@getaegis/cli 0.8.0 → 0.9.0

package/dist/key-storage/key-storage.d.ts

@@ -0,0 +1,41 @@
+/**
+ * Cross-platform key storage abstraction.
+ *
+ * Provides a unified interface for storing the Aegis master key in
+ * OS-managed credential stores, keeping it out of plaintext files.
+ *
+ * Resolution order (auto-detect):
+ *   macOS   → Keychain (`security` CLI)
+ *   Windows → Credential Manager (`cmdkey` + PowerShell)
+ *   Linux   → Secret Service (`secret-tool` / libsecret)
+ *   Fallback → File (.aegis/.master-key, mode 0600)
+ */
+/** Backend identifier for display and diagnostics. */
+export type KeyStorageBackend = 'macos-keychain' | 'windows-credential-manager' | 'linux-secret-service' | 'file';
+/** Abstract key storage interface. All methods are synchronous to keep config loading simple. */
+export interface KeyStorage {
+    /** Human-readable backend name (e.g. "macOS Keychain"). */
+    readonly name: string;
+    /** Machine-readable backend identifier. */
+    readonly backend: KeyStorageBackend;
+    /** Check whether this backend is available on the current system. */
+    isAvailable(): boolean;
+    /** Retrieve the master key. Returns undefined if not stored. */
+    getKey(): string | undefined;
+    /** Store the master key (creates or replaces). */
+    setKey(key: string): void;
+    /** Delete the stored master key. No-op if not present. */
+    deleteKey(): void;
+}
+/** Check whether a CLI tool exists on PATH. Results are cached per process. */
+export declare function commandExists(command: string): boolean;
+/** Clear the commandExists cache (for testing). */
+export declare function clearCommandExistsCache(): void;
+/**
+ * Auto-detect the best available key storage backend for the current platform.
+ *
+ * @param dataDir  Path to the .aegis data directory (used by file fallback).
+ * @returns        A KeyStorage implementation.
+ */
+export declare function getKeyStorage(dataDir: string): KeyStorage;
+//# sourceMappingURL=key-storage.d.ts.map

package/dist/key-storage/key-storage.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"key-storage.d.ts","sourceRoot":"","sources":["../../src/key-storage/key-storage.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAWH,sDAAsD;AACtD,MAAM,MAAM,iBAAiB,GACzB,gBAAgB,GAChB,4BAA4B,GAC5B,sBAAsB,GACtB,MAAM,CAAC;AAEX,iGAAiG;AACjG,MAAM,WAAW,UAAU;IACzB,2DAA2D;IAC3D,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IAEtB,2CAA2C;IAC3C,QAAQ,CAAC,OAAO,EAAE,iBAAiB,CAAC;IAEpC,qEAAqE;IACrE,WAAW,IAAI,OAAO,CAAC;IAEvB,gEAAgE;IAChE,MAAM,IAAI,MAAM,GAAG,SAAS,CAAC;IAE7B,kDAAkD;IAClD,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,CAAC;IAE1B,0DAA0D;IAC1D,SAAS,IAAI,IAAI,CAAC;CACnB;AAOD,+EAA+E;AAC/E,wBAAgB,aAAa,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAetD;AAED,mDAAmD;AACnD,wBAAgB,uBAAuB,IAAI,IAAI,CAE9C;AAID;;;;;GAKG;AACH,wBAAgB,aAAa,CAAC,OAAO,EAAE,MAAM,GAAG,UAAU,CAoBzD"}

package/dist/key-storage/key-storage.js

@@ -0,0 +1,70 @@
+/**
+ * Cross-platform key storage abstraction.
+ *
+ * Provides a unified interface for storing the Aegis master key in
+ * OS-managed credential stores, keeping it out of plaintext files.
+ *
+ * Resolution order (auto-detect):
+ *   macOS   → Keychain (`security` CLI)
+ *   Windows → Credential Manager (`cmdkey` + PowerShell)
+ *   Linux   → Secret Service (`secret-tool` / libsecret)
+ *   Fallback → File (.aegis/.master-key, mode 0600)
+ */
+import { execFileSync } from 'node:child_process';
+import * as os from 'node:os';
+import { WindowsCredentialStorage } from './credential-manager-windows.js';
+import { FileFallbackStorage } from './file-fallback.js';
+import { MacOSKeychainStorage } from './keychain-macos.js';
+import { LinuxSecretServiceStorage } from './secret-service-linux.js';
+// ─── Helpers ──────────────────────────────────────────────────────
+/** Cache for commandExists results — avoids redundant subprocess calls. */
+const commandExistsCache = new Map();
+/** Check whether a CLI tool exists on PATH. Results are cached per process. */
+export function commandExists(command) {
+    const cached = commandExistsCache.get(command);
+    if (cached !== undefined)
+        return cached;
+    let exists;
+    try {
+        const which = os.platform() === 'win32' ? 'where' : 'which';
+        execFileSync(which, [command], { stdio: 'pipe' });
+        exists = true;
+    }
+    catch {
+        exists = false;
+    }
+    commandExistsCache.set(command, exists);
+    return exists;
+}
+/** Clear the commandExists cache (for testing). */
+export function clearCommandExistsCache() {
+    commandExistsCache.clear();
+}
+// ─── Factory ──────────────────────────────────────────────────────
+/**
+ * Auto-detect the best available key storage backend for the current platform.
+ *
+ * @param dataDir  Path to the .aegis data directory (used by file fallback).
+ * @returns        A KeyStorage implementation.
+ */
+export function getKeyStorage(dataDir) {
+    const platform = os.platform();
+    if (platform === 'darwin') {
+        const backend = new MacOSKeychainStorage();
+        if (backend.isAvailable())
+            return backend;
+    }
+    if (platform === 'win32') {
+        const backend = new WindowsCredentialStorage();
+        if (backend.isAvailable())
+            return backend;
+    }
+    if (platform === 'linux') {
+        const backend = new LinuxSecretServiceStorage();
+        if (backend.isAvailable())
+            return backend;
+    }
+    // Fallback: file-based storage
+    return new FileFallbackStorage(dataDir);
+}
+//# sourceMappingURL=key-storage.js.map

package/dist/key-storage/key-storage.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"key-storage.js","sourceRoot":"","sources":["../../src/key-storage/key-storage.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,EAAE,wBAAwB,EAAE,MAAM,iCAAiC,CAAC;AAC3E,OAAO,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AACzD,OAAO,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAC3D,OAAO,EAAE,yBAAyB,EAAE,MAAM,2BAA2B,CAAC;AAgCtE,qEAAqE;AAErE,2EAA2E;AAC3E,MAAM,kBAAkB,GAAG,IAAI,GAAG,EAAmB,CAAC;AAEtD,+EAA+E;AAC/E,MAAM,UAAU,aAAa,CAAC,OAAe;IAC3C,MAAM,MAAM,GAAG,kBAAkB,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IAC/C,IAAI,MAAM,KAAK,SAAS;QAAE,OAAO,MAAM,CAAC;IAExC,IAAI,MAAe,CAAC;IACpB,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,EAAE,CAAC,QAAQ,EAAE,KAAK,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC;QAC5D,YAAY,CAAC,KAAK,EAAE,CAAC,OAAO,CAAC,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;QAClD,MAAM,GAAG,IAAI,CAAC;IAChB,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,GAAG,KAAK,CAAC;IACjB,CAAC;IAED,kBAAkB,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IACxC,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,mDAAmD;AACnD,MAAM,UAAU,uBAAuB;IACrC,kBAAkB,CAAC,KAAK,EAAE,CAAC;AAC7B,CAAC;AAED,qEAAqE;AAErE;;;;;GAKG;AACH,MAAM,UAAU,aAAa,CAAC,OAAe;IAC3C,MAAM,QAAQ,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC;IAE/B,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC1B,MAAM,OAAO,GAAG,IAAI,oBAAoB,EAAE,CAAC;QAC3C,IAAI,OAAO,CAAC,WAAW,EAAE;YAAE,OAAO,OAAO,CAAC;IAC5C,CAAC;IAED,IAAI,QAAQ,KAAK,OAAO,EAAE,CAAC;QACzB,MAAM,OAAO,GAAG,IAAI,wBAAwB,EAAE,CAAC;QAC/C,IAAI,OAAO,CAAC,WAAW,EAAE;YAAE,OAAO,OAAO,CAAC;IAC5C,CAAC;IAED,IAAI,QAAQ,KAAK,OAAO,EAAE,CAAC;QACzB,MAAM,OAAO,GAAG,IAAI,yBAAyB,EAAE,CAAC;QAChD,IAAI,OAAO,CAAC,WAAW,EAAE;YAAE,OAAO,OAAO,CAAC;IAC5C,CAAC;IAED,+BAA+B;IAC/B,OAAO,IAAI,mBAAmB,CAAC,OAAO,CAAC,CAAC;AAC1C,CAAC"}

package/dist/key-storage/keychain-macos.d.ts

@@ -0,0 +1,19 @@
+/**
+ * macOS Keychain backend via the `security` CLI.
+ *
+ * Uses `security add-generic-password` / `find-generic-password` /
+ * `delete-generic-password` which ship with every macOS install.
+ *
+ * The key is stored in the user's login keychain under:
+ *   service: "aegis"   account: "master-key"
+ */
+import type { KeyStorage, KeyStorageBackend } from './key-storage.js';
+export declare class MacOSKeychainStorage implements KeyStorage {
+    readonly name = "macOS Keychain";
+    readonly backend: KeyStorageBackend;
+    isAvailable(): boolean;
+    getKey(): string | undefined;
+    setKey(key: string): void;
+    deleteKey(): void;
+}
+//# sourceMappingURL=keychain-macos.d.ts.map

package/dist/key-storage/keychain-macos.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"keychain-macos.d.ts","sourceRoot":"","sources":["../../src/key-storage/keychain-macos.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAGH,OAAO,KAAK,EAAE,UAAU,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AAMtE,qBAAa,oBAAqB,YAAW,UAAU;IACrD,QAAQ,CAAC,IAAI,oBAAoB;IACjC,QAAQ,CAAC,OAAO,EAAE,iBAAiB,CAAoB;IAEvD,WAAW,IAAI,OAAO;IAItB,MAAM,IAAI,MAAM,GAAG,SAAS;IAe5B,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI;IAazB,SAAS,IAAI,IAAI;CASlB"}

package/dist/key-storage/keychain-macos.js

@@ -0,0 +1,51 @@
+/**
+ * macOS Keychain backend via the `security` CLI.
+ *
+ * Uses `security add-generic-password` / `find-generic-password` /
+ * `delete-generic-password` which ship with every macOS install.
+ *
+ * The key is stored in the user's login keychain under:
+ *   service: "aegis"   account: "master-key"
+ */
+import { execFileSync } from 'node:child_process';
+import { commandExists } from './key-storage.js';
+const SERVICE = 'aegis';
+const ACCOUNT = 'master-key';
+export class MacOSKeychainStorage {
+    name = 'macOS Keychain';
+    backend = 'macos-keychain';
+    isAvailable() {
+        return process.platform === 'darwin' && commandExists('security');
+    }
+    getKey() {
+        try {
+            const result = execFileSync('security', ['find-generic-password', '-a', ACCOUNT, '-s', SERVICE, '-w'], { stdio: ['pipe', 'pipe', 'pipe'], encoding: 'utf-8' });
+            const key = result.trim();
+            return key || undefined;
+        }
+        catch {
+            // Item not found (exit code 44) or other error
+            return undefined;
+        }
+    }
+    setKey(key) {
+        // -U flag updates if the item already exists (prevents "already exists" error)
+        try {
+            execFileSync('security', ['add-generic-password', '-a', ACCOUNT, '-s', SERVICE, '-w', key, '-U'], { stdio: 'pipe' });
+        }
+        catch (err) {
+            throw new Error(`Failed to store key in macOS Keychain: ${err.message}`);
+        }
+    }
+    deleteKey() {
+        try {
+            execFileSync('security', ['delete-generic-password', '-a', ACCOUNT, '-s', SERVICE], {
+                stdio: 'pipe',
+            });
+        }
+        catch {
+            // Item not found — nothing to delete
+        }
+    }
+}
+//# sourceMappingURL=keychain-macos.js.map

package/dist/key-storage/keychain-macos.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"keychain-macos.js","sourceRoot":"","sources":["../../src/key-storage/keychain-macos.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAElD,OAAO,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AAEjD,MAAM,OAAO,GAAG,OAAO,CAAC;AACxB,MAAM,OAAO,GAAG,YAAY,CAAC;AAE7B,MAAM,OAAO,oBAAoB;IACtB,IAAI,GAAG,gBAAgB,CAAC;IACxB,OAAO,GAAsB,gBAAgB,CAAC;IAEvD,WAAW;QACT,OAAO,OAAO,CAAC,QAAQ,KAAK,QAAQ,IAAI,aAAa,CAAC,UAAU,CAAC,CAAC;IACpE,CAAC;IAED,MAAM;QACJ,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,YAAY,CACzB,UAAU,EACV,CAAC,uBAAuB,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,CAAC,EAC7D,EAAE,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,QAAQ,EAAE,OAAO,EAAE,CACvD,CAAC;YACF,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC;YAC1B,OAAO,GAAG,IAAI,SAAS,CAAC;QAC1B,CAAC;QAAC,MAAM,CAAC;YACP,+CAA+C;YAC/C,OAAO,SAAS,CAAC;QACnB,CAAC;IACH,CAAC;IAED,MAAM,CAAC,GAAW;QAChB,+EAA+E;QAC/E,IAAI,CAAC;YACH,YAAY,CACV,UAAU,EACV,CAAC,sBAAsB,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,EAAE,IAAI,CAAC,EACvE,EAAE,KAAK,EAAE,MAAM,EAAE,CAClB,CAAC;QACJ,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,IAAI,KAAK,CAAC,0CAA2C,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;QACtF,CAAC;IACH,CAAC;IAED,SAAS;QACP,IAAI,CAAC;YACH,YAAY,CAAC,UAAU,EAAE,CAAC,yBAAyB,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,CAAC,EAAE;gBAClF,KAAK,EAAE,MAAM;aACd,CAAC,CAAC;QACL,CAAC;QAAC,MAAM,CAAC;YACP,qCAAqC;QACvC,CAAC;IACH,CAAC;CACF"}

package/dist/key-storage/secret-service-linux.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Linux Secret Service backend via `secret-tool` (libsecret).
+ *
+ * Works with GNOME Keyring, KDE Wallet, KeePassXC, or any implementation
+ * of the freedesktop.org Secret Service D-Bus API.
+ *
+ * The key is stored with attributes:
+ *   application=aegis  type=master-key
+ */
+import type { KeyStorage, KeyStorageBackend } from './key-storage.js';
+export declare class LinuxSecretServiceStorage implements KeyStorage {
+    readonly name = "Linux Secret Service";
+    readonly backend: KeyStorageBackend;
+    isAvailable(): boolean;
+    getKey(): string | undefined;
+    setKey(key: string): void;
+    deleteKey(): void;
+}
+//# sourceMappingURL=secret-service-linux.d.ts.map

package/dist/key-storage/secret-service-linux.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"secret-service-linux.d.ts","sourceRoot":"","sources":["../../src/key-storage/secret-service-linux.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAGH,OAAO,KAAK,EAAE,UAAU,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AAMtE,qBAAa,yBAA0B,YAAW,UAAU;IAC1D,QAAQ,CAAC,IAAI,0BAA0B;IACvC,QAAQ,CAAC,OAAO,EAAE,iBAAiB,CAA0B;IAE7D,WAAW,IAAI,OAAO;IAItB,MAAM,IAAI,MAAM,GAAG,SAAS;IAc5B,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI;IAYzB,SAAS,IAAI,IAAI;CAOlB"}

package/dist/key-storage/secret-service-linux.js

@@ -0,0 +1,55 @@
+/**
+ * Linux Secret Service backend via `secret-tool` (libsecret).
+ *
+ * Works with GNOME Keyring, KDE Wallet, KeePassXC, or any implementation
+ * of the freedesktop.org Secret Service D-Bus API.
+ *
+ * The key is stored with attributes:
+ *   application=aegis  type=master-key
+ */
+import { execFileSync } from 'node:child_process';
+import { commandExists } from './key-storage.js';
+const ATTRS = ['application', 'aegis', 'type', 'master-key'];
+const LABEL = 'Aegis Master Key';
+export class LinuxSecretServiceStorage {
+    name = 'Linux Secret Service';
+    backend = 'linux-secret-service';
+    isAvailable() {
+        return process.platform === 'linux' && commandExists('secret-tool');
+    }
+    getKey() {
+        try {
+            const result = execFileSync('secret-tool', ['lookup', ...ATTRS], {
+                stdio: ['pipe', 'pipe', 'pipe'],
+                encoding: 'utf-8',
+            });
+            const key = result.trim();
+            return key || undefined;
+        }
+        catch {
+            // Secret not found or D-Bus not available
+            return undefined;
+        }
+    }
+    setKey(key) {
+        try {
+            // secret-tool reads the password from stdin
+            execFileSync('secret-tool', ['store', '--label', LABEL, ...ATTRS], {
+                input: key,
+                stdio: ['pipe', 'pipe', 'pipe'],
+            });
+        }
+        catch (err) {
+            throw new Error(`Failed to store key in Secret Service: ${err.message}`);
+        }
+    }
+    deleteKey() {
+        try {
+            execFileSync('secret-tool', ['clear', ...ATTRS], { stdio: 'pipe' });
+        }
+        catch {
+            // Secret not found — nothing to delete
+        }
+    }
+}
+//# sourceMappingURL=secret-service-linux.js.map

package/dist/key-storage/secret-service-linux.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secret-service-linux.js","sourceRoot":"","sources":["../../src/key-storage/secret-service-linux.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAElD,OAAO,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AAEjD,MAAM,KAAK,GAAG,CAAC,aAAa,EAAE,OAAO,EAAE,MAAM,EAAE,YAAY,CAAC,CAAC;AAC7D,MAAM,KAAK,GAAG,kBAAkB,CAAC;AAEjC,MAAM,OAAO,yBAAyB;IAC3B,IAAI,GAAG,sBAAsB,CAAC;IAC9B,OAAO,GAAsB,sBAAsB,CAAC;IAE7D,WAAW;QACT,OAAO,OAAO,CAAC,QAAQ,KAAK,OAAO,IAAI,aAAa,CAAC,aAAa,CAAC,CAAC;IACtE,CAAC;IAED,MAAM;QACJ,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,YAAY,CAAC,aAAa,EAAE,CAAC,QAAQ,EAAE,GAAG,KAAK,CAAC,EAAE;gBAC/D,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;gBAC/B,QAAQ,EAAE,OAAO;aAClB,CAAC,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC;YAC1B,OAAO,GAAG,IAAI,SAAS,CAAC;QAC1B,CAAC;QAAC,MAAM,CAAC;YACP,0CAA0C;YAC1C,OAAO,SAAS,CAAC;QACnB,CAAC;IACH,CAAC;IAED,MAAM,CAAC,GAAW;QAChB,IAAI,CAAC;YACH,4CAA4C;YAC5C,YAAY,CAAC,aAAa,EAAE,CAAC,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,GAAG,KAAK,CAAC,EAAE;gBACjE,KAAK,EAAE,GAAG;gBACV,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;aAChC,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,IAAI,KAAK,CAAC,0CAA2C,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;QACtF,CAAC;IACH,CAAC;IAED,SAAS;QACP,IAAI,CAAC;YACH,YAAY,CAAC,aAAa,EAAE,CAAC,OAAO,EAAE,GAAG,KAAK,CAAC,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;QACtE,CAAC;QAAC,MAAM,CAAC;YACP,uCAAuC;QACzC,CAAC;IACH,CAAC;CACF"}

package/dist/ledger/index.d.ts

@@ -0,0 +1,3 @@
+export type { AuditEntry, LedgerQuery } from './ledger.js';
+export { Ledger } from './ledger.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/ledger/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/ledger/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC3D,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC"}

package/dist/ledger/index.js

@@ -0,0 +1,2 @@
+export { Ledger } from './ledger.js';
+//# sourceMappingURL=index.js.map

package/dist/ledger/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/ledger/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC"}

package/dist/ledger/ledger.d.ts

@@ -0,0 +1,98 @@
+import type Database from 'better-sqlite3-multiple-ciphers';
+export type AuditChannel = 'gate' | 'mcp';
+export interface AuditEntry {
+    id: number;
+    timestamp: string;
+    credentialId: string | null;
+    credentialName: string | null;
+    service: string;
+    targetDomain: string;
+    method: string;
+    path: string;
+    status: 'allowed' | 'blocked' | 'system';
+    blockedReason: string | null;
+    responseCode: number | null;
+    agentName: string | null;
+    agentTokenPrefix: string | null;
+    channel: AuditChannel;
+}
+export interface LedgerQuery {
+    service?: string;
+    credentialName?: string;
+    status?: 'allowed' | 'blocked' | 'system';
+    since?: string;
+    limit?: number;
+    agentName?: string;
+}
+export declare class Ledger {
+    private db;
+    constructor(db: Database.Database);
+    /**
+     * Record an allowed request.
+     */
+    logAllowed(params: {
+        credentialId: string;
+        credentialName: string;
+        service: string;
+        targetDomain: string;
+        method: string;
+        path: string;
+        responseCode?: number;
+        agentName?: string;
+        agentTokenPrefix?: string;
+        channel?: AuditChannel;
+    }): void;
+    /**
+     * Record a blocked request.
+     */
+    logBlocked(params: {
+        service: string;
+        targetDomain: string;
+        method: string;
+        path: string;
+        reason: string;
+        agentName?: string;
+        agentTokenPrefix?: string;
+        channel?: AuditChannel;
+    }): void;
+    /**
+     * Record a system lifecycle event (startup, shutdown, seal/unseal).
+     */
+    logSystem(params: {
+        service: string;
+        targetDomain: string;
+        method: string;
+        path: string;
+        reason: string;
+        channel?: AuditChannel;
+    }): void;
+    /**
+     * Query the audit log with optional filters.
+     */
+    query(params?: LedgerQuery): AuditEntry[];
+    /**
+     * Get summary stats for a time period, optionally filtered by agent.
+     */
+    stats(since?: string, agentName?: string): {
+        total: number;
+        allowed: number;
+        blocked: number;
+        system: number;
+        byService: Record<string, number>;
+    };
+    /**
+     * Export audit log as CSV.
+     */
+    exportCsv(params?: LedgerQuery): string;
+    /**
+     * Export audit log as a JSON array string.
+     */
+    exportJson(params?: LedgerQuery): string;
+    /**
+     * Export audit log as streaming JSON Lines (one JSON object per line).
+     * Each line is a self-contained JSON object — ideal for piping into
+     * SIEM systems, log aggregators, or processing with tools like jq.
+     */
+    exportJsonLines(params?: LedgerQuery): string;
+}
+//# sourceMappingURL=ledger.d.ts.map

package/dist/ledger/ledger.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ledger.d.ts","sourceRoot":"","sources":["../../src/ledger/ledger.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,QAAQ,MAAM,iCAAiC,CAAC;AAE5D,MAAM,MAAM,YAAY,GAAG,MAAM,GAAG,KAAK,CAAC;AAE1C,MAAM,WAAW,UAAU;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,cAAc,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B,OAAO,EAAE,MAAM,CAAC;IAChB,YAAY,EAAE,MAAM,CAAC;IACrB,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,SAAS,GAAG,SAAS,GAAG,QAAQ,CAAC;IACzC,aAAa,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,gBAAgB,EAAE,MAAM,GAAG,IAAI,CAAC;IAChC,OAAO,EAAE,YAAY,CAAC;CACvB;AAED,MAAM,WAAW,WAAW;IAC1B,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,MAAM,CAAC,EAAE,SAAS,GAAG,SAAS,GAAG,QAAQ,CAAC;IAC1C,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,qBAAa,MAAM;IACL,OAAO,CAAC,EAAE;gBAAF,EAAE,EAAE,QAAQ,CAAC,QAAQ;IAEzC;;OAEG;IACH,UAAU,CAAC,MAAM,EAAE;QACjB,YAAY,EAAE,MAAM,CAAC;QACrB,cAAc,EAAE,MAAM,CAAC;QACvB,OAAO,EAAE,MAAM,CAAC;QAChB,YAAY,EAAE,MAAM,CAAC;QACrB,MAAM,EAAE,MAAM,CAAC;QACf,IAAI,EAAE,MAAM,CAAC;QACb,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,gBAAgB,CAAC,EAAE,MAAM,CAAC;QAC1B,OAAO,CAAC,EAAE,YAAY,CAAC;KACxB,GAAG,IAAI;IAoBR;;OAEG;IACH,UAAU,CAAC,MAAM,EAAE;QACjB,OAAO,EAAE,MAAM,CAAC;QAChB,YAAY,EAAE,MAAM,CAAC;QACrB,MAAM,EAAE,MAAM,CAAC;QACf,IAAI,EAAE,MAAM,CAAC;QACb,MAAM,EAAE,MAAM,CAAC;QACf,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,gBAAgB,CAAC,EAAE,MAAM,CAAC;QAC1B,OAAO,CAAC,EAAE,YAAY,CAAC;KACxB,GAAG,IAAI;IAkBR;;OAEG;IACH,SAAS,CAAC,MAAM,EAAE;QAChB,OAAO,EAAE,MAAM,CAAC;QAChB,YAAY,EAAE,MAAM,CAAC;QACrB,MAAM,EAAE,MAAM,CAAC;QACf,IAAI,EAAE,MAAM,CAAC;QACb,MAAM,EAAE,MAAM,CAAC;QACf,OAAO,CAAC,EAAE,YAAY,CAAC;KACxB,GAAG,IAAI;IAgBR;;OAEG;IACH,KAAK,CAAC,MAAM,GAAE,WAAgB,GAAG,UAAU,EAAE;IAiE7C;;OAEG;IACH,KAAK,CACH,KAAK,CAAC,EAAE,MAAM,EACd,SAAS,CAAC,EAAE,MAAM,GACjB;QACD,KAAK,EAAE,MAAM,CAAC;QACd,OAAO,EAAE,MAAM,CAAC;QAChB,OAAO,EAAE,MAAM,CAAC;QAChB,MAAM,EAAE,MAAM,CAAC;QACf,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;KACnC;IA4CD;;OAEG;IACH,SAAS,CAAC,MAAM,GAAE,WAAgB,GAAG,MAAM;IAW3C;;OAEG;IACH,UAAU,CAAC,MAAM,GAAE,WAAgB,GAAG,MAAM;IAK5C;;;;OAIG;IACH,eAAe,CAAC,MAAM,GAAE,WAAgB,GAAG,MAAM;CAIlD"}

package/dist/ledger/ledger.js

@@ -0,0 +1,145 @@
+export class Ledger {
+    db;
+    constructor(db) {
+        this.db = db;
+    }
+    /**
+     * Record an allowed request.
+     */
+    logAllowed(params) {
+        this.db
+            .prepare(`INSERT INTO audit_log (credential_id, credential_name, service, target_domain, method, path, status, response_code, agent_name, agent_token_prefix, channel)
+       VALUES (?, ?, ?, ?, ?, ?, 'allowed', ?, ?, ?, ?)`)
+            .run(params.credentialId, params.credentialName, params.service, params.targetDomain, params.method, params.path, params.responseCode ?? null, params.agentName ?? null, params.agentTokenPrefix ?? null, params.channel ?? 'gate');
+    }
+    /**
+     * Record a blocked request.
+     */
+    logBlocked(params) {
+        this.db
+            .prepare(`INSERT INTO audit_log (service, target_domain, method, path, status, blocked_reason, agent_name, agent_token_prefix, channel)
+       VALUES (?, ?, ?, ?, 'blocked', ?, ?, ?, ?)`)
+            .run(params.service, params.targetDomain, params.method, params.path, params.reason, params.agentName ?? null, params.agentTokenPrefix ?? null, params.channel ?? 'gate');
+    }
+    /**
+     * Record a system lifecycle event (startup, shutdown, seal/unseal).
+     */
+    logSystem(params) {
+        this.db
+            .prepare(`INSERT INTO audit_log (service, target_domain, method, path, status, blocked_reason, channel)
+       VALUES (?, ?, ?, ?, 'system', ?, ?)`)
+            .run(params.service, params.targetDomain, params.method, params.path, params.reason, params.channel ?? 'gate');
+    }
+    /**
+     * Query the audit log with optional filters.
+     */
+    query(params = {}) {
+        const conditions = [];
+        const values = [];
+        if (params.service) {
+            conditions.push('service = ?');
+            values.push(params.service);
+        }
+        if (params.credentialName) {
+            conditions.push('credential_name = ?');
+            values.push(params.credentialName);
+        }
+        if (params.status) {
+            conditions.push('status = ?');
+            values.push(params.status);
+        }
+        if (params.since) {
+            conditions.push('timestamp >= ?');
+            values.push(params.since);
+        }
+        if (params.agentName) {
+            conditions.push('agent_name = ?');
+            values.push(params.agentName);
+        }
+        const where = conditions.length > 0 ? `WHERE ${conditions.join(' AND ')}` : '';
+        const limit = params.limit ?? 50;
+        const rows = this.db
+            .prepare(`SELECT * FROM audit_log ${where} ORDER BY timestamp DESC LIMIT ?`)
+            .all(...values, limit);
+        return rows.map((row) => ({
+            id: row.id,
+            timestamp: row.timestamp,
+            credentialId: row.credential_id,
+            credentialName: row.credential_name,
+            service: row.service,
+            targetDomain: row.target_domain,
+            method: row.method,
+            path: row.path,
+            status: row.status,
+            blockedReason: row.blocked_reason,
+            responseCode: row.response_code,
+            agentName: row.agent_name,
+            agentTokenPrefix: row.agent_token_prefix,
+            channel: (row.channel ?? 'gate'),
+        }));
+    }
+    /**
+     * Get summary stats for a time period, optionally filtered by agent.
+     */
+    stats(since, agentName) {
+        const conditions = [];
+        const params = [];
+        if (since) {
+            conditions.push('timestamp >= ?');
+            params.push(since);
+        }
+        if (agentName) {
+            conditions.push('agent_name = ?');
+            params.push(agentName);
+        }
+        const whereClause = conditions.length > 0 ? `WHERE ${conditions.join(' AND ')}` : '';
+        const totals = this.db
+            .prepare(`SELECT
+        COUNT(*) as total,
+        SUM(CASE WHEN status = 'allowed' THEN 1 ELSE 0 END) as allowed,
+        SUM(CASE WHEN status = 'blocked' THEN 1 ELSE 0 END) as blocked,
+        SUM(CASE WHEN status = 'system' THEN 1 ELSE 0 END) as system
+       FROM audit_log ${whereClause}`)
+            .get(...params);
+        const services = this.db
+            .prepare(`SELECT service, COUNT(*) as count FROM audit_log ${whereClause} GROUP BY service`)
+            .all(...params);
+        const byService = {};
+        for (const row of services) {
+            byService[row.service] = row.count;
+        }
+        return {
+            total: totals.total ?? 0,
+            allowed: totals.allowed ?? 0,
+            blocked: totals.blocked ?? 0,
+            system: totals.system ?? 0,
+            byService,
+        };
+    }
+    /**
+     * Export audit log as CSV.
+     */
+    exportCsv(params = {}) {
+        const entries = this.query({ ...params, limit: params.limit ?? Number.MAX_SAFE_INTEGER });
+        const header = 'timestamp,credential,service,domain,method,path,status,reason,response_code,channel';
+        const rows = entries.map((e) => `${e.timestamp},${e.credentialName ?? ''},${e.service},${e.targetDomain},${e.method},${e.path},${e.status},${e.blockedReason ?? ''},${e.responseCode ?? ''},${e.channel}`);
+        return [header, ...rows].join('\n');
+    }
+    /**
+     * Export audit log as a JSON array string.
+     */
+    exportJson(params = {}) {
+        const entries = this.query({ ...params, limit: params.limit ?? Number.MAX_SAFE_INTEGER });
+        return JSON.stringify(entries, null, 2);
+    }
+    /**
+     * Export audit log as streaming JSON Lines (one JSON object per line).
+     * Each line is a self-contained JSON object — ideal for piping into
+     * SIEM systems, log aggregators, or processing with tools like jq.
+     */
+    exportJsonLines(params = {}) {
+        const entries = this.query({ ...params, limit: params.limit ?? Number.MAX_SAFE_INTEGER });
+        return entries.map((e) => JSON.stringify(e)).join('\n');
+    }
+}
+//# sourceMappingURL=ledger.js.map

package/dist/ledger/ledger.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ledger.js","sourceRoot":"","sources":["../../src/ledger/ledger.ts"],"names":[],"mappings":"AA8BA,MAAM,OAAO,MAAM;IACG;IAApB,YAAoB,EAAqB;QAArB,OAAE,GAAF,EAAE,CAAmB;IAAG,CAAC;IAE7C;;OAEG;IACH,UAAU,CAAC,MAWV;QACC,IAAI,CAAC,EAAE;aACJ,OAAO,CACN;wDACgD,CACjD;aACA,GAAG,CACF,MAAM,CAAC,YAAY,EACnB,MAAM,CAAC,cAAc,EACrB,MAAM,CAAC,OAAO,EACd,MAAM,CAAC,YAAY,EACnB,MAAM,CAAC,MAAM,EACb,MAAM,CAAC,IAAI,EACX,MAAM,CAAC,YAAY,IAAI,IAAI,EAC3B,MAAM,CAAC,SAAS,IAAI,IAAI,EACxB,MAAM,CAAC,gBAAgB,IAAI,IAAI,EAC/B,MAAM,CAAC,OAAO,IAAI,MAAM,CACzB,CAAC;IACN,CAAC;IAED;;OAEG;IACH,UAAU,CAAC,MASV;QACC,IAAI,CAAC,EAAE;aACJ,OAAO,CACN;kDAC0C,CAC3C;aACA,GAAG,CACF,MAAM,CAAC,OAAO,EACd,MAAM,CAAC,YAAY,EACnB,MAAM,CAAC,MAAM,EACb,MAAM,CAAC,IAAI,EACX,MAAM,CAAC,MAAM,EACb,MAAM,CAAC,SAAS,IAAI,IAAI,EACxB,MAAM,CAAC,gBAAgB,IAAI,IAAI,EAC/B,MAAM,CAAC,OAAO,IAAI,MAAM,CACzB,CAAC;IACN,CAAC;IAED;;OAEG;IACH,SAAS,CAAC,MAOT;QACC,IAAI,CAAC,EAAE;aACJ,OAAO,CACN;2CACmC,CACpC;aACA,GAAG,CACF,MAAM,CAAC,OAAO,EACd,MAAM,CAAC,YAAY,EACnB,MAAM,CAAC,MAAM,EACb,MAAM,CAAC,IAAI,EACX,MAAM,CAAC,MAAM,EACb,MAAM,CAAC,OAAO,IAAI,MAAM,CACzB,CAAC;IACN,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,SAAsB,EAAE;QAC5B,MAAM,UAAU,GAAa,EAAE,CAAC;QAChC,MAAM,MAAM,GAAc,EAAE,CAAC;QAE7B,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;YACnB,UAAU,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;YAC/B,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QAC9B,CAAC;QACD,IAAI,MAAM,CAAC,cAAc,EAAE,CAAC;YAC1B,UAAU,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAC;YACvC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC;QACrC,CAAC;QACD,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;YAClB,UAAU,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;YAC9B,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QAC7B,CAAC;QACD,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;YACjB,UAAU,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;YAClC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAC5B,CAAC;QACD,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;YACrB,UAAU,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;YAClC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QAChC,CAAC;QAED,MAAM,KAAK,GAAG,UAAU,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC/E,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,IAAI,EAAE,CAAC;QAEjC,MAAM,IAAI,GAAG,IAAI,CAAC,EAAE;aACjB,OAAO,CAAC,2BAA2B,KAAK,kCAAkC,CAAC;aAC3E,GAAG,CAAC,GAAG,MAAM,EAAE,KAAK,CAerB,CAAC;QAEH,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;YACxB,EAAE,EAAE,GAAG,CAAC,EAAE;YACV,SAAS,EAAE,GAAG,CAAC,SAAS;YACxB,YAAY,EAAE,GAAG,CAAC,aAAa;YAC/B,cAAc,EAAE,GAAG,CAAC,eAAe;YACnC,OAAO,EAAE,GAAG,CAAC,OAAO;YACpB,YAAY,EAAE,GAAG,CAAC,aAAa;YAC/B,MAAM,EAAE,GAAG,CAAC,MAAM;YAClB,IAAI,EAAE,GAAG,CAAC,IAAI;YACd,MAAM,EAAE,GAAG,CAAC,MAA0C;YACtD,aAAa,EAAE,GAAG,CAAC,cAAc;YACjC,YAAY,EAAE,GAAG,CAAC,aAAa;YAC/B,SAAS,EAAE,GAAG,CAAC,UAAU;YACzB,gBAAgB,EAAE,GAAG,CAAC,kBAAkB;YACxC,OAAO,EAAE,CAAC,GAAG,CAAC,OAAO,IAAI,MAAM,CAAiB;SACjD,CAAC,CAAC,CAAC;IACN,CAAC;IAED;;OAEG;IACH,KAAK,CACH,KAAc,EACd,SAAkB;QAQlB,MAAM,UAAU,GAAa,EAAE,CAAC;QAChC,MAAM,MAAM,GAAa,EAAE,CAAC;QAE5B,IAAI,KAAK,EAAE,CAAC;YACV,UAAU,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;YAClC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACrB,CAAC;QACD,IAAI,SAAS,EAAE,CAAC;YACd,UAAU,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;YAClC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACzB,CAAC;QAED,MAAM,WAAW,GAAG,UAAU,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAErF,MAAM,MAAM,GAAG,IAAI,CAAC,EAAE;aACnB,OAAO,CACN;;;;;wBAKgB,WAAW,EAAE,CAC9B;aACA,GAAG,CAAC,GAAG,MAAM,CAAwE,CAAC;QAEzF,MAAM,QAAQ,GAAG,IAAI,CAAC,EAAE;aACrB,OAAO,CAAC,oDAAoD,WAAW,mBAAmB,CAAC;aAC3F,GAAG,CAAC,GAAG,MAAM,CAA8C,CAAC;QAE/D,MAAM,SAAS,GAA2B,EAAE,CAAC;QAC7C,KAAK,MAAM,GAAG,IAAI,QAAQ,EAAE,CAAC;YAC3B,SAAS,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,GAAG,CAAC,KAAK,CAAC;QACrC,CAAC;QAED,OAAO;YACL,KAAK,EAAE,MAAM,CAAC,KAAK,IAAI,CAAC;YACxB,OAAO,EAAE,MAAM,CAAC,OAAO,IAAI,CAAC;YAC5B,OAAO,EAAE,MAAM,CAAC,OAAO,IAAI,CAAC;YAC5B,MAAM,EAAE,MAAM,CAAC,MAAM,IAAI,CAAC;YAC1B,SAAS;SACV,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,SAAS,CAAC,SAAsB,EAAE;QAChC,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,GAAG,MAAM,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,IAAI,MAAM,CAAC,gBAAgB,EAAE,CAAC,CAAC;QAC1F,MAAM,MAAM,GACV,qFAAqF,CAAC;QACxF,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CACtB,CAAC,CAAC,EAAE,EAAE,CACJ,GAAG,CAAC,CAAC,SAAS,IAAI,CAAC,CAAC,cAAc,IAAI,EAAE,IAAI,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC,YAAY,IAAI,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,aAAa,IAAI,EAAE,IAAI,CAAC,CAAC,YAAY,IAAI,EAAE,IAAI,CAAC,CAAC,OAAO,EAAE,CAC5K,CAAC;QACF,OAAO,CAAC,MAAM,EAAE,GAAG,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACtC,CAAC;IAED;;OAEG;IACH,UAAU,CAAC,SAAsB,EAAE;QACjC,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,GAAG,MAAM,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,IAAI,MAAM,CAAC,gBAAgB,EAAE,CAAC,CAAC;QAC1F,OAAO,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;IAC1C,CAAC;IAED;;;;OAIG;IACH,eAAe,CAAC,SAAsB,EAAE;QACtC,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,GAAG,MAAM,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,IAAI,MAAM,CAAC,gBAAgB,EAAE,CAAC,CAAC;QAC1F,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC1D,CAAC;CACF"}

package/dist/logger/index.d.ts

@@ -0,0 +1,3 @@
+export type { LoggerOptions, LogLevel } from './logger.js';
+export { createLogger, generateRequestId, safeMeta, scrubString } from './logger.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/logger/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/logger/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,aAAa,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAC3D,OAAO,EAAE,YAAY,EAAE,iBAAiB,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC"}

package/dist/logger/index.js

@@ -0,0 +1,2 @@
+export { createLogger, generateRequestId, safeMeta, scrubString } from './logger.js';
+//# sourceMappingURL=index.js.map

package/dist/logger/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/logger/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,YAAY,EAAE,iBAAiB,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC"}

package/dist/logger/logger.d.ts

@@ -0,0 +1,58 @@
+/**
+ * Aegis Logger — structured logging with pino.
+ *
+ * Central logger factory for all Aegis modules. Provides:
+ * - Structured JSON output in production, pretty-print in development
+ * - Declarative field-level redaction (secrets, tokens, passwords)
+ * - Pattern-based scrubbing for credential-like strings in log values
+ * - Request correlation IDs via child loggers
+ * - stderr output support (required for MCP stdio transport)
+ *
+ * SECURITY: This is a security product — secrets must NEVER appear in logs.
+ * The logger enforces this through three layers:
+ *   1. Pino's `redact` option censors known sensitive field paths
+ *   2. Custom serializers scrub credential-like patterns from string values
+ *   3. The `safeMeta()` helper strips sensitive fields from ad-hoc objects
+ */
+import pino from 'pino';
+export type LogLevel = 'debug' | 'info' | 'warn' | 'error' | 'fatal' | 'silent';
+export interface LoggerOptions {
+    /** Minimum log level (default: 'info') */
+    level?: LogLevel;
+    /** Module name — appears as `module` field in every log entry (e.g. 'gate', 'mcp', 'vault') */
+    module?: string;
+    /** Use pretty-print instead of JSON (default: auto-detect from NODE_ENV) */
+    pretty?: boolean;
+    /** Write to stderr instead of stdout (required for MCP stdio transport) */
+    stderr?: boolean;
+}
+/**
+ * Scrub credential-like patterns from a string value.
+ * Replaces matches with [REDACTED] to prevent accidental exposure.
+ */
+export declare function scrubString(value: string): string;
+/**
+ * Strip sensitive fields from an arbitrary object before logging.
+ * Use this for ad-hoc metadata objects that aren't covered by pino's redact paths.
+ */
+export declare function safeMeta(obj: Record<string, unknown>): Record<string, unknown>;
+/**
+ * Create a pino logger instance for an Aegis module.
+ *
+ * @example
+ * ```ts
+ * const logger = createLogger({ module: 'gate', level: 'debug' });
+ * logger.info({ service: 'slack', method: 'GET' }, 'Request proxied');
+ *
+ * // Child logger with request correlation ID
+ * const reqLogger = logger.child({ requestId: generateRequestId() });
+ * reqLogger.info({ status: 200 }, 'Response sent');
+ * ```
+ */
+export declare function createLogger(options?: LoggerOptions): pino.Logger;
+/**
+ * Generate a unique request correlation ID.
+ * Included in all log entries for a given request, and stored in Ledger records.
+ */
+export declare function generateRequestId(): string;
+//# sourceMappingURL=logger.d.ts.map

package/dist/logger/logger.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"logger.d.ts","sourceRoot":"","sources":["../../src/logger/logger.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAGH,OAAO,IAAI,MAAM,MAAM,CAAC;AAIxB,MAAM,MAAM,QAAQ,GAAG,OAAO,GAAG,MAAM,GAAG,MAAM,GAAG,OAAO,GAAG,OAAO,GAAG,QAAQ,CAAC;AAEhF,MAAM,WAAW,aAAa;IAC5B,0CAA0C;IAC1C,KAAK,CAAC,EAAE,QAAQ,CAAC;IACjB,+FAA+F;IAC/F,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,4EAA4E;IAC5E,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,2EAA2E;IAC3E,MAAM,CAAC,EAAE,OAAO,CAAC;CAClB;AA8ED;;;GAGG;AACH,wBAAgB,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAQjD;AAED;;;GAGG;AACH,wBAAgB,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAgC9E;AAID;;;;;;;;;;;;GAYG;AACH,wBAAgB,YAAY,CAAC,OAAO,GAAE,aAAkB,GAAG,IAAI,CAAC,MAAM,CA2CrE;AAID;;;GAGG;AACH,wBAAgB,iBAAiB,IAAI,MAAM,CAE1C"}