npm - @happyvertical/smrt-secrets - Versions diffs - 0.30.0 - Mend

@happyvertical/smrt-secrets 0.30.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (39) hide show

package/AGENTS.md +66 -0
package/CLAUDE.md +1 -0
package/LICENSE +7 -0
package/README.md +144 -0
package/dist/__smrt-register__.d.ts +2 -0
package/dist/__smrt-register__.d.ts.map +1 -0
package/dist/chunks/SecretService-C91H6WJK.js +1275 -0
package/dist/chunks/SecretService-C91H6WJK.js.map +1 -0
package/dist/chunks/TenantKey-DzglnpAV.js +377 -0
package/dist/chunks/TenantKey-DzglnpAV.js.map +1 -0
package/dist/collections/SecretAuditLogCollection.d.ts +71 -0
package/dist/collections/SecretAuditLogCollection.d.ts.map +1 -0
package/dist/collections/SecretCollection.d.ts +63 -0
package/dist/collections/SecretCollection.d.ts.map +1 -0
package/dist/collections/TenantKeyCollection.d.ts +42 -0
package/dist/collections/TenantKeyCollection.d.ts.map +1 -0
package/dist/collections/index.d.ts +8 -0
package/dist/collections/index.d.ts.map +1 -0
package/dist/index.d.ts +12 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +26 -0
package/dist/index.js.map +1 -0
package/dist/manifest.json +1272 -0
package/dist/models/Secret.d.ts +104 -0
package/dist/models/Secret.d.ts.map +1 -0
package/dist/models/SecretAuditLog.d.ts +123 -0
package/dist/models/SecretAuditLog.d.ts.map +1 -0
package/dist/models/TenantKey.d.ts +101 -0
package/dist/models/TenantKey.d.ts.map +1 -0
package/dist/models/index.d.ts +4 -0
package/dist/models/index.d.ts.map +1 -0
package/dist/models/index.js +8 -0
package/dist/models/index.js.map +1 -0
package/dist/services/SecretService.d.ts +266 -0
package/dist/services/SecretService.d.ts.map +1 -0
package/dist/services/SecretService.js +9 -0
package/dist/services/SecretService.js.map +1 -0
package/dist/smrt-knowledge.json +447 -0
package/package.json +71 -0

package/dist/chunks/SecretService-C91H6WJK.js ADDED Viewed

@@ -0,0 +1,1275 @@
+import { a as SecretAuditLog, S as Secret, T as TenantKey, c as createAuditEntry } from "./TenantKey-DzglnpAV.js";
+import { loadEnvConfig } from "@happyvertical/utils";
+import { getSecretStore, EnvelopeEncryption, AMKUnavailableError, TenantKeyMissingError, EncryptionError, DecryptionError } from "@happyvertical/secrets";
+import { requireTenantId, withTenant, getCurrentTenant } from "@happyvertical/smrt-tenancy";
+import { SmrtCollection } from "@happyvertical/smrt-core";
+class SecretAuditLogCollection extends SmrtCollection {
+  static _itemClass = SecretAuditLog;
+  /**
+   * List audit logs with filtering options
+   */
+  async listLogs(options = {}) {
+    const where = {};
+    if (options.tenantId) {
+      where.tenantId = options.tenantId;
+    }
+    if (options.secretName) {
+      where.secretName = options.secretName;
+    }
+    if (options.userId) {
+      where.userId = options.userId;
+    }
+    if (options.action) {
+      where.action = options.action;
+    }
+    if (options.result) {
+      where.result = options.result;
+    }
+    if (options.since) {
+      where["created_at >"] = options.since.toISOString();
+    }
+    if (options.until) {
+      where["created_at <"] = options.until.toISOString();
+    }
+    return this.list({
+      where,
+      limit: options.limit ?? 100,
+      offset: options.offset,
+      orderBy: "created_at DESC"
+    });
+  }
+  /**
+   * Get audit logs for a specific secret
+   */
+  async getSecretHistory(secretName, limit = 50) {
+    return this.listLogs({ secretName, limit });
+  }
+  /**
+   * Get audit logs for a specific user
+   */
+  async getUserActivity(userId, limit = 50) {
+    return this.listLogs({ userId, limit });
+  }
+  /**
+   * Get recent failures
+   */
+  async getRecentFailures(limit = 20) {
+    return this.listLogs({ result: "failure", limit });
+  }
+  /**
+   * Get recent denied access attempts
+   */
+  async getRecentDenials(limit = 20) {
+    return this.listLogs({ result: "denied", limit });
+  }
+  /**
+   * Count operations by action type
+   */
+  async countByAction(since) {
+    const logs = await this.listLogs({ since, limit: 1e4 });
+    const counts = {
+      create: 0,
+      read: 0,
+      update: 0,
+      delete: 0,
+      rotate_key: 0,
+      disable: 0,
+      enable: 0,
+      expire: 0
+    };
+    for (const log of logs) {
+      counts[log.action]++;
+    }
+    return counts;
+  }
+  /**
+   * Count operations by result
+   */
+  async countByResult(since) {
+    const logs = await this.listLogs({ since, limit: 1e4 });
+    const counts = {
+      success: 0,
+      failure: 0,
+      denied: 0
+    };
+    for (const log of logs) {
+      counts[log.result]++;
+    }
+    return counts;
+  }
+  /**
+   * Delete old audit logs
+   * @param olderThanDays Delete logs older than this many days
+   */
+  async cleanup(olderThanDays = 365) {
+    const cutoffDate = /* @__PURE__ */ new Date();
+    cutoffDate.setDate(cutoffDate.getDate() - olderThanDays);
+    const oldLogs = await this.list({
+      where: {
+        "created_at <": cutoffDate.toISOString()
+      }
+    });
+    let count = 0;
+    for (const log of oldLogs) {
+      await log.delete();
+      count++;
+    }
+    return count;
+  }
+}
+class SecretCollection extends SmrtCollection {
+  static _itemClass = Secret;
+  /**
+   * Find a secret by name within the given tenant
+   */
+  async findByName(tenantId, name) {
+    return this.get({ name, tenantId });
+  }
+  /**
+   * List secrets for a tenant with filtering options
+   */
+  async listSecrets(tenantId, options = {}) {
+    const where = { tenantId };
+    if (options.category) {
+      where.category = options.category;
+    }
+    if (options.status) {
+      where.status = options.status;
+    }
+    const secrets = await this.list({
+      where,
+      limit: options.limit,
+      offset: options.offset,
+      orderBy: "name ASC"
+    });
+    if (!options.includeExpired) {
+      return secrets.filter((secret) => !secret.isExpired());
+    }
+    return secrets;
+  }
+  /**
+   * List all active secrets for a tenant
+   */
+  async listActive(tenantId) {
+    return this.listSecrets(tenantId, { status: "active" });
+  }
+  /**
+   * List a tenant's secrets by category
+   */
+  async listByCategory(tenantId, category) {
+    return this.listSecrets(tenantId, { category, status: "active" });
+  }
+  /**
+   * List a tenant's secrets that need attention (expired or about to expire)
+   */
+  async listExpiring(tenantId, daysAhead = 30) {
+    const futureDate = /* @__PURE__ */ new Date();
+    futureDate.setDate(futureDate.getDate() + daysAhead);
+    const secrets = await this.list({
+      where: {
+        tenantId,
+        status: "active",
+        "expiresAt !=": null,
+        "expiresAt <": futureDate.toISOString()
+      },
+      orderBy: "expiresAt ASC"
+    });
+    return secrets;
+  }
+  /**
+   * Get categories used in a tenant's secrets
+   */
+  async getCategories(tenantId) {
+    const secrets = await this.list({ where: { tenantId } });
+    const categories = new Set(secrets.map((s) => s.category).filter(Boolean));
+    return Array.from(categories).sort();
+  }
+  /**
+   * Count a tenant's secrets by status
+   */
+  async countByStatus(tenantId) {
+    const secrets = await this.list({ where: { tenantId } });
+    const counts = {
+      active: 0,
+      disabled: 0,
+      expired: 0
+    };
+    for (const secret of secrets) {
+      if (secret.isExpired()) {
+        counts.expired++;
+      } else {
+        counts[secret.status]++;
+      }
+    }
+    return counts;
+  }
+  /**
+   * Delete a tenant's secret by name
+   */
+  async deleteByName(tenantId, name) {
+    const secret = await this.findByName(tenantId, name);
+    if (!secret) return false;
+    await secret.delete();
+    return true;
+  }
+}
+class TenantKeyCollection extends SmrtCollection {
+  static _itemClass = TenantKey;
+  /**
+   * Get the active key for a tenant
+   */
+  async getActiveKey(tenantId) {
+    return this.get({
+      tenantId,
+      status: "active"
+    });
+  }
+  /**
+   * List all key versions for a tenant
+   */
+  async listKeyVersions(tenantId) {
+    return this.list({
+      where: { tenantId },
+      orderBy: "version DESC"
+    });
+  }
+  /**
+   * Get a specific key version for a tenant
+   */
+  async getKeyVersion(tenantId, version) {
+    return this.get({
+      tenantId,
+      version
+    });
+  }
+  /**
+   * Find keys that need rotation
+   */
+  async findKeysNeedingRotation() {
+    const now = /* @__PURE__ */ new Date();
+    return this.list({
+      where: {
+        status: "active",
+        "rotateAfter !=": null,
+        "rotateAfter <": now.toISOString()
+      },
+      orderBy: "rotateAfter ASC"
+    });
+  }
+  /**
+   * List all active keys across all tenants
+   */
+  async listAllActiveKeys() {
+    return this.list({
+      where: { status: "active" },
+      orderBy: "created_at DESC"
+    });
+  }
+  /**
+   * Count keys by status
+   */
+  async countByStatus() {
+    const keys = await this.list({});
+    const counts = {
+      active: 0,
+      rotating: 0,
+      retired: 0,
+      compromised: 0
+    };
+    for (const key of keys) {
+      counts[key.status]++;
+    }
+    return counts;
+  }
+  /**
+   * Mark a key as compromised (should trigger re-encryption)
+   */
+  async markCompromised(tenantId, keyId) {
+    const key = await this.get({
+      id: keyId,
+      tenantId
+    });
+    if (!key) return false;
+    key.markCompromised();
+    await key.save();
+    return true;
+  }
+  /**
+   * Delete old retired keys that are no longer needed
+   * @param olderThanDays Delete keys retired more than this many days ago
+   */
+  async cleanupRetiredKeys(olderThanDays = 90) {
+    const cutoffDate = /* @__PURE__ */ new Date();
+    cutoffDate.setDate(cutoffDate.getDate() - olderThanDays);
+    const oldKeys = await this.list({
+      where: {
+        status: "retired",
+        "retiredAt <": cutoffDate.toISOString()
+      }
+    });
+    let count = 0;
+    for (const key of oldKeys) {
+      await key.delete();
+      count++;
+    }
+    return count;
+  }
+}
+class ConsoleLogger {
+  constructor(level = "info") {
+    this.level = level;
+  }
+  static LEVELS = [
+    "debug",
+    "info",
+    "warn",
+    "error"
+  ];
+  /**
+   * Check if a log level should be output
+   *
+   * @param level - Log level to check
+   * @returns True if level meets threshold
+   */
+  shouldLog(level) {
+    const currentIndex = ConsoleLogger.LEVELS.indexOf(this.level);
+    const messageIndex = ConsoleLogger.LEVELS.indexOf(level);
+    return messageIndex >= currentIndex;
+  }
+  /**
+   * Format context for console output
+   *
+   * @param context - Structured metadata
+   * @returns Formatted context string
+   */
+  formatContext(context) {
+    if (!context || Object.keys(context).length === 0) {
+      return "";
+    }
+    return ` ${JSON.stringify(context)}`;
+  }
+  debug(message, context) {
+    if (this.shouldLog("debug")) {
+      console.debug(`[DEBUG] ${message}${this.formatContext(context)}`);
+    }
+  }
+  info(message, context) {
+    if (this.shouldLog("info")) {
+      console.info(`[INFO] ${message}${this.formatContext(context)}`);
+    }
+  }
+  warn(message, context) {
+    if (this.shouldLog("warn")) {
+      console.warn(`[WARN] ${message}${this.formatContext(context)}`);
+    }
+  }
+  error(message, context) {
+    if (this.shouldLog("error")) {
+      console.error(`[ERROR] ${message}${this.formatContext(context)}`);
+    }
+  }
+}
+class NoopLogger {
+  debug(_message, _context) {
+  }
+  info(_message, _context) {
+  }
+  warn(_message, _context) {
+  }
+  error(_message, _context) {
+  }
+}
+function createLogger(config) {
+  if (typeof config === "boolean") {
+    if (!config) {
+      return new NoopLogger();
+    }
+    const envConfig = loadEnvConfig(
+      {},
+      {
+        packageName: "logger",
+        schema: { level: "string" }
+      }
+    );
+    return new ConsoleLogger(envConfig.level || "info");
+  }
+  const mergedConfig = loadEnvConfig(config, {
+    packageName: "logger",
+    schema: { level: "string" }
+  });
+  const level = mergedConfig.level || "info";
+  return new ConsoleLogger(level);
+}
+const logger = createLogger({ level: "info" });
+class SecretKeyDriftError extends Error {
+  code = "SECRET_KEY_DRIFT";
+  tenantId;
+  report;
+  cause;
+  constructor(message, tenantId, report, cause) {
+    super(message);
+    this.name = "SecretKeyDriftError";
+    this.tenantId = tenantId;
+    this.report = report;
+    this.cause = cause;
+  }
+}
+class SecretService {
+  db;
+  secretStore;
+  secrets;
+  tenantKeys;
+  auditLogs;
+  auditEnabled;
+  amkEnvVar;
+  amkKeyId;
+  constructor(db, secretStore, secrets, tenantKeys, auditLogs, auditEnabled, amkEnvVar, amkKeyId) {
+    this.db = db;
+    this.secretStore = secretStore;
+    this.secrets = secrets;
+    this.tenantKeys = tenantKeys;
+    this.auditLogs = auditLogs;
+    this.auditEnabled = auditEnabled;
+    this.amkEnvVar = amkEnvVar;
+    this.amkKeyId = amkKeyId;
+  }
+  /**
+   * Create a new SecretService instance
+   */
+  static async create(options) {
+    const {
+      db,
+      amkEnvVar = "SMRT_SECRET_MASTER_KEY",
+      amkKeyId = "smrt-amk-v1",
+      auditEnabled = true
+    } = options;
+    const secretStore = await getSecretStore({
+      type: "database",
+      db,
+      amk: {
+        provider: "env",
+        keyEnvVar: amkEnvVar,
+        keyId: amkKeyId
+      }
+    });
+    const baseOptions = { db };
+    const secrets = await SecretCollection.create(baseOptions);
+    const tenantKeys = await TenantKeyCollection.create(baseOptions);
+    const auditLogs = await SecretAuditLogCollection.create(baseOptions);
+    return new SecretService(
+      db,
+      secretStore,
+      secrets,
+      tenantKeys,
+      auditLogs,
+      auditEnabled,
+      amkEnvVar,
+      amkKeyId
+    );
+  }
+  /**
+   * Store a secret for the current tenant
+   */
+  async store(name, value, options = {}) {
+    const tenantId = requireTenantId();
+    const userId = this.getCurrentUserId();
+    let isUpdate = false;
+    try {
+      let existing = await this.secrets.findByName(tenantId, name);
+      if (existing && existing.tenantId !== tenantId) {
+        existing = null;
+      }
+      isUpdate = existing !== null;
+      const envelope = await this.secretStore.encrypt(tenantId, name, value, {
+        metadata: options.metadata ? this.serializeMetadata(options.metadata) : void 0
+      });
+      if (existing) {
+        existing.encryptedValue = JSON.stringify(envelope);
+        existing.description = options.description ?? existing.description;
+        existing.category = options.category ?? existing.category;
+        existing.expiresAt = options.expiresAt ?? existing.expiresAt;
+        existing.metadata = options.metadata ?? existing.metadata;
+        await existing.save();
+        await this.audit(
+          existing.id ?? null,
+          name,
+          userId,
+          "update",
+          "success"
+        );
+        return existing;
+      }
+      const secret = await this.secrets.create({
+        name,
+        description: options.description ?? "",
+        category: options.category ?? "",
+        encryptedValue: JSON.stringify(envelope),
+        keyVersion: 1,
+        status: "active",
+        expiresAt: options.expiresAt ?? null,
+        metadata: options.metadata ?? {},
+        context: tenantId,
+        // Per-tenant uniqueness
+        tenantId
+      });
+      await this.audit(secret.id ?? null, name, userId, "create", "success");
+      return secret;
+    } catch (error) {
+      const classifiedError = await this.classifyTenantKeyFailure(
+        tenantId,
+        name,
+        error
+      );
+      await this.audit(
+        null,
+        name,
+        userId,
+        isUpdate ? "update" : "create",
+        "failure",
+        {
+          error: classifiedError.message
+        }
+      );
+      throw classifiedError;
+    }
+  }
+  /**
+   * Store a secret for a specific tenant.
+   *
+   * This is useful for integrations that already resolved tenant ownership but
+   * may be running outside the application's ambient tenant context.
+   */
+  async storeForTenant(tenantId, name, value, options = {}) {
+    return withTenant({ tenantId }, () => this.store(name, value, options));
+  }
+  /**
+   * Retrieve a secret for the current tenant
+   */
+  async retrieve(name) {
+    const tenantId = requireTenantId();
+    const userId = this.getCurrentUserId();
+    let audited = false;
+    try {
+      const secret = await this.secrets.findByName(tenantId, name);
+      if (!secret || secret.tenantId !== tenantId) {
+        await this.audit(null, name, userId, "read", "failure", {
+          error: "Secret not found"
+        });
+        audited = true;
+        throw new Error(`Secret '${name}' not found`);
+      }
+      if (!secret.isUsable()) {
+        const reason = secret.isExpired() ? "Secret expired" : "Secret disabled";
+        await this.audit(secret.id ?? null, name, userId, "read", "failure", {
+          error: reason
+        });
+        audited = true;
+        throw new Error(reason);
+      }
+      const envelope = JSON.parse(secret.encryptedValue);
+      const decrypted = await this.secretStore.decrypt(tenantId, envelope);
+      const previousLastAccessedAt = secret.lastAccessedAt;
+      const previousAccessCount = secret.accessCount;
+      try {
+        secret.recordAccess();
+        await secret.save();
+      } catch (trackingError) {
+        secret.lastAccessedAt = previousLastAccessedAt;
+        secret.accessCount = previousAccessCount;
+        logger.error("Failed to update secret access tracking", {
+          error: trackingError
+        });
+      }
+      await this.audit(secret.id ?? null, name, userId, "read", "success");
+      return {
+        value: decrypted.value,
+        name: secret.name,
+        description: secret.description,
+        category: secret.category,
+        expiresAt: secret.expiresAt,
+        createdAt: secret.created_at ?? /* @__PURE__ */ new Date(),
+        lastAccessedAt: secret.lastAccessedAt,
+        accessCount: secret.accessCount,
+        metadata: secret.metadata
+      };
+    } catch (error) {
+      const classifiedError = await this.classifyTenantKeyFailure(
+        tenantId,
+        name,
+        error
+      );
+      if (!audited) {
+        await this.audit(null, name, userId, "read", "failure", {
+          error: classifiedError.message
+        });
+      }
+      throw classifiedError;
+    }
+  }
+  /**
+   * Retrieve a secret for a specific tenant.
+   */
+  async retrieveForTenant(tenantId, name) {
+    return withTenant({ tenantId }, () => this.retrieve(name));
+  }
+  /**
+   * Diagnose tenant secret/key drift without exposing decrypted values.
+   */
+  async diagnoseTenantSecretKeyDrift(tenantId, options = {}) {
+    const activeSecrets = await this.listActiveSecretRowsForDiagnosis(
+      tenantId,
+      options.secretNames
+    );
+    const tenantEncryptionKeys = await this.listTenantEncryptionKeyRows(tenantId);
+    const smrtTenantKeyRows = await this.listSmrtTenantKeysForDiagnosis(tenantId);
+    const smrtTenantKeys = smrtTenantKeyRows.keys;
+    const issues = [];
+    const activeTenantEncryptionKeys = tenantEncryptionKeys.filter(
+      (key) => key.status === "active"
+    );
+    const activeSmrtTenantKeys = smrtTenantKeys.filter(
+      (key) => key.status === "active"
+    );
+    const amk = this.getConfiguredAmkForDiagnosis();
+    if (!amk.usable) {
+      issues.push({
+        code: "amk_unavailable",
+        severity: "error",
+        message: amk.error ?? `AMK ${this.amkEnvVar} is unavailable`,
+        repairAction: "none",
+        details: {
+          amkEnvVar: this.amkEnvVar,
+          amkKeyId: this.amkKeyId
+        }
+      });
+    }
+    if (activeSecrets.length > 0 && activeTenantEncryptionKeys.length === 0) {
+      issues.push({
+        code: "missing_active_tenant_encryption_key",
+        severity: "error",
+        message: "Active tenant secrets exist, but tenant_encryption_keys has no active key for encryption.",
+        repairAction: "store-fresh-secret-value",
+        sourceTable: "tenant_encryption_keys",
+        details: {
+          activeSecretCount: activeSecrets.length
+        }
+      });
+    }
+    if (smrtTenantKeyRows.error) {
+      issues.push({
+        code: "smrt_tenant_keys_query_failed",
+        severity: "error",
+        message: "Unable to query SMRT tenant_keys while diagnosing tenant secret key drift.",
+        repairAction: "none",
+        sourceTable: "tenant_keys",
+        details: {
+          error: smrtTenantKeyRows.error.message
+        }
+      });
+    }
+    if (activeTenantEncryptionKeys.length > 1) {
+      issues.push({
+        code: "multiple_active_tenant_encryption_keys",
+        severity: "error",
+        message: "tenant_encryption_keys has multiple active keys for this tenant; encryption may use an arbitrary active key.",
+        repairAction: "none",
+        sourceTable: "tenant_encryption_keys",
+        details: {
+          activeTenantEncryptionKeyCount: activeTenantEncryptionKeys.length
+        }
+      });
+    }
+    const activeKeyChecks = [];
+    for (const key of tenantEncryptionKeys) {
+      const check = amk.value ? this.checkWrappedKey(key.wrapped_key, amk.value) : { usable: false, error: amk.error };
+      if (key.status === "active") {
+        activeKeyChecks.push(check);
+      }
+      if (key.status === "active" && key.amk_key_id !== this.amkKeyId) {
+        issues.push({
+          code: "active_tenant_encryption_key_amk_mismatch",
+          severity: "warning",
+          message: "Active tenant_encryption_keys row was wrapped by a different AMK key id than this SecretService is configured to use.",
+          repairAction: "none",
+          keyId: key.id,
+          sourceTable: "tenant_encryption_keys",
+          details: {
+            rowAmkKeyId: key.amk_key_id,
+            configuredAmkKeyId: this.amkKeyId
+          }
+        });
+      }
+      if (key.status === "active" && !check.usable && amk.value) {
+        issues.push({
+          code: "active_tenant_encryption_key_unwrap_failed",
+          severity: "error",
+          message: "Active tenant_encryption_keys row cannot be unwrapped by the currently configured AMK.",
+          repairAction: "delete-unusable-tenant-encryption-key",
+          keyId: key.id,
+          sourceTable: "tenant_encryption_keys",
+          details: {
+            version: key.version,
+            error: check.error ?? null
+          }
+        });
+      }
+    }
+    const usableActiveTenantEncryptionKeyCount = activeKeyChecks.filter(
+      (check) => check.usable
+    ).length;
+    if (activeSecrets.length > 0 && usableActiveTenantEncryptionKeyCount === 0) {
+      issues.push({
+        code: "active_secrets_without_usable_active_key",
+        severity: "error",
+        message: "Active secrets exist, but no active tenant_encryption_keys row can be used with the current AMK.",
+        repairAction: "store-fresh-secret-value",
+        sourceTable: "tenant_encryption_keys",
+        details: {
+          activeSecretCount: activeSecrets.length,
+          activeTenantEncryptionKeyCount: activeTenantEncryptionKeys.length
+        }
+      });
+    }
+    const keyFingerprintToRow = /* @__PURE__ */ new Map();
+    for (const key of tenantEncryptionKeys) {
+      const fingerprint = this.getWrappedKeyFingerprint(key.wrapped_key);
+      if (fingerprint) {
+        keyFingerprintToRow.set(fingerprint, key);
+      }
+    }
+    for (const secret of activeSecrets) {
+      const envelope = this.parseSecretEnvelopeForDiagnosis(secret, issues);
+      if (!envelope) continue;
+      const envelopeFingerprint = this.getWrappedKeyFingerprint(
+        envelope.wrappedKey
+      );
+      const envelopeCheck = amk.value ? this.checkWrappedKey(envelope.wrappedKey, amk.value) : {
+        usable: false,
+        error: amk.error,
+        fingerprint: envelopeFingerprint
+      };
+      if (!envelopeCheck.fingerprint) {
+        issues.push({
+          code: "secret_envelope_invalid_wrapped_key",
+          severity: "error",
+          message: "Secret encryptedValue contains an invalid wrapped key format.",
+          repairAction: "delete-unrecoverable-secret",
+          secretId: secret.id,
+          secretName: secret.name,
+          sourceTable: "secrets",
+          details: {
+            error: envelopeCheck.error ?? null
+          }
+        });
+        continue;
+      }
+      const matchingKey = keyFingerprintToRow.get(envelopeCheck.fingerprint);
+      if (!matchingKey) {
+        issues.push({
+          code: "secret_envelope_missing_tenant_encryption_key",
+          severity: "error",
+          message: "Secret envelope does not match any tenant_encryption_keys row for this tenant.",
+          repairAction: !amk.value ? "none" : envelopeCheck.usable ? "none" : "delete-unrecoverable-secret",
+          secretId: secret.id,
+          secretName: secret.name,
+          sourceTable: "secrets"
+        });
+      }
+      if (!envelopeCheck.usable && amk.value) {
+        issues.push({
+          code: "secret_envelope_unwrap_failed",
+          severity: "error",
+          message: "Secret envelope cannot be unwrapped by the currently configured AMK.",
+          repairAction: "delete-unrecoverable-secret",
+          secretId: secret.id,
+          secretName: secret.name,
+          keyId: matchingKey?.id,
+          sourceTable: "secrets",
+          details: {
+            error: envelopeCheck.error ?? null
+          }
+        });
+      }
+    }
+    if (activeSecrets.length > 0 && tenantEncryptionKeys.length > 0 && smrtTenantKeys.length === 0 && !smrtTenantKeyRows.error) {
+      issues.push({
+        code: "smrt_tenant_keys_not_mirrored",
+        severity: "info",
+        message: "SMRT tenant_keys has no rows for this tenant, while the lower-level tenant_encryption_keys table does. SecretService uses tenant_encryption_keys for encryption.",
+        repairAction: "none",
+        sourceTable: "tenant_keys"
+      });
+    }
+    return {
+      tenantId,
+      checkedAt: /* @__PURE__ */ new Date(),
+      ok: !issues.some((issue) => issue.severity === "error"),
+      summary: {
+        activeSecretCount: activeSecrets.length,
+        tenantEncryptionKeyCount: tenantEncryptionKeys.length,
+        activeTenantEncryptionKeyCount: activeTenantEncryptionKeys.length,
+        usableActiveTenantEncryptionKeyCount,
+        smrtTenantKeyCount: smrtTenantKeys.length,
+        activeSmrtTenantKeyCount: activeSmrtTenantKeys.length
+      },
+      issues
+    };
+  }
+  /**
+   * Diagnose drift for the current tenant context.
+   */
+  async diagnoseCurrentTenantSecretKeyDrift(options = {}) {
+    return this.diagnoseTenantSecretKeyDrift(requireTenantId(), options);
+  }
+  /**
+   * Delete unrecoverable secret/key rows identified by diagnosis.
+   *
+   * This never attempts to recover or expose secret values. Use dryRun first
+   * to preview destructive changes.
+   */
+  async repairTenantSecretKeyDrift(tenantId, options = {}) {
+    const dryRun = options.dryRun ?? false;
+    const before = await this.diagnoseTenantSecretKeyDrift(tenantId, options);
+    const secretIds = /* @__PURE__ */ new Set();
+    const secretNames = /* @__PURE__ */ new Map();
+    const tenantEncryptionKeyIds = /* @__PURE__ */ new Set();
+    for (const issue of before.issues) {
+      if (issue.repairAction === "delete-unrecoverable-secret" && issue.secretId) {
+        secretIds.add(issue.secretId);
+        if (issue.secretName) {
+          secretNames.set(issue.secretId, issue.secretName);
+        }
+      }
+      if (issue.repairAction === "delete-unusable-tenant-encryption-key" && issue.keyId) {
+        tenantEncryptionKeyIds.add(issue.keyId);
+      }
+    }
+    const wouldDeleteSecrets = secretIds.size;
+    const wouldDeleteTenantEncryptionKeys = tenantEncryptionKeyIds.size;
+    const wouldDeleteUnrecoverableData = wouldDeleteSecrets + wouldDeleteTenantEncryptionKeys > 0;
+    if (!dryRun && wouldDeleteUnrecoverableData && !options.confirmDeleteUnrecoverableData) {
+      throw new Error(
+        "repairTenantSecretKeyDrift requires confirmDeleteUnrecoverableData: true before deleting encrypted secrets or tenant key rows."
+      );
+    }
+    let deletedSecrets = 0;
+    let deletedTenantEncryptionKeys = 0;
+    if (!dryRun) {
+      const runDeletes = async (db) => {
+        const deletedSecretRows = await this.deleteRowsByIds(
+          "secrets",
+          tenantId,
+          secretIds,
+          db
+        );
+        const deletedTenantEncryptionKeyRows = await this.deleteRowsByIds(
+          "tenant_encryption_keys",
+          tenantId,
+          tenantEncryptionKeyIds,
+          db
+        );
+        return {
+          deletedSecrets: deletedSecretRows,
+          deletedTenantEncryptionKeys: deletedTenantEncryptionKeyRows
+        };
+      };
+      const txDb = this.db;
+      const deleteResult = typeof txDb.transaction === "function" ? await txDb.transaction((db) => runDeletes(db)) : await runDeletes(this.db);
+      deletedSecrets = deleteResult.deletedSecrets;
+      deletedTenantEncryptionKeys = deleteResult.deletedTenantEncryptionKeys;
+      await this.auditSecretDriftRepairDeletes(
+        tenantId,
+        secretIds,
+        secretNames
+      );
+    }
+    const after = dryRun ? before : await this.diagnoseTenantSecretKeyDrift(tenantId, options);
+    return {
+      tenantId,
+      dryRun,
+      issuesBefore: before.issues,
+      remainingIssues: after.issues,
+      wouldDeleteSecrets,
+      wouldDeleteTenantEncryptionKeys,
+      deletedSecrets,
+      deletedTenantEncryptionKeys,
+      secretNames: Array.from(secretNames.values()).sort(),
+      tenantEncryptionKeyIds: Array.from(tenantEncryptionKeyIds).sort()
+    };
+  }
+  /**
+   * List secrets for the current tenant (names only, not values)
+   */
+  async list(options = {}) {
+    return this.secrets.listSecrets(requireTenantId(), {
+      category: options.category,
+      status: "active"
+    });
+  }
+  /**
+   * Delete a secret
+   */
+  async delete(name) {
+    const tenantId = requireTenantId();
+    const userId = this.getCurrentUserId();
+    const secret = await this.secrets.findByName(tenantId, name);
+    if (!secret || secret.tenantId !== tenantId) {
+      return false;
+    }
+    try {
+      await secret.delete();
+      await this.audit(secret.id ?? null, name, userId, "delete", "success");
+      return true;
+    } catch (error) {
+      await this.audit(secret.id ?? null, name, userId, "delete", "failure", {
+        error: error.message
+      });
+      throw error;
+    }
+  }
+  /**
+   * Disable a secret (soft delete)
+   */
+  async disable(name) {
+    const tenantId = requireTenantId();
+    const userId = this.getCurrentUserId();
+    const secret = await this.secrets.findByName(tenantId, name);
+    if (!secret || secret.tenantId !== tenantId) {
+      return false;
+    }
+    secret.disable();
+    await secret.save();
+    await this.audit(secret.id ?? null, name, userId, "disable", "success");
+    return true;
+  }
+  /**
+   * Enable a disabled secret
+   */
+  async enable(name) {
+    const tenantId = requireTenantId();
+    const userId = this.getCurrentUserId();
+    const secret = await this.secrets.findByName(tenantId, name);
+    if (!secret || secret.tenantId !== tenantId) {
+      return false;
+    }
+    secret.enable();
+    await secret.save();
+    await this.audit(secret.id ?? null, name, userId, "enable", "success");
+    return true;
+  }
+  /**
+   * Rotate the tenant's encryption key
+   *
+   * This creates a new TDEK and marks the old one as retired.
+   * Existing secrets remain encrypted with the old key and can still
+   * be decrypted (the old key is kept in retired state).
+   *
+   * For full re-encryption, call reencryptAll() after rotation.
+   */
+  async rotateKey() {
+    const tenantId = requireTenantId();
+    const userId = this.getCurrentUserId();
+    try {
+      await this.secretStore.rotateTenantKey(tenantId);
+      await this.audit(null, "", userId, "rotate_key", "success", {
+        tenantId
+      });
+    } catch (error) {
+      await this.audit(null, "", userId, "rotate_key", "failure", {
+        tenantId,
+        error: error.message
+      });
+      throw error;
+    }
+  }
+  /**
+   * Re-encrypt all secrets with the current active key
+   *
+   * Call this after key rotation to ensure all secrets use the new key.
+   * This is optional but recommended for security.
+   */
+  async reencryptAll() {
+    const tenantId = requireTenantId();
+    const userId = this.getCurrentUserId();
+    const secrets = await this.secrets.list({ where: { tenantId } });
+    let success = 0;
+    let failed = 0;
+    for (const secret of secrets) {
+      try {
+        const envelope = JSON.parse(secret.encryptedValue);
+        const decrypted = await this.secretStore.decrypt(tenantId, envelope);
+        const newEnvelope = await this.secretStore.encrypt(
+          tenantId,
+          secret.name,
+          decrypted.value
+        );
+        secret.encryptedValue = JSON.stringify(newEnvelope);
+        await secret.save();
+        success++;
+      } catch (error) {
+        failed++;
+        await this.audit(
+          secret.id ?? null,
+          secret.name,
+          userId,
+          "update",
+          "failure",
+          {
+            action: "reencrypt",
+            error: error.message
+          }
+        );
+      }
+    }
+    return { success, failed };
+  }
+  /**
+   * Get audit logs for the current tenant
+   */
+  async getAuditLogs(options = {}) {
+    return this.auditLogs.listLogs({
+      // Scope to the current tenant (issue #1501): audit logs reference
+      // secret names and must not leak across tenants.
+      tenantId: requireTenantId(),
+      secretName: options.secretName,
+      limit: options.limit ?? 100
+    });
+  }
+  /**
+   * Get secret categories for the current tenant
+   */
+  async getCategories() {
+    return this.secrets.getCategories(requireTenantId());
+  }
+  /**
+   * Check if a secret exists for the current tenant
+   */
+  async exists(name) {
+    const tenantId = requireTenantId();
+    const secret = await this.secrets.findByName(tenantId, name);
+    return secret !== null && secret.tenantId === tenantId;
+  }
+  // Private methods
+  async listActiveSecretRowsForDiagnosis(tenantId, secretNames) {
+    const params = [tenantId];
+    let nameFilter = "";
+    if (secretNames && secretNames.length > 0) {
+      const placeholders = secretNames.map(() => "?").join(", ");
+      nameFilter = ` AND name IN (${placeholders})`;
+      params.push(...secretNames);
+    }
+    const result = await this.db.query(
+      `
+        SELECT id, name, encrypted_value, status, tenant_id
+        FROM "secrets"
+        WHERE tenant_id = ? AND status = 'active'${nameFilter}
+        ORDER BY name ASC
+      `,
+      ...params
+    );
+    return this.rowsFromResult(result);
+  }
+  async listTenantEncryptionKeyRows(tenantId) {
+    const result = await this.db.query(
+      `
+        SELECT id, tenant_id, wrapped_key, amk_key_id, status, version,
+          rotate_after, retired_at, created_at, updated_at
+        FROM "tenant_encryption_keys"
+        WHERE tenant_id = ?
+        ORDER BY version DESC
+      `,
+      tenantId
+    );
+    return this.rowsFromResult(result);
+  }
+  async listSmrtTenantKeysForDiagnosis(tenantId) {
+    try {
+      return { keys: await this.tenantKeys.listKeyVersions(tenantId) };
+    } catch (error) {
+      return { keys: [], error: this.toError(error) };
+    }
+  }
+  getConfiguredAmkForDiagnosis() {
+    const keyHex = process.env[this.amkEnvVar];
+    if (!keyHex) {
+      return {
+        usable: false,
+        error: `Application Master Key not found in environment variable: ${this.amkEnvVar}`
+      };
+    }
+    try {
+      return {
+        usable: true,
+        value: EnvelopeEncryption.parseHexKey(keyHex)
+      };
+    } catch (error) {
+      return {
+        usable: false,
+        error: `Invalid AMK in ${this.amkEnvVar}: ${this.toError(error).message}`
+      };
+    }
+  }
+  checkWrappedKey(wrappedKey, amk) {
+    const fingerprint = this.getWrappedKeyFingerprint(wrappedKey);
+    try {
+      const parsed = EnvelopeEncryption.parseWrappedKey(wrappedKey);
+      const dataKey = EnvelopeEncryption.unwrapKey(
+        parsed.wrappedKey,
+        parsed.iv,
+        parsed.authTag,
+        amk
+      );
+      dataKey.fill(0);
+      return { usable: true, fingerprint };
+    } catch (error) {
+      return {
+        usable: false,
+        fingerprint,
+        error: this.toError(error).message
+      };
+    }
+  }
+  getWrappedKeyFingerprint(wrappedKey) {
+    try {
+      return EnvelopeEncryption.parseWrappedKey(wrappedKey).wrappedKey;
+    } catch {
+      return void 0;
+    }
+  }
+  parseSecretEnvelopeForDiagnosis(secret, issues) {
+    try {
+      return JSON.parse(secret.encrypted_value);
+    } catch (error) {
+      issues.push({
+        code: "secret_envelope_invalid_json",
+        severity: "error",
+        message: "Secret encryptedValue is not valid EncryptedEnvelope JSON.",
+        repairAction: "delete-unrecoverable-secret",
+        secretId: secret.id,
+        secretName: secret.name,
+        sourceTable: "secrets",
+        details: {
+          error: this.toError(error).message
+        }
+      });
+      return null;
+    }
+  }
+  async deleteRowsByIds(tableName, tenantId, ids, db = this.db) {
+    if (ids.size === 0) return 0;
+    const idList = Array.from(ids);
+    const placeholders = idList.map(() => "?").join(", ");
+    const result = await db.query(
+      `DELETE FROM "${tableName}" WHERE tenant_id = ? AND id IN (${placeholders})`,
+      tenantId,
+      ...idList
+    );
+    return typeof result.rowCount === "number" ? result.rowCount : idList.length;
+  }
+  async auditSecretDriftRepairDeletes(tenantId, secretIds, secretNames) {
+    if (secretIds.size === 0) return;
+    const userId = this.getCurrentUserId();
+    await withTenant({ tenantId }, async () => {
+      for (const secretId of secretIds) {
+        await this.audit(
+          secretId,
+          secretNames.get(secretId) ?? "",
+          userId,
+          "delete",
+          "success",
+          {
+            action: "repairTenantSecretKeyDrift",
+            reason: "unrecoverable-secret-key-drift"
+          }
+        );
+      }
+    });
+  }
+  rowsFromResult(result) {
+    if (Array.isArray(result)) return result;
+    if (result && typeof result === "object" && Array.isArray(result.rows)) {
+      return result.rows;
+    }
+    return [];
+  }
+  async classifyTenantKeyFailure(tenantId, secretName, error) {
+    const normalized = this.toError(error);
+    if (!this.shouldClassifyTenantKeyFailure(normalized)) {
+      return normalized;
+    }
+    try {
+      const report = await this.diagnoseTenantSecretKeyDrift(tenantId, {
+        secretNames: [secretName]
+      });
+      const errorCodes = report.issues.filter((issue) => issue.severity === "error").map((issue) => issue.code);
+      if (errorCodes.length === 0) {
+        return normalized;
+      }
+      return new SecretKeyDriftError(
+        `Secret '${secretName}' for tenant '${tenantId}' failed because secret key drift was detected: ${[
+          ...new Set(errorCodes)
+        ].join(
+          ", "
+        )}. Run diagnoseTenantSecretKeyDrift() for details and repairTenantSecretKeyDrift() for explicit cleanup of unrecoverable rows.`,
+        tenantId,
+        report,
+        normalized
+      );
+    } catch {
+      return normalized;
+    }
+  }
+  shouldClassifyTenantKeyFailure(error) {
+    const code = this.getSecretErrorCode(error);
+    if (error instanceof AMKUnavailableError || code === "AMK_UNAVAILABLE") {
+      return false;
+    }
+    return error instanceof TenantKeyMissingError || error instanceof EncryptionError || error instanceof DecryptionError || code === "TENANT_KEY_MISSING" || code === "ENCRYPTION_FAILED" || code === "DECRYPTION_FAILED";
+  }
+  getSecretErrorCode(error) {
+    const code = error.code;
+    return typeof code === "string" ? code : void 0;
+  }
+  toError(error) {
+    return error instanceof Error ? error : new Error(String(error));
+  }
+  getCurrentUserId() {
+    const ctx = getCurrentTenant();
+    return ctx?.userId ?? "system";
+  }
+  async audit(secretId, secretName, userId, action, result, details) {
+    if (!this.auditEnabled) return;
+    try {
+      const tenantId = getCurrentTenant()?.tenantId ?? null;
+      const log = await this.auditLogs.create(
+        createAuditEntry({
+          secretId,
+          secretName,
+          userId,
+          action,
+          result,
+          details,
+          tenantId
+        })
+      );
+      await log.save();
+    } catch (error) {
+      logger.error("Failed to write audit log", { error });
+    }
+  }
+  serializeMetadata(metadata) {
+    const result = {};
+    for (const [key, value] of Object.entries(metadata)) {
+      result[key] = typeof value === "string" ? value : JSON.stringify(value);
+    }
+    return result;
+  }
+}
+export {
+  SecretAuditLogCollection as S,
+  TenantKeyCollection as T,
+  SecretCollection as a,
+  SecretKeyDriftError as b,
+  SecretService as c
+};
+//# sourceMappingURL=SecretService-C91H6WJK.js.map