npm - @getaegis/cli - Versions diffs - 0.8.0 → 0.8.1 - Mend

@getaegis/cli 0.8.0 → 0.8.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (210) hide show

package/README.md +5 -0
package/dist/agent/agent.d.ts +98 -0
package/dist/agent/agent.d.ts.map +1 -0
package/dist/agent/agent.js +212 -0
package/dist/agent/agent.js.map +1 -0
package/dist/agent/index.d.ts +3 -0
package/dist/agent/index.d.ts.map +1 -0
package/dist/agent/index.js +2 -0
package/dist/agent/index.js.map +1 -0
package/dist/cli/auth.d.ts +19 -0
package/dist/cli/auth.d.ts.map +1 -0
package/dist/cli/auth.js +44 -0
package/dist/cli/auth.js.map +1 -0
package/dist/cli/commands/agent.d.ts +6 -0
package/dist/cli/commands/agent.d.ts.map +1 -0
package/dist/cli/commands/agent.js +241 -0
package/dist/cli/commands/agent.js.map +1 -0
package/dist/cli/commands/config.d.ts +6 -0
package/dist/cli/commands/config.d.ts.map +1 -0
package/dist/cli/commands/config.js +125 -0
package/dist/cli/commands/config.js.map +1 -0
package/dist/cli/commands/dashboard.d.ts +6 -0
package/dist/cli/commands/dashboard.d.ts.map +1 -0
package/dist/cli/commands/dashboard.js +189 -0
package/dist/cli/commands/dashboard.js.map +1 -0
package/dist/cli/commands/doctor.d.ts +6 -0
package/dist/cli/commands/doctor.d.ts.map +1 -0
package/dist/cli/commands/doctor.js +39 -0
package/dist/cli/commands/doctor.js.map +1 -0
package/dist/cli/commands/gate.d.ts +6 -0
package/dist/cli/commands/gate.d.ts.map +1 -0
package/dist/cli/commands/gate.js +196 -0
package/dist/cli/commands/gate.js.map +1 -0
package/dist/cli/commands/init.d.ts +6 -0
package/dist/cli/commands/init.d.ts.map +1 -0
package/dist/cli/commands/init.js +109 -0
package/dist/cli/commands/init.js.map +1 -0
package/dist/cli/commands/ledger.d.ts +6 -0
package/dist/cli/commands/ledger.d.ts.map +1 -0
package/dist/cli/commands/ledger.js +140 -0
package/dist/cli/commands/ledger.js.map +1 -0
package/dist/cli/commands/mcp.d.ts +6 -0
package/dist/cli/commands/mcp.d.ts.map +1 -0
package/dist/cli/commands/mcp.js +224 -0
package/dist/cli/commands/mcp.js.map +1 -0
package/dist/cli/commands/policy.d.ts +6 -0
package/dist/cli/commands/policy.d.ts.map +1 -0
package/dist/cli/commands/policy.js +126 -0
package/dist/cli/commands/policy.js.map +1 -0
package/dist/cli/commands/user.d.ts +6 -0
package/dist/cli/commands/user.d.ts.map +1 -0
package/dist/cli/commands/user.js +150 -0
package/dist/cli/commands/user.js.map +1 -0
package/dist/cli/commands/vault-manager.d.ts +6 -0
package/dist/cli/commands/vault-manager.d.ts.map +1 -0
package/dist/cli/commands/vault-manager.js +240 -0
package/dist/cli/commands/vault-manager.js.map +1 -0
package/dist/cli/commands/vault.d.ts +6 -0
package/dist/cli/commands/vault.d.ts.map +1 -0
package/dist/cli/commands/vault.js +241 -0
package/dist/cli/commands/vault.js.map +1 -0
package/dist/cli/commands/webhook.d.ts +6 -0
package/dist/cli/commands/webhook.d.ts.map +1 -0
package/dist/cli/commands/webhook.js +151 -0
package/dist/cli/commands/webhook.js.map +1 -0
package/dist/cli/helpers.d.ts +12 -0
package/dist/cli/helpers.d.ts.map +1 -0
package/dist/cli/helpers.js +61 -0
package/dist/cli/helpers.js.map +1 -0
package/dist/cli/index.d.ts +17 -0
package/dist/cli/index.d.ts.map +1 -0
package/dist/cli/index.js +17 -0
package/dist/cli/index.js.map +1 -0
package/dist/cli/validation.d.ts +37 -0
package/dist/cli/validation.d.ts.map +1 -0
package/dist/cli/validation.js +104 -0
package/dist/cli/validation.js.map +1 -0
package/dist/cli.d.ts +3 -0
package/dist/cli.d.ts.map +1 -0
package/dist/cli.js +30 -0
package/dist/cli.js.map +1 -0
package/dist/config.d.ts +108 -0
package/dist/config.d.ts.map +1 -0
package/dist/config.js +355 -0
package/dist/config.js.map +1 -0
package/dist/dashboard/dashboard-server.d.ts +95 -0
package/dist/dashboard/dashboard-server.d.ts.map +1 -0
package/dist/dashboard/dashboard-server.js +329 -0
package/dist/dashboard/dashboard-server.js.map +1 -0
package/dist/dashboard/index.d.ts +3 -0
package/dist/dashboard/index.d.ts.map +1 -0
package/dist/dashboard/index.js +2 -0
package/dist/dashboard/index.js.map +1 -0
package/dist/dashboard/public/assets/index-CpMruPNh.css +1 -0
package/dist/dashboard/public/assets/index-DkHiw9_f.js +148 -0
package/dist/dashboard/public/favicon.svg +6 -0
package/dist/dashboard/public/index.html +14 -0
package/dist/db.d.ts +15 -0
package/dist/db.d.ts.map +1 -0
package/dist/db.js +190 -0
package/dist/db.js.map +1 -0
package/dist/doctor.d.ts +37 -0
package/dist/doctor.d.ts.map +1 -0
package/dist/doctor.js +196 -0
package/dist/doctor.js.map +1 -0
package/dist/gate/body-inspector.d.ts +31 -0
package/dist/gate/body-inspector.d.ts.map +1 -0
package/dist/gate/body-inspector.js +193 -0
package/dist/gate/body-inspector.js.map +1 -0
package/dist/gate/gate.d.ts +168 -0
package/dist/gate/gate.d.ts.map +1 -0
package/dist/gate/gate.js +1016 -0
package/dist/gate/gate.js.map +1 -0
package/dist/gate/index.d.ts +7 -0
package/dist/gate/index.d.ts.map +1 -0
package/dist/gate/index.js +4 -0
package/dist/gate/index.js.map +1 -0
package/dist/gate/rate-limiter.d.ts +59 -0
package/dist/gate/rate-limiter.d.ts.map +1 -0
package/dist/gate/rate-limiter.js +120 -0
package/dist/gate/rate-limiter.js.map +1 -0
package/dist/index.d.ts +26 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +16 -0
package/dist/index.js.map +1 -0
package/dist/ledger/index.d.ts +3 -0
package/dist/ledger/index.d.ts.map +1 -0
package/dist/ledger/index.js +2 -0
package/dist/ledger/index.js.map +1 -0
package/dist/ledger/ledger.d.ts +98 -0
package/dist/ledger/ledger.d.ts.map +1 -0
package/dist/ledger/ledger.js +145 -0
package/dist/ledger/ledger.js.map +1 -0
package/dist/logger/index.d.ts +3 -0
package/dist/logger/index.d.ts.map +1 -0
package/dist/logger/index.js +2 -0
package/dist/logger/index.js.map +1 -0
package/dist/logger/logger.d.ts +58 -0
package/dist/logger/logger.d.ts.map +1 -0
package/dist/logger/logger.js +201 -0
package/dist/logger/logger.js.map +1 -0
package/dist/mcp/index.d.ts +3 -0
package/dist/mcp/index.d.ts.map +1 -0
package/dist/mcp/index.js +2 -0
package/dist/mcp/index.js.map +1 -0
package/dist/mcp/mcp-server.d.ts +130 -0
package/dist/mcp/mcp-server.d.ts.map +1 -0
package/dist/mcp/mcp-server.js +775 -0
package/dist/mcp/mcp-server.js.map +1 -0
package/dist/metrics/index.d.ts +3 -0
package/dist/metrics/index.d.ts.map +1 -0
package/dist/metrics/index.js +2 -0
package/dist/metrics/index.js.map +1 -0
package/dist/metrics/metrics.d.ts +88 -0
package/dist/metrics/metrics.d.ts.map +1 -0
package/dist/metrics/metrics.js +179 -0
package/dist/metrics/metrics.js.map +1 -0
package/dist/policy/index.d.ts +3 -0
package/dist/policy/index.d.ts.map +1 -0
package/dist/policy/index.js +2 -0
package/dist/policy/index.js.map +1 -0
package/dist/policy/policy.d.ts +119 -0
package/dist/policy/policy.d.ts.map +1 -0
package/dist/policy/policy.js +426 -0
package/dist/policy/policy.js.map +1 -0
package/dist/user/index.d.ts +3 -0
package/dist/user/index.d.ts.map +1 -0
package/dist/user/index.js +2 -0
package/dist/user/index.js.map +1 -0
package/dist/user/user.d.ts +102 -0
package/dist/user/user.d.ts.map +1 -0
package/dist/user/user.js +216 -0
package/dist/user/user.js.map +1 -0
package/dist/vault/crypto.d.ts +28 -0
package/dist/vault/crypto.d.ts.map +1 -0
package/dist/vault/crypto.js +44 -0
package/dist/vault/crypto.js.map +1 -0
package/dist/vault/index.d.ts +10 -0
package/dist/vault/index.d.ts.map +1 -0
package/dist/vault/index.js +6 -0
package/dist/vault/index.js.map +1 -0
package/dist/vault/seal.d.ts +68 -0
package/dist/vault/seal.d.ts.map +1 -0
package/dist/vault/seal.js +110 -0
package/dist/vault/seal.js.map +1 -0
package/dist/vault/shamir.d.ts +33 -0
package/dist/vault/shamir.d.ts.map +1 -0
package/dist/vault/shamir.js +174 -0
package/dist/vault/shamir.js.map +1 -0
package/dist/vault/vault-manager.d.ts +62 -0
package/dist/vault/vault-manager.d.ts.map +1 -0
package/dist/vault/vault-manager.js +141 -0
package/dist/vault/vault-manager.js.map +1 -0
package/dist/vault/vault.d.ts +104 -0
package/dist/vault/vault.d.ts.map +1 -0
package/dist/vault/vault.js +259 -0
package/dist/vault/vault.js.map +1 -0
package/dist/version.d.ts +3 -0
package/dist/version.d.ts.map +1 -0
package/dist/version.js +18 -0
package/dist/version.js.map +1 -0
package/dist/webhook/index.d.ts +3 -0
package/dist/webhook/index.d.ts.map +1 -0
package/dist/webhook/index.js +2 -0
package/dist/webhook/index.js.map +1 -0
package/dist/webhook/webhook.d.ts +114 -0
package/dist/webhook/webhook.d.ts.map +1 -0
package/dist/webhook/webhook.js +269 -0
package/dist/webhook/webhook.js.map +1 -0
package/package.json +7 -3

package/dist/user/user.js ADDED Viewed

@@ -0,0 +1,216 @@
+import * as crypto from 'node:crypto';
+export const VALID_ROLES = ['admin', 'operator', 'viewer'];
+/**
+ * Role → permission mapping.
+ * More privileged roles include all permissions from less privileged ones.
+ */
+const ROLE_PERMISSIONS = {
+    admin: new Set([
+        'vault:read',
+        'vault:write',
+        'vault:manage',
+        'agent:read',
+        'agent:write',
+        'ledger:read',
+        'ledger:export',
+        'gate:start',
+        'policy:read',
+        'policy:write',
+        'webhook:read',
+        'webhook:write',
+        'user:read',
+        'user:write',
+        'dashboard:view',
+        'doctor:run',
+    ]),
+    operator: new Set([
+        'vault:read',
+        'agent:read',
+        'agent:write',
+        'ledger:read',
+        'ledger:export',
+        'gate:start',
+        'policy:read',
+        'webhook:read',
+        'dashboard:view',
+        'doctor:run',
+    ]),
+    viewer: new Set(['vault:read', 'ledger:read', 'dashboard:view', 'doctor:run']),
+};
+/**
+ * Check if a role has a specific permission.
+ */
+export function hasPermission(role, permission) {
+    return ROLE_PERMISSIONS[role].has(permission);
+}
+/**
+ * Get all permissions for a role.
+ */
+export function getPermissions(role) {
+    return ROLE_PERMISSIONS[role];
+}
+// ─── User Registry ──────────────────────────────────────────────
+/**
+ * User Registry — manages user identities, authentication, and role-based access control.
+ *
+ * Users are authenticated via API keys (same pattern as agent tokens):
+ * - Token format: aegis_user_{uuid}_{hmac_prefix}
+ * - Tokens are SHA-256 hashed for fast lookup — hash-only, no recovery
+ * - Prefixed (first 17 chars: "aegis_user_" + 6) for safe logging
+ *
+ * Security: Same hash-only storage as agent tokens. If a token is lost,
+ * use regenerateToken() to issue a new one.
+ */
+export class UserRegistry {
+    db;
+    derivedKey;
+    constructor(db, derivedKey) {
+        this.db = db;
+        this.derivedKey = derivedKey;
+    }
+    /**
+     * Register a new user. Returns the user with their API key (shown once).
+     *
+     * Token format: aegis_user_{uuid}_{hmac_prefix}
+     */
+    add(params) {
+        if (!VALID_ROLES.includes(params.role)) {
+            throw new Error(`Invalid role "${params.role}". Must be one of: ${VALID_ROLES.join(', ')}`);
+        }
+        const id = crypto.randomUUID();
+        const uuid = crypto.randomUUID();
+        // Create HMAC of the UUID using the derived key for token integrity
+        const hmac = crypto
+            .createHmac('sha256', this.derivedKey)
+            .update(uuid)
+            .digest('hex')
+            .slice(0, 16);
+        const token = `aegis_user_${uuid}_${hmac}`;
+        // Hash the full token for fast lookup (hash-only — no recovery, only regeneration)
+        const tokenHash = crypto.createHash('sha256').update(token).digest('hex');
+        const tokenPrefix = token.slice(0, 17); // "aegis_user_" + 6 chars
+        this.db
+            .prepare(`INSERT INTO users (id, name, role, token_hash, token_prefix)
+         VALUES (?, ?, ?, ?, ?)`)
+            .run(id, params.name, params.role, tokenHash, tokenPrefix);
+        return {
+            id,
+            name: params.name,
+            role: params.role,
+            tokenPrefix,
+            token,
+            createdAt: new Date().toISOString(),
+            updatedAt: new Date().toISOString(),
+        };
+    }
+    /**
+     * List all registered users (without tokens).
+     */
+    list() {
+        const rows = this.db.prepare('SELECT * FROM users ORDER BY created_at DESC').all();
+        return rows.map((row) => this.rowToUser(row));
+    }
+    /**
+     * Get a user by name (without token).
+     */
+    getByName(name) {
+        const row = this.db.prepare('SELECT * FROM users WHERE name = ?').get(name);
+        return row ? this.rowToUser(row) : null;
+    }
+    /**
+     * Validate a user API key. Returns the user if the token is valid, null otherwise.
+     *
+     * Uses SHA-256 hash comparison for O(1) lookup.
+     */
+    validateToken(token) {
+        const tokenHash = crypto.createHash('sha256').update(token).digest('hex');
+        const row = this.db.prepare('SELECT * FROM users WHERE token_hash = ?').get(tokenHash);
+        return row ? this.rowToUser(row) : null;
+    }
+    /**
+     * Remove a user by name.
+     */
+    remove(name) {
+        const result = this.db.prepare('DELETE FROM users WHERE name = ?').run(name);
+        return result.changes > 0;
+    }
+    /**
+     * Update a user's role.
+     */
+    updateRole(params) {
+        if (!VALID_ROLES.includes(params.role)) {
+            throw new Error(`Invalid role "${params.role}". Must be one of: ${VALID_ROLES.join(', ')}`);
+        }
+        const user = this.getByName(params.name);
+        if (!user) {
+            throw new Error(`No user found with name "${params.name}"`);
+        }
+        this.db
+            .prepare("UPDATE users SET role = ?, updated_at = datetime('now') WHERE name = ?")
+            .run(params.role, params.name);
+        return {
+            ...user,
+            role: params.role,
+            updatedAt: new Date().toISOString(),
+        };
+    }
+    /**
+     * Regenerate a user's token. Issues a new token, invalidates the old one.
+     *
+     * The user keeps their identity (id, name, role).
+     * Only the token changes.
+     *
+     * Returns the user with the new token (shown once), or null if not found.
+     */
+    regenerateToken(name) {
+        const user = this.getByName(name);
+        if (!user)
+            return null;
+        const uuid = crypto.randomUUID();
+        const hmac = crypto
+            .createHmac('sha256', this.derivedKey)
+            .update(uuid)
+            .digest('hex')
+            .slice(0, 16);
+        const token = `aegis_user_${uuid}_${hmac}`;
+        const tokenHash = crypto.createHash('sha256').update(token).digest('hex');
+        const tokenPrefix = token.slice(0, 17);
+        this.db
+            .prepare(`UPDATE users SET token_hash = ?, token_prefix = ?, updated_at = datetime('now') WHERE id = ?`)
+            .run(tokenHash, tokenPrefix, user.id);
+        return {
+            ...user,
+            tokenPrefix,
+            token,
+            updatedAt: new Date().toISOString(),
+        };
+    }
+    /**
+     * Check if a user has a specific permission.
+     */
+    checkPermission(name, permission) {
+        const user = this.getByName(name);
+        if (!user)
+            return false;
+        return hasPermission(user.role, permission);
+    }
+    /**
+     * Count users. Used by init to determine if initial admin setup is needed.
+     */
+    count() {
+        const row = this.db.prepare('SELECT COUNT(*) as count FROM users').get();
+        return row.count;
+    }
+    // ─── Internal ───────────────────────────────────────────────────
+    rowToUser(row) {
+        return {
+            id: row.id,
+            name: row.name,
+            role: row.role,
+            tokenPrefix: row.token_prefix,
+            createdAt: row.created_at,
+            updatedAt: row.updated_at,
+        };
+    }
+}
+//# sourceMappingURL=user.js.map

package/dist/user/user.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"user.js","sourceRoot":"","sources":["../../src/user/user.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,MAAM,aAAa,CAAC;AAatC,MAAM,CAAC,MAAM,WAAW,GAAwB,CAAC,OAAO,EAAE,UAAU,EAAE,QAAQ,CAAU,CAAC;AAwBzF;;;GAGG;AACH,MAAM,gBAAgB,GAA8C;IAClE,KAAK,EAAE,IAAI,GAAG,CAAa;QACzB,YAAY;QACZ,aAAa;QACb,cAAc;QACd,YAAY;QACZ,aAAa;QACb,aAAa;QACb,eAAe;QACf,YAAY;QACZ,aAAa;QACb,cAAc;QACd,cAAc;QACd,eAAe;QACf,WAAW;QACX,YAAY;QACZ,gBAAgB;QAChB,YAAY;KACb,CAAC;IACF,QAAQ,EAAE,IAAI,GAAG,CAAa;QAC5B,YAAY;QACZ,YAAY;QACZ,aAAa;QACb,aAAa;QACb,eAAe;QACf,YAAY;QACZ,aAAa;QACb,cAAc;QACd,gBAAgB;QAChB,YAAY;KACb,CAAC;IACF,MAAM,EAAE,IAAI,GAAG,CAAa,CAAC,YAAY,EAAE,aAAa,EAAE,gBAAgB,EAAE,YAAY,CAAC,CAAC;CAC3F,CAAC;AAEF;;GAEG;AACH,MAAM,UAAU,aAAa,CAAC,IAAc,EAAE,UAAsB;IAClE,OAAO,gBAAgB,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;AAChD,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,IAAc;IAC3C,OAAO,gBAAgB,CAAC,IAAI,CAAC,CAAC;AAChC,CAAC;AA2BD,mEAAmE;AAEnE;;;;;;;;;;GAUG;AACH,MAAM,OAAO,YAAY;IAIb;IAHF,UAAU,CAAS;IAE3B,YACU,EAAqB,EAC7B,UAAkB;QADV,OAAE,GAAF,EAAE,CAAmB;QAG7B,IAAI,CAAC,UAAU,GAAG,UAAU,CAAC;IAC/B,CAAC;IAED;;;;OAIG;IACH,GAAG,CAAC,MAAwC;QAC1C,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;YACvC,MAAM,IAAI,KAAK,CAAC,iBAAiB,MAAM,CAAC,IAAI,sBAAsB,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAC9F,CAAC;QAED,MAAM,EAAE,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;QAC/B,MAAM,IAAI,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;QAEjC,oEAAoE;QACpE,MAAM,IAAI,GAAG,MAAM;aAChB,UAAU,CAAC,QAAQ,EAAE,IAAI,CAAC,UAAU,CAAC;aACrC,MAAM,CAAC,IAAI,CAAC;aACZ,MAAM,CAAC,KAAK,CAAC;aACb,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QAChB,MAAM,KAAK,GAAG,cAAc,IAAI,IAAI,IAAI,EAAE,CAAC;QAE3C,mFAAmF;QACnF,MAAM,SAAS,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAC1E,MAAM,WAAW,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,0BAA0B;QAElE,IAAI,CAAC,EAAE;aACJ,OAAO,CACN;gCACwB,CACzB;aACA,GAAG,CAAC,EAAE,EAAE,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,EAAE,SAAS,EAAE,WAAW,CAAC,CAAC;QAE7D,OAAO;YACL,EAAE;YACF,IAAI,EAAE,MAAM,CAAC,IAAI;YACjB,IAAI,EAAE,MAAM,CAAC,IAAI;YACjB,WAAW;YACX,KAAK;YACL,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACpC,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,IAAI;QACF,MAAM,IAAI,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,8CAA8C,CAAC,CAAC,GAAG,EAAe,CAAC;QAEhG,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC;IAChD,CAAC;IAED;;OAEG;IACH,SAAS,CAAC,IAAY;QACpB,MAAM,GAAG,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,oCAAoC,CAAC,CAAC,GAAG,CAAC,IAAI,CAE7D,CAAC;QACd,OAAO,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAC1C,CAAC;IAED;;;;OAIG;IACH,aAAa,CAAC,KAAa;QACzB,MAAM,SAAS,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAC1E,MAAM,GAAG,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,0CAA0C,CAAC,CAAC,GAAG,CAAC,SAAS,CAExE,CAAC;QAEd,OAAO,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAC1C,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,IAAY;QACjB,MAAM,MAAM,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,kCAAkC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QAC7E,OAAO,MAAM,CAAC,OAAO,GAAG,CAAC,CAAC;IAC5B,CAAC;IAED;;OAEG;IACH,UAAU,CAAC,MAAwC;QACjD,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;YACvC,MAAM,IAAI,KAAK,CAAC,iBAAiB,MAAM,CAAC,IAAI,sBAAsB,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAC9F,CAAC;QAED,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QACzC,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,MAAM,IAAI,KAAK,CAAC,4BAA4B,MAAM,CAAC,IAAI,GAAG,CAAC,CAAC;QAC9D,CAAC;QAED,IAAI,CAAC,EAAE;aACJ,OAAO,CAAC,wEAAwE,CAAC;aACjF,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC;QAEjC,OAAO;YACL,GAAG,IAAI;YACP,IAAI,EAAE,MAAM,CAAC,IAAI;YACjB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACpC,CAAC;IACJ,CAAC;IAED;;;;;;;OAOG;IACH,eAAe,CAAC,IAAY;QAC1B,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;QAClC,IAAI,CAAC,IAAI;YAAE,OAAO,IAAI,CAAC;QAEvB,MAAM,IAAI,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;QACjC,MAAM,IAAI,GAAG,MAAM;aAChB,UAAU,CAAC,QAAQ,EAAE,IAAI,CAAC,UAAU,CAAC;aACrC,MAAM,CAAC,IAAI,CAAC;aACZ,MAAM,CAAC,KAAK,CAAC;aACb,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QAChB,MAAM,KAAK,GAAG,cAAc,IAAI,IAAI,IAAI,EAAE,CAAC;QAE3C,MAAM,SAAS,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAC1E,MAAM,WAAW,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QAEvC,IAAI,CAAC,EAAE;aACJ,OAAO,CACN,8FAA8F,CAC/F;aACA,GAAG,CAAC,SAAS,EAAE,WAAW,EAAE,IAAI,CAAC,EAAE,CAAC,CAAC;QAExC,OAAO;YACL,GAAG,IAAI;YACP,WAAW;YACX,KAAK;YACL,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACpC,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,eAAe,CAAC,IAAY,EAAE,UAAsB;QAClD,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;QAClC,IAAI,CAAC,IAAI;YAAE,OAAO,KAAK,CAAC;QACxB,OAAO,aAAa,CAAC,IAAI,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;IAC9C,CAAC;IAED;;OAEG;IACH,KAAK;QACH,MAAM,GAAG,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,qCAAqC,CAAC,CAAC,GAAG,EAAuB,CAAC;QAC9F,OAAO,GAAG,CAAC,KAAK,CAAC;IACnB,CAAC;IAED,mEAAmE;IAE3D,SAAS,CAAC,GAAY;QAC5B,OAAO;YACL,EAAE,EAAE,GAAG,CAAC,EAAE;YACV,IAAI,EAAE,GAAG,CAAC,IAAI;YACd,IAAI,EAAE,GAAG,CAAC,IAAgB;YAC1B,WAAW,EAAE,GAAG,CAAC,YAAY;YAC7B,SAAS,EAAE,GAAG,CAAC,UAAU;YACzB,SAAS,EAAE,GAAG,CAAC,UAAU;SAC1B,CAAC;IACJ,CAAC;CACF"}

package/dist/vault/crypto.d.ts ADDED Viewed

@@ -0,0 +1,28 @@
+/**
+ * Generate a cryptographically random salt for PBKDF2 key derivation.
+ * Should be called once during `aegis init` and persisted alongside the master key.
+ */
+export declare function generateSalt(): string;
+/**
+ * Derives a 256-bit encryption key from the master key using PBKDF2.
+ *
+ * @param masterKey  High-entropy master secret
+ * @param salt       Per-deployment salt (use {@link generateSalt} to create one)
+ */
+export declare function deriveKey(masterKey: string, salt?: Buffer | string): Buffer;
+export interface EncryptedData {
+    encrypted: Buffer;
+    iv: Buffer;
+    authTag: Buffer;
+}
+/**
+ * Encrypts a plaintext credential using AES-256-GCM.
+ * Accepts a pre-derived key so callers can cache the expensive PBKDF2 result.
+ */
+export declare function encrypt(plaintext: string, key: Buffer): EncryptedData;
+/**
+ * Decrypts an AES-256-GCM encrypted credential.
+ * Accepts a pre-derived key so callers can cache the expensive PBKDF2 result.
+ */
+export declare function decrypt(data: EncryptedData, key: Buffer): string;
+//# sourceMappingURL=crypto.d.ts.map

package/dist/vault/crypto.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"crypto.d.ts","sourceRoot":"","sources":["../../src/vault/crypto.ts"],"names":[],"mappings":"AASA;;;GAGG;AACH,wBAAgB,YAAY,IAAI,MAAM,CAErC;AAED;;;;;GAKG;AACH,wBAAgB,SAAS,CAAC,SAAS,EAAE,MAAM,EAAE,IAAI,GAAE,MAAM,GAAG,MAAqB,GAAG,MAAM,CAEzF;AAED,MAAM,WAAW,aAAa;IAC5B,SAAS,EAAE,MAAM,CAAC;IAClB,EAAE,EAAE,MAAM,CAAC;IACX,OAAO,EAAE,MAAM,CAAC;CACjB;AAED;;;GAGG;AACH,wBAAgB,OAAO,CAAC,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,aAAa,CAQrE;AAED;;;GAGG;AACH,wBAAgB,OAAO,CAAC,IAAI,EAAE,aAAa,EAAE,GAAG,EAAE,MAAM,GAAG,MAAM,CAMhE"}

package/dist/vault/crypto.js ADDED Viewed

@@ -0,0 +1,44 @@
+import * as crypto from 'node:crypto';
+const ALGORITHM = 'aes-256-gcm';
+const KEY_LENGTH = 32;
+const IV_LENGTH = 16;
+/** Default salt kept for backward-compatibility with pre-v0.2 vaults. */
+const DEFAULT_SALT = 'aegis-vault-v1';
+/**
+ * Generate a cryptographically random salt for PBKDF2 key derivation.
+ * Should be called once during `aegis init` and persisted alongside the master key.
+ */
+export function generateSalt() {
+    return crypto.randomBytes(32).toString('hex');
+}
+/**
+ * Derives a 256-bit encryption key from the master key using PBKDF2.
+ *
+ * @param masterKey  High-entropy master secret
+ * @param salt       Per-deployment salt (use {@link generateSalt} to create one)
+ */
+export function deriveKey(masterKey, salt = DEFAULT_SALT) {
+    return crypto.pbkdf2Sync(masterKey, salt, 100_000, KEY_LENGTH, 'sha512');
+}
+/**
+ * Encrypts a plaintext credential using AES-256-GCM.
+ * Accepts a pre-derived key so callers can cache the expensive PBKDF2 result.
+ */
+export function encrypt(plaintext, key) {
+    const iv = crypto.randomBytes(IV_LENGTH);
+    const cipher = crypto.createCipheriv(ALGORITHM, key, iv);
+    const encrypted = Buffer.concat([cipher.update(plaintext, 'utf-8'), cipher.final()]);
+    const authTag = cipher.getAuthTag();
+    return { encrypted, iv, authTag };
+}
+/**
+ * Decrypts an AES-256-GCM encrypted credential.
+ * Accepts a pre-derived key so callers can cache the expensive PBKDF2 result.
+ */
+export function decrypt(data, key) {
+    const decipher = crypto.createDecipheriv(ALGORITHM, key, data.iv);
+    decipher.setAuthTag(data.authTag);
+    const decrypted = Buffer.concat([decipher.update(data.encrypted), decipher.final()]);
+    return decrypted.toString('utf-8');
+}
+//# sourceMappingURL=crypto.js.map

package/dist/vault/crypto.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"crypto.js","sourceRoot":"","sources":["../../src/vault/crypto.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,MAAM,aAAa,CAAC;AAEtC,MAAM,SAAS,GAAG,aAAa,CAAC;AAChC,MAAM,UAAU,GAAG,EAAE,CAAC;AACtB,MAAM,SAAS,GAAG,EAAE,CAAC;AAErB,yEAAyE;AACzE,MAAM,YAAY,GAAG,gBAAgB,CAAC;AAEtC;;;GAGG;AACH,MAAM,UAAU,YAAY;IAC1B,OAAO,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;AAChD,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,SAAS,CAAC,SAAiB,EAAE,OAAwB,YAAY;IAC/E,OAAO,MAAM,CAAC,UAAU,CAAC,SAAS,EAAE,IAAI,EAAE,OAAO,EAAE,UAAU,EAAE,QAAQ,CAAC,CAAC;AAC3E,CAAC;AAQD;;;GAGG;AACH,MAAM,UAAU,OAAO,CAAC,SAAiB,EAAE,GAAW;IACpD,MAAM,EAAE,GAAG,MAAM,CAAC,WAAW,CAAC,SAAS,CAAC,CAAC;IACzC,MAAM,MAAM,GAAG,MAAM,CAAC,cAAc,CAAC,SAAS,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IAEzD,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,OAAO,CAAC,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IACrF,MAAM,OAAO,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;IAEpC,OAAO,EAAE,SAAS,EAAE,EAAE,EAAE,OAAO,EAAE,CAAC;AACpC,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,OAAO,CAAC,IAAmB,EAAE,GAAW;IACtD,MAAM,QAAQ,GAAG,MAAM,CAAC,gBAAgB,CAAC,SAAS,EAAE,GAAG,EAAE,IAAI,CAAC,EAAE,CAAC,CAAC;IAClE,QAAQ,CAAC,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAElC,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IACrF,OAAO,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;AACrC,CAAC"}

package/dist/vault/index.d.ts ADDED Viewed

@@ -0,0 +1,10 @@
+export { decrypt, deriveKey, encrypt, generateSalt } from './crypto.js';
+export type { SealConfig } from './seal.js';
+export { SealManager } from './seal.js';
+export type { ShamirShare } from './shamir.js';
+export { combine, decodeShare, encodeShare, split } from './shamir.js';
+export type { AuthType, Credential, CredentialWithSecret, } from './vault.js';
+export { Vault } from './vault.js';
+export type { VaultInfo } from './vault-manager.js';
+export { VaultManager } from './vault-manager.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/vault/index.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/vault/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AACxE,YAAY,EAAE,UAAU,EAAE,MAAM,WAAW,CAAC;AAC5C,OAAO,EAAE,WAAW,EAAE,MAAM,WAAW,CAAC;AACxC,YAAY,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC/C,OAAO,EAAE,OAAO,EAAE,WAAW,EAAE,WAAW,EAAE,KAAK,EAAE,MAAM,aAAa,CAAC;AACvE,YAAY,EACV,QAAQ,EACR,UAAU,EACV,oBAAoB,GACrB,MAAM,YAAY,CAAC;AACpB,OAAO,EAAE,KAAK,EAAE,MAAM,YAAY,CAAC;AACnC,YAAY,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AACpD,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC"}

package/dist/vault/index.js ADDED Viewed

@@ -0,0 +1,6 @@
+export { decrypt, deriveKey, encrypt, generateSalt } from './crypto.js';
+export { SealManager } from './seal.js';
+export { combine, decodeShare, encodeShare, split } from './shamir.js';
+export { Vault } from './vault.js';
+export { VaultManager } from './vault-manager.js';
+//# sourceMappingURL=index.js.map

package/dist/vault/index.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/vault/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAExE,OAAO,EAAE,WAAW,EAAE,MAAM,WAAW,CAAC;AAExC,OAAO,EAAE,OAAO,EAAE,WAAW,EAAE,WAAW,EAAE,KAAK,EAAE,MAAM,aAAa,CAAC;AAMvE,OAAO,EAAE,KAAK,EAAE,MAAM,YAAY,CAAC;AAEnC,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC"}

package/dist/vault/seal.d.ts ADDED Viewed

@@ -0,0 +1,68 @@
+/**
+ * Persistent seal configuration (stored in .aegis/.seal-config.json).
+ * Tracks threshold, total share count, and a key hash for verification.
+ * Never stores the master key or shares.
+ */
+export interface SealConfig {
+    /** Minimum shares required to reconstruct the master key. */
+    threshold: number;
+    /** Total shares that were generated. */
+    totalShares: number;
+    /** SHA-256 hash of the master key (hex) — used to verify reconstruction. */
+    keyHash: string;
+    /** ISO timestamp of when key splitting was configured. */
+    createdAt: string;
+}
+/**
+ * Manages vault seal state — key splitting configuration, unseal key
+ * storage, and sealed/unsealed transitions.
+ *
+ * Modelled after HashiCorp Vault's seal/unseal mechanism, adapted for
+ * CLI (non-daemon) usage: the reconstructed key is persisted to a
+ * restricted file instead of held in memory.
+ *
+ * Files managed:
+ *   .aegis/.seal-config.json  — threshold, share count, key hash
+ *   .aegis/.unseal-key        — reconstructed master key (mode 0600)
+ */
+export declare class SealManager {
+    private dataDir;
+    private configPath;
+    private unsealKeyPath;
+    constructor(dataDir: string);
+    /**
+     * Enable key splitting — stores threshold, share count, and a SHA-256
+     * hash of the master key for post-reconstruction verification.
+     */
+    enableSplit(threshold: number, totalShares: number, masterKey: string): void;
+    /** Read seal configuration, or null if key splitting is not configured. */
+    getSealConfig(): SealConfig | null;
+    /** Whether key splitting has been configured for this deployment. */
+    isSplitEnabled(): boolean;
+    /**
+     * Verify a reconstructed master key against the stored hash.
+     * Uses timing-safe comparison to prevent side-channel leaks.
+     */
+    verifyKey(masterKey: string): boolean;
+    /**
+     * Write the reconstructed master key to the unseal key file.
+     * File is created with mode 0600 (owner read/write only).
+     */
+    writeUnsealKey(masterKey: string): void;
+    /** Read the unseal key, or null if the vault is sealed. */
+    readUnsealKey(): string | null;
+    /** Whether the vault is currently unsealed (unseal key file exists). */
+    isUnsealed(): boolean;
+    /**
+     * Seal the vault — securely remove the unseal key file.
+     * Overwrites the file with zeros before unlinking (defense in depth
+     * against filesystem journal recovery).
+     */
+    seal(): void;
+    /**
+     * Remove seal configuration entirely — reverts to standard master key mode.
+     * Also removes any existing unseal key.
+     */
+    removeSealConfig(): void;
+}
+//# sourceMappingURL=seal.d.ts.map

package/dist/vault/seal.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"seal.d.ts","sourceRoot":"","sources":["../../src/vault/seal.ts"],"names":[],"mappings":"AAIA;;;;GAIG;AACH,MAAM,WAAW,UAAU;IACzB,6DAA6D;IAC7D,SAAS,EAAE,MAAM,CAAC;IAClB,wCAAwC;IACxC,WAAW,EAAE,MAAM,CAAC;IACpB,4EAA4E;IAC5E,OAAO,EAAE,MAAM,CAAC;IAChB,0DAA0D;IAC1D,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;;;;;;;;;;GAWG;AACH,qBAAa,WAAW;IAIV,OAAO,CAAC,OAAO;IAH3B,OAAO,CAAC,UAAU,CAAS;IAC3B,OAAO,CAAC,aAAa,CAAS;gBAEV,OAAO,EAAE,MAAM;IAKnC;;;OAGG;IACH,WAAW,CAAC,SAAS,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,IAAI;IAiB5E,2EAA2E;IAC3E,aAAa,IAAI,UAAU,GAAG,IAAI;IAMlC,qEAAqE;IACrE,cAAc,IAAI,OAAO;IAIzB;;;OAGG;IACH,SAAS,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO;IAOrC;;;OAGG;IACH,cAAc,CAAC,SAAS,EAAE,MAAM,GAAG,IAAI;IAOvC,2DAA2D;IAC3D,aAAa,IAAI,MAAM,GAAG,IAAI;IAK9B,wEAAwE;IACxE,UAAU,IAAI,OAAO;IAIrB;;;;OAIG;IACH,IAAI,IAAI,IAAI;IAQZ;;;OAGG;IACH,gBAAgB,IAAI,IAAI;CAMzB"}

package/dist/vault/seal.js ADDED Viewed

@@ -0,0 +1,110 @@
+import * as crypto from 'node:crypto';
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+/**
+ * Manages vault seal state — key splitting configuration, unseal key
+ * storage, and sealed/unsealed transitions.
+ *
+ * Modelled after HashiCorp Vault's seal/unseal mechanism, adapted for
+ * CLI (non-daemon) usage: the reconstructed key is persisted to a
+ * restricted file instead of held in memory.
+ *
+ * Files managed:
+ *   .aegis/.seal-config.json  — threshold, share count, key hash
+ *   .aegis/.unseal-key        — reconstructed master key (mode 0600)
+ */
+export class SealManager {
+    dataDir;
+    configPath;
+    unsealKeyPath;
+    constructor(dataDir) {
+        this.dataDir = dataDir;
+        this.configPath = path.join(dataDir, '.seal-config.json');
+        this.unsealKeyPath = path.join(dataDir, '.unseal-key');
+    }
+    /**
+     * Enable key splitting — stores threshold, share count, and a SHA-256
+     * hash of the master key for post-reconstruction verification.
+     */
+    enableSplit(threshold, totalShares, masterKey) {
+        if (threshold < 2)
+            throw new Error('Threshold must be at least 2.');
+        if (totalShares < threshold)
+            throw new Error('Total shares must be ≥ threshold.');
+        const config = {
+            threshold,
+            totalShares,
+            keyHash: crypto.createHash('sha256').update(masterKey).digest('hex'),
+            createdAt: new Date().toISOString(),
+        };
+        if (!fs.existsSync(this.dataDir)) {
+            fs.mkdirSync(this.dataDir, { recursive: true });
+        }
+        fs.writeFileSync(this.configPath, JSON.stringify(config, null, 2), { mode: 0o600 });
+    }
+    /** Read seal configuration, or null if key splitting is not configured. */
+    getSealConfig() {
+        if (!fs.existsSync(this.configPath))
+            return null;
+        const content = fs.readFileSync(this.configPath, 'utf-8');
+        return JSON.parse(content);
+    }
+    /** Whether key splitting has been configured for this deployment. */
+    isSplitEnabled() {
+        return this.getSealConfig() !== null;
+    }
+    /**
+     * Verify a reconstructed master key against the stored hash.
+     * Uses timing-safe comparison to prevent side-channel leaks.
+     */
+    verifyKey(masterKey) {
+        const config = this.getSealConfig();
+        if (!config)
+            return false;
+        const hash = crypto.createHash('sha256').update(masterKey).digest('hex');
+        return crypto.timingSafeEqual(Buffer.from(hash, 'hex'), Buffer.from(config.keyHash, 'hex'));
+    }
+    /**
+     * Write the reconstructed master key to the unseal key file.
+     * File is created with mode 0600 (owner read/write only).
+     */
+    writeUnsealKey(masterKey) {
+        if (!fs.existsSync(this.dataDir)) {
+            fs.mkdirSync(this.dataDir, { recursive: true });
+        }
+        fs.writeFileSync(this.unsealKeyPath, masterKey, { mode: 0o600 });
+    }
+    /** Read the unseal key, or null if the vault is sealed. */
+    readUnsealKey() {
+        if (!fs.existsSync(this.unsealKeyPath))
+            return null;
+        return fs.readFileSync(this.unsealKeyPath, 'utf-8').trim();
+    }
+    /** Whether the vault is currently unsealed (unseal key file exists). */
+    isUnsealed() {
+        return fs.existsSync(this.unsealKeyPath);
+    }
+    /**
+     * Seal the vault — securely remove the unseal key file.
+     * Overwrites the file with zeros before unlinking (defense in depth
+     * against filesystem journal recovery).
+     */
+    seal() {
+        if (fs.existsSync(this.unsealKeyPath)) {
+            const stat = fs.statSync(this.unsealKeyPath);
+            fs.writeFileSync(this.unsealKeyPath, Buffer.alloc(stat.size, 0));
+            fs.unlinkSync(this.unsealKeyPath);
+        }
+    }
+    /**
+     * Remove seal configuration entirely — reverts to standard master key mode.
+     * Also removes any existing unseal key.
+     */
+    removeSealConfig() {
+        if (fs.existsSync(this.configPath)) {
+            fs.unlinkSync(this.configPath);
+        }
+        this.seal();
+    }
+}
+//# sourceMappingURL=seal.js.map

package/dist/vault/seal.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"seal.js","sourceRoot":"","sources":["../../src/vault/seal.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,MAAM,aAAa,CAAC;AACtC,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAkBlC;;;;;;;;;;;GAWG;AACH,MAAM,OAAO,WAAW;IAIF;IAHZ,UAAU,CAAS;IACnB,aAAa,CAAS;IAE9B,YAAoB,OAAe;QAAf,YAAO,GAAP,OAAO,CAAQ;QACjC,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,mBAAmB,CAAC,CAAC;QAC1D,IAAI,CAAC,aAAa,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC;IACzD,CAAC;IAED;;;OAGG;IACH,WAAW,CAAC,SAAiB,EAAE,WAAmB,EAAE,SAAiB;QACnE,IAAI,SAAS,GAAG,CAAC;YAAE,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;QACpE,IAAI,WAAW,GAAG,SAAS;YAAE,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAC;QAElF,MAAM,MAAM,GAAe;YACzB,SAAS;YACT,WAAW;YACX,OAAO,EAAE,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;YACpE,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACpC,CAAC;QAEF,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YACjC,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAClD,CAAC;QACD,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IACtF,CAAC;IAED,2EAA2E;IAC3E,aAAa;QACX,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,UAAU,CAAC;YAAE,OAAO,IAAI,CAAC;QACjD,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;QAC1D,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO,CAAe,CAAC;IAC3C,CAAC;IAED,qEAAqE;IACrE,cAAc;QACZ,OAAO,IAAI,CAAC,aAAa,EAAE,KAAK,IAAI,CAAC;IACvC,CAAC;IAED;;;OAGG;IACH,SAAS,CAAC,SAAiB;QACzB,MAAM,MAAM,GAAG,IAAI,CAAC,aAAa,EAAE,CAAC;QACpC,IAAI,CAAC,MAAM;YAAE,OAAO,KAAK,CAAC;QAC1B,MAAM,IAAI,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACzE,OAAO,MAAM,CAAC,eAAe,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,KAAK,CAAC,EAAE,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC,CAAC;IAC9F,CAAC;IAED;;;OAGG;IACH,cAAc,CAAC,SAAiB;QAC9B,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YACjC,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAClD,CAAC;QACD,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,aAAa,EAAE,SAAS,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IACnE,CAAC;IAED,2DAA2D;IAC3D,aAAa;QACX,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,aAAa,CAAC;YAAE,OAAO,IAAI,CAAC;QACpD,OAAO,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,aAAa,EAAE,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC;IAC7D,CAAC;IAED,wEAAwE;IACxE,UAAU;QACR,OAAO,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;IAC3C,CAAC;IAED;;;;OAIG;IACH,IAAI;QACF,IAAI,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,aAAa,CAAC,EAAE,CAAC;YACtC,MAAM,IAAI,GAAG,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;YAC7C,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,aAAa,EAAE,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;YACjE,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QACpC,CAAC;IACH,CAAC;IAED;;;OAGG;IACH,gBAAgB;QACd,IAAI,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC;YACnC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACjC,CAAC;QACD,IAAI,CAAC,IAAI,EAAE,CAAC;IACd,CAAC;CACF"}

package/dist/vault/shamir.d.ts ADDED Viewed

@@ -0,0 +1,33 @@
+/** A single share from Shamir's Secret Sharing. */
+export interface ShamirShare {
+    /** Share index (1–255). Each share must have a unique index. */
+    index: number;
+    /** Share data — same length as the original secret. */
+    data: Buffer;
+}
+/**
+ * Split a secret into `totalShares` shares, requiring `threshold` to reconstruct.
+ *
+ * @param secret      The secret to split (arbitrary-length Buffer).
+ * @param threshold   Minimum shares needed for reconstruction (2 ≤ t ≤ n).
+ * @param totalShares Number of shares to produce (t ≤ n ≤ 255).
+ * @returns Array of shares, each with a unique index and data.
+ */
+export declare function split(secret: Buffer, threshold: number, totalShares: number): ShamirShare[];
+/**
+ * Reconstruct a secret from shares using Lagrange interpolation at x = 0.
+ *
+ * @param shares  At least `threshold` shares with unique indices.
+ * @returns The reconstructed secret.
+ */
+export declare function combine(shares: ShamirShare[]): Buffer;
+/**
+ * Encode a share as a human-readable string.
+ * Format: `aegis_share_<index_hex>_<data_hex>`
+ */
+export declare function encodeShare(share: ShamirShare): string;
+/**
+ * Decode a share from its string representation.
+ */
+export declare function decodeShare(encoded: string): ShamirShare;
+//# sourceMappingURL=shamir.d.ts.map

package/dist/vault/shamir.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"shamir.d.ts","sourceRoot":"","sources":["../../src/vault/shamir.ts"],"names":[],"mappings":"AA8EA,mDAAmD;AACnD,MAAM,WAAW,WAAW;IAC1B,gEAAgE;IAChE,KAAK,EAAE,MAAM,CAAC;IACd,uDAAuD;IACvD,IAAI,EAAE,MAAM,CAAC;CACd;AAED;;;;;;;GAOG;AACH,wBAAgB,KAAK,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,WAAW,EAAE,CA4B3F;AAED;;;;;GAKG;AACH,wBAAgB,OAAO,CAAC,MAAM,EAAE,WAAW,EAAE,GAAG,MAAM,CAuCrD;AAED;;;GAGG;AACH,wBAAgB,WAAW,CAAC,KAAK,EAAE,WAAW,GAAG,MAAM,CAGtD;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,OAAO,EAAE,MAAM,GAAG,WAAW,CAuBxD"}