vaultkeeper 0.5.0 → 0.5.2
- package/dist/index.cjs +31 -13
- package/dist/index.cjs.map +1 -1
- package/dist/index.d.cts +29 -2
- package/dist/index.d.ts +29 -2
- package/dist/index.js +31 -14
- package/dist/index.js.map +1 -1
- package/package.json +1 -1
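--- a/package/dist/index.d.cts
+++ b/package/dist/index.d.cts
@@ -650,7 +650,7 @@ declare class VaultKeeper {
 /** Run doctor checks without full initialization. */
 static doctor(): Promise<PreflightResult>;
 /**
-*
+* Retrieve a secret from the backend and return a JWE token that encapsulates it.
 *
 * @param secretName - Identifier for the secret
 * @param options - Setup options
@@ -793,4 +793,31 @@ declare class VaultKeeper {
 setDevelopmentMode(executablePath: string, enabled: boolean): Promise<void>;
 }
 
-
+/**
+* Platform detection utilities.
+*/
+/**
+* The OS platform identifier used for platform-specific behavior.
+* @public
+*/
+type Platform = 'darwin' | 'win32' | 'linux';
+
+/**
+* Doctor runner: orchestrates platform-appropriate checks and aggregates results.
+*/
+
+/**
+* Options for running the doctor.
+* @public
+*/
+interface RunDoctorOptions {
+/** Override the platform detection (useful for testing). */
+platform?: Platform;
+}
+/**
+* Run all platform-appropriate preflight checks and aggregate the results.
+* @public
+*/
+declare function runDoctor(options?: RunDoctorOptions): Promise<PreflightResult>;
+
+export { AuthorizationDeniedError, type BackendConfig, type BackendFactory, BackendLockedError, BackendRegistry, type BackendSetupFactory, BackendUnavailableError, CapabilityToken, DeviceNotPresentError, type ExecRequest, type ExecResult, type FetchRequest, FilesystemError, IdentityMismatchError, InvalidAlgorithmError, KeyRevokedError, KeyRotatedError, type KeyStatus, type ListableBackend, type Platform, PluginNotFoundError, type PreflightCheck, type PreflightCheckStatus, type PreflightResult, RotationInProgressError, type RunDoctorOptions, type SecretAccessor, type SecretBackend, SecretNotFoundError, type SetupChoice, SetupError, type SetupOptions, type SetupQuestion, type SetupResult, type SignRequest, type SignResult, TokenExpiredError, TokenRevokedError, type TrustTier, UsageLimitExceededError, type VaultConfig, VaultError, VaultKeeper, type VaultKeeperOptions, type VaultResponse, type VerifyRequest, isListableBackend, runDoctor };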
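Review bot: The context line `* @param options - Setup options` that now sits directly under the new summary `* Retrieve a secret from the backend and return a JWE token that encapsulates it.` reads as a leftover from a setup method's comment; the method it documents has its signature past the end of the hunk, so if that parameter is the retrieval options, change the line to `* @param options - Retrieval options (see the signature below)` and consider a `* @returns` line saying what the JWE token wraps, since this declaration file is the published API reference. The identical text appears in package/dist/index.d.ts. The new `RunDoctorOptions.platform` is exported as `@public` while its doc says `(useful for testing)`; state the consequence for callers explicitly, e.g. `/** Override the detected platform (testing only): the result then describes the requested platform, not the host running the check. */`.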
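--- a/package/dist/index.d.ts
+++ b/package/dist/index.d.ts
@@ -650,7 +650,7 @@ declare class VaultKeeper {
 /** Run doctor checks without full initialization. */
 static doctor(): Promise<PreflightResult>;
 /**
-*
+* Retrieve a secret from the backend and return a JWE token that encapsulates it.
 *
 * @param secretName - Identifier for the secret
 * @param options - Setup options
@@ -793,4 +793,31 @@ declare class VaultKeeper {
 setDevelopmentMode(executablePath: string, enabled: boolean): Promise<void>;
 }
 
-
+/**
+* Platform detection utilities.
+*/
+/**
+* The OS platform identifier used for platform-specific behavior.
+* @public
+*/
+type Platform = 'darwin' | 'win32' | 'linux';
+
+/**
+* Doctor runner: orchestrates platform-appropriate checks and aggregates results.
+*/
+
+/**
+* Options for running the doctor.
+* @public
+*/
+interface RunDoctorOptions {
+/** Override the platform detection (useful for testing). */
+platform?: Platform;
+}
+/**
+* Run all platform-appropriate preflight checks and aggregate the results.
+* @public
+*/
+declare function runDoctor(options?: RunDoctorOptions): Promise<PreflightResult>;
+
+export { AuthorizationDeniedError, type BackendConfig, type BackendFactory, BackendLockedError, BackendRegistry, type BackendSetupFactory, BackendUnavailableError, CapabilityToken, DeviceNotPresentError, type ExecRequest, type ExecResult, type FetchRequest, FilesystemError, IdentityMismatchError, InvalidAlgorithmError, KeyRevokedError, KeyRotatedError, type KeyStatus, type ListableBackend, type Platform, PluginNotFoundError, type PreflightCheck, type PreflightCheckStatus, type PreflightResult, RotationInProgressError, type RunDoctorOptions, type SecretAccessor, type SecretBackend, SecretNotFoundError, type SetupChoice, SetupError, type SetupOptions, type SetupQuestion, type SetupResult, type SignRequest, type SignResult, TokenExpiredError, TokenRevokedError, type TrustTier, UsageLimitExceededError, type VaultConfig, VaultError, VaultKeeper, type VaultKeeperOptions, type VaultResponse, type VerifyRequest, isListableBackend, runDoctor };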
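--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -1592,7 +1592,13 @@ function validateConfig(config) {
 if (typeof config.defaults.ttlMinutes !== "number" || config.defaults.ttlMinutes <= 0) {
 throw new Error("Config defaults.ttlMinutes must be a positive number");
 }
-
+let tier = config.defaults.trustTier;
+if (typeof tier === "string") {
+const parsed = Number(tier);
+if (!Number.isNaN(parsed)) {
+tier = parsed;
+}
+}
 if (tier !== 1 && tier !== 2 && tier !== 3) {
 throw new Error("Config defaults.trustTier must be 1, 2, or 3");
 }
@@ -1994,7 +2000,6 @@ var SecretAccessorTarget = class {
 };
 function createSecretAccessor(secretValue) {
 let consumed = false;
-const revokeHolder = { fn: void 0 };
 function readImpl(callback) {
 if (consumed) {
 throw new Error("SecretAccessor has already been consumed \u2014 call getSecret() again to obtain a new accessor");
@@ -2005,7 +2010,6 @@ function createSecretAccessor(secretValue) {
 callback(buf);
 } finally {
 buf.fill(0);
-revokeHolder.fn?.();
 }
 }
 function inspectImpl() {
@@ -2063,9 +2067,7 @@ function createSecretAccessor(secretValue) {
 return ["read", INSPECT_CUSTOM];
 }
 };
-
-revokeHolder.fn = revoke;
-return proxy;
+return new Proxy(target, handler);
 }
 
 // src/access/sign-util.ts
@@ -2248,7 +2250,17 @@ function currentPlatform() {
 
 // src/doctor/runner.ts
 async function runDoctor(options) {
-
+let platform;
+try {
+platform = options?.platform ?? currentPlatform();
+} catch {
+return {
+checks: [],
+ready: false,
+warnings: [],
+nextSteps: ["Unsupported platform. vaultkeeper supports macOS, Linux, and Windows."]
+};
+}
 const entries = buildCheckList(platform);
 const resolved = await Promise.all(
 entries.map(async ({ check, required }) => {
@@ -2301,6 +2313,7 @@ function buildCheckList(platform) {
 
 // src/vault.ts
 var usageCounts = /* @__PURE__ */ new Map();
+var USAGE_MAP_MAX_SIZE = 1e4;
 var VaultKeeper = class _VaultKeeper {
 #config;
 #keyManager;
@@ -2337,7 +2350,7 @@ var VaultKeeper = class _VaultKeeper {
 return runDoctor();
 }
 /**
-*
+* Retrieve a secret from the backend and return a JWE token that encapsulates it.
 *
 * @param secretName - Identifier for the secret
 * @param options - Setup options
@@ -2396,12 +2409,16 @@ var VaultKeeper = class _VaultKeeper {
 const jti = claims.jti;
 const currentCount = usageCounts.get(jti) ?? 0;
 validateClaims(claims, currentCount);
-
-
-usageCounts.delete(jti);
-blockToken(jti);
-} else {
+if (claims.use !== null) {
+const newCount = currentCount + 1;
 usageCounts.set(jti, newCount);
+if (usageCounts.size > USAGE_MAP_MAX_SIZE) {
+const oldest = usageCounts.keys().next().value;
+if (oldest !== void 0) {
+usageCounts.delete(oldest);
+blockToken(oldest);
+}
+}
 }
 const token = createCapabilityToken(claims);
 const response = { keyStatus };
@@ -2636,6 +2653,6 @@ var VaultKeeper = class _VaultKeeper {
 }
 };
 
-export { AuthorizationDeniedError, BackendLockedError, BackendRegistry, BackendUnavailableError, CapabilityToken, DeviceNotPresentError, FilesystemError, IdentityMismatchError, InvalidAlgorithmError, KeyRevokedError, KeyRotatedError, PluginNotFoundError, RotationInProgressError, SecretNotFoundError, SetupError, TokenExpiredError, TokenRevokedError, UsageLimitExceededError, VaultError, VaultKeeper, isListableBackend };
+export { AuthorizationDeniedError, BackendLockedError, BackendRegistry, BackendUnavailableError, CapabilityToken, DeviceNotPresentError, FilesystemError, IdentityMismatchError, InvalidAlgorithmError, KeyRevokedError, KeyRotatedError, PluginNotFoundError, RotationInProgressError, SecretNotFoundError, SetupError, TokenExpiredError, TokenRevokedError, UsageLimitExceededError, VaultError, VaultKeeper, isListableBackend, runDoctor };
 //# sourceMappingURL=index.js.map
 //# sourceMappingURL=index.js.map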
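Review bot: In the usage-count hunk (`@@ -2396,12 +2409,16 @@`, inside a method that starts and ends outside the hunk) the removed branch that called `usageCounts.delete(jti)` and `blockToken(jti)` is gone and the new code only ever increments, so a token's counter now stays in `usageCounts` after its final permitted use until FIFO eviction, and dead entries consume the `USAGE_MAP_MAX_SIZE` budget ahead of live ones. If that branch fired on the last use, as the removed lines suggest (their condition did not survive rendering), restore it as `if (newCount >= claims.use) { usageCounts.delete(jti); blockToken(jti); } else { usageCounts.set(jti, newCount); /* eviction as added */ }`, after confirming against `validateClaims` whether the limit is inclusive. The eviction itself is fail-closed — the oldest jti is blocked rather than allowed to restart at zero — which is the safe default, but it means a still-valid, early-issued multi-use token is revoked purely by cache pressure; say so next to the constant: `// FIFO cap on per-jti usage counters; an evicted jti is blocked (fail-closed), so under sustained load live multi-use tokens can be revoked early`. `claims.use !== null` does not match `undefined`, so if `use` can be absent on unlimited tokens, use `claims.use != null` to keep them out of the map.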