@action-llama/action-llama 0.2.0 → 0.4.0

package/dist/setup/scaffold.js

@@ -1,8 +1,8 @@
 import { mkdirSync, writeFileSync, existsSync } from "fs";
 import { resolve } from "path";
 import { stringify as stringifyTOML } from "smol-toml";
-import { writeCredential } from "../shared/credentials.js";
-export { writeCredential };
+import { writeCredentialField, writeCredentialFields } from "../shared/credentials.js";
+export { writeCredentialField, writeCredentialFields };
 const PROJECT_AGENTS_MD = `# Action Llama Project
 
 This is an Action Llama project. It runs automated development agents triggered by cron schedules or webhooks.
@@ -11,47 +11,382 @@ This is an Action Llama project. It runs automated development agents triggered
 
 Each agent is a directory containing:
 
-- \`agent-config.toml\` — credentials, repos, model, schedule, webhooks, params
-- \`AGENTS.md\` — the system prompt that defines what the agent does
+- \`agent-config.toml\` — credentials, model, schedule, webhooks, params
+- \`PLAYBOOK.md\` — the system prompt (playbook) that defines what the agent does
+- \`Dockerfile\` (optional) — custom Docker image extending the base \`al-agent:latest\` (e.g. to install extra tools like \`gh\`)
 
 ## Creating an Agent
 
 1. Create a directory for your agent (e.g. \`my-agent/\`)
-2. Add \`agent-config.toml\` with credentials, repos, model config, and a schedule or webhook trigger
-3. Add \`AGENTS.md\` with the system prompt — instructions the LLM follows each run
-4. Verify with \`npx al status\`
-5. Run with \`npx al start\`
+2. Add \`agent-config.toml\` with credentials, model config, and a schedule or webhook trigger
+3. Add \`PLAYBOOK.md\` with the playbook — step-by-step instructions the LLM follows each run
+4. If running in Docker mode and your agent needs tools beyond what the base image provides (git, curl, openssh-client, node), add a \`Dockerfile\` — see Docker Mode section below
+5. Verify with \`npx al status\`
+6. Run with \`npx al start\`
 
-## Example \`agent-config.toml\`
+## Credential Reference
+
+Credentials are managed by the user via \`al doctor\` and stored in \`~/.action-llama-credentials/<type>/<instance>/<field>\`. Reference them in \`credentials\` arrays as \`"type:instance"\` (e.g. \`"github_token:default"\`). The \`:default\` instance suffix can be omitted.
+
+| Type | What it is | Fields | Runtime injection | What it enables |
+|------|-----------|--------|-------------------|----------------|
+| \`anthropic_key\` | Anthropic API key or OAuth token | \`token\` | Read directly by the agent SDK (not an env var) | LLM access — required for all agents |
+| \`github_token\` | GitHub PAT (repo + workflow scopes) | \`token\` | \`GITHUB_TOKEN\` and \`GH_TOKEN\` env vars | \`gh\` CLI, \`git\` over HTTPS, GitHub API |
+| \`git_ssh\` | SSH private key + git identity | \`id_rsa\`, \`username\`, \`email\` | SSH key mounted as file; \`GIT_SSH_COMMAND\` configured automatically; \`GIT_AUTHOR_NAME\`/\`GIT_AUTHOR_EMAIL\`/\`GIT_COMMITTER_NAME\`/\`GIT_COMMITTER_EMAIL\` set from \`username\`/\`email\` | \`git clone\`/\`push\` over SSH — **required for pushing to repos** |
+| \`sentry_token\` | Sentry auth token | \`token\` | \`SENTRY_AUTH_TOKEN\` env var | Sentry API via \`curl\` |
+| \`github_webhook_secret\` | Shared HMAC secret | \`secret\` | Used by gateway only (not injected into agents) | Validates GitHub webhook payloads |
+| \`sentry_client_secret\` | Sentry client secret | \`secret\` | Used by gateway only (not injected into agents) | Validates Sentry webhook payloads |
+
+**IMPORTANT:** Agents MUST NEVER ask users for credentials directly (API keys, tokens, passwords, etc.). Agents MUST NEVER run \`al doctor\` or interact with the credential system on behalf of the user. If a credential is missing at runtime, the agent should report the error and stop — the user will run \`al doctor\` and \`al start\` themselves.
+
+## Runtime Context
+
+Every agent prompt has these XML blocks injected automatically at runtime:
+
+### \`<agent-config>\`
+
+JSON object containing the agent's custom \`[params]\` from \`agent-config.toml\`. Example:
+
+\`\`\`json
+{"repos":["acme/app"],"triggerLabel":"agent","assignee":"bot-user"}
+\`\`\`
+
+(In this example, \`repos\` is a custom param defined in \`[params]\` — not a built-in field.)
+
+### \`<credential-context>\`
+
+Lists which env vars and tools are available based on the agent's \`credentials\` array. Includes anti-exfiltration policy. The agent can rely on env vars like \`GITHUB_TOKEN\`, \`GH_TOKEN\`, \`SENTRY_AUTH_TOKEN\` being already set — it does NOT need to set them.
+
+### \`<webhook-trigger>\` (webhook runs only)
+
+JSON object with the webhook event details. Only present when the agent is triggered by a webhook (not on scheduled runs). Schema:
+
+\`\`\`json
+{
+  "source": "github",
+  "event": "issues",
+  "action": "labeled",
+  "repo": "acme/app",
+  "number": 42,
+  "title": "Add dark mode",
+  "body": "Issue description...",
+  "url": "https://github.com/acme/app/issues/42",
+  "author": "user",
+  "assignee": "bot-user",
+  "labels": ["agent"],
+  "branch": null,
+  "comment": null,
+  "sender": "user",
+  "timestamp": "2025-01-15T10:30:00Z"
+}
+\`\`\`
+
+### \`<agent-trigger>\` (agent-triggered runs only)
+
+JSON object with the source agent name and context. Only present when the agent was triggered by another agent via a \`[TRIGGER]\` signal. Schema:
+
+\`\`\`json
+{
+  "source": "dev",
+  "context": "I just opened PR #42 on acme/app. Please review it."
+}
+\`\`\`
+
+### Triggering other agents
+
+An agent can trigger another agent by including a \`[TRIGGER]\` block in its output:
+
+\`\`\`
+[TRIGGER: reviewer]
+I just opened PR #42. Please review it.
+URL: https://github.com/acme/app/pull/42
+[/TRIGGER]
+\`\`\`
+
+The scheduler will run the target agent with the context injected as an \`<agent-trigger>\` block. Rules:
+- An agent cannot trigger itself
+- If the target is busy or does not exist, the trigger is skipped
+- Trigger chains are limited by \`maxTriggerDepth\` in \`config.toml\` (default: 3)
+
+## Webhook Reference
+
+### How webhooks work
+
+1. The gateway receives an HTTP POST from GitHub or Sentry at \`/webhooks/github\` or \`/webhooks/sentry\`
+2. The payload is validated using secrets loaded from the named credential instance (e.g. HMAC-SHA256 for GitHub using \`github_webhook_secret\`, client secret for Sentry using \`sentry_client_secret\`)
+3. The gateway matches the event against all agents' \`[[webhooks]]\` entries (AND logic — all specified fields must match; omitted fields are not checked)
+4. Matching agents are triggered with a \`<webhook-trigger>\` block injected into their prompt
+
+### GitHub webhook fields
+
+| Field | Type | Description |
+|-------|------|-------------|
+| \`type\` | string | Provider type — must be \`"github"\` (required) |
+| \`source\` | string | Credential instance name (optional, e.g. \`"MyOrg"\`) |
+| \`repos\` | string[] | Filter to specific repos (owner/repo format) |
+| \`events\` | string[] | Event types: \`issues\`, \`pull_request\`, \`push\`, \`issue_comment\`, etc. |
+| \`actions\` | string[] | Event actions: \`opened\`, \`labeled\`, \`closed\`, \`synchronize\`, etc. |
+| \`labels\` | string[] | Only trigger when the issue/PR has ALL of these labels |
+| \`assignee\` | string | Only trigger when assigned to this user |
+| \`author\` | string | Only trigger for events by this author |
+| \`branches\` | string[] | Only trigger for pushes/PRs on these branches |
+
+### Sentry webhook fields
+
+| Field | Type | Description |
+|-------|------|-------------|
+| \`type\` | string | Provider type — must be \`"sentry"\` (required) |
+| \`source\` | string | Credential instance name (optional) |
+| \`resources\` | string[] | Resource types: \`error\`, \`event_alert\`, \`metric_alert\`, \`issue\`, \`comment\` |
+
+### GitHub webhook setup
+
+In your GitHub repo settings, add a webhook:
+- **Payload URL:** \`http://<your-host>:8080/webhooks/github\`
+- **Content type:** \`application/json\`
+- **Secret:** the same secret stored as the \`github_webhook_secret\` credential
+
+### TOML syntax for webhooks
+
+Each webhook is a separate \`[[webhooks]]\` block (double brackets = array of tables):
+
+\`\`\`toml
+# Each [[webhooks]] is a separate array entry
+[[webhooks]]
+type = "github"
+repos = ["acme/app"]
+events = ["issues"]
+actions = ["labeled"]
+labels = ["agent"]
+
+[[webhooks]]
+type = "github"
+source = "MyOrg"          # optional — credential instance name
+repos = ["my-org/other-repo"]
+events = ["pull_request"]
+
+[[webhooks]]
+type = "sentry"
+resources = ["error", "event_alert"]
+\`\`\`
+
+\`type\` is the provider type (required). \`source\` is the credential instance name (optional — defaults to \`"default"\`).
+
+## \`agent-config.toml\` Complete Reference
+
+The config file uses TOML syntax. The agent name is derived from the directory name — do not include it in the config.
+
+### Minimal example (schedule only)
 
 \`\`\`toml
-credentials = ["anthropic-key", "github-token"]
+credentials = ["github_token:default", "git_ssh:default"]
+schedule = "*/5 * * * *"
+
+[params]
 repos = ["your-org/your-repo"]
+\`\`\`
+
+The \`[model]\` section is **optional** — agents inherit the default model from the project's \`config.toml\`. Only add \`[model]\` to an agent config if you want to override the default (e.g. use a different model or thinking level for that specific agent).
+
+### Full example (schedule + webhooks + params + model override)
+
+\`\`\`toml
+credentials = ["github_token:default", "git_ssh:default", "sentry_token:default"]
 schedule = "*/5 * * * *"
 
+# Optional: override the project default model for this agent
 [model]
 provider = "anthropic"
 model = "claude-sonnet-4-20250514"
 thinkingLevel = "medium"
 authType = "api_key"
+
+[[webhooks]]
+type = "github"
+repos = ["acme/app"]
+events = ["issues"]
+actions = ["labeled"]
+labels = ["agent"]
+
+[[webhooks]]
+type = "sentry"
+resources = ["error", "event_alert"]
+
+[params]
+repos = ["acme/app", "acme/api"]
+triggerLabel = "agent"
+assignee = "bot-user"
+sentryOrg = "acme"
+sentryProjects = ["web-app", "api"]
+\`\`\`
+
+### Field reference
+
+| Field | Type | Required | Description |
+|-------|------|----------|-------------|
+| \`credentials\` | string[] | Yes | Credential refs as \`"type:instance"\` (see Credential Reference above) |
+| \`schedule\` | string | No* | Cron expression (e.g. "*/5 * * * *") |
+| \`model\` | table | No | LLM model config — omit to inherit from project \`config.toml\` |
+| \`model.provider\` | string | Yes* | "anthropic" or "openai" |
+| \`model.model\` | string | Yes* | Model ID (e.g. "claude-sonnet-4-20250514") |
+| \`model.thinkingLevel\` | string | Yes* | off \\| minimal \\| low \\| medium \\| high \\| xhigh |
+| \`model.authType\` | string | Yes* | api_key \\| oauth_token \\| pi_auth |
+| \`webhooks[].type\` | string | Yes | Provider type: "github" or "sentry" |
+| \`webhooks[].source\` | string | No | Credential instance name (defaults to "default") |
+| \`webhooks[].repos\` | string[] | No | Filter to specific repos |
+| \`webhooks[].events\` | string[] | No | GitHub event types: issues, pull_request, push |
+| \`webhooks[].actions\` | string[] | No | GitHub actions: opened, labeled, closed |
+| \`webhooks[].labels\` | string[] | No | Only trigger for issues/PRs with these labels |
+| \`webhooks[].resources\` | string[] | No | Sentry resources: error, event_alert, metric_alert, issue, comment |
+| \`params.*\` | any | No | Custom key-value pairs injected into the prompt |
+
+*At least one of \`schedule\` or \`webhooks\` is required. *Required within \`[model]\` if the agent defines its own model block.
+
+### TOML syntax reminders
+
+- Strings: \`key = "value"\`
+- Arrays: \`key = ["a", "b"]\`
+- Tables (objects): \`[tableName]\` on its own line, followed by key-value pairs
+- Array of tables: \`[[arrayName]]\` on its own line — each block is one entry in the array
+- Comments: \`# comment\`
+
+## Example Playbook
+
+**Agent playbooks must be detailed and prescriptive with step-by-step commands. Copy this example and customize rather than writing from scratch.**
+
+The following is a complete, working PLAYBOOK.md for a developer agent. Use it as a template for all new agents:
+
+\`\`\`markdown
+# Developer Agent
+
+You are a developer agent. Your job is to pick up GitHub issues and implement the requested changes.
+
+Your configuration is in the \\\`<agent-config>\\\` block at the start of your prompt.
+Use those values for repos, triggerLabel, and assignee.
+
+\\\`GITHUB_TOKEN\\\` is already set in your environment. Use \\\`gh\\\` CLI and \\\`git\\\` directly.
+(Note: \\\`gh\\\` is not in the base Docker image — this agent needs a custom Dockerfile that installs it. See Docker Mode section.)
+
+**You MUST complete ALL steps below.** Do not stop after reading the issue — you must implement, commit, push, and open a PR.
+
+## Setup — ensure labels exist
+
+Before looking for work, ensure the required labels exist on each repo. Run the following for each repo (these are idempotent — they succeed silently if the label already exists):
+
+\\\`\\\`\\\`
+gh label create "<triggerLabel>" --repo <repo> --color 0E8A16 --description "Trigger label for dev agent" --force
+gh label create "in-progress" --repo <repo> --color FBCA04 --description "Agent is working on this" --force
+gh label create "agent-completed" --repo <repo> --color 1D76DB --description "Agent has opened a PR" --force
+\\\`\\\`\\\`
+
+## Finding work
+
+**Webhook trigger:** When you receive a \\\`<webhook-trigger>\\\` block, the issue details are already in the trigger context. Check the issue's labels and assignee against your \\\`triggerLabel\\\` and \\\`assignee\\\` params. If the issue matches (has your trigger label and is assigned to your assignee), proceed with implementation. If it does not match, respond \\\`[SILENT]\\\` and stop.
+
+**Scheduled trigger:** Run \\\`gh issue list --repo <repo> --label <triggerLabel> --assignee <assignee> --state open --json number,title,body,comments,labels --limit 1\\\`. If empty, respond \\\`[SILENT]\\\` and stop.
+
+## Workflow
+
+1. **Claim the issue** — run \\\`gh issue edit <number> --repo <repo> --add-label in-progress\\\` to mark it as claimed.
+
+2. **Clone and branch** — run \\\`git clone git@github.com:<repo>.git /workspace/repo && cd /workspace/repo && git checkout -b agent/<number>\\\`.
+
+3. **Understand the issue** — read the title, body, and comments. Note file paths, acceptance criteria, and linked issues.
+
+4. **Read project conventions** — in the repo, read \\\`PLAYBOOK.md\\\`, \\\`CLAUDE.md\\\`, \\\`CONTRIBUTING.md\\\`, and \\\`README.md\\\` if they exist. Follow any conventions found there.
+
+5. **Implement changes** — work in the repo. Make the minimum necessary changes, follow existing patterns, and write or update tests if the project has a test suite.
+
+6. **Validate** — run the project's test suite and linters (e.g., \\\`npm test\\\`). Fix failures before proceeding.
+
+7. **Commit** — \\\`git add -A && git commit -m "fix: <description> (closes #<number>)"\\\`
+
+8. **Push** — \\\`git push -u origin agent/<number>\\\`
+
+9. **Create a PR** — run \\\`gh pr create --repo <repo> --head agent/<number> --base main --title "<title>" --body "Closes #<number>\\\\n\\\\n<description>"\\\`.
+
+10. **Comment on the issue** — run \\\`gh issue comment <number> --repo <repo> --body "PR created: <pr_url>"\\\`.
+
+11. **Mark done** — run \\\`gh issue edit <number> --repo <repo> --remove-label in-progress --add-label agent-completed\\\`.
+
+## Rules
+
+- Work on exactly ONE issue per run
+- Never modify files outside the repo directory
+- **You MUST complete steps 7-11.** Do not stop early.
+- If tests fail after 2 attempts, create the PR anyway with a note about failing tests
+- If the issue is unclear, comment asking for clarification and stop
+\`\`\`
+
+## Docker Mode
+
+Docker container isolation is enabled by default. Each agent run launches an isolated container with a read-only root filesystem, dropped capabilities, non-root user, and resource limits. Use \`--no-docker\` to disable it for development.
+
+### Base image
+
+The base image (\`al-agent:latest\`) is built automatically on first run. It includes Node.js, git, curl, openssh-client, and ca-certificates — the minimum needed for any agent.
+
+### Custom agent images
+
+If your agent needs extra tools (e.g. \`gh\` CLI, Python, \`jq\`), add a \`Dockerfile\` to the agent directory that extends the base image:
+
+\`\`\`dockerfile
+FROM al-agent:latest
+USER root
+RUN apt-get update && apt-get install -y --no-install-recommends gh && rm -rf /var/lib/apt/lists/*
+USER node
 \`\`\`
 
-## Credentials
+Agent images are built automatically on startup. If no \`Dockerfile\` is present, the agent uses the base image.
+
+### Container filesystem
+
+| Path | Mode | Contents |
+|------|------|----------|
+| \`/app\` | read-only | Action Llama application + node_modules |
+| \`/credentials\` | read-only | Mounted credential files (\`/<type>/<instance>/<field>\`) |
+| \`/workspace\` | read-write (tmpfs, 2GB) | Working directory — repos are cloned here |
+| \`/tmp\` | read-write (tmpfs, 512MB) | Temporary files |
+| \`/home/node\` | read-write (tmpfs, 64MB) | User home — \`.ssh/\` for SSH keys |
+
+### Docker config options
+
+| Key | Default | Description |
+|-----|---------|-------------|
+| \`local.enabled\` | \`true\` | Enable Docker container isolation |
+| \`local.image\` | \`"al-agent:latest"\` | Base Docker image name |
+| \`local.memory\` | \`"4g"\` | Memory limit per container |
+| \`local.cpus\` | \`2\` | CPU limit per container |
+| \`local.timeout\` | \`3600\` | Max container runtime in seconds |
+
+## Running Agents
 
-Credentials are managed by the user via \`al setup\` and stored in \`~/.action-llama-credentials/\`.
+Start all agents with \`al start\` (or \`npx al start\`). This starts the scheduler which runs all discovered agents on their configured schedules/webhooks. There is no per-agent start command — \`al start\` always starts the entire project.
 
-**IMPORTANT:** Agents MUST NEVER ask users for credentials directly (API keys, tokens, passwords, etc.). Agents MUST NEVER run \`al setup\` or interact with the credential system on behalf of the user. If a credential is missing at runtime, the agent should report the error and stop — the user will run \`al setup\` and \`al start\` themselves.
+### Automatic re-runs
 
-## Documentation
+When a scheduled agent completes productive work (i.e. it does not respond with \`[SILENT]\`), the scheduler immediately re-runs it. This continues until the agent reports \`[SILENT]\` (no more work), hits an error, or reaches the \`maxReruns\` limit. This way an agent drains its work queue without waiting for the next cron tick.
 
-Full docs: https://github.com/action-llama/action-llama/tree/main/docs
+Set \`maxReruns\` in \`config.toml\` to control the limit (default: 10):
 
-- [Creating Agents](https://github.com/action-llama/action-llama/blob/main/docs/creating-agents.md)
-- [agent-config.toml Reference](https://github.com/action-llama/action-llama/blob/main/docs/agent-config-reference.md)
-- [CLI Commands](https://github.com/action-llama/action-llama/blob/main/docs/commands.md)
-- [Credentials](https://github.com/action-llama/action-llama/blob/main/docs/credentials.md)
-- [Webhooks](https://github.com/action-llama/action-llama/blob/main/docs/webhooks.md)
-- [Examples](https://github.com/action-llama/action-llama/tree/main/docs/examples)
+\`\`\`toml
+maxReruns = 5
+maxTriggerDepth = 3   # max depth for agent-to-agent trigger chains (default: 3)
+\`\`\`
+
+Webhook-triggered and agent-triggered runs do not re-run — they respond to a single event.
+
+## Further Documentation
+
+Full documentation is available on GitHub:
+
+- [Creating Agents](https://github.com/Action-Llama/action-llama/blob/main/docs/creating-agents.md)
+- [agent-config.toml Reference](https://github.com/Action-Llama/action-llama/blob/main/docs/agent-config-reference.md)
+- [Credentials](https://github.com/Action-Llama/action-llama/blob/main/docs/credentials.md)
+- [Webhooks](https://github.com/Action-Llama/action-llama/blob/main/docs/webhooks.md)
+- [Docker](https://github.com/Action-Llama/action-llama/blob/main/docs/docker.md) — custom Dockerfiles, standalone images, troubleshooting
+- [CLI Commands](https://github.com/Action-Llama/action-llama/blob/main/docs/commands.md)
+- [Example Agents](https://github.com/Action-Llama/action-llama/blob/main/docs/examples/dev-agent.md) — dev, reviewer, devops
 `;
 export function scaffoldAgent(projectPath, agent) {
     const agentPath = resolve(projectPath, agent.name);
@@ -59,10 +394,10 @@ export function scaffoldAgent(projectPath, agent) {
     // Strip `name` before serializing — it's derived from the directory name
     const { name: _, ...configToWrite } = agent.config;
     writeFileSync(resolve(agentPath, "agent-config.toml"), stringifyTOML(configToWrite) + "\n");
-    // Write a stub AGENTS.md if none exists
-    const agentsMdPath = resolve(agentPath, "AGENTS.md");
-    if (!existsSync(agentsMdPath)) {
-        writeFileSync(agentsMdPath, `# ${agent.name} Agent\n\nCustom agent.\n`);
+    // Write a stub PLAYBOOK.md if none exists
+    const playbookPath = resolve(agentPath, "PLAYBOOK.md");
+    if (!existsSync(playbookPath)) {
+        writeFileSync(playbookPath, `# ${agent.name} Agent\n\nCustom agent.\n`);
     }
 }
 export function scaffoldProject(projectPath, globalConfig, agents = [], projectName) {
@@ -82,7 +417,7 @@ export function scaffoldProject(projectPath, globalConfig, agents = [], projectN
     }
     // Write global config only if non-empty
     if (Object.keys(globalConfig).length > 0) {
-        writeFileSync(resolve(projectPath, "config.json"), JSON.stringify(globalConfig, null, 2) + "\n");
+        writeFileSync(resolve(projectPath, "config.toml"), stringifyTOML(globalConfig) + "\n");
     }
     for (const agent of agents) {
         scaffoldAgent(projectPath, agent);
@@ -97,7 +432,14 @@ export function scaffoldProject(projectPath, globalConfig, agents = [], projectN
     // Create .gitignore
     const gitignorePath = resolve(projectPath, ".gitignore");
     if (!existsSync(gitignorePath)) {
-        writeFileSync(gitignorePath, ".workspace/\nnode_modules/\n");
+        writeFileSync(gitignorePath, [
+            "node_modules/",
+            ".workspace/",
+            ".al/",
+            "*.log",
+            ".DS_Store",
+            "",
+        ].join("\n"));
     }
 }
 //# sourceMappingURL=scaffold.js.map

package/dist/setup/scaffold.js.map

@@ -1 +1 @@
-{"version":3,"file":"scaffold.js","sourceRoot":"","sources":["../../src/setup/scaffold.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,aAAa,EAAE,UAAU,EAAE,MAAM,IAAI,CAAC;AAC1D,OAAO,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AAC/B,OAAO,EAAE,SAAS,IAAI,aAAa,EAAE,MAAM,WAAW,CAAC;AAEvD,OAAO,EAAE,eAAe,EAAE,MAAM,0BAA0B,CAAC;AAE3D,OAAO,EAAE,eAAe,EAAE,CAAC;AAE3B,MAAM,iBAAiB,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAiDzB,CAAC;AAOF,MAAM,UAAU,aAAa,CAAC,WAAmB,EAAE,KAAoB;IACrE,MAAM,SAAS,GAAG,OAAO,CAAC,WAAW,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;IACnD,SAAS,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAE1C,yEAAyE;IACzE,MAAM,EAAE,IAAI,EAAE,CAAC,EAAE,GAAG,aAAa,EAAE,GAAG,KAAK,CAAC,MAAM,CAAC;IACnD,aAAa,CACX,OAAO,CAAC,SAAS,EAAE,mBAAmB,CAAC,EACvC,aAAa,CAAC,aAAwC,CAAC,GAAG,IAAI,CAC/D,CAAC;IAEF,wCAAwC;IACxC,MAAM,YAAY,GAAG,OAAO,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC;IACrD,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;QAC9B,aAAa,CAAC,YAAY,EAAE,KAAK,KAAK,CAAC,IAAI,2BAA2B,CAAC,CAAC;IAC1E,CAAC;AACH,CAAC;AAED,MAAM,UAAU,eAAe,CAC7B,WAAmB,EACnB,YAA0B,EAC1B,SAA0B,EAAE,EAC5B,WAAoB;IAEpB,SAAS,CAAC,WAAW,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAE5C,iEAAiE;IACjE,MAAM,OAAO,GAAG,OAAO,CAAC,WAAW,EAAE,cAAc,CAAC,CAAC;IACrD,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QACzB,MAAM,GAAG,GAAG;YACV,IAAI,EAAE,WAAW,IAAI,YAAY;YACjC,OAAO,EAAE,IAAI;YACb,IAAI,EAAE,QAAQ;YACd,YAAY,EAAE;gBACZ,4BAA4B,EAAE,QAAQ;aACvC;SACF,CAAC;QACF,aAAa,CAAC,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;IAC9D,CAAC;IAED,wCAAwC;IACxC,IAAI,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACzC,aAAa,CACX,OAAO,CAAC,WAAW,EAAE,aAAa,CAAC,EACnC,IAAI,CAAC,SAAS,CAAC,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,CAC7C,CAAC;IACJ,CAAC;IAED,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,aAAa,CAAC,WAAW,EAAE,KAAK,CAAC,CAAC;IACpC,CAAC;IAED,kDAAkD;IAClD,MAAM,YAAY,GAAG,OAAO,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC;IACvD,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;QAC9B,aAAa,CAAC,YAAY,EAAE,iBAAiB,CAAC,CAAC;IACjD,CAAC;IAED,6BAA6B;IAC7B,SAAS,CAAC,OAAO,CAAC,WAAW,EAAE,YAAY,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAEnE,oBAAoB;IACpB,MAAM,aAAa,GAAG,OAAO,CAAC,WAAW,EAAE,YAAY,CAAC,CAAC;IACzD,IAAI,CAAC,UAAU,CAAC,aAAa,CAAC,EAAE,CAAC;QAC/B,aAAa,CAAC,aAAa,EAAE,8BAA8B,CAAC,CAAC;IAC/D,CAAC;AACH,CAAC"}
+{"version":3,"file":"scaffold.js","sourceRoot":"","sources":["../../src/setup/scaffold.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,aAAa,EAAE,UAAU,EAAE,MAAM,IAAI,CAAC;AAC1D,OAAO,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AAC/B,OAAO,EAAE,SAAS,IAAI,aAAa,EAAE,MAAM,WAAW,CAAC;AAEvD,OAAO,EAAE,oBAAoB,EAAE,qBAAqB,EAAE,MAAM,0BAA0B,CAAC;AAEvF,OAAO,EAAE,oBAAoB,EAAE,qBAAqB,EAAE,CAAC;AAEvD,MAAM,iBAAiB,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAgYzB,CAAC;AAOF,MAAM,UAAU,aAAa,CAAC,WAAmB,EAAE,KAAoB;IACrE,MAAM,SAAS,GAAG,OAAO,CAAC,WAAW,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;IACnD,SAAS,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAE1C,yEAAyE;IACzE,MAAM,EAAE,IAAI,EAAE,CAAC,EAAE,GAAG,aAAa,EAAE,GAAG,KAAK,CAAC,MAAM,CAAC;IACnD,aAAa,CACX,OAAO,CAAC,SAAS,EAAE,mBAAmB,CAAC,EACvC,aAAa,CAAC,aAAwC,CAAC,GAAG,IAAI,CAC/D,CAAC;IAEF,0CAA0C;IAC1C,MAAM,YAAY,GAAG,OAAO,CAAC,SAAS,EAAE,aAAa,CAAC,CAAC;IACvD,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;QAC9B,aAAa,CAAC,YAAY,EAAE,KAAK,KAAK,CAAC,IAAI,2BAA2B,CAAC,CAAC;IAC1E,CAAC;AACH,CAAC;AAED,MAAM,UAAU,eAAe,CAC7B,WAAmB,EACnB,YAA0B,EAC1B,SAA0B,EAAE,EAC5B,WAAoB;IAEpB,SAAS,CAAC,WAAW,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAE5C,iEAAiE;IACjE,MAAM,OAAO,GAAG,OAAO,CAAC,WAAW,EAAE,cAAc,CAAC,CAAC;IACrD,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QACzB,MAAM,GAAG,GAAG;YACV,IAAI,EAAE,WAAW,IAAI,YAAY;YACjC,OAAO,EAAE,IAAI;YACb,IAAI,EAAE,QAAQ;YACd,YAAY,EAAE;gBACZ,4BAA4B,EAAE,QAAQ;aACvC;SACF,CAAC;QACF,aAAa,CAAC,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;IAC9D,CAAC;IAED,wCAAwC;IACxC,IAAI,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACzC,aAAa,CACX,OAAO,CAAC,WAAW,EAAE,aAAa,CAAC,EACnC,aAAa,CAAC,YAAuC,CAAC,GAAG,IAAI,CAC9D,CAAC;IACJ,CAAC;IAED,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,aAAa,CAAC,WAAW,EAAE,KAAK,CAAC,CAAC;IACpC,CAAC;IAED,kDAAkD;IAClD,MAAM,YAAY,GAAG,OAAO,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC;IACvD,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;QAC9B,aAAa,CAAC,YAAY,EAAE,iBAAiB,CAAC,CAAC;IACjD,CAAC;IAED,6BAA6B;IAC7B,SAAS,CAAC,OAAO,CAAC,WAAW,EAAE,YAAY,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAEnE,oBAAoB;IACpB,MAAM,aAAa,GAAG,OAAO,CAAC,WAAW,EAAE,YAAY,CAAC,CAAC;IACzD,IAAI,CAAC,UAAU,CAAC,aAAa,CAAC,EAAE,CAAC;QAC/B,aAAa,CAAC,aAAa,EAAE;YAC3B,eAAe;YACf,aAAa;YACb,MAAM;YACN,OAAO;YACP,WAAW;YACX,EAAE;SACH,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;IAChB,CAAC;AACH,CAAC"}

package/dist/setup/validators.d.ts

@@ -20,4 +20,18 @@ export declare function validateSentryProjects(token: string, org: string): Prom
 }>;
 export declare function validateAnthropicApiKey(key: string): Promise<boolean>;
 export declare function validateOAuthTokenFormat(token: string): boolean;
+export declare function validateNetlifyToken(token: string): Promise<{
+    user: string;
+    fullName: string | undefined;
+}>;
+export declare function validateXTwitterToken(bearerToken: string): Promise<{
+    user: string;
+    name: string;
+    id: string;
+}>;
+export declare function validateBugsnagToken(token: string): Promise<{
+    user: string;
+    name: string;
+    id: string;
+}>;
 //# sourceMappingURL=validators.d.ts.map

package/dist/setup/validators.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"validators.d.ts","sourceRoot":"","sources":["../../src/setup/validators.ts"],"names":[],"mappings":"AAAA,wBAAsB,mBAAmB,CAAC,KAAK,EAAE,MAAM;;;;;;;GAetD;AAED,wBAAsB,mBAAmB,CAAC,KAAK,EAAE,MAAM;;cAKJ,MAAM;cAAQ,MAAM;;GAEtE;AAED,wBAAsB,sBAAsB,CAAC,KAAK,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM;;cAKhB,MAAM;cAAQ,MAAM;;GAE1E;AAED,wBAAsB,uBAAuB,CAAC,GAAG,EAAE,MAAM,oBAmBxD;AAED,wBAAgB,wBAAwB,CAAC,KAAK,EAAE,MAAM,WAQrD"}
+{"version":3,"file":"validators.d.ts","sourceRoot":"","sources":["../../src/setup/validators.ts"],"names":[],"mappings":"AAAA,wBAAsB,mBAAmB,CAAC,KAAK,EAAE,MAAM;;;;;;;GAetD;AAED,wBAAsB,mBAAmB,CAAC,KAAK,EAAE,MAAM;;cAKJ,MAAM;cAAQ,MAAM;;GAEtE;AAED,wBAAsB,sBAAsB,CAAC,KAAK,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM;;cAKhB,MAAM;cAAQ,MAAM;;GAE1E;AAED,wBAAsB,uBAAuB,CAAC,GAAG,EAAE,MAAM,oBAmBxD;AAED,wBAAgB,wBAAwB,CAAC,KAAK,EAAE,MAAM,WAQrD;AAED,wBAAsB,oBAAoB,CAAC,KAAK,EAAE,MAAM;;;GAmBvD;AAED,wBAAsB,qBAAqB,CAAC,WAAW,EAAE,MAAM;;;;GAiB9D;AAED,wBAAsB,oBAAoB,CAAC,KAAK,EAAE,MAAM;;;;GAoBvD"}

package/dist/setup/validators.js

@@ -58,4 +58,57 @@ export function validateOAuthTokenFormat(token) {
     }
     return true;
 }
+export async function validateNetlifyToken(token) {
+    const res = await fetch("https://api.netlify.com/api/v1/user", {
+        headers: {
+            Authorization: `Bearer ${token}`,
+            "Content-Type": "application/json"
+        },
+    });
+    if (!res.ok) {
+        const body = await res.text();
+        throw new Error(`Netlify auth failed (${res.status}): ${body}`);
+    }
+    const user = (await res.json());
+    return {
+        user: user.email,
+        fullName: user.full_name,
+    };
+}
+export async function validateXTwitterToken(bearerToken) {
+    const res = await fetch("https://api.x.com/2/users/me", {
+        headers: {
+            Authorization: `Bearer ${bearerToken}`,
+            "Content-Type": "application/json"
+        },
+    });
+    if (!res.ok) {
+        const body = await res.text();
+        throw new Error(`X (Twitter) API token validation failed (${res.status}): ${body}`);
+    }
+    const user = (await res.json());
+    return {
+        user: user.data.username,
+        name: user.data.name,
+        id: user.data.id,
+    };
+}
+export async function validateBugsnagToken(token) {
+    const res = await fetch("https://api.bugsnag.com/user", {
+        headers: {
+            Authorization: `token ${token}`,
+            "Content-Type": "application/json"
+        },
+    });
+    if (!res.ok) {
+        const body = await res.text();
+        throw new Error(`Bugsnag auth failed (${res.status}): ${body}`);
+    }
+    const user = (await res.json());
+    return {
+        user: user.email,
+        name: user.name,
+        id: user.id,
+    };
+}
 //# sourceMappingURL=validators.js.map

package/dist/setup/validators.js.map

@@ -1 +1 @@
-{"version":3,"file":"validators.js","sourceRoot":"","sources":["../../src/setup/validators.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,KAAK,UAAU,mBAAmB,CAAC,KAAa;IACrD,MAAM,OAAO,GAAG,EAAE,aAAa,EAAE,UAAU,KAAK,EAAE,EAAE,MAAM,EAAE,6BAA6B,EAAE,CAAC;IAE5F,MAAM,OAAO,GAAG,MAAM,KAAK,CAAC,6BAA6B,EAAE,EAAE,OAAO,EAAE,CAAC,CAAC;IACxE,IAAI,CAAC,OAAO,CAAC,EAAE;QAAE,MAAM,IAAI,KAAK,CAAC,uBAAuB,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;IAC1E,MAAM,IAAI,GAAG,CAAC,MAAM,OAAO,CAAC,IAAI,EAAE,CAAsB,CAAC;IAEzD,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,6DAA6D,EAAE,EAAE,OAAO,EAAE,CAAC,CAAC;IACzG,IAAI,CAAC,QAAQ,CAAC,EAAE;QAAE,MAAM,IAAI,KAAK,CAAC,8BAA8B,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;IACnF,MAAM,KAAK,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAyE,CAAC;IAE9G,OAAO;QACL,IAAI,EAAE,IAAI,CAAC,KAAK;QAChB,KAAK,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,KAAK,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAC,SAAS,EAAE,CAAC,CAAC;KACzF,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,mBAAmB,CAAC,KAAa;IACrD,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,wCAAwC,EAAE;QAChE,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,KAAK,EAAE,EAAE;KAC9C,CAAC,CAAC;IACH,IAAI,CAAC,GAAG,CAAC,EAAE;QAAE,MAAM,IAAI,KAAK,CAAC,uBAAuB,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;IAClE,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAA0C,CAAC;IACzE,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;AACjC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAAC,KAAa,EAAE,GAAW;IACrE,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,yCAAyC,GAAG,YAAY,EAAE;QAChF,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,KAAK,EAAE,EAAE;KAC9C,CAAC,CAAC;IACH,IAAI,CAAC,GAAG,CAAC,EAAE;QAAE,MAAM,IAAI,KAAK,CAAC,iCAAiC,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;IAC5E,MAAM,QAAQ,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAA0C,CAAC;IAC7E,OAAO,EAAE,QAAQ,EAAE,CAAC;AACtB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAAC,GAAW;IACvD,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,uCAAuC,EAAE;QAC/D,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACP,WAAW,EAAE,GAAG;YAChB,mBAAmB,EAAE,YAAY;YACjC,cAAc,EAAE,kBAAkB;SACnC;QACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;YACnB,KAAK,EAAE,0BAA0B;YACjC,UAAU,EAAE,EAAE;YACd,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;SAC5C,CAAC;KACH,CAAC,CAAC;IACH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,wCAAwC,GAAG,CAAC,MAAM,MAAM,IAAI,EAAE,CAAC,CAAC;IAClF,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,UAAU,wBAAwB,CAAC,KAAa;IACpD,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE,CAAC;QAClC,MAAM,IAAI,KAAK,CACb,mFAAmF;YACnF,4DAA4D,CAC7D,CAAC;IACJ,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC"}
+{"version":3,"file":"validators.js","sourceRoot":"","sources":["../../src/setup/validators.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,KAAK,UAAU,mBAAmB,CAAC,KAAa;IACrD,MAAM,OAAO,GAAG,EAAE,aAAa,EAAE,UAAU,KAAK,EAAE,EAAE,MAAM,EAAE,6BAA6B,EAAE,CAAC;IAE5F,MAAM,OAAO,GAAG,MAAM,KAAK,CAAC,6BAA6B,EAAE,EAAE,OAAO,EAAE,CAAC,CAAC;IACxE,IAAI,CAAC,OAAO,CAAC,EAAE;QAAE,MAAM,IAAI,KAAK,CAAC,uBAAuB,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;IAC1E,MAAM,IAAI,GAAG,CAAC,MAAM,OAAO,CAAC,IAAI,EAAE,CAAsB,CAAC;IAEzD,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,6DAA6D,EAAE,EAAE,OAAO,EAAE,CAAC,CAAC;IACzG,IAAI,CAAC,QAAQ,CAAC,EAAE;QAAE,MAAM,IAAI,KAAK,CAAC,8BAA8B,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;IACnF,MAAM,KAAK,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAyE,CAAC;IAE9G,OAAO;QACL,IAAI,EAAE,IAAI,CAAC,KAAK;QAChB,KAAK,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,KAAK,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAC,SAAS,EAAE,CAAC,CAAC;KACzF,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,mBAAmB,CAAC,KAAa;IACrD,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,wCAAwC,EAAE;QAChE,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,KAAK,EAAE,EAAE;KAC9C,CAAC,CAAC;IACH,IAAI,CAAC,GAAG,CAAC,EAAE;QAAE,MAAM,IAAI,KAAK,CAAC,uBAAuB,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;IAClE,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAA0C,CAAC;IACzE,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;AACjC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAAC,KAAa,EAAE,GAAW;IACrE,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,yCAAyC,GAAG,YAAY,EAAE;QAChF,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,KAAK,EAAE,EAAE;KAC9C,CAAC,CAAC;IACH,IAAI,CAAC,GAAG,CAAC,EAAE;QAAE,MAAM,IAAI,KAAK,CAAC,iCAAiC,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;IAC5E,MAAM,QAAQ,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAA0C,CAAC;IAC7E,OAAO,EAAE,QAAQ,EAAE,CAAC;AACtB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAAC,GAAW;IACvD,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,uCAAuC,EAAE;QAC/D,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACP,WAAW,EAAE,GAAG;YAChB,mBAAmB,EAAE,YAAY;YACjC,cAAc,EAAE,kBAAkB;SACnC;QACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;YACnB,KAAK,EAAE,0BAA0B;YACjC,UAAU,EAAE,EAAE;YACd,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;SAC5C,CAAC;KACH,CAAC,CAAC;IACH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,wCAAwC,GAAG,CAAC,MAAM,MAAM,IAAI,EAAE,CAAC,CAAC;IAClF,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,UAAU,wBAAwB,CAAC,KAAa;IACpD,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE,CAAC;QAClC,MAAM,IAAI,KAAK,CACb,mFAAmF;YACnF,4DAA4D,CAC7D,CAAC;IACJ,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,oBAAoB,CAAC,KAAa;IACtD,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,qCAAqC,EAAE;QAC7D,OAAO,EAAE;YACP,aAAa,EAAE,UAAU,KAAK,EAAE;YAChC,cAAc,EAAE,kBAAkB;SACnC;KACF,CAAC,CAAC;IAEH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,wBAAwB,GAAG,CAAC,MAAM,MAAM,IAAI,EAAE,CAAC,CAAC;IAClE,CAAC;IAED,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAA0C,CAAC;IAEzE,OAAO;QACL,IAAI,EAAE,IAAI,CAAC,KAAK;QAChB,QAAQ,EAAE,IAAI,CAAC,SAAS;KACzB,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,qBAAqB,CAAC,WAAmB;IAC7D,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,8BAA8B,EAAE;QACtD,OAAO,EAAE;YACP,aAAa,EAAE,UAAU,WAAW,EAAE;YACtC,cAAc,EAAE,kBAAkB;SACnC;KACF,CAAC,CAAC;IACH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,4CAA4C,GAAG,CAAC,MAAM,MAAM,IAAI,EAAE,CAAC,CAAC;IACtF,CAAC;IACD,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAA6D,CAAC;IAC5F,OAAO;QACL,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,QAAQ;QACxB,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,IAAI;QACpB,EAAE,EAAE,IAAI,CAAC,IAAI,CAAC,EAAE;KACjB,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,oBAAoB,CAAC,KAAa;IACtD,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,8BAA8B,EAAE;QACtD,OAAO,EAAE;YACP,aAAa,EAAE,SAAS,KAAK,EAAE;YAC/B,cAAc,EAAE,kBAAkB;SACnC;KACF,CAAC,CAAC;IAEH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,wBAAwB,GAAG,CAAC,MAAM,MAAM,IAAI,EAAE,CAAC,CAAC;IAClE,CAAC;IAED,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAgD,CAAC;IAE/E,OAAO;QACL,IAAI,EAAE,IAAI,CAAC,KAAK;QAChB,IAAI,EAAE,IAAI,CAAC,IAAI;QACf,EAAE,EAAE,IAAI,CAAC,EAAE;KACZ,CAAC;AACJ,CAAC"}

package/dist/shared/asm-backend.d.ts

@@ -0,0 +1,25 @@
+import type { CredentialBackend, CredentialEntry } from "./credential-backend.js";
+/**
+ * AWS Secrets Manager credential backend.
+ * Maps type/instance/field -> secret name: <prefix>/<type>/<instance>/<field>
+ *
+ * Uses the AWS SDK v3 with the default credential provider chain:
+ * 1. Environment variables (AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY)
+ * 2. Shared credentials file (~/.aws/credentials)
+ * 3. SSO / IAM instance roles
+ */
+export declare class AwsSecretsManagerBackend implements CredentialBackend {
+    private client;
+    private prefix;
+    constructor(awsRegion: string, secretPrefix?: string);
+    private secretName;
+    private parseSecretName;
+    read(type: string, instance: string, field: string): Promise<string | undefined>;
+    write(type: string, instance: string, field: string, value: string): Promise<void>;
+    list(): Promise<CredentialEntry[]>;
+    exists(type: string, instance: string): Promise<boolean>;
+    readAll(type: string, instance: string): Promise<Record<string, string> | undefined>;
+    writeAll(type: string, instance: string, fields: Record<string, string>): Promise<void>;
+    listInstances(type: string): Promise<string[]>;
+}
+//# sourceMappingURL=asm-backend.d.ts.map

package/dist/shared/asm-backend.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"asm-backend.d.ts","sourceRoot":"","sources":["../../src/shared/asm-backend.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAAE,iBAAiB,EAAE,eAAe,EAAE,MAAM,yBAAyB,CAAC;AAGlF;;;;;;;;GAQG;AACH,qBAAa,wBAAyB,YAAW,iBAAiB;IAChE,OAAO,CAAC,MAAM,CAAuB;IACrC,OAAO,CAAC,MAAM,CAAS;gBAEX,SAAS,EAAE,MAAM,EAAE,YAAY,SAAsC;IAKjF,OAAO,CAAC,UAAU;IAIlB,OAAO,CAAC,eAAe;IAMjB,IAAI,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC;IAYhF,KAAK,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAalF,IAAI,IAAI,OAAO,CAAC,eAAe,EAAE,CAAC;IAwBlC,MAAM,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAKxD,OAAO,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,SAAS,CAAC;IAapF,QAAQ,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC;IAMvF,aAAa,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;CAQrD"}