@simonsbs/keylore 1.0.0-rc4

package/data/auth-clients.json

@@ -0,0 +1,54 @@
+{
+  "version": 1,
+  "clients": [
+    {
+      "clientId": "keylore-admin-local",
+      "displayName": "KeyLore Local Admin",
+      "secretRef": "KEYLORE_BOOTSTRAP_ADMIN_CLIENT_SECRET",
+      "roles": [
+        "admin",
+        "auth_admin",
+        "operator",
+        "maintenance_operator",
+        "backup_operator",
+        "breakglass_operator",
+        "auditor",
+        "approver"
+      ],
+      "allowedScopes": [
+        "catalog:read",
+        "catalog:write",
+        "admin:read",
+        "admin:write",
+        "auth:read",
+        "auth:write",
+        "broker:use",
+        "sandbox:run",
+        "audit:read",
+        "approval:read",
+        "approval:review",
+        "system:read",
+        "system:write",
+        "backup:read",
+        "backup:write",
+        "breakglass:request",
+        "breakglass:read",
+        "breakglass:review",
+        "mcp:use"
+      ],
+      "status": "active"
+    },
+    {
+      "clientId": "keylore-consumer-local",
+      "displayName": "KeyLore Local Consumer",
+      "secretRef": "KEYLORE_BOOTSTRAP_CONSUMER_CLIENT_SECRET",
+      "roles": ["consumer"],
+      "allowedScopes": [
+        "catalog:read",
+        "broker:use",
+        "mcp:use"
+      ],
+      "status": "active"
+    }
+  ]
+}

package/data/catalog.json

@@ -0,0 +1,53 @@
+{
+  "version": 1,
+  "credentials": [
+    {
+      "id": "github-readonly-demo",
+      "displayName": "GitHub Read-Only Demo Token",
+      "service": "github",
+      "owner": "platform",
+      "scopeTier": "read_only",
+      "sensitivity": "high",
+      "allowedDomains": ["api.github.com"],
+      "permittedOperations": ["http.get"],
+      "expiresAt": null,
+      "rotationPolicy": "Rotate every 90 days",
+      "lastValidatedAt": "2026-03-13T00:00:00.000Z",
+      "selectionNotes": "Use for repository metadata, issue lookup, and release inspection. Never use for write operations.",
+      "binding": {
+        "adapter": "env",
+        "ref": "KEYLORE_SECRET_GITHUB_READONLY",
+        "authType": "bearer",
+        "headerName": "Authorization",
+        "headerPrefix": "Bearer ",
+        "injectionEnvName": "GITHUB_TOKEN"
+      },
+      "tags": ["github", "readonly", "demo"],
+      "status": "active"
+    },
+    {
+      "id": "npm-readonly-demo",
+      "displayName": "npm Registry Read-Only Demo Token",
+      "service": "npm",
+      "owner": "platform",
+      "scopeTier": "read_only",
+      "sensitivity": "high",
+      "allowedDomains": ["registry.npmjs.org"],
+      "permittedOperations": ["http.get"],
+      "expiresAt": null,
+      "rotationPolicy": "Rotate every 90 days",
+      "lastValidatedAt": "2026-03-13T00:00:00.000Z",
+      "selectionNotes": "Use for package metadata inspection only. Publishing is intentionally excluded from the default demo policy.",
+      "binding": {
+        "adapter": "env",
+        "ref": "KEYLORE_SECRET_NPM_READONLY",
+        "authType": "bearer",
+        "headerName": "Authorization",
+        "headerPrefix": "Bearer ",
+        "injectionEnvName": "NPM_TOKEN"
+      },
+      "tags": ["npm", "readonly", "demo"],
+      "status": "active"
+    }
+  ]
+}

package/data/policies.json

@@ -0,0 +1,25 @@
+{
+  "version": 1,
+  "rules": [
+    {
+      "id": "allow-local-github-read",
+      "effect": "allow",
+      "description": "Allow the local operator to inspect GitHub repository metadata via the proxy.",
+      "principals": ["local-operator"],
+      "credentialIds": ["github-readonly-demo"],
+      "operations": ["http.get"],
+      "domainPatterns": ["api.github.com"],
+      "environments": ["development", "production"]
+    },
+    {
+      "id": "allow-local-npm-read",
+      "effect": "allow",
+      "description": "Allow the local operator to inspect npm package metadata via the proxy.",
+      "principals": ["local-operator"],
+      "credentialIds": ["npm-readonly-demo"],
+      "operations": ["http.get"],
+      "domainPatterns": ["registry.npmjs.org"],
+      "environments": ["development", "production"]
+    }
+  ]
+}

package/dist/adapters/adapter-registry.js

@@ -0,0 +1,143 @@
+function sleep(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+}
+function transientError(error) {
+    const message = error instanceof Error ? error.message : String(error);
+    return /(timeout|timed out|ETIMEDOUT|ECONNRESET|ECONNREFUSED|EAI_AGAIN|ENETUNREACH|503|502|504)/i.test(message);
+}
+export class SecretAdapterRegistry {
+    config;
+    telemetry;
+    adapters = new Map();
+    state = new Map();
+    constructor(adapters, config, telemetry) {
+        this.config = config;
+        this.telemetry = telemetry;
+        for (const adapter of adapters) {
+            this.adapters.set(adapter.id, adapter);
+            this.state.set(adapter.id, { consecutiveFailures: 0 });
+        }
+    }
+    adapterFor(credential) {
+        const adapter = this.adapters.get(credential.binding.adapter);
+        if (!adapter) {
+            throw new Error(`Unsupported secret adapter: ${credential.binding.adapter}`);
+        }
+        return adapter;
+    }
+    stateFor(adapterId) {
+        let state = this.state.get(adapterId);
+        if (!state) {
+            state = { consecutiveFailures: 0 };
+            this.state.set(adapterId, state);
+        }
+        return state;
+    }
+    circuitOpen(adapterId) {
+        const state = this.stateFor(adapterId);
+        if (state.circuitOpenUntil && state.circuitOpenUntil > Date.now()) {
+            return state;
+        }
+        if (state.circuitOpenUntil && state.circuitOpenUntil <= Date.now()) {
+            state.circuitOpenUntil = undefined;
+        }
+        return undefined;
+    }
+    markSuccess(adapterId) {
+        const state = this.stateFor(adapterId);
+        state.consecutiveFailures = 0;
+        state.lastError = undefined;
+        state.lastSuccessAt = new Date().toISOString();
+        state.circuitOpenUntil = undefined;
+    }
+    markFailure(adapterId, error) {
+        const state = this.stateFor(adapterId);
+        state.consecutiveFailures += 1;
+        state.lastError = error instanceof Error ? error.message : "Unknown adapter error.";
+        if (state.consecutiveFailures >= this.config.adapterCircuitBreakerThreshold) {
+            state.circuitOpenUntil = Date.now() + this.config.adapterCircuitBreakerCooldownMs;
+        }
+        return state;
+    }
+    async execute(adapter, operation, task) {
+        const openCircuit = this.circuitOpen(adapter.id);
+        if (openCircuit && operation !== "healthcheck") {
+            this.telemetry.recordAdapterOperation(adapter.id, operation, "open_circuit");
+            throw new Error(`Adapter circuit is open for ${adapter.id} until ${new Date(openCircuit.circuitOpenUntil ?? Date.now()).toISOString()}.`);
+        }
+        for (let attempt = 1; attempt <= this.config.adapterMaxAttempts; attempt += 1) {
+            try {
+                const result = await task();
+                this.markSuccess(adapter.id);
+                this.telemetry.recordAdapterOperation(adapter.id, operation, "success");
+                return result;
+            }
+            catch (error) {
+                const state = this.markFailure(adapter.id, error);
+                const shouldRetry = attempt < this.config.adapterMaxAttempts &&
+                    transientError(error) &&
+                    !state.circuitOpenUntil;
+                if (shouldRetry) {
+                    this.telemetry.recordAdapterOperation(adapter.id, operation, "retry");
+                    await sleep(this.config.adapterRetryDelayMs * attempt);
+                    continue;
+                }
+                this.telemetry.recordAdapterOperation(adapter.id, operation, "error");
+                throw error;
+            }
+        }
+        throw new Error(`Adapter operation failed unexpectedly: ${adapter.id}`);
+    }
+    async resolve(credential) {
+        const adapter = this.adapterFor(credential);
+        return this.execute(adapter, "resolve", () => adapter.resolve(credential));
+    }
+    async inspectCredential(credential) {
+        const adapter = this.adapterFor(credential);
+        try {
+            return await this.execute(adapter, "inspect", () => adapter.inspect(credential));
+        }
+        catch (error) {
+            return {
+                adapter: credential.binding.adapter,
+                ref: credential.binding.ref,
+                status: "error",
+                resolved: false,
+                notes: [],
+                error: error instanceof Error ? error.message : "Inspection failed.",
+            };
+        }
+    }
+    async healthchecks() {
+        return Promise.all(Array.from(this.adapters.values(), async (adapter) => {
+            const state = this.stateFor(adapter.id);
+            if (this.circuitOpen(adapter.id)) {
+                return {
+                    adapter: adapter.id,
+                    available: false,
+                    status: "error",
+                    details: `Circuit open after repeated failures: ${state.lastError ?? "unknown error"}`,
+                };
+            }
+            try {
+                const health = await this.execute(adapter, "healthcheck", () => adapter.healthcheck());
+                if (state.consecutiveFailures > 0 && health.status === "ok") {
+                    return {
+                        ...health,
+                        status: "warning",
+                        details: `${health.details} Recent failures: ${state.consecutiveFailures}.`,
+                    };
+                }
+                return health;
+            }
+            catch (error) {
+                return {
+                    adapter: adapter.id,
+                    available: false,
+                    status: "error",
+                    details: error instanceof Error ? error.message : "Adapter healthcheck failed.",
+                };
+            }
+        }));
+    }
+}

package/dist/adapters/aws-secrets-manager-adapter.js

@@ -0,0 +1,99 @@
+import { extractField, parseRef } from "./reference-utils.js";
+export class AwsSecretsManagerAdapter {
+    commandRunner;
+    binary;
+    id = "aws_secrets_manager";
+    constructor(commandRunner, binary) {
+        this.commandRunner = commandRunner;
+        this.binary = binary;
+    }
+    args(baseCommand, credential) {
+        const parsed = parseRef(credential.binding.ref);
+        const args = ["secretsmanager", baseCommand, "--secret-id", parsed.resource, "--output", "json"];
+        const versionId = parsed.query.get("versionId");
+        const versionStage = parsed.query.get("versionStage");
+        const region = parsed.query.get("region");
+        if (versionId) {
+            args.push("--version-id", versionId);
+        }
+        if (versionStage) {
+            args.push("--version-stage", versionStage);
+        }
+        if (region) {
+            args.push("--region", region);
+        }
+        return args;
+    }
+    async resolve(credential) {
+        const parsed = parseRef(credential.binding.ref);
+        const result = await this.commandRunner.run(this.binary, this.args("get-secret-value", credential), {
+            env: process.env,
+            timeoutMs: 15_000,
+        });
+        const payload = JSON.parse(result.stdout);
+        let secret;
+        if (typeof payload.SecretString === "string") {
+            try {
+                secret = extractField(JSON.parse(payload.SecretString), parsed.field);
+            }
+            catch {
+                secret = parsed.field ? extractField({ value: payload.SecretString }, parsed.field) : payload.SecretString;
+            }
+        }
+        else if (typeof payload.SecretBinary === "string") {
+            secret = Buffer.from(payload.SecretBinary, "base64").toString("utf8");
+        }
+        else {
+            throw new Error(`AWS Secrets Manager returned no usable secret for ${credential.binding.ref}.`);
+        }
+        return {
+            secret,
+            headerName: credential.binding.headerName,
+            headerValue: credential.binding.authType === "bearer"
+                ? `${credential.binding.headerPrefix ?? "Bearer "}${secret}`
+                : secret,
+            inspection: await this.inspect(credential),
+        };
+    }
+    async inspect(credential) {
+        const result = await this.commandRunner.run(this.binary, this.args("describe-secret", credential), {
+            env: process.env,
+            timeoutMs: 15_000,
+        });
+        const payload = JSON.parse(result.stdout);
+        return {
+            adapter: this.id,
+            ref: credential.binding.ref,
+            status: "ok",
+            resolved: true,
+            updatedAt: typeof payload.LastChangedDate === "string" ? payload.LastChangedDate : undefined,
+            expiresAt: typeof payload.DeletedDate === "string" ? payload.DeletedDate : undefined,
+            nextRotationAt: typeof payload.NextRotationDate === "string" ? payload.NextRotationDate : undefined,
+            rotationEnabled: typeof payload.RotationEnabled === "boolean" ? payload.RotationEnabled : undefined,
+            state: typeof payload.DeletedDate === "string" ? "scheduled_for_deletion" : "active",
+            notes: ["AWS inspection uses describe-secret metadata from the local aws CLI context."],
+        };
+    }
+    async healthcheck() {
+        try {
+            await this.commandRunner.run(this.binary, ["--version"], {
+                env: process.env,
+                timeoutMs: 5_000,
+            });
+            return {
+                adapter: this.id,
+                available: true,
+                status: "ok",
+                details: `${this.binary} is available.`,
+            };
+        }
+        catch (error) {
+            return {
+                adapter: this.id,
+                available: false,
+                status: "error",
+                details: error instanceof Error ? error.message : "AWS CLI unavailable.",
+            };
+        }
+    }
+}

package/dist/adapters/command-runner.js

@@ -0,0 +1,17 @@
+import { execFile } from "node:child_process";
+import { promisify } from "node:util";
+const execFileAsync = promisify(execFile);
+export class ExecFileCommandRunner {
+    async run(command, args, options) {
+        const result = await execFileAsync(command, args, {
+            env: options?.env,
+            timeout: options?.timeoutMs,
+            maxBuffer: 1024 * 1024,
+            encoding: "utf8",
+        });
+        return {
+            stdout: result.stdout,
+            stderr: result.stderr,
+        };
+    }
+}

package/dist/adapters/env-secret-adapter.js

@@ -0,0 +1,42 @@
+export class EnvSecretAdapter {
+    id = "env";
+    async resolve(credential) {
+        const { ref, authType, headerName, headerPrefix } = credential.binding;
+        const secret = process.env[ref];
+        if (!secret) {
+            throw new Error(`Missing secret material in environment variable ${ref}.`);
+        }
+        const headerValue = authType === "bearer" ? `${headerPrefix ?? "Bearer "}${secret}` : secret;
+        return {
+            secret,
+            headerName,
+            headerValue,
+            inspection: {
+                adapter: "env",
+                ref,
+                status: "warning",
+                resolved: true,
+                notes: ["Environment bindings expose no remote rotation or expiry metadata."],
+            },
+        };
+    }
+    async inspect(credential) {
+        const secret = process.env[credential.binding.ref];
+        return {
+            adapter: "env",
+            ref: credential.binding.ref,
+            status: secret ? "warning" : "error",
+            resolved: Boolean(secret),
+            notes: ["Environment bindings expose no remote rotation or expiry metadata."],
+            error: secret ? undefined : `Missing secret material in environment variable ${credential.binding.ref}.`,
+        };
+    }
+    async healthcheck() {
+        return {
+            adapter: "env",
+            available: true,
+            status: "warning",
+            details: "Environment adapter is always available but provides no source-side health metadata.",
+        };
+    }
+}

package/dist/adapters/gcp-secret-manager-adapter.js

@@ -0,0 +1,129 @@
+import fs from "node:fs/promises";
+import os from "node:os";
+import path from "node:path";
+import { extractField, parseRef } from "./reference-utils.js";
+export class GcpSecretManagerAdapter {
+    commandRunner;
+    binary;
+    id = "gcp_secret_manager";
+    constructor(commandRunner, binary) {
+        this.commandRunner = commandRunner;
+        this.binary = binary;
+    }
+    parsed(credential) {
+        const parsed = parseRef(credential.binding.ref);
+        return {
+            parsed,
+            secret: parsed.resource,
+            version: parsed.query.get("version") ?? "latest",
+            project: parsed.query.get("project") ?? undefined,
+            location: parsed.query.get("location") ?? undefined,
+        };
+    }
+    async resolve(credential) {
+        const { parsed, secret, version, project, location } = this.parsed(credential);
+        const tempDir = await fs.mkdtemp(path.join(os.tmpdir(), "keylore-gcp-"));
+        const outFile = path.join(tempDir, "secret.txt");
+        try {
+            const args = ["secrets", "versions", "access", version, `--secret=${secret}`, `--out-file=${outFile}`, "--quiet"];
+            if (project) {
+                args.push(`--project=${project}`);
+            }
+            if (location) {
+                args.push(`--location=${location}`);
+            }
+            await this.commandRunner.run(this.binary, args, {
+                env: process.env,
+                timeoutMs: 15_000,
+            });
+            const raw = await fs.readFile(outFile, "utf8");
+            let secretValue;
+            try {
+                secretValue = extractField(JSON.parse(raw), parsed.field);
+            }
+            catch {
+                secretValue = parsed.field ? extractField({ value: raw }, parsed.field) : raw;
+            }
+            return {
+                secret: secretValue,
+                headerName: credential.binding.headerName,
+                headerValue: credential.binding.authType === "bearer"
+                    ? `${credential.binding.headerPrefix ?? "Bearer "}${secretValue}`
+                    : secretValue,
+                inspection: await this.inspect(credential),
+            };
+        }
+        finally {
+            await fs.rm(tempDir, { recursive: true, force: true });
+        }
+    }
+    async inspect(credential) {
+        const { secret, version, project, location } = this.parsed(credential);
+        const secretArgs = ["secrets", "describe", secret, "--format=json", "--quiet"];
+        const versionArgs = [
+            "secrets",
+            "versions",
+            "describe",
+            version,
+            `--secret=${secret}`,
+            "--format=json",
+            "--quiet",
+        ];
+        if (project) {
+            secretArgs.push(`--project=${project}`);
+            versionArgs.push(`--project=${project}`);
+        }
+        if (location) {
+            secretArgs.push(`--location=${location}`);
+            versionArgs.push(`--location=${location}`);
+        }
+        const [secretResult, versionResult] = await Promise.all([
+            this.commandRunner.run(this.binary, secretArgs, {
+                env: process.env,
+                timeoutMs: 15_000,
+            }),
+            this.commandRunner.run(this.binary, versionArgs, {
+                env: process.env,
+                timeoutMs: 15_000,
+            }),
+        ]);
+        const secretPayload = JSON.parse(secretResult.stdout);
+        const versionPayload = JSON.parse(versionResult.stdout);
+        const rotation = secretPayload.rotation;
+        return {
+            adapter: this.id,
+            ref: credential.binding.ref,
+            status: "ok",
+            resolved: true,
+            createdAt: typeof versionPayload.createTime === "string" ? versionPayload.createTime : undefined,
+            expiresAt: typeof secretPayload.expireTime === "string" ? secretPayload.expireTime : undefined,
+            nextRotationAt: rotation && typeof rotation === "object" && typeof rotation.nextRotationTime === "string"
+                ? rotation.nextRotationTime
+                : undefined,
+            state: typeof versionPayload.state === "string" ? versionPayload.state : undefined,
+            notes: ["GCP inspection uses gcloud secret and version metadata from the local gcloud context."],
+        };
+    }
+    async healthcheck() {
+        try {
+            await this.commandRunner.run(this.binary, ["--version"], {
+                env: process.env,
+                timeoutMs: 5_000,
+            });
+            return {
+                adapter: this.id,
+                available: true,
+                status: "ok",
+                details: `${this.binary} is available.`,
+            };
+        }
+        catch (error) {
+            return {
+                adapter: this.id,
+                available: false,
+                status: "error",
+                details: error instanceof Error ? error.message : "gcloud CLI unavailable.",
+            };
+        }
+    }
+}

package/dist/adapters/local-secret-adapter.js

@@ -0,0 +1,54 @@
+export class LocalSecretAdapter {
+    store;
+    id = "local";
+    constructor(store) {
+        this.store = store;
+    }
+    async resolve(credential) {
+        const { ref, authType, headerName, headerPrefix } = credential.binding;
+        const secret = await this.store.get(ref);
+        if (!secret) {
+            throw new Error(`Missing secret material in local secret store for ${ref}.`);
+        }
+        const headerValue = authType === "bearer" ? `${headerPrefix ?? "Bearer "}${secret}` : secret;
+        return {
+            secret,
+            headerName,
+            headerValue,
+            inspection: {
+                adapter: "local",
+                ref,
+                status: "ok",
+                resolved: true,
+                notes: ["Secret is stored in the local encrypted file store."],
+            },
+        };
+    }
+    async inspect(credential) {
+        const inspection = await this.store.inspect(credential.binding.ref);
+        return {
+            adapter: "local",
+            ref: credential.binding.ref,
+            status: inspection.resolved ? "ok" : "error",
+            resolved: inspection.resolved,
+            notes: inspection.resolved
+                ? [
+                    "Secret is stored in the local encrypted file store.",
+                    inspection.updatedAt ? `Updated at ${inspection.updatedAt}.` : "Update time unavailable.",
+                ]
+                : ["Secret is not present in the local encrypted file store."],
+            error: inspection.resolved
+                ? undefined
+                : `Missing secret material in local secret store for ${credential.binding.ref}.`,
+        };
+    }
+    async healthcheck() {
+        await this.store.healthcheck();
+        return {
+            adapter: "local",
+            available: true,
+            status: "ok",
+            details: "Local encrypted file secret store is available.",
+        };
+    }
+}