@noy-db/at-aws-kms 0.2.0-pre.1

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 vLannaAi
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,79 @@
+# @noy-db/at-aws-kms
+
+**AWS KMS sealing key provider for noy-db [managed-passphrase mode](https://github.com/vLannaAi/noy-db/issues/14).**
+
+An `at-*` provider that seals and unseals the hub-generated random passphrase via AWS KMS Encrypt / Decrypt. Every seal and unseal is an authenticated KMS API call — giving you a CloudTrail-backed access log of every time a user's vault is opened, with no additional instrumentation required.
+
+Like all `at-*` providers, this is a *trusted host* provider: the host you deploy it on CAN decrypt what it unseals. The security boundary is your AWS IAM policy — access is controlled by which roles hold `kms:Decrypt` on the KMS key, not by a secret the host keeps in memory.
+
+## Install
+
+```bash
+pnpm add @noy-db/hub @noy-db/at-aws-kms @noy-db/on-shamir
+# or: npm install @noy-db/hub @noy-db/at-aws-kms @noy-db/on-shamir
+```
+
+## Setup
+
+```bash
+# 1. Create a KMS key once (or reuse an existing ENCRYPT_DECRYPT key):
+aws kms create-key --description "noy-db sealing key"
+# Note the KeyId or ARN from the output.
+
+# 2. Grant your host's IAM role kms:Encrypt + kms:Decrypt on that key.
+#    Credentials are picked up automatically from the SDK's ambient chain
+#    (IAM instance role, ECS task role, ~/.aws/credentials, env vars, etc.).
+```
+
+```ts
+// 3. In your app:
+import { createNoydb } from '@noy-db/hub'
+import { awsKmsSealingProvider } from '@noy-db/at-aws-kms'
+import { shamirRecoveryProvider } from '@noy-db/on-shamir'
+
+const db = await createNoydb({
+  store,
+  user: 'alice',
+  passphraseMode: 'managed',
+  sealingKey: awsKmsSealingProvider({ keyId: 'arn:aws:kms:us-east-1:123456789012:key/abc' }),
+  shamirRecovery: shamirRecoveryProvider(),
+})
+
+const vault = await db.openVault('acme')
+// Hub generated a 256-bit random on first open, sealed it via KMS Encrypt,
+// and persisted to _meta/sealed-passphrase. The user never sees a passphrase.
+// On reopen, at-aws-kms calls KMS Decrypt transparently.
+// CloudTrail logs every Encrypt/Decrypt call with caller identity + key ARN.
+```
+
+## When to use this provider
+
+- ✅ Compliance regimes requiring auditable key access logs (FedRAMP, HIPAA with managed-encryption requirements, SOC 2 Type II).
+- ✅ Workloads already running on AWS where a KMS key costs less than engineering an equivalent audit trail.
+- ✅ Any case where you want automatic CMK rotation without rotating app-side key material.
+
+## When NOT to use this provider
+
+- ❌ Non-AWS or multi-cloud deployments where adding an AWS dependency is undesirable. Use [`@noy-db/at-env`](../at-env) for a zero-extra-dependency option.
+- ❌ Local dev / CI where you don't want real KMS calls or AWS credentials in CI. Use [`@noy-db/at-env`](../at-env) or `MemorySealingKeyProvider` from `@noy-db/hub` instead.
+
+## Key rotation
+
+KMS supports automatic key rotation for symmetric keys. Enable it on the CMK and KMS handles the rest — your `keyId` stays the same, no app changes needed. Cross-key migration (moving sealed passphrases to a different CMK) requires manual re-sealing with `unseal` + `seal` under the new key.
+
+## API
+
+```ts
+function awsKmsSealingProvider(opts: {
+  keyId: string                    // KMS key id or full ARN
+  client?: Pick<KMSClient, 'send'> // optional pre-built client (useful for tests)
+}): SealingKeyProvider
+```
+
+Never pass raw AWS credentials in the options — inject a pre-configured `KMSClient` for non-default auth. The default `new KMSClient({})` resolves credentials via the SDK's ambient chain.
+
+Returns a [`SealingKeyProvider`](../hub/src/team/managed-passphrase.ts) — the contract `@noy-db/hub`'s managed-passphrase mode consumes.
+
+## License
+
+MIT

package/dist/index.cjs

@@ -0,0 +1,53 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  awsKmsSealingProvider: () => awsKmsSealingProvider
+});
+module.exports = __toCommonJS(index_exports);
+var import_client_kms = require("@aws-sdk/client-kms");
+function awsKmsSealingProvider(opts) {
+  const client = opts.client ?? new import_client_kms.KMSClient({});
+  return {
+    id: `aws-kms:${opts.keyId}`,
+    async seal(passphrase) {
+      const out = await client.send(
+        new import_client_kms.EncryptCommand({ KeyId: opts.keyId, Plaintext: passphrase })
+      );
+      const blob = out.CiphertextBlob;
+      if (!blob) throw new Error("@noy-db/at-aws-kms: KMS Encrypt returned no CiphertextBlob");
+      return blob instanceof Uint8Array ? blob : new Uint8Array(blob);
+    },
+    async unseal(sealed) {
+      const out = await client.send(
+        new import_client_kms.DecryptCommand({ CiphertextBlob: sealed, KeyId: opts.keyId })
+      );
+      const pt = out.Plaintext;
+      if (!pt) throw new Error("@noy-db/at-aws-kms: KMS Decrypt returned no Plaintext");
+      return pt instanceof Uint8Array ? pt : new Uint8Array(pt);
+    }
+  };
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  awsKmsSealingProvider
+});
+//# sourceMappingURL=index.cjs.map

package/dist/index.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/index.ts"],"sourcesContent":["/**\n * **@noy-db/at-aws-kms** — AWS KMS sealing key provider for noy-db\n * managed-passphrase mode (#188).\n *\n * An `at-*` provider that seals and unseals the hub-generated random\n * passphrase via AWS KMS Encrypt / Decrypt. Every seal and unseal is an\n * authenticated KMS API call, giving you a CloudTrail-backed access log of\n * every time a user's vault is opened — no additional instrumentation\n * required.\n *\n * ## When to use\n *\n * - Compliance regimes requiring auditable key access logs (FedRAMP, HIPAA\n *   with managed-encryption requirements, SOC 2 Type II).\n * - Workloads already running on AWS where a KMS key costs less than\n *   engineering an equivalent audit trail.\n * - Any case where you want automatic CMK rotation without rotating your\n *   app's sealing key material manually.\n *\n * ## Setup\n *\n * ```bash\n * # 1. Create a KMS key (one-time, in your AWS console or CLI):\n * aws kms create-key --description \"noy-db sealing key\"\n * # Note the KeyId/ARN from the output.\n *\n * # 2. Grant the host's IAM role kms:Encrypt + kms:Decrypt on that key.\n * # Credentials are picked up automatically from the SDK's ambient chain\n * # (IAM role, ~/.aws/credentials, env vars — see AWS SDK docs).\n * ```\n *\n * ```ts\n * // 3. In your app:\n * import { createNoydb } from '@noy-db/hub'\n * import { awsKmsSealingProvider } from '@noy-db/at-aws-kms'\n * import { shamirRecoveryProvider } from '@noy-db/on-shamir'\n *\n * const db = await createNoydb({\n *   store,\n *   user: 'alice',\n *   passphraseMode: 'managed',\n *   sealingKey: awsKmsSealingProvider({ keyId: 'arn:aws:kms:us-east-1:123:key/abc' }),\n *   shamirRecovery: shamirRecoveryProvider(),\n * })\n * ```\n *\n * @packageDocumentation\n */\n\nimport type { SealingKeyProvider } from '@noy-db/hub'\nimport {\n  KMSClient,\n  EncryptCommand,\n  DecryptCommand,\n  type EncryptCommandOutput,\n  type DecryptCommandOutput,\n} from '@aws-sdk/client-kms'\n\n/** Options for {@link awsKmsSealingProvider}. */\nexport interface AwsKmsSealingProviderOptions {\n  /** KMS key id or ARN (e.g. `arn:aws:kms:us-east-1:123:key/abc`). */\n  readonly keyId: string\n  /** Optional pre-built client (DI for tests). Default `new KMSClient({})` (ambient creds). */\n  readonly client?: Pick<KMSClient, 'send'>\n}\n\n/**\n * Build a {@link SealingKeyProvider} backed by AWS KMS Encrypt / Decrypt.\n *\n * Credentials are resolved by the SDK's ambient chain — IAM instance roles,\n * environment variables, or `~/.aws/credentials`. Never pass raw credentials\n * in the options; inject a pre-configured client for non-default auth instead.\n *\n * @throws Error when KMS returns no ciphertext or no plaintext (guards\n * against unexpected SDK-response shapes).\n * Any KMS API error (AccessDenied, InvalidKeyUsage, etc.) propagates as-is.\n */\nexport function awsKmsSealingProvider(opts: AwsKmsSealingProviderOptions): SealingKeyProvider {\n  const client = opts.client ?? new KMSClient({})\n  return {\n    id: `aws-kms:${opts.keyId}`,\n\n    async seal(passphrase) {\n      const out: EncryptCommandOutput = await client.send(\n        new EncryptCommand({ KeyId: opts.keyId, Plaintext: passphrase }),\n      )\n      const blob = out.CiphertextBlob\n      if (!blob) throw new Error('@noy-db/at-aws-kms: KMS Encrypt returned no CiphertextBlob')\n      return blob instanceof Uint8Array ? blob : new Uint8Array(blob)\n    },\n\n    async unseal(sealed) {\n      const out: DecryptCommandOutput = await client.send(\n        new DecryptCommand({ CiphertextBlob: sealed, KeyId: opts.keyId }),\n      )\n      const pt = out.Plaintext\n      if (!pt) throw new Error('@noy-db/at-aws-kms: KMS Decrypt returned no Plaintext')\n      return pt instanceof Uint8Array ? pt : new Uint8Array(pt)\n    },\n  }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAkDA,wBAMO;AAqBA,SAAS,sBAAsB,MAAwD;AAC5F,QAAM,SAAS,KAAK,UAAU,IAAI,4BAAU,CAAC,CAAC;AAC9C,SAAO;AAAA,IACL,IAAI,WAAW,KAAK,KAAK;AAAA,IAEzB,MAAM,KAAK,YAAY;AACrB,YAAM,MAA4B,MAAM,OAAO;AAAA,QAC7C,IAAI,iCAAe,EAAE,OAAO,KAAK,OAAO,WAAW,WAAW,CAAC;AAAA,MACjE;AACA,YAAM,OAAO,IAAI;AACjB,UAAI,CAAC,KAAM,OAAM,IAAI,MAAM,4DAA4D;AACvF,aAAO,gBAAgB,aAAa,OAAO,IAAI,WAAW,IAAI;AAAA,IAChE;AAAA,IAEA,MAAM,OAAO,QAAQ;AACnB,YAAM,MAA4B,MAAM,OAAO;AAAA,QAC7C,IAAI,iCAAe,EAAE,gBAAgB,QAAQ,OAAO,KAAK,MAAM,CAAC;AAAA,MAClE;AACA,YAAM,KAAK,IAAI;AACf,UAAI,CAAC,GAAI,OAAM,IAAI,MAAM,uDAAuD;AAChF,aAAO,cAAc,aAAa,KAAK,IAAI,WAAW,EAAE;AAAA,IAC1D;AAAA,EACF;AACF;","names":[]}

package/dist/index.d.cts

@@ -0,0 +1,73 @@
+import { SealingKeyProvider } from '@noy-db/hub';
+import { KMSClient } from '@aws-sdk/client-kms';
+
+/**
+ * **@noy-db/at-aws-kms** — AWS KMS sealing key provider for noy-db
+ * managed-passphrase mode (#188).
+ *
+ * An `at-*` provider that seals and unseals the hub-generated random
+ * passphrase via AWS KMS Encrypt / Decrypt. Every seal and unseal is an
+ * authenticated KMS API call, giving you a CloudTrail-backed access log of
+ * every time a user's vault is opened — no additional instrumentation
+ * required.
+ *
+ * ## When to use
+ *
+ * - Compliance regimes requiring auditable key access logs (FedRAMP, HIPAA
+ *   with managed-encryption requirements, SOC 2 Type II).
+ * - Workloads already running on AWS where a KMS key costs less than
+ *   engineering an equivalent audit trail.
+ * - Any case where you want automatic CMK rotation without rotating your
+ *   app's sealing key material manually.
+ *
+ * ## Setup
+ *
+ * ```bash
+ * # 1. Create a KMS key (one-time, in your AWS console or CLI):
+ * aws kms create-key --description "noy-db sealing key"
+ * # Note the KeyId/ARN from the output.
+ *
+ * # 2. Grant the host's IAM role kms:Encrypt + kms:Decrypt on that key.
+ * # Credentials are picked up automatically from the SDK's ambient chain
+ * # (IAM role, ~/.aws/credentials, env vars — see AWS SDK docs).
+ * ```
+ *
+ * ```ts
+ * // 3. In your app:
+ * import { createNoydb } from '@noy-db/hub'
+ * import { awsKmsSealingProvider } from '@noy-db/at-aws-kms'
+ * import { shamirRecoveryProvider } from '@noy-db/on-shamir'
+ *
+ * const db = await createNoydb({
+ *   store,
+ *   user: 'alice',
+ *   passphraseMode: 'managed',
+ *   sealingKey: awsKmsSealingProvider({ keyId: 'arn:aws:kms:us-east-1:123:key/abc' }),
+ *   shamirRecovery: shamirRecoveryProvider(),
+ * })
+ * ```
+ *
+ * @packageDocumentation
+ */
+
+/** Options for {@link awsKmsSealingProvider}. */
+interface AwsKmsSealingProviderOptions {
+    /** KMS key id or ARN (e.g. `arn:aws:kms:us-east-1:123:key/abc`). */
+    readonly keyId: string;
+    /** Optional pre-built client (DI for tests). Default `new KMSClient({})` (ambient creds). */
+    readonly client?: Pick<KMSClient, 'send'>;
+}
+/**
+ * Build a {@link SealingKeyProvider} backed by AWS KMS Encrypt / Decrypt.
+ *
+ * Credentials are resolved by the SDK's ambient chain — IAM instance roles,
+ * environment variables, or `~/.aws/credentials`. Never pass raw credentials
+ * in the options; inject a pre-configured client for non-default auth instead.
+ *
+ * @throws Error when KMS returns no ciphertext or no plaintext (guards
+ * against unexpected SDK-response shapes).
+ * Any KMS API error (AccessDenied, InvalidKeyUsage, etc.) propagates as-is.
+ */
+declare function awsKmsSealingProvider(opts: AwsKmsSealingProviderOptions): SealingKeyProvider;
+
+export { type AwsKmsSealingProviderOptions, awsKmsSealingProvider };

package/dist/index.d.ts

@@ -0,0 +1,73 @@
+import { SealingKeyProvider } from '@noy-db/hub';
+import { KMSClient } from '@aws-sdk/client-kms';
+
+/**
+ * **@noy-db/at-aws-kms** — AWS KMS sealing key provider for noy-db
+ * managed-passphrase mode (#188).
+ *
+ * An `at-*` provider that seals and unseals the hub-generated random
+ * passphrase via AWS KMS Encrypt / Decrypt. Every seal and unseal is an
+ * authenticated KMS API call, giving you a CloudTrail-backed access log of
+ * every time a user's vault is opened — no additional instrumentation
+ * required.
+ *
+ * ## When to use
+ *
+ * - Compliance regimes requiring auditable key access logs (FedRAMP, HIPAA
+ *   with managed-encryption requirements, SOC 2 Type II).
+ * - Workloads already running on AWS where a KMS key costs less than
+ *   engineering an equivalent audit trail.
+ * - Any case where you want automatic CMK rotation without rotating your
+ *   app's sealing key material manually.
+ *
+ * ## Setup
+ *
+ * ```bash
+ * # 1. Create a KMS key (one-time, in your AWS console or CLI):
+ * aws kms create-key --description "noy-db sealing key"
+ * # Note the KeyId/ARN from the output.
+ *
+ * # 2. Grant the host's IAM role kms:Encrypt + kms:Decrypt on that key.
+ * # Credentials are picked up automatically from the SDK's ambient chain
+ * # (IAM role, ~/.aws/credentials, env vars — see AWS SDK docs).
+ * ```
+ *
+ * ```ts
+ * // 3. In your app:
+ * import { createNoydb } from '@noy-db/hub'
+ * import { awsKmsSealingProvider } from '@noy-db/at-aws-kms'
+ * import { shamirRecoveryProvider } from '@noy-db/on-shamir'
+ *
+ * const db = await createNoydb({
+ *   store,
+ *   user: 'alice',
+ *   passphraseMode: 'managed',
+ *   sealingKey: awsKmsSealingProvider({ keyId: 'arn:aws:kms:us-east-1:123:key/abc' }),
+ *   shamirRecovery: shamirRecoveryProvider(),
+ * })
+ * ```
+ *
+ * @packageDocumentation
+ */
+
+/** Options for {@link awsKmsSealingProvider}. */
+interface AwsKmsSealingProviderOptions {
+    /** KMS key id or ARN (e.g. `arn:aws:kms:us-east-1:123:key/abc`). */
+    readonly keyId: string;
+    /** Optional pre-built client (DI for tests). Default `new KMSClient({})` (ambient creds). */
+    readonly client?: Pick<KMSClient, 'send'>;
+}
+/**
+ * Build a {@link SealingKeyProvider} backed by AWS KMS Encrypt / Decrypt.
+ *
+ * Credentials are resolved by the SDK's ambient chain — IAM instance roles,
+ * environment variables, or `~/.aws/credentials`. Never pass raw credentials
+ * in the options; inject a pre-configured client for non-default auth instead.
+ *
+ * @throws Error when KMS returns no ciphertext or no plaintext (guards
+ * against unexpected SDK-response shapes).
+ * Any KMS API error (AccessDenied, InvalidKeyUsage, etc.) propagates as-is.
+ */
+declare function awsKmsSealingProvider(opts: AwsKmsSealingProviderOptions): SealingKeyProvider;
+
+export { type AwsKmsSealingProviderOptions, awsKmsSealingProvider };

package/dist/index.js

@@ -0,0 +1,32 @@
+// src/index.ts
+import {
+  KMSClient,
+  EncryptCommand,
+  DecryptCommand
+} from "@aws-sdk/client-kms";
+function awsKmsSealingProvider(opts) {
+  const client = opts.client ?? new KMSClient({});
+  return {
+    id: `aws-kms:${opts.keyId}`,
+    async seal(passphrase) {
+      const out = await client.send(
+        new EncryptCommand({ KeyId: opts.keyId, Plaintext: passphrase })
+      );
+      const blob = out.CiphertextBlob;
+      if (!blob) throw new Error("@noy-db/at-aws-kms: KMS Encrypt returned no CiphertextBlob");
+      return blob instanceof Uint8Array ? blob : new Uint8Array(blob);
+    },
+    async unseal(sealed) {
+      const out = await client.send(
+        new DecryptCommand({ CiphertextBlob: sealed, KeyId: opts.keyId })
+      );
+      const pt = out.Plaintext;
+      if (!pt) throw new Error("@noy-db/at-aws-kms: KMS Decrypt returned no Plaintext");
+      return pt instanceof Uint8Array ? pt : new Uint8Array(pt);
+    }
+  };
+}
+export {
+  awsKmsSealingProvider
+};
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/index.ts"],"sourcesContent":["/**\n * **@noy-db/at-aws-kms** — AWS KMS sealing key provider for noy-db\n * managed-passphrase mode (#188).\n *\n * An `at-*` provider that seals and unseals the hub-generated random\n * passphrase via AWS KMS Encrypt / Decrypt. Every seal and unseal is an\n * authenticated KMS API call, giving you a CloudTrail-backed access log of\n * every time a user's vault is opened — no additional instrumentation\n * required.\n *\n * ## When to use\n *\n * - Compliance regimes requiring auditable key access logs (FedRAMP, HIPAA\n *   with managed-encryption requirements, SOC 2 Type II).\n * - Workloads already running on AWS where a KMS key costs less than\n *   engineering an equivalent audit trail.\n * - Any case where you want automatic CMK rotation without rotating your\n *   app's sealing key material manually.\n *\n * ## Setup\n *\n * ```bash\n * # 1. Create a KMS key (one-time, in your AWS console or CLI):\n * aws kms create-key --description \"noy-db sealing key\"\n * # Note the KeyId/ARN from the output.\n *\n * # 2. Grant the host's IAM role kms:Encrypt + kms:Decrypt on that key.\n * # Credentials are picked up automatically from the SDK's ambient chain\n * # (IAM role, ~/.aws/credentials, env vars — see AWS SDK docs).\n * ```\n *\n * ```ts\n * // 3. In your app:\n * import { createNoydb } from '@noy-db/hub'\n * import { awsKmsSealingProvider } from '@noy-db/at-aws-kms'\n * import { shamirRecoveryProvider } from '@noy-db/on-shamir'\n *\n * const db = await createNoydb({\n *   store,\n *   user: 'alice',\n *   passphraseMode: 'managed',\n *   sealingKey: awsKmsSealingProvider({ keyId: 'arn:aws:kms:us-east-1:123:key/abc' }),\n *   shamirRecovery: shamirRecoveryProvider(),\n * })\n * ```\n *\n * @packageDocumentation\n */\n\nimport type { SealingKeyProvider } from '@noy-db/hub'\nimport {\n  KMSClient,\n  EncryptCommand,\n  DecryptCommand,\n  type EncryptCommandOutput,\n  type DecryptCommandOutput,\n} from '@aws-sdk/client-kms'\n\n/** Options for {@link awsKmsSealingProvider}. */\nexport interface AwsKmsSealingProviderOptions {\n  /** KMS key id or ARN (e.g. `arn:aws:kms:us-east-1:123:key/abc`). */\n  readonly keyId: string\n  /** Optional pre-built client (DI for tests). Default `new KMSClient({})` (ambient creds). */\n  readonly client?: Pick<KMSClient, 'send'>\n}\n\n/**\n * Build a {@link SealingKeyProvider} backed by AWS KMS Encrypt / Decrypt.\n *\n * Credentials are resolved by the SDK's ambient chain — IAM instance roles,\n * environment variables, or `~/.aws/credentials`. Never pass raw credentials\n * in the options; inject a pre-configured client for non-default auth instead.\n *\n * @throws Error when KMS returns no ciphertext or no plaintext (guards\n * against unexpected SDK-response shapes).\n * Any KMS API error (AccessDenied, InvalidKeyUsage, etc.) propagates as-is.\n */\nexport function awsKmsSealingProvider(opts: AwsKmsSealingProviderOptions): SealingKeyProvider {\n  const client = opts.client ?? new KMSClient({})\n  return {\n    id: `aws-kms:${opts.keyId}`,\n\n    async seal(passphrase) {\n      const out: EncryptCommandOutput = await client.send(\n        new EncryptCommand({ KeyId: opts.keyId, Plaintext: passphrase }),\n      )\n      const blob = out.CiphertextBlob\n      if (!blob) throw new Error('@noy-db/at-aws-kms: KMS Encrypt returned no CiphertextBlob')\n      return blob instanceof Uint8Array ? blob : new Uint8Array(blob)\n    },\n\n    async unseal(sealed) {\n      const out: DecryptCommandOutput = await client.send(\n        new DecryptCommand({ CiphertextBlob: sealed, KeyId: opts.keyId }),\n      )\n      const pt = out.Plaintext\n      if (!pt) throw new Error('@noy-db/at-aws-kms: KMS Decrypt returned no Plaintext')\n      return pt instanceof Uint8Array ? pt : new Uint8Array(pt)\n    },\n  }\n}\n"],"mappings":";AAkDA;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,OAGK;AAqBA,SAAS,sBAAsB,MAAwD;AAC5F,QAAM,SAAS,KAAK,UAAU,IAAI,UAAU,CAAC,CAAC;AAC9C,SAAO;AAAA,IACL,IAAI,WAAW,KAAK,KAAK;AAAA,IAEzB,MAAM,KAAK,YAAY;AACrB,YAAM,MAA4B,MAAM,OAAO;AAAA,QAC7C,IAAI,eAAe,EAAE,OAAO,KAAK,OAAO,WAAW,WAAW,CAAC;AAAA,MACjE;AACA,YAAM,OAAO,IAAI;AACjB,UAAI,CAAC,KAAM,OAAM,IAAI,MAAM,4DAA4D;AACvF,aAAO,gBAAgB,aAAa,OAAO,IAAI,WAAW,IAAI;AAAA,IAChE;AAAA,IAEA,MAAM,OAAO,QAAQ;AACnB,YAAM,MAA4B,MAAM,OAAO;AAAA,QAC7C,IAAI,eAAe,EAAE,gBAAgB,QAAQ,OAAO,KAAK,MAAM,CAAC;AAAA,MAClE;AACA,YAAM,KAAK,IAAI;AACf,UAAI,CAAC,GAAI,OAAM,IAAI,MAAM,uDAAuD;AAChF,aAAO,cAAc,aAAa,KAAK,IAAI,WAAW,EAAE;AAAA,IAC1D;AAAA,EACF;AACF;","names":[]}

package/package.json

@@ -0,0 +1,72 @@
+{
+  "name": "@noy-db/at-aws-kms",
+  "version": "0.2.0-pre.1",
+  "description": "AWS KMS sealing key provider for noy-db managed-passphrase mode — seal/unseal via KMS Encrypt/Decrypt, with KMS access logs.",
+  "license": "MIT",
+  "author": "vLannaAi <vicio@lanna.ai>",
+  "homepage": "https://github.com/vLannaAi/noy-db/tree/main/packages/at-aws-kms#readme",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/vLannaAi/noy-db.git",
+    "directory": "packages/at-aws-kms"
+  },
+  "bugs": {
+    "url": "https://github.com/vLannaAi/noy-db/issues"
+  },
+  "type": "module",
+  "sideEffects": false,
+  "exports": {
+    ".": {
+      "import": {
+        "types": "./dist/index.d.ts",
+        "default": "./dist/index.js"
+      },
+      "require": {
+        "types": "./dist/index.d.cts",
+        "default": "./dist/index.cjs"
+      }
+    }
+  },
+  "main": "./dist/index.cjs",
+  "module": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "files": [
+    "dist",
+    "README.md",
+    "LICENSE"
+  ],
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "peerDependencies": {
+    "@aws-sdk/client-kms": "^3.0.0",
+    "@noy-db/hub": "0.2.0-pre.1"
+  },
+  "devDependencies": {
+    "@types/node": "^22.0.0",
+    "@aws-sdk/client-kms": "^3.0.0",
+    "@noy-db/on-shamir": "0.2.0-pre.1",
+    "@noy-db/hub": "0.2.0-pre.1",
+    "@noy-db/to-memory": "0.2.0-pre.1"
+  },
+  "keywords": [
+    "noy-db",
+    "at-aws-kms",
+    "aws-kms",
+    "kms",
+    "sealing-key-provider",
+    "managed-passphrase",
+    "encryption",
+    "zero-knowledge"
+  ],
+  "publishConfig": {
+    "access": "public",
+    "tag": "latest"
+  },
+  "scripts": {
+    "build": "tsup",
+    "test": "vitest run",
+    "lint": "eslint src/",
+    "typecheck": "tsc --noEmit"
+  }
+}