npm - @i4ctime/q-ring - Versions diffs - 0.4.0 → 0.9.2 - Mend

@i4ctime/q-ring 0.4.0 → 0.9.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (19) hide show

package/README.md +341 -10
package/dist/{chunk-IGNU622R.js → chunk-5JBU7TWN.js} +715 -124
package/dist/chunk-5JBU7TWN.js.map +1 -0
package/dist/chunk-WG4ZKN7Q.js +1632 -0
package/dist/chunk-WG4ZKN7Q.js.map +1 -0
package/dist/{dashboard-32PCZF7D.js → dashboard-JT5ZNLT5.js} +41 -16
package/dist/dashboard-JT5ZNLT5.js.map +1 -0
package/dist/{dashboard-HVIQO6NT.js → dashboard-Q5OQRQCX.js} +41 -16
package/dist/dashboard-Q5OQRQCX.js.map +1 -0
package/dist/index.js +1213 -39
package/dist/index.js.map +1 -1
package/dist/mcp.js +1066 -48
package/dist/mcp.js.map +1 -1
package/package.json +1 -1
package/dist/chunk-6IQ5SFLI.js +0 -967
package/dist/chunk-6IQ5SFLI.js.map +0 -1
package/dist/chunk-IGNU622R.js.map +0 -1
package/dist/dashboard-32PCZF7D.js.map +0 -1
package/dist/dashboard-HVIQO6NT.js.map +0 -1

package/dist/chunk-WG4ZKN7Q.js ADDED Viewed

@@ -0,0 +1,1632 @@
+#!/usr/bin/env node
+// src/core/envelope.ts
+function createEnvelope(value, opts) {
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  let expiresAt = opts?.expiresAt;
+  if (!expiresAt && opts?.ttlSeconds) {
+    expiresAt = new Date(Date.now() + opts.ttlSeconds * 1e3).toISOString();
+  }
+  return {
+    v: 1,
+    value: opts?.states ? void 0 : value,
+    states: opts?.states,
+    defaultEnv: opts?.defaultEnv,
+    meta: {
+      createdAt: now,
+      updatedAt: now,
+      expiresAt,
+      ttlSeconds: opts?.ttlSeconds,
+      description: opts?.description,
+      tags: opts?.tags,
+      entangled: opts?.entangled,
+      accessCount: 0,
+      rotationFormat: opts?.rotationFormat,
+      rotationPrefix: opts?.rotationPrefix,
+      provider: opts?.provider,
+      requiresApproval: opts?.requiresApproval,
+      jitProvider: opts?.jitProvider
+    }
+  };
+}
+function parseEnvelope(raw) {
+  try {
+    const parsed = JSON.parse(raw);
+    if (parsed && typeof parsed === "object" && parsed.v === 1) {
+      return parsed;
+    }
+  } catch {
+  }
+  return null;
+}
+function wrapLegacy(rawValue) {
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  return {
+    v: 1,
+    value: rawValue,
+    meta: {
+      createdAt: now,
+      updatedAt: now,
+      accessCount: 0
+    }
+  };
+}
+function serializeEnvelope(envelope) {
+  return JSON.stringify(envelope);
+}
+function collapseValue(envelope, env) {
+  if (envelope.states) {
+    const targetEnv = env ?? envelope.defaultEnv;
+    if (targetEnv && envelope.states[targetEnv]) {
+      return envelope.states[targetEnv];
+    }
+    if (envelope.defaultEnv && envelope.states[envelope.defaultEnv]) {
+      return envelope.states[envelope.defaultEnv];
+    }
+    const keys = Object.keys(envelope.states);
+    if (keys.length > 0) {
+      return envelope.states[keys[0]];
+    }
+    return null;
+  }
+  return envelope.value ?? null;
+}
+function checkDecay(envelope) {
+  if (!envelope.meta.expiresAt) {
+    return {
+      isExpired: false,
+      isStale: false,
+      lifetimePercent: 0,
+      secondsRemaining: null,
+      timeRemaining: null
+    };
+  }
+  const now = Date.now();
+  const expires = new Date(envelope.meta.expiresAt).getTime();
+  const created = new Date(envelope.meta.createdAt).getTime();
+  const totalLifetime = expires - created;
+  const elapsed = now - created;
+  const remaining = expires - now;
+  const lifetimePercent = totalLifetime > 0 ? Math.round(elapsed / totalLifetime * 100) : 100;
+  const secondsRemaining = Math.floor(remaining / 1e3);
+  let timeRemaining = null;
+  if (remaining > 0) {
+    const days = Math.floor(remaining / 864e5);
+    const hours = Math.floor(remaining % 864e5 / 36e5);
+    const minutes = Math.floor(remaining % 36e5 / 6e4);
+    if (days > 0) timeRemaining = `${days}d ${hours}h`;
+    else if (hours > 0) timeRemaining = `${hours}h ${minutes}m`;
+    else timeRemaining = `${minutes}m`;
+  } else {
+    timeRemaining = "expired";
+  }
+  return {
+    isExpired: remaining <= 0,
+    isStale: lifetimePercent >= 75,
+    lifetimePercent,
+    secondsRemaining,
+    timeRemaining
+  };
+}
+function recordAccess(envelope) {
+  return {
+    ...envelope,
+    meta: {
+      ...envelope.meta,
+      accessCount: envelope.meta.accessCount + 1,
+      lastAccessedAt: (/* @__PURE__ */ new Date()).toISOString()
+    }
+  };
+}
+// src/core/collapse.ts
+import { execSync } from "child_process";
+import { existsSync, readFileSync } from "fs";
+import { join } from "path";
+var BRANCH_ENV_MAP = {
+  main: "prod",
+  master: "prod",
+  production: "prod",
+  develop: "dev",
+  development: "dev",
+  dev: "dev",
+  staging: "staging",
+  stage: "staging",
+  test: "test",
+  testing: "test"
+};
+function detectGitBranch(cwd) {
+  try {
+    const branch = execSync("git rev-parse --abbrev-ref HEAD", {
+      cwd: cwd ?? process.cwd(),
+      stdio: ["pipe", "pipe", "pipe"],
+      encoding: "utf8",
+      timeout: 3e3
+    }).trim();
+    return branch || null;
+  } catch {
+    return null;
+  }
+}
+function readProjectConfig(projectPath) {
+  const configPath = join(projectPath ?? process.cwd(), ".q-ring.json");
+  try {
+    if (existsSync(configPath)) {
+      return JSON.parse(readFileSync(configPath, "utf8"));
+    }
+  } catch {
+  }
+  return null;
+}
+function collapseEnvironment(ctx = {}) {
+  if (ctx.explicit) {
+    return { env: ctx.explicit, source: "explicit" };
+  }
+  const qringEnv = process.env.QRING_ENV;
+  if (qringEnv) {
+    return { env: qringEnv, source: "QRING_ENV" };
+  }
+  const nodeEnv = process.env.NODE_ENV;
+  if (nodeEnv) {
+    const mapped = mapEnvName(nodeEnv);
+    return { env: mapped, source: "NODE_ENV" };
+  }
+  const config = readProjectConfig(ctx.projectPath);
+  if (config?.env) {
+    return { env: config.env, source: "project-config" };
+  }
+  const branch = detectGitBranch(ctx.projectPath);
+  if (branch) {
+    const branchMap = { ...BRANCH_ENV_MAP, ...config?.branchMap };
+    const mapped = branchMap[branch] ?? matchGlob(branchMap, branch);
+    if (mapped) {
+      return { env: mapped, source: "git-branch" };
+    }
+  }
+  if (config?.defaultEnv) {
+    return { env: config.defaultEnv, source: "project-config" };
+  }
+  return null;
+}
+function matchGlob(branchMap, branch) {
+  for (const [pattern, env] of Object.entries(branchMap)) {
+    if (!pattern.includes("*")) continue;
+    const regex = new RegExp(
+      "^" + pattern.replace(/\*/g, ".*") + "$"
+    );
+    if (regex.test(branch)) return env;
+  }
+  return void 0;
+}
+function mapEnvName(raw) {
+  const lower = raw.toLowerCase();
+  if (lower === "production") return "prod";
+  if (lower === "development") return "dev";
+  return lower;
+}
+// src/core/observer.ts
+import { existsSync as existsSync2, mkdirSync, appendFileSync, readFileSync as readFileSync2, openSync, fstatSync, readSync, closeSync } from "fs";
+import { join as join2 } from "path";
+import { homedir } from "os";
+import { createHash } from "crypto";
+function getAuditDir() {
+  const dir = join2(homedir(), ".config", "q-ring");
+  if (!existsSync2(dir)) {
+    mkdirSync(dir, { recursive: true });
+  }
+  return dir;
+}
+function getAuditPath() {
+  return join2(getAuditDir(), "audit.jsonl");
+}
+function getLastLineHash() {
+  const path = getAuditPath();
+  if (!existsSync2(path)) return void 0;
+  try {
+    const fd = openSync(path, "r");
+    const stat = fstatSync(fd);
+    if (stat.size === 0) {
+      closeSync(fd);
+      return void 0;
+    }
+    const tailSize = Math.min(stat.size, 8192);
+    const buf = Buffer.alloc(tailSize);
+    readSync(fd, buf, 0, tailSize, stat.size - tailSize);
+    closeSync(fd);
+    const tail = buf.toString("utf8");
+    const lines = tail.split("\n").filter((l) => l.trim());
+    if (lines.length === 0) return void 0;
+    const lastLine = lines[lines.length - 1];
+    return createHash("sha256").update(lastLine).digest("hex");
+  } catch {
+    return void 0;
+  }
+}
+function logAudit(event) {
+  const prevHash = getLastLineHash();
+  const full = {
+    ...event,
+    timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+    pid: process.pid,
+    prevHash
+  };
+  try {
+    appendFileSync(getAuditPath(), JSON.stringify(full) + "\n");
+  } catch {
+  }
+}
+function queryAudit(query = {}) {
+  const path = getAuditPath();
+  if (!existsSync2(path)) return [];
+  try {
+    const lines = readFileSync2(path, "utf8").split("\n").filter((l) => l.trim());
+    let events = lines.map((line) => {
+      try {
+        return JSON.parse(line);
+      } catch {
+        return null;
+      }
+    }).filter((e) => e !== null);
+    if (query.key) events = events.filter((e) => e.key === query.key);
+    if (query.action) events = events.filter((e) => e.action === query.action);
+    if (query.source) events = events.filter((e) => e.source === query.source);
+    if (query.correlationId) events = events.filter((e) => e.correlationId === query.correlationId);
+    if (query.since) {
+      const since = new Date(query.since).getTime();
+      events = events.filter((e) => new Date(e.timestamp).getTime() >= since);
+    }
+    events.sort(
+      (a, b) => new Date(b.timestamp).getTime() - new Date(a.timestamp).getTime()
+    );
+    if (query.limit) events = events.slice(0, query.limit);
+    return events;
+  } catch {
+    return [];
+  }
+}
+function verifyAuditChain() {
+  const path = getAuditPath();
+  if (!existsSync2(path)) {
+    return { totalEvents: 0, validEvents: 0, intact: true };
+  }
+  const lines = readFileSync2(path, "utf8").split("\n").filter((l) => l.trim());
+  if (lines.length === 0) {
+    return { totalEvents: 0, validEvents: 0, intact: true };
+  }
+  let validEvents = 0;
+  for (let i = 0; i < lines.length; i++) {
+    let event;
+    try {
+      event = JSON.parse(lines[i]);
+    } catch {
+      return {
+        totalEvents: lines.length,
+        validEvents,
+        brokenAt: i,
+        intact: false
+      };
+    }
+    if (i === 0) {
+      validEvents++;
+      continue;
+    }
+    const expectedHash = createHash("sha256").update(lines[i - 1]).digest("hex");
+    if (event.prevHash !== expectedHash) {
+      return {
+        totalEvents: lines.length,
+        validEvents,
+        brokenAt: i,
+        brokenEvent: event,
+        intact: false
+      };
+    }
+    validEvents++;
+  }
+  return { totalEvents: lines.length, validEvents, intact: true };
+}
+function exportAudit(opts = {}) {
+  const path = getAuditPath();
+  if (!existsSync2(path)) return opts.format === "json" ? "[]" : "";
+  const lines = readFileSync2(path, "utf8").split("\n").filter((l) => l.trim());
+  let events = lines.map((l) => {
+    try {
+      return JSON.parse(l);
+    } catch {
+      return null;
+    }
+  }).filter((e) => e !== null);
+  if (opts.since) {
+    const since = new Date(opts.since).getTime();
+    events = events.filter((e) => new Date(e.timestamp).getTime() >= since);
+  }
+  if (opts.until) {
+    const until = new Date(opts.until).getTime();
+    events = events.filter((e) => new Date(e.timestamp).getTime() <= until);
+  }
+  if (opts.format === "json") {
+    return JSON.stringify(events, null, 2);
+  }
+  if (opts.format === "csv") {
+    const header = "timestamp,action,key,scope,env,source,pid,correlationId,detail";
+    const rows = events.map(
+      (e) => `${e.timestamp},${e.action},${e.key ?? ""},${e.scope ?? ""},${e.env ?? ""},${e.source},${e.pid},${e.correlationId ?? ""},${(e.detail ?? "").replace(/,/g, ";")}`
+    );
+    return [header, ...rows].join("\n");
+  }
+  return events.map((e) => JSON.stringify(e)).join("\n");
+}
+function detectAnomalies(key) {
+  const recent = queryAudit({
+    key,
+    action: "read",
+    since: new Date(Date.now() - 36e5).toISOString()
+  });
+  const anomalies = [];
+  if (key && recent.length > 50) {
+    anomalies.push({
+      type: "burst",
+      description: `${recent.length} reads of "${key}" in the last hour`,
+      events: recent.slice(0, 10)
+    });
+  }
+  const nightAccess = recent.filter((e) => {
+    const hour = new Date(e.timestamp).getHours();
+    return hour >= 1 && hour < 5;
+  });
+  if (nightAccess.length > 0) {
+    anomalies.push({
+      type: "unusual-hour",
+      description: `${nightAccess.length} access(es) during unusual hours (1am-5am)`,
+      events: nightAccess
+    });
+  }
+  const verification = verifyAuditChain();
+  if (!verification.intact) {
+    anomalies.push({
+      type: "tampered",
+      description: `Audit chain broken at event #${verification.brokenAt}`,
+      events: verification.brokenEvent ? [verification.brokenEvent] : []
+    });
+  }
+  return anomalies;
+}
+// src/core/entanglement.ts
+import { existsSync as existsSync3, readFileSync as readFileSync3, writeFileSync as writeFileSync2, mkdirSync as mkdirSync2 } from "fs";
+import { join as join3 } from "path";
+import { homedir as homedir2 } from "os";
+function getRegistryPath() {
+  const dir = join3(homedir2(), ".config", "q-ring");
+  if (!existsSync3(dir)) {
+    mkdirSync2(dir, { recursive: true });
+  }
+  return join3(dir, "entanglement.json");
+}
+function loadRegistry() {
+  const path = getRegistryPath();
+  if (!existsSync3(path)) {
+    return { pairs: [] };
+  }
+  try {
+    return JSON.parse(readFileSync3(path, "utf8"));
+  } catch {
+    return { pairs: [] };
+  }
+}
+function saveRegistry(registry2) {
+  writeFileSync2(getRegistryPath(), JSON.stringify(registry2, null, 2));
+}
+function entangle(source, target) {
+  const registry2 = loadRegistry();
+  const exists = registry2.pairs.some(
+    (p) => p.source.service === source.service && p.source.key === source.key && p.target.service === target.service && p.target.key === target.key
+  );
+  if (!exists) {
+    registry2.pairs.push({
+      source,
+      target,
+      createdAt: (/* @__PURE__ */ new Date()).toISOString()
+    });
+    registry2.pairs.push({
+      source: target,
+      target: source,
+      createdAt: (/* @__PURE__ */ new Date()).toISOString()
+    });
+    saveRegistry(registry2);
+  }
+}
+function disentangle(source, target) {
+  const registry2 = loadRegistry();
+  registry2.pairs = registry2.pairs.filter(
+    (p) => !(p.source.service === source.service && p.source.key === source.key && p.target.service === target.service && p.target.key === target.key || p.source.service === target.service && p.source.key === target.key && p.target.service === source.service && p.target.key === source.key)
+  );
+  saveRegistry(registry2);
+}
+function findEntangled(source) {
+  const registry2 = loadRegistry();
+  return registry2.pairs.filter(
+    (p) => p.source.service === source.service && p.source.key === source.key
+  ).map((p) => p.target);
+}
+function listEntanglements() {
+  return loadRegistry().pairs;
+}
+// src/core/keyring.ts
+import { Entry, findCredentials } from "@napi-rs/keyring";
+// src/utils/hash.ts
+import { createHash as createHash2 } from "crypto";
+function hashProjectPath(projectPath) {
+  return createHash2("sha256").update(projectPath).digest("hex").slice(0, 12);
+}
+// src/core/scope.ts
+var SERVICE_PREFIX = "q-ring";
+function globalService() {
+  return `${SERVICE_PREFIX}:global`;
+}
+function projectService(projectPath) {
+  const hash = hashProjectPath(projectPath);
+  return `${SERVICE_PREFIX}:project:${hash}`;
+}
+function teamService(teamId) {
+  return `${SERVICE_PREFIX}:team:${teamId}`;
+}
+function orgService(orgId) {
+  return `${SERVICE_PREFIX}:org:${orgId}`;
+}
+function resolveScope(opts) {
+  const { scope, projectPath, teamId, orgId } = opts;
+  if (scope === "global") {
+    return [{ scope: "global", service: globalService() }];
+  }
+  if (scope === "project") {
+    if (!projectPath) throw new Error("Project path is required for project scope");
+    return [{ scope: "project", service: projectService(projectPath), projectPath }];
+  }
+  if (scope === "team") {
+    if (!teamId) throw new Error("Team ID is required for team scope");
+    return [{ scope: "team", service: teamService(teamId), teamId }];
+  }
+  if (scope === "org") {
+    if (!orgId) throw new Error("Org ID is required for org scope");
+    return [{ scope: "org", service: orgService(orgId), orgId }];
+  }
+  const chain = [];
+  if (projectPath) {
+    chain.push({ scope: "project", service: projectService(projectPath), projectPath });
+  }
+  if (teamId) {
+    chain.push({ scope: "team", service: teamService(teamId), teamId });
+  }
+  if (orgId) {
+    chain.push({ scope: "org", service: orgService(orgId), orgId });
+  }
+  chain.push({ scope: "global", service: globalService() });
+  return chain;
+}
+// src/core/hooks.ts
+import { existsSync as existsSync4, readFileSync as readFileSync4, writeFileSync as writeFileSync3, mkdirSync as mkdirSync3 } from "fs";
+import { join as join4 } from "path";
+import { homedir as homedir3 } from "os";
+import { exec } from "child_process";
+import { randomUUID } from "crypto";
+import { lookup } from "dns/promises";
+// src/utils/http-request.ts
+import { request as httpsRequest } from "https";
+import { request as httpRequest } from "http";
+var DEFAULT_TIMEOUT_MS = 1e4;
+var DEFAULT_MAX_RESPONSE_BYTES = 65536;
+function httpRequest_(opts) {
+  const {
+    url,
+    method = "GET",
+    headers = {},
+    body,
+    timeoutMs = DEFAULT_TIMEOUT_MS,
+    maxResponseBytes = DEFAULT_MAX_RESPONSE_BYTES
+  } = opts;
+  return new Promise((resolve, reject) => {
+    const parsed = new URL(url);
+    if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
+      reject(new Error(`Unsupported URL protocol: ${parsed.protocol}`));
+      return;
+    }
+    const reqFn = parsed.protocol === "https:" ? httpsRequest : httpRequest;
+    const reqHeaders = { ...headers };
+    if (body && !reqHeaders["Content-Length"]) {
+      reqHeaders["Content-Length"] = Buffer.byteLength(body);
+    }
+    const req = reqFn(
+      url,
+      { method, headers: reqHeaders, timeout: timeoutMs },
+      (res) => {
+        const chunks = [];
+        let totalBytes = 0;
+        let truncated = false;
+        res.on("data", (chunk) => {
+          totalBytes += chunk.length;
+          if (totalBytes > maxResponseBytes) {
+            truncated = true;
+            res.destroy();
+            return;
+          }
+          chunks.push(chunk);
+        });
+        let settled = false;
+        const settle = (result) => {
+          if (!settled) {
+            settled = true;
+            resolve(result);
+          }
+        };
+        const fail = (err) => {
+          if (!settled) {
+            settled = true;
+            reject(err);
+          }
+        };
+        res.on("error", (err) => fail(new Error(`Response error: ${err.message}`)));
+        res.on("end", () => {
+          settle({
+            statusCode: res.statusCode ?? 0,
+            body: Buffer.concat(chunks).toString("utf8"),
+            truncated
+          });
+        });
+        res.on("close", () => {
+          settle({
+            statusCode: res.statusCode ?? 0,
+            body: Buffer.concat(chunks).toString("utf8"),
+            truncated
+          });
+        });
+      }
+    );
+    req.on("error", (err) => reject(new Error(`Network error: ${err.message}`)));
+    req.on("timeout", () => {
+      req.destroy();
+      reject(new Error("Request timed out"));
+    });
+    if (body) req.write(body);
+    req.end();
+  });
+}
+// src/core/hooks.ts
+function getRegistryPath2() {
+  const dir = join4(homedir3(), ".config", "q-ring");
+  if (!existsSync4(dir)) {
+    mkdirSync3(dir, { recursive: true });
+  }
+  return join4(dir, "hooks.json");
+}
+function loadRegistry2() {
+  const path = getRegistryPath2();
+  if (!existsSync4(path)) {
+    return { hooks: [] };
+  }
+  try {
+    return JSON.parse(readFileSync4(path, "utf8"));
+  } catch {
+    return { hooks: [] };
+  }
+}
+function saveRegistry2(registry2) {
+  writeFileSync3(getRegistryPath2(), JSON.stringify(registry2, null, 2));
+}
+function registerHook(entry) {
+  const registry2 = loadRegistry2();
+  const hook = {
+    ...entry,
+    id: randomUUID().slice(0, 8),
+    createdAt: (/* @__PURE__ */ new Date()).toISOString()
+  };
+  registry2.hooks.push(hook);
+  saveRegistry2(registry2);
+  return hook;
+}
+function removeHook(id) {
+  const registry2 = loadRegistry2();
+  const before = registry2.hooks.length;
+  registry2.hooks = registry2.hooks.filter((h) => h.id !== id);
+  if (registry2.hooks.length < before) {
+    saveRegistry2(registry2);
+    return true;
+  }
+  return false;
+}
+function listHooks() {
+  return loadRegistry2().hooks;
+}
+function enableHook(id) {
+  const registry2 = loadRegistry2();
+  const hook = registry2.hooks.find((h) => h.id === id);
+  if (!hook) return false;
+  hook.enabled = true;
+  saveRegistry2(registry2);
+  return true;
+}
+function disableHook(id) {
+  const registry2 = loadRegistry2();
+  const hook = registry2.hooks.find((h) => h.id === id);
+  if (!hook) return false;
+  hook.enabled = false;
+  saveRegistry2(registry2);
+  return true;
+}
+function matchesHook(hook, payload, tags) {
+  if (!hook.enabled) return false;
+  const m = hook.match;
+  if (m.action?.length && !m.action.includes(payload.action)) return false;
+  if (m.key && m.key !== payload.key) return false;
+  if (m.keyPattern) {
+    const regex = new RegExp(
+      "^" + m.keyPattern.replace(/\*/g, ".*") + "$",
+      "i"
+    );
+    if (!regex.test(payload.key)) return false;
+  }
+  if (m.tag && (!tags || !tags.includes(m.tag))) return false;
+  if (m.scope && m.scope !== payload.scope) return false;
+  return true;
+}
+function executeShell(command, payload) {
+  return new Promise((resolve) => {
+    const env = {
+      ...process.env,
+      QRING_HOOK_KEY: payload.key,
+      QRING_HOOK_ACTION: payload.action,
+      QRING_HOOK_SCOPE: payload.scope
+    };
+    exec(command, { timeout: 3e4, env }, (err, stdout, stderr) => {
+      if (err) {
+        resolve({ hookId: "", success: false, message: `Shell error: ${err.message}` });
+      } else {
+        resolve({ hookId: "", success: true, message: stdout.trim() || "OK" });
+      }
+    });
+  });
+}
+function isPrivateIP(ip) {
+  const octet = "(?:25[0-5]|2[0-4]\\d|1?\\d{1,2})";
+  const ipv4Re = new RegExp(`^::ffff:(${octet}\\.${octet}\\.${octet}\\.${octet})$`, "i");
+  const ipv4Mapped = ip.match(ipv4Re);
+  if (ipv4Mapped) return isPrivateIP(ipv4Mapped[1]);
+  if (/^127\./.test(ip)) return true;
+  if (/^10\./.test(ip)) return true;
+  if (/^172\.(1[6-9]|2\d|3[01])\./.test(ip)) return true;
+  if (/^192\.168\./.test(ip)) return true;
+  if (/^169\.254\./.test(ip)) return true;
+  if (ip === "0.0.0.0") return true;
+  if (ip === "::1" || ip === "::") return true;
+  if (/^f[cd][0-9a-f]{2}:/i.test(ip)) return true;
+  if (/^fe80:/i.test(ip)) return true;
+  return false;
+}
+async function checkSSRF(url) {
+  if (process.env.Q_RING_ALLOW_PRIVATE_HOOKS === "1") return null;
+  try {
+    const parsed = new URL(url);
+    const hostname = parsed.hostname.replace(/^\[|\]$/g, "");
+    if (isPrivateIP(hostname)) {
+      return `Blocked: hook URL resolves to private address (${hostname}). Set Q_RING_ALLOW_PRIVATE_HOOKS=1 to override.`;
+    }
+    const results = await lookup(hostname, { all: true });
+    for (const { address } of results) {
+      if (isPrivateIP(address)) {
+        return `Blocked: hook URL "${hostname}" resolves to private address ${address}. Set Q_RING_ALLOW_PRIVATE_HOOKS=1 to override.`;
+      }
+    }
+  } catch {
+  }
+  return null;
+}
+async function executeHttp(url, payload) {
+  const ssrfBlock = await checkSSRF(url);
+  if (ssrfBlock) {
+    logAudit({
+      action: "policy_deny",
+      key: payload.key,
+      scope: payload.scope,
+      source: payload.source,
+      detail: `hook SSRF blocked: ${url}`
+    });
+    return { hookId: "", success: false, message: ssrfBlock };
+  }
+  try {
+    const body = JSON.stringify(payload);
+    const res = await httpRequest_({
+      url,
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "User-Agent": "q-ring-hooks/1.0"
+      },
+      body,
+      timeoutMs: 1e4
+    });
+    return {
+      hookId: "",
+      success: res.statusCode >= 200 && res.statusCode < 300,
+      message: `HTTP ${res.statusCode}`
+    };
+  } catch (err) {
+    return {
+      hookId: "",
+      success: false,
+      message: err instanceof Error ? err.message : "HTTP error"
+    };
+  }
+}
+function executeSignal(target, signal = "SIGHUP") {
+  return new Promise((resolve) => {
+    const pid = parseInt(target, 10);
+    if (!isNaN(pid)) {
+      try {
+        process.kill(pid, signal);
+        resolve({ hookId: "", success: true, message: `Signal ${signal} sent to PID ${pid}` });
+      } catch (err) {
+        resolve({ hookId: "", success: false, message: `Signal error: ${err instanceof Error ? err.message : String(err)}` });
+      }
+      return;
+    }
+    exec(`pgrep -f "${target}"`, { timeout: 5e3 }, (err, stdout) => {
+      if (err || !stdout.trim()) {
+        resolve({ hookId: "", success: false, message: `Process "${target}" not found` });
+        return;
+      }
+      const pids = stdout.trim().split("\n").map((p) => parseInt(p.trim(), 10)).filter((p) => !isNaN(p));
+      let sent = 0;
+      for (const p of pids) {
+        try {
+          process.kill(p, signal);
+          sent++;
+        } catch {
+        }
+      }
+      resolve({ hookId: "", success: sent > 0, message: `Signal ${signal} sent to ${sent} process(es)` });
+    });
+  });
+}
+async function executeHook(hook, payload) {
+  let result;
+  switch (hook.type) {
+    case "shell":
+      result = hook.command ? await executeShell(hook.command, payload) : { hookId: hook.id, success: false, message: "No command specified" };
+      break;
+    case "http":
+      result = hook.url ? await executeHttp(hook.url, payload) : { hookId: hook.id, success: false, message: "No URL specified" };
+      break;
+    case "signal":
+      result = hook.signal ? await executeSignal(hook.signal.target, hook.signal.signal) : { hookId: hook.id, success: false, message: "No signal target specified" };
+      break;
+    default:
+      result = { hookId: hook.id, success: false, message: `Unknown hook type: ${hook.type}` };
+  }
+  result.hookId = hook.id;
+  return result;
+}
+async function fireHooks(payload, tags) {
+  const hooks = listHooks();
+  const matching = hooks.filter((h) => matchesHook(h, payload, tags));
+  if (matching.length === 0) return [];
+  const results = await Promise.allSettled(
+    matching.map((h) => executeHook(h, payload))
+  );
+  const hookResults = [];
+  for (const r of results) {
+    if (r.status === "fulfilled") {
+      hookResults.push(r.value);
+    } else {
+      hookResults.push({
+        hookId: "unknown",
+        success: false,
+        message: r.reason?.message ?? "Hook execution failed"
+      });
+    }
+  }
+  for (const r of hookResults) {
+    try {
+      logAudit({
+        action: "write",
+        key: payload.key,
+        scope: payload.scope,
+        source: payload.source,
+        detail: `hook:${r.hookId} ${r.success ? "ok" : "fail"} \u2014 ${r.message}`
+      });
+    } catch {
+    }
+  }
+  return hookResults;
+}
+// src/core/approval.ts
+import { existsSync as existsSync5, readFileSync as readFileSync5, writeFileSync as writeFileSync4, mkdirSync as mkdirSync4 } from "fs";
+import { join as join5 } from "path";
+import { homedir as homedir4 } from "os";
+import { createHmac, randomBytes } from "crypto";
+function getHmacSecret() {
+  const secretPath = join5(homedir4(), ".config", "q-ring", ".approval-key");
+  const dir = join5(homedir4(), ".config", "q-ring");
+  if (!existsSync5(dir)) mkdirSync4(dir, { recursive: true });
+  if (existsSync5(secretPath)) {
+    return readFileSync5(secretPath, "utf8").trim();
+  }
+  const secret = randomBytes(32).toString("hex");
+  writeFileSync4(secretPath, secret, { mode: 384 });
+  return secret;
+}
+function computeHmac(entry) {
+  const payload = `${entry.id}|${entry.key}|${entry.scope}|${entry.reason}|${entry.grantedBy}|${entry.grantedAt}|${entry.expiresAt}`;
+  return createHmac("sha256", getHmacSecret()).update(payload).digest("hex");
+}
+function verifyHmac(entry) {
+  const expected = computeHmac(entry);
+  return expected === entry.hmac;
+}
+function getRegistryPath3() {
+  const dir = join5(homedir4(), ".config", "q-ring");
+  if (!existsSync5(dir)) {
+    mkdirSync4(dir, { recursive: true });
+  }
+  return join5(dir, "approvals.json");
+}
+function loadRegistry3() {
+  const path = getRegistryPath3();
+  if (!existsSync5(path)) {
+    return { approvals: [] };
+  }
+  try {
+    return JSON.parse(readFileSync5(path, "utf8"));
+  } catch {
+    return { approvals: [] };
+  }
+}
+function saveRegistry3(registry2) {
+  writeFileSync4(getRegistryPath3(), JSON.stringify(registry2, null, 2), { mode: 384 });
+}
+function cleanup(registry2) {
+  const now = Date.now();
+  registry2.approvals = registry2.approvals.filter(
+    (a) => new Date(a.expiresAt).getTime() > now
+  );
+}
+function grantApproval(key, scope, ttlSeconds = 3600, grantOpts = {}) {
+  const registry2 = loadRegistry3();
+  cleanup(registry2);
+  const id = randomBytes(8).toString("hex");
+  const grantedAt = (/* @__PURE__ */ new Date()).toISOString();
+  const expiresAt = new Date(Date.now() + ttlSeconds * 1e3).toISOString();
+  const partial = {
+    id,
+    key,
+    scope,
+    reason: grantOpts.reason ?? "no reason provided",
+    grantedBy: grantOpts.grantedBy ?? "cli-user",
+    grantedAt,
+    expiresAt,
+    workspace: grantOpts.workspace,
+    sessionId: grantOpts.sessionId
+  };
+  const entry = { ...partial, hmac: computeHmac(partial) };
+  const existingIdx = registry2.approvals.findIndex(
+    (a) => a.key === key && a.scope === scope
+  );
+  if (existingIdx >= 0) {
+    registry2.approvals[existingIdx] = entry;
+  } else {
+    registry2.approvals.push(entry);
+  }
+  saveRegistry3(registry2);
+  return entry;
+}
+function revokeApproval(key, scope) {
+  const registry2 = loadRegistry3();
+  const before = registry2.approvals.length;
+  registry2.approvals = registry2.approvals.filter(
+    (a) => !(a.key === key && a.scope === scope)
+  );
+  saveRegistry3(registry2);
+  return registry2.approvals.length < before;
+}
+function hasApproval(key, scope) {
+  const registry2 = loadRegistry3();
+  const entry = registry2.approvals.find(
+    (a) => a.key === key && a.scope === scope
+  );
+  if (!entry) return false;
+  if (new Date(entry.expiresAt).getTime() < Date.now()) return false;
+  if (!verifyHmac(entry)) return false;
+  return true;
+}
+function listApprovals() {
+  const registry2 = loadRegistry3();
+  const now = Date.now();
+  return registry2.approvals.map((a) => ({
+    ...a,
+    valid: new Date(a.expiresAt).getTime() > now,
+    tampered: !verifyHmac(a)
+  }));
+}
+// src/core/provision.ts
+import { execFileSync, spawnSync } from "child_process";
+var ProvisionRegistry = class {
+  providers = /* @__PURE__ */ new Map();
+  register(provider) {
+    this.providers.set(provider.name, provider);
+  }
+  get(name) {
+    return this.providers.get(name);
+  }
+  listProviders() {
+    return [...this.providers.values()];
+  }
+};
+var awsStsProvider = {
+  name: "aws-sts",
+  description: "AWS STS AssumeRole (requires existing local AWS CLI credentials)",
+  provision(configRaw) {
+    let config;
+    try {
+      config = JSON.parse(configRaw);
+    } catch {
+      throw new Error('aws-sts requires valid JSON config (e.g. {"roleArn":"arn:aws:..."})');
+    }
+    const roleArn = config.roleArn;
+    const sessionName = config.sessionName || "q-ring-agent";
+    const duration = config.durationSeconds || 3600;
+    if (!roleArn) throw new Error("aws-sts requires roleArn in config");
+    try {
+      const output = execFileSync("aws", [
+        "sts",
+        "assume-role",
+        "--role-arn",
+        roleArn,
+        "--role-session-name",
+        sessionName,
+        "--duration-seconds",
+        String(duration),
+        "--output",
+        "json"
+      ], { encoding: "utf8" });
+      const parsed = JSON.parse(output);
+      const creds = parsed.Credentials;
+      const value = JSON.stringify({
+        AWS_ACCESS_KEY_ID: creds.AccessKeyId,
+        AWS_SECRET_ACCESS_KEY: creds.SecretAccessKey,
+        AWS_SESSION_TOKEN: creds.SessionToken
+      });
+      return {
+        value,
+        expiresAt: creds.Expiration
+      };
+    } catch (err) {
+      throw new Error(`AWS STS provision failed: ${err instanceof Error ? err.message : String(err)}`);
+    }
+  }
+};
+var httpProvider = {
+  name: "http",
+  description: "Generic HTTP token endpoint using Node.js http/https",
+  provision(configRaw) {
+    let config;
+    try {
+      config = JSON.parse(configRaw);
+    } catch {
+      throw new Error("http provider requires valid JSON config");
+    }
+    const url = config.url;
+    const method = config.method || "POST";
+    const valuePath = config.valuePath || "token";
+    const expiresInSeconds = config.expiresInSeconds || 3600;
+    if (!url) throw new Error("http provider requires url in config");
+    const headers = {
+      "User-Agent": "q-ring-jit/1.0",
+      ...config.headers ?? {}
+    };
+    let bodyStr;
+    if (config.body) {
+      headers["Content-Type"] = "application/json";
+      bodyStr = JSON.stringify(config.body);
+    }
+    const scriptConfig = JSON.stringify({ url, method, headers, bodyStr });
+    const script = `
+const cfg = JSON.parse(process.env.__QRING_HTTP_CFG);
+const parsedUrl = new URL(cfg.url);
+const http = require(parsedUrl.protocol === "https:" ? "node:https" : "node:http");
+const req = http.request(cfg.url, { method: cfg.method, headers: cfg.headers, timeout: 30000 }, (res) => {
+  let body = "";
+  res.on("data", (chunk) => body += chunk);
+  res.on("end", () => process.stdout.write(body));
+});
+req.on("error", (e) => { process.stderr.write(e.message); process.exit(1); });
+if (cfg.bodyStr) req.write(cfg.bodyStr);
+req.end();
+`;
+    try {
+      const result = spawnSync("node", ["-e", script], {
+        encoding: "utf8",
+        timeout: 35e3,
+        env: { ...process.env, __QRING_HTTP_CFG: scriptConfig }
+      });
+      if (result.status !== 0) {
+        throw new Error(result.stderr || "HTTP request failed");
+      }
+      const parsed = JSON.parse(result.stdout);
+      let val = parsed;
+      for (const key of valuePath.split(".")) {
+        val = val[key];
+      }
+      return {
+        value: String(val),
+        expiresAt: new Date(Date.now() + expiresInSeconds * 1e3).toISOString()
+      };
+    } catch (err) {
+      throw new Error(`HTTP provision failed: ${err instanceof Error ? err.message : String(err)}`);
+    }
+  }
+};
+var registry = new ProvisionRegistry();
+registry.register(awsStsProvider);
+registry.register(httpProvider);
+// src/core/policy.ts
+var cachedPolicy = null;
+function loadPolicy(projectPath) {
+  const pp = projectPath ?? process.cwd();
+  if (cachedPolicy && cachedPolicy.path === pp) {
+    return cachedPolicy.policy;
+  }
+  const config = readProjectConfig(pp);
+  const policy = config?.policy ?? {};
+  cachedPolicy = { path: pp, policy };
+  return policy;
+}
+function checkKeyReadPolicy(key, tags, projectPath) {
+  const policy = loadPolicy(projectPath);
+  if (!policy.mcp) return { allowed: true, policySource: "no-policy" };
+  if (policy.mcp.deniedKeys?.includes(key)) {
+    return {
+      allowed: false,
+      reason: `Key "${key}" is denied by project policy`,
+      policySource: ".q-ring.json policy.mcp.deniedKeys"
+    };
+  }
+  if (policy.mcp.readableKeys && !policy.mcp.readableKeys.includes(key)) {
+    return {
+      allowed: false,
+      reason: `Key "${key}" is not in the readable keys allowlist`,
+      policySource: ".q-ring.json policy.mcp.readableKeys"
+    };
+  }
+  if (tags && policy.mcp.deniedTags) {
+    const blocked = tags.find((t) => policy.mcp.deniedTags.includes(t));
+    if (blocked) {
+      return {
+        allowed: false,
+        reason: `Tag "${blocked}" is denied by project policy`,
+        policySource: ".q-ring.json policy.mcp.deniedTags"
+      };
+    }
+  }
+  return { allowed: true, policySource: ".q-ring.json" };
+}
+function checkExecPolicy(command, projectPath) {
+  const policy = loadPolicy(projectPath);
+  if (!policy.exec) return { allowed: true, policySource: "no-policy" };
+  if (policy.exec.denyCommands) {
+    const denied = policy.exec.denyCommands.find((d) => command.includes(d));
+    if (denied) {
+      return {
+        allowed: false,
+        reason: `Command containing "${denied}" is denied by project policy`,
+        policySource: ".q-ring.json policy.exec.denyCommands"
+      };
+    }
+  }
+  if (policy.exec.allowCommands) {
+    const allowed = policy.exec.allowCommands.some((a) => command.startsWith(a));
+    if (!allowed) {
+      return {
+        allowed: false,
+        reason: `Command "${command}" is not in the exec allowlist`,
+        policySource: ".q-ring.json policy.exec.allowCommands"
+      };
+    }
+  }
+  return { allowed: true, policySource: ".q-ring.json" };
+}
+function getExecMaxRuntime(projectPath) {
+  return loadPolicy(projectPath).exec?.maxRuntimeSeconds;
+}
+function getPolicySummary(projectPath) {
+  const policy = loadPolicy(projectPath);
+  return {
+    hasMcpPolicy: !!policy.mcp,
+    hasExecPolicy: !!policy.exec,
+    hasSecretPolicy: !!policy.secrets,
+    details: policy
+  };
+}
+// src/core/keyring.ts
+function readEnvelope(service, key) {
+  const entry = new Entry(service, key);
+  const raw = entry.getPassword();
+  if (raw === null) return null;
+  const envelope = parseEnvelope(raw);
+  return envelope ?? wrapLegacy(raw);
+}
+function writeEnvelope(service, key, envelope) {
+  const entry = new Entry(service, key);
+  entry.setPassword(serializeEnvelope(envelope));
+}
+function resolveEnv(opts) {
+  if (opts.env) return opts.env;
+  const result = collapseEnvironment({ projectPath: opts.projectPath });
+  return result?.env;
+}
+function resolveTemplates(value, opts, seen) {
+  if (!value.includes("{{") || !value.includes("}}")) return value;
+  return value.replace(/\{\{([^}]+)\}\}/g, (match, refKeyRaw) => {
+    const refKey = refKeyRaw.trim();
+    const refValue = getSecret(refKey, { ...opts, _seen: seen });
+    if (refValue === null) {
+      throw new Error(`Template resolution failed: referenced secret "${refKey}" not found`);
+    }
+    return refValue;
+  });
+}
+function resolveTemplatesOffline(value, rawValues, seen) {
+  if (!value.includes("{{") || !value.includes("}}")) return value;
+  return value.replace(/\{\{([^}]+)\}\}/g, (match, refKeyRaw) => {
+    const refKey = refKeyRaw.trim();
+    if (seen.has(refKey)) {
+      throw new Error(`Circular dependency detected: ${[...seen].join(" -> ")} -> ${refKey}`);
+    }
+    const rawRef = rawValues.get(refKey);
+    if (rawRef === void 0) {
+      throw new Error(`Template resolution failed: referenced secret "${refKey}" not found`);
+    }
+    const nextSeen = new Set(seen);
+    nextSeen.add(refKey);
+    return resolveTemplatesOffline(rawRef, rawValues, nextSeen);
+  });
+}
+function getSecret(key, opts = {}) {
+  const scopes = resolveScope(opts);
+  const env = resolveEnv(opts);
+  const source = opts.source ?? "cli";
+  const seen = opts._seen ?? /* @__PURE__ */ new Set();
+  if (source === "mcp") {
+    const policyDecision = checkKeyReadPolicy(key, void 0, opts.projectPath);
+    if (!policyDecision.allowed) {
+      throw new Error(`Policy Denied: ${policyDecision.reason}`);
+    }
+  }
+  if (seen.has(key)) {
+    throw new Error(`Circular dependency detected: ${[...seen].join(" -> ")} -> ${key}`);
+  }
+  const nextSeen = new Set(seen);
+  nextSeen.add(key);
+  for (const { service, scope } of scopes) {
+    const envelope = readEnvelope(service, key);
+    if (!envelope) continue;
+    const decay = checkDecay(envelope);
+    if (decay.isExpired) {
+      if (!opts.silent) {
+        logAudit({
+          action: "read",
+          key,
+          scope,
+          source,
+          detail: "blocked: secret expired (quantum decay)"
+        });
+      }
+      continue;
+    }
+    if (envelope.meta.requiresApproval && source === "mcp") {
+      if (!hasApproval(key, scope)) {
+        if (!opts.silent) {
+          logAudit({
+            action: "read",
+            key,
+            scope,
+            source,
+            detail: "blocked: requires user approval"
+          });
+        }
+        throw new Error(`Access Denied: This secret requires user approval. Please ask the user to run 'qring approve ${key}'`);
+      }
+    }
+    let value = collapseValue(envelope, env);
+    if (value === null) continue;
+    if (envelope.meta.jitProvider) {
+      const provider = registry.get(envelope.meta.jitProvider);
+      if (provider) {
+        let isExpired = true;
+        if (envelope.states && envelope.states["jit"] && envelope.meta.jitExpiresAt) {
+          isExpired = new Date(envelope.meta.jitExpiresAt).getTime() <= Date.now();
+        }
+        if (isExpired) {
+          const result = provider.provision(value);
+          envelope.states = envelope.states ?? {};
+          envelope.states["jit"] = result.value;
+          envelope.meta.jitExpiresAt = result.expiresAt;
+          writeEnvelope(service, key, envelope);
+        }
+        value = envelope.states["jit"];
+      }
+    }
+    value = resolveTemplates(value, { ...opts, _seen: nextSeen }, nextSeen);
+    if (!opts.silent) {
+      const updated = recordAccess(envelope);
+      writeEnvelope(service, key, updated);
+      logAudit({ action: "read", key, scope, env, source });
+    }
+    return value;
+  }
+  return null;
+}
+function getEnvelope(key, opts = {}) {
+  const scopes = resolveScope(opts);
+  for (const { service, scope } of scopes) {
+    const envelope = readEnvelope(service, key);
+    if (envelope) return { envelope, scope };
+  }
+  return null;
+}
+function setSecret(key, value, opts = {}) {
+  const scope = opts.scope ?? "global";
+  const scopes = resolveScope({ ...opts, scope });
+  const { service } = scopes[0];
+  const source = opts.source ?? "cli";
+  const existing = readEnvelope(service, key);
+  let envelope;
+  const rotFmt = opts.rotationFormat ?? existing?.meta.rotationFormat;
+  const rotPfx = opts.rotationPrefix ?? existing?.meta.rotationPrefix;
+  const prov = opts.provider ?? existing?.meta.provider;
+  const reqApp = opts.requiresApproval ?? existing?.meta.requiresApproval;
+  const jitProv = opts.jitProvider ?? existing?.meta.jitProvider;
+  if (opts.states) {
+    envelope = createEnvelope("", {
+      states: opts.states,
+      defaultEnv: opts.defaultEnv,
+      description: opts.description,
+      tags: opts.tags,
+      ttlSeconds: opts.ttlSeconds,
+      expiresAt: opts.expiresAt,
+      entangled: existing?.meta.entangled,
+      rotationFormat: rotFmt,
+      rotationPrefix: rotPfx,
+      provider: prov,
+      requiresApproval: reqApp,
+      jitProvider: jitProv
+    });
+  } else {
+    envelope = createEnvelope(value, {
+      description: opts.description,
+      tags: opts.tags,
+      ttlSeconds: opts.ttlSeconds,
+      expiresAt: opts.expiresAt,
+      entangled: existing?.meta.entangled,
+      rotationFormat: rotFmt,
+      rotationPrefix: rotPfx,
+      provider: prov,
+      requiresApproval: reqApp,
+      jitProvider: jitProv
+    });
+  }
+  if (existing) {
+    envelope.meta.createdAt = existing.meta.createdAt;
+    envelope.meta.accessCount = existing.meta.accessCount;
+  }
+  writeEnvelope(service, key, envelope);
+  logAudit({ action: "write", key, scope, source });
+  const entangled = findEntangled({ service, key });
+  for (const target of entangled) {
+    try {
+      const targetEnvelope = readEnvelope(target.service, target.key);
+      if (targetEnvelope) {
+        if (opts.states) {
+          targetEnvelope.states = opts.states;
+        } else {
+          targetEnvelope.value = value;
+        }
+        targetEnvelope.meta.updatedAt = (/* @__PURE__ */ new Date()).toISOString();
+        writeEnvelope(target.service, target.key, targetEnvelope);
+        logAudit({
+          action: "entangle",
+          key: target.key,
+          scope: "global",
+          source,
+          detail: `propagated from ${key}`
+        });
+      }
+    } catch {
+    }
+  }
+  fireHooks({
+    action: "write",
+    key,
+    scope,
+    timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+    source
+  }, envelope.meta.tags).catch(() => {
+  });
+}
+function deleteSecret(key, opts = {}) {
+  const scopes = resolveScope(opts);
+  const source = opts.source ?? "cli";
+  let deleted = false;
+  for (const { service, scope } of scopes) {
+    const entry = new Entry(service, key);
+    try {
+      if (entry.deleteCredential()) {
+        deleted = true;
+        logAudit({ action: "delete", key, scope, source });
+        fireHooks({
+          action: "delete",
+          key,
+          scope,
+          timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+          source
+        }).catch(() => {
+        });
+      }
+    } catch {
+    }
+  }
+  return deleted;
+}
+function hasSecret(key, opts = {}) {
+  const scopes = resolveScope(opts);
+  for (const { service } of scopes) {
+    const envelope = readEnvelope(service, key);
+    if (envelope) {
+      const decay = checkDecay(envelope);
+      if (!decay.isExpired) return true;
+    }
+  }
+  return false;
+}
+function listSecrets(opts = {}) {
+  const source = opts.source ?? "cli";
+  const services = [];
+  if (!opts.scope || opts.scope === "global") {
+    services.push({ service: globalService(), scope: "global" });
+  }
+  if ((!opts.scope || opts.scope === "project") && opts.projectPath) {
+    services.push({
+      service: projectService(opts.projectPath),
+      scope: "project"
+    });
+  }
+  if ((!opts.scope || opts.scope === "team") && opts.teamId) {
+    services.push({ service: teamService(opts.teamId), scope: "team" });
+  }
+  if ((!opts.scope || opts.scope === "org") && opts.orgId) {
+    services.push({ service: orgService(opts.orgId), scope: "org" });
+  }
+  const results = [];
+  const seen = /* @__PURE__ */ new Set();
+  for (const { service, scope } of services) {
+    try {
+      const credentials = findCredentials(service);
+      for (const cred of credentials) {
+        const id = `${scope}:${cred.account}`;
+        if (seen.has(id)) continue;
+        seen.add(id);
+        const envelope = parseEnvelope(cred.password) ?? wrapLegacy(cred.password);
+        const decay = checkDecay(envelope);
+        results.push({
+          key: cred.account,
+          scope,
+          envelope,
+          decay
+        });
+      }
+    } catch {
+    }
+  }
+  if (!opts.silent) {
+    logAudit({ action: "list", source });
+  }
+  return results.sort((a, b) => a.key.localeCompare(b.key));
+}
+function exportSecrets(opts = {}) {
+  const format = opts.format ?? "env";
+  const env = resolveEnv(opts);
+  let entries = listSecrets(opts);
+  const source = opts.source ?? "cli";
+  if (opts.keys?.length) {
+    const keySet = new Set(opts.keys);
+    entries = entries.filter((e) => keySet.has(e.key));
+  }
+  if (opts.tags?.length) {
+    entries = entries.filter(
+      (e) => opts.tags.some((t) => e.envelope?.meta.tags?.includes(t))
+    );
+  }
+  const rawValues = /* @__PURE__ */ new Map();
+  const globalEntries = entries.filter((e) => e.scope === "global");
+  const orgEntries = entries.filter((e) => e.scope === "org");
+  const teamEntries = entries.filter((e) => e.scope === "team");
+  const projectEntries = entries.filter((e) => e.scope === "project");
+  for (const entry of [...globalEntries, ...orgEntries, ...teamEntries, ...projectEntries]) {
+    if (entry.envelope) {
+      const decay = checkDecay(entry.envelope);
+      if (decay.isExpired) continue;
+      const value = collapseValue(entry.envelope, env);
+      if (value !== null) {
+        rawValues.set(entry.key, value);
+      }
+    }
+  }
+  const merged = /* @__PURE__ */ new Map();
+  for (const [key, value] of rawValues) {
+    try {
+      const resolved = resolveTemplatesOffline(value, rawValues, /* @__PURE__ */ new Set([key]));
+      merged.set(key, resolved);
+    } catch (err) {
+      console.warn(`Warning: skipped exporting ${key} due to template error: ${err instanceof Error ? err.message : String(err)}`);
+    }
+  }
+  logAudit({ action: "export", source, detail: `format=${format}` });
+  if (format === "json") {
+    const obj = {};
+    for (const [key, value] of merged) {
+      obj[key] = value;
+    }
+    return JSON.stringify(obj, null, 2);
+  }
+  const lines = [];
+  for (const [key, value] of merged) {
+    const escaped = value.replace(/\\/g, "\\\\").replace(/"/g, '\\"').replace(/\n/g, "\\n");
+    lines.push(`${key}="${escaped}"`);
+  }
+  return lines.join("\n");
+}
+function entangleSecrets(sourceKey, sourceOpts, targetKey, targetOpts) {
+  const sourceScopes = resolveScope({ ...sourceOpts, scope: sourceOpts.scope ?? "global" });
+  const targetScopes = resolveScope({ ...targetOpts, scope: targetOpts.scope ?? "global" });
+  const source = { service: sourceScopes[0].service, key: sourceKey };
+  const target = { service: targetScopes[0].service, key: targetKey };
+  entangle(source, target);
+  logAudit({
+    action: "entangle",
+    key: sourceKey,
+    source: sourceOpts.source ?? "cli",
+    detail: `entangled with ${targetKey}`
+  });
+}
+function disentangleSecrets(sourceKey, sourceOpts, targetKey, targetOpts) {
+  const sourceScopes = resolveScope({ ...sourceOpts, scope: sourceOpts.scope ?? "global" });
+  const targetScopes = resolveScope({ ...targetOpts, scope: targetOpts.scope ?? "global" });
+  const source = { service: sourceScopes[0].service, key: sourceKey };
+  const target = { service: targetScopes[0].service, key: targetKey };
+  disentangle(source, target);
+  logAudit({
+    action: "entangle",
+    key: sourceKey,
+    source: sourceOpts.source ?? "cli",
+    detail: `disentangled from ${targetKey}`
+  });
+}
+// src/core/tunnel.ts
+var tunnelStore = /* @__PURE__ */ new Map();
+var cleanupInterval = null;
+function ensureCleanup() {
+  if (cleanupInterval) return;
+  cleanupInterval = setInterval(() => {
+    const now = Date.now();
+    for (const [id, entry] of tunnelStore) {
+      if (entry.expiresAt && now >= entry.expiresAt) {
+        tunnelStore.delete(id);
+      }
+    }
+    if (tunnelStore.size === 0 && cleanupInterval) {
+      clearInterval(cleanupInterval);
+      cleanupInterval = null;
+    }
+  }, 5e3);
+  if (cleanupInterval && typeof cleanupInterval === "object" && "unref" in cleanupInterval) {
+    cleanupInterval.unref();
+  }
+}
+function tunnelCreate(value, opts = {}) {
+  const id = `tun_${Date.now().toString(36)}_${Math.random().toString(36).slice(2, 8)}`;
+  const now = Date.now();
+  tunnelStore.set(id, {
+    value,
+    createdAt: now,
+    expiresAt: opts.ttlSeconds ? now + opts.ttlSeconds * 1e3 : void 0,
+    accessCount: 0,
+    maxReads: opts.maxReads
+  });
+  ensureCleanup();
+  return id;
+}
+function tunnelRead(id) {
+  const entry = tunnelStore.get(id);
+  if (!entry) return null;
+  if (entry.expiresAt && Date.now() >= entry.expiresAt) {
+    tunnelStore.delete(id);
+    return null;
+  }
+  entry.accessCount++;
+  if (entry.maxReads && entry.accessCount >= entry.maxReads) {
+    const value = entry.value;
+    tunnelStore.delete(id);
+    return value;
+  }
+  return entry.value;
+}
+function tunnelDestroy(id) {
+  return tunnelStore.delete(id);
+}
+function tunnelList() {
+  const now = Date.now();
+  const result = [];
+  for (const [id, entry] of tunnelStore) {
+    if (entry.expiresAt && now >= entry.expiresAt) {
+      tunnelStore.delete(id);
+      continue;
+    }
+    result.push({
+      id,
+      createdAt: entry.createdAt,
+      expiresAt: entry.expiresAt,
+      accessCount: entry.accessCount,
+      maxReads: entry.maxReads
+    });
+  }
+  return result;
+}
+export {
+  checkDecay,
+  readProjectConfig,
+  collapseEnvironment,
+  logAudit,
+  queryAudit,
+  verifyAuditChain,
+  exportAudit,
+  detectAnomalies,
+  listEntanglements,
+  httpRequest_,
+  registerHook,
+  removeHook,
+  listHooks,
+  enableHook,
+  disableHook,
+  fireHooks,
+  grantApproval,
+  revokeApproval,
+  listApprovals,
+  registry,
+  checkExecPolicy,
+  getExecMaxRuntime,
+  getPolicySummary,
+  getSecret,
+  getEnvelope,
+  setSecret,
+  deleteSecret,
+  hasSecret,
+  listSecrets,
+  exportSecrets,
+  entangleSecrets,
+  disentangleSecrets,
+  tunnelCreate,
+  tunnelRead,
+  tunnelDestroy,
+  tunnelList
+};
+//# sourceMappingURL=chunk-WG4ZKN7Q.js.map