@tokentestai/ais 0.1.0

package/dist/chunk-WVTDLVUU.js

@@ -0,0 +1,1400 @@
+#!/usr/bin/env node
+
+// src/automation/state.ts
+import { chmodSync, existsSync } from "fs";
+import { mkdir, readFile, rename, writeFile } from "fs/promises";
+import { homedir } from "os";
+import { dirname, join } from "path";
+
+// src/automation/model.ts
+var PROTECT_TOOLS = ["claude", "codex", "openclaw"];
+var UPDATE_CHANNELS = ["latest", "next"];
+function isProtectTool(value) {
+  return PROTECT_TOOLS.includes(value);
+}
+function isUpdateChannel(value) {
+  return UPDATE_CHANNELS.includes(value);
+}
+
+// src/automation/state.ts
+var STATE_FILE_MODE = 384;
+var DEFAULT_AUTOMATION_STATE_PATH_DISPLAY = "~/.ais/automation-state.json";
+function createDefaultAutomationState() {
+  return {
+    protect: {
+      tools: Object.fromEntries(
+        PROTECT_TOOLS.map((tool) => [tool, createDefaultProtectToolRuntimeState()])
+      )
+    },
+    update: {
+      lastResult: "never",
+      skipNextCheck: false
+    }
+  };
+}
+function createDefaultProtectToolRuntimeState() {
+  return {
+    installed: false,
+    suspended: false
+  };
+}
+function resolveAutomationStatePath(path) {
+  return expandHomePath(path ?? DEFAULT_AUTOMATION_STATE_PATH_DISPLAY);
+}
+async function loadAutomationState(path) {
+  const resolvedPath = resolveAutomationStatePath(path);
+  if (!existsSync(resolvedPath)) {
+    return {
+      exists: false,
+      path: resolvedPath,
+      state: createDefaultAutomationState()
+    };
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(await readFile(resolvedPath, "utf8"));
+  } catch (error) {
+    return recoverAutomationState(resolvedPath, error);
+  }
+  try {
+    return {
+      exists: true,
+      path: resolvedPath,
+      state: mergeAutomationState(parsed)
+    };
+  } catch (error) {
+    return recoverAutomationState(resolvedPath, error);
+  }
+}
+async function saveAutomationState(state, path) {
+  const resolvedPath = resolveAutomationStatePath(path);
+  const payload = `${JSON.stringify(state, null, 2)}
+`;
+  await mkdir(dirname(resolvedPath), { recursive: true });
+  await writeFile(resolvedPath, payload, { mode: STATE_FILE_MODE });
+  chmodSync(resolvedPath, STATE_FILE_MODE);
+}
+function cloneAutomationState(state) {
+  return {
+    protect: {
+      tools: Object.fromEntries(
+        PROTECT_TOOLS.map((tool) => [
+          tool,
+          {
+            ...state.protect.tools[tool]
+          }
+        ])
+      )
+    },
+    update: {
+      ...state.update
+    }
+  };
+}
+function mergeAutomationState(raw) {
+  if (!isRecord(raw)) {
+    throw new Error("Failed to load automation state: root must be an object");
+  }
+  const state = createDefaultAutomationState();
+  if ("update" in raw) {
+    const update = expectObject(raw.update, "update");
+    if ("lastResult" in update) {
+      state.update.lastResult = expectUpdateCheckResult(update.lastResult, "update.lastResult");
+    }
+    if ("skipNextCheck" in update) {
+      state.update.skipNextCheck = expectBoolean(update.skipNextCheck, "update.skipNextCheck");
+    }
+    if ("lastCheckedAt" in update) {
+      state.update.lastCheckedAt = expectOptionalFiniteNumber(update.lastCheckedAt, "update.lastCheckedAt");
+    }
+    if ("lastChannel" in update) {
+      state.update.lastChannel = expectOptionalUpdateChannel(update.lastChannel, "update.lastChannel");
+    }
+    if ("lastLocalVersion" in update) {
+      state.update.lastLocalVersion = expectOptionalString(update.lastLocalVersion, "update.lastLocalVersion");
+    }
+    if ("lastRemoteVersion" in update) {
+      state.update.lastRemoteVersion = expectOptionalString(update.lastRemoteVersion, "update.lastRemoteVersion");
+    }
+    if ("lastError" in update) {
+      state.update.lastError = expectOptionalString(update.lastError, "update.lastError");
+    }
+  }
+  if ("protect" in raw) {
+    const protect = expectObject(raw.protect, "protect");
+    if ("tools" in protect) {
+      const tools = expectObject(protect.tools, "protect.tools");
+      for (const [key, value] of Object.entries(tools)) {
+        if (!isProtectTool(key)) {
+          throw new Error(`Failed to load automation state: protect.tools.${key} is not supported`);
+        }
+        state.protect.tools[key] = parseProtectToolRuntimeState(value, `protect.tools.${key}`);
+      }
+    }
+  }
+  return state;
+}
+function parseProtectToolRuntimeState(value, path) {
+  const toolState = expectObject(value, path);
+  const parsed = createDefaultProtectToolRuntimeState();
+  if ("installed" in toolState) {
+    parsed.installed = expectBoolean(toolState.installed, `${path}.installed`);
+  }
+  if ("suspended" in toolState) {
+    parsed.suspended = expectBoolean(toolState.suspended, `${path}.suspended`);
+  }
+  if ("managedPath" in toolState) {
+    parsed.managedPath = expectOptionalString(toolState.managedPath, `${path}.managedPath`);
+  }
+  if ("backupPath" in toolState) {
+    parsed.backupPath = expectOptionalString(toolState.backupPath, `${path}.backupPath`);
+  }
+  if ("originalCommandPath" in toolState) {
+    parsed.originalCommandPath = expectOptionalString(
+      toolState.originalCommandPath,
+      `${path}.originalCommandPath`
+    );
+  }
+  if ("lastError" in toolState) {
+    parsed.lastError = expectOptionalString(toolState.lastError, `${path}.lastError`);
+  }
+  if ("lastChangedAt" in toolState) {
+    parsed.lastChangedAt = expectOptionalFiniteNumber(toolState.lastChangedAt, `${path}.lastChangedAt`);
+  }
+  return parsed;
+}
+async function recoverAutomationState(path, error) {
+  const message = error instanceof Error ? error.message : String(error);
+  const backupPath = `${path}.corrupt-${Date.now()}`;
+  let recoveredFrom;
+  try {
+    await rename(path, backupPath);
+    recoveredFrom = backupPath;
+  } catch {
+    recoveredFrom = path;
+  }
+  return {
+    exists: false,
+    path,
+    recoveredFrom,
+    recoveryReason: message,
+    state: createDefaultAutomationState()
+  };
+}
+function expectUpdateCheckResult(value, path) {
+  if (value !== "available" && value !== "failed" && value !== "never" && value !== "skipped" && value !== "up-to-date" && value !== "updated") {
+    throw new Error(`Failed to load automation state: ${path} must be a valid update result`);
+  }
+  return value;
+}
+function expectBoolean(value, path) {
+  if (typeof value !== "boolean") {
+    throw new Error(`Failed to load automation state: ${path} must be a boolean`);
+  }
+  return value;
+}
+function expectObject(value, path) {
+  if (!isRecord(value)) {
+    throw new Error(`Failed to load automation state: ${path} must be an object`);
+  }
+  return value;
+}
+function expectOptionalFiniteNumber(value, path) {
+  if (value === void 0) {
+    return void 0;
+  }
+  if (typeof value !== "number" || !Number.isFinite(value)) {
+    throw new Error(`Failed to load automation state: ${path} must be a finite number`);
+  }
+  return value;
+}
+function expectOptionalString(value, path) {
+  if (value === void 0) {
+    return void 0;
+  }
+  if (typeof value !== "string") {
+    throw new Error(`Failed to load automation state: ${path} must be a string`);
+  }
+  return value;
+}
+function expectOptionalUpdateChannel(value, path) {
+  if (value === void 0) {
+    return void 0;
+  }
+  if (typeof value !== "string" || !isUpdateChannel(value)) {
+    throw new Error(`Failed to load automation state: ${path} must be one of ${UPDATE_CHANNELS_LABEL}`);
+  }
+  return value;
+}
+function isRecord(value) {
+  return !!value && typeof value === "object" && !Array.isArray(value);
+}
+function expandHomePath(path) {
+  if (path === "~") {
+    return homedir();
+  }
+  if (path.startsWith("~/")) {
+    return join(homedir(), path.slice(2));
+  }
+  return path;
+}
+var UPDATE_CHANNELS_LABEL = "latest, next";
+
+// src/config.ts
+import { chmodSync as chmodSync3, existsSync as existsSync3 } from "fs";
+import { mkdir as mkdir3, readFile as readFile3, writeFile as writeFile3 } from "fs/promises";
+import { homedir as homedir3 } from "os";
+import { dirname as dirname3, join as join3 } from "path";
+
+// src/ais/state.ts
+import { createHash } from "crypto";
+import { chmodSync as chmodSync2, existsSync as existsSync2 } from "fs";
+import { mkdir as mkdir2, readFile as readFile2, writeFile as writeFile2 } from "fs/promises";
+import { homedir as homedir2 } from "os";
+import { dirname as dirname2, join as join2 } from "path";
+
+// src/vault/types.ts
+var SECRET_TYPES = [
+  "PASSWORD",
+  "APIKEY",
+  "DBCONN",
+  "PRIVATE_KEY",
+  "BEARER_TOKEN",
+  "JWT",
+  "GENERIC"
+];
+var SECRET_SOURCES = ["manual", "argv", "stdin", "proxy"];
+function isSecretType(value) {
+  return typeof value === "string" && SECRET_TYPES.includes(value);
+}
+function isSecretSource(value) {
+  return typeof value === "string" && SECRET_SOURCES.includes(value);
+}
+
+// src/ais/state.ts
+var STATE_FILE_MODE2 = 384;
+var DEFAULT_AIS_STATE_PATH_DISPLAY = "~/.ais/ais-state.json";
+function createDefaultAisState() {
+  return {
+    excludedRecordIds: [],
+    excludedTypes: [],
+    recentRecords: []
+  };
+}
+function buildAisRecordId(secret) {
+  return createHash("sha256").update(secret).digest("hex").slice(0, 12);
+}
+function resolveAisStatePath(path) {
+  return expandHomePath2(path ?? DEFAULT_AIS_STATE_PATH_DISPLAY);
+}
+var AisStore = class {
+  constructor(options = {}) {
+    this.options = options;
+  }
+  dirty = false;
+  loaded = false;
+  state = createDefaultAisState();
+  async load() {
+    if (this.loaded) {
+      return this.getState();
+    }
+    const statePath = this.getPath();
+    if (!existsSync2(statePath)) {
+      this.loaded = true;
+      return this.getState();
+    }
+    let parsed;
+    try {
+      parsed = JSON.parse(await readFile2(statePath, "utf8"));
+    } catch (error) {
+      const message = error instanceof Error ? error.message : String(error);
+      throw new Error(`Failed to load AIS state: ${message}`);
+    }
+    this.state = mergeAisState(parsed);
+    this.loaded = true;
+    return this.getState();
+  }
+  async save() {
+    if (!this.loaded || !this.dirty) {
+      return;
+    }
+    const statePath = this.getPath();
+    const payload = `${JSON.stringify(this.state, null, 2)}
+`;
+    await mkdir2(dirname2(statePath), { recursive: true });
+    await writeFile2(statePath, payload, { mode: STATE_FILE_MODE2 });
+    chmodSync2(statePath, STATE_FILE_MODE2);
+    this.dirty = false;
+  }
+  getPath() {
+    return resolveAisStatePath(this.options.path);
+  }
+  getState() {
+    return {
+      excludedRecordIds: [...this.state.excludedRecordIds],
+      excludedTypes: [...this.state.excludedTypes],
+      recentRecords: this.state.recentRecords.map((record) => ({ ...record }))
+    };
+  }
+  isExcluded(secret, type) {
+    this.assertLoaded();
+    return this.state.excludedTypes.includes(type) || this.state.excludedRecordIds.includes(buildAisRecordId(secret));
+  }
+  recordSecret(secret, type, options) {
+    this.assertLoaded();
+    const id = buildAisRecordId(secret);
+    const timestamp = options.timestamp ?? Date.now();
+    const preview = buildPreview(secret);
+    const existing = this.state.recentRecords.find((record2) => record2.id === id);
+    if (existing) {
+      existing.lastSeenAt = timestamp;
+      existing.seenCount += 1;
+      existing.type = type;
+      existing.source = options.source;
+      existing.preview = preview;
+      existing.name = normalizeName(options.name) ?? existing.name;
+      this.sortRecentRecords();
+      this.dirty = true;
+      return { ...existing };
+    }
+    const record = {
+      id,
+      createdAt: timestamp,
+      lastSeenAt: timestamp,
+      name: normalizeName(options.name),
+      preview,
+      seenCount: 1,
+      source: options.source,
+      type
+    };
+    this.state.recentRecords.unshift(record);
+    this.trimRecentRecords();
+    this.sortRecentRecords();
+    this.dirty = true;
+    return { ...record };
+  }
+  setRecordExcluded(id, excluded) {
+    this.assertLoaded();
+    const normalizedId = id.trim();
+    if (!this.state.recentRecords.some((record) => record.id === normalizedId)) {
+      return false;
+    }
+    const nextIds = new Set(this.state.excludedRecordIds);
+    const hadValue = nextIds.has(normalizedId);
+    if (excluded) {
+      nextIds.add(normalizedId);
+    } else {
+      nextIds.delete(normalizedId);
+    }
+    if (hadValue === excluded) {
+      return true;
+    }
+    this.state.excludedRecordIds = Array.from(nextIds).sort();
+    this.dirty = true;
+    return true;
+  }
+  setTypeExcluded(type, excluded) {
+    this.assertLoaded();
+    const nextTypes = new Set(this.state.excludedTypes);
+    const hadValue = nextTypes.has(type);
+    if (excluded) {
+      nextTypes.add(type);
+    } else {
+      nextTypes.delete(type);
+    }
+    if (hadValue === excluded) {
+      return;
+    }
+    this.state.excludedTypes = Array.from(nextTypes).sort();
+    this.dirty = true;
+  }
+  assertLoaded() {
+    if (!this.loaded) {
+      throw new Error("AIS state must be loaded before use.");
+    }
+  }
+  sortRecentRecords() {
+    this.state.recentRecords.sort((left, right) => right.lastSeenAt - left.lastSeenAt);
+  }
+  trimRecentRecords() {
+    const recentLimit = Math.max(1, this.options.recentLimit ?? 20);
+    if (this.state.recentRecords.length > recentLimit) {
+      this.state.recentRecords.length = recentLimit;
+    }
+  }
+};
+function buildPreview(secret) {
+  const singleLine = secret.replace(/\s+/g, " ").trim();
+  if (singleLine.length <= 6) {
+    return `${singleLine.slice(0, 1)}***${singleLine.slice(-1)}`;
+  }
+  if (singleLine.length <= 12) {
+    return `${singleLine.slice(0, 2)}***${singleLine.slice(-2)}`;
+  }
+  return `${singleLine.slice(0, 4)}***${singleLine.slice(-4)}`;
+}
+function mergeAisState(raw) {
+  if (!isRecord2(raw)) {
+    throw new Error("Failed to load AIS state: root must be an object");
+  }
+  const state = createDefaultAisState();
+  if ("excludedRecordIds" in raw) {
+    if (!Array.isArray(raw.excludedRecordIds) || !raw.excludedRecordIds.every((value) => typeof value === "string")) {
+      throw new Error("Failed to load AIS state: excludedRecordIds must be a string array");
+    }
+    state.excludedRecordIds = raw.excludedRecordIds.map((value) => value.trim()).filter(Boolean);
+  }
+  if ("excludedTypes" in raw) {
+    if (!Array.isArray(raw.excludedTypes) || !raw.excludedTypes.every(isSecretType)) {
+      throw new Error("Failed to load AIS state: excludedTypes must contain valid secret types");
+    }
+    state.excludedTypes = [...raw.excludedTypes];
+  }
+  if ("recentRecords" in raw) {
+    if (!Array.isArray(raw.recentRecords)) {
+      throw new Error("Failed to load AIS state: recentRecords must be an array");
+    }
+    state.recentRecords = raw.recentRecords.map((value, index) => parseRecentRecord(value, index));
+  }
+  return state;
+}
+function parseRecentRecord(value, index) {
+  if (!isRecord2(value)) {
+    throw new Error(`Failed to load AIS state: recentRecords[${index}] must be an object`);
+  }
+  const id = expectString(value.id, `recentRecords[${index}].id`);
+  const createdAt = expectNumber(value.createdAt, `recentRecords[${index}].createdAt`);
+  const lastSeenAt = expectNumber(value.lastSeenAt, `recentRecords[${index}].lastSeenAt`);
+  const preview = expectString(value.preview, `recentRecords[${index}].preview`);
+  const seenCount = expectNumber(value.seenCount, `recentRecords[${index}].seenCount`);
+  const source = expectSecretSource(value.source, `recentRecords[${index}].source`);
+  const type = expectSecretType(value.type, `recentRecords[${index}].type`);
+  return {
+    id,
+    createdAt,
+    lastSeenAt,
+    name: normalizeName(expectOptionalString2(value.name, `recentRecords[${index}].name`)),
+    preview,
+    seenCount,
+    source,
+    type
+  };
+}
+function expectNumber(value, path) {
+  if (typeof value !== "number" || !Number.isFinite(value)) {
+    throw new Error(`Failed to load AIS state: ${path} must be a finite number`);
+  }
+  return value;
+}
+function expectOptionalString2(value, path) {
+  if (value === void 0) {
+    return void 0;
+  }
+  return expectString(value, path);
+}
+function expectSecretSource(value, path) {
+  if (!isSecretSource(value)) {
+    throw new Error(`Failed to load AIS state: ${path} must be a valid source`);
+  }
+  return value;
+}
+function expectSecretType(value, path) {
+  if (!isSecretType(value)) {
+    throw new Error(`Failed to load AIS state: ${path} must be a valid type`);
+  }
+  return value;
+}
+function expectString(value, path) {
+  if (typeof value !== "string") {
+    throw new Error(`Failed to load AIS state: ${path} must be a string`);
+  }
+  return value;
+}
+function isRecord2(value) {
+  return !!value && typeof value === "object" && !Array.isArray(value);
+}
+function normalizeName(name) {
+  if (name === void 0) {
+    return void 0;
+  }
+  const trimmed = name.trim();
+  return trimmed.length === 0 ? void 0 : trimmed;
+}
+function expandHomePath2(path) {
+  if (path === "~") {
+    return homedir2();
+  }
+  if (path.startsWith("~/")) {
+    return join2(homedir2(), path.slice(2));
+  }
+  return path;
+}
+
+// src/config.ts
+var CONFIG_FILE_MODE = 384;
+var DEFAULT_CONFIG_PATH = join3(homedir3(), ".ais", "config.json");
+var DEFAULT_VAULT_PATH_DISPLAY = "~/.ais/vault.enc";
+function createDefaultConfig() {
+  return {
+    ais: {
+      recentLimit: 20,
+      statePath: DEFAULT_AIS_STATE_PATH_DISPLAY
+    },
+    automation: {
+      statePath: DEFAULT_AUTOMATION_STATE_PATH_DISPLAY
+    },
+    customPatterns: [],
+    detection: {
+      patterns: true,
+      context: true,
+      entropy: false,
+      entropyThreshold: 4
+    },
+    display: {
+      debug: false
+    },
+    protect: {
+      enabled: true,
+      tools: {
+        claude: true,
+        codex: true,
+        openclaw: true
+      }
+    },
+    storage: {
+      persistSecrets: false,
+      vaultPath: DEFAULT_VAULT_PATH_DISPLAY
+    },
+    update: {
+      channel: "latest",
+      checkIntervalMinutes: 1440,
+      enabled: true,
+      silent: true
+    }
+  };
+}
+function expandHomePath3(path) {
+  if (path === "~") {
+    return homedir3();
+  }
+  if (path.startsWith("~/")) {
+    return join3(homedir3(), path.slice(2));
+  }
+  return path;
+}
+function resolveConfigPath(path) {
+  return expandHomePath3(path ?? DEFAULT_CONFIG_PATH);
+}
+async function loadConfig(path) {
+  const resolvedPath = resolveConfigPath(path);
+  if (!existsSync3(resolvedPath)) {
+    return {
+      config: createDefaultConfig(),
+      exists: false,
+      path: resolvedPath
+    };
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(await readFile3(resolvedPath, "utf8"));
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    throw new Error(`Failed to load config: ${message}`);
+  }
+  return {
+    config: mergeConfig(parsed),
+    exists: true,
+    path: resolvedPath
+  };
+}
+async function saveConfig(config, path) {
+  const resolvedPath = resolveConfigPath(path);
+  const payload = `${JSON.stringify(config, null, 2)}
+`;
+  await mkdir3(dirname3(resolvedPath), { recursive: true });
+  await writeFile3(resolvedPath, payload, { mode: CONFIG_FILE_MODE });
+  chmodSync3(resolvedPath, CONFIG_FILE_MODE);
+}
+function mergeConfig(raw) {
+  if (!isRecord3(raw)) {
+    throw new Error("Failed to load config: root must be an object");
+  }
+  const config = createDefaultConfig();
+  if ("detection" in raw) {
+    const detection = expectObject2(raw.detection, "detection");
+    if ("patterns" in detection) {
+      config.detection.patterns = expectBoolean2(detection.patterns, "detection.patterns");
+    }
+    if ("context" in detection) {
+      config.detection.context = expectBoolean2(detection.context, "detection.context");
+    }
+    if ("entropy" in detection) {
+      config.detection.entropy = expectBoolean2(detection.entropy, "detection.entropy");
+    }
+    if ("entropyThreshold" in detection) {
+      config.detection.entropyThreshold = expectFiniteNumber(
+        detection.entropyThreshold,
+        "detection.entropyThreshold"
+      );
+    }
+  }
+  if ("ais" in raw) {
+    const ais = expectObject2(raw.ais, "ais");
+    if ("recentLimit" in ais) {
+      config.ais.recentLimit = expectPositiveInteger(ais.recentLimit, "ais.recentLimit");
+    }
+    if ("statePath" in ais) {
+      config.ais.statePath = expectString2(ais.statePath, "ais.statePath");
+    }
+  }
+  if ("automation" in raw) {
+    const automation = expectObject2(raw.automation, "automation");
+    if ("statePath" in automation) {
+      config.automation.statePath = expectString2(automation.statePath, "automation.statePath");
+    }
+  }
+  if ("display" in raw) {
+    const display = expectObject2(raw.display, "display");
+    if ("debug" in display) {
+      config.display.debug = expectBoolean2(display.debug, "display.debug");
+    }
+  }
+  if ("storage" in raw) {
+    const storage = expectObject2(raw.storage, "storage");
+    if ("persistSecrets" in storage) {
+      config.storage.persistSecrets = expectBoolean2(storage.persistSecrets, "storage.persistSecrets");
+    }
+    if ("vaultPath" in storage) {
+      config.storage.vaultPath = expectString2(storage.vaultPath, "storage.vaultPath");
+    }
+  }
+  if ("update" in raw) {
+    const update = expectObject2(raw.update, "update");
+    if ("enabled" in update) {
+      config.update.enabled = expectBoolean2(update.enabled, "update.enabled");
+    }
+    if ("channel" in update) {
+      config.update.channel = expectUpdateChannel(update.channel, "update.channel");
+    }
+    if ("checkIntervalMinutes" in update) {
+      config.update.checkIntervalMinutes = expectPositiveInteger(
+        update.checkIntervalMinutes,
+        "update.checkIntervalMinutes"
+      );
+    }
+    if ("silent" in update) {
+      config.update.silent = expectBoolean2(update.silent, "update.silent");
+    }
+  }
+  if ("protect" in raw) {
+    const protect = expectObject2(raw.protect, "protect");
+    if ("enabled" in protect) {
+      config.protect.enabled = expectBoolean2(protect.enabled, "protect.enabled");
+    }
+    if ("tools" in protect) {
+      const tools = expectObject2(protect.tools, "protect.tools");
+      if ("claude" in tools) {
+        config.protect.tools.claude = expectBoolean2(tools.claude, "protect.tools.claude");
+      }
+      if ("codex" in tools) {
+        config.protect.tools.codex = expectBoolean2(tools.codex, "protect.tools.codex");
+      }
+      if ("openclaw" in tools) {
+        config.protect.tools.openclaw = expectBoolean2(tools.openclaw, "protect.tools.openclaw");
+      }
+    }
+  }
+  if ("customPatterns" in raw) {
+    if (!Array.isArray(raw.customPatterns)) {
+      throw new Error("Failed to load config: customPatterns must be an array");
+    }
+    config.customPatterns = raw.customPatterns.map((value, index) => parseCustomPattern(value, index));
+  }
+  return config;
+}
+function parseCustomPattern(value, index) {
+  const pattern = expectObject2(value, `customPatterns[${index}]`);
+  const id = expectString2(pattern.id, `customPatterns[${index}].id`);
+  const regex = expectString2(pattern.regex, `customPatterns[${index}].regex`);
+  const type = expectString2(pattern.type, `customPatterns[${index}].type`);
+  if (!isSecretType(type)) {
+    throw new Error(`Failed to load config: customPatterns[${index}].type is invalid`);
+  }
+  try {
+    new RegExp(regex, "g");
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    throw new Error(`Failed to load config: customPatterns[${index}].regex is invalid: ${message}`);
+  }
+  return {
+    id,
+    regex,
+    type
+  };
+}
+function expectBoolean2(value, path) {
+  if (typeof value !== "boolean") {
+    throw new Error(`Failed to load config: ${path} must be a boolean`);
+  }
+  return value;
+}
+function expectFiniteNumber(value, path) {
+  if (typeof value !== "number" || !Number.isFinite(value)) {
+    throw new Error(`Failed to load config: ${path} must be a finite number`);
+  }
+  return value;
+}
+function expectPositiveInteger(value, path) {
+  const parsed = expectFiniteNumber(value, path);
+  if (!Number.isInteger(parsed) || parsed < 1) {
+    throw new Error(`Failed to load config: ${path} must be a positive integer`);
+  }
+  return parsed;
+}
+function expectUpdateChannel(value, path) {
+  if (typeof value !== "string" || !isUpdateChannel(value)) {
+    throw new Error(`Failed to load config: ${path} must be "latest" or "next"`);
+  }
+  return value;
+}
+function expectObject2(value, path) {
+  if (!isRecord3(value)) {
+    throw new Error(`Failed to load config: ${path} must be an object`);
+  }
+  return value;
+}
+function expectString2(value, path) {
+  if (typeof value !== "string") {
+    throw new Error(`Failed to load config: ${path} must be a string`);
+  }
+  return value;
+}
+function isRecord3(value) {
+  return !!value && typeof value === "object" && !Array.isArray(value);
+}
+
+// src/protect/index.ts
+import { spawn } from "child_process";
+import { constants, existsSync as existsSync4 } from "fs";
+import { access, chmod, lstat, mkdir as mkdir4, readFile as readFile4, readlink, rename as rename2, rm, writeFile as writeFile4 } from "fs/promises";
+import { homedir as homedir4 } from "os";
+import { basename, delimiter, dirname as dirname4, join as join4, resolve } from "path";
+import { fileURLToPath } from "url";
+var EXECUTABLE_MODE = 493;
+var MANAGED_WRAPPER_MARKER = "# AIS protect wrapper";
+var SHELL_BLOCK_START = "# >>> AIS protect >>>";
+var SHELL_BLOCK_END = "# <<< AIS protect <<<";
+async function syncProtectRuntime(config, state, options = {}) {
+  const context = createContext(options);
+  const nextState = cloneAutomationState(state);
+  const warnings = [];
+  const errors = [];
+  let managedBinNeeded = false;
+  for (const tool of PROTECT_TOOLS) {
+    const desired = config.protect.enabled && config.protect.tools[tool];
+    const result = desired ? await installToolTakeover(tool, nextState.protect.tools[tool], context) : await removeToolTakeover(tool, nextState.protect.tools[tool], context, true);
+    nextState.protect.tools[tool] = result.runtime;
+    managedBinNeeded ||= result.usesManagedBin;
+    if (result.warning) {
+      warnings.push(result.warning);
+    }
+    if (result.error) {
+      errors.push(result.error);
+    }
+  }
+  const shellChanged = managedBinNeeded ? await ensureShellBlock(context) : await removeShellBlock(context);
+  return {
+    changed: shellChanged || hasStateChanged(state, nextState),
+    errors,
+    state: nextState,
+    warnings
+  };
+}
+async function refreshProtectRuntime(state, options = {}) {
+  const context = createContext(options);
+  const nextState = cloneAutomationState(state);
+  const warnings = [];
+  for (const tool of PROTECT_TOOLS) {
+    const current = nextState.protect.tools[tool];
+    const inspection = await inspectToolRuntime(tool, current, context);
+    nextState.protect.tools[tool] = inspection.runtime;
+    if (inspection.warning) {
+      warnings.push(inspection.warning);
+    }
+  }
+  return {
+    changed: hasStateChanged(state, nextState),
+    errors: [],
+    state: nextState,
+    warnings
+  };
+}
+async function restoreProtectRuntime(config, state, options = {}) {
+  const context = createContext(options);
+  const nextState = cloneAutomationState(state);
+  const warnings = [];
+  const errors = [];
+  for (const tool of PROTECT_TOOLS) {
+    const result = await removeToolTakeover(tool, nextState.protect.tools[tool], context, false);
+    nextState.protect.tools[tool] = result.runtime;
+    if (result.warning) {
+      warnings.push(result.warning);
+    }
+    if (result.error) {
+      errors.push(result.error);
+    }
+  }
+  const shellChanged = await removeShellBlock(context);
+  const nextConfig = structuredClone(config);
+  nextConfig.protect.enabled = false;
+  nextConfig.protect.tools.claude = false;
+  nextConfig.protect.tools.codex = false;
+  nextConfig.protect.tools.openclaw = false;
+  return {
+    changed: shellChanged || hasStateChanged(state, nextState) || JSON.stringify(config.protect) !== JSON.stringify(nextConfig.protect),
+    config: nextConfig,
+    errors,
+    state: nextState,
+    warnings
+  };
+}
+async function resolveProtectedCommand(command, env = process.env, options = {}) {
+  if (env.AIS_PROTECT_WRAPPER_ACTIVE !== "1" || env.AIS_PROTECT_TOOL !== command || !PROTECT_TOOLS.includes(command)) {
+    return command;
+  }
+  const explicitCommand = env.AIS_PROTECT_REAL_COMMAND?.trim();
+  const wrapperPath = env.AIS_PROTECT_WRAPPER_PATH?.trim();
+  if (explicitCommand && explicitCommand !== wrapperPath && await isExecutablePath(explicitCommand)) {
+    return explicitCommand;
+  }
+  const homeDir = options.homeDir ?? env.HOME ?? homedir4();
+  const managedBinDir = env.AIS_PROTECT_WRAPPER_DIR?.trim() || join4(homeDir, ".ais", "bin");
+  const found = await findCommandPaths(command, env.PATH ?? process.env.PATH ?? "", {
+    excludeDirs: [managedBinDir],
+    excludePaths: wrapperPath ? [wrapperPath] : []
+  });
+  if (found.paths[0]) {
+    return found.paths[0];
+  }
+  throw new Error(
+    `Protected command ${command} does not have a real target yet. Install the original tool first, or run "ais protect off ${command}".`
+  );
+}
+function createContext(options) {
+  const env = options.env ?? process.env;
+  const homeDir = options.homeDir ?? env.HOME ?? homedir4();
+  return {
+    aisCliPath: options.aisCliPath ?? resolveManagedCliPath(),
+    backupRootDir: join4(homeDir, ".ais", "backups"),
+    env,
+    homeDir,
+    managedBinDir: join4(homeDir, ".ais", "bin"),
+    nodePath: options.nodePath ?? process.execPath,
+    now: options.now ?? Date.now,
+    shellPath: options.shellPath ?? env.SHELL,
+    shellRunner: options.shellRunner ?? runShellCommand
+  };
+}
+function resolveManagedCliPath() {
+  const candidatePaths = [
+    fileURLToPath(new URL("../../dist/cli.js", import.meta.url)),
+    fileURLToPath(new URL("../cli.js", import.meta.url)),
+    process.argv[1] ? resolve(process.argv[1]) : void 0
+  ].filter((value) => typeof value === "string" && value.length > 0);
+  const foundPath = candidatePaths.find((candidatePath) => existsSync4(candidatePath));
+  if (foundPath) {
+    return foundPath;
+  }
+  return resolve(join4(process.cwd(), "dist", "cli.js"));
+}
+async function installToolTakeover(tool, runtime, context) {
+  const commandInfo = await findCommandPaths(tool, context.env.PATH ?? process.env.PATH ?? "", {
+    context,
+    excludeDirs: [context.managedBinDir]
+  });
+  const collisionMessage = formatCollisionMessage(tool, commandInfo.collision);
+  if (runtime.installed && runtime.managedPath && await isManagedWrapper(runtime.managedPath)) {
+    if (runtime.managedPath.startsWith(context.managedBinDir)) {
+      const rewritten2 = await installPrependTakeover(tool, runtime, commandInfo, context);
+      if (collisionMessage && !rewritten2.warning) {
+        rewritten2.warning = collisionMessage;
+      }
+      return rewritten2;
+    }
+    const rewritten = await installInPlaceTakeover(
+      tool,
+      runtime.managedPath,
+      runtime.originalCommandPath ?? runtime.managedPath,
+      runtime.backupPath,
+      context
+    );
+    if (collisionMessage && !rewritten.warning) {
+      rewritten.warning = collisionMessage;
+    }
+    return rewritten;
+  }
+  if (commandInfo.firstPath && await shouldUseInPlaceTakeover(commandInfo.firstPath, context.homeDir)) {
+    const installed = await installInPlaceTakeover(tool, commandInfo.firstPath, commandInfo.firstPath, void 0, context);
+    if (collisionMessage && !installed.warning) {
+      installed.warning = collisionMessage;
+    }
+    return installed;
+  }
+  const prepended = await installPrependTakeover(tool, runtime, commandInfo, context);
+  if (collisionMessage && !prepended.warning) {
+    prepended.warning = collisionMessage;
+  }
+  return prepended;
+}
+async function installInPlaceTakeover(tool, managedPath, originalCommandPath, currentBackupPath, context) {
+  const backupPath = currentBackupPath ?? join4(context.backupRootDir, tool, basename(originalCommandPath));
+  const wrapper = createWrapperScript(tool, managedPath, context, backupPath);
+  let warning;
+  if (currentBackupPath && !existsSync4(currentBackupPath)) {
+    warning = `${tool}: backup target is missing, fallback lookup will be used until it is rebuilt.`;
+  }
+  if (await isManagedWrapper(managedPath)) {
+    await writeExecutableFile(managedPath, wrapper);
+    return {
+      runtime: buildRuntimeState({
+        backupPath,
+        installed: true,
+        lastError: warning,
+        managedPath,
+        originalCommandPath,
+        suspended: false
+      }, context),
+      usesManagedBin: false,
+      warning
+    };
+  }
+  await mkdir4(dirname4(backupPath), { recursive: true });
+  if (existsSync4(backupPath)) {
+    await rm(backupPath, { force: true, recursive: true });
+  }
+  let renamed = false;
+  try {
+    await rename2(managedPath, backupPath);
+    renamed = true;
+    await writeExecutableFile(managedPath, wrapper);
+    return {
+      runtime: buildRuntimeState({
+        backupPath,
+        installed: true,
+        lastError: warning,
+        managedPath,
+        originalCommandPath,
+        suspended: false
+      }, context),
+      usesManagedBin: false,
+      warning
+    };
+  } catch (error) {
+    if (renamed) {
+      await rm(managedPath, { force: true }).catch(() => void 0);
+      await rename2(backupPath, managedPath).catch(() => void 0);
+    }
+    return {
+      error: `${tool}: failed to install in-place takeover (${toErrorMessage(error)})`,
+      runtime: buildRuntimeState({
+        installed: false,
+        lastError: `install failed: ${toErrorMessage(error)}`,
+        originalCommandPath,
+        suspended: false
+      }, context),
+      usesManagedBin: false
+    };
+  }
+}
+async function installPrependTakeover(tool, runtime, commandInfo, context) {
+  if (runtime.installed && runtime.managedPath && !runtime.managedPath.startsWith(context.managedBinDir)) {
+    const removed = await removeToolTakeover(tool, runtime, context, false);
+    if (removed.error) {
+      return removed;
+    }
+  }
+  const managedPath = join4(context.managedBinDir, tool);
+  await mkdir4(context.managedBinDir, { recursive: true });
+  await writeExecutableFile(managedPath, createWrapperScript(tool, managedPath, context));
+  const warningParts = [];
+  if (!commandInfo.firstPath) {
+    warningParts.push(`${tool}: original command is not installed yet; AIS will wait for it to appear later.`);
+  }
+  const collisionMessage = formatCollisionMessage(tool, commandInfo.collision);
+  if (collisionMessage) {
+    warningParts.push(collisionMessage);
+  }
+  return {
+    runtime: buildRuntimeState({
+      installed: true,
+      lastError: warningParts.length === 0 ? void 0 : warningParts.join(" "),
+      managedPath,
+      originalCommandPath: commandInfo.firstPath,
+      suspended: false
+    }, context),
+    usesManagedBin: true,
+    warning: warningParts.length === 0 ? void 0 : warningParts.join(" ")
+  };
+}
+async function removeToolTakeover(tool, runtime, context, keepSuspended) {
+  const managedPath = runtime.managedPath;
+  const backupPath = runtime.backupPath;
+  const originalCommandPath = runtime.originalCommandPath;
+  if (managedPath && managedPath.startsWith(context.managedBinDir)) {
+    if (existsSync4(managedPath)) {
+      await rm(managedPath, { force: true }).catch(() => void 0);
+    }
+    const commandInfo2 = await findCommandPaths(tool, context.env.PATH ?? process.env.PATH ?? "", {
+      context,
+      excludeDirs: [context.managedBinDir]
+    });
+    return {
+      runtime: buildRuntimeState({
+        installed: false,
+        lastError: void 0,
+        originalCommandPath: commandInfo2.firstPath ?? originalCommandPath,
+        suspended: keepSuspended
+      }, context),
+      usesManagedBin: false
+    };
+  }
+  if (managedPath && backupPath && existsSync4(backupPath)) {
+    const managedIsWrapper = await isManagedWrapper(managedPath);
+    try {
+      if (managedIsWrapper) {
+        await rm(managedPath, { force: true });
+        await rename2(backupPath, originalCommandPath ?? managedPath);
+      } else if (!existsSync4(originalCommandPath ?? managedPath)) {
+        await rename2(backupPath, originalCommandPath ?? managedPath);
+      } else {
+        await rm(backupPath, { force: true, recursive: true });
+      }
+      return {
+        runtime: buildRuntimeState({
+          installed: false,
+          lastError: void 0,
+          originalCommandPath: originalCommandPath ?? managedPath,
+          suspended: keepSuspended
+        }, context),
+        usesManagedBin: false
+      };
+    } catch (error) {
+      return {
+        error: `${tool}: failed to restore original command (${toErrorMessage(error)})`,
+        runtime: buildRuntimeState({
+          backupPath,
+          installed: managedIsWrapper,
+          lastError: `restore failed: ${toErrorMessage(error)}`,
+          managedPath,
+          originalCommandPath: originalCommandPath ?? managedPath,
+          suspended: keepSuspended
+        }, context),
+        usesManagedBin: false
+      };
+    }
+  }
+  const commandInfo = await findCommandPaths(tool, context.env.PATH ?? process.env.PATH ?? "", {
+    context,
+    excludeDirs: [context.managedBinDir]
+  });
+  return {
+    runtime: buildRuntimeState({
+      installed: false,
+      lastError: void 0,
+      originalCommandPath: commandInfo.firstPath ?? originalCommandPath,
+      suspended: keepSuspended
+    }, context),
+    usesManagedBin: false
+  };
+}
+async function inspectToolRuntime(tool, runtime, context) {
+  const nextRuntime = {
+    ...runtime
+  };
+  const commandInfo = await findCommandPaths(tool, context.env.PATH ?? process.env.PATH ?? "", {
+    context,
+    excludeDirs: [context.managedBinDir],
+    excludePaths: runtime.managedPath ? [runtime.managedPath] : []
+  });
+  if (!runtime.managedPath) {
+    nextRuntime.installed = false;
+    nextRuntime.originalCommandPath = commandInfo.firstPath;
+    nextRuntime.lastError = void 0;
+    return {
+      runtime: nextRuntime,
+      usesManagedBin: false
+    };
+  }
+  const installed = await isManagedWrapper(runtime.managedPath);
+  const warningParts = [];
+  const collisionMessage = formatCollisionMessage(tool, commandInfo.collision);
+  if (collisionMessage) {
+    warningParts.push(collisionMessage);
+  }
+  if (runtime.managedPath.startsWith(context.managedBinDir) && !commandInfo.firstPath) {
+    warningParts.push(`${tool}: original command is not installed yet.`);
+  }
+  if (!installed) {
+    warningParts.push(`${tool}: managed entry is missing or has been replaced.`);
+  }
+  nextRuntime.installed = installed;
+  nextRuntime.originalCommandPath = commandInfo.firstPath ?? runtime.originalCommandPath;
+  nextRuntime.lastError = warningParts.length === 0 ? void 0 : warningParts.join(" ");
+  return {
+    runtime: nextRuntime,
+    usesManagedBin: runtime.managedPath.startsWith(context.managedBinDir),
+    warning: warningParts.length === 0 ? void 0 : warningParts.join(" ")
+  };
+}
+async function shouldUseInPlaceTakeover(commandPath, homeDir) {
+  const normalized = resolve(commandPath);
+  if (!normalized.startsWith(resolve(homeDir))) {
+    return false;
+  }
+  const lower = normalized.toLowerCase();
+  if (lower.includes("/.npm-global/bin/") || lower.includes("/.npm/bin/") || lower.includes("/node_modules/.bin/")) {
+    return true;
+  }
+  try {
+    const entry = await lstat(commandPath);
+    if (entry.isSymbolicLink()) {
+      const linked = resolve(dirname4(commandPath), await readlink(commandPath)).toLowerCase();
+      return linked.includes("/node_modules/");
+    }
+  } catch {
+    return false;
+  }
+  return false;
+}
+async function findCommandPaths(tool, pathValue, options = {}) {
+  const directories = pathValue.split(delimiter).map((entry) => entry.trim()).filter(Boolean).map((entry) => resolve(entry));
+  const excludeDirs = new Set((options.excludeDirs ?? []).map((entry) => resolve(entry)));
+  const excludePaths = new Set((options.excludePaths ?? []).filter(Boolean).map((entry) => resolve(entry)));
+  const paths = [];
+  for (const directory of directories) {
+    if (excludeDirs.has(directory)) {
+      continue;
+    }
+    const candidate = resolve(directory, tool);
+    if (excludePaths.has(candidate)) {
+      continue;
+    }
+    if (!await isExecutablePath(candidate)) {
+      continue;
+    }
+    paths.push(candidate);
+  }
+  const shellInspection = await inspectShellCommand(tool, options.context);
+  return {
+    collision: shellInspection.collision,
+    firstPath: paths[0],
+    paths
+  };
+}
+async function inspectShellCommand(tool, context) {
+  if (!context?.shellPath) {
+    return {};
+  }
+  try {
+    const result = await context.shellRunner(context.shellPath, ["-lic", `type -a ${tool}`], {
+      env: context.env
+    });
+    if (result.exitCode !== 0) {
+      return {};
+    }
+    const firstLine = result.stdout.split(/\r?\n/).map((line) => line.trim()).find((line) => line.length > 0);
+    if (!firstLine) {
+      return {};
+    }
+    if (/\b(alias|aliased)\b/i.test(firstLine)) {
+      return { collision: "alias" };
+    }
+    if (/\bfunction\b/i.test(firstLine)) {
+      return { collision: "function" };
+    }
+  } catch {
+    return {};
+  }
+  return {};
+}
+async function ensureShellBlock(context) {
+  const targets = await resolveShellTargets(context);
+  const block = buildShellBlock();
+  let changed = false;
+  for (const target of targets) {
+    const current = existsSync4(target) ? await readFile4(target, "utf8") : "";
+    const next = stripShellBlock(current).replace(/\s+$/, "");
+    const content = next.length === 0 ? `${block}
+` : `${next}
+
+${block}
+`;
+    if (current === content) {
+      continue;
+    }
+    await mkdir4(dirname4(target), { recursive: true });
+    await writeFile4(target, content, "utf8");
+    changed = true;
+  }
+  return changed;
+}
+async function removeShellBlock(context) {
+  const targets = await resolveShellTargets(context, true);
+  let changed = false;
+  for (const target of targets) {
+    if (!existsSync4(target)) {
+      continue;
+    }
+    const current = await readFile4(target, "utf8");
+    const next = stripShellBlock(current).replace(/\s+$/, "");
+    const content = next.length === 0 ? "" : `${next}
+`;
+    if (current === content) {
+      continue;
+    }
+    await writeFile4(target, content, "utf8");
+    changed = true;
+  }
+  return changed;
+}
+async function resolveShellTargets(context, includeAllExisting = false) {
+  const candidates = [
+    join4(context.homeDir, ".zshrc"),
+    join4(context.homeDir, ".zprofile"),
+    join4(context.homeDir, ".bashrc"),
+    join4(context.homeDir, ".bash_profile")
+  ];
+  const existing = candidates.filter((target) => existsSync4(target));
+  if (includeAllExisting) {
+    return existing;
+  }
+  if (existing.length > 0) {
+    return existing;
+  }
+  const shellPath = context.shellPath ?? "";
+  if (shellPath.includes("bash")) {
+    return [join4(context.homeDir, ".bashrc")];
+  }
+  return [join4(context.homeDir, ".zshrc")];
+}
+function buildShellBlock() {
+  return [
+    SHELL_BLOCK_START,
+    'if [ -d "$HOME/.ais/bin" ]; then',
+    '  export PATH="$HOME/.ais/bin:$PATH"',
+    "fi",
+    SHELL_BLOCK_END
+  ].join("\n");
+}
+function stripShellBlock(content) {
+  const pattern = new RegExp(`${escapeForRegExp(SHELL_BLOCK_START)}[\\s\\S]*?${escapeForRegExp(SHELL_BLOCK_END)}\\n?`, "g");
+  return content.replace(pattern, "");
+}
+function escapeForRegExp(value) {
+  return value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+function createWrapperScript(tool, managedPath, context, realCommandPath) {
+  return [
+    "#!/bin/sh",
+    MANAGED_WRAPPER_MARKER,
+    `export AIS_PROTECT_WRAPPER_ACTIVE=${quoteForShell("1")}`,
+    `export AIS_PROTECT_TOOL=${quoteForShell(tool)}`,
+    `export AIS_PROTECT_WRAPPER_PATH=${quoteForShell(managedPath)}`,
+    `export AIS_PROTECT_WRAPPER_DIR=${quoteForShell(context.managedBinDir)}`,
+    `export AIS_PROTECT_REAL_COMMAND=${quoteForShell(realCommandPath ?? "")}`,
+    `exec ${quoteForShell(context.nodePath)} ${quoteForShell(context.aisCliPath)} ${quoteForShell(tool)} "$@"`,
+    ""
+  ].join("\n");
+}
+function buildRuntimeState(state, context) {
+  return {
+    ...createDefaultProtectToolRuntimeState(),
+    ...state,
+    lastChangedAt: context.now()
+  };
+}
+function formatCollisionMessage(tool, collision) {
+  if (!collision) {
+    return void 0;
+  }
+  return `${tool}: your current shell still has a ${collision} ahead of AIS, so direct launches may keep hitting that ${collision}.`;
+}
+function quoteForShell(value) {
+  return `'${value.replace(/'/g, `'\\''`)}'`;
+}
+async function isManagedWrapper(filePath) {
+  if (!existsSync4(filePath)) {
+    return false;
+  }
+  try {
+    const content = await readFile4(filePath, "utf8");
+    return content.includes(MANAGED_WRAPPER_MARKER);
+  } catch {
+    return false;
+  }
+}
+async function isExecutablePath(path) {
+  try {
+    const stats = await lstat(path);
+    if (stats.isDirectory()) {
+      return false;
+    }
+    await access(path, constants.X_OK);
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function writeExecutableFile(path, content) {
+  await writeFile4(path, content, "utf8");
+  await chmod(path, EXECUTABLE_MODE);
+}
+async function runShellCommand(command, args, options) {
+  return await new Promise((resolvePromise, reject) => {
+    const child = spawn(command, args, {
+      env: options.env,
+      stdio: ["ignore", "pipe", "pipe"]
+    });
+    let stdout = "";
+    let stderr = "";
+    child.stdout.on("data", (chunk) => {
+      stdout += chunk.toString();
+    });
+    child.stderr.on("data", (chunk) => {
+      stderr += chunk.toString();
+    });
+    child.on("error", reject);
+    child.on("close", (exitCode) => {
+      resolvePromise({
+        exitCode: exitCode ?? 1,
+        stderr,
+        stdout
+      });
+    });
+  });
+}
+function hasStateChanged(previous, next) {
+  return JSON.stringify(previous) !== JSON.stringify(next);
+}
+function toErrorMessage(error) {
+  return error instanceof Error ? error.message : String(error);
+}
+
+export {
+  isSecretType,
+  isSecretSource,
+  AisStore,
+  PROTECT_TOOLS,
+  isProtectTool,
+  loadAutomationState,
+  saveAutomationState,
+  cloneAutomationState,
+  expandHomePath3 as expandHomePath,
+  loadConfig,
+  saveConfig,
+  syncProtectRuntime,
+  refreshProtectRuntime,
+  restoreProtectRuntime,
+  resolveProtectedCommand
+};
+//# sourceMappingURL=chunk-WVTDLVUU.js.map