@getaegis/cli 0.8.0 → 0.9.0

package/dist/vault/shamir.js

@@ -0,0 +1,174 @@
+import * as crypto from 'node:crypto';
+/**
+ * Shamir's Secret Sharing over GF(256).
+ *
+ * Splits a secret into N shares such that any K shares can reconstruct it,
+ * but K−1 shares reveal nothing about the secret. Uses the finite field
+ * GF(2^8) with the AES irreducible polynomial x^8 + x^4 + x^3 + x + 1.
+ */
+// ─── GF(256) Arithmetic ───────────────────────────────────────────
+/** Lookup tables for GF(256) multiplication via discrete logarithm. */
+const EXP = new Uint8Array(256);
+const LOG = new Uint8Array(256);
+/**
+ * Initialize exp/log tables using generator g = 0x03.
+ * EXP[i] = g^i mod P(x) where P(x) = x^8 + x^4 + x^3 + x + 1 (0x11B).
+ */
+function initTables() {
+    let x = 1;
+    for (let i = 0; i < 255; i++) {
+        EXP[i] = x;
+        LOG[x] = i;
+        // Multiply by generator 3: x * 3 = x * 2 XOR x
+        // x * 2 = left shift with conditional reduction by 0x1B
+        const x2 = (x << 1) ^ (x & 0x80 ? 0x1b : 0);
+        x = (x2 ^ x) & 0xff;
+    }
+    EXP[255] = EXP[0]; // Wrap for modular arithmetic convenience
+}
+initTables();
+/** Addition in GF(256) — XOR. */
+function gfAdd(a, b) {
+    return a ^ b;
+}
+/** Multiplication in GF(256) using log/exp tables. */
+function gfMul(a, b) {
+    if (a === 0 || b === 0)
+        return 0;
+    return EXP[(LOG[a] + LOG[b]) % 255];
+}
+/** Division in GF(256) using log/exp tables. */
+function gfDiv(a, b) {
+    if (b === 0)
+        throw new Error('Division by zero in GF(256).');
+    if (a === 0)
+        return 0;
+    return EXP[(LOG[a] - LOG[b] + 255) % 255];
+}
+// ─── Polynomial Evaluation ────────────────────────────────────────
+/**
+ * Evaluate a polynomial at point x in GF(256) using Horner's method.
+ * coeffs[0] = constant term (the secret byte), coeffs[t−1] = leading term.
+ */
+function evalPoly(coeffs, x) {
+    let result = 0;
+    for (let i = coeffs.length - 1; i >= 0; i--) {
+        result = gfAdd(gfMul(result, x), coeffs[i]);
+    }
+    return result;
+}
+/** Generate a random non-zero byte using rejection sampling. */
+function randomNonZero() {
+    let b;
+    do {
+        b = crypto.randomBytes(1)[0];
+    } while (b === 0);
+    return b;
+}
+/**
+ * Split a secret into `totalShares` shares, requiring `threshold` to reconstruct.
+ *
+ * @param secret      The secret to split (arbitrary-length Buffer).
+ * @param threshold   Minimum shares needed for reconstruction (2 ≤ t ≤ n).
+ * @param totalShares Number of shares to produce (t ≤ n ≤ 255).
+ * @returns Array of shares, each with a unique index and data.
+ */
+export function split(secret, threshold, totalShares) {
+    if (threshold < 2)
+        throw new Error('Threshold must be at least 2.');
+    if (totalShares < threshold)
+        throw new Error('Total shares must be ≥ threshold.');
+    if (totalShares > 255)
+        throw new Error('Maximum 255 shares supported.');
+    if (secret.length === 0)
+        throw new Error('Secret must not be empty.');
+    // Initialize empty shares
+    const shares = Array.from({ length: totalShares }, (_, i) => ({
+        index: i + 1,
+        data: Buffer.alloc(secret.length),
+    }));
+    // For each byte of the secret, create a random polynomial and evaluate at each share index
+    for (let b = 0; b < secret.length; b++) {
+        const coeffs = new Array(threshold);
+        coeffs[0] = secret[b]; // constant term = the secret byte
+        // Random non-zero coefficients ensure polynomial has full degree
+        for (let c = 1; c < threshold; c++) {
+            coeffs[c] = randomNonZero();
+        }
+        for (let s = 0; s < totalShares; s++) {
+            shares[s].data[b] = evalPoly(coeffs, shares[s].index);
+        }
+    }
+    return shares;
+}
+/**
+ * Reconstruct a secret from shares using Lagrange interpolation at x = 0.
+ *
+ * @param shares  At least `threshold` shares with unique indices.
+ * @returns The reconstructed secret.
+ */
+export function combine(shares) {
+    if (shares.length < 2)
+        throw new Error('At least 2 shares required.');
+    const len = shares[0].data.length;
+    if (!shares.every((s) => s.data.length === len)) {
+        throw new Error('All shares must have the same data length.');
+    }
+    const indices = new Set(shares.map((s) => s.index));
+    if (indices.size !== shares.length) {
+        throw new Error('Duplicate share indices.');
+    }
+    const secret = Buffer.alloc(len);
+    for (let b = 0; b < len; b++) {
+        let value = 0;
+        for (let i = 0; i < shares.length; i++) {
+            const xi = shares[i].index;
+            const yi = shares[i].data[b];
+            // Lagrange basis polynomial L_i(0)
+            let basis = 1;
+            for (let j = 0; j < shares.length; j++) {
+                if (i === j)
+                    continue;
+                const xj = shares[j].index;
+                // L_i(0) = Π_{j≠i} (0 − x_j) / (x_i − x_j)
+                // In GF(256): subtraction = addition = XOR, and 0 − x_j = x_j
+                basis = gfMul(basis, gfDiv(xj, gfAdd(xi, xj)));
+            }
+            value = gfAdd(value, gfMul(yi, basis));
+        }
+        secret[b] = value;
+    }
+    return secret;
+}
+/**
+ * Encode a share as a human-readable string.
+ * Format: `aegis_share_<index_hex>_<data_hex>`
+ */
+export function encodeShare(share) {
+    const idx = share.index.toString(16).padStart(2, '0');
+    return `aegis_share_${idx}_${share.data.toString('hex')}`;
+}
+/**
+ * Decode a share from its string representation.
+ */
+export function decodeShare(encoded) {
+    const prefix = 'aegis_share_';
+    if (!encoded.startsWith(prefix)) {
+        throw new Error('Invalid share format: must start with "aegis_share_".');
+    }
+    const rest = encoded.slice(prefix.length);
+    const sep = rest.indexOf('_');
+    if (sep === -1) {
+        throw new Error('Invalid share format: missing data separator.');
+    }
+    const index = Number.parseInt(rest.slice(0, sep), 16);
+    if (Number.isNaN(index) || index < 1 || index > 255) {
+        throw new Error('Invalid share index: must be 1–255.');
+    }
+    const data = Buffer.from(rest.slice(sep + 1), 'hex');
+    if (data.length === 0) {
+        throw new Error('Invalid share: empty data.');
+    }
+    return { index, data };
+}
+//# sourceMappingURL=shamir.js.map

package/dist/vault/shamir.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"shamir.js","sourceRoot":"","sources":["../../src/vault/shamir.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,MAAM,aAAa,CAAC;AAEtC;;;;;;GAMG;AAEH,qEAAqE;AAErE,uEAAuE;AACvE,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,GAAG,CAAC,CAAC;AAChC,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,GAAG,CAAC,CAAC;AAEhC;;;GAGG;AACH,SAAS,UAAU;IACjB,IAAI,CAAC,GAAG,CAAC,CAAC;IACV,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC;QAC7B,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;QACX,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;QACX,+CAA+C;QAC/C,wDAAwD;QACxD,MAAM,EAAE,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QAC5C,CAAC,GAAG,CAAC,EAAE,GAAG,CAAC,CAAC,GAAG,IAAI,CAAC;IACtB,CAAC;IACD,GAAG,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,0CAA0C;AAC/D,CAAC;AAED,UAAU,EAAE,CAAC;AAEb,iCAAiC;AACjC,SAAS,KAAK,CAAC,CAAS,EAAE,CAAS;IACjC,OAAO,CAAC,GAAG,CAAC,CAAC;AACf,CAAC;AAED,sDAAsD;AACtD,SAAS,KAAK,CAAC,CAAS,EAAE,CAAS;IACjC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,CAAC,CAAC;IACjC,OAAO,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC;AACtC,CAAC;AAED,gDAAgD;AAChD,SAAS,KAAK,CAAC,CAAS,EAAE,CAAS;IACjC,IAAI,CAAC,KAAK,CAAC;QAAE,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC;IAC7D,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,CAAC,CAAC;IACtB,OAAO,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC,GAAG,GAAG,CAAC,CAAC;AAC5C,CAAC;AAED,qEAAqE;AAErE;;;GAGG;AACH,SAAS,QAAQ,CAAC,MAAgB,EAAE,CAAS;IAC3C,IAAI,MAAM,GAAG,CAAC,CAAC;IACf,KAAK,IAAI,CAAC,GAAG,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QAC5C,MAAM,GAAG,KAAK,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;IAC9C,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,gEAAgE;AAChE,SAAS,aAAa;IACpB,IAAI,CAAS,CAAC;IACd,GAAG,CAAC;QACF,CAAC,GAAG,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAC/B,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE;IAClB,OAAO,CAAC,CAAC;AACX,CAAC;AAYD;;;;;;;GAOG;AACH,MAAM,UAAU,KAAK,CAAC,MAAc,EAAE,SAAiB,EAAE,WAAmB;IAC1E,IAAI,SAAS,GAAG,CAAC;QAAE,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;IACpE,IAAI,WAAW,GAAG,SAAS;QAAE,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAC;IAClF,IAAI,WAAW,GAAG,GAAG;QAAE,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;IACxE,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;QAAE,MAAM,IAAI,KAAK,CAAC,2BAA2B,CAAC,CAAC;IAEtE,0BAA0B;IAC1B,MAAM,MAAM,GAAkB,KAAK,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,WAAW,EAAE,EAAE,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC;QAC3E,KAAK,EAAE,CAAC,GAAG,CAAC;QACZ,IAAI,EAAE,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC;KAClC,CAAC,CAAC,CAAC;IAEJ,2FAA2F;IAC3F,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACvC,MAAM,MAAM,GAAG,IAAI,KAAK,CAAS,SAAS,CAAC,CAAC;QAC5C,MAAM,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,kCAAkC;QAEzD,iEAAiE;QACjE,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,SAAS,EAAE,CAAC,EAAE,EAAE,CAAC;YACnC,MAAM,CAAC,CAAC,CAAC,GAAG,aAAa,EAAE,CAAC;QAC9B,CAAC;QAED,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,WAAW,EAAE,CAAC,EAAE,EAAE,CAAC;YACrC,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;QACxD,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,OAAO,CAAC,MAAqB;IAC3C,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC;QAAE,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,CAAC;IAEtE,MAAM,GAAG,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC;IAClC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,KAAK,GAAG,CAAC,EAAE,CAAC;QAChD,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;IAChE,CAAC;IAED,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC;IACpD,IAAI,OAAO,CAAC,IAAI,KAAK,MAAM,CAAC,MAAM,EAAE,CAAC;QACnC,MAAM,IAAI,KAAK,CAAC,0BAA0B,CAAC,CAAC;IAC9C,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAEjC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC;QAC7B,IAAI,KAAK,GAAG,CAAC,CAAC;QAEd,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACvC,MAAM,EAAE,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC;YAC3B,MAAM,EAAE,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAE7B,mCAAmC;YACnC,IAAI,KAAK,GAAG,CAAC,CAAC;YACd,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACvC,IAAI,CAAC,KAAK,CAAC;oBAAE,SAAS;gBACtB,MAAM,EAAE,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC;gBAC3B,2CAA2C;gBAC3C,8DAA8D;gBAC9D,KAAK,GAAG,KAAK,CAAC,KAAK,EAAE,KAAK,CAAC,EAAE,EAAE,KAAK,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC;YACjD,CAAC;YAED,KAAK,GAAG,KAAK,CAAC,KAAK,EAAE,KAAK,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC,CAAC;QACzC,CAAC;QAED,MAAM,CAAC,CAAC,CAAC,GAAG,KAAK,CAAC;IACpB,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,WAAW,CAAC,KAAkB;IAC5C,MAAM,GAAG,GAAG,KAAK,CAAC,KAAK,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IACtD,OAAO,eAAe,GAAG,IAAI,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;AAC5D,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,WAAW,CAAC,OAAe;IACzC,MAAM,MAAM,GAAG,cAAc,CAAC;IAC9B,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;QAChC,MAAM,IAAI,KAAK,CAAC,uDAAuD,CAAC,CAAC;IAC3E,CAAC;IAED,MAAM,IAAI,GAAG,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAC1C,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAC9B,IAAI,GAAG,KAAK,CAAC,CAAC,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CAAC,+CAA+C,CAAC,CAAC;IACnE,CAAC;IAED,MAAM,KAAK,GAAG,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,EAAE,CAAC,CAAC;IACtD,IAAI,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,KAAK,GAAG,CAAC,IAAI,KAAK,GAAG,GAAG,EAAE,CAAC;QACpD,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;IACzD,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,GAAG,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;IACrD,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CAAC,4BAA4B,CAAC,CAAC;IAChD,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;AACzB,CAAC"}

package/dist/vault/vault-manager.d.ts

@@ -0,0 +1,62 @@
+import Database from 'better-sqlite3-multiple-ciphers';
+/**
+ * Metadata for a named vault (stored in the registry).
+ * Master keys are NEVER stored — the user must provide them.
+ */
+export interface VaultInfo {
+    /** Unique vault name (e.g. "production", "staging") */
+    name: string;
+    /** Database file path relative to the data directory */
+    dbPath: string;
+    /** Hex-encoded PBKDF2 salt (unique per vault) */
+    salt: string;
+    /** ISO timestamp of when the vault was created */
+    createdAt: string;
+}
+/**
+ * Manages multiple named vaults, each with its own SQLite database
+ * and encryption key. The registry tracks vault metadata but NEVER
+ * stores master keys.
+ *
+ * Layout:
+ *   .aegis/vaults/<name>.db    — all vaults (including "default")
+ *   .aegis/vaults.json         — vault registry
+ */
+export declare class VaultManager {
+    private dataDir;
+    private registryPath;
+    private vaultsDir;
+    constructor(dataDir: string);
+    /**
+     * Create a new named vault with its own database and salt.
+     * Returns the generated salt (the caller provides the master key).
+     */
+    create(name: string, masterKey?: string): {
+        salt: string;
+        dbPath: string;
+    };
+    /**
+     * List all registered vaults.
+     */
+    list(): VaultInfo[];
+    /**
+     * Remove a named vault and delete its database file.
+     */
+    remove(name: string): void;
+    /**
+     * Get metadata for a named vault.
+     */
+    getVaultInfo(name: string): VaultInfo | undefined;
+    /**
+     * Open the SQLite database for a named vault.
+     * Caller is responsible for closing the returned database.
+     */
+    openDb(name: string, masterKey?: string): Database.Database;
+    /**
+     * Get the salt for a named vault.
+     */
+    getSalt(name: string): string;
+    private loadRegistry;
+    private saveRegistry;
+}
+//# sourceMappingURL=vault-manager.d.ts.map

package/dist/vault/vault-manager.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"vault-manager.d.ts","sourceRoot":"","sources":["../../src/vault/vault-manager.ts"],"names":[],"mappings":"AAEA,OAAO,QAAQ,MAAM,iCAAiC,CAAC;AAIvD;;;GAGG;AACH,MAAM,WAAW,SAAS;IACxB,uDAAuD;IACvD,IAAI,EAAE,MAAM,CAAC;IACb,wDAAwD;IACxD,MAAM,EAAE,MAAM,CAAC;IACf,iDAAiD;IACjD,IAAI,EAAE,MAAM,CAAC;IACb,kDAAkD;IAClD,SAAS,EAAE,MAAM,CAAC;CACnB;AAMD;;;;;;;;GAQG;AACH,qBAAa,YAAY;IAIX,OAAO,CAAC,OAAO;IAH3B,OAAO,CAAC,YAAY,CAAS;IAC7B,OAAO,CAAC,SAAS,CAAS;gBAEN,OAAO,EAAE,MAAM;IAKnC;;;OAGG;IACH,MAAM,CAAC,IAAI,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,MAAM,GAAG;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE;IAgD1E;;OAEG;IACH,IAAI,IAAI,SAAS,EAAE;IAInB;;OAEG;IACH,MAAM,CAAC,IAAI,EAAE,MAAM,GAAG,IAAI;IA2B1B;;OAEG;IACH,YAAY,CAAC,IAAI,EAAE,MAAM,GAAG,SAAS,GAAG,SAAS;IAIjD;;;OAGG;IACH,MAAM,CAAC,IAAI,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,MAAM,GAAG,QAAQ,CAAC,QAAQ;IA0B3D;;OAEG;IACH,OAAO,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM;IAU7B,OAAO,CAAC,YAAY;IAQpB,OAAO,CAAC,YAAY;CAMrB"}

package/dist/vault/vault-manager.js

@@ -0,0 +1,151 @@
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import Database from 'better-sqlite3-multiple-ciphers';
+import { deriveDbKey, migrate } from '../db.js';
+import { generateSalt } from './crypto.js';
+/**
+ * Manages multiple named vaults, each with its own SQLite database
+ * and encryption key. The registry tracks vault metadata but NEVER
+ * stores master keys.
+ *
+ * Layout:
+ *   .aegis/vaults/<name>.db    — all vaults (including "default")
+ *   .aegis/vaults.json         — vault registry
+ */
+export class VaultManager {
+    dataDir;
+    registryPath;
+    vaultsDir;
+    constructor(dataDir) {
+        this.dataDir = dataDir;
+        this.registryPath = path.join(dataDir, 'vaults.json');
+        this.vaultsDir = path.join(dataDir, 'vaults');
+    }
+    /**
+     * Create a new named vault with its own database and salt.
+     * Returns the generated salt (the caller provides the master key).
+     */
+    create(name, masterKey) {
+        if (!name) {
+            throw new Error('Vault name is required.');
+        }
+        if (!/^[a-zA-Z0-9_-]+$/.test(name)) {
+            throw new Error('Vault name must contain only letters, numbers, hyphens, and underscores.');
+        }
+        const registry = this.loadRegistry();
+        if (registry.vaults.some((v) => v.name === name)) {
+            throw new Error(`Vault "${name}" already exists.`);
+        }
+        // Ensure vaults directory exists
+        if (!fs.existsSync(this.vaultsDir)) {
+            fs.mkdirSync(this.vaultsDir, { recursive: true });
+        }
+        const dbPath = path.join('vaults', `${name}.db`);
+        const absoluteDbPath = path.join(this.dataDir, dbPath);
+        const salt = generateSalt();
+        // Create and initialize the database with the full schema
+        const db = new Database(absoluteDbPath);
+        // Encrypt the new vault database from creation
+        if (masterKey) {
+            const dbKey = deriveDbKey(masterKey, salt);
+            db.pragma(`key="x'${dbKey.toString('hex')}'"`);
+        }
+        db.pragma('journal_mode = WAL');
+        migrate(db);
+        db.close();
+        // Register the vault
+        const info = {
+            name,
+            dbPath,
+            salt,
+            createdAt: new Date().toISOString(),
+        };
+        registry.vaults.push(info);
+        this.saveRegistry(registry);
+        return { salt, dbPath };
+    }
+    /**
+     * List all registered vaults.
+     */
+    list() {
+        return this.loadRegistry().vaults;
+    }
+    /**
+     * Remove a named vault and delete its database file.
+     */
+    remove(name) {
+        if (!name) {
+            throw new Error('Vault name is required.');
+        }
+        const registry = this.loadRegistry();
+        const index = registry.vaults.findIndex((v) => v.name === name);
+        if (index === -1) {
+            throw new Error(`Vault "${name}" not found.`);
+        }
+        const vaultInfo = registry.vaults[index];
+        const absoluteDbPath = path.join(this.dataDir, vaultInfo.dbPath);
+        // Remove database files (main, WAL, SHM)
+        for (const suffix of ['', '-wal', '-shm']) {
+            const filePath = `${absoluteDbPath}${suffix}`;
+            if (fs.existsSync(filePath)) {
+                fs.unlinkSync(filePath);
+            }
+        }
+        // Remove from registry
+        registry.vaults.splice(index, 1);
+        this.saveRegistry(registry);
+    }
+    /**
+     * Get metadata for a named vault.
+     */
+    getVaultInfo(name) {
+        return this.loadRegistry().vaults.find((v) => v.name === name);
+    }
+    /**
+     * Open the SQLite database for a named vault.
+     * Caller is responsible for closing the returned database.
+     */
+    openDb(name, masterKey) {
+        const info = this.getVaultInfo(name);
+        if (!info) {
+            throw new Error(`Vault "${name}" not found. Create it with: aegis vault create --name ${name}`);
+        }
+        const absoluteDbPath = path.join(this.dataDir, info.dbPath);
+        if (!fs.existsSync(absoluteDbPath)) {
+            throw new Error(`Vault database file not found: ${absoluteDbPath}`);
+        }
+        const db = new Database(absoluteDbPath);
+        // Decrypt the vault database when a master key is available
+        if (masterKey) {
+            const dbKey = deriveDbKey(masterKey, info.salt);
+            db.pragma(`key="x'${dbKey.toString('hex')}'"`);
+        }
+        db.pragma('journal_mode = WAL');
+        migrate(db);
+        return db;
+    }
+    /**
+     * Get the salt for a named vault.
+     */
+    getSalt(name) {
+        const info = this.getVaultInfo(name);
+        if (!info) {
+            throw new Error(`Vault "${name}" not found. Create it with: aegis vault create --name ${name}`);
+        }
+        return info.salt;
+    }
+    loadRegistry() {
+        if (!fs.existsSync(this.registryPath)) {
+            return { vaults: [] };
+        }
+        const content = fs.readFileSync(this.registryPath, 'utf-8');
+        return JSON.parse(content);
+    }
+    saveRegistry(registry) {
+        if (!fs.existsSync(this.dataDir)) {
+            fs.mkdirSync(this.dataDir, { recursive: true });
+        }
+        fs.writeFileSync(this.registryPath, JSON.stringify(registry, null, 2), 'utf-8');
+    }
+}
+//# sourceMappingURL=vault-manager.js.map

package/dist/vault/vault-manager.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"vault-manager.js","sourceRoot":"","sources":["../../src/vault/vault-manager.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,QAAQ,MAAM,iCAAiC,CAAC;AACvD,OAAO,EAAE,WAAW,EAAE,OAAO,EAAE,MAAM,UAAU,CAAC;AAChD,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAqB3C;;;;;;;;GAQG;AACH,MAAM,OAAO,YAAY;IAIH;IAHZ,YAAY,CAAS;IACrB,SAAS,CAAS;IAE1B,YAAoB,OAAe;QAAf,YAAO,GAAP,OAAO,CAAQ;QACjC,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC;QACtD,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;IAChD,CAAC;IAED;;;OAGG;IACH,MAAM,CAAC,IAAY,EAAE,SAAkB;QACrC,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,MAAM,IAAI,KAAK,CAAC,yBAAyB,CAAC,CAAC;QAC7C,CAAC;QACD,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YACnC,MAAM,IAAI,KAAK,CAAC,0EAA0E,CAAC,CAAC;QAC9F,CAAC;QAED,MAAM,QAAQ,GAAG,IAAI,CAAC,YAAY,EAAE,CAAC;QACrC,IAAI,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,CAAC,EAAE,CAAC;YACjD,MAAM,IAAI,KAAK,CAAC,UAAU,IAAI,mBAAmB,CAAC,CAAC;QACrD,CAAC;QAED,iCAAiC;QACjC,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;YACnC,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACpD,CAAC;QAED,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,GAAG,IAAI,KAAK,CAAC,CAAC;QACjD,MAAM,cAAc,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QACvD,MAAM,IAAI,GAAG,YAAY,EAAE,CAAC;QAE5B,0DAA0D;QAC1D,MAAM,EAAE,GAAG,IAAI,QAAQ,CAAC,cAAc,CAAC,CAAC;QAExC,+CAA+C;QAC/C,IAAI,SAAS,EAAE,CAAC;YACd,MAAM,KAAK,GAAG,WAAW,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;YAC3C,EAAE,CAAC,MAAM,CAAC,UAAU,KAAK,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QACjD,CAAC;QAED,EAAE,CAAC,MAAM,CAAC,oBAAoB,CAAC,CAAC;QAChC,OAAO,CAAC,EAAE,CAAC,CAAC;QACZ,EAAE,CAAC,KAAK,EAAE,CAAC;QAEX,qBAAqB;QACrB,MAAM,IAAI,GAAc;YACtB,IAAI;YACJ,MAAM;YACN,IAAI;YACJ,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACpC,CAAC;QACF,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC3B,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC;QAE5B,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;IAC1B,CAAC;IAED;;OAEG;IACH,IAAI;QACF,OAAO,IAAI,CAAC,YAAY,EAAE,CAAC,MAAM,CAAC;IACpC,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,IAAY;QACjB,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,MAAM,IAAI,KAAK,CAAC,yBAAyB,CAAC,CAAC;QAC7C,CAAC;QAED,MAAM,QAAQ,GAAG,IAAI,CAAC,YAAY,EAAE,CAAC;QACrC,MAAM,KAAK,GAAG,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,CAAC,CAAC;QAChE,IAAI,KAAK,KAAK,CAAC,CAAC,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,UAAU,IAAI,cAAc,CAAC,CAAC;QAChD,CAAC;QAED,MAAM,SAAS,GAAG,QAAQ,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACzC,MAAM,cAAc,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,SAAS,CAAC,MAAM,CAAC,CAAC;QAEjE,yCAAyC;QACzC,KAAK,MAAM,MAAM,IAAI,CAAC,EAAE,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,CAAC;YAC1C,MAAM,QAAQ,GAAG,GAAG,cAAc,GAAG,MAAM,EAAE,CAAC;YAC9C,IAAI,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAC5B,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;YAC1B,CAAC;QACH,CAAC;QAED,uBAAuB;QACvB,QAAQ,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;QACjC,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC;IAC9B,CAAC;IAED;;OAEG;IACH,YAAY,CAAC,IAAY;QACvB,OAAO,IAAI,CAAC,YAAY,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,CAAC,CAAC;IACjE,CAAC;IAED;;;OAGG;IACH,MAAM,CAAC,IAAY,EAAE,SAAkB;QACrC,MAAM,IAAI,GAAG,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC;QACrC,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,MAAM,IAAI,KAAK,CACb,UAAU,IAAI,0DAA0D,IAAI,EAAE,CAC/E,CAAC;QACJ,CAAC;QAED,MAAM,cAAc,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;QAC5D,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,cAAc,CAAC,EAAE,CAAC;YACnC,MAAM,IAAI,KAAK,CAAC,kCAAkC,cAAc,EAAE,CAAC,CAAC;QACtE,CAAC;QAED,MAAM,EAAE,GAAG,IAAI,QAAQ,CAAC,cAAc,CAAC,CAAC;QAExC,4DAA4D;QAC5D,IAAI,SAAS,EAAE,CAAC;YACd,MAAM,KAAK,GAAG,WAAW,CAAC,SAAS,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC;YAChD,EAAE,CAAC,MAAM,CAAC,UAAU,KAAK,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QACjD,CAAC;QAED,EAAE,CAAC,MAAM,CAAC,oBAAoB,CAAC,CAAC;QAChC,OAAO,CAAC,EAAE,CAAC,CAAC;QACZ,OAAO,EAAE,CAAC;IACZ,CAAC;IAED;;OAEG;IACH,OAAO,CAAC,IAAY;QAClB,MAAM,IAAI,GAAG,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC;QACrC,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,MAAM,IAAI,KAAK,CACb,UAAU,IAAI,0DAA0D,IAAI,EAAE,CAC/E,CAAC;QACJ,CAAC;QACD,OAAO,IAAI,CAAC,IAAI,CAAC;IACnB,CAAC;IAEO,YAAY;QAClB,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,YAAY,CAAC,EAAE,CAAC;YACtC,OAAO,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC;QACxB,CAAC;QACD,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC;QAC5D,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO,CAAkB,CAAC;IAC9C,CAAC;IAEO,YAAY,CAAC,QAAuB;QAC1C,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YACjC,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAClD,CAAC;QACD,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,YAAY,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;IAClF,CAAC;CACF"}

package/dist/vault/vault.d.ts

@@ -0,0 +1,104 @@
+import type Database from 'better-sqlite3-multiple-ciphers';
+import type { BodyInspectionMode } from '../gate/body-inspector.js';
+export type AuthType = 'bearer' | 'header' | 'query' | 'basic';
+export interface Credential {
+    id: string;
+    name: string;
+    service: string;
+    authType: AuthType;
+    headerName?: string;
+    domains: string[];
+    scopes: string[];
+    expiresAt?: string;
+    rateLimit?: string;
+    bodyInspection: BodyInspectionMode;
+    createdAt: string;
+    updatedAt: string;
+}
+export interface CredentialWithSecret extends Credential {
+    secret: string;
+}
+export declare class Vault {
+    private db;
+    /** Cached derived key — PBKDF2 runs once in the constructor. */
+    private derivedKey;
+    constructor(db: Database.Database, masterKey: string, salt?: Buffer | string);
+    /**
+     * Verify the master key by attempting to decrypt the first stored credential.
+     * Throws a clear error if the key is wrong (AES-256-GCM auth tag mismatch).
+     * Silently succeeds if the vault is empty (nothing to verify against).
+     */
+    private verifyKey;
+    /**
+     * Store a new credential in the vault.
+     */
+    /** Maximum credential secret size: 512 KB. */
+    static readonly MAX_SECRET_BYTES: number;
+    /** Maximum credential name length: 128 characters. */
+    static readonly MAX_NAME_LENGTH = 128;
+    add(params: {
+        name: string;
+        service: string;
+        secret: string;
+        authType?: AuthType;
+        headerName?: string;
+        domains: string[];
+        scopes?: string[];
+        ttlDays?: number;
+        rateLimit?: string;
+        bodyInspection?: BodyInspectionMode;
+    }): Credential;
+    /**
+     * Rotate a credential's secret. The old secret is saved to credential_history
+     * with an optional grace period during which it remains valid.
+     */
+    rotate(params: {
+        name: string;
+        newSecret: string;
+        gracePeriodHours?: number;
+    }): Credential;
+    /**
+     * Update a credential's metadata (domains, scopes, auth type, header name)
+     * without re-entering the secret.
+     */
+    update(params: {
+        name: string;
+        domains?: string[];
+        scopes?: string[];
+        authType?: AuthType;
+        headerName?: string;
+        rateLimit?: string | null;
+        bodyInspection?: BodyInspectionMode;
+    }): Credential;
+    /**
+     * Check if a credential has expired based on its expiresAt field.
+     */
+    isExpired(credential: Credential): boolean;
+    /**
+     * List all credentials (without secrets).
+     */
+    list(): Credential[];
+    /**
+     * Get a credential by name, including the decrypted secret.
+     */
+    getByName(name: string): CredentialWithSecret | null;
+    /**
+     * Get a credential by service name, including the decrypted secret.
+     */
+    getByService(service: string): CredentialWithSecret | null;
+    /**
+     * Find a credential whose allowed domains match a given hostname.
+     */
+    findByDomain(hostname: string): CredentialWithSecret | null;
+    /**
+     * Remove a credential by name.
+     */
+    remove(name: string): boolean;
+    /**
+     * Check if a hostname matches any of the allowed domain patterns.
+     * Supports wildcards: *.slack.com matches api.slack.com
+     */
+    domainMatches(hostname: string, allowedDomains: string[]): boolean;
+    private rowToCredential;
+}
+//# sourceMappingURL=vault.d.ts.map

package/dist/vault/vault.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"vault.d.ts","sourceRoot":"","sources":["../../src/vault/vault.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,QAAQ,MAAM,iCAAiC,CAAC;AAC5D,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AAIpE,MAAM,MAAM,QAAQ,GAAG,QAAQ,GAAG,QAAQ,GAAG,OAAO,GAAG,OAAO,CAAC;AAE/D,MAAM,WAAW,UAAU;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,QAAQ,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,cAAc,EAAE,kBAAkB,CAAC;IACnC,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,oBAAqB,SAAQ,UAAU;IACtD,MAAM,EAAE,MAAM,CAAC;CAChB;AAoBD,qBAAa,KAAK;IAKd,OAAO,CAAC,EAAE;IAJZ,gEAAgE;IAChE,OAAO,CAAC,UAAU,CAAS;gBAGjB,EAAE,EAAE,QAAQ,CAAC,QAAQ,EAC7B,SAAS,EAAE,MAAM,EACjB,IAAI,GAAE,MAAM,GAAG,MAAyB;IAW1C;;;;OAIG;IACH,OAAO,CAAC,SAAS;IAkBjB;;OAEG;IACH,8CAA8C;IAC9C,MAAM,CAAC,QAAQ,CAAC,gBAAgB,SAAc;IAE9C,sDAAsD;IACtD,MAAM,CAAC,QAAQ,CAAC,eAAe,OAAO;IAEtC,GAAG,CAAC,MAAM,EAAE;QACV,IAAI,EAAE,MAAM,CAAC;QACb,OAAO,EAAE,MAAM,CAAC;QAChB,MAAM,EAAE,MAAM,CAAC;QACf,QAAQ,CAAC,EAAE,QAAQ,CAAC;QACpB,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,OAAO,EAAE,MAAM,EAAE,CAAC;QAClB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;QAClB,OAAO,CAAC,EAAE,MAAM,CAAC;QACjB,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,cAAc,CAAC,EAAE,kBAAkB,CAAC;KACrC,GAAG,UAAU;IAgEd;;;OAGG;IACH,MAAM,CAAC,MAAM,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAC;QAAC,gBAAgB,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,UAAU;IAoD1F;;;OAGG;IACH,MAAM,CAAC,MAAM,EAAE;QACb,IAAI,EAAE,MAAM,CAAC;QACb,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;QACnB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;QAClB,QAAQ,CAAC,EAAE,QAAQ,CAAC;QACpB,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;QAC1B,cAAc,CAAC,EAAE,kBAAkB,CAAC;KACrC,GAAG,UAAU;IA2Cd;;OAEG;IACH,SAAS,CAAC,UAAU,EAAE,UAAU,GAAG,OAAO;IAK1C;;OAEG;IACH,IAAI,IAAI,UAAU,EAAE;IAQpB;;OAEG;IACH,SAAS,CAAC,IAAI,EAAE,MAAM,GAAG,oBAAoB,GAAG,IAAI;IAmBpD;;OAEG;IACH,YAAY,CAAC,OAAO,EAAE,MAAM,GAAG,oBAAoB,GAAG,IAAI;IAmB1D;;OAEG;IACH,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,oBAAoB,GAAG,IAAI;IAqB3D;;OAEG;IACH,MAAM,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO;IAK7B;;;OAGG;IACH,aAAa,CAAC,QAAQ,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,EAAE,GAAG,OAAO;IAiBlE,OAAO,CAAC,eAAe;CAgBxB"}