These packages give you a zero-downtime secret rotation engine that orchestrates the full lifecycle (generate, propagate, verify, activate, and revoke) across AWS Secrets Manager, GCP Secret Manager, HashiCorp Vault, and Vercel environment variables. You'd adopt them to solve the operational problem of rotating secrets in production without causing outages when consumers haven't picked up the new key yet. The most distinctive thing is the overlapping key window design combined with dual verification strategies (provider-level polling and consumer-level active verification), all exposed through a pluggable provider interface and an optional HTTP sidecar that can be run without writing any code.
A zero-downtime secret rotation engine that orchestrates the full lifecycle (generate → propagate → verify → activate → revoke) with overlapping key windows, dual verification strategies, and automatic rollback. Exports a `RotationManager` class that accepts a pluggable provider adapter (e.g., AWS, GCP, Vault) and optional key store, verifier, event emitter, and rate limiter.
A structured JSON logger and Prometheus-format metrics registry with zero runtime dependencies, providing `LoggerService` and `MetricsService` classes that implement the `Logger` interface from `@reaatech/secret-rotation-types`.
An AWS Secrets Manager adapter for the Secret Rotation Kit, implementing the `SecretProvider` interface with CRUD operations, version stage management (`AWSCURRENT`, `AWSPENDING`, `AWSPREVIOUS`), and rotation session support. Requires `@aws-sdk/client-secrets-manager` as a peer dependency.
A GCP Secret Manager adapter for the Secret Rotation Kit, implementing the `SecretProvider` interface with CRUD, versioning, rotation sessions, and health checks via the `@google-cloud/secret-manager` SDK.
A HashiCorp Vault KV v2 adapter for the Secret Rotation Kit, implementing the `SecretProvider` interface with CRUD, versioning, rotation sessions, and health checks. It provides a `VaultProvider` class that pairs with `@reaatech/secret-rotation-core` and lazily loads the `node-vault` client at runtime.
A Vercel-specific `SecretProvider` implementation for the Secret Rotation Kit that manages environment variables via the Vercel REST API using only the global `fetch`. It provides a class (`VercelProvider`) that handles CRUD operations, rotation sessions, and health checks against Vercel projects, with support for multiple deployment targets and configurable environment variable types.
An HTTP sidecar server that exposes secret rotation operations, health checks, Prometheus metrics, and SSE event streaming over a REST API, built on Node.js's built-in `http` module with zero framework dependencies. Ships as both a programmatic class (`SidecarServer`) and a standalone CLI binary configured via environment variables.
Type definitions, abstract interfaces, and error classes for the Secret Rotation Kit ecosystem, providing shared types like `SecretKey`, `RotationState`, `SecretProvider`, and `RotationConfig` as zero-dependency TypeScript exports.