@agentick/secrets 0.7.0

package/README.md

@@ -0,0 +1,152 @@
+# @agentick/secrets
+
+Platform-native secret storage for Agentick agents. Stores credentials in
+the OS keychain on macOS and Linux, with env var fallback everywhere else.
+
+## Install
+
+```sh
+pnpm add @agentick/secrets
+```
+
+## Quick Start
+
+```typescript
+import { createSecretStore } from "@agentick/secrets";
+
+const secrets = await createSecretStore();
+
+await secrets.set("telegram.token", "bot123:ABC-xyz");
+const token = await secrets.get("telegram.token");
+```
+
+`createSecretStore()` auto-detects the best backend for the current platform.
+
+## How It Works
+
+```
+createSecretStore()
+    |
+    v
+Platform detection
+    |
+    +-- macOS ------> Keychain (security CLI)
+    +-- Linux ------> libsecret (secret-tool CLI)
+    +-- Fallback ---> Environment variables
+```
+
+All keychain operations use `execFile` with argument arrays — no shell
+interpolation, no injection risk.
+
+## Backends
+
+### Keychain (macOS)
+
+Stores secrets in the macOS Keychain via the `security` CLI. Secrets are
+encrypted at rest, protected by the login keychain, and accessible to
+Keychain Access.app.
+
+```typescript
+import { createKeychainStore } from "@agentick/secrets";
+
+const secrets = createKeychainStore({ service: "my-agent" });
+```
+
+The `service` parameter scopes secrets (default: `"agentick"`). A manifest
+key tracks all stored keys for `list()`.
+
+### libsecret (Linux)
+
+Stores secrets via `secret-tool`, the CLI for GNOME Keyring / KWallet.
+Requires `libsecret` and a running secret service.
+
+```typescript
+import { createLibsecretStore } from "@agentick/secrets";
+
+const secrets = createLibsecretStore({ service: "my-agent" });
+```
+
+`list()` uses `secret-tool search` natively — no manifest needed.
+
+### Environment Variables
+
+Reads from `process.env`. Dot-path keys are normalized to `UPPER_SNAKE_CASE`.
+
+```typescript
+import { createEnvStore } from "@agentick/secrets";
+
+const secrets = createEnvStore({ prefix: "MYAGENT" });
+
+// secrets.get("telegram.token") → process.env.MYAGENT_TELEGRAM_TOKEN
+```
+
+Without a prefix, keys map directly: `telegram.token` → `TELEGRAM_TOKEN`.
+
+### Memory
+
+In-memory Map. For testing.
+
+```typescript
+import { createMemoryStore } from "@agentick/secrets";
+
+const secrets = createMemoryStore({ "api.key": "test-value" });
+```
+
+## Explicit Backend Selection
+
+Override auto-detection when needed.
+
+```typescript
+const secrets = await createSecretStore({ backend: "env", envPrefix: "MYAPP" });
+const secrets = await createSecretStore({ backend: "keychain", service: "my-agent" });
+const secrets = await createSecretStore({ backend: "memory" });
+```
+
+## Use with Connectors
+
+Pass a secret store to connectors instead of hardcoding tokens.
+
+```typescript
+import { createSecretStore } from "@agentick/secrets";
+import { TelegramPlatform } from "@agentick/connector-telegram";
+
+const secrets = await createSecretStore();
+const token = await secrets.get("telegram.token");
+
+const platform = new TelegramPlatform({ token: token! });
+```
+
+## SecretStore Interface
+
+Defined in `@agentick/shared` so any package can accept it as a dependency.
+
+```typescript
+interface SecretStore {
+  get(key: string): Promise<string | null>;
+  set(key: string, value: string): Promise<void>;
+  delete(key: string): Promise<boolean>;
+  has(key: string): Promise<boolean>;
+  list(): Promise<string[]>;
+  readonly backend: string;
+}
+```
+
+## Exports
+
+```typescript
+// Factory (auto-detects backend)
+export { createSecretStore } from "./create-secret-store.js";
+export type { CreateSecretStoreOptions, SecretStoreBackend } from "./create-secret-store.js";
+
+// Backends
+export { createKeychainStore } from "./keychain-store.js";
+export { createLibsecretStore } from "./libsecret-store.js";
+export { createEnvStore } from "./env-store.js";
+export { createMemoryStore } from "./memory-store.js";
+export type { KeychainStoreOptions } from "./keychain-store.js";
+export type { LibsecretStoreOptions } from "./libsecret-store.js";
+export type { EnvStoreOptions } from "./env-store.js";
+
+// Interface (re-exported from @agentick/shared)
+export type { SecretStore } from "@agentick/shared";
+```

package/dist/create-secret-store.d.ts

@@ -0,0 +1,9 @@
+import type { SecretStore } from "@agentick/shared";
+export type SecretStoreBackend = "keychain" | "libsecret" | "env" | "memory" | "auto";
+export interface CreateSecretStoreOptions {
+    backend?: SecretStoreBackend;
+    service?: string;
+    envPrefix?: string;
+}
+export declare function createSecretStore(options?: CreateSecretStoreOptions): Promise<SecretStore>;
+//# sourceMappingURL=create-secret-store.d.ts.map

package/dist/create-secret-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"create-secret-store.d.ts","sourceRoot":"","sources":["../src/create-secret-store.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAMpD,MAAM,MAAM,kBAAkB,GAAG,UAAU,GAAG,WAAW,GAAG,KAAK,GAAG,QAAQ,GAAG,MAAM,CAAC;AAEtF,MAAM,WAAW,wBAAwB;IACvC,OAAO,CAAC,EAAE,kBAAkB,CAAC;IAC7B,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAiBD,wBAAsB,iBAAiB,CAAC,OAAO,CAAC,EAAE,wBAAwB,GAAG,OAAO,CAAC,WAAW,CAAC,CAkBhG"}

package/dist/create-secret-store.js

@@ -0,0 +1,35 @@
+import { exec } from "./shell.js";
+import { createKeychainStore } from "./keychain-store.js";
+import { createLibsecretStore } from "./libsecret-store.js";
+import { createEnvStore } from "./env-store.js";
+async function isAvailable(cmd) {
+    const result = await exec("which", [cmd]);
+    return result.exitCode === 0;
+}
+async function detectBackend() {
+    if (process.platform === "darwin") {
+        return "keychain";
+    }
+    if (process.platform === "linux" && (await isAvailable("secret-tool"))) {
+        return "libsecret";
+    }
+    return "env";
+}
+export async function createSecretStore(options) {
+    const backend = options?.backend === "auto" || !options?.backend ? await detectBackend() : options.backend;
+    switch (backend) {
+        case "keychain":
+            return createKeychainStore({ service: options?.service });
+        case "libsecret":
+            return createLibsecretStore({ service: options?.service });
+        case "env":
+            return createEnvStore({ prefix: options?.envPrefix });
+        case "memory": {
+            const { createMemoryStore } = await import("./memory-store.js");
+            return createMemoryStore();
+        }
+        default:
+            throw new Error(`Unknown secret store backend: ${backend}`);
+    }
+}
+//# sourceMappingURL=create-secret-store.js.map

package/dist/create-secret-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"create-secret-store.js","sourceRoot":"","sources":["../src/create-secret-store.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,IAAI,EAAE,MAAM,YAAY,CAAC;AAClC,OAAO,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AAC1D,OAAO,EAAE,oBAAoB,EAAE,MAAM,sBAAsB,CAAC;AAC5D,OAAO,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAUhD,KAAK,UAAU,WAAW,CAAC,GAAW;IACpC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC1C,OAAO,MAAM,CAAC,QAAQ,KAAK,CAAC,CAAC;AAC/B,CAAC;AAED,KAAK,UAAU,aAAa;IAC1B,IAAI,OAAO,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAClC,OAAO,UAAU,CAAC;IACpB,CAAC;IACD,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,IAAI,CAAC,MAAM,WAAW,CAAC,aAAa,CAAC,CAAC,EAAE,CAAC;QACvE,OAAO,WAAW,CAAC;IACrB,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,OAAkC;IACxE,MAAM,OAAO,GACX,OAAO,EAAE,OAAO,KAAK,MAAM,IAAI,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC,MAAM,aAAa,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC;IAE7F,QAAQ,OAAO,EAAE,CAAC;QAChB,KAAK,UAAU;YACb,OAAO,mBAAmB,CAAC,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,CAAC;QAC5D,KAAK,WAAW;YACd,OAAO,oBAAoB,CAAC,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,CAAC;QAC7D,KAAK,KAAK;YACR,OAAO,cAAc,CAAC,EAAE,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,CAAC,CAAC;QACxD,KAAK,QAAQ,CAAC,CAAC,CAAC;YACd,MAAM,EAAE,iBAAiB,EAAE,GAAG,MAAM,MAAM,CAAC,mBAAmB,CAAC,CAAC;YAChE,OAAO,iBAAiB,EAAE,CAAC;QAC7B,CAAC;QACD;YACE,MAAM,IAAI,KAAK,CAAC,iCAAiC,OAAO,EAAE,CAAC,CAAC;IAChE,CAAC;AACH,CAAC"}

package/dist/env-store.d.ts

@@ -0,0 +1,6 @@
+import type { SecretStore } from "@agentick/shared";
+export interface EnvStoreOptions {
+    prefix?: string;
+}
+export declare function createEnvStore(options?: EnvStoreOptions): SecretStore;
+//# sourceMappingURL=env-store.d.ts.map

package/dist/env-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"env-store.d.ts","sourceRoot":"","sources":["../src/env-store.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAEpD,MAAM,WAAW,eAAe;IAC9B,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAOD,wBAAgB,cAAc,CAAC,OAAO,CAAC,EAAE,eAAe,GAAG,WAAW,CAmCrE"}

package/dist/env-store.js

@@ -0,0 +1,36 @@
+function toEnvKey(key, prefix) {
+    const normalized = key.toUpperCase().replace(/[^A-Z0-9]+/g, "_");
+    return prefix ? `${prefix}_${normalized}` : normalized;
+}
+export function createEnvStore(options) {
+    const prefix = options?.prefix?.toUpperCase();
+    return {
+        backend: "env",
+        async get(key) {
+            return process.env[toEnvKey(key, prefix)] ?? null;
+        },
+        async set(key, value) {
+            process.env[toEnvKey(key, prefix)] = value;
+        },
+        async delete(key) {
+            const envKey = toEnvKey(key, prefix);
+            if (envKey in process.env) {
+                delete process.env[envKey];
+                return true;
+            }
+            return false;
+        },
+        async has(key) {
+            return toEnvKey(key, prefix) in process.env;
+        },
+        async list() {
+            const target = prefix ? `${prefix}_` : "";
+            if (!target)
+                return Object.keys(process.env);
+            return Object.keys(process.env)
+                .filter((k) => k.startsWith(target))
+                .map((k) => k.slice(target.length).toLowerCase().replace(/_/g, "."));
+        },
+    };
+}
+//# sourceMappingURL=env-store.js.map

package/dist/env-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"env-store.js","sourceRoot":"","sources":["../src/env-store.ts"],"names":[],"mappings":"AAMA,SAAS,QAAQ,CAAC,GAAW,EAAE,MAAe;IAC5C,MAAM,UAAU,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,aAAa,EAAE,GAAG,CAAC,CAAC;IACjE,OAAO,MAAM,CAAC,CAAC,CAAC,GAAG,MAAM,IAAI,UAAU,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC;AACzD,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,OAAyB;IACtD,MAAM,MAAM,GAAG,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC;IAE9C,OAAO;QACL,OAAO,EAAE,KAAK;QAEd,KAAK,CAAC,GAAG,CAAC,GAAG;YACX,OAAO,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC,IAAI,IAAI,CAAC;QACpD,CAAC;QAED,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK;YAClB,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC,GAAG,KAAK,CAAC;QAC7C,CAAC;QAED,KAAK,CAAC,MAAM,CAAC,GAAG;YACd,MAAM,MAAM,GAAG,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;YACrC,IAAI,MAAM,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;gBAC1B,OAAO,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;gBAC3B,OAAO,IAAI,CAAC;YACd,CAAC;YACD,OAAO,KAAK,CAAC;QACf,CAAC;QAED,KAAK,CAAC,GAAG,CAAC,GAAG;YACX,OAAO,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC;QAC9C,CAAC;QAED,KAAK,CAAC,IAAI;YACR,MAAM,MAAM,GAAG,MAAM,CAAC,CAAC,CAAC,GAAG,MAAM,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;YAC1C,IAAI,CAAC,MAAM;gBAAE,OAAO,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;YAC7C,OAAO,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC;iBAC5B,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;iBACnC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,CAAC;QACzE,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,7 @@
+export type { SecretStore } from "@agentick/shared";
+export { createSecretStore, type CreateSecretStoreOptions, type SecretStoreBackend, } from "./create-secret-store.js";
+export { createKeychainStore, type KeychainStoreOptions } from "./keychain-store.js";
+export { createLibsecretStore, type LibsecretStoreOptions } from "./libsecret-store.js";
+export { createEnvStore, type EnvStoreOptions } from "./env-store.js";
+export { createMemoryStore } from "./memory-store.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AACpD,OAAO,EACL,iBAAiB,EACjB,KAAK,wBAAwB,EAC7B,KAAK,kBAAkB,GACxB,MAAM,0BAA0B,CAAC;AAClC,OAAO,EAAE,mBAAmB,EAAE,KAAK,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AACrF,OAAO,EAAE,oBAAoB,EAAE,KAAK,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AACxF,OAAO,EAAE,cAAc,EAAE,KAAK,eAAe,EAAE,MAAM,gBAAgB,CAAC;AACtE,OAAO,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC"}

package/dist/index.js

@@ -0,0 +1,6 @@
+export { createSecretStore, } from "./create-secret-store.js";
+export { createKeychainStore } from "./keychain-store.js";
+export { createLibsecretStore } from "./libsecret-store.js";
+export { createEnvStore } from "./env-store.js";
+export { createMemoryStore } from "./memory-store.js";
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,OAAO,EACL,iBAAiB,GAGlB,MAAM,0BAA0B,CAAC;AAClC,OAAO,EAAE,mBAAmB,EAA6B,MAAM,qBAAqB,CAAC;AACrF,OAAO,EAAE,oBAAoB,EAA8B,MAAM,sBAAsB,CAAC;AACxF,OAAO,EAAE,cAAc,EAAwB,MAAM,gBAAgB,CAAC;AACtE,OAAO,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC"}

package/dist/keychain-store.d.ts

@@ -0,0 +1,6 @@
+import type { SecretStore } from "@agentick/shared";
+export interface KeychainStoreOptions {
+    service?: string;
+}
+export declare function createKeychainStore(options?: KeychainStoreOptions): SecretStore;
+//# sourceMappingURL=keychain-store.d.ts.map

package/dist/keychain-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"keychain-store.d.ts","sourceRoot":"","sources":["../src/keychain-store.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAMpD,MAAM,WAAW,oBAAoB;IACnC,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,wBAAgB,mBAAmB,CAAC,OAAO,CAAC,EAAE,oBAAoB,GAAG,WAAW,CAsF/E"}

package/dist/keychain-store.js

@@ -0,0 +1,83 @@
+import { exec } from "./shell.js";
+const SERVICE = "agentick";
+const MANIFEST_KEY = "__manifest__";
+export function createKeychainStore(options) {
+    const service = options?.service ?? SERVICE;
+    async function getManifest() {
+        const raw = await rawGet(MANIFEST_KEY);
+        if (!raw)
+            return [];
+        try {
+            return JSON.parse(raw);
+        }
+        catch {
+            return [];
+        }
+    }
+    async function saveManifest(keys) {
+        await rawSet(MANIFEST_KEY, JSON.stringify(keys));
+    }
+    async function rawGet(key) {
+        const result = await exec("security", [
+            "find-generic-password",
+            "-s",
+            service,
+            "-a",
+            key,
+            "-w",
+        ]);
+        if (result.exitCode !== 0)
+            return null;
+        return result.stdout;
+    }
+    async function rawSet(key, value) {
+        // Delete first to avoid "already exists" error, then add
+        await exec("security", ["delete-generic-password", "-s", service, "-a", key]);
+        const result = await exec("security", [
+            "add-generic-password",
+            "-s",
+            service,
+            "-a",
+            key,
+            "-w",
+            value,
+        ]);
+        if (result.exitCode !== 0) {
+            throw new Error(`Keychain set failed for "${key}": ${result.stderr}`);
+        }
+    }
+    async function rawDelete(key) {
+        const result = await exec("security", ["delete-generic-password", "-s", service, "-a", key]);
+        return result.exitCode === 0;
+    }
+    return {
+        backend: "keychain",
+        async get(key) {
+            return rawGet(key);
+        },
+        async set(key, value) {
+            await rawSet(key, value);
+            const manifest = await getManifest();
+            if (!manifest.includes(key)) {
+                manifest.push(key);
+                await saveManifest(manifest);
+            }
+        },
+        async delete(key) {
+            const deleted = await rawDelete(key);
+            if (deleted) {
+                const manifest = await getManifest();
+                const updated = manifest.filter((k) => k !== key);
+                await saveManifest(updated);
+            }
+            return deleted;
+        },
+        async has(key) {
+            return (await rawGet(key)) !== null;
+        },
+        async list() {
+            return getManifest();
+        },
+    };
+}
+//# sourceMappingURL=keychain-store.js.map

package/dist/keychain-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"keychain-store.js","sourceRoot":"","sources":["../src/keychain-store.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,IAAI,EAAE,MAAM,YAAY,CAAC;AAElC,MAAM,OAAO,GAAG,UAAU,CAAC;AAC3B,MAAM,YAAY,GAAG,cAAc,CAAC;AAMpC,MAAM,UAAU,mBAAmB,CAAC,OAA8B;IAChE,MAAM,OAAO,GAAG,OAAO,EAAE,OAAO,IAAI,OAAO,CAAC;IAE5C,KAAK,UAAU,WAAW;QACxB,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,YAAY,CAAC,CAAC;QACvC,IAAI,CAAC,GAAG;YAAE,OAAO,EAAE,CAAC;QACpB,IAAI,CAAC;YACH,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACzB,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;IAED,KAAK,UAAU,YAAY,CAAC,IAAc;QACxC,MAAM,MAAM,CAAC,YAAY,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC;IACnD,CAAC;IAED,KAAK,UAAU,MAAM,CAAC,GAAW;QAC/B,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,UAAU,EAAE;YACpC,uBAAuB;YACvB,IAAI;YACJ,OAAO;YACP,IAAI;YACJ,GAAG;YACH,IAAI;SACL,CAAC,CAAC;QACH,IAAI,MAAM,CAAC,QAAQ,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QACvC,OAAO,MAAM,CAAC,MAAM,CAAC;IACvB,CAAC;IAED,KAAK,UAAU,MAAM,CAAC,GAAW,EAAE,KAAa;QAC9C,yDAAyD;QACzD,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC,yBAAyB,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,CAAC,CAAC,CAAC;QAC9E,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,UAAU,EAAE;YACpC,sBAAsB;YACtB,IAAI;YACJ,OAAO;YACP,IAAI;YACJ,GAAG;YACH,IAAI;YACJ,KAAK;SACN,CAAC,CAAC;QACH,IAAI,MAAM,CAAC,QAAQ,KAAK,CAAC,EAAE,CAAC;YAC1B,MAAM,IAAI,KAAK,CAAC,4BAA4B,GAAG,MAAM,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;QACxE,CAAC;IACH,CAAC;IAED,KAAK,UAAU,SAAS,CAAC,GAAW;QAClC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC,yBAAyB,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,CAAC,CAAC,CAAC;QAC7F,OAAO,MAAM,CAAC,QAAQ,KAAK,CAAC,CAAC;IAC/B,CAAC;IAED,OAAO;QACL,OAAO,EAAE,UAAU;QAEnB,KAAK,CAAC,GAAG,CAAC,GAAG;YACX,OAAO,MAAM,CAAC,GAAG,CAAC,CAAC;QACrB,CAAC;QAED,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK;YAClB,MAAM,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;YACzB,MAAM,QAAQ,GAAG,MAAM,WAAW,EAAE,CAAC;YACrC,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;gBAC5B,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;gBACnB,MAAM,YAAY,CAAC,QAAQ,CAAC,CAAC;YAC/B,CAAC;QACH,CAAC;QAED,KAAK,CAAC,MAAM,CAAC,GAAG;YACd,MAAM,OAAO,GAAG,MAAM,SAAS,CAAC,GAAG,CAAC,CAAC;YACrC,IAAI,OAAO,EAAE,CAAC;gBACZ,MAAM,QAAQ,GAAG,MAAM,WAAW,EAAE,CAAC;gBACrC,MAAM,OAAO,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC;gBAClD,MAAM,YAAY,CAAC,OAAO,CAAC,CAAC;YAC9B,CAAC;YACD,OAAO,OAAO,CAAC;QACjB,CAAC;QAED,KAAK,CAAC,GAAG,CAAC,GAAG;YACX,OAAO,CAAC,MAAM,MAAM,CAAC,GAAG,CAAC,CAAC,KAAK,IAAI,CAAC;QACtC,CAAC;QAED,KAAK,CAAC,IAAI;YACR,OAAO,WAAW,EAAE,CAAC;QACvB,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/libsecret-store.d.ts

@@ -0,0 +1,6 @@
+import type { SecretStore } from "@agentick/shared";
+export interface LibsecretStoreOptions {
+    service?: string;
+}
+export declare function createLibsecretStore(options?: LibsecretStoreOptions): SecretStore;
+//# sourceMappingURL=libsecret-store.d.ts.map

package/dist/libsecret-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"libsecret-store.d.ts","sourceRoot":"","sources":["../src/libsecret-store.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAKpD,MAAM,WAAW,qBAAqB;IACpC,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,wBAAgB,oBAAoB,CAAC,OAAO,CAAC,EAAE,qBAAqB,GAAG,WAAW,CA4CjF"}

package/dist/libsecret-store.js

@@ -0,0 +1,41 @@
+import { exec, execWithStdin } from "./shell.js";
+const SERVICE = "agentick";
+export function createLibsecretStore(options) {
+    const service = options?.service ?? SERVICE;
+    return {
+        backend: "libsecret",
+        async get(key) {
+            const result = await exec("secret-tool", ["lookup", "service", service, "key", key]);
+            if (result.exitCode !== 0 || !result.stdout)
+                return null;
+            return result.stdout;
+        },
+        async set(key, value) {
+            const result = await execWithStdin("secret-tool", ["store", `--label=${service}: ${key}`, "service", service, "key", key], value);
+            if (result.exitCode !== 0) {
+                throw new Error(`libsecret set failed for "${key}": ${result.stderr}`);
+            }
+        },
+        async delete(key) {
+            const result = await exec("secret-tool", ["clear", "service", service, "key", key]);
+            return result.exitCode === 0;
+        },
+        async has(key) {
+            const result = await exec("secret-tool", ["lookup", "service", service, "key", key]);
+            return result.exitCode === 0 && result.stdout !== "";
+        },
+        async list() {
+            const result = await exec("secret-tool", ["search", "service", service]);
+            if (result.exitCode !== 0 || !result.stdout)
+                return [];
+            const keys = [];
+            for (const line of result.stdout.split("\n")) {
+                const match = line.match(/^attribute\.key = (.+)$/);
+                if (match)
+                    keys.push(match[1]);
+            }
+            return keys;
+        },
+    };
+}
+//# sourceMappingURL=libsecret-store.js.map

package/dist/libsecret-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"libsecret-store.js","sourceRoot":"","sources":["../src/libsecret-store.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAEjD,MAAM,OAAO,GAAG,UAAU,CAAC;AAM3B,MAAM,UAAU,oBAAoB,CAAC,OAA+B;IAClE,MAAM,OAAO,GAAG,OAAO,EAAE,OAAO,IAAI,OAAO,CAAC;IAE5C,OAAO;QACL,OAAO,EAAE,WAAW;QAEpB,KAAK,CAAC,GAAG,CAAC,GAAG;YACX,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa,EAAE,CAAC,QAAQ,EAAE,SAAS,EAAE,OAAO,EAAE,KAAK,EAAE,GAAG,CAAC,CAAC,CAAC;YACrF,IAAI,MAAM,CAAC,QAAQ,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM;gBAAE,OAAO,IAAI,CAAC;YACzD,OAAO,MAAM,CAAC,MAAM,CAAC;QACvB,CAAC;QAED,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK;YAClB,MAAM,MAAM,GAAG,MAAM,aAAa,CAChC,aAAa,EACb,CAAC,OAAO,EAAE,WAAW,OAAO,KAAK,GAAG,EAAE,EAAE,SAAS,EAAE,OAAO,EAAE,KAAK,EAAE,GAAG,CAAC,EACvE,KAAK,CACN,CAAC;YACF,IAAI,MAAM,CAAC,QAAQ,KAAK,CAAC,EAAE,CAAC;gBAC1B,MAAM,IAAI,KAAK,CAAC,6BAA6B,GAAG,MAAM,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;YACzE,CAAC;QACH,CAAC;QAED,KAAK,CAAC,MAAM,CAAC,GAAG;YACd,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa,EAAE,CAAC,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,KAAK,EAAE,GAAG,CAAC,CAAC,CAAC;YACpF,OAAO,MAAM,CAAC,QAAQ,KAAK,CAAC,CAAC;QAC/B,CAAC;QAED,KAAK,CAAC,GAAG,CAAC,GAAG;YACX,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa,EAAE,CAAC,QAAQ,EAAE,SAAS,EAAE,OAAO,EAAE,KAAK,EAAE,GAAG,CAAC,CAAC,CAAC;YACrF,OAAO,MAAM,CAAC,QAAQ,KAAK,CAAC,IAAI,MAAM,CAAC,MAAM,KAAK,EAAE,CAAC;QACvD,CAAC;QAED,KAAK,CAAC,IAAI;YACR,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa,EAAE,CAAC,QAAQ,EAAE,SAAS,EAAE,OAAO,CAAC,CAAC,CAAC;YACzE,IAAI,MAAM,CAAC,QAAQ,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM;gBAAE,OAAO,EAAE,CAAC;YACvD,MAAM,IAAI,GAAa,EAAE,CAAC;YAC1B,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC7C,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,yBAAyB,CAAC,CAAC;gBACpD,IAAI,KAAK;oBAAE,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;YACjC,CAAC;YACD,OAAO,IAAI,CAAC;QACd,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/memory-store.d.ts

@@ -0,0 +1,3 @@
+import type { SecretStore } from "@agentick/shared";
+export declare function createMemoryStore(initial?: Record<string, string>): SecretStore;
+//# sourceMappingURL=memory-store.d.ts.map

package/dist/memory-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"memory-store.d.ts","sourceRoot":"","sources":["../src/memory-store.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAEpD,wBAAgB,iBAAiB,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,WAAW,CA0B/E"}

package/dist/memory-store.js

@@ -0,0 +1,22 @@
+export function createMemoryStore(initial) {
+    const secrets = new Map(initial ? Object.entries(initial) : []);
+    return {
+        backend: "memory",
+        async get(key) {
+            return secrets.get(key) ?? null;
+        },
+        async set(key, value) {
+            secrets.set(key, value);
+        },
+        async delete(key) {
+            return secrets.delete(key);
+        },
+        async has(key) {
+            return secrets.has(key);
+        },
+        async list() {
+            return [...secrets.keys()];
+        },
+    };
+}
+//# sourceMappingURL=memory-store.js.map

package/dist/memory-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"memory-store.js","sourceRoot":"","sources":["../src/memory-store.ts"],"names":[],"mappings":"AAEA,MAAM,UAAU,iBAAiB,CAAC,OAAgC;IAChE,MAAM,OAAO,GAAG,IAAI,GAAG,CAAiB,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;IAEhF,OAAO;QACL,OAAO,EAAE,QAAQ;QAEjB,KAAK,CAAC,GAAG,CAAC,GAAG;YACX,OAAO,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC;QAClC,CAAC;QAED,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK;YAClB,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QAC1B,CAAC;QAED,KAAK,CAAC,MAAM,CAAC,GAAG;YACd,OAAO,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC7B,CAAC;QAED,KAAK,CAAC,GAAG,CAAC,GAAG;YACX,OAAO,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAC1B,CAAC;QAED,KAAK,CAAC,IAAI;YACR,OAAO,CAAC,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;QAC7B,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/shell.d.ts

@@ -0,0 +1,8 @@
+export interface ExecResult {
+    stdout: string;
+    stderr: string;
+    exitCode: number;
+}
+export declare function exec(cmd: string, args: string[]): Promise<ExecResult>;
+export declare function execWithStdin(cmd: string, args: string[], input: string): Promise<ExecResult>;
+//# sourceMappingURL=shell.d.ts.map

package/dist/shell.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"shell.d.ts","sourceRoot":"","sources":["../src/shell.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,UAAU;IACzB,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;CAClB;AAgBD,wBAAgB,IAAI,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,UAAU,CAAC,CAUrE;AAED,wBAAgB,aAAa,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC,CAY7F"}

package/dist/shell.js

@@ -0,0 +1,43 @@
+import { execFile as execFileCb } from "node:child_process";
+function extractExitCode(error) {
+    if (!error)
+        return 0;
+    // ENOENT = command not found
+    if (error.code === "ENOENT")
+        return -1;
+    // ExecException: .status holds the exit code on macOS/Linux
+    const status = error.status;
+    if (typeof status === "number")
+        return status;
+    // Fallback: .code might be the exit code as a number
+    const code = error.code;
+    if (typeof code === "number")
+        return code;
+    // Error exists but no exit code found — assume non-zero
+    return 1;
+}
+export function exec(cmd, args) {
+    return new Promise((resolve) => {
+        execFileCb(cmd, args, { encoding: "utf-8" }, (error, stdout, stderr) => {
+            resolve({
+                stdout: (stdout ?? "").trim(),
+                stderr: (stderr ?? "").trim(),
+                exitCode: extractExitCode(error),
+            });
+        });
+    });
+}
+export function execWithStdin(cmd, args, input) {
+    return new Promise((resolve) => {
+        const child = execFileCb(cmd, args, { encoding: "utf-8" }, (error, stdout, stderr) => {
+            resolve({
+                stdout: (stdout ?? "").trim(),
+                stderr: (stderr ?? "").trim(),
+                exitCode: extractExitCode(error),
+            });
+        });
+        child.stdin?.write(input);
+        child.stdin?.end();
+    });
+}
+//# sourceMappingURL=shell.js.map

package/dist/shell.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"shell.js","sourceRoot":"","sources":["../src/shell.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,IAAI,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAQ5D,SAAS,eAAe,CAAC,KAAmB;IAC1C,IAAI,CAAC,KAAK;QAAE,OAAO,CAAC,CAAC;IACrB,6BAA6B;IAC7B,IAAK,KAAa,CAAC,IAAI,KAAK,QAAQ;QAAE,OAAO,CAAC,CAAC,CAAC;IAChD,4DAA4D;IAC5D,MAAM,MAAM,GAAI,KAAa,CAAC,MAAM,CAAC;IACrC,IAAI,OAAO,MAAM,KAAK,QAAQ;QAAE,OAAO,MAAM,CAAC;IAC9C,qDAAqD;IACrD,MAAM,IAAI,GAAI,KAAa,CAAC,IAAI,CAAC;IACjC,IAAI,OAAO,IAAI,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IAC1C,wDAAwD;IACxD,OAAO,CAAC,CAAC;AACX,CAAC;AAED,MAAM,UAAU,IAAI,CAAC,GAAW,EAAE,IAAc;IAC9C,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;QAC7B,UAAU,CAAC,GAAG,EAAE,IAAI,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,EAAE;YACrE,OAAO,CAAC;gBACN,MAAM,EAAE,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE;gBAC7B,MAAM,EAAE,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE;gBAC7B,QAAQ,EAAE,eAAe,CAAC,KAAK,CAAC;aACjC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,GAAW,EAAE,IAAc,EAAE,KAAa;IACtE,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;QAC7B,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE,IAAI,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,EAAE;YACnF,OAAO,CAAC;gBACN,MAAM,EAAE,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE;gBAC7B,MAAM,EAAE,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE;gBAC7B,QAAQ,EAAE,eAAe,CAAC,KAAK,CAAC;aACjC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QACH,KAAK,CAAC,KAAK,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;QAC1B,KAAK,CAAC,KAAK,EAAE,GAAG,EAAE,CAAC;IACrB,CAAC,CAAC,CAAC;AACL,CAAC"}

package/package.json

@@ -0,0 +1,54 @@
+{
+  "name": "@agentick/secrets",
+  "version": "0.7.0",
+  "description": "Platform-native secret storage for Agentick agents",
+  "keywords": [
+    "agent",
+    "ai",
+    "credentials",
+    "keychain",
+    "secrets"
+  ],
+  "license": "MIT",
+  "author": "Ryan Lindgren",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/agenticklabs/agentick.git",
+    "directory": "packages/secrets"
+  },
+  "files": [
+    "dist"
+  ],
+  "type": "module",
+  "main": "src/index.ts",
+  "exports": {
+    ".": "./src/index.ts"
+  },
+  "publishConfig": {
+    "access": "public",
+    "exports": {
+      ".": {
+        "types": "./dist/index.d.ts",
+        "import": "./dist/index.js"
+      }
+    },
+    "main": "./dist/index.js",
+    "types": "./dist/index.d.ts"
+  },
+  "scripts": {
+    "build": "tsc -p tsconfig.build.json",
+    "test": "echo \"Tests run from workspace root\"",
+    "typecheck": "tsc -p tsconfig.build.json --noEmit",
+    "lint": "oxlint src/",
+    "format:check": "oxfmt --check src/",
+    "clean": "rm -rf dist tsconfig.build.tsbuildinfo",
+    "prepublishOnly": "pnpm build",
+    "dev": "tsc --watch"
+  },
+  "dependencies": {
+    "@agentick/shared": "workspace:*"
+  },
+  "devDependencies": {
+    "typescript": "^5.8.3"
+  }
+}

package/src/index.ts

@@ -0,0 +1,10 @@
+export type { SecretStore } from "@agentick/shared";
+export {
+  createSecretStore,
+  type CreateSecretStoreOptions,
+  type SecretStoreBackend,
+} from "./create-secret-store.js";
+export { createKeychainStore, type KeychainStoreOptions } from "./keychain-store.js";
+export { createLibsecretStore, type LibsecretStoreOptions } from "./libsecret-store.js";
+export { createEnvStore, type EnvStoreOptions } from "./env-store.js";
+export { createMemoryStore } from "./memory-store.js";