@clawmasons/credential-service 0.1.0

package/README.md

@@ -0,0 +1,7 @@
+# @clawmasons/credential-service
+
+Credential resolution and distribution service for Mason
+
+## More Information
+
+This package is part of the [Mason](https://github.com/clawmasons/mason) monorepo. See the [README](https://github.com/clawmasons/mason/blob/main/README.md) for full documentation.

package/dist/audit.d.ts

@@ -0,0 +1,36 @@
+import Database from "better-sqlite3";
+export interface CredentialAuditEntry {
+    id: string;
+    timestamp: string;
+    agent_id: string;
+    role: string;
+    session_id: string;
+    credential_key: string;
+    outcome: "granted" | "denied" | "error";
+    deny_reason: string | null;
+    source: string | null;
+}
+export interface CredentialAuditFilters {
+    agent_id?: string;
+    credential_key?: string;
+    outcome?: string;
+    session_id?: string;
+    limit?: number;
+}
+/**
+ * Open the credential audit database and ensure the table exists.
+ */
+export declare function openCredentialDatabase(dbPath?: string): Database.Database;
+/**
+ * Insert a credential audit entry.
+ */
+export declare function insertCredentialAudit(db: Database.Database, entry: CredentialAuditEntry): void;
+/**
+ * Query credential audit entries with optional filters.
+ */
+export declare function queryCredentialAudit(db: Database.Database, filters?: CredentialAuditFilters): CredentialAuditEntry[];
+/**
+ * Generate a unique ID for audit entries.
+ */
+export declare function generateAuditId(): string;
+//# sourceMappingURL=audit.d.ts.map

package/dist/audit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit.d.ts","sourceRoot":"","sources":["../src/audit.ts"],"names":[],"mappings":"AAAA,OAAO,QAAQ,MAAM,gBAAgB,CAAC;AAQtC,MAAM,WAAW,oBAAoB;IACnC,EAAE,EAAE,MAAM,CAAC;IACX,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,MAAM,CAAC;IACnB,cAAc,EAAE,MAAM,CAAC;IACvB,OAAO,EAAE,SAAS,GAAG,QAAQ,GAAG,OAAO,CAAC;IACxC,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;CACvB;AAED,MAAM,WAAW,sBAAsB;IACrC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAsBD;;GAEG;AACH,wBAAgB,sBAAsB,CACpC,MAAM,GAAE,MAAwB,GAC/B,QAAQ,CAAC,QAAQ,CASnB;AAID;;GAEG;AACH,wBAAgB,qBAAqB,CACnC,EAAE,EAAE,QAAQ,CAAC,QAAQ,EACrB,KAAK,EAAE,oBAAoB,GAC1B,IAAI,CAUN;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAClC,EAAE,EAAE,QAAQ,CAAC,QAAQ,EACrB,OAAO,CAAC,EAAE,sBAAsB,GAC/B,oBAAoB,EAAE,CAiCxB;AAED;;GAEG;AACH,wBAAgB,eAAe,IAAI,MAAM,CAExC"}

package/dist/audit.js

@@ -0,0 +1,88 @@
+import Database from "better-sqlite3";
+import { mkdirSync } from "node:fs";
+import { dirname, join } from "node:path";
+import { homedir } from "node:os";
+import { randomUUID } from "node:crypto";
+// ── Schema ─────────────────────────────────────────────────────────────
+const CREATE_CREDENTIAL_AUDIT = `
+CREATE TABLE IF NOT EXISTS credential_audit (
+  id              TEXT PRIMARY KEY,
+  timestamp       TEXT NOT NULL,
+  agent_id        TEXT NOT NULL,
+  role            TEXT NOT NULL,
+  session_id      TEXT NOT NULL,
+  credential_key  TEXT NOT NULL,
+  outcome         TEXT NOT NULL,
+  deny_reason     TEXT,
+  source          TEXT
+)`;
+// ── Database ───────────────────────────────────────────────────────────
+const DEFAULT_DB_PATH = process.env.CREDENTIAL_DB_PATH
+    ?? join(homedir(), ".chapter", "data", "chapter.db");
+/**
+ * Open the credential audit database and ensure the table exists.
+ */
+export function openCredentialDatabase(dbPath = DEFAULT_DB_PATH) {
+    if (dbPath !== ":memory:") {
+        mkdirSync(dirname(dbPath), { recursive: true });
+    }
+    const db = new Database(dbPath);
+    db.pragma("journal_mode = WAL");
+    db.exec(CREATE_CREDENTIAL_AUDIT);
+    return db;
+}
+// ── Operations ─────────────────────────────────────────────────────────
+/**
+ * Insert a credential audit entry.
+ */
+export function insertCredentialAudit(db, entry) {
+    const stmt = db.prepare(`
+    INSERT INTO credential_audit (id, timestamp, agent_id, role, session_id, credential_key, outcome, deny_reason, source)
+    VALUES (@id, @timestamp, @agent_id, @role, @session_id, @credential_key, @outcome, @deny_reason, @source)
+  `);
+    stmt.run({
+        ...entry,
+        deny_reason: entry.deny_reason ?? null,
+        source: entry.source ?? null,
+    });
+}
+/**
+ * Query credential audit entries with optional filters.
+ */
+export function queryCredentialAudit(db, filters) {
+    const conditions = [];
+    const params = {};
+    if (filters?.agent_id) {
+        conditions.push("agent_id = @agent_id");
+        params.agent_id = filters.agent_id;
+    }
+    if (filters?.credential_key) {
+        conditions.push("credential_key = @credential_key");
+        params.credential_key = filters.credential_key;
+    }
+    if (filters?.outcome) {
+        conditions.push("outcome = @outcome");
+        params.outcome = filters.outcome;
+    }
+    if (filters?.session_id) {
+        conditions.push("session_id = @session_id");
+        params.session_id = filters.session_id;
+    }
+    let sql = "SELECT * FROM credential_audit";
+    if (conditions.length > 0) {
+        sql += " WHERE " + conditions.join(" AND ");
+    }
+    sql += " ORDER BY timestamp DESC";
+    if (filters?.limit) {
+        sql += " LIMIT @limit";
+        params.limit = filters.limit;
+    }
+    return db.prepare(sql).all(params);
+}
+/**
+ * Generate a unique ID for audit entries.
+ */
+export function generateAuditId() {
+    return randomUUID();
+}
+//# sourceMappingURL=audit.js.map

package/dist/audit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit.js","sourceRoot":"","sources":["../src/audit.ts"],"names":[],"mappings":"AAAA,OAAO,QAAQ,MAAM,gBAAgB,CAAC;AACtC,OAAO,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AACpC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAC1C,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAwBzC,0EAA0E;AAE1E,MAAM,uBAAuB,GAAG;;;;;;;;;;;EAW9B,CAAC;AAEH,0EAA0E;AAE1E,MAAM,eAAe,GAAG,OAAO,CAAC,GAAG,CAAC,kBAAkB;OACjD,IAAI,CAAC,OAAO,EAAE,EAAE,UAAU,EAAE,MAAM,EAAE,YAAY,CAAC,CAAC;AAEvD;;GAEG;AACH,MAAM,UAAU,sBAAsB,CACpC,SAAiB,eAAe;IAEhC,IAAI,MAAM,KAAK,UAAU,EAAE,CAAC;QAC1B,SAAS,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAClD,CAAC;IAED,MAAM,EAAE,GAAG,IAAI,QAAQ,CAAC,MAAM,CAAC,CAAC;IAChC,EAAE,CAAC,MAAM,CAAC,oBAAoB,CAAC,CAAC;IAChC,EAAE,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;IACjC,OAAO,EAAE,CAAC;AACZ,CAAC;AAED,0EAA0E;AAE1E;;GAEG;AACH,MAAM,UAAU,qBAAqB,CACnC,EAAqB,EACrB,KAA2B;IAE3B,MAAM,IAAI,GAAG,EAAE,CAAC,OAAO,CAAC;;;GAGvB,CAAC,CAAC;IACH,IAAI,CAAC,GAAG,CAAC;QACP,GAAG,KAAK;QACR,WAAW,EAAE,KAAK,CAAC,WAAW,IAAI,IAAI;QACtC,MAAM,EAAE,KAAK,CAAC,MAAM,IAAI,IAAI;KAC7B,CAAC,CAAC;AACL,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,oBAAoB,CAClC,EAAqB,EACrB,OAAgC;IAEhC,MAAM,UAAU,GAAa,EAAE,CAAC;IAChC,MAAM,MAAM,GAAoC,EAAE,CAAC;IAEnD,IAAI,OAAO,EAAE,QAAQ,EAAE,CAAC;QACtB,UAAU,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC;QACxC,MAAM,CAAC,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;IACrC,CAAC;IACD,IAAI,OAAO,EAAE,cAAc,EAAE,CAAC;QAC5B,UAAU,CAAC,IAAI,CAAC,kCAAkC,CAAC,CAAC;QACpD,MAAM,CAAC,cAAc,GAAG,OAAO,CAAC,cAAc,CAAC;IACjD,CAAC;IACD,IAAI,OAAO,EAAE,OAAO,EAAE,CAAC;QACrB,UAAU,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC;QACtC,MAAM,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC;IACnC,CAAC;IACD,IAAI,OAAO,EAAE,UAAU,EAAE,CAAC;QACxB,UAAU,CAAC,IAAI,CAAC,0BAA0B,CAAC,CAAC;QAC5C,MAAM,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;IACzC,CAAC;IAED,IAAI,GAAG,GAAG,gCAAgC,CAAC;IAC3C,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC1B,GAAG,IAAI,SAAS,GAAG,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC9C,CAAC;IACD,GAAG,IAAI,0BAA0B,CAAC;IAElC,IAAI,OAAO,EAAE,KAAK,EAAE,CAAC;QACnB,GAAG,IAAI,eAAe,CAAC;QACvB,MAAM,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;IAC/B,CAAC;IAED,OAAO,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAA2B,CAAC;AAC/D,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,eAAe;IAC7B,OAAO,UAAU,EAAE,CAAC;AACtB,CAAC"}

package/dist/cli.d.ts

@@ -0,0 +1,3 @@
+#!/usr/bin/env node
+export {};
+//# sourceMappingURL=cli.d.ts.map

package/dist/cli.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":""}

package/dist/cli.js

@@ -0,0 +1,63 @@
+#!/usr/bin/env node
+import { CredentialResolver } from "./resolver.js";
+import { CredentialService } from "./service.js";
+import { CredentialWSClient } from "./ws-client.js";
+async function main() {
+    const proxyUrl = process.env.CREDENTIAL_PROXY_URL;
+    const proxyToken = process.env.CREDENTIAL_PROXY_TOKEN;
+    const dbPath = process.env.CREDENTIAL_DB_PATH;
+    const envFilePath = process.env.CREDENTIAL_ENV_FILE;
+    const keychainService = process.env.CREDENTIAL_KEYCHAIN_SERVICE ?? "clawmasons";
+    if (!proxyUrl) {
+        console.error("CREDENTIAL_PROXY_URL is required");
+        process.exit(1);
+    }
+    if (!proxyToken) {
+        console.error("CREDENTIAL_PROXY_TOKEN is required");
+        process.exit(1);
+    }
+    const resolver = new CredentialResolver({
+        envFilePath,
+        keychainService,
+    });
+    const service = new CredentialService({ dbPath, envFilePath, keychainService }, resolver);
+    // Apply session overrides if provided (from ACP proxy)
+    const sessionOverridesJson = process.env.CREDENTIAL_SESSION_OVERRIDES;
+    if (sessionOverridesJson) {
+        try {
+            const overrides = JSON.parse(sessionOverridesJson);
+            service.setSessionOverrides(overrides);
+            console.log(`[credential-service] Loaded ${Object.keys(overrides).length} session credential override(s).`);
+        }
+        catch (err) {
+            console.error("[credential-service] Invalid CREDENTIAL_SESSION_OVERRIDES JSON:", err);
+            service.close();
+            process.exit(1);
+        }
+    }
+    const client = new CredentialWSClient(service);
+    console.log(`[credential-service] Connecting to proxy at ${proxyUrl}...`);
+    try {
+        await client.connect(proxyUrl, proxyToken);
+        console.log("[credential-service] Connected to proxy.");
+    }
+    catch (err) {
+        console.error("[credential-service] Failed to connect to proxy:", err);
+        service.close();
+        process.exit(1);
+    }
+    // Handle shutdown
+    const shutdown = () => {
+        console.log("[credential-service] Shutting down...");
+        client.disconnect();
+        service.close();
+        process.exit(0);
+    };
+    process.on("SIGINT", shutdown);
+    process.on("SIGTERM", shutdown);
+}
+main().catch((err) => {
+    console.error("[credential-service] Fatal error:", err);
+    process.exit(1);
+});
+//# sourceMappingURL=cli.js.map

package/dist/cli.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cli.js","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";AAEA,OAAO,EAAE,kBAAkB,EAAE,MAAM,eAAe,CAAC;AACnD,OAAO,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AACjD,OAAO,EAAE,kBAAkB,EAAE,MAAM,gBAAgB,CAAC;AAEpD,KAAK,UAAU,IAAI;IACjB,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC;IAClD,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC;IACtD,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC;IAC9C,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC;IACpD,MAAM,eAAe,GAAG,OAAO,CAAC,GAAG,CAAC,2BAA2B,IAAI,YAAY,CAAC;IAEhF,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,OAAO,CAAC,KAAK,CAAC,kCAAkC,CAAC,CAAC;QAClD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,OAAO,CAAC,KAAK,CAAC,oCAAoC,CAAC,CAAC;QACpD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,QAAQ,GAAG,IAAI,kBAAkB,CAAC;QACtC,WAAW;QACX,eAAe;KAChB,CAAC,CAAC;IAEH,MAAM,OAAO,GAAG,IAAI,iBAAiB,CACnC,EAAE,MAAM,EAAE,WAAW,EAAE,eAAe,EAAE,EACxC,QAAQ,CACT,CAAC;IAEF,uDAAuD;IACvD,MAAM,oBAAoB,GAAG,OAAO,CAAC,GAAG,CAAC,4BAA4B,CAAC;IACtE,IAAI,oBAAoB,EAAE,CAAC;QACzB,IAAI,CAAC;YACH,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,oBAAoB,CAA2B,CAAC;YAC7E,OAAO,CAAC,mBAAmB,CAAC,SAAS,CAAC,CAAC;YACvC,OAAO,CAAC,GAAG,CACT,+BAA+B,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,MAAM,kCAAkC,CAC/F,CAAC;QACJ,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,CAAC,KAAK,CAAC,iEAAiE,EAAE,GAAG,CAAC,CAAC;YACtF,OAAO,CAAC,KAAK,EAAE,CAAC;YAChB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC;IAED,MAAM,MAAM,GAAG,IAAI,kBAAkB,CAAC,OAAO,CAAC,CAAC;IAE/C,OAAO,CAAC,GAAG,CAAC,+CAA+C,QAAQ,KAAK,CAAC,CAAC;IAE1E,IAAI,CAAC;QACH,MAAM,MAAM,CAAC,OAAO,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;QAC3C,OAAO,CAAC,GAAG,CAAC,0CAA0C,CAAC,CAAC;IAC1D,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,KAAK,CAAC,kDAAkD,EAAE,GAAG,CAAC,CAAC;QACvE,OAAO,CAAC,KAAK,EAAE,CAAC;QAChB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,kBAAkB;IAClB,MAAM,QAAQ,GAAG,GAAS,EAAE;QAC1B,OAAO,CAAC,GAAG,CAAC,uCAAuC,CAAC,CAAC;QACrD,MAAM,CAAC,UAAU,EAAE,CAAC;QACpB,OAAO,CAAC,KAAK,EAAE,CAAC;QAChB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC,CAAC;IAEF,OAAO,CAAC,EAAE,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;IAC/B,OAAO,CAAC,EAAE,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;AAClC,CAAC;AAED,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;IACnB,OAAO,CAAC,KAAK,CAAC,mCAAmC,EAAE,GAAG,CAAC,CAAC;IACxD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC,CAAC,CAAC"}

package/dist/env-file.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Parse a .env file into a key-value record.
+ *
+ * Handles:
+ * - KEY=VALUE lines
+ * - Blank lines and comments (lines starting with #)
+ * - Single-quoted, double-quoted, and unquoted values
+ * - Inline comments after unquoted values
+ *
+ * Copied from @clawmasons/proxy to avoid cross-package dependency.
+ */
+export declare function loadEnvFile(filePath: string): Record<string, string>;
+//# sourceMappingURL=env-file.d.ts.map

package/dist/env-file.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"env-file.d.ts","sourceRoot":"","sources":["../src/env-file.ts"],"names":[],"mappings":"AAEA;;;;;;;;;;GAUG;AACH,wBAAgB,WAAW,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAwCpE"}

package/dist/env-file.js

@@ -0,0 +1,47 @@
+import { readFileSync, existsSync } from "node:fs";
+/**
+ * Parse a .env file into a key-value record.
+ *
+ * Handles:
+ * - KEY=VALUE lines
+ * - Blank lines and comments (lines starting with #)
+ * - Single-quoted, double-quoted, and unquoted values
+ * - Inline comments after unquoted values
+ *
+ * Copied from @clawmasons/proxy to avoid cross-package dependency.
+ */
+export function loadEnvFile(filePath) {
+    if (!existsSync(filePath)) {
+        return {};
+    }
+    const content = readFileSync(filePath, "utf-8");
+    const result = {};
+    for (const line of content.split("\n")) {
+        const trimmed = line.trim();
+        // Skip blank lines and comments
+        if (!trimmed || trimmed.startsWith("#"))
+            continue;
+        const eqIndex = trimmed.indexOf("=");
+        if (eqIndex === -1)
+            continue;
+        const key = trimmed.slice(0, eqIndex).trim();
+        if (!key)
+            continue;
+        let value = trimmed.slice(eqIndex + 1).trim();
+        // Handle quoted values
+        if ((value.startsWith('"') && value.endsWith('"')) ||
+            (value.startsWith("'") && value.endsWith("'"))) {
+            value = value.slice(1, -1);
+        }
+        else {
+            // Strip inline comments for unquoted values
+            const commentIndex = value.indexOf(" #");
+            if (commentIndex !== -1) {
+                value = value.slice(0, commentIndex).trim();
+            }
+        }
+        result[key] = value;
+    }
+    return result;
+}
+//# sourceMappingURL=env-file.js.map

package/dist/env-file.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"env-file.js","sourceRoot":"","sources":["../src/env-file.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAEnD;;;;;;;;;;GAUG;AACH,MAAM,UAAU,WAAW,CAAC,QAAgB;IAC1C,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC1B,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,MAAM,OAAO,GAAG,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IAChD,MAAM,MAAM,GAA2B,EAAE,CAAC;IAE1C,KAAK,MAAM,IAAI,IAAI,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;QACvC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAE5B,gCAAgC;QAChC,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,SAAS;QAElD,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACrC,IAAI,OAAO,KAAK,CAAC,CAAC;YAAE,SAAS;QAE7B,MAAM,GAAG,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC;QAC7C,IAAI,CAAC,GAAG;YAAE,SAAS;QAEnB,IAAI,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,OAAO,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QAE9C,uBAAuB;QACvB,IACE,CAAC,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;YAC9C,CAAC,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,EAC9C,CAAC;YACD,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QAC7B,CAAC;aAAM,CAAC;YACN,4CAA4C;YAC5C,MAAM,YAAY,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;YACzC,IAAI,YAAY,KAAK,CAAC,CAAC,EAAE,CAAC;gBACxB,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC,IAAI,EAAE,CAAC;YAC9C,CAAC;QACH,CAAC;QAED,MAAM,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;IACtB,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,7 @@
+export { CredentialResolver, type CredentialResolverConfig, type ResolveResult, type ResolveSuccess, type ResolveError, } from "./resolver.js";
+export { loadEnvFile } from "./env-file.js";
+export { credentialRequestSchema, credentialResponseSchema, credentialSuccessSchema, credentialErrorSchema, credentialServiceConfigSchema, type CredentialRequest, type CredentialResponse, type CredentialServiceConfig, } from "./schemas.js";
+export { CredentialService } from "./service.js";
+export { CredentialWSClient, type CredentialWSClientOptions } from "./ws-client.js";
+export { openCredentialDatabase, insertCredentialAudit, queryCredentialAudit, generateAuditId, type CredentialAuditEntry, type CredentialAuditFilters, } from "./audit.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,OAAO,EACL,kBAAkB,EAClB,KAAK,wBAAwB,EAC7B,KAAK,aAAa,EAClB,KAAK,cAAc,EACnB,KAAK,YAAY,GAClB,MAAM,eAAe,CAAC;AACvB,OAAO,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AAG5C,OAAO,EACL,uBAAuB,EACvB,wBAAwB,EACxB,uBAAuB,EACvB,qBAAqB,EACrB,6BAA6B,EAC7B,KAAK,iBAAiB,EACtB,KAAK,kBAAkB,EACvB,KAAK,uBAAuB,GAC7B,MAAM,cAAc,CAAC;AAGtB,OAAO,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AAGjD,OAAO,EAAE,kBAAkB,EAAE,KAAK,yBAAyB,EAAE,MAAM,gBAAgB,CAAC;AAGpF,OAAO,EACL,sBAAsB,EACtB,qBAAqB,EACrB,oBAAoB,EACpB,eAAe,EACf,KAAK,oBAAoB,EACzB,KAAK,sBAAsB,GAC5B,MAAM,YAAY,CAAC"}

package/dist/index.js

@@ -0,0 +1,12 @@
+// Resolver (from CHANGE 2)
+export { CredentialResolver, } from "./resolver.js";
+export { loadEnvFile } from "./env-file.js";
+// Schemas
+export { credentialRequestSchema, credentialResponseSchema, credentialSuccessSchema, credentialErrorSchema, credentialServiceConfigSchema, } from "./schemas.js";
+// Service (SDK mode)
+export { CredentialService } from "./service.js";
+// WebSocket client
+export { CredentialWSClient } from "./ws-client.js";
+// Audit
+export { openCredentialDatabase, insertCredentialAudit, queryCredentialAudit, generateAuditId, } from "./audit.js";
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,2BAA2B;AAC3B,OAAO,EACL,kBAAkB,GAKnB,MAAM,eAAe,CAAC;AACvB,OAAO,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AAE5C,UAAU;AACV,OAAO,EACL,uBAAuB,EACvB,wBAAwB,EACxB,uBAAuB,EACvB,qBAAqB,EACrB,6BAA6B,GAI9B,MAAM,cAAc,CAAC;AAEtB,qBAAqB;AACrB,OAAO,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AAEjD,mBAAmB;AACnB,OAAO,EAAE,kBAAkB,EAAkC,MAAM,gBAAgB,CAAC;AAEpF,QAAQ;AACR,OAAO,EACL,sBAAsB,EACtB,qBAAqB,EACrB,oBAAoB,EACpB,eAAe,GAGhB,MAAM,YAAY,CAAC"}

package/dist/keychain.d.ts

@@ -0,0 +1,16 @@
+/**
+ * Query macOS Keychain for a credential value by service and account.
+ *
+ * Uses `security find-generic-password` to look up the value.
+ * Returns `undefined` if the key is not found or on any error.
+ */
+export declare function queryKeychain(service: string, account: string): Promise<string | undefined>;
+/**
+ * Query macOS Keychain for a credential value by service name only.
+ *
+ * Uses `security find-generic-password -s <service> -w` without an account.
+ * Used for system credentials like Claude Code that store under a service name.
+ * Returns `undefined` if not found or on any error.
+ */
+export declare function queryKeychainByService(service: string): Promise<string | undefined>;
+//# sourceMappingURL=keychain.d.ts.map

package/dist/keychain.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"keychain.d.ts","sourceRoot":"","sources":["../src/keychain.ts"],"names":[],"mappings":"AAEA;;;;;GAKG;AACH,wBAAgB,aAAa,CAC3B,OAAO,EAAE,MAAM,EACf,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC,CAoB7B;AAED;;;;;;GAMG;AACH,wBAAgB,sBAAsB,CACpC,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC,CAoB7B"}

package/dist/keychain.js

@@ -0,0 +1,49 @@
+import { execFile } from "node:child_process";
+/**
+ * Query macOS Keychain for a credential value by service and account.
+ *
+ * Uses `security find-generic-password` to look up the value.
+ * Returns `undefined` if the key is not found or on any error.
+ */
+export function queryKeychain(service, account) {
+    return new Promise((resolve) => {
+        execFile("security", ["find-generic-password", "-s", service, "-a", account, "-w"], { timeout: 5000 }, (error, stdout) => {
+            if (error) {
+                resolve(undefined);
+                return;
+            }
+            const value = stdout.trim();
+            if (value) {
+                resolve(value);
+            }
+            else {
+                resolve(undefined);
+            }
+        });
+    });
+}
+/**
+ * Query macOS Keychain for a credential value by service name only.
+ *
+ * Uses `security find-generic-password -s <service> -w` without an account.
+ * Used for system credentials like Claude Code that store under a service name.
+ * Returns `undefined` if not found or on any error.
+ */
+export function queryKeychainByService(service) {
+    return new Promise((resolve) => {
+        execFile("security", ["find-generic-password", "-s", service, "-w"], { timeout: 5000 }, (error, stdout) => {
+            if (error) {
+                resolve(undefined);
+                return;
+            }
+            const value = stdout.trim();
+            if (value) {
+                resolve(value);
+            }
+            else {
+                resolve(undefined);
+            }
+        });
+    });
+}
+//# sourceMappingURL=keychain.js.map

package/dist/keychain.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"keychain.js","sourceRoot":"","sources":["../src/keychain.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAE9C;;;;;GAKG;AACH,MAAM,UAAU,aAAa,CAC3B,OAAe,EACf,OAAe;IAEf,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;QAC7B,QAAQ,CACN,UAAU,EACV,CAAC,uBAAuB,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,CAAC,EAC7D,EAAE,OAAO,EAAE,IAAI,EAAE,EACjB,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE;YAChB,IAAI,KAAK,EAAE,CAAC;gBACV,OAAO,CAAC,SAAS,CAAC,CAAC;gBACnB,OAAO;YACT,CAAC;YACD,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC;YAC5B,IAAI,KAAK,EAAE,CAAC;gBACV,OAAO,CAAC,KAAK,CAAC,CAAC;YACjB,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,SAAS,CAAC,CAAC;YACrB,CAAC;QACH,CAAC,CACF,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,sBAAsB,CACpC,OAAe;IAEf,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;QAC7B,QAAQ,CACN,UAAU,EACV,CAAC,uBAAuB,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,CAAC,EAC9C,EAAE,OAAO,EAAE,IAAI,EAAE,EACjB,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE;YAChB,IAAI,KAAK,EAAE,CAAC;gBACV,OAAO,CAAC,SAAS,CAAC,CAAC;gBACnB,OAAO;YACT,CAAC;YACD,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC;YAC5B,IAAI,KAAK,EAAE,CAAC;gBACV,OAAO,CAAC,KAAK,CAAC,CAAC;YACjB,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,SAAS,CAAC,CAAC;YACrB,CAAC;QACH,CAAC,CACF,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/resolver.d.ts

@@ -0,0 +1,72 @@
+/** Successful credential resolution. */
+export interface ResolveSuccess {
+    value: string;
+    source: "env" | "keychain" | "dotenv" | "session";
+}
+/** Failed credential resolution. */
+export interface ResolveError {
+    error: string;
+    code: "NOT_FOUND" | "ACCESS_DENIED";
+    sourcesAttempted: string[];
+}
+/** Result of a credential resolution attempt. */
+export type ResolveResult = ResolveSuccess | ResolveError;
+/** Configuration for the credential resolver. */
+export interface CredentialResolverConfig {
+    /** Path to the .env file. Defaults to ".env" in cwd. */
+    envFilePath?: string;
+    /** macOS Keychain service name. Defaults to "clawmasons". */
+    keychainService?: string;
+}
+/**
+ * Resolves credential values from multiple sources in priority order:
+ * 0. Session overrides (set via setSessionOverrides, used by ACP proxy)
+ * 1. Security key allowlist (for security.* keys — keychain or fallback file)
+ * 2. Environment variables (process.env)
+ * 3. macOS Keychain (darwin only)
+ * 4. .env file
+ */
+export declare class CredentialResolver {
+    private readonly envFilePath;
+    private readonly keychainService;
+    private dotenvCache;
+    private sessionOverrides;
+    constructor(config?: CredentialResolverConfig);
+    /**
+     * Set session-scoped credential overrides.
+     *
+     * Session overrides take highest priority during resolution,
+     * checked before env, keychain, and dotenv sources. Used by the
+     * ACP proxy to inject credentials extracted from ACP client configs.
+     */
+    setSessionOverrides(overrides: Record<string, string>): void;
+    /**
+     * Clear all session-scoped credential overrides.
+     */
+    clearSessionOverrides(): void;
+    /**
+     * Resolve a credential key from available sources.
+     *
+     * Checks sources in priority order:
+     * session overrides → security.* allowlist → env → keychain → dotenv.
+     *
+     * Returns the value and source on success, or an error with
+     * the list of sources attempted on failure.
+     */
+    resolve(key: string): Promise<ResolveResult>;
+    /**
+     * Resolve a security.* prefixed credential key.
+     *
+     * Only keys in SECURITY_KEY_ALLOWLIST are permitted.
+     * On macOS: queries the keychain using the mapped service name.
+     * On other platforms: reads the fallback file contents.
+     */
+    private resolveSecurityKey;
+    /** Check process environment variables. */
+    private resolveFromEnv;
+    /** Query macOS Keychain via `security find-generic-password`. */
+    private resolveFromKeychain;
+    /** Look up the key in the parsed .env file. */
+    private resolveFromDotenv;
+}
+//# sourceMappingURL=resolver.d.ts.map

package/dist/resolver.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"resolver.d.ts","sourceRoot":"","sources":["../src/resolver.ts"],"names":[],"mappings":"AAIA,wCAAwC;AACxC,MAAM,WAAW,cAAc;IAC7B,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,KAAK,GAAG,UAAU,GAAG,QAAQ,GAAG,SAAS,CAAC;CACnD;AAED,oCAAoC;AACpC,MAAM,WAAW,YAAY;IAC3B,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,WAAW,GAAG,eAAe,CAAC;IACpC,gBAAgB,EAAE,MAAM,EAAE,CAAC;CAC5B;AAED,iDAAiD;AACjD,MAAM,MAAM,aAAa,GAAG,cAAc,GAAG,YAAY,CAAC;AAE1D,iDAAiD;AACjD,MAAM,WAAW,wBAAwB;IACvC,wDAAwD;IACxD,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,6DAA6D;IAC7D,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAaD;;;;;;;GAOG;AACH,qBAAa,kBAAkB;IAC7B,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAS;IACrC,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAS;IACzC,OAAO,CAAC,WAAW,CAAuC;IAC1D,OAAO,CAAC,gBAAgB,CAA8B;gBAE1C,MAAM,GAAE,wBAA6B;IAKjD;;;;;;OAMG;IACH,mBAAmB,CAAC,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,IAAI;IAI5D;;OAEG;IACH,qBAAqB,IAAI,IAAI;IAI7B;;;;;;;;OAQG;IACG,OAAO,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,CAAC;IA4ClD;;;;;;OAMG;YACW,kBAAkB;IAuChC,2CAA2C;IAC3C,OAAO,CAAC,cAAc;IAQtB,iEAAiE;IACjE,OAAO,CAAC,mBAAmB;IAI3B,+CAA+C;IAC/C,OAAO,CAAC,iBAAiB;CAU1B"}

package/dist/resolver.js

@@ -0,0 +1,159 @@
+import * as fs from "node:fs";
+import { loadEnvFile } from "./env-file.js";
+import { queryKeychain, queryKeychainByService } from "./keychain.js";
+/**
+ * Allowlisted security.* credential keys and their keychain service mappings.
+ *
+ * Only keys in this map can be resolved via the security.* prefix.
+ * Any other security.* key is rejected with ACCESS_DENIED.
+ *
+ * Currently empty — reserved for future security-sensitive credentials
+ * that require keychain lookup rather than plain env var resolution.
+ */
+const SECURITY_KEY_ALLOWLIST = {};
+/**
+ * Resolves credential values from multiple sources in priority order:
+ * 0. Session overrides (set via setSessionOverrides, used by ACP proxy)
+ * 1. Security key allowlist (for security.* keys — keychain or fallback file)
+ * 2. Environment variables (process.env)
+ * 3. macOS Keychain (darwin only)
+ * 4. .env file
+ */
+export class CredentialResolver {
+    envFilePath;
+    keychainService;
+    dotenvCache = null;
+    sessionOverrides = {};
+    constructor(config = {}) {
+        this.envFilePath = config.envFilePath ?? ".env";
+        this.keychainService = config.keychainService ?? "clawmasons";
+    }
+    /**
+     * Set session-scoped credential overrides.
+     *
+     * Session overrides take highest priority during resolution,
+     * checked before env, keychain, and dotenv sources. Used by the
+     * ACP proxy to inject credentials extracted from ACP client configs.
+     */
+    setSessionOverrides(overrides) {
+        this.sessionOverrides = { ...overrides };
+    }
+    /**
+     * Clear all session-scoped credential overrides.
+     */
+    clearSessionOverrides() {
+        this.sessionOverrides = {};
+    }
+    /**
+     * Resolve a credential key from available sources.
+     *
+     * Checks sources in priority order:
+     * session overrides → security.* allowlist → env → keychain → dotenv.
+     *
+     * Returns the value and source on success, or an error with
+     * the list of sources attempted on failure.
+     */
+    async resolve(key) {
+        // 0. Session overrides (highest priority)
+        const sessionValue = this.sessionOverrides[key];
+        if (sessionValue !== undefined) {
+            return { value: sessionValue, source: "session" };
+        }
+        // 1. Security key handling (security.* prefix)
+        if (key.startsWith("security.")) {
+            return this.resolveSecurityKey(key);
+        }
+        const sourcesAttempted = [];
+        // 2. Environment variables
+        sourcesAttempted.push("env");
+        const envValue = this.resolveFromEnv(key);
+        if (envValue !== undefined) {
+            return { value: envValue, source: "env" };
+        }
+        // 3. macOS Keychain (skipped on non-macOS)
+        if (process.platform === "darwin") {
+            sourcesAttempted.push("keychain");
+            const keychainValue = await this.resolveFromKeychain(key);
+            if (keychainValue !== undefined) {
+                return { value: keychainValue, source: "keychain" };
+            }
+        }
+        // 4. .env file
+        sourcesAttempted.push("dotenv");
+        const dotenvValue = this.resolveFromDotenv(key);
+        if (dotenvValue !== undefined) {
+            return { value: dotenvValue, source: "dotenv" };
+        }
+        return {
+            error: `Credential "${key}" not found in any source`,
+            code: "NOT_FOUND",
+            sourcesAttempted,
+        };
+    }
+    /**
+     * Resolve a security.* prefixed credential key.
+     *
+     * Only keys in SECURITY_KEY_ALLOWLIST are permitted.
+     * On macOS: queries the keychain using the mapped service name.
+     * On other platforms: reads the fallback file contents.
+     */
+    async resolveSecurityKey(key) {
+        const mapping = SECURITY_KEY_ALLOWLIST[key];
+        if (!mapping) {
+            return {
+                error: `Security key "${key}" is not in the allowlist`,
+                code: "ACCESS_DENIED",
+                sourcesAttempted: ["security-allowlist"],
+            };
+        }
+        const sourcesAttempted = [];
+        if (process.platform === "darwin") {
+            // macOS: query keychain by service name
+            sourcesAttempted.push("keychain");
+            const value = await queryKeychainByService(mapping.keychainService);
+            if (value !== undefined) {
+                return { value, source: "keychain" };
+            }
+        }
+        // Fallback: read from file
+        sourcesAttempted.push("file");
+        try {
+            const value = fs.readFileSync(mapping.fallbackFile, "utf-8");
+            if (value.trim()) {
+                return { value: value.trim(), source: "dotenv" };
+            }
+        }
+        catch {
+            // File not found or unreadable
+        }
+        return {
+            error: `Credential "${key}" not found in any source`,
+            code: "NOT_FOUND",
+            sourcesAttempted,
+        };
+    }
+    /** Check process environment variables. */
+    resolveFromEnv(key) {
+        const value = process.env[key];
+        if (value !== undefined && value !== "") {
+            return value;
+        }
+        return undefined;
+    }
+    /** Query macOS Keychain via `security find-generic-password`. */
+    resolveFromKeychain(key) {
+        return queryKeychain(this.keychainService, key);
+    }
+    /** Look up the key in the parsed .env file. */
+    resolveFromDotenv(key) {
+        if (this.dotenvCache === null) {
+            this.dotenvCache = loadEnvFile(this.envFilePath);
+        }
+        const value = this.dotenvCache[key];
+        if (value !== undefined) {
+            return value;
+        }
+        return undefined;
+    }
+}
+//# sourceMappingURL=resolver.js.map

package/dist/resolver.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"resolver.js","sourceRoot":"","sources":["../src/resolver.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AAC5C,OAAO,EAAE,aAAa,EAAE,sBAAsB,EAAE,MAAM,eAAe,CAAC;AA0BtE;;;;;;;;GAQG;AACH,MAAM,sBAAsB,GAAsE,EAAE,CAAC;AAErG;;;;;;;GAOG;AACH,MAAM,OAAO,kBAAkB;IACZ,WAAW,CAAS;IACpB,eAAe,CAAS;IACjC,WAAW,GAAkC,IAAI,CAAC;IAClD,gBAAgB,GAA2B,EAAE,CAAC;IAEtD,YAAY,SAAmC,EAAE;QAC/C,IAAI,CAAC,WAAW,GAAG,MAAM,CAAC,WAAW,IAAI,MAAM,CAAC;QAChD,IAAI,CAAC,eAAe,GAAG,MAAM,CAAC,eAAe,IAAI,YAAY,CAAC;IAChE,CAAC;IAED;;;;;;OAMG;IACH,mBAAmB,CAAC,SAAiC;QACnD,IAAI,CAAC,gBAAgB,GAAG,EAAE,GAAG,SAAS,EAAE,CAAC;IAC3C,CAAC;IAED;;OAEG;IACH,qBAAqB;QACnB,IAAI,CAAC,gBAAgB,GAAG,EAAE,CAAC;IAC7B,CAAC;IAED;;;;;;;;OAQG;IACH,KAAK,CAAC,OAAO,CAAC,GAAW;QACvB,0CAA0C;QAC1C,MAAM,YAAY,GAAG,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC;QAChD,IAAI,YAAY,KAAK,SAAS,EAAE,CAAC;YAC/B,OAAO,EAAE,KAAK,EAAE,YAAY,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC;QACpD,CAAC;QAED,+CAA+C;QAC/C,IAAI,GAAG,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;YAChC,OAAO,IAAI,CAAC,kBAAkB,CAAC,GAAG,CAAC,CAAC;QACtC,CAAC;QAED,MAAM,gBAAgB,GAAa,EAAE,CAAC;QAEtC,2BAA2B;QAC3B,gBAAgB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC7B,MAAM,QAAQ,GAAG,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC;QAC1C,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;YAC3B,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;QAC5C,CAAC;QAED,2CAA2C;QAC3C,IAAI,OAAO,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAClC,gBAAgB,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;YAClC,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,mBAAmB,CAAC,GAAG,CAAC,CAAC;YAC1D,IAAI,aAAa,KAAK,SAAS,EAAE,CAAC;gBAChC,OAAO,EAAE,KAAK,EAAE,aAAa,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC;YACtD,CAAC;QACH,CAAC;QAED,eAAe;QACf,gBAAgB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAChC,MAAM,WAAW,GAAG,IAAI,CAAC,iBAAiB,CAAC,GAAG,CAAC,CAAC;QAChD,IAAI,WAAW,KAAK,SAAS,EAAE,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,WAAW,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC;QAClD,CAAC;QAED,OAAO;YACL,KAAK,EAAE,eAAe,GAAG,2BAA2B;YACpD,IAAI,EAAE,WAAW;YACjB,gBAAgB;SACjB,CAAC;IACJ,CAAC;IAED;;;;;;OAMG;IACK,KAAK,CAAC,kBAAkB,CAAC,GAAW;QAC1C,MAAM,OAAO,GAAG,sBAAsB,CAAC,GAAG,CAAC,CAAC;QAC5C,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO;gBACL,KAAK,EAAE,iBAAiB,GAAG,2BAA2B;gBACtD,IAAI,EAAE,eAAe;gBACrB,gBAAgB,EAAE,CAAC,oBAAoB,CAAC;aACzC,CAAC;QACJ,CAAC;QAED,MAAM,gBAAgB,GAAa,EAAE,CAAC;QAEtC,IAAI,OAAO,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAClC,wCAAwC;YACxC,gBAAgB,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;YAClC,MAAM,KAAK,GAAG,MAAM,sBAAsB,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;YACpE,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;gBACxB,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC;YACvC,CAAC;QACH,CAAC;QAED,2BAA2B;QAC3B,gBAAgB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC9B,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,EAAE,CAAC,YAAY,CAAC,OAAO,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC;YAC7D,IAAI,KAAK,CAAC,IAAI,EAAE,EAAE,CAAC;gBACjB,OAAO,EAAE,KAAK,EAAE,KAAK,CAAC,IAAI,EAAE,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC;YACnD,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,+BAA+B;QACjC,CAAC;QAED,OAAO;YACL,KAAK,EAAE,eAAe,GAAG,2BAA2B;YACpD,IAAI,EAAE,WAAW;YACjB,gBAAgB;SACjB,CAAC;IACJ,CAAC;IAED,2CAA2C;IACnC,cAAc,CAAC,GAAW;QAChC,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAC/B,IAAI,KAAK,KAAK,SAAS,IAAI,KAAK,KAAK,EAAE,EAAE,CAAC;YACxC,OAAO,KAAK,CAAC;QACf,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,iEAAiE;IACzD,mBAAmB,CAAC,GAAW;QACrC,OAAO,aAAa,CAAC,IAAI,CAAC,eAAe,EAAE,GAAG,CAAC,CAAC;IAClD,CAAC;IAED,+CAA+C;IACvC,iBAAiB,CAAC,GAAW;QACnC,IAAI,IAAI,CAAC,WAAW,KAAK,IAAI,EAAE,CAAC;YAC9B,IAAI,CAAC,WAAW,GAAG,WAAW,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QACnD,CAAC;QACD,MAAM,KAAK,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;QACpC,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;YACxB,OAAO,KAAK,CAAC;QACf,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;CACF"}

package/dist/schemas.d.ts

@@ -0,0 +1,116 @@
+import { z } from "zod";
+export declare const credentialRequestSchema: z.ZodObject<{
+    /** Unique request ID for correlating request/response over WebSocket. */
+    id: z.ZodString;
+    /** The credential key being requested. */
+    key: z.ZodString;
+    /** The requesting agent's slug. */
+    agentId: z.ZodString;
+    /** The agent's role slug. */
+    role: z.ZodString;
+    /** The session identifier. */
+    sessionId: z.ZodString;
+    /** The agent's full list of declared credential keys (populated by proxy). */
+    declaredCredentials: z.ZodArray<z.ZodString, "many">;
+    /** ISO 8601 timestamp (Phase 2 signing). */
+    timestamp: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    id: string;
+    key: string;
+    agentId: string;
+    role: string;
+    sessionId: string;
+    declaredCredentials: string[];
+    timestamp?: string | undefined;
+}, {
+    id: string;
+    key: string;
+    agentId: string;
+    role: string;
+    sessionId: string;
+    declaredCredentials: string[];
+    timestamp?: string | undefined;
+}>;
+export type CredentialRequest = z.infer<typeof credentialRequestSchema>;
+export declare const credentialSuccessSchema: z.ZodObject<{
+    id: z.ZodString;
+    key: z.ZodString;
+    value: z.ZodString;
+    source: z.ZodEnum<["env", "keychain", "dotenv", "session"]>;
+}, "strip", z.ZodTypeAny, {
+    value: string;
+    source: "env" | "keychain" | "dotenv" | "session";
+    id: string;
+    key: string;
+}, {
+    value: string;
+    source: "env" | "keychain" | "dotenv" | "session";
+    id: string;
+    key: string;
+}>;
+export declare const credentialErrorSchema: z.ZodObject<{
+    id: z.ZodString;
+    key: z.ZodString;
+    error: z.ZodString;
+    code: z.ZodEnum<["NOT_FOUND", "ACCESS_DENIED", "INVALID_SESSION"]>;
+}, "strip", z.ZodTypeAny, {
+    error: string;
+    code: "NOT_FOUND" | "ACCESS_DENIED" | "INVALID_SESSION";
+    id: string;
+    key: string;
+}, {
+    error: string;
+    code: "NOT_FOUND" | "ACCESS_DENIED" | "INVALID_SESSION";
+    id: string;
+    key: string;
+}>;
+export declare const credentialResponseSchema: z.ZodUnion<[z.ZodObject<{
+    id: z.ZodString;
+    key: z.ZodString;
+    value: z.ZodString;
+    source: z.ZodEnum<["env", "keychain", "dotenv", "session"]>;
+}, "strip", z.ZodTypeAny, {
+    value: string;
+    source: "env" | "keychain" | "dotenv" | "session";
+    id: string;
+    key: string;
+}, {
+    value: string;
+    source: "env" | "keychain" | "dotenv" | "session";
+    id: string;
+    key: string;
+}>, z.ZodObject<{
+    id: z.ZodString;
+    key: z.ZodString;
+    error: z.ZodString;
+    code: z.ZodEnum<["NOT_FOUND", "ACCESS_DENIED", "INVALID_SESSION"]>;
+}, "strip", z.ZodTypeAny, {
+    error: string;
+    code: "NOT_FOUND" | "ACCESS_DENIED" | "INVALID_SESSION";
+    id: string;
+    key: string;
+}, {
+    error: string;
+    code: "NOT_FOUND" | "ACCESS_DENIED" | "INVALID_SESSION";
+    id: string;
+    key: string;
+}>]>;
+export type CredentialResponse = z.infer<typeof credentialResponseSchema>;
+export declare const credentialServiceConfigSchema: z.ZodObject<{
+    /** Path to the SQLite database. Defaults to ~/.chapter/data/chapter.db. */
+    dbPath: z.ZodOptional<z.ZodString>;
+    /** Path to the .env file for dotenv credential resolution. */
+    envFilePath: z.ZodOptional<z.ZodString>;
+    /** macOS Keychain service name. */
+    keychainService: z.ZodDefault<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    keychainService: string;
+    dbPath?: string | undefined;
+    envFilePath?: string | undefined;
+}, {
+    dbPath?: string | undefined;
+    envFilePath?: string | undefined;
+    keychainService?: string | undefined;
+}>;
+export type CredentialServiceConfig = z.infer<typeof credentialServiceConfigSchema>;
+//# sourceMappingURL=schemas.d.ts.map

package/dist/schemas.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"schemas.d.ts","sourceRoot":"","sources":["../src/schemas.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAIxB,eAAO,MAAM,uBAAuB;IAClC,yEAAyE;;IAEzE,0CAA0C;;IAE1C,mCAAmC;;IAEnC,6BAA6B;;IAE7B,8BAA8B;;IAE9B,8EAA8E;;IAE9E,4CAA4C;;;;;;;;;;;;;;;;;;EAE5C,CAAC;AAEH,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAC;AAIxE,eAAO,MAAM,uBAAuB;;;;;;;;;;;;;;;EAKlC,CAAC;AAEH,eAAO,MAAM,qBAAqB;;;;;;;;;;;;;;;EAKhC,CAAC;AAEH,eAAO,MAAM,wBAAwB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;IAGnC,CAAC;AAEH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,wBAAwB,CAAC,CAAC;AAI1E,eAAO,MAAM,6BAA6B;IACxC,2EAA2E;;IAE3E,8DAA8D;;IAE9D,mCAAmC;;;;;;;;;;EAEnC,CAAC;AAEH,MAAM,MAAM,uBAAuB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,6BAA6B,CAAC,CAAC"}

package/dist/schemas.js

@@ -0,0 +1,45 @@
+import { z } from "zod";
+// ── Credential Request ──────────────────────────────────────────────────
+export const credentialRequestSchema = z.object({
+    /** Unique request ID for correlating request/response over WebSocket. */
+    id: z.string(),
+    /** The credential key being requested. */
+    key: z.string(),
+    /** The requesting agent's slug. */
+    agentId: z.string(),
+    /** The agent's role slug. */
+    role: z.string(),
+    /** The session identifier. */
+    sessionId: z.string(),
+    /** The agent's full list of declared credential keys (populated by proxy). */
+    declaredCredentials: z.array(z.string()),
+    /** ISO 8601 timestamp (Phase 2 signing). */
+    timestamp: z.string().optional(),
+});
+// ── Credential Response ─────────────────────────────────────────────────
+export const credentialSuccessSchema = z.object({
+    id: z.string(),
+    key: z.string(),
+    value: z.string(),
+    source: z.enum(["env", "keychain", "dotenv", "session"]),
+});
+export const credentialErrorSchema = z.object({
+    id: z.string(),
+    key: z.string(),
+    error: z.string(),
+    code: z.enum(["NOT_FOUND", "ACCESS_DENIED", "INVALID_SESSION"]),
+});
+export const credentialResponseSchema = z.union([
+    credentialSuccessSchema,
+    credentialErrorSchema,
+]);
+// ── Service Config ──────────────────────────────────────────────────────
+export const credentialServiceConfigSchema = z.object({
+    /** Path to the SQLite database. Defaults to ~/.chapter/data/chapter.db. */
+    dbPath: z.string().optional(),
+    /** Path to the .env file for dotenv credential resolution. */
+    envFilePath: z.string().optional(),
+    /** macOS Keychain service name. */
+    keychainService: z.string().default("clawmasons"),
+});
+//# sourceMappingURL=schemas.js.map

package/dist/schemas.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"schemas.js","sourceRoot":"","sources":["../src/schemas.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,2EAA2E;AAE3E,MAAM,CAAC,MAAM,uBAAuB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC9C,yEAAyE;IACzE,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE;IACd,0CAA0C;IAC1C,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE;IACf,mCAAmC;IACnC,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE;IACnB,6BAA6B;IAC7B,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;IAChB,8BAA8B;IAC9B,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE;IACrB,8EAA8E;IAC9E,mBAAmB,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;IACxC,4CAA4C;IAC5C,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CACjC,CAAC,CAAC;AAIH,2EAA2E;AAE3E,MAAM,CAAC,MAAM,uBAAuB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC9C,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE;IACd,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE;IACf,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE;IACjB,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,UAAU,EAAE,QAAQ,EAAE,SAAS,CAAC,CAAC;CACzD,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,qBAAqB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC5C,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE;IACd,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE;IACf,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE;IACjB,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,eAAe,EAAE,iBAAiB,CAAC,CAAC;CAChE,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,wBAAwB,GAAG,CAAC,CAAC,KAAK,CAAC;IAC9C,uBAAuB;IACvB,qBAAqB;CACtB,CAAC,CAAC;AAIH,2EAA2E;AAE3E,MAAM,CAAC,MAAM,6BAA6B,GAAG,CAAC,CAAC,MAAM,CAAC;IACpD,2EAA2E;IAC3E,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC7B,8DAA8D;IAC9D,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAClC,mCAAmC;IACnC,eAAe,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,YAAY,CAAC;CAClD,CAAC,CAAC"}

package/dist/service.d.ts

@@ -0,0 +1,41 @@
+import type BetterSqlite3 from "better-sqlite3";
+import type { CredentialRequest, CredentialResponse, CredentialServiceConfig } from "./schemas.js";
+import { CredentialResolver } from "./resolver.js";
+/**
+ * The credential service handles credential requests: validates access,
+ * resolves credentials, and logs audit entries.
+ *
+ * Can be used in SDK mode (in-process, no WebSocket) or behind the
+ * WebSocket client for production Docker deployments.
+ */
+export declare class CredentialService {
+    private readonly resolver;
+    private readonly db;
+    constructor(config: CredentialServiceConfig, resolver?: CredentialResolver);
+    /**
+     * Handle a credential request: validate access → resolve → audit → respond.
+     */
+    handleRequest(request: CredentialRequest): Promise<CredentialResponse>;
+    /**
+     * Set session-scoped credential overrides.
+     *
+     * Session overrides take highest priority during credential resolution,
+     * checked before env, keychain, and dotenv sources. Used by the ACP proxy
+     * to inject credentials extracted from ACP client `mcpServers` env fields.
+     */
+    setSessionOverrides(overrides: Record<string, string>): void;
+    /**
+     * Clear all session-scoped credential overrides.
+     */
+    clearSessionOverrides(): void;
+    /**
+     * Close the database connection.
+     */
+    close(): void;
+    /**
+     * Get the underlying database (for testing/querying audit entries).
+     */
+    getDatabase(): BetterSqlite3.Database;
+    private audit;
+}
+//# sourceMappingURL=service.d.ts.map

package/dist/service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"service.d.ts","sourceRoot":"","sources":["../src/service.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,aAAa,MAAM,gBAAgB,CAAC;AAChD,OAAO,KAAK,EAAE,iBAAiB,EAAE,kBAAkB,EAAE,uBAAuB,EAAE,MAAM,cAAc,CAAC;AACnG,OAAO,EAAE,kBAAkB,EAAE,MAAM,eAAe,CAAC;AAMnD;;;;;;GAMG;AACH,qBAAa,iBAAiB;IAC5B,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAqB;IAC9C,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAyB;gBAEhC,MAAM,EAAE,uBAAuB,EAAE,QAAQ,CAAC,EAAE,kBAAkB;IAQ1E;;OAEG;IACG,aAAa,CAAC,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,kBAAkB,CAAC;IAuC5E;;;;;;OAMG;IACH,mBAAmB,CAAC,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,IAAI;IAI5D;;OAEG;IACH,qBAAqB,IAAI,IAAI;IAI7B;;OAEG;IACH,KAAK,IAAI,IAAI;IAIb;;OAEG;IACH,WAAW,IAAI,aAAa,CAAC,QAAQ;IAIrC,OAAO,CAAC,KAAK;CAmBd"}

package/dist/service.js

@@ -0,0 +1,99 @@
+import { CredentialResolver } from "./resolver.js";
+import { openCredentialDatabase, insertCredentialAudit, } from "./audit.js";
+/**
+ * The credential service handles credential requests: validates access,
+ * resolves credentials, and logs audit entries.
+ *
+ * Can be used in SDK mode (in-process, no WebSocket) or behind the
+ * WebSocket client for production Docker deployments.
+ */
+export class CredentialService {
+    resolver;
+    db;
+    constructor(config, resolver) {
+        this.resolver = resolver ?? new CredentialResolver({
+            envFilePath: config.envFilePath,
+            keychainService: config.keychainService,
+        });
+        this.db = openCredentialDatabase(config.dbPath);
+    }
+    /**
+     * Handle a credential request: validate access → resolve → audit → respond.
+     */
+    async handleRequest(request) {
+        const { id, key, agentId, declaredCredentials } = request;
+        // 1. Access validation — check key is in agent's declared credentials
+        if (!declaredCredentials.includes(key)) {
+            const reason = `Agent "${agentId}" has not declared credential "${key}"`;
+            this.audit(id, request, "denied", reason, null);
+            return {
+                id,
+                key,
+                error: reason,
+                code: "ACCESS_DENIED",
+            };
+        }
+        // 2. Resolve credential
+        const result = await this.resolver.resolve(key);
+        if ("error" in result) {
+            // Resolution failed — credential not found in any source
+            this.audit(id, request, "error", result.error, null);
+            return {
+                id,
+                key,
+                error: result.error,
+                code: "NOT_FOUND",
+            };
+        }
+        // 3. Success — return resolved value
+        this.audit(id, request, "granted", null, result.source);
+        return {
+            id,
+            key,
+            value: result.value,
+            source: result.source,
+        };
+    }
+    /**
+     * Set session-scoped credential overrides.
+     *
+     * Session overrides take highest priority during credential resolution,
+     * checked before env, keychain, and dotenv sources. Used by the ACP proxy
+     * to inject credentials extracted from ACP client `mcpServers` env fields.
+     */
+    setSessionOverrides(overrides) {
+        this.resolver.setSessionOverrides(overrides);
+    }
+    /**
+     * Clear all session-scoped credential overrides.
+     */
+    clearSessionOverrides() {
+        this.resolver.clearSessionOverrides();
+    }
+    /**
+     * Close the database connection.
+     */
+    close() {
+        this.db.close();
+    }
+    /**
+     * Get the underlying database (for testing/querying audit entries).
+     */
+    getDatabase() {
+        return this.db;
+    }
+    audit(id, request, outcome, denyReason, source) {
+        insertCredentialAudit(this.db, {
+            id,
+            timestamp: new Date().toISOString(),
+            agent_id: request.agentId,
+            role: request.role,
+            session_id: request.sessionId,
+            credential_key: request.key,
+            outcome,
+            deny_reason: denyReason,
+            source,
+        });
+    }
+}
+//# sourceMappingURL=service.js.map

package/dist/service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"service.js","sourceRoot":"","sources":["../src/service.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,kBAAkB,EAAE,MAAM,eAAe,CAAC;AACnD,OAAO,EACL,sBAAsB,EACtB,qBAAqB,GACtB,MAAM,YAAY,CAAC;AAEpB;;;;;;GAMG;AACH,MAAM,OAAO,iBAAiB;IACX,QAAQ,CAAqB;IAC7B,EAAE,CAAyB;IAE5C,YAAY,MAA+B,EAAE,QAA6B;QACxE,IAAI,CAAC,QAAQ,GAAG,QAAQ,IAAI,IAAI,kBAAkB,CAAC;YACjD,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,eAAe,EAAE,MAAM,CAAC,eAAe;SACxC,CAAC,CAAC;QACH,IAAI,CAAC,EAAE,GAAG,sBAAsB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAClD,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,aAAa,CAAC,OAA0B;QAC5C,MAAM,EAAE,EAAE,EAAE,GAAG,EAAE,OAAO,EAAE,mBAAmB,EAAE,GAAG,OAAO,CAAC;QAE1D,sEAAsE;QACtE,IAAI,CAAC,mBAAmB,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YACvC,MAAM,MAAM,GAAG,UAAU,OAAO,kCAAkC,GAAG,GAAG,CAAC;YACzE,IAAI,CAAC,KAAK,CAAC,EAAE,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,IAAI,CAAC,CAAC;YAChD,OAAO;gBACL,EAAE;gBACF,GAAG;gBACH,KAAK,EAAE,MAAM;gBACb,IAAI,EAAE,eAAe;aACtB,CAAC;QACJ,CAAC;QAED,wBAAwB;QACxB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QAEhD,IAAI,OAAO,IAAI,MAAM,EAAE,CAAC;YACtB,yDAAyD;YACzD,IAAI,CAAC,KAAK,CAAC,EAAE,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;YACrD,OAAO;gBACL,EAAE;gBACF,GAAG;gBACH,KAAK,EAAE,MAAM,CAAC,KAAK;gBACnB,IAAI,EAAE,WAAW;aAClB,CAAC;QACJ,CAAC;QAED,qCAAqC;QACrC,IAAI,CAAC,KAAK,CAAC,EAAE,EAAE,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC;QACxD,OAAO;YACL,EAAE;YACF,GAAG;YACH,KAAK,EAAE,MAAM,CAAC,KAAK;YACnB,MAAM,EAAE,MAAM,CAAC,MAAM;SACtB,CAAC;IACJ,CAAC;IAED;;;;;;OAMG;IACH,mBAAmB,CAAC,SAAiC;QACnD,IAAI,CAAC,QAAQ,CAAC,mBAAmB,CAAC,SAAS,CAAC,CAAC;IAC/C,CAAC;IAED;;OAEG;IACH,qBAAqB;QACnB,IAAI,CAAC,QAAQ,CAAC,qBAAqB,EAAE,CAAC;IACxC,CAAC;IAED;;OAEG;IACH,KAAK;QACH,IAAI,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;IAClB,CAAC;IAED;;OAEG;IACH,WAAW;QACT,OAAO,IAAI,CAAC,EAAE,CAAC;IACjB,CAAC;IAEO,KAAK,CACX,EAAU,EACV,OAA0B,EAC1B,OAAuC,EACvC,UAAyB,EACzB,MAAqB;QAErB,qBAAqB,CAAC,IAAI,CAAC,EAAE,EAAE;YAC7B,EAAE;YACF,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,QAAQ,EAAE,OAAO,CAAC,OAAO;YACzB,IAAI,EAAE,OAAO,CAAC,IAAI;YAClB,UAAU,EAAE,OAAO,CAAC,SAAS;YAC7B,cAAc,EAAE,OAAO,CAAC,GAAG;YAC3B,OAAO;YACP,WAAW,EAAE,UAAU;YACvB,MAAM;SACP,CAAC,CAAC;IACL,CAAC;CACF"}

package/dist/ws-client.d.ts

@@ -0,0 +1,39 @@
+import type { CredentialService } from "./service.js";
+export interface CredentialWSClientOptions {
+    /** Maximum number of reconnect attempts. */
+    maxRetries?: number;
+    /** Delay between reconnect attempts in milliseconds. */
+    retryDelayMs?: number;
+}
+/**
+ * WebSocket client that connects to the proxy and handles credential
+ * requests relayed from agents.
+ */
+export declare class CredentialWSClient {
+    private readonly service;
+    private readonly maxRetries;
+    private readonly retryDelayMs;
+    private ws;
+    private retryCount;
+    private proxyUrl;
+    private token;
+    private closed;
+    constructor(service: CredentialService, options?: CredentialWSClientOptions);
+    /**
+     * Connect to the proxy WebSocket endpoint.
+     *
+     * Resolves when the connection is established.
+     * Rejects if the connection fails after all retries.
+     */
+    connect(proxyUrl: string, token: string): Promise<void>;
+    /**
+     * Disconnect from the proxy.
+     */
+    disconnect(): void;
+    private attemptConnect;
+    private setupReconnectHandler;
+    private handleMessage;
+    private handleReconnect;
+    private delay;
+}
+//# sourceMappingURL=ws-client.d.ts.map

package/dist/ws-client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ws-client.d.ts","sourceRoot":"","sources":["../src/ws-client.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AAEtD,MAAM,WAAW,yBAAyB;IACxC,4CAA4C;IAC5C,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,wDAAwD;IACxD,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED;;;GAGG;AACH,qBAAa,kBAAkB;IAC7B,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAoB;IAC5C,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAS;IACpC,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAS;IACtC,OAAO,CAAC,EAAE,CAA0B;IACpC,OAAO,CAAC,UAAU,CAAK;IACvB,OAAO,CAAC,QAAQ,CAAM;IACtB,OAAO,CAAC,KAAK,CAAM;IACnB,OAAO,CAAC,MAAM,CAAS;gBAEX,OAAO,EAAE,iBAAiB,EAAE,OAAO,GAAE,yBAA8B;IAM/E;;;;;OAKG;IACG,OAAO,CAAC,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAyB7D;;OAEG;IACH,UAAU,IAAI,IAAI;IAQlB,OAAO,CAAC,cAAc;IA2BtB,OAAO,CAAC,qBAAqB;YAUf,aAAa;YAuBb,eAAe;IA4B7B,OAAO,CAAC,KAAK;CAGd"}

package/dist/ws-client.js

@@ -0,0 +1,134 @@
+import WebSocket from "ws";
+import { credentialRequestSchema } from "./schemas.js";
+/**
+ * WebSocket client that connects to the proxy and handles credential
+ * requests relayed from agents.
+ */
+export class CredentialWSClient {
+    service;
+    maxRetries;
+    retryDelayMs;
+    ws = null;
+    retryCount = 0;
+    proxyUrl = "";
+    token = "";
+    closed = false;
+    constructor(service, options = {}) {
+        this.service = service;
+        this.maxRetries = options.maxRetries ?? 3;
+        this.retryDelayMs = options.retryDelayMs ?? 1000;
+    }
+    /**
+     * Connect to the proxy WebSocket endpoint.
+     *
+     * Resolves when the connection is established.
+     * Rejects if the connection fails after all retries.
+     */
+    async connect(proxyUrl, token) {
+        this.proxyUrl = proxyUrl;
+        this.token = token;
+        this.closed = false;
+        this.retryCount = 0;
+        while (!this.closed) {
+            try {
+                await this.attemptConnect();
+                return; // Connected successfully
+            }
+            catch {
+                this.retryCount++;
+                if (this.retryCount > this.maxRetries) {
+                    throw new Error(`Max connection attempts (${this.maxRetries}) reached. Giving up.`);
+                }
+                console.log(`[credential-service] Reconnecting (attempt ${this.retryCount}/${this.maxRetries})...`);
+                await this.delay(this.retryDelayMs);
+            }
+        }
+    }
+    /**
+     * Disconnect from the proxy.
+     */
+    disconnect() {
+        this.closed = true;
+        if (this.ws) {
+            this.ws.close();
+            this.ws = null;
+        }
+    }
+    attemptConnect() {
+        return new Promise((resolve, reject) => {
+            const ws = new WebSocket(this.proxyUrl, {
+                headers: {
+                    Authorization: `Bearer ${this.token}`,
+                },
+            });
+            ws.on("open", () => {
+                this.ws = ws;
+                this.retryCount = 0;
+                this.setupReconnectHandler(ws);
+                resolve();
+            });
+            ws.on("message", (data) => {
+                this.handleMessage(data).catch((err) => {
+                    console.error("[credential-service] Error handling message:", err);
+                });
+            });
+            ws.on("error", (err) => {
+                reject(err);
+            });
+        });
+    }
+    setupReconnectHandler(ws) {
+        ws.on("close", () => {
+            if (!this.closed) {
+                this.handleReconnect().catch((err) => {
+                    console.error("[credential-service] Reconnect failed:", err);
+                });
+            }
+        });
+    }
+    async handleMessage(data) {
+        const raw = data.toString("utf-8");
+        let parsed;
+        try {
+            parsed = JSON.parse(raw);
+        }
+        catch {
+            console.error("[credential-service] Invalid JSON received:", raw);
+            return;
+        }
+        const result = credentialRequestSchema.safeParse(parsed);
+        if (!result.success) {
+            console.error("[credential-service] Invalid request:", result.error.message);
+            return;
+        }
+        const response = await this.service.handleRequest(result.data);
+        if (this.ws && this.ws.readyState === WebSocket.OPEN) {
+            this.ws.send(JSON.stringify(response));
+        }
+    }
+    async handleReconnect() {
+        if (this.closed)
+            return;
+        this.retryCount = 0;
+        while (!this.closed) {
+            this.retryCount++;
+            if (this.retryCount > this.maxRetries) {
+                console.error(`[credential-service] Max reconnect attempts (${this.maxRetries}) reached. Giving up.`);
+                return;
+            }
+            console.log(`[credential-service] Reconnecting (attempt ${this.retryCount}/${this.maxRetries})...`);
+            await this.delay(this.retryDelayMs);
+            try {
+                await this.attemptConnect();
+                return; // Reconnected successfully
+            }
+            catch {
+                // Will retry in next iteration
+            }
+        }
+    }
+    delay(ms) {
+        return new Promise((resolve) => setTimeout(resolve, ms));
+    }
+}
+//# sourceMappingURL=ws-client.js.map

package/dist/ws-client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ws-client.js","sourceRoot":"","sources":["../src/ws-client.ts"],"names":[],"mappings":"AAAA,OAAO,SAAS,MAAM,IAAI,CAAC;AAC3B,OAAO,EAAE,uBAAuB,EAAE,MAAM,cAAc,CAAC;AAUvD;;;GAGG;AACH,MAAM,OAAO,kBAAkB;IACZ,OAAO,CAAoB;IAC3B,UAAU,CAAS;IACnB,YAAY,CAAS;IAC9B,EAAE,GAAqB,IAAI,CAAC;IAC5B,UAAU,GAAG,CAAC,CAAC;IACf,QAAQ,GAAG,EAAE,CAAC;IACd,KAAK,GAAG,EAAE,CAAC;IACX,MAAM,GAAG,KAAK,CAAC;IAEvB,YAAY,OAA0B,EAAE,UAAqC,EAAE;QAC7E,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;QACvB,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,CAAC,CAAC;QAC1C,IAAI,CAAC,YAAY,GAAG,OAAO,CAAC,YAAY,IAAI,IAAI,CAAC;IACnD,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,OAAO,CAAC,QAAgB,EAAE,KAAa;QAC3C,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;QACzB,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC;QACnB,IAAI,CAAC,MAAM,GAAG,KAAK,CAAC;QACpB,IAAI,CAAC,UAAU,GAAG,CAAC,CAAC;QAEpB,OAAO,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;YACpB,IAAI,CAAC;gBACH,MAAM,IAAI,CAAC,cAAc,EAAE,CAAC;gBAC5B,OAAO,CAAC,yBAAyB;YACnC,CAAC;YAAC,MAAM,CAAC;gBACP,IAAI,CAAC,UAAU,EAAE,CAAC;gBAClB,IAAI,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;oBACtC,MAAM,IAAI,KAAK,CACb,4BAA4B,IAAI,CAAC,UAAU,uBAAuB,CACnE,CAAC;gBACJ,CAAC;gBACD,OAAO,CAAC,GAAG,CACT,8CAA8C,IAAI,CAAC,UAAU,IAAI,IAAI,CAAC,UAAU,MAAM,CACvF,CAAC;gBACF,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;YACtC,CAAC;QACH,CAAC;IACH,CAAC;IAED;;OAEG;IACH,UAAU;QACR,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC;QACnB,IAAI,IAAI,CAAC,EAAE,EAAE,CAAC;YACZ,IAAI,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;YAChB,IAAI,CAAC,EAAE,GAAG,IAAI,CAAC;QACjB,CAAC;IACH,CAAC;IAEO,cAAc;QACpB,OAAO,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YAC3C,MAAM,EAAE,GAAG,IAAI,SAAS,CAAC,IAAI,CAAC,QAAQ,EAAE;gBACtC,OAAO,EAAE;oBACP,aAAa,EAAE,UAAU,IAAI,CAAC,KAAK,EAAE;iBACtC;aACF,CAAC,CAAC;YAEH,EAAE,CAAC,EAAE,CAAC,MAAM,EAAE,GAAG,EAAE;gBACjB,IAAI,CAAC,EAAE,GAAG,EAAE,CAAC;gBACb,IAAI,CAAC,UAAU,GAAG,CAAC,CAAC;gBACpB,IAAI,CAAC,qBAAqB,CAAC,EAAE,CAAC,CAAC;gBAC/B,OAAO,EAAE,CAAC;YACZ,CAAC,CAAC,CAAC;YAEH,EAAE,CAAC,EAAE,CAAC,SAAS,EAAE,CAAC,IAAuB,EAAE,EAAE;gBAC3C,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;oBACrC,OAAO,CAAC,KAAK,CAAC,8CAA8C,EAAE,GAAG,CAAC,CAAC;gBACrE,CAAC,CAAC,CAAC;YACL,CAAC,CAAC,CAAC;YAEH,EAAE,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAU,EAAE,EAAE;gBAC5B,MAAM,CAAC,GAAG,CAAC,CAAC;YACd,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC;IAEO,qBAAqB,CAAC,EAAa;QACzC,EAAE,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE;YAClB,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;gBACjB,IAAI,CAAC,eAAe,EAAE,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;oBACnC,OAAO,CAAC,KAAK,CAAC,wCAAwC,EAAE,GAAG,CAAC,CAAC;gBAC/D,CAAC,CAAC,CAAC;YACL,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC;IAEO,KAAK,CAAC,aAAa,CAAC,IAAuB;QACjD,MAAM,GAAG,GAAG,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QACnC,IAAI,MAAe,CAAC;QACpB,IAAI,CAAC;YACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC3B,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,CAAC,KAAK,CAAC,6CAA6C,EAAE,GAAG,CAAC,CAAC;YAClE,OAAO;QACT,CAAC;QAED,MAAM,MAAM,GAAG,uBAAuB,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;QACzD,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACpB,OAAO,CAAC,KAAK,CAAC,uCAAuC,EAAE,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YAC7E,OAAO;QACT,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QAE/D,IAAI,IAAI,CAAC,EAAE,IAAI,IAAI,CAAC,EAAE,CAAC,UAAU,KAAK,SAAS,CAAC,IAAI,EAAE,CAAC;YACrD,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC,CAAC;QACzC,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,eAAe;QAC3B,IAAI,IAAI,CAAC,MAAM;YAAE,OAAO;QAExB,IAAI,CAAC,UAAU,GAAG,CAAC,CAAC;QACpB,OAAO,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;YACpB,IAAI,CAAC,UAAU,EAAE,CAAC;YAClB,IAAI,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;gBACtC,OAAO,CAAC,KAAK,CACX,gDAAgD,IAAI,CAAC,UAAU,uBAAuB,CACvF,CAAC;gBACF,OAAO;YACT,CAAC;YAED,OAAO,CAAC,GAAG,CACT,8CAA8C,IAAI,CAAC,UAAU,IAAI,IAAI,CAAC,UAAU,MAAM,CACvF,CAAC;YAEF,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;YAEpC,IAAI,CAAC;gBACH,MAAM,IAAI,CAAC,cAAc,EAAE,CAAC;gBAC5B,OAAO,CAAC,2BAA2B;YACrC,CAAC;YAAC,MAAM,CAAC;gBACP,+BAA+B;YACjC,CAAC;QACH,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,EAAU;QACtB,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC;IAC3D,CAAC;CACF"}

package/package.json

@@ -0,0 +1,30 @@
+{
+  "name": "@clawmasons/credential-service",
+  "version": "0.1.0",
+  "description": "Credential resolution and distribution service for Clawmasons Chapter",
+  "type": "module",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "import": "./dist/index.js",
+      "types": "./dist/index.d.ts"
+    }
+  },
+  "bin": {
+    "credential-service": "./dist/cli.js"
+  },
+  "scripts": {
+    "build": "tsc -p tsconfig.build.json",
+    "typecheck": "tsc --noEmit"
+  },
+  "files": [
+    "dist"
+  ],
+  "license": "MIT",
+  "dependencies": {
+    "better-sqlite3": "^12.6.2",
+    "ws": "^8.19.0",
+    "zod": "^3.24.0"
+  }
+}