@id-wispera/core 0.1.0

package/dist/exec/execManager.js

@@ -0,0 +1,226 @@
+/**
+ * ExecManager — Core Subprocess Credential Injection
+ *
+ * Handles the core exec logic independently of the CLI, so it can be
+ * reused by the MCP server or programmatic API in the future.
+ *
+ * Flow:
+ * 1. Resolve each passport (by ID or name)
+ * 2. Evaluate policy for each passport
+ * 3. Determine env var names (explicit, platform-map, or fallback)
+ * 4. Check for env var collisions
+ * 5. Inject into child process environment
+ * 6. Spawn the child process
+ * 7. Propagate signals (SIGTERM, SIGINT, SIGHUP)
+ * 8. Wait for exit
+ * 9. Log audit entries with process metadata
+ * 10. Return exit code
+ */
+import { spawn } from 'child_process';
+import { resolveEnvVarName } from '../integrations/envMapping.js';
+import { evaluatePolicy } from '../policy.js';
+import { logAction } from '../audit.js';
+/**
+ * Execute a command with vault credentials injected as environment variables.
+ */
+export async function execWithCredentials(options) {
+    const { command, passports: passportSpecs, vault, actor, inheritEnv = true, extraEnv = {}, cwd, dryRun = false, } = options;
+    if (command.length === 0) {
+        throw new Error('No command specified');
+    }
+    const startTime = Date.now();
+    const injectedVars = [];
+    const auditEntryIds = [];
+    const credentialEnv = {};
+    // --- Step 1 & 2: Resolve passports and evaluate policy ---
+    const resolvedPassports = [];
+    for (const spec of passportSpecs) {
+        // Resolve by ID first, then by name
+        let passport;
+        // Try by ID
+        try {
+            passport = await vault.retrievePassport(spec.passportRef);
+        }
+        catch {
+            // Not found by ID — try by name
+        }
+        // Try by name if ID lookup failed
+        if (!passport) {
+            const allPassports = await vault.getAllPassports();
+            passport = allPassports.find(p => p.name.toLowerCase() === spec.passportRef.toLowerCase());
+        }
+        if (!passport) {
+            throw new Error(`Passport not found: "${spec.passportRef}". Use 'idw list' to see available passports.`);
+        }
+        // Check passport status
+        if (passport.status === 'revoked') {
+            throw new Error(`Passport "${passport.name}" (${passport.id}) is revoked and cannot be used.`);
+        }
+        if (passport.status === 'expired') {
+            throw new Error(`Passport "${passport.name}" (${passport.id}) has expired.`);
+        }
+        if (passport.status === 'suspended') {
+            throw new Error(`Passport "${passport.name}" (${passport.id}) is suspended.`);
+        }
+        // Evaluate policy
+        const policyResult = evaluatePolicy(passport, 'exec');
+        if (policyResult.effect === 'deny') {
+            throw new Error(`Policy denied access to "${passport.name}": ${policyResult.reason}`);
+        }
+        if (policyResult.effect === 'require-approval') {
+            throw new Error(`Passport "${passport.name}" requires approval before use: ${policyResult.reason}\n` +
+                `Adjust policy rules or use a passport that does not require approval.`);
+        }
+        // Resolve env var name
+        const { envVarName, source } = resolveEnvVarName(passport, spec.envVarOverride);
+        resolvedPassports.push({ passport, envVar: envVarName, source });
+    }
+    // --- Step 3: Check for env var collisions ---
+    const envVarMap = new Map();
+    for (const { envVar, passport } of resolvedPassports) {
+        const existing = envVarMap.get(envVar) ?? [];
+        existing.push(passport.name);
+        envVarMap.set(envVar, existing);
+    }
+    for (const [envVar, passportNames] of envVarMap) {
+        if (passportNames.length > 1) {
+            throw new Error(`Environment variable collision: ${envVar} would be set by multiple passports: ${passportNames.join(', ')}. ` +
+                `Use --as to specify distinct env var names.`);
+        }
+    }
+    // --- Step 4: Build credential environment ---
+    for (const { passport, envVar, source } of resolvedPassports) {
+        credentialEnv[envVar] = passport.credentialValue;
+        injectedVars.push({
+            envVar,
+            passportId: passport.id,
+            passportName: passport.name,
+            source,
+        });
+    }
+    // --- Step 5: Dry run ---
+    if (dryRun) {
+        // Log audit entries for dry run too
+        for (const { passport } of resolvedPassports) {
+            const auditEntry = await logAction(vault, {
+                passportId: passport.id,
+                action: 'policy-checked',
+                actor,
+                details: `Dry run: exec ${command[0]}`,
+                metadata: { dryRun: true, command: command[0] },
+            });
+            auditEntryIds.push(auditEntry.id);
+        }
+        return {
+            exitCode: 0,
+            injectedVars,
+            duration: Date.now() - startTime,
+            auditEntryIds,
+        };
+    }
+    // --- Step 6: Log access and spawn ---
+    for (const { passport } of resolvedPassports) {
+        const auditEntry = await logAction(vault, {
+            passportId: passport.id,
+            action: 'accessed',
+            actor,
+            platform: passport.platforms[0],
+            details: `exec: ${command.join(' ')}`,
+            metadata: {
+                command: command[0],
+                args: command.slice(1),
+                pid: process.pid,
+                envVars: injectedVars.map(v => v.envVar),
+            },
+        });
+        auditEntryIds.push(auditEntry.id);
+    }
+    // Build child environment
+    const childEnv = {
+        ...(inheritEnv ? process.env : {}),
+        ...extraEnv,
+        ...credentialEnv,
+    };
+    // Remove IDW_PASSPHRASE and IDW_SESSION_TOKEN from child env
+    // (child should not inherit vault access)
+    delete childEnv['IDW_PASSPHRASE'];
+    delete childEnv['IDW_SESSION_TOKEN'];
+    const cmd = command[0];
+    const args = command.slice(1);
+    return new Promise((resolve, reject) => {
+        let child;
+        try {
+            child = spawn(cmd, args, {
+                env: childEnv,
+                cwd: cwd ?? process.cwd(),
+                stdio: 'inherit', // pipe stdin/stdout/stderr to parent
+                shell: process.platform === 'win32', // use shell on Windows for .cmd/.bat support
+            });
+        }
+        catch (err) {
+            const message = err instanceof Error ? err.message : String(err);
+            reject(new Error(`Failed to spawn "${cmd}": ${message}`));
+            return;
+        }
+        // --- Step 7: Signal propagation ---
+        const signalHandler = (signal) => {
+            if (child && !child.killed) {
+                child.kill(signal);
+            }
+        };
+        process.on('SIGTERM', signalHandler);
+        process.on('SIGINT', signalHandler);
+        process.on('SIGHUP', signalHandler);
+        const cleanup = () => {
+            process.removeListener('SIGTERM', signalHandler);
+            process.removeListener('SIGINT', signalHandler);
+            process.removeListener('SIGHUP', signalHandler);
+        };
+        child.on('error', (err) => {
+            cleanup();
+            reject(new Error(`Failed to execute "${cmd}": ${err.message}`));
+        });
+        child.on('close', (code, signal) => {
+            cleanup();
+            const duration = Date.now() - startTime;
+            // Log completion audit entries asynchronously (don't block on failure)
+            const logCompletions = resolvedPassports.map(async ({ passport }) => {
+                try {
+                    await logAction(vault, {
+                        passportId: passport.id,
+                        action: 'accessed',
+                        actor,
+                        details: `exec completed: ${command[0]} (exit=${code ?? 'signal'}, duration=${duration}ms)`,
+                        metadata: {
+                            command: command[0],
+                            exitCode: code,
+                            signal: signal ?? undefined,
+                            durationMs: duration,
+                        },
+                    });
+                }
+                catch {
+                    // Don't fail on audit logging errors
+                }
+            });
+            Promise.all(logCompletions).then(() => {
+                resolve({
+                    exitCode: code ?? 1,
+                    signal: signal ?? undefined,
+                    injectedVars,
+                    duration,
+                    auditEntryIds,
+                });
+            }).catch(() => {
+                resolve({
+                    exitCode: code ?? 1,
+                    signal: signal ?? undefined,
+                    injectedVars,
+                    duration,
+                    auditEntryIds,
+                });
+            });
+        });
+    });
+}
+//# sourceMappingURL=execManager.js.map

package/dist/exec/execManager.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"execManager.js","sourceRoot":"","sources":["../../src/exec/execManager.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,OAAO,EAAE,KAAK,EAAE,MAAM,eAAe,CAAC;AAGtC,OAAO,EAAE,iBAAiB,EAAE,MAAM,+BAA+B,CAAC;AAClE,OAAO,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAqCxC;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CAAC,OAAoB;IAC5D,MAAM,EACJ,OAAO,EACP,SAAS,EAAE,aAAa,EACxB,KAAK,EACL,KAAK,EACL,UAAU,GAAG,IAAI,EACjB,QAAQ,GAAG,EAAE,EACb,GAAG,EACH,MAAM,GAAG,KAAK,GACf,GAAG,OAAO,CAAC;IAEZ,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzB,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;IAC1C,CAAC;IAED,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAC7B,MAAM,YAAY,GAA+B,EAAE,CAAC;IACpD,MAAM,aAAa,GAAa,EAAE,CAAC;IACnC,MAAM,aAAa,GAA2B,EAAE,CAAC;IAEjD,4DAA4D;IAC5D,MAAM,iBAAiB,GAIlB,EAAE,CAAC;IAER,KAAK,MAAM,IAAI,IAAI,aAAa,EAAE,CAAC;QACjC,oCAAoC;QACpC,IAAI,QAAqC,CAAC;QAE1C,YAAY;QACZ,IAAI,CAAC;YACH,QAAQ,GAAG,MAAM,KAAK,CAAC,gBAAgB,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QAC5D,CAAC;QAAC,MAAM,CAAC;YACP,gCAAgC;QAClC,CAAC;QAED,kCAAkC;QAClC,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,YAAY,GAAG,MAAM,KAAK,CAAC,eAAe,EAAE,CAAC;YACnD,QAAQ,GAAG,YAAY,CAAC,IAAI,CAC1B,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,EAAE,KAAK,IAAI,CAAC,WAAW,CAAC,WAAW,EAAE,CAC7D,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,KAAK,CACb,wBAAwB,IAAI,CAAC,WAAW,+CAA+C,CACxF,CAAC;QACJ,CAAC;QAED,wBAAwB;QACxB,IAAI,QAAQ,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;YAClC,MAAM,IAAI,KAAK,CAAC,aAAa,QAAQ,CAAC,IAAI,MAAM,QAAQ,CAAC,EAAE,kCAAkC,CAAC,CAAC;QACjG,CAAC;QACD,IAAI,QAAQ,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;YAClC,MAAM,IAAI,KAAK,CAAC,aAAa,QAAQ,CAAC,IAAI,MAAM,QAAQ,CAAC,EAAE,gBAAgB,CAAC,CAAC;QAC/E,CAAC;QACD,IAAI,QAAQ,CAAC,MAAM,KAAK,WAAW,EAAE,CAAC;YACpC,MAAM,IAAI,KAAK,CAAC,aAAa,QAAQ,CAAC,IAAI,MAAM,QAAQ,CAAC,EAAE,iBAAiB,CAAC,CAAC;QAChF,CAAC;QAED,kBAAkB;QAClB,MAAM,YAAY,GAAG,cAAc,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QAEtD,IAAI,YAAY,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;YACnC,MAAM,IAAI,KAAK,CACb,4BAA4B,QAAQ,CAAC,IAAI,MAAM,YAAY,CAAC,MAAM,EAAE,CACrE,CAAC;QACJ,CAAC;QAED,IAAI,YAAY,CAAC,MAAM,KAAK,kBAAkB,EAAE,CAAC;YAC/C,MAAM,IAAI,KAAK,CACb,aAAa,QAAQ,CAAC,IAAI,mCAAmC,YAAY,CAAC,MAAM,IAAI;gBACpF,uEAAuE,CACxE,CAAC;QACJ,CAAC;QAED,uBAAuB;QACvB,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,GAAG,iBAAiB,CAAC,QAAQ,EAAE,IAAI,CAAC,cAAc,CAAC,CAAC;QAEhF,iBAAiB,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,CAAC,CAAC;IACnE,CAAC;IAED,+CAA+C;IAC/C,MAAM,SAAS,GAAG,IAAI,GAAG,EAAoB,CAAC;IAC9C,KAAK,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,IAAI,iBAAiB,EAAE,CAAC;QACrD,MAAM,QAAQ,GAAG,SAAS,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;QAC7C,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;QAC7B,SAAS,CAAC,GAAG,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;IAClC,CAAC;IAED,KAAK,MAAM,CAAC,MAAM,EAAE,aAAa,CAAC,IAAI,SAAS,EAAE,CAAC;QAChD,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC7B,MAAM,IAAI,KAAK,CACb,mCAAmC,MAAM,wCAAwC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI;gBAC7G,6CAA6C,CAC9C,CAAC;QACJ,CAAC;IACH,CAAC;IAED,+CAA+C;IAC/C,KAAK,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI,iBAAiB,EAAE,CAAC;QAC7D,aAAa,CAAC,MAAM,CAAC,GAAG,QAAQ,CAAC,eAAe,CAAC;QACjD,YAAY,CAAC,IAAI,CAAC;YAChB,MAAM;YACN,UAAU,EAAE,QAAQ,CAAC,EAAE;YACvB,YAAY,EAAE,QAAQ,CAAC,IAAI;YAC3B,MAAM;SACP,CAAC,CAAC;IACL,CAAC;IAED,0BAA0B;IAC1B,IAAI,MAAM,EAAE,CAAC;QACX,oCAAoC;QACpC,KAAK,MAAM,EAAE,QAAQ,EAAE,IAAI,iBAAiB,EAAE,CAAC;YAC7C,MAAM,UAAU,GAAG,MAAM,SAAS,CAAC,KAAK,EAAE;gBACxC,UAAU,EAAE,QAAQ,CAAC,EAAE;gBACvB,MAAM,EAAE,gBAA+B;gBACvC,KAAK;gBACL,OAAO,EAAE,iBAAiB,OAAO,CAAC,CAAC,CAAC,EAAE;gBACtC,QAAQ,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC,EAAE;aAChD,CAAC,CAAC;YACH,aAAa,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC;QACpC,CAAC;QAED,OAAO;YACL,QAAQ,EAAE,CAAC;YACX,YAAY;YACZ,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;YAChC,aAAa;SACd,CAAC;IACJ,CAAC;IAED,uCAAuC;IACvC,KAAK,MAAM,EAAE,QAAQ,EAAE,IAAI,iBAAiB,EAAE,CAAC;QAC7C,MAAM,UAAU,GAAG,MAAM,SAAS,CAAC,KAAK,EAAE;YACxC,UAAU,EAAE,QAAQ,CAAC,EAAE;YACvB,MAAM,EAAE,UAAyB;YACjC,KAAK;YACL,QAAQ,EAAE,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC;YAC/B,OAAO,EAAE,SAAS,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE;YACrC,QAAQ,EAAE;gBACR,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC;gBACnB,IAAI,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC;gBACtB,GAAG,EAAE,OAAO,CAAC,GAAG;gBAChB,OAAO,EAAE,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC;aACzC;SACF,CAAC,CAAC;QACH,aAAa,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC;IACpC,CAAC;IAED,0BAA0B;IAC1B,MAAM,QAAQ,GAA2B;QACvC,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,OAAO,CAAC,GAA6B,CAAC,CAAC,CAAC,EAAE,CAAC;QAC5D,GAAG,QAAQ;QACX,GAAG,aAAa;KACjB,CAAC;IAEF,6DAA6D;IAC7D,0CAA0C;IAC1C,OAAO,QAAQ,CAAC,gBAAgB,CAAC,CAAC;IAClC,OAAO,QAAQ,CAAC,mBAAmB,CAAC,CAAC;IAErC,MAAM,GAAG,GAAG,OAAO,CAAC,CAAC,CAAE,CAAC;IACxB,MAAM,IAAI,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAE9B,OAAO,IAAI,OAAO,CAAa,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACjD,IAAI,KAAmB,CAAC;QAExB,IAAI,CAAC;YACH,KAAK,GAAG,KAAK,CAAC,GAAG,EAAE,IAAI,EAAE;gBACvB,GAAG,EAAE,QAAQ;gBACb,GAAG,EAAE,GAAG,IAAI,OAAO,CAAC,GAAG,EAAE;gBACzB,KAAK,EAAE,SAAS,EAAE,qCAAqC;gBACvD,KAAK,EAAE,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE,6CAA6C;aACnF,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,GAAY,EAAE,CAAC;YACtB,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACjE,MAAM,CAAC,IAAI,KAAK,CAAC,oBAAoB,GAAG,MAAM,OAAO,EAAE,CAAC,CAAC,CAAC;YAC1D,OAAO;QACT,CAAC;QAED,qCAAqC;QACrC,MAAM,aAAa,GAAG,CAAC,MAAsB,EAAE,EAAE;YAC/C,IAAI,KAAK,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC;gBAC3B,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YACrB,CAAC;QACH,CAAC,CAAC;QAEF,OAAO,CAAC,EAAE,CAAC,SAAS,EAAE,aAAa,CAAC,CAAC;QACrC,OAAO,CAAC,EAAE,CAAC,QAAQ,EAAE,aAAa,CAAC,CAAC;QACpC,OAAO,CAAC,EAAE,CAAC,QAAQ,EAAE,aAAa,CAAC,CAAC;QAEpC,MAAM,OAAO,GAAG,GAAG,EAAE;YACnB,OAAO,CAAC,cAAc,CAAC,SAAS,EAAE,aAAa,CAAC,CAAC;YACjD,OAAO,CAAC,cAAc,CAAC,QAAQ,EAAE,aAAa,CAAC,CAAC;YAChD,OAAO,CAAC,cAAc,CAAC,QAAQ,EAAE,aAAa,CAAC,CAAC;QAClD,CAAC,CAAC;QAEF,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;YACxB,OAAO,EAAE,CAAC;YACV,MAAM,CAAC,IAAI,KAAK,CAAC,sBAAsB,GAAG,MAAM,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;QAClE,CAAC,CAAC,CAAC;QAEH,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE;YACjC,OAAO,EAAE,CAAC;YACV,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;YAExC,uEAAuE;YACvE,MAAM,cAAc,GAAG,iBAAiB,CAAC,GAAG,CAAC,KAAK,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE;gBAClE,IAAI,CAAC;oBACH,MAAM,SAAS,CAAC,KAAK,EAAE;wBACrB,UAAU,EAAE,QAAQ,CAAC,EAAE;wBACvB,MAAM,EAAE,UAAyB;wBACjC,KAAK;wBACL,OAAO,EAAE,mBAAmB,OAAO,CAAC,CAAC,CAAC,UAAU,IAAI,IAAI,QAAQ,cAAc,QAAQ,KAAK;wBAC3F,QAAQ,EAAE;4BACR,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC;4BACnB,QAAQ,EAAE,IAAI;4BACd,MAAM,EAAE,MAAM,IAAI,SAAS;4BAC3B,UAAU,EAAE,QAAQ;yBACrB;qBACF,CAAC,CAAC;gBACL,CAAC;gBAAC,MAAM,CAAC;oBACP,qCAAqC;gBACvC,CAAC;YACH,CAAC,CAAC,CAAC;YAEH,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE;gBACpC,OAAO,CAAC;oBACN,QAAQ,EAAE,IAAI,IAAI,CAAC;oBACnB,MAAM,EAAE,MAAM,IAAI,SAAS;oBAC3B,YAAY;oBACZ,QAAQ;oBACR,aAAa;iBACd,CAAC,CAAC;YACL,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE;gBACZ,OAAO,CAAC;oBACN,QAAQ,EAAE,IAAI,IAAI,CAAC;oBACnB,MAAM,EAAE,MAAM,IAAI,SAAS;oBAC3B,YAAY;oBACZ,QAAQ;oBACR,aAAa;iBACd,CAAC,CAAC;YACL,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/exec/index.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Exec Module — Secure credential injection via subprocess
+ */
+export { execWithCredentials } from './execManager.js';
+export type { ExecPassportSpec, ExecOptions, ExecResult } from './execManager.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/exec/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/exec/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,mBAAmB,EAAE,MAAM,kBAAkB,CAAC;AACvD,YAAY,EAAE,gBAAgB,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC"}

package/dist/exec/index.js

@@ -0,0 +1,5 @@
+/**
+ * Exec Module — Secure credential injection via subprocess
+ */
+export { execWithCredentials } from './execManager.js';
+//# sourceMappingURL=index.js.map

package/dist/exec/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/exec/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,mBAAmB,EAAE,MAAM,kBAAkB,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,35 @@
+/**
+ * ID Wispera Core
+ * The Identity Whisperer for AI Agents
+ *
+ * A credential governance platform using the passport/visa metaphor
+ * to manage, secure, and audit AI agent credentials.
+ */
+export * from './types.js';
+export { Vault, MemoryStorageBackend, FileSystemStorageBackend, initVault, unlockVault, lockVault, vaultExists, getDefaultVaultPath, migrateVault, SCRYPT_PARAMS, } from './vault.js';
+export type { StorageBackend } from './vault.js';
+export { createPassport, getPassport, listPassports, updatePassport, revokePassport, renewPassport, duplicatePassport, deletePassport, accessCredential, calculateStatus, refreshStatus, maskCredential, getExpiringPassports, getPassportStats, } from './passport.js';
+export { detectCredentials, classifyCredential, mightContainCredentials, maskCredentialsInText, getDetectionStats, } from './detection.js';
+export { logAction, getAuditLog, exportAuditLog, getAuditStats, getRecentActivity, getAccessHistory, wasAccessedRecently, searchAuditLog, getSuspiciousActivity, } from './audit.js';
+export type { LogActionInput } from './audit.js';
+export { evaluatePolicy, validatePassport, createPolicyRule, mergePolicyRules, getEnabledRules, hasValidHumanOwner, isWithinValidityPeriod, hasExcessiveDelegation, hasBroadScope, hasPrivilegedAccess, PolicyBuilder, policy, DEFAULT_POLICY_RULES, } from './policy.js';
+export { createShareLink, resolveShareLink, getShareInfo, isShareValid, createShareUrl, parseShareUrl, createOneTimeShare, createMetadataShare, } from './sharing.js';
+export { addDelegation, revokeDelegation, clearDelegations, getDelegationDepth, getCurrentHolder, getOriginalIssuer, getAllDelegationParties, isInDelegationChain, getDelegationPath, hasExpiredDelegation, getExpiredDelegations, getExpiringDelegations, getEffectiveScope, isScopePermitted, getScopeRestrictions, validateDelegationChain, } from './delegation.js';
+export { type RiskLevel, type CredentialClassification, type DiscoveredCredential, type LocationScanResult, type ProviderDefinition, type ProviderLocation, expandPath, getHomeDir, providers, getProvider, getProviderIds, detectInstalledProviders, getRiskEmoji, getRiskLabel, sortByRisk, openclawProvider, awsProvider, sshProvider, dockerProvider, npmProvider, kubernetesProvider, } from './locations.js';
+export { OPENCLAW_BASE_PATH, OPENCLAW_PATHS, isOpenClawInstalled, checkFilePermissions, checkDirectoryPermissions, scanOpenClaw, type OpenClawScanResult, toPassportInput, formatCredentialRow, } from './providers/openclaw.js';
+export { provisionAndCreatePassport, provision, rotateCredential, revokeAtSource, listProviderKeys, validateProviderAuth, getProviderCapabilities, listProviders, OpenAIProvider, AWSProvider, GoogleCloudProvider, AzureEntraProvider, GitHubProvider, TwilioProvider, SendGridProvider, AnthropicProvider, BaseProvisioningProvider, } from './provisioning/index.js';
+export type { IProvisioningProvider } from './provisioning/index.js';
+export type { ProvisioningProvider, ProviderCapabilities, ProviderAuth, ProvisioningRequest, ProvisioningResult, RotationResult, ProviderSpecificConfig, ProviderPermissions, OpenAIConfig, AWSConfig, GoogleCloudConfig, AzureEntraConfig, GitHubConfig, TwilioConfig, SendGridConfig, AnthropicConfig, OpenAIPermissions, AWSPermissions, GoogleCloudPermissions, AzureEntraPermissions, GitHubPermissions, TwilioPermissions, SendGridPermissions, } from './provisioning/types.js';
+export { WisperaCredentialProvider, WisperaLangChainProvider, WisperaOpenAIAgentProvider, WisperaA2AProvider, WisperaSlackProvider, } from './integrations/index.js';
+export { PLATFORM_ENV_MAP, resolveEnvVarName, getPlatformEnvVars, } from './integrations/index.js';
+export type { EnvVarMapping } from './integrations/index.js';
+export type { HandoffScope, ToolAuth } from './integrations/openai-agents.js';
+export type { IntegrationConfig, CredentialAccessOptions, CredentialResult, AvailableCredential, LLMConfig, SlackTokenType, SlackCredentialResult, A2AAgentCredentials, A2ATaskCredentials, } from './integrations/types.js';
+export { execWithCredentials } from './exec/index.js';
+export type { ExecPassportSpec, ExecOptions, ExecResult } from './exec/index.js';
+export { PassphraseProvider, SessionTokenManager, SESSION_TOKEN_ENV_VAR, KeychainProvider, } from './auth/index.js';
+export type { PassphraseProviderOptions, PassphraseSource, PassphraseResult, SidecarEntry, SidecarFile, TokenInfo, } from './auth/index.js';
+export { MS_PER_DAY, maskValue, capitalizeFirst, previewToken, toArray, getErrorMessage, pathExists, getRandomBytes, getCryptoSubtle, toBufferSource, } from './utils.js';
+export declare const VERSION = "0.1.0";
+export declare const PACKAGE_NAME = "@id-wispera/core";
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAMH,cAAc,YAAY,CAAC;AAM3B,OAAO,EACL,KAAK,EACL,oBAAoB,EACpB,wBAAwB,EACxB,SAAS,EACT,WAAW,EACX,SAAS,EACT,WAAW,EACX,mBAAmB,EACnB,YAAY,EACZ,aAAa,GACd,MAAM,YAAY,CAAC;AACpB,YAAY,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAMjD,OAAO,EACL,cAAc,EACd,WAAW,EACX,aAAa,EACb,cAAc,EACd,cAAc,EACd,aAAa,EACb,iBAAiB,EACjB,cAAc,EACd,gBAAgB,EAChB,eAAe,EACf,aAAa,EACb,cAAc,EACd,oBAAoB,EACpB,gBAAgB,GACjB,MAAM,eAAe,CAAC;AAMvB,OAAO,EACL,iBAAiB,EACjB,kBAAkB,EAClB,uBAAuB,EACvB,qBAAqB,EACrB,iBAAiB,GAClB,MAAM,gBAAgB,CAAC;AAMxB,OAAO,EACL,SAAS,EACT,WAAW,EACX,cAAc,EACd,aAAa,EACb,iBAAiB,EACjB,gBAAgB,EAChB,mBAAmB,EACnB,cAAc,EACd,qBAAqB,GACtB,MAAM,YAAY,CAAC;AACpB,YAAY,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAMjD,OAAO,EACL,cAAc,EACd,gBAAgB,EAChB,gBAAgB,EAChB,gBAAgB,EAChB,eAAe,EACf,kBAAkB,EAClB,sBAAsB,EACtB,sBAAsB,EACtB,aAAa,EACb,mBAAmB,EACnB,aAAa,EACb,MAAM,EACN,oBAAoB,GACrB,MAAM,aAAa,CAAC;AAMrB,OAAO,EACL,eAAe,EACf,gBAAgB,EAChB,YAAY,EACZ,YAAY,EACZ,cAAc,EACd,aAAa,EACb,kBAAkB,EAClB,mBAAmB,GACpB,MAAM,cAAc,CAAC;AAMtB,OAAO,EACL,aAAa,EACb,gBAAgB,EAChB,gBAAgB,EAChB,kBAAkB,EAClB,gBAAgB,EAChB,iBAAiB,EACjB,uBAAuB,EACvB,mBAAmB,EACnB,iBAAiB,EACjB,oBAAoB,EACpB,qBAAqB,EACrB,sBAAsB,EACtB,iBAAiB,EACjB,gBAAgB,EAChB,oBAAoB,EACpB,uBAAuB,GACxB,MAAM,iBAAiB,CAAC;AAMzB,OAAO,EAEL,KAAK,SAAS,EACd,KAAK,wBAAwB,EAC7B,KAAK,oBAAoB,EACzB,KAAK,kBAAkB,EACvB,KAAK,kBAAkB,EACvB,KAAK,gBAAgB,EAErB,UAAU,EACV,UAAU,EAEV,SAAS,EACT,WAAW,EACX,cAAc,EACd,wBAAwB,EAExB,YAAY,EACZ,YAAY,EACZ,UAAU,EAEV,gBAAgB,EAChB,WAAW,EACX,WAAW,EACX,cAAc,EACd,WAAW,EACX,kBAAkB,GACnB,MAAM,gBAAgB,CAAC;AAMxB,OAAO,EAEL,kBAAkB,EAClB,cAAc,EAEd,mBAAmB,EACnB,oBAAoB,EACpB,yBAAyB,EAEzB,YAAY,EACZ,KAAK,kBAAkB,EAEvB,eAAe,EACf,mBAAmB,GACpB,MAAM,yBAAyB,CAAC;AAMjC,OAAO,EAEL,0BAA0B,EAC1B,SAAS,EACT,gBAAgB,EAChB,cAAc,EACd,gBAAgB,EAChB,oBAAoB,EACpB,uBAAuB,EACvB,aAAa,EAEb,cAAc,EACd,WAAW,EACX,mBAAmB,EACnB,kBAAkB,EAClB,cAAc,EACd,cAAc,EACd,gBAAgB,EAChB,iBAAiB,EACjB,wBAAwB,GACzB,MAAM,yBAAyB,CAAC;AACjC,YAAY,EAAE,qBAAqB,EAAE,MAAM,yBAAyB,CAAC;AACrE,YAAY,EACV,oBAAoB,EACpB,oBAAoB,EACpB,YAAY,EACZ,mBAAmB,EACnB,kBAAkB,EAClB,cAAc,EACd,sBAAsB,EACtB,mBAAmB,EACnB,YAAY,EACZ,SAAS,EACT,iBAAiB,EACjB,gBAAgB,EAChB,YAAY,EACZ,YAAY,EACZ,cAAc,EACd,eAAe,EACf,iBAAiB,EACjB,cAAc,EACd,sBAAsB,EACtB,qBAAqB,EACrB,iBAAiB,EACjB,iBAAiB,EACjB,mBAAmB,GACpB,MAAM,yBAAyB,CAAC;AAMjC,OAAO,EAEL,yBAAyB,EAEzB,wBAAwB,EACxB,0BAA0B,EAC1B,kBAAkB,EAClB,oBAAoB,GACrB,MAAM,yBAAyB,CAAC;AACjC,OAAO,EACL,gBAAgB,EAChB,iBAAiB,EACjB,kBAAkB,GACnB,MAAM,yBAAyB,CAAC;AACjC,YAAY,EAAE,aAAa,EAAE,MAAM,yBAAyB,CAAC;AAC7D,YAAY,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,iCAAiC,CAAC;AAC9E,YAAY,EACV,iBAAiB,EACjB,uBAAuB,EACvB,gBAAgB,EAChB,mBAAmB,EACnB,SAAS,EACT,cAAc,EACd,qBAAqB,EACrB,mBAAmB,EACnB,kBAAkB,GACnB,MAAM,yBAAyB,CAAC;AAMjC,OAAO,EAAE,mBAAmB,EAAE,MAAM,iBAAiB,CAAC;AACtD,YAAY,EAAE,gBAAgB,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAMjF,OAAO,EACL,kBAAkB,EAClB,mBAAmB,EACnB,qBAAqB,EACrB,gBAAgB,GACjB,MAAM,iBAAiB,CAAC;AACzB,YAAY,EACV,yBAAyB,EACzB,gBAAgB,EAChB,gBAAgB,EAChB,YAAY,EACZ,WAAW,EACX,SAAS,GACV,MAAM,iBAAiB,CAAC;AAMzB,OAAO,EACL,UAAU,EACV,SAAS,EACT,eAAe,EACf,YAAY,EACZ,OAAO,EACP,eAAe,EACf,UAAU,EACV,cAAc,EACd,eAAe,EACf,cAAc,GACf,MAAM,YAAY,CAAC;AAMpB,eAAO,MAAM,OAAO,UAAU,CAAC;AAC/B,eAAO,MAAM,YAAY,qBAAqB,CAAC"}

package/dist/index.js

@@ -0,0 +1,98 @@
+/**
+ * ID Wispera Core
+ * The Identity Whisperer for AI Agents
+ *
+ * A credential governance platform using the passport/visa metaphor
+ * to manage, secure, and audit AI agent credentials.
+ */
+// ============================================================================
+// Type Exports
+// ============================================================================
+export * from './types.js';
+// ============================================================================
+// Vault
+// ============================================================================
+export { Vault, MemoryStorageBackend, FileSystemStorageBackend, initVault, unlockVault, lockVault, vaultExists, getDefaultVaultPath, migrateVault, SCRYPT_PARAMS, } from './vault.js';
+// ============================================================================
+// Passport Management
+// ============================================================================
+export { createPassport, getPassport, listPassports, updatePassport, revokePassport, renewPassport, duplicatePassport, deletePassport, accessCredential, calculateStatus, refreshStatus, maskCredential, getExpiringPassports, getPassportStats, } from './passport.js';
+// ============================================================================
+// Credential Detection
+// ============================================================================
+export { detectCredentials, classifyCredential, mightContainCredentials, maskCredentialsInText, getDetectionStats, } from './detection.js';
+// ============================================================================
+// Audit Trail
+// ============================================================================
+export { logAction, getAuditLog, exportAuditLog, getAuditStats, getRecentActivity, getAccessHistory, wasAccessedRecently, searchAuditLog, getSuspiciousActivity, } from './audit.js';
+// ============================================================================
+// Policy Engine
+// ============================================================================
+export { evaluatePolicy, validatePassport, createPolicyRule, mergePolicyRules, getEnabledRules, hasValidHumanOwner, isWithinValidityPeriod, hasExcessiveDelegation, hasBroadScope, hasPrivilegedAccess, PolicyBuilder, policy, DEFAULT_POLICY_RULES, } from './policy.js';
+// ============================================================================
+// Secure Sharing
+// ============================================================================
+export { createShareLink, resolveShareLink, getShareInfo, isShareValid, createShareUrl, parseShareUrl, createOneTimeShare, createMetadataShare, } from './sharing.js';
+// ============================================================================
+// Delegation Management
+// ============================================================================
+export { addDelegation, revokeDelegation, clearDelegations, getDelegationDepth, getCurrentHolder, getOriginalIssuer, getAllDelegationParties, isInDelegationChain, getDelegationPath, hasExpiredDelegation, getExpiredDelegations, getExpiringDelegations, getEffectiveScope, isScopePermitted, getScopeRestrictions, validateDelegationChain, } from './delegation.js';
+// ============================================================================
+// Credential Locations & Provider Registry
+// ============================================================================
+export { 
+// Path helpers
+expandPath, getHomeDir, 
+// Provider registry
+providers, getProvider, getProviderIds, detectInstalledProviders, 
+// Risk helpers
+getRiskEmoji, getRiskLabel, sortByRisk, 
+// Built-in providers
+openclawProvider, awsProvider, sshProvider, dockerProvider, npmProvider, kubernetesProvider, } from './locations.js';
+// ============================================================================
+// OpenClaw Provider
+// ============================================================================
+export { 
+// Constants
+OPENCLAW_BASE_PATH, OPENCLAW_PATHS, 
+// Detection
+isOpenClawInstalled, checkFilePermissions, checkDirectoryPermissions, 
+// Scanning
+scanOpenClaw, 
+// Import helpers
+toPassportInput, formatCredentialRow, } from './providers/openclaw.js';
+// ============================================================================
+// Credential Provisioning
+// ============================================================================
+export { 
+// Unified interface
+provisionAndCreatePassport, provision, rotateCredential, revokeAtSource, listProviderKeys, validateProviderAuth, getProviderCapabilities, listProviders, 
+// Provider classes
+OpenAIProvider, AWSProvider, GoogleCloudProvider, AzureEntraProvider, GitHubProvider, TwilioProvider, SendGridProvider, AnthropicProvider, BaseProvisioningProvider, } from './provisioning/index.js';
+// ============================================================================
+// Framework Integrations
+// ============================================================================
+export { 
+// Base provider
+WisperaCredentialProvider, 
+// Framework-specific providers
+WisperaLangChainProvider, WisperaOpenAIAgentProvider, WisperaA2AProvider, WisperaSlackProvider, } from './integrations/index.js';
+export { PLATFORM_ENV_MAP, resolveEnvVarName, getPlatformEnvVars, } from './integrations/index.js';
+// ============================================================================
+// Exec — Secure credential injection via subprocess
+// ============================================================================
+export { execWithCredentials } from './exec/index.js';
+// ============================================================================
+// Authentication
+// ============================================================================
+export { PassphraseProvider, SessionTokenManager, SESSION_TOKEN_ENV_VAR, KeychainProvider, } from './auth/index.js';
+// ============================================================================
+// Utilities
+// ============================================================================
+export { MS_PER_DAY, maskValue, capitalizeFirst, previewToken, toArray, getErrorMessage, pathExists, getRandomBytes, getCryptoSubtle, toBufferSource, } from './utils.js';
+// ============================================================================
+// Package Info
+// ============================================================================
+export const VERSION = '0.1.0';
+export const PACKAGE_NAME = '@id-wispera/core';
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,+EAA+E;AAC/E,eAAe;AACf,+EAA+E;AAE/E,cAAc,YAAY,CAAC;AAE3B,+EAA+E;AAC/E,QAAQ;AACR,+EAA+E;AAE/E,OAAO,EACL,KAAK,EACL,oBAAoB,EACpB,wBAAwB,EACxB,SAAS,EACT,WAAW,EACX,SAAS,EACT,WAAW,EACX,mBAAmB,EACnB,YAAY,EACZ,aAAa,GACd,MAAM,YAAY,CAAC;AAGpB,+EAA+E;AAC/E,sBAAsB;AACtB,+EAA+E;AAE/E,OAAO,EACL,cAAc,EACd,WAAW,EACX,aAAa,EACb,cAAc,EACd,cAAc,EACd,aAAa,EACb,iBAAiB,EACjB,cAAc,EACd,gBAAgB,EAChB,eAAe,EACf,aAAa,EACb,cAAc,EACd,oBAAoB,EACpB,gBAAgB,GACjB,MAAM,eAAe,CAAC;AAEvB,+EAA+E;AAC/E,uBAAuB;AACvB,+EAA+E;AAE/E,OAAO,EACL,iBAAiB,EACjB,kBAAkB,EAClB,uBAAuB,EACvB,qBAAqB,EACrB,iBAAiB,GAClB,MAAM,gBAAgB,CAAC;AAExB,+EAA+E;AAC/E,cAAc;AACd,+EAA+E;AAE/E,OAAO,EACL,SAAS,EACT,WAAW,EACX,cAAc,EACd,aAAa,EACb,iBAAiB,EACjB,gBAAgB,EAChB,mBAAmB,EACnB,cAAc,EACd,qBAAqB,GACtB,MAAM,YAAY,CAAC;AAGpB,+EAA+E;AAC/E,gBAAgB;AAChB,+EAA+E;AAE/E,OAAO,EACL,cAAc,EACd,gBAAgB,EAChB,gBAAgB,EAChB,gBAAgB,EAChB,eAAe,EACf,kBAAkB,EAClB,sBAAsB,EACtB,sBAAsB,EACtB,aAAa,EACb,mBAAmB,EACnB,aAAa,EACb,MAAM,EACN,oBAAoB,GACrB,MAAM,aAAa,CAAC;AAErB,+EAA+E;AAC/E,iBAAiB;AACjB,+EAA+E;AAE/E,OAAO,EACL,eAAe,EACf,gBAAgB,EAChB,YAAY,EACZ,YAAY,EACZ,cAAc,EACd,aAAa,EACb,kBAAkB,EAClB,mBAAmB,GACpB,MAAM,cAAc,CAAC;AAEtB,+EAA+E;AAC/E,wBAAwB;AACxB,+EAA+E;AAE/E,OAAO,EACL,aAAa,EACb,gBAAgB,EAChB,gBAAgB,EAChB,kBAAkB,EAClB,gBAAgB,EAChB,iBAAiB,EACjB,uBAAuB,EACvB,mBAAmB,EACnB,iBAAiB,EACjB,oBAAoB,EACpB,qBAAqB,EACrB,sBAAsB,EACtB,iBAAiB,EACjB,gBAAgB,EAChB,oBAAoB,EACpB,uBAAuB,GACxB,MAAM,iBAAiB,CAAC;AAEzB,+EAA+E;AAC/E,2CAA2C;AAC3C,+EAA+E;AAE/E,OAAO;AAQL,eAAe;AACf,UAAU,EACV,UAAU;AACV,oBAAoB;AACpB,SAAS,EACT,WAAW,EACX,cAAc,EACd,wBAAwB;AACxB,eAAe;AACf,YAAY,EACZ,YAAY,EACZ,UAAU;AACV,qBAAqB;AACrB,gBAAgB,EAChB,WAAW,EACX,WAAW,EACX,cAAc,EACd,WAAW,EACX,kBAAkB,GACnB,MAAM,gBAAgB,CAAC;AAExB,+EAA+E;AAC/E,oBAAoB;AACpB,+EAA+E;AAE/E,OAAO;AACL,YAAY;AACZ,kBAAkB,EAClB,cAAc;AACd,YAAY;AACZ,mBAAmB,EACnB,oBAAoB,EACpB,yBAAyB;AACzB,WAAW;AACX,YAAY;AAEZ,iBAAiB;AACjB,eAAe,EACf,mBAAmB,GACpB,MAAM,yBAAyB,CAAC;AAEjC,+EAA+E;AAC/E,0BAA0B;AAC1B,+EAA+E;AAE/E,OAAO;AACL,oBAAoB;AACpB,0BAA0B,EAC1B,SAAS,EACT,gBAAgB,EAChB,cAAc,EACd,gBAAgB,EAChB,oBAAoB,EACpB,uBAAuB,EACvB,aAAa;AACb,mBAAmB;AACnB,cAAc,EACd,WAAW,EACX,mBAAmB,EACnB,kBAAkB,EAClB,cAAc,EACd,cAAc,EACd,gBAAgB,EAChB,iBAAiB,EACjB,wBAAwB,GACzB,MAAM,yBAAyB,CAAC;AA4BjC,+EAA+E;AAC/E,yBAAyB;AACzB,+EAA+E;AAE/E,OAAO;AACL,gBAAgB;AAChB,yBAAyB;AACzB,+BAA+B;AAC/B,wBAAwB,EACxB,0BAA0B,EAC1B,kBAAkB,EAClB,oBAAoB,GACrB,MAAM,yBAAyB,CAAC;AACjC,OAAO,EACL,gBAAgB,EAChB,iBAAiB,EACjB,kBAAkB,GACnB,MAAM,yBAAyB,CAAC;AAejC,+EAA+E;AAC/E,oDAAoD;AACpD,+EAA+E;AAE/E,OAAO,EAAE,mBAAmB,EAAE,MAAM,iBAAiB,CAAC;AAGtD,+EAA+E;AAC/E,iBAAiB;AACjB,+EAA+E;AAE/E,OAAO,EACL,kBAAkB,EAClB,mBAAmB,EACnB,qBAAqB,EACrB,gBAAgB,GACjB,MAAM,iBAAiB,CAAC;AAUzB,+EAA+E;AAC/E,YAAY;AACZ,+EAA+E;AAE/E,OAAO,EACL,UAAU,EACV,SAAS,EACT,eAAe,EACf,YAAY,EACZ,OAAO,EACP,eAAe,EACf,UAAU,EACV,cAAc,EACd,eAAe,EACf,cAAc,GACf,MAAM,YAAY,CAAC;AAEpB,+EAA+E;AAC/E,eAAe;AACf,+EAA+E;AAE/E,MAAM,CAAC,MAAM,OAAO,GAAG,OAAO,CAAC;AAC/B,MAAM,CAAC,MAAM,YAAY,GAAG,kBAAkB,CAAC"}

package/dist/integrations/base.d.ts

@@ -0,0 +1,64 @@
+/**
+ * ID Wispera Base Integration Provider
+ * Common credential access logic shared by all framework integrations
+ */
+import type { Passport, Platform } from '../types.js';
+import type { Vault } from '../vault.js';
+import type { IntegrationConfig, CredentialAccessOptions, CredentialResult, AvailableCredential, LLMConfig } from './types.js';
+/**
+ * Base credential provider that all framework integrations extend.
+ * Handles vault access, caching, audit logging, and credential lookup.
+ */
+export declare class WisperaCredentialProvider {
+    protected vault: Vault;
+    protected actor: string;
+    protected enableCache: boolean;
+    protected logAccessDefault: boolean;
+    private cache;
+    constructor(config: IntegrationConfig);
+    /**
+     * Get a credential by passport name
+     */
+    get(passportName: string, options?: CredentialAccessOptions): Promise<CredentialResult>;
+    /**
+     * Get a credential value by passport name (convenience shorthand)
+     */
+    getValue(passportName: string, options?: CredentialAccessOptions): Promise<string>;
+    /**
+     * Get a credential filtered by platform
+     */
+    getByPlatform(passportName: string, platform: Platform): Promise<CredentialResult>;
+    /**
+     * Get OpenAI API key
+     */
+    getOpenAIKey(passportName?: string): Promise<string>;
+    /**
+     * Get Anthropic API key
+     */
+    getAnthropicKey(passportName?: string): Promise<string>;
+    /**
+     * Get Azure AI API key
+     */
+    getAzureKey(passportName?: string): Promise<string>;
+    /**
+     * Get LLM configuration for a credential
+     */
+    getLLMConfig(passportName: string, model?: string): Promise<LLMConfig>;
+    /**
+     * List available credentials
+     */
+    listAvailable(platform?: Platform): Promise<AvailableCredential[]>;
+    /**
+     * Clear the credential cache
+     */
+    clearCache(): void;
+    /**
+     * Find a passport by name with optional platform filter
+     */
+    protected findPassport(passportName: string, platform?: Platform): Promise<Passport>;
+    /**
+     * Detect LLM provider from platform list
+     */
+    protected detectProvider(platforms: Platform[]): string | null;
+}
+//# sourceMappingURL=base.d.ts.map

package/dist/integrations/base.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"base.d.ts","sourceRoot":"","sources":["../../src/integrations/base.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AACtD,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,aAAa,CAAC;AAGzC,OAAO,KAAK,EACV,iBAAiB,EACjB,uBAAuB,EACvB,gBAAgB,EAChB,mBAAmB,EACnB,SAAS,EACV,MAAM,YAAY,CAAC;AAEpB;;;GAGG;AACH,qBAAa,yBAAyB;IACpC,SAAS,CAAC,KAAK,EAAE,KAAK,CAAC;IACvB,SAAS,CAAC,KAAK,EAAE,MAAM,CAAC;IACxB,SAAS,CAAC,WAAW,EAAE,OAAO,CAAC;IAC/B,SAAS,CAAC,gBAAgB,EAAE,OAAO,CAAC;IACpC,OAAO,CAAC,KAAK,CAA4C;gBAE7C,MAAM,EAAE,iBAAiB;IAOrC;;OAEG;IACG,GAAG,CACP,YAAY,EAAE,MAAM,EACpB,OAAO,CAAC,EAAE,uBAAuB,GAChC,OAAO,CAAC,gBAAgB,CAAC;IAgC5B;;OAEG;IACG,QAAQ,CACZ,YAAY,EAAE,MAAM,EACpB,OAAO,CAAC,EAAE,uBAAuB,GAChC,OAAO,CAAC,MAAM,CAAC;IAKlB;;OAEG;IACG,aAAa,CACjB,YAAY,EAAE,MAAM,EACpB,QAAQ,EAAE,QAAQ,GACjB,OAAO,CAAC,gBAAgB,CAAC;IAI5B;;OAEG;IACG,YAAY,CAAC,YAAY,GAAE,MAAiB,GAAG,OAAO,CAAC,MAAM,CAAC;IAIpE;;OAEG;IACG,eAAe,CAAC,YAAY,GAAE,MAAoB,GAAG,OAAO,CAAC,MAAM,CAAC;IAI1E;;OAEG;IACG,WAAW,CAAC,YAAY,GAAE,MAAgB,GAAG,OAAO,CAAC,MAAM,CAAC;IAIlE;;OAEG;IACG,YAAY,CAChB,YAAY,EAAE,MAAM,EACpB,KAAK,CAAC,EAAE,MAAM,GACb,OAAO,CAAC,SAAS,CAAC;IAwBrB;;OAEG;IACG,aAAa,CAAC,QAAQ,CAAC,EAAE,QAAQ,GAAG,OAAO,CAAC,mBAAmB,EAAE,CAAC;IAmBxE;;OAEG;IACH,UAAU,IAAI,IAAI;IAIlB;;OAEG;cACa,YAAY,CAC1B,YAAY,EAAE,MAAM,EACpB,QAAQ,CAAC,EAAE,QAAQ,GAClB,OAAO,CAAC,QAAQ,CAAC;IAkBpB;;OAEG;IACH,SAAS,CAAC,cAAc,CAAC,SAAS,EAAE,QAAQ,EAAE,GAAG,MAAM,GAAG,IAAI;CAgB/D"}

package/dist/integrations/base.js

@@ -0,0 +1,173 @@
+/**
+ * ID Wispera Base Integration Provider
+ * Common credential access logic shared by all framework integrations
+ */
+import { listPassports } from '../passport.js';
+import { logAction } from '../audit.js';
+/**
+ * Base credential provider that all framework integrations extend.
+ * Handles vault access, caching, audit logging, and credential lookup.
+ */
+export class WisperaCredentialProvider {
+    vault;
+    actor;
+    enableCache;
+    logAccessDefault;
+    cache = new Map();
+    constructor(config) {
+        this.vault = config.vault;
+        this.actor = config.actor ?? 'integration';
+        this.enableCache = config.enableCache ?? true;
+        this.logAccessDefault = config.logAccess ?? true;
+    }
+    /**
+     * Get a credential by passport name
+     */
+    async get(passportName, options) {
+        const cacheKey = `${passportName}:${options?.platform ?? ''}`;
+        if (this.enableCache && this.cache.has(cacheKey)) {
+            return this.cache.get(cacheKey);
+        }
+        const passport = await this.findPassport(passportName, options?.platform);
+        const shouldLog = options?.logAccess ?? this.logAccessDefault;
+        if (shouldLog) {
+            await logAction(this.vault, {
+                passportId: passport.id,
+                action: 'accessed',
+                actor: this.actor,
+                platform: options?.platform ?? this.actor,
+                details: options?.purpose ?? `Credential accessed via ${this.actor} provider`,
+            });
+        }
+        const result = {
+            value: passport.credentialValue,
+            passport,
+        };
+        if (this.enableCache) {
+            this.cache.set(cacheKey, result);
+        }
+        return result;
+    }
+    /**
+     * Get a credential value by passport name (convenience shorthand)
+     */
+    async getValue(passportName, options) {
+        const result = await this.get(passportName, options);
+        return result.value;
+    }
+    /**
+     * Get a credential filtered by platform
+     */
+    async getByPlatform(passportName, platform) {
+        return this.get(passportName, { platform });
+    }
+    /**
+     * Get OpenAI API key
+     */
+    async getOpenAIKey(passportName = 'openai') {
+        return this.getValue(passportName, { platform: 'openai' });
+    }
+    /**
+     * Get Anthropic API key
+     */
+    async getAnthropicKey(passportName = 'anthropic') {
+        return this.getValue(passportName, { platform: 'anthropic' });
+    }
+    /**
+     * Get Azure AI API key
+     */
+    async getAzureKey(passportName = 'azure') {
+        return this.getValue(passportName, { platform: 'azure-ai' });
+    }
+    /**
+     * Get LLM configuration for a credential
+     */
+    async getLLMConfig(passportName, model) {
+        const result = await this.get(passportName);
+        const provider = this.detectProvider(result.passport.platforms);
+        const config = {
+            apiKey: result.value,
+            provider: provider ?? 'custom',
+        };
+        if (model) {
+            config.model = model;
+        }
+        else if (provider === 'openai') {
+            config.model = 'gpt-4';
+        }
+        else if (provider === 'anthropic') {
+            config.model = 'claude-sonnet-4-5-20250514';
+        }
+        else if (provider === 'azure') {
+            config.model = 'gpt-4';
+        }
+        else if (provider === 'google') {
+            config.model = 'gemini-pro';
+        }
+        return config;
+    }
+    /**
+     * List available credentials
+     */
+    async listAvailable(platform) {
+        const passports = await listPassports(this.vault);
+        return passports
+            .filter((p) => {
+            if (p.status !== 'active' && p.status !== 'expiring')
+                return false;
+            if (platform && !p.platforms.includes(platform))
+                return false;
+            return true;
+        })
+            .map((p) => ({
+            name: p.name,
+            id: p.id,
+            credentialType: p.credentialType,
+            platforms: p.platforms,
+            status: p.status,
+            tags: p.tags,
+        }));
+    }
+    /**
+     * Clear the credential cache
+     */
+    clearCache() {
+        this.cache.clear();
+    }
+    /**
+     * Find a passport by name with optional platform filter
+     */
+    async findPassport(passportName, platform) {
+        const passports = await listPassports(this.vault);
+        for (const passport of passports) {
+            if (passport.name === passportName) {
+                if (platform && !passport.platforms.includes(platform)) {
+                    continue;
+                }
+                if (passport.status !== 'active' && passport.status !== 'expiring') {
+                    throw new Error(`Passport '${passportName}' is ${passport.status}`);
+                }
+                return passport;
+            }
+        }
+        throw new Error(`Passport not found: ${passportName}`);
+    }
+    /**
+     * Detect LLM provider from platform list
+     */
+    detectProvider(platforms) {
+        const providerMap = {
+            openai: 'openai',
+            anthropic: 'anthropic',
+            'azure-ai': 'azure',
+            'google-a2a': 'google',
+        };
+        for (const platform of platforms) {
+            if (platform in providerMap) {
+                return providerMap[platform];
+            }
+        }
+        return null;
+    }
+}
+//# sourceMappingURL=base.js.map