@aquaclawai/aquarium 1.0.0

package/dist/services/config-validator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config-validator.d.ts","sourceRoot":"","sources":["../../src/services/config-validator.ts"],"names":[],"mappings":"AAiBA,wBAAgB,gBAAgB,CAAC,UAAU,EAAE,MAAM,GAAG,IAAI,CAEzD;AAoBD,wBAAsB,mBAAmB,CACvC,UAAU,EAAE,MAAM,EAClB,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACrC,WAAW,EAAE,MAAM,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,EACzC,OAAO,CAAC,EAAE;IAAE,wBAAwB,CAAC,EAAE,OAAO,CAAA;CAAE,GAC/C,OAAO,CAAC;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,MAAM,CAAC,EAAE,MAAM,EAAE,CAAA;CAAE,CAAC,CAuChD"}

package/dist/services/config-validator.js

@@ -0,0 +1,59 @@
+import { createRequire } from 'module';
+const require = createRequire(import.meta.url);
+const Ajv = require('ajv').default;
+const ajv = new Ajv({ allErrors: true, strict: false });
+const validatorCache = new Map();
+const CACHE_TTL_MS = 5 * 60 * 1000; // 5 minutes
+export function clearSchemaCache(instanceId) {
+    validatorCache.delete(instanceId);
+}
+// Platform-level fields stored in instance.config but NOT part of the gateway schema.
+// These must be stripped before validating against the gateway's JSON schema
+// (which uses additionalProperties: false).
+const PLATFORM_CONFIG_KEYS = new Set([
+    'defaultProvider', 'defaultModel', 'provider', 'model',
+    'billingMode', 'imageTag', 'securityProfile',
+]);
+function stripPlatformFields(config) {
+    const stripped = {};
+    for (const [key, value] of Object.entries(config)) {
+        if (!PLATFORM_CONFIG_KEYS.has(key)) {
+            stripped[key] = value;
+        }
+    }
+    return stripped;
+}
+export async function validateConfigPatch(instanceId, mergedConfig, fetchSchema, options) {
+    // For PATCH operations, skip strict gateway schema validation.
+    // The gateway validates on push via config.patch RPC.
+    if (options?.skipFullSchemaValidation) {
+        return { valid: true };
+    }
+    let cached = validatorCache.get(instanceId);
+    if (!cached || Date.now() - cached.cachedAt > CACHE_TTL_MS) {
+        let schema;
+        try {
+            schema = await fetchSchema();
+        }
+        catch {
+            // Schema fetch failed -- graceful degradation, allow the patch through
+            return { valid: true };
+        }
+        if (!schema) {
+            // No schema available -- skip validation (graceful degradation)
+            return { valid: true };
+        }
+        const validate = ajv.compile(schema);
+        cached = { validate, cachedAt: Date.now() };
+        validatorCache.set(instanceId, cached);
+    }
+    // Strip platform-only fields before validating against gateway schema
+    const gatewayConfig = stripPlatformFields(mergedConfig);
+    const valid = cached.validate(gatewayConfig);
+    if (!valid) {
+        const errors = (cached.validate.errors || []).map((e) => `${e.instancePath || '/'}: ${e.message}`);
+        return { valid: false, errors };
+    }
+    return { valid: true };
+}
+//# sourceMappingURL=config-validator.js.map

package/dist/services/config-validator.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config-validator.js","sourceRoot":"","sources":["../../src/services/config-validator.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,aAAa,EAAE,MAAM,QAAQ,CAAC;AAEvC,MAAM,OAAO,GAAG,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC/C,MAAM,GAAG,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,OAE1B,CAAC;AAEF,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,EAAE,SAAS,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;AAExD,MAAM,cAAc,GAAG,IAAI,GAAG,EAG1B,CAAC;AAEL,MAAM,YAAY,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,YAAY;AAEhD,MAAM,UAAU,gBAAgB,CAAC,UAAkB;IACjD,cAAc,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;AACpC,CAAC;AAED,sFAAsF;AACtF,6EAA6E;AAC7E,4CAA4C;AAC5C,MAAM,oBAAoB,GAAG,IAAI,GAAG,CAAC;IACnC,iBAAiB,EAAE,cAAc,EAAE,UAAU,EAAE,OAAO;IACtD,aAAa,EAAE,UAAU,EAAE,iBAAiB;CAC7C,CAAC,CAAC;AAEH,SAAS,mBAAmB,CAAC,MAA+B;IAC1D,MAAM,QAAQ,GAA4B,EAAE,CAAC;IAC7C,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QAClD,IAAI,CAAC,oBAAoB,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;YACnC,QAAQ,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;QACxB,CAAC;IACH,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,UAAkB,EAClB,YAAqC,EACrC,WAAyC,EACzC,OAAgD;IAEhD,+DAA+D;IAC/D,sDAAsD;IACtD,IAAI,OAAO,EAAE,wBAAwB,EAAE,CAAC;QACtC,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;IACzB,CAAC;IAED,IAAI,MAAM,GAAG,cAAc,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IAE5C,IAAI,CAAC,MAAM,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,QAAQ,GAAG,YAAY,EAAE,CAAC;QAC3D,IAAI,MAAqB,CAAC;QAC1B,IAAI,CAAC;YACH,MAAM,GAAG,MAAM,WAAW,EAAE,CAAC;QAC/B,CAAC;QAAC,MAAM,CAAC;YACP,uEAAuE;YACvE,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;QACzB,CAAC;QAED,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,gEAAgE;YAChE,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;QACzB,CAAC;QAED,MAAM,QAAQ,GAAG,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QACrC,MAAM,GAAG,EAAE,QAAQ,EAAE,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;QAC5C,cAAc,CAAC,GAAG,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;IACzC,CAAC;IAED,sEAAsE;IACtE,MAAM,aAAa,GAAG,mBAAmB,CAAC,YAAY,CAAC,CAAC;IACxD,MAAM,KAAK,GAAG,MAAM,CAAC,QAAQ,CAAC,aAAa,CAAY,CAAC;IACxD,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,MAAM,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,GAAG,CAC/C,CAAC,CAAc,EAAE,EAAE,CAAC,GAAG,CAAC,CAAC,YAAY,IAAI,GAAG,KAAK,CAAC,CAAC,OAAO,EAAE,CAC7D,CAAC;QACF,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC;IAClC,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;AACzB,CAAC"}

package/dist/services/credential-audit.d.ts

@@ -0,0 +1,13 @@
+export type CredentialAuditAction = 'create' | 'read' | 'update' | 'delete' | 'resolve' | 'inject';
+export type CredentialAuditSource = 'api' | 'seed_config' | 'reseed';
+export interface CredentialAuditEntry {
+    action: CredentialAuditAction;
+    userId: string;
+    instanceId?: string | null;
+    provider: string;
+    credentialType: string;
+    source: CredentialAuditSource;
+    ipAddress?: string | null;
+}
+export declare function logCredentialAudit(entry: CredentialAuditEntry): Promise<void>;
+//# sourceMappingURL=credential-audit.d.ts.map

package/dist/services/credential-audit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"credential-audit.d.ts","sourceRoot":"","sources":["../../src/services/credential-audit.ts"],"names":[],"mappings":"AAEA,MAAM,MAAM,qBAAqB,GAAG,QAAQ,GAAG,MAAM,GAAG,QAAQ,GAAG,QAAQ,GAAG,SAAS,GAAG,QAAQ,CAAC;AACnG,MAAM,MAAM,qBAAqB,GAAG,KAAK,GAAG,aAAa,GAAG,QAAQ,CAAC;AAErE,MAAM,WAAW,oBAAoB;IACnC,MAAM,EAAE,qBAAqB,CAAC;IAC9B,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,QAAQ,EAAE,MAAM,CAAC;IACjB,cAAc,EAAE,MAAM,CAAC;IACvB,MAAM,EAAE,qBAAqB,CAAC;IAC9B,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC3B;AAED,wBAAsB,kBAAkB,CAAC,KAAK,EAAE,oBAAoB,GAAG,OAAO,CAAC,IAAI,CAAC,CAcnF"}

package/dist/services/credential-audit.js

@@ -0,0 +1,18 @@
+import { db } from '../db/index.js';
+export async function logCredentialAudit(entry) {
+    try {
+        await db('credential_audit_log').insert({
+            action: entry.action,
+            user_id: entry.userId,
+            instance_id: entry.instanceId ?? null,
+            provider: entry.provider,
+            credential_type: entry.credentialType,
+            source: entry.source,
+            ip_address: entry.ipAddress ?? null,
+        });
+    }
+    catch {
+        // Audit logging must never break the main flow
+    }
+}
+//# sourceMappingURL=credential-audit.js.map

package/dist/services/credential-audit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"credential-audit.js","sourceRoot":"","sources":["../../src/services/credential-audit.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,EAAE,EAAE,MAAM,gBAAgB,CAAC;AAepC,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,KAA2B;IAClE,IAAI,CAAC;QACH,MAAM,EAAE,CAAC,sBAAsB,CAAC,CAAC,MAAM,CAAC;YACtC,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,OAAO,EAAE,KAAK,CAAC,MAAM;YACrB,WAAW,EAAE,KAAK,CAAC,UAAU,IAAI,IAAI;YACrC,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,eAAe,EAAE,KAAK,CAAC,cAAc;YACrC,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,UAAU,EAAE,KAAK,CAAC,SAAS,IAAI,IAAI;SACpC,CAAC,CAAC;IACL,CAAC;IAAC,MAAM,CAAC;QACP,+CAA+C;IACjD,CAAC;AACH,CAAC"}

package/dist/services/credential-store.d.ts

@@ -0,0 +1,28 @@
+import { type CredentialAuditSource } from './credential-audit.js';
+export interface CredentialAuditContext {
+    userId: string;
+    source: CredentialAuditSource;
+    ipAddress?: string | null;
+}
+export declare function encrypt(plaintext: string): string;
+export declare function decrypt(encoded: string): string;
+export interface StoredCredential {
+    id: string;
+    instance_id: string;
+    provider: string;
+    credential_type: string;
+    encrypted_value: string;
+    metadata: Record<string, unknown>;
+    created_at: string;
+    updated_at: string;
+}
+export declare function addCredential(instanceId: string, provider: string, credentialType: string, value: string, metadata?: Record<string, unknown>, audit?: CredentialAuditContext): Promise<StoredCredential>;
+export declare function listCredentials(instanceId: string): Promise<StoredCredential[]>;
+export declare function getDecryptedCredentials(instanceId: string): Promise<Array<{
+    provider: string;
+    credentialType: string;
+    value: string;
+    metadata?: Record<string, unknown>;
+}>>;
+export declare function deleteCredential(credentialId: string, instanceId: string, audit?: CredentialAuditContext): Promise<boolean>;
+//# sourceMappingURL=credential-store.d.ts.map

package/dist/services/credential-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"credential-store.d.ts","sourceRoot":"","sources":["../../src/services/credential-store.ts"],"names":[],"mappings":"AAGA,OAAO,EAAsB,KAAK,qBAAqB,EAAE,MAAM,uBAAuB,CAAC;AAEvF,MAAM,WAAW,sBAAsB;IACrC,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,qBAAqB,CAAC;IAC9B,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC3B;AAWD,wBAAgB,OAAO,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,CAQjD;AAED,wBAAgB,OAAO,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAS/C;AAED,MAAM,WAAW,gBAAgB;IAC/B,EAAE,EAAE,MAAM,CAAC;IACX,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;IACjB,eAAe,EAAE,MAAM,CAAC;IACxB,eAAe,EAAE,MAAM,CAAC;IACxB,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAClC,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,wBAAsB,aAAa,CACjC,UAAU,EAAE,MAAM,EAClB,QAAQ,EAAE,MAAM,EAChB,cAAc,EAAE,MAAM,EACtB,KAAK,EAAE,MAAM,EACb,QAAQ,GAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAM,EACtC,KAAK,CAAC,EAAE,sBAAsB,GAC7B,OAAO,CAAC,gBAAgB,CAAC,CAgC3B;AAED,wBAAsB,eAAe,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,EAAE,CAAC,CAErF;AAED,wBAAsB,uBAAuB,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,KAAK,CAAC;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,cAAc,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAC;IAAC,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CAAE,CAAC,CAAC,CAQjL;AAED,wBAAsB,gBAAgB,CAAC,YAAY,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,sBAAsB,GAAG,OAAO,CAAC,OAAO,CAAC,CA4BjI"}

package/dist/services/credential-store.js

@@ -0,0 +1,99 @@
+import { createCipheriv, createDecipheriv, randomBytes } from 'crypto';
+import { db } from '../db/index.js';
+import { config } from '../config.js';
+import { logCredentialAudit } from './credential-audit.js';
+const ALGORITHM = 'aes-256-gcm';
+function deriveKey() {
+    // Pad or hash the encryption key to 32 bytes
+    const key = Buffer.alloc(32);
+    Buffer.from(config.encryptionKey).copy(key);
+    return key;
+}
+export function encrypt(plaintext) {
+    const key = deriveKey();
+    const iv = randomBytes(12);
+    const cipher = createCipheriv(ALGORITHM, key, iv);
+    const encrypted = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
+    const tag = cipher.getAuthTag();
+    // Format: iv:tag:ciphertext (all hex)
+    return `${iv.toString('hex')}:${tag.toString('hex')}:${encrypted.toString('hex')}`;
+}
+export function decrypt(encoded) {
+    const key = deriveKey();
+    const [ivHex, tagHex, dataHex] = encoded.split(':');
+    const iv = Buffer.from(ivHex, 'hex');
+    const tag = Buffer.from(tagHex, 'hex');
+    const data = Buffer.from(dataHex, 'hex');
+    const decipher = createDecipheriv(ALGORITHM, key, iv);
+    decipher.setAuthTag(tag);
+    return Buffer.concat([decipher.update(data), decipher.final()]).toString('utf8');
+}
+export async function addCredential(instanceId, provider, credentialType, value, metadata = {}, audit) {
+    const encrypted = encrypt(value);
+    const [row] = await db('instance_credentials')
+        .insert({
+        instance_id: instanceId,
+        provider,
+        credential_type: credentialType,
+        encrypted_value: encrypted,
+        metadata: JSON.stringify(metadata),
+    })
+        .onConflict(['instance_id', 'provider', 'credential_type'])
+        .merge({
+        encrypted_value: encrypted,
+        metadata: JSON.stringify(metadata),
+        updated_at: db.fn.now(),
+    })
+        .returning('*');
+    if (audit) {
+        logCredentialAudit({
+            action: 'create',
+            userId: audit.userId,
+            instanceId,
+            provider,
+            credentialType,
+            source: audit.source,
+            ipAddress: audit.ipAddress,
+        });
+    }
+    return row;
+}
+export async function listCredentials(instanceId) {
+    return db('instance_credentials').where({ instance_id: instanceId }).orderBy('provider');
+}
+export async function getDecryptedCredentials(instanceId) {
+    const rows = await listCredentials(instanceId);
+    return rows.map(r => ({
+        provider: r.provider,
+        credentialType: r.credential_type,
+        value: decrypt(r.encrypted_value),
+        metadata: r.metadata ? (typeof r.metadata === 'string' ? JSON.parse(r.metadata) : r.metadata) : undefined,
+    }));
+}
+export async function deleteCredential(credentialId, instanceId, audit) {
+    let provider = '';
+    let credentialType = '';
+    if (audit) {
+        const existing = await db('instance_credentials').where({ id: credentialId, instance_id: instanceId }).first();
+        if (existing) {
+            provider = existing.provider;
+            credentialType = existing.credential_type;
+        }
+    }
+    const count = await db('instance_credentials')
+        .where({ id: credentialId, instance_id: instanceId })
+        .delete();
+    if (count > 0 && audit && provider) {
+        logCredentialAudit({
+            action: 'delete',
+            userId: audit.userId,
+            instanceId,
+            provider,
+            credentialType,
+            source: audit.source,
+            ipAddress: audit.ipAddress,
+        });
+    }
+    return count > 0;
+}
+//# sourceMappingURL=credential-store.js.map

package/dist/services/credential-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"credential-store.js","sourceRoot":"","sources":["../../src/services/credential-store.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,gBAAgB,EAAE,WAAW,EAAE,MAAM,QAAQ,CAAC;AACvE,OAAO,EAAE,EAAE,EAAE,MAAM,gBAAgB,CAAC;AACpC,OAAO,EAAE,MAAM,EAAE,MAAM,cAAc,CAAC;AACtC,OAAO,EAAE,kBAAkB,EAA8B,MAAM,uBAAuB,CAAC;AAQvF,MAAM,SAAS,GAAG,aAAa,CAAC;AAEhC,SAAS,SAAS;IAChB,6CAA6C;IAC7C,MAAM,GAAG,GAAG,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IAC7B,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC5C,OAAO,GAAG,CAAC;AACb,CAAC;AAED,MAAM,UAAU,OAAO,CAAC,SAAiB;IACvC,MAAM,GAAG,GAAG,SAAS,EAAE,CAAC;IACxB,MAAM,EAAE,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC;IAC3B,MAAM,MAAM,GAAG,cAAc,CAAC,SAAS,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IAClD,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IACpF,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;IAChC,sCAAsC;IACtC,OAAO,GAAG,EAAE,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;AACrF,CAAC;AAED,MAAM,UAAU,OAAO,CAAC,OAAe;IACrC,MAAM,GAAG,GAAG,SAAS,EAAE,CAAC;IACxB,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACpD,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;IACrC,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;IACvC,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;IACzC,MAAM,QAAQ,GAAG,gBAAgB,CAAC,SAAS,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IACtD,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;IACzB,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;AACnF,CAAC;AAaD,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,UAAkB,EAClB,QAAgB,EAChB,cAAsB,EACtB,KAAa,EACb,WAAoC,EAAE,EACtC,KAA8B;IAE9B,MAAM,SAAS,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC;IAEjC,MAAM,CAAC,GAAG,CAAC,GAAG,MAAM,EAAE,CAAC,sBAAsB,CAAC;SAC3C,MAAM,CAAC;QACN,WAAW,EAAE,UAAU;QACvB,QAAQ;QACR,eAAe,EAAE,cAAc;QAC/B,eAAe,EAAE,SAAS;QAC1B,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC;KACnC,CAAC;SACD,UAAU,CAAC,CAAC,aAAa,EAAE,UAAU,EAAE,iBAAiB,CAAC,CAAC;SAC1D,KAAK,CAAC;QACL,eAAe,EAAE,SAAS;QAC1B,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC;QAClC,UAAU,EAAE,EAAE,CAAC,EAAE,CAAC,GAAG,EAAE;KACxB,CAAC;SACD,SAAS,CAAC,GAAG,CAAC,CAAC;IAElB,IAAI,KAAK,EAAE,CAAC;QACV,kBAAkB,CAAC;YACjB,MAAM,EAAE,QAAQ;YAChB,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,UAAU;YACV,QAAQ;YACR,cAAc;YACd,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,SAAS,EAAE,KAAK,CAAC,SAAS;SAC3B,CAAC,CAAC;IACL,CAAC;IAED,OAAO,GAAG,CAAC;AACb,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,UAAkB;IACtD,OAAO,EAAE,CAAC,sBAAsB,CAAC,CAAC,KAAK,CAAC,EAAE,WAAW,EAAE,UAAU,EAAE,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;AAC3F,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAAC,UAAkB;IAC9D,MAAM,IAAI,GAAG,MAAM,eAAe,CAAC,UAAU,CAAC,CAAC;IAC/C,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;QACpB,QAAQ,EAAE,CAAC,CAAC,QAAQ;QACpB,cAAc,EAAE,CAAC,CAAC,eAAe;QACjC,KAAK,EAAE,OAAO,CAAC,CAAC,CAAC,eAAe,CAAC;QACjC,QAAQ,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,SAAS;KAC1G,CAAC,CAAC,CAAC;AACN,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,YAAoB,EAAE,UAAkB,EAAE,KAA8B;IAC7G,IAAI,QAAQ,GAAG,EAAE,CAAC;IAClB,IAAI,cAAc,GAAG,EAAE,CAAC;IACxB,IAAI,KAAK,EAAE,CAAC;QACV,MAAM,QAAQ,GAAG,MAAM,EAAE,CAAC,sBAAsB,CAAC,CAAC,KAAK,CAAC,EAAE,EAAE,EAAE,YAAY,EAAE,WAAW,EAAE,UAAU,EAAE,CAAC,CAAC,KAAK,EAAE,CAAC;QAC/G,IAAI,QAAQ,EAAE,CAAC;YACb,QAAQ,GAAG,QAAQ,CAAC,QAAQ,CAAC;YAC7B,cAAc,GAAG,QAAQ,CAAC,eAAe,CAAC;QAC5C,CAAC;IACH,CAAC;IAED,MAAM,KAAK,GAAG,MAAM,EAAE,CAAC,sBAAsB,CAAC;SAC3C,KAAK,CAAC,EAAE,EAAE,EAAE,YAAY,EAAE,WAAW,EAAE,UAAU,EAAE,CAAC;SACpD,MAAM,EAAE,CAAC;IAEZ,IAAI,KAAK,GAAG,CAAC,IAAI,KAAK,IAAI,QAAQ,EAAE,CAAC;QACnC,kBAAkB,CAAC;YACjB,MAAM,EAAE,QAAQ;YAChB,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,UAAU;YACV,QAAQ;YACR,cAAc;YACd,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,SAAS,EAAE,KAAK,CAAC,SAAS;SAC3B,CAAC,CAAC;IACL,CAAC;IAED,OAAO,KAAK,GAAG,CAAC,CAAC;AACnB,CAAC"}

package/dist/services/dlp-scanner.d.ts

@@ -0,0 +1,9 @@
+export interface DlpFinding {
+    patternName: string;
+    filename: string;
+    lineNumber: number;
+    redacted: string;
+}
+export declare function scanContent(content: string, filename: string): DlpFinding[];
+export declare function scanWorkspaceFiles(files: Map<string, string>): DlpFinding[];
+//# sourceMappingURL=dlp-scanner.d.ts.map

package/dist/services/dlp-scanner.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dlp-scanner.d.ts","sourceRoot":"","sources":["../../src/services/dlp-scanner.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,UAAU;IACzB,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAiED,wBAAgB,WAAW,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,UAAU,EAAE,CA6B3E;AAED,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,UAAU,EAAE,CAS3E"}

package/dist/services/dlp-scanner.js

@@ -0,0 +1,90 @@
+const SENSITIVE_PATTERNS = [
+    {
+        name: 'OpenAI API Key',
+        pattern: /sk-[a-zA-Z0-9]{20,}/g,
+        minLength: 24,
+    },
+    {
+        name: 'Anthropic API Key',
+        pattern: /sk-ant-[a-zA-Z0-9-]{80,}/g,
+        minLength: 86,
+    },
+    {
+        name: 'GitHub PAT',
+        pattern: /ghp_[a-zA-Z0-9]{36}/g,
+    },
+    {
+        name: 'GitHub OAuth Token',
+        pattern: /gho_[a-zA-Z0-9]{36}/g,
+    },
+    {
+        name: 'GitHub Fine-grained PAT',
+        pattern: /github_pat_[a-zA-Z0-9_]{82}/g,
+    },
+    {
+        name: 'PEM Private Key',
+        pattern: /-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/g,
+    },
+    {
+        name: 'AWS Access Key',
+        pattern: /AKIA[0-9A-Z]{16}/g,
+    },
+    {
+        name: 'AWS Secret Key',
+        pattern: /(?:aws_secret_access_key|AWS_SECRET_ACCESS_KEY)\s*[=:]\s*[A-Za-z0-9/+=]{40}/g,
+    },
+    {
+        name: 'Google API Key',
+        pattern: /AIza[0-9A-Za-z_-]{35}/g,
+    },
+    {
+        name: 'Stripe Secret Key',
+        pattern: /sk_live_[a-zA-Z0-9]{24,}/g,
+        minLength: 32,
+    },
+    {
+        name: 'Ethereum Private Key',
+        pattern: /(?:0x)?[0-9a-fA-F]{64}(?=\s|$|['"`,;)\]}])/g,
+    },
+];
+function redactMatch(match) {
+    if (match.length <= 8)
+        return '***';
+    const prefix = match.slice(0, 4);
+    const suffix = match.slice(-4);
+    return `${prefix}${'*'.repeat(Math.min(match.length - 8, 20))}${suffix}`;
+}
+export function scanContent(content, filename) {
+    const findings = [];
+    const lines = content.split('\n');
+    for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        for (const sp of SENSITIVE_PATTERNS) {
+            // Reset lastIndex for global regexes
+            sp.pattern.lastIndex = 0;
+            let match;
+            while ((match = sp.pattern.exec(line)) !== null) {
+                const matchStr = match[0];
+                // Skip if too short (false positive filter)
+                if (sp.minLength && matchStr.length < sp.minLength)
+                    continue;
+                findings.push({
+                    patternName: sp.name,
+                    filename,
+                    lineNumber: i + 1,
+                    redacted: redactMatch(matchStr),
+                });
+            }
+        }
+    }
+    return findings;
+}
+export function scanWorkspaceFiles(files) {
+    const allFindings = [];
+    for (const [filename, content] of files) {
+        const findings = scanContent(content, filename);
+        allFindings.push(...findings);
+    }
+    return allFindings;
+}
+//# sourceMappingURL=dlp-scanner.js.map

package/dist/services/dlp-scanner.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dlp-scanner.js","sourceRoot":"","sources":["../../src/services/dlp-scanner.ts"],"names":[],"mappings":"AAaA,MAAM,kBAAkB,GAAuB;IAC7C;QACE,IAAI,EAAE,gBAAgB;QACtB,OAAO,EAAE,sBAAsB;QAC/B,SAAS,EAAE,EAAE;KACd;IACD;QACE,IAAI,EAAE,mBAAmB;QACzB,OAAO,EAAE,2BAA2B;QACpC,SAAS,EAAE,EAAE;KACd;IACD;QACE,IAAI,EAAE,YAAY;QAClB,OAAO,EAAE,sBAAsB;KAChC;IACD;QACE,IAAI,EAAE,oBAAoB;QAC1B,OAAO,EAAE,sBAAsB;KAChC;IACD;QACE,IAAI,EAAE,yBAAyB;QAC/B,OAAO,EAAE,8BAA8B;KACxC;IACD;QACE,IAAI,EAAE,iBAAiB;QACvB,OAAO,EAAE,yDAAyD;KACnE;IACD;QACE,IAAI,EAAE,gBAAgB;QACtB,OAAO,EAAE,mBAAmB;KAC7B;IACD;QACE,IAAI,EAAE,gBAAgB;QACtB,OAAO,EAAE,8EAA8E;KACxF;IACD;QACE,IAAI,EAAE,gBAAgB;QACtB,OAAO,EAAE,wBAAwB;KAClC;IACD;QACE,IAAI,EAAE,mBAAmB;QACzB,OAAO,EAAE,2BAA2B;QACpC,SAAS,EAAE,EAAE;KACd;IACD;QACE,IAAI,EAAE,sBAAsB;QAC5B,OAAO,EAAE,6CAA6C;KACvD;CACF,CAAC;AAEF,SAAS,WAAW,CAAC,KAAa;IAChC,IAAI,KAAK,CAAC,MAAM,IAAI,CAAC;QAAE,OAAO,KAAK,CAAC;IACpC,MAAM,MAAM,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IACjC,MAAM,MAAM,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IAC/B,OAAO,GAAG,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,MAAM,EAAE,CAAC;AAC3E,CAAC;AAED,MAAM,UAAU,WAAW,CAAC,OAAe,EAAE,QAAgB;IAC3D,MAAM,QAAQ,GAAiB,EAAE,CAAC;IAClC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAElC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QAEtB,KAAK,MAAM,EAAE,IAAI,kBAAkB,EAAE,CAAC;YACpC,qCAAqC;YACrC,EAAE,CAAC,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;YAEzB,IAAI,KAA6B,CAAC;YAClC,OAAO,CAAC,KAAK,GAAG,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;gBAChD,MAAM,QAAQ,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;gBAE1B,4CAA4C;gBAC5C,IAAI,EAAE,CAAC,SAAS,IAAI,QAAQ,CAAC,MAAM,GAAG,EAAE,CAAC,SAAS;oBAAE,SAAS;gBAE7D,QAAQ,CAAC,IAAI,CAAC;oBACZ,WAAW,EAAE,EAAE,CAAC,IAAI;oBACpB,QAAQ;oBACR,UAAU,EAAE,CAAC,GAAG,CAAC;oBACjB,QAAQ,EAAE,WAAW,CAAC,QAAQ,CAAC;iBAChC,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,KAA0B;IAC3D,MAAM,WAAW,GAAiB,EAAE,CAAC;IAErC,KAAK,MAAM,CAAC,QAAQ,EAAE,OAAO,CAAC,IAAI,KAAK,EAAE,CAAC;QACxC,MAAM,QAAQ,GAAG,WAAW,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QAChD,WAAW,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,CAAC;IAChC,CAAC;IAED,OAAO,WAAW,CAAC;AACrB,CAAC"}

package/dist/services/gateway-event-relay.d.ts

@@ -0,0 +1,53 @@
+import type { ExecApprovalRequest, SecurityProfile } from '@aquarium/shared';
+export declare function preloadDlpConfig(instanceId: string, profile: SecurityProfile): void;
+export declare function evictDlpConfig(instanceId: string): void;
+export interface ChatEventData {
+    sessionKey: string;
+    state: string;
+    content: unknown;
+    role?: string;
+    messageId?: string;
+}
+interface PendingApproval extends ExecApprovalRequest {
+    instanceId: string;
+    timer: ReturnType<typeof setTimeout>;
+}
+export declare function addPendingApproval(instanceId: string, req: ExecApprovalRequest): void;
+export declare function removePendingApproval(instanceId: string, approvalId: string): void;
+export declare function consumePendingApproval(instanceId: string, approvalId: string): PendingApproval | null;
+export declare function getPendingApprovalsForInstance(instanceId: string): ExecApprovalRequest[];
+declare class PersistentGatewayClient {
+    private readonly instanceId;
+    private readonly endpoint;
+    private readonly token;
+    private ws;
+    private connected;
+    private closed;
+    private retryCount;
+    private retryTimeout;
+    private pendingRequests;
+    constructor(instanceId: string, endpoint: string, token: string);
+    private connect;
+    private scheduleReconnect;
+    call(method: string, params?: Record<string, unknown>, timeoutMs?: number): Promise<unknown>;
+    get isConnected(): boolean;
+    get isExhausted(): boolean;
+    close(): void;
+}
+export declare function startGatewayEventRelay(): void;
+export declare function stopGatewayEventRelay(): void;
+export declare function connectGateway(instanceId: string, endpoint: string, token: string): void;
+export declare function disconnectGateway(instanceId: string): void;
+export declare function getGatewayClient(instanceId: string): PersistentGatewayClient | null;
+/**
+ * Register a one-time callback for a chat completion event.
+ * Resolves when the gateway emits a chat event with state === 'final'
+ * for the given instanceId + sessionKey combination.
+ */
+export declare function waitForChatCompletion(instanceId: string, sessionKey: string, timeoutMs?: number): Promise<ChatEventData>;
+/**
+ * Cancel a pending chat completion callback.
+ */
+export declare function cancelChatCompletion(instanceId: string, sessionKey: string): void;
+export {};
+//# sourceMappingURL=gateway-event-relay.d.ts.map

package/dist/services/gateway-event-relay.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"gateway-event-relay.d.ts","sourceRoot":"","sources":["../../src/services/gateway-event-relay.ts"],"names":[],"mappings":"AAUA,OAAO,KAAK,EAAE,mBAAmB,EAAE,eAAe,EAAa,MAAM,kBAAkB,CAAC;AASxF,wBAAgB,gBAAgB,CAAC,UAAU,EAAE,MAAM,EAAE,OAAO,EAAE,eAAe,GAAG,IAAI,CAEnF;AAED,wBAAgB,cAAc,CAAC,UAAU,EAAE,MAAM,GAAG,IAAI,CAEvD;AAsCD,MAAM,WAAW,aAAa;IAC5B,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,OAAO,CAAC;IACjB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAOD,UAAU,eAAgB,SAAQ,mBAAmB;IACnD,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,EAAE,UAAU,CAAC,OAAO,UAAU,CAAC,CAAC;CACtC;AAQD,wBAAgB,kBAAkB,CAAC,UAAU,EAAE,MAAM,EAAE,GAAG,EAAE,mBAAmB,GAAG,IAAI,CAarF;AAED,wBAAgB,qBAAqB,CAAC,UAAU,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,IAAI,CAOlF;AAED,wBAAgB,sBAAsB,CAAC,UAAU,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,eAAe,GAAG,IAAI,CAOrG;AAED,wBAAgB,8BAA8B,CAAC,UAAU,EAAE,MAAM,GAAG,mBAAmB,EAAE,CAexF;AAOD,cAAM,uBAAuB;IASzB,OAAO,CAAC,QAAQ,CAAC,UAAU;IAC3B,OAAO,CAAC,QAAQ,CAAC,QAAQ;IACzB,OAAO,CAAC,QAAQ,CAAC,KAAK;IAVxB,OAAO,CAAC,EAAE,CAA0B;IACpC,OAAO,CAAC,SAAS,CAAS;IAC1B,OAAO,CAAC,MAAM,CAAS;IACvB,OAAO,CAAC,UAAU,CAAK;IACvB,OAAO,CAAC,YAAY,CAA8C;IAClE,OAAO,CAAC,eAAe,CAAqC;gBAGzC,UAAU,EAAE,MAAM,EAClB,QAAQ,EAAE,MAAM,EAChB,KAAK,EAAE,MAAM;IAKhC,OAAO,CAAC,OAAO;IAgQf,OAAO,CAAC,iBAAiB;IAenB,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,GAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAM,EAAE,SAAS,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC;IAetG,IAAI,WAAW,IAAI,OAAO,CAEzB;IAED,IAAI,WAAW,IAAI,OAAO,CAEzB;IAED,KAAK,IAAI,IAAI;CA4Bd;AAoDD,wBAAgB,sBAAsB,IAAI,IAAI,CAY7C;AAED,wBAAgB,qBAAqB,IAAI,IAAI,CAY5C;AAED,wBAAgB,cAAc,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI,CAQxF;AAED,wBAAgB,iBAAiB,CAAC,UAAU,EAAE,MAAM,GAAG,IAAI,CAM1D;AAED,wBAAgB,gBAAgB,CAAC,UAAU,EAAE,MAAM,GAAG,uBAAuB,GAAG,IAAI,CAGnF;AAED;;;;GAIG;AACH,wBAAgB,qBAAqB,CACnC,UAAU,EAAE,MAAM,EAClB,UAAU,EAAE,MAAM,EAClB,SAAS,SAAU,GAClB,OAAO,CAAC,aAAa,CAAC,CAyBxB;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,UAAU,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,IAAI,CAQjF"}