@happyvertical/smrt-secrets 0.30.0

package/dist/models/Secret.d.ts

@@ -0,0 +1,104 @@
+import { SmrtObject } from '@happyvertical/smrt-core';
+/**
+ * Secret status values
+ */
+export type SecretStatus = 'active' | 'disabled' | 'expired';
+/**
+ * Secret represents an encrypted value stored per-tenant.
+ *
+ * Secrets are tenant-scoped and use envelope encryption:
+ * - Each tenant has their own Data Encryption Key (TDEK)
+ * - The TDEK is wrapped by the Application Master Key (AMK)
+ * - Secret values are encrypted by the unwrapped TDEK
+ *
+ * **Security**: This model deliberately excludes API and MCP exposure
+ * to prevent accidental secret leakage. Secrets are only accessible
+ * via CLI commands or direct service calls.
+ *
+ * @example
+ * ```typescript
+ * import { SecretService } from '@happyvertical/smrt-secrets';
+ *
+ * const service = await SecretService.create({ db });
+ *
+ * await withTenant({ tenantId: 'tenant-123' }, async () => {
+ *   // Store a secret
+ *   await service.store('api-key', 'sk_live_xxx', { category: 'stripe' });
+ *
+ *   // Retrieve (auto-decrypts)
+ *   const apiKey = await service.retrieve('api-key');
+ * });
+ * ```
+ */
+export declare class Secret extends SmrtObject {
+    /**
+     * Tenant that owns this secret. Also stored in context for per-tenant name uniqueness.
+     */
+    tenantId: string;
+    /**
+     * Unique name for the secret within the tenant
+     */
+    name: string;
+    /**
+     * Human-readable description
+     */
+    description: string;
+    /**
+     * Category for organization (e.g., 'database', 'api-key', 'oauth')
+     */
+    category: string;
+    /**
+     * JSON-encoded EncryptedEnvelope from @happyvertical/secrets
+     */
+    encryptedValue: string;
+    /**
+     * Version of the tenant key used to encrypt this secret
+     */
+    keyVersion: number;
+    /**
+     * Current status of the secret
+     */
+    status: SecretStatus;
+    /**
+     * Optional expiration date
+     */
+    expiresAt: Date | null;
+    /**
+     * Last time this secret was accessed (decrypted)
+     */
+    lastAccessedAt: Date | null;
+    /**
+     * Number of times this secret has been accessed
+     */
+    accessCount: number;
+    /**
+     * Additional metadata stored with the secret
+     */
+    metadata: Record<string, unknown>;
+    constructor(options?: any);
+    /**
+     * Check if the secret is currently active
+     */
+    isActive(): boolean;
+    /**
+     * Check if the secret has expired
+     */
+    isExpired(): boolean;
+    /**
+     * Check if the secret can be used (active and not expired)
+     */
+    isUsable(): boolean;
+    /**
+     * Record an access to this secret
+     */
+    recordAccess(): void;
+    /**
+     * Disable the secret
+     */
+    disable(): void;
+    /**
+     * Enable the secret
+     */
+    enable(): void;
+}
+//# sourceMappingURL=Secret.d.ts.map

package/dist/models/Secret.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"Secret.d.ts","sourceRoot":"","sources":["../../src/models/Secret.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,UAAU,EAAQ,MAAM,0BAA0B,CAAC;AAE5D;;GAEG;AACH,MAAM,MAAM,YAAY,GAAG,QAAQ,GAAG,UAAU,GAAG,SAAS,CAAC;AAE7D;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AAWH,qBASa,MAAO,SAAQ,UAAU;IACpC;;OAEG;IACH,QAAQ,EAAE,MAAM,CAAM;IAEtB;;OAEG;IACH,IAAI,EAAE,MAAM,CAAM;IAElB;;OAEG;IACH,WAAW,EAAE,MAAM,CAAM;IAEzB;;OAEG;IACH,QAAQ,EAAE,MAAM,CAAM;IAEtB;;OAEG;IACH,cAAc,EAAE,MAAM,CAAM;IAE5B;;OAEG;IACH,UAAU,EAAE,MAAM,CAAK;IAEvB;;OAEG;IACH,MAAM,EAAE,YAAY,CAAY;IAEhC;;OAEG;IACH,SAAS,EAAE,IAAI,GAAG,IAAI,CAAQ;IAE9B;;OAEG;IACH,cAAc,EAAE,IAAI,GAAG,IAAI,CAAQ;IAEnC;;OAEG;IACH,WAAW,EAAE,MAAM,CAAK;IAExB;;OAEG;IACH,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAM;gBAE3B,OAAO,GAAE,GAAQ;IAgC7B;;OAEG;IACH,QAAQ,IAAI,OAAO;IAInB;;OAEG;IACH,SAAS,IAAI,OAAO;IAKpB;;OAEG;IACH,QAAQ,IAAI,OAAO;IAInB;;OAEG;IACH,YAAY,IAAI,IAAI;IAKpB;;OAEG;IACH,OAAO,IAAI,IAAI;IAIf;;OAEG;IACH,MAAM,IAAI,IAAI;CAGf"}

package/dist/models/SecretAuditLog.d.ts

@@ -0,0 +1,123 @@
+import { SmrtCreateInput, SmrtObject } from '@happyvertical/smrt-core';
+/**
+ * Secret audit action types
+ */
+export type SecretAuditAction = 'create' | 'read' | 'update' | 'delete' | 'rotate_key' | 'disable' | 'enable' | 'expire';
+/**
+ * Audit result types
+ */
+export type SecretAuditResult = 'success' | 'failure' | 'denied';
+/**
+ * SecretAuditLog records all operations on secrets for compliance
+ * and security monitoring.
+ *
+ * Every secret operation (create, read, update, delete, key rotation)
+ * is logged with the user, action, result, and relevant details.
+ *
+ * **Retention**: Audit logs should be retained according to your
+ * compliance requirements (typically 1-7 years).
+ *
+ * @example
+ * ```typescript
+ * // Query recent audit logs
+ * const logs = await auditLogs.list({
+ *   where: { tenantId: 'tenant-123' },
+ *   orderBy: 'created_at DESC',
+ *   limit: 100
+ * });
+ *
+ * // Filter by action
+ * const reads = await auditLogs.list({
+ *   where: {
+ *     tenantId: 'tenant-123',
+ *     action: 'read'
+ *   }
+ * });
+ *
+ * // Filter by secret name
+ * const apiKeyLogs = await auditLogs.list({
+ *   where: {
+ *     tenantId: 'tenant-123',
+ *     secretName: 'stripe-api-key'
+ *   }
+ * });
+ * ```
+ */
+export declare class SecretAuditLog extends SmrtObject {
+    /**
+     * Tenant associated with the audited secret operation.
+     */
+    tenantId: string | null;
+    /**
+     * ID of the secret (may be null for deleted secrets)
+     */
+    secretId: string | null;
+    /**
+     * Name of the secret at the time of the operation
+     */
+    secretName: string;
+    /**
+     * ID of the user who performed the action
+     */
+    userId: string;
+    /**
+     * The action that was performed
+     */
+    action: SecretAuditAction;
+    /**
+     * Result of the operation
+     */
+    result: SecretAuditResult;
+    /**
+     * IP address of the client (if available)
+     */
+    ipAddress: string;
+    /**
+     * User agent string (if available)
+     */
+    userAgent: string;
+    /**
+     * Additional context about the operation
+     */
+    details: Record<string, unknown>;
+    constructor(options?: any);
+    /**
+     * Check if this was a successful operation
+     */
+    isSuccess(): boolean;
+    /**
+     * Check if this was a failed operation
+     */
+    isFailure(): boolean;
+    /**
+     * Check if this was a denied operation (permission denied)
+     */
+    isDenied(): boolean;
+    /**
+     * Check if this is a read operation
+     */
+    isReadAction(): boolean;
+    /**
+     * Check if this is a write operation (create, update, delete)
+     */
+    isWriteAction(): boolean;
+    /**
+     * Check if this is a key operation
+     */
+    isKeyOperation(): boolean;
+}
+/**
+ * Create an audit log entry for a secret operation
+ */
+export declare function createAuditEntry(params: {
+    secretId?: string | null;
+    secretName: string;
+    tenantId?: string | null;
+    userId: string;
+    action: SecretAuditAction;
+    result: SecretAuditResult;
+    ipAddress?: string;
+    userAgent?: string;
+    details?: Record<string, unknown>;
+}): SmrtCreateInput<SecretAuditLog>;
+//# sourceMappingURL=SecretAuditLog.d.ts.map

package/dist/models/SecretAuditLog.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"SecretAuditLog.d.ts","sourceRoot":"","sources":["../../src/models/SecretAuditLog.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,0BAA0B,CAAC;AAChE,OAAO,EAGL,UAAU,EAEX,MAAM,0BAA0B,CAAC;AAElC;;GAEG;AACH,MAAM,MAAM,iBAAiB,GACzB,QAAQ,GACR,MAAM,GACN,QAAQ,GACR,QAAQ,GACR,YAAY,GACZ,SAAS,GACT,QAAQ,GACR,QAAQ,CAAC;AAEb;;GAEG;AACH,MAAM,MAAM,iBAAiB,GAAG,SAAS,GAAG,SAAS,GAAG,QAAQ,CAAC;AAEjE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAmCG;AAUH,qBAQa,cAAe,SAAQ,UAAU;IAC5C;;OAEG;IACH,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAQ;IAE/B;;OAEG;IAEH,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAQ;IAE/B;;OAEG;IACH,UAAU,EAAE,MAAM,CAAM;IAExB;;OAEG;IAEH,MAAM,EAAE,MAAM,CAAM;IAEpB;;OAEG;IACH,MAAM,EAAE,iBAAiB,CAAU;IAEnC;;OAEG;IACH,MAAM,EAAE,iBAAiB,CAAa;IAEtC;;OAEG;IACH,SAAS,EAAE,MAAM,CAAM;IAEvB;;OAEG;IACH,SAAS,EAAE,MAAM,CAAM;IAEvB;;OAEG;IACH,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAM;gBAE1B,OAAO,GAAE,GAAQ;IAe7B;;OAEG;IACH,SAAS,IAAI,OAAO;IAIpB;;OAEG;IACH,SAAS,IAAI,OAAO;IAIpB;;OAEG;IACH,QAAQ,IAAI,OAAO;IAInB;;OAEG;IACH,YAAY,IAAI,OAAO;IAIvB;;OAEG;IACH,aAAa,IAAI,OAAO;IAIxB;;OAEG;IACH,cAAc,IAAI,OAAO;CAG1B;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,MAAM,EAAE;IACvC,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,iBAAiB,CAAC;IAC1B,MAAM,EAAE,iBAAiB,CAAC;IAC1B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACnC,GAAG,eAAe,CAAC,cAAc,CAAC,CAkBlC"}

package/dist/models/TenantKey.d.ts

@@ -0,0 +1,101 @@
+import { SmrtObject } from '@happyvertical/smrt-core';
+/**
+ * Key status values
+ */
+export type TenantKeyStatus = 'active' | 'rotating' | 'retired' | 'compromised';
+/**
+ * TenantKey tracks the per-tenant Data Encryption Keys (TDEKs).
+ *
+ * Each tenant has one or more TDEKs stored in wrapped form. The wrapped key
+ * can only be decrypted using the Application Master Key (AMK).
+ *
+ * **Key Lifecycle**:
+ * 1. `active` - Current key used for encryption
+ * 2. `rotating` - Transitional state during rotation
+ * 3. `retired` - Old key kept for decryption of existing secrets
+ * 4. `compromised` - Key marked as compromised, should not be used
+ *
+ * **Note**: This model is NOT tenant-scoped itself because it tracks
+ * keys FOR tenants, not secrets owned BY tenants.
+ *
+ * @example
+ * ```typescript
+ * // Get active key for a tenant
+ * const key = await tenantKeys.get({
+ *   tenantId: 'tenant-123',
+ *   status: 'active'
+ * });
+ *
+ * // List all key versions for a tenant
+ * const versions = await tenantKeys.list({
+ *   where: { tenantId: 'tenant-123' },
+ *   orderBy: 'version DESC'
+ * });
+ * ```
+ */
+export declare class TenantKey extends SmrtObject {
+    /**
+     * Tenant ID this key belongs to
+     */
+    tenantId: string;
+    /**
+     * Wrapped key data (format: wrappedKey:iv:authTag)
+     */
+    wrappedKey: string;
+    /**
+     * ID of the AMK used to wrap this key
+     */
+    amkKeyId: string;
+    /**
+     * Current status of the key
+     */
+    status: TenantKeyStatus;
+    /**
+     * Version number (increments on rotation)
+     */
+    version: number;
+    /**
+     * Recommended rotation date
+     */
+    rotateAfter: Date | null;
+    /**
+     * When the key was retired (if applicable)
+     */
+    retiredAt: Date | null;
+    constructor(options?: any);
+    /**
+     * Check if this key is currently active
+     */
+    isActive(): boolean;
+    /**
+     * Check if this key needs rotation
+     */
+    needsRotation(): boolean;
+    /**
+     * Check if this key is retired
+     */
+    isRetired(): boolean;
+    /**
+     * Check if this key is compromised
+     */
+    isCompromised(): boolean;
+    /**
+     * Check if this key can be used for decryption
+     * (active or retired keys can decrypt)
+     */
+    canDecrypt(): boolean;
+    /**
+     * Check if this key can be used for encryption
+     * (only active keys should encrypt)
+     */
+    canEncrypt(): boolean;
+    /**
+     * Mark this key as retired
+     */
+    retire(): void;
+    /**
+     * Mark this key as compromised
+     */
+    markCompromised(): void;
+}
+//# sourceMappingURL=TenantKey.d.ts.map

package/dist/models/TenantKey.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"TenantKey.d.ts","sourceRoot":"","sources":["../../src/models/TenantKey.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,UAAU,EAAQ,MAAM,0BAA0B,CAAC;AAE5D;;GAEG;AACH,MAAM,MAAM,eAAe,GAAG,QAAQ,GAAG,UAAU,GAAG,SAAS,GAAG,aAAa,CAAC;AAEhF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AASH,qBAQa,SAAU,SAAQ,UAAU;IACvC;;OAEG;IACH,QAAQ,EAAE,MAAM,CAAM;IAEtB;;OAEG;IACH,UAAU,EAAE,MAAM,CAAM;IAExB;;OAEG;IACH,QAAQ,EAAE,MAAM,CAAM;IAEtB;;OAEG;IACH,MAAM,EAAE,eAAe,CAAY;IAEnC;;OAEG;IACH,OAAO,EAAE,MAAM,CAAK;IAEpB;;OAEG;IACH,WAAW,EAAE,IAAI,GAAG,IAAI,CAAQ;IAEhC;;OAEG;IACH,SAAS,EAAE,IAAI,GAAG,IAAI,CAAQ;gBAElB,OAAO,GAAE,GAAQ;IAyB7B;;OAEG;IACH,QAAQ,IAAI,OAAO;IAInB;;OAEG;IACH,aAAa,IAAI,OAAO;IAKxB;;OAEG;IACH,SAAS,IAAI,OAAO;IAIpB;;OAEG;IACH,aAAa,IAAI,OAAO;IAIxB;;;OAGG;IACH,UAAU,IAAI,OAAO;IAIrB;;;OAGG;IACH,UAAU,IAAI,OAAO;IAIrB;;OAEG;IACH,MAAM,IAAI,IAAI;IAKd;;OAEG;IACH,eAAe,IAAI,IAAI;CAGxB"}

package/dist/models/index.d.ts

@@ -0,0 +1,4 @@
+export { Secret, type SecretStatus } from './Secret.js';
+export { createAuditEntry, type SecretAuditAction, SecretAuditLog, type SecretAuditResult, } from './SecretAuditLog.js';
+export { TenantKey, type TenantKeyStatus } from './TenantKey.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/models/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/models/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAIH,OAAO,yBAAyB,CAAC;AAEjC,OAAO,EAAE,MAAM,EAAE,KAAK,YAAY,EAAE,MAAM,aAAa,CAAC;AACxD,OAAO,EACL,gBAAgB,EAChB,KAAK,iBAAiB,EACtB,cAAc,EACd,KAAK,iBAAiB,GACvB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,SAAS,EAAE,KAAK,eAAe,EAAE,MAAM,gBAAgB,CAAC"}

package/dist/models/index.js

@@ -0,0 +1,8 @@
+import { S, a, T, c } from "../chunks/TenantKey-DzglnpAV.js";
+export {
+  S as Secret,
+  a as SecretAuditLog,
+  T as TenantKey,
+  c as createAuditEntry
+};
+//# sourceMappingURL=index.js.map

package/dist/models/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sources":[],"sourcesContent":[],"names":[],"mappings":";"}

package/dist/services/SecretService.d.ts

@@ -0,0 +1,266 @@
+import { DatabaseInterface } from '@happyvertical/sql';
+import { Secret } from '../models/Secret.js';
+import { SecretAuditLog } from '../models/SecretAuditLog.js';
+/**
+ * Options for creating a SecretService
+ */
+export interface SecretServiceOptions {
+    /** Database connection */
+    db: DatabaseInterface;
+    /** Environment variable containing the AMK (64 hex chars) */
+    amkEnvVar?: string;
+    /** AMK key identifier */
+    amkKeyId?: string;
+    /** Enable audit logging (default: true) */
+    auditEnabled?: boolean;
+}
+/**
+ * Options for storing a secret
+ */
+export interface StoreSecretOptions {
+    /** Human-readable description */
+    description?: string;
+    /** Category for organization */
+    category?: string;
+    /** Optional expiration date */
+    expiresAt?: Date;
+    /** Additional metadata */
+    metadata?: Record<string, unknown>;
+}
+/**
+ * Result of retrieving a secret
+ */
+export interface RetrievedSecret {
+    /** The decrypted secret value */
+    value: string;
+    /** Secret metadata */
+    name: string;
+    description: string;
+    category: string;
+    expiresAt: Date | null;
+    createdAt: Date;
+    lastAccessedAt: Date | null;
+    accessCount: number;
+    metadata: Record<string, unknown>;
+}
+export type SecretKeyDriftIssueSeverity = 'info' | 'warning' | 'error';
+export type SecretKeyDriftIssueCode = 'amk_unavailable' | 'active_secrets_without_usable_active_key' | 'missing_active_tenant_encryption_key' | 'multiple_active_tenant_encryption_keys' | 'active_tenant_encryption_key_amk_mismatch' | 'active_tenant_encryption_key_unwrap_failed' | 'secret_envelope_invalid_json' | 'secret_envelope_invalid_wrapped_key' | 'secret_envelope_missing_tenant_encryption_key' | 'secret_envelope_unwrap_failed' | 'smrt_tenant_keys_query_failed' | 'smrt_tenant_keys_not_mirrored';
+export type SecretKeyDriftRepairAction = 'delete-unrecoverable-secret' | 'delete-unusable-tenant-encryption-key' | 'store-fresh-secret-value' | 'none';
+export interface SecretKeyDriftIssue {
+    code: SecretKeyDriftIssueCode;
+    severity: SecretKeyDriftIssueSeverity;
+    message: string;
+    repairAction: SecretKeyDriftRepairAction;
+    secretId?: string;
+    secretName?: string;
+    keyId?: string;
+    sourceTable?: 'secrets' | 'tenant_encryption_keys' | 'tenant_keys';
+    details?: Record<string, string | number | boolean | null>;
+}
+export interface DiagnoseTenantSecretKeyDriftOptions {
+    /**
+     * Limit secret-envelope checks to these names. Tenant key checks still run.
+     */
+    secretNames?: string[];
+}
+export interface SecretKeyDriftReport {
+    tenantId: string;
+    checkedAt: Date;
+    ok: boolean;
+    summary: {
+        activeSecretCount: number;
+        tenantEncryptionKeyCount: number;
+        activeTenantEncryptionKeyCount: number;
+        usableActiveTenantEncryptionKeyCount: number;
+        smrtTenantKeyCount: number;
+        activeSmrtTenantKeyCount: number;
+    };
+    issues: SecretKeyDriftIssue[];
+}
+export interface RepairTenantSecretKeyDriftOptions extends DiagnoseTenantSecretKeyDriftOptions {
+    /**
+     * Preview affected rows without deleting anything.
+     */
+    dryRun?: boolean;
+    /**
+     * Required for destructive repair. This deletes encrypted values/key rows
+     * that cannot be used with the currently configured AMK.
+     */
+    confirmDeleteUnrecoverableData?: boolean;
+}
+export interface SecretKeyDriftRepairResult {
+    tenantId: string;
+    dryRun: boolean;
+    issuesBefore: SecretKeyDriftIssue[];
+    remainingIssues: SecretKeyDriftIssue[];
+    wouldDeleteSecrets: number;
+    wouldDeleteTenantEncryptionKeys: number;
+    deletedSecrets: number;
+    deletedTenantEncryptionKeys: number;
+    secretNames: string[];
+    tenantEncryptionKeyIds: string[];
+}
+export declare class SecretKeyDriftError extends Error {
+    readonly code = "SECRET_KEY_DRIFT";
+    readonly tenantId: string;
+    readonly report: SecretKeyDriftReport;
+    readonly cause?: Error;
+    constructor(message: string, tenantId: string, report: SecretKeyDriftReport, cause?: Error);
+}
+/**
+ * SecretService provides high-level operations for managing per-tenant secrets.
+ *
+ * It integrates with:
+ * - `@happyvertical/secrets` for envelope encryption
+ * - `@happyvertical/smrt-tenancy` for tenant context
+ * - Audit logging for compliance
+ *
+ * @example
+ * ```typescript
+ * import { SecretService } from '@happyvertical/smrt-secrets';
+ * import { withTenant } from '@happyvertical/smrt-tenancy';
+ *
+ * const service = await SecretService.create({ db });
+ *
+ * await withTenant({ tenantId: 'tenant-123' }, async () => {
+ *   // Store a secret
+ *   await service.store('stripe-api-key', 'sk_live_xxx', {
+ *     category: 'api-keys',
+ *     description: 'Stripe production API key'
+ *   });
+ *
+ *   // Retrieve the secret
+ *   const secret = await service.retrieve('stripe-api-key');
+ *   console.log(secret.value); // 'sk_live_xxx'
+ *
+ *   // List secret names (without values)
+ *   const secrets = await service.list();
+ *
+ *   // Rotate tenant's encryption key
+ *   await service.rotateKey();
+ *
+ *   // Delete a secret
+ *   await service.delete('stripe-api-key');
+ * });
+ * ```
+ */
+export declare class SecretService {
+    private db;
+    private secretStore;
+    private secrets;
+    private tenantKeys;
+    private auditLogs;
+    private auditEnabled;
+    private amkEnvVar;
+    private amkKeyId;
+    private constructor();
+    /**
+     * Create a new SecretService instance
+     */
+    static create(options: SecretServiceOptions): Promise<SecretService>;
+    /**
+     * Store a secret for the current tenant
+     */
+    store(name: string, value: string, options?: StoreSecretOptions): Promise<Secret>;
+    /**
+     * Store a secret for a specific tenant.
+     *
+     * This is useful for integrations that already resolved tenant ownership but
+     * may be running outside the application's ambient tenant context.
+     */
+    storeForTenant(tenantId: string, name: string, value: string, options?: StoreSecretOptions): Promise<Secret>;
+    /**
+     * Retrieve a secret for the current tenant
+     */
+    retrieve(name: string): Promise<RetrievedSecret>;
+    /**
+     * Retrieve a secret for a specific tenant.
+     */
+    retrieveForTenant(tenantId: string, name: string): Promise<RetrievedSecret>;
+    /**
+     * Diagnose tenant secret/key drift without exposing decrypted values.
+     */
+    diagnoseTenantSecretKeyDrift(tenantId: string, options?: DiagnoseTenantSecretKeyDriftOptions): Promise<SecretKeyDriftReport>;
+    /**
+     * Diagnose drift for the current tenant context.
+     */
+    diagnoseCurrentTenantSecretKeyDrift(options?: DiagnoseTenantSecretKeyDriftOptions): Promise<SecretKeyDriftReport>;
+    /**
+     * Delete unrecoverable secret/key rows identified by diagnosis.
+     *
+     * This never attempts to recover or expose secret values. Use dryRun first
+     * to preview destructive changes.
+     */
+    repairTenantSecretKeyDrift(tenantId: string, options?: RepairTenantSecretKeyDriftOptions): Promise<SecretKeyDriftRepairResult>;
+    /**
+     * List secrets for the current tenant (names only, not values)
+     */
+    list(options?: {
+        category?: string;
+    }): Promise<Secret[]>;
+    /**
+     * Delete a secret
+     */
+    delete(name: string): Promise<boolean>;
+    /**
+     * Disable a secret (soft delete)
+     */
+    disable(name: string): Promise<boolean>;
+    /**
+     * Enable a disabled secret
+     */
+    enable(name: string): Promise<boolean>;
+    /**
+     * Rotate the tenant's encryption key
+     *
+     * This creates a new TDEK and marks the old one as retired.
+     * Existing secrets remain encrypted with the old key and can still
+     * be decrypted (the old key is kept in retired state).
+     *
+     * For full re-encryption, call reencryptAll() after rotation.
+     */
+    rotateKey(): Promise<void>;
+    /**
+     * Re-encrypt all secrets with the current active key
+     *
+     * Call this after key rotation to ensure all secrets use the new key.
+     * This is optional but recommended for security.
+     */
+    reencryptAll(): Promise<{
+        success: number;
+        failed: number;
+    }>;
+    /**
+     * Get audit logs for the current tenant
+     */
+    getAuditLogs(options?: {
+        secretName?: string;
+        limit?: number;
+    }): Promise<SecretAuditLog[]>;
+    /**
+     * Get secret categories for the current tenant
+     */
+    getCategories(): Promise<string[]>;
+    /**
+     * Check if a secret exists for the current tenant
+     */
+    exists(name: string): Promise<boolean>;
+    private listActiveSecretRowsForDiagnosis;
+    private listTenantEncryptionKeyRows;
+    private listSmrtTenantKeysForDiagnosis;
+    private getConfiguredAmkForDiagnosis;
+    private checkWrappedKey;
+    private getWrappedKeyFingerprint;
+    private parseSecretEnvelopeForDiagnosis;
+    private deleteRowsByIds;
+    private auditSecretDriftRepairDeletes;
+    private rowsFromResult;
+    private classifyTenantKeyFailure;
+    private shouldClassifyTenantKeyFailure;
+    private getSecretErrorCode;
+    private toError;
+    private getCurrentUserId;
+    private audit;
+    private serializeMetadata;
+}
+//# sourceMappingURL=SecretService.d.ts.map

package/dist/services/SecretService.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"SecretService.d.ts","sourceRoot":"","sources":["../../src/services/SecretService.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAIH,OAAO,yBAAyB,CAAC;AAkBjC,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAC;AAI5D,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAC;AAClD,OAAO,EAGL,KAAK,cAAc,EACpB,MAAM,6BAA6B,CAAC;AAKrC;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,0BAA0B;IAC1B,EAAE,EAAE,iBAAiB,CAAC;IACtB,6DAA6D;IAC7D,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,yBAAyB;IACzB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,2CAA2C;IAC3C,YAAY,CAAC,EAAE,OAAO,CAAC;CACxB;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,iCAAiC;IACjC,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,gCAAgC;IAChC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,+BAA+B;IAC/B,SAAS,CAAC,EAAE,IAAI,CAAC;IACjB,0BAA0B;IAC1B,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACpC;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,iCAAiC;IACjC,KAAK,EAAE,MAAM,CAAC;IACd,sBAAsB;IACtB,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,IAAI,GAAG,IAAI,CAAC;IACvB,SAAS,EAAE,IAAI,CAAC;IAChB,cAAc,EAAE,IAAI,GAAG,IAAI,CAAC;IAC5B,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACnC;AAED,MAAM,MAAM,2BAA2B,GAAG,MAAM,GAAG,SAAS,GAAG,OAAO,CAAC;AAEvE,MAAM,MAAM,uBAAuB,GAC/B,iBAAiB,GACjB,0CAA0C,GAC1C,sCAAsC,GACtC,wCAAwC,GACxC,2CAA2C,GAC3C,4CAA4C,GAC5C,8BAA8B,GAC9B,qCAAqC,GACrC,+CAA+C,GAC/C,+BAA+B,GAC/B,+BAA+B,GAC/B,+BAA+B,CAAC;AAEpC,MAAM,MAAM,0BAA0B,GAClC,6BAA6B,GAC7B,uCAAuC,GACvC,0BAA0B,GAC1B,MAAM,CAAC;AAEX,MAAM,WAAW,mBAAmB;IAClC,IAAI,EAAE,uBAAuB,CAAC;IAC9B,QAAQ,EAAE,2BAA2B,CAAC;IACtC,OAAO,EAAE,MAAM,CAAC;IAChB,YAAY,EAAE,0BAA0B,CAAC;IACzC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,WAAW,CAAC,EAAE,SAAS,GAAG,wBAAwB,GAAG,aAAa,CAAC;IACnE,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO,GAAG,IAAI,CAAC,CAAC;CAC5D;AAED,MAAM,WAAW,mCAAmC;IAClD;;OAEG;IACH,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;CACxB;AAED,MAAM,WAAW,oBAAoB;IACnC,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,IAAI,CAAC;IAChB,EAAE,EAAE,OAAO,CAAC;IACZ,OAAO,EAAE;QACP,iBAAiB,EAAE,MAAM,CAAC;QAC1B,wBAAwB,EAAE,MAAM,CAAC;QACjC,8BAA8B,EAAE,MAAM,CAAC;QACvC,oCAAoC,EAAE,MAAM,CAAC;QAC7C,kBAAkB,EAAE,MAAM,CAAC;QAC3B,wBAAwB,EAAE,MAAM,CAAC;KAClC,CAAC;IACF,MAAM,EAAE,mBAAmB,EAAE,CAAC;CAC/B;AAED,MAAM,WAAW,iCACf,SAAQ,mCAAmC;IAC3C;;OAEG;IACH,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB;;;OAGG;IACH,8BAA8B,CAAC,EAAE,OAAO,CAAC;CAC1C;AAED,MAAM,WAAW,0BAA0B;IACzC,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,OAAO,CAAC;IAChB,YAAY,EAAE,mBAAmB,EAAE,CAAC;IACpC,eAAe,EAAE,mBAAmB,EAAE,CAAC;IACvC,kBAAkB,EAAE,MAAM,CAAC;IAC3B,+BAA+B,EAAE,MAAM,CAAC;IACxC,cAAc,EAAE,MAAM,CAAC;IACvB,2BAA2B,EAAE,MAAM,CAAC;IACpC,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,sBAAsB,EAAE,MAAM,EAAE,CAAC;CAClC;AAED,qBAAa,mBAAoB,SAAQ,KAAK;IAC5C,QAAQ,CAAC,IAAI,sBAAsB;IACnC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,MAAM,EAAE,oBAAoB,CAAC;IACtC,QAAQ,CAAC,KAAK,CAAC,EAAE,KAAK,CAAC;gBAGrB,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,oBAAoB,EAC5B,KAAK,CAAC,EAAE,KAAK;CAQhB;AAwCD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAoCG;AACH,qBAAa,aAAa;IACxB,OAAO,CAAC,EAAE,CAAoB;IAC9B,OAAO,CAAC,WAAW,CAAc;IACjC,OAAO,CAAC,OAAO,CAAmB;IAClC,OAAO,CAAC,UAAU,CAAsB;IACxC,OAAO,CAAC,SAAS,CAA2B;IAC5C,OAAO,CAAC,YAAY,CAAU;IAC9B,OAAO,CAAC,SAAS,CAAS;IAC1B,OAAO,CAAC,QAAQ,CAAS;IAEzB,OAAO;IAoBP;;OAEG;WACU,MAAM,CAAC,OAAO,EAAE,oBAAoB,GAAG,OAAO,CAAC,aAAa,CAAC;IAqC1E;;OAEG;IACG,KAAK,CACT,IAAI,EAAE,MAAM,EACZ,KAAK,EAAE,MAAM,EACb,OAAO,GAAE,kBAAuB,GAC/B,OAAO,CAAC,MAAM,CAAC;IAqFlB;;;;;OAKG;IACG,cAAc,CAClB,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,MAAM,EACZ,KAAK,EAAE,MAAM,EACb,OAAO,GAAE,kBAAuB,GAC/B,OAAO,CAAC,MAAM,CAAC;IAIlB;;OAEG;IACG,QAAQ,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,CAAC;IA+EtD;;OAEG;IACG,iBAAiB,CACrB,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,MAAM,GACX,OAAO,CAAC,eAAe,CAAC;IAI3B;;OAEG;IACG,4BAA4B,CAChC,QAAQ,EAAE,MAAM,EAChB,OAAO,GAAE,mCAAwC,GAChD,OAAO,CAAC,oBAAoB,CAAC;IAyPhC;;OAEG;IACG,mCAAmC,CACvC,OAAO,GAAE,mCAAwC,GAChD,OAAO,CAAC,oBAAoB,CAAC;IAIhC;;;;;OAKG;IACG,0BAA0B,CAC9B,QAAQ,EAAE,MAAM,EAChB,OAAO,GAAE,iCAAsC,GAC9C,OAAO,CAAC,0BAA0B,CAAC;IAgGtC;;OAEG;IACG,IAAI,CAAC,OAAO,GAAE;QAAE,QAAQ,CAAC,EAAE,MAAM,CAAA;KAAO,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;IAOlE;;OAEG;IACG,MAAM,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAsB5C;;OAEG;IACG,OAAO,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAgB7C;;OAEG;IACG,MAAM,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAgB5C;;;;;;;;OAQG;IACG,SAAS,IAAI,OAAO,CAAC,IAAI,CAAC;IAkBhC;;;;;OAKG;IACG,YAAY,IAAI,OAAO,CAAC;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC;IA8ClE;;OAEG;IACG,YAAY,CAChB,OAAO,GAAE;QAAE,UAAU,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAO,GACpD,OAAO,CAAC,cAAc,EAAE,CAAC;IAU5B;;OAEG;IACG,aAAa,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;IAIxC;;OAEG;IACG,MAAM,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;YAQ9B,gCAAgC;YA0BhC,2BAA2B;YAiB3B,8BAA8B;IAU5C,OAAO,CAAC,4BAA4B;IA0BpC,OAAO,CAAC,eAAe;IAsBvB,OAAO,CAAC,wBAAwB;IAQhC,OAAO,CAAC,+BAA+B;YAuBzB,eAAe;YAqBf,6BAA6B;IAyB3C,OAAO,CAAC,cAAc;YAYR,wBAAwB;IAqCtC,OAAO,CAAC,8BAA8B;IAgBtC,OAAO,CAAC,kBAAkB;IAK1B,OAAO,CAAC,OAAO;IAIf,OAAO,CAAC,gBAAgB;YAKV,KAAK;IA8BnB,OAAO,CAAC,iBAAiB;CAS1B"}

package/dist/services/SecretService.js

@@ -0,0 +1,9 @@
+import "../chunks/TenantKey-DzglnpAV.js";
+import { b, c } from "../chunks/SecretService-C91H6WJK.js";
+import "@happyvertical/secrets";
+import "@happyvertical/smrt-tenancy";
+export {
+  b as SecretKeyDriftError,
+  c as SecretService
+};
+//# sourceMappingURL=SecretService.js.map

package/dist/services/SecretService.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"SecretService.js","sources":[],"sourcesContent":[],"names":[],"mappings":";;;;"}