npm - @tinycloud/sdk-services - Versions diffs - 2.1.0 → 2.2.0-beta.12 - Mend

@tinycloud/sdk-services 2.1.0 → 2.2.0-beta.12

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

package/dist/index.d.cts CHANGED Viewed

@@ -2,7 +2,7 @@ import { I as IServiceContext, a as InvokeFunction, b as InvokeAnyFunction, F as
 export { E as ErrorCode, g as ErrorCodes, h as EventHandler, i as FetchRequestInit, j as FetchResponse, k as InvocationFact, l as InvocationFacts, m as InvokeAnyEntry, n as ServiceErrorEvent, o as ServiceHeaders, p as ServiceRequestEvent, q as ServiceResponseEvent, r as ServiceRetryEvent, T as TelemetryEvents, s as defaultRetryPolicy, t as err, u as ok, v as serviceError } from './BaseService-BiS6HRwE.cjs';
 import { z } from 'zod';
 import { IKVService } from './kv/index.cjs';
-export { IPrefixedKVService, KVAction, KVActionType, KVDeleteOptions, KVGetOptions, KVHeadOptions, KVListOptions, KVListResponse, KVPutOptions, KVResponse, KVResponseHeaders, KVService, KVServiceConfig, PrefixedKVService } from './kv/index.cjs';
+export { DEFAULT_SIGNED_READ_URL_EXPIRY_MS, IPrefixedKVService, KVAction, KVActionType, KVCreateSignedReadUrlOptions, KVDeleteOptions, KVGetOptions, KVHeadOptions, KVListOptions, KVListResponse, KVPutOptions, KVResponse, KVResponseHeaders, KVService, KVServiceConfig, KVSignedReadUrlResponse, PrefixedKVService } from './kv/index.cjs';
 export { BatchOptions, BatchResponse, DatabaseHandle, ExecuteOptions, ExecuteResponse, IDatabaseHandle, ISQLService, QueryOptions, QueryResponse, SQLAction, SQLActionType, SQLService, SQLServiceConfig, SqlStatement, SqlValue } from './sql/index.cjs';
 /**
@@ -1937,4 +1937,55 @@ interface WasmVaultFunctions {
 }
 declare function createVaultCrypto(wasm: WasmVaultFunctions): VaultCrypto;
-export { BaseService, type BaseServiceOptions, type ColumnInfo, type DataVaultConfig, DataVaultService, DuckDbAction, type DuckDbActionType, type DuckDbBatchOptions, type BatchResponse as DuckDbBatchResponse, DuckDbDatabaseHandle, type DuckDbExecuteOptions, type ExecuteResponse as DuckDbExecuteResponse, type DuckDbOptions, type DuckDbQueryOptions, type QueryResponse as DuckDbQueryResponse, DuckDbService, type DuckDbServiceConfig, type DuckDbStatement, type DuckDbValue, FetchFunction, GenericKVResponseSchema, type GenericKVResponseType, GenericResultSchema, type HookEvent, type HookServiceName, type HookStreamEvent, type HookSubscription, type HookWebhookListOptions, type HookWebhookRecord, type HookWebhookRegistration, type HookWebhookScope, type HookWebhookUnregisterOptions, HooksService, type HooksServiceConfig, type IDataVaultService, type IDuckDbDatabaseHandle, type IDuckDbService, type IHooksService, IKVService, IService, IServiceContext, InvokeAnyFunction, InvokeFunction, KVListResponseSchema, type KVListResponseType, KVListResultSchema, type KVListResultType, KVResponseHeadersSchema, type KVResponseHeadersType, type QuotaConfig, type QuotaStatus, Result, RetryPolicy, RetryPolicySchema, type RetryPolicyType, type SchemaInfo, type ServiceConstructor, ServiceContext, type ServiceContextConfig, ServiceError, ServiceErrorEventSchema, type ServiceErrorEventType, ServiceErrorSchema, type ServiceErrorType, type ServiceRegistration, ServiceRequestEventSchema, type ServiceRequestEventType, ServiceResponseEventSchema, type ServiceResponseEventType, ServiceRetryEventSchema, type ServiceRetryEventType, ServiceSession, ServiceSessionSchema, type ServiceSessionType, StorageQuotaInfo, type SubscribeOptions, type TableInfo, TinyCloudQuota, type ValidationError, type VaultCrypto, type VaultEntry, type VaultError, type VaultGetOptions, type VaultGrantOptions, VaultHeaders, type VaultListOptions, VaultPublicSpaceKVActions, type VaultPutOptions, type ViewInfo, type WasmVaultFunctions, abortedError, authExpiredError, authRequiredError, authUnauthorizedError, createKVResponseSchema, createResultSchema, createVaultCrypto, errorResult, networkError, notFoundError, parseAuthError, permissionDeniedError, storageLimitReachedError, storageQuotaExceededError, timeoutError, validateKVListResponse, validateKVResponseHeaders, validateRetryPolicy, validateServiceError, validateServiceRequestEvent, validateServiceResponseEvent, validateServiceSession, wrapError };
+declare const SECRET_NAME_RE: RegExp;
+interface SecretScopeOptions {
+    /** Optional logical scope. Omit for the global secret namespace. */
+    scope?: string;
+}
+interface ResolvedSecretPath {
+    /** Canonical env-style secret name. */
+    name: string;
+    /** Canonical scope. Undefined means global. */
+    scope?: string;
+    /** Key passed to the data vault service. */
+    vaultKey: string;
+    /** KV permission paths that back the encrypted vault entry. */
+    permissionPaths: {
+        keys: string;
+        vault: string;
+    };
+}
+declare function canonicalizeSecretScope(scope: string | undefined): string | undefined;
+declare function resolveSecretPath(name: string, options?: SecretScopeOptions): ResolvedSecretPath;
+interface SecretPayload {
+    value: string;
+    createdAt: string;
+    updatedAt: string;
+}
+type SecretsError = VaultError | ServiceError;
+interface ISecretsService {
+    readonly vault: IDataVaultService;
+    unlock(signer?: unknown): Promise<Result<void, VaultError>>;
+    lock(): void;
+    readonly isUnlocked: boolean;
+    get(name: string, options?: SecretScopeOptions): Promise<Result<string, SecretsError>>;
+    put(name: string, value: string, options?: SecretScopeOptions): Promise<Result<void, SecretsError>>;
+    delete(name: string, options?: SecretScopeOptions): Promise<Result<void, SecretsError>>;
+    list(options?: SecretScopeOptions): Promise<Result<string[], SecretsError>>;
+}
+declare class SecretsService implements ISecretsService {
+    private readonly getVault;
+    constructor(vault: IDataVaultService | (() => IDataVaultService));
+    get vault(): IDataVaultService;
+    get isUnlocked(): boolean;
+    unlock(signer?: unknown): Promise<Result<void, VaultError>>;
+    lock(): void;
+    get(name: string, options?: SecretScopeOptions): Promise<Result<string, SecretsError>>;
+    put(name: string, value: string, options?: SecretScopeOptions): Promise<Result<void, SecretsError>>;
+    delete(name: string, options?: SecretScopeOptions): Promise<Result<void, SecretsError>>;
+    list(options?: SecretScopeOptions): Promise<Result<string[], SecretsError>>;
+}
+export { BaseService, type BaseServiceOptions, type ColumnInfo, type DataVaultConfig, DataVaultService, DuckDbAction, type DuckDbActionType, type DuckDbBatchOptions, type BatchResponse as DuckDbBatchResponse, DuckDbDatabaseHandle, type DuckDbExecuteOptions, type ExecuteResponse as DuckDbExecuteResponse, type DuckDbOptions, type DuckDbQueryOptions, type QueryResponse as DuckDbQueryResponse, DuckDbService, type DuckDbServiceConfig, type DuckDbStatement, type DuckDbValue, FetchFunction, GenericKVResponseSchema, type GenericKVResponseType, GenericResultSchema, type HookEvent, type HookServiceName, type HookStreamEvent, type HookSubscription, type HookWebhookListOptions, type HookWebhookRecord, type HookWebhookRegistration, type HookWebhookScope, type HookWebhookUnregisterOptions, HooksService, type HooksServiceConfig, type IDataVaultService, type IDuckDbDatabaseHandle, type IDuckDbService, type IHooksService, IKVService, type ISecretsService, IService, IServiceContext, InvokeAnyFunction, InvokeFunction, KVListResponseSchema, type KVListResponseType, KVListResultSchema, type KVListResultType, KVResponseHeadersSchema, type KVResponseHeadersType, type QuotaConfig, type QuotaStatus, type ResolvedSecretPath, Result, RetryPolicy, RetryPolicySchema, type RetryPolicyType, SECRET_NAME_RE, type SchemaInfo, type SecretPayload, type SecretScopeOptions, type SecretsError, SecretsService, type ServiceConstructor, ServiceContext, type ServiceContextConfig, ServiceError, ServiceErrorEventSchema, type ServiceErrorEventType, ServiceErrorSchema, type ServiceErrorType, type ServiceRegistration, ServiceRequestEventSchema, type ServiceRequestEventType, ServiceResponseEventSchema, type ServiceResponseEventType, ServiceRetryEventSchema, type ServiceRetryEventType, ServiceSession, ServiceSessionSchema, type ServiceSessionType, StorageQuotaInfo, type SubscribeOptions, type TableInfo, TinyCloudQuota, type ValidationError, type VaultCrypto, type VaultEntry, type VaultError, type VaultGetOptions, type VaultGrantOptions, VaultHeaders, type VaultListOptions, VaultPublicSpaceKVActions, type VaultPutOptions, type ViewInfo, type WasmVaultFunctions, abortedError, authExpiredError, authRequiredError, authUnauthorizedError, canonicalizeSecretScope, createKVResponseSchema, createResultSchema, createVaultCrypto, errorResult, networkError, notFoundError, parseAuthError, permissionDeniedError, resolveSecretPath, storageLimitReachedError, storageQuotaExceededError, timeoutError, validateKVListResponse, validateKVResponseHeaders, validateRetryPolicy, validateServiceError, validateServiceRequestEvent, validateServiceResponseEvent, validateServiceSession, wrapError };

package/dist/index.d.ts CHANGED Viewed

@@ -2,7 +2,7 @@ import { I as IServiceContext, a as InvokeFunction, b as InvokeAnyFunction, F as
 export { E as ErrorCode, g as ErrorCodes, h as EventHandler, i as FetchRequestInit, j as FetchResponse, k as InvocationFact, l as InvocationFacts, m as InvokeAnyEntry, n as ServiceErrorEvent, o as ServiceHeaders, p as ServiceRequestEvent, q as ServiceResponseEvent, r as ServiceRetryEvent, T as TelemetryEvents, s as defaultRetryPolicy, t as err, u as ok, v as serviceError } from './BaseService-BiS6HRwE.js';
 import { z } from 'zod';
 import { IKVService } from './kv/index.js';
-export { IPrefixedKVService, KVAction, KVActionType, KVDeleteOptions, KVGetOptions, KVHeadOptions, KVListOptions, KVListResponse, KVPutOptions, KVResponse, KVResponseHeaders, KVService, KVServiceConfig, PrefixedKVService } from './kv/index.js';
+export { DEFAULT_SIGNED_READ_URL_EXPIRY_MS, IPrefixedKVService, KVAction, KVActionType, KVCreateSignedReadUrlOptions, KVDeleteOptions, KVGetOptions, KVHeadOptions, KVListOptions, KVListResponse, KVPutOptions, KVResponse, KVResponseHeaders, KVService, KVServiceConfig, KVSignedReadUrlResponse, PrefixedKVService } from './kv/index.js';
 export { BatchOptions, BatchResponse, DatabaseHandle, ExecuteOptions, ExecuteResponse, IDatabaseHandle, ISQLService, QueryOptions, QueryResponse, SQLAction, SQLActionType, SQLService, SQLServiceConfig, SqlStatement, SqlValue } from './sql/index.js';
 /**
@@ -1937,4 +1937,55 @@ interface WasmVaultFunctions {
 }
 declare function createVaultCrypto(wasm: WasmVaultFunctions): VaultCrypto;
-export { BaseService, type BaseServiceOptions, type ColumnInfo, type DataVaultConfig, DataVaultService, DuckDbAction, type DuckDbActionType, type DuckDbBatchOptions, type BatchResponse as DuckDbBatchResponse, DuckDbDatabaseHandle, type DuckDbExecuteOptions, type ExecuteResponse as DuckDbExecuteResponse, type DuckDbOptions, type DuckDbQueryOptions, type QueryResponse as DuckDbQueryResponse, DuckDbService, type DuckDbServiceConfig, type DuckDbStatement, type DuckDbValue, FetchFunction, GenericKVResponseSchema, type GenericKVResponseType, GenericResultSchema, type HookEvent, type HookServiceName, type HookStreamEvent, type HookSubscription, type HookWebhookListOptions, type HookWebhookRecord, type HookWebhookRegistration, type HookWebhookScope, type HookWebhookUnregisterOptions, HooksService, type HooksServiceConfig, type IDataVaultService, type IDuckDbDatabaseHandle, type IDuckDbService, type IHooksService, IKVService, IService, IServiceContext, InvokeAnyFunction, InvokeFunction, KVListResponseSchema, type KVListResponseType, KVListResultSchema, type KVListResultType, KVResponseHeadersSchema, type KVResponseHeadersType, type QuotaConfig, type QuotaStatus, Result, RetryPolicy, RetryPolicySchema, type RetryPolicyType, type SchemaInfo, type ServiceConstructor, ServiceContext, type ServiceContextConfig, ServiceError, ServiceErrorEventSchema, type ServiceErrorEventType, ServiceErrorSchema, type ServiceErrorType, type ServiceRegistration, ServiceRequestEventSchema, type ServiceRequestEventType, ServiceResponseEventSchema, type ServiceResponseEventType, ServiceRetryEventSchema, type ServiceRetryEventType, ServiceSession, ServiceSessionSchema, type ServiceSessionType, StorageQuotaInfo, type SubscribeOptions, type TableInfo, TinyCloudQuota, type ValidationError, type VaultCrypto, type VaultEntry, type VaultError, type VaultGetOptions, type VaultGrantOptions, VaultHeaders, type VaultListOptions, VaultPublicSpaceKVActions, type VaultPutOptions, type ViewInfo, type WasmVaultFunctions, abortedError, authExpiredError, authRequiredError, authUnauthorizedError, createKVResponseSchema, createResultSchema, createVaultCrypto, errorResult, networkError, notFoundError, parseAuthError, permissionDeniedError, storageLimitReachedError, storageQuotaExceededError, timeoutError, validateKVListResponse, validateKVResponseHeaders, validateRetryPolicy, validateServiceError, validateServiceRequestEvent, validateServiceResponseEvent, validateServiceSession, wrapError };
+declare const SECRET_NAME_RE: RegExp;
+interface SecretScopeOptions {
+    /** Optional logical scope. Omit for the global secret namespace. */
+    scope?: string;
+}
+interface ResolvedSecretPath {
+    /** Canonical env-style secret name. */
+    name: string;
+    /** Canonical scope. Undefined means global. */
+    scope?: string;
+    /** Key passed to the data vault service. */
+    vaultKey: string;
+    /** KV permission paths that back the encrypted vault entry. */
+    permissionPaths: {
+        keys: string;
+        vault: string;
+    };
+}
+declare function canonicalizeSecretScope(scope: string | undefined): string | undefined;
+declare function resolveSecretPath(name: string, options?: SecretScopeOptions): ResolvedSecretPath;
+interface SecretPayload {
+    value: string;
+    createdAt: string;
+    updatedAt: string;
+}
+type SecretsError = VaultError | ServiceError;
+interface ISecretsService {
+    readonly vault: IDataVaultService;
+    unlock(signer?: unknown): Promise<Result<void, VaultError>>;
+    lock(): void;
+    readonly isUnlocked: boolean;
+    get(name: string, options?: SecretScopeOptions): Promise<Result<string, SecretsError>>;
+    put(name: string, value: string, options?: SecretScopeOptions): Promise<Result<void, SecretsError>>;
+    delete(name: string, options?: SecretScopeOptions): Promise<Result<void, SecretsError>>;
+    list(options?: SecretScopeOptions): Promise<Result<string[], SecretsError>>;
+}
+declare class SecretsService implements ISecretsService {
+    private readonly getVault;
+    constructor(vault: IDataVaultService | (() => IDataVaultService));
+    get vault(): IDataVaultService;
+    get isUnlocked(): boolean;
+    unlock(signer?: unknown): Promise<Result<void, VaultError>>;
+    lock(): void;
+    get(name: string, options?: SecretScopeOptions): Promise<Result<string, SecretsError>>;
+    put(name: string, value: string, options?: SecretScopeOptions): Promise<Result<void, SecretsError>>;
+    delete(name: string, options?: SecretScopeOptions): Promise<Result<void, SecretsError>>;
+    list(options?: SecretScopeOptions): Promise<Result<string[], SecretsError>>;
+}
+export { BaseService, type BaseServiceOptions, type ColumnInfo, type DataVaultConfig, DataVaultService, DuckDbAction, type DuckDbActionType, type DuckDbBatchOptions, type BatchResponse as DuckDbBatchResponse, DuckDbDatabaseHandle, type DuckDbExecuteOptions, type ExecuteResponse as DuckDbExecuteResponse, type DuckDbOptions, type DuckDbQueryOptions, type QueryResponse as DuckDbQueryResponse, DuckDbService, type DuckDbServiceConfig, type DuckDbStatement, type DuckDbValue, FetchFunction, GenericKVResponseSchema, type GenericKVResponseType, GenericResultSchema, type HookEvent, type HookServiceName, type HookStreamEvent, type HookSubscription, type HookWebhookListOptions, type HookWebhookRecord, type HookWebhookRegistration, type HookWebhookScope, type HookWebhookUnregisterOptions, HooksService, type HooksServiceConfig, type IDataVaultService, type IDuckDbDatabaseHandle, type IDuckDbService, type IHooksService, IKVService, type ISecretsService, IService, IServiceContext, InvokeAnyFunction, InvokeFunction, KVListResponseSchema, type KVListResponseType, KVListResultSchema, type KVListResultType, KVResponseHeadersSchema, type KVResponseHeadersType, type QuotaConfig, type QuotaStatus, type ResolvedSecretPath, Result, RetryPolicy, RetryPolicySchema, type RetryPolicyType, SECRET_NAME_RE, type SchemaInfo, type SecretPayload, type SecretScopeOptions, type SecretsError, SecretsService, type ServiceConstructor, ServiceContext, type ServiceContextConfig, ServiceError, ServiceErrorEventSchema, type ServiceErrorEventType, ServiceErrorSchema, type ServiceErrorType, type ServiceRegistration, ServiceRequestEventSchema, type ServiceRequestEventType, ServiceResponseEventSchema, type ServiceResponseEventType, ServiceRetryEventSchema, type ServiceRetryEventType, ServiceSession, ServiceSessionSchema, type ServiceSessionType, StorageQuotaInfo, type SubscribeOptions, type TableInfo, TinyCloudQuota, type ValidationError, type VaultCrypto, type VaultEntry, type VaultError, type VaultGetOptions, type VaultGrantOptions, VaultHeaders, type VaultListOptions, VaultPublicSpaceKVActions, type VaultPutOptions, type ViewInfo, type WasmVaultFunctions, abortedError, authExpiredError, authRequiredError, authUnauthorizedError, canonicalizeSecretScope, createKVResponseSchema, createResultSchema, createVaultCrypto, errorResult, networkError, notFoundError, parseAuthError, permissionDeniedError, resolveSecretPath, storageLimitReachedError, storageQuotaExceededError, timeoutError, validateKVListResponse, validateKVResponseHeaders, validateRetryPolicy, validateServiceError, validateServiceRequestEvent, validateServiceResponseEvent, validateServiceSession, wrapError };

package/dist/index.js CHANGED Viewed

@@ -818,6 +818,13 @@ var PrefixedKVService = class _PrefixedKVService {
     const fullKey = this.getFullKey(key);
     return this._kv.head(fullKey, { ...options, prefix: "" });
   }
+  /**
+   * Create a short-lived signed URL for reading a KV object.
+   */
+  async createSignedReadUrl(key, options) {
+    const fullKey = this.getFullKey(key);
+    return this._kv.createSignedReadUrl(fullKey, { ...options, prefix: "" });
+  }
   /**
    * Create a nested prefix-scoped view.
    */
@@ -829,6 +836,7 @@ var PrefixedKVService = class _PrefixedKVService {
 };
 // src/kv/types.ts
+var DEFAULT_SIGNED_READ_URL_EXPIRY_MS = 5 * 60 * 1e3;
 var KVAction = {
   GET: "tinycloud.kv/get",
   PUT: "tinycloud.kv/put",
@@ -913,6 +921,15 @@ var KVService = class extends BaseService {
   get host() {
     return this.context.hosts[0];
   }
+  withJsonContentType(headers) {
+    if (Array.isArray(headers)) {
+      return [...headers, ["content-type", "application/json"]];
+    }
+    return {
+      ...headers,
+      "content-type": "application/json"
+    };
+  }
   /**
    * Execute an invoke operation.
    *
@@ -982,6 +999,48 @@ var KVService = class extends BaseService {
       return text;
     }
   }
+  async createSignedReadUrlError(response, key) {
+    let errorText = response.statusText;
+    try {
+      const text = await response.text();
+      if (text) {
+        errorText = text;
+      }
+    } catch {
+    }
+    if (response.status === 401 || response.status === 403) {
+      const { resource, action } = parseAuthError(errorText);
+      return err(authUnauthorizedError("kv", errorText, {
+        status: response.status,
+        ...action && { requiredAction: action },
+        ...resource && { resource }
+      }));
+    }
+    const code = response.status === 400 ? ErrorCodes.INVALID_INPUT : ErrorCodes.NETWORK_ERROR;
+    return err(
+      serviceError(
+        code,
+        `Failed to create signed read URL for key "${key}": ${response.status} - ${errorText}`,
+        "kv",
+        { meta: { status: response.status, statusText: response.statusText } }
+      )
+    );
+  }
+  normalizeSignedReadUrlResponse(data) {
+    if (!data || typeof data !== "object") {
+      return void 0;
+    }
+    const response = data;
+    if (typeof response.url !== "string" || typeof response.ticketId !== "string" || typeof response.expiresAt !== "string") {
+      return void 0;
+    }
+    return {
+      url: new URL(response.url, this.host).toString(),
+      relativeUrl: response.url,
+      ticketId: response.ticketId,
+      expiresAt: response.expiresAt
+    };
+  }
   /**
    * Get a value by key.
    */
@@ -1254,6 +1313,61 @@ var KVService = class extends BaseService {
       }
     });
   }
+  /**
+   * Create a short-lived signed URL for reading a KV object.
+   */
+  async createSignedReadUrl(key, options) {
+    return this.withTelemetry("createSignedReadUrl", key, async () => {
+      if (!this.requireAuth()) {
+        return err(authRequiredError("kv"));
+      }
+      const path = this.getFullPath(key, options?.prefix);
+      const session = this.context.session;
+      const headers = this.context.invoke(
+        session,
+        "kv",
+        path,
+        KVAction.GET
+      );
+      const body = {
+        space: session.spaceId,
+        path,
+        ttl_seconds: options?.expiresInSeconds ?? Math.ceil(DEFAULT_SIGNED_READ_URL_EXPIRY_MS / 1e3)
+      };
+      if (options?.contentHash !== void 0) {
+        body.content_hash = options.contentHash;
+      }
+      if (options?.etag !== void 0) {
+        body.etag = options.etag;
+      }
+      try {
+        const response = await this.context.fetch(`${this.host}/signed/kv`, {
+          method: "POST",
+          headers: this.withJsonContentType(headers),
+          body: JSON.stringify(body),
+          signal: this.combineSignals(options?.signal)
+        });
+        if (!response.ok) {
+          return this.createSignedReadUrlError(response, key);
+        }
+        const signedUrl = this.normalizeSignedReadUrlResponse(
+          await response.json()
+        );
+        if (!signedUrl) {
+          return err(
+            serviceError(
+              ErrorCodes.NETWORK_ERROR,
+              "Signed read URL response did not include url, ticketId, and expiresAt",
+              "kv"
+            )
+          );
+        }
+        return ok(signedUrl);
+      } catch (error) {
+        return err(wrapError("kv", error));
+      }
+    });
+  }
   /**
    * Create a prefix-scoped view of this KV service.
    *
@@ -3762,8 +3876,130 @@ function createVaultCrypto(wasm) {
     sha256: (data) => wasm.vault_sha256(data)
   };
 }
+// src/secrets/paths.ts
+var SECRET_NAME_RE = /^[A-Z][A-Z0-9_]*$/;
+var SECRET_PREFIX = "secrets/";
+var SCOPED_SECRET_PREFIX = "secrets/scoped/";
+var RESERVED_SECRET_SCOPES = /* @__PURE__ */ new Set(["default", "global"]);
+function canonicalizeSecretScope(scope) {
+  if (scope === void 0) {
+    return void 0;
+  }
+  const trimmed = scope.trim();
+  if (trimmed === "") {
+    throw new Error("Secret scope must be non-empty; omit scope for global secrets.");
+  }
+  const canonical = trimmed.toLowerCase().replace(/[^a-z0-9-]/g, "-").replace(/-+/g, "-").replace(/^-|-$/g, "");
+  if (canonical === "") {
+    throw new Error("Secret scope must contain at least one letter or number.");
+  }
+  if (RESERVED_SECRET_SCOPES.has(canonical)) {
+    throw new Error(
+      `Secret scope ${JSON.stringify(scope)} is reserved; omit scope for global secrets.`
+    );
+  }
+  return canonical;
+}
+function resolveSecretPath(name, options = {}) {
+  const normalizedName = name.trim();
+  if (!SECRET_NAME_RE.test(normalizedName)) {
+    throw new Error(
+      `Invalid secret name ${JSON.stringify(name)}. Secret names must match ${SECRET_NAME_RE.source}.`
+    );
+  }
+  const scope = canonicalizeSecretScope(options.scope);
+  const vaultKey = scope === void 0 ? `${SECRET_PREFIX}${normalizedName}` : `${SCOPED_SECRET_PREFIX}${scope}/${normalizedName}`;
+  return {
+    name: normalizedName,
+    ...scope !== void 0 ? { scope } : {},
+    vaultKey,
+    permissionPaths: {
+      keys: `keys/${vaultKey}`,
+      vault: `vault/${vaultKey}`
+    }
+  };
+}
+// src/secrets/SecretsService.ts
+function invalidSecretInput(message) {
+  return err({
+    code: ErrorCodes.INVALID_INPUT,
+    service: "secrets",
+    message
+  });
+}
+function resolveSecretPathResult(name, options) {
+  try {
+    return resolveSecretPath(name, options);
+  } catch (error) {
+    return invalidSecretInput(error instanceof Error ? error.message : String(error));
+  }
+}
+var SecretsService = class {
+  constructor(vault) {
+    this.getVault = typeof vault === "function" ? vault : () => vault;
+  }
+  get vault() {
+    return this.getVault();
+  }
+  get isUnlocked() {
+    return this.vault.isUnlocked;
+  }
+  unlock(signer) {
+    return this.vault.unlock(signer);
+  }
+  lock() {
+    this.vault.lock();
+  }
+  async get(name, options) {
+    const secretPath = resolveSecretPathResult(name, options);
+    if ("ok" in secretPath) return secretPath;
+    const result = await this.vault.get(secretPath.vaultKey);
+    if (!result.ok) {
+      return result;
+    }
+    return { ok: true, data: result.data.value.value };
+  }
+  async put(name, value, options) {
+    const secretPath = resolveSecretPathResult(name, options);
+    if ("ok" in secretPath) return secretPath;
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    return this.vault.put(secretPath.vaultKey, {
+      value,
+      createdAt: now,
+      updatedAt: now
+    });
+  }
+  async delete(name, options) {
+    const secretPath = resolveSecretPathResult(name, options);
+    if ("ok" in secretPath) return secretPath;
+    return this.vault.delete(secretPath.vaultKey);
+  }
+  async list(options) {
+    let prefix;
+    try {
+      const scope = canonicalizeSecretScope(options?.scope);
+      prefix = scope === void 0 ? "secrets/" : `secrets/scoped/${scope}/`;
+    } catch (error) {
+      return invalidSecretInput(error instanceof Error ? error.message : String(error));
+    }
+    const result = await this.vault.list({
+      prefix,
+      removePrefix: true
+    });
+    if (!result.ok) {
+      return result;
+    }
+    return {
+      ok: true,
+      data: result.data.filter((name) => SECRET_NAME_RE.test(name))
+    };
+  }
+};
 export {
   BaseService,
+  DEFAULT_SIGNED_READ_URL_EXPIRY_MS,
   DataVaultService,
   DatabaseHandle,
   DuckDbAction,
@@ -3780,8 +4016,10 @@ export {
   KVService,
   PrefixedKVService,
   RetryPolicySchema,
+  SECRET_NAME_RE,
   SQLAction,
   SQLService,
+  SecretsService,
   ServiceContext,
   ServiceErrorEventSchema,
   ServiceErrorSchema,
@@ -3797,6 +4035,7 @@ export {
   authExpiredError,
   authRequiredError,
   authUnauthorizedError,
+  canonicalizeSecretScope,
   createKVResponseSchema,
   createResultSchema,
   createVaultCrypto,
@@ -3808,6 +4047,7 @@ export {
   ok,
   parseAuthError,
   permissionDeniedError,
+  resolveSecretPath,
   serviceError,
   storageLimitReachedError,
   storageQuotaExceededError,