npm - @partrocks/tokenvault - Versions diffs - 0.1.5 → 0.1.6 - Mend

@partrocks/tokenvault 0.1.5 → 0.1.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/README.md CHANGED Viewed

@@ -1,122 +1,7 @@
 # @partrocks/tokenvault
-TypeScript library for **Node 20+** and **Bun** that drives the **[tokenvault](https://github.com/partrocks/tokenVault)** CLI from your app. It wraps `tokenvault` as a subprocess (`node:child_process`): no in-process vault API.
+TypeScript library for **Node 20+** and **Bun** that drives the **[tokenvault](https://github.com/partrocks/tokenVault)** CLI from your app.
-Use it to **bootstrap** a profile (credential, connection, attach, model cache, capability selection), **list** vault contents, **resolve secrets** per **capability** (`chat`, `embeddings`, …), and **change the model** for a capability without reimplementing CLI flags.
+Full API reference, quick start, CI behaviour, and publishing notes: **[TOKENVAULT_BOOTSTRAP.md](./TOKENVAULT_BOOTSTRAP.md)**.
-## How it works
-1. **Locate** the `tokenvault` binary: `TOKENVAULT_BIN` env, else `PATH`.
-2. **Environment**: merges `TOKENVAULT_SECURE_STORE` defaults by OS (Keychain / Windows / Linux secret service) when unset, same idea as the hand-rolled bootstrap in the tokenVault project.
-3. **JSON vs TTY**: non-interactive steps use `tokenvault --json …` with captured stdout/stderr; interactive steps (e.g. `credential add`) inherit stdio.
-4. **Providers**: pluggable **`TokenVaultBootstrapProvider`** (OpenAI built in as **`builtInProviders.openai`**). You pass one into **`createTokenVault`**. Validation after `resolve` is provider-specific (e.g. OpenAI expects `providerId === "openai"`).
-5. **Published build**: npm tarball contains **`dist/`** only (ESM + `.d.ts`). **`prepublishOnly`** runs **`bun run build`** (`tsup`).
-## Install
-```bash
-bun add @partrocks/tokenvault
-# or
-npm install @partrocks/tokenvault
-```
-Local development: point your app at this directory with a `file:` dependency.
-## Requirements
-- **`tokenvault`** on `PATH`, or **`TOKENVAULT_BIN`** set to the executable.
-- Optional: **`TOKENVAULT_PASSPHRASE`**, **`TOKENVAULT_SECURE_STORE`** — same semantics as the tokenVault CLI.
-## Quick start
-```ts
-import {
-  createTokenVault,
-  CAPABILITY,
-  builtInProviders,
-} from "@partrocks/tokenvault";
-const tokenVault = createTokenVault({
-  provider: builtInProviders.openai,
-  namespace: "myapp",
-  appLabel: "myapp",
-  defaultModelByCapability: { [CAPABILITY.chat]: "gpt-4o-mini" },
-});
-// Idempotent: resolve first; if missing, interactive bootstrap (TTY) for chat
-const chat = await tokenVault.ensure();
-// VaultResolution: apiKey, modelId, providerId, baseURL?, connectionId?, credentialId?
-tokenVault.useProfile("other");
-const otherChat = await tokenVault.key(CAPABILITY.chat);
-await tokenVault.setCapabilityModel(
-  CAPABILITY.chat,
-  "myapp-openai",
-  "gpt-4o",
-);
-const snapshot = await tokenVault.listProfiles();
-// snapshot.profiles, snapshot.connections, snapshot.credentials, snapshot.providers
-```
-## API
-### `createTokenVault(options)`
-**Options** (summary):
-| Field | Purpose |
-| ----- | ------- |
-| `provider` | e.g. `builtInProviders.openai` |
-| `namespace` | Profile id; connection/credential id becomes `<namespace>-<providerId>` (e.g. `myapp-openai`) |
-| `profileId` + `connectionId` + `credentialId` | Explicit ids instead of `namespace` |
-| `appLabel` | Prefix for stderr messages |
-| `defaultModelByCapability` | Must include the **bootstrap** capability (default `chat`) |
-| `bootstrapCapability` | Capability wired by `ensure()` (default `CAPABILITY.chat`) |
-| `executablePath` | Override binary path |
-| `allowInteractiveBootstrap` | `false` to forbid interactive setup; `true` to force allow even in CI |
-| `logger` | Custom `{ notice, success }` |
-### `TokenVault` instance
-| Method | Behavior |
-| ------ | -------- |
-| `ensure(namespaceOverride?)` | Ensures bootstrap capability is resolvable; runs bootstrap if needed. Optional override uses same id convention for that namespace only. Returns **`VaultResolution`**. |
-| `listProfiles()` | `tokenvault list` as structured data. |
-| `useProfile(profileId)` | Sets active profile for `key()` / `setCapabilityModel`. |
-| `get activeProfileId` | Current active profile id. |
-| `key(capability)` | `resolve <profile> --capability <cap> --with-secret`. |
-| `setCapabilityModel(capability, connectionId, modelId)` | `tokenvault profile select …`. |
-### `CAPABILITY`
-Stable string constants aligned with tokenVault (`chat`, `reasoning`, `embeddings`, `image`, `audio`, `vision`, `tools`). Prefer these over raw strings.
-### Lower-level exports
-- **`builtInProviders`**, **`TokenVaultBootstrapProvider`**
-- **`createVaultCliRunner`**, **`VaultCliRunner`** (testing / custom spawn)
-- **`vaultProcessEnv`**, **`resolveTokenvaultExecutable`**
-- **`parseResolveStdout`**, **`parseVaultListPayload`**
-- Types: **`VaultResolution`**, **`VaultListResult`**, etc.
-## Interactive bootstrap and CI
-`ensure()` may spawn interactive `tokenvault` commands (TTY + stdin). By default interactive bootstrap is **disabled** when **`is-in-ci`** is true or stdin is not a TTY. Set **`allowInteractiveBootstrap: true`** only if you intend to run setup in CI with a fake TTY.
-## Publishing (maintainers)
-From the **tokenVault** repo root:
-```bash
-bun run publish:packages              # patch bump + bun publish
-bun run publish:packages -- minor
-bun run publish:packages -- --dry-run # no version bump
-```
-See `bin/publish-packages.sh` in the parent repository.
-## License
-MIT
+CLI and repository documentation: **[TOKENVAULT.md](../../TOKENVAULT.md)**.

package/TOKENVAULT_BOOTSTRAP.md ADDED Viewed

@@ -0,0 +1,122 @@
+# @partrocks/tokenvault
+TypeScript library for **Node 20+** and **Bun** that drives the **[tokenvault](https://github.com/partrocks/tokenVault)** CLI from your app. It wraps `tokenvault` as a subprocess (`node:child_process`): no in-process vault API.
+Use it to **bootstrap** a profile (credential, connection, attach, model cache, capability selection), **list** vault contents, **resolve secrets** per **capability** (`chat`, `embeddings`, …), and **change the model** for a capability without reimplementing CLI flags.
+## How it works
+1. **Locate** the `tokenvault` binary: `TOKENVAULT_BIN` env, else `PATH`.
+2. **Environment**: merges `TOKENVAULT_SECURE_STORE` defaults by OS (Keychain / Windows / Linux secret service) when unset, same idea as the hand-rolled bootstrap in the tokenVault project.
+3. **JSON vs TTY**: non-interactive steps use `tokenvault --json …` with captured stdout/stderr; interactive steps (e.g. `credential add`) inherit stdio.
+4. **Providers**: pluggable **`TokenVaultBootstrapProvider`** (OpenAI built in as **`builtInProviders.openai`**). You pass one into **`createTokenVault`**. Validation after `resolve` is provider-specific (e.g. OpenAI expects `providerId === "openai"`).
+5. **Published build**: npm tarball contains **`dist/`** only (ESM + `.d.ts`). **`prepublishOnly`** runs **`bun run build`** (`tsup`).
+## Install
+```bash
+bun add @partrocks/tokenvault
+# or
+npm install @partrocks/tokenvault
+```
+Local development: point your app at this directory with a `file:` dependency.
+## Requirements
+- **`tokenvault`** on `PATH`, or **`TOKENVAULT_BIN`** set to the executable.
+- Optional: **`TOKENVAULT_PASSPHRASE`**, **`TOKENVAULT_SECURE_STORE`** — same semantics as the tokenVault CLI.
+## Quick start
+```ts
+import {
+  createTokenVault,
+  CAPABILITY,
+  builtInProviders,
+} from "@partrocks/tokenvault";
+const tokenVault = createTokenVault({
+  provider: builtInProviders.openai,
+  namespace: "myapp",
+  appLabel: "myapp",
+  defaultModelByCapability: { [CAPABILITY.chat]: "gpt-4o-mini" },
+});
+// Idempotent: resolve first; if missing, interactive bootstrap (TTY) for chat
+const chat = await tokenVault.ensure();
+// VaultResolution: apiKey, modelId, providerId, baseURL?, connectionId?, credentialId?
+tokenVault.useProfile("other");
+const otherChat = await tokenVault.key(CAPABILITY.chat);
+await tokenVault.setCapabilityModel(
+  CAPABILITY.chat,
+  "myapp-openai",
+  "gpt-4o",
+);
+const snapshot = await tokenVault.listProfiles();
+// snapshot.profiles, snapshot.connections, snapshot.credentials, snapshot.providers
+```
+## API
+### `createTokenVault(options)`
+**Options** (summary):
+| Field | Purpose |
+| ----- | ------- |
+| `provider` | e.g. `builtInProviders.openai` |
+| `namespace` | Profile id; connection/credential id becomes `<namespace>-<providerId>` (e.g. `myapp-openai`) |
+| `profileId` + `connectionId` + `credentialId` | Explicit ids instead of `namespace` |
+| `appLabel` | Prefix for stderr messages |
+| `defaultModelByCapability` | Must include the **bootstrap** capability (default `chat`) |
+| `bootstrapCapability` | Capability wired by `ensure()` (default `CAPABILITY.chat`) |
+| `executablePath` | Override binary path |
+| `allowInteractiveBootstrap` | `false` to forbid interactive setup; `true` to force allow even in CI |
+| `logger` | Custom `{ notice, success }` |
+### `TokenVault` instance
+| Method | Behavior |
+| ------ | -------- |
+| `ensure(namespaceOverride?)` | Ensures bootstrap capability is resolvable; runs bootstrap if needed. Optional override uses same id convention for that namespace only. Returns **`VaultResolution`**. |
+| `listProfiles()` | `tokenvault list` as structured data. |
+| `useProfile(profileId)` | Sets active profile for `key()` / `setCapabilityModel`. |
+| `get activeProfileId` | Current active profile id. |
+| `key(capability)` | `resolve <profile> --capability <cap> --with-secret`. |
+| `setCapabilityModel(capability, connectionId, modelId)` | `tokenvault profile select …`. |
+### `CAPABILITY`
+Stable string constants aligned with tokenVault (`chat`, `reasoning`, `embeddings`, `image`, `audio`, `vision`, `tools`). Prefer these over raw strings.
+### Lower-level exports
+- **`builtInProviders`**, **`TokenVaultBootstrapProvider`**
+- **`createVaultCliRunner`**, **`VaultCliRunner`** (testing / custom spawn)
+- **`vaultProcessEnv`**, **`resolveTokenvaultExecutable`**
+- **`parseResolveStdout`**, **`parseVaultListPayload`**
+- Types: **`VaultResolution`**, **`VaultListResult`**, etc.
+## Interactive bootstrap and CI
+`ensure()` may spawn interactive `tokenvault` commands (TTY + stdin). By default interactive bootstrap is **disabled** when **`is-in-ci`** is true or stdin is not a TTY. Set **`allowInteractiveBootstrap: true`** only if you intend to run setup in CI with a fake TTY.
+## Publishing (maintainers)
+From the **tokenVault** repo root:
+```bash
+bun run publish:packages              # patch bump + bun publish
+bun run publish:packages -- minor
+bun run publish:packages -- --dry-run # no version bump
+```
+See `bin/publish-packages.sh` in the parent repository.
+## License
+MIT

package/dist/index.js CHANGED Viewed

@@ -56,7 +56,7 @@ function parseResolveStdout(stdout, provider, ctx) {
   const credentialId = typeof resolution.credentialId === "string" ? resolution.credentialId.trim() : void 0;
   if (!apiKey) {
     throw new Error(
-      "`tokenvault resolve` did not return an apiKey. Use a tokenVault build that supports `tokenvault resolve --with-secret` (see tokenVault README)."
+      "`tokenvault resolve` did not return an apiKey. Use a tokenVault build that supports `tokenvault resolve --with-secret` (see TOKENVAULT.md in the tokenVault repository)."
     );
   }
   const out = {
@@ -196,7 +196,7 @@ async function bootstrapVaultProfile(ctx, runner) {
   const { provider, ids, bootstrapCapability, defaultModelId, logger, appLabel } = ctx;
   if (!ctx.allowInteractive) {
     throw new Error(
-      `tokenVault profile "${ids.profileId}" is not usable in this environment. Configure it interactively on a TTY, or run the tokenvault commands from the tokenVault README for profile "${ids.profileId}".`
+      `tokenVault profile "${ids.profileId}" is not usable in this environment. Configure it interactively on a TTY, or run the tokenvault commands documented in TOKENVAULT.md for profile "${ids.profileId}".`
     );
   }
   console.error("");

package/dist/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"sources":["../src/capability.ts","../src/bootstrap.ts","../src/parse.ts","../src/executable.ts","../src/logger.ts","../src/runner.ts","../src/env.ts","../src/facade.ts","../src/provider.ts"],"sourcesContent":["/** Aligned with tokenVault `src/domain/capability.ts` — keep in sync when adding capabilities. /\nexport const CAPABILITY = {\n chat: \"chat\",\n reasoning: \"reasoning\",\n embeddings: \"embeddings\",\n image: \"image\",\n audio: \"audio\",\n vision: \"vision\",\n tools: \"tools\",\n} as const;\n\nexport type Capability = (typeof CAPABILITY)[keyof typeof CAPABILITY];\n\nconst CAP_VALUES: readonly string[] = Object.values(CAPABILITY);\n\nexport function isCapability(s: string): s is Capability {\n return CAP_VALUES.includes(s);\n}\n\nexport function assertCapability(s: string): Capability {\n if (!isCapability(s)) {\n throw new Error(\n `Unknown capability \"${s}\". Expected one of: ${CAP_VALUES.join(\", \")}`,\n );\n }\n return s;\n}\n","import as readline from \"node:readline\";\nimport isInCi from \"is-in-ci\";\nimport type { Capability } from \"./capability.ts\";\nimport { parseResolveStdout, parseVaultListPayload } from \"./parse.ts\";\nimport type { TokenVaultBootstrapProvider } from \"./provider.ts\";\nimport type { VaultCliRunner } from \"./runner.ts\";\nimport type {\n ListPayload,\n Logger,\n VaultListResult,\n VaultResolution,\n} from \"./types.ts\";\n\nexport type BootstrapIds = {\n profileId: string;\n connectionId: string;\n credentialId: string;\n};\n\nexport type BootstrapContext = {\n provider: TokenVaultBootstrapProvider;\n ids: BootstrapIds;\n bootstrapCapability: Capability;\n defaultModelId: string;\n appLabel: string;\n logger: Logger;\n allowInteractive: boolean;\n};\n\nfunction promptLine(question: string): Promise<string> {\n const rl = readline.createInterface({\n input: process.stdin,\n output: process.stderr,\n });\n return new Promise((resolve) => {\n rl.question(question, (answer) => {\n rl.close();\n resolve(answer.trim());\n });\n });\n}\n\nasync function addCredentialInteractive(\n ctx: BootstrapContext,\n runner: VaultCliRunner,\n): Promise<void> {\n const { provider, ids, logger } = ctx;\n const listR = await runner.runJson([\"list\"]);\n const payload =\n listR.code === 0 ? parseVaultListPayload(listR.stdout) : null;\n const picks = payload\n ? provider.listCredentialCopyPicks(payload, ids.profileId)\n : [];\n\n if (picks.length === 0) {\n logger.notice(\n `Adding API key to tokenVault for provider \"${provider.tokenvaultProviderId}\" (hidden input). Follow the tokenVault prompts if any appear.\\n`,\n );\n } else {\n console.error(\"\");\n logger.notice(\n `API key for tokenVault credential \"${ids.credentialId}\" (${provider.tokenvaultProviderId}):`,\n );\n logger.notice(\n \" 1) Enter a new API key (hidden input via tokenvault)\",\n );\n logger.notice(\n \" 2) Copy from another profile → connection → credential (reuse a stored key)\",\n );\n console.error(\"\");\n const raw = await promptLine(\"Choose 1 or 2 [1]: \");\n const mode = raw === \"\" ? \"1\" : raw;\n\n if (mode === \"2\") {\n console.error(\"\");\n for (let i = 0; i < picks.length; i++) {\n const x = picks[i]!;\n logger.notice(\n ` ${i + 1}) profile \"${x.profileId}\" → connection \"${x.connectionId}\" → credential \"${x.credentialId}\"`,\n );\n }\n console.error(\"\");\n const numRaw = await promptLine(\n `Enter 1–${picks.length} (or blank to enter a new key instead): `,\n );\n if (numRaw !== \"\") {\n const n = Number.parseInt(numRaw, 10);\n if (Number.isFinite(n) && n >= 1 && n <= picks.length) {\n const credId = picks[n - 1]!.credentialId;\n const copyR = await runner.runJson([\n \"credential\",\n \"copy\",\n credId,\n ids.credentialId,\n ]);\n if (copyR.code === 0) {\n console.error(\"\");\n return;\n }\n throw new Error(\n copyR.stderr \|\|\n copyR.stdout \|\|\n `tokenvault credential copy failed (exit ${copyR.code})`,\n );\n }\n }\n logger.notice(\"\\nUsing new API key entry.\\n\");\n }\n\n logger.notice(\"Follow the tokenVault prompts (hidden API key).\\n\");\n }\n\n const code = await runner.runInherit([\n \"credential\",\n \"add\",\n provider.tokenvaultProviderId,\n ids.credentialId,\n ]);\n if (code !== 0) {\n throw new Error(`tokenvault credential add failed (exit ${code})`);\n }\n}\n\nasync function profileExists(\n runner: VaultCliRunner,\n profileId: string,\n): Promise<boolean> {\n const r = await runner.runJson([\"list\"]);\n if (r.code !== 0) return false;\n let payload: ListPayload;\n try {\n payload = JSON.parse(r.stdout) as ListPayload;\n } catch {\n return false;\n }\n return Boolean(payload.profiles?.some((p) => p.id === profileId));\n}\n\nasync function credentialExists(\n runner: VaultCliRunner,\n credentialId: string,\n): Promise<boolean> {\n const r = await runner.runJson([\"credential\", \"inspect\", credentialId]);\n return r.code === 0;\n}\n\nasync function connectionExists(\n runner: VaultCliRunner,\n connectionId: string,\n): Promise<boolean> {\n const r = await runner.runJson([\"connection\", \"inspect\", connectionId]);\n return r.code === 0;\n}\n\nasync function tryResolve(\n runner: VaultCliRunner,\n provider: TokenVaultBootstrapProvider,\n profileId: string,\n capability: Capability,\n selectionName?: string,\n): Promise<VaultResolution \| null> {\n const argv = [\n \"resolve\",\n profileId,\n \"--capability\",\n capability,\n \"--with-secret\",\n ];\n const trimmed = selectionName?.trim();\n if (trimmed) {\n argv.push(\"--selection\", trimmed);\n }\n const r = await runner.runJson(argv);\n if (r.code !== 0) return null;\n return parseResolveStdout(r.stdout, provider, {\n profileId,\n capability,\n ...(trimmed ? { selectionName: trimmed } : {}),\n });\n}\n\nasync function bootstrapVaultProfile(\n ctx: BootstrapContext,\n runner: VaultCliRunner,\n): Promise<void> {\n const { provider, ids, bootstrapCapability, defaultModelId, logger, appLabel } =\n ctx;\n\n if (!ctx.allowInteractive) {\n throw new Error(\n `tokenVault profile \"${ids.profileId}\" is not usable in this environment. Configure it interactively on a TTY, or run the tokenvault commands from the tokenVault README for profile \"${ids.profileId}\".`,\n );\n }\n\n console.error(\"\");\n logger.notice(\n `${appLabel}: tokenVault profile \"${ids.profileId}\" is missing or incomplete. Setting up credential \"${ids.credentialId}\" and wiring the profile.`,\n );\n console.error(\"\");\n\n if (!(await profileExists(runner, ids.profileId))) {\n const r = await runner.runJson([\"profile\", \"create\", ids.profileId]);\n if (r.code !== 0) {\n throw new Error(\n r.stderr \|\| r.stdout \|\| `tokenvault profile create failed (exit ${r.code})`,\n );\n }\n }\n\n if (!(await credentialExists(runner, ids.credentialId))) {\n await addCredentialInteractive(ctx, runner);\n }\n\n if (!(await connectionExists(runner, ids.connectionId))) {\n const r = await runner.runJson([\n \"connection\",\n \"add\",\n provider.tokenvaultProviderId,\n ids.connectionId,\n \"--credential\",\n ids.credentialId,\n ]);\n if (r.code !== 0) {\n throw new Error(\n r.stderr \|\|\n r.stdout \|\|\n `tokenvault connection add failed (exit ${r.code})`,\n );\n }\n }\n\n {\n const r = await runner.runJson([\n \"profile\",\n \"attach\",\n ids.profileId,\n ids.connectionId,\n ]);\n if (r.code !== 0) {\n throw new Error(\n r.stderr \|\|\n r.stdout \|\|\n `tokenvault profile attach failed (exit ${r.code})`,\n );\n }\n }\n\n if (provider.refreshModelsAfterBootstrap) {\n logger.notice(\"Refreshing model cache in tokenVault…\\n\");\n const code = await runner.runInherit([\n \"connection\",\n \"refresh-models\",\n ids.connectionId,\n ]);\n if (code !== 0) {\n throw new Error(\n `tokenvault connection refresh-models failed (exit ${code})`,\n );\n }\n }\n\n {\n const r = await runner.runJson([\n \"profile\",\n \"select\",\n ids.profileId,\n bootstrapCapability,\n ids.connectionId,\n defaultModelId,\n ]);\n if (r.code !== 0) {\n throw new Error(\n r.stderr \|\|\n r.stdout \|\|\n `tokenvault profile select failed (exit ${r.code}). Try: tokenvault connection refresh-models ${ids.connectionId}`,\n );\n }\n }\n\n console.error(\"\");\n logger.success(\n `${appLabel}: tokenVault profile \"${ids.profileId}\" is ready.\\n`,\n );\n}\n\nexport function interactiveSetupAllowed(\n allowInteractiveBootstrap?: boolean,\n): boolean {\n if (allowInteractiveBootstrap === false) return false;\n if (allowInteractiveBootstrap === true) return true;\n return Boolean(process.stdin.isTTY) && !isInCi;\n}\n\nexport async function ensureBootstrapCapability(\n runner: VaultCliRunner,\n ctx: BootstrapContext,\n): Promise<VaultResolution> {\n const { provider, ids, bootstrapCapability } = ctx;\n\n let cfg = await tryResolve(\n runner,\n provider,\n ids.profileId,\n bootstrapCapability,\n undefined,\n );\n if (\n !cfg &&\n (await connectionExists(runner, ids.connectionId)) &&\n provider.refreshModelsAfterBootstrap\n ) {\n const code = await runner.runInherit([\n \"connection\",\n \"refresh-models\",\n ids.connectionId,\n ]);\n if (code === 0) {\n cfg = await tryResolve(\n runner,\n provider,\n ids.profileId,\n bootstrapCapability,\n undefined,\n );\n }\n }\n\n if (!cfg) {\n await bootstrapVaultProfile(ctx, runner);\n cfg = await tryResolve(\n runner,\n provider,\n ids.profileId,\n bootstrapCapability,\n undefined,\n );\n }\n\n if (!cfg) {\n throw new Error(\n `Could not resolve tokenVault profile \"${ids.profileId}\" for capability \"${bootstrapCapability}\" after setup. See: tokenvault resolve ${ids.profileId} --capability ${bootstrapCapability} --json`,\n );\n }\n\n return cfg;\n}\n\nexport async function resolveWithSecret(\n runner: VaultCliRunner,\n provider: TokenVaultBootstrapProvider,\n profileId: string,\n capability: Capability,\n selectionName?: string,\n): Promise<VaultResolution> {\n const argv = [\n \"resolve\",\n profileId,\n \"--capability\",\n capability,\n \"--with-secret\",\n ];\n const trimmed = selectionName?.trim();\n if (trimmed) {\n argv.push(\"--selection\", trimmed);\n }\n const r = await runner.runJson(argv);\n if (r.code !== 0) {\n throw new Error(\n r.stderr \|\|\n r.stdout \|\|\n `tokenvault resolve failed (exit ${r.code}) for profile \"${profileId}\" capability \"${capability}\"`,\n );\n }\n return parseResolveStdout(r.stdout, provider, {\n profileId,\n capability,\n ...(trimmed ? { selectionName: trimmed } : {}),\n });\n}\n\nexport async function listVaultSnapshot(\n runner: VaultCliRunner,\n): Promise<VaultListResult> {\n const r = await runner.runJson([\"list\"]);\n if (r.code !== 0) {\n throw new Error(\n r.stderr \|\| r.stdout \|\| `tokenvault list failed (exit ${r.code})`,\n );\n }\n const payload = parseVaultListPayload(r.stdout);\n if (!payload) {\n throw new Error(\"Could not parse JSON from `tokenvault list`.\");\n }\n return {\n providers: payload.providers,\n credentials: payload.credentials ?? [],\n connections: payload.connections ?? [],\n profiles: payload.profiles ?? [],\n };\n}\n\nexport async function selectCapabilityModel(\n runner: VaultCliRunner,\n params: {\n profileId: string;\n capability: Capability;\n connectionId: string;\n modelId: string;\n },\n): Promise<void> {\n const r = await runner.runJson([\n \"profile\",\n \"select\",\n params.profileId,\n params.capability,\n params.connectionId,\n params.modelId,\n ]);\n if (r.code !== 0) {\n throw new Error(\n r.stderr \|\|\n r.stdout \|\|\n `tokenvault profile select failed (exit ${r.code})`,\n );\n }\n}\n","import type { TokenVaultBootstrapProvider } from \"./provider.ts\";\nimport type { ListPayload, VaultResolution, ValidationContext } from \"./types.ts\";\n\nexport function parseVaultListPayload(stdout: string): ListPayload \| null {\n try {\n return JSON.parse(stdout) as ListPayload;\n } catch {\n return null;\n }\n}\n\nexport function parseResolveStdout(\n stdout: string,\n provider: TokenVaultBootstrapProvider,\n ctx: ValidationContext,\n): VaultResolution {\n let data: unknown;\n try {\n data = JSON.parse(stdout);\n } catch {\n throw new Error(\n \"Could not parse JSON from `tokenvault resolve` (unexpected output).\",\n );\n }\n const resolution = (data as { resolution?: Record<string, unknown> })\n .resolution;\n if (!resolution \|\| typeof resolution !== \"object\") {\n throw new Error(\n \"`tokenvault resolve` JSON did not include a resolution object.\",\n );\n }\n const apiKey =\n typeof resolution.apiKey === \"string\" ? resolution.apiKey.trim() : \"\";\n const modelId =\n typeof resolution.modelId === \"string\" ? resolution.modelId.trim() : \"\";\n const providerId =\n typeof resolution.providerId === \"string\"\n ? resolution.providerId.trim()\n : \"\";\n const apiBaseUrl =\n typeof resolution.apiBaseUrl === \"string\" && resolution.apiBaseUrl.trim()\n ? resolution.apiBaseUrl.trim()\n : undefined;\n const connectionId =\n typeof resolution.connectionId === \"string\"\n ? resolution.connectionId.trim()\n : undefined;\n const credentialId =\n typeof resolution.credentialId === \"string\"\n ? resolution.credentialId.trim()\n : undefined;\n\n if (!apiKey) {\n throw new Error(\n \"`tokenvault resolve` did not return an apiKey. Use a tokenVault build that supports `tokenvault resolve --with-secret` (see tokenVault README).\",\n );\n }\n\n const out: VaultResolution = {\n apiKey,\n modelId,\n providerId,\n baseURL: apiBaseUrl,\n connectionId,\n credentialId,\n };\n provider.validateResolution(out, ctx);\n return out;\n}\n","import fs from \"node:fs\";\nimport path from \"node:path\";\n\n/*\n Resolve `tokenvault` on PATH (Windows respects PATHEXT).\n * @throws if not found and no explicit path\n /\nexport function resolveTokenvaultExecutable(explicit?: string): string {\n const trimmed = explicit?.trim();\n if (trimmed) return trimmed;\n const fromEnv = process.env.TOKENVAULT_BIN?.trim();\n if (fromEnv) return fromEnv;\n const found = whichOnPath(\"tokenvault\");\n if (!found) {\n throw new Error(\n \"tokenVault is not available: `tokenvault` was not found on PATH. Install tokenVault and link the CLI, or set TOKENVAULT_BIN to the tokenvault executable.\",\n );\n }\n return found;\n}\n\nfunction whichOnPath(cmd: string): string \| null {\n const isWin = process.platform === \"win32\";\n const paths = process.env.PATH?.split(path.delimiter) ?? [];\n const exts = isWin\n ? process.env.PATHEXT?.split(path.delimiter) ?? [\".EXE\", \".CMD\", \".BAT\", \"\"]\n : [\"\"];\n\n for (const dir of paths) {\n for (const ext of exts) {\n const candidate = path.join(dir, cmd + ext);\n try {\n const st = fs.statSync(candidate);\n if (!st.isFile()) continue;\n if (!isWin) {\n try {\n fs.accessSync(candidate, fs.constants.X_OK);\n } catch {\n continue;\n }\n }\n return candidate;\n } catch {\n / try next /\n }\n }\n }\n return null;\n}\n","import type { Logger } from \"./types.ts\";\n\nfunction stderrColorEnabled(): boolean {\n if (process.env.NO_COLOR) return false;\n if (process.env.TERM === \"dumb\") return false;\n return Boolean(process.stderr.isTTY);\n}\n\nconst ANSI_YELLOW = \"\\x1b[33m\";\nconst ANSI_GREEN = \"\\x1b[32m\";\nconst ANSI_RESET = \"\\x1b[0m\";\n\nexport function createDefaultLogger(): Logger {\n return {\n notice(message: string): void {\n if (stderrColorEnabled())\n console.error(`${ANSI_YELLOW}${message}${ANSI_RESET}`);\n else console.error(message);\n },\n success(message: string): void {\n if (stderrColorEnabled())\n console.error(`${ANSI_GREEN}${message}${ANSI_RESET}`);\n else console.error(message);\n },\n };\n}\n","import { spawn } from \"node:child_process\";\nimport { vaultProcessEnv } from \"./env.ts\";\nimport { resolveTokenvaultExecutable } from \"./executable.ts\";\n\nexport type RunJsonResult = { code: number; stdout: string; stderr: string };\n\nexport type VaultCliRunner = {\n runJson: (args: string[]) => Promise<RunJsonResult>;\n runInherit: (args: string[]) => Promise<number>;\n};\n\nexport function createVaultCliRunner(options: {\n executablePath?: string;\n env?: () => NodeJS.ProcessEnv;\n}): VaultCliRunner {\n const envFactory = options.env ?? vaultProcessEnv;\n\n function executable(): string {\n return resolveTokenvaultExecutable(options.executablePath);\n }\n\n return {\n async runJson(args: string[]): Promise<RunJsonResult> {\n const exe = executable();\n const env = envFactory();\n const stdinMode = process.stdin.isTTY ? \"inherit\" : \"ignore\";\n return await spawnCapture([exe, \"--json\", ...args], env, stdinMode);\n },\n async runInherit(args: string[]): Promise<number> {\n const exe = executable();\n const env = envFactory();\n return await spawnInheritAll([exe, ...args], env);\n },\n };\n}\n\nfunction spawnCapture(\n argv: string[],\n env: NodeJS.ProcessEnv,\n stdinMode: \"inherit\" \| \"ignore\",\n): Promise<RunJsonResult> {\n const [executablePath, ...args] = argv;\n return new Promise((resolve, reject) => {\n const child = spawn(executablePath!, args, {\n env,\n stdio: [stdinMode, \"pipe\", \"pipe\"],\n });\n let stdout = \"\";\n let stderr = \"\";\n child.stdout?.setEncoding(\"utf8\");\n child.stderr?.setEncoding(\"utf8\");\n child.stdout?.on(\"data\", (c: string) => {\n stdout += c;\n });\n child.stderr?.on(\"data\", (c: string) => {\n stderr += c;\n });\n child.on(\"error\", reject);\n child.on(\"close\", (code) => {\n resolve({\n code: code ?? 1,\n stdout: stdout.trimEnd(),\n stderr: stderr.trimEnd(),\n });\n });\n });\n}\n\nfunction spawnInheritAll(\n argv: string[],\n env: NodeJS.ProcessEnv,\n): Promise<number> {\n const [executablePath, ...args] = argv;\n return new Promise((resolve, reject) => {\n const child = spawn(executablePath!, args, { env, stdio: \"inherit\" });\n child.on(\"error\", reject);\n child.on(\"close\", (code) => resolve(code ?? 1));\n });\n}\n","/\n Prefer the OS secure store (Keychain / Secret Service / DPAPI) so tokenVault does not create a\n * passphrase-backed vault. Ignored if the user already has `vault/passphrase-envelope.json` or\n * sets TOKENVAULT_SECURE_STORE themselves.\n /\nexport function vaultProcessEnv(): NodeJS.ProcessEnv {\n const env: NodeJS.ProcessEnv = { ...process.env };\n if (env.TOKENVAULT_SECURE_STORE?.trim()) return env;\n switch (process.platform) {\n case \"darwin\":\n env.TOKENVAULT_SECURE_STORE = \"macos-keychain\";\n break;\n case \"win32\":\n env.TOKENVAULT_SECURE_STORE = \"windows\";\n break;\n case \"linux\":\n env.TOKENVAULT_SECURE_STORE = \"linux-secret-service\";\n break;\n default:\n break;\n }\n return env;\n}\n","import {\n assertCapability,\n CAPABILITY,\n type Capability,\n} from \"./capability.ts\";\nimport {\n ensureBootstrapCapability,\n interactiveSetupAllowed,\n listVaultSnapshot,\n resolveWithSecret,\n selectCapabilityModel,\n type BootstrapContext,\n type BootstrapIds,\n} from \"./bootstrap.ts\";\nimport { resolveTokenvaultExecutable } from \"./executable.ts\";\nimport { createDefaultLogger } from \"./logger.ts\";\nimport type { TokenVaultBootstrapProvider } from \"./provider.ts\";\nimport {\n createVaultCliRunner,\n type VaultCliRunner,\n} from \"./runner.ts\";\nimport type { Logger, VaultListResult, VaultResolution } from \"./types.ts\";\n\nexport type CreateTokenVaultOptions = {\n provider: TokenVaultBootstrapProvider;\n appLabel: string;\n /* Default model per capability; must include entry for `bootstrapCapability` /\n defaultModelByCapability: Partial<Record<Capability, string>>;\n /* Capability wired by `ensure()` (default: chat) /\n bootstrapCapability?: Capability;\n executablePath?: string;\n allowInteractiveBootstrap?: boolean;\n logger?: Logger;\n /* @internal Inject for tests /\n runner?: VaultCliRunner;\n} & (\n \| { namespace: string }\n \| {\n profileId: string;\n connectionId: string;\n credentialId: string;\n }\n);\n\nexport type TokenVault = {\n /* Bootstrap `bootstrapCapability` for the given profile triple; optional one-off namespace convention. /\n ensure: (namespaceOverride?: string) => Promise<VaultResolution>;\n listProfiles: () => Promise<VaultListResult>;\n /* Profile used by `key()` and `setCapabilityModel` (default: bootstrap profile). /\n useProfile: (profileId: string) => void;\n get activeProfileId(): string;\n key: (\n capability: Capability \| string,\n options?: { selection?: string },\n ) => Promise<VaultResolution>;\n setCapabilityModel: (\n capability: Capability \| string,\n connectionId: string,\n modelId: string,\n ) => Promise<void>;\n};\n\nfunction idsFromNamespace(\n ns: string,\n provider: TokenVaultBootstrapProvider,\n): BootstrapIds {\n const artifact = `${ns}-${provider.tokenvaultProviderId}`;\n return { profileId: ns, connectionId: artifact, credentialId: artifact };\n}\n\nfunction resolveBootstrapIds(\n options: CreateTokenVaultOptions,\n): BootstrapIds {\n if (\"namespace\" in options) {\n return idsFromNamespace(options.namespace, options.provider);\n }\n return {\n profileId: options.profileId,\n connectionId: options.connectionId,\n credentialId: options.credentialId,\n };\n}\n\nexport function createTokenVault(\n options: CreateTokenVaultOptions,\n): TokenVault {\n const provider = options.provider;\n const bootstrapCapability =\n options.bootstrapCapability ?? CAPABILITY.chat;\n const defaultModelRaw =\n options.defaultModelByCapability[bootstrapCapability]?.trim();\n if (!defaultModelRaw) {\n throw new Error(\n `createTokenVault: defaultModelByCapability must include a default model for bootstrap capability \"${bootstrapCapability}\"`,\n );\n }\n const defaultModelId: string = defaultModelRaw;\n\n if (!options.runner) {\n resolveTokenvaultExecutable(options.executablePath);\n }\n\n const runner =\n options.runner ??\n createVaultCliRunner({ executablePath: options.executablePath });\n\n const bootstrapIds = resolveBootstrapIds(options);\n let resolveProfileId = bootstrapIds.profileId;\n\n const logger = options.logger ?? createDefaultLogger();\n const allowInteractive = interactiveSetupAllowed(\n options.allowInteractiveBootstrap,\n );\n\n function buildContext(ids: BootstrapIds): BootstrapContext {\n return {\n provider,\n ids,\n bootstrapCapability,\n defaultModelId,\n appLabel: options.appLabel,\n logger,\n allowInteractive,\n };\n }\n\n return {\n async ensure(namespaceOverride?: string): Promise<VaultResolution> {\n const trimmed = namespaceOverride?.trim();\n const ids = trimmed\n ? idsFromNamespace(trimmed, provider)\n : bootstrapIds;\n return await ensureBootstrapCapability(\n runner,\n buildContext(ids),\n );\n },\n\n async listProfiles(): Promise<VaultListResult> {\n return await listVaultSnapshot(runner);\n },\n\n useProfile(profileId: string): void {\n resolveProfileId = profileId;\n },\n\n get activeProfileId(): string {\n return resolveProfileId;\n },\n\n async key(\n capability: Capability \| string,\n options?: { selection?: string },\n ): Promise<VaultResolution> {\n const cap = typeof capability === \"string\" ? assertCapability(capability) : capability;\n return await resolveWithSecret(\n runner,\n provider,\n resolveProfileId,\n cap,\n options?.selection,\n );\n },\n\n async setCapabilityModel(\n capability: Capability \| string,\n connectionId: string,\n modelId: string,\n ): Promise<void> {\n const cap =\n typeof capability === \"string\" ? assertCapability(capability) : capability;\n await selectCapabilityModel(runner, {\n profileId: resolveProfileId,\n capability: cap,\n connectionId,\n modelId,\n });\n },\n };\n}\n","import type {\n CredentialCopyPick,\n ListPayload,\n VaultResolution,\n ValidationContext,\n} from \"./types.ts\";\n\nexport type TokenVaultBootstrapProvider = {\n /* tokenVault adapter id (e.g. `openai`) /\n readonly tokenvaultProviderId: string;\n /* After parse, enforce provider / model rules /\n validateResolution(\n resolution: VaultResolution,\n ctx: ValidationContext,\n ): void;\n /* Connections on other profiles eligible for credential copy during bootstrap /\n listCredentialCopyPicks(\n payload: ListPayload,\n excludeProfileId: string,\n ): CredentialCopyPick[];\n /* Run `connection refresh-models` after wiring (model-capable providers) */\n readonly refreshModelsAfterBootstrap: boolean;\n};\n\nfunction openAiCopyPicks(\n payload: ListPayload,\n excludeProfileId: string,\n): CredentialCopyPick[] {\n const profiles = payload.profiles ?? [];\n const connections = payload.connections ?? [];\n const byConnId = new Map(connections.map((c) => [c.id, c]));\n const seenCred = new Set<string>();\n const out: CredentialCopyPick[] = [];\n for (const p of profiles) {\n if (p.id === excludeProfileId) continue;\n for (const connId of p.attachedConnectionIds ?? []) {\n const c = byConnId.get(connId);\n if (!c \|\| c.providerId !== \"openai\") continue;\n if (seenCred.has(c.credentialId)) continue;\n seenCred.add(c.credentialId);\n out.push({\n profileId: p.id,\n connectionId: c.id,\n credentialId: c.credentialId,\n });\n }\n }\n return out;\n}\n\nconst openAiProvider: TokenVaultBootstrapProvider = {\n tokenvaultProviderId: \"openai\",\n refreshModelsAfterBootstrap: true,\n listCredentialCopyPicks: openAiCopyPicks,\n validateResolution(resolution: VaultResolution, ctx: ValidationContext): void {\n if (resolution.providerId !== \"openai\") {\n throw new Error(\n `tokenVault profile \"${ctx.profileId}\" must select an OpenAI connection for capability \"${ctx.capability}\" (got provider \"${resolution.providerId}\").`,\n );\n }\n if (!resolution.modelId) {\n throw new Error(\n `tokenVault profile \"${ctx.profileId}\" has no model selected for capability \"${ctx.capability}\". Run: tokenvault profile select ${ctx.profileId} ${ctx.capability} <connection> <model>`,\n );\n }\n },\n};\n\nexport const builtInProviders = {\n openai: openAiProvider,\n} as const;\n"],"mappings":";AACO,IAAM,aAAa;AAAA,EACxB,MAAM;AAAA,EACN,WAAW;AAAA,EACX,YAAY;AAAA,EACZ,OAAO;AAAA,EACP,OAAO;AAAA,EACP,QAAQ;AAAA,EACR,OAAO;AACT;AAIA,IAAM,aAAgC,OAAO,OAAO,UAAU;AAEvD,SAAS,aAAa,GAA4B;AACvD,SAAO,WAAW,SAAS,CAAC;AAC9B;AAEO,SAAS,iBAAiB,GAAuB;AACtD,MAAI,CAAC,aAAa,CAAC,GAAG;AACpB,UAAM,IAAI;AAAA,MACR,uBAAuB,CAAC,uBAAuB,WAAW,KAAK,IAAI,CAAC;AAAA,IACtE;AAAA,EACF;AACA,SAAO;AACT;;;AC1BA,YAAY,cAAc;AAC1B,OAAO,YAAY;;;ACEZ,SAAS,sBAAsB,QAAoC;AACxE,MAAI;AACF,WAAO,KAAK,MAAM,MAAM;AAAA,EAC1B,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEO,SAAS,mBACd,QACA,UACA,KACiB;AACjB,MAAI;AACJ,MAAI;AACF,WAAO,KAAK,MAAM,MAAM;AAAA,EAC1B,QAAQ;AACN,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AACA,QAAM,aAAc,KACjB;AACH,MAAI,CAAC,cAAc,OAAO,eAAe,UAAU;AACjD,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AACA,QAAM,SACJ,OAAO,WAAW,WAAW,WAAW,WAAW,OAAO,KAAK,IAAI;AACrE,QAAM,UACJ,OAAO,WAAW,YAAY,WAAW,WAAW,QAAQ,KAAK,IAAI;AACvE,QAAM,aACJ,OAAO,WAAW,eAAe,WAC7B,WAAW,WAAW,KAAK,IAC3B;AACN,QAAM,aACJ,OAAO,WAAW,eAAe,YAAY,WAAW,WAAW,KAAK,IACpE,WAAW,WAAW,KAAK,IAC3B;AACN,QAAM,eACJ,OAAO,WAAW,iBAAiB,WAC/B,WAAW,aAAa,KAAK,IAC7B;AACN,QAAM,eACJ,OAAO,WAAW,iBAAiB,WAC/B,WAAW,aAAa,KAAK,IAC7B;AAEN,MAAI,CAAC,QAAQ;AACX,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AAEA,QAAM,MAAuB;AAAA,IAC3B;AAAA,IACA;AAAA,IACA;AAAA,IACA,SAAS;AAAA,IACT;AAAA,IACA;AAAA,EACF;AACA,WAAS,mBAAmB,KAAK,GAAG;AACpC,SAAO;AACT;;;ADvCA,SAAS,WAAW,UAAmC;AACrD,QAAM,KAAc,yBAAgB;AAAA,IAClC,OAAO,QAAQ;AAAA,IACf,QAAQ,QAAQ;AAAA,EAClB,CAAC;AACD,SAAO,IAAI,QAAQ,CAAC,YAAY;AAC9B,OAAG,SAAS,UAAU,CAAC,WAAW;AAChC,SAAG,MAAM;AACT,cAAQ,OAAO,KAAK,CAAC;AAAA,IACvB,CAAC;AAAA,EACH,CAAC;AACH;AAEA,eAAe,yBACb,KACA,QACe;AACf,QAAM,EAAE,UAAU,KAAK,OAAO,IAAI;AAClC,QAAM,QAAQ,MAAM,OAAO,QAAQ,CAAC,MAAM,CAAC;AAC3C,QAAM,UACJ,MAAM,SAAS,IAAI,sBAAsB,MAAM,MAAM,IAAI;AAC3D,QAAM,QAAQ,UACV,SAAS,wBAAwB,SAAS,IAAI,SAAS,IACvD,CAAC;AAEL,MAAI,MAAM,WAAW,GAAG;AACtB,WAAO;AAAA,MACL,8CAA8C,SAAS,oBAAoB;AAAA;AAAA,IAC7E;AAAA,EACF,OAAO;AACL,YAAQ,MAAM,EAAE;AAChB,WAAO;AAAA,MACL,sCAAsC,IAAI,YAAY,MAAM,SAAS,oBAAoB;AAAA,IAC3F;AACA,WAAO;AAAA,MACL;AAAA,IACF;AACA,WAAO;AAAA,MACL;AAAA,IACF;AACA,YAAQ,MAAM,EAAE;AAChB,UAAM,MAAM,MAAM,WAAW,qBAAqB;AAClD,UAAM,OAAO,QAAQ,KAAK,MAAM;AAEhC,QAAI,SAAS,KAAK;AAChB,cAAQ,MAAM,EAAE;AAChB,eAAS,IAAI,GAAG,IAAI,MAAM,QAAQ,KAAK;AACrC,cAAM,IAAI,MAAM,CAAC;AACjB,eAAO;AAAA,UACL,KAAK,IAAI,CAAC,cAAc,EAAE,SAAS,wBAAmB,EAAE,YAAY,wBAAmB,EAAE,YAAY;AAAA,QACvG;AAAA,MACF;AACA,cAAQ,MAAM,EAAE;AAChB,YAAM,SAAS,MAAM;AAAA,QACnB,gBAAW,MAAM,MAAM;AAAA,MACzB;AACA,UAAI,WAAW,IAAI;AACjB,cAAM,IAAI,OAAO,SAAS,QAAQ,EAAE;AACpC,YAAI,OAAO,SAAS,CAAC,KAAK,KAAK,KAAK,KAAK,MAAM,QAAQ;AACrD,gBAAM,SAAS,MAAM,IAAI,CAAC,EAAG;AAC7B,gBAAM,QAAQ,MAAM,OAAO,QAAQ;AAAA,YACjC;AAAA,YACA;AAAA,YACA;AAAA,YACA,IAAI;AAAA,UACN,CAAC;AACD,cAAI,MAAM,SAAS,GAAG;AACpB,oBAAQ,MAAM,EAAE;AAChB;AAAA,UACF;AACA,gBAAM,IAAI;AAAA,YACR,MAAM,UACJ,MAAM,UACN,2CAA2C,MAAM,IAAI;AAAA,UACzD;AAAA,QACF;AAAA,MACF;AACA,aAAO,OAAO,8BAA8B;AAAA,IAC9C;AAEA,WAAO,OAAO,mDAAmD;AAAA,EACnE;AAEA,QAAM,OAAO,MAAM,OAAO,WAAW;AAAA,IACnC;AAAA,IACA;AAAA,IACA,SAAS;AAAA,IACT,IAAI;AAAA,EACN,CAAC;AACD,MAAI,SAAS,GAAG;AACd,UAAM,IAAI,MAAM,0CAA0C,IAAI,GAAG;AAAA,EACnE;AACF;AAEA,eAAe,cACb,QACA,WACkB;AAClB,QAAM,IAAI,MAAM,OAAO,QAAQ,CAAC,MAAM,CAAC;AACvC,MAAI,EAAE,SAAS,EAAG,QAAO;AACzB,MAAI;AACJ,MAAI;AACF,cAAU,KAAK,MAAM,EAAE,MAAM;AAAA,EAC/B,QAAQ;AACN,WAAO;AAAA,EACT;AACA,SAAO,QAAQ,QAAQ,UAAU,KAAK,CAAC,MAAM,EAAE,OAAO,SAAS,CAAC;AAClE;AAEA,eAAe,iBACb,QACA,cACkB;AAClB,QAAM,IAAI,MAAM,OAAO,QAAQ,CAAC,cAAc,WAAW,YAAY,CAAC;AACtE,SAAO,EAAE,SAAS;AACpB;AAEA,eAAe,iBACb,QACA,cACkB;AAClB,QAAM,IAAI,MAAM,OAAO,QAAQ,CAAC,cAAc,WAAW,YAAY,CAAC;AACtE,SAAO,EAAE,SAAS;AACpB;AAEA,eAAe,WACb,QACA,UACA,WACA,YACA,eACiC;AACjC,QAAM,OAAO;AAAA,IACX;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACA,QAAM,UAAU,eAAe,KAAK;AACpC,MAAI,SAAS;AACX,SAAK,KAAK,eAAe,OAAO;AAAA,EAClC;AACA,QAAM,IAAI,MAAM,OAAO,QAAQ,IAAI;AACnC,MAAI,EAAE,SAAS,EAAG,QAAO;AACzB,SAAO,mBAAmB,EAAE,QAAQ,UAAU;AAAA,IAC5C;AAAA,IACA;AAAA,IACA,GAAI,UAAU,EAAE,eAAe,QAAQ,IAAI,CAAC;AAAA,EAC9C,CAAC;AACH;AAEA,eAAe,sBACb,KACA,QACe;AACf,QAAM,EAAE,UAAU,KAAK,qBAAqB,gBAAgB,QAAQ,SAAS,IAC3E;AAEF,MAAI,CAAC,IAAI,kBAAkB;AACzB,UAAM,IAAI;AAAA,MACR,uBAAuB,IAAI,SAAS,oJAAoJ,IAAI,SAAS;AAAA,IACvM;AAAA,EACF;AAEA,UAAQ,MAAM,EAAE;AAChB,SAAO;AAAA,IACL,GAAG,QAAQ,yBAAyB,IAAI,SAAS,sDAAsD,IAAI,YAAY;AAAA,EACzH;AACA,UAAQ,MAAM,EAAE;AAEhB,MAAI,CAAE,MAAM,cAAc,QAAQ,IAAI,SAAS,GAAI;AACjD,UAAM,IAAI,MAAM,OAAO,QAAQ,CAAC,WAAW,UAAU,IAAI,SAAS,CAAC;AACnE,QAAI,EAAE,SAAS,GAAG;AAChB,YAAM,IAAI;AAAA,QACR,EAAE,UAAU,EAAE,UAAU,0CAA0C,EAAE,IAAI;AAAA,MAC1E;AAAA,IACF;AAAA,EACF;AAEA,MAAI,CAAE,MAAM,iBAAiB,QAAQ,IAAI,YAAY,GAAI;AACvD,UAAM,yBAAyB,KAAK,MAAM;AAAA,EAC5C;AAEA,MAAI,CAAE,MAAM,iBAAiB,QAAQ,IAAI,YAAY,GAAI;AACvD,UAAM,IAAI,MAAM,OAAO,QAAQ;AAAA,MAC7B;AAAA,MACA;AAAA,MACA,SAAS;AAAA,MACT,IAAI;AAAA,MACJ;AAAA,MACA,IAAI;AAAA,IACN,CAAC;AACD,QAAI,EAAE,SAAS,GAAG;AAChB,YAAM,IAAI;AAAA,QACR,EAAE,UACA,EAAE,UACF,0CAA0C,EAAE,IAAI;AAAA,MACpD;AAAA,IACF;AAAA,EACF;AAEA;AACE,UAAM,IAAI,MAAM,OAAO,QAAQ;AAAA,MAC7B;AAAA,MACA;AAAA,MACA,IAAI;AAAA,MACJ,IAAI;AAAA,IACN,CAAC;AACD,QAAI,EAAE,SAAS,GAAG;AAChB,YAAM,IAAI;AAAA,QACR,EAAE,UACA,EAAE,UACF,0CAA0C,EAAE,IAAI;AAAA,MACpD;AAAA,IACF;AAAA,EACF;AAEA,MAAI,SAAS,6BAA6B;AACxC,WAAO,OAAO,8CAAyC;AACvD,UAAM,OAAO,MAAM,OAAO,WAAW;AAAA,MACnC;AAAA,MACA;AAAA,MACA,IAAI;AAAA,IACN,CAAC;AACD,QAAI,SAAS,GAAG;AACd,YAAM,IAAI;AAAA,QACR,qDAAqD,IAAI;AAAA,MAC3D;AAAA,IACF;AAAA,EACF;AAEA;AACE,UAAM,IAAI,MAAM,OAAO,QAAQ;AAAA,MAC7B;AAAA,MACA;AAAA,MACA,IAAI;AAAA,MACJ;AAAA,MACA,IAAI;AAAA,MACJ;AAAA,IACF,CAAC;AACD,QAAI,EAAE,SAAS,GAAG;AAChB,YAAM,IAAI;AAAA,QACR,EAAE,UACA,EAAE,UACF,0CAA0C,EAAE,IAAI,gDAAgD,IAAI,YAAY;AAAA,MACpH;AAAA,IACF;AAAA,EACF;AAEA,UAAQ,MAAM,EAAE;AAChB,SAAO;AAAA,IACL,GAAG,QAAQ,yBAAyB,IAAI,SAAS;AAAA;AAAA,EACnD;AACF;AAEO,SAAS,wBACd,2BACS;AACT,MAAI,8BAA8B,MAAO,QAAO;AAChD,MAAI,8BAA8B,KAAM,QAAO;AAC/C,SAAO,QAAQ,QAAQ,MAAM,KAAK,KAAK,CAAC;AAC1C;AAEA,eAAsB,0BACpB,QACA,KAC0B;AAC1B,QAAM,EAAE,UAAU,KAAK,oBAAoB,IAAI;AAE/C,MAAI,MAAM,MAAM;AAAA,IACd;AAAA,IACA;AAAA,IACA,IAAI;AAAA,IACJ;AAAA,IACA;AAAA,EACF;AACA,MACE,CAAC,OACA,MAAM,iBAAiB,QAAQ,IAAI,YAAY,KAChD,SAAS,6BACT;AACA,UAAM,OAAO,MAAM,OAAO,WAAW;AAAA,MACnC;AAAA,MACA;AAAA,MACA,IAAI;AAAA,IACN,CAAC;AACD,QAAI,SAAS,GAAG;AACd,YAAM,MAAM;AAAA,QACV;AAAA,QACA;AAAA,QACA,IAAI;AAAA,QACJ;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAEA,MAAI,CAAC,KAAK;AACR,UAAM,sBAAsB,KAAK,MAAM;AACvC,UAAM,MAAM;AAAA,MACV;AAAA,MACA;AAAA,MACA,IAAI;AAAA,MACJ;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAEA,MAAI,CAAC,KAAK;AACR,UAAM,IAAI;AAAA,MACR,yCAAyC,IAAI,SAAS,qBAAqB,mBAAmB,0CAA0C,IAAI,SAAS,iBAAiB,mBAAmB;AAAA,IAC3L;AAAA,EACF;AAEA,SAAO;AACT;AAEA,eAAsB,kBACpB,QACA,UACA,WACA,YACA,eAC0B;AAC1B,QAAM,OAAO;AAAA,IACX;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACA,QAAM,UAAU,eAAe,KAAK;AACpC,MAAI,SAAS;AACX,SAAK,KAAK,eAAe,OAAO;AAAA,EAClC;AACA,QAAM,IAAI,MAAM,OAAO,QAAQ,IAAI;AACnC,MAAI,EAAE,SAAS,GAAG;AAChB,UAAM,IAAI;AAAA,MACR,EAAE,UACA,EAAE,UACF,mCAAmC,EAAE,IAAI,kBAAkB,SAAS,iBAAiB,UAAU;AAAA,IACnG;AAAA,EACF;AACA,SAAO,mBAAmB,EAAE,QAAQ,UAAU;AAAA,IAC5C;AAAA,IACA;AAAA,IACA,GAAI,UAAU,EAAE,eAAe,QAAQ,IAAI,CAAC;AAAA,EAC9C,CAAC;AACH;AAEA,eAAsB,kBACpB,QAC0B;AAC1B,QAAM,IAAI,MAAM,OAAO,QAAQ,CAAC,MAAM,CAAC;AACvC,MAAI,EAAE,SAAS,GAAG;AAChB,UAAM,IAAI;AAAA,MACR,EAAE,UAAU,EAAE,UAAU,gCAAgC,EAAE,IAAI;AAAA,IAChE;AAAA,EACF;AACA,QAAM,UAAU,sBAAsB,EAAE,MAAM;AAC9C,MAAI,CAAC,SAAS;AACZ,UAAM,IAAI,MAAM,8CAA8C;AAAA,EAChE;AACA,SAAO;AAAA,IACL,WAAW,QAAQ;AAAA,IACnB,aAAa,QAAQ,eAAe,CAAC;AAAA,IACrC,aAAa,QAAQ,eAAe,CAAC;AAAA,IACrC,UAAU,QAAQ,YAAY,CAAC;AAAA,EACjC;AACF;AAEA,eAAsB,sBACpB,QACA,QAMe;AACf,QAAM,IAAI,MAAM,OAAO,QAAQ;AAAA,IAC7B;AAAA,IACA;AAAA,IACA,OAAO;AAAA,IACP,OAAO;AAAA,IACP,OAAO;AAAA,IACP,OAAO;AAAA,EACT,CAAC;AACD,MAAI,EAAE,SAAS,GAAG;AAChB,UAAM,IAAI;AAAA,MACR,EAAE,UACA,EAAE,UACF,0CAA0C,EAAE,IAAI;AAAA,IACpD;AAAA,EACF;AACF;;;AEzaA,OAAO,QAAQ;AACf,OAAO,UAAU;AAMV,SAAS,4BAA4B,UAA2B;AACrE,QAAM,UAAU,UAAU,KAAK;AAC/B,MAAI,QAAS,QAAO;AACpB,QAAM,UAAU,QAAQ,IAAI,gBAAgB,KAAK;AACjD,MAAI,QAAS,QAAO;AACpB,QAAM,QAAQ,YAAY,YAAY;AACtC,MAAI,CAAC,OAAO;AACV,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AACA,SAAO;AACT;AAEA,SAAS,YAAY,KAA4B;AAC/C,QAAM,QAAQ,QAAQ,aAAa;AACnC,QAAM,QAAQ,QAAQ,IAAI,MAAM,MAAM,KAAK,SAAS,KAAK,CAAC;AAC1D,QAAM,OAAO,QACT,QAAQ,IAAI,SAAS,MAAM,KAAK,SAAS,KAAK,CAAC,QAAQ,QAAQ,QAAQ,EAAE,IACzE,CAAC,EAAE;AAEP,aAAW,OAAO,OAAO;AACvB,eAAW,OAAO,MAAM;AACtB,YAAM,YAAY,KAAK,KAAK,KAAK,MAAM,GAAG;AAC1C,UAAI;AACF,cAAM,KAAK,GAAG,SAAS,SAAS;AAChC,YAAI,CAAC,GAAG,OAAO,EAAG;AAClB,YAAI,CAAC,OAAO;AACV,cAAI;AACF,eAAG,WAAW,WAAW,GAAG,UAAU,IAAI;AAAA,UAC5C,QAAQ;AACN;AAAA,UACF;AAAA,QACF;AACA,eAAO;AAAA,MACT,QAAQ;AAAA,MAER;AAAA,IACF;AAAA,EACF;AACA,SAAO;AACT;;;AC9CA,SAAS,qBAA8B;AACrC,MAAI,QAAQ,IAAI,SAAU,QAAO;AACjC,MAAI,QAAQ,IAAI,SAAS,OAAQ,QAAO;AACxC,SAAO,QAAQ,QAAQ,OAAO,KAAK;AACrC;AAEA,IAAM,cAAc;AACpB,IAAM,aAAa;AACnB,IAAM,aAAa;AAEZ,SAAS,sBAA8B;AAC5C,SAAO;AAAA,IACL,OAAO,SAAuB;AAC5B,UAAI,mBAAmB;AACrB,gBAAQ,MAAM,GAAG,WAAW,GAAG,OAAO,GAAG,UAAU,EAAE;AAAA,UAClD,SAAQ,MAAM,OAAO;AAAA,IAC5B;AAAA,IACA,QAAQ,SAAuB;AAC7B,UAAI,mBAAmB;AACrB,gBAAQ,MAAM,GAAG,UAAU,GAAG,OAAO,GAAG,UAAU,EAAE;AAAA,UACjD,SAAQ,MAAM,OAAO;AAAA,IAC5B;AAAA,EACF;AACF;;;ACzBA,SAAS,aAAa;;;ACKf,SAAS,kBAAqC;AACnD,QAAM,MAAyB,EAAE,GAAG,QAAQ,IAAI;AAChD,MAAI,IAAI,yBAAyB,KAAK,EAAG,QAAO;AAChD,UAAQ,QAAQ,UAAU;AAAA,IACxB,KAAK;AACH,UAAI,0BAA0B;AAC9B;AAAA,IACF,KAAK;AACH,UAAI,0BAA0B;AAC9B;AAAA,IACF,KAAK;AACH,UAAI,0BAA0B;AAC9B;AAAA,IACF;AACE;AAAA,EACJ;AACA,SAAO;AACT;;;ADXO,SAAS,qBAAqB,SAGlB;AACjB,QAAM,aAAa,QAAQ,OAAO;AAElC,WAAS,aAAqB;AAC5B,WAAO,4BAA4B,QAAQ,cAAc;AAAA,EAC3D;AAEA,SAAO;AAAA,IACL,MAAM,QAAQ,MAAwC;AACpD,YAAM,MAAM,WAAW;AACvB,YAAM,MAAM,WAAW;AACvB,YAAM,YAAY,QAAQ,MAAM,QAAQ,YAAY;AACpD,aAAO,MAAM,aAAa,CAAC,KAAK,UAAU,GAAG,IAAI,GAAG,KAAK,SAAS;AAAA,IACpE;AAAA,IACA,MAAM,WAAW,MAAiC;AAChD,YAAM,MAAM,WAAW;AACvB,YAAM,MAAM,WAAW;AACvB,aAAO,MAAM,gBAAgB,CAAC,KAAK,GAAG,IAAI,GAAG,GAAG;AAAA,IAClD;AAAA,EACF;AACF;AAEA,SAAS,aACP,MACA,KACA,WACwB;AACxB,QAAM,CAAC,gBAAgB,GAAG,IAAI,IAAI;AAClC,SAAO,IAAI,QAAQ,CAAC,SAAS,WAAW;AACtC,UAAM,QAAQ,MAAM,gBAAiB,MAAM;AAAA,MACzC;AAAA,MACA,OAAO,CAAC,WAAW,QAAQ,MAAM;AAAA,IACnC,CAAC;AACD,QAAI,SAAS;AACb,QAAI,SAAS;AACb,UAAM,QAAQ,YAAY,MAAM;AAChC,UAAM,QAAQ,YAAY,MAAM;AAChC,UAAM,QAAQ,GAAG,QAAQ,CAAC,MAAc;AACtC,gBAAU;AAAA,IACZ,CAAC;AACD,UAAM,QAAQ,GAAG,QAAQ,CAAC,MAAc;AACtC,gBAAU;AAAA,IACZ,CAAC;AACD,UAAM,GAAG,SAAS,MAAM;AACxB,UAAM,GAAG,SAAS,CAAC,SAAS;AAC1B,cAAQ;AAAA,QACN,MAAM,QAAQ;AAAA,QACd,QAAQ,OAAO,QAAQ;AAAA,QACvB,QAAQ,OAAO,QAAQ;AAAA,MACzB,CAAC;AAAA,IACH,CAAC;AAAA,EACH,CAAC;AACH;AAEA,SAAS,gBACP,MACA,KACiB;AACjB,QAAM,CAAC,gBAAgB,GAAG,IAAI,IAAI;AAClC,SAAO,IAAI,QAAQ,CAAC,SAAS,WAAW;AACtC,UAAM,QAAQ,MAAM,gBAAiB,MAAM,EAAE,KAAK,OAAO,UAAU,CAAC;AACpE,UAAM,GAAG,SAAS,MAAM;AACxB,UAAM,GAAG,SAAS,CAAC,SAAS,QAAQ,QAAQ,CAAC,CAAC;AAAA,EAChD,CAAC;AACH;;;AEhBA,SAAS,iBACP,IACA,UACc;AACd,QAAM,WAAW,GAAG,EAAE,IAAI,SAAS,oBAAoB;AACvD,SAAO,EAAE,WAAW,IAAI,cAAc,UAAU,cAAc,SAAS;AACzE;AAEA,SAAS,oBACP,SACc;AACd,MAAI,eAAe,SAAS;AAC1B,WAAO,iBAAiB,QAAQ,WAAW,QAAQ,QAAQ;AAAA,EAC7D;AACA,SAAO;AAAA,IACL,WAAW,QAAQ;AAAA,IACnB,cAAc,QAAQ;AAAA,IACtB,cAAc,QAAQ;AAAA,EACxB;AACF;AAEO,SAAS,iBACd,SACY;AACZ,QAAM,WAAW,QAAQ;AACzB,QAAM,sBACJ,QAAQ,uBAAuB,WAAW;AAC5C,QAAM,kBACJ,QAAQ,yBAAyB,mBAAmB,GAAG,KAAK;AAC9D,MAAI,CAAC,iBAAiB;AACpB,UAAM,IAAI;AAAA,MACR,qGAAqG,mBAAmB;AAAA,IAC1H;AAAA,EACF;AACA,QAAM,iBAAyB;AAE/B,MAAI,CAAC,QAAQ,QAAQ;AACnB,gCAA4B,QAAQ,cAAc;AAAA,EACpD;AAEA,QAAM,SACJ,QAAQ,UACR,qBAAqB,EAAE,gBAAgB,QAAQ,eAAe,CAAC;AAEjE,QAAM,eAAe,oBAAoB,OAAO;AAChD,MAAI,mBAAmB,aAAa;AAEpC,QAAM,SAAS,QAAQ,UAAU,oBAAoB;AACrD,QAAM,mBAAmB;AAAA,IACvB,QAAQ;AAAA,EACV;AAEA,WAAS,aAAa,KAAqC;AACzD,WAAO;AAAA,MACL;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA,UAAU,QAAQ;AAAA,MAClB;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AAAA,IACL,MAAM,OAAO,mBAAsD;AACjE,YAAM,UAAU,mBAAmB,KAAK;AACxC,YAAM,MAAM,UACR,iBAAiB,SAAS,QAAQ,IAClC;AACJ,aAAO,MAAM;AAAA,QACX;AAAA,QACA,aAAa,GAAG;AAAA,MAClB;AAAA,IACF;AAAA,IAEA,MAAM,eAAyC;AAC7C,aAAO,MAAM,kBAAkB,MAAM;AAAA,IACvC;AAAA,IAEA,WAAW,WAAyB;AAClC,yBAAmB;AAAA,IACrB;AAAA,IAEA,IAAI,kBAA0B;AAC5B,aAAO;AAAA,IACT;AAAA,IAEA,MAAM,IACJ,YACAA,UAC0B;AAC1B,YAAM,MAAM,OAAO,eAAe,WAAW,iBAAiB,UAAU,IAAI;AAC5E,aAAO,MAAM;AAAA,QACX;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACAA,UAAS;AAAA,MACX;AAAA,IACF;AAAA,IAEA,MAAM,mBACJ,YACA,cACA,SACe;AACf,YAAM,MACJ,OAAO,eAAe,WAAW,iBAAiB,UAAU,IAAI;AAClE,YAAM,sBAAsB,QAAQ;AAAA,QAClC,WAAW;AAAA,QACX,YAAY;AAAA,QACZ;AAAA,QACA;AAAA,MACF,CAAC;AAAA,IACH;AAAA,EACF;AACF;;;AC3JA,SAAS,gBACP,SACA,kBACsB;AACtB,QAAM,WAAW,QAAQ,YAAY,CAAC;AACtC,QAAM,cAAc,QAAQ,eAAe,CAAC;AAC5C,QAAM,WAAW,IAAI,IAAI,YAAY,IAAI,CAAC,MAAM,CAAC,EAAE,IAAI,CAAC,CAAC,CAAC;AAC1D,QAAM,WAAW,oBAAI,IAAY;AACjC,QAAM,MAA4B,CAAC;AACnC,aAAW,KAAK,UAAU;AACxB,QAAI,EAAE,OAAO,iBAAkB;AAC/B,eAAW,UAAU,EAAE,yBAAyB,CAAC,GAAG;AAClD,YAAM,IAAI,SAAS,IAAI,MAAM;AAC7B,UAAI,CAAC,KAAK,EAAE,eAAe,SAAU;AACrC,UAAI,SAAS,IAAI,EAAE,YAAY,EAAG;AAClC,eAAS,IAAI,EAAE,YAAY;AAC3B,UAAI,KAAK;AAAA,QACP,WAAW,EAAE;AAAA,QACb,cAAc,EAAE;AAAA,QAChB,cAAc,EAAE;AAAA,MAClB,CAAC;AAAA,IACH;AAAA,EACF;AACA,SAAO;AACT;AAEA,IAAM,iBAA8C;AAAA,EAClD,sBAAsB;AAAA,EACtB,6BAA6B;AAAA,EAC7B,yBAAyB;AAAA,EACzB,mBAAmB,YAA6B,KAA8B;AAC5E,QAAI,WAAW,eAAe,UAAU;AACtC,YAAM,IAAI;AAAA,QACR,uBAAuB,IAAI,SAAS,sDAAsD,IAAI,UAAU,oBAAoB,WAAW,UAAU;AAAA,MACnJ;AAAA,IACF;AACA,QAAI,CAAC,WAAW,SAAS;AACvB,YAAM,IAAI;AAAA,QACR,uBAAuB,IAAI,SAAS,2CAA2C,IAAI,UAAU,qCAAqC,IAAI,SAAS,IAAI,IAAI,UAAU;AAAA,MACnK;AAAA,IACF;AAAA,EACF;AACF;AAEO,IAAM,mBAAmB;AAAA,EAC9B,QAAQ;AACV;","names":["options"]}
1	+ {"version":3,"sources":["../src/capability.ts","../src/bootstrap.ts","../src/parse.ts","../src/executable.ts","../src/logger.ts","../src/runner.ts","../src/env.ts","../src/facade.ts","../src/provider.ts"],"sourcesContent":["/** Aligned with tokenVault `src/domain/capability.ts` — keep in sync when adding capabilities. /\nexport const CAPABILITY = {\n chat: \"chat\",\n reasoning: \"reasoning\",\n embeddings: \"embeddings\",\n image: \"image\",\n audio: \"audio\",\n vision: \"vision\",\n tools: \"tools\",\n} as const;\n\nexport type Capability = (typeof CAPABILITY)[keyof typeof CAPABILITY];\n\nconst CAP_VALUES: readonly string[] = Object.values(CAPABILITY);\n\nexport function isCapability(s: string): s is Capability {\n return CAP_VALUES.includes(s);\n}\n\nexport function assertCapability(s: string): Capability {\n if (!isCapability(s)) {\n throw new Error(\n `Unknown capability \"${s}\". Expected one of: ${CAP_VALUES.join(\", \")}`,\n );\n }\n return s;\n}\n","import as readline from \"node:readline\";\nimport isInCi from \"is-in-ci\";\nimport type { Capability } from \"./capability.ts\";\nimport { parseResolveStdout, parseVaultListPayload } from \"./parse.ts\";\nimport type { TokenVaultBootstrapProvider } from \"./provider.ts\";\nimport type { VaultCliRunner } from \"./runner.ts\";\nimport type {\n ListPayload,\n Logger,\n VaultListResult,\n VaultResolution,\n} from \"./types.ts\";\n\nexport type BootstrapIds = {\n profileId: string;\n connectionId: string;\n credentialId: string;\n};\n\nexport type BootstrapContext = {\n provider: TokenVaultBootstrapProvider;\n ids: BootstrapIds;\n bootstrapCapability: Capability;\n defaultModelId: string;\n appLabel: string;\n logger: Logger;\n allowInteractive: boolean;\n};\n\nfunction promptLine(question: string): Promise<string> {\n const rl = readline.createInterface({\n input: process.stdin,\n output: process.stderr,\n });\n return new Promise((resolve) => {\n rl.question(question, (answer) => {\n rl.close();\n resolve(answer.trim());\n });\n });\n}\n\nasync function addCredentialInteractive(\n ctx: BootstrapContext,\n runner: VaultCliRunner,\n): Promise<void> {\n const { provider, ids, logger } = ctx;\n const listR = await runner.runJson([\"list\"]);\n const payload =\n listR.code === 0 ? parseVaultListPayload(listR.stdout) : null;\n const picks = payload\n ? provider.listCredentialCopyPicks(payload, ids.profileId)\n : [];\n\n if (picks.length === 0) {\n logger.notice(\n `Adding API key to tokenVault for provider \"${provider.tokenvaultProviderId}\" (hidden input). Follow the tokenVault prompts if any appear.\\n`,\n );\n } else {\n console.error(\"\");\n logger.notice(\n `API key for tokenVault credential \"${ids.credentialId}\" (${provider.tokenvaultProviderId}):`,\n );\n logger.notice(\n \" 1) Enter a new API key (hidden input via tokenvault)\",\n );\n logger.notice(\n \" 2) Copy from another profile → connection → credential (reuse a stored key)\",\n );\n console.error(\"\");\n const raw = await promptLine(\"Choose 1 or 2 [1]: \");\n const mode = raw === \"\" ? \"1\" : raw;\n\n if (mode === \"2\") {\n console.error(\"\");\n for (let i = 0; i < picks.length; i++) {\n const x = picks[i]!;\n logger.notice(\n ` ${i + 1}) profile \"${x.profileId}\" → connection \"${x.connectionId}\" → credential \"${x.credentialId}\"`,\n );\n }\n console.error(\"\");\n const numRaw = await promptLine(\n `Enter 1–${picks.length} (or blank to enter a new key instead): `,\n );\n if (numRaw !== \"\") {\n const n = Number.parseInt(numRaw, 10);\n if (Number.isFinite(n) && n >= 1 && n <= picks.length) {\n const credId = picks[n - 1]!.credentialId;\n const copyR = await runner.runJson([\n \"credential\",\n \"copy\",\n credId,\n ids.credentialId,\n ]);\n if (copyR.code === 0) {\n console.error(\"\");\n return;\n }\n throw new Error(\n copyR.stderr \|\|\n copyR.stdout \|\|\n `tokenvault credential copy failed (exit ${copyR.code})`,\n );\n }\n }\n logger.notice(\"\\nUsing new API key entry.\\n\");\n }\n\n logger.notice(\"Follow the tokenVault prompts (hidden API key).\\n\");\n }\n\n const code = await runner.runInherit([\n \"credential\",\n \"add\",\n provider.tokenvaultProviderId,\n ids.credentialId,\n ]);\n if (code !== 0) {\n throw new Error(`tokenvault credential add failed (exit ${code})`);\n }\n}\n\nasync function profileExists(\n runner: VaultCliRunner,\n profileId: string,\n): Promise<boolean> {\n const r = await runner.runJson([\"list\"]);\n if (r.code !== 0) return false;\n let payload: ListPayload;\n try {\n payload = JSON.parse(r.stdout) as ListPayload;\n } catch {\n return false;\n }\n return Boolean(payload.profiles?.some((p) => p.id === profileId));\n}\n\nasync function credentialExists(\n runner: VaultCliRunner,\n credentialId: string,\n): Promise<boolean> {\n const r = await runner.runJson([\"credential\", \"inspect\", credentialId]);\n return r.code === 0;\n}\n\nasync function connectionExists(\n runner: VaultCliRunner,\n connectionId: string,\n): Promise<boolean> {\n const r = await runner.runJson([\"connection\", \"inspect\", connectionId]);\n return r.code === 0;\n}\n\nasync function tryResolve(\n runner: VaultCliRunner,\n provider: TokenVaultBootstrapProvider,\n profileId: string,\n capability: Capability,\n selectionName?: string,\n): Promise<VaultResolution \| null> {\n const argv = [\n \"resolve\",\n profileId,\n \"--capability\",\n capability,\n \"--with-secret\",\n ];\n const trimmed = selectionName?.trim();\n if (trimmed) {\n argv.push(\"--selection\", trimmed);\n }\n const r = await runner.runJson(argv);\n if (r.code !== 0) return null;\n return parseResolveStdout(r.stdout, provider, {\n profileId,\n capability,\n ...(trimmed ? { selectionName: trimmed } : {}),\n });\n}\n\nasync function bootstrapVaultProfile(\n ctx: BootstrapContext,\n runner: VaultCliRunner,\n): Promise<void> {\n const { provider, ids, bootstrapCapability, defaultModelId, logger, appLabel } =\n ctx;\n\n if (!ctx.allowInteractive) {\n throw new Error(\n `tokenVault profile \"${ids.profileId}\" is not usable in this environment. Configure it interactively on a TTY, or run the tokenvault commands documented in TOKENVAULT.md for profile \"${ids.profileId}\".`,\n );\n }\n\n console.error(\"\");\n logger.notice(\n `${appLabel}: tokenVault profile \"${ids.profileId}\" is missing or incomplete. Setting up credential \"${ids.credentialId}\" and wiring the profile.`,\n );\n console.error(\"\");\n\n if (!(await profileExists(runner, ids.profileId))) {\n const r = await runner.runJson([\"profile\", \"create\", ids.profileId]);\n if (r.code !== 0) {\n throw new Error(\n r.stderr \|\| r.stdout \|\| `tokenvault profile create failed (exit ${r.code})`,\n );\n }\n }\n\n if (!(await credentialExists(runner, ids.credentialId))) {\n await addCredentialInteractive(ctx, runner);\n }\n\n if (!(await connectionExists(runner, ids.connectionId))) {\n const r = await runner.runJson([\n \"connection\",\n \"add\",\n provider.tokenvaultProviderId,\n ids.connectionId,\n \"--credential\",\n ids.credentialId,\n ]);\n if (r.code !== 0) {\n throw new Error(\n r.stderr \|\|\n r.stdout \|\|\n `tokenvault connection add failed (exit ${r.code})`,\n );\n }\n }\n\n {\n const r = await runner.runJson([\n \"profile\",\n \"attach\",\n ids.profileId,\n ids.connectionId,\n ]);\n if (r.code !== 0) {\n throw new Error(\n r.stderr \|\|\n r.stdout \|\|\n `tokenvault profile attach failed (exit ${r.code})`,\n );\n }\n }\n\n if (provider.refreshModelsAfterBootstrap) {\n logger.notice(\"Refreshing model cache in tokenVault…\\n\");\n const code = await runner.runInherit([\n \"connection\",\n \"refresh-models\",\n ids.connectionId,\n ]);\n if (code !== 0) {\n throw new Error(\n `tokenvault connection refresh-models failed (exit ${code})`,\n );\n }\n }\n\n {\n const r = await runner.runJson([\n \"profile\",\n \"select\",\n ids.profileId,\n bootstrapCapability,\n ids.connectionId,\n defaultModelId,\n ]);\n if (r.code !== 0) {\n throw new Error(\n r.stderr \|\|\n r.stdout \|\|\n `tokenvault profile select failed (exit ${r.code}). Try: tokenvault connection refresh-models ${ids.connectionId}`,\n );\n }\n }\n\n console.error(\"\");\n logger.success(\n `${appLabel}: tokenVault profile \"${ids.profileId}\" is ready.\\n`,\n );\n}\n\nexport function interactiveSetupAllowed(\n allowInteractiveBootstrap?: boolean,\n): boolean {\n if (allowInteractiveBootstrap === false) return false;\n if (allowInteractiveBootstrap === true) return true;\n return Boolean(process.stdin.isTTY) && !isInCi;\n}\n\nexport async function ensureBootstrapCapability(\n runner: VaultCliRunner,\n ctx: BootstrapContext,\n): Promise<VaultResolution> {\n const { provider, ids, bootstrapCapability } = ctx;\n\n let cfg = await tryResolve(\n runner,\n provider,\n ids.profileId,\n bootstrapCapability,\n undefined,\n );\n if (\n !cfg &&\n (await connectionExists(runner, ids.connectionId)) &&\n provider.refreshModelsAfterBootstrap\n ) {\n const code = await runner.runInherit([\n \"connection\",\n \"refresh-models\",\n ids.connectionId,\n ]);\n if (code === 0) {\n cfg = await tryResolve(\n runner,\n provider,\n ids.profileId,\n bootstrapCapability,\n undefined,\n );\n }\n }\n\n if (!cfg) {\n await bootstrapVaultProfile(ctx, runner);\n cfg = await tryResolve(\n runner,\n provider,\n ids.profileId,\n bootstrapCapability,\n undefined,\n );\n }\n\n if (!cfg) {\n throw new Error(\n `Could not resolve tokenVault profile \"${ids.profileId}\" for capability \"${bootstrapCapability}\" after setup. See: tokenvault resolve ${ids.profileId} --capability ${bootstrapCapability} --json`,\n );\n }\n\n return cfg;\n}\n\nexport async function resolveWithSecret(\n runner: VaultCliRunner,\n provider: TokenVaultBootstrapProvider,\n profileId: string,\n capability: Capability,\n selectionName?: string,\n): Promise<VaultResolution> {\n const argv = [\n \"resolve\",\n profileId,\n \"--capability\",\n capability,\n \"--with-secret\",\n ];\n const trimmed = selectionName?.trim();\n if (trimmed) {\n argv.push(\"--selection\", trimmed);\n }\n const r = await runner.runJson(argv);\n if (r.code !== 0) {\n throw new Error(\n r.stderr \|\|\n r.stdout \|\|\n `tokenvault resolve failed (exit ${r.code}) for profile \"${profileId}\" capability \"${capability}\"`,\n );\n }\n return parseResolveStdout(r.stdout, provider, {\n profileId,\n capability,\n ...(trimmed ? { selectionName: trimmed } : {}),\n });\n}\n\nexport async function listVaultSnapshot(\n runner: VaultCliRunner,\n): Promise<VaultListResult> {\n const r = await runner.runJson([\"list\"]);\n if (r.code !== 0) {\n throw new Error(\n r.stderr \|\| r.stdout \|\| `tokenvault list failed (exit ${r.code})`,\n );\n }\n const payload = parseVaultListPayload(r.stdout);\n if (!payload) {\n throw new Error(\"Could not parse JSON from `tokenvault list`.\");\n }\n return {\n providers: payload.providers,\n credentials: payload.credentials ?? [],\n connections: payload.connections ?? [],\n profiles: payload.profiles ?? [],\n };\n}\n\nexport async function selectCapabilityModel(\n runner: VaultCliRunner,\n params: {\n profileId: string;\n capability: Capability;\n connectionId: string;\n modelId: string;\n },\n): Promise<void> {\n const r = await runner.runJson([\n \"profile\",\n \"select\",\n params.profileId,\n params.capability,\n params.connectionId,\n params.modelId,\n ]);\n if (r.code !== 0) {\n throw new Error(\n r.stderr \|\|\n r.stdout \|\|\n `tokenvault profile select failed (exit ${r.code})`,\n );\n }\n}\n","import type { TokenVaultBootstrapProvider } from \"./provider.ts\";\nimport type { ListPayload, VaultResolution, ValidationContext } from \"./types.ts\";\n\nexport function parseVaultListPayload(stdout: string): ListPayload \| null {\n try {\n return JSON.parse(stdout) as ListPayload;\n } catch {\n return null;\n }\n}\n\nexport function parseResolveStdout(\n stdout: string,\n provider: TokenVaultBootstrapProvider,\n ctx: ValidationContext,\n): VaultResolution {\n let data: unknown;\n try {\n data = JSON.parse(stdout);\n } catch {\n throw new Error(\n \"Could not parse JSON from `tokenvault resolve` (unexpected output).\",\n );\n }\n const resolution = (data as { resolution?: Record<string, unknown> })\n .resolution;\n if (!resolution \|\| typeof resolution !== \"object\") {\n throw new Error(\n \"`tokenvault resolve` JSON did not include a resolution object.\",\n );\n }\n const apiKey =\n typeof resolution.apiKey === \"string\" ? resolution.apiKey.trim() : \"\";\n const modelId =\n typeof resolution.modelId === \"string\" ? resolution.modelId.trim() : \"\";\n const providerId =\n typeof resolution.providerId === \"string\"\n ? resolution.providerId.trim()\n : \"\";\n const apiBaseUrl =\n typeof resolution.apiBaseUrl === \"string\" && resolution.apiBaseUrl.trim()\n ? resolution.apiBaseUrl.trim()\n : undefined;\n const connectionId =\n typeof resolution.connectionId === \"string\"\n ? resolution.connectionId.trim()\n : undefined;\n const credentialId =\n typeof resolution.credentialId === \"string\"\n ? resolution.credentialId.trim()\n : undefined;\n\n if (!apiKey) {\n throw new Error(\n \"`tokenvault resolve` did not return an apiKey. Use a tokenVault build that supports `tokenvault resolve --with-secret` (see TOKENVAULT.md in the tokenVault repository).\",\n );\n }\n\n const out: VaultResolution = {\n apiKey,\n modelId,\n providerId,\n baseURL: apiBaseUrl,\n connectionId,\n credentialId,\n };\n provider.validateResolution(out, ctx);\n return out;\n}\n","import fs from \"node:fs\";\nimport path from \"node:path\";\n\n/*\n Resolve `tokenvault` on PATH (Windows respects PATHEXT).\n * @throws if not found and no explicit path\n /\nexport function resolveTokenvaultExecutable(explicit?: string): string {\n const trimmed = explicit?.trim();\n if (trimmed) return trimmed;\n const fromEnv = process.env.TOKENVAULT_BIN?.trim();\n if (fromEnv) return fromEnv;\n const found = whichOnPath(\"tokenvault\");\n if (!found) {\n throw new Error(\n \"tokenVault is not available: `tokenvault` was not found on PATH. Install tokenVault and link the CLI, or set TOKENVAULT_BIN to the tokenvault executable.\",\n );\n }\n return found;\n}\n\nfunction whichOnPath(cmd: string): string \| null {\n const isWin = process.platform === \"win32\";\n const paths = process.env.PATH?.split(path.delimiter) ?? [];\n const exts = isWin\n ? process.env.PATHEXT?.split(path.delimiter) ?? [\".EXE\", \".CMD\", \".BAT\", \"\"]\n : [\"\"];\n\n for (const dir of paths) {\n for (const ext of exts) {\n const candidate = path.join(dir, cmd + ext);\n try {\n const st = fs.statSync(candidate);\n if (!st.isFile()) continue;\n if (!isWin) {\n try {\n fs.accessSync(candidate, fs.constants.X_OK);\n } catch {\n continue;\n }\n }\n return candidate;\n } catch {\n / try next /\n }\n }\n }\n return null;\n}\n","import type { Logger } from \"./types.ts\";\n\nfunction stderrColorEnabled(): boolean {\n if (process.env.NO_COLOR) return false;\n if (process.env.TERM === \"dumb\") return false;\n return Boolean(process.stderr.isTTY);\n}\n\nconst ANSI_YELLOW = \"\\x1b[33m\";\nconst ANSI_GREEN = \"\\x1b[32m\";\nconst ANSI_RESET = \"\\x1b[0m\";\n\nexport function createDefaultLogger(): Logger {\n return {\n notice(message: string): void {\n if (stderrColorEnabled())\n console.error(`${ANSI_YELLOW}${message}${ANSI_RESET}`);\n else console.error(message);\n },\n success(message: string): void {\n if (stderrColorEnabled())\n console.error(`${ANSI_GREEN}${message}${ANSI_RESET}`);\n else console.error(message);\n },\n };\n}\n","import { spawn } from \"node:child_process\";\nimport { vaultProcessEnv } from \"./env.ts\";\nimport { resolveTokenvaultExecutable } from \"./executable.ts\";\n\nexport type RunJsonResult = { code: number; stdout: string; stderr: string };\n\nexport type VaultCliRunner = {\n runJson: (args: string[]) => Promise<RunJsonResult>;\n runInherit: (args: string[]) => Promise<number>;\n};\n\nexport function createVaultCliRunner(options: {\n executablePath?: string;\n env?: () => NodeJS.ProcessEnv;\n}): VaultCliRunner {\n const envFactory = options.env ?? vaultProcessEnv;\n\n function executable(): string {\n return resolveTokenvaultExecutable(options.executablePath);\n }\n\n return {\n async runJson(args: string[]): Promise<RunJsonResult> {\n const exe = executable();\n const env = envFactory();\n const stdinMode = process.stdin.isTTY ? \"inherit\" : \"ignore\";\n return await spawnCapture([exe, \"--json\", ...args], env, stdinMode);\n },\n async runInherit(args: string[]): Promise<number> {\n const exe = executable();\n const env = envFactory();\n return await spawnInheritAll([exe, ...args], env);\n },\n };\n}\n\nfunction spawnCapture(\n argv: string[],\n env: NodeJS.ProcessEnv,\n stdinMode: \"inherit\" \| \"ignore\",\n): Promise<RunJsonResult> {\n const [executablePath, ...args] = argv;\n return new Promise((resolve, reject) => {\n const child = spawn(executablePath!, args, {\n env,\n stdio: [stdinMode, \"pipe\", \"pipe\"],\n });\n let stdout = \"\";\n let stderr = \"\";\n child.stdout?.setEncoding(\"utf8\");\n child.stderr?.setEncoding(\"utf8\");\n child.stdout?.on(\"data\", (c: string) => {\n stdout += c;\n });\n child.stderr?.on(\"data\", (c: string) => {\n stderr += c;\n });\n child.on(\"error\", reject);\n child.on(\"close\", (code) => {\n resolve({\n code: code ?? 1,\n stdout: stdout.trimEnd(),\n stderr: stderr.trimEnd(),\n });\n });\n });\n}\n\nfunction spawnInheritAll(\n argv: string[],\n env: NodeJS.ProcessEnv,\n): Promise<number> {\n const [executablePath, ...args] = argv;\n return new Promise((resolve, reject) => {\n const child = spawn(executablePath!, args, { env, stdio: \"inherit\" });\n child.on(\"error\", reject);\n child.on(\"close\", (code) => resolve(code ?? 1));\n });\n}\n","/\n Prefer the OS secure store (Keychain / Secret Service / DPAPI) so tokenVault does not create a\n * passphrase-backed vault. Ignored if the user already has `vault/passphrase-envelope.json` or\n * sets TOKENVAULT_SECURE_STORE themselves.\n /\nexport function vaultProcessEnv(): NodeJS.ProcessEnv {\n const env: NodeJS.ProcessEnv = { ...process.env };\n if (env.TOKENVAULT_SECURE_STORE?.trim()) return env;\n switch (process.platform) {\n case \"darwin\":\n env.TOKENVAULT_SECURE_STORE = \"macos-keychain\";\n break;\n case \"win32\":\n env.TOKENVAULT_SECURE_STORE = \"windows\";\n break;\n case \"linux\":\n env.TOKENVAULT_SECURE_STORE = \"linux-secret-service\";\n break;\n default:\n break;\n }\n return env;\n}\n","import {\n assertCapability,\n CAPABILITY,\n type Capability,\n} from \"./capability.ts\";\nimport {\n ensureBootstrapCapability,\n interactiveSetupAllowed,\n listVaultSnapshot,\n resolveWithSecret,\n selectCapabilityModel,\n type BootstrapContext,\n type BootstrapIds,\n} from \"./bootstrap.ts\";\nimport { resolveTokenvaultExecutable } from \"./executable.ts\";\nimport { createDefaultLogger } from \"./logger.ts\";\nimport type { TokenVaultBootstrapProvider } from \"./provider.ts\";\nimport {\n createVaultCliRunner,\n type VaultCliRunner,\n} from \"./runner.ts\";\nimport type { Logger, VaultListResult, VaultResolution } from \"./types.ts\";\n\nexport type CreateTokenVaultOptions = {\n provider: TokenVaultBootstrapProvider;\n appLabel: string;\n /* Default model per capability; must include entry for `bootstrapCapability` /\n defaultModelByCapability: Partial<Record<Capability, string>>;\n /* Capability wired by `ensure()` (default: chat) /\n bootstrapCapability?: Capability;\n executablePath?: string;\n allowInteractiveBootstrap?: boolean;\n logger?: Logger;\n /* @internal Inject for tests /\n runner?: VaultCliRunner;\n} & (\n \| { namespace: string }\n \| {\n profileId: string;\n connectionId: string;\n credentialId: string;\n }\n);\n\nexport type TokenVault = {\n /* Bootstrap `bootstrapCapability` for the given profile triple; optional one-off namespace convention. /\n ensure: (namespaceOverride?: string) => Promise<VaultResolution>;\n listProfiles: () => Promise<VaultListResult>;\n /* Profile used by `key()` and `setCapabilityModel` (default: bootstrap profile). /\n useProfile: (profileId: string) => void;\n get activeProfileId(): string;\n key: (\n capability: Capability \| string,\n options?: { selection?: string },\n ) => Promise<VaultResolution>;\n setCapabilityModel: (\n capability: Capability \| string,\n connectionId: string,\n modelId: string,\n ) => Promise<void>;\n};\n\nfunction idsFromNamespace(\n ns: string,\n provider: TokenVaultBootstrapProvider,\n): BootstrapIds {\n const artifact = `${ns}-${provider.tokenvaultProviderId}`;\n return { profileId: ns, connectionId: artifact, credentialId: artifact };\n}\n\nfunction resolveBootstrapIds(\n options: CreateTokenVaultOptions,\n): BootstrapIds {\n if (\"namespace\" in options) {\n return idsFromNamespace(options.namespace, options.provider);\n }\n return {\n profileId: options.profileId,\n connectionId: options.connectionId,\n credentialId: options.credentialId,\n };\n}\n\nexport function createTokenVault(\n options: CreateTokenVaultOptions,\n): TokenVault {\n const provider = options.provider;\n const bootstrapCapability =\n options.bootstrapCapability ?? CAPABILITY.chat;\n const defaultModelRaw =\n options.defaultModelByCapability[bootstrapCapability]?.trim();\n if (!defaultModelRaw) {\n throw new Error(\n `createTokenVault: defaultModelByCapability must include a default model for bootstrap capability \"${bootstrapCapability}\"`,\n );\n }\n const defaultModelId: string = defaultModelRaw;\n\n if (!options.runner) {\n resolveTokenvaultExecutable(options.executablePath);\n }\n\n const runner =\n options.runner ??\n createVaultCliRunner({ executablePath: options.executablePath });\n\n const bootstrapIds = resolveBootstrapIds(options);\n let resolveProfileId = bootstrapIds.profileId;\n\n const logger = options.logger ?? createDefaultLogger();\n const allowInteractive = interactiveSetupAllowed(\n options.allowInteractiveBootstrap,\n );\n\n function buildContext(ids: BootstrapIds): BootstrapContext {\n return {\n provider,\n ids,\n bootstrapCapability,\n defaultModelId,\n appLabel: options.appLabel,\n logger,\n allowInteractive,\n };\n }\n\n return {\n async ensure(namespaceOverride?: string): Promise<VaultResolution> {\n const trimmed = namespaceOverride?.trim();\n const ids = trimmed\n ? idsFromNamespace(trimmed, provider)\n : bootstrapIds;\n return await ensureBootstrapCapability(\n runner,\n buildContext(ids),\n );\n },\n\n async listProfiles(): Promise<VaultListResult> {\n return await listVaultSnapshot(runner);\n },\n\n useProfile(profileId: string): void {\n resolveProfileId = profileId;\n },\n\n get activeProfileId(): string {\n return resolveProfileId;\n },\n\n async key(\n capability: Capability \| string,\n options?: { selection?: string },\n ): Promise<VaultResolution> {\n const cap = typeof capability === \"string\" ? assertCapability(capability) : capability;\n return await resolveWithSecret(\n runner,\n provider,\n resolveProfileId,\n cap,\n options?.selection,\n );\n },\n\n async setCapabilityModel(\n capability: Capability \| string,\n connectionId: string,\n modelId: string,\n ): Promise<void> {\n const cap =\n typeof capability === \"string\" ? assertCapability(capability) : capability;\n await selectCapabilityModel(runner, {\n profileId: resolveProfileId,\n capability: cap,\n connectionId,\n modelId,\n });\n },\n };\n}\n","import type {\n CredentialCopyPick,\n ListPayload,\n VaultResolution,\n ValidationContext,\n} from \"./types.ts\";\n\nexport type TokenVaultBootstrapProvider = {\n /* tokenVault adapter id (e.g. `openai`) /\n readonly tokenvaultProviderId: string;\n /* After parse, enforce provider / model rules /\n validateResolution(\n resolution: VaultResolution,\n ctx: ValidationContext,\n ): void;\n /* Connections on other profiles eligible for credential copy during bootstrap /\n listCredentialCopyPicks(\n payload: ListPayload,\n excludeProfileId: string,\n ): CredentialCopyPick[];\n /* Run `connection refresh-models` after wiring (model-capable providers) */\n readonly refreshModelsAfterBootstrap: boolean;\n};\n\nfunction openAiCopyPicks(\n payload: ListPayload,\n excludeProfileId: string,\n): CredentialCopyPick[] {\n const profiles = payload.profiles ?? [];\n const connections = payload.connections ?? [];\n const byConnId = new Map(connections.map((c) => [c.id, c]));\n const seenCred = new Set<string>();\n const out: CredentialCopyPick[] = [];\n for (const p of profiles) {\n if (p.id === excludeProfileId) continue;\n for (const connId of p.attachedConnectionIds ?? []) {\n const c = byConnId.get(connId);\n if (!c \|\| c.providerId !== \"openai\") continue;\n if (seenCred.has(c.credentialId)) continue;\n seenCred.add(c.credentialId);\n out.push({\n profileId: p.id,\n connectionId: c.id,\n credentialId: c.credentialId,\n });\n }\n }\n return out;\n}\n\nconst openAiProvider: TokenVaultBootstrapProvider = {\n tokenvaultProviderId: \"openai\",\n refreshModelsAfterBootstrap: true,\n listCredentialCopyPicks: openAiCopyPicks,\n validateResolution(resolution: VaultResolution, ctx: ValidationContext): void {\n if (resolution.providerId !== \"openai\") {\n throw new Error(\n `tokenVault profile \"${ctx.profileId}\" must select an OpenAI connection for capability \"${ctx.capability}\" (got provider \"${resolution.providerId}\").`,\n );\n }\n if (!resolution.modelId) {\n throw new Error(\n `tokenVault profile \"${ctx.profileId}\" has no model selected for capability \"${ctx.capability}\". Run: tokenvault profile select ${ctx.profileId} ${ctx.capability} <connection> <model>`,\n );\n }\n },\n};\n\nexport const builtInProviders = {\n openai: openAiProvider,\n} as const;\n"],"mappings":";AACO,IAAM,aAAa;AAAA,EACxB,MAAM;AAAA,EACN,WAAW;AAAA,EACX,YAAY;AAAA,EACZ,OAAO;AAAA,EACP,OAAO;AAAA,EACP,QAAQ;AAAA,EACR,OAAO;AACT;AAIA,IAAM,aAAgC,OAAO,OAAO,UAAU;AAEvD,SAAS,aAAa,GAA4B;AACvD,SAAO,WAAW,SAAS,CAAC;AAC9B;AAEO,SAAS,iBAAiB,GAAuB;AACtD,MAAI,CAAC,aAAa,CAAC,GAAG;AACpB,UAAM,IAAI;AAAA,MACR,uBAAuB,CAAC,uBAAuB,WAAW,KAAK,IAAI,CAAC;AAAA,IACtE;AAAA,EACF;AACA,SAAO;AACT;;;AC1BA,YAAY,cAAc;AAC1B,OAAO,YAAY;;;ACEZ,SAAS,sBAAsB,QAAoC;AACxE,MAAI;AACF,WAAO,KAAK,MAAM,MAAM;AAAA,EAC1B,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEO,SAAS,mBACd,QACA,UACA,KACiB;AACjB,MAAI;AACJ,MAAI;AACF,WAAO,KAAK,MAAM,MAAM;AAAA,EAC1B,QAAQ;AACN,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AACA,QAAM,aAAc,KACjB;AACH,MAAI,CAAC,cAAc,OAAO,eAAe,UAAU;AACjD,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AACA,QAAM,SACJ,OAAO,WAAW,WAAW,WAAW,WAAW,OAAO,KAAK,IAAI;AACrE,QAAM,UACJ,OAAO,WAAW,YAAY,WAAW,WAAW,QAAQ,KAAK,IAAI;AACvE,QAAM,aACJ,OAAO,WAAW,eAAe,WAC7B,WAAW,WAAW,KAAK,IAC3B;AACN,QAAM,aACJ,OAAO,WAAW,eAAe,YAAY,WAAW,WAAW,KAAK,IACpE,WAAW,WAAW,KAAK,IAC3B;AACN,QAAM,eACJ,OAAO,WAAW,iBAAiB,WAC/B,WAAW,aAAa,KAAK,IAC7B;AACN,QAAM,eACJ,OAAO,WAAW,iBAAiB,WAC/B,WAAW,aAAa,KAAK,IAC7B;AAEN,MAAI,CAAC,QAAQ;AACX,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AAEA,QAAM,MAAuB;AAAA,IAC3B;AAAA,IACA;AAAA,IACA;AAAA,IACA,SAAS;AAAA,IACT;AAAA,IACA;AAAA,EACF;AACA,WAAS,mBAAmB,KAAK,GAAG;AACpC,SAAO;AACT;;;ADvCA,SAAS,WAAW,UAAmC;AACrD,QAAM,KAAc,yBAAgB;AAAA,IAClC,OAAO,QAAQ;AAAA,IACf,QAAQ,QAAQ;AAAA,EAClB,CAAC;AACD,SAAO,IAAI,QAAQ,CAAC,YAAY;AAC9B,OAAG,SAAS,UAAU,CAAC,WAAW;AAChC,SAAG,MAAM;AACT,cAAQ,OAAO,KAAK,CAAC;AAAA,IACvB,CAAC;AAAA,EACH,CAAC;AACH;AAEA,eAAe,yBACb,KACA,QACe;AACf,QAAM,EAAE,UAAU,KAAK,OAAO,IAAI;AAClC,QAAM,QAAQ,MAAM,OAAO,QAAQ,CAAC,MAAM,CAAC;AAC3C,QAAM,UACJ,MAAM,SAAS,IAAI,sBAAsB,MAAM,MAAM,IAAI;AAC3D,QAAM,QAAQ,UACV,SAAS,wBAAwB,SAAS,IAAI,SAAS,IACvD,CAAC;AAEL,MAAI,MAAM,WAAW,GAAG;AACtB,WAAO;AAAA,MACL,8CAA8C,SAAS,oBAAoB;AAAA;AAAA,IAC7E;AAAA,EACF,OAAO;AACL,YAAQ,MAAM,EAAE;AAChB,WAAO;AAAA,MACL,sCAAsC,IAAI,YAAY,MAAM,SAAS,oBAAoB;AAAA,IAC3F;AACA,WAAO;AAAA,MACL;AAAA,IACF;AACA,WAAO;AAAA,MACL;AAAA,IACF;AACA,YAAQ,MAAM,EAAE;AAChB,UAAM,MAAM,MAAM,WAAW,qBAAqB;AAClD,UAAM,OAAO,QAAQ,KAAK,MAAM;AAEhC,QAAI,SAAS,KAAK;AAChB,cAAQ,MAAM,EAAE;AAChB,eAAS,IAAI,GAAG,IAAI,MAAM,QAAQ,KAAK;AACrC,cAAM,IAAI,MAAM,CAAC;AACjB,eAAO;AAAA,UACL,KAAK,IAAI,CAAC,cAAc,EAAE,SAAS,wBAAmB,EAAE,YAAY,wBAAmB,EAAE,YAAY;AAAA,QACvG;AAAA,MACF;AACA,cAAQ,MAAM,EAAE;AAChB,YAAM,SAAS,MAAM;AAAA,QACnB,gBAAW,MAAM,MAAM;AAAA,MACzB;AACA,UAAI,WAAW,IAAI;AACjB,cAAM,IAAI,OAAO,SAAS,QAAQ,EAAE;AACpC,YAAI,OAAO,SAAS,CAAC,KAAK,KAAK,KAAK,KAAK,MAAM,QAAQ;AACrD,gBAAM,SAAS,MAAM,IAAI,CAAC,EAAG;AAC7B,gBAAM,QAAQ,MAAM,OAAO,QAAQ;AAAA,YACjC;AAAA,YACA;AAAA,YACA;AAAA,YACA,IAAI;AAAA,UACN,CAAC;AACD,cAAI,MAAM,SAAS,GAAG;AACpB,oBAAQ,MAAM,EAAE;AAChB;AAAA,UACF;AACA,gBAAM,IAAI;AAAA,YACR,MAAM,UACJ,MAAM,UACN,2CAA2C,MAAM,IAAI;AAAA,UACzD;AAAA,QACF;AAAA,MACF;AACA,aAAO,OAAO,8BAA8B;AAAA,IAC9C;AAEA,WAAO,OAAO,mDAAmD;AAAA,EACnE;AAEA,QAAM,OAAO,MAAM,OAAO,WAAW;AAAA,IACnC;AAAA,IACA;AAAA,IACA,SAAS;AAAA,IACT,IAAI;AAAA,EACN,CAAC;AACD,MAAI,SAAS,GAAG;AACd,UAAM,IAAI,MAAM,0CAA0C,IAAI,GAAG;AAAA,EACnE;AACF;AAEA,eAAe,cACb,QACA,WACkB;AAClB,QAAM,IAAI,MAAM,OAAO,QAAQ,CAAC,MAAM,CAAC;AACvC,MAAI,EAAE,SAAS,EAAG,QAAO;AACzB,MAAI;AACJ,MAAI;AACF,cAAU,KAAK,MAAM,EAAE,MAAM;AAAA,EAC/B,QAAQ;AACN,WAAO;AAAA,EACT;AACA,SAAO,QAAQ,QAAQ,UAAU,KAAK,CAAC,MAAM,EAAE,OAAO,SAAS,CAAC;AAClE;AAEA,eAAe,iBACb,QACA,cACkB;AAClB,QAAM,IAAI,MAAM,OAAO,QAAQ,CAAC,cAAc,WAAW,YAAY,CAAC;AACtE,SAAO,EAAE,SAAS;AACpB;AAEA,eAAe,iBACb,QACA,cACkB;AAClB,QAAM,IAAI,MAAM,OAAO,QAAQ,CAAC,cAAc,WAAW,YAAY,CAAC;AACtE,SAAO,EAAE,SAAS;AACpB;AAEA,eAAe,WACb,QACA,UACA,WACA,YACA,eACiC;AACjC,QAAM,OAAO;AAAA,IACX;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACA,QAAM,UAAU,eAAe,KAAK;AACpC,MAAI,SAAS;AACX,SAAK,KAAK,eAAe,OAAO;AAAA,EAClC;AACA,QAAM,IAAI,MAAM,OAAO,QAAQ,IAAI;AACnC,MAAI,EAAE,SAAS,EAAG,QAAO;AACzB,SAAO,mBAAmB,EAAE,QAAQ,UAAU;AAAA,IAC5C;AAAA,IACA;AAAA,IACA,GAAI,UAAU,EAAE,eAAe,QAAQ,IAAI,CAAC;AAAA,EAC9C,CAAC;AACH;AAEA,eAAe,sBACb,KACA,QACe;AACf,QAAM,EAAE,UAAU,KAAK,qBAAqB,gBAAgB,QAAQ,SAAS,IAC3E;AAEF,MAAI,CAAC,IAAI,kBAAkB;AACzB,UAAM,IAAI;AAAA,MACR,uBAAuB,IAAI,SAAS,qJAAqJ,IAAI,SAAS;AAAA,IACxM;AAAA,EACF;AAEA,UAAQ,MAAM,EAAE;AAChB,SAAO;AAAA,IACL,GAAG,QAAQ,yBAAyB,IAAI,SAAS,sDAAsD,IAAI,YAAY;AAAA,EACzH;AACA,UAAQ,MAAM,EAAE;AAEhB,MAAI,CAAE,MAAM,cAAc,QAAQ,IAAI,SAAS,GAAI;AACjD,UAAM,IAAI,MAAM,OAAO,QAAQ,CAAC,WAAW,UAAU,IAAI,SAAS,CAAC;AACnE,QAAI,EAAE,SAAS,GAAG;AAChB,YAAM,IAAI;AAAA,QACR,EAAE,UAAU,EAAE,UAAU,0CAA0C,EAAE,IAAI;AAAA,MAC1E;AAAA,IACF;AAAA,EACF;AAEA,MAAI,CAAE,MAAM,iBAAiB,QAAQ,IAAI,YAAY,GAAI;AACvD,UAAM,yBAAyB,KAAK,MAAM;AAAA,EAC5C;AAEA,MAAI,CAAE,MAAM,iBAAiB,QAAQ,IAAI,YAAY,GAAI;AACvD,UAAM,IAAI,MAAM,OAAO,QAAQ;AAAA,MAC7B;AAAA,MACA;AAAA,MACA,SAAS;AAAA,MACT,IAAI;AAAA,MACJ;AAAA,MACA,IAAI;AAAA,IACN,CAAC;AACD,QAAI,EAAE,SAAS,GAAG;AAChB,YAAM,IAAI;AAAA,QACR,EAAE,UACA,EAAE,UACF,0CAA0C,EAAE,IAAI;AAAA,MACpD;AAAA,IACF;AAAA,EACF;AAEA;AACE,UAAM,IAAI,MAAM,OAAO,QAAQ;AAAA,MAC7B;AAAA,MACA;AAAA,MACA,IAAI;AAAA,MACJ,IAAI;AAAA,IACN,CAAC;AACD,QAAI,EAAE,SAAS,GAAG;AAChB,YAAM,IAAI;AAAA,QACR,EAAE,UACA,EAAE,UACF,0CAA0C,EAAE,IAAI;AAAA,MACpD;AAAA,IACF;AAAA,EACF;AAEA,MAAI,SAAS,6BAA6B;AACxC,WAAO,OAAO,8CAAyC;AACvD,UAAM,OAAO,MAAM,OAAO,WAAW;AAAA,MACnC;AAAA,MACA;AAAA,MACA,IAAI;AAAA,IACN,CAAC;AACD,QAAI,SAAS,GAAG;AACd,YAAM,IAAI;AAAA,QACR,qDAAqD,IAAI;AAAA,MAC3D;AAAA,IACF;AAAA,EACF;AAEA;AACE,UAAM,IAAI,MAAM,OAAO,QAAQ;AAAA,MAC7B;AAAA,MACA;AAAA,MACA,IAAI;AAAA,MACJ;AAAA,MACA,IAAI;AAAA,MACJ;AAAA,IACF,CAAC;AACD,QAAI,EAAE,SAAS,GAAG;AAChB,YAAM,IAAI;AAAA,QACR,EAAE,UACA,EAAE,UACF,0CAA0C,EAAE,IAAI,gDAAgD,IAAI,YAAY;AAAA,MACpH;AAAA,IACF;AAAA,EACF;AAEA,UAAQ,MAAM,EAAE;AAChB,SAAO;AAAA,IACL,GAAG,QAAQ,yBAAyB,IAAI,SAAS;AAAA;AAAA,EACnD;AACF;AAEO,SAAS,wBACd,2BACS;AACT,MAAI,8BAA8B,MAAO,QAAO;AAChD,MAAI,8BAA8B,KAAM,QAAO;AAC/C,SAAO,QAAQ,QAAQ,MAAM,KAAK,KAAK,CAAC;AAC1C;AAEA,eAAsB,0BACpB,QACA,KAC0B;AAC1B,QAAM,EAAE,UAAU,KAAK,oBAAoB,IAAI;AAE/C,MAAI,MAAM,MAAM;AAAA,IACd;AAAA,IACA;AAAA,IACA,IAAI;AAAA,IACJ;AAAA,IACA;AAAA,EACF;AACA,MACE,CAAC,OACA,MAAM,iBAAiB,QAAQ,IAAI,YAAY,KAChD,SAAS,6BACT;AACA,UAAM,OAAO,MAAM,OAAO,WAAW;AAAA,MACnC;AAAA,MACA;AAAA,MACA,IAAI;AAAA,IACN,CAAC;AACD,QAAI,SAAS,GAAG;AACd,YAAM,MAAM;AAAA,QACV;AAAA,QACA;AAAA,QACA,IAAI;AAAA,QACJ;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAEA,MAAI,CAAC,KAAK;AACR,UAAM,sBAAsB,KAAK,MAAM;AACvC,UAAM,MAAM;AAAA,MACV;AAAA,MACA;AAAA,MACA,IAAI;AAAA,MACJ;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAEA,MAAI,CAAC,KAAK;AACR,UAAM,IAAI;AAAA,MACR,yCAAyC,IAAI,SAAS,qBAAqB,mBAAmB,0CAA0C,IAAI,SAAS,iBAAiB,mBAAmB;AAAA,IAC3L;AAAA,EACF;AAEA,SAAO;AACT;AAEA,eAAsB,kBACpB,QACA,UACA,WACA,YACA,eAC0B;AAC1B,QAAM,OAAO;AAAA,IACX;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACA,QAAM,UAAU,eAAe,KAAK;AACpC,MAAI,SAAS;AACX,SAAK,KAAK,eAAe,OAAO;AAAA,EAClC;AACA,QAAM,IAAI,MAAM,OAAO,QAAQ,IAAI;AACnC,MAAI,EAAE,SAAS,GAAG;AAChB,UAAM,IAAI;AAAA,MACR,EAAE,UACA,EAAE,UACF,mCAAmC,EAAE,IAAI,kBAAkB,SAAS,iBAAiB,UAAU;AAAA,IACnG;AAAA,EACF;AACA,SAAO,mBAAmB,EAAE,QAAQ,UAAU;AAAA,IAC5C;AAAA,IACA;AAAA,IACA,GAAI,UAAU,EAAE,eAAe,QAAQ,IAAI,CAAC;AAAA,EAC9C,CAAC;AACH;AAEA,eAAsB,kBACpB,QAC0B;AAC1B,QAAM,IAAI,MAAM,OAAO,QAAQ,CAAC,MAAM,CAAC;AACvC,MAAI,EAAE,SAAS,GAAG;AAChB,UAAM,IAAI;AAAA,MACR,EAAE,UAAU,EAAE,UAAU,gCAAgC,EAAE,IAAI;AAAA,IAChE;AAAA,EACF;AACA,QAAM,UAAU,sBAAsB,EAAE,MAAM;AAC9C,MAAI,CAAC,SAAS;AACZ,UAAM,IAAI,MAAM,8CAA8C;AAAA,EAChE;AACA,SAAO;AAAA,IACL,WAAW,QAAQ;AAAA,IACnB,aAAa,QAAQ,eAAe,CAAC;AAAA,IACrC,aAAa,QAAQ,eAAe,CAAC;AAAA,IACrC,UAAU,QAAQ,YAAY,CAAC;AAAA,EACjC;AACF;AAEA,eAAsB,sBACpB,QACA,QAMe;AACf,QAAM,IAAI,MAAM,OAAO,QAAQ;AAAA,IAC7B;AAAA,IACA;AAAA,IACA,OAAO;AAAA,IACP,OAAO;AAAA,IACP,OAAO;AAAA,IACP,OAAO;AAAA,EACT,CAAC;AACD,MAAI,EAAE,SAAS,GAAG;AAChB,UAAM,IAAI;AAAA,MACR,EAAE,UACA,EAAE,UACF,0CAA0C,EAAE,IAAI;AAAA,IACpD;AAAA,EACF;AACF;;;AEzaA,OAAO,QAAQ;AACf,OAAO,UAAU;AAMV,SAAS,4BAA4B,UAA2B;AACrE,QAAM,UAAU,UAAU,KAAK;AAC/B,MAAI,QAAS,QAAO;AACpB,QAAM,UAAU,QAAQ,IAAI,gBAAgB,KAAK;AACjD,MAAI,QAAS,QAAO;AACpB,QAAM,QAAQ,YAAY,YAAY;AACtC,MAAI,CAAC,OAAO;AACV,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AACA,SAAO;AACT;AAEA,SAAS,YAAY,KAA4B;AAC/C,QAAM,QAAQ,QAAQ,aAAa;AACnC,QAAM,QAAQ,QAAQ,IAAI,MAAM,MAAM,KAAK,SAAS,KAAK,CAAC;AAC1D,QAAM,OAAO,QACT,QAAQ,IAAI,SAAS,MAAM,KAAK,SAAS,KAAK,CAAC,QAAQ,QAAQ,QAAQ,EAAE,IACzE,CAAC,EAAE;AAEP,aAAW,OAAO,OAAO;AACvB,eAAW,OAAO,MAAM;AACtB,YAAM,YAAY,KAAK,KAAK,KAAK,MAAM,GAAG;AAC1C,UAAI;AACF,cAAM,KAAK,GAAG,SAAS,SAAS;AAChC,YAAI,CAAC,GAAG,OAAO,EAAG;AAClB,YAAI,CAAC,OAAO;AACV,cAAI;AACF,eAAG,WAAW,WAAW,GAAG,UAAU,IAAI;AAAA,UAC5C,QAAQ;AACN;AAAA,UACF;AAAA,QACF;AACA,eAAO;AAAA,MACT,QAAQ;AAAA,MAER;AAAA,IACF;AAAA,EACF;AACA,SAAO;AACT;;;AC9CA,SAAS,qBAA8B;AACrC,MAAI,QAAQ,IAAI,SAAU,QAAO;AACjC,MAAI,QAAQ,IAAI,SAAS,OAAQ,QAAO;AACxC,SAAO,QAAQ,QAAQ,OAAO,KAAK;AACrC;AAEA,IAAM,cAAc;AACpB,IAAM,aAAa;AACnB,IAAM,aAAa;AAEZ,SAAS,sBAA8B;AAC5C,SAAO;AAAA,IACL,OAAO,SAAuB;AAC5B,UAAI,mBAAmB;AACrB,gBAAQ,MAAM,GAAG,WAAW,GAAG,OAAO,GAAG,UAAU,EAAE;AAAA,UAClD,SAAQ,MAAM,OAAO;AAAA,IAC5B;AAAA,IACA,QAAQ,SAAuB;AAC7B,UAAI,mBAAmB;AACrB,gBAAQ,MAAM,GAAG,UAAU,GAAG,OAAO,GAAG,UAAU,EAAE;AAAA,UACjD,SAAQ,MAAM,OAAO;AAAA,IAC5B;AAAA,EACF;AACF;;;ACzBA,SAAS,aAAa;;;ACKf,SAAS,kBAAqC;AACnD,QAAM,MAAyB,EAAE,GAAG,QAAQ,IAAI;AAChD,MAAI,IAAI,yBAAyB,KAAK,EAAG,QAAO;AAChD,UAAQ,QAAQ,UAAU;AAAA,IACxB,KAAK;AACH,UAAI,0BAA0B;AAC9B;AAAA,IACF,KAAK;AACH,UAAI,0BAA0B;AAC9B;AAAA,IACF,KAAK;AACH,UAAI,0BAA0B;AAC9B;AAAA,IACF;AACE;AAAA,EACJ;AACA,SAAO;AACT;;;ADXO,SAAS,qBAAqB,SAGlB;AACjB,QAAM,aAAa,QAAQ,OAAO;AAElC,WAAS,aAAqB;AAC5B,WAAO,4BAA4B,QAAQ,cAAc;AAAA,EAC3D;AAEA,SAAO;AAAA,IACL,MAAM,QAAQ,MAAwC;AACpD,YAAM,MAAM,WAAW;AACvB,YAAM,MAAM,WAAW;AACvB,YAAM,YAAY,QAAQ,MAAM,QAAQ,YAAY;AACpD,aAAO,MAAM,aAAa,CAAC,KAAK,UAAU,GAAG,IAAI,GAAG,KAAK,SAAS;AAAA,IACpE;AAAA,IACA,MAAM,WAAW,MAAiC;AAChD,YAAM,MAAM,WAAW;AACvB,YAAM,MAAM,WAAW;AACvB,aAAO,MAAM,gBAAgB,CAAC,KAAK,GAAG,IAAI,GAAG,GAAG;AAAA,IAClD;AAAA,EACF;AACF;AAEA,SAAS,aACP,MACA,KACA,WACwB;AACxB,QAAM,CAAC,gBAAgB,GAAG,IAAI,IAAI;AAClC,SAAO,IAAI,QAAQ,CAAC,SAAS,WAAW;AACtC,UAAM,QAAQ,MAAM,gBAAiB,MAAM;AAAA,MACzC;AAAA,MACA,OAAO,CAAC,WAAW,QAAQ,MAAM;AAAA,IACnC,CAAC;AACD,QAAI,SAAS;AACb,QAAI,SAAS;AACb,UAAM,QAAQ,YAAY,MAAM;AAChC,UAAM,QAAQ,YAAY,MAAM;AAChC,UAAM,QAAQ,GAAG,QAAQ,CAAC,MAAc;AACtC,gBAAU;AAAA,IACZ,CAAC;AACD,UAAM,QAAQ,GAAG,QAAQ,CAAC,MAAc;AACtC,gBAAU;AAAA,IACZ,CAAC;AACD,UAAM,GAAG,SAAS,MAAM;AACxB,UAAM,GAAG,SAAS,CAAC,SAAS;AAC1B,cAAQ;AAAA,QACN,MAAM,QAAQ;AAAA,QACd,QAAQ,OAAO,QAAQ;AAAA,QACvB,QAAQ,OAAO,QAAQ;AAAA,MACzB,CAAC;AAAA,IACH,CAAC;AAAA,EACH,CAAC;AACH;AAEA,SAAS,gBACP,MACA,KACiB;AACjB,QAAM,CAAC,gBAAgB,GAAG,IAAI,IAAI;AAClC,SAAO,IAAI,QAAQ,CAAC,SAAS,WAAW;AACtC,UAAM,QAAQ,MAAM,gBAAiB,MAAM,EAAE,KAAK,OAAO,UAAU,CAAC;AACpE,UAAM,GAAG,SAAS,MAAM;AACxB,UAAM,GAAG,SAAS,CAAC,SAAS,QAAQ,QAAQ,CAAC,CAAC;AAAA,EAChD,CAAC;AACH;;;AEhBA,SAAS,iBACP,IACA,UACc;AACd,QAAM,WAAW,GAAG,EAAE,IAAI,SAAS,oBAAoB;AACvD,SAAO,EAAE,WAAW,IAAI,cAAc,UAAU,cAAc,SAAS;AACzE;AAEA,SAAS,oBACP,SACc;AACd,MAAI,eAAe,SAAS;AAC1B,WAAO,iBAAiB,QAAQ,WAAW,QAAQ,QAAQ;AAAA,EAC7D;AACA,SAAO;AAAA,IACL,WAAW,QAAQ;AAAA,IACnB,cAAc,QAAQ;AAAA,IACtB,cAAc,QAAQ;AAAA,EACxB;AACF;AAEO,SAAS,iBACd,SACY;AACZ,QAAM,WAAW,QAAQ;AACzB,QAAM,sBACJ,QAAQ,uBAAuB,WAAW;AAC5C,QAAM,kBACJ,QAAQ,yBAAyB,mBAAmB,GAAG,KAAK;AAC9D,MAAI,CAAC,iBAAiB;AACpB,UAAM,IAAI;AAAA,MACR,qGAAqG,mBAAmB;AAAA,IAC1H;AAAA,EACF;AACA,QAAM,iBAAyB;AAE/B,MAAI,CAAC,QAAQ,QAAQ;AACnB,gCAA4B,QAAQ,cAAc;AAAA,EACpD;AAEA,QAAM,SACJ,QAAQ,UACR,qBAAqB,EAAE,gBAAgB,QAAQ,eAAe,CAAC;AAEjE,QAAM,eAAe,oBAAoB,OAAO;AAChD,MAAI,mBAAmB,aAAa;AAEpC,QAAM,SAAS,QAAQ,UAAU,oBAAoB;AACrD,QAAM,mBAAmB;AAAA,IACvB,QAAQ;AAAA,EACV;AAEA,WAAS,aAAa,KAAqC;AACzD,WAAO;AAAA,MACL;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA,UAAU,QAAQ;AAAA,MAClB;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AAAA,IACL,MAAM,OAAO,mBAAsD;AACjE,YAAM,UAAU,mBAAmB,KAAK;AACxC,YAAM,MAAM,UACR,iBAAiB,SAAS,QAAQ,IAClC;AACJ,aAAO,MAAM;AAAA,QACX;AAAA,QACA,aAAa,GAAG;AAAA,MAClB;AAAA,IACF;AAAA,IAEA,MAAM,eAAyC;AAC7C,aAAO,MAAM,kBAAkB,MAAM;AAAA,IACvC;AAAA,IAEA,WAAW,WAAyB;AAClC,yBAAmB;AAAA,IACrB;AAAA,IAEA,IAAI,kBAA0B;AAC5B,aAAO;AAAA,IACT;AAAA,IAEA,MAAM,IACJ,YACAA,UAC0B;AAC1B,YAAM,MAAM,OAAO,eAAe,WAAW,iBAAiB,UAAU,IAAI;AAC5E,aAAO,MAAM;AAAA,QACX;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACAA,UAAS;AAAA,MACX;AAAA,IACF;AAAA,IAEA,MAAM,mBACJ,YACA,cACA,SACe;AACf,YAAM,MACJ,OAAO,eAAe,WAAW,iBAAiB,UAAU,IAAI;AAClE,YAAM,sBAAsB,QAAQ;AAAA,QAClC,WAAW;AAAA,QACX,YAAY;AAAA,QACZ;AAAA,QACA;AAAA,MACF,CAAC;AAAA,IACH;AAAA,EACF;AACF;;;AC3JA,SAAS,gBACP,SACA,kBACsB;AACtB,QAAM,WAAW,QAAQ,YAAY,CAAC;AACtC,QAAM,cAAc,QAAQ,eAAe,CAAC;AAC5C,QAAM,WAAW,IAAI,IAAI,YAAY,IAAI,CAAC,MAAM,CAAC,EAAE,IAAI,CAAC,CAAC,CAAC;AAC1D,QAAM,WAAW,oBAAI,IAAY;AACjC,QAAM,MAA4B,CAAC;AACnC,aAAW,KAAK,UAAU;AACxB,QAAI,EAAE,OAAO,iBAAkB;AAC/B,eAAW,UAAU,EAAE,yBAAyB,CAAC,GAAG;AAClD,YAAM,IAAI,SAAS,IAAI,MAAM;AAC7B,UAAI,CAAC,KAAK,EAAE,eAAe,SAAU;AACrC,UAAI,SAAS,IAAI,EAAE,YAAY,EAAG;AAClC,eAAS,IAAI,EAAE,YAAY;AAC3B,UAAI,KAAK;AAAA,QACP,WAAW,EAAE;AAAA,QACb,cAAc,EAAE;AAAA,QAChB,cAAc,EAAE;AAAA,MAClB,CAAC;AAAA,IACH;AAAA,EACF;AACA,SAAO;AACT;AAEA,IAAM,iBAA8C;AAAA,EAClD,sBAAsB;AAAA,EACtB,6BAA6B;AAAA,EAC7B,yBAAyB;AAAA,EACzB,mBAAmB,YAA6B,KAA8B;AAC5E,QAAI,WAAW,eAAe,UAAU;AACtC,YAAM,IAAI;AAAA,QACR,uBAAuB,IAAI,SAAS,sDAAsD,IAAI,UAAU,oBAAoB,WAAW,UAAU;AAAA,MACnJ;AAAA,IACF;AACA,QAAI,CAAC,WAAW,SAAS;AACvB,YAAM,IAAI;AAAA,QACR,uBAAuB,IAAI,SAAS,2CAA2C,IAAI,UAAU,qCAAqC,IAAI,SAAS,IAAI,IAAI,UAAU;AAAA,MACnK;AAAA,IACF;AAAA,EACF;AACF;AAEO,IAAM,mBAAmB;AAAA,EAC9B,QAAQ;AACV;","names":["options"]}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@partrocks/tokenvault",
-  "version": "0.1.5",
+  "version": "0.1.6",
   "description": "Facade for tokenvault CLI: bootstrap profiles, resolve secrets per capability, list profiles",
   "type": "module",
   "main": "./dist/index.js",
@@ -14,7 +14,8 @@
   },
   "files": [
     "dist",
-    "README.md"
+    "README.md",
+    "TOKENVAULT_BOOTSTRAP.md"
   ],
   "publishConfig": {
     "access": "public"