@workglow/storage 0.0.103 → 0.0.104

package/dist/common.d.ts

@@ -21,4 +21,5 @@ export * from "./util/HybridSubscriptionManager";
 export * from "./util/PollingSubscriptionManager";
 export * from "./vector/InMemoryVectorStorage";
 export * from "./vector/IVectorStorage";
+export * from "./credentials/EncryptedKvCredentialStore";
 //# sourceMappingURL=common.d.ts.map

package/dist/common.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"common.d.ts","sourceRoot":"","sources":["../src/common.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,cAAc,8BAA8B,CAAC;AAC7C,cAAc,gCAAgC,CAAC;AAC/C,cAAc,qCAAqC,CAAC;AACpD,cAAc,kCAAkC,CAAC;AACjD,cAAc,2BAA2B,CAAC;AAC1C,cAAc,kCAAkC,CAAC;AAEjD,cAAc,iBAAiB,CAAC;AAChC,cAAc,wBAAwB,CAAC;AACvC,cAAc,gBAAgB,CAAC;AAC/B,cAAc,0BAA0B,CAAC;AAEzC,cAAc,8BAA8B,CAAC;AAC7C,cAAc,uBAAuB,CAAC;AAEtC,cAAc,4CAA4C,CAAC;AAC3D,cAAc,qCAAqC,CAAC;AAEpD,cAAc,kCAAkC,CAAC;AACjD,cAAc,mCAAmC,CAAC;AAElD,cAAc,gCAAgC,CAAC;AAC/C,cAAc,yBAAyB,CAAC"}
+{"version":3,"file":"common.d.ts","sourceRoot":"","sources":["../src/common.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,cAAc,8BAA8B,CAAC;AAC7C,cAAc,gCAAgC,CAAC;AAC/C,cAAc,qCAAqC,CAAC;AACpD,cAAc,kCAAkC,CAAC;AACjD,cAAc,2BAA2B,CAAC;AAC1C,cAAc,kCAAkC,CAAC;AAEjD,cAAc,iBAAiB,CAAC;AAChC,cAAc,wBAAwB,CAAC;AACvC,cAAc,gBAAgB,CAAC;AAC/B,cAAc,0BAA0B,CAAC;AAEzC,cAAc,8BAA8B,CAAC;AAC7C,cAAc,uBAAuB,CAAC;AAEtC,cAAc,4CAA4C,CAAC;AAC3D,cAAc,qCAAqC,CAAC;AAEpD,cAAc,kCAAkC,CAAC;AACjD,cAAc,mCAAmC,CAAC;AAElD,cAAc,gCAAgC,CAAC;AAC/C,cAAc,yBAAyB,CAAC;AAExC,cAAc,0CAA0C,CAAC"}

package/dist/credentials/EncryptedKvCredentialStore.d.ts

@@ -0,0 +1,52 @@
+/**
+ * @license
+ * Copyright 2025 Steven Roussey <sroussey@gmail.com>
+ * SPDX-License-Identifier: Apache-2.0
+ */
+import type { CredentialPutOptions, ICredentialStore } from "@workglow/util";
+import type { IKvStorage } from "../kv/IKvStorage";
+/**
+ * Serialized form of a credential stored in the KV backend
+ */
+interface StoredCredential {
+    readonly encrypted: string;
+    readonly iv: string;
+    readonly label: string | undefined;
+    readonly provider: string | undefined;
+    readonly createdAt: string;
+    readonly updatedAt: string;
+    readonly expiresAt: string | undefined;
+}
+/**
+ * Credential store that encrypts values with AES-256-GCM before persisting
+ * them to an {@link IKvStorage} backend.
+ *
+ * Works with any KV backend (SQLite, PostgreSQL, IndexedDB, in-memory, etc.).
+ * Uses the Web Crypto API (available in Node 20+, Bun, and browsers).
+ *
+ * @example
+ * ```ts
+ * import { SqliteKvStorage } from "@workglow/storage";
+ *
+ * const kv = new SqliteKvStorage(":memory:");
+ * const store = new EncryptedKvCredentialStore(kv, "my-encryption-key");
+ *
+ * await store.put("openai-api-key", "sk-...", { provider: "openai" });
+ * const key = await store.get("openai-api-key"); // "sk-..."
+ * ```
+ */
+export declare class EncryptedKvCredentialStore implements ICredentialStore {
+    private readonly kv;
+    private readonly passphrase;
+    /** Per-instance cache of derived CryptoKey instances keyed by base64(salt). */
+    private readonly keyCache;
+    constructor(kv: IKvStorage<string, StoredCredential>, passphrase: string);
+    get(key: string): Promise<string | undefined>;
+    put(key: string, value: string, options?: CredentialPutOptions): Promise<void>;
+    delete(key: string): Promise<boolean>;
+    has(key: string): Promise<boolean>;
+    keys(): Promise<readonly string[]>;
+    deleteAll(): Promise<void>;
+}
+export {};
+//# sourceMappingURL=EncryptedKvCredentialStore.d.ts.map

package/dist/credentials/EncryptedKvCredentialStore.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"EncryptedKvCredentialStore.d.ts","sourceRoot":"","sources":["../../src/credentials/EncryptedKvCredentialStore.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,oBAAoB,EACpB,gBAAgB,EACjB,MAAM,gBAAgB,CAAC;AAExB,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAEnD;;GAEG;AACH,UAAU,gBAAgB;IACxB,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,KAAK,EAAE,MAAM,GAAG,SAAS,CAAC;IACnC,QAAQ,CAAC,QAAQ,EAAE,MAAM,GAAG,SAAS,CAAC;IACtC,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,SAAS,EAAE,MAAM,GAAG,SAAS,CAAC;CACxC;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,qBAAa,0BAA2B,YAAW,gBAAgB;IAK/D,OAAO,CAAC,QAAQ,CAAC,EAAE;IACnB,OAAO,CAAC,QAAQ,CAAC,UAAU;IAL7B,+EAA+E;IAC/E,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAgC;gBAGtC,EAAE,EAAE,UAAU,CAAC,MAAM,EAAE,gBAAgB,CAAC,EACxC,UAAU,EAAE,MAAM;IAO/B,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC;IAY7C,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,oBAAoB,GAAG,OAAO,CAAC,IAAI,CAAC;IAmB9E,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAQrC,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAWlC,IAAI,IAAI,OAAO,CAAC,SAAS,MAAM,EAAE,CAAC;IAgBlC,SAAS,IAAI,OAAO,CAAC,IAAI,CAAC;CAGjC"}

package/dist/node.js

@@ -1694,6 +1694,81 @@ class InMemoryVectorStorage extends InMemoryTabularStorage {
     return topResults;
   }
 }
+// src/credentials/EncryptedKvCredentialStore.ts
+import { decrypt, encrypt } from "@workglow/util";
+
+class EncryptedKvCredentialStore {
+  kv;
+  passphrase;
+  keyCache = new Map;
+  constructor(kv, passphrase) {
+    this.kv = kv;
+    this.passphrase = passphrase;
+    if (!passphrase) {
+      throw new Error("EncryptedKvCredentialStore requires a non-empty passphrase.");
+    }
+  }
+  async get(key) {
+    const raw = await this.kv.get(key);
+    if (!raw)
+      return;
+    if (raw.expiresAt && new Date(raw.expiresAt) <= new Date) {
+      await this.kv.delete(key);
+      return;
+    }
+    return decrypt(raw.encrypted, raw.iv, this.passphrase, this.keyCache);
+  }
+  async put(key, value, options) {
+    const now = new Date;
+    const existing = await this.kv.get(key);
+    const { encrypted, iv } = await encrypt(value, this.passphrase, this.keyCache);
+    const stored = {
+      encrypted,
+      iv,
+      label: options?.label ?? existing?.label,
+      provider: options?.provider ?? existing?.provider,
+      createdAt: existing?.createdAt ?? now.toISOString(),
+      updatedAt: now.toISOString(),
+      expiresAt: options?.expiresAt ? options.expiresAt.toISOString() : existing?.expiresAt
+    };
+    await this.kv.put(key, stored);
+  }
+  async delete(key) {
+    const exists = await this.kv.get(key) !== undefined;
+    if (exists) {
+      await this.kv.delete(key);
+    }
+    return exists;
+  }
+  async has(key) {
+    const raw = await this.kv.get(key);
+    if (!raw)
+      return false;
+    if (raw.expiresAt && new Date(raw.expiresAt) <= new Date) {
+      await this.kv.delete(key);
+      return false;
+    }
+    return true;
+  }
+  async keys() {
+    const all = await this.kv.getAll();
+    if (!all)
+      return [];
+    const now = new Date;
+    const result = [];
+    for (const entry of all) {
+      if (entry.value.expiresAt && new Date(entry.value.expiresAt) <= now) {
+        await this.kv.delete(entry.key);
+        continue;
+      }
+      result.push(entry.key);
+    }
+    return result;
+  }
+  async deleteAll() {
+    await this.kv.deleteAll();
+  }
+}
 // src/tabular/FsFolderTabularStorage.ts
 import {
   createServiceToken as createServiceToken12,
@@ -7278,6 +7353,7 @@ export {
   FS_FOLDER_TABULAR_REPOSITORY,
   FS_FOLDER_KV_REPOSITORY,
   FS_FOLDER_JSON_KV_REPOSITORY,
+  EncryptedKvCredentialStore,
   DefaultKeyValueSchema,
   DefaultKeyValueKey,
   CachedTabularStorage,
@@ -7285,4 +7361,4 @@ export {
   BaseTabularStorage
 };
 
-//# debugId=24D8B8B9BAD9862964756E2164756E21
+//# debugId=2D59BEA4EF2DA70564756E2164756E21