@elizaos/vault 2.0.0-alpha.537

package/dist/external-credentials.js

@@ -0,0 +1,335 @@
+/**
+ * External credential adapters for password-manager backends.
+ *
+ * Reads Login items out of `op` (1Password) and `bw` (Bitwarden) using the
+ * session token persisted by the secrets-manager installer at
+ * `pm.<backend>.session`. Returns a uniform shape so the manager layer can
+ * merge them with the in-house saved-logins list.
+ *
+ *   list*  → metadata only, never returns passwords
+ *   reveal* → explicit second step, returns username + password (+ totp)
+ *
+ * The CLI is shelled out via an injected `ExecFn` so tests can stub the
+ * subprocess without spawning real processes.
+ */
+export class BackendNotSignedInError extends Error {
+    source;
+    constructor(source) {
+        super(`[${source}] not signed in — sign in via Settings → Secrets storage`);
+        this.source = source;
+        this.name = "BackendNotSignedInError";
+    }
+}
+export async function listOnePasswordLogins(vault, exec) {
+    const sessionArgs = await readOnePasswordSessionArgs(vault, exec);
+    // Step 1: list Login items as JSON. `--format=json` is the documented
+    // machine-readable form; the example in `op item list --help` chains it
+    // into `op item get -` which is what we do for username enrichment.
+    // When 1Password desktop integration is active, `sessionArgs` is empty
+    // and the CLI authenticates via the desktop app.
+    const listOut = await exec("op", [...sessionArgs, "item", "list", "--categories", "Login", "--format=json"], { timeoutMs: 10_000 });
+    const items = parseJsonArray(listOut.stdout);
+    if (items.length === 0)
+        return [];
+    // The 1Password CLI exposes the username as `additional_information` on
+    // every Login item summary. No per-item enrichment needed for the list
+    // view. Reveal still calls `op item get <id>` to fetch the password.
+    const out = [];
+    for (const item of items) {
+        const url = pickPrimaryUrl(item.urls);
+        const username = typeof item.additional_information === "string"
+            ? item.additional_information
+            : "";
+        out.push({
+            source: "1password",
+            externalId: item.id,
+            title: typeof item.title === "string" && item.title.length > 0
+                ? item.title
+                : item.id,
+            username,
+            domain: url ? extractHostname(url) : null,
+            url: url ?? null,
+            updatedAt: parseDate(item.updated_at),
+        });
+    }
+    return out;
+}
+export async function revealOnePasswordLogin(vault, exec, externalId) {
+    if (!externalId)
+        throw new TypeError("revealOnePasswordLogin: externalId required");
+    const sessionArgs = await readOnePasswordSessionArgs(vault, exec);
+    // `op item get <id> --format=json` includes the full `fields` array with
+    // values for username/password/totp.
+    const out = await exec("op", [...sessionArgs, "item", "get", externalId, "--format=json"], { timeoutMs: 10_000 });
+    const item = parseJsonObject(out.stdout);
+    const username = pickOnePasswordUsername(item) ?? "";
+    const password = pickOnePasswordField(item, "password") ?? "";
+    const totp = pickOnePasswordField(item, "one-time password") ??
+        pickOnePasswordField(item, "totp");
+    const url = pickPrimaryUrl(item.urls);
+    if (!password) {
+        throw new Error(`[1password] item ${externalId} has no password field`);
+    }
+    const reveal = {
+        source: "1password",
+        externalId: item.id,
+        title: typeof item.title === "string" && item.title.length > 0
+            ? item.title
+            : item.id,
+        username,
+        domain: url ? extractHostname(url) : null,
+        url: url ?? null,
+        updatedAt: parseDate(item.updated_at),
+        password,
+        ...(totp ? { totp } : {}),
+    };
+    return reveal;
+}
+function pickOnePasswordUsername(item) {
+    if (!item?.fields)
+        return null;
+    // `purpose: "USERNAME"` is the canonical marker for the Login.username slot.
+    const byPurpose = item.fields.find((f) => f.purpose === "USERNAME" && typeof f.value === "string");
+    if (byPurpose?.value)
+        return byPurpose.value;
+    // Fallback: label-based match for older CLIs.
+    const byLabel = item.fields.find((f) => f.label === "username" && typeof f.value === "string");
+    return byLabel?.value ?? null;
+}
+function pickOnePasswordField(item, label) {
+    if (!item.fields)
+        return null;
+    if (label === "password") {
+        const byPurpose = item.fields.find((f) => f.purpose === "PASSWORD" && typeof f.value === "string");
+        if (byPurpose?.value)
+            return byPurpose.value;
+    }
+    const lowered = label.toLowerCase();
+    const match = item.fields.find((f) => typeof f.label === "string" &&
+        f.label.toLowerCase() === lowered &&
+        typeof f.value === "string");
+    return match?.value ?? null;
+}
+export async function listBitwardenLogins(vault, exec) {
+    const session = await readSessionToken(vault, "bitwarden");
+    // `bw list items` returns ALL items (logins, secure notes, cards, etc.).
+    // Filter to type === 1 (login) on the JS side; bw doesn't accept a category
+    // filter on the list command.
+    const out = await exec("bw", ["list", "items"], {
+        env: { ...process.env, BW_SESSION: session },
+        timeoutMs: 15_000,
+    });
+    const items = parseJsonArray(out.stdout);
+    const result = [];
+    for (const item of items) {
+        if (item.type !== 1 || !item.login)
+            continue;
+        const url = pickBitwardenUrl(item.login.uris ?? null);
+        result.push({
+            source: "bitwarden",
+            externalId: item.id,
+            title: typeof item.name === "string" && item.name.length > 0
+                ? item.name
+                : item.id,
+            username: typeof item.login.username === "string" ? item.login.username : "",
+            domain: url ? extractHostname(url) : null,
+            url: url ?? null,
+            updatedAt: parseDate(item.revisionDate),
+        });
+    }
+    return result;
+}
+export async function revealBitwardenLogin(vault, exec, externalId) {
+    if (!externalId)
+        throw new TypeError("revealBitwardenLogin: externalId required");
+    const session = await readSessionToken(vault, "bitwarden");
+    const out = await exec("bw", ["get", "item", externalId], {
+        env: { ...process.env, BW_SESSION: session },
+        timeoutMs: 10_000,
+    });
+    const item = parseJsonObject(out.stdout);
+    if (item.type !== 1 || !item.login) {
+        throw new Error(`[bitwarden] item ${externalId} is not a login`);
+    }
+    const password = item.login.password ?? "";
+    if (!password) {
+        throw new Error(`[bitwarden] item ${externalId} has no password`);
+    }
+    const url = pickBitwardenUrl(item.login.uris ?? null);
+    return {
+        source: "bitwarden",
+        externalId: item.id,
+        title: typeof item.name === "string" && item.name.length > 0
+            ? item.name
+            : item.id,
+        username: typeof item.login.username === "string" ? item.login.username : "",
+        domain: url ? extractHostname(url) : null,
+        url: url ?? null,
+        updatedAt: parseDate(item.revisionDate),
+        password,
+        ...(item.login.totp ? { totp: item.login.totp } : {}),
+    };
+}
+function pickBitwardenUrl(uris) {
+    if (!uris || uris.length === 0)
+        return null;
+    for (const u of uris) {
+        if (typeof u.uri === "string" && u.uri.length > 0)
+            return u.uri;
+    }
+    return null;
+}
+// ── Shared helpers ────────────────────────────────────────────────────
+async function readSessionToken(vault, source) {
+    const key = `pm.${source}.session`;
+    if (!(await vault.has(key)))
+        throw new BackendNotSignedInError(source);
+    const token = (await vault.get(key)).trim();
+    if (!token)
+        throw new BackendNotSignedInError(source);
+    return token;
+}
+/**
+ * Resolve op-invocation args (account + session) for one CLI call.
+ *
+ * 1Password 8's `op` CLI refuses to pick a default account when more than
+ * one is registered — `op whoami` exits 1 with "account is not signed in"
+ * even when the desktop app integration is fully active. The fix: probe
+ * `op account list` once, pick the first registered account's shorthand,
+ * and pass `--account=<shorthand>` on every subsequent call. Then desktop
+ * integration triggers the normal Touch ID flow and the session-token
+ * fallback is only used when no account is registered at all.
+ *
+ * Returns `["--account=<sh>"]` for desktop-app and
+ * `["--account=<sh>", "--session=<token>"]` for session-token.
+ */
+async function readOnePasswordSessionArgs(vault, exec) {
+    const account = await readDefaultOpAccount(exec);
+    const accountArg = account ? [`--account=${account}`] : [];
+    if (await isOnePasswordDesktopActiveWithExec(exec, accountArg)) {
+        return accountArg;
+    }
+    const session = await readSessionToken(vault, "1password");
+    return [...accountArg, `--session=${session}`];
+}
+async function readDefaultOpAccount(exec) {
+    try {
+        const out = await exec("op", ["account", "list", "--format=json"], {
+            timeoutMs: 3000,
+        });
+        const accounts = parseJsonArray(out.stdout);
+        for (const a of accounts) {
+            if (typeof a.shorthand === "string" && a.shorthand.length > 0) {
+                return a.shorthand;
+            }
+            // Fall back to the URL hostname as the shorthand 1Password generates
+            // (e.g. "my" for my.1password.com) when shorthand is absent.
+            if (typeof a.url === "string") {
+                const sub = a.url.split(".")[0];
+                if (sub)
+                    return sub;
+            }
+        }
+        return null;
+    }
+    catch {
+        return null;
+    }
+}
+async function isOnePasswordDesktopActiveWithExec(exec, accountArg) {
+    // `op whoami` is special — even with desktop integration active, it
+    // refuses to run without a session token. A real vault query (e.g.
+    // `op vault list --format=json`) IS handled by desktop session
+    // delegation. Probe with that instead.
+    if (accountArg.length === 0)
+        return false;
+    try {
+        await exec("op", [...accountArg, "vault", "list", "--format=json"], {
+            timeoutMs: 3000,
+        });
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+function pickPrimaryUrl(urls) {
+    if (!urls || urls.length === 0)
+        return null;
+    const primary = urls.find((u) => u.primary === true && typeof u.href === "string");
+    if (primary?.href)
+        return primary.href;
+    for (const u of urls) {
+        if (typeof u.href === "string" && u.href.length > 0)
+            return u.href;
+    }
+    return null;
+}
+function extractHostname(url) {
+    try {
+        const parsed = new URL(url.includes("://") ? url : `https://${url}`);
+        const host = parsed.hostname.toLowerCase();
+        return host.length > 0 ? host : null;
+    }
+    catch {
+        return null;
+    }
+}
+function parseDate(value) {
+    if (!value)
+        return 0;
+    const ms = Date.parse(value);
+    return Number.isFinite(ms) ? ms : 0;
+}
+function parseJsonArray(raw) {
+    const trimmed = raw.trim();
+    if (trimmed.length === 0)
+        return [];
+    const parsed = JSON.parse(trimmed);
+    if (!Array.isArray(parsed)) {
+        throw new Error("expected JSON array, got non-array");
+    }
+    return parsed;
+}
+function parseJsonObject(raw) {
+    const trimmed = raw.trim();
+    if (trimmed.length === 0)
+        throw new Error("expected JSON object, got empty output");
+    const parsed = JSON.parse(trimmed);
+    if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
+        throw new Error("expected JSON object, got non-object");
+    }
+    return parsed;
+}
+/**
+ * Production `ExecFn` wrapping `node:child_process.execFile`. Tests inject
+ * stubs instead of using this. Lives here so callers can `import` a single
+ * default rather than wiring `child_process` themselves.
+ */
+export function defaultExecFn() {
+    // Lazy require so the test environment doesn't accidentally run real
+    // subprocesses if a test forgets to inject a stub.
+    return async (cmd, args, opts) => {
+        const childProcess = await import("node:child_process");
+        return new Promise((resolve, reject) => {
+            const child = childProcess.execFile(cmd, [...args], {
+                ...(opts.env ? { env: opts.env } : {}),
+                timeout: opts.timeoutMs ?? 10_000,
+                maxBuffer: 16 * 1024 * 1024,
+                encoding: "utf8",
+            }, (error, stdout, stderr) => {
+                if (error) {
+                    reject(error);
+                    return;
+                }
+                // `encoding: "utf8"` forces stdout/stderr to strings.
+                resolve({ stdout, stderr });
+            });
+            if (opts.stdin !== undefined && child.stdin) {
+                child.stdin.write(opts.stdin);
+                child.stdin.end();
+            }
+        });
+    };
+}
+//# sourceMappingURL=external-credentials.js.map

package/dist/external-credentials.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"external-credentials.js","sourceRoot":"","sources":["../src/external-credentials.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAwBH,MAAM,OAAO,uBAAwB,SAAQ,KAAK;IAC3B;IAArB,YAAqB,MAA2B;QAC9C,KAAK,CAAC,IAAI,MAAM,0DAA0D,CAAC,CAAC;QADzD,WAAM,GAAN,MAAM,CAAqB;QAE9C,IAAI,CAAC,IAAI,GAAG,yBAAyB,CAAC;IACxC,CAAC;CACF;AAiDD,MAAM,CAAC,KAAK,UAAU,qBAAqB,CACzC,KAAY,EACZ,IAAY;IAEZ,MAAM,WAAW,GAAG,MAAM,0BAA0B,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;IAElE,sEAAsE;IACtE,wEAAwE;IACxE,oEAAoE;IACpE,uEAAuE;IACvE,iDAAiD;IACjD,MAAM,OAAO,GAAG,MAAM,IAAI,CACxB,IAAI,EACJ,CAAC,GAAG,WAAW,EAAE,MAAM,EAAE,MAAM,EAAE,cAAc,EAAE,OAAO,EAAE,eAAe,CAAC,EAC1E,EAAE,SAAS,EAAE,MAAM,EAAE,CACtB,CAAC;IACF,MAAM,KAAK,GAAG,cAAc,CAAsB,OAAO,CAAC,MAAM,CAAC,CAAC;IAElE,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IAElC,wEAAwE;IACxE,uEAAuE;IACvE,qEAAqE;IACrE,MAAM,GAAG,GAA6B,EAAE,CAAC;IACzC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,GAAG,GAAG,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACtC,MAAM,QAAQ,GACZ,OAAO,IAAI,CAAC,sBAAsB,KAAK,QAAQ;YAC7C,CAAC,CAAC,IAAI,CAAC,sBAAsB;YAC7B,CAAC,CAAC,EAAE,CAAC;QACT,GAAG,CAAC,IAAI,CAAC;YACP,MAAM,EAAE,WAAW;YACnB,UAAU,EAAE,IAAI,CAAC,EAAE;YACnB,KAAK,EACH,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,IAAI,IAAI,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC;gBACrD,CAAC,CAAC,IAAI,CAAC,KAAK;gBACZ,CAAC,CAAC,IAAI,CAAC,EAAE;YACb,QAAQ;YACR,MAAM,EAAE,GAAG,CAAC,CAAC,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI;YACzC,GAAG,EAAE,GAAG,IAAI,IAAI;YAChB,SAAS,EAAE,SAAS,CAAC,IAAI,CAAC,UAAU,CAAC;SACtC,CAAC,CAAC;IACL,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAC1C,KAAY,EACZ,IAAY,EACZ,UAAkB;IAElB,IAAI,CAAC,UAAU;QACb,MAAM,IAAI,SAAS,CAAC,6CAA6C,CAAC,CAAC;IACrE,MAAM,WAAW,GAAG,MAAM,0BAA0B,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;IAElE,yEAAyE;IACzE,qCAAqC;IACrC,MAAM,GAAG,GAAG,MAAM,IAAI,CACpB,IAAI,EACJ,CAAC,GAAG,WAAW,EAAE,MAAM,EAAE,KAAK,EAAE,UAAU,EAAE,eAAe,CAAC,EAC5D,EAAE,SAAS,EAAE,MAAM,EAAE,CACtB,CAAC;IACF,MAAM,IAAI,GAAG,eAAe,CAA0B,GAAG,CAAC,MAAM,CAAC,CAAC;IAElE,MAAM,QAAQ,GAAG,uBAAuB,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;IACrD,MAAM,QAAQ,GAAG,oBAAoB,CAAC,IAAI,EAAE,UAAU,CAAC,IAAI,EAAE,CAAC;IAC9D,MAAM,IAAI,GACR,oBAAoB,CAAC,IAAI,EAAE,mBAAmB,CAAC;QAC/C,oBAAoB,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;IACrC,MAAM,GAAG,GAAG,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAEtC,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,MAAM,IAAI,KAAK,CAAC,oBAAoB,UAAU,wBAAwB,CAAC,CAAC;IAC1E,CAAC;IAED,MAAM,MAAM,GAAwB;QAClC,MAAM,EAAE,WAAW;QACnB,UAAU,EAAE,IAAI,CAAC,EAAE;QACnB,KAAK,EACH,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,IAAI,IAAI,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC;YACrD,CAAC,CAAC,IAAI,CAAC,KAAK;YACZ,CAAC,CAAC,IAAI,CAAC,EAAE;QACb,QAAQ;QACR,MAAM,EAAE,GAAG,CAAC,CAAC,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI;QACzC,GAAG,EAAE,GAAG,IAAI,IAAI;QAChB,SAAS,EAAE,SAAS,CAAC,IAAI,CAAC,UAAU,CAAC;QACrC,QAAQ;QACR,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAC1B,CAAC;IACF,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,uBAAuB,CAC9B,IAAyC;IAEzC,IAAI,CAAC,IAAI,EAAE,MAAM;QAAE,OAAO,IAAI,CAAC;IAC/B,6EAA6E;IAC7E,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,CAAC,IAAI,CAChC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,KAAK,UAAU,IAAI,OAAO,CAAC,CAAC,KAAK,KAAK,QAAQ,CAC/D,CAAC;IACF,IAAI,SAAS,EAAE,KAAK;QAAE,OAAO,SAAS,CAAC,KAAK,CAAC;IAC7C,8CAA8C;IAC9C,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,CAAC,IAAI,CAC9B,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,KAAK,UAAU,IAAI,OAAO,CAAC,CAAC,KAAK,KAAK,QAAQ,CAC7D,CAAC;IACF,OAAO,OAAO,EAAE,KAAK,IAAI,IAAI,CAAC;AAChC,CAAC;AAED,SAAS,oBAAoB,CAC3B,IAA6B,EAC7B,KAAa;IAEb,IAAI,CAAC,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IAC9B,IAAI,KAAK,KAAK,UAAU,EAAE,CAAC;QACzB,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,CAAC,IAAI,CAChC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,KAAK,UAAU,IAAI,OAAO,CAAC,CAAC,KAAK,KAAK,QAAQ,CAC/D,CAAC;QACF,IAAI,SAAS,EAAE,KAAK;YAAE,OAAO,SAAS,CAAC,KAAK,CAAC;IAC/C,CAAC;IACD,MAAM,OAAO,GAAG,KAAK,CAAC,WAAW,EAAE,CAAC;IACpC,MAAM,KAAK,GAAG,IAAI,CAAC,MAAM,CAAC,IAAI,CAC5B,CAAC,CAAC,EAAE,EAAE,CACJ,OAAO,CAAC,CAAC,KAAK,KAAK,QAAQ;QAC3B,CAAC,CAAC,KAAK,CAAC,WAAW,EAAE,KAAK,OAAO;QACjC,OAAO,CAAC,CAAC,KAAK,KAAK,QAAQ,CAC9B,CAAC;IACF,OAAO,KAAK,EAAE,KAAK,IAAI,IAAI,CAAC;AAC9B,CAAC;AAiBD,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,KAAY,EACZ,IAAY;IAEZ,MAAM,OAAO,GAAG,MAAM,gBAAgB,CAAC,KAAK,EAAE,WAAW,CAAC,CAAC;IAE3D,yEAAyE;IACzE,4EAA4E;IAC5E,8BAA8B;IAC9B,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE;QAC9C,GAAG,EAAE,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,UAAU,EAAE,OAAO,EAAE;QAC5C,SAAS,EAAE,MAAM;KAClB,CAAC,CAAC;IACH,MAAM,KAAK,GAAG,cAAc,CAAgB,GAAG,CAAC,MAAM,CAAC,CAAC;IAExD,MAAM,MAAM,GAA6B,EAAE,CAAC;IAC5C,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,IAAI,IAAI,CAAC,IAAI,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK;YAAE,SAAS;QAC7C,MAAM,GAAG,GAAG,gBAAgB,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,IAAI,IAAI,CAAC,CAAC;QACtD,MAAM,CAAC,IAAI,CAAC;YACV,MAAM,EAAE,WAAW;YACnB,UAAU,EAAE,IAAI,CAAC,EAAE;YACnB,KAAK,EACH,OAAO,IAAI,CAAC,IAAI,KAAK,QAAQ,IAAI,IAAI,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC;gBACnD,CAAC,CAAC,IAAI,CAAC,IAAI;gBACX,CAAC,CAAC,IAAI,CAAC,EAAE;YACb,QAAQ,EACN,OAAO,IAAI,CAAC,KAAK,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE;YACpE,MAAM,EAAE,GAAG,CAAC,CAAC,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI;YACzC,GAAG,EAAE,GAAG,IAAI,IAAI;YAChB,SAAS,EAAE,SAAS,CAAC,IAAI,CAAC,YAAY,CAAC;SACxC,CAAC,CAAC;IACL,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,KAAY,EACZ,IAAY,EACZ,UAAkB;IAElB,IAAI,CAAC,UAAU;QACb,MAAM,IAAI,SAAS,CAAC,2CAA2C,CAAC,CAAC;IACnE,MAAM,OAAO,GAAG,MAAM,gBAAgB,CAAC,KAAK,EAAE,WAAW,CAAC,CAAC;IAE3D,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE;QACxD,GAAG,EAAE,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,UAAU,EAAE,OAAO,EAAE;QAC5C,SAAS,EAAE,MAAM;KAClB,CAAC,CAAC;IACH,MAAM,IAAI,GAAG,eAAe,CAAgB,GAAG,CAAC,MAAM,CAAC,CAAC;IACxD,IAAI,IAAI,CAAC,IAAI,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;QACnC,MAAM,IAAI,KAAK,CAAC,oBAAoB,UAAU,iBAAiB,CAAC,CAAC;IACnE,CAAC;IACD,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,IAAI,EAAE,CAAC;IAC3C,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,MAAM,IAAI,KAAK,CAAC,oBAAoB,UAAU,kBAAkB,CAAC,CAAC;IACpE,CAAC;IACD,MAAM,GAAG,GAAG,gBAAgB,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,IAAI,IAAI,CAAC,CAAC;IACtD,OAAO;QACL,MAAM,EAAE,WAAW;QACnB,UAAU,EAAE,IAAI,CAAC,EAAE;QACnB,KAAK,EACH,OAAO,IAAI,CAAC,IAAI,KAAK,QAAQ,IAAI,IAAI,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC;YACnD,CAAC,CAAC,IAAI,CAAC,IAAI;YACX,CAAC,CAAC,IAAI,CAAC,EAAE;QACb,QAAQ,EACN,OAAO,IAAI,CAAC,KAAK,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE;QACpE,MAAM,EAAE,GAAG,CAAC,CAAC,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI;QACzC,GAAG,EAAE,GAAG,IAAI,IAAI;QAChB,SAAS,EAAE,SAAS,CAAC,IAAI,CAAC,YAAY,CAAC;QACvC,QAAQ;QACR,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KACtD,CAAC;AACJ,CAAC;AAED,SAAS,gBAAgB,CACvB,IAAqD;IAErD,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAC5C,KAAK,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC;QACrB,IAAI,OAAO,CAAC,CAAC,GAAG,KAAK,QAAQ,IAAI,CAAC,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC;YAAE,OAAO,CAAC,CAAC,GAAG,CAAC;IAClE,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,yEAAyE;AAEzE,KAAK,UAAU,gBAAgB,CAC7B,KAAY,EACZ,MAA2B;IAE3B,MAAM,GAAG,GAAG,MAAM,MAAM,UAAU,CAAC;IACnC,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAAE,MAAM,IAAI,uBAAuB,CAAC,MAAM,CAAC,CAAC;IACvE,MAAM,KAAK,GAAG,CAAC,MAAM,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IAC5C,IAAI,CAAC,KAAK;QAAE,MAAM,IAAI,uBAAuB,CAAC,MAAM,CAAC,CAAC;IACtD,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,KAAK,UAAU,0BAA0B,CACvC,KAAY,EACZ,IAAY;IAEZ,MAAM,OAAO,GAAG,MAAM,oBAAoB,CAAC,IAAI,CAAC,CAAC;IACjD,MAAM,UAAU,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC,aAAa,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IAC3D,IAAI,MAAM,kCAAkC,CAAC,IAAI,EAAE,UAAU,CAAC,EAAE,CAAC;QAC/D,OAAO,UAAU,CAAC;IACpB,CAAC;IACD,MAAM,OAAO,GAAG,MAAM,gBAAgB,CAAC,KAAK,EAAE,WAAW,CAAC,CAAC;IAC3D,OAAO,CAAC,GAAG,UAAU,EAAE,aAAa,OAAO,EAAE,CAAC,CAAC;AACjD,CAAC;AAED,KAAK,UAAU,oBAAoB,CAAC,IAAY;IAC9C,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,eAAe,CAAC,EAAE;YACjE,SAAS,EAAE,IAAI;SAChB,CAAC,CAAC;QACH,MAAM,QAAQ,GAAG,cAAc,CAI5B,GAAG,CAAC,MAAM,CAAC,CAAC;QACf,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;YACzB,IAAI,OAAO,CAAC,CAAC,SAAS,KAAK,QAAQ,IAAI,CAAC,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC9D,OAAO,CAAC,CAAC,SAAS,CAAC;YACrB,CAAC;YACD,qEAAqE;YACrE,6DAA6D;YAC7D,IAAI,OAAO,CAAC,CAAC,GAAG,KAAK,QAAQ,EAAE,CAAC;gBAC9B,MAAM,GAAG,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;gBAChC,IAAI,GAAG;oBAAE,OAAO,GAAG,CAAC;YACtB,CAAC;QACH,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,KAAK,UAAU,kCAAkC,CAC/C,IAAY,EACZ,UAA6B;IAE7B,oEAAoE;IACpE,mEAAmE;IACnE,+DAA+D;IAC/D,uCAAuC;IACvC,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAC1C,IAAI,CAAC;QACH,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC,GAAG,UAAU,EAAE,OAAO,EAAE,MAAM,EAAE,eAAe,CAAC,EAAE;YAClE,SAAS,EAAE,IAAI;SAChB,CAAC,CAAC;QACH,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,SAAS,cAAc,CACrB,IAEa;IAEb,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAC5C,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CACvB,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,KAAK,IAAI,IAAI,OAAO,CAAC,CAAC,IAAI,KAAK,QAAQ,CACxD,CAAC;IACF,IAAI,OAAO,EAAE,IAAI;QAAE,OAAO,OAAO,CAAC,IAAI,CAAC;IACvC,KAAK,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC;QACrB,IAAI,OAAO,CAAC,CAAC,IAAI,KAAK,QAAQ,IAAI,CAAC,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC;YAAE,OAAO,CAAC,CAAC,IAAI,CAAC;IACrE,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,eAAe,CAAC,GAAW;IAClC,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,WAAW,GAAG,EAAE,CAAC,CAAC;QACrE,MAAM,IAAI,GAAG,MAAM,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;QAC3C,OAAO,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC;IACvC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,SAAS,SAAS,CAAC,KAAyB;IAC1C,IAAI,CAAC,KAAK;QAAE,OAAO,CAAC,CAAC;IACrB,MAAM,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IAC7B,OAAO,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;AACtC,CAAC;AAED,SAAS,cAAc,CAAI,GAAW;IACpC,MAAM,OAAO,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC;IAC3B,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IACpC,MAAM,MAAM,GAAY,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IAC5C,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QAC3B,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;IACxD,CAAC;IACD,OAAO,MAAsB,CAAC;AAChC,CAAC;AAED,SAAS,eAAe,CAAI,GAAW;IACrC,MAAM,OAAO,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC;IAC3B,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;QACtB,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;IAC5D,MAAM,MAAM,GAAY,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IAC5C,IAAI,MAAM,KAAK,IAAI,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QAC3E,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;IAC1D,CAAC;IACD,OAAO,MAAW,CAAC;AACrB,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,aAAa;IAC3B,qEAAqE;IACrE,mDAAmD;IACnD,OAAO,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,IAAI,EAAE,EAAE;QAC/B,MAAM,YAAY,GAAG,MAAM,MAAM,CAAC,oBAAoB,CAAC,CAAC;QACxD,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YACrC,MAAM,KAAK,GAAG,YAAY,CAAC,QAAQ,CACjC,GAAG,EACH,CAAC,GAAG,IAAI,CAAC,EACT;gBACE,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACtC,OAAO,EAAE,IAAI,CAAC,SAAS,IAAI,MAAM;gBACjC,SAAS,EAAE,EAAE,GAAG,IAAI,GAAG,IAAI;gBAC3B,QAAQ,EAAE,MAAM;aACjB,EACD,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,EAAE;gBACxB,IAAI,KAAK,EAAE,CAAC;oBACV,MAAM,CAAC,KAAK,CAAC,CAAC;oBACd,OAAO;gBACT,CAAC;gBACD,sDAAsD;gBACtD,OAAO,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;YAC9B,CAAC,CACF,CAAC;YACF,IAAI,IAAI,CAAC,KAAK,KAAK,SAAS,IAAI,KAAK,CAAC,KAAK,EAAE,CAAC;gBAC5C,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;gBAC9B,KAAK,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC;YACpB,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC,CAAC;AACJ,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,35 @@
+/**
+ * @elizaos/vault — simple secrets/config vault.
+ *
+ *   import { createVault } from "@elizaos/vault";
+ *
+ *   const vault = createVault();
+ *   await vault.set("openrouter.apiKey", "sk-or-v1-...", { sensitive: true });
+ *   await vault.set("ui.theme", "dark");
+ *   const apiKey = await vault.get("openrouter.apiKey");
+ *
+ * One API for sensitive credentials and non-sensitive config. Sensitive
+ * values encrypted at rest with the master key in the OS keychain.
+ * Password-manager references (1Password, Proton Pass) are first-class
+ * — the value lives there, the vault stores only the reference.
+ */
+export { createVault, VaultMissError } from "./vault.js";
+export type { CreateVaultOptions, SetOptions, Vault, } from "./vault.js";
+export { defaultMasterKey, inMemoryMasterKey, MasterKeyUnavailableError, osKeychainMasterKey, passphraseMasterKey, passphraseMasterKeyFromEnv, } from "./master-key.js";
+export type { MasterKeyResolver, OsKeychainOptions, PassphraseOptions, } from "./master-key.js";
+export { encrypt, decrypt, generateMasterKey, KEY_BYTES, CryptoError, } from "./crypto.js";
+export { PasswordManagerError, resolveReference, } from "./password-managers.js";
+export { createManager, DEFAULT_PREFERENCES, } from "./manager.js";
+export type { BackendId, BackendStatus, CreateManagerOptions, ListAllSavedLoginsOptions, ManagerPreferences, ManagerSetOptions, SecretsManager, UnifiedLoginListEntry, UnifiedLoginListResult, UnifiedLoginReveal, } from "./manager.js";
+export { BackendNotSignedInError, defaultExecFn, listBitwardenLogins, listOnePasswordLogins, revealBitwardenLogin, revealOnePasswordLogin, } from "./external-credentials.js";
+export type { ExecFn, ExternalLoginListEntry, ExternalLoginReveal, ExternalLoginSource, } from "./external-credentials.js";
+export { BACKEND_INSTALL_SPECS, buildInstallCommand, currentPlatform, detectPackageManagers, resetInstallerCache, resolveRunnableMethods, } from "./install.js";
+export type { BackendInstallSpec, InstallMethod, InstallMethodKind, PackageManagerAvailability, SupportedPlatform, } from "./install.js";
+export type { AuditRecord, PasswordManagerReference, VaultDescriptor, VaultLogger, VaultStats, } from "./types.js";
+export { deleteSavedLogin, getAutofillAllowed, getSavedLogin, listSavedLogins, setAutofillAllowed, setSavedLogin, } from "./credentials.js";
+export type { SavedLogin, SavedLoginSummary } from "./credentials.js";
+export { categorizeKey, inferProviderId, listVaultInventory, META_PREFIX, profileStorageKey, PROFILE_SEGMENT, readEntryMeta, removeEntryMeta, ROUTING_KEY, setEntryMeta, } from "./inventory.js";
+export type { VaultEntryCategory, VaultEntryMeta, VaultEntryMetaRecord, VaultEntryMetaUpdate, VaultEntryProfile, } from "./inventory.js";
+export { readRoutingConfig, resolveActiveValue, writeRoutingConfig, } from "./profiles.js";
+export type { ResolutionContext, RoutingConfig, RoutingRule, RoutingScope, RoutingScopeKind, } from "./profiles.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,EAAE,WAAW,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AACzD,YAAY,EACV,kBAAkB,EAClB,UAAU,EACV,KAAK,GACN,MAAM,YAAY,CAAC;AAEpB,OAAO,EACL,gBAAgB,EAChB,iBAAiB,EACjB,yBAAyB,EACzB,mBAAmB,EACnB,mBAAmB,EACnB,0BAA0B,GAC3B,MAAM,iBAAiB,CAAC;AACzB,YAAY,EACV,iBAAiB,EACjB,iBAAiB,EACjB,iBAAiB,GAClB,MAAM,iBAAiB,CAAC;AAEzB,OAAO,EACL,OAAO,EACP,OAAO,EACP,iBAAiB,EACjB,SAAS,EACT,WAAW,GACZ,MAAM,aAAa,CAAC;AAErB,OAAO,EACL,oBAAoB,EACpB,gBAAgB,GACjB,MAAM,wBAAwB,CAAC;AAEhC,OAAO,EACL,aAAa,EACb,mBAAmB,GACpB,MAAM,cAAc,CAAC;AACtB,YAAY,EACV,SAAS,EACT,aAAa,EACb,oBAAoB,EACpB,yBAAyB,EACzB,kBAAkB,EAClB,iBAAiB,EACjB,cAAc,EACd,qBAAqB,EACrB,sBAAsB,EACtB,kBAAkB,GACnB,MAAM,cAAc,CAAC;AAEtB,OAAO,EACL,uBAAuB,EACvB,aAAa,EACb,mBAAmB,EACnB,qBAAqB,EACrB,oBAAoB,EACpB,sBAAsB,GACvB,MAAM,2BAA2B,CAAC;AACnC,YAAY,EACV,MAAM,EACN,sBAAsB,EACtB,mBAAmB,EACnB,mBAAmB,GACpB,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EACL,qBAAqB,EACrB,mBAAmB,EACnB,eAAe,EACf,qBAAqB,EACrB,mBAAmB,EACnB,sBAAsB,GACvB,MAAM,cAAc,CAAC;AACtB,YAAY,EACV,kBAAkB,EAClB,aAAa,EACb,iBAAiB,EACjB,0BAA0B,EAC1B,iBAAiB,GAClB,MAAM,cAAc,CAAC;AAEtB,YAAY,EACV,WAAW,EACX,wBAAwB,EACxB,eAAe,EACf,WAAW,EACX,UAAU,GACX,MAAM,YAAY,CAAC;AAEpB,OAAO,EACL,gBAAgB,EAChB,kBAAkB,EAClB,aAAa,EACb,eAAe,EACf,kBAAkB,EAClB,aAAa,GACd,MAAM,kBAAkB,CAAC;AAC1B,YAAY,EAAE,UAAU,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AAEtE,OAAO,EACL,aAAa,EACb,eAAe,EACf,kBAAkB,EAClB,WAAW,EACX,iBAAiB,EACjB,eAAe,EACf,aAAa,EACb,eAAe,EACf,WAAW,EACX,YAAY,GACb,MAAM,gBAAgB,CAAC;AACxB,YAAY,EACV,kBAAkB,EAClB,cAAc,EACd,oBAAoB,EACpB,oBAAoB,EACpB,iBAAiB,GAClB,MAAM,gBAAgB,CAAC;AAExB,OAAO,EACL,iBAAiB,EACjB,kBAAkB,EAClB,kBAAkB,GACnB,MAAM,eAAe,CAAC;AACvB,YAAY,EACV,iBAAiB,EACjB,aAAa,EACb,WAAW,EACX,YAAY,EACZ,gBAAgB,GACjB,MAAM,eAAe,CAAC"}

package/dist/index.js

@@ -0,0 +1,26 @@
+/**
+ * @elizaos/vault — simple secrets/config vault.
+ *
+ *   import { createVault } from "@elizaos/vault";
+ *
+ *   const vault = createVault();
+ *   await vault.set("openrouter.apiKey", "sk-or-v1-...", { sensitive: true });
+ *   await vault.set("ui.theme", "dark");
+ *   const apiKey = await vault.get("openrouter.apiKey");
+ *
+ * One API for sensitive credentials and non-sensitive config. Sensitive
+ * values encrypted at rest with the master key in the OS keychain.
+ * Password-manager references (1Password, Proton Pass) are first-class
+ * — the value lives there, the vault stores only the reference.
+ */
+export { createVault, VaultMissError } from "./vault.js";
+export { defaultMasterKey, inMemoryMasterKey, MasterKeyUnavailableError, osKeychainMasterKey, passphraseMasterKey, passphraseMasterKeyFromEnv, } from "./master-key.js";
+export { encrypt, decrypt, generateMasterKey, KEY_BYTES, CryptoError, } from "./crypto.js";
+export { PasswordManagerError, resolveReference, } from "./password-managers.js";
+export { createManager, DEFAULT_PREFERENCES, } from "./manager.js";
+export { BackendNotSignedInError, defaultExecFn, listBitwardenLogins, listOnePasswordLogins, revealBitwardenLogin, revealOnePasswordLogin, } from "./external-credentials.js";
+export { BACKEND_INSTALL_SPECS, buildInstallCommand, currentPlatform, detectPackageManagers, resetInstallerCache, resolveRunnableMethods, } from "./install.js";
+export { deleteSavedLogin, getAutofillAllowed, getSavedLogin, listSavedLogins, setAutofillAllowed, setSavedLogin, } from "./credentials.js";
+export { categorizeKey, inferProviderId, listVaultInventory, META_PREFIX, profileStorageKey, PROFILE_SEGMENT, readEntryMeta, removeEntryMeta, ROUTING_KEY, setEntryMeta, } from "./inventory.js";
+export { readRoutingConfig, resolveActiveValue, writeRoutingConfig, } from "./profiles.js";
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,EAAE,WAAW,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAOzD,OAAO,EACL,gBAAgB,EAChB,iBAAiB,EACjB,yBAAyB,EACzB,mBAAmB,EACnB,mBAAmB,EACnB,0BAA0B,GAC3B,MAAM,iBAAiB,CAAC;AAOzB,OAAO,EACL,OAAO,EACP,OAAO,EACP,iBAAiB,EACjB,SAAS,EACT,WAAW,GACZ,MAAM,aAAa,CAAC;AAErB,OAAO,EACL,oBAAoB,EACpB,gBAAgB,GACjB,MAAM,wBAAwB,CAAC;AAEhC,OAAO,EACL,aAAa,EACb,mBAAmB,GACpB,MAAM,cAAc,CAAC;AActB,OAAO,EACL,uBAAuB,EACvB,aAAa,EACb,mBAAmB,EACnB,qBAAqB,EACrB,oBAAoB,EACpB,sBAAsB,GACvB,MAAM,2BAA2B,CAAC;AAQnC,OAAO,EACL,qBAAqB,EACrB,mBAAmB,EACnB,eAAe,EACf,qBAAqB,EACrB,mBAAmB,EACnB,sBAAsB,GACvB,MAAM,cAAc,CAAC;AAiBtB,OAAO,EACL,gBAAgB,EAChB,kBAAkB,EAClB,aAAa,EACb,eAAe,EACf,kBAAkB,EAClB,aAAa,GACd,MAAM,kBAAkB,CAAC;AAG1B,OAAO,EACL,aAAa,EACb,eAAe,EACf,kBAAkB,EAClB,WAAW,EACX,iBAAiB,EACjB,eAAe,EACf,aAAa,EACb,eAAe,EACf,WAAW,EACX,YAAY,GACb,MAAM,gBAAgB,CAAC;AASxB,OAAO,EACL,iBAAiB,EACjB,kBAAkB,EAClB,kBAAkB,GACnB,MAAM,eAAe,CAAC"}

package/dist/install.d.ts

@@ -0,0 +1,70 @@
+/**
+ * Install spec — what install methods exist for each external secrets-manager
+ * backend on which OS, and how to detect whether a given package manager is
+ * present on the host.
+ *
+ * Detection-only. The actual `child_process` execution and streaming live in
+ * the consumer (app-core's `secrets-manager-installer`); this module is pure
+ * data + small async checks so it stays usable from the vault package
+ * without pulling in spawn/PTY machinery.
+ */
+import type { BackendId } from "./manager.js";
+/** A concrete way to install one CLI on one OS. */
+export type InstallMethod = {
+    readonly kind: "brew";
+    /** brew formula or cask name. */
+    readonly package: string;
+    /** True for `brew install --cask <package>`. */
+    readonly cask: boolean;
+} | {
+    readonly kind: "npm";
+    /** npm package name to install with `-g`. */
+    readonly package: string;
+} | {
+    readonly kind: "manual";
+    readonly instructions: string;
+    readonly url: string;
+};
+export type InstallMethodKind = InstallMethod["kind"];
+export type SupportedPlatform = "darwin" | "linux" | "win32";
+/** Per-OS install methods for one backend. */
+export interface BackendInstallSpec {
+    readonly id: BackendId;
+    /** First entry in each platform list is the preferred default. */
+    readonly methods: Readonly<Partial<Record<SupportedPlatform, readonly InstallMethod[]>>>;
+}
+/**
+ * Install specs for each external backend.
+ *
+ * Sources:
+ *   - 1Password CLI: `brew install --cask 1password-cli`
+ *     (https://developer.1password.com/docs/cli/get-started)
+ *   - Bitwarden CLI: `brew install bitwarden-cli` (formula, not cask) or
+ *     `npm install -g @bitwarden/cli`
+ *     (https://bitwarden.com/help/cli/)
+ *   - Proton Pass CLI: vendor CLI is in beta, no automated install path yet.
+ */
+export declare const BACKEND_INSTALL_SPECS: Readonly<Record<Exclude<BackendId, "in-house">, BackendInstallSpec>>;
+export interface PackageManagerAvailability {
+    readonly brew: boolean;
+    readonly npm: boolean;
+}
+export declare function detectPackageManagers(): Promise<PackageManagerAvailability>;
+export declare function resetInstallerCache(): void;
+/**
+ * Resolve the install methods that are *runnable on this host* for a given
+ * backend. Manual methods are always returned (so the UI can show the doc
+ * link); brew/npm methods are filtered to those whose tool is present.
+ */
+export declare function resolveRunnableMethods(id: Exclude<BackendId, "in-house">, platform?: SupportedPlatform): Promise<readonly InstallMethod[]>;
+export declare function currentPlatform(): SupportedPlatform;
+/**
+ * Build the argv for a given install method. Caller spawns directly with
+ * argv (no shell interpolation). Returns null for `manual` — those have no
+ * automated execution path.
+ */
+export declare function buildInstallCommand(method: InstallMethod): {
+    command: string;
+    args: readonly string[];
+} | null;
+//# sourceMappingURL=install.d.ts.map

package/dist/install.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"install.d.ts","sourceRoot":"","sources":["../src/install.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAIH,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAI9C,mDAAmD;AACnD,MAAM,MAAM,aAAa,GACrB;IACE,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,iCAAiC;IACjC,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,gDAAgD;IAChD,QAAQ,CAAC,IAAI,EAAE,OAAO,CAAC;CACxB,GACD;IACE,QAAQ,CAAC,IAAI,EAAE,KAAK,CAAC;IACrB,6CAA6C;IAC7C,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;CAC1B,GACD;IACE,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAC;IACxB,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;CACtB,CAAC;AAEN,MAAM,MAAM,iBAAiB,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;AAEtD,MAAM,MAAM,iBAAiB,GAAG,QAAQ,GAAG,OAAO,GAAG,OAAO,CAAC;AAE7D,8CAA8C;AAC9C,MAAM,WAAW,kBAAkB;IACjC,QAAQ,CAAC,EAAE,EAAE,SAAS,CAAC;IACvB,kEAAkE;IAClE,QAAQ,CAAC,OAAO,EAAE,QAAQ,CACxB,OAAO,CAAC,MAAM,CAAC,iBAAiB,EAAE,SAAS,aAAa,EAAE,CAAC,CAAC,CAC7D,CAAC;CACH;AAED;;;;;;;;;;GAUG;AACH,eAAO,MAAM,qBAAqB,EAAE,QAAQ,CAC1C,MAAM,CAAC,OAAO,CAAC,SAAS,EAAE,UAAU,CAAC,EAAE,kBAAkB,CAAC,CAwE3D,CAAC;AASF,MAAM,WAAW,0BAA0B;IACzC,QAAQ,CAAC,IAAI,EAAE,OAAO,CAAC;IACvB,QAAQ,CAAC,GAAG,EAAE,OAAO,CAAC;CACvB;AAED,wBAAsB,qBAAqB,IAAI,OAAO,CAAC,0BAA0B,CAAC,CAQjF;AAED,wBAAgB,mBAAmB,IAAI,IAAI,CAE1C;AAWD;;;;GAIG;AACH,wBAAsB,sBAAsB,CAC1C,EAAE,EAAE,OAAO,CAAC,SAAS,EAAE,UAAU,CAAC,EAClC,QAAQ,GAAE,iBAAqC,GAC9C,OAAO,CAAC,SAAS,aAAa,EAAE,CAAC,CAUnC;AAED,wBAAgB,eAAe,IAAI,iBAAiB,CAMnD;AAED;;;;GAIG;AACH,wBAAgB,mBAAmB,CACjC,MAAM,EAAE,aAAa,GACpB;IAAE,OAAO,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,SAAS,MAAM,EAAE,CAAA;CAAE,GAAG,IAAI,CAWrD"}