@inkeep/agents-core 0.0.0-dev-20250910233133

package/dist/credential-stores/keychain-store.d.ts

@@ -0,0 +1,100 @@
+import type { CredentialStore } from '../types/server';
+/**
+ * KeyChainStore - Cross-platform system keychain credential storage
+ *
+ * Uses the native OS credential storage:
+ * - macOS: Keychain
+ * - Windows: Credential Vault
+ * - Linux: Secret Service API/libsecret
+ *
+ * Requires the 'keytar' npm package to be installed.
+ * Falls back gracefully if keytar is not available.
+ *
+ * ## macOS Permission Handling
+ *
+ * On macOS, when your Node.js app first calls keytar operations:
+ * - `setPassword()` creates a new Keychain item (no prompt required)
+ * - `getPassword()` may prompt the user for permission on first access
+ * - Users can click "Allow", "Always Allow", or "Deny"
+ * - If denied, keytar returns `null` which this implementation handles gracefully
+ * - The calling binary (usually `node`) will be shown in the permission prompt
+ * - For better UX in packaged apps, consider code signing and app bundling
+ *
+ * This implementation handles all permission scenarios gracefully:
+ * - Returns `null` when access is denied or credentials don't exist
+ * - Logs errors for debugging permission issues
+ * - Never throws on permission denial, only on system-level errors
+ */
+export declare class KeyChainStore implements CredentialStore {
+    readonly id: string;
+    readonly type = "keychain";
+    private readonly service;
+    private readonly logger;
+    private keytarAvailable;
+    private keytar;
+    private initializationPromise;
+    constructor(id: string, servicePrefix?: string);
+    /**
+     * Initialize keytar dynamically to handle optional availability
+     */
+    private initializeKeytar;
+    /**
+     * Get a credential from the keychain
+     */
+    get(key: string): Promise<string | null>;
+    /**
+     * Set a credential in the keychain
+     */
+    set(key: string, value: string): Promise<void>;
+    /**
+     * Check if a credential exists in the keychain
+     */
+    has(key: string): Promise<boolean>;
+    /**
+     * Delete a credential from the keychain
+     */
+    delete(key: string): Promise<boolean>;
+    /**
+     * Find all credentials for this service
+     * Useful for debugging and listing stored credentials
+     */
+    findAllCredentials(): Promise<Array<{
+        account: string;
+        password: string;
+    }>>;
+    /**
+     * Clear all credentials for this service
+     * WARNING: This will delete all credentials stored under this service
+     */
+    clearAll(): Promise<number>;
+}
+/**
+ * Factory function to create KeyChainStore
+ * Provides consistent initialization and optional configuration
+ *
+ * ## Usage Recommendations for macOS Permission Handling
+ *
+ * 1. **First-time setup**: Inform users that they may see permission prompts
+ * 2. **Error handling**: Check for `null` returns from `get()` operations
+ * 3. **User guidance**: If credentials can't be retrieved, guide users to:
+ *    - Check Keychain Access app for denied permissions
+ *    - Re-run the application if they accidentally clicked "Deny"
+ * 4. **Development**: Use a consistent `servicePrefix` to avoid permission prompt spam
+ * 5. **Production**: Consider code-signing your distributed app for better permission prompts
+ *
+ * Example usage with permission handling:
+ * ```typescript
+ * const store = createKeyChainStore('my-app');
+ *
+ * // Always check for null when retrieving
+ * const apiKey = await store.get('api-key');
+ * if (!apiKey) {
+ *   console.log('API key not found or access denied');
+ *   // Guide user to check permissions or re-enter credentials
+ * }
+ * ```
+ */
+export declare function createKeyChainStore(id: string, options?: {
+    servicePrefix?: string;
+}): KeyChainStore;
+//# sourceMappingURL=keychain-store.d.ts.map

package/dist/credential-stores/keychain-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"keychain-store.d.ts","sourceRoot":"","sources":["../../src/credential-stores/keychain-store.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAGvD;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,qBAAa,aAAc,YAAW,eAAe;IACnD,SAAgB,EAAE,EAAE,MAAM,CAAC;IAC3B,SAAgB,IAAI,cAAc;IAClC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;IACjC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAA8B;IACrD,OAAO,CAAC,eAAe,CAAS;IAChC,OAAO,CAAC,MAAM,CAAoB;IAClC,OAAO,CAAC,qBAAqB,CAAgB;gBAEjC,EAAE,EAAE,MAAM,EAAE,aAAa,SAA2B;IAOhE;;OAEG;YACW,gBAAgB;IA4B9B;;OAEG;IACG,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAiC9C;;OAEG;IACG,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IA+BpD;;OAEG;IACG,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAKxC;;OAEG;IACG,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAsC3C;;;OAGG;IACG,kBAAkB,IAAI,OAAO,CAAC,KAAK,CAAC;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAuBjF;;;OAGG;IACG,QAAQ,IAAI,OAAO,CAAC,MAAM,CAAC;CAwBlC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,wBAAgB,mBAAmB,CACjC,EAAE,EAAE,MAAM,EACV,OAAO,CAAC,EAAE;IACR,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB,GACA,aAAa,CAEf"}

package/dist/credential-stores/keychain-store.js

@@ -0,0 +1,225 @@
+import { getLogger } from '../utils/logger';
+/**
+ * KeyChainStore - Cross-platform system keychain credential storage
+ *
+ * Uses the native OS credential storage:
+ * - macOS: Keychain
+ * - Windows: Credential Vault
+ * - Linux: Secret Service API/libsecret
+ *
+ * Requires the 'keytar' npm package to be installed.
+ * Falls back gracefully if keytar is not available.
+ *
+ * ## macOS Permission Handling
+ *
+ * On macOS, when your Node.js app first calls keytar operations:
+ * - `setPassword()` creates a new Keychain item (no prompt required)
+ * - `getPassword()` may prompt the user for permission on first access
+ * - Users can click "Allow", "Always Allow", or "Deny"
+ * - If denied, keytar returns `null` which this implementation handles gracefully
+ * - The calling binary (usually `node`) will be shown in the permission prompt
+ * - For better UX in packaged apps, consider code signing and app bundling
+ *
+ * This implementation handles all permission scenarios gracefully:
+ * - Returns `null` when access is denied or credentials don't exist
+ * - Logs errors for debugging permission issues
+ * - Never throws on permission denial, only on system-level errors
+ */
+export class KeyChainStore {
+    id;
+    type = 'keychain';
+    service;
+    logger = getLogger('KeyChainStore');
+    keytarAvailable = false;
+    keytar = null;
+    initializationPromise;
+    constructor(id, servicePrefix = 'inkeep-agent-framework') {
+        this.id = id;
+        // Use service prefix to isolate credentials by store ID
+        this.service = `${servicePrefix}-${id}`;
+        this.initializationPromise = this.initializeKeytar();
+    }
+    /**
+     * Initialize keytar dynamically to handle optional availability
+     */
+    async initializeKeytar() {
+        if (this.keytar) {
+            this.keytarAvailable = true;
+            return;
+        }
+        try {
+            this.keytar = (await import('keytar')).default;
+            this.keytarAvailable = true;
+            this.logger.info({
+                storeId: this.id,
+                service: this.service,
+            }, 'Keytar initialized successfully');
+        }
+        catch (error) {
+            this.logger.warn({
+                storeId: this.id,
+                error: error instanceof Error ? error.message : 'Unknown error',
+            }, 'Keytar not available - KeyChainStore will return null for all operations');
+            this.keytarAvailable = false;
+        }
+    }
+    /**
+     * Get a credential from the keychain
+     */
+    async get(key) {
+        await this.initializationPromise;
+        if (!this.keytarAvailable || !this.keytar) {
+            this.logger.debug({ storeId: this.id, key }, 'Keytar not available, returning null');
+            return null;
+        }
+        try {
+            const password = await this.keytar.getPassword(this.service, key);
+            if (password === null) {
+                this.logger.debug({ storeId: this.id, service: this.service, account: key }, 'No credential found in keychain');
+            }
+            return password;
+        }
+        catch (error) {
+            this.logger.error({
+                storeId: this.id,
+                service: this.service,
+                account: key,
+                error: error instanceof Error ? error.message : 'Unknown error',
+            }, 'Error getting credential from keychain');
+            return null;
+        }
+    }
+    /**
+     * Set a credential in the keychain
+     */
+    async set(key, value) {
+        await this.initializationPromise;
+        if (!this.keytarAvailable || !this.keytar) {
+            this.logger.warn({ storeId: this.id, key }, 'Keytar not available, cannot set credential');
+            throw new Error('Keytar not available - cannot store credentials in system keychain');
+        }
+        try {
+            await this.keytar.setPassword(this.service, key, value);
+            this.logger.debug({ storeId: this.id, service: this.service, account: key }, 'Credential stored in keychain');
+        }
+        catch (error) {
+            this.logger.error({
+                storeId: this.id,
+                service: this.service,
+                account: key,
+                error: error instanceof Error ? error.message : 'Unknown error',
+            }, 'Error setting credential in keychain');
+            throw new Error(`Failed to store credential in keychain: ${error instanceof Error ? error.message : 'Unknown error'}`);
+        }
+    }
+    /**
+     * Check if a credential exists in the keychain
+     */
+    async has(key) {
+        const credential = await this.get(key);
+        return credential !== null;
+    }
+    /**
+     * Delete a credential from the keychain
+     */
+    async delete(key) {
+        await this.initializationPromise;
+        if (!this.keytarAvailable || !this.keytar) {
+            this.logger.warn({ storeId: this.id, key }, 'Keytar not available, cannot delete credential');
+            return false;
+        }
+        try {
+            const result = await this.keytar.deletePassword(this.service, key);
+            if (result) {
+                this.logger.debug({ storeId: this.id, service: this.service, account: key }, 'Credential deleted from keychain');
+            }
+            else {
+                this.logger.debug({ storeId: this.id, service: this.service, account: key }, 'Credential not found in keychain for deletion');
+            }
+            return result;
+        }
+        catch (error) {
+            this.logger.error({
+                storeId: this.id,
+                service: this.service,
+                account: key,
+                error: error instanceof Error ? error.message : 'Unknown error',
+            }, 'Error deleting credential from keychain');
+            return false;
+        }
+    }
+    /**
+     * Find all credentials for this service
+     * Useful for debugging and listing stored credentials
+     */
+    async findAllCredentials() {
+        await this.initializationPromise;
+        if (!this.keytarAvailable || !this.keytar) {
+            return [];
+        }
+        try {
+            const credentials = await this.keytar.findCredentials(this.service);
+            return credentials || [];
+        }
+        catch (error) {
+            this.logger.error({
+                storeId: this.id,
+                service: this.service,
+                error: error instanceof Error ? error.message : 'Unknown error',
+            }, 'Error finding credentials in keychain');
+            return [];
+        }
+    }
+    /**
+     * Clear all credentials for this service
+     * WARNING: This will delete all credentials stored under this service
+     */
+    async clearAll() {
+        const credentials = await this.findAllCredentials();
+        let deletedCount = 0;
+        for (const cred of credentials) {
+            const deleted = await this.delete(cred.account);
+            if (deleted) {
+                deletedCount++;
+            }
+        }
+        if (deletedCount > 0) {
+            this.logger.info({
+                storeId: this.id,
+                service: this.service,
+                deletedCount,
+            }, 'Cleared all credentials from keychain');
+        }
+        return deletedCount;
+    }
+}
+/**
+ * Factory function to create KeyChainStore
+ * Provides consistent initialization and optional configuration
+ *
+ * ## Usage Recommendations for macOS Permission Handling
+ *
+ * 1. **First-time setup**: Inform users that they may see permission prompts
+ * 2. **Error handling**: Check for `null` returns from `get()` operations
+ * 3. **User guidance**: If credentials can't be retrieved, guide users to:
+ *    - Check Keychain Access app for denied permissions
+ *    - Re-run the application if they accidentally clicked "Deny"
+ * 4. **Development**: Use a consistent `servicePrefix` to avoid permission prompt spam
+ * 5. **Production**: Consider code-signing your distributed app for better permission prompts
+ *
+ * Example usage with permission handling:
+ * ```typescript
+ * const store = createKeyChainStore('my-app');
+ *
+ * // Always check for null when retrieving
+ * const apiKey = await store.get('api-key');
+ * if (!apiKey) {
+ *   console.log('API key not found or access denied');
+ *   // Guide user to check permissions or re-enter credentials
+ * }
+ * ```
+ */
+export function createKeyChainStore(id, options) {
+    return new KeyChainStore(id, options?.servicePrefix);
+}
+//# sourceMappingURL=keychain-store.js.map

package/dist/credential-stores/keychain-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"keychain-store.js","sourceRoot":"","sources":["../../src/credential-stores/keychain-store.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAE5C;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,MAAM,OAAO,aAAa;IACR,EAAE,CAAS;IACX,IAAI,GAAG,UAAU,CAAC;IACjB,OAAO,CAAS;IAChB,MAAM,GAAG,SAAS,CAAC,eAAe,CAAC,CAAC;IAC7C,eAAe,GAAG,KAAK,CAAC;IACxB,MAAM,GAAe,IAAI,CAAC;IAC1B,qBAAqB,CAAgB;IAE7C,YAAY,EAAU,EAAE,aAAa,GAAG,wBAAwB;QAC9D,IAAI,CAAC,EAAE,GAAG,EAAE,CAAC;QACb,wDAAwD;QACxD,IAAI,CAAC,OAAO,GAAG,GAAG,aAAa,IAAI,EAAE,EAAE,CAAC;QACxC,IAAI,CAAC,qBAAqB,GAAG,IAAI,CAAC,gBAAgB,EAAE,CAAC;IACvD,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,gBAAgB;QAC5B,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChB,IAAI,CAAC,eAAe,GAAG,IAAI,CAAC;YAC5B,OAAO;QACT,CAAC;QAED,IAAI,CAAC;YACH,IAAI,CAAC,MAAM,GAAG,CAAC,MAAM,MAAM,CAAC,QAAe,CAAC,CAAC,CAAC,OAAO,CAAC;YACtD,IAAI,CAAC,eAAe,GAAG,IAAI,CAAC;YAC5B,IAAI,CAAC,MAAM,CAAC,IAAI,CACd;gBACE,OAAO,EAAE,IAAI,CAAC,EAAE;gBAChB,OAAO,EAAE,IAAI,CAAC,OAAO;aACtB,EACD,iCAAiC,CAClC,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,MAAM,CAAC,IAAI,CACd;gBACE,OAAO,EAAE,IAAI,CAAC,EAAE;gBAChB,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe;aAChE,EACD,0EAA0E,CAC3E,CAAC;YACF,IAAI,CAAC,eAAe,GAAG,KAAK,CAAC;QAC/B,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,GAAG,CAAC,GAAW;QACnB,MAAM,IAAI,CAAC,qBAAqB,CAAC;QAEjC,IAAI,CAAC,IAAI,CAAC,eAAe,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;YAC1C,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,EAAE,GAAG,EAAE,EAAE,sCAAsC,CAAC,CAAC;YACrF,OAAO,IAAI,CAAC;QACd,CAAC;QAED,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;YAElE,IAAI,QAAQ,KAAK,IAAI,EAAE,CAAC;gBACtB,IAAI,CAAC,MAAM,CAAC,KAAK,CACf,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,EACzD,iCAAiC,CAClC,CAAC;YACJ,CAAC;YAED,OAAO,QAAQ,CAAC;QAClB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,MAAM,CAAC,KAAK,CACf;gBACE,OAAO,EAAE,IAAI,CAAC,EAAE;gBAChB,OAAO,EAAE,IAAI,CAAC,OAAO;gBACrB,OAAO,EAAE,GAAG;gBACZ,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe;aAChE,EACD,wCAAwC,CACzC,CAAC;YACF,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,GAAG,CAAC,GAAW,EAAE,KAAa;QAClC,MAAM,IAAI,CAAC,qBAAqB,CAAC;QAEjC,IAAI,CAAC,IAAI,CAAC,eAAe,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;YAC1C,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,EAAE,GAAG,EAAE,EAAE,6CAA6C,CAAC,CAAC;YAC3F,MAAM,IAAI,KAAK,CAAC,oEAAoE,CAAC,CAAC;QACxF,CAAC;QAED,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC;YAExD,IAAI,CAAC,MAAM,CAAC,KAAK,CACf,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,EACzD,+BAA+B,CAChC,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,MAAM,CAAC,KAAK,CACf;gBACE,OAAO,EAAE,IAAI,CAAC,EAAE;gBAChB,OAAO,EAAE,IAAI,CAAC,OAAO;gBACrB,OAAO,EAAE,GAAG;gBACZ,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe;aAChE,EACD,sCAAsC,CACvC,CAAC;YACF,MAAM,IAAI,KAAK,CACb,2CAA2C,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,EAAE,CACtG,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,GAAG,CAAC,GAAW;QACnB,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACvC,OAAO,UAAU,KAAK,IAAI,CAAC;IAC7B,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,MAAM,CAAC,GAAW;QACtB,MAAM,IAAI,CAAC,qBAAqB,CAAC;QAEjC,IAAI,CAAC,IAAI,CAAC,eAAe,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;YAC1C,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,EAAE,GAAG,EAAE,EAAE,gDAAgD,CAAC,CAAC;YAC9F,OAAO,KAAK,CAAC;QACf,CAAC;QAED,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;YAEnE,IAAI,MAAM,EAAE,CAAC;gBACX,IAAI,CAAC,MAAM,CAAC,KAAK,CACf,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,EACzD,kCAAkC,CACnC,CAAC;YACJ,CAAC;iBAAM,CAAC;gBACN,IAAI,CAAC,MAAM,CAAC,KAAK,CACf,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,EACzD,+CAA+C,CAChD,CAAC;YACJ,CAAC;YAED,OAAO,MAAM,CAAC;QAChB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,MAAM,CAAC,KAAK,CACf;gBACE,OAAO,EAAE,IAAI,CAAC,EAAE;gBAChB,OAAO,EAAE,IAAI,CAAC,OAAO;gBACrB,OAAO,EAAE,GAAG;gBACZ,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe;aAChE,EACD,yCAAyC,CAC1C,CAAC;YACF,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,kBAAkB;QACtB,MAAM,IAAI,CAAC,qBAAqB,CAAC;QAEjC,IAAI,CAAC,IAAI,CAAC,eAAe,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;YAC1C,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,IAAI,CAAC;YACH,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YACpE,OAAO,WAAW,IAAI,EAAE,CAAC;QAC3B,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,MAAM,CAAC,KAAK,CACf;gBACE,OAAO,EAAE,IAAI,CAAC,EAAE;gBAChB,OAAO,EAAE,IAAI,CAAC,OAAO;gBACrB,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe;aAChE,EACD,uCAAuC,CACxC,CAAC;YACF,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,QAAQ;QACZ,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,kBAAkB,EAAE,CAAC;QACpD,IAAI,YAAY,GAAG,CAAC,CAAC;QAErB,KAAK,MAAM,IAAI,IAAI,WAAW,EAAE,CAAC;YAC/B,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAChD,IAAI,OAAO,EAAE,CAAC;gBACZ,YAAY,EAAE,CAAC;YACjB,CAAC;QACH,CAAC;QAED,IAAI,YAAY,GAAG,CAAC,EAAE,CAAC;YACrB,IAAI,CAAC,MAAM,CAAC,IAAI,CACd;gBACE,OAAO,EAAE,IAAI,CAAC,EAAE;gBAChB,OAAO,EAAE,IAAI,CAAC,OAAO;gBACrB,YAAY;aACb,EACD,uCAAuC,CACxC,CAAC;QACJ,CAAC;QAED,OAAO,YAAY,CAAC;IACtB,CAAC;CACF;AAED;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,MAAM,UAAU,mBAAmB,CACjC,EAAU,EACV,OAEC;IAED,OAAO,IAAI,aAAa,CAAC,EAAE,EAAE,OAAO,EAAE,aAAa,CAAC,CAAC;AACvD,CAAC"}

package/dist/credential-stores/memory-store.d.ts

@@ -0,0 +1,39 @@
+import type { CredentialStore } from '../types/server';
+/**
+ * In-memory credential store implementation
+ * Automatically loads environment variables prefixed with CREDENTIAL_STORE_ on initialization
+ * Note: Runtime credentials are lost when the server restarts, but env vars are reloaded
+ */
+export declare class InMemoryCredentialStore implements CredentialStore {
+    readonly id: string;
+    readonly type = "memory";
+    private credentials;
+    constructor(id?: string);
+    /**
+     * Get a credential from the in memory store.
+     * If the key is not found in the in memory store then it is loaded from environment variables.
+     * If the key is not found in the environment variables or in the in memory store then returns null.
+     * @param key - The key of the credential to get
+     * @returns The credential value or null if not found
+     */
+    get(key: string): Promise<string | null>;
+    /**
+     * Set a credential in the in memory store.
+     * @param key - The key of the credential to set
+     * @param value - The value of the credential to set
+     */
+    set(key: string, value: string): Promise<void>;
+    /**
+     * Check if a credential exists in the in memory store.
+     * @param key - The key of the credential to check
+     * @returns True if the credential exists, false otherwise
+     */
+    has(key: string): Promise<boolean>;
+    /**
+     * Delete a credential from the in memory store.
+     * @param key - The key of the credential to delete
+     * @returns True if the credential was deleted, false otherwise
+     */
+    delete(key: string): Promise<boolean>;
+}
+//# sourceMappingURL=memory-store.d.ts.map

package/dist/credential-stores/memory-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"memory-store.d.ts","sourceRoot":"","sources":["../../src/credential-stores/memory-store.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAEvD;;;;GAIG;AACH,qBAAa,uBAAwB,YAAW,eAAe;IAC7D,SAAgB,EAAE,EAAE,MAAM,CAAC;IAC3B,SAAgB,IAAI,YAAY;IAChC,OAAO,CAAC,WAAW,CAA6B;gBAEpC,EAAE,SAAmB;IAIjC;;;;;;OAMG;IACG,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAgB9C;;;;OAIG;IACG,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAIpD;;;;OAIG;IACG,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAIxC;;;;OAIG;IACG,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;CAG5C"}

package/dist/credential-stores/memory-store.js

@@ -0,0 +1,58 @@
+/**
+ * In-memory credential store implementation
+ * Automatically loads environment variables prefixed with CREDENTIAL_STORE_ on initialization
+ * Note: Runtime credentials are lost when the server restarts, but env vars are reloaded
+ */
+export class InMemoryCredentialStore {
+    id;
+    type = 'memory';
+    credentials = new Map();
+    constructor(id = 'memory-default') {
+        this.id = id;
+    }
+    /**
+     * Get a credential from the in memory store.
+     * If the key is not found in the in memory store then it is loaded from environment variables.
+     * If the key is not found in the environment variables or in the in memory store then returns null.
+     * @param key - The key of the credential to get
+     * @returns The credential value or null if not found
+     */
+    async get(key) {
+        const credential = this.credentials.get(key);
+        if (!credential) {
+            // Try loading from environment variables
+            const envValue = process.env[key];
+            if (envValue) {
+                this.credentials.set(key, envValue);
+                return envValue;
+            }
+            return null;
+        }
+        return credential;
+    }
+    /**
+     * Set a credential in the in memory store.
+     * @param key - The key of the credential to set
+     * @param value - The value of the credential to set
+     */
+    async set(key, value) {
+        this.credentials.set(key, value);
+    }
+    /**
+     * Check if a credential exists in the in memory store.
+     * @param key - The key of the credential to check
+     * @returns True if the credential exists, false otherwise
+     */
+    async has(key) {
+        return this.credentials.has(key);
+    }
+    /**
+     * Delete a credential from the in memory store.
+     * @param key - The key of the credential to delete
+     * @returns True if the credential was deleted, false otherwise
+     */
+    async delete(key) {
+        return this.credentials.delete(key);
+    }
+}
+//# sourceMappingURL=memory-store.js.map

package/dist/credential-stores/memory-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"memory-store.js","sourceRoot":"","sources":["../../src/credential-stores/memory-store.ts"],"names":[],"mappings":"AAEA;;;;GAIG;AACH,MAAM,OAAO,uBAAuB;IAClB,EAAE,CAAS;IACX,IAAI,GAAG,QAAQ,CAAC;IACxB,WAAW,GAAG,IAAI,GAAG,EAAkB,CAAC;IAEhD,YAAY,EAAE,GAAG,gBAAgB;QAC/B,IAAI,CAAC,EAAE,GAAG,EAAE,CAAC;IACf,CAAC;IAED;;;;;;OAMG;IACH,KAAK,CAAC,GAAG,CAAC,GAAW;QACnB,MAAM,UAAU,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAE7C,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,yCAAyC;YACzC,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YAClC,IAAI,QAAQ,EAAE,CAAC;gBACb,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;gBACpC,OAAO,QAAQ,CAAC;YAClB,CAAC;YACD,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,UAAU,CAAC;IACpB,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,GAAG,CAAC,GAAW,EAAE,KAAa;QAClC,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;IACnC,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,GAAG,CAAC,GAAW;QACnB,OAAO,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IACnC,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,MAAM,CAAC,GAAW;QACtB,OAAO,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IACtC,CAAC;CACF"}

package/dist/credential-stores/nango-store.d.ts

@@ -0,0 +1,59 @@
+import type { CredentialStore } from '../types/server';
+export interface NangoConfig {
+    secretKey: string;
+    apiUrl?: string;
+}
+/**
+ * Nango-specific credential data with additional properties
+ */
+export interface NangoCredentialData {
+    connectionId: string;
+    providerConfigKey: string;
+    secretKey: string;
+    provider: string;
+    token?: string;
+    metadata?: Record<string, any>;
+}
+/**
+ * Nango-based CredentialStore that fetches OAuth credentials from Nango API
+ * Uses connectionId and providerConfigKey from metadata to fetch live credentials
+ */
+export declare class NangoCredentialStore implements CredentialStore {
+    readonly id: string;
+    readonly type = "nango";
+    private nangoConfig;
+    private nangoClient;
+    constructor(id: string, config: NangoConfig);
+    private getAccessToken;
+    private sanitizeMetadata;
+    /**
+     * Fetch credentials from Nango API using connection information
+     * @param connectionId - The connection ID for the Nango connection
+     * @param providerConfigKey - The provider config key for the Nango connection
+     * @returns The credential data or null if the credentials are not found
+     */
+    private fetchCredentialsFromNango;
+    /**
+     * Get credentials by key - implements CredentialStore interface
+     * Key format: JSON string with connectionId and providerConfigKey
+     */
+    get(key: string): Promise<string | null>;
+    /**
+     * Set credentials - not supported for Nango (OAuth flow handles this)
+     */
+    set(_key: string, _value: string): Promise<void>;
+    /**
+     * Check if credentials exist by attempting to fetch them
+     */
+    has(key: string): Promise<boolean>;
+    /**
+     * Delete credentials - not supported for Nango (revoke through Nango dashboard)
+     */
+    delete(key: string): Promise<boolean>;
+}
+/**
+ * Factory function to create NangoCredentialStore
+ * Automatically reads NANGO_SECRET_KEY from environment and validates it
+ */
+export declare function createNangoCredentialStore(id: string, config?: Partial<NangoConfig>): NangoCredentialStore;
+//# sourceMappingURL=nango-store.d.ts.map

package/dist/credential-stores/nango-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"nango-store.d.ts","sourceRoot":"","sources":["../../src/credential-stores/nango-store.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAWvD,MAAM,WAAW,WAAW;IAC1B,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,YAAY,EAAE,MAAM,CAAC;IACrB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;CAChC;AAqBD;;;GAGG;AACH,qBAAa,oBAAqB,YAAW,eAAe;IAC1D,SAAgB,EAAE,EAAE,MAAM,CAAC;IAC3B,SAAgB,IAAI,WAAW;IAC/B,OAAO,CAAC,WAAW,CAAc;IACjC,OAAO,CAAC,WAAW,CAAQ;gBAEf,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE,WAAW;IAS3C,OAAO,CAAC,cAAc;IAsDtB,OAAO,CAAC,gBAAgB;IAYxB;;;;;OAKG;YACW,yBAAyB;IAoCvC;;;OAGG;IACG,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAuD9C;;OAEG;IACG,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAItD;;OAEG;IACG,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAgBxC;;OAEG;IACG,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;CAgD5C;AAED;;;GAGG;AACH,wBAAgB,0BAA0B,CACxC,EAAE,EAAE,MAAM,EACV,MAAM,CAAC,EAAE,OAAO,CAAC,WAAW,CAAC,GAC5B,oBAAoB,CAkBtB"}