@panguard-ai/security-hardening 0.1.0

package/dist/audit/audit-logger.d.ts

@@ -0,0 +1,44 @@
+/**
+ * Structured audit logging for security events
+ * 安全事件的結構化稽核日誌
+ *
+ * All security-relevant operations are logged in JSON format
+ * for SIEM integration and compliance.
+ * 所有安全相關操作以 JSON 格式記錄，用於 SIEM 整合和合規。
+ *
+ * @module @panguard-ai/security-hardening/audit/audit-logger
+ */
+import type { AuditEvent } from '../types.js';
+/**
+ * Log a security audit event
+ * 記錄安全稽核事件
+ *
+ * @param event - Partial audit event (timestamp auto-filled) / 部分稽核事件（時間戳自動填充）
+ */
+export declare function logAuditEvent(event: Omit<AuditEvent, 'timestamp' | 'module'>): void;
+/**
+ * Log WebSocket connection attempt
+ * 記錄 WebSocket 連線嘗試
+ */
+export declare function logWebSocketConnect(origin: string, result: 'success' | 'blocked', ipAddress?: string): void;
+/**
+ * Log credential access
+ * 記錄憑證存取
+ */
+export declare function logCredentialAccess(service: string, account: string, result: 'success' | 'failure'): void;
+/**
+ * Log file access attempt
+ * 記錄檔案存取嘗試
+ */
+export declare function logFileAccess(filePath: string, result: 'success' | 'blocked'): void;
+/**
+ * Log command execution attempt
+ * 記錄命令執行嘗試
+ */
+export declare function logCommandExecution(command: string, result: 'success' | 'blocked'): void;
+/**
+ * Log security policy check
+ * 記錄安全政策檢查
+ */
+export declare function logPolicyCheck(operation: string, result: 'success' | 'blocked'): void;
+//# sourceMappingURL=audit-logger.d.ts.map

package/dist/audit/audit-logger.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit-logger.d.ts","sourceRoot":"","sources":["../../src/audit/audit-logger.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAGH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAI9C;;;;;GAKG;AACH,wBAAgB,aAAa,CAAC,KAAK,EAAE,IAAI,CAAC,UAAU,EAAE,WAAW,GAAG,QAAQ,CAAC,GAAG,IAAI,CAcnF;AAED;;;GAGG;AACH,wBAAgB,mBAAmB,CACjC,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,SAAS,GAAG,SAAS,EAC7B,SAAS,CAAC,EAAE,MAAM,GACjB,IAAI,CAQN;AAED;;;GAGG;AACH,wBAAgB,mBAAmB,CACjC,OAAO,EAAE,MAAM,EACf,OAAO,EAAE,MAAM,EACf,MAAM,EAAE,SAAS,GAAG,SAAS,GAC5B,IAAI,CAON;AAED;;;GAGG;AACH,wBAAgB,aAAa,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,SAAS,GAAG,SAAS,GAAG,IAAI,CAOnF;AAED;;;GAGG;AACH,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,SAAS,GAAG,SAAS,GAAG,IAAI,CAOxF;AAED;;;GAGG;AACH,wBAAgB,cAAc,CAAC,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,SAAS,GAAG,SAAS,GAAG,IAAI,CAOrF"}

package/dist/audit/audit-logger.js

@@ -0,0 +1,94 @@
+/**
+ * Structured audit logging for security events
+ * 安全事件的結構化稽核日誌
+ *
+ * All security-relevant operations are logged in JSON format
+ * for SIEM integration and compliance.
+ * 所有安全相關操作以 JSON 格式記錄，用於 SIEM 整合和合規。
+ *
+ * @module @panguard-ai/security-hardening/audit/audit-logger
+ */
+import { createLogger } from '@panguard-ai/core';
+const logger = createLogger('audit');
+/**
+ * Log a security audit event
+ * 記錄安全稽核事件
+ *
+ * @param event - Partial audit event (timestamp auto-filled) / 部分稽核事件（時間戳自動填充）
+ */
+export function logAuditEvent(event) {
+    const fullEvent = {
+        timestamp: new Date().toISOString(),
+        module: 'audit',
+        ...event,
+    };
+    const logFn = event.result === 'blocked' ? logger.warn : logger.info;
+    logFn.call(logger, `[AUDIT] ${event.action}: ${event.result} -> ${event.target}`, {
+        action: fullEvent.action,
+        target: fullEvent.target,
+        result: fullEvent.result,
+        ...fullEvent.context,
+    });
+}
+/**
+ * Log WebSocket connection attempt
+ * 記錄 WebSocket 連線嘗試
+ */
+export function logWebSocketConnect(origin, result, ipAddress) {
+    logAuditEvent({
+        level: result === 'blocked' ? 'warn' : 'info',
+        action: 'websocket_connect',
+        target: origin,
+        result,
+        context: ipAddress ? { ipAddress } : undefined,
+    });
+}
+/**
+ * Log credential access
+ * 記錄憑證存取
+ */
+export function logCredentialAccess(service, account, result) {
+    logAuditEvent({
+        level: result === 'failure' ? 'warn' : 'info',
+        action: 'credential_access',
+        target: `${service}:${account}`,
+        result,
+    });
+}
+/**
+ * Log file access attempt
+ * 記錄檔案存取嘗試
+ */
+export function logFileAccess(filePath, result) {
+    logAuditEvent({
+        level: result === 'blocked' ? 'warn' : 'info',
+        action: 'file_access',
+        target: filePath,
+        result,
+    });
+}
+/**
+ * Log command execution attempt
+ * 記錄命令執行嘗試
+ */
+export function logCommandExecution(command, result) {
+    logAuditEvent({
+        level: result === 'blocked' ? 'warn' : 'info',
+        action: 'command_execution',
+        target: command,
+        result,
+    });
+}
+/**
+ * Log security policy check
+ * 記錄安全政策檢查
+ */
+export function logPolicyCheck(operation, result) {
+    logAuditEvent({
+        level: result === 'blocked' ? 'warn' : 'info',
+        action: 'policy_check',
+        target: operation,
+        result,
+    });
+}
+//# sourceMappingURL=audit-logger.js.map

package/dist/audit/audit-logger.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit-logger.js","sourceRoot":"","sources":["../../src/audit/audit-logger.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAGjD,MAAM,MAAM,GAAG,YAAY,CAAC,OAAO,CAAC,CAAC;AAErC;;;;;GAKG;AACH,MAAM,UAAU,aAAa,CAAC,KAA+C;IAC3E,MAAM,SAAS,GAAe;QAC5B,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,MAAM,EAAE,OAAO;QACf,GAAG,KAAK;KACT,CAAC;IAEF,MAAM,KAAK,GAAG,KAAK,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC;IACrE,KAAK,CAAC,IAAI,CAAC,MAAM,EAAE,WAAW,KAAK,CAAC,MAAM,KAAK,KAAK,CAAC,MAAM,OAAO,KAAK,CAAC,MAAM,EAAE,EAAE;QAChF,MAAM,EAAE,SAAS,CAAC,MAAM;QACxB,MAAM,EAAE,SAAS,CAAC,MAAM;QACxB,MAAM,EAAE,SAAS,CAAC,MAAM;QACxB,GAAG,SAAS,CAAC,OAAO;KACrB,CAAC,CAAC;AACL,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,mBAAmB,CACjC,MAAc,EACd,MAA6B,EAC7B,SAAkB;IAElB,aAAa,CAAC;QACZ,KAAK,EAAE,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM;QAC7C,MAAM,EAAE,mBAAmB;QAC3B,MAAM,EAAE,MAAM;QACd,MAAM;QACN,OAAO,EAAE,SAAS,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,CAAC,CAAC,CAAC,SAAS;KAC/C,CAAC,CAAC;AACL,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,mBAAmB,CACjC,OAAe,EACf,OAAe,EACf,MAA6B;IAE7B,aAAa,CAAC;QACZ,KAAK,EAAE,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM;QAC7C,MAAM,EAAE,mBAAmB;QAC3B,MAAM,EAAE,GAAG,OAAO,IAAI,OAAO,EAAE;QAC/B,MAAM;KACP,CAAC,CAAC;AACL,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,aAAa,CAAC,QAAgB,EAAE,MAA6B;IAC3E,aAAa,CAAC;QACZ,KAAK,EAAE,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM;QAC7C,MAAM,EAAE,aAAa;QACrB,MAAM,EAAE,QAAQ;QAChB,MAAM;KACP,CAAC,CAAC;AACL,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,mBAAmB,CAAC,OAAe,EAAE,MAA6B;IAChF,aAAa,CAAC;QACZ,KAAK,EAAE,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM;QAC7C,MAAM,EAAE,mBAAmB;QAC3B,MAAM,EAAE,OAAO;QACf,MAAM;KACP,CAAC,CAAC;AACL,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,cAAc,CAAC,SAAiB,EAAE,MAA6B;IAC7E,aAAa,CAAC;QACZ,KAAK,EAAE,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM;QAC7C,MAAM,EAAE,cAAc;QACtB,MAAM,EAAE,SAAS;QACjB,MAAM;KACP,CAAC,CAAC;AACL,CAAC"}

package/dist/audit/index.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Audit logging module
+ * 稽核日誌模組
+ *
+ * @module @panguard-ai/security-hardening/audit
+ */
+export { logAuditEvent, logWebSocketConnect, logCredentialAccess, logFileAccess, logCommandExecution, logPolicyCheck, } from './audit-logger.js';
+export { SyslogAdapter, formatSyslogMessage } from './syslog-adapter.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/audit/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/audit/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EACL,aAAa,EACb,mBAAmB,EACnB,mBAAmB,EACnB,aAAa,EACb,mBAAmB,EACnB,cAAc,GACf,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,aAAa,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC"}

package/dist/audit/index.js

@@ -0,0 +1,9 @@
+/**
+ * Audit logging module
+ * 稽核日誌模組
+ *
+ * @module @panguard-ai/security-hardening/audit
+ */
+export { logAuditEvent, logWebSocketConnect, logCredentialAccess, logFileAccess, logCommandExecution, logPolicyCheck, } from './audit-logger.js';
+export { SyslogAdapter, formatSyslogMessage } from './syslog-adapter.js';
+//# sourceMappingURL=index.js.map

package/dist/audit/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/audit/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EACL,aAAa,EACb,mBAAmB,EACnB,mBAAmB,EACnB,aAAa,EACb,mBAAmB,EACnB,cAAc,GACf,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,aAAa,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC"}

package/dist/audit/syslog-adapter.d.ts

@@ -0,0 +1,48 @@
+/**
+ * Syslog adapter for audit event forwarding
+ * 稽核事件轉發的 Syslog 適配器
+ *
+ * Sends audit events to a syslog server using RFC 5424 format over UDP.
+ * 使用 RFC 5424 格式透過 UDP 將稽核事件發送到 syslog 伺服器。
+ *
+ * @module @panguard-ai/security-hardening/audit/syslog-adapter
+ */
+import type { AuditEvent } from '../types.js';
+/**
+ * Format an audit event as RFC 5424 syslog message
+ * 將稽核事件格式化為 RFC 5424 syslog 訊息
+ *
+ * @param event - Audit event / 稽核事件
+ * @returns RFC 5424 formatted message / RFC 5424 格式化訊息
+ */
+export declare function formatSyslogMessage(event: AuditEvent): string;
+/**
+ * Syslog adapter for sending audit events via UDP
+ * 透過 UDP 發送稽核事件的 Syslog 適配器
+ */
+export declare class SyslogAdapter {
+    private socket;
+    private readonly host;
+    private readonly port;
+    /**
+     * Create a new syslog adapter
+     * 建立新的 syslog 適配器
+     *
+     * @param host - Syslog server hostname / Syslog 伺服器主機名稱
+     * @param port - Syslog server port (default: 514) / Syslog 伺服器連接埠（預設：514）
+     */
+    constructor(host: string, port?: number);
+    /**
+     * Send an audit event to syslog
+     * 將稽核事件發送到 syslog
+     *
+     * @param event - Audit event to send / 要發送的稽核事件
+     */
+    send(event: AuditEvent): void;
+    /**
+     * Close the syslog socket
+     * 關閉 syslog socket
+     */
+    close(): void;
+}
+//# sourceMappingURL=syslog-adapter.d.ts.map

package/dist/audit/syslog-adapter.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"syslog-adapter.d.ts","sourceRoot":"","sources":["../../src/audit/syslog-adapter.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAKH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAc9C;;;;;;GAMG;AACH,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,UAAU,GAAG,MAAM,CAa7D;AAED;;;GAGG;AACH,qBAAa,aAAa;IACxB,OAAO,CAAC,MAAM,CAAuB;IACrC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAS;IAC9B,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAS;IAE9B;;;;;;OAMG;gBACS,IAAI,EAAE,MAAM,EAAE,IAAI,SAAM;IAKpC;;;;;OAKG;IACH,IAAI,CAAC,KAAK,EAAE,UAAU,GAAG,IAAI;IAsB7B;;;OAGG;IACH,KAAK,IAAI,IAAI;CAOd"}

package/dist/audit/syslog-adapter.js

@@ -0,0 +1,97 @@
+/**
+ * Syslog adapter for audit event forwarding
+ * 稽核事件轉發的 Syslog 適配器
+ *
+ * Sends audit events to a syslog server using RFC 5424 format over UDP.
+ * 使用 RFC 5424 格式透過 UDP 將稽核事件發送到 syslog 伺服器。
+ *
+ * @module @panguard-ai/security-hardening/audit/syslog-adapter
+ */
+import { createSocket } from 'dgram';
+import { hostname } from 'os';
+import { createLogger } from '@panguard-ai/core';
+const logger = createLogger('audit:syslog');
+/** Syslog severity mapping / Syslog 嚴重程度映射 */
+const SYSLOG_SEVERITY = {
+    error: 3, // Error
+    warn: 4, // Warning
+    info: 6, // Informational
+};
+/** Syslog facility: local0 = 16 / Syslog 設施：local0 = 16 */
+const FACILITY = 16;
+/**
+ * Format an audit event as RFC 5424 syslog message
+ * 將稽核事件格式化為 RFC 5424 syslog 訊息
+ *
+ * @param event - Audit event / 稽核事件
+ * @returns RFC 5424 formatted message / RFC 5424 格式化訊息
+ */
+export function formatSyslogMessage(event) {
+    const severity = SYSLOG_SEVERITY[event.level] ?? 6;
+    const priority = FACILITY * 8 + severity;
+    const host = hostname();
+    const appName = 'panguard-ai';
+    const procId = process.pid;
+    const msgId = event.action;
+    const timestamp = event.timestamp;
+    const structuredData = `[panguard action="${event.action}" target="${event.target}" result="${event.result}"]`;
+    // RFC 5424: <priority>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
+    return `<${priority}>1 ${timestamp} ${host} ${appName} ${procId} ${msgId} ${structuredData} ${event.action}: ${event.result} -> ${event.target}`;
+}
+/**
+ * Syslog adapter for sending audit events via UDP
+ * 透過 UDP 發送稽核事件的 Syslog 適配器
+ */
+export class SyslogAdapter {
+    socket = null;
+    host;
+    port;
+    /**
+     * Create a new syslog adapter
+     * 建立新的 syslog 適配器
+     *
+     * @param host - Syslog server hostname / Syslog 伺服器主機名稱
+     * @param port - Syslog server port (default: 514) / Syslog 伺服器連接埠（預設：514）
+     */
+    constructor(host, port = 514) {
+        this.host = host;
+        this.port = port;
+    }
+    /**
+     * Send an audit event to syslog
+     * 將稽核事件發送到 syslog
+     *
+     * @param event - Audit event to send / 要發送的稽核事件
+     */
+    send(event) {
+        if (!this.socket) {
+            this.socket = createSocket('udp4');
+            this.socket.on('error', (err) => {
+                logger.error('Syslog socket error', { error: String(err) });
+            });
+        }
+        const message = formatSyslogMessage(event);
+        const buffer = Buffer.from(message, 'utf-8');
+        this.socket.send(buffer, 0, buffer.length, this.port, this.host, (err) => {
+            if (err) {
+                logger.error('Failed to send syslog message', {
+                    host: this.host,
+                    port: this.port,
+                    error: String(err),
+                });
+            }
+        });
+    }
+    /**
+     * Close the syslog socket
+     * 關閉 syslog socket
+     */
+    close() {
+        if (this.socket) {
+            this.socket.close();
+            this.socket = null;
+            logger.info('Syslog adapter closed');
+        }
+    }
+}
+//# sourceMappingURL=syslog-adapter.js.map

package/dist/audit/syslog-adapter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"syslog-adapter.js","sourceRoot":"","sources":["../../src/audit/syslog-adapter.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,YAAY,EAAe,MAAM,OAAO,CAAC;AAClD,OAAO,EAAE,QAAQ,EAAE,MAAM,IAAI,CAAC;AAC9B,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAGjD,MAAM,MAAM,GAAG,YAAY,CAAC,cAAc,CAAC,CAAC;AAE5C,8CAA8C;AAC9C,MAAM,eAAe,GAA2B;IAC9C,KAAK,EAAE,CAAC,EAAE,QAAQ;IAClB,IAAI,EAAE,CAAC,EAAE,UAAU;IACnB,IAAI,EAAE,CAAC,EAAE,gBAAgB;CAC1B,CAAC;AAEF,2DAA2D;AAC3D,MAAM,QAAQ,GAAG,EAAE,CAAC;AAEpB;;;;;;GAMG;AACH,MAAM,UAAU,mBAAmB,CAAC,KAAiB;IACnD,MAAM,QAAQ,GAAG,eAAe,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IACnD,MAAM,QAAQ,GAAG,QAAQ,GAAG,CAAC,GAAG,QAAQ,CAAC;IACzC,MAAM,IAAI,GAAG,QAAQ,EAAE,CAAC;IACxB,MAAM,OAAO,GAAG,aAAa,CAAC;IAC9B,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC;IAC3B,MAAM,KAAK,GAAG,KAAK,CAAC,MAAM,CAAC;IAC3B,MAAM,SAAS,GAAG,KAAK,CAAC,SAAS,CAAC;IAElC,MAAM,cAAc,GAAG,qBAAqB,KAAK,CAAC,MAAM,aAAa,KAAK,CAAC,MAAM,aAAa,KAAK,CAAC,MAAM,IAAI,CAAC;IAE/G,2FAA2F;IAC3F,OAAO,IAAI,QAAQ,MAAM,SAAS,IAAI,IAAI,IAAI,OAAO,IAAI,MAAM,IAAI,KAAK,IAAI,cAAc,IAAI,KAAK,CAAC,MAAM,KAAK,KAAK,CAAC,MAAM,OAAO,KAAK,CAAC,MAAM,EAAE,CAAC;AACnJ,CAAC;AAED;;;GAGG;AACH,MAAM,OAAO,aAAa;IAChB,MAAM,GAAkB,IAAI,CAAC;IACpB,IAAI,CAAS;IACb,IAAI,CAAS;IAE9B;;;;;;OAMG;IACH,YAAY,IAAY,EAAE,IAAI,GAAG,GAAG;QAClC,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;QACjB,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;IACnB,CAAC;IAED;;;;;OAKG;IACH,IAAI,CAAC,KAAiB;QACpB,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;YACjB,IAAI,CAAC,MAAM,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;YACnC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;gBAC9B,MAAM,CAAC,KAAK,CAAC,qBAAqB,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YAC9D,CAAC,CAAC,CAAC;QACL,CAAC;QAED,MAAM,OAAO,GAAG,mBAAmB,CAAC,KAAK,CAAC,CAAC;QAC3C,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QAE7C,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,GAAG,EAAE,EAAE;YACvE,IAAI,GAAG,EAAE,CAAC;gBACR,MAAM,CAAC,KAAK,CAAC,+BAA+B,EAAE;oBAC5C,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,KAAK,EAAE,MAAM,CAAC,GAAG,CAAC;iBACnB,CAAC,CAAC;YACL,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;;OAGG;IACH,KAAK;QACH,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChB,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;YACpB,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC;YACnB,MAAM,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;QACvC,CAAC;IACH,CAAC;CACF"}

package/dist/credentials/credential-store.d.ts

@@ -0,0 +1,51 @@
+/**
+ * Platform-agnostic secure credential storage
+ * 平台無關的安全憑證儲存
+ *
+ * Provides encrypted credential storage using AES-256-GCM.
+ * No native dependencies required (unlike keytar).
+ * 使用 AES-256-GCM 提供加密憑證儲存。不需要原生相依套件。
+ *
+ * @module @panguard-ai/security-hardening/credentials/credential-store
+ */
+import type { CredentialStore } from '../types.js';
+/**
+ * In-memory credential store for testing
+ * 記憶體內憑證儲存（用於測試）
+ */
+export declare class InMemoryCredentialStore implements CredentialStore {
+    private readonly store;
+    private key;
+    get(service: string, account: string): Promise<string | null>;
+    set(service: string, account: string, password: string): Promise<void>;
+    delete(service: string, account: string): Promise<boolean>;
+    list(service: string): Promise<string[]>;
+}
+/**
+ * Encrypted file-based credential store
+ * 基於加密檔案的憑證儲存
+ *
+ * Stores credentials in encrypted JSON files using AES-256-GCM.
+ * Key is derived from machine-specific entropy (hostname + username).
+ * 使用 AES-256-GCM 將憑證儲存在加密的 JSON 檔案中。
+ * 金鑰從機器特定的熵值衍生（主機名稱 + 使用者名稱）。
+ */
+export declare class EncryptedFileCredentialStore implements CredentialStore {
+    private readonly storePath;
+    private readonly key;
+    /**
+     * Create a new encrypted file credential store
+     * 建立新的加密檔案憑證儲存
+     *
+     * @param storePath - Directory to store encrypted credentials / 儲存加密憑證的目錄
+     */
+    constructor(storePath: string);
+    private filePath;
+    private loadServiceData;
+    private saveServiceData;
+    get(service: string, account: string): Promise<string | null>;
+    set(service: string, account: string, password: string): Promise<void>;
+    delete(service: string, account: string): Promise<boolean>;
+    list(service: string): Promise<string[]>;
+}
+//# sourceMappingURL=credential-store.d.ts.map

package/dist/credentials/credential-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"credential-store.d.ts","sourceRoot":"","sources":["../../src/credentials/credential-store.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAOH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAwDnD;;;GAGG;AACH,qBAAa,uBAAwB,YAAW,eAAe;IAC7D,OAAO,CAAC,QAAQ,CAAC,KAAK,CAA6B;IAEnD,OAAO,CAAC,GAAG;IAIL,GAAG,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAI7D,GAAG,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAItE,MAAM,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAI1D,IAAI,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;CAU/C;AAED;;;;;;;;GAQG;AACH,qBAAa,4BAA6B,YAAW,eAAe;IAClE,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAS;IACnC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAS;IAE7B;;;;;OAKG;gBACS,SAAS,EAAE,MAAM;IAU7B,OAAO,CAAC,QAAQ;IAMhB,OAAO,CAAC,eAAe;IAevB,OAAO,CAAC,eAAe;IAOjB,GAAG,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAW7D,GAAG,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAOtE,MAAM,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAkB1D,IAAI,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;CAI/C"}

package/dist/credentials/credential-store.js

@@ -0,0 +1,183 @@
+/**
+ * Platform-agnostic secure credential storage
+ * 平台無關的安全憑證儲存
+ *
+ * Provides encrypted credential storage using AES-256-GCM.
+ * No native dependencies required (unlike keytar).
+ * 使用 AES-256-GCM 提供加密憑證儲存。不需要原生相依套件。
+ *
+ * @module @panguard-ai/security-hardening/credentials/credential-store
+ */
+import { createCipheriv, createDecipheriv, randomBytes, createHash } from 'crypto';
+import { existsSync, mkdirSync, readFileSync, writeFileSync, unlinkSync } from 'fs';
+import { join } from 'path';
+import { hostname, userInfo } from 'os';
+import { createLogger } from '@panguard-ai/core';
+const logger = createLogger('credentials:store');
+const ALGORITHM = 'aes-256-gcm';
+const IV_LENGTH = 16;
+/**
+ * Derive an encryption key from machine-specific entropy
+ * 從機器特定的熵值衍生加密金鑰
+ *
+ * @param salt - Additional salt / 額外鹽值
+ * @returns 32-byte key / 32 位元組金鑰
+ */
+function deriveKey(salt) {
+    const machineId = `${hostname()}-${userInfo().username}-panguard-ai`;
+    return createHash('sha256').update(`${machineId}:${salt}`).digest();
+}
+/**
+ * Encrypt a string value
+ * 加密字串值
+ */
+function encrypt(value, key) {
+    const iv = randomBytes(IV_LENGTH);
+    const cipher = createCipheriv(ALGORITHM, key, iv);
+    const encrypted = Buffer.concat([cipher.update(value, 'utf8'), cipher.final()]);
+    const authTag = cipher.getAuthTag();
+    // Format: iv:authTag:encrypted (all base64)
+    return `${iv.toString('base64')}:${authTag.toString('base64')}:${encrypted.toString('base64')}`;
+}
+/**
+ * Decrypt an encrypted string
+ * 解密已加密的字串
+ */
+function decrypt(encryptedData, key) {
+    const parts = encryptedData.split(':');
+    if (parts.length !== 3) {
+        throw new Error('Invalid encrypted data format');
+    }
+    const [ivStr, authTagStr, dataStr] = parts;
+    if (!ivStr || !authTagStr || !dataStr) {
+        throw new Error('Invalid encrypted data format');
+    }
+    const iv = Buffer.from(ivStr, 'base64');
+    const authTag = Buffer.from(authTagStr, 'base64');
+    const encrypted = Buffer.from(dataStr, 'base64');
+    const decipher = createDecipheriv(ALGORITHM, key, iv);
+    decipher.setAuthTag(authTag);
+    const decrypted = Buffer.concat([decipher.update(encrypted), decipher.final()]);
+    return decrypted.toString('utf8');
+}
+/**
+ * In-memory credential store for testing
+ * 記憶體內憑證儲存（用於測試）
+ */
+export class InMemoryCredentialStore {
+    store = new Map();
+    key(service, account) {
+        return `${service}:${account}`;
+    }
+    async get(service, account) {
+        return this.store.get(this.key(service, account)) ?? null;
+    }
+    async set(service, account, password) {
+        this.store.set(this.key(service, account), password);
+    }
+    async delete(service, account) {
+        return this.store.delete(this.key(service, account));
+    }
+    async list(service) {
+        const prefix = `${service}:`;
+        const accounts = [];
+        for (const k of this.store.keys()) {
+            if (k.startsWith(prefix)) {
+                accounts.push(k.slice(prefix.length));
+            }
+        }
+        return accounts;
+    }
+}
+/**
+ * Encrypted file-based credential store
+ * 基於加密檔案的憑證儲存
+ *
+ * Stores credentials in encrypted JSON files using AES-256-GCM.
+ * Key is derived from machine-specific entropy (hostname + username).
+ * 使用 AES-256-GCM 將憑證儲存在加密的 JSON 檔案中。
+ * 金鑰從機器特定的熵值衍生（主機名稱 + 使用者名稱）。
+ */
+export class EncryptedFileCredentialStore {
+    storePath;
+    key;
+    /**
+     * Create a new encrypted file credential store
+     * 建立新的加密檔案憑證儲存
+     *
+     * @param storePath - Directory to store encrypted credentials / 儲存加密憑證的目錄
+     */
+    constructor(storePath) {
+        this.storePath = storePath;
+        this.key = deriveKey('credential-store-v1');
+        if (!existsSync(storePath)) {
+            mkdirSync(storePath, { recursive: true, mode: 0o700 });
+            logger.info('Credential store directory created', { path: storePath });
+        }
+    }
+    filePath(service) {
+        // Sanitize service name for filesystem
+        const safe = service.replace(/[^a-zA-Z0-9_-]/g, '_');
+        return join(this.storePath, `${safe}.enc`);
+    }
+    loadServiceData(service) {
+        const path = this.filePath(service);
+        if (!existsSync(path)) {
+            return {};
+        }
+        try {
+            const encrypted = readFileSync(path, 'utf-8');
+            const json = decrypt(encrypted, this.key);
+            return JSON.parse(json);
+        }
+        catch (error) {
+            logger.error('Failed to load credential file', { service, error: String(error) });
+            return {};
+        }
+    }
+    saveServiceData(service, data) {
+        const path = this.filePath(service);
+        const json = JSON.stringify(data);
+        const encrypted = encrypt(json, this.key);
+        writeFileSync(path, encrypted, { mode: 0o600 });
+    }
+    async get(service, account) {
+        const data = this.loadServiceData(service);
+        const value = data[account];
+        if (value !== undefined) {
+            logger.info('Credential retrieved', { service, account });
+            return value;
+        }
+        logger.warn('Credential not found', { service, account });
+        return null;
+    }
+    async set(service, account, password) {
+        const data = this.loadServiceData(service);
+        data[account] = password;
+        this.saveServiceData(service, data);
+        logger.info('Credential stored securely', { service, account });
+    }
+    async delete(service, account) {
+        const data = this.loadServiceData(service);
+        if (!(account in data)) {
+            return false;
+        }
+        delete data[account];
+        if (Object.keys(data).length === 0) {
+            const path = this.filePath(service);
+            if (existsSync(path)) {
+                unlinkSync(path);
+            }
+        }
+        else {
+            this.saveServiceData(service, data);
+        }
+        logger.info('Credential deleted', { service, account });
+        return true;
+    }
+    async list(service) {
+        const data = this.loadServiceData(service);
+        return Object.keys(data);
+    }
+}
+//# sourceMappingURL=credential-store.js.map

package/dist/credentials/credential-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"credential-store.js","sourceRoot":"","sources":["../../src/credentials/credential-store.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,cAAc,EAAE,gBAAgB,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AACnF,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,YAAY,EAAE,aAAa,EAAE,UAAU,EAAE,MAAM,IAAI,CAAC;AACpF,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAC5B,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,IAAI,CAAC;AACxC,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAGjD,MAAM,MAAM,GAAG,YAAY,CAAC,mBAAmB,CAAC,CAAC;AAEjD,MAAM,SAAS,GAAG,aAAa,CAAC;AAChC,MAAM,SAAS,GAAG,EAAE,CAAC;AAErB;;;;;;GAMG;AACH,SAAS,SAAS,CAAC,IAAY;IAC7B,MAAM,SAAS,GAAG,GAAG,QAAQ,EAAE,IAAI,QAAQ,EAAE,CAAC,QAAQ,cAAc,CAAC;IACrE,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,GAAG,SAAS,IAAI,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC;AACtE,CAAC;AAED;;;GAGG;AACH,SAAS,OAAO,CAAC,KAAa,EAAE,GAAW;IACzC,MAAM,EAAE,GAAG,WAAW,CAAC,SAAS,CAAC,CAAC;IAClC,MAAM,MAAM,GAAG,cAAc,CAAC,SAAS,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IAClD,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IAChF,MAAM,OAAO,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;IACpC,4CAA4C;IAC5C,OAAO,GAAG,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;AAClG,CAAC;AAED;;;GAGG;AACH,SAAS,OAAO,CAAC,aAAqB,EAAE,GAAW;IACjD,MAAM,KAAK,GAAG,aAAa,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACvC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;IACnD,CAAC;IACD,MAAM,CAAC,KAAK,EAAE,UAAU,EAAE,OAAO,CAAC,GAAG,KAAK,CAAC;IAC3C,IAAI,CAAC,KAAK,IAAI,CAAC,UAAU,IAAI,CAAC,OAAO,EAAE,CAAC;QACtC,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;IACnD,CAAC;IAED,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;IACxC,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC;IAClD,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;IAEjD,MAAM,QAAQ,GAAG,gBAAgB,CAAC,SAAS,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IACtD,QAAQ,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;IAC7B,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IAChF,OAAO,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;AACpC,CAAC;AAED;;;GAGG;AACH,MAAM,OAAO,uBAAuB;IACjB,KAAK,GAAG,IAAI,GAAG,EAAkB,CAAC;IAE3C,GAAG,CAAC,OAAe,EAAE,OAAe;QAC1C,OAAO,GAAG,OAAO,IAAI,OAAO,EAAE,CAAC;IACjC,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,OAAe,EAAE,OAAe;QACxC,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,IAAI,IAAI,CAAC;IAC5D,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,OAAe,EAAE,OAAe,EAAE,QAAgB;QAC1D,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,OAAO,CAAC,EAAE,QAAQ,CAAC,CAAC;IACvD,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,OAAe,EAAE,OAAe;QAC3C,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC;IACvD,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,OAAe;QACxB,MAAM,MAAM,GAAG,GAAG,OAAO,GAAG,CAAC;QAC7B,MAAM,QAAQ,GAAa,EAAE,CAAC;QAC9B,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,EAAE,CAAC;YAClC,IAAI,CAAC,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;gBACzB,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC;YACxC,CAAC;QACH,CAAC;QACD,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF;AAED;;;;;;;;GAQG;AACH,MAAM,OAAO,4BAA4B;IACtB,SAAS,CAAS;IAClB,GAAG,CAAS;IAE7B;;;;;OAKG;IACH,YAAY,SAAiB;QAC3B,IAAI,CAAC,SAAS,GAAG,SAAS,CAAC;QAC3B,IAAI,CAAC,GAAG,GAAG,SAAS,CAAC,qBAAqB,CAAC,CAAC;QAE5C,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YAC3B,SAAS,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;YACvD,MAAM,CAAC,IAAI,CAAC,oCAAoC,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC,CAAC;QACzE,CAAC;IACH,CAAC;IAEO,QAAQ,CAAC,OAAe;QAC9B,uCAAuC;QACvC,MAAM,IAAI,GAAG,OAAO,CAAC,OAAO,CAAC,iBAAiB,EAAE,GAAG,CAAC,CAAC;QACrD,OAAO,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,GAAG,IAAI,MAAM,CAAC,CAAC;IAC7C,CAAC;IAEO,eAAe,CAAC,OAAe;QACrC,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QACpC,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YACtB,OAAO,EAAE,CAAC;QACZ,CAAC;QACD,IAAI,CAAC;YACH,MAAM,SAAS,GAAG,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;YAC9C,MAAM,IAAI,GAAG,OAAO,CAAC,SAAS,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC;YAC1C,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAA2B,CAAC;QACpD,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,CAAC,KAAK,CAAC,gCAAgC,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;YAClF,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;IAEO,eAAe,CAAC,OAAe,EAAE,IAA4B;QACnE,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QACpC,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;QAClC,MAAM,SAAS,GAAG,OAAO,CAAC,IAAI,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC;QAC1C,aAAa,CAAC,IAAI,EAAE,SAAS,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAClD,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,OAAe,EAAE,OAAe;QACxC,MAAM,IAAI,GAAG,IAAI,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC;QAC3C,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,CAAC;QAC5B,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;YACxB,MAAM,CAAC,IAAI,CAAC,sBAAsB,EAAE,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,CAAC;YAC1D,OAAO,KAAK,CAAC;QACf,CAAC;QACD,MAAM,CAAC,IAAI,CAAC,sBAAsB,EAAE,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,CAAC;QAC1D,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,OAAe,EAAE,OAAe,EAAE,QAAgB;QAC1D,MAAM,IAAI,GAAG,IAAI,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC;QAC3C,IAAI,CAAC,OAAO,CAAC,GAAG,QAAQ,CAAC;QACzB,IAAI,CAAC,eAAe,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;QACpC,MAAM,CAAC,IAAI,CAAC,4BAA4B,EAAE,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,CAAC;IAClE,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,OAAe,EAAE,OAAe;QAC3C,MAAM,IAAI,GAAG,IAAI,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC;QAC3C,IAAI,CAAC,CAAC,OAAO,IAAI,IAAI,CAAC,EAAE,CAAC;YACvB,OAAO,KAAK,CAAC;QACf,CAAC;QACD,OAAO,IAAI,CAAC,OAAO,CAAC,CAAC;QACrB,IAAI,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACnC,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;YACpC,IAAI,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;gBACrB,UAAU,CAAC,IAAI,CAAC,CAAC;YACnB,CAAC;QACH,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,eAAe,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;QACtC,CAAC;QACD,MAAM,CAAC,IAAI,CAAC,oBAAoB,EAAE,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,CAAC;QACxD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,OAAe;QACxB,MAAM,IAAI,GAAG,IAAI,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC;QAC3C,OAAO,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC3B,CAAC;CACF"}

package/dist/credentials/index.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Credential security module
+ * 憑證安全模組
+ *
+ * @module @panguard-ai/security-hardening/credentials
+ */
+export { InMemoryCredentialStore, EncryptedFileCredentialStore } from './credential-store.js';
+export { scanPlaintextCredentials, migrateCredentials } from './migration.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/credentials/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/credentials/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,uBAAuB,EAAE,4BAA4B,EAAE,MAAM,uBAAuB,CAAC;AAC9F,OAAO,EAAE,wBAAwB,EAAE,kBAAkB,EAAE,MAAM,gBAAgB,CAAC"}

package/dist/credentials/index.js

@@ -0,0 +1,9 @@
+/**
+ * Credential security module
+ * 憑證安全模組
+ *
+ * @module @panguard-ai/security-hardening/credentials
+ */
+export { InMemoryCredentialStore, EncryptedFileCredentialStore } from './credential-store.js';
+export { scanPlaintextCredentials, migrateCredentials } from './migration.js';
+//# sourceMappingURL=index.js.map

package/dist/credentials/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/credentials/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,uBAAuB,EAAE,4BAA4B,EAAE,MAAM,uBAAuB,CAAC;AAC9F,OAAO,EAAE,wBAAwB,EAAE,kBAAkB,EAAE,MAAM,gBAAgB,CAAC"}

package/dist/credentials/migration.d.ts

@@ -0,0 +1,37 @@
+/**
+ * Migrate plaintext credentials to secure storage
+ * 將明文憑證遷移到安全儲存
+ *
+ * @module @panguard-ai/security-hardening/credentials/migration
+ */
+import type { CredentialStore, MigrationReport } from '../types.js';
+/**
+ * Plaintext credential file information
+ * 明文憑證檔案資訊
+ */
+interface PlaintextCredential {
+    service: string;
+    account: string;
+    value: string;
+    filePath: string;
+}
+/**
+ * Scan for plaintext credential files
+ * 掃描明文憑證檔案
+ *
+ * @param credentialsDir - Directory to scan / 要掃描的目錄
+ * @returns Array of found plaintext credentials / 找到的明文憑證陣列
+ */
+export declare function scanPlaintextCredentials(credentialsDir?: string): PlaintextCredential[];
+/**
+ * Migrate plaintext credentials to secure storage
+ * 將明文憑證遷移到安全儲存
+ *
+ * @param store - Target credential store / 目標憑證儲存
+ * @param credentialsDir - Source directory / 來源目錄
+ * @param dryRun - If true, only report without migrating / 僅報告而不遷移
+ * @returns Migration report / 遷移報告
+ */
+export declare function migrateCredentials(store: CredentialStore, credentialsDir?: string, dryRun?: boolean): Promise<MigrationReport>;
+export {};
+//# sourceMappingURL=migration.d.ts.map

package/dist/credentials/migration.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"migration.d.ts","sourceRoot":"","sources":["../../src/credentials/migration.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAMH,OAAO,KAAK,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAOpE;;;GAGG;AACH,UAAU,mBAAmB;IAC3B,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;CAClB;AAiBD;;;;;;GAMG;AACH,wBAAgB,wBAAwB,CACtC,cAAc,GAAE,MAAgC,GAC/C,mBAAmB,EAAE,CA0CvB;AAED;;;;;;;;GAQG;AACH,wBAAsB,kBAAkB,CACtC,KAAK,EAAE,eAAe,EACtB,cAAc,GAAE,MAAgC,EAChD,MAAM,UAAQ,GACb,OAAO,CAAC,eAAe,CAAC,CA2C1B"}