@tinycloud/sdk-services 2.1.0-beta.4 → 2.2.0-beta.10

package/dist/index.cjs

@@ -37,8 +37,10 @@ __export(index_exports, {
   KVService: () => KVService,
   PrefixedKVService: () => PrefixedKVService,
   RetryPolicySchema: () => RetryPolicySchema,
+  SECRET_NAME_RE: () => SECRET_NAME_RE,
   SQLAction: () => SQLAction,
   SQLService: () => SQLService,
+  SecretsService: () => SecretsService,
   ServiceContext: () => ServiceContext,
   ServiceErrorEventSchema: () => ServiceErrorEventSchema,
   ServiceErrorSchema: () => ServiceErrorSchema,
@@ -54,6 +56,7 @@ __export(index_exports, {
   authExpiredError: () => authExpiredError,
   authRequiredError: () => authRequiredError,
   authUnauthorizedError: () => authUnauthorizedError,
+  canonicalizeSecretScope: () => canonicalizeSecretScope,
   createKVResponseSchema: () => createKVResponseSchema,
   createResultSchema: () => createResultSchema,
   createVaultCrypto: () => createVaultCrypto,
@@ -65,6 +68,7 @@ __export(index_exports, {
   ok: () => ok,
   parseAuthError: () => parseAuthError,
   permissionDeniedError: () => permissionDeniedError,
+  resolveSecretPath: () => resolveSecretPath,
   serviceError: () => serviceError,
   storageLimitReachedError: () => storageLimitReachedError,
   storageQuotaExceededError: () => storageQuotaExceededError,
@@ -3844,6 +3848,127 @@ function createVaultCrypto(wasm) {
     sha256: (data) => wasm.vault_sha256(data)
   };
 }
+
+// src/secrets/paths.ts
+var SECRET_NAME_RE = /^[A-Z][A-Z0-9_]*$/;
+var SECRET_PREFIX = "secrets/";
+var SCOPED_SECRET_PREFIX = "secrets/scoped/";
+var RESERVED_SECRET_SCOPES = /* @__PURE__ */ new Set(["default", "global"]);
+function canonicalizeSecretScope(scope) {
+  if (scope === void 0) {
+    return void 0;
+  }
+  const trimmed = scope.trim();
+  if (trimmed === "") {
+    throw new Error("Secret scope must be non-empty; omit scope for global secrets.");
+  }
+  const canonical = trimmed.toLowerCase().replace(/[^a-z0-9-]/g, "-").replace(/-+/g, "-").replace(/^-|-$/g, "");
+  if (canonical === "") {
+    throw new Error("Secret scope must contain at least one letter or number.");
+  }
+  if (RESERVED_SECRET_SCOPES.has(canonical)) {
+    throw new Error(
+      `Secret scope ${JSON.stringify(scope)} is reserved; omit scope for global secrets.`
+    );
+  }
+  return canonical;
+}
+function resolveSecretPath(name, options = {}) {
+  const normalizedName = name.trim();
+  if (!SECRET_NAME_RE.test(normalizedName)) {
+    throw new Error(
+      `Invalid secret name ${JSON.stringify(name)}. Secret names must match ${SECRET_NAME_RE.source}.`
+    );
+  }
+  const scope = canonicalizeSecretScope(options.scope);
+  const vaultKey = scope === void 0 ? `${SECRET_PREFIX}${normalizedName}` : `${SCOPED_SECRET_PREFIX}${scope}/${normalizedName}`;
+  return {
+    name: normalizedName,
+    ...scope !== void 0 ? { scope } : {},
+    vaultKey,
+    permissionPaths: {
+      keys: `keys/${vaultKey}`,
+      vault: `vault/${vaultKey}`
+    }
+  };
+}
+
+// src/secrets/SecretsService.ts
+function invalidSecretInput(message) {
+  return err({
+    code: ErrorCodes.INVALID_INPUT,
+    service: "secrets",
+    message
+  });
+}
+function resolveSecretPathResult(name, options) {
+  try {
+    return resolveSecretPath(name, options);
+  } catch (error) {
+    return invalidSecretInput(error instanceof Error ? error.message : String(error));
+  }
+}
+var SecretsService = class {
+  constructor(vault) {
+    this.getVault = typeof vault === "function" ? vault : () => vault;
+  }
+  get vault() {
+    return this.getVault();
+  }
+  get isUnlocked() {
+    return this.vault.isUnlocked;
+  }
+  unlock(signer) {
+    return this.vault.unlock(signer);
+  }
+  lock() {
+    this.vault.lock();
+  }
+  async get(name, options) {
+    const secretPath = resolveSecretPathResult(name, options);
+    if ("ok" in secretPath) return secretPath;
+    const result = await this.vault.get(secretPath.vaultKey);
+    if (!result.ok) {
+      return result;
+    }
+    return { ok: true, data: result.data.value.value };
+  }
+  async put(name, value, options) {
+    const secretPath = resolveSecretPathResult(name, options);
+    if ("ok" in secretPath) return secretPath;
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    return this.vault.put(secretPath.vaultKey, {
+      value,
+      createdAt: now,
+      updatedAt: now
+    });
+  }
+  async delete(name, options) {
+    const secretPath = resolveSecretPathResult(name, options);
+    if ("ok" in secretPath) return secretPath;
+    return this.vault.delete(secretPath.vaultKey);
+  }
+  async list(options) {
+    let prefix;
+    try {
+      const scope = canonicalizeSecretScope(options?.scope);
+      prefix = scope === void 0 ? "secrets/" : `secrets/scoped/${scope}/`;
+    } catch (error) {
+      return invalidSecretInput(error instanceof Error ? error.message : String(error));
+    }
+    const result = await this.vault.list({
+      prefix,
+      removePrefix: true
+    });
+    if (!result.ok) {
+      return result;
+    }
+    return {
+      ok: true,
+      data: result.data.filter((name) => SECRET_NAME_RE.test(name))
+    };
+  }
+};
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   BaseService,
@@ -3863,8 +3988,10 @@ function createVaultCrypto(wasm) {
   KVService,
   PrefixedKVService,
   RetryPolicySchema,
+  SECRET_NAME_RE,
   SQLAction,
   SQLService,
+  SecretsService,
   ServiceContext,
   ServiceErrorEventSchema,
   ServiceErrorSchema,
@@ -3880,6 +4007,7 @@ function createVaultCrypto(wasm) {
   authExpiredError,
   authRequiredError,
   authUnauthorizedError,
+  canonicalizeSecretScope,
   createKVResponseSchema,
   createResultSchema,
   createVaultCrypto,
@@ -3891,6 +4019,7 @@ function createVaultCrypto(wasm) {
   ok,
   parseAuthError,
   permissionDeniedError,
+  resolveSecretPath,
   serviceError,
   storageLimitReachedError,
   storageQuotaExceededError,