@zincapp/znvault-cli 2.16.5 → 2.17.0

package/dist/lib/client.js

@@ -1,1002 +1,13 @@
-import https from 'node:https';
-import http from 'node:http';
-import { getConfig, getCredentials, getApiKey, hasApiKey, storeCredentials, isTokenExpired, getEnvCredentials, hasEnvCredentials, } from './config.js';
+// Path: src/lib/client.ts
 /**
- * Convert seconds to human-readable duration (e.g., 86400 -> "24h")
- * Prefers hours for durations up to 7 days, then uses days
+ * Backward compatibility re-export
+ *
+ * This file maintains the original import path for existing code:
+ *   import { client, VaultClient } from './lib/client.js';
+ *
+ * The implementation has been moved to src/lib/client/ for better organization.
  */
-function formatSecondsToHuman(seconds) {
-    const WEEK_IN_SECONDS = 7 * 24 * 60 * 60;
-    const DAY_IN_SECONDS = 24 * 60 * 60;
-    const HOUR_IN_SECONDS = 60 * 60;
-    const MINUTE_IN_SECONDS = 60;
-    // Use days only for 7+ days and evenly divisible
-    if (seconds >= WEEK_IN_SECONDS && seconds % DAY_IN_SECONDS === 0) {
-        return `${seconds / DAY_IN_SECONDS}d`;
-    }
-    // Use hours if evenly divisible by hours
-    if (seconds >= HOUR_IN_SECONDS && seconds % HOUR_IN_SECONDS === 0) {
-        return `${seconds / HOUR_IN_SECONDS}h`;
-    }
-    // Use minutes if evenly divisible
-    if (seconds >= MINUTE_IN_SECONDS && seconds % MINUTE_IN_SECONDS === 0) {
-        return `${seconds / MINUTE_IN_SECONDS}m`;
-    }
-    return `${seconds}s`;
-}
-class VaultClient {
-    baseUrl;
-    insecure;
-    timeout;
-    constructor() {
-        const config = getConfig();
-        this.baseUrl = config.url;
-        this.insecure = config.insecure;
-        this.timeout = config.timeout;
-    }
-    /**
-     * Update client configuration
-     */
-    configure(url, insecure) {
-        if (url)
-            this.baseUrl = url;
-        if (insecure !== undefined)
-            this.insecure = insecure;
-    }
-    /**
-     * Make an HTTP request
-     */
-    async request(options) {
-        const url = new URL(this.baseUrl);
-        url.pathname = options.path;
-        if (options.query) {
-            for (const [key, value] of Object.entries(options.query)) {
-                if (value !== undefined) {
-                    url.searchParams.set(key, String(value));
-                }
-            }
-        }
-        const headers = {
-            'Accept': 'application/json',
-        };
-        // Only set Content-Type for requests with a body
-        if (options.body !== undefined && options.body !== null) {
-            headers['Content-Type'] = 'application/json';
-        }
-        // Add authentication
-        if (!options.skipAuth) {
-            const apiKey = getApiKey();
-            if (hasApiKey() && apiKey) {
-                headers['X-API-Key'] = apiKey;
-            }
-            else {
-                const credentials = getCredentials();
-                if (credentials) {
-                    // Check if token is expired and try to refresh
-                    if (isTokenExpired() && credentials.refreshToken) {
-                        await this.refreshToken();
-                    }
-                    const updatedCredentials = getCredentials();
-                    if (updatedCredentials) {
-                        headers.Authorization = `Bearer ${updatedCredentials.accessToken}`;
-                    }
-                }
-                else if (hasEnvCredentials()) {
-                    // Auto-login with env credentials
-                    const envCreds = getEnvCredentials();
-                    if (envCreds) {
-                        await this.login(envCreds.username, envCreds.password);
-                        const newCredentials = getCredentials();
-                        if (newCredentials) {
-                            headers.Authorization = `Bearer ${newCredentials.accessToken}`;
-                        }
-                    }
-                }
-            }
-        }
-        const requestOptions = {
-            hostname: url.hostname,
-            port: url.port || (url.protocol === 'https:' ? 443 : 80),
-            path: url.pathname + url.search,
-            method: options.method,
-            headers,
-            timeout: this.timeout,
-            rejectUnauthorized: !this.insecure,
-        };
-        return new Promise((resolve, reject) => {
-            const protocol = url.protocol === 'https:' ? https : http;
-            const req = protocol.request(requestOptions, (res) => {
-                let data = '';
-                res.on('data', (chunk) => (data += String(chunk)));
-                res.on('end', () => {
-                    try {
-                        const parsed = data ? JSON.parse(data) : {};
-                        if (res.statusCode && res.statusCode >= 400) {
-                            const error = parsed;
-                            reject(new Error(error.message || `Request failed with status ${res.statusCode}`));
-                        }
-                        else {
-                            resolve(parsed);
-                        }
-                    }
-                    catch {
-                        if (res.statusCode && res.statusCode >= 400) {
-                            reject(new Error(`Request failed with status ${res.statusCode}`));
-                        }
-                        else {
-                            resolve(data);
-                        }
-                    }
-                });
-            });
-            req.on('error', reject);
-            req.on('timeout', () => {
-                req.destroy();
-                reject(new Error('Request timeout'));
-            });
-            if (options.body !== undefined && options.body !== null) {
-                req.write(JSON.stringify(options.body));
-            }
-            req.end();
-        });
-    }
-    // ============ Authentication ============
-    async login(username, password, totp) {
-        const response = await this.request({
-            method: 'POST',
-            path: '/auth/login',
-            body: { username, password, totpCode: totp },
-            skipAuth: true,
-        });
-        // Store credentials
-        storeCredentials({
-            accessToken: response.accessToken,
-            refreshToken: response.refreshToken,
-            expiresAt: Date.now() + response.expiresIn * 1000,
-            userId: response.user.id,
-            username: response.user.username,
-            role: response.user.role,
-            tenantId: response.user.tenantId,
-        });
-        return response;
-    }
-    async refreshToken() {
-        const credentials = getCredentials();
-        if (!credentials?.refreshToken) {
-            throw new Error('No refresh token available');
-        }
-        const response = await this.request({
-            method: 'POST',
-            path: '/auth/refresh',
-            body: { refreshToken: credentials.refreshToken },
-            skipAuth: true,
-        });
-        storeCredentials({
-            ...credentials,
-            accessToken: response.accessToken,
-            refreshToken: response.refreshToken,
-            expiresAt: Date.now() + response.expiresIn * 1000,
-        });
-    }
-    // ============ Health ============
-    async health() {
-        return this.request({
-            method: 'GET',
-            path: '/v1/health',
-            skipAuth: true,
-        });
-    }
-    async leaderHealth() {
-        return this.request({
-            method: 'GET',
-            path: '/v1/health/leader',
-            skipAuth: true,
-        });
-    }
-    // ============ Cluster ============
-    async clusterStatus() {
-        return this.request({
-            method: 'GET',
-            path: '/v1/admin/cluster',
-        });
-    }
-    async clusterTakeover() {
-        return this.request({
-            method: 'POST',
-            path: '/v1/admin/cluster/takeover',
-        });
-    }
-    async clusterPromote(nodeId) {
-        return this.request({
-            method: 'POST',
-            path: `/v1/admin/cluster/nodes/${nodeId}/promote`,
-        });
-    }
-    async clusterRelease() {
-        return this.request({
-            method: 'POST',
-            path: '/v1/admin/cluster/release',
-        });
-    }
-    async clusterMaintenance(enable) {
-        return this.request({
-            method: 'POST',
-            path: '/v1/admin/cluster/maintenance',
-            body: { enable },
-        });
-    }
-    // ============ Tenants ============
-    async listTenants(options) {
-        const response = await this.request({
-            method: 'GET',
-            path: '/v1/tenants',
-            query: {
-                status: options?.status,
-                withUsage: options?.withUsage,
-                pageSize: 1000,
-            },
-        });
-        return response.items;
-    }
-    async createTenant(data) {
-        const response = await this.request({
-            method: 'POST',
-            path: '/v1/tenants',
-            body: data,
-        });
-        return response.data;
-    }
-    async getTenant(id, withUsage) {
-        const response = await this.request({
-            method: 'GET',
-            path: `/v1/tenants/${id}`,
-            query: { withUsage },
-        });
-        return response.data;
-    }
-    async updateTenant(id, data) {
-        const response = await this.request({
-            method: 'PATCH',
-            path: `/v1/tenants/${id}`,
-            body: data,
-        });
-        return response.data;
-    }
-    async deleteTenant(id) {
-        await this.request({
-            method: 'DELETE',
-            path: `/v1/tenants/${id}`,
-        });
-    }
-    async getTenantUsage(id) {
-        return this.request({
-            method: 'GET',
-            path: `/v1/tenants/${id}/usage`,
-        });
-    }
-    // ============ Users ============
-    async listUsers(options) {
-        const response = await this.request({
-            method: 'GET',
-            path: '/v1/users',
-            query: {
-                tenantId: options?.tenantId,
-                role: options?.role,
-                status: options?.status,
-                pageSize: 1000,
-            },
-        });
-        return response.items;
-    }
-    async createUser(data) {
-        return this.request({
-            method: 'POST',
-            path: '/v1/users',
-            body: data,
-        });
-    }
-    async getUser(id) {
-        return this.request({
-            method: 'GET',
-            path: `/v1/users/${id}`,
-        });
-    }
-    async updateUser(id, data) {
-        return this.request({
-            method: 'PUT',
-            path: `/v1/users/${id}`,
-            body: data,
-        });
-    }
-    async deleteUser(id) {
-        await this.request({
-            method: 'DELETE',
-            path: `/v1/users/${id}`,
-        });
-    }
-    async unlockUser(id) {
-        return this.request({
-            method: 'PUT',
-            path: `/v1/users/${id}`,
-            body: { status: 'active', failedAttempts: 0, lockedUntil: null },
-        });
-    }
-    async resetUserPassword(id, newPassword) {
-        return this.request({
-            method: 'POST',
-            path: `/v1/users/${id}/reset-password`,
-            body: { newPassword },
-        });
-    }
-    async disableUserTotp(id) {
-        return this.request({
-            method: 'POST',
-            path: `/v1/users/${id}/totp/disable`,
-        });
-    }
-    // ============ Superadmins ============
-    async listSuperadmins() {
-        const users = await this.listUsers({ role: 'superadmin' });
-        return users.map(u => ({
-            id: u.id,
-            username: u.username,
-            email: u.email,
-            status: u.status,
-            totpEnabled: u.totpEnabled,
-            failedAttempts: u.failedAttempts,
-            lockedUntil: u.lockedUntil,
-            lastLogin: u.lastLogin,
-            createdAt: u.createdAt,
-        }));
-    }
-    async createSuperadmin(data) {
-        return this.request({
-            method: 'POST',
-            path: '/v1/superadmins',
-            body: data,
-        });
-    }
-    async resetSuperadminPassword(username, password) {
-        return this.request({
-            method: 'POST',
-            path: `/v1/superadmins/${username}/password`,
-            body: { password },
-        });
-    }
-    async unlockSuperadmin(username) {
-        return this.request({
-            method: 'POST',
-            path: `/v1/superadmins/${username}/unlock`,
-        });
-    }
-    async disableSuperadmin(username) {
-        return this.request({
-            method: 'POST',
-            path: `/v1/superadmins/${username}/disable`,
-        });
-    }
-    async enableSuperadmin(username) {
-        return this.request({
-            method: 'POST',
-            path: `/v1/superadmins/${username}/enable`,
-        });
-    }
-    // ============ Lockdown ============
-    async getLockdownStatus() {
-        return this.request({
-            method: 'GET',
-            path: '/v1/admin/lockdown/status',
-        });
-    }
-    async triggerLockdown(level, reason) {
-        return this.request({
-            method: 'POST',
-            path: '/v1/admin/lockdown/trigger',
-            body: { level, reason },
-        });
-    }
-    async clearLockdown(reason) {
-        return this.request({
-            method: 'POST',
-            path: '/v1/admin/lockdown/clear',
-            body: { reason },
-        });
-    }
-    async getLockdownHistory(limit) {
-        const response = await this.request({
-            method: 'GET',
-            path: '/v1/admin/lockdown/history',
-            query: { limit: limit ?? 50 },
-        });
-        return response.items;
-    }
-    async getThreats(options) {
-        const response = await this.request({
-            method: 'GET',
-            path: '/v1/admin/lockdown/threats',
-            query: {
-                category: options?.category,
-                since: options?.since,
-                limit: options?.limit ?? 100,
-            },
-        });
-        return response.items;
-    }
-    // ============ Audit ============
-    async listAudit(options) {
-        const response = await this.request({
-            method: 'GET',
-            path: '/v1/audit',
-            query: {
-                client_cn: options?.user,
-                action: options?.action,
-                start_date: options?.startDate,
-                end_date: options?.endDate,
-                limit: options?.limit ?? 100,
-            },
-        });
-        return response.items;
-    }
-    async verifyAuditChain() {
-        return this.request({
-            method: 'GET',
-            path: '/v1/audit/verify',
-        });
-    }
-    async exportAudit(options) {
-        return this.request({
-            method: 'GET',
-            path: '/v1/audit',
-            query: {
-                format: options?.format ?? 'json',
-                start_date: options?.startDate,
-                end_date: options?.endDate,
-                limit: 10000,
-            },
-        });
-    }
-    // ============ API Keys (Independent, tenant-scoped) ============
-    async createApiKey(data) {
-        return this.request({
-            method: 'POST',
-            path: '/auth/api-keys',
-            query: data.tenantId ? { tenantId: data.tenantId } : undefined,
-            body: {
-                name: data.name,
-                description: data.description,
-                expiresInDays: data.expiresInDays,
-                permissions: data.permissions,
-                ipAllowlist: data.ipAllowlist,
-                conditions: data.conditions,
-            },
-        });
-    }
-    async listApiKeys(tenantId) {
-        return this.request({
-            method: 'GET',
-            path: '/auth/api-keys',
-            query: tenantId ? { tenantId } : undefined,
-        });
-    }
-    async getApiKey(id, tenantId) {
-        return this.request({
-            method: 'GET',
-            path: `/auth/api-keys/${id}`,
-            query: tenantId ? { tenantId } : undefined,
-        });
-    }
-    async deleteApiKey(id, tenantId) {
-        await this.request({
-            method: 'DELETE',
-            path: `/auth/api-keys/${id}`,
-            query: tenantId ? { tenantId } : undefined,
-        });
-    }
-    async rotateApiKey(id, name, tenantId) {
-        return this.request({
-            method: 'POST',
-            path: `/auth/api-keys/${id}/rotate`,
-            query: tenantId ? { tenantId } : undefined,
-            body: name ? { name } : {},
-        });
-    }
-    async updateApiKeyPermissions(id, permissions, tenantId) {
-        const response = await this.request({
-            method: 'PATCH',
-            path: `/auth/api-keys/${id}/permissions`,
-            query: tenantId ? { tenantId } : undefined,
-            body: { permissions },
-        });
-        return response.apiKey;
-    }
-    async updateApiKeyConditions(id, conditions, tenantId) {
-        const response = await this.request({
-            method: 'PATCH',
-            path: `/auth/api-keys/${id}/conditions`,
-            query: tenantId ? { tenantId } : undefined,
-            body: { conditions },
-        });
-        return response.apiKey;
-    }
-    async setApiKeyEnabled(id, enabled, tenantId) {
-        const response = await this.request({
-            method: 'PATCH',
-            path: `/auth/api-keys/${id}/enabled`,
-            query: tenantId ? { tenantId } : undefined,
-            body: { enabled },
-        });
-        return response.apiKey;
-    }
-    // =========================================================================
-    // Permissions API
-    // =========================================================================
-    /**
-     * Get all available permissions from the database
-     * This is the single source of truth for valid permission IDs
-     */
-    async getPermissions(category) {
-        return this.request({
-            method: 'GET',
-            path: '/v1/permissions',
-            query: category ? { category } : undefined,
-        });
-    }
-    /**
-     * Validate a list of permission IDs against the database
-     */
-    async validatePermissions(permissions) {
-        return this.request({
-            method: 'POST',
-            path: '/v1/permissions/validate',
-            body: { permissions },
-        });
-    }
-    async getApiKeyPolicies(id, tenantId) {
-        return this.request({
-            method: 'GET',
-            path: `/auth/api-keys/${id}/policies`,
-            query: tenantId ? { tenantId } : undefined,
-        });
-    }
-    async attachApiKeyPolicy(keyId, policyId, tenantId) {
-        return this.request({
-            method: 'POST',
-            path: `/auth/api-keys/${keyId}/policies/${policyId}`,
-            query: tenantId ? { tenantId } : undefined,
-        });
-    }
-    async detachApiKeyPolicy(keyId, policyId, tenantId) {
-        return this.request({
-            method: 'DELETE',
-            path: `/auth/api-keys/${keyId}/policies/${policyId}`,
-            query: tenantId ? { tenantId } : undefined,
-        });
-    }
-    async getApiKeySelf() {
-        return this.request({
-            method: 'GET',
-            path: '/auth/api-keys/self',
-        });
-    }
-    async rotateApiKeySelf(name) {
-        return this.request({
-            method: 'POST',
-            path: '/auth/api-keys/self/rotate',
-            body: name ? { name } : {},
-        });
-    }
-    // ============ Managed API Keys ============
-    async createManagedApiKey(data) {
-        const response = await this.request({
-            method: 'POST',
-            path: '/auth/api-keys',
-            query: data.tenantId ? { tenantId: data.tenantId } : undefined,
-            body: {
-                name: data.name,
-                description: data.description,
-                expiresInDays: data.expiresInDays,
-                permissions: data.permissions,
-                ipAllowlist: data.ipAllowlist,
-                conditions: data.conditions,
-                managed: data.managed,
-            },
-        });
-        // Transform server response to CLI format
-        const serverKey = response.apiKey;
-        return {
-            apiKey: {
-                id: serverKey.id,
-                tenant_id: serverKey.tenant_id,
-                created_by: serverKey.created_by,
-                name: serverKey.name,
-                description: serverKey.description,
-                prefix: serverKey.prefix,
-                expires_at: serverKey.expires_at,
-                last_used: null,
-                created_at: serverKey.created_at,
-                ip_allowlist: null,
-                permissions: serverKey.permissions,
-                conditions: serverKey.conditions,
-                created_by_username: undefined,
-                enabled: serverKey.enabled,
-                rotation_count: serverKey.rotation_count,
-                last_rotation: serverKey.last_rotation,
-                is_managed: serverKey.is_managed,
-                rotation_mode: serverKey.rotation_mode,
-                rotation_interval: serverKey.rotation_interval_seconds ? formatSecondsToHuman(serverKey.rotation_interval_seconds) : undefined,
-                grace_period: formatSecondsToHuman(serverKey.grace_period_seconds),
-                notify_before: serverKey.notify_before,
-                webhook_url: serverKey.webhook_url,
-                next_rotation_at: serverKey.next_rotation_at,
-                last_bound_at: serverKey.last_bound_at,
-            },
-            message: response.message,
-        };
-    }
-    async listManagedApiKeys(tenantId) {
-        const response = await this.request({
-            method: 'GET',
-            path: '/auth/api-keys/managed',
-            query: tenantId ? { tenantId } : undefined,
-        });
-        // Transform each key
-        return {
-            items: response.items.map(key => ({
-                id: key.id,
-                tenant_id: key.tenant_id,
-                created_by: key.created_by,
-                name: key.name,
-                description: key.description,
-                prefix: key.prefix,
-                expires_at: key.expires_at,
-                last_used: key.last_used,
-                created_at: key.created_at,
-                ip_allowlist: null,
-                permissions: key.permissions,
-                conditions: key.conditions,
-                created_by_username: key.created_by_username,
-                enabled: key.enabled,
-                rotation_count: key.rotation_count,
-                last_rotation: key.last_rotation,
-                is_managed: key.is_managed,
-                rotation_mode: key.rotation_mode,
-                rotation_interval: key.rotation_interval_seconds ? formatSecondsToHuman(key.rotation_interval_seconds) : undefined,
-                grace_period: formatSecondsToHuman(key.grace_period_seconds),
-                notify_before: key.notify_before,
-                webhook_url: key.rotation_webhook_url ?? undefined,
-                next_rotation_at: key.next_rotation_at,
-                last_bound_at: key.first_used_at ?? undefined,
-            })),
-            pagination: response.pagination,
-        };
-    }
-    async getManagedApiKey(name, tenantId) {
-        const info = await this.request({
-            method: 'GET',
-            path: `/auth/api-keys/managed/${encodeURIComponent(name)}`,
-            query: tenantId ? { tenantId } : undefined,
-        });
-        // Transform to CLI's ManagedAPIKey format (snake_case)
-        return {
-            id: info.id,
-            tenant_id: info.tenantId,
-            created_by: info.createdBy ?? null,
-            name: info.name,
-            description: info.description ?? null,
-            prefix: info.prefix,
-            expires_at: info.expiresAt ?? '',
-            last_used: info.lastUsed ?? null,
-            created_at: info.createdAt ?? '',
-            ip_allowlist: null, // Not returned by server
-            permissions: info.permissions,
-            conditions: undefined,
-            created_by_username: info.createdByUsername,
-            enabled: info.enabled,
-            rotation_count: info.rotationCount,
-            last_rotation: info.lastRotatedAt ?? null,
-            is_managed: info.isManaged,
-            rotation_mode: info.rotationMode,
-            rotation_interval: info.rotationIntervalSeconds ? formatSecondsToHuman(info.rotationIntervalSeconds) : undefined,
-            grace_period: formatSecondsToHuman(info.gracePeriodSeconds),
-            notify_before: info.notifyBefore,
-            webhook_url: info.webhookUrl,
-            next_rotation_at: info.nextRotationAt,
-            last_bound_at: info.lastBoundAt,
-        };
-    }
-    async bindManagedApiKey(name, tenantId) {
-        return this.request({
-            method: 'POST',
-            path: `/auth/api-keys/managed/${encodeURIComponent(name)}/bind`,
-            query: tenantId ? { tenantId } : undefined,
-            body: {},
-        });
-    }
-    async rotateManagedApiKey(name, tenantId) {
-        return this.request({
-            method: 'POST',
-            path: `/auth/api-keys/managed/${encodeURIComponent(name)}/rotate`,
-            query: tenantId ? { tenantId } : undefined,
-            body: {},
-        });
-    }
-    async updateManagedApiKeyConfig(name, config, tenantId) {
-        const info = await this.request({
-            method: 'PATCH',
-            path: `/auth/api-keys/managed/${encodeURIComponent(name)}/config`,
-            query: tenantId ? { tenantId } : undefined,
-            body: config,
-        });
-        // Transform to CLI's ManagedAPIKey format (snake_case)
-        return {
-            id: info.id,
-            tenant_id: info.tenantId,
-            created_by: info.createdBy ?? null,
-            name: info.name,
-            description: info.description ?? null,
-            prefix: info.prefix,
-            expires_at: info.expiresAt ?? '',
-            last_used: info.lastUsed ?? null,
-            created_at: info.createdAt ?? '',
-            ip_allowlist: null,
-            permissions: info.permissions,
-            conditions: undefined,
-            created_by_username: info.createdByUsername,
-            enabled: info.enabled,
-            rotation_count: info.rotationCount,
-            last_rotation: info.lastRotatedAt ?? null,
-            is_managed: info.isManaged,
-            rotation_mode: info.rotationMode,
-            rotation_interval: info.rotationIntervalSeconds ? formatSecondsToHuman(info.rotationIntervalSeconds) : undefined,
-            grace_period: formatSecondsToHuman(info.gracePeriodSeconds),
-            notify_before: info.notifyBefore,
-            webhook_url: info.webhookUrl,
-            next_rotation_at: info.nextRotationAt,
-            last_bound_at: info.lastBoundAt,
-        };
-    }
-    async deleteManagedApiKey(name, tenantId) {
-        // First get the managed key to find its ID
-        const key = await this.getManagedApiKey(name, tenantId);
-        // Then delete via the standard API key delete endpoint
-        await this.request({
-            method: 'DELETE',
-            path: `/auth/api-keys/${encodeURIComponent(key.id)}`,
-            query: tenantId ? { tenantId } : undefined,
-        });
-    }
-    // ============ ABAC Policies ============
-    async listPolicies(options) {
-        return this.request({
-            method: 'GET',
-            path: '/v1/policies',
-            query: {
-                tenantId: options?.tenantId,
-                enabled: options?.enabled,
-                effect: options?.effect,
-                search: options?.search,
-                page: options?.page,
-                pageSize: options?.pageSize ?? 100,
-            },
-        });
-    }
-    async getPolicy(id) {
-        return this.request({
-            method: 'GET',
-            path: `/v1/policies/${id}`,
-        });
-    }
-    async createPolicy(data) {
-        return this.request({
-            method: 'POST',
-            path: '/v1/policies',
-            body: data,
-        });
-    }
-    async updatePolicy(id, data) {
-        return this.request({
-            method: 'PATCH',
-            path: `/v1/policies/${id}`,
-            body: data,
-        });
-    }
-    async deletePolicy(id) {
-        await this.request({
-            method: 'DELETE',
-            path: `/v1/policies/${id}`,
-        });
-    }
-    async togglePolicy(id, enabled) {
-        return this.request({
-            method: 'POST',
-            path: `/v1/policies/${id}/toggle`,
-            body: { enabled },
-        });
-    }
-    async validatePolicy(policy) {
-        return this.request({
-            method: 'POST',
-            path: '/v1/policies/validate',
-            body: policy,
-        });
-    }
-    async getPolicyAttachments(policyId) {
-        return this.request({
-            method: 'GET',
-            path: `/v1/policies/${policyId}/attachments`,
-        });
-    }
-    async attachPolicyToUser(policyId, userId) {
-        return this.request({
-            method: 'POST',
-            path: `/v1/policies/${policyId}/attach/user`,
-            body: { userId },
-        });
-    }
-    async attachPolicyToRole(policyId, roleId) {
-        return this.request({
-            method: 'POST',
-            path: `/v1/policies/${policyId}/attach/role`,
-            body: { roleId },
-        });
-    }
-    async detachPolicyFromUser(policyId, userId) {
-        return this.request({
-            method: 'DELETE',
-            path: `/v1/policies/${policyId}/attach/user/${userId}`,
-        });
-    }
-    async detachPolicyFromRole(policyId, roleId) {
-        return this.request({
-            method: 'DELETE',
-            path: `/v1/policies/${policyId}/attach/role/${roleId}`,
-        });
-    }
-    async getUserPolicies(userId) {
-        const response = await this.request({
-            method: 'GET',
-            path: `/v1/users/${userId}/policies`,
-        });
-        return response.policies;
-    }
-    async getRolePolicies(roleId) {
-        const response = await this.request({
-            method: 'GET',
-            path: `/v1/roles/${roleId}/policies`,
-        });
-        return response.policies;
-    }
-    async testPolicy(request) {
-        return this.request({
-            method: 'POST',
-            path: '/v1/policies/test',
-            body: request,
-        });
-    }
-    // ============ Generic methods for arbitrary endpoints ============
-    /**
-     * Generic GET request
-     * @param path - Path may include query string (e.g., '/v1/secrets?tenant=foo')
-     */
-    async get(path) {
-        // Handle paths that include query strings
-        const [basePath, queryString] = path.split('?');
-        const query = {};
-        if (queryString) {
-            const params = new URLSearchParams(queryString);
-            for (const [key, value] of params.entries()) {
-                query[key] = value;
-            }
-        }
-        return this.request({ method: 'GET', path: basePath, query: Object.keys(query).length > 0 ? query : undefined });
-    }
-    /**
-     * Generic POST request
-     * @param path - Path may include query string (e.g., '/v1/sso/apps?tenantId=foo')
-     */
-    async post(path, body) {
-        const [basePath, queryString] = path.split('?');
-        const query = {};
-        if (queryString) {
-            const params = new URLSearchParams(queryString);
-            for (const [key, value] of params.entries()) {
-                query[key] = value;
-            }
-        }
-        return this.request({ method: 'POST', path: basePath, body, query: Object.keys(query).length > 0 ? query : undefined });
-    }
-    /**
-     * Generic DELETE request
-     * @param path - Path may include query string
-     */
-    async delete(path) {
-        const [basePath, queryString] = path.split('?');
-        const query = {};
-        if (queryString) {
-            const params = new URLSearchParams(queryString);
-            for (const [key, value] of params.entries()) {
-                query[key] = value;
-            }
-        }
-        return this.request({ method: 'DELETE', path: basePath, query: Object.keys(query).length > 0 ? query : undefined });
-    }
-    /**
-     * Generic PUT request
-     * @param path - Path may include query string
-     */
-    async put(path, body) {
-        const [basePath, queryString] = path.split('?');
-        const query = {};
-        if (queryString) {
-            const params = new URLSearchParams(queryString);
-            for (const [key, value] of params.entries()) {
-                query[key] = value;
-            }
-        }
-        return this.request({ method: 'PUT', path: basePath, body, query: Object.keys(query).length > 0 ? query : undefined });
-    }
-    /**
-     * Generic PATCH request
-     * @param path - Path may include query string
-     */
-    async patch(path, body) {
-        const [basePath, queryString] = path.split('?');
-        const query = {};
-        if (queryString) {
-            const params = new URLSearchParams(queryString);
-            for (const [key, value] of params.entries()) {
-                query[key] = value;
-            }
-        }
-        return this.request({ method: 'PATCH', path: basePath, body, query: Object.keys(query).length > 0 ? query : undefined });
-    }
-    /**
-     * Get WebSocket URL for a given endpoint path
-     */
-    getWebSocketUrl(wsPath) {
-        const url = new URL(this.baseUrl);
-        url.protocol = url.protocol === 'https:' ? 'wss:' : 'ws:';
-        url.pathname = wsPath;
-        return url.toString();
-    }
-    /**
-     * Get authentication headers for WebSocket connection
-     */
-    async getAuthHeaders() {
-        const headers = {};
-        const apiKey = getApiKey();
-        if (hasApiKey() && apiKey) {
-            headers['X-API-Key'] = apiKey;
-        }
-        else {
-            const credentials = getCredentials();
-            if (credentials) {
-                // Check if token is expired and try to refresh
-                if (isTokenExpired() && credentials.refreshToken) {
-                    await this.refreshToken();
-                }
-                const updatedCredentials = getCredentials();
-                if (updatedCredentials) {
-                    headers.Authorization = `Bearer ${updatedCredentials.accessToken}`;
-                }
-            }
-            else if (hasEnvCredentials()) {
-                // Auto-login with env credentials
-                const envCreds = getEnvCredentials();
-                if (envCreds) {
-                    await this.login(envCreds.username, envCreds.password);
-                    const newCredentials = getCredentials();
-                    if (newCredentials) {
-                        headers.Authorization = `Bearer ${newCredentials.accessToken}`;
-                    }
-                }
-            }
-        }
-        return headers;
-    }
-}
-// Export singleton instance
-export const client = new VaultClient();
-// Export class for testing
-export { VaultClient };
+export { client, VaultClient } from './client/index.js';
+// Re-export all domain clients for advanced use cases
+export { HttpClient, HealthClient, ClusterClient, TenantsClient, UsersClient, SuperadminsClient, LockdownClient, AuditClient, ApiKeysClient, ManagedKeysClient, PoliciesClient, PermissionsClient, } from './client/index.js';
 //# sourceMappingURL=client.js.map