Low-priority follow-ups from the 2026-07 repository audit, collected in one place. None of these block the other audit issues (#104, #105, #106, #107, #108, #109, #110); pick them up opportunistically or when touching the surrounding code.
Untested paths
Code quality
Dependencies & release process
Considered and rejected (do not build)
Generic middleware/plugin chain for the request pipeline; a generic secret-scrubbing log framework; TTL-based mount re-detection; aspirational coverage targets; README TOC generation tooling. The codebase is ~1.9k LOC — bespoke abstractions cost more than the duplication they remove.
Filed from the 2026-07-02 repository audit of commit 4225f9b.
Low-priority follow-ups from the 2026-07 repository audit, collected in one place. None of these block the other audit issues (#104, #105, #106, #107, #108, #109, #110); pick them up opportunistically or when touching the surrounding code.
Untested paths
VaultKubernetesAuth:fs.readFileSyncthrow path (missing/unreadable service-account token file — the most realistic real-world failure)VaultIAMAuth: default AWS credential-chain path (construction without explicit credentials) is never invoked in teststest/auth.base.test.mjs"reschedules when a renewal fails": assert the timer actually re-armsVaultNodeConfig.deepMerge— a deliberate security control with zero test coverageLease.getMetadata()testVaultApiClientnon-2xx handling: asserterr.errorcontents and the non-JSON-body fallbackCode quality
VaultErrorhierarchy —VaultApiClientcurrently throws a plainErrorwith ad-hoc.statusCode/.error, so callers cannotinstanceof-check HTTP failures. Keep the existing field shape for compatibility.role,role_id, …) consistently across auth backends — onlyVaultTokenAuthvalidates its input today. Note: stricter validation is a behavior change; flag as a minor bump.VaultBaseAuth.__authTokenholds either aPromise<AuthToken>or a resolvedAuthToken, discriminated byinstanceof— consider separating into two fields for clarity.Dependencies & release process
long-timeout@0.1.1is unmaintained (last release 2016, ~50 LOC): document the decision to keep it, or inline the codeVaultApiClient— do this after the catch/log/rethrow wrapper from Refactor: unify the 4x copy-pasted request pipeline in VaultClient #110 to avoid double-loggingConsidered and rejected (do not build)
Generic middleware/plugin chain for the request pipeline; a generic secret-scrubbing log framework; TTL-based mount re-detection; aspirational coverage targets; README TOC generation tooling. The codebase is ~1.9k LOC — bespoke abstractions cost more than the duplication they remove.
Filed from the 2026-07-02 repository audit of commit 4225f9b.