@happyvertical/secrets 0.74.8

package/dist/index.js

@@ -0,0 +1,736 @@
+import { syncSchema } from "@happyvertical/sql";
+import { createId } from "@happyvertical/utils";
+import * as crypto from "node:crypto";
+class EnvelopeEncryption {
+  static ALGORITHM = "aes-256-gcm";
+  static KEY_LENGTH = 32;
+  // 256 bits
+  static IV_LENGTH = 12;
+  // 96 bits for GCM (recommended)
+  static AUTH_TAG_LENGTH = 16;
+  // 128 bits
+  /**
+   * Generate a new random data encryption key
+   *
+   * @returns A 32-byte (256-bit) random key
+   */
+  static generateDataKey() {
+    return crypto.randomBytes(EnvelopeEncryption.KEY_LENGTH);
+  }
+  /**
+   * Generate a random IV for encryption
+   *
+   * @returns A 12-byte (96-bit) random IV
+   */
+  static generateIV() {
+    return crypto.randomBytes(EnvelopeEncryption.IV_LENGTH);
+  }
+  /**
+   * Wrap (encrypt) a data encryption key with a master key
+   *
+   * @param dataKey - The data key to wrap (32 bytes)
+   * @param masterKey - The master key to wrap with (32 bytes)
+   * @returns Object containing wrapped key, IV, and auth tag (all base64-encoded)
+   */
+  static wrapKey(dataKey, masterKey) {
+    EnvelopeEncryption.validateKeyLength(dataKey);
+    EnvelopeEncryption.validateKeyLength(masterKey);
+    const iv = EnvelopeEncryption.generateIV();
+    const cipher = crypto.createCipheriv(
+      EnvelopeEncryption.ALGORITHM,
+      masterKey,
+      iv
+    );
+    const encrypted = Buffer.concat([cipher.update(dataKey), cipher.final()]);
+    const authTag = cipher.getAuthTag();
+    return {
+      wrappedKey: encrypted.toString("base64"),
+      iv: iv.toString("base64"),
+      authTag: authTag.toString("base64")
+    };
+  }
+  /**
+   * Unwrap (decrypt) a data encryption key with a master key
+   *
+   * @param wrappedKey - Base64-encoded wrapped key
+   * @param iv - Base64-encoded IV
+   * @param authTag - Base64-encoded authentication tag
+   * @param masterKey - The master key to unwrap with (32 bytes)
+   * @returns The unwrapped data key (32 bytes)
+   * @throws Error if decryption fails (invalid key, tampered data, etc.)
+   */
+  static unwrapKey(wrappedKey, iv, authTag, masterKey) {
+    EnvelopeEncryption.validateKeyLength(masterKey);
+    const decipher = crypto.createDecipheriv(
+      EnvelopeEncryption.ALGORITHM,
+      masterKey,
+      Buffer.from(iv, "base64")
+    );
+    decipher.setAuthTag(Buffer.from(authTag, "base64"));
+    return Buffer.concat([
+      decipher.update(Buffer.from(wrappedKey, "base64")),
+      decipher.final()
+    ]);
+  }
+  /**
+   * Encrypt data with a data encryption key
+   *
+   * @param plaintext - The plaintext string to encrypt
+   * @param dataKey - The data encryption key (32 bytes)
+   * @returns Object containing ciphertext, IV, and auth tag (all base64-encoded)
+   */
+  static encryptData(plaintext, dataKey) {
+    EnvelopeEncryption.validateKeyLength(dataKey);
+    const iv = EnvelopeEncryption.generateIV();
+    const cipher = crypto.createCipheriv(
+      EnvelopeEncryption.ALGORITHM,
+      dataKey,
+      iv
+    );
+    const encrypted = Buffer.concat([
+      cipher.update(plaintext, "utf8"),
+      cipher.final()
+    ]);
+    const authTag = cipher.getAuthTag();
+    return {
+      ciphertext: encrypted.toString("base64"),
+      iv: iv.toString("base64"),
+      authTag: authTag.toString("base64")
+    };
+  }
+  /**
+   * Decrypt data with a data encryption key
+   *
+   * @param ciphertext - Base64-encoded ciphertext
+   * @param iv - Base64-encoded IV
+   * @param authTag - Base64-encoded authentication tag
+   * @param dataKey - The data encryption key (32 bytes)
+   * @returns The decrypted plaintext string
+   * @throws Error if decryption fails (invalid key, tampered data, etc.)
+   */
+  static decryptData(ciphertext, iv, authTag, dataKey) {
+    EnvelopeEncryption.validateKeyLength(dataKey);
+    const decipher = crypto.createDecipheriv(
+      EnvelopeEncryption.ALGORITHM,
+      dataKey,
+      Buffer.from(iv, "base64")
+    );
+    decipher.setAuthTag(Buffer.from(authTag, "base64"));
+    return Buffer.concat([
+      decipher.update(Buffer.from(ciphertext, "base64")),
+      decipher.final()
+    ]).toString("utf8");
+  }
+  /**
+   * Create a full encrypted envelope
+   *
+   * This combines key wrapping and data encryption into a single envelope
+   * that can be stored and later decrypted.
+   *
+   * @param plaintext - The plaintext string to encrypt
+   * @param dataKey - The data encryption key (32 bytes)
+   * @param wrappedKeyInfo - The wrapped key info (from wrapKey)
+   * @param amkKeyId - The ID of the AMK used to wrap the key
+   * @param metadata - Optional metadata to include in the envelope
+   * @returns A complete encrypted envelope
+   */
+  static createEnvelope(plaintext, dataKey, wrappedKeyInfo, amkKeyId, metadata) {
+    const encrypted = EnvelopeEncryption.encryptData(plaintext, dataKey);
+    const combinedWrappedKey = `${wrappedKeyInfo.wrappedKey}:${wrappedKeyInfo.iv}:${wrappedKeyInfo.authTag}`;
+    return {
+      version: 1,
+      algorithm: "aes-256-gcm",
+      wrappedKey: combinedWrappedKey,
+      amkKeyId,
+      iv: encrypted.iv,
+      authTag: encrypted.authTag,
+      ciphertext: encrypted.ciphertext,
+      createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+      metadata
+    };
+  }
+  /**
+   * Parse a combined wrapped key string
+   *
+   * @param combinedWrappedKey - The combined wrapped key string (wrappedKey:iv:authTag)
+   * @returns Object with wrappedKey, iv, and authTag
+   */
+  static parseWrappedKey(combinedWrappedKey) {
+    const parts = combinedWrappedKey.split(":");
+    if (parts.length !== 3) {
+      throw new Error(
+        "Invalid wrapped key format: expected wrappedKey:iv:authTag"
+      );
+    }
+    const [wrappedKey, iv, authTag] = parts;
+    if (!wrappedKey || !iv || !authTag) {
+      throw new Error(
+        "Invalid wrapped key format: wrappedKey, iv, and authTag must all be non-empty"
+      );
+    }
+    return { wrappedKey, iv, authTag };
+  }
+  /**
+   * Decrypt a full envelope
+   *
+   * @param envelope - The encrypted envelope
+   * @param masterKey - The master key to unwrap the data key
+   * @returns The decrypted plaintext string
+   */
+  static decryptEnvelope(envelope, masterKey) {
+    const {
+      wrappedKey,
+      iv: keyIv,
+      authTag: keyAuthTag
+    } = EnvelopeEncryption.parseWrappedKey(envelope.wrappedKey);
+    const dataKey = EnvelopeEncryption.unwrapKey(
+      wrappedKey,
+      keyIv,
+      keyAuthTag,
+      masterKey
+    );
+    return EnvelopeEncryption.decryptData(
+      envelope.ciphertext,
+      envelope.iv,
+      envelope.authTag,
+      dataKey
+    );
+  }
+  /**
+   * Validate that a key is the correct length
+   *
+   * @param key - The key to validate
+   * @param expectedLength - Expected length in bytes (default: 32)
+   * @throws Error if key length is invalid
+   */
+  static validateKeyLength(key, expectedLength = EnvelopeEncryption.KEY_LENGTH) {
+    if (key.length !== expectedLength) {
+      throw new Error(
+        `Invalid key length: expected ${expectedLength} bytes, got ${key.length} bytes`
+      );
+    }
+  }
+  /**
+   * Parse a hex-encoded key from string
+   *
+   * @param hexKey - Hex-encoded key string (64 chars for 32 bytes)
+   * @returns The key as a Buffer
+   * @throws Error if the hex string is invalid
+   */
+  static parseHexKey(hexKey) {
+    if (!/^[0-9a-fA-F]+$/.test(hexKey)) {
+      throw new Error("Invalid hex key: contains non-hex characters");
+    }
+    const key = Buffer.from(hexKey, "hex");
+    EnvelopeEncryption.validateKeyLength(key);
+    return key;
+  }
+}
+class SecretError extends Error {
+  code;
+  adapterType;
+  cause;
+  constructor(message, code, options) {
+    super(message);
+    this.name = "SecretError";
+    this.code = code;
+    this.adapterType = options?.adapterType;
+    this.cause = options?.cause;
+  }
+}
+class KeyNotFoundError extends SecretError {
+  constructor(keyId, adapterType) {
+    super(`Key not found: ${keyId}`, "KEY_NOT_FOUND", { adapterType });
+    this.name = "KeyNotFoundError";
+  }
+}
+class DecryptionError extends SecretError {
+  constructor(message, adapterType, cause) {
+    super(message, "DECRYPTION_FAILED", { adapterType, cause });
+    this.name = "DecryptionError";
+  }
+}
+class EncryptionError extends SecretError {
+  constructor(message, adapterType, cause) {
+    super(message, "ENCRYPTION_FAILED", { adapterType, cause });
+    this.name = "EncryptionError";
+  }
+}
+class KeyRotationError extends SecretError {
+  constructor(message, adapterType, cause) {
+    super(message, "KEY_ROTATION_FAILED", { adapterType, cause });
+    this.name = "KeyRotationError";
+  }
+}
+class TenantKeyMissingError extends SecretError {
+  constructor(tenantId) {
+    super(
+      `No active encryption key for tenant: ${tenantId}`,
+      "TENANT_KEY_MISSING"
+    );
+    this.name = "TenantKeyMissingError";
+  }
+}
+class AMKUnavailableError extends SecretError {
+  constructor(message) {
+    super(message, "AMK_UNAVAILABLE");
+    this.name = "AMKUnavailableError";
+  }
+}
+class StoreNotInitializedError extends SecretError {
+  constructor(adapterType) {
+    super("Secret store not initialized", "STORE_NOT_INITIALIZED", {
+      adapterType
+    });
+    this.name = "StoreNotInitializedError";
+  }
+}
+class InvalidKeyFormatError extends SecretError {
+  constructor(message, adapterType) {
+    super(message, "INVALID_KEY_FORMAT", { adapterType });
+    this.name = "InvalidKeyFormatError";
+  }
+}
+const DEFAULT_ROTATION_PERIOD_MS = 90 * 24 * 60 * 60 * 1e3;
+class DatabaseSecretStore {
+  db;
+  keysTable;
+  amkConfig;
+  cachedAmk = null;
+  initialized = false;
+  listeners = [];
+  constructor(options) {
+    this.db = options.db;
+    const tableName = options.keysTable ?? "tenant_encryption_keys";
+    if (!/^[A-Za-z0-9_]+$/.test(tableName)) {
+      throw new Error(
+        `Invalid keysTable name "${tableName}". Table name must contain only alphanumeric characters and underscores.`
+      );
+    }
+    this.keysTable = tableName;
+    this.amkConfig = options.amk;
+  }
+  /**
+   * Initialize the store (create schema if needed)
+   */
+  async initialize() {
+    if (this.initialized) return;
+    const schema = `
+      CREATE TABLE IF NOT EXISTS "${this.keysTable}" (
+        id TEXT PRIMARY KEY,
+        tenant_id TEXT NOT NULL,
+        wrapped_key TEXT NOT NULL,
+        amk_key_id TEXT NOT NULL,
+        status TEXT NOT NULL DEFAULT 'active',
+        version INTEGER NOT NULL DEFAULT 1,
+        rotate_after TEXT,
+        retired_at TEXT,
+        created_at TEXT NOT NULL,
+        updated_at TEXT NOT NULL
+      );
+
+      CREATE INDEX IF NOT EXISTS "idx_${this.keysTable}_tenant_status"
+        ON "${this.keysTable}" (tenant_id, status);
+
+      CREATE INDEX IF NOT EXISTS "idx_${this.keysTable}_rotate_after"
+        ON "${this.keysTable}" (rotate_after)
+        WHERE status = 'active';
+    `;
+    await syncSchema({ db: this.db, schema });
+    this.initialized = true;
+  }
+  /**
+   * Get the Application Master Key from environment
+   */
+  getAMK() {
+    if (this.cachedAmk) {
+      return this.cachedAmk;
+    }
+    const keyHex = process.env[this.amkConfig.keyEnvVar];
+    if (!keyHex) {
+      throw new AMKUnavailableError(
+        `Application Master Key not found in environment variable: ${this.amkConfig.keyEnvVar}`
+      );
+    }
+    try {
+      const key = EnvelopeEncryption.parseHexKey(keyHex);
+      this.cachedAmk = key;
+      return key;
+    } catch (error) {
+      throw new AMKUnavailableError(
+        `Invalid AMK in ${this.amkConfig.keyEnvVar}: ${error.message}`
+      );
+    }
+  }
+  /**
+   * Ensure the store is initialized
+   */
+  ensureInitialized() {
+    if (!this.initialized) {
+      throw new StoreNotInitializedError("database");
+    }
+  }
+  /**
+   * Emit an event to all listeners
+   */
+  async emitEvent(event) {
+    for (const listener of this.listeners) {
+      await listener(event);
+    }
+  }
+  /**
+   * Subscribe to store events
+   */
+  subscribe(listener) {
+    this.listeners.push(listener);
+    return () => {
+      const index = this.listeners.indexOf(listener);
+      if (index !== -1) {
+        this.listeners.splice(index, 1);
+      }
+    };
+  }
+  async encrypt(tenantId, secretName, plaintext, options) {
+    this.ensureInitialized();
+    if (typeof tenantId !== "string" || tenantId.trim().length === 0) {
+      throw new EncryptionError(
+        "Invalid tenantId provided for encryption",
+        "database"
+      );
+    }
+    if (typeof secretName !== "string" || secretName.trim().length === 0) {
+      throw new EncryptionError(
+        "Invalid secretName provided for encryption",
+        "database"
+      );
+    }
+    let dataKey = null;
+    try {
+      let tenantKey = await this.getTenantKey(tenantId);
+      if (!tenantKey) {
+        tenantKey = await this.createTenantKey(tenantId);
+      }
+      const amk = this.getAMK();
+      const {
+        wrappedKey,
+        iv: keyIv,
+        authTag: keyAuthTag
+      } = EnvelopeEncryption.parseWrappedKey(tenantKey.wrappedKey);
+      dataKey = EnvelopeEncryption.unwrapKey(
+        wrappedKey,
+        keyIv,
+        keyAuthTag,
+        amk
+      );
+      const envelope = EnvelopeEncryption.createEnvelope(
+        plaintext,
+        dataKey,
+        { wrappedKey, iv: keyIv, authTag: keyAuthTag },
+        tenantKey.amkKeyId,
+        options?.metadata
+      );
+      await this.emitEvent({
+        type: "secret.encrypted",
+        tenantId,
+        keyId: tenantKey.keyId,
+        secretName,
+        timestamp: /* @__PURE__ */ new Date()
+      });
+      return envelope;
+    } catch (error) {
+      if (error instanceof AMKUnavailableError || error instanceof TenantKeyMissingError) {
+        throw error;
+      }
+      throw new EncryptionError(
+        `Failed to encrypt secret '${secretName}' for tenant ${tenantId}: ${error.message}`,
+        "database",
+        error instanceof Error ? error : void 0
+      );
+    } finally {
+      if (dataKey && Buffer.isBuffer(dataKey)) {
+        dataKey.fill(0);
+      }
+    }
+  }
+  async decrypt(tenantId, envelope) {
+    this.ensureInitialized();
+    if (typeof tenantId !== "string" || tenantId.trim().length === 0) {
+      throw new DecryptionError(
+        "Invalid tenantId provided for decryption",
+        "database"
+      );
+    }
+    const tenantKeys = await this.listKeyVersions(tenantId);
+    if (tenantKeys.length === 0) {
+      throw new TenantKeyMissingError(tenantId);
+    }
+    const envelopeWrappedKeyParts = envelope.wrappedKey.split(":");
+    const envelopeWrappedKey = envelopeWrappedKeyParts[0];
+    const matchingKey = tenantKeys.find((key) => {
+      const keyParts = key.wrappedKey.split(":");
+      return keyParts[0] === envelopeWrappedKey;
+    });
+    if (!matchingKey) {
+      throw new DecryptionError(
+        `Envelope was not encrypted with a key belonging to tenant ${tenantId}`,
+        "database"
+      );
+    }
+    try {
+      const amk = this.getAMK();
+      const plaintext = EnvelopeEncryption.decryptEnvelope(envelope, amk);
+      await this.emitEvent({
+        type: "secret.decrypted",
+        tenantId,
+        keyId: matchingKey.keyId,
+        timestamp: /* @__PURE__ */ new Date()
+      });
+      return {
+        value: plaintext,
+        keyId: matchingKey.keyId,
+        createdAt: new Date(envelope.createdAt),
+        metadata: envelope.metadata
+      };
+    } catch (error) {
+      if (error instanceof AMKUnavailableError) {
+        throw error;
+      }
+      throw new DecryptionError(
+        `Failed to decrypt secret for tenant ${tenantId}: ${error.message}`,
+        "database",
+        error instanceof Error ? error : void 0
+      );
+    }
+  }
+  async getTenantKey(tenantId) {
+    this.ensureInitialized();
+    const row = await this.db.get(this.keysTable, {
+      tenant_id: tenantId,
+      status: "active"
+    });
+    if (!row) return null;
+    return this.parseKeyRow(row);
+  }
+  async createTenantKey(tenantId) {
+    this.ensureInitialized();
+    const amk = this.getAMK();
+    const dataKey = EnvelopeEncryption.generateDataKey();
+    const wrapped = EnvelopeEncryption.wrapKey(dataKey, amk);
+    const keyId = createId();
+    const wrappedKeyStr = `${wrapped.wrappedKey}:${wrapped.iv}:${wrapped.authTag}`;
+    const now = /* @__PURE__ */ new Date();
+    const rotateAfter = new Date(now.getTime() + DEFAULT_ROTATION_PERIOD_MS);
+    await this.db.insert(this.keysTable, {
+      id: keyId,
+      tenant_id: tenantId,
+      wrapped_key: wrappedKeyStr,
+      amk_key_id: this.amkConfig.keyId,
+      status: "active",
+      version: 1,
+      rotate_after: rotateAfter.toISOString(),
+      created_at: now.toISOString(),
+      updated_at: now.toISOString()
+    });
+    await this.emitEvent({
+      type: "key.created",
+      tenantId,
+      keyId,
+      timestamp: now
+    });
+    return {
+      keyId,
+      tenantId,
+      wrappedKey: wrappedKeyStr,
+      amkKeyId: this.amkConfig.keyId,
+      status: "active",
+      version: 1,
+      createdAt: now,
+      rotateAfter
+    };
+  }
+  async rotateTenantKey(tenantId) {
+    this.ensureInitialized();
+    const currentKey = await this.getTenantKey(tenantId);
+    if (!currentKey) {
+      throw new TenantKeyMissingError(tenantId);
+    }
+    const now = /* @__PURE__ */ new Date();
+    try {
+      await this.db.update(
+        this.keysTable,
+        { id: currentKey.keyId },
+        { status: "rotating", updated_at: now.toISOString() }
+      );
+      const amk = this.getAMK();
+      const dataKey = EnvelopeEncryption.generateDataKey();
+      const wrapped = EnvelopeEncryption.wrapKey(dataKey, amk);
+      const newKeyId = createId();
+      const wrappedKeyStr = `${wrapped.wrappedKey}:${wrapped.iv}:${wrapped.authTag}`;
+      const rotateAfter = new Date(now.getTime() + DEFAULT_ROTATION_PERIOD_MS);
+      await this.db.insert(this.keysTable, {
+        id: newKeyId,
+        tenant_id: tenantId,
+        wrapped_key: wrappedKeyStr,
+        amk_key_id: this.amkConfig.keyId,
+        status: "active",
+        version: currentKey.version + 1,
+        rotate_after: rotateAfter.toISOString(),
+        created_at: now.toISOString(),
+        updated_at: now.toISOString()
+      });
+      await this.db.update(
+        this.keysTable,
+        { id: currentKey.keyId },
+        {
+          status: "retired",
+          retired_at: now.toISOString(),
+          updated_at: now.toISOString()
+        }
+      );
+      await this.emitEvent({
+        type: "key.rotated",
+        tenantId,
+        keyId: newKeyId,
+        timestamp: now
+      });
+      return {
+        keyId: newKeyId,
+        tenantId,
+        wrappedKey: wrappedKeyStr,
+        amkKeyId: this.amkConfig.keyId,
+        status: "active",
+        version: currentKey.version + 1,
+        createdAt: now,
+        rotateAfter
+      };
+    } catch (error) {
+      throw new KeyRotationError(
+        `Failed to rotate key for tenant ${tenantId}: ${error.message}`,
+        "database",
+        error instanceof Error ? error : void 0
+      );
+    }
+  }
+  async retireTenantKey(tenantId, keyId) {
+    this.ensureInitialized();
+    const now = /* @__PURE__ */ new Date();
+    await this.db.update(
+      this.keysTable,
+      { id: keyId, tenant_id: tenantId },
+      {
+        status: "retired",
+        retired_at: now.toISOString(),
+        updated_at: now.toISOString()
+      }
+    );
+    await this.emitEvent({
+      type: "key.retired",
+      tenantId,
+      keyId,
+      timestamp: now
+    });
+  }
+  async getActiveAMK() {
+    this.getAMK();
+    return {
+      keyId: this.amkConfig.keyId,
+      description: `AMK from env var ${this.amkConfig.keyEnvVar}`,
+      status: "active",
+      provider: "env",
+      keyReference: this.amkConfig.keyEnvVar,
+      createdAt: /* @__PURE__ */ new Date()
+    };
+  }
+  async rewrapTenantKey(_tenantId, _newAmkKeyId) {
+    throw new Error(
+      "AMK rotation not supported for env-based keys. Use AWS KMS, Vault, or Azure Key Vault for AMK rotation support."
+    );
+  }
+  async listKeyVersions(tenantId) {
+    this.ensureInitialized();
+    const { rows } = await this.db.query(
+      `SELECT * FROM "${this.keysTable}" WHERE tenant_id = ? ORDER BY version DESC`,
+      tenantId
+    );
+    return rows.map((row) => this.parseKeyRow(row));
+  }
+  /**
+   * Parse a database row into a TenantDataEncryptionKey
+   */
+  parseKeyRow(row) {
+    return {
+      keyId: row.id,
+      tenantId: row.tenant_id,
+      wrappedKey: row.wrapped_key,
+      amkKeyId: row.amk_key_id,
+      status: row.status,
+      version: row.version,
+      createdAt: new Date(row.created_at),
+      rotateAfter: row.rotate_after ? new Date(row.rotate_after) : void 0,
+      retiredAt: row.retired_at ? new Date(row.retired_at) : void 0
+    };
+  }
+}
+const database = /* @__PURE__ */ Object.freeze(/* @__PURE__ */ Object.defineProperty({
+  __proto__: null,
+  DatabaseSecretStore
+}, Symbol.toStringTag, { value: "Module" }));
+function isDatabaseOptions(opts) {
+  return opts.type === "database";
+}
+function isAWSKMSOptions(opts) {
+  return opts.type === "aws-kms";
+}
+function isVaultOptions(opts) {
+  return opts.type === "vault";
+}
+function isAzureKeyVaultOptions(opts) {
+  return opts.type === "azure-keyvault";
+}
+async function getSecretStore(options) {
+  if (isDatabaseOptions(options)) {
+    const { DatabaseSecretStore: DatabaseSecretStore2 } = await Promise.resolve().then(() => database);
+    const store = new DatabaseSecretStore2(options);
+    await store.initialize();
+    return store;
+  }
+  if (isAWSKMSOptions(options)) {
+    throw new Error(
+      "AWS KMS adapter not yet implemented. Coming in a future release."
+    );
+  }
+  if (isVaultOptions(options)) {
+    throw new Error(
+      "HashiCorp Vault adapter not yet implemented. Coming in a future release."
+    );
+  }
+  if (isAzureKeyVaultOptions(options)) {
+    throw new Error(
+      "Azure Key Vault adapter not yet implemented. Coming in a future release."
+    );
+  }
+  throw new Error(
+    `Unsupported secret store type: ${options.type}`
+  );
+}
+const PACKAGE_VERSION_INITIALIZED = true;
+export {
+  AMKUnavailableError,
+  DatabaseSecretStore,
+  DecryptionError,
+  EncryptionError,
+  EnvelopeEncryption,
+  InvalidKeyFormatError,
+  KeyNotFoundError,
+  KeyRotationError,
+  PACKAGE_VERSION_INITIALIZED,
+  SecretError,
+  StoreNotInitializedError,
+  TenantKeyMissingError,
+  getSecretStore,
+  isAWSKMSOptions,
+  isAzureKeyVaultOptions,
+  isDatabaseOptions,
+  isVaultOptions
+};
+//# sourceMappingURL=index.js.map