@ouro.bot/cli 0.1.0-alpha.43 → 0.1.0-alpha.430

package/dist/repertoire/vault-setup.js

@@ -0,0 +1,246 @@
+"use strict";
+/**
+ * Vault setup module — Bitwarden/Vaultwarden account creation.
+ *
+ * Implements the Bitwarden registration protocol using Node.js crypto:
+ * - PBKDF2-SHA256 for master key derivation
+ * - HKDF-SHA256 for key stretching
+ * - AES-256-CBC for symmetric key protection
+ * - RSA-2048 keypair for asymmetric encryption
+ *
+ * All crypto follows the Bitwarden security whitepaper:
+ * https://bitwarden.com/help/bitwarden-security-white-paper/
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.deriveMasterKey = deriveMasterKey;
+exports.deriveMasterPasswordHash = deriveMasterPasswordHash;
+exports.deriveStretchedMasterKey = deriveStretchedMasterKey;
+exports.makeProtectedSymmetricKey = makeProtectedSymmetricKey;
+exports.createVaultAccount = createVaultAccount;
+const crypto = __importStar(require("node:crypto"));
+const runtime_1 = require("../nerves/runtime");
+// ---------------------------------------------------------------------------
+// Crypto primitives
+// ---------------------------------------------------------------------------
+/**
+ * Derive the master key from password and email using PBKDF2-SHA256.
+ * Email is lowercased and used as the salt per Bitwarden spec.
+ */
+function deriveMasterKey(password, email, iterations) {
+    return new Promise((resolve, reject) => {
+        crypto.pbkdf2(password, email.toLowerCase(), iterations, 32, "sha256", (err, key) => {
+            /* v8 ignore next -- defensive: pbkdf2 rejects on invalid input @preserve */
+            if (err)
+                reject(err);
+            else
+                resolve(key);
+        });
+    });
+}
+/**
+ * Derive the master password hash: PBKDF2-SHA256(masterKey, password, 1 iteration).
+ * This hash is sent to the server for authentication — it never sees the master key.
+ */
+function deriveMasterPasswordHash(masterKey, password) {
+    return new Promise((resolve, reject) => {
+        crypto.pbkdf2(masterKey, password, 1, 32, "sha256", (err, hash) => {
+            /* v8 ignore next -- defensive: pbkdf2 rejects on invalid input @preserve */
+            if (err)
+                reject(err);
+            else
+                resolve(hash.toString("base64"));
+        });
+    });
+}
+/**
+ * Stretch the master key using HKDF-Expand-only (RFC 5869 §2.3) to produce a 64-byte key.
+ * First 32 bytes = encryption key, last 32 bytes = MAC key.
+ *
+ * CRITICAL: Bitwarden uses HKDF-Expand ONLY (no Extract step).
+ * Node.js crypto.hkdfSync() does Extract+Expand which produces DIFFERENT output.
+ * Reference: https://github.com/bitwarden/sdk-internal/blob/main/crates/bitwarden-crypto/src/util.rs
+ * Bitwarden calls Hkdf::<Sha256>::from_prk(masterKey).expand(info, output) — Expand only.
+ */
+function deriveStretchedMasterKey(masterKey) {
+    const encKey = hkdfExpandOnly(masterKey, "enc", 32);
+    const macKey = hkdfExpandOnly(masterKey, "mac", 32);
+    return Buffer.concat([encKey, macKey]);
+}
+/**
+ * HKDF-Expand only (RFC 5869 §2.3) — no Extract step.
+ * Matches Bitwarden's Hkdf::from_prk(prk).expand(info).
+ */
+function hkdfExpandOnly(prk, info, length) {
+    const hashLen = 32; // SHA-256
+    const n = Math.ceil(length / hashLen);
+    let okm = Buffer.alloc(0);
+    let t = Buffer.alloc(0);
+    for (let i = 1; i <= n; i++) {
+        t = crypto.createHmac("sha256", prk)
+            .update(Buffer.concat([t, Buffer.from(info, "utf8"), Buffer.from([i])]))
+            .digest();
+        okm = Buffer.concat([okm, t]);
+    }
+    return okm.subarray(0, length);
+}
+/**
+ * Encrypt data with AES-256-CBC and HMAC-SHA256 MAC.
+ * Returns a Bitwarden "type 2" cipherstring: "2.<iv>|<ct>|<mac>"
+ */
+function encryptWithStretchedKey(data, stretchedKey) {
+    const encKey = stretchedKey.subarray(0, 32);
+    const macKey = stretchedKey.subarray(32, 64);
+    const iv = crypto.randomBytes(16);
+    const cipher = crypto.createCipheriv("aes-256-cbc", encKey, iv);
+    const ct = Buffer.concat([cipher.update(data), cipher.final()]);
+    // MAC covers iv + ct
+    const mac = crypto.createHmac("sha256", macKey)
+        .update(iv)
+        .update(ct)
+        .digest();
+    return `2.${iv.toString("base64")}|${ct.toString("base64")}|${mac.toString("base64")}`;
+}
+/**
+ * Generate a 64-byte symmetric key, encrypt it with the stretched master key.
+ * Returns the "protected symmetric key" cipherstring.
+ */
+function makeProtectedSymmetricKey(stretchedMasterKey) {
+    const symKey = crypto.randomBytes(64);
+    return encryptWithStretchedKey(symKey, stretchedMasterKey);
+}
+/**
+ * Generate an RSA-2048 keypair.
+ * Returns { publicKey: base64-DER, privateKeyDer: Buffer }.
+ */
+function generateRsaKeypair() {
+    const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", {
+        modulusLength: 2048,
+        publicKeyEncoding: { type: "spki", format: "der" },
+        privateKeyEncoding: { type: "pkcs8", format: "der" },
+    });
+    return {
+        publicKeyB64: publicKey.toString("base64"),
+        privateKeyDer: privateKey,
+    };
+}
+// ---------------------------------------------------------------------------
+// Registration
+// ---------------------------------------------------------------------------
+const KDF_PBKDF2 = 0;
+const KDF_ITERATIONS = 600000;
+const REGISTER_ACCOUNT_PATH = "/identity/accounts/register";
+/**
+ * Create a Bitwarden account on the configured Vaultwarden server.
+ * Uses the Bitwarden registration API with standard KDF implementation.
+ */
+async function createVaultAccount(agentName, serverUrl, email, masterPassword) {
+    (0, runtime_1.emitNervesEvent)({
+        event: "repertoire.vault_setup_start",
+        component: "repertoire",
+        message: `creating vault account for ${agentName}`,
+        meta: { agentName, serverUrl, email },
+    });
+    try {
+        // Step 1: Derive keys
+        const masterKey = await deriveMasterKey(masterPassword, email, KDF_ITERATIONS);
+        const masterPasswordHash = await deriveMasterPasswordHash(masterKey, masterPassword);
+        const stretchedKey = deriveStretchedMasterKey(masterKey);
+        // Step 2: Generate symmetric key (64 bytes = 32 enc + 32 mac), encrypt with stretched key
+        const symKey = crypto.randomBytes(64);
+        const protectedSymKey = encryptWithStretchedKey(symKey, stretchedKey);
+        // Step 3: Generate RSA keypair, encrypt private key with the symmetric key
+        const { publicKeyB64, privateKeyDer } = generateRsaKeypair();
+        const encryptedPrivateKey = encryptWithStretchedKey(privateKeyDer, symKey);
+        // Step 4: POST registration
+        const registrationUrl = `${serverUrl}${REGISTER_ACCOUNT_PATH}`;
+        const res = await fetch(registrationUrl, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify({
+                name: agentName,
+                email,
+                masterPasswordHash,
+                masterPasswordHint: null,
+                key: protectedSymKey,
+                kdf: KDF_PBKDF2,
+                kdfIterations: KDF_ITERATIONS,
+                keys: {
+                    publicKey: publicKeyB64,
+                    encryptedPrivateKey,
+                },
+            }),
+        });
+        if (!res.ok) {
+            let errorDetail;
+            try {
+                const body = await res.json();
+                errorDetail = body.message ?? `HTTP ${res.status} ${res.statusText}`;
+            }
+            catch {
+                errorDetail = `HTTP ${res.status} ${res.statusText}`;
+            }
+            const endpointAwareError = `${errorDetail} from ${registrationUrl}. Check --server; Ouro expects a Bitwarden/Vaultwarden identity API.`;
+            (0, runtime_1.emitNervesEvent)({
+                level: "error",
+                event: "repertoire.vault_setup_error",
+                component: "repertoire",
+                message: `vault registration failed: ${endpointAwareError}`,
+                meta: { agentName, serverUrl, email, registrationUrl, reason: endpointAwareError },
+            });
+            return { success: false, email, serverUrl, error: endpointAwareError };
+        }
+        (0, runtime_1.emitNervesEvent)({
+            event: "repertoire.vault_setup_end",
+            component: "repertoire",
+            message: `vault account created for ${agentName}`,
+            meta: { agentName, serverUrl, email },
+        });
+        return { success: true, email, serverUrl };
+    }
+    catch (err) {
+        const reason = err instanceof Error ? err.message : String(err);
+        const registrationUrl = `${serverUrl}${REGISTER_ACCOUNT_PATH}`;
+        const endpointAwareError = `cannot reach vault registration endpoint ${registrationUrl}: ${reason}. Check network, DNS/TLS, and --server.`;
+        (0, runtime_1.emitNervesEvent)({
+            level: "error",
+            event: "repertoire.vault_setup_error",
+            component: "repertoire",
+            message: `vault setup failed: ${endpointAwareError}`,
+            meta: { agentName, serverUrl, email, registrationUrl, reason: endpointAwareError },
+        });
+        return { success: false, email, serverUrl, error: endpointAwareError };
+    }
+}

package/dist/repertoire/vault-unlock.js

@@ -0,0 +1,421 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.vaultUnlockReplaceRecoverFix = vaultUnlockReplaceRecoverFix;
+exports.credentialVaultNotConfiguredError = credentialVaultNotConfiguredError;
+exports.isCredentialVaultNotConfiguredError = isCredentialVaultNotConfiguredError;
+exports.vaultCreateRecoverFix = vaultCreateRecoverFix;
+exports.promptConfirmedVaultUnlockSecret = promptConfirmedVaultUnlockSecret;
+exports.resolveVaultUnlockStore = resolveVaultUnlockStore;
+exports.readVaultUnlockSecret = readVaultUnlockSecret;
+exports.storeVaultUnlockSecret = storeVaultUnlockSecret;
+exports.getVaultUnlockStatus = getVaultUnlockStatus;
+const node_child_process_1 = require("node:child_process");
+const crypto = __importStar(require("node:crypto"));
+const fs = __importStar(require("node:fs"));
+const os = __importStar(require("node:os"));
+const path = __importStar(require("node:path"));
+const runtime_1 = require("../nerves/runtime");
+const VAULT_UNLOCK_SERVICE = "ouro.vault";
+const CREDENTIAL_VAULT_NOT_CONFIGURED_PREFIX = "credential vault is not configured in ";
+const PLAINTEXT_UNLOCK_DIR = path.join(".ouro-cli", "vault-unlock");
+const WINDOWS_DPAPI_UNLOCK_DIR = path.join(".ouro-cli", "vault-unlock-dpapi");
+const SUPPORTED_STORES = ["auto", "macos-keychain", "windows-dpapi", "linux-secret-service", "plaintext-file"];
+function platform(deps) {
+    return deps.platform ?? process.platform;
+}
+function spawnSync(deps) {
+    return deps.spawnSync ?? node_child_process_1.spawnSync;
+}
+function homeDir(deps) {
+    return deps.homeDir ?? os.homedir();
+}
+function vaultKey(config) {
+    return `${config.serverUrl}:${config.email}`;
+}
+function vaultLabel(config) {
+    return `${config.email} at ${config.serverUrl}`;
+}
+function plaintextUnlockPath(config, deps) {
+    const digest = crypto.createHash("sha256").update(vaultKey(config)).digest("hex").slice(0, 24);
+    return path.join(homeDir(deps), PLAINTEXT_UNLOCK_DIR, `${digest}.secret`);
+}
+function windowsDpapiUnlockPath(config, deps) {
+    const digest = crypto.createHash("sha256").update(vaultKey(config)).digest("hex").slice(0, 24);
+    const localAppData = process.env.LOCALAPPDATA;
+    const baseDir = localAppData && platform(deps) === "win32"
+        ? path.join(localAppData, "Ouro")
+        : path.join(homeDir(deps), WINDOWS_DPAPI_UNLOCK_DIR);
+    return path.join(baseDir, "vault-unlock", `${digest}.dpapi`);
+}
+function commandExists(command, deps) {
+    const result = spawnSync(deps)(command, ["--version"], { encoding: "utf8" });
+    const code = result.error?.code;
+    return code !== "ENOENT";
+}
+function missingSecureStoreMessage(config) {
+    const agentPart = config.agentName ? ` for ${config.agentName}` : "";
+    return [
+        `No supported secure local secret store was found on this machine${agentPart}.`,
+        "",
+        `Ouro knows the credential vault is ${vaultLabel(config)}, but it cannot cache the vault unlock secret here yet.`,
+        "",
+        "On macOS, Ouro uses Keychain automatically.",
+        "On Windows, Ouro uses a CurrentUser DPAPI-encrypted local file automatically.",
+        "On Linux/WSL, install and configure Secret Service/libsecret, or choose the explicit plaintext fallback on a trusted machine.",
+        "",
+        config.agentName
+            ? `Run \`ouro vault unlock --agent ${config.agentName} --store plaintext-file\` to store the vault unlock secret in a chmod 0600 local file.`
+            : "Run `ouro vault unlock --store plaintext-file` to store the vault unlock secret in a chmod 0600 local file.",
+    ].join("\n");
+}
+function vaultUnlockReplaceRecoverFix(agentName, _nextStep) {
+    return `Run 'ouro vault unlock --agent ${agentName}' or 'ouro vault replace --agent ${agentName}' if the secret is lost.`;
+}
+function credentialVaultNotConfiguredError(agentName, configPath) {
+    return (`${CREDENTIAL_VAULT_NOT_CONFIGURED_PREFIX}${configPath}. ` +
+        `Run 'ouro vault create --agent ${agentName}' to create this agent's vault before loading or storing credentials.`);
+}
+function isCredentialVaultNotConfiguredError(message) {
+    return message.includes(CREDENTIAL_VAULT_NOT_CONFIGURED_PREFIX);
+}
+function vaultCreateRecoverFix(agentName, _nextStep) {
+    return `Run 'ouro vault create --agent ${agentName}' to set up this agent's vault.`;
+}
+function vaultUnlockSecretStrengthIssues(secret) {
+    const issues = [];
+    if (secret.length < 8)
+        issues.push("at least 8 characters");
+    if (!/[a-z]/.test(secret))
+        issues.push("a lowercase letter");
+    if (!/[A-Z]/.test(secret))
+        issues.push("an uppercase letter");
+    if (!/[0-9]/.test(secret))
+        issues.push("a number");
+    if (!/[^A-Za-z0-9]/.test(secret))
+        issues.push("a special character");
+    return issues;
+}
+async function promptConfirmedVaultUnlockSecret(input) {
+    const secret = (await input.promptSecret(input.question)).trim();
+    if (!secret) {
+        throw new Error(input.emptyError);
+    }
+    const issues = vaultUnlockSecretStrengthIssues(secret);
+    if (issues.length > 0) {
+        throw new Error(`vault unlock secret is too weak: add ${issues.join(", ")}. Use at least 8 characters with uppercase and lowercase letters, one number, and one special character.`);
+    }
+    const confirmation = (await input.promptSecret(input.confirmQuestion)).trim();
+    if (secret !== confirmation) {
+        throw new Error("vault unlock secrets did not match. Re-run the command and enter the same secret twice.");
+    }
+    return secret;
+}
+function lostUnlockSecretGuidance(config) {
+    if (!config.agentName) {
+        return "If nobody saved that unlock secret, run `ouro vault replace --agent <agent>` to create a new empty vault and re-enter credentials. If you do have a local JSON credential export, run `ouro vault recover --agent <agent> --from <json>` to import it.";
+    }
+    return [
+        `If nobody saved that unlock secret, run \`ouro vault replace --agent ${config.agentName}\` to create a new empty vault and re-enter credentials.`,
+        `If you do have a local JSON credential export, run \`ouro vault recover --agent ${config.agentName} --from <json>\` to import it.`,
+    ].join(" ");
+}
+function lockedMessage(config, store) {
+    const agentPart = config.agentName ? ` for ${config.agentName}` : "";
+    const command = config.agentName
+        ? `ouro vault unlock --agent ${config.agentName}${store.kind === "plaintext-file" ? " --store plaintext-file" : ""}`
+        : `ouro vault unlock${store.kind === "plaintext-file" ? " --store plaintext-file" : ""}`;
+    return [
+        `Ouro credential vault is locked on this machine${agentPart}.`,
+        "",
+        `Vault: ${vaultLabel(config)}`,
+        `Local unlock store: ${store.kind} (${store.location})`,
+        "",
+        "Provider credentials are still stored in the agent vault.",
+        "This computer does not currently have usable local unlock material for that vault.",
+        "This can happen on a new computer, after a local profile or hostname migration, or if the local unlock entry was removed.",
+        "",
+        `Run \`${command}\` and enter the saved agent vault unlock secret from the human/operator who controls that vault.`,
+        lostUnlockSecretGuidance(config),
+    ].join("\n");
+}
+function validateStoreKind(store) {
+    const requested = store ?? "auto";
+    if (!SUPPORTED_STORES.includes(requested)) {
+        throw new Error(`unknown vault unlock store '${requested}'. Use auto|macos-keychain|windows-dpapi|linux-secret-service|plaintext-file.`);
+    }
+    return requested;
+}
+function resolveVaultUnlockStore(config, deps = {}) {
+    const requested = validateStoreKind(deps.store);
+    const currentPlatform = platform(deps);
+    if (requested === "macos-keychain") {
+        if (currentPlatform !== "darwin") {
+            throw new Error(`macos-keychain unlock store is only available on macOS; this machine is ${currentPlatform}.`);
+        }
+        return { kind: "macos-keychain", secure: true, location: "macOS Keychain" };
+    }
+    if (requested === "linux-secret-service") {
+        if (currentPlatform !== "linux") {
+            throw new Error(`linux-secret-service unlock store is only available on Linux/WSL; this machine is ${currentPlatform}.`);
+        }
+        if (!commandExists("secret-tool", deps)) {
+            throw new Error("linux-secret-service unlock store requires the `secret-tool` command from libsecret.");
+        }
+        return { kind: "linux-secret-service", secure: true, location: "Secret Service via secret-tool" };
+    }
+    if (requested === "windows-dpapi") {
+        if (currentPlatform !== "win32") {
+            throw new Error(`windows-dpapi unlock store is only available on Windows; this machine is ${currentPlatform}.`);
+        }
+        return { kind: "windows-dpapi", secure: true, location: windowsDpapiUnlockPath(config, deps) };
+    }
+    if (requested === "plaintext-file") {
+        return { kind: "plaintext-file", secure: false, location: plaintextUnlockPath(config, deps) };
+    }
+    if (currentPlatform === "darwin") {
+        return { kind: "macos-keychain", secure: true, location: "macOS Keychain" };
+    }
+    if (currentPlatform === "win32") {
+        return { kind: "windows-dpapi", secure: true, location: windowsDpapiUnlockPath(config, deps) };
+    }
+    if (currentPlatform === "linux" && commandExists("secret-tool", deps)) {
+        return { kind: "linux-secret-service", secure: true, location: "Secret Service via secret-tool" };
+    }
+    throw new Error(missingSecureStoreMessage(config));
+}
+function readFromMacosKeychain(config, deps) {
+    const result = spawnSync(deps)("security", [
+        "find-generic-password",
+        "-s",
+        VAULT_UNLOCK_SERVICE,
+        "-a",
+        vaultKey(config),
+        "-w",
+    ], { encoding: "utf8" });
+    const secret = typeof result.stdout === "string" ? result.stdout.trim() : "";
+    return result.status === 0 && secret ? secret : null;
+}
+function writeToMacosKeychain(config, secret, deps) {
+    const result = spawnSync(deps)("security", [
+        "add-generic-password",
+        "-U",
+        "-s",
+        VAULT_UNLOCK_SERVICE,
+        "-a",
+        vaultKey(config),
+        "-w",
+        secret,
+    ], { encoding: "utf8" });
+    if (result.status !== 0) {
+        const stderr = typeof result.stderr === "string" ? result.stderr.trim() : "";
+        throw new Error(`failed to store vault unlock secret in macOS Keychain${stderr ? `: ${stderr}` : ""}`);
+    }
+}
+function readFromLinuxSecretService(config, deps) {
+    const result = spawnSync(deps)("secret-tool", [
+        "lookup",
+        "service",
+        VAULT_UNLOCK_SERVICE,
+        "account",
+        vaultKey(config),
+    ], { encoding: "utf8" });
+    const secret = typeof result.stdout === "string" ? result.stdout.trim() : "";
+    return result.status === 0 && secret ? secret : null;
+}
+function writeToLinuxSecretService(config, secret, deps) {
+    const result = spawnSync(deps)("secret-tool", [
+        "store",
+        "--label",
+        `Ouro credential vault ${vaultLabel(config)}`,
+        "service",
+        VAULT_UNLOCK_SERVICE,
+        "account",
+        vaultKey(config),
+    ], { encoding: "utf8", input: secret });
+    if (result.status !== 0) {
+        const stderr = typeof result.stderr === "string" ? result.stderr.trim() : "";
+        throw new Error(`failed to store vault unlock secret in Linux Secret Service${stderr ? `: ${stderr}` : ""}`);
+    }
+}
+function runWindowsDpapi(mode, payload, deps) {
+    const script = `
+$ErrorActionPreference = "Stop"
+$inputJson = [Console]::In.ReadToEnd()
+$payload = $inputJson | ConvertFrom-Json
+Add-Type -AssemblyName System.Security
+if ($payload.mode -eq "protect") {
+  $bytes = [Text.Encoding]::UTF8.GetBytes([string]$payload.secret)
+  $protected = [Security.Cryptography.ProtectedData]::Protect($bytes, $null, [Security.Cryptography.DataProtectionScope]::CurrentUser)
+  [Console]::Out.Write([Convert]::ToBase64String($protected))
+} elseif ($payload.mode -eq "unprotect") {
+  $protected = [Convert]::FromBase64String([string]$payload.ciphertext)
+  $bytes = [Security.Cryptography.ProtectedData]::Unprotect($protected, $null, [Security.Cryptography.DataProtectionScope]::CurrentUser)
+  [Console]::Out.Write([Text.Encoding]::UTF8.GetString($bytes))
+} else {
+  throw "unknown DPAPI mode"
+}
+`;
+    const result = spawnSync(deps)("powershell.exe", [
+        "-NoProfile",
+        "-NonInteractive",
+        "-ExecutionPolicy",
+        "Bypass",
+        "-Command",
+        script,
+    ], {
+        encoding: "utf8",
+        input: JSON.stringify({ mode, ...payload }),
+    });
+    if (result.status !== 0) {
+        const stderr = typeof result.stderr === "string" ? result.stderr.trim() : "";
+        const error = result.error instanceof Error ? result.error.message : stderr;
+        throw new Error(`Windows DPAPI ${mode} failed${error ? `: ${error}` : ""}`);
+    }
+    return typeof result.stdout === "string" ? result.stdout : "";
+}
+function readFromWindowsDpapi(config, deps) {
+    const filePath = windowsDpapiUnlockPath(config, deps);
+    if (!fs.existsSync(filePath))
+        return null;
+    const ciphertext = fs.readFileSync(filePath, "utf8").trim();
+    if (!ciphertext)
+        return null;
+    const secret = runWindowsDpapi("unprotect", { ciphertext }, deps).trim();
+    return secret || null;
+}
+function writeToWindowsDpapi(config, secret, deps) {
+    const filePath = windowsDpapiUnlockPath(config, deps);
+    const ciphertext = runWindowsDpapi("protect", { secret }, deps).trim();
+    fs.mkdirSync(path.dirname(filePath), { recursive: true });
+    fs.writeFileSync(filePath, `${ciphertext}\n`, "utf8");
+}
+function readFromPlaintextFile(config, deps) {
+    const filePath = plaintextUnlockPath(config, deps);
+    if (!fs.existsSync(filePath))
+        return null;
+    if (platform(deps) !== "win32") {
+        const mode = fs.statSync(filePath).mode & 0o777;
+        if ((mode & 0o077) !== 0) {
+            throw new Error(`refusing to read plaintext vault unlock file at ${filePath} because permissions are too broad; run chmod 600 ${filePath}`);
+        }
+    }
+    const secret = fs.readFileSync(filePath, "utf8").trim();
+    return secret || null;
+}
+function writeToPlaintextFile(config, secret, deps) {
+    const filePath = plaintextUnlockPath(config, deps);
+    fs.mkdirSync(path.dirname(filePath), { recursive: true, mode: 0o700 });
+    fs.writeFileSync(filePath, secret, { encoding: "utf8", mode: 0o600 });
+    if (platform(deps) !== "win32") {
+        fs.chmodSync(path.dirname(filePath), 0o700);
+        fs.chmodSync(filePath, 0o600);
+    }
+}
+function readFromStore(config, store, deps) {
+    if (store.kind === "macos-keychain")
+        return readFromMacosKeychain(config, deps);
+    if (store.kind === "windows-dpapi")
+        return readFromWindowsDpapi(config, deps);
+    if (store.kind === "linux-secret-service")
+        return readFromLinuxSecretService(config, deps);
+    return readFromPlaintextFile(config, deps);
+}
+function writeToStore(config, store, secret, deps) {
+    if (store.kind === "macos-keychain") {
+        writeToMacosKeychain(config, secret, deps);
+        return;
+    }
+    if (store.kind === "linux-secret-service") {
+        writeToLinuxSecretService(config, secret, deps);
+        return;
+    }
+    if (store.kind === "windows-dpapi") {
+        writeToWindowsDpapi(config, secret, deps);
+        return;
+    }
+    writeToPlaintextFile(config, secret, deps);
+}
+function readVaultUnlockSecret(config, deps = {}) {
+    const store = resolveVaultUnlockStore(config, deps);
+    const secret = readFromStore(config, store, deps);
+    if (!secret) {
+        throw new Error(lockedMessage(config, store));
+    }
+    (0, runtime_1.emitNervesEvent)({
+        component: "repertoire",
+        event: "repertoire.vault_unlock_loaded",
+        message: "loaded vault unlock material from local store",
+        meta: { store: store.kind, secure: store.secure, hasAgentName: !!config.agentName },
+    });
+    return { secret, store };
+}
+function storeVaultUnlockSecret(config, secret, deps = {}) {
+    const trimmed = secret.trim();
+    if (!trimmed) {
+        throw new Error("vault unlock secret is required");
+    }
+    const store = resolveVaultUnlockStore(config, deps);
+    writeToStore(config, store, trimmed, deps);
+    (0, runtime_1.emitNervesEvent)({
+        component: "repertoire",
+        event: "repertoire.vault_unlock_stored",
+        message: "stored vault unlock material in local store",
+        meta: { store: store.kind, secure: store.secure, hasAgentName: !!config.agentName },
+    });
+    return store;
+}
+function getVaultUnlockStatus(config, deps = {}) {
+    try {
+        const store = resolveVaultUnlockStore(config, deps);
+        const stored = !!readFromStore(config, store, deps);
+        return {
+            configured: true,
+            stored,
+            store,
+            fix: stored
+                ? "Vault unlock secret is available on this machine."
+                : lockedMessage(config, store),
+        };
+    }
+    catch (error) {
+        return {
+            configured: false,
+            stored: false,
+            error: error instanceof Error ? error.message : String(error),
+            fix: error instanceof Error ? error.message : String(error),
+        };
+    }
+}