npm - vaultkeeper - Versions diffs - 0.5.1 → 0.5.3 - Mend

vaultkeeper 0.5.1 → 0.5.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.d.cts CHANGED Viewed

@@ -647,7 +647,13 @@ declare class VaultKeeper {
      * Runs doctor checks (unless skipped), loads config, and sets up the key manager.
      */
     static init(options?: VaultKeeperOptions): Promise<VaultKeeper>;
-    /** Run doctor checks without full initialization. */
+    /**
+     * Run doctor checks without full initialization.
+     *
+     * Uses conservative platform defaults — all platform-native dependency
+     * checks are treated as required regardless of any backend configuration.
+     * For config-aware scoping, call `runDoctor({ backends })` directly.
+     */
     static doctor(): Promise<PreflightResult>;
     /**
      * Retrieve a secret from the backend and return a JWE token that encapsulates it.
@@ -813,6 +819,18 @@ type Platform = 'darwin' | 'win32' | 'linux';
 interface RunDoctorOptions {
     /** Override the platform detection (useful for testing). */
     platform?: Platform;
+    /**
+     * When provided, doctor checks are scoped to the given backends.
+     * Platform-native dependency checks (e.g. `secret-tool`, `security`,
+     * `powershell`) are demoted from required to optional when the
+     * corresponding backend is not enabled. Plugin tool checks (`op`,
+     * `ykman`) are promoted from optional to required when their backend
+     * (`1password`, `yubikey`) is explicitly enabled.
+     *
+     * When omitted, all platform-default checks are treated as required
+     * (backward-compatible behavior).
+     */
+    backends?: BackendConfig[];
 }
 /**
  * Run all platform-appropriate preflight checks and aggregate the results.

package/dist/index.d.ts CHANGED Viewed

@@ -647,7 +647,13 @@ declare class VaultKeeper {
      * Runs doctor checks (unless skipped), loads config, and sets up the key manager.
      */
     static init(options?: VaultKeeperOptions): Promise<VaultKeeper>;
-    /** Run doctor checks without full initialization. */
+    /**
+     * Run doctor checks without full initialization.
+     *
+     * Uses conservative platform defaults — all platform-native dependency
+     * checks are treated as required regardless of any backend configuration.
+     * For config-aware scoping, call `runDoctor({ backends })` directly.
+     */
     static doctor(): Promise<PreflightResult>;
     /**
      * Retrieve a secret from the backend and return a JWE token that encapsulates it.
@@ -813,6 +819,18 @@ type Platform = 'darwin' | 'win32' | 'linux';
 interface RunDoctorOptions {
     /** Override the platform detection (useful for testing). */
     platform?: Platform;
+    /**
+     * When provided, doctor checks are scoped to the given backends.
+     * Platform-native dependency checks (e.g. `secret-tool`, `security`,
+     * `powershell`) are demoted from required to optional when the
+     * corresponding backend is not enabled. Plugin tool checks (`op`,
+     * `ykman`) are promoted from optional to required when their backend
+     * (`1password`, `yubikey`) is explicitly enabled.
+     *
+     * When omitted, all platform-default checks are treated as required
+     * (backward-compatible behavior).
+     */
+    backends?: BackendConfig[];
 }
 /**
  * Run all platform-appropriate preflight checks and aggregate the results.

package/dist/index.js CHANGED Viewed

@@ -1592,7 +1592,13 @@ function validateConfig(config) {
   if (typeof config.defaults.ttlMinutes !== "number" || config.defaults.ttlMinutes <= 0) {
     throw new Error("Config defaults.ttlMinutes must be a positive number");
   }
-  const tier = config.defaults.trustTier;
+  let tier = config.defaults.trustTier;
+  if (typeof tier === "string") {
+    const parsed = Number(tier);
+    if (!Number.isNaN(parsed)) {
+      tier = parsed;
+    }
+  }
   if (tier !== 1 && tier !== 2 && tier !== 3) {
     throw new Error("Config defaults.trustTier must be 1, 2, or 3");
   }
@@ -1994,7 +2000,6 @@ var SecretAccessorTarget = class {
 };
 function createSecretAccessor(secretValue) {
   let consumed = false;
-  const revokeHolder = { fn: void 0 };
   function readImpl(callback) {
     if (consumed) {
       throw new Error("SecretAccessor has already been consumed \u2014 call getSecret() again to obtain a new accessor");
@@ -2005,7 +2010,6 @@ function createSecretAccessor(secretValue) {
       callback(buf);
     } finally {
       buf.fill(0);
-      revokeHolder.fn?.();
     }
   }
   function inspectImpl() {
@@ -2063,9 +2067,7 @@ function createSecretAccessor(secretValue) {
       return ["read", INSPECT_CUSTOM];
     }
   };
-  const { proxy, revoke } = Proxy.revocable(target, handler);
-  revokeHolder.fn = revoke;
-  return proxy;
+  return new Proxy(target, handler);
 }
 // src/access/sign-util.ts
@@ -2259,7 +2261,8 @@ async function runDoctor(options) {
       nextSteps: ["Unsupported platform. vaultkeeper supports macOS, Linux, and Windows."]
     };
   }
-  const entries = buildCheckList(platform);
+  const enabledTypes = enabledBackendTypes(options?.backends);
+  const entries = buildCheckList(platform, enabledTypes);
   const resolved = await Promise.all(
     entries.map(async ({ check, required }) => {
       const result = await check();
@@ -2293,24 +2296,48 @@ async function runDoctor(options) {
   const checks = resolved.map(({ result }) => result);
   return { checks, ready, warnings, nextSteps };
 }
-function buildCheckList(platform) {
+function enabledBackendTypes(backends) {
+  if (backends === void 0) return null;
+  const types = /* @__PURE__ */ new Set();
+  for (const b of backends) {
+    if (b.enabled) types.add(b.type);
+  }
+  return types;
+}
+function buildCheckList(platform, enabledTypes) {
   const entries = [{ check: checkOpenssl, required: true }];
   if (platform === "darwin") {
-    entries.push({ check: checkSecurity, required: true });
+    entries.push({
+      check: checkSecurity,
+      required: enabledTypes === null || enabledTypes.has("keychain")
+    });
     entries.push({ check: checkBash, required: false });
   } else if (platform === "win32") {
-    entries.push({ check: checkPowershell, required: true });
+    entries.push({
+      check: checkPowershell,
+      required: enabledTypes === null || enabledTypes.has("dpapi")
+    });
   } else {
     entries.push({ check: checkBash, required: true });
-    entries.push({ check: checkSecretTool, required: true });
+    entries.push({
+      check: checkSecretTool,
+      required: enabledTypes === null || enabledTypes.has("secret-tool")
+    });
   }
-  entries.push({ check: checkOp, required: false });
-  entries.push({ check: checkYkman, required: false });
+  entries.push({
+    check: checkOp,
+    required: enabledTypes?.has("1password") ?? false
+  });
+  entries.push({
+    check: checkYkman,
+    required: enabledTypes?.has("yubikey") ?? false
+  });
   return entries;
 }
 // src/vault.ts
 var usageCounts = /* @__PURE__ */ new Map();
+var USAGE_MAP_MAX_SIZE = 1e4;
 var VaultKeeper = class _VaultKeeper {
   #config;
   #keyManager;
@@ -2326,23 +2353,29 @@ var VaultKeeper = class _VaultKeeper {
    * Runs doctor checks (unless skipped), loads config, and sets up the key manager.
    */
   static async init(options) {
+    const configDir = options?.configDir ?? getDefaultConfigDir();
+    const config = options?.config ?? await loadConfig(configDir);
     if (options?.skipDoctor !== true) {
-      const doctorResult = await runDoctor();
+      const doctorResult = await runDoctor({ backends: config.backends });
       if (!doctorResult.ready) {
         throw new VaultError(
           `System not ready: ${doctorResult.nextSteps.join("; ")}`
         );
       }
     }
-    const configDir = options?.configDir ?? getDefaultConfigDir();
-    const config = options?.config ?? await loadConfig(configDir);
     const keyManager = new KeyManager();
     await keyManager.init();
     const vault = new _VaultKeeper(config, keyManager, configDir);
     vault.#backend = vault.#resolveBackend();
     return vault;
   }
-  /** Run doctor checks without full initialization. */
+  /**
+   * Run doctor checks without full initialization.
+   *
+   * Uses conservative platform defaults — all platform-native dependency
+   * checks are treated as required regardless of any backend configuration.
+   * For config-aware scoping, call `runDoctor({ backends })` directly.
+   */
   static async doctor() {
     return runDoctor();
   }
@@ -2406,12 +2439,16 @@ var VaultKeeper = class _VaultKeeper {
     const jti = claims.jti;
     const currentCount = usageCounts.get(jti) ?? 0;
     validateClaims(claims, currentCount);
-    const newCount = currentCount + 1;
-    if (claims.use !== null && newCount >= claims.use) {
-      usageCounts.delete(jti);
-      blockToken(jti);
-    } else {
+    if (claims.use !== null) {
+      const newCount = currentCount + 1;
       usageCounts.set(jti, newCount);
+      if (usageCounts.size > USAGE_MAP_MAX_SIZE) {
+        const oldest = usageCounts.keys().next().value;
+        if (oldest !== void 0) {
+          usageCounts.delete(oldest);
+          blockToken(oldest);
+        }
+      }
     }
     const token = createCapabilityToken(claims);
     const response = { keyStatus };