npm - @aigne/afs-rotation - Versions diffs - 1.11.0-beta.12 - Mend

@aigne/afs-rotation 1.11.0-beta.12

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/LICENSE.md +26 -0
package/dist/_virtual/_@oxc-project_runtime@0.108.0/helpers/decorate.cjs +11 -0
package/dist/_virtual/_@oxc-project_runtime@0.108.0/helpers/decorate.mjs +10 -0
package/dist/index.cjs +406 -0
package/dist/index.d.cts +115 -0
package/dist/index.d.cts.map +1 -0
package/dist/index.d.mts +115 -0
package/dist/index.d.mts.map +1 -0
package/dist/index.mjs +407 -0
package/dist/index.mjs.map +1 -0
package/package.json +58 -0

package/LICENSE.md ADDED Viewed

@@ -0,0 +1,26 @@
+# Proprietary License
+Copyright (c) 2024-2025 ArcBlock, Inc. All Rights Reserved.
+This software and associated documentation files (the "Software") are proprietary
+and confidential. Unauthorized copying, modification, distribution, or use of
+this Software, via any medium, is strictly prohibited.
+The Software is provided for internal use only within ArcBlock, Inc. and its
+authorized affiliates.
+## No License Granted
+No license, express or implied, is granted to any party for any purpose.
+All rights are reserved by ArcBlock, Inc.
+## Public Artifact Distribution
+Portions of this Software may be released publicly under separate open-source
+licenses (such as MIT License) through designated public repositories. Such
+public releases are governed by their respective licenses and do not affect
+the proprietary nature of this repository.
+## Contact
+For licensing inquiries, contact: legal@arcblock.io

package/dist/_virtual/_@oxc-project_runtime@0.108.0/helpers/decorate.cjs ADDED Viewed

@@ -0,0 +1,11 @@
+//#region \0@oxc-project+runtime@0.108.0/helpers/decorate.js
+function __decorate(decorators, target, key, desc) {
+	var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+	if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+	else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+	return c > 3 && r && Object.defineProperty(target, key, r), r;
+}
+//#endregion
+exports.__decorate = __decorate;

package/dist/_virtual/_@oxc-project_runtime@0.108.0/helpers/decorate.mjs ADDED Viewed

@@ -0,0 +1,10 @@
+//#region \0@oxc-project+runtime@0.108.0/helpers/decorate.js
+function __decorate(decorators, target, key, desc) {
+	var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+	if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+	else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+	return c > 3 && r && Object.defineProperty(target, key, r), r;
+}
+//#endregion
+export { __decorate };

package/dist/index.cjs ADDED Viewed

@@ -0,0 +1,406 @@
+const require_decorate = require('./_virtual/_@oxc-project_runtime@0.108.0/helpers/decorate.cjs');
+let _aigne_afs = require("@aigne/afs");
+let _aigne_afs_provider = require("@aigne/afs/provider");
+let ufo = require("ufo");
+let zod = require("zod");
+//#region src/index.ts
+/**
+* AFS Rotation Provider — OAuth2 token rotation with vault integration.
+*
+* Tree: /rotation/{config-name} → rotation config and status
+* Actions: rotate (per config), rotate-all (root)
+* Reads refresh tokens from vault, calls OAuth2 token endpoint, writes new tokens back.
+* No scheduler — on-demand only. Scheduling is external infrastructure.
+*/
+const rotationConfigSchema = zod.z.object({
+	name: zod.z.string(),
+	refreshTokenPath: zod.z.string(),
+	accessTokenPath: zod.z.string(),
+	tokenEndpoint: zod.z.string().url(),
+	clientId: zod.z.string(),
+	clientSecretPath: zod.z.string().optional(),
+	grantType: zod.z.string().optional(),
+	extraParams: zod.z.record(zod.z.string(), zod.z.string()).optional(),
+	rotateRefreshToken: zod.z.boolean().optional()
+});
+const afsRotationOptionsSchema = zod.z.object({
+	name: zod.z.string().optional().describe("Module name"),
+	description: zod.z.string().optional().describe("Module description"),
+	accessMode: zod.z.enum(["readonly", "readwrite"]).optional().describe("Access mode"),
+	configs: zod.z.array(rotationConfigSchema).describe("Rotation configurations")
+});
+function parseVaultPath(vaultPath) {
+	const parts = vaultPath.split("/").filter(Boolean);
+	if (parts.length !== 2) throw new Error(`Invalid vault path "${vaultPath}" — expected "group/name"`);
+	return {
+		group: parts[0],
+		name: parts[1]
+	};
+}
+var AFSRotation = class extends _aigne_afs_provider.AFSBaseProvider {
+	name;
+	description;
+	accessMode;
+	vault;
+	configs;
+	statuses;
+	fetchFn;
+	constructor(options) {
+		super();
+		this.name = options.name || "rotation";
+		this.description = options.description || "OAuth2 token rotation";
+		this.accessMode = options.accessMode || "readwrite";
+		this.vault = options.vault;
+		this.fetchFn = options.fetchFn || globalThis.fetch;
+		this.configs = /* @__PURE__ */ new Map();
+		this.statuses = /* @__PURE__ */ new Map();
+		for (const cfg of options.configs) {
+			rotationConfigSchema.parse(cfg);
+			this.configs.set(cfg.name, cfg);
+			this.statuses.set(cfg.name, {
+				configName: cfg.name,
+				lastRotation: null,
+				lastResult: null,
+				lastError: null,
+				rotationCount: 0
+			});
+		}
+	}
+	static securityProfiles() {
+		return {
+			admin: {
+				actionPolicy: "full",
+				accessMode: "readwrite"
+			},
+			system: {
+				actionPolicy: "safe",
+				accessMode: "readonly"
+			}
+		};
+	}
+	static schema() {
+		return afsRotationOptionsSchema;
+	}
+	static treeSchema() {
+		return {
+			operations: [
+				"list",
+				"read",
+				"exec",
+				"stat",
+				"explain"
+			],
+			tree: {
+				"/": {
+					kind: "rotation:root",
+					operations: [
+						"list",
+						"read",
+						"exec"
+					],
+					actions: ["rotate-all"]
+				},
+				"/{name}": {
+					kind: "rotation:config",
+					operations: [
+						"list",
+						"read",
+						"exec"
+					],
+					actions: ["rotate"]
+				},
+				"/{name}/status": {
+					kind: "rotation:status",
+					operations: ["read"]
+				}
+			},
+			auth: { type: "custom" },
+			bestFor: ["OAuth2 token rotation", "credential refresh"],
+			notFor: ["secret storage"]
+		};
+	}
+	static manifest() {
+		return {
+			name: "rotation",
+			description: "OAuth2 token rotation.\n- Reads refresh tokens from vault, calls token endpoints, writes new tokens back\n- On-demand rotation via actions\n- Security profiles: admin (readwrite), system (readonly)",
+			uriTemplate: "rotation://",
+			category: "security",
+			schema: afsRotationOptionsSchema,
+			tags: [
+				"rotation",
+				"oauth",
+				"tokens",
+				"secrets"
+			],
+			capabilityTags: [
+				"read-write",
+				"auth:none",
+				"local"
+			],
+			security: {
+				riskLevel: "external",
+				resourceAccess: ["internet"],
+				dataSensitivity: ["credentials"],
+				notes: ["Makes HTTP requests to OAuth2 token endpoints", "Reads and writes secrets in vault"]
+			},
+			capabilities: { network: { egress: true } }
+		};
+	}
+	static async load({ config } = {}) {
+		afsRotationOptionsSchema.parse(config || {});
+		throw new Error("AFSRotation requires a vault instance — use `new AFSRotation({ vault, configs })` directly");
+	}
+	getConfig(name) {
+		const cfg = this.configs.get(name);
+		if (!cfg) throw new _aigne_afs.AFSNotFoundError((0, ufo.joinURL)("/", name));
+		return cfg;
+	}
+	getStatus(name) {
+		return this.statuses.get(name) || {
+			configName: name,
+			lastRotation: null,
+			lastResult: null,
+			lastError: null,
+			rotationCount: 0
+		};
+	}
+	parsePath(ctx) {
+		return (ctx.params?.path || "").split("/").filter(Boolean);
+	}
+	buildConfigEntry(name) {
+		const status = this.getStatus(name);
+		const cfg = this.configs.get(name);
+		return this.buildEntry((0, ufo.joinURL)("/", name), { meta: {
+			childrenCount: 1,
+			configName: name,
+			tokenEndpoint: cfg.tokenEndpoint,
+			lastRotation: status.lastRotation,
+			lastResult: status.lastResult
+		} });
+	}
+	buildStatusEntry(name) {
+		const status = this.getStatus(name);
+		return this.buildEntry((0, ufo.joinURL)("/", name, "status"), {
+			content: status,
+			meta: {
+				kind: "rotation:status",
+				lastRotation: status.lastRotation,
+				lastResult: status.lastResult,
+				rotationCount: status.rotationCount
+			}
+		});
+	}
+	buildRootEntry() {
+		return this.buildEntry("/", { meta: {
+			childrenCount: this.configs.size,
+			provider: "rotation",
+			configCount: this.configs.size
+		} });
+	}
+	async rotate(configName) {
+		const cfg = this.getConfig(configName);
+		const status = this.getStatus(configName);
+		try {
+			const refreshRef = parseVaultPath(cfg.refreshTokenPath);
+			const refreshToken = await this.vault.getSecret(refreshRef.group, refreshRef.name);
+			if (!refreshToken) throw new Error(`Refresh token not found at vault path: ${cfg.refreshTokenPath}`);
+			let clientSecret;
+			if (cfg.clientSecretPath) {
+				const secretRef = parseVaultPath(cfg.clientSecretPath);
+				clientSecret = await this.vault.getSecret(secretRef.group, secretRef.name);
+				if (!clientSecret) throw new Error(`Client secret not found at vault path: ${cfg.clientSecretPath}`);
+			}
+			const params = new URLSearchParams();
+			params.set("grant_type", cfg.grantType || "refresh_token");
+			params.set("refresh_token", refreshToken);
+			params.set("client_id", cfg.clientId);
+			if (clientSecret) params.set("client_secret", clientSecret);
+			if (cfg.extraParams) for (const [k, v] of Object.entries(cfg.extraParams)) params.set(k, v);
+			const response = await this.fetchFn(cfg.tokenEndpoint, {
+				method: "POST",
+				headers: {
+					"Content-Type": "application/x-www-form-urlencoded",
+					Accept: "application/json"
+				},
+				body: params.toString()
+			});
+			if (!response.ok) {
+				const body = await response.text();
+				throw new Error(`Token endpoint returned ${response.status}: ${body}`);
+			}
+			const tokenResponse = await response.json();
+			const accessToken = tokenResponse.access_token;
+			if (!accessToken) throw new Error("Token response missing access_token field");
+			const accessRef = parseVaultPath(cfg.accessTokenPath);
+			await this.vault.setSecret(accessRef.group, accessRef.name, accessToken);
+			if (cfg.rotateRefreshToken && tokenResponse.refresh_token) await this.vault.setSecret(refreshRef.group, refreshRef.name, tokenResponse.refresh_token);
+			status.lastRotation = Date.now();
+			status.lastResult = "success";
+			status.lastError = null;
+			status.rotationCount++;
+			this.statuses.set(configName, status);
+			return status;
+		} catch (err) {
+			status.lastRotation = Date.now();
+			status.lastResult = "error";
+			status.lastError = err instanceof Error ? err.message : String(err);
+			this.statuses.set(configName, status);
+			throw err;
+		}
+	}
+	async rotateAll() {
+		const results = {};
+		for (const [name] of this.configs) try {
+			results[name] = await this.rotate(name);
+		} catch {
+			results[name] = this.getStatus(name);
+		}
+		return results;
+	}
+	async handleMeta(ctx) {
+		const parts = this.parsePath(ctx);
+		const metaPath = parts.length === 0 ? "/.meta" : (0, ufo.joinURL)("/", ...parts, ".meta");
+		if (parts.length === 0) return this.buildEntry(metaPath, { meta: {
+			childrenCount: this.configs.size,
+			provider: "rotation",
+			configCount: this.configs.size
+		} });
+		if (parts.length === 1) {
+			const name = parts[0];
+			this.getConfig(name);
+			return this.buildEntry(metaPath, { meta: {
+				childrenCount: 1,
+				configName: name
+			} });
+		}
+		if (parts.length === 2 && parts[1] === "status") {
+			const status = this.getStatus(parts[0]);
+			return this.buildEntry(metaPath, { meta: {
+				kind: "rotation:status",
+				lastResult: status.lastResult
+			} });
+		}
+		throw new _aigne_afs.AFSNotFoundError((0, ufo.joinURL)("/", ...parts));
+	}
+	async handleList(ctx) {
+		const parts = this.parsePath(ctx);
+		if (parts.length === 0) return { data: [...this.configs.keys()].sort().map((n) => this.buildConfigEntry(n)) };
+		if (parts.length === 1) {
+			this.getConfig(parts[0]);
+			return { data: [this.buildStatusEntry(parts[0])] };
+		}
+		if (parts.length === 2 && parts[1] === "status") return { data: [] };
+		throw new _aigne_afs.AFSNotFoundError((0, ufo.joinURL)("/", ...parts));
+	}
+	async handleReadCapabilities() {
+		const operations = this.getOperationsDeclaration();
+		const manifest = {
+			schemaVersion: 1,
+			provider: this.name,
+			description: this.description,
+			tools: [],
+			actions: [],
+			operations
+		};
+		return this.buildEntry("/.meta/.capabilities", {
+			content: manifest,
+			meta: {
+				kind: "afs:capabilities",
+				operations
+			}
+		});
+	}
+	async handleRead(ctx) {
+		const parts = this.parsePath(ctx);
+		if (parts.length === 0) return this.buildRootEntry();
+		if (parts.length === 1) {
+			const name = parts[0];
+			this.getConfig(name);
+			return this.buildConfigEntry(name);
+		}
+		if (parts.length === 2 && parts[1] === "status") return this.buildStatusEntry(parts[0]);
+		throw new _aigne_afs.AFSNotFoundError((0, ufo.joinURL)("/", ...parts));
+	}
+	async handleStat(ctx) {
+		const parts = this.parsePath(ctx);
+		if (parts.length === 0) return { data: this.buildRootEntry() };
+		if (parts.length === 1) {
+			const name = parts[0];
+			this.getConfig(name);
+			return { data: this.buildConfigEntry(name) };
+		}
+		if (parts.length === 2 && parts[1] === "status") return { data: this.buildStatusEntry(parts[0]) };
+		throw new _aigne_afs.AFSNotFoundError((0, ufo.joinURL)("/", ...parts));
+	}
+	async listConfigActions(ctx) {
+		const name = ctx.params.name;
+		this.getConfig(name);
+		return { data: [{
+			id: "rotate",
+			path: (0, ufo.joinURL)("/", name, ".actions", "rotate"),
+			meta: {
+				kind: "action",
+				description: `Rotate tokens for ${name}`,
+				childrenCount: 0
+			}
+		}] };
+	}
+	async execRotate(ctx) {
+		const name = ctx.params.name;
+		return {
+			success: true,
+			data: await this.rotate(name)
+		};
+	}
+	async listRootActions() {
+		return { data: [{
+			id: "rotate-all",
+			path: (0, ufo.joinURL)("/", ".actions", "rotate-all"),
+			meta: {
+				kind: "action",
+				description: "Rotate tokens for all configurations",
+				childrenCount: 0
+			}
+		}] };
+	}
+	async execRotateAll() {
+		const results = await this.rotateAll();
+		return {
+			success: Object.values(results).every((s) => s.lastResult === "success"),
+			data: results
+		};
+	}
+	async handleExplain(ctx) {
+		const parts = this.parsePath(ctx);
+		if (parts.length >= 1) {
+			const name = parts[0];
+			const cfg = this.configs.get(name);
+			if (cfg) {
+				const status = this.getStatus(name);
+				return {
+					format: "text",
+					content: `Rotation config "${name}".\nToken endpoint: ${cfg.tokenEndpoint}\nClient ID: ${cfg.clientId}\nLast rotation: ${status.lastRotation ? new Date(status.lastRotation).toISOString() : "never"}\nStatus: ${status.lastResult || "pending"}`
+				};
+			}
+		}
+		return {
+			format: "text",
+			content: `AFS Rotation — OAuth2 token rotation. ${this.configs.size} config(s). Use actions to trigger rotation.`
+		};
+	}
+};
+require_decorate.__decorate([(0, _aigne_afs_provider.Meta)("/:path*")], AFSRotation.prototype, "handleMeta", null);
+require_decorate.__decorate([(0, _aigne_afs_provider.List)("/:path*")], AFSRotation.prototype, "handleList", null);
+require_decorate.__decorate([(0, _aigne_afs_provider.Read)("/.meta/.capabilities")], AFSRotation.prototype, "handleReadCapabilities", null);
+require_decorate.__decorate([(0, _aigne_afs_provider.Read)("/:path*")], AFSRotation.prototype, "handleRead", null);
+require_decorate.__decorate([(0, _aigne_afs_provider.Stat)("/:path*")], AFSRotation.prototype, "handleStat", null);
+require_decorate.__decorate([(0, _aigne_afs_provider.Actions)("/:name")], AFSRotation.prototype, "listConfigActions", null);
+require_decorate.__decorate([_aigne_afs_provider.Actions.Exec("/:name", "rotate", "Rotate tokens for this config")], AFSRotation.prototype, "execRotate", null);
+require_decorate.__decorate([(0, _aigne_afs_provider.Actions)("/")], AFSRotation.prototype, "listRootActions", null);
+require_decorate.__decorate([_aigne_afs_provider.Actions.Exec("/", "rotate-all", "Rotate all configured tokens")], AFSRotation.prototype, "execRotateAll", null);
+require_decorate.__decorate([(0, _aigne_afs_provider.Explain)("/:path*")], AFSRotation.prototype, "handleExplain", null);
+AFSRotation.load = AFSRotation.load;
+//#endregion
+exports.AFSRotation = AFSRotation;

package/dist/index.d.cts ADDED Viewed

@@ -0,0 +1,115 @@
+import { AFSAccessMode, AFSEntry, AFSExplainResult, AFSListResult, AFSModuleLoadParams, AFSStatResult, ProviderManifest, ProviderTreeSchema, SecurityProfile } from "@aigne/afs";
+import { AFSBaseProvider, RouteContext } from "@aigne/afs/provider";
+import { z } from "zod";
+//#region src/index.d.ts
+interface RotationConfig {
+  /** Config name (used as path segment). */
+  name: string;
+  /** Vault secret path: "group/name" for the refresh token. */
+  refreshTokenPath: string;
+  /** Vault secret path: "group/name" for the access token to update. */
+  accessTokenPath: string;
+  /** OAuth2 token endpoint URL. */
+  tokenEndpoint: string;
+  /** OAuth2 client ID. */
+  clientId: string;
+  /** Vault secret path for client secret (confidential clients). */
+  clientSecretPath?: string;
+  /** OAuth2 grant type. Default: "refresh_token". */
+  grantType?: string;
+  /** Additional parameters to include in the token request. */
+  extraParams?: Record<string, string>;
+  /** Optional: also write the new refresh token if returned. */
+  rotateRefreshToken?: boolean;
+}
+interface RotationStatus {
+  configName: string;
+  lastRotation: number | null;
+  lastResult: "success" | "error" | null;
+  lastError: string | null;
+  rotationCount: number;
+}
+/** Interface for vault access — decoupled from AFSVault class. */
+interface VaultAccess {
+  getSecret(group: string, name: string): Promise<string | undefined>;
+  setSecret(group: string, name: string, value: string): Promise<void>;
+}
+interface AFSRotationOptions {
+  name?: string;
+  description?: string;
+  accessMode?: AFSAccessMode;
+  /** Vault access for reading/writing secrets. */
+  vault: VaultAccess;
+  /** Rotation configurations. */
+  configs: RotationConfig[];
+  /** Custom fetch function (for testing). */
+  fetchFn?: (input: RequestInfo | URL, init?: RequestInit) => Promise<Response>;
+}
+declare class AFSRotation extends AFSBaseProvider {
+  readonly name: string;
+  readonly description: string;
+  readonly accessMode: AFSAccessMode;
+  private vault;
+  private configs;
+  private statuses;
+  private fetchFn;
+  constructor(options: AFSRotationOptions);
+  static securityProfiles(): Record<string, SecurityProfile>;
+  static schema(): z.ZodObject<{
+    name: z.ZodOptional<z.ZodString>;
+    description: z.ZodOptional<z.ZodString>;
+    accessMode: z.ZodOptional<z.ZodEnum<{
+      readonly: "readonly";
+      readwrite: "readwrite";
+    }>>;
+    configs: z.ZodArray<z.ZodObject<{
+      name: z.ZodString;
+      refreshTokenPath: z.ZodString;
+      accessTokenPath: z.ZodString;
+      tokenEndpoint: z.ZodString;
+      clientId: z.ZodString;
+      clientSecretPath: z.ZodOptional<z.ZodString>;
+      grantType: z.ZodOptional<z.ZodString>;
+      extraParams: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
+      rotateRefreshToken: z.ZodOptional<z.ZodBoolean>;
+    }, z.core.$strip>>;
+  }, z.core.$strip>;
+  static treeSchema(): ProviderTreeSchema;
+  static manifest(): ProviderManifest;
+  static load({
+    config
+  }?: AFSModuleLoadParams): Promise<AFSRotation>;
+  private getConfig;
+  private getStatus;
+  private parsePath;
+  private buildConfigEntry;
+  private buildStatusEntry;
+  private buildRootEntry;
+  rotate(configName: string): Promise<RotationStatus>;
+  rotateAll(): Promise<Record<string, RotationStatus>>;
+  handleMeta(ctx: RouteContext): Promise<AFSEntry | undefined>;
+  handleList(ctx: RouteContext): Promise<AFSListResult>;
+  handleReadCapabilities(): Promise<AFSEntry | undefined>;
+  handleRead(ctx: RouteContext): Promise<AFSEntry | undefined>;
+  handleStat(ctx: RouteContext): Promise<AFSStatResult>;
+  listConfigActions(ctx: RouteContext<{
+    name: string;
+  }>): Promise<AFSListResult>;
+  execRotate(ctx: RouteContext<{
+    name: string;
+    action: string;
+  }>): Promise<{
+    success: boolean;
+    data?: unknown;
+  }>;
+  listRootActions(): Promise<AFSListResult>;
+  execRotateAll(): Promise<{
+    success: boolean;
+    data?: unknown;
+  }>;
+  handleExplain(ctx: RouteContext): Promise<AFSExplainResult>;
+}
+//#endregion
+export { AFSRotation, AFSRotationOptions, RotationConfig, RotationStatus, VaultAccess };
+//# sourceMappingURL=index.d.cts.map

package/dist/index.d.cts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.d.cts","names":[],"sources":["../src/index.ts"],"mappings":";;;;;UAsCiB,cAAA;EAQf;EANA,IAAA;EAUA;EARA,gBAAA;EAYA;EAVA,eAAA;EAYA;EAVA,aAAA;EAUkB;EARlB,QAAA;EAW6B;EAT7B,gBAAA;EAS6B;EAP7B,SAAA;EASA;EAPA,WAAA,GAAc,MAAA;EASd;EAPA,kBAAA;AAAA;AAAA,UAGe,cAAA;EACf,UAAA;EACA,YAAA;EACA,UAAA;EACA,SAAA;EACA,aAAA;AAAA;;UAIe,WAAA;EACf,SAAA,CAAU,KAAA,UAAe,IAAA,WAAe,OAAA;EACxC,SAAA,CAAU,KAAA,UAAe,IAAA,UAAc,KAAA,WAAgB,OAAA;AAAA;AAAA,UAGxC,kBAAA;EACf,IAAA;EACA,WAAA;EACA,UAAA,GAAa,aAAA;EAHE;EAKf,KAAA,EAAO,WAAA;;EAEP,OAAA,EAAS,cAAA;EAFF;EAIP,OAAA,IAAW,KAAA,EAAO,WAAA,GAAc,GAAA,EAAK,IAAA,GAAO,WAAA,KAAgB,OAAA,CAAQ,QAAA;AAAA;AAAA,cAkCzD,WAAA,SAAoB,eAAA;EAAA,SACtB,IAAA;EAAA,SACA,WAAA;EAAA,SACA,UAAA,EAAY,aAAA;EAAA,QAEb,KAAA;EAAA,QACA,OAAA;EAAA,QACA,QAAA;EAAA,QACA,OAAA;cAEI,OAAA,EAAS,kBAAA;EAAA,OAuBd,gBAAA,CAAA,GAAoB,MAAA,SAAe,eAAA;EAAA,OAanC,MAAA,CAAA,GAAM,CAAA,CAAA,SAAA;;;;;;;;;;;;;;;;;;;SAIN,UAAA,CAAA,GAAc,kBAAA;EAAA,OAsBd,QAAA,CAAA,GAAY,gBAAA;EAAA,OAyBN,IAAA,CAAA;IAAO;EAAA,IAAU,mBAAA,GAA2B,OAAA,CAAQ,WAAA;EAAA,QAUzD,SAAA;EAAA,QAMA,SAAA;EAAA,QAYA,SAAA;EAAA,QAKA,gBAAA;EAAA,QAcA,gBAAA;EAAA,QAaA,cAAA;EAYF,MAAA,CAAO,UAAA,WAAqB,OAAA,CAAQ,cAAA;EAqFpC,SAAA,CAAA,GAAa,OAAA,CAAQ,MAAA,SAAe,cAAA;EAepC,UAAA,CAAW,GAAA,EAAK,YAAA,GAAe,OAAA,CAAQ,QAAA;EA4BvC,UAAA,CAAW,GAAA,EAAK,YAAA,GAAe,OAAA,CAAQ,aAAA;EAkBvC,sBAAA,CAAA,GAA0B,OAAA,CAAQ,QAAA;EAiBlC,UAAA,CAAW,GAAA,EAAK,YAAA,GAAe,OAAA,CAAQ,QAAA;EAgBvC,UAAA,CAAW,GAAA,EAAK,YAAA,GAAe,OAAA,CAAQ,aAAA;EAkBvC,iBAAA,CAAkB,GAAA,EAAK,YAAA;IAAe,IAAA;EAAA,KAAkB,OAAA,CAAQ,aAAA;EAmBhE,UAAA,CACJ,GAAA,EAAK,YAAA;IAAe,IAAA;IAAc,MAAA;EAAA,KACjC,OAAA;IAAU,OAAA;IAAkB,IAAA;EAAA;EASzB,eAAA,CAAA,GAAmB,OAAA,CAAQ,aAAA;EAiB3B,aAAA,CAAA,GAAiB,OAAA;IAAU,OAAA;IAAkB,IAAA;EAAA;EAS7C,aAAA,CAAc,GAAA,EAAK,YAAA,GAAe,OAAA,CAAQ,gBAAA;AAAA"}

package/dist/index.d.mts ADDED Viewed

@@ -0,0 +1,115 @@
+import { AFSAccessMode, AFSEntry, AFSExplainResult, AFSListResult, AFSModuleLoadParams, AFSStatResult, ProviderManifest, ProviderTreeSchema, SecurityProfile } from "@aigne/afs";
+import { AFSBaseProvider, RouteContext } from "@aigne/afs/provider";
+import { z } from "zod";
+//#region src/index.d.ts
+interface RotationConfig {
+  /** Config name (used as path segment). */
+  name: string;
+  /** Vault secret path: "group/name" for the refresh token. */
+  refreshTokenPath: string;
+  /** Vault secret path: "group/name" for the access token to update. */
+  accessTokenPath: string;
+  /** OAuth2 token endpoint URL. */
+  tokenEndpoint: string;
+  /** OAuth2 client ID. */
+  clientId: string;
+  /** Vault secret path for client secret (confidential clients). */
+  clientSecretPath?: string;
+  /** OAuth2 grant type. Default: "refresh_token". */
+  grantType?: string;
+  /** Additional parameters to include in the token request. */
+  extraParams?: Record<string, string>;
+  /** Optional: also write the new refresh token if returned. */
+  rotateRefreshToken?: boolean;
+}
+interface RotationStatus {
+  configName: string;
+  lastRotation: number | null;
+  lastResult: "success" | "error" | null;
+  lastError: string | null;
+  rotationCount: number;
+}
+/** Interface for vault access — decoupled from AFSVault class. */
+interface VaultAccess {
+  getSecret(group: string, name: string): Promise<string | undefined>;
+  setSecret(group: string, name: string, value: string): Promise<void>;
+}
+interface AFSRotationOptions {
+  name?: string;
+  description?: string;
+  accessMode?: AFSAccessMode;
+  /** Vault access for reading/writing secrets. */
+  vault: VaultAccess;
+  /** Rotation configurations. */
+  configs: RotationConfig[];
+  /** Custom fetch function (for testing). */
+  fetchFn?: (input: RequestInfo | URL, init?: RequestInit) => Promise<Response>;
+}
+declare class AFSRotation extends AFSBaseProvider {
+  readonly name: string;
+  readonly description: string;
+  readonly accessMode: AFSAccessMode;
+  private vault;
+  private configs;
+  private statuses;
+  private fetchFn;
+  constructor(options: AFSRotationOptions);
+  static securityProfiles(): Record<string, SecurityProfile>;
+  static schema(): z.ZodObject<{
+    name: z.ZodOptional<z.ZodString>;
+    description: z.ZodOptional<z.ZodString>;
+    accessMode: z.ZodOptional<z.ZodEnum<{
+      readonly: "readonly";
+      readwrite: "readwrite";
+    }>>;
+    configs: z.ZodArray<z.ZodObject<{
+      name: z.ZodString;
+      refreshTokenPath: z.ZodString;
+      accessTokenPath: z.ZodString;
+      tokenEndpoint: z.ZodString;
+      clientId: z.ZodString;
+      clientSecretPath: z.ZodOptional<z.ZodString>;
+      grantType: z.ZodOptional<z.ZodString>;
+      extraParams: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
+      rotateRefreshToken: z.ZodOptional<z.ZodBoolean>;
+    }, z.core.$strip>>;
+  }, z.core.$strip>;
+  static treeSchema(): ProviderTreeSchema;
+  static manifest(): ProviderManifest;
+  static load({
+    config
+  }?: AFSModuleLoadParams): Promise<AFSRotation>;
+  private getConfig;
+  private getStatus;
+  private parsePath;
+  private buildConfigEntry;
+  private buildStatusEntry;
+  private buildRootEntry;
+  rotate(configName: string): Promise<RotationStatus>;
+  rotateAll(): Promise<Record<string, RotationStatus>>;
+  handleMeta(ctx: RouteContext): Promise<AFSEntry | undefined>;
+  handleList(ctx: RouteContext): Promise<AFSListResult>;
+  handleReadCapabilities(): Promise<AFSEntry | undefined>;
+  handleRead(ctx: RouteContext): Promise<AFSEntry | undefined>;
+  handleStat(ctx: RouteContext): Promise<AFSStatResult>;
+  listConfigActions(ctx: RouteContext<{
+    name: string;
+  }>): Promise<AFSListResult>;
+  execRotate(ctx: RouteContext<{
+    name: string;
+    action: string;
+  }>): Promise<{
+    success: boolean;
+    data?: unknown;
+  }>;
+  listRootActions(): Promise<AFSListResult>;
+  execRotateAll(): Promise<{
+    success: boolean;
+    data?: unknown;
+  }>;
+  handleExplain(ctx: RouteContext): Promise<AFSExplainResult>;
+}
+//#endregion
+export { AFSRotation, AFSRotationOptions, RotationConfig, RotationStatus, VaultAccess };
+//# sourceMappingURL=index.d.mts.map

package/dist/index.d.mts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.d.mts","names":[],"sources":["../src/index.ts"],"mappings":";;;;;UAsCiB,cAAA;EAQf;EANA,IAAA;EAUA;EARA,gBAAA;EAYA;EAVA,eAAA;EAYA;EAVA,aAAA;EAUkB;EARlB,QAAA;EAW6B;EAT7B,gBAAA;EAS6B;EAP7B,SAAA;EASA;EAPA,WAAA,GAAc,MAAA;EASd;EAPA,kBAAA;AAAA;AAAA,UAGe,cAAA;EACf,UAAA;EACA,YAAA;EACA,UAAA;EACA,SAAA;EACA,aAAA;AAAA;;UAIe,WAAA;EACf,SAAA,CAAU,KAAA,UAAe,IAAA,WAAe,OAAA;EACxC,SAAA,CAAU,KAAA,UAAe,IAAA,UAAc,KAAA,WAAgB,OAAA;AAAA;AAAA,UAGxC,kBAAA;EACf,IAAA;EACA,WAAA;EACA,UAAA,GAAa,aAAA;EAHE;EAKf,KAAA,EAAO,WAAA;;EAEP,OAAA,EAAS,cAAA;EAFF;EAIP,OAAA,IAAW,KAAA,EAAO,WAAA,GAAc,GAAA,EAAK,IAAA,GAAO,WAAA,KAAgB,OAAA,CAAQ,QAAA;AAAA;AAAA,cAkCzD,WAAA,SAAoB,eAAA;EAAA,SACtB,IAAA;EAAA,SACA,WAAA;EAAA,SACA,UAAA,EAAY,aAAA;EAAA,QAEb,KAAA;EAAA,QACA,OAAA;EAAA,QACA,QAAA;EAAA,QACA,OAAA;cAEI,OAAA,EAAS,kBAAA;EAAA,OAuBd,gBAAA,CAAA,GAAoB,MAAA,SAAe,eAAA;EAAA,OAanC,MAAA,CAAA,GAAM,CAAA,CAAA,SAAA;;;;;;;;;;;;;;;;;;;SAIN,UAAA,CAAA,GAAc,kBAAA;EAAA,OAsBd,QAAA,CAAA,GAAY,gBAAA;EAAA,OAyBN,IAAA,CAAA;IAAO;EAAA,IAAU,mBAAA,GAA2B,OAAA,CAAQ,WAAA;EAAA,QAUzD,SAAA;EAAA,QAMA,SAAA;EAAA,QAYA,SAAA;EAAA,QAKA,gBAAA;EAAA,QAcA,gBAAA;EAAA,QAaA,cAAA;EAYF,MAAA,CAAO,UAAA,WAAqB,OAAA,CAAQ,cAAA;EAqFpC,SAAA,CAAA,GAAa,OAAA,CAAQ,MAAA,SAAe,cAAA;EAepC,UAAA,CAAW,GAAA,EAAK,YAAA,GAAe,OAAA,CAAQ,QAAA;EA4BvC,UAAA,CAAW,GAAA,EAAK,YAAA,GAAe,OAAA,CAAQ,aAAA;EAkBvC,sBAAA,CAAA,GAA0B,OAAA,CAAQ,QAAA;EAiBlC,UAAA,CAAW,GAAA,EAAK,YAAA,GAAe,OAAA,CAAQ,QAAA;EAgBvC,UAAA,CAAW,GAAA,EAAK,YAAA,GAAe,OAAA,CAAQ,aAAA;EAkBvC,iBAAA,CAAkB,GAAA,EAAK,YAAA;IAAe,IAAA;EAAA,KAAkB,OAAA,CAAQ,aAAA;EAmBhE,UAAA,CACJ,GAAA,EAAK,YAAA;IAAe,IAAA;IAAc,MAAA;EAAA,KACjC,OAAA;IAAU,OAAA;IAAkB,IAAA;EAAA;EASzB,eAAA,CAAA,GAAmB,OAAA,CAAQ,aAAA;EAiB3B,aAAA,CAAA,GAAiB,OAAA;IAAU,OAAA;IAAkB,IAAA;EAAA;EAS7C,aAAA,CAAc,GAAA,EAAK,YAAA,GAAe,OAAA,CAAQ,gBAAA;AAAA"}

package/dist/index.mjs ADDED Viewed

@@ -0,0 +1,407 @@
+import { __decorate } from "./_virtual/_@oxc-project_runtime@0.108.0/helpers/decorate.mjs";
+import { AFSNotFoundError } from "@aigne/afs";
+import { AFSBaseProvider, Actions, Explain, List, Meta, Read, Stat } from "@aigne/afs/provider";
+import { joinURL } from "ufo";
+import { z } from "zod";
+//#region src/index.ts
+/**
+* AFS Rotation Provider — OAuth2 token rotation with vault integration.
+*
+* Tree: /rotation/{config-name} → rotation config and status
+* Actions: rotate (per config), rotate-all (root)
+* Reads refresh tokens from vault, calls OAuth2 token endpoint, writes new tokens back.
+* No scheduler — on-demand only. Scheduling is external infrastructure.
+*/
+const rotationConfigSchema = z.object({
+	name: z.string(),
+	refreshTokenPath: z.string(),
+	accessTokenPath: z.string(),
+	tokenEndpoint: z.string().url(),
+	clientId: z.string(),
+	clientSecretPath: z.string().optional(),
+	grantType: z.string().optional(),
+	extraParams: z.record(z.string(), z.string()).optional(),
+	rotateRefreshToken: z.boolean().optional()
+});
+const afsRotationOptionsSchema = z.object({
+	name: z.string().optional().describe("Module name"),
+	description: z.string().optional().describe("Module description"),
+	accessMode: z.enum(["readonly", "readwrite"]).optional().describe("Access mode"),
+	configs: z.array(rotationConfigSchema).describe("Rotation configurations")
+});
+function parseVaultPath(vaultPath) {
+	const parts = vaultPath.split("/").filter(Boolean);
+	if (parts.length !== 2) throw new Error(`Invalid vault path "${vaultPath}" — expected "group/name"`);
+	return {
+		group: parts[0],
+		name: parts[1]
+	};
+}
+var AFSRotation = class extends AFSBaseProvider {
+	name;
+	description;
+	accessMode;
+	vault;
+	configs;
+	statuses;
+	fetchFn;
+	constructor(options) {
+		super();
+		this.name = options.name || "rotation";
+		this.description = options.description || "OAuth2 token rotation";
+		this.accessMode = options.accessMode || "readwrite";
+		this.vault = options.vault;
+		this.fetchFn = options.fetchFn || globalThis.fetch;
+		this.configs = /* @__PURE__ */ new Map();
+		this.statuses = /* @__PURE__ */ new Map();
+		for (const cfg of options.configs) {
+			rotationConfigSchema.parse(cfg);
+			this.configs.set(cfg.name, cfg);
+			this.statuses.set(cfg.name, {
+				configName: cfg.name,
+				lastRotation: null,
+				lastResult: null,
+				lastError: null,
+				rotationCount: 0
+			});
+		}
+	}
+	static securityProfiles() {
+		return {
+			admin: {
+				actionPolicy: "full",
+				accessMode: "readwrite"
+			},
+			system: {
+				actionPolicy: "safe",
+				accessMode: "readonly"
+			}
+		};
+	}
+	static schema() {
+		return afsRotationOptionsSchema;
+	}
+	static treeSchema() {
+		return {
+			operations: [
+				"list",
+				"read",
+				"exec",
+				"stat",
+				"explain"
+			],
+			tree: {
+				"/": {
+					kind: "rotation:root",
+					operations: [
+						"list",
+						"read",
+						"exec"
+					],
+					actions: ["rotate-all"]
+				},
+				"/{name}": {
+					kind: "rotation:config",
+					operations: [
+						"list",
+						"read",
+						"exec"
+					],
+					actions: ["rotate"]
+				},
+				"/{name}/status": {
+					kind: "rotation:status",
+					operations: ["read"]
+				}
+			},
+			auth: { type: "custom" },
+			bestFor: ["OAuth2 token rotation", "credential refresh"],
+			notFor: ["secret storage"]
+		};
+	}
+	static manifest() {
+		return {
+			name: "rotation",
+			description: "OAuth2 token rotation.\n- Reads refresh tokens from vault, calls token endpoints, writes new tokens back\n- On-demand rotation via actions\n- Security profiles: admin (readwrite), system (readonly)",
+			uriTemplate: "rotation://",
+			category: "security",
+			schema: afsRotationOptionsSchema,
+			tags: [
+				"rotation",
+				"oauth",
+				"tokens",
+				"secrets"
+			],
+			capabilityTags: [
+				"read-write",
+				"auth:none",
+				"local"
+			],
+			security: {
+				riskLevel: "external",
+				resourceAccess: ["internet"],
+				dataSensitivity: ["credentials"],
+				notes: ["Makes HTTP requests to OAuth2 token endpoints", "Reads and writes secrets in vault"]
+			},
+			capabilities: { network: { egress: true } }
+		};
+	}
+	static async load({ config } = {}) {
+		afsRotationOptionsSchema.parse(config || {});
+		throw new Error("AFSRotation requires a vault instance — use `new AFSRotation({ vault, configs })` directly");
+	}
+	getConfig(name) {
+		const cfg = this.configs.get(name);
+		if (!cfg) throw new AFSNotFoundError(joinURL("/", name));
+		return cfg;
+	}
+	getStatus(name) {
+		return this.statuses.get(name) || {
+			configName: name,
+			lastRotation: null,
+			lastResult: null,
+			lastError: null,
+			rotationCount: 0
+		};
+	}
+	parsePath(ctx) {
+		return (ctx.params?.path || "").split("/").filter(Boolean);
+	}
+	buildConfigEntry(name) {
+		const status = this.getStatus(name);
+		const cfg = this.configs.get(name);
+		return this.buildEntry(joinURL("/", name), { meta: {
+			childrenCount: 1,
+			configName: name,
+			tokenEndpoint: cfg.tokenEndpoint,
+			lastRotation: status.lastRotation,
+			lastResult: status.lastResult
+		} });
+	}
+	buildStatusEntry(name) {
+		const status = this.getStatus(name);
+		return this.buildEntry(joinURL("/", name, "status"), {
+			content: status,
+			meta: {
+				kind: "rotation:status",
+				lastRotation: status.lastRotation,
+				lastResult: status.lastResult,
+				rotationCount: status.rotationCount
+			}
+		});
+	}
+	buildRootEntry() {
+		return this.buildEntry("/", { meta: {
+			childrenCount: this.configs.size,
+			provider: "rotation",
+			configCount: this.configs.size
+		} });
+	}
+	async rotate(configName) {
+		const cfg = this.getConfig(configName);
+		const status = this.getStatus(configName);
+		try {
+			const refreshRef = parseVaultPath(cfg.refreshTokenPath);
+			const refreshToken = await this.vault.getSecret(refreshRef.group, refreshRef.name);
+			if (!refreshToken) throw new Error(`Refresh token not found at vault path: ${cfg.refreshTokenPath}`);
+			let clientSecret;
+			if (cfg.clientSecretPath) {
+				const secretRef = parseVaultPath(cfg.clientSecretPath);
+				clientSecret = await this.vault.getSecret(secretRef.group, secretRef.name);
+				if (!clientSecret) throw new Error(`Client secret not found at vault path: ${cfg.clientSecretPath}`);
+			}
+			const params = new URLSearchParams();
+			params.set("grant_type", cfg.grantType || "refresh_token");
+			params.set("refresh_token", refreshToken);
+			params.set("client_id", cfg.clientId);
+			if (clientSecret) params.set("client_secret", clientSecret);
+			if (cfg.extraParams) for (const [k, v] of Object.entries(cfg.extraParams)) params.set(k, v);
+			const response = await this.fetchFn(cfg.tokenEndpoint, {
+				method: "POST",
+				headers: {
+					"Content-Type": "application/x-www-form-urlencoded",
+					Accept: "application/json"
+				},
+				body: params.toString()
+			});
+			if (!response.ok) {
+				const body = await response.text();
+				throw new Error(`Token endpoint returned ${response.status}: ${body}`);
+			}
+			const tokenResponse = await response.json();
+			const accessToken = tokenResponse.access_token;
+			if (!accessToken) throw new Error("Token response missing access_token field");
+			const accessRef = parseVaultPath(cfg.accessTokenPath);
+			await this.vault.setSecret(accessRef.group, accessRef.name, accessToken);
+			if (cfg.rotateRefreshToken && tokenResponse.refresh_token) await this.vault.setSecret(refreshRef.group, refreshRef.name, tokenResponse.refresh_token);
+			status.lastRotation = Date.now();
+			status.lastResult = "success";
+			status.lastError = null;
+			status.rotationCount++;
+			this.statuses.set(configName, status);
+			return status;
+		} catch (err) {
+			status.lastRotation = Date.now();
+			status.lastResult = "error";
+			status.lastError = err instanceof Error ? err.message : String(err);
+			this.statuses.set(configName, status);
+			throw err;
+		}
+	}
+	async rotateAll() {
+		const results = {};
+		for (const [name] of this.configs) try {
+			results[name] = await this.rotate(name);
+		} catch {
+			results[name] = this.getStatus(name);
+		}
+		return results;
+	}
+	async handleMeta(ctx) {
+		const parts = this.parsePath(ctx);
+		const metaPath = parts.length === 0 ? "/.meta" : joinURL("/", ...parts, ".meta");
+		if (parts.length === 0) return this.buildEntry(metaPath, { meta: {
+			childrenCount: this.configs.size,
+			provider: "rotation",
+			configCount: this.configs.size
+		} });
+		if (parts.length === 1) {
+			const name = parts[0];
+			this.getConfig(name);
+			return this.buildEntry(metaPath, { meta: {
+				childrenCount: 1,
+				configName: name
+			} });
+		}
+		if (parts.length === 2 && parts[1] === "status") {
+			const status = this.getStatus(parts[0]);
+			return this.buildEntry(metaPath, { meta: {
+				kind: "rotation:status",
+				lastResult: status.lastResult
+			} });
+		}
+		throw new AFSNotFoundError(joinURL("/", ...parts));
+	}
+	async handleList(ctx) {
+		const parts = this.parsePath(ctx);
+		if (parts.length === 0) return { data: [...this.configs.keys()].sort().map((n) => this.buildConfigEntry(n)) };
+		if (parts.length === 1) {
+			this.getConfig(parts[0]);
+			return { data: [this.buildStatusEntry(parts[0])] };
+		}
+		if (parts.length === 2 && parts[1] === "status") return { data: [] };
+		throw new AFSNotFoundError(joinURL("/", ...parts));
+	}
+	async handleReadCapabilities() {
+		const operations = this.getOperationsDeclaration();
+		const manifest = {
+			schemaVersion: 1,
+			provider: this.name,
+			description: this.description,
+			tools: [],
+			actions: [],
+			operations
+		};
+		return this.buildEntry("/.meta/.capabilities", {
+			content: manifest,
+			meta: {
+				kind: "afs:capabilities",
+				operations
+			}
+		});
+	}
+	async handleRead(ctx) {
+		const parts = this.parsePath(ctx);
+		if (parts.length === 0) return this.buildRootEntry();
+		if (parts.length === 1) {
+			const name = parts[0];
+			this.getConfig(name);
+			return this.buildConfigEntry(name);
+		}
+		if (parts.length === 2 && parts[1] === "status") return this.buildStatusEntry(parts[0]);
+		throw new AFSNotFoundError(joinURL("/", ...parts));
+	}
+	async handleStat(ctx) {
+		const parts = this.parsePath(ctx);
+		if (parts.length === 0) return { data: this.buildRootEntry() };
+		if (parts.length === 1) {
+			const name = parts[0];
+			this.getConfig(name);
+			return { data: this.buildConfigEntry(name) };
+		}
+		if (parts.length === 2 && parts[1] === "status") return { data: this.buildStatusEntry(parts[0]) };
+		throw new AFSNotFoundError(joinURL("/", ...parts));
+	}
+	async listConfigActions(ctx) {
+		const name = ctx.params.name;
+		this.getConfig(name);
+		return { data: [{
+			id: "rotate",
+			path: joinURL("/", name, ".actions", "rotate"),
+			meta: {
+				kind: "action",
+				description: `Rotate tokens for ${name}`,
+				childrenCount: 0
+			}
+		}] };
+	}
+	async execRotate(ctx) {
+		const name = ctx.params.name;
+		return {
+			success: true,
+			data: await this.rotate(name)
+		};
+	}
+	async listRootActions() {
+		return { data: [{
+			id: "rotate-all",
+			path: joinURL("/", ".actions", "rotate-all"),
+			meta: {
+				kind: "action",
+				description: "Rotate tokens for all configurations",
+				childrenCount: 0
+			}
+		}] };
+	}
+	async execRotateAll() {
+		const results = await this.rotateAll();
+		return {
+			success: Object.values(results).every((s) => s.lastResult === "success"),
+			data: results
+		};
+	}
+	async handleExplain(ctx) {
+		const parts = this.parsePath(ctx);
+		if (parts.length >= 1) {
+			const name = parts[0];
+			const cfg = this.configs.get(name);
+			if (cfg) {
+				const status = this.getStatus(name);
+				return {
+					format: "text",
+					content: `Rotation config "${name}".\nToken endpoint: ${cfg.tokenEndpoint}\nClient ID: ${cfg.clientId}\nLast rotation: ${status.lastRotation ? new Date(status.lastRotation).toISOString() : "never"}\nStatus: ${status.lastResult || "pending"}`
+				};
+			}
+		}
+		return {
+			format: "text",
+			content: `AFS Rotation — OAuth2 token rotation. ${this.configs.size} config(s). Use actions to trigger rotation.`
+		};
+	}
+};
+__decorate([Meta("/:path*")], AFSRotation.prototype, "handleMeta", null);
+__decorate([List("/:path*")], AFSRotation.prototype, "handleList", null);
+__decorate([Read("/.meta/.capabilities")], AFSRotation.prototype, "handleReadCapabilities", null);
+__decorate([Read("/:path*")], AFSRotation.prototype, "handleRead", null);
+__decorate([Stat("/:path*")], AFSRotation.prototype, "handleStat", null);
+__decorate([Actions("/:name")], AFSRotation.prototype, "listConfigActions", null);
+__decorate([Actions.Exec("/:name", "rotate", "Rotate tokens for this config")], AFSRotation.prototype, "execRotate", null);
+__decorate([Actions("/")], AFSRotation.prototype, "listRootActions", null);
+__decorate([Actions.Exec("/", "rotate-all", "Rotate all configured tokens")], AFSRotation.prototype, "execRotateAll", null);
+__decorate([Explain("/:path*")], AFSRotation.prototype, "handleExplain", null);
+AFSRotation.load = AFSRotation.load;
+//#endregion
+export { AFSRotation };
+//# sourceMappingURL=index.mjs.map

package/dist/index.mjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.mjs","names":[],"sources":["../src/index.ts"],"sourcesContent":["/**\n * AFS Rotation Provider — OAuth2 token rotation with vault integration.\n *\n * Tree: /rotation/{config-name} → rotation config and status\n * Actions: rotate (per config), rotate-all (root)\n * Reads refresh tokens from vault, calls OAuth2 token endpoint, writes new tokens back.\n * No scheduler — on-demand only. Scheduling is external infrastructure.\n */\n\nimport {\n type AFSAccessMode,\n type AFSEntry,\n type AFSExplainResult,\n type AFSListResult,\n type AFSModuleClass,\n type AFSModuleLoadParams,\n AFSNotFoundError,\n type AFSStatResult,\n type CapabilitiesManifest,\n type ProviderManifest,\n type ProviderTreeSchema,\n type SecurityProfile,\n} from \"@aigne/afs\";\nimport {\n Actions,\n AFSBaseProvider,\n Explain,\n List,\n Meta,\n Read,\n type RouteContext,\n Stat,\n} from \"@aigne/afs/provider\";\nimport { joinURL } from \"ufo\";\nimport { z } from \"zod\";\n\n// ─── Types ───────────────────────────────────────────────────────────\n\nexport interface RotationConfig {\n /** Config name (used as path segment). */\n name: string;\n /** Vault secret path: \"group/name\" for the refresh token. */\n refreshTokenPath: string;\n /** Vault secret path: \"group/name\" for the access token to update. */\n accessTokenPath: string;\n /** OAuth2 token endpoint URL. */\n tokenEndpoint: string;\n /** OAuth2 client ID. */\n clientId: string;\n /** Vault secret path for client secret (confidential clients). */\n clientSecretPath?: string;\n /** OAuth2 grant type. Default: \"refresh_token\". */\n grantType?: string;\n /** Additional parameters to include in the token request. */\n extraParams?: Record<string, string>;\n /** Optional: also write the new refresh token if returned. */\n rotateRefreshToken?: boolean;\n}\n\nexport interface RotationStatus {\n configName: string;\n lastRotation: number | null;\n lastResult: \"success\" | \"error\" | null;\n lastError: string | null;\n rotationCount: number;\n}\n\n/** Interface for vault access — decoupled from AFSVault class. */\nexport interface VaultAccess {\n getSecret(group: string, name: string): Promise<string | undefined>;\n setSecret(group: string, name: string, value: string): Promise<void>;\n}\n\nexport interface AFSRotationOptions {\n name?: string;\n description?: string;\n accessMode?: AFSAccessMode;\n /** Vault access for reading/writing secrets. */\n vault: VaultAccess;\n /** Rotation configurations. */\n configs: RotationConfig[];\n /** Custom fetch function (for testing). */\n fetchFn?: (input: RequestInfo | URL, init?: RequestInit) => Promise<Response>;\n}\n\nconst rotationConfigSchema = z.object({\n name: z.string(),\n refreshTokenPath: z.string(),\n accessTokenPath: z.string(),\n tokenEndpoint: z.string().url(),\n clientId: z.string(),\n clientSecretPath: z.string().optional(),\n grantType: z.string().optional(),\n extraParams: z.record(z.string(), z.string()).optional(),\n rotateRefreshToken: z.boolean().optional(),\n});\n\nconst afsRotationOptionsSchema = z.object({\n name: z.string().optional().describe(\"Module name\"),\n description: z.string().optional().describe(\"Module description\"),\n accessMode: z.enum([\"readonly\", \"readwrite\"]).optional().describe(\"Access mode\"),\n configs: z.array(rotationConfigSchema).describe(\"Rotation configurations\"),\n});\n\n// ─── Helper ──────────────────────────────────────────────────────────\n\nfunction parseVaultPath(vaultPath: string): { group: string; name: string } {\n const parts = vaultPath.split(\"/\").filter(Boolean);\n if (parts.length !== 2) {\n throw new Error(`Invalid vault path \"${vaultPath}\" — expected \"group/name\"`);\n }\n return { group: parts[0]!, name: parts[1]! };\n}\n\n// ─── Provider ────────────────────────────────────────────────────────\n\nexport class AFSRotation extends AFSBaseProvider {\n readonly name: string;\n readonly description: string;\n readonly accessMode: AFSAccessMode;\n\n private vault: VaultAccess;\n private configs: Map<string, RotationConfig>;\n private statuses: Map<string, RotationStatus>;\n private fetchFn: (input: RequestInfo | URL, init?: RequestInit) => Promise<Response>;\n\n constructor(options: AFSRotationOptions) {\n super();\n this.name = options.name || \"rotation\";\n this.description = options.description || \"OAuth2 token rotation\";\n this.accessMode = options.accessMode || \"readwrite\";\n this.vault = options.vault;\n this.fetchFn = options.fetchFn || globalThis.fetch;\n\n this.configs = new Map();\n this.statuses = new Map();\n for (const cfg of options.configs) {\n rotationConfigSchema.parse(cfg);\n this.configs.set(cfg.name, cfg);\n this.statuses.set(cfg.name, {\n configName: cfg.name,\n lastRotation: null,\n lastResult: null,\n lastError: null,\n rotationCount: 0,\n });\n }\n }\n\n static securityProfiles(): Record<string, SecurityProfile> {\n return {\n admin: {\n actionPolicy: \"full\",\n accessMode: \"readwrite\",\n },\n system: {\n actionPolicy: \"safe\",\n accessMode: \"readonly\",\n },\n };\n }\n\n static schema() {\n return afsRotationOptionsSchema;\n }\n\n static treeSchema(): ProviderTreeSchema {\n return {\n operations: [\"list\", \"read\", \"exec\", \"stat\", \"explain\"],\n tree: {\n \"/\": {\n kind: \"rotation:root\",\n operations: [\"list\", \"read\", \"exec\"],\n actions: [\"rotate-all\"],\n },\n \"/{name}\": {\n kind: \"rotation:config\",\n operations: [\"list\", \"read\", \"exec\"],\n actions: [\"rotate\"],\n },\n \"/{name}/status\": { kind: \"rotation:status\", operations: [\"read\"] },\n },\n auth: { type: \"custom\" },\n bestFor: [\"OAuth2 token rotation\", \"credential refresh\"],\n notFor: [\"secret storage\"],\n };\n }\n\n static manifest(): ProviderManifest {\n return {\n name: \"rotation\",\n description:\n \"OAuth2 token rotation.\\n- Reads refresh tokens from vault, calls token endpoints, writes new tokens back\\n- On-demand rotation via actions\\n- Security profiles: admin (readwrite), system (readonly)\",\n uriTemplate: \"rotation://\",\n category: \"security\",\n schema: afsRotationOptionsSchema,\n tags: [\"rotation\", \"oauth\", \"tokens\", \"secrets\"],\n capabilityTags: [\"read-write\", \"auth:none\", \"local\"],\n security: {\n riskLevel: \"external\",\n resourceAccess: [\"internet\"],\n dataSensitivity: [\"credentials\"],\n notes: [\n \"Makes HTTP requests to OAuth2 token endpoints\",\n \"Reads and writes secrets in vault\",\n ],\n },\n capabilities: {\n network: { egress: true },\n },\n };\n }\n\n static async load({ config }: AFSModuleLoadParams = {}): Promise<AFSRotation> {\n const _parsed = afsRotationOptionsSchema.parse(config || {});\n // Vault must be injected — cannot be loaded from config alone\n throw new Error(\n \"AFSRotation requires a vault instance — use `new AFSRotation({ vault, configs })` directly\",\n );\n }\n\n // ─── Helpers ─────────────────────────────────────────────────────\n\n private getConfig(name: string): RotationConfig {\n const cfg = this.configs.get(name);\n if (!cfg) throw new AFSNotFoundError(joinURL(\"/\", name));\n return cfg;\n }\n\n private getStatus(name: string): RotationStatus {\n return (\n this.statuses.get(name) || {\n configName: name,\n lastRotation: null,\n lastResult: null,\n lastError: null,\n rotationCount: 0,\n }\n );\n }\n\n private parsePath(ctx: RouteContext): string[] {\n const pathStr = (ctx.params as Record<string, string | undefined>)?.path || \"\";\n return pathStr.split(\"/\").filter(Boolean);\n }\n\n private buildConfigEntry(name: string): AFSEntry {\n const status = this.getStatus(name);\n const cfg = this.configs.get(name)!;\n return this.buildEntry(joinURL(\"/\", name), {\n meta: {\n childrenCount: 1,\n configName: name,\n tokenEndpoint: cfg.tokenEndpoint,\n lastRotation: status.lastRotation,\n lastResult: status.lastResult,\n },\n });\n }\n\n private buildStatusEntry(name: string): AFSEntry {\n const status = this.getStatus(name);\n return this.buildEntry(joinURL(\"/\", name, \"status\"), {\n content: status,\n meta: {\n kind: \"rotation:status\",\n lastRotation: status.lastRotation,\n lastResult: status.lastResult,\n rotationCount: status.rotationCount,\n },\n });\n }\n\n private buildRootEntry(): AFSEntry {\n return this.buildEntry(\"/\", {\n meta: {\n childrenCount: this.configs.size,\n provider: \"rotation\",\n configCount: this.configs.size,\n },\n });\n }\n\n // ─── Core Rotation Logic ─────────────────────────────────────────\n\n async rotate(configName: string): Promise<RotationStatus> {\n const cfg = this.getConfig(configName);\n const status = this.getStatus(configName);\n\n try {\n // 1. Read refresh token from vault\n const refreshRef = parseVaultPath(cfg.refreshTokenPath);\n const refreshToken = await this.vault.getSecret(refreshRef.group, refreshRef.name);\n if (!refreshToken) {\n throw new Error(`Refresh token not found at vault path: ${cfg.refreshTokenPath}`);\n }\n\n // 2. Read client secret if configured\n let clientSecret: string | undefined;\n if (cfg.clientSecretPath) {\n const secretRef = parseVaultPath(cfg.clientSecretPath);\n clientSecret = await this.vault.getSecret(secretRef.group, secretRef.name);\n if (!clientSecret) {\n throw new Error(`Client secret not found at vault path: ${cfg.clientSecretPath}`);\n }\n }\n\n // 3. Build token request\n const params = new URLSearchParams();\n params.set(\"grant_type\", cfg.grantType || \"refresh_token\");\n params.set(\"refresh_token\", refreshToken);\n params.set(\"client_id\", cfg.clientId);\n if (clientSecret) params.set(\"client_secret\", clientSecret);\n if (cfg.extraParams) {\n for (const [k, v] of Object.entries(cfg.extraParams)) {\n params.set(k, v);\n }\n }\n\n // 4. Call token endpoint\n const response = await this.fetchFn(cfg.tokenEndpoint, {\n method: \"POST\",\n headers: {\n \"Content-Type\": \"application/x-www-form-urlencoded\",\n Accept: \"application/json\",\n },\n body: params.toString(),\n });\n\n if (!response.ok) {\n const body = await response.text();\n throw new Error(`Token endpoint returned ${response.status}: ${body}`);\n }\n\n const tokenResponse = (await response.json()) as Record<string, unknown>;\n const accessToken = tokenResponse.access_token as string | undefined;\n if (!accessToken) {\n throw new Error(\"Token response missing access_token field\");\n }\n\n // 5. Write new access token to vault\n const accessRef = parseVaultPath(cfg.accessTokenPath);\n await this.vault.setSecret(accessRef.group, accessRef.name, accessToken);\n\n // 6. Optionally rotate refresh token too\n if (cfg.rotateRefreshToken && tokenResponse.refresh_token) {\n await this.vault.setSecret(\n refreshRef.group,\n refreshRef.name,\n tokenResponse.refresh_token as string,\n );\n }\n\n // 7. Update status\n status.lastRotation = Date.now();\n status.lastResult = \"success\";\n status.lastError = null;\n status.rotationCount++;\n this.statuses.set(configName, status);\n\n return status;\n } catch (err) {\n status.lastRotation = Date.now();\n status.lastResult = \"error\";\n status.lastError = err instanceof Error ? err.message : String(err);\n this.statuses.set(configName, status);\n throw err;\n }\n }\n\n async rotateAll(): Promise<Record<string, RotationStatus>> {\n const results: Record<string, RotationStatus> = {};\n for (const [name] of this.configs) {\n try {\n results[name] = await this.rotate(name);\n } catch {\n results[name] = this.getStatus(name);\n }\n }\n return results;\n }\n\n // ─── Route Handlers ───────────────────────────────────────────────\n\n @Meta(\"/:path*\")\n async handleMeta(ctx: RouteContext): Promise<AFSEntry | undefined> {\n const parts = this.parsePath(ctx);\n const metaPath = parts.length === 0 ? \"/.meta\" : joinURL(\"/\", ...parts, \".meta\");\n\n if (parts.length === 0) {\n return this.buildEntry(metaPath, {\n meta: {\n childrenCount: this.configs.size,\n provider: \"rotation\",\n configCount: this.configs.size,\n },\n });\n }\n if (parts.length === 1) {\n const name = parts[0]!;\n this.getConfig(name);\n return this.buildEntry(metaPath, { meta: { childrenCount: 1, configName: name } });\n }\n if (parts.length === 2 && parts[1] === \"status\") {\n const status = this.getStatus(parts[0]!);\n return this.buildEntry(metaPath, {\n meta: { kind: \"rotation:status\", lastResult: status.lastResult },\n });\n }\n throw new AFSNotFoundError(joinURL(\"/\", ...parts));\n }\n\n @List(\"/:path*\")\n async handleList(ctx: RouteContext): Promise<AFSListResult> {\n const parts = this.parsePath(ctx);\n\n if (parts.length === 0) {\n const children = [...this.configs.keys()].sort().map((n) => this.buildConfigEntry(n));\n return { data: children };\n }\n if (parts.length === 1) {\n this.getConfig(parts[0]!);\n return { data: [this.buildStatusEntry(parts[0]!)] };\n }\n if (parts.length === 2 && parts[1] === \"status\") {\n return { data: [] }; // leaf node\n }\n throw new AFSNotFoundError(joinURL(\"/\", ...parts));\n }\n\n @Read(\"/.meta/.capabilities\")\n async handleReadCapabilities(): Promise<AFSEntry | undefined> {\n const operations = this.getOperationsDeclaration();\n const manifest: CapabilitiesManifest = {\n schemaVersion: 1,\n provider: this.name,\n description: this.description,\n tools: [],\n actions: [],\n operations,\n };\n return this.buildEntry(\"/.meta/.capabilities\", {\n content: manifest,\n meta: { kind: \"afs:capabilities\", operations },\n });\n }\n\n @Read(\"/:path*\")\n async handleRead(ctx: RouteContext): Promise<AFSEntry | undefined> {\n const parts = this.parsePath(ctx);\n\n if (parts.length === 0) return this.buildRootEntry();\n if (parts.length === 1) {\n const name = parts[0]!;\n this.getConfig(name);\n return this.buildConfigEntry(name);\n }\n if (parts.length === 2 && parts[1] === \"status\") {\n return this.buildStatusEntry(parts[0]!);\n }\n throw new AFSNotFoundError(joinURL(\"/\", ...parts));\n }\n\n @Stat(\"/:path*\")\n async handleStat(ctx: RouteContext): Promise<AFSStatResult> {\n const parts = this.parsePath(ctx);\n\n if (parts.length === 0) return { data: this.buildRootEntry() };\n if (parts.length === 1) {\n const name = parts[0]!;\n this.getConfig(name);\n return { data: this.buildConfigEntry(name) };\n }\n if (parts.length === 2 && parts[1] === \"status\") {\n return { data: this.buildStatusEntry(parts[0]!) };\n }\n throw new AFSNotFoundError(joinURL(\"/\", ...parts));\n }\n\n // ── Actions: per-config rotate ────────────────────────────────\n\n @Actions(\"/:name\")\n async listConfigActions(ctx: RouteContext<{ name: string }>): Promise<AFSListResult> {\n const name = ctx.params.name;\n this.getConfig(name);\n return {\n data: [\n {\n id: \"rotate\",\n path: joinURL(\"/\", name, \".actions\", \"rotate\"),\n meta: {\n kind: \"action\",\n description: `Rotate tokens for ${name}`,\n childrenCount: 0,\n },\n },\n ],\n };\n }\n\n @Actions.Exec(\"/:name\", \"rotate\", \"Rotate tokens for this config\")\n async execRotate(\n ctx: RouteContext<{ name: string; action: string }>,\n ): Promise<{ success: boolean; data?: unknown }> {\n const name = ctx.params.name;\n const status = await this.rotate(name);\n return { success: true, data: status };\n }\n\n // ── Actions: root rotate-all ──────────────────────────────────\n\n @Actions(\"/\")\n async listRootActions(): Promise<AFSListResult> {\n return {\n data: [\n {\n id: \"rotate-all\",\n path: joinURL(\"/\", \".actions\", \"rotate-all\"),\n meta: {\n kind: \"action\",\n description: \"Rotate tokens for all configurations\",\n childrenCount: 0,\n },\n },\n ],\n };\n }\n\n @Actions.Exec(\"/\", \"rotate-all\", \"Rotate all configured tokens\")\n async execRotateAll(): Promise<{ success: boolean; data?: unknown }> {\n const results = await this.rotateAll();\n const allSuccess = Object.values(results).every((s) => s.lastResult === \"success\");\n return { success: allSuccess, data: results };\n }\n\n // ── Search ────────────────────────────────────────────────────\n\n @Explain(\"/:path*\")\n async handleExplain(ctx: RouteContext): Promise<AFSExplainResult> {\n const parts = this.parsePath(ctx);\n\n if (parts.length >= 1) {\n const name = parts[0]!;\n const cfg = this.configs.get(name);\n if (cfg) {\n const status = this.getStatus(name);\n return {\n format: \"text\",\n content:\n `Rotation config \"${name}\".\\n` +\n `Token endpoint: ${cfg.tokenEndpoint}\\n` +\n `Client ID: ${cfg.clientId}\\n` +\n `Last rotation: ${status.lastRotation ? new Date(status.lastRotation).toISOString() : \"never\"}\\n` +\n `Status: ${status.lastResult || \"pending\"}`,\n };\n }\n }\n return {\n format: \"text\",\n content: `AFS Rotation — OAuth2 token rotation. ${this.configs.size} config(s). Use actions to trigger rotation.`,\n };\n }\n}\n\n// Register as loadable module\n(AFSRotation as unknown as AFSModuleClass).load = AFSRotation.load;\n"],"mappings":";;;;;;;;;;;;;;;AAqFA,MAAM,uBAAuB,EAAE,OAAO;CACpC,MAAM,EAAE,QAAQ;CAChB,kBAAkB,EAAE,QAAQ;CAC5B,iBAAiB,EAAE,QAAQ;CAC3B,eAAe,EAAE,QAAQ,CAAC,KAAK;CAC/B,UAAU,EAAE,QAAQ;CACpB,kBAAkB,EAAE,QAAQ,CAAC,UAAU;CACvC,WAAW,EAAE,QAAQ,CAAC,UAAU;CAChC,aAAa,EAAE,OAAO,EAAE,QAAQ,EAAE,EAAE,QAAQ,CAAC,CAAC,UAAU;CACxD,oBAAoB,EAAE,SAAS,CAAC,UAAU;CAC3C,CAAC;AAEF,MAAM,2BAA2B,EAAE,OAAO;CACxC,MAAM,EAAE,QAAQ,CAAC,UAAU,CAAC,SAAS,cAAc;CACnD,aAAa,EAAE,QAAQ,CAAC,UAAU,CAAC,SAAS,qBAAqB;CACjE,YAAY,EAAE,KAAK,CAAC,YAAY,YAAY,CAAC,CAAC,UAAU,CAAC,SAAS,cAAc;CAChF,SAAS,EAAE,MAAM,qBAAqB,CAAC,SAAS,0BAA0B;CAC3E,CAAC;AAIF,SAAS,eAAe,WAAoD;CAC1E,MAAM,QAAQ,UAAU,MAAM,IAAI,CAAC,OAAO,QAAQ;AAClD,KAAI,MAAM,WAAW,EACnB,OAAM,IAAI,MAAM,uBAAuB,UAAU,2BAA2B;AAE9E,QAAO;EAAE,OAAO,MAAM;EAAK,MAAM,MAAM;EAAK;;AAK9C,IAAa,cAAb,cAAiC,gBAAgB;CAC/C,AAAS;CACT,AAAS;CACT,AAAS;CAET,AAAQ;CACR,AAAQ;CACR,AAAQ;CACR,AAAQ;CAER,YAAY,SAA6B;AACvC,SAAO;AACP,OAAK,OAAO,QAAQ,QAAQ;AAC5B,OAAK,cAAc,QAAQ,eAAe;AAC1C,OAAK,aAAa,QAAQ,cAAc;AACxC,OAAK,QAAQ,QAAQ;AACrB,OAAK,UAAU,QAAQ,WAAW,WAAW;AAE7C,OAAK,0BAAU,IAAI,KAAK;AACxB,OAAK,2BAAW,IAAI,KAAK;AACzB,OAAK,MAAM,OAAO,QAAQ,SAAS;AACjC,wBAAqB,MAAM,IAAI;AAC/B,QAAK,QAAQ,IAAI,IAAI,MAAM,IAAI;AAC/B,QAAK,SAAS,IAAI,IAAI,MAAM;IAC1B,YAAY,IAAI;IAChB,cAAc;IACd,YAAY;IACZ,WAAW;IACX,eAAe;IAChB,CAAC;;;CAIN,OAAO,mBAAoD;AACzD,SAAO;GACL,OAAO;IACL,cAAc;IACd,YAAY;IACb;GACD,QAAQ;IACN,cAAc;IACd,YAAY;IACb;GACF;;CAGH,OAAO,SAAS;AACd,SAAO;;CAGT,OAAO,aAAiC;AACtC,SAAO;GACL,YAAY;IAAC;IAAQ;IAAQ;IAAQ;IAAQ;IAAU;GACvD,MAAM;IACJ,KAAK;KACH,MAAM;KACN,YAAY;MAAC;MAAQ;MAAQ;MAAO;KACpC,SAAS,CAAC,aAAa;KACxB;IACD,WAAW;KACT,MAAM;KACN,YAAY;MAAC;MAAQ;MAAQ;MAAO;KACpC,SAAS,CAAC,SAAS;KACpB;IACD,kBAAkB;KAAE,MAAM;KAAmB,YAAY,CAAC,OAAO;KAAE;IACpE;GACD,MAAM,EAAE,MAAM,UAAU;GACxB,SAAS,CAAC,yBAAyB,qBAAqB;GACxD,QAAQ,CAAC,iBAAiB;GAC3B;;CAGH,OAAO,WAA6B;AAClC,SAAO;GACL,MAAM;GACN,aACE;GACF,aAAa;GACb,UAAU;GACV,QAAQ;GACR,MAAM;IAAC;IAAY;IAAS;IAAU;IAAU;GAChD,gBAAgB;IAAC;IAAc;IAAa;IAAQ;GACpD,UAAU;IACR,WAAW;IACX,gBAAgB,CAAC,WAAW;IAC5B,iBAAiB,CAAC,cAAc;IAChC,OAAO,CACL,iDACA,oCACD;IACF;GACD,cAAc,EACZ,SAAS,EAAE,QAAQ,MAAM,EAC1B;GACF;;CAGH,aAAa,KAAK,EAAE,WAAgC,EAAE,EAAwB;AAC5D,2BAAyB,MAAM,UAAU,EAAE,CAAC;AAE5D,QAAM,IAAI,MACR,6FACD;;CAKH,AAAQ,UAAU,MAA8B;EAC9C,MAAM,MAAM,KAAK,QAAQ,IAAI,KAAK;AAClC,MAAI,CAAC,IAAK,OAAM,IAAI,iBAAiB,QAAQ,KAAK,KAAK,CAAC;AACxD,SAAO;;CAGT,AAAQ,UAAU,MAA8B;AAC9C,SACE,KAAK,SAAS,IAAI,KAAK,IAAI;GACzB,YAAY;GACZ,cAAc;GACd,YAAY;GACZ,WAAW;GACX,eAAe;GAChB;;CAIL,AAAQ,UAAU,KAA6B;AAE7C,UADiB,IAAI,QAA+C,QAAQ,IAC7D,MAAM,IAAI,CAAC,OAAO,QAAQ;;CAG3C,AAAQ,iBAAiB,MAAwB;EAC/C,MAAM,SAAS,KAAK,UAAU,KAAK;EACnC,MAAM,MAAM,KAAK,QAAQ,IAAI,KAAK;AAClC,SAAO,KAAK,WAAW,QAAQ,KAAK,KAAK,EAAE,EACzC,MAAM;GACJ,eAAe;GACf,YAAY;GACZ,eAAe,IAAI;GACnB,cAAc,OAAO;GACrB,YAAY,OAAO;GACpB,EACF,CAAC;;CAGJ,AAAQ,iBAAiB,MAAwB;EAC/C,MAAM,SAAS,KAAK,UAAU,KAAK;AACnC,SAAO,KAAK,WAAW,QAAQ,KAAK,MAAM,SAAS,EAAE;GACnD,SAAS;GACT,MAAM;IACJ,MAAM;IACN,cAAc,OAAO;IACrB,YAAY,OAAO;IACnB,eAAe,OAAO;IACvB;GACF,CAAC;;CAGJ,AAAQ,iBAA2B;AACjC,SAAO,KAAK,WAAW,KAAK,EAC1B,MAAM;GACJ,eAAe,KAAK,QAAQ;GAC5B,UAAU;GACV,aAAa,KAAK,QAAQ;GAC3B,EACF,CAAC;;CAKJ,MAAM,OAAO,YAA6C;EACxD,MAAM,MAAM,KAAK,UAAU,WAAW;EACtC,MAAM,SAAS,KAAK,UAAU,WAAW;AAEzC,MAAI;GAEF,MAAM,aAAa,eAAe,IAAI,iBAAiB;GACvD,MAAM,eAAe,MAAM,KAAK,MAAM,UAAU,WAAW,OAAO,WAAW,KAAK;AAClF,OAAI,CAAC,aACH,OAAM,IAAI,MAAM,0CAA0C,IAAI,mBAAmB;GAInF,IAAI;AACJ,OAAI,IAAI,kBAAkB;IACxB,MAAM,YAAY,eAAe,IAAI,iBAAiB;AACtD,mBAAe,MAAM,KAAK,MAAM,UAAU,UAAU,OAAO,UAAU,KAAK;AAC1E,QAAI,CAAC,aACH,OAAM,IAAI,MAAM,0CAA0C,IAAI,mBAAmB;;GAKrF,MAAM,SAAS,IAAI,iBAAiB;AACpC,UAAO,IAAI,cAAc,IAAI,aAAa,gBAAgB;AAC1D,UAAO,IAAI,iBAAiB,aAAa;AACzC,UAAO,IAAI,aAAa,IAAI,SAAS;AACrC,OAAI,aAAc,QAAO,IAAI,iBAAiB,aAAa;AAC3D,OAAI,IAAI,YACN,MAAK,MAAM,CAAC,GAAG,MAAM,OAAO,QAAQ,IAAI,YAAY,CAClD,QAAO,IAAI,GAAG,EAAE;GAKpB,MAAM,WAAW,MAAM,KAAK,QAAQ,IAAI,eAAe;IACrD,QAAQ;IACR,SAAS;KACP,gBAAgB;KAChB,QAAQ;KACT;IACD,MAAM,OAAO,UAAU;IACxB,CAAC;AAEF,OAAI,CAAC,SAAS,IAAI;IAChB,MAAM,OAAO,MAAM,SAAS,MAAM;AAClC,UAAM,IAAI,MAAM,2BAA2B,SAAS,OAAO,IAAI,OAAO;;GAGxE,MAAM,gBAAiB,MAAM,SAAS,MAAM;GAC5C,MAAM,cAAc,cAAc;AAClC,OAAI,CAAC,YACH,OAAM,IAAI,MAAM,4CAA4C;GAI9D,MAAM,YAAY,eAAe,IAAI,gBAAgB;AACrD,SAAM,KAAK,MAAM,UAAU,UAAU,OAAO,UAAU,MAAM,YAAY;AAGxE,OAAI,IAAI,sBAAsB,cAAc,cAC1C,OAAM,KAAK,MAAM,UACf,WAAW,OACX,WAAW,MACX,cAAc,cACf;AAIH,UAAO,eAAe,KAAK,KAAK;AAChC,UAAO,aAAa;AACpB,UAAO,YAAY;AACnB,UAAO;AACP,QAAK,SAAS,IAAI,YAAY,OAAO;AAErC,UAAO;WACA,KAAK;AACZ,UAAO,eAAe,KAAK,KAAK;AAChC,UAAO,aAAa;AACpB,UAAO,YAAY,eAAe,QAAQ,IAAI,UAAU,OAAO,IAAI;AACnE,QAAK,SAAS,IAAI,YAAY,OAAO;AACrC,SAAM;;;CAIV,MAAM,YAAqD;EACzD,MAAM,UAA0C,EAAE;AAClD,OAAK,MAAM,CAAC,SAAS,KAAK,QACxB,KAAI;AACF,WAAQ,QAAQ,MAAM,KAAK,OAAO,KAAK;UACjC;AACN,WAAQ,QAAQ,KAAK,UAAU,KAAK;;AAGxC,SAAO;;CAKT,MACM,WAAW,KAAkD;EACjE,MAAM,QAAQ,KAAK,UAAU,IAAI;EACjC,MAAM,WAAW,MAAM,WAAW,IAAI,WAAW,QAAQ,KAAK,GAAG,OAAO,QAAQ;AAEhF,MAAI,MAAM,WAAW,EACnB,QAAO,KAAK,WAAW,UAAU,EAC/B,MAAM;GACJ,eAAe,KAAK,QAAQ;GAC5B,UAAU;GACV,aAAa,KAAK,QAAQ;GAC3B,EACF,CAAC;AAEJ,MAAI,MAAM,WAAW,GAAG;GACtB,MAAM,OAAO,MAAM;AACnB,QAAK,UAAU,KAAK;AACpB,UAAO,KAAK,WAAW,UAAU,EAAE,MAAM;IAAE,eAAe;IAAG,YAAY;IAAM,EAAE,CAAC;;AAEpF,MAAI,MAAM,WAAW,KAAK,MAAM,OAAO,UAAU;GAC/C,MAAM,SAAS,KAAK,UAAU,MAAM,GAAI;AACxC,UAAO,KAAK,WAAW,UAAU,EAC/B,MAAM;IAAE,MAAM;IAAmB,YAAY,OAAO;IAAY,EACjE,CAAC;;AAEJ,QAAM,IAAI,iBAAiB,QAAQ,KAAK,GAAG,MAAM,CAAC;;CAGpD,MACM,WAAW,KAA2C;EAC1D,MAAM,QAAQ,KAAK,UAAU,IAAI;AAEjC,MAAI,MAAM,WAAW,EAEnB,QAAO,EAAE,MADQ,CAAC,GAAG,KAAK,QAAQ,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,MAAM,KAAK,iBAAiB,EAAE,CAAC,EAC5D;AAE3B,MAAI,MAAM,WAAW,GAAG;AACtB,QAAK,UAAU,MAAM,GAAI;AACzB,UAAO,EAAE,MAAM,CAAC,KAAK,iBAAiB,MAAM,GAAI,CAAC,EAAE;;AAErD,MAAI,MAAM,WAAW,KAAK,MAAM,OAAO,SACrC,QAAO,EAAE,MAAM,EAAE,EAAE;AAErB,QAAM,IAAI,iBAAiB,QAAQ,KAAK,GAAG,MAAM,CAAC;;CAGpD,MACM,yBAAwD;EAC5D,MAAM,aAAa,KAAK,0BAA0B;EAClD,MAAM,WAAiC;GACrC,eAAe;GACf,UAAU,KAAK;GACf,aAAa,KAAK;GAClB,OAAO,EAAE;GACT,SAAS,EAAE;GACX;GACD;AACD,SAAO,KAAK,WAAW,wBAAwB;GAC7C,SAAS;GACT,MAAM;IAAE,MAAM;IAAoB;IAAY;GAC/C,CAAC;;CAGJ,MACM,WAAW,KAAkD;EACjE,MAAM,QAAQ,KAAK,UAAU,IAAI;AAEjC,MAAI,MAAM,WAAW,EAAG,QAAO,KAAK,gBAAgB;AACpD,MAAI,MAAM,WAAW,GAAG;GACtB,MAAM,OAAO,MAAM;AACnB,QAAK,UAAU,KAAK;AACpB,UAAO,KAAK,iBAAiB,KAAK;;AAEpC,MAAI,MAAM,WAAW,KAAK,MAAM,OAAO,SACrC,QAAO,KAAK,iBAAiB,MAAM,GAAI;AAEzC,QAAM,IAAI,iBAAiB,QAAQ,KAAK,GAAG,MAAM,CAAC;;CAGpD,MACM,WAAW,KAA2C;EAC1D,MAAM,QAAQ,KAAK,UAAU,IAAI;AAEjC,MAAI,MAAM,WAAW,EAAG,QAAO,EAAE,MAAM,KAAK,gBAAgB,EAAE;AAC9D,MAAI,MAAM,WAAW,GAAG;GACtB,MAAM,OAAO,MAAM;AACnB,QAAK,UAAU,KAAK;AACpB,UAAO,EAAE,MAAM,KAAK,iBAAiB,KAAK,EAAE;;AAE9C,MAAI,MAAM,WAAW,KAAK,MAAM,OAAO,SACrC,QAAO,EAAE,MAAM,KAAK,iBAAiB,MAAM,GAAI,EAAE;AAEnD,QAAM,IAAI,iBAAiB,QAAQ,KAAK,GAAG,MAAM,CAAC;;CAKpD,MACM,kBAAkB,KAA6D;EACnF,MAAM,OAAO,IAAI,OAAO;AACxB,OAAK,UAAU,KAAK;AACpB,SAAO,EACL,MAAM,CACJ;GACE,IAAI;GACJ,MAAM,QAAQ,KAAK,MAAM,YAAY,SAAS;GAC9C,MAAM;IACJ,MAAM;IACN,aAAa,qBAAqB;IAClC,eAAe;IAChB;GACF,CACF,EACF;;CAGH,MACM,WACJ,KAC+C;EAC/C,MAAM,OAAO,IAAI,OAAO;AAExB,SAAO;GAAE,SAAS;GAAM,MADT,MAAM,KAAK,OAAO,KAAK;GACA;;CAKxC,MACM,kBAA0C;AAC9C,SAAO,EACL,MAAM,CACJ;GACE,IAAI;GACJ,MAAM,QAAQ,KAAK,YAAY,aAAa;GAC5C,MAAM;IACJ,MAAM;IACN,aAAa;IACb,eAAe;IAChB;GACF,CACF,EACF;;CAGH,MACM,gBAA+D;EACnE,MAAM,UAAU,MAAM,KAAK,WAAW;AAEtC,SAAO;GAAE,SADU,OAAO,OAAO,QAAQ,CAAC,OAAO,MAAM,EAAE,eAAe,UAAU;GACpD,MAAM;GAAS;;CAK/C,MACM,cAAc,KAA8C;EAChE,MAAM,QAAQ,KAAK,UAAU,IAAI;AAEjC,MAAI,MAAM,UAAU,GAAG;GACrB,MAAM,OAAO,MAAM;GACnB,MAAM,MAAM,KAAK,QAAQ,IAAI,KAAK;AAClC,OAAI,KAAK;IACP,MAAM,SAAS,KAAK,UAAU,KAAK;AACnC,WAAO;KACL,QAAQ;KACR,SACE,oBAAoB,KAAK,sBACN,IAAI,cAAc,eACvB,IAAI,SAAS,mBACT,OAAO,eAAe,IAAI,KAAK,OAAO,aAAa,CAAC,aAAa,GAAG,QAAQ,YACnF,OAAO,cAAc;KACnC;;;AAGL,SAAO;GACL,QAAQ;GACR,SAAS,yCAAyC,KAAK,QAAQ,KAAK;GACrE;;;YAhLF,KAAK,UAAU;YA4Bf,KAAK,UAAU;YAkBf,KAAK,uBAAuB;YAiB5B,KAAK,UAAU;YAgBf,KAAK,UAAU;YAkBf,QAAQ,SAAS;YAmBjB,QAAQ,KAAK,UAAU,UAAU,gCAAgC;YAWjE,QAAQ,IAAI;YAiBZ,QAAQ,KAAK,KAAK,cAAc,+BAA+B;YAS/D,QAAQ,UAAU;AA4BrB,AAAC,YAA0C,OAAO,YAAY"}

package/package.json ADDED Viewed

@@ -0,0 +1,58 @@
+{
+  "name": "@aigne/afs-rotation",
+  "version": "1.11.0-beta.12",
+  "description": "AFS Rotation provider — OAuth2 token rotation with vault integration",
+  "license": "UNLICENSED",
+  "publishConfig": {
+    "access": "public"
+  },
+  "author": "Arcblock <blocklet@arcblock.io> https://github.com/arcblock",
+  "homepage": "https://github.com/arcblock/afs",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/arcblock/afs"
+  },
+  "bugs": {
+    "url": "https://github.com/arcblock/afs/issues"
+  },
+  "type": "module",
+  "main": "./dist/index.cjs",
+  "module": "./dist/index.mjs",
+  "types": "./dist/index.d.cts",
+  "exports": {
+    ".": {
+      "require": "./dist/index.cjs",
+      "import": "./dist/index.mjs"
+    },
+    "./*": "./*"
+  },
+  "files": [
+    "dist",
+    "LICENSE",
+    "README.md",
+    "CHANGELOG.md"
+  ],
+  "dependencies": {
+    "ufo": "^1.6.3",
+    "zod": "^4.0.0",
+    "@aigne/afs": "^1.11.0-beta.12"
+  },
+  "devDependencies": {
+    "@types/bun": "^1.3.6",
+    "npm-run-all": "^4.1.5",
+    "rimraf": "^6.1.2",
+    "tsdown": "0.20.0-beta.3",
+    "typescript": "5.9.2",
+    "@aigne/scripts": "0.0.0",
+    "@aigne/typescript-config": "0.0.0",
+    "@aigne/afs-testing": "1.11.0-beta.12",
+    "@aigne/afs-vault": "1.11.0-beta.12"
+  },
+  "scripts": {
+    "build": "tsdown",
+    "check-types": "tsc --noEmit",
+    "clean": "rimraf dist coverage",
+    "test": "bun test",
+    "test:coverage": "bun test --coverage --coverage-reporter=lcov --coverage-reporter=text"
+  }
+}