@zodal/dials-store-secret
v0.1.0
Published
Secret backend + bifurcation provider for zodal-dials — routes secret values to a separate backend (content/metadata bifurcation)
Readme
@zodal/dials-store-secret
The secret side of zodal-dials' content/metadata bifurcation — route secret values to a separate backend, never the config store.
npm i @zodal/dials-store-secret @zodal/dials-coreimport { createMemorySecretBackend, createSensitiveSettingsProvider, revealSetting } from '@zodal/dials-store-secret';
import { createJsoncStore } from '@zodal/dials-store-jsonc';
const secrets = createMemorySecretBackend(); // or an OS-keychain / Vault backend
const provider = createSensitiveSettingsProvider({
config: createJsoncStore({ path: 'settings.jsonc' }),
secrets,
sensitivityFor: dials.sensitivityFor,
});
await provider.save(layer); // non-secret -> config file; secret -> backend (JSON-encoded)
await provider.load(); // config values + a masked SecretRef per secret (never plaintext)
await revealSetting(secrets, 'network.apiKey'); // explicit, decoded revealcreateMemorySecretBackend()— a referenceSecretBackend(in-memory; dev/test). Real backends (keychain, Vault, encrypted file) implement the same interface.createSensitiveSettingsProvider— a bifurcatedLayerStore: splits the layer on save (secrets → backend, JSON-encoded so object-valued secrets survive; config → config store), surfaces maskedSecretRefs on load. Secrets-first writes; throws (not silently drops) on a read-only config;UNSETdeletes a secret.
Part of the zodal-dials ecosystem.
