@sirrlock/node 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 SirrVault
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,151 @@
+# @sirrlock/node
+
+[![CI](https://github.com/sirrlock/node/actions/workflows/ci.yml/badge.svg)](https://github.com/sirrlock/node/actions/workflows/ci.yml)
+[![npm](https://img.shields.io/npm/v/@sirrlock/node)](https://www.npmjs.com/package/@sirrlock/node)
+[![npm downloads](https://img.shields.io/npm/dm/@sirrlock/node)](https://www.npmjs.com/package/@sirrlock/node)
+[![TypeScript](https://img.shields.io/badge/TypeScript-5-blue)](https://www.typescriptlang.org/)
+[![Node.js](https://img.shields.io/badge/node-%3E%3D18-brightgreen)](https://nodejs.org)
+[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](LICENSE)
+
+**Node.js client and npx CLI for [Sirr](https://github.com/sirrlock/sirr) — ephemeral secret management.**
+
+Give AI agents exactly the credentials they need, for exactly as long as they need them. Read once and it's gone. Expired by time and you never have to clean anything up.
+
+## Install
+
+```bash
+npm install @sirrlock/node
+```
+
+Or use without installing:
+
+```bash
+npx @sirrlock/node push DB_URL="postgres://..." --reads 1 --ttl 1h
+```
+
+## CLI
+
+```bash
+# Push a secret that burns after one read
+sirr push DB_URL="postgres://..." --reads 1 --ttl 1h
+
+# Retrieve (burns on read if reads=1)
+sirr get DB_URL
+
+# Push entire .env — expires in 24h
+sirr push .env --ttl 24h   # not yet implemented, use key=value form
+
+# Manage
+sirr list
+sirr delete API_KEY
+sirr prune
+sirr health
+```
+
+Config via env vars:
+```bash
+export SIRR_SERVER=http://localhost:8080
+export SIRR_TOKEN=your-master-key
+```
+
+## Programmatic API
+
+```typescript
+import { SirrClient, SirrError } from '@sirrlock/node'
+
+const sirr = new SirrClient({
+  server: process.env.SIRR_SERVER ?? 'http://localhost:8080',
+  token: process.env.SIRR_TOKEN!,
+})
+
+// Push a one-time secret
+await sirr.push('API_KEY', 'sk-...', { ttl: 3600, reads: 1 })
+
+// Retrieve — null if burned or expired
+const value = await sirr.get('API_KEY')
+
+// Pull all secrets into a plain object
+const secrets = await sirr.pullAll()
+
+// Inject all secrets as env vars for the duration of a callback
+await sirr.withSecrets(async () => {
+  // process.env.API_KEY is set here
+  await runAgentTask()
+})
+
+// Delete immediately
+await sirr.delete('API_KEY')
+
+// List active secrets (metadata only — no values)
+const list = await sirr.list()
+```
+
+### Error Handling
+
+```typescript
+import { SirrError } from '@sirrlock/node'
+
+try {
+  await sirr.push('KEY', 'value')
+} catch (e) {
+  if (e instanceof SirrError) {
+    console.error(`API error ${e.status}: ${e.message}`)
+  }
+}
+```
+
+## AI Workflows
+
+### LangChain.js tool with scoped credential
+
+```typescript
+import { DynamicTool } from 'langchain/tools'
+
+const dbTool = new DynamicTool({
+  name: 'query_database',
+  description: 'Run a SQL query against the production database',
+  func: async (query) => {
+    const connStr = await sirr.get('AGENT_DB')
+    if (!connStr) throw new Error('DB credential expired or burned')
+    return runQuery(connStr, query)
+  },
+})
+```
+
+### Inject secrets into a subprocess
+
+```typescript
+await sirr.withSecrets(async () => {
+  await execa('python', ['agent.py'])
+})
+```
+
+### CI/CD: one-time deploy credential
+
+```typescript
+await sirr.push('DEPLOY_TOKEN', process.env.PERMANENT_TOKEN!, { reads: 1 })
+await execa('sirr', ['run', '--', './deploy.sh'])
+// DEPLOY_TOKEN was read once and is now deleted
+```
+
+### pytest-style fixture for Node.js tests
+
+```typescript
+beforeAll(async () => {
+  await sirr.withSecrets(async () => {
+    // All vault secrets set as process.env for the test suite
+    await runTestSuite()
+  })
+})
+```
+
+## Related
+
+| Package | Description |
+|---------|-------------|
+| [sirr](https://github.com/sirrlock/sirr) | Rust monorepo: `sirrd` server + `sirr` CLI |
+| [@sirrlock/mcp](https://github.com/sirrlock/mcp) | MCP server for AI assistants |
+| [sirr (PyPI)](https://github.com/sirrlock/python) | Python SDK |
+| [Sirr.Client (NuGet)](https://github.com/sirrlock/dotnet) | .NET SDK |
+| [sirr.dev](https://sirr.dev) | Documentation |
+| [sirrlock.com](https://sirrlock.com) | Managed cloud + license keys |

package/dist/cli.d.ts

@@ -0,0 +1,8 @@
+#!/usr/bin/env node
+/**
+ * Sirr CLI — thin Node.js wrapper for use via `npx sirr` or `npm i -g sirr`.
+ *
+ * Reads SIRR_SERVER (default: http://localhost:8080) and SIRR_TOKEN.
+ */
+export declare function parseArgs(argv: string[]): Record<string, string | number | boolean>;
+//# sourceMappingURL=cli.d.ts.map

package/dist/cli.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";AACA;;;;GAIG;AAiCH,wBAAgB,SAAS,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO,CAAC,CAqBnF"}

package/dist/cli.js

@@ -0,0 +1,246 @@
+#!/usr/bin/env node
+"use strict";
+/**
+ * Sirr CLI — thin Node.js wrapper for use via `npx sirr` or `npm i -g sirr`.
+ *
+ * Reads SIRR_SERVER (default: http://localhost:8080) and SIRR_TOKEN.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.parseArgs = parseArgs;
+const index_1 = require("./index");
+const server = process.env.SIRR_SERVER ?? "http://localhost:8080";
+const token = process.env.SIRR_TOKEN ?? "";
+function usage() {
+    console.error(`
+Usage: sirr <command> [options]
+
+Commands:
+  push KEY=value [--ttl <secs>] [--reads <n>]
+  get KEY
+  list
+  delete KEY
+  prune
+  health
+  audit [--since <ts>] [--action <action>] [--limit <n>]
+  webhooks list
+  webhooks add <url> [--events <csv>]
+  webhooks remove <id>
+  keys list
+  keys create <label> [--permissions <csv>]
+  keys remove <id>
+
+Environment:
+  SIRR_SERVER   Server URL (default: http://localhost:8080)
+  SIRR_TOKEN    Bearer token
+`);
+    process.exit(1);
+}
+function parseArgs(argv) {
+    const result = {};
+    const positional = [];
+    for (let i = 0; i < argv.length; i++) {
+        const arg = argv[i];
+        if (arg.startsWith("--")) {
+            const key = arg.slice(2);
+            const next = argv[i + 1];
+            if (next && !next.startsWith("--")) {
+                result[key] = next;
+                i++;
+            }
+            else {
+                result[key] = true;
+            }
+        }
+        else {
+            positional.push(arg);
+            result[`_${positional.length - 1}`] = arg;
+        }
+    }
+    result._count = positional.length;
+    return result;
+}
+async function main() {
+    const [, , subcmd, ...rest] = process.argv;
+    if (!subcmd)
+        usage();
+    const args = parseArgs(rest);
+    const client = new index_1.SirrClient({ server, token });
+    try {
+        switch (subcmd) {
+            case "health": {
+                const r = await client.health();
+                console.log(JSON.stringify(r));
+                break;
+            }
+            case "push": {
+                const target = args._0;
+                if (!target)
+                    usage();
+                const ttlArg = args.ttl;
+                const readsArg = args.reads;
+                if (!target.includes("=")) {
+                    console.error("push: expected KEY=value");
+                    process.exit(1);
+                }
+                const eqIdx = target.indexOf("=");
+                const key = target.slice(0, eqIdx);
+                const value = target.slice(eqIdx + 1);
+                await client.push(key, value, {
+                    ttl: ttlArg ? Number.parseInt(ttlArg, 10) : undefined,
+                    reads: readsArg ? Number.parseInt(readsArg, 10) : undefined,
+                });
+                console.log(`✓ pushed ${key}`);
+                break;
+            }
+            case "get": {
+                const key = args._0;
+                if (!key)
+                    usage();
+                const value = await client.get(key);
+                if (value === null) {
+                    console.error("not found or expired");
+                    process.exit(1);
+                }
+                console.log(value);
+                break;
+            }
+            case "list": {
+                const metas = await client.list();
+                if (metas.length === 0) {
+                    console.log("(no active secrets)");
+                }
+                else {
+                    for (const m of metas) {
+                        console.log(`  ${m.key} — reads: ${m.read_count}${m.max_reads != null ? `/${m.max_reads}` : ""}`);
+                    }
+                }
+                break;
+            }
+            case "delete": {
+                const key = args._0;
+                if (!key)
+                    usage();
+                const existed = await client.delete(key);
+                console.log(existed ? `✓ deleted ${key}` : "not found");
+                break;
+            }
+            case "prune": {
+                const n = await client.prune();
+                console.log(`pruned ${n} expired secret(s)`);
+                break;
+            }
+            case "audit": {
+                const events = await client.getAuditLog({
+                    since: args.since ? Number(args.since) : undefined,
+                    action: args.action,
+                    limit: args.limit ? Number(args.limit) : undefined,
+                });
+                if (events.length === 0) {
+                    console.log("(no audit events)");
+                }
+                else {
+                    for (const e of events) {
+                        console.log(`  [${e.timestamp}] ${e.action} key=${e.key ?? "-"} ip=${e.source_ip} ${e.success ? "ok" : "FAIL"}`);
+                    }
+                }
+                break;
+            }
+            case "webhooks": {
+                const sub = args._0;
+                if (!sub)
+                    usage();
+                switch (sub) {
+                    case "list": {
+                        const wh = await client.listWebhooks();
+                        if (wh.length === 0) {
+                            console.log("(no webhooks)");
+                        }
+                        else {
+                            for (const w of wh) {
+                                console.log(`  ${w.id}  ${w.url}  [${w.events.join(",")}]`);
+                            }
+                        }
+                        break;
+                    }
+                    case "add": {
+                        const url = args._1;
+                        if (!url)
+                            usage();
+                        const eventsArg = args.events;
+                        const events = eventsArg ? eventsArg.split(",") : undefined;
+                        const result = await client.createWebhook(url, { events });
+                        console.log("webhook registered");
+                        console.log(`  id:     ${result.id}`);
+                        console.log(`  secret: ${result.secret}`);
+                        break;
+                    }
+                    case "remove": {
+                        const id = args._1;
+                        if (!id)
+                            usage();
+                        await client.deleteWebhook(id);
+                        console.log(`webhook ${id} removed`);
+                        break;
+                    }
+                    default:
+                        usage();
+                }
+                break;
+            }
+            case "keys": {
+                const sub = args._0;
+                if (!sub)
+                    usage();
+                switch (sub) {
+                    case "list": {
+                        const keys = await client.listApiKeys();
+                        if (keys.length === 0) {
+                            console.log("(no API keys)");
+                        }
+                        else {
+                            for (const k of keys) {
+                                console.log(`  ${k.id}  ${k.label}  [${k.permissions.join(",")}]  prefix=${k.prefix ?? "*"}`);
+                            }
+                        }
+                        break;
+                    }
+                    case "create": {
+                        const label = args._1;
+                        if (!label)
+                            usage();
+                        const permsArg = args.permissions;
+                        const permissions = permsArg ? permsArg.split(",") : ["read", "write"];
+                        const prefix = args.prefix;
+                        const result = await client.createApiKey({ label, permissions, prefix });
+                        console.log("API key created");
+                        console.log(`  id:  ${result.id}`);
+                        console.log(`  key: ${result.key}`);
+                        console.log(`  (save the key — it won't be shown again)`);
+                        break;
+                    }
+                    case "remove": {
+                        const id = args._1;
+                        if (!id)
+                            usage();
+                        await client.deleteApiKey(id);
+                        console.log(`API key ${id} removed`);
+                        break;
+                    }
+                    default:
+                        usage();
+                }
+                break;
+            }
+            default:
+                usage();
+        }
+    }
+    catch (e) {
+        console.error(e.message ?? String(e));
+        process.exit(1);
+    }
+}
+if (require.main === module) {
+    main();
+}
+//# sourceMappingURL=cli.js.map

package/dist/cli.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cli.js","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";;AACA;;;;GAIG;;AAiCH,8BAqBC;AApDD,mCAAqC;AAErC,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,WAAW,IAAI,uBAAuB,CAAC;AAClE,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,UAAU,IAAI,EAAE,CAAC;AAE3C,SAAS,KAAK;IACZ,OAAO,CAAC,KAAK,CAAC;;;;;;;;;;;;;;;;;;;;;CAqBf,CAAC,CAAC;IACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC;AAED,SAAgB,SAAS,CAAC,IAAc;IACtC,MAAM,MAAM,GAA8C,EAAE,CAAC;IAC7D,MAAM,UAAU,GAAa,EAAE,CAAC;IAChC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACrC,MAAM,GAAG,GAAG,IAAI,CAAC,CAAC,CAAW,CAAC;QAC9B,IAAI,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YACzB,MAAM,GAAG,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;YACzB,MAAM,IAAI,GAAG,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;YACzB,IAAI,IAAI,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;gBACnC,MAAM,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC;gBACnB,CAAC,EAAE,CAAC;YACN,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC;YACrB,CAAC;QACH,CAAC;aAAM,CAAC;YACN,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACrB,MAAM,CAAC,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC;QAC5C,CAAC;IACH,CAAC;IACD,MAAM,CAAC,MAAM,GAAG,UAAU,CAAC,MAAM,CAAC;IAClC,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,KAAK,UAAU,IAAI;IACjB,MAAM,CAAC,EAAE,AAAD,EAAG,MAAM,EAAE,GAAG,IAAI,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC;IAC3C,IAAI,CAAC,MAAM;QAAE,KAAK,EAAE,CAAC;IAErB,MAAM,IAAI,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC;IAC7B,MAAM,MAAM,GAAG,IAAI,kBAAU,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;IAEjD,IAAI,CAAC;QACH,QAAQ,MAAM,EAAE,CAAC;YACf,KAAK,QAAQ,CAAC,CAAC,CAAC;gBACd,MAAM,CAAC,GAAG,MAAM,MAAM,CAAC,MAAM,EAAE,CAAC;gBAChC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC;gBAC/B,MAAM;YACR,CAAC;YAED,KAAK,MAAM,CAAC,CAAC,CAAC;gBACZ,MAAM,MAAM,GAAG,IAAI,CAAC,EAAwB,CAAC;gBAC7C,IAAI,CAAC,MAAM;oBAAE,KAAK,EAAE,CAAC;gBACrB,MAAM,MAAM,GAAG,IAAI,CAAC,GAAyB,CAAC;gBAC9C,MAAM,QAAQ,GAAG,IAAI,CAAC,KAA2B,CAAC;gBAElD,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;oBAC1B,OAAO,CAAC,KAAK,CAAC,0BAA0B,CAAC,CAAC;oBAC1C,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;gBAClB,CAAC;gBACD,MAAM,KAAK,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;gBAClC,MAAM,GAAG,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;gBACnC,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC;gBACtC,MAAM,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,EAAE;oBAC5B,GAAG,EAAE,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,SAAS;oBACrD,KAAK,EAAE,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,SAAS;iBAC5D,CAAC,CAAC;gBACH,OAAO,CAAC,GAAG,CAAC,YAAY,GAAG,EAAE,CAAC,CAAC;gBAC/B,MAAM;YACR,CAAC;YAED,KAAK,KAAK,CAAC,CAAC,CAAC;gBACX,MAAM,GAAG,GAAG,IAAI,CAAC,EAAwB,CAAC;gBAC1C,IAAI,CAAC,GAAG;oBAAE,KAAK,EAAE,CAAC;gBAClB,MAAM,KAAK,GAAG,MAAM,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;gBACpC,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;oBACnB,OAAO,CAAC,KAAK,CAAC,sBAAsB,CAAC,CAAC;oBACtC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;gBAClB,CAAC;gBACD,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;gBACnB,MAAM;YACR,CAAC;YAED,KAAK,MAAM,CAAC,CAAC,CAAC;gBACZ,MAAM,KAAK,GAAG,MAAM,MAAM,CAAC,IAAI,EAAE,CAAC;gBAClC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;oBACvB,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC,CAAC;gBACrC,CAAC;qBAAM,CAAC;oBACN,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;wBACtB,OAAO,CAAC,GAAG,CACT,KAAK,CAAC,CAAC,GAAG,aAAa,CAAC,CAAC,UAAU,GAAG,CAAC,CAAC,SAAS,IAAI,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,CACrF,CAAC;oBACJ,CAAC;gBACH,CAAC;gBACD,MAAM;YACR,CAAC;YAED,KAAK,QAAQ,CAAC,CAAC,CAAC;gBACd,MAAM,GAAG,GAAG,IAAI,CAAC,EAAwB,CAAC;gBAC1C,IAAI,CAAC,GAAG;oBAAE,KAAK,EAAE,CAAC;gBAClB,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;gBACzC,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,aAAa,GAAG,EAAE,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC;gBACxD,MAAM;YACR,CAAC;YAED,KAAK,OAAO,CAAC,CAAC,CAAC;gBACb,MAAM,CAAC,GAAG,MAAM,MAAM,CAAC,KAAK,EAAE,CAAC;gBAC/B,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,oBAAoB,CAAC,CAAC;gBAC7C,MAAM;YACR,CAAC;YAED,KAAK,OAAO,CAAC,CAAC,CAAC;gBACb,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,WAAW,CAAC;oBACtC,KAAK,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,SAAS;oBAClD,MAAM,EAAE,IAAI,CAAC,MAA4B;oBACzC,KAAK,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,SAAS;iBACnD,CAAC,CAAC;gBACH,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;oBACxB,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC;gBACnC,CAAC;qBAAM,CAAC;oBACN,KAAK,MAAM,CAAC,IAAI,MAAM,EAAE,CAAC;wBACvB,OAAO,CAAC,GAAG,CACT,MAAM,CAAC,CAAC,SAAS,KAAK,CAAC,CAAC,MAAM,QAAQ,CAAC,CAAC,GAAG,IAAI,GAAG,OAAO,CAAC,CAAC,SAAS,IAAI,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,EAAE,CACpG,CAAC;oBACJ,CAAC;gBACH,CAAC;gBACD,MAAM;YACR,CAAC;YAED,KAAK,UAAU,CAAC,CAAC,CAAC;gBAChB,MAAM,GAAG,GAAG,IAAI,CAAC,EAAwB,CAAC;gBAC1C,IAAI,CAAC,GAAG;oBAAE,KAAK,EAAE,CAAC;gBAClB,QAAQ,GAAG,EAAE,CAAC;oBACZ,KAAK,MAAM,CAAC,CAAC,CAAC;wBACZ,MAAM,EAAE,GAAG,MAAM,MAAM,CAAC,YAAY,EAAE,CAAC;wBACvC,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;4BACpB,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;wBAC/B,CAAC;6BAAM,CAAC;4BACN,KAAK,MAAM,CAAC,IAAI,EAAE,EAAE,CAAC;gCACnB,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,GAAG,MAAM,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;4BAC9D,CAAC;wBACH,CAAC;wBACD,MAAM;oBACR,CAAC;oBACD,KAAK,KAAK,CAAC,CAAC,CAAC;wBACX,MAAM,GAAG,GAAG,IAAI,CAAC,EAAwB,CAAC;wBAC1C,IAAI,CAAC,GAAG;4BAAE,KAAK,EAAE,CAAC;wBAClB,MAAM,SAAS,GAAG,IAAI,CAAC,MAA4B,CAAC;wBACpD,MAAM,MAAM,GAAG,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;wBAC5D,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,GAAG,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC;wBAC3D,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC;wBAClC,OAAO,CAAC,GAAG,CAAC,aAAa,MAAM,CAAC,EAAE,EAAE,CAAC,CAAC;wBACtC,OAAO,CAAC,GAAG,CAAC,aAAa,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;wBAC1C,MAAM;oBACR,CAAC;oBACD,KAAK,QAAQ,CAAC,CAAC,CAAC;wBACd,MAAM,EAAE,GAAG,IAAI,CAAC,EAAwB,CAAC;wBACzC,IAAI,CAAC,EAAE;4BAAE,KAAK,EAAE,CAAC;wBACjB,MAAM,MAAM,CAAC,aAAa,CAAC,EAAE,CAAC,CAAC;wBAC/B,OAAO,CAAC,GAAG,CAAC,WAAW,EAAE,UAAU,CAAC,CAAC;wBACrC,MAAM;oBACR,CAAC;oBACD;wBACE,KAAK,EAAE,CAAC;gBACZ,CAAC;gBACD,MAAM;YACR,CAAC;YAED,KAAK,MAAM,CAAC,CAAC,CAAC;gBACZ,MAAM,GAAG,GAAG,IAAI,CAAC,EAAwB,CAAC;gBAC1C,IAAI,CAAC,GAAG;oBAAE,KAAK,EAAE,CAAC;gBAClB,QAAQ,GAAG,EAAE,CAAC;oBACZ,KAAK,MAAM,CAAC,CAAC,CAAC;wBACZ,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,WAAW,EAAE,CAAC;wBACxC,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;4BACtB,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;wBAC/B,CAAC;6BAAM,CAAC;4BACN,KAAK,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC;gCACrB,OAAO,CAAC,GAAG,CACT,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,KAAK,MAAM,CAAC,CAAC,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC,MAAM,IAAI,GAAG,EAAE,CACjF,CAAC;4BACJ,CAAC;wBACH,CAAC;wBACD,MAAM;oBACR,CAAC;oBACD,KAAK,QAAQ,CAAC,CAAC,CAAC;wBACd,MAAM,KAAK,GAAG,IAAI,CAAC,EAAwB,CAAC;wBAC5C,IAAI,CAAC,KAAK;4BAAE,KAAK,EAAE,CAAC;wBACpB,MAAM,QAAQ,GAAG,IAAI,CAAC,WAAiC,CAAC;wBACxD,MAAM,WAAW,GAAG,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;wBACvE,MAAM,MAAM,GAAG,IAAI,CAAC,MAA4B,CAAC;wBACjD,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,YAAY,CAAC,EAAE,KAAK,EAAE,WAAW,EAAE,MAAM,EAAE,CAAC,CAAC;wBACzE,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;wBAC/B,OAAO,CAAC,GAAG,CAAC,UAAU,MAAM,CAAC,EAAE,EAAE,CAAC,CAAC;wBACnC,OAAO,CAAC,GAAG,CAAC,UAAU,MAAM,CAAC,GAAG,EAAE,CAAC,CAAC;wBACpC,OAAO,CAAC,GAAG,CAAC,4CAA4C,CAAC,CAAC;wBAC1D,MAAM;oBACR,CAAC;oBACD,KAAK,QAAQ,CAAC,CAAC,CAAC;wBACd,MAAM,EAAE,GAAG,IAAI,CAAC,EAAwB,CAAC;wBACzC,IAAI,CAAC,EAAE;4BAAE,KAAK,EAAE,CAAC;wBACjB,MAAM,MAAM,CAAC,YAAY,CAAC,EAAE,CAAC,CAAC;wBAC9B,OAAO,CAAC,GAAG,CAAC,WAAW,EAAE,UAAU,CAAC,CAAC;wBACrC,MAAM;oBACR,CAAC;oBACD;wBACE,KAAK,EAAE,CAAC;gBACZ,CAAC;gBACD,MAAM;YACR,CAAC;YAED;gBACE,KAAK,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;IAAC,OAAO,CAAU,EAAE,CAAC;QACpB,OAAO,CAAC,KAAK,CAAE,CAAW,CAAC,OAAO,IAAI,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;QACjD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC;AAED,IAAI,OAAO,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;IAC5B,IAAI,EAAE,CAAC;AACT,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,130 @@
+/**
+ * @sirrlock/node — Sirr Node.js client
+ *
+ * Thin fetch wrapper around the Sirr HTTP API.
+ * No native dependencies. Works in Node 18+.
+ */
+export interface SirrClientOptions {
+    /** Sirr server base URL. Default: http://localhost:8080 */
+    server?: string;
+    /** Bearer token (SIRR_MASTER_KEY on the server side). */
+    token: string;
+}
+export interface PushOptions {
+    /** TTL in seconds. */
+    ttl?: number;
+    /** Maximum number of reads before the secret self-destructs. */
+    reads?: number;
+}
+export interface SecretMeta {
+    key: string;
+    created_at: number;
+    expires_at: number | null;
+    max_reads: number | null;
+    read_count: number;
+}
+export interface AuditEvent {
+    id: number;
+    timestamp: number;
+    action: string;
+    key: string | null;
+    source_ip: string;
+    success: boolean;
+    detail: string | null;
+}
+export interface AuditOptions {
+    since?: number;
+    until?: number;
+    action?: string;
+    limit?: number;
+}
+export interface Webhook {
+    id: string;
+    url: string;
+    events: string[];
+    created_at: number;
+}
+export interface WebhookCreateResult {
+    id: string;
+    secret: string;
+}
+export interface ApiKey {
+    id: string;
+    label: string;
+    permissions: string[];
+    prefix: string | null;
+    created_at: number;
+}
+export interface ApiKeyCreateResult {
+    id: string;
+    key: string;
+    label: string;
+    permissions: string[];
+    prefix: string | null;
+}
+export interface CreateApiKeyOptions {
+    label: string;
+    permissions: string[];
+    prefix?: string;
+}
+export declare class SirrError extends Error {
+    readonly status: number;
+    constructor(status: number, message: string);
+}
+export declare class SirrClient {
+    private readonly server;
+    private readonly token;
+    constructor(opts: SirrClientOptions);
+    private headers;
+    private request;
+    /** Check server health. Does not require authentication. */
+    health(): Promise<{
+        status: string;
+    }>;
+    /**
+     * Push a secret to the vault.
+     *
+     * @param key   Secret key name
+     * @param value Secret value
+     * @param opts  TTL (seconds) and/or max read count
+     */
+    push(key: string, value: string, opts?: PushOptions): Promise<void>;
+    /**
+     * Retrieve a secret by key. Increments the read counter.
+     * Returns `null` if the secret does not exist or has expired/burned.
+     */
+    get(key: string): Promise<string | null>;
+    /** List metadata for all active secrets. Values are never returned. */
+    list(): Promise<SecretMeta[]>;
+    /** Delete a secret immediately. Returns true if it existed. */
+    delete(key: string): Promise<boolean>;
+    /**
+     * Retrieve all secrets and return them as a key→value map.
+     * Each GET increments the respective read counter.
+     */
+    pullAll(): Promise<Record<string, string>>;
+    /** Trigger an immediate sweep of expired secrets on the server. */
+    prune(): Promise<number>;
+    /**
+     * Inject all vault secrets as process.env variables, then invoke `fn`.
+     * Useful in test harnesses and scripts.
+     */
+    withSecrets<T>(fn: () => Promise<T>): Promise<T>;
+    /** Query the audit log. */
+    getAuditLog(opts?: AuditOptions): Promise<AuditEvent[]>;
+    /** Register a webhook. Returns the ID and signing secret. */
+    createWebhook(url: string, opts?: {
+        events?: string[];
+    }): Promise<WebhookCreateResult>;
+    /** List registered webhooks. Signing secrets are redacted. */
+    listWebhooks(): Promise<Webhook[]>;
+    /** Delete a webhook by ID. Returns false if not found. */
+    deleteWebhook(id: string): Promise<boolean>;
+    /** Create a scoped API key. The raw key is returned once. */
+    createApiKey(opts: CreateApiKeyOptions): Promise<ApiKeyCreateResult>;
+    /** List all scoped API keys. Key hashes are never returned. */
+    listApiKeys(): Promise<ApiKey[]>;
+    /** Delete an API key by ID. Returns false if not found. */
+    deleteApiKey(id: string): Promise<boolean>;
+}
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,MAAM,WAAW,iBAAiB;IAChC,2DAA2D;IAC3D,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,yDAAyD;IACzD,KAAK,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,WAAW;IAC1B,sBAAsB;IACtB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,gEAAgE;IAChE,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,UAAU;IACzB,GAAG,EAAE,MAAM,CAAC;IACZ,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,UAAU;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC;IACf,GAAG,EAAE,MAAM,GAAG,IAAI,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;CACvB;AAED,MAAM,WAAW,YAAY;IAC3B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,OAAO;IACtB,EAAE,EAAE,MAAM,CAAC;IACX,GAAG,EAAE,MAAM,CAAC;IACZ,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,mBAAmB;IAClC,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,MAAM;IACrB,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,kBAAkB;IACjC,EAAE,EAAE,MAAM,CAAC;IACX,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;CACvB;AAED,MAAM,WAAW,mBAAmB;IAClC,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,qBAAa,SAAU,SAAQ,KAAK;aAEhB,MAAM,EAAE,MAAM;gBAAd,MAAM,EAAE,MAAM,EAC9B,OAAO,EAAE,MAAM;CAKlB;AAQD,qBAAa,UAAU;IACrB,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;IAChC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAS;gBAEnB,IAAI,EAAE,iBAAiB;IAQnC,OAAO,CAAC,OAAO;YAOD,OAAO;IA0BrB,4DAA4D;IACtD,MAAM,IAAI,OAAO,CAAC;QAAE,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC;IAQ3C;;;;;;OAMG;IACG,IAAI,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,GAAE,WAAgB,GAAG,OAAO,CAAC,IAAI,CAAC;IAU7E;;;OAGG;IACG,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAc9C,uEAAuE;IACjE,IAAI,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;IAKnC,+DAA+D;IACzD,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAW3C;;;OAGG;IACG,OAAO,IAAI,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAYhD,mEAAmE;IAC7D,KAAK,IAAI,OAAO,CAAC,MAAM,CAAC;IAK9B;;;OAGG;IACG,WAAW,CAAC,CAAC,EAAE,EAAE,EAAE,MAAM,OAAO,CAAC,CAAC,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC;IAiBtD,2BAA2B;IACrB,WAAW,CAAC,IAAI,GAAE,YAAiB,GAAG,OAAO,CAAC,UAAU,EAAE,CAAC;IAWjE,6DAA6D;IACvD,aAAa,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE;QAAE,MAAM,CAAC,EAAE,MAAM,EAAE,CAAA;KAAE,GAAG,OAAO,CAAC,mBAAmB,CAAC;IAM5F,8DAA8D;IACxD,YAAY,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;IAKxC,0DAA0D;IACpD,aAAa,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAUjD,6DAA6D;IACvD,YAAY,CAAC,IAAI,EAAE,mBAAmB,GAAG,OAAO,CAAC,kBAAkB,CAAC;IAI1E,+DAA+D;IACzD,WAAW,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;IAKtC,2DAA2D;IACrD,YAAY,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;CASjD"}

package/dist/index.js

@@ -0,0 +1,225 @@
+"use strict";
+/**
+ * @sirrlock/node — Sirr Node.js client
+ *
+ * Thin fetch wrapper around the Sirr HTTP API.
+ * No native dependencies. Works in Node 18+.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SirrClient = exports.SirrError = void 0;
+class SirrError extends Error {
+    constructor(status, message) {
+        super(`Sirr API error ${status}: ${message}`);
+        this.status = status;
+        this.name = "SirrError";
+    }
+}
+exports.SirrError = SirrError;
+function validateKey(key) {
+    if (!key) {
+        throw new Error("Secret key must not be empty");
+    }
+}
+class SirrClient {
+    constructor(opts) {
+        if (!opts.token) {
+            throw new Error("SirrClient requires a non-empty token");
+        }
+        this.server = (opts.server ?? "http://localhost:8080").replace(/\/$/, "");
+        this.token = opts.token;
+    }
+    headers() {
+        return {
+            Authorization: `Bearer ${this.token}`,
+            "Content-Type": "application/json",
+        };
+    }
+    async request(method, path, body) {
+        const res = await fetch(`${this.server}${path}`, {
+            method,
+            headers: this.headers(),
+            body: body !== undefined ? JSON.stringify(body) : undefined,
+        });
+        if (!res.ok) {
+            let message = "unknown error";
+            try {
+                const json = (await res.json());
+                message = json.error ?? message;
+            }
+            catch {
+                try {
+                    const text = await res.text();
+                    if (text)
+                        message = text.slice(0, 200);
+                }
+                catch {
+                    // body already consumed or unreadable — keep default message
+                }
+            }
+            throw new SirrError(res.status, message);
+        }
+        return (await res.json());
+    }
+    /** Check server health. Does not require authentication. */
+    async health() {
+        const res = await fetch(`${this.server}/health`);
+        if (!res.ok) {
+            throw new SirrError(res.status, "health check failed");
+        }
+        return res.json();
+    }
+    /**
+     * Push a secret to the vault.
+     *
+     * @param key   Secret key name
+     * @param value Secret value
+     * @param opts  TTL (seconds) and/or max read count
+     */
+    async push(key, value, opts = {}) {
+        validateKey(key);
+        await this.request("POST", "/secrets", {
+            key,
+            value,
+            ttl_seconds: opts.ttl ?? null,
+            max_reads: opts.reads ?? null,
+        });
+    }
+    /**
+     * Retrieve a secret by key. Increments the read counter.
+     * Returns `null` if the secret does not exist or has expired/burned.
+     */
+    async get(key) {
+        validateKey(key);
+        try {
+            const data = await this.request("GET", `/secrets/${encodeURIComponent(key)}`);
+            return data.value;
+        }
+        catch (e) {
+            if (e instanceof SirrError && e.status === 404)
+                return null;
+            throw e;
+        }
+    }
+    /** List metadata for all active secrets. Values are never returned. */
+    async list() {
+        const data = await this.request("GET", "/secrets");
+        return data.secrets;
+    }
+    /** Delete a secret immediately. Returns true if it existed. */
+    async delete(key) {
+        validateKey(key);
+        try {
+            await this.request("DELETE", `/secrets/${encodeURIComponent(key)}`);
+            return true;
+        }
+        catch (e) {
+            if (e instanceof SirrError && e.status === 404)
+                return false;
+            throw e;
+        }
+    }
+    /**
+     * Retrieve all secrets and return them as a key→value map.
+     * Each GET increments the respective read counter.
+     */
+    async pullAll() {
+        const metas = await this.list();
+        const result = {};
+        await Promise.all(metas.map(async (m) => {
+            const value = await this.get(m.key);
+            if (value !== null)
+                result[m.key] = value;
+        }));
+        return result;
+    }
+    /** Trigger an immediate sweep of expired secrets on the server. */
+    async prune() {
+        const data = await this.request("POST", "/prune");
+        return data.pruned;
+    }
+    /**
+     * Inject all vault secrets as process.env variables, then invoke `fn`.
+     * Useful in test harnesses and scripts.
+     */
+    async withSecrets(fn) {
+        const secrets = await this.pullAll();
+        const originals = {};
+        for (const [k, v] of Object.entries(secrets)) {
+            originals[k] = process.env[k];
+            process.env[k] = v;
+        }
+        try {
+            return await fn();
+        }
+        finally {
+            for (const [k, orig] of Object.entries(originals)) {
+                if (orig === undefined)
+                    delete process.env[k];
+                else
+                    process.env[k] = orig;
+            }
+        }
+    }
+    /** Query the audit log. */
+    async getAuditLog(opts = {}) {
+        const params = new URLSearchParams();
+        if (opts.since != null)
+            params.set("since", String(opts.since));
+        if (opts.until != null)
+            params.set("until", String(opts.until));
+        if (opts.action != null)
+            params.set("action", opts.action);
+        if (opts.limit != null)
+            params.set("limit", String(opts.limit));
+        const qs = params.toString();
+        const data = await this.request("GET", `/audit${qs ? `?${qs}` : ""}`);
+        return data.events;
+    }
+    /** Register a webhook. Returns the ID and signing secret. */
+    async createWebhook(url, opts) {
+        const body = { url };
+        if (opts?.events)
+            body.events = opts.events;
+        return this.request("POST", "/webhooks", body);
+    }
+    /** List registered webhooks. Signing secrets are redacted. */
+    async listWebhooks() {
+        const data = await this.request("GET", "/webhooks");
+        return data.webhooks;
+    }
+    /** Delete a webhook by ID. Returns false if not found. */
+    async deleteWebhook(id) {
+        try {
+            await this.request("DELETE", `/webhooks/${encodeURIComponent(id)}`);
+            return true;
+        }
+        catch (e) {
+            if (e instanceof SirrError && e.status === 404)
+                return false;
+            throw e;
+        }
+    }
+    /** Create a scoped API key. The raw key is returned once. */
+    async createApiKey(opts) {
+        return this.request("POST", "/keys", opts);
+    }
+    /** List all scoped API keys. Key hashes are never returned. */
+    async listApiKeys() {
+        const data = await this.request("GET", "/keys");
+        return data.keys;
+    }
+    /** Delete an API key by ID. Returns false if not found. */
+    async deleteApiKey(id) {
+        try {
+            await this.request("DELETE", `/keys/${encodeURIComponent(id)}`);
+            return true;
+        }
+        catch (e) {
+            if (e instanceof SirrError && e.status === 404)
+                return false;
+            throw e;
+        }
+    }
+}
+exports.SirrClient = SirrClient;
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;;AA2EH,MAAa,SAAU,SAAQ,KAAK;IAClC,YACkB,MAAc,EAC9B,OAAe;QAEf,KAAK,CAAC,kBAAkB,MAAM,KAAK,OAAO,EAAE,CAAC,CAAC;QAH9B,WAAM,GAAN,MAAM,CAAQ;QAI9B,IAAI,CAAC,IAAI,GAAG,WAAW,CAAC;IAC1B,CAAC;CACF;AARD,8BAQC;AAED,SAAS,WAAW,CAAC,GAAW;IAC9B,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC;IAClD,CAAC;AACH,CAAC;AAED,MAAa,UAAU;IAIrB,YAAY,IAAuB;QACjC,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;YAChB,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;QAC3D,CAAC;QACD,IAAI,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,MAAM,IAAI,uBAAuB,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QAC1E,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC;IAC1B,CAAC;IAEO,OAAO;QACb,OAAO;YACL,aAAa,EAAE,UAAU,IAAI,CAAC,KAAK,EAAE;YACrC,cAAc,EAAE,kBAAkB;SACnC,CAAC;IACJ,CAAC;IAEO,KAAK,CAAC,OAAO,CAAI,MAAc,EAAE,IAAY,EAAE,IAAc;QACnE,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,MAAM,GAAG,IAAI,EAAE,EAAE;YAC/C,MAAM;YACN,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE;YACvB,IAAI,EAAE,IAAI,KAAK,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS;SAC5D,CAAC,CAAC;QAEH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,IAAI,OAAO,GAAG,eAAe,CAAC;YAC9B,IAAI,CAAC;gBACH,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAA4B,CAAC;gBAC3D,OAAO,GAAI,IAAI,CAAC,KAAgB,IAAI,OAAO,CAAC;YAC9C,CAAC;YAAC,MAAM,CAAC;gBACP,IAAI,CAAC;oBACH,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;oBAC9B,IAAI,IAAI;wBAAE,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;gBACzC,CAAC;gBAAC,MAAM,CAAC;oBACP,6DAA6D;gBAC/D,CAAC;YACH,CAAC;YACD,MAAM,IAAI,SAAS,CAAC,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QAC3C,CAAC;QAED,OAAO,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAM,CAAC;IACjC,CAAC;IAED,4DAA4D;IAC5D,KAAK,CAAC,MAAM;QACV,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,MAAM,SAAS,CAAC,CAAC;QACjD,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,MAAM,IAAI,SAAS,CAAC,GAAG,CAAC,MAAM,EAAE,qBAAqB,CAAC,CAAC;QACzD,CAAC;QACD,OAAO,GAAG,CAAC,IAAI,EAAiC,CAAC;IACnD,CAAC;IAED;;;;;;OAMG;IACH,KAAK,CAAC,IAAI,CAAC,GAAW,EAAE,KAAa,EAAE,OAAoB,EAAE;QAC3D,WAAW,CAAC,GAAG,CAAC,CAAC;QACjB,MAAM,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,UAAU,EAAE;YACrC,GAAG;YACH,KAAK;YACL,WAAW,EAAE,IAAI,CAAC,GAAG,IAAI,IAAI;YAC7B,SAAS,EAAE,IAAI,CAAC,KAAK,IAAI,IAAI;SAC9B,CAAC,CAAC;IACL,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,GAAG,CAAC,GAAW;QACnB,WAAW,CAAC,GAAG,CAAC,CAAC;QACjB,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,OAAO,CAC7B,KAAK,EACL,YAAY,kBAAkB,CAAC,GAAG,CAAC,EAAE,CACtC,CAAC;YACF,OAAO,IAAI,CAAC,KAAK,CAAC;QACpB,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,IAAI,CAAC,YAAY,SAAS,IAAI,CAAC,CAAC,MAAM,KAAK,GAAG;gBAAE,OAAO,IAAI,CAAC;YAC5D,MAAM,CAAC,CAAC;QACV,CAAC;IACH,CAAC;IAED,uEAAuE;IACvE,KAAK,CAAC,IAAI;QACR,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,OAAO,CAA4B,KAAK,EAAE,UAAU,CAAC,CAAC;QAC9E,OAAO,IAAI,CAAC,OAAO,CAAC;IACtB,CAAC;IAED,+DAA+D;IAC/D,KAAK,CAAC,MAAM,CAAC,GAAW;QACtB,WAAW,CAAC,GAAG,CAAC,CAAC;QACjB,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,YAAY,kBAAkB,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YACpE,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,IAAI,CAAC,YAAY,SAAS,IAAI,CAAC,CAAC,MAAM,KAAK,GAAG;gBAAE,OAAO,KAAK,CAAC;YAC7D,MAAM,CAAC,CAAC;QACV,CAAC;IACH,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,OAAO;QACX,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;QAChC,MAAM,MAAM,GAA2B,EAAE,CAAC;QAC1C,MAAM,OAAO,CAAC,GAAG,CACf,KAAK,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC,EAAE,EAAE;YACpB,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;YACpC,IAAI,KAAK,KAAK,IAAI;gBAAE,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;QAC5C,CAAC,CAAC,CACH,CAAC;QACF,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,mEAAmE;IACnE,KAAK,CAAC,KAAK;QACT,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,OAAO,CAAqB,MAAM,EAAE,QAAQ,CAAC,CAAC;QACtE,OAAO,IAAI,CAAC,MAAM,CAAC;IACrB,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,WAAW,CAAI,EAAoB;QACvC,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;QACrC,MAAM,SAAS,GAAuC,EAAE,CAAC;QACzD,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;YAC7C,SAAS,CAAC,CAAC,CAAC,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YAC9B,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;QACrB,CAAC;QACD,IAAI,CAAC;YACH,OAAO,MAAM,EAAE,EAAE,CAAC;QACpB,CAAC;gBAAS,CAAC;YACT,KAAK,MAAM,CAAC,CAAC,EAAE,IAAI,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,CAAC;gBAClD,IAAI,IAAI,KAAK,SAAS;oBAAE,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;;oBACzC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC;YAC7B,CAAC;QACH,CAAC;IACH,CAAC;IAED,2BAA2B;IAC3B,KAAK,CAAC,WAAW,CAAC,OAAqB,EAAE;QACvC,MAAM,MAAM,GAAG,IAAI,eAAe,EAAE,CAAC;QACrC,IAAI,IAAI,CAAC,KAAK,IAAI,IAAI;YAAE,MAAM,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;QAChE,IAAI,IAAI,CAAC,KAAK,IAAI,IAAI;YAAE,MAAM,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;QAChE,IAAI,IAAI,CAAC,MAAM,IAAI,IAAI;YAAE,MAAM,CAAC,GAAG,CAAC,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;QAC3D,IAAI,IAAI,CAAC,KAAK,IAAI,IAAI;YAAE,MAAM,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;QAChE,MAAM,EAAE,GAAG,MAAM,CAAC,QAAQ,EAAE,CAAC;QAC7B,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,OAAO,CAA2B,KAAK,EAAE,SAAS,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QAChG,OAAO,IAAI,CAAC,MAAM,CAAC;IACrB,CAAC;IAED,6DAA6D;IAC7D,KAAK,CAAC,aAAa,CAAC,GAAW,EAAE,IAA4B;QAC3D,MAAM,IAAI,GAA4B,EAAE,GAAG,EAAE,CAAC;QAC9C,IAAI,IAAI,EAAE,MAAM;YAAE,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC;QAC5C,OAAO,IAAI,CAAC,OAAO,CAAsB,MAAM,EAAE,WAAW,EAAE,IAAI,CAAC,CAAC;IACtE,CAAC;IAED,8DAA8D;IAC9D,KAAK,CAAC,YAAY;QAChB,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,OAAO,CAA0B,KAAK,EAAE,WAAW,CAAC,CAAC;QAC7E,OAAO,IAAI,CAAC,QAAQ,CAAC;IACvB,CAAC;IAED,0DAA0D;IAC1D,KAAK,CAAC,aAAa,CAAC,EAAU;QAC5B,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,aAAa,kBAAkB,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC;YACpE,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,IAAI,CAAC,YAAY,SAAS,IAAI,CAAC,CAAC,MAAM,KAAK,GAAG;gBAAE,OAAO,KAAK,CAAC;YAC7D,MAAM,CAAC,CAAC;QACV,CAAC;IACH,CAAC;IAED,6DAA6D;IAC7D,KAAK,CAAC,YAAY,CAAC,IAAyB;QAC1C,OAAO,IAAI,CAAC,OAAO,CAAqB,MAAM,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC;IACjE,CAAC;IAED,+DAA+D;IAC/D,KAAK,CAAC,WAAW;QACf,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,OAAO,CAAqB,KAAK,EAAE,OAAO,CAAC,CAAC;QACpE,OAAO,IAAI,CAAC,IAAI,CAAC;IACnB,CAAC;IAED,2DAA2D;IAC3D,KAAK,CAAC,YAAY,CAAC,EAAU;QAC3B,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,SAAS,kBAAkB,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC;YAChE,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,IAAI,CAAC,YAAY,SAAS,IAAI,CAAC,CAAC,MAAM,KAAK,GAAG;gBAAE,OAAO,KAAK,CAAC;YAC7D,MAAM,CAAC,CAAC;QACV,CAAC;IACH,CAAC;CACF;AA/MD,gCA+MC"}

package/package.json

@@ -0,0 +1,66 @@
+{
+  "name": "@sirrlock/node",
+  "version": "0.1.0",
+  "description": "Sirr (سر) — Node.js client and npx CLI for the ephemeral secret vault",
+  "license": "MIT",
+  "author": "sirrlock",
+  "homepage": "https://github.com/sirrlock/node#readme",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/sirrlock/node"
+  },
+  "bugs": {
+    "url": "https://github.com/sirrlock/node/issues"
+  },
+  "keywords": [
+    "sirr",
+    "secrets",
+    "ephemeral",
+    "vault",
+    "secret-management",
+    "burn-after-reading",
+    "ai-agents",
+    "mcp"
+  ],
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "import": "./dist/index.js",
+      "require": "./dist/index.js",
+      "types": "./dist/index.d.ts"
+    }
+  },
+  "bin": {
+    "sirr": "dist/cli.js"
+  },
+  "files": [
+    "dist"
+  ],
+  "scripts": {
+    "build": "tsc",
+    "dev": "tsc --watch",
+    "test": "jest",
+    "lint": "biome check src/",
+    "lint:fix": "biome check --write src/",
+    "prepublishOnly": "npm run lint && npm run build && npm test"
+  },
+  "engines": {
+    "node": ">=18"
+  },
+  "dependencies": {},
+  "devDependencies": {
+    "@biomejs/biome": "^1.9.0",
+    "@jest/globals": "^30.0.0",
+    "@types/node": "^20.0.0",
+    "esbuild": "^0.25.0",
+    "jest": "^30.0.0",
+    "ts-jest": "^29.0.0",
+    "typescript": "^5.4.0"
+  },
+  "jest": {
+    "preset": "ts-jest",
+    "testEnvironment": "node",
+    "testPathIgnorePatterns": ["/node_modules/", "/dist/"]
+  }
+}