@ewimsatt/agent-vault 0.1.0

package/README.md

@@ -0,0 +1,95 @@
+# agent-vault — Node.js SDK
+
+Zero-trust credential manager for AI agents. This is the read-only Node.js/TypeScript SDK for retrieving secrets from an agent-vault repository.
+
+Secrets are encrypted locally using [age encryption](https://age-encryption.org/) and synced via Git. No server, no SaaS -- the Git repo is an untrusted encrypted blob store. All crypto happens locally.
+
+## Installation
+
+```bash
+npm install agent-vault
+```
+
+Requires Node.js 20 or later.
+
+## Quick Start
+
+```typescript
+import { Vault } from "agent-vault";
+
+const vault = new Vault({
+  repoPath: "/path/to/repo",
+  keyPath: "~/.agent-vault/agents/my-agent.key",
+});
+
+// Decrypt a secret (pulls latest from Git first)
+const apiKey = await vault.get("stripe/api-key");
+```
+
+## API
+
+### `new Vault(options)`
+
+Create a read-only vault instance.
+
+| Option     | Type      | Default | Description                                      |
+|------------|-----------|---------|--------------------------------------------------|
+| `repoPath` | `string`  | -       | Path to the Git repository containing the vault.  |
+| `keyPath`  | `string?` | -       | Path to the age private key file.                 |
+| `keyStr`   | `string?` | -       | Raw age private key string. Overrides `keyPath`.  |
+| `autoPull` | `boolean` | `true`  | Whether to `git pull` before each `get()` call.  |
+
+Key resolution order:
+1. `keyStr` option
+2. `keyPath` option
+3. `AGENT_VAULT_KEY` environment variable
+4. `~/.agent-vault/owner.key`
+
+### `vault.get(secretPath): Promise<string>`
+
+Decrypt and return a secret value. The secret path follows the format `group/name` (e.g., `stripe/api-key`).
+
+Throws `SecretNotFoundError` if the secret does not exist. Throws `NotAuthorizedError` if the key cannot decrypt it.
+
+### `vault.listSecrets(group?): SecretMetadata[]`
+
+List secret metadata without decrypting. Optionally filter by group name.
+
+### `vault.pull(): void`
+
+Manually trigger a `git pull`. Failures are logged to stderr but do not throw.
+
+### `vault.listAgents(): Array<{ name: string; groups: string[] }>`
+
+List all agents and their group memberships from the manifest.
+
+### `vault.reload(): void`
+
+Reload the manifest from disk (useful after a pull).
+
+## Error Types
+
+```typescript
+import {
+  VaultError,          // Base error
+  VaultNotFoundError,  // No vault or key found
+  SecretNotFoundError, // Secret path does not exist
+  NotAuthorizedError,  // Key cannot decrypt the secret
+  ManifestError,       // Manifest parsing failure
+} from "agent-vault";
+```
+
+## Environment Variables
+
+- `AGENT_VAULT_KEY` -- Raw age secret key string (used if no `keyPath`/`keyStr` provided)
+
+## How It Works
+
+1. The vault reads encrypted `.enc` files from `.agent-vault/secrets/` in the repo.
+2. It decrypts them in memory using the [age-encryption](https://www.npmjs.com/package/age-encryption) package.
+3. Decrypted values are never written to disk -- they exist only in memory.
+4. Metadata (`.meta` YAML files) can be browsed without decryption.
+
+## License
+
+MIT

package/dist/errors.d.ts

@@ -0,0 +1,24 @@
+/**
+ * Error types for agent-vault.
+ */
+/** Base error for all vault operations. */
+export declare class VaultError extends Error {
+    constructor(message: string);
+}
+/** No .agent-vault directory found at the given path. */
+export declare class VaultNotFoundError extends VaultError {
+    constructor(message: string);
+}
+/** The requested secret does not exist in the vault. */
+export declare class SecretNotFoundError extends VaultError {
+    constructor(message: string);
+}
+/** The provided key cannot decrypt the requested secret. */
+export declare class NotAuthorizedError extends VaultError {
+    constructor(message: string);
+}
+/** Error parsing or querying the manifest. */
+export declare class ManifestError extends VaultError {
+    constructor(message: string);
+}
+//# sourceMappingURL=errors.d.ts.map

package/dist/errors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../src/errors.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,2CAA2C;AAC3C,qBAAa,UAAW,SAAQ,KAAK;gBACvB,OAAO,EAAE,MAAM;CAK5B;AAED,yDAAyD;AACzD,qBAAa,kBAAmB,SAAQ,UAAU;gBACpC,OAAO,EAAE,MAAM;CAI5B;AAED,wDAAwD;AACxD,qBAAa,mBAAoB,SAAQ,UAAU;gBACrC,OAAO,EAAE,MAAM;CAI5B;AAED,4DAA4D;AAC5D,qBAAa,kBAAmB,SAAQ,UAAU;gBACpC,OAAO,EAAE,MAAM;CAI5B;AAED,8CAA8C;AAC9C,qBAAa,aAAc,SAAQ,UAAU;gBAC/B,OAAO,EAAE,MAAM;CAI5B"}

package/dist/errors.js

@@ -0,0 +1,40 @@
+/**
+ * Error types for agent-vault.
+ */
+/** Base error for all vault operations. */
+export class VaultError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = "VaultError";
+        Object.setPrototypeOf(this, new.target.prototype);
+    }
+}
+/** No .agent-vault directory found at the given path. */
+export class VaultNotFoundError extends VaultError {
+    constructor(message) {
+        super(message);
+        this.name = "VaultNotFoundError";
+    }
+}
+/** The requested secret does not exist in the vault. */
+export class SecretNotFoundError extends VaultError {
+    constructor(message) {
+        super(message);
+        this.name = "SecretNotFoundError";
+    }
+}
+/** The provided key cannot decrypt the requested secret. */
+export class NotAuthorizedError extends VaultError {
+    constructor(message) {
+        super(message);
+        this.name = "NotAuthorizedError";
+    }
+}
+/** Error parsing or querying the manifest. */
+export class ManifestError extends VaultError {
+    constructor(message) {
+        super(message);
+        this.name = "ManifestError";
+    }
+}
+//# sourceMappingURL=errors.js.map

package/dist/errors.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.js","sourceRoot":"","sources":["../src/errors.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,2CAA2C;AAC3C,MAAM,OAAO,UAAW,SAAQ,KAAK;IACnC,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,YAAY,CAAC;QACzB,MAAM,CAAC,cAAc,CAAC,IAAI,EAAE,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACpD,CAAC;CACF;AAED,yDAAyD;AACzD,MAAM,OAAO,kBAAmB,SAAQ,UAAU;IAChD,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,oBAAoB,CAAC;IACnC,CAAC;CACF;AAED,wDAAwD;AACxD,MAAM,OAAO,mBAAoB,SAAQ,UAAU;IACjD,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,qBAAqB,CAAC;IACpC,CAAC;CACF;AAED,4DAA4D;AAC5D,MAAM,OAAO,kBAAmB,SAAQ,UAAU;IAChD,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,oBAAoB,CAAC;IACnC,CAAC;CACF;AAED,8CAA8C;AAC9C,MAAM,OAAO,aAAc,SAAQ,UAAU;IAC3C,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,eAAe,CAAC;IAC9B,CAAC;CACF"}

package/dist/index.d.ts

@@ -0,0 +1,10 @@
+/**
+ * agent-vault: Zero-trust credential manager for AI agents — Node.js SDK.
+ *
+ * @packageDocumentation
+ */
+export { Vault, type VaultOptions } from "./vault.js";
+export { VaultError, VaultNotFoundError, SecretNotFoundError, NotAuthorizedError, ManifestError, } from "./errors.js";
+export { type SecretMetadata, parseMetadataFile, parseMetadata } from "./metadata.js";
+export { Manifest, type ManifestAgent, type ManifestGroup } from "./manifest.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,KAAK,EAAE,KAAK,YAAY,EAAE,MAAM,YAAY,CAAC;AACtD,OAAO,EACL,UAAU,EACV,kBAAkB,EAClB,mBAAmB,EACnB,kBAAkB,EAClB,aAAa,GACd,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,KAAK,cAAc,EAAE,iBAAiB,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AACtF,OAAO,EAAE,QAAQ,EAAE,KAAK,aAAa,EAAE,KAAK,aAAa,EAAE,MAAM,eAAe,CAAC"}

package/dist/index.js

@@ -0,0 +1,10 @@
+/**
+ * agent-vault: Zero-trust credential manager for AI agents — Node.js SDK.
+ *
+ * @packageDocumentation
+ */
+export { Vault } from "./vault.js";
+export { VaultError, VaultNotFoundError, SecretNotFoundError, NotAuthorizedError, ManifestError, } from "./errors.js";
+export { parseMetadataFile, parseMetadata } from "./metadata.js";
+export { Manifest } from "./manifest.js";
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,KAAK,EAAqB,MAAM,YAAY,CAAC;AACtD,OAAO,EACL,UAAU,EACV,kBAAkB,EAClB,mBAAmB,EACnB,kBAAkB,EAClB,aAAa,GACd,MAAM,aAAa,CAAC;AACrB,OAAO,EAAuB,iBAAiB,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AACtF,OAAO,EAAE,QAAQ,EAA0C,MAAM,eAAe,CAAC"}

package/dist/manifest.d.ts

@@ -0,0 +1,67 @@
+/**
+ * Manifest parsing for vault access control.
+ *
+ * The manifest.yaml file defines which agents can access which groups of secrets.
+ * It contains no secret material — only plaintext policy.
+ */
+/** A single agent entry in the manifest. */
+export interface ManifestAgent {
+    name: string;
+    groups: string[];
+}
+/** A secret group entry in the manifest. */
+export interface ManifestGroup {
+    name: string;
+    secrets: string[];
+}
+/** Parsed manifest data. */
+interface ManifestData {
+    version?: number;
+    owners?: Array<{
+        name: string;
+        public_key?: string;
+    }>;
+    agents?: Array<{
+        name: string;
+        groups?: string[];
+    }>;
+    groups?: Array<{
+        name: string;
+        secrets?: string[];
+    }>;
+}
+/**
+ * Parsed manifest.yaml — access control policy.
+ */
+export declare class Manifest {
+    private readonly _data;
+    private readonly _agents;
+    private readonly _groups;
+    constructor(data: ManifestData);
+    /**
+     * Load a manifest from a YAML file.
+     *
+     * @param filePath - Absolute path to manifest.yaml.
+     * @returns Parsed Manifest.
+     * @throws ManifestError if the file is missing or invalid.
+     */
+    static load(filePath: string): Manifest;
+    /** Return the list of groups an agent belongs to. */
+    agentGroups(agentName: string): string[];
+    /** Return the list of secret paths in a group. */
+    groupSecrets(groupName: string): string[];
+    /** Return agent names authorized for a given secret. */
+    agentsForSecret(secretPath: string): string[];
+    /** Return all agents with their group memberships. */
+    listAgents(): ManifestAgent[];
+    /** Return all group names. */
+    listGroups(): string[];
+    /**
+     * Return all secret paths, optionally filtered by group.
+     *
+     * @param group - Optional group name to filter by.
+     */
+    listSecrets(group?: string): string[];
+}
+export {};
+//# sourceMappingURL=manifest.d.ts.map

package/dist/manifest.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"manifest.d.ts","sourceRoot":"","sources":["../src/manifest.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAMH,4CAA4C;AAC5C,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,EAAE,CAAC;CAClB;AAED,4CAA4C;AAC5C,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,EAAE,CAAC;CACnB;AAED,4BAA4B;AAC5B,UAAU,YAAY;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,MAAM,CAAC,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,UAAU,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACtD,MAAM,CAAC,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC,CAAC;IACpD,MAAM,CAAC,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC,CAAC;CACtD;AAED;;GAEG;AACH,qBAAa,QAAQ;IACnB,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAe;IACrC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAA6B;IACrD,OAAO,CAAC,QAAQ,CAAC,OAAO,CAA6B;gBAEzC,IAAI,EAAE,YAAY;IAoB9B;;;;;;OAMG;IACH,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,MAAM,GAAG,QAAQ;IAsBvC,qDAAqD;IACrD,WAAW,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,EAAE;IAKxC,kDAAkD;IAClD,YAAY,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,EAAE;IAKzC,wDAAwD;IACxD,eAAe,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM,EAAE;IAc7C,sDAAsD;IACtD,UAAU,IAAI,aAAa,EAAE;IAI7B,8BAA8B;IAC9B,UAAU,IAAI,MAAM,EAAE;IAItB;;;;OAIG;IACH,WAAW,CAAC,KAAK,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE;CAUtC"}

package/dist/manifest.js

@@ -0,0 +1,106 @@
+/**
+ * Manifest parsing for vault access control.
+ *
+ * The manifest.yaml file defines which agents can access which groups of secrets.
+ * It contains no secret material — only plaintext policy.
+ */
+import { readFileSync } from "node:fs";
+import yaml from "js-yaml";
+import { ManifestError } from "./errors.js";
+/**
+ * Parsed manifest.yaml — access control policy.
+ */
+export class Manifest {
+    _data;
+    _agents;
+    _groups;
+    constructor(data) {
+        this._data = data;
+        this._agents = new Map();
+        for (const a of data.agents ?? []) {
+            this._agents.set(a.name, {
+                name: a.name,
+                groups: [...(a.groups ?? [])],
+            });
+        }
+        this._groups = new Map();
+        for (const g of data.groups ?? []) {
+            this._groups.set(g.name, {
+                name: g.name,
+                secrets: [...(g.secrets ?? [])],
+            });
+        }
+    }
+    /**
+     * Load a manifest from a YAML file.
+     *
+     * @param filePath - Absolute path to manifest.yaml.
+     * @returns Parsed Manifest.
+     * @throws ManifestError if the file is missing or invalid.
+     */
+    static load(filePath) {
+        let content;
+        try {
+            content = readFileSync(filePath, "utf-8");
+        }
+        catch (err) {
+            throw new ManifestError(`Manifest not found: ${filePath}`);
+        }
+        let data;
+        try {
+            data = yaml.load(content) ?? {};
+        }
+        catch (err) {
+            throw new ManifestError(`Invalid manifest YAML: ${err instanceof Error ? err.message : String(err)}`);
+        }
+        return new Manifest(data);
+    }
+    /** Return the list of groups an agent belongs to. */
+    agentGroups(agentName) {
+        const agent = this._agents.get(agentName);
+        return agent ? [...agent.groups] : [];
+    }
+    /** Return the list of secret paths in a group. */
+    groupSecrets(groupName) {
+        const group = this._groups.get(groupName);
+        return group ? [...group.secrets] : [];
+    }
+    /** Return agent names authorized for a given secret. */
+    agentsForSecret(secretPath) {
+        const agents = [];
+        for (const [agentName, agent] of this._agents) {
+            for (const groupName of agent.groups) {
+                const group = this._groups.get(groupName);
+                if (group && group.secrets.includes(secretPath)) {
+                    agents.push(agentName);
+                    break;
+                }
+            }
+        }
+        return agents;
+    }
+    /** Return all agents with their group memberships. */
+    listAgents() {
+        return Array.from(this._agents.values());
+    }
+    /** Return all group names. */
+    listGroups() {
+        return Array.from(this._groups.keys());
+    }
+    /**
+     * Return all secret paths, optionally filtered by group.
+     *
+     * @param group - Optional group name to filter by.
+     */
+    listSecrets(group) {
+        if (group !== undefined) {
+            return this.groupSecrets(group);
+        }
+        const secrets = [];
+        for (const g of this._groups.values()) {
+            secrets.push(...g.secrets);
+        }
+        return secrets;
+    }
+}
+//# sourceMappingURL=manifest.js.map

package/dist/manifest.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"manifest.js","sourceRoot":"","sources":["../src/manifest.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,IAAI,MAAM,SAAS,CAAC;AAC3B,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAsB5C;;GAEG;AACH,MAAM,OAAO,QAAQ;IACF,KAAK,CAAe;IACpB,OAAO,CAA6B;IACpC,OAAO,CAA6B;IAErD,YAAY,IAAkB;QAC5B,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC;QAElB,IAAI,CAAC,OAAO,GAAG,IAAI,GAAG,EAAE,CAAC;QACzB,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,MAAM,IAAI,EAAE,EAAE,CAAC;YAClC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE;gBACvB,IAAI,EAAE,CAAC,CAAC,IAAI;gBACZ,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC;aAC9B,CAAC,CAAC;QACL,CAAC;QAED,IAAI,CAAC,OAAO,GAAG,IAAI,GAAG,EAAE,CAAC;QACzB,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,MAAM,IAAI,EAAE,EAAE,CAAC;YAClC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE;gBACvB,IAAI,EAAE,CAAC,CAAC,IAAI;gBACZ,OAAO,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC;aAChC,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED;;;;;;OAMG;IACH,MAAM,CAAC,IAAI,CAAC,QAAgB;QAC1B,IAAI,OAAe,CAAC;QACpB,IAAI,CAAC;YACH,OAAO,GAAG,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QAC5C,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,IAAI,aAAa,CACrB,uBAAuB,QAAQ,EAAE,CAClC,CAAC;QACJ,CAAC;QAED,IAAI,IAAkB,CAAC;QACvB,IAAI,CAAC;YACH,IAAI,GAAI,IAAI,CAAC,IAAI,CAAC,OAAO,CAAkB,IAAI,EAAE,CAAC;QACpD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,IAAI,aAAa,CACrB,0BAA0B,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAC7E,CAAC;QACJ,CAAC;QAED,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,CAAC;IAC5B,CAAC;IAED,qDAAqD;IACrD,WAAW,CAAC,SAAiB;QAC3B,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QAC1C,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IACxC,CAAC;IAED,kDAAkD;IAClD,YAAY,CAAC,SAAiB;QAC5B,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QAC1C,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IACzC,CAAC;IAED,wDAAwD;IACxD,eAAe,CAAC,UAAkB;QAChC,MAAM,MAAM,GAAa,EAAE,CAAC;QAC5B,KAAK,MAAM,CAAC,SAAS,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YAC9C,KAAK,MAAM,SAAS,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC;gBACrC,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;gBAC1C,IAAI,KAAK,IAAI,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;oBAChD,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;oBACvB,MAAM;gBACR,CAAC;YACH,CAAC;QACH,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,sDAAsD;IACtD,UAAU;QACR,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;IAC3C,CAAC;IAED,8BAA8B;IAC9B,UAAU;QACR,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;IACzC,CAAC;IAED;;;;OAIG;IACH,WAAW,CAAC,KAAc;QACxB,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;YACxB,OAAO,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC;QAClC,CAAC;QACD,MAAM,OAAO,GAAa,EAAE,CAAC;QAC7B,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC;YACtC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC;QAC7B,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC;CACF"}

package/dist/metadata.d.ts

@@ -0,0 +1,33 @@
+/**
+ * Secret metadata parsing.
+ */
+/** Plaintext metadata for a single secret. */
+export interface SecretMetadata {
+    /** Secret name identifier. */
+    name: string;
+    /** Group this secret belongs to. */
+    group: string;
+    /** When the secret was first created. */
+    createdAt: Date;
+    /** When the secret was last rotated. */
+    rotatedAt: Date;
+    /** Optional expiration date. */
+    expiresAt?: Date;
+    /** List of agent names authorized to access this secret. */
+    authorizedAgents: string[];
+}
+/**
+ * Parse a .meta YAML file into a SecretMetadata object.
+ *
+ * @param filePath - Absolute path to the .meta file.
+ * @returns Parsed SecretMetadata.
+ */
+export declare function parseMetadataFile(filePath: string): SecretMetadata;
+/**
+ * Parse metadata from a YAML string.
+ *
+ * @param content - YAML string content.
+ * @returns Parsed SecretMetadata.
+ */
+export declare function parseMetadata(content: string): SecretMetadata;
+//# sourceMappingURL=metadata.d.ts.map

package/dist/metadata.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"metadata.d.ts","sourceRoot":"","sources":["../src/metadata.ts"],"names":[],"mappings":"AAAA;;GAEG;AAKH,8CAA8C;AAC9C,MAAM,WAAW,cAAc;IAC7B,8BAA8B;IAC9B,IAAI,EAAE,MAAM,CAAC;IACb,oCAAoC;IACpC,KAAK,EAAE,MAAM,CAAC;IACd,yCAAyC;IACzC,SAAS,EAAE,IAAI,CAAC;IAChB,wCAAwC;IACxC,SAAS,EAAE,IAAI,CAAC;IAChB,gCAAgC;IAChC,SAAS,CAAC,EAAE,IAAI,CAAC;IACjB,4DAA4D;IAC5D,gBAAgB,EAAE,MAAM,EAAE,CAAC;CAC5B;AAkBD;;;;;GAKG;AACH,wBAAgB,iBAAiB,CAAC,QAAQ,EAAE,MAAM,GAAG,cAAc,CAGlE;AAED;;;;;GAKG;AACH,wBAAgB,aAAa,CAAC,OAAO,EAAE,MAAM,GAAG,cAAc,CAa7D"}

package/dist/metadata.js

@@ -0,0 +1,50 @@
+/**
+ * Secret metadata parsing.
+ */
+import { readFileSync } from "node:fs";
+import yaml from "js-yaml";
+/**
+ * Parse a datetime value from YAML, which may be a Date object or ISO string.
+ */
+function parseDate(val) {
+    if (val instanceof Date) {
+        return val;
+    }
+    if (typeof val === "string") {
+        const d = new Date(val);
+        if (!isNaN(d.getTime())) {
+            return d;
+        }
+    }
+    return new Date(0);
+}
+/**
+ * Parse a .meta YAML file into a SecretMetadata object.
+ *
+ * @param filePath - Absolute path to the .meta file.
+ * @returns Parsed SecretMetadata.
+ */
+export function parseMetadataFile(filePath) {
+    const content = readFileSync(filePath, "utf-8");
+    return parseMetadata(content);
+}
+/**
+ * Parse metadata from a YAML string.
+ *
+ * @param content - YAML string content.
+ * @returns Parsed SecretMetadata.
+ */
+export function parseMetadata(content) {
+    const data = yaml.load(content) ?? {};
+    return {
+        name: typeof data.name === "string" ? data.name : "",
+        group: typeof data.group === "string" ? data.group : "",
+        createdAt: parseDate(data.created),
+        rotatedAt: parseDate(data.rotated),
+        expiresAt: data.expires ? parseDate(data.expires) : undefined,
+        authorizedAgents: Array.isArray(data.authorized_agents)
+            ? data.authorized_agents
+            : [],
+    };
+}
+//# sourceMappingURL=metadata.js.map

package/dist/metadata.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"metadata.js","sourceRoot":"","sources":["../src/metadata.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,IAAI,MAAM,SAAS,CAAC;AAkB3B;;GAEG;AACH,SAAS,SAAS,CAAC,GAAY;IAC7B,IAAI,GAAG,YAAY,IAAI,EAAE,CAAC;QACxB,OAAO,GAAG,CAAC;IACb,CAAC;IACD,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QAC5B,MAAM,CAAC,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,CAAC;QACxB,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC;YACxB,OAAO,CAAC,CAAC;QACX,CAAC;IACH,CAAC;IACD,OAAO,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC;AACrB,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,iBAAiB,CAAC,QAAgB;IAChD,MAAM,OAAO,GAAG,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IAChD,OAAO,aAAa,CAAC,OAAO,CAAC,CAAC;AAChC,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,aAAa,CAAC,OAAe;IAC3C,MAAM,IAAI,GAAI,IAAI,CAAC,IAAI,CAAC,OAAO,CAA6B,IAAI,EAAE,CAAC;IAEnE,OAAO;QACL,IAAI,EAAE,OAAO,IAAI,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE;QACpD,KAAK,EAAE,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE;QACvD,SAAS,EAAE,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC;QAClC,SAAS,EAAE,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC;QAClC,SAAS,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,SAAS;QAC7D,gBAAgB,EAAE,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,iBAAiB,CAAC;YACrD,CAAC,CAAE,IAAI,CAAC,iBAA8B;YACtC,CAAC,CAAC,EAAE;KACP,CAAC;AACJ,CAAC"}

package/dist/vault.d.ts

@@ -0,0 +1,89 @@
+/**
+ * Main Vault class — read-only agent access to secrets.
+ *
+ * The Vault handles key loading, Git synchronization, and age decryption.
+ * Decrypted material is never written to disk — it stays in memory only.
+ */
+import { Manifest } from "./manifest.js";
+import { type SecretMetadata } from "./metadata.js";
+/** Options for constructing a Vault instance. */
+export interface VaultOptions {
+    /** Path to the Git repository containing the vault. */
+    repoPath: string;
+    /**
+     * Path to the age private key file.
+     * Falls back to AGENT_VAULT_KEY env var, then ~/.agent-vault/owner.key.
+     */
+    keyPath?: string;
+    /** Raw age private key string. Overrides keyPath. */
+    keyStr?: string;
+    /** Whether to git pull before each get() call. Defaults to true. */
+    autoPull?: boolean;
+}
+/**
+ * Read-only vault for agents to retrieve secrets.
+ *
+ * @example
+ * ```typescript
+ * const vault = new Vault({
+ *   repoPath: "/path/to/repo",
+ *   keyPath: "~/.agent-vault/agents/my-agent.key",
+ * });
+ * const apiKey = await vault.get("stripe/api-key");
+ * ```
+ */
+export declare class Vault {
+    private readonly _repoPath;
+    private readonly _vaultDir;
+    private readonly _identity;
+    private readonly _autoPull;
+    private _manifest;
+    constructor(options: VaultOptions);
+    /**
+     * Resolve and load the age identity (private key).
+     *
+     * Priority:
+     *   1. keyStr option (raw string)
+     *   2. keyPath option (file path)
+     *   3. AGENT_VAULT_KEY env var (raw string)
+     *   4. ~/.agent-vault/owner.key (default file)
+     */
+    private _loadIdentity;
+    /**
+     * Pull latest changes from the Git remote (best-effort).
+     *
+     * Failures are logged to stderr but do not throw. The vault continues
+     * with whatever local state is available.
+     */
+    pull(): void;
+    /**
+     * Retrieve and decrypt a secret.
+     *
+     * @param secretPath - The secret path (e.g. "stripe/api-key").
+     * @returns The decrypted plaintext value.
+     * @throws SecretNotFoundError if the secret does not exist.
+     * @throws NotAuthorizedError if the key cannot decrypt the secret.
+     */
+    get(secretPath: string): Promise<string>;
+    /**
+     * List secret metadata without decrypting.
+     *
+     * @param group - Optional group name to filter by.
+     * @returns Array of SecretMetadata objects.
+     */
+    listSecrets(group?: string): SecretMetadata[];
+    /**
+     * List all agents and their group memberships.
+     */
+    listAgents(): Array<{
+        name: string;
+        groups: string[];
+    }>;
+    /** Access the parsed manifest. */
+    get manifest(): Manifest;
+    /**
+     * Reload the manifest from disk (e.g. after a pull).
+     */
+    reload(): void;
+}
+//# sourceMappingURL=vault.d.ts.map

package/dist/vault.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"vault.d.ts","sourceRoot":"","sources":["../src/vault.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAYH,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AACzC,OAAO,EAAqB,KAAK,cAAc,EAAE,MAAM,eAAe,CAAC;AAEvE,iDAAiD;AACjD,MAAM,WAAW,YAAY;IAC3B,uDAAuD;IACvD,QAAQ,EAAE,MAAM,CAAC;IACjB;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,qDAAqD;IACrD,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,oEAAoE;IACpE,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB;AAsDD;;;;;;;;;;;GAWG;AACH,qBAAa,KAAK;IAChB,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAS;IACnC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAS;IACnC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAS;IACnC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAU;IACpC,OAAO,CAAC,SAAS,CAAW;gBAEhB,OAAO,EAAE,YAAY;IAkBjC;;;;;;;;OAQG;IACH,OAAO,CAAC,aAAa;IAkCrB;;;;;OAKG;IACH,IAAI,IAAI,IAAI;IAeZ;;;;;;;OAOG;IACG,GAAG,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IA6B9C;;;;;OAKG;IACH,WAAW,CAAC,KAAK,CAAC,EAAE,MAAM,GAAG,cAAc,EAAE;IAwB7C;;OAEG;IACH,UAAU,IAAI,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC;IAIvD,kCAAkC;IAClC,IAAI,QAAQ,IAAI,QAAQ,CAEvB;IAED;;OAEG;IACH,MAAM,IAAI,IAAI;CAGf"}

package/dist/vault.js

@@ -0,0 +1,215 @@
+/**
+ * Main Vault class — read-only agent access to secrets.
+ *
+ * The Vault handles key loading, Git synchronization, and age decryption.
+ * Decrypted material is never written to disk — it stays in memory only.
+ */
+import { existsSync, readFileSync, readdirSync, statSync } from "node:fs";
+import { execSync } from "node:child_process";
+import { homedir } from "node:os";
+import { join, resolve } from "node:path";
+import * as age from "age-encryption";
+import { VaultNotFoundError, SecretNotFoundError, NotAuthorizedError, } from "./errors.js";
+import { Manifest } from "./manifest.js";
+import { parseMetadataFile } from "./metadata.js";
+/**
+ * Extract the AGE-SECRET-KEY line from key file contents.
+ * Key files may contain comments (lines starting with #) and blank lines.
+ */
+function extractIdentity(content) {
+    const lines = content.split("\n");
+    for (const line of lines) {
+        const trimmed = line.trim();
+        if (trimmed.startsWith("AGE-SECRET-KEY-")) {
+            return trimmed;
+        }
+    }
+    throw new VaultNotFoundError("No valid age identity found. Expected a line starting with AGE-SECRET-KEY-.");
+}
+/**
+ * Convert a secret path like "stripe/api-key" to a relative file path.
+ * "stripe/api-key" becomes "stripe/api-key.enc" (or .meta).
+ */
+function toFilePath(secretPath, suffix) {
+    const parts = secretPath.split("/");
+    if (parts.length < 2) {
+        return parts[0] + suffix;
+    }
+    const dir = parts.slice(0, -1).join("/");
+    const file = parts[parts.length - 1] + suffix;
+    return join(dir, file);
+}
+/**
+ * Recursively find all files matching a glob suffix in a directory.
+ */
+function findFiles(dir, suffix) {
+    const results = [];
+    if (!existsSync(dir)) {
+        return results;
+    }
+    const entries = readdirSync(dir, { withFileTypes: true });
+    for (const entry of entries) {
+        const fullPath = join(dir, entry.name);
+        if (entry.isDirectory()) {
+            results.push(...findFiles(fullPath, suffix));
+        }
+        else if (entry.name.endsWith(suffix)) {
+            results.push(fullPath);
+        }
+    }
+    return results;
+}
+/**
+ * Read-only vault for agents to retrieve secrets.
+ *
+ * @example
+ * ```typescript
+ * const vault = new Vault({
+ *   repoPath: "/path/to/repo",
+ *   keyPath: "~/.agent-vault/agents/my-agent.key",
+ * });
+ * const apiKey = await vault.get("stripe/api-key");
+ * ```
+ */
+export class Vault {
+    _repoPath;
+    _vaultDir;
+    _identity;
+    _autoPull;
+    _manifest;
+    constructor(options) {
+        this._repoPath = resolve(options.repoPath);
+        this._vaultDir = join(this._repoPath, ".agent-vault");
+        this._autoPull = options.autoPull ?? true;
+        if (!existsSync(this._vaultDir) || !statSync(this._vaultDir).isDirectory()) {
+            throw new VaultNotFoundError(`No vault found at ${this._repoPath}. Run 'agent-vault init' first.`);
+        }
+        // Load identity (private key)
+        this._identity = this._loadIdentity(options);
+        // Load manifest
+        this._manifest = Manifest.load(join(this._vaultDir, "manifest.yaml"));
+    }
+    /**
+     * Resolve and load the age identity (private key).
+     *
+     * Priority:
+     *   1. keyStr option (raw string)
+     *   2. keyPath option (file path)
+     *   3. AGENT_VAULT_KEY env var (raw string)
+     *   4. ~/.agent-vault/owner.key (default file)
+     */
+    _loadIdentity(options) {
+        if (options.keyStr) {
+            return extractIdentity(options.keyStr);
+        }
+        if (options.keyPath) {
+            const resolvedPath = options.keyPath.startsWith("~")
+                ? join(homedir(), options.keyPath.slice(1))
+                : resolve(options.keyPath);
+            if (!existsSync(resolvedPath)) {
+                throw new VaultNotFoundError(`Key file not found: ${resolvedPath}`);
+            }
+            return extractIdentity(readFileSync(resolvedPath, "utf-8"));
+        }
+        const envKey = process.env.AGENT_VAULT_KEY;
+        if (envKey) {
+            return extractIdentity(envKey);
+        }
+        const defaultKeyPath = join(homedir(), ".agent-vault", "owner.key");
+        if (existsSync(defaultKeyPath)) {
+            return extractIdentity(readFileSync(defaultKeyPath, "utf-8"));
+        }
+        throw new VaultNotFoundError("No key provided. Pass keyPath, keyStr, set the AGENT_VAULT_KEY " +
+            "environment variable, or ensure ~/.agent-vault/owner.key exists.");
+    }
+    /**
+     * Pull latest changes from the Git remote (best-effort).
+     *
+     * Failures are logged to stderr but do not throw. The vault continues
+     * with whatever local state is available.
+     */
+    pull() {
+        try {
+            execSync("git pull", {
+                cwd: this._repoPath,
+                stdio: ["ignore", "ignore", "pipe"],
+                timeout: 30_000,
+            });
+        }
+        catch (err) {
+            const message = err instanceof Error ? err.message : String(err);
+            process.stderr.write(`Warning: git pull failed (continuing with local state): ${message}\n`);
+        }
+    }
+    /**
+     * Retrieve and decrypt a secret.
+     *
+     * @param secretPath - The secret path (e.g. "stripe/api-key").
+     * @returns The decrypted plaintext value.
+     * @throws SecretNotFoundError if the secret does not exist.
+     * @throws NotAuthorizedError if the key cannot decrypt the secret.
+     */
+    async get(secretPath) {
+        if (this._autoPull) {
+            this.pull();
+        }
+        const encPath = join(this._vaultDir, "secrets", toFilePath(secretPath, ".enc"));
+        if (!existsSync(encPath)) {
+            throw new SecretNotFoundError(`Secret not found: ${secretPath}`);
+        }
+        const ciphertext = readFileSync(encPath);
+        try {
+            const d = new age.Decrypter();
+            d.addIdentity(this._identity);
+            const plaintext = await d.decrypt(ciphertext, "text");
+            return plaintext;
+        }
+        catch (err) {
+            throw new NotAuthorizedError(`Cannot decrypt '${secretPath}': ${err instanceof Error ? err.message : String(err)}`);
+        }
+    }
+    /**
+     * List secret metadata without decrypting.
+     *
+     * @param group - Optional group name to filter by.
+     * @returns Array of SecretMetadata objects.
+     */
+    listSecrets(group) {
+        const secretsDir = join(this._vaultDir, "secrets");
+        if (!existsSync(secretsDir)) {
+            return [];
+        }
+        const metaFiles = findFiles(secretsDir, ".meta").sort();
+        const results = [];
+        for (const metaPath of metaFiles) {
+            try {
+                const meta = parseMetadataFile(metaPath);
+                if (group === undefined || meta.group === group) {
+                    results.push(meta);
+                }
+            }
+            catch {
+                // Skip unparseable metadata files
+                continue;
+            }
+        }
+        return results;
+    }
+    /**
+     * List all agents and their group memberships.
+     */
+    listAgents() {
+        return this._manifest.listAgents();
+    }
+    /** Access the parsed manifest. */
+    get manifest() {
+        return this._manifest;
+    }
+    /**
+     * Reload the manifest from disk (e.g. after a pull).
+     */
+    reload() {
+        this._manifest = Manifest.load(join(this._vaultDir, "manifest.yaml"));
+    }
+}
+//# sourceMappingURL=vault.js.map

package/dist/vault.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"vault.js","sourceRoot":"","sources":["../src/vault.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,WAAW,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAC1E,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAC1C,OAAO,KAAK,GAAG,MAAM,gBAAgB,CAAC;AACtC,OAAO,EACL,kBAAkB,EAClB,mBAAmB,EACnB,kBAAkB,GACnB,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AACzC,OAAO,EAAE,iBAAiB,EAAuB,MAAM,eAAe,CAAC;AAiBvE;;;GAGG;AACH,SAAS,eAAe,CAAC,OAAe;IACtC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAClC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAC5B,IAAI,OAAO,CAAC,UAAU,CAAC,iBAAiB,CAAC,EAAE,CAAC;YAC1C,OAAO,OAAO,CAAC;QACjB,CAAC;IACH,CAAC;IACD,MAAM,IAAI,kBAAkB,CAC1B,6EAA6E,CAC9E,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,SAAS,UAAU,CAAC,UAAkB,EAAE,MAAc;IACpD,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACpC,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACrB,OAAO,KAAK,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC;IAC3B,CAAC;IACD,MAAM,GAAG,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACzC,MAAM,IAAI,GAAG,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,GAAG,MAAM,CAAC;IAC9C,OAAO,IAAI,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;AACzB,CAAC;AAED;;GAEG;AACH,SAAS,SAAS,CAAC,GAAW,EAAE,MAAc;IAC5C,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QACrB,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,MAAM,OAAO,GAAG,WAAW,CAAC,GAAG,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC;IAC1D,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;QAC5B,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;QACvC,IAAI,KAAK,CAAC,WAAW,EAAE,EAAE,CAAC;YACxB,OAAO,CAAC,IAAI,CAAC,GAAG,SAAS,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,CAAC;QAC/C,CAAC;aAAM,IAAI,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;YACvC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACzB,CAAC;IACH,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,OAAO,KAAK;IACC,SAAS,CAAS;IAClB,SAAS,CAAS;IAClB,SAAS,CAAS;IAClB,SAAS,CAAU;IAC5B,SAAS,CAAW;IAE5B,YAAY,OAAqB;QAC/B,IAAI,CAAC,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;QAC3C,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,cAAc,CAAC,CAAC;QACtD,IAAI,CAAC,SAAS,GAAG,OAAO,CAAC,QAAQ,IAAI,IAAI,CAAC;QAE1C,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,WAAW,EAAE,EAAE,CAAC;YAC3E,MAAM,IAAI,kBAAkB,CAC1B,qBAAqB,IAAI,CAAC,SAAS,iCAAiC,CACrE,CAAC;QACJ,CAAC;QAED,8BAA8B;QAC9B,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC;QAE7C,gBAAgB;QAChB,IAAI,CAAC,SAAS,GAAG,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,eAAe,CAAC,CAAC,CAAC;IACxE,CAAC;IAED;;;;;;;;OAQG;IACK,aAAa,CAAC,OAAqB;QACzC,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;YACnB,OAAO,eAAe,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QACzC,CAAC;QAED,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;YACpB,MAAM,YAAY,GAAG,OAAO,CAAC,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;gBAClD,CAAC,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;gBAC3C,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;YAE7B,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;gBAC9B,MAAM,IAAI,kBAAkB,CAC1B,uBAAuB,YAAY,EAAE,CACtC,CAAC;YACJ,CAAC;YACD,OAAO,eAAe,CAAC,YAAY,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC,CAAC;QAC9D,CAAC;QAED,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;QAC3C,IAAI,MAAM,EAAE,CAAC;YACX,OAAO,eAAe,CAAC,MAAM,CAAC,CAAC;QACjC,CAAC;QAED,MAAM,cAAc,GAAG,IAAI,CAAC,OAAO,EAAE,EAAE,cAAc,EAAE,WAAW,CAAC,CAAC;QACpE,IAAI,UAAU,CAAC,cAAc,CAAC,EAAE,CAAC;YAC/B,OAAO,eAAe,CAAC,YAAY,CAAC,cAAc,EAAE,OAAO,CAAC,CAAC,CAAC;QAChE,CAAC;QAED,MAAM,IAAI,kBAAkB,CAC1B,iEAAiE;YACjE,kEAAkE,CACnE,CAAC;IACJ,CAAC;IAED;;;;;OAKG;IACH,IAAI;QACF,IAAI,CAAC;YACH,QAAQ,CAAC,UAAU,EAAE;gBACnB,GAAG,EAAE,IAAI,CAAC,SAAS;gBACnB,KAAK,EAAE,CAAC,QAAQ,EAAE,QAAQ,EAAE,MAAM,CAAC;gBACnC,OAAO,EAAE,MAAM;aAChB,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACjE,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,2DAA2D,OAAO,IAAI,CACvE,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;;;;;;OAOG;IACH,KAAK,CAAC,GAAG,CAAC,UAAkB;QAC1B,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;YACnB,IAAI,CAAC,IAAI,EAAE,CAAC;QACd,CAAC;QAED,MAAM,OAAO,GAAG,IAAI,CAClB,IAAI,CAAC,SAAS,EACd,SAAS,EACT,UAAU,CAAC,UAAU,EAAE,MAAM,CAAC,CAC/B,CAAC;QAEF,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;YACzB,MAAM,IAAI,mBAAmB,CAAC,qBAAqB,UAAU,EAAE,CAAC,CAAC;QACnE,CAAC;QAED,MAAM,UAAU,GAAG,YAAY,CAAC,OAAO,CAAC,CAAC;QAEzC,IAAI,CAAC;YACH,MAAM,CAAC,GAAG,IAAI,GAAG,CAAC,SAAS,EAAE,CAAC;YAC9B,CAAC,CAAC,WAAW,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YAC9B,MAAM,SAAS,GAAG,MAAM,CAAC,CAAC,OAAO,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;YACtD,OAAO,SAAS,CAAC;QACnB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,IAAI,kBAAkB,CAC1B,mBAAmB,UAAU,MAAM,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CACtF,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACH,WAAW,CAAC,KAAc;QACxB,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC;QACnD,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;YAC5B,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,MAAM,SAAS,GAAG,SAAS,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC;QACxD,MAAM,OAAO,GAAqB,EAAE,CAAC;QAErC,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE,CAAC;YACjC,IAAI,CAAC;gBACH,MAAM,IAAI,GAAG,iBAAiB,CAAC,QAAQ,CAAC,CAAC;gBACzC,IAAI,KAAK,KAAK,SAAS,IAAI,IAAI,CAAC,KAAK,KAAK,KAAK,EAAE,CAAC;oBAChD,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBACrB,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,kCAAkC;gBAClC,SAAS;YACX,CAAC;QACH,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAED;;OAEG;IACH,UAAU;QACR,OAAO,IAAI,CAAC,SAAS,CAAC,UAAU,EAAE,CAAC;IACrC,CAAC;IAED,kCAAkC;IAClC,IAAI,QAAQ;QACV,OAAO,IAAI,CAAC,SAAS,CAAC;IACxB,CAAC;IAED;;OAEG;IACH,MAAM;QACJ,IAAI,CAAC,SAAS,GAAG,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,eAAe,CAAC,CAAC,CAAC;IACxE,CAAC;CACF"}

package/package.json

@@ -0,0 +1,52 @@
+{
+  "name": "@ewimsatt/agent-vault",
+  "version": "0.1.0",
+  "description": "Zero-trust credential manager for AI agents — Node.js SDK",
+  "license": "MIT",
+  "type": "module",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "files": [
+    "dist",
+    "README.md",
+    "LICENSE"
+  ],
+  "scripts": {
+    "build": "tsc",
+    "test": "vitest",
+    "prepublishOnly": "npm run build"
+  },
+  "dependencies": {
+    "age-encryption": "^0.2.4",
+    "js-yaml": "^4.1.0"
+  },
+  "devDependencies": {
+    "@types/js-yaml": "^4.0.9",
+    "@types/node": "^22.0.0",
+    "typescript": "^5.7.0",
+    "vitest": "^3.0.0"
+  },
+  "engines": {
+    "node": ">=20.0.0"
+  },
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/ewimsatt/agent-vault.git",
+    "directory": "node-sdk"
+  },
+  "homepage": "https://github.com/ewimsatt/agent-vault",
+  "bugs": {
+    "url": "https://github.com/ewimsatt/agent-vault/issues"
+  },
+  "keywords": [
+    "security",
+    "encryption",
+    "credentials",
+    "ai-agents",
+    "age",
+    "mcp",
+    "zero-trust",
+    "secret-management"
+  ],
+  "author": "agent-vault contributors"
+}