@aigne/afs-cli 1.11.0-beta.11 → 1.11.0-beta.12

package/dist/providers/vault/dist/index.cjs

@@ -0,0 +1,405 @@
+const require_rolldown_runtime = require('../../../_virtual/rolldown_runtime.cjs');
+const require_encrypted_file = require('./encrypted-file.cjs');
+const require_decorate = require('./_virtual/_@oxc-project_runtime@0.108.0/helpers/decorate.cjs');
+const require_key_resolver = require('./key-resolver.cjs');
+let ufo = require("ufo");
+let _aigne_afs = require("@aigne/afs");
+let zod = require("zod");
+let _aigne_afs_provider = require("@aigne/afs/provider");
+
+//#region ../../providers/vault/dist/index.mjs
+/**
+* AFS Vault Provider — Encrypted secret storage.
+*
+* Tree: /vault/{group}/{name} → secret value (string)
+* Encryption: AES-256-GCM, master key from keychain/env/passphrase
+* Security: admin (readwrite) + system (readonly) profiles
+* No exec — vault is passive storage.
+*/
+const afsVaultOptionsSchema = zod.z.object({
+	name: zod.z.string().optional().describe("Module name"),
+	description: zod.z.string().optional().describe("Module description"),
+	vaultPath: zod.z.string().describe("Path to the encrypted vault file"),
+	accessMode: zod.z.enum(["readonly", "readwrite"]).optional().describe("Access mode")
+});
+/** Prototype pollution guard — reject dangerous path segments. */
+const DANGEROUS_NAMES = new Set([
+	"__proto__",
+	"constructor",
+	"prototype"
+]);
+function assertSafeName(segment) {
+	if (DANGEROUS_NAMES.has(segment)) throw new Error(`Forbidden path segment: ${segment}`);
+}
+var AFSVault = class AFSVault extends _aigne_afs_provider.AFSBaseProvider {
+	name;
+	description;
+	accessMode;
+	vaultPath;
+	_masterKey;
+	_data = null;
+	_loaded = false;
+	constructor(options) {
+		super();
+		this.name = options.name || "vault";
+		this.description = options.description || "Encrypted secret storage";
+		this.accessMode = options.accessMode || "readwrite";
+		this.vaultPath = options.vaultPath;
+		this._masterKey = options.masterKey;
+	}
+	static securityProfiles() {
+		return {
+			admin: {
+				actionPolicy: "full",
+				accessMode: "readwrite"
+			},
+			system: {
+				actionPolicy: "full",
+				accessMode: "readonly"
+			}
+		};
+	}
+	static schema() {
+		return afsVaultOptionsSchema;
+	}
+	static treeSchema() {
+		return {
+			operations: [
+				"list",
+				"read",
+				"write",
+				"delete",
+				"search",
+				"stat",
+				"explain"
+			],
+			tree: {
+				"/": {
+					kind: "vault:root",
+					operations: ["list", "read"]
+				},
+				"/{group}": {
+					kind: "vault:group",
+					operations: [
+						"list",
+						"read",
+						"delete"
+					],
+					destructive: ["delete"]
+				},
+				"/{group}/{name}": {
+					kind: "vault:secret",
+					operations: [
+						"read",
+						"write",
+						"delete"
+					],
+					destructive: ["delete"]
+				}
+			},
+			auth: {
+				type: "custom",
+				env: ["AFS_VAULT_KEY"]
+			},
+			bestFor: ["secret storage", "API key management"],
+			notFor: ["large file storage"]
+		};
+	}
+	static manifest() {
+		return {
+			name: "vault",
+			description: "Encrypted secret storage.\n- Store API keys, tokens, and passwords with AES-256-GCM encryption\n- Secrets organized in groups: /vault/{group}/{name}\n- Security profiles: admin (readwrite), system (readonly)",
+			uriTemplate: "vault://{vaultPath+}",
+			category: "security",
+			schema: zod.z.object({ vaultPath: zod.z.string() }),
+			tags: [
+				"vault",
+				"secrets",
+				"encryption",
+				"credentials"
+			],
+			capabilityTags: [
+				"read-write",
+				"crud",
+				"search",
+				"auth:none",
+				"local"
+			],
+			security: {
+				riskLevel: "local",
+				resourceAccess: ["local-filesystem"],
+				dataSensitivity: ["credentials"],
+				notes: ["Stores encrypted secrets in a local file (AES-256-GCM)", "Master key stored in OS keychain or derived from passphrase"]
+			},
+			capabilities: {
+				filesystem: {
+					read: true,
+					write: true
+				},
+				secrets: ["vault/master-key"]
+			}
+		};
+	}
+	static async load({ config } = {}) {
+		return new AFSVault(afsVaultOptionsSchema.parse(config || {}));
+	}
+	async ensureLoaded() {
+		if (!this._loaded && this._masterKey) {
+			this._data = await require_encrypted_file.readEncryptedVault(this.vaultPath, this._masterKey);
+			this._loaded = true;
+		}
+		if (!this._data) {
+			this._data = { secrets: {} };
+			this._loaded = true;
+		}
+		return this._data;
+	}
+	async save() {
+		if (!this._masterKey) throw new Error("Vault master key not set — cannot write");
+		if (!this._data) return;
+		await require_encrypted_file.writeEncryptedVault(this.vaultPath, this._data, this._masterKey);
+	}
+	/** Set the master key at runtime (for lazy initialization). */
+	setMasterKey(key) {
+		this._masterKey = key;
+		this._loaded = false;
+	}
+	buildGroupEntry(group, secrets) {
+		return this.buildEntry((0, ufo.joinURL)("/", group), { meta: { childrenCount: Object.keys(secrets).length } });
+	}
+	buildSecretEntry(group, name, value, includeContent = false) {
+		return this.buildEntry((0, ufo.joinURL)("/", group, name), {
+			content: includeContent ? value : void 0,
+			meta: { size: value.length }
+		});
+	}
+	buildRootEntry(data) {
+		return this.buildEntry("/", { meta: {
+			childrenCount: Object.keys(data.secrets).length,
+			provider: "vault",
+			encrypted: true
+		} });
+	}
+	parsePath(ctx) {
+		return (ctx.params?.path || "").split("/").filter(Boolean);
+	}
+	async handleMeta(ctx) {
+		const data = await this.ensureLoaded();
+		const parts = this.parsePath(ctx);
+		const metaPath = parts.length === 0 ? "/.meta" : (0, ufo.joinURL)("/", ...parts, ".meta");
+		if (parts.length === 0) return this.buildEntry(metaPath, { meta: {
+			childrenCount: Object.keys(data.secrets).length,
+			provider: "vault",
+			encrypted: true
+		} });
+		if (parts.length === 1) {
+			const group = parts[0];
+			const secrets = data.secrets[group];
+			if (!secrets) throw new _aigne_afs.AFSNotFoundError((0, ufo.joinURL)("/", group));
+			return this.buildEntry(metaPath, { meta: { childrenCount: Object.keys(secrets).length } });
+		}
+		if (parts.length === 2) {
+			const group = parts[0];
+			const name = parts[1];
+			const secrets = data.secrets[group];
+			if (!secrets || !(name in secrets)) throw new _aigne_afs.AFSNotFoundError((0, ufo.joinURL)("/", group, name));
+			return this.buildEntry(metaPath, { meta: { size: secrets[name].length } });
+		}
+		throw new _aigne_afs.AFSNotFoundError((0, ufo.joinURL)("/", ...parts));
+	}
+	async handleList(ctx) {
+		const data = await this.ensureLoaded();
+		const parts = this.parsePath(ctx);
+		if (parts.length === 0) return { data: Object.keys(data.secrets).sort().map((g) => this.buildGroupEntry(g, data.secrets[g])) };
+		if (parts.length === 1) {
+			const group = parts[0];
+			const secrets = data.secrets[group];
+			if (!secrets) throw new _aigne_afs.AFSNotFoundError((0, ufo.joinURL)("/", group));
+			return { data: Object.keys(secrets).sort().map((n) => this.buildSecretEntry(group, n, secrets[n], false)) };
+		}
+		if (parts.length === 2) {
+			const group = parts[0];
+			const name = parts[1];
+			const secrets = data.secrets[group];
+			if (!secrets || !(name in secrets)) throw new _aigne_afs.AFSNotFoundError((0, ufo.joinURL)("/", group, name));
+			return { data: [] };
+		}
+		throw new _aigne_afs.AFSNotFoundError((0, ufo.joinURL)("/", ...parts));
+	}
+	async handleReadCapabilities() {
+		const operations = this.getOperationsDeclaration();
+		const manifest = {
+			schemaVersion: 1,
+			provider: this.name,
+			description: this.description,
+			tools: [],
+			actions: [],
+			operations
+		};
+		return this.buildEntry("/.meta/.capabilities", {
+			content: manifest,
+			meta: {
+				kind: "afs:capabilities",
+				operations
+			}
+		});
+	}
+	async handleRead(ctx) {
+		const data = await this.ensureLoaded();
+		const parts = this.parsePath(ctx);
+		if (parts.length === 0) return this.buildRootEntry(data);
+		if (parts.length === 1) {
+			const group = parts[0];
+			const secrets = data.secrets[group];
+			if (!secrets) throw new _aigne_afs.AFSNotFoundError((0, ufo.joinURL)("/", group));
+			return this.buildGroupEntry(group, secrets);
+		}
+		if (parts.length === 2) {
+			const group = parts[0];
+			const name = parts[1];
+			const secrets = data.secrets[group];
+			if (!secrets || !(name in secrets)) throw new _aigne_afs.AFSNotFoundError((0, ufo.joinURL)("/", group, name));
+			return this.buildSecretEntry(group, name, secrets[name], true);
+		}
+		throw new _aigne_afs.AFSNotFoundError((0, ufo.joinURL)("/", ...parts));
+	}
+	async handleStat(ctx) {
+		const data = await this.ensureLoaded();
+		const parts = this.parsePath(ctx);
+		if (parts.length === 0) return { data: this.buildRootEntry(data) };
+		if (parts.length === 1) {
+			const group = parts[0];
+			const secrets = data.secrets[group];
+			if (!secrets) throw new _aigne_afs.AFSNotFoundError((0, ufo.joinURL)("/", group));
+			return { data: this.buildGroupEntry(group, secrets) };
+		}
+		if (parts.length === 2) {
+			const group = parts[0];
+			const name = parts[1];
+			const secrets = data.secrets[group];
+			if (!secrets || !(name in secrets)) throw new _aigne_afs.AFSNotFoundError((0, ufo.joinURL)("/", group, name));
+			return { data: this.buildSecretEntry(group, name, secrets[name], false) };
+		}
+		throw new _aigne_afs.AFSNotFoundError((0, ufo.joinURL)("/", ...parts));
+	}
+	async handleWrite(ctx, payload) {
+		const data = await this.ensureLoaded();
+		const group = ctx.params.group;
+		const name = ctx.params.name;
+		assertSafeName(group);
+		assertSafeName(name);
+		const content = payload?.content;
+		if (typeof content !== "string") throw new Error("Vault secrets must be string values");
+		if (!data.secrets[group]) data.secrets[group] = {};
+		data.secrets[group][name] = content;
+		await this.save();
+		return { data: this.buildSecretEntry(group, name, content, true) };
+	}
+	async handleDelete(ctx) {
+		const data = await this.ensureLoaded();
+		const group = ctx.params.group;
+		const name = ctx.params.name;
+		const secrets = data.secrets[group];
+		if (!secrets || !(name in secrets)) throw new _aigne_afs.AFSNotFoundError((0, ufo.joinURL)("/", group, name));
+		delete secrets[name];
+		if (Object.keys(secrets).length === 0) delete data.secrets[group];
+		await this.save();
+		return { message: `Deleted secret: ${(0, ufo.joinURL)("/", group, name)}` };
+	}
+	async handleDeleteGroup(ctx) {
+		const data = await this.ensureLoaded();
+		const group = ctx.params.group;
+		if (!data.secrets[group]) throw new _aigne_afs.AFSNotFoundError((0, ufo.joinURL)("/", group));
+		delete data.secrets[group];
+		await this.save();
+		return { message: `Deleted group: ${(0, ufo.joinURL)("/", group)}` };
+	}
+	async handleSearch(ctx, query, options) {
+		const data = await this.ensureLoaded();
+		const pattern = (query || "").toLowerCase();
+		const groupFilter = this.parsePath(ctx)[0];
+		const limit = options?.limit;
+		const results = [];
+		const groups = groupFilter ? [groupFilter] : Object.keys(data.secrets);
+		for (const group of groups) {
+			const secrets = data.secrets[group];
+			if (!secrets) continue;
+			if (!groupFilter && group.toLowerCase().includes(pattern)) {
+				results.push(this.buildGroupEntry(group, secrets));
+				if (limit && results.length >= limit) break;
+			}
+			for (const name of Object.keys(secrets)) {
+				if (limit && results.length >= limit) break;
+				if (name.toLowerCase().includes(pattern)) results.push(this.buildSecretEntry(group, name, secrets[name], false));
+			}
+			if (limit && results.length >= limit) break;
+		}
+		return { data: limit ? results.slice(0, limit) : results };
+	}
+	async handleExplain(ctx) {
+		const parts = this.parsePath(ctx);
+		let content;
+		if (parts.length >= 2) content = `Secret "${parts[1]}" in group "${parts[0]}". Read to get the secret value.`;
+		else if (parts.length === 1) content = `Secret group "${parts[0]}". List to see available secrets.`;
+		else content = "AFS Vault — encrypted secret storage. List to see secret groups.";
+		return {
+			format: "text",
+			content
+		};
+	}
+	/** Get a secret value directly (bypasses AFS routing). */
+	async getSecret(group, name) {
+		return (await this.ensureLoaded()).secrets[group]?.[name];
+	}
+	/** Set a secret value directly. */
+	async setSecret(group, name, value) {
+		const data = await this.ensureLoaded();
+		if (!data.secrets[group]) data.secrets[group] = {};
+		data.secrets[group][name] = value;
+		await this.save();
+	}
+	/** Delete a secret directly. */
+	async deleteSecret(group, name) {
+		const data = await this.ensureLoaded();
+		const secrets = data.secrets[group];
+		if (!secrets || !(name in secrets)) return false;
+		delete secrets[name];
+		if (Object.keys(secrets).length === 0) delete data.secrets[group];
+		await this.save();
+		return true;
+	}
+	/** List all groups, or all secrets in a group. */
+	async listSecrets(group) {
+		const data = await this.ensureLoaded();
+		if (!group) return Object.keys(data.secrets).sort();
+		const secrets = data.secrets[group];
+		if (!secrets) return [];
+		return Object.keys(secrets).sort();
+	}
+	/** Get all secrets as flat map: "group/name" → value. Used for migration. */
+	async getAllSecrets() {
+		const data = await this.ensureLoaded();
+		const result = {};
+		for (const [group, secrets] of Object.entries(data.secrets)) for (const [name, value] of Object.entries(secrets)) result[`${group}/${name}`] = value;
+		return result;
+	}
+};
+require_decorate.__decorate([(0, _aigne_afs_provider.Meta)("/:path*")], AFSVault.prototype, "handleMeta", null);
+require_decorate.__decorate([(0, _aigne_afs_provider.List)("/:path*")], AFSVault.prototype, "handleList", null);
+require_decorate.__decorate([(0, _aigne_afs_provider.Read)("/.meta/.capabilities")], AFSVault.prototype, "handleReadCapabilities", null);
+require_decorate.__decorate([(0, _aigne_afs_provider.Read)("/:path*")], AFSVault.prototype, "handleRead", null);
+require_decorate.__decorate([(0, _aigne_afs_provider.Stat)("/:path*")], AFSVault.prototype, "handleStat", null);
+require_decorate.__decorate([(0, _aigne_afs_provider.Write)("/:group/:name")], AFSVault.prototype, "handleWrite", null);
+require_decorate.__decorate([(0, _aigne_afs_provider.Delete)("/:group/:name")], AFSVault.prototype, "handleDelete", null);
+require_decorate.__decorate([(0, _aigne_afs_provider.Delete)("/:group")], AFSVault.prototype, "handleDeleteGroup", null);
+require_decorate.__decorate([(0, _aigne_afs_provider.Search)("/:path*")], AFSVault.prototype, "handleSearch", null);
+require_decorate.__decorate([(0, _aigne_afs_provider.Explain)("/:path*")], AFSVault.prototype, "handleExplain", null);
+AFSVault.load = AFSVault.load;
+
+//#endregion
+exports.AFSVault = AFSVault;
+exports.generateMasterKey = require_encrypted_file.generateMasterKey;
+exports.resolveMasterKey = require_key_resolver.resolveMasterKey;
+exports.storeKeychain = require_key_resolver.storeKeychain;
+exports.vaultFileExists = require_encrypted_file.vaultFileExists;
+exports.writeEncryptedVault = require_encrypted_file.writeEncryptedVault;