,IAAA,WAAE,EAAC,wEAAwE,EAAE,KAAK,IAAI,EAAE;YACtF,MAAM,IAAI,GAAG,QAAQ,CAAC,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC,CAAC;YAC7C,WAAW,CAAC,SAAS,CAAC,iBAAiB,CAAC;gBACtC,KAAK,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC;gBAC3B,UAAU,EAAE,EAAE,WAAW,EAAE,SAAS,EAAE;aACvC,CAAC,CAAC;YACH,IAAA,eAAM,EAAC,MAAM,KAAK,CAAC,SAAS,CAAC,kBAAkB,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC;QAC/D,CAAC,CAAC,CAAC;QAEH,IAAA,WAAE,EAAC,6CAA6C,EAAE,KAAK,IAAI,EAAE;YAC3D,WAAW,CAAC,SAAS,CAAC,iBAAiB,CAAC;gBACtC,KAAK,EAAE,SAAS;gBAChB,UAAU,EAAE,EAAE,WAAW,EAAE,QAAQ,EAAE;aACtC,CAAC,CAAC;YACH,IAAA,eAAM,EAAC,MAAM,KAAK,CAAC,SAAS,CAAC,kBAAkB,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC;QAC/D,CAAC,CAAC,CAAC;QAEH,IAAA,WAAE,EAAC,qDAAqD,EAAE,KAAK,IAAI,EAAE;YACnE,WAAW,CAAC,SAAS,CAAC,iBAAiB,CAAC,IAAI,KAAK,CAAC,gBAAgB,CAAC,CAAC,CAAC;YACrE,IAAA,eAAM,EAAC,MAAM,KAAK,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC;QAC1D,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,+EAA+E;IAE/E,IAAA,iBAAQ,EAAC,cAAc,EAAE,GAAG,EAAE;QAC5B,IAAA,WAAE,EAAC,4FAA4F,EAAE,KAAK,IAAI,EAAE;YAC1G,MAAM,IAAI,GAAG,QAAQ,EAAE,CAAC;YACxB,WAAW,CAAC,uBAAuB,CAAC,eAAe,CACjD,CAAC,KAAK,SAAS,CAAC;gBACd,MAAM,EAAE,WAAW,EAAE,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,kBAAkB,EAAE,CAAC;YAC3E,CAAC,CAAC,EAAE,CACL,CAAC;YACF,WAAW,CAAC,SAAS,CAAC,iBAAiB,CAAC,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC;YAClE,MAAM,OAAO,GAAG,MAAM,KAAK,CAAC,UAAU,EAAE,CAAC;YACzC,IAAA,eAAM,EAAC,OAAO,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;YAChC,IAAA,eAAM,EAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QACnC,CAAC,CAAC,CAAC;QAEH,IAAA,WAAE,EAAC,qEAAqE,EAAE,KAAK,IAAI,EAAE;YACnF,WAAW,CAAC,uBAAuB,CAAC,eAAe,CACjD,CAAC,KAAK,SAAS,CAAC;gBACd,MAAM,EAAE,WAAW,EAAE,SAAS,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC;YACxE,CAAC,CAAC,EAAE,CACL,CAAC;YACF,IAAA,eAAM,EAAC,MAAM,KAAK,CAAC,UAAU,EAAE,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;YACjD,IAAA,eAAM,EAAC,WAAW,CAAC,SAAS,CAAC,CAAC,GAAG,CAAC,gBAAgB,EAAE,CAAC;QACvD,CAAC,CAAC,CAAC;QAEH,IAAA,WAAE,EAAC,kCAAkC,EAAE,KAAK,IAAI,EAAE;YAChD,WAAW,CAAC,uBAAuB,CAAC,eAAe,CACjD,CAAC,KAAK,SAAS,CAAC;gBACd,MAAM,EAAE,WAAW,EAAE,QAAQ,EAAE,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,eAAe,EAAE,CAAC;YACzE,CAAC,CAAC,EAAE,CACL,CAAC;YACF,IAAA,eAAM,EAAC,MAAM,KAAK,CAAC,UAAU,EAAE,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACnD,CAAC,CAAC,CAAC;QAEH,IAAA,WAAE,EAAC,iFAAiF,EAAE,KAAK,IAAI,EAAE;YAC/F,WAAW,CAAC,uBAAuB,CAAC,eAAe;YACjD,yCAAyC;YACzC,CAAC,KAAK,SAAS,CAAC;gBACd,MAAM,IAAI,KAAK,CAAC,qBAAqB,CAAC,CAAC;YACzC,CAAC,CAAC,EAAE,CACL,CAAC;YACF,IAAA,eAAM,EAAC,MAAM,KAAK,CAAC,UAAU,EAAE,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;QAC/C,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,+EAA+E;IAE/E,IAAA,iBAAQ,EAAC,cAAc,EAAE,GAAG,EAAE;QAC5B,IAAA,WAAE,EAAC,sDAAsD,EAAE,KAAK,IAAI,EAAE;YACpE,MAAM,KAAK,GAAG,QAAQ,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,EAAE,YAAY,EAAE,GAAG,EAAE,YAAY,EAAE,CAAC,CAAC;YAC/E,MAAM,SAAS,GAAG,QAAQ,CAAC,EAAE,IAAI,EAAE,gBAAgB,EAAE,EAAE,EAAE,WAAW,EAAE,GAAG,EAAE,WAAW,EAAE,CAAC,CAAC;YAC1F,WAAW,CAAC,uBAAuB,CAAC,eAAe,CACjD,CAAC,KAAK,SAAS,CAAC;gBACd,MAAM,EAAE,WAAW,EAAE,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,YAAY,EAAE,CAAC;gBACnE,MAAM,EAAE,WAAW,EAAE,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,WAAW,EAAE,CAAC;YACpE,CAAC,CAAC,EAAE,CACL,CAAC;YACF,WAAW,CAAC,SAAS;iBAClB,qBAAqB,CAAC,kBAAkB,CAAC,KAAK,CAAC,CAAC;iBAChD,qBAAqB,CAAC,kBAAkB,CAAC,SAAS,CAAC,CAAC,CAAC;YACxD,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;YAC/C,IAAA,eAAM,EAAC,MAAM,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;YAC/B,IAAA,eAAM,EAAC,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACvC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,+EAA+E;IAE/E,IAAA,iBAAQ,EAAC,WAAW,EAAE,GAAG,EAAE;QACzB,IAAA,WAAE,EAAC,oFAAoF,EAAE,KAAK,IAAI,EAAE;YAClG,SAAS,CAAC,SAAS,CAAC,iBAAiB,CAAC,IAAI,KAAK,CAAC,gBAAgB,CAAC,CAAC,CAAC;YACnE,SAAS,CAAC,YAAY,CAAC,iBAAiB,CAAC,EAAE,CAAC,CAAC;YAC7C,IAAA,eAAM,EAAC,MAAM,KAAK,CAAC,OAAO,CAAC,UAAU,EAAE,OAAO,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACnE,CAAC,CAAC,CAAC;QAEH,IAAA,WAAE,EAAC,kEAAkE,EAAE,KAAK,IAAI,EAAE;YAChF,MAAM,YAAY,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,GAAG,CAAC;YACzD,SAAS,CAAC,SAAS,CAAC,iBAAiB,CAAC;gBACpC,WAAW,EAAE,iBAAiB;gBAC9B,SAAS,EAAE,YAAY;aACxB,CAAC,CAAC;YACH,IAAA,eAAM,EAAC,MAAM,KAAK,CAAC,OAAO,CAAC,UAAU,EAAE,OAAO,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACpE,CAAC,CAAC,CAAC;QAEH,IAAA,WAAE,EAAC,+DAA+D,EAAE,KAAK,IAAI,EAAE;YAC7E,MAAM,YAAY,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,GAAG,CAAC;YACzD,SAAS,CAAC,SAAS,CAAC,iBAAiB,CAAC;gBACpC,WAAW,EAAE,OAAO;gBACpB,SAAS,EAAE,YAAY;aACxB,CAAC,CAAC;YACH,SAAS,CAAC,YAAY,CAAC,iBAAiB,CAAC,EAAE,CAAC,CAAC;YAC7C,IAAA,eAAM,EAAC,MAAM,KAAK,CAAC,OAAO,CAAC,UAAU,EAAE,OAAO,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACnE,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,+EAA+E;IAE/E,IAAA,iBAAQ,EAAC,WAAW,EAAE,GAAG,EAAE;QACzB,IAAA,WAAE,EAAC,mEAAmE,EAAE,KAAK,IAAI,EAAE;YACjF,SAAS,CAAC,SAAS,CAAC,iBAAiB,CAAC;gBACpC,WAAW,EAAE,OAAO;gBACpB,SAAS,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,GAAG;aAC/C,CAAC,CAAC;YACH,SAAS,CAAC,YAAY,CAAC,iBAAiB,CAAC,EAAE,CAAC,CAAC;YAC7C,MAAM,KAAK,CAAC,OAAO,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;YACzC,IAAA,eAAM,EAAC,SAAS,CAAC,YAAY,CAAC,CAAC,oBAAoB,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC;QAC1E,CAAC,CAAC,CAAC;QAEH,IAAA,WAAE,EAAC,4EAA4E,EAAE,KAAK,IAAI,EAAE;YAC1F,SAAS,CAAC,SAAS,CAAC,iBAAiB,CAAC;gBACpC,WAAW,EAAE,WAAW;gBACxB,SAAS,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,GAAG;aAC/C,CAAC,CAAC;YACH,MAAM,KAAK,CAAC,OAAO,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;YACzC,IAAA,eAAM,EAAC,SAAS,CAAC,YAAY,CAAC,CAAC,GAAG,CAAC,gBAAgB,EAAE,CAAC;QACxD,CAAC,CAAC,CAAC;QAEH,IAAA,WAAE,EAAC,yEAAyE,EAAE,KAAK,IAAI,EAAE;YACvF,SAAS,CAAC,SAAS,CAAC,iBAAiB,CAAC,IAAI,KAAK,CAAC,gBAAgB,CAAC,CAAC,CAAC;YACnE,MAAM,IAAA,eAAM,EAAC,KAAK,CAAC,OAAO,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,aAAa,EAAE,CAAC;QAC5E,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/esm/index.js

@@ -0,0 +1,6 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AzureKeyVaultCredentialStore = void 0;
+var AzureKeyVaultCredentialStore_1 = require("./AzureKeyVaultCredentialStore");
+Object.defineProperty(exports, "AzureKeyVaultCredentialStore", { enumerable: true, get: function () { return AzureKeyVaultCredentialStore_1.AzureKeyVaultCredentialStore; } });
+//# sourceMappingURL=index.js.map

package/dist/esm/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";;;AAAA,+EAA8E;AAArE,4IAAA,4BAA4B,OAAA"}

package/dist/types/AzureKeyVaultCredentialStore.d.ts

@@ -0,0 +1,31 @@
+import type { Credential, CredentialKind, CredentialStore } from '@datacules/agent-identity';
+export interface AzureKeyVaultCredentialStoreOptions {
+    /**
+     * Full URL of the Azure Key Vault, e.g. https://my-vault.vault.azure.net
+     * Falls back to AZURE_KEYVAULT_URL environment variable.
+     */
+    keyVaultUrl?: string;
+    /**
+     * Full URL of the Azure Table Storage endpoint,
+     * e.g. https://myaccount.table.core.windows.net
+     * Falls back to AZURE_TABLES_ENDPOINT environment variable.
+     */
+    tablesEndpoint?: string;
+    /**
+     * Name of the Table Storage table used for migration locks.
+     * Default: 'agentidentitylocks'
+     * Note: Azure Table names may not contain hyphens.
+     */
+    locksTable?: string;
+}
+export declare class AzureKeyVaultCredentialStore implements CredentialStore {
+    private readonly secrets;
+    private readonly table;
+    constructor(options?: AzureKeyVaultCredentialStoreOptions);
+    findByRef(ref: string): Promise<Credential | null>;
+    listActive(): Promise<Credential[]>;
+    listByKind(kind: CredentialKind): Promise<Credential[]>;
+    reserve(ref: string, migrationId: string, ttlSeconds: number): Promise<boolean>;
+    release(ref: string, migrationId: string): Promise<void>;
+}
+//# sourceMappingURL=AzureKeyVaultCredentialStore.d.ts.map

package/dist/types/AzureKeyVaultCredentialStore.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"AzureKeyVaultCredentialStore.d.ts","sourceRoot":"","sources":["../../src/AzureKeyVaultCredentialStore.ts"],"names":[],"mappings":"AAkCA,OAAO,KAAK,EAAE,UAAU,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,2BAA2B,CAAC;AAE7F,MAAM,WAAW,mCAAmC;IAClD;;;OAGG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB;;;;OAIG;IACH,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB;;;;OAIG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AASD,qBAAa,4BAA6B,YAAW,eAAe;IAClE,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAe;IACvC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAc;gBAExB,OAAO,GAAE,mCAAwC;IA4BvD,SAAS,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC;IAalD,UAAU,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;IAwBnC,UAAU,CAAC,IAAI,EAAE,cAAc,GAAG,OAAO,CAAC,UAAU,EAAE,CAAC;IAOvD,OAAO,CAAC,GAAG,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAkC/E,OAAO,CAAC,GAAG,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAU/D"}

package/dist/types/azure.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=azure.test.d.ts.map

package/dist/types/azure.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"azure.test.d.ts","sourceRoot":"","sources":["../../src/azure.test.ts"],"names":[],"mappings":""}

package/{src/index.ts → dist/types/index.d.ts}

@@ -1,2 +1,3 @@
 export { AzureKeyVaultCredentialStore } from './AzureKeyVaultCredentialStore';
 export type { AzureKeyVaultCredentialStoreOptions } from './AzureKeyVaultCredentialStore';
+//# sourceMappingURL=index.d.ts.map

package/dist/types/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,4BAA4B,EAAE,MAAM,gCAAgC,CAAC;AAC9E,YAAY,EAAE,mCAAmC,EAAE,MAAM,gCAAgC,CAAC"}

package/package.json

@@ -1,8 +1,23 @@
 {
   "name": "@datacules/agent-identity-store-azure",
-  "version": "0.11.0",
+  "version": "0.11.1",
   "private": false,
   "description": "Azure Key Vault + Table Storage credential store for @datacules/agent-identity",
+  "author": "Datacules LLC",
+  "license": "SEE LICENSE IN LICENSE",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/hvrcharon1/agent-identity.git",
+    "directory": "packages/stores/azure"
+  },
+  "keywords": [
+    "agent-identity",
+    "azure",
+    "key-vault",
+    "credential-store",
+    "ai-agents",
+    "datacules"
+  ],
   "main": "./dist/cjs/index.js",
   "module": "./dist/esm/index.js",
   "types": "./dist/types/index.d.ts",
@@ -23,7 +38,7 @@
     "@azure/identity": "^4.3.0"
   },
   "peerDependencies": {
-    "@datacules/agent-identity": "^0.6.0"
+    "@datacules/agent-identity": "^0.11.1"
   },
   "devDependencies": {
     "@datacules/agent-identity": "*",
@@ -31,6 +46,7 @@
   },
   "files": [
     "dist",
-    "src"
+    "README.md",
+    "LICENSE"
   ]
 }

package/src/AzureKeyVaultCredentialStore.ts

@@ -1,184 +0,0 @@
-/**
- * Azure Key Vault + Azure Table Storage CredentialStore implementation.
- *
- * Key Vault holds each credential as a secret whose name is the credential ref.
- * The secret value is the JSON-serialised Credential object.
- * The secret's "content-type" tag carries the status (active | pending | revoked)
- * so listActive() can skip inactive secrets without fetching their values.
- *
- * Table Storage holds migration reservation locks.
- * Table name: agent-identity-locks
- * Partition key: "lock"  (constant — all locks in one partition for simplicity)
- * Row key: the credential ref being locked
- * Columns: migrationId (string), expiresAt (number — Unix epoch seconds)
- *
- * Azure setup:
- *   1. Create an Azure Key Vault and store each Credential as a JSON secret.
- *      Set the secret's ContentType to "active", "pending", or "revoked".
- *   2. Create a Storage Account and a Table named "agentidentitylocks".
- *      (Table names may not contain hyphens — use "agentidentitylocks".)
- *   3. Grant the running identity:
- *        Key Vault Secrets User  (read secrets)
- *        Key Vault Secrets Officer  (only needed for write operations)
- *        Storage Table Data Contributor  (read + write locks table)
- *   4. Set AZURE_KEYVAULT_URL and AZURE_TABLES_ENDPOINT environment variables,
- *      or pass them as constructor options.
- *      DefaultAzureCredential resolves auth automatically from:
- *        - Managed Identity (production)
- *        - AZURE_CLIENT_ID / AZURE_TENANT_ID / AZURE_CLIENT_SECRET env vars
- *        - Azure CLI (local development)
- *        - Workload Identity (AKS)
- */
-import { SecretClient } from '@azure/keyvault-secrets';
-import { TableClient, odata } from '@azure/data-tables';
-import { DefaultAzureCredential } from '@azure/identity';
-import type { Credential, CredentialKind, CredentialStore } from '@datacules/agent-identity';
-
-export interface AzureKeyVaultCredentialStoreOptions {
-  /**
-   * Full URL of the Azure Key Vault, e.g. https://my-vault.vault.azure.net
-   * Falls back to AZURE_KEYVAULT_URL environment variable.
-   */
-  keyVaultUrl?: string;
-  /**
-   * Full URL of the Azure Table Storage endpoint,
-   * e.g. https://myaccount.table.core.windows.net
-   * Falls back to AZURE_TABLES_ENDPOINT environment variable.
-   */
-  tablesEndpoint?: string;
-  /**
-   * Name of the Table Storage table used for migration locks.
-   * Default: 'agentidentitylocks'
-   * Note: Azure Table names may not contain hyphens.
-   */
-  locksTable?: string;
-}
-
-interface LockEntity {
-  partitionKey: string;
-  rowKey: string;
-  migrationId: string;
-  expiresAt: number;
-}
-
-export class AzureKeyVaultCredentialStore implements CredentialStore {
-  private readonly secrets: SecretClient;
-  private readonly table: TableClient;
-
-  constructor(options: AzureKeyVaultCredentialStoreOptions = {}) {
-    const vaultUrl =
-      options.keyVaultUrl ?? process.env['AZURE_KEYVAULT_URL'] ?? '';
-    if (!vaultUrl) {
-      throw new Error(
-        'AzureKeyVaultCredentialStore: keyVaultUrl is required. ' +
-          'Pass it as an option or set AZURE_KEYVAULT_URL.'
-      );
-    }
-
-    const tablesEndpoint =
-      options.tablesEndpoint ?? process.env['AZURE_TABLES_ENDPOINT'] ?? '';
-    if (!tablesEndpoint) {
-      throw new Error(
-        'AzureKeyVaultCredentialStore: tablesEndpoint is required. ' +
-          'Pass it as an option or set AZURE_TABLES_ENDPOINT.'
-      );
-    }
-
-    const locksTable = options.locksTable ?? 'agentidentitylocks';
-    const credential = new DefaultAzureCredential();
-
-    this.secrets = new SecretClient(vaultUrl, credential);
-    this.table = new TableClient(tablesEndpoint, locksTable, credential);
-  }
-
-  // ─── CredentialStore: reads ──────────────────────────────────────────────
-
-  async findByRef(ref: string): Promise<Credential | null> {
-    try {
-      const secret = await this.secrets.getSecret(ref);
-      if (!secret.value) return null;
-      // contentType carries status; skip non-active secrets without parsing JSON
-      if (secret.properties.contentType !== 'active') return null;
-      const cred: Credential = JSON.parse(secret.value);
-      return cred.status === 'active' ? cred : null;
-    } catch {
-      return null;
-    }
-  }
-
-  async listActive(): Promise<Credential[]> {
-    const results: Credential[] = [];
-    try {
-      for await (const secretProperties of this.secrets.listPropertiesOfSecrets()) {
-        // Only fetch value for secrets tagged as active
-        if (secretProperties.contentType !== 'active') continue;
-        if (!secretProperties.enabled) continue;
-        const name = secretProperties.name;
-        if (!name) continue;
-        try {
-          const secret = await this.secrets.getSecret(name);
-          if (!secret.value) continue;
-          const cred: Credential = JSON.parse(secret.value);
-          if (cred.status === 'active') results.push(cred);
-        } catch {
-          // malformed secret — skip
-        }
-      }
-    } catch {
-      // Key Vault unreachable — return empty rather than throw
-    }
-    return results;
-  }
-
-  async listByKind(kind: CredentialKind): Promise<Credential[]> {
-    const all = await this.listActive();
-    return all.filter((c) => c.kind === kind);
-  }
-
-  // ─── CredentialStore: migration locks ────────────────────────────────────
-
-  async reserve(ref: string, migrationId: string, ttlSeconds: number): Promise<boolean> {
-    const expiresAt = Math.floor(Date.now() / 1000) + ttlSeconds;
-    const nowSeconds = Math.floor(Date.now() / 1000);
-
-    // Check for an existing unexpired lock held by a different migration
-    try {
-      const existing = await this.table.getEntity<LockEntity>('lock', ref);
-      if (
-        existing.migrationId !== migrationId &&
-        existing.expiresAt > nowSeconds
-      ) {
-        return false; // locked by another migration and not yet expired
-      }
-    } catch {
-      // Entity does not exist — proceed to create
-    }
-
-    // Upsert the lock (merge semantics — overwrites existing row if present)
-    try {
-      await this.table.upsertEntity<LockEntity>(
-        {
-          partitionKey: 'lock',
-          rowKey: ref,
-          migrationId,
-          expiresAt,
-        },
-        'Replace'
-      );
-      return true;
-    } catch {
-      return false;
-    }
-  }
-
-  async release(ref: string, migrationId: string): Promise<void> {
-    try {
-      const existing = await this.table.getEntity<LockEntity>('lock', ref);
-      // Only delete if this migration owns the lock
-      if (existing.migrationId !== migrationId) return;
-      await this.table.deleteEntity('lock', ref);
-    } catch {
-      // Already released or never held — idempotent
-    }
-  }
-}