secretless-ai 0.9.2 → 0.10.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +58 -2
- package/dist/backends/config.d.ts +1 -1
- package/dist/backends/config.d.ts.map +1 -1
- package/dist/backends/config.js +2 -2
- package/dist/backends/config.js.map +1 -1
- package/dist/backends/factory.d.ts.map +1 -1
- package/dist/backends/factory.js +4 -0
- package/dist/backends/factory.js.map +1 -1
- package/dist/backends/index.d.ts +1 -0
- package/dist/backends/index.d.ts.map +1 -1
- package/dist/backends/index.js +3 -1
- package/dist/backends/index.js.map +1 -1
- package/dist/backends/vault.d.ts +44 -0
- package/dist/backends/vault.d.ts.map +1 -0
- package/dist/backends/vault.js +195 -0
- package/dist/backends/vault.js.map +1 -0
- package/dist/broker/policy.d.ts.map +1 -1
- package/dist/broker/policy.js +15 -0
- package/dist/broker/policy.js.map +1 -1
- package/dist/broker/types.d.ts +2 -0
- package/dist/broker/types.d.ts.map +1 -1
- package/dist/cli.js +181 -4
- package/dist/cli.js.map +1 -1
- package/dist/index.d.ts +2 -1
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +15 -2
- package/dist/index.js.map +1 -1
- package/dist/scope/baselines.d.ts +33 -0
- package/dist/scope/baselines.d.ts.map +1 -0
- package/dist/scope/baselines.js +137 -0
- package/dist/scope/baselines.js.map +1 -0
- package/dist/scope/gcp.d.ts +48 -0
- package/dist/scope/gcp.d.ts.map +1 -0
- package/dist/scope/gcp.js +262 -0
- package/dist/scope/gcp.js.map +1 -0
- package/dist/scope/index.d.ts +38 -0
- package/dist/scope/index.d.ts.map +1 -0
- package/dist/scope/index.js +108 -0
- package/dist/scope/index.js.map +1 -0
- package/dist/scope/types.d.ts +53 -0
- package/dist/scope/types.d.ts.map +1 -0
- package/dist/scope/types.js +9 -0
- package/dist/scope/types.js.map +1 -0
- package/dist/scope/vault.d.ts +25 -0
- package/dist/scope/vault.d.ts.map +1 -0
- package/dist/scope/vault.js +128 -0
- package/dist/scope/vault.js.map +1 -0
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -24,6 +24,7 @@ Secretless stores secrets in your choice of backend. Secrets are never in enviro
|
|
|
24
24
|
| `local` | AES-256-GCM encrypted file | None (single machine) | Filesystem | Quick start, simple setups |
|
|
25
25
|
| `keychain` | macOS Keychain / Linux Secret Service | Device-local | OS login | Native OS integration |
|
|
26
26
|
| `1password` | 1Password vault | Cross-device | Biometric (Touch ID) / Service Account | Teams, CI/CD, multi-device |
|
|
27
|
+
| `vault` | HashiCorp Vault KV v2 | Cross-device / cluster | Vault token | Enterprise, self-hosted, team secrets |
|
|
27
28
|
|
|
28
29
|
```bash
|
|
29
30
|
npx secretless-ai backend # Show available backends
|
|
@@ -51,6 +52,56 @@ npx secretless-ai backend set 1password # Switch backend
|
|
|
51
52
|
|
|
52
53
|
**CI/CD:** Set `OP_SERVICE_ACCOUNT_TOKEN` — same secrets, no code changes. No desktop app needed.
|
|
53
54
|
|
|
55
|
+
### HashiCorp Vault Backend
|
|
56
|
+
|
|
57
|
+
Stores secrets in a Vault KV v2 engine using the HTTP API. Zero SDK dependency — raw `fetch` calls.
|
|
58
|
+
|
|
59
|
+
**Setup:**
|
|
60
|
+
|
|
61
|
+
```bash
|
|
62
|
+
brew install vault # Install Vault CLI
|
|
63
|
+
vault server -dev # Start dev server (for testing)
|
|
64
|
+
```
|
|
65
|
+
|
|
66
|
+
```bash
|
|
67
|
+
export VAULT_ADDR=http://127.0.0.1:8200
|
|
68
|
+
export VAULT_TOKEN=<your-token>
|
|
69
|
+
npx secretless-ai backend set vault # Switch backend
|
|
70
|
+
npx secretless-ai secret set DB_PASSWORD=... # Stored in Vault KV v2
|
|
71
|
+
```
|
|
72
|
+
|
|
73
|
+
Supports custom mount paths via backend config. Default mount: `secret`.
|
|
74
|
+
|
|
75
|
+
## Credential Scope Discovery
|
|
76
|
+
|
|
77
|
+
Credentials are not static — their effective permissions change when platforms evolve. Secretless detects when a credential's scope expands beyond its baseline, catching privilege escalation before it becomes a breach.
|
|
78
|
+
|
|
79
|
+
```bash
|
|
80
|
+
npx secretless-ai scope discover MY_CREDENTIAL # Discover current permissions, save baseline
|
|
81
|
+
npx secretless-ai scope check MY_CREDENTIAL # Compare to baseline, report drift
|
|
82
|
+
npx secretless-ai scope list # Show all baselines
|
|
83
|
+
npx secretless-ai scope reset MY_CREDENTIAL # Clear baseline
|
|
84
|
+
```
|
|
85
|
+
|
|
86
|
+
### Supported Providers
|
|
87
|
+
|
|
88
|
+
| Provider | Detection | API Used | Permissions Needed |
|
|
89
|
+
|----------|-----------|----------|-------------------|
|
|
90
|
+
| **GCP** | Service account key JSON | `testIamPermissions` (Cloud Resource Manager) | None (self-inspection) |
|
|
91
|
+
| **Vault** | Token prefix (`hvs.`, `s.`) | `capabilities-self` (Sys) | None (self-inspection) |
|
|
92
|
+
| **AWS** | Access key prefix (`AKIA`) | Planned | — |
|
|
93
|
+
|
|
94
|
+
### How It Works
|
|
95
|
+
|
|
96
|
+
1. Auto-detects the provider from credential format
|
|
97
|
+
2. Calls the provider's self-inspection API to discover current permissions
|
|
98
|
+
3. Compares against the stored baseline (`~/.secretless-ai/scope-baselines.json`)
|
|
99
|
+
4. Reports added/removed permissions and flags scope expansion
|
|
100
|
+
|
|
101
|
+
### Broker Integration
|
|
102
|
+
|
|
103
|
+
Add `scopeCheck: true` to any broker policy rule. The broker will block credential access if the credential's scope has expanded beyond its baseline.
|
|
104
|
+
|
|
54
105
|
## Secret Management
|
|
55
106
|
|
|
56
107
|
Store, list, and inject secrets without exposing them to AI tools.
|
|
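Review bot: The setup block exports `VAULT_ADDR=http://127.0.0.1:8200` and `VAULT_TOKEN=<your-token>`, and only the `vault server -dev` line is marked as being for testing, so a reader can carry the plain-HTTP address into real use. Suggest stating next to the exports that the `http://` address is for the local dev server only and that any other deployment needs an `https://` address, and noting that an exported token is visible to every process started from that shell. Under "Credential Scope Discovery", the text should also say what `scopeCheck: true` does when no baseline exists yet or the self-inspection call fails (block or allow), and what protects `~/.secretless-ai/scope-baselines.json`, since editing or resetting that file changes what counts as scope expansion.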
@@ -289,10 +340,15 @@ npx secretless-ai hook uninstall # Remove pre-commit hook
|
|
|
289
340
|
| `mcp-unprotect` | Restore original MCP configs |
|
|
290
341
|
| **Backend Management** | |
|
|
291
342
|
| `backend` | Show current backend status |
|
|
292
|
-
| `backend set <TYPE>` | Set backend (local, keychain, 1password) |
|
|
343
|
+
| `backend set <TYPE>` | Set backend (local, keychain, 1password, vault) |
|
|
293
344
|
| `backend list` | List all stored entries |
|
|
294
345
|
| `backend purge [--prefix] [--yes]` | Delete entries from backend |
|
|
295
346
|
| `migrate --from TYPE --to TYPE` | Migrate secrets between backends |
|
|
347
|
+
| **Scope Discovery** | |
|
|
348
|
+
| `scope discover <NAME>` | Discover credential permissions and save baseline |
|
|
349
|
+
| `scope check <NAME>` | Compare current permissions to baseline |
|
|
350
|
+
| `scope list` | Show all scope baselines |
|
|
351
|
+
| `scope reset <NAME>` | Clear a scope baseline |
|
|
296
352
|
|
|
297
353
|
## Usage via OpenA2A CLI
|
|
298
354
|
|
|
@@ -356,7 +412,7 @@ For Claude Code, Secretless installs a PreToolUse hook that intercepts every `Re
|
|
|
356
412
|
|
|
357
413
|
```bash
|
|
358
414
|
npm run build # Compile TypeScript to dist/
|
|
359
|
-
npm test # Run tests (vitest,
|
|
415
|
+
npm test # Run tests (vitest, 638 tests)
|
|
360
416
|
npm run dev # Watch mode — recompile on file changes
|
|
361
417
|
npm run clean # Remove dist/ directory
|
|
362
418
|
```
|
|
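Review bot: The count in `npm test # Run tests (vitest, 638 tests)` will be out of date as soon as a test is added or removed. Suggest dropping the number from the comment so the README does not need a change with every test commit.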
@@ -5,7 +5,7 @@
|
|
|
5
5
|
* Resolution priority: explicit CLI flag > config file > default ('local').
|
|
6
6
|
*/
|
|
7
7
|
/** Writable backend types that can be selected by the user. */
|
|
8
|
-
export type SelectableBackendType = 'local' | 'keychain' | '1password';
|
|
8
|
+
export type SelectableBackendType = 'local' | 'keychain' | '1password' | 'vault';
|
|
9
9
|
/** Default cache TTL: 5 minutes (in seconds). */
|
|
10
10
|
export declare const DEFAULT_CACHE_TTL_SECONDS = 300;
|
|
11
11
|
/** Read the current backend configuration. Returns undefined if no config file exists. */
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/backends/config.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAMH,+DAA+D;AAC/D,MAAM,MAAM,qBAAqB,GAAG,OAAO,GAAG,UAAU,GAAG,WAAW,CAAC;
|
|
1
|
+
{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/backends/config.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAMH,+DAA+D;AAC/D,MAAM,MAAM,qBAAqB,GAAG,OAAO,GAAG,UAAU,GAAG,WAAW,GAAG,OAAO,CAAC;AAKjF,iDAAiD;AACjD,eAAO,MAAM,yBAAyB,MAAM,CAAC;AAiB7C,0FAA0F;AAC1F,wBAAgB,iBAAiB,IAAI,qBAAqB,GAAG,SAAS,CAWrE;AAED,uDAAuD;AACvD,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,qBAAqB,GAAG,IAAI,CAiBvE;AAED;;;;GAIG;AACH,wBAAgB,kBAAkB,CAAC,YAAY,CAAC,EAAE,MAAM,GAAG,qBAAqB,CAK/E;AAED,+EAA+E;AAC/E,wBAAgB,YAAY,IAAI,MAAM,CAWrC;AAED,yEAAyE;AACzE,wBAAgB,aAAa,CAAC,UAAU,EAAE,MAAM,GAAG,IAAI,CAiBtD;AAED;;;;GAIG;AACH,wBAAgB,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAmBnD;AAED;;GAEG;AACH,wBAAgB,SAAS,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAMjD"}
|
package/dist/backends/config.js
CHANGED
|
@@ -65,7 +65,7 @@ function readBackendConfig() {
|
|
|
65
65
|
try {
|
|
66
66
|
const raw = fs.readFileSync(configPath(), 'utf-8');
|
|
67
67
|
const config = JSON.parse(raw);
|
|
68
|
-
if (config.backend === 'local' || config.backend === 'keychain' || config.backend === '1password') {
|
|
68
|
+
if (config.backend === 'local' || config.backend === 'keychain' || config.backend === '1password' || config.backend === 'vault') {
|
|
69
69
|
return config.backend;
|
|
70
70
|
}
|
|
71
71
|
return undefined;
|
|
@@ -98,7 +98,7 @@ function writeBackendConfig(backend) {
|
|
|
98
98
|
* Priority: explicit flag > config file > default ('local').
|
|
99
99
|
*/
|
|
100
100
|
function resolveBackendType(explicitFlag) {
|
|
101
|
-
if (explicitFlag === 'local' || explicitFlag === 'keychain' || explicitFlag === '1password') {
|
|
101
|
+
if (explicitFlag === 'local' || explicitFlag === 'keychain' || explicitFlag === '1password' || explicitFlag === 'vault') {
|
|
102
102
|
return explicitFlag;
|
|
103
103
|
}
|
|
104
104
|
return readBackendConfig() ?? DEFAULT_BACKEND;
|
|
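Review bot: In `resolveBackendType` the accepted names are a hand-written chain, `explicitFlag === 'local' || explicitFlag === 'keychain' || explicitFlag === '1password' || explicitFlag === 'vault'`, and the same chain is repeated on `config.backend` in `readBackendConfig` and a third time in the `SelectableBackendType` union. Suggest one shared list of backend names that both checks test membership against, so the next backend cannot be added to one place and missed in another. Separately, an unrecognised `explicitFlag` still falls through silently to `readBackendConfig() ?? DEFAULT_BACKEND`; with a remote backend now selectable, a mistyped flag value would put secrets in a different store than the one requested, so rejecting unknown values with an error would be safer.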
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"config.js","sourceRoot":"","sources":["../../src/backends/config.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA+BH,8CAWC;AAGD,gDAiBC;AAOD,gDAKC;AAGD,oCAWC;AAGD,sCAiBC;AAOD,sCAmBC;AAKD,8BAMC;AA/ID,uCAAyB;AACzB,2CAA6B;AAM7B,MAAM,eAAe,GAAG,aAAa,CAAC;AACtC,MAAM,eAAe,GAA0B,OAAO,CAAC;AAEvD,iDAAiD;AACpC,QAAA,yBAAyB,GAAG,GAAG,CAAC;AAQ7C,SAAS,SAAS;IAChB,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,OAAO,CAAC,GAAG,CAAC,WAAW,IAAI,MAAM,CAAC;IACnE,OAAO,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,gBAAgB,CAAC,CAAC;AAC3C,CAAC;AAED,SAAS,UAAU;IACjB,OAAO,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,EAAE,eAAe,CAAC,CAAC;AACjD,CAAC;AAED,0FAA0F;AAC1F,SAAgB,iBAAiB;IAC/B,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,UAAU,EAAE,EAAE,OAAO,CAAC,CAAC;QACnD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAqB,CAAC;QACnD,IAAI,MAAM,CAAC,OAAO,KAAK,OAAO,IAAI,MAAM,CAAC,OAAO,KAAK,UAAU,IAAI,MAAM,CAAC,OAAO,KAAK,WAAW,EAAE,CAAC;
|
|
1
|
+
{"version":3,"file":"config.js","sourceRoot":"","sources":["../../src/backends/config.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA+BH,8CAWC;AAGD,gDAiBC;AAOD,gDAKC;AAGD,oCAWC;AAGD,sCAiBC;AAOD,sCAmBC;AAKD,8BAMC;AA/ID,uCAAyB;AACzB,2CAA6B;AAM7B,MAAM,eAAe,GAAG,aAAa,CAAC;AACtC,MAAM,eAAe,GAA0B,OAAO,CAAC;AAEvD,iDAAiD;AACpC,QAAA,yBAAyB,GAAG,GAAG,CAAC;AAQ7C,SAAS,SAAS;IAChB,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,OAAO,CAAC,GAAG,CAAC,WAAW,IAAI,MAAM,CAAC;IACnE,OAAO,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,gBAAgB,CAAC,CAAC;AAC3C,CAAC;AAED,SAAS,UAAU;IACjB,OAAO,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,EAAE,eAAe,CAAC,CAAC;AACjD,CAAC;AAED,0FAA0F;AAC1F,SAAgB,iBAAiB;IAC/B,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,UAAU,EAAE,EAAE,OAAO,CAAC,CAAC;QACnD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAqB,CAAC;QACnD,IAAI,MAAM,CAAC,OAAO,KAAK,OAAO,IAAI,MAAM,CAAC,OAAO,KAAK,UAAU,IAAI,MAAM,CAAC,OAAO,KAAK,WAAW,IAAI,MAAM,CAAC,OAAO,KAAK,OAAO,EAAE,CAAC;YAChI,OAAO,MAAM,CAAC,OAAO,CAAC;QACxB,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED,uDAAuD;AACvD,SAAgB,kBAAkB,CAAC,OAA8B;IAC/D,MAAM,GAAG,GAAG,SAAS,EAAE,CAAC;IACxB,EAAE,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAEpD,MAAM,EAAE,GAAG,UAAU,EAAE,CAAC;IACxB,IAAI,MAAM,GAAqB,EAAE,CAAC;IAClC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC;QACzC,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAqB,CAAC;IAC/C,CAAC;IAAC,MAAM,CAAC;QACP,mDAAmD;IACrD,CAAC;IAED,MAAM,CAAC,OAAO,GAAG,OAAO,CAAC;IACzB,MAAM,OAAO,GAAG,EAAE,GAAG,MAAM,CAAC;IAC5B,EAAE,CAAC,aAAa,CAAC,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IACnF,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;AAC7B,CAAC;AAED;;;;GAIG;AACH,SAAgB,kBAAkB,CAAC,YAAqB;IACtD,IAAI,YAAY,KAAK,OAAO,IAAI,YAAY,KAAK,UAAU,IAAI,YAAY,KAAK,WAAW,IAAI,YAAY,KAAK,OAAO,EAAE,CAAC;QACxH,OAAO,YAAY,CAAC;IACtB,CAAC;IACD,OAAO,iBAAiB,EAAE,IAAI,eAAe,CAAC;AAChD,CAAC;AAED,+E
AA+E;AAC/E,SAAgB,YAAY;IAC1B,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,UAAU,EAAE,EAAE,OAAO,CAAC,CAAC;QACnD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAqB,CAAC;QACnD,IAAI,OAAO,MAAM,CAAC,QAAQ,KAAK,QAAQ,IAAI,MAAM,CAAC,QAAQ,IAAI,CAAC,EAAE,CAAC;YAChE,OAAO,MAAM,CAAC,QAAQ,CAAC;QACzB,CAAC;QACD,OAAO,iCAAyB,CAAC;IACnC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,iCAAyB,CAAC;IACnC,CAAC;AACH,CAAC;AAED,yEAAyE;AACzE,SAAgB,aAAa,CAAC,UAAkB;IAC9C,MAAM,GAAG,GAAG,SAAS,EAAE,CAAC;IACxB,EAAE,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAEpD,MAAM,EAAE,GAAG,UAAU,EAAE,CAAC;IACxB,IAAI,MAAM,GAAqB,EAAE,CAAC;IAClC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC;QACzC,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAqB,CAAC;IAC/C,CAAC;IAAC,MAAM,CAAC;QACP,mDAAmD;IACrD,CAAC;IAED,MAAM,CAAC,QAAQ,GAAG,UAAU,CAAC;IAC7B,MAAM,OAAO,GAAG,EAAE,GAAG,MAAM,CAAC;IAC5B,EAAE,CAAC,aAAa,CAAC,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IACnF,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;AAC7B,CAAC;AAED;;;;GAIG;AACH,SAAgB,aAAa,CAAC,KAAa;IACzC,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAC3C,IAAI,OAAO,KAAK,KAAK,IAAI,OAAO,KAAK,GAAG;QAAE,OAAO,CAAC,CAAC;IAEnD,wBAAwB;IACxB,IAAI,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC;QAAE,OAAO,QAAQ,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;IAExD,gBAAgB;IAChB,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,qBAAqB,CAAC,CAAC;IACnD,IAAI,CAAC,KAAK;QAAE,OAAO,CAAC,CAAC,CAAC;IAEtB,MAAM,MAAM,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IACtC,QAAQ,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;QACjB,KAAK,GAAG,CAAC,CAAC,OAAO,MAAM,CAAC;QACxB,KAAK,GAAG,CAAC,CAAC,OAAO,MAAM,GAAG,EAAE,CAAC;QAC7B,KAAK,GAAG,CAAC,CAAC,OAAO,MAAM,GAAG,IAAI,CAAC;QAC/B,KAAK,GAAG,CAAC,CAAC,OAAO,MAAM,GAAG,KAAK,CAAC;QAChC,OAAO,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC;IACrB,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAgB,SAAS,CAAC,OAAe;IACvC,IAAI,OAAO,IAAI,CAAC;QAAE,OAAO,KAAK,CAAC;IAC/B,IAAI,OAAO,GAAG,EAAE;QAAE,OAAO,GAAG,OAAO,GAAG,CAAC;IACvC,IAAI,OAAO,GAAG,IAAI;QAAE,OAAO,GAAG,
OAAO,GAAG,EAAE,GAAG,CAAC;IAC9C,IAAI,OAAO,GAAG,KAAK;QAAE,OAAO,GAAG,OAAO,GAAG,IAAI,GAAG,CAAC;IACjD,OAAO,GAAG,OAAO,GAAG,KAAK,GAAG,CAAC;AAC/B,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"factory.d.ts","sourceRoot":"","sources":["../../src/backends/factory.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;
|
|
1
|
+
{"version":3,"file":"factory.d.ts","sourceRoot":"","sources":["../../src/backends/factory.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AASH,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,SAAS,CAAC;AACrD,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,UAAU,CAAC;AAEtD;;;;;GAKG;AACH,wBAAgB,aAAa,CAC3B,IAAI,EAAE,qBAAqB,EAC3B,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC/B,qBAAqB,CA4BvB;AAED;;;GAGG;AACH,wBAAgB,mBAAmB,IAAI;IAAE,SAAS,EAAE,OAAO,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAgC/F;AAED;;;GAGG;AACH,wBAAgB,sBAAsB,IAAI;IAAE,SAAS,EAAE,OAAO,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAwBhF"}
|
package/dist/backends/factory.js
CHANGED
|
@@ -14,6 +14,7 @@ const local_1 = require("./local");
|
|
|
14
14
|
const keychain_macos_1 = require("./keychain-macos");
|
|
15
15
|
const keychain_linux_1 = require("./keychain-linux");
|
|
16
16
|
const onepassword_1 = require("./onepassword");
|
|
17
|
+
const vault_1 = require("./vault");
|
|
17
18
|
const cache_1 = require("./cache");
|
|
18
19
|
const config_1 = require("./config");
|
|
19
20
|
/**
|
|
@@ -31,6 +32,9 @@ function createBackend(type, config) {
|
|
|
31
32
|
case '1password':
|
|
32
33
|
backend = new onepassword_1.OnePasswordBackend(config);
|
|
33
34
|
break;
|
|
35
|
+
case 'vault':
|
|
36
|
+
backend = new vault_1.VaultBackend(config);
|
|
37
|
+
break;
|
|
34
38
|
case 'local':
|
|
35
39
|
default:
|
|
36
40
|
// Local backend uses file-based encryption — no OS prompts, no cache needed
|
|
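Review bot: The new `case 'vault':` ends in `break`, like the `1password` case, while the comment on the `local` case says "no OS prompts, no cache needed", so Vault reads appear to go through the cache layer imported as `cache_1`. Please confirm that is intended and document it: with a cached copy, a value rotated or deleted in Vault can keep being served until the TTL runs out (`DEFAULT_CACHE_TTL_SECONDS = 300` in `config.d.ts`), which matters for a backend whose selling point is central control of team secrets.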
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"factory.js","sourceRoot":"","sources":["../../src/backends/factory.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;
|
|
1
|
+
{"version":3,"file":"factory.js","sourceRoot":"","sources":["../../src/backends/factory.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;AAkBH,sCA+BC;AAMD,kDAgCC;AAMD,wDAwBC;AAnHD,mCAAuC;AACvC,qDAAwD;AACxD,qDAAwD;AACxD,+CAAmD;AACnD,mCAAuC;AACvC,mCAAwC;AACxC,qCAAwC;AAIxC;;;;;GAKG;AACH,SAAgB,aAAa,CAC3B,IAA2B,EAC3B,MAAgC;IAEhC,IAAI,OAA8B,CAAC;IAEnC,QAAQ,IAAI,EAAE,CAAC;QACb,KAAK,UAAU;YACb,OAAO,GAAG,qBAAqB,CAAC,MAAM,CAAC,CAAC;YACxC,MAAM;QAER,KAAK,WAAW;YACd,OAAO,GAAG,IAAI,gCAAkB,CAAC,MAAM,CAAC,CAAC;YACzC,MAAM;QAER,KAAK,OAAO;YACV,OAAO,GAAG,IAAI,oBAAY,CAAC,MAAM,CAAC,CAAC;YACnC,MAAM;QAER,KAAK,OAAO,CAAC;QACb;YACE,4EAA4E;YAC5E,OAAO,IAAI,oBAAY,CAAC,MAAM,CAAC,CAAC;IACpC,CAAC;IAED,kFAAkF;IAClF,MAAM,UAAU,GAAG,IAAA,qBAAY,GAAE,CAAC;IAClC,IAAI,UAAU,GAAG,CAAC,EAAE,CAAC;QACnB,OAAO,IAAI,qBAAa,CAAC,OAAO,EAAE,EAAE,KAAK,EAAE,UAAU,GAAG,IAAI,EAAE,CAAC,CAAC;IAClE,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;GAGG;AACH,SAAgB,mBAAmB;IACjC,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;IAElC,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC1B,IAAI,CAAC;YACH,MAAM,EAAE,YAAY,EAAE,GAAG,OAAO,CAAC,eAAe,CAAC,CAAC;YAClD,YAAY,CAAC,UAAU,EAAE,CAAC,kBAAkB,CAAC,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;YAClE,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,6BAA6B,EAAE,CAAC;QACxF,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,kCAAkC,EAAE,CAAC;QAC9F,CAAC;IACH,CAAC;IAED,IAAI,QAAQ,KAAK,OAAO,EAAE,CAAC;QACzB,IAAI,CAAC;YACH,MAAM,EAAE,YAAY,EAAE,GAAG,OAAO,CAAC,eAAe,CAAC,CAAC;YAClD,YAAY,CAAC,OAAO,EAAE,CAAC,aAAa,CAAC,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;YAC1D,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,iDAAiD,EAAE,CAAC;QAC5G,CAAC;QAAC,MAAM,CAAC;YACP,OAAO;gBACL,SAAS,EAAE,KAAK;gBAChB,QAAQ,EAAE,OAAO;gBACjB,OAAO,EAAE,4FAA4F;aACtG,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO;QACL,SAAS,EAAE,KAAK;QAChB,QAAQ,EAAE,QAAQ;QAClB,OAAO,EAAE,mCAAmC,QAAQ,kCAAkC;KACvF,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,SAAgB,sBAAsB;IACpC,IAAI,CAAC;QACH,MAAM,EAAE,YAAY,EAAE,GAAG,OAAO,CAAC,eAAe,CAAC,CAAC;QAClD,YAAY,CAAC,IAAI,EAAE,CAAC,WAA
W,CAAC,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;IACvD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO;YACL,SAAS,EAAE,KAAK;YAChB,OAAO,EAAE,qFAAqF;SAC/F,CAAC;IACJ,CAAC;IAED,IAAI,CAAC;QACH,MAAM,EAAE,YAAY,EAAE,GAAG,OAAO,CAAC,eAAe,CAAC,CAAC;QAClD,YAAY,CAAC,IAAI,EAAE,CAAC,SAAS,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,CAAC,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;QAC9E,OAAO;YACL,SAAS,EAAE,IAAI;YACf,OAAO,EAAE,2CAA2C;SACrD,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO;YACL,SAAS,EAAE,KAAK;YAChB,OAAO,EAAE,6FAA6F;SACvG,CAAC;IACJ,CAAC;AACH,CAAC;AAED,SAAS,qBAAqB,CAAC,MAAgC;IAC7D,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;IAElC,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC1B,OAAO,IAAI,qCAAoB,CAAC,MAAM,CAAC,CAAC;IAC1C,CAAC;IAED,IAAI,QAAQ,KAAK,OAAO,EAAE,CAAC;QACzB,OAAO,IAAI,qCAAoB,CAAC,MAAM,CAAC,CAAC;IAC1C,CAAC;IAED,2DAA2D;IAC3D,OAAO,CAAC,KAAK,CACX,4CAA4C,QAAQ,4CAA4C,CACjG,CAAC;IACF,OAAO,IAAI,oBAAY,CAAC,MAAM,CAAC,CAAC;AAClC,CAAC"}
|
package/dist/backends/index.d.ts
CHANGED
|
@@ -2,6 +2,7 @@ export type { SecretBackend, WritableSecretBackend, BackendHealth, BackendConfig
|
|
|
2
2
|
export { LocalBackend } from './local';
|
|
3
3
|
export { MacOSKeychainBackend } from './keychain-macos';
|
|
4
4
|
export { LinuxKeychainBackend } from './keychain-linux';
|
|
5
|
+
export { VaultBackend, type VaultBackendConfig } from './vault';
|
|
5
6
|
export { createBackend, isKeychainAvailable } from './factory';
|
|
6
7
|
export { readBackendConfig, writeBackendConfig, resolveBackendType, readCacheTtl, writeCacheTtl, parseDuration, formatTtl, DEFAULT_CACHE_TTL_SECONDS, type SelectableBackendType } from './config';
|
|
7
8
|
export { CachedBackend, clearCacheFile } from './cache';
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/backends/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,aAAa,EAAE,qBAAqB,EAAE,aAAa,EAAE,aAAa,EAAE,WAAW,EAAE,gBAAgB,EAAE,MAAM,SAAS,CAAC;AACjI,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,EAAE,oBAAoB,EAAE,MAAM,kBAAkB,CAAC;AACxD,OAAO,EAAE,oBAAoB,EAAE,MAAM,kBAAkB,CAAC;AACxD,OAAO,EAAE,aAAa,EAAE,mBAAmB,EAAE,MAAM,WAAW,CAAC;AAC/D,OAAO,EAAE,iBAAiB,EAAE,kBAAkB,EAAE,kBAAkB,EAAE,YAAY,EAAE,aAAa,EAAE,aAAa,EAAE,SAAS,EAAE,yBAAyB,EAAE,KAAK,qBAAqB,EAAE,MAAM,UAAU,CAAC;AACnM,OAAO,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AACxD,OAAO,EAAE,cAAc,EAAE,KAAK,cAAc,EAAE,KAAK,aAAa,EAAE,MAAM,WAAW,CAAC"}
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/backends/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,aAAa,EAAE,qBAAqB,EAAE,aAAa,EAAE,aAAa,EAAE,WAAW,EAAE,gBAAgB,EAAE,MAAM,SAAS,CAAC;AACjI,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,EAAE,oBAAoB,EAAE,MAAM,kBAAkB,CAAC;AACxD,OAAO,EAAE,oBAAoB,EAAE,MAAM,kBAAkB,CAAC;AACxD,OAAO,EAAE,YAAY,EAAE,KAAK,kBAAkB,EAAE,MAAM,SAAS,CAAC;AAChE,OAAO,EAAE,aAAa,EAAE,mBAAmB,EAAE,MAAM,WAAW,CAAC;AAC/D,OAAO,EAAE,iBAAiB,EAAE,kBAAkB,EAAE,kBAAkB,EAAE,YAAY,EAAE,aAAa,EAAE,aAAa,EAAE,SAAS,EAAE,yBAAyB,EAAE,KAAK,qBAAqB,EAAE,MAAM,UAAU,CAAC;AACnM,OAAO,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AACxD,OAAO,EAAE,cAAc,EAAE,KAAK,cAAc,EAAE,KAAK,aAAa,EAAE,MAAM,WAAW,CAAC"}
|
package/dist/backends/index.js
CHANGED
|
@@ -1,12 +1,14 @@
|
|
|
1
1
|
"use strict";
|
|
2
2
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
-
exports.migrateSecrets = exports.clearCacheFile = exports.CachedBackend = exports.DEFAULT_CACHE_TTL_SECONDS = exports.formatTtl = exports.parseDuration = exports.writeCacheTtl = exports.readCacheTtl = exports.resolveBackendType = exports.writeBackendConfig = exports.readBackendConfig = exports.isKeychainAvailable = exports.createBackend = exports.LinuxKeychainBackend = exports.MacOSKeychainBackend = exports.LocalBackend = void 0;
|
|
3
|
+
exports.migrateSecrets = exports.clearCacheFile = exports.CachedBackend = exports.DEFAULT_CACHE_TTL_SECONDS = exports.formatTtl = exports.parseDuration = exports.writeCacheTtl = exports.readCacheTtl = exports.resolveBackendType = exports.writeBackendConfig = exports.readBackendConfig = exports.isKeychainAvailable = exports.createBackend = exports.VaultBackend = exports.LinuxKeychainBackend = exports.MacOSKeychainBackend = exports.LocalBackend = void 0;
|
|
4
4
|
var local_1 = require("./local");
|
|
5
5
|
Object.defineProperty(exports, "LocalBackend", { enumerable: true, get: function () { return local_1.LocalBackend; } });
|
|
6
6
|
var keychain_macos_1 = require("./keychain-macos");
|
|
7
7
|
Object.defineProperty(exports, "MacOSKeychainBackend", { enumerable: true, get: function () { return keychain_macos_1.MacOSKeychainBackend; } });
|
|
8
8
|
var keychain_linux_1 = require("./keychain-linux");
|
|
9
9
|
Object.defineProperty(exports, "LinuxKeychainBackend", { enumerable: true, get: function () { return keychain_linux_1.LinuxKeychainBackend; } });
|
|
10
|
+
var vault_1 = require("./vault");
|
|
11
|
+
Object.defineProperty(exports, "VaultBackend", { enumerable: true, get: function () { return vault_1.VaultBackend; } });
|
|
10
12
|
var factory_1 = require("./factory");
|
|
11
13
|
Object.defineProperty(exports, "createBackend", { enumerable: true, get: function () { return factory_1.createBackend; } });
|
|
12
14
|
Object.defineProperty(exports, "isKeychainAvailable", { enumerable: true, get: function () { return factory_1.isKeychainAvailable; } });
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/backends/index.ts"],"names":[],"mappings":";;;AACA,iCAAuC;AAA9B,qGAAA,YAAY,OAAA;AACrB,mDAAwD;AAA/C,sHAAA,oBAAoB,OAAA;AAC7B,mDAAwD;AAA/C,sHAAA,oBAAoB,OAAA;AAC7B,qCAA+D;AAAtD,wGAAA,aAAa,OAAA;AAAE,8GAAA,mBAAmB,OAAA;AAC3C,mCAAmM;AAA1L,2GAAA,iBAAiB,OAAA;AAAE,4GAAA,kBAAkB,OAAA;AAAE,4GAAA,kBAAkB,OAAA;AAAE,sGAAA,YAAY,OAAA;AAAE,uGAAA,aAAa,OAAA;AAAE,uGAAA,aAAa,OAAA;AAAE,mGAAA,SAAS,OAAA;AAAE,mHAAA,yBAAyB,OAAA;AACpJ,iCAAwD;AAA/C,sGAAA,aAAa,OAAA;AAAE,uGAAA,cAAc,OAAA;AACtC,qCAAoF;AAA3E,yGAAA,cAAc,OAAA"}
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/backends/index.ts"],"names":[],"mappings":";;;AACA,iCAAuC;AAA9B,qGAAA,YAAY,OAAA;AACrB,mDAAwD;AAA/C,sHAAA,oBAAoB,OAAA;AAC7B,mDAAwD;AAA/C,sHAAA,oBAAoB,OAAA;AAC7B,iCAAgE;AAAvD,qGAAA,YAAY,OAAA;AACrB,qCAA+D;AAAtD,wGAAA,aAAa,OAAA;AAAE,8GAAA,mBAAmB,OAAA;AAC3C,mCAAmM;AAA1L,2GAAA,iBAAiB,OAAA;AAAE,4GAAA,kBAAkB,OAAA;AAAE,4GAAA,kBAAkB,OAAA;AAAE,sGAAA,YAAY,OAAA;AAAE,uGAAA,aAAa,OAAA;AAAE,uGAAA,aAAa,OAAA;AAAE,mGAAA,SAAS,OAAA;AAAE,mHAAA,yBAAyB,OAAA;AACpJ,iCAAwD;AAA/C,sGAAA,aAAa,OAAA;AAAE,uGAAA,cAAc,OAAA;AACtC,qCAAoF;AAA3E,yGAAA,cAAc,OAAA"}
|
|
@@ -0,0 +1,44 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* HashiCorp Vault secret backend.
|
|
3
|
+
*
|
|
4
|
+
* Implements WritableSecretBackend using the Vault KV v2 HTTP API.
|
|
5
|
+
* Zero SDK dependency -- raw fetch calls to the Vault server.
|
|
6
|
+
*
|
|
7
|
+
* Auth: VAULT_ADDR + VAULT_TOKEN from environment (standard Vault pattern).
|
|
8
|
+
* Engine: KV v2 (most common) -- secrets at /v1/{mount}/data/{key}.
|
|
9
|
+
*/
|
|
10
|
+
import type { WritableSecretBackend, BackendHealth } from './types';
|
|
11
|
+
export interface VaultBackendConfig {
|
|
12
|
+
/** Vault server address (overrides VAULT_ADDR env var). */
|
|
13
|
+
addr?: string;
|
|
14
|
+
/** Vault token (overrides VAULT_TOKEN env var). */
|
|
15
|
+
token?: string;
|
|
16
|
+
/** KV v2 mount path. Default: "secret". */
|
|
17
|
+
mountPath?: string;
|
|
18
|
+
}
|
|
19
|
+
export declare class VaultBackend implements WritableSecretBackend {
|
|
20
|
+
readonly name = "vault";
|
|
21
|
+
private addr;
|
|
22
|
+
private token;
|
|
23
|
+
private mountPath;
|
|
24
|
+
constructor(config?: VaultBackendConfig | Record<string, unknown>);
|
|
25
|
+
/**
|
|
26
|
+
* Resolve secrets from Vault.
|
|
27
|
+
*
|
|
28
|
+
* Matches the LocalBackend contract:
|
|
29
|
+
* - resolve("secret/KEY") returns { "secret/KEY": "value" }
|
|
30
|
+
* - resolve("secret") returns all keys under the "secret/" prefix
|
|
31
|
+
*/
|
|
32
|
+
resolve(path: string): Promise<Record<string, string>>;
|
|
33
|
+
/**
|
|
34
|
+
* List all keys under a prefix and read each one.
|
|
35
|
+
* Uses the KV v2 metadata LIST endpoint.
|
|
36
|
+
*/
|
|
37
|
+
private listPrefix;
|
|
38
|
+
store(key: string, value: string): Promise<void>;
|
|
39
|
+
delete(key: string): Promise<boolean>;
|
|
40
|
+
healthCheck(): Promise<BackendHealth>;
|
|
41
|
+
private ensureConfigured;
|
|
42
|
+
private request;
|
|
43
|
+
}
|
|
44
|
+
//# sourceMappingURL=vault.d.ts.map
|
|
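Review bot: The constructor signature `constructor(config?: VaultBackendConfig | Record<string, unknown>)` accepts any object, so a misspelled key such as `mountpath` type-checks and the backend quietly uses the default mount `secret`. Suggest narrowing the parameter to `VaultBackendConfig`, or validating the keys at runtime and failing on unknown ones. The `resolve` doc comment also uses `resolve("secret/KEY")` as its example while the default mount is itself named `secret`; state whether the path is relative to the mount so callers do not double the prefix.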
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"vault.d.ts","sourceRoot":"","sources":["../../src/backends/vault.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EAAE,qBAAqB,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAKpE,MAAM,WAAW,kBAAkB;IACjC,2DAA2D;IAC3D,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,mDAAmD;IACnD,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,2CAA2C;IAC3C,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,qBAAa,YAAa,YAAW,qBAAqB;IACxD,QAAQ,CAAC,IAAI,WAAW;IAExB,OAAO,CAAC,IAAI,CAAS;IACrB,OAAO,CAAC,KAAK,CAAS;IACtB,OAAO,CAAC,SAAS,CAAS;gBAEd,MAAM,CAAC,EAAE,kBAAkB,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;IAOjE;;;;;;OAMG;IACG,OAAO,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IA8B5D;;;OAGG;YACW,UAAU;IAyClB,KAAK,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAiBhD,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAqBrC,WAAW,IAAI,OAAO,CAAC,aAAa,CAAC;IAyD3C,OAAO,CAAC,gBAAgB;YASV,OAAO;CA8BtB"}
|
|
@@ -0,0 +1,195 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
/**
|
|
3
|
+
* HashiCorp Vault secret backend.
|
|
4
|
+
*
|
|
5
|
+
* Implements WritableSecretBackend using the Vault KV v2 HTTP API.
|
|
6
|
+
* Zero SDK dependency -- raw fetch calls to the Vault server.
|
|
7
|
+
*
|
|
8
|
+
* Auth: VAULT_ADDR + VAULT_TOKEN from environment (standard Vault pattern).
|
|
9
|
+
* Engine: KV v2 (most common) -- secrets at /v1/{mount}/data/{key}.
|
|
10
|
+
*/
|
|
11
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
12
|
+
exports.VaultBackend = void 0;
|
|
13
|
+
const DEFAULT_MOUNT_PATH = 'secret';
|
|
14
|
+
const REQUEST_TIMEOUT_MS = 10000;
|
|
15
|
+
class VaultBackend {
|
|
16
|
+
constructor(config) {
|
|
17
|
+
this.name = 'vault';
|
|
18
|
+
const c = (config ?? {});
|
|
19
|
+
this.addr = (c.addr ?? process.env.VAULT_ADDR ?? '').replace(/\/$/, '');
|
|
20
|
+
this.token = c.token ?? process.env.VAULT_TOKEN ?? '';
|
|
21
|
+
this.mountPath = c.mountPath ?? DEFAULT_MOUNT_PATH;
|
|
22
|
+
}
|
|
23
|
+
/**
|
|
24
|
+
* Resolve secrets from Vault.
|
|
25
|
+
*
|
|
26
|
+
* Matches the LocalBackend contract:
|
|
27
|
+
* - resolve("secret/KEY") returns { "secret/KEY": "value" }
|
|
28
|
+
* - resolve("secret") returns all keys under the "secret/" prefix
|
|
29
|
+
*/
|
|
30
|
+
async resolve(path) {
|
|
31
|
+
this.ensureConfigured();
|
|
32
|
+
// Try direct read first
|
|
33
|
+
const readUrl = `${this.addr}/v1/${this.mountPath}/data/${path}`;
|
|
34
|
+
const readResponse = await this.request('GET', readUrl);
|
|
35
|
+
if (readResponse.ok) {
|
|
36
|
+
const body = await readResponse.json();
|
|
37
|
+
const value = body.data?.data?.value;
|
|
38
|
+
if (value !== undefined) {
|
|
39
|
+
return { [path]: value };
|
|
40
|
+
}
|
|
41
|
+
return {};
|
|
42
|
+
}
|
|
43
|
+
if (readResponse.status === 403) {
|
|
44
|
+
throw new Error(`Vault: permission denied reading "${path}"`);
|
|
45
|
+
}
|
|
46
|
+
// 404 on direct read -- try listing keys under this prefix
|
|
47
|
+
if (readResponse.status === 404) {
|
|
48
|
+
return this.listPrefix(path);
|
|
49
|
+
}
|
|
50
|
+
throw new Error(`Vault: read failed (HTTP ${readResponse.status})`);
|
|
51
|
+
}
|
|
52
|
+
/**
|
|
53
|
+
* List all keys under a prefix and read each one.
|
|
54
|
+
* Uses the KV v2 metadata LIST endpoint.
|
|
55
|
+
*/
|
|
56
|
+
async listPrefix(prefix) {
|
|
57
|
+
const listUrl = `${this.addr}/v1/${this.mountPath}/metadata/${prefix}`;
|
|
58
|
+
const listResponse = await this.request('LIST', listUrl);
|
|
59
|
+
if (listResponse.status === 404) {
|
|
60
|
+
return {};
|
|
61
|
+
}
|
|
62
|
+
if (!listResponse.ok) {
|
|
63
|
+
return {};
|
|
64
|
+
}
|
|
65
|
+
const listBody = await listResponse.json();
|
|
66
|
+
const keys = listBody.data?.keys ?? [];
|
|
67
|
+
const results = {};
|
|
68
|
+
for (const key of keys) {
|
|
69
|
+
// Skip subdirectories (trailing /)
|
|
70
|
+
if (key.endsWith('/'))
|
|
71
|
+
continue;
|
|
72
|
+
const fullPath = `${prefix}/${key}`;
|
|
73
|
+
const readUrl = `${this.addr}/v1/${this.mountPath}/data/${fullPath}`;
|
|
74
|
+
const readResponse = await this.request('GET', readUrl);
|
|
75
|
+
if (readResponse.ok) {
|
|
76
|
+
const body = await readResponse.json();
|
|
77
|
+
const value = body.data?.data?.value;
|
|
78
|
+
if (value !== undefined) {
|
|
79
|
+
results[fullPath] = value;
|
|
80
|
+
}
|
|
81
|
+
}
|
|
82
|
+
}
|
|
83
|
+
return results;
|
|
84
|
+
}
|
|
85
|
+
async store(key, value) {
|
|
86
|
+
this.ensureConfigured();
|
|
87
|
+
const url = `${this.addr}/v1/${this.mountPath}/data/${key}`;
|
|
88
|
+
const response = await this.request('POST', url, {
|
|
89
|
+
data: { value },
|
|
90
|
+
});
|
|
91
|
+
if (response.status === 403) {
|
|
92
|
+
throw new Error(`Vault: permission denied writing "${key}"`);
|
|
93
|
+
}
|
|
94
|
+
if (!response.ok) {
|
|
95
|
+
throw new Error(`Vault: write failed (HTTP ${response.status})`);
|
|
96
|
+
}
|
|
97
|
+
}
|
|
98
|
+
async delete(key) {
|
|
99
|
+
this.ensureConfigured();
|
|
100
|
+
const url = `${this.addr}/v1/${this.mountPath}/data/${key}`;
|
|
101
|
+
const response = await this.request('DELETE', url);
|
|
102
|
+
if (response.status === 404) {
|
|
103
|
+
return false;
|
|
104
|
+
}
|
|
105
|
+
if (response.status === 403) {
|
|
106
|
+
throw new Error(`Vault: permission denied deleting "${key}"`);
|
|
107
|
+
}
|
|
108
|
+
if (response.status === 204 || response.ok) {
|
|
109
|
+
return true;
|
|
110
|
+
}
|
|
111
|
+
throw new Error(`Vault: delete failed (HTTP ${response.status})`);
|
|
112
|
+
}
|
|
113
|
+
async healthCheck() {
|
|
114
|
+
if (!this.addr) {
|
|
115
|
+
return { healthy: false, latencyMs: 0, message: 'VAULT_ADDR not configured' };
|
|
116
|
+
}
|
|
117
|
+
const start = Date.now();
|
|
118
|
+
try {
|
|
119
|
+
const url = `${this.addr}/v1/sys/health`;
|
|
120
|
+
const controller = new AbortController();
|
|
121
|
+
const timeout = setTimeout(() => controller.abort(), 5000);
|
|
122
|
+
try {
|
|
123
|
+
const response = await fetch(url, {
|
|
124
|
+
method: 'GET',
|
|
125
|
+
headers: { 'User-Agent': 'secretless-ai/1.0' },
|
|
126
|
+
signal: controller.signal,
|
|
127
|
+
});
|
|
128
|
+
const latencyMs = Date.now() - start;
|
|
129
|
+
// Vault health endpoint status codes:
|
|
130
|
+
// 200 = initialized, unsealed, active
|
|
131
|
+
// 429 = unsealed, standby
|
|
132
|
+
// 472 = data recovery replication secondary
|
|
133
|
+
// 473 = performance standby
|
|
134
|
+
// 501 = not initialized
|
|
135
|
+
// 503 = sealed
|
|
136
|
+
if (response.status === 200) {
|
|
137
|
+
return { healthy: true, latencyMs, message: 'Vault is healthy' };
|
|
138
|
+
}
|
|
139
|
+
if (response.status === 429 || response.status === 472 || response.status === 473) {
|
|
140
|
+
return { healthy: true, latencyMs, message: `Vault is healthy (standby, HTTP ${response.status})` };
|
|
141
|
+
}
|
|
142
|
+
if (response.status === 503) {
|
|
143
|
+
return { healthy: false, latencyMs, message: 'Vault is sealed' };
|
|
144
|
+
}
|
|
145
|
+
if (response.status === 501) {
|
|
146
|
+
return { healthy: false, latencyMs, message: 'Vault is not initialized' };
|
|
147
|
+
}
|
|
148
|
+
return { healthy: false, latencyMs, message: `Vault health check returned HTTP ${response.status}` };
|
|
149
|
+
}
|
|
150
|
+
finally {
|
|
151
|
+
clearTimeout(timeout);
|
|
152
|
+
}
|
|
153
|
+
}
|
|
154
|
+
catch (err) {
|
|
155
|
+
return {
|
|
156
|
+
healthy: false,
|
|
157
|
+
latencyMs: Date.now() - start,
|
|
158
|
+
message: err instanceof Error ? err.message : 'Connection failed',
|
|
159
|
+
};
|
|
160
|
+
}
|
|
161
|
+
}
|
|
162
|
+
ensureConfigured() {
|
|
163
|
+
if (!this.addr) {
|
|
164
|
+
throw new Error('Vault backend not configured: VAULT_ADDR is not set');
|
|
165
|
+
}
|
|
166
|
+
if (!this.token) {
|
|
167
|
+
throw new Error('Vault backend not configured: VAULT_TOKEN is not set');
|
|
168
|
+
}
|
|
169
|
+
}
|
|
170
|
+
async request(method, url, body) {
|
|
171
|
+
const controller = new AbortController();
|
|
172
|
+
const timeout = setTimeout(() => controller.abort(), REQUEST_TIMEOUT_MS);
|
|
173
|
+
try {
|
|
174
|
+
const headers = {
|
|
175
|
+
'X-Vault-Token': this.token,
|
|
176
|
+
'User-Agent': 'secretless-ai/1.0',
|
|
177
|
+
};
|
|
178
|
+
const init = {
|
|
179
|
+
method,
|
|
180
|
+
headers,
|
|
181
|
+
signal: controller.signal,
|
|
182
|
+
};
|
|
183
|
+
if (body !== undefined) {
|
|
184
|
+
headers['Content-Type'] = 'application/json';
|
|
185
|
+
init.body = JSON.stringify(body);
|
|
186
|
+
}
|
|
187
|
+
return await fetch(url, init);
|
|
188
|
+
}
|
|
189
|
+
finally {
|
|
190
|
+
clearTimeout(timeout);
|
|
191
|
+
}
|
|
192
|
+
}
|
|
193
|
+
}
|
|
194
|
+
exports.VaultBackend = VaultBackend;
|
|
195
|
+
//# sourceMappingURL=vault.js.map
|
|
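Review bot: `store`, `delete` and `listPrefix` interpolate the caller-supplied `key` and `prefix` (and each key returned by LIST) straight into the request path, as in `${this.addr}/v1/${this.mountPath}/data/${key}`, and `request` attaches `X-Vault-Token` to whatever URL results. A value containing `..`, `?` or `#` changes which Vault endpoint receives the token-bearing request, so split on `/`, apply `encodeURIComponent` to each segment and reject `.` and `..` before building the URL. Separately, `listPrefix` returns `{}` for any non-OK LIST response and silently skips any per-key read that is not OK, so a 403 or 5xx looks the same as an empty prefix; throwing, as the direct read path does with `Vault: read failed (HTTP ...)`, would keep permission and availability errors visible. `healthCheck` also hard-codes a 5000 ms timeout where `request` uses `REQUEST_TIMEOUT_MS`.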
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"vault.js","sourceRoot":"","sources":["../../src/backends/vault.ts"],"names":[],"mappings":";AAAA;;;;;;;;GAQG;;;AAIH,MAAM,kBAAkB,GAAG,QAAQ,CAAC;AACpC,MAAM,kBAAkB,GAAG,KAAM,CAAC;AAWlC,MAAa,YAAY;IAOvB,YAAY,MAAqD;QANxD,SAAI,GAAG,OAAO,CAAC;QAOtB,MAAM,CAAC,GAAG,CAAC,MAAM,IAAI,EAAE,CAAuB,CAAC;QAC/C,IAAI,CAAC,IAAI,GAAG,CAAC,CAAC,CAAC,IAAI,IAAI,OAAO,CAAC,GAAG,CAAC,UAAU,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QACxE,IAAI,CAAC,KAAK,GAAG,CAAC,CAAC,KAAK,IAAI,OAAO,CAAC,GAAG,CAAC,WAAW,IAAI,EAAE,CAAC;QACtD,IAAI,CAAC,SAAS,GAAG,CAAC,CAAC,SAAS,IAAI,kBAAkB,CAAC;IACrD,CAAC;IAED;;;;;;OAMG;IACH,KAAK,CAAC,OAAO,CAAC,IAAY;QACxB,IAAI,CAAC,gBAAgB,EAAE,CAAC;QAExB,wBAAwB;QACxB,MAAM,OAAO,GAAG,GAAG,IAAI,CAAC,IAAI,OAAO,IAAI,CAAC,SAAS,SAAS,IAAI,EAAE,CAAC;QACjE,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;QAExD,IAAI,YAAY,CAAC,EAAE,EAAE,CAAC;YACpB,MAAM,IAAI,GAAG,MAAM,YAAY,CAAC,IAAI,EAEnC,CAAC;YACF,MAAM,KAAK,GAAG,IAAI,CAAC,IAAI,EAAE,IAAI,EAAE,KAAK,CAAC;YACrC,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;gBACxB,OAAO,EAAE,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,CAAC;YAC3B,CAAC;YACD,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,IAAI,YAAY,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAChC,MAAM,IAAI,KAAK,CAAC,qCAAqC,IAAI,GAAG,CAAC,CAAC;QAChE,CAAC;QAED,2DAA2D;QAC3D,IAAI,YAAY,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAChC,OAAO,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;QAC/B,CAAC;QAED,MAAM,IAAI,KAAK,CAAC,4BAA4B,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC;IACtE,CAAC;IAED;;;OAGG;IACK,KAAK,CAAC,UAAU,CAAC,MAAc;QACrC,MAAM,OAAO,GAAG,GAAG,IAAI,CAAC,IAAI,OAAO,IAAI,CAAC,SAAS,aAAa,MAAM,EAAE,CAAC;QACvE,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QAEzD,IAAI,YAAY,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAChC,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,IAAI,CAAC,YAAY,CAAC,EAAE,EAAE,CAAC;YACrB,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,YAAY,CAAC,IAAI,EAEvC,CAAC;QAEF,MAAM,IAAI,GAAG,QAAQ,CAAC,IAAI,EAAE,IAAI,IAAI,EAAE,CAAC;QACvC,MAAM,OAAO,GAA2B,EAAE,CAAC;QAE3C,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;YACvB,mCAAmC;YACnC,IAAI,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC;gBAAE,SAA
S;YAEhC,MAAM,QAAQ,GAAG,GAAG,MAAM,IAAI,GAAG,EAAE,CAAC;YACpC,MAAM,OAAO,GAAG,GAAG,IAAI,CAAC,IAAI,OAAO,IAAI,CAAC,SAAS,SAAS,QAAQ,EAAE,CAAC;YACrE,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;YAExD,IAAI,YAAY,CAAC,EAAE,EAAE,CAAC;gBACpB,MAAM,IAAI,GAAG,MAAM,YAAY,CAAC,IAAI,EAEnC,CAAC;gBACF,MAAM,KAAK,GAAG,IAAI,CAAC,IAAI,EAAE,IAAI,EAAE,KAAK,CAAC;gBACrC,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;oBACxB,OAAO,CAAC,QAAQ,CAAC,GAAG,KAAK,CAAC;gBAC5B,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,KAAK,CAAC,KAAK,CAAC,GAAW,EAAE,KAAa;QACpC,IAAI,CAAC,gBAAgB,EAAE,CAAC;QAExB,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,IAAI,OAAO,IAAI,CAAC,SAAS,SAAS,GAAG,EAAE,CAAC;QAC5D,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,GAAG,EAAE;YAC/C,IAAI,EAAE,EAAE,KAAK,EAAE;SAChB,CAAC,CAAC;QAEH,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,MAAM,IAAI,KAAK,CAAC,qCAAqC,GAAG,GAAG,CAAC,CAAC;QAC/D,CAAC;QAED,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,6BAA6B,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC;QACnE,CAAC;IACH,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,GAAW;QACtB,IAAI,CAAC,gBAAgB,EAAE,CAAC;QAExB,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,IAAI,OAAO,IAAI,CAAC,SAAS,SAAS,GAAG,EAAE,CAAC;QAC5D,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;QAEnD,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,OAAO,KAAK,CAAC;QACf,CAAC;QAED,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,MAAM,IAAI,KAAK,CAAC,sCAAsC,GAAG,GAAG,CAAC,CAAC;QAChE,CAAC;QAED,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,IAAI,QAAQ,CAAC,EAAE,EAAE,CAAC;YAC3C,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,IAAI,KAAK,CAAC,8BAA8B,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC;IACpE,CAAC;IAED,KAAK,CAAC,WAAW;QACf,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;YACf,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,EAAE,OAAO,EAAE,2BAA2B,EAAE,CAAC;QAChF,CAAC;QAED,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAEzB,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,IAAI,gBAAgB,CAAC;YACzC,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;YACzC,MAAM,OAAO,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,IAAI,CAAC,CAAC;YAE3D,IAAI,CAAC;gBACH,MAAM,QAAQ,GAAG,MAA
M,KAAK,CAAC,GAAG,EAAE;oBAChC,MAAM,EAAE,KAAK;oBACb,OAAO,EAAE,EAAE,YAAY,EAAE,mBAAmB,EAAE;oBAC9C,MAAM,EAAE,UAAU,CAAC,MAAM;iBAC1B,CAAC,CAAC;gBAEH,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC;gBAErC,sCAAsC;gBACtC,sCAAsC;gBACtC,0BAA0B;gBAC1B,4CAA4C;gBAC5C,4BAA4B;gBAC5B,wBAAwB;gBACxB,eAAe;gBACf,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;oBAC5B,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,kBAAkB,EAAE,CAAC;gBACnE,CAAC;gBAED,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;oBAClF,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,mCAAmC,QAAQ,CAAC,MAAM,GAAG,EAAE,CAAC;gBACtG,CAAC;gBAED,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;oBAC5B,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,OAAO,EAAE,iBAAiB,EAAE,CAAC;gBACnE,CAAC;gBAED,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;oBAC5B,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,OAAO,EAAE,0BAA0B,EAAE,CAAC;gBAC5E,CAAC;gBAED,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,OAAO,EAAE,oCAAoC,QAAQ,CAAC,MAAM,EAAE,EAAE,CAAC;YACvG,CAAC;oBAAS,CAAC;gBACT,YAAY,CAAC,OAAO,CAAC,CAAC;YACxB,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK;gBAC7B,OAAO,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,mBAAmB;aAClE,CAAC;QACJ,CAAC;IACH,CAAC;IAEO,gBAAgB;QACtB,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,CAAC,qDAAqD,CAAC,CAAC;QACzE,CAAC;QACD,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;YAChB,MAAM,IAAI,KAAK,CAAC,sDAAsD,CAAC,CAAC;QAC1E,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,OAAO,CACnB,MAAc,EACd,GAAW,EACX,IAAc;QAEd,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;QACzC,MAAM,OAAO,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,kBAAkB,CAAC,CAAC;QAEzE,IAAI,CAAC;YACH,MAAM,OAAO,GAA2B;gBACtC,eAAe,EAAE,IAAI,CAAC,KAAK;gBAC3B,YAAY,EAAE,mBAAmB;aAClC,CAAC;YAEF,MAAM,IAAI,GAAgB;gBACxB,MAAM;gBACN,OAAO;gBACP,MAAM,EAAE,UAAU,CAAC,MAAM;aAC1B,CAAC;YAEF,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;gBACvB,OAAO,CAAC,cAAc,CAAC,GAAG,kBAAkB,CAAC;gBAC7C,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;
YACnC,CAAC;YAED,OAAO,MAAM,KAAK,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;QAChC,CAAC;gBAAS,CAAC;YACT,YAAY,CAAC,OAAO,CAAC,CAAC;QACxB,CAAC;IACH,CAAC;CACF;AAtOD,oCAsOC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"policy.d.ts","sourceRoot":"","sources":["../../src/broker/policy.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAKH,OAAO,KAAK,EAAE,UAAU,EAAqB,aAAa,EAAE,MAAM,SAAS,CAAC;AAC5E,OAAO,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;
|
|
1
|
+
{"version":3,"file":"policy.d.ts","sourceRoot":"","sources":["../../src/broker/policy.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAKH,OAAO,KAAK,EAAE,UAAU,EAAqB,aAAa,EAAE,MAAM,SAAS,CAAC;AAC5E,OAAO,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAK7C,MAAM,WAAW,gBAAgB;IAC/B,sCAAsC;IACtC,OAAO,EAAE,OAAO,CAAC;IACjB,gEAAgE;IAChE,aAAa,EAAE,MAAM,CAAC;IACtB,8CAA8C;IAC9C,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,qBAAa,YAAY;IACvB,OAAO,CAAC,KAAK,CAAoB;IACjC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAc;IAC1C,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAS;gBAExB,OAAO,CAAC,EAAE;QAAE,UAAU,CAAC,EAAE,MAAM,CAAC;QAAC,WAAW,CAAC,EAAE,WAAW,CAAA;KAAE;IAKxE;;;OAGG;IACH,YAAY,IAAI,MAAM;IAwBtB;;OAEG;IACH,SAAS,CAAC,KAAK,EAAE,UAAU,EAAE,GAAG,IAAI;IAIpC;;;;;;;OAOG;IACH,QAAQ,CACN,OAAO,EAAE,MAAM,EACf,cAAc,EAAE,MAAM,EACtB,aAAa,CAAC,EAAE,aAAa,GAC5B,gBAAgB;IAmDnB,yCAAyC;IACzC,IAAI,SAAS,IAAI,MAAM,CAEtB;IAED,sCAAsC;IACtC,QAAQ,IAAI,UAAU,EAAE;IAIxB,OAAO,CAAC,gBAAgB;CAyEzB;AAED;;;GAGG;AACH,wBAAgB,SAAS,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAYjE;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CActE"}
|
package/dist/broker/policy.js
CHANGED
|
@@ -47,6 +47,7 @@ const fs = __importStar(require("fs"));
|
|
|
47
47
|
const path = __importStar(require("path"));
|
|
48
48
|
const os = __importStar(require("os"));
|
|
49
49
|
const rate_limiter_1 = require("./rate-limiter");
|
|
50
|
+
const baselines_1 = require("../scope/baselines");
|
|
50
51
|
const DEFAULT_POLICY_FILE = path.join(os.homedir(), '.secretless-ai', 'broker-policies.json');
|
|
51
52
|
class PolicyEngine {
|
|
52
53
|
constructor(options) {
|
|
@@ -181,6 +182,17 @@ class PolicyEngine {
|
|
|
181
182
|
};
|
|
182
183
|
}
|
|
183
184
|
}
|
|
185
|
+
// Scope check
|
|
186
|
+
if (constraints.scopeCheck) {
|
|
187
|
+
const scopeResult = (0, baselines_1.compareToBaseline)(credentialName, '', []);
|
|
188
|
+
// Only enforce if a baseline exists (baselinePermissions > 0 means we have a baseline)
|
|
189
|
+
if (scopeResult.baselinePermissions.length > 0 && scopeResult.hasExpanded) {
|
|
190
|
+
return {
|
|
191
|
+
passed: false,
|
|
192
|
+
reason: `Credential scope has expanded since baseline (+${scopeResult.added.length} permissions)`,
|
|
193
|
+
};
|
|
194
|
+
}
|
|
195
|
+
}
|
|
184
196
|
// Capability check
|
|
185
197
|
if (constraints.requireCapability) {
|
|
186
198
|
if (!agentIdentity) {
|
|
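Review bot: the scope check calls `compareToBaseline(credentialName, '', [])` with an empty string and an empty array, so no current permission set is passed in at this call site; unless `compareToBaseline` looks up live permissions itself, `scopeResult.added` stays empty, `hasExpanded` is never true and the deny branch is unreachable. Pass the credential's current permissions into the comparison, or have the broker fetch them first. The check also fails open when no baseline exists, because `baselinePermissions.length > 0` is required to deny, so a rule with `scopeCheck: true` silently allows a credential that was never baselined; consider denying in that case or at least surfacing it in the returned `reason`. The inline comment says `baselinePermissions > 0` where the code tests `.length > 0`.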
@@ -285,6 +297,9 @@ function validateRule(raw) {
|
|
|
285
297
|
if (typeof c.requireCapability === 'string') {
|
|
286
298
|
constraints.requireCapability = c.requireCapability;
|
|
287
299
|
}
|
|
300
|
+
if (typeof c.scopeCheck === 'boolean') {
|
|
301
|
+
constraints.scopeCheck = c.scopeCheck;
|
|
302
|
+
}
|
|
288
303
|
}
|
|
289
304
|
return {
|
|
290
305
|
id: r.id,
|
|
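Review bot: in `validateRule`, a `scopeCheck` that is present but not a boolean (for example the string `"true"`) is dropped without error, so the rule loads with no scope constraint and the policy author gets no signal. Since this is a deny-side control, throw on a non-boolean value when the key is present rather than ignoring it.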
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"policy.js","sourceRoot":"","sources":["../../src/broker/policy.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|
1
|
+
{"version":3,"file":"policy.js","sourceRoot":"","sources":["../../src/broker/policy.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAyNH,8BAYC;AAMD,gDAcC;AAvPD,uCAAyB;AACzB,2CAA6B;AAC7B,uCAAyB;AAEzB,iDAA6C;AAC7C,kDAAuD;AAEvD,MAAM,mBAAmB,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,gBAAgB,EAAE,sBAAsB,CAAC,CAAC;AAW9F,MAAa,YAAY;IAKvB,YAAY,OAA4D;QAJhE,UAAK,GAAiB,EAAE,CAAC;QAK/B,IAAI,CAAC,UAAU,GAAG,OAAO,EAAE,UAAU,IAAI,mBAAmB,CAAC;QAC7D,IAAI,CAAC,WAAW,GAAG,OAAO,EAAE,WAAW,IAAI,IAAI,0BAAW,EAAE,CAAC;IAC/D,CAAC;IAED;;;OAGG;IACH,YAAY;QACV,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC;YACpC,IAAI,CAAC,KAAK,GAAG,EAAE,CAAC;YAChB,OAAO,CAAC,CAAC;QACX,CAAC;QAED,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;YACtD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAE/B,4DAA4D;YAC5D,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;YAC5D,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC1B,MAAM,IAAI,KAAK,CAAC,6DAA6D,CAAC,CAAC;YACjF,CAAC;YAED,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,CAAU,EAAE,EAAE,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC;YACxD,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC;QAC3B,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACjE,MAAM,IAAI,KAAK,CAAC,gCAAgC,IAAI,CAAC,UAAU,KAAK,OAAO,EAAE,CAAC,CAAC;QACjF,CAAC;IACH,CAAC;IAED;;OAEG;IACH,SAAS,CAAC,KAAmB;QAC3B,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC;IAC1C,CAAC;IAED;;;;;;;OAOG;IACH,QAAQ,CACN,OAAe,EACf,cAAsB,EACtB,aAA6B;QAE7B,kCAAkC;QAClC,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YAC9B,IAAI,IAAI,CAAC,MAAM,KAAK,MAAM;gBAAE,SAAS;YACrC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,aAAa,EAAE,OAAO,CAAC;gBAAE,SAAS;YACtD,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,kBAAkB,EAAE,cAAc,CAAC;gBAAE,SAAS;YAElE,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,aAAa,EAAE,IAAI,CAAC,EAAE;gBACtB,MAAM,EAAE,mBAAmB,IAAI,CAA
C,EAAE,GAAG;aACtC,CAAC;QACJ,CAAC;QAED,6BAA6B;QAC7B,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YAC9B,IAAI,IAAI,CAAC,MAAM,KAAK,OAAO;gBAAE,SAAS;YACtC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,aAAa,EAAE,OAAO,CAAC;gBAAE,SAAS;YACtD,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,kBAAkB,EAAE,cAAc,CAAC;gBAAE,SAAS;YAElE,oBAAoB;YACpB,MAAM,gBAAgB,GAAG,IAAI,CAAC,gBAAgB,CAC5C,IAAI,CAAC,WAAW,EAChB,OAAO,EACP,cAAc,EACd,aAAa,CACd,CAAC;YAEF,IAAI,CAAC,gBAAgB,CAAC,MAAM,EAAE,CAAC;gBAC7B,OAAO;oBACL,OAAO,EAAE,KAAK;oBACd,aAAa,EAAE,IAAI,CAAC,EAAE;oBACtB,MAAM,EAAE,gBAAgB,CAAC,MAAM;iBAChC,CAAC;YACJ,CAAC;YAED,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,aAAa,EAAE,IAAI,CAAC,EAAE;gBACtB,MAAM,EAAE,oBAAoB,IAAI,CAAC,EAAE,GAAG;aACvC,CAAC;QACJ,CAAC;QAED,wBAAwB;QACxB,OAAO;YACL,OAAO,EAAE,KAAK;YACd,aAAa,EAAE,EAAE;YACjB,MAAM,EAAE,uCAAuC;SAChD,CAAC;IACJ,CAAC;IAED,yCAAyC;IACzC,IAAI,SAAS;QACX,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC;IAC3B,CAAC;IAED,sCAAsC;IACtC,QAAQ;QACN,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC;IACzC,CAAC;IAEO,gBAAgB,CACtB,WAA8B,EAC9B,OAAe,EACf,cAAsB,EACtB,aAA6B;QAE7B,oBAAoB;QACpB,IAAI,WAAW,CAAC,UAAU,EAAE,CAAC;YAC3B,IAAI,CAAC,kBAAkB,CAAC,WAAW,CAAC,UAAU,CAAC,KAAK,EAAE,WAAW,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;gBAClF,OAAO;oBACL,MAAM,EAAE,KAAK;oBACb,MAAM,EAAE,gCAAgC,WAAW,CAAC,UAAU,CAAC,KAAK,IAAI,WAAW,CAAC,UAAU,CAAC,GAAG,GAAG;iBACtG,CAAC;YACJ,CAAC;QACH,CAAC;QAED,mBAAmB;QACnB,IAAI,WAAW,CAAC,SAAS,EAAE,CAAC;YAC1B,MAAM,GAAG,GAAG,GAAG,OAAO,IAAI,cAAc,EAAE,CAAC;YAC3C,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,GAAG,EAAE,WAAW,CAAC,SAAS,CAAC,YAAY,CAAC,EAAE,CAAC;gBACrE,OAAO;oBACL,MAAM,EAAE,KAAK;oBACb,MAAM,EAAE,wBAAwB,WAAW,CAAC,SAAS,CAAC,YAAY,OAAO;iBAC1E,CAAC;YACJ,CAAC;QACH,CAAC;QAED,oBAAoB;QACpB,IAAI,WAAW,CAAC,aAAa,KAAK,SAAS,EAAE,CAAC;YAC5C,IAAI,CAAC,aAAa,EAAE,CAAC;gBACnB,OAAO;oBACL,MAAM,EAAE,KAAK;oBACb,MAAM,EAAE,6BAA6B,WAAW,CAAC,aAAa,mCAAmC;iBAClG,CAAC;YACJ,CAAC;YACD,IAAI,aAAa,CAAC,UAAU,GAAG,WAAW,CAAC,aAAa,EAAE,CAAC;gBACzD,OAAO;oBACL,MAAM,EAAE,KAAK;oBACb,MAAM,EAAE,eAAe,aAAa,CAAC,UAAU,kBAAkB,WAAW,CAAC,a
AAa,EAAE;iBAC7F,CAAC;YACJ,CAAC;QACH,CAAC;QAED,cAAc;QACd,IAAI,WAAW,CAAC,UAAU,EAAE,CAAC;YAC3B,MAAM,WAAW,GAAG,IAAA,6BAAiB,EAAC,cAAc,EAAE,EAAE,EAAE,EAAE,CAAC,CAAC;YAC9D,uFAAuF;YACvF,IAAI,WAAW,CAAC,mBAAmB,CAAC,MAAM,GAAG,CAAC,IAAI,WAAW,CAAC,WAAW,EAAE,CAAC;gBAC1E,OAAO;oBACL,MAAM,EAAE,KAAK;oBACb,MAAM,EAAE,kDAAkD,WAAW,CAAC,KAAK,CAAC,MAAM,eAAe;iBAClG,CAAC;YACJ,CAAC;QACH,CAAC;QAED,mBAAmB;QACnB,IAAI,WAAW,CAAC,iBAAiB,EAAE,CAAC;YAClC,IAAI,CAAC,aAAa,EAAE,CAAC;gBACnB,OAAO;oBACL,MAAM,EAAE,KAAK;oBACb,MAAM,EAAE,eAAe,WAAW,CAAC,iBAAiB,4CAA4C;iBACjG,CAAC;YACJ,CAAC;YACD,IAAI,CAAC,aAAa,CAAC,YAAY,CAAC,QAAQ,CAAC,WAAW,CAAC,iBAAiB,CAAC,EAAE,CAAC;gBACxE,OAAO;oBACL,MAAM,EAAE,KAAK;oBACb,MAAM,EAAE,oCAAoC,WAAW,CAAC,iBAAiB,GAAG;iBAC7E,CAAC;YACJ,CAAC;QACH,CAAC;QAED,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC;IACtC,CAAC;CACF;AA/LD,oCA+LC;AAED;;;GAGG;AACH,SAAgB,SAAS,CAAC,OAAe,EAAE,KAAa;IACtD,IAAI,OAAO,KAAK,GAAG;QAAE,OAAO,IAAI,CAAC;IACjC,IAAI,OAAO,KAAK,KAAK;QAAE,OAAO,IAAI,CAAC;IAEnC,oEAAoE;IACpE,MAAM,OAAO,GAAG,OAAO;SACpB,OAAO,CAAC,mBAAmB,EAAE,MAAM,CAAC;SACpC,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC;SACpB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IAEvB,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,IAAI,OAAO,GAAG,CAAC,CAAC;IACzC,OAAO,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;AAC3B,CAAC;AAED;;;GAGG;AACH,SAAgB,kBAAkB,CAAC,KAAa,EAAE,GAAW;IAC3D,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;IACvB,MAAM,cAAc,GAAG,GAAG,CAAC,QAAQ,EAAE,GAAG,EAAE,GAAG,GAAG,CAAC,UAAU,EAAE,CAAC;IAE9D,MAAM,YAAY,GAAG,kBAAkB,CAAC,KAAK,CAAC,CAAC;IAC/C,MAAM,UAAU,GAAG,kBAAkB,CAAC,GAAG,CAAC,CAAC;IAE3C,IAAI,YAAY,IAAI,UAAU,EAAE,CAAC;QAC/B,oCAAoC;QACpC,OAAO,cAAc,IAAI,YAAY,IAAI,cAAc,IAAI,UAAU,CAAC;IACxE,CAAC;SAAM,CAAC;QACN,uCAAuC;QACvC,OAAO,cAAc,IAAI,YAAY,IAAI,cAAc,IAAI,UAAU,CAAC;IACxE,CAAC;AACH,CAAC;AAED,SAAS,kBAAkB,CAAC,IAAY;IACtC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC9B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CAAC,yBAAyB,IAAI,mBAAmB,CAAC,CAAC;IACpE,CAAC;IACD,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IACrC,MAAM,OAAO,GAAG,QAAQ
,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IACvC,IAAI,KAAK,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,KAAK,GAAG,CAAC,IAAI,KAAK,GAAG,EAAE,IAAI,OAAO,GAAG,CAAC,IAAI,OAAO,GAAG,EAAE,EAAE,CAAC;QAC7F,MAAM,IAAI,KAAK,CAAC,wBAAwB,IAAI,GAAG,CAAC,CAAC;IACnD,CAAC;IACD,OAAO,KAAK,GAAG,EAAE,GAAG,OAAO,CAAC;AAC9B,CAAC;AAED,SAAS,YAAY,CAAC,GAAY;IAChC,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QACpC,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;IACnD,CAAC;IAED,MAAM,CAAC,GAAG,GAA8B,CAAC;IAEzC,IAAI,OAAO,CAAC,CAAC,EAAE,KAAK,QAAQ,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,KAAK,CAAC,+CAA+C,CAAC,CAAC;IACnE,CAAC;IACD,IAAI,OAAO,CAAC,CAAC,aAAa,KAAK,QAAQ,EAAE,CAAC;QACxC,MAAM,IAAI,KAAK,CAAC,SAAS,CAAC,CAAC,EAAE,mCAAmC,CAAC,CAAC;IACpE,CAAC;IACD,IAAI,OAAO,CAAC,CAAC,kBAAkB,KAAK,QAAQ,EAAE,CAAC;QAC7C,MAAM,IAAI,KAAK,CAAC,SAAS,CAAC,CAAC,EAAE,wCAAwC,CAAC,CAAC;IACzE,CAAC;IACD,IAAI,CAAC,CAAC,MAAM,KAAK,OAAO,IAAI,CAAC,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;QAChD,MAAM,IAAI,KAAK,CAAC,SAAS,CAAC,CAAC,EAAE,qCAAqC,CAAC,CAAC;IACtE,CAAC;IAED,MAAM,WAAW,GAAsB,EAAE,CAAC;IAC1C,IAAI,CAAC,CAAC,WAAW,IAAI,OAAO,CAAC,CAAC,WAAW,KAAK,QAAQ,EAAE,CAAC;QACvD,MAAM,CAAC,GAAG,CAAC,CAAC,WAAsC,CAAC;QAEnD,IAAI,CAAC,CAAC,UAAU,IAAI,OAAO,CAAC,CAAC,UAAU,KAAK,QAAQ,EAAE,CAAC;YACrD,MAAM,EAAE,GAAG,CAAC,CAAC,UAAqC,CAAC;YACnD,IAAI,OAAO,EAAE,CAAC,KAAK,KAAK,QAAQ,IAAI,OAAO,EAAE,CAAC,GAAG,KAAK,QAAQ,EAAE,CAAC;gBAC/D,WAAW,CAAC,UAAU,GAAG,EAAE,KAAK,EAAE,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE,CAAC,GAAG,EAAE,CAAC;YAC5D,CAAC;QACH,CAAC;QAED,IAAI,CAAC,CAAC,SAAS,IAAI,OAAO,CAAC,CAAC,SAAS,KAAK,QAAQ,EAAE,CAAC;YACnD,MAAM,EAAE,GAAG,CAAC,CAAC,SAAoC,CAAC;YAClD,IAAI,OAAO,EAAE,CAAC,YAAY,KAAK,QAAQ,IAAI,EAAE,CAAC,YAAY,GAAG,CAAC,EAAE,CAAC;gBAC/D,WAAW,CAAC,SAAS,GAAG,EAAE,YAAY,EAAE,EAAE,CAAC,YAAY,EAAE,CAAC;YAC5D,CAAC;QACH,CAAC;QAED,IAAI,OAAO,CAAC,CAAC,aAAa,KAAK,QAAQ,EAAE,CAAC;YACxC,WAAW,CAAC,aAAa,GAAG,CAAC,CAAC,aAAa,CAAC;QAC9C,CAAC;QAED,IAAI,OAAO,CAAC,CAAC,iBAAiB,KAAK,QAAQ,EAAE,CAAC;YAC5C,WAAW,CAAC,iBAAiB,GAAG,CAAC,CAAC,iBAAiB,CAAC;QACtD,CAAC;QAED,IAAI,OAAO,CAAC,CAAC,UAAU,KAAK,S
AAS,EAAE,CAAC;YACtC,WAAW,CAAC,UAAU,GAAG,CAAC,CAAC,UAAU,CAAC;QACxC,CAAC;IACH,CAAC;IAED,OAAO;QACL,EAAE,EAAE,CAAC,CAAC,EAAE;QACR,aAAa,EAAE,CAAC,CAAC,aAAa;QAC9B,kBAAkB,EAAE,CAAC,CAAC,kBAAkB;QACxC,WAAW;QACX,MAAM,EAAE,CAAC,CAAC,MAAM;KACjB,CAAC;AACJ,CAAC"}
|
package/dist/broker/types.d.ts
CHANGED
|
@@ -59,6 +59,8 @@ export interface PolicyConstraints {
|
|
|
59
59
|
minTrustScore?: number;
|
|
60
60
|
/** AIM capability the agent must possess. */
|
|
61
61
|
requireCapability?: string;
|
|
62
|
+
/** Block if credential scope has expanded beyond baseline. */
|
|
63
|
+
scopeCheck?: boolean;
|
|
62
64
|
}
|
|
63
65
|
/** Audit log entry for credential access attempts. */
|
|
64
66
|
export interface AuditEntry {
|
|
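Review bot: the doc comment on `scopeCheck` says access is blocked when credential scope has expanded beyond baseline, but it does not say what happens when no baseline has been recorded for the credential. State the no-baseline behaviour in the comment so policy authors know whether `scopeCheck: true` is enforced before a baseline exists.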
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/broker/types.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,mCAAmC;AACnC,MAAM,WAAW,YAAY;IAC3B,qEAAqE;IACrE,UAAU,EAAE,MAAM,CAAC;IACnB,0DAA0D;IAC1D,QAAQ,EAAE,MAAM,CAAC;IACjB,gEAAgE;IAChE,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,0EAA0E;IAC1E,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,oEAAoE;IACpE,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,mDAAmD;AACnD,MAAM,WAAW,cAAc;IAC7B,6DAA6D;IAC7D,OAAO,EAAE,MAAM,CAAC;IAChB,yCAAyC;IACzC,cAAc,EAAE,MAAM,CAAC;CACxB;AAED,sCAAsC;AACtC,MAAM,WAAW,eAAe;IAC9B,iCAAiC;IACjC,KAAK,EAAE,MAAM,CAAC;IACd,0DAA0D;IAC1D,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,iDAAiD;AACjD,MAAM,WAAW,UAAU;IACzB,8BAA8B;IAC9B,EAAE,EAAE,MAAM,CAAC;IACX,wEAAwE;IACxE,aAAa,EAAE,MAAM,CAAC;IACtB,0EAA0E;IAC1E,kBAAkB,EAAE,MAAM,CAAC;IAC3B,wDAAwD;IACxD,WAAW,EAAE,iBAAiB,CAAC;IAC/B,iDAAiD;IACjD,MAAM,EAAE,OAAO,GAAG,MAAM,CAAC;CAC1B;AAED,6CAA6C;AAC7C,MAAM,WAAW,iBAAiB;IAChC,wFAAwF;IACxF,UAAU,CAAC,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,GAAG,EAAE,MAAM,CAAA;KAAE,CAAC;IAC5C,iDAAiD;IACjD,SAAS,CAAC,EAAE;QAAE,YAAY,EAAE,MAAM,CAAA;KAAE,CAAC;IACrC,sDAAsD;IACtD,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,6CAA6C;IAC7C,iBAAiB,CAAC,EAAE,MAAM,CAAC;
|
|
1
|
+
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/broker/types.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,mCAAmC;AACnC,MAAM,WAAW,YAAY;IAC3B,qEAAqE;IACrE,UAAU,EAAE,MAAM,CAAC;IACnB,0DAA0D;IAC1D,QAAQ,EAAE,MAAM,CAAC;IACjB,gEAAgE;IAChE,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,0EAA0E;IAC1E,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,oEAAoE;IACpE,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,mDAAmD;AACnD,MAAM,WAAW,cAAc;IAC7B,6DAA6D;IAC7D,OAAO,EAAE,MAAM,CAAC;IAChB,yCAAyC;IACzC,cAAc,EAAE,MAAM,CAAC;CACxB;AAED,sCAAsC;AACtC,MAAM,WAAW,eAAe;IAC9B,iCAAiC;IACjC,KAAK,EAAE,MAAM,CAAC;IACd,0DAA0D;IAC1D,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,iDAAiD;AACjD,MAAM,WAAW,UAAU;IACzB,8BAA8B;IAC9B,EAAE,EAAE,MAAM,CAAC;IACX,wEAAwE;IACxE,aAAa,EAAE,MAAM,CAAC;IACtB,0EAA0E;IAC1E,kBAAkB,EAAE,MAAM,CAAC;IAC3B,wDAAwD;IACxD,WAAW,EAAE,iBAAiB,CAAC;IAC/B,iDAAiD;IACjD,MAAM,EAAE,OAAO,GAAG,MAAM,CAAC;CAC1B;AAED,6CAA6C;AAC7C,MAAM,WAAW,iBAAiB;IAChC,wFAAwF;IACxF,UAAU,CAAC,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,GAAG,EAAE,MAAM,CAAA;KAAE,CAAC;IAC5C,iDAAiD;IACjD,SAAS,CAAC,EAAE;QAAE,YAAY,EAAE,MAAM,CAAA;KAAE,CAAC;IACrC,sDAAsD;IACtD,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,6CAA6C;IAC7C,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,8DAA8D;IAC9D,UAAU,CAAC,EAAE,OAAO,CAAC;CACtB;AAED,sDAAsD;AACtD,MAAM,WAAW,UAAU;IACzB,0BAA0B;IAC1B,SAAS,EAAE,MAAM,CAAC;IAClB,mEAAmE;IACnE,SAAS,EAAE,MAAM,CAAC;IAClB,mCAAmC;IACnC,OAAO,EAAE,MAAM,CAAC;IAChB,qCAAqC;IACrC,cAAc,EAAE,MAAM,CAAC;IACvB,oDAAoD;IACpD,QAAQ,EAAE,MAAM,CAAC;IACjB,iDAAiD;IACjD,MAAM,EAAE,SAAS,GAAG,QAAQ,CAAC;IAC7B,8CAA8C;IAC9C,MAAM,EAAE,MAAM,CAAC;IACf,+CAA+C;IAC/C,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,mEAAmE;AACnE,MAAM,WAAW,aAAa;IAC5B,wBAAwB;IACxB,OAAO,EAAE,MAAM,CAAC;IAChB,yCAAyC;IACzC,UAAU,EAAE,MAAM,CAAC;IACnB,4CAA4C;IAC5C,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,4CAA4C;IAC5C,QAAQ,EAAE,OAAO,CAAC;CACnB;AAED,4BAA4B;AAC5B,MAAM,WAAW,YAAY;IAC3B,yCAAyC;IACzC,OAAO,EAAE,OAAO,CAAC;IACjB,gCAAgC;IAChC,aAAa,EAAE,MAAM,CAAC;IACtB,gDAAgD;IAChD,YAAY,EAAE,MAAM,CAAC;IACrB,4CAA4C;IAC5C,YAAY,EAAE,OAAO,CAAC;IACtB,gCAAgC;IAChC,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,2CA
A2C;AAC3C,MAAM,WAAW,YAAa,SAAQ,YAAY;IAChD,iCAAiC;IACjC,GAAG,EAAE,MAAM,CAAC;IACZ,2BAA2B;IAC3B,SAAS,EAAE,MAAM,CAAC;IAClB,8CAA8C;IAC9C,UAAU,EAAE,MAAM,CAAC;IACnB,4CAA4C;IAC5C,QAAQ,EAAE,MAAM,CAAC;CAClB"}
|