@happyvertical/smrt-secrets 0.35.0 → 0.35.1

package/dist/chunks/TenantKey-DzglnpAV.js.map

@@ -1 +1 @@
-{"version":3,"file":"TenantKey-DzglnpAV.js","sources":["../../src/__smrt-register__.ts","../../src/models/SecretAuditLog.ts","../../src/models/Secret.ts","../../src/models/TenantKey.ts"],"sourcesContent":["/**\n * Self-registers this package's build-time manifest before any @smrt() decorator\n * in the package fires. Fixes issue #1132: in consumer runtimes (tsx, SvelteKit\n * SSR, plain `vite dev`) the decorator's synchronous manifest lookup previously\n * missed because no step populated the global manifest cache — classes got\n * registered with zero fields and `save()` / `toJSON()` silently dropped every\n * declared property.\n *\n * Import this module as the first statement in `src/index.ts` so its top-level\n * side effect runs ahead of any class module's @smrt() decorator.\n *\n * Silent no-op in dev/test, where the vitest plugin already populates manifests\n * via a different path. Only needs to succeed in the published dist output.\n *\n * @see https://github.com/happyvertical/smrt/issues/1132\n */\nimport { ObjectRegistry } from '@happyvertical/smrt-core';\n\n// `new URL('./manifest.json', import.meta.url)` resolves at runtime to the\n// manifest sitting next to this module's compiled output. Vite warns at build\n// time that it cannot pre-resolve the URL; that is the intended behavior —\n// the URL must resolve to dist/manifest.json at runtime, not be inlined.\nObjectRegistry.registerPackageManifest(\n  new URL('./manifest.json', import.meta.url),\n);\n","/**\n * SecretAuditLog model - Audit trail for secret operations\n * @packageDocumentation\n */\n\nimport type { SmrtCreateInput } from '@happyvertical/smrt-core';\nimport {\n  crossPackageRef,\n  foreignKey,\n  SmrtObject,\n  smrt,\n} from '@happyvertical/smrt-core';\n\n/**\n * Secret audit action types\n */\nexport type SecretAuditAction =\n  | 'create'\n  | 'read'\n  | 'update'\n  | 'delete'\n  | 'rotate_key'\n  | 'disable'\n  | 'enable'\n  | 'expire';\n\n/**\n * Audit result types\n */\nexport type SecretAuditResult = 'success' | 'failure' | 'denied';\n\n/**\n * SecretAuditLog records all operations on secrets for compliance\n * and security monitoring.\n *\n * Every secret operation (create, read, update, delete, key rotation)\n * is logged with the user, action, result, and relevant details.\n *\n * **Retention**: Audit logs should be retained according to your\n * compliance requirements (typically 1-7 years).\n *\n * @example\n * ```typescript\n * // Query recent audit logs\n * const logs = await auditLogs.list({\n *   where: { tenantId: 'tenant-123' },\n *   orderBy: 'created_at DESC',\n *   limit: 100\n * });\n *\n * // Filter by action\n * const reads = await auditLogs.list({\n *   where: {\n *     tenantId: 'tenant-123',\n *     action: 'read'\n *   }\n * });\n *\n * // Filter by secret name\n * const apiKeyLogs = await auditLogs.list({\n *   where: {\n *     tenantId: 'tenant-123',\n *     secretName: 'stripe-api-key'\n *   }\n * });\n * ```\n */\n// Intentional exception to standards.md §7 (`@TenantScoped({ mode: 'optional' })`):\n// `SecretAuditLog` uses the inline `tenantScoped: true` form on `@smrt()` rather than\n// the dedicated `@TenantScoped` decorator. Audit-trail queries are read-mostly and run\n// in mixed contexts — under a tenant for tenant-scoped reports, and (prospectively)\n// under super-admin bypass for compliance review. Cross-tenant audit queries should\n// be wrapped in `withSuperAdminBypass()` from `@happyvertical/smrt-tenancy` at the\n// call site; this package has no such call sites today, so the pattern is\n// prescriptive guidance for compliance tooling rather than current practice. See\n// `packages/secrets/CLAUDE.md` \"Known exceptions to monorepo standards\" for context.\n@smrt({\n  tenantScoped: true,\n  api: { include: [] }, // No API exposure\n  mcp: { include: [] }, // No MCP exposure\n  // CLI runs in-process for compliance review; HTTP exposure is intentionally\n  // excluded, so skipApiCheck acknowledges the cli.include / api.include divergence.\n  cli: { include: ['list'], skipApiCheck: true },\n})\nexport class SecretAuditLog extends SmrtObject {\n  /**\n   * Tenant associated with the audited secret operation.\n   */\n  tenantId: string | null = null;\n\n  /**\n   * ID of the secret (may be null for deleted secrets)\n   */\n  @foreignKey('Secret')\n  secretId: string | null = null;\n\n  /**\n   * Name of the secret at the time of the operation\n   */\n  secretName: string = '';\n\n  /**\n   * ID of the user who performed the action\n   */\n  @crossPackageRef('@happyvertical/smrt-users:User')\n  userId: string = '';\n\n  /**\n   * The action that was performed\n   */\n  action: SecretAuditAction = 'read';\n\n  /**\n   * Result of the operation\n   */\n  result: SecretAuditResult = 'success';\n\n  /**\n   * IP address of the client (if available)\n   */\n  ipAddress: string = '';\n\n  /**\n   * User agent string (if available)\n   */\n  userAgent: string = '';\n\n  /**\n   * Additional context about the operation\n   */\n  details: Record<string, unknown> = {};\n\n  constructor(options: any = {}) {\n    super(options);\n    if (options.tenantId !== undefined) {\n      this.tenantId = options.tenantId;\n    }\n    if (options.secretId !== undefined) this.secretId = options.secretId;\n    if (options.secretName !== undefined) this.secretName = options.secretName;\n    if (options.userId !== undefined) this.userId = options.userId;\n    if (options.action !== undefined) this.action = options.action;\n    if (options.result !== undefined) this.result = options.result;\n    if (options.ipAddress !== undefined) this.ipAddress = options.ipAddress;\n    if (options.userAgent !== undefined) this.userAgent = options.userAgent;\n    if (options.details !== undefined) this.details = options.details;\n  }\n\n  /**\n   * Check if this was a successful operation\n   */\n  isSuccess(): boolean {\n    return this.result === 'success';\n  }\n\n  /**\n   * Check if this was a failed operation\n   */\n  isFailure(): boolean {\n    return this.result === 'failure';\n  }\n\n  /**\n   * Check if this was a denied operation (permission denied)\n   */\n  isDenied(): boolean {\n    return this.result === 'denied';\n  }\n\n  /**\n   * Check if this is a read operation\n   */\n  isReadAction(): boolean {\n    return this.action === 'read';\n  }\n\n  /**\n   * Check if this is a write operation (create, update, delete)\n   */\n  isWriteAction(): boolean {\n    return ['create', 'update', 'delete'].includes(this.action);\n  }\n\n  /**\n   * Check if this is a key operation\n   */\n  isKeyOperation(): boolean {\n    return this.action === 'rotate_key';\n  }\n}\n\n/**\n * Create an audit log entry for a secret operation\n */\nexport function createAuditEntry(params: {\n  secretId?: string | null;\n  secretName: string;\n  tenantId?: string | null;\n  userId: string;\n  action: SecretAuditAction;\n  result: SecretAuditResult;\n  ipAddress?: string;\n  userAgent?: string;\n  details?: Record<string, unknown>;\n}): SmrtCreateInput<SecretAuditLog> {\n  const tenantId =\n    params.tenantId === undefined || params.tenantId === 'system'\n      ? null\n      : params.tenantId;\n\n  const entry: SmrtCreateInput<SecretAuditLog> = {\n    secretId: params.secretId ?? null,\n    secretName: params.secretName,\n    userId: params.userId,\n    action: params.action,\n    result: params.result,\n    ipAddress: params.ipAddress ?? '',\n    userAgent: params.userAgent ?? '',\n    details: params.details ?? {},\n    tenantId,\n  };\n  return entry;\n}\n","/**\n * Secret model - Tenant-scoped encrypted secrets storage\n * @packageDocumentation\n */\n\nimport { SmrtObject, smrt } from '@happyvertical/smrt-core';\n\n/**\n * Secret status values\n */\nexport type SecretStatus = 'active' | 'disabled' | 'expired';\n\n/**\n * Secret represents an encrypted value stored per-tenant.\n *\n * Secrets are tenant-scoped and use envelope encryption:\n * - Each tenant has their own Data Encryption Key (TDEK)\n * - The TDEK is wrapped by the Application Master Key (AMK)\n * - Secret values are encrypted by the unwrapped TDEK\n *\n * **Security**: This model deliberately excludes API and MCP exposure\n * to prevent accidental secret leakage. Secrets are only accessible\n * via CLI commands or direct service calls.\n *\n * @example\n * ```typescript\n * import { SecretService } from '@happyvertical/smrt-secrets';\n *\n * const service = await SecretService.create({ db });\n *\n * await withTenant({ tenantId: 'tenant-123' }, async () => {\n *   // Store a secret\n *   await service.store('api-key', 'sk_live_xxx', { category: 'stripe' });\n *\n *   // Retrieve (auto-decrypts)\n *   const apiKey = await service.retrieve('api-key');\n * });\n * ```\n */\n// Intentional exception to standards.md §7 (`@TenantScoped({ mode: 'optional' })`):\n// `Secret` uses the inline `tenantScoped: true` form on `@smrt()` rather than the\n// dedicated `@TenantScoped` decorator from `@happyvertical/smrt-tenancy`. The boolean\n// form gives us required-mode tenant scoping without depending on the tenancy package\n// at the model layer, while `SecretService` performs manual scoping by setting\n// `context = tenantId` on each row. The `(slug, context)` upsert key derived from the\n// base `SmrtObject` fields is what gives different tenants isolated namespaces for\n// secret names — switching to the decorator without changing the upsert key would\n// surface false-positive name collisions across tenants. See\n// `packages/secrets/CLAUDE.md` \"Known exceptions to monorepo standards\" for context.\n@smrt({\n  tenantScoped: true,\n  // NO API or MCP exposure for security\n  api: { include: [] },\n  mcp: { include: [] },\n  // CLI runs in-process; secrets must never be reachable over HTTP, so\n  // skipApiCheck acknowledges the cli.include / api.include divergence.\n  cli: { include: ['list'], skipApiCheck: true }, // Only list names, not values\n})\nexport class Secret extends SmrtObject {\n  /**\n   * Tenant that owns this secret. Also stored in context for per-tenant name uniqueness.\n   */\n  tenantId: string = '';\n\n  /**\n   * Unique name for the secret within the tenant\n   */\n  name: string = '';\n\n  /**\n   * Human-readable description\n   */\n  description: string = '';\n\n  /**\n   * Category for organization (e.g., 'database', 'api-key', 'oauth')\n   */\n  category: string = '';\n\n  /**\n   * JSON-encoded EncryptedEnvelope from @happyvertical/secrets\n   */\n  encryptedValue: string = '';\n\n  /**\n   * Version of the tenant key used to encrypt this secret\n   */\n  keyVersion: number = 1;\n\n  /**\n   * Current status of the secret\n   */\n  status: SecretStatus = 'active';\n\n  /**\n   * Optional expiration date\n   */\n  expiresAt: Date | null = null;\n\n  /**\n   * Last time this secret was accessed (decrypted)\n   */\n  lastAccessedAt: Date | null = null;\n\n  /**\n   * Number of times this secret has been accessed\n   */\n  accessCount: number = 0;\n\n  /**\n   * Additional metadata stored with the secret\n   */\n  metadata: Record<string, unknown> = {};\n\n  constructor(options: any = {}) {\n    super(options);\n    if (options.tenantId !== undefined) this.tenantId = options.tenantId;\n    if (options.name !== undefined) this.name = options.name;\n    if (options.description !== undefined)\n      this.description = options.description;\n    if (options.category !== undefined) this.category = options.category;\n    if (options.encryptedValue !== undefined)\n      this.encryptedValue = options.encryptedValue;\n    if (options.keyVersion !== undefined) this.keyVersion = options.keyVersion;\n    if (options.status !== undefined) this.status = options.status;\n    if (options.expiresAt !== undefined) {\n      this.expiresAt =\n        options.expiresAt instanceof Date\n          ? options.expiresAt\n          : options.expiresAt\n            ? new Date(options.expiresAt)\n            : null;\n    }\n    if (options.lastAccessedAt !== undefined) {\n      this.lastAccessedAt =\n        options.lastAccessedAt instanceof Date\n          ? options.lastAccessedAt\n          : options.lastAccessedAt\n            ? new Date(options.lastAccessedAt)\n            : null;\n    }\n    if (options.accessCount !== undefined)\n      this.accessCount = options.accessCount;\n    if (options.metadata !== undefined) this.metadata = options.metadata;\n  }\n\n  /**\n   * Check if the secret is currently active\n   */\n  isActive(): boolean {\n    return this.status === 'active';\n  }\n\n  /**\n   * Check if the secret has expired\n   */\n  isExpired(): boolean {\n    if (!this.expiresAt) return false;\n    return new Date() >= this.expiresAt;\n  }\n\n  /**\n   * Check if the secret can be used (active and not expired)\n   */\n  isUsable(): boolean {\n    return this.isActive() && !this.isExpired();\n  }\n\n  /**\n   * Record an access to this secret\n   */\n  recordAccess(): void {\n    this.lastAccessedAt = new Date();\n    this.accessCount += 1;\n  }\n\n  /**\n   * Disable the secret\n   */\n  disable(): void {\n    this.status = 'disabled';\n  }\n\n  /**\n   * Enable the secret\n   */\n  enable(): void {\n    this.status = 'active';\n  }\n}\n","/**\n * TenantKey model - Tracks per-tenant Data Encryption Keys (TDEKs)\n * @packageDocumentation\n */\n\nimport { SmrtObject, smrt } from '@happyvertical/smrt-core';\n\n/**\n * Key status values\n */\nexport type TenantKeyStatus = 'active' | 'rotating' | 'retired' | 'compromised';\n\n/**\n * TenantKey tracks the per-tenant Data Encryption Keys (TDEKs).\n *\n * Each tenant has one or more TDEKs stored in wrapped form. The wrapped key\n * can only be decrypted using the Application Master Key (AMK).\n *\n * **Key Lifecycle**:\n * 1. `active` - Current key used for encryption\n * 2. `rotating` - Transitional state during rotation\n * 3. `retired` - Old key kept for decryption of existing secrets\n * 4. `compromised` - Key marked as compromised, should not be used\n *\n * **Note**: This model is NOT tenant-scoped itself because it tracks\n * keys FOR tenants, not secrets owned BY tenants.\n *\n * @example\n * ```typescript\n * // Get active key for a tenant\n * const key = await tenantKeys.get({\n *   tenantId: 'tenant-123',\n *   status: 'active'\n * });\n *\n * // List all key versions for a tenant\n * const versions = await tenantKeys.list({\n *   where: { tenantId: 'tenant-123' },\n *   orderBy: 'version DESC'\n * });\n * ```\n */\n// Intentional exception to standards.md §7 (`@TenantScoped({ mode: 'optional' })`):\n// `TenantKey` is deliberately NOT tenant-scoped — neither via the decorator nor via\n// `tenantScoped: true` on `@smrt()`. The row carries a `tenantId` column because each\n// TDEK belongs to a tenant, but the model itself must remain queryable across tenants\n// (e.g. cross-tenant key-rotation tooling, AMK rewrap jobs, super-admin auditing).\n// Adding the tenancy interceptor here would silently filter out keys the rotation\n// service needs to inspect. See `packages/secrets/CLAUDE.md` \"Known exceptions to\n// monorepo standards\" for the full rationale.\n@smrt({\n  // NOT tenant-scoped - this model tracks keys FOR tenants\n  api: { include: [] }, // No API exposure\n  mcp: { include: [] }, // No MCP exposure\n  // CLI runs in-process for key-rotation tooling and audit; HTTP exposure is\n  // intentionally excluded, so skipApiCheck acknowledges the divergence.\n  cli: { include: ['list', 'get'], skipApiCheck: true },\n})\nexport class TenantKey extends SmrtObject {\n  /**\n   * Tenant ID this key belongs to\n   */\n  tenantId: string = '';\n\n  /**\n   * Wrapped key data (format: wrappedKey:iv:authTag)\n   */\n  wrappedKey: string = '';\n\n  /**\n   * ID of the AMK used to wrap this key\n   */\n  amkKeyId: string = '';\n\n  /**\n   * Current status of the key\n   */\n  status: TenantKeyStatus = 'active';\n\n  /**\n   * Version number (increments on rotation)\n   */\n  version: number = 1;\n\n  /**\n   * Recommended rotation date\n   */\n  rotateAfter: Date | null = null;\n\n  /**\n   * When the key was retired (if applicable)\n   */\n  retiredAt: Date | null = null;\n\n  constructor(options: any = {}) {\n    super(options);\n    if (options.tenantId !== undefined) this.tenantId = options.tenantId;\n    if (options.wrappedKey !== undefined) this.wrappedKey = options.wrappedKey;\n    if (options.amkKeyId !== undefined) this.amkKeyId = options.amkKeyId;\n    if (options.status !== undefined) this.status = options.status;\n    if (options.version !== undefined) this.version = options.version;\n    if (options.rotateAfter !== undefined) {\n      this.rotateAfter =\n        options.rotateAfter instanceof Date\n          ? options.rotateAfter\n          : options.rotateAfter\n            ? new Date(options.rotateAfter)\n            : null;\n    }\n    if (options.retiredAt !== undefined) {\n      this.retiredAt =\n        options.retiredAt instanceof Date\n          ? options.retiredAt\n          : options.retiredAt\n            ? new Date(options.retiredAt)\n            : null;\n    }\n  }\n\n  /**\n   * Check if this key is currently active\n   */\n  isActive(): boolean {\n    return this.status === 'active';\n  }\n\n  /**\n   * Check if this key needs rotation\n   */\n  needsRotation(): boolean {\n    if (!this.rotateAfter) return false;\n    return new Date() >= this.rotateAfter;\n  }\n\n  /**\n   * Check if this key is retired\n   */\n  isRetired(): boolean {\n    return this.status === 'retired';\n  }\n\n  /**\n   * Check if this key is compromised\n   */\n  isCompromised(): boolean {\n    return this.status === 'compromised';\n  }\n\n  /**\n   * Check if this key can be used for decryption\n   * (active or retired keys can decrypt)\n   */\n  canDecrypt(): boolean {\n    return this.status === 'active' || this.status === 'retired';\n  }\n\n  /**\n   * Check if this key can be used for encryption\n   * (only active keys should encrypt)\n   */\n  canEncrypt(): boolean {\n    return this.status === 'active';\n  }\n\n  /**\n   * Mark this key as retired\n   */\n  retire(): void {\n    this.status = 'retired';\n    this.retiredAt = new Date();\n  }\n\n  /**\n   * Mark this key as compromised\n   */\n  markCompromised(): void {\n    this.status = 'compromised';\n  }\n}\n"],"names":["__decorateClass"],"mappings":";AAsBA,eAAe;AAAA,EACb,IAAA,IAAA,mBAAA,YAAA,GAAA;AACF;;;;;;;;;;;AC4DO,IAAM,iBAAN,cAA6B,WAAW;AAAA;AAAA;AAAA;AAAA,EAI7C,WAA0B;AAAA,EAM1B,WAA0B;AAAA;AAAA;AAAA;AAAA,EAK1B,aAAqB;AAAA,EAMrB,SAAiB;AAAA;AAAA;AAAA;AAAA,EAKjB,SAA4B;AAAA;AAAA;AAAA;AAAA,EAK5B,SAA4B;AAAA;AAAA;AAAA;AAAA,EAK5B,YAAoB;AAAA;AAAA;AAAA;AAAA,EAKpB,YAAoB;AAAA;AAAA;AAAA;AAAA,EAKpB,UAAmC,CAAA;AAAA,EAEnC,YAAY,UAAe,IAAI;AAC7B,UAAM,OAAO;AACb,QAAI,QAAQ,aAAa,QAAW;AAClC,WAAK,WAAW,QAAQ;AAAA,IAC1B;AACA,QAAI,QAAQ,aAAa,OAAW,MAAK,WAAW,QAAQ;AAC5D,QAAI,QAAQ,eAAe,OAAW,MAAK,aAAa,QAAQ;AAChE,QAAI,QAAQ,WAAW,OAAW,MAAK,SAAS,QAAQ;AACxD,QAAI,QAAQ,WAAW,OAAW,MAAK,SAAS,QAAQ;AACxD,QAAI,QAAQ,WAAW,OAAW,MAAK,SAAS,QAAQ;AACxD,QAAI,QAAQ,cAAc,OAAW,MAAK,YAAY,QAAQ;AAC9D,QAAI,QAAQ,cAAc,OAAW,MAAK,YAAY,QAAQ;AAC9D,QAAI,QAAQ,YAAY,OAAW,MAAK,UAAU,QAAQ;AAAA,EAC5D;AAAA;AAAA;AAAA;AAAA,EAKA,YAAqB;AACnB,WAAO,KAAK,WAAW;AAAA,EACzB;AAAA;AAAA;AAAA;AAAA,EAKA,YAAqB;AACnB,WAAO,KAAK,WAAW;AAAA,EACzB;AAAA;AAAA;AAAA;AAAA,EAKA,WAAoB;AAClB,WAAO,KAAK,WAAW;AAAA,EACzB;AAAA;AAAA;AAAA;AAAA,EAKA,eAAwB;AACtB,WAAO,KAAK,WAAW;AAAA,EACzB;AAAA;AAAA;AAAA;AAAA,EAKA,gBAAyB;AACvB,WAAO,CAAC,UAAU,UAAU,QAAQ,EAAE,SAAS,KAAK,MAAM;AAAA,EAC5D;AAAA;AAAA;AAAA;AAAA,EAKA,iBAA0B;AACxB,WAAO,KAAK,WAAW;AAAA,EACzB;AACF;AA9FEA,kBAAA;AAAA,EADC,WAAW,QAAQ;AAAA,GATT,eAUX,WAAA,YAAA,CAAA;AAWAA,kBAAA;AAAA,EADC,gBAAgB,gCAAgC;AAAA,GApBtC,eAqBX,WAAA,UAAA,CAAA;AArBW,iBAANA,kBAAA;AAAA,EARN,KAAK;AAAA,IACJ,cAAc;AAAA,IACd,KAAK,EAAE,SAAS,GAAC;AAAA;AAAA,IACjB,KAAK,EAAE,SAAS,GAAC;AAAA;AAAA;AAAA;AAAA,IAGjB,KAAK,EAAE,SAAS,CAAC,MAAM,GAAG,cAAc,KAAA;AAAA,EAAK,CAC9C;AAAA,GACY,cAAA;AA6GN,SAAS,iBAAiB,QAUG;AAClC,QAAM,WACJ,OAAO,aAAa,UAAa,OAAO,aAAa,WACjD,OACA,OAAO;AAEb,QAAM,QAAyC;AAAA,IAC7C,UAAU,OAAO,YAAY;AAAA,IAC7B,YAAY,OAAO;AAAA,IACnB,QAAQ,OAAO;AAAA,IACf,QAAQ,OAAO;AAAA,IACf,QAAQ,OAAO;AAAA,IACf,WAAW,OAAO,aAAa;AAAA,IAC/B,WAAW,OAAO,aAAa;AAAA,IAC/B,SAAS,OAAO,WAAW,CAAA;AAAA,IAC3B;AAAA,EAAA;AAEF,SAAO;AACT;;;;;;;;;ACnKO,IAAM,SAAN,cAAqB,WAAW;AAAA;AAAA;AAAA;AAAA,EAIrC,WAAmB;AAAA;AAAA;AAAA;AAAA,EAKnB,OAAe;AAAA;AAAA;AAAA;AAAA,EAKf,cAAsB;AAAA;AAAA;AAAA;AAAA,EAKtB,WAAmB;AAAA;AAAA;AAAA;AAAA,EAKnB,iBAAyB;AAAA;AAAA;AAAA;AAAA,EAKzB,aAAqB;AAAA;AAAA;AAAA;AAAA,EAKrB,SAAuB;AAAA;AAAA;AAAA;AAAA,EAKvB,YAAyB;AAAA;AAAA;AAAA;AAAA,EAKzB,iBAA8B;AAAA;AAAA;AAAA;AAAA,EAK9B,cAAsB;AAAA;AAAA;AAAA;AAAA,EAKtB,WAAoC,CAAA;AAAA,EAEpC,YAAY,UAAe,IAAI;AAC7B,UAAM,OAAO;AACb,QAAI,QAAQ,aAAa,OAAW,MAAK,WAAW,QAAQ;AAC5D,QAAI,QAAQ,SAAS,OAAW,MAAK,OAAO,QAAQ;AACpD,QAAI,QAAQ,gBAAgB;AAC1B,WAAK,cAAc,QAAQ;AAC7B,QAAI,QAAQ,aAAa,OAAW,MAAK,WAAW,QAAQ;AAC5D,QAAI,QAAQ,mBAAmB;AAC7B,WAAK,iBAAiB,QAAQ;AAChC,QAAI,QAAQ,eAAe,OAAW,MAAK,aAAa,QAAQ;AAChE,QAAI,QAAQ,WAAW,OAAW,MAAK,SAAS,QAAQ;AACxD,QAAI,QAAQ,cAAc,QAAW;AACnC,WAAK,YACH,QAAQ,qBAAqB,OACzB,QAAQ,YACR,QAAQ,YACN,IAAI,KAAK,QAAQ,SAAS,IAC1B;AAAA,IACV;AACA,QAAI,QAAQ,mBAAmB,QAAW;AACxC,WAAK,iBACH,QAAQ,0BAA0B,OAC9B,QAAQ,iBACR,QAAQ,iBACN,IAAI,KAAK,QAAQ,cAAc,IAC/B;AAAA,IACV;AACA,QAAI,QAAQ,gBAAgB;AAC1B,WAAK,cAAc,QAAQ;AAC7B,QAAI,QAAQ,aAAa,OAAW,MAAK,WAAW,QAAQ;AAAA,EAC9D;AAAA;AAAA;AAAA;AAAA,EAKA,WAAoB;AAClB,WAAO,KAAK,WAAW;AAAA,EACzB;AAAA;AAAA;AAAA;AAAA,EAKA,YAAqB;AACnB,QAAI,CAAC,KAAK,UAAW,QAAO;AAC5B,WAAO,oBAAI,UAAU,KAAK;AAAA,EAC5B;AAAA;AAAA;AAAA;AAAA,EAKA,WAAoB;AAClB,WAAO,KAAK,SAAA,KAAc,CAAC,KAAK,UAAA;AAAA,EAClC;AAAA;AAAA;AAAA;AAAA,EAKA,eAAqB;AACnB,SAAK,qCAAqB,KAAA;AAC1B,SAAK,eAAe;AAAA,EACtB;AAAA;AAAA;AAAA;AAAA,EAKA,UAAgB;AACd,SAAK,SAAS;AAAA,EAChB;AAAA;AAAA;AAAA;AAAA,EAKA,SAAe;AACb,SAAK,SAAS;AAAA,EAChB;AACF;AAnIa,SAANA,kBAAA;AAAA,EATN,KAAK;AAAA,IACJ,cAAc;AAAA;AAAA,IAEd,KAAK,EAAE,SAAS,GAAC;AAAA,IACjB,KAAK,EAAE,SAAS,GAAC;AAAA;AAAA;AAAA,IAGjB,KAAK,EAAE,SAAS,CAAC,MAAM,GAAG,cAAc,KAAA;AAAA;AAAA,EAAK,CAC9C;AAAA,GACY,MAAA;;;;;;;;;ACAN,IAAM,YAAN,cAAwB,WAAW;AAAA;AAAA;AAAA;AAAA,EAIxC,WAAmB;AAAA;AAAA;AAAA;AAAA,EAKnB,aAAqB;AAAA;AAAA;AAAA;AAAA,EAKrB,WAAmB;AAAA;AAAA;AAAA;AAAA,EAKnB,SAA0B;AAAA;AAAA;AAAA;AAAA,EAK1B,UAAkB;AAAA;AAAA;AAAA;AAAA,EAKlB,cAA2B;AAAA;AAAA;AAAA;AAAA,EAK3B,YAAyB;AAAA,EAEzB,YAAY,UAAe,IAAI;AAC7B,UAAM,OAAO;AACb,QAAI,QAAQ,aAAa,OAAW,MAAK,WAAW,QAAQ;AAC5D,QAAI,QAAQ,eAAe,OAAW,MAAK,aAAa,QAAQ;AAChE,QAAI,QAAQ,aAAa,OAAW,MAAK,WAAW,QAAQ;AAC5D,QAAI,QAAQ,WAAW,OAAW,MAAK,SAAS,QAAQ;AACxD,QAAI,QAAQ,YAAY,OAAW,MAAK,UAAU,QAAQ;AAC1D,QAAI,QAAQ,gBAAgB,QAAW;AACrC,WAAK,cACH,QAAQ,uBAAuB,OAC3B,QAAQ,cACR,QAAQ,cACN,IAAI,KAAK,QAAQ,WAAW,IAC5B;AAAA,IACV;AACA,QAAI,QAAQ,cAAc,QAAW;AACnC,WAAK,YACH,QAAQ,qBAAqB,OACzB,QAAQ,YACR,QAAQ,YACN,IAAI,KAAK,QAAQ,SAAS,IAC1B;AAAA,IACV;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,WAAoB;AAClB,WAAO,KAAK,WAAW;AAAA,EACzB;AAAA;AAAA;AAAA;AAAA,EAKA,gBAAyB;AACvB,QAAI,CAAC,KAAK,YAAa,QAAO;AAC9B,WAAO,oBAAI,UAAU,KAAK;AAAA,EAC5B;AAAA;AAAA;AAAA;AAAA,EAKA,YAAqB;AACnB,WAAO,KAAK,WAAW;AAAA,EACzB;AAAA;AAAA;AAAA;AAAA,EAKA,gBAAyB;AACvB,WAAO,KAAK,WAAW;AAAA,EACzB;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,aAAsB;AACpB,WAAO,KAAK,WAAW,YAAY,KAAK,WAAW;AAAA,EACrD;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,aAAsB;AACpB,WAAO,KAAK,WAAW;AAAA,EACzB;AAAA;AAAA;AAAA;AAAA,EAKA,SAAe;AACb,SAAK,SAAS;AACd,SAAK,gCAAgB,KAAA;AAAA,EACvB;AAAA;AAAA;AAAA;AAAA,EAKA,kBAAwB;AACtB,SAAK,SAAS;AAAA,EAChB;AACF;AAxHa,YAAN,gBAAA;AAAA,EARN,KAAK;AAAA;AAAA,IAEJ,KAAK,EAAE,SAAS,GAAC;AAAA;AAAA,IACjB,KAAK,EAAE,SAAS,GAAC;AAAA;AAAA;AAAA;AAAA,IAGjB,KAAK,EAAE,SAAS,CAAC,QAAQ,KAAK,GAAG,cAAc,KAAA;AAAA,EAAK,CACrD;AAAA,GACY,SAAA;"}
+{"version":3,"file":"TenantKey-DzglnpAV.js","sources":["../../src/__smrt-register__.ts","../../src/models/SecretAuditLog.ts","../../src/models/Secret.ts","../../src/models/TenantKey.ts"],"sourcesContent":["/**\n * Self-registers this package's build-time manifest before any @smrt() decorator\n * in the package fires. Fixes issue #1132: in consumer runtimes (tsx, SvelteKit\n * SSR, plain `vite dev`) the decorator's synchronous manifest lookup previously\n * missed because no step populated the global manifest cache — classes got\n * registered with zero fields and `save()` / `toJSON()` silently dropped every\n * declared property.\n *\n * Import this module as the first statement in `src/index.ts` so its top-level\n * side effect runs ahead of any class module's @smrt() decorator.\n *\n * Silent no-op in dev/test, where the vitest plugin already populates manifests\n * via a different path. Only needs to succeed in the published dist output.\n *\n * @see https://github.com/happyvertical/smrt/issues/1132\n */\nimport { ObjectRegistry } from '@happyvertical/smrt-core';\n\n// `new URL('./manifest.json', import.meta.url)` resolves at runtime to the\n// manifest sitting next to this module's compiled output. Vite warns at build\n// time that it cannot pre-resolve the URL; that is the intended behavior —\n// the URL must resolve to dist/manifest.json at runtime, not be inlined.\nObjectRegistry.registerPackageManifest(\n  new URL('./manifest.json', import.meta.url),\n);\n","/**\n * SecretAuditLog model - Audit trail for secret operations\n * @packageDocumentation\n */\n\nimport type {\n  SmrtCreateInput,\n  SmrtObjectOptions,\n} from '@happyvertical/smrt-core';\nimport {\n  crossPackageRef,\n  foreignKey,\n  SmrtObject,\n  smrt,\n} from '@happyvertical/smrt-core';\n\n/**\n * Secret audit action types\n */\nexport type SecretAuditAction =\n  | 'create'\n  | 'read'\n  | 'update'\n  | 'delete'\n  | 'rotate_key'\n  | 'disable'\n  | 'enable'\n  | 'expire';\n\n/**\n * Audit result types\n */\nexport type SecretAuditResult = 'success' | 'failure' | 'denied';\n\n/**\n * Constructor options for {@link SecretAuditLog}. Each field is optional and\n * mirrors a persisted column.\n */\nexport interface SecretAuditLogOptions extends SmrtObjectOptions {\n  tenantId?: string | null;\n  secretId?: string | null;\n  secretName?: string;\n  userId?: string;\n  action?: SecretAuditAction;\n  result?: SecretAuditResult;\n  ipAddress?: string;\n  userAgent?: string;\n  details?: Record<string, unknown>;\n}\n\n/**\n * SecretAuditLog records all operations on secrets for compliance\n * and security monitoring.\n *\n * Every secret operation (create, read, update, delete, key rotation)\n * is logged with the user, action, result, and relevant details.\n *\n * **Retention**: Audit logs should be retained according to your\n * compliance requirements (typically 1-7 years).\n *\n * @example\n * ```typescript\n * // Query recent audit logs\n * const logs = await auditLogs.list({\n *   where: { tenantId: 'tenant-123' },\n *   orderBy: 'created_at DESC',\n *   limit: 100\n * });\n *\n * // Filter by action\n * const reads = await auditLogs.list({\n *   where: {\n *     tenantId: 'tenant-123',\n *     action: 'read'\n *   }\n * });\n *\n * // Filter by secret name\n * const apiKeyLogs = await auditLogs.list({\n *   where: {\n *     tenantId: 'tenant-123',\n *     secretName: 'stripe-api-key'\n *   }\n * });\n * ```\n */\n// Intentional exception to standards.md §7 (`@TenantScoped({ mode: 'optional' })`):\n// `SecretAuditLog` uses the inline `tenantScoped: true` form on `@smrt()` rather than\n// the dedicated `@TenantScoped` decorator. Audit-trail queries are read-mostly and run\n// in mixed contexts — under a tenant for tenant-scoped reports, and (prospectively)\n// under super-admin bypass for compliance review. Cross-tenant audit queries should\n// be wrapped in `withSuperAdminBypass()` from `@happyvertical/smrt-tenancy` at the\n// call site; this package has no such call sites today, so the pattern is\n// prescriptive guidance for compliance tooling rather than current practice. See\n// `packages/secrets/CLAUDE.md` \"Known exceptions to monorepo standards\" for context.\n@smrt({\n  tenantScoped: true,\n  api: { include: [] }, // No API exposure\n  mcp: { include: [] }, // No MCP exposure\n  // CLI runs in-process for compliance review; HTTP exposure is intentionally\n  // excluded, so skipApiCheck acknowledges the cli.include / api.include divergence.\n  cli: { include: ['list'], skipApiCheck: true },\n})\nexport class SecretAuditLog extends SmrtObject {\n  /**\n   * Tenant associated with the audited secret operation.\n   */\n  tenantId: string | null = null;\n\n  /**\n   * ID of the secret (may be null for deleted secrets)\n   */\n  @foreignKey('Secret')\n  secretId: string | null = null;\n\n  /**\n   * Name of the secret at the time of the operation\n   */\n  secretName: string = '';\n\n  /**\n   * ID of the user who performed the action\n   */\n  @crossPackageRef('@happyvertical/smrt-users:User')\n  userId: string = '';\n\n  /**\n   * The action that was performed\n   */\n  action: SecretAuditAction = 'read';\n\n  /**\n   * Result of the operation\n   */\n  result: SecretAuditResult = 'success';\n\n  /**\n   * IP address of the client (if available)\n   */\n  ipAddress: string = '';\n\n  /**\n   * User agent string (if available)\n   */\n  userAgent: string = '';\n\n  /**\n   * Additional context about the operation\n   */\n  details: Record<string, unknown> = {};\n\n  constructor(options: SecretAuditLogOptions = {}) {\n    super(options);\n    if (options.tenantId !== undefined) {\n      this.tenantId = options.tenantId;\n    }\n    if (options.secretId !== undefined) this.secretId = options.secretId;\n    if (options.secretName !== undefined) this.secretName = options.secretName;\n    if (options.userId !== undefined) this.userId = options.userId;\n    if (options.action !== undefined) this.action = options.action;\n    if (options.result !== undefined) this.result = options.result;\n    if (options.ipAddress !== undefined) this.ipAddress = options.ipAddress;\n    if (options.userAgent !== undefined) this.userAgent = options.userAgent;\n    if (options.details !== undefined) this.details = options.details;\n  }\n\n  /**\n   * Check if this was a successful operation\n   */\n  isSuccess(): boolean {\n    return this.result === 'success';\n  }\n\n  /**\n   * Check if this was a failed operation\n   */\n  isFailure(): boolean {\n    return this.result === 'failure';\n  }\n\n  /**\n   * Check if this was a denied operation (permission denied)\n   */\n  isDenied(): boolean {\n    return this.result === 'denied';\n  }\n\n  /**\n   * Check if this is a read operation\n   */\n  isReadAction(): boolean {\n    return this.action === 'read';\n  }\n\n  /**\n   * Check if this is a write operation (create, update, delete)\n   */\n  isWriteAction(): boolean {\n    return ['create', 'update', 'delete'].includes(this.action);\n  }\n\n  /**\n   * Check if this is a key operation\n   */\n  isKeyOperation(): boolean {\n    return this.action === 'rotate_key';\n  }\n}\n\n/**\n * Create an audit log entry for a secret operation\n */\nexport function createAuditEntry(params: {\n  secretId?: string | null;\n  secretName: string;\n  tenantId?: string | null;\n  userId: string;\n  action: SecretAuditAction;\n  result: SecretAuditResult;\n  ipAddress?: string;\n  userAgent?: string;\n  details?: Record<string, unknown>;\n}): SmrtCreateInput<SecretAuditLog> {\n  const tenantId =\n    params.tenantId === undefined || params.tenantId === 'system'\n      ? null\n      : params.tenantId;\n\n  const entry: SmrtCreateInput<SecretAuditLog> = {\n    secretId: params.secretId ?? null,\n    secretName: params.secretName,\n    userId: params.userId,\n    action: params.action,\n    result: params.result,\n    ipAddress: params.ipAddress ?? '',\n    userAgent: params.userAgent ?? '',\n    details: params.details ?? {},\n    tenantId,\n  };\n  return entry;\n}\n","/**\n * Secret model - Tenant-scoped encrypted secrets storage\n * @packageDocumentation\n */\n\nimport type { SmrtObjectOptions } from '@happyvertical/smrt-core';\nimport { SmrtObject, smrt } from '@happyvertical/smrt-core';\n\n/**\n * Secret status values\n */\nexport type SecretStatus = 'active' | 'disabled' | 'expired';\n\n/**\n * Constructor options for {@link Secret}. Each field is optional and mirrors a\n * persisted column; date fields also accept the serialized forms accepted by\n * `new Date()` so hydrated rows coerce cleanly.\n */\nexport interface SecretOptions extends SmrtObjectOptions {\n  tenantId?: string;\n  name?: string;\n  description?: string;\n  category?: string;\n  encryptedValue?: string;\n  keyVersion?: number;\n  status?: SecretStatus;\n  expiresAt?: Date | string | number | null;\n  lastAccessedAt?: Date | string | number | null;\n  accessCount?: number;\n  metadata?: Record<string, unknown>;\n}\n\n/**\n * Secret represents an encrypted value stored per-tenant.\n *\n * Secrets are tenant-scoped and use envelope encryption:\n * - Each tenant has their own Data Encryption Key (TDEK)\n * - The TDEK is wrapped by the Application Master Key (AMK)\n * - Secret values are encrypted by the unwrapped TDEK\n *\n * **Security**: This model deliberately excludes API and MCP exposure\n * to prevent accidental secret leakage. Secrets are only accessible\n * via CLI commands or direct service calls.\n *\n * @example\n * ```typescript\n * import { SecretService } from '@happyvertical/smrt-secrets';\n *\n * const service = await SecretService.create({ db });\n *\n * await withTenant({ tenantId: 'tenant-123' }, async () => {\n *   // Store a secret\n *   await service.store('api-key', 'sk_live_xxx', { category: 'stripe' });\n *\n *   // Retrieve (auto-decrypts)\n *   const apiKey = await service.retrieve('api-key');\n * });\n * ```\n */\n// Intentional exception to standards.md §7 (`@TenantScoped({ mode: 'optional' })`):\n// `Secret` uses the inline `tenantScoped: true` form on `@smrt()` rather than the\n// dedicated `@TenantScoped` decorator from `@happyvertical/smrt-tenancy`. The boolean\n// form gives us required-mode tenant scoping without depending on the tenancy package\n// at the model layer, while `SecretService` performs manual scoping by setting\n// `context = tenantId` on each row. The `(slug, context)` upsert key derived from the\n// base `SmrtObject` fields is what gives different tenants isolated namespaces for\n// secret names — switching to the decorator without changing the upsert key would\n// surface false-positive name collisions across tenants. See\n// `packages/secrets/CLAUDE.md` \"Known exceptions to monorepo standards\" for context.\n@smrt({\n  tenantScoped: true,\n  // NO API or MCP exposure for security\n  api: { include: [] },\n  mcp: { include: [] },\n  // CLI runs in-process; secrets must never be reachable over HTTP, so\n  // skipApiCheck acknowledges the cli.include / api.include divergence.\n  cli: { include: ['list'], skipApiCheck: true }, // Only list names, not values\n})\nexport class Secret extends SmrtObject {\n  /**\n   * Tenant that owns this secret. Also stored in context for per-tenant name uniqueness.\n   */\n  tenantId: string = '';\n\n  /**\n   * Unique name for the secret within the tenant\n   */\n  name: string = '';\n\n  /**\n   * Human-readable description\n   */\n  description: string = '';\n\n  /**\n   * Category for organization (e.g., 'database', 'api-key', 'oauth')\n   */\n  category: string = '';\n\n  /**\n   * JSON-encoded EncryptedEnvelope from @happyvertical/secrets\n   */\n  encryptedValue: string = '';\n\n  /**\n   * Version of the tenant key used to encrypt this secret\n   */\n  keyVersion: number = 1;\n\n  /**\n   * Current status of the secret\n   */\n  status: SecretStatus = 'active';\n\n  /**\n   * Optional expiration date\n   */\n  expiresAt: Date | null = null;\n\n  /**\n   * Last time this secret was accessed (decrypted)\n   */\n  lastAccessedAt: Date | null = null;\n\n  /**\n   * Number of times this secret has been accessed\n   */\n  accessCount: number = 0;\n\n  /**\n   * Additional metadata stored with the secret\n   */\n  metadata: Record<string, unknown> = {};\n\n  constructor(options: SecretOptions = {}) {\n    super(options);\n    if (options.tenantId !== undefined) this.tenantId = options.tenantId;\n    if (options.name !== undefined) this.name = options.name;\n    if (options.description !== undefined)\n      this.description = options.description;\n    if (options.category !== undefined) this.category = options.category;\n    if (options.encryptedValue !== undefined)\n      this.encryptedValue = options.encryptedValue;\n    if (options.keyVersion !== undefined) this.keyVersion = options.keyVersion;\n    if (options.status !== undefined) this.status = options.status;\n    if (options.expiresAt !== undefined) {\n      this.expiresAt =\n        options.expiresAt instanceof Date\n          ? options.expiresAt\n          : options.expiresAt\n            ? new Date(options.expiresAt)\n            : null;\n    }\n    if (options.lastAccessedAt !== undefined) {\n      this.lastAccessedAt =\n        options.lastAccessedAt instanceof Date\n          ? options.lastAccessedAt\n          : options.lastAccessedAt\n            ? new Date(options.lastAccessedAt)\n            : null;\n    }\n    if (options.accessCount !== undefined)\n      this.accessCount = options.accessCount;\n    if (options.metadata !== undefined) this.metadata = options.metadata;\n  }\n\n  /**\n   * Check if the secret is currently active\n   */\n  isActive(): boolean {\n    return this.status === 'active';\n  }\n\n  /**\n   * Check if the secret has expired\n   */\n  isExpired(): boolean {\n    if (!this.expiresAt) return false;\n    return new Date() >= this.expiresAt;\n  }\n\n  /**\n   * Check if the secret can be used (active and not expired)\n   */\n  isUsable(): boolean {\n    return this.isActive() && !this.isExpired();\n  }\n\n  /**\n   * Record an access to this secret\n   */\n  recordAccess(): void {\n    this.lastAccessedAt = new Date();\n    this.accessCount += 1;\n  }\n\n  /**\n   * Disable the secret\n   */\n  disable(): void {\n    this.status = 'disabled';\n  }\n\n  /**\n   * Enable the secret\n   */\n  enable(): void {\n    this.status = 'active';\n  }\n}\n","/**\n * TenantKey model - Tracks per-tenant Data Encryption Keys (TDEKs)\n * @packageDocumentation\n */\n\nimport type { SmrtObjectOptions } from '@happyvertical/smrt-core';\nimport { SmrtObject, smrt } from '@happyvertical/smrt-core';\n\n/**\n * Key status values\n */\nexport type TenantKeyStatus = 'active' | 'rotating' | 'retired' | 'compromised';\n\n/**\n * Constructor options for {@link TenantKey}. Each field is optional and mirrors\n * a persisted column; date fields also accept the serialized forms accepted by\n * `new Date()` so hydrated rows coerce cleanly.\n */\nexport interface TenantKeyOptions extends SmrtObjectOptions {\n  tenantId?: string;\n  wrappedKey?: string;\n  amkKeyId?: string;\n  status?: TenantKeyStatus;\n  version?: number;\n  rotateAfter?: Date | string | number | null;\n  retiredAt?: Date | string | number | null;\n}\n\n/**\n * TenantKey tracks the per-tenant Data Encryption Keys (TDEKs).\n *\n * Each tenant has one or more TDEKs stored in wrapped form. The wrapped key\n * can only be decrypted using the Application Master Key (AMK).\n *\n * **Key Lifecycle**:\n * 1. `active` - Current key used for encryption\n * 2. `rotating` - Transitional state during rotation\n * 3. `retired` - Old key kept for decryption of existing secrets\n * 4. `compromised` - Key marked as compromised, should not be used\n *\n * **Note**: This model is NOT tenant-scoped itself because it tracks\n * keys FOR tenants, not secrets owned BY tenants.\n *\n * @example\n * ```typescript\n * // Get active key for a tenant\n * const key = await tenantKeys.get({\n *   tenantId: 'tenant-123',\n *   status: 'active'\n * });\n *\n * // List all key versions for a tenant\n * const versions = await tenantKeys.list({\n *   where: { tenantId: 'tenant-123' },\n *   orderBy: 'version DESC'\n * });\n * ```\n */\n// Intentional exception to standards.md §7 (`@TenantScoped({ mode: 'optional' })`):\n// `TenantKey` is deliberately NOT tenant-scoped — neither via the decorator nor via\n// `tenantScoped: true` on `@smrt()`. The row carries a `tenantId` column because each\n// TDEK belongs to a tenant, but the model itself must remain queryable across tenants\n// (e.g. cross-tenant key-rotation tooling, AMK rewrap jobs, super-admin auditing).\n// Adding the tenancy interceptor here would silently filter out keys the rotation\n// service needs to inspect. See `packages/secrets/CLAUDE.md` \"Known exceptions to\n// monorepo standards\" for the full rationale.\n@smrt({\n  // NOT tenant-scoped - this model tracks keys FOR tenants\n  api: { include: [] }, // No API exposure\n  mcp: { include: [] }, // No MCP exposure\n  // CLI runs in-process for key-rotation tooling and audit; HTTP exposure is\n  // intentionally excluded, so skipApiCheck acknowledges the divergence.\n  cli: { include: ['list', 'get'], skipApiCheck: true },\n})\nexport class TenantKey extends SmrtObject {\n  /**\n   * Tenant ID this key belongs to\n   */\n  tenantId: string = '';\n\n  /**\n   * Wrapped key data (format: wrappedKey:iv:authTag)\n   */\n  wrappedKey: string = '';\n\n  /**\n   * ID of the AMK used to wrap this key\n   */\n  amkKeyId: string = '';\n\n  /**\n   * Current status of the key\n   */\n  status: TenantKeyStatus = 'active';\n\n  /**\n   * Version number (increments on rotation)\n   */\n  version: number = 1;\n\n  /**\n   * Recommended rotation date\n   */\n  rotateAfter: Date | null = null;\n\n  /**\n   * When the key was retired (if applicable)\n   */\n  retiredAt: Date | null = null;\n\n  constructor(options: TenantKeyOptions = {}) {\n    super(options);\n    if (options.tenantId !== undefined) this.tenantId = options.tenantId;\n    if (options.wrappedKey !== undefined) this.wrappedKey = options.wrappedKey;\n    if (options.amkKeyId !== undefined) this.amkKeyId = options.amkKeyId;\n    if (options.status !== undefined) this.status = options.status;\n    if (options.version !== undefined) this.version = options.version;\n    if (options.rotateAfter !== undefined) {\n      this.rotateAfter =\n        options.rotateAfter instanceof Date\n          ? options.rotateAfter\n          : options.rotateAfter\n            ? new Date(options.rotateAfter)\n            : null;\n    }\n    if (options.retiredAt !== undefined) {\n      this.retiredAt =\n        options.retiredAt instanceof Date\n          ? options.retiredAt\n          : options.retiredAt\n            ? new Date(options.retiredAt)\n            : null;\n    }\n  }\n\n  /**\n   * Check if this key is currently active\n   */\n  isActive(): boolean {\n    return this.status === 'active';\n  }\n\n  /**\n   * Check if this key needs rotation\n   */\n  needsRotation(): boolean {\n    if (!this.rotateAfter) return false;\n    return new Date() >= this.rotateAfter;\n  }\n\n  /**\n   * Check if this key is retired\n   */\n  isRetired(): boolean {\n    return this.status === 'retired';\n  }\n\n  /**\n   * Check if this key is compromised\n   */\n  isCompromised(): boolean {\n    return this.status === 'compromised';\n  }\n\n  /**\n   * Check if this key can be used for decryption\n   * (active or retired keys can decrypt)\n   */\n  canDecrypt(): boolean {\n    return this.status === 'active' || this.status === 'retired';\n  }\n\n  /**\n   * Check if this key can be used for encryption\n   * (only active keys should encrypt)\n   */\n  canEncrypt(): boolean {\n    return this.status === 'active';\n  }\n\n  /**\n   * Mark this key as retired\n   */\n  retire(): void {\n    this.status = 'retired';\n    this.retiredAt = new Date();\n  }\n\n  /**\n   * Mark this key as compromised\n   */\n  markCompromised(): void {\n    this.status = 'compromised';\n  }\n}\n"],"names":["__decorateClass"],"mappings":";AAsBA,eAAe;AAAA,EACb,IAAA,IAAA,mBAAA,YAAA,GAAA;AACF;;;;;;;;;;;AC+EO,IAAM,iBAAN,cAA6B,WAAW;AAAA;AAAA;AAAA;AAAA,EAI7C,WAA0B;AAAA,EAM1B,WAA0B;AAAA;AAAA;AAAA;AAAA,EAK1B,aAAqB;AAAA,EAMrB,SAAiB;AAAA;AAAA;AAAA;AAAA,EAKjB,SAA4B;AAAA;AAAA;AAAA;AAAA,EAK5B,SAA4B;AAAA;AAAA;AAAA;AAAA,EAK5B,YAAoB;AAAA;AAAA;AAAA;AAAA,EAKpB,YAAoB;AAAA;AAAA;AAAA;AAAA,EAKpB,UAAmC,CAAA;AAAA,EAEnC,YAAY,UAAiC,IAAI;AAC/C,UAAM,OAAO;AACb,QAAI,QAAQ,aAAa,QAAW;AAClC,WAAK,WAAW,QAAQ;AAAA,IAC1B;AACA,QAAI,QAAQ,aAAa,OAAW,MAAK,WAAW,QAAQ;AAC5D,QAAI,QAAQ,eAAe,OAAW,MAAK,aAAa,QAAQ;AAChE,QAAI,QAAQ,WAAW,OAAW,MAAK,SAAS,QAAQ;AACxD,QAAI,QAAQ,WAAW,OAAW,MAAK,SAAS,QAAQ;AACxD,QAAI,QAAQ,WAAW,OAAW,MAAK,SAAS,QAAQ;AACxD,QAAI,QAAQ,cAAc,OAAW,MAAK,YAAY,QAAQ;AAC9D,QAAI,QAAQ,cAAc,OAAW,MAAK,YAAY,QAAQ;AAC9D,QAAI,QAAQ,YAAY,OAAW,MAAK,UAAU,QAAQ;AAAA,EAC5D;AAAA;AAAA;AAAA;AAAA,EAKA,YAAqB;AACnB,WAAO,KAAK,WAAW;AAAA,EACzB;AAAA;AAAA;AAAA;AAAA,EAKA,YAAqB;AACnB,WAAO,KAAK,WAAW;AAAA,EACzB;AAAA;AAAA;AAAA;AAAA,EAKA,WAAoB;AAClB,WAAO,KAAK,WAAW;AAAA,EACzB;AAAA;AAAA;AAAA;AAAA,EAKA,eAAwB;AACtB,WAAO,KAAK,WAAW;AAAA,EACzB;AAAA;AAAA;AAAA;AAAA,EAKA,gBAAyB;AACvB,WAAO,CAAC,UAAU,UAAU,QAAQ,EAAE,SAAS,KAAK,MAAM;AAAA,EAC5D;AAAA;AAAA;AAAA;AAAA,EAKA,iBAA0B;AACxB,WAAO,KAAK,WAAW;AAAA,EACzB;AACF;AA9FEA,kBAAA;AAAA,EADC,WAAW,QAAQ;AAAA,GATT,eAUX,WAAA,YAAA,CAAA;AAWAA,kBAAA;AAAA,EADC,gBAAgB,gCAAgC;AAAA,GApBtC,eAqBX,WAAA,UAAA,CAAA;AArBW,iBAANA,kBAAA;AAAA,EARN,KAAK;AAAA,IACJ,cAAc;AAAA,IACd,KAAK,EAAE,SAAS,GAAC;AAAA;AAAA,IACjB,KAAK,EAAE,SAAS,GAAC;AAAA;AAAA;AAAA;AAAA,IAGjB,KAAK,EAAE,SAAS,CAAC,MAAM,GAAG,cAAc,KAAA;AAAA,EAAK,CAC9C;AAAA,GACY,cAAA;AA6GN,SAAS,iBAAiB,QAUG;AAClC,QAAM,WACJ,OAAO,aAAa,UAAa,OAAO,aAAa,WACjD,OACA,OAAO;AAEb,QAAM,QAAyC;AAAA,IAC7C,UAAU,OAAO,YAAY;AAAA,IAC7B,YAAY,OAAO;AAAA,IACnB,QAAQ,OAAO;AAAA,IACf,QAAQ,OAAO;AAAA,IACf,QAAQ,OAAO;AAAA,IACf,WAAW,OAAO,aAAa;AAAA,IAC/B,WAAW,OAAO,aAAa;AAAA,IAC/B,SAAS,OAAO,WAAW,CAAA;AAAA,IAC3B;AAAA,EAAA;AAEF,SAAO;AACT;;;;;;;;;AClKO,IAAM,SAAN,cAAqB,WAAW;AAAA;AAAA;AAAA;AAAA,EAIrC,WAAmB;AAAA;AAAA;AAAA;AAAA,EAKnB,OAAe;AAAA;AAAA;AAAA;AAAA,EAKf,cAAsB;AAAA;AAAA;AAAA;AAAA,EAKtB,WAAmB;AAAA;AAAA;AAAA;AAAA,EAKnB,iBAAyB;AAAA;AAAA;AAAA;AAAA,EAKzB,aAAqB;AAAA;AAAA;AAAA;AAAA,EAKrB,SAAuB;AAAA;AAAA;AAAA;AAAA,EAKvB,YAAyB;AAAA;AAAA;AAAA;AAAA,EAKzB,iBAA8B;AAAA;AAAA;AAAA;AAAA,EAK9B,cAAsB;AAAA;AAAA;AAAA;AAAA,EAKtB,WAAoC,CAAA;AAAA,EAEpC,YAAY,UAAyB,IAAI;AACvC,UAAM,OAAO;AACb,QAAI,QAAQ,aAAa,OAAW,MAAK,WAAW,QAAQ;AAC5D,QAAI,QAAQ,SAAS,OAAW,MAAK,OAAO,QAAQ;AACpD,QAAI,QAAQ,gBAAgB;AAC1B,WAAK,cAAc,QAAQ;AAC7B,QAAI,QAAQ,aAAa,OAAW,MAAK,WAAW,QAAQ;AAC5D,QAAI,QAAQ,mBAAmB;AAC7B,WAAK,iBAAiB,QAAQ;AAChC,QAAI,QAAQ,eAAe,OAAW,MAAK,aAAa,QAAQ;AAChE,QAAI,QAAQ,WAAW,OAAW,MAAK,SAAS,QAAQ;AACxD,QAAI,QAAQ,cAAc,QAAW;AACnC,WAAK,YACH,QAAQ,qBAAqB,OACzB,QAAQ,YACR,QAAQ,YACN,IAAI,KAAK,QAAQ,SAAS,IAC1B;AAAA,IACV;AACA,QAAI,QAAQ,mBAAmB,QAAW;AACxC,WAAK,iBACH,QAAQ,0BAA0B,OAC9B,QAAQ,iBACR,QAAQ,iBACN,IAAI,KAAK,QAAQ,cAAc,IAC/B;AAAA,IACV;AACA,QAAI,QAAQ,gBAAgB;AAC1B,WAAK,cAAc,QAAQ;AAC7B,QAAI,QAAQ,aAAa,OAAW,MAAK,WAAW,QAAQ;AAAA,EAC9D;AAAA;AAAA;AAAA;AAAA,EAKA,WAAoB;AAClB,WAAO,KAAK,WAAW;AAAA,EACzB;AAAA;AAAA;AAAA;AAAA,EAKA,YAAqB;AACnB,QAAI,CAAC,KAAK,UAAW,QAAO;AAC5B,WAAO,oBAAI,UAAU,KAAK;AAAA,EAC5B;AAAA;AAAA;AAAA;AAAA,EAKA,WAAoB;AAClB,WAAO,KAAK,SAAA,KAAc,CAAC,KAAK,UAAA;AAAA,EAClC;AAAA;AAAA;AAAA;AAAA,EAKA,eAAqB;AACnB,SAAK,qCAAqB,KAAA;AAC1B,SAAK,eAAe;AAAA,EACtB;AAAA;AAAA;AAAA;AAAA,EAKA,UAAgB;AACd,SAAK,SAAS;AAAA,EAChB;AAAA;AAAA;AAAA;AAAA,EAKA,SAAe;AACb,SAAK,SAAS;AAAA,EAChB;AACF;AAnIa,SAANA,kBAAA;AAAA,EATN,KAAK;AAAA,IACJ,cAAc;AAAA;AAAA,IAEd,KAAK,EAAE,SAAS,GAAC;AAAA,IACjB,KAAK,EAAE,SAAS,GAAC;AAAA;AAAA;AAAA,IAGjB,KAAK,EAAE,SAAS,CAAC,MAAM,GAAG,cAAc,KAAA;AAAA;AAAA,EAAK,CAC9C;AAAA,GACY,MAAA;;;;;;;;;ACJN,IAAM,YAAN,cAAwB,WAAW;AAAA;AAAA;AAAA;AAAA,EAIxC,WAAmB;AAAA;AAAA;AAAA;AAAA,EAKnB,aAAqB;AAAA;AAAA;AAAA;AAAA,EAKrB,WAAmB;AAAA;AAAA;AAAA;AAAA,EAKnB,SAA0B;AAAA;AAAA;AAAA;AAAA,EAK1B,UAAkB;AAAA;AAAA;AAAA;AAAA,EAKlB,cAA2B;AAAA;AAAA;AAAA;AAAA,EAK3B,YAAyB;AAAA,EAEzB,YAAY,UAA4B,IAAI;AAC1C,UAAM,OAAO;AACb,QAAI,QAAQ,aAAa,OAAW,MAAK,WAAW,QAAQ;AAC5D,QAAI,QAAQ,eAAe,OAAW,MAAK,aAAa,QAAQ;AAChE,QAAI,QAAQ,aAAa,OAAW,MAAK,WAAW,QAAQ;AAC5D,QAAI,QAAQ,WAAW,OAAW,MAAK,SAAS,QAAQ;AACxD,QAAI,QAAQ,YAAY,OAAW,MAAK,UAAU,QAAQ;AAC1D,QAAI,QAAQ,gBAAgB,QAAW;AACrC,WAAK,cACH,QAAQ,uBAAuB,OAC3B,QAAQ,cACR,QAAQ,cACN,IAAI,KAAK,QAAQ,WAAW,IAC5B;AAAA,IACV;AACA,QAAI,QAAQ,cAAc,QAAW;AACnC,WAAK,YACH,QAAQ,qBAAqB,OACzB,QAAQ,YACR,QAAQ,YACN,IAAI,KAAK,QAAQ,SAAS,IAC1B;AAAA,IACV;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,WAAoB;AAClB,WAAO,KAAK,WAAW;AAAA,EACzB;AAAA;AAAA;AAAA;AAAA,EAKA,gBAAyB;AACvB,QAAI,CAAC,KAAK,YAAa,QAAO;AAC9B,WAAO,oBAAI,UAAU,KAAK;AAAA,EAC5B;AAAA;AAAA;AAAA;AAAA,EAKA,YAAqB;AACnB,WAAO,KAAK,WAAW;AAAA,EACzB;AAAA;AAAA;AAAA;AAAA,EAKA,gBAAyB;AACvB,WAAO,KAAK,WAAW;AAAA,EACzB;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,aAAsB;AACpB,WAAO,KAAK,WAAW,YAAY,KAAK,WAAW;AAAA,EACrD;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,aAAsB;AACpB,WAAO,KAAK,WAAW;AAAA,EACzB;AAAA;AAAA;AAAA;AAAA,EAKA,SAAe;AACb,SAAK,SAAS;AACd,SAAK,gCAAgB,KAAA;AAAA,EACvB;AAAA;AAAA;AAAA;AAAA,EAKA,kBAAwB;AACtB,SAAK,SAAS;AAAA,EAChB;AACF;AAxHa,YAAN,gBAAA;AAAA,EARN,KAAK;AAAA;AAAA,IAEJ,KAAK,EAAE,SAAS,GAAC;AAAA;AAAA,IACjB,KAAK,EAAE,SAAS,GAAC;AAAA;AAAA;AAAA;AAAA,IAGjB,KAAK,EAAE,SAAS,CAAC,QAAQ,KAAK,GAAG,cAAc,KAAA;AAAA,EAAK,CACrD;AAAA,GACY,SAAA;"}

package/dist/manifest.json

@@ -1,8 +1,8 @@
 {
   "version": "1.0.0",
-  "timestamp": 1782330599956,
+  "timestamp": 1782335238161,
   "packageName": "@happyvertical/smrt-secrets",
-  "packageVersion": "0.35.0",
+  "packageVersion": "0.35.1",
   "objects": {
     "@happyvertical/smrt-secrets:SecretAuditLogCollection": {
       "name": "secretauditlogcollection",

package/dist/models/Secret.d.ts

@@ -1,8 +1,26 @@
-import { SmrtObject } from '@happyvertical/smrt-core';
+import { SmrtObjectOptions, SmrtObject } from '@happyvertical/smrt-core';
 /**
  * Secret status values
  */
 export type SecretStatus = 'active' | 'disabled' | 'expired';
+/**
+ * Constructor options for {@link Secret}. Each field is optional and mirrors a
+ * persisted column; date fields also accept the serialized forms accepted by
+ * `new Date()` so hydrated rows coerce cleanly.
+ */
+export interface SecretOptions extends SmrtObjectOptions {
+    tenantId?: string;
+    name?: string;
+    description?: string;
+    category?: string;
+    encryptedValue?: string;
+    keyVersion?: number;
+    status?: SecretStatus;
+    expiresAt?: Date | string | number | null;
+    lastAccessedAt?: Date | string | number | null;
+    accessCount?: number;
+    metadata?: Record<string, unknown>;
+}
 /**
  * Secret represents an encrypted value stored per-tenant.
  *
@@ -75,7 +93,7 @@ export declare class Secret extends SmrtObject {
      * Additional metadata stored with the secret
      */
     metadata: Record<string, unknown>;
-    constructor(options?: any);
+    constructor(options?: SecretOptions);
     /**
      * Check if the secret is currently active
      */

package/dist/models/Secret.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"Secret.d.ts","sourceRoot":"","sources":["../../src/models/Secret.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,UAAU,EAAQ,MAAM,0BAA0B,CAAC;AAE5D;;GAEG;AACH,MAAM,MAAM,YAAY,GAAG,QAAQ,GAAG,UAAU,GAAG,SAAS,CAAC;AAE7D;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AAWH,qBASa,MAAO,SAAQ,UAAU;IACpC;;OAEG;IACH,QAAQ,EAAE,MAAM,CAAM;IAEtB;;OAEG;IACH,IAAI,EAAE,MAAM,CAAM;IAElB;;OAEG;IACH,WAAW,EAAE,MAAM,CAAM;IAEzB;;OAEG;IACH,QAAQ,EAAE,MAAM,CAAM;IAEtB;;OAEG;IACH,cAAc,EAAE,MAAM,CAAM;IAE5B;;OAEG;IACH,UAAU,EAAE,MAAM,CAAK;IAEvB;;OAEG;IACH,MAAM,EAAE,YAAY,CAAY;IAEhC;;OAEG;IACH,SAAS,EAAE,IAAI,GAAG,IAAI,CAAQ;IAE9B;;OAEG;IACH,cAAc,EAAE,IAAI,GAAG,IAAI,CAAQ;IAEnC;;OAEG;IACH,WAAW,EAAE,MAAM,CAAK;IAExB;;OAEG;IACH,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAM;gBAE3B,OAAO,GAAE,GAAQ;IAgC7B;;OAEG;IACH,QAAQ,IAAI,OAAO;IAInB;;OAEG;IACH,SAAS,IAAI,OAAO;IAKpB;;OAEG;IACH,QAAQ,IAAI,OAAO;IAInB;;OAEG;IACH,YAAY,IAAI,IAAI;IAKpB;;OAEG;IACH,OAAO,IAAI,IAAI;IAIf;;OAEG;IACH,MAAM,IAAI,IAAI;CAGf"}
+{"version":3,"file":"Secret.d.ts","sourceRoot":"","sources":["../../src/models/Secret.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,0BAA0B,CAAC;AAClE,OAAO,EAAE,UAAU,EAAQ,MAAM,0BAA0B,CAAC;AAE5D;;GAEG;AACH,MAAM,MAAM,YAAY,GAAG,QAAQ,GAAG,UAAU,GAAG,SAAS,CAAC;AAE7D;;;;GAIG;AACH,MAAM,WAAW,aAAc,SAAQ,iBAAiB;IACtD,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,MAAM,CAAC,EAAE,YAAY,CAAC;IACtB,SAAS,CAAC,EAAE,IAAI,GAAG,MAAM,GAAG,MAAM,GAAG,IAAI,CAAC;IAC1C,cAAc,CAAC,EAAE,IAAI,GAAG,MAAM,GAAG,MAAM,GAAG,IAAI,CAAC;IAC/C,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACpC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AAWH,qBASa,MAAO,SAAQ,UAAU;IACpC;;OAEG;IACH,QAAQ,EAAE,MAAM,CAAM;IAEtB;;OAEG;IACH,IAAI,EAAE,MAAM,CAAM;IAElB;;OAEG;IACH,WAAW,EAAE,MAAM,CAAM;IAEzB;;OAEG;IACH,QAAQ,EAAE,MAAM,CAAM;IAEtB;;OAEG;IACH,cAAc,EAAE,MAAM,CAAM;IAE5B;;OAEG;IACH,UAAU,EAAE,MAAM,CAAK;IAEvB;;OAEG;IACH,MAAM,EAAE,YAAY,CAAY;IAEhC;;OAEG;IACH,SAAS,EAAE,IAAI,GAAG,IAAI,CAAQ;IAE9B;;OAEG;IACH,cAAc,EAAE,IAAI,GAAG,IAAI,CAAQ;IAEnC;;OAEG;IACH,WAAW,EAAE,MAAM,CAAK;IAExB;;OAEG;IACH,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAM;gBAE3B,OAAO,GAAE,aAAkB;IAgCvC;;OAEG;IACH,QAAQ,IAAI,OAAO;IAInB;;OAEG;IACH,SAAS,IAAI,OAAO;IAKpB;;OAEG;IACH,QAAQ,IAAI,OAAO;IAInB;;OAEG;IACH,YAAY,IAAI,IAAI;IAKpB;;OAEG;IACH,OAAO,IAAI,IAAI;IAIf;;OAEG;IACH,MAAM,IAAI,IAAI;CAGf"}

package/dist/models/SecretAuditLog.d.ts

@@ -1,4 +1,4 @@
-import { SmrtCreateInput, SmrtObject } from '@happyvertical/smrt-core';
+import { SmrtCreateInput, SmrtObjectOptions, SmrtObject } from '@happyvertical/smrt-core';
 /**
  * Secret audit action types
  */
@@ -7,6 +7,21 @@ export type SecretAuditAction = 'create' | 'read' | 'update' | 'delete' | 'rotat
  * Audit result types
  */
 export type SecretAuditResult = 'success' | 'failure' | 'denied';
+/**
+ * Constructor options for {@link SecretAuditLog}. Each field is optional and
+ * mirrors a persisted column.
+ */
+export interface SecretAuditLogOptions extends SmrtObjectOptions {
+    tenantId?: string | null;
+    secretId?: string | null;
+    secretName?: string;
+    userId?: string;
+    action?: SecretAuditAction;
+    result?: SecretAuditResult;
+    ipAddress?: string;
+    userAgent?: string;
+    details?: Record<string, unknown>;
+}
 /**
  * SecretAuditLog records all operations on secrets for compliance
  * and security monitoring.
@@ -80,7 +95,7 @@ export declare class SecretAuditLog extends SmrtObject {
      * Additional context about the operation
      */
     details: Record<string, unknown>;
-    constructor(options?: any);
+    constructor(options?: SecretAuditLogOptions);
     /**
      * Check if this was a successful operation
      */

package/dist/models/SecretAuditLog.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"SecretAuditLog.d.ts","sourceRoot":"","sources":["../../src/models/SecretAuditLog.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,0BAA0B,CAAC;AAChE,OAAO,EAGL,UAAU,EAEX,MAAM,0BAA0B,CAAC;AAElC;;GAEG;AACH,MAAM,MAAM,iBAAiB,GACzB,QAAQ,GACR,MAAM,GACN,QAAQ,GACR,QAAQ,GACR,YAAY,GACZ,SAAS,GACT,QAAQ,GACR,QAAQ,CAAC;AAEb;;GAEG;AACH,MAAM,MAAM,iBAAiB,GAAG,SAAS,GAAG,SAAS,GAAG,QAAQ,CAAC;AAEjE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAmCG;AAUH,qBAQa,cAAe,SAAQ,UAAU;IAC5C;;OAEG;IACH,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAQ;IAE/B;;OAEG;IAEH,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAQ;IAE/B;;OAEG;IACH,UAAU,EAAE,MAAM,CAAM;IAExB;;OAEG;IAEH,MAAM,EAAE,MAAM,CAAM;IAEpB;;OAEG;IACH,MAAM,EAAE,iBAAiB,CAAU;IAEnC;;OAEG;IACH,MAAM,EAAE,iBAAiB,CAAa;IAEtC;;OAEG;IACH,SAAS,EAAE,MAAM,CAAM;IAEvB;;OAEG;IACH,SAAS,EAAE,MAAM,CAAM;IAEvB;;OAEG;IACH,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAM;gBAE1B,OAAO,GAAE,GAAQ;IAe7B;;OAEG;IACH,SAAS,IAAI,OAAO;IAIpB;;OAEG;IACH,SAAS,IAAI,OAAO;IAIpB;;OAEG;IACH,QAAQ,IAAI,OAAO;IAInB;;OAEG;IACH,YAAY,IAAI,OAAO;IAIvB;;OAEG;IACH,aAAa,IAAI,OAAO;IAIxB;;OAEG;IACH,cAAc,IAAI,OAAO;CAG1B;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,MAAM,EAAE;IACvC,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,iBAAiB,CAAC;IAC1B,MAAM,EAAE,iBAAiB,CAAC;IAC1B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACnC,GAAG,eAAe,CAAC,cAAc,CAAC,CAkBlC"}
+{"version":3,"file":"SecretAuditLog.d.ts","sourceRoot":"","sources":["../../src/models/SecretAuditLog.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EACV,eAAe,EACf,iBAAiB,EAClB,MAAM,0BAA0B,CAAC;AAClC,OAAO,EAGL,UAAU,EAEX,MAAM,0BAA0B,CAAC;AAElC;;GAEG;AACH,MAAM,MAAM,iBAAiB,GACzB,QAAQ,GACR,MAAM,GACN,QAAQ,GACR,QAAQ,GACR,YAAY,GACZ,SAAS,GACT,QAAQ,GACR,QAAQ,CAAC;AAEb;;GAEG;AACH,MAAM,MAAM,iBAAiB,GAAG,SAAS,GAAG,SAAS,GAAG,QAAQ,CAAC;AAEjE;;;GAGG;AACH,MAAM,WAAW,qBAAsB,SAAQ,iBAAiB;IAC9D,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,iBAAiB,CAAC;IAC3B,MAAM,CAAC,EAAE,iBAAiB,CAAC;IAC3B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACnC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAmCG;AAUH,qBAQa,cAAe,SAAQ,UAAU;IAC5C;;OAEG;IACH,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAQ;IAE/B;;OAEG;IAEH,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAQ;IAE/B;;OAEG;IACH,UAAU,EAAE,MAAM,CAAM;IAExB;;OAEG;IAEH,MAAM,EAAE,MAAM,CAAM;IAEpB;;OAEG;IACH,MAAM,EAAE,iBAAiB,CAAU;IAEnC;;OAEG;IACH,MAAM,EAAE,iBAAiB,CAAa;IAEtC;;OAEG;IACH,SAAS,EAAE,MAAM,CAAM;IAEvB;;OAEG;IACH,SAAS,EAAE,MAAM,CAAM;IAEvB;;OAEG;IACH,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAM;gBAE1B,OAAO,GAAE,qBAA0B;IAe/C;;OAEG;IACH,SAAS,IAAI,OAAO;IAIpB;;OAEG;IACH,SAAS,IAAI,OAAO;IAIpB;;OAEG;IACH,QAAQ,IAAI,OAAO;IAInB;;OAEG;IACH,YAAY,IAAI,OAAO;IAIvB;;OAEG;IACH,aAAa,IAAI,OAAO;IAIxB;;OAEG;IACH,cAAc,IAAI,OAAO;CAG1B;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,MAAM,EAAE;IACvC,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,iBAAiB,CAAC;IAC1B,MAAM,EAAE,iBAAiB,CAAC;IAC1B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACnC,GAAG,eAAe,CAAC,cAAc,CAAC,CAkBlC"}

package/dist/models/TenantKey.d.ts

@@ -1,8 +1,22 @@
-import { SmrtObject } from '@happyvertical/smrt-core';
+import { SmrtObjectOptions, SmrtObject } from '@happyvertical/smrt-core';
 /**
  * Key status values
  */
 export type TenantKeyStatus = 'active' | 'rotating' | 'retired' | 'compromised';
+/**
+ * Constructor options for {@link TenantKey}. Each field is optional and mirrors
+ * a persisted column; date fields also accept the serialized forms accepted by
+ * `new Date()` so hydrated rows coerce cleanly.
+ */
+export interface TenantKeyOptions extends SmrtObjectOptions {
+    tenantId?: string;
+    wrappedKey?: string;
+    amkKeyId?: string;
+    status?: TenantKeyStatus;
+    version?: number;
+    rotateAfter?: Date | string | number | null;
+    retiredAt?: Date | string | number | null;
+}
 /**
  * TenantKey tracks the per-tenant Data Encryption Keys (TDEKs).
  *
@@ -62,7 +76,7 @@ export declare class TenantKey extends SmrtObject {
      * When the key was retired (if applicable)
      */
     retiredAt: Date | null;
-    constructor(options?: any);
+    constructor(options?: TenantKeyOptions);
     /**
      * Check if this key is currently active
      */

package/dist/models/TenantKey.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"TenantKey.d.ts","sourceRoot":"","sources":["../../src/models/TenantKey.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,UAAU,EAAQ,MAAM,0BAA0B,CAAC;AAE5D;;GAEG;AACH,MAAM,MAAM,eAAe,GAAG,QAAQ,GAAG,UAAU,GAAG,SAAS,GAAG,aAAa,CAAC;AAEhF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AASH,qBAQa,SAAU,SAAQ,UAAU;IACvC;;OAEG;IACH,QAAQ,EAAE,MAAM,CAAM;IAEtB;;OAEG;IACH,UAAU,EAAE,MAAM,CAAM;IAExB;;OAEG;IACH,QAAQ,EAAE,MAAM,CAAM;IAEtB;;OAEG;IACH,MAAM,EAAE,eAAe,CAAY;IAEnC;;OAEG;IACH,OAAO,EAAE,MAAM,CAAK;IAEpB;;OAEG;IACH,WAAW,EAAE,IAAI,GAAG,IAAI,CAAQ;IAEhC;;OAEG;IACH,SAAS,EAAE,IAAI,GAAG,IAAI,CAAQ;gBAElB,OAAO,GAAE,GAAQ;IAyB7B;;OAEG;IACH,QAAQ,IAAI,OAAO;IAInB;;OAEG;IACH,aAAa,IAAI,OAAO;IAKxB;;OAEG;IACH,SAAS,IAAI,OAAO;IAIpB;;OAEG;IACH,aAAa,IAAI,OAAO;IAIxB;;;OAGG;IACH,UAAU,IAAI,OAAO;IAIrB;;;OAGG;IACH,UAAU,IAAI,OAAO;IAIrB;;OAEG;IACH,MAAM,IAAI,IAAI;IAKd;;OAEG;IACH,eAAe,IAAI,IAAI;CAGxB"}
+{"version":3,"file":"TenantKey.d.ts","sourceRoot":"","sources":["../../src/models/TenantKey.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,0BAA0B,CAAC;AAClE,OAAO,EAAE,UAAU,EAAQ,MAAM,0BAA0B,CAAC;AAE5D;;GAEG;AACH,MAAM,MAAM,eAAe,GAAG,QAAQ,GAAG,UAAU,GAAG,SAAS,GAAG,aAAa,CAAC;AAEhF;;;;GAIG;AACH,MAAM,WAAW,gBAAiB,SAAQ,iBAAiB;IACzD,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,eAAe,CAAC;IACzB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,WAAW,CAAC,EAAE,IAAI,GAAG,MAAM,GAAG,MAAM,GAAG,IAAI,CAAC;IAC5C,SAAS,CAAC,EAAE,IAAI,GAAG,MAAM,GAAG,MAAM,GAAG,IAAI,CAAC;CAC3C;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AASH,qBAQa,SAAU,SAAQ,UAAU;IACvC;;OAEG;IACH,QAAQ,EAAE,MAAM,CAAM;IAEtB;;OAEG;IACH,UAAU,EAAE,MAAM,CAAM;IAExB;;OAEG;IACH,QAAQ,EAAE,MAAM,CAAM;IAEtB;;OAEG;IACH,MAAM,EAAE,eAAe,CAAY;IAEnC;;OAEG;IACH,OAAO,EAAE,MAAM,CAAK;IAEpB;;OAEG;IACH,WAAW,EAAE,IAAI,GAAG,IAAI,CAAQ;IAEhC;;OAEG;IACH,SAAS,EAAE,IAAI,GAAG,IAAI,CAAQ;gBAElB,OAAO,GAAE,gBAAqB;IAyB1C;;OAEG;IACH,QAAQ,IAAI,OAAO;IAInB;;OAEG;IACH,aAAa,IAAI,OAAO;IAKxB;;OAEG;IACH,SAAS,IAAI,OAAO;IAIpB;;OAEG;IACH,aAAa,IAAI,OAAO;IAIxB;;;OAGG;IACH,UAAU,IAAI,OAAO;IAIrB;;;OAGG;IACH,UAAU,IAAI,OAAO;IAIrB;;OAEG;IACH,MAAM,IAAI,IAAI;IAKd;;OAEG;IACH,eAAe,IAAI,IAAI;CAGxB"}

package/dist/smrt-knowledge.json

@@ -1,13 +1,13 @@
 {
   "schemaVersion": 1,
-  "generatedAt": "2026-06-24T19:50:00.233Z",
+  "generatedAt": "2026-06-24T21:07:18.447Z",
   "packageName": "@happyvertical/smrt-secrets",
-  "packageVersion": "0.35.0",
+  "packageVersion": "0.35.1",
   "sourceManifestPath": "dist/manifest.json",
   "agentDocPath": "AGENTS.md",
   "sourceHashes": {
-    "manifest": "2a029c9892762cabd93eb5ef4bf47bced2fb5e4f4d48823ae87787442b3dc7e0",
-    "packageJson": "779d644f31fedc7de5b5fc8c038fd6b1cbb52a54b44ab35c245e72840d443d12",
+    "manifest": "f8fc7e22940e9fa0bdf71485744da7a178e18f2003cfededcb70e6bb6cf04c46",
+    "packageJson": "fb1c7bd7b1b9595dc9946c4c9f59df5ac9185efd90b18947efb0d371a5f0253f",
     "agents": "c2be546ffbe79a0df95401c10a60e23f4f31cb8232cb1349fcdb7e5682852d4a"
   },
   "exports": [

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@happyvertical/smrt-secrets",
-  "version": "0.35.0",
+  "version": "0.35.1",
   "description": "Per-tenant secret management with envelope encryption for SMRT",
   "type": "module",
   "main": "./dist/index.js",
@@ -31,15 +31,15 @@
     "@happyvertical/secrets": "^0.74.7",
     "@happyvertical/sql": "^0.74.7",
     "@happyvertical/utils": "^0.74.7",
-    "@happyvertical/smrt-core": "0.35.0",
-    "@happyvertical/smrt-tenancy": "0.35.0"
+    "@happyvertical/smrt-core": "0.35.1",
+    "@happyvertical/smrt-tenancy": "0.35.1"
   },
   "devDependencies": {
     "@types/node": "25.0.9",
     "typescript": "^5.9.3",
     "vite": "^7.3.1",
     "vitest": "^4.0.17",
-    "@happyvertical/smrt-vitest": "0.35.0"
+    "@happyvertical/smrt-vitest": "0.35.1"
   },
   "keywords": [
     "smrt",