@zodal/dials-store-secret 0.1.0

package/README.md

@@ -0,0 +1,28 @@
+# @zodal/dials-store-secret
+
+The secret side of [zodal-dials](https://github.com/i2mint/zodal-dials)' content/metadata **bifurcation** — route secret values to a separate backend, never the config store.
+
+```bash
+npm i @zodal/dials-store-secret @zodal/dials-core
+```
+
+```ts
+import { createMemorySecretBackend, createSensitiveSettingsProvider, revealSetting } from '@zodal/dials-store-secret';
+import { createJsoncStore } from '@zodal/dials-store-jsonc';
+
+const secrets = createMemorySecretBackend();          // or an OS-keychain / Vault backend
+const provider = createSensitiveSettingsProvider({
+  config: createJsoncStore({ path: 'settings.jsonc' }),
+  secrets,
+  sensitivityFor: dials.sensitivityFor,
+});
+
+await provider.save(layer);   // non-secret -> config file; secret -> backend (JSON-encoded)
+await provider.load();        // config values + a masked SecretRef per secret (never plaintext)
+await revealSetting(secrets, 'network.apiKey'); // explicit, decoded reveal
+```
+
+- **`createMemorySecretBackend()`** — a reference `SecretBackend` (in-memory; dev/test). Real backends (keychain, Vault, encrypted file) implement the same interface.
+- **`createSensitiveSettingsProvider`** — a bifurcated `LayerStore`: splits the layer on save (secrets → backend, JSON-encoded so object-valued secrets survive; config → config store), surfaces masked `SecretRef`s on load. Secrets-first writes; throws (not silently drops) on a read-only config; `UNSET` deletes a secret.
+
+Part of the [zodal-dials](https://github.com/i2mint/zodal-dials) ecosystem.

package/dist/index.cjs

@@ -0,0 +1,91 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  createMemorySecretBackend: () => createMemorySecretBackend,
+  createSensitiveSettingsProvider: () => createSensitiveSettingsProvider,
+  revealSetting: () => revealSetting
+});
+module.exports = __toCommonJS(index_exports);
+var import_dials_core = require("@zodal/dials-core");
+function createMemorySecretBackend(initial = {}) {
+  const store = new Map(Object.entries(initial));
+  return {
+    has: (key) => Promise.resolve(store.has(key)),
+    get: (key) => Promise.resolve((0, import_dials_core.makeSecretRef)(key, store.has(key))),
+    reveal: (key) => Promise.resolve(store.get(key)),
+    set: (key, value) => {
+      store.set(key, value);
+      return Promise.resolve((0, import_dials_core.makeSecretRef)(key, true));
+    },
+    delete: (key) => {
+      store.delete(key);
+      return Promise.resolve();
+    },
+    list: () => Promise.resolve([...store.keys()])
+  };
+}
+async function revealSetting(secrets, key) {
+  const raw = await secrets.reveal(key);
+  if (raw === void 0) return void 0;
+  try {
+    return JSON.parse(raw);
+  } catch {
+    return raw;
+  }
+}
+function createSensitiveSettingsProvider(options) {
+  const { config, secrets, sensitivityFor } = options;
+  const scope = options.scope ?? config.scope;
+  return {
+    scope,
+    getCapabilities: () => {
+      const capabilities = config.getCapabilities();
+      return { readable: capabilities.readable, writable: capabilities.writable, watchable: capabilities.watchable };
+    },
+    async load() {
+      const layer = { ...await config.load() };
+      for (const key of await secrets.list()) {
+        layer[key] = await secrets.get(key);
+      }
+      return layer;
+    },
+    async save(layer) {
+      const { config: configPart, secrets: secretPart } = (0, import_dials_core.splitBySensitivity)(layer, sensitivityFor);
+      const hasConfigPart = Object.keys(configPart).length > 0;
+      if (hasConfigPart && !config.save) {
+        throw new Error("@zodal/dials-store-secret: the config store is read-only; cannot persist non-secret settings");
+      }
+      for (const [key, value] of Object.entries(secretPart)) {
+        if ((0, import_dials_core.isUnset)(value)) await secrets.delete(key);
+        else if (value !== void 0 && value !== null) await secrets.set(key, JSON.stringify(value));
+      }
+      if (hasConfigPart) await config.save?.(configPart);
+    }
+  };
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  createMemorySecretBackend,
+  createSensitiveSettingsProvider,
+  revealSetting
+});
+//# sourceMappingURL=index.cjs.map

package/dist/index.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/index.ts"],"sourcesContent":["/**\n * @zodal/dials-store-secret — the secret side of zodal-dials' content/metadata bifurcation.\n *\n * - `createMemorySecretBackend()` — a reference `SecretBackend` (in-memory; dev/test). A real backend\n *   (OS keychain, Vault, encrypted file) implements the same interface. A backend stores opaque\n *   string blobs; it is encoding-agnostic.\n * - `createSensitiveSettingsProvider({ config, secrets, sensitivityFor })` — composes a config\n *   `LayerStore` + a `SecretBackend` into ONE `LayerStore` that routes secret values to the backend\n *   (never to the config store). The provider stores each secret value JSON-ENCODED (so an object/\n *   array-valued secret — which the container fail-safe classification produces — survives losslessly);\n *   use `revealSetting` to decode it back. On `load`, config values come back plus a MASKED\n *   `SecretRef` for every secret the backend holds — never plaintext.\n *\n * Cross-store `save` is best-effort, not atomic: secrets are written first, so a secret-write failure\n * aborts before the visible config part is committed. A read-only config store causes `save` to throw\n * (rather than silently drop) when there is a non-secret part to persist.\n */\n\nimport { isUnset, makeSecretRef, splitBySensitivity } from '@zodal/dials-core';\nimport type { Layer, LayerStore, LayerStoreCapabilities, SecretBackend, Sensitivity, SettingKey } from '@zodal/dials-core';\n\n/** An in-memory `SecretBackend` (reference implementation; dev/test). Holds string blobs in a Map. */\nexport function createMemorySecretBackend(initial: Record<SettingKey, string> = {}): SecretBackend {\n  const store = new Map<SettingKey, string>(Object.entries(initial));\n  return {\n    has: (key) => Promise.resolve(store.has(key)),\n    get: (key) => Promise.resolve(makeSecretRef(key, store.has(key))),\n    reveal: (key) => Promise.resolve(store.get(key)),\n    set: (key, value) => {\n      store.set(key, value);\n      return Promise.resolve(makeSecretRef(key, true));\n    },\n    delete: (key) => {\n      store.delete(key);\n      return Promise.resolve();\n    },\n    list: () => Promise.resolve([...store.keys()]),\n  };\n}\n\n/**\n * Reveal a secret's ORIGINAL value (the inverse of how `createSensitiveSettingsProvider` stores it:\n * JSON-encoded). Returns undefined if the key is unset. Falls back to the raw string if it is not\n * valid JSON (tolerating values written outside the provider).\n */\nexport async function revealSetting(secrets: SecretBackend, key: SettingKey): Promise<unknown> {\n  const raw = await secrets.reveal(key);\n  if (raw === undefined) return undefined;\n  try {\n    return JSON.parse(raw);\n  } catch {\n    return raw;\n  }\n}\n\nexport interface SensitiveSettingsProviderOptions {\n  /** The config `LayerStore` for non-secret values. */\n  config: LayerStore;\n  /** The `SecretBackend` for secret values. */\n  secrets: SecretBackend;\n  /** Classify a setting's sensitivity (e.g. `dials.sensitivityFor`). */\n  sensitivityFor: (key: SettingKey) => Sensitivity;\n  /** Scope id. Default: the config store's scope. */\n  scope?: string;\n}\n\n/** Compose a config `LayerStore` + a `SecretBackend` into one bifurcated `LayerStore`. */\nexport function createSensitiveSettingsProvider(options: SensitiveSettingsProviderOptions): LayerStore {\n  const { config, secrets, sensitivityFor } = options;\n  const scope = options.scope ?? config.scope;\n\n  return {\n    scope,\n    getCapabilities: (): LayerStoreCapabilities => {\n      // The config store gates a FULL write (the non-secret part needs it); mirror it conservatively.\n      const capabilities = config.getCapabilities();\n      return { readable: capabilities.readable, writable: capabilities.writable, watchable: capabilities.watchable };\n    },\n\n    async load(): Promise<Layer> {\n      // Copy the config store's returned object — never mutate it (we overlay masked refs onto it).\n      const layer: Layer = { ...(await config.load()) };\n      // Overlay a MASKED SecretRef for every secret the backend holds (never plaintext).\n      for (const key of await secrets.list()) {\n        layer[key] = await secrets.get(key);\n      }\n      return layer;\n    },\n\n    async save(layer: Layer): Promise<void> {\n      const { config: configPart, secrets: secretPart } = splitBySensitivity(layer, sensitivityFor);\n      const hasConfigPart = Object.keys(configPart).length > 0;\n      if (hasConfigPart && !config.save) {\n        throw new Error('@zodal/dials-store-secret: the config store is read-only; cannot persist non-secret settings');\n      }\n      // Secrets first: a secret-write failure aborts before the visible config part is committed.\n      // Values are JSON-encoded so object/array-valued secrets survive losslessly (see revealSetting).\n      for (const [key, value] of Object.entries(secretPart)) {\n        if (isUnset(value)) await secrets.delete(key);\n        else if (value !== undefined && value !== null) await secrets.set(key, JSON.stringify(value));\n      }\n      if (hasConfigPart) await config.save?.(configPart);\n    },\n  };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAkBA,wBAA2D;AAIpD,SAAS,0BAA0B,UAAsC,CAAC,GAAkB;AACjG,QAAM,QAAQ,IAAI,IAAwB,OAAO,QAAQ,OAAO,CAAC;AACjE,SAAO;AAAA,IACL,KAAK,CAAC,QAAQ,QAAQ,QAAQ,MAAM,IAAI,GAAG,CAAC;AAAA,IAC5C,KAAK,CAAC,QAAQ,QAAQ,YAAQ,iCAAc,KAAK,MAAM,IAAI,GAAG,CAAC,CAAC;AAAA,IAChE,QAAQ,CAAC,QAAQ,QAAQ,QAAQ,MAAM,IAAI,GAAG,CAAC;AAAA,IAC/C,KAAK,CAAC,KAAK,UAAU;AACnB,YAAM,IAAI,KAAK,KAAK;AACpB,aAAO,QAAQ,YAAQ,iCAAc,KAAK,IAAI,CAAC;AAAA,IACjD;AAAA,IACA,QAAQ,CAAC,QAAQ;AACf,YAAM,OAAO,GAAG;AAChB,aAAO,QAAQ,QAAQ;AAAA,IACzB;AAAA,IACA,MAAM,MAAM,QAAQ,QAAQ,CAAC,GAAG,MAAM,KAAK,CAAC,CAAC;AAAA,EAC/C;AACF;AAOA,eAAsB,cAAc,SAAwB,KAAmC;AAC7F,QAAM,MAAM,MAAM,QAAQ,OAAO,GAAG;AACpC,MAAI,QAAQ,OAAW,QAAO;AAC9B,MAAI;AACF,WAAO,KAAK,MAAM,GAAG;AAAA,EACvB,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAcO,SAAS,gCAAgC,SAAuD;AACrG,QAAM,EAAE,QAAQ,SAAS,eAAe,IAAI;AAC5C,QAAM,QAAQ,QAAQ,SAAS,OAAO;AAEtC,SAAO;AAAA,IACL;AAAA,IACA,iBAAiB,MAA8B;AAE7C,YAAM,eAAe,OAAO,gBAAgB;AAC5C,aAAO,EAAE,UAAU,aAAa,UAAU,UAAU,aAAa,UAAU,WAAW,aAAa,UAAU;AAAA,IAC/G;AAAA,IAEA,MAAM,OAAuB;AAE3B,YAAM,QAAe,EAAE,GAAI,MAAM,OAAO,KAAK,EAAG;AAEhD,iBAAW,OAAO,MAAM,QAAQ,KAAK,GAAG;AACtC,cAAM,GAAG,IAAI,MAAM,QAAQ,IAAI,GAAG;AAAA,MACpC;AACA,aAAO;AAAA,IACT;AAAA,IAEA,MAAM,KAAK,OAA6B;AACtC,YAAM,EAAE,QAAQ,YAAY,SAAS,WAAW,QAAI,sCAAmB,OAAO,cAAc;AAC5F,YAAM,gBAAgB,OAAO,KAAK,UAAU,EAAE,SAAS;AACvD,UAAI,iBAAiB,CAAC,OAAO,MAAM;AACjC,cAAM,IAAI,MAAM,8FAA8F;AAAA,MAChH;AAGA,iBAAW,CAAC,KAAK,KAAK,KAAK,OAAO,QAAQ,UAAU,GAAG;AACrD,gBAAI,2BAAQ,KAAK,EAAG,OAAM,QAAQ,OAAO,GAAG;AAAA,iBACnC,UAAU,UAAa,UAAU,KAAM,OAAM,QAAQ,IAAI,KAAK,KAAK,UAAU,KAAK,CAAC;AAAA,MAC9F;AACA,UAAI,cAAe,OAAM,OAAO,OAAO,UAAU;AAAA,IACnD;AAAA,EACF;AACF;","names":[]}

package/dist/index.d.cts

@@ -0,0 +1,42 @@
+import { LayerStore, SecretBackend, SettingKey, Sensitivity } from '@zodal/dials-core';
+
+/**
+ * @zodal/dials-store-secret — the secret side of zodal-dials' content/metadata bifurcation.
+ *
+ * - `createMemorySecretBackend()` — a reference `SecretBackend` (in-memory; dev/test). A real backend
+ *   (OS keychain, Vault, encrypted file) implements the same interface. A backend stores opaque
+ *   string blobs; it is encoding-agnostic.
+ * - `createSensitiveSettingsProvider({ config, secrets, sensitivityFor })` — composes a config
+ *   `LayerStore` + a `SecretBackend` into ONE `LayerStore` that routes secret values to the backend
+ *   (never to the config store). The provider stores each secret value JSON-ENCODED (so an object/
+ *   array-valued secret — which the container fail-safe classification produces — survives losslessly);
+ *   use `revealSetting` to decode it back. On `load`, config values come back plus a MASKED
+ *   `SecretRef` for every secret the backend holds — never plaintext.
+ *
+ * Cross-store `save` is best-effort, not atomic: secrets are written first, so a secret-write failure
+ * aborts before the visible config part is committed. A read-only config store causes `save` to throw
+ * (rather than silently drop) when there is a non-secret part to persist.
+ */
+
+/** An in-memory `SecretBackend` (reference implementation; dev/test). Holds string blobs in a Map. */
+declare function createMemorySecretBackend(initial?: Record<SettingKey, string>): SecretBackend;
+/**
+ * Reveal a secret's ORIGINAL value (the inverse of how `createSensitiveSettingsProvider` stores it:
+ * JSON-encoded). Returns undefined if the key is unset. Falls back to the raw string if it is not
+ * valid JSON (tolerating values written outside the provider).
+ */
+declare function revealSetting(secrets: SecretBackend, key: SettingKey): Promise<unknown>;
+interface SensitiveSettingsProviderOptions {
+    /** The config `LayerStore` for non-secret values. */
+    config: LayerStore;
+    /** The `SecretBackend` for secret values. */
+    secrets: SecretBackend;
+    /** Classify a setting's sensitivity (e.g. `dials.sensitivityFor`). */
+    sensitivityFor: (key: SettingKey) => Sensitivity;
+    /** Scope id. Default: the config store's scope. */
+    scope?: string;
+}
+/** Compose a config `LayerStore` + a `SecretBackend` into one bifurcated `LayerStore`. */
+declare function createSensitiveSettingsProvider(options: SensitiveSettingsProviderOptions): LayerStore;
+
+export { type SensitiveSettingsProviderOptions, createMemorySecretBackend, createSensitiveSettingsProvider, revealSetting };

package/dist/index.d.ts

@@ -0,0 +1,42 @@
+import { LayerStore, SecretBackend, SettingKey, Sensitivity } from '@zodal/dials-core';
+
+/**
+ * @zodal/dials-store-secret — the secret side of zodal-dials' content/metadata bifurcation.
+ *
+ * - `createMemorySecretBackend()` — a reference `SecretBackend` (in-memory; dev/test). A real backend
+ *   (OS keychain, Vault, encrypted file) implements the same interface. A backend stores opaque
+ *   string blobs; it is encoding-agnostic.
+ * - `createSensitiveSettingsProvider({ config, secrets, sensitivityFor })` — composes a config
+ *   `LayerStore` + a `SecretBackend` into ONE `LayerStore` that routes secret values to the backend
+ *   (never to the config store). The provider stores each secret value JSON-ENCODED (so an object/
+ *   array-valued secret — which the container fail-safe classification produces — survives losslessly);
+ *   use `revealSetting` to decode it back. On `load`, config values come back plus a MASKED
+ *   `SecretRef` for every secret the backend holds — never plaintext.
+ *
+ * Cross-store `save` is best-effort, not atomic: secrets are written first, so a secret-write failure
+ * aborts before the visible config part is committed. A read-only config store causes `save` to throw
+ * (rather than silently drop) when there is a non-secret part to persist.
+ */
+
+/** An in-memory `SecretBackend` (reference implementation; dev/test). Holds string blobs in a Map. */
+declare function createMemorySecretBackend(initial?: Record<SettingKey, string>): SecretBackend;
+/**
+ * Reveal a secret's ORIGINAL value (the inverse of how `createSensitiveSettingsProvider` stores it:
+ * JSON-encoded). Returns undefined if the key is unset. Falls back to the raw string if it is not
+ * valid JSON (tolerating values written outside the provider).
+ */
+declare function revealSetting(secrets: SecretBackend, key: SettingKey): Promise<unknown>;
+interface SensitiveSettingsProviderOptions {
+    /** The config `LayerStore` for non-secret values. */
+    config: LayerStore;
+    /** The `SecretBackend` for secret values. */
+    secrets: SecretBackend;
+    /** Classify a setting's sensitivity (e.g. `dials.sensitivityFor`). */
+    sensitivityFor: (key: SettingKey) => Sensitivity;
+    /** Scope id. Default: the config store's scope. */
+    scope?: string;
+}
+/** Compose a config `LayerStore` + a `SecretBackend` into one bifurcated `LayerStore`. */
+declare function createSensitiveSettingsProvider(options: SensitiveSettingsProviderOptions): LayerStore;
+
+export { type SensitiveSettingsProviderOptions, createMemorySecretBackend, createSensitiveSettingsProvider, revealSetting };

package/dist/index.js

@@ -0,0 +1,64 @@
+// src/index.ts
+import { isUnset, makeSecretRef, splitBySensitivity } from "@zodal/dials-core";
+function createMemorySecretBackend(initial = {}) {
+  const store = new Map(Object.entries(initial));
+  return {
+    has: (key) => Promise.resolve(store.has(key)),
+    get: (key) => Promise.resolve(makeSecretRef(key, store.has(key))),
+    reveal: (key) => Promise.resolve(store.get(key)),
+    set: (key, value) => {
+      store.set(key, value);
+      return Promise.resolve(makeSecretRef(key, true));
+    },
+    delete: (key) => {
+      store.delete(key);
+      return Promise.resolve();
+    },
+    list: () => Promise.resolve([...store.keys()])
+  };
+}
+async function revealSetting(secrets, key) {
+  const raw = await secrets.reveal(key);
+  if (raw === void 0) return void 0;
+  try {
+    return JSON.parse(raw);
+  } catch {
+    return raw;
+  }
+}
+function createSensitiveSettingsProvider(options) {
+  const { config, secrets, sensitivityFor } = options;
+  const scope = options.scope ?? config.scope;
+  return {
+    scope,
+    getCapabilities: () => {
+      const capabilities = config.getCapabilities();
+      return { readable: capabilities.readable, writable: capabilities.writable, watchable: capabilities.watchable };
+    },
+    async load() {
+      const layer = { ...await config.load() };
+      for (const key of await secrets.list()) {
+        layer[key] = await secrets.get(key);
+      }
+      return layer;
+    },
+    async save(layer) {
+      const { config: configPart, secrets: secretPart } = splitBySensitivity(layer, sensitivityFor);
+      const hasConfigPart = Object.keys(configPart).length > 0;
+      if (hasConfigPart && !config.save) {
+        throw new Error("@zodal/dials-store-secret: the config store is read-only; cannot persist non-secret settings");
+      }
+      for (const [key, value] of Object.entries(secretPart)) {
+        if (isUnset(value)) await secrets.delete(key);
+        else if (value !== void 0 && value !== null) await secrets.set(key, JSON.stringify(value));
+      }
+      if (hasConfigPart) await config.save?.(configPart);
+    }
+  };
+}
+export {
+  createMemorySecretBackend,
+  createSensitiveSettingsProvider,
+  revealSetting
+};
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/index.ts"],"sourcesContent":["/**\n * @zodal/dials-store-secret — the secret side of zodal-dials' content/metadata bifurcation.\n *\n * - `createMemorySecretBackend()` — a reference `SecretBackend` (in-memory; dev/test). A real backend\n *   (OS keychain, Vault, encrypted file) implements the same interface. A backend stores opaque\n *   string blobs; it is encoding-agnostic.\n * - `createSensitiveSettingsProvider({ config, secrets, sensitivityFor })` — composes a config\n *   `LayerStore` + a `SecretBackend` into ONE `LayerStore` that routes secret values to the backend\n *   (never to the config store). The provider stores each secret value JSON-ENCODED (so an object/\n *   array-valued secret — which the container fail-safe classification produces — survives losslessly);\n *   use `revealSetting` to decode it back. On `load`, config values come back plus a MASKED\n *   `SecretRef` for every secret the backend holds — never plaintext.\n *\n * Cross-store `save` is best-effort, not atomic: secrets are written first, so a secret-write failure\n * aborts before the visible config part is committed. A read-only config store causes `save` to throw\n * (rather than silently drop) when there is a non-secret part to persist.\n */\n\nimport { isUnset, makeSecretRef, splitBySensitivity } from '@zodal/dials-core';\nimport type { Layer, LayerStore, LayerStoreCapabilities, SecretBackend, Sensitivity, SettingKey } from '@zodal/dials-core';\n\n/** An in-memory `SecretBackend` (reference implementation; dev/test). Holds string blobs in a Map. */\nexport function createMemorySecretBackend(initial: Record<SettingKey, string> = {}): SecretBackend {\n  const store = new Map<SettingKey, string>(Object.entries(initial));\n  return {\n    has: (key) => Promise.resolve(store.has(key)),\n    get: (key) => Promise.resolve(makeSecretRef(key, store.has(key))),\n    reveal: (key) => Promise.resolve(store.get(key)),\n    set: (key, value) => {\n      store.set(key, value);\n      return Promise.resolve(makeSecretRef(key, true));\n    },\n    delete: (key) => {\n      store.delete(key);\n      return Promise.resolve();\n    },\n    list: () => Promise.resolve([...store.keys()]),\n  };\n}\n\n/**\n * Reveal a secret's ORIGINAL value (the inverse of how `createSensitiveSettingsProvider` stores it:\n * JSON-encoded). Returns undefined if the key is unset. Falls back to the raw string if it is not\n * valid JSON (tolerating values written outside the provider).\n */\nexport async function revealSetting(secrets: SecretBackend, key: SettingKey): Promise<unknown> {\n  const raw = await secrets.reveal(key);\n  if (raw === undefined) return undefined;\n  try {\n    return JSON.parse(raw);\n  } catch {\n    return raw;\n  }\n}\n\nexport interface SensitiveSettingsProviderOptions {\n  /** The config `LayerStore` for non-secret values. */\n  config: LayerStore;\n  /** The `SecretBackend` for secret values. */\n  secrets: SecretBackend;\n  /** Classify a setting's sensitivity (e.g. `dials.sensitivityFor`). */\n  sensitivityFor: (key: SettingKey) => Sensitivity;\n  /** Scope id. Default: the config store's scope. */\n  scope?: string;\n}\n\n/** Compose a config `LayerStore` + a `SecretBackend` into one bifurcated `LayerStore`. */\nexport function createSensitiveSettingsProvider(options: SensitiveSettingsProviderOptions): LayerStore {\n  const { config, secrets, sensitivityFor } = options;\n  const scope = options.scope ?? config.scope;\n\n  return {\n    scope,\n    getCapabilities: (): LayerStoreCapabilities => {\n      // The config store gates a FULL write (the non-secret part needs it); mirror it conservatively.\n      const capabilities = config.getCapabilities();\n      return { readable: capabilities.readable, writable: capabilities.writable, watchable: capabilities.watchable };\n    },\n\n    async load(): Promise<Layer> {\n      // Copy the config store's returned object — never mutate it (we overlay masked refs onto it).\n      const layer: Layer = { ...(await config.load()) };\n      // Overlay a MASKED SecretRef for every secret the backend holds (never plaintext).\n      for (const key of await secrets.list()) {\n        layer[key] = await secrets.get(key);\n      }\n      return layer;\n    },\n\n    async save(layer: Layer): Promise<void> {\n      const { config: configPart, secrets: secretPart } = splitBySensitivity(layer, sensitivityFor);\n      const hasConfigPart = Object.keys(configPart).length > 0;\n      if (hasConfigPart && !config.save) {\n        throw new Error('@zodal/dials-store-secret: the config store is read-only; cannot persist non-secret settings');\n      }\n      // Secrets first: a secret-write failure aborts before the visible config part is committed.\n      // Values are JSON-encoded so object/array-valued secrets survive losslessly (see revealSetting).\n      for (const [key, value] of Object.entries(secretPart)) {\n        if (isUnset(value)) await secrets.delete(key);\n        else if (value !== undefined && value !== null) await secrets.set(key, JSON.stringify(value));\n      }\n      if (hasConfigPart) await config.save?.(configPart);\n    },\n  };\n}\n"],"mappings":";AAkBA,SAAS,SAAS,eAAe,0BAA0B;AAIpD,SAAS,0BAA0B,UAAsC,CAAC,GAAkB;AACjG,QAAM,QAAQ,IAAI,IAAwB,OAAO,QAAQ,OAAO,CAAC;AACjE,SAAO;AAAA,IACL,KAAK,CAAC,QAAQ,QAAQ,QAAQ,MAAM,IAAI,GAAG,CAAC;AAAA,IAC5C,KAAK,CAAC,QAAQ,QAAQ,QAAQ,cAAc,KAAK,MAAM,IAAI,GAAG,CAAC,CAAC;AAAA,IAChE,QAAQ,CAAC,QAAQ,QAAQ,QAAQ,MAAM,IAAI,GAAG,CAAC;AAAA,IAC/C,KAAK,CAAC,KAAK,UAAU;AACnB,YAAM,IAAI,KAAK,KAAK;AACpB,aAAO,QAAQ,QAAQ,cAAc,KAAK,IAAI,CAAC;AAAA,IACjD;AAAA,IACA,QAAQ,CAAC,QAAQ;AACf,YAAM,OAAO,GAAG;AAChB,aAAO,QAAQ,QAAQ;AAAA,IACzB;AAAA,IACA,MAAM,MAAM,QAAQ,QAAQ,CAAC,GAAG,MAAM,KAAK,CAAC,CAAC;AAAA,EAC/C;AACF;AAOA,eAAsB,cAAc,SAAwB,KAAmC;AAC7F,QAAM,MAAM,MAAM,QAAQ,OAAO,GAAG;AACpC,MAAI,QAAQ,OAAW,QAAO;AAC9B,MAAI;AACF,WAAO,KAAK,MAAM,GAAG;AAAA,EACvB,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAcO,SAAS,gCAAgC,SAAuD;AACrG,QAAM,EAAE,QAAQ,SAAS,eAAe,IAAI;AAC5C,QAAM,QAAQ,QAAQ,SAAS,OAAO;AAEtC,SAAO;AAAA,IACL;AAAA,IACA,iBAAiB,MAA8B;AAE7C,YAAM,eAAe,OAAO,gBAAgB;AAC5C,aAAO,EAAE,UAAU,aAAa,UAAU,UAAU,aAAa,UAAU,WAAW,aAAa,UAAU;AAAA,IAC/G;AAAA,IAEA,MAAM,OAAuB;AAE3B,YAAM,QAAe,EAAE,GAAI,MAAM,OAAO,KAAK,EAAG;AAEhD,iBAAW,OAAO,MAAM,QAAQ,KAAK,GAAG;AACtC,cAAM,GAAG,IAAI,MAAM,QAAQ,IAAI,GAAG;AAAA,MACpC;AACA,aAAO;AAAA,IACT;AAAA,IAEA,MAAM,KAAK,OAA6B;AACtC,YAAM,EAAE,QAAQ,YAAY,SAAS,WAAW,IAAI,mBAAmB,OAAO,cAAc;AAC5F,YAAM,gBAAgB,OAAO,KAAK,UAAU,EAAE,SAAS;AACvD,UAAI,iBAAiB,CAAC,OAAO,MAAM;AACjC,cAAM,IAAI,MAAM,8FAA8F;AAAA,MAChH;AAGA,iBAAW,CAAC,KAAK,KAAK,KAAK,OAAO,QAAQ,UAAU,GAAG;AACrD,YAAI,QAAQ,KAAK,EAAG,OAAM,QAAQ,OAAO,GAAG;AAAA,iBACnC,UAAU,UAAa,UAAU,KAAM,OAAM,QAAQ,IAAI,KAAK,KAAK,UAAU,KAAK,CAAC;AAAA,MAC9F;AACA,UAAI,cAAe,OAAM,OAAO,OAAO,UAAU;AAAA,IACnD;AAAA,EACF;AACF;","names":[]}

package/package.json

@@ -0,0 +1,43 @@
+{
+  "name": "@zodal/dials-store-secret",
+  "version": "0.1.0",
+  "description": "Secret backend + bifurcation provider for zodal-dials — routes secret values to a separate backend (content/metadata bifurcation)",
+  "type": "module",
+  "main": "./dist/index.cjs",
+  "module": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "import": {
+        "types": "./dist/index.d.ts",
+        "default": "./dist/index.js"
+      },
+      "require": {
+        "types": "./dist/index.d.cts",
+        "default": "./dist/index.cjs"
+      }
+    }
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "files": [
+    "dist"
+  ],
+  "peerDependencies": {
+    "@zodal/core": "^0.1.2",
+    "@zodal/dials-core": "^0.1.0"
+  },
+  "devDependencies": {
+    "@zodal/core": "^0.1.2",
+    "tsup": "^8.0.0",
+    "typescript": "^5.7.0",
+    "vitest": "^3.0.0",
+    "@zodal/dials-core": "0.1.0"
+  },
+  "scripts": {
+    "build": "tsup",
+    "test": "vitest run",
+    "typecheck": "tsc --noEmit"
+  }
+}