@simonsbs/keylore 1.0.0-rc4

package/dist/services/rate-limit-service.js

@@ -0,0 +1,80 @@
+function toDate(value) {
+    return value instanceof Date ? value : new Date(value);
+}
+export class PgRateLimitService {
+    database;
+    windowMs;
+    maxRequests;
+    telemetry;
+    constructor(database, windowMs, maxRequests, telemetry) {
+        this.database = database;
+        this.windowMs = windowMs;
+        this.maxRequests = maxRequests;
+        this.telemetry = telemetry;
+    }
+    async check(bucketKey) {
+        const now = Date.now();
+        let row;
+        for (let attempt = 0; attempt < 2; attempt += 1) {
+            try {
+                row = await this.database.withTransaction(async (client) => {
+                    const existing = await client.query("SELECT request_count, window_started_at FROM request_rate_limits WHERE bucket_key = $1", [bucketKey]);
+                    if (!existing.rows[0]) {
+                        const inserted = await client.query(`INSERT INTO request_rate_limits (bucket_key, window_started_at, request_count, updated_at)
+               VALUES ($1, NOW(), 1, NOW())
+               RETURNING request_count, window_started_at`, [bucketKey]);
+                        return inserted.rows[0];
+                    }
+                    const current = existing.rows[0];
+                    const windowStartedAt = toDate(current.window_started_at).getTime();
+                    const expired = now - windowStartedAt >= this.windowMs;
+                    const updated = await client.query(`UPDATE request_rate_limits
+             SET request_count = $2,
+                 window_started_at = $3,
+                 updated_at = NOW()
+             WHERE bucket_key = $1
+             RETURNING request_count, window_started_at`, [
+                        bucketKey,
+                        expired ? 1 : Number(current.request_count) + 1,
+                        expired ? new Date(now).toISOString() : new Date(windowStartedAt).toISOString(),
+                    ]);
+                    return updated.rows[0];
+                });
+                break;
+            }
+            catch (error) {
+                const code = typeof error === "object" && error !== null && "code" in error
+                    ? String(error.code)
+                    : undefined;
+                if (code === "23505" && attempt === 0) {
+                    continue;
+                }
+                throw error;
+            }
+        }
+        if (!row) {
+            throw new Error("Failed to update rate limit state.");
+        }
+        const requestCount = Number(row.request_count);
+        const resetAt = toDate(row.window_started_at).getTime() + this.windowMs;
+        const limited = requestCount > this.maxRequests;
+        if (limited) {
+            this.telemetry.recordRateLimitBlock("http");
+        }
+        return {
+            limited,
+            retryAfterSeconds: limited ? Math.max(1, Math.ceil((resetAt - now) / 1000)) : undefined,
+            remaining: Math.max(0, this.maxRequests - requestCount),
+        };
+    }
+    async cleanup() {
+        const cutoff = new Date(Date.now() - this.windowMs * 4).toISOString();
+        const result = await this.database.query(`WITH deleted AS (
+         DELETE FROM request_rate_limits
+         WHERE window_started_at < $1
+         RETURNING 1
+       )
+       SELECT COUNT(*)::text AS count FROM deleted`, [cutoff]);
+        return Number.parseInt(result.rows[0]?.count ?? "0", 10);
+    }
+}

package/dist/services/rotation-service.js

@@ -0,0 +1,271 @@
+import { randomUUID } from "node:crypto";
+import { rotationCreateInputSchema, rotationPlanInputSchema, rotationRunSchema, } from "../domain/types.js";
+function earliestDueDate(values) {
+    const parsed = values
+        .filter((value) => Boolean(value))
+        .map((value) => new Date(value))
+        .filter((value) => !Number.isNaN(value.getTime()))
+        .sort((left, right) => left.getTime() - right.getTime());
+    return parsed[0]?.toISOString();
+}
+function dueSource(credential, inspection) {
+    if (inspection.nextRotationAt) {
+        return "secret_rotation_window";
+    }
+    if (inspection.expiresAt) {
+        return "secret_expiry";
+    }
+    if (credential.expiresAt) {
+        return "catalog_expiry";
+    }
+    return undefined;
+}
+function tenantAllowed(context, tenantId) {
+    return !context.tenantId || context.tenantId === tenantId;
+}
+export class RotationService {
+    runs;
+    credentials;
+    adapters;
+    audit;
+    notifications;
+    traces;
+    defaultHorizonDays;
+    constructor(runs, credentials, adapters, audit, notifications, traces, defaultHorizonDays) {
+        this.runs = runs;
+        this.credentials = credentials;
+        this.adapters = adapters;
+        this.audit = audit;
+        this.notifications = notifications;
+        this.traces = traces;
+        this.defaultHorizonDays = defaultHorizonDays;
+    }
+    async createRun(input, actor) {
+        const created = await this.runs.create(rotationRunSchema.parse(input));
+        await this.audit.record({
+            type: "rotation.run",
+            action: "rotation.create",
+            outcome: "success",
+            tenantId: created.tenantId,
+            principal: actor.principal,
+            metadata: {
+                rotationId: created.id,
+                tenantId: created.tenantId,
+                credentialId: created.credentialId,
+                source: created.source,
+                dueAt: created.dueAt ?? null,
+            },
+        });
+        await this.notifications.send("rotation.created", {
+            rotationId: created.id,
+            credentialId: created.credentialId,
+            source: created.source,
+            dueAt: created.dueAt ?? null,
+        });
+        return created;
+    }
+    async list(filter) {
+        return this.runs.list(filter);
+    }
+    async createManual(context, input) {
+        const parsed = rotationCreateInputSchema.parse(input);
+        return this.traces.withSpan("rotation.create_manual", { credentialId: parsed.credentialId }, async () => {
+            const credential = await this.credentials.getById(parsed.credentialId);
+            if (!credential) {
+                throw new Error("Credential not found.");
+            }
+            if (!tenantAllowed(context, credential.tenantId)) {
+                throw new Error("Tenant access denied.");
+            }
+            const existing = await this.runs.findOpenByCredentialId(parsed.credentialId);
+            if (existing) {
+                throw new Error("An open rotation already exists for this credential.");
+            }
+            return this.createRun({
+                id: randomUUID(),
+                tenantId: credential.tenantId,
+                credentialId: parsed.credentialId,
+                status: "pending",
+                source: "manual",
+                reason: parsed.reason,
+                dueAt: parsed.dueAt,
+                plannedAt: new Date().toISOString(),
+                plannedBy: context.principal,
+                updatedBy: context.principal,
+                note: parsed.note,
+            }, context);
+        });
+    }
+    async planDue(context, input) {
+        const parsed = rotationPlanInputSchema.parse(input ?? { horizonDays: this.defaultHorizonDays });
+        return this.traces.withSpan("rotation.plan_due", { horizonDays: parsed.horizonDays }, async () => {
+            const credentials = await this.credentials.list();
+            const cutoff = Date.now() + parsed.horizonDays * 24 * 60 * 60 * 1000;
+            const created = [];
+            for (const credential of credentials) {
+                if (credential.status !== "active") {
+                    continue;
+                }
+                if (!tenantAllowed(context, credential.tenantId)) {
+                    continue;
+                }
+                if (parsed.credentialIds?.length && !parsed.credentialIds.includes(credential.id)) {
+                    continue;
+                }
+                if (await this.runs.findOpenByCredentialId(credential.id)) {
+                    continue;
+                }
+                const inspection = await this.adapters.inspectCredential(credential);
+                const dueAt = earliestDueDate([
+                    credential.expiresAt,
+                    inspection.expiresAt,
+                    inspection.nextRotationAt,
+                ]);
+                if (!dueAt || new Date(dueAt).getTime() > cutoff) {
+                    continue;
+                }
+                const source = dueSource(credential, inspection);
+                if (!source) {
+                    continue;
+                }
+                created.push(await this.createRun({
+                    id: randomUUID(),
+                    tenantId: credential.tenantId,
+                    credentialId: credential.id,
+                    status: "pending",
+                    source,
+                    reason: source === "catalog_expiry"
+                        ? "Credential catalogue expiry is approaching."
+                        : source === "secret_expiry"
+                            ? "Secret backend reports upcoming expiry."
+                            : "Secret backend reports upcoming rotation window.",
+                    dueAt,
+                    plannedAt: new Date().toISOString(),
+                    plannedBy: context.principal,
+                    updatedBy: context.principal,
+                }, context));
+            }
+            return created;
+        });
+    }
+    async start(id, context, note) {
+        return this.traces.withSpan("rotation.start", { rotationId: id }, async () => {
+            const existing = await this.runs.getById(id);
+            if (existing && !tenantAllowed(context, existing.tenantId)) {
+                throw new Error("Tenant access denied.");
+            }
+            const updated = await this.runs.transition(id, {
+                fromStatuses: ["pending"],
+                status: "in_progress",
+                updatedBy: context.principal,
+                note,
+            });
+            if (updated) {
+                await this.audit.record({
+                    type: "rotation.run",
+                    action: "rotation.start",
+                    outcome: "success",
+                    tenantId: updated.tenantId,
+                    principal: context.principal,
+                    metadata: {
+                        rotationId: updated.id,
+                        tenantId: updated.tenantId,
+                        credentialId: updated.credentialId,
+                    },
+                });
+                await this.notifications.send("rotation.started", {
+                    rotationId: updated.id,
+                    credentialId: updated.credentialId,
+                });
+            }
+            return updated;
+        });
+    }
+    async complete(id, context, input) {
+        return this.traces.withSpan("rotation.complete", { rotationId: id }, async () => {
+            const run = await this.runs.getById(id);
+            if (!run) {
+                return undefined;
+            }
+            if (!tenantAllowed(context, run.tenantId)) {
+                throw new Error("Tenant access denied.");
+            }
+            const credential = await this.credentials.getById(run.credentialId);
+            if (!credential) {
+                throw new Error("Credential not found.");
+            }
+            const nextLastValidatedAt = input.lastValidatedAt ?? new Date().toISOString();
+            const nextBinding = input.targetRef && input.targetRef !== credential.binding.ref
+                ? { ...credential.binding, ref: input.targetRef }
+                : undefined;
+            await this.credentials.update(credential.id, {
+                lastValidatedAt: nextLastValidatedAt,
+                expiresAt: input.expiresAt ?? credential.expiresAt,
+                ...(nextBinding ? { binding: nextBinding } : {}),
+            });
+            const updated = await this.runs.transition(id, {
+                fromStatuses: ["pending", "in_progress"],
+                status: "completed",
+                updatedBy: context.principal,
+                note: input.note,
+                targetRef: input.targetRef,
+                resultNote: input.note,
+            });
+            if (updated) {
+                await this.audit.record({
+                    type: "rotation.run",
+                    action: "rotation.complete",
+                    outcome: "success",
+                    tenantId: updated.tenantId,
+                    principal: context.principal,
+                    metadata: {
+                        rotationId: updated.id,
+                        tenantId: updated.tenantId,
+                        credentialId: updated.credentialId,
+                        targetRef: updated.targetRef ?? null,
+                    },
+                });
+                await this.notifications.send("rotation.completed", {
+                    rotationId: updated.id,
+                    credentialId: updated.credentialId,
+                    targetRef: updated.targetRef ?? null,
+                });
+            }
+            return updated;
+        });
+    }
+    async fail(id, context, note) {
+        return this.traces.withSpan("rotation.fail", { rotationId: id }, async () => {
+            const existing = await this.runs.getById(id);
+            if (existing && !tenantAllowed(context, existing.tenantId)) {
+                throw new Error("Tenant access denied.");
+            }
+            const updated = await this.runs.transition(id, {
+                fromStatuses: ["pending", "in_progress"],
+                status: "failed",
+                updatedBy: context.principal,
+                note,
+                resultNote: note,
+            });
+            if (updated) {
+                await this.audit.record({
+                    type: "rotation.run",
+                    action: "rotation.fail",
+                    outcome: "error",
+                    tenantId: updated.tenantId,
+                    principal: context.principal,
+                    metadata: {
+                        rotationId: updated.id,
+                        tenantId: updated.tenantId,
+                        credentialId: updated.credentialId,
+                    },
+                });
+                await this.notifications.send("rotation.failed", {
+                    rotationId: updated.id,
+                    credentialId: updated.credentialId,
+                });
+            }
+            return updated;
+        });
+    }
+}

package/dist/services/telemetry.js

@@ -0,0 +1,149 @@
+function labelKey(labels) {
+    return Object.entries(labels)
+        .sort(([left], [right]) => left.localeCompare(right))
+        .map(([key, value]) => `${key}=${value}`)
+        .join(",");
+}
+function renderLabels(labels) {
+    const entries = Object.entries(labels).sort(([left], [right]) => left.localeCompare(right));
+    if (entries.length === 0) {
+        return "";
+    }
+    const body = entries
+        .map(([key, value]) => `${key}="${value.replaceAll("\\", "\\\\").replaceAll("\"", "\\\"")}"`)
+        .join(",");
+    return `{${body}}`;
+}
+export class TelemetryService {
+    startedAt = Date.now();
+    counters = new Map();
+    gauges = new Map();
+    summaries = new Map();
+    getCounter(name) {
+        let metric = this.counters.get(name);
+        if (!metric) {
+            metric = new Map();
+            this.counters.set(name, metric);
+        }
+        return metric;
+    }
+    getGauge(name) {
+        let metric = this.gauges.get(name);
+        if (!metric) {
+            metric = new Map();
+            this.gauges.set(name, metric);
+        }
+        return metric;
+    }
+    getSummary(name) {
+        let metric = this.summaries.get(name);
+        if (!metric) {
+            metric = new Map();
+            this.summaries.set(name, metric);
+        }
+        return metric;
+    }
+    incrementCounter(name, labels = {}, value = 1) {
+        const metric = this.getCounter(name);
+        const key = labelKey(labels);
+        const current = metric.get(key);
+        metric.set(key, {
+            labels,
+            value: (current?.value ?? 0) + value,
+        });
+    }
+    setGauge(name, labels = {}, value) {
+        this.getGauge(name).set(labelKey(labels), {
+            labels,
+            value,
+        });
+    }
+    adjustGauge(name, labels = {}, delta) {
+        const metric = this.getGauge(name);
+        const key = labelKey(labels);
+        const current = metric.get(key);
+        metric.set(key, {
+            labels,
+            value: (current?.value ?? 0) + delta,
+        });
+    }
+    observeSummary(name, labels = {}, value) {
+        const metric = this.getSummary(name);
+        const key = labelKey(labels);
+        const current = metric.get(key);
+        metric.set(key, {
+            labels,
+            count: (current?.count ?? 0) + 1,
+            sum: (current?.sum ?? 0) + value,
+            max: Math.max(current?.max ?? value, value),
+        });
+    }
+    recordHttpRequest(route, method, statusCode, durationMs) {
+        const labels = {
+            route,
+            method,
+            status_class: `${Math.floor(statusCode / 100)}xx`,
+        };
+        this.incrementCounter("keylore_http_requests_total", labels);
+        this.observeSummary("keylore_http_request_duration_ms", labels, durationMs);
+    }
+    recordRateLimitBlock(scope) {
+        this.incrementCounter("keylore_rate_limit_blocks_total", { scope });
+    }
+    recordAuthTokenIssued(outcome) {
+        this.incrementCounter("keylore_auth_token_issuance_total", { outcome });
+    }
+    recordAuthTokenValidation(outcome) {
+        this.incrementCounter("keylore_auth_token_validation_total", { outcome });
+    }
+    recordAdapterOperation(adapter, operation, outcome) {
+        this.incrementCounter("keylore_adapter_operations_total", {
+            adapter,
+            operation,
+            outcome,
+        });
+    }
+    recordMaintenanceRun(task, outcome, durationMs) {
+        this.incrementCounter("keylore_maintenance_runs_total", { task, outcome });
+        this.observeSummary("keylore_maintenance_duration_ms", { task, outcome }, durationMs);
+        this.setGauge("keylore_maintenance_last_run_timestamp_seconds", { task }, Math.floor(Date.now() / 1000));
+    }
+    recordNotificationDelivery(eventType, outcome) {
+        this.incrementCounter("keylore_notification_deliveries_total", { event_type: eventType, outcome });
+    }
+    recordTraceExport(outcome, batchSize) {
+        this.incrementCounter("keylore_trace_exports_total", { outcome });
+        this.observeSummary("keylore_trace_export_batch_size", { outcome }, batchSize);
+    }
+    recordRotationRun(action, outcome) {
+        this.incrementCounter("keylore_rotation_runs_total", { action, outcome });
+    }
+    renderPrometheus() {
+        const lines = [
+            "# HELP keylore_process_start_time_seconds Process start time in Unix seconds.",
+            "# TYPE keylore_process_start_time_seconds gauge",
+            `keylore_process_start_time_seconds ${Math.floor(this.startedAt / 1000)}`,
+        ];
+        for (const [name, metric] of this.counters.entries()) {
+            lines.push(`# TYPE ${name} counter`);
+            for (const entry of metric.values()) {
+                lines.push(`${name}${renderLabels(entry.labels)} ${entry.value}`);
+            }
+        }
+        for (const [name, metric] of this.gauges.entries()) {
+            lines.push(`# TYPE ${name} gauge`);
+            for (const entry of metric.values()) {
+                lines.push(`${name}${renderLabels(entry.labels)} ${entry.value}`);
+            }
+        }
+        for (const [name, metric] of this.summaries.entries()) {
+            lines.push(`# TYPE ${name} summary`);
+            for (const entry of metric.values()) {
+                lines.push(`${name}_count${renderLabels(entry.labels)} ${entry.count}`);
+                lines.push(`${name}_sum${renderLabels(entry.labels)} ${entry.sum}`);
+                lines.push(`${name}_max${renderLabels(entry.labels)} ${entry.max}`);
+            }
+        }
+        return `${lines.join("\n")}\n`;
+    }
+}

package/dist/services/tenant-service.js

@@ -0,0 +1,127 @@
+import { authClientSecretOutputSchema, tenantSummarySchema, } from "../domain/types.js";
+function requireTenantAdmin(actor, tenantId) {
+    if (actor.tenantId && tenantId && actor.tenantId !== tenantId) {
+        throw new Error("Tenant access denied.");
+    }
+}
+export class TenantService {
+    tenants;
+    database;
+    audit;
+    auth;
+    constructor(tenants, database, audit, auth) {
+        this.tenants = tenants;
+        this.database = database;
+        this.audit = audit;
+        this.auth = auth;
+    }
+    async list(actor) {
+        const tenants = await this.tenants.list();
+        const visibleTenants = actor.tenantId
+            ? tenants.filter((tenant) => tenant.tenantId === actor.tenantId)
+            : tenants;
+        const summaries = await Promise.all(visibleTenants.map((tenant) => this.summaryFor(tenant)));
+        return summaries.map((summary) => tenantSummarySchema.parse(summary));
+    }
+    async get(actor, tenantId) {
+        requireTenantAdmin(actor, tenantId);
+        const tenant = await this.tenants.getById(tenantId);
+        if (!tenant) {
+            return undefined;
+        }
+        return tenantSummarySchema.parse(await this.summaryFor(tenant));
+    }
+    async requireActiveTenant(tenantId) {
+        const tenant = await this.tenants.getById(tenantId);
+        if (!tenant) {
+            throw new Error(`Unknown tenant: ${tenantId}`);
+        }
+        if (tenant.status !== "active") {
+            throw new Error(`Tenant is disabled: ${tenantId}`);
+        }
+        return tenant;
+    }
+    async create(actor, input) {
+        requireTenantAdmin(actor, input.tenantId);
+        const existing = await this.tenants.getById(input.tenantId);
+        if (existing) {
+            throw new Error(`Tenant already exists: ${input.tenantId}`);
+        }
+        const tenant = await this.tenants.create(input);
+        await this.audit.record({
+            type: "auth.client",
+            action: "tenant.create",
+            outcome: "success",
+            tenantId: tenant.tenantId,
+            principal: actor.principal,
+            metadata: {
+                tenantId: tenant.tenantId,
+                status: tenant.status,
+            },
+        });
+        return tenantSummarySchema.parse(await this.summaryFor(tenant));
+    }
+    async update(actor, tenantId, patch) {
+        requireTenantAdmin(actor, tenantId);
+        const tenant = await this.tenants.update(tenantId, patch);
+        if (!tenant) {
+            return undefined;
+        }
+        await this.audit.record({
+            type: "auth.client",
+            action: "tenant.update",
+            outcome: "success",
+            tenantId: tenant.tenantId,
+            principal: actor.principal,
+            metadata: {
+                tenantId: tenant.tenantId,
+                fields: Object.keys(patch),
+                status: tenant.status,
+            },
+        });
+        return tenantSummarySchema.parse(await this.summaryFor(tenant));
+    }
+    async bootstrap(actor, input) {
+        const tenant = await this.create(actor, input.tenant);
+        const clients = [];
+        for (const client of input.authClients) {
+            clients.push(authClientSecretOutputSchema.parse(await this.auth.createClient(actor, {
+                ...client,
+                tenantId: tenant.tenantId,
+            })));
+        }
+        const refreshedTenant = tenantSummarySchema.parse(await this.summaryFor({
+            tenantId: tenant.tenantId,
+            displayName: tenant.displayName,
+            description: tenant.description,
+            status: tenant.status,
+            createdAt: tenant.createdAt,
+            updatedAt: tenant.updatedAt,
+        }));
+        await this.audit.record({
+            type: "auth.client",
+            action: "tenant.bootstrap",
+            outcome: "success",
+            tenantId: refreshedTenant.tenantId,
+            principal: actor.principal,
+            metadata: {
+                tenantId: refreshedTenant.tenantId,
+                authClientCount: clients.length,
+            },
+        });
+        return { tenant: refreshedTenant, clients };
+    }
+    async summaryFor(tenant) {
+        const result = await this.database.query(`SELECT
+         (SELECT COUNT(*)::text FROM credentials WHERE tenant_id = $1) AS credential_count,
+         (SELECT COUNT(*)::text FROM oauth_clients WHERE tenant_id = $1) AS auth_client_count,
+         (SELECT COUNT(*)::text FROM access_tokens WHERE tenant_id = $1 AND status = 'active') AS active_token_count`, [tenant.tenantId]);
+        const row = result.rows[0];
+        return {
+            ...tenant,
+            credentialCount: Number.parseInt(row?.credential_count ?? "0", 10),
+            authClientCount: Number.parseInt(row?.auth_client_count ?? "0", 10),
+            activeTokenCount: Number.parseInt(row?.active_token_count ?? "0", 10),
+        };
+    }
+}