@testany/hephos 0.3.17 → 0.4.0-dev.3

package/out/secure-config/InstructionNormalizer.d.ts

@@ -0,0 +1,5 @@
+import type { CLIConfig } from '@testany/agent-chatter-core';
+export declare class InstructionNormalizer {
+    static normalize(config: CLIConfig): CLIConfig;
+}
+//# sourceMappingURL=InstructionNormalizer.d.ts.map

package/out/secure-config/InstructionNormalizer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"InstructionNormalizer.d.ts","sourceRoot":"","sources":["../../src/secure-config/InstructionNormalizer.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,6BAA6B,CAAC;AAE7D,qBAAa,qBAAqB;IAChC,MAAM,CAAC,SAAS,CAAC,MAAM,EAAE,SAAS,GAAG,SAAS;CAwB/C"}

package/out/secure-config/InstructionNormalizer.js

@@ -0,0 +1,20 @@
+export class InstructionNormalizer {
+    static normalize(config) {
+        const team = config.team;
+        if (!team)
+            return config;
+        if (team.instructionContent === undefined) {
+            team.instructionContent = '';
+        }
+        if (Array.isArray(team.members)) {
+            team.members.forEach((member) => {
+                const memberWithInstruction = member;
+                if (memberWithInstruction.instructionContent === undefined) {
+                    memberWithInstruction.instructionContent = '';
+                }
+            });
+        }
+        return config;
+    }
+}
+//# sourceMappingURL=InstructionNormalizer.js.map

package/out/secure-config/InstructionNormalizer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"InstructionNormalizer.js","sourceRoot":"","sources":["../../src/secure-config/InstructionNormalizer.ts"],"names":[],"mappings":"AAEA,MAAM,OAAO,qBAAqB;IAChC,MAAM,CAAC,SAAS,CAAC,MAAiB;QAChC,MAAM,IAAI,GAAG,MAAM,CAAC,IAON,CAAC;QACf,IAAI,CAAC,IAAI;YAAE,OAAO,MAAM,CAAC;QAEzB,IAAI,IAAI,CAAC,kBAAkB,KAAK,SAAS,EAAE,CAAC;YAC1C,IAAI,CAAC,kBAAkB,GAAG,EAAE,CAAC;QAC/B,CAAC;QACD,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YAChC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,MAAM,EAAE,EAAE;gBAC9B,MAAM,qBAAqB,GAAG,MAAyD,CAAC;gBACxF,IAAI,qBAAqB,CAAC,kBAAkB,KAAK,SAAS,EAAE,CAAC;oBAC3D,qBAAqB,CAAC,kBAAkB,GAAG,EAAE,CAAC;gBAChD,CAAC;YACH,CAAC,CAAC,CAAC;QACL,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;CACF"}

package/out/secure-config/KeysetService.d.ts

@@ -0,0 +1,15 @@
+import * as crypto from 'crypto';
+import { SecureConfigClient } from './SecureConfigClient.js';
+export declare class KeysetService {
+    private cachePath;
+    private client;
+    private rootPublicKey;
+    constructor(client: SecureConfigClient, region: 'us' | 'cn', rootPublicKeyPem: string, cachePath?: string);
+    getPublicKeyByKid(kid: string): Promise<crypto.KeyObject | null>;
+    refresh(): Promise<void>;
+    private verifyKeysetSignature;
+    private isExpired;
+    private loadCache;
+    private saveCache;
+}
+//# sourceMappingURL=KeysetService.d.ts.map

package/out/secure-config/KeysetService.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"KeysetService.d.ts","sourceRoot":"","sources":["../../src/secure-config/KeysetService.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,MAAM,QAAQ,CAAC;AAKjC,OAAO,EAAE,kBAAkB,EAAE,MAAM,yBAAyB,CAAC;AAW7D,qBAAa,aAAa;IACxB,OAAO,CAAC,SAAS,CAAS;IAC1B,OAAO,CAAC,MAAM,CAAqB;IACnC,OAAO,CAAC,aAAa,CAAmB;gBAGtC,MAAM,EAAE,kBAAkB,EAC1B,MAAM,EAAE,IAAI,GAAG,IAAI,EACnB,gBAAgB,EAAE,MAAM,EACxB,SAAS,CAAC,EAAE,MAAM;IAYd,iBAAiB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,SAAS,GAAG,IAAI,CAAC;IAQhE,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;IAyB9B,OAAO,CAAC,qBAAqB;IAY7B,OAAO,CAAC,SAAS;IAMjB,OAAO,CAAC,SAAS;IAUjB,OAAO,CAAC,SAAS;CAOlB"}

package/out/secure-config/KeysetService.js

@@ -0,0 +1,88 @@
+import * as crypto from 'crypto';
+import * as fs from 'fs';
+import * as path from 'path';
+import * as os from 'os';
+import { canonicalize } from './signatureUtils.js';
+const DEFAULT_TTL_MS = 24 * 60 * 60 * 1000;
+export class KeysetService {
+    cachePath;
+    client;
+    rootPublicKey;
+    constructor(client, region, rootPublicKeyPem, cachePath) {
+        this.client = client;
+        this.rootPublicKey = crypto.createPublicKey(rootPublicKeyPem);
+        if (cachePath) {
+            this.cachePath = cachePath;
+        }
+        else {
+            const baseDir = path.join(os.homedir(), '.agent-chatter', 'secure-config');
+            this.cachePath = path.join(baseDir, `keyset-${region}.json`);
+        }
+    }
+    async getPublicKeyByKid(kid) {
+        const cached = this.loadCache();
+        if (!cached || this.isExpired(cached))
+            return null;
+        const key = cached.keyset.keys.find((k) => k.kid === kid);
+        if (!key)
+            return null;
+        return crypto.createPublicKey(key.public_key_pem);
+    }
+    async refresh() {
+        const cached = this.loadCache();
+        const etag = cached?.etag ?? null;
+        const result = await this.client.fetchKeyset(etag);
+        if (result.notModified && cached) {
+            // Update fetched time to extend TTL
+            this.saveCache({ ...cached, fetched_at: new Date().toISOString() });
+            return;
+        }
+        if (!result.keyset) {
+            return;
+        }
+        if (!this.verifyKeysetSignature(result.keyset)) {
+            throw new Error('Keyset signature invalid');
+        }
+        this.saveCache({
+            keyset: result.keyset,
+            etag: result.etag,
+            fetched_at: new Date().toISOString(),
+        });
+    }
+    verifyKeysetSignature(keyset) {
+        const payload = {
+            region: keyset.region,
+            keys: keyset.keys,
+        };
+        const canonical = canonicalize(payload);
+        const signature = Buffer.from(keyset.signature, 'base64');
+        const verifier = crypto.createVerify('SHA256');
+        verifier.update(canonical);
+        return verifier.verify(this.rootPublicKey, signature);
+    }
+    isExpired(cache) {
+        const fetchedAt = Date.parse(cache.fetched_at);
+        if (!Number.isFinite(fetchedAt))
+            return true;
+        return Date.now() - fetchedAt > DEFAULT_TTL_MS;
+    }
+    loadCache() {
+        try {
+            if (!fs.existsSync(this.cachePath))
+                return null;
+            const raw = fs.readFileSync(this.cachePath, 'utf-8');
+            return JSON.parse(raw);
+        }
+        catch {
+            return null;
+        }
+    }
+    saveCache(cache) {
+        const dir = path.dirname(this.cachePath);
+        if (!fs.existsSync(dir)) {
+            fs.mkdirSync(dir, { recursive: true, mode: 0o700 });
+        }
+        fs.writeFileSync(this.cachePath, JSON.stringify(cache, null, 2), { mode: 0o600 });
+    }
+}
+//# sourceMappingURL=KeysetService.js.map

package/out/secure-config/KeysetService.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"KeysetService.js","sourceRoot":"","sources":["../../src/secure-config/KeysetService.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,MAAM,QAAQ,CAAC;AACjC,OAAO,KAAK,EAAE,MAAM,IAAI,CAAC;AACzB,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAC7B,OAAO,KAAK,EAAE,MAAM,IAAI,CAAC;AAGzB,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AAQnD,MAAM,cAAc,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;AAE3C,MAAM,OAAO,aAAa;IAChB,SAAS,CAAS;IAClB,MAAM,CAAqB;IAC3B,aAAa,CAAmB;IAExC,YACE,MAA0B,EAC1B,MAAmB,EACnB,gBAAwB,EACxB,SAAkB;QAElB,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,aAAa,GAAG,MAAM,CAAC,eAAe,CAAC,gBAAgB,CAAC,CAAC;QAC9D,IAAI,SAAS,EAAE,CAAC;YACd,IAAI,CAAC,SAAS,GAAG,SAAS,CAAC;QAC7B,CAAC;aAAM,CAAC;YACN,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,gBAAgB,EAAE,eAAe,CAAC,CAAC;YAC3E,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,UAAU,MAAM,OAAO,CAAC,CAAC;QAC/D,CAAC;IACH,CAAC;IAED,KAAK,CAAC,iBAAiB,CAAC,GAAW;QACjC,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,EAAE,CAAC;QAChC,IAAI,CAAC,MAAM,IAAI,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC;YAAE,OAAO,IAAI,CAAC;QACnD,MAAM,GAAG,GAAG,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,KAAK,GAAG,CAAC,CAAC;QAC1D,IAAI,CAAC,GAAG;YAAE,OAAO,IAAI,CAAC;QACtB,OAAO,MAAM,CAAC,eAAe,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;IACpD,CAAC;IAED,KAAK,CAAC,OAAO;QACX,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,EAAE,CAAC;QAChC,MAAM,IAAI,GAAG,MAAM,EAAE,IAAI,IAAI,IAAI,CAAC;QAElC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC;QACnD,IAAI,MAAM,CAAC,WAAW,IAAI,MAAM,EAAE,CAAC;YACjC,oCAAoC;YACpC,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,MAAM,EAAE,UAAU,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC;YACpE,OAAO;QACT,CAAC;QACD,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;YACnB,OAAO;QACT,CAAC;QAED,IAAI,CAAC,IAAI,CAAC,qBAAqB,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC;YAC/C,MAAM,IAAI,KAAK,CAAC,0BAA0B,CAAC,CAAC;QAC9C,CAAC;QAED,IAAI,CAAC,SAAS,CAAC;YACb,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,IAAI,EAAE,MAAM,CAAC,IAAI;YACjB,UAAU,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACrC,CAAC,CAAC;IACL,CAAC;IAEO,qBAAqB,CAAC,MAA0B;QACtD,MAAM,OAAO,GAAG;YACd,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,IAAI,EAAE,MAAM,CAAC,IAAI;SAClB,CAAC;QACF,MAAM,SAAS,GAAG,YAAY,CAAC,OAAO,CAAC,CAAC;QACxC,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;QAC1D,MAAM,QAAQ,GAAG,MAAM,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC;QAC/C,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QAC3B,OAAO,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,aAAa,EAAE,SAAS,CAAC,CAAC;IACxD,CAAC;IAEO,SAAS,CAAC,KAAsB;QACtC,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;QAC/C,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAC;YAAE,OAAO,IAAI,CAAC;QAC7C,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,GAAG,cAAc,CAAC;IACjD,CAAC;IAEO,SAAS;QACf,IAAI,CAAC;YACH,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,SAAS,CAAC;gBAAE,OAAO,IAAI,CAAC;YAChD,MAAM,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;YACrD,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAoB,CAAC;QAC5C,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAEO,SAAS,CAAC,KAAsB;QACtC,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACzC,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YACxB,EAAE,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QACtD,CAAC;QACD,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IACpF,CAAC;CACF"}

package/out/secure-config/SCPService.d.ts

@@ -0,0 +1,14 @@
+import type { SecureConfigPackage } from './types.js';
+import type { CLIConfig } from '@testany/agent-chatter-core';
+import { DeviceKeyService } from './DeviceKeyService.js';
+import { KeysetService } from './KeysetService.js';
+export declare class SCPService {
+    private deviceKeyService;
+    private keysetService;
+    constructor(deviceKeyService: DeviceKeyService, keysetService: KeysetService);
+    decryptSCP(scp: SecureConfigPackage, fetchSCPFn: () => Promise<SecureConfigPackage>): Promise<CLIConfig>;
+    private verifySignature;
+    private doDecrypt;
+    private decryptPayload;
+}
+//# sourceMappingURL=SCPService.d.ts.map

package/out/secure-config/SCPService.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"SCPService.d.ts","sourceRoot":"","sources":["../../src/secure-config/SCPService.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAC;AACtD,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,6BAA6B,CAAC;AAC7D,OAAO,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAC;AACzD,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAInD,qBAAa,UAAU;IAEnB,OAAO,CAAC,gBAAgB;IACxB,OAAO,CAAC,aAAa;gBADb,gBAAgB,EAAE,gBAAgB,EAClC,aAAa,EAAE,aAAa;IAGhC,UAAU,CACd,GAAG,EAAE,mBAAmB,EACxB,UAAU,EAAE,MAAM,OAAO,CAAC,mBAAmB,CAAC,GAC7C,OAAO,CAAC,SAAS,CAAC;YAoBP,eAAe;YA4Bf,SAAS;IAqBvB,OAAO,CAAC,cAAc;CAUvB"}

package/out/secure-config/SCPService.js

@@ -0,0 +1,79 @@
+import * as crypto from 'crypto';
+import { canonicalize, sha256Hex } from './signatureUtils.js';
+import { SecureConfigError } from './errors.js';
+export class SCPService {
+    deviceKeyService;
+    keysetService;
+    constructor(deviceKeyService, keysetService) {
+        this.deviceKeyService = deviceKeyService;
+        this.keysetService = keysetService;
+    }
+    async decryptSCP(scp, fetchSCPFn) {
+        if (!(await this.verifySignature(scp))) {
+            throw new SecureConfigError('SIGNATURE_INVALID', 'SCP signature verification failed');
+        }
+        try {
+            return await this.doDecrypt(scp);
+        }
+        catch {
+            const fresh = await fetchSCPFn();
+            if (!(await this.verifySignature(fresh))) {
+                throw new SecureConfigError('SIGNATURE_INVALID', 'SCP signature verification failed');
+            }
+            try {
+                return await this.doDecrypt(fresh);
+            }
+            catch {
+                throw new SecureConfigError('DECRYPTION_FAILED', 'Failed to decrypt SCP payload');
+            }
+        }
+    }
+    async verifySignature(scp) {
+        const payloadEncBuffer = Buffer.from(scp.payload_enc, 'base64');
+        const keyEncBuffer = Buffer.from(scp.key_enc, 'base64');
+        const signData = {
+            manifest: scp.manifest,
+            payload_enc_hash: sha256Hex(payloadEncBuffer),
+            key_enc_hash: sha256Hex(keyEncBuffer),
+        };
+        const canonical = canonicalize(signData);
+        const signature = Buffer.from(scp.signature, 'base64');
+        const verify = crypto.createVerify('SHA256');
+        verify.update(canonical);
+        const publicKey = await this.keysetService.getPublicKeyByKid(scp.manifest.kid);
+        if (!publicKey) {
+            await this.keysetService.refresh();
+        }
+        const refreshedKey = await this.keysetService.getPublicKeyByKid(scp.manifest.kid);
+        if (!refreshedKey) {
+            return false;
+        }
+        return verify.verify(refreshedKey, signature);
+    }
+    async doDecrypt(scp) {
+        const keyEncBuffer = Buffer.from(scp.key_enc, 'base64');
+        const devicePrivateKey = this.deviceKeyService.loadPrivateKey();
+        const dek = crypto.privateDecrypt({
+            key: devicePrivateKey,
+            padding: crypto.constants.RSA_PKCS1_OAEP_PADDING,
+            oaepHash: 'sha256',
+        }, keyEncBuffer);
+        try {
+            const payloadEncBuffer = Buffer.from(scp.payload_enc, 'base64');
+            const plaintext = this.decryptPayload(payloadEncBuffer, dek);
+            return JSON.parse(plaintext.toString('utf-8'));
+        }
+        finally {
+            dek.fill(0);
+        }
+    }
+    decryptPayload(encrypted, dek) {
+        const iv = encrypted.subarray(0, 12);
+        const authTag = encrypted.subarray(-16);
+        const ciphertext = encrypted.subarray(12, -16);
+        const decipher = crypto.createDecipheriv('aes-256-gcm', dek, iv);
+        decipher.setAuthTag(authTag);
+        return Buffer.concat([decipher.update(ciphertext), decipher.final()]);
+    }
+}
+//# sourceMappingURL=SCPService.js.map

package/out/secure-config/SCPService.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"SCPService.js","sourceRoot":"","sources":["../../src/secure-config/SCPService.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,MAAM,QAAQ,CAAC;AAKjC,OAAO,EAAE,YAAY,EAAE,SAAS,EAAE,MAAM,qBAAqB,CAAC;AAC9D,OAAO,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAEhD,MAAM,OAAO,UAAU;IAEX;IACA;IAFV,YACU,gBAAkC,EAClC,aAA4B;QAD5B,qBAAgB,GAAhB,gBAAgB,CAAkB;QAClC,kBAAa,GAAb,aAAa,CAAe;IACnC,CAAC;IAEJ,KAAK,CAAC,UAAU,CACd,GAAwB,EACxB,UAA8C;QAE9C,IAAI,CAAC,CAAC,MAAM,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC;YACvC,MAAM,IAAI,iBAAiB,CAAC,mBAAmB,EAAE,mCAAmC,CAAC,CAAC;QACxF,CAAC;QAED,IAAI,CAAC;YACH,OAAO,MAAM,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;QACnC,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,KAAK,GAAG,MAAM,UAAU,EAAE,CAAC;YACjC,IAAI,CAAC,CAAC,MAAM,IAAI,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC;gBACzC,MAAM,IAAI,iBAAiB,CAAC,mBAAmB,EAAE,mCAAmC,CAAC,CAAC;YACxF,CAAC;YACD,IAAI,CAAC;gBACH,OAAO,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;YACrC,CAAC;YAAC,MAAM,CAAC;gBACP,MAAM,IAAI,iBAAiB,CAAC,mBAAmB,EAAE,+BAA+B,CAAC,CAAC;YACpF,CAAC;QACH,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,eAAe,CAAC,GAAwB;QACpD,MAAM,gBAAgB,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;QAChE,MAAM,YAAY,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QAExD,MAAM,QAAQ,GAAG;YACf,QAAQ,EAAE,GAAG,CAAC,QAAQ;YACtB,gBAAgB,EAAE,SAAS,CAAC,gBAAgB,CAAC;YAC7C,YAAY,EAAE,SAAS,CAAC,YAAY,CAAC;SACtC,CAAC;QAEF,MAAM,SAAS,GAAG,YAAY,CAAC,QAAQ,CAAC,CAAC;QACzC,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;QAEvD,MAAM,MAAM,GAAG,MAAM,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC;QAC7C,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QAEzB,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,iBAAiB,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;QAC/E,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,MAAM,IAAI,CAAC,aAAa,CAAC,OAAO,EAAE,CAAC;QACrC,CAAC;QACD,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,iBAAiB,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;QAClF,IAAI,CAAC,YAAY,EAAE,CAAC;YAClB,OAAO,KAAK,CAAC;QACf,CAAC;QAED,OAAO,MAAM,CAAC,MAAM,CAAC,YAAY,EAAE,SAAS,CAAC,CAAC;IAChD,CAAC;IAEO,KAAK,CAAC,SAAS,CAAC,GAAwB;QAC9C,MAAM,YAAY,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QACxD,MAAM,gBAAgB,GAAG,IAAI,CAAC,gBAAgB,CAAC,cAAc,EAAE,CAAC;QAChE,MAAM,GAAG,GAAG,MAAM,CAAC,cAAc,CAC/B;YACE,GAAG,EAAE,gBAAgB;YACrB,OAAO,EAAE,MAAM,CAAC,SAAS,CAAC,sBAAsB;YAChD,QAAQ,EAAE,QAAQ;SACnB,EACD,YAAY,CACb,CAAC;QAEF,IAAI,CAAC;YACH,MAAM,gBAAgB,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;YAChE,MAAM,SAAS,GAAG,IAAI,CAAC,cAAc,CAAC,gBAAgB,EAAE,GAAG,CAAC,CAAC;YAC7D,OAAO,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAc,CAAC;QAC9D,CAAC;gBAAS,CAAC;YACT,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACd,CAAC;IACH,CAAC;IAEO,cAAc,CAAC,SAAiB,EAAE,GAAW;QACnD,MAAM,EAAE,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACrC,MAAM,OAAO,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC,CAAC;QACxC,MAAM,UAAU,GAAG,SAAS,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC,CAAC;QAE/C,MAAM,QAAQ,GAAG,MAAM,CAAC,gBAAgB,CAAC,aAAa,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;QACjE,QAAQ,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;QAE7B,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,UAAU,CAAC,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IACxE,CAAC;CACF"}

package/out/secure-config/SecureConfigClient.d.ts

@@ -0,0 +1,30 @@
+import type { SecureConfigResponse, SecureConfigKeyset, DeviceRegisterRequest, DeviceRegisterResponse, TeamListResponse, ClientType } from './types.js';
+import type { AuthEnvironment } from '../auth/types.js';
+export interface SecureConfigClientOptions {
+    region: 'us' | 'cn';
+    environment: AuthEnvironment;
+    accessToken: string;
+    deviceId: string;
+    clientType: ClientType;
+    clientVersion: string;
+}
+export interface KeysetFetchResult {
+    keyset?: SecureConfigKeyset;
+    etag?: string | null;
+    notModified?: boolean;
+}
+export declare class SecureConfigClient {
+    private baseUrl;
+    private accessToken;
+    private deviceId;
+    private clientType;
+    private clientVersion;
+    constructor(options: SecureConfigClientOptions);
+    fetchSCP(teamId: string): Promise<SecureConfigResponse['data']>;
+    registerDevice(payload: DeviceRegisterRequest): Promise<DeviceRegisterResponse['data']>;
+    fetchKeyset(etag?: string | null): Promise<KeysetFetchResult>;
+    listTeams(limit?: number): Promise<TeamListResponse['data']>;
+    private request;
+    private rawRequest;
+}
+//# sourceMappingURL=SecureConfigClient.d.ts.map

package/out/secure-config/SecureConfigClient.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"SecureConfigClient.d.ts","sourceRoot":"","sources":["../../src/secure-config/SecureConfigClient.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAEV,oBAAoB,EAEpB,kBAAkB,EAClB,qBAAqB,EACrB,sBAAsB,EACtB,gBAAgB,EAChB,UAAU,EACX,MAAM,YAAY,CAAC;AAGpB,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAExD,MAAM,WAAW,yBAAyB;IACxC,MAAM,EAAE,IAAI,GAAG,IAAI,CAAC;IACpB,WAAW,EAAE,eAAe,CAAC;IAC7B,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,UAAU,CAAC;IACvB,aAAa,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,iBAAiB;IAChC,MAAM,CAAC,EAAE,kBAAkB,CAAC;IAC5B,IAAI,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,WAAW,CAAC,EAAE,OAAO,CAAC;CACvB;AAED,qBAAa,kBAAkB;IAC7B,OAAO,CAAC,OAAO,CAAS;IACxB,OAAO,CAAC,WAAW,CAAS;IAC5B,OAAO,CAAC,QAAQ,CAAS;IACzB,OAAO,CAAC,UAAU,CAAa;IAC/B,OAAO,CAAC,aAAa,CAAS;gBAElB,OAAO,EAAE,yBAAyB;IAQxC,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,oBAAoB,CAAC,MAAM,CAAC,CAAC;IAa/D,cAAc,CAAC,OAAO,EAAE,qBAAqB,GAAG,OAAO,CAAC,sBAAsB,CAAC,MAAM,CAAC,CAAC;IAUvF,WAAW,CAAC,IAAI,CAAC,EAAE,MAAM,GAAG,IAAI,GAAG,OAAO,CAAC,iBAAiB,CAAC;IAyB7D,SAAS,CAAC,KAAK,SAAK,GAAG,OAAO,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC;YAMhD,OAAO;YAiBP,UAAU;CAWzB"}

package/out/secure-config/SecureConfigClient.js

@@ -0,0 +1,81 @@
+import { SecureConfigError } from './errors.js';
+import { getApiBaseUrl } from '../auth/AuthConfig.js';
+export class SecureConfigClient {
+    baseUrl;
+    accessToken;
+    deviceId;
+    clientType;
+    clientVersion;
+    constructor(options) {
+        this.baseUrl = getApiBaseUrl(options.region, options.environment);
+        this.accessToken = options.accessToken;
+        this.deviceId = options.deviceId;
+        this.clientType = options.clientType;
+        this.clientVersion = options.clientVersion;
+    }
+    async fetchSCP(teamId) {
+        const path = `/secure-config/teams/${teamId}`;
+        const result = await this.request(path, {
+            method: 'GET',
+            headers: {
+                'X-Device-Id': this.deviceId,
+                'X-Client-Type': this.clientType,
+                'X-Client-Version': this.clientVersion,
+            },
+        });
+        return result.data;
+    }
+    async registerDevice(payload) {
+        const path = '/secure-config/devices/register';
+        const result = await this.request(path, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify(payload),
+        });
+        return result.data;
+    }
+    async fetchKeyset(etag) {
+        const path = '/secure-config/public-keys';
+        const headers = {};
+        if (etag)
+            headers['If-None-Match'] = etag;
+        const response = await this.rawRequest(path, { method: 'GET', headers });
+        if (response.status === 304) {
+            return { notModified: true, etag };
+        }
+        const parsed = (await response.json());
+        if (!response.ok || parsed.success === false) {
+            const err = parsed;
+            throw new SecureConfigError(err?.error?.code || 'SECURE_CONFIG_ERROR', err?.error?.message || 'Failed to fetch keyset', response.status, err?.error?.request_id);
+        }
+        return {
+            keyset: parsed.data,
+            etag: response.headers.get('ETag'),
+        };
+    }
+    async listTeams(limit = 50) {
+        const path = `/teams?limit=${limit}`;
+        const result = await this.request(path, { method: 'GET' });
+        return result.data;
+    }
+    async request(path, init) {
+        const response = await this.rawRequest(path, init);
+        const parsed = (await response.json());
+        if (!response.ok || parsed.success === false) {
+            const err = parsed;
+            throw new SecureConfigError(err?.error?.code || 'SECURE_CONFIG_ERROR', err?.error?.message || `Request failed with status ${response.status}`, response.status, err?.error?.request_id);
+        }
+        return parsed;
+    }
+    async rawRequest(path, init) {
+        const headers = {
+            Authorization: `Bearer ${this.accessToken}`,
+            ...init.headers,
+        };
+        return await fetch(`${this.baseUrl}${path}`, {
+            ...init,
+            headers,
+        });
+    }
+}
+//# sourceMappingURL=SecureConfigClient.js.map

package/out/secure-config/SecureConfigClient.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"SecureConfigClient.js","sourceRoot":"","sources":["../../src/secure-config/SecureConfigClient.ts"],"names":[],"mappings":"AAUA,OAAO,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAChD,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AAkBtD,MAAM,OAAO,kBAAkB;IACrB,OAAO,CAAS;IAChB,WAAW,CAAS;IACpB,QAAQ,CAAS;IACjB,UAAU,CAAa;IACvB,aAAa,CAAS;IAE9B,YAAY,OAAkC;QAC5C,IAAI,CAAC,OAAO,GAAG,aAAa,CAAC,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,WAAW,CAAC,CAAC;QAClE,IAAI,CAAC,WAAW,GAAG,OAAO,CAAC,WAAW,CAAC;QACvC,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;QACjC,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;QACrC,IAAI,CAAC,aAAa,GAAG,OAAO,CAAC,aAAa,CAAC;IAC7C,CAAC;IAED,KAAK,CAAC,QAAQ,CAAC,MAAc;QAC3B,MAAM,IAAI,GAAG,wBAAwB,MAAM,EAAE,CAAC;QAC9C,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,OAAO,CAAuB,IAAI,EAAE;YAC5D,MAAM,EAAE,KAAK;YACb,OAAO,EAAE;gBACP,aAAa,EAAE,IAAI,CAAC,QAAQ;gBAC5B,eAAe,EAAE,IAAI,CAAC,UAAU;gBAChC,kBAAkB,EAAE,IAAI,CAAC,aAAa;aACvC;SACF,CAAC,CAAC;QACH,OAAO,MAAM,CAAC,IAAI,CAAC;IACrB,CAAC;IAED,KAAK,CAAC,cAAc,CAAC,OAA8B;QACjD,MAAM,IAAI,GAAG,iCAAiC,CAAC;QAC/C,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,OAAO,CAAyB,IAAI,EAAE;YAC9D,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC;SAC9B,CAAC,CAAC;QACH,OAAO,MAAM,CAAC,IAAI,CAAC;IACrB,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,IAAoB;QACpC,MAAM,IAAI,GAAG,4BAA4B,CAAC;QAC1C,MAAM,OAAO,GAA2B,EAAE,CAAC;QAC3C,IAAI,IAAI;YAAE,OAAO,CAAC,eAAe,CAAC,GAAG,IAAI,CAAC;QAE1C,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,IAAI,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAC;QACzE,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,OAAO,EAAE,WAAW,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;QACrC,CAAC;QACD,MAAM,MAAM,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAA4C,CAAC;QAClF,IAAI,CAAC,QAAQ,CAAC,EAAE,IAAI,MAAM,CAAC,OAAO,KAAK,KAAK,EAAE,CAAC;YAC7C,MAAM,GAAG,GAAG,MAAa,CAAC;YAC1B,MAAM,IAAI,iBAAiB,CACzB,GAAG,EAAE,KAAK,EAAE,IAAI,IAAI,qBAAqB,EACzC,GAAG,EAAE,KAAK,EAAE,OAAO,IAAI,wBAAwB,EAC/C,QAAQ,CAAC,MAAM,EACf,GAAG,EAAE,KAAK,EAAE,UAAU,CACvB,CAAC;QACJ,CAAC;QACD,OAAO;YACL,MAAM,EAAE,MAAM,CAAC,IAAI;YACnB,IAAI,EAAE,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC;SACnC,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,KAAK,GAAG,EAAE;QACxB,MAAM,IAAI,GAAG,gBAAgB,KAAK,EAAE,CAAC;QACrC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,OAAO,CAAmB,IAAI,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;QAC7E,OAAO,MAAM,CAAC,IAAI,CAAC;IACrB,CAAC;IAEO,KAAK,CAAC,OAAO,CAAI,IAAY,EAAE,IAAiB;QACtD,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;QACnD,MAAM,MAAM,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAmB,CAAC;QAEzD,IAAI,CAAC,QAAQ,CAAC,EAAE,IAAK,MAAc,CAAC,OAAO,KAAK,KAAK,EAAE,CAAC;YACtD,MAAM,GAAG,GAAG,MAAa,CAAC;YAC1B,MAAM,IAAI,iBAAiB,CACzB,GAAG,EAAE,KAAK,EAAE,IAAI,IAAI,qBAAqB,EACzC,GAAG,EAAE,KAAK,EAAE,OAAO,IAAI,8BAA8B,QAAQ,CAAC,MAAM,EAAE,EACtE,QAAQ,CAAC,MAAM,EACf,GAAG,EAAE,KAAK,EAAE,UAAU,CACvB,CAAC;QACJ,CAAC;QAED,OAAO,MAAW,CAAC;IACrB,CAAC;IAEO,KAAK,CAAC,UAAU,CAAC,IAAY,EAAE,IAAiB;QACtD,MAAM,OAAO,GAA2B;YACtC,aAAa,EAAE,UAAU,IAAI,CAAC,WAAW,EAAE;YAC3C,GAAI,IAAI,CAAC,OAA8C;SACxD,CAAC;QAEF,OAAO,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,OAAO,GAAG,IAAI,EAAE,EAAE;YAC3C,GAAG,IAAI;YACP,OAAO;SACR,CAAC,CAAC;IACL,CAAC;CACF"}

package/out/secure-config/errors.d.ts

@@ -0,0 +1,8 @@
+export declare class SecureConfigError extends Error {
+    readonly code: string;
+    readonly status?: number | undefined;
+    readonly requestId?: string | undefined;
+    constructor(code: string, message: string, status?: number | undefined, requestId?: string | undefined);
+}
+export declare const SecureConfigExitCode: Record<string, number>;
+//# sourceMappingURL=errors.d.ts.map

package/out/secure-config/errors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../../src/secure-config/errors.ts"],"names":[],"mappings":"AAAA,qBAAa,iBAAkB,SAAQ,KAAK;aAExB,IAAI,EAAE,MAAM;aAEZ,MAAM,CAAC,EAAE,MAAM;aACf,SAAS,CAAC,EAAE,MAAM;gBAHlB,IAAI,EAAE,MAAM,EAC5B,OAAO,EAAE,MAAM,EACC,MAAM,CAAC,EAAE,MAAM,YAAA,EACf,SAAS,CAAC,EAAE,MAAM,YAAA;CAKrC;AAED,eAAO,MAAM,oBAAoB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAMvD,CAAC"}

package/out/secure-config/errors.js

@@ -0,0 +1,20 @@
+export class SecureConfigError extends Error {
+    code;
+    status;
+    requestId;
+    constructor(code, message, status, requestId) {
+        super(message);
+        this.code = code;
+        this.status = status;
+        this.requestId = requestId;
+        this.name = 'SecureConfigError';
+    }
+}
+export const SecureConfigExitCode = {
+    SIGNATURE_INVALID: 12,
+    DECRYPTION_FAILED: 13,
+    DEVICE_NOT_REGISTERED: 14,
+    USER_FROZEN: 20,
+    TEAM_ACCESS_DENIED: 21,
+};
+//# sourceMappingURL=errors.js.map

package/out/secure-config/errors.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.js","sourceRoot":"","sources":["../../src/secure-config/errors.ts"],"names":[],"mappings":"AAAA,MAAM,OAAO,iBAAkB,SAAQ,KAAK;IAExB;IAEA;IACA;IAJlB,YACkB,IAAY,EAC5B,OAAe,EACC,MAAe,EACf,SAAkB;QAElC,KAAK,CAAC,OAAO,CAAC,CAAC;QALC,SAAI,GAAJ,IAAI,CAAQ;QAEZ,WAAM,GAAN,MAAM,CAAS;QACf,cAAS,GAAT,SAAS,CAAS;QAGlC,IAAI,CAAC,IAAI,GAAG,mBAAmB,CAAC;IAClC,CAAC;CACF;AAED,MAAM,CAAC,MAAM,oBAAoB,GAA2B;IAC1D,iBAAiB,EAAE,EAAE;IACrB,iBAAiB,EAAE,EAAE;IACrB,qBAAqB,EAAE,EAAE;IACzB,WAAW,EAAE,EAAE;IACf,kBAAkB,EAAE,EAAE;CACvB,CAAC"}

package/out/secure-config/index.d.ts

@@ -0,0 +1,11 @@
+export * from './types.js';
+export * from './errors.js';
+export * from './DeviceStore.js';
+export * from './DeviceKeyService.js';
+export * from './SecureConfigClient.js';
+export * from './KeysetService.js';
+export * from './SCPService.js';
+export * from './InstructionNormalizer.js';
+export * from './BaseDirResolver.js';
+export * from './rootKey.js';
+//# sourceMappingURL=index.d.ts.map

package/out/secure-config/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/secure-config/index.ts"],"names":[],"mappings":"AAAA,cAAc,YAAY,CAAC;AAC3B,cAAc,aAAa,CAAC;AAC5B,cAAc,kBAAkB,CAAC;AACjC,cAAc,uBAAuB,CAAC;AACtC,cAAc,yBAAyB,CAAC;AACxC,cAAc,oBAAoB,CAAC;AACnC,cAAc,iBAAiB,CAAC;AAChC,cAAc,4BAA4B,CAAC;AAC3C,cAAc,sBAAsB,CAAC;AACrC,cAAc,cAAc,CAAC"}

package/out/secure-config/index.js

@@ -0,0 +1,11 @@
+export * from './types.js';
+export * from './errors.js';
+export * from './DeviceStore.js';
+export * from './DeviceKeyService.js';
+export * from './SecureConfigClient.js';
+export * from './KeysetService.js';
+export * from './SCPService.js';
+export * from './InstructionNormalizer.js';
+export * from './BaseDirResolver.js';
+export * from './rootKey.js';
+//# sourceMappingURL=index.js.map

package/out/secure-config/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/secure-config/index.ts"],"names":[],"mappings":"AAAA,cAAc,YAAY,CAAC;AAC3B,cAAc,aAAa,CAAC;AAC5B,cAAc,kBAAkB,CAAC;AACjC,cAAc,uBAAuB,CAAC;AACtC,cAAc,yBAAyB,CAAC;AACxC,cAAc,oBAAoB,CAAC;AACnC,cAAc,iBAAiB,CAAC;AAChC,cAAc,4BAA4B,CAAC;AAC3C,cAAc,sBAAsB,CAAC;AACrC,cAAc,cAAc,CAAC"}

package/out/secure-config/rootKey.d.ts

@@ -0,0 +1,3 @@
+import type { AuthEnvironment, AuthRegion } from '../auth/types.js';
+export declare function resolveRootPublicKeyPem(region: AuthRegion, env: AuthEnvironment): string;
+//# sourceMappingURL=rootKey.d.ts.map

package/out/secure-config/rootKey.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rootKey.d.ts","sourceRoot":"","sources":["../../src/secure-config/rootKey.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AA6CpE,wBAAgB,uBAAuB,CAAC,MAAM,EAAE,UAAU,EAAE,GAAG,EAAE,eAAe,GAAG,MAAM,CAWxF"}

package/out/secure-config/rootKey.js

@@ -0,0 +1,57 @@
+const DEFAULT_ROOT_PUBLIC_KEYS = {
+    us: {
+        staging: `-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvyY9G5YRo3gCVX6zCdCL
+B2zJ+oAzazXHAMishHllBJxInvi/gnwlYbmzWifst17SKmyZL4ccTGxImjueH9aR
+gleHr1NSm9OnNmJqLWUekEYvR6quxrY/shrLsDx8rRljHSyGo4aWAE+TCG4LV2D1
+WvuudGvQbXd5U94dUDlx+Ft2MLPoW0v84W4zh93vciGXp6A4OK3zu/JicIs1y21p
+i/B/Gk90jQBpUgIZvBWHLCk+sX0sN6LU8TkgfUaTpKCuDmDPFjoiPtTNNiahX/hU
+WcuZBnd3LYBFKev+4hCjiSgNHp9ccXczMIftwTk8fgasyMaNr1uZROs6Rl+WhftN
+MQIDAQAB
+-----END PUBLIC KEY-----`,
+        prod: `-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqnRYIIqaGscRGTPoMRFS
+wm2XJEYfySBVfK1kfHwF1hgn4PUHjziCAE8LMKVi9mwSR9EKAe0LfTOul2YbCE0S
+kkoGopwcENx0+xGTaV3QVherhxrcoqewUHbbSDdDKLPsrTGkFPPNZ5h3q3h5TCjj
+VtATDN6kj17q4iYIk53KJSnWq5Iye68nZk5NPoo0zS0L7jwhRW/yxtCRfDQz2QDI
+AKADVsXZXSlfs4nTy/amE1xWhU+OC1P5ora26glUbWsOj2E/Th+5qNKu4dlKWQbM
+W4roPJ/YjNxapfGb0aVeXXKbOCDYy/F8yXNMkVd3whYc5WTQ+obcQLvYWRDgiEyc
+0wIDAQAB
+-----END PUBLIC KEY-----`,
+    },
+    cn: {
+        staging: `-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1W/R74R3D1Ltr6zNa7Nx
+V7QrdtOnknxhUF6u8b/DwfhGnbhhYW1S8YdpQYYxY/Uf75nCfeZkau0+K04tUhUP
+qQHvlw3MzZyTDAijf7wRCrYDi5giLhnTZFX7yNWs0ypDgLjx97ectF0DNb76JOhb
+M8vwKhAV3CLliD0VglT6DcT7aM2NM/rjbGCh64zF2AXBvWJ7D6sc/oNHPWX8FA+z
+XMeM4917aaeqcCqFfhdx3udk0Cm+nrXpOUkvZeHCWFhL7nMZkKjutLyd9bUeokds
+ply/y9ol45JwQnQ/k6lOZP14MFIS0pPd9djE3/rjougNf8jqY0I28uuJYSCNGdxV
+CwIDAQAB
+-----END PUBLIC KEY-----`,
+        prod: `-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyEPAAr99fdziOBMA48aD
+ejTAyxcZmSkP+sbuZkJ71OXC9+PqXiDBWWYmz5D37PmErU85DYyDyRWKK1DrEVpW
+IwcA+SOzsVqgXeYyNDp07GqjDsypgXd7W89juV1dBzLcE9qvDnxoqscDO600B2Mr
+Y38Fpn1zOESL1By6MLvMl6gfbMWYir3+Eh2wSDfCcmDN2W1Nhj2YOORoIyTE9IqZ
+0T5uU3lvgWAcwOaBE9OjGj5BDa5piBnWGn3FiSyZxdbZmemJ99GXH1YiKrvvxDNE
+0ySbIiinTdvXLuNCXt2nx5hPu2kiOYh/IyvU9i9/tIbkmyqRGMkc0BeT90qombAY
+VQIDAQAB
+-----END PUBLIC KEY-----`,
+    },
+};
+export function resolveRootPublicKeyPem(region, env) {
+    const raw = process.env.SCP_ROOT_PUBLIC_KEY_PEM;
+    if (raw && raw.trim().length > 0) {
+        return normalizePem(raw);
+    }
+    const embedded = DEFAULT_ROOT_PUBLIC_KEYS[region]?.[env];
+    if (!embedded) {
+        throw new Error(`SCP_ROOT_PUBLIC_KEY_PEM is required for ${region}-${env}.`);
+    }
+    return embedded;
+}
+function normalizePem(raw) {
+    return raw.includes('\\n') ? raw.replace(/\\n/g, '\n') : raw;
+}
+//# sourceMappingURL=rootKey.js.map

package/out/secure-config/rootKey.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rootKey.js","sourceRoot":"","sources":["../../src/secure-config/rootKey.ts"],"names":[],"mappings":"AAEA,MAAM,wBAAwB,GAA0E;IACtG,EAAE,EAAE;QACF,OAAO,EAAE;;;;;;;;yBAQY;QACrB,IAAI,EAAE;;;;;;;;yBAQe;KACtB;IACD,EAAE,EAAE;QACF,OAAO,EAAE;;;;;;;;yBAQY;QACrB,IAAI,EAAE;;;;;;;;yBAQe;KACtB;CACF,CAAC;AAEF,MAAM,UAAU,uBAAuB,CAAC,MAAkB,EAAE,GAAoB;IAC9E,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,uBAAuB,CAAC;IAChD,IAAI,GAAG,IAAI,GAAG,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACjC,OAAO,YAAY,CAAC,GAAG,CAAC,CAAC;IAC3B,CAAC;IAED,MAAM,QAAQ,GAAG,wBAAwB,CAAC,MAAM,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC;IACzD,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,MAAM,IAAI,KAAK,CAAC,2CAA2C,MAAM,IAAI,GAAG,GAAG,CAAC,CAAC;IAC/E,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,YAAY,CAAC,GAAW;IAC/B,OAAO,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;AAC/D,CAAC"}

package/out/secure-config/signatureUtils.d.ts

@@ -0,0 +1,3 @@
+export declare function sha256Hex(input: Buffer): string;
+export declare function canonicalize(value: unknown): string;
+//# sourceMappingURL=signatureUtils.d.ts.map

package/out/secure-config/signatureUtils.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"signatureUtils.d.ts","sourceRoot":"","sources":["../../src/secure-config/signatureUtils.ts"],"names":[],"mappings":"AAEA,wBAAgB,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAE/C;AAED,wBAAgB,YAAY,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM,CAEnD"}

package/out/secure-config/signatureUtils.js

@@ -0,0 +1,23 @@
+import * as crypto from 'crypto';
+export function sha256Hex(input) {
+    return crypto.createHash('sha256').update(input).digest('hex');
+}
+export function canonicalize(value) {
+    return JSON.stringify(sortKeys(value));
+}
+function sortKeys(value) {
+    if (Array.isArray(value)) {
+        return value.map(sortKeys);
+    }
+    if (value && typeof value === 'object') {
+        const record = value;
+        return Object.keys(record)
+            .sort()
+            .reduce((acc, key) => {
+            acc[key] = sortKeys(record[key]);
+            return acc;
+        }, {});
+    }
+    return value;
+}
+//# sourceMappingURL=signatureUtils.js.map

package/out/secure-config/signatureUtils.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"signatureUtils.js","sourceRoot":"","sources":["../../src/secure-config/signatureUtils.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,MAAM,QAAQ,CAAC;AAEjC,MAAM,UAAU,SAAS,CAAC,KAAa;IACrC,OAAO,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACjE,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,KAAc;IACzC,OAAO,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC;AACzC,CAAC;AAED,SAAS,QAAQ,CAAC,KAAc;IAC9B,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACzB,OAAO,KAAK,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IAC7B,CAAC;IACD,IAAI,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QACvC,MAAM,MAAM,GAAG,KAAgC,CAAC;QAChD,OAAO,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC;aACvB,IAAI,EAAE;aACN,MAAM,CAA0B,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;YAC5C,GAAG,CAAC,GAAG,CAAC,GAAG,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;YACjC,OAAO,GAAG,CAAC;QACb,CAAC,EAAE,EAAE,CAAC,CAAC;IACX,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC"}

package/out/secure-config/types.d.ts

@@ -0,0 +1,79 @@
+export type ClientType = 'cli' | 'desktop';
+export interface SCPManifest {
+    team_id: string;
+    version: string;
+    ttl: number;
+    created_at: string;
+    kid: string;
+}
+export interface SecureConfigPackage {
+    manifest: SCPManifest;
+    payload_enc: string;
+    key_enc: string;
+    signature: string;
+}
+export interface SecureConfigKeyset {
+    region: 'us' | 'cn';
+    keys: Array<{
+        kid: string;
+        public_key_pem: string;
+        algorithm: 'RSASSA_PKCS1_V1_5_SHA_256';
+        status: 'active' | 'deprecated';
+        valid_from?: string;
+        valid_to?: string;
+    }>;
+    signature: string;
+}
+export interface SecureConfigKeysetResponse {
+    success: true;
+    data: SecureConfigKeyset;
+    request_id?: string;
+}
+export interface SecureConfigResponse {
+    success: true;
+    data: SecureConfigPackage;
+    request_id?: string;
+}
+export interface SecureConfigErrorResponse {
+    success: false;
+    error: {
+        code: string;
+        message: string;
+        details?: Record<string, unknown>;
+        request_id?: string;
+        retry_after_seconds?: number;
+    };
+}
+export interface DeviceRegisterRequest {
+    device_id: string;
+    public_key_pem: string;
+    device_name?: string;
+}
+export interface DeviceRegisterResponse {
+    success: true;
+    data: {
+        device_id: string;
+        registered_at: string;
+    };
+    request_id?: string;
+}
+export type ApiResponse<T> = T | SecureConfigErrorResponse;
+export interface DeviceKeyInfo {
+    deviceId: string;
+    publicKeyPem: string;
+}
+export interface TeamListResponse {
+    success: true;
+    data: {
+        teams: Array<{
+            team_id: string;
+            display_name?: string;
+            name?: string;
+            status?: string;
+        }>;
+        next_cursor: string | null;
+        has_more: boolean;
+    };
+    request_id?: string;
+}
+//# sourceMappingURL=types.d.ts.map