@i4ctime/q-ring 0.2.0

package/dist/mcp.js

@@ -0,0 +1,1339 @@
+// src/mcp.ts
+import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+
+// src/mcp/server.ts
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { z } from "zod";
+
+// src/core/keyring.ts
+import { Entry, findCredentials } from "@napi-rs/keyring";
+
+// src/utils/hash.ts
+import { createHash } from "crypto";
+function hashProjectPath(projectPath) {
+  return createHash("sha256").update(projectPath).digest("hex").slice(0, 12);
+}
+
+// src/core/scope.ts
+var SERVICE_PREFIX = "q-ring";
+function globalService() {
+  return `${SERVICE_PREFIX}:global`;
+}
+function projectService(projectPath) {
+  const hash = hashProjectPath(projectPath);
+  return `${SERVICE_PREFIX}:project:${hash}`;
+}
+function resolveScope(opts2) {
+  const { scope, projectPath } = opts2;
+  if (scope === "global") {
+    return [{ scope: "global", service: globalService() }];
+  }
+  if (scope === "project") {
+    if (!projectPath) {
+      throw new Error("Project path is required for project scope");
+    }
+    return [
+      { scope: "project", service: projectService(projectPath), projectPath }
+    ];
+  }
+  if (projectPath) {
+    return [
+      { scope: "project", service: projectService(projectPath), projectPath },
+      { scope: "global", service: globalService() }
+    ];
+  }
+  return [{ scope: "global", service: globalService() }];
+}
+
+// src/core/envelope.ts
+function createEnvelope(value, opts2) {
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  let expiresAt = opts2?.expiresAt;
+  if (!expiresAt && opts2?.ttlSeconds) {
+    expiresAt = new Date(Date.now() + opts2.ttlSeconds * 1e3).toISOString();
+  }
+  return {
+    v: 1,
+    value: opts2?.states ? void 0 : value,
+    states: opts2?.states,
+    defaultEnv: opts2?.defaultEnv,
+    meta: {
+      createdAt: now,
+      updatedAt: now,
+      expiresAt,
+      ttlSeconds: opts2?.ttlSeconds,
+      description: opts2?.description,
+      tags: opts2?.tags,
+      entangled: opts2?.entangled,
+      accessCount: 0
+    }
+  };
+}
+function parseEnvelope(raw) {
+  try {
+    const parsed = JSON.parse(raw);
+    if (parsed && typeof parsed === "object" && parsed.v === 1) {
+      return parsed;
+    }
+  } catch {
+  }
+  return null;
+}
+function wrapLegacy(rawValue) {
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  return {
+    v: 1,
+    value: rawValue,
+    meta: {
+      createdAt: now,
+      updatedAt: now,
+      accessCount: 0
+    }
+  };
+}
+function serializeEnvelope(envelope) {
+  return JSON.stringify(envelope);
+}
+function collapseValue(envelope, env) {
+  if (envelope.states) {
+    const targetEnv = env ?? envelope.defaultEnv;
+    if (targetEnv && envelope.states[targetEnv]) {
+      return envelope.states[targetEnv];
+    }
+    if (envelope.defaultEnv && envelope.states[envelope.defaultEnv]) {
+      return envelope.states[envelope.defaultEnv];
+    }
+    const keys = Object.keys(envelope.states);
+    if (keys.length > 0) {
+      return envelope.states[keys[0]];
+    }
+    return null;
+  }
+  return envelope.value ?? null;
+}
+function checkDecay(envelope) {
+  if (!envelope.meta.expiresAt) {
+    return {
+      isExpired: false,
+      isStale: false,
+      lifetimePercent: 0,
+      secondsRemaining: null,
+      timeRemaining: null
+    };
+  }
+  const now = Date.now();
+  const expires = new Date(envelope.meta.expiresAt).getTime();
+  const created = new Date(envelope.meta.createdAt).getTime();
+  const totalLifetime = expires - created;
+  const elapsed = now - created;
+  const remaining = expires - now;
+  const lifetimePercent = totalLifetime > 0 ? Math.round(elapsed / totalLifetime * 100) : 100;
+  const secondsRemaining = Math.floor(remaining / 1e3);
+  let timeRemaining = null;
+  if (remaining > 0) {
+    const days = Math.floor(remaining / 864e5);
+    const hours = Math.floor(remaining % 864e5 / 36e5);
+    const minutes = Math.floor(remaining % 36e5 / 6e4);
+    if (days > 0) timeRemaining = `${days}d ${hours}h`;
+    else if (hours > 0) timeRemaining = `${hours}h ${minutes}m`;
+    else timeRemaining = `${minutes}m`;
+  } else {
+    timeRemaining = "expired";
+  }
+  return {
+    isExpired: remaining <= 0,
+    isStale: lifetimePercent >= 75,
+    lifetimePercent,
+    secondsRemaining,
+    timeRemaining
+  };
+}
+function recordAccess(envelope) {
+  return {
+    ...envelope,
+    meta: {
+      ...envelope.meta,
+      accessCount: envelope.meta.accessCount + 1,
+      lastAccessedAt: (/* @__PURE__ */ new Date()).toISOString()
+    }
+  };
+}
+
+// src/core/collapse.ts
+import { execSync } from "child_process";
+import { existsSync, readFileSync } from "fs";
+import { join } from "path";
+var BRANCH_ENV_MAP = {
+  main: "prod",
+  master: "prod",
+  production: "prod",
+  develop: "dev",
+  development: "dev",
+  dev: "dev",
+  staging: "staging",
+  stage: "staging",
+  test: "test",
+  testing: "test"
+};
+function detectGitBranch(cwd) {
+  try {
+    const branch = execSync("git rev-parse --abbrev-ref HEAD", {
+      cwd: cwd ?? process.cwd(),
+      stdio: ["pipe", "pipe", "pipe"],
+      encoding: "utf8",
+      timeout: 3e3
+    }).trim();
+    return branch || null;
+  } catch {
+    return null;
+  }
+}
+function readProjectConfig(projectPath) {
+  const configPath = join(projectPath ?? process.cwd(), ".q-ring.json");
+  try {
+    if (existsSync(configPath)) {
+      return JSON.parse(readFileSync(configPath, "utf8"));
+    }
+  } catch {
+  }
+  return null;
+}
+function collapseEnvironment(ctx = {}) {
+  if (ctx.explicit) {
+    return { env: ctx.explicit, source: "explicit" };
+  }
+  const qringEnv = process.env.QRING_ENV;
+  if (qringEnv) {
+    return { env: qringEnv, source: "QRING_ENV" };
+  }
+  const nodeEnv = process.env.NODE_ENV;
+  if (nodeEnv) {
+    const mapped = mapEnvName(nodeEnv);
+    return { env: mapped, source: "NODE_ENV" };
+  }
+  const config = readProjectConfig(ctx.projectPath);
+  if (config?.env) {
+    return { env: config.env, source: "project-config" };
+  }
+  const branch = detectGitBranch(ctx.projectPath);
+  if (branch) {
+    const branchMap = { ...BRANCH_ENV_MAP, ...config?.branchMap };
+    const mapped = branchMap[branch];
+    if (mapped) {
+      return { env: mapped, source: "git-branch" };
+    }
+  }
+  if (config?.defaultEnv) {
+    return { env: config.defaultEnv, source: "project-config" };
+  }
+  return null;
+}
+function mapEnvName(raw) {
+  const lower = raw.toLowerCase();
+  if (lower === "production") return "prod";
+  if (lower === "development") return "dev";
+  return lower;
+}
+
+// src/core/observer.ts
+import { existsSync as existsSync2, mkdirSync, appendFileSync, readFileSync as readFileSync2 } from "fs";
+import { join as join2 } from "path";
+import { homedir } from "os";
+function getAuditDir() {
+  const dir = join2(homedir(), ".config", "q-ring");
+  if (!existsSync2(dir)) {
+    mkdirSync(dir, { recursive: true });
+  }
+  return dir;
+}
+function getAuditPath() {
+  return join2(getAuditDir(), "audit.jsonl");
+}
+function logAudit(event) {
+  const full = {
+    ...event,
+    timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+    pid: process.pid
+  };
+  try {
+    appendFileSync(getAuditPath(), JSON.stringify(full) + "\n");
+  } catch {
+  }
+}
+function queryAudit(query = {}) {
+  const path = getAuditPath();
+  if (!existsSync2(path)) return [];
+  try {
+    const lines = readFileSync2(path, "utf8").split("\n").filter((l) => l.trim());
+    let events = lines.map((line) => {
+      try {
+        return JSON.parse(line);
+      } catch {
+        return null;
+      }
+    }).filter((e) => e !== null);
+    if (query.key) {
+      events = events.filter((e) => e.key === query.key);
+    }
+    if (query.action) {
+      events = events.filter((e) => e.action === query.action);
+    }
+    if (query.since) {
+      const since = new Date(query.since).getTime();
+      events = events.filter(
+        (e) => new Date(e.timestamp).getTime() >= since
+      );
+    }
+    events.sort(
+      (a, b) => new Date(b.timestamp).getTime() - new Date(a.timestamp).getTime()
+    );
+    if (query.limit) {
+      events = events.slice(0, query.limit);
+    }
+    return events;
+  } catch {
+    return [];
+  }
+}
+function detectAnomalies(key) {
+  const recent = queryAudit({
+    key,
+    action: "read",
+    since: new Date(Date.now() - 36e5).toISOString()
+    // last hour
+  });
+  const anomalies = [];
+  if (key && recent.length > 50) {
+    anomalies.push({
+      type: "burst",
+      description: `${recent.length} reads of "${key}" in the last hour`,
+      events: recent.slice(0, 10)
+    });
+  }
+  const nightAccess = recent.filter((e) => {
+    const hour = new Date(e.timestamp).getHours();
+    return hour >= 1 && hour < 5;
+  });
+  if (nightAccess.length > 0) {
+    anomalies.push({
+      type: "unusual-hour",
+      description: `${nightAccess.length} access(es) during unusual hours (1am-5am)`,
+      events: nightAccess
+    });
+  }
+  return anomalies;
+}
+
+// src/core/entanglement.ts
+import { existsSync as existsSync3, readFileSync as readFileSync3, writeFileSync, mkdirSync as mkdirSync2 } from "fs";
+import { join as join3 } from "path";
+import { homedir as homedir2 } from "os";
+function getRegistryPath() {
+  const dir = join3(homedir2(), ".config", "q-ring");
+  if (!existsSync3(dir)) {
+    mkdirSync2(dir, { recursive: true });
+  }
+  return join3(dir, "entanglement.json");
+}
+function loadRegistry() {
+  const path = getRegistryPath();
+  if (!existsSync3(path)) {
+    return { pairs: [] };
+  }
+  try {
+    return JSON.parse(readFileSync3(path, "utf8"));
+  } catch {
+    return { pairs: [] };
+  }
+}
+function saveRegistry(registry) {
+  writeFileSync(getRegistryPath(), JSON.stringify(registry, null, 2));
+}
+function entangle(source, target) {
+  const registry = loadRegistry();
+  const exists = registry.pairs.some(
+    (p) => p.source.service === source.service && p.source.key === source.key && p.target.service === target.service && p.target.key === target.key
+  );
+  if (!exists) {
+    registry.pairs.push({
+      source,
+      target,
+      createdAt: (/* @__PURE__ */ new Date()).toISOString()
+    });
+    registry.pairs.push({
+      source: target,
+      target: source,
+      createdAt: (/* @__PURE__ */ new Date()).toISOString()
+    });
+    saveRegistry(registry);
+  }
+}
+function findEntangled(source) {
+  const registry = loadRegistry();
+  return registry.pairs.filter(
+    (p) => p.source.service === source.service && p.source.key === source.key
+  ).map((p) => p.target);
+}
+
+// src/core/keyring.ts
+function readEnvelope(service, key) {
+  const entry = new Entry(service, key);
+  const raw = entry.getPassword();
+  if (raw === null) return null;
+  const envelope = parseEnvelope(raw);
+  return envelope ?? wrapLegacy(raw);
+}
+function writeEnvelope(service, key, envelope) {
+  const entry = new Entry(service, key);
+  entry.setPassword(serializeEnvelope(envelope));
+}
+function resolveEnv(opts2) {
+  if (opts2.env) return opts2.env;
+  const result = collapseEnvironment({ projectPath: opts2.projectPath });
+  return result?.env;
+}
+function getSecret(key, opts2 = {}) {
+  const scopes = resolveScope(opts2);
+  const env = resolveEnv(opts2);
+  const source = opts2.source ?? "cli";
+  for (const { service, scope } of scopes) {
+    const envelope = readEnvelope(service, key);
+    if (!envelope) continue;
+    const decay = checkDecay(envelope);
+    if (decay.isExpired) {
+      logAudit({
+        action: "read",
+        key,
+        scope,
+        source,
+        detail: "blocked: secret expired (quantum decay)"
+      });
+      continue;
+    }
+    const value = collapseValue(envelope, env);
+    if (value === null) continue;
+    const updated = recordAccess(envelope);
+    writeEnvelope(service, key, updated);
+    logAudit({ action: "read", key, scope, env, source });
+    return value;
+  }
+  return null;
+}
+function getEnvelope(key, opts2 = {}) {
+  const scopes = resolveScope(opts2);
+  for (const { service, scope } of scopes) {
+    const envelope = readEnvelope(service, key);
+    if (envelope) return { envelope, scope };
+  }
+  return null;
+}
+function setSecret(key, value, opts2 = {}) {
+  const scope = opts2.scope ?? "global";
+  const scopes = resolveScope({ ...opts2, scope });
+  const { service } = scopes[0];
+  const source = opts2.source ?? "cli";
+  const existing = readEnvelope(service, key);
+  let envelope;
+  if (opts2.states) {
+    envelope = createEnvelope("", {
+      states: opts2.states,
+      defaultEnv: opts2.defaultEnv,
+      description: opts2.description,
+      tags: opts2.tags,
+      ttlSeconds: opts2.ttlSeconds,
+      expiresAt: opts2.expiresAt,
+      entangled: existing?.meta.entangled
+    });
+  } else {
+    envelope = createEnvelope(value, {
+      description: opts2.description,
+      tags: opts2.tags,
+      ttlSeconds: opts2.ttlSeconds,
+      expiresAt: opts2.expiresAt,
+      entangled: existing?.meta.entangled
+    });
+  }
+  if (existing) {
+    envelope.meta.createdAt = existing.meta.createdAt;
+    envelope.meta.accessCount = existing.meta.accessCount;
+  }
+  writeEnvelope(service, key, envelope);
+  logAudit({ action: "write", key, scope, source });
+  const entangled = findEntangled({ service, key });
+  for (const target of entangled) {
+    try {
+      const targetEnvelope = readEnvelope(target.service, target.key);
+      if (targetEnvelope) {
+        if (opts2.states) {
+          targetEnvelope.states = opts2.states;
+        } else {
+          targetEnvelope.value = value;
+        }
+        targetEnvelope.meta.updatedAt = (/* @__PURE__ */ new Date()).toISOString();
+        writeEnvelope(target.service, target.key, targetEnvelope);
+        logAudit({
+          action: "entangle",
+          key: target.key,
+          scope: "global",
+          source,
+          detail: `propagated from ${key}`
+        });
+      }
+    } catch {
+    }
+  }
+}
+function deleteSecret(key, opts2 = {}) {
+  const scopes = resolveScope(opts2);
+  const source = opts2.source ?? "cli";
+  let deleted = false;
+  for (const { service, scope } of scopes) {
+    const entry = new Entry(service, key);
+    try {
+      if (entry.deleteCredential()) {
+        deleted = true;
+        logAudit({ action: "delete", key, scope, source });
+      }
+    } catch {
+    }
+  }
+  return deleted;
+}
+function hasSecret(key, opts2 = {}) {
+  const scopes = resolveScope(opts2);
+  for (const { service } of scopes) {
+    const envelope = readEnvelope(service, key);
+    if (envelope) {
+      const decay = checkDecay(envelope);
+      if (!decay.isExpired) return true;
+    }
+  }
+  return false;
+}
+function listSecrets(opts2 = {}) {
+  const source = opts2.source ?? "cli";
+  const services = [];
+  if (!opts2.scope || opts2.scope === "global") {
+    services.push({ service: globalService(), scope: "global" });
+  }
+  if ((!opts2.scope || opts2.scope === "project") && opts2.projectPath) {
+    services.push({
+      service: projectService(opts2.projectPath),
+      scope: "project"
+    });
+  }
+  const results = [];
+  const seen = /* @__PURE__ */ new Set();
+  for (const { service, scope } of services) {
+    try {
+      const credentials = findCredentials(service);
+      for (const cred of credentials) {
+        const id = `${scope}:${cred.account}`;
+        if (seen.has(id)) continue;
+        seen.add(id);
+        const envelope = parseEnvelope(cred.password) ?? wrapLegacy(cred.password);
+        const decay = checkDecay(envelope);
+        results.push({
+          key: cred.account,
+          scope,
+          envelope,
+          decay
+        });
+      }
+    } catch {
+    }
+  }
+  logAudit({ action: "list", source });
+  return results.sort((a, b) => a.key.localeCompare(b.key));
+}
+function entangleSecrets(sourceKey, sourceOpts, targetKey, targetOpts) {
+  const sourceScopes = resolveScope({ ...sourceOpts, scope: sourceOpts.scope ?? "global" });
+  const targetScopes = resolveScope({ ...targetOpts, scope: targetOpts.scope ?? "global" });
+  const source = { service: sourceScopes[0].service, key: sourceKey };
+  const target = { service: targetScopes[0].service, key: targetKey };
+  entangle(source, target);
+  logAudit({
+    action: "entangle",
+    key: sourceKey,
+    source: sourceOpts.source ?? "cli",
+    detail: `entangled with ${targetKey}`
+  });
+}
+
+// src/core/noise.ts
+import { randomBytes, randomInt } from "crypto";
+var ALPHA_NUM = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
+var PASSWORD_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()-_=+[]{}|;:,.<>?";
+function randomString(charset, length) {
+  let result = "";
+  for (let i = 0; i < length; i++) {
+    result += charset[randomInt(charset.length)];
+  }
+  return result;
+}
+function generateSecret(opts2 = {}) {
+  const format = opts2.format ?? "api-key";
+  switch (format) {
+    case "hex": {
+      const len = opts2.length ?? 32;
+      return randomBytes(len).toString("hex");
+    }
+    case "base64": {
+      const len = opts2.length ?? 32;
+      return randomBytes(len).toString("base64url");
+    }
+    case "alphanumeric": {
+      const len = opts2.length ?? 32;
+      return randomString(ALPHA_NUM, len);
+    }
+    case "uuid": {
+      const bytes = randomBytes(16);
+      bytes[6] = bytes[6] & 15 | 64;
+      bytes[8] = bytes[8] & 63 | 128;
+      const hex = bytes.toString("hex");
+      return [
+        hex.slice(0, 8),
+        hex.slice(8, 12),
+        hex.slice(12, 16),
+        hex.slice(16, 20),
+        hex.slice(20, 32)
+      ].join("-");
+    }
+    case "api-key": {
+      const prefix = opts2.prefix ?? "qr_";
+      const len = opts2.length ?? 48;
+      return prefix + randomString(ALPHA_NUM, len);
+    }
+    case "token": {
+      const prefix = opts2.prefix ?? "";
+      const len = opts2.length ?? 64;
+      return prefix + randomBytes(len).toString("base64url");
+    }
+    case "password": {
+      const len = opts2.length ?? 24;
+      let pw = randomString(PASSWORD_CHARS, len);
+      const hasUpper = /[A-Z]/.test(pw);
+      const hasLower = /[a-z]/.test(pw);
+      const hasDigit = /[0-9]/.test(pw);
+      const hasSpecial = /[^A-Za-z0-9]/.test(pw);
+      if (!hasUpper) pw = replaceAt(pw, randomInt(len), randomString("ABCDEFGHIJKLMNOPQRSTUVWXYZ", 1));
+      if (!hasLower) pw = replaceAt(pw, randomInt(len), randomString("abcdefghijklmnopqrstuvwxyz", 1));
+      if (!hasDigit) pw = replaceAt(pw, randomInt(len), randomString("0123456789", 1));
+      if (!hasSpecial) pw = replaceAt(pw, randomInt(len), randomString("!@#$%^&*()-_=+", 1));
+      return pw;
+    }
+    default:
+      return randomBytes(32).toString("hex");
+  }
+}
+function replaceAt(str, index, char) {
+  return str.slice(0, index) + char + str.slice(index + 1);
+}
+function estimateEntropy(secret) {
+  const charsets = [
+    { regex: /[a-z]/, size: 26 },
+    { regex: /[A-Z]/, size: 26 },
+    { regex: /[0-9]/, size: 10 },
+    { regex: /[^A-Za-z0-9]/, size: 32 }
+  ];
+  let poolSize = 0;
+  for (const { regex, size } of charsets) {
+    if (regex.test(secret)) poolSize += size;
+  }
+  return poolSize > 0 ? Math.floor(Math.log2(poolSize) * secret.length) : 0;
+}
+
+// src/utils/colors.ts
+var enabled = process.stdout.isTTY !== false && !process.env.NO_COLOR;
+
+// src/core/agent.ts
+function defaultConfig() {
+  return {
+    intervalSeconds: 60,
+    autoRotate: false,
+    projectPaths: [process.cwd()],
+    verbose: false
+  };
+}
+function runHealthScan(config = {}) {
+  const cfg = { ...defaultConfig(), ...config };
+  const report = {
+    timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+    totalSecrets: 0,
+    healthy: 0,
+    stale: 0,
+    expired: 0,
+    anomalies: 0,
+    rotated: [],
+    warnings: []
+  };
+  const globalEntries = listSecrets({ scope: "global", source: "agent" });
+  const projectEntries = cfg.projectPaths.flatMap(
+    (pp) => listSecrets({ scope: "project", projectPath: pp, source: "agent" })
+  );
+  const allEntries = [...globalEntries, ...projectEntries];
+  report.totalSecrets = allEntries.length;
+  for (const entry of allEntries) {
+    if (!entry.envelope) continue;
+    const decay = checkDecay(entry.envelope);
+    if (decay.isExpired) {
+      report.expired++;
+      report.warnings.push(
+        `EXPIRED: ${entry.key} [${entry.scope}] \u2014 expired ${decay.timeRemaining}`
+      );
+      if (cfg.autoRotate) {
+        const newValue = generateSecret({ format: "api-key" });
+        setSecret(entry.key, newValue, {
+          scope: entry.scope,
+          projectPath: cfg.projectPaths[0],
+          source: "agent"
+        });
+        report.rotated.push(entry.key);
+        logAudit({
+          action: "write",
+          key: entry.key,
+          scope: entry.scope,
+          source: "agent",
+          detail: "auto-rotated by agent (expired)"
+        });
+      }
+    } else if (decay.isStale) {
+      report.stale++;
+      report.warnings.push(
+        `STALE: ${entry.key} [${entry.scope}] \u2014 ${decay.lifetimePercent}% lifetime, ${decay.timeRemaining} remaining`
+      );
+    } else {
+      report.healthy++;
+    }
+  }
+  const anomalies = detectAnomalies();
+  report.anomalies = anomalies.length;
+  for (const a of anomalies) {
+    report.warnings.push(`ANOMALY [${a.type}]: ${a.description}`);
+  }
+  return report;
+}
+
+// src/core/tunnel.ts
+var tunnelStore = /* @__PURE__ */ new Map();
+var cleanupInterval = null;
+function ensureCleanup() {
+  if (cleanupInterval) return;
+  cleanupInterval = setInterval(() => {
+    const now = Date.now();
+    for (const [id, entry] of tunnelStore) {
+      if (entry.expiresAt && now >= entry.expiresAt) {
+        tunnelStore.delete(id);
+      }
+    }
+    if (tunnelStore.size === 0 && cleanupInterval) {
+      clearInterval(cleanupInterval);
+      cleanupInterval = null;
+    }
+  }, 5e3);
+  if (cleanupInterval && typeof cleanupInterval === "object" && "unref" in cleanupInterval) {
+    cleanupInterval.unref();
+  }
+}
+function tunnelCreate(value, opts2 = {}) {
+  const id = `tun_${Date.now().toString(36)}_${Math.random().toString(36).slice(2, 8)}`;
+  const now = Date.now();
+  tunnelStore.set(id, {
+    value,
+    createdAt: now,
+    expiresAt: opts2.ttlSeconds ? now + opts2.ttlSeconds * 1e3 : void 0,
+    accessCount: 0,
+    maxReads: opts2.maxReads
+  });
+  ensureCleanup();
+  return id;
+}
+function tunnelRead(id) {
+  const entry = tunnelStore.get(id);
+  if (!entry) return null;
+  if (entry.expiresAt && Date.now() >= entry.expiresAt) {
+    tunnelStore.delete(id);
+    return null;
+  }
+  entry.accessCount++;
+  if (entry.maxReads && entry.accessCount >= entry.maxReads) {
+    const value = entry.value;
+    tunnelStore.delete(id);
+    return value;
+  }
+  return entry.value;
+}
+function tunnelDestroy(id) {
+  return tunnelStore.delete(id);
+}
+function tunnelList() {
+  const now = Date.now();
+  const result = [];
+  for (const [id, entry] of tunnelStore) {
+    if (entry.expiresAt && now >= entry.expiresAt) {
+      tunnelStore.delete(id);
+      continue;
+    }
+    result.push({
+      id,
+      createdAt: entry.createdAt,
+      expiresAt: entry.expiresAt,
+      accessCount: entry.accessCount,
+      maxReads: entry.maxReads
+    });
+  }
+  return result;
+}
+
+// src/core/teleport.ts
+import {
+  randomBytes as randomBytes2,
+  createCipheriv,
+  createDecipheriv,
+  pbkdf2Sync
+} from "crypto";
+var ALGORITHM = "aes-256-gcm";
+var KEY_LENGTH = 32;
+var IV_LENGTH = 16;
+var SALT_LENGTH = 32;
+var PBKDF2_ITERATIONS = 1e5;
+function deriveKey(passphrase, salt) {
+  return pbkdf2Sync(passphrase, salt, PBKDF2_ITERATIONS, KEY_LENGTH, "sha512");
+}
+function teleportPack(secrets, passphrase) {
+  const payload = {
+    secrets,
+    exportedAt: (/* @__PURE__ */ new Date()).toISOString()
+  };
+  const plaintext = JSON.stringify(payload);
+  const salt = randomBytes2(SALT_LENGTH);
+  const iv = randomBytes2(IV_LENGTH);
+  const key = deriveKey(passphrase, salt);
+  const cipher = createCipheriv(ALGORITHM, key, iv);
+  const encrypted = Buffer.concat([
+    cipher.update(plaintext, "utf8"),
+    cipher.final()
+  ]);
+  const tag = cipher.getAuthTag();
+  const bundle = {
+    v: 1,
+    data: encrypted.toString("base64"),
+    salt: salt.toString("base64"),
+    iv: iv.toString("base64"),
+    tag: tag.toString("base64"),
+    createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+    count: secrets.length
+  };
+  return Buffer.from(JSON.stringify(bundle)).toString("base64");
+}
+function teleportUnpack(encoded, passphrase) {
+  const bundleJson = Buffer.from(encoded, "base64").toString("utf8");
+  const bundle = JSON.parse(bundleJson);
+  if (bundle.v !== 1) {
+    throw new Error(`Unsupported teleport bundle version: ${bundle.v}`);
+  }
+  const salt = Buffer.from(bundle.salt, "base64");
+  const iv = Buffer.from(bundle.iv, "base64");
+  const tag = Buffer.from(bundle.tag, "base64");
+  const encrypted = Buffer.from(bundle.data, "base64");
+  const key = deriveKey(passphrase, salt);
+  const decipher = createDecipheriv(ALGORITHM, key, iv);
+  decipher.setAuthTag(tag);
+  const decrypted = Buffer.concat([
+    decipher.update(encrypted),
+    decipher.final()
+  ]);
+  return JSON.parse(decrypted.toString("utf8"));
+}
+
+// src/mcp/server.ts
+function text(t, isError = false) {
+  return {
+    content: [{ type: "text", text: t }],
+    ...isError ? { isError: true } : {}
+  };
+}
+function opts(params) {
+  return {
+    scope: params.scope,
+    projectPath: params.projectPath ?? process.cwd(),
+    env: params.env,
+    source: "mcp"
+  };
+}
+function createMcpServer() {
+  const server2 = new McpServer({
+    name: "q-ring",
+    version: "0.2.0"
+  });
+  const scopeSchema = z.enum(["global", "project"]).optional().describe("Scope: global or project");
+  const projectPathSchema = z.string().optional().describe("Project root path for project-scoped secrets");
+  const envSchema = z.string().optional().describe("Environment for superposition collapse (e.g., dev, staging, prod)");
+  server2.tool(
+    "get_secret",
+    "Retrieve a secret by key. Collapses superposition if the secret has multiple environment states. Records access in audit log (observer effect).",
+    {
+      key: z.string().describe("The secret key name"),
+      scope: scopeSchema,
+      projectPath: projectPathSchema,
+      env: envSchema
+    },
+    async (params) => {
+      const value = getSecret(params.key, opts(params));
+      if (value === null) return text(`Secret "${params.key}" not found`, true);
+      return text(value);
+    }
+  );
+  server2.tool(
+    "list_secrets",
+    "List all secret keys with quantum metadata (scope, decay status, superposition states, entanglement, access count). Values are never exposed.",
+    {
+      scope: scopeSchema,
+      projectPath: projectPathSchema
+    },
+    async (params) => {
+      const entries = listSecrets(opts(params));
+      if (entries.length === 0) return text("No secrets found");
+      const lines = entries.map((e) => {
+        const parts = [`[${e.scope}] ${e.key}`];
+        if (e.envelope?.states) {
+          parts.push(`states:[${Object.keys(e.envelope.states).join(",")}]`);
+        }
+        if (e.decay?.isExpired) {
+          parts.push("EXPIRED");
+        } else if (e.decay?.isStale) {
+          parts.push(`stale(${e.decay.lifetimePercent}%)`);
+        }
+        if (e.decay?.timeRemaining && !e.decay.isExpired) {
+          parts.push(`ttl:${e.decay.timeRemaining}`);
+        }
+        if (e.envelope?.meta.entangled?.length) {
+          parts.push(`entangled:${e.envelope.meta.entangled.length}`);
+        }
+        if (e.envelope && e.envelope.meta.accessCount > 0) {
+          parts.push(`reads:${e.envelope.meta.accessCount}`);
+        }
+        return parts.join(" | ");
+      });
+      return text(lines.join("\n"));
+    }
+  );
+  server2.tool(
+    "set_secret",
+    "Store a secret with optional quantum metadata: TTL (decay), environment state (superposition), description, tags.",
+    {
+      key: z.string().describe("The secret key name"),
+      value: z.string().describe("The secret value"),
+      scope: scopeSchema.default("global"),
+      projectPath: projectPathSchema,
+      env: z.string().optional().describe("If provided, sets the value for this specific environment (superposition)"),
+      ttlSeconds: z.number().optional().describe("Time-to-live in seconds (quantum decay)"),
+      description: z.string().optional().describe("Human-readable description"),
+      tags: z.array(z.string()).optional().describe("Tags for organization")
+    },
+    async (params) => {
+      const o = opts(params);
+      if (params.env) {
+        const existing = getEnvelope(params.key, o);
+        const states = existing?.envelope?.states ?? {};
+        states[params.env] = params.value;
+        if (existing?.envelope?.value && !states["default"]) {
+          states["default"] = existing.envelope.value;
+        }
+        setSecret(params.key, "", {
+          ...o,
+          states,
+          defaultEnv: existing?.envelope?.defaultEnv ?? params.env,
+          ttlSeconds: params.ttlSeconds,
+          description: params.description,
+          tags: params.tags
+        });
+        return text(`[${params.scope ?? "global"}] ${params.key} set for env:${params.env}`);
+      }
+      setSecret(params.key, params.value, {
+        ...o,
+        ttlSeconds: params.ttlSeconds,
+        description: params.description,
+        tags: params.tags
+      });
+      return text(`[${params.scope ?? "global"}] ${params.key} saved`);
+    }
+  );
+  server2.tool(
+    "delete_secret",
+    "Remove a secret from the keyring.",
+    {
+      key: z.string().describe("The secret key name"),
+      scope: scopeSchema,
+      projectPath: projectPathSchema
+    },
+    async (params) => {
+      const deleted = deleteSecret(params.key, opts(params));
+      return text(
+        deleted ? `Deleted "${params.key}"` : `Secret "${params.key}" not found`,
+        !deleted
+      );
+    }
+  );
+  server2.tool(
+    "has_secret",
+    "Check if a secret exists. Returns boolean. Never reveals the value. Respects decay \u2014 expired secrets return false.",
+    {
+      key: z.string().describe("The secret key name"),
+      scope: scopeSchema,
+      projectPath: projectPathSchema
+    },
+    async (params) => {
+      return text(hasSecret(params.key, opts(params)) ? "true" : "false");
+    }
+  );
+  server2.tool(
+    "inspect_secret",
+    "Show full quantum state of a secret: superposition states, decay status, entanglement links, access history. Never reveals the actual value.",
+    {
+      key: z.string().describe("The secret key name"),
+      scope: scopeSchema,
+      projectPath: projectPathSchema
+    },
+    async (params) => {
+      const result = getEnvelope(params.key, opts(params));
+      if (!result) return text(`Secret "${params.key}" not found`, true);
+      const { envelope, scope } = result;
+      const decay = checkDecay(envelope);
+      const info = {
+        key: params.key,
+        scope,
+        type: envelope.states ? "superposition" : "collapsed",
+        created: envelope.meta.createdAt,
+        updated: envelope.meta.updatedAt,
+        accessCount: envelope.meta.accessCount,
+        lastAccessed: envelope.meta.lastAccessedAt ?? "never"
+      };
+      if (envelope.states) {
+        info.environments = Object.keys(envelope.states);
+        info.defaultEnv = envelope.defaultEnv;
+      }
+      if (decay.timeRemaining) {
+        info.decay = {
+          expired: decay.isExpired,
+          stale: decay.isStale,
+          lifetimePercent: decay.lifetimePercent,
+          timeRemaining: decay.timeRemaining
+        };
+      }
+      if (envelope.meta.entangled?.length) {
+        info.entangled = envelope.meta.entangled;
+      }
+      if (envelope.meta.description) info.description = envelope.meta.description;
+      if (envelope.meta.tags?.length) info.tags = envelope.meta.tags;
+      return text(JSON.stringify(info, null, 2));
+    }
+  );
+  server2.tool(
+    "detect_environment",
+    "Detect the current environment context (wavefunction collapse). Returns the detected environment and its source (NODE_ENV, git branch, project config, etc.).",
+    {
+      projectPath: projectPathSchema
+    },
+    async (params) => {
+      const result = collapseEnvironment({
+        projectPath: params.projectPath ?? process.cwd()
+      });
+      if (!result) {
+        return text(
+          "No environment detected. Set QRING_ENV, NODE_ENV, or create .q-ring.json"
+        );
+      }
+      return text(JSON.stringify(result, null, 2));
+    }
+  );
+  server2.tool(
+    "generate_secret",
+    "Generate a cryptographic secret (quantum noise). Formats: hex, base64, alphanumeric, uuid, api-key, token, password. Optionally save directly to the keyring.",
+    {
+      format: z.enum(["hex", "base64", "alphanumeric", "uuid", "api-key", "token", "password"]).optional().default("api-key").describe("Output format"),
+      length: z.number().optional().describe("Length in bytes or characters"),
+      prefix: z.string().optional().describe("Prefix for api-key/token format"),
+      saveAs: z.string().optional().describe("If provided, save the generated secret with this key name"),
+      scope: scopeSchema.default("global"),
+      projectPath: projectPathSchema
+    },
+    async (params) => {
+      const secret = generateSecret({
+        format: params.format,
+        length: params.length,
+        prefix: params.prefix
+      });
+      if (params.saveAs) {
+        setSecret(params.saveAs, secret, {
+          ...opts(params),
+          description: `Generated ${params.format} secret`
+        });
+        const entropy = estimateEntropy(secret);
+        return text(
+          `Generated and saved as "${params.saveAs}" (${params.format}, ~${entropy} bits entropy)`
+        );
+      }
+      return text(secret);
+    }
+  );
+  server2.tool(
+    "entangle_secrets",
+    "Create a quantum entanglement between two secrets. When the source is rotated/updated, the target automatically receives the same value.",
+    {
+      sourceKey: z.string().describe("Source secret key"),
+      targetKey: z.string().describe("Target secret key"),
+      sourceScope: scopeSchema.default("global"),
+      targetScope: scopeSchema.default("global"),
+      sourceProjectPath: z.string().optional(),
+      targetProjectPath: z.string().optional()
+    },
+    async (params) => {
+      entangleSecrets(
+        params.sourceKey,
+        {
+          scope: params.sourceScope,
+          projectPath: params.sourceProjectPath ?? process.cwd(),
+          source: "mcp"
+        },
+        params.targetKey,
+        {
+          scope: params.targetScope,
+          projectPath: params.targetProjectPath ?? process.cwd(),
+          source: "mcp"
+        }
+      );
+      return text(`Entangled: ${params.sourceKey} <-> ${params.targetKey}`);
+    }
+  );
+  server2.tool(
+    "tunnel_create",
+    "Create an ephemeral secret that exists only in memory (quantum tunneling). Never persisted to disk. Optional TTL and max-reads for self-destruction.",
+    {
+      value: z.string().describe("The secret value"),
+      ttlSeconds: z.number().optional().describe("Auto-expire after N seconds"),
+      maxReads: z.number().optional().describe("Self-destruct after N reads")
+    },
+    async (params) => {
+      const id = tunnelCreate(params.value, {
+        ttlSeconds: params.ttlSeconds,
+        maxReads: params.maxReads
+      });
+      return text(id);
+    }
+  );
+  server2.tool(
+    "tunnel_read",
+    "Read an ephemeral tunneled secret by ID. May self-destruct if max-reads is reached.",
+    {
+      id: z.string().describe("Tunnel ID")
+    },
+    async (params) => {
+      const value = tunnelRead(params.id);
+      if (value === null) {
+        return text(`Tunnel "${params.id}" not found or expired`, true);
+      }
+      return text(value);
+    }
+  );
+  server2.tool(
+    "tunnel_list",
+    "List active tunneled secrets (IDs and metadata only, never values).",
+    {},
+    async () => {
+      const tunnels = tunnelList();
+      if (tunnels.length === 0) return text("No active tunnels");
+      const lines = tunnels.map((t) => {
+        const parts = [t.id];
+        parts.push(`reads:${t.accessCount}`);
+        if (t.maxReads) parts.push(`max:${t.maxReads}`);
+        if (t.expiresAt) {
+          const rem = Math.max(0, Math.floor((t.expiresAt - Date.now()) / 1e3));
+          parts.push(`expires:${rem}s`);
+        }
+        return parts.join(" | ");
+      });
+      return text(lines.join("\n"));
+    }
+  );
+  server2.tool(
+    "tunnel_destroy",
+    "Immediately destroy a tunneled secret.",
+    {
+      id: z.string().describe("Tunnel ID")
+    },
+    async (params) => {
+      const destroyed = tunnelDestroy(params.id);
+      return text(
+        destroyed ? `Destroyed ${params.id}` : `Tunnel "${params.id}" not found`,
+        !destroyed
+      );
+    }
+  );
+  server2.tool(
+    "teleport_pack",
+    "Pack secrets into an AES-256-GCM encrypted bundle for sharing between machines (quantum teleportation).",
+    {
+      keys: z.array(z.string()).optional().describe("Specific keys to pack (all if omitted)"),
+      passphrase: z.string().describe("Encryption passphrase"),
+      scope: scopeSchema,
+      projectPath: projectPathSchema
+    },
+    async (params) => {
+      const o = opts(params);
+      const entries = listSecrets(o);
+      const secrets = [];
+      for (const entry of entries) {
+        if (params.keys && !params.keys.includes(entry.key)) continue;
+        const value = getSecret(entry.key, { ...o, scope: entry.scope });
+        if (value !== null) {
+          secrets.push({ key: entry.key, value, scope: entry.scope });
+        }
+      }
+      if (secrets.length === 0) return text("No secrets to pack", true);
+      const bundle = teleportPack(secrets, params.passphrase);
+      return text(bundle);
+    }
+  );
+  server2.tool(
+    "teleport_unpack",
+    "Decrypt and import secrets from a teleport bundle.",
+    {
+      bundle: z.string().describe("Base64-encoded encrypted bundle"),
+      passphrase: z.string().describe("Decryption passphrase"),
+      scope: scopeSchema.default("global"),
+      projectPath: projectPathSchema,
+      dryRun: z.boolean().optional().default(false).describe("Preview without importing")
+    },
+    async (params) => {
+      try {
+        const payload = teleportUnpack(params.bundle, params.passphrase);
+        if (params.dryRun) {
+          const preview = payload.secrets.map((s) => `${s.key} [${s.scope ?? "global"}]`).join("\n");
+          return text(`Would import ${payload.secrets.length} secrets:
+${preview}`);
+        }
+        const o = opts(params);
+        for (const s of payload.secrets) {
+          setSecret(s.key, s.value, o);
+        }
+        return text(`Imported ${payload.secrets.length} secret(s) from teleport bundle`);
+      } catch {
+        return text("Failed to unpack: wrong passphrase or corrupted bundle", true);
+      }
+    }
+  );
+  server2.tool(
+    "audit_log",
+    "Query the audit log for secret access history (observer effect). Shows who accessed what and when.",
+    {
+      key: z.string().optional().describe("Filter by key"),
+      action: z.enum(["read", "write", "delete", "list", "export", "generate", "entangle", "tunnel", "teleport", "collapse"]).optional().describe("Filter by action"),
+      limit: z.number().optional().default(20).describe("Max events to return")
+    },
+    async (params) => {
+      const events = queryAudit({
+        key: params.key,
+        action: params.action,
+        limit: params.limit
+      });
+      if (events.length === 0) return text("No audit events found");
+      const lines = events.map((e) => {
+        const parts = [e.timestamp, e.action];
+        if (e.key) parts.push(e.key);
+        if (e.scope) parts.push(`[${e.scope}]`);
+        if (e.env) parts.push(`env:${e.env}`);
+        if (e.detail) parts.push(e.detail);
+        return parts.join(" | ");
+      });
+      return text(lines.join("\n"));
+    }
+  );
+  server2.tool(
+    "detect_anomalies",
+    "Scan for anomalous secret access patterns: burst reads, unusual-hour access. Returns findings and recommendations.",
+    {
+      key: z.string().optional().describe("Check anomalies for a specific key")
+    },
+    async (params) => {
+      const anomalies = detectAnomalies(params.key);
+      if (anomalies.length === 0) return text("No anomalies detected");
+      const lines = anomalies.map(
+        (a) => `[${a.type}] ${a.description}`
+      );
+      return text(lines.join("\n"));
+    }
+  );
+  server2.tool(
+    "health_check",
+    "Run a comprehensive health check on all secrets: decay status, staleness, anomalies, entropy assessment.",
+    {
+      scope: scopeSchema,
+      projectPath: projectPathSchema
+    },
+    async (params) => {
+      const entries = listSecrets(opts(params));
+      const anomalies = detectAnomalies();
+      let healthy = 0;
+      let stale = 0;
+      let expired = 0;
+      let noDecay = 0;
+      const issues = [];
+      for (const entry of entries) {
+        if (!entry.decay?.timeRemaining) {
+          noDecay++;
+          continue;
+        }
+        if (entry.decay.isExpired) {
+          expired++;
+          issues.push(`EXPIRED: ${entry.key}`);
+        } else if (entry.decay.isStale) {
+          stale++;
+          issues.push(
+            `STALE: ${entry.key} (${entry.decay.lifetimePercent}%, ${entry.decay.timeRemaining} left)`
+          );
+        } else {
+          healthy++;
+        }
+      }
+      const summary = [
+        `Secrets: ${entries.length} total`,
+        `Healthy: ${healthy} | Stale: ${stale} | Expired: ${expired} | No decay: ${noDecay}`,
+        `Anomalies: ${anomalies.length}`
+      ];
+      if (issues.length > 0) {
+        summary.push("", "Issues:", ...issues);
+      }
+      if (anomalies.length > 0) {
+        summary.push(
+          "",
+          "Anomalies:",
+          ...anomalies.map((a) => `[${a.type}] ${a.description}`)
+        );
+      }
+      return text(summary.join("\n"));
+    }
+  );
+  server2.tool(
+    "agent_scan",
+    "Run an autonomous agent health scan: checks decay, staleness, anomalies, and optionally auto-rotates expired secrets. Returns a structured report.",
+    {
+      autoRotate: z.boolean().optional().default(false).describe("Auto-rotate expired secrets with generated values"),
+      projectPaths: z.array(z.string()).optional().describe("Project paths to monitor")
+    },
+    async (params) => {
+      const report = runHealthScan({
+        autoRotate: params.autoRotate,
+        projectPaths: params.projectPaths ?? [process.cwd()]
+      });
+      return text(JSON.stringify(report, null, 2));
+    }
+  );
+  return server2;
+}
+
+// src/mcp.ts
+var server = createMcpServer();
+var transport = new StdioServerTransport();
+await server.connect(transport);
+//# sourceMappingURL=mcp.js.map