@startsimpli/api 0.5.19 → 0.5.20

package/src/lib/vault-api.ts

@@ -0,0 +1,155 @@
+/** Vault API client — environments, secrets, access keys, audit (startsim-d30.3.1).
+
+Mirrors the other @startsimpli/api wrappers. The client auto-transforms
+snake_case <-> camelCase, so types here are camelCase. Secret values are
+write-only on create/update and only returned by `revealSecret`.
+*/
+
+import type { PaginatedResponse } from '../types';
+import type { ApiClient } from './api-client';
+
+const E = {
+  environments: 'api/v1/vault/environments',
+  environment: (slug: string) => `api/v1/vault/environments/${slug}`,
+  secrets: (slug: string) => `api/v1/vault/environments/${slug}/secrets`,
+  secret: (slug: string, id: string) => `api/v1/vault/environments/${slug}/secrets/${id}`,
+  reveal: (slug: string, id: string) => `api/v1/vault/environments/${slug}/secrets/${id}/reveal`,
+  accessKeys: (slug: string) => `api/v1/vault/environments/${slug}/access-keys`,
+  accessKey: (slug: string, id: string) => `api/v1/vault/environments/${slug}/access-keys/${id}`,
+  audit: (slug: string) => `api/v1/vault/environments/${slug}/audit`,
+};
+
+export interface VaultEnvironment {
+  id: string;
+  slug: string;
+  name: string;
+  description: string;
+  secretCount: number;
+  createdAt: string;
+  updatedAt: string;
+}
+
+export interface VaultEnvironmentInput {
+  slug: string;
+  name: string;
+  description?: string;
+}
+
+export interface VaultSecret {
+  id: string;
+  key: string;
+  hasValue: boolean;
+  valueType: string;
+  metadata: Record<string, unknown>;
+  lastRotatedAt: string | null;
+  createdAt: string;
+  updatedAt: string;
+}
+
+export interface VaultSecretInput {
+  key: string;
+  value?: string;
+  valueType?: string;
+  metadata?: Record<string, unknown>;
+}
+
+export interface VaultSecretReveal {
+  key: string;
+  value: string;
+}
+
+export interface VaultAccessKey {
+  id: string;
+  name: string;
+  prefix: string;
+  scopes: string[];
+  isActive: boolean;
+  lastUsedAt: string | null;
+  expiresAt: string | null;
+  createdAt: string;
+}
+
+/** Returned only by createAccessKey — carries the raw key, shown exactly once. */
+export interface VaultAccessKeyCreated extends VaultAccessKey {
+  key: string;
+}
+
+export interface VaultAccessKeyInput {
+  name: string;
+  scopes?: string[];
+  expiresAt?: string | null;
+}
+
+export interface VaultAuditEntry {
+  id: string;
+  action: string;
+  secretKey: string | null;
+  actorEmail: string | null;
+  accessKeyName: string | null;
+  ipAddress: string | null;
+  metadata: Record<string, unknown>;
+  createdAt: string;
+}
+
+export interface VaultListParams {
+  page?: number;
+  pageSize?: number;
+  search?: string;
+  ordering?: string;
+  // Index signature so this satisfies the client's query-params type.
+  [key: string]: unknown;
+}
+
+export class VaultApi {
+  constructor(private client: ApiClient) {}
+
+  // --- Environments ---
+  listEnvironments(params?: VaultListParams): Promise<PaginatedResponse<VaultEnvironment>> {
+    return this.client.fetch.get<PaginatedResponse<VaultEnvironment>>(E.environments, { params });
+  }
+  getEnvironment(slug: string): Promise<VaultEnvironment> {
+    return this.client.fetch.get<VaultEnvironment>(E.environment(slug));
+  }
+  createEnvironment(data: VaultEnvironmentInput): Promise<VaultEnvironment> {
+    return this.client.fetch.post<VaultEnvironment>(E.environments, data);
+  }
+  updateEnvironment(slug: string, data: Partial<VaultEnvironmentInput>): Promise<VaultEnvironment> {
+    return this.client.fetch.patch<VaultEnvironment>(E.environment(slug), data);
+  }
+  deleteEnvironment(slug: string): Promise<void> {
+    return this.client.fetch.delete<void>(E.environment(slug));
+  }
+
+  // --- Secrets (value write-only; reveal is separate + audited) ---
+  listSecrets(slug: string, params?: VaultListParams): Promise<PaginatedResponse<VaultSecret>> {
+    return this.client.fetch.get<PaginatedResponse<VaultSecret>>(E.secrets(slug), { params });
+  }
+  createSecret(slug: string, data: VaultSecretInput): Promise<VaultSecret> {
+    return this.client.fetch.post<VaultSecret>(E.secrets(slug), data);
+  }
+  updateSecret(slug: string, id: string, data: Partial<VaultSecretInput>): Promise<VaultSecret> {
+    return this.client.fetch.patch<VaultSecret>(E.secret(slug, id), data);
+  }
+  deleteSecret(slug: string, id: string): Promise<void> {
+    return this.client.fetch.delete<void>(E.secret(slug, id));
+  }
+  revealSecret(slug: string, id: string): Promise<VaultSecretReveal> {
+    return this.client.fetch.get<VaultSecretReveal>(E.reveal(slug, id));
+  }
+
+  // --- Access keys ---
+  listAccessKeys(slug: string, params?: VaultListParams): Promise<PaginatedResponse<VaultAccessKey>> {
+    return this.client.fetch.get<PaginatedResponse<VaultAccessKey>>(E.accessKeys(slug), { params });
+  }
+  createAccessKey(slug: string, data: VaultAccessKeyInput): Promise<VaultAccessKeyCreated> {
+    return this.client.fetch.post<VaultAccessKeyCreated>(E.accessKeys(slug), data);
+  }
+  deleteAccessKey(slug: string, id: string): Promise<void> {
+    return this.client.fetch.delete<void>(E.accessKey(slug, id));
+  }
+
+  // --- Audit ---
+  listAudit(slug: string, params?: VaultListParams): Promise<PaginatedResponse<VaultAuditEntry>> {
+    return this.client.fetch.get<PaginatedResponse<VaultAuditEntry>>(E.audit(slug), { params });
+  }
+}

package/src/types/api.ts

@@ -15,6 +15,12 @@ export interface ApiError {
   errors?: Record<string, string[]>;
   status?: number;
   statusText?: string;
+  /** Machine-readable code from the standardized response (limit_reached,
+   * no_company, …). Set when the backend uses apps.core.exceptions. */
+  code?: string;
+  /** Extra structured context attached to the error (e.g. limit_reached
+   * carries { feature_key, limit, current }). */
+  details?: Record<string, unknown>;
 }
 
 export interface PaginationParams {