@partrocks/tokenvault 0.1.2

package/README.md

@@ -0,0 +1,122 @@
+# @partrocks/tokenvault
+
+TypeScript library for **Node 20+** and **Bun** that drives the **[tokenvault](https://github.com/partrocks/tokenVault)** CLI from your app. It wraps `tokenvault` as a subprocess (`node:child_process`): no in-process vault API.
+
+Use it to **bootstrap** a profile (credential, connection, attach, model cache, capability selection), **list** vault contents, **resolve secrets** per **capability** (`chat`, `embeddings`, …), and **change the model** for a capability without reimplementing CLI flags.
+
+## How it works
+
+1. **Locate** the `tokenvault` binary: `TOKENVAULT_BIN` env, else `PATH`.
+2. **Environment**: merges `TOKENVAULT_SECURE_STORE` defaults by OS (Keychain / Windows / Linux secret service) when unset, same idea as the hand-rolled bootstrap in the tokenVault project.
+3. **JSON vs TTY**: non-interactive steps use `tokenvault --json …` with captured stdout/stderr; interactive steps (e.g. `credential add`) inherit stdio.
+4. **Providers**: pluggable **`TokenVaultBootstrapProvider`** (OpenAI built in as **`builtInProviders.openai`**). You pass one into **`createTokenVault`**. Validation after `resolve` is provider-specific (e.g. OpenAI expects `providerId === "openai"`).
+5. **Published build**: npm tarball contains **`dist/`** only (ESM + `.d.ts`). **`prepublishOnly`** runs **`bun run build`** (`tsup`).
+
+## Install
+
+```bash
+bun add @partrocks/tokenvault
+# or
+npm install @partrocks/tokenvault
+```
+
+Local development: point your app at this directory with a `file:` dependency.
+
+## Requirements
+
+- **`tokenvault`** on `PATH`, or **`TOKENVAULT_BIN`** set to the executable.
+- Optional: **`TOKENVAULT_PASSPHRASE`**, **`TOKENVAULT_SECURE_STORE`** — same semantics as the tokenVault CLI.
+
+## Quick start
+
+```ts
+import {
+  createTokenVault,
+  CAPABILITY,
+  builtInProviders,
+} from "@partrocks/tokenvault";
+
+const tokenVault = createTokenVault({
+  provider: builtInProviders.openai,
+  namespace: "myapp",
+  appLabel: "myapp",
+  defaultModelByCapability: { [CAPABILITY.chat]: "gpt-4o-mini" },
+});
+
+// Idempotent: resolve first; if missing, interactive bootstrap (TTY) for chat
+const chat = await tokenVault.ensure();
+// VaultResolution: apiKey, modelId, providerId, baseURL?, connectionId?, credentialId?
+
+tokenVault.useProfile("other");
+const otherChat = await tokenVault.key(CAPABILITY.chat);
+
+await tokenVault.setCapabilityModel(
+  CAPABILITY.chat,
+  "myapp-openai",
+  "gpt-4o",
+);
+
+const snapshot = await tokenVault.listProfiles();
+// snapshot.profiles, snapshot.connections, snapshot.credentials, snapshot.providers
+```
+
+## API
+
+### `createTokenVault(options)`
+
+**Options** (summary):
+
+| Field | Purpose |
+| ----- | ------- |
+| `provider` | e.g. `builtInProviders.openai` |
+| `namespace` | Profile id; connection/credential id becomes `<namespace>-<providerId>` (e.g. `myapp-openai`) |
+| `profileId` + `connectionId` + `credentialId` | Explicit ids instead of `namespace` |
+| `appLabel` | Prefix for stderr messages |
+| `defaultModelByCapability` | Must include the **bootstrap** capability (default `chat`) |
+| `bootstrapCapability` | Capability wired by `ensure()` (default `CAPABILITY.chat`) |
+| `executablePath` | Override binary path |
+| `allowInteractiveBootstrap` | `false` to forbid interactive setup; `true` to force allow even in CI |
+| `logger` | Custom `{ notice, success }` |
+
+### `TokenVault` instance
+
+| Method | Behavior |
+| ------ | -------- |
+| `ensure(namespaceOverride?)` | Ensures bootstrap capability is resolvable; runs bootstrap if needed. Optional override uses same id convention for that namespace only. Returns **`VaultResolution`**. |
+| `listProfiles()` | `tokenvault list` as structured data. |
+| `useProfile(profileId)` | Sets active profile for `key()` / `setCapabilityModel`. |
+| `get activeProfileId` | Current active profile id. |
+| `key(capability)` | `resolve <profile> --capability <cap> --with-secret`. |
+| `setCapabilityModel(capability, connectionId, modelId)` | `tokenvault profile select …`. |
+
+### `CAPABILITY`
+
+Stable string constants aligned with tokenVault (`chat`, `reasoning`, `embeddings`, `image`, `audio`, `vision`, `tools`). Prefer these over raw strings.
+
+### Lower-level exports
+
+- **`builtInProviders`**, **`TokenVaultBootstrapProvider`**
+- **`createVaultCliRunner`**, **`VaultCliRunner`** (testing / custom spawn)
+- **`vaultProcessEnv`**, **`resolveTokenvaultExecutable`**
+- **`parseResolveStdout`**, **`parseVaultListPayload`**
+- Types: **`VaultResolution`**, **`VaultListResult`**, etc.
+
+## Interactive bootstrap and CI
+
+`ensure()` may spawn interactive `tokenvault` commands (TTY + stdin). By default interactive bootstrap is **disabled** when **`is-in-ci`** is true or stdin is not a TTY. Set **`allowInteractiveBootstrap: true`** only if you intend to run setup in CI with a fake TTY.
+
+## Publishing (maintainers)
+
+From the **tokenVault** repo root:
+
+```bash
+bun run publish:packages              # patch bump + bun publish
+bun run publish:packages -- minor
+bun run publish:packages -- --dry-run # no version bump
+```
+
+See `bin/publish-packages.sh` in the parent repository.
+
+## License
+
+MIT

package/dist/index.d.ts

@@ -0,0 +1,134 @@
+/** Aligned with tokenVault `src/domain/capability.ts` — keep in sync when adding capabilities. */
+declare const CAPABILITY: {
+    readonly chat: "chat";
+    readonly reasoning: "reasoning";
+    readonly embeddings: "embeddings";
+    readonly image: "image";
+    readonly audio: "audio";
+    readonly vision: "vision";
+    readonly tools: "tools";
+};
+type Capability = (typeof CAPABILITY)[keyof typeof CAPABILITY];
+declare function isCapability(s: string): s is Capability;
+declare function assertCapability(s: string): Capability;
+
+type VaultResolution = {
+    apiKey: string;
+    modelId: string;
+    providerId: string;
+    baseURL?: string;
+    connectionId?: string;
+    credentialId?: string;
+};
+type ListPayload = {
+    providers?: unknown[];
+    credentials?: {
+        id: string;
+        providerId: string;
+    }[];
+    connections?: {
+        id: string;
+        providerId: string;
+        credentialId: string;
+    }[];
+    profiles?: {
+        id: string;
+        attachedConnectionIds?: string[];
+    }[];
+};
+type CredentialCopyPick = {
+    profileId: string;
+    connectionId: string;
+    credentialId: string;
+};
+type VaultListResult = {
+    providers: ListPayload["providers"];
+    credentials: NonNullable<ListPayload["credentials"]>;
+    connections: NonNullable<ListPayload["connections"]>;
+    profiles: NonNullable<ListPayload["profiles"]>;
+};
+type Logger = {
+    notice: (message: string) => void;
+    success: (message: string) => void;
+};
+type ValidationContext = {
+    profileId: string;
+    capability: Capability;
+};
+
+type TokenVaultBootstrapProvider = {
+    /** tokenVault adapter id (e.g. `openai`) */
+    readonly tokenvaultProviderId: string;
+    /** After parse, enforce provider / model rules */
+    validateResolution(resolution: VaultResolution, ctx: ValidationContext): void;
+    /** Connections on other profiles eligible for credential copy during bootstrap */
+    listCredentialCopyPicks(payload: ListPayload, excludeProfileId: string): CredentialCopyPick[];
+    /** Run `connection refresh-models` after wiring (model-capable providers) */
+    readonly refreshModelsAfterBootstrap: boolean;
+};
+declare const builtInProviders: {
+    readonly openai: TokenVaultBootstrapProvider;
+};
+
+type RunJsonResult = {
+    code: number;
+    stdout: string;
+    stderr: string;
+};
+type VaultCliRunner = {
+    runJson: (args: string[]) => Promise<RunJsonResult>;
+    runInherit: (args: string[]) => Promise<number>;
+};
+declare function createVaultCliRunner(options: {
+    executablePath?: string;
+    env?: () => NodeJS.ProcessEnv;
+}): VaultCliRunner;
+
+type CreateTokenVaultOptions = {
+    provider: TokenVaultBootstrapProvider;
+    appLabel: string;
+    /** Default model per capability; must include entry for `bootstrapCapability` */
+    defaultModelByCapability: Partial<Record<Capability, string>>;
+    /** Capability wired by `ensure()` (default: chat) */
+    bootstrapCapability?: Capability;
+    executablePath?: string;
+    allowInteractiveBootstrap?: boolean;
+    logger?: Logger;
+    /** @internal Inject for tests */
+    runner?: VaultCliRunner;
+} & ({
+    namespace: string;
+} | {
+    profileId: string;
+    connectionId: string;
+    credentialId: string;
+});
+type TokenVault = {
+    /** Bootstrap `bootstrapCapability` for the given profile triple; optional one-off namespace convention. */
+    ensure: (namespaceOverride?: string) => Promise<VaultResolution>;
+    listProfiles: () => Promise<VaultListResult>;
+    /** Profile used by `key()` and `setCapabilityModel` (default: bootstrap profile). */
+    useProfile: (profileId: string) => void;
+    get activeProfileId(): string;
+    key: (capability: Capability | string) => Promise<VaultResolution>;
+    setCapabilityModel: (capability: Capability | string, connectionId: string, modelId: string) => Promise<void>;
+};
+declare function createTokenVault(options: CreateTokenVaultOptions): TokenVault;
+
+/**
+ * Prefer the OS secure store (Keychain / Secret Service / DPAPI) so tokenVault does not create a
+ * passphrase-backed vault. Ignored if the user already has `vault/passphrase-envelope.json` or
+ * sets TOKENVAULT_SECURE_STORE themselves.
+ */
+declare function vaultProcessEnv(): NodeJS.ProcessEnv;
+
+/**
+ * Resolve `tokenvault` on PATH (Windows respects PATHEXT).
+ * @throws if not found and no explicit path
+ */
+declare function resolveTokenvaultExecutable(explicit?: string): string;
+
+declare function parseVaultListPayload(stdout: string): ListPayload | null;
+declare function parseResolveStdout(stdout: string, provider: TokenVaultBootstrapProvider, ctx: ValidationContext): VaultResolution;
+
+export { CAPABILITY, type Capability, type CreateTokenVaultOptions, type CredentialCopyPick, type ListPayload, type Logger, type TokenVault, type TokenVaultBootstrapProvider, type ValidationContext, type VaultCliRunner, type VaultListResult, type VaultResolution, assertCapability, builtInProviders, createTokenVault, createVaultCliRunner, isCapability, parseResolveStdout, parseVaultListPayload, resolveTokenvaultExecutable, vaultProcessEnv };

package/dist/index.js

@@ -0,0 +1,648 @@
+// src/capability.ts
+var CAPABILITY = {
+  chat: "chat",
+  reasoning: "reasoning",
+  embeddings: "embeddings",
+  image: "image",
+  audio: "audio",
+  vision: "vision",
+  tools: "tools"
+};
+var CAP_VALUES = Object.values(CAPABILITY);
+function isCapability(s) {
+  return CAP_VALUES.includes(s);
+}
+function assertCapability(s) {
+  if (!isCapability(s)) {
+    throw new Error(
+      `Unknown capability "${s}". Expected one of: ${CAP_VALUES.join(", ")}`
+    );
+  }
+  return s;
+}
+
+// src/bootstrap.ts
+import * as readline from "readline";
+import isInCi from "is-in-ci";
+
+// src/parse.ts
+function parseVaultListPayload(stdout) {
+  try {
+    return JSON.parse(stdout);
+  } catch {
+    return null;
+  }
+}
+function parseResolveStdout(stdout, provider, ctx) {
+  let data;
+  try {
+    data = JSON.parse(stdout);
+  } catch {
+    throw new Error(
+      "Could not parse JSON from `tokenvault resolve` (unexpected output)."
+    );
+  }
+  const resolution = data.resolution;
+  if (!resolution || typeof resolution !== "object") {
+    throw new Error(
+      "`tokenvault resolve` JSON did not include a resolution object."
+    );
+  }
+  const apiKey = typeof resolution.apiKey === "string" ? resolution.apiKey.trim() : "";
+  const modelId = typeof resolution.modelId === "string" ? resolution.modelId.trim() : "";
+  const providerId = typeof resolution.providerId === "string" ? resolution.providerId.trim() : "";
+  const apiBaseUrl = typeof resolution.apiBaseUrl === "string" && resolution.apiBaseUrl.trim() ? resolution.apiBaseUrl.trim() : void 0;
+  const connectionId = typeof resolution.connectionId === "string" ? resolution.connectionId.trim() : void 0;
+  const credentialId = typeof resolution.credentialId === "string" ? resolution.credentialId.trim() : void 0;
+  if (!apiKey) {
+    throw new Error(
+      "`tokenvault resolve` did not return an apiKey. Use a tokenVault build that supports `tokenvault resolve --with-secret` (see tokenVault README)."
+    );
+  }
+  const out = {
+    apiKey,
+    modelId,
+    providerId,
+    baseURL: apiBaseUrl,
+    connectionId,
+    credentialId
+  };
+  provider.validateResolution(out, ctx);
+  return out;
+}
+
+// src/bootstrap.ts
+function promptLine(question) {
+  const rl = readline.createInterface({
+    input: process.stdin,
+    output: process.stderr
+  });
+  return new Promise((resolve) => {
+    rl.question(question, (answer) => {
+      rl.close();
+      resolve(answer.trim());
+    });
+  });
+}
+async function addCredentialInteractive(ctx, runner) {
+  const { provider, ids, logger } = ctx;
+  const listR = await runner.runJson(["list"]);
+  const payload = listR.code === 0 ? parseVaultListPayload(listR.stdout) : null;
+  const picks = payload ? provider.listCredentialCopyPicks(payload, ids.profileId) : [];
+  if (picks.length === 0) {
+    logger.notice(
+      `Adding API key to tokenVault for provider "${provider.tokenvaultProviderId}" (hidden input). Follow the tokenVault prompts if any appear.
+`
+    );
+  } else {
+    console.error("");
+    logger.notice(
+      `API key for tokenVault credential "${ids.credentialId}" (${provider.tokenvaultProviderId}):`
+    );
+    logger.notice(
+      "  1) Enter a new API key (hidden input via tokenvault)"
+    );
+    logger.notice(
+      "  2) Copy from another profile \u2192 connection \u2192 credential (reuse a stored key)"
+    );
+    console.error("");
+    const raw = await promptLine("Choose 1 or 2 [1]: ");
+    const mode = raw === "" ? "1" : raw;
+    if (mode === "2") {
+      console.error("");
+      for (let i = 0; i < picks.length; i++) {
+        const x = picks[i];
+        logger.notice(
+          `  ${i + 1}) profile "${x.profileId}" \u2192 connection "${x.connectionId}" \u2192 credential "${x.credentialId}"`
+        );
+      }
+      console.error("");
+      const numRaw = await promptLine(
+        `Enter 1\u2013${picks.length} (or blank to enter a new key instead): `
+      );
+      if (numRaw !== "") {
+        const n = Number.parseInt(numRaw, 10);
+        if (Number.isFinite(n) && n >= 1 && n <= picks.length) {
+          const credId = picks[n - 1].credentialId;
+          const copyR = await runner.runJson([
+            "credential",
+            "copy",
+            credId,
+            ids.credentialId
+          ]);
+          if (copyR.code === 0) {
+            console.error("");
+            return;
+          }
+          throw new Error(
+            copyR.stderr || copyR.stdout || `tokenvault credential copy failed (exit ${copyR.code})`
+          );
+        }
+      }
+      logger.notice("\nUsing new API key entry.\n");
+    }
+    logger.notice("Follow the tokenVault prompts (hidden API key).\n");
+  }
+  const code = await runner.runInherit([
+    "credential",
+    "add",
+    provider.tokenvaultProviderId,
+    ids.credentialId
+  ]);
+  if (code !== 0) {
+    throw new Error(`tokenvault credential add failed (exit ${code})`);
+  }
+}
+async function profileExists(runner, profileId) {
+  const r = await runner.runJson(["list"]);
+  if (r.code !== 0) return false;
+  let payload;
+  try {
+    payload = JSON.parse(r.stdout);
+  } catch {
+    return false;
+  }
+  return Boolean(payload.profiles?.some((p) => p.id === profileId));
+}
+async function credentialExists(runner, credentialId) {
+  const r = await runner.runJson(["credential", "inspect", credentialId]);
+  return r.code === 0;
+}
+async function connectionExists(runner, connectionId) {
+  const r = await runner.runJson(["connection", "inspect", connectionId]);
+  return r.code === 0;
+}
+async function tryResolve(runner, provider, profileId, capability) {
+  const r = await runner.runJson([
+    "resolve",
+    profileId,
+    "--capability",
+    capability,
+    "--with-secret"
+  ]);
+  if (r.code !== 0) return null;
+  return parseResolveStdout(r.stdout, provider, { profileId, capability });
+}
+async function bootstrapVaultProfile(ctx, runner) {
+  const { provider, ids, bootstrapCapability, defaultModelId, logger, appLabel } = ctx;
+  if (!ctx.allowInteractive) {
+    throw new Error(
+      `tokenVault profile "${ids.profileId}" is not usable in this environment. Configure it interactively on a TTY, or run the tokenvault commands from the tokenVault README for profile "${ids.profileId}".`
+    );
+  }
+  console.error("");
+  logger.notice(
+    `${appLabel}: tokenVault profile "${ids.profileId}" is missing or incomplete. Setting up credential "${ids.credentialId}" and wiring the profile.`
+  );
+  console.error("");
+  if (!await profileExists(runner, ids.profileId)) {
+    const r = await runner.runJson(["profile", "create", ids.profileId]);
+    if (r.code !== 0) {
+      throw new Error(
+        r.stderr || r.stdout || `tokenvault profile create failed (exit ${r.code})`
+      );
+    }
+  }
+  if (!await credentialExists(runner, ids.credentialId)) {
+    await addCredentialInteractive(ctx, runner);
+  }
+  if (!await connectionExists(runner, ids.connectionId)) {
+    const r = await runner.runJson([
+      "connection",
+      "add",
+      provider.tokenvaultProviderId,
+      ids.connectionId,
+      "--credential",
+      ids.credentialId
+    ]);
+    if (r.code !== 0) {
+      throw new Error(
+        r.stderr || r.stdout || `tokenvault connection add failed (exit ${r.code})`
+      );
+    }
+  }
+  {
+    const r = await runner.runJson([
+      "profile",
+      "attach",
+      ids.profileId,
+      ids.connectionId
+    ]);
+    if (r.code !== 0) {
+      throw new Error(
+        r.stderr || r.stdout || `tokenvault profile attach failed (exit ${r.code})`
+      );
+    }
+  }
+  if (provider.refreshModelsAfterBootstrap) {
+    logger.notice("Refreshing model cache in tokenVault\u2026\n");
+    const code = await runner.runInherit([
+      "connection",
+      "refresh-models",
+      ids.connectionId
+    ]);
+    if (code !== 0) {
+      throw new Error(
+        `tokenvault connection refresh-models failed (exit ${code})`
+      );
+    }
+  }
+  {
+    const r = await runner.runJson([
+      "profile",
+      "select",
+      ids.profileId,
+      bootstrapCapability,
+      ids.connectionId,
+      defaultModelId
+    ]);
+    if (r.code !== 0) {
+      throw new Error(
+        r.stderr || r.stdout || `tokenvault profile select failed (exit ${r.code}). Try: tokenvault connection refresh-models ${ids.connectionId}`
+      );
+    }
+  }
+  console.error("");
+  logger.success(
+    `${appLabel}: tokenVault profile "${ids.profileId}" is ready.
+`
+  );
+}
+function interactiveSetupAllowed(allowInteractiveBootstrap) {
+  if (allowInteractiveBootstrap === false) return false;
+  if (allowInteractiveBootstrap === true) return true;
+  return Boolean(process.stdin.isTTY) && !isInCi;
+}
+async function ensureBootstrapCapability(runner, ctx) {
+  const { provider, ids, bootstrapCapability } = ctx;
+  let cfg = await tryResolve(
+    runner,
+    provider,
+    ids.profileId,
+    bootstrapCapability
+  );
+  if (!cfg && await connectionExists(runner, ids.connectionId) && provider.refreshModelsAfterBootstrap) {
+    const code = await runner.runInherit([
+      "connection",
+      "refresh-models",
+      ids.connectionId
+    ]);
+    if (code === 0) {
+      cfg = await tryResolve(
+        runner,
+        provider,
+        ids.profileId,
+        bootstrapCapability
+      );
+    }
+  }
+  if (!cfg) {
+    await bootstrapVaultProfile(ctx, runner);
+    cfg = await tryResolve(
+      runner,
+      provider,
+      ids.profileId,
+      bootstrapCapability
+    );
+  }
+  if (!cfg) {
+    throw new Error(
+      `Could not resolve tokenVault profile "${ids.profileId}" for capability "${bootstrapCapability}" after setup. See: tokenvault resolve ${ids.profileId} --capability ${bootstrapCapability} --json`
+    );
+  }
+  return cfg;
+}
+async function resolveWithSecret(runner, provider, profileId, capability) {
+  const r = await runner.runJson([
+    "resolve",
+    profileId,
+    "--capability",
+    capability,
+    "--with-secret"
+  ]);
+  if (r.code !== 0) {
+    throw new Error(
+      r.stderr || r.stdout || `tokenvault resolve failed (exit ${r.code}) for profile "${profileId}" capability "${capability}"`
+    );
+  }
+  return parseResolveStdout(r.stdout, provider, { profileId, capability });
+}
+async function listVaultSnapshot(runner) {
+  const r = await runner.runJson(["list"]);
+  if (r.code !== 0) {
+    throw new Error(
+      r.stderr || r.stdout || `tokenvault list failed (exit ${r.code})`
+    );
+  }
+  const payload = parseVaultListPayload(r.stdout);
+  if (!payload) {
+    throw new Error("Could not parse JSON from `tokenvault list`.");
+  }
+  return {
+    providers: payload.providers,
+    credentials: payload.credentials ?? [],
+    connections: payload.connections ?? [],
+    profiles: payload.profiles ?? []
+  };
+}
+async function selectCapabilityModel(runner, params) {
+  const r = await runner.runJson([
+    "profile",
+    "select",
+    params.profileId,
+    params.capability,
+    params.connectionId,
+    params.modelId
+  ]);
+  if (r.code !== 0) {
+    throw new Error(
+      r.stderr || r.stdout || `tokenvault profile select failed (exit ${r.code})`
+    );
+  }
+}
+
+// src/executable.ts
+import fs from "fs";
+import path from "path";
+function resolveTokenvaultExecutable(explicit) {
+  const trimmed = explicit?.trim();
+  if (trimmed) return trimmed;
+  const fromEnv = process.env.TOKENVAULT_BIN?.trim();
+  if (fromEnv) return fromEnv;
+  const found = whichOnPath("tokenvault");
+  if (!found) {
+    throw new Error(
+      "tokenVault is not available: `tokenvault` was not found on PATH. Install tokenVault and link the CLI, or set TOKENVAULT_BIN to the tokenvault executable."
+    );
+  }
+  return found;
+}
+function whichOnPath(cmd) {
+  const isWin = process.platform === "win32";
+  const paths = process.env.PATH?.split(path.delimiter) ?? [];
+  const exts = isWin ? process.env.PATHEXT?.split(path.delimiter) ?? [".EXE", ".CMD", ".BAT", ""] : [""];
+  for (const dir of paths) {
+    for (const ext of exts) {
+      const candidate = path.join(dir, cmd + ext);
+      try {
+        const st = fs.statSync(candidate);
+        if (!st.isFile()) continue;
+        if (!isWin) {
+          try {
+            fs.accessSync(candidate, fs.constants.X_OK);
+          } catch {
+            continue;
+          }
+        }
+        return candidate;
+      } catch {
+      }
+    }
+  }
+  return null;
+}
+
+// src/logger.ts
+function stderrColorEnabled() {
+  if (process.env.NO_COLOR) return false;
+  if (process.env.TERM === "dumb") return false;
+  return Boolean(process.stderr.isTTY);
+}
+var ANSI_YELLOW = "\x1B[33m";
+var ANSI_GREEN = "\x1B[32m";
+var ANSI_RESET = "\x1B[0m";
+function createDefaultLogger() {
+  return {
+    notice(message) {
+      if (stderrColorEnabled())
+        console.error(`${ANSI_YELLOW}${message}${ANSI_RESET}`);
+      else console.error(message);
+    },
+    success(message) {
+      if (stderrColorEnabled())
+        console.error(`${ANSI_GREEN}${message}${ANSI_RESET}`);
+      else console.error(message);
+    }
+  };
+}
+
+// src/runner.ts
+import { spawn } from "child_process";
+
+// src/env.ts
+function vaultProcessEnv() {
+  const env = { ...process.env };
+  if (env.TOKENVAULT_SECURE_STORE?.trim()) return env;
+  switch (process.platform) {
+    case "darwin":
+      env.TOKENVAULT_SECURE_STORE = "macos-keychain";
+      break;
+    case "win32":
+      env.TOKENVAULT_SECURE_STORE = "windows";
+      break;
+    case "linux":
+      env.TOKENVAULT_SECURE_STORE = "linux-secret-service";
+      break;
+    default:
+      break;
+  }
+  return env;
+}
+
+// src/runner.ts
+function createVaultCliRunner(options) {
+  const envFactory = options.env ?? vaultProcessEnv;
+  function executable() {
+    return resolveTokenvaultExecutable(options.executablePath);
+  }
+  return {
+    async runJson(args) {
+      const exe = executable();
+      const env = envFactory();
+      const stdinMode = process.stdin.isTTY ? "inherit" : "ignore";
+      return await spawnCapture([exe, "--json", ...args], env, stdinMode);
+    },
+    async runInherit(args) {
+      const exe = executable();
+      const env = envFactory();
+      return await spawnInheritAll([exe, ...args], env);
+    }
+  };
+}
+function spawnCapture(argv, env, stdinMode) {
+  const [executablePath, ...args] = argv;
+  return new Promise((resolve, reject) => {
+    const child = spawn(executablePath, args, {
+      env,
+      stdio: [stdinMode, "pipe", "pipe"]
+    });
+    let stdout = "";
+    let stderr = "";
+    child.stdout?.setEncoding("utf8");
+    child.stderr?.setEncoding("utf8");
+    child.stdout?.on("data", (c) => {
+      stdout += c;
+    });
+    child.stderr?.on("data", (c) => {
+      stderr += c;
+    });
+    child.on("error", reject);
+    child.on("close", (code) => {
+      resolve({
+        code: code ?? 1,
+        stdout: stdout.trimEnd(),
+        stderr: stderr.trimEnd()
+      });
+    });
+  });
+}
+function spawnInheritAll(argv, env) {
+  const [executablePath, ...args] = argv;
+  return new Promise((resolve, reject) => {
+    const child = spawn(executablePath, args, { env, stdio: "inherit" });
+    child.on("error", reject);
+    child.on("close", (code) => resolve(code ?? 1));
+  });
+}
+
+// src/facade.ts
+function idsFromNamespace(ns, provider) {
+  const artifact = `${ns}-${provider.tokenvaultProviderId}`;
+  return { profileId: ns, connectionId: artifact, credentialId: artifact };
+}
+function resolveBootstrapIds(options) {
+  if ("namespace" in options) {
+    return idsFromNamespace(options.namespace, options.provider);
+  }
+  return {
+    profileId: options.profileId,
+    connectionId: options.connectionId,
+    credentialId: options.credentialId
+  };
+}
+function createTokenVault(options) {
+  const provider = options.provider;
+  const bootstrapCapability = options.bootstrapCapability ?? CAPABILITY.chat;
+  const defaultModelRaw = options.defaultModelByCapability[bootstrapCapability]?.trim();
+  if (!defaultModelRaw) {
+    throw new Error(
+      `createTokenVault: defaultModelByCapability must include a default model for bootstrap capability "${bootstrapCapability}"`
+    );
+  }
+  const defaultModelId = defaultModelRaw;
+  if (!options.runner) {
+    resolveTokenvaultExecutable(options.executablePath);
+  }
+  const runner = options.runner ?? createVaultCliRunner({ executablePath: options.executablePath });
+  const bootstrapIds = resolveBootstrapIds(options);
+  let resolveProfileId = bootstrapIds.profileId;
+  const logger = options.logger ?? createDefaultLogger();
+  const allowInteractive = interactiveSetupAllowed(
+    options.allowInteractiveBootstrap
+  );
+  function buildContext(ids) {
+    return {
+      provider,
+      ids,
+      bootstrapCapability,
+      defaultModelId,
+      appLabel: options.appLabel,
+      logger,
+      allowInteractive
+    };
+  }
+  return {
+    async ensure(namespaceOverride) {
+      const trimmed = namespaceOverride?.trim();
+      const ids = trimmed ? idsFromNamespace(trimmed, provider) : bootstrapIds;
+      return await ensureBootstrapCapability(
+        runner,
+        buildContext(ids)
+      );
+    },
+    async listProfiles() {
+      return await listVaultSnapshot(runner);
+    },
+    useProfile(profileId) {
+      resolveProfileId = profileId;
+    },
+    get activeProfileId() {
+      return resolveProfileId;
+    },
+    async key(capability) {
+      const cap = typeof capability === "string" ? assertCapability(capability) : capability;
+      return await resolveWithSecret(
+        runner,
+        provider,
+        resolveProfileId,
+        cap
+      );
+    },
+    async setCapabilityModel(capability, connectionId, modelId) {
+      const cap = typeof capability === "string" ? assertCapability(capability) : capability;
+      await selectCapabilityModel(runner, {
+        profileId: resolveProfileId,
+        capability: cap,
+        connectionId,
+        modelId
+      });
+    }
+  };
+}
+
+// src/provider.ts
+function openAiCopyPicks(payload, excludeProfileId) {
+  const profiles = payload.profiles ?? [];
+  const connections = payload.connections ?? [];
+  const byConnId = new Map(connections.map((c) => [c.id, c]));
+  const seenCred = /* @__PURE__ */ new Set();
+  const out = [];
+  for (const p of profiles) {
+    if (p.id === excludeProfileId) continue;
+    for (const connId of p.attachedConnectionIds ?? []) {
+      const c = byConnId.get(connId);
+      if (!c || c.providerId !== "openai") continue;
+      if (seenCred.has(c.credentialId)) continue;
+      seenCred.add(c.credentialId);
+      out.push({
+        profileId: p.id,
+        connectionId: c.id,
+        credentialId: c.credentialId
+      });
+    }
+  }
+  return out;
+}
+var openAiProvider = {
+  tokenvaultProviderId: "openai",
+  refreshModelsAfterBootstrap: true,
+  listCredentialCopyPicks: openAiCopyPicks,
+  validateResolution(resolution, ctx) {
+    if (resolution.providerId !== "openai") {
+      throw new Error(
+        `tokenVault profile "${ctx.profileId}" must select an OpenAI connection for capability "${ctx.capability}" (got provider "${resolution.providerId}").`
+      );
+    }
+    if (!resolution.modelId) {
+      throw new Error(
+        `tokenVault profile "${ctx.profileId}" has no model selected for capability "${ctx.capability}". Run: tokenvault profile select ${ctx.profileId} ${ctx.capability} <connection> <model>`
+      );
+    }
+  }
+};
+var builtInProviders = {
+  openai: openAiProvider
+};
+export {
+  CAPABILITY,
+  assertCapability,
+  builtInProviders,
+  createTokenVault,
+  createVaultCliRunner,
+  isCapability,
+  parseResolveStdout,
+  parseVaultListPayload,
+  resolveTokenvaultExecutable,
+  vaultProcessEnv
+};
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/capability.ts","../src/bootstrap.ts","../src/parse.ts","../src/executable.ts","../src/logger.ts","../src/runner.ts","../src/env.ts","../src/facade.ts","../src/provider.ts"],"sourcesContent":["/** Aligned with tokenVault `src/domain/capability.ts` — keep in sync when adding capabilities. */\nexport const CAPABILITY = {\n  chat: \"chat\",\n  reasoning: \"reasoning\",\n  embeddings: \"embeddings\",\n  image: \"image\",\n  audio: \"audio\",\n  vision: \"vision\",\n  tools: \"tools\",\n} as const;\n\nexport type Capability = (typeof CAPABILITY)[keyof typeof CAPABILITY];\n\nconst CAP_VALUES: readonly string[] = Object.values(CAPABILITY);\n\nexport function isCapability(s: string): s is Capability {\n  return CAP_VALUES.includes(s);\n}\n\nexport function assertCapability(s: string): Capability {\n  if (!isCapability(s)) {\n    throw new Error(\n      `Unknown capability \"${s}\". Expected one of: ${CAP_VALUES.join(\", \")}`,\n    );\n  }\n  return s;\n}\n","import * as readline from \"node:readline\";\nimport isInCi from \"is-in-ci\";\nimport type { Capability } from \"./capability.ts\";\nimport { parseResolveStdout, parseVaultListPayload } from \"./parse.ts\";\nimport type { TokenVaultBootstrapProvider } from \"./provider.ts\";\nimport type { VaultCliRunner } from \"./runner.ts\";\nimport type {\n  ListPayload,\n  Logger,\n  VaultListResult,\n  VaultResolution,\n} from \"./types.ts\";\n\nexport type BootstrapIds = {\n  profileId: string;\n  connectionId: string;\n  credentialId: string;\n};\n\nexport type BootstrapContext = {\n  provider: TokenVaultBootstrapProvider;\n  ids: BootstrapIds;\n  bootstrapCapability: Capability;\n  defaultModelId: string;\n  appLabel: string;\n  logger: Logger;\n  allowInteractive: boolean;\n};\n\nfunction promptLine(question: string): Promise<string> {\n  const rl = readline.createInterface({\n    input: process.stdin,\n    output: process.stderr,\n  });\n  return new Promise((resolve) => {\n    rl.question(question, (answer) => {\n      rl.close();\n      resolve(answer.trim());\n    });\n  });\n}\n\nasync function addCredentialInteractive(\n  ctx: BootstrapContext,\n  runner: VaultCliRunner,\n): Promise<void> {\n  const { provider, ids, logger } = ctx;\n  const listR = await runner.runJson([\"list\"]);\n  const payload =\n    listR.code === 0 ? parseVaultListPayload(listR.stdout) : null;\n  const picks = payload\n    ? provider.listCredentialCopyPicks(payload, ids.profileId)\n    : [];\n\n  if (picks.length === 0) {\n    logger.notice(\n      `Adding API key to tokenVault for provider \"${provider.tokenvaultProviderId}\" (hidden input). Follow the tokenVault prompts if any appear.\\n`,\n    );\n  } else {\n    console.error(\"\");\n    logger.notice(\n      `API key for tokenVault credential \"${ids.credentialId}\" (${provider.tokenvaultProviderId}):`,\n    );\n    logger.notice(\n      \"  1) Enter a new API key (hidden input via tokenvault)\",\n    );\n    logger.notice(\n      \"  2) Copy from another profile → connection → credential (reuse a stored key)\",\n    );\n    console.error(\"\");\n    const raw = await promptLine(\"Choose 1 or 2 [1]: \");\n    const mode = raw === \"\" ? \"1\" : raw;\n\n    if (mode === \"2\") {\n      console.error(\"\");\n      for (let i = 0; i < picks.length; i++) {\n        const x = picks[i]!;\n        logger.notice(\n          `  ${i + 1}) profile \"${x.profileId}\" → connection \"${x.connectionId}\" → credential \"${x.credentialId}\"`,\n        );\n      }\n      console.error(\"\");\n      const numRaw = await promptLine(\n        `Enter 1–${picks.length} (or blank to enter a new key instead): `,\n      );\n      if (numRaw !== \"\") {\n        const n = Number.parseInt(numRaw, 10);\n        if (Number.isFinite(n) && n >= 1 && n <= picks.length) {\n          const credId = picks[n - 1]!.credentialId;\n          const copyR = await runner.runJson([\n            \"credential\",\n            \"copy\",\n            credId,\n            ids.credentialId,\n          ]);\n          if (copyR.code === 0) {\n            console.error(\"\");\n            return;\n          }\n          throw new Error(\n            copyR.stderr ||\n              copyR.stdout ||\n              `tokenvault credential copy failed (exit ${copyR.code})`,\n          );\n        }\n      }\n      logger.notice(\"\\nUsing new API key entry.\\n\");\n    }\n\n    logger.notice(\"Follow the tokenVault prompts (hidden API key).\\n\");\n  }\n\n  const code = await runner.runInherit([\n    \"credential\",\n    \"add\",\n    provider.tokenvaultProviderId,\n    ids.credentialId,\n  ]);\n  if (code !== 0) {\n    throw new Error(`tokenvault credential add failed (exit ${code})`);\n  }\n}\n\nasync function profileExists(\n  runner: VaultCliRunner,\n  profileId: string,\n): Promise<boolean> {\n  const r = await runner.runJson([\"list\"]);\n  if (r.code !== 0) return false;\n  let payload: ListPayload;\n  try {\n    payload = JSON.parse(r.stdout) as ListPayload;\n  } catch {\n    return false;\n  }\n  return Boolean(payload.profiles?.some((p) => p.id === profileId));\n}\n\nasync function credentialExists(\n  runner: VaultCliRunner,\n  credentialId: string,\n): Promise<boolean> {\n  const r = await runner.runJson([\"credential\", \"inspect\", credentialId]);\n  return r.code === 0;\n}\n\nasync function connectionExists(\n  runner: VaultCliRunner,\n  connectionId: string,\n): Promise<boolean> {\n  const r = await runner.runJson([\"connection\", \"inspect\", connectionId]);\n  return r.code === 0;\n}\n\nasync function tryResolve(\n  runner: VaultCliRunner,\n  provider: TokenVaultBootstrapProvider,\n  profileId: string,\n  capability: Capability,\n): Promise<VaultResolution | null> {\n  const r = await runner.runJson([\n    \"resolve\",\n    profileId,\n    \"--capability\",\n    capability,\n    \"--with-secret\",\n  ]);\n  if (r.code !== 0) return null;\n  return parseResolveStdout(r.stdout, provider, { profileId, capability });\n}\n\nasync function bootstrapVaultProfile(\n  ctx: BootstrapContext,\n  runner: VaultCliRunner,\n): Promise<void> {\n  const { provider, ids, bootstrapCapability, defaultModelId, logger, appLabel } =\n    ctx;\n\n  if (!ctx.allowInteractive) {\n    throw new Error(\n      `tokenVault profile \"${ids.profileId}\" is not usable in this environment. Configure it interactively on a TTY, or run the tokenvault commands from the tokenVault README for profile \"${ids.profileId}\".`,\n    );\n  }\n\n  console.error(\"\");\n  logger.notice(\n    `${appLabel}: tokenVault profile \"${ids.profileId}\" is missing or incomplete. Setting up credential \"${ids.credentialId}\" and wiring the profile.`,\n  );\n  console.error(\"\");\n\n  if (!(await profileExists(runner, ids.profileId))) {\n    const r = await runner.runJson([\"profile\", \"create\", ids.profileId]);\n    if (r.code !== 0) {\n      throw new Error(\n        r.stderr || r.stdout || `tokenvault profile create failed (exit ${r.code})`,\n      );\n    }\n  }\n\n  if (!(await credentialExists(runner, ids.credentialId))) {\n    await addCredentialInteractive(ctx, runner);\n  }\n\n  if (!(await connectionExists(runner, ids.connectionId))) {\n    const r = await runner.runJson([\n      \"connection\",\n      \"add\",\n      provider.tokenvaultProviderId,\n      ids.connectionId,\n      \"--credential\",\n      ids.credentialId,\n    ]);\n    if (r.code !== 0) {\n      throw new Error(\n        r.stderr ||\n          r.stdout ||\n          `tokenvault connection add failed (exit ${r.code})`,\n      );\n    }\n  }\n\n  {\n    const r = await runner.runJson([\n      \"profile\",\n      \"attach\",\n      ids.profileId,\n      ids.connectionId,\n    ]);\n    if (r.code !== 0) {\n      throw new Error(\n        r.stderr ||\n          r.stdout ||\n          `tokenvault profile attach failed (exit ${r.code})`,\n      );\n    }\n  }\n\n  if (provider.refreshModelsAfterBootstrap) {\n    logger.notice(\"Refreshing model cache in tokenVault…\\n\");\n    const code = await runner.runInherit([\n      \"connection\",\n      \"refresh-models\",\n      ids.connectionId,\n    ]);\n    if (code !== 0) {\n      throw new Error(\n        `tokenvault connection refresh-models failed (exit ${code})`,\n      );\n    }\n  }\n\n  {\n    const r = await runner.runJson([\n      \"profile\",\n      \"select\",\n      ids.profileId,\n      bootstrapCapability,\n      ids.connectionId,\n      defaultModelId,\n    ]);\n    if (r.code !== 0) {\n      throw new Error(\n        r.stderr ||\n          r.stdout ||\n          `tokenvault profile select failed (exit ${r.code}). Try: tokenvault connection refresh-models ${ids.connectionId}`,\n      );\n    }\n  }\n\n  console.error(\"\");\n  logger.success(\n    `${appLabel}: tokenVault profile \"${ids.profileId}\" is ready.\\n`,\n  );\n}\n\nexport function interactiveSetupAllowed(\n  allowInteractiveBootstrap?: boolean,\n): boolean {\n  if (allowInteractiveBootstrap === false) return false;\n  if (allowInteractiveBootstrap === true) return true;\n  return Boolean(process.stdin.isTTY) && !isInCi;\n}\n\nexport async function ensureBootstrapCapability(\n  runner: VaultCliRunner,\n  ctx: BootstrapContext,\n): Promise<VaultResolution> {\n  const { provider, ids, bootstrapCapability } = ctx;\n\n  let cfg = await tryResolve(\n    runner,\n    provider,\n    ids.profileId,\n    bootstrapCapability,\n  );\n  if (\n    !cfg &&\n    (await connectionExists(runner, ids.connectionId)) &&\n    provider.refreshModelsAfterBootstrap\n  ) {\n    const code = await runner.runInherit([\n      \"connection\",\n      \"refresh-models\",\n      ids.connectionId,\n    ]);\n    if (code === 0) {\n      cfg = await tryResolve(\n        runner,\n        provider,\n        ids.profileId,\n        bootstrapCapability,\n      );\n    }\n  }\n\n  if (!cfg) {\n    await bootstrapVaultProfile(ctx, runner);\n    cfg = await tryResolve(\n      runner,\n      provider,\n      ids.profileId,\n      bootstrapCapability,\n    );\n  }\n\n  if (!cfg) {\n    throw new Error(\n      `Could not resolve tokenVault profile \"${ids.profileId}\" for capability \"${bootstrapCapability}\" after setup. See: tokenvault resolve ${ids.profileId} --capability ${bootstrapCapability} --json`,\n    );\n  }\n\n  return cfg;\n}\n\nexport async function resolveWithSecret(\n  runner: VaultCliRunner,\n  provider: TokenVaultBootstrapProvider,\n  profileId: string,\n  capability: Capability,\n): Promise<VaultResolution> {\n  const r = await runner.runJson([\n    \"resolve\",\n    profileId,\n    \"--capability\",\n    capability,\n    \"--with-secret\",\n  ]);\n  if (r.code !== 0) {\n    throw new Error(\n      r.stderr ||\n        r.stdout ||\n        `tokenvault resolve failed (exit ${r.code}) for profile \"${profileId}\" capability \"${capability}\"`,\n    );\n  }\n  return parseResolveStdout(r.stdout, provider, { profileId, capability });\n}\n\nexport async function listVaultSnapshot(\n  runner: VaultCliRunner,\n): Promise<VaultListResult> {\n  const r = await runner.runJson([\"list\"]);\n  if (r.code !== 0) {\n    throw new Error(\n      r.stderr || r.stdout || `tokenvault list failed (exit ${r.code})`,\n    );\n  }\n  const payload = parseVaultListPayload(r.stdout);\n  if (!payload) {\n    throw new Error(\"Could not parse JSON from `tokenvault list`.\");\n  }\n  return {\n    providers: payload.providers,\n    credentials: payload.credentials ?? [],\n    connections: payload.connections ?? [],\n    profiles: payload.profiles ?? [],\n  };\n}\n\nexport async function selectCapabilityModel(\n  runner: VaultCliRunner,\n  params: {\n    profileId: string;\n    capability: Capability;\n    connectionId: string;\n    modelId: string;\n  },\n): Promise<void> {\n  const r = await runner.runJson([\n    \"profile\",\n    \"select\",\n    params.profileId,\n    params.capability,\n    params.connectionId,\n    params.modelId,\n  ]);\n  if (r.code !== 0) {\n    throw new Error(\n      r.stderr ||\n        r.stdout ||\n        `tokenvault profile select failed (exit ${r.code})`,\n    );\n  }\n}\n","import type { TokenVaultBootstrapProvider } from \"./provider.ts\";\nimport type { ListPayload, VaultResolution, ValidationContext } from \"./types.ts\";\n\nexport function parseVaultListPayload(stdout: string): ListPayload | null {\n  try {\n    return JSON.parse(stdout) as ListPayload;\n  } catch {\n    return null;\n  }\n}\n\nexport function parseResolveStdout(\n  stdout: string,\n  provider: TokenVaultBootstrapProvider,\n  ctx: ValidationContext,\n): VaultResolution {\n  let data: unknown;\n  try {\n    data = JSON.parse(stdout);\n  } catch {\n    throw new Error(\n      \"Could not parse JSON from `tokenvault resolve` (unexpected output).\",\n    );\n  }\n  const resolution = (data as { resolution?: Record<string, unknown> })\n    .resolution;\n  if (!resolution || typeof resolution !== \"object\") {\n    throw new Error(\n      \"`tokenvault resolve` JSON did not include a resolution object.\",\n    );\n  }\n  const apiKey =\n    typeof resolution.apiKey === \"string\" ? resolution.apiKey.trim() : \"\";\n  const modelId =\n    typeof resolution.modelId === \"string\" ? resolution.modelId.trim() : \"\";\n  const providerId =\n    typeof resolution.providerId === \"string\"\n      ? resolution.providerId.trim()\n      : \"\";\n  const apiBaseUrl =\n    typeof resolution.apiBaseUrl === \"string\" && resolution.apiBaseUrl.trim()\n      ? resolution.apiBaseUrl.trim()\n      : undefined;\n  const connectionId =\n    typeof resolution.connectionId === \"string\"\n      ? resolution.connectionId.trim()\n      : undefined;\n  const credentialId =\n    typeof resolution.credentialId === \"string\"\n      ? resolution.credentialId.trim()\n      : undefined;\n\n  if (!apiKey) {\n    throw new Error(\n      \"`tokenvault resolve` did not return an apiKey. Use a tokenVault build that supports `tokenvault resolve --with-secret` (see tokenVault README).\",\n    );\n  }\n\n  const out: VaultResolution = {\n    apiKey,\n    modelId,\n    providerId,\n    baseURL: apiBaseUrl,\n    connectionId,\n    credentialId,\n  };\n  provider.validateResolution(out, ctx);\n  return out;\n}\n","import fs from \"node:fs\";\nimport path from \"node:path\";\n\n/**\n * Resolve `tokenvault` on PATH (Windows respects PATHEXT).\n * @throws if not found and no explicit path\n */\nexport function resolveTokenvaultExecutable(explicit?: string): string {\n  const trimmed = explicit?.trim();\n  if (trimmed) return trimmed;\n  const fromEnv = process.env.TOKENVAULT_BIN?.trim();\n  if (fromEnv) return fromEnv;\n  const found = whichOnPath(\"tokenvault\");\n  if (!found) {\n    throw new Error(\n      \"tokenVault is not available: `tokenvault` was not found on PATH. Install tokenVault and link the CLI, or set TOKENVAULT_BIN to the tokenvault executable.\",\n    );\n  }\n  return found;\n}\n\nfunction whichOnPath(cmd: string): string | null {\n  const isWin = process.platform === \"win32\";\n  const paths = process.env.PATH?.split(path.delimiter) ?? [];\n  const exts = isWin\n    ? process.env.PATHEXT?.split(path.delimiter) ?? [\".EXE\", \".CMD\", \".BAT\", \"\"]\n    : [\"\"];\n\n  for (const dir of paths) {\n    for (const ext of exts) {\n      const candidate = path.join(dir, cmd + ext);\n      try {\n        const st = fs.statSync(candidate);\n        if (!st.isFile()) continue;\n        if (!isWin) {\n          try {\n            fs.accessSync(candidate, fs.constants.X_OK);\n          } catch {\n            continue;\n          }\n        }\n        return candidate;\n      } catch {\n        /* try next */\n      }\n    }\n  }\n  return null;\n}\n","import type { Logger } from \"./types.ts\";\n\nfunction stderrColorEnabled(): boolean {\n  if (process.env.NO_COLOR) return false;\n  if (process.env.TERM === \"dumb\") return false;\n  return Boolean(process.stderr.isTTY);\n}\n\nconst ANSI_YELLOW = \"\\x1b[33m\";\nconst ANSI_GREEN = \"\\x1b[32m\";\nconst ANSI_RESET = \"\\x1b[0m\";\n\nexport function createDefaultLogger(): Logger {\n  return {\n    notice(message: string): void {\n      if (stderrColorEnabled())\n        console.error(`${ANSI_YELLOW}${message}${ANSI_RESET}`);\n      else console.error(message);\n    },\n    success(message: string): void {\n      if (stderrColorEnabled())\n        console.error(`${ANSI_GREEN}${message}${ANSI_RESET}`);\n      else console.error(message);\n    },\n  };\n}\n","import { spawn } from \"node:child_process\";\nimport { vaultProcessEnv } from \"./env.ts\";\nimport { resolveTokenvaultExecutable } from \"./executable.ts\";\n\nexport type RunJsonResult = { code: number; stdout: string; stderr: string };\n\nexport type VaultCliRunner = {\n  runJson: (args: string[]) => Promise<RunJsonResult>;\n  runInherit: (args: string[]) => Promise<number>;\n};\n\nexport function createVaultCliRunner(options: {\n  executablePath?: string;\n  env?: () => NodeJS.ProcessEnv;\n}): VaultCliRunner {\n  const envFactory = options.env ?? vaultProcessEnv;\n\n  function executable(): string {\n    return resolveTokenvaultExecutable(options.executablePath);\n  }\n\n  return {\n    async runJson(args: string[]): Promise<RunJsonResult> {\n      const exe = executable();\n      const env = envFactory();\n      const stdinMode = process.stdin.isTTY ? \"inherit\" : \"ignore\";\n      return await spawnCapture([exe, \"--json\", ...args], env, stdinMode);\n    },\n    async runInherit(args: string[]): Promise<number> {\n      const exe = executable();\n      const env = envFactory();\n      return await spawnInheritAll([exe, ...args], env);\n    },\n  };\n}\n\nfunction spawnCapture(\n  argv: string[],\n  env: NodeJS.ProcessEnv,\n  stdinMode: \"inherit\" | \"ignore\",\n): Promise<RunJsonResult> {\n  const [executablePath, ...args] = argv;\n  return new Promise((resolve, reject) => {\n    const child = spawn(executablePath!, args, {\n      env,\n      stdio: [stdinMode, \"pipe\", \"pipe\"],\n    });\n    let stdout = \"\";\n    let stderr = \"\";\n    child.stdout?.setEncoding(\"utf8\");\n    child.stderr?.setEncoding(\"utf8\");\n    child.stdout?.on(\"data\", (c: string) => {\n      stdout += c;\n    });\n    child.stderr?.on(\"data\", (c: string) => {\n      stderr += c;\n    });\n    child.on(\"error\", reject);\n    child.on(\"close\", (code) => {\n      resolve({\n        code: code ?? 1,\n        stdout: stdout.trimEnd(),\n        stderr: stderr.trimEnd(),\n      });\n    });\n  });\n}\n\nfunction spawnInheritAll(\n  argv: string[],\n  env: NodeJS.ProcessEnv,\n): Promise<number> {\n  const [executablePath, ...args] = argv;\n  return new Promise((resolve, reject) => {\n    const child = spawn(executablePath!, args, { env, stdio: \"inherit\" });\n    child.on(\"error\", reject);\n    child.on(\"close\", (code) => resolve(code ?? 1));\n  });\n}\n","/**\n * Prefer the OS secure store (Keychain / Secret Service / DPAPI) so tokenVault does not create a\n * passphrase-backed vault. Ignored if the user already has `vault/passphrase-envelope.json` or\n * sets TOKENVAULT_SECURE_STORE themselves.\n */\nexport function vaultProcessEnv(): NodeJS.ProcessEnv {\n  const env: NodeJS.ProcessEnv = { ...process.env };\n  if (env.TOKENVAULT_SECURE_STORE?.trim()) return env;\n  switch (process.platform) {\n    case \"darwin\":\n      env.TOKENVAULT_SECURE_STORE = \"macos-keychain\";\n      break;\n    case \"win32\":\n      env.TOKENVAULT_SECURE_STORE = \"windows\";\n      break;\n    case \"linux\":\n      env.TOKENVAULT_SECURE_STORE = \"linux-secret-service\";\n      break;\n    default:\n      break;\n  }\n  return env;\n}\n","import {\n  assertCapability,\n  CAPABILITY,\n  type Capability,\n} from \"./capability.ts\";\nimport {\n  ensureBootstrapCapability,\n  interactiveSetupAllowed,\n  listVaultSnapshot,\n  resolveWithSecret,\n  selectCapabilityModel,\n  type BootstrapContext,\n  type BootstrapIds,\n} from \"./bootstrap.ts\";\nimport { resolveTokenvaultExecutable } from \"./executable.ts\";\nimport { createDefaultLogger } from \"./logger.ts\";\nimport type { TokenVaultBootstrapProvider } from \"./provider.ts\";\nimport {\n  createVaultCliRunner,\n  type VaultCliRunner,\n} from \"./runner.ts\";\nimport type { Logger, VaultListResult, VaultResolution } from \"./types.ts\";\n\nexport type CreateTokenVaultOptions = {\n  provider: TokenVaultBootstrapProvider;\n  appLabel: string;\n  /** Default model per capability; must include entry for `bootstrapCapability` */\n  defaultModelByCapability: Partial<Record<Capability, string>>;\n  /** Capability wired by `ensure()` (default: chat) */\n  bootstrapCapability?: Capability;\n  executablePath?: string;\n  allowInteractiveBootstrap?: boolean;\n  logger?: Logger;\n  /** @internal Inject for tests */\n  runner?: VaultCliRunner;\n} & (\n  | { namespace: string }\n  | {\n      profileId: string;\n      connectionId: string;\n      credentialId: string;\n    }\n);\n\nexport type TokenVault = {\n  /** Bootstrap `bootstrapCapability` for the given profile triple; optional one-off namespace convention. */\n  ensure: (namespaceOverride?: string) => Promise<VaultResolution>;\n  listProfiles: () => Promise<VaultListResult>;\n  /** Profile used by `key()` and `setCapabilityModel` (default: bootstrap profile). */\n  useProfile: (profileId: string) => void;\n  get activeProfileId(): string;\n  key: (capability: Capability | string) => Promise<VaultResolution>;\n  setCapabilityModel: (\n    capability: Capability | string,\n    connectionId: string,\n    modelId: string,\n  ) => Promise<void>;\n};\n\nfunction idsFromNamespace(\n  ns: string,\n  provider: TokenVaultBootstrapProvider,\n): BootstrapIds {\n  const artifact = `${ns}-${provider.tokenvaultProviderId}`;\n  return { profileId: ns, connectionId: artifact, credentialId: artifact };\n}\n\nfunction resolveBootstrapIds(\n  options: CreateTokenVaultOptions,\n): BootstrapIds {\n  if (\"namespace\" in options) {\n    return idsFromNamespace(options.namespace, options.provider);\n  }\n  return {\n    profileId: options.profileId,\n    connectionId: options.connectionId,\n    credentialId: options.credentialId,\n  };\n}\n\nexport function createTokenVault(\n  options: CreateTokenVaultOptions,\n): TokenVault {\n  const provider = options.provider;\n  const bootstrapCapability =\n    options.bootstrapCapability ?? CAPABILITY.chat;\n  const defaultModelRaw =\n    options.defaultModelByCapability[bootstrapCapability]?.trim();\n  if (!defaultModelRaw) {\n    throw new Error(\n      `createTokenVault: defaultModelByCapability must include a default model for bootstrap capability \"${bootstrapCapability}\"`,\n    );\n  }\n  const defaultModelId: string = defaultModelRaw;\n\n  if (!options.runner) {\n    resolveTokenvaultExecutable(options.executablePath);\n  }\n\n  const runner =\n    options.runner ??\n    createVaultCliRunner({ executablePath: options.executablePath });\n\n  const bootstrapIds = resolveBootstrapIds(options);\n  let resolveProfileId = bootstrapIds.profileId;\n\n  const logger = options.logger ?? createDefaultLogger();\n  const allowInteractive = interactiveSetupAllowed(\n    options.allowInteractiveBootstrap,\n  );\n\n  function buildContext(ids: BootstrapIds): BootstrapContext {\n    return {\n      provider,\n      ids,\n      bootstrapCapability,\n      defaultModelId,\n      appLabel: options.appLabel,\n      logger,\n      allowInteractive,\n    };\n  }\n\n  return {\n    async ensure(namespaceOverride?: string): Promise<VaultResolution> {\n      const trimmed = namespaceOverride?.trim();\n      const ids = trimmed\n        ? idsFromNamespace(trimmed, provider)\n        : bootstrapIds;\n      return await ensureBootstrapCapability(\n        runner,\n        buildContext(ids),\n      );\n    },\n\n    async listProfiles(): Promise<VaultListResult> {\n      return await listVaultSnapshot(runner);\n    },\n\n    useProfile(profileId: string): void {\n      resolveProfileId = profileId;\n    },\n\n    get activeProfileId(): string {\n      return resolveProfileId;\n    },\n\n    async key(capability: Capability | string): Promise<VaultResolution> {\n      const cap = typeof capability === \"string\" ? assertCapability(capability) : capability;\n      return await resolveWithSecret(\n        runner,\n        provider,\n        resolveProfileId,\n        cap,\n      );\n    },\n\n    async setCapabilityModel(\n      capability: Capability | string,\n      connectionId: string,\n      modelId: string,\n    ): Promise<void> {\n      const cap =\n        typeof capability === \"string\" ? assertCapability(capability) : capability;\n      await selectCapabilityModel(runner, {\n        profileId: resolveProfileId,\n        capability: cap,\n        connectionId,\n        modelId,\n      });\n    },\n  };\n}\n","import type {\n  CredentialCopyPick,\n  ListPayload,\n  VaultResolution,\n  ValidationContext,\n} from \"./types.ts\";\n\nexport type TokenVaultBootstrapProvider = {\n  /** tokenVault adapter id (e.g. `openai`) */\n  readonly tokenvaultProviderId: string;\n  /** After parse, enforce provider / model rules */\n  validateResolution(\n    resolution: VaultResolution,\n    ctx: ValidationContext,\n  ): void;\n  /** Connections on other profiles eligible for credential copy during bootstrap */\n  listCredentialCopyPicks(\n    payload: ListPayload,\n    excludeProfileId: string,\n  ): CredentialCopyPick[];\n  /** Run `connection refresh-models` after wiring (model-capable providers) */\n  readonly refreshModelsAfterBootstrap: boolean;\n};\n\nfunction openAiCopyPicks(\n  payload: ListPayload,\n  excludeProfileId: string,\n): CredentialCopyPick[] {\n  const profiles = payload.profiles ?? [];\n  const connections = payload.connections ?? [];\n  const byConnId = new Map(connections.map((c) => [c.id, c]));\n  const seenCred = new Set<string>();\n  const out: CredentialCopyPick[] = [];\n  for (const p of profiles) {\n    if (p.id === excludeProfileId) continue;\n    for (const connId of p.attachedConnectionIds ?? []) {\n      const c = byConnId.get(connId);\n      if (!c || c.providerId !== \"openai\") continue;\n      if (seenCred.has(c.credentialId)) continue;\n      seenCred.add(c.credentialId);\n      out.push({\n        profileId: p.id,\n        connectionId: c.id,\n        credentialId: c.credentialId,\n      });\n    }\n  }\n  return out;\n}\n\nconst openAiProvider: TokenVaultBootstrapProvider = {\n  tokenvaultProviderId: \"openai\",\n  refreshModelsAfterBootstrap: true,\n  listCredentialCopyPicks: openAiCopyPicks,\n  validateResolution(resolution: VaultResolution, ctx: ValidationContext): void {\n    if (resolution.providerId !== \"openai\") {\n      throw new Error(\n        `tokenVault profile \"${ctx.profileId}\" must select an OpenAI connection for capability \"${ctx.capability}\" (got provider \"${resolution.providerId}\").`,\n      );\n    }\n    if (!resolution.modelId) {\n      throw new Error(\n        `tokenVault profile \"${ctx.profileId}\" has no model selected for capability \"${ctx.capability}\". Run: tokenvault profile select ${ctx.profileId} ${ctx.capability} <connection> <model>`,\n      );\n    }\n  },\n};\n\nexport const builtInProviders = {\n  openai: openAiProvider,\n} as const;\n"],"mappings":";AACO,IAAM,aAAa;AAAA,EACxB,MAAM;AAAA,EACN,WAAW;AAAA,EACX,YAAY;AAAA,EACZ,OAAO;AAAA,EACP,OAAO;AAAA,EACP,QAAQ;AAAA,EACR,OAAO;AACT;AAIA,IAAM,aAAgC,OAAO,OAAO,UAAU;AAEvD,SAAS,aAAa,GAA4B;AACvD,SAAO,WAAW,SAAS,CAAC;AAC9B;AAEO,SAAS,iBAAiB,GAAuB;AACtD,MAAI,CAAC,aAAa,CAAC,GAAG;AACpB,UAAM,IAAI;AAAA,MACR,uBAAuB,CAAC,uBAAuB,WAAW,KAAK,IAAI,CAAC;AAAA,IACtE;AAAA,EACF;AACA,SAAO;AACT;;;AC1BA,YAAY,cAAc;AAC1B,OAAO,YAAY;;;ACEZ,SAAS,sBAAsB,QAAoC;AACxE,MAAI;AACF,WAAO,KAAK,MAAM,MAAM;AAAA,EAC1B,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEO,SAAS,mBACd,QACA,UACA,KACiB;AACjB,MAAI;AACJ,MAAI;AACF,WAAO,KAAK,MAAM,MAAM;AAAA,EAC1B,QAAQ;AACN,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AACA,QAAM,aAAc,KACjB;AACH,MAAI,CAAC,cAAc,OAAO,eAAe,UAAU;AACjD,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AACA,QAAM,SACJ,OAAO,WAAW,WAAW,WAAW,WAAW,OAAO,KAAK,IAAI;AACrE,QAAM,UACJ,OAAO,WAAW,YAAY,WAAW,WAAW,QAAQ,KAAK,IAAI;AACvE,QAAM,aACJ,OAAO,WAAW,eAAe,WAC7B,WAAW,WAAW,KAAK,IAC3B;AACN,QAAM,aACJ,OAAO,WAAW,eAAe,YAAY,WAAW,WAAW,KAAK,IACpE,WAAW,WAAW,KAAK,IAC3B;AACN,QAAM,eACJ,OAAO,WAAW,iBAAiB,WAC/B,WAAW,aAAa,KAAK,IAC7B;AACN,QAAM,eACJ,OAAO,WAAW,iBAAiB,WAC/B,WAAW,aAAa,KAAK,IAC7B;AAEN,MAAI,CAAC,QAAQ;AACX,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AAEA,QAAM,MAAuB;AAAA,IAC3B;AAAA,IACA;AAAA,IACA;AAAA,IACA,SAAS;AAAA,IACT;AAAA,IACA;AAAA,EACF;AACA,WAAS,mBAAmB,KAAK,GAAG;AACpC,SAAO;AACT;;;ADvCA,SAAS,WAAW,UAAmC;AACrD,QAAM,KAAc,yBAAgB;AAAA,IAClC,OAAO,QAAQ;AAAA,IACf,QAAQ,QAAQ;AAAA,EAClB,CAAC;AACD,SAAO,IAAI,QAAQ,CAAC,YAAY;AAC9B,OAAG,SAAS,UAAU,CAAC,WAAW;AAChC,SAAG,MAAM;AACT,cAAQ,OAAO,KAAK,CAAC;AAAA,IACvB,CAAC;AAAA,EACH,CAAC;AACH;AAEA,eAAe,yBACb,KACA,QACe;AACf,QAAM,EAAE,UAAU,KAAK,OAAO,IAAI;AAClC,QAAM,QAAQ,MAAM,OAAO,QAAQ,CAAC,MAAM,CAAC;AAC3C,QAAM,UACJ,MAAM,SAAS,IAAI,sBAAsB,MAAM,MAAM,IAAI;AAC3D,QAAM,QAAQ,UACV,SAAS,wBAAwB,SAAS,IAAI,SAAS,IACvD,CAAC;AAEL,MAAI,MAAM,WAAW,GAAG;AACtB,WAAO;AAAA,MACL,8CAA8C,SAAS,oBAAoB;AAAA;AAAA,IAC7E;AAAA,EACF,OAAO;AACL,YAAQ,MAAM,EAAE;AAChB,WAAO;AAAA,MACL,sCAAsC,IAAI,YAAY,MAAM,SAAS,oBAAoB;AAAA,IAC3F;AACA,WAAO;AAAA,MACL;AAAA,IACF;AACA,WAAO;AAAA,MACL;AAAA,IACF;AACA,YAAQ,MAAM,EAAE;AAChB,UAAM,MAAM,MAAM,WAAW,qBAAqB;AAClD,UAAM,OAAO,QAAQ,KAAK,MAAM;AAEhC,QAAI,SAAS,KAAK;AAChB,cAAQ,MAAM,EAAE;AAChB,eAAS,IAAI,GAAG,IAAI,MAAM,QAAQ,KAAK;AACrC,cAAM,IAAI,MAAM,CAAC;AACjB,eAAO;AAAA,UACL,KAAK,IAAI,CAAC,cAAc,EAAE,SAAS,wBAAmB,EAAE,YAAY,wBAAmB,EAAE,YAAY;AAAA,QACvG;AAAA,MACF;AACA,cAAQ,MAAM,EAAE;AAChB,YAAM,SAAS,MAAM;AAAA,QACnB,gBAAW,MAAM,MAAM;AAAA,MACzB;AACA,UAAI,WAAW,IAAI;AACjB,cAAM,IAAI,OAAO,SAAS,QAAQ,EAAE;AACpC,YAAI,OAAO,SAAS,CAAC,KAAK,KAAK,KAAK,KAAK,MAAM,QAAQ;AACrD,gBAAM,SAAS,MAAM,IAAI,CAAC,EAAG;AAC7B,gBAAM,QAAQ,MAAM,OAAO,QAAQ;AAAA,YACjC;AAAA,YACA;AAAA,YACA;AAAA,YACA,IAAI;AAAA,UACN,CAAC;AACD,cAAI,MAAM,SAAS,GAAG;AACpB,oBAAQ,MAAM,EAAE;AAChB;AAAA,UACF;AACA,gBAAM,IAAI;AAAA,YACR,MAAM,UACJ,MAAM,UACN,2CAA2C,MAAM,IAAI;AAAA,UACzD;AAAA,QACF;AAAA,MACF;AACA,aAAO,OAAO,8BAA8B;AAAA,IAC9C;AAEA,WAAO,OAAO,mDAAmD;AAAA,EACnE;AAEA,QAAM,OAAO,MAAM,OAAO,WAAW;AAAA,IACnC;AAAA,IACA;AAAA,IACA,SAAS;AAAA,IACT,IAAI;AAAA,EACN,CAAC;AACD,MAAI,SAAS,GAAG;AACd,UAAM,IAAI,MAAM,0CAA0C,IAAI,GAAG;AAAA,EACnE;AACF;AAEA,eAAe,cACb,QACA,WACkB;AAClB,QAAM,IAAI,MAAM,OAAO,QAAQ,CAAC,MAAM,CAAC;AACvC,MAAI,EAAE,SAAS,EAAG,QAAO;AACzB,MAAI;AACJ,MAAI;AACF,cAAU,KAAK,MAAM,EAAE,MAAM;AAAA,EAC/B,QAAQ;AACN,WAAO;AAAA,EACT;AACA,SAAO,QAAQ,QAAQ,UAAU,KAAK,CAAC,MAAM,EAAE,OAAO,SAAS,CAAC;AAClE;AAEA,eAAe,iBACb,QACA,cACkB;AAClB,QAAM,IAAI,MAAM,OAAO,QAAQ,CAAC,cAAc,WAAW,YAAY,CAAC;AACtE,SAAO,EAAE,SAAS;AACpB;AAEA,eAAe,iBACb,QACA,cACkB;AAClB,QAAM,IAAI,MAAM,OAAO,QAAQ,CAAC,cAAc,WAAW,YAAY,CAAC;AACtE,SAAO,EAAE,SAAS;AACpB;AAEA,eAAe,WACb,QACA,UACA,WACA,YACiC;AACjC,QAAM,IAAI,MAAM,OAAO,QAAQ;AAAA,IAC7B;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF,CAAC;AACD,MAAI,EAAE,SAAS,EAAG,QAAO;AACzB,SAAO,mBAAmB,EAAE,QAAQ,UAAU,EAAE,WAAW,WAAW,CAAC;AACzE;AAEA,eAAe,sBACb,KACA,QACe;AACf,QAAM,EAAE,UAAU,KAAK,qBAAqB,gBAAgB,QAAQ,SAAS,IAC3E;AAEF,MAAI,CAAC,IAAI,kBAAkB;AACzB,UAAM,IAAI;AAAA,MACR,uBAAuB,IAAI,SAAS,oJAAoJ,IAAI,SAAS;AAAA,IACvM;AAAA,EACF;AAEA,UAAQ,MAAM,EAAE;AAChB,SAAO;AAAA,IACL,GAAG,QAAQ,yBAAyB,IAAI,SAAS,sDAAsD,IAAI,YAAY;AAAA,EACzH;AACA,UAAQ,MAAM,EAAE;AAEhB,MAAI,CAAE,MAAM,cAAc,QAAQ,IAAI,SAAS,GAAI;AACjD,UAAM,IAAI,MAAM,OAAO,QAAQ,CAAC,WAAW,UAAU,IAAI,SAAS,CAAC;AACnE,QAAI,EAAE,SAAS,GAAG;AAChB,YAAM,IAAI;AAAA,QACR,EAAE,UAAU,EAAE,UAAU,0CAA0C,EAAE,IAAI;AAAA,MAC1E;AAAA,IACF;AAAA,EACF;AAEA,MAAI,CAAE,MAAM,iBAAiB,QAAQ,IAAI,YAAY,GAAI;AACvD,UAAM,yBAAyB,KAAK,MAAM;AAAA,EAC5C;AAEA,MAAI,CAAE,MAAM,iBAAiB,QAAQ,IAAI,YAAY,GAAI;AACvD,UAAM,IAAI,MAAM,OAAO,QAAQ;AAAA,MAC7B;AAAA,MACA;AAAA,MACA,SAAS;AAAA,MACT,IAAI;AAAA,MACJ;AAAA,MACA,IAAI;AAAA,IACN,CAAC;AACD,QAAI,EAAE,SAAS,GAAG;AAChB,YAAM,IAAI;AAAA,QACR,EAAE,UACA,EAAE,UACF,0CAA0C,EAAE,IAAI;AAAA,MACpD;AAAA,IACF;AAAA,EACF;AAEA;AACE,UAAM,IAAI,MAAM,OAAO,QAAQ;AAAA,MAC7B;AAAA,MACA;AAAA,MACA,IAAI;AAAA,MACJ,IAAI;AAAA,IACN,CAAC;AACD,QAAI,EAAE,SAAS,GAAG;AAChB,YAAM,IAAI;AAAA,QACR,EAAE,UACA,EAAE,UACF,0CAA0C,EAAE,IAAI;AAAA,MACpD;AAAA,IACF;AAAA,EACF;AAEA,MAAI,SAAS,6BAA6B;AACxC,WAAO,OAAO,8CAAyC;AACvD,UAAM,OAAO,MAAM,OAAO,WAAW;AAAA,MACnC;AAAA,MACA;AAAA,MACA,IAAI;AAAA,IACN,CAAC;AACD,QAAI,SAAS,GAAG;AACd,YAAM,IAAI;AAAA,QACR,qDAAqD,IAAI;AAAA,MAC3D;AAAA,IACF;AAAA,EACF;AAEA;AACE,UAAM,IAAI,MAAM,OAAO,QAAQ;AAAA,MAC7B;AAAA,MACA;AAAA,MACA,IAAI;AAAA,MACJ;AAAA,MACA,IAAI;AAAA,MACJ;AAAA,IACF,CAAC;AACD,QAAI,EAAE,SAAS,GAAG;AAChB,YAAM,IAAI;AAAA,QACR,EAAE,UACA,EAAE,UACF,0CAA0C,EAAE,IAAI,gDAAgD,IAAI,YAAY;AAAA,MACpH;AAAA,IACF;AAAA,EACF;AAEA,UAAQ,MAAM,EAAE;AAChB,SAAO;AAAA,IACL,GAAG,QAAQ,yBAAyB,IAAI,SAAS;AAAA;AAAA,EACnD;AACF;AAEO,SAAS,wBACd,2BACS;AACT,MAAI,8BAA8B,MAAO,QAAO;AAChD,MAAI,8BAA8B,KAAM,QAAO;AAC/C,SAAO,QAAQ,QAAQ,MAAM,KAAK,KAAK,CAAC;AAC1C;AAEA,eAAsB,0BACpB,QACA,KAC0B;AAC1B,QAAM,EAAE,UAAU,KAAK,oBAAoB,IAAI;AAE/C,MAAI,MAAM,MAAM;AAAA,IACd;AAAA,IACA;AAAA,IACA,IAAI;AAAA,IACJ;AAAA,EACF;AACA,MACE,CAAC,OACA,MAAM,iBAAiB,QAAQ,IAAI,YAAY,KAChD,SAAS,6BACT;AACA,UAAM,OAAO,MAAM,OAAO,WAAW;AAAA,MACnC;AAAA,MACA;AAAA,MACA,IAAI;AAAA,IACN,CAAC;AACD,QAAI,SAAS,GAAG;AACd,YAAM,MAAM;AAAA,QACV;AAAA,QACA;AAAA,QACA,IAAI;AAAA,QACJ;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAEA,MAAI,CAAC,KAAK;AACR,UAAM,sBAAsB,KAAK,MAAM;AACvC,UAAM,MAAM;AAAA,MACV;AAAA,MACA;AAAA,MACA,IAAI;AAAA,MACJ;AAAA,IACF;AAAA,EACF;AAEA,MAAI,CAAC,KAAK;AACR,UAAM,IAAI;AAAA,MACR,yCAAyC,IAAI,SAAS,qBAAqB,mBAAmB,0CAA0C,IAAI,SAAS,iBAAiB,mBAAmB;AAAA,IAC3L;AAAA,EACF;AAEA,SAAO;AACT;AAEA,eAAsB,kBACpB,QACA,UACA,WACA,YAC0B;AAC1B,QAAM,IAAI,MAAM,OAAO,QAAQ;AAAA,IAC7B;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF,CAAC;AACD,MAAI,EAAE,SAAS,GAAG;AAChB,UAAM,IAAI;AAAA,MACR,EAAE,UACA,EAAE,UACF,mCAAmC,EAAE,IAAI,kBAAkB,SAAS,iBAAiB,UAAU;AAAA,IACnG;AAAA,EACF;AACA,SAAO,mBAAmB,EAAE,QAAQ,UAAU,EAAE,WAAW,WAAW,CAAC;AACzE;AAEA,eAAsB,kBACpB,QAC0B;AAC1B,QAAM,IAAI,MAAM,OAAO,QAAQ,CAAC,MAAM,CAAC;AACvC,MAAI,EAAE,SAAS,GAAG;AAChB,UAAM,IAAI;AAAA,MACR,EAAE,UAAU,EAAE,UAAU,gCAAgC,EAAE,IAAI;AAAA,IAChE;AAAA,EACF;AACA,QAAM,UAAU,sBAAsB,EAAE,MAAM;AAC9C,MAAI,CAAC,SAAS;AACZ,UAAM,IAAI,MAAM,8CAA8C;AAAA,EAChE;AACA,SAAO;AAAA,IACL,WAAW,QAAQ;AAAA,IACnB,aAAa,QAAQ,eAAe,CAAC;AAAA,IACrC,aAAa,QAAQ,eAAe,CAAC;AAAA,IACrC,UAAU,QAAQ,YAAY,CAAC;AAAA,EACjC;AACF;AAEA,eAAsB,sBACpB,QACA,QAMe;AACf,QAAM,IAAI,MAAM,OAAO,QAAQ;AAAA,IAC7B;AAAA,IACA;AAAA,IACA,OAAO;AAAA,IACP,OAAO;AAAA,IACP,OAAO;AAAA,IACP,OAAO;AAAA,EACT,CAAC;AACD,MAAI,EAAE,SAAS,GAAG;AAChB,UAAM,IAAI;AAAA,MACR,EAAE,UACA,EAAE,UACF,0CAA0C,EAAE,IAAI;AAAA,IACpD;AAAA,EACF;AACF;;;AElZA,OAAO,QAAQ;AACf,OAAO,UAAU;AAMV,SAAS,4BAA4B,UAA2B;AACrE,QAAM,UAAU,UAAU,KAAK;AAC/B,MAAI,QAAS,QAAO;AACpB,QAAM,UAAU,QAAQ,IAAI,gBAAgB,KAAK;AACjD,MAAI,QAAS,QAAO;AACpB,QAAM,QAAQ,YAAY,YAAY;AACtC,MAAI,CAAC,OAAO;AACV,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AACA,SAAO;AACT;AAEA,SAAS,YAAY,KAA4B;AAC/C,QAAM,QAAQ,QAAQ,aAAa;AACnC,QAAM,QAAQ,QAAQ,IAAI,MAAM,MAAM,KAAK,SAAS,KAAK,CAAC;AAC1D,QAAM,OAAO,QACT,QAAQ,IAAI,SAAS,MAAM,KAAK,SAAS,KAAK,CAAC,QAAQ,QAAQ,QAAQ,EAAE,IACzE,CAAC,EAAE;AAEP,aAAW,OAAO,OAAO;AACvB,eAAW,OAAO,MAAM;AACtB,YAAM,YAAY,KAAK,KAAK,KAAK,MAAM,GAAG;AAC1C,UAAI;AACF,cAAM,KAAK,GAAG,SAAS,SAAS;AAChC,YAAI,CAAC,GAAG,OAAO,EAAG;AAClB,YAAI,CAAC,OAAO;AACV,cAAI;AACF,eAAG,WAAW,WAAW,GAAG,UAAU,IAAI;AAAA,UAC5C,QAAQ;AACN;AAAA,UACF;AAAA,QACF;AACA,eAAO;AAAA,MACT,QAAQ;AAAA,MAER;AAAA,IACF;AAAA,EACF;AACA,SAAO;AACT;;;AC9CA,SAAS,qBAA8B;AACrC,MAAI,QAAQ,IAAI,SAAU,QAAO;AACjC,MAAI,QAAQ,IAAI,SAAS,OAAQ,QAAO;AACxC,SAAO,QAAQ,QAAQ,OAAO,KAAK;AACrC;AAEA,IAAM,cAAc;AACpB,IAAM,aAAa;AACnB,IAAM,aAAa;AAEZ,SAAS,sBAA8B;AAC5C,SAAO;AAAA,IACL,OAAO,SAAuB;AAC5B,UAAI,mBAAmB;AACrB,gBAAQ,MAAM,GAAG,WAAW,GAAG,OAAO,GAAG,UAAU,EAAE;AAAA,UAClD,SAAQ,MAAM,OAAO;AAAA,IAC5B;AAAA,IACA,QAAQ,SAAuB;AAC7B,UAAI,mBAAmB;AACrB,gBAAQ,MAAM,GAAG,UAAU,GAAG,OAAO,GAAG,UAAU,EAAE;AAAA,UACjD,SAAQ,MAAM,OAAO;AAAA,IAC5B;AAAA,EACF;AACF;;;ACzBA,SAAS,aAAa;;;ACKf,SAAS,kBAAqC;AACnD,QAAM,MAAyB,EAAE,GAAG,QAAQ,IAAI;AAChD,MAAI,IAAI,yBAAyB,KAAK,EAAG,QAAO;AAChD,UAAQ,QAAQ,UAAU;AAAA,IACxB,KAAK;AACH,UAAI,0BAA0B;AAC9B;AAAA,IACF,KAAK;AACH,UAAI,0BAA0B;AAC9B;AAAA,IACF,KAAK;AACH,UAAI,0BAA0B;AAC9B;AAAA,IACF;AACE;AAAA,EACJ;AACA,SAAO;AACT;;;ADXO,SAAS,qBAAqB,SAGlB;AACjB,QAAM,aAAa,QAAQ,OAAO;AAElC,WAAS,aAAqB;AAC5B,WAAO,4BAA4B,QAAQ,cAAc;AAAA,EAC3D;AAEA,SAAO;AAAA,IACL,MAAM,QAAQ,MAAwC;AACpD,YAAM,MAAM,WAAW;AACvB,YAAM,MAAM,WAAW;AACvB,YAAM,YAAY,QAAQ,MAAM,QAAQ,YAAY;AACpD,aAAO,MAAM,aAAa,CAAC,KAAK,UAAU,GAAG,IAAI,GAAG,KAAK,SAAS;AAAA,IACpE;AAAA,IACA,MAAM,WAAW,MAAiC;AAChD,YAAM,MAAM,WAAW;AACvB,YAAM,MAAM,WAAW;AACvB,aAAO,MAAM,gBAAgB,CAAC,KAAK,GAAG,IAAI,GAAG,GAAG;AAAA,IAClD;AAAA,EACF;AACF;AAEA,SAAS,aACP,MACA,KACA,WACwB;AACxB,QAAM,CAAC,gBAAgB,GAAG,IAAI,IAAI;AAClC,SAAO,IAAI,QAAQ,CAAC,SAAS,WAAW;AACtC,UAAM,QAAQ,MAAM,gBAAiB,MAAM;AAAA,MACzC;AAAA,MACA,OAAO,CAAC,WAAW,QAAQ,MAAM;AAAA,IACnC,CAAC;AACD,QAAI,SAAS;AACb,QAAI,SAAS;AACb,UAAM,QAAQ,YAAY,MAAM;AAChC,UAAM,QAAQ,YAAY,MAAM;AAChC,UAAM,QAAQ,GAAG,QAAQ,CAAC,MAAc;AACtC,gBAAU;AAAA,IACZ,CAAC;AACD,UAAM,QAAQ,GAAG,QAAQ,CAAC,MAAc;AACtC,gBAAU;AAAA,IACZ,CAAC;AACD,UAAM,GAAG,SAAS,MAAM;AACxB,UAAM,GAAG,SAAS,CAAC,SAAS;AAC1B,cAAQ;AAAA,QACN,MAAM,QAAQ;AAAA,QACd,QAAQ,OAAO,QAAQ;AAAA,QACvB,QAAQ,OAAO,QAAQ;AAAA,MACzB,CAAC;AAAA,IACH,CAAC;AAAA,EACH,CAAC;AACH;AAEA,SAAS,gBACP,MACA,KACiB;AACjB,QAAM,CAAC,gBAAgB,GAAG,IAAI,IAAI;AAClC,SAAO,IAAI,QAAQ,CAAC,SAAS,WAAW;AACtC,UAAM,QAAQ,MAAM,gBAAiB,MAAM,EAAE,KAAK,OAAO,UAAU,CAAC;AACpE,UAAM,GAAG,SAAS,MAAM;AACxB,UAAM,GAAG,SAAS,CAAC,SAAS,QAAQ,QAAQ,CAAC,CAAC;AAAA,EAChD,CAAC;AACH;;;AEnBA,SAAS,iBACP,IACA,UACc;AACd,QAAM,WAAW,GAAG,EAAE,IAAI,SAAS,oBAAoB;AACvD,SAAO,EAAE,WAAW,IAAI,cAAc,UAAU,cAAc,SAAS;AACzE;AAEA,SAAS,oBACP,SACc;AACd,MAAI,eAAe,SAAS;AAC1B,WAAO,iBAAiB,QAAQ,WAAW,QAAQ,QAAQ;AAAA,EAC7D;AACA,SAAO;AAAA,IACL,WAAW,QAAQ;AAAA,IACnB,cAAc,QAAQ;AAAA,IACtB,cAAc,QAAQ;AAAA,EACxB;AACF;AAEO,SAAS,iBACd,SACY;AACZ,QAAM,WAAW,QAAQ;AACzB,QAAM,sBACJ,QAAQ,uBAAuB,WAAW;AAC5C,QAAM,kBACJ,QAAQ,yBAAyB,mBAAmB,GAAG,KAAK;AAC9D,MAAI,CAAC,iBAAiB;AACpB,UAAM,IAAI;AAAA,MACR,qGAAqG,mBAAmB;AAAA,IAC1H;AAAA,EACF;AACA,QAAM,iBAAyB;AAE/B,MAAI,CAAC,QAAQ,QAAQ;AACnB,gCAA4B,QAAQ,cAAc;AAAA,EACpD;AAEA,QAAM,SACJ,QAAQ,UACR,qBAAqB,EAAE,gBAAgB,QAAQ,eAAe,CAAC;AAEjE,QAAM,eAAe,oBAAoB,OAAO;AAChD,MAAI,mBAAmB,aAAa;AAEpC,QAAM,SAAS,QAAQ,UAAU,oBAAoB;AACrD,QAAM,mBAAmB;AAAA,IACvB,QAAQ;AAAA,EACV;AAEA,WAAS,aAAa,KAAqC;AACzD,WAAO;AAAA,MACL;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA,UAAU,QAAQ;AAAA,MAClB;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AAAA,IACL,MAAM,OAAO,mBAAsD;AACjE,YAAM,UAAU,mBAAmB,KAAK;AACxC,YAAM,MAAM,UACR,iBAAiB,SAAS,QAAQ,IAClC;AACJ,aAAO,MAAM;AAAA,QACX;AAAA,QACA,aAAa,GAAG;AAAA,MAClB;AAAA,IACF;AAAA,IAEA,MAAM,eAAyC;AAC7C,aAAO,MAAM,kBAAkB,MAAM;AAAA,IACvC;AAAA,IAEA,WAAW,WAAyB;AAClC,yBAAmB;AAAA,IACrB;AAAA,IAEA,IAAI,kBAA0B;AAC5B,aAAO;AAAA,IACT;AAAA,IAEA,MAAM,IAAI,YAA2D;AACnE,YAAM,MAAM,OAAO,eAAe,WAAW,iBAAiB,UAAU,IAAI;AAC5E,aAAO,MAAM;AAAA,QACX;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAAA,IAEA,MAAM,mBACJ,YACA,cACA,SACe;AACf,YAAM,MACJ,OAAO,eAAe,WAAW,iBAAiB,UAAU,IAAI;AAClE,YAAM,sBAAsB,QAAQ;AAAA,QAClC,WAAW;AAAA,QACX,YAAY;AAAA,QACZ;AAAA,QACA;AAAA,MACF,CAAC;AAAA,IACH;AAAA,EACF;AACF;;;ACpJA,SAAS,gBACP,SACA,kBACsB;AACtB,QAAM,WAAW,QAAQ,YAAY,CAAC;AACtC,QAAM,cAAc,QAAQ,eAAe,CAAC;AAC5C,QAAM,WAAW,IAAI,IAAI,YAAY,IAAI,CAAC,MAAM,CAAC,EAAE,IAAI,CAAC,CAAC,CAAC;AAC1D,QAAM,WAAW,oBAAI,IAAY;AACjC,QAAM,MAA4B,CAAC;AACnC,aAAW,KAAK,UAAU;AACxB,QAAI,EAAE,OAAO,iBAAkB;AAC/B,eAAW,UAAU,EAAE,yBAAyB,CAAC,GAAG;AAClD,YAAM,IAAI,SAAS,IAAI,MAAM;AAC7B,UAAI,CAAC,KAAK,EAAE,eAAe,SAAU;AACrC,UAAI,SAAS,IAAI,EAAE,YAAY,EAAG;AAClC,eAAS,IAAI,EAAE,YAAY;AAC3B,UAAI,KAAK;AAAA,QACP,WAAW,EAAE;AAAA,QACb,cAAc,EAAE;AAAA,QAChB,cAAc,EAAE;AAAA,MAClB,CAAC;AAAA,IACH;AAAA,EACF;AACA,SAAO;AACT;AAEA,IAAM,iBAA8C;AAAA,EAClD,sBAAsB;AAAA,EACtB,6BAA6B;AAAA,EAC7B,yBAAyB;AAAA,EACzB,mBAAmB,YAA6B,KAA8B;AAC5E,QAAI,WAAW,eAAe,UAAU;AACtC,YAAM,IAAI;AAAA,QACR,uBAAuB,IAAI,SAAS,sDAAsD,IAAI,UAAU,oBAAoB,WAAW,UAAU;AAAA,MACnJ;AAAA,IACF;AACA,QAAI,CAAC,WAAW,SAAS;AACvB,YAAM,IAAI;AAAA,QACR,uBAAuB,IAAI,SAAS,2CAA2C,IAAI,UAAU,qCAAqC,IAAI,SAAS,IAAI,IAAI,UAAU;AAAA,MACnK;AAAA,IACF;AAAA,EACF;AACF;AAEO,IAAM,mBAAmB;AAAA,EAC9B,QAAQ;AACV;","names":[]}

package/package.json

@@ -0,0 +1,40 @@
+{
+  "name": "@partrocks/tokenvault",
+  "version": "0.1.2",
+  "description": "Facade for tokenvault CLI: bootstrap profiles, resolve secrets per capability, list profiles",
+  "type": "module",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js",
+      "default": "./dist/index.js"
+    }
+  },
+  "files": [
+    "dist",
+    "README.md"
+  ],
+  "publishConfig": {
+    "access": "public"
+  },
+  "scripts": {
+    "build": "tsup",
+    "prepublishOnly": "bun run build",
+    "typecheck": "tsc --noEmit",
+    "test": "bun test"
+  },
+  "engines": {
+    "node": ">=20"
+  },
+  "dependencies": {
+    "is-in-ci": "^2.0.0"
+  },
+  "devDependencies": {
+    "@types/node": "^22.10.0",
+    "tsup": "^8.5.1",
+    "typescript": "^5.7.0"
+  },
+  "license": "MIT"
+}