/** * KeyPersistence - Unified key management with storage abstraction. * * Provides a high-level API for storing and retrieving cryptographic keys * with any storage backend (memory, filesystem, Redis, etc.). * * @module @frontmcp/utils/key-persistence */ import type { StorageAdapter } from '../../storage/types'; import type { AnyKeyData, SecretKeyData, AsymmetricKeyData, KeyPersistenceOptions, CreateSecretOptions } from './types'; /** * KeyPersistence provides a unified API for storing and retrieving * cryptographic keys with any storage backend. * * Features: * - Type-safe key storage with Zod validation * - In-memory caching for fast reads * - Support for symmetric secrets and asymmetric key pairs * - Works with any StorageAdapter (Memory, FileSystem, Redis, etc.) * * @example * ```typescript * import { KeyPersistence, MemoryStorageAdapter } from '@frontmcp/utils'; * * const storage = new MemoryStorageAdapter(); * await storage.connect(); * * const keys = new KeyPersistence({ storage }); * * // Get or create a secret * const secret = await keys.getOrCreateSecret('encryption-key'); * console.log(secret.secret); // base64url string * * // Store a custom key * await keys.set({ * type: 'secret', * kid: 'my-key', * secret: 'abc...', * bytes: 32, * createdAt: Date.now(), * version: 1, * }); * * // List all keys * const kids = await keys.list(); * ``` */ export declare class KeyPersistence { private readonly storage; private readonly cache; private readonly enableCache; private readonly throwOnInvalid; constructor(options: KeyPersistenceOptions); /** * Get a key by ID. * * @param kid - Key identifier * @returns Key data or null if not found */ get(kid: string): Promise; /** * Get a secret key by ID. * * @param kid - Key identifier * @returns Secret key data or null if not found or wrong type */ getSecret(kid: string): Promise; /** * Get an asymmetric key by ID. * * @param kid - Key identifier * @returns Asymmetric key data or null if not found or wrong type */ getAsymmetric(kid: string): Promise; /** * Store a key. * * @param key - Key data to store */ set(key: AnyKeyData): Promise; /** * Delete a key. * * @param kid - Key identifier * @returns true if key existed and was deleted */ delete(kid: string): Promise; /** * Check if a key exists. * * @param kid - Key identifier * @returns true if key exists */ has(kid: string): Promise; /** * List all key IDs. * * @returns Array of key identifiers */ list(): Promise; /** * Get or create a secret key. * * If a key with the given ID exists and is a valid secret key, * it is returned. Otherwise, a new secret key is generated. * * @param kid - Key identifier * @param options - Options for key creation * @returns Secret key data * * @example * ```typescript * const secret = await keys.getOrCreateSecret('encryption-key'); * const bytes = base64urlDecode(secret.secret); * ``` */ getOrCreateSecret(kid: string, options?: CreateSecretOptions): Promise; /** * Clear the in-memory cache. * * Useful when you want to force a reload from storage. */ clearCache(): void; /** * Clear cache for a specific key. * * @param kid - Key identifier */ clearCacheFor(kid: string): void; /** * Check if a key is in the cache. * * @param kid - Key identifier * @returns true if key is cached */ isCached(kid: string): boolean; /** * Get the underlying storage adapter. * * Use with caution - direct storage access bypasses validation. */ getAdapter(): StorageAdapter; }