Merge pull request #3 from git-stunts/deno-and-bun

Deno and bun

Author: flyingrobots

.gitignore

@@ -1,3 +1,4 @@
 node_modules/
 .DS_Store
 .vite/
+*.tgz

ARCHITECTURE.md

@@ -10,10 +10,18 @@ The core logic for managing secrets, independent of the underlying OS.
 - **Services**: `VaultService` orchestrates secret retrieval, storage, and resolution strategies (env vars vs vault).
 - **Errors**: Domain-specific errors (`VaultError`, `SecretNotFoundError`) to abstract low-level failures.
 
+### Ports (`src/ports/`)
+Interfaces for the domain to talk to hosting platforms without knowing the details.
+
+- **CommandRunnerPort**: Synchronous command execution (used by `KeychainAdapter`).
+
 ### Infrastructure Layer (`src/infrastructure/`)
 Adapters for external systems.
 
-- **Adapters**: `KeychainAdapter` handles the specific OS commands (`security`, `secret-tool`, `PowerShell`) to interact with the native keychain.
+- **Adapters**: `KeychainAdapter` orchestrates platform-agnostic command flow while relying on injected ports.
+- **Node adapter**: `NodeCommandRunner` plus `createNodeKeychainAdapter` wire up the Node runtime (child_process, default platform detection).
+- **Bun adapter**: `BunCommandRunner`/`createBunKeychainAdapter` execute commands via `Bun.spawnSync` when Bun is detected.
+- **Deno adapter**: `DenoCommandRunner`/`createDenoKeychainAdapter` rely on `Deno.Command` so the same domain logic can run inside Deno.
 
 ## 📂 Directory Structure
 
@@ -22,8 +30,13 @@ src/
 ├── domain/
 │   ├── errors/         # VaultError, etc.
 │   └── services/       # VaultService
+├── ports/              # CommandRunnerPort
 └── infrastructure/
-    └── adapters/       # KeychainAdapter
+    └── adapters/
+        ├── KeychainAdapter.js
+        ├── node/       # NodeCommandRunner, factories
+        ├── bun/        # BunCommandRunner, factories
+        └── deno/       # DenoCommandRunner, factories
 ```
 
 ## 🔐 Security Principles

Dockerfile.bun

@@ -0,0 +1,8 @@
+FROM oven/bun:1.3.4
+RUN apt-get update && apt-get install -y git && rm -rf /var/lib/apt/lists/*
+WORKDIR /app
+COPY plumbing /plumbing
+COPY vault /app
+RUN bun install --ignore-scripts
+ENV GIT_STUNTS_DOCKER=1
+CMD ["bun", "run", "vitest", "run", "test/unit"]

Dockerfile.deno

@@ -0,0 +1,26 @@
+FROM denoland/deno:2.6.3@sha256:075c8d994cf1e44f10d98ea86f6693037e9c66eb83e9b5fa6a534147372de3fb
+
+ARG NODE_VERSION=20.19.6
+ENV NODE_VERSION=${NODE_VERSION}
+RUN deno run --allow-net --allow-write --allow-env - <<'EOF'
+const version = Deno.env.get('NODE_VERSION');
+const arch = Deno.build.arch === 'x86_64' ? 'x64' : 'arm64';
+const url = `https://nodejs.org/dist/v${version}/node-v${version}-linux-${arch}.tar.gz`;
+const response = await fetch(url);
+if (!response.ok) {
+  throw new Error(`Failed to download Node ${version}`);
+}
+const arrayBuffer = await response.arrayBuffer();
+await Deno.writeFile('/tmp/node.tar.gz', new Uint8Array(arrayBuffer));
+EOF
+RUN tar -xzf /tmp/node.tar.gz -C /usr/local --strip-components=1 && rm -f /tmp/node.tar.gz
+
+WORKDIR /app
+
+COPY package*.json ./
+RUN npm ci --ignore-scripts
+
+COPY . ./
+
+ENV GIT_STUNTS_DOCKER=1
+CMD ["deno", "task", "test"]

README.md

@@ -21,6 +21,19 @@ Storing API keys or encryption secrets in `.env` files is a security risk. `vaul
 - **Linux**: Requires `libsecret` (e.g., `sudo apt install libsecret-tools`).
 - **Windows**: Requires the `CredentialManager` PowerShell module.
 
+## Runtime-specific adapters
+
+- **Node (default)**: `Vault` auto-detects Bun and Deno globals and falls back to the Node adapter when neither is present.
+- **Bun**: Import `createBunKeychainAdapter` (or rely on the auto-detection) to execute commands with `Bun.spawnSync` when running under Bun.
+- **Deno**: Import `createDenoKeychainAdapter` and run via `Deno.Command`. See `deno.json` and `Dockerfile.deno` for a working setup.
+
+The `plumbing/` folder contains the reference Dockerfiles for each runtime (`Dockerfile.bun`, `Dockerfile.deno`, etc.), so you can see how the ports are wired together in an end-to-end image.
+
+## Docker-based tests
+
+- `npm test` runs `scripts/run-multi-runtime-tests.sh`, which in turn brings up the `node-test`, `bun-test`, and `deno-test` containers defined in `docker-compose.yml`.
+- Each container uses the respective Dockerfile (`Dockerfile`, `Dockerfile.bun`, `Dockerfile.deno`) so you can reproduce the same setup locally or in CI.
+
 ## Usage
 
 ```javascript
@@ -44,8 +57,13 @@ const apiKey = vault.resolveSecret({
 });
 ```
 
+## Docker images
+
+- `Dockerfile` (Node) mirrors the repository root workflow and runs `npm test`.
+- `Dockerfile.bun` copies both projects, installs with Bun, and runs `bun run vitest test/unit`.
+- `Dockerfile.deno` relies on `deno task test` defined in `deno.json`, which proxies back to the npm test stack via the shared script.
+
 ## License
 
 Apache-2.0
 Copyright © 2026 [James Ross](https://github.com/flyingrobots)
-

deno.json

@@ -0,0 +1,5 @@
+{
+  "tasks": {
+    "test": "npm run test:local"
+  }
+}

docker-compose.yml

@@ -1,7 +1,21 @@
 services:
-  test:
+  node-test:
     build:
       context: ..
       dockerfile: vault/Dockerfile
     environment:
       - GIT_STUNTS_DOCKER=1
+
+  bun-test:
+    build:
+      context: ..
+      dockerfile: vault/Dockerfile.bun
+    environment:
+      - GIT_STUNTS_DOCKER=1
+
+  deno-test:
+    build:
+      context: ..
+      dockerfile: vault/Dockerfile.deno
+    environment:
+      - GIT_STUNTS_DOCKER=1

index.js

@@ -6,12 +6,61 @@ import VaultService from './src/domain/services/VaultService.js';
 import VaultError from './src/domain/errors/VaultError.js';
 import PlatformNotSupportedError from './src/domain/errors/PlatformNotSupportedError.js';
 import SecretNotFoundError from './src/domain/errors/SecretNotFoundError.js';
+import { createBunKeychainAdapter } from './src/infrastructure/adapters/bun/index.js';
+import { createDenoKeychainAdapter } from './src/infrastructure/adapters/deno/index.js';
+import { defaultRuntime } from './src/runtime/index.js';
+
+const isNodeRuntime =
+  typeof process !== 'undefined' &&
+  typeof process.versions?.node === 'string' &&
+  process.release?.name === 'node';
+
+let nodeRequire;
+if (isNodeRuntime) {
+  const { createRequire } = await import('module');
+  nodeRequire = createRequire(import.meta.url);
+}
+
+const loadNodeAdapterModule = () => {
+  if (!nodeRequire) {
+    throw new Error('Node runtime is required for the Node keychain adapter');
+  }
+  return nodeRequire('./src/infrastructure/adapters/node/index.js');
+};
+
+/**
+ * Create a keychain adapter backed by the Node runtime.
+ * @param {Object} [options]
+ * @param {string} [options.account] - Account/scope for the secrets.
+ * @returns {KeychainAdapter}
+ */
+export function createNodeKeychainAdapter(options) {
+  return loadNodeAdapterModule().createNodeKeychainAdapter(options);
+}
+
+/**
+ * Detect the environment and instantiate the matching keychain adapter.
+ * @param {Object} params
+ * @param {string} [params.account]
+ * @returns {KeychainAdapter}
+ */
+const detectAdapter = ({ account }) => {
+  if (typeof Bun !== 'undefined' && typeof Bun.spawnSync === 'function') {
+    return createBunKeychainAdapter({ account });
+  }
+  if (typeof Deno !== 'undefined' && typeof Deno.Command === 'function') {
+    return createDenoKeychainAdapter({ account });
+  }
+  return createNodeKeychainAdapter({ account });
+};
 
 export {
   VaultService,
   VaultError,
   PlatformNotSupportedError,
-  SecretNotFoundError
+  SecretNotFoundError,
+  createBunKeychainAdapter,
+  createDenoKeychainAdapter
 };
 
 /**
@@ -22,25 +71,31 @@ export default class Vault {
   /**
    * @param {Object} options
    * @param {string} [options.account='git-stunts']
+   * @param {Function} [options.adapterFactory]
    */
-  constructor({ account = 'git-stunts' } = {}) {
-    this.service = new VaultService({ account });
+  constructor({ account = 'git-stunts', adapterFactory } = {}) {
+    if (adapterFactory != null && typeof adapterFactory !== 'function') {
+      throw new TypeError('adapterFactory must be a function');
+    }
+    const adapter =
+      adapterFactory ? adapterFactory({ account }) : detectAdapter({ account });
+    this.service = new VaultService({ account, adapter });
   }
 
   get account() {
     return this.service.account;
   }
 
   get isMac() {
-    return process.platform === 'darwin';
+    return defaultRuntime.getPlatform() === 'darwin';
   }
 
   get isLinux() {
-    return process.platform === 'linux';
+    return defaultRuntime.getPlatform() === 'linux';
   }
 
   get isWindows() {
-    return process.platform === 'win32';
+    return defaultRuntime.getPlatform() === 'win32';
   }
 
   getSecret({ target }) {
@@ -51,15 +106,35 @@ export default class Vault {
     this.service.setSecret(target, value);
   }
 
+  /**
+   * Remove the secret for the requested target.
+   * @param {Object} params
+   * @param {string} params.target
+   * @returns {boolean}
+   */
   deleteSecret({ target }) {
     return this.service.deleteSecret(target);
   }
 
+  /**
+   * Resolve a value from the vault or environment variables.
+   * @param {Object} params
+   * @param {string} params.envKey
+   * @param {string} params.vaultTarget
+   * @returns {string|undefined}
+   */
   resolveSecret({ envKey, vaultTarget }) {
     return this.service.resolveSecret({ envKey, vaultTarget });
   }
 
+  /**
+   * Ensure a secret exists, prompting if configured.
+   * @param {Object} params
+   * @param {string} params.target
+   * @param {string} [params.promptMessage]
+   * @returns {Promise<string>}
+   */
   async ensureSecret({ target, promptMessage }) {
     return this.service.ensureSecret({ target, promptMessage });
   }
-}
+}