@mce-bt/microagents-vault 0.1.0

package/dist/crypto.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Encrypt plaintext using AES-256-GCM.
+ * Output format: base64(IV[16] + AuthTag[16] + Ciphertext)
+ */
+export declare function encrypt(plaintext: string, keyHex: string): string;
+/**
+ * Decrypt AES-256-GCM ciphertext.
+ * Input format: base64(IV[16] + AuthTag[16] + Ciphertext)
+ */
+export declare function decrypt(encoded: string, keyHex: string): string;
+//# sourceMappingURL=crypto.d.ts.map

package/dist/crypto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.d.ts","sourceRoot":"","sources":["../src/crypto.ts"],"names":[],"mappings":"AAMA;;;GAGG;AACH,wBAAgB,OAAO,CAAC,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,MAAM,CAOjE;AAED;;;GAGG;AACH,wBAAgB,OAAO,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,MAAM,CAS/D"}

package/dist/crypto.js

@@ -0,0 +1,31 @@
+import crypto from 'node:crypto';
+const ALGORITHM = 'aes-256-gcm';
+const IV_LENGTH = 16;
+const AUTH_TAG_LENGTH = 16;
+/**
+ * Encrypt plaintext using AES-256-GCM.
+ * Output format: base64(IV[16] + AuthTag[16] + Ciphertext)
+ */
+export function encrypt(plaintext, keyHex) {
+    const key = Buffer.from(keyHex, 'hex');
+    const iv = crypto.randomBytes(IV_LENGTH);
+    const cipher = crypto.createCipheriv(ALGORITHM, key, iv);
+    const encrypted = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
+    const authTag = cipher.getAuthTag();
+    return Buffer.concat([iv, authTag, encrypted]).toString('base64');
+}
+/**
+ * Decrypt AES-256-GCM ciphertext.
+ * Input format: base64(IV[16] + AuthTag[16] + Ciphertext)
+ */
+export function decrypt(encoded, keyHex) {
+    const key = Buffer.from(keyHex, 'hex');
+    const buf = Buffer.from(encoded, 'base64');
+    const iv = buf.subarray(0, IV_LENGTH);
+    const authTag = buf.subarray(IV_LENGTH, IV_LENGTH + AUTH_TAG_LENGTH);
+    const ciphertext = buf.subarray(IV_LENGTH + AUTH_TAG_LENGTH);
+    const decipher = crypto.createDecipheriv(ALGORITHM, key, iv);
+    decipher.setAuthTag(authTag);
+    return decipher.update(ciphertext) + decipher.final('utf8');
+}
+//# sourceMappingURL=crypto.js.map

package/dist/crypto.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.js","sourceRoot":"","sources":["../src/crypto.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,aAAa,CAAC;AAEjC,MAAM,SAAS,GAAG,aAAa,CAAC;AAChC,MAAM,SAAS,GAAG,EAAE,CAAC;AACrB,MAAM,eAAe,GAAG,EAAE,CAAC;AAE3B;;;GAGG;AACH,MAAM,UAAU,OAAO,CAAC,SAAiB,EAAE,MAAc;IACvD,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;IACvC,MAAM,EAAE,GAAG,MAAM,CAAC,WAAW,CAAC,SAAS,CAAC,CAAC;IACzC,MAAM,MAAM,GAAG,MAAM,CAAC,cAAc,CAAC,SAAS,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IACzD,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IACpF,MAAM,OAAO,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;IACpC,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,EAAE,EAAE,OAAO,EAAE,SAAS,CAAC,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;AACpE,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,OAAO,CAAC,OAAe,EAAE,MAAc;IACrD,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;IACvC,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;IAC3C,MAAM,EAAE,GAAG,GAAG,CAAC,QAAQ,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC;IACtC,MAAM,OAAO,GAAG,GAAG,CAAC,QAAQ,CAAC,SAAS,EAAE,SAAS,GAAG,eAAe,CAAC,CAAC;IACrE,MAAM,UAAU,GAAG,GAAG,CAAC,QAAQ,CAAC,SAAS,GAAG,eAAe,CAAC,CAAC;IAC7D,MAAM,QAAQ,GAAG,MAAM,CAAC,gBAAgB,CAAC,SAAS,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IAC7D,QAAQ,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;IAC7B,OAAO,QAAQ,CAAC,MAAM,CAAC,UAAU,CAAC,GAAG,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;AAC9D,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,4 @@
+export { encrypt, decrypt } from './crypto.js';
+export { CredentialVault } from './vault.js';
+export type { VaultConfig, VaultAuditEntry, Credential, CredentialInput, DecryptedCredential, CredentialSummary, } from './types.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAC/C,OAAO,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAC7C,YAAY,EACV,WAAW,EACX,eAAe,EACf,UAAU,EACV,eAAe,EACf,mBAAmB,EACnB,iBAAiB,GAClB,MAAM,YAAY,CAAC"}

package/dist/index.js

@@ -0,0 +1,3 @@
+export { encrypt, decrypt } from './crypto.js';
+export { CredentialVault } from './vault.js';
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAC/C,OAAO,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC"}

package/dist/types.d.ts

@@ -0,0 +1,52 @@
+export interface VaultConfig {
+    pool: import('pg').Pool;
+    encryptionKeyHex: string;
+    /** Identifier recorded in the audit trail (e.g. agent id). */
+    actor?: string;
+}
+export interface VaultAuditEntry {
+    action: string;
+    platform: string;
+    label: string;
+    actor: string | null;
+    success: boolean;
+    created_at: Date;
+}
+export interface Credential {
+    id: string;
+    platform: string;
+    label: string;
+    username: string;
+    password_encrypted: string;
+    totp_secret_encrypted: string | null;
+    metadata: Record<string, unknown>;
+    created_at: Date;
+    updated_at: Date;
+}
+export interface CredentialInput {
+    platform: string;
+    label?: string;
+    username: string;
+    password: string;
+    totpSecret?: string;
+    metadata?: Record<string, unknown>;
+}
+export interface DecryptedCredential {
+    id: string;
+    platform: string;
+    label: string;
+    username: string;
+    password: string;
+    totpCode?: string;
+    metadata: Record<string, unknown>;
+}
+export interface CredentialSummary {
+    id: string;
+    platform: string;
+    label: string;
+    username: string;
+    has_totp: boolean;
+    created_at: Date;
+    updated_at: Date;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,OAAO,IAAI,EAAE,IAAI,CAAC;IACxB,gBAAgB,EAAE,MAAM,CAAC;IACzB,8DAA8D;IAC9D,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,eAAe;IAC9B,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,OAAO,EAAE,OAAO,CAAC;IACjB,UAAU,EAAE,IAAI,CAAC;CAClB;AAED,MAAM,WAAW,UAAU;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;IACjB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,qBAAqB,EAAE,MAAM,GAAG,IAAI,CAAC;IACrC,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAClC,UAAU,EAAE,IAAI,CAAC;IACjB,UAAU,EAAE,IAAI,CAAC;CAClB;AAED,MAAM,WAAW,eAAe;IAC9B,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACpC;AAED,MAAM,WAAW,mBAAmB;IAClC,EAAE,EAAE,MAAM,CAAC;IACX,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACnC;AAED,MAAM,WAAW,iBAAiB;IAChC,EAAE,EAAE,MAAM,CAAC;IACX,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,OAAO,CAAC;IAClB,UAAU,EAAE,IAAI,CAAC;IACjB,UAAU,EAAE,IAAI,CAAC;CAClB"}

package/dist/types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=types.js.map

package/dist/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":""}

package/dist/vault.d.ts

@@ -0,0 +1,28 @@
+import type { VaultConfig, CredentialInput, DecryptedCredential, CredentialSummary, VaultAuditEntry } from './types.js';
+export declare class CredentialVault {
+    private readonly pool;
+    private readonly keyHex;
+    private readonly actor?;
+    constructor(config: VaultConfig);
+    /**
+     * Create the vault tables if they don't exist. Idempotent — safe to call
+     * on every boot.
+     */
+    ensureSchema(): Promise<void>;
+    store(input: CredentialInput): Promise<string>;
+    retrieve(platform: string, label?: string): Promise<DecryptedCredential | null>;
+    list(): Promise<CredentialSummary[]>;
+    remove(platform: string, label?: string): Promise<boolean>;
+    /**
+     * Read the access audit trail (most recent first).
+     */
+    auditLog(limit?: number): Promise<VaultAuditEntry[]>;
+    /**
+     * Record an access event. Audit failures are swallowed deliberately —
+     * a broken audit table must not block credential operations — but the
+     * audit table is created by ensureSchema(), so in practice this only
+     * fires when ensureSchema() was skipped.
+     */
+    private audit;
+}
+//# sourceMappingURL=vault.d.ts.map

package/dist/vault.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"vault.d.ts","sourceRoot":"","sources":["../src/vault.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EACV,WAAW,EAEX,eAAe,EACf,mBAAmB,EACnB,iBAAiB,EACjB,eAAe,EAChB,MAAM,YAAY,CAAC;AA2BpB,qBAAa,eAAe;IAC1B,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAoB;IACzC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;IAChC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAS;gBAEpB,MAAM,EAAE,WAAW;IAS/B;;;OAGG;IACG,YAAY,IAAI,OAAO,CAAC,IAAI,CAAC;IAI7B,KAAK,CAAC,KAAK,EAAE,eAAe,GAAG,OAAO,CAAC,MAAM,CAAC;IAuB9C,QAAQ,CAAC,QAAQ,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,mBAAmB,GAAG,IAAI,CAAC;IAkC/E,IAAI,IAAI,OAAO,CAAC,iBAAiB,EAAE,CAAC;IAiBpC,MAAM,CAAC,QAAQ,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAUhE;;OAEG;IACG,QAAQ,CAAC,KAAK,SAAM,GAAG,OAAO,CAAC,eAAe,EAAE,CAAC;IASvD;;;;;OAKG;YACW,KAAK;CAWpB"}

package/dist/vault.js

@@ -0,0 +1,131 @@
+import * as OTPAuth from 'otpauth';
+import { encrypt, decrypt } from './crypto.js';
+const SCHEMA_SQL = `
+CREATE TABLE IF NOT EXISTS public.credential_vault (
+  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  platform TEXT NOT NULL,
+  label TEXT NOT NULL DEFAULT 'default',
+  username TEXT NOT NULL,
+  password_encrypted TEXT NOT NULL,
+  totp_secret_encrypted TEXT,
+  metadata JSONB NOT NULL DEFAULT '{}',
+  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+  updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+  UNIQUE (platform, label)
+);
+
+CREATE TABLE IF NOT EXISTS public.credential_vault_audit (
+  id BIGSERIAL PRIMARY KEY,
+  action TEXT NOT NULL,
+  platform TEXT NOT NULL,
+  label TEXT NOT NULL,
+  actor TEXT,
+  success BOOLEAN NOT NULL,
+  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+`;
+export class CredentialVault {
+    pool;
+    keyHex;
+    actor;
+    constructor(config) {
+        if (!config.encryptionKeyHex || config.encryptionKeyHex.length !== 64) {
+            throw new Error('CREDENTIAL_VAULT_KEY must be a 64-char hex string (256 bits)');
+        }
+        this.pool = config.pool;
+        this.keyHex = config.encryptionKeyHex;
+        this.actor = config.actor;
+    }
+    /**
+     * Create the vault tables if they don't exist. Idempotent — safe to call
+     * on every boot.
+     */
+    async ensureSchema() {
+        await this.pool.query(SCHEMA_SQL);
+    }
+    async store(input) {
+        const label = input.label || 'default';
+        const passwordEnc = encrypt(input.password, this.keyHex);
+        const totpEnc = input.totpSecret ? encrypt(input.totpSecret, this.keyHex) : null;
+        const metadata = input.metadata || {};
+        const result = await this.pool.query(`INSERT INTO public.credential_vault (platform, label, username, password_encrypted, totp_secret_encrypted, metadata)
+       VALUES ($1, $2, $3, $4, $5, $6)
+       ON CONFLICT (platform, label) DO UPDATE SET
+         username = EXCLUDED.username,
+         password_encrypted = EXCLUDED.password_encrypted,
+         totp_secret_encrypted = EXCLUDED.totp_secret_encrypted,
+         metadata = EXCLUDED.metadata,
+         updated_at = NOW()
+       RETURNING id`, [input.platform, label, input.username, passwordEnc, totpEnc, JSON.stringify(metadata)]);
+        await this.audit('store', input.platform, label, true);
+        return result.rows[0].id;
+    }
+    async retrieve(platform, label) {
+        const row = await this.pool.query(`SELECT * FROM public.credential_vault WHERE platform = $1 AND label = $2`, [platform, label || 'default']);
+        if (row.rows.length === 0) {
+            await this.audit('retrieve', platform, label || 'default', false);
+            return null;
+        }
+        const cred = row.rows[0];
+        const password = decrypt(cred.password_encrypted, this.keyHex);
+        let totpCode;
+        if (cred.totp_secret_encrypted) {
+            const totpSecret = decrypt(cred.totp_secret_encrypted, this.keyHex);
+            const totp = new OTPAuth.TOTP({ secret: totpSecret, digits: 6, period: 30 });
+            totpCode = totp.generate();
+        }
+        await this.audit('retrieve', platform, cred.label, true);
+        return {
+            id: cred.id,
+            platform: cred.platform,
+            label: cred.label,
+            username: cred.username,
+            password,
+            totpCode,
+            metadata: cred.metadata,
+        };
+    }
+    async list() {
+        const result = await this.pool.query(`SELECT id, platform, label, username, totp_secret_encrypted, created_at, updated_at
+       FROM public.credential_vault ORDER BY platform, label`);
+        return result.rows.map((r) => ({
+            id: r.id,
+            platform: r.platform,
+            label: r.label,
+            username: r.username,
+            has_totp: r.totp_secret_encrypted !== null,
+            created_at: r.created_at,
+            updated_at: r.updated_at,
+        }));
+    }
+    async remove(platform, label) {
+        const result = await this.pool.query(`DELETE FROM public.credential_vault WHERE platform = $1 AND label = $2`, [platform, label || 'default']);
+        const removed = (result.rowCount ?? 0) > 0;
+        await this.audit('remove', platform, label || 'default', removed);
+        return removed;
+    }
+    /**
+     * Read the access audit trail (most recent first).
+     */
+    async auditLog(limit = 100) {
+        const result = await this.pool.query(`SELECT action, platform, label, actor, success, created_at
+       FROM public.credential_vault_audit ORDER BY created_at DESC LIMIT $1`, [limit]);
+        return result.rows;
+    }
+    /**
+     * Record an access event. Audit failures are swallowed deliberately —
+     * a broken audit table must not block credential operations — but the
+     * audit table is created by ensureSchema(), so in practice this only
+     * fires when ensureSchema() was skipped.
+     */
+    async audit(action, platform, label, success) {
+        try {
+            await this.pool.query(`INSERT INTO public.credential_vault_audit (action, platform, label, actor, success)
+         VALUES ($1, $2, $3, $4, $5)`, [action, platform, label, this.actor ?? null, success]);
+        }
+        catch {
+            // see docstring
+        }
+    }
+}
+//# sourceMappingURL=vault.js.map

package/dist/vault.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"vault.js","sourceRoot":"","sources":["../src/vault.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,OAAO,MAAM,SAAS,CAAC;AACnC,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAU/C,MAAM,UAAU,GAAG;;;;;;;;;;;;;;;;;;;;;;;CAuBlB,CAAC;AAEF,MAAM,OAAO,eAAe;IACT,IAAI,CAAoB;IACxB,MAAM,CAAS;IACf,KAAK,CAAU;IAEhC,YAAY,MAAmB;QAC7B,IAAI,CAAC,MAAM,CAAC,gBAAgB,IAAI,MAAM,CAAC,gBAAgB,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;YACtE,MAAM,IAAI,KAAK,CAAC,8DAA8D,CAAC,CAAC;QAClF,CAAC;QACD,IAAI,CAAC,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC;QACxB,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC,gBAAgB,CAAC;QACtC,IAAI,CAAC,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC;IAC5B,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,YAAY;QAChB,MAAM,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;IACpC,CAAC;IAED,KAAK,CAAC,KAAK,CAAC,KAAsB;QAChC,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,IAAI,SAAS,CAAC;QACvC,MAAM,WAAW,GAAG,OAAO,CAAC,KAAK,CAAC,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;QACzD,MAAM,OAAO,GAAG,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,UAAU,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;QACjF,MAAM,QAAQ,GAAG,KAAK,CAAC,QAAQ,IAAI,EAAE,CAAC;QAEtC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,KAAK,CAClC;;;;;;;;oBAQc,EACd,CAAC,KAAK,CAAC,QAAQ,EAAE,KAAK,EAAE,KAAK,CAAC,QAAQ,EAAE,WAAW,EAAE,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC,CACxF,CAAC;QAEF,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,KAAK,CAAC,QAAQ,EAAE,KAAK,EAAE,IAAI,CAAC,CAAC;QACvD,OAAO,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IAC3B,CAAC;IAED,KAAK,CAAC,QAAQ,CAAC,QAAgB,EAAE,KAAc;QAC7C,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,KAAK,CAC/B,0EAA0E,EAC1E,CAAC,QAAQ,EAAE,KAAK,IAAI,SAAS,CAAC,CAC/B,CAAC;QAEF,IAAI,GAAG,CAAC,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC1B,MAAM,IAAI,CAAC,KAAK,CAAC,UAAU,EAAE,QAAQ,EAAE,KAAK,IAAI,SAAS,EAAE,KAAK,CAAC,CAAC;YAClE,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACzB,MAAM,QAAQ,GAAG,OAAO,CAAC,IAAI,CAAC,kBAAkB,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;QAE/D,IAAI,QAA4B,CAAC;QACjC,IAAI,IAAI,CAAC,qBAAqB,EAAE,CAAC;YAC/B,MAAM,UAAU,GAAG,OAAO,CAAC,IAAI,CAAC,qBAAqB,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;YACpE,MAAM,IAAI,GAAG,IAAI,OAAO,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC,CAAC;YAC7E,QAAQ,GAAG,IAAI,CAAC,QAAQ,EAAE,CAAC;QAC7B,CAAC;QAED,MAAM,IAAI,CAAC,KAAK,CAAC,UAAU,EAAE,QAAQ,EAAE,IAAI,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;QAEzD,OAAO;YACL,EAAE,EAAE,IAAI,CAAC,EAAE;YACX,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,QAAQ;YACR,QAAQ;YACR,QAAQ,EAAE,IAAI,CAAC,QAAQ;SACxB,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,IAAI;QACR,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,KAAK,CAClC;6DACuD,CACxD,CAAC;QAEF,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YAC7B,EAAE,EAAE,CAAC,CAAC,EAAE;YACR,QAAQ,EAAE,CAAC,CAAC,QAAQ;YACpB,KAAK,EAAE,CAAC,CAAC,KAAK;YACd,QAAQ,EAAE,CAAC,CAAC,QAAQ;YACpB,QAAQ,EAAE,CAAC,CAAC,qBAAqB,KAAK,IAAI;YAC1C,UAAU,EAAE,CAAC,CAAC,UAAU;YACxB,UAAU,EAAE,CAAC,CAAC,UAAU;SACzB,CAAC,CAAC,CAAC;IACN,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,QAAgB,EAAE,KAAc;QAC3C,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,KAAK,CAClC,wEAAwE,EACxE,CAAC,QAAQ,EAAE,KAAK,IAAI,SAAS,CAAC,CAC/B,CAAC;QACF,MAAM,OAAO,GAAG,CAAC,MAAM,CAAC,QAAQ,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;QAC3C,MAAM,IAAI,CAAC,KAAK,CAAC,QAAQ,EAAE,QAAQ,EAAE,KAAK,IAAI,SAAS,EAAE,OAAO,CAAC,CAAC;QAClE,OAAO,OAAO,CAAC;IACjB,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,QAAQ,CAAC,KAAK,GAAG,GAAG;QACxB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,KAAK,CAClC;4EACsE,EACtE,CAAC,KAAK,CAAC,CACR,CAAC;QACF,OAAO,MAAM,CAAC,IAAI,CAAC;IACrB,CAAC;IAED;;;;;OAKG;IACK,KAAK,CAAC,KAAK,CAAC,MAAc,EAAE,QAAgB,EAAE,KAAa,EAAE,OAAgB;QACnF,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,IAAI,CAAC,KAAK,CACnB;qCAC6B,EAC7B,CAAC,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,IAAI,IAAI,EAAE,OAAO,CAAC,CACvD,CAAC;QACJ,CAAC;QAAC,MAAM,CAAC;YACP,gBAAgB;QAClB,CAAC;IACH,CAAC;CACF"}

package/package.json

@@ -0,0 +1,47 @@
+{
+  "name": "@mce-bt/microagents-vault",
+  "version": "0.1.0",
+  "description": "Encrypted credential vault — AES-256-GCM storage with TOTP support",
+  "type": "module",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
+    }
+  },
+  "scripts": {
+    "build": "tsc --build",
+    "clean": "rm -rf dist tsconfig.tsbuildinfo",
+    "test": "vitest run"
+  },
+  "dependencies": {
+    "otpauth": "^9.3.0"
+  },
+  "devDependencies": {
+    "@types/pg": "^8.11.0"
+  },
+  "peerDependencies": {
+    "pg": "^8.0.0"
+  },
+  "license": "MIT",
+  "files": [
+    "dist"
+  ],
+  "publishConfig": {
+    "access": "public"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/cavillo/microagents.git",
+    "directory": "packages/vault"
+  },
+  "homepage": "https://github.com/cavillo/microagents#readme",
+  "bugs": {
+    "url": "https://github.com/cavillo/microagents/issues"
+  },
+  "engines": {
+    "node": ">=20.0.0"
+  }
+}