vaultkeeper 0.5.1 → 0.5.3

package/dist/index.cjs

@@ -1617,7 +1617,13 @@ function validateConfig(config) {
   if (typeof config.defaults.ttlMinutes !== "number" || config.defaults.ttlMinutes <= 0) {
     throw new Error("Config defaults.ttlMinutes must be a positive number");
   }
-  const tier = config.defaults.trustTier;
+  let tier = config.defaults.trustTier;
+  if (typeof tier === "string") {
+    const parsed = Number(tier);
+    if (!Number.isNaN(parsed)) {
+      tier = parsed;
+    }
+  }
   if (tier !== 1 && tier !== 2 && tier !== 3) {
     throw new Error("Config defaults.trustTier must be 1, 2, or 3");
   }
@@ -2019,7 +2025,6 @@ var SecretAccessorTarget = class {
 };
 function createSecretAccessor(secretValue) {
   let consumed = false;
-  const revokeHolder = { fn: void 0 };
   function readImpl(callback) {
     if (consumed) {
       throw new Error("SecretAccessor has already been consumed \u2014 call getSecret() again to obtain a new accessor");
@@ -2030,7 +2035,6 @@ function createSecretAccessor(secretValue) {
       callback(buf);
     } finally {
       buf.fill(0);
-      revokeHolder.fn?.();
     }
   }
   function inspectImpl() {
@@ -2088,9 +2092,7 @@ function createSecretAccessor(secretValue) {
       return ["read", INSPECT_CUSTOM];
     }
   };
-  const { proxy, revoke } = Proxy.revocable(target, handler);
-  revokeHolder.fn = revoke;
-  return proxy;
+  return new Proxy(target, handler);
 }
 
 // src/access/sign-util.ts
@@ -2284,7 +2286,8 @@ async function runDoctor(options) {
       nextSteps: ["Unsupported platform. vaultkeeper supports macOS, Linux, and Windows."]
     };
   }
-  const entries = buildCheckList(platform);
+  const enabledTypes = enabledBackendTypes(options?.backends);
+  const entries = buildCheckList(platform, enabledTypes);
   const resolved = await Promise.all(
     entries.map(async ({ check, required }) => {
       const result = await check();
@@ -2318,24 +2321,48 @@ async function runDoctor(options) {
   const checks = resolved.map(({ result }) => result);
   return { checks, ready, warnings, nextSteps };
 }
-function buildCheckList(platform) {
+function enabledBackendTypes(backends) {
+  if (backends === void 0) return null;
+  const types = /* @__PURE__ */ new Set();
+  for (const b of backends) {
+    if (b.enabled) types.add(b.type);
+  }
+  return types;
+}
+function buildCheckList(platform, enabledTypes) {
   const entries = [{ check: checkOpenssl, required: true }];
   if (platform === "darwin") {
-    entries.push({ check: checkSecurity, required: true });
+    entries.push({
+      check: checkSecurity,
+      required: enabledTypes === null || enabledTypes.has("keychain")
+    });
     entries.push({ check: checkBash, required: false });
   } else if (platform === "win32") {
-    entries.push({ check: checkPowershell, required: true });
+    entries.push({
+      check: checkPowershell,
+      required: enabledTypes === null || enabledTypes.has("dpapi")
+    });
   } else {
     entries.push({ check: checkBash, required: true });
-    entries.push({ check: checkSecretTool, required: true });
+    entries.push({
+      check: checkSecretTool,
+      required: enabledTypes === null || enabledTypes.has("secret-tool")
+    });
   }
-  entries.push({ check: checkOp, required: false });
-  entries.push({ check: checkYkman, required: false });
+  entries.push({
+    check: checkOp,
+    required: enabledTypes?.has("1password") ?? false
+  });
+  entries.push({
+    check: checkYkman,
+    required: enabledTypes?.has("yubikey") ?? false
+  });
   return entries;
 }
 
 // src/vault.ts
 var usageCounts = /* @__PURE__ */ new Map();
+var USAGE_MAP_MAX_SIZE = 1e4;
 var VaultKeeper = class _VaultKeeper {
   #config;
   #keyManager;
@@ -2351,23 +2378,29 @@ var VaultKeeper = class _VaultKeeper {
    * Runs doctor checks (unless skipped), loads config, and sets up the key manager.
    */
   static async init(options) {
+    const configDir = options?.configDir ?? getDefaultConfigDir();
+    const config = options?.config ?? await loadConfig(configDir);
     if (options?.skipDoctor !== true) {
-      const doctorResult = await runDoctor();
+      const doctorResult = await runDoctor({ backends: config.backends });
       if (!doctorResult.ready) {
         throw new VaultError(
           `System not ready: ${doctorResult.nextSteps.join("; ")}`
         );
       }
     }
-    const configDir = options?.configDir ?? getDefaultConfigDir();
-    const config = options?.config ?? await loadConfig(configDir);
     const keyManager = new KeyManager();
     await keyManager.init();
     const vault = new _VaultKeeper(config, keyManager, configDir);
     vault.#backend = vault.#resolveBackend();
     return vault;
   }
-  /** Run doctor checks without full initialization. */
+  /**
+   * Run doctor checks without full initialization.
+   *
+   * Uses conservative platform defaults — all platform-native dependency
+   * checks are treated as required regardless of any backend configuration.
+   * For config-aware scoping, call `runDoctor({ backends })` directly.
+   */
   static async doctor() {
     return runDoctor();
   }
@@ -2431,12 +2464,16 @@ var VaultKeeper = class _VaultKeeper {
     const jti = claims.jti;
     const currentCount = usageCounts.get(jti) ?? 0;
     validateClaims(claims, currentCount);
-    const newCount = currentCount + 1;
-    if (claims.use !== null && newCount >= claims.use) {
-      usageCounts.delete(jti);
-      blockToken(jti);
-    } else {
+    if (claims.use !== null) {
+      const newCount = currentCount + 1;
       usageCounts.set(jti, newCount);
+      if (usageCounts.size > USAGE_MAP_MAX_SIZE) {
+        const oldest = usageCounts.keys().next().value;
+        if (oldest !== void 0) {
+          usageCounts.delete(oldest);
+          blockToken(oldest);
+        }
+      }
     }
     const token = createCapabilityToken(claims);
     const response = { keyStatus };