@datacules/agent-identity-store-dynamic 0.9.0 → 0.11.0

package/README.md

@@ -1,6 +1,10 @@
+<p align="center">
+  <img src="../../../assets/logo.svg" alt="Agent Identity — by Datacules LLC" width="360"/>
+</p>
+
 # `@datacules/agent-identity-store-dynamic`
 
-Just-in-time credential provisioning for [`@datacules/agent-identity`](../../core). Credentials don't exist until the agent requests them — minted on demand with a short TTL, revoked automatically by the upstream system.
+JIT (Just-in-Time) credential provisioning store for the agent-identity framework. Mints short-lived secrets on demand via Vault dynamic secrets, AWS IAM Roles Anywhere, or Azure Managed Identity. Zero static secrets at rest.
 
 ## Install
 
@@ -8,74 +12,56 @@ Just-in-time credential provisioning for [`@datacules/agent-identity`](../../cor
 npm install @datacules/agent-identity-store-dynamic
 ```
 
-## Why JIT?
-
-With static credential stores, long-lived secrets sit at rest — if the store is compromised, every credential in it is exposed. With JIT provisioning, there are no stored secrets: the store calls your vault on every resolution and gets back a short-lived lease. After the TTL (15–60 minutes) the upstream system revokes the secret automatically. The blast radius of any store compromise collapses to a single active session at most.
-
 ## Usage
 
-### Vault dynamic secrets
-
 ```typescript
-import { DynamicCredentialStore, VaultDynamicProvisioner } from '@datacules/agent-identity-store-dynamic';
-import { createRouterFromStore } from '@datacules/agent-identity';
+import { DynamicCredentialStore }  from '@datacules/agent-identity-store-dynamic';
+import { createRouterFromStore }  from '@datacules/agent-identity';
 
+// Vault dynamic secrets
 const store = new DynamicCredentialStore({
-  provisioner: new VaultDynamicProvisioner({
-    vaultAddr: 'http://vault:8200',
-    token: process.env.VAULT_TOKEN!,
-    mount: 'database',
-    role: 'crm-readonly',
-    ttl: '30m',
-  }),
+  provisioner: 'vault-dynamic',
+  vaultAddr:   process.env.VAULT_ADDR!,
+  vaultToken:  process.env.VAULT_TOKEN!,
+  roleName:    'agent-identity-db-role',
+  ttl:         '1h',
 });
 
-const router = createRouterFromStore(store, rules, logger);
-const resolved = await router.resolveAsync(ctx);
-// resolved.ref → Vault lease ID — use this to fetch the actual secret server-side
-// resolved.expiresAt → when the lease expires
-```
-
-### AWS IAM Roles Anywhere
-
-```typescript
-import { DynamicCredentialStore, AwsRolesAnywhereProvisioner } from '@datacules/agent-identity-store-dynamic';
+// AWS IAM Roles Anywhere
+const store = new DynamicCredentialStore({
+  provisioner:     'aws-iam-roles-anywhere',
+  profileArn:      'arn:aws:rolesanywhere:us-east-1:...',
+  roleArn:         'arn:aws:iam::...:role/AgentIdentityRole',
+  trustAnchorArn:  'arn:aws:rolesanywhere:us-east-1:...',
+  certificatePath: '/run/spire/svid.pem',
+  privateKeyPath:  '/run/spire/svid-key.pem',
+});
 
+// Azure Managed Identity
 const store = new DynamicCredentialStore({
-  provisioner: new AwsRolesAnywhereProvisioner({
-    profileArn: 'arn:aws:rolesanywhere:us-east-1:...',
-    roleArn: 'arn:aws:iam::...:role/agent-role',
-    trustAnchorArn: 'arn:aws:rolesanywhere:us-east-1:...',
-    region: 'us-east-1',
-    durationSeconds: 3600,
-  }),
+  provisioner: 'azure-managed-identity',
+  resource:    'https://management.azure.com/',
+  clientId:    process.env.AZURE_CLIENT_ID, // optional for user-assigned MI
 });
+
+const router = createRouterFromStore(store, rules, logger);
 ```
 
-### Custom provisioner
+## How it works
 
-```typescript
-import type { DynamicProvisioner, ProvisionedSecret } from '@datacules/agent-identity-store-dynamic';
-
-class MyProvisioner implements DynamicProvisioner {
-  id = 'my-vault';
-
-  async provision(ref: string): Promise<ProvisionedSecret> {
-    // Call your secret management system here
-    const { leaseId, ttlSeconds, secret } = await myVault.issue(ref);
-    return {
-      leaseId,
-      expiresAt: new Date(Date.now() + ttlSeconds * 1000).toISOString(),
-      secret,
-    };
-  }
-
-  async revoke(leaseId: string): Promise<void> {
-    await myVault.revoke(leaseId);
-  }
-}
-```
+1. On the first `findByRef(ref)` call for a slot, the provisioner mints a new secret (DB password, IAM session token, etc.) from the backend.
+2. The minted credential is cached in-memory until 60 seconds before its TTL expires.
+3. On expiry, the next `findByRef()` call provisions a fresh secret automatically.
+4. A full store compromise reveals only the cached in-flight secrets — no long-lived secrets exist anywhere.
+
+## TTL considerations
+
+| Provisioner | Typical TTL | Backend revocation |
+|-------------|-------------|--------------------|
+| Vault dynamic secrets | 1 h (configurable) | Vault lease revocation API |
+| AWS IAM Roles Anywhere | 1 h (max 12 h) | IAM session revocation |
+| Azure Managed Identity | 24 h | Azure AD token revocation |
 
-## Caching
+---
 
-By default, unexpired leases are cached in memory and reused until 60 seconds before expiry (configurable via `renewBeforeExpireSeconds`). Set `cache: false` to provision a fresh lease on every resolution.
+Part of the [agent-identity monorepo](https://github.com/hvrcharon1/agent-identity) by [Datacules LLC](https://datacules.com).

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@datacules/agent-identity-store-dynamic",
-  "version": "0.9.0",
+  "version": "0.11.0",
   "private": false,
   "description": "Just-in-time credential provisioning store for @datacules/agent-identity — mints short-lived secrets on demand via Vault dynamic secrets or AWS IAM Roles Anywhere",
   "author": "Datacules LLC",