PersistentAI API Documentation / @persistent-ai/fireflow-trpc / server / VaultService
Class: VaultService
Defined in: packages/fireflow-trpc/server/vault/service.ts:20
VaultService sits above ISecretsProvider and adds:
- ECDH re-encryption for execution transit
- Schema validation before storage
- Secret type validation against secretTypeSchemas
- Provider routing (which provider handles which secret)
Constructors
Constructor
new VaultService(defaultProvider, providers?): VaultService
Defined in: packages/fireflow-trpc/server/vault/service.ts:21
Parameters
defaultProvider
providers?: Map<string, ISecretsProvider> = ...
Returns
VaultService
Methods
createSecret()
createSecret(params): Promise<string>
Defined in: packages/fireflow-trpc/server/vault/service.ts:29
Create a new secret. Validates the secret type and value against secretTypeSchemas before storage.
Parameters
params
Returns
Promise<string>
deleteSecret()
deleteSecret(secretId, ownerId): Promise<void>
Defined in: packages/fireflow-trpc/server/vault/service.ts:65
Delete a secret.
Parameters
secretId: string
ownerId: string
Returns
Promise<void>
getSecretForExecution()
getSecretForExecution(secretId, ownerId, ecdhPublicKeyBase64): Promise<{ encrypted: string; hkdfNonce: string; publicKey: string; secretType: string; }>
Defined in: packages/fireflow-trpc/server/vault/service.ts:85
Get secret re-encrypted for execution transit (ECDH).
- Resolves plaintext from provider
- Re-encrypts using ECDH (Web Crypto API)
- Returns data compatible with wrapSecret()
Plaintext exists ONLY momentarily in server memory.
Parameters
secretId: string
ownerId: string
ecdhPublicKeyBase64: string
Returns
Promise<{ encrypted: string; hkdfNonce: string; publicKey: string; secretType: string; }>
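The transit re-encryption that getSecretForExecution() and resolveExternalSecret() describe, as an added Web Crypto example (not the project's own code): the curve (P-256), the KDF (HKDF-SHA256 with a fresh salt as hkdfNonce), AES-256-GCM, the info label, and the base64/JSON layout of the envelope are assumptions about the wire format, not taken from the page.

```typescript
// Added example of ECDH transit re-encryption; algorithm choices and envelope layout are assumed.
import { webcrypto } from "node:crypto";
type CryptoKey = webcrypto.CryptoKey;
const subtle = webcrypto.subtle;
const b64 = (b: Uint8Array) => Buffer.from(b).toString("base64");
const unb64 = (s: string) => new Uint8Array(Buffer.from(s, "base64"));

export interface TransitEnvelope {
  encrypted: string;  // base64: 12-byte AES-GCM IV || ciphertext || tag (assumed layout)
  hkdfNonce: string;  // base64 HKDF salt, fresh for every call
  publicKey: string;  // base64 SPKI of the sender's ephemeral ECDH public key
  secretType: string;
}

export async function generateTransitKeyPair() {
  const kp = await subtle.generateKey({ name: "ECDH", namedCurve: "P-256" }, false, ["deriveBits"]);
  const spki = new Uint8Array(await subtle.exportKey("spki", kp.publicKey));
  return { privateKey: kp.privateKey, publicKeyBase64: b64(spki) };
}

// ECDH shared secret -> HKDF-SHA256(salt, info) -> one-time AES-256-GCM key.
async function deriveAesKey(priv: CryptoKey, peerSpki: Uint8Array, salt: Uint8Array): Promise<CryptoKey> {
  const peer = await subtle.importKey("spki", peerSpki, { name: "ECDH", namedCurve: "P-256" }, false, []);
  const shared = await subtle.deriveBits({ name: "ECDH", public: peer }, priv, 256);
  const ikm = await subtle.importKey("raw", shared, "HKDF", false, ["deriveKey"]);
  const info = new TextEncoder().encode("fireflow-secret-transit"); // assumed domain-separation label
  return subtle.deriveKey({ name: "HKDF", hash: "SHA-256", salt, info }, ikm,
    { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
}

// Server side: the plaintext is held only for the duration of this call.
export async function wrapForTransit(plaintext: Record<string, string>, secretType: string,
                                     ecdhPublicKeyBase64: string): Promise<TransitEnvelope> {
  const eph = await generateTransitKeyPair();                    // ephemeral key pair per request
  const salt = webcrypto.getRandomValues(new Uint8Array(32));
  const iv = webcrypto.getRandomValues(new Uint8Array(12));
  const key = await deriveAesKey(eph.privateKey, unb64(ecdhPublicKeyBase64), salt);
  const ct = await subtle.encrypt({ name: "AES-GCM", iv }, key, new TextEncoder().encode(JSON.stringify(plaintext)));
  return { encrypted: b64(Buffer.concat([iv, new Uint8Array(ct)])), hkdfNonce: b64(salt),
           publicKey: eph.publicKeyBase64, secretType };
}

// Recipient side: derives the same key from its own private key and the sender's ephemeral public key.
export async function unwrapTransit(env: TransitEnvelope, recipientPrivateKey: CryptoKey): Promise<Record<string, string>> {
  const key = await deriveAesKey(recipientPrivateKey, unb64(env.publicKey), unb64(env.hkdfNonce));
  const blob = unb64(env.encrypted);
  const pt = await subtle.decrypt({ name: "AES-GCM", iv: blob.subarray(0, 12) }, key, blob.subarray(12));
  return JSON.parse(new TextDecoder().decode(pt)); // GCM tag verification rejects any tampered envelope
}
```

Because the sender's key pair and the HKDF salt are generated per call, two envelopes for the same secret never share ciphertext, and a recipient holding a different private key cannot decrypt.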
getSecretMetadata()
getSecretMetadata(secretId, ownerId): Promise<SecretMetadata | null>
Defined in: packages/fireflow-trpc/server/vault/service.ts:38
Get secret metadata (no value).
Parameters
secretId: string
ownerId: string
Returns
Promise<SecretMetadata | null>
listSecrets()
listSecrets(ownerId, filter?): Promise<SecretMetadata[]>
Defined in: packages/fireflow-trpc/server/vault/service.ts:45
List secrets for an owner (metadata only).
Parameters
ownerId: string
filter?
Returns
Promise<SecretMetadata[]>
resolveExternalSecret()
resolveExternalSecret(providerId, secretRef, ecdhPublicKeyBase64): Promise<{ encrypted: string; hkdfNonce: string; publicKey: string; secretType: string; }>
Defined in: packages/fireflow-trpc/server/vault/service.ts:128
Resolve a secret from an external vault provider (Phase 2).
Parameters
providerId: string
secretRef: string
ecdhPublicKeyBase64: string
Returns
Promise<{ encrypted: string; hkdfNonce: string; publicKey: string; secretType: string; }>
resolveSecretPlaintext()
resolveSecretPlaintext(secretId, ownerId): Promise<Record<string, string>>
Defined in: packages/fireflow-trpc/server/vault/service.ts:117
Resolve a secret's plaintext value for trusted server-side operations.
Used where the server itself needs the secret value, e.g. Telegram HMAC verification (the bot token) or signed URL validation (the signing secret).
NEVER expose plaintext to clients. This is for server-side crypto only.
Parameters
secretId: string
ownerId: string
Returns
Promise<Record<string, string>>
secretExists()
secretExists(ownerId, name, secretType): Promise<boolean>
Defined in: packages/fireflow-trpc/server/vault/service.ts:72
Check whether a secret with the given name and type already exists for an owner.
Parameters
ownerId: string
name: string
secretType: string
Returns
Promise<boolean>
updateSecret()
updateSecret(secretId, ownerId, value): Promise<void>
Defined in: packages/fireflow-trpc/server/vault/service.ts:52
Update a secret's value. Re-validates against the schema.
Parameters
secretId: string
ownerId: string
value: Record<string, string>
Returns
Promise<void>