payment-kit 1.29.1 → 1.29.3

package/api/src/libs/drivers/locks.ts

@@ -0,0 +1,226 @@
+// Phase 8 (W2-1a): locks slot driver contract.
+//
+// W1 §2.2 exempts the `locks` table from an instance_did column: tenant
+// isolation for locks is achieved by prefixing the lock NAME, not by a column.
+// `scopedLockName` is the single place that prefix is applied, so both drivers
+// (and the libs/lock facade) stay consistent.
+//
+// Two implementations conform to the contract:
+//   - memory driver: the original in-process EventEmitter lock (Blocklet Server
+//     single-process Node.js). Semantics unchanged — Phase 8 wraps, never
+//     rewrites.
+//   - d1 driver: the Cloudflare D1-backed lock (atomic INSERT OR IGNORE + TTL
+//     expiry + owner token), relocated here from the previously-orphaned
+//     cloudflare/shims/lock.ts so the worker wires it through the locks slot.
+
+// the two lock classes are the two driver implementations — cohesive in one module
+/* eslint-disable max-classes-per-file */
+
+import type { D1Binding } from './db';
+
+export interface LockHandle {
+  name: string;
+  /** whether this handle currently holds the lock — used by singleton start guards */
+  locked: boolean;
+  /**
+   * Acquire the lock. `maxWaitMs` is a bounded-wait hint: the d1 driver enforces
+   * it as a hard timeout (and rejects on expiry) because a holder lives in a
+   * different isolate and may crash; the in-process memory driver waits until
+   * release and does not time out — single process means there is no
+   * crashed-holder / cross-isolate-wait scenario. The shared parity cases
+   * (acquire-when-free, block-until-release) hold on both; TTL-expiry and
+   * timeout are d1-only capabilities (see drivers/locks.spec.ts).
+   */
+  acquire(maxWaitMs?: number): Promise<true>;
+  release(): void;
+}
+
+export type LocksDriverKind = 'memory' | 'd1';
+
+export interface LocksDriver {
+  kind: LocksDriverKind;
+  getLock(name: string, options?: { ttl?: number }): LockHandle;
+}
+
+export type LockScope = 'tenant' | 'global';
+
+/**
+ * Apply the tenant prefix to a lock name. Tenant-scoped locks (the default for
+ * per-resource locks) are isolated per deployment/tenant; global-scoped locks
+ * (process-level singleton guards like queue start guards) are intentionally
+ * shared and keep their bare name. In single-tenant mode the prefix is the
+ * constant deployment app DID, so lock identity is unchanged in practice.
+ */
+export function scopedLockName(name: string, instanceDid: string | null, scope: LockScope): string {
+  if (scope === 'global') return name;
+  if (!instanceDid) {
+    // tenant scope requires a tenant — callers resolve it fail-closed before
+    // reaching here (see libs/lock.ts). Guard anyway so a programming error is
+    // loud rather than silently producing a cross-tenant-shared lock.
+    throw new Error('scopedLockName: tenant-scoped lock requires a non-empty instanceDid');
+  }
+  return `tenant:${instanceDid}::${name}`;
+}
+
+// ---------------------------------------------------------------------------
+// memory driver — original in-process lock semantics
+// ---------------------------------------------------------------------------
+
+const { EventEmitter } = require('events');
+
+export class MemoryLock implements LockHandle {
+  name: string;
+  locked: boolean;
+  private events: any;
+
+  constructor(name: string) {
+    this.name = name;
+    this.locked = false;
+    this.events = new EventEmitter();
+  }
+
+  acquire(): Promise<true> {
+    return new Promise((resolve) => {
+      if (this.locked) {
+        const tryAcquire = () => {
+          if (!this.locked) {
+            this.locked = true;
+            this.events.removeListener('release', tryAcquire);
+            resolve(true);
+          }
+        };
+        this.events.on('release', tryAcquire);
+      } else {
+        this.locked = true;
+        resolve(true);
+      }
+    });
+  }
+
+  release(): void {
+    this.locked = false;
+    setImmediate(() => this.events.emit('release'));
+  }
+}
+
+export function createMemoryLocksDriver(): LocksDriver {
+  const locks = new Map<string, MemoryLock>();
+  return {
+    kind: 'memory',
+    getLock(name: string): LockHandle {
+      const exist = locks.get(name);
+      if (exist instanceof MemoryLock) return exist;
+      const lock = new MemoryLock(name);
+      locks.set(name, lock);
+      return lock;
+    },
+  };
+}
+
+// ---------------------------------------------------------------------------
+// d1 driver — D1-backed cross-isolate lock (relocated from shims/lock.ts)
+// ---------------------------------------------------------------------------
+
+let nanoidCounter = 0;
+function simpleId(): string {
+  nanoidCounter += 1;
+  return `${Date.now().toString(36)}-${nanoidCounter.toString(36)}-${Math.random().toString(36).slice(2, 6)}`;
+}
+
+class D1Lock implements LockHandle {
+  name: string;
+  owner: string;
+  locked: boolean;
+  ttl: number;
+  private getBinding: () => D1Binding;
+
+  constructor(getBinding: () => D1Binding, name: string, options?: { ttl?: number }) {
+    this.getBinding = getBinding;
+    this.name = name;
+    this.owner = simpleId();
+    this.locked = false;
+    this.ttl = options?.ttl || 5000;
+  }
+
+  async acquire(maxWaitMs = 10000): Promise<true> {
+    const db: any = this.getBinding();
+    const deadline = Date.now() + maxWaitMs;
+    let delay = 30;
+
+    while (Date.now() < deadline) {
+      const now = Date.now();
+      try {
+        // eslint-disable-next-line no-await-in-loop -- polling retry until acquired or timed out
+        const batchResult = await db.batch([
+          db.prepare('DELETE FROM _locks WHERE name = ? AND expires_at < ?').bind(this.name, now),
+          db
+            .prepare('INSERT OR IGNORE INTO _locks (name, owner, expires_at) VALUES (?, ?, ?)')
+            .bind(this.name, this.owner, now + this.ttl),
+          db.prepare('SELECT owner FROM _locks WHERE name = ?').bind(this.name),
+        ]);
+        const row = batchResult[2]?.results?.[0] as { owner: string } | undefined;
+        if (row?.owner === this.owner) {
+          this.locked = true;
+          return true;
+        }
+      } catch (err: any) {
+        // eslint-disable-next-line no-console
+        console.error(`[D1Lock] acquire error for "${this.name}":`, err?.message || err);
+      }
+      // backoff with jitter, capped — captured into a const so the closure does
+      // not reference the mutated `delay`
+      const waitMs = delay + Math.random() * delay * 0.3;
+      // eslint-disable-next-line no-await-in-loop, no-promise-executor-return
+      await new Promise((r) => setTimeout(r, waitMs));
+      delay = Math.min(delay * 2, 500);
+    }
+    throw new Error(`[D1Lock] Failed to acquire lock "${this.name}" within ${maxWaitMs}ms`);
+  }
+
+  release(): void {
+    if (!this.locked) return;
+    this.locked = false;
+    try {
+      const db: any = this.getBinding();
+      const promise = db
+        .prepare('DELETE FROM _locks WHERE name = ? AND owner = ?')
+        .bind(this.name, this.owner)
+        .run()
+        // eslint-disable-next-line no-console
+        .catch((err: any) => console.error(`[D1Lock] release error for "${this.name}":`, err?.message || err));
+
+      // release is fire-and-forget; the worker shell flushes the pending delete
+      // before responding. This depends on ambient worker globals
+      // (__cfHttpContext__ / __cfWaitUntil__ / __cfPendingJobs__) set by the CF
+      // request handler — a host injecting the d1 locks driver must provide the
+      // same flush hooks (Phase 9 formalizes the flush contract). Outside a
+      // worker (e.g. the consistency suite) the delete still runs; it is simply
+      // not registered for flushing.
+      const isHttp = (globalThis as any).__cfHttpContext__;
+      if (isHttp) {
+        const waitUntil = (globalThis as any).__cfWaitUntil__;
+        if (typeof waitUntil === 'function') waitUntil(promise);
+      } else {
+        const pending = (globalThis as any).__cfPendingJobs__;
+        if (Array.isArray(pending)) pending.push(promise);
+      }
+    } catch (err: any) {
+      // eslint-disable-next-line no-console
+      console.error(`[D1Lock] release setup error for "${this.name}":`, err?.message || err);
+    }
+  }
+}
+
+/**
+ * D1-backed locks driver. `getBinding` is a getter (the binding is resolved
+ * lazily per request in the worker). Each call returns a fresh lock — isolates
+ * never share instances, matching the original shim's behavior.
+ */
+export function createD1LocksDriver(getBinding: () => D1Binding): LocksDriver {
+  return {
+    kind: 'd1',
+    getLock(name: string, options?: { ttl?: number }): LockHandle {
+      return new D1Lock(getBinding, name, options);
+    },
+  };
+}

package/api/src/libs/drivers/migrate-runner.ts

@@ -0,0 +1,70 @@
+// Phase 11 (W2′): runtime-neutral SQL migration runner — the migration-driver
+// boundary. The library provisions the embedded D1 schema by applying the D1 SQL
+// migrations through the host's db driver (its `exec`), NEVER by shelling out to
+// the wrangler CLI. `wrangler d1 migrations apply` stays the CF-native local-dev
+// / deploy provisioning mechanism for the SAME .sql files; this runner is the
+// in-process path arc-node (and any non-CF host) uses via lifecycle/host wiring.
+//
+// Idempotent: applied migrations are tracked in `_sql_migrations`, so re-running
+// is a no-op (the .sql contain non-IF-NOT-EXISTS DDL like ALTER ... ADD COLUMN).
+//
+// NOTE: this tracker (`_sql_migrations`) is independent of wrangler's own
+// `d1_migrations` table. That is safe because the two provisioning paths target
+// DIFFERENT databases — arc-node's embedded SQLite (this runner) vs the CF
+// worker's bound D1 (wrangler) — and never share one. Do NOT run both paths
+// against the SAME database: the runner is blind to `d1_migrations`, so it would
+// re-apply everything and the non-idempotent ALTER ... ADD COLUMN would fail.
+
+import type { DbDriver, DbBatchOp } from './db';
+
+export interface SqlMigration {
+  /** stable id (the migration filename) — the idempotency key */
+  name: string;
+  /** the migration body; may contain multiple `;`-separated statements */
+  sql: string;
+}
+
+/** Strip line comments and split a migration body into individual statements. */
+export function splitStatements(sql: string): string[] {
+  return sql
+    .split('\n')
+    .filter((line) => !line.trim().startsWith('--'))
+    .join('\n')
+    .split(';')
+    .map((s) => s.trim())
+    .filter((s) => s.length > 0);
+}
+
+/**
+ * Apply pending SQL migrations through the db driver, in order. Returns the
+ * names actually applied this run (empty on a fully-migrated db). No wrangler.
+ *
+ * Each migration is applied ATOMICALLY: all of its statements PLUS the tracker
+ * insert run in a single `driver.batch(...)` (the contract's all-or-nothing
+ * transactional primitive). So a mid-migration failure rolls the whole migration
+ * back AND leaves the tracker unwritten — a re-run retries that migration from a
+ * clean slate, never replaying half-applied (non-IF-NOT-EXISTS) DDL like
+ * `ALTER ... ADD COLUMN`. This satisfies "中断后重跑不丢已迁移状态（幂等 + 事务边界）".
+ */
+export async function applySqlMigrations(driver: DbDriver, migrations: SqlMigration[]): Promise<string[]> {
+  await driver.exec('CREATE TABLE IF NOT EXISTS _sql_migrations (name TEXT PRIMARY KEY, applied_at TEXT NOT NULL)');
+  const rows = await driver.all<{ name: string }>('SELECT name FROM _sql_migrations');
+  const applied = new Set(rows.map((r) => r.name));
+
+  const ran: string[] = [];
+  const pending = migrations.filter((m) => !applied.has(m.name));
+  /* eslint-disable no-await-in-loop -- migrations are ordered + must apply sequentially */
+  for (const m of pending) {
+    const ops: DbBatchOp[] = splitStatements(m.sql).map((sql) => ({ sql }));
+    // tracker insert is the LAST op in the same batch — committed iff every
+    // schema statement of this migration committed (atomic boundary).
+    ops.push({
+      sql: 'INSERT INTO _sql_migrations (name, applied_at) VALUES (?, ?)',
+      params: [m.name, new Date().toISOString()],
+    });
+    await driver.batch(ops);
+    ran.push(m.name);
+  }
+  /* eslint-enable no-await-in-loop */
+  return ran;
+}

package/api/src/libs/drivers/queue.ts

@@ -0,0 +1,104 @@
+// Phase 9 (W2-1b): queue slot driver contract.
+//
+// The queue contract is the WHOLE semantics the two engines share, not just
+// enqueue:
+//   - jobs table (createQueueStore) = persistent scheduler / source of truth
+//   - immediate vs delayed dispatch (delayed rows wait for the due-poll)
+//   - consumer ack + failure re-delivery (retry_count up to maxRetries, then
+//     failed; nonRetryable errors fail immediately)
+//   - pushAndWait inline execution (caller awaits the result)
+//   - host flush hook (CF flushes pending push/timer work before responding;
+//     the Node long-lived process is a no-op)
+//   - tenant is carried in the payload (Phase 5/6); the contract layer passes
+//     it through and NEVER resolves Host on the background path
+//
+// ONE engine (api/src/libs/queue) serves every runtime (Phase 12b, option A):
+// the host swaps only the EXECUTOR (real fastq on node, cloudflare/shims/fastq
+// in the worker) and the TRIGGER (in-process poll loop on node, CF scheduled()
+// calling the engine's dispatchDueJobs() in the worker — see
+// api/src/libs/queue/runtime.ts). Persistence, retry policy and tenant handling
+// are shared because there is no second engine. The old cloudflare/shims/queue.ts
+// duplicate engine was removed in Phase 12c.
+
+import type EventEmitter from 'events';
+
+export interface QueueOptions<T> {
+  id?: (job: T) => string;
+  concurrency?: number;
+  maxRetries?: number;
+  maxTimeout?: number;
+  retryDelay?: number;
+  enableScheduledJob?: boolean;
+}
+
+export interface PushParams<T> {
+  job: T;
+  id?: string;
+  persist?: boolean;
+  /** seconds */
+  delay?: number;
+  /** unix timestamp in seconds */
+  runAt?: number;
+  skipDuplicateCheck?: boolean;
+  /**
+   * Internal re-delivery flag for rows already persisted (startup / scheduled
+   * recovery). Skips the enqueue tenant gate so the execution-side legacy
+   * strategy applies. NEVER set from application code.
+   */
+  fromStore?: boolean;
+}
+
+/** the per-job event channel returned by push (emits queued/finished/failed/retry/cancelled) */
+export type JobEvents = EventEmitter & { id?: string };
+
+export interface QueueHandle<T = any> {
+  push(params: PushParams<T>): JobEvents;
+  pushAndWait(params: PushParams<T>): Promise<{ id: string; job: T; result: any }>;
+  get(id: string): Promise<T | null>;
+  delete(id: string, knownExists?: boolean): Promise<boolean>;
+  cancel(id: string): Promise<T | null>;
+  update(id: string, updates: any): Promise<any>;
+  /**
+   * D2 teardown: stop this queue's node poll loop (clears its sleep timer).
+   * No-op when the queue is not scheduled or on a workerd host (no loop runs).
+   * The Node host tears every queue down via lifecycle.stop() → stopAllQueues().
+   */
+  stop?(): void;
+  options: Required<Omit<QueueOptions<T>, 'id'>>;
+}
+
+/** factory shape both engines export as default */
+export type QueueFactory = <T = any>(params: {
+  name: string;
+  onJob: (job: T) => Promise<any>;
+  options?: QueueOptions<T>;
+}) => QueueHandle<T> & EventEmitter;
+
+/**
+ * Host flush hook. CF must flush pending push/timer work before returning the
+ * response (the isolate is torn down after); a long-lived Node process never
+ * needs to and uses the no-op below.
+ */
+export interface QueueHostHooks {
+  flush(): Promise<void>;
+}
+
+/** Node host: long-lived process, nothing to flush before a response. */
+export const nodeQueueHostHooks: QueueHostHooks = {
+  async flush() {
+    /* no-op — the process stays alive, in-flight jobs continue */
+  },
+};
+
+// Active host hooks — injectable by the factory's `queue` slot; defaults to the
+// Node no-op. The worker shell injects hooks that flush pending push/timer work
+// before responding.
+let activeQueueHostHooks: QueueHostHooks = nodeQueueHostHooks;
+
+export function setQueueHostHooks(hooks: QueueHostHooks): void {
+  activeQueueHostHooks = hooks;
+}
+
+export function getQueueHostHooks(): QueueHostHooks {
+  return activeQueueHostHooks;
+}

package/api/src/libs/drivers/secrets.ts

@@ -0,0 +1,194 @@
+// Phase 11 (W2-3): secrets slot driver contract — per-tenant keyring.
+//
+// Replaces the process-level single key (cloudflare/shims/blocklet-sdk/security
+// `_password`, initialized once from APP_PID's EK). Each tenant gets its own
+// encryption key derived from its own EK, so one tenant's key can never decrypt
+// another's ciphertext.
+//
+// Two surfaces, because the payment hot path (PaymentMethod.encrypt/decrypt
+// Settings, getStripeClient, ~50 sync call sites) cannot become async without a
+// large, risky ripple:
+//   - encrypt/decrypt (async): the full contract — lazy EK fetch + cache + TTL,
+//     and decrypt-failure forces one EK re-fetch (tolerates identity-side EK
+//     rotation). Hosts use this.
+//   - encryptSync/decryptSync: the hot path — uses an already-resolved key
+//     (default driver: the process key; keyring driver: the cached password,
+//     warmed via warmup()). Throws if the keyring key is cold (fail-closed).
+//   - warmup(instanceDid): async pre-resolve so the sync path is a cache hit
+//     (no-op for the single-tenant default driver).
+//
+// single mode (Blocklet Server) uses the default driver = the existing process
+// `@blocklet/sdk/lib/security`, so existing ciphertext stays decryptable and
+// behavior is unchanged.
+
+/* eslint-disable max-classes-per-file */
+import crypto from 'crypto';
+
+import type { IdentityDriver } from './identity';
+
+// crypto-js ships no type declarations; required untyped (same AES chain as the
+// prior process security so ciphertext is interchangeable)
+// eslint-disable-next-line @typescript-eslint/no-var-requires, global-require, import/no-extraneous-dependencies
+const CryptoJS: any = require('crypto-js');
+
+export interface SecretsDriver {
+  /** async per-tenant encrypt — lazy-resolves the tenant key on first use */
+  encrypt(instanceDid: string, value: string): Promise<string>;
+  /** async per-tenant decrypt — re-fetches the EK once on failure (EK rotation tolerance) */
+  decrypt(instanceDid: string, value: string): Promise<string>;
+  /** sync hot path — requires the tenant key already resolved (warmup first for the keyring) */
+  encryptSync(instanceDid: string, value: string): string;
+  decryptSync(instanceDid: string, value: string): string;
+  /** pre-resolve the tenant key so the sync path is a cache hit (no-op for the default driver) */
+  warmup(instanceDid: string): Promise<void>;
+}
+
+// ---------------------------------------------------------------------------
+// default driver — single-tenant, delegates to the process @blocklet/sdk security
+// ---------------------------------------------------------------------------
+
+class DefaultSecretsDriver implements SecretsDriver {
+  // lazily required so importing this module stays side-effect-free
+  private security() {
+    // eslint-disable-next-line global-require, import/no-extraneous-dependencies
+    return require('@blocklet/sdk/lib/security').default ?? require('@blocklet/sdk/lib/security');
+  }
+
+  encryptSync(_instanceDid: string, value: string): string {
+    return this.security().encrypt(value);
+  }
+
+  decryptSync(_instanceDid: string, value: string): string {
+    return this.security().decrypt(value);
+  }
+
+  // eslint-disable-next-line require-await -- async contract; the single key is sync
+  async encrypt(instanceDid: string, value: string): Promise<string> {
+    return this.encryptSync(instanceDid, value);
+  }
+
+  // eslint-disable-next-line require-await -- async contract; the single key is sync
+  async decrypt(instanceDid: string, value: string): Promise<string> {
+    return this.decryptSync(instanceDid, value);
+  }
+
+  async warmup(): Promise<void> {
+    /* single key is always available — nothing to warm */
+  }
+}
+
+export function createDefaultSecretsDriver(): SecretsDriver {
+  return new DefaultSecretsDriver();
+}
+
+// ---------------------------------------------------------------------------
+// keyring driver — per-tenant key derived from each tenant's EK
+// ---------------------------------------------------------------------------
+
+const DEFAULT_TTL_MS = 10 * 60 * 1000; // 10 min
+
+type CacheEntry = { password: string; expiresAt: number };
+
+// AES decrypt with a wrong key can throw "Malformed UTF-8" or return empty,
+// depending on the ciphertext bytes. Normalize both to '' so a wrong key is a
+// deterministic failure (never the plaintext, never a crash) — this is what
+// drives the decrypt-retry and what keeps cross-tenant decryption safe.
+function safeUtf8(decrypted: any): string {
+  try {
+    return decrypted.toString(CryptoJS.enc.Utf8);
+  } catch {
+    return '';
+  }
+}
+
+function derivePassword(appEk: string, instanceDid: string): string {
+  // identical chain to the prior process security: PBKDF2(EK, salt) -> AES key.
+  // salt = the tenant DID (== blockletDid in single mode), so single-mode
+  // ciphertext written by the old path stays decryptable when the same EK is
+  // returned by identity.getAppEk(instanceDid).
+  return crypto.pbkdf2Sync(appEk, instanceDid, 256, 32, 'sha512').toString('hex');
+}
+
+class KeyringSecretsDriver implements SecretsDriver {
+  private identity: IdentityDriver;
+  private ttlMs: number;
+  private cache = new Map<string, CacheEntry>();
+
+  constructor(identity: IdentityDriver, opts?: { ttlMs?: number }) {
+    if (typeof identity.getAppEk !== 'function') {
+      throw new Error('createKeyringSecretsDriver: identity driver must provide getAppEk(instanceDid)');
+    }
+    this.identity = identity;
+    this.ttlMs = opts?.ttlMs ?? DEFAULT_TTL_MS;
+  }
+
+  private fresh(instanceDid: string): string | null {
+    const entry = this.cache.get(instanceDid);
+    if (entry && entry.expiresAt > Date.now()) return entry.password;
+    return null;
+  }
+
+  private async resolvePassword(instanceDid: string, force = false): Promise<string> {
+    if (!force) {
+      const cached = this.fresh(instanceDid);
+      if (cached) return cached;
+    }
+    const appEk = await this.identity.getAppEk!(instanceDid);
+    if (!appEk) {
+      throw new Error(`secrets: no EK for tenant ${instanceDid}`);
+    }
+    const password = derivePassword(appEk, instanceDid);
+    this.cache.set(instanceDid, { password, expiresAt: Date.now() + this.ttlMs });
+    return password;
+  }
+
+  async warmup(instanceDid: string): Promise<void> {
+    await this.resolvePassword(instanceDid);
+  }
+
+  encryptSync(instanceDid: string, value: string): string {
+    const password = this.fresh(instanceDid);
+    if (!password) throw new Error(`secrets: key for tenant ${instanceDid} is not warmed (call warmup first)`);
+    return CryptoJS.AES.encrypt(value, password).toString();
+  }
+
+  decryptSync(instanceDid: string, value: string): string {
+    const password = this.fresh(instanceDid);
+    if (!password) throw new Error(`secrets: key for tenant ${instanceDid} is not warmed (call warmup first)`);
+    return safeUtf8(CryptoJS.AES.decrypt(value, password));
+  }
+
+  async encrypt(instanceDid: string, value: string): Promise<string> {
+    const password = await this.resolvePassword(instanceDid);
+    return CryptoJS.AES.encrypt(value, password).toString();
+  }
+
+  async decrypt(instanceDid: string, value: string): Promise<string> {
+    let password = await this.resolvePassword(instanceDid);
+    let plain = safeUtf8(CryptoJS.AES.decrypt(value, password));
+    if (!plain) {
+      // empty result == wrong key (likely rotated EK) -> force one re-fetch + retry
+      password = await this.resolvePassword(instanceDid, true);
+      plain = safeUtf8(CryptoJS.AES.decrypt(value, password));
+    }
+    return plain;
+  }
+}
+
+export function createKeyringSecretsDriver(identity: IdentityDriver, opts?: { ttlMs?: number }): SecretsDriver {
+  return new KeyringSecretsDriver(identity, opts);
+}
+
+// ---------------------------------------------------------------------------
+// active driver + tenant-aware facade (resolves tenant from TenantContext)
+// ---------------------------------------------------------------------------
+
+let activeSecretsDriver: SecretsDriver = createDefaultSecretsDriver();
+
+export function setSecretsDriver(driver: SecretsDriver): void {
+  activeSecretsDriver = driver;
+}
+
+export function getSecretsDriver(): SecretsDriver {
+  return activeSecretsDriver;
+}