@geminixiang/mama 0.2.0-beta.1 → 0.2.0-beta.10

package/dist/vault.d.ts

@@ -1,31 +1,6 @@
 import type { SandboxConfig } from "./sandbox.js";
-/** Shape of workspace/vaults/vault.json */
-export interface VaultConfig {
-    vaults: Record<string, VaultEntry>;
-}
-/** Per-user vault mount entry in vault.json */
-export interface VaultMountEntry {
-    source: string;
-    target?: string;
-}
-/** Per-user vault entry in vault.json */
-export interface VaultEntry {
-    displayName: string;
-    platform?: "slack" | "discord" | "telegram";
-    /** Subdirs/files in vault dir to mount into sandbox (e.g. [".gcloud", ".ssh", ".kube"]) */
-    mounts?: Array<string | VaultMountEntry>;
-    /** Whether to load env file as environment variables (default: true if env file exists) */
-    envFile?: boolean;
-    /** Per-user sandbox config override */
-    sandbox?: {
-        type?: "image" | "firecracker" | "host" | "container" | "docker";
-        container?: string;
-        image?: string;
-        vmId?: string;
-        sshUser?: string;
-        sshPort?: number;
-    };
-}
+export declare function normalizeSharedVaultName(name: string): string | undefined;
+export declare function sharedVaultKey(name: string): string | undefined;
 export interface ResolvedVaultMount {
     source: string;
     target: string;
@@ -40,35 +15,31 @@ export interface ResolvedVault {
     mounts: ResolvedVaultMount[];
     /** Parsed from env file */
     env: Record<string, string>;
-    sandboxOverride?: VaultEntry["sandbox"];
 }
 export interface VaultManager {
-    /** Return true when vault.json contains this exact key. */
+    /** Return true when a vault directory exists for this exact key. */
     hasEntry(key: string): boolean;
-    /** Resolve vault for a user; returns undefined when no entry exists. */
+    /** Resolve vault for a user; returns undefined when no directory exists. */
     resolve(userId: string): ResolvedVault | undefined;
     /** Get sandbox config with credential injection for a user */
     getSandboxConfig(userId: string, baseConfig: SandboxConfig): SandboxConfig;
-    /** List all configured vaults */
+    /** List all vaults discovered under vaults/. */
     list(): ResolvedVault[];
-    /** Re-read vault.json without restart */
-    reload(): void;
-    /** Check if vault system is enabled (vault.json exists) */
+    /** Check if the vaults directory exists. */
     isEnabled(): boolean;
-    /**
-     * Add a vault entry and persist to disk.
-     * No-op if the key already exists (idempotent).
-     */
-    addEntry(key: string, entry: VaultEntry): void;
-    /**
-     * Ensure a vault entry has image sandbox metadata.
-     * Creates the entry when missing and upgrades existing entries that lack sandbox.type.
-     */
-    ensureImageSandboxEntry(key: string, entry: VaultEntry): void;
     /** Merge environment variables into vaults/<key>/env and persist them to disk. */
     upsertEnv(key: string, env: Record<string, string>): void;
     /** Write a private file into vaults/<key>/ and ensure it is mounted into the sandbox. */
     upsertFile(key: string, relativePath: string, content: string, targetPath?: string): void;
+    /** List named shared login profiles under vaults/shared/. */
+    listSharedVaults(): string[];
+    /** Delete a shared login profile's directory. Returns true when it existed. */
+    deleteSharedVault(name: string): boolean;
+    /** Copy a shared login profile's files into another vault directory. */
+    copySharedVaultTo(name: string, targetKey: string): {
+        filesCopied: number;
+        envKeysCopied: number;
+    };
 }
 /**
  * Parse a KEY=VALUE env file. Supports:
@@ -80,27 +51,22 @@ export interface VaultManager {
  */
 export declare function parseEnvFile(content: string): Record<string, string>;
 export declare class FileVaultManager implements VaultManager {
-    private config;
     private readonly vaultsDir;
-    private readonly configPath;
     constructor(stateDir: string);
-    reload(): void;
-    /** Warn for legacy or insecure vault sandbox overrides that are no longer allowed. */
-    private warnUnsupportedSandboxTypes;
     isEnabled(): boolean;
     hasEntry(key: string): boolean;
+    listSharedVaults(): string[];
+    deleteSharedVault(name: string): boolean;
+    copySharedVaultTo(name: string, targetKey: string): {
+        filesCopied: number;
+        envKeysCopied: number;
+    };
     resolve(userId: string): ResolvedVault | undefined;
     getSandboxConfig(userId: string, baseConfig: SandboxConfig): SandboxConfig;
     list(): ResolvedVault[];
-    addEntry(key: string, entry: VaultEntry): void;
-    ensureImageSandboxEntry(key: string, entry: VaultEntry): void;
     upsertEnv(key: string, env: Record<string, string>): void;
     upsertFile(key: string, relativePath: string, content: string, targetPath?: string): void;
-    private persistConfig;
-    private readConfigFromDisk;
-    private ensureMountEntry;
     private buildResolved;
-    private resolveMountEntry;
 }
 export declare function defaultVaultTargetPath(relativePath: string): string;
 //# sourceMappingURL=vault.d.ts.map

package/dist/vault.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"vault.d.ts","sourceRoot":"","sources":["../src/vault.ts"],"names":[],"mappings":"AAcA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAOlD,2CAA2C;AAC3C,MAAM,WAAW,WAAW;IAC1B,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC;CACpC;AAED,+CAA+C;AAC/C,MAAM,WAAW,eAAe;IAC9B,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,yCAAyC;AACzC,MAAM,WAAW,UAAU;IACzB,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,EAAE,OAAO,GAAG,SAAS,GAAG,UAAU,CAAC;IAC5C,2FAA2F;IAC3F,MAAM,CAAC,EAAE,KAAK,CAAC,MAAM,GAAG,eAAe,CAAC,CAAC;IACzC,2FAA2F;IAC3F,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,uCAAuC;IACvC,OAAO,CAAC,EAAE;QACR,IAAI,CAAC,EAAE,OAAO,GAAG,aAAa,GAAG,MAAM,GAAG,WAAW,GAAG,QAAQ,CAAC;QACjE,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,OAAO,CAAC,EAAE,MAAM,CAAC;QACjB,OAAO,CAAC,EAAE,MAAM,CAAC;KAClB,CAAC;CACH;AAED,MAAM,WAAW,kBAAkB;IACjC,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,8CAA8C;AAC9C,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,MAAM,CAAC;IACpB,uCAAuC;IACvC,GAAG,EAAE,MAAM,CAAC;IACZ,2BAA2B;IAC3B,MAAM,EAAE,kBAAkB,EAAE,CAAC;IAC7B,2BAA2B;IAC3B,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC5B,eAAe,CAAC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC;CACzC;AAED,MAAM,WAAW,YAAY;IAC3B,2DAA2D;IAC3D,QAAQ,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;IAC/B,wEAAwE;IACxE,OAAO,CAAC,MAAM,EAAE,MAAM,GAAG,aAAa,GAAG,SAAS,CAAC;IACnD,8DAA8D;IAC9D,gBAAgB,CAAC,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,aAAa,GAAG,aAAa,CAAC;IAC3E,iCAAiC;IACjC,IAAI,IAAI,aAAa,EAAE,CAAC;IACxB,yCAAyC;IACzC,MAAM,IAAI,IAAI,CAAC;IACf,2DAA2D;IAC3D,SAAS,IAAI,OAAO,CAAC;IACrB;;;OAGG;IACH,QAAQ,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,UAAU,GAAG,IAAI,CAAC;IAC/C;;;OAGG;IACH,uBAAuB,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,UAAU,GAAG,IAAI,CAAC;IAC9D,kFAAkF;IAClF,SAAS,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,IAAI,CAAC;IAC1D,yFAAyF;IACzF,UAAU,CAAC,GAAG,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC3F;AAID;;;;;;;GAOG;AACH,wBAAgB,YAAY,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CA4BpE;AAID,qBAAa,gBAAiB,YAAW,YAAY;IACnD,OAAO,CAAC,MAAM,CAA4B;IAC1C,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAS;IACnC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAS;IAEpC,YAAY,QAAQ,EAAE,MAAM,EAI3B;IAED,MAAM,IAAI,IAAI,CA2Bb;IAED,sFAAsF;IACtF,OAAO,CAAC,2BAA2B;IAkBnC,SAAS,IAAI,OAAO,CAEnB;IAED,QAAQ,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAE7B;IAED,OAAO,CAAC,MAAM,EAAE,MAAM,GAAG,aAAa,GAAG,SAAS,CAIjD;IAED,gBAAgB,CAAC,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,aAAa,GAAG,aAAa,CAkDzE;IAED,IAAI,IAAI,aAAa,EAAE,CAQtB;IAED,QAAQ,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,UAAU,GAAG,IAAI,CAQ7C;IAED,uBAAuB,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,UAAU,GAAG,IAAI,CA8C5D;IAED,SAAS,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,IAAI,CAexD;IAED,UAAU,CAAC,GAAG,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAgBxF;IAID,OAAO,CAAC,aAAa;IAmBrB,OAAO,CAAC,kBAAkB;IAkB1B,OAAO,CAAC,gBAAgB;IAwBxB,OAAO,CAAC,aAAa;IA2BrB,OAAO,CAAC,iBAAiB;CAsB1B;AAyED,wBAAgB,sBAAsB,CAAC,YAAY,EAAE,MAAM,GAAG,MAAM,CAGnE","sourcesContent":["import {\n  chmodSync,\n  closeSync,\n  constants as fsConstants,\n  existsSync,\n  mkdirSync,\n  openSync,\n  readFileSync,\n  renameSync,\n  unlinkSync,\n  writeSync,\n} from \"fs\";\nimport { randomBytes } from \"crypto\";\nimport { basename, dirname, isAbsolute, join, normalize, sep } from \"path\";\nimport type { SandboxConfig } from \"./sandbox.js\";\n\nconst PRIVATE_DIR_MODE = 0o700;\nconst PRIVATE_FILE_MODE = 0o600;\n\n// ── Types ──────────────────────────────────────────────────────────────────────\n\n/** Shape of workspace/vaults/vault.json */\nexport interface VaultConfig {\n  vaults: Record<string, VaultEntry>;\n}\n\n/** Per-user vault mount entry in vault.json */\nexport interface VaultMountEntry {\n  source: string;\n  target?: string;\n}\n\n/** Per-user vault entry in vault.json */\nexport interface VaultEntry {\n  displayName: string;\n  platform?: \"slack\" | \"discord\" | \"telegram\";\n  /** Subdirs/files in vault dir to mount into sandbox (e.g. [\".gcloud\", \".ssh\", \".kube\"]) */\n  mounts?: Array<string | VaultMountEntry>;\n  /** Whether to load env file as environment variables (default: true if env file exists) */\n  envFile?: boolean;\n  /** Per-user sandbox config override */\n  sandbox?: {\n    type?: \"image\" | \"firecracker\" | \"host\" | \"container\" | \"docker\";\n    container?: string;\n    image?: string;\n    vmId?: string;\n    sshUser?: string;\n    sshPort?: number;\n  };\n}\n\nexport interface ResolvedVaultMount {\n  source: string;\n  target: string;\n}\n\n/** Resolved vault ready for use at runtime */\nexport interface ResolvedVault {\n  userId: string;\n  displayName: string;\n  /** Absolute path to vault directory */\n  dir: string;\n  /** Absolute mount specs */\n  mounts: ResolvedVaultMount[];\n  /** Parsed from env file */\n  env: Record<string, string>;\n  sandboxOverride?: VaultEntry[\"sandbox\"];\n}\n\nexport interface VaultManager {\n  /** Return true when vault.json contains this exact key. */\n  hasEntry(key: string): boolean;\n  /** Resolve vault for a user; returns undefined when no entry exists. */\n  resolve(userId: string): ResolvedVault | undefined;\n  /** Get sandbox config with credential injection for a user */\n  getSandboxConfig(userId: string, baseConfig: SandboxConfig): SandboxConfig;\n  /** List all configured vaults */\n  list(): ResolvedVault[];\n  /** Re-read vault.json without restart */\n  reload(): void;\n  /** Check if vault system is enabled (vault.json exists) */\n  isEnabled(): boolean;\n  /**\n   * Add a vault entry and persist to disk.\n   * No-op if the key already exists (idempotent).\n   */\n  addEntry(key: string, entry: VaultEntry): void;\n  /**\n   * Ensure a vault entry has image sandbox metadata.\n   * Creates the entry when missing and upgrades existing entries that lack sandbox.type.\n   */\n  ensureImageSandboxEntry(key: string, entry: VaultEntry): void;\n  /** Merge environment variables into vaults/<key>/env and persist them to disk. */\n  upsertEnv(key: string, env: Record<string, string>): void;\n  /** Write a private file into vaults/<key>/ and ensure it is mounted into the sandbox. */\n  upsertFile(key: string, relativePath: string, content: string, targetPath?: string): void;\n}\n\n// ── parseEnvFile ───────────────────────────────────────────────────────────────\n\n/**\n * Parse a KEY=VALUE env file. Supports:\n * - Lines starting with # are comments\n * - Empty lines are skipped\n * - Values can be quoted with single or double quotes (quotes are stripped)\n * - No variable expansion\n * - The value is everything after the first `=` to end of line (no inline comments)\n */\nexport function parseEnvFile(content: string): Record<string, string> {\n  const env: Record<string, string> = {};\n  const lines = content.replace(/\\r\\n/g, \"\\n\").replace(/\\r/g, \"\\n\").split(\"\\n\");\n\n  for (const line of lines) {\n    const trimmed = line.trim();\n    if (!trimmed || trimmed.startsWith(\"#\")) continue;\n\n    const eqIndex = trimmed.indexOf(\"=\");\n    if (eqIndex === -1) continue;\n\n    const key = trimmed.slice(0, eqIndex).trim();\n    if (!key) continue;\n\n    let value = trimmed.slice(eqIndex + 1);\n\n    // Strip matching quotes\n    if (\n      (value.startsWith('\"') && value.endsWith('\"')) ||\n      (value.startsWith(\"'\") && value.endsWith(\"'\"))\n    ) {\n      value = value.slice(1, -1);\n    }\n\n    env[key] = value;\n  }\n\n  return env;\n}\n\n// ── FileVaultManager ───────────────────────────────────────────────────────────\n\nexport class FileVaultManager implements VaultManager {\n  private config: VaultConfig | null = null;\n  private readonly vaultsDir: string;\n  private readonly configPath: string;\n\n  constructor(stateDir: string) {\n    this.vaultsDir = join(stateDir, \"vaults\");\n    this.configPath = join(this.vaultsDir, \"vault.json\");\n    this.reload();\n  }\n\n  reload(): void {\n    if (!existsSync(this.configPath)) {\n      this.config = null;\n      return;\n    }\n\n    try {\n      const raw = readFileSync(this.configPath, \"utf-8\");\n      const parsed = JSON.parse(raw);\n\n      if (\n        !parsed ||\n        typeof parsed !== \"object\" ||\n        !parsed.vaults ||\n        typeof parsed.vaults !== \"object\"\n      ) {\n        console.error(`vault: malformed vault.json — expected { vaults: { ... } }`);\n        this.config = null;\n        return;\n      }\n\n      this.config = parsed as VaultConfig;\n      this.warnUnsupportedSandboxTypes();\n    } catch (err) {\n      console.error(`vault: failed to read ${this.configPath}:`, err);\n      this.config = null;\n    }\n  }\n\n  /** Warn for legacy or insecure vault sandbox overrides that are no longer allowed. */\n  private warnUnsupportedSandboxTypes(): void {\n    if (!this.config) return;\n    for (const [key, entry] of Object.entries(this.config.vaults)) {\n      if (entry.sandbox?.type === \"host\") {\n        console.error(\n          `vault: \"${key}\" uses sandbox.type=host, which is blocked for credential isolation. ` +\n            \"Use sandbox.type=image or sandbox.type=firecracker.\",\n        );\n      }\n      if (entry.sandbox?.type === \"container\" || entry.sandbox?.type === \"docker\") {\n        console.error(\n          `vault: \"${key}\" uses sandbox.type=${entry.sandbox.type}, which is blocked for credential isolation. ` +\n            \"Use sandbox.type=image for per-user containers or sandbox.type=firecracker.\",\n        );\n      }\n    }\n  }\n\n  isEnabled(): boolean {\n    return this.config !== null;\n  }\n\n  hasEntry(key: string): boolean {\n    return !!this.config?.vaults[key];\n  }\n\n  resolve(userId: string): ResolvedVault | undefined {\n    const entry = this.config?.vaults[userId];\n    if (!entry) return undefined;\n    return this.buildResolved(userId, entry);\n  }\n\n  getSandboxConfig(userId: string, baseConfig: SandboxConfig): SandboxConfig {\n    const vault = this.resolve(userId);\n    if (!vault?.sandboxOverride) return baseConfig;\n\n    const override = vault.sandboxOverride;\n\n    if (override.type === \"image\") {\n      if (baseConfig.type !== \"image\") {\n        throw new Error(\n          `vault \"${userId}\" sets sandbox.type=image, but base sandbox is \"${baseConfig.type}\". ` +\n            \"Use --sandbox=image:<image> to enable per-user managed containers.\",\n        );\n      }\n      const container = override.container || `mama-sandbox-${userId}`;\n      return { type: \"container\", container };\n    }\n\n    if (override.type === \"firecracker\") {\n      if (!override.vmId) return baseConfig;\n      if (baseConfig.type !== \"firecracker\") {\n        throw new Error(\n          `vault \"${userId}\" sets sandbox.type=firecracker, but base sandbox is \"${baseConfig.type}\". ` +\n            \"Use --sandbox=firecracker:<vm-id>:<host-path> so /workspace stays mapped to the real workspace.\",\n        );\n      }\n      return {\n        type: \"firecracker\",\n        vmId: override.vmId,\n        hostPath: baseConfig.hostPath,\n        sshUser: override.sshUser,\n        sshPort: override.sshPort,\n      };\n    }\n\n    if (override.type === \"host\") {\n      throw new Error(\n        `vault \"${userId}\" uses sandbox.type=host, which is blocked for credential isolation. ` +\n          \"Use sandbox.type=image or sandbox.type=firecracker.\",\n      );\n    }\n\n    if (override.type === \"container\" || override.type === \"docker\") {\n      throw new Error(\n        `vault \"${userId}\" uses sandbox.type=${override.type}, which is blocked for credential isolation. ` +\n          \"Use sandbox.type=image for per-user containers or sandbox.type=firecracker.\",\n      );\n    }\n\n    // No type override — return base config unchanged\n    return baseConfig;\n  }\n\n  list(): ResolvedVault[] {\n    if (!this.config) return [];\n\n    const results: ResolvedVault[] = [];\n    for (const [key, entry] of Object.entries(this.config.vaults)) {\n      results.push(this.buildResolved(key, entry));\n    }\n    return results;\n  }\n\n  addEntry(key: string, entry: VaultEntry): void {\n    if (!this.config) {\n      this.config = { vaults: {} };\n    }\n    // Idempotent: skip if already exists\n    if (this.config.vaults[key]) return;\n    this.config.vaults[key] = entry;\n    this.persistConfig();\n  }\n\n  ensureImageSandboxEntry(key: string, entry: VaultEntry): void {\n    if (entry.sandbox?.type !== \"image\") {\n      throw new Error(`vault: ensureImageSandboxEntry requires sandbox.type=image for \"${key}\"`);\n    }\n\n    if (!this.config) {\n      this.config = { vaults: {} };\n    }\n\n    const existing = this.config.vaults[key];\n    if (!existing) {\n      this.config.vaults[key] = entry;\n      this.persistConfig();\n      return;\n    }\n\n    let nextEntry = existing;\n    let changed = false;\n\n    if (!existing.platform && entry.platform) {\n      nextEntry = { ...nextEntry, platform: entry.platform };\n      changed = true;\n    }\n\n    const existingSandbox = existing.sandbox;\n    if (!existingSandbox?.type) {\n      nextEntry = { ...nextEntry, sandbox: entry.sandbox };\n      changed = true;\n    } else if (\n      existingSandbox.type === \"image\" &&\n      !existingSandbox.container &&\n      entry.sandbox.container\n    ) {\n      nextEntry = {\n        ...nextEntry,\n        sandbox: { ...existingSandbox, container: entry.sandbox.container },\n      };\n      changed = true;\n    }\n\n    if (!changed) {\n      return;\n    }\n\n    this.config.vaults[key] = nextEntry;\n    this.persistConfig();\n  }\n\n  upsertEnv(key: string, env: Record<string, string>): void {\n    const dir = join(this.vaultsDir, key);\n    const envPath = join(dir, \"env\");\n    ensurePrivateDir(this.vaultsDir);\n    ensurePrivateDir(dir);\n    const existing = existsSync(envPath)\n      ? parseEnvFile(readFileSync(envPath, \"utf-8\"))\n      : ({} as Record<string, string>);\n    const merged = { ...existing, ...env };\n    const content =\n      Object.entries(merged)\n        .sort(([left], [right]) => left.localeCompare(right))\n        .map(([envKey, value]) => `${envKey}=${value}`)\n        .join(\"\\n\") + \"\\n\";\n    atomicWritePrivateFile(envPath, content);\n  }\n\n  upsertFile(key: string, relativePath: string, content: string, targetPath?: string): void {\n    const normalizedPath = normalizeVaultRelativePath(relativePath);\n    const normalizedTarget = normalizeVaultTargetPath(targetPath);\n    if (!normalizedPath || (targetPath !== undefined && !normalizedTarget)) {\n      throw new Error(`vault: invalid relative secret file path for \"${key}\": ${relativePath}`);\n    }\n\n    const dir = join(this.vaultsDir, key);\n    const filePath = join(dir, normalizedPath);\n\n    ensurePrivateDir(this.vaultsDir);\n    ensurePrivateDir(dir);\n    const parentDir = dirname(filePath);\n    if (parentDir !== dir) ensurePrivateDir(parentDir);\n    atomicWritePrivateFile(filePath, content);\n    this.ensureMountEntry(key, normalizedPath, normalizedTarget);\n  }\n\n  // ── private ────────────────────────────────────────────────────────────────\n\n  private persistConfig(): void {\n    ensurePrivateDir(this.vaultsDir);\n\n    // Preserve concurrent external edits: pull in any entries that appear on\n    // disk but not in our in-memory view, so a background edit (e.g. another\n    // admin adding a user) is not silently dropped by the next upsert here.\n    // Individual field edits still follow last-writer-wins per key.\n    const onDisk = this.readConfigFromDisk();\n    if (onDisk && this.config) {\n      for (const [key, entry] of Object.entries(onDisk.vaults)) {\n        if (!(key in this.config.vaults)) {\n          this.config.vaults[key] = entry;\n        }\n      }\n    }\n\n    atomicWritePrivateFile(this.configPath, JSON.stringify(this.config, null, 2) + \"\\n\");\n  }\n\n  private readConfigFromDisk(): VaultConfig | null {\n    if (!existsSync(this.configPath)) return null;\n    try {\n      const parsed = JSON.parse(readFileSync(this.configPath, \"utf-8\"));\n      if (\n        !parsed ||\n        typeof parsed !== \"object\" ||\n        !parsed.vaults ||\n        typeof parsed.vaults !== \"object\"\n      ) {\n        return null;\n      }\n      return parsed as VaultConfig;\n    } catch {\n      return null;\n    }\n  }\n\n  private ensureMountEntry(key: string, relativePath: string, targetPath?: string): void {\n    if (!this.config?.vaults[key]) {\n      throw new Error(`vault: cannot add mount \"${relativePath}\" for missing entry \"${key}\"`);\n    }\n\n    const existing = this.config.vaults[key];\n    const mounts = existing.mounts ?? [];\n    if (\n      mounts.some((mount) =>\n        typeof mount === \"string\"\n          ? mount === relativePath && !targetPath\n          : mount.source === relativePath && mount.target === targetPath,\n      )\n    ) {\n      return;\n    }\n\n    this.config.vaults[key] = {\n      ...existing,\n      mounts: [...mounts, targetPath ? { source: relativePath, target: targetPath } : relativePath],\n    };\n    this.persistConfig();\n  }\n\n  private buildResolved(key: string, entry: VaultEntry): ResolvedVault {\n    const dir = join(this.vaultsDir, key);\n\n    const mounts = (entry.mounts ?? [])\n      .map((mount) => this.resolveMountEntry(dir, mount))\n      .filter((mount): mount is ResolvedVaultMount => mount !== undefined);\n\n    let env: Record<string, string> = {};\n    const envPath = join(dir, \"env\");\n    if (entry.envFile !== false && existsSync(envPath)) {\n      try {\n        env = parseEnvFile(readFileSync(envPath, \"utf-8\"));\n      } catch (err) {\n        console.error(`vault: failed to parse env file for \"${key}\":`, err);\n      }\n    }\n\n    return {\n      userId: key,\n      displayName: entry.displayName,\n      dir,\n      mounts,\n      env,\n      sandboxOverride: entry.sandbox,\n    };\n  }\n\n  private resolveMountEntry(\n    dir: string,\n    mount: string | VaultMountEntry,\n  ): ResolvedVaultMount | undefined {\n    if (typeof mount === \"string\") {\n      const normalizedSource = normalizeVaultRelativePath(mount);\n      if (!normalizedSource) return undefined;\n      return {\n        source: join(dir, normalizedSource),\n        target: defaultVaultTargetPath(normalizedSource),\n      };\n    }\n\n    if (!mount || typeof mount !== \"object\") return undefined;\n    const normalizedSource = normalizeVaultRelativePath(mount.source);\n    if (!normalizedSource) return undefined;\n    const normalizedTarget = normalizeVaultTargetPath(mount.target);\n    return {\n      source: join(dir, normalizedSource),\n      target: normalizedTarget ?? defaultVaultTargetPath(normalizedSource),\n    };\n  }\n}\n\nfunction ensurePrivateDir(path: string): void {\n  mkdirSync(path, { recursive: true, mode: PRIVATE_DIR_MODE });\n  chmodSync(path, PRIVATE_DIR_MODE);\n}\n\n/**\n * Write `content` to `targetPath` with mode 0600, even when `targetPath`\n * already exists. Uses O_CREAT|O_EXCL on a temp sibling (so the kernel\n * guarantees permissions at creation, not after a racy chmod) and then\n * rename(2) into place for atomicity. Readers never see a torn write.\n */\nfunction atomicWritePrivateFile(targetPath: string, content: string): void {\n  const dir = dirname(targetPath);\n  const tmpPath = join(\n    dir,\n    `.${basename(targetPath)}.${process.pid}.${randomBytes(8).toString(\"hex\")}.tmp`,\n  );\n  const fd = openSync(\n    tmpPath,\n    fsConstants.O_WRONLY | fsConstants.O_CREAT | fsConstants.O_EXCL,\n    PRIVATE_FILE_MODE,\n  );\n  try {\n    writeSync(fd, content);\n  } catch (err) {\n    try {\n      unlinkSync(tmpPath);\n    } catch {\n      // ignore — original error is more informative\n    }\n    throw err;\n  } finally {\n    closeSync(fd);\n  }\n  try {\n    renameSync(tmpPath, targetPath);\n  } catch (err) {\n    try {\n      unlinkSync(tmpPath);\n    } catch {\n      // ignore\n    }\n    throw err;\n  }\n}\n\nfunction normalizeVaultRelativePath(relativePath: string): string | undefined {\n  const trimmed = relativePath.trim();\n  if (!trimmed || isAbsolute(trimmed)) return undefined;\n\n  const normalized = normalize(trimmed).split(sep).join(\"/\");\n  if (!normalized || normalized === \".\" || normalized === \"..\" || normalized.startsWith(\"../\")) {\n    return undefined;\n  }\n  return normalized;\n}\n\nfunction normalizeVaultTargetPath(targetPath?: string): string | undefined {\n  if (targetPath === undefined) {\n    return undefined;\n  }\n\n  const trimmed = targetPath.trim();\n  if (!trimmed || !trimmed.startsWith(\"/\")) {\n    return undefined;\n  }\n\n  const normalized = normalize(trimmed).split(sep).join(\"/\");\n  return normalized.startsWith(\"/\") ? normalized : undefined;\n}\n\nexport function defaultVaultTargetPath(relativePath: string): string {\n  const normalized = normalizeVaultRelativePath(relativePath) ?? relativePath.replace(/^\\/+/, \"\");\n  return `/root/${normalized}`;\n}\n"]}
+{"version":3,"file":"vault.d.ts","sourceRoot":"","sources":["../src/vault.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAMlD,wBAAgB,wBAAwB,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAIzE;AAED,wBAAgB,cAAc,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAG/D;AAaD,MAAM,WAAW,kBAAkB;IACjC,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,8CAA8C;AAC9C,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,MAAM,CAAC;IACpB,uCAAuC;IACvC,GAAG,EAAE,MAAM,CAAC;IACZ,2BAA2B;IAC3B,MAAM,EAAE,kBAAkB,EAAE,CAAC;IAC7B,2BAA2B;IAC3B,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAC7B;AAED,MAAM,WAAW,YAAY;IAC3B,oEAAoE;IACpE,QAAQ,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;IAC/B,4EAA4E;IAC5E,OAAO,CAAC,MAAM,EAAE,MAAM,GAAG,aAAa,GAAG,SAAS,CAAC;IACnD,8DAA8D;IAC9D,gBAAgB,CAAC,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,aAAa,GAAG,aAAa,CAAC;IAC3E,gDAAgD;IAChD,IAAI,IAAI,aAAa,EAAE,CAAC;IACxB,4CAA4C;IAC5C,SAAS,IAAI,OAAO,CAAC;IACrB,kFAAkF;IAClF,SAAS,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,IAAI,CAAC;IAC1D,yFAAyF;IACzF,UAAU,CAAC,GAAG,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1F,6DAA6D;IAC7D,gBAAgB,IAAI,MAAM,EAAE,CAAC;IAC7B,+EAA+E;IAC/E,iBAAiB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC;IACzC,wEAAwE;IACxE,iBAAiB,CACf,IAAI,EAAE,MAAM,EACZ,SAAS,EAAE,MAAM,GAChB;QAAE,WAAW,EAAE,MAAM,CAAC;QAAC,aAAa,EAAE,MAAM,CAAA;KAAE,CAAC;CACnD;AAID;;;;;;;GAOG;AACH,wBAAgB,YAAY,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CA2BpE;AAID,qBAAa,gBAAiB,YAAW,YAAY;IACnD,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAS;IAEnC,YAAY,QAAQ,EAAE,MAAM,EAE3B;IAED,SAAS,IAAI,OAAO,CAEnB;IAED,QAAQ,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAE7B;IAED,gBAAgB,IAAI,MAAM,EAAE,CAO3B;IAED,iBAAiB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAOvC;IAED,iBAAiB,CACf,IAAI,EAAE,MAAM,EACZ,SAAS,EAAE,MAAM,GAChB;QAAE,WAAW,EAAE,MAAM,CAAC;QAAC,aAAa,EAAE,MAAM,CAAA;KAAE,CAUhD;IAED,OAAO,CAAC,MAAM,EAAE,MAAM,GAAG,aAAa,GAAG,SAAS,CAIjD;IAED,gBAAgB,CAAC,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,aAAa,GAAG,aAAa,CAQzE;IAED,IAAI,IAAI,aAAa,EAAE,CAOtB;IAED,SAAS,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,IAAI,CAcxD;IAED,UAAU,CAAC,GAAG,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAcxF;IAID,OAAO,CAAC,aAAa;CAsBtB;AAuFD,wBAAgB,sBAAsB,CAAC,YAAY,EAAE,MAAM,GAAG,MAAM,CAGnE","sourcesContent":["import { chmodSync, copyFileSync, existsSync, mkdirSync, readdirSync, rmSync } from \"fs\";\nimport { dirname, isAbsolute, join, normalize, sep } from \"path\";\nimport { readTextFileIfExists } from \"./file-guards.js\";\nimport type { SandboxConfig } from \"./sandbox.js\";\nimport { atomicWritePrivateFile } from \"./fs-atomic.js\";\n\nconst PRIVATE_DIR_MODE = 0o700;\nconst SHARED_VAULT_DIR = \"shared\";\n\nexport function normalizeSharedVaultName(name: string): string | undefined {\n  const trimmed = name.trim();\n  if (!/^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$/.test(trimmed)) return undefined;\n  return trimmed;\n}\n\nexport function sharedVaultKey(name: string): string | undefined {\n  const normalized = normalizeSharedVaultName(name);\n  return normalized ? `${SHARED_VAULT_DIR}/${normalized}` : undefined;\n}\n\nfunction sanitizeCloudflareSandboxId(value: string): string {\n  return (\n    value\n      .toLowerCase()\n      .replace(/[^a-z0-9-]+/g, \"-\")\n      .replace(/^-+|-+$/g, \"\") || \"unknown\"\n  );\n}\n\n// ── Types ──────────────────────────────────────────────────────────────────────\n\nexport interface ResolvedVaultMount {\n  source: string;\n  target: string;\n}\n\n/** Resolved vault ready for use at runtime */\nexport interface ResolvedVault {\n  userId: string;\n  displayName: string;\n  /** Absolute path to vault directory */\n  dir: string;\n  /** Absolute mount specs */\n  mounts: ResolvedVaultMount[];\n  /** Parsed from env file */\n  env: Record<string, string>;\n}\n\nexport interface VaultManager {\n  /** Return true when a vault directory exists for this exact key. */\n  hasEntry(key: string): boolean;\n  /** Resolve vault for a user; returns undefined when no directory exists. */\n  resolve(userId: string): ResolvedVault | undefined;\n  /** Get sandbox config with credential injection for a user */\n  getSandboxConfig(userId: string, baseConfig: SandboxConfig): SandboxConfig;\n  /** List all vaults discovered under vaults/. */\n  list(): ResolvedVault[];\n  /** Check if the vaults directory exists. */\n  isEnabled(): boolean;\n  /** Merge environment variables into vaults/<key>/env and persist them to disk. */\n  upsertEnv(key: string, env: Record<string, string>): void;\n  /** Write a private file into vaults/<key>/ and ensure it is mounted into the sandbox. */\n  upsertFile(key: string, relativePath: string, content: string, targetPath?: string): void;\n  /** List named shared login profiles under vaults/shared/. */\n  listSharedVaults(): string[];\n  /** Delete a shared login profile's directory. Returns true when it existed. */\n  deleteSharedVault(name: string): boolean;\n  /** Copy a shared login profile's files into another vault directory. */\n  copySharedVaultTo(\n    name: string,\n    targetKey: string,\n  ): { filesCopied: number; envKeysCopied: number };\n}\n\n// ── parseEnvFile ───────────────────────────────────────────────────────────────\n\n/**\n * Parse a KEY=VALUE env file. Supports:\n * - Lines starting with # are comments\n * - Empty lines are skipped\n * - Values can be quoted with single or double quotes (quotes are stripped)\n * - No variable expansion\n * - The value is everything after the first `=` to end of line (no inline comments)\n */\nexport function parseEnvFile(content: string): Record<string, string> {\n  const env: Record<string, string> = {};\n  const lines = content.replace(/\\r\\n/g, \"\\n\").replace(/\\r/g, \"\\n\").split(\"\\n\");\n\n  for (const line of lines) {\n    const trimmed = line.trim();\n    if (!trimmed || trimmed.startsWith(\"#\")) continue;\n\n    const eqIndex = trimmed.indexOf(\"=\");\n    if (eqIndex === -1) continue;\n\n    const key = trimmed.slice(0, eqIndex).trim();\n    if (!key) continue;\n\n    let value = trimmed.slice(eqIndex + 1);\n\n    if (\n      (value.startsWith('\"') && value.endsWith('\"')) ||\n      (value.startsWith(\"'\") && value.endsWith(\"'\"))\n    ) {\n      value = value.slice(1, -1);\n    }\n\n    env[key] = value;\n  }\n\n  return env;\n}\n\n// ── FileVaultManager ───────────────────────────────────────────────────────────\n\nexport class FileVaultManager implements VaultManager {\n  private readonly vaultsDir: string;\n\n  constructor(stateDir: string) {\n    this.vaultsDir = join(stateDir, \"vaults\");\n  }\n\n  isEnabled(): boolean {\n    return existsSync(this.vaultsDir);\n  }\n\n  hasEntry(key: string): boolean {\n    return existsSync(join(this.vaultsDir, key));\n  }\n\n  listSharedVaults(): string[] {\n    const sharedDir = join(this.vaultsDir, SHARED_VAULT_DIR);\n    if (!existsSync(sharedDir)) return [];\n    return readdirSync(sharedDir, { withFileTypes: true })\n      .filter((entry) => entry.isDirectory() && normalizeSharedVaultName(entry.name) === entry.name)\n      .map((entry) => entry.name)\n      .toSorted((left, right) => left.localeCompare(right));\n  }\n\n  deleteSharedVault(name: string): boolean {\n    const key = sharedVaultKey(name);\n    if (!key) throw new Error(`vault: invalid shared login name: ${name}`);\n    const dir = join(this.vaultsDir, key);\n    const existed = existsSync(dir);\n    rmSync(dir, { recursive: true, force: true });\n    return existed;\n  }\n\n  copySharedVaultTo(\n    name: string,\n    targetKey: string,\n  ): { filesCopied: number; envKeysCopied: number } {\n    const sourceKey = sharedVaultKey(name);\n    if (!sourceKey) throw new Error(`vault: invalid shared login name: ${name}`);\n    const sourceDir = join(this.vaultsDir, sourceKey);\n    if (!existsSync(sourceDir)) throw new Error(`vault: shared login \"${name}\" does not exist`);\n\n    const targetDir = join(this.vaultsDir, targetKey);\n    ensurePrivateDir(this.vaultsDir);\n    ensurePrivateDir(targetDir);\n    return copyVaultDir(sourceDir, targetDir);\n  }\n\n  resolve(userId: string): ResolvedVault | undefined {\n    const dir = join(this.vaultsDir, userId);\n    if (!existsSync(dir)) return undefined;\n    return this.buildResolved(userId);\n  }\n\n  getSandboxConfig(userId: string, baseConfig: SandboxConfig): SandboxConfig {\n    if (baseConfig.type === \"cloudflare\") {\n      return {\n        type: \"cloudflare\",\n        sandboxId: `${baseConfig.sandboxId}-${sanitizeCloudflareSandboxId(userId)}`,\n      };\n    }\n    return baseConfig;\n  }\n\n  list(): ResolvedVault[] {\n    if (!existsSync(this.vaultsDir)) return [];\n    const keys = new Set<string>();\n    for (const entry of readdirSync(this.vaultsDir, { withFileTypes: true })) {\n      if (entry.isDirectory()) keys.add(entry.name);\n    }\n    return Array.from(keys, (key) => this.buildResolved(key));\n  }\n\n  upsertEnv(key: string, env: Record<string, string>): void {\n    const dir = join(this.vaultsDir, key);\n    const envPath = join(dir, \"env\");\n    ensurePrivateDir(this.vaultsDir);\n    ensurePrivateDir(dir);\n    const existingContent = readTextFileIfExists(envPath);\n    const existing = existingContent ? parseEnvFile(existingContent) : {};\n    const merged = { ...existing, ...env };\n    const content =\n      Object.entries(merged)\n        .toSorted(([left], [right]) => left.localeCompare(right))\n        .map(([envKey, value]) => `${envKey}=${value}`)\n        .join(\"\\n\") + \"\\n\";\n    atomicWritePrivateFile(envPath, content);\n  }\n\n  upsertFile(key: string, relativePath: string, content: string, targetPath?: string): void {\n    const normalizedPath = normalizeVaultRelativePath(relativePath);\n    if (!normalizedPath || (targetPath !== undefined && !normalizeVaultTargetPath(targetPath))) {\n      throw new Error(`vault: invalid relative secret file path for \"${key}\": ${relativePath}`);\n    }\n\n    const dir = join(this.vaultsDir, key);\n    const filePath = join(dir, normalizedPath);\n\n    ensurePrivateDir(this.vaultsDir);\n    ensurePrivateDir(dir);\n    const parentDir = dirname(filePath);\n    if (parentDir !== dir) ensurePrivateDir(parentDir);\n    atomicWritePrivateFile(filePath, content);\n  }\n\n  // ── private ────────────────────────────────────────────────────────────────\n\n  private buildResolved(key: string): ResolvedVault {\n    const dir = join(this.vaultsDir, key);\n    const mounts = inferMountsFromDir(dir);\n\n    let env: Record<string, string> = {};\n    const envContent = readTextFileIfExists(join(dir, \"env\"));\n    if (envContent !== undefined) {\n      try {\n        env = parseEnvFile(envContent);\n      } catch (err) {\n        console.error(`vault: failed to parse env file for \"${key}\":`, err);\n      }\n    }\n\n    return {\n      userId: key,\n      displayName: key,\n      dir,\n      mounts,\n      env,\n    };\n  }\n}\n\nfunction inferMountsFromDir(dir: string): ResolvedVaultMount[] {\n  if (!existsSync(dir)) return [];\n\n  const mounts: ResolvedVaultMount[] = [];\n  for (const entry of readdirSync(dir, { withFileTypes: true })) {\n    if (entry.name === \"env\") continue;\n    const source = join(dir, entry.name);\n    const target = inferredVaultTargetPath(entry.name);\n    if (!target) continue;\n    mounts.push({ source, target });\n  }\n  return mounts;\n}\n\nfunction ensurePrivateDir(path: string): void {\n  mkdirSync(path, { recursive: true, mode: PRIVATE_DIR_MODE });\n  chmodSync(path, PRIVATE_DIR_MODE);\n}\n\nfunction copyVaultDir(\n  sourceDir: string,\n  targetDir: string,\n): {\n  filesCopied: number;\n  envKeysCopied: number;\n} {\n  let filesCopied = 0;\n  let envKeysCopied = 0;\n\n  for (const entry of readdirSync(sourceDir, { withFileTypes: true })) {\n    const sourcePath = join(sourceDir, entry.name);\n    const targetPath = join(targetDir, entry.name);\n\n    if (entry.name === \"env\" && entry.isFile()) {\n      const sourceEnv = parseEnvFile(readTextFileIfExists(sourcePath) ?? \"\");\n      const targetEnv = parseEnvFile(readTextFileIfExists(targetPath) ?? \"\");\n      const merged = { ...targetEnv, ...sourceEnv };\n      const content =\n        Object.entries(merged)\n          .toSorted(([left], [right]) => left.localeCompare(right))\n          .map(([envKey, value]) => `${envKey}=${value}`)\n          .join(\"\\n\") + \"\\n\";\n      atomicWritePrivateFile(targetPath, content);\n      envKeysCopied += Object.keys(sourceEnv).length;\n      continue;\n    }\n\n    if (entry.isDirectory()) {\n      ensurePrivateDir(targetPath);\n      const nested = copyVaultDir(sourcePath, targetPath);\n      filesCopied += nested.filesCopied;\n      envKeysCopied += nested.envKeysCopied;\n      continue;\n    }\n\n    if (!entry.isFile()) continue;\n    copyFileSync(sourcePath, targetPath);\n    chmodSync(targetPath, 0o600);\n    filesCopied++;\n  }\n\n  return { filesCopied, envKeysCopied };\n}\n\nfunction normalizeVaultRelativePath(relativePath: string): string | undefined {\n  const trimmed = relativePath.trim();\n  if (!trimmed || isAbsolute(trimmed)) return undefined;\n\n  const normalized = normalize(trimmed).split(sep).join(\"/\");\n  if (!normalized || normalized === \".\" || normalized === \"..\" || normalized.startsWith(\"../\")) {\n    return undefined;\n  }\n  return normalized;\n}\n\nfunction normalizeVaultTargetPath(targetPath?: string): string | undefined {\n  if (targetPath === undefined) return undefined;\n\n  const trimmed = targetPath.trim();\n  if (!trimmed || !trimmed.startsWith(\"/\")) return undefined;\n\n  const normalized = normalize(trimmed).split(sep).join(\"/\");\n  return normalized.startsWith(\"/\") ? normalized : undefined;\n}\n\nexport function defaultVaultTargetPath(relativePath: string): string {\n  const normalized = normalizeVaultRelativePath(relativePath) ?? relativePath.replace(/^\\/+/, \"\");\n  return `/root/${normalized}`;\n}\n\nfunction inferredVaultTargetPath(relativePath: string): string | undefined {\n  const normalized = normalizeVaultRelativePath(relativePath);\n  if (!normalized) return undefined;\n\n  if (normalized === \"gws.json\") {\n    return \"/root/.config/gws/credentials.json\";\n  }\n  if (normalized === \".ssh\" || normalized.startsWith(\".ssh/\")) {\n    return \"/root/.ssh\";\n  }\n  if (normalized === \".kube\" || normalized.startsWith(\".kube/\")) {\n    return \"/root/.kube\";\n  }\n  if (normalized === \".config/gh\" || normalized.startsWith(\".config/gh/\")) {\n    return \"/root/.config/gh\";\n  }\n\n  return defaultVaultTargetPath(normalized);\n}\n"]}