vaultkeeper 0.3.0 → 1.0.0

package/dist/index.cjs

@@ -5,6 +5,7 @@ var fs5 = require('fs/promises');
 var path5 = require('path');
 var os4 = require('os');
 var crypto4 = require('crypto');
+require('url');
 var fs4 = require('fs');
 var jose = require('jose');
 
@@ -162,6 +163,22 @@ var IdentityMismatchError = class extends VaultError {
     this.currentHash = currentHash;
   }
 };
+var InvalidAlgorithmError = class extends VaultError {
+  /**
+   * The algorithm that was requested.
+   */
+  algorithm;
+  /**
+   * The set of algorithms that are allowed.
+   */
+  allowed;
+  constructor(message, algorithm, allowed) {
+    super(message);
+    this.name = "InvalidAlgorithmError";
+    this.algorithm = algorithm;
+    this.allowed = allowed;
+  }
+};
 var SetupError = class extends VaultError {
   /**
    * The name of the dependency that caused the setup failure.
@@ -205,6 +222,7 @@ function isListableBackend(backend) {
 // src/backend/registry.ts
 var BackendRegistry = class {
   static backends = /* @__PURE__ */ new Map();
+  static setups = /* @__PURE__ */ new Map();
   /**
    * Register a backend factory.
    * @param type - Backend type identifier
@@ -217,7 +235,7 @@ var BackendRegistry = class {
    * Create a backend instance by type.
    * @param type - Backend type identifier
    * @returns A SecretBackend instance
-   * @throws Error if the backend type is not registered
+   * @throws {@link BackendUnavailableError} if the backend type is not registered
    */
   static create(type) {
     const factory = this.backends.get(type);
@@ -264,6 +282,46 @@ var BackendRegistry = class {
     );
     return results.filter((type) => type !== null);
   }
+  /**
+   * Register a setup factory for a backend type.
+   * @param type - Backend type identifier
+   * @param factory - Factory function that creates a setup generator
+   */
+  static registerSetup(type, factory) {
+    this.setups.set(type, factory);
+  }
+  /**
+   * Get the setup factory for a backend type, if one is registered.
+   * @param type - Backend type identifier
+   * @returns The setup factory, or `undefined` if none is registered
+   */
+  static getSetup(type) {
+    return this.setups.get(type);
+  }
+  /**
+   * Check whether a setup factory is registered for the given backend type.
+   * @param type - Backend type identifier
+   * @returns `true` if a setup factory is registered
+   */
+  static hasSetup(type) {
+    return this.setups.has(type);
+  }
+  /**
+   * Clear all registered backend factories.
+   * Intended for use in tests only.
+   * @internal
+   */
+  static clearBackends() {
+    this.backends.clear();
+  }
+  /**
+   * Clear all registered setup factories.
+   * Intended for use in tests only.
+   * @internal
+   */
+  static clearSetups() {
+    this.setups.clear();
+  }
 };
 async function execCommand(command, args, options) {
   const result = await execCommandFull(command, args);
@@ -513,6 +571,21 @@ function validateBackendEntry(entry, index) {
     }
     result.path = entry.path;
   }
+  if (entry.options !== void 0) {
+    if (!isObject(entry.options)) {
+      throw new Error(`backends[${String(index)}].options must be an object`);
+    }
+    const opts = {};
+    for (const [k, v] of Object.entries(entry.options)) {
+      if (typeof v !== "string") {
+        throw new Error(
+          `backends[${String(index)}].options["${k}"] must be a string`
+        );
+      }
+      opts[k] = v;
+    }
+    result.options = opts;
+  }
   return result;
 }
 function validateConfig(config) {
@@ -1016,6 +1089,55 @@ function createSecretAccessor(secretValue) {
   return proxy;
 }
 
+// src/access/sign-util.ts
+var ALLOWED_ALGORITHMS = /* @__PURE__ */ new Set(["sha256", "sha384", "sha512"]);
+function resolveAlgorithmForKey(key, override) {
+  const keyType = key.asymmetricKeyType;
+  if (keyType === "ed25519" || keyType === "ed448") {
+    return { signAlg: null, label: keyType };
+  }
+  const alg = (override ?? "sha256").toLowerCase();
+  if (!ALLOWED_ALGORITHMS.has(alg)) {
+    throw new InvalidAlgorithmError(
+      `Unsupported algorithm '${alg}'. Allowed: ${[...ALLOWED_ALGORITHMS].join(", ")}`,
+      alg,
+      [...ALLOWED_ALGORITHMS]
+    );
+  }
+  return { signAlg: alg, label: alg };
+}
+
+// src/access/delegated-sign.ts
+function delegatedSign(secretPem, request) {
+  const key = crypto4__namespace.createPrivateKey(secretPem);
+  const { signAlg, label } = resolveAlgorithmForKey(key, request.algorithm);
+  const data = Buffer.isBuffer(request.data) ? request.data : Buffer.from(request.data);
+  const signature = crypto4__namespace.sign(signAlg, data, key);
+  return {
+    signature: signature.toString("base64"),
+    algorithm: label
+  };
+}
+function delegatedVerify(request) {
+  let key;
+  try {
+    key = crypto4__namespace.createPublicKey(request.publicKey);
+  } catch {
+    return false;
+  }
+  if (typeof request.publicKey === "string" && request.publicKey.includes("PRIVATE KEY")) {
+    return false;
+  }
+  const { signAlg } = resolveAlgorithmForKey(key, request.algorithm);
+  const sig = Buffer.from(request.signature, "base64");
+  try {
+    const data = Buffer.isBuffer(request.data) ? request.data : Buffer.from(request.data);
+    return crypto4__namespace.verify(signAlg, data, key, sig);
+  } catch {
+    return false;
+  }
+}
+
 // src/doctor/checks.ts
 function parseVersion(raw) {
   const match = /(\d+)\.(\d+)\.(\d+)/.exec(raw);
@@ -1373,6 +1495,52 @@ var VaultKeeper = class _VaultKeeper {
     const claims = validateCapabilityToken(token);
     return createSecretAccessor(claims.val);
   }
+  /**
+   * Sign data using the private key embedded in a capability token.
+   *
+   * The signing key is extracted from the token's encrypted claims, used
+   * for a single `crypto.sign()` call, and never exposed to the caller.
+   * The algorithm is auto-detected from the key type unless overridden
+   * in the request.
+   *
+   * @param token - A `CapabilityToken` obtained from `authorize()`.
+   * @param request - The data to sign and optional algorithm override.
+   * @returns The base64-encoded signature and algorithm label, together
+   *   with the vault metadata (`vaultResponse`).
+   * @throws {VaultError} If `token` is invalid or was not created by this
+   *   vault instance.
+   * @throws {InvalidAlgorithmError} If `request.algorithm` is not in the
+   *   allowed set (e.g. `'md5'`).
+   */
+  async sign(token, request) {
+    const claims = validateCapabilityToken(token);
+    const result = delegatedSign(claims.val, request);
+    await Promise.resolve();
+    return {
+      result,
+      vaultResponse: { keyStatus: "current" }
+    };
+  }
+  /**
+   * Verify a signature using a public key.
+   *
+   * This is a static method — no VaultKeeper instance, secrets, or
+   * capability tokens are required. It is safe to call from CI or any
+   * context that has access to public key material.
+   *
+   * Returns `false` for invalid key material, malformed signatures, or
+   * any verification failure (except disallowed algorithms, which throw).
+   *
+   * @throws {InvalidAlgorithmError} If `request.algorithm` is not in the
+   *   allowed set (e.g. `'md5'`).
+   *
+   * @param request - The data, signature, public key, and optional
+   *   algorithm override.
+   * @returns `true` if the signature is valid, `false` otherwise.
+   */
+  static verify(request) {
+    return delegatedVerify(request);
+  }
   /**
    * Rotate the current encryption key.
    *
@@ -1497,6 +1665,7 @@ exports.CapabilityToken = CapabilityToken;
 exports.DeviceNotPresentError = DeviceNotPresentError;
 exports.FilesystemError = FilesystemError;
 exports.IdentityMismatchError = IdentityMismatchError;
+exports.InvalidAlgorithmError = InvalidAlgorithmError;
 exports.KeyRevokedError = KeyRevokedError;
 exports.KeyRotatedError = KeyRotatedError;
 exports.PluginNotFoundError = PluginNotFoundError;