npm - @reaatech/media-pipeline-mcp-keyvault - Versions diffs - 0.3.0 - Mend

@reaatech/media-pipeline-mcp-keyvault 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/LICENSE ADDED Viewed

@@ -0,0 +1,21 @@
+MIT License
+Copyright (c) 2026 Media Pipeline MCP Contributors
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md ADDED Viewed

@@ -0,0 +1,194 @@
+# @reaatech/media-pipeline-mcp-keyvault
+[![npm version](https://img.shields.io/npm/v/@reaatech/media-pipeline-mcp-keyvault)](https://www.npmjs.com/package/@reaatech/media-pipeline-mcp-keyvault)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://github.com/reaatech/media-pipeline-mcp/blob/main/LICENSE)
+[![CI](https://github.com/reaatech/media-pipeline-mcp/actions/workflows/ci.yml/badge.svg)](https://github.com/reaatech/media-pipeline-mcp/actions/workflows/ci.yml)
+> **Status:** Pre-1.0 — APIs may change in minor versions. Pin to a specific version in production.
+Multi-tenant API key vault with AWS Secrets Manager, GCP Secret Manager, environment-variable, and in-memory backends. Provides tenant-scoped provider credential resolution with caching and health checks.
+## Installation
+```bash
+npm install @reaatech/media-pipeline-mcp-keyvault
+```
+```bash
+pnpm add @reaatech/media-pipeline-mcp-keyvault
+```
+Cloud backends require optional peer dependencies:
+```bash
+# AWS Secrets Manager
+pnpm add @aws-sdk/client-secrets-manager
+# GCP Secret Manager
+pnpm add @google-cloud/secret-manager
+```
+## Feature Overview
+- Four vault backends: in-memory (dev/testing), environment variables, AWS Secrets Manager, GCP Secret Manager
+- Per-tenant provider credential resolution with budget caps, allowed provider/model lists, and metadata
+- LRU-style TTL caching to avoid secret manager round-trips on every call
+- Health check probes per backend
+- Tenant resolution strategies for multi-protocol tenant identification (header, JWT, OAuth scope, mTLS CN, static)
+## Quick Start
+```typescript
+import { InMemoryKeyVault, EnvKeyVault } from '@reaatech/media-pipeline-mcp-keyvault';
+// Development / testing: seed keys programmatically
+const vault = new InMemoryKeyVault();
+vault.set('acme', {
+  openai: 'sk-...',
+  stability: 'sk-...',
+});
+// Production-style: read from environment
+// Expects ACME_OPENAI_API_KEY, ACME_STABILITY_API_KEY env vars
+const envVault = new EnvKeyVault();
+// Resolve all credentials for a tenant
+const ctx = await vault.resolve('acme');
+console.log(ctx.tenantId);
+// → 'acme'
+console.log(ctx.providerKeys.get('openai'));
+// → 'sk-...'
+// Get a single key
+const key = await vault.get('acme', 'openai');
+// Check backend health
+const { healthy, latencyMs } = await vault.health();
+```
+### AWS Secrets Manager
+```typescript
+import { AwsSecretsManagerKeyVault } from '@reaatech/media-pipeline-mcp-keyvault';
+const vault = new AwsSecretsManagerKeyVault({
+  region: 'us-east-1',
+  secretPrefix: 'mp/tenants', // defaults to 'mp/tenants'
+  cacheTtlMs: 300_000,         // 5 min — default
+});
+// Secret stored at mp/tenants/acme:
+// {
+//   "openai": "sk-...",
+//   "stability": "sk-...",
+//   "budgetCaps": { "dailyUsd": 50 },
+//   "allowedProviders": ["openai", "stability"],
+//   "metadata": { "tier": "enterprise" }
+// }
+const ctx = await vault.resolve('acme');
+console.log(ctx.budgetCaps?.dailyUsd); // 50
+console.log(ctx.allowedProviders);      // ['openai', 'stability']
+```
+### GCP Secret Manager
+```typescript
+import { GcpSecretManagerKeyVault } from '@reaatech/media-pipeline-mcp-keyvault';
+const vault = new GcpSecretManagerKeyVault({
+  projectId: 'my-gcp-project',
+  secretPrefix: 'mp-tenants', // defaults to 'mp-tenants'
+  cacheTtlMs: 300_000,
+});
+// Secret stored at projects/my-gcp-project/secrets/mp-tenants-acme/versions/latest
+// Same JSON shape as AWS above.
+```
+## API Reference
+### Types
+| Type | Description |
+|------|-------------|
+| `TenantContext` | Resolved tenant: `tenantId`, `providerKeys` (ReadonlyMap), optional `budgetCaps`, `allowedProviders`, `allowedModels`, `metadata` |
+| `KeyVault` | Interface: `resolve(tenantId)`, `get(tenantId, key)`, `health()` |
+| `TenantResolutionStrategy` | Discriminated union of tenant identification strategies: `header`, `jwt`, `oauth-scope`, `mtls-cn`, `static`, `custom` |
+### Classes
+| Class | Description |
+|-------|-------------|
+| `InMemoryKeyVault` | Programmatic seed for development and testing. Call `set(tenantId, keys, overrides?)` to register tenants. |
+| `EnvKeyVault` | Reads keys from env vars matching `${TENANT_ID}_${PROVIDER}_API_KEY` (case-insensitive). Provider list is discovered dynamically. |
+| `AwsSecretsManagerKeyVault` | AWS Secrets Manager backend. One secret per tenant at `${prefix}/${tenantId}`, JSON payload. Supports configurable region, credentials, and cache TTL. |
+| `GcpSecretManagerKeyVault` | GCP Secret Manager backend. One secret per tenant at `projects/${projectId}/secrets/${prefix}-${tenantId}`, latest version. Supports service-account key file and cache TTL. |
+**`AwsSecretsManagerKeyVaultConfig`:**
+| Option | Type | Default | Description |
+|--------|------|---------|-------------|
+| `region` | `string` | _(required)_ | AWS region |
+| `secretPrefix` | `string` | `'mp/tenants'` | Path prefix for tenant secrets |
+| `cacheTtlMs` | `number` | `300_000` | Cache lifetime in ms |
+| `credentials` | `object` | _(none)_ | Explicit AWS credentials (accessKeyId, secretAccessKey, sessionToken) |
+**`GcpSecretManagerKeyVaultConfig`:**
+| Option | Type | Default | Description |
+|--------|------|---------|-------------|
+| `projectId` | `string` | _(required)_ | GCP project ID |
+| `secretPrefix` | `string` | `'mp-tenants'` | Prefix segment before `-${tenantId}` |
+| `cacheTtlMs` | `number` | `300_000` | Cache lifetime in ms |
+| `keyFilename` | `string` | _(none)_ | Service account key file path |
+### Secret Payload Format
+All cloud backends expect the same JSON shape per tenant secret:
+```json
+{
+  "openai": "sk-...",
+  "stability": "sk-...",
+  "replicate": "r8_...",
+  "budgetCaps": { "dailyUsd": 100, "monthlyUsd": 3000 },
+  "allowedProviders": ["openai", "stability"],
+  "allowedModels": ["gpt-4o-mini", "sd3"],
+  "metadata": { "tier": "premium" }
+}
+```
+Top-level string values are treated as provider API keys. The reserved keys `budgetCaps`, `allowedProviders`, `allowedModels`, and `metadata` populate the corresponding `TenantContext` fields.
+## Usage Patterns
+### Multi-Provider Tenant Setup
+```typescript
+const vault = new InMemoryKeyVault();
+vault.set('enterprise', {
+  openai: process.env.OPENAI_KEY,
+  anthropic: process.env.ANTHROPIC_KEY,
+  google: process.env.GOOGLE_KEY,
+}, {
+  budgetCaps: { dailyUsd: 500, monthlyUsd: 10000 },
+  allowedProviders: ['openai', 'anthropic', 'google'],
+  allowedModels: ['gpt-4o', 'claude-3-opus', 'gemini-1.5-pro'],
+  metadata: { tier: 'enterprise' },
+});
+```
+### Health Check
+The `health()` method returns `{ healthy, latencyMs }`. Cloud backends issue a synthetic secret lookup and treat `NOT_FOUND` / `ResourceNotFoundException` as healthy (the service responded); other errors indicate unavailability.
+## Related Packages
+- [@reaatech/media-pipeline-mcp-core](https://www.npmjs.com/package/@reaatech/media-pipeline-mcp-core) — `TenantNotFoundError` and `KeyVaultUnavailableError` types
+- [@reaatech/media-pipeline-mcp-cost](https://www.npmjs.com/package/@reaatech/media-pipeline-mcp-cost) — Budget caps resolved from this vault feed into cost preflight checks
+- [@reaatech/media-pipeline-mcp](https://www.npmjs.com/package/@reaatech/media-pipeline-mcp) — Full MCP server consuming tenant credentials from this vault
+## License
+[MIT](https://github.com/reaatech/media-pipeline-mcp/blob/main/LICENSE)

package/dist/index.cjs ADDED Viewed

@@ -0,0 +1,288 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  AwsSecretsManagerKeyVault: () => AwsSecretsManagerKeyVault,
+  EnvKeyVault: () => EnvKeyVault,
+  GcpSecretManagerKeyVault: () => GcpSecretManagerKeyVault,
+  InMemoryKeyVault: () => InMemoryKeyVault
+});
+module.exports = __toCommonJS(index_exports);
+// src/vaults.ts
+var import_media_pipeline_mcp_core = require("@reaatech/media-pipeline-mcp-core");
+var InMemoryKeyVault = class {
+  tenants = /* @__PURE__ */ new Map();
+  set(tenantId, keys, overrides) {
+    this.tenants.set(tenantId, { keys, overrides });
+  }
+  async resolve(tenantId) {
+    const entry = this.tenants.get(tenantId);
+    if (!entry) throw new import_media_pipeline_mcp_core.TenantNotFoundError();
+    return {
+      tenantId,
+      providerKeys: new Map(Object.entries(entry.keys)),
+      ...entry.overrides
+    };
+  }
+  async get(tenantId, key) {
+    const entry = this.tenants.get(tenantId);
+    return entry?.keys[key] ?? null;
+  }
+  async health() {
+    return { healthy: true, latencyMs: 0 };
+  }
+};
+var EnvKeyVault = class {
+  async resolve(tenantId) {
+    const keys = {};
+    const prefix = `${tenantId.toUpperCase()}_`;
+    const suffix = "_API_KEY";
+    for (const [envKey, val] of Object.entries(process.env)) {
+      if (envKey.startsWith(prefix) && envKey.endsWith(suffix) && typeof val === "string") {
+        const provider = envKey.slice(prefix.length, envKey.length - suffix.length).toLowerCase();
+        if (provider.length > 0) keys[provider] = val;
+      }
+    }
+    if (Object.keys(keys).length === 0) {
+      throw new import_media_pipeline_mcp_core.TenantNotFoundError();
+    }
+    return {
+      tenantId,
+      providerKeys: new Map(Object.entries(keys))
+    };
+  }
+  async get(tenantId, key) {
+    const envKey = `${tenantId.toUpperCase()}_${key.toUpperCase()}`;
+    return process.env[envKey] ?? null;
+  }
+  async health() {
+    return { healthy: true, latencyMs: 0 };
+  }
+};
+// src/aws-secrets-vault.ts
+var import_client_secrets_manager = require("@aws-sdk/client-secrets-manager");
+var import_media_pipeline_mcp_core2 = require("@reaatech/media-pipeline-mcp-core");
+var AwsSecretsManagerKeyVault = class {
+  client;
+  cache = /* @__PURE__ */ new Map();
+  cacheTtlMs;
+  secretPrefix;
+  constructor(config) {
+    this.cacheTtlMs = config.cacheTtlMs ?? 3e5;
+    this.secretPrefix = config.secretPrefix ?? "mp/tenants";
+    this.client = new import_client_secrets_manager.SecretsManagerClient({
+      region: config.region,
+      ...config.credentials ? { credentials: config.credentials } : {}
+    });
+  }
+  secretName(tenantId) {
+    return `${this.secretPrefix}/${tenantId}`;
+  }
+  async resolve(tenantId) {
+    const now = Date.now();
+    const cached = this.cache.get(tenantId);
+    if (cached && cached.expiresAtMs > now) {
+      return cached.context;
+    }
+    let payload;
+    try {
+      const response = await this.client.send(
+        new import_client_secrets_manager.GetSecretValueCommand({ SecretId: this.secretName(tenantId) })
+      );
+      payload = response.SecretString;
+    } catch (err) {
+      const name = err?.name;
+      if (name === "ResourceNotFoundException") {
+        throw new import_media_pipeline_mcp_core2.TenantNotFoundError();
+      }
+      throw new import_media_pipeline_mcp_core2.KeyVaultUnavailableError();
+    }
+    if (!payload) {
+      throw new import_media_pipeline_mcp_core2.TenantNotFoundError();
+    }
+    let parsed;
+    try {
+      parsed = JSON.parse(payload);
+    } catch {
+      throw new import_media_pipeline_mcp_core2.KeyVaultUnavailableError();
+    }
+    const { providerKeys, extras } = splitTenantPayload(parsed);
+    const context = {
+      tenantId,
+      providerKeys,
+      ...extras.budgetCaps ? { budgetCaps: extras.budgetCaps } : {},
+      ...extras.allowedProviders ? { allowedProviders: extras.allowedProviders } : {},
+      ...extras.allowedModels ? { allowedModels: extras.allowedModels } : {},
+      ...extras.metadata ? { metadata: extras.metadata } : {}
+    };
+    this.cache.set(tenantId, { context, expiresAtMs: now + this.cacheTtlMs });
+    return context;
+  }
+  async get(tenantId, key) {
+    try {
+      const context = await this.resolve(tenantId);
+      return context.providerKeys.get(key) ?? null;
+    } catch (err) {
+      if (err instanceof import_media_pipeline_mcp_core2.TenantNotFoundError) return null;
+      throw err;
+    }
+  }
+  async health() {
+    const start = Date.now();
+    try {
+      await this.client.send(
+        new import_client_secrets_manager.GetSecretValueCommand({ SecretId: `${this.secretPrefix}/__health_probe__` })
+      );
+      return { healthy: true, latencyMs: Date.now() - start };
+    } catch (err) {
+      const name = err?.name;
+      if (name === "ResourceNotFoundException") {
+        return { healthy: true, latencyMs: Date.now() - start };
+      }
+      return { healthy: false, latencyMs: Date.now() - start };
+    }
+  }
+};
+function splitTenantPayload(parsed) {
+  const reserved = /* @__PURE__ */ new Set(["budgetCaps", "allowedProviders", "allowedModels", "metadata"]);
+  const providerKeys = /* @__PURE__ */ new Map();
+  const extras = {};
+  for (const [k, v] of Object.entries(parsed)) {
+    if (reserved.has(k)) {
+      extras[k] = v;
+    } else if (typeof v === "string") {
+      providerKeys.set(k, v);
+    }
+  }
+  return { providerKeys, extras };
+}
+// src/gcp-secret-vault.ts
+var import_secret_manager = require("@google-cloud/secret-manager");
+var import_media_pipeline_mcp_core3 = require("@reaatech/media-pipeline-mcp-core");
+var GcpSecretManagerKeyVault = class {
+  client;
+  cache = /* @__PURE__ */ new Map();
+  cacheTtlMs;
+  projectId;
+  secretPrefix;
+  constructor(config) {
+    this.cacheTtlMs = config.cacheTtlMs ?? 3e5;
+    this.projectId = config.projectId;
+    this.secretPrefix = config.secretPrefix ?? "mp-tenants";
+    this.client = new import_secret_manager.SecretManagerServiceClient(
+      config.keyFilename ? { keyFilename: config.keyFilename } : void 0
+    );
+  }
+  secretVersionName(tenantId) {
+    return `projects/${this.projectId}/secrets/${this.secretPrefix}-${tenantId}/versions/latest`;
+  }
+  async resolve(tenantId) {
+    const now = Date.now();
+    const cached = this.cache.get(tenantId);
+    if (cached && cached.expiresAtMs > now) {
+      return cached.context;
+    }
+    let payload;
+    try {
+      const [response] = await this.client.accessSecretVersion({
+        name: this.secretVersionName(tenantId)
+      });
+      const data = response?.payload?.data;
+      if (data) {
+        payload = typeof data === "string" ? data : Buffer.from(data).toString("utf8");
+      }
+    } catch (err) {
+      const code = err?.code;
+      if (code === 5 || code === "NOT_FOUND") {
+        throw new import_media_pipeline_mcp_core3.TenantNotFoundError();
+      }
+      throw new import_media_pipeline_mcp_core3.KeyVaultUnavailableError();
+    }
+    if (!payload) {
+      throw new import_media_pipeline_mcp_core3.TenantNotFoundError();
+    }
+    let parsed;
+    try {
+      parsed = JSON.parse(payload);
+    } catch {
+      throw new import_media_pipeline_mcp_core3.KeyVaultUnavailableError();
+    }
+    const { providerKeys, extras } = splitTenantPayload2(parsed);
+    const context = {
+      tenantId,
+      providerKeys,
+      ...extras.budgetCaps ? { budgetCaps: extras.budgetCaps } : {},
+      ...extras.allowedProviders ? { allowedProviders: extras.allowedProviders } : {},
+      ...extras.allowedModels ? { allowedModels: extras.allowedModels } : {},
+      ...extras.metadata ? { metadata: extras.metadata } : {}
+    };
+    this.cache.set(tenantId, { context, expiresAtMs: now + this.cacheTtlMs });
+    return context;
+  }
+  async get(tenantId, key) {
+    try {
+      const context = await this.resolve(tenantId);
+      return context.providerKeys.get(key) ?? null;
+    } catch (err) {
+      if (err instanceof import_media_pipeline_mcp_core3.TenantNotFoundError) return null;
+      throw err;
+    }
+  }
+  async health() {
+    const start = Date.now();
+    try {
+      await this.client.accessSecretVersion({
+        name: this.secretVersionName("__health_probe__")
+      });
+      return { healthy: true, latencyMs: Date.now() - start };
+    } catch (err) {
+      const code = err?.code;
+      if (code === 5 || code === "NOT_FOUND") {
+        return { healthy: true, latencyMs: Date.now() - start };
+      }
+      return { healthy: false, latencyMs: Date.now() - start };
+    }
+  }
+};
+function splitTenantPayload2(parsed) {
+  const reserved = /* @__PURE__ */ new Set(["budgetCaps", "allowedProviders", "allowedModels", "metadata"]);
+  const providerKeys = /* @__PURE__ */ new Map();
+  const extras = {};
+  for (const [k, v] of Object.entries(parsed)) {
+    if (reserved.has(k)) {
+      extras[k] = v;
+    } else if (typeof v === "string") {
+      providerKeys.set(k, v);
+    }
+  }
+  return { providerKeys, extras };
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  AwsSecretsManagerKeyVault,
+  EnvKeyVault,
+  GcpSecretManagerKeyVault,
+  InMemoryKeyVault
+});
+//# sourceMappingURL=index.cjs.map

package/dist/index.cjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/index.ts","../src/vaults.ts","../src/aws-secrets-vault.ts","../src/gcp-secret-vault.ts"],"sourcesContent":["export { InMemoryKeyVault, EnvKeyVault } from './vaults.js';\nexport { AwsSecretsManagerKeyVault } from './aws-secrets-vault.js';\nexport type { AwsSecretsManagerKeyVaultConfig } from './aws-secrets-vault.js';\nexport { GcpSecretManagerKeyVault } from './gcp-secret-vault.js';\nexport type { GcpSecretManagerKeyVaultConfig } from './gcp-secret-vault.js';\nexport * from './types.js';\n","import { TenantNotFoundError } from '@reaatech/media-pipeline-mcp-core';\nimport type { KeyVault, TenantContext } from './types.js';\n\nexport class InMemoryKeyVault implements KeyVault {\n private tenants = new Map<\n string,\n { keys: Record<string, string>; overrides?: Partial<TenantContext> }\n >();\n\n set(tenantId: string, keys: Record<string, string>, overrides?: Partial<TenantContext>): void {\n this.tenants.set(tenantId, { keys, overrides });\n }\n\n async resolve(tenantId: string): Promise<TenantContext> {\n const entry = this.tenants.get(tenantId);\n // Missing tenant → TenantNotFoundError (non-retryable, caller error). The earlier\n // KeyVaultUnavailableError was wrong: that signals infra outage and is retryable.\n if (!entry) throw new TenantNotFoundError();\n return {\n tenantId,\n providerKeys: new Map(Object.entries(entry.keys)),\n ...entry.overrides,\n };\n }\n\n async get(tenantId: string, key: string): Promise<string | null> {\n const entry = this.tenants.get(tenantId);\n return entry?.keys[key] ?? null;\n }\n\n async health(): Promise<{ healthy: boolean; latencyMs: number }> {\n return { healthy: true, latencyMs: 0 };\n }\n}\n\n/**\n * Reads per-tenant provider keys from environment variables matching\n * `${TENANT_ID}_${PROVIDER}_API_KEY` (e.g. `ACME_OPENAI_API_KEY`). Provider list is\n * discovered dynamically from env vars matching the pattern — adding a new provider\n * just means setting `${TENANT_ID}_${NEWPROVIDER}_API_KEY` without code changes.\n */\nexport class EnvKeyVault implements KeyVault {\n async resolve(tenantId: string): Promise<TenantContext> {\n const keys: Record<string, string> = {};\n const prefix = `${tenantId.toUpperCase()}_`;\n const suffix = '_API_KEY';\n for (const [envKey, val] of Object.entries(process.env)) {\n if (envKey.startsWith(prefix) && envKey.endsWith(suffix) && typeof val === 'string') {\n const provider = envKey.slice(prefix.length, envKey.length - suffix.length).toLowerCase();\n if (provider.length > 0) keys[provider] = val;\n }\n }\n if (Object.keys(keys).length === 0) {\n throw new TenantNotFoundError();\n }\n return {\n tenantId,\n providerKeys: new Map(Object.entries(keys)),\n };\n }\n\n async get(tenantId: string, key: string): Promise<string | null> {\n const envKey = `${tenantId.toUpperCase()}_${key.toUpperCase()}`;\n return process.env[envKey] ?? null;\n }\n\n async health(): Promise<{ healthy: boolean; latencyMs: number }> {\n return { healthy: true, latencyMs: 0 };\n }\n}\n","import { GetSecretValueCommand, SecretsManagerClient } from '@aws-sdk/client-secrets-manager';\nimport { KeyVaultUnavailableError, TenantNotFoundError } from '@reaatech/media-pipeline-mcp-core';\nimport type { KeyVault, TenantContext } from './types.js';\n\nexport interface AwsSecretsManagerKeyVaultConfig {\n region: string;\n /** Secret name pattern with `${tenantId}` placeholder. Default: `mp/tenants/${tenantId}`. */\n secretPrefix?: string;\n /** Cache resolved TenantContext for this many ms. Default 300_000 (5 min). */\n cacheTtlMs?: number;\n /** Optional AWS credentials override. Falls back to default credential chain. */\n credentials?: { accessKeyId: string; secretAccessKey: string; sessionToken?: string };\n}\n\ninterface CacheEntry {\n context: TenantContext;\n expiresAtMs: number;\n}\n\n/**\n * Resolves per-tenant provider keys from AWS Secrets Manager.\n *\n * Storage convention: one secret per tenant at `${secretPrefix}/${tenantId}` (default\n * `mp/tenants/${tenantId}`), value is JSON `{ \"openai\": \"sk-...\", \"anthropic\": \"sk-...\" }`.\n * Extended fields are passed through to `TenantContext.metadata`.\n */\nexport class AwsSecretsManagerKeyVault implements KeyVault {\n private client: SecretsManagerClient;\n private cache = new Map<string, CacheEntry>();\n private cacheTtlMs: number;\n private secretPrefix: string;\n\n constructor(config: AwsSecretsManagerKeyVaultConfig) {\n this.cacheTtlMs = config.cacheTtlMs ?? 300_000;\n this.secretPrefix = config.secretPrefix ?? 'mp/tenants';\n this.client = new SecretsManagerClient({\n region: config.region,\n ...(config.credentials ? { credentials: config.credentials } : {}),\n });\n }\n\n private secretName(tenantId: string): string {\n return `${this.secretPrefix}/${tenantId}`;\n }\n\n async resolve(tenantId: string): Promise<TenantContext> {\n const now = Date.now();\n const cached = this.cache.get(tenantId);\n if (cached && cached.expiresAtMs > now) {\n return cached.context;\n }\n\n let payload: string | undefined;\n try {\n const response = await this.client.send(\n new GetSecretValueCommand({ SecretId: this.secretName(tenantId) }),\n );\n payload = response.SecretString;\n } catch (err) {\n const name = (err as Error & { name?: string })?.name;\n // The AWS SDK throws ResourceNotFoundException for unknown secrets — that's a\n // tenant-not-found signal, not infra unavailability.\n if (name === 'ResourceNotFoundException') {\n throw new TenantNotFoundError();\n }\n throw new KeyVaultUnavailableError();\n }\n\n if (!payload) {\n throw new TenantNotFoundError();\n }\n\n let parsed: Record<string, unknown>;\n try {\n parsed = JSON.parse(payload) as Record<string, unknown>;\n } catch {\n throw new KeyVaultUnavailableError();\n }\n\n const { providerKeys, extras } = splitTenantPayload(parsed);\n const context: TenantContext = {\n tenantId,\n providerKeys,\n ...(extras.budgetCaps\n ? { budgetCaps: extras.budgetCaps as TenantContext['budgetCaps'] }\n : {}),\n ...(extras.allowedProviders ? { allowedProviders: extras.allowedProviders as string[] } : {}),\n ...(extras.allowedModels ? { allowedModels: extras.allowedModels as string[] } : {}),\n ...(extras.metadata ? { metadata: extras.metadata as Record<string, unknown> } : {}),\n };\n\n this.cache.set(tenantId, { context, expiresAtMs: now + this.cacheTtlMs });\n return context;\n }\n\n async get(tenantId: string, key: string): Promise<string | null> {\n try {\n const context = await this.resolve(tenantId);\n return context.providerKeys.get(key) ?? null;\n } catch (err) {\n if (err instanceof TenantNotFoundError) return null;\n throw err;\n }\n }\n\n async health(): Promise<{ healthy: boolean; latencyMs: number }> {\n const start = Date.now();\n try {\n // No cheap \"list\" API in Secrets Manager — issue a dummy GetSecretValue and treat\n // ResourceNotFoundException as healthy (the service responded). Anything else\n // (auth failure, network) is unhealthy.\n await this.client.send(\n new GetSecretValueCommand({ SecretId: `${this.secretPrefix}/__health_probe__` }),\n );\n return { healthy: true, latencyMs: Date.now() - start };\n } catch (err) {\n const name = (err as Error & { name?: string })?.name;\n if (name === 'ResourceNotFoundException') {\n return { healthy: true, latencyMs: Date.now() - start };\n }\n return { healthy: false, latencyMs: Date.now() - start };\n }\n }\n}\n\n/**\n * Split the parsed secret payload into the `providerKeys` map and the optional\n * TenantContext extras. The convention is: top-level string values are provider keys;\n * the reserved keys `budgetCaps`, `allowedProviders`, `allowedModels`, `metadata` are\n * passed through to the TenantContext.\n */\nfunction splitTenantPayload(parsed: Record<string, unknown>): {\n providerKeys: Map<string, string>;\n extras: Record<string, unknown>;\n} {\n const reserved = new Set(['budgetCaps', 'allowedProviders', 'allowedModels', 'metadata']);\n const providerKeys = new Map<string, string>();\n const extras: Record<string, unknown> = {};\n for (const [k, v] of Object.entries(parsed)) {\n if (reserved.has(k)) {\n extras[k] = v;\n } else if (typeof v === 'string') {\n providerKeys.set(k, v);\n }\n }\n return { providerKeys, extras };\n}\n","import { SecretManagerServiceClient } from '@google-cloud/secret-manager';\nimport { KeyVaultUnavailableError, TenantNotFoundError } from '@reaatech/media-pipeline-mcp-core';\nimport type { KeyVault, TenantContext } from './types.js';\n\nexport interface GcpSecretManagerKeyVaultConfig {\n projectId: string;\n /** Secret name pattern (the trailing segment under `projects/<id>/secrets/`). Default `mp-tenants`. */\n secretPrefix?: string;\n /** Cache resolved TenantContext for this many ms. Default 300_000 (5 min). */\n cacheTtlMs?: number;\n /** Optional service-account key file path. Falls back to default credentials. */\n keyFilename?: string;\n}\n\ninterface CacheEntry {\n context: TenantContext;\n expiresAtMs: number;\n}\n\n/**\n * Resolves per-tenant provider keys from GCP Secret Manager.\n *\n * Storage convention: one secret per tenant at `projects/${projectId}/secrets/${secretPrefix}-${tenantId}`,\n * latest version's payload is JSON `{ \"openai\": \"sk-...\", ... }` plus optional reserved\n * keys (budgetCaps, allowedProviders, allowedModels, metadata).\n */\nexport class GcpSecretManagerKeyVault implements KeyVault {\n private client: SecretManagerServiceClient;\n private cache = new Map<string, CacheEntry>();\n private cacheTtlMs: number;\n private projectId: string;\n private secretPrefix: string;\n\n constructor(config: GcpSecretManagerKeyVaultConfig) {\n this.cacheTtlMs = config.cacheTtlMs ?? 300_000;\n this.projectId = config.projectId;\n this.secretPrefix = config.secretPrefix ?? 'mp-tenants';\n this.client = new SecretManagerServiceClient(\n config.keyFilename ? { keyFilename: config.keyFilename } : undefined,\n );\n }\n\n private secretVersionName(tenantId: string): string {\n return `projects/${this.projectId}/secrets/${this.secretPrefix}-${tenantId}/versions/latest`;\n }\n\n async resolve(tenantId: string): Promise<TenantContext> {\n const now = Date.now();\n const cached = this.cache.get(tenantId);\n if (cached && cached.expiresAtMs > now) {\n return cached.context;\n }\n\n let payload: string | undefined;\n try {\n const [response] = await this.client.accessSecretVersion({\n name: this.secretVersionName(tenantId),\n });\n const data = response?.payload?.data;\n if (data) {\n payload = typeof data === 'string' ? data : Buffer.from(data).toString('utf8');\n }\n } catch (err) {\n const code = (err as Error & { code?: number | string })?.code;\n // gRPC code 5 = NOT_FOUND. Treat as tenant-not-found; anything else as infra-down.\n if (code === 5 || code === 'NOT_FOUND') {\n throw new TenantNotFoundError();\n }\n throw new KeyVaultUnavailableError();\n }\n\n if (!payload) {\n throw new TenantNotFoundError();\n }\n\n let parsed: Record<string, unknown>;\n try {\n parsed = JSON.parse(payload) as Record<string, unknown>;\n } catch {\n throw new KeyVaultUnavailableError();\n }\n\n const { providerKeys, extras } = splitTenantPayload(parsed);\n const context: TenantContext = {\n tenantId,\n providerKeys,\n ...(extras.budgetCaps\n ? { budgetCaps: extras.budgetCaps as TenantContext['budgetCaps'] }\n : {}),\n ...(extras.allowedProviders ? { allowedProviders: extras.allowedProviders as string[] } : {}),\n ...(extras.allowedModels ? { allowedModels: extras.allowedModels as string[] } : {}),\n ...(extras.metadata ? { metadata: extras.metadata as Record<string, unknown> } : {}),\n };\n\n this.cache.set(tenantId, { context, expiresAtMs: now + this.cacheTtlMs });\n return context;\n }\n\n async get(tenantId: string, key: string): Promise<string | null> {\n try {\n const context = await this.resolve(tenantId);\n return context.providerKeys.get(key) ?? null;\n } catch (err) {\n if (err instanceof TenantNotFoundError) return null;\n throw err;\n }\n }\n\n async health(): Promise<{ healthy: boolean; latencyMs: number }> {\n const start = Date.now();\n try {\n // Probe with a synthetic tenantId. NOT_FOUND means the service is reachable.\n await this.client.accessSecretVersion({\n name: this.secretVersionName('__health_probe__'),\n });\n return { healthy: true, latencyMs: Date.now() - start };\n } catch (err) {\n const code = (err as Error & { code?: number | string })?.code;\n if (code === 5 || code === 'NOT_FOUND') {\n return { healthy: true, latencyMs: Date.now() - start };\n }\n return { healthy: false, latencyMs: Date.now() - start };\n }\n }\n}\n\nfunction splitTenantPayload(parsed: Record<string, unknown>): {\n providerKeys: Map<string, string>;\n extras: Record<string, unknown>;\n} {\n const reserved = new Set(['budgetCaps', 'allowedProviders', 'allowedModels', 'metadata']);\n const providerKeys = new Map<string, string>();\n const extras: Record<string, unknown> = {};\n for (const [k, v] of Object.entries(parsed)) {\n if (reserved.has(k)) {\n extras[k] = v;\n } else if (typeof v === 'string') {\n providerKeys.set(k, v);\n }\n }\n return { providerKeys, extras };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACAA,qCAAoC;AAG7B,IAAM,mBAAN,MAA2C;AAAA,EACxC,UAAU,oBAAI,IAGpB;AAAA,EAEF,IAAI,UAAkB,MAA8B,WAA0C;AAC5F,SAAK,QAAQ,IAAI,UAAU,EAAE,MAAM,UAAU,CAAC;AAAA,EAChD;AAAA,EAEA,MAAM,QAAQ,UAA0C;AACtD,UAAM,QAAQ,KAAK,QAAQ,IAAI,QAAQ;AAGvC,QAAI,CAAC,MAAO,OAAM,IAAI,mDAAoB;AAC1C,WAAO;AAAA,MACL;AAAA,MACA,cAAc,IAAI,IAAI,OAAO,QAAQ,MAAM,IAAI,CAAC;AAAA,MAChD,GAAG,MAAM;AAAA,IACX;AAAA,EACF;AAAA,EAEA,MAAM,IAAI,UAAkB,KAAqC;AAC/D,UAAM,QAAQ,KAAK,QAAQ,IAAI,QAAQ;AACvC,WAAO,OAAO,KAAK,GAAG,KAAK;AAAA,EAC7B;AAAA,EAEA,MAAM,SAA2D;AAC/D,WAAO,EAAE,SAAS,MAAM,WAAW,EAAE;AAAA,EACvC;AACF;AAQO,IAAM,cAAN,MAAsC;AAAA,EAC3C,MAAM,QAAQ,UAA0C;AACtD,UAAM,OAA+B,CAAC;AACtC,UAAM,SAAS,GAAG,SAAS,YAAY,CAAC;AACxC,UAAM,SAAS;AACf,eAAW,CAAC,QAAQ,GAAG,KAAK,OAAO,QAAQ,QAAQ,GAAG,GAAG;AACvD,UAAI,OAAO,WAAW,MAAM,KAAK,OAAO,SAAS,MAAM,KAAK,OAAO,QAAQ,UAAU;AACnF,cAAM,WAAW,OAAO,MAAM,OAAO,QAAQ,OAAO,SAAS,OAAO,MAAM,EAAE,YAAY;AACxF,YAAI,SAAS,SAAS,EAAG,MAAK,QAAQ,IAAI;AAAA,MAC5C;AAAA,IACF;AACA,QAAI,OAAO,KAAK,IAAI,EAAE,WAAW,GAAG;AAClC,YAAM,IAAI,mDAAoB;AAAA,IAChC;AACA,WAAO;AAAA,MACL;AAAA,MACA,cAAc,IAAI,IAAI,OAAO,QAAQ,IAAI,CAAC;AAAA,IAC5C;AAAA,EACF;AAAA,EAEA,MAAM,IAAI,UAAkB,KAAqC;AAC/D,UAAM,SAAS,GAAG,SAAS,YAAY,CAAC,IAAI,IAAI,YAAY,CAAC;AAC7D,WAAO,QAAQ,IAAI,MAAM,KAAK;AAAA,EAChC;AAAA,EAEA,MAAM,SAA2D;AAC/D,WAAO,EAAE,SAAS,MAAM,WAAW,EAAE;AAAA,EACvC;AACF;;;ACrEA,oCAA4D;AAC5D,IAAAA,kCAA8D;AAyBvD,IAAM,4BAAN,MAAoD;AAAA,EACjD;AAAA,EACA,QAAQ,oBAAI,IAAwB;AAAA,EACpC;AAAA,EACA;AAAA,EAER,YAAY,QAAyC;AACnD,SAAK,aAAa,OAAO,cAAc;AACvC,SAAK,eAAe,OAAO,gBAAgB;AAC3C,SAAK,SAAS,IAAI,mDAAqB;AAAA,MACrC,QAAQ,OAAO;AAAA,MACf,GAAI,OAAO,cAAc,EAAE,aAAa,OAAO,YAAY,IAAI,CAAC;AAAA,IAClE,CAAC;AAAA,EACH;AAAA,EAEQ,WAAW,UAA0B;AAC3C,WAAO,GAAG,KAAK,YAAY,IAAI,QAAQ;AAAA,EACzC;AAAA,EAEA,MAAM,QAAQ,UAA0C;AACtD,UAAM,MAAM,KAAK,IAAI;AACrB,UAAM,SAAS,KAAK,MAAM,IAAI,QAAQ;AACtC,QAAI,UAAU,OAAO,cAAc,KAAK;AACtC,aAAO,OAAO;AAAA,IAChB;AAEA,QAAI;AACJ,QAAI;AACF,YAAM,WAAW,MAAM,KAAK,OAAO;AAAA,QACjC,IAAI,oDAAsB,EAAE,UAAU,KAAK,WAAW,QAAQ,EAAE,CAAC;AAAA,MACnE;AACA,gBAAU,SAAS;AAAA,IACrB,SAAS,KAAK;AACZ,YAAM,OAAQ,KAAmC;AAGjD,UAAI,SAAS,6BAA6B;AACxC,cAAM,IAAI,oDAAoB;AAAA,MAChC;AACA,YAAM,IAAI,yDAAyB;AAAA,IACrC;AAEA,QAAI,CAAC,SAAS;AACZ,YAAM,IAAI,oDAAoB;AAAA,IAChC;AAEA,QAAI;AACJ,QAAI;AACF,eAAS,KAAK,MAAM,OAAO;AAAA,IAC7B,QAAQ;AACN,YAAM,IAAI,yDAAyB;AAAA,IACrC;AAEA,UAAM,EAAE,cAAc,OAAO,IAAI,mBAAmB,MAAM;AAC1D,UAAM,UAAyB;AAAA,MAC7B;AAAA,MACA;AAAA,MACA,GAAI,OAAO,aACP,EAAE,YAAY,OAAO,WAA0C,IAC/D,CAAC;AAAA,MACL,GAAI,OAAO,mBAAmB,EAAE,kBAAkB,OAAO,iBAA6B,IAAI,CAAC;AAAA,MAC3F,GAAI,OAAO,gBAAgB,EAAE,eAAe,OAAO,cAA0B,IAAI,CAAC;AAAA,MAClF,GAAI,OAAO,WAAW,EAAE,UAAU,OAAO,SAAoC,IAAI,CAAC;AAAA,IACpF;AAEA,SAAK,MAAM,IAAI,UAAU,EAAE,SAAS,aAAa,MAAM,KAAK,WAAW,CAAC;AACxE,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,IAAI,UAAkB,KAAqC;AAC/D,QAAI;AACF,YAAM,UAAU,MAAM,KAAK,QAAQ,QAAQ;AAC3C,aAAO,QAAQ,aAAa,IAAI,GAAG,KAAK;AAAA,IAC1C,SAAS,KAAK;AACZ,UAAI,eAAe,oDAAqB,QAAO;AAC/C,YAAM;AAAA,IACR;AAAA,EACF;AAAA,EAEA,MAAM,SAA2D;AAC/D,UAAM,QAAQ,KAAK,IAAI;AACvB,QAAI;AAIF,YAAM,KAAK,OAAO;AAAA,QAChB,IAAI,oDAAsB,EAAE,UAAU,GAAG,KAAK,YAAY,oBAAoB,CAAC;AAAA,MACjF;AACA,aAAO,EAAE,SAAS,MAAM,WAAW,KAAK,IAAI,IAAI,MAAM;AAAA,IACxD,SAAS,KAAK;AACZ,YAAM,OAAQ,KAAmC;AACjD,UAAI,SAAS,6BAA6B;AACxC,eAAO,EAAE,SAAS,MAAM,WAAW,KAAK,IAAI,IAAI,MAAM;AAAA,MACxD;AACA,aAAO,EAAE,SAAS,OAAO,WAAW,KAAK,IAAI,IAAI,MAAM;AAAA,IACzD;AAAA,EACF;AACF;AAQA,SAAS,mBAAmB,QAG1B;AACA,QAAM,WAAW,oBAAI,IAAI,CAAC,cAAc,oBAAoB,iBAAiB,UAAU,CAAC;AACxF,QAAM,eAAe,oBAAI,IAAoB;AAC7C,QAAM,SAAkC,CAAC;AACzC,aAAW,CAAC,GAAG,CAAC,KAAK,OAAO,QAAQ,MAAM,GAAG;AAC3C,QAAI,SAAS,IAAI,CAAC,GAAG;AACnB,aAAO,CAAC,IAAI;AAAA,IACd,WAAW,OAAO,MAAM,UAAU;AAChC,mBAAa,IAAI,GAAG,CAAC;AAAA,IACvB;AAAA,EACF;AACA,SAAO,EAAE,cAAc,OAAO;AAChC;;;AClJA,4BAA2C;AAC3C,IAAAC,kCAA8D;AAyBvD,IAAM,2BAAN,MAAmD;AAAA,EAChD;AAAA,EACA,QAAQ,oBAAI,IAAwB;AAAA,EACpC;AAAA,EACA;AAAA,EACA;AAAA,EAER,YAAY,QAAwC;AAClD,SAAK,aAAa,OAAO,cAAc;AACvC,SAAK,YAAY,OAAO;AACxB,SAAK,eAAe,OAAO,gBAAgB;AAC3C,SAAK,SAAS,IAAI;AAAA,MAChB,OAAO,cAAc,EAAE,aAAa,OAAO,YAAY,IAAI;AAAA,IAC7D;AAAA,EACF;AAAA,EAEQ,kBAAkB,UAA0B;AAClD,WAAO,YAAY,KAAK,SAAS,YAAY,KAAK,YAAY,IAAI,QAAQ;AAAA,EAC5E;AAAA,EAEA,MAAM,QAAQ,UAA0C;AACtD,UAAM,MAAM,KAAK,IAAI;AACrB,UAAM,SAAS,KAAK,MAAM,IAAI,QAAQ;AACtC,QAAI,UAAU,OAAO,cAAc,KAAK;AACtC,aAAO,OAAO;AAAA,IAChB;AAEA,QAAI;AACJ,QAAI;AACF,YAAM,CAAC,QAAQ,IAAI,MAAM,KAAK,OAAO,oBAAoB;AAAA,QACvD,MAAM,KAAK,kBAAkB,QAAQ;AAAA,MACvC,CAAC;AACD,YAAM,OAAO,UAAU,SAAS;AAChC,UAAI,MAAM;AACR,kBAAU,OAAO,SAAS,WAAW,OAAO,OAAO,KAAK,IAAI,EAAE,SAAS,MAAM;AAAA,MAC/E;AAAA,IACF,SAAS,KAAK;AACZ,YAAM,OAAQ,KAA4C;AAE1D,UAAI,SAAS,KAAK,SAAS,aAAa;AACtC,cAAM,IAAI,oDAAoB;AAAA,MAChC;AACA,YAAM,IAAI,yDAAyB;AAAA,IACrC;AAEA,QAAI,CAAC,SAAS;AACZ,YAAM,IAAI,oDAAoB;AAAA,IAChC;AAEA,QAAI;AACJ,QAAI;AACF,eAAS,KAAK,MAAM,OAAO;AAAA,IAC7B,QAAQ;AACN,YAAM,IAAI,yDAAyB;AAAA,IACrC;AAEA,UAAM,EAAE,cAAc,OAAO,IAAIC,oBAAmB,MAAM;AAC1D,UAAM,UAAyB;AAAA,MAC7B;AAAA,MACA;AAAA,MACA,GAAI,OAAO,aACP,EAAE,YAAY,OAAO,WAA0C,IAC/D,CAAC;AAAA,MACL,GAAI,OAAO,mBAAmB,EAAE,kBAAkB,OAAO,iBAA6B,IAAI,CAAC;AAAA,MAC3F,GAAI,OAAO,gBAAgB,EAAE,eAAe,OAAO,cAA0B,IAAI,CAAC;AAAA,MAClF,GAAI,OAAO,WAAW,EAAE,UAAU,OAAO,SAAoC,IAAI,CAAC;AAAA,IACpF;AAEA,SAAK,MAAM,IAAI,UAAU,EAAE,SAAS,aAAa,MAAM,KAAK,WAAW,CAAC;AACxE,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,IAAI,UAAkB,KAAqC;AAC/D,QAAI;AACF,YAAM,UAAU,MAAM,KAAK,QAAQ,QAAQ;AAC3C,aAAO,QAAQ,aAAa,IAAI,GAAG,KAAK;AAAA,IAC1C,SAAS,KAAK;AACZ,UAAI,eAAe,oDAAqB,QAAO;AAC/C,YAAM;AAAA,IACR;AAAA,EACF;AAAA,EAEA,MAAM,SAA2D;AAC/D,UAAM,QAAQ,KAAK,IAAI;AACvB,QAAI;AAEF,YAAM,KAAK,OAAO,oBAAoB;AAAA,QACpC,MAAM,KAAK,kBAAkB,kBAAkB;AAAA,MACjD,CAAC;AACD,aAAO,EAAE,SAAS,MAAM,WAAW,KAAK,IAAI,IAAI,MAAM;AAAA,IACxD,SAAS,KAAK;AACZ,YAAM,OAAQ,KAA4C;AAC1D,UAAI,SAAS,KAAK,SAAS,aAAa;AACtC,eAAO,EAAE,SAAS,MAAM,WAAW,KAAK,IAAI,IAAI,MAAM;AAAA,MACxD;AACA,aAAO,EAAE,SAAS,OAAO,WAAW,KAAK,IAAI,IAAI,MAAM;AAAA,IACzD;AAAA,EACF;AACF;AAEA,SAASA,oBAAmB,QAG1B;AACA,QAAM,WAAW,oBAAI,IAAI,CAAC,cAAc,oBAAoB,iBAAiB,UAAU,CAAC;AACxF,QAAM,eAAe,oBAAI,IAAoB;AAC7C,QAAM,SAAkC,CAAC;AACzC,aAAW,CAAC,GAAG,CAAC,KAAK,OAAO,QAAQ,MAAM,GAAG;AAC3C,QAAI,SAAS,IAAI,CAAC,GAAG;AACnB,aAAO,CAAC,IAAI;AAAA,IACd,WAAW,OAAO,MAAM,UAAU;AAChC,mBAAa,IAAI,GAAG,CAAC;AAAA,IACvB;AAAA,EACF;AACA,SAAO,EAAE,cAAc,OAAO;AAChC;","names":["import_media_pipeline_mcp_core","import_media_pipeline_mcp_core","splitTenantPayload"]}

package/dist/index.d.cts ADDED Viewed

@@ -0,0 +1,134 @@
+interface TenantContext {
+    tenantId: string;
+    providerKeys: ReadonlyMap<string, string>;
+    budgetCaps?: {
+        dailyUsd?: number;
+        monthlyUsd?: number;
+    };
+    allowedProviders?: string[];
+    allowedModels?: string[];
+    metadata?: Record<string, unknown>;
+}
+interface KeyVault {
+    resolve(tenantId: string): Promise<TenantContext>;
+    get(tenantId: string, key: string): Promise<string | null>;
+    health(): Promise<{
+        healthy: boolean;
+        latencyMs: number;
+    }>;
+}
+type TenantResolutionStrategy = {
+    kind: 'header';
+    headerName: string;
+} | {
+    kind: 'jwt';
+    jwksUri: string;
+    claim: string;
+} | {
+    kind: 'oauth-scope';
+    scope: string;
+} | {
+    kind: 'mtls-cn';
+} | {
+    kind: 'static';
+    tenantId: string;
+} | {
+    kind: 'custom';
+    resolver: {
+        resolve(request: unknown): Promise<TenantContext | null>;
+    };
+};
+declare class InMemoryKeyVault implements KeyVault {
+    private tenants;
+    set(tenantId: string, keys: Record<string, string>, overrides?: Partial<TenantContext>): void;
+    resolve(tenantId: string): Promise<TenantContext>;
+    get(tenantId: string, key: string): Promise<string | null>;
+    health(): Promise<{
+        healthy: boolean;
+        latencyMs: number;
+    }>;
+}
+/**
+ * Reads per-tenant provider keys from environment variables matching
+ * `${TENANT_ID}_${PROVIDER}_API_KEY` (e.g. `ACME_OPENAI_API_KEY`). Provider list is
+ * discovered dynamically from env vars matching the pattern — adding a new provider
+ * just means setting `${TENANT_ID}_${NEWPROVIDER}_API_KEY` without code changes.
+ */
+declare class EnvKeyVault implements KeyVault {
+    resolve(tenantId: string): Promise<TenantContext>;
+    get(tenantId: string, key: string): Promise<string | null>;
+    health(): Promise<{
+        healthy: boolean;
+        latencyMs: number;
+    }>;
+}
+interface AwsSecretsManagerKeyVaultConfig {
+    region: string;
+    /** Secret name pattern with `${tenantId}` placeholder. Default: `mp/tenants/${tenantId}`. */
+    secretPrefix?: string;
+    /** Cache resolved TenantContext for this many ms. Default 300_000 (5 min). */
+    cacheTtlMs?: number;
+    /** Optional AWS credentials override. Falls back to default credential chain. */
+    credentials?: {
+        accessKeyId: string;
+        secretAccessKey: string;
+        sessionToken?: string;
+    };
+}
+/**
+ * Resolves per-tenant provider keys from AWS Secrets Manager.
+ *
+ * Storage convention: one secret per tenant at `${secretPrefix}/${tenantId}` (default
+ * `mp/tenants/${tenantId}`), value is JSON `{ "openai": "sk-...", "anthropic": "sk-..." }`.
+ * Extended fields are passed through to `TenantContext.metadata`.
+ */
+declare class AwsSecretsManagerKeyVault implements KeyVault {
+    private client;
+    private cache;
+    private cacheTtlMs;
+    private secretPrefix;
+    constructor(config: AwsSecretsManagerKeyVaultConfig);
+    private secretName;
+    resolve(tenantId: string): Promise<TenantContext>;
+    get(tenantId: string, key: string): Promise<string | null>;
+    health(): Promise<{
+        healthy: boolean;
+        latencyMs: number;
+    }>;
+}
+interface GcpSecretManagerKeyVaultConfig {
+    projectId: string;
+    /** Secret name pattern (the trailing segment under `projects/<id>/secrets/`). Default `mp-tenants`. */
+    secretPrefix?: string;
+    /** Cache resolved TenantContext for this many ms. Default 300_000 (5 min). */
+    cacheTtlMs?: number;
+    /** Optional service-account key file path. Falls back to default credentials. */
+    keyFilename?: string;
+}
+/**
+ * Resolves per-tenant provider keys from GCP Secret Manager.
+ *
+ * Storage convention: one secret per tenant at `projects/${projectId}/secrets/${secretPrefix}-${tenantId}`,
+ * latest version's payload is JSON `{ "openai": "sk-...", ... }` plus optional reserved
+ * keys (budgetCaps, allowedProviders, allowedModels, metadata).
+ */
+declare class GcpSecretManagerKeyVault implements KeyVault {
+    private client;
+    private cache;
+    private cacheTtlMs;
+    private projectId;
+    private secretPrefix;
+    constructor(config: GcpSecretManagerKeyVaultConfig);
+    private secretVersionName;
+    resolve(tenantId: string): Promise<TenantContext>;
+    get(tenantId: string, key: string): Promise<string | null>;
+    health(): Promise<{
+        healthy: boolean;
+        latencyMs: number;
+    }>;
+}
+export { AwsSecretsManagerKeyVault, type AwsSecretsManagerKeyVaultConfig, EnvKeyVault, GcpSecretManagerKeyVault, type GcpSecretManagerKeyVaultConfig, InMemoryKeyVault, type KeyVault, type TenantContext, type TenantResolutionStrategy };

package/dist/index.d.ts ADDED Viewed

@@ -0,0 +1,134 @@
+interface TenantContext {
+    tenantId: string;
+    providerKeys: ReadonlyMap<string, string>;
+    budgetCaps?: {
+        dailyUsd?: number;
+        monthlyUsd?: number;
+    };
+    allowedProviders?: string[];
+    allowedModels?: string[];
+    metadata?: Record<string, unknown>;
+}
+interface KeyVault {
+    resolve(tenantId: string): Promise<TenantContext>;
+    get(tenantId: string, key: string): Promise<string | null>;
+    health(): Promise<{
+        healthy: boolean;
+        latencyMs: number;
+    }>;
+}
+type TenantResolutionStrategy = {
+    kind: 'header';
+    headerName: string;
+} | {
+    kind: 'jwt';
+    jwksUri: string;
+    claim: string;
+} | {
+    kind: 'oauth-scope';
+    scope: string;
+} | {
+    kind: 'mtls-cn';
+} | {
+    kind: 'static';
+    tenantId: string;
+} | {
+    kind: 'custom';
+    resolver: {
+        resolve(request: unknown): Promise<TenantContext | null>;
+    };
+};
+declare class InMemoryKeyVault implements KeyVault {
+    private tenants;
+    set(tenantId: string, keys: Record<string, string>, overrides?: Partial<TenantContext>): void;
+    resolve(tenantId: string): Promise<TenantContext>;
+    get(tenantId: string, key: string): Promise<string | null>;
+    health(): Promise<{
+        healthy: boolean;
+        latencyMs: number;
+    }>;
+}
+/**
+ * Reads per-tenant provider keys from environment variables matching
+ * `${TENANT_ID}_${PROVIDER}_API_KEY` (e.g. `ACME_OPENAI_API_KEY`). Provider list is
+ * discovered dynamically from env vars matching the pattern — adding a new provider
+ * just means setting `${TENANT_ID}_${NEWPROVIDER}_API_KEY` without code changes.
+ */
+declare class EnvKeyVault implements KeyVault {
+    resolve(tenantId: string): Promise<TenantContext>;
+    get(tenantId: string, key: string): Promise<string | null>;
+    health(): Promise<{
+        healthy: boolean;
+        latencyMs: number;
+    }>;
+}
+interface AwsSecretsManagerKeyVaultConfig {
+    region: string;
+    /** Secret name pattern with `${tenantId}` placeholder. Default: `mp/tenants/${tenantId}`. */
+    secretPrefix?: string;
+    /** Cache resolved TenantContext for this many ms. Default 300_000 (5 min). */
+    cacheTtlMs?: number;
+    /** Optional AWS credentials override. Falls back to default credential chain. */
+    credentials?: {
+        accessKeyId: string;
+        secretAccessKey: string;
+        sessionToken?: string;
+    };
+}
+/**
+ * Resolves per-tenant provider keys from AWS Secrets Manager.
+ *
+ * Storage convention: one secret per tenant at `${secretPrefix}/${tenantId}` (default
+ * `mp/tenants/${tenantId}`), value is JSON `{ "openai": "sk-...", "anthropic": "sk-..." }`.
+ * Extended fields are passed through to `TenantContext.metadata`.
+ */
+declare class AwsSecretsManagerKeyVault implements KeyVault {
+    private client;
+    private cache;
+    private cacheTtlMs;
+    private secretPrefix;
+    constructor(config: AwsSecretsManagerKeyVaultConfig);
+    private secretName;
+    resolve(tenantId: string): Promise<TenantContext>;
+    get(tenantId: string, key: string): Promise<string | null>;
+    health(): Promise<{
+        healthy: boolean;
+        latencyMs: number;
+    }>;
+}
+interface GcpSecretManagerKeyVaultConfig {
+    projectId: string;
+    /** Secret name pattern (the trailing segment under `projects/<id>/secrets/`). Default `mp-tenants`. */
+    secretPrefix?: string;
+    /** Cache resolved TenantContext for this many ms. Default 300_000 (5 min). */
+    cacheTtlMs?: number;
+    /** Optional service-account key file path. Falls back to default credentials. */
+    keyFilename?: string;
+}
+/**
+ * Resolves per-tenant provider keys from GCP Secret Manager.
+ *
+ * Storage convention: one secret per tenant at `projects/${projectId}/secrets/${secretPrefix}-${tenantId}`,
+ * latest version's payload is JSON `{ "openai": "sk-...", ... }` plus optional reserved
+ * keys (budgetCaps, allowedProviders, allowedModels, metadata).
+ */
+declare class GcpSecretManagerKeyVault implements KeyVault {
+    private client;
+    private cache;
+    private cacheTtlMs;
+    private projectId;
+    private secretPrefix;
+    constructor(config: GcpSecretManagerKeyVaultConfig);
+    private secretVersionName;
+    resolve(tenantId: string): Promise<TenantContext>;
+    get(tenantId: string, key: string): Promise<string | null>;
+    health(): Promise<{
+        healthy: boolean;
+        latencyMs: number;
+    }>;
+}
+export { AwsSecretsManagerKeyVault, type AwsSecretsManagerKeyVaultConfig, EnvKeyVault, GcpSecretManagerKeyVault, type GcpSecretManagerKeyVaultConfig, InMemoryKeyVault, type KeyVault, type TenantContext, type TenantResolutionStrategy };

package/dist/index.js ADDED Viewed

@@ -0,0 +1,258 @@
+// src/vaults.ts
+import { TenantNotFoundError } from "@reaatech/media-pipeline-mcp-core";
+var InMemoryKeyVault = class {
+  tenants = /* @__PURE__ */ new Map();
+  set(tenantId, keys, overrides) {
+    this.tenants.set(tenantId, { keys, overrides });
+  }
+  async resolve(tenantId) {
+    const entry = this.tenants.get(tenantId);
+    if (!entry) throw new TenantNotFoundError();
+    return {
+      tenantId,
+      providerKeys: new Map(Object.entries(entry.keys)),
+      ...entry.overrides
+    };
+  }
+  async get(tenantId, key) {
+    const entry = this.tenants.get(tenantId);
+    return entry?.keys[key] ?? null;
+  }
+  async health() {
+    return { healthy: true, latencyMs: 0 };
+  }
+};
+var EnvKeyVault = class {
+  async resolve(tenantId) {
+    const keys = {};
+    const prefix = `${tenantId.toUpperCase()}_`;
+    const suffix = "_API_KEY";
+    for (const [envKey, val] of Object.entries(process.env)) {
+      if (envKey.startsWith(prefix) && envKey.endsWith(suffix) && typeof val === "string") {
+        const provider = envKey.slice(prefix.length, envKey.length - suffix.length).toLowerCase();
+        if (provider.length > 0) keys[provider] = val;
+      }
+    }
+    if (Object.keys(keys).length === 0) {
+      throw new TenantNotFoundError();
+    }
+    return {
+      tenantId,
+      providerKeys: new Map(Object.entries(keys))
+    };
+  }
+  async get(tenantId, key) {
+    const envKey = `${tenantId.toUpperCase()}_${key.toUpperCase()}`;
+    return process.env[envKey] ?? null;
+  }
+  async health() {
+    return { healthy: true, latencyMs: 0 };
+  }
+};
+// src/aws-secrets-vault.ts
+import { GetSecretValueCommand, SecretsManagerClient } from "@aws-sdk/client-secrets-manager";
+import { KeyVaultUnavailableError, TenantNotFoundError as TenantNotFoundError2 } from "@reaatech/media-pipeline-mcp-core";
+var AwsSecretsManagerKeyVault = class {
+  client;
+  cache = /* @__PURE__ */ new Map();
+  cacheTtlMs;
+  secretPrefix;
+  constructor(config) {
+    this.cacheTtlMs = config.cacheTtlMs ?? 3e5;
+    this.secretPrefix = config.secretPrefix ?? "mp/tenants";
+    this.client = new SecretsManagerClient({
+      region: config.region,
+      ...config.credentials ? { credentials: config.credentials } : {}
+    });
+  }
+  secretName(tenantId) {
+    return `${this.secretPrefix}/${tenantId}`;
+  }
+  async resolve(tenantId) {
+    const now = Date.now();
+    const cached = this.cache.get(tenantId);
+    if (cached && cached.expiresAtMs > now) {
+      return cached.context;
+    }
+    let payload;
+    try {
+      const response = await this.client.send(
+        new GetSecretValueCommand({ SecretId: this.secretName(tenantId) })
+      );
+      payload = response.SecretString;
+    } catch (err) {
+      const name = err?.name;
+      if (name === "ResourceNotFoundException") {
+        throw new TenantNotFoundError2();
+      }
+      throw new KeyVaultUnavailableError();
+    }
+    if (!payload) {
+      throw new TenantNotFoundError2();
+    }
+    let parsed;
+    try {
+      parsed = JSON.parse(payload);
+    } catch {
+      throw new KeyVaultUnavailableError();
+    }
+    const { providerKeys, extras } = splitTenantPayload(parsed);
+    const context = {
+      tenantId,
+      providerKeys,
+      ...extras.budgetCaps ? { budgetCaps: extras.budgetCaps } : {},
+      ...extras.allowedProviders ? { allowedProviders: extras.allowedProviders } : {},
+      ...extras.allowedModels ? { allowedModels: extras.allowedModels } : {},
+      ...extras.metadata ? { metadata: extras.metadata } : {}
+    };
+    this.cache.set(tenantId, { context, expiresAtMs: now + this.cacheTtlMs });
+    return context;
+  }
+  async get(tenantId, key) {
+    try {
+      const context = await this.resolve(tenantId);
+      return context.providerKeys.get(key) ?? null;
+    } catch (err) {
+      if (err instanceof TenantNotFoundError2) return null;
+      throw err;
+    }
+  }
+  async health() {
+    const start = Date.now();
+    try {
+      await this.client.send(
+        new GetSecretValueCommand({ SecretId: `${this.secretPrefix}/__health_probe__` })
+      );
+      return { healthy: true, latencyMs: Date.now() - start };
+    } catch (err) {
+      const name = err?.name;
+      if (name === "ResourceNotFoundException") {
+        return { healthy: true, latencyMs: Date.now() - start };
+      }
+      return { healthy: false, latencyMs: Date.now() - start };
+    }
+  }
+};
+function splitTenantPayload(parsed) {
+  const reserved = /* @__PURE__ */ new Set(["budgetCaps", "allowedProviders", "allowedModels", "metadata"]);
+  const providerKeys = /* @__PURE__ */ new Map();
+  const extras = {};
+  for (const [k, v] of Object.entries(parsed)) {
+    if (reserved.has(k)) {
+      extras[k] = v;
+    } else if (typeof v === "string") {
+      providerKeys.set(k, v);
+    }
+  }
+  return { providerKeys, extras };
+}
+// src/gcp-secret-vault.ts
+import { SecretManagerServiceClient } from "@google-cloud/secret-manager";
+import { KeyVaultUnavailableError as KeyVaultUnavailableError2, TenantNotFoundError as TenantNotFoundError3 } from "@reaatech/media-pipeline-mcp-core";
+var GcpSecretManagerKeyVault = class {
+  client;
+  cache = /* @__PURE__ */ new Map();
+  cacheTtlMs;
+  projectId;
+  secretPrefix;
+  constructor(config) {
+    this.cacheTtlMs = config.cacheTtlMs ?? 3e5;
+    this.projectId = config.projectId;
+    this.secretPrefix = config.secretPrefix ?? "mp-tenants";
+    this.client = new SecretManagerServiceClient(
+      config.keyFilename ? { keyFilename: config.keyFilename } : void 0
+    );
+  }
+  secretVersionName(tenantId) {
+    return `projects/${this.projectId}/secrets/${this.secretPrefix}-${tenantId}/versions/latest`;
+  }
+  async resolve(tenantId) {
+    const now = Date.now();
+    const cached = this.cache.get(tenantId);
+    if (cached && cached.expiresAtMs > now) {
+      return cached.context;
+    }
+    let payload;
+    try {
+      const [response] = await this.client.accessSecretVersion({
+        name: this.secretVersionName(tenantId)
+      });
+      const data = response?.payload?.data;
+      if (data) {
+        payload = typeof data === "string" ? data : Buffer.from(data).toString("utf8");
+      }
+    } catch (err) {
+      const code = err?.code;
+      if (code === 5 || code === "NOT_FOUND") {
+        throw new TenantNotFoundError3();
+      }
+      throw new KeyVaultUnavailableError2();
+    }
+    if (!payload) {
+      throw new TenantNotFoundError3();
+    }
+    let parsed;
+    try {
+      parsed = JSON.parse(payload);
+    } catch {
+      throw new KeyVaultUnavailableError2();
+    }
+    const { providerKeys, extras } = splitTenantPayload2(parsed);
+    const context = {
+      tenantId,
+      providerKeys,
+      ...extras.budgetCaps ? { budgetCaps: extras.budgetCaps } : {},
+      ...extras.allowedProviders ? { allowedProviders: extras.allowedProviders } : {},
+      ...extras.allowedModels ? { allowedModels: extras.allowedModels } : {},
+      ...extras.metadata ? { metadata: extras.metadata } : {}
+    };
+    this.cache.set(tenantId, { context, expiresAtMs: now + this.cacheTtlMs });
+    return context;
+  }
+  async get(tenantId, key) {
+    try {
+      const context = await this.resolve(tenantId);
+      return context.providerKeys.get(key) ?? null;
+    } catch (err) {
+      if (err instanceof TenantNotFoundError3) return null;
+      throw err;
+    }
+  }
+  async health() {
+    const start = Date.now();
+    try {
+      await this.client.accessSecretVersion({
+        name: this.secretVersionName("__health_probe__")
+      });
+      return { healthy: true, latencyMs: Date.now() - start };
+    } catch (err) {
+      const code = err?.code;
+      if (code === 5 || code === "NOT_FOUND") {
+        return { healthy: true, latencyMs: Date.now() - start };
+      }
+      return { healthy: false, latencyMs: Date.now() - start };
+    }
+  }
+};
+function splitTenantPayload2(parsed) {
+  const reserved = /* @__PURE__ */ new Set(["budgetCaps", "allowedProviders", "allowedModels", "metadata"]);
+  const providerKeys = /* @__PURE__ */ new Map();
+  const extras = {};
+  for (const [k, v] of Object.entries(parsed)) {
+    if (reserved.has(k)) {
+      extras[k] = v;
+    } else if (typeof v === "string") {
+      providerKeys.set(k, v);
+    }
+  }
+  return { providerKeys, extras };
+}
+export {
+  AwsSecretsManagerKeyVault,
+  EnvKeyVault,
+  GcpSecretManagerKeyVault,
+  InMemoryKeyVault
+};
+//# sourceMappingURL=index.js.map

package/dist/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/vaults.ts","../src/aws-secrets-vault.ts","../src/gcp-secret-vault.ts"],"sourcesContent":["import { TenantNotFoundError } from '@reaatech/media-pipeline-mcp-core';\nimport type { KeyVault, TenantContext } from './types.js';\n\nexport class InMemoryKeyVault implements KeyVault {\n private tenants = new Map<\n string,\n { keys: Record<string, string>; overrides?: Partial<TenantContext> }\n >();\n\n set(tenantId: string, keys: Record<string, string>, overrides?: Partial<TenantContext>): void {\n this.tenants.set(tenantId, { keys, overrides });\n }\n\n async resolve(tenantId: string): Promise<TenantContext> {\n const entry = this.tenants.get(tenantId);\n // Missing tenant → TenantNotFoundError (non-retryable, caller error). The earlier\n // KeyVaultUnavailableError was wrong: that signals infra outage and is retryable.\n if (!entry) throw new TenantNotFoundError();\n return {\n tenantId,\n providerKeys: new Map(Object.entries(entry.keys)),\n ...entry.overrides,\n };\n }\n\n async get(tenantId: string, key: string): Promise<string | null> {\n const entry = this.tenants.get(tenantId);\n return entry?.keys[key] ?? null;\n }\n\n async health(): Promise<{ healthy: boolean; latencyMs: number }> {\n return { healthy: true, latencyMs: 0 };\n }\n}\n\n/**\n * Reads per-tenant provider keys from environment variables matching\n * `${TENANT_ID}_${PROVIDER}_API_KEY` (e.g. `ACME_OPENAI_API_KEY`). Provider list is\n * discovered dynamically from env vars matching the pattern — adding a new provider\n * just means setting `${TENANT_ID}_${NEWPROVIDER}_API_KEY` without code changes.\n */\nexport class EnvKeyVault implements KeyVault {\n async resolve(tenantId: string): Promise<TenantContext> {\n const keys: Record<string, string> = {};\n const prefix = `${tenantId.toUpperCase()}_`;\n const suffix = '_API_KEY';\n for (const [envKey, val] of Object.entries(process.env)) {\n if (envKey.startsWith(prefix) && envKey.endsWith(suffix) && typeof val === 'string') {\n const provider = envKey.slice(prefix.length, envKey.length - suffix.length).toLowerCase();\n if (provider.length > 0) keys[provider] = val;\n }\n }\n if (Object.keys(keys).length === 0) {\n throw new TenantNotFoundError();\n }\n return {\n tenantId,\n providerKeys: new Map(Object.entries(keys)),\n };\n }\n\n async get(tenantId: string, key: string): Promise<string | null> {\n const envKey = `${tenantId.toUpperCase()}_${key.toUpperCase()}`;\n return process.env[envKey] ?? null;\n }\n\n async health(): Promise<{ healthy: boolean; latencyMs: number }> {\n return { healthy: true, latencyMs: 0 };\n }\n}\n","import { GetSecretValueCommand, SecretsManagerClient } from '@aws-sdk/client-secrets-manager';\nimport { KeyVaultUnavailableError, TenantNotFoundError } from '@reaatech/media-pipeline-mcp-core';\nimport type { KeyVault, TenantContext } from './types.js';\n\nexport interface AwsSecretsManagerKeyVaultConfig {\n region: string;\n /** Secret name pattern with `${tenantId}` placeholder. Default: `mp/tenants/${tenantId}`. */\n secretPrefix?: string;\n /** Cache resolved TenantContext for this many ms. Default 300_000 (5 min). */\n cacheTtlMs?: number;\n /** Optional AWS credentials override. Falls back to default credential chain. */\n credentials?: { accessKeyId: string; secretAccessKey: string; sessionToken?: string };\n}\n\ninterface CacheEntry {\n context: TenantContext;\n expiresAtMs: number;\n}\n\n/**\n * Resolves per-tenant provider keys from AWS Secrets Manager.\n *\n * Storage convention: one secret per tenant at `${secretPrefix}/${tenantId}` (default\n * `mp/tenants/${tenantId}`), value is JSON `{ \"openai\": \"sk-...\", \"anthropic\": \"sk-...\" }`.\n * Extended fields are passed through to `TenantContext.metadata`.\n */\nexport class AwsSecretsManagerKeyVault implements KeyVault {\n private client: SecretsManagerClient;\n private cache = new Map<string, CacheEntry>();\n private cacheTtlMs: number;\n private secretPrefix: string;\n\n constructor(config: AwsSecretsManagerKeyVaultConfig) {\n this.cacheTtlMs = config.cacheTtlMs ?? 300_000;\n this.secretPrefix = config.secretPrefix ?? 'mp/tenants';\n this.client = new SecretsManagerClient({\n region: config.region,\n ...(config.credentials ? { credentials: config.credentials } : {}),\n });\n }\n\n private secretName(tenantId: string): string {\n return `${this.secretPrefix}/${tenantId}`;\n }\n\n async resolve(tenantId: string): Promise<TenantContext> {\n const now = Date.now();\n const cached = this.cache.get(tenantId);\n if (cached && cached.expiresAtMs > now) {\n return cached.context;\n }\n\n let payload: string | undefined;\n try {\n const response = await this.client.send(\n new GetSecretValueCommand({ SecretId: this.secretName(tenantId) }),\n );\n payload = response.SecretString;\n } catch (err) {\n const name = (err as Error & { name?: string })?.name;\n // The AWS SDK throws ResourceNotFoundException for unknown secrets — that's a\n // tenant-not-found signal, not infra unavailability.\n if (name === 'ResourceNotFoundException') {\n throw new TenantNotFoundError();\n }\n throw new KeyVaultUnavailableError();\n }\n\n if (!payload) {\n throw new TenantNotFoundError();\n }\n\n let parsed: Record<string, unknown>;\n try {\n parsed = JSON.parse(payload) as Record<string, unknown>;\n } catch {\n throw new KeyVaultUnavailableError();\n }\n\n const { providerKeys, extras } = splitTenantPayload(parsed);\n const context: TenantContext = {\n tenantId,\n providerKeys,\n ...(extras.budgetCaps\n ? { budgetCaps: extras.budgetCaps as TenantContext['budgetCaps'] }\n : {}),\n ...(extras.allowedProviders ? { allowedProviders: extras.allowedProviders as string[] } : {}),\n ...(extras.allowedModels ? { allowedModels: extras.allowedModels as string[] } : {}),\n ...(extras.metadata ? { metadata: extras.metadata as Record<string, unknown> } : {}),\n };\n\n this.cache.set(tenantId, { context, expiresAtMs: now + this.cacheTtlMs });\n return context;\n }\n\n async get(tenantId: string, key: string): Promise<string | null> {\n try {\n const context = await this.resolve(tenantId);\n return context.providerKeys.get(key) ?? null;\n } catch (err) {\n if (err instanceof TenantNotFoundError) return null;\n throw err;\n }\n }\n\n async health(): Promise<{ healthy: boolean; latencyMs: number }> {\n const start = Date.now();\n try {\n // No cheap \"list\" API in Secrets Manager — issue a dummy GetSecretValue and treat\n // ResourceNotFoundException as healthy (the service responded). Anything else\n // (auth failure, network) is unhealthy.\n await this.client.send(\n new GetSecretValueCommand({ SecretId: `${this.secretPrefix}/__health_probe__` }),\n );\n return { healthy: true, latencyMs: Date.now() - start };\n } catch (err) {\n const name = (err as Error & { name?: string })?.name;\n if (name === 'ResourceNotFoundException') {\n return { healthy: true, latencyMs: Date.now() - start };\n }\n return { healthy: false, latencyMs: Date.now() - start };\n }\n }\n}\n\n/**\n * Split the parsed secret payload into the `providerKeys` map and the optional\n * TenantContext extras. The convention is: top-level string values are provider keys;\n * the reserved keys `budgetCaps`, `allowedProviders`, `allowedModels`, `metadata` are\n * passed through to the TenantContext.\n */\nfunction splitTenantPayload(parsed: Record<string, unknown>): {\n providerKeys: Map<string, string>;\n extras: Record<string, unknown>;\n} {\n const reserved = new Set(['budgetCaps', 'allowedProviders', 'allowedModels', 'metadata']);\n const providerKeys = new Map<string, string>();\n const extras: Record<string, unknown> = {};\n for (const [k, v] of Object.entries(parsed)) {\n if (reserved.has(k)) {\n extras[k] = v;\n } else if (typeof v === 'string') {\n providerKeys.set(k, v);\n }\n }\n return { providerKeys, extras };\n}\n","import { SecretManagerServiceClient } from '@google-cloud/secret-manager';\nimport { KeyVaultUnavailableError, TenantNotFoundError } from '@reaatech/media-pipeline-mcp-core';\nimport type { KeyVault, TenantContext } from './types.js';\n\nexport interface GcpSecretManagerKeyVaultConfig {\n projectId: string;\n /** Secret name pattern (the trailing segment under `projects/<id>/secrets/`). Default `mp-tenants`. */\n secretPrefix?: string;\n /** Cache resolved TenantContext for this many ms. Default 300_000 (5 min). */\n cacheTtlMs?: number;\n /** Optional service-account key file path. Falls back to default credentials. */\n keyFilename?: string;\n}\n\ninterface CacheEntry {\n context: TenantContext;\n expiresAtMs: number;\n}\n\n/**\n * Resolves per-tenant provider keys from GCP Secret Manager.\n *\n * Storage convention: one secret per tenant at `projects/${projectId}/secrets/${secretPrefix}-${tenantId}`,\n * latest version's payload is JSON `{ \"openai\": \"sk-...\", ... }` plus optional reserved\n * keys (budgetCaps, allowedProviders, allowedModels, metadata).\n */\nexport class GcpSecretManagerKeyVault implements KeyVault {\n private client: SecretManagerServiceClient;\n private cache = new Map<string, CacheEntry>();\n private cacheTtlMs: number;\n private projectId: string;\n private secretPrefix: string;\n\n constructor(config: GcpSecretManagerKeyVaultConfig) {\n this.cacheTtlMs = config.cacheTtlMs ?? 300_000;\n this.projectId = config.projectId;\n this.secretPrefix = config.secretPrefix ?? 'mp-tenants';\n this.client = new SecretManagerServiceClient(\n config.keyFilename ? { keyFilename: config.keyFilename } : undefined,\n );\n }\n\n private secretVersionName(tenantId: string): string {\n return `projects/${this.projectId}/secrets/${this.secretPrefix}-${tenantId}/versions/latest`;\n }\n\n async resolve(tenantId: string): Promise<TenantContext> {\n const now = Date.now();\n const cached = this.cache.get(tenantId);\n if (cached && cached.expiresAtMs > now) {\n return cached.context;\n }\n\n let payload: string | undefined;\n try {\n const [response] = await this.client.accessSecretVersion({\n name: this.secretVersionName(tenantId),\n });\n const data = response?.payload?.data;\n if (data) {\n payload = typeof data === 'string' ? data : Buffer.from(data).toString('utf8');\n }\n } catch (err) {\n const code = (err as Error & { code?: number | string })?.code;\n // gRPC code 5 = NOT_FOUND. Treat as tenant-not-found; anything else as infra-down.\n if (code === 5 || code === 'NOT_FOUND') {\n throw new TenantNotFoundError();\n }\n throw new KeyVaultUnavailableError();\n }\n\n if (!payload) {\n throw new TenantNotFoundError();\n }\n\n let parsed: Record<string, unknown>;\n try {\n parsed = JSON.parse(payload) as Record<string, unknown>;\n } catch {\n throw new KeyVaultUnavailableError();\n }\n\n const { providerKeys, extras } = splitTenantPayload(parsed);\n const context: TenantContext = {\n tenantId,\n providerKeys,\n ...(extras.budgetCaps\n ? { budgetCaps: extras.budgetCaps as TenantContext['budgetCaps'] }\n : {}),\n ...(extras.allowedProviders ? { allowedProviders: extras.allowedProviders as string[] } : {}),\n ...(extras.allowedModels ? { allowedModels: extras.allowedModels as string[] } : {}),\n ...(extras.metadata ? { metadata: extras.metadata as Record<string, unknown> } : {}),\n };\n\n this.cache.set(tenantId, { context, expiresAtMs: now + this.cacheTtlMs });\n return context;\n }\n\n async get(tenantId: string, key: string): Promise<string | null> {\n try {\n const context = await this.resolve(tenantId);\n return context.providerKeys.get(key) ?? null;\n } catch (err) {\n if (err instanceof TenantNotFoundError) return null;\n throw err;\n }\n }\n\n async health(): Promise<{ healthy: boolean; latencyMs: number }> {\n const start = Date.now();\n try {\n // Probe with a synthetic tenantId. NOT_FOUND means the service is reachable.\n await this.client.accessSecretVersion({\n name: this.secretVersionName('__health_probe__'),\n });\n return { healthy: true, latencyMs: Date.now() - start };\n } catch (err) {\n const code = (err as Error & { code?: number | string })?.code;\n if (code === 5 || code === 'NOT_FOUND') {\n return { healthy: true, latencyMs: Date.now() - start };\n }\n return { healthy: false, latencyMs: Date.now() - start };\n }\n }\n}\n\nfunction splitTenantPayload(parsed: Record<string, unknown>): {\n providerKeys: Map<string, string>;\n extras: Record<string, unknown>;\n} {\n const reserved = new Set(['budgetCaps', 'allowedProviders', 'allowedModels', 'metadata']);\n const providerKeys = new Map<string, string>();\n const extras: Record<string, unknown> = {};\n for (const [k, v] of Object.entries(parsed)) {\n if (reserved.has(k)) {\n extras[k] = v;\n } else if (typeof v === 'string') {\n providerKeys.set(k, v);\n }\n }\n return { providerKeys, extras };\n}\n"],"mappings":";AAAA,SAAS,2BAA2B;AAG7B,IAAM,mBAAN,MAA2C;AAAA,EACxC,UAAU,oBAAI,IAGpB;AAAA,EAEF,IAAI,UAAkB,MAA8B,WAA0C;AAC5F,SAAK,QAAQ,IAAI,UAAU,EAAE,MAAM,UAAU,CAAC;AAAA,EAChD;AAAA,EAEA,MAAM,QAAQ,UAA0C;AACtD,UAAM,QAAQ,KAAK,QAAQ,IAAI,QAAQ;AAGvC,QAAI,CAAC,MAAO,OAAM,IAAI,oBAAoB;AAC1C,WAAO;AAAA,MACL;AAAA,MACA,cAAc,IAAI,IAAI,OAAO,QAAQ,MAAM,IAAI,CAAC;AAAA,MAChD,GAAG,MAAM;AAAA,IACX;AAAA,EACF;AAAA,EAEA,MAAM,IAAI,UAAkB,KAAqC;AAC/D,UAAM,QAAQ,KAAK,QAAQ,IAAI,QAAQ;AACvC,WAAO,OAAO,KAAK,GAAG,KAAK;AAAA,EAC7B;AAAA,EAEA,MAAM,SAA2D;AAC/D,WAAO,EAAE,SAAS,MAAM,WAAW,EAAE;AAAA,EACvC;AACF;AAQO,IAAM,cAAN,MAAsC;AAAA,EAC3C,MAAM,QAAQ,UAA0C;AACtD,UAAM,OAA+B,CAAC;AACtC,UAAM,SAAS,GAAG,SAAS,YAAY,CAAC;AACxC,UAAM,SAAS;AACf,eAAW,CAAC,QAAQ,GAAG,KAAK,OAAO,QAAQ,QAAQ,GAAG,GAAG;AACvD,UAAI,OAAO,WAAW,MAAM,KAAK,OAAO,SAAS,MAAM,KAAK,OAAO,QAAQ,UAAU;AACnF,cAAM,WAAW,OAAO,MAAM,OAAO,QAAQ,OAAO,SAAS,OAAO,MAAM,EAAE,YAAY;AACxF,YAAI,SAAS,SAAS,EAAG,MAAK,QAAQ,IAAI;AAAA,MAC5C;AAAA,IACF;AACA,QAAI,OAAO,KAAK,IAAI,EAAE,WAAW,GAAG;AAClC,YAAM,IAAI,oBAAoB;AAAA,IAChC;AACA,WAAO;AAAA,MACL;AAAA,MACA,cAAc,IAAI,IAAI,OAAO,QAAQ,IAAI,CAAC;AAAA,IAC5C;AAAA,EACF;AAAA,EAEA,MAAM,IAAI,UAAkB,KAAqC;AAC/D,UAAM,SAAS,GAAG,SAAS,YAAY,CAAC,IAAI,IAAI,YAAY,CAAC;AAC7D,WAAO,QAAQ,IAAI,MAAM,KAAK;AAAA,EAChC;AAAA,EAEA,MAAM,SAA2D;AAC/D,WAAO,EAAE,SAAS,MAAM,WAAW,EAAE;AAAA,EACvC;AACF;;;ACrEA,SAAS,uBAAuB,4BAA4B;AAC5D,SAAS,0BAA0B,uBAAAA,4BAA2B;AAyBvD,IAAM,4BAAN,MAAoD;AAAA,EACjD;AAAA,EACA,QAAQ,oBAAI,IAAwB;AAAA,EACpC;AAAA,EACA;AAAA,EAER,YAAY,QAAyC;AACnD,SAAK,aAAa,OAAO,cAAc;AACvC,SAAK,eAAe,OAAO,gBAAgB;AAC3C,SAAK,SAAS,IAAI,qBAAqB;AAAA,MACrC,QAAQ,OAAO;AAAA,MACf,GAAI,OAAO,cAAc,EAAE,aAAa,OAAO,YAAY,IAAI,CAAC;AAAA,IAClE,CAAC;AAAA,EACH;AAAA,EAEQ,WAAW,UAA0B;AAC3C,WAAO,GAAG,KAAK,YAAY,IAAI,QAAQ;AAAA,EACzC;AAAA,EAEA,MAAM,QAAQ,UAA0C;AACtD,UAAM,MAAM,KAAK,IAAI;AACrB,UAAM,SAAS,KAAK,MAAM,IAAI,QAAQ;AACtC,QAAI,UAAU,OAAO,cAAc,KAAK;AACtC,aAAO,OAAO;AAAA,IAChB;AAEA,QAAI;AACJ,QAAI;AACF,YAAM,WAAW,MAAM,KAAK,OAAO;AAAA,QACjC,IAAI,sBAAsB,EAAE,UAAU,KAAK,WAAW,QAAQ,EAAE,CAAC;AAAA,MACnE;AACA,gBAAU,SAAS;AAAA,IACrB,SAAS,KAAK;AACZ,YAAM,OAAQ,KAAmC;AAGjD,UAAI,SAAS,6BAA6B;AACxC,cAAM,IAAIA,qBAAoB;AAAA,MAChC;AACA,YAAM,IAAI,yBAAyB;AAAA,IACrC;AAEA,QAAI,CAAC,SAAS;AACZ,YAAM,IAAIA,qBAAoB;AAAA,IAChC;AAEA,QAAI;AACJ,QAAI;AACF,eAAS,KAAK,MAAM,OAAO;AAAA,IAC7B,QAAQ;AACN,YAAM,IAAI,yBAAyB;AAAA,IACrC;AAEA,UAAM,EAAE,cAAc,OAAO,IAAI,mBAAmB,MAAM;AAC1D,UAAM,UAAyB;AAAA,MAC7B;AAAA,MACA;AAAA,MACA,GAAI,OAAO,aACP,EAAE,YAAY,OAAO,WAA0C,IAC/D,CAAC;AAAA,MACL,GAAI,OAAO,mBAAmB,EAAE,kBAAkB,OAAO,iBAA6B,IAAI,CAAC;AAAA,MAC3F,GAAI,OAAO,gBAAgB,EAAE,eAAe,OAAO,cAA0B,IAAI,CAAC;AAAA,MAClF,GAAI,OAAO,WAAW,EAAE,UAAU,OAAO,SAAoC,IAAI,CAAC;AAAA,IACpF;AAEA,SAAK,MAAM,IAAI,UAAU,EAAE,SAAS,aAAa,MAAM,KAAK,WAAW,CAAC;AACxE,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,IAAI,UAAkB,KAAqC;AAC/D,QAAI;AACF,YAAM,UAAU,MAAM,KAAK,QAAQ,QAAQ;AAC3C,aAAO,QAAQ,aAAa,IAAI,GAAG,KAAK;AAAA,IAC1C,SAAS,KAAK;AACZ,UAAI,eAAeA,qBAAqB,QAAO;AAC/C,YAAM;AAAA,IACR;AAAA,EACF;AAAA,EAEA,MAAM,SAA2D;AAC/D,UAAM,QAAQ,KAAK,IAAI;AACvB,QAAI;AAIF,YAAM,KAAK,OAAO;AAAA,QAChB,IAAI,sBAAsB,EAAE,UAAU,GAAG,KAAK,YAAY,oBAAoB,CAAC;AAAA,MACjF;AACA,aAAO,EAAE,SAAS,MAAM,WAAW,KAAK,IAAI,IAAI,MAAM;AAAA,IACxD,SAAS,KAAK;AACZ,YAAM,OAAQ,KAAmC;AACjD,UAAI,SAAS,6BAA6B;AACxC,eAAO,EAAE,SAAS,MAAM,WAAW,KAAK,IAAI,IAAI,MAAM;AAAA,MACxD;AACA,aAAO,EAAE,SAAS,OAAO,WAAW,KAAK,IAAI,IAAI,MAAM;AAAA,IACzD;AAAA,EACF;AACF;AAQA,SAAS,mBAAmB,QAG1B;AACA,QAAM,WAAW,oBAAI,IAAI,CAAC,cAAc,oBAAoB,iBAAiB,UAAU,CAAC;AACxF,QAAM,eAAe,oBAAI,IAAoB;AAC7C,QAAM,SAAkC,CAAC;AACzC,aAAW,CAAC,GAAG,CAAC,KAAK,OAAO,QAAQ,MAAM,GAAG;AAC3C,QAAI,SAAS,IAAI,CAAC,GAAG;AACnB,aAAO,CAAC,IAAI;AAAA,IACd,WAAW,OAAO,MAAM,UAAU;AAChC,mBAAa,IAAI,GAAG,CAAC;AAAA,IACvB;AAAA,EACF;AACA,SAAO,EAAE,cAAc,OAAO;AAChC;;;AClJA,SAAS,kCAAkC;AAC3C,SAAS,4BAAAC,2BAA0B,uBAAAC,4BAA2B;AAyBvD,IAAM,2BAAN,MAAmD;AAAA,EAChD;AAAA,EACA,QAAQ,oBAAI,IAAwB;AAAA,EACpC;AAAA,EACA;AAAA,EACA;AAAA,EAER,YAAY,QAAwC;AAClD,SAAK,aAAa,OAAO,cAAc;AACvC,SAAK,YAAY,OAAO;AACxB,SAAK,eAAe,OAAO,gBAAgB;AAC3C,SAAK,SAAS,IAAI;AAAA,MAChB,OAAO,cAAc,EAAE,aAAa,OAAO,YAAY,IAAI;AAAA,IAC7D;AAAA,EACF;AAAA,EAEQ,kBAAkB,UAA0B;AAClD,WAAO,YAAY,KAAK,SAAS,YAAY,KAAK,YAAY,IAAI,QAAQ;AAAA,EAC5E;AAAA,EAEA,MAAM,QAAQ,UAA0C;AACtD,UAAM,MAAM,KAAK,IAAI;AACrB,UAAM,SAAS,KAAK,MAAM,IAAI,QAAQ;AACtC,QAAI,UAAU,OAAO,cAAc,KAAK;AACtC,aAAO,OAAO;AAAA,IAChB;AAEA,QAAI;AACJ,QAAI;AACF,YAAM,CAAC,QAAQ,IAAI,MAAM,KAAK,OAAO,oBAAoB;AAAA,QACvD,MAAM,KAAK,kBAAkB,QAAQ;AAAA,MACvC,CAAC;AACD,YAAM,OAAO,UAAU,SAAS;AAChC,UAAI,MAAM;AACR,kBAAU,OAAO,SAAS,WAAW,OAAO,OAAO,KAAK,IAAI,EAAE,SAAS,MAAM;AAAA,MAC/E;AAAA,IACF,SAAS,KAAK;AACZ,YAAM,OAAQ,KAA4C;AAE1D,UAAI,SAAS,KAAK,SAAS,aAAa;AACtC,cAAM,IAAIA,qBAAoB;AAAA,MAChC;AACA,YAAM,IAAID,0BAAyB;AAAA,IACrC;AAEA,QAAI,CAAC,SAAS;AACZ,YAAM,IAAIC,qBAAoB;AAAA,IAChC;AAEA,QAAI;AACJ,QAAI;AACF,eAAS,KAAK,MAAM,OAAO;AAAA,IAC7B,QAAQ;AACN,YAAM,IAAID,0BAAyB;AAAA,IACrC;AAEA,UAAM,EAAE,cAAc,OAAO,IAAIE,oBAAmB,MAAM;AAC1D,UAAM,UAAyB;AAAA,MAC7B;AAAA,MACA;AAAA,MACA,GAAI,OAAO,aACP,EAAE,YAAY,OAAO,WAA0C,IAC/D,CAAC;AAAA,MACL,GAAI,OAAO,mBAAmB,EAAE,kBAAkB,OAAO,iBAA6B,IAAI,CAAC;AAAA,MAC3F,GAAI,OAAO,gBAAgB,EAAE,eAAe,OAAO,cAA0B,IAAI,CAAC;AAAA,MAClF,GAAI,OAAO,WAAW,EAAE,UAAU,OAAO,SAAoC,IAAI,CAAC;AAAA,IACpF;AAEA,SAAK,MAAM,IAAI,UAAU,EAAE,SAAS,aAAa,MAAM,KAAK,WAAW,CAAC;AACxE,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,IAAI,UAAkB,KAAqC;AAC/D,QAAI;AACF,YAAM,UAAU,MAAM,KAAK,QAAQ,QAAQ;AAC3C,aAAO,QAAQ,aAAa,IAAI,GAAG,KAAK;AAAA,IAC1C,SAAS,KAAK;AACZ,UAAI,eAAeD,qBAAqB,QAAO;AAC/C,YAAM;AAAA,IACR;AAAA,EACF;AAAA,EAEA,MAAM,SAA2D;AAC/D,UAAM,QAAQ,KAAK,IAAI;AACvB,QAAI;AAEF,YAAM,KAAK,OAAO,oBAAoB;AAAA,QACpC,MAAM,KAAK,kBAAkB,kBAAkB;AAAA,MACjD,CAAC;AACD,aAAO,EAAE,SAAS,MAAM,WAAW,KAAK,IAAI,IAAI,MAAM;AAAA,IACxD,SAAS,KAAK;AACZ,YAAM,OAAQ,KAA4C;AAC1D,UAAI,SAAS,KAAK,SAAS,aAAa;AACtC,eAAO,EAAE,SAAS,MAAM,WAAW,KAAK,IAAI,IAAI,MAAM;AAAA,MACxD;AACA,aAAO,EAAE,SAAS,OAAO,WAAW,KAAK,IAAI,IAAI,MAAM;AAAA,IACzD;AAAA,EACF;AACF;AAEA,SAASC,oBAAmB,QAG1B;AACA,QAAM,WAAW,oBAAI,IAAI,CAAC,cAAc,oBAAoB,iBAAiB,UAAU,CAAC;AACxF,QAAM,eAAe,oBAAI,IAAoB;AAC7C,QAAM,SAAkC,CAAC;AACzC,aAAW,CAAC,GAAG,CAAC,KAAK,OAAO,QAAQ,MAAM,GAAG;AAC3C,QAAI,SAAS,IAAI,CAAC,GAAG;AACnB,aAAO,CAAC,IAAI;AAAA,IACd,WAAW,OAAO,MAAM,UAAU;AAChC,mBAAa,IAAI,GAAG,CAAC;AAAA,IACvB;AAAA,EACF;AACA,SAAO,EAAE,cAAc,OAAO;AAChC;","names":["TenantNotFoundError","KeyVaultUnavailableError","TenantNotFoundError","splitTenantPayload"]}

package/package.json ADDED Viewed

@@ -0,0 +1,46 @@
+{
+  "name": "@reaatech/media-pipeline-mcp-keyvault",
+  "version": "0.3.0",
+  "type": "module",
+  "main": "./dist/index.cjs",
+  "module": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "import": "./dist/index.js",
+      "require": "./dist/index.cjs",
+      "types": "./dist/index.d.ts"
+    }
+  },
+  "files": [
+    "dist"
+  ],
+  "dependencies": {
+    "@reaatech/media-pipeline-mcp-core": "0.3.0"
+  },
+  "peerDependencies": {
+    "@aws-sdk/client-secrets-manager": "^3.0.0",
+    "@google-cloud/secret-manager": "^5.0.0"
+  },
+  "peerDependenciesMeta": {
+    "@aws-sdk/client-secrets-manager": {
+      "optional": true
+    },
+    "@google-cloud/secret-manager": {
+      "optional": true
+    }
+  },
+  "devDependencies": {
+    "@aws-sdk/client-secrets-manager": "^3.0.0",
+    "@google-cloud/secret-manager": "^5.0.0",
+    "@types/node": "^20.0.0",
+    "tsup": "^8.0.0",
+    "typescript": "^5.0.0",
+    "vitest": "^3.0.0"
+  },
+  "scripts": {
+    "build": "tsup src/index.ts --dts --format esm,cjs --sourcemap",
+    "test": "vitest run --passWithNoTests",
+    "typecheck": "tsc --noEmit"
+  }
+}