@palmyr/cli 1.0.0

package/dist/social-vault.d.ts

@@ -0,0 +1,118 @@
+export type Platform = 'twitter' | 'tiktok';
+export type AccountStatus = 'ready' | 'warming' | 'locked' | 'suspended' | 'dead';
+interface EncryptedBlob {
+    iv: string;
+    ciphertext: string;
+    tag: string;
+}
+export interface SocialCredentials {
+    /** What goes in the platform's login field — often an email, sometimes a username. */
+    login?: string;
+    password: string;
+    /** The bind/recovery email that comes with the account. Used to receive verification codes. */
+    email?: string;
+    /** Password for the bind email inbox, so automation can poll it for verification codes. */
+    email_password?: string;
+    /** RFC 4648 base32 TOTP seed (when 2FA is enabled). */
+    totp_seed?: string;
+    /** Recovery codes, if provided. */
+    recovery_codes?: string[];
+    /** Canonical profile URL from the seller. Optional, informational. */
+    profile_url?: string;
+    /** X session cookie — 40-char hex. If present, skip form login entirely. */
+    auth_token?: string;
+    /** X CSRF cookie — 160-char hex. Paired with auth_token. */
+    ct0?: string;
+    /** TikTok main auth cookie (hex). Required for TikTok cookie-injection login. */
+    tiktok_sessionid?: string;
+    /** TikTok CSRF token cookie. */
+    tiktok_csrf?: string;
+    /** TikTok device fingerprint cookie — preserves IP/device consistency. */
+    tiktok_webid?: string;
+}
+export interface SocialAccountFile {
+    id: string;
+    platform: Platform;
+    username: string;
+    previous_usernames: string[];
+    cred_crypto: EncryptedBlob;
+    /**
+     * Portable IPRoyal sticky-session key. Set when the account was seasoned
+     * server-side (e.g. pool accounts, where the first login happened before
+     * the buyer's vault existed). When present, every server op pins the
+     * residential IP to this key rather than the local `id` — so the buyer
+     * inherits the exact same IP the admin seasoned.
+     */
+    proxy_session_id?: string;
+    /**
+     * ISO-3166 alpha-2 country code (lowercase). Drives the proxy exit country
+     * AND the browser locale/timezone when the server opens a session for this
+     * account. Stored at the top level (not in the encrypted credentials) so
+     * the server can read it without decrypting the vault blob.
+     */
+    country?: string;
+    meta: {
+        acquired_at: string;
+        acquisition_source: 'import' | 'accsmarket' | 'pool' | string;
+        status: AccountStatus;
+        age_years?: number;
+        original_signup_country?: string;
+        last_action_at: string | null;
+        notes?: string;
+    };
+}
+export interface SocialAccountSummary {
+    id: string;
+    platform: Platform;
+    username: string;
+    status: AccountStatus;
+    acquired_at: string;
+    source: string;
+    last_action_at: string | null;
+    proxy_session_id?: string;
+    country?: string;
+}
+export declare function importAccount(platform: Platform, username: string, credentials: SocialCredentials, opts?: {
+    source?: string;
+    notes?: string;
+    proxy_session_id?: string;
+    country?: string;
+}): SocialAccountSummary;
+export declare function listAccounts(platform?: Platform): SocialAccountSummary[];
+export declare function getAccount(platform: Platform, username: string): SocialAccountSummary | undefined;
+export declare function removeAccount(platform: Platform, username: string): void;
+export declare function renameAccount(platform: Platform, oldUsername: string, newUsername: string): SocialAccountSummary;
+/**
+ * Decrypt and return credentials. Requires the session secret to be present
+ * in the OS credential store — i.e. the account must have been created on
+ * this machine. Use sparingly; prefer keeping creds out of memory.
+ */
+export declare function unlockCredentials(platform: Platform, username: string): SocialCredentials;
+/**
+ * Update the status / notes / last_action_at fields on an account. Doesn't
+ * touch the encrypted credentials.
+ */
+export declare function updateMeta(platform: Platform, username: string, patch: Partial<SocialAccountFile['meta']>): void;
+/**
+ * Return the proxy_session_id for an account, if any. Server ops include
+ * this so the residential IP lineage is preserved (essential for pool
+ * accounts where the admin seasoned the session from a specific IP).
+ */
+export declare function getProxySessionId(platform: Platform, username: string): string | undefined;
+/** Return the stored ISO country code for an account (lowercase), if any. */
+export declare function getCountry(platform: Platform, username: string): string | undefined;
+export interface SocialSession {
+    account_id: string;
+    platform: Platform;
+    cookies: any[];
+    captured_at: string;
+}
+/**
+ * Persist a login session. Cookies are AES-GCM encrypted with the same per-
+ * account session secret that protects credentials — an attacker with only
+ * read access to ~/.palmyr/social/sessions/ gets ciphertext, not cookies.
+ */
+export declare function saveSession(accountId: string, platform: Platform, cookies: any[]): SocialSession;
+export declare function loadSession(accountId: string): SocialSession | undefined;
+export declare function sessionAgeHours(accountId: string): number | undefined;
+export {};

package/dist/social-vault.js

@@ -0,0 +1,268 @@
+/**
+ * Local encrypted vault for social account credentials (X, TikTok, etc.).
+ *
+ * Each account is stored as a JSON file in ~/.palmyr/social/accounts/<id>.json
+ * with public metadata (id, platform, username, status) alongside an
+ * AES-256-GCM encrypted `cred_crypto` blob containing email + password +
+ * TOTP seed + recovery codes.
+ *
+ * The decryption key is a per-account 32-byte session secret held in the OS
+ * credential store. An attacker with only the file cannot decrypt it; an
+ * attacker with only the credential store entry has no ciphertext to decrypt.
+ */
+import { randomBytes, createCipheriv, createDecipheriv } from 'crypto';
+import { existsSync, readFileSync, readdirSync, writeFileSync, mkdirSync, unlinkSync } from 'fs';
+import { join } from 'path';
+import { homedir } from 'os';
+import { storeSecret, retrieveSecret, deleteSecret } from './credential-store.js';
+function getSocialDir() {
+    return process.env.PALMYR_SOCIAL_PATH || join(homedir(), '.palmyr', 'social');
+}
+function getAccountsDir() {
+    return join(getSocialDir(), 'accounts');
+}
+function ensureDirs() {
+    const root = getSocialDir();
+    if (!existsSync(root))
+        mkdirSync(root, { recursive: true });
+    const accounts = getAccountsDir();
+    if (!existsSync(accounts))
+        mkdirSync(accounts, { recursive: true });
+    const sessions = join(root, 'sessions');
+    if (!existsSync(sessions))
+        mkdirSync(sessions, { recursive: true });
+    const history = join(root, 'history');
+    if (!existsSync(history))
+        mkdirSync(history, { recursive: true });
+}
+function accountPath(id) {
+    return join(getAccountsDir(), `${id}.json`);
+}
+function newHexId() {
+    // 16 hex chars — unique enough for local scope, short enough to not be ugly.
+    return randomBytes(8).toString('hex');
+}
+function encrypt(plaintext, keyHex) {
+    const key = Buffer.from(keyHex, 'hex');
+    const iv = randomBytes(12);
+    const cipher = createCipheriv('aes-256-gcm', key, iv);
+    const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
+    const tag = cipher.getAuthTag();
+    return {
+        iv: iv.toString('hex'),
+        ciphertext: ciphertext.toString('hex'),
+        tag: tag.toString('hex'),
+    };
+}
+function decrypt(blob, keyHex) {
+    const key = Buffer.from(keyHex, 'hex');
+    const decipher = createDecipheriv('aes-256-gcm', key, Buffer.from(blob.iv, 'hex'));
+    decipher.setAuthTag(Buffer.from(blob.tag, 'hex'));
+    let plaintext = decipher.update(blob.ciphertext, 'hex', 'utf8');
+    plaintext += decipher.final('utf8');
+    return plaintext;
+}
+function readAllAccounts() {
+    ensureDirs();
+    const dir = getAccountsDir();
+    return readdirSync(dir)
+        .filter(f => f.endsWith('.json'))
+        .map(f => JSON.parse(readFileSync(join(dir, f), 'utf8')));
+}
+function findByUsername(platform, username) {
+    return readAllAccounts().find(a => a.platform === platform && a.username === username);
+}
+function findById(id) {
+    const fpath = accountPath(id);
+    if (!existsSync(fpath))
+        return undefined;
+    return JSON.parse(readFileSync(fpath, 'utf8'));
+}
+function writeAccount(account) {
+    ensureDirs();
+    writeFileSync(accountPath(account.id), JSON.stringify(account, null, 2));
+}
+// ─── Public API ────────────────────────────────────────────────────────────
+export function importAccount(platform, username, credentials, opts = {}) {
+    if (findByUsername(platform, username)) {
+        throw new Error(`${platform} account "${username}" already exists locally. Use 'remove' first if you want to re-import.`);
+    }
+    const id = newHexId();
+    const sessionSecret = randomBytes(32).toString('hex');
+    storeSecret(id, sessionSecret);
+    const account = {
+        id,
+        platform,
+        username,
+        previous_usernames: [],
+        cred_crypto: encrypt(JSON.stringify(credentials), sessionSecret),
+        proxy_session_id: opts.proxy_session_id,
+        country: opts.country ? opts.country.toLowerCase() : undefined,
+        meta: {
+            acquired_at: new Date().toISOString(),
+            acquisition_source: opts.source || 'import',
+            status: 'ready',
+            last_action_at: null,
+            notes: opts.notes,
+        },
+    };
+    writeAccount(account);
+    return summarise(account);
+}
+function summarise(acc) {
+    return {
+        id: acc.id,
+        platform: acc.platform,
+        username: acc.username,
+        status: acc.meta.status,
+        acquired_at: acc.meta.acquired_at,
+        source: acc.meta.acquisition_source,
+        last_action_at: acc.meta.last_action_at,
+        proxy_session_id: acc.proxy_session_id,
+        country: acc.country,
+    };
+}
+export function listAccounts(platform) {
+    return readAllAccounts()
+        .filter(a => !platform || a.platform === platform)
+        .map(summarise);
+}
+export function getAccount(platform, username) {
+    const acc = findByUsername(platform, username);
+    if (!acc)
+        return undefined;
+    return summarise(acc);
+}
+export function removeAccount(platform, username) {
+    const acc = findByUsername(platform, username);
+    if (!acc)
+        throw new Error(`${platform} account "${username}" not found locally`);
+    deleteSecret(acc.id);
+    const fpath = accountPath(acc.id);
+    if (existsSync(fpath))
+        unlinkSync(fpath);
+}
+export function renameAccount(platform, oldUsername, newUsername) {
+    const acc = findByUsername(platform, oldUsername);
+    if (!acc)
+        throw new Error(`${platform} account "${oldUsername}" not found locally`);
+    if (findByUsername(platform, newUsername)) {
+        throw new Error(`${platform} account "${newUsername}" already exists — can't rename into an existing slot`);
+    }
+    acc.previous_usernames.push(acc.username);
+    acc.username = newUsername;
+    writeAccount(acc);
+    return summarise(acc);
+}
+/**
+ * Decrypt and return credentials. Requires the session secret to be present
+ * in the OS credential store — i.e. the account must have been created on
+ * this machine. Use sparingly; prefer keeping creds out of memory.
+ */
+export function unlockCredentials(platform, username) {
+    const acc = findByUsername(platform, username);
+    if (!acc)
+        throw new Error(`${platform} account "${username}" not found locally`);
+    const sessionSecret = retrieveSecret(acc.id);
+    if (!sessionSecret) {
+        throw new Error(`No session secret found for ${platform}/${username}. The account was likely imported on a different machine, ` +
+            `or the OS credential store was wiped. Re-import the account to restore access.`);
+    }
+    const json = decrypt(acc.cred_crypto, sessionSecret);
+    return JSON.parse(json);
+}
+/**
+ * Update the status / notes / last_action_at fields on an account. Doesn't
+ * touch the encrypted credentials.
+ */
+export function updateMeta(platform, username, patch) {
+    const acc = findByUsername(platform, username);
+    if (!acc)
+        throw new Error(`${platform} account "${username}" not found locally`);
+    acc.meta = { ...acc.meta, ...patch };
+    writeAccount(acc);
+}
+/**
+ * Return the proxy_session_id for an account, if any. Server ops include
+ * this so the residential IP lineage is preserved (essential for pool
+ * accounts where the admin seasoned the session from a specific IP).
+ */
+export function getProxySessionId(platform, username) {
+    return findByUsername(platform, username)?.proxy_session_id;
+}
+/** Return the stored ISO country code for an account (lowercase), if any. */
+export function getCountry(platform, username) {
+    return findByUsername(platform, username)?.country;
+}
+function sessionPath(accountId) {
+    return join(getSocialDir(), 'sessions', `${accountId}.sess`);
+}
+/**
+ * Persist a login session. Cookies are AES-GCM encrypted with the same per-
+ * account session secret that protects credentials — an attacker with only
+ * read access to ~/.palmyr/social/sessions/ gets ciphertext, not cookies.
+ */
+export function saveSession(accountId, platform, cookies) {
+    ensureDirs();
+    const sessionSecret = retrieveSecret(accountId);
+    if (!sessionSecret) {
+        throw new Error(`Cannot encrypt session for ${accountId}: no session secret in the OS credential store. ` +
+            `Was the account imported on this machine?`);
+    }
+    const capturedAt = new Date().toISOString();
+    const payload = {
+        account_id: accountId,
+        platform,
+        captured_at: capturedAt,
+        cookies_crypto: encrypt(JSON.stringify(cookies), sessionSecret),
+    };
+    writeFileSync(sessionPath(accountId), JSON.stringify(payload, null, 2), { mode: 0o600 });
+    return { account_id: accountId, platform, cookies, captured_at: capturedAt };
+}
+export function loadSession(accountId) {
+    const fpath = sessionPath(accountId);
+    if (!existsSync(fpath))
+        return undefined;
+    const raw = JSON.parse(readFileSync(fpath, 'utf8'));
+    // Legacy (plaintext) sessions from before session encryption existed — migrate
+    // by re-saving encrypted when possible. Return as-is if the secret is missing.
+    if (raw.cookies && Array.isArray(raw.cookies)) {
+        const legacy = raw;
+        try {
+            saveSession(accountId, legacy.platform, legacy.cookies);
+        }
+        catch { }
+        return legacy;
+    }
+    const encFile = raw;
+    const sessionSecret = retrieveSecret(accountId);
+    if (!sessionSecret)
+        return undefined;
+    try {
+        const cookies = JSON.parse(decrypt(encFile.cookies_crypto, sessionSecret));
+        return {
+            account_id: encFile.account_id,
+            platform: encFile.platform,
+            cookies,
+            captured_at: encFile.captured_at,
+        };
+    }
+    catch {
+        return undefined;
+    }
+}
+export function sessionAgeHours(accountId) {
+    const fpath = sessionPath(accountId);
+    if (!existsSync(fpath))
+        return undefined;
+    try {
+        const raw = JSON.parse(readFileSync(fpath, 'utf8'));
+        if (!raw.captured_at)
+            return undefined;
+        return (Date.now() - new Date(raw.captured_at).getTime()) / 1000 / 3600;
+    }
+    catch {
+        return undefined;
+    }
+}
+//# sourceMappingURL=social-vault.js.map

package/dist/social-vault.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"social-vault.js","sourceRoot":"","sources":["../social-vault.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AACH,OAAO,EAAE,WAAW,EAAE,cAAc,EAAE,gBAAgB,EAAc,MAAM,QAAQ,CAAA;AAClF,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,WAAW,EAAE,aAAa,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,IAAI,CAAA;AAChG,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAA;AAC3B,OAAO,EAAE,OAAO,EAAE,MAAM,IAAI,CAAA;AAC5B,OAAO,EAAE,WAAW,EAAE,cAAc,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAA;AAiFjF,SAAS,YAAY;IACnB,OAAO,OAAO,CAAC,GAAG,CAAC,kBAAkB,IAAI,IAAI,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,QAAQ,CAAC,CAAA;AAC/E,CAAC;AAED,SAAS,cAAc;IACrB,OAAO,IAAI,CAAC,YAAY,EAAE,EAAE,UAAU,CAAC,CAAA;AACzC,CAAC;AAED,SAAS,UAAU;IACjB,MAAM,IAAI,GAAG,YAAY,EAAE,CAAA;IAC3B,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,SAAS,CAAC,IAAI,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAA;IAC3D,MAAM,QAAQ,GAAG,cAAc,EAAE,CAAA;IACjC,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC;QAAE,SAAS,CAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAA;IACnE,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,EAAE,UAAU,CAAC,CAAA;IACvC,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC;QAAE,SAAS,CAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAA;IACnE,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,SAAS,CAAC,CAAA;IACrC,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC;QAAE,SAAS,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAA;AACnE,CAAC;AAED,SAAS,WAAW,CAAC,EAAU;IAC7B,OAAO,IAAI,CAAC,cAAc,EAAE,EAAE,GAAG,EAAE,OAAO,CAAC,CAAA;AAC7C,CAAC;AAED,SAAS,QAAQ;IACf,6EAA6E;IAC7E,OAAO,WAAW,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;AACvC,CAAC;AAED,SAAS,OAAO,CAAC,SAAiB,EAAE,MAAc;IAChD,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,CAAA;IACtC,MAAM,EAAE,GAAG,WAAW,CAAC,EAAE,CAAC,CAAA;IAC1B,MAAM,MAAM,GAAG,cAAc,CAAC,aAAa,EAAE,GAAG,EAAE,EAAE,CAAC,CAAA;IACrD,MAAM,UAAU,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAA;IACpF,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,EAAE,CAAA;IAC/B,OAAO;QACL,EAAE,EAAE,EAAE,CAAC,QAAQ,CAAC,KAAK,CAAC;QACtB,UAAU,EAAE,UAAU,CAAC,QAAQ,CAAC,KAAK,CAAC;QACtC,GAAG,EAAE,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC;KACzB,CAAA;AACH,CAAC;AAED,SAAS,OAAO,CAAC,IAAmB,EAAE,MAAc;IAClD,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,CAAA;IACtC,MAAM,QAAQ,GAAG,gBAAgB,CAAC,aAAa,EAAE,GAAG,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC,CAAA;IAClF,QAAQ,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC,CAAA;IACjD,IAAI,SAAS,GAAG,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,KAAK,EAAE,MAAM,CAAC,CAAA;IAC/D,SAAS,IAAI,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAC,CAAA;IACnC,OAAO,SAAS,CAAA;AAClB,CAAC;AAED,SAAS,eAAe;IACtB,UAAU,EAAE,CAAA;IACZ,MAAM,GAAG,GAAG,cAAc,EAAE,CAAA;IAC5B,OAAO,WAAW,CAAC,GAAG,CAAC;SACpB,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;SAChC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,MAAM,CAAC,CAAsB,CAAC,CAAA;AAClF,CAAC;AAED,SAAS,cAAc,CAAC,QAAkB,EAAE,QAAgB;IAC1D,OAAO,eAAe,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,IAAI,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAA;AACxF,CAAC;AAED,SAAS,QAAQ,CAAC,EAAU;IAC1B,MAAM,KAAK,GAAG,WAAW,CAAC,EAAE,CAAC,CAAA;IAC7B,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC;QAAE,OAAO,SAAS,CAAA;IACxC,OAAO,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,KAAK,EAAE,MAAM,CAAC,CAAsB,CAAA;AACrE,CAAC;AAED,SAAS,YAAY,CAAC,OAA0B;IAC9C,UAAU,EAAE,CAAA;IACZ,aAAa,CAAC,WAAW,CAAC,OAAO,CAAC,EAAE,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAA;AAC1E,CAAC;AAED,8EAA8E;AAE9E,MAAM,UAAU,aAAa,CAC3B,QAAkB,EAClB,QAAgB,EAChB,WAA8B,EAC9B,OAAyF,EAAE;IAE3F,IAAI,cAAc,CAAC,QAAQ,EAAE,QAAQ,CAAC,EAAE,CAAC;QACvC,MAAM,IAAI,KAAK,CAAC,GAAG,QAAQ,aAAa,QAAQ,wEAAwE,CAAC,CAAA;IAC3H,CAAC;IAED,MAAM,EAAE,GAAG,QAAQ,EAAE,CAAA;IACrB,MAAM,aAAa,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;IACrD,WAAW,CAAC,EAAE,EAAE,aAAa,CAAC,CAAA;IAE9B,MAAM,OAAO,GAAsB;QACjC,EAAE;QACF,QAAQ;QACR,QAAQ;QACR,kBAAkB,EAAE,EAAE;QACtB,WAAW,EAAE,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC,EAAE,aAAa,CAAC;QAChE,gBAAgB,EAAE,IAAI,CAAC,gBAAgB;QACvC,OAAO,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,SAAS;QAC9D,IAAI,EAAE;YACJ,WAAW,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACrC,kBAAkB,EAAE,IAAI,CAAC,MAAM,IAAI,QAAQ;YAC3C,MAAM,EAAE,OAAO;YACf,cAAc,EAAE,IAAI;YACpB,KAAK,EAAE,IAAI,CAAC,KAAK;SAClB;KACF,CAAA;IACD,YAAY,CAAC,OAAO,CAAC,CAAA;IAErB,OAAO,SAAS,CAAC,OAAO,CAAC,CAAA;AAC3B,CAAC;AAED,SAAS,SAAS,CAAC,GAAsB;IACvC,OAAO;QACL,EAAE,EAAE,GAAG,CAAC,EAAE;QACV,QAAQ,EAAE,GAAG,CAAC,QAAQ;QACtB,QAAQ,EAAE,GAAG,CAAC,QAAQ;QACtB,MAAM,EAAE,GAAG,CAAC,IAAI,CAAC,MAAM;QACvB,WAAW,EAAE,GAAG,CAAC,IAAI,CAAC,WAAW;QACjC,MAAM,EAAE,GAAG,CAAC,IAAI,CAAC,kBAAkB;QACnC,cAAc,EAAE,GAAG,CAAC,IAAI,CAAC,cAAc;QACvC,gBAAgB,EAAE,GAAG,CAAC,gBAAgB;QACtC,OAAO,EAAE,GAAG,CAAC,OAAO;KACrB,CAAA;AACH,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,QAAmB;IAC9C,OAAO,eAAe,EAAE;SACrB,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC;SACjD,GAAG,CAAC,SAAS,CAAC,CAAA;AACnB,CAAC;AAED,MAAM,UAAU,UAAU,CAAC,QAAkB,EAAE,QAAgB;IAC7D,MAAM,GAAG,GAAG,cAAc,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAA;IAC9C,IAAI,CAAC,GAAG;QAAE,OAAO,SAAS,CAAA;IAC1B,OAAO,SAAS,CAAC,GAAG,CAAC,CAAA;AACvB,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,QAAkB,EAAE,QAAgB;IAChE,MAAM,GAAG,GAAG,cAAc,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAA;IAC9C,IAAI,CAAC,GAAG;QAAE,MAAM,IAAI,KAAK,CAAC,GAAG,QAAQ,aAAa,QAAQ,qBAAqB,CAAC,CAAA;IAChF,YAAY,CAAC,GAAG,CAAC,EAAE,CAAC,CAAA;IACpB,MAAM,KAAK,GAAG,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC,CAAA;IACjC,IAAI,UAAU,CAAC,KAAK,CAAC;QAAE,UAAU,CAAC,KAAK,CAAC,CAAA;AAC1C,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,QAAkB,EAAE,WAAmB,EAAE,WAAmB;IACxF,MAAM,GAAG,GAAG,cAAc,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAA;IACjD,IAAI,CAAC,GAAG;QAAE,MAAM,IAAI,KAAK,CAAC,GAAG,QAAQ,aAAa,WAAW,qBAAqB,CAAC,CAAA;IACnF,IAAI,cAAc,CAAC,QAAQ,EAAE,WAAW,CAAC,EAAE,CAAC;QAC1C,MAAM,IAAI,KAAK,CAAC,GAAG,QAAQ,aAAa,WAAW,uDAAuD,CAAC,CAAA;IAC7G,CAAC;IACD,GAAG,CAAC,kBAAkB,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;IACzC,GAAG,CAAC,QAAQ,GAAG,WAAW,CAAA;IAC1B,YAAY,CAAC,GAAG,CAAC,CAAA;IACjB,OAAO,SAAS,CAAC,GAAG,CAAC,CAAA;AACvB,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,iBAAiB,CAAC,QAAkB,EAAE,QAAgB;IACpE,MAAM,GAAG,GAAG,cAAc,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAA;IAC9C,IAAI,CAAC,GAAG;QAAE,MAAM,IAAI,KAAK,CAAC,GAAG,QAAQ,aAAa,QAAQ,qBAAqB,CAAC,CAAA;IAChF,MAAM,aAAa,GAAG,cAAc,CAAC,GAAG,CAAC,EAAE,CAAC,CAAA;IAC5C,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,MAAM,IAAI,KAAK,CACb,+BAA+B,QAAQ,IAAI,QAAQ,4DAA4D;YAC/G,gFAAgF,CACjF,CAAA;IACH,CAAC;IACD,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,WAAW,EAAE,aAAa,CAAC,CAAA;IACpD,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAsB,CAAA;AAC9C,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,UAAU,CAAC,QAAkB,EAAE,QAAgB,EAAE,KAAyC;IACxG,MAAM,GAAG,GAAG,cAAc,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAA;IAC9C,IAAI,CAAC,GAAG;QAAE,MAAM,IAAI,KAAK,CAAC,GAAG,QAAQ,aAAa,QAAQ,qBAAqB,CAAC,CAAA;IAChF,GAAG,CAAC,IAAI,GAAG,EAAE,GAAG,GAAG,CAAC,IAAI,EAAE,GAAG,KAAK,EAAE,CAAA;IACpC,YAAY,CAAC,GAAG,CAAC,CAAA;AACnB,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,iBAAiB,CAAC,QAAkB,EAAE,QAAgB;IACpE,OAAO,cAAc,CAAC,QAAQ,EAAE,QAAQ,CAAC,EAAE,gBAAgB,CAAA;AAC7D,CAAC;AAED,6EAA6E;AAC7E,MAAM,UAAU,UAAU,CAAC,QAAkB,EAAE,QAAgB;IAC7D,OAAO,cAAc,CAAC,QAAQ,EAAE,QAAQ,CAAC,EAAE,OAAO,CAAA;AACpD,CAAC;AAkBD,SAAS,WAAW,CAAC,SAAiB;IACpC,OAAO,IAAI,CAAC,YAAY,EAAE,EAAE,UAAU,EAAE,GAAG,SAAS,OAAO,CAAC,CAAA;AAC9D,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,WAAW,CAAC,SAAiB,EAAE,QAAkB,EAAE,OAAc;IAC/E,UAAU,EAAE,CAAA;IACZ,MAAM,aAAa,GAAG,cAAc,CAAC,SAAS,CAAC,CAAA;IAC/C,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,MAAM,IAAI,KAAK,CACb,8BAA8B,SAAS,kDAAkD;YACzF,2CAA2C,CAC5C,CAAA;IACH,CAAC;IACD,MAAM,UAAU,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAA;IAC3C,MAAM,OAAO,GAAyB;QACpC,UAAU,EAAE,SAAS;QACrB,QAAQ;QACR,WAAW,EAAE,UAAU;QACvB,cAAc,EAAE,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,EAAE,aAAa,CAAC;KAChE,CAAA;IACD,aAAa,CAAC,WAAW,CAAC,SAAS,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAA;IACxF,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,QAAQ,EAAE,OAAO,EAAE,WAAW,EAAE,UAAU,EAAE,CAAA;AAC9E,CAAC;AAED,MAAM,UAAU,WAAW,CAAC,SAAiB;IAC3C,MAAM,KAAK,GAAG,WAAW,CAAC,SAAS,CAAC,CAAA;IACpC,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC;QAAE,OAAO,SAAS,CAAA;IACxC,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,KAAK,EAAE,MAAM,CAAC,CAAyC,CAAA;IAE3F,+EAA+E;IAC/E,+EAA+E;IAC/E,IAAK,GAAqB,CAAC,OAAO,IAAI,KAAK,CAAC,OAAO,CAAE,GAAqB,CAAC,OAAO,CAAC,EAAE,CAAC;QACpF,MAAM,MAAM,GAAG,GAAoB,CAAA;QACnC,IAAI,CAAC;YAAC,WAAW,CAAC,SAAS,EAAE,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAC,OAAO,CAAC,CAAA;QAAC,CAAC;QAAC,MAAM,CAAC,CAAA,CAAC;QACxE,OAAO,MAAM,CAAA;IACf,CAAC;IAED,MAAM,OAAO,GAAG,GAA2B,CAAA;IAC3C,MAAM,aAAa,GAAG,cAAc,CAAC,SAAS,CAAC,CAAA;IAC/C,IAAI,CAAC,aAAa;QAAE,OAAO,SAAS,CAAA;IACpC,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,cAAc,EAAE,aAAa,CAAC,CAAU,CAAA;QACnF,OAAO;YACL,UAAU,EAAE,OAAO,CAAC,UAAU;YAC9B,QAAQ,EAAE,OAAO,CAAC,QAAQ;YAC1B,OAAO;YACP,WAAW,EAAE,OAAO,CAAC,WAAW;SACjC,CAAA;IACH,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAA;IAClB,CAAC;AACH,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,SAAiB;IAC/C,MAAM,KAAK,GAAG,WAAW,CAAC,SAAS,CAAC,CAAA;IACpC,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC;QAAE,OAAO,SAAS,CAAA;IACxC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,KAAK,EAAE,MAAM,CAAC,CAA6B,CAAA;QAC/E,IAAI,CAAC,GAAG,CAAC,WAAW;YAAE,OAAO,SAAS,CAAA;QACtC,OAAO,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC,OAAO,EAAE,CAAC,GAAG,IAAI,GAAG,IAAI,CAAA;IACzE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAA;IAClB,CAAC;AACH,CAAC"}

package/dist/social-worker.d.ts

@@ -0,0 +1,43 @@
+/**
+ * Worker that consumes due scheduled items from cli/social-queue.ts and
+ * dispatches them via the existing paid X routes through the SDK.
+ *
+ * Designed to run inside the same Node process as the CLI — `agentos worker`
+ * keeps polling until SIGINT/SIGTERM. There's also a `--once` mode for cron.
+ *
+ * Failure classification routes back into the queue: retryable codes (rate
+ * limit, transient browser issue) get re-scheduled with exponential backoff;
+ * non-retryable codes (bad input, missing session) move to `failed[]`.
+ */
+import type { AgentOS } from './sdk.js';
+import * as sq from './social-queue.js';
+export interface DispatchResult {
+    ok: boolean;
+    result?: any;
+    error?: string;
+    retryable: boolean;
+}
+export declare function dispatchScheduledItem(item: sq.ScheduledItem, ao: AgentOS): Promise<DispatchResult>;
+export interface TickSummary {
+    tickStartedAt: string;
+    processed: number;
+    succeeded: number;
+    failed: number;
+    results: Array<{
+        id: string;
+        account: string;
+        action: string;
+        ok: boolean;
+        error?: string;
+        retryable?: boolean;
+        result?: any;
+    }>;
+}
+export declare function runWorkerOnce(ao: AgentOS, accountFilter?: string): Promise<TickSummary>;
+export interface WorkerLoopOptions {
+    intervalSec: number;
+    accountFilter?: string;
+    onLog: (msg: string) => void;
+    onTick?: (summary: TickSummary) => void;
+}
+export declare function runWorkerLoop(ao: AgentOS, opts: WorkerLoopOptions): Promise<void>;

package/dist/social-worker.js

@@ -0,0 +1,155 @@
+import * as sq from './social-queue.js';
+import * as sv from './social-vault.js';
+/**
+ * Codes returned by social-operations.ts. Retryable ones get re-scheduled
+ * by the queue; the rest move to `failed[]` immediately.
+ */
+const RETRYABLE_CODES = new Set([
+    'RATE_LIMITED',
+    'UI_TIMEOUT',
+    'LAUNCH_FAILED',
+    'UNKNOWN',
+]);
+export async function dispatchScheduledItem(item, ao) {
+    // Resolve account + session from local vault. Session staleness is the
+    // worker's most common failure — surface it clearly so the user knows to
+    // re-login (and so it doesn't waste retry attempts).
+    const acc = sv.getAccount('twitter', item.account_username);
+    if (!acc) {
+        return {
+            ok: false,
+            retryable: false,
+            error: `Account "${item.account_username}" not found in local vault.`,
+        };
+    }
+    const sess = sv.loadSession(acc.id);
+    if (!sess || !sess.cookies || sess.cookies.length === 0) {
+        return {
+            ok: false,
+            retryable: false,
+            error: `No cached session for "${item.account_username}". Run: agentos twitter login ${item.account_username}`,
+        };
+    }
+    const psid = sv.getProxySessionId('twitter', item.account_username);
+    // Materialise media to wire format only at dispatch time (keeps the queue
+    // file small; scheduled items reference paths or URLs).
+    let mediaForWire;
+    if (item.media && item.media.length > 0) {
+        try {
+            mediaForWire = item.media.map(m => sq.materializeMediaRefForWire(m));
+        }
+        catch (e) {
+            return { ok: false, retryable: false, error: `Media materialise failed: ${e.message}` };
+        }
+    }
+    // Dispatch by action shape.
+    let data;
+    try {
+        if (item.action === 'post') {
+            data = await ao.socialTwitterPost(acc.id, sess.cookies, item.text || '', psid, item.community_id);
+        }
+        else if (item.action === 'post_thread') {
+            data = await ao.socialTwitterPostThread(acc.id, sess.cookies, item.texts || [], psid, item.community_id);
+        }
+        else if (item.action === 'post_media') {
+            data = await ao.socialTwitterPostWithMedia(acc.id, sess.cookies, item.text || '', mediaForWire || [], psid, item.community_id);
+        }
+        else {
+            return { ok: false, retryable: false, error: `Unknown action: ${item.action}` };
+        }
+    }
+    catch (e) {
+        // Network/HTTP errors thrown from the SDK are retryable by default.
+        return { ok: false, retryable: true, error: e.message || String(e) };
+    }
+    if (!data?.success) {
+        const code = data?.error_code || 'UNKNOWN';
+        return {
+            ok: false,
+            retryable: RETRYABLE_CODES.has(code),
+            error: `${data?.error || 'unknown error'} [${code}]`,
+        };
+    }
+    // Update last_action_at on the account so the local vault's freshness
+    // tracking stays accurate even when posting via the worker.
+    sv.updateMeta('twitter', item.account_username, { last_action_at: new Date().toISOString() });
+    return { ok: true, retryable: false, result: data.data || {} };
+}
+export async function runWorkerOnce(ao, accountFilter) {
+    const tickStartedAt = new Date().toISOString();
+    const due = sq.getDueScheduled().filter(i => !accountFilter || i.account_username === accountFilter);
+    const results = [];
+    for (const item of due) {
+        // markScheduledInProgress is the lock — if another worker already claimed
+        // this item, it returns false and we skip.
+        if (!sq.markScheduledInProgress(item.id))
+            continue;
+        const r = await dispatchScheduledItem(item, ao);
+        if (r.ok) {
+            sq.markScheduledPublished(item.id, r.result);
+        }
+        else {
+            sq.markScheduledFailed(item.id, r.error || 'unknown', r.retryable);
+        }
+        results.push({
+            id: item.id,
+            account: item.account_username,
+            action: item.action,
+            ok: r.ok,
+            error: r.error,
+            retryable: r.retryable,
+            result: r.result,
+        });
+    }
+    return {
+        tickStartedAt,
+        processed: results.length,
+        succeeded: results.filter(r => r.ok).length,
+        failed: results.filter(r => !r.ok).length,
+        results,
+    };
+}
+export async function runWorkerLoop(ao, opts) {
+    let stopped = false;
+    const stop = (sig) => {
+        if (!stopped) {
+            stopped = true;
+            opts.onLog(`${sig} received, stopping after current tick`);
+        }
+    };
+    process.on('SIGINT', () => stop('SIGINT'));
+    process.on('SIGTERM', () => stop('SIGTERM'));
+    opts.onLog(`Worker started (interval ${opts.intervalSec}s` +
+        (opts.accountFilter ? `, account ${opts.accountFilter}` : '') +
+        `)`);
+    while (!stopped) {
+        let summary;
+        try {
+            summary = await runWorkerOnce(ao, opts.accountFilter);
+        }
+        catch (e) {
+            // A throw here is unusual (runWorkerOnce catches per-item errors).
+            // Log and keep the loop alive so a single bad tick doesn't kill the worker.
+            opts.onLog(`Tick crashed: ${e.message}`);
+            await sleep(opts.intervalSec * 1000);
+            continue;
+        }
+        opts.onTick?.(summary);
+        if (summary.processed > 0) {
+            opts.onLog(`Tick: ${summary.succeeded}/${summary.processed} ok` +
+                (summary.failed > 0 ? `, ${summary.failed} failed` : ''));
+            for (const r of summary.results) {
+                opts.onLog(`  - ${r.id} [${r.account}/${r.action}]: ${r.ok ? 'OK' : 'FAIL'} ` +
+                    (r.ok ? JSON.stringify(r.result) : `${r.error}${r.retryable ? ' (will retry)' : ''}`));
+            }
+        }
+        if (stopped)
+            break;
+        await sleep(opts.intervalSec * 1000);
+    }
+    opts.onLog('Worker stopped');
+}
+function sleep(ms) {
+    return new Promise(resolve => setTimeout(resolve, ms));
+}
+//# sourceMappingURL=social-worker.js.map

package/dist/social-worker.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"social-worker.js","sourceRoot":"","sources":["../social-worker.ts"],"names":[],"mappings":"AAYA,OAAO,KAAK,EAAE,MAAM,mBAAmB,CAAA;AACvC,OAAO,KAAK,EAAE,MAAM,mBAAmB,CAAA;AASvC;;;GAGG;AACH,MAAM,eAAe,GAAG,IAAI,GAAG,CAAC;IAC9B,cAAc;IACd,YAAY;IACZ,eAAe;IACf,SAAS;CACV,CAAC,CAAA;AAEF,MAAM,CAAC,KAAK,UAAU,qBAAqB,CACzC,IAAsB,EACtB,EAAW;IAEX,uEAAuE;IACvE,yEAAyE;IACzE,qDAAqD;IACrD,MAAM,GAAG,GAAG,EAAE,CAAC,UAAU,CAAC,SAAS,EAAE,IAAI,CAAC,gBAAgB,CAAC,CAAA;IAC3D,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,OAAO;YACL,EAAE,EAAE,KAAK;YACT,SAAS,EAAE,KAAK;YAChB,KAAK,EAAE,YAAY,IAAI,CAAC,gBAAgB,6BAA6B;SACtE,CAAA;IACH,CAAC;IACD,MAAM,IAAI,GAAG,EAAE,CAAC,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC,CAAA;IACnC,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACxD,OAAO;YACL,EAAE,EAAE,KAAK;YACT,SAAS,EAAE,KAAK;YAChB,KAAK,EAAE,0BAA0B,IAAI,CAAC,gBAAgB,iCAAiC,IAAI,CAAC,gBAAgB,EAAE;SAC/G,CAAA;IACH,CAAC;IACD,MAAM,IAAI,GAAG,EAAE,CAAC,iBAAiB,CAAC,SAAS,EAAE,IAAI,CAAC,gBAAgB,CAAC,CAAA;IAEnE,0EAA0E;IAC1E,wDAAwD;IACxD,IAAI,YAAyH,CAAA;IAC7H,IAAI,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxC,IAAI,CAAC;YACH,YAAY,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,0BAA0B,CAAC,CAAC,CAAC,CAAC,CAAA;QACtE,CAAC;QAAC,OAAO,CAAM,EAAE,CAAC;YAChB,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,KAAK,EAAE,KAAK,EAAE,6BAA6B,CAAC,CAAC,OAAO,EAAE,EAAE,CAAA;QACzF,CAAC;IACH,CAAC;IAED,4BAA4B;IAC5B,IAAI,IAAS,CAAA;IACb,IAAI,CAAC;QACH,IAAI,IAAI,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;YAC3B,IAAI,GAAG,MAAM,EAAE,CAAC,iBAAiB,CAAC,GAAG,CAAC,EAAE,EAAE,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,IAAI,IAAI,EAAE,EAAE,IAAI,EAAE,IAAI,CAAC,YAAY,CAAC,CAAA;QACnG,CAAC;aAAM,IAAI,IAAI,CAAC,MAAM,KAAK,aAAa,EAAE,CAAC;YACzC,IAAI,GAAG,MAAM,EAAE,CAAC,uBAAuB,CAAC,GAAG,CAAC,EAAE,EAAE,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,KAAK,IAAI,EAAE,EAAE,IAAI,EAAE,IAAI,CAAC,YAAY,CAAC,CAAA;QAC1G,CAAC;aAAM,IAAI,IAAI,CAAC,MAAM,KAAK,YAAY,EAAE,CAAC;YACxC,IAAI,GAAG,MAAM,EAAE,CAAC,0BAA0B,CACxC,GAAG,CAAC,EAAE,EACN,IAAI,CAAC,OAAO,EACZ,IAAI,CAAC,IAAI,IAAI,EAAE,EACf,YAAY,IAAI,EAAE,EAClB,IAAI,EACJ,IAAI,CAAC,YAAY,CAClB,CAAA;QACH,CAAC;aAAM,CAAC;YACN,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,KAAK,EAAE,KAAK,EAAE,mBAAoB,IAAY,CAAC,MAAM,EAAE,EAAE,CAAA;QAC1F,CAAC;IACH,CAAC;IAAC,OAAO,CAAM,EAAE,CAAC;QAChB,oEAAoE;QACpE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC,OAAO,IAAI,MAAM,CAAC,CAAC,CAAC,EAAE,CAAA;IACtE,CAAC;IAED,IAAI,CAAC,IAAI,EAAE,OAAO,EAAE,CAAC;QACnB,MAAM,IAAI,GAAG,IAAI,EAAE,UAAU,IAAI,SAAS,CAAA;QAC1C,OAAO;YACL,EAAE,EAAE,KAAK;YACT,SAAS,EAAE,eAAe,CAAC,GAAG,CAAC,IAAI,CAAC;YACpC,KAAK,EAAE,GAAG,IAAI,EAAE,KAAK,IAAI,eAAe,KAAK,IAAI,GAAG;SACrD,CAAA;IACH,CAAC;IAED,sEAAsE;IACtE,4DAA4D;IAC5D,EAAE,CAAC,UAAU,CAAC,SAAS,EAAE,IAAI,CAAC,gBAAgB,EAAE,EAAE,cAAc,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE,CAAC,CAAA;IAE7F,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,CAAC,IAAI,IAAI,EAAE,EAAE,CAAA;AAChE,CAAC;AAkBD,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,EAAW,EACX,aAAsB;IAEtB,MAAM,aAAa,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAA;IAC9C,MAAM,GAAG,GAAG,EAAE,CAAC,eAAe,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,aAAa,IAAI,CAAC,CAAC,gBAAgB,KAAK,aAAa,CAAC,CAAA;IACpG,MAAM,OAAO,GAA2B,EAAE,CAAA;IAE1C,KAAK,MAAM,IAAI,IAAI,GAAG,EAAE,CAAC;QACvB,0EAA0E;QAC1E,2CAA2C;QAC3C,IAAI,CAAC,EAAE,CAAC,uBAAuB,CAAC,IAAI,CAAC,EAAE,CAAC;YAAE,SAAQ;QAElD,MAAM,CAAC,GAAG,MAAM,qBAAqB,CAAC,IAAI,EAAE,EAAE,CAAC,CAAA;QAC/C,IAAI,CAAC,CAAC,EAAE,EAAE,CAAC;YACT,EAAE,CAAC,sBAAsB,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC,CAAC,MAAM,CAAC,CAAA;QAC9C,CAAC;aAAM,CAAC;YACN,EAAE,CAAC,mBAAmB,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,IAAI,SAAS,EAAE,CAAC,CAAC,SAAS,CAAC,CAAA;QACpE,CAAC;QACD,OAAO,CAAC,IAAI,CAAC;YACX,EAAE,EAAE,IAAI,CAAC,EAAE;YACX,OAAO,EAAE,IAAI,CAAC,gBAAgB;YAC9B,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,EAAE,EAAE,CAAC,CAAC,EAAE;YACR,KAAK,EAAE,CAAC,CAAC,KAAK;YACd,SAAS,EAAE,CAAC,CAAC,SAAS;YACtB,MAAM,EAAE,CAAC,CAAC,MAAM;SACjB,CAAC,CAAA;IACJ,CAAC;IAED,OAAO;QACL,aAAa;QACb,SAAS,EAAE,OAAO,CAAC,MAAM;QACzB,SAAS,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,MAAM;QAC3C,MAAM,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,MAAM;QACzC,OAAO;KACR,CAAA;AACH,CAAC;AASD,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,EAAW,EACX,IAAuB;IAEvB,IAAI,OAAO,GAAG,KAAK,CAAA;IACnB,MAAM,IAAI,GAAG,CAAC,GAAW,EAAE,EAAE;QAC3B,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,GAAG,IAAI,CAAA;YACd,IAAI,CAAC,KAAK,CAAC,GAAG,GAAG,wCAAwC,CAAC,CAAA;QAC5D,CAAC;IACH,CAAC,CAAA;IACD,OAAO,CAAC,EAAE,CAAC,QAAQ,EAAE,GAAG,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAA;IAC1C,OAAO,CAAC,EAAE,CAAC,SAAS,EAAE,GAAG,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAA;IAE5C,IAAI,CAAC,KAAK,CACR,4BAA4B,IAAI,CAAC,WAAW,GAAG;QAC/C,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,aAAa,IAAI,CAAC,aAAa,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC7D,GAAG,CACJ,CAAA;IAED,OAAO,CAAC,OAAO,EAAE,CAAC;QAChB,IAAI,OAAoB,CAAA;QACxB,IAAI,CAAC;YACH,OAAO,GAAG,MAAM,aAAa,CAAC,EAAE,EAAE,IAAI,CAAC,aAAa,CAAC,CAAA;QACvD,CAAC;QAAC,OAAO,CAAM,EAAE,CAAC;YAChB,mEAAmE;YACnE,4EAA4E;YAC5E,IAAI,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAC,OAAO,EAAE,CAAC,CAAA;YACxC,MAAM,KAAK,CAAC,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC,CAAA;YACpC,SAAQ;QACV,CAAC;QACD,IAAI,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,CAAA;QACtB,IAAI,OAAO,CAAC,SAAS,GAAG,CAAC,EAAE,CAAC;YAC1B,IAAI,CAAC,KAAK,CACR,SAAS,OAAO,CAAC,SAAS,IAAI,OAAO,CAAC,SAAS,KAAK;gBACpD,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,OAAO,CAAC,MAAM,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC,CACzD,CAAA;YACD,KAAK,MAAM,CAAC,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;gBAChC,IAAI,CAAC,KAAK,CACR,OAAO,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC,MAAM,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,GAAG;oBAClE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CACtF,CAAA;YACH,CAAC;QACH,CAAC;QACD,IAAI,OAAO;YAAE,MAAK;QAClB,MAAM,KAAK,CAAC,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC,CAAA;IACtC,CAAC;IAED,IAAI,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAA;AAC9B,CAAC;AAED,SAAS,KAAK,CAAC,EAAU;IACvB,OAAO,IAAI,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CAAA;AACxD,CAAC"}

package/dist/totp.d.ts

@@ -0,0 +1,2 @@
+export declare function code(secretBase32: string, timeMs?: number, stepSec?: number, digits?: number): string;
+export declare function secondsUntilNextCode(timeMs?: number, stepSec?: number): number;

package/dist/totp.js

@@ -0,0 +1,46 @@
+/**
+ * RFC 6238 TOTP code derivation. Pure Node crypto, no external deps.
+ *
+ * Secret is a base32-encoded string (RFC 4648) — the format X / Google Auth /
+ * Authy exchange via QR codes. `code(secret)` returns the current 6-digit code
+ * for the 30-second window.
+ */
+import { createHmac } from 'crypto';
+const BASE32_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
+function base32Decode(input) {
+    const clean = input.replace(/=+$/, '').replace(/\s+/g, '').toUpperCase();
+    const bits = [];
+    for (const ch of clean) {
+        const idx = BASE32_ALPHABET.indexOf(ch);
+        if (idx === -1)
+            throw new Error(`Invalid base32 character: ${ch}`);
+        for (let i = 4; i >= 0; i--)
+            bits.push((idx >> i) & 1);
+    }
+    const bytes = [];
+    for (let i = 0; i + 8 <= bits.length; i += 8) {
+        let byte = 0;
+        for (let j = 0; j < 8; j++)
+            byte = (byte << 1) | bits[i + j];
+        bytes.push(byte);
+    }
+    return Buffer.from(bytes);
+}
+export function code(secretBase32, timeMs = Date.now(), stepSec = 30, digits = 6) {
+    const key = base32Decode(secretBase32);
+    const counter = Math.floor(timeMs / 1000 / stepSec);
+    const buf = Buffer.alloc(8);
+    buf.writeBigUInt64BE(BigInt(counter), 0);
+    const hmac = createHmac('sha1', key).update(buf).digest();
+    const offset = hmac[hmac.length - 1] & 0x0f;
+    const value = (((hmac[offset] & 0x7f) << 24) |
+        ((hmac[offset + 1] & 0xff) << 16) |
+        ((hmac[offset + 2] & 0xff) << 8) |
+        (hmac[offset + 3] & 0xff));
+    const mod = 10 ** digits;
+    return String(value % mod).padStart(digits, '0');
+}
+export function secondsUntilNextCode(timeMs = Date.now(), stepSec = 30) {
+    return stepSec - Math.floor(timeMs / 1000) % stepSec;
+}
+//# sourceMappingURL=totp.js.map

package/dist/totp.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"totp.js","sourceRoot":"","sources":["../totp.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AACH,OAAO,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAA;AAEnC,MAAM,eAAe,GAAG,kCAAkC,CAAA;AAE1D,SAAS,YAAY,CAAC,KAAa;IACjC,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,WAAW,EAAE,CAAA;IACxE,MAAM,IAAI,GAAa,EAAE,CAAA;IACzB,KAAK,MAAM,EAAE,IAAI,KAAK,EAAE,CAAC;QACvB,MAAM,GAAG,GAAG,eAAe,CAAC,OAAO,CAAC,EAAE,CAAC,CAAA;QACvC,IAAI,GAAG,KAAK,CAAC,CAAC;YAAE,MAAM,IAAI,KAAK,CAAC,6BAA6B,EAAE,EAAE,CAAC,CAAA;QAClE,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE;YAAE,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAA;IACxD,CAAC;IACD,MAAM,KAAK,GAAa,EAAE,CAAA;IAC1B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;QAC7C,IAAI,IAAI,GAAG,CAAC,CAAA;QACZ,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE;YAAE,IAAI,GAAG,CAAC,IAAI,IAAI,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAA;QAC5D,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;IAClB,CAAC;IACD,OAAO,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;AAC3B,CAAC;AAED,MAAM,UAAU,IAAI,CAAC,YAAoB,EAAE,SAAiB,IAAI,CAAC,GAAG,EAAE,EAAE,UAAkB,EAAE,EAAE,SAAiB,CAAC;IAC9G,MAAM,GAAG,GAAG,YAAY,CAAC,YAAY,CAAC,CAAA;IACtC,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,GAAG,IAAI,GAAG,OAAO,CAAC,CAAA;IACnD,MAAM,GAAG,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAA;IAC3B,GAAG,CAAC,gBAAgB,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,CAAA;IACxC,MAAM,IAAI,GAAG,UAAU,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAA;IACzD,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,GAAG,IAAI,CAAA;IAC3C,MAAM,KAAK,GAAG,CACZ,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAC7B,CAAC,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QACjC,CAAC,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC;QAChC,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,GAAG,IAAI,CAAC,CAC1B,CAAA;IACD,MAAM,GAAG,GAAG,EAAE,IAAI,MAAM,CAAA;IACxB,OAAO,MAAM,CAAC,KAAK,GAAG,GAAG,CAAC,CAAC,QAAQ,CAAC,MAAM,EAAE,GAAG,CAAC,CAAA;AAClD,CAAC;AAED,MAAM,UAAU,oBAAoB,CAAC,SAAiB,IAAI,CAAC,GAAG,EAAE,EAAE,UAAkB,EAAE;IACpF,OAAO,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,GAAG,IAAI,CAAC,GAAG,OAAO,CAAA;AACtD,CAAC"}