@openape/apes 1.31.0 → 1.31.2

package/dist/chunk-3LH4FT4R.js

@@ -0,0 +1,138 @@
+#!/usr/bin/env node
+
+// src/errors.ts
+var CliError = class extends Error {
+  constructor(message, exitCode = 1) {
+    super(message);
+    this.exitCode = exitCode;
+    this.name = "CliError";
+  }
+  exitCode;
+};
+var CliExit = class extends Error {
+  constructor(exitCode = 0) {
+    super("");
+    this.exitCode = exitCode;
+    this.name = "CliExit";
+  }
+  exitCode;
+};
+
+// src/duration.ts
+function parseDuration(value) {
+  const match = value.match(/^(\d+)\s*([smhd])$/);
+  if (!match) {
+    throw new Error(`Invalid duration format: "${value}". Use e.g. 30m, 1h, 7d`);
+  }
+  const amount = Number.parseInt(match[1], 10);
+  switch (match[2]) {
+    case "s":
+      return amount;
+    case "m":
+      return amount * 60;
+    case "h":
+      return amount * 3600;
+    case "d":
+      return amount * 86400;
+    default:
+      throw new Error(`Unknown duration unit: ${match[2]}`);
+  }
+}
+
+// src/lib/agent-secrets-runtime.ts
+import { existsSync, mkdirSync, readdirSync, readFileSync, statSync, watch, writeFileSync } from "fs";
+import { homedir } from "os";
+import { dirname, join } from "path";
+import { openString } from "@openape/core";
+var CONFIG_DIR = join(homedir(), ".config", "openape");
+var SECRETS_DIR = join(CONFIG_DIR, "secrets.d");
+var X25519_KEY_PATH = join(CONFIG_DIR, "agent-x25519.key");
+var X25519_PUBKEY_PATH = `${X25519_KEY_PATH}.pub`;
+function envNameFromFile(file) {
+  if (!file.endsWith(".blob")) return null;
+  const env = file.slice(0, -".blob".length);
+  return /^[A-Z][A-Z0-9_]*$/.test(env) ? env : null;
+}
+function readAgentEncryptionKey(keyPath = X25519_KEY_PATH) {
+  if (!existsSync(keyPath)) return null;
+  const k = readFileSync(keyPath, "utf8").trim();
+  return k.length > 0 ? k : null;
+}
+function readAgentEncryptionPublicKey(pubPath = X25519_PUBKEY_PATH) {
+  if (!existsSync(pubPath)) return null;
+  const k = readFileSync(pubPath, "utf8").trim();
+  return k.length > 0 ? k : null;
+}
+function materializeSecrets(opts = {}) {
+  const dir = opts.dir ?? SECRETS_DIR;
+  const env = opts.env ?? process.env;
+  const log = opts.log ?? (() => {
+  });
+  const applied = [];
+  const failed = [];
+  const key = readAgentEncryptionKey(opts.keyPath);
+  const files = key && existsSync(dir) ? readdirSync(dir) : [];
+  for (const file of files) {
+    const name = envNameFromFile(file);
+    if (!name) continue;
+    try {
+      const box = JSON.parse(readFileSync(join(dir, file), "utf8"));
+      const plaintext = openString(box, key);
+      const target = typeof box.materializeTo === "string" ? box.materializeTo : null;
+      if (target) {
+        const blobMtime = statSync(join(dir, file)).mtimeMs;
+        if (!existsSync(target) || statSync(target).mtimeMs < blobMtime) {
+          mkdirSync(dirname(target), { recursive: true });
+          writeFileSync(target, plaintext, { mode: 384 });
+        }
+      } else {
+        env[name] = plaintext;
+      }
+      applied.push(name);
+    } catch (e) {
+      failed.push(file);
+      log(`secrets: failed to open ${file}: ${e.message}`);
+    }
+  }
+  const live = new Set(applied);
+  for (const prev of opts.previouslyApplied ?? []) {
+    if (!live.has(prev)) {
+      delete env[prev];
+      log(`secrets: revoked ${prev}`);
+    }
+  }
+  return { applied, failed };
+}
+function startSecretsWatcher(opts = {}) {
+  const dir = opts.dir ?? SECRETS_DIR;
+  const log = opts.log ?? (() => {
+  });
+  let appliedNames = /* @__PURE__ */ new Set();
+  const run = () => {
+    const r = materializeSecrets({ ...opts, previouslyApplied: appliedNames });
+    appliedNames = new Set(r.applied);
+  };
+  run();
+  if (!existsSync(dir)) return () => {
+  };
+  let timer = null;
+  const watcher = watch(dir, () => {
+    if (timer) clearTimeout(timer);
+    timer = setTimeout(run, 150);
+  });
+  watcher.on("error", (err) => log(`secrets: watcher error: ${err.message}`));
+  return () => {
+    if (timer) clearTimeout(timer);
+    watcher.close();
+  };
+}
+
+export {
+  CliError,
+  CliExit,
+  parseDuration,
+  readAgentEncryptionPublicKey,
+  materializeSecrets,
+  startSecretsWatcher
+};
+//# sourceMappingURL=chunk-3LH4FT4R.js.map

package/dist/chunk-3LH4FT4R.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/errors.ts","../src/duration.ts","../src/lib/agent-secrets-runtime.ts"],"sourcesContent":["export class CliError extends Error {\n  constructor(message: string, public exitCode: number = 1) {\n    super(message)\n    this.name = 'CliError'\n  }\n}\n\nexport class CliExit extends Error {\n  constructor(public exitCode: number = 0) {\n    super('')\n    this.name = 'CliExit'\n  }\n}\n","/**\n * Parse a human-readable duration string into seconds.\n * Supported formats: 30s, 5m, 1h, 7d\n */\nexport function parseDuration(value: string): number {\n  const match = value.match(/^(\\d+)\\s*([smhd])$/)\n  if (!match) {\n    throw new Error(`Invalid duration format: \"${value}\". Use e.g. 30m, 1h, 7d`)\n  }\n  const amount = Number.parseInt(match[1]!, 10)\n  switch (match[2]) {\n    case 's': return amount\n    case 'm': return amount * 60\n    case 'h': return amount * 3600\n    case 'd': return amount * 86400\n    default: throw new Error(`Unknown duration unit: ${match[2]}`)\n  }\n}\n","import type { SealedBox } from '@openape/core'\nimport { existsSync, mkdirSync, readdirSync, readFileSync, statSync, watch, writeFileSync } from 'node:fs'\nimport { homedir } from 'node:os'\nimport { dirname, join } from 'node:path'\nimport { openString } from '@openape/core'\n\n// Agent-side of the capability broker. troop seals a secret to this\n// agent's X25519 pubkey (M2a/M2c); nest drops the opaque blob into\n// ~/.config/openape/secrets.d/<ENV>.blob (M2d). Here the agent — the\n// ONLY place plaintext exists — opens it with its private key and\n// injects it into process.env so its tools (bash etc.) see it. Revoke\n// = blob removed → the env var is dropped on the next materialize.\n// See plans.openape.ai 01KRTAE8 (M2e).\n\nconst CONFIG_DIR = join(homedir(), '.config', 'openape')\nexport const SECRETS_DIR = join(CONFIG_DIR, 'secrets.d')\nexport const X25519_KEY_PATH = join(CONFIG_DIR, 'agent-x25519.key')\n// Public half written alongside the private key at spawn (agent-bootstrap).\n// Reported to troop on sync so the capability broker can seal secrets to it.\nexport const X25519_PUBKEY_PATH = `${X25519_KEY_PATH}.pub`\n\nfunction envNameFromFile(file: string): string | null {\n  if (!file.endsWith('.blob')) return null\n  const env = file.slice(0, -'.blob'.length)\n  return /^[A-Z][A-Z0-9_]*$/.test(env) ? env : null\n}\n\nexport function readAgentEncryptionKey(keyPath = X25519_KEY_PATH): string | null {\n  if (!existsSync(keyPath)) return null\n  const k = readFileSync(keyPath, 'utf8').trim()\n  return k.length > 0 ? k : null\n}\n\nexport function readAgentEncryptionPublicKey(pubPath = X25519_PUBKEY_PATH): string | null {\n  if (!existsSync(pubPath)) return null\n  const k = readFileSync(pubPath, 'utf8').trim()\n  return k.length > 0 ? k : null\n}\n\nexport interface MaterializeOptions {\n  dir?: string\n  keyPath?: string\n  /** Target env map (defaults to process.env). Injected in tests. */\n  env?: NodeJS.ProcessEnv\n  /** Env names applied by a previous materialize, to drop on revoke. */\n  previouslyApplied?: Iterable<string>\n  log?: (line: string) => void\n}\n\nexport interface MaterializeResult {\n  applied: string[]\n  failed: string[]\n}\n\n/**\n * Open every sealed blob in the secrets dir and set the corresponding\n * env var. Any env that was applied before but whose blob is now gone\n * (revoke) is deleted. Best-effort per blob — a corrupt/foreign blob\n * is logged and skipped, never throws.\n */\nexport function materializeSecrets(opts: MaterializeOptions = {}): MaterializeResult {\n  const dir = opts.dir ?? SECRETS_DIR\n  const env = opts.env ?? process.env\n  const log = opts.log ?? (() => {})\n  const applied: string[] = []\n  const failed: string[] = []\n\n  const key = readAgentEncryptionKey(opts.keyPath)\n  const files = key && existsSync(dir) ? readdirSync(dir) : []\n\n  for (const file of files) {\n    const name = envNameFromFile(file)\n    if (!name) continue\n    try {\n      const box = JSON.parse(readFileSync(join(dir, file), 'utf8')) as SealedBox & { materializeTo?: unknown }\n      const plaintext = openString(box, key!)\n      const target = typeof box.materializeTo === 'string' ? box.materializeTo : null\n      if (target) {\n        // Seed-once: write only on first seed or a newer blob (re-verify).\n        // Never clobber a file litellm refreshed in place (file > blob mtime).\n        const blobMtime = statSync(join(dir, file)).mtimeMs\n        if (!existsSync(target) || statSync(target).mtimeMs < blobMtime) {\n          mkdirSync(dirname(target), { recursive: true })\n          writeFileSync(target, plaintext, { mode: 0o600 })\n        }\n      }\n      else {\n        env[name] = plaintext\n      }\n      applied.push(name)\n    }\n    catch (e) {\n      failed.push(file)\n      log(`secrets: failed to open ${file}: ${(e as Error).message}`)\n    }\n  }\n\n  // Revoke: env names we set last time but that have no blob now.\n  const live = new Set(applied)\n  for (const prev of opts.previouslyApplied ?? []) {\n    if (!live.has(prev)) {\n      delete env[prev]\n      log(`secrets: revoked ${prev}`)\n    }\n  }\n\n  return { applied, failed }\n}\n\n/**\n * Materialize once, then fs.watch the secrets dir and re-materialize\n * on any change (rotate/revoke take effect live — the user's M2 v1\n * choice). Returns a stop function. Safe to call when the dir doesn't\n * exist yet (watch attaches once it appears on the next agent start).\n */\nexport function startSecretsWatcher(opts: MaterializeOptions = {}): () => void {\n  const dir = opts.dir ?? SECRETS_DIR\n  const log = opts.log ?? (() => {})\n  let appliedNames = new Set<string>()\n\n  const run = () => {\n    const r = materializeSecrets({ ...opts, previouslyApplied: appliedNames })\n    appliedNames = new Set(r.applied)\n  }\n\n  run()\n  if (!existsSync(dir)) return () => {}\n\n  let timer: NodeJS.Timeout | null = null\n  const watcher = watch(dir, () => {\n    // Debounce — a single rotate is several fs events (create, write).\n    if (timer) clearTimeout(timer)\n    timer = setTimeout(run, 150)\n  })\n  watcher.on('error', err => log(`secrets: watcher error: ${err.message}`))\n\n  return () => {\n    if (timer) clearTimeout(timer)\n    watcher.close()\n  }\n}\n"],"mappings":";;;AAAO,IAAM,WAAN,cAAuB,MAAM;AAAA,EAClC,YAAY,SAAwB,WAAmB,GAAG;AACxD,UAAM,OAAO;AADqB;AAElC,SAAK,OAAO;AAAA,EACd;AAAA,EAHoC;AAItC;AAEO,IAAM,UAAN,cAAsB,MAAM;AAAA,EACjC,YAAmB,WAAmB,GAAG;AACvC,UAAM,EAAE;AADS;AAEjB,SAAK,OAAO;AAAA,EACd;AAAA,EAHmB;AAIrB;;;ACRO,SAAS,cAAc,OAAuB;AACnD,QAAM,QAAQ,MAAM,MAAM,oBAAoB;AAC9C,MAAI,CAAC,OAAO;AACV,UAAM,IAAI,MAAM,6BAA6B,KAAK,yBAAyB;AAAA,EAC7E;AACA,QAAM,SAAS,OAAO,SAAS,MAAM,CAAC,GAAI,EAAE;AAC5C,UAAQ,MAAM,CAAC,GAAG;AAAA,IAChB,KAAK;AAAK,aAAO;AAAA,IACjB,KAAK;AAAK,aAAO,SAAS;AAAA,IAC1B,KAAK;AAAK,aAAO,SAAS;AAAA,IAC1B,KAAK;AAAK,aAAO,SAAS;AAAA,IAC1B;AAAS,YAAM,IAAI,MAAM,0BAA0B,MAAM,CAAC,CAAC,EAAE;AAAA,EAC/D;AACF;;;AChBA,SAAS,YAAY,WAAW,aAAa,cAAc,UAAU,OAAO,qBAAqB;AACjG,SAAS,eAAe;AACxB,SAAS,SAAS,YAAY;AAC9B,SAAS,kBAAkB;AAU3B,IAAM,aAAa,KAAK,QAAQ,GAAG,WAAW,SAAS;AAChD,IAAM,cAAc,KAAK,YAAY,WAAW;AAChD,IAAM,kBAAkB,KAAK,YAAY,kBAAkB;AAG3D,IAAM,qBAAqB,GAAG,eAAe;AAEpD,SAAS,gBAAgB,MAA6B;AACpD,MAAI,CAAC,KAAK,SAAS,OAAO,EAAG,QAAO;AACpC,QAAM,MAAM,KAAK,MAAM,GAAG,CAAC,QAAQ,MAAM;AACzC,SAAO,oBAAoB,KAAK,GAAG,IAAI,MAAM;AAC/C;AAEO,SAAS,uBAAuB,UAAU,iBAAgC;AAC/E,MAAI,CAAC,WAAW,OAAO,EAAG,QAAO;AACjC,QAAM,IAAI,aAAa,SAAS,MAAM,EAAE,KAAK;AAC7C,SAAO,EAAE,SAAS,IAAI,IAAI;AAC5B;AAEO,SAAS,6BAA6B,UAAU,oBAAmC;AACxF,MAAI,CAAC,WAAW,OAAO,EAAG,QAAO;AACjC,QAAM,IAAI,aAAa,SAAS,MAAM,EAAE,KAAK;AAC7C,SAAO,EAAE,SAAS,IAAI,IAAI;AAC5B;AAuBO,SAAS,mBAAmB,OAA2B,CAAC,GAAsB;AACnF,QAAM,MAAM,KAAK,OAAO;AACxB,QAAM,MAAM,KAAK,OAAO,QAAQ;AAChC,QAAM,MAAM,KAAK,QAAQ,MAAM;AAAA,EAAC;AAChC,QAAM,UAAoB,CAAC;AAC3B,QAAM,SAAmB,CAAC;AAE1B,QAAM,MAAM,uBAAuB,KAAK,OAAO;AAC/C,QAAM,QAAQ,OAAO,WAAW,GAAG,IAAI,YAAY,GAAG,IAAI,CAAC;AAE3D,aAAW,QAAQ,OAAO;AACxB,UAAM,OAAO,gBAAgB,IAAI;AACjC,QAAI,CAAC,KAAM;AACX,QAAI;AACF,YAAM,MAAM,KAAK,MAAM,aAAa,KAAK,KAAK,IAAI,GAAG,MAAM,CAAC;AAC5D,YAAM,YAAY,WAAW,KAAK,GAAI;AACtC,YAAM,SAAS,OAAO,IAAI,kBAAkB,WAAW,IAAI,gBAAgB;AAC3E,UAAI,QAAQ;AAGV,cAAM,YAAY,SAAS,KAAK,KAAK,IAAI,CAAC,EAAE;AAC5C,YAAI,CAAC,WAAW,MAAM,KAAK,SAAS,MAAM,EAAE,UAAU,WAAW;AAC/D,oBAAU,QAAQ,MAAM,GAAG,EAAE,WAAW,KAAK,CAAC;AAC9C,wBAAc,QAAQ,WAAW,EAAE,MAAM,IAAM,CAAC;AAAA,QAClD;AAAA,MACF,OACK;AACH,YAAI,IAAI,IAAI;AAAA,MACd;AACA,cAAQ,KAAK,IAAI;AAAA,IACnB,SACO,GAAG;AACR,aAAO,KAAK,IAAI;AAChB,UAAI,2BAA2B,IAAI,KAAM,EAAY,OAAO,EAAE;AAAA,IAChE;AAAA,EACF;AAGA,QAAM,OAAO,IAAI,IAAI,OAAO;AAC5B,aAAW,QAAQ,KAAK,qBAAqB,CAAC,GAAG;AAC/C,QAAI,CAAC,KAAK,IAAI,IAAI,GAAG;AACnB,aAAO,IAAI,IAAI;AACf,UAAI,oBAAoB,IAAI,EAAE;AAAA,IAChC;AAAA,EACF;AAEA,SAAO,EAAE,SAAS,OAAO;AAC3B;AAQO,SAAS,oBAAoB,OAA2B,CAAC,GAAe;AAC7E,QAAM,MAAM,KAAK,OAAO;AACxB,QAAM,MAAM,KAAK,QAAQ,MAAM;AAAA,EAAC;AAChC,MAAI,eAAe,oBAAI,IAAY;AAEnC,QAAM,MAAM,MAAM;AAChB,UAAM,IAAI,mBAAmB,EAAE,GAAG,MAAM,mBAAmB,aAAa,CAAC;AACzE,mBAAe,IAAI,IAAI,EAAE,OAAO;AAAA,EAClC;AAEA,MAAI;AACJ,MAAI,CAAC,WAAW,GAAG,EAAG,QAAO,MAAM;AAAA,EAAC;AAEpC,MAAI,QAA+B;AACnC,QAAM,UAAU,MAAM,KAAK,MAAM;AAE/B,QAAI,MAAO,cAAa,KAAK;AAC7B,YAAQ,WAAW,KAAK,GAAG;AAAA,EAC7B,CAAC;AACD,UAAQ,GAAG,SAAS,SAAO,IAAI,2BAA2B,IAAI,OAAO,EAAE,CAAC;AAExE,SAAO,MAAM;AACX,QAAI,MAAO,cAAa,KAAK;AAC7B,YAAQ,MAAM;AAAA,EAChB;AACF;","names":[]}