0nmcp 1.4.0 → 1.6.0

package/cli.js

@@ -12,6 +12,7 @@
  *   npx 0nmcp connect      Interactive connection setup
  *   npx 0nmcp list         List connected services
  *   npx 0nmcp migrate      Migrate from ~/.0nmcp to ~/.0n
+ *   npx 0nmcp engine       Engine commands (import, verify, platforms, export, open)
  * 
  * ═══════════════════════════════════════════════════════════════════════════
  */
@@ -78,6 +79,14 @@ ${c.bright}Usage:${c.reset}
   ${c.cyan}npx 0nmcp list${c.reset}         List connected services
   ${c.cyan}npx 0nmcp migrate${c.reset}      Migrate from ~/.0nmcp to ~/.0n
 
+${c.bright}Engine commands:${c.reset}
+
+  ${c.cyan}npx 0nmcp engine import <file>${c.reset}    Import credentials from .env/CSV/JSON
+  ${c.cyan}npx 0nmcp engine verify${c.reset}           Verify all connected API keys
+  ${c.cyan}npx 0nmcp engine platforms${c.reset}        Generate AI platform configs
+  ${c.cyan}npx 0nmcp engine export${c.reset}           Export .0n bundle (AI Brain)
+  ${c.cyan}npx 0nmcp engine open <bundle>${c.reset}    Open/inspect a .0n bundle
+
 ${c.bright}Serve options:${c.reset}
 
   ${c.cyan}npx 0nmcp serve --port 3000 --host 0.0.0.0${c.reset}
@@ -208,6 +217,13 @@ ${c.bright}Links:${c.reset}
     }
   }
 
+  // Engine
+  if (command === 'engine') {
+    console.log(BANNER);
+    await handleEngine(args.slice(1));
+    return;
+  }
+
   // Migrate
   if (command === 'migrate') {
     console.log(BANNER);
@@ -421,4 +437,244 @@ async function interactiveConnect() {
   console.log(`  Saved to: ${filePath}`);
 }
 
+async function handleEngine(args) {
+  const sub = args[0];
+
+  if (!sub || sub === 'help') {
+    console.log(`${c.bright}Engine — .0n Conversion Engine${c.reset}\n`);
+    console.log(`  ${c.cyan}import <file>${c.reset}     Import credentials from .env, CSV, or JSON`);
+    console.log(`  ${c.cyan}verify${c.reset}            Verify all connected API keys`);
+    console.log(`  ${c.cyan}platforms${c.reset}         Generate AI platform configs`);
+    console.log(`  ${c.cyan}export${c.reset}            Export .0n bundle (AI Brain)`);
+    console.log(`  ${c.cyan}open <bundle>${c.reset}     Open/inspect a .0n bundle file\n`);
+    return;
+  }
+
+  if (sub === 'import') {
+    const source = args[1];
+    if (!source) {
+      console.log(`${c.red}Usage: npx 0nmcp engine import <file>${c.reset}`);
+      process.exit(1);
+    }
+    try {
+      const { parseFile } = await import('./engine/parser.js');
+      const { mapEnvVars, groupByService, validateMapping } = await import('./engine/mapper.js');
+      const { entries } = parseFile(source);
+      const { mapped, unmapped } = mapEnvVars(entries);
+      const groups = groupByService(mapped);
+
+      console.log(`${c.bright}Import Results:${c.reset}\n`);
+      console.log(`  Entries found:  ${entries.length}`);
+      console.log(`  Mapped:         ${mapped.length}`);
+      console.log(`  Unmapped:       ${unmapped.length}\n`);
+
+      console.log(`${c.bright}Services Detected:${c.reset}\n`);
+      for (const [service, group] of Object.entries(groups)) {
+        const validation = validateMapping(service, group.credentials);
+        const status = validation.valid ? `${c.green}complete${c.reset}` : `${c.yellow}missing: ${validation.missing.join(', ')}${c.reset}`;
+        console.log(`  ${c.green}●${c.reset} ${c.bright}${service}${c.reset} — ${Object.keys(group.credentials).length} credentials (${status})`);
+      }
+
+      if (unmapped.length > 0) {
+        console.log(`\n${c.yellow}Unmapped variables:${c.reset} ${unmapped.map(u => u.key).join(', ')}`);
+      }
+
+      console.log(`\n${c.bright}Next:${c.reset} Run ${c.cyan}npx 0nmcp engine export${c.reset} to create a portable .0n bundle.`);
+    } catch (err) {
+      console.log(`${c.red}Error: ${err.message}${c.reset}`);
+      process.exit(1);
+    }
+    return;
+  }
+
+  if (sub === 'verify') {
+    try {
+      const { verifyAll } = await import('./engine/validator.js');
+      const { existsSync, readdirSync, readFileSync } = await import('fs');
+      const connectionsDir = path.join(DOT_ON_DIR, 'connections');
+
+      if (!existsSync(connectionsDir)) {
+        console.log(`${c.yellow}No connections found. Run ${c.cyan}npx 0nmcp connect${c.reset} first.`);
+        return;
+      }
+
+      const files = readdirSync(connectionsDir).filter(f => f.endsWith('.0n') || f.endsWith('.0n.json'));
+      const connections = {};
+      for (const file of files) {
+        try {
+          const data = JSON.parse(readFileSync(path.join(connectionsDir, file), 'utf8'));
+          if (data.$0n?.sealed) continue;
+          connections[data.service] = { credentials: data.auth?.credentials || {} };
+        } catch { /* skip */ }
+      }
+
+      if (Object.keys(connections).length === 0) {
+        console.log(`${c.yellow}No unsealed connections to verify.${c.reset}`);
+        return;
+      }
+
+      console.log(`${c.bright}Verifying ${Object.keys(connections).length} connections...${c.reset}\n`);
+
+      const { results, summary } = await verifyAll(connections);
+      for (const [service, result] of Object.entries(results)) {
+        const icon = result.valid ? `${c.green}✓` : `${c.red}✗`;
+        const latency = result.latency_ms ? ` (${result.latency_ms}ms)` : '';
+        console.log(`  ${icon}${c.reset} ${c.bright}${service}${c.reset}${latency}${result.error ? ` — ${result.error}` : ''}`);
+      }
+
+      console.log(`\n${c.bright}Summary:${c.reset} ${summary.valid}/${summary.total} valid`);
+    } catch (err) {
+      console.log(`${c.red}Error: ${err.message}${c.reset}`);
+      process.exit(1);
+    }
+    return;
+  }
+
+  if (sub === 'platforms') {
+    try {
+      const { getPlatformInfo, generatePlatformConfig } = await import('./engine/platforms.js');
+      const platform = args[1];
+
+      if (platform) {
+        const config = generatePlatformConfig(platform);
+        console.log(`${c.bright}${config.name} Configuration:${c.reset}\n`);
+        console.log(`  Config path: ${config.path || '(HTTP only)'}`);
+        console.log(`  Format: ${config.format}\n`);
+        console.log(typeof config.config === 'string' ? config.config : JSON.stringify(config.config, null, 2));
+      } else {
+        const info = getPlatformInfo();
+        console.log(`${c.bright}Supported AI Platforms:${c.reset}\n`);
+        for (const p of info) {
+          const status = p.installed ? `${c.green}installed${c.reset}` : `${c.yellow}not installed${c.reset}`;
+          console.log(`  ${p.installed ? c.green + '●' : c.blue + '○'}${c.reset} ${c.bright}${p.name}${c.reset} (${status})`);
+          if (p.configPath) console.log(`    ${p.configPath}`);
+        }
+        console.log(`\n${c.bright}Tip:${c.reset} Run ${c.cyan}npx 0nmcp engine platforms <name>${c.reset} to see config for a specific platform.`);
+        console.log(`     Names: claude_desktop, cursor, windsurf, gemini, continue, cline, openai`);
+      }
+    } catch (err) {
+      console.log(`${c.red}Error: ${err.message}${c.reset}`);
+      process.exit(1);
+    }
+    return;
+  }
+
+  if (sub === 'export') {
+    const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+    const ask = (q) => new Promise(resolve => rl.question(q, resolve));
+
+    try {
+      const passphrase = await ask('Bundle passphrase: ');
+      if (!passphrase) {
+        console.log(`${c.red}Passphrase required.${c.reset}`);
+        rl.close();
+        process.exit(1);
+      }
+      const name = await ask(`Bundle name (default: 0n AI Brain): `) || '0n AI Brain';
+      rl.close();
+
+      const { createBundle } = await import('./engine/bundler.js');
+      const { existsSync, readdirSync, readFileSync } = await import('fs');
+      const connectionsDir = path.join(DOT_ON_DIR, 'connections');
+
+      if (!existsSync(connectionsDir)) {
+        console.log(`${c.yellow}No connections found.${c.reset}`);
+        return;
+      }
+
+      const files = readdirSync(connectionsDir).filter(f => f.endsWith('.0n') || f.endsWith('.0n.json'));
+      const connections = {};
+      for (const file of files) {
+        try {
+          const data = JSON.parse(readFileSync(path.join(connectionsDir, file), 'utf8'));
+          if (data.$0n?.sealed) continue;
+          connections[data.service] = {
+            credentials: data.auth?.credentials || {},
+            name: data.$0n?.name || data.service,
+            authType: data.auth?.type || 'api_key',
+            environment: data.environment || 'production',
+          };
+        } catch { /* skip */ }
+      }
+
+      if (Object.keys(connections).length === 0) {
+        console.log(`${c.yellow}No exportable connections found.${c.reset}`);
+        return;
+      }
+
+      console.log(`\n${c.bright}Creating AI Brain bundle...${c.reset}\n`);
+
+      const result = createBundle({ connections, passphrase, name, platforms: 'all' });
+
+      console.log(`${c.green}${c.bright}Bundle created!${c.reset}\n`);
+      console.log(`  Path:        ${result.path}`);
+      console.log(`  Services:    ${result.manifest.services.join(', ')}`);
+      console.log(`  Connections: ${result.manifest.connection_count}`);
+      console.log(`  Platforms:   ${result.manifest.platform_count}`);
+      console.log(`  Encryption:  ${result.manifest.encryption.method}`);
+      console.log(`\n${c.bright}Share this file — recipient opens with:${c.reset} ${c.cyan}npx 0nmcp engine open <bundle>${c.reset}`);
+    } catch (err) {
+      console.log(`${c.red}Error: ${err.message}${c.reset}`);
+      process.exit(1);
+    }
+    return;
+  }
+
+  if (sub === 'open') {
+    const bundlePath = args[1];
+    if (!bundlePath) {
+      console.log(`${c.red}Usage: npx 0nmcp engine open <bundle.0n>${c.reset}`);
+      process.exit(1);
+    }
+
+    try {
+      const { inspectBundle, openBundle } = await import('./engine/bundler.js');
+
+      // First inspect
+      const info = inspectBundle(bundlePath);
+      console.log(`${c.bright}Bundle: ${info.name}${c.reset}\n`);
+      console.log(`  Created:  ${info.created}`);
+      console.log(`  Services: ${info.services.map(s => s.service).join(', ')}`);
+      console.log(`  Platforms: ${info.platforms.join(', ')}`);
+      if (info.includes.length > 0) {
+        console.log(`  Includes: ${info.includes.map(i => i.name).join(', ')}`);
+      }
+
+      const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+      const ask = (q) => new Promise(resolve => rl.question(q, resolve));
+
+      const passphrase = await ask('\nPassphrase to decrypt (leave empty to inspect only): ');
+      rl.close();
+
+      if (!passphrase) {
+        console.log(`\n${c.yellow}Inspect only — no credentials extracted.${c.reset}`);
+        return;
+      }
+
+      const result = openBundle(bundlePath, passphrase);
+
+      console.log(`\n${c.green}${c.bright}Bundle opened!${c.reset}\n`);
+      console.log(`  Connections imported: ${result.connections.join(', ')}`);
+      if (result.includes.length > 0) {
+        console.log(`  Files extracted: ${result.includes.join(', ')}`);
+      }
+      if (result.errors.length > 0) {
+        console.log(`\n${c.red}Errors:${c.reset}`);
+        for (const err of result.errors) {
+          console.log(`  ${c.red}●${c.reset} ${err}`);
+        }
+      }
+      console.log(`\n${c.bright}Tip:${c.reset} Run ${c.cyan}npx 0nmcp engine platforms${c.reset} to install AI platform configs.`);
+    } catch (err) {
+      console.log(`${c.red}Error: ${err.message}${c.reset}`);
+      process.exit(1);
+    }
+    return;
+  }
+
+  console.log(`${c.red}Unknown engine command: ${sub}${c.reset}`);
+  console.log(`Run ${c.cyan}npx 0nmcp engine help${c.reset} for usage`);
+  process.exit(1);
+}
+
 main().catch(console.error);

package/connections.js

@@ -244,8 +244,12 @@ export class ConnectionManager {
 
   /**
    * Get credentials for a service.
+   * Checks vault unsealed cache first for sealed connections.
    */
   getCredentials(serviceKey) {
+    // Check if vault has unsealed credentials in memory
+    const unsealed = this._vaultCache?.get(serviceKey);
+    if (unsealed) return unsealed;
     return this.connections[serviceKey]?.credentials || null;
   }
 

package/engine/bundler.js

@@ -0,0 +1,395 @@
+// ============================================================
+// 0nMCP — Engine: Bundle Creator/Opener
+// ============================================================
+// Creates and opens portable .0n bundle files — the "Alpha
+// AI Brain" format. Bundles contain encrypted connections,
+// platform configs, and optional include files.
+//
+// Portable encryption: passphrase-only (no machine binding).
+// After import, optionally re-seal with vault for machine lock.
+//
+// Patent Pending: US Provisional Patent Application #63/968,814
+// ============================================================
+
+import { readFileSync, writeFileSync, existsSync, mkdirSync } from "fs";
+import { join, basename } from "path";
+import { createHash } from "crypto";
+import { homedir } from "os";
+import { sealPortable, unsealPortable } from "./cipher-portable.js";
+import { generateAllPlatformConfigs } from "./platforms.js";
+import { CONNECTIONS_PATH } from "../connections.js";
+
+const BUNDLES_DIR = join(homedir(), ".0n", "bundles");
+
+/**
+ * Compute SHA-256 checksum of a string.
+ */
+function sha256(data) {
+  return createHash("sha256").update(data).digest("hex");
+}
+
+/**
+ * Create a .0n bundle file.
+ *
+ * @param {object} options
+ * @param {Record<string, { credentials: Record<string, string>, authType?: string }>} options.connections
+ * @param {string} options.passphrase
+ * @param {string} [options.outputPath]
+ * @param {string} [options.name]
+ * @param {string} [options.description]
+ * @param {string[]|"all"} [options.platforms] - Platform keys or "all"
+ * @param {Array<{ path: string, type?: string, name?: string }>} [options.includes]
+ * @param {boolean} [options.seal] - Default true
+ * @returns {{ bundle: object, path: string, manifest: object }}
+ */
+export function createBundle(options) {
+  const {
+    connections,
+    passphrase,
+    outputPath,
+    name = "0n Bundle",
+    description = "",
+    platforms = "all",
+    includes = [],
+    seal = true,
+  } = options;
+
+  const now = new Date().toISOString();
+
+  // Build connections array
+  const bundleConnections = [];
+  for (const [service, conn] of Object.entries(connections)) {
+    const credJson = JSON.stringify(conn.credentials);
+
+    if (seal) {
+      const { sealed } = sealPortable(credJson, passphrase);
+      bundleConnections.push({
+        service,
+        name: conn.name || service,
+        environment: conn.environment || "production",
+        auth_type: conn.authType || "api_key",
+        credential_keys: Object.keys(conn.credentials),
+        sealed: true,
+        vault: {
+          data: sealed,
+          algorithm: "aes-256-gcm",
+          kdf: "pbkdf2-sha512-100k",
+          portable: true,
+        },
+      });
+    } else {
+      bundleConnections.push({
+        service,
+        name: conn.name || service,
+        environment: conn.environment || "production",
+        auth_type: conn.authType || "api_key",
+        credential_keys: Object.keys(conn.credentials),
+        sealed: false,
+        credentials: conn.credentials,
+      });
+    }
+  }
+
+  // Generate platform configs
+  let platformConfigs = {};
+  if (platforms === "all" || (Array.isArray(platforms) && platforms.length > 0)) {
+    const allConfigs = generateAllPlatformConfigs({});
+    if (platforms === "all") {
+      platformConfigs = {};
+      for (const [key, cfg] of Object.entries(allConfigs)) {
+        platformConfigs[key] = {
+          format: cfg.format,
+          config_path: cfg.path,
+          config: cfg.config,
+        };
+      }
+    } else {
+      for (const key of platforms) {
+        if (allConfigs[key]) {
+          platformConfigs[key] = {
+            format: allConfigs[key].format,
+            config_path: allConfigs[key].path,
+            config: allConfigs[key].config,
+          };
+        }
+      }
+    }
+  }
+
+  // Process include files
+  const bundleIncludes = [];
+  for (const inc of includes) {
+    if (!existsSync(inc.path)) continue;
+    const content = readFileSync(inc.path);
+    const data = content.toString("base64");
+    bundleIncludes.push({
+      name: inc.name || basename(inc.path),
+      type: inc.type || detectIncludeType(inc.path),
+      target: inc.target || detectTarget(inc.path),
+      data,
+      checksum: `sha256:${sha256(content.toString())}`,
+      size: content.length,
+    });
+  }
+
+  // Build manifest
+  const connectionsStr = JSON.stringify(bundleConnections);
+  const platformsStr = JSON.stringify(platformConfigs);
+  const includesStr = JSON.stringify(bundleIncludes);
+
+  const manifest = {
+    bundle_version: "1.0.0",
+    generator: "0nmcp-engine/1.6.0",
+    connection_count: bundleConnections.length,
+    platform_count: Object.keys(platformConfigs).length,
+    include_count: bundleIncludes.length,
+    services: bundleConnections.map(c => c.service),
+    encryption: seal
+      ? { method: "portable", algorithm: "aes-256-gcm", kdf: "pbkdf2-sha512-100k" }
+      : { method: "none" },
+    checksums: {
+      connections: `sha256:${sha256(connectionsStr)}`,
+      platforms: `sha256:${sha256(platformsStr)}`,
+      includes: `sha256:${sha256(includesStr)}`,
+    },
+  };
+
+  // Assemble bundle
+  const bundle = {
+    $0n: {
+      type: "bundle",
+      version: "1.0.0",
+      created: now,
+      updated: now,
+      name,
+      description,
+    },
+    connections: bundleConnections,
+    platforms: platformConfigs,
+    includes: bundleIncludes,
+    manifest,
+  };
+
+  // Write to file
+  if (!existsSync(BUNDLES_DIR)) mkdirSync(BUNDLES_DIR, { recursive: true });
+  const ts = now.replace(/[:.]/g, "-").slice(0, 19);
+  const outPath = outputPath || join(BUNDLES_DIR, `bundle-${ts}.0n`);
+  const outDir = join(outPath, "..");
+  if (!existsSync(outDir)) mkdirSync(outDir, { recursive: true });
+
+  writeFileSync(outPath, JSON.stringify(bundle, null, 2));
+
+  return { bundle, path: outPath, manifest };
+}
+
+/**
+ * Open a .0n bundle and extract connections.
+ *
+ * @param {string} bundlePath
+ * @param {string} passphrase
+ * @param {object} [options]
+ * @param {boolean} [options.installConnections] - Write to ~/.0n/connections/ (default true)
+ * @param {boolean} [options.dryRun] - Preview without writing (default false)
+ * @returns {{ connections: string[], platforms: string[], includes: string[], errors: string[] }}
+ */
+export function openBundle(bundlePath, passphrase, options = {}) {
+  const { installConnections = true, dryRun = false } = options;
+
+  const raw = readFileSync(bundlePath, "utf-8");
+  const bundle = JSON.parse(raw);
+
+  if (!bundle.$0n || bundle.$0n.type !== "bundle") {
+    throw new Error("Not a valid .0n bundle file.");
+  }
+
+  const results = { connections: [], platforms: [], includes: [], errors: [] };
+
+  // Extract connections
+  for (const conn of bundle.connections || []) {
+    try {
+      let credentials;
+
+      if (conn.sealed && conn.vault?.data) {
+        const decrypted = unsealPortable(conn.vault.data, passphrase);
+        credentials = JSON.parse(decrypted);
+      } else if (conn.credentials) {
+        credentials = conn.credentials;
+      } else {
+        results.errors.push(`${conn.service}: No credentials found`);
+        continue;
+      }
+
+      if (installConnections && !dryRun) {
+        // Write as standard .0n connection file
+        const connFile = {
+          $0n: {
+            type: "connection",
+            version: "1.0.0",
+            created: new Date().toISOString(),
+            name: conn.name || conn.service,
+          },
+          service: conn.service,
+          environment: conn.environment || "production",
+          auth: {
+            type: conn.auth_type || "api_key",
+            credentials,
+          },
+          metadata: {
+            imported_from: basename(bundlePath),
+            imported_at: new Date().toISOString(),
+          },
+        };
+
+        if (!existsSync(CONNECTIONS_PATH)) mkdirSync(CONNECTIONS_PATH, { recursive: true });
+        const filePath = join(CONNECTIONS_PATH, `${conn.service}.0n`);
+        writeFileSync(filePath, JSON.stringify(connFile, null, 2));
+      }
+
+      results.connections.push(conn.service);
+    } catch (err) {
+      results.errors.push(`${conn.service}: ${err.message}`);
+    }
+  }
+
+  // Extract includes
+  for (const inc of bundle.includes || []) {
+    try {
+      if (dryRun) {
+        results.includes.push(inc.name);
+        continue;
+      }
+
+      const target = inc.target
+        ? inc.target.replace("~", homedir())
+        : join(homedir(), ".0n", inc.type === "workflow" ? "workflows" : "plugins", inc.name);
+
+      const dir = join(target, "..");
+      if (!existsSync(dir)) mkdirSync(dir, { recursive: true });
+
+      const data = Buffer.from(inc.data, "base64");
+
+      // Verify checksum
+      if (inc.checksum) {
+        const expected = inc.checksum.replace("sha256:", "");
+        const actual = sha256(data.toString());
+        if (actual !== expected) {
+          results.errors.push(`${inc.name}: Checksum mismatch`);
+          continue;
+        }
+      }
+
+      writeFileSync(target, data);
+      results.includes.push(inc.name);
+    } catch (err) {
+      results.errors.push(`${inc.name}: ${err.message}`);
+    }
+  }
+
+  // List platforms
+  for (const key of Object.keys(bundle.platforms || {})) {
+    results.platforms.push(key);
+  }
+
+  return results;
+}
+
+/**
+ * Inspect a bundle without passphrase — shows metadata only, no credentials.
+ * @param {string} bundlePath
+ * @returns {object} Bundle metadata and service list
+ */
+export function inspectBundle(bundlePath) {
+  const raw = readFileSync(bundlePath, "utf-8");
+  const bundle = JSON.parse(raw);
+
+  if (!bundle.$0n || bundle.$0n.type !== "bundle") {
+    throw new Error("Not a valid .0n bundle file.");
+  }
+
+  return {
+    name: bundle.$0n.name,
+    description: bundle.$0n.description,
+    created: bundle.$0n.created,
+    version: bundle.$0n.version,
+    services: (bundle.connections || []).map(c => ({
+      service: c.service,
+      name: c.name,
+      sealed: c.sealed,
+      credential_keys: c.credential_keys,
+    })),
+    platforms: Object.keys(bundle.platforms || {}),
+    includes: (bundle.includes || []).map(i => ({
+      name: i.name,
+      type: i.type,
+      size: i.size,
+    })),
+    manifest: bundle.manifest,
+  };
+}
+
+/**
+ * Verify bundle integrity: checksums + passphrase test.
+ * @param {string} bundlePath
+ * @param {string} passphrase
+ * @returns {{ valid: boolean, errors: string[] }}
+ */
+export function verifyBundle(bundlePath, passphrase) {
+  const raw = readFileSync(bundlePath, "utf-8");
+  const bundle = JSON.parse(raw);
+  const errors = [];
+
+  if (!bundle.$0n || bundle.$0n.type !== "bundle") {
+    return { valid: false, errors: ["Not a valid .0n bundle file."] };
+  }
+
+  // Verify manifest checksums
+  const checksums = bundle.manifest?.checksums || {};
+  if (checksums.connections) {
+    const actual = sha256(JSON.stringify(bundle.connections));
+    const expected = checksums.connections.replace("sha256:", "");
+    if (actual !== expected) errors.push("Connections checksum mismatch");
+  }
+  if (checksums.platforms) {
+    const actual = sha256(JSON.stringify(bundle.platforms));
+    const expected = checksums.platforms.replace("sha256:", "");
+    if (actual !== expected) errors.push("Platforms checksum mismatch");
+  }
+
+  // Try to unseal each connection
+  for (const conn of bundle.connections || []) {
+    if (conn.sealed && conn.vault?.data) {
+      try {
+        unsealPortable(conn.vault.data, passphrase);
+      } catch {
+        errors.push(`${conn.service}: Failed to unseal — wrong passphrase`);
+      }
+    }
+  }
+
+  return { valid: errors.length === 0, errors };
+}
+
+/**
+ * Detect include file type from path.
+ */
+function detectIncludeType(filePath) {
+  if (filePath.endsWith(".0n")) return "workflow";
+  if (filePath.endsWith(".js") || filePath.endsWith(".mjs")) return "skill";
+  if (filePath.endsWith(".json")) return "config";
+  if (filePath.endsWith(".md")) return "doc";
+  return "file";
+}
+
+/**
+ * Detect target directory for include files.
+ */
+function detectTarget(filePath) {
+  const type = detectIncludeType(filePath);
+  const name = basename(filePath);
+  switch (type) {
+    case "workflow": return `~/.0n/workflows/${name}`;
+    case "skill": return `~/.0n/plugins/${name}`;
+    case "config": return `~/.0n/${name}`;
+    default: return `~/.0n/includes/${name}`;
+  }
+}