@axtary/cli 0.0.1 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (49) hide show
  1. package/LICENSE +202 -0
  2. package/README.md +140 -6
  3. package/dist/bin.js +10 -0
  4. package/dist/bin.js.map +1 -1
  5. package/dist/claude-code-hook.d.ts +65 -0
  6. package/dist/claude-code-hook.d.ts.map +1 -0
  7. package/dist/claude-code-hook.js +326 -0
  8. package/dist/claude-code-hook.js.map +1 -0
  9. package/dist/codex-hook.d.ts +48 -0
  10. package/dist/codex-hook.d.ts.map +1 -0
  11. package/dist/codex-hook.js +259 -0
  12. package/dist/codex-hook.js.map +1 -0
  13. package/dist/credentials.d.ts +101 -0
  14. package/dist/credentials.d.ts.map +1 -0
  15. package/dist/credentials.js +277 -0
  16. package/dist/credentials.js.map +1 -0
  17. package/dist/cursor-hook.d.ts +51 -0
  18. package/dist/cursor-hook.d.ts.map +1 -0
  19. package/dist/cursor-hook.js +214 -0
  20. package/dist/cursor-hook.js.map +1 -0
  21. package/dist/hook-install.d.ts +21 -0
  22. package/dist/hook-install.d.ts.map +1 -0
  23. package/dist/hook-install.js +179 -0
  24. package/dist/hook-install.js.map +1 -0
  25. package/dist/index.d.ts +897 -5
  26. package/dist/index.d.ts.map +1 -1
  27. package/dist/index.js +6750 -513
  28. package/dist/index.js.map +1 -1
  29. package/dist/mcp-fs-normalize.d.ts +18 -0
  30. package/dist/mcp-fs-normalize.d.ts.map +1 -0
  31. package/dist/mcp-fs-normalize.js +39 -0
  32. package/dist/mcp-fs-normalize.js.map +1 -0
  33. package/dist/mcp-oauth.d.ts +67 -0
  34. package/dist/mcp-oauth.d.ts.map +1 -0
  35. package/dist/mcp-oauth.js +242 -0
  36. package/dist/mcp-oauth.js.map +1 -0
  37. package/dist/oauth.d.ts +90 -0
  38. package/dist/oauth.d.ts.map +1 -0
  39. package/dist/oauth.js +339 -0
  40. package/dist/oauth.js.map +1 -0
  41. package/dist/render.d.ts +103 -0
  42. package/dist/render.d.ts.map +1 -0
  43. package/dist/render.js +172 -0
  44. package/dist/render.js.map +1 -0
  45. package/dist/shell-file-normalize.d.ts +21 -0
  46. package/dist/shell-file-normalize.d.ts.map +1 -0
  47. package/dist/shell-file-normalize.js +269 -0
  48. package/dist/shell-file-normalize.js.map +1 -0
  49. package/package.json +17 -13
@@ -0,0 +1,101 @@
1
+ import { spawnSync } from "node:child_process";
2
+ export declare const CREDENTIALS_SCHEMA_VERSION = "axtary.credentials.v0";
3
+ export type CredentialSecretBackendName = "keychain" | "file";
4
+ /** Non-secret record of a connected provider. Safe to print / show in a UI. */
5
+ export type CredentialMetadata = {
6
+ provider: string;
7
+ type: "oauth" | "token";
8
+ source: "oauth" | "manual";
9
+ scopes: string[];
10
+ obtainedAt: string;
11
+ expiresAt: string | null;
12
+ /** A non-secret label like a Slack team id or workspace name. */
13
+ account: string | null;
14
+ /** Non-secret provider routing data, for example Jira cloudId and siteUrl. */
15
+ context?: Record<string, string>;
16
+ secretBackend: CredentialSecretBackendName;
17
+ };
18
+ /** Full credential including the secret material. Never logged or serialized to status output. */
19
+ export type StoredCredential = CredentialMetadata & {
20
+ accessToken: string;
21
+ refreshToken: string | null;
22
+ };
23
+ export type CredentialSecret = {
24
+ accessToken: string;
25
+ refreshToken: string | null;
26
+ };
27
+ /** Pluggable secret storage so the keychain can be swapped for a file (or an in-memory fake in tests). */
28
+ export type CredentialSecretBackend = {
29
+ readonly name: CredentialSecretBackendName;
30
+ get(provider: string): Promise<CredentialSecret | null>;
31
+ set(provider: string, secret: CredentialSecret): Promise<void>;
32
+ delete(provider: string): Promise<void>;
33
+ };
34
+ /** True when the macOS `security` keychain CLI is usable. */
35
+ export declare function macKeychainAvailable(platform?: NodeJS.Platform, run?: typeof spawnSync): boolean;
36
+ /** macOS keychain-backed secret store (generic passwords under a per-provider service). */
37
+ export declare function createMacKeychainSecretBackend(run?: typeof spawnSync): CredentialSecretBackend;
38
+ export type CredentialStoreOptions = {
39
+ baseDir?: string;
40
+ secretBackend?: CredentialSecretBackend;
41
+ platform?: NodeJS.Platform;
42
+ run?: typeof spawnSync;
43
+ };
44
+ export declare class CredentialStore {
45
+ private readonly baseDir;
46
+ private readonly filePath;
47
+ private readonly secretBackend;
48
+ constructor(options?: CredentialStoreOptions);
49
+ /** The backend chosen for new writes (so callers can report where secrets land). */
50
+ secretBackendName(): CredentialSecretBackendName;
51
+ get(provider: string): Promise<StoredCredential | null>;
52
+ set(input: {
53
+ provider: string;
54
+ type: CredentialMetadata["type"];
55
+ source: CredentialMetadata["source"];
56
+ accessToken: string;
57
+ refreshToken?: string | null;
58
+ scopes?: string[];
59
+ expiresAt?: string | null;
60
+ account?: string | null;
61
+ context?: Record<string, string>;
62
+ }): Promise<CredentialMetadata>;
63
+ /**
64
+ * Write the secret to the preferred backend, then read it back and confirm it
65
+ * round-trips. If the keychain write did not actually persist a readable
66
+ * secret — e.g. macOS `security add-generic-password -w` reads the password
67
+ * from the controlling TTY rather than our piped stdin, storing garbage — fall
68
+ * back to the portable 0600 file backend instead of silently storing an
69
+ * unreadable credential. The secret value is never placed on a process argv.
70
+ */
71
+ private writeSecretVerified;
72
+ delete(provider: string): Promise<boolean>;
73
+ /** Metadata only — never returns secret material. */
74
+ list(): Promise<CredentialMetadata[]>;
75
+ private fileSecretBackend;
76
+ private read;
77
+ private write;
78
+ }
79
+ /** True once an OAuth credential has lapsed (with a small safety skew). */
80
+ export declare function credentialExpired(credential: Pick<StoredCredential, "expiresAt">, now?: number, skewMs?: number): boolean;
81
+ /**
82
+ * Resolve a provider token with the broker taking precedence over a raw env
83
+ * var. A connected, non-expired stored credential wins; otherwise we fall back
84
+ * to `env[tokenEnv]` (which itself may be populated by a secret manager — see
85
+ * https://docs.axtary.com/credentials). Returns the token and where it came from.
86
+ */
87
+ export declare function resolveProviderToken(input: {
88
+ provider: string;
89
+ tokenEnv: string;
90
+ env: Record<string, string | undefined>;
91
+ store: CredentialStore | null;
92
+ now?: number;
93
+ }): Promise<{
94
+ token: string | undefined;
95
+ source: "broker" | "env" | "missing";
96
+ }>;
97
+ export declare function loadCredentialStore(options?: CredentialStoreOptions): CredentialStore;
98
+ export declare function credentialsBaseDir(): string;
99
+ export declare function credentialsLocation(baseDir?: string): string;
100
+ export declare function removeCredentialsFile(baseDir: string): Promise<void>;
101
+ //# sourceMappingURL=credentials.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"credentials.d.ts","sourceRoot":"","sources":["../src/credentials.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAgB/C,eAAO,MAAM,0BAA0B,0BAA0B,CAAC;AAElE,MAAM,MAAM,2BAA2B,GAAG,UAAU,GAAG,MAAM,CAAC;AAE9D,+EAA+E;AAC/E,MAAM,MAAM,kBAAkB,GAAG;IAC/B,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,OAAO,GAAG,OAAO,CAAC;IACxB,MAAM,EAAE,OAAO,GAAG,QAAQ,CAAC;IAC3B,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,iEAAiE;IACjE,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB,8EAA8E;IAC9E,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACjC,aAAa,EAAE,2BAA2B,CAAC;CAC5C,CAAC;AAEF,kGAAkG;AAClG,MAAM,MAAM,gBAAgB,GAAG,kBAAkB,GAAG;IAClD,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;CAC7B,CAAC;AAEF,MAAM,MAAM,gBAAgB,GAAG;IAC7B,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;CAC7B,CAAC;AAEF,0GAA0G;AAC1G,MAAM,MAAM,uBAAuB,GAAG;IACpC,QAAQ,CAAC,IAAI,EAAE,2BAA2B,CAAC;IAC3C,GAAG,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,GAAG,IAAI,CAAC,CAAC;IACxD,GAAG,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,gBAAgB,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC/D,MAAM,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACzC,CAAC;AAoBF,6DAA6D;AAC7D,wBAAgB,oBAAoB,CAClC,QAAQ,GAAE,MAAM,CAAC,QAA2B,EAC5C,GAAG,GAAE,OAAO,SAAqB,GAChC,OAAO,CAIT;AAED,2FAA2F;AAC3F,wBAAgB,8BAA8B,CAC5C,GAAG,GAAE,OAAO,SAAqB,GAChC,uBAAuB,CAmDzB;AAED,MAAM,MAAM,sBAAsB,GAAG;IACnC,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,aAAa,CAAC,EAAE,uBAAuB,CAAC;IACxC,QAAQ,CAAC,EAAE,MAAM,CAAC,QAAQ,CAAC;IAC3B,GAAG,CAAC,EAAE,OAAO,SAAS,CAAC;CACxB,CAAC;AAmBF,qBAAa,eAAe;IAC1B,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;IACjC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAS;IAClC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAA0B;gBAE5C,OAAO,GAAE,sBAA2B;IAMhD,oFAAoF;IACpF,iBAAiB,IAAI,2BAA2B;IAI1C,GAAG,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,GAAG,IAAI,CAAC;IAiBvD,GAAG,CAAC,KAAK,EAAE;QACf,QAAQ,EAAE,MAAM,CAAC;QACjB,IAAI,EAAE,kBAAkB,CAAC,MAAM,CAAC,CAAC;QACjC,MAAM,EAAE,kBAAkB,CAAC,QAAQ,CAAC,CAAC;QACrC,WAAW,EAAE,MAAM,CAAC;QACpB,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;QAC7B,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;QAClB,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;QAC1B,OAAO,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;QACxB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;KAClC,GAAG,OAAO,CAAC,kBAAkB,CAAC;IA4B/B;;;;;;;OAOG;YACW,mBAAmB;IAmC3B,MAAM,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAehD,qDAAqD;IAC/C,IAAI,IAAI,OAAO,CAAC,kBAAkB,EAAE,CAAC;IAK3C,OAAO,CAAC,iBAAiB;YAuBX,IAAI;YAiBJ,KAAK;CAQpB;AAED,2EAA2E;AAC3E,wBAAgB,iBAAiB,CAC/B,UAAU,EAAE,IAAI,CAAC,gBAAgB,EAAE,WAAW,CAAC,EAC/C,GAAG,GAAE,MAAmB,EACxB,MAAM,SAAS,GACd,OAAO,CAGT;AAED;;;;;GAKG;AACH,wBAAsB,oBAAoB,CAAC,KAAK,EAAE;IAChD,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,CAAC;IACxC,KAAK,EAAE,eAAe,GAAG,IAAI,CAAC;IAC9B,GAAG,CAAC,EAAE,MAAM,CAAC;CACd,GAAG,OAAO,CAAC;IAAE,KAAK,EAAE,MAAM,GAAG,SAAS,CAAC;IAAC,MAAM,EAAE,QAAQ,GAAG,KAAK,GAAG,SAAS,CAAA;CAAE,CAAC,CAU/E;AAED,wBAAgB,mBAAmB,CAAC,OAAO,GAAE,sBAA2B,GAAG,eAAe,CAEzF;AAED,wBAAgB,kBAAkB,IAAI,MAAM,CAE3C;AAED,wBAAgB,mBAAmB,CAAC,OAAO,GAAE,MAAyB,GAAG,MAAM,CAE9E;AAGD,wBAAsB,qBAAqB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAG1E"}
@@ -0,0 +1,277 @@
1
+ import { spawnSync } from "node:child_process";
2
+ import { mkdir, readFile, rm, writeFile } from "node:fs/promises";
3
+ import { homedir } from "node:os";
4
+ import { dirname, join } from "node:path";
5
+ // Axtary local credential broker.
6
+ //
7
+ // PRD §10.1: the credential broker runs locally so provider secrets stay on the
8
+ // customer's machine and never reach the hosted control plane. This module is
9
+ // that broker's storage layer: it keeps a 0600 metadata file (which providers
10
+ // are connected, scopes, expiry — never the secret) and stores the actual access
11
+ // tokens in the OS keychain when available, falling back to the same 0600 file.
12
+ //
13
+ // The metadata/secret split means `axtary connections` (status) is secret-safe
14
+ // by construction: it only ever reads metadata, never a token.
15
+ export const CREDENTIALS_SCHEMA_VERSION = "axtary.credentials.v0";
16
+ const KEYCHAIN_SERVICE_PREFIX = "axtary:credential:";
17
+ const KEYCHAIN_ACCOUNT = "axtary";
18
+ function defaultBaseDir() {
19
+ return process.env.AXTARY_HOME ?? join(homedir(), ".axtary");
20
+ }
21
+ function credentialsFilePath(baseDir) {
22
+ return join(baseDir, "credentials.json");
23
+ }
24
+ /** True when the macOS `security` keychain CLI is usable. */
25
+ export function macKeychainAvailable(platform = process.platform, run = spawnSync) {
26
+ if (platform !== "darwin")
27
+ return false;
28
+ const probe = run("security", ["help"], { stdio: "ignore" });
29
+ return probe.status === 0 || probe.status === 1; // `security help` exits non-zero but exists
30
+ }
31
+ /** macOS keychain-backed secret store (generic passwords under a per-provider service). */
32
+ export function createMacKeychainSecretBackend(run = spawnSync) {
33
+ const service = (provider) => `${KEYCHAIN_SERVICE_PREFIX}${provider}`;
34
+ return {
35
+ name: "keychain",
36
+ async get(provider) {
37
+ const result = run("security", ["find-generic-password", "-a", KEYCHAIN_ACCOUNT, "-s", service(provider), "-w"], { encoding: "utf8" });
38
+ if (result.status !== 0 || typeof result.stdout !== "string")
39
+ return null;
40
+ try {
41
+ return JSON.parse(result.stdout.trim());
42
+ }
43
+ catch {
44
+ return null;
45
+ }
46
+ },
47
+ async set(provider, secret) {
48
+ // Pass the secret on stdin, never on argv. `-w` with no value makes
49
+ // `security` read the password from the prompt (here, stdin), which
50
+ // prompts twice ("password" + "retype"), so the payload is written twice.
51
+ // This keeps the token off the `security` process command line, where
52
+ // `ps` would otherwise expose it to any same-user process. `-U` updates an
53
+ // existing item.
54
+ const payload = JSON.stringify(secret);
55
+ const result = run("security", [
56
+ "add-generic-password",
57
+ "-U",
58
+ "-a",
59
+ KEYCHAIN_ACCOUNT,
60
+ "-s",
61
+ service(provider),
62
+ "-w",
63
+ ], { input: `${payload}\n${payload}\n`, stdio: ["pipe", "ignore", "ignore"] });
64
+ if (result.status !== 0) {
65
+ throw new Error("credential_keychain_write_failed");
66
+ }
67
+ },
68
+ async delete(provider) {
69
+ run("security", ["delete-generic-password", "-a", KEYCHAIN_ACCOUNT, "-s", service(provider)], { stdio: "ignore" });
70
+ },
71
+ };
72
+ }
73
+ /**
74
+ * Resolve the secret backend: explicit override wins; otherwise keychain on
75
+ * macOS when available, else the 0600 file. `AXTARY_CREDENTIAL_BACKEND=file`
76
+ * forces the portable file backend (useful in CI / containers).
77
+ */
78
+ function resolveSecretBackend(options, fileBackend) {
79
+ if (options.secretBackend)
80
+ return options.secretBackend;
81
+ if (process.env.AXTARY_CREDENTIAL_BACKEND === "file")
82
+ return fileBackend;
83
+ if (macKeychainAvailable(options.platform, options.run)) {
84
+ return createMacKeychainSecretBackend(options.run);
85
+ }
86
+ return fileBackend;
87
+ }
88
+ export class CredentialStore {
89
+ baseDir;
90
+ filePath;
91
+ secretBackend;
92
+ constructor(options = {}) {
93
+ this.baseDir = options.baseDir ?? defaultBaseDir();
94
+ this.filePath = credentialsFilePath(this.baseDir);
95
+ this.secretBackend = resolveSecretBackend(options, this.fileSecretBackend());
96
+ }
97
+ /** The backend chosen for new writes (so callers can report where secrets land). */
98
+ secretBackendName() {
99
+ return this.secretBackend.name;
100
+ }
101
+ async get(provider) {
102
+ const file = await this.read();
103
+ const metadata = file.credentials[provider];
104
+ if (!metadata)
105
+ return null;
106
+ const backend = metadata.secretBackend === this.secretBackend.name
107
+ ? this.secretBackend
108
+ : metadata.secretBackend === "file"
109
+ ? this.fileSecretBackend()
110
+ : createMacKeychainSecretBackend();
111
+ const secret = await backend.get(provider);
112
+ if (!secret)
113
+ return null;
114
+ return { ...metadata, accessToken: secret.accessToken, refreshToken: secret.refreshToken };
115
+ }
116
+ async set(input) {
117
+ const usedBackend = await this.writeSecretVerified(input.provider, {
118
+ accessToken: input.accessToken,
119
+ refreshToken: input.refreshToken ?? null,
120
+ });
121
+ const metadata = {
122
+ provider: input.provider,
123
+ type: input.type,
124
+ source: input.source,
125
+ scopes: input.scopes ?? [],
126
+ obtainedAt: new Date().toISOString(),
127
+ expiresAt: input.expiresAt ?? null,
128
+ account: input.account ?? null,
129
+ context: input.context,
130
+ secretBackend: usedBackend.name,
131
+ };
132
+ const file = await this.read();
133
+ file.credentials[input.provider] = metadata;
134
+ if (usedBackend.name !== "file" && file.secrets) {
135
+ delete file.secrets[input.provider];
136
+ }
137
+ await this.write(file);
138
+ return metadata;
139
+ }
140
+ /**
141
+ * Write the secret to the preferred backend, then read it back and confirm it
142
+ * round-trips. If the keychain write did not actually persist a readable
143
+ * secret — e.g. macOS `security add-generic-password -w` reads the password
144
+ * from the controlling TTY rather than our piped stdin, storing garbage — fall
145
+ * back to the portable 0600 file backend instead of silently storing an
146
+ * unreadable credential. The secret value is never placed on a process argv.
147
+ */
148
+ async writeSecretVerified(provider, secret) {
149
+ const primary = this.secretBackend;
150
+ try {
151
+ await primary.set(provider, secret);
152
+ const readBack = await primary.get(provider);
153
+ if (readBack &&
154
+ readBack.accessToken === secret.accessToken &&
155
+ (readBack.refreshToken ?? null) === (secret.refreshToken ?? null)) {
156
+ return primary;
157
+ }
158
+ }
159
+ catch {
160
+ // Fall through to the file backend below.
161
+ }
162
+ if (primary.name === "file") {
163
+ throw new Error("credential_secret_write_failed");
164
+ }
165
+ // The preferred backend did not round-trip. Remove any partial item it left,
166
+ // then store the secret in the verifiable 0600 file backend.
167
+ try {
168
+ await primary.delete(provider);
169
+ }
170
+ catch {
171
+ // best-effort cleanup
172
+ }
173
+ const fileBackend = this.fileSecretBackend();
174
+ await fileBackend.set(provider, secret);
175
+ return fileBackend;
176
+ }
177
+ async delete(provider) {
178
+ const file = await this.read();
179
+ const metadata = file.credentials[provider];
180
+ if (!metadata)
181
+ return false;
182
+ const backend = metadata.secretBackend === "file" ? this.fileSecretBackend() : createMacKeychainSecretBackend();
183
+ await backend.delete(provider);
184
+ delete file.credentials[provider];
185
+ if (file.secrets)
186
+ delete file.secrets[provider];
187
+ await this.write(file);
188
+ return true;
189
+ }
190
+ /** Metadata only — never returns secret material. */
191
+ async list() {
192
+ const file = await this.read();
193
+ return Object.values(file.credentials).sort((a, b) => a.provider.localeCompare(b.provider));
194
+ }
195
+ fileSecretBackend() {
196
+ return {
197
+ name: "file",
198
+ get: async (provider) => {
199
+ const file = await this.read();
200
+ return file.secrets?.[provider] ?? null;
201
+ },
202
+ set: async (provider, secret) => {
203
+ const file = await this.read();
204
+ file.secrets = file.secrets ?? {};
205
+ file.secrets[provider] = secret;
206
+ await this.write(file);
207
+ },
208
+ delete: async (provider) => {
209
+ const file = await this.read();
210
+ if (file.secrets) {
211
+ delete file.secrets[provider];
212
+ await this.write(file);
213
+ }
214
+ },
215
+ };
216
+ }
217
+ async read() {
218
+ try {
219
+ const raw = await readFile(this.filePath, "utf8");
220
+ const parsed = JSON.parse(raw);
221
+ return {
222
+ version: parsed.version ?? CREDENTIALS_SCHEMA_VERSION,
223
+ credentials: parsed.credentials ?? {},
224
+ secrets: parsed.secrets,
225
+ };
226
+ }
227
+ catch (error) {
228
+ if (error.code === "ENOENT") {
229
+ return { version: CREDENTIALS_SCHEMA_VERSION, credentials: {} };
230
+ }
231
+ throw error;
232
+ }
233
+ }
234
+ async write(file) {
235
+ await mkdir(this.baseDir, { recursive: true, mode: 0o700 });
236
+ await writeFile(this.filePath, `${JSON.stringify({ ...file, version: CREDENTIALS_SCHEMA_VERSION }, null, 2)}\n`, { mode: 0o600 });
237
+ }
238
+ }
239
+ /** True once an OAuth credential has lapsed (with a small safety skew). */
240
+ export function credentialExpired(credential, now = Date.now(), skewMs = 30_000) {
241
+ if (!credential.expiresAt)
242
+ return false;
243
+ return new Date(credential.expiresAt).getTime() - skewMs <= now;
244
+ }
245
+ /**
246
+ * Resolve a provider token with the broker taking precedence over a raw env
247
+ * var. A connected, non-expired stored credential wins; otherwise we fall back
248
+ * to `env[tokenEnv]` (which itself may be populated by a secret manager — see
249
+ * https://docs.axtary.com/credentials). Returns the token and where it came from.
250
+ */
251
+ export async function resolveProviderToken(input) {
252
+ if (input.store) {
253
+ const credential = await input.store.get(input.provider);
254
+ if (credential && !credentialExpired(credential, input.now)) {
255
+ return { token: credential.accessToken, source: "broker" };
256
+ }
257
+ }
258
+ const envToken = input.env[input.tokenEnv];
259
+ if (envToken)
260
+ return { token: envToken, source: "env" };
261
+ return { token: undefined, source: "missing" };
262
+ }
263
+ export function loadCredentialStore(options = {}) {
264
+ return new CredentialStore(options);
265
+ }
266
+ export function credentialsBaseDir() {
267
+ return defaultBaseDir();
268
+ }
269
+ export function credentialsLocation(baseDir = defaultBaseDir()) {
270
+ return credentialsFilePath(baseDir);
271
+ }
272
+ // Re-exported for callers that need to clean up a base dir in tests.
273
+ export async function removeCredentialsFile(baseDir) {
274
+ await rm(credentialsFilePath(baseDir), { force: true });
275
+ await rm(dirname(credentialsFilePath(baseDir)), { force: true, recursive: true });
276
+ }
277
+ //# sourceMappingURL=credentials.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"credentials.js","sourceRoot":"","sources":["../src/credentials.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAC/C,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,EAAE,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAClE,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAE1C,kCAAkC;AAClC,EAAE;AACF,gFAAgF;AAChF,8EAA8E;AAC9E,8EAA8E;AAC9E,iFAAiF;AACjF,gFAAgF;AAChF,EAAE;AACF,+EAA+E;AAC/E,+DAA+D;AAE/D,MAAM,CAAC,MAAM,0BAA0B,GAAG,uBAAuB,CAAC;AA6ClE,MAAM,uBAAuB,GAAG,oBAAoB,CAAC;AACrD,MAAM,gBAAgB,GAAG,QAAQ,CAAC;AAElC,SAAS,cAAc;IACrB,OAAO,OAAO,CAAC,GAAG,CAAC,WAAW,IAAI,IAAI,CAAC,OAAO,EAAE,EAAE,SAAS,CAAC,CAAC;AAC/D,CAAC;AAED,SAAS,mBAAmB,CAAC,OAAe;IAC1C,OAAO,IAAI,CAAC,OAAO,EAAE,kBAAkB,CAAC,CAAC;AAC3C,CAAC;AAED,6DAA6D;AAC7D,MAAM,UAAU,oBAAoB,CAClC,WAA4B,OAAO,CAAC,QAAQ,EAC5C,MAAwB,SAAS;IAEjC,IAAI,QAAQ,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IACxC,MAAM,KAAK,GAAG,GAAG,CAAC,UAAU,EAAE,CAAC,MAAM,CAAC,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC;IAC7D,OAAO,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,4CAA4C;AAC/F,CAAC;AAED,2FAA2F;AAC3F,MAAM,UAAU,8BAA8B,CAC5C,MAAwB,SAAS;IAEjC,MAAM,OAAO,GAAG,CAAC,QAAgB,EAAE,EAAE,CAAC,GAAG,uBAAuB,GAAG,QAAQ,EAAE,CAAC;IAE9E,OAAO;QACL,IAAI,EAAE,UAAU;QAChB,KAAK,CAAC,GAAG,CAAC,QAAQ;YAChB,MAAM,MAAM,GAAG,GAAG,CAChB,UAAU,EACV,CAAC,uBAAuB,EAAE,IAAI,EAAE,gBAAgB,EAAE,IAAI,EAAE,OAAO,CAAC,QAAQ,CAAC,EAAE,IAAI,CAAC,EAChF,EAAE,QAAQ,EAAE,MAAM,EAAE,CACrB,CAAC;YACF,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,IAAI,OAAO,MAAM,CAAC,MAAM,KAAK,QAAQ;gBAAE,OAAO,IAAI,CAAC;YAC1E,IAAI,CAAC;gBACH,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAqB,CAAC;YAC9D,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;QACD,KAAK,CAAC,GAAG,CAAC,QAAQ,EAAE,MAAM;YACxB,oEAAoE;YACpE,oEAAoE;YACpE,0EAA0E;YAC1E,sEAAsE;YACtE,2EAA2E;YAC3E,iBAAiB;YACjB,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;YACvC,MAAM,MAAM,GAAG,GAAG,CAChB,UAAU,EACV;gBACE,sBAAsB;gBACtB,IAAI;gBACJ,IAAI;gBACJ,gBAAgB;gBAChB,IAAI;gBACJ,OAAO,CAAC,QAAQ,CAAC;gBACjB,IAAI;aACL,EACD,EAAE,KAAK,EAAE,GAAG,OAAO,KAAK,OAAO,IAAI,EAAE,KAAK,EAAE,CAAC,MAAM,EAAE,QAAQ,EAAE,QAAQ,CAAC,EAAE,CAC3E,CAAC;YACF,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACxB,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;YACtD,CAAC;QACH,CAAC;QACD,KAAK,CAAC,MAAM,CAAC,QAAQ;YACnB,GAAG,CACD,UAAU,EACV,CAAC,yBAAyB,EAAE,IAAI,EAAE,gBAAgB,EAAE,IAAI,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC,EAC5E,EAAE,KAAK,EAAE,QAAQ,EAAE,CACpB,CAAC;QACJ,CAAC;KACF,CAAC;AACJ,CAAC;AASD;;;;GAIG;AACH,SAAS,oBAAoB,CAC3B,OAA+B,EAC/B,WAAoC;IAEpC,IAAI,OAAO,CAAC,aAAa;QAAE,OAAO,OAAO,CAAC,aAAa,CAAC;IACxD,IAAI,OAAO,CAAC,GAAG,CAAC,yBAAyB,KAAK,MAAM;QAAE,OAAO,WAAW,CAAC;IACzE,IAAI,oBAAoB,CAAC,OAAO,CAAC,QAAQ,EAAE,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QACxD,OAAO,8BAA8B,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACrD,CAAC;IACD,OAAO,WAAW,CAAC;AACrB,CAAC;AAED,MAAM,OAAO,eAAe;IACT,OAAO,CAAS;IAChB,QAAQ,CAAS;IACjB,aAAa,CAA0B;IAExD,YAAY,UAAkC,EAAE;QAC9C,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,cAAc,EAAE,CAAC;QACnD,IAAI,CAAC,QAAQ,GAAG,mBAAmB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAClD,IAAI,CAAC,aAAa,GAAG,oBAAoB,CAAC,OAAO,EAAE,IAAI,CAAC,iBAAiB,EAAE,CAAC,CAAC;IAC/E,CAAC;IAED,oFAAoF;IACpF,iBAAiB;QACf,OAAO,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC;IACjC,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,QAAgB;QACxB,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;QAC/B,MAAM,QAAQ,GAAG,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC;QAC5C,IAAI,CAAC,QAAQ;YAAE,OAAO,IAAI,CAAC;QAE3B,MAAM,OAAO,GACX,QAAQ,CAAC,aAAa,KAAK,IAAI,CAAC,aAAa,CAAC,IAAI;YAChD,CAAC,CAAC,IAAI,CAAC,aAAa;YACpB,CAAC,CAAC,QAAQ,CAAC,aAAa,KAAK,MAAM;gBACjC,CAAC,CAAC,IAAI,CAAC,iBAAiB,EAAE;gBAC1B,CAAC,CAAC,8BAA8B,EAAE,CAAC;QACzC,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC3C,IAAI,CAAC,MAAM;YAAE,OAAO,IAAI,CAAC;QAEzB,OAAO,EAAE,GAAG,QAAQ,EAAE,WAAW,EAAE,MAAM,CAAC,WAAW,EAAE,YAAY,EAAE,MAAM,CAAC,YAAY,EAAE,CAAC;IAC7F,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,KAUT;QACC,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,mBAAmB,CAAC,KAAK,CAAC,QAAQ,EAAE;YACjE,WAAW,EAAE,KAAK,CAAC,WAAW;YAC9B,YAAY,EAAE,KAAK,CAAC,YAAY,IAAI,IAAI;SACzC,CAAC,CAAC;QAEH,MAAM,QAAQ,GAAuB;YACnC,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,IAAI,EAAE,KAAK,CAAC,IAAI;YAChB,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,MAAM,EAAE,KAAK,CAAC,MAAM,IAAI,EAAE;YAC1B,UAAU,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACpC,SAAS,EAAE,KAAK,CAAC,SAAS,IAAI,IAAI;YAClC,OAAO,EAAE,KAAK,CAAC,OAAO,IAAI,IAAI;YAC9B,OAAO,EAAE,KAAK,CAAC,OAAO;YACtB,aAAa,EAAE,WAAW,CAAC,IAAI;SAChC,CAAC;QAEF,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;QAC/B,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,QAAQ,CAAC;QAC5C,IAAI,WAAW,CAAC,IAAI,KAAK,MAAM,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YAChD,OAAO,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;QACtC,CAAC;QACD,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAEvB,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED;;;;;;;OAOG;IACK,KAAK,CAAC,mBAAmB,CAC/B,QAAgB,EAChB,MAAwB;QAExB,MAAM,OAAO,GAAG,IAAI,CAAC,aAAa,CAAC;QACnC,IAAI,CAAC;YACH,MAAM,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;YACpC,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;YAC7C,IACE,QAAQ;gBACR,QAAQ,CAAC,WAAW,KAAK,MAAM,CAAC,WAAW;gBAC3C,CAAC,QAAQ,CAAC,YAAY,IAAI,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,YAAY,IAAI,IAAI,CAAC,EACjE,CAAC;gBACD,OAAO,OAAO,CAAC;YACjB,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,0CAA0C;QAC5C,CAAC;QAED,IAAI,OAAO,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;YAC5B,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC;QACpD,CAAC;QAED,6EAA6E;QAC7E,6DAA6D;QAC7D,IAAI,CAAC;YACH,MAAM,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QACjC,CAAC;QAAC,MAAM,CAAC;YACP,sBAAsB;QACxB,CAAC;QACD,MAAM,WAAW,GAAG,IAAI,CAAC,iBAAiB,EAAE,CAAC;QAC7C,MAAM,WAAW,CAAC,GAAG,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QACxC,OAAO,WAAW,CAAC;IACrB,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,QAAgB;QAC3B,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;QAC/B,MAAM,QAAQ,GAAG,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC;QAC5C,IAAI,CAAC,QAAQ;YAAE,OAAO,KAAK,CAAC;QAE5B,MAAM,OAAO,GACX,QAAQ,CAAC,aAAa,KAAK,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,iBAAiB,EAAE,CAAC,CAAC,CAAC,8BAA8B,EAAE,CAAC;QAClG,MAAM,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QAE/B,OAAO,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC;QAClC,IAAI,IAAI,CAAC,OAAO;YAAE,OAAO,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;QAChD,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QACvB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,qDAAqD;IACrD,KAAK,CAAC,IAAI;QACR,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;QAC/B,OAAO,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC;IAC9F,CAAC;IAEO,iBAAiB;QACvB,OAAO;YACL,IAAI,EAAE,MAAM;YACZ,GAAG,EAAE,KAAK,EAAE,QAAQ,EAAE,EAAE;gBACtB,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;gBAC/B,OAAO,IAAI,CAAC,OAAO,EAAE,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC;YAC1C,CAAC;YACD,GAAG,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE;gBAC9B,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;gBAC/B,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,OAAO,IAAI,EAAE,CAAC;gBAClC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,MAAM,CAAC;gBAChC,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YACzB,CAAC;YACD,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,EAAE;gBACzB,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;gBAC/B,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;oBACjB,OAAO,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;oBAC9B,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;gBACzB,CAAC;YACH,CAAC;SACF,CAAC;IACJ,CAAC;IAEO,KAAK,CAAC,IAAI;QAChB,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;YAClD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAA4B,CAAC;YAC1D,OAAO;gBACL,OAAO,EAAE,MAAM,CAAC,OAAO,IAAI,0BAA0B;gBACrD,WAAW,EAAE,MAAM,CAAC,WAAW,IAAI,EAAE;gBACrC,OAAO,EAAE,MAAM,CAAC,OAAO;aACxB,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAK,KAA+B,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;gBACvD,OAAO,EAAE,OAAO,EAAE,0BAA0B,EAAE,WAAW,EAAE,EAAE,EAAE,CAAC;YAClE,CAAC;YACD,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,KAAK,CAAC,IAAoB;QACtC,MAAM,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QAC5D,MAAM,SAAS,CACb,IAAI,CAAC,QAAQ,EACb,GAAG,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,0BAA0B,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAChF,EAAE,IAAI,EAAE,KAAK,EAAE,CAChB,CAAC;IACJ,CAAC;CACF;AAED,2EAA2E;AAC3E,MAAM,UAAU,iBAAiB,CAC/B,UAA+C,EAC/C,MAAc,IAAI,CAAC,GAAG,EAAE,EACxB,MAAM,GAAG,MAAM;IAEf,IAAI,CAAC,UAAU,CAAC,SAAS;QAAE,OAAO,KAAK,CAAC;IACxC,OAAO,IAAI,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,GAAG,MAAM,IAAI,GAAG,CAAC;AAClE,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CAAC,KAM1C;IACC,IAAI,KAAK,CAAC,KAAK,EAAE,CAAC;QAChB,MAAM,UAAU,GAAG,MAAM,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;QACzD,IAAI,UAAU,IAAI,CAAC,iBAAiB,CAAC,UAAU,EAAE,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC;YAC5D,OAAO,EAAE,KAAK,EAAE,UAAU,CAAC,WAAW,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC;QAC7D,CAAC;IACH,CAAC;IACD,MAAM,QAAQ,GAAG,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;IAC3C,IAAI,QAAQ;QAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;IACxD,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC;AACjD,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,UAAkC,EAAE;IACtE,OAAO,IAAI,eAAe,CAAC,OAAO,CAAC,CAAC;AACtC,CAAC;AAED,MAAM,UAAU,kBAAkB;IAChC,OAAO,cAAc,EAAE,CAAC;AAC1B,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,UAAkB,cAAc,EAAE;IACpE,OAAO,mBAAmB,CAAC,OAAO,CAAC,CAAC;AACtC,CAAC;AAED,qEAAqE;AACrE,MAAM,CAAC,KAAK,UAAU,qBAAqB,CAAC,OAAe;IACzD,MAAM,EAAE,CAAC,mBAAmB,CAAC,OAAO,CAAC,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IACxD,MAAM,EAAE,CAAC,OAAO,CAAC,mBAAmB,CAAC,OAAO,CAAC,CAAC,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;AACpF,CAAC"}
@@ -0,0 +1,51 @@
1
+ import { type JsonValue, type NormalizedAction } from "@axtary/actionpass";
2
+ export declare const CURSOR_HOOK_SCHEMA_VERSION = "axtary.cursor_hook.v0";
3
+ export type CursorHookPayload = {
4
+ hookEventName: string | null;
5
+ conversationId: string | null;
6
+ toolName: string;
7
+ toolInput: Record<string, JsonValue>;
8
+ /** MCP server identity for a remote (`url`) or local (`command`) server. */
9
+ url: string | null;
10
+ command: string | null;
11
+ workspaceRoot: string | null;
12
+ userEmail: string | null;
13
+ };
14
+ export type CursorHookPermission = "allow" | "deny" | "ask";
15
+ export type CursorNormalization = {
16
+ mapped: true;
17
+ action: NormalizedAction;
18
+ } | {
19
+ mapped: false;
20
+ reason: string;
21
+ };
22
+ export type CursorNormalizeOptions = {
23
+ repoResource?: string;
24
+ humanOwner?: string;
25
+ branch?: string;
26
+ };
27
+ export type CursorHookRunInput = {
28
+ payloadText: string;
29
+ proxyUrl?: string;
30
+ repoResource?: string;
31
+ humanOwner?: string;
32
+ branch?: string;
33
+ timeoutMs?: number;
34
+ fetch?: typeof fetch;
35
+ };
36
+ export type CursorHookRunResult = {
37
+ schemaVersion: typeof CURSOR_HOOK_SCHEMA_VERSION;
38
+ /** Internal decision; `no_opinion` emits no permission so Cursor proceeds. */
39
+ status: "allow" | "ask" | "deny" | "no_opinion";
40
+ tool: string | null;
41
+ normalizedTool: string | null;
42
+ reason: string | null;
43
+ /** JSON to write to stdout. */
44
+ output: string;
45
+ /** Always 0: Cursor fails open on non-zero exits, so decisions live in JSON. */
46
+ exitCode: number;
47
+ };
48
+ export declare function parseCursorHookPayload(payloadText: string): CursorHookPayload;
49
+ export declare function normalizeCursorToolCall(payload: CursorHookPayload, options?: CursorNormalizeOptions): CursorNormalization;
50
+ export declare function runCursorHook(input: CursorHookRunInput): Promise<CursorHookRunResult>;
51
+ //# sourceMappingURL=cursor-hook.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"cursor-hook.d.ts","sourceRoot":"","sources":["../src/cursor-hook.ts"],"names":[],"mappings":"AAAA,OAAO,EAEL,KAAK,SAAS,EACd,KAAK,gBAAgB,EACtB,MAAM,oBAAoB,CAAC;AAuB5B,eAAO,MAAM,0BAA0B,0BAA0B,CAAC;AAElE,MAAM,MAAM,iBAAiB,GAAG;IAC9B,aAAa,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,cAAc,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;IACrC,4EAA4E;IAC5E,GAAG,EAAE,MAAM,GAAG,IAAI,CAAC;IACnB,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB,aAAa,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;CAC1B,CAAC;AAEF,MAAM,MAAM,oBAAoB,GAAG,OAAO,GAAG,MAAM,GAAG,KAAK,CAAC;AAE5D,MAAM,MAAM,mBAAmB,GAC3B;IAAE,MAAM,EAAE,IAAI,CAAC;IAAC,MAAM,EAAE,gBAAgB,CAAA;CAAE,GAC1C;IAAE,MAAM,EAAE,KAAK,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC;AAEtC,MAAM,MAAM,sBAAsB,GAAG;IACnC,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB,CAAC;AAEF,MAAM,MAAM,kBAAkB,GAAG;IAC/B,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,KAAK,CAAC,EAAE,OAAO,KAAK,CAAC;CACtB,CAAC;AAEF,MAAM,MAAM,mBAAmB,GAAG;IAChC,aAAa,EAAE,OAAO,0BAA0B,CAAC;IACjD,8EAA8E;IAC9E,MAAM,EAAE,OAAO,GAAG,KAAK,GAAG,MAAM,GAAG,YAAY,CAAC;IAChD,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,cAAc,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,+BAA+B;IAC/B,MAAM,EAAE,MAAM,CAAC;IACf,gFAAgF;IAChF,QAAQ,EAAE,MAAM,CAAC;CAClB,CAAC;AAEF,wBAAgB,sBAAsB,CAAC,WAAW,EAAE,MAAM,GAAG,iBAAiB,CA6C7E;AAED,wBAAgB,uBAAuB,CACrC,OAAO,EAAE,iBAAiB,EAC1B,OAAO,GAAE,sBAA2B,GACnC,mBAAmB,CA4ErB;AAED,wBAAsB,aAAa,CACjC,KAAK,EAAE,kBAAkB,GACxB,OAAO,CAAC,mBAAmB,CAAC,CAyF9B"}