@datacules/agent-identity-store-vault 0.10.0 → 0.11.1

package/LICENSE

@@ -0,0 +1,109 @@
+Datacules Agent Identity License — Version 1.0
+Copyright (c) 2026 Datacules LLC. All rights reserved.
+
+─────────────────────────────────────────────────────────────────────────────
+PREAMBLE
+─────────────────────────────────────────────────────────────────────────────
+
+This software — Agent Identity & Auth Patterns — is developed and owned by
+Datacules LLC. It is made available to the public as open-source software
+under the permissive terms below.
+
+Datacules LLC retains ownership and authorship of this software while
+granting broad, royalty-free rights for anyone to use, copy, modify, and
+distribute it — in commercial or non-commercial contexts — without requiring
+that derivative works also become open source.
+
+─────────────────────────────────────────────────────────────────────────────
+TERMS AND CONDITIONS
+─────────────────────────────────────────────────────────────────────────────
+
+1. PERMISSION TO USE
+
+   Permission is hereby granted, free of charge, to any person or
+   organization obtaining a copy of this software and associated
+   documentation files (the "Software"), to use, copy, modify, merge,
+   publish, distribute, sublicense, and/or sell copies of the Software,
+   and to permit persons to whom the Software is furnished to do so,
+   subject to the conditions below.
+
+2. ATTRIBUTION
+
+   a. Redistributions of source code must retain this copyright notice,
+      this list of conditions, and the disclaimer below.
+
+   b. Redistributions in binary form or as a product must reproduce this
+      copyright notice, this list of conditions, and the disclaimer in the
+      documentation and/or other materials provided with the distribution.
+
+   c. Neither the name "Datacules LLC" nor the names of its contributors
+      may be used to endorse or promote products derived from this Software
+      without prior written permission from Datacules LLC.
+
+3. COMMERCIAL USE
+
+   Use of this Software in commercial products, SaaS platforms, internal
+   enterprise tools, or any revenue-generating context is explicitly
+   permitted without royalty, fee, or additional licensing agreement,
+   provided that the conditions in Section 2 (Attribution) are met.
+
+4. NO COPYLEFT / NO VIRAL REQUIREMENT
+
+   This license does NOT require that derivative works, modifications,
+   or software that uses or embeds this Software be made open source.
+   You may incorporate this Software into proprietary or closed-source
+   products under your own license terms.
+
+5. MODIFICATIONS
+
+   Modified versions of the Software may be distributed under the same
+   terms as this license or under any other permissive open-source
+   license (e.g. MIT, Apache 2.0, BSD), provided that:
+
+   a. The original copyright notice of Datacules LLC is preserved.
+   b. Modifications are clearly documented and distinguished from the
+      original work.
+
+6. COMPATIBILITY
+
+   This license is compatible with other permissive open-source licenses
+   such as MIT, BSD 2-Clause, BSD 3-Clause, and Apache License 2.0. It
+   is also GPL-compatible — this Software may coexist with GPL-licensed
+   code, though this Software itself is not distributed under the GPL.
+
+─────────────────────────────────────────────────────────────────────────────
+DISCLAIMER
+─────────────────────────────────────────────────────────────────────────────
+
+THIS SOFTWARE IS PROVIDED BY DATACULES LLC AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE,
+AND NON-INFRINGEMENT ARE DISCLAIMED.
+
+IN NO EVENT SHALL DATACULES LLC OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+─────────────────────────────────────────────────────────────────────────────
+SUMMARY (non-binding)
+─────────────────────────────────────────────────────────────────────────────
+
+  ✔  Use freely — commercial, proprietary, or open-source projects
+  ✔  Modify and distribute with or without changes
+  ✔  Sell products built on this Software
+  ✔  No royalties or fees
+  ✔  No requirement to open-source your own code
+  ✔  Attribution to Datacules LLC required in source and binary distributions
+  ✗  Do not use "Datacules LLC" to endorse derived products without permission
+
+─────────────────────────────────────────────────────────────────────────────
+CONTACT
+─────────────────────────────────────────────────────────────────────────────
+
+Datacules LLC
+For licensing enquiries: legal@datacules.com
+Product: https://github.com/hvrcharon1/agent-identity

package/dist/cjs/VaultCredentialStore.js

@@ -0,0 +1,96 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.VaultCredentialStore = void 0;
+class VaultCredentialStore {
+    constructor(options) {
+        this.address = options.address.replace(/\/$/, '');
+        this.token = options.token;
+        this.mountPath = options.mountPath ?? 'secret';
+        this.prefix = options.prefix ?? 'agent-identity';
+    }
+    get headers() {
+        return { 'X-Vault-Token': this.token, 'Content-Type': 'application/json' };
+    }
+    credPath(ref) {
+        return `${this.address}/v1/${this.mountPath}/data/${this.prefix}/${ref}`;
+    }
+    lockPath(ref) {
+        return `${this.address}/v1/${this.mountPath}/data/${this.prefix}/_locks/${ref}`;
+    }
+    async findByRef(ref) {
+        try {
+            const res = await fetch(this.credPath(ref), { headers: this.headers });
+            if (!res.ok)
+                return null;
+            const body = (await res.json());
+            const cred = body.data?.data;
+            return cred?.status === 'active' ? cred : null;
+        }
+        catch {
+            return null;
+        }
+    }
+    async listActive() {
+        try {
+            const res = await fetch(`${this.address}/v1/${this.mountPath}/metadata/${this.prefix}?list=true`, { headers: this.headers });
+            if (!res.ok)
+                return [];
+            const body = await res.json();
+            const keys = body.data?.keys ?? [];
+            const creds = await Promise.all(keys.map((k) => this.findByRef(k)));
+            return creds.filter((c) => c !== null);
+        }
+        catch {
+            return [];
+        }
+    }
+    async listByKind(kind) {
+        const all = await this.listActive();
+        return all.filter((c) => c.kind === kind);
+    }
+    async reserve(ref, migrationId, ttlSeconds) {
+        // Read existing lock
+        try {
+            const res = await fetch(this.lockPath(ref), { headers: this.headers });
+            if (res.ok) {
+                const body = (await res.json());
+                const lock = body.data?.data;
+                if (lock?.migrationId !== migrationId && lock?.expiresAt > Date.now() / 1000) {
+                    return false; // held by another migration
+                }
+            }
+        }
+        catch { /* no existing lock */ }
+        // Write lock
+        const expiresAt = Math.floor(Date.now() / 1000) + ttlSeconds;
+        try {
+            const res = await fetch(this.lockPath(ref), {
+                method: 'POST',
+                headers: this.headers,
+                body: JSON.stringify({ data: { migrationId, expiresAt } }),
+            });
+            return res.ok;
+        }
+        catch {
+            return false;
+        }
+    }
+    async release(ref, migrationId) {
+        try {
+            const res = await fetch(this.lockPath(ref), { headers: this.headers });
+            if (!res.ok)
+                return;
+            const body = (await res.json());
+            const lock = body.data?.data;
+            if (lock?.migrationId !== migrationId)
+                return;
+            await fetch(`${this.address}/v1/${this.mountPath}/data/${this.prefix}/_locks/${ref}`, {
+                method: 'DELETE',
+                headers: this.headers,
+            });
+        }
+        catch { /* idempotent */ }
+    }
+}
+exports.VaultCredentialStore = VaultCredentialStore;
+//# sourceMappingURL=VaultCredentialStore.js.map

package/dist/cjs/VaultCredentialStore.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"VaultCredentialStore.js","sourceRoot":"","sources":["../../src/VaultCredentialStore.ts"],"names":[],"mappings":";;;AAkCA,MAAa,oBAAoB;IAM/B,YAAY,OAAoC;QAC9C,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QAClD,IAAI,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;QAC3B,IAAI,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,QAAQ,CAAC;QAC/C,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,gBAAgB,CAAC;IACnD,CAAC;IAED,IAAY,OAAO;QACjB,OAAO,EAAE,eAAe,EAAE,IAAI,CAAC,KAAK,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC;IAC7E,CAAC;IAEO,QAAQ,CAAC,GAAW;QAC1B,OAAO,GAAG,IAAI,CAAC,OAAO,OAAO,IAAI,CAAC,SAAS,SAAS,IAAI,CAAC,MAAM,IAAI,GAAG,EAAE,CAAC;IAC3E,CAAC;IAEO,QAAQ,CAAC,GAAW;QAC1B,OAAO,GAAG,IAAI,CAAC,OAAO,OAAO,IAAI,CAAC,SAAS,SAAS,IAAI,CAAC,MAAM,WAAW,GAAG,EAAE,CAAC;IAClF,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,GAAW;QACzB,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC;YACvE,IAAI,CAAC,GAAG,CAAC,EAAE;gBAAE,OAAO,IAAI,CAAC;YACzB,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAoB,CAAC;YACnD,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,EAAE,IAA6B,CAAC;YACtD,OAAO,IAAI,EAAE,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC;QACjD,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,KAAK,CAAC,UAAU;QACd,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,KAAK,CACrB,GAAG,IAAI,CAAC,OAAO,OAAO,IAAI,CAAC,SAAS,aAAa,IAAI,CAAC,MAAM,YAAY,EACxE,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,CAC1B,CAAC;YACF,IAAI,CAAC,GAAG,CAAC,EAAE;gBAAE,OAAO,EAAE,CAAC;YACvB,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAkC,CAAC;YAC9D,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,EAAE,IAAI,IAAI,EAAE,CAAC;YACnC,MAAM,KAAK,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAS,EAAE,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;YAC5E,OAAO,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAmB,EAAE,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC;QAC1D,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,IAAoB;QACnC,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC;QACpC,OAAO,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,CAAC,CAAC;IAC5C,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,GAAW,EAAE,WAAmB,EAAE,UAAkB;QAChE,qBAAqB;QACrB,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC;YACvE,IAAI,GAAG,CAAC,EAAE,EAAE,CAAC;gBACX,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAoB,CAAC;gBACnD,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,EAAE,IAA6D,CAAC;gBACtF,IAAI,IAAI,EAAE,WAAW,KAAK,WAAW,IAAI,IAAI,EAAE,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,EAAE,CAAC;oBAC7E,OAAO,KAAK,CAAC,CAAC,4BAA4B;gBAC5C,CAAC;YACH,CAAC;QACH,CAAC;QAAC,MAAM,CAAC,CAAC,sBAAsB,CAAC,CAAC;QAElC,aAAa;QACb,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,UAAU,CAAC;QAC7D,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE;gBAC1C,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,IAAI,CAAC,OAAO;gBACrB,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,IAAI,EAAE,EAAE,WAAW,EAAE,SAAS,EAAE,EAAE,CAAC;aAC3D,CAAC,CAAC;YACH,OAAO,GAAG,CAAC,EAAE,CAAC;QAChB,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,GAAW,EAAE,WAAmB;QAC5C,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC;YACvE,IAAI,CAAC,GAAG,CAAC,EAAE;gBAAE,OAAO;YACpB,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAoB,CAAC;YACnD,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,EAAE,IAA0C,CAAC;YACnE,IAAI,IAAI,EAAE,WAAW,KAAK,WAAW;gBAAE,OAAO;YAC9C,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,OAAO,OAAO,IAAI,CAAC,SAAS,SAAS,IAAI,CAAC,MAAM,WAAW,GAAG,EAAE,EAAE;gBACpF,MAAM,EAAE,QAAQ;gBAChB,OAAO,EAAE,IAAI,CAAC,OAAO;aACtB,CAAC,CAAC;QACL,CAAC;QAAC,MAAM,CAAC,CAAC,gBAAgB,CAAC,CAAC;IAC9B,CAAC;CACF;AAlGD,oDAkGC"}

package/dist/cjs/index.js

@@ -0,0 +1,6 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.VaultCredentialStore = void 0;
+var VaultCredentialStore_1 = require("./VaultCredentialStore");
+Object.defineProperty(exports, "VaultCredentialStore", { enumerable: true, get: function () { return VaultCredentialStore_1.VaultCredentialStore; } });
+//# sourceMappingURL=index.js.map

package/dist/cjs/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";;;AAAA,+DAA8D;AAArD,4HAAA,oBAAoB,OAAA"}

package/dist/esm/VaultCredentialStore.js

@@ -0,0 +1,92 @@
+export class VaultCredentialStore {
+    constructor(options) {
+        this.address = options.address.replace(/\/$/, '');
+        this.token = options.token;
+        this.mountPath = options.mountPath ?? 'secret';
+        this.prefix = options.prefix ?? 'agent-identity';
+    }
+    get headers() {
+        return { 'X-Vault-Token': this.token, 'Content-Type': 'application/json' };
+    }
+    credPath(ref) {
+        return `${this.address}/v1/${this.mountPath}/data/${this.prefix}/${ref}`;
+    }
+    lockPath(ref) {
+        return `${this.address}/v1/${this.mountPath}/data/${this.prefix}/_locks/${ref}`;
+    }
+    async findByRef(ref) {
+        try {
+            const res = await fetch(this.credPath(ref), { headers: this.headers });
+            if (!res.ok)
+                return null;
+            const body = (await res.json());
+            const cred = body.data?.data;
+            return cred?.status === 'active' ? cred : null;
+        }
+        catch {
+            return null;
+        }
+    }
+    async listActive() {
+        try {
+            const res = await fetch(`${this.address}/v1/${this.mountPath}/metadata/${this.prefix}?list=true`, { headers: this.headers });
+            if (!res.ok)
+                return [];
+            const body = await res.json();
+            const keys = body.data?.keys ?? [];
+            const creds = await Promise.all(keys.map((k) => this.findByRef(k)));
+            return creds.filter((c) => c !== null);
+        }
+        catch {
+            return [];
+        }
+    }
+    async listByKind(kind) {
+        const all = await this.listActive();
+        return all.filter((c) => c.kind === kind);
+    }
+    async reserve(ref, migrationId, ttlSeconds) {
+        // Read existing lock
+        try {
+            const res = await fetch(this.lockPath(ref), { headers: this.headers });
+            if (res.ok) {
+                const body = (await res.json());
+                const lock = body.data?.data;
+                if (lock?.migrationId !== migrationId && lock?.expiresAt > Date.now() / 1000) {
+                    return false; // held by another migration
+                }
+            }
+        }
+        catch { /* no existing lock */ }
+        // Write lock
+        const expiresAt = Math.floor(Date.now() / 1000) + ttlSeconds;
+        try {
+            const res = await fetch(this.lockPath(ref), {
+                method: 'POST',
+                headers: this.headers,
+                body: JSON.stringify({ data: { migrationId, expiresAt } }),
+            });
+            return res.ok;
+        }
+        catch {
+            return false;
+        }
+    }
+    async release(ref, migrationId) {
+        try {
+            const res = await fetch(this.lockPath(ref), { headers: this.headers });
+            if (!res.ok)
+                return;
+            const body = (await res.json());
+            const lock = body.data?.data;
+            if (lock?.migrationId !== migrationId)
+                return;
+            await fetch(`${this.address}/v1/${this.mountPath}/data/${this.prefix}/_locks/${ref}`, {
+                method: 'DELETE',
+                headers: this.headers,
+            });
+        }
+        catch { /* idempotent */ }
+    }
+}
+//# sourceMappingURL=VaultCredentialStore.js.map

package/dist/esm/VaultCredentialStore.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"VaultCredentialStore.js","sourceRoot":"","sources":["../../src/VaultCredentialStore.ts"],"names":[],"mappings":"AAkCA,MAAM,OAAO,oBAAoB;IAM/B,YAAY,OAAoC;QAC9C,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QAClD,IAAI,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;QAC3B,IAAI,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,QAAQ,CAAC;QAC/C,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,gBAAgB,CAAC;IACnD,CAAC;IAED,IAAY,OAAO;QACjB,OAAO,EAAE,eAAe,EAAE,IAAI,CAAC,KAAK,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC;IAC7E,CAAC;IAEO,QAAQ,CAAC,GAAW;QAC1B,OAAO,GAAG,IAAI,CAAC,OAAO,OAAO,IAAI,CAAC,SAAS,SAAS,IAAI,CAAC,MAAM,IAAI,GAAG,EAAE,CAAC;IAC3E,CAAC;IAEO,QAAQ,CAAC,GAAW;QAC1B,OAAO,GAAG,IAAI,CAAC,OAAO,OAAO,IAAI,CAAC,SAAS,SAAS,IAAI,CAAC,MAAM,WAAW,GAAG,EAAE,CAAC;IAClF,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,GAAW;QACzB,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC;YACvE,IAAI,CAAC,GAAG,CAAC,EAAE;gBAAE,OAAO,IAAI,CAAC;YACzB,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAoB,CAAC;YACnD,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,EAAE,IAA6B,CAAC;YACtD,OAAO,IAAI,EAAE,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC;QACjD,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,KAAK,CAAC,UAAU;QACd,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,KAAK,CACrB,GAAG,IAAI,CAAC,OAAO,OAAO,IAAI,CAAC,SAAS,aAAa,IAAI,CAAC,MAAM,YAAY,EACxE,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,CAC1B,CAAC;YACF,IAAI,CAAC,GAAG,CAAC,EAAE;gBAAE,OAAO,EAAE,CAAC;YACvB,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAkC,CAAC;YAC9D,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,EAAE,IAAI,IAAI,EAAE,CAAC;YACnC,MAAM,KAAK,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAS,EAAE,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;YAC5E,OAAO,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAmB,EAAE,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC;QAC1D,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,IAAoB;QACnC,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC;QACpC,OAAO,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,CAAC,CAAC;IAC5C,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,GAAW,EAAE,WAAmB,EAAE,UAAkB;QAChE,qBAAqB;QACrB,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC;YACvE,IAAI,GAAG,CAAC,EAAE,EAAE,CAAC;gBACX,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAoB,CAAC;gBACnD,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,EAAE,IAA6D,CAAC;gBACtF,IAAI,IAAI,EAAE,WAAW,KAAK,WAAW,IAAI,IAAI,EAAE,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,EAAE,CAAC;oBAC7E,OAAO,KAAK,CAAC,CAAC,4BAA4B;gBAC5C,CAAC;YACH,CAAC;QACH,CAAC;QAAC,MAAM,CAAC,CAAC,sBAAsB,CAAC,CAAC;QAElC,aAAa;QACb,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,UAAU,CAAC;QAC7D,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE;gBAC1C,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,IAAI,CAAC,OAAO;gBACrB,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,IAAI,EAAE,EAAE,WAAW,EAAE,SAAS,EAAE,EAAE,CAAC;aAC3D,CAAC,CAAC;YACH,OAAO,GAAG,CAAC,EAAE,CAAC;QAChB,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,GAAW,EAAE,WAAmB;QAC5C,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC;YACvE,IAAI,CAAC,GAAG,CAAC,EAAE;gBAAE,OAAO;YACpB,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAoB,CAAC;YACnD,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,EAAE,IAA0C,CAAC;YACnE,IAAI,IAAI,EAAE,WAAW,KAAK,WAAW;gBAAE,OAAO;YAC9C,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,OAAO,OAAO,IAAI,CAAC,SAAS,SAAS,IAAI,CAAC,MAAM,WAAW,GAAG,EAAE,EAAE;gBACpF,MAAM,EAAE,QAAQ;gBAChB,OAAO,EAAE,IAAI,CAAC,OAAO;aACtB,CAAC,CAAC;QACL,CAAC;QAAC,MAAM,CAAC,CAAC,gBAAgB,CAAC,CAAC;IAC9B,CAAC;CACF"}

package/dist/esm/index.js

@@ -0,0 +1,2 @@
+export { VaultCredentialStore } from './VaultCredentialStore';
+//# sourceMappingURL=index.js.map

package/dist/esm/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,oBAAoB,EAAE,MAAM,wBAAwB,CAAC"}

package/dist/types/VaultCredentialStore.d.ts

@@ -0,0 +1,44 @@
+/**
+ * HashiCorp Vault KV v2 CredentialStore implementation.
+ *
+ * Each credential is stored as a JSON object under:
+ *   <mountPath>/data/<ref>
+ *
+ * Example write:
+ *   vault kv put secret/agent-identity/linear-service-account-slot \
+ *     id=cred-linear kind=fixed scope='All projects' status=active ref=linear-service-account-slot
+ *
+ * Vault reservation uses a separate KV path for migration locks:
+ *   <mountPath>/data/_locks/<ref>
+ *
+ * Required Vault policy:
+ *   path "secret/data/agent-identity/*" { capabilities = ["read", "list"] }
+ *   path "secret/data/agent-identity/_locks/*" { capabilities = ["create", "update", "delete", "read"] }
+ */
+import type { Credential, CredentialKind, CredentialStore } from '@datacules/agent-identity';
+export interface VaultCredentialStoreOptions {
+    /** Vault server address e.g. https://vault.example.com */
+    address: string;
+    /** Vault token or AppRole token */
+    token: string;
+    /** KV v2 mount path (default: 'secret') */
+    mountPath?: string;
+    /** Path prefix under mountPath (default: 'agent-identity') */
+    prefix?: string;
+}
+export declare class VaultCredentialStore implements CredentialStore {
+    private readonly address;
+    private readonly token;
+    private readonly mountPath;
+    private readonly prefix;
+    constructor(options: VaultCredentialStoreOptions);
+    private get headers();
+    private credPath;
+    private lockPath;
+    findByRef(ref: string): Promise<Credential | null>;
+    listActive(): Promise<Credential[]>;
+    listByKind(kind: CredentialKind): Promise<Credential[]>;
+    reserve(ref: string, migrationId: string, ttlSeconds: number): Promise<boolean>;
+    release(ref: string, migrationId: string): Promise<void>;
+}
+//# sourceMappingURL=VaultCredentialStore.d.ts.map

package/dist/types/VaultCredentialStore.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"VaultCredentialStore.d.ts","sourceRoot":"","sources":["../../src/VaultCredentialStore.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AACH,OAAO,KAAK,EAAE,UAAU,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,2BAA2B,CAAC;AAE7F,MAAM,WAAW,2BAA2B;IAC1C,0DAA0D;IAC1D,OAAO,EAAE,MAAM,CAAC;IAChB,mCAAmC;IACnC,KAAK,EAAE,MAAM,CAAC;IACd,2CAA2C;IAC3C,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,8DAA8D;IAC9D,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAMD,qBAAa,oBAAqB,YAAW,eAAe;IAC1D,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;IACjC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAS;IAC/B,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAS;IACnC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;gBAEpB,OAAO,EAAE,2BAA2B;IAOhD,OAAO,KAAK,OAAO,GAElB;IAED,OAAO,CAAC,QAAQ;IAIhB,OAAO,CAAC,QAAQ;IAIV,SAAS,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC;IAYlD,UAAU,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;IAgBnC,UAAU,CAAC,IAAI,EAAE,cAAc,GAAG,OAAO,CAAC,UAAU,EAAE,CAAC;IAKvD,OAAO,CAAC,GAAG,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IA2B/E,OAAO,CAAC,GAAG,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAa/D"}

package/{src/index.ts → dist/types/index.d.ts}

@@ -1,2 +1,3 @@
 export { VaultCredentialStore } from './VaultCredentialStore';
 export type { VaultCredentialStoreOptions } from './VaultCredentialStore';
+//# sourceMappingURL=index.d.ts.map

package/dist/types/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,oBAAoB,EAAE,MAAM,wBAAwB,CAAC;AAC9D,YAAY,EAAE,2BAA2B,EAAE,MAAM,wBAAwB,CAAC"}

package/package.json

@@ -1,17 +1,45 @@
 {
   "name": "@datacules/agent-identity-store-vault",
-  "version": "0.10.0",
+  "version": "0.11.1",
   "private": false,
   "description": "HashiCorp Vault KV v2 credential store for @datacules/agent-identity",
+  "author": "Datacules LLC",
+  "license": "SEE LICENSE IN LICENSE",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/hvrcharon1/agent-identity.git",
+    "directory": "packages/stores/vault"
+  },
+  "keywords": [
+    "agent-identity",
+    "hashicorp",
+    "vault",
+    "credential-store",
+    "secrets",
+    "ai-agents",
+    "datacules"
+  ],
   "main": "./dist/cjs/index.js",
   "module": "./dist/esm/index.js",
   "types": "./dist/types/index.d.ts",
+  "exports": {
+    ".": {
+      "import": "./dist/esm/index.js",
+      "require": "./dist/cjs/index.js",
+      "types": "./dist/types/index.d.ts"
+    }
+  },
+  "files": [
+    "dist",
+    "LICENSE",
+    "README.md"
+  ],
   "scripts": {
-    "build": "tsc -p tsconfig.build.json",
+    "build": "tsc -p tsconfig.build.json && tsc -p tsconfig.cjs.json",
     "type-check": "tsc --noEmit"
   },
   "peerDependencies": {
-    "@datacules/agent-identity": "^0.6.0"
+    "@datacules/agent-identity": "^0.11.1"
   },
   "devDependencies": {
     "@datacules/agent-identity": "*",

package/src/VaultCredentialStore.ts

@@ -1,133 +0,0 @@
-/**
- * HashiCorp Vault KV v2 CredentialStore implementation.
- *
- * Each credential is stored as a JSON object under:
- *   <mountPath>/data/<ref>
- *
- * Example write:
- *   vault kv put secret/agent-identity/linear-service-account-slot \
- *     id=cred-linear kind=fixed scope='All projects' status=active ref=linear-service-account-slot
- *
- * Vault reservation uses a separate KV path for migration locks:
- *   <mountPath>/data/_locks/<ref>
- *
- * Required Vault policy:
- *   path "secret/data/agent-identity/*" { capabilities = ["read", "list"] }
- *   path "secret/data/agent-identity/_locks/*" { capabilities = ["create", "update", "delete", "read"] }
- */
-import type { Credential, CredentialKind, CredentialStore } from '@datacules/agent-identity';
-
-export interface VaultCredentialStoreOptions {
-  /** Vault server address e.g. https://vault.example.com */
-  address: string;
-  /** Vault token or AppRole token */
-  token: string;
-  /** KV v2 mount path (default: 'secret') */
-  mountPath?: string;
-  /** Path prefix under mountPath (default: 'agent-identity') */
-  prefix?: string;
-}
-
-interface VaultKVResponse {
-  data: { data: Record<string, unknown> };
-}
-
-export class VaultCredentialStore implements CredentialStore {
-  private readonly address: string;
-  private readonly token: string;
-  private readonly mountPath: string;
-  private readonly prefix: string;
-
-  constructor(options: VaultCredentialStoreOptions) {
-    this.address = options.address.replace(/\/$/, '');
-    this.token = options.token;
-    this.mountPath = options.mountPath ?? 'secret';
-    this.prefix = options.prefix ?? 'agent-identity';
-  }
-
-  private get headers(): Record<string, string> {
-    return { 'X-Vault-Token': this.token, 'Content-Type': 'application/json' };
-  }
-
-  private credPath(ref: string): string {
-    return `${this.address}/v1/${this.mountPath}/data/${this.prefix}/${ref}`;
-  }
-
-  private lockPath(ref: string): string {
-    return `${this.address}/v1/${this.mountPath}/data/${this.prefix}/_locks/${ref}`;
-  }
-
-  async findByRef(ref: string): Promise<Credential | null> {
-    try {
-      const res = await fetch(this.credPath(ref), { headers: this.headers });
-      if (!res.ok) return null;
-      const body = (await res.json()) as VaultKVResponse;
-      const cred = body.data?.data as unknown as Credential;
-      return cred?.status === 'active' ? cred : null;
-    } catch {
-      return null;
-    }
-  }
-
-  async listActive(): Promise<Credential[]> {
-    try {
-      const res = await fetch(
-        `${this.address}/v1/${this.mountPath}/metadata/${this.prefix}?list=true`,
-        { headers: this.headers }
-      );
-      if (!res.ok) return [];
-      const body = await res.json() as { data: { keys: string[] } };
-      const keys = body.data?.keys ?? [];
-      const creds = await Promise.all(keys.map((k: string) => this.findByRef(k)));
-      return creds.filter((c): c is Credential => c !== null);
-    } catch {
-      return [];
-    }
-  }
-
-  async listByKind(kind: CredentialKind): Promise<Credential[]> {
-    const all = await this.listActive();
-    return all.filter((c) => c.kind === kind);
-  }
-
-  async reserve(ref: string, migrationId: string, ttlSeconds: number): Promise<boolean> {
-    // Read existing lock
-    try {
-      const res = await fetch(this.lockPath(ref), { headers: this.headers });
-      if (res.ok) {
-        const body = (await res.json()) as VaultKVResponse;
-        const lock = body.data?.data as unknown as { migrationId: string; expiresAt: number };
-        if (lock?.migrationId !== migrationId && lock?.expiresAt > Date.now() / 1000) {
-          return false; // held by another migration
-        }
-      }
-    } catch { /* no existing lock */ }
-
-    // Write lock
-    const expiresAt = Math.floor(Date.now() / 1000) + ttlSeconds;
-    try {
-      const res = await fetch(this.lockPath(ref), {
-        method: 'POST',
-        headers: this.headers,
-        body: JSON.stringify({ data: { migrationId, expiresAt } }),
-      });
-      return res.ok;
-    } catch {
-      return false;
-    }
-  }
-
-  async release(ref: string, migrationId: string): Promise<void> {
-    try {
-      const res = await fetch(this.lockPath(ref), { headers: this.headers });
-      if (!res.ok) return;
-      const body = (await res.json()) as VaultKVResponse;
-      const lock = body.data?.data as unknown as { migrationId: string };
-      if (lock?.migrationId !== migrationId) return;
-      await fetch(`${this.address}/v1/${this.mountPath}/data/${this.prefix}/_locks/${ref}`, {
-        method: 'DELETE',
-        headers: this.headers,
-      });
-    } catch { /* idempotent */ }
-  }
-}

package/src/vault.test.ts

@@ -1,173 +0,0 @@
-import { describe, it, expect, vi, beforeEach } from 'vitest';
-import { VaultCredentialStore } from './index';
-
-// All HTTP calls are mocked via vi.stubGlobal('fetch', ...).
-// No live HashiCorp Vault instance is required to run these tests.
-const mockFetch = vi.fn();
-vi.stubGlobal('fetch', mockFetch);
-
-const VAULT_ADDR = 'http://vault:8200';
-const TOKEN = 'root-token';
-
-const CRED = {
-  id: 'cred-linear',
-  kind: 'fixed' as const,
-  name: 'Linear Service Account',
-  scope: 'read:all',
-  status: 'active' as const,
-  ref: 'linear-service-account-slot',
-  provider: 'openai' as const,
-};
-
-function makeStore() {
-  return new VaultCredentialStore({ address: VAULT_ADDR, token: TOKEN });
-}
-
-function jsonOk(data: unknown): Response {
-  return { ok: true, json: async () => data } as unknown as Response;
-}
-
-const CRED_VAULT_RESPONSE = { data: { data: CRED } };
-
-describe('VaultCredentialStore', () => {
-  beforeEach(() => vi.clearAllMocks());
-
-  // ── findByRef() ────────────────────────────────────────────────────────────
-
-  describe('findByRef()', () => {
-    it('returns the active credential on a 200 Vault KV v2 response', async () => {
-      mockFetch.mockResolvedValueOnce(jsonOk(CRED_VAULT_RESPONSE));
-      const result = await makeStore().findByRef(CRED.ref);
-      expect(result).toMatchObject({ id: 'cred-linear', status: 'active' });
-    });
-
-    it('sends the X-Vault-Token header with the configured token', async () => {
-      mockFetch.mockResolvedValueOnce(jsonOk(CRED_VAULT_RESPONSE));
-      await makeStore().findByRef(CRED.ref);
-      expect(mockFetch).toHaveBeenCalledWith(
-        `${VAULT_ADDR}/v1/secret/data/agent-identity/${CRED.ref}`,
-        expect.objectContaining({
-          headers: expect.objectContaining({ 'X-Vault-Token': TOKEN }),
-        })
-      );
-    });
-
-    it('returns null when the credential status is not active', async () => {
-      mockFetch.mockResolvedValueOnce(
-        jsonOk({ data: { data: { ...CRED, status: 'revoked' } } })
-      );
-      expect(await makeStore().findByRef(CRED.ref)).toBeNull();
-    });
-
-    it('returns null on a non-ok Vault response (e.g. 404)', async () => {
-      mockFetch.mockResolvedValueOnce({ ok: false } as Response);
-      expect(await makeStore().findByRef('unknown-ref')).toBeNull();
-    });
-
-    it('returns null and does not throw when fetch throws a network error', async () => {
-      mockFetch.mockRejectedValueOnce(new Error('ECONNREFUSED'));
-      await expect(makeStore().findByRef(CRED.ref)).resolves.toBeNull();
-    });
-  });
-
-  // ── listActive() ──────────────────────────────────────────────────────────
-
-  describe('listActive()', () => {
-    it('returns all active credentials via metadata LIST then individual GETs', async () => {
-      // First call: metadata list
-      mockFetch.mockResolvedValueOnce(
-        jsonOk({ data: { keys: [CRED.ref] } })
-      );
-      // Second call: individual credential GET
-      mockFetch.mockResolvedValueOnce(jsonOk(CRED_VAULT_RESPONSE));
-      const result = await makeStore().listActive();
-      expect(result).toHaveLength(1);
-      expect(result[0]).toMatchObject({ id: 'cred-linear', status: 'active' });
-    });
-
-    it('returns an empty array when the metadata list response is not ok', async () => {
-      mockFetch.mockResolvedValueOnce({ ok: false } as Response);
-      expect(await makeStore().listActive()).toEqual([]);
-    });
-
-    it('returns an empty array when fetch throws on the metadata call', async () => {
-      mockFetch.mockRejectedValueOnce(new Error('Vault unreachable'));
-      expect(await makeStore().listActive()).toEqual([]);
-    });
-  });
-
-  // ── listByKind() ──────────────────────────────────────────────────────────
-
-  describe('listByKind()', () => {
-    it('returns only credentials matching the requested kind', async () => {
-      mockFetch.mockResolvedValueOnce(jsonOk({ data: { keys: [CRED.ref] } }));
-      mockFetch.mockResolvedValueOnce(jsonOk(CRED_VAULT_RESPONSE)); // kind: 'fixed'
-      const result = await makeStore().listByKind('fixed');
-      expect(result).toHaveLength(1);
-      expect(result[0].kind).toBe('fixed');
-    });
-
-    it('returns an empty array when no credentials match the requested kind', async () => {
-      mockFetch.mockResolvedValueOnce(jsonOk({ data: { keys: [CRED.ref] } }));
-      mockFetch.mockResolvedValueOnce(jsonOk(CRED_VAULT_RESPONSE)); // kind: 'fixed'
-      // Asking for 'user-delegated' — the fixed credential should not appear
-      const result = await makeStore().listByKind('user-delegated');
-      expect(result).toHaveLength(0);
-    });
-  });
-
-  // ── reserve() ─────────────────────────────────────────────────────────────
-
-  describe('reserve()', () => {
-    it('returns true and writes the lock when no prior lock exists (read → 404)', async () => {
-      mockFetch.mockResolvedValueOnce({ ok: false } as Response); // read → not found
-      mockFetch.mockResolvedValueOnce({ ok: true } as Response);  // write → success
-      expect(await makeStore().reserve(CRED.ref, 'mig-1', 300)).toBe(true);
-      expect(mockFetch).toHaveBeenCalledTimes(2);
-    });
-
-    it('returns false when the lock is held by a different migration within TTL', async () => {
-      const expiresAt = Math.floor(Date.now() / 1000) + 9999;
-      mockFetch.mockResolvedValueOnce(
-        jsonOk({ data: { data: { migrationId: 'other-mig', expiresAt } } })
-      );
-      expect(await makeStore().reserve(CRED.ref, 'mig-1', 300)).toBe(false);
-      expect(mockFetch).toHaveBeenCalledOnce(); // only the read — no write attempted
-    });
-
-    it('returns true when the same migration re-acquires its own active lock', async () => {
-      const expiresAt = Math.floor(Date.now() / 1000) + 9999;
-      mockFetch.mockResolvedValueOnce(
-        jsonOk({ data: { data: { migrationId: 'mig-1', expiresAt } } })
-      );
-      mockFetch.mockResolvedValueOnce({ ok: true } as Response);
-      expect(await makeStore().reserve(CRED.ref, 'mig-1', 300)).toBe(true);
-    });
-  });
-
-  // ── release() ─────────────────────────────────────────────────────────────
-
-  describe('release()', () => {
-    it('issues a DELETE request when the migrationId matches the stored lock', async () => {
-      mockFetch.mockResolvedValueOnce(
-        jsonOk({ data: { data: { migrationId: 'mig-1' } } })
-      );
-      mockFetch.mockResolvedValueOnce({ ok: true } as Response); // DELETE
-      await makeStore().release(CRED.ref, 'mig-1');
-      expect(mockFetch).toHaveBeenCalledTimes(2);
-    });
-
-    it('makes only one fetch (the read) when the migrationId does not match', async () => {
-      mockFetch.mockResolvedValueOnce(
-        jsonOk({ data: { data: { migrationId: 'other-mig' } } })
-      );
-      await makeStore().release(CRED.ref, 'mig-1');
-      expect(mockFetch).toHaveBeenCalledOnce();
-    });
-
-    it('resolves without throwing when the lock is already gone (fetch throws)', async () => {
-      mockFetch.mockRejectedValueOnce(new Error('404 Not Found'));
-      await expect(makeStore().release(CRED.ref, 'mig-1')).resolves.not.toThrow();
-    });
-  });
-});