@aigne/afs-cli 1.11.0-beta.11 → 1.11.0-beta.12

package/dist/providers/vault/dist/index.mjs

@@ -0,0 +1,400 @@
+import { deriveKeyFromPassphrase, generateMasterKey, readEncryptedVault, vaultFileExists, writeEncryptedVault } from "./encrypted-file.mjs";
+import { __decorate } from "./_virtual/_@oxc-project_runtime@0.108.0/helpers/decorate.mjs";
+import { resolveMasterKey, storeKeychain } from "./key-resolver.mjs";
+import { joinURL } from "ufo";
+import { AFSNotFoundError } from "@aigne/afs";
+import { z } from "zod";
+import { AFSBaseProvider, Delete, Explain, List, Meta, Read, Search, Stat, Write } from "@aigne/afs/provider";
+
+//#region ../../providers/vault/dist/index.mjs
+/**
+* AFS Vault Provider — Encrypted secret storage.
+*
+* Tree: /vault/{group}/{name} → secret value (string)
+* Encryption: AES-256-GCM, master key from keychain/env/passphrase
+* Security: admin (readwrite) + system (readonly) profiles
+* No exec — vault is passive storage.
+*/
+const afsVaultOptionsSchema = z.object({
+	name: z.string().optional().describe("Module name"),
+	description: z.string().optional().describe("Module description"),
+	vaultPath: z.string().describe("Path to the encrypted vault file"),
+	accessMode: z.enum(["readonly", "readwrite"]).optional().describe("Access mode")
+});
+/** Prototype pollution guard — reject dangerous path segments. */
+const DANGEROUS_NAMES = new Set([
+	"__proto__",
+	"constructor",
+	"prototype"
+]);
+function assertSafeName(segment) {
+	if (DANGEROUS_NAMES.has(segment)) throw new Error(`Forbidden path segment: ${segment}`);
+}
+var AFSVault = class AFSVault extends AFSBaseProvider {
+	name;
+	description;
+	accessMode;
+	vaultPath;
+	_masterKey;
+	_data = null;
+	_loaded = false;
+	constructor(options) {
+		super();
+		this.name = options.name || "vault";
+		this.description = options.description || "Encrypted secret storage";
+		this.accessMode = options.accessMode || "readwrite";
+		this.vaultPath = options.vaultPath;
+		this._masterKey = options.masterKey;
+	}
+	static securityProfiles() {
+		return {
+			admin: {
+				actionPolicy: "full",
+				accessMode: "readwrite"
+			},
+			system: {
+				actionPolicy: "full",
+				accessMode: "readonly"
+			}
+		};
+	}
+	static schema() {
+		return afsVaultOptionsSchema;
+	}
+	static treeSchema() {
+		return {
+			operations: [
+				"list",
+				"read",
+				"write",
+				"delete",
+				"search",
+				"stat",
+				"explain"
+			],
+			tree: {
+				"/": {
+					kind: "vault:root",
+					operations: ["list", "read"]
+				},
+				"/{group}": {
+					kind: "vault:group",
+					operations: [
+						"list",
+						"read",
+						"delete"
+					],
+					destructive: ["delete"]
+				},
+				"/{group}/{name}": {
+					kind: "vault:secret",
+					operations: [
+						"read",
+						"write",
+						"delete"
+					],
+					destructive: ["delete"]
+				}
+			},
+			auth: {
+				type: "custom",
+				env: ["AFS_VAULT_KEY"]
+			},
+			bestFor: ["secret storage", "API key management"],
+			notFor: ["large file storage"]
+		};
+	}
+	static manifest() {
+		return {
+			name: "vault",
+			description: "Encrypted secret storage.\n- Store API keys, tokens, and passwords with AES-256-GCM encryption\n- Secrets organized in groups: /vault/{group}/{name}\n- Security profiles: admin (readwrite), system (readonly)",
+			uriTemplate: "vault://{vaultPath+}",
+			category: "security",
+			schema: z.object({ vaultPath: z.string() }),
+			tags: [
+				"vault",
+				"secrets",
+				"encryption",
+				"credentials"
+			],
+			capabilityTags: [
+				"read-write",
+				"crud",
+				"search",
+				"auth:none",
+				"local"
+			],
+			security: {
+				riskLevel: "local",
+				resourceAccess: ["local-filesystem"],
+				dataSensitivity: ["credentials"],
+				notes: ["Stores encrypted secrets in a local file (AES-256-GCM)", "Master key stored in OS keychain or derived from passphrase"]
+			},
+			capabilities: {
+				filesystem: {
+					read: true,
+					write: true
+				},
+				secrets: ["vault/master-key"]
+			}
+		};
+	}
+	static async load({ config } = {}) {
+		return new AFSVault(afsVaultOptionsSchema.parse(config || {}));
+	}
+	async ensureLoaded() {
+		if (!this._loaded && this._masterKey) {
+			this._data = await readEncryptedVault(this.vaultPath, this._masterKey);
+			this._loaded = true;
+		}
+		if (!this._data) {
+			this._data = { secrets: {} };
+			this._loaded = true;
+		}
+		return this._data;
+	}
+	async save() {
+		if (!this._masterKey) throw new Error("Vault master key not set — cannot write");
+		if (!this._data) return;
+		await writeEncryptedVault(this.vaultPath, this._data, this._masterKey);
+	}
+	/** Set the master key at runtime (for lazy initialization). */
+	setMasterKey(key) {
+		this._masterKey = key;
+		this._loaded = false;
+	}
+	buildGroupEntry(group, secrets) {
+		return this.buildEntry(joinURL("/", group), { meta: { childrenCount: Object.keys(secrets).length } });
+	}
+	buildSecretEntry(group, name, value, includeContent = false) {
+		return this.buildEntry(joinURL("/", group, name), {
+			content: includeContent ? value : void 0,
+			meta: { size: value.length }
+		});
+	}
+	buildRootEntry(data) {
+		return this.buildEntry("/", { meta: {
+			childrenCount: Object.keys(data.secrets).length,
+			provider: "vault",
+			encrypted: true
+		} });
+	}
+	parsePath(ctx) {
+		return (ctx.params?.path || "").split("/").filter(Boolean);
+	}
+	async handleMeta(ctx) {
+		const data = await this.ensureLoaded();
+		const parts = this.parsePath(ctx);
+		const metaPath = parts.length === 0 ? "/.meta" : joinURL("/", ...parts, ".meta");
+		if (parts.length === 0) return this.buildEntry(metaPath, { meta: {
+			childrenCount: Object.keys(data.secrets).length,
+			provider: "vault",
+			encrypted: true
+		} });
+		if (parts.length === 1) {
+			const group = parts[0];
+			const secrets = data.secrets[group];
+			if (!secrets) throw new AFSNotFoundError(joinURL("/", group));
+			return this.buildEntry(metaPath, { meta: { childrenCount: Object.keys(secrets).length } });
+		}
+		if (parts.length === 2) {
+			const group = parts[0];
+			const name = parts[1];
+			const secrets = data.secrets[group];
+			if (!secrets || !(name in secrets)) throw new AFSNotFoundError(joinURL("/", group, name));
+			return this.buildEntry(metaPath, { meta: { size: secrets[name].length } });
+		}
+		throw new AFSNotFoundError(joinURL("/", ...parts));
+	}
+	async handleList(ctx) {
+		const data = await this.ensureLoaded();
+		const parts = this.parsePath(ctx);
+		if (parts.length === 0) return { data: Object.keys(data.secrets).sort().map((g) => this.buildGroupEntry(g, data.secrets[g])) };
+		if (parts.length === 1) {
+			const group = parts[0];
+			const secrets = data.secrets[group];
+			if (!secrets) throw new AFSNotFoundError(joinURL("/", group));
+			return { data: Object.keys(secrets).sort().map((n) => this.buildSecretEntry(group, n, secrets[n], false)) };
+		}
+		if (parts.length === 2) {
+			const group = parts[0];
+			const name = parts[1];
+			const secrets = data.secrets[group];
+			if (!secrets || !(name in secrets)) throw new AFSNotFoundError(joinURL("/", group, name));
+			return { data: [] };
+		}
+		throw new AFSNotFoundError(joinURL("/", ...parts));
+	}
+	async handleReadCapabilities() {
+		const operations = this.getOperationsDeclaration();
+		const manifest = {
+			schemaVersion: 1,
+			provider: this.name,
+			description: this.description,
+			tools: [],
+			actions: [],
+			operations
+		};
+		return this.buildEntry("/.meta/.capabilities", {
+			content: manifest,
+			meta: {
+				kind: "afs:capabilities",
+				operations
+			}
+		});
+	}
+	async handleRead(ctx) {
+		const data = await this.ensureLoaded();
+		const parts = this.parsePath(ctx);
+		if (parts.length === 0) return this.buildRootEntry(data);
+		if (parts.length === 1) {
+			const group = parts[0];
+			const secrets = data.secrets[group];
+			if (!secrets) throw new AFSNotFoundError(joinURL("/", group));
+			return this.buildGroupEntry(group, secrets);
+		}
+		if (parts.length === 2) {
+			const group = parts[0];
+			const name = parts[1];
+			const secrets = data.secrets[group];
+			if (!secrets || !(name in secrets)) throw new AFSNotFoundError(joinURL("/", group, name));
+			return this.buildSecretEntry(group, name, secrets[name], true);
+		}
+		throw new AFSNotFoundError(joinURL("/", ...parts));
+	}
+	async handleStat(ctx) {
+		const data = await this.ensureLoaded();
+		const parts = this.parsePath(ctx);
+		if (parts.length === 0) return { data: this.buildRootEntry(data) };
+		if (parts.length === 1) {
+			const group = parts[0];
+			const secrets = data.secrets[group];
+			if (!secrets) throw new AFSNotFoundError(joinURL("/", group));
+			return { data: this.buildGroupEntry(group, secrets) };
+		}
+		if (parts.length === 2) {
+			const group = parts[0];
+			const name = parts[1];
+			const secrets = data.secrets[group];
+			if (!secrets || !(name in secrets)) throw new AFSNotFoundError(joinURL("/", group, name));
+			return { data: this.buildSecretEntry(group, name, secrets[name], false) };
+		}
+		throw new AFSNotFoundError(joinURL("/", ...parts));
+	}
+	async handleWrite(ctx, payload) {
+		const data = await this.ensureLoaded();
+		const group = ctx.params.group;
+		const name = ctx.params.name;
+		assertSafeName(group);
+		assertSafeName(name);
+		const content = payload?.content;
+		if (typeof content !== "string") throw new Error("Vault secrets must be string values");
+		if (!data.secrets[group]) data.secrets[group] = {};
+		data.secrets[group][name] = content;
+		await this.save();
+		return { data: this.buildSecretEntry(group, name, content, true) };
+	}
+	async handleDelete(ctx) {
+		const data = await this.ensureLoaded();
+		const group = ctx.params.group;
+		const name = ctx.params.name;
+		const secrets = data.secrets[group];
+		if (!secrets || !(name in secrets)) throw new AFSNotFoundError(joinURL("/", group, name));
+		delete secrets[name];
+		if (Object.keys(secrets).length === 0) delete data.secrets[group];
+		await this.save();
+		return { message: `Deleted secret: ${joinURL("/", group, name)}` };
+	}
+	async handleDeleteGroup(ctx) {
+		const data = await this.ensureLoaded();
+		const group = ctx.params.group;
+		if (!data.secrets[group]) throw new AFSNotFoundError(joinURL("/", group));
+		delete data.secrets[group];
+		await this.save();
+		return { message: `Deleted group: ${joinURL("/", group)}` };
+	}
+	async handleSearch(ctx, query, options) {
+		const data = await this.ensureLoaded();
+		const pattern = (query || "").toLowerCase();
+		const groupFilter = this.parsePath(ctx)[0];
+		const limit = options?.limit;
+		const results = [];
+		const groups = groupFilter ? [groupFilter] : Object.keys(data.secrets);
+		for (const group of groups) {
+			const secrets = data.secrets[group];
+			if (!secrets) continue;
+			if (!groupFilter && group.toLowerCase().includes(pattern)) {
+				results.push(this.buildGroupEntry(group, secrets));
+				if (limit && results.length >= limit) break;
+			}
+			for (const name of Object.keys(secrets)) {
+				if (limit && results.length >= limit) break;
+				if (name.toLowerCase().includes(pattern)) results.push(this.buildSecretEntry(group, name, secrets[name], false));
+			}
+			if (limit && results.length >= limit) break;
+		}
+		return { data: limit ? results.slice(0, limit) : results };
+	}
+	async handleExplain(ctx) {
+		const parts = this.parsePath(ctx);
+		let content;
+		if (parts.length >= 2) content = `Secret "${parts[1]}" in group "${parts[0]}". Read to get the secret value.`;
+		else if (parts.length === 1) content = `Secret group "${parts[0]}". List to see available secrets.`;
+		else content = "AFS Vault — encrypted secret storage. List to see secret groups.";
+		return {
+			format: "text",
+			content
+		};
+	}
+	/** Get a secret value directly (bypasses AFS routing). */
+	async getSecret(group, name) {
+		return (await this.ensureLoaded()).secrets[group]?.[name];
+	}
+	/** Set a secret value directly. */
+	async setSecret(group, name, value) {
+		const data = await this.ensureLoaded();
+		if (!data.secrets[group]) data.secrets[group] = {};
+		data.secrets[group][name] = value;
+		await this.save();
+	}
+	/** Delete a secret directly. */
+	async deleteSecret(group, name) {
+		const data = await this.ensureLoaded();
+		const secrets = data.secrets[group];
+		if (!secrets || !(name in secrets)) return false;
+		delete secrets[name];
+		if (Object.keys(secrets).length === 0) delete data.secrets[group];
+		await this.save();
+		return true;
+	}
+	/** List all groups, or all secrets in a group. */
+	async listSecrets(group) {
+		const data = await this.ensureLoaded();
+		if (!group) return Object.keys(data.secrets).sort();
+		const secrets = data.secrets[group];
+		if (!secrets) return [];
+		return Object.keys(secrets).sort();
+	}
+	/** Get all secrets as flat map: "group/name" → value. Used for migration. */
+	async getAllSecrets() {
+		const data = await this.ensureLoaded();
+		const result = {};
+		for (const [group, secrets] of Object.entries(data.secrets)) for (const [name, value] of Object.entries(secrets)) result[`${group}/${name}`] = value;
+		return result;
+	}
+};
+__decorate([Meta("/:path*")], AFSVault.prototype, "handleMeta", null);
+__decorate([List("/:path*")], AFSVault.prototype, "handleList", null);
+__decorate([Read("/.meta/.capabilities")], AFSVault.prototype, "handleReadCapabilities", null);
+__decorate([Read("/:path*")], AFSVault.prototype, "handleRead", null);
+__decorate([Stat("/:path*")], AFSVault.prototype, "handleStat", null);
+__decorate([Write("/:group/:name")], AFSVault.prototype, "handleWrite", null);
+__decorate([Delete("/:group/:name")], AFSVault.prototype, "handleDelete", null);
+__decorate([Delete("/:group")], AFSVault.prototype, "handleDeleteGroup", null);
+__decorate([Search("/:path*")], AFSVault.prototype, "handleSearch", null);
+__decorate([Explain("/:path*")], AFSVault.prototype, "handleExplain", null);
+AFSVault.load = AFSVault.load;
+
+//#endregion
+export { AFSVault, generateMasterKey, resolveMasterKey, storeKeychain, vaultFileExists, writeEncryptedVault };
+//# sourceMappingURL=index.mjs.map

package/dist/providers/vault/dist/index.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.mjs","names":[],"sources":["../../../../../../providers/vault/dist/index.mjs"],"sourcesContent":["import { deriveKeyFromPassphrase, generateMasterKey, readEncryptedVault, vaultFileExists, writeEncryptedVault } from \"./encrypted-file.mjs\";\nimport { __decorate } from \"./_virtual/_@oxc-project_runtime@0.108.0/helpers/decorate.mjs\";\nimport { _resetCachedKeyForTesting, deleteKeychain, resolveMasterKey, storeKeychain } from \"./key-resolver.mjs\";\nimport { AFSNotFoundError } from \"@aigne/afs\";\nimport { AFSBaseProvider, Delete, Explain, List, Meta, Read, Search, Stat, Write } from \"@aigne/afs/provider\";\nimport { joinURL } from \"ufo\";\nimport { z } from \"zod\";\n\n//#region src/index.ts\n/**\n* AFS Vault Provider — Encrypted secret storage.\n*\n* Tree: /vault/{group}/{name} → secret value (string)\n* Encryption: AES-256-GCM, master key from keychain/env/passphrase\n* Security: admin (readwrite) + system (readonly) profiles\n* No exec — vault is passive storage.\n*/\nconst afsVaultOptionsSchema = z.object({\n\tname: z.string().optional().describe(\"Module name\"),\n\tdescription: z.string().optional().describe(\"Module description\"),\n\tvaultPath: z.string().describe(\"Path to the encrypted vault file\"),\n\taccessMode: z.enum([\"readonly\", \"readwrite\"]).optional().describe(\"Access mode\")\n});\n/** Prototype pollution guard — reject dangerous path segments. */\nconst DANGEROUS_NAMES = new Set([\n\t\"__proto__\",\n\t\"constructor\",\n\t\"prototype\"\n]);\nfunction assertSafeName(segment) {\n\tif (DANGEROUS_NAMES.has(segment)) throw new Error(`Forbidden path segment: ${segment}`);\n}\nvar AFSVault = class AFSVault extends AFSBaseProvider {\n\tname;\n\tdescription;\n\taccessMode;\n\tvaultPath;\n\t_masterKey;\n\t_data = null;\n\t_loaded = false;\n\tconstructor(options) {\n\t\tsuper();\n\t\tthis.name = options.name || \"vault\";\n\t\tthis.description = options.description || \"Encrypted secret storage\";\n\t\tthis.accessMode = options.accessMode || \"readwrite\";\n\t\tthis.vaultPath = options.vaultPath;\n\t\tthis._masterKey = options.masterKey;\n\t}\n\tstatic securityProfiles() {\n\t\treturn {\n\t\t\tadmin: {\n\t\t\t\tactionPolicy: \"full\",\n\t\t\t\taccessMode: \"readwrite\"\n\t\t\t},\n\t\t\tsystem: {\n\t\t\t\tactionPolicy: \"full\",\n\t\t\t\taccessMode: \"readonly\"\n\t\t\t}\n\t\t};\n\t}\n\tstatic schema() {\n\t\treturn afsVaultOptionsSchema;\n\t}\n\tstatic treeSchema() {\n\t\treturn {\n\t\t\toperations: [\n\t\t\t\t\"list\",\n\t\t\t\t\"read\",\n\t\t\t\t\"write\",\n\t\t\t\t\"delete\",\n\t\t\t\t\"search\",\n\t\t\t\t\"stat\",\n\t\t\t\t\"explain\"\n\t\t\t],\n\t\t\ttree: {\n\t\t\t\t\"/\": {\n\t\t\t\t\tkind: \"vault:root\",\n\t\t\t\t\toperations: [\"list\", \"read\"]\n\t\t\t\t},\n\t\t\t\t\"/{group}\": {\n\t\t\t\t\tkind: \"vault:group\",\n\t\t\t\t\toperations: [\n\t\t\t\t\t\t\"list\",\n\t\t\t\t\t\t\"read\",\n\t\t\t\t\t\t\"delete\"\n\t\t\t\t\t],\n\t\t\t\t\tdestructive: [\"delete\"]\n\t\t\t\t},\n\t\t\t\t\"/{group}/{name}\": {\n\t\t\t\t\tkind: \"vault:secret\",\n\t\t\t\t\toperations: [\n\t\t\t\t\t\t\"read\",\n\t\t\t\t\t\t\"write\",\n\t\t\t\t\t\t\"delete\"\n\t\t\t\t\t],\n\t\t\t\t\tdestructive: [\"delete\"]\n\t\t\t\t}\n\t\t\t},\n\t\t\tauth: {\n\t\t\t\ttype: \"custom\",\n\t\t\t\tenv: [\"AFS_VAULT_KEY\"]\n\t\t\t},\n\t\t\tbestFor: [\"secret storage\", \"API key management\"],\n\t\t\tnotFor: [\"large file storage\"]\n\t\t};\n\t}\n\tstatic manifest() {\n\t\treturn {\n\t\t\tname: \"vault\",\n\t\t\tdescription: \"Encrypted secret storage.\\n- Store API keys, tokens, and passwords with AES-256-GCM encryption\\n- Secrets organized in groups: /vault/{group}/{name}\\n- Security profiles: admin (readwrite), system (readonly)\",\n\t\t\turiTemplate: \"vault://{vaultPath+}\",\n\t\t\tcategory: \"security\",\n\t\t\tschema: z.object({ vaultPath: z.string() }),\n\t\t\ttags: [\n\t\t\t\t\"vault\",\n\t\t\t\t\"secrets\",\n\t\t\t\t\"encryption\",\n\t\t\t\t\"credentials\"\n\t\t\t],\n\t\t\tcapabilityTags: [\n\t\t\t\t\"read-write\",\n\t\t\t\t\"crud\",\n\t\t\t\t\"search\",\n\t\t\t\t\"auth:none\",\n\t\t\t\t\"local\"\n\t\t\t],\n\t\t\tsecurity: {\n\t\t\t\triskLevel: \"local\",\n\t\t\t\tresourceAccess: [\"local-filesystem\"],\n\t\t\t\tdataSensitivity: [\"credentials\"],\n\t\t\t\tnotes: [\"Stores encrypted secrets in a local file (AES-256-GCM)\", \"Master key stored in OS keychain or derived from passphrase\"]\n\t\t\t},\n\t\t\tcapabilities: {\n\t\t\t\tfilesystem: {\n\t\t\t\t\tread: true,\n\t\t\t\t\twrite: true\n\t\t\t\t},\n\t\t\t\tsecrets: [\"vault/master-key\"]\n\t\t\t}\n\t\t};\n\t}\n\tstatic async load({ config } = {}) {\n\t\treturn new AFSVault(afsVaultOptionsSchema.parse(config || {}));\n\t}\n\tasync ensureLoaded() {\n\t\tif (!this._loaded && this._masterKey) {\n\t\t\tthis._data = await readEncryptedVault(this.vaultPath, this._masterKey);\n\t\t\tthis._loaded = true;\n\t\t}\n\t\tif (!this._data) {\n\t\t\tthis._data = { secrets: {} };\n\t\t\tthis._loaded = true;\n\t\t}\n\t\treturn this._data;\n\t}\n\tasync save() {\n\t\tif (!this._masterKey) throw new Error(\"Vault master key not set — cannot write\");\n\t\tif (!this._data) return;\n\t\tawait writeEncryptedVault(this.vaultPath, this._data, this._masterKey);\n\t}\n\t/** Set the master key at runtime (for lazy initialization). */\n\tsetMasterKey(key) {\n\t\tthis._masterKey = key;\n\t\tthis._loaded = false;\n\t}\n\tbuildGroupEntry(group, secrets) {\n\t\treturn this.buildEntry(joinURL(\"/\", group), { meta: { childrenCount: Object.keys(secrets).length } });\n\t}\n\tbuildSecretEntry(group, name, value, includeContent = false) {\n\t\treturn this.buildEntry(joinURL(\"/\", group, name), {\n\t\t\tcontent: includeContent ? value : void 0,\n\t\t\tmeta: { size: value.length }\n\t\t});\n\t}\n\tbuildRootEntry(data) {\n\t\treturn this.buildEntry(\"/\", { meta: {\n\t\t\tchildrenCount: Object.keys(data.secrets).length,\n\t\t\tprovider: \"vault\",\n\t\t\tencrypted: true\n\t\t} });\n\t}\n\tparsePath(ctx) {\n\t\treturn (ctx.params?.path || \"\").split(\"/\").filter(Boolean);\n\t}\n\tasync handleMeta(ctx) {\n\t\tconst data = await this.ensureLoaded();\n\t\tconst parts = this.parsePath(ctx);\n\t\tconst metaPath = parts.length === 0 ? \"/.meta\" : joinURL(\"/\", ...parts, \".meta\");\n\t\tif (parts.length === 0) return this.buildEntry(metaPath, { meta: {\n\t\t\tchildrenCount: Object.keys(data.secrets).length,\n\t\t\tprovider: \"vault\",\n\t\t\tencrypted: true\n\t\t} });\n\t\tif (parts.length === 1) {\n\t\t\tconst group = parts[0];\n\t\t\tconst secrets = data.secrets[group];\n\t\t\tif (!secrets) throw new AFSNotFoundError(joinURL(\"/\", group));\n\t\t\treturn this.buildEntry(metaPath, { meta: { childrenCount: Object.keys(secrets).length } });\n\t\t}\n\t\tif (parts.length === 2) {\n\t\t\tconst group = parts[0];\n\t\t\tconst name = parts[1];\n\t\t\tconst secrets = data.secrets[group];\n\t\t\tif (!secrets || !(name in secrets)) throw new AFSNotFoundError(joinURL(\"/\", group, name));\n\t\t\treturn this.buildEntry(metaPath, { meta: { size: secrets[name].length } });\n\t\t}\n\t\tthrow new AFSNotFoundError(joinURL(\"/\", ...parts));\n\t}\n\tasync handleList(ctx) {\n\t\tconst data = await this.ensureLoaded();\n\t\tconst parts = this.parsePath(ctx);\n\t\tif (parts.length === 0) return { data: Object.keys(data.secrets).sort().map((g) => this.buildGroupEntry(g, data.secrets[g])) };\n\t\tif (parts.length === 1) {\n\t\t\tconst group = parts[0];\n\t\t\tconst secrets = data.secrets[group];\n\t\t\tif (!secrets) throw new AFSNotFoundError(joinURL(\"/\", group));\n\t\t\treturn { data: Object.keys(secrets).sort().map((n) => this.buildSecretEntry(group, n, secrets[n], false)) };\n\t\t}\n\t\tif (parts.length === 2) {\n\t\t\tconst group = parts[0];\n\t\t\tconst name = parts[1];\n\t\t\tconst secrets = data.secrets[group];\n\t\t\tif (!secrets || !(name in secrets)) throw new AFSNotFoundError(joinURL(\"/\", group, name));\n\t\t\treturn { data: [] };\n\t\t}\n\t\tthrow new AFSNotFoundError(joinURL(\"/\", ...parts));\n\t}\n\tasync handleReadCapabilities() {\n\t\tconst operations = this.getOperationsDeclaration();\n\t\tconst manifest = {\n\t\t\tschemaVersion: 1,\n\t\t\tprovider: this.name,\n\t\t\tdescription: this.description,\n\t\t\ttools: [],\n\t\t\tactions: [],\n\t\t\toperations\n\t\t};\n\t\treturn this.buildEntry(\"/.meta/.capabilities\", {\n\t\t\tcontent: manifest,\n\t\t\tmeta: {\n\t\t\t\tkind: \"afs:capabilities\",\n\t\t\t\toperations\n\t\t\t}\n\t\t});\n\t}\n\tasync handleRead(ctx) {\n\t\tconst data = await this.ensureLoaded();\n\t\tconst parts = this.parsePath(ctx);\n\t\tif (parts.length === 0) return this.buildRootEntry(data);\n\t\tif (parts.length === 1) {\n\t\t\tconst group = parts[0];\n\t\t\tconst secrets = data.secrets[group];\n\t\t\tif (!secrets) throw new AFSNotFoundError(joinURL(\"/\", group));\n\t\t\treturn this.buildGroupEntry(group, secrets);\n\t\t}\n\t\tif (parts.length === 2) {\n\t\t\tconst group = parts[0];\n\t\t\tconst name = parts[1];\n\t\t\tconst secrets = data.secrets[group];\n\t\t\tif (!secrets || !(name in secrets)) throw new AFSNotFoundError(joinURL(\"/\", group, name));\n\t\t\treturn this.buildSecretEntry(group, name, secrets[name], true);\n\t\t}\n\t\tthrow new AFSNotFoundError(joinURL(\"/\", ...parts));\n\t}\n\tasync handleStat(ctx) {\n\t\tconst data = await this.ensureLoaded();\n\t\tconst parts = this.parsePath(ctx);\n\t\tif (parts.length === 0) return { data: this.buildRootEntry(data) };\n\t\tif (parts.length === 1) {\n\t\t\tconst group = parts[0];\n\t\t\tconst secrets = data.secrets[group];\n\t\t\tif (!secrets) throw new AFSNotFoundError(joinURL(\"/\", group));\n\t\t\treturn { data: this.buildGroupEntry(group, secrets) };\n\t\t}\n\t\tif (parts.length === 2) {\n\t\t\tconst group = parts[0];\n\t\t\tconst name = parts[1];\n\t\t\tconst secrets = data.secrets[group];\n\t\t\tif (!secrets || !(name in secrets)) throw new AFSNotFoundError(joinURL(\"/\", group, name));\n\t\t\treturn { data: this.buildSecretEntry(group, name, secrets[name], false) };\n\t\t}\n\t\tthrow new AFSNotFoundError(joinURL(\"/\", ...parts));\n\t}\n\tasync handleWrite(ctx, payload) {\n\t\tconst data = await this.ensureLoaded();\n\t\tconst group = ctx.params.group;\n\t\tconst name = ctx.params.name;\n\t\tassertSafeName(group);\n\t\tassertSafeName(name);\n\t\tconst content = payload?.content;\n\t\tif (typeof content !== \"string\") throw new Error(\"Vault secrets must be string values\");\n\t\tif (!data.secrets[group]) data.secrets[group] = {};\n\t\tdata.secrets[group][name] = content;\n\t\tawait this.save();\n\t\treturn { data: this.buildSecretEntry(group, name, content, true) };\n\t}\n\tasync handleDelete(ctx) {\n\t\tconst data = await this.ensureLoaded();\n\t\tconst group = ctx.params.group;\n\t\tconst name = ctx.params.name;\n\t\tconst secrets = data.secrets[group];\n\t\tif (!secrets || !(name in secrets)) throw new AFSNotFoundError(joinURL(\"/\", group, name));\n\t\tdelete secrets[name];\n\t\tif (Object.keys(secrets).length === 0) delete data.secrets[group];\n\t\tawait this.save();\n\t\treturn { message: `Deleted secret: ${joinURL(\"/\", group, name)}` };\n\t}\n\tasync handleDeleteGroup(ctx) {\n\t\tconst data = await this.ensureLoaded();\n\t\tconst group = ctx.params.group;\n\t\tif (!data.secrets[group]) throw new AFSNotFoundError(joinURL(\"/\", group));\n\t\tdelete data.secrets[group];\n\t\tawait this.save();\n\t\treturn { message: `Deleted group: ${joinURL(\"/\", group)}` };\n\t}\n\tasync handleSearch(ctx, query, options) {\n\t\tconst data = await this.ensureLoaded();\n\t\tconst pattern = (query || \"\").toLowerCase();\n\t\tconst groupFilter = this.parsePath(ctx)[0];\n\t\tconst limit = options?.limit;\n\t\tconst results = [];\n\t\tconst groups = groupFilter ? [groupFilter] : Object.keys(data.secrets);\n\t\tfor (const group of groups) {\n\t\t\tconst secrets = data.secrets[group];\n\t\t\tif (!secrets) continue;\n\t\t\tif (!groupFilter && group.toLowerCase().includes(pattern)) {\n\t\t\t\tresults.push(this.buildGroupEntry(group, secrets));\n\t\t\t\tif (limit && results.length >= limit) break;\n\t\t\t}\n\t\t\tfor (const name of Object.keys(secrets)) {\n\t\t\t\tif (limit && results.length >= limit) break;\n\t\t\t\tif (name.toLowerCase().includes(pattern)) results.push(this.buildSecretEntry(group, name, secrets[name], false));\n\t\t\t}\n\t\t\tif (limit && results.length >= limit) break;\n\t\t}\n\t\treturn { data: limit ? results.slice(0, limit) : results };\n\t}\n\tasync handleExplain(ctx) {\n\t\tconst parts = this.parsePath(ctx);\n\t\tlet content;\n\t\tif (parts.length >= 2) content = `Secret \"${parts[1]}\" in group \"${parts[0]}\". Read to get the secret value.`;\n\t\telse if (parts.length === 1) content = `Secret group \"${parts[0]}\". List to see available secrets.`;\n\t\telse content = \"AFS Vault — encrypted secret storage. List to see secret groups.\";\n\t\treturn {\n\t\t\tformat: \"text\",\n\t\t\tcontent\n\t\t};\n\t}\n\t/** Get a secret value directly (bypasses AFS routing). */\n\tasync getSecret(group, name) {\n\t\treturn (await this.ensureLoaded()).secrets[group]?.[name];\n\t}\n\t/** Set a secret value directly. */\n\tasync setSecret(group, name, value) {\n\t\tconst data = await this.ensureLoaded();\n\t\tif (!data.secrets[group]) data.secrets[group] = {};\n\t\tdata.secrets[group][name] = value;\n\t\tawait this.save();\n\t}\n\t/** Delete a secret directly. */\n\tasync deleteSecret(group, name) {\n\t\tconst data = await this.ensureLoaded();\n\t\tconst secrets = data.secrets[group];\n\t\tif (!secrets || !(name in secrets)) return false;\n\t\tdelete secrets[name];\n\t\tif (Object.keys(secrets).length === 0) delete data.secrets[group];\n\t\tawait this.save();\n\t\treturn true;\n\t}\n\t/** List all groups, or all secrets in a group. */\n\tasync listSecrets(group) {\n\t\tconst data = await this.ensureLoaded();\n\t\tif (!group) return Object.keys(data.secrets).sort();\n\t\tconst secrets = data.secrets[group];\n\t\tif (!secrets) return [];\n\t\treturn Object.keys(secrets).sort();\n\t}\n\t/** Get all secrets as flat map: \"group/name\" → value. Used for migration. */\n\tasync getAllSecrets() {\n\t\tconst data = await this.ensureLoaded();\n\t\tconst result = {};\n\t\tfor (const [group, secrets] of Object.entries(data.secrets)) for (const [name, value] of Object.entries(secrets)) result[`${group}/${name}`] = value;\n\t\treturn result;\n\t}\n};\n__decorate([Meta(\"/:path*\")], AFSVault.prototype, \"handleMeta\", null);\n__decorate([List(\"/:path*\")], AFSVault.prototype, \"handleList\", null);\n__decorate([Read(\"/.meta/.capabilities\")], AFSVault.prototype, \"handleReadCapabilities\", null);\n__decorate([Read(\"/:path*\")], AFSVault.prototype, \"handleRead\", null);\n__decorate([Stat(\"/:path*\")], AFSVault.prototype, \"handleStat\", null);\n__decorate([Write(\"/:group/:name\")], AFSVault.prototype, \"handleWrite\", null);\n__decorate([Delete(\"/:group/:name\")], AFSVault.prototype, \"handleDelete\", null);\n__decorate([Delete(\"/:group\")], AFSVault.prototype, \"handleDeleteGroup\", null);\n__decorate([Search(\"/:path*\")], AFSVault.prototype, \"handleSearch\", null);\n__decorate([Explain(\"/:path*\")], AFSVault.prototype, \"handleExplain\", null);\nAFSVault.load = AFSVault.load;\n\n//#endregion\nexport { AFSVault, _resetCachedKeyForTesting, deleteKeychain, deriveKeyFromPassphrase, generateMasterKey, readEncryptedVault, resolveMasterKey, storeKeychain, vaultFileExists, writeEncryptedVault };\n//# sourceMappingURL=index.mjs.map"],"mappings":";;;;;;;;;;;;;;;;;AAiBA,MAAM,wBAAwB,EAAE,OAAO;CACtC,MAAM,EAAE,QAAQ,CAAC,UAAU,CAAC,SAAS,cAAc;CACnD,aAAa,EAAE,QAAQ,CAAC,UAAU,CAAC,SAAS,qBAAqB;CACjE,WAAW,EAAE,QAAQ,CAAC,SAAS,mCAAmC;CAClE,YAAY,EAAE,KAAK,CAAC,YAAY,YAAY,CAAC,CAAC,UAAU,CAAC,SAAS,cAAc;CAChF,CAAC;;AAEF,MAAM,kBAAkB,IAAI,IAAI;CAC/B;CACA;CACA;CACA,CAAC;AACF,SAAS,eAAe,SAAS;AAChC,KAAI,gBAAgB,IAAI,QAAQ,CAAE,OAAM,IAAI,MAAM,2BAA2B,UAAU;;AAExF,IAAI,WAAW,MAAM,iBAAiB,gBAAgB;CACrD;CACA;CACA;CACA;CACA;CACA,QAAQ;CACR,UAAU;CACV,YAAY,SAAS;AACpB,SAAO;AACP,OAAK,OAAO,QAAQ,QAAQ;AAC5B,OAAK,cAAc,QAAQ,eAAe;AAC1C,OAAK,aAAa,QAAQ,cAAc;AACxC,OAAK,YAAY,QAAQ;AACzB,OAAK,aAAa,QAAQ;;CAE3B,OAAO,mBAAmB;AACzB,SAAO;GACN,OAAO;IACN,cAAc;IACd,YAAY;IACZ;GACD,QAAQ;IACP,cAAc;IACd,YAAY;IACZ;GACD;;CAEF,OAAO,SAAS;AACf,SAAO;;CAER,OAAO,aAAa;AACnB,SAAO;GACN,YAAY;IACX;IACA;IACA;IACA;IACA;IACA;IACA;IACA;GACD,MAAM;IACL,KAAK;KACJ,MAAM;KACN,YAAY,CAAC,QAAQ,OAAO;KAC5B;IACD,YAAY;KACX,MAAM;KACN,YAAY;MACX;MACA;MACA;MACA;KACD,aAAa,CAAC,SAAS;KACvB;IACD,mBAAmB;KAClB,MAAM;KACN,YAAY;MACX;MACA;MACA;MACA;KACD,aAAa,CAAC,SAAS;KACvB;IACD;GACD,MAAM;IACL,MAAM;IACN,KAAK,CAAC,gBAAgB;IACtB;GACD,SAAS,CAAC,kBAAkB,qBAAqB;GACjD,QAAQ,CAAC,qBAAqB;GAC9B;;CAEF,OAAO,WAAW;AACjB,SAAO;GACN,MAAM;GACN,aAAa;GACb,aAAa;GACb,UAAU;GACV,QAAQ,EAAE,OAAO,EAAE,WAAW,EAAE,QAAQ,EAAE,CAAC;GAC3C,MAAM;IACL;IACA;IACA;IACA;IACA;GACD,gBAAgB;IACf;IACA;IACA;IACA;IACA;IACA;GACD,UAAU;IACT,WAAW;IACX,gBAAgB,CAAC,mBAAmB;IACpC,iBAAiB,CAAC,cAAc;IAChC,OAAO,CAAC,0DAA0D,8DAA8D;IAChI;GACD,cAAc;IACb,YAAY;KACX,MAAM;KACN,OAAO;KACP;IACD,SAAS,CAAC,mBAAmB;IAC7B;GACD;;CAEF,aAAa,KAAK,EAAE,WAAW,EAAE,EAAE;AAClC,SAAO,IAAI,SAAS,sBAAsB,MAAM,UAAU,EAAE,CAAC,CAAC;;CAE/D,MAAM,eAAe;AACpB,MAAI,CAAC,KAAK,WAAW,KAAK,YAAY;AACrC,QAAK,QAAQ,MAAM,mBAAmB,KAAK,WAAW,KAAK,WAAW;AACtE,QAAK,UAAU;;AAEhB,MAAI,CAAC,KAAK,OAAO;AAChB,QAAK,QAAQ,EAAE,SAAS,EAAE,EAAE;AAC5B,QAAK,UAAU;;AAEhB,SAAO,KAAK;;CAEb,MAAM,OAAO;AACZ,MAAI,CAAC,KAAK,WAAY,OAAM,IAAI,MAAM,0CAA0C;AAChF,MAAI,CAAC,KAAK,MAAO;AACjB,QAAM,oBAAoB,KAAK,WAAW,KAAK,OAAO,KAAK,WAAW;;;CAGvE,aAAa,KAAK;AACjB,OAAK,aAAa;AAClB,OAAK,UAAU;;CAEhB,gBAAgB,OAAO,SAAS;AAC/B,SAAO,KAAK,WAAW,QAAQ,KAAK,MAAM,EAAE,EAAE,MAAM,EAAE,eAAe,OAAO,KAAK,QAAQ,CAAC,QAAQ,EAAE,CAAC;;CAEtG,iBAAiB,OAAO,MAAM,OAAO,iBAAiB,OAAO;AAC5D,SAAO,KAAK,WAAW,QAAQ,KAAK,OAAO,KAAK,EAAE;GACjD,SAAS,iBAAiB,QAAQ,KAAK;GACvC,MAAM,EAAE,MAAM,MAAM,QAAQ;GAC5B,CAAC;;CAEH,eAAe,MAAM;AACpB,SAAO,KAAK,WAAW,KAAK,EAAE,MAAM;GACnC,eAAe,OAAO,KAAK,KAAK,QAAQ,CAAC;GACzC,UAAU;GACV,WAAW;GACX,EAAE,CAAC;;CAEL,UAAU,KAAK;AACd,UAAQ,IAAI,QAAQ,QAAQ,IAAI,MAAM,IAAI,CAAC,OAAO,QAAQ;;CAE3D,MAAM,WAAW,KAAK;EACrB,MAAM,OAAO,MAAM,KAAK,cAAc;EACtC,MAAM,QAAQ,KAAK,UAAU,IAAI;EACjC,MAAM,WAAW,MAAM,WAAW,IAAI,WAAW,QAAQ,KAAK,GAAG,OAAO,QAAQ;AAChF,MAAI,MAAM,WAAW,EAAG,QAAO,KAAK,WAAW,UAAU,EAAE,MAAM;GAChE,eAAe,OAAO,KAAK,KAAK,QAAQ,CAAC;GACzC,UAAU;GACV,WAAW;GACX,EAAE,CAAC;AACJ,MAAI,MAAM,WAAW,GAAG;GACvB,MAAM,QAAQ,MAAM;GACpB,MAAM,UAAU,KAAK,QAAQ;AAC7B,OAAI,CAAC,QAAS,OAAM,IAAI,iBAAiB,QAAQ,KAAK,MAAM,CAAC;AAC7D,UAAO,KAAK,WAAW,UAAU,EAAE,MAAM,EAAE,eAAe,OAAO,KAAK,QAAQ,CAAC,QAAQ,EAAE,CAAC;;AAE3F,MAAI,MAAM,WAAW,GAAG;GACvB,MAAM,QAAQ,MAAM;GACpB,MAAM,OAAO,MAAM;GACnB,MAAM,UAAU,KAAK,QAAQ;AAC7B,OAAI,CAAC,WAAW,EAAE,QAAQ,SAAU,OAAM,IAAI,iBAAiB,QAAQ,KAAK,OAAO,KAAK,CAAC;AACzF,UAAO,KAAK,WAAW,UAAU,EAAE,MAAM,EAAE,MAAM,QAAQ,MAAM,QAAQ,EAAE,CAAC;;AAE3E,QAAM,IAAI,iBAAiB,QAAQ,KAAK,GAAG,MAAM,CAAC;;CAEnD,MAAM,WAAW,KAAK;EACrB,MAAM,OAAO,MAAM,KAAK,cAAc;EACtC,MAAM,QAAQ,KAAK,UAAU,IAAI;AACjC,MAAI,MAAM,WAAW,EAAG,QAAO,EAAE,MAAM,OAAO,KAAK,KAAK,QAAQ,CAAC,MAAM,CAAC,KAAK,MAAM,KAAK,gBAAgB,GAAG,KAAK,QAAQ,GAAG,CAAC,EAAE;AAC9H,MAAI,MAAM,WAAW,GAAG;GACvB,MAAM,QAAQ,MAAM;GACpB,MAAM,UAAU,KAAK,QAAQ;AAC7B,OAAI,CAAC,QAAS,OAAM,IAAI,iBAAiB,QAAQ,KAAK,MAAM,CAAC;AAC7D,UAAO,EAAE,MAAM,OAAO,KAAK,QAAQ,CAAC,MAAM,CAAC,KAAK,MAAM,KAAK,iBAAiB,OAAO,GAAG,QAAQ,IAAI,MAAM,CAAC,EAAE;;AAE5G,MAAI,MAAM,WAAW,GAAG;GACvB,MAAM,QAAQ,MAAM;GACpB,MAAM,OAAO,MAAM;GACnB,MAAM,UAAU,KAAK,QAAQ;AAC7B,OAAI,CAAC,WAAW,EAAE,QAAQ,SAAU,OAAM,IAAI,iBAAiB,QAAQ,KAAK,OAAO,KAAK,CAAC;AACzF,UAAO,EAAE,MAAM,EAAE,EAAE;;AAEpB,QAAM,IAAI,iBAAiB,QAAQ,KAAK,GAAG,MAAM,CAAC;;CAEnD,MAAM,yBAAyB;EAC9B,MAAM,aAAa,KAAK,0BAA0B;EAClD,MAAM,WAAW;GAChB,eAAe;GACf,UAAU,KAAK;GACf,aAAa,KAAK;GAClB,OAAO,EAAE;GACT,SAAS,EAAE;GACX;GACA;AACD,SAAO,KAAK,WAAW,wBAAwB;GAC9C,SAAS;GACT,MAAM;IACL,MAAM;IACN;IACA;GACD,CAAC;;CAEH,MAAM,WAAW,KAAK;EACrB,MAAM,OAAO,MAAM,KAAK,cAAc;EACtC,MAAM,QAAQ,KAAK,UAAU,IAAI;AACjC,MAAI,MAAM,WAAW,EAAG,QAAO,KAAK,eAAe,KAAK;AACxD,MAAI,MAAM,WAAW,GAAG;GACvB,MAAM,QAAQ,MAAM;GACpB,MAAM,UAAU,KAAK,QAAQ;AAC7B,OAAI,CAAC,QAAS,OAAM,IAAI,iBAAiB,QAAQ,KAAK,MAAM,CAAC;AAC7D,UAAO,KAAK,gBAAgB,OAAO,QAAQ;;AAE5C,MAAI,MAAM,WAAW,GAAG;GACvB,MAAM,QAAQ,MAAM;GACpB,MAAM,OAAO,MAAM;GACnB,MAAM,UAAU,KAAK,QAAQ;AAC7B,OAAI,CAAC,WAAW,EAAE,QAAQ,SAAU,OAAM,IAAI,iBAAiB,QAAQ,KAAK,OAAO,KAAK,CAAC;AACzF,UAAO,KAAK,iBAAiB,OAAO,MAAM,QAAQ,OAAO,KAAK;;AAE/D,QAAM,IAAI,iBAAiB,QAAQ,KAAK,GAAG,MAAM,CAAC;;CAEnD,MAAM,WAAW,KAAK;EACrB,MAAM,OAAO,MAAM,KAAK,cAAc;EACtC,MAAM,QAAQ,KAAK,UAAU,IAAI;AACjC,MAAI,MAAM,WAAW,EAAG,QAAO,EAAE,MAAM,KAAK,eAAe,KAAK,EAAE;AAClE,MAAI,MAAM,WAAW,GAAG;GACvB,MAAM,QAAQ,MAAM;GACpB,MAAM,UAAU,KAAK,QAAQ;AAC7B,OAAI,CAAC,QAAS,OAAM,IAAI,iBAAiB,QAAQ,KAAK,MAAM,CAAC;AAC7D,UAAO,EAAE,MAAM,KAAK,gBAAgB,OAAO,QAAQ,EAAE;;AAEtD,MAAI,MAAM,WAAW,GAAG;GACvB,MAAM,QAAQ,MAAM;GACpB,MAAM,OAAO,MAAM;GACnB,MAAM,UAAU,KAAK,QAAQ;AAC7B,OAAI,CAAC,WAAW,EAAE,QAAQ,SAAU,OAAM,IAAI,iBAAiB,QAAQ,KAAK,OAAO,KAAK,CAAC;AACzF,UAAO,EAAE,MAAM,KAAK,iBAAiB,OAAO,MAAM,QAAQ,OAAO,MAAM,EAAE;;AAE1E,QAAM,IAAI,iBAAiB,QAAQ,KAAK,GAAG,MAAM,CAAC;;CAEnD,MAAM,YAAY,KAAK,SAAS;EAC/B,MAAM,OAAO,MAAM,KAAK,cAAc;EACtC,MAAM,QAAQ,IAAI,OAAO;EACzB,MAAM,OAAO,IAAI,OAAO;AACxB,iBAAe,MAAM;AACrB,iBAAe,KAAK;EACpB,MAAM,UAAU,SAAS;AACzB,MAAI,OAAO,YAAY,SAAU,OAAM,IAAI,MAAM,sCAAsC;AACvF,MAAI,CAAC,KAAK,QAAQ,OAAQ,MAAK,QAAQ,SAAS,EAAE;AAClD,OAAK,QAAQ,OAAO,QAAQ;AAC5B,QAAM,KAAK,MAAM;AACjB,SAAO,EAAE,MAAM,KAAK,iBAAiB,OAAO,MAAM,SAAS,KAAK,EAAE;;CAEnE,MAAM,aAAa,KAAK;EACvB,MAAM,OAAO,MAAM,KAAK,cAAc;EACtC,MAAM,QAAQ,IAAI,OAAO;EACzB,MAAM,OAAO,IAAI,OAAO;EACxB,MAAM,UAAU,KAAK,QAAQ;AAC7B,MAAI,CAAC,WAAW,EAAE,QAAQ,SAAU,OAAM,IAAI,iBAAiB,QAAQ,KAAK,OAAO,KAAK,CAAC;AACzF,SAAO,QAAQ;AACf,MAAI,OAAO,KAAK,QAAQ,CAAC,WAAW,EAAG,QAAO,KAAK,QAAQ;AAC3D,QAAM,KAAK,MAAM;AACjB,SAAO,EAAE,SAAS,mBAAmB,QAAQ,KAAK,OAAO,KAAK,IAAI;;CAEnE,MAAM,kBAAkB,KAAK;EAC5B,MAAM,OAAO,MAAM,KAAK,cAAc;EACtC,MAAM,QAAQ,IAAI,OAAO;AACzB,MAAI,CAAC,KAAK,QAAQ,OAAQ,OAAM,IAAI,iBAAiB,QAAQ,KAAK,MAAM,CAAC;AACzE,SAAO,KAAK,QAAQ;AACpB,QAAM,KAAK,MAAM;AACjB,SAAO,EAAE,SAAS,kBAAkB,QAAQ,KAAK,MAAM,IAAI;;CAE5D,MAAM,aAAa,KAAK,OAAO,SAAS;EACvC,MAAM,OAAO,MAAM,KAAK,cAAc;EACtC,MAAM,WAAW,SAAS,IAAI,aAAa;EAC3C,MAAM,cAAc,KAAK,UAAU,IAAI,CAAC;EACxC,MAAM,QAAQ,SAAS;EACvB,MAAM,UAAU,EAAE;EAClB,MAAM,SAAS,cAAc,CAAC,YAAY,GAAG,OAAO,KAAK,KAAK,QAAQ;AACtE,OAAK,MAAM,SAAS,QAAQ;GAC3B,MAAM,UAAU,KAAK,QAAQ;AAC7B,OAAI,CAAC,QAAS;AACd,OAAI,CAAC,eAAe,MAAM,aAAa,CAAC,SAAS,QAAQ,EAAE;AAC1D,YAAQ,KAAK,KAAK,gBAAgB,OAAO,QAAQ,CAAC;AAClD,QAAI,SAAS,QAAQ,UAAU,MAAO;;AAEvC,QAAK,MAAM,QAAQ,OAAO,KAAK,QAAQ,EAAE;AACxC,QAAI,SAAS,QAAQ,UAAU,MAAO;AACtC,QAAI,KAAK,aAAa,CAAC,SAAS,QAAQ,CAAE,SAAQ,KAAK,KAAK,iBAAiB,OAAO,MAAM,QAAQ,OAAO,MAAM,CAAC;;AAEjH,OAAI,SAAS,QAAQ,UAAU,MAAO;;AAEvC,SAAO,EAAE,MAAM,QAAQ,QAAQ,MAAM,GAAG,MAAM,GAAG,SAAS;;CAE3D,MAAM,cAAc,KAAK;EACxB,MAAM,QAAQ,KAAK,UAAU,IAAI;EACjC,IAAI;AACJ,MAAI,MAAM,UAAU,EAAG,WAAU,WAAW,MAAM,GAAG,cAAc,MAAM,GAAG;WACnE,MAAM,WAAW,EAAG,WAAU,iBAAiB,MAAM,GAAG;MAC5D,WAAU;AACf,SAAO;GACN,QAAQ;GACR;GACA;;;CAGF,MAAM,UAAU,OAAO,MAAM;AAC5B,UAAQ,MAAM,KAAK,cAAc,EAAE,QAAQ,SAAS;;;CAGrD,MAAM,UAAU,OAAO,MAAM,OAAO;EACnC,MAAM,OAAO,MAAM,KAAK,cAAc;AACtC,MAAI,CAAC,KAAK,QAAQ,OAAQ,MAAK,QAAQ,SAAS,EAAE;AAClD,OAAK,QAAQ,OAAO,QAAQ;AAC5B,QAAM,KAAK,MAAM;;;CAGlB,MAAM,aAAa,OAAO,MAAM;EAC/B,MAAM,OAAO,MAAM,KAAK,cAAc;EACtC,MAAM,UAAU,KAAK,QAAQ;AAC7B,MAAI,CAAC,WAAW,EAAE,QAAQ,SAAU,QAAO;AAC3C,SAAO,QAAQ;AACf,MAAI,OAAO,KAAK,QAAQ,CAAC,WAAW,EAAG,QAAO,KAAK,QAAQ;AAC3D,QAAM,KAAK,MAAM;AACjB,SAAO;;;CAGR,MAAM,YAAY,OAAO;EACxB,MAAM,OAAO,MAAM,KAAK,cAAc;AACtC,MAAI,CAAC,MAAO,QAAO,OAAO,KAAK,KAAK,QAAQ,CAAC,MAAM;EACnD,MAAM,UAAU,KAAK,QAAQ;AAC7B,MAAI,CAAC,QAAS,QAAO,EAAE;AACvB,SAAO,OAAO,KAAK,QAAQ,CAAC,MAAM;;;CAGnC,MAAM,gBAAgB;EACrB,MAAM,OAAO,MAAM,KAAK,cAAc;EACtC,MAAM,SAAS,EAAE;AACjB,OAAK,MAAM,CAAC,OAAO,YAAY,OAAO,QAAQ,KAAK,QAAQ,CAAE,MAAK,MAAM,CAAC,MAAM,UAAU,OAAO,QAAQ,QAAQ,CAAE,QAAO,GAAG,MAAM,GAAG,UAAU;AAC/I,SAAO;;;AAGT,WAAW,CAAC,KAAK,UAAU,CAAC,EAAE,SAAS,WAAW,cAAc,KAAK;AACrE,WAAW,CAAC,KAAK,UAAU,CAAC,EAAE,SAAS,WAAW,cAAc,KAAK;AACrE,WAAW,CAAC,KAAK,uBAAuB,CAAC,EAAE,SAAS,WAAW,0BAA0B,KAAK;AAC9F,WAAW,CAAC,KAAK,UAAU,CAAC,EAAE,SAAS,WAAW,cAAc,KAAK;AACrE,WAAW,CAAC,KAAK,UAAU,CAAC,EAAE,SAAS,WAAW,cAAc,KAAK;AACrE,WAAW,CAAC,MAAM,gBAAgB,CAAC,EAAE,SAAS,WAAW,eAAe,KAAK;AAC7E,WAAW,CAAC,OAAO,gBAAgB,CAAC,EAAE,SAAS,WAAW,gBAAgB,KAAK;AAC/E,WAAW,CAAC,OAAO,UAAU,CAAC,EAAE,SAAS,WAAW,qBAAqB,KAAK;AAC9E,WAAW,CAAC,OAAO,UAAU,CAAC,EAAE,SAAS,WAAW,gBAAgB,KAAK;AACzE,WAAW,CAAC,QAAQ,UAAU,CAAC,EAAE,SAAS,WAAW,iBAAiB,KAAK;AAC3E,SAAS,OAAO,SAAS"}

package/dist/providers/vault/dist/key-resolver.cjs

@@ -0,0 +1,181 @@
+const require_rolldown_runtime = require('../../../_virtual/rolldown_runtime.cjs');
+const require_encrypted_file = require('./encrypted-file.cjs');
+let node_crypto = require("node:crypto");
+let node_child_process = require("node:child_process");
+let node_os = require("node:os");
+let node_util = require("node:util");
+
+//#region ../../providers/vault/dist/key-resolver.mjs
+/**
+* Master key resolution chain.
+*
+* Priority (first available wins):
+* 1. AFS_VAULT_KEY environment variable (hex-encoded) — explicit override for CI/automation
+* 2. OS Keychain (macOS Keychain / Linux Secret Service) — desktop default
+* 3. Passphrase prompt (key derived via crypto.scrypt, cached in memory)
+*
+* No native dependencies — uses system CLIs for keychain access.
+*/
+const execFileAsync = (0, node_util.promisify)(node_child_process.execFile);
+const SERVICE_NAME = "afs-vault";
+const ACCOUNT_NAME = "master-key";
+const KEY_LENGTH = 32;
+/** Cached key for the process lifetime (avoids repeated prompts). */
+let cachedKey = null;
+/**
+* Resolve master key using the priority chain.
+*
+* @param interactive - If true, allows passphrase prompt. Default true.
+* @param vaultPath - Path to vault file (used for per-file salt in passphrase mode).
+* @returns 32-byte master key buffer.
+*/
+async function resolveMasterKey(interactive = true, vaultPath) {
+	if (cachedKey) return cachedKey;
+	const envKey = process.env.AFS_VAULT_KEY;
+	if (envKey) {
+		const buf = Buffer.from(envKey, "hex");
+		if (buf.length !== KEY_LENGTH) throw new Error("AFS_VAULT_KEY must be a 64-character hex string (32 bytes)");
+		cachedKey = buf;
+		return buf;
+	}
+	const keychainKey = await readKeychain();
+	if (keychainKey) {
+		cachedKey = keychainKey;
+		return keychainKey;
+	}
+	if (!interactive) throw new Error("No vault master key found. Set AFS_VAULT_KEY environment variable (64-char hex),\nor run in interactive mode to enter a passphrase.");
+	const key = require_encrypted_file.deriveKeyFromPassphrase(await promptPassphrase(), (vaultPath ? await require_encrypted_file.readVaultSalt(vaultPath) : null) ?? await readPassphraseSalt());
+	cachedKey = key;
+	return key;
+}
+/**
+* Store a master key in the OS keychain.
+* Returns true on success, false if keychain is unavailable.
+*/
+async function storeKeychain(masterKey) {
+	const hexKey = masterKey.toString("hex");
+	const os = (0, node_os.platform)();
+	try {
+		if (os === "darwin") {
+			await execFileAsync("security", [
+				"add-generic-password",
+				"-s",
+				SERVICE_NAME,
+				"-a",
+				ACCOUNT_NAME,
+				"-w",
+				hexKey,
+				"-U"
+			]);
+			return true;
+		}
+		if (os === "linux") {
+			const { spawn } = await import("node:child_process");
+			return new Promise((resolve) => {
+				const proc = spawn("secret-tool", [
+					"store",
+					"--label",
+					"AFS Vault Master Key",
+					"service",
+					SERVICE_NAME,
+					"account",
+					ACCOUNT_NAME
+				]);
+				proc.stdin.write(hexKey);
+				proc.stdin.end();
+				proc.on("close", (code) => resolve(code === 0));
+				proc.on("error", () => resolve(false));
+			});
+		}
+		return false;
+	} catch {
+		return false;
+	}
+}
+/**
+* Read master key from OS keychain.
+* Returns null if not found or keychain unavailable.
+*/
+async function readKeychain() {
+	const os = (0, node_os.platform)();
+	try {
+		if (os === "darwin") {
+			const { stdout } = await execFileAsync("security", [
+				"find-generic-password",
+				"-s",
+				SERVICE_NAME,
+				"-a",
+				ACCOUNT_NAME,
+				"-w"
+			]);
+			const hex = stdout.trim();
+			if (hex.length === KEY_LENGTH * 2) return Buffer.from(hex, "hex");
+			return null;
+		}
+		if (os === "linux") {
+			const { stdout } = await execFileAsync("secret-tool", [
+				"lookup",
+				"service",
+				SERVICE_NAME,
+				"account",
+				ACCOUNT_NAME
+			]);
+			const hex = stdout.trim();
+			if (hex.length === KEY_LENGTH * 2) return Buffer.from(hex, "hex");
+			return null;
+		}
+		return null;
+	} catch {
+		return null;
+	}
+}
+/**
+* Prompt user for passphrase via stdin (no echo).
+*/
+async function promptPassphrase() {
+	const { createInterface } = await import("node:readline");
+	return new Promise((resolve, reject) => {
+		const rl = createInterface({
+			input: process.stdin,
+			output: process.stderr,
+			terminal: true
+		});
+		if (process.stdin.isTTY) {
+			process.stderr.write("Vault passphrase: ");
+			rl._writeToOutput = () => {};
+		}
+		rl.question("", (answer) => {
+			rl.close();
+			if (process.stdin.isTTY) process.stderr.write("\n");
+			if (!answer || answer.trim() === "") {
+				reject(/* @__PURE__ */ new Error("Passphrase cannot be empty"));
+				return;
+			}
+			resolve(answer);
+		});
+	});
+}
+/**
+* Read or create the passphrase salt file.
+*
+* The salt is stored alongside the vault file to enable consistent
+* key derivation from the same passphrase.
+*/
+async function readPassphraseSalt() {
+	const { homedir } = await import("node:os");
+	const { join } = await import("node:path");
+	const { readFile, writeFile, mkdir } = await import("node:fs/promises");
+	const saltPath = join(homedir(), ".afs-config", "vault-salt");
+	try {
+		const data = await readFile(saltPath);
+		if (data.length === 32) return data;
+	} catch {}
+	const salt = (0, node_crypto.randomBytes)(32);
+	await mkdir(join(homedir(), ".afs-config"), { recursive: true });
+	await writeFile(saltPath, salt, { mode: 384 });
+	return salt;
+}
+
+//#endregion
+exports.resolveMasterKey = resolveMasterKey;
+exports.storeKeychain = storeKeychain;