@the-ai-company/cbio-node-runtime 0.31.0

package/dist/audit/ActivityLog.js

@@ -0,0 +1,66 @@
+/**
+ * ActivityLog
+ *
+ * Audit log for fetchWithAuth/fetchJsonAndAddSecret/fetchJsonAndUpdateSecret. Separate from vault.
+ * No sensitive data. For dashboard/UI display. Optional, can be disabled.
+ * First line is metadata (_meta) for consumer identification.
+ */
+const NEWLINE = '\n';
+export async function appendActivityLog(storage, key, entry, metadata) {
+    let existing = await storage.read(key);
+    if ((!existing || existing.length === 0) && metadata) {
+        const metaLine = JSON.stringify({ _meta: metadata }) + NEWLINE;
+        existing = Buffer.from(metaLine, 'utf8');
+    }
+    const line = JSON.stringify(entry) + NEWLINE;
+    const next = existing ? Buffer.concat([existing, Buffer.from(line, 'utf8')]) : Buffer.from(line, 'utf8');
+    await storage.write(key, next);
+}
+export async function readActivityLog(storage, key) {
+    const buf = await storage.read(key);
+    if (!buf || buf.length === 0)
+        return [];
+    const text = buf.toString('utf8');
+    const lines = text.split(NEWLINE).filter(Boolean);
+    return lines
+        .map((l) => {
+        const raw = JSON.parse(l);
+        if (raw._meta)
+            return null;
+        const secretName = raw.secretName ?? raw.alias;
+        if (typeof raw.ts !== 'number')
+            return null;
+        if (raw.action !== 'fetchWithAuth' && raw.action !== 'fetchJsonAndAddSecret' && raw.action !== 'fetchJsonAndUpdateSecret')
+            return null;
+        if (typeof secretName !== 'string')
+            return null;
+        if (typeof raw.url !== 'string')
+            return null;
+        if (typeof raw.method !== 'string')
+            return null;
+        if (typeof raw.success !== 'boolean')
+            return null;
+        return {
+            ts: raw.ts,
+            action: raw.action,
+            secretName,
+            url: raw.url,
+            method: raw.method,
+            success: raw.success,
+            ...(typeof raw.error === 'string' ? { error: raw.error } : {}),
+        };
+    })
+        .filter((e) => e !== null);
+}
+export async function readActivityLogMetadata(storage, key) {
+    const buf = await storage.read(key);
+    if (!buf || buf.length === 0)
+        return null;
+    const firstLine = buf.toString('utf8').split(NEWLINE)[0];
+    if (!firstLine)
+        return null;
+    const raw = JSON.parse(firstLine);
+    const meta = raw._meta;
+    return meta && typeof meta.agentId === 'string' && typeof meta.storageKey === 'string' ? meta : null;
+}
+//# sourceMappingURL=ActivityLog.js.map

package/dist/audit/ActivityLog.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ActivityLog.js","sourceRoot":"","sources":["../../src/audit/ActivityLog.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AA+BH,MAAM,OAAO,GAAG,IAAI,CAAC;AAErB,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACnC,OAAyB,EACzB,GAAW,EACX,KAAuB,EACvB,QAA8B;IAE9B,IAAI,QAAQ,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACvC,IAAI,CAAC,CAAC,QAAQ,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,CAAC,IAAI,QAAQ,EAAE,CAAC;QACnD,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,GAAG,OAAO,CAAC;QAC/D,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IAC7C,CAAC;IACD,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,GAAG,OAAO,CAAC;IAC7C,MAAM,IAAI,GAAG,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;IACzG,MAAM,OAAO,CAAC,KAAK,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;AACnC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,eAAe,CACjC,OAAyB,EACzB,GAAW;IAEX,MAAM,GAAG,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACpC,IAAI,CAAC,GAAG,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IACxC,MAAM,IAAI,GAAG,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IAClC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAClD,OAAO,KAAK;SACP,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE;QACP,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAA8C,CAAC;QACvE,IAAI,GAAG,CAAC,KAAK;YAAE,OAAO,IAAI,CAAC;QAC3B,MAAM,UAAU,GAAG,GAAG,CAAC,UAAU,IAAI,GAAG,CAAC,KAAK,CAAC;QAC/C,IAAI,OAAO,GAAG,CAAC,EAAE,KAAK,QAAQ;YAAE,OAAO,IAAI,CAAC;QAC5C,IAAI,GAAG,CAAC,MAAM,KAAK,eAAe,IAAI,GAAG,CAAC,MAAM,KAAK,uBAAuB,IAAI,GAAG,CAAC,MAAM,KAAK,0BAA0B;YAAE,OAAO,IAAI,CAAC;QACvI,IAAI,OAAO,UAAU,KAAK,QAAQ;YAAE,OAAO,IAAI,CAAC;QAChD,IAAI,OAAO,GAAG,CAAC,GAAG,KAAK,QAAQ;YAAE,OAAO,IAAI,CAAC;QAC7C,IAAI,OAAO,GAAG,CAAC,MAAM,KAAK,QAAQ;YAAE,OAAO,IAAI,CAAC;QAChD,IAAI,OAAO,GAAG,CAAC,OAAO,KAAK,SAAS;YAAE,OAAO,IAAI,CAAC;QAClD,OAAO;YACH,EAAE,EAAE,GAAG,CAAC,EAAE;YACV,MAAM,EAAE,GAAG,CAAC,MAAM;YAClB,UAAU;YACV,GAAG,EAAE,GAAG,CAAC,GAAG;YACZ,MAAM,EAAE,GAAG,CAAC,MAAM;YAClB,OAAO,EAAE,GAAG,CAAC,OAAO;YACpB,GAAG,CAAC,OAAO,GAAG,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,GAAG,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACtC,CAAC;IACjC,CAAC,CAAC;SACD,MAAM,CAAC,CAAC,CAAC,EAAyB,EAAE,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC;AAC1D,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,uBAAuB,CACzC,OAAyB,EACzB,GAAW;IAEX,MAAM,GAAG,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACpC,IAAI,CAAC,GAAG,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAC1C,MAAM,SAAS,GAAG,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC;IACzD,IAAI,CAAC,SAAS;QAAE,OAAO,IAAI,CAAC;IAC5B,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAA4B,CAAC;IAC7D,MAAM,IAAI,GAAG,GAAG,CAAC,KAAwC,CAAC;IAC1D,OAAO,IAAI,IAAI,OAAO,IAAI,CAAC,OAAO,KAAK,QAAQ,IAAI,OAAO,IAAI,CAAC,UAAU,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC;AACzG,CAAC"}

package/dist/errors.d.ts

@@ -0,0 +1,28 @@
+/**
+ * Structured error hierarchy for local vault and identity operations.
+ */
+export declare enum IdentityErrorCode {
+    VAULT_PERSISTENCE_FAILED = "VAULT_PERSISTENCE_FAILED",
+    SECRET_NOT_FOUND = "SECRET_NOT_FOUND",
+    ISSUED_IDENTITY_INVALID = "ISSUED_IDENTITY_INVALID",
+    VAULT_WRITE_INTEGRITY_FAILED = "VAULT_WRITE_INTEGRITY_FAILED",
+    INVALID_KDK = "INVALID_KDK",
+    VAULT_CORRUPTED = "VAULT_CORRUPTED",
+    VAULT_DECRYPT_FAILED = "VAULT_DECRYPT_FAILED",
+    MERGE_IDENTITY_MISMATCH = "MERGE_IDENTITY_MISMATCH",
+    SIGNER_REQUIRES_PUBLIC_KEY = "SIGNER_REQUIRES_PUBLIC_KEY",
+    SIGNER_REQUIRES_PRIVATE_KEY = "SIGNER_REQUIRES_PRIVATE_KEY",
+    EXPORT_REQUIRES_LOCAL_SIGNER = "EXPORT_REQUIRES_LOCAL_SIGNER",
+    CHILD_IDENTITY_REQUIRES_PRIVATE_KEY = "CHILD_IDENTITY_REQUIRES_PRIVATE_KEY",
+    SECRET_ALREADY_EXISTS = "SECRET_ALREADY_EXISTS",
+    VAULT_FILE_NOT_FOUND = "VAULT_FILE_NOT_FOUND",
+    SECRET_POLICY_REQUIRED = "SECRET_POLICY_REQUIRED",
+    SECRET_SOURCE_ORIGIN_MISMATCH = "SECRET_SOURCE_ORIGIN_MISMATCH",
+    UNSUPPORTED_SIGNED_BODY = "UNSUPPORTED_SIGNED_BODY",
+    PERMISSION_DENIED = "PERMISSION_DENIED"
+}
+export declare class IdentityError extends Error {
+    readonly code: IdentityErrorCode;
+    constructor(code: IdentityErrorCode, message: string, options?: ErrorOptions);
+    static isIdentityError(e: unknown): e is IdentityError;
+}

package/dist/errors.js

@@ -0,0 +1,37 @@
+/**
+ * Structured error hierarchy for local vault and identity operations.
+ */
+export var IdentityErrorCode;
+(function (IdentityErrorCode) {
+    IdentityErrorCode["VAULT_PERSISTENCE_FAILED"] = "VAULT_PERSISTENCE_FAILED";
+    IdentityErrorCode["SECRET_NOT_FOUND"] = "SECRET_NOT_FOUND";
+    IdentityErrorCode["ISSUED_IDENTITY_INVALID"] = "ISSUED_IDENTITY_INVALID";
+    IdentityErrorCode["VAULT_WRITE_INTEGRITY_FAILED"] = "VAULT_WRITE_INTEGRITY_FAILED";
+    IdentityErrorCode["INVALID_KDK"] = "INVALID_KDK";
+    IdentityErrorCode["VAULT_CORRUPTED"] = "VAULT_CORRUPTED";
+    IdentityErrorCode["VAULT_DECRYPT_FAILED"] = "VAULT_DECRYPT_FAILED";
+    IdentityErrorCode["MERGE_IDENTITY_MISMATCH"] = "MERGE_IDENTITY_MISMATCH";
+    IdentityErrorCode["SIGNER_REQUIRES_PUBLIC_KEY"] = "SIGNER_REQUIRES_PUBLIC_KEY";
+    IdentityErrorCode["SIGNER_REQUIRES_PRIVATE_KEY"] = "SIGNER_REQUIRES_PRIVATE_KEY";
+    IdentityErrorCode["EXPORT_REQUIRES_LOCAL_SIGNER"] = "EXPORT_REQUIRES_LOCAL_SIGNER";
+    IdentityErrorCode["CHILD_IDENTITY_REQUIRES_PRIVATE_KEY"] = "CHILD_IDENTITY_REQUIRES_PRIVATE_KEY";
+    IdentityErrorCode["SECRET_ALREADY_EXISTS"] = "SECRET_ALREADY_EXISTS";
+    IdentityErrorCode["VAULT_FILE_NOT_FOUND"] = "VAULT_FILE_NOT_FOUND";
+    IdentityErrorCode["SECRET_POLICY_REQUIRED"] = "SECRET_POLICY_REQUIRED";
+    IdentityErrorCode["SECRET_SOURCE_ORIGIN_MISMATCH"] = "SECRET_SOURCE_ORIGIN_MISMATCH";
+    IdentityErrorCode["UNSUPPORTED_SIGNED_BODY"] = "UNSUPPORTED_SIGNED_BODY";
+    IdentityErrorCode["PERMISSION_DENIED"] = "PERMISSION_DENIED";
+})(IdentityErrorCode || (IdentityErrorCode = {}));
+export class IdentityError extends Error {
+    code;
+    constructor(code, message, options) {
+        super(message, options);
+        this.name = "IdentityError";
+        this.code = code;
+        Object.setPrototypeOf(this, IdentityError.prototype);
+    }
+    static isIdentityError(e) {
+        return e instanceof IdentityError;
+    }
+}
+//# sourceMappingURL=errors.js.map

package/dist/errors.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.js","sourceRoot":"","sources":["../src/errors.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,MAAM,CAAN,IAAY,iBAmBX;AAnBD,WAAY,iBAAiB;IACzB,0EAAqD,CAAA;IACrD,0DAAqC,CAAA;IACrC,wEAAmD,CAAA;IACnD,kFAA6D,CAAA;IAC7D,gDAA2B,CAAA;IAC3B,wDAAmC,CAAA;IACnC,kEAA6C,CAAA;IAC7C,wEAAmD,CAAA;IACnD,8EAAyD,CAAA;IACzD,gFAA2D,CAAA;IAC3D,kFAA6D,CAAA;IAC7D,gGAA2E,CAAA;IAC3E,oEAA+C,CAAA;IAC/C,kEAA6C,CAAA;IAC7C,sEAAiD,CAAA;IACjD,oFAA+D,CAAA;IAC/D,wEAAmD,CAAA;IACnD,4DAAuC,CAAA;AAC3C,CAAC,EAnBW,iBAAiB,KAAjB,iBAAiB,QAmB5B;AAED,MAAM,OAAO,aAAc,SAAQ,KAAK;IAC3B,IAAI,CAAoB;IAEjC,YAAY,IAAuB,EAAE,OAAe,EAAE,OAAsB;QACxE,KAAK,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QACxB,IAAI,CAAC,IAAI,GAAG,eAAe,CAAC;QAC5B,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;QACjB,MAAM,CAAC,cAAc,CAAC,IAAI,EAAE,aAAa,CAAC,SAAS,CAAC,CAAC;IACzD,CAAC;IAED,MAAM,CAAC,eAAe,CAAC,CAAU;QAC7B,OAAO,CAAC,YAAY,aAAa,CAAC;IACtC,CAAC;CACJ"}

package/dist/http/authClient.d.ts

@@ -0,0 +1,26 @@
+/**
+ * AuthClient
+ *
+ * Runtime HTTP client that uses vault-stored secrets for Authorization.
+ * Handles fetchWithAuth and createFetchWithAuth. Vault only does storage.
+ */
+import { Signer } from '../protocol/crypto.js';
+import type { CbioVault } from '../vault/vault.js';
+import type { ActivityLogEntry } from '../audit/ActivityLog.js';
+export interface FetchWithAuthOptions extends RequestInit {
+    authPrefix?: string;
+    authHeaderName?: string;
+    withSignature?: boolean;
+}
+/**
+ * AuthClient uses vault's secrets for authenticated HTTP requests.
+ * Secret values never leave the vault; AuthClient reads via vault.getSecret.
+ */
+export declare class AuthClient {
+    private readonly _vault;
+    private readonly _signer;
+    private readonly _appendActivityLog;
+    constructor(_vault: CbioVault, _signer: Signer | null, _appendActivityLog: (entry: ActivityLogEntry) => Promise<void>);
+    fetchWithAuth(secretName: string, url: string, options?: FetchWithAuthOptions): Promise<Response>;
+    createFetchWithAuth(secretName: string): (input: RequestInfo | URL, init?: RequestInit) => Promise<Response>;
+}

package/dist/http/authClient.js

@@ -0,0 +1,132 @@
+/**
+ * AuthClient
+ *
+ * Runtime HTTP client that uses vault-stored secrets for Authorization.
+ * Handles fetchWithAuth and createFetchWithAuth. Vault only does storage.
+ */
+import { createHash } from 'node:crypto';
+import { IdentityError, IdentityErrorCode } from '../errors.js';
+async function hashRequestBody(body) {
+    if (body == null)
+        return '';
+    if (typeof body === 'string') {
+        return createHash('sha256').update(body).digest('hex');
+    }
+    if (body instanceof URLSearchParams) {
+        return createHash('sha256').update(body.toString()).digest('hex');
+    }
+    if (body instanceof ArrayBuffer) {
+        return createHash('sha256').update(Buffer.from(body)).digest('hex');
+    }
+    if (ArrayBuffer.isView(body)) {
+        return createHash('sha256')
+            .update(Buffer.from(body.buffer, body.byteOffset, body.byteLength))
+            .digest('hex');
+    }
+    if (typeof Blob !== 'undefined' && body instanceof Blob) {
+        const bytes = Buffer.from(await body.arrayBuffer());
+        return createHash('sha256').update(bytes).digest('hex');
+    }
+    throw new IdentityError(IdentityErrorCode.UNSUPPORTED_SIGNED_BODY, 'withSignature only supports string, URLSearchParams, Blob, ArrayBuffer, and typed array request bodies.');
+}
+/**
+ * AuthClient uses vault's secrets for authenticated HTTP requests.
+ * Secret values never leave the vault; AuthClient reads via vault.getSecret.
+ */
+export class AuthClient {
+    _vault;
+    _signer;
+    _appendActivityLog;
+    constructor(_vault, _signer, _appendActivityLog) {
+        this._vault = _vault;
+        this._signer = _signer;
+        this._appendActivityLog = _appendActivityLog;
+    }
+    async fetchWithAuth(secretName, url, options = {}) {
+        const method = options.method ?? 'GET';
+        const appendFailure = async (error) => {
+            await this._appendActivityLog({
+                ts: Date.now(),
+                action: 'fetchWithAuth',
+                secretName,
+                url,
+                method,
+                success: false,
+                error,
+            });
+        };
+        const secretValue = this._vault.getSecret(secretName);
+        if (!secretValue) {
+            try {
+                await appendFailure(`Secret name '${secretName}' not found in vault.`);
+            }
+            catch (appendErr) {
+                throw new IdentityError(IdentityErrorCode.SECRET_NOT_FOUND, `Secret name '${secretName}' not found in vault.`, { cause: appendErr });
+            }
+            throw new IdentityError(IdentityErrorCode.SECRET_NOT_FOUND, `Secret name '${secretName}' not found in vault.`);
+        }
+        const { authPrefix = 'Bearer ', authHeaderName = 'Authorization', withSignature = false, ...fetchOptions } = options;
+        const headers = new Headers(fetchOptions.headers || {});
+        headers.set(authHeaderName, `${authPrefix}${secretValue}`);
+        if (withSignature && this._signer) {
+            const timestamp = Date.now().toString();
+            const methodUpper = (fetchOptions.method ?? 'GET').toUpperCase();
+            const bodyHash = await hashRequestBody(fetchOptions.body);
+            const message = `${methodUpper}:${url}:${timestamp}:${bodyHash}`;
+            const signature = await this._signer.sign(message);
+            headers.set('X-CBIO-Signature', signature);
+            headers.set('X-CBIO-Timestamp', timestamp);
+        }
+        try {
+            const response = await fetch(url, {
+                ...fetchOptions,
+                headers
+            });
+            await this._appendActivityLog({
+                ts: Date.now(),
+                action: 'fetchWithAuth',
+                secretName,
+                url,
+                method,
+                success: true,
+            });
+            return response;
+        }
+        catch (e) {
+            try {
+                await appendFailure(e.message ?? String(e));
+            }
+            catch (appendErr) {
+                const msg = e.message ?? String(e);
+                if (IdentityError.isIdentityError(e)) {
+                    throw new IdentityError(e.code, msg, { cause: appendErr });
+                }
+                throw new Error(msg, { cause: appendErr });
+            }
+            throw e;
+        }
+    }
+    createFetchWithAuth(secretName) {
+        const self = this;
+        return async function (input, init) {
+            let url;
+            let options = {};
+            if (typeof input === 'string') {
+                url = input;
+            }
+            else if (input instanceof URL) {
+                url = input.toString();
+            }
+            else {
+                const req = input.clone();
+                url = req.url;
+                options = { method: req.method, headers: req.headers, body: req.body };
+            }
+            if (init) {
+                options = { ...options, ...init };
+            }
+            return self.fetchWithAuth(secretName, url, options);
+        };
+    }
+}
+//# sourceMappingURL=authClient.js.map

package/dist/http/authClient.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"authClient.js","sourceRoot":"","sources":["../../src/http/authClient.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAEzC,OAAO,EAAE,aAAa,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AAUhE,KAAK,UAAU,eAAe,CAAC,IAAiC;IAC5D,IAAI,IAAI,IAAI,IAAI;QAAE,OAAO,EAAE,CAAC;IAC5B,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;QAC3B,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAC3D,CAAC;IACD,IAAI,IAAI,YAAY,eAAe,EAAE,CAAC;QAClC,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACtE,CAAC;IACD,IAAI,IAAI,YAAY,WAAW,EAAE,CAAC;QAC9B,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACxE,CAAC;IACD,IAAI,WAAW,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;QAC3B,OAAO,UAAU,CAAC,QAAQ,CAAC;aACtB,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;aAClE,MAAM,CAAC,KAAK,CAAC,CAAC;IACvB,CAAC;IACD,IAAI,OAAO,IAAI,KAAK,WAAW,IAAI,IAAI,YAAY,IAAI,EAAE,CAAC;QACtD,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC;QACpD,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAC5D,CAAC;IAED,MAAM,IAAI,aAAa,CACnB,iBAAiB,CAAC,uBAAuB,EACzC,yGAAyG,CAC5G,CAAC;AACN,CAAC;AAED;;;GAGG;AACH,MAAM,OAAO,UAAU;IAEE;IACA;IACA;IAHrB,YACqB,MAAiB,EACjB,OAAsB,EACtB,kBAA8D;QAF9D,WAAM,GAAN,MAAM,CAAW;QACjB,YAAO,GAAP,OAAO,CAAe;QACtB,uBAAkB,GAAlB,kBAAkB,CAA4C;IAChF,CAAC;IAEJ,KAAK,CAAC,aAAa,CAAC,UAAkB,EAAE,GAAW,EAAE,UAAgC,EAAE;QACnF,MAAM,MAAM,GAAI,OAAO,CAAC,MAAiB,IAAI,KAAK,CAAC;QACnD,MAAM,aAAa,GAAG,KAAK,EAAE,KAAa,EAAiB,EAAE;YACzD,MAAM,IAAI,CAAC,kBAAkB,CAAC;gBAC1B,EAAE,EAAE,IAAI,CAAC,GAAG,EAAE;gBACd,MAAM,EAAE,eAAe;gBACvB,UAAU;gBACV,GAAG;gBACH,MAAM;gBACN,OAAO,EAAE,KAAK;gBACd,KAAK;aACR,CAAC,CAAC;QACP,CAAC,CAAC;QAEF,MAAM,WAAW,GAAG,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;QACtD,IAAI,CAAC,WAAW,EAAE,CAAC;YACf,IAAI,CAAC;gBACD,MAAM,aAAa,CAAC,gBAAgB,UAAU,uBAAuB,CAAC,CAAC;YAC3E,CAAC;YAAC,OAAO,SAAS,EAAE,CAAC;gBACjB,MAAM,IAAI,aAAa,CACnB,iBAAiB,CAAC,gBAAgB,EAClC,gBAAgB,UAAU,uBAAuB,EACjD,EAAE,KAAK,EAAE,SAAS,EAAE,CACvB,CAAC;YACN,CAAC;YACD,MAAM,IAAI,aAAa,CAAC,iBAAiB,CAAC,gBAAgB,EAAE,gBAAgB,UAAU,uBAAuB,CAAC,CAAC;QACnH,CAAC;QAED,MAAM,EAAE,UAAU,GAAG,SAAS,EAAE,cAAc,GAAG,eAAe,EAAE,aAAa,GAAG,KAAK,EAAE,GAAG,YAAY,EAAE,GAAG,OAAO,CAAC;QACrH,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,YAAY,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC;QACxD,OAAO,CAAC,GAAG,CAAC,cAAc,EAAE,GAAG,UAAU,GAAG,WAAW,EAAE,CAAC,CAAC;QAE3D,IAAI,aAAa,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YAChC,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC;YACxC,MAAM,WAAW,GAAG,CAAC,YAAY,CAAC,MAAM,IAAI,KAAK,CAAC,CAAC,WAAW,EAAE,CAAC;YACjE,MAAM,QAAQ,GAAG,MAAM,eAAe,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC;YAE1D,MAAM,OAAO,GAAG,GAAG,WAAW,IAAI,GAAG,IAAI,SAAS,IAAI,QAAQ,EAAE,CAAC;YACjE,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YACnD,OAAO,CAAC,GAAG,CAAC,kBAAkB,EAAE,SAAS,CAAC,CAAC;YAC3C,OAAO,CAAC,GAAG,CAAC,kBAAkB,EAAE,SAAS,CAAC,CAAC;QAC/C,CAAC;QAED,IAAI,CAAC;YACD,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;gBAC9B,GAAG,YAAY;gBACf,OAAO;aACV,CAAC,CAAC;YACH,MAAM,IAAI,CAAC,kBAAkB,CAAC;gBAC1B,EAAE,EAAE,IAAI,CAAC,GAAG,EAAE;gBACd,MAAM,EAAE,eAAe;gBACvB,UAAU;gBACV,GAAG;gBACH,MAAM;gBACN,OAAO,EAAE,IAAI;aAChB,CAAC,CAAC;YACH,OAAO,QAAQ,CAAC;QACpB,CAAC;QAAC,OAAO,CAAM,EAAE,CAAC;YACd,IAAI,CAAC;gBACD,MAAM,aAAa,CAAC,CAAC,CAAC,OAAO,IAAI,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;YAChD,CAAC;YAAC,OAAO,SAAS,EAAE,CAAC;gBACjB,MAAM,GAAG,GAAG,CAAC,CAAC,OAAO,IAAI,MAAM,CAAC,CAAC,CAAC,CAAC;gBACnC,IAAI,aAAa,CAAC,eAAe,CAAC,CAAC,CAAC,EAAE,CAAC;oBACnC,MAAM,IAAI,aAAa,CAAC,CAAC,CAAC,IAAI,EAAE,GAAG,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,CAAC;gBAC/D,CAAC;gBACD,MAAM,IAAI,KAAK,CAAC,GAAG,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,CAAC;YAC/C,CAAC;YACD,MAAM,CAAC,CAAC;QACZ,CAAC;IACL,CAAC;IAED,mBAAmB,CAAC,UAAkB;QAClC,MAAM,IAAI,GAAG,IAAI,CAAC;QAClB,OAAO,KAAK,WAAW,KAAwB,EAAE,IAAkB;YAC/D,IAAI,GAAW,CAAC;YAChB,IAAI,OAAO,GAAgB,EAAE,CAAC;YAC9B,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;gBAC5B,GAAG,GAAG,KAAK,CAAC;YAChB,CAAC;iBAAM,IAAI,KAAK,YAAY,GAAG,EAAE,CAAC;gBAC9B,GAAG,GAAG,KAAK,CAAC,QAAQ,EAAE,CAAC;YAC3B,CAAC;iBAAM,CAAC;gBACJ,MAAM,GAAG,GAAG,KAAK,CAAC,KAAK,EAAE,CAAC;gBAC1B,GAAG,GAAG,GAAG,CAAC,GAAG,CAAC;gBACd,OAAO,GAAG,EAAE,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,OAAO,EAAE,GAAG,CAAC,OAAO,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,CAAC;YAC3E,CAAC;YACD,IAAI,IAAI,EAAE,CAAC;gBACP,OAAO,GAAG,EAAE,GAAG,OAAO,EAAE,GAAG,IAAI,EAAE,CAAC;YACtC,CAAC;YACD,OAAO,IAAI,CAAC,aAAa,CAAC,UAAU,EAAE,GAAG,EAAE,OAAO,CAAC,CAAC;QACxD,CAAC,CAAC;IACN,CAAC;CACJ"}

package/dist/http/localAuthProxy.d.ts

@@ -0,0 +1,33 @@
+import type { FetchWithAuthOptions } from "./authClient.js";
+export interface FetchWithAuthLike {
+    fetchWithAuth(secretName: string, url: string, options?: FetchWithAuthOptions): Promise<Response>;
+}
+/**
+ * Configuration for a local proxy that forwards requests to one upstream API
+ * while injecting a vault-backed secret into each outbound request.
+ */
+export interface LocalAuthProxyOptions {
+    /** Trusted handle used to send authenticated requests upstream. */
+    authHandle: FetchWithAuthLike;
+    /** Vault secret name to inject into the outbound auth header. */
+    secretName: string;
+    /** Upstream API base URL, such as `https://api.openai.com`. */
+    upstreamBaseUrl: string;
+    /** HTTP header name for auth. Defaults to `Authorization`. */
+    authHeaderName?: string;
+    /** Prefix prepended before the secret value. Defaults to `Bearer `. */
+    authPrefix?: string;
+    /** Local bind host for the proxy server. Defaults to `127.0.0.1`. */
+    host?: string;
+    /** Local bind port. Defaults to `0` for an ephemeral port. */
+    port?: number;
+}
+export interface LocalAuthProxyHandle {
+    readonly secretName: string;
+    readonly upstreamBaseUrl: string;
+    readonly host: string;
+    readonly port: number;
+    readonly baseUrl: string;
+    close(): Promise<void>;
+}
+export declare function startLocalAuthProxy(options: LocalAuthProxyOptions): Promise<LocalAuthProxyHandle>;

package/dist/http/localAuthProxy.js

@@ -0,0 +1,93 @@
+import * as http from "node:http";
+function normalizeProxyRequestHeaders(headers) {
+    const next = new Headers();
+    for (const [key, value] of Object.entries(headers)) {
+        if (value == null)
+            continue;
+        const lower = key.toLowerCase();
+        if (lower === "host" || lower === "content-length" || lower === "connection" || lower === "authorization") {
+            continue;
+        }
+        if (Array.isArray(value)) {
+            next.set(key, value.join(", "));
+        }
+        else {
+            next.set(key, value);
+        }
+    }
+    next.set("x-cbio-local-proxy", "1");
+    return next;
+}
+async function readRequestBody(req) {
+    const chunks = [];
+    for await (const chunk of req) {
+        chunks.push(typeof chunk === "string" ? Buffer.from(chunk) : chunk);
+    }
+    if (chunks.length === 0)
+        return undefined;
+    return Buffer.concat(chunks);
+}
+export async function startLocalAuthProxy(options) {
+    const { authHandle, secretName, upstreamBaseUrl, authHeaderName = "Authorization", authPrefix = "Bearer ", host = "127.0.0.1", port = 0, } = options;
+    const upstream = new URL(upstreamBaseUrl);
+    const server = http.createServer(async (req, res) => {
+        try {
+            const method = req.method ?? "GET";
+            const targetUrl = new URL(req.url ?? "/", upstream);
+            const headers = normalizeProxyRequestHeaders(req.headers);
+            const body = await readRequestBody(req);
+            const upstreamResponse = await authHandle.fetchWithAuth(secretName, targetUrl.toString(), {
+                method,
+                headers,
+                body: body ? new Uint8Array(body) : undefined,
+                authHeaderName,
+                authPrefix,
+            });
+            res.statusCode = upstreamResponse.status;
+            upstreamResponse.headers.forEach((value, key) => {
+                const lower = key.toLowerCase();
+                if (lower === "content-length" || lower === "transfer-encoding" || lower === "connection") {
+                    return;
+                }
+                res.setHeader(key, value);
+            });
+            const responseBuffer = Buffer.from(await upstreamResponse.arrayBuffer());
+            res.end(responseBuffer);
+        }
+        catch (e) {
+            const message = e instanceof Error ? e.message : String(e);
+            res.statusCode = 502;
+            res.setHeader("Content-Type", "application/json");
+            res.end(JSON.stringify({
+                error: "CBIO_LOCAL_PROXY_UPSTREAM_FAILED",
+                message,
+            }));
+        }
+    });
+    await new Promise((resolve, reject) => {
+        server.once("error", reject);
+        server.listen(port, host, () => {
+            server.off("error", reject);
+            resolve();
+        });
+    });
+    const address = server.address();
+    if (!address || typeof address === "string") {
+        throw new Error("Failed to determine local proxy address.");
+    }
+    const resolvedAddress = address;
+    const baseUrl = `http://${host}:${resolvedAddress.port}`;
+    return {
+        secretName,
+        upstreamBaseUrl,
+        host,
+        port: resolvedAddress.port,
+        baseUrl,
+        close() {
+            return new Promise((resolve, reject) => {
+                server.close((err) => (err ? reject(err) : resolve()));
+            });
+        },
+    };
+}
+//# sourceMappingURL=localAuthProxy.js.map

package/dist/http/localAuthProxy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"localAuthProxy.js","sourceRoot":"","sources":["../../src/http/localAuthProxy.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAsClC,SAAS,4BAA4B,CAAC,OAAiC;IACrE,MAAM,IAAI,GAAG,IAAI,OAAO,EAAE,CAAC;IAC3B,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;QACnD,IAAI,KAAK,IAAI,IAAI;YAAE,SAAS;QAC5B,MAAM,KAAK,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;QAChC,IAAI,KAAK,KAAK,MAAM,IAAI,KAAK,KAAK,gBAAgB,IAAI,KAAK,KAAK,YAAY,IAAI,KAAK,KAAK,eAAe,EAAE,CAAC;YAC1G,SAAS;QACX,CAAC;QACD,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;YACzB,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;QAClC,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QACvB,CAAC;IACH,CAAC;IACD,IAAI,CAAC,GAAG,CAAC,oBAAoB,EAAE,GAAG,CAAC,CAAC;IACpC,OAAO,IAAI,CAAC;AACd,CAAC;AAED,KAAK,UAAU,eAAe,CAAC,GAAyB;IACtD,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,IAAI,KAAK,EAAE,MAAM,KAAK,IAAI,GAAG,EAAE,CAAC;QAC9B,MAAM,CAAC,IAAI,CAAC,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;IACtE,CAAC;IACD,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,SAAS,CAAC;IAC1C,OAAO,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;AAC/B,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,mBAAmB,CAAC,OAA8B;IACtE,MAAM,EACJ,UAAU,EACV,UAAU,EACV,eAAe,EACf,cAAc,GAAG,eAAe,EAChC,UAAU,GAAG,SAAS,EACtB,IAAI,GAAG,WAAW,EAClB,IAAI,GAAG,CAAC,GACT,GAAG,OAAO,CAAC;IACZ,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,eAAe,CAAC,CAAC;IAE1C,MAAM,MAAM,GAAG,IAAI,CAAC,YAAY,CAAC,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE;QAClD,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,IAAI,KAAK,CAAC;YACnC,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,IAAI,GAAG,EAAE,QAAQ,CAAC,CAAC;YACpD,MAAM,OAAO,GAAG,4BAA4B,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;YAC1D,MAAM,IAAI,GAAG,MAAM,eAAe,CAAC,GAAG,CAAC,CAAC;YAExC,MAAM,gBAAgB,GAAG,MAAM,UAAU,CAAC,aAAa,CAAC,UAAU,EAAE,SAAS,CAAC,QAAQ,EAAE,EAAE;gBACxF,MAAM;gBACN,OAAO;gBACP,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC,IAAI,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS;gBAC7C,cAAc;gBACd,UAAU;aACX,CAAC,CAAC;YAEH,GAAG,CAAC,UAAU,GAAG,gBAAgB,CAAC,MAAM,CAAC;YACzC,gBAAgB,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE;gBAC9C,MAAM,KAAK,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;gBAChC,IAAI,KAAK,KAAK,gBAAgB,IAAI,KAAK,KAAK,mBAAmB,IAAI,KAAK,KAAK,YAAY,EAAE,CAAC;oBAC1F,OAAO;gBACT,CAAC;gBACD,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;YAC5B,CAAC,CAAC,CAAC;YAEH,MAAM,cAAc,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,gBAAgB,CAAC,WAAW,EAAE,CAAC,CAAC;YACzE,GAAG,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;QAC1B,CAAC;QAAC,OAAO,CAAM,EAAE,CAAC;YAChB,MAAM,OAAO,GAAG,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;YAC3D,GAAG,CAAC,UAAU,GAAG,GAAG,CAAC;YACrB,GAAG,CAAC,SAAS,CAAC,cAAc,EAAE,kBAAkB,CAAC,CAAC;YAClD,GAAG,CAAC,GAAG,CACL,IAAI,CAAC,SAAS,CAAC;gBACb,KAAK,EAAE,kCAAkC;gBACzC,OAAO;aACR,CAAC,CACH,CAAC;QACJ,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QAC1C,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAC7B,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,EAAE,GAAG,EAAE;YAC7B,MAAM,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;YAC5B,OAAO,EAAE,CAAC;QACZ,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,EAAE,CAAC;IACjC,IAAI,CAAC,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE,CAAC;QAC5C,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;IAC9D,CAAC;IAED,MAAM,eAAe,GAAG,OAAsB,CAAC;IAC/C,MAAM,OAAO,GAAG,UAAU,IAAI,IAAI,eAAe,CAAC,IAAI,EAAE,CAAC;IAEzD,OAAO;QACL,UAAU;QACV,eAAe;QACf,IAAI;QACJ,IAAI,EAAE,eAAe,CAAC,IAAI;QAC1B,OAAO;QACP,KAAK;YACH,OAAO,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;gBAC3C,MAAM,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;YACzD,CAAC,CAAC,CAAC;QACL,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/http/secretAcquisition.d.ts

@@ -0,0 +1,54 @@
+/**
+ * SecretAcquisition
+ *
+ * Fetches secrets from remote JSON endpoints and stores them in vault.
+ * Secret never leaves this module; fetch + extract + store is atomic.
+ */
+import type { CbioVault } from '../vault/vault.js';
+import type { ActivityLogEntry } from '../audit/ActivityLog.js';
+interface FetchResultBase {
+    /** True when the operation succeeded/failed but activity log write failed. Caller gets FetchResult; audit trail may be incomplete. */
+    activityLogWriteFailed?: boolean;
+}
+export interface FetchSuccess<TData = unknown> extends FetchResultBase {
+    success: true;
+    data: TData;
+    secretName: string;
+}
+export interface FetchFailure extends FetchResultBase {
+    success: false;
+    error: string;
+    code?: string;
+}
+export type FetchResult<TData = unknown> = FetchSuccess<TData> | FetchFailure;
+export interface FetchJsonAndAddSecretOptions<TResponse = unknown, TBody = unknown> {
+    secretName: string;
+    url: string;
+    method?: string;
+    headers?: Record<string, string>;
+    /** JSON-serializable request body. */
+    body?: TBody;
+    /** Extract the secret from a parsed JSON response body. */
+    extractKey: (response: TResponse) => string;
+    allowedOrigins?: string[];
+}
+export interface FetchJsonAndUpdateSecretOptions<TResponse = unknown, TBody = unknown> {
+    secretName: string;
+    url: string;
+    method?: string;
+    headers?: Record<string, string>;
+    /** JSON-serializable request body. */
+    body?: TBody;
+    /** Extract the rotated secret from a parsed JSON response body. */
+    extractKey: (response: TResponse) => string;
+}
+export declare class SecretAcquisition {
+    private readonly _vault;
+    private readonly _appendActivityLog;
+    constructor(_vault: CbioVault, _appendActivityLog: (entry: ActivityLogEntry) => Promise<void>);
+    hasSecret(secretName: string): boolean;
+    listSecretNames(): string[];
+    fetchJsonAndAddSecret<TResponse = unknown, TBody = unknown>(options: FetchJsonAndAddSecretOptions<TResponse, TBody>): Promise<FetchResult<TResponse>>;
+    fetchJsonAndUpdateSecret<TResponse = unknown, TBody = unknown>(options: FetchJsonAndUpdateSecretOptions<TResponse, TBody>): Promise<FetchResult<TResponse>>;
+}
+export {};