@id-wispera/core 0.1.0

package/README.md

@@ -0,0 +1,268 @@
+# @id-wispera/core
+
+Core governance engine for ID Wispera - the Identity Whisperer for AI Agents.
+
+## Installation
+
+```bash
+npm install @id-wispera/core
+```
+
+## Features
+
+- **Type Definitions**: Complete TypeScript types for passports, visas, and policies
+- **Encrypted Vault**: AES-256-GCM encrypted local storage with Argon2id key derivation
+- **Passport Management**: CRUD operations for credential passports
+- **Credential Detection**: Regex + heuristic patterns for detecting exposed credentials
+- **Audit Trail**: Append-only audit log for compliance
+- **Policy Engine**: Cedar-inspired declarative policy evaluation
+- **Secure Sharing**: Zero-knowledge credential sharing
+
+## Quick Start
+
+```typescript
+import { initVault, createPassport, detectCredentials } from '@id-wispera/core';
+
+// Initialize encrypted vault
+const vault = await initVault('your-master-passphrase');
+
+// Create a passport for a credential
+const passport = await createPassport(vault, {
+  name: 'OpenAI Production',
+  credentialType: 'api-key',
+  credentialValue: 'sk-...',
+  visaType: 'access',
+  platforms: ['openai'],
+  scope: ['chat', 'completions'],
+  humanOwner: 'alice@company.com',
+});
+
+// Detect exposed credentials in text
+const results = detectCredentials(`
+  API_KEY=sk-proj-abc123...
+  AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+`);
+// Returns array of detected credentials with type and position
+```
+
+## API Reference
+
+### Auth
+
+The auth module provides the zero-plaintext credential architecture. No credential material is ever exposed in environment variables, CLI arguments, or logs.
+
+```typescript
+import {
+  PassphraseProvider,
+  SessionTokenManager,
+  KeychainProvider,
+} from '@id-wispera/core/auth';
+
+// PassphraseProvider — interactive login, derives vault key from passphrase
+const pp = new PassphraseProvider();
+const vaultKey = await pp.deriveKey(passphrase);
+
+// KeychainProvider — caches derived key in the OS keychain (macOS Keychain, libsecret, Windows Credential Manager)
+const kc = new KeychainProvider();
+await kc.store(vaultKey);
+const cached = await kc.retrieve();
+
+// SessionTokenManager — create, validate, and revoke scoped session tokens for headless/CI use
+const stm = new SessionTokenManager(vault);
+const token = await stm.create({ name: 'ci-deploy', scope: ['read', 'list'], ttl: '24h' });
+const session = await stm.validate(token);
+await stm.revoke(token.id);
+const tokens = await stm.list();
+```
+
+| Export | Purpose |
+|--------|---------|
+| `PassphraseProvider` | Derive vault key from passphrase (interactive login) |
+| `SessionTokenManager` | Create / validate / revoke / list scoped session tokens |
+| `KeychainProvider` | Cache vault key in the OS keychain for session persistence |
+
+### Vault
+
+```typescript
+import { initVault, unlockVault, lockVault } from '@id-wispera/core/vault';
+
+// Initialize a new vault
+const vault = await initVault(passphrase, storagePath?);
+
+// Unlock existing vault
+const vault = await unlockVault(passphrase);
+
+// Lock vault (clears keys from memory)
+lockVault(vault);
+```
+
+### Passport Management
+
+```typescript
+import { createPassport, getPassport, listPassports, revokePassport } from '@id-wispera/core/passport';
+
+// Create passport
+const passport = await createPassport(vault, input);
+
+// Get by ID
+const passport = await getPassport(vault, id);
+
+// List with filters
+const passports = await listPassports(vault, { status: 'active', platform: 'openai' });
+
+// Revoke
+const revoked = await revokePassport(vault, id, 'Security concern', 'admin@company.com');
+```
+
+### Credential Detection
+
+```typescript
+import { detectCredentials, classifyCredential } from '@id-wispera/core/detection';
+
+// Detect credentials in text
+const results = detectCredentials(text);
+// Returns: { type, value, position, confidence }[]
+
+// Classify a known credential
+const type = classifyCredential('sk-proj-abc123...');
+// Returns: 'api-key'
+```
+
+### Policy Engine
+
+```typescript
+import { evaluatePolicy, validatePassport } from '@id-wispera/core/policy';
+
+const rules = [
+  {
+    id: 'max-validity',
+    name: 'Maximum Validity Period',
+    condition: { maxValidityDays: 90 },
+    effect: 'deny',
+  },
+];
+
+// Evaluate a specific action
+const decision = evaluatePolicy(passport, 'access', rules);
+
+// Validate passport against all rules
+const violations = validatePassport(passport, rules);
+```
+
+### Audit Trail
+
+```typescript
+import { logAction, getAuditLog } from '@id-wispera/core/audit';
+
+// Log an action
+await logAction(vault, {
+  passportId: passport.id,
+  action: 'accessed',
+  actor: 'claude-agent',
+  platform: 'mcp',
+});
+
+// Get audit log
+const entries = await getAuditLog(vault, passportId?, filters?);
+```
+
+### Secure Sharing
+
+```typescript
+import { createShareLink, resolveShareLink } from '@id-wispera/core/sharing';
+
+// Create encrypted share payload
+const { payload, key } = createShareLink(passport, {
+  scope: 'read-only',
+  expiresAt: '2024-12-31',
+  maxViews: 1,
+});
+
+// Resolve (decrypt) shared passport
+const passport = resolveShareLink(payload, key);
+```
+
+### Credential Provisioning
+
+Programmatically create API keys at vendor APIs and wrap them as governed passports.
+
+```typescript
+import { provisionAndCreatePassport, listProviders } from '@id-wispera/core/provisioning';
+
+// List all 8 supported providers
+const providers = listProviders();
+// → openai, aws, google-cloud, azure-entra, github, twilio, sendgrid, anthropic
+
+// Provision and govern in one step
+const { credential, passport } = await provisionAndCreatePassport(vault, {
+  provider: 'openai',
+  name: 'Agent Key',
+  humanOwner: 'alice@company.com',
+  config: { provider: 'openai', organizationId: 'org-xxx', projectId: 'proj-xxx', keyType: 'service-account' },
+}, { type: 'api-key', key: 'sk-admin-...' });
+```
+
+#### AdminPassport
+
+`AdminPassport` is a special passport type used to authenticate provisioning operations. Instead of passing raw admin credentials, wrap them in an `AdminPassport` for audit-trail coverage and policy enforcement:
+
+```typescript
+import { AdminPassport } from '@id-wispera/core/provisioning';
+
+// Create an admin passport for provider operations
+const adminPassport = new AdminPassport(vault, {
+  provider: 'openai',
+  credentialName: 'openai-admin-key',
+});
+
+// Use it for provisioning — the admin credential is never exposed as plaintext
+const { credential, passport } = await provisionAndCreatePassport(vault, request, adminPassport);
+```
+
+| Provider | Create | Rotate | Revoke | List | Scoped | Expiry |
+|---|---|---|---|---|---|---|
+| OpenAI | Yes | Yes | Yes | Yes | Yes | No |
+| AWS | Yes | Yes | Yes | Yes | Yes | Yes |
+| Google Cloud | Yes | Yes | Yes | Yes | Yes | Yes |
+| Azure Entra | Yes | Yes | Yes | Yes | Yes | Yes |
+| GitHub | Yes | Yes | No | No | Yes | Yes |
+| Twilio | Yes | Yes | Yes | Yes | Yes | No |
+| SendGrid | Yes | Yes | Yes | Yes | Yes | No |
+| Anthropic | No | No | Yes | Yes | No | No |
+
+See [Provisioning docs](../../docs/provisioning.md) for full provider examples and authentication details.
+
+### Framework Integrations
+
+Governed credential access for AI agent frameworks. Every access is cached, audited, and policy-enforced.
+
+```typescript
+import { WisperaCredentialProvider, WisperaOpenAIAgentProvider } from '@id-wispera/core';
+
+// Base provider -- works with any framework
+const provider = new WisperaCredentialProvider({ vault });
+const key = await provider.getOpenAIKey('openai-prod');
+
+// OpenAI Agents SDK -- agent keys, tool auth, handoffs
+const agents = new WisperaOpenAIAgentProvider({ vault });
+const agentKey = await agents.getAgentKey('openai-prod');
+const toolAuth = await agents.getToolAuth('serper-key');
+```
+
+| Integration | Class | What It Does |
+|---|---|---|
+| Base | `WisperaCredentialProvider` | Get, cache, and audit any credential |
+| LangChain.js | `WisperaLangChainProvider` | API keys for LangChain LLM constructors |
+| OpenAI Agents | `WisperaOpenAIAgentProvider` | Agent keys, tool auth, handoff scoping |
+| Google A2A | `WisperaA2AProvider` | Agent Card credentials, auth validation |
+| Slack | `WisperaSlackProvider` | Bot tokens, webhooks, Socket Mode |
+
+See [Integrations docs](../../docs/integrations.md) for full examples in TypeScript, Python, and Go.
+
+## Types
+
+See [types.ts](./src/types.ts) for complete type definitions.
+
+## License
+
+MIT

package/dist/audit.d.ts

@@ -0,0 +1,68 @@
+/**
+ * ID Wispera Audit Trail
+ * Append-only audit log for compliance and visibility
+ */
+import { AuditEntry, AuditFilters, AuditAction, Platform } from './types.js';
+import { Vault } from './vault.js';
+/**
+ * Input for logging an action
+ */
+export interface LogActionInput {
+    passportId: string;
+    action: AuditAction;
+    actor: string;
+    platform?: Platform;
+    details?: string;
+    metadata?: Record<string, unknown>;
+}
+/**
+ * Log an action to the audit trail
+ */
+export declare function logAction(vault: Vault, input: LogActionInput): Promise<AuditEntry>;
+/**
+ * Get audit log entries with optional filters
+ */
+export declare function getAuditLog(vault: Vault, passportId?: string, filters?: AuditFilters): Promise<AuditEntry[]>;
+/**
+ * Export audit log to a file format
+ */
+export declare function exportAuditLog(vault: Vault, format: 'json' | 'csv', filters?: AuditFilters): Promise<string>;
+/**
+ * Get audit statistics for a passport
+ */
+export declare function getAuditStats(vault: Vault, passportId?: string): Promise<{
+    totalActions: number;
+    byAction: Record<AuditAction, number>;
+    byActor: Record<string, number>;
+    byPlatform: Record<string, number>;
+    firstAction?: AuditEntry;
+    lastAction?: AuditEntry;
+    actionsLast24h: number;
+    actionsLast7d: number;
+}>;
+/**
+ * Get recent activity across all passports
+ */
+export declare function getRecentActivity(vault: Vault, limit?: number): Promise<AuditEntry[]>;
+/**
+ * Get access history for a specific passport
+ */
+export declare function getAccessHistory(vault: Vault, passportId: string): Promise<AuditEntry[]>;
+/**
+ * Check if a passport has been accessed recently
+ */
+export declare function wasAccessedRecently(vault: Vault, passportId: string, withinMinutes?: number): Promise<boolean>;
+/**
+ * Search audit log by text in details
+ */
+export declare function searchAuditLog(vault: Vault, searchTerm: string, passportId?: string): Promise<AuditEntry[]>;
+/**
+ * Get suspicious activity patterns
+ * Returns entries that might indicate security concerns
+ */
+export declare function getSuspiciousActivity(vault: Vault, passportId?: string): Promise<{
+    rapidAccess: AuditEntry[];
+    unusualActors: AuditEntry[];
+    afterHoursAccess: AuditEntry[];
+}>;
+//# sourceMappingURL=audit.d.ts.map

package/dist/audit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit.d.ts","sourceRoot":"","sources":["../src/audit.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,WAAW,EAAE,QAAQ,EAAE,MAAM,YAAY,CAAC;AAC7E,OAAO,EAAE,KAAK,EAAE,MAAM,YAAY,CAAC;AAMnC;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,WAAW,CAAC;IACpB,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,CAAC,EAAE,QAAQ,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACpC;AAED;;GAEG;AACH,wBAAsB,SAAS,CAC7B,KAAK,EAAE,KAAK,EACZ,KAAK,EAAE,cAAc,GACpB,OAAO,CAAC,UAAU,CAAC,CAcrB;AAED;;GAEG;AACH,wBAAsB,WAAW,CAC/B,KAAK,EAAE,KAAK,EACZ,UAAU,CAAC,EAAE,MAAM,EACnB,OAAO,CAAC,EAAE,YAAY,GACrB,OAAO,CAAC,UAAU,EAAE,CAAC,CAgDvB;AAED;;GAEG;AACH,wBAAsB,cAAc,CAClC,KAAK,EAAE,KAAK,EACZ,MAAM,EAAE,MAAM,GAAG,KAAK,EACtB,OAAO,CAAC,EAAE,YAAY,GACrB,OAAO,CAAC,MAAM,CAAC,CAyCjB;AAMD;;GAEG;AACH,wBAAsB,aAAa,CACjC,KAAK,EAAE,KAAK,EACZ,UAAU,CAAC,EAAE,MAAM,GAClB,OAAO,CAAC;IACT,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;IACtC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAChC,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnC,WAAW,CAAC,EAAE,UAAU,CAAC;IACzB,UAAU,CAAC,EAAE,UAAU,CAAC;IACxB,cAAc,EAAE,MAAM,CAAC;IACvB,aAAa,EAAE,MAAM,CAAC;CACvB,CAAC,CAgED;AAED;;GAEG;AACH,wBAAsB,iBAAiB,CACrC,KAAK,EAAE,KAAK,EACZ,KAAK,GAAE,MAAW,GACjB,OAAO,CAAC,UAAU,EAAE,CAAC,CAEvB;AAED;;GAEG;AACH,wBAAsB,gBAAgB,CACpC,KAAK,EAAE,KAAK,EACZ,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,UAAU,EAAE,CAAC,CAEvB;AAED;;GAEG;AACH,wBAAsB,mBAAmB,CACvC,KAAK,EAAE,KAAK,EACZ,UAAU,EAAE,MAAM,EAClB,aAAa,GAAE,MAAU,GACxB,OAAO,CAAC,OAAO,CAAC,CAQlB;AAMD;;GAEG;AACH,wBAAsB,cAAc,CAClC,KAAK,EAAE,KAAK,EACZ,UAAU,EAAE,MAAM,EAClB,UAAU,CAAC,EAAE,MAAM,GAClB,OAAO,CAAC,UAAU,EAAE,CAAC,CAWvB;AAMD;;;GAGG;AACH,wBAAsB,qBAAqB,CACzC,KAAK,EAAE,KAAK,EACZ,UAAU,CAAC,EAAE,MAAM,GAClB,OAAO,CAAC;IACT,WAAW,EAAE,UAAU,EAAE,CAAC;IAC1B,aAAa,EAAE,UAAU,EAAE,CAAC;IAC5B,gBAAgB,EAAE,UAAU,EAAE,CAAC;CAChC,CAAC,CA8CD"}

package/dist/audit.js

@@ -0,0 +1,252 @@
+/**
+ * ID Wispera Audit Trail
+ * Append-only audit log for compliance and visibility
+ */
+/**
+ * Log an action to the audit trail
+ */
+export async function logAction(vault, input) {
+    const entry = {
+        id: crypto.randomUUID(),
+        passportId: input.passportId,
+        action: input.action,
+        actor: input.actor,
+        timestamp: new Date().toISOString(),
+        platform: input.platform,
+        details: input.details,
+        metadata: input.metadata,
+    };
+    await vault.addAuditEntry(entry);
+    return entry;
+}
+/**
+ * Get audit log entries with optional filters
+ */
+export async function getAuditLog(vault, passportId, filters) {
+    let entries = await vault.getAuditLog(passportId);
+    if (!filters) {
+        return entries.sort((a, b) => new Date(b.timestamp).getTime() - new Date(a.timestamp).getTime());
+    }
+    // Apply filters
+    if (filters.action) {
+        const actions = Array.isArray(filters.action) ? filters.action : [filters.action];
+        entries = entries.filter((e) => actions.includes(e.action));
+    }
+    if (filters.actor) {
+        entries = entries.filter((e) => e.actor === filters.actor);
+    }
+    if (filters.platform) {
+        entries = entries.filter((e) => e.platform === filters.platform);
+    }
+    if (filters.startDate) {
+        const start = new Date(filters.startDate);
+        entries = entries.filter((e) => new Date(e.timestamp) >= start);
+    }
+    if (filters.endDate) {
+        const end = new Date(filters.endDate);
+        entries = entries.filter((e) => new Date(e.timestamp) <= end);
+    }
+    // Sort by timestamp (newest first)
+    entries.sort((a, b) => new Date(b.timestamp).getTime() - new Date(a.timestamp).getTime());
+    // Apply pagination
+    if (filters.offset) {
+        entries = entries.slice(filters.offset);
+    }
+    if (filters.limit) {
+        entries = entries.slice(0, filters.limit);
+    }
+    return entries;
+}
+/**
+ * Export audit log to a file format
+ */
+export async function exportAuditLog(vault, format, filters) {
+    const entries = await getAuditLog(vault, undefined, filters);
+    if (format === 'json') {
+        return JSON.stringify({
+            auditLog: entries,
+            exportedAt: new Date().toISOString(),
+            totalEntries: entries.length,
+        }, null, 2);
+    }
+    // CSV format
+    const headers = [
+        'id',
+        'passportId',
+        'action',
+        'actor',
+        'timestamp',
+        'platform',
+        'details',
+    ];
+    const rows = entries.map((e) => [
+        e.id,
+        e.passportId,
+        e.action,
+        e.actor,
+        e.timestamp,
+        e.platform ?? '',
+        (e.details ?? '').replace(/,/g, ';').replace(/\n/g, ' '),
+    ]
+        .map((v) => `"${v}"`)
+        .join(','));
+    return [headers.join(','), ...rows].join('\n');
+}
+// ============================================================================
+// Audit Statistics
+// ============================================================================
+/**
+ * Get audit statistics for a passport
+ */
+export async function getAuditStats(vault, passportId) {
+    const entries = await getAuditLog(vault, passportId);
+    const byAction = {
+        created: 0,
+        viewed: 0,
+        shared: 0,
+        modified: 0,
+        revoked: 0,
+        renewed: 0,
+        accessed: 0,
+        'policy-checked': 0,
+        detected: 0,
+        exported: 0,
+        imported: 0,
+    };
+    const byActor = {};
+    const byPlatform = {};
+    const now = new Date();
+    const oneDayAgo = new Date(now.getTime() - 24 * 60 * 60 * 1000);
+    const sevenDaysAgo = new Date(now.getTime() - 7 * 24 * 60 * 60 * 1000);
+    let actionsLast24h = 0;
+    let actionsLast7d = 0;
+    let firstAction;
+    let lastAction;
+    let firstTimestamp = Infinity;
+    let lastTimestamp = -Infinity;
+    for (const entry of entries) {
+        byAction[entry.action]++;
+        byActor[entry.actor] = (byActor[entry.actor] ?? 0) + 1;
+        if (entry.platform) {
+            byPlatform[entry.platform] = (byPlatform[entry.platform] ?? 0) + 1;
+        }
+        const entryDate = new Date(entry.timestamp);
+        if (entryDate >= oneDayAgo)
+            actionsLast24h++;
+        if (entryDate >= sevenDaysAgo)
+            actionsLast7d++;
+        const entryTime = new Date(entry.timestamp).getTime();
+        if (entryTime < firstTimestamp) {
+            firstTimestamp = entryTime;
+            firstAction = entry;
+        }
+        if (entryTime > lastTimestamp) {
+            lastTimestamp = entryTime;
+            lastAction = entry;
+        }
+    }
+    return {
+        totalActions: entries.length,
+        byAction,
+        byActor,
+        byPlatform,
+        firstAction,
+        lastAction,
+        actionsLast24h,
+        actionsLast7d,
+    };
+}
+/**
+ * Get recent activity across all passports
+ */
+export async function getRecentActivity(vault, limit = 20) {
+    return getAuditLog(vault, undefined, { limit });
+}
+/**
+ * Get access history for a specific passport
+ */
+export async function getAccessHistory(vault, passportId) {
+    return getAuditLog(vault, passportId, { action: 'accessed' });
+}
+/**
+ * Check if a passport has been accessed recently
+ */
+export async function wasAccessedRecently(vault, passportId, withinMinutes = 5) {
+    const entries = await getAuditLog(vault, passportId, { action: 'accessed' });
+    if (entries.length === 0)
+        return false;
+    const mostRecent = entries[0];
+    if (!mostRecent)
+        return false;
+    const threshold = new Date(Date.now() - withinMinutes * 60 * 1000);
+    return new Date(mostRecent.timestamp) >= threshold;
+}
+// ============================================================================
+// Audit Search
+// ============================================================================
+/**
+ * Search audit log by text in details
+ */
+export async function searchAuditLog(vault, searchTerm, passportId) {
+    const entries = await getAuditLog(vault, passportId);
+    const term = searchTerm.toLowerCase();
+    return entries.filter((e) => {
+        if (e.details?.toLowerCase().includes(term))
+            return true;
+        if (e.actor.toLowerCase().includes(term))
+            return true;
+        if (e.action.toLowerCase().includes(term))
+            return true;
+        if (e.platform?.toLowerCase().includes(term))
+            return true;
+        return false;
+    });
+}
+// ============================================================================
+// Audit Alerting Helpers
+// ============================================================================
+/**
+ * Get suspicious activity patterns
+ * Returns entries that might indicate security concerns
+ */
+export async function getSuspiciousActivity(vault, passportId) {
+    const entries = await getAuditLog(vault, passportId);
+    const accessEntries = entries.filter((e) => e.action === 'accessed');
+    // Rapid access: multiple accesses within 1 minute
+    const rapidAccessSet = new Set();
+    const rapidAccess = [];
+    for (let i = 1; i < accessEntries.length; i++) {
+        const current = accessEntries[i];
+        const previous = accessEntries[i - 1];
+        if (current && previous) {
+            const timeDiff = new Date(previous.timestamp).getTime() - new Date(current.timestamp).getTime();
+            if (timeDiff < 60000) {
+                if (!rapidAccessSet.has(previous.id)) {
+                    rapidAccessSet.add(previous.id);
+                    rapidAccess.push(previous);
+                }
+                if (!rapidAccessSet.has(current.id)) {
+                    rapidAccessSet.add(current.id);
+                    rapidAccess.push(current);
+                }
+            }
+        }
+    }
+    // Unusual actors: actors that appear only once
+    const actorCounts = {};
+    for (const entry of accessEntries) {
+        actorCounts[entry.actor] = (actorCounts[entry.actor] ?? 0) + 1;
+    }
+    const unusualActors = accessEntries.filter((e) => actorCounts[e.actor] === 1);
+    // After hours access (between 10 PM and 6 AM)
+    const afterHoursAccess = accessEntries.filter((e) => {
+        const hour = new Date(e.timestamp).getHours();
+        return hour >= 22 || hour < 6;
+    });
+    return {
+        rapidAccess,
+        unusualActors,
+        afterHoursAccess,
+    };
+}
+//# sourceMappingURL=audit.js.map

package/dist/audit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit.js","sourceRoot":"","sources":["../src/audit.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAqBH;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,KAAY,EACZ,KAAqB;IAErB,MAAM,KAAK,GAAe;QACxB,EAAE,EAAE,MAAM,CAAC,UAAU,EAAE;QACvB,UAAU,EAAE,KAAK,CAAC,UAAU;QAC5B,MAAM,EAAE,KAAK,CAAC,MAAM;QACpB,KAAK,EAAE,KAAK,CAAC,KAAK;QAClB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,QAAQ,EAAE,KAAK,CAAC,QAAQ;QACxB,OAAO,EAAE,KAAK,CAAC,OAAO;QACtB,QAAQ,EAAE,KAAK,CAAC,QAAQ;KACzB,CAAC;IAEF,MAAM,KAAK,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC;IACjC,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,KAAY,EACZ,UAAmB,EACnB,OAAsB;IAEtB,IAAI,OAAO,GAAG,MAAM,KAAK,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC;IAElD,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAC3B,IAAI,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,GAAG,IAAI,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,CAClE,CAAC;IACJ,CAAC;IAED,gBAAgB;IAChB,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;QACnB,MAAM,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QAClF,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC;IAC9D,CAAC;IAED,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;QAClB,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,KAAK,OAAO,CAAC,KAAK,CAAC,CAAC;IAC7D,CAAC;IAED,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;QACrB,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,OAAO,CAAC,QAAQ,CAAC,CAAC;IACnE,CAAC;IAED,IAAI,OAAO,CAAC,SAAS,EAAE,CAAC;QACtB,MAAM,KAAK,GAAG,IAAI,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QAC1C,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC,IAAI,KAAK,CAAC,CAAC;IAClE,CAAC;IAED,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;QACpB,MAAM,GAAG,GAAG,IAAI,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QACtC,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC,IAAI,GAAG,CAAC,CAAC;IAChE,CAAC;IAED,mCAAmC;IACnC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CACpB,IAAI,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,GAAG,IAAI,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,CAClE,CAAC;IAEF,mBAAmB;IACnB,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;QACnB,OAAO,GAAG,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IAC1C,CAAC;IAED,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;QAClB,OAAO,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;IAC5C,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,KAAY,EACZ,MAAsB,EACtB,OAAsB;IAEtB,MAAM,OAAO,GAAG,MAAM,WAAW,CAAC,KAAK,EAAE,SAAS,EAAE,OAAO,CAAC,CAAC;IAE7D,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;QACtB,OAAO,IAAI,CAAC,SAAS,CACnB;YACE,QAAQ,EAAE,OAAO;YACjB,UAAU,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACpC,YAAY,EAAE,OAAO,CAAC,MAAM;SAC7B,EACD,IAAI,EACJ,CAAC,CACF,CAAC;IACJ,CAAC;IAED,aAAa;IACb,MAAM,OAAO,GAAG;QACd,IAAI;QACJ,YAAY;QACZ,QAAQ;QACR,OAAO;QACP,WAAW;QACX,UAAU;QACV,SAAS;KACV,CAAC;IAEF,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAC7B;QACE,CAAC,CAAC,EAAE;QACJ,CAAC,CAAC,UAAU;QACZ,CAAC,CAAC,MAAM;QACR,CAAC,CAAC,KAAK;QACP,CAAC,CAAC,SAAS;QACX,CAAC,CAAC,QAAQ,IAAI,EAAE;QAChB,CAAC,CAAC,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;KACzD;SACE,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC;SACpB,IAAI,CAAC,GAAG,CAAC,CACb,CAAC;IAEF,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,GAAG,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACjD,CAAC;AAED,+EAA+E;AAC/E,mBAAmB;AACnB,+EAA+E;AAE/E;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,KAAY,EACZ,UAAmB;IAWnB,MAAM,OAAO,GAAG,MAAM,WAAW,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;IAErD,MAAM,QAAQ,GAAgC;QAC5C,OAAO,EAAE,CAAC;QACV,MAAM,EAAE,CAAC;QACT,MAAM,EAAE,CAAC;QACT,QAAQ,EAAE,CAAC;QACX,OAAO,EAAE,CAAC;QACV,OAAO,EAAE,CAAC;QACV,QAAQ,EAAE,CAAC;QACX,gBAAgB,EAAE,CAAC;QACnB,QAAQ,EAAE,CAAC;QACX,QAAQ,EAAE,CAAC;QACX,QAAQ,EAAE,CAAC;KACZ,CAAC;IAEF,MAAM,OAAO,GAA2B,EAAE,CAAC;IAC3C,MAAM,UAAU,GAA2B,EAAE,CAAC;IAE9C,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;IACvB,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAChE,MAAM,YAAY,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAEvE,IAAI,cAAc,GAAG,CAAC,CAAC;IACvB,IAAI,aAAa,GAAG,CAAC,CAAC;IAEtB,IAAI,WAAmC,CAAC;IACxC,IAAI,UAAkC,CAAC;IACvC,IAAI,cAAc,GAAG,QAAQ,CAAC;IAC9B,IAAI,aAAa,GAAG,CAAC,QAAQ,CAAC;IAE9B,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;QAC5B,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC;QACzB,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;QACvD,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC;YACnB,UAAU,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,UAAU,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;QACrE,CAAC;QAED,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;QAC5C,IAAI,SAAS,IAAI,SAAS;YAAE,cAAc,EAAE,CAAC;QAC7C,IAAI,SAAS,IAAI,YAAY;YAAE,aAAa,EAAE,CAAC;QAE/C,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,CAAC;QACtD,IAAI,SAAS,GAAG,cAAc,EAAE,CAAC;YAC/B,cAAc,GAAG,SAAS,CAAC;YAC3B,WAAW,GAAG,KAAK,CAAC;QACtB,CAAC;QACD,IAAI,SAAS,GAAG,aAAa,EAAE,CAAC;YAC9B,aAAa,GAAG,SAAS,CAAC;YAC1B,UAAU,GAAG,KAAK,CAAC;QACrB,CAAC;IACH,CAAC;IAED,OAAO;QACL,YAAY,EAAE,OAAO,CAAC,MAAM;QAC5B,QAAQ;QACR,OAAO;QACP,UAAU;QACV,WAAW;QACX,UAAU;QACV,cAAc;QACd,aAAa;KACd,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,KAAY,EACZ,QAAgB,EAAE;IAElB,OAAO,WAAW,CAAC,KAAK,EAAE,SAAS,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC;AAClD,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,KAAY,EACZ,UAAkB;IAElB,OAAO,WAAW,CAAC,KAAK,EAAE,UAAU,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC,CAAC;AAChE,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,KAAY,EACZ,UAAkB,EAClB,gBAAwB,CAAC;IAEzB,MAAM,OAAO,GAAG,MAAM,WAAW,CAAC,KAAK,EAAE,UAAU,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC,CAAC;IAC7E,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAEvC,MAAM,UAAU,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;IAC9B,IAAI,CAAC,UAAU;QAAE,OAAO,KAAK,CAAC;IAC9B,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,aAAa,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IACnE,OAAO,IAAI,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,SAAS,CAAC;AACrD,CAAC;AAED,+EAA+E;AAC/E,eAAe;AACf,+EAA+E;AAE/E;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,KAAY,EACZ,UAAkB,EAClB,UAAmB;IAEnB,MAAM,OAAO,GAAG,MAAM,WAAW,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;IACrD,MAAM,IAAI,GAAG,UAAU,CAAC,WAAW,EAAE,CAAC;IAEtC,OAAO,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;QAC1B,IAAI,CAAC,CAAC,OAAO,EAAE,WAAW,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC;YAAE,OAAO,IAAI,CAAC;QACzD,IAAI,CAAC,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC;YAAE,OAAO,IAAI,CAAC;QACtD,IAAI,CAAC,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC;YAAE,OAAO,IAAI,CAAC;QACvD,IAAI,CAAC,CAAC,QAAQ,EAAE,WAAW,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC;YAAE,OAAO,IAAI,CAAC;QAC1D,OAAO,KAAK,CAAC;IACf,CAAC,CAAC,CAAC;AACL,CAAC;AAED,+EAA+E;AAC/E,yBAAyB;AACzB,+EAA+E;AAE/E;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB,CACzC,KAAY,EACZ,UAAmB;IAMnB,MAAM,OAAO,GAAG,MAAM,WAAW,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;IACrD,MAAM,aAAa,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,UAAU,CAAC,CAAC;IAErE,kDAAkD;IAClD,MAAM,cAAc,GAAG,IAAI,GAAG,EAAU,CAAC;IACzC,MAAM,WAAW,GAAiB,EAAE,CAAC;IACrC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,aAAa,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAC9C,MAAM,OAAO,GAAG,aAAa,CAAC,CAAC,CAAC,CAAC;QACjC,MAAM,QAAQ,GAAG,aAAa,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QACtC,IAAI,OAAO,IAAI,QAAQ,EAAE,CAAC;YACxB,MAAM,QAAQ,GACZ,IAAI,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,GAAG,IAAI,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,CAAC;YACjF,IAAI,QAAQ,GAAG,KAAK,EAAE,CAAC;gBACrB,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC,EAAE,CAAC;oBACrC,cAAc,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;oBAChC,WAAW,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;gBAC7B,CAAC;gBACD,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC,EAAE,CAAC;oBACpC,cAAc,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;oBAC/B,WAAW,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;gBAC5B,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,+CAA+C;IAC/C,MAAM,WAAW,GAA2B,EAAE,CAAC;IAC/C,KAAK,MAAM,KAAK,IAAI,aAAa,EAAE,CAAC;QAClC,WAAW,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,WAAW,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;IACjE,CAAC;IACD,MAAM,aAAa,GAAG,aAAa,CAAC,MAAM,CACxC,CAAC,CAAC,EAAE,EAAE,CAAC,WAAW,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,CAClC,CAAC;IAEF,8CAA8C;IAC9C,MAAM,gBAAgB,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;QAClD,MAAM,IAAI,GAAG,IAAI,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,QAAQ,EAAE,CAAC;QAC9C,OAAO,IAAI,IAAI,EAAE,IAAI,IAAI,GAAG,CAAC,CAAC;IAChC,CAAC,CAAC,CAAC;IAEH,OAAO;QACL,WAAW;QACX,aAAa;QACb,gBAAgB;KACjB,CAAC;AACJ,CAAC"}

package/dist/auth/index.d.ts

@@ -0,0 +1,8 @@
+/**
+ * ID Wispera Auth Module
+ * Secure passphrase resolution and session token management.
+ */
+export { PassphraseProvider, type PassphraseProviderOptions, type PassphraseSource, type PassphraseResult, } from './passphraseProvider.js';
+export { SessionTokenManager, SESSION_TOKEN_ENV_VAR, type SidecarEntry, type SidecarFile, type TokenInfo, } from './sessionTokenManager.js';
+export { KeychainProvider } from './keychainProvider.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/auth/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EACL,kBAAkB,EAClB,KAAK,yBAAyB,EAC9B,KAAK,gBAAgB,EACrB,KAAK,gBAAgB,GACtB,MAAM,yBAAyB,CAAC;AAEjC,OAAO,EACL,mBAAmB,EACnB,qBAAqB,EACrB,KAAK,YAAY,EACjB,KAAK,WAAW,EAChB,KAAK,SAAS,GACf,MAAM,0BAA0B,CAAC;AAElC,OAAO,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAC"}

package/dist/auth/index.js

@@ -0,0 +1,8 @@
+/**
+ * ID Wispera Auth Module
+ * Secure passphrase resolution and session token management.
+ */
+export { PassphraseProvider, } from './passphraseProvider.js';
+export { SessionTokenManager, SESSION_TOKEN_ENV_VAR, } from './sessionTokenManager.js';
+export { KeychainProvider } from './keychainProvider.js';
+//# sourceMappingURL=index.js.map

package/dist/auth/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EACL,kBAAkB,GAInB,MAAM,yBAAyB,CAAC;AAEjC,OAAO,EACL,mBAAmB,EACnB,qBAAqB,GAItB,MAAM,0BAA0B,CAAC;AAElC,OAAO,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAC"}

package/dist/auth/keychainProvider.d.ts

@@ -0,0 +1,40 @@
+/**
+ * ID Wispera Keychain Provider
+ * Optional OS keychain integration for secure passphrase storage.
+ *
+ * Uses `keytar` when available (macOS Keychain, Windows Credential Manager,
+ * Linux Secret Service). Degrades gracefully — returns null if keytar is
+ * not installed or the OS keychain is unavailable.
+ */
+/**
+ * Thin wrapper around the OS keychain.  Every public method catches import
+ * and runtime errors so callers never need to know whether keytar is present.
+ */
+export declare class KeychainProvider {
+    private keytar;
+    private loadAttempted;
+    /**
+     * Lazily try to load keytar.  Called once — result is cached.
+     */
+    private loadKeytar;
+    /**
+     * Whether the keychain backend is available on this system.
+     */
+    isAvailable(): Promise<boolean>;
+    /**
+     * Store the vault passphrase in the OS keychain.
+     * Returns `true` on success, `false` if the keychain is unavailable.
+     */
+    store(passphrase: string): Promise<boolean>;
+    /**
+     * Retrieve the vault passphrase from the OS keychain.
+     * Returns `null` if unavailable or no entry exists.
+     */
+    retrieve(): Promise<string | null>;
+    /**
+     * Remove the vault passphrase from the OS keychain.
+     * Returns `true` if deleted, `false` if unavailable or nothing to delete.
+     */
+    remove(): Promise<boolean>;
+}
+//# sourceMappingURL=keychainProvider.d.ts.map

package/dist/auth/keychainProvider.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"keychainProvider.d.ts","sourceRoot":"","sources":["../../src/auth/keychainProvider.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAKH;;;GAGG;AACH,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,MAAM,CAAwC;IACtD,OAAO,CAAC,aAAa,CAAS;IAE9B;;OAEG;YACW,UAAU;IAaxB;;OAEG;IACG,WAAW,IAAI,OAAO,CAAC,OAAO,CAAC;IAcrC;;;OAGG;IACG,KAAK,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAYjD;;;OAGG;IACG,QAAQ,IAAI,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAWxC;;;OAGG;IACG,MAAM,IAAI,OAAO,CAAC,OAAO,CAAC;CAUjC"}