@caplets/core 0.25.0 → 0.26.0

package/dist/caplet-source.js

@@ -770,7 +770,7 @@ function collectionFromPath(schema, path, value) {
 			const a = [];
 			a[k] = v;
 			v = a;
-		} else v = new Map([[k, v]]);
+		} else v = /* @__PURE__ */ new Map([[k, v]]);
 	}
 	return createNode(v, void 0, {
 		aliasDuplicateObjects: false,
@@ -1304,7 +1304,7 @@ function stringify(item, ctx, onComment, onChompKeep) {
 		if (ctx.resolvedAliases?.has(item)) throw new TypeError(`Cannot stringify circular structure without alias nodes`);
 		else {
 			if (ctx.resolvedAliases) ctx.resolvedAliases.add(item);
-			else ctx.resolvedAliases = new Set([item]);
+			else ctx.resolvedAliases = /* @__PURE__ */ new Set([item]);
 			item = item.resolve(ctx.doc);
 		}
 	}
@@ -2494,7 +2494,7 @@ const schema = [
 ];
 //#endregion
 //#region ../../node_modules/.pnpm/yaml@2.9.0/node_modules/yaml/browser/dist/schema/tags.js
-const schemas = new Map([
+const schemas = /* @__PURE__ */ new Map([
 	["core", schema$2],
 	["failsafe", [
 		map,
@@ -5878,7 +5878,10 @@ function assignProp(target, prop, value) {
 }
 function mergeDefs(...defs) {
 	const mergedDescriptors = {};
-	for (const def of defs) Object.assign(mergedDescriptors, Object.getOwnPropertyDescriptors(def));
+	for (const def of defs) {
+		const descriptors = Object.getOwnPropertyDescriptors(def);
+		Object.assign(mergedDescriptors, descriptors);
+	}
 	return Object.defineProperties({}, mergedDescriptors);
 }
 function esc(str) {
@@ -7309,13 +7312,13 @@ const $ZodObject = /*@__PURE__*/ $constructor("$ZodObject", (inst, def) => {
 		}
 		return propValues;
 	});
-	const isObject$1 = isObject;
+	const isObject$2 = isObject;
 	const catchall = def.catchall;
 	let value;
 	inst._zod.parse = (payload, ctx) => {
 		value ?? (value = _normalized.value);
 		const input = payload.value;
-		if (!isObject$1(input)) {
+		if (!isObject$2(input)) {
 			payload.issues.push({
 				expected: "object",
 				code: "invalid_type",
@@ -7438,7 +7441,7 @@ const $ZodObjectJIT = /*@__PURE__*/ $constructor("$ZodObjectJIT", (inst, def) =>
 		return (payload, ctx) => fn(shape, payload, ctx);
 	};
 	let fastpass;
-	const isObject$2 = isObject;
+	const isObject$1 = isObject;
 	const jit = !globalConfig.jitless;
 	const fastEnabled = jit && allowsEval.value;
 	const catchall = def.catchall;
@@ -7446,7 +7449,7 @@ const $ZodObjectJIT = /*@__PURE__*/ $constructor("$ZodObjectJIT", (inst, def) =>
 	inst._zod.parse = (payload, ctx) => {
 		value ?? (value = _normalized.value);
 		const input = payload.value;
-		if (!isObject$2(input)) {
+		if (!isObject$1(input)) {
 			payload.issues.push({
 				expected: "object",
 				code: "invalid_type",
@@ -7848,7 +7851,7 @@ const $ZodOptional = /*@__PURE__*/ $constructor("$ZodOptional", (inst, def) => {
 	inst._zod.optin = "optional";
 	inst._zod.optout = "optional";
 	defineLazy(inst._zod, "values", () => {
-		return def.innerType._zod.values ? new Set([...def.innerType._zod.values, void 0]) : void 0;
+		return def.innerType._zod.values ? /* @__PURE__ */ new Set([...def.innerType._zod.values, void 0]) : void 0;
 	});
 	defineLazy(inst._zod, "pattern", () => {
 		const pattern = def.innerType._zod.pattern;
@@ -7882,7 +7885,7 @@ const $ZodNullable = /*@__PURE__*/ $constructor("$ZodNullable", (inst, def) => {
 		return pattern ? new RegExp(`^(${cleanRegex(pattern.source)}|null)$`) : void 0;
 	});
 	defineLazy(inst._zod, "values", () => {
-		return def.innerType._zod.values ? new Set([...def.innerType._zod.values, null]) : void 0;
+		return def.innerType._zod.values ? /* @__PURE__ */ new Set([...def.innerType._zod.values, null]) : void 0;
 	});
 	inst._zod.parse = (payload, ctx) => {
 		if (payload.value === null) return payload;
@@ -10030,7 +10033,7 @@ function superRefine(fn, params) {
 const SERVER_ID_PATTERN = /^[a-zA-Z0-9_-]{1,64}$/;
 const HEADER_NAME_PATTERN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
 const HTTP_BASE_URL_PATTERN = /^(?![a-zA-Z][a-zA-Z0-9+.-]*:\/\/[^/?#]*@)[^?#]*$/;
-const FORBIDDEN_HEADERS = new Set([
+const FORBIDDEN_HEADERS = /* @__PURE__ */ new Set([
 	"accept",
 	"authorization",
 	"connection",
@@ -10240,7 +10243,7 @@ const capletMcpServerSchema = object({
 		path: ["url"],
 		message: "remote servers require url"
 	});
-	if (server.url && !hasEnvReference$2(server.url) && !isAllowedRemoteUrl(server.url)) ctx.addIssue({
+	if (server.url && !hasInterpolationReference(server.url) && !isAllowedRemoteUrl(server.url)) ctx.addIssue({
 		code: "custom",
 		path: ["url"],
 		message: "remote url must use https except loopback development urls"
@@ -10253,7 +10256,7 @@ const capletMcpServerSchema = object({
 		"redirectUri"
 	]) {
 		const value = server.auth[field];
-		if (value && !hasEnvReference$2(value) && !isUrl(value)) ctx.addIssue({
+		if (value && !hasInterpolationReference(value) && !isUrl(value)) ctx.addIssue({
 			code: "custom",
 			path: ["auth", field],
 			message: `${field} must be a URL or environment reference`
@@ -10287,12 +10290,12 @@ const capletOpenApiEndpointSchema = object({
 		code: "custom",
 		message: "openapiEndpoint must define exactly one spec source: specPath or specUrl"
 	});
-	if (endpoint.specUrl && !hasEnvReference$2(endpoint.specUrl) && !isAllowedRemoteUrl(endpoint.specUrl)) ctx.addIssue({
+	if (endpoint.specUrl && !hasInterpolationReference(endpoint.specUrl) && !isAllowedRemoteUrl(endpoint.specUrl)) ctx.addIssue({
 		code: "custom",
 		path: ["specUrl"],
 		message: "OpenAPI specUrl must use https except loopback development urls"
 	});
-	if (endpoint.baseUrl && !hasEnvReference$2(endpoint.baseUrl) && !isAllowedRemoteUrl(endpoint.baseUrl)) ctx.addIssue({
+	if (endpoint.baseUrl && !hasInterpolationReference(endpoint.baseUrl) && !isAllowedRemoteUrl(endpoint.baseUrl)) ctx.addIssue({
 		code: "custom",
 		path: ["baseUrl"],
 		message: "OpenAPI baseUrl must use https except loopback development urls"
@@ -10317,12 +10320,12 @@ const capletGoogleDiscoveryApiSchema = object({
 		code: "custom",
 		message: "googleDiscoveryApi must define exactly one discovery source: discoveryPath or discoveryUrl"
 	});
-	if (api.discoveryUrl && !hasEnvReference$2(api.discoveryUrl) && !isAllowedRemoteUrl(api.discoveryUrl)) ctx.addIssue({
+	if (api.discoveryUrl && !hasInterpolationReference(api.discoveryUrl) && !isAllowedRemoteUrl(api.discoveryUrl)) ctx.addIssue({
 		code: "custom",
 		path: ["discoveryUrl"],
 		message: "Google Discovery discoveryUrl must use https except loopback development urls"
 	});
-	if (api.baseUrl && !hasEnvReference$2(api.baseUrl) && !isAllowedHttpBaseUrl(api.baseUrl)) ctx.addIssue({
+	if (api.baseUrl && !hasInterpolationReference(api.baseUrl) && !isAllowedHttpBaseUrl(api.baseUrl)) ctx.addIssue({
 		code: "custom",
 		path: ["baseUrl"],
 		message: "Google Discovery baseUrl must use https except loopback development urls and must not include credentials, query, or fragment"
@@ -10359,12 +10362,12 @@ const capletGraphQlEndpointSchema = object({
 		code: "custom",
 		message: "graphqlEndpoint must define exactly one schema source: schemaPath, schemaUrl, or introspection"
 	});
-	if (endpoint.endpointUrl && !hasEnvReference$2(endpoint.endpointUrl) && !isAllowedRemoteUrl(endpoint.endpointUrl)) ctx.addIssue({
+	if (endpoint.endpointUrl && !hasInterpolationReference(endpoint.endpointUrl) && !isAllowedRemoteUrl(endpoint.endpointUrl)) ctx.addIssue({
 		code: "custom",
 		path: ["endpointUrl"],
 		message: "GraphQL endpointUrl must use https except loopback development urls"
 	});
-	if (endpoint.schemaUrl && !hasEnvReference$2(endpoint.schemaUrl) && !isAllowedRemoteUrl(endpoint.schemaUrl)) ctx.addIssue({
+	if (endpoint.schemaUrl && !hasInterpolationReference(endpoint.schemaUrl) && !isAllowedRemoteUrl(endpoint.schemaUrl)) ctx.addIssue({
 		code: "custom",
 		path: ["schemaUrl"],
 		message: "GraphQL schemaUrl must use https except loopback development urls"
@@ -10408,7 +10411,7 @@ const capletHttpApiSchema = object({
 	projectBinding: capletProjectBindingSchema.optional(),
 	runtime: capletRuntimeRequirementsSchema.optional()
 }).strict().superRefine((api, ctx) => {
-	if (api.baseUrl && !hasEnvReference$2(api.baseUrl) && !isAllowedHttpBaseUrl(api.baseUrl)) ctx.addIssue({
+	if (api.baseUrl && !hasInterpolationReference(api.baseUrl) && !isAllowedHttpBaseUrl(api.baseUrl)) ctx.addIssue({
 		code: "custom",
 		path: ["baseUrl"],
 		message: "HTTP API baseUrl must use https except loopback development urls and must not include credentials, query, or fragment"
@@ -10713,7 +10716,7 @@ function normalizeGraphQlOperations(operations, baseDir, normalizePath) {
 	}]));
 }
 function normalizeBundleLocalPath(value, baseDir) {
-	if (!value || isMapAbsolutePath(value) || hasEnvReference$2(value)) return value;
+	if (!value || isMapAbsolutePath(value) || hasInterpolationReference(value)) return value;
 	const parts = [...baseDir ? baseDir.split("/") : [], ...value.split("/")];
 	const normalized = [];
 	for (const part of parts) {
@@ -10793,8 +10796,8 @@ function validateCapletId(id, path) {
 function errorMessage$1(error) {
 	return error instanceof Error ? error.message : String(error);
 }
-function hasEnvReference$2(value) {
-	return /\$\{[A-Za-z_][A-Za-z0-9_]*\}|\$env:[A-Za-z_][A-Za-z0-9_]*/.test(value);
+function hasInterpolationReference(value) {
+	return /\$\{[A-Za-z_][A-Za-z0-9_]*\}|\$env:[A-Za-z_][A-Za-z0-9_]*|\$\{vault:[^}]+\}|\$vault:[A-Za-z0-9_-]+/.test(value);
 }
 //#endregion
 //#region src/config-runtime.ts

package/dist/cli/auth.d.ts

@@ -70,6 +70,7 @@ export declare function localAuthTargets(options: {
 })[];
 export declare function localAuthConfigForTarget(options: {
     serverId: string;
+    authDir?: string | undefined;
     configPath?: string;
     projectConfigPath?: string;
     source: Exclude<AuthSource, "remote">;

package/dist/cli/commands.d.ts

@@ -31,8 +31,9 @@ export declare const cliCommands: {
     readonly complete: "complete";
     readonly config: "config";
     readonly auth: "auth";
+    readonly vault: "vault";
 };
-export declare const topLevelCommandNames: readonly ["serve", "daemon", "code-mode", "attach", "remote", "cloud", "init", "setup", "doctor", "list", "install", "add", "inspect", "check-backend", "list-tools", "search-tools", "get-tool", "call-tool", "list-resources", "search-resources", "list-resource-templates", "read-resource", "list-prompts", "search-prompts", "get-prompt", "complete", "config", "auth", "completion"];
+export declare const topLevelCommandNames: readonly ["serve", "daemon", "code-mode", "attach", "remote", "cloud", "init", "setup", "doctor", "list", "install", "add", "inspect", "check-backend", "list-tools", "search-tools", "get-tool", "call-tool", "list-resources", "search-resources", "list-resource-templates", "read-resource", "list-prompts", "search-prompts", "get-prompt", "complete", "config", "auth", "vault", "completion"];
 export declare const cliSubcommands: {
     readonly add: readonly ["cli", "mcp", "openapi", "google-discovery", "graphql", "http"];
     readonly auth: readonly ["login", "logout", "list", "refresh"];
@@ -43,11 +44,15 @@ export declare const cliSubcommands: {
     readonly config: readonly ["path", "paths"];
     readonly daemon: readonly ["install", "uninstall", "start", "restart", "stop", "status", "logs"];
     readonly setup: readonly ["codex", "claude-code", "opencode", "pi", "mcp-client"];
+    readonly vault: readonly ["set", "get", "list", "delete", "access"];
 };
 export declare const cliNestedSubcommands: {
     readonly remote: {
         readonly host: readonly ["pair", "clients", "revoke"];
     };
+    readonly vault: {
+        readonly access: readonly ["grant", "list", "revoke"];
+    };
 };
 export declare const capletIdCommands: Set<string>;
 export declare const qualifiedToolCommands: Set<string>;

package/dist/cli/doctor.d.ts

@@ -17,6 +17,7 @@ export type DoctorJsonReport = {
     sync: Record<string, unknown>;
     daemon: Record<string, unknown>;
     remoteLogin: Record<string, unknown>;
+    vault: Record<string, unknown>;
     exposure: Record<string, unknown>;
     codeMode: Record<string, unknown>;
 };

package/dist/cli/vault.d.ts

@@ -0,0 +1,7 @@
+import type { VaultAccessGrant, VaultDeleteStatus, VaultValueStatus } from "../vault";
+export declare function formatVaultValueStatus(status: VaultValueStatus, json?: boolean): string;
+export declare function formatVaultValueList(statuses: VaultValueStatus[], json?: boolean): string;
+export declare function formatVaultDeleteStatus(status: VaultDeleteStatus, json?: boolean): string;
+export declare function formatVaultAccessGrant(grant: VaultAccessGrant, json?: boolean): string;
+export declare function formatVaultAccessList(grants: VaultAccessGrant[], json?: boolean): string;
+export declare function formatVaultAccessRevoke(count: number, json?: boolean): string;

package/dist/cloud/client.d.ts

@@ -17,6 +17,49 @@ export type RegisterPresenceResult = {
     expiresAt: string;
 };
 export type HeartbeatPresenceResult = RegisterPresenceResult;
+export type CloudVaultValueStatus = {
+    key: string;
+    present: boolean;
+    valueBytes?: number | undefined;
+    createdAt?: string | undefined;
+    updatedAt?: string | undefined;
+};
+export type CloudVaultAccessGrant = {
+    storedKey: string;
+    referenceName: string;
+    capletId: string;
+    origin?: {
+        kind: string;
+        path: string;
+    } | undefined;
+    createdAt?: string | undefined;
+    updatedAt?: string | undefined;
+};
+export type CloudVaultSetInput = {
+    workspace: string;
+    name: string;
+    value: string;
+    force?: boolean | undefined;
+    grant?: string | undefined;
+    referenceName?: string | undefined;
+};
+export type CloudVaultNameInput = {
+    workspace: string;
+    name: string;
+};
+export type CloudVaultGetInput = CloudVaultNameInput & {
+    reveal?: boolean | undefined;
+    revealContext?: "human-cli" | undefined;
+};
+export type CloudVaultAccessGrantInput = CloudVaultNameInput & {
+    capletId: string;
+    referenceName?: string | undefined;
+};
+export type CloudVaultAccessListInput = {
+    workspace: string;
+    name?: string | undefined;
+    capletId?: string | undefined;
+};
 export declare class CapletsCloudClient {
     private readonly options;
     private readonly fetchImpl;
@@ -25,6 +68,22 @@ export declare class CapletsCloudClient {
     stopPresence(presenceId: string): Promise<void>;
     heartbeatPresence(presenceId: string): Promise<HeartbeatPresenceResult>;
     updatePresenceCaplets(presenceId: string, allowedCapletIds: string[]): Promise<void>;
+    setVaultValue(input: CloudVaultSetInput): Promise<CloudVaultValueStatus>;
+    getVaultValue(input: CloudVaultGetInput): Promise<CloudVaultValueStatus | {
+        key: string;
+        value: string;
+    }>;
+    listVaultValues(input: {
+        workspace: string;
+    }): Promise<CloudVaultValueStatus[]>;
+    deleteVaultValue(input: CloudVaultNameInput): Promise<{
+        key: string;
+        deleted: boolean;
+        grantsRetained?: number | undefined;
+    }>;
+    grantVaultAccess(input: CloudVaultAccessGrantInput): Promise<CloudVaultAccessGrant>;
+    listVaultAccess(input: CloudVaultAccessListInput): Promise<CloudVaultAccessGrant[]>;
+    revokeVaultAccess(input: CloudVaultAccessGrantInput): Promise<CloudVaultAccessGrant[]>;
     private headers;
     private endpoint;
 }