@quint-security/core 0.1.2

package/dist/auth-db.d.ts

@@ -0,0 +1,17 @@
+import type { ApiKey, Session } from "./types.js";
+export declare class AuthDb {
+    private db;
+    constructor(dbPath: string);
+    insertApiKey(key: ApiKey): void;
+    getApiKeyByHash(keyHash: string): ApiKey | undefined;
+    getApiKeyById(id: string): ApiKey | undefined;
+    listApiKeys(ownerId?: string): ApiKey[];
+    revokeApiKey(id: string): boolean;
+    insertSession(session: Session): void;
+    getSession(id: string): Session | undefined;
+    revokeSession(id: string): boolean;
+    revokeSessionsBySubject(subjectId: string): number;
+    close(): void;
+}
+export declare function openAuthDb(dataDir: string): AuthDb;
+//# sourceMappingURL=auth-db.d.ts.map

package/dist/auth-db.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-db.d.ts","sourceRoot":"","sources":["../src/auth-db.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,YAAY,CAAC;AA6BlD,qBAAa,MAAM;IACjB,OAAO,CAAC,EAAE,CAAoB;gBAElB,MAAM,EAAE,MAAM;IAS1B,YAAY,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI;IAU/B,eAAe,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS;IAQpD,aAAa,CAAC,EAAE,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS;IAQ7C,WAAW,CAAC,OAAO,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE;IAWvC,YAAY,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO;IASjC,aAAa,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI;IAUrC,UAAU,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,GAAG,SAAS;IAQ3C,aAAa,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO;IAOlC,uBAAuB,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM;IAOlD,KAAK,IAAI,IAAI;CAGd;AAED,wBAAgB,UAAU,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAElD"}

package/dist/auth-db.js

@@ -0,0 +1,112 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthDb = void 0;
+exports.openAuthDb = openAuthDb;
+const better_sqlite3_1 = __importDefault(require("better-sqlite3"));
+const node_fs_1 = require("node:fs");
+const node_path_1 = require("node:path");
+const AUTH_SCHEMA = `
+CREATE TABLE IF NOT EXISTS api_keys (
+  id          TEXT PRIMARY KEY,
+  key_hash    TEXT NOT NULL UNIQUE,
+  owner_id    TEXT NOT NULL,
+  label       TEXT NOT NULL,
+  scopes      TEXT NOT NULL DEFAULT '',
+  created_at  TEXT NOT NULL,
+  expires_at  TEXT,
+  revoked     INTEGER NOT NULL DEFAULT 0
+);
+
+CREATE TABLE IF NOT EXISTS sessions (
+  id          TEXT PRIMARY KEY,
+  subject_id  TEXT NOT NULL,
+  auth_method TEXT NOT NULL,
+  scopes      TEXT NOT NULL DEFAULT '',
+  issued_at   TEXT NOT NULL,
+  expires_at  TEXT NOT NULL,
+  revoked     INTEGER NOT NULL DEFAULT 0
+);
+
+CREATE INDEX IF NOT EXISTS idx_api_keys_hash    ON api_keys(key_hash);
+CREATE INDEX IF NOT EXISTS idx_api_keys_owner   ON api_keys(owner_id);
+CREATE INDEX IF NOT EXISTS idx_sessions_subject ON sessions(subject_id);
+`;
+class AuthDb {
+    db;
+    constructor(dbPath) {
+        (0, node_fs_1.mkdirSync)((0, node_path_1.dirname)(dbPath), { recursive: true });
+        this.db = new better_sqlite3_1.default(dbPath);
+        this.db.pragma("journal_mode = WAL");
+        this.db.exec(AUTH_SCHEMA);
+    }
+    // ── API Keys ──────────────────────────────────────────────────
+    insertApiKey(key) {
+        this.db.prepare(`
+      INSERT INTO api_keys (id, key_hash, owner_id, label, scopes, created_at, expires_at, revoked)
+      VALUES (@id, @key_hash, @owner_id, @label, @scopes, @created_at, @expires_at, @revoked)
+    `).run({
+            ...key,
+            revoked: key.revoked ? 1 : 0,
+        });
+    }
+    getApiKeyByHash(keyHash) {
+        const row = this.db.prepare("SELECT * FROM api_keys WHERE key_hash = ?").get(keyHash);
+        if (!row)
+            return undefined;
+        return { ...row, revoked: row.revoked === 1 };
+    }
+    getApiKeyById(id) {
+        const row = this.db.prepare("SELECT * FROM api_keys WHERE id = ?").get(id);
+        if (!row)
+            return undefined;
+        return { ...row, revoked: row.revoked === 1 };
+    }
+    listApiKeys(ownerId) {
+        const query = ownerId
+            ? "SELECT * FROM api_keys WHERE owner_id = ? ORDER BY created_at DESC"
+            : "SELECT * FROM api_keys ORDER BY created_at DESC";
+        const rows = (ownerId
+            ? this.db.prepare(query).all(ownerId)
+            : this.db.prepare(query).all());
+        return rows.map((r) => ({ ...r, revoked: r.revoked === 1 }));
+    }
+    revokeApiKey(id) {
+        const result = this.db.prepare("UPDATE api_keys SET revoked = 1 WHERE id = ?").run(id);
+        return result.changes > 0;
+    }
+    // ── Sessions ──────────────────────────────────────────────────
+    insertSession(session) {
+        this.db.prepare(`
+      INSERT INTO sessions (id, subject_id, auth_method, scopes, issued_at, expires_at, revoked)
+      VALUES (@id, @subject_id, @auth_method, @scopes, @issued_at, @expires_at, @revoked)
+    `).run({
+            ...session,
+            revoked: session.revoked ? 1 : 0,
+        });
+    }
+    getSession(id) {
+        const row = this.db.prepare("SELECT * FROM sessions WHERE id = ?").get(id);
+        if (!row)
+            return undefined;
+        return { ...row, revoked: row.revoked === 1 };
+    }
+    revokeSession(id) {
+        const result = this.db.prepare("UPDATE sessions SET revoked = 1 WHERE id = ?").run(id);
+        return result.changes > 0;
+    }
+    revokeSessionsBySubject(subjectId) {
+        const result = this.db.prepare("UPDATE sessions SET revoked = 1 WHERE subject_id = ? AND revoked = 0").run(subjectId);
+        return result.changes;
+    }
+    close() {
+        this.db.close();
+    }
+}
+exports.AuthDb = AuthDb;
+function openAuthDb(dataDir) {
+    return new AuthDb((0, node_path_1.join)(dataDir, "auth.db"));
+}
+//# sourceMappingURL=auth-db.js.map

package/dist/auth-db.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-db.js","sourceRoot":"","sources":["../src/auth-db.ts"],"names":[],"mappings":";;;;;;AA+HA,gCAEC;AAjID,oEAAsC;AACtC,qCAAoC;AACpC,yCAA0C;AAG1C,MAAM,WAAW,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;CAyBnB,CAAC;AAEF,MAAa,MAAM;IACT,EAAE,CAAoB;IAE9B,YAAY,MAAc;QACxB,IAAA,mBAAS,EAAC,IAAA,mBAAO,EAAC,MAAM,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAChD,IAAI,CAAC,EAAE,GAAG,IAAI,wBAAQ,CAAC,MAAM,CAAC,CAAC;QAC/B,IAAI,CAAC,EAAE,CAAC,MAAM,CAAC,oBAAoB,CAAC,CAAC;QACrC,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IAC5B,CAAC;IAED,iEAAiE;IAEjE,YAAY,CAAC,GAAW;QACtB,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC;;;KAGf,CAAC,CAAC,GAAG,CAAC;YACL,GAAG,GAAG;YACN,OAAO,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;SAC7B,CAAC,CAAC;IACL,CAAC;IAED,eAAe,CAAC,OAAe;QAC7B,MAAM,GAAG,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CACzB,2CAA2C,CAC5C,CAAC,GAAG,CAAC,OAAO,CAAgE,CAAC;QAC9E,IAAI,CAAC,GAAG;YAAE,OAAO,SAAS,CAAC;QAC3B,OAAO,EAAE,GAAG,GAAG,EAAE,OAAO,EAAE,GAAG,CAAC,OAAO,KAAK,CAAC,EAAE,CAAC;IAChD,CAAC;IAED,aAAa,CAAC,EAAU;QACtB,MAAM,GAAG,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CACzB,qCAAqC,CACtC,CAAC,GAAG,CAAC,EAAE,CAAgE,CAAC;QACzE,IAAI,CAAC,GAAG;YAAE,OAAO,SAAS,CAAC;QAC3B,OAAO,EAAE,GAAG,GAAG,EAAE,OAAO,EAAE,GAAG,CAAC,OAAO,KAAK,CAAC,EAAE,CAAC;IAChD,CAAC;IAED,WAAW,CAAC,OAAgB;QAC1B,MAAM,KAAK,GAAG,OAAO;YACnB,CAAC,CAAC,oEAAoE;YACtE,CAAC,CAAC,iDAAiD,CAAC;QACtD,MAAM,IAAI,GAAG,CAAC,OAAO;YACnB,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC;YACrC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,CACyB,CAAC;QAC1D,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC,OAAO,KAAK,CAAC,EAAE,CAAC,CAAC,CAAC;IAC/D,CAAC;IAED,YAAY,CAAC,EAAU;QACrB,MAAM,MAAM,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAC5B,8CAA8C,CAC/C,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACV,OAAO,MAAM,CAAC,OAAO,GAAG,CAAC,CAAC;IAC5B,CAAC;IAED,iEAAiE;IAEjE,aAAa,CAAC,OAAgB;QAC5B,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC;;;KAGf,CAAC,CAAC,GAAG,CAAC;YACL,GAAG,OAAO;YACV,OAAO,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;SACjC,CAAC,CAAC;IACL,CAAC;IAED,UAAU,CAAC,EAAU;QACnB,MAAM,GAAG,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CACzB,qCAAqC,CACtC,CAAC,GAAG,CAAC,EAAE,CAAiE,CAAC;QAC1E,IAAI,CAAC,GAAG;YAAE,OAAO,SAAS,CAAC;QAC3B,OAAO,EAAE,GAAG,GAAG,EAAE,OAAO,EAAE,GAAG,CAAC,OAAO,KAAK,CAAC,EAAE,CAAC;IAChD,CAAC;IAED,aAAa,CAAC,EAAU;QACtB,MAAM,MAAM,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAC5B,8CAA8C,CAC/C,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACV,OAAO,MAAM,CAAC,OAAO,GAAG,CAAC,CAAC;IAC5B,CAAC;IAED,uBAAuB,CAAC,SAAiB;QACvC,MAAM,MAAM,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAC5B,sEAAsE,CACvE,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QACjB,OAAO,MAAM,CAAC,OAAO,CAAC;IACxB,CAAC;IAED,KAAK;QACH,IAAI,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;IAClB,CAAC;CACF;AA7FD,wBA6FC;AAED,SAAgB,UAAU,CAAC,OAAe;IACxC,OAAO,IAAI,MAAM,CAAC,IAAA,gBAAI,EAAC,OAAO,EAAE,SAAS,CAAC,CAAC,CAAC;AAC9C,CAAC"}

package/dist/auth.d.ts

@@ -0,0 +1,41 @@
+import type { ApiKey, Session } from "./types.js";
+import type { AuthDb } from "./auth-db.js";
+/**
+ * Generate a new API key. Returns the raw key (shown once) and the stored record.
+ */
+export declare function generateApiKey(db: AuthDb, opts: {
+    label: string;
+    ownerId?: string;
+    scopes?: string[];
+    ttlSeconds?: number;
+}): {
+    rawKey: string;
+    apiKey: ApiKey;
+};
+/**
+ * Verify a raw API key. Returns the key record if valid, undefined otherwise.
+ */
+export declare function verifyApiKey(db: AuthDb, rawKey: string): ApiKey | undefined;
+/**
+ * Create a session after successful authentication.
+ */
+export declare function createSession(db: AuthDb, opts: {
+    subjectId: string;
+    authMethod: string;
+    scopes?: string;
+    ttlMs?: number;
+}): Session;
+/**
+ * Validate a session token. Returns the session if valid, undefined otherwise.
+ */
+export declare function validateSession(db: AuthDb, token: string): Session | undefined;
+/**
+ * Authenticate a bearer token — could be a raw API key or a session token.
+ * Returns { type, subject, scopes } if valid, undefined otherwise.
+ */
+export declare function authenticateBearer(db: AuthDb, token: string): {
+    type: "api_key" | "session";
+    subjectId: string;
+    scopes: string;
+} | undefined;
+//# sourceMappingURL=auth.d.ts.map

package/dist/auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,YAAY,CAAC;AAClD,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,cAAc,CAAC;AAW3C;;GAEG;AACH,wBAAgB,cAAc,CAC5B,EAAE,EAAE,MAAM,EACV,IAAI,EAAE;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAAC,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAAC,UAAU,CAAC,EAAE,MAAM,CAAA;CAAE,GAChF;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAqBpC;AAED;;GAEG;AACH,wBAAgB,YAAY,CAAC,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAO3E;AAID;;GAEG;AACH,wBAAgB,aAAa,CAC3B,EAAE,EAAE,MAAM,EACV,IAAI,EAAE;IAAE,SAAS,EAAE,MAAM,CAAC;IAAC,UAAU,EAAE,MAAM,CAAC;IAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,GAC/E,OAAO,CAgBT;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,GAAG,SAAS,CAM9E;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,CAChC,EAAE,EAAE,MAAM,EACV,KAAK,EAAE,MAAM,GACZ;IAAE,IAAI,EAAE,SAAS,GAAG,SAAS,CAAC;IAAC,SAAS,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,GAAG,SAAS,CAchF"}

package/dist/auth.js

@@ -0,0 +1,101 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.generateApiKey = generateApiKey;
+exports.verifyApiKey = verifyApiKey;
+exports.createSession = createSession;
+exports.validateSession = validateSession;
+exports.authenticateBearer = authenticateBearer;
+const node_crypto_1 = require("node:crypto");
+const API_KEY_PREFIX = "qk_";
+const DEFAULT_SESSION_TTL_MS = 24 * 60 * 60 * 1000; // 24 hours
+// ── API Key management ──────────────────────────────────────────
+function hashKey(rawKey) {
+    return (0, node_crypto_1.createHash)("sha256").update(rawKey, "utf-8").digest("hex");
+}
+/**
+ * Generate a new API key. Returns the raw key (shown once) and the stored record.
+ */
+function generateApiKey(db, opts) {
+    const rawKey = API_KEY_PREFIX + (0, node_crypto_1.randomBytes)(32).toString("hex");
+    const id = API_KEY_PREFIX + (0, node_crypto_1.randomUUID)().replace(/-/g, "").substring(0, 16);
+    const now = new Date().toISOString();
+    const expiresAt = opts.ttlSeconds && opts.ttlSeconds > 0
+        ? new Date(Date.now() + opts.ttlSeconds * 1000).toISOString()
+        : null;
+    const apiKey = {
+        id,
+        key_hash: hashKey(rawKey),
+        owner_id: opts.ownerId ?? "local",
+        label: opts.label,
+        scopes: (opts.scopes ?? []).join(","),
+        created_at: now,
+        expires_at: expiresAt,
+        revoked: false,
+    };
+    db.insertApiKey(apiKey);
+    return { rawKey, apiKey };
+}
+/**
+ * Verify a raw API key. Returns the key record if valid, undefined otherwise.
+ */
+function verifyApiKey(db, rawKey) {
+    const hash = hashKey(rawKey);
+    const key = db.getApiKeyByHash(hash);
+    if (!key)
+        return undefined;
+    if (key.revoked)
+        return undefined;
+    if (key.expires_at && new Date(key.expires_at) < new Date())
+        return undefined;
+    return key;
+}
+// ── Session management ──────────────────────────────────────────
+/**
+ * Create a session after successful authentication.
+ */
+function createSession(db, opts) {
+    const now = new Date();
+    const ttl = opts.ttlMs ?? DEFAULT_SESSION_TTL_MS;
+    const session = {
+        id: (0, node_crypto_1.randomUUID)(),
+        subject_id: opts.subjectId,
+        auth_method: opts.authMethod,
+        scopes: opts.scopes ?? "",
+        issued_at: now.toISOString(),
+        expires_at: new Date(now.getTime() + ttl).toISOString(),
+        revoked: false,
+    };
+    db.insertSession(session);
+    return session;
+}
+/**
+ * Validate a session token. Returns the session if valid, undefined otherwise.
+ */
+function validateSession(db, token) {
+    const session = db.getSession(token);
+    if (!session)
+        return undefined;
+    if (session.revoked)
+        return undefined;
+    if (new Date(session.expires_at) < new Date())
+        return undefined;
+    return session;
+}
+/**
+ * Authenticate a bearer token — could be a raw API key or a session token.
+ * Returns { type, subject, scopes } if valid, undefined otherwise.
+ */
+function authenticateBearer(db, token) {
+    // Try as session first (UUIDs are shorter, faster lookup)
+    const session = validateSession(db, token);
+    if (session) {
+        return { type: "session", subjectId: session.subject_id, scopes: session.scopes };
+    }
+    // Try as raw API key
+    const key = verifyApiKey(db, token);
+    if (key) {
+        return { type: "api_key", subjectId: key.id, scopes: key.scopes };
+    }
+    return undefined;
+}
+//# sourceMappingURL=auth.js.map

package/dist/auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.js","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":";;AAgBA,wCAwBC;AAKD,oCAOC;AAOD,sCAmBC;AAKD,0CAMC;AAMD,gDAiBC;AAhHD,6CAAkE;AAIlE,MAAM,cAAc,GAAG,KAAK,CAAC;AAC7B,MAAM,sBAAsB,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,WAAW;AAE/D,mEAAmE;AAEnE,SAAS,OAAO,CAAC,MAAc;IAC7B,OAAO,IAAA,wBAAU,EAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACpE,CAAC;AAED;;GAEG;AACH,SAAgB,cAAc,CAC5B,EAAU,EACV,IAAiF;IAEjF,MAAM,MAAM,GAAG,cAAc,GAAG,IAAA,yBAAW,EAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IAChE,MAAM,EAAE,GAAG,cAAc,GAAG,IAAA,wBAAU,GAAE,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAC5E,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IACrC,MAAM,SAAS,GAAG,IAAI,CAAC,UAAU,IAAI,IAAI,CAAC,UAAU,GAAG,CAAC;QACtD,CAAC,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE;QAC7D,CAAC,CAAC,IAAI,CAAC;IAET,MAAM,MAAM,GAAW;QACrB,EAAE;QACF,QAAQ,EAAE,OAAO,CAAC,MAAM,CAAC;QACzB,QAAQ,EAAE,IAAI,CAAC,OAAO,IAAI,OAAO;QACjC,KAAK,EAAE,IAAI,CAAC,KAAK;QACjB,MAAM,EAAE,CAAC,IAAI,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC;QACrC,UAAU,EAAE,GAAG;QACf,UAAU,EAAE,SAAS;QACrB,OAAO,EAAE,KAAK;KACf,CAAC;IAEF,EAAE,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;IACxB,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC;AAC5B,CAAC;AAED;;GAEG;AACH,SAAgB,YAAY,CAAC,EAAU,EAAE,MAAc;IACrD,MAAM,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAC7B,MAAM,GAAG,GAAG,EAAE,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC;IACrC,IAAI,CAAC,GAAG;QAAE,OAAO,SAAS,CAAC;IAC3B,IAAI,GAAG,CAAC,OAAO;QAAE,OAAO,SAAS,CAAC;IAClC,IAAI,GAAG,CAAC,UAAU,IAAI,IAAI,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,IAAI,IAAI,EAAE;QAAE,OAAO,SAAS,CAAC;IAC9E,OAAO,GAAG,CAAC;AACb,CAAC;AAED,mEAAmE;AAEnE;;GAEG;AACH,SAAgB,aAAa,CAC3B,EAAU,EACV,IAAgF;IAEhF,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;IACvB,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,IAAI,sBAAsB,CAAC;IAEjD,MAAM,OAAO,GAAY;QACvB,EAAE,EAAE,IAAA,wBAAU,GAAE;QAChB,UAAU,EAAE,IAAI,CAAC,SAAS;QAC1B,WAAW,EAAE,IAAI,CAAC,UAAU;QAC5B,MAAM,EAAE,IAAI,CAAC,MAAM,IAAI,EAAE;QACzB,SAAS,EAAE,GAAG,CAAC,WAAW,EAAE;QAC5B,UAAU,EAAE,IAAI,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,GAAG,CAAC,CAAC,WAAW,EAAE;QACvD,OAAO,EAAE,KAAK;KACf,CAAC;IAEF,EAAE,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC;IAC1B,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;GAEG;AACH,SAAgB,eAAe,CAAC,EAAU,EAAE,KAAa;IACvD,MAAM,OAAO,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;IACrC,IAAI,CAAC,OAAO;QAAE,OAAO,SAAS,CAAC;IAC/B,IAAI,OAAO,CAAC,OAAO;QAAE,OAAO,SAAS,CAAC;IACtC,IAAI,IAAI,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,GAAG,IAAI,IAAI,EAAE;QAAE,OAAO,SAAS,CAAC;IAChE,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;GAGG;AACH,SAAgB,kBAAkB,CAChC,EAAU,EACV,KAAa;IAEb,0DAA0D;IAC1D,MAAM,OAAO,GAAG,eAAe,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC;IAC3C,IAAI,OAAO,EAAE,CAAC;QACZ,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,SAAS,EAAE,OAAO,CAAC,UAAU,EAAE,MAAM,EAAE,OAAO,CAAC,MAAM,EAAE,CAAC;IACpF,CAAC;IAED,qBAAqB;IACrB,MAAM,GAAG,GAAG,YAAY,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC;IACpC,IAAI,GAAG,EAAE,CAAC;QACR,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,SAAS,EAAE,GAAG,CAAC,EAAE,EAAE,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,CAAC;IACpE,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC"}

package/dist/config.d.ts

@@ -0,0 +1,20 @@
+import type { PolicyConfig, Verdict } from "./types.js";
+export declare function resolveDataDir(raw: string): string;
+/**
+ * Load policy from either:
+ *   - a direct file path ending in .json
+ *   - a data directory containing policy.json
+ *   - QUINT_DATA_DIR env var
+ *   - default ~/.quint
+ */
+export declare function loadPolicy(pathOrDir?: string): PolicyConfig;
+export declare function initPolicy(dataDir?: string): string;
+export declare function validatePolicy(config: PolicyConfig): string[];
+/**
+ * Match a string against a pattern with glob wildcards.
+ * Supports: * (any chars), ? (single char).
+ * Examples: "write_*" matches "write_file", "Mechanic*" matches "MechanicRunTool"
+ */
+export declare function globMatch(pattern: string, value: string): boolean;
+export declare function evaluatePolicy(config: PolicyConfig, serverName: string, toolName: string | null): Verdict;
+//# sourceMappingURL=config.d.ts.map

package/dist/config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,YAAY,EAAwB,OAAO,EAAE,MAAM,YAAY,CAAC;AAe9E,wBAAgB,cAAc,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAKlD;AAID;;;;;;GAMG;AACH,wBAAgB,UAAU,CAAC,SAAS,CAAC,EAAE,MAAM,GAAG,YAAY,CAyB3D;AAID,wBAAgB,UAAU,CAAC,OAAO,CAAC,EAAE,MAAM,GAAG,MAAM,CAWnD;AAID,wBAAgB,cAAc,CAAC,MAAM,EAAE,YAAY,GAAG,MAAM,EAAE,CAiC7D;AAID;;;;GAIG;AACH,wBAAgB,SAAS,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CASjE;AAID,wBAAgB,cAAc,CAC5B,MAAM,EAAE,YAAY,EACpB,UAAU,EAAE,MAAM,EAClB,QAAQ,EAAE,MAAM,GAAG,IAAI,GACtB,OAAO,CAyBT"}

package/dist/config.js

@@ -0,0 +1,143 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.resolveDataDir = resolveDataDir;
+exports.loadPolicy = loadPolicy;
+exports.initPolicy = initPolicy;
+exports.validatePolicy = validatePolicy;
+exports.globMatch = globMatch;
+exports.evaluatePolicy = evaluatePolicy;
+const node_fs_1 = require("node:fs");
+const node_path_1 = require("node:path");
+const node_os_1 = require("node:os");
+const DEFAULT_DATA_DIR = (0, node_path_1.join)((0, node_os_1.homedir)(), ".quint");
+const DEFAULT_POLICY = {
+    version: 1,
+    data_dir: "~/.quint",
+    log_level: "info",
+    servers: [
+        { server: "*", default_action: "allow", tools: [] },
+    ],
+};
+// ── Resolve ~ in paths ──────────────────────────────────────────
+function resolveDataDir(raw) {
+    if (raw.startsWith("~/")) {
+        return (0, node_path_1.join)((0, node_os_1.homedir)(), raw.slice(2));
+    }
+    return raw;
+}
+// ── Load policy ─────────────────────────────────────────────────
+/**
+ * Load policy from either:
+ *   - a direct file path ending in .json
+ *   - a data directory containing policy.json
+ *   - QUINT_DATA_DIR env var
+ *   - default ~/.quint
+ */
+function loadPolicy(pathOrDir) {
+    const envDir = process.env.QUINT_DATA_DIR;
+    let policyPath;
+    let dir;
+    if (pathOrDir && pathOrDir.endsWith(".json")) {
+        // Direct path to a policy file
+        policyPath = pathOrDir;
+        dir = (0, node_path_1.dirname)(policyPath);
+    }
+    else {
+        dir = pathOrDir ?? envDir ?? DEFAULT_DATA_DIR;
+        policyPath = (0, node_path_1.join)(dir, "policy.json");
+    }
+    if (!(0, node_fs_1.existsSync)(policyPath)) {
+        return { ...DEFAULT_POLICY, data_dir: dir };
+    }
+    const raw = (0, node_fs_1.readFileSync)(policyPath, "utf-8");
+    const parsed = JSON.parse(raw);
+    return {
+        ...parsed,
+        data_dir: resolveDataDir(parsed.data_dir ?? dir),
+    };
+}
+// ── Save/init policy ────────────────────────────────────────────
+function initPolicy(dataDir) {
+    const dir = dataDir ?? DEFAULT_DATA_DIR;
+    (0, node_fs_1.mkdirSync)(dir, { recursive: true });
+    const policyPath = (0, node_path_1.join)(dir, "policy.json");
+    if ((0, node_fs_1.existsSync)(policyPath)) {
+        return policyPath;
+    }
+    (0, node_fs_1.writeFileSync)(policyPath, JSON.stringify(DEFAULT_POLICY, null, 2) + "\n");
+    return policyPath;
+}
+// ── Validate policy ─────────────────────────────────────────────
+function validatePolicy(config) {
+    const errors = [];
+    if (config.version !== 1) {
+        errors.push(`Unsupported policy version: ${config.version}`);
+    }
+    if (!Array.isArray(config.servers)) {
+        errors.push("'servers' must be an array");
+        return errors;
+    }
+    for (const srv of config.servers) {
+        if (!srv.server || typeof srv.server !== "string") {
+            errors.push("Each server entry must have a 'server' name string");
+        }
+        if (!["allow", "deny"].includes(srv.default_action)) {
+            errors.push(`Invalid default_action '${srv.default_action}' for server '${srv.server}'`);
+        }
+        if (!Array.isArray(srv.tools)) {
+            errors.push(`'tools' must be an array for server '${srv.server}'`);
+            continue;
+        }
+        for (const rule of srv.tools) {
+            if (!rule.tool || typeof rule.tool !== "string") {
+                errors.push(`Tool rule missing 'tool' name in server '${srv.server}'`);
+            }
+            if (!["allow", "deny"].includes(rule.action)) {
+                errors.push(`Invalid action '${rule.action}' for tool '${rule.tool}' in server '${srv.server}'`);
+            }
+        }
+    }
+    return errors;
+}
+// ── Glob matching ───────────────────────────────────────────────
+/**
+ * Match a string against a pattern with glob wildcards.
+ * Supports: * (any chars), ? (single char).
+ * Examples: "write_*" matches "write_file", "Mechanic*" matches "MechanicRunTool"
+ */
+function globMatch(pattern, value) {
+    if (pattern === value || pattern === "*")
+        return true;
+    // Convert glob to regex: escape special chars, then replace * and ?
+    const escaped = pattern
+        .replace(/[.+^${}()|[\]\\]/g, "\\$&")
+        .replace(/\*/g, ".*")
+        .replace(/\?/g, ".");
+    return new RegExp(`^${escaped}$`).test(value);
+}
+// ── Evaluate policy for a tool call ─────────────────────────────
+function evaluatePolicy(config, serverName, toolName) {
+    // Find matching server policy (first match wins, * is wildcard)
+    let serverPolicy;
+    for (const sp of config.servers) {
+        if (globMatch(sp.server, serverName)) {
+            serverPolicy = sp;
+            break;
+        }
+    }
+    // No server match = fail closed
+    if (!serverPolicy)
+        return "deny";
+    // If no tool name (not a tools/call), passthrough
+    if (!toolName)
+        return "passthrough";
+    // Check tool-specific rules (first match wins, supports glob patterns)
+    for (const rule of serverPolicy.tools) {
+        if (globMatch(rule.tool, toolName)) {
+            return rule.action;
+        }
+    }
+    // Fall back to server default
+    return serverPolicy.default_action;
+}
+//# sourceMappingURL=config.js.map

package/dist/config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":";;AAkBA,wCAKC;AAWD,gCAyBC;AAID,gCAWC;AAID,wCAiCC;AASD,8BASC;AAID,wCA6BC;AAlKD,qCAA6E;AAC7E,yCAA0C;AAC1C,qCAAkC;AAGlC,MAAM,gBAAgB,GAAG,IAAA,gBAAI,EAAC,IAAA,iBAAO,GAAE,EAAE,QAAQ,CAAC,CAAC;AAEnD,MAAM,cAAc,GAAiB;IACnC,OAAO,EAAE,CAAC;IACV,QAAQ,EAAE,UAAU;IACpB,SAAS,EAAE,MAAM;IACjB,OAAO,EAAE;QACP,EAAE,MAAM,EAAE,GAAG,EAAE,cAAc,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE,EAAE;KACpD;CACF,CAAC;AAEF,mEAAmE;AAEnE,SAAgB,cAAc,CAAC,GAAW;IACxC,IAAI,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QACzB,OAAO,IAAA,gBAAI,EAAC,IAAA,iBAAO,GAAE,EAAE,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IACvC,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,mEAAmE;AAEnE;;;;;;GAMG;AACH,SAAgB,UAAU,CAAC,SAAkB;IAC3C,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC;IAE1C,IAAI,UAAkB,CAAC;IACvB,IAAI,GAAW,CAAC;IAEhB,IAAI,SAAS,IAAI,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;QAC7C,+BAA+B;QAC/B,UAAU,GAAG,SAAS,CAAC;QACvB,GAAG,GAAG,IAAA,mBAAO,EAAC,UAAU,CAAC,CAAC;IAC5B,CAAC;SAAM,CAAC;QACN,GAAG,GAAG,SAAS,IAAI,MAAM,IAAI,gBAAgB,CAAC;QAC9C,UAAU,GAAG,IAAA,gBAAI,EAAC,GAAG,EAAE,aAAa,CAAC,CAAC;IACxC,CAAC;IAED,IAAI,CAAC,IAAA,oBAAU,EAAC,UAAU,CAAC,EAAE,CAAC;QAC5B,OAAO,EAAE,GAAG,cAAc,EAAE,QAAQ,EAAE,GAAG,EAAE,CAAC;IAC9C,CAAC;IAED,MAAM,GAAG,GAAG,IAAA,sBAAY,EAAC,UAAU,EAAE,OAAO,CAAC,CAAC;IAC9C,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAiB,CAAC;IAC/C,OAAO;QACL,GAAG,MAAM;QACT,QAAQ,EAAE,cAAc,CAAC,MAAM,CAAC,QAAQ,IAAI,GAAG,CAAC;KACjD,CAAC;AACJ,CAAC;AAED,mEAAmE;AAEnE,SAAgB,UAAU,CAAC,OAAgB;IACzC,MAAM,GAAG,GAAG,OAAO,IAAI,gBAAgB,CAAC;IACxC,IAAA,mBAAS,EAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACpC,MAAM,UAAU,GAAG,IAAA,gBAAI,EAAC,GAAG,EAAE,aAAa,CAAC,CAAC;IAE5C,IAAI,IAAA,oBAAU,EAAC,UAAU,CAAC,EAAE,CAAC;QAC3B,OAAO,UAAU,CAAC;IACpB,CAAC;IAED,IAAA,uBAAa,EAAC,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC,cAAc,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;IAC1E,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,mEAAmE;AAEnE,SAAgB,cAAc,CAAC,MAAoB;IACjD,MAAM,MAAM,GAAa,EAAE,CAAC;IAE5B,IAAI,MAAM,CAAC,OAAO,KAAK,CAAC,EAAE,CAAC;QACzB,MAAM,CAAC,IAAI,CAAC,+BAA+B,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC;IAC/D,CAAC;IACD,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC;QACnC,MAAM,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAC;QAC1C,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;QACjC,IAAI,CAAC,GAAG,CAAC,MAAM,IAAI,OAAO,GAAG,CAAC,MAAM,KAAK,QAAQ,EAAE,CAAC;YAClD,MAAM,CAAC,IAAI,CAAC,oDAAoD,CAAC,CAAC;QACpE,CAAC;QACD,IAAI,CAAC,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,cAAc,CAAC,EAAE,CAAC;YACpD,MAAM,CAAC,IAAI,CAAC,2BAA2B,GAAG,CAAC,cAAc,iBAAiB,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC;QAC3F,CAAC;QACD,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;YAC9B,MAAM,CAAC,IAAI,CAAC,wCAAwC,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC;YACnE,SAAS;QACX,CAAC;QACD,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,KAAK,EAAE,CAAC;YAC7B,IAAI,CAAC,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;gBAChD,MAAM,CAAC,IAAI,CAAC,4CAA4C,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC;YACzE,CAAC;YACD,IAAI,CAAC,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;gBAC7C,MAAM,CAAC,IAAI,CAAC,mBAAmB,IAAI,CAAC,MAAM,eAAe,IAAI,CAAC,IAAI,gBAAgB,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC;YACnG,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,mEAAmE;AAEnE;;;;GAIG;AACH,SAAgB,SAAS,CAAC,OAAe,EAAE,KAAa;IACtD,IAAI,OAAO,KAAK,KAAK,IAAI,OAAO,KAAK,GAAG;QAAE,OAAO,IAAI,CAAC;IAEtD,oEAAoE;IACpE,MAAM,OAAO,GAAG,OAAO;SACpB,OAAO,CAAC,mBAAmB,EAAE,MAAM,CAAC;SACpC,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC;SACpB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IACvB,OAAO,IAAI,MAAM,CAAC,IAAI,OAAO,GAAG,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;AAChD,CAAC;AAED,mEAAmE;AAEnE,SAAgB,cAAc,CAC5B,MAAoB,EACpB,UAAkB,EAClB,QAAuB;IAEvB,gEAAgE;IAChE,IAAI,YAAsC,CAAC;IAC3C,KAAK,MAAM,EAAE,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;QAChC,IAAI,SAAS,CAAC,EAAE,CAAC,MAAM,EAAE,UAAU,CAAC,EAAE,CAAC;YACrC,YAAY,GAAG,EAAE,CAAC;YAClB,MAAM;QACR,CAAC;IACH,CAAC;IAED,gCAAgC;IAChC,IAAI,CAAC,YAAY;QAAE,OAAO,MAAM,CAAC;IAEjC,kDAAkD;IAClD,IAAI,CAAC,QAAQ;QAAE,OAAO,aAAa,CAAC;IAEpC,uEAAuE;IACvE,KAAK,MAAM,IAAI,IAAI,YAAY,CAAC,KAAK,EAAE,CAAC;QACtC,IAAI,SAAS,CAAC,IAAI,CAAC,IAAI,EAAE,QAAQ,CAAC,EAAE,CAAC;YACnC,OAAO,IAAI,CAAC,MAAM,CAAC;QACrB,CAAC;IACH,CAAC;IAED,8BAA8B;IAC9B,OAAO,YAAY,CAAC,cAAc,CAAC;AACrC,CAAC"}

package/dist/crypto.d.ts

@@ -0,0 +1,11 @@
+import type { KeyPair } from "./types.js";
+export declare function generateKeyPair(): KeyPair;
+export declare function saveKeyPair(dataDir: string, kp: KeyPair): void;
+export declare function loadKeyPair(dataDir: string): KeyPair | null;
+export declare function ensureKeyPair(dataDir: string): KeyPair;
+export declare function signData(data: string, privateKeyPem: string): string;
+export declare function verifySignature(data: string, signatureHex: string, publicKeyPem: string): boolean;
+export declare function canonicalize(obj: Record<string, unknown>): string;
+export declare function sha256(data: string): string;
+export declare function publicKeyFingerprint(publicKeyPem: string): string;
+//# sourceMappingURL=crypto.d.ts.map

package/dist/crypto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.d.ts","sourceRoot":"","sources":["../src/crypto.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,YAAY,CAAC;AAM1C,wBAAgB,eAAe,IAAI,OAAO,CAMzC;AAID,wBAAgB,WAAW,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE,EAAE,OAAO,GAAG,IAAI,CAW9D;AAED,wBAAgB,WAAW,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,GAAG,IAAI,CAU3D;AAED,wBAAgB,aAAa,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAMtD;AAID,wBAAgB,QAAQ,CAAC,IAAI,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,GAAG,MAAM,CAIpE;AAED,wBAAgB,eAAe,CAAC,IAAI,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,OAAO,CAIjG;AAYD,wBAAgB,YAAY,CAAC,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAEjE;AAID,wBAAgB,MAAM,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAE3C;AAID,wBAAgB,oBAAoB,CAAC,YAAY,EAAE,MAAM,GAAG,MAAM,CAOjE"}

package/dist/crypto.js

@@ -0,0 +1,89 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.generateKeyPair = generateKeyPair;
+exports.saveKeyPair = saveKeyPair;
+exports.loadKeyPair = loadKeyPair;
+exports.ensureKeyPair = ensureKeyPair;
+exports.signData = signData;
+exports.verifySignature = verifySignature;
+exports.canonicalize = canonicalize;
+exports.sha256 = sha256;
+exports.publicKeyFingerprint = publicKeyFingerprint;
+const node_crypto_1 = require("node:crypto");
+const node_fs_1 = require("node:fs");
+const node_path_1 = require("node:path");
+const ALGORITHM = "Ed25519";
+// ── Key generation ──────────────────────────────────────────────
+function generateKeyPair() {
+    const { publicKey, privateKey } = (0, node_crypto_1.generateKeyPairSync)("ed25519", {
+        publicKeyEncoding: { type: "spki", format: "pem" },
+        privateKeyEncoding: { type: "pkcs8", format: "pem" },
+    });
+    return { publicKey, privateKey };
+}
+// ── Key persistence ─────────────────────────────────────────────
+function saveKeyPair(dataDir, kp) {
+    const keysDir = (0, node_path_1.join)(dataDir, "keys");
+    (0, node_fs_1.mkdirSync)(keysDir, { recursive: true });
+    const privPath = (0, node_path_1.join)(keysDir, "quint.key");
+    const pubPath = (0, node_path_1.join)(keysDir, "quint.pub");
+    (0, node_fs_1.writeFileSync)(privPath, kp.privateKey, { mode: 0o600 });
+    // Ensure permission is set even if file existed
+    (0, node_fs_1.chmodSync)(privPath, 0o600);
+    (0, node_fs_1.writeFileSync)(pubPath, kp.publicKey, { mode: 0o644 });
+}
+function loadKeyPair(dataDir) {
+    const privPath = (0, node_path_1.join)(dataDir, "keys", "quint.key");
+    const pubPath = (0, node_path_1.join)(dataDir, "keys", "quint.pub");
+    if (!(0, node_fs_1.existsSync)(privPath) || !(0, node_fs_1.existsSync)(pubPath))
+        return null;
+    return {
+        privateKey: (0, node_fs_1.readFileSync)(privPath, "utf-8"),
+        publicKey: (0, node_fs_1.readFileSync)(pubPath, "utf-8"),
+    };
+}
+function ensureKeyPair(dataDir) {
+    const existing = loadKeyPair(dataDir);
+    if (existing)
+        return existing;
+    const kp = generateKeyPair();
+    saveKeyPair(dataDir, kp);
+    return kp;
+}
+// ── Signing ─────────────────────────────────────────────────────
+function signData(data, privateKeyPem) {
+    const key = (0, node_crypto_1.createPrivateKey)(privateKeyPem);
+    const signature = (0, node_crypto_1.sign)(null, Buffer.from(data, "utf-8"), key);
+    return signature.toString("hex");
+}
+function verifySignature(data, signatureHex, publicKeyPem) {
+    const key = (0, node_crypto_1.createPublicKey)(publicKeyPem);
+    const sigBuf = Buffer.from(signatureHex, "hex");
+    return (0, node_crypto_1.verify)(null, Buffer.from(data, "utf-8"), key, sigBuf);
+}
+// ── Canonical JSON for signing ──────────────────────────────────
+// NOTE: This is NOT RFC 8785 (JCS) compliant. It uses simple sorted-key
+// JSON.stringify which works correctly for ASCII strings, numbers, booleans,
+// and null values. It may produce non-deterministic output for:
+//   - Unicode strings with special escape sequences
+//   - Numbers requiring special IEEE 754 formatting
+// This is sufficient for the current use case where all values are ASCII
+// strings/numbers. If interoperability with external verifiers is needed,
+// replace with a proper RFC 8785 implementation.
+function canonicalize(obj) {
+    return JSON.stringify(obj, Object.keys(obj).sort());
+}
+// ── Hashing ─────────────────────────────────────────────────────
+function sha256(data) {
+    return (0, node_crypto_1.createHash)("sha256").update(data, "utf-8").digest("hex");
+}
+// ── Public key fingerprint (first 16 hex chars of key hash) ─────
+function publicKeyFingerprint(publicKeyPem) {
+    // Use a simple approach: take first 16 chars of the base64 key body
+    const body = publicKeyPem
+        .replace(/-----BEGIN PUBLIC KEY-----/, "")
+        .replace(/-----END PUBLIC KEY-----/, "")
+        .replace(/\s/g, "");
+    return body.substring(0, 16);
+}
+//# sourceMappingURL=crypto.js.map

package/dist/crypto.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.js","sourceRoot":"","sources":["../src/crypto.ts"],"names":[],"mappings":";;AASA,0CAMC;AAID,kCAWC;AAED,kCAUC;AAED,sCAMC;AAID,4BAIC;AAED,0CAIC;AAYD,oCAEC;AAID,wBAEC;AAID,oDAOC;AA/FD,6CAA+G;AAC/G,qCAAwF;AACxF,yCAA0C;AAG1C,MAAM,SAAS,GAAG,SAAS,CAAC;AAE5B,mEAAmE;AAEnE,SAAgB,eAAe;IAC7B,MAAM,EAAE,SAAS,EAAE,UAAU,EAAE,GAAG,IAAA,iCAAmB,EAAC,SAAS,EAAE;QAC/D,iBAAiB,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE;QAClD,kBAAkB,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE;KACrD,CAAC,CAAC;IACH,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,CAAC;AACnC,CAAC;AAED,mEAAmE;AAEnE,SAAgB,WAAW,CAAC,OAAe,EAAE,EAAW;IACtD,MAAM,OAAO,GAAG,IAAA,gBAAI,EAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IACtC,IAAA,mBAAS,EAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAExC,MAAM,QAAQ,GAAG,IAAA,gBAAI,EAAC,OAAO,EAAE,WAAW,CAAC,CAAC;IAC5C,MAAM,OAAO,GAAG,IAAA,gBAAI,EAAC,OAAO,EAAE,WAAW,CAAC,CAAC;IAE3C,IAAA,uBAAa,EAAC,QAAQ,EAAE,EAAE,CAAC,UAAU,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IACxD,gDAAgD;IAChD,IAAA,mBAAS,EAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;IAC3B,IAAA,uBAAa,EAAC,OAAO,EAAE,EAAE,CAAC,SAAS,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;AACxD,CAAC;AAED,SAAgB,WAAW,CAAC,OAAe;IACzC,MAAM,QAAQ,GAAG,IAAA,gBAAI,EAAC,OAAO,EAAE,MAAM,EAAE,WAAW,CAAC,CAAC;IACpD,MAAM,OAAO,GAAG,IAAA,gBAAI,EAAC,OAAO,EAAE,MAAM,EAAE,WAAW,CAAC,CAAC;IAEnD,IAAI,CAAC,IAAA,oBAAU,EAAC,QAAQ,CAAC,IAAI,CAAC,IAAA,oBAAU,EAAC,OAAO,CAAC;QAAE,OAAO,IAAI,CAAC;IAE/D,OAAO;QACL,UAAU,EAAE,IAAA,sBAAY,EAAC,QAAQ,EAAE,OAAO,CAAC;QAC3C,SAAS,EAAE,IAAA,sBAAY,EAAC,OAAO,EAAE,OAAO,CAAC;KAC1C,CAAC;AACJ,CAAC;AAED,SAAgB,aAAa,CAAC,OAAe;IAC3C,MAAM,QAAQ,GAAG,WAAW,CAAC,OAAO,CAAC,CAAC;IACtC,IAAI,QAAQ;QAAE,OAAO,QAAQ,CAAC;IAC9B,MAAM,EAAE,GAAG,eAAe,EAAE,CAAC;IAC7B,WAAW,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;IACzB,OAAO,EAAE,CAAC;AACZ,CAAC;AAED,mEAAmE;AAEnE,SAAgB,QAAQ,CAAC,IAAY,EAAE,aAAqB;IAC1D,MAAM,GAAG,GAAG,IAAA,8BAAgB,EAAC,aAAa,CAAC,CAAC;IAC5C,MAAM,SAAS,GAAG,IAAA,kBAAI,EAAC,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,OAAO,CAAC,EAAE,GAAG,CAAC,CAAC;IAC9D,OAAO,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;AACnC,CAAC;AAED,SAAgB,eAAe,CAAC,IAAY,EAAE,YAAoB,EAAE,YAAoB;IACtF,MAAM,GAAG,GAAG,IAAA,6BAAe,EAAC,YAAY,CAAC,CAAC;IAC1C,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,YAAY,EAAE,KAAK,CAAC,CAAC;IAChD,OAAO,IAAA,oBAAM,EAAC,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,OAAO,CAAC,EAAE,GAAG,EAAE,MAAM,CAAC,CAAC;AAC/D,CAAC;AAED,mEAAmE;AACnE,wEAAwE;AACxE,6EAA6E;AAC7E,gEAAgE;AAChE,oDAAoD;AACpD,oDAAoD;AACpD,yEAAyE;AACzE,0EAA0E;AAC1E,iDAAiD;AAEjD,SAAgB,YAAY,CAAC,GAA4B;IACvD,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;AACtD,CAAC;AAED,mEAAmE;AAEnE,SAAgB,MAAM,CAAC,IAAY;IACjC,OAAO,IAAA,wBAAU,EAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAClE,CAAC;AAED,mEAAmE;AAEnE,SAAgB,oBAAoB,CAAC,YAAoB;IACvD,oEAAoE;IACpE,MAAM,IAAI,GAAG,YAAY;SACtB,OAAO,CAAC,4BAA4B,EAAE,EAAE,CAAC;SACzC,OAAO,CAAC,0BAA0B,EAAE,EAAE,CAAC;SACvC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IACtB,OAAO,IAAI,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AAC/B,CAAC"}

package/dist/db.d.ts

@@ -0,0 +1,31 @@
+import type { AuditEntry } from "./types.js";
+export declare class AuditDb {
+    private db;
+    constructor(dbPath: string);
+    private migrate;
+    /** Get the signature of the last entry (for hash chaining) */
+    getLastSignature(): string | null;
+    /**
+     * Atomically read the last signature and insert a new entry.
+     * This prevents chain breaks when multiple proxy instances share a DB.
+     */
+    insertAtomic(buildEntry: (prevSignature: string | null) => Omit<AuditEntry, "id">): number;
+    insert(entry: Omit<AuditEntry, "id">): number;
+    getById(id: number): AuditEntry | undefined;
+    /** Get entries in ID order (ascending) for chain verification */
+    getRange(startId: number, endId: number): AuditEntry[];
+    /** Get all entries in ID order (ascending) for chain verification */
+    getAll(): AuditEntry[];
+    query(opts?: {
+        server?: string;
+        tool?: string;
+        verdict?: string;
+        since?: string;
+        limit?: number;
+    }): AuditEntry[];
+    getLast(n: number): AuditEntry[];
+    count(): number;
+    close(): void;
+}
+export declare function openAuditDb(dataDir: string): AuditDb;
+//# sourceMappingURL=db.d.ts.map

package/dist/db.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"db.d.ts","sourceRoot":"","sources":["../src/db.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAsC7C,qBAAa,OAAO;IAClB,OAAO,CAAC,EAAE,CAAoB;gBAElB,MAAM,EAAE,MAAM;IAQ1B,OAAO,CAAC,OAAO;IAUf,8DAA8D;IAC9D,gBAAgB,IAAI,MAAM,GAAG,IAAI;IAOjC;;;OAGG;IACH,YAAY,CAAC,UAAU,EAAE,CAAC,aAAa,EAAE,MAAM,GAAG,IAAI,KAAK,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,GAAG,MAAM;IAyB1F,MAAM,CAAC,KAAK,EAAE,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,GAAG,MAAM;IAe7C,OAAO,CAAC,EAAE,EAAE,MAAM,GAAG,UAAU,GAAG,SAAS;IAI3C,iEAAiE;IACjE,QAAQ,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,UAAU,EAAE;IAMtD,qEAAqE;IACrE,MAAM,IAAI,UAAU,EAAE;IAItB,KAAK,CAAC,IAAI,GAAE;QACV,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,OAAO,CAAC,EAAE,MAAM,CAAC;QACjB,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,KAAK,CAAC,EAAE,MAAM,CAAC;KACX,GAAG,UAAU,EAAE;IA6BrB,OAAO,CAAC,CAAC,EAAE,MAAM,GAAG,UAAU,EAAE;IAMhC,KAAK,IAAI,MAAM;IAKf,KAAK,IAAI,IAAI;CAGd;AAED,wBAAgB,WAAW,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAEpD"}