@vibesdotdev/infra-doks 0.0.1

package/dist/secrets/vault.descriptor.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Vault Backend Descriptor
+ *
+ * HashiCorp Vault KV v2 secrets store for staging/production.
+ * Only available on cloud hardware (inside K8s cluster).
+ */
+import type { SecretsStoreDescriptor } from '@vibesdotdev/secrets/kinds/store.schema';
+declare const descriptor: SecretsStoreDescriptor;
+export default descriptor;
+//# sourceMappingURL=vault.descriptor.d.ts.map

package/dist/secrets/vault.descriptor.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"vault.descriptor.d.ts","sourceRoot":"","sources":["../../src/secrets/vault.descriptor.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,yCAAyC,CAAC;AAEtF,QAAA,MAAM,UAAU,EAAE,sBAgBjB,CAAC;AAEF,eAAe,UAAU,CAAC"}

package/dist/secrets/vault.descriptor.js

@@ -0,0 +1,25 @@
+/**
+ * Vault Backend Descriptor
+ *
+ * HashiCorp Vault KV v2 secrets store for staging/production.
+ * Only available on cloud hardware (inside K8s cluster).
+ */
+const descriptor = {
+    id: 'vault',
+    kind: 'secrets/store',
+    name: 'HashiCorp Vault',
+    description: 'Vault KV v2 secrets engine for K8s-deployed environments',
+    tags: ['remote', 'vault', 'kubernetes'],
+    enabled: true,
+    hardware: ['cloud'],
+    backend: 'vault',
+    tiers: ['staging', 'production'],
+    priority: 30,
+    config: {
+        address: 'http://vault.observability.svc.cluster.local:8200',
+        mount: 'staging',
+        authMethod: 'kubernetes'
+    }
+};
+export default descriptor;
+//# sourceMappingURL=vault.descriptor.js.map

package/dist/secrets/vault.descriptor.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"vault.descriptor.js","sourceRoot":"","sources":["../../src/secrets/vault.descriptor.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,MAAM,UAAU,GAA2B;IAC1C,EAAE,EAAE,OAAO;IACX,IAAI,EAAE,eAAe;IACrB,IAAI,EAAE,iBAAiB;IACvB,WAAW,EAAE,0DAA0D;IACvE,IAAI,EAAE,CAAC,QAAQ,EAAE,OAAO,EAAE,YAAY,CAAC;IACvC,OAAO,EAAE,IAAI;IACb,QAAQ,EAAE,CAAC,OAAO,CAAC;IACnB,OAAO,EAAE,OAAO;IAChB,KAAK,EAAE,CAAC,SAAS,EAAE,YAAY,CAAC;IAChC,QAAQ,EAAE,EAAE;IACZ,MAAM,EAAE;QACP,OAAO,EAAE,mDAAmD;QAC5D,KAAK,EAAE,SAAS;QAChB,UAAU,EAAE,YAAY;KACxB;CACD,CAAC;AAEF,eAAe,UAAU,CAAC"}

package/dist/secrets/vault.impl.cloud.d.ts

@@ -0,0 +1,40 @@
+/**
+ * HashiCorp Vault KV v2 HTTP Client
+ *
+ * Communicates with Vault's KV v2 secrets engine.
+ * Supports Kubernetes auth (service account) and token auth.
+ */
+export interface VaultClientConfig {
+    address: string;
+    mount: string;
+    token?: string;
+}
+/** Read all key-value pairs at a path */
+export declare function readKVSecret(config: VaultClientConfig, path: string): Promise<Record<string, string>>;
+/** Write key-value pairs to a path (merges with existing) */
+export declare function writeKVSecret(config: VaultClientConfig, path: string, data: Record<string, string>): Promise<void>;
+/** Delete a specific key from a path (read, remove key, write back) */
+export declare function deleteKVKey(config: VaultClientConfig, path: string, key: string): Promise<void>;
+/** List sub-paths under a given path */
+export declare function listKVPaths(config: VaultClientConfig, path: string): Promise<string[]>;
+export interface VaultSealStatus {
+    type: string;
+    initialized: boolean;
+    sealed: boolean;
+    t: number;
+    n: number;
+    progress: number;
+    nonce: string;
+    version: string;
+}
+export interface VaultUnsealOptions {
+    address?: string;
+    ingressIp?: string;
+    dryRun?: boolean;
+    keys?: string[];
+    log?: (message: string) => void;
+    error?: (message: string) => void;
+}
+export declare function collectVaultUnsealKeysFromEnv(maxKeys?: number): string[];
+export declare function unsealVault(options?: VaultUnsealOptions): Promise<VaultSealStatus>;
+//# sourceMappingURL=vault.impl.cloud.d.ts.map

package/dist/secrets/vault.impl.cloud.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"vault.impl.cloud.d.ts","sourceRoot":"","sources":["../../src/secrets/vault.impl.cloud.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,MAAM,WAAW,iBAAiB;IACjC,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,MAAM,CAAC;CACf;AAgED,yCAAyC;AACzC,wBAAsB,YAAY,CACjC,MAAM,EAAE,iBAAiB,EACzB,IAAI,EAAE,MAAM,GACV,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAMjC;AAED,6DAA6D;AAC7D,wBAAsB,aAAa,CAClC,MAAM,EAAE,iBAAiB,EACzB,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAC1B,OAAO,CAAC,IAAI,CAAC,CAKf;AAED,uEAAuE;AACvE,wBAAsB,WAAW,CAChC,MAAM,EAAE,iBAAiB,EACzB,IAAI,EAAE,MAAM,EACZ,GAAG,EAAE,MAAM,GACT,OAAO,CAAC,IAAI,CAAC,CAIf;AAED,wCAAwC;AACxC,wBAAsB,WAAW,CAChC,MAAM,EAAE,iBAAiB,EACzB,IAAI,EAAE,MAAM,GACV,OAAO,CAAC,MAAM,EAAE,CAAC,CAWnB;AAED,MAAM,WAAW,eAAe;IAC/B,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,OAAO,CAAC;IACrB,MAAM,EAAE,OAAO,CAAC;IAChB,CAAC,EAAE,MAAM,CAAC;IACV,CAAC,EAAE,MAAM,CAAC;IACV,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,kBAAkB;IAClC,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;IAChB,GAAG,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,IAAI,CAAC;IAChC,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,IAAI,CAAC;CAClC;AAuDD,wBAAgB,6BAA6B,CAAC,OAAO,SAAI,GAAG,MAAM,EAAE,CAOnE;AAED,wBAAsB,WAAW,CAAC,OAAO,GAAE,kBAAuB,GAAG,OAAO,CAAC,eAAe,CAAC,CAkE5F"}

package/dist/secrets/vault.impl.cloud.js

@@ -0,0 +1,178 @@
+/**
+ * HashiCorp Vault KV v2 HTTP Client
+ *
+ * Communicates with Vault's KV v2 secrets engine.
+ * Supports Kubernetes auth (service account) and token auth.
+ */
+import { readFile } from 'node:fs/promises';
+const K8S_TOKEN_PATH = '/var/run/secrets/kubernetes.io/serviceaccount/token';
+const K8S_AUTH_MOUNT = 'kubernetes';
+async function getVaultToken(config) {
+    if (config.token)
+        return config.token;
+    if (process.env.VAULT_TOKEN)
+        return process.env.VAULT_TOKEN;
+    // Kubernetes auth: exchange service account JWT for Vault token
+    try {
+        const jwt = await readFile(K8S_TOKEN_PATH, 'utf-8');
+        const role = process.env.VAULT_K8S_ROLE ?? 'staging-app';
+        const res = await fetch(`${config.address}/v1/auth/${K8S_AUTH_MOUNT}/login`, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({ jwt, role })
+        });
+        if (!res.ok) {
+            throw new Error(`Vault K8s auth failed: ${res.status}`);
+        }
+        const data = (await res.json());
+        return data.auth.client_token;
+    }
+    catch (e) {
+        throw new Error(`Cannot authenticate to Vault: ${e}. Set VAULT_TOKEN or run inside K8s.`);
+    }
+}
+async function vaultFetch(config, path, init) {
+    const token = await getVaultToken(config);
+    const url = `${config.address}${path}`;
+    const res = await fetch(url, {
+        ...init,
+        headers: {
+            'X-Vault-Token': token,
+            'Content-Type': 'application/json',
+            ...(init?.headers ?? {})
+        }
+    });
+    if (!res.ok) {
+        const body = await res.text();
+        throw new Error(`Vault API error (${res.status}): ${body}`);
+    }
+    return (await res.json());
+}
+/** Read all key-value pairs at a path */
+export async function readKVSecret(config, path) {
+    const res = await vaultFetch(config, `/v1/${config.mount}/data/${path}`);
+    return res.data.data;
+}
+/** Write key-value pairs to a path (merges with existing) */
+export async function writeKVSecret(config, path, data) {
+    await vaultFetch(config, `/v1/${config.mount}/data/${path}`, {
+        method: 'POST',
+        body: JSON.stringify({ data })
+    });
+}
+/** Delete a specific key from a path (read, remove key, write back) */
+export async function deleteKVKey(config, path, key) {
+    const current = await readKVSecret(config, path);
+    delete current[key];
+    await writeKVSecret(config, path, current);
+}
+/** List sub-paths under a given path */
+export async function listKVPaths(config, path) {
+    try {
+        const res = await vaultFetch(config, `/v1/${config.mount}/metadata/${path}`, { method: 'LIST' });
+        return res.data.keys;
+    }
+    catch {
+        return [];
+    }
+}
+const DEFAULT_VAULT_ADDR = 'https://vault.vibes.dev';
+function hostFor(address) {
+    return new URL(address).host;
+}
+async function vaultOperatorFetch(address, ingressIp, path, init) {
+    const url = ingressIp
+        ? `${address.replace(hostFor(address), ingressIp)}${path}`
+        : `${address}${path}`;
+    const headers = new Headers(init?.headers);
+    if (ingressIp)
+        headers.set('Host', hostFor(address));
+    headers.set('Content-Type', 'application/json');
+    const res = await fetch(url, { ...init, headers });
+    if (!res.ok) {
+        const body = await res.text();
+        throw new Error(`Vault ${path} failed (${res.status}): ${body}`);
+    }
+    return (await res.json());
+}
+async function getSealStatus(address, ingressIp) {
+    return vaultOperatorFetch(address, ingressIp, '/v1/sys/seal-status');
+}
+async function submitUnsealKey(address, ingressIp, key) {
+    return vaultOperatorFetch(address, ingressIp, '/v1/sys/unseal', {
+        method: 'POST',
+        body: JSON.stringify({ key })
+    });
+}
+async function resetUnsealProgress(address, ingressIp) {
+    await vaultOperatorFetch(address, ingressIp, '/v1/sys/unseal', {
+        method: 'POST',
+        body: JSON.stringify({ reset: true })
+    });
+}
+export function collectVaultUnsealKeysFromEnv(maxKeys = 5) {
+    const keys = [];
+    for (let i = 1; i <= maxKeys; i++) {
+        const key = process.env[`VAULT_UNSEAL_KEY_${i}`];
+        if (key && key.length > 0)
+            keys.push(key);
+    }
+    return keys;
+}
+export async function unsealVault(options = {}) {
+    const address = options.address ?? process.env.VAULT_ADDR ?? DEFAULT_VAULT_ADDR;
+    const ingressIp = options.ingressIp ?? process.env.VAULT_INGRESS_IP;
+    const dryRun = options.dryRun === true;
+    const log = options.log ?? console.log;
+    const error = options.error ?? console.error;
+    const keys = options.keys ?? collectVaultUnsealKeysFromEnv();
+    log('\n=== Unseal Vault ===');
+    log(`  Address: ${address}`);
+    if (ingressIp)
+        log(`  Ingress override: ${ingressIp}`);
+    log(`  Dry run: ${dryRun}\n`);
+    let status = await getSealStatus(address, ingressIp);
+    log(`  Initialized: ${status.initialized}`);
+    log(`  Sealed:      ${status.sealed}`);
+    log(`  Threshold:   ${status.t} of ${status.n}`);
+    log(`  Progress:    ${status.progress}/${status.t}\n`);
+    if (!status.initialized) {
+        throw new Error('Vault is not initialized. Run `vault operator init` first.');
+    }
+    if (!status.sealed) {
+        log('  ✓ Vault already unsealed — nothing to do.\n');
+        return status;
+    }
+    if (keys.length < status.t) {
+        throw new Error(`Need ${status.t} unseal keys, have ${keys.length} (set VAULT_UNSEAL_KEY_1..${status.t}).`);
+    }
+    if (dryRun) {
+        log(`  [dry-run] Would submit ${status.t} of ${keys.length} available keys.\n`);
+        return status;
+    }
+    if (status.progress > 0) {
+        log('  Resetting prior partial-unseal progress...');
+        await resetUnsealProgress(address, ingressIp);
+    }
+    let submitted = 0;
+    for (const key of keys) {
+        if (!status.sealed)
+            break;
+        try {
+            status = await submitUnsealKey(address, ingressIp, key);
+            submitted++;
+            log(`  ✓ Key ${submitted} accepted — progress ${status.progress}/${status.t}, sealed=${status.sealed}`);
+        }
+        catch (err) {
+            error(`  ✗ Key ${submitted + 1} rejected: ${err.message}`);
+        }
+    }
+    if (status.sealed) {
+        error(`\n  Vault still sealed after submitting ${submitted} keys.`);
+        await resetUnsealProgress(address, ingressIp);
+        throw new Error('Unseal failed — keys may be wrong or out of order.');
+    }
+    log(`\n  ✓ Vault unsealed (used ${submitted} keys).\n`);
+    return status;
+}
+//# sourceMappingURL=vault.impl.cloud.js.map

package/dist/secrets/vault.impl.cloud.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"vault.impl.cloud.js","sourceRoot":"","sources":["../../src/secrets/vault.impl.cloud.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAQ5C,MAAM,cAAc,GAAG,qDAAqD,CAAC;AAC7E,MAAM,cAAc,GAAG,YAAY,CAAC;AAEpC,KAAK,UAAU,aAAa,CAAC,MAAyB;IACrD,IAAI,MAAM,CAAC,KAAK;QAAE,OAAO,MAAM,CAAC,KAAK,CAAC;IACtC,IAAI,OAAO,CAAC,GAAG,CAAC,WAAW;QAAE,OAAO,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC;IAE5D,gEAAgE;IAChE,IAAI,CAAC;QACJ,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,cAAc,EAAE,OAAO,CAAC,CAAC;QACpD,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,aAAa,CAAC;QAEzD,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,MAAM,CAAC,OAAO,YAAY,cAAc,QAAQ,EAAE;YAC5E,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,IAAI,EAAE,CAAC;SACnC,CAAC,CAAC;QAEH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACb,MAAM,IAAI,KAAK,CAAC,0BAA0B,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;QACzD,CAAC;QAED,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAuC,CAAC;QACtE,OAAO,IAAI,CAAC,IAAI,CAAC,YAAY,CAAC;IAC/B,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACZ,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,sCAAsC,CAAC,CAAC;IAC3F,CAAC;AACF,CAAC;AAED,KAAK,UAAU,UAAU,CACxB,MAAyB,EACzB,IAAY,EACZ,IAAkB;IAElB,MAAM,KAAK,GAAG,MAAM,aAAa,CAAC,MAAM,CAAC,CAAC;IAC1C,MAAM,GAAG,GAAG,GAAG,MAAM,CAAC,OAAO,GAAG,IAAI,EAAE,CAAC;IAEvC,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;QAC5B,GAAG,IAAI;QACP,OAAO,EAAE;YACR,eAAe,EAAE,KAAK;YACtB,cAAc,EAAE,kBAAkB;YAClC,GAAG,CAAC,IAAI,EAAE,OAAO,IAAI,EAAE,CAAC;SACxB;KACD,CAAC,CAAC;IAEH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACb,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,oBAAoB,GAAG,CAAC,MAAM,MAAM,IAAI,EAAE,CAAC,CAAC;IAC7D,CAAC;IAED,OAAO,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAM,CAAC;AAChC,CAAC;AAUD,yCAAyC;AACzC,MAAM,CAAC,KAAK,UAAU,YAAY,CACjC,MAAyB,EACzB,IAAY;IAEZ,MAAM,GAAG,GAAG,MAAM,UAAU,CAC3B,MAAM,EACN,OAAO,MAAM,CAAC,KAAK,SAAS,IAAI,EAAE,CAClC,CAAC;IACF,OAAO,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC;AACtB,CAAC;AAED,6DAA6D;AAC7D,MAAM,CAAC,KAAK,UAAU,aAAa,CAClC,MAAyB,EACzB,IAAY,EACZ,IAA4B;IAE5B,MAAM,UAAU,CAAC,MAAM,EAAE,OAAO,MAAM,CAAC,KAAK,SAAS,IAAI,EAAE,EAAE;QAC5D,MAAM,EAAE,MAAM;QACd,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,IAAI,EAAE,CAAC;KAC9B,CAAC,CAAC;AACJ,CAAC;AAED,uEAAuE;AACvE,MAAM,CAAC,KAAK,UAAU,WAAW,CAChC,MAAyB,EACzB,IAAY,EACZ,GAAW;IAEX,MAAM,OAAO,GAAG,MAAM,YAAY,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;IACjD,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC;IACpB,MAAM,aAAa,CAAC,MAAM,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC;AAC5C,CAAC;AAED,wCAAwC;AACxC,MAAM,CAAC,KAAK,UAAU,WAAW,CAChC,MAAyB,EACzB,IAAY;IAEZ,IAAI,CAAC;QACJ,MAAM,GAAG,GAAG,MAAM,UAAU,CAC3B,MAAM,EACN,OAAO,MAAM,CAAC,KAAK,aAAa,IAAI,EAAE,EACtC,EAAE,MAAM,EAAE,MAAM,EAAE,CAClB,CAAC;QACF,OAAO,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC;IACtB,CAAC;IAAC,MAAM,CAAC;QACR,OAAO,EAAE,CAAC;IACX,CAAC;AACF,CAAC;AAsBD,MAAM,kBAAkB,GAAG,yBAAyB,CAAC;AAErD,SAAS,OAAO,CAAC,OAAe;IAC/B,OAAO,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC;AAC9B,CAAC;AAED,KAAK,UAAU,kBAAkB,CAChC,OAAe,EACf,SAA6B,EAC7B,IAAY,EACZ,IAAkB;IAElB,MAAM,GAAG,GAAG,SAAS;QACpB,CAAC,CAAC,GAAG,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,SAAS,CAAC,GAAG,IAAI,EAAE;QAC1D,CAAC,CAAC,GAAG,OAAO,GAAG,IAAI,EAAE,CAAC;IAEvB,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IAC3C,IAAI,SAAS;QAAE,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC;IACrD,OAAO,CAAC,GAAG,CAAC,cAAc,EAAE,kBAAkB,CAAC,CAAC;IAEhD,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;IACnD,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACb,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,SAAS,IAAI,YAAY,GAAG,CAAC,MAAM,MAAM,IAAI,EAAE,CAAC,CAAC;IAClE,CAAC;IACD,OAAO,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAM,CAAC;AAChC,CAAC;AAED,KAAK,UAAU,aAAa,CAC3B,OAAe,EACf,SAA6B;IAE7B,OAAO,kBAAkB,CAAkB,OAAO,EAAE,SAAS,EAAE,qBAAqB,CAAC,CAAC;AACvF,CAAC;AAED,KAAK,UAAU,eAAe,CAC7B,OAAe,EACf,SAA6B,EAC7B,GAAW;IAEX,OAAO,kBAAkB,CAAkB,OAAO,EAAE,SAAS,EAAE,gBAAgB,EAAE;QAChF,MAAM,EAAE,MAAM;QACd,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,CAAC;KAC7B,CAAC,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,mBAAmB,CAAC,OAAe,EAAE,SAA6B;IAChF,MAAM,kBAAkB,CAAC,OAAO,EAAE,SAAS,EAAE,gBAAgB,EAAE;QAC9D,MAAM,EAAE,MAAM;QACd,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;KACrC,CAAC,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,6BAA6B,CAAC,OAAO,GAAG,CAAC;IACxD,MAAM,IAAI,GAAa,EAAE,CAAC;IAC1B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,OAAO,EAAE,CAAC,EAAE,EAAE,CAAC;QACnC,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,EAAE,CAAC,CAAC;QACjD,IAAI,GAAG,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC;YAAE,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC3C,CAAC;IACD,OAAO,IAAI,CAAC;AACb,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,UAA8B,EAAE;IACjE,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,OAAO,CAAC,GAAG,CAAC,UAAU,IAAI,kBAAkB,CAAC;IAChF,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC;IACpE,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,KAAK,IAAI,CAAC;IACvC,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG,CAAC;IACvC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,IAAI,OAAO,CAAC,KAAK,CAAC;IAC7C,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,IAAI,6BAA6B,EAAE,CAAC;IAE7D,GAAG,CAAC,wBAAwB,CAAC,CAAC;IAC9B,GAAG,CAAC,cAAc,OAAO,EAAE,CAAC,CAAC;IAC7B,IAAI,SAAS;QAAE,GAAG,CAAC,uBAAuB,SAAS,EAAE,CAAC,CAAC;IACvD,GAAG,CAAC,cAAc,MAAM,IAAI,CAAC,CAAC;IAE9B,IAAI,MAAM,GAAG,MAAM,aAAa,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;IACrD,GAAG,CAAC,kBAAkB,MAAM,CAAC,WAAW,EAAE,CAAC,CAAC;IAC5C,GAAG,CAAC,kBAAkB,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;IACvC,GAAG,CAAC,kBAAkB,MAAM,CAAC,CAAC,OAAO,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC;IACjD,GAAG,CAAC,kBAAkB,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC;IAEvD,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC;QACzB,MAAM,IAAI,KAAK,CAAC,4DAA4D,CAAC,CAAC;IAC/E,CAAC;IAED,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QACpB,GAAG,CAAC,+CAA+C,CAAC,CAAC;QACrD,OAAO,MAAM,CAAC;IACf,CAAC;IAED,IAAI,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC,CAAC,EAAE,CAAC;QAC5B,MAAM,IAAI,KAAK,CACd,QAAQ,MAAM,CAAC,CAAC,sBAAsB,IAAI,CAAC,MAAM,6BAA6B,MAAM,CAAC,CAAC,IAAI,CAC1F,CAAC;IACH,CAAC;IAED,IAAI,MAAM,EAAE,CAAC;QACZ,GAAG,CAAC,4BAA4B,MAAM,CAAC,CAAC,OAAO,IAAI,CAAC,MAAM,oBAAoB,CAAC,CAAC;QAChF,OAAO,MAAM,CAAC;IACf,CAAC;IAED,IAAI,MAAM,CAAC,QAAQ,GAAG,CAAC,EAAE,CAAC;QACzB,GAAG,CAAC,8CAA8C,CAAC,CAAC;QACpD,MAAM,mBAAmB,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;IAC/C,CAAC;IAED,IAAI,SAAS,GAAG,CAAC,CAAC;IAClB,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;QACxB,IAAI,CAAC,MAAM,CAAC,MAAM;YAAE,MAAM;QAC1B,IAAI,CAAC;YACJ,MAAM,GAAG,MAAM,eAAe,CAAC,OAAO,EAAE,SAAS,EAAE,GAAG,CAAC,CAAC;YACxD,SAAS,EAAE,CAAC;YACZ,GAAG,CACF,WAAW,SAAS,wBAAwB,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC,CAAC,YAAY,MAAM,CAAC,MAAM,EAAE,CAClG,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACd,KAAK,CAAC,WAAW,SAAS,GAAG,CAAC,cAAe,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;QACvE,CAAC;IACF,CAAC;IAED,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;QACnB,KAAK,CAAC,2CAA2C,SAAS,QAAQ,CAAC,CAAC;QACpE,MAAM,mBAAmB,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;QAC9C,MAAM,IAAI,KAAK,CAAC,oDAAoD,CAAC,CAAC;IACvE,CAAC;IAED,GAAG,CAAC,8BAA8B,SAAS,WAAW,CAAC,CAAC;IACxD,OAAO,MAAM,CAAC;AACf,CAAC"}

package/dist/secrets/vault.impl.d.ts

@@ -0,0 +1,29 @@
+/**
+ * Vault Backend Implementation
+ *
+ * Stores secrets in HashiCorp Vault KV v2 engine.
+ * Paths follow Helm chart conventions: {mount}/oauth, {mount}/app,
+ * {mount}/artifacts, {mount}/infrastructure.
+ *
+ * All secrets for an environment are stored under a single Vault path
+ * (e.g., staging/app) as a flat key-value map.
+ */
+import type { SecretsStoreDescriptor } from '@vibesdotdev/secrets/kinds/store.schema';
+import type { SecretsStoreImplementation, SecretEntry } from '@vibesdotdev/secrets/kinds/store.interface';
+declare class VaultStore implements SecretsStoreImplementation {
+    readonly id = "vault";
+    readonly descriptor: SecretsStoreDescriptor;
+    constructor(desc: SecretsStoreDescriptor);
+    list(environment: string): Promise<SecretEntry[]>;
+    get(environment: string, key: string): Promise<string | undefined>;
+    set(environment: string, key: string, value: string): Promise<void>;
+    unset(environment: string, key: string): Promise<void>;
+    getAll(environment: string): Promise<Record<string, string>>;
+    setAll(environment: string, secrets: Record<string, string>): Promise<void>;
+    private configForEnv;
+    private findPathForKey;
+    private safeRead;
+}
+export declare function createVaultStore(): import("@vibesdotdev/runtime").RuntimeImplementationWrapper<VaultStore>;
+export {};
+//# sourceMappingURL=vault.impl.d.ts.map

package/dist/secrets/vault.impl.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"vault.impl.d.ts","sourceRoot":"","sources":["../../src/secrets/vault.impl.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAGH,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,yCAAyC,CAAC;AACtF,OAAO,KAAK,EAAE,0BAA0B,EAAE,WAAW,EAAE,MAAM,4CAA4C,CAAC;AAqB1G,cAAM,UAAW,YAAW,0BAA0B;IACrD,QAAQ,CAAC,EAAE,WAAW;IACtB,QAAQ,CAAC,UAAU,EAAE,sBAAsB,CAAC;gBAEhC,IAAI,EAAE,sBAAsB;IAIlC,IAAI,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;IAkBjD,GAAG,CAAC,WAAW,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC;IAalE,GAAG,CAAC,WAAW,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IASnE,KAAK,CAAC,WAAW,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAQtD,MAAM,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAgB5D,MAAM,CAAC,WAAW,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC;IAQjF,OAAO,CAAC,YAAY;YAKN,cAAc;YAYd,QAAQ;CAOtB;AAED,wBAAgB,gBAAgB,4EAQ/B"}

package/dist/secrets/vault.impl.js

@@ -0,0 +1,137 @@
+/**
+ * Vault Backend Implementation
+ *
+ * Stores secrets in HashiCorp Vault KV v2 engine.
+ * Paths follow Helm chart conventions: {mount}/oauth, {mount}/app,
+ * {mount}/artifacts, {mount}/infrastructure.
+ *
+ * All secrets for an environment are stored under a single Vault path
+ * (e.g., staging/app) as a flat key-value map.
+ */
+import { createRuntimeImplementation } from '@vibesdotdev/runtime/factory/implementation';
+import { readKVSecret, writeKVSecret, deleteKVKey } from './vault.impl.cloud.js';
+import descriptor from './vault.descriptor.js';
+/** Vault paths that correspond to Helm chart secret groups */
+const VAULT_PATHS = ['app', 'oauth', 'artifacts', 'infrastructure'];
+function getConfig(desc) {
+    return {
+        address: desc.config?.address ?? 'http://vault.observability.svc.cluster.local:8200',
+        mount: desc.config?.mount ?? 'staging',
+        token: process.env.VAULT_TOKEN
+    };
+}
+function getMountForEnvironment(desc, environment) {
+    if (environment === 'production')
+        return 'production';
+    if (environment === 'staging')
+        return 'staging';
+    return desc.config?.mount ?? environment;
+}
+class VaultStore {
+    id = 'vault';
+    descriptor;
+    constructor(desc) {
+        this.descriptor = desc;
+    }
+    async list(environment) {
+        const config = this.configForEnv(environment);
+        const entries = [];
+        for (const path of VAULT_PATHS) {
+            try {
+                const data = await readKVSecret(config, path);
+                for (const key of Object.keys(data)) {
+                    entries.push({ key, hasValue: data[key] !== '', source: `vault/${path}` });
+                }
+            }
+            catch {
+                // path may not exist yet
+            }
+        }
+        return entries;
+    }
+    async get(environment, key) {
+        const config = this.configForEnv(environment);
+        for (const path of VAULT_PATHS) {
+            try {
+                const data = await readKVSecret(config, path);
+                if (key in data)
+                    return data[key];
+            }
+            catch {
+                continue;
+            }
+        }
+        return undefined;
+    }
+    async set(environment, key, value) {
+        const config = this.configForEnv(environment);
+        // Default to 'app' path for new secrets
+        const targetPath = (await this.findPathForKey(config, key)) ?? 'app';
+        const current = await this.safeRead(config, targetPath);
+        current[key] = value;
+        await writeKVSecret(config, targetPath, current);
+    }
+    async unset(environment, key) {
+        const config = this.configForEnv(environment);
+        const targetPath = await this.findPathForKey(config, key);
+        if (targetPath) {
+            await deleteKVKey(config, targetPath, key);
+        }
+    }
+    async getAll(environment) {
+        const config = this.configForEnv(environment);
+        const all = {};
+        for (const path of VAULT_PATHS) {
+            try {
+                const data = await readKVSecret(config, path);
+                Object.assign(all, data);
+            }
+            catch {
+                continue;
+            }
+        }
+        return all;
+    }
+    async setAll(environment, secrets) {
+        const config = this.configForEnv(environment);
+        // Write all to the 'app' path by default
+        const current = await this.safeRead(config, 'app');
+        Object.assign(current, secrets);
+        await writeKVSecret(config, 'app', current);
+    }
+    configForEnv(environment) {
+        const base = getConfig(this.descriptor);
+        return { ...base, mount: getMountForEnvironment(this.descriptor, environment) };
+    }
+    async findPathForKey(config, key) {
+        for (const path of VAULT_PATHS) {
+            try {
+                const data = await readKVSecret(config, path);
+                if (key in data)
+                    return path;
+            }
+            catch {
+                continue;
+            }
+        }
+        return undefined;
+    }
+    async safeRead(config, path) {
+        try {
+            return await readKVSecret(config, path);
+        }
+        catch {
+            return {};
+        }
+    }
+}
+export function createVaultStore() {
+    const store = new VaultStore(descriptor);
+    return createRuntimeImplementation({
+        id: 'vault',
+        kind: 'secrets/store',
+        priority: 30,
+        implementation: store
+    });
+}
+//# sourceMappingURL=vault.impl.js.map

package/dist/secrets/vault.impl.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"vault.impl.js","sourceRoot":"","sources":["../../src/secrets/vault.impl.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,2BAA2B,EAAE,MAAM,6CAA6C,CAAC;AAG1F,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,WAAW,EAA0B,MAAM,oBAAoB,CAAC;AACtG,OAAO,UAAU,MAAM,oBAAoB,CAAC;AAE5C,8DAA8D;AAC9D,MAAM,WAAW,GAAG,CAAC,KAAK,EAAE,OAAO,EAAE,WAAW,EAAE,gBAAgB,CAAC,CAAC;AAEpE,SAAS,SAAS,CAAC,IAA4B;IAC9C,OAAO;QACN,OAAO,EAAE,IAAI,CAAC,MAAM,EAAE,OAAO,IAAI,mDAAmD;QACpF,KAAK,EAAE,IAAI,CAAC,MAAM,EAAE,KAAK,IAAI,SAAS;QACtC,KAAK,EAAE,OAAO,CAAC,GAAG,CAAC,WAAW;KAC9B,CAAC;AACH,CAAC;AAED,SAAS,sBAAsB,CAAC,IAA4B,EAAE,WAAmB;IAChF,IAAI,WAAW,KAAK,YAAY;QAAE,OAAO,YAAY,CAAC;IACtD,IAAI,WAAW,KAAK,SAAS;QAAE,OAAO,SAAS,CAAC;IAChD,OAAO,IAAI,CAAC,MAAM,EAAE,KAAK,IAAI,WAAW,CAAC;AAC1C,CAAC;AAED,MAAM,UAAU;IACN,EAAE,GAAG,OAAO,CAAC;IACb,UAAU,CAAyB;IAE5C,YAAY,IAA4B;QACvC,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC;IACxB,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,WAAmB;QAC7B,MAAM,MAAM,GAAG,IAAI,CAAC,YAAY,CAAC,WAAW,CAAC,CAAC;QAC9C,MAAM,OAAO,GAAkB,EAAE,CAAC;QAElC,KAAK,MAAM,IAAI,IAAI,WAAW,EAAE,CAAC;YAChC,IAAI,CAAC;gBACJ,MAAM,IAAI,GAAG,MAAM,YAAY,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;gBAC9C,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;oBACrC,OAAO,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,QAAQ,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,EAAE,EAAE,MAAM,EAAE,SAAS,IAAI,EAAE,EAAE,CAAC,CAAC;gBAC5E,CAAC;YACF,CAAC;YAAC,MAAM,CAAC;gBACR,yBAAyB;YAC1B,CAAC;QACF,CAAC;QAED,OAAO,OAAO,CAAC;IAChB,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,WAAmB,EAAE,GAAW;QACzC,MAAM,MAAM,GAAG,IAAI,CAAC,YAAY,CAAC,WAAW,CAAC,CAAC;QAC9C,KAAK,MAAM,IAAI,IAAI,WAAW,EAAE,CAAC;YAChC,IAAI,CAAC;gBACJ,MAAM,IAAI,GAAG,MAAM,YAAY,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;gBAC9C,IAAI,GAAG,IAAI,IAAI;oBAAE,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC;YACnC,CAAC;YAAC,MAAM,CAAC;gBACR,SAAS;YACV,CAAC;QACF,CAAC;QACD,OAAO,SAAS,CAAC;IAClB,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,WAAmB,EAAE,GAAW,EAAE,KAAa;QACxD,MAAM,MAAM,GAAG,IAAI,CAAC,YAAY,CAAC,WAAW,CAAC,CAAC;QAC9C,wCAAwC;QACxC,MAAM,UAAU,GAAG,CAAC,MAAM,IAAI,CAAC,cAAc,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC,IAAI,KAAK,CAAC;QACrE,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC;QACxD,OAAO,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;QACrB,MAAM,aAAa,CAAC,MAAM,EAAE,UAAU,EAAE,OAAO,CAAC,CAAC;IAClD,CAAC;IAED,KAAK,CAAC,KAAK,CAAC,WAAmB,EAAE,GAAW;QAC3C,MAAM,MAAM,GAAG,IAAI,CAAC,YAAY,CAAC,WAAW,CAAC,CAAC;QAC9C,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QAC1D,IAAI,UAAU,EAAE,CAAC;YAChB,MAAM,WAAW,CAAC,MAAM,EAAE,UAAU,EAAE,GAAG,CAAC,CAAC;QAC5C,CAAC;IACF,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,WAAmB;QAC/B,MAAM,MAAM,GAAG,IAAI,CAAC,YAAY,CAAC,WAAW,CAAC,CAAC;QAC9C,MAAM,GAAG,GAA2B,EAAE,CAAC;QAEvC,KAAK,MAAM,IAAI,IAAI,WAAW,EAAE,CAAC;YAChC,IAAI,CAAC;gBACJ,MAAM,IAAI,GAAG,MAAM,YAAY,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;gBAC9C,MAAM,CAAC,MAAM,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;YAC1B,CAAC;YAAC,MAAM,CAAC;gBACR,SAAS;YACV,CAAC;QACF,CAAC;QAED,OAAO,GAAG,CAAC;IACZ,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,WAAmB,EAAE,OAA+B;QAChE,MAAM,MAAM,GAAG,IAAI,CAAC,YAAY,CAAC,WAAW,CAAC,CAAC;QAC9C,yCAAyC;QACzC,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;QACnD,MAAM,CAAC,MAAM,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QAChC,MAAM,aAAa,CAAC,MAAM,EAAE,KAAK,EAAE,OAAO,CAAC,CAAC;IAC7C,CAAC;IAEO,YAAY,CAAC,WAAmB;QACvC,MAAM,IAAI,GAAG,SAAS,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACxC,OAAO,EAAE,GAAG,IAAI,EAAE,KAAK,EAAE,sBAAsB,CAAC,IAAI,CAAC,UAAU,EAAE,WAAW,CAAC,EAAE,CAAC;IACjF,CAAC;IAEO,KAAK,CAAC,cAAc,CAAC,MAAyB,EAAE,GAAW;QAClE,KAAK,MAAM,IAAI,IAAI,WAAW,EAAE,CAAC;YAChC,IAAI,CAAC;gBACJ,MAAM,IAAI,GAAG,MAAM,YAAY,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;gBAC9C,IAAI,GAAG,IAAI,IAAI;oBAAE,OAAO,IAAI,CAAC;YAC9B,CAAC;YAAC,MAAM,CAAC;gBACR,SAAS;YACV,CAAC;QACF,CAAC;QACD,OAAO,SAAS,CAAC;IAClB,CAAC;IAEO,KAAK,CAAC,QAAQ,CAAC,MAAyB,EAAE,IAAY;QAC7D,IAAI,CAAC;YACJ,OAAO,MAAM,YAAY,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;QACzC,CAAC;QAAC,MAAM,CAAC;YACR,OAAO,EAAE,CAAC;QACX,CAAC;IACF,CAAC;CACD;AAED,MAAM,UAAU,gBAAgB;IAC/B,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,UAAU,CAAC,CAAC;IACzC,OAAO,2BAA2B,CAAC;QAClC,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,eAAe;QACrB,QAAQ,EAAE,EAAE;QACZ,cAAc,EAAE,KAAK;KACrB,CAAC,CAAC;AACJ,CAAC"}