@sena-ai/platform-core 1.4.0

package/dist/relay/api-proxy.d.ts

@@ -0,0 +1,10 @@
+import { Hono } from 'hono';
+import type { Vault } from '../types/vault.js';
+import type { BotRepository } from '../types/repository.js';
+/**
+ * Slack API proxy.
+ * Local runtimes send POST /relay/api with Slack API calls.
+ * The proxy decrypts the bot_token from Vault and forwards the request.
+ */
+export declare function createApiProxy(botRepo: BotRepository, vault: Vault): Hono<import("hono/types").BlankEnv, import("hono/types").BlankSchema, "/">;
+//# sourceMappingURL=api-proxy.d.ts.map

package/dist/relay/api-proxy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"api-proxy.d.ts","sourceRoot":"","sources":["../../src/relay/api-proxy.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAA;AAC3B,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,mBAAmB,CAAA;AAC9C,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAA;AAE3D;;;;GAIG;AACH,wBAAgB,cAAc,CAAC,OAAO,EAAE,aAAa,EAAE,KAAK,EAAE,KAAK,8EAmDlE"}

package/dist/relay/api-proxy.js

@@ -0,0 +1,40 @@
+import { Hono } from 'hono';
+/**
+ * Slack API proxy.
+ * Local runtimes send POST /relay/api with Slack API calls.
+ * The proxy decrypts the bot_token from Vault and forwards the request.
+ */
+export function createApiProxy(botRepo, vault) {
+    const app = new Hono();
+    app.post('/relay/api', async (c) => {
+        const connectKey = c.req.header('x-connect-key');
+        if (!connectKey) {
+            return c.json({ ok: false, error: 'missing x-connect-key header' }, 401);
+        }
+        const bot = await botRepo.findByConnectKeyAndStatus(connectKey, 'active');
+        if (!bot) {
+            return c.json({ ok: false, error: 'invalid connect_key or bot not active' }, 401);
+        }
+        if (!bot.botTokenEnc) {
+            return c.json({ ok: false, error: 'bot has no token configured' }, 500);
+        }
+        const botToken = await vault.decrypt(bot.botTokenEnc);
+        const body = await c.req.json();
+        if (!body.method) {
+            return c.json({ ok: false, error: 'missing method field' }, 400);
+        }
+        const slackUrl = `https://slack.com/api/${body.method}`;
+        const slackRes = await fetch(slackUrl, {
+            method: 'POST',
+            headers: {
+                Authorization: `Bearer ${botToken}`,
+                'Content-Type': 'application/json; charset=utf-8',
+            },
+            body: JSON.stringify(body.params || {}),
+        });
+        const slackData = await slackRes.json();
+        return c.json(slackData);
+    });
+    return app;
+}
+//# sourceMappingURL=api-proxy.js.map

package/dist/relay/api-proxy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"api-proxy.js","sourceRoot":"","sources":["../../src/relay/api-proxy.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAA;AAI3B;;;;GAIG;AACH,MAAM,UAAU,cAAc,CAAC,OAAsB,EAAE,KAAY;IACjE,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAA;IAEtB,GAAG,CAAC,IAAI,CAAC,YAAY,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;QACjC,MAAM,UAAU,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,eAAe,CAAC,CAAA;QAChD,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,OAAO,CAAC,CAAC,IAAI,CACX,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,8BAA8B,EAAE,EACpD,GAAG,CACJ,CAAA;QACH,CAAC;QAED,MAAM,GAAG,GAAG,MAAM,OAAO,CAAC,yBAAyB,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAA;QACzE,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,OAAO,CAAC,CAAC,IAAI,CACX,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,uCAAuC,EAAE,EAC7D,GAAG,CACJ,CAAA;QACH,CAAC;QAED,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC;YACrB,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,6BAA6B,EAAE,EAAE,GAAG,CAAC,CAAA;QACzE,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,CAAA;QAErD,MAAM,IAAI,GAAG,MAAM,CAAC,CAAC,GAAG,CAAC,IAAI,EAGzB,CAAA;QAEJ,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;YACjB,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,sBAAsB,EAAE,EAAE,GAAG,CAAC,CAAA;QAClE,CAAC;QAED,MAAM,QAAQ,GAAG,yBAAyB,IAAI,CAAC,MAAM,EAAE,CAAA;QAEvD,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,QAAQ,EAAE;YACrC,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,aAAa,EAAE,UAAU,QAAQ,EAAE;gBACnC,cAAc,EAAE,iCAAiC;aAClD;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,MAAM,IAAI,EAAE,CAAC;SACxC,CAAC,CAAA;QAEF,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAA;QACvC,OAAO,CAAC,CAAC,IAAI,CAAC,SAAoC,CAAC,CAAA;IACrD,CAAC,CAAC,CAAA;IAEF,OAAO,GAAG,CAAA;AACZ,CAAC"}

package/dist/runtime/cf/crypto.d.ts

@@ -0,0 +1,7 @@
+import type { CryptoProvider } from '../../types/crypto.js';
+/**
+ * CryptoProvider implementation using Web Crypto API.
+ * Compatible with CF Workers runtime.
+ */
+export declare function createCfCrypto(): CryptoProvider;
+//# sourceMappingURL=crypto.d.ts.map

package/dist/runtime/cf/crypto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.d.ts","sourceRoot":"","sources":["../../../src/runtime/cf/crypto.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAA;AAE3D;;;GAGG;AACH,wBAAgB,cAAc,IAAI,cAAc,CAmE/C"}

package/dist/runtime/cf/crypto.js

@@ -0,0 +1,48 @@
+/**
+ * CryptoProvider implementation using Web Crypto API.
+ * Compatible with CF Workers runtime.
+ */
+export function createCfCrypto() {
+    return {
+        async randomHex(byteLength) {
+            const bytes = crypto.getRandomValues(new Uint8Array(byteLength));
+            return Array.from(bytes)
+                .map((b) => b.toString(16).padStart(2, '0'))
+                .join('');
+        },
+        uuid() {
+            return crypto.randomUUID();
+        },
+        async hmacSha256(key, data) {
+            const encoder = new TextEncoder();
+            const cryptoKey = await crypto.subtle.importKey('raw', encoder.encode(key), { name: 'HMAC', hash: 'SHA-256' }, false, ['sign']);
+            const signature = await crypto.subtle.sign('HMAC', cryptoKey, encoder.encode(data));
+            return Array.from(new Uint8Array(signature))
+                .map((b) => b.toString(16).padStart(2, '0'))
+                .join('');
+        },
+        async timingSafeEqual(a, b) {
+            const encoder = new TextEncoder();
+            const bufA = encoder.encode(a);
+            const bufB = encoder.encode(b);
+            if (bufA.length !== bufB.length)
+                return false;
+            // Import both as HMAC keys and compare by signing
+            // This provides constant-time comparison without node:crypto
+            const key = crypto.getRandomValues(new Uint8Array(32));
+            const cryptoKey = await crypto.subtle.importKey('raw', key, { name: 'HMAC', hash: 'SHA-256' }, false, ['sign']);
+            const [sigA, sigB] = await Promise.all([
+                crypto.subtle.sign('HMAC', cryptoKey, bufA),
+                crypto.subtle.sign('HMAC', cryptoKey, bufB),
+            ]);
+            const arrA = new Uint8Array(sigA);
+            const arrB = new Uint8Array(sigB);
+            let result = 0;
+            for (let i = 0; i < arrA.length; i++) {
+                result |= arrA[i] ^ arrB[i];
+            }
+            return result === 0;
+        },
+    };
+}
+//# sourceMappingURL=crypto.js.map

package/dist/runtime/cf/crypto.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.js","sourceRoot":"","sources":["../../../src/runtime/cf/crypto.ts"],"names":[],"mappings":"AAEA;;;GAGG;AACH,MAAM,UAAU,cAAc;IAC5B,OAAO;QACL,KAAK,CAAC,SAAS,CAAC,UAAkB;YAChC,MAAM,KAAK,GAAG,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,UAAU,CAAC,CAAC,CAAA;YAChE,OAAO,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC;iBACrB,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;iBAC3C,IAAI,CAAC,EAAE,CAAC,CAAA;QACb,CAAC;QAED,IAAI;YACF,OAAO,MAAM,CAAC,UAAU,EAAE,CAAA;QAC5B,CAAC;QAED,KAAK,CAAC,UAAU,CAAC,GAAW,EAAE,IAAY;YACxC,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAA;YACjC,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAC7C,KAAK,EACL,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,EACnB,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,EACjC,KAAK,EACL,CAAC,MAAM,CAAC,CACT,CAAA;YAED,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,CACxC,MAAM,EACN,SAAS,EACT,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,CACrB,CAAA;YAED,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,UAAU,CAAC,SAAS,CAAC,CAAC;iBACzC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;iBAC3C,IAAI,CAAC,EAAE,CAAC,CAAA;QACb,CAAC;QAED,KAAK,CAAC,eAAe,CAAC,CAAS,EAAE,CAAS;YACxC,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAA;YACjC,MAAM,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAA;YAC9B,MAAM,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAA;YAE9B,IAAI,IAAI,CAAC,MAAM,KAAK,IAAI,CAAC,MAAM;gBAAE,OAAO,KAAK,CAAA;YAE7C,kDAAkD;YAClD,6DAA6D;YAC7D,MAAM,GAAG,GAAG,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,CAAA;YACtD,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAC7C,KAAK,EACL,GAAG,EACH,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,EACjC,KAAK,EACL,CAAC,MAAM,CAAC,CACT,CAAA;YAED,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;gBACrC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,SAAS,EAAE,IAAI,CAAC;gBAC3C,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,SAAS,EAAE,IAAI,CAAC;aAC5C,CAAC,CAAA;YAEF,MAAM,IAAI,GAAG,IAAI,UAAU,CAAC,IAAI,CAAC,CAAA;YACjC,MAAM,IAAI,GAAG,IAAI,UAAU,CAAC,IAAI,CAAC,CAAA;YAEjC,IAAI,MAAM,GAAG,CAAC,CAAA;YACd,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACrC,MAAM,IAAI,IAAI,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,CAAA;YAC7B,CAAC;YACD,OAAO,MAAM,KAAK,CAAC,CAAA;QACrB,CAAC;KACF,CAAA;AACH,CAAC"}

package/dist/runtime/cf/index.d.ts

@@ -0,0 +1,20 @@
+import type { Vault } from '../../types/vault.js';
+import type { RelayHub } from '../../types/relay.js';
+import type { CryptoProvider } from '../../types/crypto.js';
+export interface CfEnv {
+    RELAY_DO: DurableObjectNamespace;
+    VAULT_MASTER_KEY: string;
+    PLATFORM_BASE_URL: string;
+    SLACK_WORKSPACE_ID: string;
+}
+export interface CfRuntime {
+    vault: Vault;
+    relay: RelayHub;
+    crypto: CryptoProvider;
+}
+/**
+ * Create runtime services for Cloudflare Workers (vault, relay, crypto).
+ * Does NOT include DB repositories -- those are created separately via the DB subpath.
+ */
+export declare function createCfRuntime(env: CfEnv): Promise<CfRuntime>;
+//# sourceMappingURL=index.d.ts.map

package/dist/runtime/cf/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/runtime/cf/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,sBAAsB,CAAA;AACjD,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAA;AACpD,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAA;AAK3D,MAAM,WAAW,KAAK;IACpB,QAAQ,EAAE,sBAAsB,CAAA;IAChC,gBAAgB,EAAE,MAAM,CAAA;IACxB,iBAAiB,EAAE,MAAM,CAAA;IACzB,kBAAkB,EAAE,MAAM,CAAA;CAC3B;AAED,MAAM,WAAW,SAAS;IACxB,KAAK,EAAE,KAAK,CAAA;IACZ,KAAK,EAAE,QAAQ,CAAA;IACf,MAAM,EAAE,cAAc,CAAA;CACvB;AAED;;;GAGG;AACH,wBAAsB,eAAe,CAAC,GAAG,EAAE,KAAK,GAAG,OAAO,CAAC,SAAS,CAAC,CAMpE"}

package/dist/runtime/cf/index.js

@@ -0,0 +1,14 @@
+import { createCfVault } from './vault.js';
+import { createCfCrypto } from './crypto.js';
+import { createCfRelay } from './relay.js';
+/**
+ * Create runtime services for Cloudflare Workers (vault, relay, crypto).
+ * Does NOT include DB repositories -- those are created separately via the DB subpath.
+ */
+export async function createCfRuntime(env) {
+    const vault = await createCfVault(env.VAULT_MASTER_KEY);
+    const crypto = createCfCrypto();
+    const relay = createCfRelay(env.RELAY_DO);
+    return { vault, relay, crypto };
+}
+//# sourceMappingURL=index.js.map

package/dist/runtime/cf/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/runtime/cf/index.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,aAAa,EAAE,MAAM,YAAY,CAAA;AAC1C,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAA;AAC5C,OAAO,EAAE,aAAa,EAAE,MAAM,YAAY,CAAA;AAe1C;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,GAAU;IAC9C,MAAM,KAAK,GAAG,MAAM,aAAa,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAA;IACvD,MAAM,MAAM,GAAG,cAAc,EAAE,CAAA;IAC/B,MAAM,KAAK,GAAG,aAAa,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;IAEzC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,CAAA;AACjC,CAAC"}

package/dist/runtime/cf/relay.d.ts

@@ -0,0 +1,11 @@
+import type { RelayHub } from '../../types/relay.js';
+/**
+ * Durable Objects-based RelayHub for CF Workers.
+ *
+ * This stub communicates with a Durable Object namespace.
+ * Each bot gets its own Durable Object instance that manages WebSocket connections.
+ *
+ * The actual Durable Object class (RelayDurableObject) is exported from apps/worker.
+ */
+export declare function createCfRelay(doNamespace: DurableObjectNamespace): RelayHub;
+//# sourceMappingURL=relay.d.ts.map

package/dist/runtime/cf/relay.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"relay.d.ts","sourceRoot":"","sources":["../../../src/runtime/cf/relay.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAA;AAEpD;;;;;;;GAOG;AACH,wBAAgB,aAAa,CAAC,WAAW,EAAE,sBAAsB,GAAG,QAAQ,CA8D3E"}

package/dist/runtime/cf/relay.js

@@ -0,0 +1,57 @@
+/**
+ * Durable Objects-based RelayHub for CF Workers.
+ *
+ * This stub communicates with a Durable Object namespace.
+ * Each bot gets its own Durable Object instance that manages WebSocket connections.
+ *
+ * The actual Durable Object class (RelayDurableObject) is exported from apps/worker.
+ */
+export function createCfRelay(doNamespace) {
+    function getStub(botId) {
+        const id = doNamespace.idFromName(botId);
+        return doNamespace.get(id);
+    }
+    return {
+        async handleStream(c, botId, _connectKey) {
+            const upgradeHeader = c.req.header('Upgrade');
+            if (upgradeHeader !== 'websocket') {
+                return c.json({ error: 'expected websocket upgrade' }, { status: 426 });
+            }
+            // Forward the WebSocket upgrade request to the Durable Object
+            const stub = getStub(botId);
+            const url = new URL(c.req.url);
+            url.pathname = '/ws';
+            url.searchParams.set('botId', botId);
+            return stub.fetch(url.toString(), {
+                headers: c.req.raw.headers,
+            });
+        },
+        dispatch(botId, event) {
+            // Fire and forget -- send event to the DO
+            const stub = getStub(botId);
+            const url = new URL('https://internal/dispatch');
+            url.searchParams.set('botId', botId);
+            stub
+                .fetch(url.toString(), {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/json' },
+                body: JSON.stringify(event),
+            })
+                .catch((err) => {
+                console.error(`[cf-relay] dispatch error for bot ${botId}:`, err);
+            });
+            // We return true optimistically; the DO handles delivery
+            return true;
+        },
+        isConnected(_botId) {
+            // In CF Workers, we cannot synchronously check DO state
+            // This is best-effort
+            return true;
+        },
+        connectedBots() {
+            // Cannot enumerate Durable Objects synchronously
+            return [];
+        },
+    };
+}
+//# sourceMappingURL=relay.js.map

package/dist/runtime/cf/relay.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"relay.js","sourceRoot":"","sources":["../../../src/runtime/cf/relay.ts"],"names":[],"mappings":"AAGA;;;;;;;GAOG;AACH,MAAM,UAAU,aAAa,CAAC,WAAmC;IAC/D,SAAS,OAAO,CAAC,KAAa;QAC5B,MAAM,EAAE,GAAG,WAAW,CAAC,UAAU,CAAC,KAAK,CAAC,CAAA;QACxC,OAAO,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC,CAAA;IAC5B,CAAC;IAED,OAAO;QACL,KAAK,CAAC,YAAY,CAChB,CAAU,EACV,KAAa,EACb,WAAmB;YAEnB,MAAM,aAAa,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,CAAA;YAC7C,IAAI,aAAa,KAAK,WAAW,EAAE,CAAC;gBAClC,OAAO,CAAC,CAAC,IAAI,CACX,EAAE,KAAK,EAAE,4BAA4B,EAAE,EACvC,EAAE,MAAM,EAAE,GAAG,EAAE,CAChB,CAAA;YACH,CAAC;YAED,8DAA8D;YAC9D,MAAM,IAAI,GAAG,OAAO,CAAC,KAAK,CAAC,CAAA;YAC3B,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;YAC9B,GAAG,CAAC,QAAQ,GAAG,KAAK,CAAA;YACpB,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAA;YAEpC,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,EAAE,EAAE;gBAChC,OAAO,EAAE,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,OAAO;aAC3B,CAAwB,CAAA;QAC3B,CAAC;QAED,QAAQ,CAAC,KAAa,EAAE,KAAc;YACpC,0CAA0C;YAC1C,MAAM,IAAI,GAAG,OAAO,CAAC,KAAK,CAAC,CAAA;YAC3B,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,2BAA2B,CAAC,CAAA;YAChD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAA;YAEpC,IAAI;iBACD,KAAK,CAAC,GAAG,CAAC,QAAQ,EAAE,EAAE;gBACrB,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;gBAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC;aAC5B,CAAC;iBACD,KAAK,CAAC,CAAC,GAAY,EAAE,EAAE;gBACtB,OAAO,CAAC,KAAK,CAAC,qCAAqC,KAAK,GAAG,EAAE,GAAG,CAAC,CAAA;YACnE,CAAC,CAAC,CAAA;YAEJ,yDAAyD;YACzD,OAAO,IAAI,CAAA;QACb,CAAC;QAED,WAAW,CAAC,MAAc;YACxB,wDAAwD;YACxD,sBAAsB;YACtB,OAAO,IAAI,CAAA;QACb,CAAC;QAED,aAAa;YACX,iDAAiD;YACjD,OAAO,EAAE,CAAA;QACX,CAAC;KACF,CAAA;AACH,CAAC"}

package/dist/runtime/cf/vault.d.ts

@@ -0,0 +1,7 @@
+import type { Vault } from '../../types/vault.js';
+/**
+ * AES-256-GCM Vault implementation using Web Crypto API.
+ * Compatible with CF Workers runtime.
+ */
+export declare function createCfVault(masterKeyHex: string): Promise<Vault>;
+//# sourceMappingURL=vault.d.ts.map

package/dist/runtime/cf/vault.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"vault.d.ts","sourceRoot":"","sources":["../../../src/runtime/cf/vault.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,sBAAsB,CAAA;AAKjD;;;GAGG;AACH,wBAAsB,aAAa,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,KAAK,CAAC,CAgExE"}

package/dist/runtime/cf/vault.js

@@ -0,0 +1,68 @@
+const ALGORITHM = 'AES-GCM';
+const IV_LENGTH = 12;
+/**
+ * AES-256-GCM Vault implementation using Web Crypto API.
+ * Compatible with CF Workers runtime.
+ */
+export async function createCfVault(masterKeyHex) {
+    const rawKey = hexToArrayBuffer(masterKeyHex);
+    if (rawKey.byteLength !== 32) {
+        throw new Error('VAULT_MASTER_KEY must be 32 bytes (64 hex chars)');
+    }
+    const cryptoKey = await crypto.subtle.importKey('raw', rawKey, { name: ALGORITHM }, false, ['encrypt', 'decrypt']);
+    return {
+        async encrypt(plaintext) {
+            const iv = crypto.getRandomValues(new Uint8Array(IV_LENGTH));
+            const encoded = new TextEncoder().encode(plaintext);
+            const ciphertext = await crypto.subtle.encrypt({ name: ALGORITHM, iv }, cryptoKey, encoded);
+            // Web Crypto appends authTag to ciphertext
+            // Format: base64(iv + ciphertext_with_tag) -- matches Node.js layout
+            // Node layout: iv(12) + authTag(16) + ciphertext
+            // WebCrypto layout: ciphertext + authTag(16)
+            // We need to rearrange to match Node.js format
+            const ctBytes = new Uint8Array(ciphertext);
+            const actualCiphertext = ctBytes.slice(0, ctBytes.length - 16);
+            const authTag = ctBytes.slice(ctBytes.length - 16);
+            const result = new Uint8Array(iv.length + authTag.length + actualCiphertext.length);
+            result.set(iv, 0);
+            result.set(authTag, iv.length);
+            result.set(actualCiphertext, iv.length + authTag.length);
+            return uint8ArrayToBase64(result);
+        },
+        async decrypt(encoded) {
+            const data = base64ToUint8Array(encoded);
+            const iv = data.slice(0, IV_LENGTH);
+            const authTag = data.slice(IV_LENGTH, IV_LENGTH + 16);
+            const ciphertext = data.slice(IV_LENGTH + 16);
+            // Reconstruct WebCrypto format: ciphertext + authTag
+            const combined = new Uint8Array(ciphertext.length + authTag.length);
+            combined.set(ciphertext, 0);
+            combined.set(authTag, ciphertext.length);
+            const decrypted = await crypto.subtle.decrypt({ name: ALGORITHM, iv }, cryptoKey, combined);
+            return new TextDecoder().decode(decrypted);
+        },
+    };
+}
+function hexToArrayBuffer(hex) {
+    const bytes = new Uint8Array(hex.length / 2);
+    for (let i = 0; i < hex.length; i += 2) {
+        bytes[i / 2] = Number.parseInt(hex.substring(i, i + 2), 16);
+    }
+    return bytes.buffer;
+}
+function uint8ArrayToBase64(bytes) {
+    let binary = '';
+    for (let i = 0; i < bytes.length; i++) {
+        binary += String.fromCharCode(bytes[i]);
+    }
+    return btoa(binary);
+}
+function base64ToUint8Array(base64) {
+    const binary = atob(base64);
+    const bytes = new Uint8Array(binary.length);
+    for (let i = 0; i < binary.length; i++) {
+        bytes[i] = binary.charCodeAt(i);
+    }
+    return bytes;
+}
+//# sourceMappingURL=vault.js.map

package/dist/runtime/cf/vault.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"vault.js","sourceRoot":"","sources":["../../../src/runtime/cf/vault.ts"],"names":[],"mappings":"AAEA,MAAM,SAAS,GAAG,SAAS,CAAA;AAC3B,MAAM,SAAS,GAAG,EAAE,CAAA;AAEpB;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,YAAoB;IACtD,MAAM,MAAM,GAAG,gBAAgB,CAAC,YAAY,CAAC,CAAA;IAC7C,IAAI,MAAM,CAAC,UAAU,KAAK,EAAE,EAAE,CAAC;QAC7B,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAA;IACrE,CAAC;IAED,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAC7C,KAAK,EACL,MAAM,EACN,EAAE,IAAI,EAAE,SAAS,EAAE,EACnB,KAAK,EACL,CAAC,SAAS,EAAE,SAAS,CAAC,CACvB,CAAA;IAED,OAAO;QACL,KAAK,CAAC,OAAO,CAAC,SAAiB;YAC7B,MAAM,EAAE,GAAG,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,SAAS,CAAC,CAAC,CAAA;YAC5D,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAA;YAEnD,MAAM,UAAU,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,OAAO,CAC5C,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAAE,EACvB,SAAS,EACT,OAAO,CACR,CAAA;YAED,2CAA2C;YAC3C,qEAAqE;YACrE,iDAAiD;YACjD,6CAA6C;YAC7C,+CAA+C;YAC/C,MAAM,OAAO,GAAG,IAAI,UAAU,CAAC,UAAU,CAAC,CAAA;YAC1C,MAAM,gBAAgB,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,OAAO,CAAC,MAAM,GAAG,EAAE,CAAC,CAAA;YAC9D,MAAM,OAAO,GAAG,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,GAAG,EAAE,CAAC,CAAA;YAElD,MAAM,MAAM,GAAG,IAAI,UAAU,CAC3B,EAAE,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,gBAAgB,CAAC,MAAM,CACrD,CAAA;YACD,MAAM,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,CAAC,CAAA;YACjB,MAAM,CAAC,GAAG,CAAC,OAAO,EAAE,EAAE,CAAC,MAAM,CAAC,CAAA;YAC9B,MAAM,CAAC,GAAG,CAAC,gBAAgB,EAAE,EAAE,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAA;YAExD,OAAO,kBAAkB,CAAC,MAAM,CAAC,CAAA;QACnC,CAAC;QAED,KAAK,CAAC,OAAO,CAAC,OAAe;YAC3B,MAAM,IAAI,GAAG,kBAAkB,CAAC,OAAO,CAAC,CAAA;YACxC,MAAM,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,SAAS,CAAC,CAAA;YACnC,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,EAAE,SAAS,GAAG,EAAE,CAAC,CAAA;YACrD,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,GAAG,EAAE,CAAC,CAAA;YAE7C,qDAAqD;YACrD,MAAM,QAAQ,GAAG,IAAI,UAAU,CAAC,UAAU,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAA;YACnE,QAAQ,CAAC,GAAG,CAAC,UAAU,EAAE,CAAC,CAAC,CAAA;YAC3B,QAAQ,CAAC,GAAG,CAAC,OAAO,EAAE,UAAU,CAAC,MAAM,CAAC,CAAA;YAExC,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,OAAO,CAC3C,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAAE,EACvB,SAAS,EACT,QAAQ,CACT,CAAA;YAED,OAAO,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAA;QAC5C,CAAC;KACF,CAAA;AACH,CAAC;AAED,SAAS,gBAAgB,CAAC,GAAW;IACnC,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,CAAA;IAC5C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;QACvC,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,CAAC,CAAA;IAC7D,CAAC;IACD,OAAO,KAAK,CAAC,MAAM,CAAA;AACrB,CAAC;AAED,SAAS,kBAAkB,CAAC,KAAiB;IAC3C,IAAI,MAAM,GAAG,EAAE,CAAA;IACf,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,MAAM,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAA;IACzC,CAAC;IACD,OAAO,IAAI,CAAC,MAAM,CAAC,CAAA;AACrB,CAAC;AAED,SAAS,kBAAkB,CAAC,MAAc;IACxC,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,CAAA;IAC3B,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,CAAA;IAC3C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACvC,KAAK,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,CAAA;IACjC,CAAC;IACD,OAAO,KAAK,CAAA;AACd,CAAC"}

package/dist/runtime/node/crypto.d.ts

@@ -0,0 +1,6 @@
+import type { CryptoProvider } from '../../types/crypto.js';
+/**
+ * CryptoProvider implementation using Node.js crypto module.
+ */
+export declare function createNodeCrypto(): CryptoProvider;
+//# sourceMappingURL=crypto.d.ts.map

package/dist/runtime/node/crypto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.d.ts","sourceRoot":"","sources":["../../../src/runtime/node/crypto.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAA;AAE3D;;GAEG;AACH,wBAAgB,gBAAgB,IAAI,cAAc,CAqBjD"}

package/dist/runtime/node/crypto.js

@@ -0,0 +1,26 @@
+import { createHmac, randomBytes, timingSafeEqual as nodeTimingSafeEqual, } from 'node:crypto';
+import { v4 as uuidv4 } from 'uuid';
+/**
+ * CryptoProvider implementation using Node.js crypto module.
+ */
+export function createNodeCrypto() {
+    return {
+        async randomHex(byteLength) {
+            return randomBytes(byteLength).toString('hex');
+        },
+        uuid() {
+            return uuidv4();
+        },
+        async hmacSha256(key, data) {
+            return createHmac('sha256', key).update(data).digest('hex');
+        },
+        async timingSafeEqual(a, b) {
+            const bufA = Buffer.from(a, 'utf8');
+            const bufB = Buffer.from(b, 'utf8');
+            if (bufA.length !== bufB.length)
+                return false;
+            return nodeTimingSafeEqual(bufA, bufB);
+        },
+    };
+}
+//# sourceMappingURL=crypto.js.map

package/dist/runtime/node/crypto.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.js","sourceRoot":"","sources":["../../../src/runtime/node/crypto.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,UAAU,EACV,WAAW,EACX,eAAe,IAAI,mBAAmB,GACvC,MAAM,aAAa,CAAA;AACpB,OAAO,EAAE,EAAE,IAAI,MAAM,EAAE,MAAM,MAAM,CAAA;AAGnC;;GAEG;AACH,MAAM,UAAU,gBAAgB;IAC9B,OAAO;QACL,KAAK,CAAC,SAAS,CAAC,UAAkB;YAChC,OAAO,WAAW,CAAC,UAAU,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;QAChD,CAAC;QAED,IAAI;YACF,OAAO,MAAM,EAAE,CAAA;QACjB,CAAC;QAED,KAAK,CAAC,UAAU,CAAC,GAAW,EAAE,IAAY;YACxC,OAAO,UAAU,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAA;QAC7D,CAAC;QAED,KAAK,CAAC,eAAe,CAAC,CAAS,EAAE,CAAS;YACxC,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,EAAE,MAAM,CAAC,CAAA;YACnC,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,EAAE,MAAM,CAAC,CAAA;YACnC,IAAI,IAAI,CAAC,MAAM,KAAK,IAAI,CAAC,MAAM;gBAAE,OAAO,KAAK,CAAA;YAC7C,OAAO,mBAAmB,CAAC,IAAI,EAAE,IAAI,CAAC,CAAA;QACxC,CAAC;KACF,CAAA;AACH,CAAC"}

package/dist/runtime/node/index.d.ts

@@ -0,0 +1,17 @@
+import type { Vault } from '../../types/vault.js';
+import type { RelayHub } from '../../types/relay.js';
+import type { CryptoProvider } from '../../types/crypto.js';
+export interface NodeRuntimeConfig {
+    vaultMasterKey: string;
+}
+export interface NodeRuntime {
+    vault: Vault;
+    relay: RelayHub;
+    crypto: CryptoProvider;
+}
+/**
+ * Create runtime services for Node.js (vault, relay, crypto).
+ * Does NOT include DB repositories -- those are created separately via the DB subpath.
+ */
+export declare function createNodeRuntime(config: NodeRuntimeConfig): NodeRuntime;
+//# sourceMappingURL=index.d.ts.map

package/dist/runtime/node/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/runtime/node/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,sBAAsB,CAAA;AACjD,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAA;AACpD,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAA;AAK3D,MAAM,WAAW,iBAAiB;IAChC,cAAc,EAAE,MAAM,CAAA;CACvB;AAED,MAAM,WAAW,WAAW;IAC1B,KAAK,EAAE,KAAK,CAAA;IACZ,KAAK,EAAE,QAAQ,CAAA;IACf,MAAM,EAAE,cAAc,CAAA;CACvB;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,iBAAiB,GAAG,WAAW,CAMxE"}

package/dist/runtime/node/index.js

@@ -0,0 +1,14 @@
+import { createNodeVault } from './vault.js';
+import { createNodeCrypto } from './crypto.js';
+import { createNodeRelay } from './relay.js';
+/**
+ * Create runtime services for Node.js (vault, relay, crypto).
+ * Does NOT include DB repositories -- those are created separately via the DB subpath.
+ */
+export function createNodeRuntime(config) {
+    const vault = createNodeVault(config.vaultMasterKey);
+    const crypto = createNodeCrypto();
+    const relay = createNodeRelay();
+    return { vault, relay, crypto };
+}
+//# sourceMappingURL=index.js.map

package/dist/runtime/node/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/runtime/node/index.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,eAAe,EAAE,MAAM,YAAY,CAAA;AAC5C,OAAO,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAA;AAC9C,OAAO,EAAE,eAAe,EAAE,MAAM,YAAY,CAAA;AAY5C;;;GAGG;AACH,MAAM,UAAU,iBAAiB,CAAC,MAAyB;IACzD,MAAM,KAAK,GAAG,eAAe,CAAC,MAAM,CAAC,cAAc,CAAC,CAAA;IACpD,MAAM,MAAM,GAAG,gBAAgB,EAAE,CAAA;IACjC,MAAM,KAAK,GAAG,eAAe,EAAE,CAAA;IAE/B,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,CAAA;AACjC,CAAC"}

package/dist/runtime/node/relay.d.ts

@@ -0,0 +1,6 @@
+import type { RelayHub } from '../../types/relay.js';
+/**
+ * SSE-based RelayHub implementation for Node.js.
+ */
+export declare function createNodeRelay(): RelayHub;
+//# sourceMappingURL=relay.d.ts.map

package/dist/runtime/node/relay.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"relay.d.ts","sourceRoot":"","sources":["../../../src/runtime/node/relay.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAA;AASpD;;GAEG;AACH,wBAAgB,eAAe,IAAI,QAAQ,CAmF1C"}

package/dist/runtime/node/relay.js

@@ -0,0 +1,73 @@
+import { streamSSE } from 'hono/streaming';
+/**
+ * SSE-based RelayHub implementation for Node.js.
+ */
+export function createNodeRelay() {
+    // botId -> SSEClient (1 bot = 1 active connection)
+    const clients = new Map();
+    let eventCounter = 0;
+    return {
+        async handleStream(c, botId, connectKey) {
+            return streamSSE(c, async (stream) => {
+                // Replace existing connection (reconnect scenario)
+                const existing = clients.get(botId);
+                if (existing) {
+                    existing.close();
+                }
+                let closed = false;
+                const client = {
+                    botId,
+                    connectKey,
+                    send(event, data, id) {
+                        if (closed)
+                            return;
+                        stream.writeSSE({ event, data, id }).catch(() => {
+                            closed = true;
+                        });
+                    },
+                    close() {
+                        closed = true;
+                    },
+                };
+                clients.set(botId, client);
+                // Connection confirmation event
+                client.send('connected', JSON.stringify({ botId, ts: Date.now() }));
+                // Heartbeat (every 30 seconds)
+                const heartbeatInterval = setInterval(() => {
+                    if (closed) {
+                        clearInterval(heartbeatInterval);
+                        return;
+                    }
+                    client.send('ping', JSON.stringify({ ts: Date.now() }));
+                }, 30_000);
+                // Wait for connection close
+                stream.onAbort(() => {
+                    closed = true;
+                    clearInterval(heartbeatInterval);
+                    clients.delete(botId);
+                });
+                // Keep connection alive until aborted
+                while (!closed) {
+                    await new Promise((r) => setTimeout(r, 1000));
+                }
+                clearInterval(heartbeatInterval);
+                clients.delete(botId);
+            });
+        },
+        dispatch(botId, event) {
+            const client = clients.get(botId);
+            if (!client)
+                return false;
+            const id = String(++eventCounter);
+            client.send('slack_event', JSON.stringify(event), id);
+            return true;
+        },
+        isConnected(botId) {
+            return clients.has(botId);
+        },
+        connectedBots() {
+            return Array.from(clients.keys());
+        },
+    };
+}
+//# sourceMappingURL=relay.js.map

package/dist/runtime/node/relay.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"relay.js","sourceRoot":"","sources":["../../../src/runtime/node/relay.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,SAAS,EAAE,MAAM,gBAAgB,CAAA;AAU1C;;GAEG;AACH,MAAM,UAAU,eAAe;IAC7B,mDAAmD;IACnD,MAAM,OAAO,GAAG,IAAI,GAAG,EAAqB,CAAA;IAE5C,IAAI,YAAY,GAAG,CAAC,CAAA;IAEpB,OAAO;QACL,KAAK,CAAC,YAAY,CAChB,CAAU,EACV,KAAa,EACb,UAAkB;YAElB,OAAO,SAAS,CAAC,CAAC,EAAE,KAAK,EAAE,MAAM,EAAE,EAAE;gBACnC,mDAAmD;gBACnD,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAA;gBACnC,IAAI,QAAQ,EAAE,CAAC;oBACb,QAAQ,CAAC,KAAK,EAAE,CAAA;gBAClB,CAAC;gBAED,IAAI,MAAM,GAAG,KAAK,CAAA;gBAElB,MAAM,MAAM,GAAc;oBACxB,KAAK;oBACL,UAAU;oBACV,IAAI,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE;wBAClB,IAAI,MAAM;4BAAE,OAAM;wBAClB,MAAM,CAAC,QAAQ,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE;4BAC9C,MAAM,GAAG,IAAI,CAAA;wBACf,CAAC,CAAC,CAAA;oBACJ,CAAC;oBACD,KAAK;wBACH,MAAM,GAAG,IAAI,CAAA;oBACf,CAAC;iBACF,CAAA;gBAED,OAAO,CAAC,GAAG,CAAC,KAAK,EAAE,MAAM,CAAC,CAAA;gBAE1B,gCAAgC;gBAChC,MAAM,CAAC,IAAI,CAAC,WAAW,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,CAAA;gBAEnE,+BAA+B;gBAC/B,MAAM,iBAAiB,GAAG,WAAW,CAAC,GAAG,EAAE;oBACzC,IAAI,MAAM,EAAE,CAAC;wBACX,aAAa,CAAC,iBAAiB,CAAC,CAAA;wBAChC,OAAM;oBACR,CAAC;oBACD,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,EAAE,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,CAAA;gBACzD,CAAC,EAAE,MAAM,CAAC,CAAA;gBAEV,4BAA4B;gBAC5B,MAAM,CAAC,OAAO,CAAC,GAAG,EAAE;oBAClB,MAAM,GAAG,IAAI,CAAA;oBACb,aAAa,CAAC,iBAAiB,CAAC,CAAA;oBAChC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAA;gBACvB,CAAC,CAAC,CAAA;gBAEF,sCAAsC;gBACtC,OAAO,CAAC,MAAM,EAAE,CAAC;oBACf,MAAM,IAAI,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC,CAAA;gBAC/C,CAAC;gBAED,aAAa,CAAC,iBAAiB,CAAC,CAAA;gBAChC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAA;YACvB,CAAC,CAAwB,CAAA;QAC3B,CAAC;QAED,QAAQ,CAAC,KAAa,EAAE,KAAc;YACpC,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAA;YACjC,IAAI,CAAC,MAAM;gBAAE,OAAO,KAAK,CAAA;YAEzB,MAAM,EAAE,GAAG,MAAM,CAAC,EAAE,YAAY,CAAC,CAAA;YACjC,MAAM,CAAC,IAAI,CAAC,aAAa,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,EAAE,EAAE,CAAC,CAAA;YACrD,OAAO,IAAI,CAAA;QACb,CAAC;QAED,WAAW,CAAC,KAAa;YACvB,OAAO,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAA;QAC3B,CAAC;QAED,aAAa;YACX,OAAO,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAA;QACnC,CAAC;KACF,CAAA;AACH,CAAC"}

package/dist/runtime/node/vault.d.ts

@@ -0,0 +1,7 @@
+import type { Vault } from '../../types/vault.js';
+/**
+ * AES-256-GCM Vault implementation using Node.js crypto.
+ * Returns Promises to match the Vault interface (Web Crypto compatibility).
+ */
+export declare function createNodeVault(masterKeyHex: string): Vault;
+//# sourceMappingURL=vault.d.ts.map

package/dist/runtime/node/vault.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"vault.d.ts","sourceRoot":"","sources":["../../../src/runtime/node/vault.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,sBAAsB,CAAA;AAMjD;;;GAGG;AACH,wBAAgB,eAAe,CAAC,YAAY,EAAE,MAAM,GAAG,KAAK,CAkC3D"}

package/dist/runtime/node/vault.js

@@ -0,0 +1,41 @@
+import { createCipheriv, createDecipheriv, randomBytes, } from 'node:crypto';
+const ALGORITHM = 'aes-256-gcm';
+const IV_LENGTH = 12;
+const AUTH_TAG_LENGTH = 16;
+/**
+ * AES-256-GCM Vault implementation using Node.js crypto.
+ * Returns Promises to match the Vault interface (Web Crypto compatibility).
+ */
+export function createNodeVault(masterKeyHex) {
+    const masterKey = Buffer.from(masterKeyHex, 'hex');
+    if (masterKey.length !== 32) {
+        throw new Error('VAULT_MASTER_KEY must be 32 bytes (64 hex chars)');
+    }
+    return {
+        async encrypt(plaintext) {
+            const iv = randomBytes(IV_LENGTH);
+            const cipher = createCipheriv(ALGORITHM, masterKey, iv, {
+                authTagLength: AUTH_TAG_LENGTH,
+            });
+            const encrypted = Buffer.concat([
+                cipher.update(plaintext, 'utf8'),
+                cipher.final(),
+            ]);
+            const authTag = cipher.getAuthTag();
+            // Format: base64(iv + authTag + ciphertext)
+            return Buffer.concat([iv, authTag, encrypted]).toString('base64');
+        },
+        async decrypt(encoded) {
+            const data = Buffer.from(encoded, 'base64');
+            const iv = data.subarray(0, IV_LENGTH);
+            const authTag = data.subarray(IV_LENGTH, IV_LENGTH + AUTH_TAG_LENGTH);
+            const ciphertext = data.subarray(IV_LENGTH + AUTH_TAG_LENGTH);
+            const decipher = createDecipheriv(ALGORITHM, masterKey, iv, {
+                authTagLength: AUTH_TAG_LENGTH,
+            });
+            decipher.setAuthTag(authTag);
+            return decipher.update(ciphertext) + decipher.final('utf8');
+        },
+    };
+}
+//# sourceMappingURL=vault.js.map

package/dist/runtime/node/vault.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"vault.js","sourceRoot":"","sources":["../../../src/runtime/node/vault.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,cAAc,EACd,gBAAgB,EAChB,WAAW,GACZ,MAAM,aAAa,CAAA;AAGpB,MAAM,SAAS,GAAG,aAAa,CAAA;AAC/B,MAAM,SAAS,GAAG,EAAE,CAAA;AACpB,MAAM,eAAe,GAAG,EAAE,CAAA;AAE1B;;;GAGG;AACH,MAAM,UAAU,eAAe,CAAC,YAAoB;IAClD,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,YAAY,EAAE,KAAK,CAAC,CAAA;IAClD,IAAI,SAAS,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QAC5B,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAA;IACrE,CAAC;IAED,OAAO;QACL,KAAK,CAAC,OAAO,CAAC,SAAiB;YAC7B,MAAM,EAAE,GAAG,WAAW,CAAC,SAAS,CAAC,CAAA;YACjC,MAAM,MAAM,GAAG,cAAc,CAAC,SAAS,EAAE,SAAS,EAAE,EAAE,EAAE;gBACtD,aAAa,EAAE,eAAe;aAC/B,CAAC,CAAA;YACF,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC;gBAC9B,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC;gBAChC,MAAM,CAAC,KAAK,EAAE;aACf,CAAC,CAAA;YACF,MAAM,OAAO,GAAG,MAAM,CAAC,UAAU,EAAE,CAAA;YACnC,4CAA4C;YAC5C,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,EAAE,EAAE,OAAO,EAAE,SAAS,CAAC,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAA;QACnE,CAAC;QAED,KAAK,CAAC,OAAO,CAAC,OAAe;YAC3B,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAA;YAC3C,MAAM,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC,CAAC,EAAE,SAAS,CAAC,CAAA;YACtC,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC,SAAS,EAAE,SAAS,GAAG,eAAe,CAAC,CAAA;YACrE,MAAM,UAAU,GAAG,IAAI,CAAC,QAAQ,CAAC,SAAS,GAAG,eAAe,CAAC,CAAA;YAE7D,MAAM,QAAQ,GAAG,gBAAgB,CAAC,SAAS,EAAE,SAAS,EAAE,EAAE,EAAE;gBAC1D,aAAa,EAAE,eAAe;aAC/B,CAAC,CAAA;YACF,QAAQ,CAAC,UAAU,CAAC,OAAO,CAAC,CAAA;YAC5B,OAAO,QAAQ,CAAC,MAAM,CAAC,UAAU,CAAC,GAAG,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAC,CAAA;QAC7D,CAAC;KACF,CAAA;AACH,CAAC"}

package/dist/slack/events.d.ts

@@ -0,0 +1,15 @@
+import { Hono } from 'hono';
+import type { Vault } from '../types/vault.js';
+import type { RelayHub } from '../types/relay.js';
+import type { CryptoProvider } from '../types/crypto.js';
+import type { BotRepository } from '../types/repository.js';
+/**
+ * Slack HTTP Events API receiver + relay to SSE/WebSocket Hub.
+ *
+ * Route: POST /slack/events/:botId
+ * - url_verification challenge auto-response
+ * - signing_secret signature verification
+ * - Relay to local runtime via RelayHub
+ */
+export declare function createSlackEventsHandler(botRepo: BotRepository, vault: Vault, relay: RelayHub, crypto: CryptoProvider): Hono<import("hono/types").BlankEnv, import("hono/types").BlankSchema, "/">;
+//# sourceMappingURL=events.d.ts.map

package/dist/slack/events.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"events.d.ts","sourceRoot":"","sources":["../../src/slack/events.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAA;AAC3B,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,mBAAmB,CAAA;AAC9C,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,mBAAmB,CAAA;AACjD,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAA;AACxD,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAA;AAE3D;;;;;;;GAOG;AACH,wBAAgB,wBAAwB,CACtC,OAAO,EAAE,aAAa,EACtB,KAAK,EAAE,KAAK,EACZ,KAAK,EAAE,QAAQ,EACf,MAAM,EAAE,cAAc,8EAyEvB"}