@noy-db/at-gcp-kms 0.2.0-pre.9 → 0.3.0-pre.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@noy-db/at-gcp-kms",
3
- "version": "0.2.0-pre.9",
3
+ "version": "0.3.0-pre.2",
4
4
  "description": "Google Cloud KMS sealing key provider for noy-db managed-passphrase mode.",
5
5
  "license": "MIT",
6
6
  "author": "vLannaAi <vicio@lanna.ai>",
@@ -17,17 +17,10 @@
17
17
  "sideEffects": false,
18
18
  "exports": {
19
19
  ".": {
20
- "import": {
21
- "types": "./dist/index.d.ts",
22
- "default": "./dist/index.js"
23
- },
24
- "require": {
25
- "types": "./dist/index.d.cts",
26
- "default": "./dist/index.cjs"
27
- }
20
+ "types": "./dist/index.d.ts",
21
+ "default": "./dist/index.js"
28
22
  }
29
23
  },
30
- "main": "./dist/index.cjs",
31
24
  "module": "./dist/index.js",
32
25
  "types": "./dist/index.d.ts",
33
26
  "files": [
@@ -36,18 +29,18 @@
36
29
  "LICENSE"
37
30
  ],
38
31
  "engines": {
39
- "node": ">=18.0.0"
32
+ "node": ">=22.0.0"
40
33
  },
41
34
  "peerDependencies": {
42
35
  "@google-cloud/kms": "^4.0.0",
43
- "@noy-db/hub": "0.2.0-pre.9"
36
+ "@noy-db/hub": "0.3.0-pre.2"
44
37
  },
45
38
  "devDependencies": {
46
39
  "@types/node": "^22.0.0",
47
40
  "@google-cloud/kms": "^4.0.0",
48
- "@noy-db/hub": "0.2.0-pre.9",
49
- "@noy-db/to-memory": "0.2.0-pre.9",
50
- "@noy-db/on-shamir": "0.2.0-pre.9"
41
+ "@noy-db/hub": "0.3.0-pre.2",
42
+ "@noy-db/to-memory": "0.3.0-pre.2",
43
+ "@noy-db/on-shamir": "0.3.0-pre.2"
51
44
  },
52
45
  "keywords": [
53
46
  "noy-db",
package/dist/index.cjs DELETED
@@ -1,54 +0,0 @@
1
- "use strict";
2
- var __defProp = Object.defineProperty;
3
- var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
4
- var __getOwnPropNames = Object.getOwnPropertyNames;
5
- var __hasOwnProp = Object.prototype.hasOwnProperty;
6
- var __export = (target, all) => {
7
- for (var name in all)
8
- __defProp(target, name, { get: all[name], enumerable: true });
9
- };
10
- var __copyProps = (to, from, except, desc) => {
11
- if (from && typeof from === "object" || typeof from === "function") {
12
- for (let key of __getOwnPropNames(from))
13
- if (!__hasOwnProp.call(to, key) && key !== except)
14
- __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
15
- }
16
- return to;
17
- };
18
- var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
19
-
20
- // src/index.ts
21
- var index_exports = {};
22
- __export(index_exports, {
23
- gcpKmsSealingProvider: () => gcpKmsSealingProvider
24
- });
25
- module.exports = __toCommonJS(index_exports);
26
- var import_kms = require("@google-cloud/kms");
27
- function toUint8Array(value) {
28
- if (value == null) return void 0;
29
- if (value instanceof Uint8Array) return value;
30
- return Buffer.from(value, "base64");
31
- }
32
- function gcpKmsSealingProvider(opts) {
33
- const client = opts.client ?? new import_kms.KeyManagementServiceClient();
34
- return {
35
- id: `gcp-kms:${opts.keyName}`,
36
- async seal(passphrase) {
37
- const [resp] = await client.encrypt({ name: opts.keyName, plaintext: passphrase });
38
- const blob = toUint8Array(resp?.ciphertext);
39
- if (!blob) throw new Error("@noy-db/at-gcp-kms: KMS encrypt returned no ciphertext");
40
- return blob;
41
- },
42
- async unseal(sealed) {
43
- const [resp] = await client.decrypt({ name: opts.keyName, ciphertext: sealed });
44
- const pt = toUint8Array(resp?.plaintext);
45
- if (!pt) throw new Error("@noy-db/at-gcp-kms: KMS decrypt returned no plaintext");
46
- return pt;
47
- }
48
- };
49
- }
50
- // Annotate the CommonJS export names for ESM import in node:
51
- 0 && (module.exports = {
52
- gcpKmsSealingProvider
53
- });
54
- //# sourceMappingURL=index.cjs.map
@@ -1 +0,0 @@
1
- {"version":3,"sources":["../src/index.ts"],"sourcesContent":["/**\n * **@noy-db/at-gcp-kms** — Google Cloud KMS sealing key provider for noy-db\n * managed-passphrase mode.\n *\n * An `at-*` provider that seals and unseals the hub-generated random\n * passphrase via Google Cloud KMS Encrypt / Decrypt. Every seal and unseal is\n * an authenticated KMS API call, giving you a Cloud Audit Logs-backed access\n * log of every time a user's vault is opened — no additional instrumentation\n * required.\n *\n * ## When to use\n *\n * - Compliance regimes requiring auditable key access logs (FedRAMP, HIPAA\n * with managed-encryption requirements, SOC 2 Type II).\n * - Workloads already running on GCP where a Cloud KMS key costs less than\n * engineering an equivalent audit trail.\n * - Any case where you want automatic key rotation without rotating your\n * app's sealing key material manually.\n *\n * ## Setup\n *\n * ```bash\n * # 1. Create a key ring and symmetric crypto key once:\n * gcloud kms keyrings create noy-db-ring --location global\n * gcloud kms keys create noy-db-sealing \\\n * --location global \\\n * --keyring noy-db-ring \\\n * --purpose encryption\n * # Note the full resource name from the output.\n *\n * # 2. Grant your host's service account the Cloud KMS CryptoKey Encrypter/Decrypter role:\n * gcloud kms keys add-iam-policy-binding noy-db-sealing \\\n * --location global \\\n * --keyring noy-db-ring \\\n * --member serviceAccount:HOST_SA@PROJECT.iam.gserviceaccount.com \\\n * --role roles/cloudkms.cryptoKeyEncrypterDecrypter\n * # Credentials are picked up automatically via Application Default Credentials\n * # (ADC): service account attached to GCE/GKE, GOOGLE_APPLICATION_CREDENTIALS\n * # env var, or `gcloud auth application-default login` for local dev.\n * ```\n *\n * ```ts\n * // 3. In your app:\n * import { createNoydb } from '@noy-db/hub'\n * import { gcpKmsSealingProvider } from '@noy-db/at-gcp-kms'\n * import { shamirRecoveryProvider } from '@noy-db/on-shamir'\n *\n * const db = await createNoydb({\n * store,\n * user: 'alice',\n * passphraseMode: 'managed',\n * sealingKey: gcpKmsSealingProvider({\n * keyName: 'projects/my-project/locations/global/keyRings/noy-db-ring/cryptoKeys/noy-db-sealing',\n * }),\n * shamirRecovery: shamirRecoveryProvider(),\n * })\n * ```\n *\n * @packageDocumentation\n */\n\nimport type { SealingKeyProvider } from '@noy-db/hub'\nimport { KeyManagementServiceClient } from '@google-cloud/kms'\nimport type { protos } from '@google-cloud/kms'\n\ntype IEncryptRequest = protos.google.cloud.kms.v1.IEncryptRequest\ntype IDecryptRequest = protos.google.cloud.kms.v1.IDecryptRequest\ntype IEncryptResponse = protos.google.cloud.kms.v1.IEncryptResponse\ntype IDecryptResponse = protos.google.cloud.kms.v1.IDecryptResponse\n\n/** Minimal client surface required by {@link gcpKmsSealingProvider}. */\ninterface KmsClientLike {\n encrypt(request: IEncryptRequest): Promise<[IEncryptResponse, IEncryptRequest | undefined, unknown]>\n decrypt(request: IDecryptRequest): Promise<[IDecryptResponse, IDecryptRequest | undefined, unknown]>\n}\n\n/** Options for {@link gcpKmsSealingProvider}. */\nexport interface GcpKmsSealingProviderOptions {\n /**\n * Full crypto-key resource name, e.g.\n * `projects/PROJECT/locations/LOCATION/keyRings/RING/cryptoKeys/KEY`.\n */\n readonly keyName: string\n /** Optional pre-built client (DI for tests). Default: `new KeyManagementServiceClient()` (ambient ADC). */\n readonly client?: KmsClientLike\n}\n\nfunction toUint8Array(value: Uint8Array | string | null | undefined): Uint8Array | undefined {\n if (value == null) return undefined\n if (value instanceof Uint8Array) return value\n // protobuf may return a base64 string in some environments\n return Buffer.from(value, 'base64')\n}\n\n/**\n * Build a {@link SealingKeyProvider} backed by Google Cloud KMS Encrypt / Decrypt.\n *\n * Credentials are resolved via Application Default Credentials (ADC) — attached\n * service accounts, `GOOGLE_APPLICATION_CREDENTIALS`, or local gcloud login.\n * Never pass raw credentials in the options; inject a pre-configured client for\n * non-default auth instead.\n *\n * @throws Error when KMS returns no ciphertext or no plaintext (guards\n * against unexpected SDK-response shapes).\n * Any KMS API error (PermissionDenied, NotFound, etc.) propagates as-is.\n */\nexport function gcpKmsSealingProvider(opts: GcpKmsSealingProviderOptions): SealingKeyProvider {\n const client: KmsClientLike = opts.client ?? new KeyManagementServiceClient()\n return {\n id: `gcp-kms:${opts.keyName}`,\n\n async seal(passphrase) {\n const [resp] = await client.encrypt({ name: opts.keyName, plaintext: passphrase })\n const blob = toUint8Array(resp?.ciphertext)\n if (!blob) throw new Error('@noy-db/at-gcp-kms: KMS encrypt returned no ciphertext')\n return blob\n },\n\n async unseal(sealed) {\n const [resp] = await client.decrypt({ name: opts.keyName, ciphertext: sealed })\n const pt = toUint8Array(resp?.plaintext)\n if (!pt) throw new Error('@noy-db/at-gcp-kms: KMS decrypt returned no plaintext')\n return pt\n },\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AA8DA,iBAA2C;AAyB3C,SAAS,aAAa,OAAuE;AAC3F,MAAI,SAAS,KAAM,QAAO;AAC1B,MAAI,iBAAiB,WAAY,QAAO;AAExC,SAAO,OAAO,KAAK,OAAO,QAAQ;AACpC;AAcO,SAAS,sBAAsB,MAAwD;AAC5F,QAAM,SAAwB,KAAK,UAAU,IAAI,sCAA2B;AAC5E,SAAO;AAAA,IACL,IAAI,WAAW,KAAK,OAAO;AAAA,IAE3B,MAAM,KAAK,YAAY;AACrB,YAAM,CAAC,IAAI,IAAI,MAAM,OAAO,QAAQ,EAAE,MAAM,KAAK,SAAS,WAAW,WAAW,CAAC;AACjF,YAAM,OAAO,aAAa,MAAM,UAAU;AAC1C,UAAI,CAAC,KAAM,OAAM,IAAI,MAAM,wDAAwD;AACnF,aAAO;AAAA,IACT;AAAA,IAEA,MAAM,OAAO,QAAQ;AACnB,YAAM,CAAC,IAAI,IAAI,MAAM,OAAO,QAAQ,EAAE,MAAM,KAAK,SAAS,YAAY,OAAO,CAAC;AAC9E,YAAM,KAAK,aAAa,MAAM,SAAS;AACvC,UAAI,CAAC,GAAI,OAAM,IAAI,MAAM,uDAAuD;AAChF,aAAO;AAAA,IACT;AAAA,EACF;AACF;","names":[]}
package/dist/index.d.cts DELETED
@@ -1,98 +0,0 @@
1
- import { SealingKeyProvider } from '@noy-db/hub';
2
- import { protos } from '@google-cloud/kms';
3
-
4
- /**
5
- * **@noy-db/at-gcp-kms** — Google Cloud KMS sealing key provider for noy-db
6
- * managed-passphrase mode.
7
- *
8
- * An `at-*` provider that seals and unseals the hub-generated random
9
- * passphrase via Google Cloud KMS Encrypt / Decrypt. Every seal and unseal is
10
- * an authenticated KMS API call, giving you a Cloud Audit Logs-backed access
11
- * log of every time a user's vault is opened — no additional instrumentation
12
- * required.
13
- *
14
- * ## When to use
15
- *
16
- * - Compliance regimes requiring auditable key access logs (FedRAMP, HIPAA
17
- * with managed-encryption requirements, SOC 2 Type II).
18
- * - Workloads already running on GCP where a Cloud KMS key costs less than
19
- * engineering an equivalent audit trail.
20
- * - Any case where you want automatic key rotation without rotating your
21
- * app's sealing key material manually.
22
- *
23
- * ## Setup
24
- *
25
- * ```bash
26
- * # 1. Create a key ring and symmetric crypto key once:
27
- * gcloud kms keyrings create noy-db-ring --location global
28
- * gcloud kms keys create noy-db-sealing \
29
- * --location global \
30
- * --keyring noy-db-ring \
31
- * --purpose encryption
32
- * # Note the full resource name from the output.
33
- *
34
- * # 2. Grant your host's service account the Cloud KMS CryptoKey Encrypter/Decrypter role:
35
- * gcloud kms keys add-iam-policy-binding noy-db-sealing \
36
- * --location global \
37
- * --keyring noy-db-ring \
38
- * --member serviceAccount:HOST_SA@PROJECT.iam.gserviceaccount.com \
39
- * --role roles/cloudkms.cryptoKeyEncrypterDecrypter
40
- * # Credentials are picked up automatically via Application Default Credentials
41
- * # (ADC): service account attached to GCE/GKE, GOOGLE_APPLICATION_CREDENTIALS
42
- * # env var, or `gcloud auth application-default login` for local dev.
43
- * ```
44
- *
45
- * ```ts
46
- * // 3. In your app:
47
- * import { createNoydb } from '@noy-db/hub'
48
- * import { gcpKmsSealingProvider } from '@noy-db/at-gcp-kms'
49
- * import { shamirRecoveryProvider } from '@noy-db/on-shamir'
50
- *
51
- * const db = await createNoydb({
52
- * store,
53
- * user: 'alice',
54
- * passphraseMode: 'managed',
55
- * sealingKey: gcpKmsSealingProvider({
56
- * keyName: 'projects/my-project/locations/global/keyRings/noy-db-ring/cryptoKeys/noy-db-sealing',
57
- * }),
58
- * shamirRecovery: shamirRecoveryProvider(),
59
- * })
60
- * ```
61
- *
62
- * @packageDocumentation
63
- */
64
-
65
- type IEncryptRequest = protos.google.cloud.kms.v1.IEncryptRequest;
66
- type IDecryptRequest = protos.google.cloud.kms.v1.IDecryptRequest;
67
- type IEncryptResponse = protos.google.cloud.kms.v1.IEncryptResponse;
68
- type IDecryptResponse = protos.google.cloud.kms.v1.IDecryptResponse;
69
- /** Minimal client surface required by {@link gcpKmsSealingProvider}. */
70
- interface KmsClientLike {
71
- encrypt(request: IEncryptRequest): Promise<[IEncryptResponse, IEncryptRequest | undefined, unknown]>;
72
- decrypt(request: IDecryptRequest): Promise<[IDecryptResponse, IDecryptRequest | undefined, unknown]>;
73
- }
74
- /** Options for {@link gcpKmsSealingProvider}. */
75
- interface GcpKmsSealingProviderOptions {
76
- /**
77
- * Full crypto-key resource name, e.g.
78
- * `projects/PROJECT/locations/LOCATION/keyRings/RING/cryptoKeys/KEY`.
79
- */
80
- readonly keyName: string;
81
- /** Optional pre-built client (DI for tests). Default: `new KeyManagementServiceClient()` (ambient ADC). */
82
- readonly client?: KmsClientLike;
83
- }
84
- /**
85
- * Build a {@link SealingKeyProvider} backed by Google Cloud KMS Encrypt / Decrypt.
86
- *
87
- * Credentials are resolved via Application Default Credentials (ADC) — attached
88
- * service accounts, `GOOGLE_APPLICATION_CREDENTIALS`, or local gcloud login.
89
- * Never pass raw credentials in the options; inject a pre-configured client for
90
- * non-default auth instead.
91
- *
92
- * @throws Error when KMS returns no ciphertext or no plaintext (guards
93
- * against unexpected SDK-response shapes).
94
- * Any KMS API error (PermissionDenied, NotFound, etc.) propagates as-is.
95
- */
96
- declare function gcpKmsSealingProvider(opts: GcpKmsSealingProviderOptions): SealingKeyProvider;
97
-
98
- export { type GcpKmsSealingProviderOptions, gcpKmsSealingProvider };