@matimo/core 0.1.0-alpha.9 → 0.1.0

package/dist/mcp/secrets/resolver-chain.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"resolver-chain.js","sourceRoot":"","sources":["../../../src/mcp/secrets/resolver-chain.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAC;AACnD,OAAO,EAAE,oBAAoB,EAAE,MAAM,mBAAmB,CAAC;AACzD,OAAO,EAAE,mBAAmB,EAAE,MAAM,kBAAkB,CAAC;AACvD,OAAO,EAAE,yBAAyB,EAAE,MAAM,gBAAgB,CAAC;AAC3D,OAAO,EAAE,qBAAqB,EAAE,MAAM,eAAe,CAAC;AAEtD;;GAEG;AACH,SAAS,cAAc,CAAC,MAA4B;IAClD,QAAQ,MAAM,CAAC,IAAI,EAAE,CAAC;QACpB,KAAK,KAAK;YACR,OAAO,IAAI,iBAAiB,EAAE,CAAC;QACjC,KAAK,QAAQ;YACX,OAAO,IAAI,oBAAoB,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QAC/C,KAAK,OAAO;YACV,OAAO,IAAI,mBAAmB,CAAC;gBAC7B,IAAI,EAAE,MAAM,CAAC,IAAI;gBACjB,KAAK,EAAE,MAAM,CAAC,KAAK;gBACnB,UAAU,EAAE,MAAM,CAAC,UAAU;gBAC7B,SAAS,EAAE,MAAM,CAAC,SAAS;gBAC3B,UAAU,EAAE,MAAM,CAAC,UAAU;aAC9B,CAAC,CAAC;QACL,KAAK,KAAK;YACR,OAAO,IAAI,yBAAyB,CAAC;gBACnC,MAAM,EAAE,MAAM,CAAC,MAAM;gBACrB,QAAQ,EAAE,MAAM,CAAC,QAAQ;gBACzB,UAAU,EAAE,MAAM,CAAC,UAAU;aAC9B,CAAC,CAAC;QACL;YACE,MAAM,IAAI,KAAK,CAAC,iCAAkC,MAAkC,CAAC,IAAI,EAAE,CAAC,CAAC;IACjG,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,OAAO,mBAAmB;IAI9B,YAAY,SAA2B;QAH9B,SAAI,GAAG,OAAO,CAAC;QAItB,IAAI,CAAC,SAAS,GAAG,SAAS,CAAC;IAC7B,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,GAAW;QACvB,KAAK,MAAM,QAAQ,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;YACtC,IAAI,CAAC;gBACH,MAAM,KAAK,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;gBAC1C,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;oBACxB,OAAO,KAAK,CAAC;gBACf,CAAC;YACH,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,MAAM,MAAM,GAAG,qBAAqB,EAAE,CAAC;gBACvC,MAAM,CAAC,IAAI,CAAC,oBAAoB,QAAQ,CAAC,IAAI,qBAAqB,GAAG,GAAG,EAAE;oBACxE,QAAQ,EAAE,QAAQ,CAAC,IAAI;oBACvB,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;iBAC9D,CAAC,CAAC;gBACH,4BAA4B;YAC9B,CAAC;QACH,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,IAAc;QAC7B,MAAM,MAAM,GAA2B,EAAE,CAAC;QAC1C,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,CAAC;QAEhC,KAAK,MAAM,QAAQ,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;YACtC,IAAI,SAAS,CAAC,IAAI,KAAK,CAAC;gBAAE,MAAM;YAEhC,IAAI,CAAC;gBACH,MAAM,QAAQ,GAAG,MAAM,QAAQ,CAAC,UAAU,CAAC,CAAC,GAAG,SAAS,CAAC,CAAC,CAAC;gBAC3D,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;oBACpD,IAAI,CAAC,CAAC,GAAG,IAAI,MAAM,CAAC,EAAE,CAAC;wBACrB,MAAM,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;wBACpB,SAAS,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;oBACxB,CAAC;gBACH,CAAC;YACH,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,MAAM,MAAM,GAAG,qBAAqB,EAAE,CAAC;gBACvC,MAAM,CAAC,IAAI,CAAC,oBAAoB,QAAQ,CAAC,IAAI,yBAAyB,EAAE;oBACtE,QAAQ,EAAE,QAAQ,CAAC,IAAI;oBACvB,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;iBAC9D,CAAC,CAAC;gBACH,4BAA4B;YAC9B,CAAC;QACH,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,KAAK,CAAC,OAAO;QACX,KAAK,MAAM,QAAQ,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;YACtC,IAAI,QAAQ,CAAC,OAAO,EAAE,CAAC;gBACrB,MAAM,QAAQ,CAAC,OAAO,EAAE,CAAC;YAC3B,CAAC;QACH,CAAC;IACH,CAAC;IAED,qEAAqE;IACrE,YAAY;QACV,OAAO,IAAI,CAAC,SAAS,CAAC;IACxB,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,cAAc;QAClB,MAAM,MAAM,GAAG,qBAAqB,EAAE,CAAC;QACvC,IAAI,MAAM,GAAG,CAAC,CAAC;QAEf,KAAK,MAAM,QAAQ,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;YAGtC,IACE,eAAe,IAAI,QAAQ;gBAC3B,OAAQ,QAA8B,CAAC,aAAa,KAAK,UAAU,EACnE,CAAC;gBACD,MAAM,OAAO,GAAI,QAA8B,CAAC,aAAa,EAAE,CAAC;gBAChE,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;oBACnD,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;wBACtB,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;wBACzB,MAAM,EAAE,CAAC;oBACX,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,IAAI,MAAM,GAAG,CAAC,EAAE,CAAC;YACf,MAAM,CAAC,IAAI,CAAC,UAAU,MAAM,0BAA0B,CAAC,CAAC;QAC1D,CAAC;IACH,CAAC;CACF;AAED;;;GAGG;AACH,MAAM,UAAU,mBAAmB,CAAC,MAAkC;IACpE,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,SAAS,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC7C,OAAO,IAAI,mBAAmB,CAAC,CAAC,IAAI,iBAAiB,EAAE,CAAC,CAAC,CAAC;IAC5D,CAAC;IAED,MAAM,SAAS,GAAG,MAAM,CAAC,SAAS,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;IACvD,OAAO,IAAI,mBAAmB,CAAC,SAAS,CAAC,CAAC;AAC5C,CAAC"}

package/dist/mcp/secrets/types.d.ts

@@ -0,0 +1,73 @@
+/**
+ * Secret Resolver Types for Matimo MCP Server
+ *
+ * Defines the interface that all secret resolvers implement.
+ * Env vars are the default; enterprise teams can plug in Vault, AWS SM, etc.
+ */
+/**
+ * Interface for resolving secrets from any backend.
+ *
+ * Implementations should be stateless per-call (caching is allowed internally).
+ * resolve() returns undefined for missing keys — the chain tries the next resolver.
+ */
+export interface SecretResolver {
+    /** Human-readable name for logging (e.g., 'env', 'vault', 'aws-sm') */
+    readonly name: string;
+    /**
+     * Resolve a single secret by key.
+     * @returns The secret value, or undefined if not found in this resolver.
+     */
+    resolve(key: string): Promise<string | undefined>;
+    /**
+     * Resolve multiple secrets at once.
+     * Default implementation calls resolve() for each key.
+     * Backends with batch APIs should override for efficiency.
+     */
+    resolveAll(keys: string[]): Promise<Record<string, string>>;
+    /**
+     * Optional cleanup (close connections, flush caches).
+     * Called when the MCP server shuts down.
+     */
+    dispose?(): Promise<void>;
+}
+export interface EnvResolverConfig {
+    type: 'env';
+}
+export interface DotenvResolverConfig {
+    type: 'dotenv';
+    /** Path to .env file. Defaults to `process.cwd()/.env` */
+    path?: string;
+}
+export interface VaultResolverConfig {
+    type: 'vault';
+    /** Vault server URL. Falls back to VAULT_ADDR env var. */
+    addr?: string;
+    /** Vault authentication token. Falls back to VAULT_TOKEN env var. */
+    token?: string;
+    /** KV v2 secret path. Default: 'secret/data/matimo' */
+    secretPath?: string;
+    /** Vault namespace (enterprise). Falls back to VAULT_NAMESPACE env var. */
+    namespace?: string;
+    /** TTL for cached secrets in ms. Default: 300_000 (5 min) */
+    cacheTtlMs?: number;
+}
+export interface AwsSecretsManagerResolverConfig {
+    type: 'aws';
+    /** AWS region. Falls back to AWS_REGION env var. Default: 'us-east-1' */
+    region?: string;
+    /** Secrets Manager secret ID. Default: 'matimo/credentials' */
+    secretId?: string;
+    /** TTL for cached secrets in ms. Default: 300_000 (5 min) */
+    cacheTtlMs?: number;
+}
+/** Union of all resolver configs */
+export type SecretResolverConfig = EnvResolverConfig | DotenvResolverConfig | VaultResolverConfig | AwsSecretsManagerResolverConfig;
+/**
+ * Configuration for the resolver chain.
+ * Resolvers are tried in order; first non-undefined value wins per key.
+ */
+export interface SecretResolverChainConfig {
+    /** Ordered list of resolvers to try. Default: [{ type: 'env' }] */
+    resolvers: SecretResolverConfig[];
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/mcp/secrets/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/mcp/secrets/types.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH;;;;;GAKG;AACH,MAAM,WAAW,cAAc;IAC7B,uEAAuE;IACvE,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IAEtB;;;OAGG;IACH,OAAO,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC,CAAC;IAElD;;;;OAIG;IACH,UAAU,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;IAE5D;;;OAGG;IACH,OAAO,CAAC,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;CAC3B;AAID,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE,KAAK,CAAC;CACb;AAED,MAAM,WAAW,oBAAoB;IACnC,IAAI,EAAE,QAAQ,CAAC;IACf,0DAA0D;IAC1D,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,mBAAmB;IAClC,IAAI,EAAE,OAAO,CAAC;IACd,0DAA0D;IAC1D,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,qEAAqE;IACrE,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,uDAAuD;IACvD,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,2EAA2E;IAC3E,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,6DAA6D;IAC7D,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,+BAA+B;IAC9C,IAAI,EAAE,KAAK,CAAC;IACZ,yEAAyE;IACzE,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,+DAA+D;IAC/D,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,6DAA6D;IAC7D,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,oCAAoC;AACpC,MAAM,MAAM,oBAAoB,GAC5B,iBAAiB,GACjB,oBAAoB,GACpB,mBAAmB,GACnB,+BAA+B,CAAC;AAEpC;;;GAGG;AACH,MAAM,WAAW,yBAAyB;IACxC,mEAAmE;IACnE,SAAS,EAAE,oBAAoB,EAAE,CAAC;CACnC"}

package/dist/mcp/secrets/types.js

@@ -0,0 +1,8 @@
+/**
+ * Secret Resolver Types for Matimo MCP Server
+ *
+ * Defines the interface that all secret resolvers implement.
+ * Env vars are the default; enterprise teams can plug in Vault, AWS SM, etc.
+ */
+export {};
+//# sourceMappingURL=types.js.map

package/dist/mcp/secrets/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../../src/mcp/secrets/types.ts"],"names":[],"mappings":"AAAA;;;;;GAKG"}

package/dist/mcp/secrets/vault-resolver.d.ts

@@ -0,0 +1,43 @@
+/**
+ * HashiCorp Vault Secret Resolver
+ *
+ * Reads secrets from Vault KV v2 engine.
+ * Lazy-imports node-vault — optional peer dependency.
+ * Implements TTL-based caching to support rotation without process restart.
+ *
+ * Required peer dep: node-vault >= 0.10.0
+ * Install: pnpm add node-vault
+ */
+import type { SecretResolver } from './types';
+export interface VaultResolverOptions {
+    addr?: string;
+    token?: string;
+    secretPath?: string;
+    namespace?: string;
+    cacheTtlMs?: number;
+}
+export declare class VaultSecretResolver implements SecretResolver {
+    readonly name = "vault";
+    private client;
+    private readonly addr;
+    private readonly token;
+    private readonly secretPath;
+    private readonly namespace?;
+    private readonly cacheTtlMs;
+    private cache;
+    private cacheTimestamp;
+    constructor(options?: VaultResolverOptions);
+    /**
+     * Lazy-import node-vault and create client.
+     * Throws a clear error if the package is not installed.
+     */
+    private getClient;
+    /**
+     * Fetch all secrets from Vault and cache them.
+     */
+    private fetchSecrets;
+    resolve(key: string): Promise<string | undefined>;
+    resolveAll(keys: string[]): Promise<Record<string, string>>;
+    dispose(): Promise<void>;
+}
+//# sourceMappingURL=vault-resolver.d.ts.map

package/dist/mcp/secrets/vault-resolver.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"vault-resolver.d.ts","sourceRoot":"","sources":["../../../src/mcp/secrets/vault-resolver.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAa9C,MAAM,WAAW,oBAAoB;IACnC,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,qBAAa,mBAAoB,YAAW,cAAc;IACxD,QAAQ,CAAC,IAAI,WAAW;IAExB,OAAO,CAAC,MAAM,CAA4B;IAC1C,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAS;IAC9B,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAS;IAC/B,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAS;IACpC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAS;IACpC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAS;IAEpC,OAAO,CAAC,KAAK,CAAuC;IACpD,OAAO,CAAC,cAAc,CAAK;gBAEf,OAAO,GAAE,oBAAyB;IAQ9C;;;OAGG;YACW,SAAS;IAwCvB;;OAEG;YACW,YAAY;IAkDpB,OAAO,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC;IAKjD,UAAU,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAW3D,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;CAK/B"}

package/dist/mcp/secrets/vault-resolver.js

@@ -0,0 +1,127 @@
+/**
+ * HashiCorp Vault Secret Resolver
+ *
+ * Reads secrets from Vault KV v2 engine.
+ * Lazy-imports node-vault — optional peer dependency.
+ * Implements TTL-based caching to support rotation without process restart.
+ *
+ * Required peer dep: node-vault >= 0.10.0
+ * Install: pnpm add node-vault
+ */
+import { MatimoError, ErrorCode } from '../../errors/matimo-error';
+import { getGlobalMatimoLogger } from '../../logging';
+/** Default cache TTL: 5 minutes */
+const DEFAULT_CACHE_TTL_MS = 300000;
+/** Default KV v2 secret path */
+const DEFAULT_SECRET_PATH = 'secret/data/matimo';
+export class VaultSecretResolver {
+    constructor(options = {}) {
+        this.name = 'vault';
+        this.client = null;
+        this.cache = null;
+        this.cacheTimestamp = 0;
+        this.addr = options.addr ?? process.env.VAULT_ADDR ?? 'http://127.0.0.1:8200';
+        this.token = options.token ?? process.env.VAULT_TOKEN ?? '';
+        this.secretPath = options.secretPath ?? DEFAULT_SECRET_PATH;
+        this.namespace = options.namespace ?? process.env.VAULT_NAMESPACE;
+        this.cacheTtlMs = options.cacheTtlMs ?? DEFAULT_CACHE_TTL_MS;
+    }
+    /**
+     * Lazy-import node-vault and create client.
+     * Throws a clear error if the package is not installed.
+     */
+    async getClient() {
+        if (this.client) {
+            return this.client;
+        }
+        try {
+            // Dynamic import — only loaded when Vault resolver is actually used
+            // @ts-ignore — optional peer dependency, may not be installed
+            const vaultModule = await import('node-vault');
+            const vaultFactory = vaultModule.default ?? vaultModule;
+            const clientOptions = {
+                apiVersion: 'v1',
+                endpoint: this.addr,
+                token: this.token,
+            };
+            if (this.namespace) {
+                clientOptions.namespace = this.namespace;
+            }
+            this.client = vaultFactory(clientOptions);
+            return this.client;
+        }
+        catch (error) {
+            if (error instanceof Error &&
+                (error.message.includes('Cannot find module') ||
+                    error.message.includes('MODULE_NOT_FOUND') ||
+                    error.message.includes('ERR_MODULE_NOT_FOUND'))) {
+                throw new MatimoError('node-vault package is required for Vault secret resolution. Install: pnpm add node-vault', ErrorCode.AUTH_FAILED, { resolver: this.name });
+            }
+            throw error;
+        }
+    }
+    /**
+     * Fetch all secrets from Vault and cache them.
+     */
+    async fetchSecrets() {
+        const now = Date.now();
+        // Return cache if still valid
+        if (this.cache && now - this.cacheTimestamp < this.cacheTtlMs) {
+            return this.cache;
+        }
+        const logger = getGlobalMatimoLogger();
+        logger.debug('Fetching secrets from Vault', {
+            resolver: this.name,
+            path: this.secretPath,
+            addr: this.addr,
+        });
+        try {
+            const client = await this.getClient();
+            const result = await client.read(this.secretPath);
+            // KV v2 returns data.data (first data is metadata wrapper)
+            this.cache = result.data.data;
+            this.cacheTimestamp = now;
+            logger.debug('Vault secrets loaded', {
+                resolver: this.name,
+                keyCount: Object.keys(this.cache).length,
+            });
+            return this.cache;
+        }
+        catch (error) {
+            // If it's our own MatimoError (missing package), re-throw
+            if (error instanceof MatimoError) {
+                throw error;
+            }
+            logger.warn('Vault resolver unreachable — falling back to next resolver', {
+                resolver: this.name,
+                error: error instanceof Error ? error.message : String(error),
+            });
+            // Return stale cache if available, otherwise empty
+            if (this.cache) {
+                logger.warn('Using stale Vault cache', { resolver: this.name });
+                return this.cache;
+            }
+            return {};
+        }
+    }
+    async resolve(key) {
+        const secrets = await this.fetchSecrets();
+        return secrets[key];
+    }
+    async resolveAll(keys) {
+        const secrets = await this.fetchSecrets();
+        const result = {};
+        for (const key of keys) {
+            if (key in secrets) {
+                result[key] = secrets[key];
+            }
+        }
+        return result;
+    }
+    async dispose() {
+        this.cache = null;
+        this.cacheTimestamp = 0;
+        this.client = null;
+    }
+}
+//# sourceMappingURL=vault-resolver.js.map

package/dist/mcp/secrets/vault-resolver.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"vault-resolver.js","sourceRoot":"","sources":["../../../src/mcp/secrets/vault-resolver.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAGH,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AACnE,OAAO,EAAE,qBAAqB,EAAE,MAAM,eAAe,CAAC;AAEtD,mCAAmC;AACnC,MAAM,oBAAoB,GAAG,MAAO,CAAC;AACrC,gCAAgC;AAChC,MAAM,mBAAmB,GAAG,oBAAoB,CAAC;AAcjD,MAAM,OAAO,mBAAmB;IAa9B,YAAY,UAAgC,EAAE;QAZrC,SAAI,GAAG,OAAO,CAAC;QAEhB,WAAM,GAAuB,IAAI,CAAC;QAOlC,UAAK,GAAkC,IAAI,CAAC;QAC5C,mBAAc,GAAG,CAAC,CAAC;QAGzB,IAAI,CAAC,IAAI,GAAG,OAAO,CAAC,IAAI,IAAI,OAAO,CAAC,GAAG,CAAC,UAAU,IAAI,uBAAuB,CAAC;QAC9E,IAAI,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,IAAI,OAAO,CAAC,GAAG,CAAC,WAAW,IAAI,EAAE,CAAC;QAC5D,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,mBAAmB,CAAC;QAC5D,IAAI,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;QAClE,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,oBAAoB,CAAC;IAC/D,CAAC;IAED;;;OAGG;IACK,KAAK,CAAC,SAAS;QACrB,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChB,OAAO,IAAI,CAAC,MAAM,CAAC;QACrB,CAAC;QAED,IAAI,CAAC;YACH,oEAAoE;YACpE,8DAA8D;YAC9D,MAAM,WAAW,GAAG,MAAM,MAAM,CAAC,YAAY,CAAC,CAAC;YAC/C,MAAM,YAAY,GAAG,WAAW,CAAC,OAAO,IAAI,WAAW,CAAC;YAExD,MAAM,aAAa,GAA4B;gBAC7C,UAAU,EAAE,IAAI;gBAChB,QAAQ,EAAE,IAAI,CAAC,IAAI;gBACnB,KAAK,EAAE,IAAI,CAAC,KAAK;aAClB,CAAC;YAEF,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;gBACnB,aAAa,CAAC,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC;YAC3C,CAAC;YAED,IAAI,CAAC,MAAM,GAAG,YAAY,CAAC,aAAa,CAAgB,CAAC;YACzD,OAAO,IAAI,CAAC,MAAM,CAAC;QACrB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IACE,KAAK,YAAY,KAAK;gBACtB,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,oBAAoB,CAAC;oBAC3C,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAAC;oBAC1C,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,sBAAsB,CAAC,CAAC,EACjD,CAAC;gBACD,MAAM,IAAI,WAAW,CACnB,0FAA0F,EAC1F,SAAS,CAAC,WAAW,EACrB,EAAE,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE,CACxB,CAAC;YACJ,CAAC;YACD,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,YAAY;QACxB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAEvB,8BAA8B;QAC9B,IAAI,IAAI,CAAC,KAAK,IAAI,GAAG,GAAG,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;YAC9D,OAAO,IAAI,CAAC,KAAK,CAAC;QACpB,CAAC;QAED,MAAM,MAAM,GAAG,qBAAqB,EAAE,CAAC;QACvC,MAAM,CAAC,KAAK,CAAC,6BAA6B,EAAE;YAC1C,QAAQ,EAAE,IAAI,CAAC,IAAI;YACnB,IAAI,EAAE,IAAI,CAAC,UAAU;YACrB,IAAI,EAAE,IAAI,CAAC,IAAI;SAChB,CAAC,CAAC;QAEH,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,SAAS,EAAE,CAAC;YACtC,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;YAElD,2DAA2D;YAC3D,IAAI,CAAC,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC;YAC9B,IAAI,CAAC,cAAc,GAAG,GAAG,CAAC;YAE1B,MAAM,CAAC,KAAK,CAAC,sBAAsB,EAAE;gBACnC,QAAQ,EAAE,IAAI,CAAC,IAAI;gBACnB,QAAQ,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,MAAM;aACzC,CAAC,CAAC;YAEH,OAAO,IAAI,CAAC,KAAK,CAAC;QACpB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,0DAA0D;YAC1D,IAAI,KAAK,YAAY,WAAW,EAAE,CAAC;gBACjC,MAAM,KAAK,CAAC;YACd,CAAC;YAED,MAAM,CAAC,IAAI,CAAC,4DAA4D,EAAE;gBACxE,QAAQ,EAAE,IAAI,CAAC,IAAI;gBACnB,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;aAC9D,CAAC,CAAC;YAEH,mDAAmD;YACnD,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;gBACf,MAAM,CAAC,IAAI,CAAC,yBAAyB,EAAE,EAAE,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;gBAChE,OAAO,IAAI,CAAC,KAAK,CAAC;YACpB,CAAC;YAED,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,GAAW;QACvB,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,YAAY,EAAE,CAAC;QAC1C,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC;IACtB,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,IAAc;QAC7B,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,YAAY,EAAE,CAAC;QAC1C,MAAM,MAAM,GAA2B,EAAE,CAAC;QAC1C,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;YACvB,IAAI,GAAG,IAAI,OAAO,EAAE,CAAC;gBACnB,MAAM,CAAC,GAAG,CAAC,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC;YAC7B,CAAC;QACH,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,KAAK,CAAC,OAAO;QACX,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC;QAClB,IAAI,CAAC,cAAc,GAAG,CAAC,CAAC;QACxB,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC;IACrB,CAAC;CACF"}

package/dist/mcp/tool-converter.d.ts

@@ -0,0 +1,40 @@
+/**
+ * Tool Schema Converter
+ *
+ * Converts Matimo ToolDefinition parameters to MCP-compatible Zod schemas.
+ * The MCP SDK's registerTool() accepts { [key]: ZodType } as inputSchema.
+ * Reuses the same parameterToZod logic as the LangChain integration.
+ */
+import { z } from 'zod';
+import type { Parameter } from '../core/types';
+import type { ToolDefinition } from '../core/schema';
+/**
+ * Convert a single Matimo Parameter to a Zod schema.
+ * Handles: string, number, boolean, array, object, enum, defaults, optionals.
+ */
+export declare function parameterToZod(param: Parameter): z.ZodType<unknown>;
+/**
+ * Convert a ToolDefinition's parameters to MCP inputSchema format.
+ * Excludes auth parameters — those are injected server-side.
+ *
+ * @returns A plain object mapping param names to Zod types,
+ *          which is what MCP SDK's registerTool() expects for inputSchema.
+ */
+export declare function convertParametersToMcpSchema(parameters: Record<string, Parameter>): Record<string, z.ZodTypeAny>;
+/**
+ * Build the full MCP tool registration metadata from a ToolDefinition.
+ *
+ * @returns Object ready for server.registerTool(name, metadata, handler)
+ */
+export declare function toolToMcpRegistration(tool: ToolDefinition): {
+    title: string;
+    description: string;
+    inputSchema: Record<string, z.ZodTypeAny>;
+};
+/**
+ * Extract auth placeholder names from a tool's execution config.
+ * These are the env var names the tool needs (e.g., SLACK_BOT_TOKEN, GITHUB_TOKEN).
+ * Used by `matimo mcp setup` to generate config templates.
+ */
+export declare function extractAuthPlaceholders(tool: ToolDefinition): string[];
+//# sourceMappingURL=tool-converter.d.ts.map

package/dist/mcp/tool-converter.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tool-converter.d.ts","sourceRoot":"","sources":["../../src/mcp/tool-converter.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,eAAe,CAAC;AAC/C,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAErD;;;GAGG;AACH,wBAAgB,cAAc,CAAC,KAAK,EAAE,SAAS,GAAG,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAgEnE;AAyBD;;;;;;GAMG;AACH,wBAAgB,4BAA4B,CAC1C,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,SAAS,CAAC,GACpC,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC,UAAU,CAAC,CAY9B;AAED;;;;GAIG;AACH,wBAAgB,qBAAqB,CAAC,IAAI,EAAE,cAAc,GAAG;IAC3D,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC,UAAU,CAAC,CAAC;CAC3C,CAiBA;AAED;;;;GAIG;AACH,wBAAgB,uBAAuB,CAAC,IAAI,EAAE,cAAc,GAAG,MAAM,EAAE,CAyCtE"}

package/dist/mcp/tool-converter.js

@@ -0,0 +1,185 @@
+/**
+ * Tool Schema Converter
+ *
+ * Converts Matimo ToolDefinition parameters to MCP-compatible Zod schemas.
+ * The MCP SDK's registerTool() accepts { [key]: ZodType } as inputSchema.
+ * Reuses the same parameterToZod logic as the LangChain integration.
+ */
+import { z } from 'zod';
+/**
+ * Convert a single Matimo Parameter to a Zod schema.
+ * Handles: string, number, boolean, array, object, enum, defaults, optionals.
+ */
+export function parameterToZod(param) {
+    let schema;
+    // Handle enum constraints
+    if (param.enum && param.enum.length > 0) {
+        if (param.enum.length === 1) {
+            // z.union requires at least 2 schemas — handle single-value enum explicitly
+            schema = z.literal(param.enum[0]);
+        }
+        else {
+            const enumSchemas = param.enum.map((value) => z.literal(value));
+            schema = z.union(enumSchemas);
+        }
+    }
+    else {
+        switch (param.type) {
+            case 'string':
+                schema = z.string();
+                break;
+            case 'number':
+                schema = z.number();
+                break;
+            case 'boolean':
+                schema = z.boolean();
+                break;
+            case 'array': {
+                const itemSchema = param.items ? parameterToZod(param.items) : z.unknown();
+                schema = z.array(itemSchema);
+                break;
+            }
+            case 'object': {
+                if (param.properties) {
+                    const props = {};
+                    for (const [key, prop] of Object.entries(param.properties)) {
+                        props[key] = parameterToZod(prop);
+                    }
+                    schema = z.object(props);
+                }
+                else {
+                    schema = z.record(z.string(), z.unknown());
+                }
+                break;
+            }
+            default:
+                schema = z.unknown();
+        }
+    }
+    // Add description
+    if (param.description) {
+        schema = schema.describe(param.description);
+    }
+    // Make optional before applying default.
+    // Order matters: .optional().default(val) produces ZodDefault(ZodOptional(...)),
+    // so parse(undefined) triggers the default. Reversing the order wraps ZodDefault
+    // in ZodOptional, causing undefined to be absorbed before the default is reached.
+    if (!param.required) {
+        schema = schema.optional();
+    }
+    // Apply default after optional so parse(undefined) returns the default value.
+    if (param.default !== undefined) {
+        schema = schema.default(param.default);
+    }
+    return schema;
+}
+/**
+ * Auth-related parameter name patterns.
+ * Parameters matching these are excluded from the MCP input schema
+ * because they are injected server-side by the secret resolver.
+ */
+const AUTH_PATTERNS = ['token', 'key', 'secret', 'password', 'credential', 'auth', 'bearer'];
+/**
+ * Check if a parameter name looks like a secret/auth parameter.
+ * Normalises camelCase to segments first (e.g. apiKey → ['api','key']),
+ * then splits on word separators (_ - .) and checks each segment for an
+ * exact match against AUTH_PATTERNS, preventing false positives such as
+ * "monkey" matching "key" or "author" matching "auth".
+ */
+function isAuthParameter(paramName) {
+    const segments = paramName
+        .replace(/([a-z])([A-Z])/g, '$1_$2') // camelCase → snake_case (apiKey → api_Key)
+        .toLowerCase()
+        .split(/[_\-.]+/)
+        .filter(Boolean);
+    return segments.some((segment) => AUTH_PATTERNS.includes(segment));
+}
+/**
+ * Convert a ToolDefinition's parameters to MCP inputSchema format.
+ * Excludes auth parameters — those are injected server-side.
+ *
+ * @returns A plain object mapping param names to Zod types,
+ *          which is what MCP SDK's registerTool() expects for inputSchema.
+ */
+export function convertParametersToMcpSchema(parameters) {
+    const schema = {};
+    for (const [name, param] of Object.entries(parameters)) {
+        // Skip auth parameters — they are injected by the MCP server
+        if (isAuthParameter(name)) {
+            continue;
+        }
+        schema[name] = parameterToZod(param);
+    }
+    return schema;
+}
+/**
+ * Build the full MCP tool registration metadata from a ToolDefinition.
+ *
+ * @returns Object ready for server.registerTool(name, metadata, handler)
+ */
+export function toolToMcpRegistration(tool) {
+    const schema = convertParametersToMcpSchema(tool.parameters || {});
+    // Tools with requires_approval need the _matimo_approved parameter in
+    // the MCP schema so clients can confirm destructive operations.
+    if (tool.requires_approval) {
+        schema._matimo_approved = z
+            .boolean()
+            .optional()
+            .describe('Set to true to confirm execution of this approval-required tool');
+    }
+    return {
+        title: tool.name,
+        description: tool.description || tool.name,
+        inputSchema: schema,
+    };
+}
+/**
+ * Extract auth placeholder names from a tool's execution config.
+ * These are the env var names the tool needs (e.g., SLACK_BOT_TOKEN, GITHUB_TOKEN).
+ * Used by `matimo mcp setup` to generate config templates.
+ */
+export function extractAuthPlaceholders(tool) {
+    const placeholders = [];
+    // Use \w+ (word chars only) instead of [^}]+ to avoid polynomial backtracking (ReDoS) on
+    // uncontrolled input — placeholder names are always alphanumeric identifiers anyway.
+    const placeholderRegex = /\{(\w+)\}/g;
+    const execution = tool.execution;
+    const scanString = (str) => {
+        placeholderRegex.lastIndex = 0; // reset before each scan to avoid stale lastIndex from /g flag
+        let match;
+        while ((match = placeholderRegex.exec(str)) !== null) {
+            const name = match[1];
+            if (isAuthParameter(name) && !placeholders.includes(name)) {
+                placeholders.push(name);
+            }
+        }
+    };
+    const scanObject = (obj) => {
+        if (typeof obj === 'string') {
+            scanString(obj);
+        }
+        else if (obj && typeof obj === 'object') {
+            for (const value of Object.values(obj)) {
+                scanObject(value);
+            }
+        }
+    };
+    // Scan URL, headers, body, query_params
+    if ('url' in execution)
+        scanString(execution.url);
+    if ('headers' in execution && execution.headers)
+        scanObject(execution.headers);
+    if ('body' in execution && execution.body)
+        scanObject(execution.body);
+    if ('query_params' in execution && execution.query_params)
+        scanObject(execution.query_params);
+    if ('args' in execution && execution.args) {
+        for (const arg of execution.args) {
+            scanString(arg);
+        }
+    }
+    if ('command' in execution)
+        scanString(execution.command);
+    return placeholders;
+}
+//# sourceMappingURL=tool-converter.js.map

package/dist/mcp/tool-converter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tool-converter.js","sourceRoot":"","sources":["../../src/mcp/tool-converter.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAIxB;;;GAGG;AACH,MAAM,UAAU,cAAc,CAAC,KAAgB;IAC7C,IAAI,MAA0B,CAAC;IAE/B,0BAA0B;IAC1B,IAAI,KAAK,CAAC,IAAI,IAAI,KAAK,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxC,IAAI,KAAK,CAAC,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC5B,4EAA4E;YAC5E,MAAM,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;QACpC,CAAC;aAAM,CAAC;YACN,MAAM,WAAW,GAAG,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC;YAChE,MAAM,GAAG,CAAC,CAAC,KAAK,CAAC,WAA2D,CAAC,CAAC;QAChF,CAAC;IACH,CAAC;SAAM,CAAC;QACN,QAAQ,KAAK,CAAC,IAAI,EAAE,CAAC;YACnB,KAAK,QAAQ;gBACX,MAAM,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC;gBACpB,MAAM;YACR,KAAK,QAAQ;gBACX,MAAM,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC;gBACpB,MAAM;YACR,KAAK,SAAS;gBACZ,MAAM,GAAG,CAAC,CAAC,OAAO,EAAE,CAAC;gBACrB,MAAM;YACR,KAAK,OAAO,CAAC,CAAC,CAAC;gBACb,MAAM,UAAU,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,cAAc,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC;gBAC3E,MAAM,GAAG,CAAC,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;gBAC7B,MAAM;YACR,CAAC;YACD,KAAK,QAAQ,CAAC,CAAC,CAAC;gBACd,IAAI,KAAK,CAAC,UAAU,EAAE,CAAC;oBACrB,MAAM,KAAK,GAAuC,EAAE,CAAC;oBACrD,KAAK,MAAM,CAAC,GAAG,EAAE,IAAI,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,UAAU,CAAC,EAAE,CAAC;wBAC3D,KAAK,CAAC,GAAG,CAAC,GAAG,cAAc,CAAC,IAAI,CAAC,CAAC;oBACpC,CAAC;oBACD,MAAM,GAAG,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;gBAC3B,CAAC;qBAAM,CAAC;oBACN,MAAM,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC;gBAC7C,CAAC;gBACD,MAAM;YACR,CAAC;YACD;gBACE,MAAM,GAAG,CAAC,CAAC,OAAO,EAAE,CAAC;QACzB,CAAC;IACH,CAAC;IAED,kBAAkB;IAClB,IAAI,KAAK,CAAC,WAAW,EAAE,CAAC;QACtB,MAAM,GAAG,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;IAC9C,CAAC;IAED,yCAAyC;IACzC,iFAAiF;IACjF,iFAAiF;IACjF,kFAAkF;IAClF,IAAI,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC;QACpB,MAAM,GAAG,MAAM,CAAC,QAAQ,EAAE,CAAC;IAC7B,CAAC;IAED,8EAA8E;IAC9E,IAAI,KAAK,CAAC,OAAO,KAAK,SAAS,EAAE,CAAC;QAChC,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IACzC,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;GAIG;AACH,MAAM,aAAa,GAAG,CAAC,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,UAAU,EAAE,YAAY,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;AAE7F;;;;;;GAMG;AACH,SAAS,eAAe,CAAC,SAAiB;IACxC,MAAM,QAAQ,GAAG,SAAS;SACvB,OAAO,CAAC,iBAAiB,EAAE,OAAO,CAAC,CAAC,4CAA4C;SAChF,WAAW,EAAE;SACb,KAAK,CAAC,SAAS,CAAC;SAChB,MAAM,CAAC,OAAO,CAAC,CAAC;IACnB,OAAO,QAAQ,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,aAAa,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;AACrE,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,4BAA4B,CAC1C,UAAqC;IAErC,MAAM,MAAM,GAAiC,EAAE,CAAC;IAEhD,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,CAAC;QACvD,6DAA6D;QAC7D,IAAI,eAAe,CAAC,IAAI,CAAC,EAAE,CAAC;YAC1B,SAAS;QACX,CAAC;QACD,MAAM,CAAC,IAAI,CAAC,GAAG,cAAc,CAAC,KAAK,CAAiB,CAAC;IACvD,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,qBAAqB,CAAC,IAAoB;IAKxD,MAAM,MAAM,GAAG,4BAA4B,CAAC,IAAI,CAAC,UAAU,IAAI,EAAE,CAAC,CAAC;IAEnE,sEAAsE;IACtE,gEAAgE;IAChE,IAAI,IAAI,CAAC,iBAAiB,EAAE,CAAC;QAC3B,MAAM,CAAC,gBAAgB,GAAG,CAAC;aACxB,OAAO,EAAE;aACT,QAAQ,EAAE;aACV,QAAQ,CAAC,iEAAiE,CAAC,CAAC;IACjF,CAAC;IAED,OAAO;QACL,KAAK,EAAE,IAAI,CAAC,IAAI;QAChB,WAAW,EAAE,IAAI,CAAC,WAAW,IAAI,IAAI,CAAC,IAAI;QAC1C,WAAW,EAAE,MAAM;KACpB,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,uBAAuB,CAAC,IAAoB;IAC1D,MAAM,YAAY,GAAa,EAAE,CAAC;IAClC,yFAAyF;IACzF,qFAAqF;IACrF,MAAM,gBAAgB,GAAG,YAAY,CAAC;IACtC,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC;IAEjC,MAAM,UAAU,GAAG,CAAC,GAAW,EAAE,EAAE;QACjC,gBAAgB,CAAC,SAAS,GAAG,CAAC,CAAC,CAAC,+DAA+D;QAC/F,IAAI,KAAK,CAAC;QACV,OAAO,CAAC,KAAK,GAAG,gBAAgB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YACrD,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YACtB,IAAI,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC1D,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC1B,CAAC;QACH,CAAC;IACH,CAAC,CAAC;IAEF,MAAM,UAAU,GAAG,CAAC,GAAY,EAAE,EAAE;QAClC,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;YAC5B,UAAU,CAAC,GAAG,CAAC,CAAC;QAClB,CAAC;aAAM,IAAI,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;YAC1C,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,MAAM,CAAC,GAA8B,CAAC,EAAE,CAAC;gBAClE,UAAU,CAAC,KAAK,CAAC,CAAC;YACpB,CAAC;QACH,CAAC;IACH,CAAC,CAAC;IAEF,wCAAwC;IACxC,IAAI,KAAK,IAAI,SAAS;QAAE,UAAU,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;IAClD,IAAI,SAAS,IAAI,SAAS,IAAI,SAAS,CAAC,OAAO;QAAE,UAAU,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;IAC/E,IAAI,MAAM,IAAI,SAAS,IAAI,SAAS,CAAC,IAAI;QAAE,UAAU,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;IACtE,IAAI,cAAc,IAAI,SAAS,IAAI,SAAS,CAAC,YAAY;QAAE,UAAU,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC;IAC9F,IAAI,MAAM,IAAI,SAAS,IAAI,SAAS,CAAC,IAAI,EAAE,CAAC;QAC1C,KAAK,MAAM,GAAG,IAAI,SAAS,CAAC,IAAI,EAAE,CAAC;YACjC,UAAU,CAAC,GAAG,CAAC,CAAC;QAClB,CAAC;IACH,CAAC;IACD,IAAI,SAAS,IAAI,SAAS;QAAE,UAAU,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;IAE1D,OAAO,YAAY,CAAC;AACtB,CAAC"}

package/dist/policy/approval-manifest.d.ts

@@ -0,0 +1,76 @@
+/**
+ * Approval Manifest for Matimo.
+ *
+ * Manages HMAC-signed approval records for agent-created tools.
+ * Prevents agent forgery of approvals via cryptographic verification.
+ */
+export interface ApprovalRecord {
+    name: string;
+    hash: string;
+    signature: string;
+    approvedAt: string;
+    approvedBy?: string;
+}
+export declare class ApprovalManifest {
+    private readonly secret;
+    private readonly manifestPath;
+    private cache;
+    private pendingSet;
+    private readonly ttlSeconds;
+    /**
+     * @param approvalDir - Directory where `.matimo-approvals.json` lives
+     * @param secret - HMAC secret. If not provided, reads `MATIMO_APPROVAL_SECRET`
+     *   from env. If that's also missing, generates one and logs it.
+     * @param ttlSeconds - Optional TTL in seconds. Approvals older than this are treated as expired.
+     */
+    constructor(approvalDir: string, secret?: string, ttlSeconds?: number);
+    /**
+     * Compute the HMAC signature for a tool approval.
+     */
+    private sign;
+    /**
+     * Compute SHA-256 hash of content.
+     */
+    computeHash(content: string): string;
+    /**
+     * Verify that an approval record has a valid HMAC signature and
+     * the stored hash matches the current YAML content hash.
+     */
+    isApproved(toolName: string, currentYamlHash: string): boolean;
+    /**
+     * Approve a tool. Creates an HMAC-signed record in the manifest.
+     */
+    approve(toolName: string, yamlHash: string, approvedBy?: string): void;
+    /**
+     * Revoke a tool's approval. Removes from both cache and pendingSet
+     * to ensure consistent state (tool no longer tracked as approved or pending).
+     */
+    revoke(toolName: string): boolean;
+    /**
+     * Get the approval record for a tool.
+     */
+    getApproval(toolName: string): ApprovalRecord | undefined;
+    /**
+     * List all approved tool names.
+     */
+    listApproved(): string[];
+    /**
+     * Mark a tool as pending approval. Called by matimo_create_tool after writing to disk.
+     */
+    markPending(toolName: string): void;
+    /**
+     * Return all tool names that have been proposed (written to disk) but not yet approved.
+     */
+    getPendingTools(): string[];
+    /**
+     * Load the manifest file from disk.
+     */
+    private loadFromDisk;
+    /**
+     * Save current approvals to disk using atomic write pattern.
+     * Writes to a temporary file first, then atomically renames it.
+     * This prevents data corruption if the process crashes mid-write.
+     */
+    private saveToDisk;
+}
+//# sourceMappingURL=approval-manifest.d.ts.map

package/dist/policy/approval-manifest.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"approval-manifest.d.ts","sourceRoot":"","sources":["../../src/policy/approval-manifest.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAQH,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAQD,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;IAChC,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAS;IACtC,OAAO,CAAC,KAAK,CAA0C;IACvD,OAAO,CAAC,UAAU,CAA0B;IAC5C,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAqB;IAEhD;;;;;OAKG;gBACS,WAAW,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM;IAkCrE;;OAEG;IACH,OAAO,CAAC,IAAI;IAIZ;;OAEG;IACH,WAAW,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM;IAIpC;;;OAGG;IACH,UAAU,CAAC,QAAQ,EAAE,MAAM,EAAE,eAAe,EAAE,MAAM,GAAG,OAAO;IAsB9D;;OAEG;IACH,OAAO,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI;IAatE;;;OAGG;IACH,MAAM,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO;IASjC;;OAEG;IACH,WAAW,CAAC,QAAQ,EAAE,MAAM,GAAG,cAAc,GAAG,SAAS;IAIzD;;OAEG;IACH,YAAY,IAAI,MAAM,EAAE;IAIxB;;OAEG;IACH,WAAW,CAAC,QAAQ,EAAE,MAAM,GAAG,IAAI;IAKnC;;OAEG;IACH,eAAe,IAAI,MAAM,EAAE;IAI3B;;OAEG;IACH,OAAO,CAAC,YAAY;IA+BpB;;;;OAIG;IACH,OAAO,CAAC,UAAU;CAoBnB"}