@apralabs/apra-fleet 0.2.2

package/dist/services/cloud/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/services/cloud/types.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,aAAa,GACrB,SAAS,GACT,SAAS,GACT,UAAU,GACV,SAAS,GACT,eAAe,GACf,YAAY,CAAC;AAEjB,MAAM,WAAW,WAAW;IAC1B,QAAQ,EAAE,KAAK,CAAC;IAChB,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,cAAc,EAAE,MAAM,CAAC;IACvB,4EAA4E;IAC5E,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED,MAAM,WAAW,oBAAoB;IACnC,KAAK,EAAE,aAAa,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,aAAa;IAC5B,gBAAgB,CAAC,MAAM,EAAE,WAAW,GAAG,OAAO,CAAC,aAAa,CAAC,CAAC;IAC9D,aAAa,CAAC,MAAM,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAClD,YAAY,CAAC,MAAM,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACjD,cAAc,CAAC,MAAM,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACnD,cAAc,CAAC,MAAM,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACnD,WAAW,CAAC,MAAM,EAAE,WAAW,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAClD,kBAAkB,CAAC,MAAM,EAAE,WAAW,GAAG,OAAO,CAAC,oBAAoB,CAAC,CAAC;CACxE"}

package/dist/services/cloud/types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=types.js.map

package/dist/services/cloud/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../../src/services/cloud/types.ts"],"names":[],"mappings":""}

package/dist/services/credential-cleanup.d.ts

@@ -0,0 +1,4 @@
+export declare function scheduleCredentialCleanup(agentId: string, expiresAt?: string): void;
+export declare function cancelCredentialCleanup(agentId: string): void;
+export declare function _getCleanupTimers(): Map<string, ReturnType<typeof setTimeout>>;
+//# sourceMappingURL=credential-cleanup.d.ts.map

package/dist/services/credential-cleanup.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"credential-cleanup.d.ts","sourceRoot":"","sources":["../../src/services/credential-cleanup.ts"],"names":[],"mappings":"AAmBA,wBAAgB,yBAAyB,CAAC,OAAO,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,CAqCnF;AAED,wBAAgB,uBAAuB,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI,CAM7D;AAED,wBAAgB,iBAAiB,IAAI,GAAG,CAAC,MAAM,EAAE,UAAU,CAAC,OAAO,UAAU,CAAC,CAAC,CAE9E"}

package/dist/services/credential-cleanup.js

@@ -0,0 +1,61 @@
+import { getAllAgents } from './registry.js';
+import { getStrategy } from './strategy.js';
+import { getOsCommands } from '../os/index.js';
+import { getAgentOS } from '../utils/agent-helpers.js';
+import { githubProvider } from './vcs/github.js';
+import { bitbucketProvider } from './vcs/bitbucket.js';
+import { azureDevOpsProvider } from './vcs/azure-devops.js';
+const DEFAULT_TTL_MS = 55 * 60 * 1000; // 55 minutes
+const cleanupTimers = new Map();
+const providers = {
+    github: githubProvider,
+    bitbucket: bitbucketProvider,
+    'azure-devops': azureDevOpsProvider,
+};
+export function scheduleCredentialCleanup(agentId, expiresAt) {
+    cancelCredentialCleanup(agentId);
+    let delayMs = DEFAULT_TTL_MS;
+    if (expiresAt) {
+        const expiresMs = new Date(expiresAt).getTime();
+        if (!isNaN(expiresMs)) {
+            delayMs = Math.max(0, expiresMs - Date.now());
+        }
+    }
+    const timer = setTimeout(async () => {
+        cleanupTimers.delete(agentId);
+        try {
+            const agents = getAllAgents();
+            const agent = agents.find(a => a.id === agentId);
+            if (!agent?.vcsProvider)
+                return;
+            const service = providers[agent.vcsProvider];
+            if (!service)
+                return;
+            const strategy = getStrategy(agent);
+            const conn = await strategy.testConnection();
+            if (!conn.ok)
+                return;
+            const cmds = getOsCommands(getAgentOS(agent));
+            const exec = async (cmd) => {
+                const result = await strategy.execCommand(cmd, 15000);
+                return result.stdout;
+            };
+            await service.revoke(agent, cmds, exec);
+        }
+        catch { /* silent — best-effort cleanup */ }
+    }, delayMs);
+    if (timer.unref)
+        timer.unref();
+    cleanupTimers.set(agentId, timer);
+}
+export function cancelCredentialCleanup(agentId) {
+    const timer = cleanupTimers.get(agentId);
+    if (timer !== undefined) {
+        clearTimeout(timer);
+        cleanupTimers.delete(agentId);
+    }
+}
+export function _getCleanupTimers() {
+    return cleanupTimers;
+}
+//# sourceMappingURL=credential-cleanup.js.map

package/dist/services/credential-cleanup.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"credential-cleanup.js","sourceRoot":"","sources":["../../src/services/credential-cleanup.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAC7C,OAAO,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AAC5C,OAAO,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AAC/C,OAAO,EAAE,UAAU,EAAE,MAAM,2BAA2B,CAAC;AACvD,OAAO,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAC;AACjD,OAAO,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAC;AACvD,OAAO,EAAE,mBAAmB,EAAE,MAAM,uBAAuB,CAAC;AAG5D,MAAM,cAAc,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,aAAa;AAEpD,MAAM,aAAa,GAAG,IAAI,GAAG,EAAyC,CAAC;AAEvE,MAAM,SAAS,GAAuC;IACpD,MAAM,EAAE,cAAc;IACtB,SAAS,EAAE,iBAAiB;IAC5B,cAAc,EAAE,mBAAmB;CACpC,CAAC;AAEF,MAAM,UAAU,yBAAyB,CAAC,OAAe,EAAE,SAAkB;IAC3E,uBAAuB,CAAC,OAAO,CAAC,CAAC;IAEjC,IAAI,OAAO,GAAG,cAAc,CAAC;IAC7B,IAAI,SAAS,EAAE,CAAC;QACd,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,CAAC;QAChD,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,EAAE,CAAC;YACtB,OAAO,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;QAChD,CAAC;IACH,CAAC;IAED,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,IAAI,EAAE;QAClC,aAAa,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QAC9B,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,YAAY,EAAE,CAAC;YAC9B,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,OAAO,CAAC,CAAC;YACjD,IAAI,CAAC,KAAK,EAAE,WAAW;gBAAE,OAAO;YAEhC,MAAM,OAAO,GAAG,SAAS,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;YAC7C,IAAI,CAAC,OAAO;gBAAE,OAAO;YAErB,MAAM,QAAQ,GAAG,WAAW,CAAC,KAAK,CAAC,CAAC;YACpC,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,cAAc,EAAE,CAAC;YAC7C,IAAI,CAAC,IAAI,CAAC,EAAE;gBAAE,OAAO;YAErB,MAAM,IAAI,GAAG,aAAa,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC;YAC9C,MAAM,IAAI,GAAG,KAAK,EAAE,GAAW,EAAE,EAAE;gBACjC,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,WAAW,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;gBACtD,OAAO,MAAM,CAAC,MAAM,CAAC;YACvB,CAAC,CAAC;YAEF,MAAM,OAAO,CAAC,MAAM,CAAC,KAAK,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;QAC1C,CAAC;QAAC,MAAM,CAAC,CAAC,kCAAkC,CAAC,CAAC;IAChD,CAAC,EAAE,OAAO,CAAC,CAAC;IAEZ,IAAI,KAAK,CAAC,KAAK;QAAE,KAAK,CAAC,KAAK,EAAE,CAAC;IAC/B,aAAa,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;AACpC,CAAC;AAED,MAAM,UAAU,uBAAuB,CAAC,OAAe;IACrD,MAAM,KAAK,GAAG,aAAa,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IACzC,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;QACxB,YAAY,CAAC,KAAK,CAAC,CAAC;QACpB,aAAa,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAChC,CAAC;AACH,CAAC;AAED,MAAM,UAAU,iBAAiB;IAC/B,OAAO,aAAa,CAAC;AACvB,CAAC"}

package/dist/services/credential-store.d.ts

@@ -0,0 +1,56 @@
+export interface CredentialMeta {
+    name: string;
+    scope: 'session' | 'persistent';
+    network_policy: 'allow' | 'confirm' | 'deny';
+    created_at: string;
+    allowedMembers: string[] | '*';
+    expiresAt?: string;
+}
+export declare function credentialSet(name: string, plaintext: string, persist: boolean, network_policy: 'allow' | 'confirm' | 'deny', allowedMembers?: string[] | '*', ttl_seconds?: number): CredentialMeta;
+export declare function credentialList(): CredentialMeta[];
+export declare function credentialDelete(name: string): boolean;
+interface TaskCredential {
+    name: string;
+    plaintext: string;
+}
+export declare function registerTaskCredentials(taskId: string, credentials: {
+    name: string;
+    plaintext: string;
+}[]): void;
+export declare function getTaskCredentials(taskId: string): TaskCredential[];
+/**
+ * Resolve a credential name to its plaintext value.
+ * Persistent store takes precedence over session store.
+ *
+ * Returns:
+ *   - { plaintext, meta } on success
+ *   - { denied } if callingMember is not in allowedMembers
+ *   - { expired } if the credential has passed its TTL (entry is also deleted)
+ *   - null if the credential does not exist
+ */
+export declare function credentialResolve(name: string, callingMember?: string): {
+    plaintext: string;
+    meta: CredentialMeta;
+} | {
+    denied: string;
+} | {
+    expired: string;
+} | null;
+export interface CredentialUpdatePatch {
+    members?: string;
+    expiresAt?: number | null;
+    network_policy?: 'allow' | 'confirm' | 'deny';
+}
+export interface CredentialUpdateResult {
+    members: string;
+    network_policy: 'allow' | 'confirm' | 'deny';
+    expiresAt?: number;
+}
+export declare function credentialUpdate(name: string, patch: CredentialUpdatePatch): CredentialUpdateResult | null;
+/**
+ * Purge expired credentials from the persistent store.
+ * Called at server startup to clean up stale entries.
+ */
+export declare function purgeExpiredCredentials(): void;
+export {};
+//# sourceMappingURL=credential-store.d.ts.map

package/dist/services/credential-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"credential-store.d.ts","sourceRoot":"","sources":["../../src/services/credential-store.ts"],"names":[],"mappings":"AAqCA,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,SAAS,GAAG,YAAY,CAAC;IAChC,cAAc,EAAE,OAAO,GAAG,SAAS,GAAG,MAAM,CAAC;IAC7C,UAAU,EAAE,MAAM,CAAC;IACnB,cAAc,EAAE,MAAM,EAAE,GAAG,GAAG,CAAC;IAC/B,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AA4DD,wBAAgB,aAAa,CAC3B,IAAI,EAAE,MAAM,EACZ,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,OAAO,EAChB,cAAc,EAAE,OAAO,GAAG,SAAS,GAAG,MAAM,EAC5C,cAAc,GAAE,MAAM,EAAE,GAAG,GAAS,EACpC,WAAW,CAAC,EAAE,MAAM,GACnB,cAAc,CAyBhB;AAED,wBAAgB,cAAc,IAAI,cAAc,EAAE,CA0BjD;AAED,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CActD;AAKD,UAAU,cAAc;IAAG,IAAI,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,MAAM,CAAC;CAAE;AAG7D,wBAAgB,uBAAuB,CAAC,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,MAAM,CAAA;CAAE,EAAE,GAAG,IAAI,CAIhH;AAED,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,MAAM,GAAG,cAAc,EAAE,CAEnE;AAED;;;;;;;;;GASG;AACH,wBAAgB,iBAAiB,CAC/B,IAAI,EAAE,MAAM,EACZ,aAAa,CAAC,EAAE,MAAM,GACrB;IAAE,SAAS,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,cAAc,CAAA;CAAE,GAAG;IAAE,MAAM,EAAE,MAAM,CAAA;CAAE,GAAG;IAAE,OAAO,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CA8D/F;AAED,MAAM,WAAW,qBAAqB;IACpC,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,cAAc,CAAC,EAAE,OAAO,GAAG,SAAS,GAAG,MAAM,CAAC;CAC/C;AAED,MAAM,WAAW,sBAAsB;IACrC,OAAO,EAAE,MAAM,CAAC;IAChB,cAAc,EAAE,OAAO,GAAG,SAAS,GAAG,MAAM,CAAC;IAC7C,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAUD,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,qBAAqB,GAAG,sBAAsB,GAAG,IAAI,CA0C1G;AAED;;;GAGG;AACH,wBAAgB,uBAAuB,IAAI,IAAI,CAyB9C"}

package/dist/services/credential-store.js

@@ -0,0 +1,280 @@
+import crypto from 'node:crypto';
+import fs from 'node:fs';
+import path from 'node:path';
+import { encryptPassword, decryptPassword } from '../utils/crypto.js';
+import { enforceOwnerOnly } from '../utils/file-permissions.js';
+import { FLEET_DIR } from '../paths.js';
+// ---------------------------------------------------------------------------
+// Session-tier encryption (AES-256-GCM, key lives only in this process)
+// ---------------------------------------------------------------------------
+const SESSION_KEY = crypto.randomBytes(32);
+const ALGORITHM = 'aes-256-gcm';
+const IV_LENGTH = 16;
+function sessionEncrypt(plaintext) {
+    const iv = crypto.randomBytes(IV_LENGTH);
+    const cipher = crypto.createCipheriv(ALGORITHM, SESSION_KEY, iv);
+    let encrypted = cipher.update(plaintext, 'utf8', 'hex');
+    encrypted += cipher.final('hex');
+    const authTag = cipher.getAuthTag();
+    return `${iv.toString('hex')}:${authTag.toString('hex')}:${encrypted}`;
+}
+function sessionDecrypt(ciphertext) {
+    const [ivHex, authTagHex, encrypted] = ciphertext.split(':');
+    const iv = Buffer.from(ivHex, 'hex');
+    const authTag = Buffer.from(authTagHex, 'hex');
+    const decipher = crypto.createDecipheriv(ALGORITHM, SESSION_KEY, iv);
+    decipher.setAuthTag(authTag);
+    let decrypted = decipher.update(encrypted, 'hex', 'utf8');
+    decrypted += decipher.final('utf8');
+    return decrypted;
+}
+// ---------------------------------------------------------------------------
+// Session store (in-memory)
+// ---------------------------------------------------------------------------
+const sessionStore = new Map();
+// ---------------------------------------------------------------------------
+// Persistent store (credentials.json)
+// ---------------------------------------------------------------------------
+function getCredentialsPath() {
+    const dataDir = process.env.APRA_FLEET_DATA_DIR ?? FLEET_DIR;
+    return path.join(dataDir, 'credentials.json');
+}
+function loadCredentialFile() {
+    const credentialsPath = getCredentialsPath();
+    const dataDir = path.dirname(credentialsPath);
+    if (!fs.existsSync(dataDir)) {
+        fs.mkdirSync(dataDir, { recursive: true, mode: 0o700 });
+    }
+    if (!fs.existsSync(credentialsPath)) {
+        return { version: '1.0', credentials: {} };
+    }
+    return JSON.parse(fs.readFileSync(credentialsPath, 'utf-8'));
+}
+function saveCredentialFile(file) {
+    const credentialsPath = getCredentialsPath();
+    const dataDir = path.dirname(credentialsPath);
+    if (!fs.existsSync(dataDir)) {
+        fs.mkdirSync(dataDir, { recursive: true, mode: 0o700 });
+    }
+    fs.writeFileSync(credentialsPath, JSON.stringify(file, null, 2), { mode: 0o600 });
+    enforceOwnerOnly(credentialsPath);
+}
+// ---------------------------------------------------------------------------
+// Public API
+// ---------------------------------------------------------------------------
+export function credentialSet(name, plaintext, persist, network_policy, allowedMembers = '*', ttl_seconds) {
+    const created_at = new Date().toISOString();
+    const expiresAt = ttl_seconds !== undefined
+        ? new Date(Date.now() + ttl_seconds * 1000).toISOString()
+        : undefined;
+    if (persist) {
+        const file = loadCredentialFile();
+        file.credentials[name] = { name, network_policy, created_at, encryptedValue: encryptPassword(plaintext), allowedMembers, expiresAt };
+        saveCredentialFile(file);
+        // Persistent supersedes session
+        sessionStore.delete(name);
+        return { name, scope: 'persistent', network_policy, created_at, allowedMembers, expiresAt };
+    }
+    sessionStore.set(name, {
+        name,
+        scope: 'session',
+        network_policy,
+        created_at,
+        encryptedValue: sessionEncrypt(plaintext),
+        allowedMembers,
+        expiresAt,
+    });
+    return { name, scope: 'session', network_policy, created_at, allowedMembers, expiresAt };
+}
+export function credentialList() {
+    const results = [];
+    for (const entry of sessionStore.values()) {
+        results.push({ name: entry.name, scope: entry.scope, network_policy: entry.network_policy, created_at: entry.created_at, allowedMembers: entry.allowedMembers, expiresAt: entry.expiresAt });
+    }
+    const file = loadCredentialFile();
+    for (const record of Object.values(file.credentials)) {
+        const existing = results.findIndex(r => r.name === record.name);
+        const meta = {
+            name: record.name,
+            scope: 'persistent',
+            network_policy: record.network_policy,
+            created_at: record.created_at,
+            allowedMembers: record.allowedMembers ?? '*',
+            expiresAt: record.expiresAt,
+        };
+        if (existing !== -1) {
+            results[existing] = meta;
+        }
+        else {
+            results.push(meta);
+        }
+    }
+    return results;
+}
+export function credentialDelete(name) {
+    // Remove from both tiers unconditionally (M1)
+    let found = false;
+    if (sessionStore.has(name)) {
+        sessionStore.delete(name);
+        found = true;
+    }
+    const file = loadCredentialFile();
+    if (name in file.credentials) {
+        delete file.credentials[name];
+        saveCredentialFile(file);
+        found = true;
+    }
+    return found;
+}
+const taskCredentials = new Map();
+export function registerTaskCredentials(taskId, credentials) {
+    if (credentials.length > 0) {
+        taskCredentials.set(taskId, credentials.map(c => ({ name: c.name, plaintext: c.plaintext })));
+    }
+}
+export function getTaskCredentials(taskId) {
+    return taskCredentials.get(taskId) ?? [];
+}
+/**
+ * Resolve a credential name to its plaintext value.
+ * Persistent store takes precedence over session store.
+ *
+ * Returns:
+ *   - { plaintext, meta } on success
+ *   - { denied } if callingMember is not in allowedMembers
+ *   - { expired } if the credential has passed its TTL (entry is also deleted)
+ *   - null if the credential does not exist
+ */
+export function credentialResolve(name, callingMember) {
+    // Persistent wins
+    const file = loadCredentialFile();
+    const persistent = file.credentials[name];
+    if (persistent) {
+        const allowedMembers = persistent.allowedMembers ?? '*';
+        // TTL check
+        if (persistent.expiresAt && Date.now() > new Date(persistent.expiresAt).getTime()) {
+            delete file.credentials[name];
+            saveCredentialFile(file);
+            sessionStore.delete(name);
+            return { expired: `Credential '${name}' has expired. Re-set with credential_store_set.` };
+        }
+        // Scoping check ('*' as callingMember is a fleet-operator bypass)
+        if (callingMember !== undefined && callingMember !== '*' && allowedMembers !== '*' && !allowedMembers.includes(callingMember)) {
+            return { denied: `Credential '${name}' is not accessible to member '${callingMember}'. Allowed: ${allowedMembers.join(', ')}` };
+        }
+        return {
+            plaintext: decryptPassword(persistent.encryptedValue),
+            meta: {
+                name: persistent.name,
+                scope: 'persistent',
+                network_policy: persistent.network_policy,
+                created_at: persistent.created_at,
+                allowedMembers,
+                expiresAt: persistent.expiresAt,
+            },
+        };
+    }
+    const session = sessionStore.get(name);
+    if (session) {
+        const allowedMembers = session.allowedMembers;
+        // TTL check
+        if (session.expiresAt && Date.now() > new Date(session.expiresAt).getTime()) {
+            sessionStore.delete(name);
+            return { expired: `Credential '${name}' has expired. Re-set with credential_store_set.` };
+        }
+        // Scoping check ('*' as callingMember is a fleet-operator bypass)
+        if (callingMember !== undefined && callingMember !== '*' && allowedMembers !== '*' && !allowedMembers.includes(callingMember)) {
+            return { denied: `Credential '${name}' is not accessible to member '${callingMember}'. Allowed: ${allowedMembers.join(', ')}` };
+        }
+        return {
+            plaintext: sessionDecrypt(session.encryptedValue),
+            meta: {
+                name: session.name,
+                scope: 'session',
+                network_policy: session.network_policy,
+                created_at: session.created_at,
+                allowedMembers: session.allowedMembers,
+                expiresAt: session.expiresAt,
+            },
+        };
+    }
+    return null;
+}
+function membersToAllowed(members) {
+    return members === '*' ? '*' : members.split(',').map(m => m.trim()).filter(Boolean);
+}
+function allowedToMembers(allowed) {
+    return allowed === '*' ? '*' : allowed.join(',');
+}
+export function credentialUpdate(name, patch) {
+    const file = loadCredentialFile();
+    const persistent = file.credentials[name];
+    if (persistent) {
+        if (patch.members !== undefined) {
+            persistent.allowedMembers = membersToAllowed(patch.members);
+        }
+        if (patch.network_policy !== undefined) {
+            persistent.network_policy = patch.network_policy;
+        }
+        if (patch.expiresAt !== undefined) {
+            persistent.expiresAt = patch.expiresAt === null ? undefined : new Date(patch.expiresAt).toISOString();
+        }
+        file.credentials[name] = persistent;
+        saveCredentialFile(file);
+        return {
+            members: allowedToMembers(persistent.allowedMembers),
+            network_policy: persistent.network_policy,
+            expiresAt: persistent.expiresAt ? new Date(persistent.expiresAt).getTime() : undefined,
+        };
+    }
+    const session = sessionStore.get(name);
+    if (session) {
+        if (patch.members !== undefined) {
+            session.allowedMembers = membersToAllowed(patch.members);
+        }
+        if (patch.network_policy !== undefined) {
+            session.network_policy = patch.network_policy;
+        }
+        if (patch.expiresAt !== undefined) {
+            session.expiresAt = patch.expiresAt === null ? undefined : new Date(patch.expiresAt).toISOString();
+        }
+        sessionStore.set(name, session);
+        return {
+            members: allowedToMembers(session.allowedMembers),
+            network_policy: session.network_policy,
+            expiresAt: session.expiresAt ? new Date(session.expiresAt).getTime() : undefined,
+        };
+    }
+    return null;
+}
+/**
+ * Purge expired credentials from the persistent store.
+ * Called at server startup to clean up stale entries.
+ */
+export function purgeExpiredCredentials() {
+    let file;
+    try {
+        file = loadCredentialFile();
+    }
+    catch {
+        return;
+    }
+    const now = Date.now();
+    let changed = false;
+    for (const [name, record] of Object.entries(file.credentials)) {
+        if (record.expiresAt && now > new Date(record.expiresAt).getTime()) {
+            delete file.credentials[name];
+            sessionStore.delete(name);
+            changed = true;
+        }
+    }
+    if (changed) {
+        try {
+            saveCredentialFile(file);
+        }
+        catch {
+            // best-effort
+        }
+    }
+}
+//# sourceMappingURL=credential-store.js.map

package/dist/services/credential-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"credential-store.js","sourceRoot":"","sources":["../../src/services/credential-store.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,aAAa,CAAC;AACjC,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AACtE,OAAO,EAAE,gBAAgB,EAAE,MAAM,8BAA8B,CAAC;AAChE,OAAO,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAExC,8EAA8E;AAC9E,wEAAwE;AACxE,8EAA8E;AAC9E,MAAM,WAAW,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;AAC3C,MAAM,SAAS,GAAG,aAAa,CAAC;AAChC,MAAM,SAAS,GAAG,EAAE,CAAC;AAErB,SAAS,cAAc,CAAC,SAAiB;IACvC,MAAM,EAAE,GAAG,MAAM,CAAC,WAAW,CAAC,SAAS,CAAC,CAAC;IACzC,MAAM,MAAM,GAAG,MAAM,CAAC,cAAc,CAAC,SAAS,EAAE,WAAW,EAAE,EAAE,CAAC,CAAC;IACjE,IAAI,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC;IACxD,SAAS,IAAI,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IACjC,MAAM,OAAO,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;IACpC,OAAO,GAAG,EAAE,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,SAAS,EAAE,CAAC;AACzE,CAAC;AAED,SAAS,cAAc,CAAC,UAAkB;IACxC,MAAM,CAAC,KAAK,EAAE,UAAU,EAAE,SAAS,CAAC,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC7D,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;IACrC,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC;IAC/C,MAAM,QAAQ,GAAG,MAAM,CAAC,gBAAgB,CAAC,SAAS,EAAE,WAAW,EAAE,EAAE,CAAC,CAAC;IACrE,QAAQ,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;IAC7B,IAAI,SAAS,GAAG,QAAQ,CAAC,MAAM,CAAC,SAAS,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;IAC1D,SAAS,IAAI,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IACpC,OAAO,SAAS,CAAC;AACnB,CAAC;AAiCD,8EAA8E;AAC9E,4BAA4B;AAC5B,8EAA8E;AAC9E,MAAM,YAAY,GAAG,IAAI,GAAG,EAAwB,CAAC;AAErD,8EAA8E;AAC9E,sCAAsC;AACtC,8EAA8E;AAC9E,SAAS,kBAAkB;IACzB,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,mBAAmB,IAAI,SAAS,CAAC;IAC7D,OAAO,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,kBAAkB,CAAC,CAAC;AAChD,CAAC;AAED,SAAS,kBAAkB;IACzB,MAAM,eAAe,GAAG,kBAAkB,EAAE,CAAC;IAC7C,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;IAC9C,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QAC5B,EAAE,CAAC,SAAS,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAC1D,CAAC;IACD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,eAAe,CAAC,EAAE,CAAC;QACpC,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,WAAW,EAAE,EAAE,EAAE,CAAC;IAC7C,CAAC;IACD,OAAO,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,eAAe,EAAE,OAAO,CAAC,CAAmB,CAAC;AACjF,CAAC;AAED,SAAS,kBAAkB,CAAC,IAAoB;IAC9C,MAAM,eAAe,GAAG,kBAAkB,EAAE,CAAC;IAC7C,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;IAC9C,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QAC5B,EAAE,CAAC,SAAS,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAC1D,CAAC;IACD,EAAE,CAAC,aAAa,CAAC,eAAe,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAClF,gBAAgB,CAAC,eAAe,CAAC,CAAC;AACpC,CAAC;AAED,8EAA8E;AAC9E,aAAa;AACb,8EAA8E;AAE9E,MAAM,UAAU,aAAa,CAC3B,IAAY,EACZ,SAAiB,EACjB,OAAgB,EAChB,cAA4C,EAC5C,iBAAiC,GAAG,EACpC,WAAoB;IAEpB,MAAM,UAAU,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAC5C,MAAM,SAAS,GAAG,WAAW,KAAK,SAAS;QACzC,CAAC,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,WAAW,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE;QACzD,CAAC,CAAC,SAAS,CAAC;IAEd,IAAI,OAAO,EAAE,CAAC;QACZ,MAAM,IAAI,GAAG,kBAAkB,EAAE,CAAC;QAClC,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,GAAG,EAAE,IAAI,EAAE,cAAc,EAAE,UAAU,EAAE,cAAc,EAAE,eAAe,CAAC,SAAS,CAAC,EAAE,cAAc,EAAE,SAAS,EAAE,CAAC;QACrI,kBAAkB,CAAC,IAAI,CAAC,CAAC;QACzB,gCAAgC;QAChC,YAAY,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QAC1B,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,YAAY,EAAE,cAAc,EAAE,UAAU,EAAE,cAAc,EAAE,SAAS,EAAE,CAAC;IAC9F,CAAC;IAED,YAAY,CAAC,GAAG,CAAC,IAAI,EAAE;QACrB,IAAI;QACJ,KAAK,EAAE,SAAS;QAChB,cAAc;QACd,UAAU;QACV,cAAc,EAAE,cAAc,CAAC,SAAS,CAAC;QACzC,cAAc;QACd,SAAS;KACV,CAAC,CAAC;IACH,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,SAAS,EAAE,cAAc,EAAE,UAAU,EAAE,cAAc,EAAE,SAAS,EAAE,CAAC;AAC3F,CAAC;AAED,MAAM,UAAU,cAAc;IAC5B,MAAM,OAAO,GAAqB,EAAE,CAAC;IAErC,KAAK,MAAM,KAAK,IAAI,YAAY,CAAC,MAAM,EAAE,EAAE,CAAC;QAC1C,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,EAAE,cAAc,EAAE,KAAK,CAAC,cAAc,EAAE,UAAU,EAAE,KAAK,CAAC,UAAU,EAAE,cAAc,EAAE,KAAK,CAAC,cAAc,EAAE,SAAS,EAAE,KAAK,CAAC,SAAS,EAAE,CAAC,CAAC;IAC/L,CAAC;IAED,MAAM,IAAI,GAAG,kBAAkB,EAAE,CAAC;IAClC,KAAK,MAAM,MAAM,IAAI,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;QACrD,MAAM,QAAQ,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,MAAM,CAAC,IAAI,CAAC,CAAC;QAChE,MAAM,IAAI,GAAmB;YAC3B,IAAI,EAAE,MAAM,CAAC,IAAI;YACjB,KAAK,EAAE,YAAY;YACnB,cAAc,EAAE,MAAM,CAAC,cAAc;YACrC,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,cAAc,EAAE,MAAM,CAAC,cAAc,IAAI,GAAG;YAC5C,SAAS,EAAE,MAAM,CAAC,SAAS;SAC5B,CAAC;QACF,IAAI,QAAQ,KAAK,CAAC,CAAC,EAAE,CAAC;YACpB,OAAO,CAAC,QAAQ,CAAC,GAAG,IAAI,CAAC;QAC3B,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACrB,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,IAAY;IAC3C,8CAA8C;IAC9C,IAAI,KAAK,GAAG,KAAK,CAAC;IAClB,IAAI,YAAY,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;QAC3B,YAAY,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QAC1B,KAAK,GAAG,IAAI,CAAC;IACf,CAAC;IACD,MAAM,IAAI,GAAG,kBAAkB,EAAE,CAAC;IAClC,IAAI,IAAI,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;QAC7B,OAAO,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC;QAC9B,kBAAkB,CAAC,IAAI,CAAC,CAAC;QACzB,KAAK,GAAG,IAAI,CAAC;IACf,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAMD,MAAM,eAAe,GAAG,IAAI,GAAG,EAA4B,CAAC;AAE5D,MAAM,UAAU,uBAAuB,CAAC,MAAc,EAAE,WAAkD;IACxG,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC3B,eAAe,CAAC,GAAG,CAAC,MAAM,EAAE,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,SAAS,EAAE,CAAC,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC,CAAC;IAChG,CAAC;AACH,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,MAAc;IAC/C,OAAO,eAAe,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;AAC3C,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,iBAAiB,CAC/B,IAAY,EACZ,aAAsB;IAEtB,kBAAkB;IAClB,MAAM,IAAI,GAAG,kBAAkB,EAAE,CAAC;IAClC,MAAM,UAAU,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC;IAC1C,IAAI,UAAU,EAAE,CAAC;QACf,MAAM,cAAc,GAAG,UAAU,CAAC,cAAc,IAAI,GAAG,CAAC;QAExD,YAAY;QACZ,IAAI,UAAU,CAAC,SAAS,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC;YAClF,OAAO,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC;YAC9B,kBAAkB,CAAC,IAAI,CAAC,CAAC;YACzB,YAAY,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;YAC1B,OAAO,EAAE,OAAO,EAAE,eAAe,IAAI,kDAAkD,EAAE,CAAC;QAC5F,CAAC;QAED,kEAAkE;QAClE,IAAI,aAAa,KAAK,SAAS,IAAI,aAAa,KAAK,GAAG,IAAI,cAAc,KAAK,GAAG,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;YAC9H,OAAO,EAAE,MAAM,EAAE,eAAe,IAAI,kCAAkC,aAAa,eAAe,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC;QAClI,CAAC;QAED,OAAO;YACL,SAAS,EAAE,eAAe,CAAC,UAAU,CAAC,cAAc,CAAC;YACrD,IAAI,EAAE;gBACJ,IAAI,EAAE,UAAU,CAAC,IAAI;gBACrB,KAAK,EAAE,YAAY;gBACnB,cAAc,EAAE,UAAU,CAAC,cAAc;gBACzC,UAAU,EAAE,UAAU,CAAC,UAAU;gBACjC,cAAc;gBACd,SAAS,EAAE,UAAU,CAAC,SAAS;aAChC;SACF,CAAC;IACJ,CAAC;IAED,MAAM,OAAO,GAAG,YAAY,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IACvC,IAAI,OAAO,EAAE,CAAC;QACZ,MAAM,cAAc,GAAG,OAAO,CAAC,cAAc,CAAC;QAE9C,YAAY;QACZ,IAAI,OAAO,CAAC,SAAS,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC;YAC5E,YAAY,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;YAC1B,OAAO,EAAE,OAAO,EAAE,eAAe,IAAI,kDAAkD,EAAE,CAAC;QAC5F,CAAC;QAED,kEAAkE;QAClE,IAAI,aAAa,KAAK,SAAS,IAAI,aAAa,KAAK,GAAG,IAAI,cAAc,KAAK,GAAG,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;YAC9H,OAAO,EAAE,MAAM,EAAE,eAAe,IAAI,kCAAkC,aAAa,eAAe,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC;QAClI,CAAC;QAED,OAAO;YACL,SAAS,EAAE,cAAc,CAAC,OAAO,CAAC,cAAc,CAAC;YACjD,IAAI,EAAE;gBACJ,IAAI,EAAE,OAAO,CAAC,IAAI;gBAClB,KAAK,EAAE,SAAS;gBAChB,cAAc,EAAE,OAAO,CAAC,cAAc;gBACtC,UAAU,EAAE,OAAO,CAAC,UAAU;gBAC9B,cAAc,EAAE,OAAO,CAAC,cAAc;gBACtC,SAAS,EAAE,OAAO,CAAC,SAAS;aAC7B;SACF,CAAC;IACJ,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAcD,SAAS,gBAAgB,CAAC,OAAe;IACvC,OAAO,OAAO,KAAK,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;AACvF,CAAC;AAED,SAAS,gBAAgB,CAAC,OAAuB;IAC/C,OAAO,OAAO,KAAK,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AACnD,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,IAAY,EAAE,KAA4B;IACzE,MAAM,IAAI,GAAG,kBAAkB,EAAE,CAAC;IAClC,MAAM,UAAU,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC;IAC1C,IAAI,UAAU,EAAE,CAAC;QACf,IAAI,KAAK,CAAC,OAAO,KAAK,SAAS,EAAE,CAAC;YAChC,UAAU,CAAC,cAAc,GAAG,gBAAgB,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAC9D,CAAC;QACD,IAAI,KAAK,CAAC,cAAc,KAAK,SAAS,EAAE,CAAC;YACvC,UAAU,CAAC,cAAc,GAAG,KAAK,CAAC,cAAc,CAAC;QACnD,CAAC;QACD,IAAI,KAAK,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;YAClC,UAAU,CAAC,SAAS,GAAG,KAAK,CAAC,SAAS,KAAK,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,WAAW,EAAE,CAAC;QACxG,CAAC;QACD,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,GAAG,UAAU,CAAC;QACpC,kBAAkB,CAAC,IAAI,CAAC,CAAC;QACzB,OAAO;YACL,OAAO,EAAE,gBAAgB,CAAC,UAAU,CAAC,cAAc,CAAC;YACpD,cAAc,EAAE,UAAU,CAAC,cAAc;YACzC,SAAS,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,SAAS;SACvF,CAAC;IACJ,CAAC;IAED,MAAM,OAAO,GAAG,YAAY,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IACvC,IAAI,OAAO,EAAE,CAAC;QACZ,IAAI,KAAK,CAAC,OAAO,KAAK,SAAS,EAAE,CAAC;YAChC,OAAO,CAAC,cAAc,GAAG,gBAAgB,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAC3D,CAAC;QACD,IAAI,KAAK,CAAC,cAAc,KAAK,SAAS,EAAE,CAAC;YACvC,OAAO,CAAC,cAAc,GAAG,KAAK,CAAC,cAAc,CAAC;QAChD,CAAC;QACD,IAAI,KAAK,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;YAClC,OAAO,CAAC,SAAS,GAAG,KAAK,CAAC,SAAS,KAAK,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,WAAW,EAAE,CAAC;QACrG,CAAC;QACD,YAAY,CAAC,GAAG,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;QAChC,OAAO;YACL,OAAO,EAAE,gBAAgB,CAAC,OAAO,CAAC,cAAc,CAAC;YACjD,cAAc,EAAE,OAAO,CAAC,cAAc;YACtC,SAAS,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,SAAS;SACjF,CAAC;IACJ,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,uBAAuB;IACrC,IAAI,IAAoB,CAAC;IACzB,IAAI,CAAC;QACH,IAAI,GAAG,kBAAkB,EAAE,CAAC;IAC9B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO;IACT,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,IAAI,OAAO,GAAG,KAAK,CAAC;IACpB,KAAK,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;QAC9D,IAAI,MAAM,CAAC,SAAS,IAAI,GAAG,GAAG,IAAI,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC;YACnE,OAAO,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC;YAC9B,YAAY,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;YAC1B,OAAO,GAAG,IAAI,CAAC;QACjB,CAAC;IACH,CAAC;IAED,IAAI,OAAO,EAAE,CAAC;QACZ,IAAI,CAAC;YACH,kBAAkB,CAAC,IAAI,CAAC,CAAC;QAC3B,CAAC;QAAC,MAAM,CAAC;YACP,cAAc;QAChB,CAAC;IACH,CAAC;AACH,CAAC"}

package/dist/services/file-transfer.d.ts

@@ -0,0 +1,22 @@
+import type { Agent } from '../types.js';
+/**
+ * Upload files to a remote agent via SFTP.
+ */
+export declare function uploadFiles(agent: Agent, localPaths: string[], destinationPath?: string, abortSignal?: AbortSignal): Promise<{
+    success: string[];
+    failed: {
+        path: string;
+        error: string;
+    }[];
+}>;
+/**
+ * Download files from a remote agent via SFTP.
+ */
+export declare function downloadFiles(agent: Agent, remotePaths: string[], localDestination: string, abortSignal?: AbortSignal): Promise<{
+    success: string[];
+    failed: {
+        path: string;
+        error: string;
+    }[];
+}>;
+//# sourceMappingURL=file-transfer.d.ts.map

package/dist/services/file-transfer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"file-transfer.d.ts","sourceRoot":"","sources":["../../src/services/file-transfer.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,aAAa,CAAC;AAGzC;;GAEG;AACH,wBAAsB,WAAW,CAC/B,KAAK,EAAE,KAAK,EACZ,UAAU,EAAE,MAAM,EAAE,EACpB,eAAe,CAAC,EAAE,MAAM,EACxB,WAAW,CAAC,EAAE,WAAW,GACxB,OAAO,CAAC;IAAE,OAAO,EAAE,MAAM,EAAE,CAAC;IAAC,MAAM,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,EAAE,CAAA;CAAE,CAAC,CAE3E;AAED;;GAEG;AACH,wBAAsB,aAAa,CACjC,KAAK,EAAE,KAAK,EACZ,WAAW,EAAE,MAAM,EAAE,EACrB,gBAAgB,EAAE,MAAM,EACxB,WAAW,CAAC,EAAE,WAAW,GACxB,OAAO,CAAC;IAAE,OAAO,EAAE,MAAM,EAAE,CAAC;IAAC,MAAM,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,EAAE,CAAA;CAAE,CAAC,CAE3E"}

package/dist/services/file-transfer.js

@@ -0,0 +1,14 @@
+import { uploadViaSFTP, downloadViaSFTP } from './sftp.js';
+/**
+ * Upload files to a remote agent via SFTP.
+ */
+export async function uploadFiles(agent, localPaths, destinationPath, abortSignal) {
+    return uploadViaSFTP(agent, localPaths, destinationPath, abortSignal);
+}
+/**
+ * Download files from a remote agent via SFTP.
+ */
+export async function downloadFiles(agent, remotePaths, localDestination, abortSignal) {
+    return downloadViaSFTP(agent, remotePaths, localDestination, abortSignal);
+}
+//# sourceMappingURL=file-transfer.js.map

package/dist/services/file-transfer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"file-transfer.js","sourceRoot":"","sources":["../../src/services/file-transfer.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,WAAW,CAAC;AAE3D;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,KAAY,EACZ,UAAoB,EACpB,eAAwB,EACxB,WAAyB;IAEzB,OAAO,aAAa,CAAC,KAAK,EAAE,UAAU,EAAE,eAAe,EAAE,WAAW,CAAC,CAAC;AACxE,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,KAAY,EACZ,WAAqB,EACrB,gBAAwB,EACxB,WAAyB;IAEzB,OAAO,eAAe,CAAC,KAAK,EAAE,WAAW,EAAE,gBAAgB,EAAE,WAAW,CAAC,CAAC;AAC5E,CAAC"}

package/dist/services/git-config.d.ts

@@ -0,0 +1,6 @@
+import type { FleetGitConfig, GitHubAppConfig } from '../types.js';
+export declare function loadGitConfig(): FleetGitConfig;
+export declare function saveGitConfig(config: FleetGitConfig): void;
+export declare function getGitHubApp(): GitHubAppConfig | undefined;
+export declare function setGitHubApp(config: GitHubAppConfig): void;
+//# sourceMappingURL=git-config.d.ts.map

package/dist/services/git-config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"git-config.d.ts","sourceRoot":"","sources":["../../src/services/git-config.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAWnE,wBAAgB,aAAa,IAAI,cAAc,CAK9C;AAED,wBAAgB,aAAa,CAAC,MAAM,EAAE,cAAc,GAAG,IAAI,CAI1D;AAED,wBAAgB,YAAY,IAAI,eAAe,GAAG,SAAS,CAE1D;AAED,wBAAgB,YAAY,CAAC,MAAM,EAAE,eAAe,GAAG,IAAI,CAI1D"}

package/dist/services/git-config.js

@@ -0,0 +1,31 @@
+import fs from 'node:fs';
+import path from 'node:path';
+import { enforceOwnerOnly } from '../utils/file-permissions.js';
+import { FLEET_DIR } from '../paths.js';
+const GIT_CONFIG_PATH = path.join(FLEET_DIR, 'git-config.json');
+function ensureFleetDir() {
+    if (!fs.existsSync(FLEET_DIR)) {
+        fs.mkdirSync(FLEET_DIR, { recursive: true, mode: 0o700 });
+    }
+}
+export function loadGitConfig() {
+    ensureFleetDir();
+    if (!fs.existsSync(GIT_CONFIG_PATH))
+        return { version: '1.0' };
+    const raw = fs.readFileSync(GIT_CONFIG_PATH, 'utf-8');
+    return JSON.parse(raw);
+}
+export function saveGitConfig(config) {
+    ensureFleetDir();
+    fs.writeFileSync(GIT_CONFIG_PATH, JSON.stringify(config, null, 2), { mode: 0o600 });
+    enforceOwnerOnly(GIT_CONFIG_PATH);
+}
+export function getGitHubApp() {
+    return loadGitConfig().github;
+}
+export function setGitHubApp(config) {
+    const gitConfig = loadGitConfig();
+    gitConfig.github = config;
+    saveGitConfig(gitConfig);
+}
+//# sourceMappingURL=git-config.js.map

package/dist/services/git-config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"git-config.js","sourceRoot":"","sources":["../../src/services/git-config.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAE7B,OAAO,EAAE,gBAAgB,EAAE,MAAM,8BAA8B,CAAC;AAChE,OAAO,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AACxC,MAAM,eAAe,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,iBAAiB,CAAC,CAAC;AAEhE,SAAS,cAAc;IACrB,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QAC9B,EAAE,CAAC,SAAS,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAC5D,CAAC;AACH,CAAC;AAED,MAAM,UAAU,aAAa;IAC3B,cAAc,EAAE,CAAC;IACjB,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,eAAe,CAAC;QAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;IAC/D,MAAM,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,eAAe,EAAE,OAAO,CAAC,CAAC;IACtD,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAmB,CAAC;AAC3C,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,MAAsB;IAClD,cAAc,EAAE,CAAC;IACjB,EAAE,CAAC,aAAa,CAAC,eAAe,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IACpF,gBAAgB,CAAC,eAAe,CAAC,CAAC;AACpC,CAAC;AAED,MAAM,UAAU,YAAY;IAC1B,OAAO,aAAa,EAAE,CAAC,MAAM,CAAC;AAChC,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,MAAuB;IAClD,MAAM,SAAS,GAAG,aAAa,EAAE,CAAC;IAClC,SAAS,CAAC,MAAM,GAAG,MAAM,CAAC;IAC1B,aAAa,CAAC,SAAS,CAAC,CAAC;AAC3B,CAAC"}

package/dist/services/github-app.d.ts

@@ -0,0 +1,30 @@
+/**
+ * Read and validate a PEM private key file.
+ */
+export declare function loadPrivateKey(keyPath: string): string;
+/**
+ * Create a JWT for GitHub App authentication (RS256).
+ * Valid for 10 minutes, backdated 60 seconds for clock skew.
+ */
+export declare function createAppJWT(appId: string, privateKey: string): string;
+/**
+ * Verify GitHub App connectivity: authenticate as the app, then check the installation exists.
+ */
+export declare function verifyAppConnectivity(appId: string, privateKey: string, installationId: number): Promise<{
+    ok: boolean;
+    error?: string;
+    appName?: string;
+    orgName?: string;
+}>;
+/**
+ * Map fleet access levels to GitHub App installation token permissions.
+ */
+export declare function mapAccessLevel(level: string): Record<string, string>;
+/**
+ * Mint a scoped, short-lived installation access token.
+ */
+export declare function mintGitToken(appId: string, privateKey: string, installationId: number, repos: string[], permissions: Record<string, string>): Promise<{
+    token: string;
+    expiresAt: string;
+}>;
+//# sourceMappingURL=github-app.d.ts.map

package/dist/services/github-app.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"github-app.d.ts","sourceRoot":"","sources":["../../src/services/github-app.ts"],"names":[],"mappings":"AAKA;;GAEG;AACH,wBAAgB,cAAc,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAStD;AAED;;;GAGG;AACH,wBAAgB,YAAY,CAAC,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,MAAM,CAMtE;AAUD;;GAEG;AACH,wBAAsB,qBAAqB,CACzC,KAAK,EAAE,MAAM,EACb,UAAU,EAAE,MAAM,EAClB,cAAc,EAAE,MAAM,GACrB,OAAO,CAAC;IAAE,EAAE,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAC;IAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAAC,OAAO,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAkB9E;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CASpE;AAED;;GAEG;AACH,wBAAsB,YAAY,CAChC,KAAK,EAAE,MAAM,EACb,UAAU,EAAE,MAAM,EAClB,cAAc,EAAE,MAAM,EACtB,KAAK,EAAE,MAAM,EAAE,EACf,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAClC,OAAO,CAAC;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,MAAM,CAAA;CAAE,CAAC,CA+B/C"}