@skillfm/local 2.6.3 → 2.7.0

package/dist/vault/crypto.js

@@ -0,0 +1,54 @@
+// sdk/skillfm-local/src/vault/crypto.ts
+//
+// AES-256-GCM 加密原语
+// IV 12 bytes (GCM 推荐) / Auth tag 16 bytes / Key 32 bytes
+import { randomBytes, createCipheriv, createDecipheriv } from 'node:crypto';
+import { VaultError, VAULT_ERROR_CODES } from './types.js';
+const ALGO = 'aes-256-gcm';
+const KEY_BYTES = 32;
+const IV_BYTES = 12;
+const TAG_BYTES = 16;
+export function generateMasterKey() {
+    return randomBytes(KEY_BYTES);
+}
+export function encrypt(plaintext, key) {
+    if (key.length !== KEY_BYTES) {
+        throw new VaultError(VAULT_ERROR_CODES.MASTER_KEY_INVALID, `master key must be ${KEY_BYTES} bytes, got ${key.length}`);
+    }
+    const iv = randomBytes(IV_BYTES);
+    const cipher = createCipheriv(ALGO, key, iv);
+    const encrypted = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
+    const tag = cipher.getAuthTag();
+    if (tag.length !== TAG_BYTES) {
+        throw new VaultError(VAULT_ERROR_CODES.DECRYPT_FAILED, `unexpected auth tag length ${tag.length}`);
+    }
+    return {
+        iv_b64: iv.toString('base64'),
+        auth_tag_b64: tag.toString('base64'),
+        ciphertext_b64: encrypted.toString('base64'),
+    };
+}
+export function decrypt(blob, key) {
+    if (key.length !== KEY_BYTES) {
+        throw new VaultError(VAULT_ERROR_CODES.MASTER_KEY_INVALID, `master key must be ${KEY_BYTES} bytes`);
+    }
+    const iv = Buffer.from(blob.iv_b64, 'base64');
+    const tag = Buffer.from(blob.auth_tag_b64, 'base64');
+    const cipher_buf = Buffer.from(blob.ciphertext_b64, 'base64');
+    if (iv.length !== IV_BYTES) {
+        throw new VaultError(VAULT_ERROR_CODES.VAULT_FILE_CORRUPTED, `iv length ${iv.length} != ${IV_BYTES}`);
+    }
+    if (tag.length !== TAG_BYTES) {
+        throw new VaultError(VAULT_ERROR_CODES.VAULT_FILE_CORRUPTED, `tag length ${tag.length} != ${TAG_BYTES}`);
+    }
+    try {
+        const decipher = createDecipheriv(ALGO, key, iv);
+        decipher.setAuthTag(tag);
+        const decrypted = Buffer.concat([decipher.update(cipher_buf), decipher.final()]);
+        return decrypted.toString('utf8');
+    }
+    catch (e) {
+        throw new VaultError(VAULT_ERROR_CODES.DECRYPT_FAILED, `AES-GCM auth failed: ${e instanceof Error ? e.message : String(e)}`);
+    }
+}
+//# sourceMappingURL=crypto.js.map

package/dist/vault/crypto.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.js","sourceRoot":"","sources":["../../src/vault/crypto.ts"],"names":[],"mappings":"AAAA,wCAAwC;AACxC,EAAE;AACF,mBAAmB;AACnB,0DAA0D;AAE1D,OAAO,EAAE,WAAW,EAAE,cAAc,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAC5E,OAAO,EAAE,UAAU,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAE3D,MAAM,IAAI,GAAG,aAAa,CAAC;AAC3B,MAAM,SAAS,GAAG,EAAE,CAAC;AACrB,MAAM,QAAQ,GAAG,EAAE,CAAC;AACpB,MAAM,SAAS,GAAG,EAAE,CAAC;AAQrB,MAAM,UAAU,iBAAiB;IAC/B,OAAO,WAAW,CAAC,SAAS,CAAC,CAAC;AAChC,CAAC;AAED,MAAM,UAAU,OAAO,CAAC,SAAiB,EAAE,GAAW;IACpD,IAAI,GAAG,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;QAC7B,MAAM,IAAI,UAAU,CAAC,iBAAiB,CAAC,kBAAkB,EAAE,sBAAsB,SAAS,eAAe,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;IACzH,CAAC;IACD,MAAM,EAAE,GAAG,WAAW,CAAC,QAAQ,CAAC,CAAC;IACjC,MAAM,MAAM,GAAG,cAAc,CAAC,IAAI,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IAC7C,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IACpF,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;IAChC,IAAI,GAAG,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;QAC7B,MAAM,IAAI,UAAU,CAAC,iBAAiB,CAAC,cAAc,EAAE,8BAA8B,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;IACrG,CAAC;IACD,OAAO;QACL,MAAM,EAAE,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAC7B,YAAY,EAAE,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC;QACpC,cAAc,EAAE,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC;KAC7C,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,OAAO,CAAC,IAAmB,EAAE,GAAW;IACtD,IAAI,GAAG,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;QAC7B,MAAM,IAAI,UAAU,CAAC,iBAAiB,CAAC,kBAAkB,EAAE,sBAAsB,SAAS,QAAQ,CAAC,CAAC;IACtG,CAAC;IACD,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;IAC9C,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,QAAQ,CAAC,CAAC;IACrD,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,cAAc,EAAE,QAAQ,CAAC,CAAC;IAC9D,IAAI,EAAE,CAAC,MAAM,KAAK,QAAQ,EAAE,CAAC;QAC3B,MAAM,IAAI,UAAU,CAAC,iBAAiB,CAAC,oBAAoB,EAAE,aAAa,EAAE,CAAC,MAAM,OAAO,QAAQ,EAAE,CAAC,CAAC;IACxG,CAAC;IACD,IAAI,GAAG,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;QAC7B,MAAM,IAAI,UAAU,CAAC,iBAAiB,CAAC,oBAAoB,EAAE,cAAc,GAAG,CAAC,MAAM,OAAO,SAAS,EAAE,CAAC,CAAC;IAC3G,CAAC;IACD,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,gBAAgB,CAAC,IAAI,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;QACjD,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;QACzB,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,UAAU,CAAC,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;QACjF,OAAO,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IACpC,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,MAAM,IAAI,UAAU,CAAC,iBAAiB,CAAC,cAAc,EAAE,wBAAwB,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;IAC/H,CAAC;AACH,CAAC"}

package/dist/vault/index.d.ts

@@ -0,0 +1,6 @@
+export type { VaultConfig } from './vault.js';
+export { Vault } from './vault.js';
+export type { VaultEntries, VaultFileV1, VaultProviderId } from './types.js';
+export { VaultError, VAULT_ERROR_CODES } from './types.js';
+export { encrypt, decrypt, generateMasterKey } from './crypto.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/vault/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/vault/index.ts"],"names":[],"mappings":"AAEA,YAAY,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAC9C,OAAO,EAAE,KAAK,EAAE,MAAM,YAAY,CAAC;AACnC,YAAY,EAAE,YAAY,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAC7E,OAAO,EAAE,UAAU,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAC3D,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC"}

package/dist/vault/index.js

@@ -0,0 +1,5 @@
+// sdk/skillfm-local/src/vault/index.ts
+export { Vault } from './vault.js';
+export { VaultError, VAULT_ERROR_CODES } from './types.js';
+export { encrypt, decrypt, generateMasterKey } from './crypto.js';
+//# sourceMappingURL=index.js.map

package/dist/vault/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/vault/index.ts"],"names":[],"mappings":"AAAA,uCAAuC;AAGvC,OAAO,EAAE,KAAK,EAAE,MAAM,YAAY,CAAC;AAEnC,OAAO,EAAE,UAAU,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAC3D,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC"}

package/dist/vault/types.d.ts

@@ -0,0 +1,28 @@
+export type VaultProviderId = string;
+export interface VaultFileV1 {
+    version: 1;
+    /** 12 bytes IV, base64 */
+    iv: string;
+    /** 16 bytes auth tag, base64 */
+    auth_tag: string;
+    /** AES-256-GCM ciphertext, base64 */
+    ciphertext: string;
+    created_at: string;
+    updated_at: string;
+}
+export interface VaultEntries {
+    [provider: string]: string;
+}
+export declare class VaultError extends Error {
+    code: string;
+    constructor(code: string, message: string);
+}
+export declare const VAULT_ERROR_CODES: {
+    readonly MASTER_KEY_NOT_FOUND: "VAULT_MASTER_KEY_NOT_FOUND";
+    readonly MASTER_KEY_INVALID: "VAULT_MASTER_KEY_INVALID";
+    readonly VAULT_FILE_CORRUPTED: "VAULT_FILE_CORRUPTED";
+    readonly DECRYPT_FAILED: "VAULT_DECRYPT_FAILED";
+    readonly PROVIDER_NOT_FOUND: "VAULT_PROVIDER_NOT_FOUND";
+    readonly IO_ERROR: "VAULT_IO_ERROR";
+};
+//# sourceMappingURL=types.d.ts.map

package/dist/vault/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/vault/types.ts"],"names":[],"mappings":"AAMA,MAAM,MAAM,eAAe,GAAG,MAAM,CAAC;AAErC,MAAM,WAAW,WAAW;IAC1B,OAAO,EAAE,CAAC,CAAC;IACX,0BAA0B;IAC1B,EAAE,EAAE,MAAM,CAAC;IACX,gCAAgC;IAChC,QAAQ,EAAE,MAAM,CAAC;IACjB,qCAAqC;IACrC,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,YAAY;IAC3B,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAAC;CAC5B;AAED,qBAAa,UAAW,SAAQ,KAAK;IAChB,IAAI,EAAE,MAAM;gBAAZ,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM;CAIjD;AAED,eAAO,MAAM,iBAAiB;;;;;;;CAOpB,CAAC"}

package/dist/vault/types.js

@@ -0,0 +1,22 @@
+// sdk/skillfm-local/src/vault/types.ts
+//
+// 凭证保险柜 — Day 3 D3-B1
+// AES-256-GCM 加密用户 BYOK key, master key 存节点本地 (~/.skillfm/vault.key chmod 0600)
+// 替代 Day 1+2 connector in-memory 处理 — Day 3 之后所有 connector 从 vault.get() 取 key
+export class VaultError extends Error {
+    code;
+    constructor(code, message) {
+        super(message);
+        this.code = code;
+        this.name = 'VaultError';
+    }
+}
+export const VAULT_ERROR_CODES = {
+    MASTER_KEY_NOT_FOUND: 'VAULT_MASTER_KEY_NOT_FOUND',
+    MASTER_KEY_INVALID: 'VAULT_MASTER_KEY_INVALID',
+    VAULT_FILE_CORRUPTED: 'VAULT_FILE_CORRUPTED',
+    DECRYPT_FAILED: 'VAULT_DECRYPT_FAILED',
+    PROVIDER_NOT_FOUND: 'VAULT_PROVIDER_NOT_FOUND',
+    IO_ERROR: 'VAULT_IO_ERROR',
+};
+//# sourceMappingURL=types.js.map

package/dist/vault/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/vault/types.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,EAAE;AACF,sBAAsB;AACtB,gFAAgF;AAChF,+EAA+E;AAoB/E,MAAM,OAAO,UAAW,SAAQ,KAAK;IAChB;IAAnB,YAAmB,IAAY,EAAE,OAAe;QAC9C,KAAK,CAAC,OAAO,CAAC,CAAC;QADE,SAAI,GAAJ,IAAI,CAAQ;QAE7B,IAAI,CAAC,IAAI,GAAG,YAAY,CAAC;IAC3B,CAAC;CACF;AAED,MAAM,CAAC,MAAM,iBAAiB,GAAG;IAC/B,oBAAoB,EAAE,4BAA4B;IAClD,kBAAkB,EAAE,0BAA0B;IAC9C,oBAAoB,EAAE,sBAAsB;IAC5C,cAAc,EAAE,sBAAsB;IACtC,kBAAkB,EAAE,0BAA0B;IAC9C,QAAQ,EAAE,gBAAgB;CAClB,CAAC"}

package/dist/vault/vault.d.ts

@@ -0,0 +1,34 @@
+import type { VaultProviderId } from './types.js';
+export interface VaultConfig {
+    /** master key 文件 (default: ~/.skillfm/vault.key) */
+    master_key_path?: string;
+    /** vault 加密文件 (default: ~/.skillfm/vault.enc) */
+    vault_path?: string;
+}
+export declare class Vault {
+    private master_key_path;
+    private vault_path;
+    private _master_key;
+    private _entries;
+    constructor(cfg?: VaultConfig);
+    /** 初始化: 加载 master key (没有则生成) + 加载 vault entries (没有则空) */
+    init(): Promise<void>;
+    put(provider: VaultProviderId, key: string): Promise<void>;
+    get(provider: VaultProviderId): Promise<string | null>;
+    list(): Promise<VaultProviderId[]>;
+    delete(provider: VaultProviderId): Promise<boolean>;
+    /** 轮换 master key — 重生成 master key + 重加密所有 entries */
+    rotate(): Promise<void>;
+    /** 验证 vault 是否健康 (能解密) */
+    health(): Promise<{
+        ok: boolean;
+        entry_count: number;
+        error?: string;
+    }>;
+    private ensureDir;
+    private ensureInitialized;
+    private loadOrCreateMasterKey;
+    private loadEntries;
+    private saveEntries;
+}
+//# sourceMappingURL=vault.d.ts.map

package/dist/vault/vault.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"vault.d.ts","sourceRoot":"","sources":["../../src/vault/vault.ts"],"names":[],"mappings":"AAUA,OAAO,KAAK,EAA6B,eAAe,EAAE,MAAM,YAAY,CAAC;AAG7E,MAAM,WAAW,WAAW;IAC1B,oDAAoD;IACpD,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,iDAAiD;IACjD,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAMD,qBAAa,KAAK;IAChB,OAAO,CAAC,eAAe,CAAS;IAChC,OAAO,CAAC,UAAU,CAAS;IAC3B,OAAO,CAAC,WAAW,CAAuB;IAC1C,OAAO,CAAC,QAAQ,CAA6B;gBAEjC,GAAG,CAAC,EAAE,WAAW;IAK7B,2DAA2D;IACrD,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;IAMrB,GAAG,CAAC,QAAQ,EAAE,eAAe,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAM1D,GAAG,CAAC,QAAQ,EAAE,eAAe,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAKtD,IAAI,IAAI,OAAO,CAAC,eAAe,EAAE,CAAC;IAKlC,MAAM,CAAC,QAAQ,EAAE,eAAe,GAAG,OAAO,CAAC,OAAO,CAAC;IAUzD,qDAAqD;IAC/C,MAAM,IAAI,OAAO,CAAC,IAAI,CAAC;IAQ7B,0BAA0B;IACpB,MAAM,IAAI,OAAO,CAAC;QAAE,EAAE,EAAE,OAAO,CAAC;QAAC,WAAW,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;YAe/D,SAAS;YAST,iBAAiB;YAMjB,qBAAqB;YAkBrB,WAAW;YAwBX,WAAW;CAsB1B"}

package/dist/vault/vault.js

@@ -0,0 +1,149 @@
+// sdk/skillfm-local/src/vault/vault.ts
+//
+// Vault 主 API — put / get / list / delete / rotate
+// 文件持久化: master key (~/.skillfm/vault.key chmod 0600) + vault.enc (加密 JSON)
+// 异步 (非阻塞 IO)
+import { promises as fs } from 'node:fs';
+import { homedir } from 'node:os';
+import path from 'node:path';
+import { encrypt, decrypt, generateMasterKey } from './crypto.js';
+import { VaultError, VAULT_ERROR_CODES } from './types.js';
+const DEFAULT_DIR = path.join(homedir(), '.skillfm');
+const DEFAULT_MASTER_KEY = path.join(DEFAULT_DIR, 'vault.key');
+const DEFAULT_VAULT = path.join(DEFAULT_DIR, 'vault.enc');
+export class Vault {
+    master_key_path;
+    vault_path;
+    _master_key = null;
+    _entries = null;
+    constructor(cfg) {
+        this.master_key_path = cfg?.master_key_path ?? DEFAULT_MASTER_KEY;
+        this.vault_path = cfg?.vault_path ?? DEFAULT_VAULT;
+    }
+    /** 初始化: 加载 master key (没有则生成) + 加载 vault entries (没有则空) */
+    async init() {
+        await this.ensureDir();
+        this._master_key = await this.loadOrCreateMasterKey();
+        this._entries = await this.loadEntries();
+    }
+    async put(provider, key) {
+        await this.ensureInitialized();
+        this._entries[provider] = key;
+        await this.saveEntries();
+    }
+    async get(provider) {
+        await this.ensureInitialized();
+        return this._entries[provider] ?? null;
+    }
+    async list() {
+        await this.ensureInitialized();
+        return Object.keys(this._entries).sort();
+    }
+    async delete(provider) {
+        await this.ensureInitialized();
+        if (provider in this._entries) {
+            delete this._entries[provider];
+            await this.saveEntries();
+            return true;
+        }
+        return false;
+    }
+    /** 轮换 master key — 重生成 master key + 重加密所有 entries */
+    async rotate() {
+        await this.ensureInitialized();
+        const new_key = generateMasterKey();
+        await fs.writeFile(this.master_key_path, new_key, { mode: 0o600 });
+        this._master_key = new_key;
+        await this.saveEntries();
+    }
+    /** 验证 vault 是否健康 (能解密) */
+    async health() {
+        try {
+            await this.ensureInitialized();
+            return { ok: true, entry_count: Object.keys(this._entries).length };
+        }
+        catch (e) {
+            return {
+                ok: false,
+                entry_count: 0,
+                error: e instanceof Error ? e.message : String(e),
+            };
+        }
+    }
+    // ────────────────────────── private ──────────────────────────
+    async ensureDir() {
+        const dir = path.dirname(this.master_key_path);
+        try {
+            await fs.mkdir(dir, { recursive: true, mode: 0o700 });
+        }
+        catch (e) {
+            throw new VaultError(VAULT_ERROR_CODES.IO_ERROR, `mkdir ${dir}: ${e instanceof Error ? e.message : e}`);
+        }
+    }
+    async ensureInitialized() {
+        if (!this._master_key || !this._entries) {
+            await this.init();
+        }
+    }
+    async loadOrCreateMasterKey() {
+        try {
+            const buf = await fs.readFile(this.master_key_path);
+            if (buf.length !== 32) {
+                throw new VaultError(VAULT_ERROR_CODES.MASTER_KEY_INVALID, `master key length ${buf.length} != 32`);
+            }
+            return buf;
+        }
+        catch (e) {
+            // 不存在 → 生成新的
+            if (e.code === 'ENOENT') {
+                const new_key = generateMasterKey();
+                await fs.writeFile(this.master_key_path, new_key, { mode: 0o600 });
+                return new_key;
+            }
+            throw e;
+        }
+    }
+    async loadEntries() {
+        try {
+            const raw = await fs.readFile(this.vault_path, 'utf8');
+            const file = JSON.parse(raw);
+            if (file.version !== 1) {
+                throw new VaultError(VAULT_ERROR_CODES.VAULT_FILE_CORRUPTED, `unsupported version ${file.version}`);
+            }
+            const plain = decrypt({ iv_b64: file.iv, auth_tag_b64: file.auth_tag, ciphertext_b64: file.ciphertext }, this._master_key);
+            return JSON.parse(plain);
+        }
+        catch (e) {
+            if (e.code === 'ENOENT') {
+                return {}; // 第一次, 空 vault
+            }
+            if (e instanceof VaultError)
+                throw e;
+            throw new VaultError(VAULT_ERROR_CODES.VAULT_FILE_CORRUPTED, `load vault: ${e instanceof Error ? e.message : e}`);
+        }
+    }
+    async saveEntries() {
+        const plain = JSON.stringify(this._entries);
+        const enc = encrypt(plain, this._master_key);
+        const now = new Date().toISOString();
+        let created_at = now;
+        try {
+            const existing = await fs.readFile(this.vault_path, 'utf8');
+            const f = JSON.parse(existing);
+            created_at = f.created_at ?? now;
+        }
+        catch {
+            /* 第一次写, created_at = now */
+        }
+        const file = {
+            version: 1,
+            iv: enc.iv_b64,
+            auth_tag: enc.auth_tag_b64,
+            ciphertext: enc.ciphertext_b64,
+            created_at,
+            updated_at: now,
+        };
+        await fs.writeFile(this.vault_path, JSON.stringify(file, null, 2), { mode: 0o600 });
+    }
+}
+//# sourceMappingURL=vault.js.map

package/dist/vault/vault.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"vault.js","sourceRoot":"","sources":["../../src/vault/vault.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,EAAE;AACF,mDAAmD;AACnD,4EAA4E;AAC5E,cAAc;AAEd,OAAO,EAAE,QAAQ,IAAI,EAAE,EAAE,MAAM,SAAS,CAAC;AACzC,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAElE,OAAO,EAAE,UAAU,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAS3D,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,UAAU,CAAC,CAAC;AACrD,MAAM,kBAAkB,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC;AAC/D,MAAM,aAAa,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC;AAE1D,MAAM,OAAO,KAAK;IACR,eAAe,CAAS;IACxB,UAAU,CAAS;IACnB,WAAW,GAAkB,IAAI,CAAC;IAClC,QAAQ,GAAwB,IAAI,CAAC;IAE7C,YAAY,GAAiB;QAC3B,IAAI,CAAC,eAAe,GAAG,GAAG,EAAE,eAAe,IAAI,kBAAkB,CAAC;QAClE,IAAI,CAAC,UAAU,GAAG,GAAG,EAAE,UAAU,IAAI,aAAa,CAAC;IACrD,CAAC;IAED,2DAA2D;IAC3D,KAAK,CAAC,IAAI;QACR,MAAM,IAAI,CAAC,SAAS,EAAE,CAAC;QACvB,IAAI,CAAC,WAAW,GAAG,MAAM,IAAI,CAAC,qBAAqB,EAAE,CAAC;QACtD,IAAI,CAAC,QAAQ,GAAG,MAAM,IAAI,CAAC,WAAW,EAAE,CAAC;IAC3C,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,QAAyB,EAAE,GAAW;QAC9C,MAAM,IAAI,CAAC,iBAAiB,EAAE,CAAC;QAC/B,IAAI,CAAC,QAAS,CAAC,QAAQ,CAAC,GAAG,GAAG,CAAC;QAC/B,MAAM,IAAI,CAAC,WAAW,EAAE,CAAC;IAC3B,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,QAAyB;QACjC,MAAM,IAAI,CAAC,iBAAiB,EAAE,CAAC;QAC/B,OAAO,IAAI,CAAC,QAAS,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC;IAC1C,CAAC;IAED,KAAK,CAAC,IAAI;QACR,MAAM,IAAI,CAAC,iBAAiB,EAAE,CAAC;QAC/B,OAAO,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,QAAS,CAAC,CAAC,IAAI,EAAE,CAAC;IAC5C,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,QAAyB;QACpC,MAAM,IAAI,CAAC,iBAAiB,EAAE,CAAC;QAC/B,IAAI,QAAQ,IAAI,IAAI,CAAC,QAAS,EAAE,CAAC;YAC/B,OAAO,IAAI,CAAC,QAAS,CAAC,QAAQ,CAAC,CAAC;YAChC,MAAM,IAAI,CAAC,WAAW,EAAE,CAAC;YACzB,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,qDAAqD;IACrD,KAAK,CAAC,MAAM;QACV,MAAM,IAAI,CAAC,iBAAiB,EAAE,CAAC;QAC/B,MAAM,OAAO,GAAG,iBAAiB,EAAE,CAAC;QACpC,MAAM,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,eAAe,EAAE,OAAO,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QACnE,IAAI,CAAC,WAAW,GAAG,OAAO,CAAC;QAC3B,MAAM,IAAI,CAAC,WAAW,EAAE,CAAC;IAC3B,CAAC;IAED,0BAA0B;IAC1B,KAAK,CAAC,MAAM;QACV,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,iBAAiB,EAAE,CAAC;YAC/B,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,WAAW,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,QAAS,CAAC,CAAC,MAAM,EAAE,CAAC;QACvE,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO;gBACL,EAAE,EAAE,KAAK;gBACT,WAAW,EAAE,CAAC;gBACd,KAAK,EAAE,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC;aAClD,CAAC;QACJ,CAAC;IACH,CAAC;IAED,gEAAgE;IAExD,KAAK,CAAC,SAAS;QACrB,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;QAC/C,IAAI,CAAC;YACH,MAAM,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QACxD,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,MAAM,IAAI,UAAU,CAAC,iBAAiB,CAAC,QAAQ,EAAE,SAAS,GAAG,KAAK,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;QAC1G,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,iBAAiB;QAC7B,IAAI,CAAC,IAAI,CAAC,WAAW,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC;YACxC,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;QACpB,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,qBAAqB;QACjC,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;YACpD,IAAI,GAAG,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;gBACtB,MAAM,IAAI,UAAU,CAAC,iBAAiB,CAAC,kBAAkB,EAAE,qBAAqB,GAAG,CAAC,MAAM,QAAQ,CAAC,CAAC;YACtG,CAAC;YACD,OAAO,GAAG,CAAC;QACb,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,aAAa;YACb,IAAK,CAA2B,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;gBACnD,MAAM,OAAO,GAAG,iBAAiB,EAAE,CAAC;gBACpC,MAAM,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,eAAe,EAAE,OAAO,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;gBACnE,OAAO,OAAO,CAAC;YACjB,CAAC;YACD,MAAM,CAAC,CAAC;QACV,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,WAAW;QACvB,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;YACvD,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAgB,CAAC;YAC5C,IAAI,IAAI,CAAC,OAAO,KAAK,CAAC,EAAE,CAAC;gBACvB,MAAM,IAAI,UAAU,CAAC,iBAAiB,CAAC,oBAAoB,EAAE,uBAAuB,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC;YACtG,CAAC;YACD,MAAM,KAAK,GAAG,OAAO,CACnB,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,EAAE,YAAY,EAAE,IAAI,CAAC,QAAQ,EAAE,cAAc,EAAE,IAAI,CAAC,UAAU,EAAE,EACjF,IAAI,CAAC,WAAY,CAClB,CAAC;YACF,OAAO,IAAI,CAAC,KAAK,CAAC,KAAK,CAAiB,CAAC;QAC3C,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,IAAK,CAA2B,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;gBACnD,OAAO,EAAE,CAAC,CAAC,eAAe;YAC5B,CAAC;YACD,IAAI,CAAC,YAAY,UAAU;gBAAE,MAAM,CAAC,CAAC;YACrC,MAAM,IAAI,UAAU,CAClB,iBAAiB,CAAC,oBAAoB,EACtC,eAAe,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,EAAE,CACpD,CAAC;QACJ,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,WAAW;QACvB,MAAM,KAAK,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAC5C,MAAM,GAAG,GAAG,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,WAAY,CAAC,CAAC;QAC9C,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QACrC,IAAI,UAAU,GAAG,GAAG,CAAC;QACrB,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;YAC5D,MAAM,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAgB,CAAC;YAC9C,UAAU,GAAG,CAAC,CAAC,UAAU,IAAI,GAAG,CAAC;QACnC,CAAC;QAAC,MAAM,CAAC;YACP,4BAA4B;QAC9B,CAAC;QACD,MAAM,IAAI,GAAgB;YACxB,OAAO,EAAE,CAAC;YACV,EAAE,EAAE,GAAG,CAAC,MAAM;YACd,QAAQ,EAAE,GAAG,CAAC,YAAY;YAC1B,UAAU,EAAE,GAAG,CAAC,cAAc;YAC9B,UAAU;YACV,UAAU,EAAE,GAAG;SAChB,CAAC;QACF,MAAM,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IACtF,CAAC;CACF"}

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@skillfm/local",
-  "version": "2.6.3",
-  "description": "SkillFM local sidecar \u2014 a tiny localhost HTTP proxy that lets any AI agent activate and run SkillFM skills in the current conversation without restarting its MCP runtime. Writes ~/.skillfm/local.json for service discovery.",
+  "version": "2.7.0",
+  "description": "SkillFM local — single npm package for the SkillFM platform on user nodes. Subcommand router exposes (1) Beacon MCP stdio server (cost-optimizer for any agent; merged in from @skillfm/beacon-mcp on 2026-05-01), (2) skill runtime (BYOK Playwright / brain reverse-tunnel), (3) sidecar HTTP proxy + OAuth 2.1 device-flow activation. Writes ~/.skillfm/local.json for service discovery.",
   "type": "module",
   "main": "./dist/index.js",
   "types": "./dist/index.d.ts",
@@ -10,9 +10,17 @@
       "types": "./dist/index.d.ts",
       "import": "./dist/index.js"
     },
+    "./mcp": {
+      "types": "./dist/mcp/index.d.ts",
+      "import": "./dist/mcp/index.js"
+    },
     "./mcp-stdio": {
       "types": "./dist/mcp-stdio/server.d.ts",
       "import": "./dist/mcp-stdio/server.js"
+    },
+    "./connectors": {
+      "types": "./dist/connectors/index.d.ts",
+      "import": "./dist/connectors/index.js"
     }
   },
   "files": [
@@ -31,19 +39,23 @@
     "localhost",
     "agent-native",
     "mcp",
+    "model-context-protocol",
+    "beacon",
+    "cost-optimizer",
+    "byok",
     "bootstrap"
   ],
   "scripts": {
     "build": "tsc",
-    "vendor:contracts": "node scripts/inline-contracts.ts",
+    "vendor:contracts": "node scripts/inline-contracts.ts && tsx scripts/inline-mcp-contracts.ts",
     "prebuild": "npm run vendor:contracts",
     "dev": "tsx src/index.ts",
     "typecheck": "tsc --noEmit",
     "start": "node dist/index.js start",
     "prepublishOnly": "npm run build && bash scripts/verify-no-bare-workspace-imports.sh dist",
-    "test": "tsx --test src/harness/detector.test.ts src/harness/priming.test.ts src/harness/writers.test.ts src/guard/state.test.ts src/soul.test.ts src/soul-security.test.ts src/harness/kernels/registry.test.ts src/harness/kernels/deny-pipeline.test.ts src/mcp-output/builder.test.ts src/mcp-output/deny-review.test.ts src/mcp-output/integration.test.ts src/skill-md/template.test.ts src/skill-md/writer.test.ts src/mcp-stdio/smoke.test.ts src/mcp-stdio/render-flow.contract.test.ts src/mcp-stdio/render-aha.test.ts src/mcp-stdio/sse-progress-client.test.ts src/mcp-stdio/parse-tolerant-json.test.ts src/self-upgrade.test.ts src/skill-tunnel/local-bridge.test.ts src/skill-tunnel/client.test.ts src/skill-runner/discovery.test.ts src/skill-installer/index.test.ts src/_dist-no-external-contracts.test.ts",
+    "test": "tsx --test src/harness/detector.test.ts src/harness/priming.test.ts src/harness/writers.test.ts src/guard/state.test.ts src/soul.test.ts src/soul-security.test.ts src/harness/kernels/registry.test.ts src/harness/kernels/deny-pipeline.test.ts src/mcp-output/builder.test.ts src/mcp-output/deny-review.test.ts src/mcp-output/integration.test.ts src/skill-md/template.test.ts src/skill-md/writer.test.ts src/mcp-stdio/smoke.test.ts src/mcp-stdio/render-flow.contract.test.ts src/mcp-stdio/render-aha.test.ts src/mcp-stdio/sse-progress-client.test.ts src/mcp-stdio/parse-tolerant-json.test.ts src/self-upgrade.test.ts src/skill-tunnel/local-bridge.test.ts src/skill-tunnel/client.test.ts src/skill-runner/discovery.test.ts src/skill-installer/index.test.ts src/_dist-no-external-contracts.test.ts src/mcp/server-boot.test.ts src/connectors/connectors.test.ts src/asset-connectors/asset-connectors.test.ts src/saas-connectors/saas-connectors.test.ts src/router/router.test.ts src/vault/vault.test.ts src/scheduler/scheduler.test.ts src/_signers/signers.test.ts src/memory/memory.test.ts src/mcp/tools/memory-tools.test.ts",
     "test:acceptance": "npm run build && bash scripts/acceptance-matrix.sh",
-    "postpublish": "curl -sS -m 10 -X PUT 'https://registry.npmmirror.com/-/package/@skillfm/local/syncs?sync_upstream=true' > /dev/null && echo '\u2713 npmmirror sync triggered' || echo '\u26a0 npmmirror sync failed (\u975e\u963b\u585e\uff0c\u53ef\u624b\u52a8\u89e6\u53d1)'"
+    "postpublish": "curl -sS -m 10 -X PUT 'https://registry.npmmirror.com/-/package/@skillfm/local/syncs?sync_upstream=true' > /dev/null && echo '✓ npmmirror sync triggered' || echo '⚠ npmmirror sync failed (非阻塞，可手动触发)'"
   },
   "dependencies": {
     "@modelcontextprotocol/sdk": "^1.0.0",