Add automatic token and lease renewal with event-based lifecycle management #292

Merged
aviadhahami merged 3 commits into master from copilot/add-dynamic-credentials-support
Mar 21, 2026

Copilot AI commented Mar 21, 2026

The library exposes tokenRenewSelf() and renew() but provides no automatic scheduling or notification mechanism for dynamic credentials. Users managing short-lived tokens or database credential leases (e.g., TTL: 1h, MAX_TTL: 24h) must implement their own renewal loops and handle credential rotation manually.

Changes

  • Client is now an EventEmitter — enables on/once/off for lifecycle events
  • Token renewal: startTokenRenewal(opts) / stopTokenRenewal() schedule tokenRenewSelf at a configurable fraction of TTL (default 80%). TTL can be passed directly or auto-detected via tokenLookupSelf().
  • Lease renewal: startLeaseRenewal(leaseId, duration, opts) / stopLeaseRenewal(leaseId) / stopAllRenewals() for managing dynamic secret leases independently
  • Events: token:renewed, token:expired, token:error:renew, lease:renewed, lease:expired, lease:error:renew
  • TypeScript definitions updated with TokenRenewalOptions, LeaseRenewalOptions, EventEmitter methods, and new API signatures
  • Timers are unref()'d to avoid keeping the process alive

Usage

```js
// Runs inside an async function; endpoint, token, role_id and secret_id
// are supplied by the application.
const vault = require('node-vault')({ endpoint, token });

// After authentication
const auth = await vault.approleLogin({ role_id, secret_id });
vault.startTokenRenewal({ ttl: auth.auth.lease_duration });

vault.on('token:renewed', (res) => console.log('new TTL:', res.auth.lease_duration));
vault.on('token:expired', () => { /* re-authenticate */ });
vault.on('token:error:renew', (err) => { /* handle failure */ });

// For dynamic credentials (e.g., database)
const creds = await vault.generateDatabaseCredentials({ name: 'my-role' });
vault.startLeaseRenewal(creds.lease_id, creds.lease_duration);

vault.on('lease:expired', ({ leaseId }) => { /* fetch new creds, reconnect pool */ });

// Cleanup
vault.stopAllRenewals();
```

Original prompt

This section details on the original issue you should resolve

<issue_title>Dynamic Credentials?</issue_title>
<issue_description>We have a need to use dynamic credentials (example: TTL: 1h; MAX_TTL: 24h) in a nodejs application. This library appears to provide access to static credentials, but it does not appear to support dynamic credentials. Please correct me if I am wrong (as I am certainly not a developer)...

  • After authentication, the authentication token does not appear to be "handled" (lease renewal) automatically.
  • Reading credential tokens also does not appear to pay attention to the leases.

If the authentication token or credential lease is not maintained, then Vault will revoke the credentials to the leased credential, in this case MongoDB.

Additionally, when we hit the "max" TTL, the authentication credential will need to be replaced, and there didn't appear to be any sort of "callback" mechanism to notify the rest of the application (db pool?)

Thanks,
Tommy</issue_description>

<agent_instructions>address this issue,
there may be a PR open - close it if needed </agent_instructions>

Comments on the Issue (you are @copilot in this section)

@aviadhahami Hi @TJM - feel free to PR this :D

@aviadhahami Hey @TJM not sure wdym; do u mind elaborating?

@aviadhahami To ensure I understand, you'd like this lib to handle credential rotations throughout its lifespan. is this correct?

@aviadhahami Hey @TJM ! I understand the issue better now - thx for the explanation

I do have limited amount of time tho, so I am not sure when I'll be able to attend this
Please feel free to start a draft PR and I'll join your efforts 🙇‍♂️


Copilot AI and others added 2 commits March 21, 2026 22:32
…EventEmitter support

Co-authored-by: aviadhahami <7353632+aviadhahami@users.noreply.github.com>
Agent-Logs-Url: https://github.com/nodevault/node-vault/sessions/d86303c3-13a8-4f83-9355-64b288991fa5
Copilot AI changed the title from "[WIP] Add support for dynamic credentials in Node.js application" to "Add automatic token and lease renewal with event-based lifecycle management" Mar 21, 2026
Copilot AI requested a review from aviadhahami March 21, 2026 22:34
aviadhahami marked this pull request as ready for review March 21, 2026 23:12
aviadhahami enabled auto-merge March 21, 2026 23:13
aviadhahami disabled auto-merge March 21, 2026 23:14
aviadhahami enabled auto-merge March 21, 2026 23:14
aviadhahami disabled auto-merge March 21, 2026 23:14
aviadhahami merged commit 7ad67a9 into master Mar 21, 2026
13 checks passed
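
To make the TTL / MAX_TTL interaction from the linked issue concrete, here is an added simulation (not code from this PR or from node-vault) of renewing at 80% of the granted TTL with TTL 1h and MAX_TTL 24h. `LeaseRenewer`, `makeFakeLease`, `simulate`, `firstCapped` and the `lease:renewed` payload shape are hypothetical; the fake lease assumes the server caps each renewal so the lease never outlives its max TTL.

```javascript
const { EventEmitter } = require('node:events');

// Constructed model of a lease: each renewal grants `ttl` seconds, capped so
// the lease never outlives `maxTtl` seconds from issue (assumed behaviour).
const makeFakeLease = (ttl, maxTtl) => ({
  renew: (now) => Math.max(0, Math.min(ttl, maxTtl - now)),
});

// Hypothetical renewer, not node-vault's code: renews at `fraction` of the
// current TTL and emits the event names listed in the PR description.
class LeaseRenewer extends EventEmitter {
  constructor(lease, clock, fraction = 0.8) {
    super();
    Object.assign(this, { lease, clock, fraction });
  }
  start(leaseId, duration) {
    const delay = Math.max(1, Math.round(duration * this.fraction));
    this.clock.schedule(delay, () => {
      let granted;
      try {
        granted = this.lease.renew(this.clock.now);
      } catch (error) {
        return this.emit('lease:error:renew', { leaseId, error });
      }
      if (granted <= 0) return this.emit('lease:expired', { leaseId });
      this.emit('lease:renewed', { leaseId, granted }); // payload shape assumed
      this.start(leaseId, granted); // reschedule from the TTL actually granted
    });
  }
}

// Virtual clock: runs the whole lease lifetime instantly and deterministically.
function simulate(ttl, maxTtl, fraction = 0.8) {
  const queue = [];
  const clock = { now: 0, schedule: (delay, fn) => queue.push({ at: clock.now + delay, fn }) };
  const renewer = new LeaseRenewer(makeFakeLease(ttl, maxTtl), clock, fraction);
  const log = [];
  renewer.on('lease:renewed', (e) => log.push({ t: clock.now, event: 'renewed', ttl: e.granted }));
  renewer.on('lease:expired', () => log.push({ t: clock.now, event: 'expired' }));
  renewer.start('constructed/lease/id', ttl);
  while (queue.length) { // at most one timer is pending at a time
    const next = queue.shift();
    clock.now = next.at;
    next.fn();
  }
  return log;
}
// First renewal granted less than requested: the lease is pinned against max TTL.
const firstCapped = (log, ttl) => log.find((e) => e.event === 'renewed' && e.ttl < ttl);
```

With `simulate(3600, 86400)` the first capped renewal is the earliest signal that the credential must be replaced rather than renewed; after it, renewals come at shrinking intervals until `lease:expired` fires at the max TTL.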
Development

Successfully merging this pull request may close these issues.

Dynamic Credentials?