@orangecheck/vault-core

---

@orangecheck/vault-core / OcVault

Class: OcVault

Defined in: vault-core/src/vault.ts:32

Properties

Property	Modifier	Type	Description	Defined in
<a id="property-entries"></a> entries	readonly	DecryptedEntry[]	Every live (non-trashed) decrypted entry.	vault-core/src/vault.ts:37
<a id="property-identity"></a> identity	readonly	string | null	The OrangeCheck identity this vault belongs to, when known.	vault-core/src/vault.ts:39
<a id="property-key"></a> key	readonly	Uint8Array	The unwrapped 32-byte vault key. In-memory only.	vault-core/src/vault.ts:35

Methods

find()

find(item: string): DecryptedEntry | null;

Defined in: vault-core/src/vault.ts:105

Find one decrypted entry by its id or its name (case-insensitive).

Parameters

Parameter	Type
item	string

Returns

DecryptedEntry | null

---

list()

list(): VaultEntrySummary[];

Defined in: vault-core/src/vault.ts:100

Metadata summaries for every entry — no secret values.

Returns

VaultEntrySummary[]

---

resolve()

resolve(ref: string | SecretRef): string;

Defined in: vault-core/src/vault.ts:115

Resolve one ocv:// reference to its value.

Parameters

Parameter	Type
ref	string | SecretRef

Returns

string

---

resolveAll()

resolveAll(refs: Record<string, string>): Record<string, string>;

Defined in: vault-core/src/vault.ts:129

Resolve a map of { name: ocv://reference } to { name: value } — the shape an .env-style file or a CI matrix uses.

Parameters

Parameter	Type
refs	Record<string, string>

Returns

Record<string, string>

---

fromEntries()

static fromEntries(entries: VaultEntry[], key: Uint8Array): OcVault;

Defined in: vault-core/src/vault.ts:77

Open from entries and a raw key you already hold (e.g. the extension).

Parameters

Parameter	Type
entries	VaultEntry[]
key	Uint8Array

Returns

OcVault

---

fromExport()

static fromExport(
   exportFile: string | VaultExport, 
   escrow: WrappedKey, 
   passphrase: string): OcVault;

Defined in: vault-core/src/vault.ts:63

Open from a portable export file — fully offline, no network. The export holds ciphertext only, so the escrowed WrappedKey and the passphrase are still required to derive the key.

Parameters

Parameter	Type
exportFile	string | VaultExport
escrow	WrappedKey
passphrase	string

Returns

OcVault

---

open()

static open(opts: {
  client: VaultClient;
  passphrase: string;
}): Promise<OcVault>;

Defined in: vault-core/src/vault.ts:46

Open a live vault over a VaultClient: fetch the escrow, unwrap the key with the passphrase, pull every blob, decrypt.

Parameters

Parameter	Type
opts	{ client: VaultClient; passphrase: string; }
opts.client	VaultClient
opts.passphrase	string

Returns

Promise<OcVault>