npm - @chamesh2020/keystone - Versions diffs - 0.0.1 - Mend

@chamesh2020/keystone 0.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (15) hide show

package/dist/index.d.ts ADDED Viewed

@@ -0,0 +1,94 @@
+/** Package version — kept in sync with package.json */
+declare const version = "0.0.1";
+/**
+ * Interface representing the key bundle structure.
+ */
+interface ProjectKeyBundle {
+    projectId: string;
+    auth: {
+        privateJwk: JsonWebKey;
+        publicJwk: JsonWebKey;
+    };
+    encryption: {
+        privateJwk: JsonWebKey;
+        publicJwk: JsonWebKey;
+    };
+}
+/**
+ * Validates that a parsed object conforms to the ProjectKeyBundle schema.
+ * Throws a descriptive error if the shape is invalid.
+ */
+declare function validateKeyBundle(data: unknown): ProjectKeyBundle;
+/**
+ * Generates an Ed25519 key pair for authentication and an RSA-OAEP key pair for encryption.
+ * Both are returned as JWK (JSON Web Key) objects.
+ */
+declare function generateProjectKeys(projectId: string): Promise<ProjectKeyBundle>;
+/**
+ * Encrypt plaintext using hybrid encryption (AES-256-GCM + RSA-OAEP envelope).
+ *
+ * 1. Generates a random 256-bit AES-GCM key
+ * 2. Encrypts the plaintext with AES-256-GCM (no size limit)
+ * 3. Wraps the AES key with RSA-OAEP (only 32 bytes — well within the 190-byte limit)
+ * 4. Returns `ks1:<base64(wrappedKey ‖ iv ‖ aesCiphertext)>`
+ */
+declare function encryptSecret(plainText: string, rsaPubJwk: JsonWebKey): Promise<string>;
+/**
+ * Decrypt ciphertext using hybrid decryption (AES-256-GCM + RSA-OAEP envelope).
+ * Supports both the new hybrid format (`ks1:` prefix) and legacy RSA-only format
+ * for backward compatibility with previously stored secrets.
+ */
+declare function decryptSecret(ciphertext: string, rsaPrivJwk: JsonWebKey): Promise<string>;
+/**
+ * Sign payload using Ed25519 private key
+ */
+declare function signMessage(messageStr: string, ed25519PrivJwk: JsonWebKey): Promise<string>;
+/**
+ * Sends the public verification and public encryption keys to create a new project namespace on the server.
+ */
+declare function initProject(projectId: string, keys: ProjectKeyBundle, baseUrl: string): Promise<{
+    message: string;
+}>;
+/**
+ * Encrypts the secret locally, signs the metadata package, and uploads it to the backend.
+ */
+declare function storeSecret(projectId: string, secretName: string, plainText: string, keys: ProjectKeyBundle, baseUrl: string): Promise<{
+    message: string;
+}>;
+/**
+ * Verifies identity with a signed timestamp, retrieves, and decrypts the secret.
+ */
+declare function retrieveSecret(projectId: string, secretName: string, keys: ProjectKeyBundle, baseUrl: string): Promise<string>;
+/**
+ * Parses a dotenv file content into key-value pairs.
+ */
+declare function parseDotEnv(content: string): Record<string, string>;
+/**
+ * Finds and loads .env and .env.local files in the current working directory,
+ * loading variables into process.env if they are not already set.
+ */
+declare function loadEnvFiles(cwd?: string): Promise<void>;
+interface LoadSecretsOptions {
+    credentialsPath?: string;
+    baseUrl?: string;
+    cwd?: string;
+}
+/**
+ * Loads .env files, reads credentials, and fetches secrets from the Keystone vault
+ * for any environment variables with value 'LOAD_FROM_KEYSTONE' or 'LOAD FROM KEYSTONE'.
+ */
+declare function loadSecrets(options?: LoadSecretsOptions): Promise<Record<string, string>>;
+/**
+ * Snake_case alias for loadSecrets
+ */
+declare const load_secrets: typeof loadSecrets;
+/**
+ * Appends or updates an environment variable key with 'LOAD_FROM_KEYSTONE' placeholder
+ * in the first found dotenv file (e.g. .env, .env.local) or creates a new .env file.
+ */
+declare function updateEnvFile(secretName: string, cwd?: string): Promise<void>;
+export { type ProjectKeyBundle, decryptSecret, encryptSecret, generateProjectKeys, initProject, loadEnvFiles, loadSecrets, load_secrets, parseDotEnv, retrieveSecret, signMessage, storeSecret, updateEnvFile, validateKeyBundle, version };

package/dist/index.js ADDED Viewed

@@ -0,0 +1,432 @@
+// src/version.ts
+var version = "0.0.1";
+// src/crypto.ts
+import { webcrypto } from "crypto";
+var { subtle } = webcrypto;
+function validateKeyBundle(data) {
+  if (!data || typeof data !== "object") {
+    throw new Error("Invalid credentials: expected a JSON object");
+  }
+  const obj = data;
+  if (typeof obj.projectId !== "string" || !obj.projectId) {
+    throw new Error('Invalid credentials: missing or invalid "projectId"');
+  }
+  validateJwkPair(obj.auth, "auth");
+  validateJwkPair(obj.encryption, "encryption");
+  return data;
+}
+function validateJwkPair(pair, name) {
+  if (!pair || typeof pair !== "object") {
+    throw new Error(`Invalid credentials: missing "${name}" key pair`);
+  }
+  const p = pair;
+  if (!p.privateJwk || typeof p.privateJwk !== "object") {
+    throw new Error(`Invalid credentials: missing "${name}.privateJwk"`);
+  }
+  if (!p.publicJwk || typeof p.publicJwk !== "object") {
+    throw new Error(`Invalid credentials: missing "${name}.publicJwk"`);
+  }
+}
+async function generateProjectKeys(projectId) {
+  const authPair = await subtle.generateKey({ name: "Ed25519" }, true, [
+    "sign",
+    "verify"
+  ]);
+  const encPair = await subtle.generateKey(
+    {
+      name: "RSA-OAEP",
+      modulusLength: 2048,
+      publicExponent: new Uint8Array([1, 0, 1]),
+      hash: "SHA-256"
+    },
+    true,
+    ["encrypt", "decrypt"]
+  );
+  const authPrivateJwk = await subtle.exportKey("jwk", authPair.privateKey);
+  const authPublicJwk = await subtle.exportKey("jwk", authPair.publicKey);
+  delete authPrivateJwk.alg;
+  delete authPublicJwk.alg;
+  const encPrivateJwk = await subtle.exportKey("jwk", encPair.privateKey);
+  const encPublicJwk = await subtle.exportKey("jwk", encPair.publicKey);
+  delete encPrivateJwk.alg;
+  delete encPublicJwk.alg;
+  return {
+    projectId,
+    auth: {
+      privateJwk: authPrivateJwk,
+      publicJwk: authPublicJwk
+    },
+    encryption: {
+      privateJwk: encPrivateJwk,
+      publicJwk: encPublicJwk
+    }
+  };
+}
+function bufToHex(buffer) {
+  return Array.from(new Uint8Array(buffer)).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+var HYBRID_PREFIX = "ks1:";
+var RSA_CIPHERTEXT_LENGTH = 256;
+var AES_GCM_IV_LENGTH = 12;
+async function encryptSecret(plainText, rsaPubJwk) {
+  const rsaPublicKey = await subtle.importKey(
+    "jwk",
+    rsaPubJwk,
+    { name: "RSA-OAEP", hash: "SHA-256" },
+    false,
+    ["encrypt"]
+  );
+  const aesKey = await subtle.generateKey(
+    { name: "AES-GCM", length: 256 },
+    true,
+    ["encrypt"]
+  );
+  const iv = webcrypto.getRandomValues(new Uint8Array(AES_GCM_IV_LENGTH));
+  const encoder = new TextEncoder();
+  const aesCiphertext = new Uint8Array(
+    await subtle.encrypt(
+      { name: "AES-GCM", iv },
+      aesKey,
+      encoder.encode(plainText)
+    )
+  );
+  const rawAesKey = await subtle.exportKey("raw", aesKey);
+  const wrappedKey = new Uint8Array(
+    await subtle.encrypt({ name: "RSA-OAEP" }, rsaPublicKey, rawAesKey)
+  );
+  const packed = new Uint8Array(
+    wrappedKey.length + iv.length + aesCiphertext.length
+  );
+  packed.set(wrappedKey, 0);
+  packed.set(iv, wrappedKey.length);
+  packed.set(aesCiphertext, wrappedKey.length + iv.length);
+  return HYBRID_PREFIX + Buffer.from(packed).toString("base64");
+}
+async function decryptSecret(ciphertext, rsaPrivJwk) {
+  const rsaPrivateKey = await subtle.importKey(
+    "jwk",
+    rsaPrivJwk,
+    { name: "RSA-OAEP", hash: "SHA-256" },
+    false,
+    ["decrypt"]
+  );
+  if (ciphertext.startsWith(HYBRID_PREFIX)) {
+    const packed = Buffer.from(
+      ciphertext.slice(HYBRID_PREFIX.length),
+      "base64"
+    );
+    if (packed.length < RSA_CIPHERTEXT_LENGTH + AES_GCM_IV_LENGTH + 1) {
+      throw new Error("Invalid hybrid ciphertext: data too short");
+    }
+    const wrappedKey = packed.subarray(0, RSA_CIPHERTEXT_LENGTH);
+    const iv = packed.subarray(
+      RSA_CIPHERTEXT_LENGTH,
+      RSA_CIPHERTEXT_LENGTH + AES_GCM_IV_LENGTH
+    );
+    const aesCiphertext = packed.subarray(
+      RSA_CIPHERTEXT_LENGTH + AES_GCM_IV_LENGTH
+    );
+    const rawAesKey = await subtle.decrypt(
+      { name: "RSA-OAEP" },
+      rsaPrivateKey,
+      wrappedKey
+    );
+    const aesKey = await subtle.importKey(
+      "raw",
+      rawAesKey,
+      { name: "AES-GCM", length: 256 },
+      false,
+      ["decrypt"]
+    );
+    const decryptedBuffer2 = await subtle.decrypt(
+      { name: "AES-GCM", iv },
+      aesKey,
+      aesCiphertext
+    );
+    return new TextDecoder().decode(decryptedBuffer2);
+  }
+  const ciphertextBuffer = Buffer.from(ciphertext, "base64");
+  const decryptedBuffer = await subtle.decrypt(
+    { name: "RSA-OAEP" },
+    rsaPrivateKey,
+    ciphertextBuffer
+  );
+  return new TextDecoder().decode(decryptedBuffer);
+}
+async function signMessage(messageStr, ed25519PrivJwk) {
+  const privateKey = await subtle.importKey(
+    "jwk",
+    ed25519PrivJwk,
+    { name: "Ed25519" },
+    false,
+    ["sign"]
+  );
+  const encoder = new TextEncoder();
+  const sigBuffer = await subtle.sign(
+    { name: "Ed25519" },
+    privateKey,
+    encoder.encode(messageStr)
+  );
+  return bufToHex(sigBuffer);
+}
+// src/api.ts
+async function initProject(projectId, keys, baseUrl) {
+  const response = await fetch(`${baseUrl}/init?projectId=${projectId}`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({
+      authPubJwk: keys.auth.publicJwk,
+      encPubJwk: keys.encryption.publicJwk
+    })
+  });
+  if (!response.ok) {
+    let errorMessage;
+    try {
+      const err = await response.json();
+      errorMessage = err.error || response.statusText;
+    } catch {
+      errorMessage = `${response.status} ${response.statusText}`;
+    }
+    throw new Error(`Init Failed: ${errorMessage}`);
+  }
+  return await response.json();
+}
+async function storeSecret(projectId, secretName, plainText, keys, baseUrl) {
+  const ciphertext = await encryptSecret(plainText, keys.encryption.publicJwk);
+  const sigPayload = `store:${secretName}:${ciphertext}`;
+  const signature = await signMessage(sigPayload, keys.auth.privateJwk);
+  const response = await fetch(
+    `${baseUrl}/store?projectId=${projectId}&secretName=${secretName}`,
+    {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ ciphertext, signature })
+    }
+  );
+  if (!response.ok) {
+    let errorMessage;
+    try {
+      const err = await response.json();
+      errorMessage = err.error || response.statusText;
+    } catch {
+      errorMessage = `${response.status} ${response.statusText}`;
+    }
+    throw new Error(`Store Failed: ${errorMessage}`);
+  }
+  return await response.json();
+}
+async function retrieveSecret(projectId, secretName, keys, baseUrl) {
+  const challenge = Date.now().toString();
+  const signature = await signMessage(challenge, keys.auth.privateJwk);
+  const response = await fetch(
+    `${baseUrl}/retrieve?projectId=${projectId}&secretName=${secretName}`,
+    {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ challenge, signature })
+    }
+  );
+  if (!response.ok) {
+    let errorMessage;
+    try {
+      const err = await response.json();
+      errorMessage = err.error || response.statusText;
+    } catch {
+      errorMessage = `${response.status} ${response.statusText}`;
+    }
+    throw new Error(`Retrieve Failed: ${errorMessage}`);
+  }
+  const { ciphertext } = await response.json();
+  return await decryptSecret(ciphertext, keys.encryption.privateJwk);
+}
+// src/env.ts
+import * as fs from "fs/promises";
+import * as path from "path";
+function parseDotEnv(content) {
+  const env = {};
+  const lines = content.split(/\r?\n/);
+  for (const line of lines) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith("#")) {
+      continue;
+    }
+    const cleanLine = trimmed.startsWith("export ") ? trimmed.substring(7).trim() : trimmed;
+    const match = cleanLine.match(/^([^=]+)=(.*)$/);
+    if (!match) {
+      continue;
+    }
+    const val1 = match[1];
+    const val2 = match[2];
+    if (val1 === void 0 || val2 === void 0) {
+      continue;
+    }
+    const key = val1.trim();
+    let value = val2.trim();
+    if (value.startsWith('"') && value.endsWith('"') || value.startsWith("'") && value.endsWith("'")) {
+      value = value.substring(1, value.length - 1);
+    }
+    env[key] = value;
+  }
+  return env;
+}
+async function loadEnvFiles(cwd = process.cwd()) {
+  const originalEnv = { ...process.env };
+  const nodeEnv = process.env.NODE_ENV || "";
+  const filesToLoad = [".env"];
+  if (nodeEnv !== "test") {
+    filesToLoad.push(".env.local");
+  }
+  if (nodeEnv) {
+    filesToLoad.push(`.env.${nodeEnv}`);
+    filesToLoad.push(`.env.${nodeEnv}.local`);
+  }
+  const loadedEnv = {};
+  for (const file of filesToLoad) {
+    const filePath = path.join(cwd, file);
+    try {
+      const content = await fs.readFile(filePath, "utf-8");
+      const parsed = parseDotEnv(content);
+      for (const [key, val] of Object.entries(parsed)) {
+        loadedEnv[key] = val;
+      }
+    } catch {
+    }
+  }
+  for (const [key, val] of Object.entries(loadedEnv)) {
+    if (originalEnv[key] === void 0) {
+      process.env[key] = val;
+    }
+  }
+}
+async function loadSecrets(options = {}) {
+  const cwd = options.cwd || process.cwd();
+  await loadEnvFiles(cwd);
+  const credPath = options.credentialsPath || process.env.KEYSTONE_CREDENTIALS || path.join(cwd, ".keystone", "project-credentials.json");
+  const baseUrl = options.baseUrl || process.env.KEYSTONE_URL || "https://keystone.chames.dev";
+  const placeholders = [];
+  for (const [key, value] of Object.entries(process.env)) {
+    if (value) {
+      const upperVal = value.trim().toUpperCase();
+      if (upperVal === "LOAD_FROM_KEYSTONE" || upperVal === "LOAD FROM KEYSTONE") {
+        placeholders.push(key);
+      }
+    }
+  }
+  if (placeholders.length === 0) {
+    return {};
+  }
+  let keys;
+  try {
+    const credContent = await fs.readFile(credPath, "utf-8");
+    keys = validateKeyBundle(JSON.parse(credContent));
+  } catch (err) {
+    throw new Error(
+      `Failed to read credentials from ${credPath}: ${err.message}`
+    );
+  }
+  const loadedSecrets = {};
+  for (const key of placeholders) {
+    try {
+      const decrypted = await retrieveSecret(
+        keys.projectId,
+        key,
+        keys,
+        baseUrl
+      );
+      process.env[key] = decrypted;
+      loadedSecrets[key] = decrypted;
+    } catch (err) {
+      throw new Error(
+        `Failed to load secret '${key}' from Keystone: ${err.message}`
+      );
+    }
+  }
+  return loadedSecrets;
+}
+var load_secrets = loadSecrets;
+async function updateEnvFile(secretName, cwd = process.cwd()) {
+  const possibleFiles = [
+    ".env",
+    ".env.local",
+    ".env.development.local",
+    ".env.development",
+    ".env.dev"
+  ];
+  let targetFile = ".env";
+  let content = "";
+  let fileFound = false;
+  for (const file of possibleFiles) {
+    const filePath = path.join(cwd, file);
+    try {
+      content = await fs.readFile(filePath, "utf-8");
+      targetFile = file;
+      fileFound = true;
+      break;
+    } catch {
+    }
+  }
+  const targetPath = path.join(cwd, targetFile);
+  const placeholder = "LOAD_FROM_KEYSTONE";
+  if (!fileFound) {
+    await fs.writeFile(targetPath, `${secretName}=${placeholder}
+`, "utf-8");
+    console.error(
+      `Created ${targetFile} and added ${secretName}=${placeholder}`
+    );
+    return;
+  }
+  const lines = content.split(/\r?\n/);
+  let keyIndex = -1;
+  const keyRegex = new RegExp(`^(?:export\\s+)?${secretName}\\s*=`);
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    if (line !== void 0 && keyRegex.test(line)) {
+      keyIndex = i;
+      break;
+    }
+  }
+  if (keyIndex !== -1) {
+    const line = lines[keyIndex];
+    if (line !== void 0) {
+      const parts = line.split("=");
+      const currentValue = parts.slice(1).join("=").trim();
+      const cleanValue = currentValue.startsWith('"') && currentValue.endsWith('"') || currentValue.startsWith("'") && currentValue.endsWith("'") ? currentValue.substring(1, currentValue.length - 1) : currentValue;
+      if (cleanValue.toUpperCase() !== placeholder) {
+        lines[keyIndex] = `${secretName}=${placeholder}`;
+        await fs.writeFile(targetPath, lines.join("\n"), "utf-8");
+        console.error(
+          `Updated ${secretName} to ${placeholder} in ${targetFile}`
+        );
+      }
+    }
+  } else {
+    const separator = content.endsWith("\n") || content === "" ? "" : "\n";
+    await fs.writeFile(
+      targetPath,
+      `${content}${separator}${secretName}=${placeholder}
+`,
+      "utf-8"
+    );
+    console.error(`Added ${secretName}=${placeholder} to ${targetFile}`);
+  }
+}
+export {
+  decryptSecret,
+  encryptSecret,
+  generateProjectKeys,
+  initProject,
+  loadEnvFiles,
+  loadSecrets,
+  load_secrets,
+  parseDotEnv,
+  retrieveSecret,
+  signMessage,
+  storeSecret,
+  updateEnvFile,
+  validateKeyBundle,
+  version
+};
+//# sourceMappingURL=index.js.map

package/dist/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/version.ts","../src/crypto.ts","../src/api.ts","../src/env.ts"],"sourcesContent":["/** Package version — kept in sync with package.json */\nexport const version = \"0.0.1\";\n","import { webcrypto } from \"crypto\";\nconst { subtle } = webcrypto;\n\n/**\n * Interface representing the key bundle structure.\n */\nexport interface ProjectKeyBundle {\n projectId: string;\n auth: {\n privateJwk: JsonWebKey;\n publicJwk: JsonWebKey;\n };\n encryption: {\n privateJwk: JsonWebKey;\n publicJwk: JsonWebKey;\n };\n}\n\n/**\n * Validates that a parsed object conforms to the ProjectKeyBundle schema.\n * Throws a descriptive error if the shape is invalid.\n */\nexport function validateKeyBundle(data: unknown): ProjectKeyBundle {\n if (!data || typeof data !== \"object\") {\n throw new Error(\"Invalid credentials: expected a JSON object\");\n }\n\n const obj = data as Record<string, unknown>;\n\n if (typeof obj.projectId !== \"string\" || !obj.projectId) {\n throw new Error('Invalid credentials: missing or invalid \"projectId\"');\n }\n\n validateJwkPair(obj.auth, \"auth\");\n validateJwkPair(obj.encryption, \"encryption\");\n\n return data as ProjectKeyBundle;\n}\n\nfunction validateJwkPair(pair: unknown, name: string): void {\n if (!pair || typeof pair !== \"object\") {\n throw new Error(`Invalid credentials: missing \"${name}\" key pair`);\n }\n const p = pair as Record<string, unknown>;\n if (!p.privateJwk || typeof p.privateJwk !== \"object\") {\n throw new Error(`Invalid credentials: missing \"${name}.privateJwk\"`);\n }\n if (!p.publicJwk || typeof p.publicJwk !== \"object\") {\n throw new Error(`Invalid credentials: missing \"${name}.publicJwk\"`);\n }\n}\n\n/**\n * Generates an Ed25519 key pair for authentication and an RSA-OAEP key pair for encryption.\n * Both are returned as JWK (JSON Web Key) objects.\n */\nexport async function generateProjectKeys(\n projectId: string,\n): Promise<ProjectKeyBundle> {\n // 1. Generate Auth Pair (Ed25519)\n const authPair = (await subtle.generateKey({ name: \"Ed25519\" }, true, [\n \"sign\",\n \"verify\",\n ])) as CryptoKeyPair;\n\n // 2. Generate Encryption Pair (RSA-OAEP 2048)\n const encPair = (await subtle.generateKey(\n {\n name: \"RSA-OAEP\",\n modulusLength: 2048,\n publicExponent: new Uint8Array([1, 0, 1]),\n hash: \"SHA-256\",\n },\n true,\n [\"encrypt\", \"decrypt\"],\n )) as CryptoKeyPair;\n\n const authPrivateJwk = await subtle.exportKey(\"jwk\", authPair.privateKey);\n const authPublicJwk = await subtle.exportKey(\"jwk\", authPair.publicKey);\n delete authPrivateJwk.alg;\n delete authPublicJwk.alg;\n\n const encPrivateJwk = await subtle.exportKey(\"jwk\", encPair.privateKey);\n const encPublicJwk = await subtle.exportKey(\"jwk\", encPair.publicKey);\n delete encPrivateJwk.alg;\n delete encPublicJwk.alg;\n\n return {\n projectId,\n auth: {\n privateJwk: authPrivateJwk,\n publicJwk: authPublicJwk,\n },\n encryption: {\n privateJwk: encPrivateJwk,\n publicJwk: encPublicJwk,\n },\n };\n}\n\n/**\n * Convert array buffer to Hex string\n */\nfunction bufToHex(buffer: ArrayBuffer): string {\n return Array.from(new Uint8Array(buffer))\n .map((b) => b.toString(16).padStart(2, \"0\"))\n .join(\"\");\n}\n\n/** Hybrid ciphertext format prefix — enables backward-compatible detection */\nconst HYBRID_PREFIX = \"ks1:\";\n\n/** RSA-2048 ciphertext is always 256 bytes */\nconst RSA_CIPHERTEXT_LENGTH = 256;\n\n/** AES-GCM uses a 12-byte IV (recommended by NIST) */\nconst AES_GCM_IV_LENGTH = 12;\n\n/**\n * Encrypt plaintext using hybrid encryption (AES-256-GCM + RSA-OAEP envelope).\n *\n * 1. Generates a random 256-bit AES-GCM key\n * 2. Encrypts the plaintext with AES-256-GCM (no size limit)\n * 3. Wraps the AES key with RSA-OAEP (only 32 bytes — well within the 190-byte limit)\n * 4. Returns `ks1:<base64(wrappedKey ‖ iv ‖ aesCiphertext)>`\n */\nexport async function encryptSecret(\n plainText: string,\n rsaPubJwk: JsonWebKey,\n): Promise<string> {\n // Import RSA public key for key wrapping\n const rsaPublicKey = await subtle.importKey(\n \"jwk\",\n rsaPubJwk,\n { name: \"RSA-OAEP\", hash: \"SHA-256\" },\n false,\n [\"encrypt\"],\n );\n\n // Generate a one-time AES-256-GCM key\n const aesKey = await subtle.generateKey(\n { name: \"AES-GCM\", length: 256 },\n true,\n [\"encrypt\"],\n );\n\n // Generate a random 12-byte IV\n const iv = webcrypto.getRandomValues(new Uint8Array(AES_GCM_IV_LENGTH));\n\n // Encrypt plaintext with AES-256-GCM\n const encoder = new TextEncoder();\n const aesCiphertext = new Uint8Array(\n await subtle.encrypt(\n { name: \"AES-GCM\", iv },\n aesKey,\n encoder.encode(plainText),\n ),\n );\n\n // Export AES key as raw 32 bytes and wrap it with RSA-OAEP\n const rawAesKey = await subtle.exportKey(\"raw\", aesKey);\n const wrappedKey = new Uint8Array(\n await subtle.encrypt({ name: \"RSA-OAEP\" }, rsaPublicKey, rawAesKey),\n );\n\n // Pack: wrappedKey (256 bytes) ‖ iv (12 bytes) ‖ aesCiphertext (variable)\n const packed = new Uint8Array(\n wrappedKey.length + iv.length + aesCiphertext.length,\n );\n packed.set(wrappedKey, 0);\n packed.set(iv, wrappedKey.length);\n packed.set(aesCiphertext, wrappedKey.length + iv.length);\n\n return HYBRID_PREFIX + Buffer.from(packed).toString(\"base64\");\n}\n\n/**\n * Decrypt ciphertext using hybrid decryption (AES-256-GCM + RSA-OAEP envelope).\n * Supports both the new hybrid format (`ks1:` prefix) and legacy RSA-only format\n * for backward compatibility with previously stored secrets.\n */\nexport async function decryptSecret(\n ciphertext: string,\n rsaPrivJwk: JsonWebKey,\n): Promise<string> {\n const rsaPrivateKey = await subtle.importKey(\n \"jwk\",\n rsaPrivJwk,\n { name: \"RSA-OAEP\", hash: \"SHA-256\" },\n false,\n [\"decrypt\"],\n );\n\n // Hybrid format: ks1:<base64(wrappedKey ‖ iv ‖ aesCiphertext)>\n if (ciphertext.startsWith(HYBRID_PREFIX)) {\n const packed = Buffer.from(\n ciphertext.slice(HYBRID_PREFIX.length),\n \"base64\",\n );\n\n if (packed.length < RSA_CIPHERTEXT_LENGTH + AES_GCM_IV_LENGTH + 1) {\n throw new Error(\"Invalid hybrid ciphertext: data too short\");\n }\n\n const wrappedKey = packed.subarray(0, RSA_CIPHERTEXT_LENGTH);\n const iv = packed.subarray(\n RSA_CIPHERTEXT_LENGTH,\n RSA_CIPHERTEXT_LENGTH + AES_GCM_IV_LENGTH,\n );\n const aesCiphertext = packed.subarray(\n RSA_CIPHERTEXT_LENGTH + AES_GCM_IV_LENGTH,\n );\n\n // Unwrap AES key with RSA-OAEP\n const rawAesKey = await subtle.decrypt(\n { name: \"RSA-OAEP\" },\n rsaPrivateKey,\n wrappedKey,\n );\n\n // Import AES key\n const aesKey = await subtle.importKey(\n \"raw\",\n rawAesKey,\n { name: \"AES-GCM\", length: 256 },\n false,\n [\"decrypt\"],\n );\n\n // Decrypt with AES-GCM\n const decryptedBuffer = await subtle.decrypt(\n { name: \"AES-GCM\", iv },\n aesKey,\n aesCiphertext,\n );\n\n return new TextDecoder().decode(decryptedBuffer);\n }\n\n // Legacy format: plain base64-encoded RSA ciphertext\n const ciphertextBuffer = Buffer.from(ciphertext, \"base64\");\n const decryptedBuffer = await subtle.decrypt(\n { name: \"RSA-OAEP\" },\n rsaPrivateKey,\n ciphertextBuffer,\n );\n\n return new TextDecoder().decode(decryptedBuffer);\n}\n\n/**\n * Sign payload using Ed25519 private key\n */\nexport async function signMessage(\n messageStr: string,\n ed25519PrivJwk: JsonWebKey,\n): Promise<string> {\n const privateKey = await subtle.importKey(\n \"jwk\",\n ed25519PrivJwk,\n { name: \"Ed25519\" },\n false,\n [\"sign\"],\n );\n\n const encoder = new TextEncoder();\n const sigBuffer = await subtle.sign(\n { name: \"Ed25519\" },\n privateKey,\n encoder.encode(messageStr),\n );\n\n return bufToHex(sigBuffer);\n}\n","import {\n encryptSecret,\n signMessage,\n decryptSecret,\n ProjectKeyBundle,\n} from \"./crypto.js\";\n\n/**\n * Sends the public verification and public encryption keys to create a new project namespace on the server.\n */\nexport async function initProject(\n projectId: string,\n keys: ProjectKeyBundle,\n baseUrl: string,\n): Promise<{ message: string }> {\n const response = await fetch(`${baseUrl}/init?projectId=${projectId}`, {\n method: \"POST\",\n headers: { \"Content-Type\": \"application/json\" },\n body: JSON.stringify({\n authPubJwk: keys.auth.publicJwk,\n encPubJwk: keys.encryption.publicJwk,\n }),\n });\n\n if (!response.ok) {\n let errorMessage: string;\n try {\n const err = await response.json();\n errorMessage = err.error || response.statusText;\n } catch {\n errorMessage = `${response.status} ${response.statusText}`;\n }\n throw new Error(`Init Failed: ${errorMessage}`);\n }\n return await response.json();\n}\n\n/**\n * Encrypts the secret locally, signs the metadata package, and uploads it to the backend.\n */\nexport async function storeSecret(\n projectId: string,\n secretName: string,\n plainText: string,\n keys: ProjectKeyBundle,\n baseUrl: string,\n): Promise<{ message: string }> {\n const ciphertext = await encryptSecret(plainText, keys.encryption.publicJwk);\n const sigPayload = `store:${secretName}:${ciphertext}`;\n const signature = await signMessage(sigPayload, keys.auth.privateJwk);\n\n const response = await fetch(\n `${baseUrl}/store?projectId=${projectId}&secretName=${secretName}`,\n {\n method: \"POST\",\n headers: { \"Content-Type\": \"application/json\" },\n body: JSON.stringify({ ciphertext, signature }),\n },\n );\n\n if (!response.ok) {\n let errorMessage: string;\n try {\n const err = await response.json();\n errorMessage = err.error || response.statusText;\n } catch {\n errorMessage = `${response.status} ${response.statusText}`;\n }\n throw new Error(`Store Failed: ${errorMessage}`);\n }\n return await response.json();\n}\n\n/**\n * Verifies identity with a signed timestamp, retrieves, and decrypts the secret.\n */\nexport async function retrieveSecret(\n projectId: string,\n secretName: string,\n keys: ProjectKeyBundle,\n baseUrl: string,\n): Promise<string> {\n const challenge = Date.now().toString();\n const signature = await signMessage(challenge, keys.auth.privateJwk);\n\n const response = await fetch(\n `${baseUrl}/retrieve?projectId=${projectId}&secretName=${secretName}`,\n {\n method: \"POST\",\n headers: { \"Content-Type\": \"application/json\" },\n body: JSON.stringify({ challenge, signature }),\n },\n );\n\n if (!response.ok) {\n let errorMessage: string;\n try {\n const err = await response.json();\n errorMessage = err.error || response.statusText;\n } catch {\n errorMessage = `${response.status} ${response.statusText}`;\n }\n throw new Error(`Retrieve Failed: ${errorMessage}`);\n }\n\n const { ciphertext } = await response.json();\n return await decryptSecret(ciphertext, keys.encryption.privateJwk);\n}\n","import * as fs from \"fs/promises\";\nimport * as path from \"path\";\nimport { retrieveSecret } from \"./api.js\";\nimport { ProjectKeyBundle, validateKeyBundle } from \"./crypto.js\";\n\n/**\n * Parses a dotenv file content into key-value pairs.\n */\nexport function parseDotEnv(content: string): Record<string, string> {\n const env: Record<string, string> = {};\n const lines = content.split(/\\r?\\n/);\n for (const line of lines) {\n const trimmed = line.trim();\n if (!trimmed || trimmed.startsWith(\"#\")) {\n continue;\n }\n // Handle 'export ' prefix\n const cleanLine = trimmed.startsWith(\"export \")\n ? trimmed.substring(7).trim()\n : trimmed;\n const match = cleanLine.match(/^([^=]+)=(.*)$/);\n if (!match) {\n continue;\n }\n const val1 = match[1];\n const val2 = match[2];\n if (val1 === undefined || val2 === undefined) {\n continue;\n }\n const key = val1.trim();\n let value = val2.trim();\n // Strip surrounding quotes\n if (\n (value.startsWith('\"') && value.endsWith('\"')) ||\n (value.startsWith(\"'\") && value.endsWith(\"'\"))\n ) {\n value = value.substring(1, value.length - 1);\n }\n env[key] = value;\n }\n return env;\n}\n\n/**\n * Finds and loads .env and .env.local files in the current working directory,\n * loading variables into process.env if they are not already set.\n */\nexport async function loadEnvFiles(cwd = process.cwd()): Promise<void> {\n const originalEnv = { ...process.env };\n const nodeEnv = process.env.NODE_ENV || \"\";\n\n // Define standard env files in order of increasing priority:\n // .env -> .env.local -> .env.${NODE_ENV} -> .env.${NODE_ENV}.local\n const filesToLoad: string[] = [\".env\"];\n if (nodeEnv !== \"test\") {\n filesToLoad.push(\".env.local\");\n }\n if (nodeEnv) {\n filesToLoad.push(`.env.${nodeEnv}`);\n filesToLoad.push(`.env.${nodeEnv}.local`);\n }\n\n const loadedEnv: Record<string, string> = {};\n\n for (const file of filesToLoad) {\n const filePath = path.join(cwd, file);\n try {\n const content = await fs.readFile(filePath, \"utf-8\");\n const parsed = parseDotEnv(content);\n for (const [key, val] of Object.entries(parsed)) {\n loadedEnv[key] = val; // later files override earlier ones\n }\n } catch {\n // Ignore if file does not exist\n }\n }\n\n // Set in process.env only if not set in original env\n for (const [key, val] of Object.entries(loadedEnv)) {\n if (originalEnv[key] === undefined) {\n process.env[key] = val;\n }\n }\n}\n\nexport interface LoadSecretsOptions {\n credentialsPath?: string;\n baseUrl?: string;\n cwd?: string;\n}\n\n/**\n * Loads .env files, reads credentials, and fetches secrets from the Keystone vault\n * for any environment variables with value 'LOAD_FROM_KEYSTONE' or 'LOAD FROM KEYSTONE'.\n */\nexport async function loadSecrets(\n options: LoadSecretsOptions = {},\n): Promise<Record<string, string>> {\n const cwd = options.cwd || process.cwd();\n\n // Load standard .env files first\n await loadEnvFiles(cwd);\n\n // Locate credentials path\n const credPath =\n options.credentialsPath ||\n process.env.KEYSTONE_CREDENTIALS ||\n path.join(cwd, \".keystone\", \"project-credentials.json\");\n\n // Locate base URL\n const baseUrl =\n options.baseUrl ||\n process.env.KEYSTONE_URL ||\n \"https://keystone.chames.dev\";\n\n // Scan process.env for placeholders\n const placeholders: string[] = [];\n for (const [key, value] of Object.entries(process.env)) {\n if (value) {\n const upperVal = value.trim().toUpperCase();\n if (\n upperVal === \"LOAD_FROM_KEYSTONE\" ||\n upperVal === \"LOAD FROM KEYSTONE\"\n ) {\n placeholders.push(key);\n }\n }\n }\n\n // If no placeholders found, we're done\n if (placeholders.length === 0) {\n return {};\n }\n\n // Read credentials file\n let keys: ProjectKeyBundle;\n try {\n const credContent = await fs.readFile(credPath, \"utf-8\");\n keys = validateKeyBundle(JSON.parse(credContent));\n } catch (err: any) {\n throw new Error(\n `Failed to read credentials from ${credPath}: ${err.message}`,\n );\n }\n\n const loadedSecrets: Record<string, string> = {};\n\n // Fetch each secret and inject into process.env\n for (const key of placeholders) {\n try {\n const decrypted = await retrieveSecret(\n keys.projectId,\n key,\n keys,\n baseUrl,\n );\n process.env[key] = decrypted;\n loadedSecrets[key] = decrypted;\n } catch (err: any) {\n throw new Error(\n `Failed to load secret '${key}' from Keystone: ${err.message}`,\n );\n }\n }\n\n return loadedSecrets;\n}\n\n/**\n * Snake_case alias for loadSecrets\n */\nexport const load_secrets = loadSecrets;\n\n/**\n * Appends or updates an environment variable key with 'LOAD_FROM_KEYSTONE' placeholder\n * in the first found dotenv file (e.g. .env, .env.local) or creates a new .env file.\n */\nexport async function updateEnvFile(\n secretName: string,\n cwd = process.cwd(),\n): Promise<void> {\n const possibleFiles = [\n \".env\",\n \".env.local\",\n \".env.development.local\",\n \".env.development\",\n \".env.dev\",\n ];\n\n let targetFile = \".env\";\n let content = \"\";\n let fileFound = false;\n\n for (const file of possibleFiles) {\n const filePath = path.join(cwd, file);\n try {\n content = await fs.readFile(filePath, \"utf-8\");\n targetFile = file;\n fileFound = true;\n break;\n } catch {\n // ignore, try next file\n }\n }\n\n const targetPath = path.join(cwd, targetFile);\n const placeholder = \"LOAD_FROM_KEYSTONE\";\n\n if (!fileFound) {\n await fs.writeFile(targetPath, `${secretName}=${placeholder}\\n`, \"utf-8\");\n console.error(\n `Created ${targetFile} and added ${secretName}=${placeholder}`,\n );\n return;\n }\n\n const lines = content.split(/\\r?\\n/);\n let keyIndex = -1;\n const keyRegex = new RegExp(`^(?:export\\\\s+)?${secretName}\\\\s*=`);\n\n for (let i = 0; i < lines.length; i++) {\n const line = lines[i];\n if (line !== undefined && keyRegex.test(line)) {\n keyIndex = i;\n break;\n }\n }\n\n if (keyIndex !== -1) {\n const line = lines[keyIndex];\n if (line !== undefined) {\n const parts = line.split(\"=\");\n const currentValue = parts.slice(1).join(\"=\").trim();\n const cleanValue =\n (currentValue.startsWith('\"') && currentValue.endsWith('\"')) ||\n (currentValue.startsWith(\"'\") && currentValue.endsWith(\"'\"))\n ? currentValue.substring(1, currentValue.length - 1)\n : currentValue;\n\n if (cleanValue.toUpperCase() !== placeholder) {\n lines[keyIndex] = `${secretName}=${placeholder}`;\n await fs.writeFile(targetPath, lines.join(\"\\n\"), \"utf-8\");\n console.error(\n `Updated ${secretName} to ${placeholder} in ${targetFile}`,\n );\n }\n }\n } else {\n const separator = content.endsWith(\"\\n\") || content === \"\" ? \"\" : \"\\n\";\n await fs.writeFile(\n targetPath,\n `${content}${separator}${secretName}=${placeholder}\\n`,\n \"utf-8\",\n );\n console.error(`Added ${secretName}=${placeholder} to ${targetFile}`);\n }\n}\n"],"mappings":";AACO,IAAM,UAAU;;;ACDvB,SAAS,iBAAiB;AAC1B,IAAM,EAAE,OAAO,IAAI;AAqBZ,SAAS,kBAAkB,MAAiC;AACjE,MAAI,CAAC,QAAQ,OAAO,SAAS,UAAU;AACrC,UAAM,IAAI,MAAM,6CAA6C;AAAA,EAC/D;AAEA,QAAM,MAAM;AAEZ,MAAI,OAAO,IAAI,cAAc,YAAY,CAAC,IAAI,WAAW;AACvD,UAAM,IAAI,MAAM,qDAAqD;AAAA,EACvE;AAEA,kBAAgB,IAAI,MAAM,MAAM;AAChC,kBAAgB,IAAI,YAAY,YAAY;AAE5C,SAAO;AACT;AAEA,SAAS,gBAAgB,MAAe,MAAoB;AAC1D,MAAI,CAAC,QAAQ,OAAO,SAAS,UAAU;AACrC,UAAM,IAAI,MAAM,iCAAiC,IAAI,YAAY;AAAA,EACnE;AACA,QAAM,IAAI;AACV,MAAI,CAAC,EAAE,cAAc,OAAO,EAAE,eAAe,UAAU;AACrD,UAAM,IAAI,MAAM,iCAAiC,IAAI,cAAc;AAAA,EACrE;AACA,MAAI,CAAC,EAAE,aAAa,OAAO,EAAE,cAAc,UAAU;AACnD,UAAM,IAAI,MAAM,iCAAiC,IAAI,aAAa;AAAA,EACpE;AACF;AAMA,eAAsB,oBACpB,WAC2B;AAE3B,QAAM,WAAY,MAAM,OAAO,YAAY,EAAE,MAAM,UAAU,GAAG,MAAM;AAAA,IACpE;AAAA,IACA;AAAA,EACF,CAAC;AAGD,QAAM,UAAW,MAAM,OAAO;AAAA,IAC5B;AAAA,MACE,MAAM;AAAA,MACN,eAAe;AAAA,MACf,gBAAgB,IAAI,WAAW,CAAC,GAAG,GAAG,CAAC,CAAC;AAAA,MACxC,MAAM;AAAA,IACR;AAAA,IACA;AAAA,IACA,CAAC,WAAW,SAAS;AAAA,EACvB;AAEA,QAAM,iBAAiB,MAAM,OAAO,UAAU,OAAO,SAAS,UAAU;AACxE,QAAM,gBAAgB,MAAM,OAAO,UAAU,OAAO,SAAS,SAAS;AACtE,SAAO,eAAe;AACtB,SAAO,cAAc;AAErB,QAAM,gBAAgB,MAAM,OAAO,UAAU,OAAO,QAAQ,UAAU;AACtE,QAAM,eAAe,MAAM,OAAO,UAAU,OAAO,QAAQ,SAAS;AACpE,SAAO,cAAc;AACrB,SAAO,aAAa;AAEpB,SAAO;AAAA,IACL;AAAA,IACA,MAAM;AAAA,MACJ,YAAY;AAAA,MACZ,WAAW;AAAA,IACb;AAAA,IACA,YAAY;AAAA,MACV,YAAY;AAAA,MACZ,WAAW;AAAA,IACb;AAAA,EACF;AACF;AAKA,SAAS,SAAS,QAA6B;AAC7C,SAAO,MAAM,KAAK,IAAI,WAAW,MAAM,CAAC,EACrC,IAAI,CAAC,MAAM,EAAE,SAAS,EAAE,EAAE,SAAS,GAAG,GAAG,CAAC,EAC1C,KAAK,EAAE;AACZ;AAGA,IAAM,gBAAgB;AAGtB,IAAM,wBAAwB;AAG9B,IAAM,oBAAoB;AAU1B,eAAsB,cACpB,WACA,WACiB;AAEjB,QAAM,eAAe,MAAM,OAAO;AAAA,IAChC;AAAA,IACA;AAAA,IACA,EAAE,MAAM,YAAY,MAAM,UAAU;AAAA,IACpC;AAAA,IACA,CAAC,SAAS;AAAA,EACZ;AAGA,QAAM,SAAS,MAAM,OAAO;AAAA,IAC1B,EAAE,MAAM,WAAW,QAAQ,IAAI;AAAA,IAC/B;AAAA,IACA,CAAC,SAAS;AAAA,EACZ;AAGA,QAAM,KAAK,UAAU,gBAAgB,IAAI,WAAW,iBAAiB,CAAC;AAGtE,QAAM,UAAU,IAAI,YAAY;AAChC,QAAM,gBAAgB,IAAI;AAAA,IACxB,MAAM,OAAO;AAAA,MACX,EAAE,MAAM,WAAW,GAAG;AAAA,MACtB;AAAA,MACA,QAAQ,OAAO,SAAS;AAAA,IAC1B;AAAA,EACF;AAGA,QAAM,YAAY,MAAM,OAAO,UAAU,OAAO,MAAM;AACtD,QAAM,aAAa,IAAI;AAAA,IACrB,MAAM,OAAO,QAAQ,EAAE,MAAM,WAAW,GAAG,cAAc,SAAS;AAAA,EACpE;AAGA,QAAM,SAAS,IAAI;AAAA,IACjB,WAAW,SAAS,GAAG,SAAS,cAAc;AAAA,EAChD;AACA,SAAO,IAAI,YAAY,CAAC;AACxB,SAAO,IAAI,IAAI,WAAW,MAAM;AAChC,SAAO,IAAI,eAAe,WAAW,SAAS,GAAG,MAAM;AAEvD,SAAO,gBAAgB,OAAO,KAAK,MAAM,EAAE,SAAS,QAAQ;AAC9D;AAOA,eAAsB,cACpB,YACA,YACiB;AACjB,QAAM,gBAAgB,MAAM,OAAO;AAAA,IACjC;AAAA,IACA;AAAA,IACA,EAAE,MAAM,YAAY,MAAM,UAAU;AAAA,IACpC;AAAA,IACA,CAAC,SAAS;AAAA,EACZ;AAGA,MAAI,WAAW,WAAW,aAAa,GAAG;AACxC,UAAM,SAAS,OAAO;AAAA,MACpB,WAAW,MAAM,cAAc,MAAM;AAAA,MACrC;AAAA,IACF;AAEA,QAAI,OAAO,SAAS,wBAAwB,oBAAoB,GAAG;AACjE,YAAM,IAAI,MAAM,2CAA2C;AAAA,IAC7D;AAEA,UAAM,aAAa,OAAO,SAAS,GAAG,qBAAqB;AAC3D,UAAM,KAAK,OAAO;AAAA,MAChB;AAAA,MACA,wBAAwB;AAAA,IAC1B;AACA,UAAM,gBAAgB,OAAO;AAAA,MAC3B,wBAAwB;AAAA,IAC1B;AAGA,UAAM,YAAY,MAAM,OAAO;AAAA,MAC7B,EAAE,MAAM,WAAW;AAAA,MACnB;AAAA,MACA;AAAA,IACF;AAGA,UAAM,SAAS,MAAM,OAAO;AAAA,MAC1B;AAAA,MACA;AAAA,MACA,EAAE,MAAM,WAAW,QAAQ,IAAI;AAAA,MAC/B;AAAA,MACA,CAAC,SAAS;AAAA,IACZ;AAGA,UAAMA,mBAAkB,MAAM,OAAO;AAAA,MACnC,EAAE,MAAM,WAAW,GAAG;AAAA,MACtB;AAAA,MACA;AAAA,IACF;AAEA,WAAO,IAAI,YAAY,EAAE,OAAOA,gBAAe;AAAA,EACjD;AAGA,QAAM,mBAAmB,OAAO,KAAK,YAAY,QAAQ;AACzD,QAAM,kBAAkB,MAAM,OAAO;AAAA,IACnC,EAAE,MAAM,WAAW;AAAA,IACnB;AAAA,IACA;AAAA,EACF;AAEA,SAAO,IAAI,YAAY,EAAE,OAAO,eAAe;AACjD;AAKA,eAAsB,YACpB,YACA,gBACiB;AACjB,QAAM,aAAa,MAAM,OAAO;AAAA,IAC9B;AAAA,IACA;AAAA,IACA,EAAE,MAAM,UAAU;AAAA,IAClB;AAAA,IACA,CAAC,MAAM;AAAA,EACT;AAEA,QAAM,UAAU,IAAI,YAAY;AAChC,QAAM,YAAY,MAAM,OAAO;AAAA,IAC7B,EAAE,MAAM,UAAU;AAAA,IAClB;AAAA,IACA,QAAQ,OAAO,UAAU;AAAA,EAC3B;AAEA,SAAO,SAAS,SAAS;AAC3B;;;ACvQA,eAAsB,YACpB,WACA,MACA,SAC8B;AAC9B,QAAM,WAAW,MAAM,MAAM,GAAG,OAAO,mBAAmB,SAAS,IAAI;AAAA,IACrE,QAAQ;AAAA,IACR,SAAS,EAAE,gBAAgB,mBAAmB;AAAA,IAC9C,MAAM,KAAK,UAAU;AAAA,MACnB,YAAY,KAAK,KAAK;AAAA,MACtB,WAAW,KAAK,WAAW;AAAA,IAC7B,CAAC;AAAA,EACH,CAAC;AAED,MAAI,CAAC,SAAS,IAAI;AAChB,QAAI;AACJ,QAAI;AACF,YAAM,MAAM,MAAM,SAAS,KAAK;AAChC,qBAAe,IAAI,SAAS,SAAS;AAAA,IACvC,QAAQ;AACN,qBAAe,GAAG,SAAS,MAAM,IAAI,SAAS,UAAU;AAAA,IAC1D;AACA,UAAM,IAAI,MAAM,gBAAgB,YAAY,EAAE;AAAA,EAChD;AACA,SAAO,MAAM,SAAS,KAAK;AAC7B;AAKA,eAAsB,YACpB,WACA,YACA,WACA,MACA,SAC8B;AAC9B,QAAM,aAAa,MAAM,cAAc,WAAW,KAAK,WAAW,SAAS;AAC3E,QAAM,aAAa,SAAS,UAAU,IAAI,UAAU;AACpD,QAAM,YAAY,MAAM,YAAY,YAAY,KAAK,KAAK,UAAU;AAEpE,QAAM,WAAW,MAAM;AAAA,IACrB,GAAG,OAAO,oBAAoB,SAAS,eAAe,UAAU;AAAA,IAChE;AAAA,MACE,QAAQ;AAAA,MACR,SAAS,EAAE,gBAAgB,mBAAmB;AAAA,MAC9C,MAAM,KAAK,UAAU,EAAE,YAAY,UAAU,CAAC;AAAA,IAChD;AAAA,EACF;AAEA,MAAI,CAAC,SAAS,IAAI;AAChB,QAAI;AACJ,QAAI;AACF,YAAM,MAAM,MAAM,SAAS,KAAK;AAChC,qBAAe,IAAI,SAAS,SAAS;AAAA,IACvC,QAAQ;AACN,qBAAe,GAAG,SAAS,MAAM,IAAI,SAAS,UAAU;AAAA,IAC1D;AACA,UAAM,IAAI,MAAM,iBAAiB,YAAY,EAAE;AAAA,EACjD;AACA,SAAO,MAAM,SAAS,KAAK;AAC7B;AAKA,eAAsB,eACpB,WACA,YACA,MACA,SACiB;AACjB,QAAM,YAAY,KAAK,IAAI,EAAE,SAAS;AACtC,QAAM,YAAY,MAAM,YAAY,WAAW,KAAK,KAAK,UAAU;AAEnE,QAAM,WAAW,MAAM;AAAA,IACrB,GAAG,OAAO,uBAAuB,SAAS,eAAe,UAAU;AAAA,IACnE;AAAA,MACE,QAAQ;AAAA,MACR,SAAS,EAAE,gBAAgB,mBAAmB;AAAA,MAC9C,MAAM,KAAK,UAAU,EAAE,WAAW,UAAU,CAAC;AAAA,IAC/C;AAAA,EACF;AAEA,MAAI,CAAC,SAAS,IAAI;AAChB,QAAI;AACJ,QAAI;AACF,YAAM,MAAM,MAAM,SAAS,KAAK;AAChC,qBAAe,IAAI,SAAS,SAAS;AAAA,IACvC,QAAQ;AACN,qBAAe,GAAG,SAAS,MAAM,IAAI,SAAS,UAAU;AAAA,IAC1D;AACA,UAAM,IAAI,MAAM,oBAAoB,YAAY,EAAE;AAAA,EACpD;AAEA,QAAM,EAAE,WAAW,IAAI,MAAM,SAAS,KAAK;AAC3C,SAAO,MAAM,cAAc,YAAY,KAAK,WAAW,UAAU;AACnE;;;AC3GA,YAAY,QAAQ;AACpB,YAAY,UAAU;AAOf,SAAS,YAAY,SAAyC;AACnE,QAAM,MAA8B,CAAC;AACrC,QAAM,QAAQ,QAAQ,MAAM,OAAO;AACnC,aAAW,QAAQ,OAAO;AACxB,UAAM,UAAU,KAAK,KAAK;AAC1B,QAAI,CAAC,WAAW,QAAQ,WAAW,GAAG,GAAG;AACvC;AAAA,IACF;AAEA,UAAM,YAAY,QAAQ,WAAW,SAAS,IAC1C,QAAQ,UAAU,CAAC,EAAE,KAAK,IAC1B;AACJ,UAAM,QAAQ,UAAU,MAAM,gBAAgB;AAC9C,QAAI,CAAC,OAAO;AACV;AAAA,IACF;AACA,UAAM,OAAO,MAAM,CAAC;AACpB,UAAM,OAAO,MAAM,CAAC;AACpB,QAAI,SAAS,UAAa,SAAS,QAAW;AAC5C;AAAA,IACF;AACA,UAAM,MAAM,KAAK,KAAK;AACtB,QAAI,QAAQ,KAAK,KAAK;AAEtB,QACG,MAAM,WAAW,GAAG,KAAK,MAAM,SAAS,GAAG,KAC3C,MAAM,WAAW,GAAG,KAAK,MAAM,SAAS,GAAG,GAC5C;AACA,cAAQ,MAAM,UAAU,GAAG,MAAM,SAAS,CAAC;AAAA,IAC7C;AACA,QAAI,GAAG,IAAI;AAAA,EACb;AACA,SAAO;AACT;AAMA,eAAsB,aAAa,MAAM,QAAQ,IAAI,GAAkB;AACrE,QAAM,cAAc,EAAE,GAAG,QAAQ,IAAI;AACrC,QAAM,UAAU,QAAQ,IAAI,YAAY;AAIxC,QAAM,cAAwB,CAAC,MAAM;AACrC,MAAI,YAAY,QAAQ;AACtB,gBAAY,KAAK,YAAY;AAAA,EAC/B;AACA,MAAI,SAAS;AACX,gBAAY,KAAK,QAAQ,OAAO,EAAE;AAClC,gBAAY,KAAK,QAAQ,OAAO,QAAQ;AAAA,EAC1C;AAEA,QAAM,YAAoC,CAAC;AAE3C,aAAW,QAAQ,aAAa;AAC9B,UAAM,WAAgB,UAAK,KAAK,IAAI;AACpC,QAAI;AACF,YAAM,UAAU,MAAS,YAAS,UAAU,OAAO;AACnD,YAAM,SAAS,YAAY,OAAO;AAClC,iBAAW,CAAC,KAAK,GAAG,KAAK,OAAO,QAAQ,MAAM,GAAG;AAC/C,kBAAU,GAAG,IAAI;AAAA,MACnB;AAAA,IACF,QAAQ;AAAA,IAER;AAAA,EACF;AAGA,aAAW,CAAC,KAAK,GAAG,KAAK,OAAO,QAAQ,SAAS,GAAG;AAClD,QAAI,YAAY,GAAG,MAAM,QAAW;AAClC,cAAQ,IAAI,GAAG,IAAI;AAAA,IACrB;AAAA,EACF;AACF;AAYA,eAAsB,YACpB,UAA8B,CAAC,GACE;AACjC,QAAM,MAAM,QAAQ,OAAO,QAAQ,IAAI;AAGvC,QAAM,aAAa,GAAG;AAGtB,QAAM,WACJ,QAAQ,mBACR,QAAQ,IAAI,wBACP,UAAK,KAAK,aAAa,0BAA0B;AAGxD,QAAM,UACJ,QAAQ,WACR,QAAQ,IAAI,gBACZ;AAGF,QAAM,eAAyB,CAAC;AAChC,aAAW,CAAC,KAAK,KAAK,KAAK,OAAO,QAAQ,QAAQ,GAAG,GAAG;AACtD,QAAI,OAAO;AACT,YAAM,WAAW,MAAM,KAAK,EAAE,YAAY;AAC1C,UACE,aAAa,wBACb,aAAa,sBACb;AACA,qBAAa,KAAK,GAAG;AAAA,MACvB;AAAA,IACF;AAAA,EACF;AAGA,MAAI,aAAa,WAAW,GAAG;AAC7B,WAAO,CAAC;AAAA,EACV;AAGA,MAAI;AACJ,MAAI;AACF,UAAM,cAAc,MAAS,YAAS,UAAU,OAAO;AACvD,WAAO,kBAAkB,KAAK,MAAM,WAAW,CAAC;AAAA,EAClD,SAAS,KAAU;AACjB,UAAM,IAAI;AAAA,MACR,mCAAmC,QAAQ,KAAK,IAAI,OAAO;AAAA,IAC7D;AAAA,EACF;AAEA,QAAM,gBAAwC,CAAC;AAG/C,aAAW,OAAO,cAAc;AAC9B,QAAI;AACF,YAAM,YAAY,MAAM;AAAA,QACtB,KAAK;AAAA,QACL;AAAA,QACA;AAAA,QACA;AAAA,MACF;AACA,cAAQ,IAAI,GAAG,IAAI;AACnB,oBAAc,GAAG,IAAI;AAAA,IACvB,SAAS,KAAU;AACjB,YAAM,IAAI;AAAA,QACR,0BAA0B,GAAG,oBAAoB,IAAI,OAAO;AAAA,MAC9D;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AACT;AAKO,IAAM,eAAe;AAM5B,eAAsB,cACpB,YACA,MAAM,QAAQ,IAAI,GACH;AACf,QAAM,gBAAgB;AAAA,IACpB;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAEA,MAAI,aAAa;AACjB,MAAI,UAAU;AACd,MAAI,YAAY;AAEhB,aAAW,QAAQ,eAAe;AAChC,UAAM,WAAgB,UAAK,KAAK,IAAI;AACpC,QAAI;AACF,gBAAU,MAAS,YAAS,UAAU,OAAO;AAC7C,mBAAa;AACb,kBAAY;AACZ;AAAA,IACF,QAAQ;AAAA,IAER;AAAA,EACF;AAEA,QAAM,aAAkB,UAAK,KAAK,UAAU;AAC5C,QAAM,cAAc;AAEpB,MAAI,CAAC,WAAW;AACd,UAAS,aAAU,YAAY,GAAG,UAAU,IAAI,WAAW;AAAA,GAAM,OAAO;AACxE,YAAQ;AAAA,MACN,WAAW,UAAU,cAAc,UAAU,IAAI,WAAW;AAAA,IAC9D;AACA;AAAA,EACF;AAEA,QAAM,QAAQ,QAAQ,MAAM,OAAO;AACnC,MAAI,WAAW;AACf,QAAM,WAAW,IAAI,OAAO,mBAAmB,UAAU,OAAO;AAEhE,WAAS,IAAI,GAAG,IAAI,MAAM,QAAQ,KAAK;AACrC,UAAM,OAAO,MAAM,CAAC;AACpB,QAAI,SAAS,UAAa,SAAS,KAAK,IAAI,GAAG;AAC7C,iBAAW;AACX;AAAA,IACF;AAAA,EACF;AAEA,MAAI,aAAa,IAAI;AACnB,UAAM,OAAO,MAAM,QAAQ;AAC3B,QAAI,SAAS,QAAW;AACtB,YAAM,QAAQ,KAAK,MAAM,GAAG;AAC5B,YAAM,eAAe,MAAM,MAAM,CAAC,EAAE,KAAK,GAAG,EAAE,KAAK;AACnD,YAAM,aACH,aAAa,WAAW,GAAG,KAAK,aAAa,SAAS,GAAG,KACzD,aAAa,WAAW,GAAG,KAAK,aAAa,SAAS,GAAG,IACtD,aAAa,UAAU,GAAG,aAAa,SAAS,CAAC,IACjD;AAEN,UAAI,WAAW,YAAY,MAAM,aAAa;AAC5C,cAAM,QAAQ,IAAI,GAAG,UAAU,IAAI,WAAW;AAC9C,cAAS,aAAU,YAAY,MAAM,KAAK,IAAI,GAAG,OAAO;AACxD,gBAAQ;AAAA,UACN,WAAW,UAAU,OAAO,WAAW,OAAO,UAAU;AAAA,QAC1D;AAAA,MACF;AAAA,IACF;AAAA,EACF,OAAO;AACL,UAAM,YAAY,QAAQ,SAAS,IAAI,KAAK,YAAY,KAAK,KAAK;AAClE,UAAS;AAAA,MACP;AAAA,MACA,GAAG,OAAO,GAAG,SAAS,GAAG,UAAU,IAAI,WAAW;AAAA;AAAA,MAClD;AAAA,IACF;AACA,YAAQ,MAAM,SAAS,UAAU,IAAI,WAAW,OAAO,UAAU,EAAE;AAAA,EACrE;AACF;","names":["decryptedBuffer"]}

package/package.json ADDED Viewed

@@ -0,0 +1,64 @@
+{
+  "name": "@chamesh2020/keystone",
+  "version": "0.0.1",
+  "description": "A CLI tool built with TypeScript",
+  "type": "module",
+  "main": "./dist/index.cjs",
+  "module": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "bin": {
+    "keystone": "./dist/cli.js"
+  },
+  "exports": {
+    ".": {
+      "import": {
+        "types": "./dist/index.d.ts",
+        "default": "./dist/index.js"
+      },
+      "require": {
+        "types": "./dist/index.d.cts",
+        "default": "./dist/index.cjs"
+      }
+    }
+  },
+  "files": [
+    "dist",
+    "LICENSE",
+    "README.md"
+  ],
+  "scripts": {
+    "build": "tsup",
+    "dev": "tsup --watch",
+    "lint": "eslint src/",
+    "format": "prettier --write .",
+    "format:check": "prettier --check .",
+    "typecheck": "tsc --noEmit",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "test:coverage": "vitest run --coverage",
+    "prepublishOnly": "npm run build",
+    "clean": "rm -rf dist",
+    "release": "npm run build && npm publish --access public"
+  },
+  "keywords": [],
+  "author": "",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": ""
+  },
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "devDependencies": {
+    "@eslint/js": "^9.0.0",
+    "@types/node": "^22.20.0",
+    "@vitest/coverage-v8": "^3.2.6",
+    "eslint": "^9.0.0",
+    "prettier": "^3.4.0",
+    "tsup": "^8.4.0",
+    "typescript": "^5.7.0",
+    "typescript-eslint": "^8.0.0",
+    "vitest": "^3.0.0"
+  }
+}