@agent-native/core 0.7.2 → 0.7.4

package/dist/secrets/routes.js

@@ -0,0 +1,275 @@
+/**
+ * H3 event handlers for the framework secrets registry.
+ *
+ * Mounted under `/_agent-native/secrets/*` by `core-routes-plugin`.
+ *
+ * NEVER return a secret's plain-text value from any of these handlers.
+ */
+import { defineEventHandler, getMethod, setResponseStatus, } from "h3";
+import { readBody } from "../server/h3-helpers.js";
+import { getSession } from "../server/auth.js";
+import { getOrgContext } from "../org/context.js";
+import { hasOAuthTokens } from "../oauth-tokens/store.js";
+import { listRequiredSecrets, getRequiredSecret, } from "./register.js";
+import { writeAppSecret, deleteAppSecret, getAppSecretMeta, readAppSecret, } from "./storage.js";
+/** Resolve the scopeId for a given scope, given the current session. */
+async function resolveScopeId(event, scope, override) {
+    if (override && typeof override === "string" && override.trim()) {
+        return { scopeId: override.trim() };
+    }
+    if (scope === "user") {
+        const session = await getSession(event).catch(() => null);
+        if (!session?.email) {
+            return { scopeId: null, reason: "Authentication required" };
+        }
+        return { scopeId: session.email };
+    }
+    // workspace
+    const ctx = await getOrgContext(event).catch(() => null);
+    if (ctx?.orgId)
+        return { scopeId: ctx.orgId };
+    // Fall back to session email in solo/dev mode so secrets still work without
+    // an active organisation.
+    const session = await getSession(event).catch(() => null);
+    if (session?.email)
+        return { scopeId: `solo:${session.email}` };
+    return { scopeId: null, reason: "No workspace or session context" };
+}
+/** GET /_agent-native/secrets — list registered secrets with status. */
+export function createListSecretsHandler() {
+    return defineEventHandler(async (event) => {
+        if (getMethod(event) !== "GET") {
+            setResponseStatus(event, 405);
+            return { error: "Method not allowed" };
+        }
+        const secrets = listRequiredSecrets();
+        const payload = [];
+        for (const secret of secrets) {
+            const base = {
+                key: secret.key,
+                label: secret.label,
+                description: secret.description,
+                docsUrl: secret.docsUrl,
+                scope: secret.scope,
+                kind: secret.kind,
+                required: !!secret.required,
+                status: "unset",
+            };
+            if (secret.kind === "oauth") {
+                base.oauthProvider = secret.oauthProvider;
+                base.oauthConnectUrl = secret.oauthConnectUrl;
+                if (secret.oauthProvider) {
+                    try {
+                        const has = await hasOAuthTokens(secret.oauthProvider);
+                        base.status = has ? "set" : "unset";
+                    }
+                    catch {
+                        base.status = "unset";
+                    }
+                }
+                payload.push(base);
+                continue;
+            }
+            // api-key: look up the stored row in app_secrets.
+            const { scopeId } = await resolveScopeId(event, secret.scope);
+            if (!scopeId) {
+                payload.push(base);
+                continue;
+            }
+            const meta = await getAppSecretMeta({
+                key: secret.key,
+                scope: secret.scope,
+                scopeId,
+            }).catch(() => null);
+            if (meta) {
+                base.status = "set";
+                base.last4 = meta.last4;
+                base.updatedAt = meta.updatedAt;
+            }
+            payload.push(base);
+        }
+        return payload;
+    });
+}
+/** POST /_agent-native/secrets/:key — write a secret. */
+export function createWriteSecretHandler() {
+    return defineEventHandler(async (event) => {
+        const method = getMethod(event);
+        const key = extractKeyFromEvent(event);
+        if (!key) {
+            setResponseStatus(event, 400);
+            return { error: "Secret key required" };
+        }
+        const secret = getRequiredSecret(key);
+        if (!secret) {
+            setResponseStatus(event, 404);
+            return { error: `Secret "${key}" is not registered` };
+        }
+        if (method === "POST" || method === "PUT") {
+            return handleWrite(event, secret);
+        }
+        if (method === "DELETE") {
+            return handleDelete(event, secret);
+        }
+        setResponseStatus(event, 405);
+        return { error: "Method not allowed" };
+    });
+}
+async function handleWrite(event, secret) {
+    if (secret.kind === "oauth") {
+        setResponseStatus(event, 400);
+        return {
+            error: `"${secret.key}" is an OAuth-kind secret — connect via ${secret.oauthConnectUrl ?? "the OAuth flow"} instead`,
+        };
+    }
+    const body = (await readBody(event).catch(() => ({})));
+    const value = typeof body.value === "string" ? body.value.trim() : "";
+    if (!value) {
+        setResponseStatus(event, 400);
+        return { error: "value is required" };
+    }
+    const scope = typeof body.scope === "string" &&
+        (body.scope === "user" || body.scope === "workspace")
+        ? body.scope
+        : secret.scope;
+    const { scopeId, reason } = await resolveScopeId(event, scope, typeof body.scopeId === "string" ? body.scopeId : undefined);
+    if (!scopeId) {
+        setResponseStatus(event, 401);
+        return { error: reason ?? "Unable to resolve scope" };
+    }
+    // Run validator if registered — return the validator's error on failure.
+    if (secret.validator) {
+        try {
+            const result = await secret.validator(value);
+            const ok = typeof result === "boolean" ? result : result?.ok === true;
+            if (!ok) {
+                setResponseStatus(event, 400);
+                const err = typeof result === "object" && result && result.error
+                    ? String(result.error)
+                    : "Validator rejected the value";
+                return { error: err };
+            }
+        }
+        catch (err) {
+            setResponseStatus(event, 400);
+            return {
+                error: err instanceof Error
+                    ? `Validator threw: ${err.message}`
+                    : "Validator threw",
+            };
+        }
+    }
+    try {
+        await writeAppSecret({ key: secret.key, value, scope, scopeId });
+    }
+    catch (err) {
+        // Scrub: never surface the value in any error path.
+        setResponseStatus(event, 500);
+        return {
+            error: err instanceof Error
+                ? `Failed to save secret: ${err.message}`
+                : "Failed to save secret",
+        };
+    }
+    return { ok: true, status: "set" };
+}
+async function handleDelete(event, secret) {
+    if (secret.kind === "oauth") {
+        setResponseStatus(event, 400);
+        return {
+            error: `"${secret.key}" is an OAuth-kind secret — disconnect via the OAuth flow instead`,
+        };
+    }
+    const { scopeId, reason } = await resolveScopeId(event, secret.scope);
+    if (!scopeId) {
+        setResponseStatus(event, 401);
+        return { error: reason ?? "Unable to resolve scope" };
+    }
+    const removed = await deleteAppSecret({
+        key: secret.key,
+        scope: secret.scope,
+        scopeId,
+    });
+    return { ok: true, removed };
+}
+/**
+ * POST /_agent-native/secrets/:key/test — re-run the validator against the
+ * current stored value without changing anything. Useful for the "Test" button.
+ */
+export function createTestSecretHandler() {
+    return defineEventHandler(async (event) => {
+        if (getMethod(event) !== "POST") {
+            setResponseStatus(event, 405);
+            return { error: "Method not allowed" };
+        }
+        const key = extractKeyFromEvent(event, { suffix: "/test" });
+        if (!key) {
+            setResponseStatus(event, 400);
+            return { error: "Secret key required" };
+        }
+        const secret = getRequiredSecret(key);
+        if (!secret) {
+            setResponseStatus(event, 404);
+            return { error: `Secret "${key}" is not registered` };
+        }
+        if (secret.kind === "oauth") {
+            // For OAuth we just report whether tokens exist.
+            const has = secret.oauthProvider
+                ? await hasOAuthTokens(secret.oauthProvider).catch(() => false)
+                : false;
+            return { ok: has };
+        }
+        if (!secret.validator) {
+            return { ok: true, note: "No validator registered" };
+        }
+        const { scopeId } = await resolveScopeId(event, secret.scope);
+        if (!scopeId) {
+            setResponseStatus(event, 401);
+            return { error: "Unable to resolve scope" };
+        }
+        const stored = await readAppSecret({
+            key: secret.key,
+            scope: secret.scope,
+            scopeId,
+        });
+        if (!stored) {
+            setResponseStatus(event, 404);
+            return { error: "No value stored" };
+        }
+        try {
+            const result = await secret.validator(stored.value);
+            const ok = typeof result === "boolean" ? result : result?.ok === true;
+            if (!ok) {
+                const err = typeof result === "object" && result && result.error
+                    ? String(result.error)
+                    : "Validator rejected the value";
+                return { ok: false, error: err };
+            }
+            return { ok: true };
+        }
+        catch (err) {
+            return {
+                ok: false,
+                error: err instanceof Error
+                    ? `Validator threw: ${err.message}`
+                    : "Validator threw",
+            };
+        }
+    });
+}
+/** Extract the key from `/:key` or `/:key/test` after the `/secrets` prefix strip. */
+function extractKeyFromEvent(event, opts = {}) {
+    const pathname = (event.url?.pathname || "")
+        .replace(/^\/+/, "")
+        .replace(/\/+$/, "");
+    if (!pathname)
+        return null;
+    const parts = pathname.split("/");
+    if (opts.suffix === "/test") {
+        if (parts.length < 2 || parts[parts.length - 1] !== "test")
+            return null;
+        return parts[0];
+    }
+    return parts[0];
+}
+//# sourceMappingURL=routes.js.map

package/dist/secrets/routes.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"routes.js","sourceRoot":"","sources":["../../src/secrets/routes.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EACL,kBAAkB,EAClB,SAAS,EACT,iBAAiB,GAElB,MAAM,IAAI,CAAC;AACZ,OAAO,EAAE,QAAQ,EAAE,MAAM,yBAAyB,CAAC;AACnD,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAC/C,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAClD,OAAO,EAAE,cAAc,EAAE,MAAM,0BAA0B,CAAC;AAC1D,OAAO,EACL,mBAAmB,EACnB,iBAAiB,GAGlB,MAAM,eAAe,CAAC;AACvB,OAAO,EACL,cAAc,EACd,eAAe,EACf,gBAAgB,EAChB,aAAa,GACd,MAAM,cAAc,CAAC;AAwBtB,wEAAwE;AACxE,KAAK,UAAU,cAAc,CAC3B,KAAc,EACd,KAAkB,EAClB,QAAiB;IAEjB,IAAI,QAAQ,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,QAAQ,CAAC,IAAI,EAAE,EAAE,CAAC;QAChE,OAAO,EAAE,OAAO,EAAE,QAAQ,CAAC,IAAI,EAAE,EAAE,CAAC;IACtC,CAAC;IACD,IAAI,KAAK,KAAK,MAAM,EAAE,CAAC;QACrB,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;QAC1D,IAAI,CAAC,OAAO,EAAE,KAAK,EAAE,CAAC;YACpB,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,yBAAyB,EAAE,CAAC;QAC9D,CAAC;QACD,OAAO,EAAE,OAAO,EAAE,OAAO,CAAC,KAAK,EAAE,CAAC;IACpC,CAAC;IACD,YAAY;IACZ,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;IACzD,IAAI,GAAG,EAAE,KAAK;QAAE,OAAO,EAAE,OAAO,EAAE,GAAG,CAAC,KAAK,EAAE,CAAC;IAC9C,4EAA4E;IAC5E,0BAA0B;IAC1B,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;IAC1D,IAAI,OAAO,EAAE,KAAK;QAAE,OAAO,EAAE,OAAO,EAAE,QAAQ,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC;IAChE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,iCAAiC,EAAE,CAAC;AACtE,CAAC;AAED,wEAAwE;AACxE,MAAM,UAAU,wBAAwB;IACtC,OAAO,kBAAkB,CAAC,KAAK,EAAE,KAAc,EAAE,EAAE;QACjD,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,KAAK,EAAE,CAAC;YAC/B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QAED,MAAM,OAAO,GAAG,mBAAmB,EAAE,CAAC;QACtC,MAAM,OAAO,GAA0B,EAAE,CAAC;QAE1C,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;YAC7B,MAAM,IAAI,GAAwB;gBAChC,GAAG,EAAE,MAAM,CAAC,GAAG;gBACf,KAAK,EAAE,MAAM,CAAC,KAAK;gBACnB,WAAW,EAAE,MAAM,CAAC,WAAW;gBAC/B,OAAO,EAAE,MAAM,CAAC,OAAO;gBACvB,KAAK,EAAE,MAAM,CAAC,KAAK;gBACnB,IAAI,EAAE,MAAM,CAAC,IAAI;gBACjB,QAAQ,EAAE,CAAC,CAAC,MAAM,CAAC,QAAQ;gBAC3B,MAAM,EAAE,OAAO;aAChB,CAAC;YAEF,IAAI,MAAM,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;gBAC5B,IAAI,CAAC,aAAa,GAAG,MAAM,CAAC,aAAa,CAAC;gBAC1C,IAAI,CAAC,eAAe,GAAG,MAAM,CAAC,eAAe,CAAC;gBAC9C,IAAI,MAAM,CAAC,aAAa,EAAE,CAAC;oBACzB,IAAI,CAAC;wBACH,MAAM,GAAG,GAAG,MAAM,cAAc,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC;wBACvD,IAAI,CAAC,MAAM,GAAG,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC;oBACtC,CAAC;oBAAC,MAAM,CAAC;wBACP,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC;oBACxB,CAAC;gBACH,CAAC;gBACD,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBACnB,SAAS;YACX,CAAC;YAED,kDAAkD;YAClD,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,cAAc,CAAC,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;YAC9D,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBACnB,SAAS;YACX,CAAC;YACD,MAAM,IAAI,GAAG,MAAM,gBAAgB,CAAC;gBAClC,GAAG,EAAE,MAAM,CAAC,GAAG;gBACf,KAAK,EAAE,MAAM,CAAC,KAAK;gBACnB,OAAO;aACR,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;YACrB,IAAI,IAAI,EAAE,CAAC;gBACT,IAAI,CAAC,MAAM,GAAG,KAAK,CAAC;gBACpB,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC;gBACxB,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC;YAClC,CAAC;YACD,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACrB,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC,CAAC,CAAC;AACL,CAAC;AAED,yDAAyD;AACzD,MAAM,UAAU,wBAAwB;IACtC,OAAO,kBAAkB,CAAC,KAAK,EAAE,KAAc,EAAE,EAAE;QACjD,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;QAChC,MAAM,GAAG,GAAG,mBAAmB,CAAC,KAAK,CAAC,CAAC;QAEvC,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,qBAAqB,EAAE,CAAC;QAC1C,CAAC;QAED,MAAM,MAAM,GAAG,iBAAiB,CAAC,GAAG,CAAC,CAAC;QACtC,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,WAAW,GAAG,qBAAqB,EAAE,CAAC;QACxD,CAAC;QAED,IAAI,MAAM,KAAK,MAAM,IAAI,MAAM,KAAK,KAAK,EAAE,CAAC;YAC1C,OAAO,WAAW,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QACpC,CAAC;QACD,IAAI,MAAM,KAAK,QAAQ,EAAE,CAAC;YACxB,OAAO,YAAY,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QACrC,CAAC;QACD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;IACzC,CAAC,CAAC,CAAC;AACL,CAAC;AAED,KAAK,UAAU,WAAW,CAAC,KAAc,EAAE,MAAwB;IACjE,IAAI,MAAM,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;QAC5B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO;YACL,KAAK,EAAE,IAAI,MAAM,CAAC,GAAG,2CAA2C,MAAM,CAAC,eAAe,IAAI,gBAAgB,UAAU;SACrH,CAAC;IACJ,CAAC;IACD,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAIpD,CAAC;IAEF,MAAM,KAAK,GAAG,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;IACtE,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC;IACxC,CAAC;IAED,MAAM,KAAK,GACT,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ;QAC9B,CAAC,IAAI,CAAC,KAAK,KAAK,MAAM,IAAI,IAAI,CAAC,KAAK,KAAK,WAAW,CAAC;QACnD,CAAC,CAAE,IAAI,CAAC,KAAqB;QAC7B,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;IAEnB,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,MAAM,cAAc,CAC9C,KAAK,EACL,KAAK,EACL,OAAO,IAAI,CAAC,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CAC5D,CAAC;IACF,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO,EAAE,KAAK,EAAE,MAAM,IAAI,yBAAyB,EAAE,CAAC;IACxD,CAAC;IAED,yEAAyE;IACzE,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;QACrB,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;YAC7C,MAAM,EAAE,GAAG,OAAO,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,KAAK,IAAI,CAAC;YACtE,IAAI,CAAC,EAAE,EAAE,CAAC;gBACR,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,MAAM,GAAG,GACP,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,IAAI,MAAM,CAAC,KAAK;oBAClD,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC;oBACtB,CAAC,CAAC,8BAA8B,CAAC;gBACrC,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC;YACxB,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO;gBACL,KAAK,EACH,GAAG,YAAY,KAAK;oBAClB,CAAC,CAAC,oBAAoB,GAAG,CAAC,OAAO,EAAE;oBACnC,CAAC,CAAC,iBAAiB;aACxB,CAAC;QACJ,CAAC;IACH,CAAC;IAED,IAAI,CAAC;QACH,MAAM,cAAc,CAAC,EAAE,GAAG,EAAE,MAAM,CAAC,GAAG,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAC;IACnE,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,oDAAoD;QACpD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO;YACL,KAAK,EACH,GAAG,YAAY,KAAK;gBAClB,CAAC,CAAC,0BAA0B,GAAG,CAAC,OAAO,EAAE;gBACzC,CAAC,CAAC,uBAAuB;SAC9B,CAAC;IACJ,CAAC;IAED,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;AACrC,CAAC;AAED,KAAK,UAAU,YAAY,CAAC,KAAc,EAAE,MAAwB;IAClE,IAAI,MAAM,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;QAC5B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO;YACL,KAAK,EAAE,IAAI,MAAM,CAAC,GAAG,mEAAmE;SACzF,CAAC;IACJ,CAAC;IACD,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,MAAM,cAAc,CAAC,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;IACtE,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO,EAAE,KAAK,EAAE,MAAM,IAAI,yBAAyB,EAAE,CAAC;IACxD,CAAC;IACD,MAAM,OAAO,GAAG,MAAM,eAAe,CAAC;QACpC,GAAG,EAAE,MAAM,CAAC,GAAG;QACf,KAAK,EAAE,MAAM,CAAC,KAAK;QACnB,OAAO;KACR,CAAC,CAAC;IACH,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;AAC/B,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,uBAAuB;IACrC,OAAO,kBAAkB,CAAC,KAAK,EAAE,KAAc,EAAE,EAAE;QACjD,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,MAAM,EAAE,CAAC;YAChC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QACD,MAAM,GAAG,GAAG,mBAAmB,CAAC,KAAK,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC,CAAC;QAC5D,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,qBAAqB,EAAE,CAAC;QAC1C,CAAC;QACD,MAAM,MAAM,GAAG,iBAAiB,CAAC,GAAG,CAAC,CAAC;QACtC,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,WAAW,GAAG,qBAAqB,EAAE,CAAC;QACxD,CAAC;QACD,IAAI,MAAM,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;YAC5B,iDAAiD;YACjD,MAAM,GAAG,GAAG,MAAM,CAAC,aAAa;gBAC9B,CAAC,CAAC,MAAM,cAAc,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,KAAK,CAAC;gBAC/D,CAAC,CAAC,KAAK,CAAC;YACV,OAAO,EAAE,EAAE,EAAE,GAAG,EAAE,CAAC;QACrB,CAAC;QACD,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;YACtB,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,yBAAyB,EAAE,CAAC;QACvD,CAAC;QACD,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,cAAc,CAAC,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;QAC9D,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,yBAAyB,EAAE,CAAC;QAC9C,CAAC;QACD,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC;YACjC,GAAG,EAAE,MAAM,CAAC,GAAG;YACf,KAAK,EAAE,MAAM,CAAC,KAAK;YACnB,OAAO;SACR,CAAC,CAAC;QACH,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,iBAAiB,EAAE,CAAC;QACtC,CAAC;QACD,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACpD,MAAM,EAAE,GAAG,OAAO,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,KAAK,IAAI,CAAC;YACtE,IAAI,CAAC,EAAE,EAAE,CAAC;gBACR,MAAM,GAAG,GACP,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,IAAI,MAAM,CAAC,KAAK;oBAClD,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC;oBACtB,CAAC,CAAC,8BAA8B,CAAC;gBACrC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC;YACnC,CAAC;YACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;QACtB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO;gBACL,EAAE,EAAE,KAAK;gBACT,KAAK,EACH,GAAG,YAAY,KAAK;oBAClB,CAAC,CAAC,oBAAoB,GAAG,CAAC,OAAO,EAAE;oBACnC,CAAC,CAAC,iBAAiB;aACxB,CAAC;QACJ,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC;AAED,sFAAsF;AACtF,SAAS,mBAAmB,CAC1B,KAAc,EACd,OAA4B,EAAE;IAE9B,MAAM,QAAQ,GAAG,CAAC,KAAK,CAAC,GAAG,EAAE,QAAQ,IAAI,EAAE,CAAC;SACzC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC;SACnB,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IACvB,IAAI,CAAC,QAAQ;QAAE,OAAO,IAAI,CAAC;IAC3B,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAClC,IAAI,IAAI,CAAC,MAAM,KAAK,OAAO,EAAE,CAAC;QAC5B,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,IAAI,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,KAAK,MAAM;YAAE,OAAO,IAAI,CAAC;QACxE,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IACD,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC"}

package/dist/secrets/schema.d.ts

@@ -0,0 +1,154 @@
+/**
+ * Drizzle schema for the framework secrets registry.
+ *
+ * The `app_secrets` table stores API keys and service credentials that
+ * templates register via `registerRequiredSecret()`. Values are always
+ * stored encrypted at rest — see `storage.ts` for the crypto layer.
+ *
+ * Rows are scoped either to a user (by email) or a workspace / organization
+ * (by orgId). OAuth-kind secrets never create a row here — they surface via
+ * `@agent-native/core/oauth-tokens` instead.
+ */
+export declare const appSecrets: import("drizzle-orm/sqlite-core").SQLiteTableWithColumns<{
+    name: "app_secrets";
+    schema: undefined;
+    columns: {
+        id: import("drizzle-orm/sqlite-core").SQLiteColumn<{
+            name: "id";
+            tableName: "app_secrets";
+            dataType: "string";
+            columnType: "SQLiteText";
+            data: string;
+            driverParam: string;
+            notNull: true;
+            hasDefault: false;
+            isPrimaryKey: true;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: [string, ...string[]];
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {
+            length: number;
+        }>;
+        scope: import("drizzle-orm/sqlite-core").SQLiteColumn<{
+            name: "scope";
+            tableName: "app_secrets";
+            dataType: "string";
+            columnType: "SQLiteText";
+            data: string;
+            driverParam: string;
+            notNull: true;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: [string, ...string[]];
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {
+            length: number;
+        }>;
+        scopeId: import("drizzle-orm/sqlite-core").SQLiteColumn<{
+            name: "scope_id";
+            tableName: "app_secrets";
+            dataType: "string";
+            columnType: "SQLiteText";
+            data: string;
+            driverParam: string;
+            notNull: true;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: [string, ...string[]];
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {
+            length: number;
+        }>;
+        key: import("drizzle-orm/sqlite-core").SQLiteColumn<{
+            name: "key";
+            tableName: "app_secrets";
+            dataType: "string";
+            columnType: "SQLiteText";
+            data: string;
+            driverParam: string;
+            notNull: true;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: [string, ...string[]];
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {
+            length: number;
+        }>;
+        encryptedValue: import("drizzle-orm/sqlite-core").SQLiteColumn<{
+            name: "encrypted_value";
+            tableName: "app_secrets";
+            dataType: "string";
+            columnType: "SQLiteText";
+            data: string;
+            driverParam: string;
+            notNull: true;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: [string, ...string[]];
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {
+            length: number;
+        }>;
+        createdAt: import("drizzle-orm/sqlite-core").SQLiteColumn<{
+            name: "created_at";
+            tableName: "app_secrets";
+            dataType: "number";
+            columnType: "SQLiteInteger";
+            data: number;
+            driverParam: number;
+            notNull: true;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: undefined;
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+        updatedAt: import("drizzle-orm/sqlite-core").SQLiteColumn<{
+            name: "updated_at";
+            tableName: "app_secrets";
+            dataType: "number";
+            columnType: "SQLiteInteger";
+            data: number;
+            driverParam: number;
+            notNull: true;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: undefined;
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+    };
+    dialect: "sqlite";
+}>;
+/**
+ * Raw SQL for creating the app_secrets table. Used by the on-demand
+ * `ensureTable()` path in `storage.ts` and by any template-level migration
+ * that wants to create the table up-front.
+ */
+export declare const APP_SECRETS_CREATE_SQL = "CREATE TABLE IF NOT EXISTS app_secrets (\n  id TEXT PRIMARY KEY,\n  scope TEXT NOT NULL,\n  scope_id TEXT NOT NULL,\n  key TEXT NOT NULL,\n  encrypted_value TEXT NOT NULL,\n  created_at INTEGER NOT NULL,\n  updated_at INTEGER NOT NULL,\n  UNIQUE(scope, scope_id, key)\n)";
+//# sourceMappingURL=schema.d.ts.map

package/dist/secrets/schema.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"schema.d.ts","sourceRoot":"","sources":["../../src/secrets/schema.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAIH,eAAO,MAAM,UAAU;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAYrB,CAAC;AAEH;;;;GAIG;AACH,eAAO,MAAM,sBAAsB,mRASjC,CAAC"}

package/dist/secrets/schema.js

@@ -0,0 +1,41 @@
+/**
+ * Drizzle schema for the framework secrets registry.
+ *
+ * The `app_secrets` table stores API keys and service credentials that
+ * templates register via `registerRequiredSecret()`. Values are always
+ * stored encrypted at rest — see `storage.ts` for the crypto layer.
+ *
+ * Rows are scoped either to a user (by email) or a workspace / organization
+ * (by orgId). OAuth-kind secrets never create a row here — they surface via
+ * `@agent-native/core/oauth-tokens` instead.
+ */
+import { table, text, integer } from "../db/schema.js";
+export const appSecrets = table("app_secrets", {
+    id: text("id").primaryKey(),
+    /** "user" or "workspace" — who the secret is scoped to. */
+    scope: text("scope").notNull(),
+    /** Session email for user-scope, orgId for workspace-scope. */
+    scopeId: text("scope_id").notNull(),
+    /** The registered secret key (e.g. "OPENAI_API_KEY"). */
+    key: text("key").notNull(),
+    /** Encrypted value — never return this through any API. */
+    encryptedValue: text("encrypted_value").notNull(),
+    createdAt: integer("created_at").notNull(),
+    updatedAt: integer("updated_at").notNull(),
+});
+/**
+ * Raw SQL for creating the app_secrets table. Used by the on-demand
+ * `ensureTable()` path in `storage.ts` and by any template-level migration
+ * that wants to create the table up-front.
+ */
+export const APP_SECRETS_CREATE_SQL = `CREATE TABLE IF NOT EXISTS app_secrets (
+  id TEXT PRIMARY KEY,
+  scope TEXT NOT NULL,
+  scope_id TEXT NOT NULL,
+  key TEXT NOT NULL,
+  encrypted_value TEXT NOT NULL,
+  created_at INTEGER NOT NULL,
+  updated_at INTEGER NOT NULL,
+  UNIQUE(scope, scope_id, key)
+)`;
+//# sourceMappingURL=schema.js.map

package/dist/secrets/schema.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"schema.js","sourceRoot":"","sources":["../../src/secrets/schema.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,iBAAiB,CAAC;AAEvD,MAAM,CAAC,MAAM,UAAU,GAAG,KAAK,CAAC,aAAa,EAAE;IAC7C,EAAE,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE;IAC3B,2DAA2D;IAC3D,KAAK,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE;IAC9B,+DAA+D;IAC/D,OAAO,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC,OAAO,EAAE;IACnC,yDAAyD;IACzD,GAAG,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,OAAO,EAAE;IAC1B,2DAA2D;IAC3D,cAAc,EAAE,IAAI,CAAC,iBAAiB,CAAC,CAAC,OAAO,EAAE;IACjD,SAAS,EAAE,OAAO,CAAC,YAAY,CAAC,CAAC,OAAO,EAAE;IAC1C,SAAS,EAAE,OAAO,CAAC,YAAY,CAAC,CAAC,OAAO,EAAE;CAC3C,CAAC,CAAC;AAEH;;;;GAIG;AACH,MAAM,CAAC,MAAM,sBAAsB,GAAG;;;;;;;;;EASpC,CAAC"}

package/dist/secrets/storage.d.ts

@@ -0,0 +1,54 @@
+/**
+ * Storage layer for the framework secrets registry.
+ *
+ * Values are encrypted at rest with AES-256-GCM. The encryption key is
+ * derived from `SECRETS_ENCRYPTION_KEY` (preferred) or the existing
+ * `BETTER_AUTH_SECRET` env var (fallback so templates don't need a second
+ * secret during development). If neither is set in production we fall back
+ * to a machine-local key derived from the cwd — the secret is still only
+ * readable on this machine, but consider setting `SECRETS_ENCRYPTION_KEY`
+ * for a stable, rotatable key.
+ *
+ * Secret values are NEVER logged and NEVER returned from any route handler.
+ */
+import type { SecretScope } from "./register.js";
+/**
+ * Return the last 4 characters of a secret, with any leading characters
+ * masked. Used to show a preview without leaking the value.
+ */
+export declare function last4(value: string): string;
+export interface SecretRef {
+    key: string;
+    scope: SecretScope;
+    scopeId: string;
+}
+export interface WriteSecretArgs extends SecretRef {
+    value: string;
+}
+/**
+ * Write (insert or update) a secret. The value is encrypted before being
+ * stored — the caller's plaintext is never persisted. Returns the new
+ * record's id.
+ */
+export declare function writeAppSecret(args: WriteSecretArgs): Promise<string>;
+export interface ReadSecretResult {
+    value: string;
+    last4: string;
+    updatedAt: number;
+}
+/**
+ * Read a secret's plaintext value. Returns null when not found. The caller
+ * is responsible for never logging the returned value.
+ */
+export declare function readAppSecret(ref: SecretRef): Promise<ReadSecretResult | null>;
+/**
+ * Return just the metadata for a secret (no value). Used by the list route so
+ * the UI can show the "Set" pill and last-4 without the decrypted value going
+ * over the wire.
+ */
+export declare function getAppSecretMeta(ref: SecretRef): Promise<{
+    last4: string;
+    updatedAt: number;
+} | null>;
+export declare function deleteAppSecret(ref: SecretRef): Promise<boolean>;
+//# sourceMappingURL=storage.d.ts.map

package/dist/secrets/storage.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"storage.d.ts","sourceRoot":"","sources":["../../src/secrets/storage.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAWH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AA0FjD;;;GAGG;AACH,wBAAgB,KAAK,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAI3C;AAMD,MAAM,WAAW,SAAS;IACxB,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,EAAE,WAAW,CAAC;IACnB,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,eAAgB,SAAQ,SAAS;IAChD,KAAK,EAAE,MAAM,CAAC;CACf;AAED;;;;GAIG;AACH,wBAAsB,cAAc,CAAC,IAAI,EAAE,eAAe,GAAG,OAAO,CAAC,MAAM,CAAC,CAgC3E;AAED,MAAM,WAAW,gBAAgB;IAC/B,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;;GAGG;AACH,wBAAsB,aAAa,CACjC,GAAG,EAAE,SAAS,GACb,OAAO,CAAC,gBAAgB,GAAG,IAAI,CAAC,CAqBlC;AAED;;;;GAIG;AACH,wBAAsB,gBAAgB,CACpC,GAAG,EAAE,SAAS,GACb,OAAO,CAAC;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAAC,CAItD;AAED,wBAAsB,eAAe,CAAC,GAAG,EAAE,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,CAStE"}