@remnic/core 1.1.1 → 1.1.3

package/dist/chunk-CK5NTM2S.js

@@ -0,0 +1,454 @@
+import {
+  decryptMemoryDirToPlaintext,
+  migrateMemoryDirToEncrypted
+} from "./chunk-YNJHCGDT.js";
+import {
+  buildHeaderFromPassphrase,
+  deriveKeyFromHeader,
+  getKey,
+  headerPath,
+  lock,
+  readHeader,
+  secureStoreDir,
+  status,
+  unlock,
+  verifyKey,
+  writeHeader
+} from "./chunk-BJMBJZ2Y.js";
+import {
+  DEFAULT_ARGON2ID_PARAMS,
+  DEFAULT_SCRYPT_PARAMS,
+  KDF_SALT_LENGTH
+} from "./chunk-FP2373TW.js";
+import {
+  generateSalt
+} from "./chunk-A6XUJE5D.js";
+
+// src/secure-store/cli-handlers.ts
+async function runSecureStoreInit(options) {
+  const { memoryDir, readPassphrase } = options;
+  if (typeof memoryDir !== "string" || memoryDir.length === 0) {
+    throw new Error("secure-store init: memoryDir is required");
+  }
+  const existing = await readHeader(memoryDir);
+  if (existing !== null) {
+    throw new Error(
+      `secure-store header already exists at ${headerPath(memoryDir)}. Run 'remnic secure-store status' to inspect, or remove the .secure-store directory explicitly to reinitialize.`
+    );
+  }
+  const passphrase = await readPassphrase("Enter new passphrase: ", { confirm: true });
+  validatePassphrase(passphrase);
+  const algorithm = options.algorithm ?? "argon2id";
+  const params = resolveParams(algorithm, options.params);
+  const salt = options.salt ?? generateSalt();
+  if (salt.length !== KDF_SALT_LENGTH) {
+    throw new Error(`salt must be ${KDF_SALT_LENGTH} bytes, got ${salt.length}`);
+  }
+  const built = buildHeaderFromPassphrase({
+    passphrase,
+    salt,
+    algorithm,
+    params,
+    ...options.note !== void 0 ? { note: options.note } : {},
+    ...options.now ? { createdAt: options.now().toISOString() } : {}
+  });
+  built.derivedKey.fill(0);
+  const writtenPath = await writeHeader(memoryDir, built.header);
+  return {
+    ok: true,
+    headerPath: writtenPath,
+    kdf: built.header.metadata.kdf,
+    createdAt: built.header.createdAt
+  };
+}
+async function runSecureStoreUnlock(options) {
+  const { memoryDir, readPassphrase } = options;
+  const header = await readHeader(memoryDir);
+  if (!header) {
+    return { ok: false, reason: "not-initialized" };
+  }
+  const passphrase = await readPassphrase("Enter passphrase: ");
+  validatePassphrase(passphrase);
+  const candidateKey = deriveKeyFromHeader(header, passphrase);
+  if (!verifyKey(header, candidateKey)) {
+    candidateKey.fill(0);
+    return { ok: false, reason: "wrong-passphrase" };
+  }
+  const id = options.keyringId ?? secureStoreDir(memoryDir);
+  const now = options.now ?? (() => /* @__PURE__ */ new Date());
+  unlock(id, candidateKey, now);
+  const status2 = status(id);
+  return {
+    ok: true,
+    unlockedAt: status2.unlockedAt ?? now().toISOString(),
+    algorithm: header.metadata.kdf.algorithm
+  };
+}
+function runSecureStoreLock(options) {
+  const id = options.keyringId ?? secureStoreDir(options.memoryDir);
+  const cleared = lock(id);
+  return { ok: true, cleared };
+}
+async function runSecureStoreMigrate(options) {
+  const { memoryDir } = options;
+  const header = await readHeader(memoryDir);
+  if (!header) {
+    return {
+      ok: false,
+      reason: "not-initialized",
+      encrypted: 0,
+      skipped: 0,
+      errors: []
+    };
+  }
+  const id = options.keyringId ?? secureStoreDir(memoryDir);
+  const key = getKey(id);
+  if (key === null) {
+    return {
+      ok: false,
+      reason: "locked",
+      encrypted: 0,
+      skipped: 0,
+      errors: []
+    };
+  }
+  const result = await migrateMemoryDirToEncrypted(memoryDir, key);
+  if (result.errors.length > 0) {
+    return { ok: false, reason: "file-errors", ...result };
+  }
+  return { ok: true, ...result };
+}
+async function runSecureStoreDisable(options) {
+  const { memoryDir } = options;
+  const header = await readHeader(memoryDir);
+  if (!header) {
+    return {
+      ok: false,
+      reason: "not-initialized",
+      decrypted: 0,
+      skipped: 0,
+      errors: []
+    };
+  }
+  const id = options.keyringId ?? secureStoreDir(memoryDir);
+  const key = getKey(id);
+  if (key === null) {
+    return {
+      ok: false,
+      reason: "locked",
+      decrypted: 0,
+      skipped: 0,
+      errors: []
+    };
+  }
+  const result = await decryptMemoryDirToPlaintext(memoryDir, key);
+  if (result.errors.length > 0) {
+    return { ok: false, reason: "file-errors", ...result };
+  }
+  return { ok: true, ...result };
+}
+async function runSecureStoreStatus(options) {
+  const { memoryDir } = options;
+  const id = options.keyringId ?? secureStoreDir(memoryDir);
+  const header = await readHeader(memoryDir);
+  const ks = status(id);
+  const target = headerPath(memoryDir);
+  if (!header) {
+    return {
+      initialized: false,
+      headerPath: target,
+      locked: !ks.unlocked,
+      unlockedAt: ks.unlockedAt,
+      kdf: null,
+      createdAt: null
+    };
+  }
+  return {
+    initialized: true,
+    headerPath: target,
+    locked: !ks.unlocked,
+    unlockedAt: ks.unlockedAt,
+    kdf: header.metadata.kdf,
+    createdAt: header.createdAt
+  };
+}
+var MIN_PASSPHRASE_LENGTH = 8;
+function validatePassphrase(passphrase) {
+  if (typeof passphrase !== "string") {
+    throw new Error("passphrase must be a string");
+  }
+  if (passphrase.length === 0) {
+    throw new Error("passphrase must not be empty");
+  }
+  if (passphrase.length < MIN_PASSPHRASE_LENGTH) {
+    throw new Error(`passphrase must be at least ${MIN_PASSPHRASE_LENGTH} characters`);
+  }
+}
+function resolveParams(algorithm, override) {
+  if (override !== void 0) return override;
+  if (algorithm === "scrypt") return { ...DEFAULT_SCRYPT_PARAMS };
+  return { ...DEFAULT_ARGON2ID_PARAMS };
+}
+
+// src/secure-store/cli-renderer.ts
+function renderInitReport(report) {
+  const lines = [];
+  lines.push("=== Remnic secure-store initialized ===");
+  lines.push("");
+  lines.push(`header: ${report.headerPath}`);
+  lines.push(`createdAt: ${report.createdAt}`);
+  lines.push(...renderKdfLines(report.kdf));
+  lines.push("");
+  lines.push("Note: init does NOT auto-unlock the store. Run");
+  lines.push("  remnic engram secure-store unlock");
+  lines.push("to register the master key with the running daemon.");
+  return lines.join("\n");
+}
+function renderUnlockReport(report) {
+  if (report.ok) {
+    return `OK \u2014 secure-store unlocked at ${report.unlockedAt} (algorithm=${report.algorithm}).`;
+  }
+  if (report.reason === "not-initialized") {
+    return "ERR \u2014 secure-store is not initialized. Run 'remnic engram secure-store init' first.";
+  }
+  return "ERR \u2014 wrong passphrase.";
+}
+function renderLockReport(report) {
+  if (report.cleared) {
+    return "OK \u2014 secure-store key cleared from in-memory keyring.";
+  }
+  return "OK \u2014 secure-store was already locked (no in-memory key to clear).";
+}
+function renderMigrateReport(report) {
+  if (!report.ok && report.reason === "not-initialized") {
+    return "ERR \u2014 secure-store is not initialized. Run 'remnic engram secure-store init' first.";
+  }
+  if (!report.ok && report.reason === "locked") {
+    return "ERR \u2014 secure-store is locked. Run 'remnic engram secure-store unlock' before migrate.";
+  }
+  const lines = [];
+  lines.push(report.ok ? "OK \u2014 secure-store migration complete." : "ERR \u2014 secure-store migration completed with file errors.");
+  lines.push(`encrypted: ${report.encrypted}`);
+  lines.push(`skipped: ${report.skipped}`);
+  lines.push(`errors: ${report.errors.length}`);
+  for (const entry of report.errors.slice(0, 10)) {
+    lines.push(`- ${entry.filePath}: ${entry.error}`);
+  }
+  if (report.errors.length > 10) {
+    lines.push(`- ... ${report.errors.length - 10} more error(s)`);
+  }
+  return lines.join("\n");
+}
+function renderDisableReport(report) {
+  if (!report.ok && report.reason === "not-initialized") {
+    return "ERR \u2014 secure-store is not initialized. Run 'remnic engram secure-store init' first.";
+  }
+  if (!report.ok && report.reason === "locked") {
+    return "ERR \u2014 secure-store is locked. Run 'remnic engram secure-store unlock' before disable.";
+  }
+  const lines = [];
+  lines.push(report.ok ? "OK \u2014 secure-store disable complete." : "ERR \u2014 secure-store disable completed with file errors.");
+  lines.push(`decrypted: ${report.decrypted}`);
+  lines.push(`skipped: ${report.skipped}`);
+  lines.push(`errors: ${report.errors.length}`);
+  for (const entry of report.errors.slice(0, 10)) {
+    lines.push(`- ${entry.filePath}: ${entry.error}`);
+  }
+  if (report.errors.length > 10) {
+    lines.push(`- ... ${report.errors.length - 10} more error(s)`);
+  }
+  lines.push("header: kept");
+  return lines.join("\n");
+}
+function renderStatusReport(report) {
+  const lines = [];
+  lines.push("=== Remnic secure-store status ===");
+  lines.push("");
+  lines.push(`header: ${report.headerPath}`);
+  lines.push(`initialized: ${report.initialized ? "yes" : "no"}`);
+  if (!report.initialized) {
+    lines.push("");
+    lines.push("Run 'remnic engram secure-store init' to initialize a new store.");
+    return lines.join("\n");
+  }
+  lines.push(`createdAt: ${report.createdAt ?? "n/a"}`);
+  lines.push(`locked: ${report.locked ? "yes" : "no"}`);
+  if (!report.locked) {
+    lines.push(`lastUnlockAt: ${report.unlockedAt ?? "n/a"}`);
+  }
+  if (report.kdf) {
+    lines.push(...renderKdfLines(report.kdf));
+  }
+  return lines.join("\n");
+}
+function renderKdfLines(kdf) {
+  const lines = [];
+  lines.push(`kdf.algorithm: ${kdf.algorithm}`);
+  if (kdf.algorithm === "scrypt") {
+    const { N, r, p, keyLength, maxmem } = kdf.params;
+    lines.push(`kdf.params: N=${N} r=${r} p=${p} keyLength=${keyLength} maxmem=${maxmem}`);
+  } else {
+    const { memoryKiB, iterations, parallelism, keyLength } = kdf.params;
+    lines.push(
+      `kdf.params: memoryKiB=${memoryKiB} iterations=${iterations} parallelism=${parallelism} keyLength=${keyLength}`
+    );
+  }
+  return lines;
+}
+
+// src/secure-store/passphrase-reader.ts
+import { createInterface } from "readline";
+import { StringDecoder } from "string_decoder";
+function createPassphraseReader(options = {}) {
+  const input = options.input ?? process.stdin;
+  const output = options.output ?? process.stdout;
+  const errorStream = options.errorStream ?? process.stderr;
+  let nonTtyReader = null;
+  let nonTtyWarned = false;
+  return async function readPassphrase(prompt, readerOptions) {
+    const first = await readSinglePassphrase(prompt);
+    if (readerOptions?.confirm) {
+      const second = await readSinglePassphrase("Confirm passphrase: ");
+      if (first !== second) {
+        throw new Error("passphrases did not match");
+      }
+    }
+    return first;
+  };
+  async function readSinglePassphrase(prompt) {
+    const inputAsAny = input;
+    if (inputAsAny.isTTY && typeof inputAsAny.setRawMode === "function") {
+      return readNoEcho(prompt, inputAsAny, output);
+    }
+    if (!nonTtyWarned) {
+      errorStream.write(
+        "[remnic secure-store] warning: stdin is not a TTY; reading passphrase as a plain line. Take care that the passphrase is not exposed in shell history.\n"
+      );
+      nonTtyWarned = true;
+    }
+    errorStream.write(prompt);
+    if (!nonTtyReader) nonTtyReader = createNonTtyLineReader(input);
+    return nonTtyReader.next();
+  }
+}
+function readNoEcho(prompt, input, output) {
+  return new Promise((resolve, reject) => {
+    output.write(prompt);
+    let buffer = "";
+    let settled = false;
+    const wasRaw = input.isRaw === true;
+    const decoder = new StringDecoder("utf8");
+    if (input.setRawMode) input.setRawMode(true);
+    input.resume();
+    const cleanup = () => {
+      input.pause();
+      input.removeListener("data", onData);
+      decoder.end();
+      if (input.setRawMode) input.setRawMode(wasRaw);
+      output.write("\n");
+    };
+    const onData = (chunk) => {
+      const str = decoder.write(chunk);
+      for (const ch of str) {
+        if (settled) return;
+        const code = ch.charCodeAt(0);
+        if (ch === "\n" || ch === "\r") {
+          settled = true;
+          cleanup();
+          resolve(buffer);
+          return;
+        }
+        if (code === 3) {
+          settled = true;
+          cleanup();
+          reject(new Error("passphrase entry aborted (Ctrl+C)"));
+          return;
+        }
+        if (code === 4) {
+          settled = true;
+          cleanup();
+          if (buffer.length === 0) {
+            reject(new Error("passphrase entry aborted (EOF)"));
+          } else {
+            resolve(buffer);
+          }
+          return;
+        }
+        if (code === 8 || code === 127) {
+          if (buffer.length > 0) {
+            const codePoints = Array.from(buffer);
+            buffer = codePoints.slice(0, -1).join("");
+          }
+          continue;
+        }
+        if (code < 32) {
+          continue;
+        }
+        buffer += ch;
+      }
+    };
+    input.on("data", onData);
+  });
+}
+function createNonTtyLineReader(input) {
+  const rl = createInterface({ input, terminal: false });
+  const lineQueue = [];
+  const waiterQueue = [];
+  const errorQueue = [];
+  let closed = false;
+  let error = null;
+  rl.on("line", (line) => {
+    const waiter = waiterQueue.shift();
+    if (waiter) {
+      waiter(line);
+    } else {
+      lineQueue.push(line);
+    }
+  });
+  rl.on("close", () => {
+    closed = true;
+    while (waiterQueue.length > 0) {
+      const w = waiterQueue.shift();
+      errorQueue.shift();
+      w("");
+    }
+  });
+  rl.on("error", (err) => {
+    error = err;
+    while (errorQueue.length > 0) {
+      const r = errorQueue.shift();
+      waiterQueue.shift();
+      r(err);
+    }
+  });
+  return {
+    next() {
+      if (error) return Promise.reject(error);
+      const queued = lineQueue.shift();
+      if (queued !== void 0) return Promise.resolve(queued);
+      if (closed) return Promise.resolve("");
+      return new Promise((resolve, reject) => {
+        waiterQueue.push(resolve);
+        errorQueue.push(reject);
+      });
+    }
+  };
+}
+
+export {
+  runSecureStoreInit,
+  runSecureStoreUnlock,
+  runSecureStoreLock,
+  runSecureStoreMigrate,
+  runSecureStoreDisable,
+  runSecureStoreStatus,
+  MIN_PASSPHRASE_LENGTH,
+  renderInitReport,
+  renderUnlockReport,
+  renderLockReport,
+  renderMigrateReport,
+  renderDisableReport,
+  renderStatusReport,
+  createPassphraseReader
+};
+//# sourceMappingURL=chunk-CK5NTM2S.js.map

package/dist/chunk-CK5NTM2S.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/secure-store/cli-handlers.ts","../src/secure-store/cli-renderer.ts","../src/secure-store/passphrase-reader.ts"],"sourcesContent":["/**\n * Pure handlers behind the `remnic secure-store {init,unlock,lock,\n * status,migrate,disable}` CLI surface (issue #690 PR 2/4 + #779/#780).\n *\n * Each handler:\n *   - takes an explicit `memoryDir` (already `~`-expanded by the CLI),\n *   - takes an injectable passphrase reader (so tests don't need a\n *     real TTY and never touch real readline state),\n *   - returns a structured report (no `console.log` inside),\n *   - never logs the passphrase or any secret material.\n *\n * The actual `console.log` formatting lives in `cli-renderer.ts` so\n * tests can assert on the report shape without parsing text.\n */\n\nimport { generateSalt as generateEnvelopeSalt } from \"./cipher.js\";\nimport {\n  buildHeaderFromPassphrase,\n  deriveKeyFromHeader,\n  headerPath,\n  readHeader,\n  secureStoreDir,\n  verifyKey,\n  writeHeader,\n  type SecureStoreHeader,\n} from \"./header.js\";\nimport * as keyring from \"./keyring.js\";\nimport {\n  DEFAULT_ARGON2ID_PARAMS,\n  DEFAULT_SCRYPT_PARAMS,\n  KDF_SALT_LENGTH,\n  type Argon2idParams,\n  type KdfAlgorithm,\n  type ScryptParams,\n} from \"./kdf.js\";\nimport {\n  decryptMemoryDirToPlaintext,\n  migrateMemoryDirToEncrypted,\n  type DecryptResult,\n  type MigrateResult,\n} from \"./secure-fs.js\";\n\n/** Passphrase source — async so callers can read from a TTY without echo. */\nexport type PassphraseReader = (\n  prompt: string,\n  options?: { confirm?: boolean },\n) => Promise<string>;\n\n/** Common options accepted by every handler. */\nexport interface SecureStoreHandlerCommon {\n  memoryDir: string;\n  /**\n   * Stable identifier for the in-memory keyring entry. Defaults to\n   * the secure-store directory under `memoryDir`. Tests override\n   * this to keep entries from leaking across cases.\n   */\n  keyringId?: string;\n  /** Optional clock injection for deterministic tests. */\n  now?: () => Date;\n}\n\n// ─── init ─────────────────────────────────────────────────────────────\n\nexport interface SecureStoreInitOptions extends SecureStoreHandlerCommon {\n  /** Passphrase reader — called twice (entry + confirmation). */\n  readPassphrase: PassphraseReader;\n  /**\n   * KDF algorithm. Defaults to `\"argon2id\"` for new stores.\n   * `\"scrypt\"` remains supported for explicit compatibility cases.\n   */\n  algorithm?: KdfAlgorithm;\n  /** KDF parameter override; defaults to OWASP-acceptable params for the selected KDF. */\n  params?: ScryptParams | Argon2idParams;\n  /** Pre-generated salt for tests; production callers should omit. */\n  salt?: Buffer;\n  /** Optional human-readable note recorded in metadata. Never persist secrets. */\n  note?: string;\n}\n\nexport interface SecureStoreInitReport {\n  ok: true;\n  /** Absolute path of the header file that was written. */\n  headerPath: string;\n  /** Algorithm + params used for the master key derivation. */\n  kdf: SecureStoreHeader[\"metadata\"][\"kdf\"];\n  /** ISO-8601 timestamp recorded in the header. */\n  createdAt: string;\n}\n\n/**\n * Initialize a new secure-store header. Refuses to overwrite an\n * existing header (use `header.ts:writeHeader` directly with explicit\n * intent if you need to reinitialize a destroyed store).\n */\nexport async function runSecureStoreInit(\n  options: SecureStoreInitOptions,\n): Promise<SecureStoreInitReport> {\n  const { memoryDir, readPassphrase } = options;\n  if (typeof memoryDir !== \"string\" || memoryDir.length === 0) {\n    throw new Error(\"secure-store init: memoryDir is required\");\n  }\n  // Fail fast if a header already exists, before we waste KDF time.\n  const existing = await readHeader(memoryDir);\n  if (existing !== null) {\n    throw new Error(\n      `secure-store header already exists at ${headerPath(memoryDir)}. Run 'remnic secure-store status' to inspect, or remove the .secure-store directory explicitly to reinitialize.`,\n    );\n  }\n  const passphrase = await readPassphrase(\"Enter new passphrase: \", { confirm: true });\n  validatePassphrase(passphrase);\n\n  const algorithm: KdfAlgorithm = options.algorithm ?? \"argon2id\";\n  const params = resolveParams(algorithm, options.params);\n  const salt = options.salt ?? generateEnvelopeSalt();\n  if (salt.length !== KDF_SALT_LENGTH) {\n    throw new Error(`salt must be ${KDF_SALT_LENGTH} bytes, got ${salt.length}`);\n  }\n\n  const built = buildHeaderFromPassphrase({\n    passphrase,\n    salt,\n    algorithm,\n    params,\n    ...(options.note !== undefined ? { note: options.note } : {}),\n    ...(options.now ? { createdAt: options.now().toISOString() } : {}),\n  });\n  // Zero the derived key — init does NOT auto-unlock; the operator\n  // must run `unlock` separately. This mirrors GnuPG-style hygiene\n  // and keeps `init` safe to run from automation that should never\n  // hold the master key in memory.\n  built.derivedKey.fill(0);\n\n  const writtenPath = await writeHeader(memoryDir, built.header);\n  return {\n    ok: true,\n    headerPath: writtenPath,\n    kdf: built.header.metadata.kdf,\n    createdAt: built.header.createdAt,\n  };\n}\n\n// ─── unlock ───────────────────────────────────────────────────────────\n\nexport interface SecureStoreUnlockOptions extends SecureStoreHandlerCommon {\n  readPassphrase: PassphraseReader;\n}\n\nexport type SecureStoreUnlockReport =\n  | { ok: true; unlockedAt: string; algorithm: KdfAlgorithm }\n  | { ok: false; reason: \"not-initialized\" | \"wrong-passphrase\" };\n\nexport async function runSecureStoreUnlock(\n  options: SecureStoreUnlockOptions,\n): Promise<SecureStoreUnlockReport> {\n  const { memoryDir, readPassphrase } = options;\n  const header = await readHeader(memoryDir);\n  if (!header) {\n    return { ok: false, reason: \"not-initialized\" };\n  }\n  const passphrase = await readPassphrase(\"Enter passphrase: \");\n  validatePassphrase(passphrase);\n  const candidateKey = deriveKeyFromHeader(header, passphrase);\n  if (!verifyKey(header, candidateKey)) {\n    candidateKey.fill(0);\n    return { ok: false, reason: \"wrong-passphrase\" };\n  }\n  const id = options.keyringId ?? secureStoreDir(memoryDir);\n  const now = options.now ?? (() => new Date());\n  keyring.unlock(id, candidateKey, now);\n  const status = keyring.status(id);\n  return {\n    ok: true,\n    unlockedAt: status.unlockedAt ?? now().toISOString(),\n    algorithm: header.metadata.kdf.algorithm,\n  };\n}\n\n// ─── lock ─────────────────────────────────────────────────────────────\n\nexport interface SecureStoreLockOptions extends SecureStoreHandlerCommon {}\n\nexport interface SecureStoreLockReport {\n  ok: true;\n  /** True if a key was registered and is now cleared; false if it was already locked. */\n  cleared: boolean;\n}\n\nexport function runSecureStoreLock(options: SecureStoreLockOptions): SecureStoreLockReport {\n  const id = options.keyringId ?? secureStoreDir(options.memoryDir);\n  const cleared = keyring.lock(id);\n  return { ok: true, cleared };\n}\n\n// ─── migrate ─────────────────────────────────────────────────────────\n\nexport interface SecureStoreMigrateOptions extends SecureStoreHandlerCommon {}\n\nexport type SecureStoreMigrateReport =\n  | ({ ok: true } & MigrateResult)\n  | ({\n      ok: false;\n      reason: \"not-initialized\" | \"locked\" | \"file-errors\";\n    } & MigrateResult);\n\nexport async function runSecureStoreMigrate(\n  options: SecureStoreMigrateOptions,\n): Promise<SecureStoreMigrateReport> {\n  const { memoryDir } = options;\n  const header = await readHeader(memoryDir);\n  if (!header) {\n    return {\n      ok: false,\n      reason: \"not-initialized\",\n      encrypted: 0,\n      skipped: 0,\n      errors: [],\n    };\n  }\n\n  const id = options.keyringId ?? secureStoreDir(memoryDir);\n  const key = keyring.getKey(id);\n  if (key === null) {\n    return {\n      ok: false,\n      reason: \"locked\",\n      encrypted: 0,\n      skipped: 0,\n      errors: [],\n    };\n  }\n\n  const result = await migrateMemoryDirToEncrypted(memoryDir, key);\n  if (result.errors.length > 0) {\n    return { ok: false, reason: \"file-errors\", ...result };\n  }\n  return { ok: true, ...result };\n}\n\n// ─── disable/decrypt ─────────────────────────────────────────────────\n\nexport interface SecureStoreDisableOptions extends SecureStoreHandlerCommon {}\n\nexport type SecureStoreDisableReport =\n  | ({ ok: true } & DecryptResult)\n  | ({\n      ok: false;\n      reason: \"not-initialized\" | \"locked\" | \"file-errors\";\n    } & DecryptResult);\n\nexport async function runSecureStoreDisable(\n  options: SecureStoreDisableOptions,\n): Promise<SecureStoreDisableReport> {\n  const { memoryDir } = options;\n  const header = await readHeader(memoryDir);\n  if (!header) {\n    return {\n      ok: false,\n      reason: \"not-initialized\",\n      decrypted: 0,\n      skipped: 0,\n      errors: [],\n    };\n  }\n\n  const id = options.keyringId ?? secureStoreDir(memoryDir);\n  const key = keyring.getKey(id);\n  if (key === null) {\n    return {\n      ok: false,\n      reason: \"locked\",\n      decrypted: 0,\n      skipped: 0,\n      errors: [],\n    };\n  }\n\n  const result = await decryptMemoryDirToPlaintext(memoryDir, key);\n  if (result.errors.length > 0) {\n    return { ok: false, reason: \"file-errors\", ...result };\n  }\n  return { ok: true, ...result };\n}\n\n// ─── status ───────────────────────────────────────────────────────────\n\nexport interface SecureStoreStatusOptions extends SecureStoreHandlerCommon {}\n\nexport interface SecureStoreStatusReport {\n  /** True iff a header file exists in `<memoryDir>/.secure-store/`. */\n  initialized: boolean;\n  /** Path the status check probed. Useful for operators. */\n  headerPath: string;\n  /** Locked/unlocked state of the in-memory keyring entry. */\n  locked: boolean;\n  /** ISO-8601 timestamp of the most recent unlock, or null when locked. */\n  unlockedAt: string | null;\n  /** Header metadata (algorithm + params + salt hex), or null when uninitialized. */\n  kdf: SecureStoreHeader[\"metadata\"][\"kdf\"] | null;\n  /** Header `createdAt`, or null when uninitialized. */\n  createdAt: string | null;\n}\n\nexport async function runSecureStoreStatus(\n  options: SecureStoreStatusOptions,\n): Promise<SecureStoreStatusReport> {\n  const { memoryDir } = options;\n  const id = options.keyringId ?? secureStoreDir(memoryDir);\n  const header = await readHeader(memoryDir);\n  const ks = keyring.status(id);\n  const target = headerPath(memoryDir);\n  if (!header) {\n    return {\n      initialized: false,\n      headerPath: target,\n      locked: !ks.unlocked,\n      unlockedAt: ks.unlockedAt,\n      kdf: null,\n      createdAt: null,\n    };\n  }\n  return {\n    initialized: true,\n    headerPath: target,\n    locked: !ks.unlocked,\n    unlockedAt: ks.unlockedAt,\n    kdf: header.metadata.kdf,\n    createdAt: header.createdAt,\n  };\n}\n\n// ─── helpers ──────────────────────────────────────────────────────────\n\n/** Minimum passphrase length. 8 chars is intentionally permissive — operators may use phrase managers. */\nexport const MIN_PASSPHRASE_LENGTH = 8;\n\nfunction validatePassphrase(passphrase: string): void {\n  if (typeof passphrase !== \"string\") {\n    throw new Error(\"passphrase must be a string\");\n  }\n  if (passphrase.length === 0) {\n    throw new Error(\"passphrase must not be empty\");\n  }\n  if (passphrase.length < MIN_PASSPHRASE_LENGTH) {\n    throw new Error(`passphrase must be at least ${MIN_PASSPHRASE_LENGTH} characters`);\n  }\n}\n\nfunction resolveParams(\n  algorithm: KdfAlgorithm,\n  override: ScryptParams | Argon2idParams | undefined,\n): ScryptParams | Argon2idParams {\n  if (override !== undefined) return override;\n  if (algorithm === \"scrypt\") return { ...DEFAULT_SCRYPT_PARAMS };\n  return { ...DEFAULT_ARGON2ID_PARAMS };\n}\n","/**\n * Console-text renderers for the `remnic engram secure-store {init,unlock,\n * lock,status,migrate,disable}` CLI surface (issue #690 PR 2/4 + #779/#780).\n *\n * Pure: each `render*` function takes a typed report and returns a\n * string. CLI handlers do the `console.log`. Tests assert on the\n * returned text directly so behavior stays decoupled from stdout.\n */\n\nimport type {\n  SecureStoreInitReport,\n  SecureStoreLockReport,\n  SecureStoreDisableReport,\n  SecureStoreMigrateReport,\n  SecureStoreStatusReport,\n  SecureStoreUnlockReport,\n} from \"./cli-handlers.js\";\nimport type { SecureStoreHeader } from \"./header.js\";\n\nexport function renderInitReport(report: SecureStoreInitReport): string {\n  const lines: string[] = [];\n  lines.push(\"=== Remnic secure-store initialized ===\");\n  lines.push(\"\");\n  lines.push(`header: ${report.headerPath}`);\n  lines.push(`createdAt: ${report.createdAt}`);\n  lines.push(...renderKdfLines(report.kdf));\n  lines.push(\"\");\n  lines.push(\"Note: init does NOT auto-unlock the store. Run\");\n  lines.push(\"  remnic engram secure-store unlock\");\n  lines.push(\"to register the master key with the running daemon.\");\n  return lines.join(\"\\n\");\n}\n\nexport function renderUnlockReport(report: SecureStoreUnlockReport): string {\n  if (report.ok) {\n    return `OK — secure-store unlocked at ${report.unlockedAt} (algorithm=${report.algorithm}).`;\n  }\n  if (report.reason === \"not-initialized\") {\n    return \"ERR — secure-store is not initialized. Run 'remnic engram secure-store init' first.\";\n  }\n  return \"ERR — wrong passphrase.\";\n}\n\nexport function renderLockReport(report: SecureStoreLockReport): string {\n  if (report.cleared) {\n    return \"OK — secure-store key cleared from in-memory keyring.\";\n  }\n  return \"OK — secure-store was already locked (no in-memory key to clear).\";\n}\n\nexport function renderMigrateReport(report: SecureStoreMigrateReport): string {\n  if (!report.ok && report.reason === \"not-initialized\") {\n    return \"ERR — secure-store is not initialized. Run 'remnic engram secure-store init' first.\";\n  }\n  if (!report.ok && report.reason === \"locked\") {\n    return \"ERR — secure-store is locked. Run 'remnic engram secure-store unlock' before migrate.\";\n  }\n\n  const lines: string[] = [];\n  lines.push(report.ok ? \"OK — secure-store migration complete.\" : \"ERR — secure-store migration completed with file errors.\");\n  lines.push(`encrypted: ${report.encrypted}`);\n  lines.push(`skipped: ${report.skipped}`);\n  lines.push(`errors: ${report.errors.length}`);\n  for (const entry of report.errors.slice(0, 10)) {\n    lines.push(`- ${entry.filePath}: ${entry.error}`);\n  }\n  if (report.errors.length > 10) {\n    lines.push(`- ... ${report.errors.length - 10} more error(s)`);\n  }\n  return lines.join(\"\\n\");\n}\n\nexport function renderDisableReport(report: SecureStoreDisableReport): string {\n  if (!report.ok && report.reason === \"not-initialized\") {\n    return \"ERR — secure-store is not initialized. Run 'remnic engram secure-store init' first.\";\n  }\n  if (!report.ok && report.reason === \"locked\") {\n    return \"ERR — secure-store is locked. Run 'remnic engram secure-store unlock' before disable.\";\n  }\n\n  const lines: string[] = [];\n  lines.push(report.ok ? \"OK — secure-store disable complete.\" : \"ERR — secure-store disable completed with file errors.\");\n  lines.push(`decrypted: ${report.decrypted}`);\n  lines.push(`skipped: ${report.skipped}`);\n  lines.push(`errors: ${report.errors.length}`);\n  for (const entry of report.errors.slice(0, 10)) {\n    lines.push(`- ${entry.filePath}: ${entry.error}`);\n  }\n  if (report.errors.length > 10) {\n    lines.push(`- ... ${report.errors.length - 10} more error(s)`);\n  }\n  lines.push(\"header: kept\");\n  return lines.join(\"\\n\");\n}\n\nexport function renderStatusReport(report: SecureStoreStatusReport): string {\n  const lines: string[] = [];\n  lines.push(\"=== Remnic secure-store status ===\");\n  lines.push(\"\");\n  lines.push(`header: ${report.headerPath}`);\n  lines.push(`initialized: ${report.initialized ? \"yes\" : \"no\"}`);\n  if (!report.initialized) {\n    lines.push(\"\");\n    lines.push(\"Run 'remnic engram secure-store init' to initialize a new store.\");\n    return lines.join(\"\\n\");\n  }\n  lines.push(`createdAt: ${report.createdAt ?? \"n/a\"}`);\n  lines.push(`locked: ${report.locked ? \"yes\" : \"no\"}`);\n  if (!report.locked) {\n    lines.push(`lastUnlockAt: ${report.unlockedAt ?? \"n/a\"}`);\n  }\n  if (report.kdf) {\n    lines.push(...renderKdfLines(report.kdf));\n  }\n  return lines.join(\"\\n\");\n}\n\nfunction renderKdfLines(kdf: SecureStoreHeader[\"metadata\"][\"kdf\"]): string[] {\n  const lines: string[] = [];\n  lines.push(`kdf.algorithm: ${kdf.algorithm}`);\n  if (kdf.algorithm === \"scrypt\") {\n    const { N, r, p, keyLength, maxmem } = kdf.params;\n    lines.push(`kdf.params: N=${N} r=${r} p=${p} keyLength=${keyLength} maxmem=${maxmem}`);\n  } else {\n    const { memoryKiB, iterations, parallelism, keyLength } = kdf.params;\n    lines.push(\n      `kdf.params: memoryKiB=${memoryKiB} iterations=${iterations} parallelism=${parallelism} keyLength=${keyLength}`,\n    );\n  }\n  return lines;\n}\n","/**\n * TTY passphrase reader (issue #690 PR 2/4).\n *\n * Reads a line from stdin without echoing it back to the terminal.\n * Disables echo by setting raw mode + manually buffering input until\n * Enter / EOT.\n *\n * Why not `readline.question`?\n * ----------------------------\n * `readline` echoes by default and has no clean \"no-echo\" toggle that\n * survives across Node versions. The raw-mode loop is the canonical\n * idiom for reading passwords on Node and matches what `npm` uses\n * internally.\n *\n * Security\n * --------\n *   - Never log the passphrase (no `console.log`, no debug output).\n *   - Never include it in a thrown error message.\n *   - On Ctrl+C / Ctrl+D, abort with a clear error rather than\n *     silently treating EOF as an empty submission.\n *   - On non-TTY stdin (pipe, redirect), read a line via line-buffered\n *     readline so automation (`echo \"passphrase\" | remnic ...`) works.\n *     Operators are responsible for not piping plaintext passphrases\n *     in shell history; we surface a stderr warning.\n */\n\nimport { createInterface } from \"node:readline\";\nimport type { Readable, Writable } from \"node:stream\";\nimport { StringDecoder } from \"node:string_decoder\";\n\nimport type { PassphraseReader } from \"./cli-handlers.js\";\n\nexport interface CreatePassphraseReaderOptions {\n  input?: Readable;\n  output?: Writable;\n  /** Override stderr for warning surface; defaults to `process.stderr`. */\n  errorStream?: Writable;\n}\n\n/**\n * Build a `PassphraseReader` bound to the given streams. Exported so\n * tests can construct one against in-memory streams without touching\n * the real TTY.\n */\nexport function createPassphraseReader(\n  options: CreatePassphraseReaderOptions = {},\n): PassphraseReader {\n  const input = options.input ?? process.stdin;\n  const output = options.output ?? process.stdout;\n  const errorStream = options.errorStream ?? process.stderr;\n  // Codex/Cursor on PR #737: a fresh readline interface per call\n  // breaks confirm-mode on piped non-TTY input — the first\n  // `createInterface` consumes the entire prebuffered stream\n  // (including the second line), so the second `createInterface`\n  // sees an already-ended stream and resolves to \"\". Fix: maintain\n  // ONE non-TTY line reader across both reads of a confirm-mode\n  // session and pull lines on demand from a buffered queue.\n  let nonTtyReader: NonTtyLineReader | null = null;\n  let nonTtyWarned = false;\n  return async function readPassphrase(\n    prompt: string,\n    readerOptions?: { confirm?: boolean },\n  ): Promise<string> {\n    const first = await readSinglePassphrase(prompt);\n    if (readerOptions?.confirm) {\n      const second = await readSinglePassphrase(\"Confirm passphrase: \");\n      if (first !== second) {\n        throw new Error(\"passphrases did not match\");\n      }\n    }\n    return first;\n  };\n\n  async function readSinglePassphrase(prompt: string): Promise<string> {\n    const inputAsAny = input as Readable & {\n      isTTY?: boolean;\n      setRawMode?: (raw: boolean) => Readable;\n    };\n    if (inputAsAny.isTTY && typeof inputAsAny.setRawMode === \"function\") {\n      return readNoEcho(prompt, inputAsAny, output);\n    }\n    // Non-TTY: line-buffered fallback. Warn once per reader so\n    // operators piping plaintext passphrases in shell pipelines are\n    // aware their history may contain the secret.\n    if (!nonTtyWarned) {\n      errorStream.write(\n        \"[remnic secure-store] warning: stdin is not a TTY; reading passphrase as a plain line. \" +\n          \"Take care that the passphrase is not exposed in shell history.\\n\",\n      );\n      nonTtyWarned = true;\n    }\n    // Codex P1 on PR #737: write the prompt to stderr, not stdout.\n    // When the surrounding command outputs JSON to stdout (e.g.\n    // `remnic secure-store status --json`), injecting prompt text on\n    // stdout corrupts the JSON output and breaks machine consumers.\n    // The prompt is UI noise — it belongs on the error/diagnostics\n    // stream regardless of whether we're in a TTY.\n    errorStream.write(prompt);\n    if (!nonTtyReader) nonTtyReader = createNonTtyLineReader(input);\n    return nonTtyReader.next();\n  }\n}\n\nfunction readNoEcho(\n  prompt: string,\n  input: Readable & { setRawMode?: (raw: boolean) => Readable },\n  output: Writable,\n): Promise<string> {\n  return new Promise((resolve, reject) => {\n    output.write(prompt);\n    let buffer = \"\";\n    let settled = false;\n    const wasRaw = (input as Readable & { isRaw?: boolean }).isRaw === true;\n    // Codex P2 on PR #737: per-chunk `chunk.toString(\"utf8\")` corrupts\n    // multibyte characters that straddle a chunk boundary (Node inserts\n    // U+FFFD replacement characters for incomplete sequences). Use a\n    // StringDecoder, which buffers partial sequences across chunks so\n    // non-ASCII passphrases survive intact.\n    const decoder = new StringDecoder(\"utf8\");\n    if (input.setRawMode) input.setRawMode(true);\n    input.resume();\n    const cleanup = (): void => {\n      input.pause();\n      input.removeListener(\"data\", onData);\n      // Flush any remaining bytes the decoder is holding so trailing\n      // partial sequences are surfaced rather than silently swallowed.\n      decoder.end();\n      // Restore the prior raw-mode state so we don't strand the parent shell\n      // in an unexpected configuration.\n      if (input.setRawMode) input.setRawMode(wasRaw);\n      output.write(\"\\n\");\n    };\n    const onData = (chunk: Buffer): void => {\n      const str = decoder.write(chunk);\n      for (const ch of str) {\n        if (settled) return;\n        const code = ch.charCodeAt(0);\n        // Enter / newline: submit.\n        if (ch === \"\\n\" || ch === \"\\r\") {\n          settled = true;\n          cleanup();\n          resolve(buffer);\n          return;\n        }\n        // Ctrl+C: abort.\n        if (code === 0x03) {\n          settled = true;\n          cleanup();\n          reject(new Error(\"passphrase entry aborted (Ctrl+C)\"));\n          return;\n        }\n        // Ctrl+D / EOT: treat as abort if buffer is empty, else submit.\n        if (code === 0x04) {\n          settled = true;\n          cleanup();\n          if (buffer.length === 0) {\n            reject(new Error(\"passphrase entry aborted (EOF)\"));\n          } else {\n            resolve(buffer);\n          }\n          return;\n        }\n        // Backspace / DEL.\n        // Cursor on PR #737: `buffer.slice(0, -1)` deletes one UTF-16\n        // code unit, which splits a surrogate pair when the last\n        // character is a non-BMP code point (emoji, etc.). Fix: count\n        // code points with `Array.from` and remove the last one. This\n        // correctly handles both BMP (single code unit) and non-BMP\n        // (surrogate pair) characters atomically.\n        if (code === 0x08 || code === 0x7f) {\n          if (buffer.length > 0) {\n            const codePoints = Array.from(buffer);\n            buffer = codePoints.slice(0, -1).join(\"\");\n          }\n          continue;\n        }\n        // Ignore other control bytes (escape sequences, etc.).\n        if (code < 0x20) {\n          continue;\n        }\n        buffer += ch;\n      }\n    };\n    input.on(\"data\", onData);\n  });\n}\n\n/**\n * One-shot line reader bound to a non-TTY input stream.\n *\n * Cursor medium on PR #737: a previous version constructed a fresh\n * `readline.createInterface` per `next()` call. On piped non-TTY\n * input, the first interface consumed the entire prebuffered stream\n * (including any subsequent lines) into its internal buffer. The\n * second interface saw an already-`end()`'d input and resolved to \"\".\n * Fix: construct ONE readline interface, queue every emitted `line`,\n * and let `next()` either return a queued line or wait for the next\n * one. Pending waiters at `close` time are resolved with \"\" (so an\n * abandoned-stream caller still sees a clean empty response).\n */\ninterface NonTtyLineReader {\n  next(): Promise<string>;\n}\n\nfunction createNonTtyLineReader(input: Readable): NonTtyLineReader {\n  const rl = createInterface({ input, terminal: false });\n  const lineQueue: string[] = [];\n  const waiterQueue: Array<(value: string) => void> = [];\n  const errorQueue: Array<(err: Error) => void> = [];\n  let closed = false;\n  let error: Error | null = null;\n\n  rl.on(\"line\", (line: string) => {\n    const waiter = waiterQueue.shift();\n    if (waiter) {\n      waiter(line);\n    } else {\n      lineQueue.push(line);\n    }\n  });\n  rl.on(\"close\", () => {\n    closed = true;\n    while (waiterQueue.length > 0) {\n      const w = waiterQueue.shift()!;\n      // Drop the matching error slot since we're settling cleanly.\n      errorQueue.shift();\n      w(\"\");\n    }\n  });\n  rl.on(\"error\", (err: Error) => {\n    error = err;\n    while (errorQueue.length > 0) {\n      const r = errorQueue.shift()!;\n      // Drop the matching value slot.\n      waiterQueue.shift();\n      r(err);\n    }\n  });\n\n  return {\n    next(): Promise<string> {\n      if (error) return Promise.reject(error);\n      const queued = lineQueue.shift();\n      if (queued !== undefined) return Promise.resolve(queued);\n      if (closed) return Promise.resolve(\"\");\n      return new Promise<string>((resolve, reject) => {\n        waiterQueue.push(resolve);\n        errorQueue.push(reject);\n      });\n    },\n  };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;AA8FA,eAAsB,mBACpB,SACgC;AAChC,QAAM,EAAE,WAAW,eAAe,IAAI;AACtC,MAAI,OAAO,cAAc,YAAY,UAAU,WAAW,GAAG;AAC3D,UAAM,IAAI,MAAM,0CAA0C;AAAA,EAC5D;AAEA,QAAM,WAAW,MAAM,WAAW,SAAS;AAC3C,MAAI,aAAa,MAAM;AACrB,UAAM,IAAI;AAAA,MACR,yCAAyC,WAAW,SAAS,CAAC;AAAA,IAChE;AAAA,EACF;AACA,QAAM,aAAa,MAAM,eAAe,0BAA0B,EAAE,SAAS,KAAK,CAAC;AACnF,qBAAmB,UAAU;AAE7B,QAAM,YAA0B,QAAQ,aAAa;AACrD,QAAM,SAAS,cAAc,WAAW,QAAQ,MAAM;AACtD,QAAM,OAAO,QAAQ,QAAQ,aAAqB;AAClD,MAAI,KAAK,WAAW,iBAAiB;AACnC,UAAM,IAAI,MAAM,gBAAgB,eAAe,eAAe,KAAK,MAAM,EAAE;AAAA,EAC7E;AAEA,QAAM,QAAQ,0BAA0B;AAAA,IACtC;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,GAAI,QAAQ,SAAS,SAAY,EAAE,MAAM,QAAQ,KAAK,IAAI,CAAC;AAAA,IAC3D,GAAI,QAAQ,MAAM,EAAE,WAAW,QAAQ,IAAI,EAAE,YAAY,EAAE,IAAI,CAAC;AAAA,EAClE,CAAC;AAKD,QAAM,WAAW,KAAK,CAAC;AAEvB,QAAM,cAAc,MAAM,YAAY,WAAW,MAAM,MAAM;AAC7D,SAAO;AAAA,IACL,IAAI;AAAA,IACJ,YAAY;AAAA,IACZ,KAAK,MAAM,OAAO,SAAS;AAAA,IAC3B,WAAW,MAAM,OAAO;AAAA,EAC1B;AACF;AAYA,eAAsB,qBACpB,SACkC;AAClC,QAAM,EAAE,WAAW,eAAe,IAAI;AACtC,QAAM,SAAS,MAAM,WAAW,SAAS;AACzC,MAAI,CAAC,QAAQ;AACX,WAAO,EAAE,IAAI,OAAO,QAAQ,kBAAkB;AAAA,EAChD;AACA,QAAM,aAAa,MAAM,eAAe,oBAAoB;AAC5D,qBAAmB,UAAU;AAC7B,QAAM,eAAe,oBAAoB,QAAQ,UAAU;AAC3D,MAAI,CAAC,UAAU,QAAQ,YAAY,GAAG;AACpC,iBAAa,KAAK,CAAC;AACnB,WAAO,EAAE,IAAI,OAAO,QAAQ,mBAAmB;AAAA,EACjD;AACA,QAAM,KAAK,QAAQ,aAAa,eAAe,SAAS;AACxD,QAAM,MAAM,QAAQ,QAAQ,MAAM,oBAAI,KAAK;AAC3C,EAAQ,OAAO,IAAI,cAAc,GAAG;AACpC,QAAMA,UAAiB,OAAO,EAAE;AAChC,SAAO;AAAA,IACL,IAAI;AAAA,IACJ,YAAYA,QAAO,cAAc,IAAI,EAAE,YAAY;AAAA,IACnD,WAAW,OAAO,SAAS,IAAI;AAAA,EACjC;AACF;AAYO,SAAS,mBAAmB,SAAwD;AACzF,QAAM,KAAK,QAAQ,aAAa,eAAe,QAAQ,SAAS;AAChE,QAAM,UAAkB,KAAK,EAAE;AAC/B,SAAO,EAAE,IAAI,MAAM,QAAQ;AAC7B;AAaA,eAAsB,sBACpB,SACmC;AACnC,QAAM,EAAE,UAAU,IAAI;AACtB,QAAM,SAAS,MAAM,WAAW,SAAS;AACzC,MAAI,CAAC,QAAQ;AACX,WAAO;AAAA,MACL,IAAI;AAAA,MACJ,QAAQ;AAAA,MACR,WAAW;AAAA,MACX,SAAS;AAAA,MACT,QAAQ,CAAC;AAAA,IACX;AAAA,EACF;AAEA,QAAM,KAAK,QAAQ,aAAa,eAAe,SAAS;AACxD,QAAM,MAAc,OAAO,EAAE;AAC7B,MAAI,QAAQ,MAAM;AAChB,WAAO;AAAA,MACL,IAAI;AAAA,MACJ,QAAQ;AAAA,MACR,WAAW;AAAA,MACX,SAAS;AAAA,MACT,QAAQ,CAAC;AAAA,IACX;AAAA,EACF;AAEA,QAAM,SAAS,MAAM,4BAA4B,WAAW,GAAG;AAC/D,MAAI,OAAO,OAAO,SAAS,GAAG;AAC5B,WAAO,EAAE,IAAI,OAAO,QAAQ,eAAe,GAAG,OAAO;AAAA,EACvD;AACA,SAAO,EAAE,IAAI,MAAM,GAAG,OAAO;AAC/B;AAaA,eAAsB,sBACpB,SACmC;AACnC,QAAM,EAAE,UAAU,IAAI;AACtB,QAAM,SAAS,MAAM,WAAW,SAAS;AACzC,MAAI,CAAC,QAAQ;AACX,WAAO;AAAA,MACL,IAAI;AAAA,MACJ,QAAQ;AAAA,MACR,WAAW;AAAA,MACX,SAAS;AAAA,MACT,QAAQ,CAAC;AAAA,IACX;AAAA,EACF;AAEA,QAAM,KAAK,QAAQ,aAAa,eAAe,SAAS;AACxD,QAAM,MAAc,OAAO,EAAE;AAC7B,MAAI,QAAQ,MAAM;AAChB,WAAO;AAAA,MACL,IAAI;AAAA,MACJ,QAAQ;AAAA,MACR,WAAW;AAAA,MACX,SAAS;AAAA,MACT,QAAQ,CAAC;AAAA,IACX;AAAA,EACF;AAEA,QAAM,SAAS,MAAM,4BAA4B,WAAW,GAAG;AAC/D,MAAI,OAAO,OAAO,SAAS,GAAG;AAC5B,WAAO,EAAE,IAAI,OAAO,QAAQ,eAAe,GAAG,OAAO;AAAA,EACvD;AACA,SAAO,EAAE,IAAI,MAAM,GAAG,OAAO;AAC/B;AAqBA,eAAsB,qBACpB,SACkC;AAClC,QAAM,EAAE,UAAU,IAAI;AACtB,QAAM,KAAK,QAAQ,aAAa,eAAe,SAAS;AACxD,QAAM,SAAS,MAAM,WAAW,SAAS;AACzC,QAAM,KAAa,OAAO,EAAE;AAC5B,QAAM,SAAS,WAAW,SAAS;AACnC,MAAI,CAAC,QAAQ;AACX,WAAO;AAAA,MACL,aAAa;AAAA,MACb,YAAY;AAAA,MACZ,QAAQ,CAAC,GAAG;AAAA,MACZ,YAAY,GAAG;AAAA,MACf,KAAK;AAAA,MACL,WAAW;AAAA,IACb;AAAA,EACF;AACA,SAAO;AAAA,IACL,aAAa;AAAA,IACb,YAAY;AAAA,IACZ,QAAQ,CAAC,GAAG;AAAA,IACZ,YAAY,GAAG;AAAA,IACf,KAAK,OAAO,SAAS;AAAA,IACrB,WAAW,OAAO;AAAA,EACpB;AACF;AAKO,IAAM,wBAAwB;AAErC,SAAS,mBAAmB,YAA0B;AACpD,MAAI,OAAO,eAAe,UAAU;AAClC,UAAM,IAAI,MAAM,6BAA6B;AAAA,EAC/C;AACA,MAAI,WAAW,WAAW,GAAG;AAC3B,UAAM,IAAI,MAAM,8BAA8B;AAAA,EAChD;AACA,MAAI,WAAW,SAAS,uBAAuB;AAC7C,UAAM,IAAI,MAAM,+BAA+B,qBAAqB,aAAa;AAAA,EACnF;AACF;AAEA,SAAS,cACP,WACA,UAC+B;AAC/B,MAAI,aAAa,OAAW,QAAO;AACnC,MAAI,cAAc,SAAU,QAAO,EAAE,GAAG,sBAAsB;AAC9D,SAAO,EAAE,GAAG,wBAAwB;AACtC;;;AC/UO,SAAS,iBAAiB,QAAuC;AACtE,QAAM,QAAkB,CAAC;AACzB,QAAM,KAAK,yCAAyC;AACpD,QAAM,KAAK,EAAE;AACb,QAAM,KAAK,WAAW,OAAO,UAAU,EAAE;AACzC,QAAM,KAAK,cAAc,OAAO,SAAS,EAAE;AAC3C,QAAM,KAAK,GAAG,eAAe,OAAO,GAAG,CAAC;AACxC,QAAM,KAAK,EAAE;AACb,QAAM,KAAK,gDAAgD;AAC3D,QAAM,KAAK,qCAAqC;AAChD,QAAM,KAAK,qDAAqD;AAChE,SAAO,MAAM,KAAK,IAAI;AACxB;AAEO,SAAS,mBAAmB,QAAyC;AAC1E,MAAI,OAAO,IAAI;AACb,WAAO,sCAAiC,OAAO,UAAU,eAAe,OAAO,SAAS;AAAA,EAC1F;AACA,MAAI,OAAO,WAAW,mBAAmB;AACvC,WAAO;AAAA,EACT;AACA,SAAO;AACT;AAEO,SAAS,iBAAiB,QAAuC;AACtE,MAAI,OAAO,SAAS;AAClB,WAAO;AAAA,EACT;AACA,SAAO;AACT;AAEO,SAAS,oBAAoB,QAA0C;AAC5E,MAAI,CAAC,OAAO,MAAM,OAAO,WAAW,mBAAmB;AACrD,WAAO;AAAA,EACT;AACA,MAAI,CAAC,OAAO,MAAM,OAAO,WAAW,UAAU;AAC5C,WAAO;AAAA,EACT;AAEA,QAAM,QAAkB,CAAC;AACzB,QAAM,KAAK,OAAO,KAAK,+CAA0C,+DAA0D;AAC3H,QAAM,KAAK,cAAc,OAAO,SAAS,EAAE;AAC3C,QAAM,KAAK,YAAY,OAAO,OAAO,EAAE;AACvC,QAAM,KAAK,WAAW,OAAO,OAAO,MAAM,EAAE;AAC5C,aAAW,SAAS,OAAO,OAAO,MAAM,GAAG,EAAE,GAAG;AAC9C,UAAM,KAAK,KAAK,MAAM,QAAQ,KAAK,MAAM,KAAK,EAAE;AAAA,EAClD;AACA,MAAI,OAAO,OAAO,SAAS,IAAI;AAC7B,UAAM,KAAK,SAAS,OAAO,OAAO,SAAS,EAAE,gBAAgB;AAAA,EAC/D;AACA,SAAO,MAAM,KAAK,IAAI;AACxB;AAEO,SAAS,oBAAoB,QAA0C;AAC5E,MAAI,CAAC,OAAO,MAAM,OAAO,WAAW,mBAAmB;AACrD,WAAO;AAAA,EACT;AACA,MAAI,CAAC,OAAO,MAAM,OAAO,WAAW,UAAU;AAC5C,WAAO;AAAA,EACT;AAEA,QAAM,QAAkB,CAAC;AACzB,QAAM,KAAK,OAAO,KAAK,6CAAwC,6DAAwD;AACvH,QAAM,KAAK,cAAc,OAAO,SAAS,EAAE;AAC3C,QAAM,KAAK,YAAY,OAAO,OAAO,EAAE;AACvC,QAAM,KAAK,WAAW,OAAO,OAAO,MAAM,EAAE;AAC5C,aAAW,SAAS,OAAO,OAAO,MAAM,GAAG,EAAE,GAAG;AAC9C,UAAM,KAAK,KAAK,MAAM,QAAQ,KAAK,MAAM,KAAK,EAAE;AAAA,EAClD;AACA,MAAI,OAAO,OAAO,SAAS,IAAI;AAC7B,UAAM,KAAK,SAAS,OAAO,OAAO,SAAS,EAAE,gBAAgB;AAAA,EAC/D;AACA,QAAM,KAAK,cAAc;AACzB,SAAO,MAAM,KAAK,IAAI;AACxB;AAEO,SAAS,mBAAmB,QAAyC;AAC1E,QAAM,QAAkB,CAAC;AACzB,QAAM,KAAK,oCAAoC;AAC/C,QAAM,KAAK,EAAE;AACb,QAAM,KAAK,WAAW,OAAO,UAAU,EAAE;AACzC,QAAM,KAAK,gBAAgB,OAAO,cAAc,QAAQ,IAAI,EAAE;AAC9D,MAAI,CAAC,OAAO,aAAa;AACvB,UAAM,KAAK,EAAE;AACb,UAAM,KAAK,kEAAkE;AAC7E,WAAO,MAAM,KAAK,IAAI;AAAA,EACxB;AACA,QAAM,KAAK,cAAc,OAAO,aAAa,KAAK,EAAE;AACpD,QAAM,KAAK,WAAW,OAAO,SAAS,QAAQ,IAAI,EAAE;AACpD,MAAI,CAAC,OAAO,QAAQ;AAClB,UAAM,KAAK,iBAAiB,OAAO,cAAc,KAAK,EAAE;AAAA,EAC1D;AACA,MAAI,OAAO,KAAK;AACd,UAAM,KAAK,GAAG,eAAe,OAAO,GAAG,CAAC;AAAA,EAC1C;AACA,SAAO,MAAM,KAAK,IAAI;AACxB;AAEA,SAAS,eAAe,KAAqD;AAC3E,QAAM,QAAkB,CAAC;AACzB,QAAM,KAAK,kBAAkB,IAAI,SAAS,EAAE;AAC5C,MAAI,IAAI,cAAc,UAAU;AAC9B,UAAM,EAAE,GAAG,GAAG,GAAG,WAAW,OAAO,IAAI,IAAI;AAC3C,UAAM,KAAK,iBAAiB,CAAC,MAAM,CAAC,MAAM,CAAC,cAAc,SAAS,WAAW,MAAM,EAAE;AAAA,EACvF,OAAO;AACL,UAAM,EAAE,WAAW,YAAY,aAAa,UAAU,IAAI,IAAI;AAC9D,UAAM;AAAA,MACJ,yBAAyB,SAAS,eAAe,UAAU,gBAAgB,WAAW,cAAc,SAAS;AAAA,IAC/G;AAAA,EACF;AACA,SAAO;AACT;;;ACxGA,SAAS,uBAAuB;AAEhC,SAAS,qBAAqB;AAgBvB,SAAS,uBACd,UAAyC,CAAC,GACxB;AAClB,QAAM,QAAQ,QAAQ,SAAS,QAAQ;AACvC,QAAM,SAAS,QAAQ,UAAU,QAAQ;AACzC,QAAM,cAAc,QAAQ,eAAe,QAAQ;AAQnD,MAAI,eAAwC;AAC5C,MAAI,eAAe;AACnB,SAAO,eAAe,eACpB,QACA,eACiB;AACjB,UAAM,QAAQ,MAAM,qBAAqB,MAAM;AAC/C,QAAI,eAAe,SAAS;AAC1B,YAAM,SAAS,MAAM,qBAAqB,sBAAsB;AAChE,UAAI,UAAU,QAAQ;AACpB,cAAM,IAAI,MAAM,2BAA2B;AAAA,MAC7C;AAAA,IACF;AACA,WAAO;AAAA,EACT;AAEA,iBAAe,qBAAqB,QAAiC;AACnE,UAAM,aAAa;AAInB,QAAI,WAAW,SAAS,OAAO,WAAW,eAAe,YAAY;AACnE,aAAO,WAAW,QAAQ,YAAY,MAAM;AAAA,IAC9C;AAIA,QAAI,CAAC,cAAc;AACjB,kBAAY;AAAA,QACV;AAAA,MAEF;AACA,qBAAe;AAAA,IACjB;AAOA,gBAAY,MAAM,MAAM;AACxB,QAAI,CAAC,aAAc,gBAAe,uBAAuB,KAAK;AAC9D,WAAO,aAAa,KAAK;AAAA,EAC3B;AACF;AAEA,SAAS,WACP,QACA,OACA,QACiB;AACjB,SAAO,IAAI,QAAQ,CAAC,SAAS,WAAW;AACtC,WAAO,MAAM,MAAM;AACnB,QAAI,SAAS;AACb,QAAI,UAAU;AACd,UAAM,SAAU,MAAyC,UAAU;AAMnE,UAAM,UAAU,IAAI,cAAc,MAAM;AACxC,QAAI,MAAM,WAAY,OAAM,WAAW,IAAI;AAC3C,UAAM,OAAO;AACb,UAAM,UAAU,MAAY;AAC1B,YAAM,MAAM;AACZ,YAAM,eAAe,QAAQ,MAAM;AAGnC,cAAQ,IAAI;AAGZ,UAAI,MAAM,WAAY,OAAM,WAAW,MAAM;AAC7C,aAAO,MAAM,IAAI;AAAA,IACnB;AACA,UAAM,SAAS,CAAC,UAAwB;AACtC,YAAM,MAAM,QAAQ,MAAM,KAAK;AAC/B,iBAAW,MAAM,KAAK;AACpB,YAAI,QAAS;AACb,cAAM,OAAO,GAAG,WAAW,CAAC;AAE5B,YAAI,OAAO,QAAQ,OAAO,MAAM;AAC9B,oBAAU;AACV,kBAAQ;AACR,kBAAQ,MAAM;AACd;AAAA,QACF;AAEA,YAAI,SAAS,GAAM;AACjB,oBAAU;AACV,kBAAQ;AACR,iBAAO,IAAI,MAAM,mCAAmC,CAAC;AACrD;AAAA,QACF;AAEA,YAAI,SAAS,GAAM;AACjB,oBAAU;AACV,kBAAQ;AACR,cAAI,OAAO,WAAW,GAAG;AACvB,mBAAO,IAAI,MAAM,gCAAgC,CAAC;AAAA,UACpD,OAAO;AACL,oBAAQ,MAAM;AAAA,UAChB;AACA;AAAA,QACF;AAQA,YAAI,SAAS,KAAQ,SAAS,KAAM;AAClC,cAAI,OAAO,SAAS,GAAG;AACrB,kBAAM,aAAa,MAAM,KAAK,MAAM;AACpC,qBAAS,WAAW,MAAM,GAAG,EAAE,EAAE,KAAK,EAAE;AAAA,UAC1C;AACA;AAAA,QACF;AAEA,YAAI,OAAO,IAAM;AACf;AAAA,QACF;AACA,kBAAU;AAAA,MACZ;AAAA,IACF;AACA,UAAM,GAAG,QAAQ,MAAM;AAAA,EACzB,CAAC;AACH;AAmBA,SAAS,uBAAuB,OAAmC;AACjE,QAAM,KAAK,gBAAgB,EAAE,OAAO,UAAU,MAAM,CAAC;AACrD,QAAM,YAAsB,CAAC;AAC7B,QAAM,cAA8C,CAAC;AACrD,QAAM,aAA0C,CAAC;AACjD,MAAI,SAAS;AACb,MAAI,QAAsB;AAE1B,KAAG,GAAG,QAAQ,CAAC,SAAiB;AAC9B,UAAM,SAAS,YAAY,MAAM;AACjC,QAAI,QAAQ;AACV,aAAO,IAAI;AAAA,IACb,OAAO;AACL,gBAAU,KAAK,IAAI;AAAA,IACrB;AAAA,EACF,CAAC;AACD,KAAG,GAAG,SAAS,MAAM;AACnB,aAAS;AACT,WAAO,YAAY,SAAS,GAAG;AAC7B,YAAM,IAAI,YAAY,MAAM;AAE5B,iBAAW,MAAM;AACjB,QAAE,EAAE;AAAA,IACN;AAAA,EACF,CAAC;AACD,KAAG,GAAG,SAAS,CAAC,QAAe;AAC7B,YAAQ;AACR,WAAO,WAAW,SAAS,GAAG;AAC5B,YAAM,IAAI,WAAW,MAAM;AAE3B,kBAAY,MAAM;AAClB,QAAE,GAAG;AAAA,IACP;AAAA,EACF,CAAC;AAED,SAAO;AAAA,IACL,OAAwB;AACtB,UAAI,MAAO,QAAO,QAAQ,OAAO,KAAK;AACtC,YAAM,SAAS,UAAU,MAAM;AAC/B,UAAI,WAAW,OAAW,QAAO,QAAQ,QAAQ,MAAM;AACvD,UAAI,OAAQ,QAAO,QAAQ,QAAQ,EAAE;AACrC,aAAO,IAAI,QAAgB,CAAC,SAAS,WAAW;AAC9C,oBAAY,KAAK,OAAO;AACxB,mBAAW,KAAK,MAAM;AAAA,MACxB,CAAC;AAAA,IACH;AAAA,EACF;AACF;","names":["status"]}

package/dist/{chunk-3GXCSUXR.js → chunk-CRU27Q4J.js}

@@ -1,7 +1,7 @@
 import {
   getGatewayRuntimeAuthForModel,
   resolveProviderApiKey
-} from "./chunk-XZ2TIKGC.js";
+} from "./chunk-Q7FJ5ZHM.js";
 import {
   loadModelsJsonProviders
 } from "./chunk-ODWDQNRE.js";
@@ -458,4 +458,4 @@ function extractResponsesOutputText(data) {
 export {
   FallbackLlmClient
 };
-//# sourceMappingURL=chunk-3GXCSUXR.js.map
+//# sourceMappingURL=chunk-CRU27Q4J.js.map