@the-ai-company/cbio-node-runtime 0.39.0 → 1.0.0

package/dist/http/localSecretIngress.js

@@ -1,162 +0,0 @@
-import * as crypto from "node:crypto";
-import * as http from "node:http";
-function normalizeIngressPath(input) {
-    if (!input)
-        return `/cbio/ingest/${crypto.randomBytes(12).toString("hex")}`;
-    return input.startsWith("/") ? input : `/${input}`;
-}
-function isAuthorized(req, authToken) {
-    const header = req.headers.authorization;
-    if (typeof header === "string" && header === `Bearer ${authToken}`) {
-        return true;
-    }
-    const fallback = req.headers["x-cbio-ingest-token"];
-    return typeof fallback === "string" && fallback === authToken;
-}
-async function readRequestBody(req, maxBodyBytes) {
-    const chunks = [];
-    let total = 0;
-    for await (const chunk of req) {
-        const next = typeof chunk === "string" ? Buffer.from(chunk) : chunk;
-        total += next.length;
-        if (total > maxBodyBytes) {
-            throw new Error("CBIO_LOCAL_SECRET_TOO_LARGE");
-        }
-        chunks.push(next);
-    }
-    return Buffer.concat(chunks);
-}
-function extractSecret(body, contentType) {
-    const normalizedType = (contentType ?? "").split(";")[0].trim().toLowerCase();
-    if (normalizedType === "application/json") {
-        const parsed = JSON.parse(body.toString("utf8"));
-        const candidate = parsed.secret ?? parsed.value ?? parsed.token;
-        if (typeof candidate !== "string" || candidate.length === 0) {
-            throw new Error("CBIO_LOCAL_SECRET_MISSING");
-        }
-        return candidate;
-    }
-    const value = body.toString("utf8");
-    if (!value) {
-        throw new Error("CBIO_LOCAL_SECRET_MISSING");
-    }
-    return value;
-}
-export async function startLocalSecretIngress(options) {
-    const { vault, secretName, allowedOrigins, overwrite = false, host = "127.0.0.1", port = 0, path, authToken = crypto.randomBytes(24).toString("base64url"), once = true, maxBodyBytes = 64 * 1024, } = options;
-    const ingressPath = normalizeIngressPath(path);
-    let settled = false;
-    let completionResult = null;
-    let completionError = null;
-    const waiters = [];
-    const server = http.createServer(async (req, res) => {
-        try {
-            if ((req.socket.remoteAddress ?? "") !== host) {
-                res.statusCode = 403;
-                res.end(JSON.stringify({ error: "CBIO_LOCAL_SECRET_REMOTE_DENIED" }));
-                return;
-            }
-            if ((req.method ?? "GET").toUpperCase() !== "POST" || (req.url ?? "/") !== ingressPath) {
-                res.statusCode = 404;
-                res.end(JSON.stringify({ error: "CBIO_LOCAL_SECRET_NOT_FOUND" }));
-                return;
-            }
-            if (!isAuthorized(req, authToken)) {
-                res.statusCode = 401;
-                res.end(JSON.stringify({ error: "CBIO_LOCAL_SECRET_UNAUTHORIZED" }));
-                return;
-            }
-            if (settled && once) {
-                res.statusCode = 409;
-                res.end(JSON.stringify({ error: "CBIO_LOCAL_SECRET_ALREADY_CONSUMED" }));
-                return;
-            }
-            const body = await readRequestBody(req, maxBodyBytes);
-            const secretValue = extractSecret(body, req.headers["content-type"]);
-            if (vault.hasSecret(secretName)) {
-                if (!overwrite || !vault.updateSecret) {
-                    res.statusCode = 409;
-                    res.end(JSON.stringify({ error: "CBIO_LOCAL_SECRET_ALREADY_EXISTS" }));
-                    return;
-                }
-                await vault.updateSecret(secretName, secretValue);
-            }
-            else {
-                await vault.addSecret(secretName, secretValue, { allowedOrigins });
-            }
-            settled = true;
-            completionResult = { secretName };
-            for (const waiter of waiters.splice(0)) {
-                waiter.resolve(completionResult);
-            }
-            res.statusCode = 201;
-            res.setHeader("Content-Type", "application/json");
-            res.end(JSON.stringify({ ok: true, secretName }));
-            if (once) {
-                setImmediate(() => {
-                    server.close();
-                });
-            }
-        }
-        catch (error) {
-            if (!settled && completionError == null) {
-                completionError = error;
-                for (const waiter of waiters.splice(0)) {
-                    waiter.reject(error);
-                }
-            }
-            const code = error instanceof Error ? error.message : "CBIO_LOCAL_SECRET_INGEST_FAILED";
-            res.statusCode = code === "CBIO_LOCAL_SECRET_TOO_LARGE" ? 413 : 400;
-            res.setHeader("Content-Type", "application/json");
-            res.end(JSON.stringify({ error: code }));
-        }
-    });
-    server.on("close", () => {
-        if (!settled && completionError == null) {
-            completionError = new Error("CBIO_LOCAL_SECRET_INGRESS_CLOSED");
-            for (const waiter of waiters.splice(0)) {
-                waiter.reject(completionError);
-            }
-        }
-    });
-    await new Promise((resolve, reject) => {
-        server.once("error", reject);
-        server.listen(port, host, () => {
-            server.off("error", reject);
-            resolve();
-        });
-    });
-    const address = server.address();
-    if (!address || typeof address === "string") {
-        throw new Error("Failed to determine local secret ingress address.");
-    }
-    const resolvedAddress = address;
-    const baseUrl = `http://${host}:${resolvedAddress.port}`;
-    const url = `${baseUrl}${ingressPath}`;
-    return {
-        secretName,
-        host,
-        port: resolvedAddress.port,
-        path: ingressPath,
-        baseUrl,
-        url,
-        authToken,
-        close() {
-            return new Promise((resolve, reject) => {
-                server.close((err) => (err ? reject(err) : resolve()));
-            });
-        },
-        waitForSecret() {
-            if (completionResult) {
-                return Promise.resolve(completionResult);
-            }
-            if (completionError != null) {
-                return Promise.reject(completionError);
-            }
-            return new Promise((resolve, reject) => {
-                waiters.push({ resolve, reject });
-            });
-        },
-    };
-}
-//# sourceMappingURL=localSecretIngress.js.map

package/dist/http/localSecretIngress.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"localSecretIngress.js","sourceRoot":"","sources":["../../src/http/localSecretIngress.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,MAAM,aAAa,CAAC;AACtC,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAuClC,SAAS,oBAAoB,CAAC,KAAc;IAC1C,IAAI,CAAC,KAAK;QAAE,OAAO,gBAAgB,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;IAC5E,OAAO,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,EAAE,CAAC;AACrD,CAAC;AAED,SAAS,YAAY,CAAC,GAAyB,EAAE,SAAiB;IAChE,MAAM,MAAM,GAAG,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC;IACzC,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,KAAK,UAAU,SAAS,EAAE,EAAE,CAAC;QACnE,OAAO,IAAI,CAAC;IACd,CAAC;IACD,MAAM,QAAQ,GAAG,GAAG,CAAC,OAAO,CAAC,qBAAqB,CAAC,CAAC;IACpD,OAAO,OAAO,QAAQ,KAAK,QAAQ,IAAI,QAAQ,KAAK,SAAS,CAAC;AAChE,CAAC;AAED,KAAK,UAAU,eAAe,CAAC,GAAyB,EAAE,YAAoB;IAC5E,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,IAAI,KAAK,GAAG,CAAC,CAAC;IACd,IAAI,KAAK,EAAE,MAAM,KAAK,IAAI,GAAG,EAAE,CAAC;QAC9B,MAAM,IAAI,GAAG,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC;QACpE,KAAK,IAAI,IAAI,CAAC,MAAM,CAAC;QACrB,IAAI,KAAK,GAAG,YAAY,EAAE,CAAC;YACzB,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,CAAC;QACjD,CAAC;QACD,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACpB,CAAC;IACD,OAAO,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;AAC/B,CAAC;AAED,SAAS,aAAa,CAAC,IAAY,EAAE,WAA+B;IAClE,MAAM,cAAc,GAAG,CAAC,WAAW,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAC9E,IAAI,cAAc,KAAK,kBAAkB,EAAE,CAAC;QAC1C,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,CAA2D,CAAC;QAC3G,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,IAAI,MAAM,CAAC,KAAK,IAAI,MAAM,CAAC,KAAK,CAAC;QAChE,IAAI,OAAO,SAAS,KAAK,QAAQ,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC5D,MAAM,IAAI,KAAK,CAAC,2BAA2B,CAAC,CAAC;QAC/C,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,MAAM,KAAK,GAAG,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IACpC,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,IAAI,KAAK,CAAC,2BAA2B,CAAC,CAAC;IAC/C,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAAC,OAAkC;IAC9E,MAAM,EACJ,KAAK,EACL,UAAU,EACV,cAAc,EACd,SAAS,GAAG,KAAK,EACjB,IAAI,GAAG,WAAW,EAClB,IAAI,GAAG,CAAC,EACR,IAAI,EACJ,SAAS,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,EACxD,IAAI,GAAG,IAAI,EACX,YAAY,GAAG,EAAE,GAAG,IAAI,GACzB,GAAG,OAAO,CAAC;IACZ,MAAM,WAAW,GAAG,oBAAoB,CAAC,IAAI,CAAC,CAAC;IAE/C,IAAI,OAAO,GAAG,KAAK,CAAC;IACpB,IAAI,gBAAgB,GAAoC,IAAI,CAAC;IAC7D,IAAI,eAAe,GAAY,IAAI,CAAC;IACpC,MAAM,OAAO,GAAqG,EAAE,CAAC;IAErH,MAAM,MAAM,GAAG,IAAI,CAAC,YAAY,CAAC,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE;QAClD,IAAI,CAAC;YACH,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,aAAa,IAAI,EAAE,CAAC,KAAK,IAAI,EAAE,CAAC;gBAC9C,GAAG,CAAC,UAAU,GAAG,GAAG,CAAC;gBACrB,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,iCAAiC,EAAE,CAAC,CAAC,CAAC;gBACtE,OAAO;YACT,CAAC;YAED,IAAI,CAAC,GAAG,CAAC,MAAM,IAAI,KAAK,CAAC,CAAC,WAAW,EAAE,KAAK,MAAM,IAAI,CAAC,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,KAAK,WAAW,EAAE,CAAC;gBACvF,GAAG,CAAC,UAAU,GAAG,GAAG,CAAC;gBACrB,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,6BAA6B,EAAE,CAAC,CAAC,CAAC;gBAClE,OAAO;YACT,CAAC;YAED,IAAI,CAAC,YAAY,CAAC,GAAG,EAAE,SAAS,CAAC,EAAE,CAAC;gBAClC,GAAG,CAAC,UAAU,GAAG,GAAG,CAAC;gBACrB,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,gCAAgC,EAAE,CAAC,CAAC,CAAC;gBACrE,OAAO;YACT,CAAC;YAED,IAAI,OAAO,IAAI,IAAI,EAAE,CAAC;gBACpB,GAAG,CAAC,UAAU,GAAG,GAAG,CAAC;gBACrB,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,oCAAoC,EAAE,CAAC,CAAC,CAAC;gBACzE,OAAO;YACT,CAAC;YAED,MAAM,IAAI,GAAG,MAAM,eAAe,CAAC,GAAG,EAAE,YAAY,CAAC,CAAC;YACtD,MAAM,WAAW,GAAG,aAAa,CAAC,IAAI,EAAE,GAAG,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC,CAAC;YAErE,IAAI,KAAK,CAAC,SAAS,CAAC,UAAU,CAAC,EAAE,CAAC;gBAChC,IAAI,CAAC,SAAS,IAAI,CAAC,KAAK,CAAC,YAAY,EAAE,CAAC;oBACtC,GAAG,CAAC,UAAU,GAAG,GAAG,CAAC;oBACrB,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,kCAAkC,EAAE,CAAC,CAAC,CAAC;oBACvE,OAAO;gBACT,CAAC;gBACD,MAAM,KAAK,CAAC,YAAY,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC;YACpD,CAAC;iBAAM,CAAC;gBACN,MAAM,KAAK,CAAC,SAAS,CAAC,UAAU,EAAE,WAAW,EAAE,EAAE,cAAc,EAAE,CAAC,CAAC;YACrE,CAAC;YAED,OAAO,GAAG,IAAI,CAAC;YACf,gBAAgB,GAAG,EAAE,UAAU,EAAE,CAAC;YAClC,KAAK,MAAM,MAAM,IAAI,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC;gBACvC,MAAM,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC;YACnC,CAAC;YAED,GAAG,CAAC,UAAU,GAAG,GAAG,CAAC;YACrB,GAAG,CAAC,SAAS,CAAC,cAAc,EAAE,kBAAkB,CAAC,CAAC;YAClD,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC,CAAC,CAAC;YAElD,IAAI,IAAI,EAAE,CAAC;gBACT,YAAY,CAAC,GAAG,EAAE;oBAChB,MAAM,CAAC,KAAK,EAAE,CAAC;gBACjB,CAAC,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,OAAO,IAAI,eAAe,IAAI,IAAI,EAAE,CAAC;gBACxC,eAAe,GAAG,KAAK,CAAC;gBACxB,KAAK,MAAM,MAAM,IAAI,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC;oBACvC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;gBACvB,CAAC;YACH,CAAC;YACD,MAAM,IAAI,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,iCAAiC,CAAC;YACxF,GAAG,CAAC,UAAU,GAAG,IAAI,KAAK,6BAA6B,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;YACpE,GAAG,CAAC,SAAS,CAAC,cAAc,EAAE,kBAAkB,CAAC,CAAC;YAClD,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;QAC3C,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE;QACtB,IAAI,CAAC,OAAO,IAAI,eAAe,IAAI,IAAI,EAAE,CAAC;YACxC,eAAe,GAAG,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;YAChE,KAAK,MAAM,MAAM,IAAI,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC;gBACvC,MAAM,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC;YACjC,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QAC1C,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAC7B,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,EAAE,GAAG,EAAE;YAC7B,MAAM,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;YAC5B,OAAO,EAAE,CAAC;QACZ,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,EAAE,CAAC;IACjC,IAAI,CAAC,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE,CAAC;QAC5C,MAAM,IAAI,KAAK,CAAC,mDAAmD,CAAC,CAAC;IACvE,CAAC;IAED,MAAM,eAAe,GAAG,OAAsB,CAAC;IAC/C,MAAM,OAAO,GAAG,UAAU,IAAI,IAAI,eAAe,CAAC,IAAI,EAAE,CAAC;IACzD,MAAM,GAAG,GAAG,GAAG,OAAO,GAAG,WAAW,EAAE,CAAC;IAEvC,OAAO;QACL,UAAU;QACV,IAAI;QACJ,IAAI,EAAE,eAAe,CAAC,IAAI;QAC1B,IAAI,EAAE,WAAW;QACjB,OAAO;QACP,GAAG;QACH,SAAS;QACT,KAAK;YACH,OAAO,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;gBAC3C,MAAM,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;YACzD,CAAC,CAAC,CAAC;QACL,CAAC;QACD,aAAa;YACX,IAAI,gBAAgB,EAAE,CAAC;gBACrB,OAAO,OAAO,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC;YAC3C,CAAC;YACD,IAAI,eAAe,IAAI,IAAI,EAAE,CAAC;gBAC5B,OAAO,OAAO,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC;YACzC,CAAC;YACD,OAAO,IAAI,OAAO,CAA2B,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;gBAC/D,OAAO,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC,CAAC;YACpC,CAAC,CAAC,CAAC;QACL,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/http/secretAcquisition.d.ts

@@ -1,54 +0,0 @@
-/**
- * SecretAcquisition
- *
- * Fetches secrets from remote JSON endpoints and stores them in vault.
- * Secret never leaves this module; fetch + extract + store is atomic.
- */
-import type { CbioVault } from '../vault/vault.js';
-import type { ActivityLogEntry } from '../audit/ActivityLog.js';
-interface FetchResultBase {
-    /** True when the operation succeeded/failed but activity log write failed. Caller gets FetchResult; audit trail may be incomplete. */
-    activityLogWriteFailed?: boolean;
-}
-export interface FetchSuccess<TData = unknown> extends FetchResultBase {
-    success: true;
-    data: TData;
-    secretName: string;
-}
-export interface FetchFailure extends FetchResultBase {
-    success: false;
-    error: string;
-    code?: string;
-}
-export type FetchResult<TData = unknown> = FetchSuccess<TData> | FetchFailure;
-export interface FetchJsonAndAddSecretOptions<TResponse = unknown, TBody = unknown> {
-    secretName: string;
-    url: string;
-    method?: string;
-    headers?: Record<string, string>;
-    /** JSON-serializable request body. */
-    body?: TBody;
-    /** Extract the secret from a parsed JSON response body. */
-    extractKey: (response: TResponse) => string;
-    allowedOrigins?: string[];
-}
-export interface FetchJsonAndUpdateSecretOptions<TResponse = unknown, TBody = unknown> {
-    secretName: string;
-    url: string;
-    method?: string;
-    headers?: Record<string, string>;
-    /** JSON-serializable request body. */
-    body?: TBody;
-    /** Extract the rotated secret from a parsed JSON response body. */
-    extractKey: (response: TResponse) => string;
-}
-export declare class SecretAcquisition {
-    private readonly _vault;
-    private readonly _appendActivityLog;
-    constructor(_vault: CbioVault, _appendActivityLog: (entry: ActivityLogEntry) => Promise<void>);
-    hasSecret(secretName: string): boolean;
-    listSecretNames(): string[];
-    fetchJsonAndAddSecret<TResponse = unknown, TBody = unknown>(options: FetchJsonAndAddSecretOptions<TResponse, TBody>): Promise<FetchResult<TResponse>>;
-    fetchJsonAndUpdateSecret<TResponse = unknown, TBody = unknown>(options: FetchJsonAndUpdateSecretOptions<TResponse, TBody>): Promise<FetchResult<TResponse>>;
-}
-export {};

package/dist/http/secretAcquisition.js

@@ -1,177 +0,0 @@
-/**
- * SecretAcquisition
- *
- * Fetches secrets from remote JSON endpoints and stores them in vault.
- * Secret never leaves this module; fetch + extract + store is atomic.
- */
-import { IdentityError } from '../errors.js';
-import { isAllowedSecretUrl } from '../vault/secretPolicy.js';
-function sanitize(obj, secret) {
-    if (typeof obj !== 'object' || obj === null)
-        return obj;
-    const newObj = Array.isArray(obj) ? [] : {};
-    for (const [key, value] of Object.entries(obj)) {
-        if (typeof value === 'string' && value === secret) {
-            newObj[key] = '***';
-        }
-        else if (typeof value === 'object') {
-            newObj[key] = sanitize(value, secret);
-        }
-        else {
-            newObj[key] = value;
-        }
-    }
-    return newObj;
-}
-function serializeJsonBody(body) {
-    return body === undefined ? undefined : JSON.stringify(body);
-}
-export class SecretAcquisition {
-    _vault;
-    _appendActivityLog;
-    constructor(_vault, _appendActivityLog) {
-        this._vault = _vault;
-        this._appendActivityLog = _appendActivityLog;
-    }
-    hasSecret(secretName) {
-        return this._vault.hasSecret(secretName);
-    }
-    listSecretNames() {
-        return this._vault.listSecretNames();
-    }
-    async fetchJsonAndAddSecret(options) {
-        const { url, method = 'POST', secretName } = options;
-        const fail = async (error, code) => {
-            try {
-                await this._appendActivityLog({
-                    ts: Date.now(),
-                    action: 'fetchJsonAndAddSecret',
-                    secretName,
-                    url,
-                    method,
-                    success: false,
-                    error,
-                });
-            }
-            catch {
-                return { success: false, error, code, activityLogWriteFailed: true };
-            }
-            return { success: false, error, code };
-        };
-        try {
-            const { headers = {}, body, extractKey, allowedOrigins } = options;
-            const sourceUrl = new URL(url);
-            if (!isAllowedSecretUrl(sourceUrl)) {
-                return fail(`Secret fetch requires HTTPS or loopback HTTP for local development. Received: ${url}`);
-            }
-            const response = await fetch(url, {
-                method,
-                headers: {
-                    'Content-Type': 'application/json',
-                    ...headers
-                },
-                body: serializeJsonBody(body)
-            });
-            if (!response.ok) {
-                return fail(`HTTP Error: ${response.status}`);
-            }
-            const data = await response.json();
-            const key = extractKey(data);
-            if (!key) {
-                return fail("Failed to extract key from response");
-            }
-            let resolvedSecretName = secretName;
-            let suffix = 0;
-            while (this._vault.hasSecret(resolvedSecretName)) {
-                suffix++;
-                resolvedSecretName = `${secretName}_${suffix}`;
-            }
-            await this._vault.addSecret(resolvedSecretName, key, { allowedOrigins: allowedOrigins ?? [sourceUrl.origin] });
-            try {
-                await this._appendActivityLog({
-                    ts: Date.now(),
-                    action: 'fetchJsonAndAddSecret',
-                    secretName: resolvedSecretName,
-                    url,
-                    method,
-                    success: true,
-                });
-            }
-            catch {
-                const sanitizedData = sanitize(data, key);
-                return { success: true, data: sanitizedData, secretName: resolvedSecretName, activityLogWriteFailed: true };
-            }
-            const sanitizedData = sanitize(data, key);
-            return { success: true, data: sanitizedData, secretName: resolvedSecretName };
-        }
-        catch (e) {
-            const code = IdentityError.isIdentityError(e) ? e.code : undefined;
-            return fail(e.message ?? String(e), code);
-        }
-    }
-    async fetchJsonAndUpdateSecret(options) {
-        const { url, method = 'POST', secretName } = options;
-        const fail = async (error, code) => {
-            try {
-                await this._appendActivityLog({
-                    ts: Date.now(),
-                    action: 'fetchJsonAndUpdateSecret',
-                    secretName,
-                    url,
-                    method,
-                    success: false,
-                    error,
-                });
-            }
-            catch {
-                return { success: false, error, code, activityLogWriteFailed: true };
-            }
-            return { success: false, error, code };
-        };
-        try {
-            const { headers = {}, body, extractKey } = options;
-            const sourceUrl = new URL(url);
-            if (!isAllowedSecretUrl(sourceUrl)) {
-                return fail(`Secret rotation requires HTTPS or loopback HTTP for local development. Received: ${url}`);
-            }
-            const response = await fetch(url, {
-                method,
-                headers: {
-                    'Content-Type': 'application/json',
-                    ...headers
-                },
-                body: serializeJsonBody(body)
-            });
-            if (!response.ok) {
-                return fail(`HTTP Error: ${response.status}`);
-            }
-            const data = await response.json();
-            const key = extractKey(data);
-            if (!key) {
-                return fail("Failed to extract key from response");
-            }
-            await this._vault.rotateSecret(secretName, key, sourceUrl.origin);
-            try {
-                await this._appendActivityLog({
-                    ts: Date.now(),
-                    action: 'fetchJsonAndUpdateSecret',
-                    secretName,
-                    url,
-                    method,
-                    success: true,
-                });
-            }
-            catch {
-                const sanitizedData = sanitize(data, key);
-                return { success: true, data: sanitizedData, secretName, activityLogWriteFailed: true };
-            }
-            const sanitizedData = sanitize(data, key);
-            return { success: true, data: sanitizedData, secretName };
-        }
-        catch (e) {
-            const code = IdentityError.isIdentityError(e) ? e.code : undefined;
-            return fail(e.message ?? String(e), code);
-        }
-    }
-}
-//# sourceMappingURL=secretAcquisition.js.map

package/dist/http/secretAcquisition.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"secretAcquisition.js","sourceRoot":"","sources":["../../src/http/secretAcquisition.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAG7C,OAAO,EAAE,kBAAkB,EAAE,MAAM,0BAA0B,CAAC;AA4C9D,SAAS,QAAQ,CAAC,GAAY,EAAE,MAAc;IAC1C,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,IAAI;QAAE,OAAO,GAAG,CAAC;IACxD,MAAM,MAAM,GAAwC,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;IACjF,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QAC7C,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,MAAM,EAAE,CAAC;YAC/C,MAAkC,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;QACrD,CAAC;aAAM,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAClC,MAAkC,CAAC,GAAG,CAAC,GAAG,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QACvE,CAAC;aAAM,CAAC;YACH,MAAkC,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;QACrD,CAAC;IACL,CAAC;IACD,OAAO,MAAM,CAAC;AAClB,CAAC;AAED,SAAS,iBAAiB,CAAC,IAAa;IACpC,OAAO,IAAI,KAAK,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;AACjE,CAAC;AAED,MAAM,OAAO,iBAAiB;IAEL;IACA;IAFrB,YACqB,MAAiB,EACjB,kBAA8D;QAD9D,WAAM,GAAN,MAAM,CAAW;QACjB,uBAAkB,GAAlB,kBAAkB,CAA4C;IAChF,CAAC;IAEJ,SAAS,CAAC,UAAkB;QACxB,OAAO,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;IAC7C,CAAC;IAED,eAAe;QACX,OAAO,IAAI,CAAC,MAAM,CAAC,eAAe,EAAE,CAAC;IACzC,CAAC;IAED,KAAK,CAAC,qBAAqB,CAAuC,OAAuD;QACrH,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,MAAM,EAAE,UAAU,EAAE,GAAG,OAAO,CAAC;QACrD,MAAM,IAAI,GAAG,KAAK,EAAE,KAAa,EAAE,IAAa,EAAyB,EAAE;YACvE,IAAI,CAAC;gBACD,MAAM,IAAI,CAAC,kBAAkB,CAAC;oBAC1B,EAAE,EAAE,IAAI,CAAC,GAAG,EAAE;oBACd,MAAM,EAAE,uBAAuB;oBAC/B,UAAU;oBACV,GAAG;oBACH,MAAM;oBACN,OAAO,EAAE,KAAK;oBACd,KAAK;iBACR,CAAC,CAAC;YACP,CAAC;YAAC,MAAM,CAAC;gBACL,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,sBAAsB,EAAE,IAAI,EAAE,CAAC;YACzE,CAAC;YACD,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;QAC3C,CAAC,CAAC;QACF,IAAI,CAAC;YACD,MAAM,EAAE,OAAO,GAAG,EAAE,EAAE,IAAI,EAAE,UAAU,EAAE,cAAc,EAAE,GAAG,OAAO,CAAC;YACnE,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;YAC/B,IAAI,CAAC,kBAAkB,CAAC,SAAS,CAAC,EAAE,CAAC;gBACjC,OAAO,IAAI,CAAC,iFAAiF,GAAG,EAAE,CAAC,CAAC;YACxG,CAAC;YAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;gBAC9B,MAAM;gBACN,OAAO,EAAE;oBACL,cAAc,EAAE,kBAAkB;oBAClC,GAAG,OAAO;iBACb;gBACD,IAAI,EAAE,iBAAiB,CAAC,IAAI,CAAC;aAChC,CAAC,CAAC;YAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACf,OAAO,IAAI,CAAC,eAAe,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;YAClD,CAAC;YAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAe,CAAC;YAChD,MAAM,GAAG,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC;YAE7B,IAAI,CAAC,GAAG,EAAE,CAAC;gBACP,OAAO,IAAI,CAAC,qCAAqC,CAAC,CAAC;YACvD,CAAC;YAED,IAAI,kBAAkB,GAAG,UAAU,CAAC;YACpC,IAAI,MAAM,GAAG,CAAC,CAAC;YACf,OAAO,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,kBAAkB,CAAC,EAAE,CAAC;gBAC/C,MAAM,EAAE,CAAC;gBACT,kBAAkB,GAAG,GAAG,UAAU,IAAI,MAAM,EAAE,CAAC;YACnD,CAAC;YACD,MAAM,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,kBAAkB,EAAE,GAAG,EAAE,EAAE,cAAc,EAAE,cAAc,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;YAE/G,IAAI,CAAC;gBACD,MAAM,IAAI,CAAC,kBAAkB,CAAC;oBAC1B,EAAE,EAAE,IAAI,CAAC,GAAG,EAAE;oBACd,MAAM,EAAE,uBAAuB;oBAC/B,UAAU,EAAE,kBAAkB;oBAC9B,GAAG;oBACH,MAAM;oBACN,OAAO,EAAE,IAAI;iBAChB,CAAC,CAAC;YACP,CAAC;YAAC,MAAM,CAAC;gBACL,MAAM,aAAa,GAAG,QAAQ,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;gBAC1C,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,aAA0B,EAAE,UAAU,EAAE,kBAAkB,EAAE,sBAAsB,EAAE,IAAI,EAAE,CAAC;YAC7H,CAAC;YAED,MAAM,aAAa,GAAG,QAAQ,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;YAC1C,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,aAA0B,EAAE,UAAU,EAAE,kBAAkB,EAAE,CAAC;QAC/F,CAAC;QAAC,OAAO,CAAM,EAAE,CAAC;YACd,MAAM,IAAI,GAAG,aAAa,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC;YACnE,OAAO,IAAI,CAAC,CAAC,CAAC,OAAO,IAAI,MAAM,CAAC,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC;QAC9C,CAAC;IACL,CAAC;IAED,KAAK,CAAC,wBAAwB,CAAuC,OAA0D;QAC3H,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,MAAM,EAAE,UAAU,EAAE,GAAG,OAAO,CAAC;QACrD,MAAM,IAAI,GAAG,KAAK,EAAE,KAAa,EAAE,IAAa,EAAyB,EAAE;YACvE,IAAI,CAAC;gBACD,MAAM,IAAI,CAAC,kBAAkB,CAAC;oBAC1B,EAAE,EAAE,IAAI,CAAC,GAAG,EAAE;oBACd,MAAM,EAAE,0BAA0B;oBAClC,UAAU;oBACV,GAAG;oBACH,MAAM;oBACN,OAAO,EAAE,KAAK;oBACd,KAAK;iBACR,CAAC,CAAC;YACP,CAAC;YAAC,MAAM,CAAC;gBACL,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,sBAAsB,EAAE,IAAI,EAAE,CAAC;YACzE,CAAC;YACD,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;QAC3C,CAAC,CAAC;QACF,IAAI,CAAC;YACD,MAAM,EAAE,OAAO,GAAG,EAAE,EAAE,IAAI,EAAE,UAAU,EAAE,GAAG,OAAO,CAAC;YACnD,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;YAC/B,IAAI,CAAC,kBAAkB,CAAC,SAAS,CAAC,EAAE,CAAC;gBACjC,OAAO,IAAI,CAAC,oFAAoF,GAAG,EAAE,CAAC,CAAC;YAC3G,CAAC;YAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;gBAC9B,MAAM;gBACN,OAAO,EAAE;oBACL,cAAc,EAAE,kBAAkB;oBAClC,GAAG,OAAO;iBACb;gBACD,IAAI,EAAE,iBAAiB,CAAC,IAAI,CAAC;aAChC,CAAC,CAAC;YAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACf,OAAO,IAAI,CAAC,eAAe,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;YAClD,CAAC;YAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAe,CAAC;YAChD,MAAM,GAAG,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC;YAE7B,IAAI,CAAC,GAAG,EAAE,CAAC;gBACP,OAAO,IAAI,CAAC,qCAAqC,CAAC,CAAC;YACvD,CAAC;YAED,MAAM,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,UAAU,EAAE,GAAG,EAAE,SAAS,CAAC,MAAM,CAAC,CAAC;YAElE,IAAI,CAAC;gBACD,MAAM,IAAI,CAAC,kBAAkB,CAAC;oBAC1B,EAAE,EAAE,IAAI,CAAC,GAAG,EAAE;oBACd,MAAM,EAAE,0BAA0B;oBAClC,UAAU;oBACV,GAAG;oBACH,MAAM;oBACN,OAAO,EAAE,IAAI;iBAChB,CAAC,CAAC;YACP,CAAC;YAAC,MAAM,CAAC;gBACL,MAAM,aAAa,GAAG,QAAQ,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;gBAC1C,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,aAA0B,EAAE,UAAU,EAAE,sBAAsB,EAAE,IAAI,EAAE,CAAC;YACzG,CAAC;YAED,MAAM,aAAa,GAAG,QAAQ,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;YAC1C,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,aAA0B,EAAE,UAAU,EAAE,CAAC;QAC3E,CAAC;QAAC,OAAO,CAAM,EAAE,CAAC;YACd,MAAM,IAAI,GAAG,aAAa,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC;YACnE,OAAO,IAAI,CAAC,CAAC,CAAC,OAAO,IAAI,MAAM,CAAC,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC;QAC9C,CAAC;IACL,CAAC;CACJ"}

package/dist/protocol/childSecretNaming.d.ts

@@ -1,7 +0,0 @@
-/**
- * Vault secret naming for child identities. CHILD_KEY_PREFIX, getChildIdentitySecretName.
- * Not protocol objects. Protocol talks about public identities and signatures,
- * not local secret names or internal storage prefixes.
- */
-export declare const CHILD_KEY_PREFIX: "cbio:child:";
-export declare function getChildIdentitySecretName(publicKey: string): string;

package/dist/protocol/childSecretNaming.js

@@ -1,12 +0,0 @@
-/**
- * Vault secret naming for child identities. CHILD_KEY_PREFIX, getChildIdentitySecretName.
- * Not protocol objects. Protocol talks about public identities and signatures,
- * not local secret names or internal storage prefixes.
- */
-import * as crypto from 'node:crypto';
-export const CHILD_KEY_PREFIX = 'cbio:child:';
-export function getChildIdentitySecretName(publicKey) {
-    const hash = crypto.createHash('sha256').update(publicKey).digest('hex').substring(0, 12);
-    return CHILD_KEY_PREFIX + hash;
-}
-//# sourceMappingURL=childSecretNaming.js.map

package/dist/protocol/childSecretNaming.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"childSecretNaming.js","sourceRoot":"","sources":["../../src/protocol/childSecretNaming.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,MAAM,MAAM,aAAa,CAAC;AAEtC,MAAM,CAAC,MAAM,gBAAgB,GAAG,aAAsB,CAAC;AAEvD,MAAM,UAAU,0BAA0B,CAAC,SAAiB;IACxD,MAAM,IAAI,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAC1F,OAAO,gBAAgB,GAAG,IAAI,CAAC;AACnC,CAAC"}

package/dist/protocol/identity.d.ts

@@ -1,8 +0,0 @@
-/**
- * Claw-biometric Core Identity. Runtime utilities over protocol primitives.
- * getVaultPath (runtime). Re-exports protocol for consumers.
- */
-import { deriveRootAgentId } from '@the-ai-company/cbio-protocol';
-import { getChildIdentitySecretName, CHILD_KEY_PREFIX } from './childSecretNaming.js';
-export { deriveRootAgentId, getChildIdentitySecretName, CHILD_KEY_PREFIX };
-export declare function getVaultPath(publicKey: string): string;

package/dist/protocol/identity.js

@@ -1,16 +0,0 @@
-/**
- * Claw-biometric Core Identity. Runtime utilities over protocol primitives.
- * getVaultPath (runtime). Re-exports protocol for consumers.
- */
-import * as os from 'node:os';
-import * as path from 'node:path';
-import * as crypto from 'node:crypto';
-import { deriveRootAgentId } from '@the-ai-company/cbio-protocol';
-import { getChildIdentitySecretName, CHILD_KEY_PREFIX } from './childSecretNaming.js';
-export { deriveRootAgentId, getChildIdentitySecretName, CHILD_KEY_PREFIX };
-export function getVaultPath(publicKey) {
-    const hash = crypto.createHash('sha256').update(publicKey).digest('hex').substring(0, 12);
-    const baseDir = process.env.C_BIO_VAULT_DIR || path.join(os.homedir(), '.c-bio');
-    return path.join(baseDir, `vault_${hash}.enc`);
-}
-//# sourceMappingURL=identity.js.map

package/dist/protocol/identity.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"identity.js","sourceRoot":"","sources":["../../src/protocol/identity.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,KAAK,MAAM,MAAM,aAAa,CAAC;AACtC,OAAO,EAAE,iBAAiB,EAAE,MAAM,+BAA+B,CAAC;AAClE,OAAO,EAAE,0BAA0B,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAEtF,OAAO,EAAE,iBAAiB,EAAE,0BAA0B,EAAE,gBAAgB,EAAE,CAAC;AAE3E,MAAM,UAAU,YAAY,CAAC,SAAiB;IAC1C,MAAM,IAAI,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAC1F,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,eAAe,IAAI,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,QAAQ,CAAC,CAAC;IACjF,OAAO,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,SAAS,IAAI,MAAM,CAAC,CAAC;AACnD,CAAC"}

package/dist/sealed/index.d.ts

@@ -1,6 +0,0 @@
-/**
- * Sealed blob export. Seal/unseal primitives and sealed blob format helpers.
- * Do not depend on CbioAgent.
- */
-export { sealBlob, unsealBlob, SEALED_BLOB_VERSION } from './seal.js';
-export type { SealedBlobPayload } from './seal.js';

package/dist/sealed/index.js

@@ -1,6 +0,0 @@
-/**
- * Sealed blob export. Seal/unseal primitives and sealed blob format helpers.
- * Do not depend on CbioAgent.
- */
-export { sealBlob, unsealBlob, SEALED_BLOB_VERSION } from './seal.js';
-//# sourceMappingURL=index.js.map

package/dist/sealed/index.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/sealed/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,mBAAmB,EAAE,MAAM,WAAW,CAAC"}

package/dist/vault/secretPolicy.d.ts

@@ -1,3 +0,0 @@
-export declare function isLoopbackHost(hostname: string): boolean;
-export declare function isAllowedSecretUrl(url: URL): boolean;
-export declare function normalizeSecretPolicyOrigin(origin: string): string;

package/dist/vault/secretPolicy.js

@@ -1,14 +0,0 @@
-export function isLoopbackHost(hostname) {
-    return hostname === 'localhost' || hostname === '127.0.0.1' || hostname === '::1';
-}
-export function isAllowedSecretUrl(url) {
-    return url.protocol === 'https:' || (url.protocol === 'http:' && isLoopbackHost(url.hostname));
-}
-export function normalizeSecretPolicyOrigin(origin) {
-    const url = new URL(origin);
-    if (!isAllowedSecretUrl(url)) {
-        throw new Error(`Secret policy requires HTTPS origin or loopback HTTP for local development. Received: ${origin}`);
-    }
-    return url.origin;
-}
-//# sourceMappingURL=secretPolicy.js.map

package/dist/vault/secretPolicy.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"secretPolicy.js","sourceRoot":"","sources":["../../src/vault/secretPolicy.ts"],"names":[],"mappings":"AAAA,MAAM,UAAU,cAAc,CAAC,QAAgB;IAC3C,OAAO,QAAQ,KAAK,WAAW,IAAI,QAAQ,KAAK,WAAW,IAAI,QAAQ,KAAK,KAAK,CAAC;AACtF,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,GAAQ;IACvC,OAAO,GAAG,CAAC,QAAQ,KAAK,QAAQ,IAAI,CAAC,GAAG,CAAC,QAAQ,KAAK,OAAO,IAAI,cAAc,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC;AACnG,CAAC;AAED,MAAM,UAAU,2BAA2B,CAAC,MAAc;IACtD,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC;IAC5B,IAAI,CAAC,kBAAkB,CAAC,GAAG,CAAC,EAAE,CAAC;QAC3B,MAAM,IAAI,KAAK,CAAC,yFAAyF,MAAM,EAAE,CAAC,CAAC;IACvH,CAAC;IACD,OAAO,GAAG,CAAC,MAAM,CAAC;AACtB,CAAC"}

package/dist/vault/vault.d.ts

@@ -1,100 +0,0 @@
-import { Signer } from '../protocol/crypto.js';
-import type { IStorageProvider } from '../storage/provider.js';
-import { type ActivityLogEntry, type ActivityLogMetadata } from '../audit/ActivityLog.js';
-export interface SecretPolicy {
-    allowedOrigins?: string[];
-}
-/**
- * CbioVault
- *
- * A secure container for third-party API keys and secrets.
- * Secrets are stored in a private field (#) and are inaccessible
- * to the outside Agent logic. Vault stores ONLY secrets (encrypted).
- */
-export declare class CbioVault {
-    #private;
-    private static readonly PERSIST_SALT;
-    private static readonly VERSIONED_SECRET_PREFIX;
-    private static readonly REVOCATION_PREFIX;
-    private static readonly SECRET_OPERATION_WINDOW_MS;
-    private static readonly SECRET_OPERATION_LIMIT;
-    /**
-     * @internal Used by Owner. Binds storage and loads vault from disk. Do not call directly.
-     */
-    initFromStorage(signer: Signer, storageKey: string, storage?: IStorageProvider, activityLogKey?: string, activityLogKeyIsDerived?: boolean): Promise<void>;
-    /**
-     * @internal Used by Owner.importIdentity. Binds storage and loads vault from blob. Do not call directly.
-     */
-    initFromBlob(signer: Signer, blob: string, storageKey: string, storage?: IStorageProvider, activityLogKey?: string, activityLogKeyIsDerived?: boolean): Promise<void>;
-    /**
-     * Add a new secret. Fails if secretName already exists.
-     */
-    addSecret(secretName: string, secretValue: string, options?: SecretPolicy): Promise<void>;
-    /**
-     * Update an existing secret. Fails if secretName does not exist.
-     */
-    updateSecret(secretName: string, secretValue: string): Promise<void>;
-    setSecretAllowedOrigins(secretName: string, allowedOrigins: readonly string[]): Promise<void>;
-    rotateSecret(secretName: string, secretValue: string, sourceOrigin: string): Promise<void>;
-    /**
-     * Case 3: Retrieve a secret in plaintext.
-     * @internal @admin
-     * WARNING: This is an ADMIN-ONLY method. Do not use in Agent's autonomous logic.
-     */
-    getSecret(secretName: string): string | undefined;
-    internalHasSecret(secretName: string): boolean;
-    internalGetSecret(secretName: string): string | undefined;
-    internalSetSecret(secretName: string, secretValue: string, options?: SecretPolicy): Promise<void>;
-    internalDeleteSecret(secretName: string): Promise<void>;
-    assertSecretOperationAllowed(secretName: string, operation: string): void;
-    /**
-     * Case 4: Permanently delete a secret from memory and disk.
-     * @internal @admin
-     * WARNING: This is an ADMIN-ONLY method. Agent should NEVER be allowed
-     * to delete its own memory autonomously. Only Owner (Human) can call this.
-     */
-    deleteSecret(secretName: string): Promise<void>;
-    /**
-     * @internal Used by AuthClient to append activity log entries.
-     */
-    appendActivityLogEntry(entry: ActivityLogEntry): Promise<void>;
-    /**
-     * Persistence: Atomic save with write-read-verify.
-     */
-    save(signer: Signer, storageKey?: string, storage?: IStorageProvider): Promise<void>;
-    serializeToBlob(signer: Signer): Promise<string>;
-    /**
-     * Seal vault with external key (AES-256-GCM) for portable local storage.
-     */
-    seal(kdk: string): string;
-    /**
-     * Unseal vault from blob encrypted with kdk.
-     */
-    unseal(kdk: string, sealed: string): void;
-    hasSecret(secretName: string): boolean;
-    listSecretNames(): string[];
-    listAllSecretNames(): string[];
-    /**
-     * Read activity log. Owner-only. Returns [] if activity log not enabled.
-     */
-    getActivityLog(): Promise<readonly ActivityLogEntry[]>;
-    /**
-     * Read activity log metadata (agentId, storageKey). Returns null if not present.
-     */
-    getActivityLogMetadata(): Promise<ActivityLogMetadata | null>;
-    /**
-     * Merge secrets from another vault instance.
-     * Only allowed if both vaults belong to the same identity.
-     * @param options.onConflict 'abort' = return conflicts (default); 'skip' = merge non-conflicting only; 'overwrite' = use other's value for conflicts.
-     */
-    mergeFrom(otherVault: CbioVault, options?: {
-        onConflict?: 'abort' | 'skip' | 'overwrite';
-    }): Promise<MergeResult>;
-}
-export interface MergeResult {
-    merged: boolean;
-    added: string[];
-    skipped: string[];
-    overwritten: string[];
-    conflicts?: string[];
-}