@enactprotocol/secrets 2.0.0 → 2.0.2

package/dist/env/writer.d.ts

@@ -0,0 +1,68 @@
+/**
+ * .env file writer
+ *
+ * Writes .env files while preserving comments and formatting
+ */
+import type { ParsedEnvFile } from "../types";
+/**
+ * Write a parsed env file to disk
+ *
+ * @param path - Path to write to
+ * @param parsed - Parsed env file to write
+ */
+export declare function writeEnvFile(path: string, parsed: ParsedEnvFile): void;
+/**
+ * Write a vars object to an .env file
+ *
+ * @param path - Path to write to
+ * @param vars - Key-value pairs to write
+ */
+export declare function writeEnvVars(path: string, vars: Record<string, string>): void;
+/**
+ * Set an environment variable in a file
+ * Creates file if it doesn't exist, preserves existing content
+ *
+ * @param path - Path to the .env file
+ * @param key - Variable key
+ * @param value - Variable value
+ */
+export declare function setEnvVar(path: string, key: string, value: string): void;
+/**
+ * Delete an environment variable from a file
+ *
+ * @param path - Path to the .env file
+ * @param key - Variable key to delete
+ * @returns true if variable existed and was deleted
+ */
+export declare function deleteEnvVar(path: string, key: string): boolean;
+/**
+ * Set a global environment variable (~/.enact/.env)
+ *
+ * @param key - Variable key
+ * @param value - Variable value
+ */
+export declare function setGlobalEnvVar(key: string, value: string): void;
+/**
+ * Set a local environment variable (.enact/.env)
+ *
+ * @param key - Variable key
+ * @param value - Variable value
+ * @param cwd - Current working directory (defaults to process.cwd())
+ */
+export declare function setLocalEnvVar(key: string, value: string, cwd?: string): void;
+/**
+ * Delete a global environment variable
+ *
+ * @param key - Variable key to delete
+ * @returns true if variable existed and was deleted
+ */
+export declare function deleteGlobalEnvVar(key: string): boolean;
+/**
+ * Delete a local environment variable
+ *
+ * @param key - Variable key to delete
+ * @param cwd - Current working directory (defaults to process.cwd())
+ * @returns true if variable existed and was deleted
+ */
+export declare function deleteLocalEnvVar(key: string, cwd?: string): boolean;
+//# sourceMappingURL=writer.d.ts.map

package/dist/env/writer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"writer.d.ts","sourceRoot":"","sources":["../../src/env/writer.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAc9C;;;;;GAKG;AACH,wBAAgB,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,aAAa,GAAG,IAAI,CAItE;AAED;;;;;GAKG;AACH,wBAAgB,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,IAAI,CAI7E;AAED;;;;;;;GAOG;AACH,wBAAgB,SAAS,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI,CAIxE;AAED;;;;;;GAMG;AACH,wBAAgB,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAQ/D;AAED;;;;;GAKG;AACH,wBAAgB,eAAe,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI,CAEhE;AAED;;;;;;GAMG;AACH,wBAAgB,cAAc,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,CAAC,EAAE,MAAM,GAAG,IAAI,CAE7E;AAED;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAEvD;AAED;;;;;;GAMG;AACH,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,CAAC,EAAE,MAAM,GAAG,OAAO,CAEpE"}

package/dist/env/writer.js

@@ -0,0 +1,108 @@
+/**
+ * .env file writer
+ *
+ * Writes .env files while preserving comments and formatting
+ */
+import { existsSync, mkdirSync, writeFileSync } from "node:fs";
+import { dirname } from "node:path";
+import { createEnvContent, removeEnvVar, serializeEnvFile, updateEnvVar } from "./parser";
+import { getGlobalEnvPath, getLocalEnvPath, readEnvFile } from "./reader";
+/**
+ * Ensure directory exists for a file path
+ */
+function ensureDirectory(filePath) {
+    const dir = dirname(filePath);
+    if (!existsSync(dir)) {
+        mkdirSync(dir, { recursive: true });
+    }
+}
+/**
+ * Write a parsed env file to disk
+ *
+ * @param path - Path to write to
+ * @param parsed - Parsed env file to write
+ */
+export function writeEnvFile(path, parsed) {
+    ensureDirectory(path);
+    const content = serializeEnvFile(parsed);
+    writeFileSync(path, content, "utf-8");
+}
+/**
+ * Write a vars object to an .env file
+ *
+ * @param path - Path to write to
+ * @param vars - Key-value pairs to write
+ */
+export function writeEnvVars(path, vars) {
+    ensureDirectory(path);
+    const content = createEnvContent(vars);
+    writeFileSync(path, content, "utf-8");
+}
+/**
+ * Set an environment variable in a file
+ * Creates file if it doesn't exist, preserves existing content
+ *
+ * @param path - Path to the .env file
+ * @param key - Variable key
+ * @param value - Variable value
+ */
+export function setEnvVar(path, key, value) {
+    const parsed = readEnvFile(path);
+    const updated = updateEnvVar(parsed, key, value);
+    writeEnvFile(path, updated);
+}
+/**
+ * Delete an environment variable from a file
+ *
+ * @param path - Path to the .env file
+ * @param key - Variable key to delete
+ * @returns true if variable existed and was deleted
+ */
+export function deleteEnvVar(path, key) {
+    const parsed = readEnvFile(path);
+    if (!(key in parsed.vars)) {
+        return false;
+    }
+    const updated = removeEnvVar(parsed, key);
+    writeEnvFile(path, updated);
+    return true;
+}
+/**
+ * Set a global environment variable (~/.enact/.env)
+ *
+ * @param key - Variable key
+ * @param value - Variable value
+ */
+export function setGlobalEnvVar(key, value) {
+    setEnvVar(getGlobalEnvPath(), key, value);
+}
+/**
+ * Set a local environment variable (.enact/.env)
+ *
+ * @param key - Variable key
+ * @param value - Variable value
+ * @param cwd - Current working directory (defaults to process.cwd())
+ */
+export function setLocalEnvVar(key, value, cwd) {
+    setEnvVar(getLocalEnvPath(cwd), key, value);
+}
+/**
+ * Delete a global environment variable
+ *
+ * @param key - Variable key to delete
+ * @returns true if variable existed and was deleted
+ */
+export function deleteGlobalEnvVar(key) {
+    return deleteEnvVar(getGlobalEnvPath(), key);
+}
+/**
+ * Delete a local environment variable
+ *
+ * @param key - Variable key to delete
+ * @param cwd - Current working directory (defaults to process.cwd())
+ * @returns true if variable existed and was deleted
+ */
+export function deleteLocalEnvVar(key, cwd) {
+    return deleteEnvVar(getLocalEnvPath(cwd), key);
+}
+//# sourceMappingURL=writer.js.map

package/dist/env/writer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"writer.js","sourceRoot":"","sources":["../../src/env/writer.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAC/D,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAEpC,OAAO,EAAE,gBAAgB,EAAE,YAAY,EAAE,gBAAgB,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AAC1F,OAAO,EAAE,gBAAgB,EAAE,eAAe,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC;AAE1E;;GAEG;AACH,SAAS,eAAe,CAAC,QAAgB;IACvC,MAAM,GAAG,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC9B,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QACrB,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACtC,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,YAAY,CAAC,IAAY,EAAE,MAAqB;IAC9D,eAAe,CAAC,IAAI,CAAC,CAAC;IACtB,MAAM,OAAO,GAAG,gBAAgB,CAAC,MAAM,CAAC,CAAC;IACzC,aAAa,CAAC,IAAI,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;AACxC,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,YAAY,CAAC,IAAY,EAAE,IAA4B;IACrE,eAAe,CAAC,IAAI,CAAC,CAAC;IACtB,MAAM,OAAO,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAC;IACvC,aAAa,CAAC,IAAI,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;AACxC,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,SAAS,CAAC,IAAY,EAAE,GAAW,EAAE,KAAa;IAChE,MAAM,MAAM,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC;IACjC,MAAM,OAAO,GAAG,YAAY,CAAC,MAAM,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC;IACjD,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;AAC9B,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,YAAY,CAAC,IAAY,EAAE,GAAW;IACpD,MAAM,MAAM,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC;IACjC,IAAI,CAAC,CAAC,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;QAC1B,OAAO,KAAK,CAAC;IACf,CAAC;IACD,MAAM,OAAO,GAAG,YAAY,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAC1C,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IAC5B,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,eAAe,CAAC,GAAW,EAAE,KAAa;IACxD,SAAS,CAAC,gBAAgB,EAAE,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC;AAC5C,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,cAAc,CAAC,GAAW,EAAE,KAAa,EAAE,GAAY;IACrE,SAAS,CAAC,eAAe,CAAC,GAAG,CAAC,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC;AAC9C,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,kBAAkB,CAAC,GAAW;IAC5C,OAAO,YAAY,CAAC,gBAAgB,EAAE,EAAE,GAAG,CAAC,CAAC;AAC/C,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,iBAAiB,CAAC,GAAW,EAAE,GAAY;IACzD,OAAO,YAAY,CAAC,eAAe,CAAC,GAAG,CAAC,EAAE,GAAG,CAAC,CAAC;AACjD,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,14 @@
+/**
+ * @enactprotocol/secrets
+ *
+ * OS keyring integration and environment variable management for Enact.
+ * Provides secure secret storage using platform-native keychains.
+ */
+export declare const version = "0.1.0";
+export type { SecretResolution, SecretNotFound, SecretResolutionResult, SecretMetadata, SecretTrace, SecretTraceEntry, EnvScope, EnvFileLocation, EnvironmentVariable, EnvResolution, ParsedEnvFile, EnvFileLine, DaggerSecretScheme, DaggerSecretUri, GetSecretOptions, SecretObject, } from "./types";
+export { KEYRING_SERVICE } from "./types";
+export { buildAccount, parseAccount, setSecret, getSecret, deleteSecret, listSecrets, listAllSecrets, secretExists, isKeyringAvailable, } from "./keyring";
+export { getNamespaceChain, resolveSecret, traceSecretResolution, resolveSecrets, checkRequiredSecrets, } from "./resolver";
+export { parseEnvFile, parseEnvContent, serializeEnvFile, createEnvContent, updateEnvVar, removeEnvVar, getGlobalEnvPath, getLocalEnvPath, readEnvFile, readEnvVars, loadGlobalEnv, loadLocalEnv, loadGlobalEnvFile, loadLocalEnvFile, globalEnvExists, localEnvExists, writeEnvFile, writeEnvVars, setEnvVar, deleteEnvVar, setGlobalEnvVar, setLocalEnvVar, deleteGlobalEnvVar, deleteLocalEnvVar, setEnv, getEnv, getEnvValue, deleteEnv, listEnv, resolveAllEnv, resolveToolEnv, hasLocalEnv, hasGlobalEnv, } from "./env";
+export { parseSecretUri, resolveSecretUri, isSecretUri, getSupportedSchemes, getSecretObject, getSecretObjects, parseSecretOverride, parseSecretOverrides, } from "./dagger";
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,eAAO,MAAM,OAAO,UAAU,CAAC;AAM/B,YAAY,EACV,gBAAgB,EAChB,cAAc,EACd,sBAAsB,EACtB,cAAc,EACd,WAAW,EACX,gBAAgB,EAChB,QAAQ,EACR,eAAe,EACf,mBAAmB,EACnB,aAAa,EACb,aAAa,EACb,WAAW,EACX,kBAAkB,EAClB,eAAe,EACf,gBAAgB,EAChB,YAAY,GACb,MAAM,SAAS,CAAC;AAEjB,OAAO,EAAE,eAAe,EAAE,MAAM,SAAS,CAAC;AAM1C,OAAO,EACL,YAAY,EACZ,YAAY,EACZ,SAAS,EACT,SAAS,EACT,YAAY,EACZ,WAAW,EACX,cAAc,EACd,YAAY,EACZ,kBAAkB,GACnB,MAAM,WAAW,CAAC;AAMnB,OAAO,EACL,iBAAiB,EACjB,aAAa,EACb,qBAAqB,EACrB,cAAc,EACd,oBAAoB,GACrB,MAAM,YAAY,CAAC;AAMpB,OAAO,EAEL,YAAY,EACZ,eAAe,EACf,gBAAgB,EAChB,gBAAgB,EAChB,YAAY,EACZ,YAAY,EAEZ,gBAAgB,EAChB,eAAe,EACf,WAAW,EACX,WAAW,EACX,aAAa,EACb,YAAY,EACZ,iBAAiB,EACjB,gBAAgB,EAChB,eAAe,EACf,cAAc,EAEd,YAAY,EACZ,YAAY,EACZ,SAAS,EACT,YAAY,EACZ,eAAe,EACf,cAAc,EACd,kBAAkB,EAClB,iBAAiB,EAEjB,MAAM,EACN,MAAM,EACN,WAAW,EACX,SAAS,EACT,OAAO,EACP,aAAa,EACb,cAAc,EACd,WAAW,EACX,YAAY,GACb,MAAM,OAAO,CAAC;AAMf,OAAO,EACL,cAAc,EACd,gBAAgB,EAChB,WAAW,EACX,mBAAmB,EACnB,eAAe,EACf,gBAAgB,EAChB,mBAAmB,EACnB,oBAAoB,GACrB,MAAM,UAAU,CAAC"}

package/dist/index.js

@@ -0,0 +1,33 @@
+/**
+ * @enactprotocol/secrets
+ *
+ * OS keyring integration and environment variable management for Enact.
+ * Provides secure secret storage using platform-native keychains.
+ */
+export const version = "0.1.0";
+export { KEYRING_SERVICE } from "./types";
+// ============================================================================
+// Keyring Functions
+// ============================================================================
+export { buildAccount, parseAccount, setSecret, getSecret, deleteSecret, listSecrets, listAllSecrets, secretExists, isKeyringAvailable, } from "./keyring";
+// ============================================================================
+// Secret Resolution
+// ============================================================================
+export { getNamespaceChain, resolveSecret, traceSecretResolution, resolveSecrets, checkRequiredSecrets, } from "./resolver";
+// ============================================================================
+// Environment Variables
+// ============================================================================
+export { 
+// Parser
+parseEnvFile, parseEnvContent, serializeEnvFile, createEnvContent, updateEnvVar, removeEnvVar, 
+// Reader
+getGlobalEnvPath, getLocalEnvPath, readEnvFile, readEnvVars, loadGlobalEnv, loadLocalEnv, loadGlobalEnvFile, loadLocalEnvFile, globalEnvExists, localEnvExists, 
+// Writer
+writeEnvFile, writeEnvVars, setEnvVar, deleteEnvVar, setGlobalEnvVar, setLocalEnvVar, deleteGlobalEnvVar, deleteLocalEnvVar, 
+// Manager (high-level API)
+setEnv, getEnv, getEnvValue, deleteEnv, listEnv, resolveAllEnv, resolveToolEnv, hasLocalEnv, hasGlobalEnv, } from "./env";
+// ============================================================================
+// Dagger Secret Integration
+// ============================================================================
+export { parseSecretUri, resolveSecretUri, isSecretUri, getSupportedSchemes, getSecretObject, getSecretObjects, parseSecretOverride, parseSecretOverrides, } from "./dagger";
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,MAAM,CAAC,MAAM,OAAO,GAAG,OAAO,CAAC;AAyB/B,OAAO,EAAE,eAAe,EAAE,MAAM,SAAS,CAAC;AAE1C,+EAA+E;AAC/E,oBAAoB;AACpB,+EAA+E;AAE/E,OAAO,EACL,YAAY,EACZ,YAAY,EACZ,SAAS,EACT,SAAS,EACT,YAAY,EACZ,WAAW,EACX,cAAc,EACd,YAAY,EACZ,kBAAkB,GACnB,MAAM,WAAW,CAAC;AAEnB,+EAA+E;AAC/E,oBAAoB;AACpB,+EAA+E;AAE/E,OAAO,EACL,iBAAiB,EACjB,aAAa,EACb,qBAAqB,EACrB,cAAc,EACd,oBAAoB,GACrB,MAAM,YAAY,CAAC;AAEpB,+EAA+E;AAC/E,wBAAwB;AACxB,+EAA+E;AAE/E,OAAO;AACL,SAAS;AACT,YAAY,EACZ,eAAe,EACf,gBAAgB,EAChB,gBAAgB,EAChB,YAAY,EACZ,YAAY;AACZ,SAAS;AACT,gBAAgB,EAChB,eAAe,EACf,WAAW,EACX,WAAW,EACX,aAAa,EACb,YAAY,EACZ,iBAAiB,EACjB,gBAAgB,EAChB,eAAe,EACf,cAAc;AACd,SAAS;AACT,YAAY,EACZ,YAAY,EACZ,SAAS,EACT,YAAY,EACZ,eAAe,EACf,cAAc,EACd,kBAAkB,EAClB,iBAAiB;AACjB,2BAA2B;AAC3B,MAAM,EACN,MAAM,EACN,WAAW,EACX,SAAS,EACT,OAAO,EACP,aAAa,EACb,cAAc,EACd,WAAW,EACX,YAAY,GACb,MAAM,OAAO,CAAC;AAEf,+EAA+E;AAC/E,4BAA4B;AAC5B,+EAA+E;AAE/E,OAAO,EACL,cAAc,EACd,gBAAgB,EAChB,WAAW,EACX,mBAAmB,EACnB,eAAe,EACf,gBAAgB,EAChB,mBAAmB,EACnB,oBAAoB,GACrB,MAAM,UAAU,CAAC"}

package/dist/keyring.d.ts

@@ -0,0 +1,77 @@
+/**
+ * OS Keyring integration for secure secret storage
+ *
+ * Uses the system keychain:
+ * - macOS: Keychain
+ * - Windows: Credential Manager
+ * - Linux: Secret Service (libsecret)
+ *
+ * All secrets are stored with:
+ * - Service: "enact-cli"
+ * - Account: "{namespace}:{SECRET_NAME}"
+ */
+import { type SecretMetadata } from "./types";
+/**
+ * Build the account string for keyring storage
+ * Format: "namespace:SECRET_NAME"
+ */
+export declare function buildAccount(namespace: string, secretName: string): string;
+/**
+ * Parse an account string back to namespace and secret name
+ */
+export declare function parseAccount(account: string): {
+    namespace: string;
+    secretName: string;
+};
+/**
+ * Store a secret in the OS keyring
+ *
+ * @param namespace - The namespace for the secret (e.g., "alice/api")
+ * @param name - The secret name (e.g., "API_TOKEN")
+ * @param value - The secret value to store
+ */
+export declare function setSecret(namespace: string, name: string, value: string): Promise<void>;
+/**
+ * Retrieve a secret from the OS keyring
+ *
+ * @param namespace - The namespace for the secret
+ * @param name - The secret name
+ * @returns The secret value, or null if not found
+ */
+export declare function getSecret(namespace: string, name: string): Promise<string | null>;
+/**
+ * Delete a secret from the OS keyring
+ *
+ * @param namespace - The namespace for the secret
+ * @param name - The secret name
+ * @returns true if deleted, false if not found
+ */
+export declare function deleteSecret(namespace: string, name: string): Promise<boolean>;
+/**
+ * List all secrets for a namespace
+ *
+ * @param namespace - The namespace to list secrets for
+ * @returns Array of secret names in the namespace
+ */
+export declare function listSecrets(namespace: string): Promise<string[]>;
+/**
+ * List all secrets across all namespaces
+ *
+ * @returns Array of secret metadata
+ */
+export declare function listAllSecrets(): Promise<SecretMetadata[]>;
+/**
+ * Check if a secret exists in the keyring
+ *
+ * @param namespace - The namespace for the secret
+ * @param name - The secret name
+ * @returns true if the secret exists
+ */
+export declare function secretExists(namespace: string, name: string): Promise<boolean>;
+/**
+ * Check if the keyring is available on this system
+ *
+ * @returns true if keyring operations are available
+ */
+export declare function isKeyringAvailable(): Promise<boolean>;
+//# sourceMappingURL=keyring.d.ts.map

package/dist/keyring.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"keyring.d.ts","sourceRoot":"","sources":["../src/keyring.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAGH,OAAO,EAAmB,KAAK,cAAc,EAAE,MAAM,SAAS,CAAC;AAE/D;;;GAGG;AACH,wBAAgB,YAAY,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,MAAM,CAE1E;AAED;;GAEG;AACH,wBAAgB,YAAY,CAAC,OAAO,EAAE,MAAM,GAAG;IAC7C,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;CACpB,CASA;AAED;;;;;;GAMG;AACH,wBAAsB,SAAS,CAAC,SAAS,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAG7F;AAED;;;;;;GAMG;AACH,wBAAsB,SAAS,CAAC,SAAS,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAIvF;AAED;;;;;;GAMG;AACH,wBAAsB,YAAY,CAAC,SAAS,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAGpF;AAED;;;;;GAKG;AACH,wBAAsB,WAAW,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CAOtE;AAED;;;;GAIG;AACH,wBAAsB,cAAc,IAAI,OAAO,CAAC,cAAc,EAAE,CAAC,CAUhE;AAED;;;;;;GAMG;AACH,wBAAsB,YAAY,CAAC,SAAS,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAGpF;AAED;;;;GAIG;AACH,wBAAsB,kBAAkB,IAAI,OAAO,CAAC,OAAO,CAAC,CAQ3D"}

package/dist/keyring.js

@@ -0,0 +1,123 @@
+/**
+ * OS Keyring integration for secure secret storage
+ *
+ * Uses the system keychain:
+ * - macOS: Keychain
+ * - Windows: Credential Manager
+ * - Linux: Secret Service (libsecret)
+ *
+ * All secrets are stored with:
+ * - Service: "enact-cli"
+ * - Account: "{namespace}:{SECRET_NAME}"
+ */
+import { keyring } from "@zowe/secrets-for-zowe-sdk";
+import { KEYRING_SERVICE } from "./types";
+/**
+ * Build the account string for keyring storage
+ * Format: "namespace:SECRET_NAME"
+ */
+export function buildAccount(namespace, secretName) {
+    return `${namespace}:${secretName}`;
+}
+/**
+ * Parse an account string back to namespace and secret name
+ */
+export function parseAccount(account) {
+    const colonIndex = account.lastIndexOf(":");
+    if (colonIndex === -1) {
+        throw new Error(`Invalid account format: ${account}`);
+    }
+    return {
+        namespace: account.slice(0, colonIndex),
+        secretName: account.slice(colonIndex + 1),
+    };
+}
+/**
+ * Store a secret in the OS keyring
+ *
+ * @param namespace - The namespace for the secret (e.g., "alice/api")
+ * @param name - The secret name (e.g., "API_TOKEN")
+ * @param value - The secret value to store
+ */
+export async function setSecret(namespace, name, value) {
+    const account = buildAccount(namespace, name);
+    await keyring.setPassword(KEYRING_SERVICE, account, value);
+}
+/**
+ * Retrieve a secret from the OS keyring
+ *
+ * @param namespace - The namespace for the secret
+ * @param name - The secret name
+ * @returns The secret value, or null if not found
+ */
+export async function getSecret(namespace, name) {
+    const account = buildAccount(namespace, name);
+    const value = await keyring.getPassword(KEYRING_SERVICE, account);
+    return value ?? null;
+}
+/**
+ * Delete a secret from the OS keyring
+ *
+ * @param namespace - The namespace for the secret
+ * @param name - The secret name
+ * @returns true if deleted, false if not found
+ */
+export async function deleteSecret(namespace, name) {
+    const account = buildAccount(namespace, name);
+    return await keyring.deletePassword(KEYRING_SERVICE, account);
+}
+/**
+ * List all secrets for a namespace
+ *
+ * @param namespace - The namespace to list secrets for
+ * @returns Array of secret names in the namespace
+ */
+export async function listSecrets(namespace) {
+    const credentials = await keyring.findCredentials(KEYRING_SERVICE);
+    const prefix = `${namespace}:`;
+    return credentials
+        .filter((cred) => cred.account.startsWith(prefix))
+        .map((cred) => cred.account.slice(prefix.length));
+}
+/**
+ * List all secrets across all namespaces
+ *
+ * @returns Array of secret metadata
+ */
+export async function listAllSecrets() {
+    const credentials = await keyring.findCredentials(KEYRING_SERVICE);
+    return credentials.map((cred) => {
+        const { namespace, secretName } = parseAccount(cred.account);
+        return {
+            key: secretName,
+            namespace,
+        };
+    });
+}
+/**
+ * Check if a secret exists in the keyring
+ *
+ * @param namespace - The namespace for the secret
+ * @param name - The secret name
+ * @returns true if the secret exists
+ */
+export async function secretExists(namespace, name) {
+    const value = await getSecret(namespace, name);
+    return value !== null;
+}
+/**
+ * Check if the keyring is available on this system
+ *
+ * @returns true if keyring operations are available
+ */
+export async function isKeyringAvailable() {
+    try {
+        // Try to list credentials - this will fail if keyring is not available
+        await keyring.findCredentials(KEYRING_SERVICE);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+//# sourceMappingURL=keyring.js.map

package/dist/keyring.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"keyring.js","sourceRoot":"","sources":["../src/keyring.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,4BAA4B,CAAC;AACrD,OAAO,EAAE,eAAe,EAAuB,MAAM,SAAS,CAAC;AAE/D;;;GAGG;AACH,MAAM,UAAU,YAAY,CAAC,SAAiB,EAAE,UAAkB;IAChE,OAAO,GAAG,SAAS,IAAI,UAAU,EAAE,CAAC;AACtC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,YAAY,CAAC,OAAe;IAI1C,MAAM,UAAU,GAAG,OAAO,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;IAC5C,IAAI,UAAU,KAAK,CAAC,CAAC,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CAAC,2BAA2B,OAAO,EAAE,CAAC,CAAC;IACxD,CAAC;IACD,OAAO;QACL,SAAS,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,UAAU,CAAC;QACvC,UAAU,EAAE,OAAO,CAAC,KAAK,CAAC,UAAU,GAAG,CAAC,CAAC;KAC1C,CAAC;AACJ,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,SAAiB,EAAE,IAAY,EAAE,KAAa;IAC5E,MAAM,OAAO,GAAG,YAAY,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;IAC9C,MAAM,OAAO,CAAC,WAAW,CAAC,eAAe,EAAE,OAAO,EAAE,KAAK,CAAC,CAAC;AAC7D,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,SAAiB,EAAE,IAAY;IAC7D,MAAM,OAAO,GAAG,YAAY,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;IAC9C,MAAM,KAAK,GAAG,MAAM,OAAO,CAAC,WAAW,CAAC,eAAe,EAAE,OAAO,CAAC,CAAC;IAClE,OAAO,KAAK,IAAI,IAAI,CAAC;AACvB,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,SAAiB,EAAE,IAAY;IAChE,MAAM,OAAO,GAAG,YAAY,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;IAC9C,OAAO,MAAM,OAAO,CAAC,cAAc,CAAC,eAAe,EAAE,OAAO,CAAC,CAAC;AAChE,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,SAAiB;IACjD,MAAM,WAAW,GAAG,MAAM,OAAO,CAAC,eAAe,CAAC,eAAe,CAAC,CAAC;IACnE,MAAM,MAAM,GAAG,GAAG,SAAS,GAAG,CAAC;IAE/B,OAAO,WAAW;SACf,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;SACjD,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC;AACtD,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc;IAClC,MAAM,WAAW,GAAG,MAAM,OAAO,CAAC,eAAe,CAAC,eAAe,CAAC,CAAC;IAEnE,OAAO,WAAW,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE;QAC9B,MAAM,EAAE,SAAS,EAAE,UAAU,EAAE,GAAG,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAC7D,OAAO;YACL,GAAG,EAAE,UAAU;YACf,SAAS;SACV,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,SAAiB,EAAE,IAAY;IAChE,MAAM,KAAK,GAAG,MAAM,SAAS,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;IAC/C,OAAO,KAAK,KAAK,IAAI,CAAC;AACxB,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB;IACtC,IAAI,CAAC;QACH,uEAAuE;QACvE,MAAM,OAAO,CAAC,eAAe,CAAC,eAAe,CAAC,CAAC;QAC/C,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC"}

package/dist/resolver.d.ts

@@ -0,0 +1,65 @@
+/**
+ * Secret resolution with namespace inheritance
+ *
+ * When a tool requests a secret, we walk up the namespace path:
+ * Tool: alice/api/slack/notifier
+ * Needs: API_TOKEN
+ *
+ * Lookup:
+ *   1. alice/api/slack:API_TOKEN
+ *   2. alice/api:API_TOKEN ✓ found
+ *   3. alice:API_TOKEN
+ *
+ * First match wins.
+ */
+import type { SecretResolution, SecretResolutionResult, SecretTrace } from "./types";
+/**
+ * Get the namespace chain for a tool path
+ * Walks up the path segments from most specific to least specific
+ *
+ * @param toolPath - The full tool path (e.g., "alice/api/slack")
+ * @returns Array of namespaces to check in order
+ *
+ * @example
+ * getNamespaceChain("alice/api/slack")
+ * // Returns: ["alice/api/slack", "alice/api", "alice"]
+ */
+export declare function getNamespaceChain(toolPath: string): string[];
+/**
+ * Resolve a secret using namespace inheritance
+ *
+ * @param toolPath - The tool path to resolve secrets for
+ * @param secretName - The secret name to find
+ * @returns Resolution result with namespace info, or not-found result
+ */
+export declare function resolveSecret(toolPath: string, secretName: string): Promise<SecretResolutionResult>;
+/**
+ * Trace secret resolution for debugging
+ * Shows which namespaces were checked and where the secret was found
+ *
+ * @param toolPath - The tool path to resolve secrets for
+ * @param secretName - The secret name to find
+ * @returns Full trace with all namespaces checked
+ */
+export declare function traceSecretResolution(toolPath: string, secretName: string): Promise<SecretTrace>;
+/**
+ * Resolve multiple secrets for a tool
+ *
+ * @param toolPath - The tool path to resolve secrets for
+ * @param secretNames - Array of secret names to resolve
+ * @returns Map of secret name to resolution result
+ */
+export declare function resolveSecrets(toolPath: string, secretNames: string[]): Promise<Map<string, SecretResolutionResult>>;
+/**
+ * Check if all required secrets are available for a tool
+ *
+ * @param toolPath - The tool path to check
+ * @param requiredSecrets - Array of required secret names
+ * @returns Object with available and missing secrets
+ */
+export declare function checkRequiredSecrets(toolPath: string, requiredSecrets: string[]): Promise<{
+    allFound: boolean;
+    found: SecretResolution[];
+    missing: string[];
+}>;
+//# sourceMappingURL=resolver.d.ts.map

package/dist/resolver.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"resolver.d.ts","sourceRoot":"","sources":["../src/resolver.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAGH,OAAO,KAAK,EACV,gBAAgB,EAChB,sBAAsB,EACtB,WAAW,EAEZ,MAAM,SAAS,CAAC;AAEjB;;;;;;;;;;GAUG;AACH,wBAAgB,iBAAiB,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,EAAE,CAS5D;AAED;;;;;;GAMG;AACH,wBAAsB,aAAa,CACjC,QAAQ,EAAE,MAAM,EAChB,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,sBAAsB,CAAC,CAuBjC;AAED;;;;;;;GAOG;AACH,wBAAsB,qBAAqB,CACzC,QAAQ,EAAE,MAAM,EAChB,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,WAAW,CAAC,CAqCtB;AAED;;;;;;GAMG;AACH,wBAAsB,cAAc,CAClC,QAAQ,EAAE,MAAM,EAChB,WAAW,EAAE,MAAM,EAAE,GACpB,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,sBAAsB,CAAC,CAAC,CAS9C;AAED;;;;;;GAMG;AACH,wBAAsB,oBAAoB,CACxC,QAAQ,EAAE,MAAM,EAChB,eAAe,EAAE,MAAM,EAAE,GACxB,OAAO,CAAC;IACT,QAAQ,EAAE,OAAO,CAAC;IAClB,KAAK,EAAE,gBAAgB,EAAE,CAAC;IAC1B,OAAO,EAAE,MAAM,EAAE,CAAC;CACnB,CAAC,CAkBD"}

package/dist/resolver.js

@@ -0,0 +1,144 @@
+/**
+ * Secret resolution with namespace inheritance
+ *
+ * When a tool requests a secret, we walk up the namespace path:
+ * Tool: alice/api/slack/notifier
+ * Needs: API_TOKEN
+ *
+ * Lookup:
+ *   1. alice/api/slack:API_TOKEN
+ *   2. alice/api:API_TOKEN ✓ found
+ *   3. alice:API_TOKEN
+ *
+ * First match wins.
+ */
+import { getSecret } from "./keyring";
+/**
+ * Get the namespace chain for a tool path
+ * Walks up the path segments from most specific to least specific
+ *
+ * @param toolPath - The full tool path (e.g., "alice/api/slack")
+ * @returns Array of namespaces to check in order
+ *
+ * @example
+ * getNamespaceChain("alice/api/slack")
+ * // Returns: ["alice/api/slack", "alice/api", "alice"]
+ */
+export function getNamespaceChain(toolPath) {
+    const segments = toolPath.split("/").filter(Boolean);
+    const chain = [];
+    for (let i = segments.length; i > 0; i--) {
+        chain.push(segments.slice(0, i).join("/"));
+    }
+    return chain;
+}
+/**
+ * Resolve a secret using namespace inheritance
+ *
+ * @param toolPath - The tool path to resolve secrets for
+ * @param secretName - The secret name to find
+ * @returns Resolution result with namespace info, or not-found result
+ */
+export async function resolveSecret(toolPath, secretName) {
+    const namespaces = getNamespaceChain(toolPath);
+    const searchedNamespaces = [];
+    for (const namespace of namespaces) {
+        searchedNamespaces.push(namespace);
+        const value = await getSecret(namespace, secretName);
+        if (value !== null) {
+            return {
+                namespace,
+                value,
+                key: secretName,
+                found: true,
+            };
+        }
+    }
+    return {
+        key: secretName,
+        found: false,
+        searchedNamespaces,
+    };
+}
+/**
+ * Trace secret resolution for debugging
+ * Shows which namespaces were checked and where the secret was found
+ *
+ * @param toolPath - The tool path to resolve secrets for
+ * @param secretName - The secret name to find
+ * @returns Full trace with all namespaces checked
+ */
+export async function traceSecretResolution(toolPath, secretName) {
+    const namespaces = getNamespaceChain(toolPath);
+    const entries = [];
+    let result = null;
+    for (const namespace of namespaces) {
+        const account = `${namespace}:${secretName}`;
+        const value = await getSecret(namespace, secretName);
+        const found = value !== null;
+        entries.push({ namespace, account, found });
+        if (found && !result) {
+            result = {
+                namespace,
+                value,
+                key: secretName,
+                found: true,
+            };
+        }
+    }
+    // If not found anywhere
+    if (!result) {
+        result = {
+            key: secretName,
+            found: false,
+            searchedNamespaces: namespaces,
+        };
+    }
+    return {
+        key: secretName,
+        toolPath,
+        entries,
+        result,
+    };
+}
+/**
+ * Resolve multiple secrets for a tool
+ *
+ * @param toolPath - The tool path to resolve secrets for
+ * @param secretNames - Array of secret names to resolve
+ * @returns Map of secret name to resolution result
+ */
+export async function resolveSecrets(toolPath, secretNames) {
+    const results = new Map();
+    for (const name of secretNames) {
+        const result = await resolveSecret(toolPath, name);
+        results.set(name, result);
+    }
+    return results;
+}
+/**
+ * Check if all required secrets are available for a tool
+ *
+ * @param toolPath - The tool path to check
+ * @param requiredSecrets - Array of required secret names
+ * @returns Object with available and missing secrets
+ */
+export async function checkRequiredSecrets(toolPath, requiredSecrets) {
+    const found = [];
+    const missing = [];
+    for (const name of requiredSecrets) {
+        const result = await resolveSecret(toolPath, name);
+        if (result.found) {
+            found.push(result);
+        }
+        else {
+            missing.push(name);
+        }
+    }
+    return {
+        allFound: missing.length === 0,
+        found,
+        missing,
+    };
+}
+//# sourceMappingURL=resolver.js.map