@noy-db/at-gcp-kms 0.2.0-pre.1

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 vLannaAi
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,92 @@
+# @noy-db/at-gcp-kms
+
+**Google Cloud KMS sealing key provider for noy-db [managed-passphrase mode](https://github.com/vLannaAi/noy-db/issues/14).**
+
+An `at-*` provider that seals and unseals the hub-generated random passphrase via Google Cloud KMS Encrypt / Decrypt. Every seal and unseal is an authenticated KMS API call — giving you a Cloud Audit Logs-backed access log of every time a user's vault is opened, with no additional instrumentation required.
+
+Like all `at-*` providers, this is a *trusted host* provider: the host you deploy it on CAN decrypt what it unseals. The security boundary is your GCP IAM policy — access is controlled by which service accounts hold `roles/cloudkms.cryptoKeyEncrypterDecrypter` on the KMS key, not by a secret the host keeps in memory.
+
+## Install
+
+```bash
+pnpm add @noy-db/hub @noy-db/at-gcp-kms @noy-db/on-shamir
+# or: npm install @noy-db/hub @noy-db/at-gcp-kms @noy-db/on-shamir
+```
+
+## Setup
+
+```bash
+# 1. Create a key ring and symmetric crypto key once:
+gcloud kms keyrings create noy-db-ring --location global
+gcloud kms keys create noy-db-sealing \
+  --location global \
+  --keyring noy-db-ring \
+  --purpose encryption
+# Note the full resource name from the output.
+
+# 2. Grant your host's service account the Cloud KMS CryptoKey Encrypter/Decrypter role:
+gcloud kms keys add-iam-policy-binding noy-db-sealing \
+  --location global \
+  --keyring noy-db-ring \
+  --member serviceAccount:HOST_SA@PROJECT.iam.gserviceaccount.com \
+  --role roles/cloudkms.cryptoKeyEncrypterDecrypter
+#    Credentials are resolved automatically via Application Default Credentials (ADC):
+#    service account attached to GCE/GKE node, Workload Identity for GKE,
+#    GOOGLE_APPLICATION_CREDENTIALS env var, or `gcloud auth application-default login`
+#    for local dev.
+```
+
+```ts
+// 3. In your app:
+import { createNoydb } from '@noy-db/hub'
+import { gcpKmsSealingProvider } from '@noy-db/at-gcp-kms'
+import { shamirRecoveryProvider } from '@noy-db/on-shamir'
+
+const db = await createNoydb({
+  store,
+  user: 'alice',
+  passphraseMode: 'managed',
+  sealingKey: gcpKmsSealingProvider({
+    keyName: 'projects/my-project/locations/global/keyRings/noy-db-ring/cryptoKeys/noy-db-sealing',
+  }),
+  shamirRecovery: shamirRecoveryProvider(),
+})
+
+const vault = await db.openVault('acme')
+// Hub generated a 256-bit random on first open, sealed it via KMS Encrypt,
+// and persisted to _meta/sealed-passphrase. The user never sees a passphrase.
+// On reopen, at-gcp-kms calls KMS Decrypt transparently.
+// Cloud Audit Logs record every Encrypt/Decrypt call with caller identity + key resource name.
+```
+
+## When to use this provider
+
+- Compliance regimes requiring auditable key access logs (FedRAMP, HIPAA with managed-encryption requirements, SOC 2 Type II).
+- Workloads already running on GCP where a Cloud KMS key costs less than engineering an equivalent audit trail.
+- Any case where you want automatic key version rotation without rotating app-side key material.
+
+## When NOT to use this provider
+
+- Non-GCP or multi-cloud deployments where adding a GCP dependency is undesirable. Use [`@noy-db/at-env`](../at-env) for a zero-extra-dependency option.
+- Local dev / CI where you don't want real KMS calls or GCP credentials in CI. Use [`@noy-db/at-env`](../at-env) or `MemorySealingKeyProvider` from `@noy-db/hub` instead.
+
+## Key rotation
+
+Cloud KMS supports automatic key version rotation for symmetric keys. Enable it on the crypto key and KMS handles the rest — your `keyName` stays the same, no app changes needed. Cross-key migration (moving sealed passphrases to a different key) requires manual re-sealing with `unseal` + `seal` under the new key.
+
+## API
+
+```ts
+function gcpKmsSealingProvider(opts: {
+  keyName: string                       // Full crypto-key resource name
+  client?: KmsClientLike                // optional pre-built client (useful for tests)
+}): SealingKeyProvider
+```
+
+Never pass raw GCP credentials in the options — inject a pre-configured `KeyManagementServiceClient` for non-default auth. The default `new KeyManagementServiceClient()` resolves credentials via Application Default Credentials.
+
+Returns a [`SealingKeyProvider`](../hub/src/team/managed-passphrase.ts) — the contract `@noy-db/hub`'s managed-passphrase mode consumes.
+
+## License
+
+MIT

package/dist/index.cjs

@@ -0,0 +1,54 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  gcpKmsSealingProvider: () => gcpKmsSealingProvider
+});
+module.exports = __toCommonJS(index_exports);
+var import_kms = require("@google-cloud/kms");
+function toUint8Array(value) {
+  if (value == null) return void 0;
+  if (value instanceof Uint8Array) return value;
+  return Buffer.from(value, "base64");
+}
+function gcpKmsSealingProvider(opts) {
+  const client = opts.client ?? new import_kms.KeyManagementServiceClient();
+  return {
+    id: `gcp-kms:${opts.keyName}`,
+    async seal(passphrase) {
+      const [resp] = await client.encrypt({ name: opts.keyName, plaintext: passphrase });
+      const blob = toUint8Array(resp?.ciphertext);
+      if (!blob) throw new Error("@noy-db/at-gcp-kms: KMS encrypt returned no ciphertext");
+      return blob;
+    },
+    async unseal(sealed) {
+      const [resp] = await client.decrypt({ name: opts.keyName, ciphertext: sealed });
+      const pt = toUint8Array(resp?.plaintext);
+      if (!pt) throw new Error("@noy-db/at-gcp-kms: KMS decrypt returned no plaintext");
+      return pt;
+    }
+  };
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  gcpKmsSealingProvider
+});
+//# sourceMappingURL=index.cjs.map

package/dist/index.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/index.ts"],"sourcesContent":["/**\n * **@noy-db/at-gcp-kms** — Google Cloud KMS sealing key provider for noy-db\n * managed-passphrase mode (#189).\n *\n * An `at-*` provider that seals and unseals the hub-generated random\n * passphrase via Google Cloud KMS Encrypt / Decrypt. Every seal and unseal is\n * an authenticated KMS API call, giving you a Cloud Audit Logs-backed access\n * log of every time a user's vault is opened — no additional instrumentation\n * required.\n *\n * ## When to use\n *\n * - Compliance regimes requiring auditable key access logs (FedRAMP, HIPAA\n *   with managed-encryption requirements, SOC 2 Type II).\n * - Workloads already running on GCP where a Cloud KMS key costs less than\n *   engineering an equivalent audit trail.\n * - Any case where you want automatic key rotation without rotating your\n *   app's sealing key material manually.\n *\n * ## Setup\n *\n * ```bash\n * # 1. Create a key ring and symmetric crypto key once:\n * gcloud kms keyrings create noy-db-ring --location global\n * gcloud kms keys create noy-db-sealing \\\n *   --location global \\\n *   --keyring noy-db-ring \\\n *   --purpose encryption\n * # Note the full resource name from the output.\n *\n * # 2. Grant your host's service account the Cloud KMS CryptoKey Encrypter/Decrypter role:\n * gcloud kms keys add-iam-policy-binding noy-db-sealing \\\n *   --location global \\\n *   --keyring noy-db-ring \\\n *   --member serviceAccount:HOST_SA@PROJECT.iam.gserviceaccount.com \\\n *   --role roles/cloudkms.cryptoKeyEncrypterDecrypter\n * # Credentials are picked up automatically via Application Default Credentials\n * # (ADC): service account attached to GCE/GKE, GOOGLE_APPLICATION_CREDENTIALS\n * # env var, or `gcloud auth application-default login` for local dev.\n * ```\n *\n * ```ts\n * // 3. In your app:\n * import { createNoydb } from '@noy-db/hub'\n * import { gcpKmsSealingProvider } from '@noy-db/at-gcp-kms'\n * import { shamirRecoveryProvider } from '@noy-db/on-shamir'\n *\n * const db = await createNoydb({\n *   store,\n *   user: 'alice',\n *   passphraseMode: 'managed',\n *   sealingKey: gcpKmsSealingProvider({\n *     keyName: 'projects/my-project/locations/global/keyRings/noy-db-ring/cryptoKeys/noy-db-sealing',\n *   }),\n *   shamirRecovery: shamirRecoveryProvider(),\n * })\n * ```\n *\n * @packageDocumentation\n */\n\nimport type { SealingKeyProvider } from '@noy-db/hub'\nimport { KeyManagementServiceClient } from '@google-cloud/kms'\nimport type { protos } from '@google-cloud/kms'\n\ntype IEncryptRequest = protos.google.cloud.kms.v1.IEncryptRequest\ntype IDecryptRequest = protos.google.cloud.kms.v1.IDecryptRequest\ntype IEncryptResponse = protos.google.cloud.kms.v1.IEncryptResponse\ntype IDecryptResponse = protos.google.cloud.kms.v1.IDecryptResponse\n\n/** Minimal client surface required by {@link gcpKmsSealingProvider}. */\ninterface KmsClientLike {\n  encrypt(request: IEncryptRequest): Promise<[IEncryptResponse, IEncryptRequest | undefined, unknown]>\n  decrypt(request: IDecryptRequest): Promise<[IDecryptResponse, IDecryptRequest | undefined, unknown]>\n}\n\n/** Options for {@link gcpKmsSealingProvider}. */\nexport interface GcpKmsSealingProviderOptions {\n  /**\n   * Full crypto-key resource name, e.g.\n   * `projects/PROJECT/locations/LOCATION/keyRings/RING/cryptoKeys/KEY`.\n   */\n  readonly keyName: string\n  /** Optional pre-built client (DI for tests). Default: `new KeyManagementServiceClient()` (ambient ADC). */\n  readonly client?: KmsClientLike\n}\n\nfunction toUint8Array(value: Uint8Array | string | null | undefined): Uint8Array | undefined {\n  if (value == null) return undefined\n  if (value instanceof Uint8Array) return value\n  // protobuf may return a base64 string in some environments\n  return Buffer.from(value, 'base64')\n}\n\n/**\n * Build a {@link SealingKeyProvider} backed by Google Cloud KMS Encrypt / Decrypt.\n *\n * Credentials are resolved via Application Default Credentials (ADC) — attached\n * service accounts, `GOOGLE_APPLICATION_CREDENTIALS`, or local gcloud login.\n * Never pass raw credentials in the options; inject a pre-configured client for\n * non-default auth instead.\n *\n * @throws Error when KMS returns no ciphertext or no plaintext (guards\n * against unexpected SDK-response shapes).\n * Any KMS API error (PermissionDenied, NotFound, etc.) propagates as-is.\n */\nexport function gcpKmsSealingProvider(opts: GcpKmsSealingProviderOptions): SealingKeyProvider {\n  const client: KmsClientLike = opts.client ?? new KeyManagementServiceClient()\n  return {\n    id: `gcp-kms:${opts.keyName}`,\n\n    async seal(passphrase) {\n      const [resp] = await client.encrypt({ name: opts.keyName, plaintext: passphrase })\n      const blob = toUint8Array(resp?.ciphertext)\n      if (!blob) throw new Error('@noy-db/at-gcp-kms: KMS encrypt returned no ciphertext')\n      return blob\n    },\n\n    async unseal(sealed) {\n      const [resp] = await client.decrypt({ name: opts.keyName, ciphertext: sealed })\n      const pt = toUint8Array(resp?.plaintext)\n      if (!pt) throw new Error('@noy-db/at-gcp-kms: KMS decrypt returned no plaintext')\n      return pt\n    },\n  }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AA8DA,iBAA2C;AAyB3C,SAAS,aAAa,OAAuE;AAC3F,MAAI,SAAS,KAAM,QAAO;AAC1B,MAAI,iBAAiB,WAAY,QAAO;AAExC,SAAO,OAAO,KAAK,OAAO,QAAQ;AACpC;AAcO,SAAS,sBAAsB,MAAwD;AAC5F,QAAM,SAAwB,KAAK,UAAU,IAAI,sCAA2B;AAC5E,SAAO;AAAA,IACL,IAAI,WAAW,KAAK,OAAO;AAAA,IAE3B,MAAM,KAAK,YAAY;AACrB,YAAM,CAAC,IAAI,IAAI,MAAM,OAAO,QAAQ,EAAE,MAAM,KAAK,SAAS,WAAW,WAAW,CAAC;AACjF,YAAM,OAAO,aAAa,MAAM,UAAU;AAC1C,UAAI,CAAC,KAAM,OAAM,IAAI,MAAM,wDAAwD;AACnF,aAAO;AAAA,IACT;AAAA,IAEA,MAAM,OAAO,QAAQ;AACnB,YAAM,CAAC,IAAI,IAAI,MAAM,OAAO,QAAQ,EAAE,MAAM,KAAK,SAAS,YAAY,OAAO,CAAC;AAC9E,YAAM,KAAK,aAAa,MAAM,SAAS;AACvC,UAAI,CAAC,GAAI,OAAM,IAAI,MAAM,uDAAuD;AAChF,aAAO;AAAA,IACT;AAAA,EACF;AACF;","names":[]}

package/dist/index.d.cts

@@ -0,0 +1,98 @@
+import { SealingKeyProvider } from '@noy-db/hub';
+import { protos } from '@google-cloud/kms';
+
+/**
+ * **@noy-db/at-gcp-kms** — Google Cloud KMS sealing key provider for noy-db
+ * managed-passphrase mode (#189).
+ *
+ * An `at-*` provider that seals and unseals the hub-generated random
+ * passphrase via Google Cloud KMS Encrypt / Decrypt. Every seal and unseal is
+ * an authenticated KMS API call, giving you a Cloud Audit Logs-backed access
+ * log of every time a user's vault is opened — no additional instrumentation
+ * required.
+ *
+ * ## When to use
+ *
+ * - Compliance regimes requiring auditable key access logs (FedRAMP, HIPAA
+ *   with managed-encryption requirements, SOC 2 Type II).
+ * - Workloads already running on GCP where a Cloud KMS key costs less than
+ *   engineering an equivalent audit trail.
+ * - Any case where you want automatic key rotation without rotating your
+ *   app's sealing key material manually.
+ *
+ * ## Setup
+ *
+ * ```bash
+ * # 1. Create a key ring and symmetric crypto key once:
+ * gcloud kms keyrings create noy-db-ring --location global
+ * gcloud kms keys create noy-db-sealing \
+ *   --location global \
+ *   --keyring noy-db-ring \
+ *   --purpose encryption
+ * # Note the full resource name from the output.
+ *
+ * # 2. Grant your host's service account the Cloud KMS CryptoKey Encrypter/Decrypter role:
+ * gcloud kms keys add-iam-policy-binding noy-db-sealing \
+ *   --location global \
+ *   --keyring noy-db-ring \
+ *   --member serviceAccount:HOST_SA@PROJECT.iam.gserviceaccount.com \
+ *   --role roles/cloudkms.cryptoKeyEncrypterDecrypter
+ * # Credentials are picked up automatically via Application Default Credentials
+ * # (ADC): service account attached to GCE/GKE, GOOGLE_APPLICATION_CREDENTIALS
+ * # env var, or `gcloud auth application-default login` for local dev.
+ * ```
+ *
+ * ```ts
+ * // 3. In your app:
+ * import { createNoydb } from '@noy-db/hub'
+ * import { gcpKmsSealingProvider } from '@noy-db/at-gcp-kms'
+ * import { shamirRecoveryProvider } from '@noy-db/on-shamir'
+ *
+ * const db = await createNoydb({
+ *   store,
+ *   user: 'alice',
+ *   passphraseMode: 'managed',
+ *   sealingKey: gcpKmsSealingProvider({
+ *     keyName: 'projects/my-project/locations/global/keyRings/noy-db-ring/cryptoKeys/noy-db-sealing',
+ *   }),
+ *   shamirRecovery: shamirRecoveryProvider(),
+ * })
+ * ```
+ *
+ * @packageDocumentation
+ */
+
+type IEncryptRequest = protos.google.cloud.kms.v1.IEncryptRequest;
+type IDecryptRequest = protos.google.cloud.kms.v1.IDecryptRequest;
+type IEncryptResponse = protos.google.cloud.kms.v1.IEncryptResponse;
+type IDecryptResponse = protos.google.cloud.kms.v1.IDecryptResponse;
+/** Minimal client surface required by {@link gcpKmsSealingProvider}. */
+interface KmsClientLike {
+    encrypt(request: IEncryptRequest): Promise<[IEncryptResponse, IEncryptRequest | undefined, unknown]>;
+    decrypt(request: IDecryptRequest): Promise<[IDecryptResponse, IDecryptRequest | undefined, unknown]>;
+}
+/** Options for {@link gcpKmsSealingProvider}. */
+interface GcpKmsSealingProviderOptions {
+    /**
+     * Full crypto-key resource name, e.g.
+     * `projects/PROJECT/locations/LOCATION/keyRings/RING/cryptoKeys/KEY`.
+     */
+    readonly keyName: string;
+    /** Optional pre-built client (DI for tests). Default: `new KeyManagementServiceClient()` (ambient ADC). */
+    readonly client?: KmsClientLike;
+}
+/**
+ * Build a {@link SealingKeyProvider} backed by Google Cloud KMS Encrypt / Decrypt.
+ *
+ * Credentials are resolved via Application Default Credentials (ADC) — attached
+ * service accounts, `GOOGLE_APPLICATION_CREDENTIALS`, or local gcloud login.
+ * Never pass raw credentials in the options; inject a pre-configured client for
+ * non-default auth instead.
+ *
+ * @throws Error when KMS returns no ciphertext or no plaintext (guards
+ * against unexpected SDK-response shapes).
+ * Any KMS API error (PermissionDenied, NotFound, etc.) propagates as-is.
+ */
+declare function gcpKmsSealingProvider(opts: GcpKmsSealingProviderOptions): SealingKeyProvider;
+
+export { type GcpKmsSealingProviderOptions, gcpKmsSealingProvider };

package/dist/index.d.ts

@@ -0,0 +1,98 @@
+import { SealingKeyProvider } from '@noy-db/hub';
+import { protos } from '@google-cloud/kms';
+
+/**
+ * **@noy-db/at-gcp-kms** — Google Cloud KMS sealing key provider for noy-db
+ * managed-passphrase mode (#189).
+ *
+ * An `at-*` provider that seals and unseals the hub-generated random
+ * passphrase via Google Cloud KMS Encrypt / Decrypt. Every seal and unseal is
+ * an authenticated KMS API call, giving you a Cloud Audit Logs-backed access
+ * log of every time a user's vault is opened — no additional instrumentation
+ * required.
+ *
+ * ## When to use
+ *
+ * - Compliance regimes requiring auditable key access logs (FedRAMP, HIPAA
+ *   with managed-encryption requirements, SOC 2 Type II).
+ * - Workloads already running on GCP where a Cloud KMS key costs less than
+ *   engineering an equivalent audit trail.
+ * - Any case where you want automatic key rotation without rotating your
+ *   app's sealing key material manually.
+ *
+ * ## Setup
+ *
+ * ```bash
+ * # 1. Create a key ring and symmetric crypto key once:
+ * gcloud kms keyrings create noy-db-ring --location global
+ * gcloud kms keys create noy-db-sealing \
+ *   --location global \
+ *   --keyring noy-db-ring \
+ *   --purpose encryption
+ * # Note the full resource name from the output.
+ *
+ * # 2. Grant your host's service account the Cloud KMS CryptoKey Encrypter/Decrypter role:
+ * gcloud kms keys add-iam-policy-binding noy-db-sealing \
+ *   --location global \
+ *   --keyring noy-db-ring \
+ *   --member serviceAccount:HOST_SA@PROJECT.iam.gserviceaccount.com \
+ *   --role roles/cloudkms.cryptoKeyEncrypterDecrypter
+ * # Credentials are picked up automatically via Application Default Credentials
+ * # (ADC): service account attached to GCE/GKE, GOOGLE_APPLICATION_CREDENTIALS
+ * # env var, or `gcloud auth application-default login` for local dev.
+ * ```
+ *
+ * ```ts
+ * // 3. In your app:
+ * import { createNoydb } from '@noy-db/hub'
+ * import { gcpKmsSealingProvider } from '@noy-db/at-gcp-kms'
+ * import { shamirRecoveryProvider } from '@noy-db/on-shamir'
+ *
+ * const db = await createNoydb({
+ *   store,
+ *   user: 'alice',
+ *   passphraseMode: 'managed',
+ *   sealingKey: gcpKmsSealingProvider({
+ *     keyName: 'projects/my-project/locations/global/keyRings/noy-db-ring/cryptoKeys/noy-db-sealing',
+ *   }),
+ *   shamirRecovery: shamirRecoveryProvider(),
+ * })
+ * ```
+ *
+ * @packageDocumentation
+ */
+
+type IEncryptRequest = protos.google.cloud.kms.v1.IEncryptRequest;
+type IDecryptRequest = protos.google.cloud.kms.v1.IDecryptRequest;
+type IEncryptResponse = protos.google.cloud.kms.v1.IEncryptResponse;
+type IDecryptResponse = protos.google.cloud.kms.v1.IDecryptResponse;
+/** Minimal client surface required by {@link gcpKmsSealingProvider}. */
+interface KmsClientLike {
+    encrypt(request: IEncryptRequest): Promise<[IEncryptResponse, IEncryptRequest | undefined, unknown]>;
+    decrypt(request: IDecryptRequest): Promise<[IDecryptResponse, IDecryptRequest | undefined, unknown]>;
+}
+/** Options for {@link gcpKmsSealingProvider}. */
+interface GcpKmsSealingProviderOptions {
+    /**
+     * Full crypto-key resource name, e.g.
+     * `projects/PROJECT/locations/LOCATION/keyRings/RING/cryptoKeys/KEY`.
+     */
+    readonly keyName: string;
+    /** Optional pre-built client (DI for tests). Default: `new KeyManagementServiceClient()` (ambient ADC). */
+    readonly client?: KmsClientLike;
+}
+/**
+ * Build a {@link SealingKeyProvider} backed by Google Cloud KMS Encrypt / Decrypt.
+ *
+ * Credentials are resolved via Application Default Credentials (ADC) — attached
+ * service accounts, `GOOGLE_APPLICATION_CREDENTIALS`, or local gcloud login.
+ * Never pass raw credentials in the options; inject a pre-configured client for
+ * non-default auth instead.
+ *
+ * @throws Error when KMS returns no ciphertext or no plaintext (guards
+ * against unexpected SDK-response shapes).
+ * Any KMS API error (PermissionDenied, NotFound, etc.) propagates as-is.
+ */
+declare function gcpKmsSealingProvider(opts: GcpKmsSealingProviderOptions): SealingKeyProvider;
+
+export { type GcpKmsSealingProviderOptions, gcpKmsSealingProvider };

package/dist/index.js

@@ -0,0 +1,29 @@
+// src/index.ts
+import { KeyManagementServiceClient } from "@google-cloud/kms";
+function toUint8Array(value) {
+  if (value == null) return void 0;
+  if (value instanceof Uint8Array) return value;
+  return Buffer.from(value, "base64");
+}
+function gcpKmsSealingProvider(opts) {
+  const client = opts.client ?? new KeyManagementServiceClient();
+  return {
+    id: `gcp-kms:${opts.keyName}`,
+    async seal(passphrase) {
+      const [resp] = await client.encrypt({ name: opts.keyName, plaintext: passphrase });
+      const blob = toUint8Array(resp?.ciphertext);
+      if (!blob) throw new Error("@noy-db/at-gcp-kms: KMS encrypt returned no ciphertext");
+      return blob;
+    },
+    async unseal(sealed) {
+      const [resp] = await client.decrypt({ name: opts.keyName, ciphertext: sealed });
+      const pt = toUint8Array(resp?.plaintext);
+      if (!pt) throw new Error("@noy-db/at-gcp-kms: KMS decrypt returned no plaintext");
+      return pt;
+    }
+  };
+}
+export {
+  gcpKmsSealingProvider
+};
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/index.ts"],"sourcesContent":["/**\n * **@noy-db/at-gcp-kms** — Google Cloud KMS sealing key provider for noy-db\n * managed-passphrase mode (#189).\n *\n * An `at-*` provider that seals and unseals the hub-generated random\n * passphrase via Google Cloud KMS Encrypt / Decrypt. Every seal and unseal is\n * an authenticated KMS API call, giving you a Cloud Audit Logs-backed access\n * log of every time a user's vault is opened — no additional instrumentation\n * required.\n *\n * ## When to use\n *\n * - Compliance regimes requiring auditable key access logs (FedRAMP, HIPAA\n *   with managed-encryption requirements, SOC 2 Type II).\n * - Workloads already running on GCP where a Cloud KMS key costs less than\n *   engineering an equivalent audit trail.\n * - Any case where you want automatic key rotation without rotating your\n *   app's sealing key material manually.\n *\n * ## Setup\n *\n * ```bash\n * # 1. Create a key ring and symmetric crypto key once:\n * gcloud kms keyrings create noy-db-ring --location global\n * gcloud kms keys create noy-db-sealing \\\n *   --location global \\\n *   --keyring noy-db-ring \\\n *   --purpose encryption\n * # Note the full resource name from the output.\n *\n * # 2. Grant your host's service account the Cloud KMS CryptoKey Encrypter/Decrypter role:\n * gcloud kms keys add-iam-policy-binding noy-db-sealing \\\n *   --location global \\\n *   --keyring noy-db-ring \\\n *   --member serviceAccount:HOST_SA@PROJECT.iam.gserviceaccount.com \\\n *   --role roles/cloudkms.cryptoKeyEncrypterDecrypter\n * # Credentials are picked up automatically via Application Default Credentials\n * # (ADC): service account attached to GCE/GKE, GOOGLE_APPLICATION_CREDENTIALS\n * # env var, or `gcloud auth application-default login` for local dev.\n * ```\n *\n * ```ts\n * // 3. In your app:\n * import { createNoydb } from '@noy-db/hub'\n * import { gcpKmsSealingProvider } from '@noy-db/at-gcp-kms'\n * import { shamirRecoveryProvider } from '@noy-db/on-shamir'\n *\n * const db = await createNoydb({\n *   store,\n *   user: 'alice',\n *   passphraseMode: 'managed',\n *   sealingKey: gcpKmsSealingProvider({\n *     keyName: 'projects/my-project/locations/global/keyRings/noy-db-ring/cryptoKeys/noy-db-sealing',\n *   }),\n *   shamirRecovery: shamirRecoveryProvider(),\n * })\n * ```\n *\n * @packageDocumentation\n */\n\nimport type { SealingKeyProvider } from '@noy-db/hub'\nimport { KeyManagementServiceClient } from '@google-cloud/kms'\nimport type { protos } from '@google-cloud/kms'\n\ntype IEncryptRequest = protos.google.cloud.kms.v1.IEncryptRequest\ntype IDecryptRequest = protos.google.cloud.kms.v1.IDecryptRequest\ntype IEncryptResponse = protos.google.cloud.kms.v1.IEncryptResponse\ntype IDecryptResponse = protos.google.cloud.kms.v1.IDecryptResponse\n\n/** Minimal client surface required by {@link gcpKmsSealingProvider}. */\ninterface KmsClientLike {\n  encrypt(request: IEncryptRequest): Promise<[IEncryptResponse, IEncryptRequest | undefined, unknown]>\n  decrypt(request: IDecryptRequest): Promise<[IDecryptResponse, IDecryptRequest | undefined, unknown]>\n}\n\n/** Options for {@link gcpKmsSealingProvider}. */\nexport interface GcpKmsSealingProviderOptions {\n  /**\n   * Full crypto-key resource name, e.g.\n   * `projects/PROJECT/locations/LOCATION/keyRings/RING/cryptoKeys/KEY`.\n   */\n  readonly keyName: string\n  /** Optional pre-built client (DI for tests). Default: `new KeyManagementServiceClient()` (ambient ADC). */\n  readonly client?: KmsClientLike\n}\n\nfunction toUint8Array(value: Uint8Array | string | null | undefined): Uint8Array | undefined {\n  if (value == null) return undefined\n  if (value instanceof Uint8Array) return value\n  // protobuf may return a base64 string in some environments\n  return Buffer.from(value, 'base64')\n}\n\n/**\n * Build a {@link SealingKeyProvider} backed by Google Cloud KMS Encrypt / Decrypt.\n *\n * Credentials are resolved via Application Default Credentials (ADC) — attached\n * service accounts, `GOOGLE_APPLICATION_CREDENTIALS`, or local gcloud login.\n * Never pass raw credentials in the options; inject a pre-configured client for\n * non-default auth instead.\n *\n * @throws Error when KMS returns no ciphertext or no plaintext (guards\n * against unexpected SDK-response shapes).\n * Any KMS API error (PermissionDenied, NotFound, etc.) propagates as-is.\n */\nexport function gcpKmsSealingProvider(opts: GcpKmsSealingProviderOptions): SealingKeyProvider {\n  const client: KmsClientLike = opts.client ?? new KeyManagementServiceClient()\n  return {\n    id: `gcp-kms:${opts.keyName}`,\n\n    async seal(passphrase) {\n      const [resp] = await client.encrypt({ name: opts.keyName, plaintext: passphrase })\n      const blob = toUint8Array(resp?.ciphertext)\n      if (!blob) throw new Error('@noy-db/at-gcp-kms: KMS encrypt returned no ciphertext')\n      return blob\n    },\n\n    async unseal(sealed) {\n      const [resp] = await client.decrypt({ name: opts.keyName, ciphertext: sealed })\n      const pt = toUint8Array(resp?.plaintext)\n      if (!pt) throw new Error('@noy-db/at-gcp-kms: KMS decrypt returned no plaintext')\n      return pt\n    },\n  }\n}\n"],"mappings":";AA8DA,SAAS,kCAAkC;AAyB3C,SAAS,aAAa,OAAuE;AAC3F,MAAI,SAAS,KAAM,QAAO;AAC1B,MAAI,iBAAiB,WAAY,QAAO;AAExC,SAAO,OAAO,KAAK,OAAO,QAAQ;AACpC;AAcO,SAAS,sBAAsB,MAAwD;AAC5F,QAAM,SAAwB,KAAK,UAAU,IAAI,2BAA2B;AAC5E,SAAO;AAAA,IACL,IAAI,WAAW,KAAK,OAAO;AAAA,IAE3B,MAAM,KAAK,YAAY;AACrB,YAAM,CAAC,IAAI,IAAI,MAAM,OAAO,QAAQ,EAAE,MAAM,KAAK,SAAS,WAAW,WAAW,CAAC;AACjF,YAAM,OAAO,aAAa,MAAM,UAAU;AAC1C,UAAI,CAAC,KAAM,OAAM,IAAI,MAAM,wDAAwD;AACnF,aAAO;AAAA,IACT;AAAA,IAEA,MAAM,OAAO,QAAQ;AACnB,YAAM,CAAC,IAAI,IAAI,MAAM,OAAO,QAAQ,EAAE,MAAM,KAAK,SAAS,YAAY,OAAO,CAAC;AAC9E,YAAM,KAAK,aAAa,MAAM,SAAS;AACvC,UAAI,CAAC,GAAI,OAAM,IAAI,MAAM,uDAAuD;AAChF,aAAO;AAAA,IACT;AAAA,EACF;AACF;","names":[]}

package/package.json

@@ -0,0 +1,72 @@
+{
+  "name": "@noy-db/at-gcp-kms",
+  "version": "0.2.0-pre.1",
+  "description": "Google Cloud KMS sealing key provider for noy-db managed-passphrase mode.",
+  "license": "MIT",
+  "author": "vLannaAi <vicio@lanna.ai>",
+  "homepage": "https://github.com/vLannaAi/noy-db/tree/main/packages/at-gcp-kms#readme",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/vLannaAi/noy-db.git",
+    "directory": "packages/at-gcp-kms"
+  },
+  "bugs": {
+    "url": "https://github.com/vLannaAi/noy-db/issues"
+  },
+  "type": "module",
+  "sideEffects": false,
+  "exports": {
+    ".": {
+      "import": {
+        "types": "./dist/index.d.ts",
+        "default": "./dist/index.js"
+      },
+      "require": {
+        "types": "./dist/index.d.cts",
+        "default": "./dist/index.cjs"
+      }
+    }
+  },
+  "main": "./dist/index.cjs",
+  "module": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "files": [
+    "dist",
+    "README.md",
+    "LICENSE"
+  ],
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "peerDependencies": {
+    "@google-cloud/kms": "^4.0.0",
+    "@noy-db/hub": "0.2.0-pre.1"
+  },
+  "devDependencies": {
+    "@types/node": "^22.0.0",
+    "@google-cloud/kms": "^4.0.0",
+    "@noy-db/hub": "0.2.0-pre.1",
+    "@noy-db/to-memory": "0.2.0-pre.1",
+    "@noy-db/on-shamir": "0.2.0-pre.1"
+  },
+  "keywords": [
+    "noy-db",
+    "at-gcp-kms",
+    "gcp-kms",
+    "kms",
+    "sealing-key-provider",
+    "managed-passphrase",
+    "encryption",
+    "zero-knowledge"
+  ],
+  "publishConfig": {
+    "access": "public",
+    "tag": "latest"
+  },
+  "scripts": {
+    "build": "tsup",
+    "test": "vitest run",
+    "lint": "eslint src/",
+    "typecheck": "tsc --noEmit"
+  }
+}