@the-ai-company/cbio-node-runtime 0.31.0

package/dist/http/secretAcquisition.js

@@ -0,0 +1,177 @@
+/**
+ * SecretAcquisition
+ *
+ * Fetches secrets from remote JSON endpoints and stores them in vault.
+ * Secret never leaves this module; fetch + extract + store is atomic.
+ */
+import { IdentityError } from '../errors.js';
+import { isAllowedSecretUrl } from '../vault/secretPolicy.js';
+function sanitize(obj, secret) {
+    if (typeof obj !== 'object' || obj === null)
+        return obj;
+    const newObj = Array.isArray(obj) ? [] : {};
+    for (const [key, value] of Object.entries(obj)) {
+        if (typeof value === 'string' && value === secret) {
+            newObj[key] = '***';
+        }
+        else if (typeof value === 'object') {
+            newObj[key] = sanitize(value, secret);
+        }
+        else {
+            newObj[key] = value;
+        }
+    }
+    return newObj;
+}
+function serializeJsonBody(body) {
+    return body === undefined ? undefined : JSON.stringify(body);
+}
+export class SecretAcquisition {
+    _vault;
+    _appendActivityLog;
+    constructor(_vault, _appendActivityLog) {
+        this._vault = _vault;
+        this._appendActivityLog = _appendActivityLog;
+    }
+    hasSecret(secretName) {
+        return this._vault.hasSecret(secretName);
+    }
+    listSecretNames() {
+        return this._vault.listSecretNames();
+    }
+    async fetchJsonAndAddSecret(options) {
+        const { url, method = 'POST', secretName } = options;
+        const fail = async (error, code) => {
+            try {
+                await this._appendActivityLog({
+                    ts: Date.now(),
+                    action: 'fetchJsonAndAddSecret',
+                    secretName,
+                    url,
+                    method,
+                    success: false,
+                    error,
+                });
+            }
+            catch {
+                return { success: false, error, code, activityLogWriteFailed: true };
+            }
+            return { success: false, error, code };
+        };
+        try {
+            const { headers = {}, body, extractKey, allowedOrigins } = options;
+            const sourceUrl = new URL(url);
+            if (!isAllowedSecretUrl(sourceUrl)) {
+                return fail(`Secret fetch requires HTTPS or loopback HTTP for local development. Received: ${url}`);
+            }
+            const response = await fetch(url, {
+                method,
+                headers: {
+                    'Content-Type': 'application/json',
+                    ...headers
+                },
+                body: serializeJsonBody(body)
+            });
+            if (!response.ok) {
+                return fail(`HTTP Error: ${response.status}`);
+            }
+            const data = await response.json();
+            const key = extractKey(data);
+            if (!key) {
+                return fail("Failed to extract key from response");
+            }
+            let resolvedSecretName = secretName;
+            let suffix = 0;
+            while (this._vault.hasSecret(resolvedSecretName)) {
+                suffix++;
+                resolvedSecretName = `${secretName}_${suffix}`;
+            }
+            await this._vault.addSecret(resolvedSecretName, key, { allowedOrigins: allowedOrigins ?? [sourceUrl.origin] });
+            try {
+                await this._appendActivityLog({
+                    ts: Date.now(),
+                    action: 'fetchJsonAndAddSecret',
+                    secretName: resolvedSecretName,
+                    url,
+                    method,
+                    success: true,
+                });
+            }
+            catch {
+                const sanitizedData = sanitize(data, key);
+                return { success: true, data: sanitizedData, secretName: resolvedSecretName, activityLogWriteFailed: true };
+            }
+            const sanitizedData = sanitize(data, key);
+            return { success: true, data: sanitizedData, secretName: resolvedSecretName };
+        }
+        catch (e) {
+            const code = IdentityError.isIdentityError(e) ? e.code : undefined;
+            return fail(e.message ?? String(e), code);
+        }
+    }
+    async fetchJsonAndUpdateSecret(options) {
+        const { url, method = 'POST', secretName } = options;
+        const fail = async (error, code) => {
+            try {
+                await this._appendActivityLog({
+                    ts: Date.now(),
+                    action: 'fetchJsonAndUpdateSecret',
+                    secretName,
+                    url,
+                    method,
+                    success: false,
+                    error,
+                });
+            }
+            catch {
+                return { success: false, error, code, activityLogWriteFailed: true };
+            }
+            return { success: false, error, code };
+        };
+        try {
+            const { headers = {}, body, extractKey } = options;
+            const sourceUrl = new URL(url);
+            if (!isAllowedSecretUrl(sourceUrl)) {
+                return fail(`Secret rotation requires HTTPS or loopback HTTP for local development. Received: ${url}`);
+            }
+            const response = await fetch(url, {
+                method,
+                headers: {
+                    'Content-Type': 'application/json',
+                    ...headers
+                },
+                body: serializeJsonBody(body)
+            });
+            if (!response.ok) {
+                return fail(`HTTP Error: ${response.status}`);
+            }
+            const data = await response.json();
+            const key = extractKey(data);
+            if (!key) {
+                return fail("Failed to extract key from response");
+            }
+            await this._vault.rotateSecret(secretName, key, sourceUrl.origin);
+            try {
+                await this._appendActivityLog({
+                    ts: Date.now(),
+                    action: 'fetchJsonAndUpdateSecret',
+                    secretName,
+                    url,
+                    method,
+                    success: true,
+                });
+            }
+            catch {
+                const sanitizedData = sanitize(data, key);
+                return { success: true, data: sanitizedData, secretName, activityLogWriteFailed: true };
+            }
+            const sanitizedData = sanitize(data, key);
+            return { success: true, data: sanitizedData, secretName };
+        }
+        catch (e) {
+            const code = IdentityError.isIdentityError(e) ? e.code : undefined;
+            return fail(e.message ?? String(e), code);
+        }
+    }
+}
+//# sourceMappingURL=secretAcquisition.js.map

package/dist/http/secretAcquisition.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secretAcquisition.js","sourceRoot":"","sources":["../../src/http/secretAcquisition.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAG7C,OAAO,EAAE,kBAAkB,EAAE,MAAM,0BAA0B,CAAC;AA4C9D,SAAS,QAAQ,CAAC,GAAY,EAAE,MAAc;IAC1C,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,IAAI;QAAE,OAAO,GAAG,CAAC;IACxD,MAAM,MAAM,GAAwC,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;IACjF,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QAC7C,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,MAAM,EAAE,CAAC;YAC/C,MAAkC,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;QACrD,CAAC;aAAM,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAClC,MAAkC,CAAC,GAAG,CAAC,GAAG,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QACvE,CAAC;aAAM,CAAC;YACH,MAAkC,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;QACrD,CAAC;IACL,CAAC;IACD,OAAO,MAAM,CAAC;AAClB,CAAC;AAED,SAAS,iBAAiB,CAAC,IAAa;IACpC,OAAO,IAAI,KAAK,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;AACjE,CAAC;AAED,MAAM,OAAO,iBAAiB;IAEL;IACA;IAFrB,YACqB,MAAiB,EACjB,kBAA8D;QAD9D,WAAM,GAAN,MAAM,CAAW;QACjB,uBAAkB,GAAlB,kBAAkB,CAA4C;IAChF,CAAC;IAEJ,SAAS,CAAC,UAAkB;QACxB,OAAO,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;IAC7C,CAAC;IAED,eAAe;QACX,OAAO,IAAI,CAAC,MAAM,CAAC,eAAe,EAAE,CAAC;IACzC,CAAC;IAED,KAAK,CAAC,qBAAqB,CAAuC,OAAuD;QACrH,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,MAAM,EAAE,UAAU,EAAE,GAAG,OAAO,CAAC;QACrD,MAAM,IAAI,GAAG,KAAK,EAAE,KAAa,EAAE,IAAa,EAAyB,EAAE;YACvE,IAAI,CAAC;gBACD,MAAM,IAAI,CAAC,kBAAkB,CAAC;oBAC1B,EAAE,EAAE,IAAI,CAAC,GAAG,EAAE;oBACd,MAAM,EAAE,uBAAuB;oBAC/B,UAAU;oBACV,GAAG;oBACH,MAAM;oBACN,OAAO,EAAE,KAAK;oBACd,KAAK;iBACR,CAAC,CAAC;YACP,CAAC;YAAC,MAAM,CAAC;gBACL,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,sBAAsB,EAAE,IAAI,EAAE,CAAC;YACzE,CAAC;YACD,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;QAC3C,CAAC,CAAC;QACF,IAAI,CAAC;YACD,MAAM,EAAE,OAAO,GAAG,EAAE,EAAE,IAAI,EAAE,UAAU,EAAE,cAAc,EAAE,GAAG,OAAO,CAAC;YACnE,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;YAC/B,IAAI,CAAC,kBAAkB,CAAC,SAAS,CAAC,EAAE,CAAC;gBACjC,OAAO,IAAI,CAAC,iFAAiF,GAAG,EAAE,CAAC,CAAC;YACxG,CAAC;YAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;gBAC9B,MAAM;gBACN,OAAO,EAAE;oBACL,cAAc,EAAE,kBAAkB;oBAClC,GAAG,OAAO;iBACb;gBACD,IAAI,EAAE,iBAAiB,CAAC,IAAI,CAAC;aAChC,CAAC,CAAC;YAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACf,OAAO,IAAI,CAAC,eAAe,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;YAClD,CAAC;YAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAe,CAAC;YAChD,MAAM,GAAG,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC;YAE7B,IAAI,CAAC,GAAG,EAAE,CAAC;gBACP,OAAO,IAAI,CAAC,qCAAqC,CAAC,CAAC;YACvD,CAAC;YAED,IAAI,kBAAkB,GAAG,UAAU,CAAC;YACpC,IAAI,MAAM,GAAG,CAAC,CAAC;YACf,OAAO,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,kBAAkB,CAAC,EAAE,CAAC;gBAC/C,MAAM,EAAE,CAAC;gBACT,kBAAkB,GAAG,GAAG,UAAU,IAAI,MAAM,EAAE,CAAC;YACnD,CAAC;YACD,MAAM,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,kBAAkB,EAAE,GAAG,EAAE,EAAE,cAAc,EAAE,cAAc,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;YAE/G,IAAI,CAAC;gBACD,MAAM,IAAI,CAAC,kBAAkB,CAAC;oBAC1B,EAAE,EAAE,IAAI,CAAC,GAAG,EAAE;oBACd,MAAM,EAAE,uBAAuB;oBAC/B,UAAU,EAAE,kBAAkB;oBAC9B,GAAG;oBACH,MAAM;oBACN,OAAO,EAAE,IAAI;iBAChB,CAAC,CAAC;YACP,CAAC;YAAC,MAAM,CAAC;gBACL,MAAM,aAAa,GAAG,QAAQ,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;gBAC1C,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,aAA0B,EAAE,UAAU,EAAE,kBAAkB,EAAE,sBAAsB,EAAE,IAAI,EAAE,CAAC;YAC7H,CAAC;YAED,MAAM,aAAa,GAAG,QAAQ,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;YAC1C,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,aAA0B,EAAE,UAAU,EAAE,kBAAkB,EAAE,CAAC;QAC/F,CAAC;QAAC,OAAO,CAAM,EAAE,CAAC;YACd,MAAM,IAAI,GAAG,aAAa,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC;YACnE,OAAO,IAAI,CAAC,CAAC,CAAC,OAAO,IAAI,MAAM,CAAC,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC;QAC9C,CAAC;IACL,CAAC;IAED,KAAK,CAAC,wBAAwB,CAAuC,OAA0D;QAC3H,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,MAAM,EAAE,UAAU,EAAE,GAAG,OAAO,CAAC;QACrD,MAAM,IAAI,GAAG,KAAK,EAAE,KAAa,EAAE,IAAa,EAAyB,EAAE;YACvE,IAAI,CAAC;gBACD,MAAM,IAAI,CAAC,kBAAkB,CAAC;oBAC1B,EAAE,EAAE,IAAI,CAAC,GAAG,EAAE;oBACd,MAAM,EAAE,0BAA0B;oBAClC,UAAU;oBACV,GAAG;oBACH,MAAM;oBACN,OAAO,EAAE,KAAK;oBACd,KAAK;iBACR,CAAC,CAAC;YACP,CAAC;YAAC,MAAM,CAAC;gBACL,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,sBAAsB,EAAE,IAAI,EAAE,CAAC;YACzE,CAAC;YACD,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;QAC3C,CAAC,CAAC;QACF,IAAI,CAAC;YACD,MAAM,EAAE,OAAO,GAAG,EAAE,EAAE,IAAI,EAAE,UAAU,EAAE,GAAG,OAAO,CAAC;YACnD,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;YAC/B,IAAI,CAAC,kBAAkB,CAAC,SAAS,CAAC,EAAE,CAAC;gBACjC,OAAO,IAAI,CAAC,oFAAoF,GAAG,EAAE,CAAC,CAAC;YAC3G,CAAC;YAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;gBAC9B,MAAM;gBACN,OAAO,EAAE;oBACL,cAAc,EAAE,kBAAkB;oBAClC,GAAG,OAAO;iBACb;gBACD,IAAI,EAAE,iBAAiB,CAAC,IAAI,CAAC;aAChC,CAAC,CAAC;YAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACf,OAAO,IAAI,CAAC,eAAe,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;YAClD,CAAC;YAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAe,CAAC;YAChD,MAAM,GAAG,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC;YAE7B,IAAI,CAAC,GAAG,EAAE,CAAC;gBACP,OAAO,IAAI,CAAC,qCAAqC,CAAC,CAAC;YACvD,CAAC;YAED,MAAM,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,UAAU,EAAE,GAAG,EAAE,SAAS,CAAC,MAAM,CAAC,CAAC;YAElE,IAAI,CAAC;gBACD,MAAM,IAAI,CAAC,kBAAkB,CAAC;oBAC1B,EAAE,EAAE,IAAI,CAAC,GAAG,EAAE;oBACd,MAAM,EAAE,0BAA0B;oBAClC,UAAU;oBACV,GAAG;oBACH,MAAM;oBACN,OAAO,EAAE,IAAI;iBAChB,CAAC,CAAC;YACP,CAAC;YAAC,MAAM,CAAC;gBACL,MAAM,aAAa,GAAG,QAAQ,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;gBAC1C,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,aAA0B,EAAE,UAAU,EAAE,sBAAsB,EAAE,IAAI,EAAE,CAAC;YACzG,CAAC;YAED,MAAM,aAAa,GAAG,QAAQ,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;YAC1C,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,aAA0B,EAAE,UAAU,EAAE,CAAC;QAC3E,CAAC;QAAC,OAAO,CAAM,EAAE,CAAC;YACd,MAAM,IAAI,GAAG,aAAa,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC;YACnE,OAAO,IAAI,CAAC,CAAC,CAAC,OAAO,IAAI,MAAM,CAAC,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC;QAC9C,CAAC;IACL,CAAC;CACJ"}

package/dist/protocol/childSecretNaming.d.ts

@@ -0,0 +1,7 @@
+/**
+ * Vault secret naming for child identities. CHILD_KEY_PREFIX, getChildIdentitySecretName.
+ * Not protocol objects. Protocol talks about public identities and signatures,
+ * not local secret names or internal storage prefixes.
+ */
+export declare const CHILD_KEY_PREFIX: "cbio:child:";
+export declare function getChildIdentitySecretName(publicKey: string): string;

package/dist/protocol/childSecretNaming.js

@@ -0,0 +1,12 @@
+/**
+ * Vault secret naming for child identities. CHILD_KEY_PREFIX, getChildIdentitySecretName.
+ * Not protocol objects. Protocol talks about public identities and signatures,
+ * not local secret names or internal storage prefixes.
+ */
+import * as crypto from 'node:crypto';
+export const CHILD_KEY_PREFIX = 'cbio:child:';
+export function getChildIdentitySecretName(publicKey) {
+    const hash = crypto.createHash('sha256').update(publicKey).digest('hex').substring(0, 12);
+    return CHILD_KEY_PREFIX + hash;
+}
+//# sourceMappingURL=childSecretNaming.js.map

package/dist/protocol/childSecretNaming.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"childSecretNaming.js","sourceRoot":"","sources":["../../src/protocol/childSecretNaming.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,MAAM,MAAM,aAAa,CAAC;AAEtC,MAAM,CAAC,MAAM,gBAAgB,GAAG,aAAsB,CAAC;AAEvD,MAAM,UAAU,0BAA0B,CAAC,SAAiB;IACxD,MAAM,IAAI,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAC1F,OAAO,gBAAgB,GAAG,IAAI,CAAC;AACnC,CAAC"}

package/dist/protocol/crypto.d.ts

@@ -0,0 +1,23 @@
+/**
+ * Claw-biometric Core Crypto. Runtime wrappers over protocol primitives.
+ * LocalSigner, Signer. Re-exports protocol for consumers.
+ */
+import { generateIdentityKeys, derivePublicKey, verifySignature, generateNonce, type KeyPair } from '@the-ai-company/cbio-protocol';
+export type { KeyPair };
+export { generateIdentityKeys, derivePublicKey, verifySignature, generateNonce };
+export interface Signer {
+    getPublicKey(): Promise<string>;
+    sign(nonce: string): Promise<string>;
+}
+export declare class LocalSigner implements Signer {
+    #private;
+    constructor(keyPair: KeyPair);
+    getPublicKey(): Promise<string>;
+    sign(nonce: string): Promise<string>;
+    /** @internal For exportIdentity only. Admin operation. */
+    exportPrivateKey(): string;
+}
+/** @internal Alias for protocol signPayload. */
+export declare function signPayload(privateKey: string, payload: string): string;
+/** @internal Use signPayload for protocol-level signing. */
+export declare function signChallenge(privateKey: string, nonce: string): string;

package/dist/protocol/crypto.js

@@ -0,0 +1,37 @@
+/**
+ * Claw-biometric Core Crypto. Runtime wrappers over protocol primitives.
+ * LocalSigner, Signer. Re-exports protocol for consumers.
+ */
+import { IdentityError, IdentityErrorCode } from '../errors.js';
+import { signPayload as protocolSignPayload, generateIdentityKeys, derivePublicKey, verifySignature, generateNonce, } from '@the-ai-company/cbio-protocol';
+export { generateIdentityKeys, derivePublicKey, verifySignature, generateNonce };
+export class LocalSigner {
+    #privateKey;
+    #publicKey;
+    constructor(keyPair) {
+        if (!keyPair.publicKey) {
+            throw new IdentityError(IdentityErrorCode.SIGNER_REQUIRES_PUBLIC_KEY, "LocalSigner requires a publicKey. Use derivePublicKey() if you only have a privateKey.");
+        }
+        this.#privateKey = keyPair.privateKey;
+        this.#publicKey = keyPair.publicKey;
+    }
+    async getPublicKey() {
+        return this.#publicKey;
+    }
+    async sign(nonce) {
+        return protocolSignPayload(this.#privateKey, nonce);
+    }
+    /** @internal For exportIdentity only. Admin operation. */
+    exportPrivateKey() {
+        return this.#privateKey;
+    }
+}
+/** @internal Alias for protocol signPayload. */
+export function signPayload(privateKey, payload) {
+    return protocolSignPayload(privateKey, payload);
+}
+/** @internal Use signPayload for protocol-level signing. */
+export function signChallenge(privateKey, nonce) {
+    return protocolSignPayload(privateKey, nonce);
+}
+//# sourceMappingURL=crypto.js.map

package/dist/protocol/crypto.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.js","sourceRoot":"","sources":["../../src/protocol/crypto.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,aAAa,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AAChE,OAAO,EACH,WAAW,IAAI,mBAAmB,EAClC,oBAAoB,EACpB,eAAe,EACf,eAAe,EACf,aAAa,GAEhB,MAAM,+BAA+B,CAAC;AAGvC,OAAO,EAAE,oBAAoB,EAAE,eAAe,EAAE,eAAe,EAAE,aAAa,EAAE,CAAC;AAOjF,MAAM,OAAO,WAAW;IACpB,WAAW,CAAS;IACpB,UAAU,CAAS;IAEnB,YAAY,OAAgB;QACxB,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,CAAC;YACrB,MAAM,IAAI,aAAa,CAAC,iBAAiB,CAAC,0BAA0B,EAAE,wFAAwF,CAAC,CAAC;QACpK,CAAC;QACD,IAAI,CAAC,WAAW,GAAG,OAAO,CAAC,UAAU,CAAC;QACtC,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,SAAS,CAAC;IACxC,CAAC;IAED,KAAK,CAAC,YAAY;QACd,OAAO,IAAI,CAAC,UAAU,CAAC;IAC3B,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,KAAa;QACpB,OAAO,mBAAmB,CAAC,IAAI,CAAC,WAAW,EAAE,KAAK,CAAC,CAAC;IACxD,CAAC;IAED,0DAA0D;IAC1D,gBAAgB;QACZ,OAAO,IAAI,CAAC,WAAW,CAAC;IAC5B,CAAC;CACJ;AAED,gDAAgD;AAChD,MAAM,UAAU,WAAW,CAAC,UAAkB,EAAE,OAAe;IAC3D,OAAO,mBAAmB,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;AACpD,CAAC;AAED,4DAA4D;AAC5D,MAAM,UAAU,aAAa,CAAC,UAAkB,EAAE,KAAa;IAC3D,OAAO,mBAAmB,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC;AAClD,CAAC"}

package/dist/protocol/identity.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Claw-biometric Core Identity. Runtime utilities over protocol primitives.
+ * getVaultPath (runtime). Re-exports protocol for consumers.
+ */
+import { deriveRootAgentId } from '@the-ai-company/cbio-protocol';
+import { getChildIdentitySecretName, CHILD_KEY_PREFIX } from './childSecretNaming.js';
+export { deriveRootAgentId, getChildIdentitySecretName, CHILD_KEY_PREFIX };
+export declare function getVaultPath(publicKey: string): string;

package/dist/protocol/identity.js

@@ -0,0 +1,16 @@
+/**
+ * Claw-biometric Core Identity. Runtime utilities over protocol primitives.
+ * getVaultPath (runtime). Re-exports protocol for consumers.
+ */
+import * as os from 'node:os';
+import * as path from 'node:path';
+import * as crypto from 'node:crypto';
+import { deriveRootAgentId } from '@the-ai-company/cbio-protocol';
+import { getChildIdentitySecretName, CHILD_KEY_PREFIX } from './childSecretNaming.js';
+export { deriveRootAgentId, getChildIdentitySecretName, CHILD_KEY_PREFIX };
+export function getVaultPath(publicKey) {
+    const hash = crypto.createHash('sha256').update(publicKey).digest('hex').substring(0, 12);
+    const baseDir = process.env.C_BIO_VAULT_DIR || path.join(os.homedir(), '.c-bio');
+    return path.join(baseDir, `vault_${hash}.enc`);
+}
+//# sourceMappingURL=identity.js.map

package/dist/protocol/identity.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"identity.js","sourceRoot":"","sources":["../../src/protocol/identity.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,KAAK,MAAM,MAAM,aAAa,CAAC;AACtC,OAAO,EAAE,iBAAiB,EAAE,MAAM,+BAA+B,CAAC;AAClE,OAAO,EAAE,0BAA0B,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAEtF,OAAO,EAAE,iBAAiB,EAAE,0BAA0B,EAAE,gBAAgB,EAAE,CAAC;AAE3E,MAAM,UAAU,YAAY,CAAC,SAAiB;IAC1C,MAAM,IAAI,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAC1F,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,eAAe,IAAI,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,QAAQ,CAAC,CAAC;IACjF,OAAO,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,SAAS,IAAI,MAAM,CAAC,CAAC;AACnD,CAAC"}

package/dist/runtime/index.d.ts

@@ -0,0 +1,14 @@
+/**
+ * Runtime export. For agent developers.
+ * Owner, Agent, storage, errors. Consumer surface only.
+ */
+export { CbioIdentity, CbioAgent } from "../agent/agent.js";
+export type { ActivityLogConfig, GetAgentOptions, IssuedCapabilityName, ManagedAgentHandleConfig, ManagedAgentCapabilityInfo, ManagedAgentCapabilityStatus, ManagedAgentContext, ManagedAgentIssueConfig, ManagedAgentIssueOptions, ManagedAgentLoadOptions, ManagedAgentStorageConfig, RegisterChildIdentityOptions, RegisterChildIdentityResult, IdentityLoadKeys, IdentityLoadOptions, RuntimePermissionName, RuntimePermissions, } from "../agent/agent.js";
+export type { MergeResult } from "../vault/vault.js";
+export type { FetchFailure, FetchJsonAndAddSecretOptions, FetchJsonAndUpdateSecretOptions, FetchResult, FetchSuccess, } from "../http/secretAcquisition.js";
+export { generateIdentityKeys } from "../protocol/crypto.js";
+export { IdentityError, IdentityErrorCode } from "../errors.js";
+export type { IStorageProvider } from "../storage/provider.js";
+export { FsStorageProvider } from "../storage/fs.js";
+export { MemoryStorageProvider } from "../storage/memory.js";
+export { startLocalAuthProxy, type FetchWithAuthLike, type LocalAuthProxyOptions, type LocalAuthProxyHandle, } from "../http/localAuthProxy.js";

package/dist/runtime/index.js

@@ -0,0 +1,11 @@
+/**
+ * Runtime export. For agent developers.
+ * Owner, Agent, storage, errors. Consumer surface only.
+ */
+export { CbioIdentity, CbioAgent } from "../agent/agent.js";
+export { generateIdentityKeys } from "../protocol/crypto.js";
+export { IdentityError, IdentityErrorCode } from "../errors.js";
+export { FsStorageProvider } from "../storage/fs.js";
+export { MemoryStorageProvider } from "../storage/memory.js";
+export { startLocalAuthProxy, } from "../http/localAuthProxy.js";
+//# sourceMappingURL=index.js.map

package/dist/runtime/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/runtime/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,YAAY,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AA4B5D,OAAO,EAAE,oBAAoB,EAAE,MAAM,uBAAuB,CAAC;AAC7D,OAAO,EAAE,aAAa,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AAEhE,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AACrD,OAAO,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AAC7D,OAAO,EACL,mBAAmB,GAIpB,MAAM,2BAA2B,CAAC"}

package/dist/sealed/index.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Sealed blob export. Seal/unseal primitives and sealed blob format helpers.
+ * Do not depend on CbioAgent.
+ */
+export { sealBlob, unsealBlob, SEALED_BLOB_VERSION } from './seal.js';
+export type { SealedBlobPayload } from './seal.js';

package/dist/sealed/index.js

@@ -0,0 +1,6 @@
+/**
+ * Sealed blob export. Seal/unseal primitives and sealed blob format helpers.
+ * Do not depend on CbioAgent.
+ */
+export { sealBlob, unsealBlob, SEALED_BLOB_VERSION } from './seal.js';
+//# sourceMappingURL=index.js.map

package/dist/sealed/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/sealed/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,mBAAmB,EAAE,MAAM,WAAW,CAAC"}

package/dist/sealed/seal.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Sealed blob primitives. Single source of truth for sealed blob format.
+ * Used by vault and by Cloud for custody transfer. Do not depend on runtime.
+ */
+export declare const SEALED_BLOB_VERSION: "v1.0";
+export interface SealedBlobPayload {
+    version: string;
+    secrets: Record<string, string>;
+    secretMetadata: Record<string, unknown>;
+}
+/**
+ * Seal secrets with external key (AES-256-GCM). For custody transfer.
+ * kdk: 32 bytes, base64url-encoded.
+ */
+export declare function sealBlob(payload: SealedBlobPayload, kdk: string): string;
+/**
+ * Unseal blob encrypted with kdk. Returns payload for custody import.
+ */
+export declare function unsealBlob(sealedBlob: string, kdk: string): SealedBlobPayload;

package/dist/sealed/seal.js

@@ -0,0 +1,56 @@
+/**
+ * Sealed blob primitives. Single source of truth for sealed blob format.
+ * Used by vault and by Cloud for custody transfer. Do not depend on runtime.
+ */
+import { Buffer } from 'node:buffer';
+import * as crypto from 'node:crypto';
+import { IdentityError, IdentityErrorCode } from '../errors.js';
+export const SEALED_BLOB_VERSION = 'v1.0';
+/**
+ * Seal secrets with external key (AES-256-GCM). For custody transfer.
+ * kdk: 32 bytes, base64url-encoded.
+ */
+export function sealBlob(payload, kdk) {
+    const key = Buffer.from(kdk, 'base64url');
+    if (key.length !== 32) {
+        throw new IdentityError(IdentityErrorCode.INVALID_KDK, 'seal: kdk must be 32 bytes (base64url decoded)');
+    }
+    const plainText = JSON.stringify(payload);
+    const iv = crypto.randomBytes(12);
+    const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
+    const encrypted = Buffer.concat([cipher.update(plainText, 'utf8'), cipher.final()]);
+    const tag = cipher.getAuthTag();
+    return Buffer.concat([iv, tag, encrypted]).toString('base64url');
+}
+/**
+ * Unseal blob encrypted with kdk. Returns payload for custody import.
+ */
+export function unsealBlob(sealedBlob, kdk) {
+    const key = Buffer.from(kdk, 'base64url');
+    if (key.length !== 32) {
+        throw new IdentityError(IdentityErrorCode.INVALID_KDK, 'unseal: kdk must be 32 bytes (base64url decoded)');
+    }
+    const bundle = Buffer.from(sealedBlob, 'base64url');
+    const iv = bundle.subarray(0, 12);
+    const tag = bundle.subarray(12, 28);
+    const encrypted = bundle.subarray(28);
+    const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
+    decipher.setAuthTag(tag);
+    const plainText = decipher.update(encrypted, undefined, 'utf8') + decipher.final('utf8');
+    const data = JSON.parse(plainText);
+    if (data.version === undefined || data.version === null) {
+        throw new IdentityError(IdentityErrorCode.INVALID_KDK, 'Sealed blob missing version. Legacy format is no longer supported.');
+    }
+    if (typeof data.secrets !== 'object' || data.secrets === null) {
+        throw new IdentityError(IdentityErrorCode.INVALID_KDK, 'Sealed blob must have a secrets object. Legacy format is no longer supported.');
+    }
+    if (typeof data.secretMetadata !== 'object' || data.secretMetadata === null) {
+        throw new IdentityError(IdentityErrorCode.INVALID_KDK, 'Sealed blob must have a secretMetadata object. Legacy format is no longer supported.');
+    }
+    return {
+        version: data.version,
+        secrets: data.secrets,
+        secretMetadata: data.secretMetadata,
+    };
+}
+//# sourceMappingURL=seal.js.map

package/dist/sealed/seal.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"seal.js","sourceRoot":"","sources":["../../src/sealed/seal.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AACrC,OAAO,KAAK,MAAM,MAAM,aAAa,CAAC;AACtC,OAAO,EAAE,aAAa,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AAEhE,MAAM,CAAC,MAAM,mBAAmB,GAAG,MAAe,CAAC;AAQnD;;;GAGG;AACH,MAAM,UAAU,QAAQ,CAAC,OAA0B,EAAE,GAAW;IAC5D,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,WAAW,CAAC,CAAC;IAC1C,IAAI,GAAG,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACpB,MAAM,IAAI,aAAa,CAAC,iBAAiB,CAAC,WAAW,EAAE,gDAAgD,CAAC,CAAC;IAC7G,CAAC;IACD,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;IAC1C,MAAM,EAAE,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;IAClC,MAAM,MAAM,GAAG,MAAM,CAAC,cAAc,CAAC,aAAa,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IAC7D,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IACpF,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;IAChC,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,EAAE,EAAE,GAAG,EAAE,SAAS,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AACrE,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,UAAU,CAAC,UAAkB,EAAE,GAAW;IACtD,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,WAAW,CAAC,CAAC;IAC1C,IAAI,GAAG,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACpB,MAAM,IAAI,aAAa,CAAC,iBAAiB,CAAC,WAAW,EAAE,kDAAkD,CAAC,CAAC;IAC/G,CAAC;IACD,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC;IACpD,MAAM,EAAE,GAAG,MAAM,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAClC,MAAM,GAAG,GAAG,MAAM,CAAC,QAAQ,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;IACpC,MAAM,SAAS,GAAG,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;IACtC,MAAM,QAAQ,GAAG,MAAM,CAAC,gBAAgB,CAAC,aAAa,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IACjE,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;IACzB,MAAM,SAAS,GAAG,QAAQ,CAAC,MAAM,CAAC,SAAgB,EAAE,SAAS,EAAE,MAAM,CAAC,GAAG,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IAChG,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;IACnC,IAAI,IAAI,CAAC,OAAO,KAAK,SAAS,IAAI,IAAI,CAAC,OAAO,KAAK,IAAI,EAAE,CAAC;QACtD,MAAM,IAAI,aAAa,CAAC,iBAAiB,CAAC,WAAW,EAAE,oEAAoE,CAAC,CAAC;IACjI,CAAC;IACD,IAAI,OAAO,IAAI,CAAC,OAAO,KAAK,QAAQ,IAAI,IAAI,CAAC,OAAO,KAAK,IAAI,EAAE,CAAC;QAC5D,MAAM,IAAI,aAAa,CAAC,iBAAiB,CAAC,WAAW,EAAE,+EAA+E,CAAC,CAAC;IAC5I,CAAC;IACD,IAAI,OAAO,IAAI,CAAC,cAAc,KAAK,QAAQ,IAAI,IAAI,CAAC,cAAc,KAAK,IAAI,EAAE,CAAC;QAC1E,MAAM,IAAI,aAAa,CAAC,iBAAiB,CAAC,WAAW,EAAE,sFAAsF,CAAC,CAAC;IACnJ,CAAC;IACD,OAAO;QACH,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,cAAc,EAAE,IAAI,CAAC,cAAc;KACtC,CAAC;AACN,CAAC"}

package/dist/storage/fs.d.ts

@@ -0,0 +1,16 @@
+/**
+ * Default file-system storage provider. Uses node:fs with atomic write.
+ */
+import type { IStorageProvider } from './provider.js';
+export declare class FsStorageProvider implements IStorageProvider {
+    private baseDir?;
+    constructor(baseDir?: string | undefined);
+    private static readonly DIRECTORY_MODE;
+    private static readonly FILE_MODE;
+    private resolve;
+    read(key: string): Promise<Buffer | null>;
+    write(key: string, data: Buffer): Promise<void>;
+    delete(key: string): Promise<void>;
+    has(key: string): Promise<boolean>;
+    rename(fromKey: string, toKey: string): Promise<void>;
+}

package/dist/storage/fs.js

@@ -0,0 +1,68 @@
+/**
+ * Default file-system storage provider. Uses node:fs with atomic write.
+ */
+import * as fs from 'node:fs/promises';
+import * as path from 'node:path';
+export class FsStorageProvider {
+    baseDir;
+    constructor(baseDir) {
+        this.baseDir = baseDir;
+    }
+    static DIRECTORY_MODE = 0o700;
+    static FILE_MODE = 0o600;
+    resolve(key) {
+        if (this.baseDir) {
+            return path.join(this.baseDir, key);
+        }
+        const dir = path.dirname(key);
+        if (dir && dir !== '.') {
+            return key;
+        }
+        return key;
+    }
+    async read(key) {
+        try {
+            return await fs.readFile(this.resolve(key));
+        }
+        catch (e) {
+            if (e.code === 'ENOENT')
+                return null;
+            throw e;
+        }
+    }
+    async write(key, data) {
+        const fullPath = this.resolve(key);
+        await fs.mkdir(path.dirname(fullPath), { recursive: true, mode: FsStorageProvider.DIRECTORY_MODE });
+        await fs.writeFile(fullPath, data, { mode: FsStorageProvider.FILE_MODE });
+        await fs.chmod(fullPath, FsStorageProvider.FILE_MODE);
+        const fh = await fs.open(fullPath, 'r+');
+        try {
+            await fh.sync();
+        }
+        finally {
+            await fh.close();
+        }
+    }
+    async delete(key) {
+        try {
+            await fs.unlink(this.resolve(key));
+        }
+        catch (e) {
+            if (e.code !== 'ENOENT')
+                throw e;
+        }
+    }
+    async has(key) {
+        try {
+            await fs.access(this.resolve(key));
+            return true;
+        }
+        catch {
+            return false;
+        }
+    }
+    async rename(fromKey, toKey) {
+        await fs.rename(this.resolve(fromKey), this.resolve(toKey));
+    }
+}
+//# sourceMappingURL=fs.js.map

package/dist/storage/fs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"fs.js","sourceRoot":"","sources":["../../src/storage/fs.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,MAAM,kBAAkB,CAAC;AACvC,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAGlC,MAAM,OAAO,iBAAiB;IACN;IAApB,YAAoB,OAAgB;QAAhB,YAAO,GAAP,OAAO,CAAS;IAAG,CAAC;IAEhC,MAAM,CAAU,cAAc,GAAG,KAAK,CAAC;IACvC,MAAM,CAAU,SAAS,GAAG,KAAK,CAAC;IAElC,OAAO,CAAC,GAAW;QACvB,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YACf,OAAO,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;QACxC,CAAC;QACD,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QAC9B,IAAI,GAAG,IAAI,GAAG,KAAK,GAAG,EAAE,CAAC;YACrB,OAAO,GAAG,CAAC;QACf,CAAC;QACD,OAAO,GAAG,CAAC;IACf,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,GAAW;QAClB,IAAI,CAAC;YACD,OAAO,MAAM,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC;QAChD,CAAC;QAAC,OAAO,CAAM,EAAE,CAAC;YACd,IAAI,CAAC,CAAC,IAAI,KAAK,QAAQ;gBAAE,OAAO,IAAI,CAAC;YACrC,MAAM,CAAC,CAAC;QACZ,CAAC;IACL,CAAC;IAED,KAAK,CAAC,KAAK,CAAC,GAAW,EAAE,IAAY;QACjC,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACnC,MAAM,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,iBAAiB,CAAC,cAAc,EAAE,CAAC,CAAC;QACpG,MAAM,EAAE,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,EAAE,IAAI,EAAE,iBAAiB,CAAC,SAAS,EAAE,CAAC,CAAC;QAC1E,MAAM,EAAE,CAAC,KAAK,CAAC,QAAQ,EAAE,iBAAiB,CAAC,SAAS,CAAC,CAAC;QACtD,MAAM,EAAE,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;QACzC,IAAI,CAAC;YACD,MAAM,EAAE,CAAC,IAAI,EAAE,CAAC;QACpB,CAAC;gBAAS,CAAC;YACP,MAAM,EAAE,CAAC,KAAK,EAAE,CAAC;QACrB,CAAC;IACL,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,GAAW;QACpB,IAAI,CAAC;YACD,MAAM,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC;QACvC,CAAC;QAAC,OAAO,CAAM,EAAE,CAAC;YACd,IAAI,CAAC,CAAC,IAAI,KAAK,QAAQ;gBAAE,MAAM,CAAC,CAAC;QACrC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,GAAW;QACjB,IAAI,CAAC;YACD,MAAM,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC;YACnC,OAAO,IAAI,CAAC;QAChB,CAAC;QAAC,MAAM,CAAC;YACL,OAAO,KAAK,CAAC;QACjB,CAAC;IACL,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,OAAe,EAAE,KAAa;QACvC,MAAM,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC;IAChE,CAAC"}

package/dist/storage/memory.d.ts

@@ -0,0 +1,11 @@
+/**
+ * In-memory storage provider. For testing and environments without persistent storage.
+ */
+import type { IStorageProvider } from './provider.js';
+export declare class MemoryStorageProvider implements IStorageProvider {
+    #private;
+    read(key: string): Promise<Buffer | null>;
+    write(key: string, data: Buffer): Promise<void>;
+    delete(key: string): Promise<void>;
+    has(key: string): Promise<boolean>;
+}

package/dist/storage/memory.js

@@ -0,0 +1,19 @@
+/**
+ * In-memory storage provider. For testing and environments without persistent storage.
+ */
+export class MemoryStorageProvider {
+    #store = new Map();
+    async read(key) {
+        return this.#store.get(key) ?? null;
+    }
+    async write(key, data) {
+        this.#store.set(key, data);
+    }
+    async delete(key) {
+        this.#store.delete(key);
+    }
+    async has(key) {
+        return this.#store.has(key);
+    }
+}
+//# sourceMappingURL=memory.js.map

package/dist/storage/memory.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"memory.js","sourceRoot":"","sources":["../../src/storage/memory.ts"],"names":[],"mappings":"AAAA;;GAEG;AAIH,MAAM,OAAO,qBAAqB;IAC9B,MAAM,GAAG,IAAI,GAAG,EAAkB,CAAC;IAEnC,KAAK,CAAC,IAAI,CAAC,GAAW;QAClB,OAAO,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC;IACxC,CAAC;IAED,KAAK,CAAC,KAAK,CAAC,GAAW,EAAE,IAAY;QACjC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;IAC/B,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,GAAW;QACpB,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IAC5B,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,GAAW;QACjB,OAAO,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAChC,CAAC;CACJ"}

package/dist/storage/provider.d.ts

@@ -0,0 +1,12 @@
+/**
+ * Pluggable storage layer for vault persistence.
+ * Enables Cloud, Mobile, and Edge runtimes to use custom storage.
+ */
+export interface IStorageProvider {
+    read(key: string): Promise<Buffer | null>;
+    write(key: string, data: Buffer): Promise<void>;
+    delete(key: string): Promise<void>;
+    has(key: string): Promise<boolean>;
+    /** Optional. If present, used for atomic save. Otherwise vault does write+delete. */
+    rename?(fromKey: string, toKey: string): Promise<void>;
+}

package/dist/storage/provider.js

@@ -0,0 +1,6 @@
+/**
+ * Pluggable storage layer for vault persistence.
+ * Enables Cloud, Mobile, and Edge runtimes to use custom storage.
+ */
+export {};
+//# sourceMappingURL=provider.js.map

package/dist/storage/provider.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"provider.js","sourceRoot":"","sources":["../../src/storage/provider.ts"],"names":[],"mappings":"AAAA;;;GAGG"}

package/dist/vault/secretPolicy.d.ts

@@ -0,0 +1,3 @@
+export declare function isLoopbackHost(hostname: string): boolean;
+export declare function isAllowedSecretUrl(url: URL): boolean;
+export declare function normalizeSecretPolicyOrigin(origin: string): string;

package/dist/vault/secretPolicy.js

@@ -0,0 +1,14 @@
+export function isLoopbackHost(hostname) {
+    return hostname === 'localhost' || hostname === '127.0.0.1' || hostname === '::1';
+}
+export function isAllowedSecretUrl(url) {
+    return url.protocol === 'https:' || (url.protocol === 'http:' && isLoopbackHost(url.hostname));
+}
+export function normalizeSecretPolicyOrigin(origin) {
+    const url = new URL(origin);
+    if (!isAllowedSecretUrl(url)) {
+        throw new Error(`Secret policy requires HTTPS origin or loopback HTTP for local development. Received: ${origin}`);
+    }
+    return url.origin;
+}
+//# sourceMappingURL=secretPolicy.js.map

package/dist/vault/secretPolicy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secretPolicy.js","sourceRoot":"","sources":["../../src/vault/secretPolicy.ts"],"names":[],"mappings":"AAAA,MAAM,UAAU,cAAc,CAAC,QAAgB;IAC3C,OAAO,QAAQ,KAAK,WAAW,IAAI,QAAQ,KAAK,WAAW,IAAI,QAAQ,KAAK,KAAK,CAAC;AACtF,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,GAAQ;IACvC,OAAO,GAAG,CAAC,QAAQ,KAAK,QAAQ,IAAI,CAAC,GAAG,CAAC,QAAQ,KAAK,OAAO,IAAI,cAAc,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC;AACnG,CAAC;AAED,MAAM,UAAU,2BAA2B,CAAC,MAAc;IACtD,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC;IAC5B,IAAI,CAAC,kBAAkB,CAAC,GAAG,CAAC,EAAE,CAAC;QAC3B,MAAM,IAAI,KAAK,CAAC,yFAAyF,MAAM,EAAE,CAAC,CAAC;IACvH,CAAC;IACD,OAAO,GAAG,CAAC,MAAM,CAAC;AACtB,CAAC"}