@noy-db/at-gcp-kms 0.2.0-pre.4 → 0.2.0-pre.5
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.cjs.map +1 -1
- package/dist/index.d.cts +1 -1
- package/dist/index.d.ts +1 -1
- package/dist/index.js.map +1 -1
- package/package.json +5 -5
package/dist/index.cjs.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../src/index.ts"],"sourcesContent":["/**\n * **@noy-db/at-gcp-kms** — Google Cloud KMS sealing key provider for noy-db\n * managed-passphrase mode
|
|
1
|
+
{"version":3,"sources":["../src/index.ts"],"sourcesContent":["/**\n * **@noy-db/at-gcp-kms** — Google Cloud KMS sealing key provider for noy-db\n * managed-passphrase mode.\n *\n * An `at-*` provider that seals and unseals the hub-generated random\n * passphrase via Google Cloud KMS Encrypt / Decrypt. Every seal and unseal is\n * an authenticated KMS API call, giving you a Cloud Audit Logs-backed access\n * log of every time a user's vault is opened — no additional instrumentation\n * required.\n *\n * ## When to use\n *\n * - Compliance regimes requiring auditable key access logs (FedRAMP, HIPAA\n * with managed-encryption requirements, SOC 2 Type II).\n * - Workloads already running on GCP where a Cloud KMS key costs less than\n * engineering an equivalent audit trail.\n * - Any case where you want automatic key rotation without rotating your\n * app's sealing key material manually.\n *\n * ## Setup\n *\n * ```bash\n * # 1. Create a key ring and symmetric crypto key once:\n * gcloud kms keyrings create noy-db-ring --location global\n * gcloud kms keys create noy-db-sealing \\\n * --location global \\\n * --keyring noy-db-ring \\\n * --purpose encryption\n * # Note the full resource name from the output.\n *\n * # 2. Grant your host's service account the Cloud KMS CryptoKey Encrypter/Decrypter role:\n * gcloud kms keys add-iam-policy-binding noy-db-sealing \\\n * --location global \\\n * --keyring noy-db-ring \\\n * --member serviceAccount:HOST_SA@PROJECT.iam.gserviceaccount.com \\\n * --role roles/cloudkms.cryptoKeyEncrypterDecrypter\n * # Credentials are picked up automatically via Application Default Credentials\n * # (ADC): service account attached to GCE/GKE, GOOGLE_APPLICATION_CREDENTIALS\n * # env var, or `gcloud auth application-default login` for local dev.\n * ```\n *\n * ```ts\n * // 3. In your app:\n * import { createNoydb } from '@noy-db/hub'\n * import { gcpKmsSealingProvider } from '@noy-db/at-gcp-kms'\n * import { shamirRecoveryProvider } from '@noy-db/on-shamir'\n *\n * const db = await createNoydb({\n * store,\n * user: 'alice',\n * passphraseMode: 'managed',\n * sealingKey: gcpKmsSealingProvider({\n * keyName: 'projects/my-project/locations/global/keyRings/noy-db-ring/cryptoKeys/noy-db-sealing',\n * }),\n * shamirRecovery: shamirRecoveryProvider(),\n * })\n * ```\n *\n * @packageDocumentation\n */\n\nimport type { SealingKeyProvider } from '@noy-db/hub'\nimport { KeyManagementServiceClient } from '@google-cloud/kms'\nimport type { protos } from '@google-cloud/kms'\n\ntype IEncryptRequest = protos.google.cloud.kms.v1.IEncryptRequest\ntype IDecryptRequest = protos.google.cloud.kms.v1.IDecryptRequest\ntype IEncryptResponse = protos.google.cloud.kms.v1.IEncryptResponse\ntype IDecryptResponse = protos.google.cloud.kms.v1.IDecryptResponse\n\n/** Minimal client surface required by {@link gcpKmsSealingProvider}. */\ninterface KmsClientLike {\n encrypt(request: IEncryptRequest): Promise<[IEncryptResponse, IEncryptRequest | undefined, unknown]>\n decrypt(request: IDecryptRequest): Promise<[IDecryptResponse, IDecryptRequest | undefined, unknown]>\n}\n\n/** Options for {@link gcpKmsSealingProvider}. */\nexport interface GcpKmsSealingProviderOptions {\n /**\n * Full crypto-key resource name, e.g.\n * `projects/PROJECT/locations/LOCATION/keyRings/RING/cryptoKeys/KEY`.\n */\n readonly keyName: string\n /** Optional pre-built client (DI for tests). Default: `new KeyManagementServiceClient()` (ambient ADC). */\n readonly client?: KmsClientLike\n}\n\nfunction toUint8Array(value: Uint8Array | string | null | undefined): Uint8Array | undefined {\n if (value == null) return undefined\n if (value instanceof Uint8Array) return value\n // protobuf may return a base64 string in some environments\n return Buffer.from(value, 'base64')\n}\n\n/**\n * Build a {@link SealingKeyProvider} backed by Google Cloud KMS Encrypt / Decrypt.\n *\n * Credentials are resolved via Application Default Credentials (ADC) — attached\n * service accounts, `GOOGLE_APPLICATION_CREDENTIALS`, or local gcloud login.\n * Never pass raw credentials in the options; inject a pre-configured client for\n * non-default auth instead.\n *\n * @throws Error when KMS returns no ciphertext or no plaintext (guards\n * against unexpected SDK-response shapes).\n * Any KMS API error (PermissionDenied, NotFound, etc.) propagates as-is.\n */\nexport function gcpKmsSealingProvider(opts: GcpKmsSealingProviderOptions): SealingKeyProvider {\n const client: KmsClientLike = opts.client ?? new KeyManagementServiceClient()\n return {\n id: `gcp-kms:${opts.keyName}`,\n\n async seal(passphrase) {\n const [resp] = await client.encrypt({ name: opts.keyName, plaintext: passphrase })\n const blob = toUint8Array(resp?.ciphertext)\n if (!blob) throw new Error('@noy-db/at-gcp-kms: KMS encrypt returned no ciphertext')\n return blob\n },\n\n async unseal(sealed) {\n const [resp] = await client.decrypt({ name: opts.keyName, ciphertext: sealed })\n const pt = toUint8Array(resp?.plaintext)\n if (!pt) throw new Error('@noy-db/at-gcp-kms: KMS decrypt returned no plaintext')\n return pt\n },\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AA8DA,iBAA2C;AAyB3C,SAAS,aAAa,OAAuE;AAC3F,MAAI,SAAS,KAAM,QAAO;AAC1B,MAAI,iBAAiB,WAAY,QAAO;AAExC,SAAO,OAAO,KAAK,OAAO,QAAQ;AACpC;AAcO,SAAS,sBAAsB,MAAwD;AAC5F,QAAM,SAAwB,KAAK,UAAU,IAAI,sCAA2B;AAC5E,SAAO;AAAA,IACL,IAAI,WAAW,KAAK,OAAO;AAAA,IAE3B,MAAM,KAAK,YAAY;AACrB,YAAM,CAAC,IAAI,IAAI,MAAM,OAAO,QAAQ,EAAE,MAAM,KAAK,SAAS,WAAW,WAAW,CAAC;AACjF,YAAM,OAAO,aAAa,MAAM,UAAU;AAC1C,UAAI,CAAC,KAAM,OAAM,IAAI,MAAM,wDAAwD;AACnF,aAAO;AAAA,IACT;AAAA,IAEA,MAAM,OAAO,QAAQ;AACnB,YAAM,CAAC,IAAI,IAAI,MAAM,OAAO,QAAQ,EAAE,MAAM,KAAK,SAAS,YAAY,OAAO,CAAC;AAC9E,YAAM,KAAK,aAAa,MAAM,SAAS;AACvC,UAAI,CAAC,GAAI,OAAM,IAAI,MAAM,uDAAuD;AAChF,aAAO;AAAA,IACT;AAAA,EACF;AACF;","names":[]}
|
package/dist/index.d.cts
CHANGED
|
@@ -3,7 +3,7 @@ import { protos } from '@google-cloud/kms';
|
|
|
3
3
|
|
|
4
4
|
/**
|
|
5
5
|
* **@noy-db/at-gcp-kms** — Google Cloud KMS sealing key provider for noy-db
|
|
6
|
-
* managed-passphrase mode
|
|
6
|
+
* managed-passphrase mode.
|
|
7
7
|
*
|
|
8
8
|
* An `at-*` provider that seals and unseals the hub-generated random
|
|
9
9
|
* passphrase via Google Cloud KMS Encrypt / Decrypt. Every seal and unseal is
|
package/dist/index.d.ts
CHANGED
|
@@ -3,7 +3,7 @@ import { protos } from '@google-cloud/kms';
|
|
|
3
3
|
|
|
4
4
|
/**
|
|
5
5
|
* **@noy-db/at-gcp-kms** — Google Cloud KMS sealing key provider for noy-db
|
|
6
|
-
* managed-passphrase mode
|
|
6
|
+
* managed-passphrase mode.
|
|
7
7
|
*
|
|
8
8
|
* An `at-*` provider that seals and unseals the hub-generated random
|
|
9
9
|
* passphrase via Google Cloud KMS Encrypt / Decrypt. Every seal and unseal is
|
package/dist/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../src/index.ts"],"sourcesContent":["/**\n * **@noy-db/at-gcp-kms** — Google Cloud KMS sealing key provider for noy-db\n * managed-passphrase mode
|
|
1
|
+
{"version":3,"sources":["../src/index.ts"],"sourcesContent":["/**\n * **@noy-db/at-gcp-kms** — Google Cloud KMS sealing key provider for noy-db\n * managed-passphrase mode.\n *\n * An `at-*` provider that seals and unseals the hub-generated random\n * passphrase via Google Cloud KMS Encrypt / Decrypt. Every seal and unseal is\n * an authenticated KMS API call, giving you a Cloud Audit Logs-backed access\n * log of every time a user's vault is opened — no additional instrumentation\n * required.\n *\n * ## When to use\n *\n * - Compliance regimes requiring auditable key access logs (FedRAMP, HIPAA\n * with managed-encryption requirements, SOC 2 Type II).\n * - Workloads already running on GCP where a Cloud KMS key costs less than\n * engineering an equivalent audit trail.\n * - Any case where you want automatic key rotation without rotating your\n * app's sealing key material manually.\n *\n * ## Setup\n *\n * ```bash\n * # 1. Create a key ring and symmetric crypto key once:\n * gcloud kms keyrings create noy-db-ring --location global\n * gcloud kms keys create noy-db-sealing \\\n * --location global \\\n * --keyring noy-db-ring \\\n * --purpose encryption\n * # Note the full resource name from the output.\n *\n * # 2. Grant your host's service account the Cloud KMS CryptoKey Encrypter/Decrypter role:\n * gcloud kms keys add-iam-policy-binding noy-db-sealing \\\n * --location global \\\n * --keyring noy-db-ring \\\n * --member serviceAccount:HOST_SA@PROJECT.iam.gserviceaccount.com \\\n * --role roles/cloudkms.cryptoKeyEncrypterDecrypter\n * # Credentials are picked up automatically via Application Default Credentials\n * # (ADC): service account attached to GCE/GKE, GOOGLE_APPLICATION_CREDENTIALS\n * # env var, or `gcloud auth application-default login` for local dev.\n * ```\n *\n * ```ts\n * // 3. In your app:\n * import { createNoydb } from '@noy-db/hub'\n * import { gcpKmsSealingProvider } from '@noy-db/at-gcp-kms'\n * import { shamirRecoveryProvider } from '@noy-db/on-shamir'\n *\n * const db = await createNoydb({\n * store,\n * user: 'alice',\n * passphraseMode: 'managed',\n * sealingKey: gcpKmsSealingProvider({\n * keyName: 'projects/my-project/locations/global/keyRings/noy-db-ring/cryptoKeys/noy-db-sealing',\n * }),\n * shamirRecovery: shamirRecoveryProvider(),\n * })\n * ```\n *\n * @packageDocumentation\n */\n\nimport type { SealingKeyProvider } from '@noy-db/hub'\nimport { KeyManagementServiceClient } from '@google-cloud/kms'\nimport type { protos } from '@google-cloud/kms'\n\ntype IEncryptRequest = protos.google.cloud.kms.v1.IEncryptRequest\ntype IDecryptRequest = protos.google.cloud.kms.v1.IDecryptRequest\ntype IEncryptResponse = protos.google.cloud.kms.v1.IEncryptResponse\ntype IDecryptResponse = protos.google.cloud.kms.v1.IDecryptResponse\n\n/** Minimal client surface required by {@link gcpKmsSealingProvider}. */\ninterface KmsClientLike {\n encrypt(request: IEncryptRequest): Promise<[IEncryptResponse, IEncryptRequest | undefined, unknown]>\n decrypt(request: IDecryptRequest): Promise<[IDecryptResponse, IDecryptRequest | undefined, unknown]>\n}\n\n/** Options for {@link gcpKmsSealingProvider}. */\nexport interface GcpKmsSealingProviderOptions {\n /**\n * Full crypto-key resource name, e.g.\n * `projects/PROJECT/locations/LOCATION/keyRings/RING/cryptoKeys/KEY`.\n */\n readonly keyName: string\n /** Optional pre-built client (DI for tests). Default: `new KeyManagementServiceClient()` (ambient ADC). */\n readonly client?: KmsClientLike\n}\n\nfunction toUint8Array(value: Uint8Array | string | null | undefined): Uint8Array | undefined {\n if (value == null) return undefined\n if (value instanceof Uint8Array) return value\n // protobuf may return a base64 string in some environments\n return Buffer.from(value, 'base64')\n}\n\n/**\n * Build a {@link SealingKeyProvider} backed by Google Cloud KMS Encrypt / Decrypt.\n *\n * Credentials are resolved via Application Default Credentials (ADC) — attached\n * service accounts, `GOOGLE_APPLICATION_CREDENTIALS`, or local gcloud login.\n * Never pass raw credentials in the options; inject a pre-configured client for\n * non-default auth instead.\n *\n * @throws Error when KMS returns no ciphertext or no plaintext (guards\n * against unexpected SDK-response shapes).\n * Any KMS API error (PermissionDenied, NotFound, etc.) propagates as-is.\n */\nexport function gcpKmsSealingProvider(opts: GcpKmsSealingProviderOptions): SealingKeyProvider {\n const client: KmsClientLike = opts.client ?? new KeyManagementServiceClient()\n return {\n id: `gcp-kms:${opts.keyName}`,\n\n async seal(passphrase) {\n const [resp] = await client.encrypt({ name: opts.keyName, plaintext: passphrase })\n const blob = toUint8Array(resp?.ciphertext)\n if (!blob) throw new Error('@noy-db/at-gcp-kms: KMS encrypt returned no ciphertext')\n return blob\n },\n\n async unseal(sealed) {\n const [resp] = await client.decrypt({ name: opts.keyName, ciphertext: sealed })\n const pt = toUint8Array(resp?.plaintext)\n if (!pt) throw new Error('@noy-db/at-gcp-kms: KMS decrypt returned no plaintext')\n return pt\n },\n }\n}\n"],"mappings":";AA8DA,SAAS,kCAAkC;AAyB3C,SAAS,aAAa,OAAuE;AAC3F,MAAI,SAAS,KAAM,QAAO;AAC1B,MAAI,iBAAiB,WAAY,QAAO;AAExC,SAAO,OAAO,KAAK,OAAO,QAAQ;AACpC;AAcO,SAAS,sBAAsB,MAAwD;AAC5F,QAAM,SAAwB,KAAK,UAAU,IAAI,2BAA2B;AAC5E,SAAO;AAAA,IACL,IAAI,WAAW,KAAK,OAAO;AAAA,IAE3B,MAAM,KAAK,YAAY;AACrB,YAAM,CAAC,IAAI,IAAI,MAAM,OAAO,QAAQ,EAAE,MAAM,KAAK,SAAS,WAAW,WAAW,CAAC;AACjF,YAAM,OAAO,aAAa,MAAM,UAAU;AAC1C,UAAI,CAAC,KAAM,OAAM,IAAI,MAAM,wDAAwD;AACnF,aAAO;AAAA,IACT;AAAA,IAEA,MAAM,OAAO,QAAQ;AACnB,YAAM,CAAC,IAAI,IAAI,MAAM,OAAO,QAAQ,EAAE,MAAM,KAAK,SAAS,YAAY,OAAO,CAAC;AAC9E,YAAM,KAAK,aAAa,MAAM,SAAS;AACvC,UAAI,CAAC,GAAI,OAAM,IAAI,MAAM,uDAAuD;AAChF,aAAO;AAAA,IACT;AAAA,EACF;AACF;","names":[]}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@noy-db/at-gcp-kms",
|
|
3
|
-
"version": "0.2.0-pre.
|
|
3
|
+
"version": "0.2.0-pre.5",
|
|
4
4
|
"description": "Google Cloud KMS sealing key provider for noy-db managed-passphrase mode.",
|
|
5
5
|
"license": "MIT",
|
|
6
6
|
"author": "vLannaAi <vicio@lanna.ai>",
|
|
@@ -40,14 +40,14 @@
|
|
|
40
40
|
},
|
|
41
41
|
"peerDependencies": {
|
|
42
42
|
"@google-cloud/kms": "^4.0.0",
|
|
43
|
-
"@noy-db/hub": "0.2.0-pre.
|
|
43
|
+
"@noy-db/hub": "0.2.0-pre.5"
|
|
44
44
|
},
|
|
45
45
|
"devDependencies": {
|
|
46
46
|
"@types/node": "^22.0.0",
|
|
47
47
|
"@google-cloud/kms": "^4.0.0",
|
|
48
|
-
"@noy-db/to-memory": "0.2.0-pre.
|
|
49
|
-
"@noy-db/
|
|
50
|
-
"@noy-db/
|
|
48
|
+
"@noy-db/to-memory": "0.2.0-pre.5",
|
|
49
|
+
"@noy-db/hub": "0.2.0-pre.5",
|
|
50
|
+
"@noy-db/on-shamir": "0.2.0-pre.5"
|
|
51
51
|
},
|
|
52
52
|
"keywords": [
|
|
53
53
|
"noy-db",
|