@share-crm/sharecrm-cli 1.1.0

package/dist/core/state/legacySessionMigration.js

@@ -0,0 +1,109 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.toSessionMetaRecord = toSessionMetaRecord;
+exports.toStoredSecretRecord = toStoredSecretRecord;
+exports.toSessionAccountKey = toSessionAccountKey;
+exports.parseStoredSecretRecord = parseStoredSecretRecord;
+exports.removeLegacySessionFile = removeLegacySessionFile;
+exports.migrateLegacySessionIfNeeded = migrateLegacySessionIfNeeded;
+const promises_1 = require("node:fs/promises");
+const paths_1 = require("./paths");
+function toSessionMetaRecord(session) {
+    const scope = Array.isArray(session.scope) ? session.scope.filter((item) => typeof item === 'string') : [];
+    return {
+        userId: session.userId,
+        userName: session.userName,
+        appId: session.appId,
+        apiUrl: session.apiUrl,
+        scope,
+        grantedAt: session.grantedAt,
+        tokenExpireAt: session.tokenExpireAt,
+        identity: session.identity,
+    };
+}
+function toStoredSecretRecord(session) {
+    return {
+        accessToken: session.accessToken,
+        refreshToken: session.refreshToken,
+    };
+}
+function toSessionAccountKey(appId, userId) {
+    return `${appId}:${userId}`;
+}
+function parseStoredSecretRecord(value) {
+    if (!value) {
+        return null;
+    }
+    try {
+        const parsed = JSON.parse(value);
+        if (!parsed || typeof parsed.accessToken !== 'string' || parsed.accessToken.length === 0) {
+            return null;
+        }
+        if (parsed.refreshToken !== undefined && typeof parsed.refreshToken !== 'string') {
+            return null;
+        }
+        return {
+            accessToken: parsed.accessToken,
+            refreshToken: parsed.refreshToken,
+        };
+    }
+    catch {
+        return null;
+    }
+}
+async function removeLegacySessionFile() {
+    await (0, promises_1.rm)((0, paths_1.resolveCliPaths)().legacySessionFile, { force: true });
+}
+async function hasSecureSession(metaStore, secretStore) {
+    const config = await metaStore.load();
+    const meta = config?.session;
+    if (!meta?.appId || !meta.userId) {
+        return false;
+    }
+    const rawSecret = await secretStore.get(toSessionAccountKey(meta.appId, meta.userId));
+    return parseStoredSecretRecord(rawSecret) !== null;
+}
+async function loadLegacySession() {
+    try {
+        const content = await (0, promises_1.readFile)((0, paths_1.resolveCliPaths)().legacySessionFile, 'utf8');
+        try {
+            return JSON.parse(content);
+        }
+        catch {
+            return null;
+        }
+    }
+    catch (error) {
+        if (error.code === 'ENOENT') {
+            return null;
+        }
+        throw error;
+    }
+}
+async function migrateLegacySessionIfNeeded(metaStore, secretStore) {
+    if (await hasSecureSession(metaStore, secretStore)) {
+        await removeLegacySessionFile();
+        return;
+    }
+    const legacySession = await loadLegacySession();
+    if (!legacySession) {
+        return;
+    }
+    if (!legacySession.appId || !legacySession.userId || !legacySession.accessToken) {
+        return;
+    }
+    const account = toSessionAccountKey(legacySession.appId, legacySession.userId);
+    await metaStore.saveSession(toSessionMetaRecord(legacySession));
+    await secretStore.set(account, JSON.stringify(toStoredSecretRecord(legacySession)));
+    const verifiedConfig = await metaStore.load();
+    const verifiedMeta = verifiedConfig?.session;
+    if (!verifiedMeta?.appId || !verifiedMeta.userId) {
+        throw new Error('Failed to verify migrated session metadata.');
+    }
+    const verifiedAccount = toSessionAccountKey(verifiedMeta.appId, verifiedMeta.userId);
+    const verifiedSecret = parseStoredSecretRecord(await secretStore.get(verifiedAccount));
+    if (!verifiedSecret) {
+        throw new Error('Failed to verify migrated session secret.');
+    }
+    await removeLegacySessionFile();
+}

package/dist/core/state/paths.js

@@ -0,0 +1,40 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.resolveCliPaths = resolveCliPaths;
+const node_os_1 = __importDefault(require("node:os"));
+const node_path_1 = __importDefault(require("node:path"));
+function resolveConfigDir(platform) {
+    const envConfigDir = process.env.FS_CLI_CONFIG_DIR;
+    if (envConfigDir)
+        return envConfigDir;
+    const homeDir = node_os_1.default.homedir() || process.env.HOME?.trim();
+    if (!homeDir) {
+        if (platform === 'win32') {
+            const userProfile = process.env.USERPROFILE?.trim();
+            if (userProfile)
+                return userProfile;
+            const homeDrive = process.env.HOMEDRIVE?.trim();
+            const homePath = process.env.HOMEPATH?.trim();
+            if (homeDrive && homePath)
+                return node_path_1.default.join(homeDrive, homePath);
+        }
+        throw new Error('无法确定配置目录位置，请设置 FS_CLI_CONFIG_DIR 环境变量。');
+    }
+    return node_path_1.default.join(homeDir, '.sharecrm-cli');
+}
+function resolveCliPaths(platform = process.platform) {
+    const rootDir = resolveConfigDir(platform);
+    return {
+        rootDir,
+        configFile: node_path_1.default.join(rootDir, 'config.json'),
+        sessionFile: node_path_1.default.join(rootDir, 'session.json'),
+        // Kept as an alias during staged auth-storage migration so existing readers continue to resolve the same path.
+        legacySessionFile: node_path_1.default.join(rootDir, 'session.json'),
+        keychainDir: node_path_1.default.join(rootDir, 'keychain'),
+        sessionLockFile: node_path_1.default.join(rootDir, 'session.lock'),
+        commandCacheFile: node_path_1.default.join(rootDir, 'command-cache.json'),
+    };
+}

package/dist/core/state/secretStore/commonFileCrypto.js

@@ -0,0 +1,61 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createMasterKey = createMasterKey;
+exports.accountToCipherFileName = accountToCipherFileName;
+exports.encryptToFile = encryptToFile;
+exports.decryptFromFile = decryptFromFile;
+const node_crypto_1 = require("node:crypto");
+const promises_1 = require("node:fs/promises");
+const AES_GCM_ALGORITHM = 'aes-256-gcm';
+const AES_GCM_KEY_SIZE = 32;
+const AES_GCM_IV_SIZE = 12;
+const AES_GCM_TAG_SIZE = 16;
+function assertKey(key) {
+    if (key.length !== AES_GCM_KEY_SIZE) {
+        throw new Error(`Invalid AES-256-GCM key length: ${key.length}`);
+    }
+}
+function createMasterKey() {
+    return (0, node_crypto_1.randomBytes)(AES_GCM_KEY_SIZE);
+}
+function accountToCipherFileName(account) {
+    if (!account) {
+        throw new Error('Account is required.');
+    }
+    return `${(0, node_crypto_1.createHash)('sha256').update(account).digest('hex')}.enc`;
+}
+async function encryptToFile(targetPath, plaintext, key) {
+    assertKey(key);
+    const iv = (0, node_crypto_1.randomBytes)(AES_GCM_IV_SIZE);
+    const cipher = (0, node_crypto_1.createCipheriv)(AES_GCM_ALGORITHM, key, iv);
+    const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
+    const tag = cipher.getAuthTag();
+    const payload = Buffer.concat([iv, tag, ciphertext]);
+    const tmpPath = `${targetPath}.${process.pid}.${(0, node_crypto_1.randomUUID)()}.tmp`;
+    let moved = false;
+    try {
+        await (0, promises_1.writeFile)(tmpPath, payload, { mode: 0o600, flag: 'wx' });
+        await (0, promises_1.chmod)(tmpPath, 0o600);
+        await (0, promises_1.rename)(tmpPath, targetPath);
+        moved = true;
+    }
+    finally {
+        if (!moved) {
+            await (0, promises_1.rm)(tmpPath, { force: true }).catch(() => { });
+        }
+    }
+}
+async function decryptFromFile(targetPath, key) {
+    assertKey(key);
+    const payload = await (0, promises_1.readFile)(targetPath);
+    if (payload.length < AES_GCM_IV_SIZE + AES_GCM_TAG_SIZE) {
+        throw new Error(`Encrypted payload is corrupted at ${targetPath}.`);
+    }
+    const iv = payload.subarray(0, AES_GCM_IV_SIZE);
+    const tag = payload.subarray(AES_GCM_IV_SIZE, AES_GCM_IV_SIZE + AES_GCM_TAG_SIZE);
+    const ciphertext = payload.subarray(AES_GCM_IV_SIZE + AES_GCM_TAG_SIZE);
+    const decipher = (0, node_crypto_1.createDecipheriv)(AES_GCM_ALGORITHM, key, iv);
+    decipher.setAuthTag(tag);
+    const plaintext = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
+    return plaintext.toString('utf8');
+}

package/dist/core/state/secretStore/index.js

@@ -0,0 +1,28 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createUnsupportedSecretStore = exports.createWin32SecretStore = exports.createDarwinSecretStore = exports.createLinuxSecretStore = void 0;
+exports.createSecretStore = createSecretStore;
+const secretStore_darwin_1 = require("./secretStore.darwin");
+const secretStore_linux_1 = require("./secretStore.linux");
+const secretStore_unsupported_1 = require("./secretStore.unsupported");
+const secretStore_win32_1 = require("./secretStore.win32");
+function createSecretStore(platform = process.platform) {
+    switch (platform) {
+        case 'linux':
+            return (0, secretStore_linux_1.createLinuxSecretStore)();
+        case 'darwin':
+            return (0, secretStore_darwin_1.createDarwinSecretStore)();
+        case 'win32':
+            return (0, secretStore_win32_1.createWin32SecretStore)();
+        default:
+            return (0, secretStore_unsupported_1.createUnsupportedSecretStore)(platform);
+    }
+}
+var secretStore_linux_2 = require("./secretStore.linux");
+Object.defineProperty(exports, "createLinuxSecretStore", { enumerable: true, get: function () { return secretStore_linux_2.createLinuxSecretStore; } });
+var secretStore_darwin_2 = require("./secretStore.darwin");
+Object.defineProperty(exports, "createDarwinSecretStore", { enumerable: true, get: function () { return secretStore_darwin_2.createDarwinSecretStore; } });
+var secretStore_win32_2 = require("./secretStore.win32");
+Object.defineProperty(exports, "createWin32SecretStore", { enumerable: true, get: function () { return secretStore_win32_2.createWin32SecretStore; } });
+var secretStore_unsupported_2 = require("./secretStore.unsupported");
+Object.defineProperty(exports, "createUnsupportedSecretStore", { enumerable: true, get: function () { return secretStore_unsupported_2.createUnsupportedSecretStore; } });

package/dist/core/state/secretStore/secretStore.darwin.js

@@ -0,0 +1,139 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createDarwinSecretStore = createDarwinSecretStore;
+const node_child_process_1 = require("node:child_process");
+const promises_1 = require("node:fs/promises");
+const node_path_1 = __importDefault(require("node:path"));
+const node_util_1 = require("node:util");
+const paths_1 = require("../paths");
+const commonFileCrypto_1 = require("./commonFileCrypto");
+const DEFAULT_SECURITY_SERVICE = 'sharecrm-cli.secret-store';
+const DEFAULT_SECURITY_ACCOUNT = 'default';
+const execFileAsync = (0, node_util_1.promisify)(node_child_process_1.execFile);
+async function defaultExecFile(file, args, options) {
+    const result = await execFileAsync(file, [...args], {
+        encoding: 'utf8',
+        env: options?.env,
+    });
+    return {
+        stdout: String(result.stdout ?? ''),
+        stderr: String(result.stderr ?? ''),
+    };
+}
+function isMissingSecurityItem(error) {
+    const maybe = error;
+    if (maybe.code === 44 || maybe.code === '44') {
+        return true;
+    }
+    const detail = `${maybe.stderr ?? ''}\n${maybe.message ?? ''}`.toLowerCase();
+    return detail.includes('could not be found');
+}
+function isDuplicateSecurityItem(error) {
+    const maybe = error;
+    if (maybe.code === 45 || maybe.code === '45') {
+        return true;
+    }
+    const detail = `${maybe.stderr ?? ''}\n${maybe.message ?? ''}`.toLowerCase();
+    return detail.includes('already exists') || detail.includes('-25299');
+}
+function decodeMasterKey(encodedValue) {
+    const key = Buffer.from(encodedValue.trim(), 'base64');
+    if (key.length !== 32) {
+        throw new Error(`Invalid macOS secret-store master key length: ${key.length}`);
+    }
+    return key;
+}
+async function ensureKeychainDir(keychainDir) {
+    await (0, promises_1.mkdir)(keychainDir, { recursive: true });
+    await (0, promises_1.chmod)(keychainDir, 0o700);
+}
+async function findMasterKey(execFile, securityService, securityAccount) {
+    try {
+        const result = await execFile('security', [
+            'find-generic-password',
+            '-s',
+            securityService,
+            '-a',
+            securityAccount,
+            '-w',
+        ]);
+        return decodeMasterKey(result.stdout);
+    }
+    catch (error) {
+        if (isMissingSecurityItem(error)) {
+            return null;
+        }
+        throw error;
+    }
+}
+async function createAndPersistMasterKey(execFile, securityService, securityAccount) {
+    const encoded = (0, commonFileCrypto_1.createMasterKey)().toString('base64');
+    await execFile('security', [
+        'add-generic-password',
+        '-s',
+        securityService,
+        '-a',
+        securityAccount,
+        '-w',
+        encoded,
+    ]);
+    return decodeMasterKey(encoded);
+}
+function createDarwinSecretStore(options = {}) {
+    const keychainDir = options.keychainDir ?? (0, paths_1.resolveCliPaths)().keychainDir;
+    const securityService = options.securityService ?? DEFAULT_SECURITY_SERVICE;
+    const securityAccount = options.securityAccount ?? DEFAULT_SECURITY_ACCOUNT;
+    const execFile = options.execFile ?? defaultExecFile;
+    async function getMasterKey(allowCreate) {
+        const existing = await findMasterKey(execFile, securityService, securityAccount);
+        if (existing || !allowCreate) {
+            return existing;
+        }
+        try {
+            return await createAndPersistMasterKey(execFile, securityService, securityAccount);
+        }
+        catch (error) {
+            if (!isDuplicateSecurityItem(error)) {
+                throw error;
+            }
+            return findMasterKey(execFile, securityService, securityAccount);
+        }
+    }
+    return {
+        async get(account) {
+            const fileName = (0, commonFileCrypto_1.accountToCipherFileName)(account);
+            const key = await getMasterKey(false);
+            if (!key) {
+                return null;
+            }
+            const payloadPath = node_path_1.default.join(keychainDir, fileName);
+            try {
+                return await (0, commonFileCrypto_1.decryptFromFile)(payloadPath, key);
+            }
+            catch (error) {
+                if (error.code === 'ENOENT') {
+                    return null;
+                }
+                throw error;
+            }
+        },
+        async set(account, value) {
+            const fileName = (0, commonFileCrypto_1.accountToCipherFileName)(account);
+            await ensureKeychainDir(keychainDir);
+            const key = await getMasterKey(true);
+            if (!key) {
+                throw new Error('Unable to initialize macOS secret-store master key.');
+            }
+            const payloadPath = node_path_1.default.join(keychainDir, fileName);
+            await (0, commonFileCrypto_1.encryptToFile)(payloadPath, value, key);
+        },
+        async remove(account) {
+            const fileName = (0, commonFileCrypto_1.accountToCipherFileName)(account);
+            const payloadPath = node_path_1.default.join(keychainDir, fileName);
+            await (0, promises_1.rm)(payloadPath, { force: true });
+        },
+    };
+}

package/dist/core/state/secretStore/secretStore.linux.js

@@ -0,0 +1,90 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createLinuxSecretStore = createLinuxSecretStore;
+const promises_1 = require("node:fs/promises");
+const node_path_1 = __importDefault(require("node:path"));
+const paths_1 = require("../paths");
+const commonFileCrypto_1 = require("./commonFileCrypto");
+async function ensureKeychainDir(keychainDir) {
+    await (0, promises_1.mkdir)(keychainDir, { recursive: true });
+    await (0, promises_1.chmod)(keychainDir, 0o700);
+}
+function resolveMasterKeyPath(keychainDir) {
+    return node_path_1.default.join(keychainDir, 'master.key');
+}
+async function readMasterKey(masterKeyPath) {
+    try {
+        const key = await (0, promises_1.readFile)(masterKeyPath);
+        if (key.length !== 32) {
+            throw new Error(`Invalid Linux secret-store master key length: ${key.length}`);
+        }
+        return key;
+    }
+    catch (error) {
+        if (error.code === 'ENOENT') {
+            return null;
+        }
+        throw error;
+    }
+}
+async function loadOrCreateMasterKey(keychainDir) {
+    await ensureKeychainDir(keychainDir);
+    const masterKeyPath = resolveMasterKeyPath(keychainDir);
+    const existing = await readMasterKey(masterKeyPath);
+    if (existing) {
+        return existing;
+    }
+    const created = (0, commonFileCrypto_1.createMasterKey)();
+    try {
+        await (0, promises_1.writeFile)(masterKeyPath, created, { mode: 0o600, flag: 'wx' });
+    }
+    catch (error) {
+        if (error.code !== 'EEXIST') {
+            throw error;
+        }
+        const raced = await readMasterKey(masterKeyPath);
+        if (!raced) {
+            throw error;
+        }
+        return raced;
+    }
+    await (0, promises_1.chmod)(masterKeyPath, 0o600);
+    return created;
+}
+function createLinuxSecretStore(options = {}) {
+    const keychainDir = options.keychainDir ?? (0, paths_1.resolveCliPaths)().keychainDir;
+    const masterKeyPath = resolveMasterKeyPath(keychainDir);
+    return {
+        async get(account) {
+            const fileName = (0, commonFileCrypto_1.accountToCipherFileName)(account);
+            const key = await readMasterKey(masterKeyPath);
+            if (!key) {
+                return null;
+            }
+            const payloadPath = node_path_1.default.join(keychainDir, fileName);
+            try {
+                return await (0, commonFileCrypto_1.decryptFromFile)(payloadPath, key);
+            }
+            catch (error) {
+                if (error.code === 'ENOENT') {
+                    return null;
+                }
+                throw error;
+            }
+        },
+        async set(account, value) {
+            const fileName = (0, commonFileCrypto_1.accountToCipherFileName)(account);
+            const key = await loadOrCreateMasterKey(keychainDir);
+            const payloadPath = node_path_1.default.join(keychainDir, fileName);
+            await (0, commonFileCrypto_1.encryptToFile)(payloadPath, value, key);
+        },
+        async remove(account) {
+            const fileName = (0, commonFileCrypto_1.accountToCipherFileName)(account);
+            const payloadPath = node_path_1.default.join(keychainDir, fileName);
+            await (0, promises_1.rm)(payloadPath, { force: true });
+        },
+    };
+}

package/dist/core/state/secretStore/secretStore.unsupported.js

@@ -0,0 +1,17 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createUnsupportedSecretStore = createUnsupportedSecretStore;
+function createUnsupportedSecretStore(platform = process.platform) {
+    const error = () => new Error(`SecretStore is not supported on platform "${platform}".`);
+    return {
+        async get() {
+            throw error();
+        },
+        async set() {
+            throw error();
+        },
+        async remove() {
+            throw error();
+        },
+    };
+}

package/dist/core/state/secretStore/secretStore.win32.js

@@ -0,0 +1,162 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createWin32SecretStore = createWin32SecretStore;
+const node_child_process_1 = require("node:child_process");
+const node_util_1 = require("node:util");
+const DEFAULT_REGISTRY_PATH = 'HKCU:\\Software\\sharecrm-cli\\keychain';
+const execFileAsync = (0, node_util_1.promisify)(node_child_process_1.execFile);
+const NOT_FOUND_MARKER = '__FS_CLI_NOT_FOUND__';
+const FOUND_MARKER = '__FS_CLI_FOUND__';
+const BASE64_PATTERN = /^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/;
+const ENV_PLAIN_B64 = 'FS_CLI_SECRET_PLAIN_B64';
+const ENV_PROTECTED_B64 = 'FS_CLI_SECRET_PROTECTED_B64';
+const ENV_REGISTRY_PATH_B64 = 'FS_CLI_SECRET_REGISTRY_PATH_B64';
+const ENV_REGISTRY_NAME_B64 = 'FS_CLI_SECRET_REGISTRY_NAME_B64';
+const ENV_REGISTRY_VALUE_B64 = 'FS_CLI_SECRET_REGISTRY_VALUE_B64';
+const PROTECT_SCRIPT = [
+    'Add-Type -AssemblyName System.Security',
+    `$plain64 = $env:${ENV_PLAIN_B64}`,
+    'if ($null -eq $plain64) { throw "Missing plaintext input." }',
+    '$plainBytes = [Convert]::FromBase64String($plain64)',
+    '$protectedBytes = [System.Security.Cryptography.ProtectedData]::Protect($plainBytes, $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)',
+    '[Console]::Out.Write([Convert]::ToBase64String($protectedBytes))',
+    '',
+].join('\n');
+const UNPROTECT_SCRIPT = [
+    'Add-Type -AssemblyName System.Security',
+    `$protected64 = $env:${ENV_PROTECTED_B64}`,
+    'if ($null -eq $protected64) { throw "Missing protected input." }',
+    '$protectedBytes = [Convert]::FromBase64String($protected64)',
+    '$plainBytes = [System.Security.Cryptography.ProtectedData]::Unprotect($protectedBytes, $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)',
+    '[Console]::Out.Write([Convert]::ToBase64String($plainBytes))',
+    '',
+].join('\n');
+const WRITE_REGISTRY_SCRIPT = [
+    `$path = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($env:${ENV_REGISTRY_PATH_B64}))`,
+    `$name = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($env:${ENV_REGISTRY_NAME_B64}))`,
+    `$value = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($env:${ENV_REGISTRY_VALUE_B64}))`,
+    'New-Item -Path $path -Force | Out-Null',
+    'Set-ItemProperty -Path $path -Name $name -Value $value',
+    '',
+].join('\n');
+const READ_REGISTRY_SCRIPT = [
+    `$path = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($env:${ENV_REGISTRY_PATH_B64}))`,
+    `$name = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($env:${ENV_REGISTRY_NAME_B64}))`,
+    'if (-not (Test-Path -Path $path)) {',
+    `  [Console]::Out.Write('${NOT_FOUND_MARKER}')`,
+    '  return',
+    '}',
+    '$item = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue',
+    'if ($null -eq $item -or -not ($item.PSObject.Properties.Name -contains $name)) {',
+    `  [Console]::Out.Write('${NOT_FOUND_MARKER}')`,
+    '  return',
+    '}',
+    '$value = [string]$item.$name',
+    `[Console]::Out.Write('${FOUND_MARKER}' + $value)`,
+    '',
+].join('\n');
+const REMOVE_REGISTRY_SCRIPT = [
+    `$path = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($env:${ENV_REGISTRY_PATH_B64}))`,
+    `$name = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($env:${ENV_REGISTRY_NAME_B64}))`,
+    'if (Test-Path -Path $path) {',
+    '  Remove-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue',
+    '}',
+    '',
+].join('\n');
+async function defaultExecFile(file, args, options) {
+    const result = await execFileAsync(file, [...args], {
+        encoding: 'utf8',
+        env: options?.env,
+    });
+    return {
+        stdout: String(result.stdout ?? ''),
+        stderr: String(result.stderr ?? ''),
+    };
+}
+function toBase64Utf8(value) {
+    return Buffer.from(value, 'utf8').toString('base64');
+}
+function toBase64Utf16Le(value) {
+    return Buffer.from(value, 'utf16le').toString('base64');
+}
+function normalizePowerShellOutput(output) {
+    return output
+        .replace(/(?:^|\r?\n)#< CLIXML[\s\S]*$/m, '')
+        .replace(/^[\r\n]+|[\r\n]+$/g, '');
+}
+function decodeBase64Strict(value, label) {
+    const normalized = normalizePowerShellOutput(value);
+    if (normalized.length === 0) {
+        return '';
+    }
+    if (!BASE64_PATTERN.test(normalized)) {
+        throw new Error(`Failed to parse PowerShell ${label} output.`);
+    }
+    const decoded = Buffer.from(normalized, 'base64');
+    if (decoded.toString('base64') !== normalized) {
+        throw new Error(`Failed to parse PowerShell ${label} output.`);
+    }
+    return decoded.toString('utf8');
+}
+async function runPowerShell(execFile, script, env) {
+    const result = await execFile('powershell.exe', [
+        '-NoProfile',
+        '-NonInteractive',
+        '-ExecutionPolicy',
+        'Bypass',
+        '-EncodedCommand',
+        toBase64Utf16Le(script),
+    ], {
+        env: {
+            ...process.env,
+            ...env,
+        },
+    });
+    return result.stdout;
+}
+function buildRegistryEnv(registryPath, name) {
+    return {
+        [ENV_REGISTRY_PATH_B64]: toBase64Utf8(registryPath),
+        [ENV_REGISTRY_NAME_B64]: toBase64Utf8(name),
+    };
+}
+function parseReadRegistryOutput(output) {
+    const normalized = normalizePowerShellOutput(output);
+    if (normalized === NOT_FOUND_MARKER) {
+        return null;
+    }
+    if (!normalized.startsWith(FOUND_MARKER)) {
+        throw new Error(`Unexpected PowerShell registry read output: ${normalized}`);
+    }
+    return normalized.slice(FOUND_MARKER.length);
+}
+function createWin32SecretStore(options = {}) {
+    const execFile = options.execFile ?? defaultExecFile;
+    const registryPath = options.registryPath ?? DEFAULT_REGISTRY_PATH;
+    return {
+        async get(account) {
+            const protectedValue = parseReadRegistryOutput(await runPowerShell(execFile, READ_REGISTRY_SCRIPT, buildRegistryEnv(registryPath, account)));
+            if (protectedValue === null) {
+                return null;
+            }
+            return decodeBase64Strict(await runPowerShell(execFile, UNPROTECT_SCRIPT, {
+                [ENV_PROTECTED_B64]: protectedValue,
+            }), 'unprotect');
+        },
+        async set(account, value) {
+            const protectedValue = normalizePowerShellOutput(await runPowerShell(execFile, PROTECT_SCRIPT, {
+                [ENV_PLAIN_B64]: toBase64Utf8(value),
+            }));
+            if (!protectedValue) {
+                throw new Error('Failed to protect secret via DPAPI.');
+            }
+            await runPowerShell(execFile, WRITE_REGISTRY_SCRIPT, {
+                ...buildRegistryEnv(registryPath, account),
+                [ENV_REGISTRY_VALUE_B64]: toBase64Utf8(protectedValue),
+            });
+        },
+        async remove(account) {
+            await runPowerShell(execFile, REMOVE_REGISTRY_SCRIPT, buildRegistryEnv(registryPath, account));
+        },
+    };
+}

package/dist/core/state/secretStore/types.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/core/state/sessionMetaStore.js

@@ -0,0 +1,24 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SessionMetaStore = void 0;
+const configStore_1 = require("./configStore");
+class SessionMetaStore {
+    configStore;
+    constructor(configStore = new configStore_1.ConfigStore()) {
+        this.configStore = configStore;
+    }
+    async load() {
+        return this.configStore.load();
+    }
+    async loadSession() {
+        return (await this.load())?.session;
+    }
+    async saveSession(meta) {
+        const base = await this.configStore.initialize();
+        await this.configStore.save({
+            ...base,
+            session: meta,
+        });
+    }
+}
+exports.SessionMetaStore = SessionMetaStore;