identity and trustpackages/iam/vault

vault package

Application-layer envelope encryption for customer secrets — AES-256-GCM, per-tenant DEK, KMS-wrapped. Audit-logged read/decrypt, zero plaintext at rest.

Open docs

Stability: Stable
Scope: Tenant-scoped
Boundary: packages/iam/vault
Owners: @nebutra/iam

secrets12 secrets · 3 tenants

rotation policy

OpenAI API Key

sk-•••••••••••8847

acme-prodkms/9f2arotated 3 days ago

Stripe Webhook Secret

whsec_•••••••••••1c4d

acme-prodkms/9f2arotated 12 days ago

Database Password

pg://•••••••••••a31f

lumen-devkms/4b7erotated 27 days ago

PlaintextDEKKEK (KMS)

AES-256-GCM · per-tenant DEK · KMS-wrapped

Usagevault.ts

typescript

vault.ts

1import { getVault } from "@nebutra/vault";
2
3const vault = await getVault();
4
5// Envelope encryption — AWS KMS unwraps the DEK per-record.
6const encrypted = await vault.encrypt(secretKey, {
7  tenantId: org.id,
8  name: "OpenAI API Key",
9});
10
11const plaintext = await vault.decrypt(encrypted);

More in domain · identity and trustView domain

auditPackage

packages/iam/audit

Hash-chained, SHA-256 append-only audit log for actor/tenant actions. SOC 2-grade tamper detection, streaming export, and replay-safe queries.

Explore

authPackage

packages/iam/auth

Multi-provider auth — Clerk, Better Auth, or NextAuth. Same React surface, swap providers via preset config. MFA-enforced, session HMAC-signed.

Explore

captchaPackage

packages/iam/captcha

Bot challenge with Cloudflare Turnstile / hCaptcha / reCAPTCHA behind one verify() call. Server-side scoring, per-route enable, no third-party tracker on the client.

Explore

identityPackage

packages/iam/identity

Shared actor primitive — usr_/svc_/api_ ID space, role/membership lookup, tenant attachment. The single identity object every iam package reads.

Explore

vault packagepackage

vault package