@multiplayer-app/ai-agent-node 0.1.0-beta.70 → 0.1.0-beta.72

package/dist/cjs/services/TenantCredentialResolver.cjs

@@ -0,0 +1,136 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TenantCredentialResolver = void 0;
+exports.getTenantKey = getTenantKey;
+const crypto_1 = require("crypto");
+const logger_1 = require("../libs/logger/index.cjs");
+const ENCRYPTION_VERSION = 'v1';
+function getTenantKey(tenants) {
+    const entries = Object.entries(tenants)
+        .filter(([key, value]) => key.trim().length > 0 && value.trim().length > 0)
+        .sort(([left], [right]) => left.localeCompare(right));
+    return entries.map(([key, value]) => `${key}=${value}`).join('|');
+}
+function mapProviderToConfigField(provider) {
+    switch (provider) {
+        case 'openai':
+            return 'openaiApiKey';
+        case 'anthropic':
+            return 'anthropicApiKey';
+        case 'google':
+            return 'googleApiKey';
+        case 'openrouter':
+            return 'openrouterApiKey';
+    }
+}
+function mapProviderToBaseUrlField(provider) {
+    switch (provider) {
+        case 'openai':
+            return 'openaiBaseUrl';
+        case 'anthropic':
+            return 'anthropicBaseUrl';
+        case 'google':
+            return 'googleBaseUrl';
+        case 'openrouter':
+            return 'openrouterBaseUrl';
+    }
+}
+class TenantCredentialResolver {
+    constructor(repository, baseConfig) {
+        this.repository = repository;
+        this.baseConfig = baseConfig;
+    }
+    getKeyMaterial() {
+        const secret = this.baseConfig.credentialsEncryptionKey;
+        if (!secret || secret.length < 16) {
+            throw new Error('Missing MP_AI_CREDENTIALS_ENCRYPTION_KEY. Set at least 16 characters.');
+        }
+        return (0, crypto_1.createHash)('sha256').update(secret).digest();
+    }
+    encryptApiKey(apiKey) {
+        const iv = (0, crypto_1.randomBytes)(12);
+        const cipher = (0, crypto_1.createCipheriv)('aes-256-gcm', this.getKeyMaterial(), iv);
+        const encrypted = Buffer.concat([cipher.update(apiKey, 'utf8'), cipher.final()]);
+        const tag = cipher.getAuthTag();
+        return `${ENCRYPTION_VERSION}:${iv.toString('base64')}:${tag.toString('base64')}:${encrypted.toString('base64')}`;
+    }
+    decryptApiKey(encryptedApiKey) {
+        const [version, iv64, tag64, payload64] = encryptedApiKey.split(':');
+        if (version !== ENCRYPTION_VERSION || !iv64 || !tag64 || !payload64) {
+            throw new Error('Unsupported credential encryption format');
+        }
+        const decipher = (0, crypto_1.createDecipheriv)('aes-256-gcm', this.getKeyMaterial(), Buffer.from(iv64, 'base64'));
+        decipher.setAuthTag(Buffer.from(tag64, 'base64'));
+        const decrypted = Buffer.concat([
+            decipher.update(Buffer.from(payload64, 'base64')),
+            decipher.final(),
+        ]);
+        return decrypted.toString('utf8');
+    }
+    async resolveCredentials(tenants) {
+        if (!this.repository || !tenants || Object.keys(tenants).length === 0) {
+            return {};
+        }
+        const tenantKey = getTenantKey(tenants);
+        if (!tenantKey) {
+            return {};
+        }
+        const credentials = await this.repository.findByTenantKey(tenantKey);
+        return credentials.reduce((acc, credential) => {
+            try {
+                const field = mapProviderToConfigField(credential.provider);
+                acc[field] = this.decryptApiKey(credential.encryptedApiKey);
+                if (credential.baseUrl) {
+                    const baseUrlField = mapProviderToBaseUrlField(credential.provider);
+                    acc[baseUrlField] = credential.baseUrl;
+                }
+            }
+            catch (error) {
+                logger_1.logger.warn({
+                    error: error instanceof Error ? error.message : 'Unknown error',
+                    provider: credential.provider,
+                    tenantKey,
+                }, 'Failed to decrypt tenant credential; skipping provider');
+            }
+            return acc;
+        }, {});
+    }
+    async upsertCredential(params) {
+        if (!this.repository) {
+            throw new Error('Tenant credential repository is not configured');
+        }
+        const tenantKey = getTenantKey(params.tenants);
+        if (!tenantKey) {
+            throw new Error('tenants must include at least one non-empty key/value');
+        }
+        const encryptedApiKey = this.encryptApiKey(params.apiKey);
+        await this.repository.upsertByTenantKeyAndProvider(tenantKey, params.tenants, params.provider, encryptedApiKey, params.baseUrl);
+        return { tenantKey, provider: params.provider };
+    }
+    async listProviders(tenants) {
+        if (!this.repository) {
+            return { tenantKey: '', providers: [] };
+        }
+        const tenantKey = getTenantKey(tenants);
+        if (!tenantKey) {
+            return { tenantKey: '', providers: [] };
+        }
+        const credentials = await this.repository.findByTenantKey(tenantKey);
+        return {
+            tenantKey,
+            providers: credentials.map((credential) => credential.provider),
+        };
+    }
+    async deleteCredential(params) {
+        if (!this.repository) {
+            return false;
+        }
+        const tenantKey = getTenantKey(params.tenants);
+        if (!tenantKey) {
+            return false;
+        }
+        return this.repository.deleteByTenantKeyAndProvider(tenantKey, params.provider);
+    }
+}
+exports.TenantCredentialResolver = TenantCredentialResolver;
+//# sourceMappingURL=TenantCredentialResolver.js.map

package/dist/cjs/services/TenantCredentialResolver.cjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"TenantCredentialResolver.js","sourceRoot":"","sources":["../../../src/services/TenantCredentialResolver.ts"],"names":[],"mappings":";;;AAoBA,oCAKC;AAzBD,mCAAmF;AAInF,2CAAwC;AAcxC,MAAM,kBAAkB,GAAG,IAAI,CAAC;AAEhC,SAAgB,YAAY,CAAC,OAA+B;IAC1D,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC;SACpC,MAAM,CAAC,CAAC,CAAC,GAAG,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,IAAI,KAAK,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,CAAC;SAC1E,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,KAAK,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC,CAAC;IACxD,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,IAAI,KAAK,EAAE,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AACpE,CAAC;AAED,SAAS,wBAAwB,CAAC,QAAoB;IACpD,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,QAAQ;YACX,OAAO,cAAc,CAAC;QACxB,KAAK,WAAW;YACd,OAAO,iBAAiB,CAAC;QAC3B,KAAK,QAAQ;YACX,OAAO,cAAc,CAAC;QACxB,KAAK,YAAY;YACf,OAAO,kBAAkB,CAAC;IAC9B,CAAC;AACH,CAAC;AAED,SAAS,yBAAyB,CAAC,QAAoB;IACrD,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,QAAQ;YACX,OAAO,eAAe,CAAC;QACzB,KAAK,WAAW;YACd,OAAO,kBAAkB,CAAC;QAC5B,KAAK,QAAQ;YACX,OAAO,eAAe,CAAC;QACzB,KAAK,YAAY;YACf,OAAO,mBAAmB,CAAC;IAC/B,CAAC;AACH,CAAC;AAED,MAAa,wBAAwB;IACnC,YACmB,UAAoD,EACpD,UAAwB;QADxB,eAAU,GAAV,UAAU,CAA0C;QACpD,eAAU,GAAV,UAAU,CAAc;IACxC,CAAC;IAEI,cAAc;QACpB,MAAM,MAAM,GAAG,IAAI,CAAC,UAAU,CAAC,wBAAwB,CAAC;QACxD,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;YAClC,MAAM,IAAI,KAAK,CAAC,uEAAuE,CAAC,CAAC;QAC3F,CAAC;QACD,OAAO,IAAA,mBAAU,EAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,EAAE,CAAC;IACtD,CAAC;IAED,aAAa,CAAC,MAAc;QAC1B,MAAM,EAAE,GAAG,IAAA,oBAAW,EAAC,EAAE,CAAC,CAAC;QAC3B,MAAM,MAAM,GAAG,IAAA,uBAAc,EAAC,aAAa,EAAE,IAAI,CAAC,cAAc,EAAE,EAAE,EAAE,CAAC,CAAC;QACxE,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;QACjF,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;QAChC,OAAO,GAAG,kBAAkB,IAAI,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;IACpH,CAAC;IAED,aAAa,CAAC,eAAuB;QACnC,MAAM,CAAC,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,SAAS,CAAC,GAAG,eAAe,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACrE,IAAI,OAAO,KAAK,kBAAkB,IAAI,CAAC,IAAI,IAAI,CAAC,KAAK,IAAI,CAAC,SAAS,EAAE,CAAC;YACpE,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;QAC9D,CAAC;QACD,MAAM,QAAQ,GAAG,IAAA,yBAAgB,EAC/B,aAAa,EACb,IAAI,CAAC,cAAc,EAAE,EACrB,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,QAAQ,CAAC,CAC5B,CAAC;QACF,QAAQ,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC,CAAC;QAClD,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC;YAC9B,QAAQ,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;YACjD,QAAQ,CAAC,KAAK,EAAE;SACjB,CAAC,CAAC;QACH,OAAO,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IACpC,CAAC;IAED,KAAK,CAAC,kBAAkB,CAAC,OAAgC;QACvD,IAAI,CAAC,IAAI,CAAC,UAAU,IAAI,CAAC,OAAO,IAAI,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACtE,OAAO,EAAE,CAAC;QACZ,CAAC;QACD,MAAM,SAAS,GAAG,YAAY,CAAC,OAAO,CAAC,CAAC;QACxC,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,eAAe,CAAC,SAAS,CAAC,CAAC;QACrE,OAAO,WAAW,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,UAAU,EAAE,EAAE;YAC5C,IAAI,CAAC;gBACH,MAAM,KAAK,GAAG,wBAAwB,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;gBAC5D,GAAG,CAAC,KAAK,CAAC,GAAG,IAAI,CAAC,aAAa,CAAC,UAAU,CAAC,eAAe,CAAC,CAAC;gBAC5D,IAAI,UAAU,CAAC,OAAO,EAAE,CAAC;oBACvB,MAAM,YAAY,GAAG,yBAAyB,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;oBACpE,GAAG,CAAC,YAAY,CAAC,GAAG,UAAU,CAAC,OAAO,CAAC;gBACzC,CAAC;YACH,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,eAAM,CAAC,IAAI,CACT;oBACE,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe;oBAC/D,QAAQ,EAAE,UAAU,CAAC,QAAQ;oBAC7B,SAAS;iBACV,EACD,wDAAwD,CACzD,CAAC;YACJ,CAAC;YACD,OAAO,GAAG,CAAC;QACb,CAAC,EAAE,EAAmB,CAAC,CAAC;IAC1B,CAAC;IAED,KAAK,CAAC,gBAAgB,CAAC,MAKtB;QACC,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC;YACrB,MAAM,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAAC;QACpE,CAAC;QACD,MAAM,SAAS,GAAG,YAAY,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QAC/C,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,CAAC,uDAAuD,CAAC,CAAC;QAC3E,CAAC;QACD,MAAM,eAAe,GAAG,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QAC1D,MAAM,IAAI,CAAC,UAAU,CAAC,4BAA4B,CAChD,SAAS,EACT,MAAM,CAAC,OAAO,EACd,MAAM,CAAC,QAAQ,EACf,eAAe,EACf,MAAM,CAAC,OAAO,CACf,CAAC;QACF,OAAO,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAE,CAAC;IAClD,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,OAA+B;QACjD,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC;YACrB,OAAO,EAAE,SAAS,EAAE,EAAE,EAAE,SAAS,EAAE,EAAE,EAAE,CAAC;QAC1C,CAAC;QACD,MAAM,SAAS,GAAG,YAAY,CAAC,OAAO,CAAC,CAAC;QACxC,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,OAAO,EAAE,SAAS,EAAE,EAAE,EAAE,SAAS,EAAE,EAAE,EAAE,CAAC;QAC1C,CAAC;QACD,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,eAAe,CAAC,SAAS,CAAC,CAAC;QACrE,OAAO;YACL,SAAS;YACT,SAAS,EAAE,WAAW,CAAC,GAAG,CAAC,CAAC,UAAU,EAAE,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC;SAChE,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,gBAAgB,CAAC,MAAiE;QACtF,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC;YACrB,OAAO,KAAK,CAAC;QACf,CAAC;QACD,MAAM,SAAS,GAAG,YAAY,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QAC/C,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,OAAO,KAAK,CAAC;QACf,CAAC;QACD,OAAO,IAAI,CAAC,UAAU,CAAC,4BAA4B,CAAC,SAAS,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;IAClF,CAAC;CACF;AAzHD,4DAyHC"}

package/dist/cjs/services/TenantCredentialResolver.d.ts

@@ -0,0 +1,32 @@
+import type { AIProvider } from '@multiplayer-app/ai-agent-types';
+import type { TenantAICredentialRepository } from '@multiplayer-app/ai-agent-db';
+import type { Config } from '../config';
+export type AICredentials = Partial<Pick<Config['ai'], 'openaiApiKey' | 'anthropicApiKey' | 'googleApiKey' | 'openrouterApiKey' | 'openaiBaseUrl' | 'anthropicBaseUrl' | 'googleBaseUrl' | 'openrouterBaseUrl'>>;
+export declare function getTenantKey(tenants: Record<string, string>): string;
+export declare class TenantCredentialResolver {
+    private readonly repository;
+    private readonly baseConfig;
+    constructor(repository: TenantAICredentialRepository | undefined, baseConfig: Config['ai']);
+    private getKeyMaterial;
+    encryptApiKey(apiKey: string): string;
+    decryptApiKey(encryptedApiKey: string): string;
+    resolveCredentials(tenants?: Record<string, string>): Promise<AICredentials>;
+    upsertCredential(params: {
+        tenants: Record<string, string>;
+        provider: AIProvider;
+        apiKey: string;
+        baseUrl?: string;
+    }): Promise<{
+        tenantKey: string;
+        provider: AIProvider;
+    }>;
+    listProviders(tenants: Record<string, string>): Promise<{
+        tenantKey: string;
+        providers: AIProvider[];
+    }>;
+    deleteCredential(params: {
+        tenants: Record<string, string>;
+        provider: AIProvider;
+    }): Promise<boolean>;
+}
+//# sourceMappingURL=TenantCredentialResolver.d.ts.map

package/dist/cjs/services/TenantCredentialResolver.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"TenantCredentialResolver.d.ts","sourceRoot":"","sources":["../../../src/services/TenantCredentialResolver.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,iCAAiC,CAAC;AAClE,OAAO,KAAK,EAAE,4BAA4B,EAAE,MAAM,8BAA8B,CAAC;AACjF,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,WAAW,CAAC;AAGxC,MAAM,MAAM,aAAa,GAAG,OAAO,CAAC,IAAI,CACtC,MAAM,CAAC,IAAI,CAAC,EACV,cAAc,GACd,iBAAiB,GACjB,cAAc,GACd,kBAAkB,GAClB,eAAe,GACf,kBAAkB,GAClB,eAAe,GACf,mBAAmB,CACtB,CAAC,CAAC;AAIH,wBAAgB,YAAY,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,MAAM,CAKpE;AA4BD,qBAAa,wBAAwB;IAEjC,OAAO,CAAC,QAAQ,CAAC,UAAU;IAC3B,OAAO,CAAC,QAAQ,CAAC,UAAU;gBADV,UAAU,EAAE,4BAA4B,GAAG,SAAS,EACpD,UAAU,EAAE,MAAM,CAAC,IAAI,CAAC;IAG3C,OAAO,CAAC,cAAc;IAQtB,aAAa,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM;IAQrC,aAAa,CAAC,eAAe,EAAE,MAAM,GAAG,MAAM;IAkBxC,kBAAkB,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,OAAO,CAAC,aAAa,CAAC;IAgC5E,gBAAgB,CAAC,MAAM,EAAE;QAC7B,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAChC,QAAQ,EAAE,UAAU,CAAC;QACrB,MAAM,EAAE,MAAM,CAAC;QACf,OAAO,CAAC,EAAE,MAAM,CAAC;KAClB,GAAG,OAAO,CAAC;QAAE,SAAS,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,UAAU,CAAA;KAAE,CAAC;IAmBlD,aAAa,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,OAAO,CAAC;QAAE,SAAS,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,UAAU,EAAE,CAAA;KAAE,CAAC;IAevG,gBAAgB,CAAC,MAAM,EAAE;QAAE,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAAC,QAAQ,EAAE,UAAU,CAAA;KAAE,GAAG,OAAO,CAAC,OAAO,CAAC;CAU5G"}

package/dist/cjs/services/TenantCredentialResolver.test.cjs

@@ -0,0 +1,113 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const vitest_1 = require("vitest");
+const TenantCredentialResolver_1 = require("./TenantCredentialResolver.cjs");
+(0, vitest_1.describe)('TenantCredentialResolver', () => {
+    let repository;
+    let resolver;
+    (0, vitest_1.beforeEach)(() => {
+        repository = {
+            findByTenantKey: vitest_1.vi.fn(),
+            findByTenantKeyAndProvider: vitest_1.vi.fn(),
+            upsertByTenantKeyAndProvider: vitest_1.vi.fn(),
+            deleteByTenantKeyAndProvider: vitest_1.vi.fn(),
+            findById: vitest_1.vi.fn(),
+            find: vitest_1.vi.fn(),
+            findOne: vitest_1.vi.fn(),
+            create: vitest_1.vi.fn(),
+            update: vitest_1.vi.fn(),
+            delete: vitest_1.vi.fn(),
+            exists: vitest_1.vi.fn(),
+            count: vitest_1.vi.fn(),
+        };
+        resolver = new TenantCredentialResolver_1.TenantCredentialResolver(repository, {
+            credentialsEncryptionKey: '0123456789abcdef0123456789abcdef',
+        });
+    });
+    (0, vitest_1.it)('creates stable tenantKey from sorted non-empty entries', () => {
+        const tenantKey = (0, TenantCredentialResolver_1.getTenantKey)({
+            accountId: 'acme',
+            orgId: 'north',
+            ignored: '',
+        });
+        (0, vitest_1.expect)(tenantKey).toBe('accountId=acme|orgId=north');
+    });
+    (0, vitest_1.it)('upserts encrypted api key with optional baseUrl', async () => {
+        repository.upsertByTenantKeyAndProvider.mockResolvedValue({
+            id: 'cred-1',
+        });
+        await resolver.upsertCredential({
+            tenants: { accountId: 'acme' },
+            provider: 'openai',
+            apiKey: 'raw-openai-key',
+            baseUrl: 'https://tenant.openai.local',
+        });
+        (0, vitest_1.expect)(repository.upsertByTenantKeyAndProvider).toHaveBeenCalledTimes(1);
+        const callArgs = repository.upsertByTenantKeyAndProvider.mock.calls[0];
+        (0, vitest_1.expect)(callArgs[0]).toBe('accountId=acme');
+        (0, vitest_1.expect)(callArgs[1]).toEqual({ accountId: 'acme' });
+        (0, vitest_1.expect)(callArgs[2]).toBe('openai');
+        (0, vitest_1.expect)(callArgs[3]).not.toBe('raw-openai-key');
+        (0, vitest_1.expect)(String(callArgs[3])).toMatch(/^v1:/);
+        (0, vitest_1.expect)(callArgs[4]).toBe('https://tenant.openai.local');
+    });
+    (0, vitest_1.it)('resolves api keys and optional baseUrls by provider', async () => {
+        const encryptedOpenAIKey = resolver.encryptApiKey('tenant-openai-key');
+        const encryptedAnthropicKey = resolver.encryptApiKey('tenant-anthropic-key');
+        repository.findByTenantKey.mockResolvedValue([
+            {
+                id: 'cred-openai',
+                tenantKey: 'accountId=acme',
+                tenants: { accountId: 'acme' },
+                provider: 'openai',
+                encryptedApiKey: encryptedOpenAIKey,
+                baseUrl: 'https://tenant.openai.local',
+                createdAt: new Date().toISOString(),
+                updatedAt: new Date().toISOString(),
+            },
+            {
+                id: 'cred-anthropic',
+                tenantKey: 'accountId=acme',
+                tenants: { accountId: 'acme' },
+                provider: 'anthropic',
+                encryptedApiKey: encryptedAnthropicKey,
+                createdAt: new Date().toISOString(),
+                updatedAt: new Date().toISOString(),
+            },
+        ]);
+        const result = await resolver.resolveCredentials({ accountId: 'acme' });
+        (0, vitest_1.expect)(result).toEqual({
+            openaiApiKey: 'tenant-openai-key',
+            openaiBaseUrl: 'https://tenant.openai.local',
+            anthropicApiKey: 'tenant-anthropic-key',
+        });
+    });
+    (0, vitest_1.it)('skips malformed encrypted records and still resolves valid credentials', async () => {
+        const encryptedOpenAIKey = resolver.encryptApiKey('tenant-openai-key');
+        repository.findByTenantKey.mockResolvedValue([
+            {
+                id: 'cred-bad',
+                tenantKey: 'accountId=acme',
+                tenants: { accountId: 'acme' },
+                provider: 'google',
+                encryptedApiKey: 'malformed',
+                createdAt: new Date().toISOString(),
+                updatedAt: new Date().toISOString(),
+            },
+            {
+                id: 'cred-good',
+                tenantKey: 'accountId=acme',
+                tenants: { accountId: 'acme' },
+                provider: 'openai',
+                encryptedApiKey: encryptedOpenAIKey,
+                createdAt: new Date().toISOString(),
+                updatedAt: new Date().toISOString(),
+            },
+        ]);
+        const result = await resolver.resolveCredentials({ accountId: 'acme' });
+        (0, vitest_1.expect)(result).toEqual({
+            openaiApiKey: 'tenant-openai-key',
+        });
+    });
+});
+//# sourceMappingURL=TenantCredentialResolver.test.js.map

package/dist/cjs/services/TenantCredentialResolver.test.cjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"TenantCredentialResolver.test.js","sourceRoot":"","sources":["../../../src/services/TenantCredentialResolver.test.ts"],"names":[],"mappings":";;AAAA,mCAA8D;AAC9D,yEAAoF;AAGpF,IAAA,iBAAQ,EAAC,0BAA0B,EAAE,GAAG,EAAE;IACxC,IAAI,UAAwC,CAAC;IAC7C,IAAI,QAAkC,CAAC;IAEvC,IAAA,mBAAU,EAAC,GAAG,EAAE;QACd,UAAU,GAAG;YACX,eAAe,EAAE,WAAE,CAAC,EAAE,EAAE;YACxB,0BAA0B,EAAE,WAAE,CAAC,EAAE,EAAE;YACnC,4BAA4B,EAAE,WAAE,CAAC,EAAE,EAAE;YACrC,4BAA4B,EAAE,WAAE,CAAC,EAAE,EAAE;YACrC,QAAQ,EAAE,WAAE,CAAC,EAAE,EAAE;YACjB,IAAI,EAAE,WAAE,CAAC,EAAE,EAAE;YACb,OAAO,EAAE,WAAE,CAAC,EAAE,EAAE;YAChB,MAAM,EAAE,WAAE,CAAC,EAAE,EAAE;YACf,MAAM,EAAE,WAAE,CAAC,EAAE,EAAE;YACf,MAAM,EAAE,WAAE,CAAC,EAAE,EAAE;YACf,MAAM,EAAE,WAAE,CAAC,EAAE,EAAE;YACf,KAAK,EAAE,WAAE,CAAC,EAAE,EAAE;SAC4B,CAAC;QAE7C,QAAQ,GAAG,IAAI,mDAAwB,CAAC,UAAU,EAAE;YAClD,wBAAwB,EAAE,kCAAkC;SAC7D,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,wDAAwD,EAAE,GAAG,EAAE;QAChE,MAAM,SAAS,GAAG,IAAA,uCAAY,EAAC;YAC7B,SAAS,EAAE,MAAM;YACjB,KAAK,EAAE,OAAO;YACd,OAAO,EAAE,EAAE;SACZ,CAAC,CAAC;QAEH,IAAA,eAAM,EAAC,SAAS,CAAC,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAC;IACvD,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,iDAAiD,EAAE,KAAK,IAAI,EAAE;QAC9D,UAAU,CAAC,4BAAoE,CAAC,iBAAiB,CAAC;YACjG,EAAE,EAAE,QAAQ;SACb,CAAC,CAAC;QAEH,MAAM,QAAQ,CAAC,gBAAgB,CAAC;YAC9B,OAAO,EAAE,EAAE,SAAS,EAAE,MAAM,EAAE;YAC9B,QAAQ,EAAE,QAAQ;YAClB,MAAM,EAAE,gBAAgB;YACxB,OAAO,EAAE,6BAA6B;SACvC,CAAC,CAAC;QAEH,IAAA,eAAM,EAAC,UAAU,CAAC,4BAA4B,CAAC,CAAC,qBAAqB,CAAC,CAAC,CAAC,CAAC;QACzE,MAAM,QAAQ,GAAI,UAAU,CAAC,4BAAoE,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QAChH,IAAA,eAAM,EAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;QAC3C,IAAA,eAAM,EAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,SAAS,EAAE,MAAM,EAAE,CAAC,CAAC;QACnD,IAAA,eAAM,EAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACnC,IAAA,eAAM,EAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;QAC/C,IAAA,eAAM,EAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QAC5C,IAAA,eAAM,EAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,6BAA6B,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,qDAAqD,EAAE,KAAK,IAAI,EAAE;QACnE,MAAM,kBAAkB,GAAG,QAAQ,CAAC,aAAa,CAAC,mBAAmB,CAAC,CAAC;QACvE,MAAM,qBAAqB,GAAG,QAAQ,CAAC,aAAa,CAAC,sBAAsB,CAAC,CAAC;QAE5E,UAAU,CAAC,eAAuD,CAAC,iBAAiB,CAAC;YACpF;gBACE,EAAE,EAAE,aAAa;gBACjB,SAAS,EAAE,gBAAgB;gBAC3B,OAAO,EAAE,EAAE,SAAS,EAAE,MAAM,EAAE;gBAC9B,QAAQ,EAAE,QAAQ;gBAClB,eAAe,EAAE,kBAAkB;gBACnC,OAAO,EAAE,6BAA6B;gBACtC,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;gBACnC,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;aACpC;YACD;gBACE,EAAE,EAAE,gBAAgB;gBACpB,SAAS,EAAE,gBAAgB;gBAC3B,OAAO,EAAE,EAAE,SAAS,EAAE,MAAM,EAAE;gBAC9B,QAAQ,EAAE,WAAW;gBACrB,eAAe,EAAE,qBAAqB;gBACtC,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;gBACnC,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;aACpC;SACF,CAAC,CAAC;QAEH,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,kBAAkB,CAAC,EAAE,SAAS,EAAE,MAAM,EAAE,CAAC,CAAC;QAExE,IAAA,eAAM,EAAC,MAAM,CAAC,CAAC,OAAO,CAAC;YACrB,YAAY,EAAE,mBAAmB;YACjC,aAAa,EAAE,6BAA6B;YAC5C,eAAe,EAAE,sBAAsB;SACxC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,wEAAwE,EAAE,KAAK,IAAI,EAAE;QACtF,MAAM,kBAAkB,GAAG,QAAQ,CAAC,aAAa,CAAC,mBAAmB,CAAC,CAAC;QAEtE,UAAU,CAAC,eAAuD,CAAC,iBAAiB,CAAC;YACpF;gBACE,EAAE,EAAE,UAAU;gBACd,SAAS,EAAE,gBAAgB;gBAC3B,OAAO,EAAE,EAAE,SAAS,EAAE,MAAM,EAAE;gBAC9B,QAAQ,EAAE,QAAQ;gBAClB,eAAe,EAAE,WAAW;gBAC5B,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;gBACnC,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;aACpC;YACD;gBACE,EAAE,EAAE,WAAW;gBACf,SAAS,EAAE,gBAAgB;gBAC3B,OAAO,EAAE,EAAE,SAAS,EAAE,MAAM,EAAE;gBAC9B,QAAQ,EAAE,QAAQ;gBAClB,eAAe,EAAE,kBAAkB;gBACnC,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;gBACnC,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;aACpC;SACF,CAAC,CAAC;QAEH,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,kBAAkB,CAAC,EAAE,SAAS,EAAE,MAAM,EAAE,CAAC,CAAC;QAExE,IAAA,eAAM,EAAC,MAAM,CAAC,CAAC,OAAO,CAAC;YACrB,YAAY,EAAE,mBAAmB;SAClC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/cjs/services/TenantCredentialResolver.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=TenantCredentialResolver.test.d.ts.map

package/dist/cjs/services/TenantCredentialResolver.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"TenantCredentialResolver.test.d.ts","sourceRoot":"","sources":["../../../src/services/TenantCredentialResolver.test.ts"],"names":[],"mappings":""}

package/dist/cjs/services/index.cjs

@@ -15,8 +15,13 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 __exportStar(require("./AIService.cjs"), exports);
+__exportStar(require("./ExecutionContext.cjs"), exports);
+__exportStar(require("./CredentialProvider.cjs"), exports);
+__exportStar(require("./ProviderClientFactory.cjs"), exports);
+__exportStar(require("./ModelAccessPolicy.cjs"), exports);
 __exportStar(require("./RedisService.cjs"), exports);
 __exportStar(require("./SocketService.cjs"), exports);
 __exportStar(require("./ModelFetcher.cjs"), exports);
 __exportStar(require("./InternalEventsHandler.cjs"), exports);
+__exportStar(require("./TenantCredentialResolver.cjs"), exports);
 //# sourceMappingURL=index.js.map

package/dist/cjs/services/index.cjs.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/services/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,8CAA4B;AAC5B,iDAA+B;AAC/B,kDAAgC;AAChC,iDAA+B;AAC/B,0DAAwC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/services/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,8CAA4B;AAC5B,qDAAmC;AACnC,uDAAqC;AACrC,0DAAwC;AACxC,sDAAoC;AACpC,iDAA+B;AAC/B,kDAAgC;AAChC,iDAA+B;AAC/B,0DAAwC;AACxC,6DAA2C"}

package/dist/cjs/services/index.d.ts

@@ -1,6 +1,11 @@
 export * from './AIService';
+export * from './ExecutionContext';
+export * from './CredentialProvider';
+export * from './ProviderClientFactory';
+export * from './ModelAccessPolicy';
 export * from './RedisService';
 export * from './SocketService';
 export * from './ModelFetcher';
 export * from './InternalEventsHandler';
+export * from './TenantCredentialResolver';
 //# sourceMappingURL=index.d.ts.map

package/dist/cjs/services/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/services/index.ts"],"names":[],"mappings":"AAAA,cAAc,aAAa,CAAC;AAC5B,cAAc,gBAAgB,CAAC;AAC/B,cAAc,iBAAiB,CAAC;AAChC,cAAc,gBAAgB,CAAC;AAC/B,cAAc,yBAAyB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/services/index.ts"],"names":[],"mappings":"AAAA,cAAc,aAAa,CAAC;AAC5B,cAAc,oBAAoB,CAAC;AACnC,cAAc,sBAAsB,CAAC;AACrC,cAAc,yBAAyB,CAAC;AACxC,cAAc,qBAAqB,CAAC;AACpC,cAAc,gBAAgB,CAAC;AAC/B,cAAc,iBAAiB,CAAC;AAChC,cAAc,gBAAgB,CAAC;AAC/B,cAAc,yBAAyB,CAAC;AACxC,cAAc,4BAA4B,CAAC"}