npm - @aigne/afs-cli - Versions diffs - 1.11.0-beta.11 → 1.11.0-beta.12 - Mend

@aigne/afs-cli 1.11.0-beta.11 → 1.11.0-beta.12

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (154) hide show

package/dist/cli.cjs +3 -2
package/dist/cli.mjs +3 -2
package/dist/cli.mjs.map +1 -1
package/dist/config/afs-loader.cjs +64 -315
package/dist/config/afs-loader.d.cts.map +1 -1
package/dist/config/afs-loader.d.mts +2 -1
package/dist/config/afs-loader.d.mts.map +1 -1
package/dist/config/afs-loader.mjs +59 -310
package/dist/config/afs-loader.mjs.map +1 -1
package/dist/config/credential-helpers.cjs +291 -0
package/dist/config/credential-helpers.d.mts +2 -0
package/dist/config/credential-helpers.mjs +288 -0
package/dist/config/credential-helpers.mjs.map +1 -0
package/dist/config/loader.cjs +3 -1
package/dist/config/loader.mjs +3 -2
package/dist/config/loader.mjs.map +1 -1
package/dist/config/program-install.cjs +276 -0
package/dist/config/program-install.d.mts +1 -0
package/dist/config/program-install.mjs +273 -0
package/dist/config/program-install.mjs.map +1 -0
package/dist/core/commands/connect.cjs +53 -0
package/dist/core/commands/connect.d.mts +2 -0
package/dist/core/commands/connect.mjs +55 -0
package/dist/core/commands/connect.mjs.map +1 -0
package/dist/core/commands/daemon.cjs +207 -0
package/dist/core/commands/daemon.d.mts +2 -0
package/dist/core/commands/daemon.mjs +208 -0
package/dist/core/commands/daemon.mjs.map +1 -0
package/dist/core/commands/explain.cjs +3 -1
package/dist/core/commands/explain.mjs +3 -1
package/dist/core/commands/explain.mjs.map +1 -1
package/dist/core/commands/explore.cjs +47 -12
package/dist/core/commands/explore.mjs +47 -12
package/dist/core/commands/explore.mjs.map +1 -1
package/dist/core/commands/gen-agent-md.cjs +126 -0
package/dist/core/commands/gen-agent-md.d.mts +2 -0
package/dist/core/commands/gen-agent-md.mjs +125 -0
package/dist/core/commands/gen-agent-md.mjs.map +1 -0
package/dist/core/commands/index.cjs +13 -1
package/dist/core/commands/index.d.cts.map +1 -1
package/dist/core/commands/index.d.mts +6 -0
package/dist/core/commands/index.d.mts.map +1 -1
package/dist/core/commands/index.mjs +13 -1
package/dist/core/commands/index.mjs.map +1 -1
package/dist/core/commands/install.cjs +91 -0
package/dist/core/commands/install.d.mts +2 -0
package/dist/core/commands/install.mjs +92 -0
package/dist/core/commands/install.mjs.map +1 -0
package/dist/core/commands/ls.cjs +14 -2
package/dist/core/commands/ls.d.cts +2 -0
package/dist/core/commands/ls.d.cts.map +1 -1
package/dist/core/commands/ls.d.mts +2 -0
package/dist/core/commands/ls.d.mts.map +1 -1
package/dist/core/commands/ls.mjs +14 -2
package/dist/core/commands/ls.mjs.map +1 -1
package/dist/core/commands/mcp-bridge.cjs +201 -0
package/dist/core/commands/mcp-bridge.d.mts +2 -0
package/dist/core/commands/mcp-bridge.mjs +201 -0
package/dist/core/commands/mcp-bridge.mjs.map +1 -0
package/dist/core/commands/read.cjs +20 -7
package/dist/core/commands/read.d.cts +2 -0
package/dist/core/commands/read.d.cts.map +1 -1
package/dist/core/commands/read.d.mts +2 -0
package/dist/core/commands/read.d.mts.map +1 -1
package/dist/core/commands/read.mjs +20 -7
package/dist/core/commands/read.mjs.map +1 -1
package/dist/core/commands/search.cjs +5 -1
package/dist/core/commands/search.mjs +5 -1
package/dist/core/commands/search.mjs.map +1 -1
package/dist/core/commands/stat.mjs.map +1 -1
package/dist/core/commands/types.d.cts +2 -0
package/dist/core/commands/types.d.cts.map +1 -1
package/dist/core/commands/types.d.mts +2 -0
package/dist/core/commands/types.d.mts.map +1 -1
package/dist/core/commands/types.mjs.map +1 -1
package/dist/core/commands/vault.cjs +289 -0
package/dist/core/commands/vault.d.mts +2 -0
package/dist/core/commands/vault.mjs +289 -0
package/dist/core/commands/vault.mjs.map +1 -0
package/dist/core/commands/write.cjs +19 -6
package/dist/core/commands/write.d.cts +2 -1
package/dist/core/commands/write.d.cts.map +1 -1
package/dist/core/commands/write.d.mts +2 -1
package/dist/core/commands/write.d.mts.map +1 -1
package/dist/core/commands/write.mjs +19 -6
package/dist/core/commands/write.mjs.map +1 -1
package/dist/core/executor/index.cjs +95 -19
package/dist/core/executor/index.d.cts +4 -0
package/dist/core/executor/index.d.cts.map +1 -1
package/dist/core/executor/index.d.mts +4 -0
package/dist/core/executor/index.d.mts.map +1 -1
package/dist/core/executor/index.mjs +95 -19
package/dist/core/executor/index.mjs.map +1 -1
package/dist/core/formatters/index.d.mts +1 -0
package/dist/core/formatters/install.cjs +21 -0
package/dist/core/formatters/install.d.mts +1 -0
package/dist/core/formatters/install.mjs +19 -0
package/dist/core/formatters/install.mjs.map +1 -0
package/dist/core/formatters/vault.cjs +36 -0
package/dist/core/formatters/vault.mjs +32 -0
package/dist/core/formatters/vault.mjs.map +1 -0
package/dist/credential/index.d.mts +2 -1
package/dist/credential/mcp-auth-context.cjs +21 -5
package/dist/credential/mcp-auth-context.mjs +21 -5
package/dist/credential/mcp-auth-context.mjs.map +1 -1
package/dist/credential/resolver.cjs +7 -2
package/dist/credential/resolver.mjs +7 -2
package/dist/credential/resolver.mjs.map +1 -1
package/dist/credential/vault-store.d.mts +1 -0
package/dist/daemon/config-manager.cjs +279 -0
package/dist/daemon/config-manager.mjs +279 -0
package/dist/daemon/config-manager.mjs.map +1 -0
package/dist/daemon/manager.cjs +164 -0
package/dist/daemon/manager.mjs +157 -0
package/dist/daemon/manager.mjs.map +1 -0
package/dist/daemon/server.cjs +220 -0
package/dist/daemon/server.mjs +220 -0
package/dist/daemon/server.mjs.map +1 -0
package/dist/mcp/http-transport.cjs +14 -1
package/dist/mcp/http-transport.mjs +14 -1
package/dist/mcp/http-transport.mjs.map +1 -1
package/dist/mcp/server.cjs +4 -2
package/dist/mcp/server.mjs +4 -2
package/dist/mcp/server.mjs.map +1 -1
package/dist/mcp/tools.cjs +62 -12
package/dist/mcp/tools.mjs +62 -12
package/dist/mcp/tools.mjs.map +1 -1
package/dist/program/daemon-integration.cjs +46 -0
package/dist/program/daemon-integration.mjs +45 -0
package/dist/program/daemon-integration.mjs.map +1 -0
package/dist/program/program-manager.cjs +162 -0
package/dist/program/program-manager.mjs +162 -0
package/dist/program/program-manager.mjs.map +1 -0
package/dist/program/trigger-scanner.cjs +148 -0
package/dist/program/trigger-scanner.mjs +148 -0
package/dist/program/trigger-scanner.mjs.map +1 -0
package/dist/providers/vault/dist/_virtual/_@oxc-project_runtime@0.108.0/helpers/decorate.cjs +11 -0
package/dist/providers/vault/dist/_virtual/_@oxc-project_runtime@0.108.0/helpers/decorate.mjs +11 -0
package/dist/providers/vault/dist/_virtual/_@oxc-project_runtime@0.108.0/helpers/decorate.mjs.map +1 -0
package/dist/providers/vault/dist/encrypted-file.cjs +158 -0
package/dist/providers/vault/dist/encrypted-file.mjs +153 -0
package/dist/providers/vault/dist/encrypted-file.mjs.map +1 -0
package/dist/providers/vault/dist/index.cjs +405 -0
package/dist/providers/vault/dist/index.mjs +400 -0
package/dist/providers/vault/dist/index.mjs.map +1 -0
package/dist/providers/vault/dist/key-resolver.cjs +181 -0
package/dist/providers/vault/dist/key-resolver.mjs +180 -0
package/dist/providers/vault/dist/key-resolver.mjs.map +1 -0
package/dist/repl.cjs +105 -14
package/dist/repl.d.cts.map +1 -1
package/dist/repl.d.mts.map +1 -1
package/dist/repl.mjs +105 -14
package/dist/repl.mjs.map +1 -1
package/package.json +29 -22

package/dist/providers/vault/dist/encrypted-file.cjs ADDED Viewed

@@ -0,0 +1,158 @@
+const require_rolldown_runtime = require('../../../_virtual/rolldown_runtime.cjs');
+let node_crypto = require("node:crypto");
+let node_fs_promises = require("node:fs/promises");
+let node_path = require("node:path");
+//#region ../../providers/vault/dist/encrypted-file.mjs
+/**
+* Encrypted file backend for vault storage.
+*
+* - AES-256-GCM encryption
+* - Master key: 256-bit random or crypto.scrypt-derived from passphrase
+* - File format: JSON header + encrypted blob
+* - File permissions: 0600
+*/
+/** Encryption parameters */
+const KEY_LENGTH = 32;
+const IV_LENGTH = 12;
+const SALT_LENGTH = 32;
+const AUTH_TAG_LENGTH = 16;
+const SCRYPT_N = 2 ** 14;
+const SCRYPT_R = 8;
+const SCRYPT_P = 1;
+const SCRYPT_KEYLEN = KEY_LENGTH;
+const FILE_MODE = 384;
+/** Magic bytes to identify vault files */
+const MAGIC = "AFSVAULT";
+const FORMAT_VERSION = 1;
+/**
+* Generate a random 256-bit master key.
+*/
+function generateMasterKey() {
+	return (0, node_crypto.randomBytes)(KEY_LENGTH);
+}
+/**
+* Derive a master key from a passphrase using crypto.scrypt.
+*/
+function deriveKeyFromPassphrase(passphrase, salt) {
+	return (0, node_crypto.scryptSync)(passphrase, salt, SCRYPT_KEYLEN, {
+		N: SCRYPT_N,
+		r: SCRYPT_R,
+		p: SCRYPT_P
+	});
+}
+/**
+* Encrypt vault data and write to file.
+*/
+async function writeEncryptedVault(filePath, data, masterKey) {
+	const json = JSON.stringify(data);
+	const plaintext = Buffer.from(json, "utf-8");
+	const salt = (0, node_crypto.randomBytes)(SALT_LENGTH);
+	const iv = (0, node_crypto.randomBytes)(IV_LENGTH);
+	const cipher = (0, node_crypto.createCipheriv)("aes-256-gcm", masterKey, iv);
+	const encrypted = Buffer.concat([cipher.update(plaintext), cipher.final()]);
+	const authTag = cipher.getAuthTag();
+	const magic = Buffer.from(MAGIC, "ascii");
+	const version = Buffer.alloc(1);
+	version[0] = FORMAT_VERSION;
+	const fileContent = Buffer.concat([
+		magic,
+		version,
+		salt,
+		iv,
+		authTag,
+		encrypted
+	]);
+	await (0, node_fs_promises.mkdir)((0, node_path.dirname)(filePath), { recursive: true });
+	const tmpPath = `${filePath}.tmp.${process.pid}`;
+	try {
+		await (0, node_fs_promises.writeFile)(tmpPath, fileContent, { mode: FILE_MODE });
+		await (0, node_fs_promises.rename)(tmpPath, filePath);
+	} catch (err) {
+		try {
+			const { unlink } = await import("node:fs/promises");
+			await unlink(tmpPath);
+		} catch {}
+		throw err;
+	}
+	try {
+		if (((await (0, node_fs_promises.stat)(filePath)).mode & 511) !== FILE_MODE) await (0, node_fs_promises.chmod)(filePath, FILE_MODE);
+	} catch {}
+}
+/**
+* Read and decrypt vault data from file.
+* Returns null if file does not exist.
+*/
+async function readEncryptedVault(filePath, masterKey) {
+	let fileContent;
+	try {
+		fileContent = await (0, node_fs_promises.readFile)(filePath);
+	} catch (err) {
+		if (err?.code === "ENOENT") return null;
+		throw err;
+	}
+	const magicLen = 8;
+	const minSize = magicLen + 1 + SALT_LENGTH + IV_LENGTH + AUTH_TAG_LENGTH;
+	if (fileContent.length < minSize) throw new Error("Vault file is corrupted: too small");
+	if (fileContent.subarray(0, magicLen).toString("ascii") !== MAGIC) throw new Error("Not a valid vault file");
+	const version = fileContent[magicLen];
+	if (version !== FORMAT_VERSION) throw new Error(`Unsupported vault format version: ${version}`);
+	let offset = magicLen + 1;
+	fileContent.subarray(offset, offset + SALT_LENGTH);
+	offset += SALT_LENGTH;
+	const iv = fileContent.subarray(offset, offset + IV_LENGTH);
+	offset += IV_LENGTH;
+	const authTag = fileContent.subarray(offset, offset + AUTH_TAG_LENGTH);
+	offset += AUTH_TAG_LENGTH;
+	const ciphertext = fileContent.subarray(offset);
+	const decipher = (0, node_crypto.createDecipheriv)("aes-256-gcm", masterKey, iv);
+	decipher.setAuthTag(authTag);
+	let plaintext;
+	try {
+		plaintext = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
+	} catch {
+		throw new Error("Vault decryption failed: wrong master key or corrupted data");
+	}
+	const json = plaintext.toString("utf-8");
+	try {
+		return JSON.parse(json);
+	} catch {
+		throw new Error("Vault data is corrupted: invalid JSON after decryption");
+	}
+}
+/**
+* Read the per-file salt from a vault file header.
+* Returns null if file does not exist or is not a valid vault file.
+*/
+async function readVaultSalt(filePath) {
+	let fileContent;
+	try {
+		fileContent = await (0, node_fs_promises.readFile)(filePath);
+	} catch {
+		return null;
+	}
+	const magicLen = 8;
+	const minSize = magicLen + 1 + SALT_LENGTH;
+	if (fileContent.length < minSize) return null;
+	if (fileContent.subarray(0, magicLen).toString("ascii") !== MAGIC) return null;
+	return fileContent.subarray(magicLen + 1, magicLen + 1 + SALT_LENGTH);
+}
+/**
+* Check if a vault file exists.
+*/
+async function vaultFileExists(filePath) {
+	try {
+		await (0, node_fs_promises.stat)(filePath);
+		return true;
+	} catch {
+		return false;
+	}
+}
+//#endregion
+exports.deriveKeyFromPassphrase = deriveKeyFromPassphrase;
+exports.generateMasterKey = generateMasterKey;
+exports.readEncryptedVault = readEncryptedVault;
+exports.readVaultSalt = readVaultSalt;
+exports.vaultFileExists = vaultFileExists;
+exports.writeEncryptedVault = writeEncryptedVault;

package/dist/providers/vault/dist/encrypted-file.mjs ADDED Viewed

@@ -0,0 +1,153 @@
+import { createCipheriv, createDecipheriv, randomBytes, scryptSync } from "node:crypto";
+import { chmod, mkdir, readFile, rename, stat, writeFile } from "node:fs/promises";
+import { dirname } from "node:path";
+//#region ../../providers/vault/dist/encrypted-file.mjs
+/**
+* Encrypted file backend for vault storage.
+*
+* - AES-256-GCM encryption
+* - Master key: 256-bit random or crypto.scrypt-derived from passphrase
+* - File format: JSON header + encrypted blob
+* - File permissions: 0600
+*/
+/** Encryption parameters */
+const KEY_LENGTH = 32;
+const IV_LENGTH = 12;
+const SALT_LENGTH = 32;
+const AUTH_TAG_LENGTH = 16;
+const SCRYPT_N = 2 ** 14;
+const SCRYPT_R = 8;
+const SCRYPT_P = 1;
+const SCRYPT_KEYLEN = KEY_LENGTH;
+const FILE_MODE = 384;
+/** Magic bytes to identify vault files */
+const MAGIC = "AFSVAULT";
+const FORMAT_VERSION = 1;
+/**
+* Generate a random 256-bit master key.
+*/
+function generateMasterKey() {
+	return randomBytes(KEY_LENGTH);
+}
+/**
+* Derive a master key from a passphrase using crypto.scrypt.
+*/
+function deriveKeyFromPassphrase(passphrase, salt) {
+	return scryptSync(passphrase, salt, SCRYPT_KEYLEN, {
+		N: SCRYPT_N,
+		r: SCRYPT_R,
+		p: SCRYPT_P
+	});
+}
+/**
+* Encrypt vault data and write to file.
+*/
+async function writeEncryptedVault(filePath, data, masterKey) {
+	const json = JSON.stringify(data);
+	const plaintext = Buffer.from(json, "utf-8");
+	const salt = randomBytes(SALT_LENGTH);
+	const iv = randomBytes(IV_LENGTH);
+	const cipher = createCipheriv("aes-256-gcm", masterKey, iv);
+	const encrypted = Buffer.concat([cipher.update(plaintext), cipher.final()]);
+	const authTag = cipher.getAuthTag();
+	const magic = Buffer.from(MAGIC, "ascii");
+	const version = Buffer.alloc(1);
+	version[0] = FORMAT_VERSION;
+	const fileContent = Buffer.concat([
+		magic,
+		version,
+		salt,
+		iv,
+		authTag,
+		encrypted
+	]);
+	await mkdir(dirname(filePath), { recursive: true });
+	const tmpPath = `${filePath}.tmp.${process.pid}`;
+	try {
+		await writeFile(tmpPath, fileContent, { mode: FILE_MODE });
+		await rename(tmpPath, filePath);
+	} catch (err) {
+		try {
+			const { unlink: unlink$1 } = await import("node:fs/promises");
+			await unlink$1(tmpPath);
+		} catch {}
+		throw err;
+	}
+	try {
+		if (((await stat(filePath)).mode & 511) !== FILE_MODE) await chmod(filePath, FILE_MODE);
+	} catch {}
+}
+/**
+* Read and decrypt vault data from file.
+* Returns null if file does not exist.
+*/
+async function readEncryptedVault(filePath, masterKey) {
+	let fileContent;
+	try {
+		fileContent = await readFile(filePath);
+	} catch (err) {
+		if (err?.code === "ENOENT") return null;
+		throw err;
+	}
+	const magicLen = 8;
+	const minSize = magicLen + 1 + SALT_LENGTH + IV_LENGTH + AUTH_TAG_LENGTH;
+	if (fileContent.length < minSize) throw new Error("Vault file is corrupted: too small");
+	if (fileContent.subarray(0, magicLen).toString("ascii") !== MAGIC) throw new Error("Not a valid vault file");
+	const version = fileContent[magicLen];
+	if (version !== FORMAT_VERSION) throw new Error(`Unsupported vault format version: ${version}`);
+	let offset = magicLen + 1;
+	fileContent.subarray(offset, offset + SALT_LENGTH);
+	offset += SALT_LENGTH;
+	const iv = fileContent.subarray(offset, offset + IV_LENGTH);
+	offset += IV_LENGTH;
+	const authTag = fileContent.subarray(offset, offset + AUTH_TAG_LENGTH);
+	offset += AUTH_TAG_LENGTH;
+	const ciphertext = fileContent.subarray(offset);
+	const decipher = createDecipheriv("aes-256-gcm", masterKey, iv);
+	decipher.setAuthTag(authTag);
+	let plaintext;
+	try {
+		plaintext = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
+	} catch {
+		throw new Error("Vault decryption failed: wrong master key or corrupted data");
+	}
+	const json = plaintext.toString("utf-8");
+	try {
+		return JSON.parse(json);
+	} catch {
+		throw new Error("Vault data is corrupted: invalid JSON after decryption");
+	}
+}
+/**
+* Read the per-file salt from a vault file header.
+* Returns null if file does not exist or is not a valid vault file.
+*/
+async function readVaultSalt(filePath) {
+	let fileContent;
+	try {
+		fileContent = await readFile(filePath);
+	} catch {
+		return null;
+	}
+	const magicLen = 8;
+	const minSize = magicLen + 1 + SALT_LENGTH;
+	if (fileContent.length < minSize) return null;
+	if (fileContent.subarray(0, magicLen).toString("ascii") !== MAGIC) return null;
+	return fileContent.subarray(magicLen + 1, magicLen + 1 + SALT_LENGTH);
+}
+/**
+* Check if a vault file exists.
+*/
+async function vaultFileExists(filePath) {
+	try {
+		await stat(filePath);
+		return true;
+	} catch {
+		return false;
+	}
+}
+//#endregion
+export { deriveKeyFromPassphrase, generateMasterKey, readEncryptedVault, readVaultSalt, vaultFileExists, writeEncryptedVault };
+//# sourceMappingURL=encrypted-file.mjs.map

package/dist/providers/vault/dist/encrypted-file.mjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"encrypted-file.mjs","names":["unlink"],"sources":["../../../../../../providers/vault/dist/encrypted-file.mjs"],"sourcesContent":["import { createCipheriv, createDecipheriv, randomBytes, scryptSync } from \"node:crypto\";\nimport { chmod, mkdir, readFile, rename, stat, writeFile } from \"node:fs/promises\";\nimport { dirname } from \"node:path\";\n\n//#region src/encrypted-file.ts\n/**\n* Encrypted file backend for vault storage.\n*\n* - AES-256-GCM encryption\n* - Master key: 256-bit random or crypto.scrypt-derived from passphrase\n* - File format: JSON header + encrypted blob\n* - File permissions: 0600\n*/\n/** Encryption parameters */\nconst KEY_LENGTH = 32;\nconst IV_LENGTH = 12;\nconst SALT_LENGTH = 32;\nconst AUTH_TAG_LENGTH = 16;\nconst SCRYPT_N = 2 ** 14;\nconst SCRYPT_R = 8;\nconst SCRYPT_P = 1;\nconst SCRYPT_KEYLEN = KEY_LENGTH;\nconst FILE_MODE = 384;\n/** Magic bytes to identify vault files */\nconst MAGIC = \"AFSVAULT\";\nconst FORMAT_VERSION = 1;\n/**\n* Generate a random 256-bit master key.\n*/\nfunction generateMasterKey() {\n\treturn randomBytes(KEY_LENGTH);\n}\n/**\n* Derive a master key from a passphrase using crypto.scrypt.\n*/\nfunction deriveKeyFromPassphrase(passphrase, salt) {\n\treturn scryptSync(passphrase, salt, SCRYPT_KEYLEN, {\n\t\tN: SCRYPT_N,\n\t\tr: SCRYPT_R,\n\t\tp: SCRYPT_P\n\t});\n}\n/**\n* Encrypt vault data and write to file.\n*/\nasync function writeEncryptedVault(filePath, data, masterKey) {\n\tconst json = JSON.stringify(data);\n\tconst plaintext = Buffer.from(json, \"utf-8\");\n\tconst salt = randomBytes(SALT_LENGTH);\n\tconst iv = randomBytes(IV_LENGTH);\n\tconst cipher = createCipheriv(\"aes-256-gcm\", masterKey, iv);\n\tconst encrypted = Buffer.concat([cipher.update(plaintext), cipher.final()]);\n\tconst authTag = cipher.getAuthTag();\n\tconst magic = Buffer.from(MAGIC, \"ascii\");\n\tconst version = Buffer.alloc(1);\n\tversion[0] = FORMAT_VERSION;\n\tconst fileContent = Buffer.concat([\n\t\tmagic,\n\t\tversion,\n\t\tsalt,\n\t\tiv,\n\t\tauthTag,\n\t\tencrypted\n\t]);\n\tawait mkdir(dirname(filePath), { recursive: true });\n\tconst tmpPath = `${filePath}.tmp.${process.pid}`;\n\ttry {\n\t\tawait writeFile(tmpPath, fileContent, { mode: FILE_MODE });\n\t\tawait rename(tmpPath, filePath);\n\t} catch (err) {\n\t\ttry {\n\t\t\tconst { unlink } = await import(\"node:fs/promises\");\n\t\t\tawait unlink(tmpPath);\n\t\t} catch {}\n\t\tthrow err;\n\t}\n\ttry {\n\t\tif (((await stat(filePath)).mode & 511) !== FILE_MODE) await chmod(filePath, FILE_MODE);\n\t} catch {}\n}\n/**\n* Read and decrypt vault data from file.\n* Returns null if file does not exist.\n*/\nasync function readEncryptedVault(filePath, masterKey) {\n\tlet fileContent;\n\ttry {\n\t\tfileContent = await readFile(filePath);\n\t} catch (err) {\n\t\tif (err?.code === \"ENOENT\") return null;\n\t\tthrow err;\n\t}\n\tconst magicLen = 8;\n\tconst minSize = magicLen + 1 + SALT_LENGTH + IV_LENGTH + AUTH_TAG_LENGTH;\n\tif (fileContent.length < minSize) throw new Error(\"Vault file is corrupted: too small\");\n\tif (fileContent.subarray(0, magicLen).toString(\"ascii\") !== MAGIC) throw new Error(\"Not a valid vault file\");\n\tconst version = fileContent[magicLen];\n\tif (version !== FORMAT_VERSION) throw new Error(`Unsupported vault format version: ${version}`);\n\tlet offset = magicLen + 1;\n\tfileContent.subarray(offset, offset + SALT_LENGTH);\n\toffset += SALT_LENGTH;\n\tconst iv = fileContent.subarray(offset, offset + IV_LENGTH);\n\toffset += IV_LENGTH;\n\tconst authTag = fileContent.subarray(offset, offset + AUTH_TAG_LENGTH);\n\toffset += AUTH_TAG_LENGTH;\n\tconst ciphertext = fileContent.subarray(offset);\n\tconst decipher = createDecipheriv(\"aes-256-gcm\", masterKey, iv);\n\tdecipher.setAuthTag(authTag);\n\tlet plaintext;\n\ttry {\n\t\tplaintext = Buffer.concat([decipher.update(ciphertext), decipher.final()]);\n\t} catch {\n\t\tthrow new Error(\"Vault decryption failed: wrong master key or corrupted data\");\n\t}\n\tconst json = plaintext.toString(\"utf-8\");\n\ttry {\n\t\treturn JSON.parse(json);\n\t} catch {\n\t\tthrow new Error(\"Vault data is corrupted: invalid JSON after decryption\");\n\t}\n}\n/**\n* Read the per-file salt from a vault file header.\n* Returns null if file does not exist or is not a valid vault file.\n*/\nasync function readVaultSalt(filePath) {\n\tlet fileContent;\n\ttry {\n\t\tfileContent = await readFile(filePath);\n\t} catch {\n\t\treturn null;\n\t}\n\tconst magicLen = 8;\n\tconst minSize = magicLen + 1 + SALT_LENGTH;\n\tif (fileContent.length < minSize) return null;\n\tif (fileContent.subarray(0, magicLen).toString(\"ascii\") !== MAGIC) return null;\n\treturn fileContent.subarray(magicLen + 1, magicLen + 1 + SALT_LENGTH);\n}\n/**\n* Check if a vault file exists.\n*/\nasync function vaultFileExists(filePath) {\n\ttry {\n\t\tawait stat(filePath);\n\t\treturn true;\n\t} catch {\n\t\treturn false;\n\t}\n}\n\n//#endregion\nexport { deriveKeyFromPassphrase, generateMasterKey, readEncryptedVault, readVaultSalt, vaultFileExists, writeEncryptedVault };\n//# sourceMappingURL=encrypted-file.mjs.map"],"mappings":";;;;;;;;;;;;;;AAcA,MAAM,aAAa;AACnB,MAAM,YAAY;AAClB,MAAM,cAAc;AACpB,MAAM,kBAAkB;AACxB,MAAM,WAAW,KAAK;AACtB,MAAM,WAAW;AACjB,MAAM,WAAW;AACjB,MAAM,gBAAgB;AACtB,MAAM,YAAY;;AAElB,MAAM,QAAQ;AACd,MAAM,iBAAiB;;;;AAIvB,SAAS,oBAAoB;AAC5B,QAAO,YAAY,WAAW;;;;;AAK/B,SAAS,wBAAwB,YAAY,MAAM;AAClD,QAAO,WAAW,YAAY,MAAM,eAAe;EAClD,GAAG;EACH,GAAG;EACH,GAAG;EACH,CAAC;;;;;AAKH,eAAe,oBAAoB,UAAU,MAAM,WAAW;CAC7D,MAAM,OAAO,KAAK,UAAU,KAAK;CACjC,MAAM,YAAY,OAAO,KAAK,MAAM,QAAQ;CAC5C,MAAM,OAAO,YAAY,YAAY;CACrC,MAAM,KAAK,YAAY,UAAU;CACjC,MAAM,SAAS,eAAe,eAAe,WAAW,GAAG;CAC3D,MAAM,YAAY,OAAO,OAAO,CAAC,OAAO,OAAO,UAAU,EAAE,OAAO,OAAO,CAAC,CAAC;CAC3E,MAAM,UAAU,OAAO,YAAY;CACnC,MAAM,QAAQ,OAAO,KAAK,OAAO,QAAQ;CACzC,MAAM,UAAU,OAAO,MAAM,EAAE;AAC/B,SAAQ,KAAK;CACb,MAAM,cAAc,OAAO,OAAO;EACjC;EACA;EACA;EACA;EACA;EACA;EACA,CAAC;AACF,OAAM,MAAM,QAAQ,SAAS,EAAE,EAAE,WAAW,MAAM,CAAC;CACnD,MAAM,UAAU,GAAG,SAAS,OAAO,QAAQ;AAC3C,KAAI;AACH,QAAM,UAAU,SAAS,aAAa,EAAE,MAAM,WAAW,CAAC;AAC1D,QAAM,OAAO,SAAS,SAAS;UACvB,KAAK;AACb,MAAI;GACH,MAAM,EAAE,qBAAW,MAAM,OAAO;AAChC,SAAMA,SAAO,QAAQ;UACd;AACR,QAAM;;AAEP,KAAI;AACH,QAAM,MAAM,KAAK,SAAS,EAAE,OAAO,SAAS,UAAW,OAAM,MAAM,UAAU,UAAU;SAChF;;;;;;AAMT,eAAe,mBAAmB,UAAU,WAAW;CACtD,IAAI;AACJ,KAAI;AACH,gBAAc,MAAM,SAAS,SAAS;UAC9B,KAAK;AACb,MAAI,KAAK,SAAS,SAAU,QAAO;AACnC,QAAM;;CAEP,MAAM,WAAW;CACjB,MAAM,UAAU,WAAW,IAAI,cAAc,YAAY;AACzD,KAAI,YAAY,SAAS,QAAS,OAAM,IAAI,MAAM,qCAAqC;AACvF,KAAI,YAAY,SAAS,GAAG,SAAS,CAAC,SAAS,QAAQ,KAAK,MAAO,OAAM,IAAI,MAAM,yBAAyB;CAC5G,MAAM,UAAU,YAAY;AAC5B,KAAI,YAAY,eAAgB,OAAM,IAAI,MAAM,qCAAqC,UAAU;CAC/F,IAAI,SAAS,WAAW;AACxB,aAAY,SAAS,QAAQ,SAAS,YAAY;AAClD,WAAU;CACV,MAAM,KAAK,YAAY,SAAS,QAAQ,SAAS,UAAU;AAC3D,WAAU;CACV,MAAM,UAAU,YAAY,SAAS,QAAQ,SAAS,gBAAgB;AACtE,WAAU;CACV,MAAM,aAAa,YAAY,SAAS,OAAO;CAC/C,MAAM,WAAW,iBAAiB,eAAe,WAAW,GAAG;AAC/D,UAAS,WAAW,QAAQ;CAC5B,IAAI;AACJ,KAAI;AACH,cAAY,OAAO,OAAO,CAAC,SAAS,OAAO,WAAW,EAAE,SAAS,OAAO,CAAC,CAAC;SACnE;AACP,QAAM,IAAI,MAAM,8DAA8D;;CAE/E,MAAM,OAAO,UAAU,SAAS,QAAQ;AACxC,KAAI;AACH,SAAO,KAAK,MAAM,KAAK;SAChB;AACP,QAAM,IAAI,MAAM,yDAAyD;;;;;;;AAO3E,eAAe,cAAc,UAAU;CACtC,IAAI;AACJ,KAAI;AACH,gBAAc,MAAM,SAAS,SAAS;SAC/B;AACP,SAAO;;CAER,MAAM,WAAW;CACjB,MAAM,UAAU,WAAW,IAAI;AAC/B,KAAI,YAAY,SAAS,QAAS,QAAO;AACzC,KAAI,YAAY,SAAS,GAAG,SAAS,CAAC,SAAS,QAAQ,KAAK,MAAO,QAAO;AAC1E,QAAO,YAAY,SAAS,WAAW,GAAG,WAAW,IAAI,YAAY;;;;;AAKtE,eAAe,gBAAgB,UAAU;AACxC,KAAI;AACH,QAAM,KAAK,SAAS;AACpB,SAAO;SACA;AACP,SAAO"}