@nest-omni/core 3.1.1-16 → 3.1.1-18

package/common/abstract.entity.d.ts

@@ -1,11 +1,13 @@
 import type { AbstractDto, AbstractTranslationDto } from './dto/abstract.dto';
 import { LanguageCode } from '../constants';
-export declare abstract class AbstractBaseEntity<DTO, O> {
-    createdAt: Date;
-    updatedAt: Date;
+export declare abstract class AbstractDtoEntity<DTO, O = never> {
     translations?: AbstractTranslationEntity[];
     toDto(options?: O): DTO;
 }
+export declare abstract class AbstractBaseEntity<DTO, O> extends AbstractDtoEntity<DTO, O> {
+    createdAt: Date;
+    updatedAt: Date;
+}
 export declare class AbstractEntity<DTO extends AbstractDto = AbstractDto, O = never> extends AbstractBaseEntity<DTO, O> {
     id: number;
 }

package/common/abstract.entity.js

@@ -9,12 +9,12 @@ var __metadata = (this && this.__metadata) || function (k, v) {
     if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.AbstractUuidPrimaryEntity = exports.AbstractTranslationEntity = exports.AbstractEntity = exports.AbstractBaseEntity = void 0;
+exports.AbstractUuidPrimaryEntity = exports.AbstractTranslationEntity = exports.AbstractEntity = exports.AbstractBaseEntity = exports.AbstractDtoEntity = void 0;
 const typeorm_1 = require("typeorm");
 const decorators_1 = require("../decorators");
 const constants_1 = require("../constants");
 const uuid_1 = require("uuid");
-class AbstractBaseEntity {
+class AbstractDtoEntity {
     toDto(options) {
         const dtoClass = Object.getPrototypeOf(this).dtoClass;
         if (!dtoClass) {
@@ -23,6 +23,9 @@ class AbstractBaseEntity {
         return new dtoClass(this, options);
     }
 }
+exports.AbstractDtoEntity = AbstractDtoEntity;
+class AbstractBaseEntity extends AbstractDtoEntity {
+}
 exports.AbstractBaseEntity = AbstractBaseEntity;
 __decorate([
     (0, typeorm_1.CreateDateColumn)({

package/common/boilerplate.polyfill.d.ts

@@ -9,10 +9,10 @@ import type { PageOptionsDto } from './dto/page-options.dto';
 import type { LanguageCode } from '../constants/language-code';
 import type { KeyOfType } from './types';
 declare global {
-    export type Uuid = string & {
+    type Uuid = string & {
         _uuidBrand: undefined;
     };
-    export type Todo = any & {
+    type Todo = any & {
         _todoBrand: undefined;
     };
     interface Array<T> {
@@ -31,6 +31,12 @@ declare module 'typeorm' {
             takeAll: boolean;
             skipCount: boolean;
         }>): Promise<[Entity[], PageMetaDto]>;
+        paginateAndMap<Dto extends AbstractDto, DtoOptions = unknown>(this: SelectQueryBuilder<Entity>, pageOptionsDto: PageOptionsDto, options?: Partial<{
+            dtoOptions: DtoOptions;
+            skipCount: boolean;
+            takeAll: boolean;
+            transform: (items: Entity[]) => Entity[] | Promise<Entity[]>;
+        }>): Promise<PageDto<Dto>>;
         leftJoinAndSelect<AliasEntity extends AbstractEntity, A extends string>(this: SelectQueryBuilder<Entity>, property: `${A}.${Exclude<KeyOfType<AliasEntity, AbstractEntity>, symbol>}`, alias: string, condition?: string, parameters?: ObjectLiteral): this;
         leftJoin<AliasEntity extends AbstractEntity, A extends string>(this: SelectQueryBuilder<Entity>, property: `${A}.${Exclude<KeyOfType<AliasEntity, AbstractEntity>, symbol>}`, alias: string, condition?: string, parameters?: ObjectLiteral): this;
         innerJoinAndSelect<AliasEntity extends AbstractEntity, A extends string>(this: SelectQueryBuilder<Entity>, property: `${A}.${Exclude<KeyOfType<AliasEntity, AbstractEntity>, symbol>}`, alias: string, condition?: string, parameters?: ObjectLiteral): this;

package/common/boilerplate.polyfill.js

@@ -29,7 +29,12 @@ const page_dto_1 = require("./dto/page.dto");
 const page_meta_dto_1 = require("./dto/page-meta.dto");
 const providers_1 = require("../providers");
 Array.prototype.toDtos = function (options) {
-    return (0, lodash_1.compact)((0, lodash_1.map)(this, (item) => item.toDto(options)));
+    return (0, lodash_1.compact)((0, lodash_1.map)(this, (item) => {
+        if (item && typeof item.toDto === 'function') {
+            return item.toDto(options);
+        }
+        return undefined;
+    }));
 };
 Array.prototype.getByLanguage = function (languageCode) {
     return this.find((translation) => languageCode === translation.languageCode)
@@ -72,6 +77,19 @@ typeorm_1.SelectQueryBuilder.prototype.paginate = function (pageOptionsDto, opti
         return [entities, pageMetaDto];
     });
 };
+typeorm_1.SelectQueryBuilder.prototype.paginateAndMap = function (pageOptionsDto, options) {
+    return __awaiter(this, void 0, void 0, function* () {
+        const [entities, pageMetaDto] = yield this.paginate(pageOptionsDto, {
+            skipCount: options === null || options === void 0 ? void 0 : options.skipCount,
+            takeAll: options === null || options === void 0 ? void 0 : options.takeAll,
+        });
+        let transformedEntities = entities;
+        if (options === null || options === void 0 ? void 0 : options.transform) {
+            transformedEntities = yield options.transform(entities);
+        }
+        return transformedEntities.toPageDto(pageMetaDto, options === null || options === void 0 ? void 0 : options.dtoOptions);
+    });
+};
 typeorm_1.SelectQueryBuilder.prototype.withTenant = function (tenantId, tenantFieldName = 'tenantId') {
     var _a;
     if (!tenantId) {

package/index.d.ts

@@ -12,5 +12,6 @@ export * from './validator-json';
 export * from './helpers';
 export * from './providers';
 export * from './cache';
+export * from './vault';
 export * from './setup';
 export * from './health-checker';

package/index.js

@@ -28,5 +28,6 @@ __exportStar(require("./validator-json"), exports);
 __exportStar(require("./helpers"), exports);
 __exportStar(require("./providers"), exports);
 __exportStar(require("./cache"), exports);
+__exportStar(require("./vault"), exports);
 __exportStar(require("./setup"), exports);
 __exportStar(require("./health-checker"), exports);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@nest-omni/core",
-  "version": "3.1.1-16",
+  "version": "3.1.1-18",
   "description": "A comprehensive NestJS framework for building enterprise-grade applications with best practices",
   "main": "index.js",
   "types": "index.d.ts",
@@ -41,116 +41,62 @@
   },
   "devDependencies": {
     "@types/compression": "^1.8.1",
-    "@types/express": "^5.0.3",
+    "@types/express": "^5.0.4",
     "@types/express-session": "^1.18.2",
     "@types/lodash": "^4.17.20",
     "@types/node": "^24.9.1",
     "@types/sprintf-js": "^1.1.4",
-    "@types/uuid": "^10.0.0",
+    "@types/uuid": "^11.0.0",
     "typescript": "^5.9.3"
   },
   "dependencies": {
+    "@dataui/crud": "^5.3.4",
+    "@dataui/crud-typeorm": "^5.3.4",
     "@nestjs-cls/transactional": "^3.1.0",
     "@nestjs-cls/transactional-adapter-typeorm": "^1.3.0",
-    "@sentry/nestjs": "^10.21.0",
-    "@sentry/profiling-node": "^10.21.0",
+    "@nestjs/bull": "^11.0.4",
+    "@nestjs/common": "^11.1.7",
+    "@nestjs/config": "^4.0.2",
+    "@nestjs/core": "^11.1.7",
+    "@nestjs/platform-express": "^11.1.7",
+    "@nestjs/schedule": "^6.0.1",
+    "@nestjs/swagger": "^11.2.1",
+    "@nestjs/terminus": "^11.0.0",
+    "@nestjs/typeorm": "^11.0.0",
+    "@sentry/nestjs": "^10.22.0",
+    "@sentry/profiling-node": "^10.22.0",
+    "@songkeys/nestjs-redis": "^11.0.0",
+    "@songkeys/nestjs-redis-health": "^11.0.0",
     "axios": "^1.12.2",
     "axios-retry": "^4.5.0",
+    "bcrypt": "^6.0.0",
+    "body-parser": "^2.2.0",
+    "bull": "^4.16.5",
     "class-transformer": "^0.5.1",
     "class-validator": "^0.14.2",
     "compression": "^1.8.1",
+    "connect-redis": "^9.0.0",
+    "dotenv": "^17.2.3",
+    "express": "^5.1.0",
+    "express-session": "^1.18.2",
     "hygen": "^6.2.11",
-    "libphonenumber-js": "^1.12.24",
+    "ioredis": "^5.8.2",
+    "libphonenumber-js": "^1.12.25",
     "lodash": "^4.17.21",
+    "mime-types": "^3.0.1",
     "moment": "^2.30.1",
+    "mysql2": "^3.15.3",
+    "nestjs-cls": "^6.0.1",
+    "nestjs-i18n": "^10.5.1",
+    "nestjs-pino": "^4.4.1",
+    "pino-http": "^11.0.0",
+    "pino-pretty": "^13.1.2",
     "reflect-metadata": "^0.2.2",
     "rxjs": "^7.8.2",
-    "sprintf-js": "^1.1.3",
-    "uuid": "^13.0.0"
-  },
-  "peerDependencies": {
-    "@dataui/crud": "^5.3.0",
-    "@dataui/crud-typeorm": "^5.3.0",
-    "@nestjs/bull": "^11.0.0",
-    "@nestjs/common": "^11.0.0",
-    "@nestjs/config": "^4.0.0",
-    "@nestjs/core": "^11.0.0",
-    "@nestjs/platform-express": "^11.0.0",
-    "@nestjs/schedule": "^6.0.0",
-    "@nestjs/swagger": "^11.0.0",
-    "@nestjs/terminus": "^11.0.0",
-    "@nestjs/typeorm": "^11.0.0",
-    "@songkeys/nestjs-redis": "^11.0.0",
-    "@songkeys/nestjs-redis-health": "^11.0.0",
-    "bcrypt": "^6.0.0",
-    "bull": "^4.16.0",
-    "connect-redis": "^9.0.0",
-    "express": "^5.0.0",
-    "express-session": "^1.18.0",
-    "mime-types": "^3.0.0",
-    "mysql2": "^3.0.0",
-    "nestjs-cls": "^6.0.0",
-    "nestjs-i18n": "^10.5.0",
-    "nestjs-pino": "^4.0.0",
-    "pino-http": "^11.0.0",
-    "pino-pretty": "^13.0.0",
     "source-map-support": "^0.5.21",
-    "typeorm": "^0.3.20"
-  },
-  "peerDependenciesMeta": {
-    "@dataui/crud": {
-      "optional": false
-    },
-    "@dataui/crud-typeorm": {
-      "optional": false
-    },
-    "@songkeys/nestjs-redis": {
-      "optional": true
-    },
-    "@songkeys/nestjs-redis-health": {
-      "optional": true
-    },
-    "@nestjs/bull": {
-      "optional": false
-    },
-    "@nestjs/schedule": {
-      "optional": false
-    },
-    "@nestjs/swagger": {
-      "optional": true
-    },
-    "bcrypt": {
-      "optional": false
-    },
-    "bull": {
-      "optional": false
-    },
-    "connect-redis": {
-      "optional": false
-    },
-    "express-session": {
-      "optional": false
-    },
-    "mysql2": {
-      "optional": false
-    },
-    "nestjs-cls": {
-      "optional": false
-    },
-    "nestjs-i18n": {
-      "optional": false
-    },
-    "nestjs-pino": {
-      "optional": false
-    },
-    "pino-http": {
-      "optional": false
-    },
-    "pino-pretty": {
-      "optional": false
-    },
-    "typeorm": {
-      "optional": false
-    }
+    "sprintf-js": "^1.1.3",
+    "typeorm": "^0.3.27",
+    "uuid": "^13.0.0",
+    "node-vault": "^0.10.9"
   }
 }

package/setup/bootstrap.setup.js

@@ -79,17 +79,6 @@ Sentry.init({
     integrations: [profiling_node_1.nodeProfilingIntegration],
 });
 const crud_1 = require("@dataui/crud");
-const core_1 = require("@nestjs/core");
-const nestjs_pino_1 = require("nestjs-pino");
-const session = require("express-session");
-const bodyParse = require("body-parser");
-const compression = require("compression");
-const __1 = require("../");
-const common_1 = require("@nestjs/common");
-const nestjs_i18n_1 = require("nestjs-i18n");
-const nestjs_cls_1 = require("nestjs-cls");
-const class_validator_1 = require("class-validator");
-const setup_1 = require("@sentry/nestjs/setup");
 crud_1.CrudConfigService.load({
     auth: {
         property: 'user',
@@ -117,8 +106,21 @@ crud_1.CrudConfigService.load({
         },
     },
 });
+const core_1 = require("@nestjs/core");
+const nestjs_pino_1 = require("nestjs-pino");
+const session = require("express-session");
+const bodyParse = require("body-parser");
+const compression = require("compression");
+const __1 = require("../");
+const common_1 = require("@nestjs/common");
+const nestjs_i18n_1 = require("nestjs-i18n");
+const nestjs_cls_1 = require("nestjs-cls");
+const class_validator_1 = require("class-validator");
+const setup_1 = require("@sentry/nestjs/setup");
+const vault_1 = require("../vault");
 function bootstrapSetup(AppModule, SetupSwagger) {
     return __awaiter(this, void 0, void 0, function* () {
+        yield vault_1.VaultConfigLoader.loadVaultConfig();
         const shouldStartHttp = (0, mode_setup_1.shouldStartHttpServer)();
         const app = yield core_1.NestFactory.create(AppModule, {
             bufferLogs: true,

package/shared/serviceRegistryModule.js

@@ -36,6 +36,7 @@ const services_1 = require("./services");
 const nestjs_cls_1 = require("nestjs-cls");
 const redis_lock_1 = require("../redis-lock");
 const typeorm_2 = require("typeorm");
+const vault_1 = require("../vault");
 const providers = [
     services_1.ApiConfigService,
     services_1.ValidatorService,
@@ -48,6 +49,7 @@ if (!((_a = process === null || process === void 0 ? void 0 : process.env) === n
 services_1.ApiConfigService.rootPath = process.env.ROOT_PATH;
 const modules = [
     setup_1.SentryModule.forRoot(),
+    vault_1.VaultModule,
     config_1.ConfigModule.forRoot({
         isGlobal: true,
         cache: true,

package/vault/index.d.ts

@@ -0,0 +1,4 @@
+export * from './vault-config.loader';
+export * from './vault-config.service';
+export * from './vault.module';
+export * from './interfaces/vault-options.interface';

package/vault/index.js

@@ -0,0 +1,20 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./vault-config.loader"), exports);
+__exportStar(require("./vault-config.service"), exports);
+__exportStar(require("./vault.module"), exports);
+__exportStar(require("./interfaces/vault-options.interface"), exports);

package/vault/interfaces/vault-options.interface.d.ts

@@ -0,0 +1,22 @@
+export interface VaultAuthOptions {
+    token?: string;
+    roleId?: string;
+    secretId?: string;
+    k8sRole?: string;
+    k8sServiceAccountToken?: string;
+}
+export interface VaultOptions {
+    endpoint: string;
+    auth: VaultAuthOptions;
+    secretPaths: string[];
+    namespace?: string;
+    apiVersion?: 'v1' | 'v2';
+    timeout?: number;
+    enableHotReload?: boolean;
+    hotReloadInterval?: number;
+    failOnError?: boolean;
+}
+export interface VaultConfig {
+    enabled: boolean;
+    options?: VaultOptions;
+}

package/vault/interfaces/vault-options.interface.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/vault/vault-config.loader.d.ts

@@ -0,0 +1,13 @@
+export declare class VaultConfigLoader {
+    private static readonly logger;
+    private static vaultClient;
+    private static hotReloadTimer;
+    private static buildVaultOptions;
+    private static initializeVaultClient;
+    private static readSecrets;
+    static loadVaultConfig(): Promise<void>;
+    private static startHotReload;
+    static stopHotReload(): void;
+    static getVaultClient(): any;
+    static isConnected(): boolean;
+}

package/vault/vault-config.loader.js

@@ -0,0 +1,246 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.VaultConfigLoader = void 0;
+const common_1 = require("@nestjs/common");
+class VaultConfigLoader {
+    static buildVaultOptions() {
+        var _a;
+        const enabled = process.env.VAULT_ENABLED === 'true';
+        if (!enabled) {
+            this.logger.log('Vault is disabled (VAULT_ENABLED != true)');
+            return null;
+        }
+        const endpoint = process.env.VAULT_ENDPOINT;
+        const secretPaths = ((_a = process.env.VAULT_SECRET_PATHS) === null || _a === void 0 ? void 0 : _a.split(',').map(p => p.trim())) || [];
+        if (!endpoint) {
+            this.logger.warn('Vault enabled but VAULT_ENDPOINT is not set');
+            return null;
+        }
+        if (secretPaths.length === 0) {
+            this.logger.warn('Vault enabled but VAULT_SECRET_PATHS is empty');
+            return null;
+        }
+        const auth = {};
+        if (process.env.VAULT_TOKEN) {
+            auth.token = process.env.VAULT_TOKEN;
+            this.logger.log('Using Vault Token authentication');
+        }
+        else if (process.env.VAULT_ROLE_ID && process.env.VAULT_SECRET_ID) {
+            auth.roleId = process.env.VAULT_ROLE_ID;
+            auth.secretId = process.env.VAULT_SECRET_ID;
+            this.logger.log('Using Vault AppRole authentication');
+        }
+        else if (process.env.VAULT_K8S_ROLE) {
+            auth.k8sRole = process.env.VAULT_K8S_ROLE;
+            auth.k8sServiceAccountToken = process.env.VAULT_K8S_SA_TOKEN;
+            this.logger.log('Using Vault Kubernetes authentication');
+        }
+        else {
+            this.logger.warn('Vault enabled but no valid authentication method configured');
+            return null;
+        }
+        const options = {
+            endpoint,
+            auth,
+            secretPaths,
+            namespace: process.env.VAULT_NAMESPACE,
+            apiVersion: process.env.VAULT_API_VERSION || 'v2',
+            timeout: parseInt(process.env.VAULT_TIMEOUT || '5000', 10),
+            enableHotReload: process.env.VAULT_HOT_RELOAD === 'true',
+            hotReloadInterval: parseInt(process.env.VAULT_HOT_RELOAD_INTERVAL || '300', 10),
+            failOnError: process.env.VAULT_FAIL_ON_ERROR !== 'false',
+        };
+        this.logger.log(`Vault configuration loaded: ${secretPaths.length} secret path(s)`);
+        return options;
+    }
+    static initializeVaultClient(options) {
+        return __awaiter(this, void 0, void 0, function* () {
+            let vault;
+            try {
+                vault = yield Promise.resolve().then(() => require('node-vault'));
+                vault = vault.default || vault;
+            }
+            catch (error) {
+                throw new Error('node-vault package not installed. Run: npm install node-vault');
+            }
+            const client = vault({
+                endpoint: options.endpoint,
+                namespace: options.namespace,
+                requestOptions: {
+                    timeout: options.timeout,
+                },
+            });
+            try {
+                if (options.auth.token) {
+                    client.token = options.auth.token;
+                    this.logger.log('Vault Token authentication configured');
+                }
+                else if (options.auth.roleId && options.auth.secretId) {
+                    const result = yield client.approleLogin({
+                        role_id: options.auth.roleId,
+                        secret_id: options.auth.secretId,
+                    });
+                    client.token = result.auth.client_token;
+                    this.logger.log('Vault AppRole authentication successful');
+                }
+                else if (options.auth.k8sRole) {
+                    let jwt = options.auth.k8sServiceAccountToken;
+                    if (!jwt) {
+                        const fs = yield Promise.resolve().then(() => require('fs'));
+                        const K8S_SA_TOKEN_PATH = '/var/run/secrets/kubernetes.io/serviceaccount/token';
+                        if (fs.existsSync(K8S_SA_TOKEN_PATH)) {
+                            jwt = fs.readFileSync(K8S_SA_TOKEN_PATH, 'utf8');
+                        }
+                        else {
+                            throw new Error('Kubernetes service account token not found');
+                        }
+                    }
+                    const result = yield client.kubernetesLogin({
+                        role: options.auth.k8sRole,
+                        jwt,
+                    });
+                    client.token = result.auth.client_token;
+                    this.logger.log('Vault Kubernetes authentication successful');
+                }
+                else {
+                    throw new Error('No valid Vault authentication method configured');
+                }
+                yield client.tokenLookupSelf();
+                this.logger.log('Vault authentication verified');
+                return client;
+            }
+            catch (error) {
+                this.logger.error('Vault authentication failed', error);
+                throw error;
+            }
+        });
+    }
+    static readSecrets(client, secretPath, apiVersion) {
+        return __awaiter(this, void 0, void 0, function* () {
+            try {
+                this.logger.debug(`Reading secrets from: ${secretPath}`);
+                const result = yield client.read(secretPath);
+                if (!result || !result.data) {
+                    this.logger.warn(`No data found at path: ${secretPath}`);
+                    return {};
+                }
+                const secrets = apiVersion === 'v2' ? result.data.data : result.data;
+                if (!secrets || typeof secrets !== 'object') {
+                    this.logger.warn(`Invalid secret format at path: ${secretPath}`);
+                    return {};
+                }
+                const secretCount = Object.keys(secrets).length;
+                this.logger.log(`Loaded ${secretCount} secret(s) from ${secretPath}`);
+                return secrets;
+            }
+            catch (error) {
+                this.logger.error(`Failed to read secrets from path: ${secretPath}`, error.message);
+                return {};
+            }
+        });
+    }
+    static loadVaultConfig() {
+        return __awaiter(this, void 0, void 0, function* () {
+            const options = this.buildVaultOptions();
+            if (!options) {
+                this.logger.log('Skipping Vault configuration loading');
+                return;
+            }
+            try {
+                this.logger.log(`Connecting to Vault at ${options.endpoint}`);
+                this.vaultClient = yield this.initializeVaultClient(options);
+                const allSecrets = {};
+                for (const secretPath of options.secretPaths) {
+                    const secrets = yield this.readSecrets(this.vaultClient, secretPath, options.apiVersion);
+                    Object.assign(allSecrets, secrets);
+                }
+                let injectedCount = 0;
+                let overriddenCount = 0;
+                for (const [key, value] of Object.entries(allSecrets)) {
+                    const hadPreviousValue = key in process.env;
+                    process.env[key] = String(value);
+                    if (hadPreviousValue) {
+                        overriddenCount++;
+                        this.logger.debug(`Override ${key} with Vault value`);
+                    }
+                    else {
+                        injectedCount++;
+                    }
+                }
+                this.logger.log(`Vault configuration loaded: ${injectedCount} new, ${overriddenCount} overridden`);
+                if (options.enableHotReload) {
+                    this.startHotReload(options);
+                }
+            }
+            catch (error) {
+                this.logger.error('Failed to load Vault configuration', error.message);
+                if (options.failOnError) {
+                    this.logger.error('Application startup failed due to Vault error');
+                    throw error;
+                }
+                else {
+                    this.logger.warn('Continuing without Vault configuration (VAULT_FAIL_ON_ERROR=false)');
+                }
+            }
+        });
+    }
+    static startHotReload(options) {
+        this.logger.log(`Starting Vault hot reload with interval: ${options.hotReloadInterval}s`);
+        if (this.hotReloadTimer) {
+            clearInterval(this.hotReloadTimer);
+        }
+        this.hotReloadTimer = setInterval(() => __awaiter(this, void 0, void 0, function* () {
+            try {
+                this.logger.debug('Reloading Vault configuration...');
+                const allSecrets = {};
+                for (const secretPath of options.secretPaths) {
+                    const secrets = yield this.readSecrets(this.vaultClient, secretPath, options.apiVersion);
+                    Object.assign(allSecrets, secrets);
+                }
+                let changedCount = 0;
+                for (const [key, value] of Object.entries(allSecrets)) {
+                    const newValue = String(value);
+                    if (process.env[key] !== newValue) {
+                        this.logger.log(`Configuration changed: ${key}`);
+                        process.env[key] = newValue;
+                        changedCount++;
+                    }
+                }
+                if (changedCount > 0) {
+                    this.logger.log(`Hot reload completed: ${changedCount} configuration(s) updated`);
+                }
+                else {
+                    this.logger.debug('Hot reload completed: no changes detected');
+                }
+            }
+            catch (error) {
+                this.logger.error('Failed to reload Vault configuration', error.message);
+            }
+        }), options.hotReloadInterval * 1000);
+    }
+    static stopHotReload() {
+        if (this.hotReloadTimer) {
+            clearInterval(this.hotReloadTimer);
+            this.hotReloadTimer = null;
+            this.logger.log('Vault hot reload stopped');
+        }
+    }
+    static getVaultClient() {
+        return this.vaultClient;
+    }
+    static isConnected() {
+        return this.vaultClient !== null && this.vaultClient !== undefined;
+    }
+}
+exports.VaultConfigLoader = VaultConfigLoader;
+VaultConfigLoader.logger = new common_1.Logger(VaultConfigLoader.name);
+VaultConfigLoader.hotReloadTimer = null;

package/vault/vault-config.service.d.ts

@@ -0,0 +1,18 @@
+export declare class VaultConfigService {
+    private readonly logger;
+    private vaultClient;
+    constructor();
+    isAvailable(): boolean;
+    getSecret(path: string, key?: string): Promise<any>;
+    setSecret(path: string, data: Record<string, any>): Promise<void>;
+    deleteSecret(path: string): Promise<void>;
+    listSecrets(path: string): Promise<string[]>;
+    healthCheck(): Promise<boolean>;
+    getStatus(): Promise<{
+        initialized: boolean;
+        sealed: boolean;
+        standby: boolean;
+        version: string;
+    } | null>;
+    renewToken(increment?: number): Promise<void>;
+}

package/vault/vault-config.service.js

@@ -0,0 +1,174 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var VaultConfigService_1;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.VaultConfigService = void 0;
+const common_1 = require("@nestjs/common");
+const vault_config_loader_1 = require("./vault-config.loader");
+let VaultConfigService = VaultConfigService_1 = class VaultConfigService {
+    constructor() {
+        this.logger = new common_1.Logger(VaultConfigService_1.name);
+        this.vaultClient = vault_config_loader_1.VaultConfigLoader.getVaultClient();
+        if (!this.vaultClient) {
+            this.logger.warn('Vault client not initialized. VaultConfigService methods will throw errors.');
+        }
+    }
+    isAvailable() {
+        return vault_config_loader_1.VaultConfigLoader.isConnected();
+    }
+    getSecret(path, key) {
+        return __awaiter(this, void 0, void 0, function* () {
+            if (!this.vaultClient) {
+                throw new Error('Vault client not initialized. Check VAULT_ENABLED configuration.');
+            }
+            try {
+                const apiVersion = process.env.VAULT_API_VERSION || 'v2';
+                const result = yield this.vaultClient.read(path);
+                if (!result || !result.data) {
+                    throw new Error(`No data found at path: ${path}`);
+                }
+                const data = apiVersion === 'v2' ? result.data.data : result.data;
+                if (!data || typeof data !== 'object') {
+                    throw new Error(`Invalid secret format at path: ${path}`);
+                }
+                if (key) {
+                    if (!(key in data)) {
+                        throw new Error(`Key '${key}' not found in secret at path: ${path}`);
+                    }
+                    return data[key];
+                }
+                return data;
+            }
+            catch (error) {
+                this.logger.error(`Failed to read secret from Vault: ${path}`, error.message);
+                throw error;
+            }
+        });
+    }
+    setSecret(path, data) {
+        return __awaiter(this, void 0, void 0, function* () {
+            if (!this.vaultClient) {
+                throw new Error('Vault client not initialized. Check VAULT_ENABLED configuration.');
+            }
+            try {
+                const apiVersion = process.env.VAULT_API_VERSION || 'v2';
+                if (apiVersion === 'v2') {
+                    yield this.vaultClient.write(path, { data });
+                }
+                else {
+                    yield this.vaultClient.write(path, data);
+                }
+                this.logger.log(`Successfully wrote secret to Vault: ${path}`);
+            }
+            catch (error) {
+                this.logger.error(`Failed to write secret to Vault: ${path}`, error.message);
+                throw error;
+            }
+        });
+    }
+    deleteSecret(path) {
+        return __awaiter(this, void 0, void 0, function* () {
+            if (!this.vaultClient) {
+                throw new Error('Vault client not initialized. Check VAULT_ENABLED configuration.');
+            }
+            try {
+                yield this.vaultClient.delete(path);
+                this.logger.log(`Successfully deleted secret from Vault: ${path}`);
+            }
+            catch (error) {
+                this.logger.error(`Failed to delete secret from Vault: ${path}`, error.message);
+                throw error;
+            }
+        });
+    }
+    listSecrets(path) {
+        return __awaiter(this, void 0, void 0, function* () {
+            if (!this.vaultClient) {
+                throw new Error('Vault client not initialized. Check VAULT_ENABLED configuration.');
+            }
+            try {
+                const result = yield this.vaultClient.list(path);
+                if (!result || !result.data || !result.data.keys) {
+                    return [];
+                }
+                return result.data.keys;
+            }
+            catch (error) {
+                this.logger.error(`Failed to list secrets from Vault: ${path}`, error.message);
+                throw error;
+            }
+        });
+    }
+    healthCheck() {
+        return __awaiter(this, void 0, void 0, function* () {
+            if (!this.vaultClient) {
+                return false;
+            }
+            try {
+                const health = yield this.vaultClient.health();
+                return health && !health.sealed;
+            }
+            catch (error) {
+                this.logger.error('Vault health check failed', error.message);
+                return false;
+            }
+        });
+    }
+    getStatus() {
+        return __awaiter(this, void 0, void 0, function* () {
+            if (!this.vaultClient) {
+                return null;
+            }
+            try {
+                const health = yield this.vaultClient.health();
+                return {
+                    initialized: health.initialized || false,
+                    sealed: health.sealed || false,
+                    standby: health.standby || false,
+                    version: health.version || 'unknown',
+                };
+            }
+            catch (error) {
+                this.logger.error('Failed to get Vault status', error.message);
+                return null;
+            }
+        });
+    }
+    renewToken(increment) {
+        return __awaiter(this, void 0, void 0, function* () {
+            if (!this.vaultClient) {
+                throw new Error('Vault client not initialized. Check VAULT_ENABLED configuration.');
+            }
+            try {
+                yield this.vaultClient.tokenRenewSelf({ increment });
+                this.logger.log('Vault token renewed successfully');
+            }
+            catch (error) {
+                this.logger.error('Failed to renew Vault token', error.message);
+                throw error;
+            }
+        });
+    }
+};
+exports.VaultConfigService = VaultConfigService;
+exports.VaultConfigService = VaultConfigService = VaultConfigService_1 = __decorate([
+    (0, common_1.Injectable)(),
+    __metadata("design:paramtypes", [])
+], VaultConfigService);

package/vault/vault.module.d.ts

@@ -0,0 +1,2 @@
+export declare class VaultModule {
+}

package/vault/vault.module.js

@@ -0,0 +1,21 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.VaultModule = void 0;
+const common_1 = require("@nestjs/common");
+const vault_config_service_1 = require("./vault-config.service");
+let VaultModule = class VaultModule {
+};
+exports.VaultModule = VaultModule;
+exports.VaultModule = VaultModule = __decorate([
+    (0, common_1.Global)(),
+    (0, common_1.Module)({
+        providers: [vault_config_service_1.VaultConfigService],
+        exports: [vault_config_service_1.VaultConfigService],
+    })
+], VaultModule);