@geminixiang/mikan 0.3.2 → 0.4.0

package/dist/utils/date.js

@@ -0,0 +1,23 @@
+/**
+ * Format a Date as a local-timezone timestamp string: YYYY-MM-DD HH:MM:SS±HH:MM
+ * Returns null when the date is invalid (non-finite time value).
+ *
+ * This format is used both when writing user messages (agent.ts) and when
+ * reading history back into sessions (chat-session-manager.ts). Keeping it
+ * in one place ensures normalizeComparableText's regex stays valid.
+ */
+export function formatLocalTimestamp(date) {
+    const time = date.getTime();
+    if (!Number.isFinite(time))
+        return null;
+    const offset = -date.getTimezoneOffset();
+    const sign = offset >= 0 ? "+" : "-";
+    const abs = Math.abs(offset);
+    return (`${date.getFullYear()}-${pad(date.getMonth() + 1)}-${pad(date.getDate())} ` +
+        `${pad(date.getHours())}:${pad(date.getMinutes())}:${pad(date.getSeconds())}` +
+        `${sign}${pad(Math.floor(abs / 60))}:${pad(abs % 60)}`);
+}
+function pad(n) {
+    return n.toString().padStart(2, "0");
+}
+//# sourceMappingURL=date.js.map

package/dist/utils/date.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"date.js","sourceRoot":"","sources":["../../src/utils/date.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AACH,MAAM,UAAU,oBAAoB,CAAC,IAAU;IAC7C,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,EAAE,CAAC;IAC5B,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IAExC,MAAM,MAAM,GAAG,CAAC,IAAI,CAAC,iBAAiB,EAAE,CAAC;IACzC,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;IACrC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IAC7B,OAAO,CACL,GAAG,IAAI,CAAC,WAAW,EAAE,IAAI,GAAG,CAAC,IAAI,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC,IAAI,GAAG,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC,GAAG;QAC3E,GAAG,GAAG,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC,IAAI,GAAG,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC,IAAI,GAAG,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC,EAAE;QAC7E,GAAG,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,GAAG,EAAE,CAAC,CAAC,IAAI,GAAG,CAAC,GAAG,GAAG,EAAE,CAAC,EAAE,CACvD,CAAC;AACJ,CAAC;AAED,SAAS,GAAG,CAAC,CAAS;IACpB,OAAO,CAAC,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;AACvC,CAAC","sourcesContent":["/**\n * Format a Date as a local-timezone timestamp string: YYYY-MM-DD HH:MM:SS±HH:MM\n * Returns null when the date is invalid (non-finite time value).\n *\n * This format is used both when writing user messages (agent.ts) and when\n * reading history back into sessions (chat-session-manager.ts). Keeping it\n * in one place ensures normalizeComparableText's regex stays valid.\n */\nexport function formatLocalTimestamp(date: Date): string | null {\n  const time = date.getTime();\n  if (!Number.isFinite(time)) return null;\n\n  const offset = -date.getTimezoneOffset();\n  const sign = offset >= 0 ? \"+\" : \"-\";\n  const abs = Math.abs(offset);\n  return (\n    `${date.getFullYear()}-${pad(date.getMonth() + 1)}-${pad(date.getDate())} ` +\n    `${pad(date.getHours())}:${pad(date.getMinutes())}:${pad(date.getSeconds())}` +\n    `${sign}${pad(Math.floor(abs / 60))}:${pad(abs % 60)}`\n  );\n}\n\nfunction pad(n: number): string {\n  return n.toString().padStart(2, \"0\");\n}\n"]}

package/dist/utils/env.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"env.d.ts","sourceRoot":"","sources":["../../src/utils/env.ts"],"names":[],"mappings":"AAAA,wBAAgB,OAAO,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAMxD;AAED,wBAAgB,aAAa,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI,CAG/D","sourcesContent":["export function readEnv(name: string): string | undefined {\n  const raw = process.env[name]?.trim();\n  if (raw) return raw;\n\n  const prefixed = process.env[`MIKAN_${name}`]?.trim();\n  return prefixed || undefined;\n}\n\nexport function setEnvAliases(name: string, value: string): void {\n  process.env[name] = value;\n  process.env[`MIKAN_${name}`] = value;\n}\n"]}

package/dist/utils/env.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"env.js","sourceRoot":"","sources":["../../src/utils/env.ts"],"names":[],"mappings":"AAAA,MAAM,UAAU,OAAO,CAAC,IAAY;IAClC,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,CAAC;IACtC,IAAI,GAAG;QAAE,OAAO,GAAG,CAAC;IAEpB,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,SAAS,IAAI,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC;IACtD,OAAO,QAAQ,IAAI,SAAS,CAAC;AAC/B,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,IAAY,EAAE,KAAa;IACvD,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,KAAK,CAAC;IAC1B,OAAO,CAAC,GAAG,CAAC,SAAS,IAAI,EAAE,CAAC,GAAG,KAAK,CAAC;AACvC,CAAC","sourcesContent":["export function readEnv(name: string): string | undefined {\n  const raw = process.env[name]?.trim();\n  if (raw) return raw;\n\n  const prefixed = process.env[`MIKAN_${name}`]?.trim();\n  return prefixed || undefined;\n}\n\nexport function setEnvAliases(name: string, value: string): void {\n  process.env[name] = value;\n  process.env[`MIKAN_${name}`] = value;\n}\n"]}

package/dist/utils/file-guards.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"file-guards.d.ts","sourceRoot":"","sources":["../../src/utils/file-guards.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,mBAAmB,CAAC;AAIzD,wBAAgB,eAAe,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,CAEjD;AAED,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CASrE;AAED,wBAAgB,oBAAoB,CAAC,CAAC,EACpC,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,CAAC,KAAK,EAAE,OAAO,KAAK,KAAK,IAAI,CAAC,EACxC,gBAAgB,EAAE,CAAC,MAAM,EAAE,MAAM,KAAK,MAAM,GAC3C,CAAC,GAAG,SAAS,CAGf;AAED,wBAAgB,0BAA0B,CAAC,CAAC,SAAS,OAAO,EAC1D,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,CAAC,EACT,gBAAgB,EAAE,CAAC,MAAM,EAAE,MAAM,KAAK,MAAM,GAC3C,MAAM,CAAC,CAAC,CAAC,GAAG,SAAS,CAGvB;AAWD,wBAAgB,cAAc,CAAC,CAAC,EAC9B,GAAG,EAAE,MAAM,EACX,QAAQ,EAAE,CAAC,KAAK,EAAE,OAAO,KAAK,KAAK,IAAI,CAAC,EACxC,gBAAgB,EAAE,CAAC,MAAM,EAAE,MAAM,KAAK,MAAM,GAC3C,CAAC,CAMH;AAED,wBAAgB,oBAAoB,CAAC,CAAC,SAAS,OAAO,EACpD,GAAG,EAAE,MAAM,EACX,MAAM,EAAE,CAAC,EACT,gBAAgB,EAAE,CAAC,MAAM,EAAE,MAAM,KAAK,MAAM,GAC3C,MAAM,CAAC,CAAC,CAAC,CAeX;AAED,wBAAgB,QAAQ,CAAC,KAAK,EAAE,OAAO,GAAG,KAAK,IAAI,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAEzE","sourcesContent":["import type { Static, TSchema } from \"@sinclair/typebox\";\nimport { Value } from \"@sinclair/typebox/value\";\nimport { mkdirSync, readFileSync } from \"fs\";\n\nexport function ensureDirExists(dir: string): void {\n  mkdirSync(dir, { recursive: true });\n}\n\nexport function readTextFileIfExists(path: string): string | undefined {\n  try {\n    return readFileSync(path, \"utf-8\");\n  } catch (err) {\n    if (err instanceof Error && \"code\" in err && err.code === \"ENOENT\") {\n      return undefined;\n    }\n    throw err;\n  }\n}\n\nexport function readJsonFileIfExists<T>(\n  path: string,\n  validate: (value: unknown) => value is T,\n  malformedMessage: (detail: string) => string,\n): T | undefined {\n  const raw = readTextFileIfExists(path);\n  return raw === undefined ? undefined : parseJsonValue(raw, validate, malformedMessage);\n}\n\nexport function readJsonSchemaFileIfExists<T extends TSchema>(\n  path: string,\n  schema: T,\n  malformedMessage: (detail: string) => string,\n): Static<T> | undefined {\n  const raw = readTextFileIfExists(path);\n  return raw === undefined ? undefined : parseJsonSchemaValue(raw, schema, malformedMessage);\n}\n\nfunction parseJson(raw: string, malformedMessage: (detail: string) => string): unknown {\n  try {\n    return JSON.parse(raw);\n  } catch (err) {\n    const detail = err instanceof Error ? err.message : String(err);\n    throw new Error(malformedMessage(detail), { cause: err });\n  }\n}\n\nexport function parseJsonValue<T>(\n  raw: string,\n  validate: (value: unknown) => value is T,\n  malformedMessage: (detail: string) => string,\n): T {\n  const parsed = parseJson(raw, malformedMessage);\n  if (!validate(parsed)) {\n    throw new Error(malformedMessage(\"unexpected JSON shape\"));\n  }\n  return parsed;\n}\n\nexport function parseJsonSchemaValue<T extends TSchema>(\n  raw: string,\n  schema: T,\n  malformedMessage: (detail: string) => string,\n): Static<T> {\n  const parsed = parseJson(raw, malformedMessage);\n  if (!Value.Check(schema, parsed)) {\n    let firstError: { path: string; message: string } | undefined;\n    for (const err of Value.Errors(schema, parsed)) {\n      firstError = err;\n      break;\n    }\n    const detail =\n      !firstError || firstError.path === \"\" || firstError.path === \"/\"\n        ? \"unexpected JSON shape\"\n        : `${firstError.path}: ${firstError.message}`;\n    throw new Error(malformedMessage(detail));\n  }\n  return parsed;\n}\n\nexport function isRecord(value: unknown): value is Record<string, unknown> {\n  return typeof value === \"object\" && value !== null && !Array.isArray(value);\n}\n"]}

package/dist/utils/file-guards.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"file-guards.js","sourceRoot":"","sources":["../../src/utils/file-guards.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,KAAK,EAAE,MAAM,yBAAyB,CAAC;AAChD,OAAO,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,IAAI,CAAC;AAE7C,MAAM,UAAU,eAAe,CAAC,GAAW;IACzC,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;AACtC,CAAC;AAED,MAAM,UAAU,oBAAoB,CAAC,IAAY;IAC/C,IAAI,CAAC;QACH,OAAO,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IACrC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,GAAG,YAAY,KAAK,IAAI,MAAM,IAAI,GAAG,IAAI,GAAG,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YACnE,OAAO,SAAS,CAAC;QACnB,CAAC;QACD,MAAM,GAAG,CAAC;IACZ,CAAC;AACH,CAAC;AAED,MAAM,UAAU,oBAAoB,CAClC,IAAY,EACZ,QAAwC,EACxC,gBAA4C;IAE5C,MAAM,GAAG,GAAG,oBAAoB,CAAC,IAAI,CAAC,CAAC;IACvC,OAAO,GAAG,KAAK,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,cAAc,CAAC,GAAG,EAAE,QAAQ,EAAE,gBAAgB,CAAC,CAAC;AACzF,CAAC;AAED,MAAM,UAAU,0BAA0B,CACxC,IAAY,EACZ,MAAS,EACT,gBAA4C;IAE5C,MAAM,GAAG,GAAG,oBAAoB,CAAC,IAAI,CAAC,CAAC;IACvC,OAAO,GAAG,KAAK,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,oBAAoB,CAAC,GAAG,EAAE,MAAM,EAAE,gBAAgB,CAAC,CAAC;AAC7F,CAAC;AAED,SAAS,SAAS,CAAC,GAAW,EAAE,gBAA4C;IAC1E,IAAI,CAAC;QACH,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACzB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,MAAM,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAChE,MAAM,IAAI,KAAK,CAAC,gBAAgB,CAAC,MAAM,CAAC,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,CAAC;IAC5D,CAAC;AACH,CAAC;AAED,MAAM,UAAU,cAAc,CAC5B,GAAW,EACX,QAAwC,EACxC,gBAA4C;IAE5C,MAAM,MAAM,GAAG,SAAS,CAAC,GAAG,EAAE,gBAAgB,CAAC,CAAC;IAChD,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CAAC,gBAAgB,CAAC,uBAAuB,CAAC,CAAC,CAAC;IAC7D,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,UAAU,oBAAoB,CAClC,GAAW,EACX,MAAS,EACT,gBAA4C;IAE5C,MAAM,MAAM,GAAG,SAAS,CAAC,GAAG,EAAE,gBAAgB,CAAC,CAAC;IAChD,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,EAAE,MAAM,CAAC,EAAE,CAAC;QACjC,IAAI,UAAyD,CAAC;QAC9D,KAAK,MAAM,GAAG,IAAI,KAAK,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EAAE,CAAC;YAC/C,UAAU,GAAG,GAAG,CAAC;YACjB,MAAM;QACR,CAAC;QACD,MAAM,MAAM,GACV,CAAC,UAAU,IAAI,UAAU,CAAC,IAAI,KAAK,EAAE,IAAI,UAAU,CAAC,IAAI,KAAK,GAAG;YAC9D,CAAC,CAAC,uBAAuB;YACzB,CAAC,CAAC,GAAG,UAAU,CAAC,IAAI,KAAK,UAAU,CAAC,OAAO,EAAE,CAAC;QAClD,MAAM,IAAI,KAAK,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC,CAAC;IAC5C,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,UAAU,QAAQ,CAAC,KAAc;IACrC,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;AAC9E,CAAC","sourcesContent":["import type { Static, TSchema } from \"@sinclair/typebox\";\nimport { Value } from \"@sinclair/typebox/value\";\nimport { mkdirSync, readFileSync } from \"fs\";\n\nexport function ensureDirExists(dir: string): void {\n  mkdirSync(dir, { recursive: true });\n}\n\nexport function readTextFileIfExists(path: string): string | undefined {\n  try {\n    return readFileSync(path, \"utf-8\");\n  } catch (err) {\n    if (err instanceof Error && \"code\" in err && err.code === \"ENOENT\") {\n      return undefined;\n    }\n    throw err;\n  }\n}\n\nexport function readJsonFileIfExists<T>(\n  path: string,\n  validate: (value: unknown) => value is T,\n  malformedMessage: (detail: string) => string,\n): T | undefined {\n  const raw = readTextFileIfExists(path);\n  return raw === undefined ? undefined : parseJsonValue(raw, validate, malformedMessage);\n}\n\nexport function readJsonSchemaFileIfExists<T extends TSchema>(\n  path: string,\n  schema: T,\n  malformedMessage: (detail: string) => string,\n): Static<T> | undefined {\n  const raw = readTextFileIfExists(path);\n  return raw === undefined ? undefined : parseJsonSchemaValue(raw, schema, malformedMessage);\n}\n\nfunction parseJson(raw: string, malformedMessage: (detail: string) => string): unknown {\n  try {\n    return JSON.parse(raw);\n  } catch (err) {\n    const detail = err instanceof Error ? err.message : String(err);\n    throw new Error(malformedMessage(detail), { cause: err });\n  }\n}\n\nexport function parseJsonValue<T>(\n  raw: string,\n  validate: (value: unknown) => value is T,\n  malformedMessage: (detail: string) => string,\n): T {\n  const parsed = parseJson(raw, malformedMessage);\n  if (!validate(parsed)) {\n    throw new Error(malformedMessage(\"unexpected JSON shape\"));\n  }\n  return parsed;\n}\n\nexport function parseJsonSchemaValue<T extends TSchema>(\n  raw: string,\n  schema: T,\n  malformedMessage: (detail: string) => string,\n): Static<T> {\n  const parsed = parseJson(raw, malformedMessage);\n  if (!Value.Check(schema, parsed)) {\n    let firstError: { path: string; message: string } | undefined;\n    for (const err of Value.Errors(schema, parsed)) {\n      firstError = err;\n      break;\n    }\n    const detail =\n      !firstError || firstError.path === \"\" || firstError.path === \"/\"\n        ? \"unexpected JSON shape\"\n        : `${firstError.path}: ${firstError.message}`;\n    throw new Error(malformedMessage(detail));\n  }\n  return parsed;\n}\n\nexport function isRecord(value: unknown): value is Record<string, unknown> {\n  return typeof value === \"object\" && value !== null && !Array.isArray(value);\n}\n"]}

package/dist/utils/fs-atomic.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"fs-atomic.d.ts","sourceRoot":"","sources":["../../src/utils/fs-atomic.ts"],"names":[],"mappings":"AAaA;;;;;;;GAOG;AACH,wBAAgB,sBAAsB,CAAC,UAAU,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,IAAI,CAiChF","sourcesContent":["import {\n  closeSync,\n  constants as fsConstants,\n  openSync,\n  renameSync,\n  unlinkSync,\n  writeSync,\n} from \"fs\";\nimport { randomBytes } from \"crypto\";\nimport { basename, dirname, join } from \"path\";\n\nconst PRIVATE_FILE_MODE = 0o600;\n\n/**\n * Write `content` to `targetPath` with mode 0600, even when `targetPath`\n * already exists. Uses O_CREAT|O_EXCL on a temp sibling (so the kernel\n * guarantees permissions at creation, not after a racy chmod) and then\n * rename(2) into place for atomicity. Readers never see a torn write,\n * and a crash mid-write leaves either the old file or a stray .tmp\n * (cleaned by the next attempt or manually) — never a half-written target.\n */\nexport function atomicWritePrivateFile(targetPath: string, content: string): void {\n  const dir = dirname(targetPath);\n  const tmpPath = join(\n    dir,\n    `.${basename(targetPath)}.${process.pid}.${randomBytes(8).toString(\"hex\")}.tmp`,\n  );\n  const fd = openSync(\n    tmpPath,\n    fsConstants.O_WRONLY | fsConstants.O_CREAT | fsConstants.O_EXCL,\n    PRIVATE_FILE_MODE,\n  );\n  try {\n    writeSync(fd, content);\n  } catch (err) {\n    try {\n      unlinkSync(tmpPath);\n    } catch {\n      // ignore — original error is more informative\n    }\n    throw err;\n  } finally {\n    closeSync(fd);\n  }\n  try {\n    renameSync(tmpPath, targetPath);\n  } catch (err) {\n    try {\n      unlinkSync(tmpPath);\n    } catch {\n      // ignore\n    }\n    throw err;\n  }\n}\n"]}

package/dist/utils/fs-atomic.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"fs-atomic.js","sourceRoot":"","sources":["../../src/utils/fs-atomic.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,SAAS,EACT,SAAS,IAAI,WAAW,EACxB,QAAQ,EACR,UAAU,EACV,UAAU,EACV,SAAS,GACV,MAAM,IAAI,CAAC;AACZ,OAAO,EAAE,WAAW,EAAE,MAAM,QAAQ,CAAC;AACrC,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAE/C,MAAM,iBAAiB,GAAG,KAAK,CAAC;AAEhC;;;;;;;GAOG;AACH,MAAM,UAAU,sBAAsB,CAAC,UAAkB,EAAE,OAAe;IACxE,MAAM,GAAG,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;IAChC,MAAM,OAAO,GAAG,IAAI,CAClB,GAAG,EACH,IAAI,QAAQ,CAAC,UAAU,CAAC,IAAI,OAAO,CAAC,GAAG,IAAI,WAAW,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,MAAM,CAChF,CAAC;IACF,MAAM,EAAE,GAAG,QAAQ,CACjB,OAAO,EACP,WAAW,CAAC,QAAQ,GAAG,WAAW,CAAC,OAAO,GAAG,WAAW,CAAC,MAAM,EAC/D,iBAAiB,CAClB,CAAC;IACF,IAAI,CAAC;QACH,SAAS,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC;IACzB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,CAAC;YACH,UAAU,CAAC,OAAO,CAAC,CAAC;QACtB,CAAC;QAAC,MAAM,CAAC;YACP,8CAA8C;QAChD,CAAC;QACD,MAAM,GAAG,CAAC;IACZ,CAAC;YAAS,CAAC;QACT,SAAS,CAAC,EAAE,CAAC,CAAC;IAChB,CAAC;IACD,IAAI,CAAC;QACH,UAAU,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;IAClC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,CAAC;YACH,UAAU,CAAC,OAAO,CAAC,CAAC;QACtB,CAAC;QAAC,MAAM,CAAC;YACP,SAAS;QACX,CAAC;QACD,MAAM,GAAG,CAAC;IACZ,CAAC;AACH,CAAC","sourcesContent":["import {\n  closeSync,\n  constants as fsConstants,\n  openSync,\n  renameSync,\n  unlinkSync,\n  writeSync,\n} from \"fs\";\nimport { randomBytes } from \"crypto\";\nimport { basename, dirname, join } from \"path\";\n\nconst PRIVATE_FILE_MODE = 0o600;\n\n/**\n * Write `content` to `targetPath` with mode 0600, even when `targetPath`\n * already exists. Uses O_CREAT|O_EXCL on a temp sibling (so the kernel\n * guarantees permissions at creation, not after a racy chmod) and then\n * rename(2) into place for atomicity. Readers never see a torn write,\n * and a crash mid-write leaves either the old file or a stray .tmp\n * (cleaned by the next attempt or manually) — never a half-written target.\n */\nexport function atomicWritePrivateFile(targetPath: string, content: string): void {\n  const dir = dirname(targetPath);\n  const tmpPath = join(\n    dir,\n    `.${basename(targetPath)}.${process.pid}.${randomBytes(8).toString(\"hex\")}.tmp`,\n  );\n  const fd = openSync(\n    tmpPath,\n    fsConstants.O_WRONLY | fsConstants.O_CREAT | fsConstants.O_EXCL,\n    PRIVATE_FILE_MODE,\n  );\n  try {\n    writeSync(fd, content);\n  } catch (err) {\n    try {\n      unlinkSync(tmpPath);\n    } catch {\n      // ignore — original error is more informative\n    }\n    throw err;\n  } finally {\n    closeSync(fd);\n  }\n  try {\n    renameSync(tmpPath, targetPath);\n  } catch (err) {\n    try {\n      unlinkSync(tmpPath);\n    } catch {\n      // ignore\n    }\n    throw err;\n  }\n}\n"]}

package/dist/utils/html.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"html.d.ts","sourceRoot":"","sources":["../../src/utils/html.ts"],"names":[],"mappings":"AAAA,wBAAgB,UAAU,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAKhD","sourcesContent":["export function escapeHtml(value: string): string {\n  return value.replace(\n    /[&<>\"']/g,\n    (c) => ({ \"&\": \"&amp;\", \"<\": \"&lt;\", \">\": \"&gt;\", '\"': \"&quot;\", \"'\": \"&#39;\" })[c]!,\n  );\n}\n"]}

package/dist/utils/html.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"html.js","sourceRoot":"","sources":["../../src/utils/html.ts"],"names":[],"mappings":"AAAA,MAAM,UAAU,UAAU,CAAC,KAAa;IACtC,OAAO,KAAK,CAAC,OAAO,CAClB,UAAU,EACV,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,QAAQ,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC,CAAE,CACrF,CAAC;AACJ,CAAC","sourcesContent":["export function escapeHtml(value: string): string {\n  return value.replace(\n    /[&<>\"']/g,\n    (c) => ({ \"&\": \"&amp;\", \"<\": \"&lt;\", \">\": \"&gt;\", '\"': \"&quot;\", \"'\": \"&#39;\" })[c]!,\n  );\n}\n"]}

package/dist/utils/http-body.d.ts

@@ -0,0 +1,10 @@
+import type { IncomingMessage, ServerResponse } from "http";
+/**
+ * Read and size-limit an HTTP request body.
+ *
+ * Responds with 413 and destroys the request if the body exceeds `maxBytes`.
+ * Resolves with the raw body string on success, or `null` if the size limit
+ * was exceeded (the response has already been sent in that case).
+ */
+export declare function readRawBody(req: IncomingMessage, res: ServerResponse, maxBytes: number): Promise<string | null>;
+//# sourceMappingURL=http-body.d.ts.map

package/dist/utils/http-body.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"http-body.d.ts","sourceRoot":"","sources":["../../src/utils/http-body.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,MAAM,CAAC;AAE5D;;;;;;GAMG;AACH,wBAAgB,WAAW,CACzB,GAAG,EAAE,eAAe,EACpB,GAAG,EAAE,cAAc,EACnB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAuBxB","sourcesContent":["import type { IncomingMessage, ServerResponse } from \"http\";\n\n/**\n * Read and size-limit an HTTP request body.\n *\n * Responds with 413 and destroys the request if the body exceeds `maxBytes`.\n * Resolves with the raw body string on success, or `null` if the size limit\n * was exceeded (the response has already been sent in that case).\n */\nexport function readRawBody(\n  req: IncomingMessage,\n  res: ServerResponse,\n  maxBytes: number,\n): Promise<string | null> {\n  return new Promise<string | null>((resolve) => {\n    let data = \"\";\n    let tooLarge = false;\n\n    req.on(\"data\", (chunk: Buffer) => {\n      if (tooLarge) return;\n      data += chunk.toString();\n      if (data.length > maxBytes) {\n        tooLarge = true;\n        res.writeHead(413);\n        res.end();\n        req.destroy();\n        resolve(null);\n      }\n    });\n    req.on(\"end\", () => {\n      if (!tooLarge) resolve(data);\n    });\n    req.on(\"error\", () => {\n      if (!tooLarge) resolve(data);\n    });\n  });\n}\n"]}

package/dist/utils/http-body.js

@@ -0,0 +1,34 @@
+/**
+ * Read and size-limit an HTTP request body.
+ *
+ * Responds with 413 and destroys the request if the body exceeds `maxBytes`.
+ * Resolves with the raw body string on success, or `null` if the size limit
+ * was exceeded (the response has already been sent in that case).
+ */
+export function readRawBody(req, res, maxBytes) {
+    return new Promise((resolve) => {
+        let data = "";
+        let tooLarge = false;
+        req.on("data", (chunk) => {
+            if (tooLarge)
+                return;
+            data += chunk.toString();
+            if (data.length > maxBytes) {
+                tooLarge = true;
+                res.writeHead(413);
+                res.end();
+                req.destroy();
+                resolve(null);
+            }
+        });
+        req.on("end", () => {
+            if (!tooLarge)
+                resolve(data);
+        });
+        req.on("error", () => {
+            if (!tooLarge)
+                resolve(data);
+        });
+    });
+}
+//# sourceMappingURL=http-body.js.map

package/dist/utils/http-body.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"http-body.js","sourceRoot":"","sources":["../../src/utils/http-body.ts"],"names":[],"mappings":"AAEA;;;;;;GAMG;AACH,MAAM,UAAU,WAAW,CACzB,GAAoB,EACpB,GAAmB,EACnB,QAAgB;IAEhB,OAAO,IAAI,OAAO,CAAgB,CAAC,OAAO,EAAE,EAAE;QAC5C,IAAI,IAAI,GAAG,EAAE,CAAC;QACd,IAAI,QAAQ,GAAG,KAAK,CAAC;QAErB,GAAG,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;YAC/B,IAAI,QAAQ;gBAAE,OAAO;YACrB,IAAI,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC;YACzB,IAAI,IAAI,CAAC,MAAM,GAAG,QAAQ,EAAE,CAAC;gBAC3B,QAAQ,GAAG,IAAI,CAAC;gBAChB,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;gBACnB,GAAG,CAAC,GAAG,EAAE,CAAC;gBACV,GAAG,CAAC,OAAO,EAAE,CAAC;gBACd,OAAO,CAAC,IAAI,CAAC,CAAC;YAChB,CAAC;QACH,CAAC,CAAC,CAAC;QACH,GAAG,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE;YACjB,IAAI,CAAC,QAAQ;gBAAE,OAAO,CAAC,IAAI,CAAC,CAAC;QAC/B,CAAC,CAAC,CAAC;QACH,GAAG,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE;YACnB,IAAI,CAAC,QAAQ;gBAAE,OAAO,CAAC,IAAI,CAAC,CAAC;QAC/B,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC","sourcesContent":["import type { IncomingMessage, ServerResponse } from \"http\";\n\n/**\n * Read and size-limit an HTTP request body.\n *\n * Responds with 413 and destroys the request if the body exceeds `maxBytes`.\n * Resolves with the raw body string on success, or `null` if the size limit\n * was exceeded (the response has already been sent in that case).\n */\nexport function readRawBody(\n  req: IncomingMessage,\n  res: ServerResponse,\n  maxBytes: number,\n): Promise<string | null> {\n  return new Promise<string | null>((resolve) => {\n    let data = \"\";\n    let tooLarge = false;\n\n    req.on(\"data\", (chunk: Buffer) => {\n      if (tooLarge) return;\n      data += chunk.toString();\n      if (data.length > maxBytes) {\n        tooLarge = true;\n        res.writeHead(413);\n        res.end();\n        req.destroy();\n        resolve(null);\n      }\n    });\n    req.on(\"end\", () => {\n      if (!tooLarge) resolve(data);\n    });\n    req.on(\"error\", () => {\n      if (!tooLarge) resolve(data);\n    });\n  });\n}\n"]}

package/dist/vault/index.d.ts

@@ -0,0 +1,34 @@
+import type { SandboxConfig } from "../sandbox/index.js";
+export declare function normalizeSharedVaultName(name: string): string | undefined;
+export declare function sharedVaultKey(name: string): string | undefined;
+export type { ResolvedVault, VaultManager } from "./types.js";
+import type { ResolvedVault, VaultManager } from "./types.js";
+/**
+ * Parse a KEY=VALUE env file. Supports:
+ * - Lines starting with # are comments
+ * - Empty lines are skipped
+ * - Values can be quoted with single or double quotes (quotes are stripped)
+ * - No variable expansion
+ * - The value is everything after the first `=` to end of line (no inline comments)
+ */
+export declare function parseEnvFile(content: string): Record<string, string>;
+export declare class FileVaultManager implements VaultManager {
+    private readonly vaultsDir;
+    constructor(stateDir: string);
+    isEnabled(): boolean;
+    hasEntry(key: string): boolean;
+    listSharedVaults(): string[];
+    deleteSharedVault(name: string): boolean;
+    copySharedVaultTo(name: string, targetKey: string): {
+        filesCopied: number;
+        envKeysCopied: number;
+    };
+    resolve(userId: string): ResolvedVault | undefined;
+    getSandboxConfig(userId: string, baseConfig: SandboxConfig): SandboxConfig;
+    list(): ResolvedVault[];
+    upsertEnv(key: string, env: Record<string, string>): void;
+    upsertFile(key: string, relativePath: string, content: string, targetPath?: string): void;
+    private buildResolved;
+}
+export declare function defaultVaultTargetPath(relativePath: string): string;
+//# sourceMappingURL=index.d.ts.map

package/dist/vault/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/vault/index.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAOzD,wBAAgB,wBAAwB,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAIzE;AAED,wBAAgB,cAAc,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAG/D;AAWD,YAAY,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAC9D,OAAO,KAAK,EAAE,aAAa,EAAsB,YAAY,EAAE,MAAM,YAAY,CAAC;AAIlF;;;;;;;GAOG;AACH,wBAAgB,YAAY,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CA2BpE;AAID,qBAAa,gBAAiB,YAAW,YAAY;IACnD,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAS;IAEnC,YAAY,QAAQ,EAAE,MAAM,EAE3B;IAED,SAAS,IAAI,OAAO,CAEnB;IAED,QAAQ,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAE7B;IAED,gBAAgB,IAAI,MAAM,EAAE,CAO3B;IAED,iBAAiB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAOvC;IAED,iBAAiB,CACf,IAAI,EAAE,MAAM,EACZ,SAAS,EAAE,MAAM,GAChB;QAAE,WAAW,EAAE,MAAM,CAAC;QAAC,aAAa,EAAE,MAAM,CAAA;KAAE,CAUhD;IAED,OAAO,CAAC,MAAM,EAAE,MAAM,GAAG,aAAa,GAAG,SAAS,CAIjD;IAED,gBAAgB,CAAC,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,aAAa,GAAG,aAAa,CAQzE;IAED,IAAI,IAAI,aAAa,EAAE,CAOtB;IAED,SAAS,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,IAAI,CAcxD;IAED,UAAU,CAAC,GAAG,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAcxF;IAID,OAAO,CAAC,aAAa;CA6BtB;AAuFD,wBAAgB,sBAAsB,CAAC,YAAY,EAAE,MAAM,GAAG,MAAM,CAGnE","sourcesContent":["import { chmodSync, copyFileSync, existsSync, mkdirSync, readdirSync, rmSync } from \"fs\";\nimport { dirname, isAbsolute, join, normalize, sep } from \"path\";\nimport { readTextFileIfExists } from \"../utils/file-guards.js\";\nimport type { SandboxConfig } from \"../sandbox/index.js\";\nimport { atomicWritePrivateFile } from \"../utils/fs-atomic.js\";\nimport { reportUserFacingError } from \"../observability/sentry.js\";\n\nconst PRIVATE_DIR_MODE = 0o700;\nconst SHARED_VAULT_DIR = \"shared\";\n\nexport function normalizeSharedVaultName(name: string): string | undefined {\n  const trimmed = name.trim();\n  if (!/^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$/.test(trimmed)) return undefined;\n  return trimmed;\n}\n\nexport function sharedVaultKey(name: string): string | undefined {\n  const normalized = normalizeSharedVaultName(name);\n  return normalized ? `${SHARED_VAULT_DIR}/${normalized}` : undefined;\n}\n\nfunction sanitizeCloudflareSandboxId(value: string): string {\n  return (\n    value\n      .toLowerCase()\n      .replace(/[^a-z0-9-]+/g, \"-\")\n      .replace(/^-+|-+$/g, \"\") || \"unknown\"\n  );\n}\n\nexport type { ResolvedVault, VaultManager } from \"./types.js\";\nimport type { ResolvedVault, ResolvedVaultMount, VaultManager } from \"./types.js\";\n\n// ── parseEnvFile ───────────────────────────────────────────────────────────────\n\n/**\n * Parse a KEY=VALUE env file. Supports:\n * - Lines starting with # are comments\n * - Empty lines are skipped\n * - Values can be quoted with single or double quotes (quotes are stripped)\n * - No variable expansion\n * - The value is everything after the first `=` to end of line (no inline comments)\n */\nexport function parseEnvFile(content: string): Record<string, string> {\n  const env: Record<string, string> = {};\n  const lines = content.replace(/\\r\\n/g, \"\\n\").replace(/\\r/g, \"\\n\").split(\"\\n\");\n\n  for (const line of lines) {\n    const trimmed = line.trim();\n    if (!trimmed || trimmed.startsWith(\"#\")) continue;\n\n    const eqIndex = trimmed.indexOf(\"=\");\n    if (eqIndex === -1) continue;\n\n    const key = trimmed.slice(0, eqIndex).trim();\n    if (!key) continue;\n\n    let value = trimmed.slice(eqIndex + 1);\n\n    if (\n      (value.startsWith('\"') && value.endsWith('\"')) ||\n      (value.startsWith(\"'\") && value.endsWith(\"'\"))\n    ) {\n      value = value.slice(1, -1);\n    }\n\n    env[key] = value;\n  }\n\n  return env;\n}\n\n// ── FileVaultManager ───────────────────────────────────────────────────────────\n\nexport class FileVaultManager implements VaultManager {\n  private readonly vaultsDir: string;\n\n  constructor(stateDir: string) {\n    this.vaultsDir = join(stateDir, \"vaults\");\n  }\n\n  isEnabled(): boolean {\n    return existsSync(this.vaultsDir);\n  }\n\n  hasEntry(key: string): boolean {\n    return existsSync(join(this.vaultsDir, key));\n  }\n\n  listSharedVaults(): string[] {\n    const sharedDir = join(this.vaultsDir, SHARED_VAULT_DIR);\n    if (!existsSync(sharedDir)) return [];\n    return readdirSync(sharedDir, { withFileTypes: true })\n      .filter((entry) => entry.isDirectory() && normalizeSharedVaultName(entry.name) === entry.name)\n      .map((entry) => entry.name)\n      .toSorted((left, right) => left.localeCompare(right));\n  }\n\n  deleteSharedVault(name: string): boolean {\n    const key = sharedVaultKey(name);\n    if (!key) throw new Error(`vault: invalid shared login name: ${name}`);\n    const dir = join(this.vaultsDir, key);\n    const existed = existsSync(dir);\n    rmSync(dir, { recursive: true, force: true });\n    return existed;\n  }\n\n  copySharedVaultTo(\n    name: string,\n    targetKey: string,\n  ): { filesCopied: number; envKeysCopied: number } {\n    const sourceKey = sharedVaultKey(name);\n    if (!sourceKey) throw new Error(`vault: invalid shared login name: ${name}`);\n    const sourceDir = join(this.vaultsDir, sourceKey);\n    if (!existsSync(sourceDir)) throw new Error(`vault: shared login \"${name}\" does not exist`);\n\n    const targetDir = join(this.vaultsDir, targetKey);\n    ensurePrivateDir(this.vaultsDir);\n    ensurePrivateDir(targetDir);\n    return copyVaultDir(sourceDir, targetDir);\n  }\n\n  resolve(userId: string): ResolvedVault | undefined {\n    const dir = join(this.vaultsDir, userId);\n    if (!existsSync(dir)) return undefined;\n    return this.buildResolved(userId);\n  }\n\n  getSandboxConfig(userId: string, baseConfig: SandboxConfig): SandboxConfig {\n    if (baseConfig.type === \"cloudflare\") {\n      return {\n        type: \"cloudflare\",\n        sandboxId: `${baseConfig.sandboxId}-${sanitizeCloudflareSandboxId(userId)}`,\n      };\n    }\n    return baseConfig;\n  }\n\n  list(): ResolvedVault[] {\n    if (!existsSync(this.vaultsDir)) return [];\n    const keys = new Set<string>();\n    for (const entry of readdirSync(this.vaultsDir, { withFileTypes: true })) {\n      if (entry.isDirectory()) keys.add(entry.name);\n    }\n    return Array.from(keys, (key) => this.buildResolved(key));\n  }\n\n  upsertEnv(key: string, env: Record<string, string>): void {\n    const dir = join(this.vaultsDir, key);\n    const envPath = join(dir, \"env\");\n    ensurePrivateDir(this.vaultsDir);\n    ensurePrivateDir(dir);\n    const existingContent = readTextFileIfExists(envPath);\n    const existing = existingContent ? parseEnvFile(existingContent) : {};\n    const merged = { ...existing, ...env };\n    const content =\n      Object.entries(merged)\n        .toSorted(([left], [right]) => left.localeCompare(right))\n        .map(([envKey, value]) => `${envKey}=${value}`)\n        .join(\"\\n\") + \"\\n\";\n    atomicWritePrivateFile(envPath, content);\n  }\n\n  upsertFile(key: string, relativePath: string, content: string, targetPath?: string): void {\n    const normalizedPath = normalizeVaultRelativePath(relativePath);\n    if (!normalizedPath || (targetPath !== undefined && !normalizeVaultTargetPath(targetPath))) {\n      throw new Error(`vault: invalid relative secret file path for \"${key}\": ${relativePath}`);\n    }\n\n    const dir = join(this.vaultsDir, key);\n    const filePath = join(dir, normalizedPath);\n\n    ensurePrivateDir(this.vaultsDir);\n    ensurePrivateDir(dir);\n    const parentDir = dirname(filePath);\n    if (parentDir !== dir) ensurePrivateDir(parentDir);\n    atomicWritePrivateFile(filePath, content);\n  }\n\n  // ── private ────────────────────────────────────────────────────────────────\n\n  private buildResolved(key: string): ResolvedVault {\n    const dir = join(this.vaultsDir, key);\n    const mounts = inferMountsFromDir(dir);\n\n    let env: Record<string, string> = {};\n    const envContent = readTextFileIfExists(join(dir, \"env\"));\n    if (envContent !== undefined) {\n      try {\n        env = parseEnvFile(envContent);\n      } catch (err) {\n        console.error(`vault: failed to parse env file for \"${key}\":`, err);\n        reportUserFacingError(err, {\n          domain: \"sandbox\",\n          surface: \"vault_injection\",\n          operation: \"parse_env\",\n          severity: \"warning\",\n          context: { vaultKey: key, fatal: false },\n        });\n      }\n    }\n\n    return {\n      userId: key,\n      displayName: key,\n      dir,\n      mounts,\n      env,\n    };\n  }\n}\n\nfunction inferMountsFromDir(dir: string): ResolvedVaultMount[] {\n  if (!existsSync(dir)) return [];\n\n  const mounts: ResolvedVaultMount[] = [];\n  for (const entry of readdirSync(dir, { withFileTypes: true })) {\n    if (entry.name === \"env\") continue;\n    const source = join(dir, entry.name);\n    const target = inferredVaultTargetPath(entry.name);\n    if (!target) continue;\n    mounts.push({ source, target });\n  }\n  return mounts;\n}\n\nfunction ensurePrivateDir(path: string): void {\n  mkdirSync(path, { recursive: true, mode: PRIVATE_DIR_MODE });\n  chmodSync(path, PRIVATE_DIR_MODE);\n}\n\nfunction copyVaultDir(\n  sourceDir: string,\n  targetDir: string,\n): {\n  filesCopied: number;\n  envKeysCopied: number;\n} {\n  let filesCopied = 0;\n  let envKeysCopied = 0;\n\n  for (const entry of readdirSync(sourceDir, { withFileTypes: true })) {\n    const sourcePath = join(sourceDir, entry.name);\n    const targetPath = join(targetDir, entry.name);\n\n    if (entry.name === \"env\" && entry.isFile()) {\n      const sourceEnv = parseEnvFile(readTextFileIfExists(sourcePath) ?? \"\");\n      const targetEnv = parseEnvFile(readTextFileIfExists(targetPath) ?? \"\");\n      const merged = { ...targetEnv, ...sourceEnv };\n      const content =\n        Object.entries(merged)\n          .toSorted(([left], [right]) => left.localeCompare(right))\n          .map(([envKey, value]) => `${envKey}=${value}`)\n          .join(\"\\n\") + \"\\n\";\n      atomicWritePrivateFile(targetPath, content);\n      envKeysCopied += Object.keys(sourceEnv).length;\n      continue;\n    }\n\n    if (entry.isDirectory()) {\n      ensurePrivateDir(targetPath);\n      const nested = copyVaultDir(sourcePath, targetPath);\n      filesCopied += nested.filesCopied;\n      envKeysCopied += nested.envKeysCopied;\n      continue;\n    }\n\n    if (!entry.isFile()) continue;\n    copyFileSync(sourcePath, targetPath);\n    chmodSync(targetPath, 0o600);\n    filesCopied++;\n  }\n\n  return { filesCopied, envKeysCopied };\n}\n\nfunction normalizeVaultRelativePath(relativePath: string): string | undefined {\n  const trimmed = relativePath.trim();\n  if (!trimmed || isAbsolute(trimmed)) return undefined;\n\n  const normalized = normalize(trimmed).split(sep).join(\"/\");\n  if (!normalized || normalized === \".\" || normalized === \"..\" || normalized.startsWith(\"../\")) {\n    return undefined;\n  }\n  return normalized;\n}\n\nfunction normalizeVaultTargetPath(targetPath?: string): string | undefined {\n  if (targetPath === undefined) return undefined;\n\n  const trimmed = targetPath.trim();\n  if (!trimmed || !trimmed.startsWith(\"/\")) return undefined;\n\n  const normalized = normalize(trimmed).split(sep).join(\"/\");\n  return normalized.startsWith(\"/\") ? normalized : undefined;\n}\n\nexport function defaultVaultTargetPath(relativePath: string): string {\n  const normalized = normalizeVaultRelativePath(relativePath) ?? relativePath.replace(/^\\/+/, \"\");\n  return `/root/${normalized}`;\n}\n\nfunction inferredVaultTargetPath(relativePath: string): string | undefined {\n  const normalized = normalizeVaultRelativePath(relativePath);\n  if (!normalized) return undefined;\n\n  if (normalized === \"gws.json\") {\n    return \"/root/.config/gws/credentials.json\";\n  }\n  if (normalized === \"gcloud-adc.json\") {\n    return \"/root/.config/gcloud/application_default_credentials.json\";\n  }\n  if (normalized === \".ssh\" || normalized.startsWith(\".ssh/\")) {\n    return \"/root/.ssh\";\n  }\n  if (normalized === \".kube\" || normalized.startsWith(\".kube/\")) {\n    return \"/root/.kube\";\n  }\n  if (normalized === \".config/gh\" || normalized.startsWith(\".config/gh/\")) {\n    return \"/root/.config/gh\";\n  }\n\n  return defaultVaultTargetPath(normalized);\n}\n"]}

package/dist/{vault.js → vault/index.js}

@@ -1,8 +1,8 @@
 import { chmodSync, copyFileSync, existsSync, mkdirSync, readdirSync, rmSync } from "fs";
 import { dirname, isAbsolute, join, normalize, sep } from "path";
-import { readTextFileIfExists } from "./file-guards.js";
-import { atomicWritePrivateFile } from "./fs-atomic.js";
-import { reportUserFacingError } from "./sentry.js";
+import { readTextFileIfExists } from "../utils/file-guards.js";
+import { atomicWritePrivateFile } from "../utils/fs-atomic.js";
+import { reportUserFacingError } from "../observability/sentry.js";
 const PRIVATE_DIR_MODE = 0o700;
 const SHARED_VAULT_DIR = "shared";
 export function normalizeSharedVaultName(name) {
@@ -272,4 +272,4 @@ function inferredVaultTargetPath(relativePath) {
     }
     return defaultVaultTargetPath(normalized);
 }
-//# sourceMappingURL=vault.js.map
+//# sourceMappingURL=index.js.map

package/dist/vault/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/vault/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,YAAY,EAAE,UAAU,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,EAAE,MAAM,IAAI,CAAC;AACzF,OAAO,EAAE,OAAO,EAAE,UAAU,EAAE,IAAI,EAAE,SAAS,EAAE,GAAG,EAAE,MAAM,MAAM,CAAC;AACjE,OAAO,EAAE,oBAAoB,EAAE,MAAM,yBAAyB,CAAC;AAE/D,OAAO,EAAE,sBAAsB,EAAE,MAAM,uBAAuB,CAAC;AAC/D,OAAO,EAAE,qBAAqB,EAAE,MAAM,4BAA4B,CAAC;AAEnE,MAAM,gBAAgB,GAAG,KAAK,CAAC;AAC/B,MAAM,gBAAgB,GAAG,QAAQ,CAAC;AAElC,MAAM,UAAU,wBAAwB,CAAC,IAAY;IACnD,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;IAC5B,IAAI,CAAC,mCAAmC,CAAC,IAAI,CAAC,OAAO,CAAC;QAAE,OAAO,SAAS,CAAC;IACzE,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,IAAY;IACzC,MAAM,UAAU,GAAG,wBAAwB,CAAC,IAAI,CAAC,CAAC;IAClD,OAAO,UAAU,CAAC,CAAC,CAAC,GAAG,gBAAgB,IAAI,UAAU,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;AACtE,CAAC;AAED,SAAS,2BAA2B,CAAC,KAAa;IAChD,OAAO,CACL,KAAK;SACF,WAAW,EAAE;SACb,OAAO,CAAC,cAAc,EAAE,GAAG,CAAC;SAC5B,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,IAAI,SAAS,CACxC,CAAC;AACJ,CAAC;AAKD,kFAAkF;AAElF;;;;;;;GAOG;AACH,MAAM,UAAU,YAAY,CAAC,OAAe;IAC1C,MAAM,GAAG,GAA2B,EAAE,CAAC;IACvC,MAAM,KAAK,GAAG,OAAO,CAAC,OAAO,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAE9E,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAC5B,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,SAAS;QAElD,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACrC,IAAI,OAAO,KAAK,CAAC,CAAC;YAAE,SAAS;QAE7B,MAAM,GAAG,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC;QAC7C,IAAI,CAAC,GAAG;YAAE,SAAS;QAEnB,IAAI,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,OAAO,GAAG,CAAC,CAAC,CAAC;QAEvC,IACE,CAAC,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;YAC9C,CAAC,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,EAC9C,CAAC;YACD,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QAC7B,CAAC;QAED,GAAG,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;IACnB,CAAC;IAED,OAAO,GAAG,CAAC;AACb,CAAC;AAED,kFAAkF;AAElF,MAAM,OAAO,gBAAgB;IAG3B,YAAY,QAAgB;QAC1B,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;IAC5C,CAAC;IAED,SAAS;QACP,OAAO,UAAU,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IACpC,CAAC;IAED,QAAQ,CAAC,GAAW;QAClB,OAAO,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC,CAAC;IAC/C,CAAC;IAED,gBAAgB;QACd,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,gBAAgB,CAAC,CAAC;QACzD,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC;YAAE,OAAO,EAAE,CAAC;QACtC,OAAO,WAAW,CAAC,SAAS,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;aACnD,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,WAAW,EAAE,IAAI,wBAAwB,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,KAAK,CAAC,IAAI,CAAC;aAC7F,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC;aAC1B,QAAQ,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC,CAAC;IAC1D,CAAC;IAED,iBAAiB,CAAC,IAAY;QAC5B,MAAM,GAAG,GAAG,cAAc,CAAC,IAAI,CAAC,CAAC;QACjC,IAAI,CAAC,GAAG;YAAE,MAAM,IAAI,KAAK,CAAC,qCAAqC,IAAI,EAAE,CAAC,CAAC;QACvE,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;QACtC,MAAM,OAAO,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC;QAChC,MAAM,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QAC9C,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,iBAAiB,CACf,IAAY,EACZ,SAAiB;QAEjB,MAAM,SAAS,GAAG,cAAc,CAAC,IAAI,CAAC,CAAC;QACvC,IAAI,CAAC,SAAS;YAAE,MAAM,IAAI,KAAK,CAAC,qCAAqC,IAAI,EAAE,CAAC,CAAC;QAC7E,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC;QAClD,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC;YAAE,MAAM,IAAI,KAAK,CAAC,wBAAwB,IAAI,kBAAkB,CAAC,CAAC;QAE5F,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC;QAClD,gBAAgB,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACjC,gBAAgB,CAAC,SAAS,CAAC,CAAC;QAC5B,OAAO,YAAY,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC;IAC5C,CAAC;IAED,OAAO,CAAC,MAAc;QACpB,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;QACzC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,OAAO,SAAS,CAAC;QACvC,OAAO,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC;IACpC,CAAC;IAED,gBAAgB,CAAC,MAAc,EAAE,UAAyB;QACxD,IAAI,UAAU,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;YACrC,OAAO;gBACL,IAAI,EAAE,YAAY;gBAClB,SAAS,EAAE,GAAG,UAAU,CAAC,SAAS,IAAI,2BAA2B,CAAC,MAAM,CAAC,EAAE;aAC5E,CAAC;QACJ,CAAC;QACD,OAAO,UAAU,CAAC;IACpB,CAAC;IAED,IAAI;QACF,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,SAAS,CAAC;YAAE,OAAO,EAAE,CAAC;QAC3C,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;QAC/B,KAAK,MAAM,KAAK,IAAI,WAAW,CAAC,IAAI,CAAC,SAAS,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;YACzE,IAAI,KAAK,CAAC,WAAW,EAAE;gBAAE,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAChD,CAAC;QACD,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC;IAC5D,CAAC;IAED,SAAS,CAAC,GAAW,EAAE,GAA2B;QAChD,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;QACtC,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QACjC,gBAAgB,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACjC,gBAAgB,CAAC,GAAG,CAAC,CAAC;QACtB,MAAM,eAAe,GAAG,oBAAoB,CAAC,OAAO,CAAC,CAAC;QACtD,MAAM,QAAQ,GAAG,eAAe,CAAC,CAAC,CAAC,YAAY,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QACtE,MAAM,MAAM,GAAG,EAAE,GAAG,QAAQ,EAAE,GAAG,GAAG,EAAE,CAAC;QACvC,MAAM,OAAO,GACX,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC;aACnB,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,KAAK,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC;aACxD,GAAG,CAAC,CAAC,CAAC,MAAM,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC,GAAG,MAAM,IAAI,KAAK,EAAE,CAAC;aAC9C,IAAI,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;QACvB,sBAAsB,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;IAC3C,CAAC;IAED,UAAU,CAAC,GAAW,EAAE,YAAoB,EAAE,OAAe,EAAE,UAAmB;QAChF,MAAM,cAAc,GAAG,0BAA0B,CAAC,YAAY,CAAC,CAAC;QAChE,IAAI,CAAC,cAAc,IAAI,CAAC,UAAU,KAAK,SAAS,IAAI,CAAC,wBAAwB,CAAC,UAAU,CAAC,CAAC,EAAE,CAAC;YAC3F,MAAM,IAAI,KAAK,CAAC,iDAAiD,GAAG,MAAM,YAAY,EAAE,CAAC,CAAC;QAC5F,CAAC;QAED,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;QACtC,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,cAAc,CAAC,CAAC;QAE3C,gBAAgB,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACjC,gBAAgB,CAAC,GAAG,CAAC,CAAC;QACtB,MAAM,SAAS,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;QACpC,IAAI,SAAS,KAAK,GAAG;YAAE,gBAAgB,CAAC,SAAS,CAAC,CAAC;QACnD,sBAAsB,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IAC5C,CAAC;IAED,8EAA8E;IAEtE,aAAa,CAAC,GAAW;QAC/B,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;QACtC,MAAM,MAAM,GAAG,kBAAkB,CAAC,GAAG,CAAC,CAAC;QAEvC,IAAI,GAAG,GAA2B,EAAE,CAAC;QACrC,MAAM,UAAU,GAAG,oBAAoB,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC,CAAC;QAC1D,IAAI,UAAU,KAAK,SAAS,EAAE,CAAC;YAC7B,IAAI,CAAC;gBACH,GAAG,GAAG,YAAY,CAAC,UAAU,CAAC,CAAC;YACjC,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,OAAO,CAAC,KAAK,CAAC,wCAAwC,GAAG,IAAI,EAAE,GAAG,CAAC,CAAC;gBACpE,qBAAqB,CAAC,GAAG,EAAE;oBACzB,MAAM,EAAE,SAAS;oBACjB,OAAO,EAAE,iBAAiB;oBAC1B,SAAS,EAAE,WAAW;oBACtB,QAAQ,EAAE,SAAS;oBACnB,OAAO,EAAE,EAAE,QAAQ,EAAE,GAAG,EAAE,KAAK,EAAE,KAAK,EAAE;iBACzC,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO;YACL,MAAM,EAAE,GAAG;YACX,WAAW,EAAE,GAAG;YAChB,GAAG;YACH,MAAM;YACN,GAAG;SACJ,CAAC;IACJ,CAAC;CACF;AAED,SAAS,kBAAkB,CAAC,GAAW;IACrC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC;QAAE,OAAO,EAAE,CAAC;IAEhC,MAAM,MAAM,GAAyB,EAAE,CAAC;IACxC,KAAK,MAAM,KAAK,IAAI,WAAW,CAAC,GAAG,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;QAC9D,IAAI,KAAK,CAAC,IAAI,KAAK,KAAK;YAAE,SAAS;QACnC,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;QACrC,MAAM,MAAM,GAAG,uBAAuB,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QACnD,IAAI,CAAC,MAAM;YAAE,SAAS;QACtB,MAAM,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;IAClC,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,gBAAgB,CAAC,IAAY;IACpC,SAAS,CAAC,IAAI,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,gBAAgB,EAAE,CAAC,CAAC;IAC7D,SAAS,CAAC,IAAI,EAAE,gBAAgB,CAAC,CAAC;AACpC,CAAC;AAED,SAAS,YAAY,CACnB,SAAiB,EACjB,SAAiB;IAKjB,IAAI,WAAW,GAAG,CAAC,CAAC;IACpB,IAAI,aAAa,GAAG,CAAC,CAAC;IAEtB,KAAK,MAAM,KAAK,IAAI,WAAW,CAAC,SAAS,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;QACpE,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;QAC/C,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;QAE/C,IAAI,KAAK,CAAC,IAAI,KAAK,KAAK,IAAI,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC;YAC3C,MAAM,SAAS,GAAG,YAAY,CAAC,oBAAoB,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC,CAAC;YACvE,MAAM,SAAS,GAAG,YAAY,CAAC,oBAAoB,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC,CAAC;YACvE,MAAM,MAAM,GAAG,EAAE,GAAG,SAAS,EAAE,GAAG,SAAS,EAAE,CAAC;YAC9C,MAAM,OAAO,GACX,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC;iBACnB,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,KAAK,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC;iBACxD,GAAG,CAAC,CAAC,CAAC,MAAM,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC,GAAG,MAAM,IAAI,KAAK,EAAE,CAAC;iBAC9C,IAAI,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;YACvB,sBAAsB,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;YAC5C,aAAa,IAAI,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC;YAC/C,SAAS;QACX,CAAC;QAED,IAAI,KAAK,CAAC,WAAW,EAAE,EAAE,CAAC;YACxB,gBAAgB,CAAC,UAAU,CAAC,CAAC;YAC7B,MAAM,MAAM,GAAG,YAAY,CAAC,UAAU,EAAE,UAAU,CAAC,CAAC;YACpD,WAAW,IAAI,MAAM,CAAC,WAAW,CAAC;YAClC,aAAa,IAAI,MAAM,CAAC,aAAa,CAAC;YACtC,SAAS;QACX,CAAC;QAED,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE;YAAE,SAAS;QAC9B,YAAY,CAAC,UAAU,EAAE,UAAU,CAAC,CAAC;QACrC,SAAS,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC;QAC7B,WAAW,EAAE,CAAC;IAChB,CAAC;IAED,OAAO,EAAE,WAAW,EAAE,aAAa,EAAE,CAAC;AACxC,CAAC;AAED,SAAS,0BAA0B,CAAC,YAAoB;IACtD,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,EAAE,CAAC;IACpC,IAAI,CAAC,OAAO,IAAI,UAAU,CAAC,OAAO,CAAC;QAAE,OAAO,SAAS,CAAC;IAEtD,MAAM,UAAU,GAAG,SAAS,CAAC,OAAO,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC3D,IAAI,CAAC,UAAU,IAAI,UAAU,KAAK,GAAG,IAAI,UAAU,KAAK,IAAI,IAAI,UAAU,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;QAC7F,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,SAAS,wBAAwB,CAAC,UAAmB;IACnD,IAAI,UAAU,KAAK,SAAS;QAAE,OAAO,SAAS,CAAC;IAE/C,MAAM,OAAO,GAAG,UAAU,CAAC,IAAI,EAAE,CAAC;IAClC,IAAI,CAAC,OAAO,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;QAAE,OAAO,SAAS,CAAC;IAE3D,MAAM,UAAU,GAAG,SAAS,CAAC,OAAO,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC3D,OAAO,UAAU,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS,CAAC;AAC7D,CAAC;AAED,MAAM,UAAU,sBAAsB,CAAC,YAAoB;IACzD,MAAM,UAAU,GAAG,0BAA0B,CAAC,YAAY,CAAC,IAAI,YAAY,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IAChG,OAAO,SAAS,UAAU,EAAE,CAAC;AAC/B,CAAC;AAED,SAAS,uBAAuB,CAAC,YAAoB;IACnD,MAAM,UAAU,GAAG,0BAA0B,CAAC,YAAY,CAAC,CAAC;IAC5D,IAAI,CAAC,UAAU;QAAE,OAAO,SAAS,CAAC;IAElC,IAAI,UAAU,KAAK,UAAU,EAAE,CAAC;QAC9B,OAAO,oCAAoC,CAAC;IAC9C,CAAC;IACD,IAAI,UAAU,KAAK,iBAAiB,EAAE,CAAC;QACrC,OAAO,2DAA2D,CAAC;IACrE,CAAC;IACD,IAAI,UAAU,KAAK,MAAM,IAAI,UAAU,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QAC5D,OAAO,YAAY,CAAC;IACtB,CAAC;IACD,IAAI,UAAU,KAAK,OAAO,IAAI,UAAU,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC9D,OAAO,aAAa,CAAC;IACvB,CAAC;IACD,IAAI,UAAU,KAAK,YAAY,IAAI,UAAU,CAAC,UAAU,CAAC,aAAa,CAAC,EAAE,CAAC;QACxE,OAAO,kBAAkB,CAAC;IAC5B,CAAC;IAED,OAAO,sBAAsB,CAAC,UAAU,CAAC,CAAC;AAC5C,CAAC","sourcesContent":["import { chmodSync, copyFileSync, existsSync, mkdirSync, readdirSync, rmSync } from \"fs\";\nimport { dirname, isAbsolute, join, normalize, sep } from \"path\";\nimport { readTextFileIfExists } from \"../utils/file-guards.js\";\nimport type { SandboxConfig } from \"../sandbox/index.js\";\nimport { atomicWritePrivateFile } from \"../utils/fs-atomic.js\";\nimport { reportUserFacingError } from \"../observability/sentry.js\";\n\nconst PRIVATE_DIR_MODE = 0o700;\nconst SHARED_VAULT_DIR = \"shared\";\n\nexport function normalizeSharedVaultName(name: string): string | undefined {\n  const trimmed = name.trim();\n  if (!/^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$/.test(trimmed)) return undefined;\n  return trimmed;\n}\n\nexport function sharedVaultKey(name: string): string | undefined {\n  const normalized = normalizeSharedVaultName(name);\n  return normalized ? `${SHARED_VAULT_DIR}/${normalized}` : undefined;\n}\n\nfunction sanitizeCloudflareSandboxId(value: string): string {\n  return (\n    value\n      .toLowerCase()\n      .replace(/[^a-z0-9-]+/g, \"-\")\n      .replace(/^-+|-+$/g, \"\") || \"unknown\"\n  );\n}\n\nexport type { ResolvedVault, VaultManager } from \"./types.js\";\nimport type { ResolvedVault, ResolvedVaultMount, VaultManager } from \"./types.js\";\n\n// ── parseEnvFile ───────────────────────────────────────────────────────────────\n\n/**\n * Parse a KEY=VALUE env file. Supports:\n * - Lines starting with # are comments\n * - Empty lines are skipped\n * - Values can be quoted with single or double quotes (quotes are stripped)\n * - No variable expansion\n * - The value is everything after the first `=` to end of line (no inline comments)\n */\nexport function parseEnvFile(content: string): Record<string, string> {\n  const env: Record<string, string> = {};\n  const lines = content.replace(/\\r\\n/g, \"\\n\").replace(/\\r/g, \"\\n\").split(\"\\n\");\n\n  for (const line of lines) {\n    const trimmed = line.trim();\n    if (!trimmed || trimmed.startsWith(\"#\")) continue;\n\n    const eqIndex = trimmed.indexOf(\"=\");\n    if (eqIndex === -1) continue;\n\n    const key = trimmed.slice(0, eqIndex).trim();\n    if (!key) continue;\n\n    let value = trimmed.slice(eqIndex + 1);\n\n    if (\n      (value.startsWith('\"') && value.endsWith('\"')) ||\n      (value.startsWith(\"'\") && value.endsWith(\"'\"))\n    ) {\n      value = value.slice(1, -1);\n    }\n\n    env[key] = value;\n  }\n\n  return env;\n}\n\n// ── FileVaultManager ───────────────────────────────────────────────────────────\n\nexport class FileVaultManager implements VaultManager {\n  private readonly vaultsDir: string;\n\n  constructor(stateDir: string) {\n    this.vaultsDir = join(stateDir, \"vaults\");\n  }\n\n  isEnabled(): boolean {\n    return existsSync(this.vaultsDir);\n  }\n\n  hasEntry(key: string): boolean {\n    return existsSync(join(this.vaultsDir, key));\n  }\n\n  listSharedVaults(): string[] {\n    const sharedDir = join(this.vaultsDir, SHARED_VAULT_DIR);\n    if (!existsSync(sharedDir)) return [];\n    return readdirSync(sharedDir, { withFileTypes: true })\n      .filter((entry) => entry.isDirectory() && normalizeSharedVaultName(entry.name) === entry.name)\n      .map((entry) => entry.name)\n      .toSorted((left, right) => left.localeCompare(right));\n  }\n\n  deleteSharedVault(name: string): boolean {\n    const key = sharedVaultKey(name);\n    if (!key) throw new Error(`vault: invalid shared login name: ${name}`);\n    const dir = join(this.vaultsDir, key);\n    const existed = existsSync(dir);\n    rmSync(dir, { recursive: true, force: true });\n    return existed;\n  }\n\n  copySharedVaultTo(\n    name: string,\n    targetKey: string,\n  ): { filesCopied: number; envKeysCopied: number } {\n    const sourceKey = sharedVaultKey(name);\n    if (!sourceKey) throw new Error(`vault: invalid shared login name: ${name}`);\n    const sourceDir = join(this.vaultsDir, sourceKey);\n    if (!existsSync(sourceDir)) throw new Error(`vault: shared login \"${name}\" does not exist`);\n\n    const targetDir = join(this.vaultsDir, targetKey);\n    ensurePrivateDir(this.vaultsDir);\n    ensurePrivateDir(targetDir);\n    return copyVaultDir(sourceDir, targetDir);\n  }\n\n  resolve(userId: string): ResolvedVault | undefined {\n    const dir = join(this.vaultsDir, userId);\n    if (!existsSync(dir)) return undefined;\n    return this.buildResolved(userId);\n  }\n\n  getSandboxConfig(userId: string, baseConfig: SandboxConfig): SandboxConfig {\n    if (baseConfig.type === \"cloudflare\") {\n      return {\n        type: \"cloudflare\",\n        sandboxId: `${baseConfig.sandboxId}-${sanitizeCloudflareSandboxId(userId)}`,\n      };\n    }\n    return baseConfig;\n  }\n\n  list(): ResolvedVault[] {\n    if (!existsSync(this.vaultsDir)) return [];\n    const keys = new Set<string>();\n    for (const entry of readdirSync(this.vaultsDir, { withFileTypes: true })) {\n      if (entry.isDirectory()) keys.add(entry.name);\n    }\n    return Array.from(keys, (key) => this.buildResolved(key));\n  }\n\n  upsertEnv(key: string, env: Record<string, string>): void {\n    const dir = join(this.vaultsDir, key);\n    const envPath = join(dir, \"env\");\n    ensurePrivateDir(this.vaultsDir);\n    ensurePrivateDir(dir);\n    const existingContent = readTextFileIfExists(envPath);\n    const existing = existingContent ? parseEnvFile(existingContent) : {};\n    const merged = { ...existing, ...env };\n    const content =\n      Object.entries(merged)\n        .toSorted(([left], [right]) => left.localeCompare(right))\n        .map(([envKey, value]) => `${envKey}=${value}`)\n        .join(\"\\n\") + \"\\n\";\n    atomicWritePrivateFile(envPath, content);\n  }\n\n  upsertFile(key: string, relativePath: string, content: string, targetPath?: string): void {\n    const normalizedPath = normalizeVaultRelativePath(relativePath);\n    if (!normalizedPath || (targetPath !== undefined && !normalizeVaultTargetPath(targetPath))) {\n      throw new Error(`vault: invalid relative secret file path for \"${key}\": ${relativePath}`);\n    }\n\n    const dir = join(this.vaultsDir, key);\n    const filePath = join(dir, normalizedPath);\n\n    ensurePrivateDir(this.vaultsDir);\n    ensurePrivateDir(dir);\n    const parentDir = dirname(filePath);\n    if (parentDir !== dir) ensurePrivateDir(parentDir);\n    atomicWritePrivateFile(filePath, content);\n  }\n\n  // ── private ────────────────────────────────────────────────────────────────\n\n  private buildResolved(key: string): ResolvedVault {\n    const dir = join(this.vaultsDir, key);\n    const mounts = inferMountsFromDir(dir);\n\n    let env: Record<string, string> = {};\n    const envContent = readTextFileIfExists(join(dir, \"env\"));\n    if (envContent !== undefined) {\n      try {\n        env = parseEnvFile(envContent);\n      } catch (err) {\n        console.error(`vault: failed to parse env file for \"${key}\":`, err);\n        reportUserFacingError(err, {\n          domain: \"sandbox\",\n          surface: \"vault_injection\",\n          operation: \"parse_env\",\n          severity: \"warning\",\n          context: { vaultKey: key, fatal: false },\n        });\n      }\n    }\n\n    return {\n      userId: key,\n      displayName: key,\n      dir,\n      mounts,\n      env,\n    };\n  }\n}\n\nfunction inferMountsFromDir(dir: string): ResolvedVaultMount[] {\n  if (!existsSync(dir)) return [];\n\n  const mounts: ResolvedVaultMount[] = [];\n  for (const entry of readdirSync(dir, { withFileTypes: true })) {\n    if (entry.name === \"env\") continue;\n    const source = join(dir, entry.name);\n    const target = inferredVaultTargetPath(entry.name);\n    if (!target) continue;\n    mounts.push({ source, target });\n  }\n  return mounts;\n}\n\nfunction ensurePrivateDir(path: string): void {\n  mkdirSync(path, { recursive: true, mode: PRIVATE_DIR_MODE });\n  chmodSync(path, PRIVATE_DIR_MODE);\n}\n\nfunction copyVaultDir(\n  sourceDir: string,\n  targetDir: string,\n): {\n  filesCopied: number;\n  envKeysCopied: number;\n} {\n  let filesCopied = 0;\n  let envKeysCopied = 0;\n\n  for (const entry of readdirSync(sourceDir, { withFileTypes: true })) {\n    const sourcePath = join(sourceDir, entry.name);\n    const targetPath = join(targetDir, entry.name);\n\n    if (entry.name === \"env\" && entry.isFile()) {\n      const sourceEnv = parseEnvFile(readTextFileIfExists(sourcePath) ?? \"\");\n      const targetEnv = parseEnvFile(readTextFileIfExists(targetPath) ?? \"\");\n      const merged = { ...targetEnv, ...sourceEnv };\n      const content =\n        Object.entries(merged)\n          .toSorted(([left], [right]) => left.localeCompare(right))\n          .map(([envKey, value]) => `${envKey}=${value}`)\n          .join(\"\\n\") + \"\\n\";\n      atomicWritePrivateFile(targetPath, content);\n      envKeysCopied += Object.keys(sourceEnv).length;\n      continue;\n    }\n\n    if (entry.isDirectory()) {\n      ensurePrivateDir(targetPath);\n      const nested = copyVaultDir(sourcePath, targetPath);\n      filesCopied += nested.filesCopied;\n      envKeysCopied += nested.envKeysCopied;\n      continue;\n    }\n\n    if (!entry.isFile()) continue;\n    copyFileSync(sourcePath, targetPath);\n    chmodSync(targetPath, 0o600);\n    filesCopied++;\n  }\n\n  return { filesCopied, envKeysCopied };\n}\n\nfunction normalizeVaultRelativePath(relativePath: string): string | undefined {\n  const trimmed = relativePath.trim();\n  if (!trimmed || isAbsolute(trimmed)) return undefined;\n\n  const normalized = normalize(trimmed).split(sep).join(\"/\");\n  if (!normalized || normalized === \".\" || normalized === \"..\" || normalized.startsWith(\"../\")) {\n    return undefined;\n  }\n  return normalized;\n}\n\nfunction normalizeVaultTargetPath(targetPath?: string): string | undefined {\n  if (targetPath === undefined) return undefined;\n\n  const trimmed = targetPath.trim();\n  if (!trimmed || !trimmed.startsWith(\"/\")) return undefined;\n\n  const normalized = normalize(trimmed).split(sep).join(\"/\");\n  return normalized.startsWith(\"/\") ? normalized : undefined;\n}\n\nexport function defaultVaultTargetPath(relativePath: string): string {\n  const normalized = normalizeVaultRelativePath(relativePath) ?? relativePath.replace(/^\\/+/, \"\");\n  return `/root/${normalized}`;\n}\n\nfunction inferredVaultTargetPath(relativePath: string): string | undefined {\n  const normalized = normalizeVaultRelativePath(relativePath);\n  if (!normalized) return undefined;\n\n  if (normalized === \"gws.json\") {\n    return \"/root/.config/gws/credentials.json\";\n  }\n  if (normalized === \"gcloud-adc.json\") {\n    return \"/root/.config/gcloud/application_default_credentials.json\";\n  }\n  if (normalized === \".ssh\" || normalized.startsWith(\".ssh/\")) {\n    return \"/root/.ssh\";\n  }\n  if (normalized === \".kube\" || normalized.startsWith(\".kube/\")) {\n    return \"/root/.kube\";\n  }\n  if (normalized === \".config/gh\" || normalized.startsWith(\".config/gh/\")) {\n    return \"/root/.config/gh\";\n  }\n\n  return defaultVaultTargetPath(normalized);\n}\n"]}

package/dist/{vault-routing.d.ts → vault/routing.d.ts}

@@ -1,3 +1,3 @@
-import type { SandboxConfig } from "./sandbox/index.js";
+import type { SandboxConfig } from "../sandbox/index.js";
 export declare function resolveActorVaultKey(baseConfig: SandboxConfig, userId: string, conversationId: string): string;
-//# sourceMappingURL=vault-routing.d.ts.map
+//# sourceMappingURL=routing.d.ts.map

package/dist/vault/routing.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"routing.d.ts","sourceRoot":"","sources":["../../src/vault/routing.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACzD,wBAAgB,oBAAoB,CAClC,UAAU,EAAE,aAAa,EACzB,MAAM,EAAE,MAAM,EACd,cAAc,EAAE,MAAM,GACrB,MAAM,CAcR","sourcesContent":["import { DockerContainerManager } from \"../provisioner.js\";\nimport type { SandboxConfig } from \"../sandbox/index.js\";\nexport function resolveActorVaultKey(\n  baseConfig: SandboxConfig,\n  userId: string,\n  conversationId: string,\n): string {\n  if (baseConfig.type === \"container\") {\n    return `container-${baseConfig.container}`;\n  }\n\n  if (\n    baseConfig.type === \"image\" ||\n    baseConfig.type === \"cloudflare\" ||\n    baseConfig.type === \"firecracker\"\n  ) {\n    return DockerContainerManager.sanitizeSegment(conversationId);\n  }\n\n  return userId;\n}\n"]}

package/dist/{vault-routing.js → vault/routing.js}

@@ -1,4 +1,4 @@
-import { DockerContainerManager } from "./provisioner.js";
+import { DockerContainerManager } from "../provisioner.js";
 export function resolveActorVaultKey(baseConfig, userId, conversationId) {
     if (baseConfig.type === "container") {
         return `container-${baseConfig.container}`;
@@ -10,4 +10,4 @@ export function resolveActorVaultKey(baseConfig, userId, conversationId) {
     }
     return userId;
 }
-//# sourceMappingURL=vault-routing.js.map
+//# sourceMappingURL=routing.js.map

package/dist/vault/routing.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"routing.js","sourceRoot":"","sources":["../../src/vault/routing.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,sBAAsB,EAAE,MAAM,mBAAmB,CAAC;AAE3D,MAAM,UAAU,oBAAoB,CAClC,UAAyB,EACzB,MAAc,EACd,cAAsB;IAEtB,IAAI,UAAU,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;QACpC,OAAO,aAAa,UAAU,CAAC,SAAS,EAAE,CAAC;IAC7C,CAAC;IAED,IACE,UAAU,CAAC,IAAI,KAAK,OAAO;QAC3B,UAAU,CAAC,IAAI,KAAK,YAAY;QAChC,UAAU,CAAC,IAAI,KAAK,aAAa,EACjC,CAAC;QACD,OAAO,sBAAsB,CAAC,eAAe,CAAC,cAAc,CAAC,CAAC;IAChE,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC","sourcesContent":["import { DockerContainerManager } from \"../provisioner.js\";\nimport type { SandboxConfig } from \"../sandbox/index.js\";\nexport function resolveActorVaultKey(\n  baseConfig: SandboxConfig,\n  userId: string,\n  conversationId: string,\n): string {\n  if (baseConfig.type === \"container\") {\n    return `container-${baseConfig.container}`;\n  }\n\n  if (\n    baseConfig.type === \"image\" ||\n    baseConfig.type === \"cloudflare\" ||\n    baseConfig.type === \"firecracker\"\n  ) {\n    return DockerContainerManager.sanitizeSegment(conversationId);\n  }\n\n  return userId;\n}\n"]}

package/dist/{vault.d.ts → vault/types.d.ts}

@@ -1,7 +1,5 @@
-import type { SandboxConfig } from "./sandbox/index.js";
-export declare function normalizeSharedVaultName(name: string): string | undefined;
-export declare function sharedVaultKey(name: string): string | undefined;
-interface ResolvedVaultMount {
+import type { SandboxConfig } from "../sandbox/index.js";
+export interface ResolvedVaultMount {
     source: string;
     target: string;
 }
@@ -41,33 +39,4 @@ export interface VaultManager {
         envKeysCopied: number;
     };
 }
-/**
- * Parse a KEY=VALUE env file. Supports:
- * - Lines starting with # are comments
- * - Empty lines are skipped
- * - Values can be quoted with single or double quotes (quotes are stripped)
- * - No variable expansion
- * - The value is everything after the first `=` to end of line (no inline comments)
- */
-export declare function parseEnvFile(content: string): Record<string, string>;
-export declare class FileVaultManager implements VaultManager {
-    private readonly vaultsDir;
-    constructor(stateDir: string);
-    isEnabled(): boolean;
-    hasEntry(key: string): boolean;
-    listSharedVaults(): string[];
-    deleteSharedVault(name: string): boolean;
-    copySharedVaultTo(name: string, targetKey: string): {
-        filesCopied: number;
-        envKeysCopied: number;
-    };
-    resolve(userId: string): ResolvedVault | undefined;
-    getSandboxConfig(userId: string, baseConfig: SandboxConfig): SandboxConfig;
-    list(): ResolvedVault[];
-    upsertEnv(key: string, env: Record<string, string>): void;
-    upsertFile(key: string, relativePath: string, content: string, targetPath?: string): void;
-    private buildResolved;
-}
-export declare function defaultVaultTargetPath(relativePath: string): string;
-export {};
-//# sourceMappingURL=vault.d.ts.map
+//# sourceMappingURL=types.d.ts.map

package/dist/vault/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/vault/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAEzD,MAAM,WAAW,kBAAkB;IACjC,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,8CAA8C;AAC9C,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,MAAM,CAAC;IACpB,uCAAuC;IACvC,GAAG,EAAE,MAAM,CAAC;IACZ,2BAA2B;IAC3B,MAAM,EAAE,kBAAkB,EAAE,CAAC;IAC7B,2BAA2B;IAC3B,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAC7B;AAED,MAAM,WAAW,YAAY;IAC3B,oEAAoE;IACpE,QAAQ,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;IAC/B,4EAA4E;IAC5E,OAAO,CAAC,MAAM,EAAE,MAAM,GAAG,aAAa,GAAG,SAAS,CAAC;IACnD,8DAA8D;IAC9D,gBAAgB,CAAC,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,aAAa,GAAG,aAAa,CAAC;IAC3E,gDAAgD;IAChD,IAAI,IAAI,aAAa,EAAE,CAAC;IACxB,4CAA4C;IAC5C,SAAS,IAAI,OAAO,CAAC;IACrB,kFAAkF;IAClF,SAAS,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,IAAI,CAAC;IAC1D,yFAAyF;IACzF,UAAU,CAAC,GAAG,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1F,6DAA6D;IAC7D,gBAAgB,IAAI,MAAM,EAAE,CAAC;IAC7B,+EAA+E;IAC/E,iBAAiB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC;IACzC,wEAAwE;IACxE,iBAAiB,CACf,IAAI,EAAE,MAAM,EACZ,SAAS,EAAE,MAAM,GAChB;QAAE,WAAW,EAAE,MAAM,CAAC;QAAC,aAAa,EAAE,MAAM,CAAA;KAAE,CAAC;CACnD","sourcesContent":["import type { SandboxConfig } from \"../sandbox/index.js\";\n\nexport interface ResolvedVaultMount {\n  source: string;\n  target: string;\n}\n\n/** Resolved vault ready for use at runtime */\nexport interface ResolvedVault {\n  userId: string;\n  displayName: string;\n  /** Absolute path to vault directory */\n  dir: string;\n  /** Absolute mount specs */\n  mounts: ResolvedVaultMount[];\n  /** Parsed from env file */\n  env: Record<string, string>;\n}\n\nexport interface VaultManager {\n  /** Return true when a vault directory exists for this exact key. */\n  hasEntry(key: string): boolean;\n  /** Resolve vault for a user; returns undefined when no directory exists. */\n  resolve(userId: string): ResolvedVault | undefined;\n  /** Get sandbox config with credential injection for a user */\n  getSandboxConfig(userId: string, baseConfig: SandboxConfig): SandboxConfig;\n  /** List all vaults discovered under vaults/. */\n  list(): ResolvedVault[];\n  /** Check if the vaults directory exists. */\n  isEnabled(): boolean;\n  /** Merge environment variables into vaults/<key>/env and persist them to disk. */\n  upsertEnv(key: string, env: Record<string, string>): void;\n  /** Write a private file into vaults/<key>/ and ensure it is mounted into the sandbox. */\n  upsertFile(key: string, relativePath: string, content: string, targetPath?: string): void;\n  /** List named shared login profiles under vaults/shared/. */\n  listSharedVaults(): string[];\n  /** Delete a shared login profile's directory. Returns true when it existed. */\n  deleteSharedVault(name: string): boolean;\n  /** Copy a shared login profile's files into another vault directory. */\n  copySharedVaultTo(\n    name: string,\n    targetKey: string,\n  ): { filesCopied: number; envKeysCopied: number };\n}\n"]}

package/dist/vault/types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=types.js.map

package/dist/vault/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/vault/types.ts"],"names":[],"mappings":"","sourcesContent":["import type { SandboxConfig } from \"../sandbox/index.js\";\n\nexport interface ResolvedVaultMount {\n  source: string;\n  target: string;\n}\n\n/** Resolved vault ready for use at runtime */\nexport interface ResolvedVault {\n  userId: string;\n  displayName: string;\n  /** Absolute path to vault directory */\n  dir: string;\n  /** Absolute mount specs */\n  mounts: ResolvedVaultMount[];\n  /** Parsed from env file */\n  env: Record<string, string>;\n}\n\nexport interface VaultManager {\n  /** Return true when a vault directory exists for this exact key. */\n  hasEntry(key: string): boolean;\n  /** Resolve vault for a user; returns undefined when no directory exists. */\n  resolve(userId: string): ResolvedVault | undefined;\n  /** Get sandbox config with credential injection for a user */\n  getSandboxConfig(userId: string, baseConfig: SandboxConfig): SandboxConfig;\n  /** List all vaults discovered under vaults/. */\n  list(): ResolvedVault[];\n  /** Check if the vaults directory exists. */\n  isEnabled(): boolean;\n  /** Merge environment variables into vaults/<key>/env and persist them to disk. */\n  upsertEnv(key: string, env: Record<string, string>): void;\n  /** Write a private file into vaults/<key>/ and ensure it is mounted into the sandbox. */\n  upsertFile(key: string, relativePath: string, content: string, targetPath?: string): void;\n  /** List named shared login profiles under vaults/shared/. */\n  listSharedVaults(): string[];\n  /** Delete a shared login profile's directory. Returns true when it existed. */\n  deleteSharedVault(name: string): boolean;\n  /** Copy a shared login profile's files into another vault directory. */\n  copySharedVaultTo(\n    name: string,\n    targetKey: string,\n  ): { filesCopied: number; envKeysCopied: number };\n}\n"]}

package/dist/web/admin/portal.d.ts

@@ -0,0 +1,5 @@
+import type { IncomingMessage, ServerResponse } from "http";
+export type { AdminRuntimeBridge, AdminServices } from "./types.js";
+import type { AdminServices } from "./types.js";
+export declare function handleAdminRequest(req: IncomingMessage, res: ServerResponse, url: URL, services: AdminServices): boolean;
+//# sourceMappingURL=portal.d.ts.map