@simonsbs/keylore 1.0.0-rc4

package/dist/adapters/onepassword-secret-adapter.js

@@ -0,0 +1,83 @@
+import { parseRef } from "./reference-utils.js";
+function pickTimestamp(payload, camel, snake) {
+    const value = payload[camel] ?? payload[snake];
+    return typeof value === "string" ? value : undefined;
+}
+function pickVersion(payload) {
+    const value = payload.version;
+    if (typeof value === "number") {
+        return String(value);
+    }
+    return typeof value === "string" ? value : undefined;
+}
+export class OnePasswordSecretAdapter {
+    commandRunner;
+    binary;
+    id = "1password";
+    constructor(commandRunner, binary) {
+        this.commandRunner = commandRunner;
+        this.binary = binary;
+    }
+    async resolve(credential) {
+        const result = await this.commandRunner.run(this.binary, ["read", credential.binding.ref], {
+            env: process.env,
+            timeoutMs: 10_000,
+        });
+        const secret = result.stdout.trimEnd();
+        if (!secret) {
+            throw new Error(`1Password returned no secret value for ${credential.binding.ref}.`);
+        }
+        return {
+            secret,
+            headerName: credential.binding.headerName,
+            headerValue: credential.binding.authType === "bearer"
+                ? `${credential.binding.headerPrefix ?? "Bearer "}${secret}`
+                : secret,
+            inspection: await this.inspect(credential),
+        };
+    }
+    async inspect(credential) {
+        const parsed = parseRef(credential.binding.ref);
+        const reference = new URL(parsed.resource);
+        const vault = reference.hostname;
+        const item = reference.pathname.split("/").filter(Boolean)[0];
+        const args = ["item", "get", item ?? "", "--vault", vault ?? "", "--format", "json"];
+        const result = await this.commandRunner.run(this.binary, args, {
+            env: process.env,
+            timeoutMs: 10_000,
+        });
+        const payload = JSON.parse(result.stdout);
+        return {
+            adapter: this.id,
+            ref: credential.binding.ref,
+            status: "ok",
+            resolved: true,
+            version: pickVersion(payload),
+            createdAt: pickTimestamp(payload, "createdAt", "created_at"),
+            updatedAt: pickTimestamp(payload, "updatedAt", "updated_at"),
+            notes: ["1Password inspection uses item metadata from the local op CLI session."],
+        };
+    }
+    async healthcheck() {
+        try {
+            await this.commandRunner.run(this.binary, ["--version"], {
+                env: process.env,
+                timeoutMs: 5_000,
+            });
+            return {
+                adapter: this.id,
+                available: true,
+                status: "ok",
+                details: `${this.binary} is available.`,
+            };
+        }
+        catch (error) {
+            return {
+                adapter: this.id,
+                available: false,
+                status: "error",
+                details: error instanceof Error ? error.message : "1Password CLI unavailable.",
+            };
+        }
+    }
+}

package/dist/adapters/reference-utils.js

@@ -0,0 +1,44 @@
+function splitRef(ref) {
+    const [pathPart = "", queryPart = ""] = ref.split("?", 2);
+    const [resource = "", field] = pathPart.split("#", 2);
+    return {
+        resource,
+        field: field || undefined,
+        query: new URLSearchParams(queryPart),
+    };
+}
+export function parseRef(ref) {
+    return splitRef(ref);
+}
+export function extractField(value, fieldPath) {
+    if (!fieldPath) {
+        if (typeof value === "string") {
+            return value;
+        }
+        if (value && typeof value === "object" && !Array.isArray(value)) {
+            const entries = Object.entries(value);
+            if (entries.length === 1 && typeof entries[0]?.[1] === "string") {
+                return entries[0][1];
+            }
+        }
+        throw new Error("Secret reference requires a field selector for structured data.");
+    }
+    const segments = fieldPath.split(".").filter(Boolean);
+    let current = value;
+    for (const segment of segments) {
+        if (!current || typeof current !== "object" || Array.isArray(current)) {
+            throw new Error(`Secret field not found: ${fieldPath}`);
+        }
+        current = current[segment];
+    }
+    if (typeof current !== "string") {
+        throw new Error(`Secret field is not a string: ${fieldPath}`);
+    }
+    return current;
+}
+export function daysUntil(timestamp) {
+    if (!timestamp) {
+        return null;
+    }
+    return Math.ceil((new Date(timestamp).getTime() - Date.now()) / 86_400_000);
+}

package/dist/adapters/types.js

@@ -0,0 +1 @@
+export {};

package/dist/adapters/vault-secret-adapter.js

@@ -0,0 +1,103 @@
+import { extractField, parseRef } from "./reference-utils.js";
+function normalizeTimestamp(value) {
+    return typeof value === "string" ? value : undefined;
+}
+export class VaultSecretAdapter {
+    addr;
+    token;
+    namespace;
+    id = "vault";
+    constructor(addr, token, namespace) {
+        this.addr = addr;
+        this.token = token;
+        this.namespace = namespace;
+    }
+    headers() {
+        if (!this.addr || !this.token) {
+            throw new Error("Vault adapter requires KEYLORE_VAULT_ADDR and KEYLORE_VAULT_TOKEN.");
+        }
+        const headers = new Headers({
+            "x-vault-token": this.token,
+        });
+        if (this.namespace) {
+            headers.set("x-vault-namespace", this.namespace);
+        }
+        return headers;
+    }
+    async read(credential) {
+        const parsed = parseRef(credential.binding.ref);
+        const version = parsed.query.get("version");
+        const target = `${this.addr}/v1/${parsed.resource.replace(/^\//, "")}`;
+        const url = version ? `${target}?version=${encodeURIComponent(version)}` : target;
+        const response = await fetch(url, {
+            headers: this.headers(),
+        });
+        if (!response.ok) {
+            throw new Error(`Vault request failed with ${response.status} for ${credential.binding.ref}.`);
+        }
+        return {
+            parsed,
+            payload: (await response.json()),
+        };
+    }
+    async resolve(credential) {
+        const { parsed, payload } = await this.read(credential);
+        const secret = extractField(payload.data?.data, parsed.field);
+        return {
+            secret,
+            headerName: credential.binding.headerName,
+            headerValue: credential.binding.authType === "bearer"
+                ? `${credential.binding.headerPrefix ?? "Bearer "}${secret}`
+                : secret,
+            inspection: await this.inspect(credential),
+        };
+    }
+    async inspect(credential) {
+        const { payload } = await this.read(credential);
+        const metadata = payload.data?.metadata ?? {};
+        return {
+            adapter: this.id,
+            ref: credential.binding.ref,
+            status: "ok",
+            resolved: true,
+            version: typeof metadata.version === "number"
+                ? String(metadata.version)
+                : typeof metadata.version === "string"
+                    ? metadata.version
+                    : undefined,
+            createdAt: normalizeTimestamp(metadata.created_time),
+            expiresAt: normalizeTimestamp(metadata.deletion_time),
+            state: metadata.destroyed === true ? "destroyed" : "active",
+            notes: ["Vault inspection reads KV v2 metadata from the bound secret path."],
+        };
+    }
+    async healthcheck() {
+        if (!this.addr || !this.token) {
+            return {
+                adapter: this.id,
+                available: false,
+                status: "error",
+                details: "Vault adapter is not configured.",
+            };
+        }
+        try {
+            const response = await fetch(`${this.addr}/v1/sys/health?standbyok=true&perfstandbyok=true`, {
+                headers: this.headers(),
+            });
+            return {
+                adapter: this.id,
+                available: response.ok,
+                status: response.ok ? "ok" : "error",
+                details: response.ok ? "Vault health endpoint responded." : `Vault health returned ${response.status}.`,
+            };
+        }
+        catch (error) {
+            return {
+                adapter: this.id,
+                available: false,
+                status: "error",
+                details: error instanceof Error ? error.message : "Vault healthcheck failed.",
+            };
+        }
+    }
+}

package/dist/app.js

@@ -0,0 +1,132 @@
+import pino from "pino";
+import { SecretAdapterRegistry } from "./adapters/adapter-registry.js";
+import { AwsSecretsManagerAdapter } from "./adapters/aws-secrets-manager-adapter.js";
+import { ExecFileCommandRunner } from "./adapters/command-runner.js";
+import { EnvSecretAdapter } from "./adapters/env-secret-adapter.js";
+import { LocalSecretAdapter } from "./adapters/local-secret-adapter.js";
+import { GcpSecretManagerAdapter } from "./adapters/gcp-secret-manager-adapter.js";
+import { OnePasswordSecretAdapter } from "./adapters/onepassword-secret-adapter.js";
+import { VaultSecretAdapter } from "./adapters/vault-secret-adapter.js";
+import { loadConfig } from "./config.js";
+import { PgAccessTokenRepository } from "./repositories/pg-access-token-repository.js";
+import { PgAuthorizationCodeRepository } from "./repositories/pg-authorization-code-repository.js";
+import { PgApprovalRepository } from "./repositories/pg-approval-repository.js";
+import { PgAuditLogService } from "./repositories/pg-audit-log.js";
+import { PgAuthClientRepository } from "./repositories/pg-auth-client-repository.js";
+import { PgBreakGlassRepository } from "./repositories/pg-break-glass-repository.js";
+import { PgCredentialRepository } from "./repositories/pg-credential-repository.js";
+import { PgOAuthClientAssertionRepository } from "./repositories/pg-oauth-client-assertion-repository.js";
+import { PgPolicyRepository } from "./repositories/pg-policy-repository.js";
+import { PgRefreshTokenRepository } from "./repositories/pg-refresh-token-repository.js";
+import { PgRotationRunRepository } from "./repositories/pg-rotation-run-repository.js";
+import { PgTenantRepository } from "./repositories/pg-tenant-repository.js";
+import { ApprovalService } from "./services/approval-service.js";
+import { AuthService } from "./services/auth-service.js";
+import { BackupService } from "./services/backup-service.js";
+import { BreakGlassService } from "./services/break-glass-service.js";
+import { BrokerService } from "./services/broker-service.js";
+import { CoreModeService } from "./services/core-mode-service.js";
+import { validateEgressTarget } from "./services/egress-policy.js";
+import { LocalSecretStore } from "./services/local-secret-store.js";
+import { MaintenanceService } from "./services/maintenance-service.js";
+import { NotificationService } from "./services/notification-service.js";
+import { PolicyEngine } from "./services/policy-engine.js";
+import { PgRateLimitService } from "./services/rate-limit-service.js";
+import { RotationService } from "./services/rotation-service.js";
+import { TelemetryService } from "./services/telemetry.js";
+import { TenantService } from "./services/tenant-service.js";
+import { TraceExportService } from "./services/trace-export-service.js";
+import { TraceService } from "./services/trace-service.js";
+import { bootstrapFromFiles } from "./storage/bootstrap.js";
+import { createPostgresDatabase } from "./storage/database.js";
+import { runMigrations } from "./storage/migrations.js";
+import { SandboxRunner } from "./runtime/sandbox-runner.js";
+export async function createKeyLoreApp() {
+    const config = loadConfig();
+    const logger = pino({ name: config.appName, level: config.logLevel });
+    const database = createPostgresDatabase(config);
+    const telemetry = new TelemetryService();
+    const traces = new TraceService(config.traceCaptureEnabled, config.traceRecentSpanLimit);
+    const traceExports = new TraceExportService(config.traceExportUrl, config.traceExportAuthHeader, config.traceExportBatchSize, config.traceExportIntervalMs, config.traceExportTimeoutMs, telemetry);
+    traces.attachExporter(traceExports);
+    await database.healthcheck();
+    await runMigrations(database, config.migrationsDir);
+    const credentialRepository = new PgCredentialRepository(database);
+    const policyRepository = new PgPolicyRepository(database);
+    const authClientRepository = new PgAuthClientRepository(database);
+    const tenantRepository = new PgTenantRepository(database);
+    const assertionRepository = new PgOAuthClientAssertionRepository(database);
+    const audit = new PgAuditLogService(database);
+    const accessTokens = new PgAccessTokenRepository(database);
+    const refreshTokens = new PgRefreshTokenRepository(database);
+    const authorizationCodes = new PgAuthorizationCodeRepository(database);
+    const approvals = new PgApprovalRepository(database);
+    const breakGlassRepository = new PgBreakGlassRepository(database);
+    const rotationRuns = new PgRotationRunRepository(database);
+    const notificationService = new NotificationService(config.notificationWebhookUrl, config.notificationSigningSecret, config.notificationTimeoutMs, audit, telemetry, traces);
+    const rateLimits = new PgRateLimitService(database, config.rateLimitWindowMs, config.rateLimitMaxRequests, telemetry);
+    const localSecrets = new LocalSecretStore(config.localSecretsFilePath, config.localSecretsKeyPath);
+    const commandRunner = new ExecFileCommandRunner();
+    const adapterRegistry = new SecretAdapterRegistry([
+        new LocalSecretAdapter(localSecrets),
+        new EnvSecretAdapter(),
+        new VaultSecretAdapter(config.vaultAddr, config.vaultToken, config.vaultNamespace),
+        new OnePasswordSecretAdapter(commandRunner, config.opBinary),
+        new AwsSecretsManagerAdapter(commandRunner, config.awsBinary),
+        new GcpSecretManagerAdapter(commandRunner, config.gcloudBinary),
+    ], config, telemetry);
+    await credentialRepository.ensureInitialized();
+    await policyRepository.ensureInitialized();
+    await authClientRepository.ensureInitialized();
+    await tenantRepository.ensureInitialized();
+    const authService = new AuthService(authClientRepository, accessTokens, refreshTokens, authorizationCodes, assertionRepository, tenantRepository, audit, config.oauthIssuerUrl, config.publicBaseUrl, config.accessTokenTtlSeconds, config.authorizationCodeTtlSeconds, config.refreshTokenTtlSeconds, telemetry);
+    const tenantService = new TenantService(tenantRepository, database, audit, authService);
+    const approvalService = new ApprovalService(approvals, audit, config.approvalTtlSeconds, config.approvalReviewQuorum, notificationService, traces);
+    const breakGlassService = new BreakGlassService(breakGlassRepository, audit, config.breakGlassMaxDurationSeconds, config.breakGlassReviewQuorum, notificationService, traces);
+    const rotationService = new RotationService(rotationRuns, credentialRepository, adapterRegistry, audit, notificationService, traces, config.rotationPlanningHorizonDays);
+    if (config.bootstrapFromFiles) {
+        await bootstrapFromFiles(credentialRepository, policyRepository, authClientRepository, tenantRepository, config.bootstrapCatalogPath, config.bootstrapPolicyPath, config.bootstrapAuthClientsPath);
+    }
+    const broker = new BrokerService(credentialRepository, policyRepository, audit, adapterRegistry, new PolicyEngine(), approvalService, breakGlassService, tenantRepository, new SandboxRunner(config), validateEgressTarget, config);
+    const coreMode = new CoreModeService(broker, policyRepository, localSecrets, config.defaultPrincipal);
+    await coreMode.reconcileLocalCredentialPolicies();
+    const maintenance = new MaintenanceService(config.maintenanceEnabled, config.maintenanceIntervalMs, approvals, breakGlassRepository, accessTokens, refreshTokens, rateLimits, authorizationCodes, assertionRepository, telemetry);
+    traceExports.start();
+    maintenance.start();
+    const backup = new BackupService(database, config.version, audit);
+    return {
+        config,
+        logger,
+        broker,
+        auth: authService,
+        tenants: tenantService,
+        rotations: rotationService,
+        approvals: approvalService,
+        breakGlass: breakGlassService,
+        coreMode,
+        database,
+        telemetry,
+        traces,
+        traceExports,
+        rateLimits,
+        maintenance,
+        backup,
+        health: {
+            readiness: async () => {
+                await database.healthcheck();
+                const credentialCount = await broker.countCredentials();
+                return {
+                    status: "ready",
+                    environment: config.environment,
+                    credentialCount,
+                    maintenance: maintenance.status(),
+                };
+            },
+        },
+        close: async () => {
+            await traceExports.stop();
+            await maintenance.stop();
+            await database.close();
+        },
+    };
+}

package/dist/cli/args.js

@@ -0,0 +1,51 @@
+function normalizeFlagName(flag) {
+    return flag.replace(/^--/, "");
+}
+export function parseCliArgs(argv) {
+    const positionals = [];
+    const flags = new Map();
+    for (let index = 0; index < argv.length; index += 1) {
+        const token = argv[index];
+        if (token === undefined) {
+            continue;
+        }
+        if (!token.startsWith("--")) {
+            positionals.push(token);
+            continue;
+        }
+        const trimmed = normalizeFlagName(token);
+        if (trimmed.includes("=")) {
+            const equalsIndex = trimmed.indexOf("=");
+            const name = trimmed.slice(0, equalsIndex);
+            const value = trimmed.slice(equalsIndex + 1);
+            flags.set(name, value);
+            continue;
+        }
+        const next = argv[index + 1];
+        if (!next || next.startsWith("--")) {
+            flags.set(trimmed, true);
+            continue;
+        }
+        flags.set(trimmed, next);
+        index += 1;
+    }
+    return { positionals, flags };
+}
+export function readStringFlag(flags, name) {
+    const value = flags.get(name);
+    return typeof value === "string" ? value : undefined;
+}
+export function readBooleanFlag(flags, name) {
+    return flags.get(name) === true;
+}
+export function readNumberFlag(flags, name) {
+    const value = readStringFlag(flags, name);
+    if (!value) {
+        return undefined;
+    }
+    const parsed = Number.parseInt(value, 10);
+    if (Number.isNaN(parsed)) {
+        throw new Error(`Flag --${name} must be an integer.`);
+    }
+    return parsed;
+}