@terminals-tech/sdk 1.0.0-rc.1 → 1.0.0

package/dist/chunk-QWXPVB2L.js

@@ -0,0 +1,320 @@
+import {
+  createClient,
+  init_dist
+} from "./chunk-TSQ3BGLA.js";
+import {
+  __esm,
+  __export,
+  __toCommonJS
+} from "./chunk-2ESYSVXG.js";
+
+// ../../lib/terminals-tech/machines/core/secretsSupabase.ts
+var secretsSupabase_exports = {};
+__export(secretsSupabase_exports, {
+  SupabaseVault: () => SupabaseVault
+});
+var SupabaseVault;
+var init_secretsSupabase = __esm({
+  "../../lib/terminals-tech/machines/core/secretsSupabase.ts"() {
+    "use strict";
+    init_dist();
+    SupabaseVault = class {
+      client;
+      table;
+      encKey;
+      constructor(url, serviceRoleKey, table = "vault_secrets", encKey = process.env.TERMINALS_VAULT_KEY) {
+        this.client = createClient(url, serviceRoleKey, {
+          auth: { persistSession: false }
+        });
+        this.table = table;
+        this.encKey = String(encKey || "");
+      }
+      async put(s) {
+        const p_key = this.encKey;
+        if (!p_key) throw new Error("TERMINALS_VAULT_KEY is required for SupabaseVault");
+        const { error } = await this.client.rpc("vault_secret_upsert", {
+          p_name: s.name,
+          p_value: s.value,
+          p_key,
+          p_scopes: s.scopes
+        });
+        if (error) throw error;
+      }
+      async get(name) {
+        const p_key = this.encKey;
+        if (!p_key) {
+          console.warn("[SupabaseVault] TERMINALS_VAULT_KEY not set, skipping secret fetch for:", name);
+          return null;
+        }
+        const { data: val, error: e1 } = await this.client.rpc("vault_secret_get", {
+          p_name: name,
+          p_key
+        });
+        if (e1) throw e1;
+        const { data: meta, error: e2 } = await this.client.from(this.table).select("name, scopes, created_at, updated_at").eq("name", name).limit(1).maybeSingle();
+        if (e2) throw e2;
+        if (!meta) return null;
+        const scopes = Array.isArray(meta.scopes) ? { nodeIds: meta.scopes } : {};
+        return {
+          name,
+          value: String(val || ""),
+          scopes,
+          createdAt: new Date(meta.created_at).getTime(),
+          updatedAt: new Date(meta.updated_at).getTime()
+        };
+      }
+      async list() {
+        const { data, error } = await this.client.from(this.table).select("name, scopes, created_at, updated_at").order("created_at", { ascending: false });
+        if (error) throw error;
+        return (data || []).map(
+          (r) => ({
+            name: r.name,
+            value: "",
+            scopes: Array.isArray(r.scopes) ? { nodeIds: r.scopes } : {},
+            createdAt: new Date(r.created_at).getTime(),
+            updatedAt: new Date(r.updated_at).getTime()
+          })
+        );
+      }
+      async remove(name) {
+        const { error } = await this.client.rpc("vault_secret_delete", {
+          p_name: name
+        });
+        if (error) throw error;
+      }
+    };
+  }
+});
+
+// ../../lib/terminals-tech/machines/core/secrets.ts
+var InMemoryVault = class {
+  store = /* @__PURE__ */ new Map();
+  async put(s) {
+    const now = Date.now();
+    try {
+      const { encrypt } = await import("./crypto-D4LMI2RN.js");
+      const enc = encrypt(s.value);
+      this.store.set(s.name, {
+        ...s,
+        value: JSON.stringify(enc),
+        createdAt: now,
+        updatedAt: now
+      });
+    } catch {
+      this.store.set(s.name, { ...s, createdAt: now, updatedAt: now });
+    }
+  }
+  async get(name) {
+    return this.store.get(name) || null;
+  }
+  async list() {
+    return Array.from(this.store.values());
+  }
+  async remove(name) {
+    this.store.delete(name);
+  }
+};
+var _vault = null;
+function getVault() {
+  const url = process.env.NEXT_PUBLIC_SUPABASE_URL;
+  const key = process.env.SUPABASE_SERVICE_ROLE_KEY;
+  if (url && key) {
+    const { SupabaseVault: SupabaseVault2 } = (init_secretsSupabase(), __toCommonJS(secretsSupabase_exports));
+    return new SupabaseVault2(url, key);
+  }
+  if (!_vault) _vault = new InMemoryVault();
+  return _vault;
+}
+
+// ../../lib/terminals-tech/machines/core/secret-scope.ts
+var SECRET_SCOPE_PRECEDENCE = [
+  "terminal",
+  "world",
+  "applet",
+  "stack",
+  "user"
+];
+var SCOPE_PREFIX = {
+  user: "user",
+  stack: "stack",
+  applet: "applet",
+  world: "world",
+  terminal: "terminal"
+};
+function getScopeId(scope, level) {
+  switch (level) {
+    case "terminal":
+      return scope.terminalId || null;
+    case "world":
+      return scope.worldId || null;
+    case "applet":
+      return scope.appletId || null;
+    case "stack":
+      return scope.stackId || null;
+    case "user":
+      return null;
+    default:
+      return null;
+  }
+}
+function buildScopedSecretName(name, scope, level) {
+  const owner = scope.ownerId || "anonymous";
+  const scopeId = getScopeId(scope, level);
+  if (!scopeId || level === "user") {
+    return `${owner}::${name}`;
+  }
+  return `${owner}::${SCOPE_PREFIX[level]}:${scopeId}::${name}`;
+}
+function buildSecretCandidates(name, scope) {
+  const owner = scope.ownerId || "anonymous";
+  const candidates = [];
+  for (const level of SECRET_SCOPE_PRECEDENCE) {
+    const scopeId = getScopeId(scope, level);
+    if (level !== "user" && !scopeId) continue;
+    if (level === "user") {
+      candidates.push(`${owner}::${name}`);
+      continue;
+    }
+    candidates.push(`${owner}::${SCOPE_PREFIX[level]}:${scopeId}::${name}`);
+  }
+  return candidates;
+}
+function parseScopedSecretName(fullName, ownerId) {
+  const ownerPrefix = `${ownerId}::`;
+  if (!fullName.startsWith(ownerPrefix)) return null;
+  const remainder = fullName.slice(ownerPrefix.length);
+  const parts = remainder.split("::");
+  if (parts.length === 1) {
+    return { ownerId, level: "user", name: parts[0] };
+  }
+  const [scopePart, name] = parts;
+  if (!name) return null;
+  const scopeMatch = scopePart.match(/^(user|stack|applet|world|terminal):(.+)$/);
+  if (!scopeMatch) {
+    return { ownerId, level: "user", name: remainder };
+  }
+  const level = scopeMatch[1];
+  const scopeId = scopeMatch[2];
+  return { ownerId, level, scopeId, name };
+}
+
+// ../../lib/terminals-tech/machines/core/secret-store.ts
+function scopeMatches(record, scope) {
+  const meta = record.scopes || {};
+  if (meta.ownerId && meta.ownerId !== scope.ownerId) return false;
+  if (meta.stackId && meta.stackId !== scope.stackId) return false;
+  if (meta.appletId && meta.appletId !== scope.appletId) return false;
+  if (meta.worldId && meta.worldId !== scope.worldId) return false;
+  if (meta.terminalId && meta.terminalId !== scope.terminalId) return false;
+  if (Array.isArray(meta.nodeIds) && meta.nodeIds.length > 0) {
+    if (!scope.nodeId) return false;
+    if (!meta.nodeIds.includes(scope.nodeId)) return false;
+  }
+  return true;
+}
+function redactSecretValue(value) {
+  if (!value) return "";
+  if (value.length <= 8) return "***";
+  return `${value.slice(0, 4)}...${value.slice(-4)}`;
+}
+async function putScopedSecret(input) {
+  const level = input.level || "user";
+  const key = buildScopedSecretName(input.name, input.scope, level);
+  const vault = getVault();
+  const scopes = {
+    level,
+    ownerId: input.scope.ownerId,
+    stackId: input.scope.stackId,
+    appletId: input.scope.appletId,
+    worldId: input.scope.worldId,
+    terminalId: input.scope.terminalId,
+    nodeIds: input.scope.nodeIds
+  };
+  await vault.put({
+    name: key,
+    value: input.value,
+    scopes
+  });
+}
+async function getScopedSecret(name, scope) {
+  const vault = getVault();
+  const candidates = buildSecretCandidates(name, scope);
+  for (const key of candidates) {
+    const rec = await vault.get(key);
+    if (!rec) continue;
+    if (!scopeMatches(rec, scope)) continue;
+    const parsed = parseScopedSecretName(rec.name, scope.ownerId);
+    const meta = rec.scopes || {};
+    const inferredLevel = meta.terminalId ? "terminal" : meta.worldId ? "world" : meta.appletId ? "applet" : meta.stackId ? "stack" : "user";
+    if (parsed && parsed.level === "user" && inferredLevel !== "user") {
+      const targetScope = {
+        ownerId: scope.ownerId,
+        stackId: meta.stackId,
+        appletId: meta.appletId,
+        worldId: meta.worldId,
+        terminalId: meta.terminalId,
+        nodeIds: meta.nodeIds
+      };
+      const targetKey = buildScopedSecretName(parsed.name, targetScope, inferredLevel);
+      await vault.put({
+        name: targetKey,
+        value: rec.value,
+        scopes: {
+          ...meta,
+          level: inferredLevel,
+          ownerId: scope.ownerId
+        }
+      });
+      await vault.remove(rec.name);
+      return {
+        ...rec,
+        name: targetKey,
+        scopes: {
+          ...meta,
+          level: inferredLevel,
+          ownerId: scope.ownerId
+        }
+      };
+    }
+    return rec;
+  }
+  const legacy = await vault.get(name);
+  if (legacy && scopeMatches(legacy, scope)) return legacy;
+  return null;
+}
+async function resolveSecretValue(name, scope) {
+  const rec = await getScopedSecret(name, scope);
+  return rec?.value || null;
+}
+async function listScopedSecrets(scope) {
+  const vault = getVault();
+  const list = await vault.list();
+  const results = [];
+  for (const item of list) {
+    const parsed = parseScopedSecretName(item.name, scope.ownerId);
+    if (!parsed) continue;
+    results.push({
+      name: parsed.name,
+      level: parsed.level,
+      scopeId: parsed.scopeId,
+      createdAt: item.createdAt,
+      updatedAt: item.updatedAt,
+      scopes: item.scopes
+    });
+  }
+  return results;
+}
+async function removeScopedSecret(name, scope, level = "user") {
+  const key = buildScopedSecretName(name, scope, level);
+  const vault = getVault();
+  await vault.remove(key);
+}
+
+export {
+  redactSecretValue,
+  putScopedSecret,
+  getScopedSecret,
+  resolveSecretValue,
+  listScopedSecrets,
+  removeScopedSecret
+};