@noy-db/at-azure-keyvault 0.2.0-pre.9 → 0.3.0-pre.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@noy-db/at-azure-keyvault",
3
- "version": "0.2.0-pre.9",
3
+ "version": "0.3.0-pre.2",
4
4
  "description": "Azure Key Vault sealing key provider for noy-db managed-passphrase mode.",
5
5
  "license": "MIT",
6
6
  "author": "vLannaAi <vicio@lanna.ai>",
@@ -17,17 +17,10 @@
17
17
  "sideEffects": false,
18
18
  "exports": {
19
19
  ".": {
20
- "import": {
21
- "types": "./dist/index.d.ts",
22
- "default": "./dist/index.js"
23
- },
24
- "require": {
25
- "types": "./dist/index.d.cts",
26
- "default": "./dist/index.cjs"
27
- }
20
+ "types": "./dist/index.d.ts",
21
+ "default": "./dist/index.js"
28
22
  }
29
23
  },
30
- "main": "./dist/index.cjs",
31
24
  "module": "./dist/index.js",
32
25
  "types": "./dist/index.d.ts",
33
26
  "files": [
@@ -36,20 +29,20 @@
36
29
  "LICENSE"
37
30
  ],
38
31
  "engines": {
39
- "node": ">=18.0.0"
32
+ "node": ">=22.0.0"
40
33
  },
41
34
  "peerDependencies": {
42
35
  "@azure/keyvault-keys": "^4.0.0",
43
36
  "@azure/identity": "^4.0.0",
44
- "@noy-db/hub": "0.2.0-pre.9"
37
+ "@noy-db/hub": "0.3.0-pre.2"
45
38
  },
46
39
  "devDependencies": {
47
40
  "@types/node": "^22.0.0",
48
41
  "@azure/keyvault-keys": "^4.0.0",
49
42
  "@azure/identity": "^4.0.0",
50
- "@noy-db/on-shamir": "0.2.0-pre.9",
51
- "@noy-db/to-memory": "0.2.0-pre.9",
52
- "@noy-db/hub": "0.2.0-pre.9"
43
+ "@noy-db/hub": "0.3.0-pre.2",
44
+ "@noy-db/to-memory": "0.3.0-pre.2",
45
+ "@noy-db/on-shamir": "0.3.0-pre.2"
53
46
  },
54
47
  "keywords": [
55
48
  "noy-db",
package/dist/index.cjs DELETED
@@ -1,51 +0,0 @@
1
- "use strict";
2
- var __defProp = Object.defineProperty;
3
- var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
4
- var __getOwnPropNames = Object.getOwnPropertyNames;
5
- var __hasOwnProp = Object.prototype.hasOwnProperty;
6
- var __export = (target, all) => {
7
- for (var name in all)
8
- __defProp(target, name, { get: all[name], enumerable: true });
9
- };
10
- var __copyProps = (to, from, except, desc) => {
11
- if (from && typeof from === "object" || typeof from === "function") {
12
- for (let key of __getOwnPropNames(from))
13
- if (!__hasOwnProp.call(to, key) && key !== except)
14
- __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
15
- }
16
- return to;
17
- };
18
- var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
19
-
20
- // src/index.ts
21
- var index_exports = {};
22
- __export(index_exports, {
23
- azureKeyVaultSealingProvider: () => azureKeyVaultSealingProvider
24
- });
25
- module.exports = __toCommonJS(index_exports);
26
- var import_keyvault_keys = require("@azure/keyvault-keys");
27
- var import_identity = require("@azure/identity");
28
- function azureKeyVaultSealingProvider(opts) {
29
- const algorithm = opts.algorithm ?? "RSA-OAEP-256";
30
- const client = opts.cryptographyClient ?? new import_keyvault_keys.CryptographyClient(opts.keyId, new import_identity.DefaultAzureCredential());
31
- return {
32
- id: `azure-kv:${opts.keyId}`,
33
- async seal(passphrase) {
34
- const res = await client.encrypt({ algorithm, plaintext: passphrase });
35
- const c = res?.result;
36
- if (!c) throw new Error("@noy-db/at-azure-keyvault: Key Vault encrypt returned no result");
37
- return c instanceof Uint8Array ? c : new Uint8Array(c);
38
- },
39
- async unseal(sealed) {
40
- const res = await client.decrypt({ algorithm, ciphertext: sealed });
41
- const p = res?.result;
42
- if (!p) throw new Error("@noy-db/at-azure-keyvault: Key Vault decrypt returned no result");
43
- return p instanceof Uint8Array ? p : new Uint8Array(p);
44
- }
45
- };
46
- }
47
- // Annotate the CommonJS export names for ESM import in node:
48
- 0 && (module.exports = {
49
- azureKeyVaultSealingProvider
50
- });
51
- //# sourceMappingURL=index.cjs.map
@@ -1 +0,0 @@
1
- {"version":3,"sources":["../src/index.ts"],"sourcesContent":["/**\n * **@noy-db/at-azure-keyvault** — Azure Key Vault sealing key provider for noy-db\n * managed-passphrase mode.\n *\n * An `at-*` provider that seals and unseals the hub-generated random\n * passphrase via Azure Key Vault Encrypt / Decrypt. Every seal and unseal is\n * an authenticated Key Vault API call, giving you an Azure Monitor / Key Vault\n * audit-log-backed access record of every time a user's vault is opened —\n * no additional instrumentation required.\n *\n * ## When to use\n *\n * - Compliance regimes requiring auditable key access logs (FedRAMP, HIPAA\n * with managed-encryption requirements, SOC 2 Type II).\n * - Workloads already running on Azure where a Key Vault RSA key costs less\n * than engineering an equivalent audit trail.\n * - Any case where you need an auditable, Azure-native key custody record\n * for every vault open.\n *\n * ## Setup\n *\n * ```bash\n * # 1. Create a Key Vault and an RSA key (one-time):\n * az keyvault create --name my-noydb-vault --resource-group my-rg --location eastus\n * az keyvault key create --vault-name my-noydb-vault --name noydb-sealing --kty RSA --size 2048\n * # Note the full key identifier URL from the output (id field).\n *\n * # 2. Grant the host's managed identity or service principal the\n * # encrypt + decrypt (or wrapKey + unwrapKey) permissions on the key:\n * az keyvault set-policy --name my-noydb-vault \\\n * --object-id <MANAGED_IDENTITY_OBJECT_ID> \\\n * --key-permissions encrypt decrypt\n * # Credentials are resolved automatically via DefaultAzureCredential:\n * # managed identity attached to the Azure host, AZURE_CLIENT_ID /\n * # AZURE_TENANT_ID / AZURE_CLIENT_SECRET env vars, or `az login` for\n * # local dev.\n * ```\n *\n * ```ts\n * // 3. In your app:\n * import { createNoydb } from '@noy-db/hub'\n * import { azureKeyVaultSealingProvider } from '@noy-db/at-azure-keyvault'\n * import { shamirRecoveryProvider } from '@noy-db/on-shamir'\n *\n * const db = await createNoydb({\n * store,\n * user: 'alice',\n * passphraseMode: 'managed',\n * sealingKey: azureKeyVaultSealingProvider({\n * keyId: 'https://my-noydb-vault.vault.azure.net/keys/noydb-sealing/<version>',\n * }),\n * shamirRecovery: shamirRecoveryProvider(),\n * })\n * ```\n *\n * @packageDocumentation\n */\n\nimport type { SealingKeyProvider } from '@noy-db/hub'\nimport {\n CryptographyClient,\n type EncryptResult,\n type DecryptResult,\n type RsaEncryptParameters,\n type RsaDecryptParameters,\n} from '@azure/keyvault-keys'\nimport { DefaultAzureCredential } from '@azure/identity'\n\n/** Minimal client surface required by {@link azureKeyVaultSealingProvider}. */\ninterface CryptoLike {\n encrypt(params: RsaEncryptParameters): Promise<EncryptResult>\n decrypt(params: RsaDecryptParameters): Promise<DecryptResult>\n}\n\n/** Options for {@link azureKeyVaultSealingProvider}. */\nexport interface AzureKeyVaultSealingProviderOptions {\n /**\n * Full **versioned** key identifier URL, e.g.\n * `https://<vault>.vault.azure.net/keys/<name>/<version>`.\n *\n * Azure RSA decrypt is version-bound: the `CryptographyClient` resolves the\n * key version at construction time and every decrypt call is pinned to it.\n * A versionless URL (`.../keys/<name>`) resolves to \"latest\" — if the key\n * auto-rotates, all passphrases sealed under the previous version become\n * **permanently undecryptable**. Always pin to an explicit version.\n */\n readonly keyId: string\n /** RSA encryption algorithm. Defaults to `'RSA-OAEP-256'`. */\n readonly algorithm?: 'RSA-OAEP-256' | 'RSA-OAEP'\n /**\n * Optional pre-built CryptographyClient (DI for tests).\n * Default: builds one with `DefaultAzureCredential`.\n * Never pass raw Azure credentials in these options.\n */\n readonly cryptographyClient?: CryptoLike\n}\n\n/**\n * Build a {@link SealingKeyProvider} backed by Azure Key Vault Encrypt / Decrypt.\n *\n * Credentials are resolved via `DefaultAzureCredential` — managed identities\n * on Azure hosts, `AZURE_CLIENT_ID` / `AZURE_TENANT_ID` / `AZURE_CLIENT_SECRET`\n * env vars, or `az login` for local dev. Never pass raw credentials in the\n * options; inject a pre-configured `CryptographyClient` for non-default auth\n * instead.\n *\n * @throws Error when Key Vault returns no result (guards against unexpected\n * SDK-response shapes). Any Key Vault API error (Forbidden, NotFound, etc.)\n * propagates as-is.\n */\nexport function azureKeyVaultSealingProvider(opts: AzureKeyVaultSealingProviderOptions): SealingKeyProvider {\n const algorithm = opts.algorithm ?? 'RSA-OAEP-256'\n const client: CryptoLike = opts.cryptographyClient\n ?? new CryptographyClient(opts.keyId, new DefaultAzureCredential())\n\n return {\n id: `azure-kv:${opts.keyId}`,\n\n async seal(passphrase) {\n const res = await client.encrypt({ algorithm, plaintext: passphrase })\n const c = res?.result\n if (!c) throw new Error('@noy-db/at-azure-keyvault: Key Vault encrypt returned no result')\n return c instanceof Uint8Array ? c : new Uint8Array(c)\n },\n\n async unseal(sealed) {\n const res = await client.decrypt({ algorithm, ciphertext: sealed })\n const p = res?.result\n if (!p) throw new Error('@noy-db/at-azure-keyvault: Key Vault decrypt returned no result')\n return p instanceof Uint8Array ? p : new Uint8Array(p)\n },\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AA2DA,2BAMO;AACP,sBAAuC;AA4ChC,SAAS,6BAA6B,MAA+D;AAC1G,QAAM,YAAY,KAAK,aAAa;AACpC,QAAM,SAAqB,KAAK,sBAC3B,IAAI,wCAAmB,KAAK,OAAO,IAAI,uCAAuB,CAAC;AAEpE,SAAO;AAAA,IACL,IAAI,YAAY,KAAK,KAAK;AAAA,IAE1B,MAAM,KAAK,YAAY;AACrB,YAAM,MAAM,MAAM,OAAO,QAAQ,EAAE,WAAW,WAAW,WAAW,CAAC;AACrE,YAAM,IAAI,KAAK;AACf,UAAI,CAAC,EAAG,OAAM,IAAI,MAAM,iEAAiE;AACzF,aAAO,aAAa,aAAa,IAAI,IAAI,WAAW,CAAC;AAAA,IACvD;AAAA,IAEA,MAAM,OAAO,QAAQ;AACnB,YAAM,MAAM,MAAM,OAAO,QAAQ,EAAE,WAAW,YAAY,OAAO,CAAC;AAClE,YAAM,IAAI,KAAK;AACf,UAAI,CAAC,EAAG,OAAM,IAAI,MAAM,iEAAiE;AACzF,aAAO,aAAa,aAAa,IAAI,IAAI,WAAW,CAAC;AAAA,IACvD;AAAA,EACF;AACF;","names":[]}
package/dist/index.d.cts DELETED
@@ -1,104 +0,0 @@
1
- import { SealingKeyProvider } from '@noy-db/hub';
2
- import { RsaEncryptParameters, EncryptResult, RsaDecryptParameters, DecryptResult } from '@azure/keyvault-keys';
3
-
4
- /**
5
- * **@noy-db/at-azure-keyvault** — Azure Key Vault sealing key provider for noy-db
6
- * managed-passphrase mode.
7
- *
8
- * An `at-*` provider that seals and unseals the hub-generated random
9
- * passphrase via Azure Key Vault Encrypt / Decrypt. Every seal and unseal is
10
- * an authenticated Key Vault API call, giving you an Azure Monitor / Key Vault
11
- * audit-log-backed access record of every time a user's vault is opened —
12
- * no additional instrumentation required.
13
- *
14
- * ## When to use
15
- *
16
- * - Compliance regimes requiring auditable key access logs (FedRAMP, HIPAA
17
- * with managed-encryption requirements, SOC 2 Type II).
18
- * - Workloads already running on Azure where a Key Vault RSA key costs less
19
- * than engineering an equivalent audit trail.
20
- * - Any case where you need an auditable, Azure-native key custody record
21
- * for every vault open.
22
- *
23
- * ## Setup
24
- *
25
- * ```bash
26
- * # 1. Create a Key Vault and an RSA key (one-time):
27
- * az keyvault create --name my-noydb-vault --resource-group my-rg --location eastus
28
- * az keyvault key create --vault-name my-noydb-vault --name noydb-sealing --kty RSA --size 2048
29
- * # Note the full key identifier URL from the output (id field).
30
- *
31
- * # 2. Grant the host's managed identity or service principal the
32
- * # encrypt + decrypt (or wrapKey + unwrapKey) permissions on the key:
33
- * az keyvault set-policy --name my-noydb-vault \
34
- * --object-id <MANAGED_IDENTITY_OBJECT_ID> \
35
- * --key-permissions encrypt decrypt
36
- * # Credentials are resolved automatically via DefaultAzureCredential:
37
- * # managed identity attached to the Azure host, AZURE_CLIENT_ID /
38
- * # AZURE_TENANT_ID / AZURE_CLIENT_SECRET env vars, or `az login` for
39
- * # local dev.
40
- * ```
41
- *
42
- * ```ts
43
- * // 3. In your app:
44
- * import { createNoydb } from '@noy-db/hub'
45
- * import { azureKeyVaultSealingProvider } from '@noy-db/at-azure-keyvault'
46
- * import { shamirRecoveryProvider } from '@noy-db/on-shamir'
47
- *
48
- * const db = await createNoydb({
49
- * store,
50
- * user: 'alice',
51
- * passphraseMode: 'managed',
52
- * sealingKey: azureKeyVaultSealingProvider({
53
- * keyId: 'https://my-noydb-vault.vault.azure.net/keys/noydb-sealing/<version>',
54
- * }),
55
- * shamirRecovery: shamirRecoveryProvider(),
56
- * })
57
- * ```
58
- *
59
- * @packageDocumentation
60
- */
61
-
62
- /** Minimal client surface required by {@link azureKeyVaultSealingProvider}. */
63
- interface CryptoLike {
64
- encrypt(params: RsaEncryptParameters): Promise<EncryptResult>;
65
- decrypt(params: RsaDecryptParameters): Promise<DecryptResult>;
66
- }
67
- /** Options for {@link azureKeyVaultSealingProvider}. */
68
- interface AzureKeyVaultSealingProviderOptions {
69
- /**
70
- * Full **versioned** key identifier URL, e.g.
71
- * `https://<vault>.vault.azure.net/keys/<name>/<version>`.
72
- *
73
- * Azure RSA decrypt is version-bound: the `CryptographyClient` resolves the
74
- * key version at construction time and every decrypt call is pinned to it.
75
- * A versionless URL (`.../keys/<name>`) resolves to "latest" — if the key
76
- * auto-rotates, all passphrases sealed under the previous version become
77
- * **permanently undecryptable**. Always pin to an explicit version.
78
- */
79
- readonly keyId: string;
80
- /** RSA encryption algorithm. Defaults to `'RSA-OAEP-256'`. */
81
- readonly algorithm?: 'RSA-OAEP-256' | 'RSA-OAEP';
82
- /**
83
- * Optional pre-built CryptographyClient (DI for tests).
84
- * Default: builds one with `DefaultAzureCredential`.
85
- * Never pass raw Azure credentials in these options.
86
- */
87
- readonly cryptographyClient?: CryptoLike;
88
- }
89
- /**
90
- * Build a {@link SealingKeyProvider} backed by Azure Key Vault Encrypt / Decrypt.
91
- *
92
- * Credentials are resolved via `DefaultAzureCredential` — managed identities
93
- * on Azure hosts, `AZURE_CLIENT_ID` / `AZURE_TENANT_ID` / `AZURE_CLIENT_SECRET`
94
- * env vars, or `az login` for local dev. Never pass raw credentials in the
95
- * options; inject a pre-configured `CryptographyClient` for non-default auth
96
- * instead.
97
- *
98
- * @throws Error when Key Vault returns no result (guards against unexpected
99
- * SDK-response shapes). Any Key Vault API error (Forbidden, NotFound, etc.)
100
- * propagates as-is.
101
- */
102
- declare function azureKeyVaultSealingProvider(opts: AzureKeyVaultSealingProviderOptions): SealingKeyProvider;
103
-
104
- export { type AzureKeyVaultSealingProviderOptions, azureKeyVaultSealingProvider };