npm - @elizaos/vault - Versions diffs - 2.0.0-alpha.537 - Mend

@elizaos/vault 2.0.0-alpha.537

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (62) hide show

package/README.md +159 -0
package/dist/audit.d.ts +14 -0
package/dist/audit.d.ts.map +1 -0
package/dist/audit.js +27 -0
package/dist/audit.js.map +1 -0
package/dist/credentials.d.ts +58 -0
package/dist/credentials.d.ts.map +1 -0
package/dist/credentials.js +157 -0
package/dist/credentials.js.map +1 -0
package/dist/crypto.d.ts +18 -0
package/dist/crypto.d.ts.map +1 -0
package/dist/crypto.js +67 -0
package/dist/crypto.js.map +1 -0
package/dist/external-credentials.d.ts +62 -0
package/dist/external-credentials.d.ts.map +1 -0
package/dist/external-credentials.js +335 -0
package/dist/external-credentials.js.map +1 -0
package/dist/index.d.ts +35 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +26 -0
package/dist/index.js.map +1 -0
package/dist/install.d.ts +70 -0
package/dist/install.d.ts.map +1 -0
package/dist/install.js +163 -0
package/dist/install.js.map +1 -0
package/dist/inventory.d.ts +140 -0
package/dist/inventory.d.ts.map +1 -0
package/dist/inventory.js +319 -0
package/dist/inventory.js.map +1 -0
package/dist/manager.d.ts +161 -0
package/dist/manager.d.ts.map +1 -0
package/dist/manager.js +466 -0
package/dist/manager.js.map +1 -0
package/dist/master-key.d.ts +86 -0
package/dist/master-key.d.ts.map +1 -0
package/dist/master-key.js +247 -0
package/dist/master-key.js.map +1 -0
package/dist/password-managers.d.ts +17 -0
package/dist/password-managers.d.ts.map +1 -0
package/dist/password-managers.js +59 -0
package/dist/password-managers.js.map +1 -0
package/dist/profiles.d.ts +68 -0
package/dist/profiles.d.ts.map +1 -0
package/dist/profiles.js +189 -0
package/dist/profiles.js.map +1 -0
package/dist/store.d.ts +22 -0
package/dist/store.d.ts.map +1 -0
package/dist/store.js +137 -0
package/dist/store.js.map +1 -0
package/dist/testing.d.ts +32 -0
package/dist/testing.d.ts.map +1 -0
package/dist/testing.js +70 -0
package/dist/testing.js.map +1 -0
package/dist/types.d.ts +56 -0
package/dist/types.d.ts.map +1 -0
package/dist/types.js +12 -0
package/dist/types.js.map +1 -0
package/dist/vault.d.ts +77 -0
package/dist/vault.d.ts.map +1 -0
package/dist/vault.js +269 -0
package/dist/vault.js.map +1 -0
package/package.json +59 -0

package/dist/profiles.js ADDED Viewed

@@ -0,0 +1,189 @@
+/**
+ * Profile resolution + per-context routing on top of `Vault`.
+ *
+ * Two layers:
+ *
+ * 1. Per-key active profile.
+ *    A key K can have multiple named profiles (e.g. work, personal,
+ *    throwaway). Each profile's value lives at `K.profile.<profileId>`;
+ *    the meta blob (`_meta.K`) tracks the profile list and which one
+ *    is currently active for bare reads. When no meta is present the
+ *    legacy storage path is used (the value lives at K itself).
+ *
+ * 2. Per-context routing rules.
+ *    A user can declare "for OPENROUTER_API_KEY, when agentId=X use the
+ *    work profile". Rules are walked in order; the first match wins.
+ *    Falls back to the key's `activeProfile`, then to the global
+ *    `defaultProfile`, then to the legacy bare-key value.
+ *
+ * The vault stays dumb: every read goes through `Vault.get/has`. The
+ * only routing logic lives here so the vault contract is unchanged.
+ */
+import { META_PREFIX, profileStorageKey, readEntryMeta, ROUTING_KEY, } from "./inventory.js";
+const EMPTY_ROUTING = { rules: [] };
+// ── Public API ─────────────────────────────────────────────────────
+/**
+ * Resolve `key` against (a) per-context routing rules, (b) the key's
+ * `activeProfile`, (c) the global `defaultProfile`, then (d) the bare
+ * key value.
+ *
+ * Throws when none of the above resolves to a stored value — callers
+ * decide how to surface the miss (e.g. inventory routes return 404,
+ * runtime callers fall back to env var).
+ */
+export async function resolveActiveValue(vault, key, ctx) {
+    const meta = await readEntryMeta(vault, key);
+    const profiles = meta?.profiles ?? [];
+    const hasProfiles = profiles.length > 0;
+    if (hasProfiles) {
+        const routing = await readRoutingConfig(vault);
+        const ruled = pickRule(routing.rules, key, ctx);
+        const candidateOrder = [
+            ruled?.profileId,
+            meta?.activeProfile,
+            routing.defaultProfile,
+        ].filter((v) => typeof v === "string" && v.length > 0);
+        const allowed = new Set(profiles.map((p) => p.id));
+        for (const candidate of candidateOrder) {
+            if (!allowed.has(candidate))
+                continue;
+            const profileKey = profileStorageKey(key, candidate);
+            if (await vault.has(profileKey)) {
+                return vault.get(profileKey);
+            }
+        }
+        // Fall through to the bare key — preserves backwards compat for
+        // keys whose `meta.profiles` exists but the chosen profile blob
+        // is missing (a partial migration). This is intentional: the
+        // bare key is the legacy "default" location.
+    }
+    return vault.get(key);
+}
+/**
+ * Read the routing config blob from the vault. Missing or malformed
+ * entries return `EMPTY_ROUTING` — routing is best-effort overlay,
+ * not a load-bearing contract.
+ */
+export async function readRoutingConfig(vault) {
+    if (!(await vault.has(ROUTING_KEY)))
+        return EMPTY_ROUTING;
+    const raw = await vault.get(ROUTING_KEY);
+    return parseRoutingConfig(raw);
+}
+/** Persist the routing config blob. Caller-validated input. */
+export async function writeRoutingConfig(vault, config) {
+    const normalized = normalizeRoutingConfig(config);
+    await vault.set(ROUTING_KEY, JSON.stringify(normalized));
+}
+// ── Internals ───────────────────────────────────────────────────────
+function pickRule(rules, key, ctx) {
+    if (!ctx)
+        return null;
+    for (const rule of rules) {
+        if (rule.keyPattern !== key)
+            continue;
+        if (matchesScope(rule.scope, ctx))
+            return rule;
+    }
+    return null;
+}
+function matchesScope(scope, ctx) {
+    if (scope.kind === "agent") {
+        return (typeof scope.agentId === "string" &&
+            typeof ctx.agentId === "string" &&
+            scope.agentId === ctx.agentId);
+    }
+    if (scope.kind === "app") {
+        return (typeof scope.appName === "string" &&
+            typeof ctx.appName === "string" &&
+            scope.appName === ctx.appName);
+    }
+    if (scope.kind === "skill") {
+        return (typeof scope.skillId === "string" &&
+            typeof ctx.skillId === "string" &&
+            scope.skillId === ctx.skillId);
+    }
+    return false;
+}
+function parseRoutingConfig(raw) {
+    const parsed = JSON.parse(raw);
+    if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+        return EMPTY_ROUTING;
+    }
+    const obj = parsed;
+    const rules = [];
+    if (Array.isArray(obj.rules)) {
+        for (const r of obj.rules) {
+            const normalized = normalizeRule(r);
+            if (normalized)
+                rules.push(normalized);
+        }
+    }
+    const out = {
+        rules,
+        ...(typeof obj.defaultProfile === "string" && obj.defaultProfile.length > 0
+            ? { defaultProfile: obj.defaultProfile }
+            : {}),
+    };
+    return out;
+}
+function normalizeRoutingConfig(config) {
+    const rules = [];
+    for (const r of config.rules ?? []) {
+        const normalized = normalizeRule(r);
+        if (normalized)
+            rules.push(normalized);
+    }
+    return {
+        rules,
+        ...(typeof config.defaultProfile === "string" &&
+            config.defaultProfile.length > 0
+            ? { defaultProfile: config.defaultProfile }
+            : {}),
+    };
+}
+function normalizeRule(r) {
+    if (!r || typeof r !== "object")
+        return null;
+    const rec = r;
+    if (typeof rec.keyPattern !== "string" || rec.keyPattern.length === 0) {
+        return null;
+    }
+    if (rec.keyPattern.startsWith(META_PREFIX) ||
+        rec.keyPattern === ROUTING_KEY) {
+        return null; // never route an internal key
+    }
+    if (typeof rec.profileId !== "string" || rec.profileId.length === 0) {
+        return null;
+    }
+    const scope = rec.scope;
+    if (!scope || typeof scope !== "object")
+        return null;
+    const scopeRec = scope;
+    const kind = scopeRec.kind;
+    if (kind !== "agent" && kind !== "app" && kind !== "skill")
+        return null;
+    if (kind === "agent" && typeof scopeRec.agentId === "string") {
+        return {
+            keyPattern: rec.keyPattern,
+            scope: { kind: "agent", agentId: scopeRec.agentId },
+            profileId: rec.profileId,
+        };
+    }
+    if (kind === "app" && typeof scopeRec.appName === "string") {
+        return {
+            keyPattern: rec.keyPattern,
+            scope: { kind: "app", appName: scopeRec.appName },
+            profileId: rec.profileId,
+        };
+    }
+    if (kind === "skill" && typeof scopeRec.skillId === "string") {
+        return {
+            keyPattern: rec.keyPattern,
+            scope: { kind: "skill", skillId: scopeRec.skillId },
+            profileId: rec.profileId,
+        };
+    }
+    return null;
+}
+//# sourceMappingURL=profiles.js.map

package/dist/profiles.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"profiles.js","sourceRoot":"","sources":["../src/profiles.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAEH,OAAO,EACL,WAAW,EACX,iBAAiB,EACjB,aAAa,EACb,WAAW,GACZ,MAAM,gBAAgB,CAAC;AA+BxB,MAAM,aAAa,GAAkB,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC;AAQnD,sEAAsE;AAEtE;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,KAAY,EACZ,GAAW,EACX,GAAuB;IAEvB,MAAM,IAAI,GAAG,MAAM,aAAa,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IAC7C,MAAM,QAAQ,GAAG,IAAI,EAAE,QAAQ,IAAI,EAAE,CAAC;IACtC,MAAM,WAAW,GAAG,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC;IAExC,IAAI,WAAW,EAAE,CAAC;QAChB,MAAM,OAAO,GAAG,MAAM,iBAAiB,CAAC,KAAK,CAAC,CAAC;QAC/C,MAAM,KAAK,GAAG,QAAQ,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC;QAChD,MAAM,cAAc,GAAG;YACrB,KAAK,EAAE,SAAS;YAChB,IAAI,EAAE,aAAa;YACnB,OAAO,CAAC,cAAc;SACvB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;QACpE,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;QACnD,KAAK,MAAM,SAAS,IAAI,cAAc,EAAE,CAAC;YACvC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC;gBAAE,SAAS;YACtC,MAAM,UAAU,GAAG,iBAAiB,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;YACrD,IAAI,MAAM,KAAK,CAAC,GAAG,CAAC,UAAU,CAAC,EAAE,CAAC;gBAChC,OAAO,KAAK,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;YAC/B,CAAC;QACH,CAAC;QACD,gEAAgE;QAChE,gEAAgE;QAChE,6DAA6D;QAC7D,6CAA6C;IAC/C,CAAC;IAED,OAAO,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;AACxB,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,KAAY;IAClD,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;QAAE,OAAO,aAAa,CAAC;IAC1D,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;IACzC,OAAO,kBAAkB,CAAC,GAAG,CAAC,CAAC;AACjC,CAAC;AAED,+DAA+D;AAC/D,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,KAAY,EACZ,MAAqB;IAErB,MAAM,UAAU,GAAG,sBAAsB,CAAC,MAAM,CAAC,CAAC;IAClD,MAAM,KAAK,CAAC,GAAG,CAAC,WAAW,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC,CAAC;AAC3D,CAAC;AAED,uEAAuE;AAEvE,SAAS,QAAQ,CACf,KAAiC,EACjC,GAAW,EACX,GAAkC;IAElC,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IACtB,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,IAAI,IAAI,CAAC,UAAU,KAAK,GAAG;YAAE,SAAS;QACtC,IAAI,YAAY,CAAC,IAAI,CAAC,KAAK,EAAE,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;IACjD,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,YAAY,CAAC,KAAmB,EAAE,GAAsB;IAC/D,IAAI,KAAK,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;QAC3B,OAAO,CACL,OAAO,KAAK,CAAC,OAAO,KAAK,QAAQ;YACjC,OAAO,GAAG,CAAC,OAAO,KAAK,QAAQ;YAC/B,KAAK,CAAC,OAAO,KAAK,GAAG,CAAC,OAAO,CAC9B,CAAC;IACJ,CAAC;IACD,IAAI,KAAK,CAAC,IAAI,KAAK,KAAK,EAAE,CAAC;QACzB,OAAO,CACL,OAAO,KAAK,CAAC,OAAO,KAAK,QAAQ;YACjC,OAAO,GAAG,CAAC,OAAO,KAAK,QAAQ;YAC/B,KAAK,CAAC,OAAO,KAAK,GAAG,CAAC,OAAO,CAC9B,CAAC;IACJ,CAAC;IACD,IAAI,KAAK,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;QAC3B,OAAO,CACL,OAAO,KAAK,CAAC,OAAO,KAAK,QAAQ;YACjC,OAAO,GAAG,CAAC,OAAO,KAAK,QAAQ;YAC/B,KAAK,CAAC,OAAO,KAAK,GAAG,CAAC,OAAO,CAC9B,CAAC;IACJ,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,kBAAkB,CAAC,GAAW;IACrC,MAAM,MAAM,GAAY,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACxC,IAAI,CAAC,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QACnE,OAAO,aAAa,CAAC;IACvB,CAAC;IACD,MAAM,GAAG,GAAG,MAAiC,CAAC;IAC9C,MAAM,KAAK,GAAkB,EAAE,CAAC;IAChC,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;QAC7B,KAAK,MAAM,CAAC,IAAI,GAAG,CAAC,KAAK,EAAE,CAAC;YAC1B,MAAM,UAAU,GAAG,aAAa,CAAC,CAAC,CAAC,CAAC;YACpC,IAAI,UAAU;gBAAE,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACzC,CAAC;IACH,CAAC;IACD,MAAM,GAAG,GAAkB;QACzB,KAAK;QACL,GAAG,CAAC,OAAO,GAAG,CAAC,cAAc,KAAK,QAAQ,IAAI,GAAG,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC;YACzE,CAAC,CAAC,EAAE,cAAc,EAAE,GAAG,CAAC,cAAc,EAAE;YACxC,CAAC,CAAC,EAAE,CAAC;KACR,CAAC;IACF,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,sBAAsB,CAAC,MAAqB;IACnD,MAAM,KAAK,GAAkB,EAAE,CAAC;IAChC,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,KAAK,IAAI,EAAE,EAAE,CAAC;QACnC,MAAM,UAAU,GAAG,aAAa,CAAC,CAAC,CAAC,CAAC;QACpC,IAAI,UAAU;YAAE,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IACzC,CAAC;IACD,OAAO;QACL,KAAK;QACL,GAAG,CAAC,OAAO,MAAM,CAAC,cAAc,KAAK,QAAQ;YAC7C,MAAM,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC;YAC9B,CAAC,CAAC,EAAE,cAAc,EAAE,MAAM,CAAC,cAAc,EAAE;YAC3C,CAAC,CAAC,EAAE,CAAC;KACR,CAAC;AACJ,CAAC;AAED,SAAS,aAAa,CAAC,CAAU;IAC/B,IAAI,CAAC,CAAC,IAAI,OAAO,CAAC,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IAC7C,MAAM,GAAG,GAAG,CAA4B,CAAC;IACzC,IAAI,OAAO,GAAG,CAAC,UAAU,KAAK,QAAQ,IAAI,GAAG,CAAC,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtE,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IACE,GAAG,CAAC,UAAU,CAAC,UAAU,CAAC,WAAW,CAAC;QACtC,GAAG,CAAC,UAAU,KAAK,WAAW,EAC9B,CAAC;QACD,OAAO,IAAI,CAAC,CAAC,8BAA8B;IAC7C,CAAC;IACD,IAAI,OAAO,GAAG,CAAC,SAAS,KAAK,QAAQ,IAAI,GAAG,CAAC,SAAS,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACpE,OAAO,IAAI,CAAC;IACd,CAAC;IACD,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC;IACxB,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IACrD,MAAM,QAAQ,GAAG,KAAgC,CAAC;IAClD,MAAM,IAAI,GAAG,QAAQ,CAAC,IAAI,CAAC;IAC3B,IAAI,IAAI,KAAK,OAAO,IAAI,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,OAAO;QAAE,OAAO,IAAI,CAAC;IAExE,IAAI,IAAI,KAAK,OAAO,IAAI,OAAO,QAAQ,CAAC,OAAO,KAAK,QAAQ,EAAE,CAAC;QAC7D,OAAO;YACL,UAAU,EAAE,GAAG,CAAC,UAAU;YAC1B,KAAK,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,QAAQ,CAAC,OAAO,EAAE;YACnD,SAAS,EAAE,GAAG,CAAC,SAAS;SACzB,CAAC;IACJ,CAAC;IACD,IAAI,IAAI,KAAK,KAAK,IAAI,OAAO,QAAQ,CAAC,OAAO,KAAK,QAAQ,EAAE,CAAC;QAC3D,OAAO;YACL,UAAU,EAAE,GAAG,CAAC,UAAU;YAC1B,KAAK,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,CAAC,OAAO,EAAE;YACjD,SAAS,EAAE,GAAG,CAAC,SAAS;SACzB,CAAC;IACJ,CAAC;IACD,IAAI,IAAI,KAAK,OAAO,IAAI,OAAO,QAAQ,CAAC,OAAO,KAAK,QAAQ,EAAE,CAAC;QAC7D,OAAO;YACL,UAAU,EAAE,GAAG,CAAC,UAAU;YAC1B,KAAK,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,QAAQ,CAAC,OAAO,EAAE;YACnD,SAAS,EAAE,GAAG,CAAC,SAAS;SACzB,CAAC;IACJ,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/store.d.ts ADDED Viewed

@@ -0,0 +1,22 @@
+import type { StoredEntry } from "./types.js";
+/**
+ * On-disk representation of the vault.
+ *
+ * One file: `<workDir>/vault.json` mode 0600. Atomic writes via temp +
+ * rename. No nested structures, no migration scaffolding, no version
+ * gates beyond a single integer.
+ */
+export declare const STORE_VERSION = 1;
+export interface StoreData {
+    readonly version: number;
+    readonly entries: Readonly<Record<string, StoredEntry>>;
+}
+export declare class StoreFormatError extends Error {
+    constructor(message: string);
+}
+export declare function emptyStore(): StoreData;
+export declare function readStore(path: string): Promise<StoreData>;
+export declare function writeStore(path: string, data: StoreData): Promise<void>;
+export declare function setEntry(data: StoreData, key: string, entry: StoredEntry): StoreData;
+export declare function removeEntry(data: StoreData, key: string): StoreData;
+//# sourceMappingURL=store.d.ts.map

package/dist/store.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"store.d.ts","sourceRoot":"","sources":["../src/store.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAE9C;;;;;;GAMG;AAEH,eAAO,MAAM,aAAa,IAAI,CAAC;AAE/B,MAAM,WAAW,SAAS;IACxB,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,OAAO,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC,CAAC;CACzD;AAED,qBAAa,gBAAiB,SAAQ,KAAK;gBAC7B,OAAO,EAAE,MAAM;CAI5B;AAED,wBAAgB,UAAU,IAAI,SAAS,CAEtC;AAED,wBAAsB,SAAS,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC,CAiBhE;AAED,wBAAsB,UAAU,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC,CAqB7E;AAED,wBAAgB,QAAQ,CACtB,IAAI,EAAE,SAAS,EACf,GAAG,EAAE,MAAM,EACX,KAAK,EAAE,WAAW,GACjB,SAAS,CAKX;AAED,wBAAgB,WAAW,CAAC,IAAI,EAAE,SAAS,EAAE,GAAG,EAAE,MAAM,GAAG,SAAS,CAKnE"}

package/dist/store.js ADDED Viewed

@@ -0,0 +1,137 @@
+import { randomBytes } from "node:crypto";
+import { promises as fs } from "node:fs";
+import { dirname } from "node:path";
+/**
+ * On-disk representation of the vault.
+ *
+ * One file: `<workDir>/vault.json` mode 0600. Atomic writes via temp +
+ * rename. No nested structures, no migration scaffolding, no version
+ * gates beyond a single integer.
+ */
+export const STORE_VERSION = 1;
+export class StoreFormatError extends Error {
+    constructor(message) {
+        super(`vault store: ${message}`);
+        this.name = "StoreFormatError";
+    }
+}
+export function emptyStore() {
+    return { version: STORE_VERSION, entries: {} };
+}
+export async function readStore(path) {
+    let raw;
+    try {
+        raw = await fs.readFile(path, "utf8");
+    }
+    catch (err) {
+        if (err.code === "ENOENT")
+            return emptyStore();
+        throw err;
+    }
+    let parsed;
+    try {
+        parsed = JSON.parse(raw);
+    }
+    catch (err) {
+        throw new StoreFormatError(`parse error: ${err instanceof Error ? err.message : String(err)}`);
+    }
+    return validateShape(parsed);
+}
+export async function writeStore(path, data) {
+    await fs.mkdir(dirname(path), { recursive: true });
+    // Per-write tmp filename so two VaultImpl instances cannot collide on the
+    // same `${path}.tmp` and silently clobber each other's writes. pid + 8
+    // random bytes is overkill for collision avoidance but keeps the cost
+    // negligible vs the rest of the write.
+    const tmp = `${path}.tmp.${process.pid}.${randomBytes(8).toString("hex")}`;
+    const body = `${JSON.stringify(data, null, 2)}\n`;
+    // mode 0o600 on the tmp file, before rename. POSIX rename preserves mode,
+    // so the final file inherits 0o600 with no observable window where it sat
+    // at the umask default.
+    await fs.writeFile(tmp, body, { mode: 0o600, flag: "w" });
+    try {
+        await fs.rename(tmp, path);
+    }
+    catch (renameErr) {
+        // rename failure (cross-device, EROFS, ENOSPC) leaves the tmp file
+        // behind. Best-effort cleanup so future writes aren't blocked by stale
+        // junk under the same per-pid prefix.
+        await fs.rm(tmp, { force: true }).catch(() => { });
+        throw renameErr;
+    }
+}
+export function setEntry(data, key, entry) {
+    return {
+        version: data.version,
+        entries: { ...data.entries, [key]: entry },
+    };
+}
+export function removeEntry(data, key) {
+    if (!(key in data.entries))
+        return data;
+    const next = { ...data.entries };
+    delete next[key];
+    return { version: data.version, entries: next };
+}
+function validateShape(parsed) {
+    if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+        throw new StoreFormatError("root must be an object");
+    }
+    const root = parsed;
+    if (typeof root.version !== "number") {
+        throw new StoreFormatError("version must be a number");
+    }
+    const version = root.version;
+    if (version > STORE_VERSION) {
+        throw new StoreFormatError(`version ${version} is newer than supported (${STORE_VERSION})`);
+    }
+    if (!root.entries ||
+        typeof root.entries !== "object" ||
+        Array.isArray(root.entries)) {
+        throw new StoreFormatError("entries must be an object");
+    }
+    const entriesRaw = root.entries;
+    const entries = {};
+    for (const [key, value] of Object.entries(entriesRaw)) {
+        entries[key] = validateEntry(key, value);
+    }
+    return { version: STORE_VERSION, entries };
+}
+function validateEntry(key, raw) {
+    if (!raw || typeof raw !== "object" || Array.isArray(raw)) {
+        throw new StoreFormatError(`entry ${key}: must be an object`);
+    }
+    const e = raw;
+    if (typeof e.lastModified !== "number") {
+        throw new StoreFormatError(`entry ${key}: lastModified must be a number`);
+    }
+    const lastModified = e.lastModified;
+    if (e.kind === "value") {
+        if (typeof e.value !== "string") {
+            throw new StoreFormatError(`entry ${key}: value must be a string`);
+        }
+        return { kind: "value", value: e.value, lastModified };
+    }
+    if (e.kind === "secret") {
+        if (typeof e.ciphertext !== "string" || e.ciphertext.length === 0) {
+            throw new StoreFormatError(`entry ${key}: missing ciphertext`);
+        }
+        return { kind: "secret", ciphertext: e.ciphertext, lastModified };
+    }
+    if (e.kind === "reference") {
+        if (e.source !== "1password" && e.source !== "protonpass") {
+            throw new StoreFormatError(`entry ${key}: invalid reference source`);
+        }
+        if (typeof e.path !== "string" || e.path.length === 0) {
+            throw new StoreFormatError(`entry ${key}: missing reference path`);
+        }
+        return {
+            kind: "reference",
+            source: e.source,
+            path: e.path,
+            lastModified,
+        };
+    }
+    throw new StoreFormatError(`entry ${key}: unknown kind ${JSON.stringify(e.kind)}`);
+}
+//# sourceMappingURL=store.js.map

package/dist/store.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"store.js","sourceRoot":"","sources":["../src/store.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EAAE,QAAQ,IAAI,EAAE,EAAE,MAAM,SAAS,CAAC;AACzC,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAGpC;;;;;;GAMG;AAEH,MAAM,CAAC,MAAM,aAAa,GAAG,CAAC,CAAC;AAO/B,MAAM,OAAO,gBAAiB,SAAQ,KAAK;IACzC,YAAY,OAAe;QACzB,KAAK,CAAC,gBAAgB,OAAO,EAAE,CAAC,CAAC;QACjC,IAAI,CAAC,IAAI,GAAG,kBAAkB,CAAC;IACjC,CAAC;CACF;AAED,MAAM,UAAU,UAAU;IACxB,OAAO,EAAE,OAAO,EAAE,aAAa,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;AACjD,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,IAAY;IAC1C,IAAI,GAAW,CAAC;IAChB,IAAI,CAAC;QACH,GAAG,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;IACxC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAK,GAA6B,CAAC,IAAI,KAAK,QAAQ;YAAE,OAAO,UAAU,EAAE,CAAC;QAC1E,MAAM,GAAG,CAAC;IACZ,CAAC;IACD,IAAI,MAAe,CAAC;IACpB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC3B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,gBAAgB,CACxB,gBAAgB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CACnE,CAAC;IACJ,CAAC;IACD,OAAO,aAAa,CAAC,MAAM,CAAC,CAAC;AAC/B,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,IAAY,EAAE,IAAe;IAC5D,MAAM,EAAE,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACnD,0EAA0E;IAC1E,uEAAuE;IACvE,sEAAsE;IACtE,uCAAuC;IACvC,MAAM,GAAG,GAAG,GAAG,IAAI,QAAQ,OAAO,CAAC,GAAG,IAAI,WAAW,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;IAC3E,MAAM,IAAI,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC;IAClD,0EAA0E;IAC1E,0EAA0E;IAC1E,wBAAwB;IACxB,MAAM,EAAE,CAAC,SAAS,CAAC,GAAG,EAAE,IAAI,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,GAAG,EAAE,CAAC,CAAC;IAC1D,IAAI,CAAC;QACH,MAAM,EAAE,CAAC,MAAM,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;IAC7B,CAAC;IAAC,OAAO,SAAS,EAAE,CAAC;QACnB,mEAAmE;QACnE,uEAAuE;QACvE,sCAAsC;QACtC,MAAM,EAAE,CAAC,EAAE,CAAC,GAAG,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;QAClD,MAAM,SAAS,CAAC;IAClB,CAAC;AACH,CAAC;AAED,MAAM,UAAU,QAAQ,CACtB,IAAe,EACf,GAAW,EACX,KAAkB;IAElB,OAAO;QACL,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,OAAO,EAAE,EAAE,GAAG,IAAI,CAAC,OAAO,EAAE,CAAC,GAAG,CAAC,EAAE,KAAK,EAAE;KAC3C,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,WAAW,CAAC,IAAe,EAAE,GAAW;IACtD,IAAI,CAAC,CAAC,GAAG,IAAI,IAAI,CAAC,OAAO,CAAC;QAAE,OAAO,IAAI,CAAC;IACxC,MAAM,IAAI,GAAG,EAAE,GAAG,IAAI,CAAC,OAAO,EAAE,CAAC;IACjC,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC;IACjB,OAAO,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;AAClD,CAAC;AAED,SAAS,aAAa,CAAC,MAAe;IACpC,IAAI,CAAC,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QACnE,MAAM,IAAI,gBAAgB,CAAC,wBAAwB,CAAC,CAAC;IACvD,CAAC;IACD,MAAM,IAAI,GAAG,MAAiC,CAAC;IAC/C,IAAI,OAAO,IAAI,CAAC,OAAO,KAAK,QAAQ,EAAE,CAAC;QACrC,MAAM,IAAI,gBAAgB,CAAC,0BAA0B,CAAC,CAAC;IACzD,CAAC;IACD,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC;IAC7B,IAAI,OAAO,GAAG,aAAa,EAAE,CAAC;QAC5B,MAAM,IAAI,gBAAgB,CACxB,WAAW,OAAO,6BAA6B,aAAa,GAAG,CAChE,CAAC;IACJ,CAAC;IACD,IACE,CAAC,IAAI,CAAC,OAAO;QACb,OAAO,IAAI,CAAC,OAAO,KAAK,QAAQ;QAChC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,EAC3B,CAAC;QACD,MAAM,IAAI,gBAAgB,CAAC,2BAA2B,CAAC,CAAC;IAC1D,CAAC;IACD,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC;IAChC,MAAM,OAAO,GAAgC,EAAE,CAAC;IAChD,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CACvC,UAAqC,CACtC,EAAE,CAAC;QACF,OAAO,CAAC,GAAG,CAAC,GAAG,aAAa,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;IAC3C,CAAC;IACD,OAAO,EAAE,OAAO,EAAE,aAAa,EAAE,OAAO,EAAE,CAAC;AAC7C,CAAC;AAED,SAAS,aAAa,CAAC,GAAW,EAAE,GAAY;IAC9C,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QAC1D,MAAM,IAAI,gBAAgB,CAAC,SAAS,GAAG,qBAAqB,CAAC,CAAC;IAChE,CAAC;IACD,MAAM,CAAC,GAAG,GAA8B,CAAC;IACzC,IAAI,OAAO,CAAC,CAAC,YAAY,KAAK,QAAQ,EAAE,CAAC;QACvC,MAAM,IAAI,gBAAgB,CAAC,SAAS,GAAG,iCAAiC,CAAC,CAAC;IAC5E,CAAC;IACD,MAAM,YAAY,GAAG,CAAC,CAAC,YAAY,CAAC;IACpC,IAAI,CAAC,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;QACvB,IAAI,OAAO,CAAC,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;YAChC,MAAM,IAAI,gBAAgB,CAAC,SAAS,GAAG,0BAA0B,CAAC,CAAC;QACrE,CAAC;QACD,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC,KAAK,EAAE,YAAY,EAAE,CAAC;IACzD,CAAC;IACD,IAAI,CAAC,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;QACxB,IAAI,OAAO,CAAC,CAAC,UAAU,KAAK,QAAQ,IAAI,CAAC,CAAC,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAClE,MAAM,IAAI,gBAAgB,CAAC,SAAS,GAAG,sBAAsB,CAAC,CAAC;QACjE,CAAC;QACD,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,UAAU,EAAE,CAAC,CAAC,UAAU,EAAE,YAAY,EAAE,CAAC;IACpE,CAAC;IACD,IAAI,CAAC,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;QAC3B,IAAI,CAAC,CAAC,MAAM,KAAK,WAAW,IAAI,CAAC,CAAC,MAAM,KAAK,YAAY,EAAE,CAAC;YAC1D,MAAM,IAAI,gBAAgB,CAAC,SAAS,GAAG,4BAA4B,CAAC,CAAC;QACvE,CAAC;QACD,IAAI,OAAO,CAAC,CAAC,IAAI,KAAK,QAAQ,IAAI,CAAC,CAAC,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACtD,MAAM,IAAI,gBAAgB,CAAC,SAAS,GAAG,0BAA0B,CAAC,CAAC;QACrE,CAAC;QACD,OAAO;YACL,IAAI,EAAE,WAAW;YACjB,MAAM,EAAE,CAAC,CAAC,MAAM;YAChB,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,YAAY;SACb,CAAC;IACJ,CAAC;IACD,MAAM,IAAI,gBAAgB,CACxB,SAAS,GAAG,kBAAkB,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CACvD,CAAC;AACJ,CAAC"}

package/dist/testing.d.ts ADDED Viewed

@@ -0,0 +1,32 @@
+/**
+ * Testing utilities for @elizaos/vault.
+ *
+ *   import { createTestVault } from "@elizaos/vault/testing";
+ *
+ *   const test = await createTestVault({ "ui.theme": "dark" });
+ *   await test.vault.set("openrouter.apiKey", "k", { sensitive: true });
+ *   await test.dispose();
+ */
+import { type Vault } from "./vault.js";
+import type { AuditRecord } from "./types.js";
+export interface TestVault {
+    readonly vault: Vault;
+    readonly storePath: string;
+    readonly auditLogPath: string;
+    /** All audit entries written so far. */
+    getAuditRecords(): Promise<readonly AuditRecord[]>;
+    /** Truncate the audit log between assertion phases. */
+    clearAuditLog(): Promise<void>;
+    /** Cleanup. Removes the temp directory. */
+    dispose(): Promise<void>;
+}
+export interface CreateTestVaultOptions {
+    /** Pre-seed non-sensitive values. */
+    readonly values?: Readonly<Record<string, string>>;
+    /** Pre-seed sensitive values (encrypted as if production). */
+    readonly secrets?: Readonly<Record<string, string>>;
+    /** Override the temp dir (default: mkdtemp + auto-cleanup). */
+    readonly workDir?: string;
+}
+export declare function createTestVault(opts?: CreateTestVaultOptions): Promise<TestVault>;
+//# sourceMappingURL=testing.d.ts.map

package/dist/testing.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"testing.d.ts","sourceRoot":"","sources":["../src/testing.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAKH,OAAO,EAAe,KAAK,KAAK,EAAE,MAAM,YAAY,CAAC;AAGrD,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAE9C,MAAM,WAAW,SAAS;IACxB,QAAQ,CAAC,KAAK,EAAE,KAAK,CAAC;IACtB,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,wCAAwC;IACxC,eAAe,IAAI,OAAO,CAAC,SAAS,WAAW,EAAE,CAAC,CAAC;IACnD,uDAAuD;IACvD,aAAa,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;IAC/B,2CAA2C;IAC3C,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;CAC1B;AAED,MAAM,WAAW,sBAAsB;IACrC,qCAAqC;IACrC,QAAQ,CAAC,MAAM,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;IACnD,8DAA8D;IAC9D,QAAQ,CAAC,OAAO,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;IACpD,+DAA+D;IAC/D,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC;CAC3B;AAED,wBAAsB,eAAe,CACnC,IAAI,GAAE,sBAA2B,GAChC,OAAO,CAAC,SAAS,CAAC,CAkDpB"}

package/dist/testing.js ADDED Viewed

@@ -0,0 +1,70 @@
+/**
+ * Testing utilities for @elizaos/vault.
+ *
+ *   import { createTestVault } from "@elizaos/vault/testing";
+ *
+ *   const test = await createTestVault({ "ui.theme": "dark" });
+ *   await test.vault.set("openrouter.apiKey", "k", { sensitive: true });
+ *   await test.dispose();
+ */
+import { promises as fs } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { createVault } from "./vault.js";
+import { generateMasterKey } from "./crypto.js";
+import { inMemoryMasterKey } from "./master-key.js";
+export async function createTestVault(opts = {}) {
+    const ownsWorkDir = !opts.workDir;
+    const workDir = opts.workDir ?? (await fs.mkdtemp(join(tmpdir(), "eliza-vault-")));
+    const storePath = join(workDir, "vault.json");
+    const auditLogPath = join(workDir, "audit", "vault.jsonl");
+    const vault = createVault({
+        workDir,
+        masterKey: inMemoryMasterKey(generateMasterKey()),
+    });
+    if (opts.values) {
+        for (const [key, value] of Object.entries(opts.values)) {
+            await vault.set(key, value);
+        }
+    }
+    if (opts.secrets) {
+        for (const [key, value] of Object.entries(opts.secrets)) {
+            await vault.set(key, value, { sensitive: true });
+        }
+    }
+    return {
+        vault,
+        storePath,
+        auditLogPath,
+        async getAuditRecords() {
+            let raw;
+            try {
+                raw = await fs.readFile(auditLogPath, "utf8");
+            }
+            catch (err) {
+                if (err.code === "ENOENT")
+                    return [];
+                throw err;
+            }
+            return raw
+                .split("\n")
+                .filter((l) => l.trim().length > 0)
+                .map((l) => JSON.parse(l));
+        },
+        async clearAuditLog() {
+            try {
+                await fs.writeFile(auditLogPath, "", { mode: 0o600 });
+            }
+            catch (err) {
+                if (err.code !== "ENOENT")
+                    throw err;
+            }
+        },
+        async dispose() {
+            if (ownsWorkDir) {
+                await fs.rm(workDir, { recursive: true, force: true });
+            }
+        },
+    };
+}
+//# sourceMappingURL=testing.js.map

package/dist/testing.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"testing.js","sourceRoot":"","sources":["../src/testing.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,QAAQ,IAAI,EAAE,EAAE,MAAM,SAAS,CAAC;AACzC,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AACjC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,WAAW,EAAc,MAAM,YAAY,CAAC;AACrD,OAAO,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAChD,OAAO,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AAwBpD,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,OAA+B,EAAE;IAEjC,MAAM,WAAW,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC;IAClC,MAAM,OAAO,GACX,IAAI,CAAC,OAAO,IAAI,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,cAAc,CAAC,CAAC,CAAC,CAAC;IACrE,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC;IAC9C,MAAM,YAAY,GAAG,IAAI,CAAC,OAAO,EAAE,OAAO,EAAE,aAAa,CAAC,CAAC;IAC3D,MAAM,KAAK,GAAG,WAAW,CAAC;QACxB,OAAO;QACP,SAAS,EAAE,iBAAiB,CAAC,iBAAiB,EAAE,CAAC;KAClD,CAAC,CAAC;IACH,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;QAChB,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;YACvD,MAAM,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QAC9B,CAAC;IACH,CAAC;IACD,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;QACjB,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YACxD,MAAM,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACnD,CAAC;IACH,CAAC;IACD,OAAO;QACL,KAAK;QACL,SAAS;QACT,YAAY;QACZ,KAAK,CAAC,eAAe;YACnB,IAAI,GAAW,CAAC;YAChB,IAAI,CAAC;gBACH,GAAG,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;YAChD,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,IAAK,GAA6B,CAAC,IAAI,KAAK,QAAQ;oBAAE,OAAO,EAAE,CAAC;gBAChE,MAAM,GAAG,CAAC;YACZ,CAAC;YACD,OAAO,GAAG;iBACP,KAAK,CAAC,IAAI,CAAC;iBACX,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,CAAC;iBAClC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAgB,CAAC,CAAC;QAC9C,CAAC;QACD,KAAK,CAAC,aAAa;YACjB,IAAI,CAAC;gBACH,MAAM,EAAE,CAAC,SAAS,CAAC,YAAY,EAAE,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;YACxD,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,IAAK,GAA6B,CAAC,IAAI,KAAK,QAAQ;oBAAE,MAAM,GAAG,CAAC;YAClE,CAAC;QACH,CAAC;QACD,KAAK,CAAC,OAAO;YACX,IAAI,WAAW,EAAE,CAAC;gBAChB,MAAM,EAAE,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;YACzD,CAAC;QACH,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/types.d.ts ADDED Viewed

@@ -0,0 +1,56 @@
+/**
+ * Public types for @elizaos/vault.
+ *
+ * The vault holds two kinds of things keyed by a string:
+ *   - sensitive values (API keys, tokens, private keys) — encrypted at rest
+ *   - non-sensitive values (config: theme, model preferences, flags) — plaintext
+ *
+ * The same `set/get/has/describe/list/remove` API serves both; the caller
+ * declares sensitivity at write time. Reads don't need to know.
+ */
+/** Reference to a value held in an external password manager. */
+export interface PasswordManagerReference {
+    readonly source: "1password" | "protonpass";
+    /** Vendor-specific path. e.g., "Personal/OpenRouter/api-key" for op://. */
+    readonly path: string;
+}
+/** Internal storage shape. Consumers use `describe()` to inspect, never see this directly. */
+export type StoredEntry = {
+    readonly kind: "value";
+    readonly value: string;
+    readonly lastModified: number;
+} | {
+    readonly kind: "secret";
+    /** AES-256-GCM ciphertext: `v1:nonce:tag:ct` (all base64). */
+    readonly ciphertext: string;
+    readonly lastModified: number;
+} | {
+    readonly kind: "reference";
+    readonly source: PasswordManagerReference["source"];
+    readonly path: string;
+    readonly lastModified: number;
+};
+export interface VaultDescriptor {
+    readonly key: string;
+    readonly source: "file" | "keychain-encrypted" | "1password" | "protonpass";
+    readonly sensitive: boolean;
+    readonly lastModified: number;
+}
+export interface VaultStats {
+    readonly total: number;
+    readonly sensitive: number;
+    readonly nonSensitive: number;
+    readonly references: number;
+}
+export interface AuditRecord {
+    readonly ts: number;
+    readonly action: "set" | "setReference" | "get" | "reveal" | "remove";
+    readonly key: string;
+    /** Caller-supplied identifier for who's asking. Optional. */
+    readonly caller?: string;
+}
+export interface VaultLogger {
+    readonly warn: (msg: string, ctx?: unknown) => void;
+    readonly error: (msg: string, ctx?: unknown) => void;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,iEAAiE;AACjE,MAAM,WAAW,wBAAwB;IACvC,QAAQ,CAAC,MAAM,EAAE,WAAW,GAAG,YAAY,CAAC;IAC5C,2EAA2E;IAC3E,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;CACvB;AAED,8FAA8F;AAC9F,MAAM,MAAM,WAAW,GACnB;IACE,QAAQ,CAAC,IAAI,EAAE,OAAO,CAAC;IACvB,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;CAC/B,GACD;IACE,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAC;IACxB,8DAA8D;IAC9D,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;CAC/B,GACD;IACE,QAAQ,CAAC,IAAI,EAAE,WAAW,CAAC;IAC3B,QAAQ,CAAC,MAAM,EAAE,wBAAwB,CAAC,QAAQ,CAAC,CAAC;IACpD,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;CAC/B,CAAC;AAEN,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,oBAAoB,GAAG,WAAW,GAAG,YAAY,CAAC;IAC5E,QAAQ,CAAC,SAAS,EAAE,OAAO,CAAC;IAC5B,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;CAC/B;AAED,MAAM,WAAW,UAAU;IACzB,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;CAC7B;AAED,MAAM,WAAW,WAAW;IAC1B,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,MAAM,EAAE,KAAK,GAAG,cAAc,GAAG,KAAK,GAAG,QAAQ,GAAG,QAAQ,CAAC;IACtE,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,6DAA6D;IAC7D,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED,MAAM,WAAW,WAAW;IAC1B,QAAQ,CAAC,IAAI,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,CAAC,EAAE,OAAO,KAAK,IAAI,CAAC;IACpD,QAAQ,CAAC,KAAK,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,CAAC,EAAE,OAAO,KAAK,IAAI,CAAC;CACtD"}

package/dist/types.js ADDED Viewed

@@ -0,0 +1,12 @@
+/**
+ * Public types for @elizaos/vault.
+ *
+ * The vault holds two kinds of things keyed by a string:
+ *   - sensitive values (API keys, tokens, private keys) — encrypted at rest
+ *   - non-sensitive values (config: theme, model preferences, flags) — plaintext
+ *
+ * The same `set/get/has/describe/list/remove` API serves both; the caller
+ * declares sensitivity at write time. Reads don't need to know.
+ */
+export {};
+//# sourceMappingURL=types.js.map

package/dist/types.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG"}

package/dist/vault.d.ts ADDED Viewed

@@ -0,0 +1,77 @@
+import { type MasterKeyResolver } from "./master-key.js";
+import type { PasswordManagerReference, VaultDescriptor, VaultLogger, VaultStats } from "./types.js";
+/**
+ * Simple secrets/config vault.
+ *
+ * One API serves both sensitive credentials and non-sensitive config:
+ *   await vault.set("openrouter.apiKey", "sk-or-...", { sensitive: true });
+ *   await vault.set("ui.theme", "dark");
+ *   const v = await vault.get("openrouter.apiKey");
+ *
+ * Sensitive values are AES-256-GCM encrypted with the vault key as AAD;
+ * the master key lives in the OS keychain. Non-sensitive values are
+ * stored plaintext in `vault.json` (mode 0600). References to external
+ * password managers (1Password, Proton Pass) are first-class — the
+ * vault stores only the reference and resolves at use time.
+ */
+export interface Vault {
+    /** Store a value. Sensitive values are encrypted at rest. */
+    set(key: string, value: string, opts?: SetOptions): Promise<void>;
+    /**
+     * Store a reference to a password-manager item. The actual value
+     * lives there, never copied to disk by this vault.
+     */
+    setReference(key: string, ref: PasswordManagerReference): Promise<void>;
+    /** Read a value. Resolves through the password manager if needed. */
+    get(key: string): Promise<string>;
+    /**
+     * Read with audit trail. Use this for "show / reveal" UI affordances
+     * — every reveal is recorded with the caller id so users can see who
+     * read what.
+     */
+    reveal(key: string, caller?: string): Promise<string>;
+    /** Existence check. Does NOT reveal the value. */
+    has(key: string): Promise<boolean>;
+    /** Remove. Idempotent. */
+    remove(key: string): Promise<void>;
+    /** List keys. Optional prefix filter. Does NOT reveal values. */
+    list(prefix?: string): Promise<readonly string[]>;
+    /** Describe a key without revealing it. */
+    describe(key: string): Promise<VaultDescriptor | null>;
+    /** Aggregate counts. */
+    stats(): Promise<VaultStats>;
+}
+export interface SetOptions {
+    /** True if the value is a credential. Sensitive values are encrypted. */
+    readonly sensitive?: boolean;
+    /** Optional caller id for the audit log. */
+    readonly caller?: string;
+}
+export interface CreateVaultOptions {
+    /**
+     * Working directory. Resolution order (first non-empty wins):
+     *
+     *   1. `opts.workDir` — explicit caller override (tests, embedded use).
+     *   2. `$ELIZA_STATE_DIR` — Eliza's state-dir override.
+     *   3. `$ELIZA_STATE_DIR` — elizaOS-compatible state-dir override.
+     *   4. `~/$ELIZA_NAMESPACE` with a leading dot (`~/.eliza` by default).
+     *
+     * The vault writes `vault.json` and `audit/vault.jsonl` inside the
+     * resolved directory.
+     */
+    readonly workDir?: string;
+    /**
+     * Master key resolver. Default: OS keychain via `@napi-rs/keyring`.
+     * Override with `inMemoryMasterKey(buffer)` for tests.
+     */
+    readonly masterKey?: MasterKeyResolver;
+    /** Optional logger for non-fatal warnings. */
+    readonly logger?: VaultLogger;
+}
+export declare function createVault(opts?: CreateVaultOptions): Vault;
+export declare class VaultMissError extends Error {
+    readonly key: string;
+    constructor(key: string);
+}
+export { emptyStore } from "./store.js";
+//# sourceMappingURL=vault.d.ts.map

package/dist/vault.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"vault.d.ts","sourceRoot":"","sources":["../src/vault.ts"],"names":[],"mappings":"AAIA,OAAO,EAAoB,KAAK,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AAW3E,OAAO,KAAK,EAEV,wBAAwB,EAExB,eAAe,EACf,WAAW,EACX,UAAU,EACX,MAAM,YAAY,CAAC;AAEpB;;;;;;;;;;;;;GAaG;AACH,MAAM,WAAW,KAAK;IACpB,6DAA6D;IAC7D,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,UAAU,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAElE;;;OAGG;IACH,YAAY,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,wBAAwB,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAExE,qEAAqE;IACrE,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAElC;;;;OAIG;IACH,MAAM,CAAC,GAAG,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAEtD,kDAAkD;IAClD,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAEnC,0BAA0B;IAC1B,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEnC,iEAAiE;IACjE,IAAI,CAAC,MAAM,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,MAAM,EAAE,CAAC,CAAC;IAElD,2CAA2C;IAC3C,QAAQ,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,GAAG,IAAI,CAAC,CAAC;IAEvD,wBAAwB;IACxB,KAAK,IAAI,OAAO,CAAC,UAAU,CAAC,CAAC;CAC9B;AAED,MAAM,WAAW,UAAU;IACzB,yEAAyE;IACzE,QAAQ,CAAC,SAAS,CAAC,EAAE,OAAO,CAAC;IAC7B,4CAA4C;IAC5C,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED,MAAM,WAAW,kBAAkB;IACjC;;;;;;;;;;OAUG;IACH,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAC1B;;;OAGG;IACH,QAAQ,CAAC,SAAS,CAAC,EAAE,iBAAiB,CAAC;IACvC,8CAA8C;IAC9C,QAAQ,CAAC,MAAM,CAAC,EAAE,WAAW,CAAC;CAC/B;AAED,wBAAgB,WAAW,CAAC,IAAI,GAAE,kBAAuB,GAAG,KAAK,CAShE;AAwMD,qBAAa,cAAe,SAAQ,KAAK;IAC3B,QAAQ,CAAC,GAAG,EAAE,MAAM;gBAAX,GAAG,EAAE,MAAM;CAIjC;AAgBD,OAAO,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC"}