npm - @getrift/rift - Versions diffs - 0.0.0 → 0.1.0-beta.1 - Mend

@getrift/rift 0.0.0 → 0.1.0-beta.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (651) hide show

package/README.dev.md +110 -0
package/dist/src/auth/keychain.d.ts +25 -0
package/dist/src/auth/keychain.d.ts.map +1 -0
package/dist/src/auth/keychain.js +113 -0
package/dist/src/auth/keychain.js.map +1 -0
package/dist/src/auth/middleware.d.ts +20 -0
package/dist/src/auth/middleware.d.ts.map +1 -0
package/dist/src/auth/middleware.js +49 -0
package/dist/src/auth/middleware.js.map +1 -0
package/dist/src/auth/rate-limit.d.ts +16 -0
package/dist/src/auth/rate-limit.d.ts.map +1 -0
package/dist/src/auth/rate-limit.js +38 -0
package/dist/src/auth/rate-limit.js.map +1 -0
package/dist/src/auth/rotation.d.ts +67 -0
package/dist/src/auth/rotation.d.ts.map +1 -0
package/dist/src/auth/rotation.js +190 -0
package/dist/src/auth/rotation.js.map +1 -0
package/dist/src/backfill/project-context-batch-constructor.d.ts +127 -0
package/dist/src/backfill/project-context-batch-constructor.d.ts.map +1 -0
package/dist/src/backfill/project-context-batch-constructor.js +210 -0
package/dist/src/backfill/project-context-batch-constructor.js.map +1 -0
package/dist/src/capture/auto-capture.d.ts +162 -0
package/dist/src/capture/auto-capture.d.ts.map +1 -0
package/dist/src/capture/auto-capture.js +601 -0
package/dist/src/capture/auto-capture.js.map +1 -0
package/dist/src/capture/batch-budget.d.ts +90 -0
package/dist/src/capture/batch-budget.d.ts.map +1 -0
package/dist/src/capture/batch-budget.js +148 -0
package/dist/src/capture/batch-budget.js.map +1 -0
package/dist/src/capture/codex-cli-triage-provider.d.ts +17 -0
package/dist/src/capture/codex-cli-triage-provider.d.ts.map +1 -0
package/dist/src/capture/codex-cli-triage-provider.js +109 -0
package/dist/src/capture/codex-cli-triage-provider.js.map +1 -0
package/dist/src/capture/observability.d.ts +42 -0
package/dist/src/capture/observability.d.ts.map +1 -0
package/dist/src/capture/observability.js +87 -0
package/dist/src/capture/observability.js.map +1 -0
package/dist/src/capture/openai-triage-provider.d.ts +92 -0
package/dist/src/capture/openai-triage-provider.d.ts.map +1 -0
package/dist/src/capture/openai-triage-provider.js +267 -0
package/dist/src/capture/openai-triage-provider.js.map +1 -0
package/dist/src/capture/review-queue-index.d.ts +51 -0
package/dist/src/capture/review-queue-index.d.ts.map +1 -0
package/dist/src/capture/review-queue-index.js +204 -0
package/dist/src/capture/review-queue-index.js.map +1 -0
package/dist/src/capture/review-queue.d.ts +43 -0
package/dist/src/capture/review-queue.d.ts.map +1 -0
package/dist/src/capture/review-queue.js +116 -0
package/dist/src/capture/review-queue.js.map +1 -0
package/dist/src/capture/sources.d.ts +7 -0
package/dist/src/capture/sources.d.ts.map +1 -0
package/dist/src/capture/sources.js +3 -0
package/dist/src/capture/sources.js.map +1 -0
package/dist/src/capture/triage-lane.d.ts +39 -0
package/dist/src/capture/triage-lane.d.ts.map +1 -0
package/dist/src/capture/triage-lane.js +217 -0
package/dist/src/capture/triage-lane.js.map +1 -0
package/dist/src/capture/triage-provider.d.ts +75 -0
package/dist/src/capture/triage-provider.d.ts.map +1 -0
package/dist/src/capture/triage-provider.js +120 -0
package/dist/src/capture/triage-provider.js.map +1 -0
package/dist/src/capture/triage.d.ts +30 -0
package/dist/src/capture/triage.d.ts.map +1 -0
package/dist/src/capture/triage.js +48 -0
package/dist/src/capture/triage.js.map +1 -0
package/dist/src/cli/commands/backfill.d.ts +3 -0
package/dist/src/cli/commands/backfill.d.ts.map +1 -0
package/dist/src/cli/commands/backfill.js +1376 -0
package/dist/src/cli/commands/backfill.js.map +1 -0
package/dist/src/cli/commands/bulk-ingest.d.ts +3 -0
package/dist/src/cli/commands/bulk-ingest.d.ts.map +1 -0
package/dist/src/cli/commands/bulk-ingest.js +126 -0
package/dist/src/cli/commands/bulk-ingest.js.map +1 -0
package/dist/src/cli/commands/capture.d.ts +12 -0
package/dist/src/cli/commands/capture.d.ts.map +1 -0
package/dist/src/cli/commands/capture.js +123 -0
package/dist/src/cli/commands/capture.js.map +1 -0
package/dist/src/cli/commands/compact.d.ts +3 -0
package/dist/src/cli/commands/compact.d.ts.map +1 -0
package/dist/src/cli/commands/compact.js +70 -0
package/dist/src/cli/commands/compact.js.map +1 -0
package/dist/src/cli/commands/feedback.d.ts +22 -0
package/dist/src/cli/commands/feedback.d.ts.map +1 -0
package/dist/src/cli/commands/feedback.js +125 -0
package/dist/src/cli/commands/feedback.js.map +1 -0
package/dist/src/cli/commands/hooks-install.d.ts +19 -0
package/dist/src/cli/commands/hooks-install.d.ts.map +1 -0
package/dist/src/cli/commands/hooks-install.js +103 -0
package/dist/src/cli/commands/hooks-install.js.map +1 -0
package/dist/src/cli/commands/import.d.ts +19 -0
package/dist/src/cli/commands/import.d.ts.map +1 -0
package/dist/src/cli/commands/import.js +258 -0
package/dist/src/cli/commands/import.js.map +1 -0
package/dist/src/cli/commands/ingest.d.ts +3 -0
package/dist/src/cli/commands/ingest.d.ts.map +1 -0
package/dist/src/cli/commands/ingest.js +80 -0
package/dist/src/cli/commands/ingest.js.map +1 -0
package/dist/src/cli/commands/mcp-install.d.ts +25 -0
package/dist/src/cli/commands/mcp-install.d.ts.map +1 -0
package/dist/src/cli/commands/mcp-install.js +134 -0
package/dist/src/cli/commands/mcp-install.js.map +1 -0
package/dist/src/cli/commands/onboard.d.ts +98 -0
package/dist/src/cli/commands/onboard.d.ts.map +1 -0
package/dist/src/cli/commands/onboard.js +823 -0
package/dist/src/cli/commands/onboard.js.map +1 -0
package/dist/src/cli/commands/rebuild.d.ts +12 -0
package/dist/src/cli/commands/rebuild.d.ts.map +1 -0
package/dist/src/cli/commands/rebuild.js +164 -0
package/dist/src/cli/commands/rebuild.js.map +1 -0
package/dist/src/cli/commands/reconcile.d.ts +3 -0
package/dist/src/cli/commands/reconcile.d.ts.map +1 -0
package/dist/src/cli/commands/reconcile.js +56 -0
package/dist/src/cli/commands/reconcile.js.map +1 -0
package/dist/src/cli/commands/reindex.d.ts +3 -0
package/dist/src/cli/commands/reindex.d.ts.map +1 -0
package/dist/src/cli/commands/reindex.js +66 -0
package/dist/src/cli/commands/reindex.js.map +1 -0
package/dist/src/cli/commands/review.d.ts +13 -0
package/dist/src/cli/commands/review.d.ts.map +1 -0
package/dist/src/cli/commands/review.js +383 -0
package/dist/src/cli/commands/review.js.map +1 -0
package/dist/src/cli/commands/save.d.ts +3 -0
package/dist/src/cli/commands/save.d.ts.map +1 -0
package/dist/src/cli/commands/save.js +111 -0
package/dist/src/cli/commands/save.js.map +1 -0
package/dist/src/cli/commands/search.d.ts +35 -0
package/dist/src/cli/commands/search.d.ts.map +1 -0
package/dist/src/cli/commands/search.js +88 -0
package/dist/src/cli/commands/search.js.map +1 -0
package/dist/src/cli/commands/stats.d.ts +3 -0
package/dist/src/cli/commands/stats.d.ts.map +1 -0
package/dist/src/cli/commands/stats.js +42 -0
package/dist/src/cli/commands/stats.js.map +1 -0
package/dist/src/cli/commands/status.d.ts +15 -0
package/dist/src/cli/commands/status.d.ts.map +1 -0
package/dist/src/cli/commands/status.js +89 -0
package/dist/src/cli/commands/status.js.map +1 -0
package/dist/src/cli/commands/token-issue.d.ts +3 -0
package/dist/src/cli/commands/token-issue.d.ts.map +1 -0
package/dist/src/cli/commands/token-issue.js +25 -0
package/dist/src/cli/commands/token-issue.js.map +1 -0
package/dist/src/cli/commands/triage.d.ts +3 -0
package/dist/src/cli/commands/triage.d.ts.map +1 -0
package/dist/src/cli/commands/triage.js +125 -0
package/dist/src/cli/commands/triage.js.map +1 -0
package/dist/src/cli/commands/uninstall.d.ts +3 -0
package/dist/src/cli/commands/uninstall.d.ts.map +1 -0
package/dist/src/cli/commands/uninstall.js +238 -0
package/dist/src/cli/commands/uninstall.js.map +1 -0
package/dist/src/cli/feedback/feedback-config.d.ts +21 -0
package/dist/src/cli/feedback/feedback-config.d.ts.map +1 -0
package/dist/src/cli/feedback/feedback-config.js +43 -0
package/dist/src/cli/feedback/feedback-config.js.map +1 -0
package/dist/src/cli/feedback/feedback-history.d.ts +4 -0
package/dist/src/cli/feedback/feedback-history.d.ts.map +1 -0
package/dist/src/cli/feedback/feedback-history.js +115 -0
package/dist/src/cli/feedback/feedback-history.js.map +1 -0
package/dist/src/cli/feedback/feedback-payload.d.ts +53 -0
package/dist/src/cli/feedback/feedback-payload.d.ts.map +1 -0
package/dist/src/cli/feedback/feedback-payload.js +10 -0
package/dist/src/cli/feedback/feedback-payload.js.map +1 -0
package/dist/src/cli/feedback/feedback-relay.d.ts +15 -0
package/dist/src/cli/feedback/feedback-relay.d.ts.map +1 -0
package/dist/src/cli/feedback/feedback-relay.js +47 -0
package/dist/src/cli/feedback/feedback-relay.js.map +1 -0
package/dist/src/cli/feedback/feedback-status.d.ts +11 -0
package/dist/src/cli/feedback/feedback-status.d.ts.map +1 -0
package/dist/src/cli/feedback/feedback-status.js +122 -0
package/dist/src/cli/feedback/feedback-status.js.map +1 -0
package/dist/src/cli/hooks-writers/claude-code-policy-script.d.ts +25 -0
package/dist/src/cli/hooks-writers/claude-code-policy-script.d.ts.map +1 -0
package/dist/src/cli/hooks-writers/claude-code-policy-script.js +85 -0
package/dist/src/cli/hooks-writers/claude-code-policy-script.js.map +1 -0
package/dist/src/cli/hooks-writers/claude-code.d.ts +12 -0
package/dist/src/cli/hooks-writers/claude-code.d.ts.map +1 -0
package/dist/src/cli/hooks-writers/claude-code.js +228 -0
package/dist/src/cli/hooks-writers/claude-code.js.map +1 -0
package/dist/src/cli/hooks-writers/errors.d.ts +16 -0
package/dist/src/cli/hooks-writers/errors.d.ts.map +1 -0
package/dist/src/cli/hooks-writers/errors.js +24 -0
package/dist/src/cli/hooks-writers/errors.js.map +1 -0
package/dist/src/cli/hooks-writers/index.d.ts +13 -0
package/dist/src/cli/hooks-writers/index.d.ts.map +1 -0
package/dist/src/cli/hooks-writers/index.js +26 -0
package/dist/src/cli/hooks-writers/index.js.map +1 -0
package/dist/src/cli/hooks-writers/types.d.ts +27 -0
package/dist/src/cli/hooks-writers/types.d.ts.map +1 -0
package/dist/src/cli/hooks-writers/types.js +9 -0
package/dist/src/cli/hooks-writers/types.js.map +1 -0
package/dist/src/cli/http-client.d.ts +36 -0
package/dist/src/cli/http-client.d.ts.map +1 -0
package/dist/src/cli/http-client.js +153 -0
package/dist/src/cli/http-client.js.map +1 -0
package/dist/src/cli/index.d.ts +4 -0
package/dist/src/cli/index.d.ts.map +1 -0
package/dist/src/cli/index.js +68 -0
package/dist/src/cli/index.js.map +1 -0
package/dist/src/cli/job-poller.d.ts +13 -0
package/dist/src/cli/job-poller.d.ts.map +1 -0
package/dist/src/cli/job-poller.js +29 -0
package/dist/src/cli/job-poller.js.map +1 -0
package/dist/src/cli/mcp-config-writers/codex-toml.d.ts +10 -0
package/dist/src/cli/mcp-config-writers/codex-toml.d.ts.map +1 -0
package/dist/src/cli/mcp-config-writers/codex-toml.js +410 -0
package/dist/src/cli/mcp-config-writers/codex-toml.js.map +1 -0
package/dist/src/cli/mcp-config-writers/errors.d.ts +17 -0
package/dist/src/cli/mcp-config-writers/errors.d.ts.map +1 -0
package/dist/src/cli/mcp-config-writers/errors.js +13 -0
package/dist/src/cli/mcp-config-writers/errors.js.map +1 -0
package/dist/src/cli/mcp-config-writers/index.d.ts +18 -0
package/dist/src/cli/mcp-config-writers/index.d.ts.map +1 -0
package/dist/src/cli/mcp-config-writers/index.js +49 -0
package/dist/src/cli/mcp-config-writers/index.js.map +1 -0
package/dist/src/cli/mcp-config-writers/json-config.d.ts +12 -0
package/dist/src/cli/mcp-config-writers/json-config.d.ts.map +1 -0
package/dist/src/cli/mcp-config-writers/json-config.js +177 -0
package/dist/src/cli/mcp-config-writers/json-config.js.map +1 -0
package/dist/src/cli/mcp-config-writers/redact.d.ts +28 -0
package/dist/src/cli/mcp-config-writers/redact.d.ts.map +1 -0
package/dist/src/cli/mcp-config-writers/redact.js +48 -0
package/dist/src/cli/mcp-config-writers/redact.js.map +1 -0
package/dist/src/cli/mcp-config-writers/types.d.ts +32 -0
package/dist/src/cli/mcp-config-writers/types.d.ts.map +1 -0
package/dist/src/cli/mcp-config-writers/types.js +5 -0
package/dist/src/cli/mcp-config-writers/types.js.map +1 -0
package/dist/src/cli/output.d.ts +8 -0
package/dist/src/cli/output.d.ts.map +1 -0
package/dist/src/cli/output.js +34 -0
package/dist/src/cli/output.js.map +1 -0
package/dist/src/cli/status/friend-header.d.ts +33 -0
package/dist/src/cli/status/friend-header.d.ts.map +1 -0
package/dist/src/cli/status/friend-header.js +108 -0
package/dist/src/cli/status/friend-header.js.map +1 -0
package/dist/src/cli/status/local-signals.d.ts +14 -0
package/dist/src/cli/status/local-signals.d.ts.map +1 -0
package/dist/src/cli/status/local-signals.js +73 -0
package/dist/src/cli/status/local-signals.js.map +1 -0
package/dist/src/cli/token.d.ts +37 -0
package/dist/src/cli/token.d.ts.map +1 -0
package/dist/src/cli/token.js +105 -0
package/dist/src/cli/token.js.map +1 -0
package/dist/src/cli/uninstall/mcp-uninstall.d.ts +33 -0
package/dist/src/cli/uninstall/mcp-uninstall.d.ts.map +1 -0
package/dist/src/cli/uninstall/mcp-uninstall.js +181 -0
package/dist/src/cli/uninstall/mcp-uninstall.js.map +1 -0
package/dist/src/config/loader.d.ts +9 -0
package/dist/src/config/loader.d.ts.map +1 -0
package/dist/src/config/loader.js +73 -0
package/dist/src/config/loader.js.map +1 -0
package/dist/src/config/schema.d.ts +635 -0
package/dist/src/config/schema.d.ts.map +1 -0
package/dist/src/config/schema.js +208 -0
package/dist/src/config/schema.js.map +1 -0
package/dist/src/ingestion/bulk-ingest.d.ts +11 -0
package/dist/src/ingestion/bulk-ingest.d.ts.map +1 -0
package/dist/src/ingestion/bulk-ingest.js +11 -0
package/dist/src/ingestion/bulk-ingest.js.map +1 -0
package/dist/src/ingestion/extractor.d.ts +16 -0
package/dist/src/ingestion/extractor.d.ts.map +1 -0
package/dist/src/ingestion/extractor.js +85 -0
package/dist/src/ingestion/extractor.js.map +1 -0
package/dist/src/ingestion/extractors/docx.d.ts +3 -0
package/dist/src/ingestion/extractors/docx.d.ts.map +1 -0
package/dist/src/ingestion/extractors/docx.js +20 -0
package/dist/src/ingestion/extractors/docx.js.map +1 -0
package/dist/src/ingestion/extractors/pdf.d.ts +3 -0
package/dist/src/ingestion/extractors/pdf.d.ts.map +1 -0
package/dist/src/ingestion/extractors/pdf.js +32 -0
package/dist/src/ingestion/extractors/pdf.js.map +1 -0
package/dist/src/ingestion/historical-campaign.d.ts +340 -0
package/dist/src/ingestion/historical-campaign.d.ts.map +1 -0
package/dist/src/ingestion/historical-campaign.js +1010 -0
package/dist/src/ingestion/historical-campaign.js.map +1 -0
package/dist/src/ingestion/ignored-paths.d.ts +20 -0
package/dist/src/ingestion/ignored-paths.d.ts.map +1 -0
package/dist/src/ingestion/ignored-paths.js +45 -0
package/dist/src/ingestion/ignored-paths.js.map +1 -0
package/dist/src/ingestion/inbox-watcher.d.ts +12 -0
package/dist/src/ingestion/inbox-watcher.d.ts.map +1 -0
package/dist/src/ingestion/inbox-watcher.js +99 -0
package/dist/src/ingestion/inbox-watcher.js.map +1 -0
package/dist/src/ingestion/indexer.d.ts +32 -0
package/dist/src/ingestion/indexer.d.ts.map +1 -0
package/dist/src/ingestion/indexer.js +68 -0
package/dist/src/ingestion/indexer.js.map +1 -0
package/dist/src/ingestion/metadata-extraction.d.ts +53 -0
package/dist/src/ingestion/metadata-extraction.d.ts.map +1 -0
package/dist/src/ingestion/metadata-extraction.js +132 -0
package/dist/src/ingestion/metadata-extraction.js.map +1 -0
package/dist/src/ingestion/parsers/chatgpt-web.d.ts +29 -0
package/dist/src/ingestion/parsers/chatgpt-web.d.ts.map +1 -0
package/dist/src/ingestion/parsers/chatgpt-web.js +100 -0
package/dist/src/ingestion/parsers/chatgpt-web.js.map +1 -0
package/dist/src/ingestion/parsers/claude-code-jsonl.d.ts +16 -0
package/dist/src/ingestion/parsers/claude-code-jsonl.d.ts.map +1 -0
package/dist/src/ingestion/parsers/claude-code-jsonl.js +123 -0
package/dist/src/ingestion/parsers/claude-code-jsonl.js.map +1 -0
package/dist/src/ingestion/parsers/claude-web.d.ts +24 -0
package/dist/src/ingestion/parsers/claude-web.d.ts.map +1 -0
package/dist/src/ingestion/parsers/claude-web.js +78 -0
package/dist/src/ingestion/parsers/claude-web.js.map +1 -0
package/dist/src/ingestion/parsers/codex-jsonl.d.ts +18 -0
package/dist/src/ingestion/parsers/codex-jsonl.d.ts.map +1 -0
package/dist/src/ingestion/parsers/codex-jsonl.js +125 -0
package/dist/src/ingestion/parsers/codex-jsonl.js.map +1 -0
package/dist/src/ingestion/parsers/gemini-web.d.ts +16 -0
package/dist/src/ingestion/parsers/gemini-web.d.ts.map +1 -0
package/dist/src/ingestion/parsers/gemini-web.js +170 -0
package/dist/src/ingestion/parsers/gemini-web.js.map +1 -0
package/dist/src/ingestion/parsers/grok-web.d.ts +40 -0
package/dist/src/ingestion/parsers/grok-web.d.ts.map +1 -0
package/dist/src/ingestion/parsers/grok-web.js +67 -0
package/dist/src/ingestion/parsers/grok-web.js.map +1 -0
package/dist/src/ingestion/parsers/types.d.ts +34 -0
package/dist/src/ingestion/parsers/types.d.ts.map +1 -0
package/dist/src/ingestion/parsers/types.js +26 -0
package/dist/src/ingestion/parsers/types.js.map +1 -0
package/dist/src/ingestion/scanner.d.ts +48 -0
package/dist/src/ingestion/scanner.d.ts.map +1 -0
package/dist/src/ingestion/scanner.js +131 -0
package/dist/src/ingestion/scanner.js.map +1 -0
package/dist/src/ingestion/staging.d.ts +109 -0
package/dist/src/ingestion/staging.d.ts.map +1 -0
package/dist/src/ingestion/staging.js +411 -0
package/dist/src/ingestion/staging.js.map +1 -0
package/dist/src/ingestion/watcher.d.ts +65 -0
package/dist/src/ingestion/watcher.d.ts.map +1 -0
package/dist/src/ingestion/watcher.js +182 -0
package/dist/src/ingestion/watcher.js.map +1 -0
package/dist/src/jobs/codex-override-handler.d.ts +3 -0
package/dist/src/jobs/codex-override-handler.d.ts.map +1 -0
package/dist/src/jobs/codex-override-handler.js +16 -0
package/dist/src/jobs/codex-override-handler.js.map +1 -0
package/dist/src/jobs/handlers/compact.d.ts +30 -0
package/dist/src/jobs/handlers/compact.d.ts.map +1 -0
package/dist/src/jobs/handlers/compact.js +329 -0
package/dist/src/jobs/handlers/compact.js.map +1 -0
package/dist/src/jobs/handlers/ingest.d.ts +13 -0
package/dist/src/jobs/handlers/ingest.d.ts.map +1 -0
package/dist/src/jobs/handlers/ingest.js +255 -0
package/dist/src/jobs/handlers/ingest.js.map +1 -0
package/dist/src/jobs/handlers/reconcile.d.ts +29 -0
package/dist/src/jobs/handlers/reconcile.d.ts.map +1 -0
package/dist/src/jobs/handlers/reconcile.js +476 -0
package/dist/src/jobs/handlers/reconcile.js.map +1 -0
package/dist/src/jobs/handlers/reindex.d.ts +38 -0
package/dist/src/jobs/handlers/reindex.d.ts.map +1 -0
package/dist/src/jobs/handlers/reindex.js +52 -0
package/dist/src/jobs/handlers/reindex.js.map +1 -0
package/dist/src/jobs/handlers/save.d.ts +10 -0
package/dist/src/jobs/handlers/save.d.ts.map +1 -0
package/dist/src/jobs/handlers/save.js +206 -0
package/dist/src/jobs/handlers/save.js.map +1 -0
package/dist/src/jobs/handlers/triage.d.ts +47 -0
package/dist/src/jobs/handlers/triage.d.ts.map +1 -0
package/dist/src/jobs/handlers/triage.js +95 -0
package/dist/src/jobs/handlers/triage.js.map +1 -0
package/dist/src/jobs/queue.d.ts +107 -0
package/dist/src/jobs/queue.d.ts.map +1 -0
package/dist/src/jobs/queue.js +319 -0
package/dist/src/jobs/queue.js.map +1 -0
package/dist/src/jobs/types.d.ts +39 -0
package/dist/src/jobs/types.d.ts.map +1 -0
package/dist/src/jobs/types.js +29 -0
package/dist/src/jobs/types.js.map +1 -0
package/dist/src/jobs/worker-entry.d.ts +10 -0
package/dist/src/jobs/worker-entry.d.ts.map +1 -0
package/dist/src/jobs/worker-entry.js +210 -0
package/dist/src/jobs/worker-entry.js.map +1 -0
package/dist/src/jobs/worker-process.d.ts +50 -0
package/dist/src/jobs/worker-process.d.ts.map +1 -0
package/dist/src/jobs/worker-process.js +186 -0
package/dist/src/jobs/worker-process.js.map +1 -0
package/dist/src/jobs/worker.d.ts +11 -0
package/dist/src/jobs/worker.d.ts.map +1 -0
package/dist/src/jobs/worker.js +14 -0
package/dist/src/jobs/worker.js.map +1 -0
package/dist/src/main.d.ts +2 -0
package/dist/src/main.d.ts.map +1 -0
package/dist/src/main.js +425 -0
package/dist/src/main.js.map +1 -0
package/dist/src/mcp/errors.d.ts +8 -0
package/dist/src/mcp/errors.d.ts.map +1 -0
package/dist/src/mcp/errors.js +50 -0
package/dist/src/mcp/errors.js.map +1 -0
package/dist/src/mcp/server.d.ts +10 -0
package/dist/src/mcp/server.d.ts.map +1 -0
package/dist/src/mcp/server.js +94 -0
package/dist/src/mcp/server.js.map +1 -0
package/dist/src/mcp/tools/context-pack.d.ts +35 -0
package/dist/src/mcp/tools/context-pack.d.ts.map +1 -0
package/dist/src/mcp/tools/context-pack.js +97 -0
package/dist/src/mcp/tools/context-pack.js.map +1 -0
package/dist/src/mcp/tools/conversations-search.d.ts +38 -0
package/dist/src/mcp/tools/conversations-search.d.ts.map +1 -0
package/dist/src/mcp/tools/conversations-search.js +73 -0
package/dist/src/mcp/tools/conversations-search.js.map +1 -0
package/dist/src/mcp/tools/save.d.ts +32 -0
package/dist/src/mcp/tools/save.d.ts.map +1 -0
package/dist/src/mcp/tools/save.js +60 -0
package/dist/src/mcp/tools/save.js.map +1 -0
package/dist/src/mcp/tools/search.d.ts +33 -0
package/dist/src/mcp/tools/search.d.ts.map +1 -0
package/dist/src/mcp/tools/search.js +58 -0
package/dist/src/mcp/tools/search.js.map +1 -0
package/dist/src/mcp/tools/status.d.ts +17 -0
package/dist/src/mcp/tools/status.d.ts.map +1 -0
package/dist/src/mcp/tools/status.js +12 -0
package/dist/src/mcp/tools/status.js.map +1 -0
package/dist/src/observability/coverage.d.ts +100 -0
package/dist/src/observability/coverage.d.ts.map +1 -0
package/dist/src/observability/coverage.js +180 -0
package/dist/src/observability/coverage.js.map +1 -0
package/dist/src/observability/rift-context.d.ts +47 -0
package/dist/src/observability/rift-context.d.ts.map +1 -0
package/dist/src/observability/rift-context.js +118 -0
package/dist/src/observability/rift-context.js.map +1 -0
package/dist/src/observability/staleness.d.ts +43 -0
package/dist/src/observability/staleness.d.ts.map +1 -0
package/dist/src/observability/staleness.js +74 -0
package/dist/src/observability/staleness.js.map +1 -0
package/dist/src/observability/tool-usage-stats.d.ts +23 -0
package/dist/src/observability/tool-usage-stats.d.ts.map +1 -0
package/dist/src/observability/tool-usage-stats.js +83 -0
package/dist/src/observability/tool-usage-stats.js.map +1 -0
package/dist/src/observability/tool-usage.d.ts +68 -0
package/dist/src/observability/tool-usage.d.ts.map +1 -0
package/dist/src/observability/tool-usage.js +207 -0
package/dist/src/observability/tool-usage.js.map +1 -0
package/dist/src/onboarding/daemon-control.d.ts +33 -0
package/dist/src/onboarding/daemon-control.d.ts.map +1 -0
package/dist/src/onboarding/daemon-control.js +92 -0
package/dist/src/onboarding/daemon-control.js.map +1 -0
package/dist/src/onboarding/env-file.d.ts +18 -0
package/dist/src/onboarding/env-file.d.ts.map +1 -0
package/dist/src/onboarding/env-file.js +89 -0
package/dist/src/onboarding/env-file.js.map +1 -0
package/dist/src/onboarding/voyage-validate.d.ts +16 -0
package/dist/src/onboarding/voyage-validate.d.ts.map +1 -0
package/dist/src/onboarding/voyage-validate.js +85 -0
package/dist/src/onboarding/voyage-validate.js.map +1 -0
package/dist/src/providers/anthropic-digest.d.ts +23 -0
package/dist/src/providers/anthropic-digest.d.ts.map +1 -0
package/dist/src/providers/anthropic-digest.js +91 -0
package/dist/src/providers/anthropic-digest.js.map +1 -0
package/dist/src/providers/codex-cli-digest.d.ts +12 -0
package/dist/src/providers/codex-cli-digest.d.ts.map +1 -0
package/dist/src/providers/codex-cli-digest.js +70 -0
package/dist/src/providers/codex-cli-digest.js.map +1 -0
package/dist/src/providers/codex-cli-metadata-extraction.d.ts +14 -0
package/dist/src/providers/codex-cli-metadata-extraction.d.ts.map +1 -0
package/dist/src/providers/codex-cli-metadata-extraction.js +101 -0
package/dist/src/providers/codex-cli-metadata-extraction.js.map +1 -0
package/dist/src/providers/codex-cli-runner.d.ts +14 -0
package/dist/src/providers/codex-cli-runner.d.ts.map +1 -0
package/dist/src/providers/codex-cli-runner.js +272 -0
package/dist/src/providers/codex-cli-runner.js.map +1 -0
package/dist/src/providers/conversation-generation.d.ts +10 -0
package/dist/src/providers/conversation-generation.d.ts.map +1 -0
package/dist/src/providers/conversation-generation.js +54 -0
package/dist/src/providers/conversation-generation.js.map +1 -0
package/dist/src/providers/ollama-embed.d.ts +22 -0
package/dist/src/providers/ollama-embed.d.ts.map +1 -0
package/dist/src/providers/ollama-embed.js +133 -0
package/dist/src/providers/ollama-embed.js.map +1 -0
package/dist/src/providers/ollama.d.ts +42 -0
package/dist/src/providers/ollama.d.ts.map +1 -0
package/dist/src/providers/ollama.js +169 -0
package/dist/src/providers/ollama.js.map +1 -0
package/dist/src/providers/openai-metadata-extraction.d.ts +73 -0
package/dist/src/providers/openai-metadata-extraction.d.ts.map +1 -0
package/dist/src/providers/openai-metadata-extraction.js +161 -0
package/dist/src/providers/openai-metadata-extraction.js.map +1 -0
package/dist/src/providers/operator-overrides.d.ts +24 -0
package/dist/src/providers/operator-overrides.d.ts.map +1 -0
package/dist/src/providers/operator-overrides.js +84 -0
package/dist/src/providers/operator-overrides.js.map +1 -0
package/dist/src/providers/stub.d.ts +17 -0
package/dist/src/providers/stub.d.ts.map +1 -0
package/dist/src/providers/stub.js +72 -0
package/dist/src/providers/stub.js.map +1 -0
package/dist/src/providers/types.d.ts +82 -0
package/dist/src/providers/types.d.ts.map +1 -0
package/dist/src/providers/types.js +52 -0
package/dist/src/providers/types.js.map +1 -0
package/dist/src/providers/voyage.d.ts +23 -0
package/dist/src/providers/voyage.d.ts.map +1 -0
package/dist/src/providers/voyage.js +135 -0
package/dist/src/providers/voyage.js.map +1 -0
package/dist/src/retrieval/compact.d.ts +89 -0
package/dist/src/retrieval/compact.d.ts.map +1 -0
package/dist/src/retrieval/compact.js +348 -0
package/dist/src/retrieval/compact.js.map +1 -0
package/dist/src/retrieval/context-pack.d.ts +123 -0
package/dist/src/retrieval/context-pack.d.ts.map +1 -0
package/dist/src/retrieval/context-pack.js +553 -0
package/dist/src/retrieval/context-pack.js.map +1 -0
package/dist/src/retrieval/cwd.d.ts +25 -0
package/dist/src/retrieval/cwd.d.ts.map +1 -0
package/dist/src/retrieval/cwd.js +48 -0
package/dist/src/retrieval/cwd.js.map +1 -0
package/dist/src/retrieval/degraded.d.ts +20 -0
package/dist/src/retrieval/degraded.d.ts.map +1 -0
package/dist/src/retrieval/degraded.js +43 -0
package/dist/src/retrieval/degraded.js.map +1 -0
package/dist/src/retrieval/hybrid.d.ts +38 -0
package/dist/src/retrieval/hybrid.d.ts.map +1 -0
package/dist/src/retrieval/hybrid.js +82 -0
package/dist/src/retrieval/hybrid.js.map +1 -0
package/dist/src/retrieval/lexical.d.ts +28 -0
package/dist/src/retrieval/lexical.d.ts.map +1 -0
package/dist/src/retrieval/lexical.js +301 -0
package/dist/src/retrieval/lexical.js.map +1 -0
package/dist/src/retrieval/post-filter.d.ts +32 -0
package/dist/src/retrieval/post-filter.d.ts.map +1 -0
package/dist/src/retrieval/post-filter.js +57 -0
package/dist/src/retrieval/post-filter.js.map +1 -0
package/dist/src/retrieval/reranker.d.ts +72 -0
package/dist/src/retrieval/reranker.d.ts.map +1 -0
package/dist/src/retrieval/reranker.js +129 -0
package/dist/src/retrieval/reranker.js.map +1 -0
package/dist/src/retrieval/vector.d.ts +47 -0
package/dist/src/retrieval/vector.d.ts.map +1 -0
package/dist/src/retrieval/vector.js +112 -0
package/dist/src/retrieval/vector.js.map +1 -0
package/dist/src/runtime/legacy-migration.d.ts +27 -0
package/dist/src/runtime/legacy-migration.d.ts.map +1 -0
package/dist/src/runtime/legacy-migration.js +140 -0
package/dist/src/runtime/legacy-migration.js.map +1 -0
package/dist/src/runtime/legacy-name-guard.d.ts +35 -0
package/dist/src/runtime/legacy-name-guard.d.ts.map +1 -0
package/dist/src/runtime/legacy-name-guard.js +58 -0
package/dist/src/runtime/legacy-name-guard.js.map +1 -0
package/dist/src/runtime/rift-env.d.ts +14 -0
package/dist/src/runtime/rift-env.d.ts.map +1 -0
package/dist/src/runtime/rift-env.js +79 -0
package/dist/src/runtime/rift-env.js.map +1 -0
package/dist/src/runtime/watcher-startup.d.ts +2 -0
package/dist/src/runtime/watcher-startup.d.ts.map +1 -0
package/dist/src/runtime/watcher-startup.js +4 -0
package/dist/src/runtime/watcher-startup.js.map +1 -0
package/dist/src/security/archive.d.ts +23 -0
package/dist/src/security/archive.d.ts.map +1 -0
package/dist/src/security/archive.js +163 -0
package/dist/src/security/archive.js.map +1 -0
package/dist/src/security/paths.d.ts +21 -0
package/dist/src/security/paths.d.ts.map +1 -0
package/dist/src/security/paths.js +67 -0
package/dist/src/security/paths.js.map +1 -0
package/dist/src/server/app.d.ts +29 -0
package/dist/src/server/app.d.ts.map +1 -0
package/dist/src/server/app.js +226 -0
package/dist/src/server/app.js.map +1 -0
package/dist/src/server/build-info.d.ts +8 -0
package/dist/src/server/build-info.d.ts.map +1 -0
package/dist/src/server/build-info.js +61 -0
package/dist/src/server/build-info.js.map +1 -0
package/dist/src/server/lifecycle.d.ts +30 -0
package/dist/src/server/lifecycle.d.ts.map +1 -0
package/dist/src/server/lifecycle.js +59 -0
package/dist/src/server/lifecycle.js.map +1 -0
package/dist/src/server/middleware/multipart.d.ts +51 -0
package/dist/src/server/middleware/multipart.d.ts.map +1 -0
package/dist/src/server/middleware/multipart.js +86 -0
package/dist/src/server/middleware/multipart.js.map +1 -0
package/dist/src/server/routes/compact.d.ts +37 -0
package/dist/src/server/routes/compact.d.ts.map +1 -0
package/dist/src/server/routes/compact.js +77 -0
package/dist/src/server/routes/compact.js.map +1 -0
package/dist/src/server/routes/context.d.ts +5 -0
package/dist/src/server/routes/context.d.ts.map +1 -0
package/dist/src/server/routes/context.js +50 -0
package/dist/src/server/routes/context.js.map +1 -0
package/dist/src/server/routes/conversations-search.d.ts +4 -0
package/dist/src/server/routes/conversations-search.d.ts.map +1 -0
package/dist/src/server/routes/conversations-search.js +243 -0
package/dist/src/server/routes/conversations-search.js.map +1 -0
package/dist/src/server/routes/friend-status.d.ts +72 -0
package/dist/src/server/routes/friend-status.d.ts.map +1 -0
package/dist/src/server/routes/friend-status.js +71 -0
package/dist/src/server/routes/friend-status.js.map +1 -0
package/dist/src/server/routes/ingest.d.ts +15 -0
package/dist/src/server/routes/ingest.d.ts.map +1 -0
package/dist/src/server/routes/ingest.js +139 -0
package/dist/src/server/routes/ingest.js.map +1 -0
package/dist/src/server/routes/jobs.d.ts +10 -0
package/dist/src/server/routes/jobs.d.ts.map +1 -0
package/dist/src/server/routes/jobs.js +29 -0
package/dist/src/server/routes/jobs.js.map +1 -0
package/dist/src/server/routes/mcp-usage.d.ts +13 -0
package/dist/src/server/routes/mcp-usage.d.ts.map +1 -0
package/dist/src/server/routes/mcp-usage.js +17 -0
package/dist/src/server/routes/mcp-usage.js.map +1 -0
package/dist/src/server/routes/reconcile.d.ts +4 -0
package/dist/src/server/routes/reconcile.d.ts.map +1 -0
package/dist/src/server/routes/reconcile.js +43 -0
package/dist/src/server/routes/reconcile.js.map +1 -0
package/dist/src/server/routes/reindex.d.ts +4 -0
package/dist/src/server/routes/reindex.d.ts.map +1 -0
package/dist/src/server/routes/reindex.js +74 -0
package/dist/src/server/routes/reindex.js.map +1 -0
package/dist/src/server/routes/save.d.ts +40 -0
package/dist/src/server/routes/save.d.ts.map +1 -0
package/dist/src/server/routes/save.js +112 -0
package/dist/src/server/routes/save.js.map +1 -0
package/dist/src/server/routes/search.d.ts +5 -0
package/dist/src/server/routes/search.d.ts.map +1 -0
package/dist/src/server/routes/search.js +400 -0
package/dist/src/server/routes/search.js.map +1 -0
package/dist/src/server/routes/stats.d.ts +10 -0
package/dist/src/server/routes/stats.d.ts.map +1 -0
package/dist/src/server/routes/stats.js +15 -0
package/dist/src/server/routes/stats.js.map +1 -0
package/dist/src/server/routes/status.d.ts +20 -0
package/dist/src/server/routes/status.d.ts.map +1 -0
package/dist/src/server/routes/status.js +31 -0
package/dist/src/server/routes/status.js.map +1 -0
package/dist/src/server/routes/triage.d.ts +4 -0
package/dist/src/server/routes/triage.d.ts.map +1 -0
package/dist/src/server/routes/triage.js +94 -0
package/dist/src/server/routes/triage.js.map +1 -0
package/dist/src/server/save-quality.d.ts +21 -0
package/dist/src/server/save-quality.d.ts.map +1 -0
package/dist/src/server/save-quality.js +51 -0
package/dist/src/server/save-quality.js.map +1 -0
package/dist/src/storage/atomic.d.ts +8 -0
package/dist/src/storage/atomic.d.ts.map +1 -0
package/dist/src/storage/atomic.js +22 -0
package/dist/src/storage/atomic.js.map +1 -0
package/dist/src/storage/db.d.ts +15 -0
package/dist/src/storage/db.d.ts.map +1 -0
package/dist/src/storage/db.js +43 -0
package/dist/src/storage/db.js.map +1 -0
package/dist/src/storage/integrity.d.ts +11 -0
package/dist/src/storage/integrity.d.ts.map +1 -0
package/dist/src/storage/integrity.js +66 -0
package/dist/src/storage/integrity.js.map +1 -0
package/dist/src/storage/rebuild.d.ts +37 -0
package/dist/src/storage/rebuild.d.ts.map +1 -0
package/dist/src/storage/rebuild.js +353 -0
package/dist/src/storage/rebuild.js.map +1 -0
package/dist/src/storage/shadow-swap.d.ts +20 -0
package/dist/src/storage/shadow-swap.d.ts.map +1 -0
package/dist/src/storage/shadow-swap.js +163 -0
package/dist/src/storage/shadow-swap.js.map +1 -0
package/dist/src/storage/tables.d.ts +77 -0
package/dist/src/storage/tables.d.ts.map +1 -0
package/dist/src/storage/tables.js +196 -0
package/dist/src/storage/tables.js.map +1 -0
package/package.json +45 -14
package/index.js +0 -3

package/README.dev.md ADDED Viewed

@@ -0,0 +1,110 @@
+# Rift (`rift`)
+Local-first personal memory + reasoning infrastructure. Captures local CLI sessions, web conversation exports, and project documents; routes them through triage, metadata extraction, and embedding; persists into LanceDB; exposes retrieval through a small MCP surface so agents can pull *capability, not payload*.
+Designed to feel like a built-in capability for whatever assistant is in front of it, not like a giant preloaded briefing.
+---
+## Architecture at a glance
+```
+┌─────────────────────────────────────────────────────────┐
+│  Live capture (claude_code, codex_cli session JSONLs)   │
+│  Web exports (chatgpt_web, claude_web, gemini, grok)    │
+│  Project docs (filesystem watchers / scheduled scans)   │
+└────────────────────┬────────────────────────────────────┘
+                     │
+                ┌────▼────┐
+                │ Triage  │   ← Codex CLI (default)
+                │  loop   │
+                └────┬────┘
+                     │ save / review / discard
+                     │
+                ┌────▼─────────────┐
+                │ Metadata extract │   ← Codex CLI (web/ingest path)
+                │  (POST /ingest)  │
+                └────┬─────────────┘
+                     │
+                ┌────▼──────────────────────────────────┐
+                │ Voyage AI embedding (voyage-3-lite)   │
+                └────┬──────────────────────────────────┘
+                     │
+                ┌────▼─────────────────────────────────┐
+                │ LanceDB                              │
+                │   conversations_hot / cold           │
+                │   structured_docs                    │
+                │   digests   ← Codex CLI digest job   │
+                └────┬─────────────────────────────────┘
+                     │
+                ┌────▼──────────────────────────┐
+                │ MCP server (life_*)           │
+                │ HTTP daemon on 127.0.0.1:3577 │
+                └───────────────────────────────┘
+```
+## Models & runtimes in use
+| Stage | Runtime | Model |
+|---|---|---|
+| Triage (decide save/review/discard) | local `codex` CLI | CLI default |
+| Metadata extraction (web/ingest path) | local `codex` CLI | CLI default |
+| Digest summarization (compact job) | local `codex` CLI | CLI default |
+| Embeddings | Voyage AI (cloud) | `voyage-3-lite` |
+| Local-LLM override (optional) | Ollama at `localhost:11434` | configurable (`metadata_model`, `digest_model`) |
+**Cloud mode (default)** — set `local_generation.enabled: false` in `config.json`. All LLM calls go through the operator's already-authenticated `codex` CLI. No Anthropic / OpenAI API key required.
+**Local-LLM override** — set `local_generation.enabled: true`. Metadata + digest go through the configured Ollama models. Triage still uses Codex CLI.
+The two modes are mutually exclusive — exactly one runtime owns LLM calls at a time.
+## CLI vs API surface
+**Local-only (no network)**:
+- `codex` CLI subprocess (every triage / metadata / digest call).
+- Filesystem watchers for project sources.
+- LanceDB on disk under `data/lancedb/`.
+- Daemon HTTP listens on `127.0.0.1:3577` (loopback only).
+- MCP server speaks JSON-RPC over stdio.
+**Network**:
+- Voyage embedding API (`api.voyageai.com`) — only consumer.
+**Provider classes preserved but not in the live default path** (kept for explicit batch/historical use): `OpenAITriageProvider`, `OpenAIMetadataExtractor`, `AnthropicDigestSummarizer`, `CliMetadataExtractor` (legacy Claude CLI subprocess).
+## Main commands
+```bash
+# Live capture (Claude Code + Codex CLI session files)
+rift capture                       # both sources
+rift capture --source codex_cli    # one source
+rift capture --dry-run             # preflight + triage, no saves
+# Status + telemetry
+rift status                        # daemon briefing + auto-capture summary
+rift stats                         # table counts, source coverage
+# Search
+rift search "..."
+# Daemon (managed by launchd)
+launchctl kickstart -k gui/$UID/com.rift.daemon
+launchctl print gui/$UID/com.rift.daemon
+```
+The macOS menu bar (SwiftBar plugin at `operator/swiftbar/rift.10s.sh`) shows daemon health and the live MCP-usage telemetry block (today / this week / this month / all-time call counts + tokens-saved estimate) at the top of its dropdown.
+## Pointers
+- [`TODO.md`](./TODO.md) — current/next/later tracker (updated end of every session).
+- [`PROJECT_STATE.md`](./PROJECT_STATE.md) — what's currently in flight.
+- [`CLAUDE.md`](./CLAUDE.md) — instructions for AI agents working in this repo.
+- [`docs/`](./docs/) — design docs (current system, API/MCP spec, capture contract, intelligence direction, etc.).
+## Conventions
+- TypeScript strict; `pnpm check` (or `npm run check`) before ship.
+- Vitest. Pretest generates fixtures.
+- Local-first, file-native storage under `data/`, `jobs/`, `reports/`.
+- Auto-capture triage depends on a working, authenticated `codex` CLI. Preflight failures here mean CLI auth/install/runtime issues (`codex login`, CLI upgrade/reinstall, or launchd PATH), not a missing `rift.openai` Keychain secret — that path was retired.

package/dist/src/auth/keychain.d.ts ADDED Viewed

@@ -0,0 +1,25 @@
+/**
+ * Low-level Keychain operations.
+ *
+ * Abstracted as an interface so rotation.ts can be tested with an
+ * in-memory implementation that never touches the real Keychain.
+ */
+export interface KeychainOps {
+    read(version: number): Promise<string | null>;
+    write(version: number, token: string): Promise<void>;
+    delete(version: number): Promise<void>;
+    findLatestVersion(): Promise<number>;
+}
+/**
+ * Production Keychain backend using the macOS `security` CLI.
+ *
+ * Token versioning: each version is stored as a separate generic-password
+ * entry. A metadata entry (`AUTH_TOKEN_CURRENT_VERSION`) tracks the
+ * latest version number so we avoid scanning the entire keychain.
+ *
+ * Error policy: only "item not found" (exit 44) is swallowed where
+ * appropriate. All other errors (locked keychain, permission denied,
+ * missing binary) propagate as thrown exceptions.
+ */
+export declare const macKeychain: KeychainOps;
+//# sourceMappingURL=keychain.d.ts.map

package/dist/src/auth/keychain.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"keychain.d.ts","sourceRoot":"","sources":["../../../src/auth/keychain.ts"],"names":[],"mappings":"AAaA;;;;;GAKG;AACH,MAAM,WAAW,WAAW;IAC1B,IAAI,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IAC9C,KAAK,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACrD,MAAM,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACvC,iBAAiB,IAAI,OAAO,CAAC,MAAM,CAAC,CAAC;CACtC;AAgBD;;;;;;;;;;GAUG;AACH,eAAO,MAAM,WAAW,EAAE,WA0EzB,CAAC"}

package/dist/src/auth/keychain.js ADDED Viewed

@@ -0,0 +1,113 @@
+import { execFile } from "node:child_process";
+import { promisify } from "node:util";
+const execFileAsync = promisify(execFile);
+const SERVICE = "com.getrift.daemon";
+/**
+ * macOS `security` CLI exit code for errSecItemNotFound.
+ * This is the only error we treat as "success with empty result".
+ * All other non-zero exits are real failures that must propagate.
+ */
+const ERR_SEC_ITEM_NOT_FOUND = 44;
+function accountName(version) {
+    return `AUTH_TOKEN_v${version}`;
+}
+/**
+ * Returns true only for the specific "item not found" error from
+ * the macOS `security` CLI. All other errors are real failures.
+ */
+function isItemNotFound(err) {
+    if (!(err instanceof Error))
+        return false;
+    const execErr = err;
+    return execErr.code === ERR_SEC_ITEM_NOT_FOUND;
+}
+/**
+ * Production Keychain backend using the macOS `security` CLI.
+ *
+ * Token versioning: each version is stored as a separate generic-password
+ * entry. A metadata entry (`AUTH_TOKEN_CURRENT_VERSION`) tracks the
+ * latest version number so we avoid scanning the entire keychain.
+ *
+ * Error policy: only "item not found" (exit 44) is swallowed where
+ * appropriate. All other errors (locked keychain, permission denied,
+ * missing binary) propagate as thrown exceptions.
+ */
+export const macKeychain = {
+    async read(version) {
+        try {
+            const { stdout } = await execFileAsync("security", [
+                "find-generic-password",
+                "-a",
+                accountName(version),
+                "-s",
+                SERVICE,
+                "-w",
+            ]);
+            return stdout.trim() || null;
+        }
+        catch (err) {
+            if (isItemNotFound(err))
+                return null;
+            throw err;
+        }
+    },
+    async write(version, token) {
+        await execFileAsync("security", [
+            "add-generic-password",
+            "-a",
+            accountName(version),
+            "-s",
+            SERVICE,
+            "-w",
+            token,
+            "-U",
+        ]);
+        // Update version counter
+        await execFileAsync("security", [
+            "add-generic-password",
+            "-a",
+            "AUTH_TOKEN_CURRENT_VERSION",
+            "-s",
+            SERVICE,
+            "-w",
+            String(version),
+            "-U",
+        ]);
+    },
+    async delete(version) {
+        try {
+            await execFileAsync("security", [
+                "delete-generic-password",
+                "-a",
+                accountName(version),
+                "-s",
+                SERVICE,
+            ]);
+        }
+        catch (err) {
+            if (isItemNotFound(err))
+                return; // Already gone — fine.
+            throw err;
+        }
+    },
+    async findLatestVersion() {
+        try {
+            const { stdout } = await execFileAsync("security", [
+                "find-generic-password",
+                "-a",
+                "AUTH_TOKEN_CURRENT_VERSION",
+                "-s",
+                SERVICE,
+                "-w",
+            ]);
+            const version = Number(stdout.trim());
+            return Number.isNaN(version) ? 0 : version;
+        }
+        catch (err) {
+            if (isItemNotFound(err))
+                return 0; // No tokens issued yet.
+            throw err;
+        }
+    },
+};
+//# sourceMappingURL=keychain.js.map

package/dist/src/auth/keychain.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"keychain.js","sourceRoot":"","sources":["../../../src/auth/keychain.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AAEtC,MAAM,aAAa,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;AAC1C,MAAM,OAAO,GAAG,oBAAoB,CAAC;AAErC;;;;GAIG;AACH,MAAM,sBAAsB,GAAG,EAAE,CAAC;AAelC,SAAS,WAAW,CAAC,OAAe;IAClC,OAAO,eAAe,OAAO,EAAE,CAAC;AAClC,CAAC;AAED;;;GAGG;AACH,SAAS,cAAc,CAAC,GAAY;IAClC,IAAI,CAAC,CAAC,GAAG,YAAY,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAC1C,MAAM,OAAO,GAAG,GAAwB,CAAC;IACzC,OAAO,OAAO,CAAC,IAAI,KAAK,sBAAsB,CAAC;AACjD,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,CAAC,MAAM,WAAW,GAAgB;IACtC,KAAK,CAAC,IAAI,CAAC,OAAO;QAChB,IAAI,CAAC;YACH,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,aAAa,CAAC,UAAU,EAAE;gBACjD,uBAAuB;gBACvB,IAAI;gBACJ,WAAW,CAAC,OAAO,CAAC;gBACpB,IAAI;gBACJ,OAAO;gBACP,IAAI;aACL,CAAC,CAAC;YACH,OAAO,MAAM,CAAC,IAAI,EAAE,IAAI,IAAI,CAAC;QAC/B,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,cAAc,CAAC,GAAG,CAAC;gBAAE,OAAO,IAAI,CAAC;YACrC,MAAM,GAAG,CAAC;QACZ,CAAC;IACH,CAAC;IAED,KAAK,CAAC,KAAK,CAAC,OAAO,EAAE,KAAK;QACxB,MAAM,aAAa,CAAC,UAAU,EAAE;YAC9B,sBAAsB;YACtB,IAAI;YACJ,WAAW,CAAC,OAAO,CAAC;YACpB,IAAI;YACJ,OAAO;YACP,IAAI;YACJ,KAAK;YACL,IAAI;SACL,CAAC,CAAC;QACH,yBAAyB;QACzB,MAAM,aAAa,CAAC,UAAU,EAAE;YAC9B,sBAAsB;YACtB,IAAI;YACJ,4BAA4B;YAC5B,IAAI;YACJ,OAAO;YACP,IAAI;YACJ,MAAM,CAAC,OAAO,CAAC;YACf,IAAI;SACL,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,OAAO;QAClB,IAAI,CAAC;YACH,MAAM,aAAa,CAAC,UAAU,EAAE;gBAC9B,yBAAyB;gBACzB,IAAI;gBACJ,WAAW,CAAC,OAAO,CAAC;gBACpB,IAAI;gBACJ,OAAO;aACR,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,cAAc,CAAC,GAAG,CAAC;gBAAE,OAAO,CAAC,uBAAuB;YACxD,MAAM,GAAG,CAAC;QACZ,CAAC;IACH,CAAC;IAED,KAAK,CAAC,iBAAiB;QACrB,IAAI,CAAC;YACH,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,aAAa,CAAC,UAAU,EAAE;gBACjD,uBAAuB;gBACvB,IAAI;gBACJ,4BAA4B;gBAC5B,IAAI;gBACJ,OAAO;gBACP,IAAI;aACL,CAAC,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;YACtC,OAAO,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC;QAC7C,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,cAAc,CAAC,GAAG,CAAC;gBAAE,OAAO,CAAC,CAAC,CAAC,wBAAwB;YAC3D,MAAM,GAAG,CAAC;QACZ,CAAC;IACH,CAAC;CACF,CAAC"}

package/dist/src/auth/middleware.d.ts ADDED Viewed

@@ -0,0 +1,20 @@
+import type { FastifyInstance } from "fastify";
+import type { Config } from "../config/schema.js";
+import type { TokenManager } from "./rotation.js";
+import type { RateLimiter } from "./rate-limit.js";
+/**
+ * Register the bearer-token auth hook and per-token rate limiter.
+ *
+ * Auth is skipped for /health, /ready, /version, and /stats/mcp-usage
+ * (unauthenticated probes used by health/operator surfaces).
+ *
+ * Test-only bypass: when `NODE_ENV=test` AND `config.auth.test_token`
+ * is set AND the bearer matches it, the request is allowed without
+ * consulting the TokenManager. This is the ONLY way to bypass Keychain
+ * in tests — it is never active in production config.
+ *
+ * Rate limiting is skipped for `DELETE /auth/token` so a leaked token
+ * that has hit the rate-limit cap can still revoke itself.
+ */
+export declare function registerAuth(server: FastifyInstance, config: Config, tokenManager: TokenManager | null, rateLimiter: RateLimiter): void;
+//# sourceMappingURL=middleware.d.ts.map

package/dist/src/auth/middleware.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"middleware.d.ts","sourceRoot":"","sources":["../../../src/auth/middleware.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,SAAS,CAAC;AAC/C,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAC;AAClD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAClD,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAYnD;;;;;;;;;;;;;GAaG;AACH,wBAAgB,YAAY,CAC1B,MAAM,EAAE,eAAe,EACvB,MAAM,EAAE,MAAM,EACd,YAAY,EAAE,YAAY,GAAG,IAAI,EACjC,WAAW,EAAE,WAAW,GACvB,IAAI,CA8BN"}

package/dist/src/auth/middleware.js ADDED Viewed

@@ -0,0 +1,49 @@
+const EXEMPT_ROUTES = new Set([
+    "/health",
+    "/ready",
+    "/version",
+    // SwiftBar polls this on every tick. Response carries only call counts
+    // and tool names — no user content — so unauthenticated is safe and
+    // matches the /health, /version posture.
+    "/stats/mcp-usage",
+]);
+/**
+ * Register the bearer-token auth hook and per-token rate limiter.
+ *
+ * Auth is skipped for /health, /ready, /version, and /stats/mcp-usage
+ * (unauthenticated probes used by health/operator surfaces).
+ *
+ * Test-only bypass: when `NODE_ENV=test` AND `config.auth.test_token`
+ * is set AND the bearer matches it, the request is allowed without
+ * consulting the TokenManager. This is the ONLY way to bypass Keychain
+ * in tests — it is never active in production config.
+ *
+ * Rate limiting is skipped for `DELETE /auth/token` so a leaked token
+ * that has hit the rate-limit cap can still revoke itself.
+ */
+export function registerAuth(server, config, tokenManager, rateLimiter) {
+    server.addHook("onRequest", async (request, reply) => {
+        const path = request.url.split("?")[0];
+        if (EXEMPT_ROUTES.has(path))
+            return;
+        const authHeader = request.headers.authorization;
+        if (!authHeader || !authHeader.startsWith("Bearer ")) {
+            return reply.code(401).send({ error: "missing_token" });
+        }
+        const token = authHeader.slice(7);
+        // Test-only bypass — double-gated.
+        const isTestBypass = process.env.NODE_ENV === "test" &&
+            config.auth.test_token !== undefined &&
+            token === config.auth.test_token;
+        if (!isTestBypass && (tokenManager === null || !tokenManager.validate(token))) {
+            return reply.code(401).send({ error: "invalid_token" });
+        }
+        // Rate limit — but exempt DELETE /auth/token so a leaked token
+        // that has already hit the cap can still revoke itself.
+        const isRateLimitExempt = path === "/auth/token" && request.method === "DELETE";
+        if (!isRateLimitExempt && !rateLimiter.check(token)) {
+            return reply.code(429).send({ error: "rate_limit_exceeded" });
+        }
+    });
+}
+//# sourceMappingURL=middleware.js.map

package/dist/src/auth/middleware.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"middleware.js","sourceRoot":"","sources":["../../../src/auth/middleware.ts"],"names":[],"mappings":"AAKA,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC;IAC5B,SAAS;IACT,QAAQ;IACR,UAAU;IACV,uEAAuE;IACvE,oEAAoE;IACpE,yCAAyC;IACzC,kBAAkB;CACnB,CAAC,CAAC;AAEH;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,YAAY,CAC1B,MAAuB,EACvB,MAAc,EACd,YAAiC,EACjC,WAAwB;IAExB,MAAM,CAAC,OAAO,CAAC,WAAW,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE;QACnD,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;QACvC,IAAI,aAAa,CAAC,GAAG,CAAC,IAAK,CAAC;YAAE,OAAO;QAErC,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,aAAa,CAAC;QACjD,IAAI,CAAC,UAAU,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YACrD,OAAO,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,eAAe,EAAE,CAAC,CAAC;QAC1D,CAAC;QAED,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QAElC,mCAAmC;QACnC,MAAM,YAAY,GAChB,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,MAAM;YAC/B,MAAM,CAAC,IAAI,CAAC,UAAU,KAAK,SAAS;YACpC,KAAK,KAAK,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC;QAEnC,IAAI,CAAC,YAAY,IAAI,CAAC,YAAY,KAAK,IAAI,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC;YAC9E,OAAO,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,eAAe,EAAE,CAAC,CAAC;QAC1D,CAAC;QAED,+DAA+D;QAC/D,wDAAwD;QACxD,MAAM,iBAAiB,GACrB,IAAI,KAAK,aAAa,IAAI,OAAO,CAAC,MAAM,KAAK,QAAQ,CAAC;QACxD,IAAI,CAAC,iBAAiB,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC;YACpD,OAAO,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,qBAAqB,EAAE,CAAC,CAAC;QAChE,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/src/auth/rate-limit.d.ts ADDED Viewed

@@ -0,0 +1,16 @@
+/**
+ * Per-token sliding-window rate limiter.
+ *
+ * Tracks request timestamps per token. On each call to `check()`,
+ * expired entries are pruned and the count is compared to the limit.
+ */
+export declare class RateLimiter {
+    private windowMs;
+    private maxRequests;
+    private windows;
+    constructor(windowMs: number, maxRequests: number);
+    /** Returns `true` if the request is allowed, `false` if rate-limited. */
+    check(token: string): boolean;
+    reset(): void;
+}
+//# sourceMappingURL=rate-limit.d.ts.map

package/dist/src/auth/rate-limit.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"rate-limit.d.ts","sourceRoot":"","sources":["../../../src/auth/rate-limit.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AACH,qBAAa,WAAW;IAIpB,OAAO,CAAC,QAAQ;IAChB,OAAO,CAAC,WAAW;IAJrB,OAAO,CAAC,OAAO,CAA+B;gBAGpC,QAAQ,EAAE,MAAM,EAChB,WAAW,EAAE,MAAM;IAG7B,yEAAyE;IACzE,KAAK,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO;IAuB7B,KAAK,IAAI,IAAI;CAGd"}

package/dist/src/auth/rate-limit.js ADDED Viewed

@@ -0,0 +1,38 @@
+/**
+ * Per-token sliding-window rate limiter.
+ *
+ * Tracks request timestamps per token. On each call to `check()`,
+ * expired entries are pruned and the count is compared to the limit.
+ */
+export class RateLimiter {
+    windowMs;
+    maxRequests;
+    windows = new Map();
+    constructor(windowMs, maxRequests) {
+        this.windowMs = windowMs;
+        this.maxRequests = maxRequests;
+    }
+    /** Returns `true` if the request is allowed, `false` if rate-limited. */
+    check(token) {
+        const now = Date.now();
+        const cutoff = now - this.windowMs;
+        let timestamps = this.windows.get(token);
+        if (!timestamps) {
+            timestamps = [];
+            this.windows.set(token, timestamps);
+        }
+        // Prune expired entries from the front.
+        while (timestamps.length > 0 && timestamps[0] < cutoff) {
+            timestamps.shift();
+        }
+        if (timestamps.length >= this.maxRequests) {
+            return false;
+        }
+        timestamps.push(now);
+        return true;
+    }
+    reset() {
+        this.windows.clear();
+    }
+}
+//# sourceMappingURL=rate-limit.js.map

package/dist/src/auth/rate-limit.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"rate-limit.js","sourceRoot":"","sources":["../../../src/auth/rate-limit.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AACH,MAAM,OAAO,WAAW;IAIZ;IACA;IAJF,OAAO,GAAG,IAAI,GAAG,EAAoB,CAAC;IAE9C,YACU,QAAgB,EAChB,WAAmB;QADnB,aAAQ,GAAR,QAAQ,CAAQ;QAChB,gBAAW,GAAX,WAAW,CAAQ;IAC1B,CAAC;IAEJ,yEAAyE;IACzE,KAAK,CAAC,KAAa;QACjB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,QAAQ,CAAC;QAEnC,IAAI,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACzC,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,UAAU,GAAG,EAAE,CAAC;YAChB,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;QACtC,CAAC;QAED,wCAAwC;QACxC,OAAO,UAAU,CAAC,MAAM,GAAG,CAAC,IAAI,UAAU,CAAC,CAAC,CAAE,GAAG,MAAM,EAAE,CAAC;YACxD,UAAU,CAAC,KAAK,EAAE,CAAC;QACrB,CAAC;QAED,IAAI,UAAU,CAAC,MAAM,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;YAC1C,OAAO,KAAK,CAAC;QACf,CAAC;QAED,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACrB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK;QACH,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;IACvB,CAAC;CACF"}

package/dist/src/auth/rotation.d.ts ADDED Viewed

@@ -0,0 +1,67 @@
+import type { KeychainOps } from "./keychain.js";
+/**
+ * In-memory token state machine backed by a KeychainOps provider.
+ *
+ * Invariants:
+ * - At most 2 tokens are valid at once: current + grace (previous).
+ * - Grace expires after `gracePeriodMs` (default 60 s).
+ * - `load()` restores only the current version — no grace for old
+ *   tokens on daemon restart (PRD: timer does not survive restart).
+ * - `revokeAll()` immediately invalidates everything and deletes
+ *   ALL Keychain entries (versions 1..current) so revoked tokens
+ *   don't resurface on restart and old secrets don't accumulate.
+ * - `issue()` eagerly deletes any superseded grace version from
+ *   Keychain before setting up new grace, so rapid rotation
+ *   (v1→v2→v3 within one grace window) never leaves old secrets.
+ *   The latest grace version is cleaned up when its timer fires.
+ */
+export declare class TokenManager {
+    private keychain;
+    private gracePeriodMs;
+    private currentVersion;
+    private currentToken;
+    private graceToken;
+    private graceVersion;
+    private graceTimer;
+    constructor(keychain: KeychainOps, gracePeriodMs?: number);
+    /**
+     * Cold-load: restore the current token from keychain with no grace.
+     * Used at daemon startup — PRD: grace timer does not survive restart.
+     */
+    load(): Promise<void>;
+    /**
+     * Hot-reload: pick up a new token from keychain (e.g. after CLI
+     * issues a token and sends SIGHUP).
+     *
+     * When `noGrace` is false (default), the old token enters a 60 s
+     * grace window. When `noGrace` is true, the old token is immediately
+     * invalidated and its Keychain entry deleted — used by `token issue`
+     * to enforce single-active-credential semantics (PRD: "makes it the
+     * sole active token").
+     *
+     * If the version hasn't changed, just refreshes the current value.
+     */
+    reload(opts?: {
+        noGrace?: boolean;
+    }): Promise<void>;
+    /** Check if a token is currently valid (current or within grace). */
+    validate(token: string): boolean;
+    /** Issue a new token. Returns the new version number. */
+    issue(newToken: string): Promise<number>;
+    /**
+     * Immediately revoke all tokens. No grace period.
+     *
+     * Clears in-memory state first (immediate effect for the running
+     * daemon), then deletes ALL Keychain entries (versions 1..current)
+     * so revoked tokens cannot resurface on restart.
+     *
+     * Keychain delete errors propagate — the caller (route handler)
+     * should surface them so the operator knows cleanup may be incomplete.
+     */
+    revokeAll(): Promise<void>;
+    /** Clean up timers. Call on daemon shutdown. */
+    shutdown(): void;
+    private clearGraceTimer;
+    private clearGrace;
+}
+//# sourceMappingURL=rotation.d.ts.map

package/dist/src/auth/rotation.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"rotation.d.ts","sourceRoot":"","sources":["../../../src/auth/rotation.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AAEjD;;;;;;;;;;;;;;;GAeG;AACH,qBAAa,YAAY;IAQrB,OAAO,CAAC,QAAQ;IAChB,OAAO,CAAC,aAAa;IARvB,OAAO,CAAC,cAAc,CAAK;IAC3B,OAAO,CAAC,YAAY,CAAuB;IAC3C,OAAO,CAAC,UAAU,CAAuB;IACzC,OAAO,CAAC,YAAY,CAAK;IACzB,OAAO,CAAC,UAAU,CAA8C;gBAGtD,QAAQ,EAAE,WAAW,EACrB,aAAa,SAAS;IAGhC;;;OAGG;IACG,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;IAS3B;;;;;;;;;;;OAWG;IACG,MAAM,CAAC,IAAI,CAAC,EAAE;QAAE,OAAO,CAAC,EAAE,OAAO,CAAA;KAAE,GAAG,OAAO,CAAC,IAAI,CAAC;IAoEzD,qEAAqE;IACrE,QAAQ,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO;IAMhC,yDAAyD;IACnD,KAAK,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IA6C9C;;;;;;;;;OASG;IACG,SAAS,IAAI,OAAO,CAAC,IAAI,CAAC;IAWhC,gDAAgD;IAChD,QAAQ,IAAI,IAAI;IAIhB,OAAO,CAAC,eAAe;IAOvB,OAAO,CAAC,UAAU;CAKnB"}

package/dist/src/auth/rotation.js ADDED Viewed

@@ -0,0 +1,190 @@
+/**
+ * In-memory token state machine backed by a KeychainOps provider.
+ *
+ * Invariants:
+ * - At most 2 tokens are valid at once: current + grace (previous).
+ * - Grace expires after `gracePeriodMs` (default 60 s).
+ * - `load()` restores only the current version — no grace for old
+ *   tokens on daemon restart (PRD: timer does not survive restart).
+ * - `revokeAll()` immediately invalidates everything and deletes
+ *   ALL Keychain entries (versions 1..current) so revoked tokens
+ *   don't resurface on restart and old secrets don't accumulate.
+ * - `issue()` eagerly deletes any superseded grace version from
+ *   Keychain before setting up new grace, so rapid rotation
+ *   (v1→v2→v3 within one grace window) never leaves old secrets.
+ *   The latest grace version is cleaned up when its timer fires.
+ */
+export class TokenManager {
+    keychain;
+    gracePeriodMs;
+    currentVersion = 0;
+    currentToken = null;
+    graceToken = null;
+    graceVersion = 0;
+    graceTimer = null;
+    constructor(keychain, gracePeriodMs = 60_000) {
+        this.keychain = keychain;
+        this.gracePeriodMs = gracePeriodMs;
+    }
+    /**
+     * Cold-load: restore the current token from keychain with no grace.
+     * Used at daemon startup — PRD: grace timer does not survive restart.
+     */
+    async load() {
+        this.clearGrace();
+        this.currentVersion = await this.keychain.findLatestVersion();
+        this.currentToken =
+            this.currentVersion > 0
+                ? await this.keychain.read(this.currentVersion)
+                : null;
+    }
+    /**
+     * Hot-reload: pick up a new token from keychain (e.g. after CLI
+     * issues a token and sends SIGHUP).
+     *
+     * When `noGrace` is false (default), the old token enters a 60 s
+     * grace window. When `noGrace` is true, the old token is immediately
+     * invalidated and its Keychain entry deleted — used by `token issue`
+     * to enforce single-active-credential semantics (PRD: "makes it the
+     * sole active token").
+     *
+     * If the version hasn't changed, just refreshes the current value.
+     */
+    async reload(opts) {
+        const noGrace = opts?.noGrace ?? false;
+        const prevToken = this.currentToken;
+        const prevVersion = this.currentVersion;
+        const latestVersion = await this.keychain.findLatestVersion();
+        const latestToken = latestVersion > 0 ? await this.keychain.read(latestVersion) : null;
+        if (latestVersion === prevVersion) {
+            // Same version — just refresh the value (covers manual Keychain edit).
+            this.currentToken = latestToken;
+            return;
+        }
+        // Version changed — handle the outgoing token.
+        if (prevToken !== null) {
+            // Clean up any existing grace entry before replacing it.
+            if (this.graceVersion > 0) {
+                try {
+                    await this.keychain.delete(this.graceVersion);
+                }
+                catch (err) {
+                    process.stderr.write(`Warning: failed to clean up token v${this.graceVersion} from Keychain: ${err instanceof Error ? err.message : String(err)}\n`);
+                }
+            }
+            this.clearGraceTimer();
+            if (noGrace) {
+                // Immediate invalidation: no grace window, delete old entry now.
+                this.graceToken = null;
+                this.graceVersion = 0;
+                if (prevVersion > 0) {
+                    try {
+                        await this.keychain.delete(prevVersion);
+                    }
+                    catch (err) {
+                        process.stderr.write(`Warning: failed to clean up token v${prevVersion} from Keychain: ${err instanceof Error ? err.message : String(err)}\n`);
+                    }
+                }
+            }
+            else {
+                // Grace period: old token valid for gracePeriodMs.
+                this.graceToken = prevToken;
+                this.graceVersion = prevVersion;
+                const vToDelete = prevVersion;
+                this.graceTimer = setTimeout(() => {
+                    this.graceToken = null;
+                    this.graceTimer = null;
+                    this.graceVersion = 0;
+                    if (vToDelete > 0) {
+                        this.keychain.delete(vToDelete).catch((err) => {
+                            process.stderr.write(`Warning: failed to clean up token v${vToDelete} from Keychain: ${err instanceof Error ? err.message : String(err)}\n`);
+                        });
+                    }
+                }, this.gracePeriodMs);
+            }
+        }
+        this.currentVersion = latestVersion;
+        this.currentToken = latestToken;
+    }
+    /** Check if a token is currently valid (current or within grace). */
+    validate(token) {
+        if (this.currentToken !== null && token === this.currentToken)
+            return true;
+        if (this.graceToken !== null && token === this.graceToken)
+            return true;
+        return false;
+    }
+    /** Issue a new token. Returns the new version number. */
+    async issue(newToken) {
+        const previousVersion = this.currentVersion;
+        const newVersion = this.currentVersion + 1;
+        await this.keychain.write(newVersion, newToken);
+        // Start grace period for the outgoing token.
+        if (this.currentToken !== null) {
+            // If there's an existing grace token being superseded by this
+            // rotation, eagerly delete its Keychain entry now — it is no
+            // longer valid in memory and must not linger in the vault.
+            if (this.graceVersion > 0) {
+                try {
+                    await this.keychain.delete(this.graceVersion);
+                }
+                catch (err) {
+                    process.stderr.write(`Warning: failed to clean up token v${this.graceVersion} from Keychain: ${err instanceof Error ? err.message : String(err)}\n`);
+                }
+            }
+            this.clearGraceTimer();
+            this.graceToken = this.currentToken;
+            this.graceVersion = previousVersion;
+            // Timer cleans up THIS grace token's Keychain entry when it expires.
+            const vToDelete = previousVersion;
+            this.graceTimer = setTimeout(() => {
+                this.graceToken = null;
+                this.graceTimer = null;
+                this.graceVersion = 0;
+                if (vToDelete > 0) {
+                    this.keychain.delete(vToDelete).catch((err) => {
+                        process.stderr.write(`Warning: failed to clean up token v${vToDelete} from Keychain: ${err instanceof Error ? err.message : String(err)}\n`);
+                    });
+                }
+            }, this.gracePeriodMs);
+        }
+        this.currentVersion = newVersion;
+        this.currentToken = newToken;
+        return newVersion;
+    }
+    /**
+     * Immediately revoke all tokens. No grace period.
+     *
+     * Clears in-memory state first (immediate effect for the running
+     * daemon), then deletes ALL Keychain entries (versions 1..current)
+     * so revoked tokens cannot resurface on restart.
+     *
+     * Keychain delete errors propagate — the caller (route handler)
+     * should surface them so the operator knows cleanup may be incomplete.
+     */
+    async revokeAll() {
+        this.clearGrace();
+        this.currentToken = null;
+        const deletions = [];
+        for (let v = 1; v <= this.currentVersion; v++) {
+            deletions.push(this.keychain.delete(v));
+        }
+        await Promise.all(deletions);
+    }
+    /** Clean up timers. Call on daemon shutdown. */
+    shutdown() {
+        this.clearGrace();
+    }
+    clearGraceTimer() {
+        if (this.graceTimer !== null) {
+            clearTimeout(this.graceTimer);
+            this.graceTimer = null;
+        }
+    }
+    clearGrace() {
+        this.clearGraceTimer();
+        this.graceToken = null;
+        this.graceVersion = 0;
+    }
+}
+//# sourceMappingURL=rotation.js.map