@vess-id/vess 0.2.0-alpha.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (280) hide show
  1. package/LICENSE +64 -0
  2. package/README.md +223 -0
  3. package/bin/vess.js +2 -0
  4. package/dist/__mocks__/@napi-rs/keyring.d.ts +9 -0
  5. package/dist/__mocks__/@napi-rs/keyring.d.ts.map +1 -0
  6. package/dist/__mocks__/@napi-rs/keyring.js +33 -0
  7. package/dist/__mocks__/@napi-rs/keyring.js.map +1 -0
  8. package/dist/__mocks__/node-mac-auth.d.ts +8 -0
  9. package/dist/__mocks__/node-mac-auth.d.ts.map +1 -0
  10. package/dist/__mocks__/node-mac-auth.js +29 -0
  11. package/dist/__mocks__/node-mac-auth.js.map +1 -0
  12. package/dist/adapter/mcp/http-transport.d.ts +34 -0
  13. package/dist/adapter/mcp/http-transport.d.ts.map +1 -0
  14. package/dist/adapter/mcp/http-transport.js +158 -0
  15. package/dist/adapter/mcp/http-transport.js.map +1 -0
  16. package/dist/adapter/mcp/mcp-adapter.d.ts +37 -0
  17. package/dist/adapter/mcp/mcp-adapter.d.ts.map +1 -0
  18. package/dist/adapter/mcp/mcp-adapter.js +48 -0
  19. package/dist/adapter/mcp/mcp-adapter.js.map +1 -0
  20. package/dist/adapter/mcp/mcp-server.factory.d.ts +35 -0
  21. package/dist/adapter/mcp/mcp-server.factory.d.ts.map +1 -0
  22. package/dist/adapter/mcp/mcp-server.factory.js +114 -0
  23. package/dist/adapter/mcp/mcp-server.factory.js.map +1 -0
  24. package/dist/adapter/mcp/stdio-transport.d.ts +7 -0
  25. package/dist/adapter/mcp/stdio-transport.d.ts.map +1 -0
  26. package/dist/adapter/mcp/stdio-transport.js +13 -0
  27. package/dist/adapter/mcp/stdio-transport.js.map +1 -0
  28. package/dist/adapter/mcp/transport.d.ts +10 -0
  29. package/dist/adapter/mcp/transport.d.ts.map +1 -0
  30. package/dist/adapter/mcp/transport.js +14 -0
  31. package/dist/adapter/mcp/transport.js.map +1 -0
  32. package/dist/approval/approval-token.d.ts +23 -0
  33. package/dist/approval/approval-token.d.ts.map +1 -0
  34. package/dist/approval/approval-token.js +81 -0
  35. package/dist/approval/approval-token.js.map +1 -0
  36. package/dist/audit/audit-dto-mapper.d.ts +29 -0
  37. package/dist/audit/audit-dto-mapper.d.ts.map +1 -0
  38. package/dist/audit/audit-dto-mapper.js +61 -0
  39. package/dist/audit/audit-dto-mapper.js.map +1 -0
  40. package/dist/audit/audit-logger.d.ts +35 -0
  41. package/dist/audit/audit-logger.d.ts.map +1 -0
  42. package/dist/audit/audit-logger.js +67 -0
  43. package/dist/audit/audit-logger.js.map +1 -0
  44. package/dist/audit/audit-sync.d.ts +12 -0
  45. package/dist/audit/audit-sync.d.ts.map +1 -0
  46. package/dist/audit/audit-sync.js +65 -0
  47. package/dist/audit/audit-sync.js.map +1 -0
  48. package/dist/auth/user-authenticator.d.ts +51 -0
  49. package/dist/auth/user-authenticator.d.ts.map +1 -0
  50. package/dist/auth/user-authenticator.js +155 -0
  51. package/dist/auth/user-authenticator.js.map +1 -0
  52. package/dist/cli/cli-db.d.ts +12 -0
  53. package/dist/cli/cli-db.d.ts.map +1 -0
  54. package/dist/cli/cli-db.js +20 -0
  55. package/dist/cli/cli-db.js.map +1 -0
  56. package/dist/cli/cli-utils.d.ts +14 -0
  57. package/dist/cli/cli-utils.d.ts.map +1 -0
  58. package/dist/cli/cli-utils.js +57 -0
  59. package/dist/cli/cli-utils.js.map +1 -0
  60. package/dist/cli/daemon-utils.d.ts +30 -0
  61. package/dist/cli/daemon-utils.d.ts.map +1 -0
  62. package/dist/cli/daemon-utils.js +131 -0
  63. package/dist/cli/daemon-utils.js.map +1 -0
  64. package/dist/cli/daemon.d.ts +13 -0
  65. package/dist/cli/daemon.d.ts.map +1 -0
  66. package/dist/cli/daemon.js +207 -0
  67. package/dist/cli/daemon.js.map +1 -0
  68. package/dist/cli/doctor.d.ts +2 -0
  69. package/dist/cli/doctor.d.ts.map +1 -0
  70. package/dist/cli/doctor.js +135 -0
  71. package/dist/cli/doctor.js.map +1 -0
  72. package/dist/cli/env-delete.d.ts +6 -0
  73. package/dist/cli/env-delete.d.ts.map +1 -0
  74. package/dist/cli/env-delete.js +80 -0
  75. package/dist/cli/env-delete.js.map +1 -0
  76. package/dist/cli/env-list.d.ts +5 -0
  77. package/dist/cli/env-list.d.ts.map +1 -0
  78. package/dist/cli/env-list.js +42 -0
  79. package/dist/cli/env-list.js.map +1 -0
  80. package/dist/cli/env-post-integration.d.ts +21 -0
  81. package/dist/cli/env-post-integration.d.ts.map +1 -0
  82. package/dist/cli/env-post-integration.js +300 -0
  83. package/dist/cli/env-post-integration.js.map +1 -0
  84. package/dist/cli/env-restore.d.ts +15 -0
  85. package/dist/cli/env-restore.d.ts.map +1 -0
  86. package/dist/cli/env-restore.js +130 -0
  87. package/dist/cli/env-restore.js.map +1 -0
  88. package/dist/cli/env.d.ts +14 -0
  89. package/dist/cli/env.d.ts.map +1 -0
  90. package/dist/cli/env.js +182 -0
  91. package/dist/cli/env.js.map +1 -0
  92. package/dist/cli/error-handlers.d.ts +13 -0
  93. package/dist/cli/error-handlers.d.ts.map +1 -0
  94. package/dist/cli/error-handlers.js +32 -0
  95. package/dist/cli/error-handlers.js.map +1 -0
  96. package/dist/cli/hook-check-env.d.ts +12 -0
  97. package/dist/cli/hook-check-env.d.ts.map +1 -0
  98. package/dist/cli/hook-check-env.js +117 -0
  99. package/dist/cli/hook-check-env.js.map +1 -0
  100. package/dist/cli/index.d.ts +2 -0
  101. package/dist/cli/index.d.ts.map +1 -0
  102. package/dist/cli/index.js +294 -0
  103. package/dist/cli/index.js.map +1 -0
  104. package/dist/cli/init-guard.d.ts +13 -0
  105. package/dist/cli/init-guard.d.ts.map +1 -0
  106. package/dist/cli/init-guard.js +62 -0
  107. package/dist/cli/init-guard.js.map +1 -0
  108. package/dist/cli/init.d.ts +19 -0
  109. package/dist/cli/init.d.ts.map +1 -0
  110. package/dist/cli/init.js +440 -0
  111. package/dist/cli/init.js.map +1 -0
  112. package/dist/cli/install.d.ts +14 -0
  113. package/dist/cli/install.d.ts.map +1 -0
  114. package/dist/cli/install.js +186 -0
  115. package/dist/cli/install.js.map +1 -0
  116. package/dist/cli/login.d.ts +6 -0
  117. package/dist/cli/login.d.ts.map +1 -0
  118. package/dist/cli/login.js +76 -0
  119. package/dist/cli/login.js.map +1 -0
  120. package/dist/cli/logs.d.ts +32 -0
  121. package/dist/cli/logs.d.ts.map +1 -0
  122. package/dist/cli/logs.js +147 -0
  123. package/dist/cli/logs.js.map +1 -0
  124. package/dist/cli/project.d.ts +8 -0
  125. package/dist/cli/project.d.ts.map +1 -0
  126. package/dist/cli/project.js +102 -0
  127. package/dist/cli/project.js.map +1 -0
  128. package/dist/cli/reset.d.ts +8 -0
  129. package/dist/cli/reset.d.ts.map +1 -0
  130. package/dist/cli/reset.js +137 -0
  131. package/dist/cli/reset.js.map +1 -0
  132. package/dist/cli/run.d.ts +22 -0
  133. package/dist/cli/run.d.ts.map +1 -0
  134. package/dist/cli/run.js +103 -0
  135. package/dist/cli/run.js.map +1 -0
  136. package/dist/cli/start.d.ts +2 -0
  137. package/dist/cli/start.d.ts.map +1 -0
  138. package/dist/cli/start.js +29 -0
  139. package/dist/cli/start.js.map +1 -0
  140. package/dist/cli/status.d.ts +12 -0
  141. package/dist/cli/status.d.ts.map +1 -0
  142. package/dist/cli/status.js +131 -0
  143. package/dist/cli/status.js.map +1 -0
  144. package/dist/cli/uninstall.d.ts +8 -0
  145. package/dist/cli/uninstall.d.ts.map +1 -0
  146. package/dist/cli/uninstall.js +111 -0
  147. package/dist/cli/uninstall.js.map +1 -0
  148. package/dist/config/config.d.ts +10 -0
  149. package/dist/config/config.d.ts.map +1 -0
  150. package/dist/config/config.js +64 -0
  151. package/dist/config/config.js.map +1 -0
  152. package/dist/config/constants.d.ts +3 -0
  153. package/dist/config/constants.d.ts.map +1 -0
  154. package/dist/config/constants.js +6 -0
  155. package/dist/config/constants.js.map +1 -0
  156. package/dist/config/paths.d.ts +9 -0
  157. package/dist/config/paths.d.ts.map +1 -0
  158. package/dist/config/paths.js +58 -0
  159. package/dist/config/paths.js.map +1 -0
  160. package/dist/core/execution-engine.d.ts +119 -0
  161. package/dist/core/execution-engine.d.ts.map +1 -0
  162. package/dist/core/execution-engine.js +1291 -0
  163. package/dist/core/execution-engine.js.map +1 -0
  164. package/dist/core/runtime.d.ts +43 -0
  165. package/dist/core/runtime.d.ts.map +1 -0
  166. package/dist/core/runtime.js +143 -0
  167. package/dist/core/runtime.js.map +1 -0
  168. package/dist/core/sync-scheduler.d.ts +42 -0
  169. package/dist/core/sync-scheduler.d.ts.map +1 -0
  170. package/dist/core/sync-scheduler.js +131 -0
  171. package/dist/core/sync-scheduler.js.map +1 -0
  172. package/dist/core/types.d.ts +77 -0
  173. package/dist/core/types.d.ts.map +1 -0
  174. package/dist/core/types.js +7 -0
  175. package/dist/core/types.js.map +1 -0
  176. package/dist/daemon/service-manager.d.ts +68 -0
  177. package/dist/daemon/service-manager.d.ts.map +1 -0
  178. package/dist/daemon/service-manager.js +303 -0
  179. package/dist/daemon/service-manager.js.map +1 -0
  180. package/dist/env/env-classifier.d.ts +14 -0
  181. package/dist/env/env-classifier.d.ts.map +1 -0
  182. package/dist/env/env-classifier.js +94 -0
  183. package/dist/env/env-classifier.js.map +1 -0
  184. package/dist/env/env-parser.d.ts +13 -0
  185. package/dist/env/env-parser.d.ts.map +1 -0
  186. package/dist/env/env-parser.js +33 -0
  187. package/dist/env/env-parser.js.map +1 -0
  188. package/dist/env/env-profile-store.d.ts +15 -0
  189. package/dist/env/env-profile-store.d.ts.map +1 -0
  190. package/dist/env/env-profile-store.js +35 -0
  191. package/dist/env/env-profile-store.js.map +1 -0
  192. package/dist/env/env-reference.d.ts +10 -0
  193. package/dist/env/env-reference.d.ts.map +1 -0
  194. package/dist/env/env-reference.js +33 -0
  195. package/dist/env/env-reference.js.map +1 -0
  196. package/dist/env/env-resolver.d.ts +18 -0
  197. package/dist/env/env-resolver.d.ts.map +1 -0
  198. package/dist/env/env-resolver.js +48 -0
  199. package/dist/env/env-resolver.js.map +1 -0
  200. package/dist/env/fs-utils.d.ts +9 -0
  201. package/dist/env/fs-utils.d.ts.map +1 -0
  202. package/dist/env/fs-utils.js +59 -0
  203. package/dist/env/fs-utils.js.map +1 -0
  204. package/dist/env/secret-backend.d.ts +15 -0
  205. package/dist/env/secret-backend.d.ts.map +1 -0
  206. package/dist/env/secret-backend.js +24 -0
  207. package/dist/env/secret-backend.js.map +1 -0
  208. package/dist/executor/executor-registry.d.ts +22 -0
  209. package/dist/executor/executor-registry.d.ts.map +1 -0
  210. package/dist/executor/executor-registry.js +42 -0
  211. package/dist/executor/executor-registry.js.map +1 -0
  212. package/dist/executor/process-launcher.d.ts +26 -0
  213. package/dist/executor/process-launcher.d.ts.map +1 -0
  214. package/dist/executor/process-launcher.js +98 -0
  215. package/dist/executor/process-launcher.js.map +1 -0
  216. package/dist/executor/secret-file.d.ts +28 -0
  217. package/dist/executor/secret-file.d.ts.map +1 -0
  218. package/dist/executor/secret-file.js +127 -0
  219. package/dist/executor/secret-file.js.map +1 -0
  220. package/dist/gateway/auth.d.ts +26 -0
  221. package/dist/gateway/auth.d.ts.map +1 -0
  222. package/dist/gateway/auth.js +66 -0
  223. package/dist/gateway/auth.js.map +1 -0
  224. package/dist/gateway/gateway-client.d.ts +298 -0
  225. package/dist/gateway/gateway-client.d.ts.map +1 -0
  226. package/dist/gateway/gateway-client.js +501 -0
  227. package/dist/gateway/gateway-client.js.map +1 -0
  228. package/dist/identity/agent-identity.d.ts +29 -0
  229. package/dist/identity/agent-identity.d.ts.map +1 -0
  230. package/dist/identity/agent-identity.js +54 -0
  231. package/dist/identity/agent-identity.js.map +1 -0
  232. package/dist/identity/did-manager.d.ts +17 -0
  233. package/dist/identity/did-manager.d.ts.map +1 -0
  234. package/dist/identity/did-manager.js +29 -0
  235. package/dist/identity/did-manager.js.map +1 -0
  236. package/dist/identity/key-manager.d.ts +18 -0
  237. package/dist/identity/key-manager.d.ts.map +1 -0
  238. package/dist/identity/key-manager.js +101 -0
  239. package/dist/identity/key-manager.js.map +1 -0
  240. package/dist/identity/session-key.d.ts +13 -0
  241. package/dist/identity/session-key.d.ts.map +1 -0
  242. package/dist/identity/session-key.js +17 -0
  243. package/dist/identity/session-key.js.map +1 -0
  244. package/dist/policy/policy-evaluator.d.ts +63 -0
  245. package/dist/policy/policy-evaluator.d.ts.map +1 -0
  246. package/dist/policy/policy-evaluator.js +266 -0
  247. package/dist/policy/policy-evaluator.js.map +1 -0
  248. package/dist/policy/policy-loader.d.ts +10 -0
  249. package/dist/policy/policy-loader.d.ts.map +1 -0
  250. package/dist/policy/policy-loader.js +71 -0
  251. package/dist/policy/policy-loader.js.map +1 -0
  252. package/dist/policy/types.d.ts +21 -0
  253. package/dist/policy/types.d.ts.map +1 -0
  254. package/dist/policy/types.js +3 -0
  255. package/dist/policy/types.js.map +1 -0
  256. package/dist/utils/credential-errors.d.ts +3 -0
  257. package/dist/utils/credential-errors.d.ts.map +1 -0
  258. package/dist/utils/credential-errors.js +23 -0
  259. package/dist/utils/credential-errors.js.map +1 -0
  260. package/dist/utils/resource-canonicalizer.d.ts +19 -0
  261. package/dist/utils/resource-canonicalizer.d.ts.map +1 -0
  262. package/dist/utils/resource-canonicalizer.js +100 -0
  263. package/dist/utils/resource-canonicalizer.js.map +1 -0
  264. package/dist/utils/vc-utils.d.ts +23 -0
  265. package/dist/utils/vc-utils.d.ts.map +1 -0
  266. package/dist/utils/vc-utils.js +53 -0
  267. package/dist/utils/vc-utils.js.map +1 -0
  268. package/dist/wallet/sqlite.d.ts +4 -0
  269. package/dist/wallet/sqlite.d.ts.map +1 -0
  270. package/dist/wallet/sqlite.js +158 -0
  271. package/dist/wallet/sqlite.js.map +1 -0
  272. package/dist/wallet/vp-builder.d.ts +18 -0
  273. package/dist/wallet/vp-builder.d.ts.map +1 -0
  274. package/dist/wallet/vp-builder.js +46 -0
  275. package/dist/wallet/vp-builder.js.map +1 -0
  276. package/dist/wallet/wallet.d.ts +58 -0
  277. package/dist/wallet/wallet.d.ts.map +1 -0
  278. package/dist/wallet/wallet.js +170 -0
  279. package/dist/wallet/wallet.js.map +1 -0
  280. package/package.json +80 -0
package/dist/env/env-resolver.js ADDED
@@ -0,0 +1,48 @@
1
+ "use strict";
2
+ Object.defineProperty(exports, "__esModule", { value: true });
3
+ exports.EnvResolver = void 0;
4
+ const env_reference_1 = require("./env-reference");
5
+ const env_parser_1 = require("./env-parser");
6
+ class EnvResolver {
7
+ backend;
8
+ constructor(backend) {
9
+ this.backend = backend;
10
+ }
11
+ /**
12
+ * Resolve env content, skipping unresolvable references with warnings.
13
+ * Previously this threw on any resolution failure; now it collects
14
+ * warnings and continues so that a single missing key does not block
15
+ * the entire process.
16
+ */
17
+ async resolveEnvContent(content) {
18
+ const { env } = await this.resolveEnvContentWithWarnings(content);
19
+ return env;
20
+ }
21
+ async resolveEnvContentWithWarnings(content) {
22
+ const env = {};
23
+ const warnings = [];
24
+ for (const line of (0, env_parser_1.parseEnvLines)(content)) {
25
+ if (line.isEmpty || line.isComment)
26
+ continue;
27
+ if ((0, env_reference_1.isEnvReference)(line.value)) {
28
+ const ref = (0, env_reference_1.parseEnvReference)(line.value);
29
+ if (!ref) {
30
+ warnings.push(`${line.key}: malformed vess:// URI — remove or re-import this entry`);
31
+ continue;
32
+ }
33
+ try {
34
+ env[line.key] = await this.backend.resolve(ref);
35
+ }
36
+ catch {
37
+ warnings.push(`${line.key}: not found in keychain (profile: ${ref.profile}) — run 'vess env import' to re-import, or remove this line from .env`);
38
+ }
39
+ }
40
+ else {
41
+ env[line.key] = line.value;
42
+ }
43
+ }
44
+ return { env, warnings };
45
+ }
46
+ }
47
+ exports.EnvResolver = EnvResolver;
48
+ //# sourceMappingURL=env-resolver.js.map
package/dist/env/env-resolver.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"env-resolver.js","sourceRoot":"","sources":["../../src/env/env-resolver.ts"],"names":[],"mappings":";;;AAAA,mDAAmE;AACnE,6CAA4C;AAQ5C,MAAa,WAAW;IACO;IAA7B,YAA6B,OAAsB;QAAtB,YAAO,GAAP,OAAO,CAAe;IAAG,CAAC;IAEvD;;;;;OAKG;IACH,KAAK,CAAC,iBAAiB,CAAC,OAAe;QACrC,MAAM,EAAE,GAAG,EAAE,GAAG,MAAM,IAAI,CAAC,6BAA6B,CAAC,OAAO,CAAC,CAAA;QACjE,OAAO,GAAG,CAAA;IACZ,CAAC;IAED,KAAK,CAAC,6BAA6B,CAAC,OAAe;QACjD,MAAM,GAAG,GAA2B,EAAE,CAAA;QACtC,MAAM,QAAQ,GAAa,EAAE,CAAA;QAE7B,KAAK,MAAM,IAAI,IAAI,IAAA,0BAAa,EAAC,OAAO,CAAC,EAAE,CAAC;YAC1C,IAAI,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC,SAAS;gBAAE,SAAQ;YAE5C,IAAI,IAAA,8BAAc,EAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC/B,MAAM,GAAG,GAAG,IAAA,iCAAiB,EAAC,IAAI,CAAC,KAAK,CAAC,CAAA;gBACzC,IAAI,CAAC,GAAG,EAAE,CAAC;oBACT,QAAQ,CAAC,IAAI,CACX,GAAG,IAAI,CAAC,GAAG,0DAA0D,CACtE,CAAA;oBACD,SAAQ;gBACV,CAAC;gBACD,IAAI,CAAC;oBACH,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;gBACjD,CAAC;gBAAC,MAAM,CAAC;oBACP,QAAQ,CAAC,IAAI,CACX,GAAG,IAAI,CAAC,GAAG,qCAAqC,GAAG,CAAC,OAAO,uEAAuE,CACnI,CAAA;gBACH,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC,KAAK,CAAA;YAC5B,CAAC;QACH,CAAC;QAED,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,CAAA;IAC1B,CAAC;CACF;AA3CD,kCA2CC"}
package/dist/env/fs-utils.d.ts ADDED
@@ -0,0 +1,9 @@
1
+ /**
2
+ * Write a file atomically: write to .tmp then rename.
3
+ * Prevents partial writes from corrupting the target file.
4
+ * @param filePath - Target file path
5
+ * @param content - File content
6
+ * @param mode - File permissions (default: 0o600 for secret files)
7
+ */
8
+ export declare function atomicWriteFile(filePath: string, content: string, mode?: number): void;
9
+ //# sourceMappingURL=fs-utils.d.ts.map
package/dist/env/fs-utils.d.ts.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"fs-utils.d.ts","sourceRoot":"","sources":["../../src/env/fs-utils.ts"],"names":[],"mappings":"AAEA;;;;;;GAMG;AACH,wBAAgB,eAAe,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,IAAI,SAAQ,GAAG,IAAI,CASrF"}
package/dist/env/fs-utils.js ADDED
@@ -0,0 +1,59 @@
1
+ "use strict";
2
+ var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
3
+ if (k2 === undefined) k2 = k;
4
+ var desc = Object.getOwnPropertyDescriptor(m, k);
5
+ if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
6
+ desc = { enumerable: true, get: function() { return m[k]; } };
7
+ }
8
+ Object.defineProperty(o, k2, desc);
9
+ }) : (function(o, m, k, k2) {
10
+ if (k2 === undefined) k2 = k;
11
+ o[k2] = m[k];
12
+ }));
13
+ var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
14
+ Object.defineProperty(o, "default", { enumerable: true, value: v });
15
+ }) : function(o, v) {
16
+ o["default"] = v;
17
+ });
18
+ var __importStar = (this && this.__importStar) || (function () {
19
+ var ownKeys = function(o) {
20
+ ownKeys = Object.getOwnPropertyNames || function (o) {
21
+ var ar = [];
22
+ for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
23
+ return ar;
24
+ };
25
+ return ownKeys(o);
26
+ };
27
+ return function (mod) {
28
+ if (mod && mod.__esModule) return mod;
29
+ var result = {};
30
+ if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
31
+ __setModuleDefault(result, mod);
32
+ return result;
33
+ };
34
+ })();
35
+ Object.defineProperty(exports, "__esModule", { value: true });
36
+ exports.atomicWriteFile = atomicWriteFile;
37
+ const fs = __importStar(require("fs"));
38
+ /**
39
+ * Write a file atomically: write to .tmp then rename.
40
+ * Prevents partial writes from corrupting the target file.
41
+ * @param filePath - Target file path
42
+ * @param content - File content
43
+ * @param mode - File permissions (default: 0o600 for secret files)
44
+ */
45
+ function atomicWriteFile(filePath, content, mode = 0o600) {
46
+ const tmpPath = filePath + '.tmp';
47
+ try {
48
+ fs.writeFileSync(tmpPath, content, { encoding: 'utf-8', mode });
49
+ fs.renameSync(tmpPath, filePath);
50
+ }
51
+ catch (err) {
52
+ try {
53
+ fs.unlinkSync(tmpPath);
54
+ }
55
+ catch { }
56
+ throw err;
57
+ }
58
+ }
59
+ //# sourceMappingURL=fs-utils.js.map
package/dist/env/fs-utils.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"fs-utils.js","sourceRoot":"","sources":["../../src/env/fs-utils.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AASA,0CASC;AAlBD,uCAAwB;AAExB;;;;;;GAMG;AACH,SAAgB,eAAe,CAAC,QAAgB,EAAE,OAAe,EAAE,IAAI,GAAG,KAAK;IAC7E,MAAM,OAAO,GAAG,QAAQ,GAAG,MAAM,CAAA;IACjC,IAAI,CAAC;QACH,EAAE,CAAC,aAAa,CAAC,OAAO,EAAE,OAAO,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAA;QAC/D,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAA;IAClC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,CAAC;YAAC,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,CAAA;QAAC,CAAC;QAAC,MAAM,CAAC,CAAA,CAAC;QACvC,MAAM,GAAG,CAAA;IACX,CAAC;AACH,CAAC"}
package/dist/env/secret-backend.d.ts ADDED
@@ -0,0 +1,15 @@
1
+ import { EnvReference } from './env-reference';
2
+ import { KeyManager } from '../identity/key-manager';
3
+ export interface SecretBackend {
4
+ resolve(ref: EnvReference): Promise<string>;
5
+ store(ref: EnvReference, value: string): Promise<void>;
6
+ delete(ref: EnvReference): Promise<void>;
7
+ }
8
+ export declare class KeychainBackend implements SecretBackend {
9
+ private readonly keyManager;
10
+ constructor(keyManager: KeyManager);
11
+ resolve(ref: EnvReference): Promise<string>;
12
+ store(ref: EnvReference, value: string): Promise<void>;
13
+ delete(ref: EnvReference): Promise<void>;
14
+ }
15
+ //# sourceMappingURL=secret-backend.d.ts.map
package/dist/env/secret-backend.d.ts.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"secret-backend.d.ts","sourceRoot":"","sources":["../../src/env/secret-backend.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAA;AAC9C,OAAO,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAA;AAEpD,MAAM,WAAW,aAAa;IAC5B,OAAO,CAAC,GAAG,EAAE,YAAY,GAAG,OAAO,CAAC,MAAM,CAAC,CAAA;IAC3C,KAAK,CAAC,GAAG,EAAE,YAAY,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IACtD,MAAM,CAAC,GAAG,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;CACzC;AAED,qBAAa,eAAgB,YAAW,aAAa;IACvC,OAAO,CAAC,QAAQ,CAAC,UAAU;gBAAV,UAAU,EAAE,UAAU;IAE7C,OAAO,CAAC,GAAG,EAAE,YAAY,GAAG,OAAO,CAAC,MAAM,CAAC;IAQ3C,KAAK,CAAC,GAAG,EAAE,YAAY,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAItD,MAAM,CAAC,GAAG,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC;CAG/C"}
package/dist/env/secret-backend.js ADDED
@@ -0,0 +1,24 @@
1
+ "use strict";
2
+ Object.defineProperty(exports, "__esModule", { value: true });
3
+ exports.KeychainBackend = void 0;
4
+ class KeychainBackend {
5
+ keyManager;
6
+ constructor(keyManager) {
7
+ this.keyManager = keyManager;
8
+ }
9
+ async resolve(ref) {
10
+ const value = this.keyManager.getEnvSecret(ref.profile, ref.key);
11
+ if (value === null) {
12
+ throw new Error(`Secret not found in keychain: ${ref.profile}/${ref.key}`);
13
+ }
14
+ return value;
15
+ }
16
+ async store(ref, value) {
17
+ this.keyManager.storeEnvSecret(ref.profile, ref.key, value);
18
+ }
19
+ async delete(ref) {
20
+ this.keyManager.deleteEnvSecret(ref.profile, ref.key);
21
+ }
22
+ }
23
+ exports.KeychainBackend = KeychainBackend;
24
+ //# sourceMappingURL=secret-backend.js.map
package/dist/env/secret-backend.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"secret-backend.js","sourceRoot":"","sources":["../../src/env/secret-backend.ts"],"names":[],"mappings":";;;AASA,MAAa,eAAe;IACG;IAA7B,YAA6B,UAAsB;QAAtB,eAAU,GAAV,UAAU,CAAY;IAAG,CAAC;IAEvD,KAAK,CAAC,OAAO,CAAC,GAAiB;QAC7B,MAAM,KAAK,GAAG,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,CAAC,GAAG,CAAC,CAAA;QAChE,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;YACnB,MAAM,IAAI,KAAK,CAAC,iCAAiC,GAAG,CAAC,OAAO,IAAI,GAAG,CAAC,GAAG,EAAE,CAAC,CAAA;QAC5E,CAAC;QACD,OAAO,KAAK,CAAA;IACd,CAAC;IAED,KAAK,CAAC,KAAK,CAAC,GAAiB,EAAE,KAAa;QAC1C,IAAI,CAAC,UAAU,CAAC,cAAc,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAA;IAC7D,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,GAAiB;QAC5B,IAAI,CAAC,UAAU,CAAC,eAAe,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,CAAC,GAAG,CAAC,CAAA;IACvD,CAAC;CACF;AAlBD,0CAkBC"}
package/dist/executor/executor-registry.d.ts ADDED
@@ -0,0 +1,22 @@
1
+ import { SecretFileContext } from './secret-file';
2
+ import { ProcessLaunchContext } from './process-launcher';
3
+ export interface ExecutorResult {
4
+ success: boolean;
5
+ data?: any;
6
+ error?: string;
7
+ normalizedResource?: string;
8
+ resourceFingerprint?: string;
9
+ }
10
+ /** Union of all executor context types */
11
+ export type LocalExecutorContext = SecretFileContext | ProcessLaunchContext;
12
+ export type LocalExecutor = (params: Record<string, any>, context: LocalExecutorContext) => ExecutorResult;
13
+ export declare function getLocalExecutor(action: string): LocalExecutor | undefined;
14
+ export declare function isLocalAction(action: string): boolean;
15
+ /**
16
+ * Determine execution routing (spec §7.4).
17
+ */
18
+ export declare function determineRouting(provider: string, _action: string): {
19
+ executor: 'local' | 'gateway';
20
+ enforcement: 'local' | 'gateway_verified_local' | 'cached_verified_local' | 'gateway';
21
+ };
22
+ //# sourceMappingURL=executor-registry.d.ts.map
package/dist/executor/executor-registry.d.ts.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"executor-registry.d.ts","sourceRoot":"","sources":["../../src/executor/executor-registry.ts"],"names":[],"mappings":"AAAA,OAAO,EAAmC,iBAAiB,EAAoB,MAAM,eAAe,CAAA;AACpG,OAAO,EAAiB,oBAAoB,EAAuB,MAAM,oBAAoB,CAAA;AAE7F,MAAM,WAAW,cAAc;IAC7B,OAAO,EAAE,OAAO,CAAA;IAChB,IAAI,CAAC,EAAE,GAAG,CAAA;IACV,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,kBAAkB,CAAC,EAAE,MAAM,CAAA;IAC3B,mBAAmB,CAAC,EAAE,MAAM,CAAA;CAC7B;AAED,0CAA0C;AAC1C,MAAM,MAAM,oBAAoB,GAAG,iBAAiB,GAAG,oBAAoB,CAAA;AAE3E,MAAM,MAAM,aAAa,GAAG,CAC1B,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAC3B,OAAO,EAAE,oBAAoB,KAC1B,cAAc,CAAA;AAsBnB,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,MAAM,GAAG,aAAa,GAAG,SAAS,CAE1E;AAED,wBAAgB,aAAa,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAErD;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG;IACnE,QAAQ,EAAE,OAAO,GAAG,SAAS,CAAA;IAC7B,WAAW,EAAE,OAAO,GAAG,wBAAwB,GAAG,uBAAuB,GAAG,SAAS,CAAA;CACtF,CAKA"}
package/dist/executor/executor-registry.js ADDED
@@ -0,0 +1,42 @@
1
+ "use strict";
2
+ Object.defineProperty(exports, "__esModule", { value: true });
3
+ exports.getLocalExecutor = getLocalExecutor;
4
+ exports.isLocalAction = isLocalAction;
5
+ exports.determineRouting = determineRouting;
6
+ const secret_file_1 = require("./secret-file");
7
+ const process_launcher_1 = require("./process-launcher");
8
+ const executors = {
9
+ 'os.secret.read': (params, context) => {
10
+ return (0, secret_file_1.readSecretFile)(params.file_path, context);
11
+ },
12
+ 'os.secret.write': (params, context) => {
13
+ return (0, secret_file_1.writeSecretFile)(params.file_path, params.content, context);
14
+ },
15
+ 'os.process.run': (params, context) => {
16
+ if (!Array.isArray(params.command)) {
17
+ return { success: false, error: 'command must be an array of strings' };
18
+ }
19
+ const result = (0, process_launcher_1.launchProcess)(params, context);
20
+ return {
21
+ success: result.success,
22
+ data: result.success ? { stdout: result.stdout, stderr: result.stderr, exitCode: result.exitCode } : undefined,
23
+ error: result.error || result.stderr,
24
+ };
25
+ },
26
+ };
27
+ function getLocalExecutor(action) {
28
+ return executors[action];
29
+ }
30
+ function isLocalAction(action) {
31
+ return action.startsWith('os.');
32
+ }
33
+ /**
34
+ * Determine execution routing (spec §7.4).
35
+ */
36
+ function determineRouting(provider, _action) {
37
+ if (provider === 'os') {
38
+ return { executor: 'local', enforcement: 'gateway_verified_local' };
39
+ }
40
+ return { executor: 'gateway', enforcement: 'gateway' };
41
+ }
42
+ //# sourceMappingURL=executor-registry.js.map
package/dist/executor/executor-registry.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"executor-registry.js","sourceRoot":"","sources":["../../src/executor/executor-registry.ts"],"names":[],"mappings":";;AAuCA,4CAEC;AAED,sCAEC;AAKD,4CAQC;AA1DD,+CAAoG;AACpG,yDAA6F;AAkB7F,MAAM,SAAS,GAAkC;IAC/C,gBAAgB,EAAE,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE;QACpC,OAAO,IAAA,4BAAc,EAAC,MAAM,CAAC,SAAS,EAAE,OAA4B,CAAC,CAAA;IACvE,CAAC;IACD,iBAAiB,EAAE,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE;QACrC,OAAO,IAAA,6BAAe,EAAC,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,OAAO,EAAE,OAA4B,CAAC,CAAA;IACxF,CAAC;IACD,gBAAgB,EAAE,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE;QACpC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC;YACnC,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,qCAAqC,EAAE,CAAA;QACzE,CAAC;QACD,MAAM,MAAM,GAAG,IAAA,gCAAa,EAAC,MAA6B,EAAE,OAA+B,CAAC,CAAA;QAC5F,OAAO;YACL,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,IAAI,EAAE,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,SAAS;YAC9G,KAAK,EAAE,MAAM,CAAC,KAAK,IAAI,MAAM,CAAC,MAAM;SACrC,CAAA;IACH,CAAC;CACF,CAAA;AAED,SAAgB,gBAAgB,CAAC,MAAc;IAC7C,OAAO,SAAS,CAAC,MAAM,CAAC,CAAA;AAC1B,CAAC;AAED,SAAgB,aAAa,CAAC,MAAc;IAC1C,OAAO,MAAM,CAAC,UAAU,CAAC,KAAK,CAAC,CAAA;AACjC,CAAC;AAED;;GAEG;AACH,SAAgB,gBAAgB,CAAC,QAAgB,EAAE,OAAe;IAIhE,IAAI,QAAQ,KAAK,IAAI,EAAE,CAAC;QACtB,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,WAAW,EAAE,wBAAwB,EAAE,CAAA;IACrE,CAAC;IACD,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,WAAW,EAAE,SAAS,EAAE,CAAA;AACxD,CAAC"}
package/dist/executor/process-launcher.d.ts ADDED
@@ -0,0 +1,26 @@
1
+ export interface ProcessLaunchParams {
2
+ command: string[];
3
+ working_directory?: string;
4
+ timeout_seconds?: number;
5
+ }
6
+ export interface ProcessLaunchContext {
7
+ resolvedEnv: Record<string, string>;
8
+ }
9
+ export interface ProcessLaunchResult {
10
+ success: boolean;
11
+ exitCode: number | null;
12
+ stdout?: string;
13
+ stderr?: string;
14
+ error?: string;
15
+ }
16
+ /**
17
+ * Spawn a child process with env injection.
18
+ *
19
+ * SECURITY NOTE: stdout/stderr from the process are captured and returned
20
+ * to the caller (which may be an AI agent via MCP). If the spawned process
21
+ * logs environment variables, injected secrets could leak through the output.
22
+ * This is an accepted trade-off for β — the process output is needed for
23
+ * debugging. Consider adding output redaction in a future version.
24
+ */
25
+ export declare function launchProcess(params: ProcessLaunchParams, context: ProcessLaunchContext): ProcessLaunchResult;
26
+ //# sourceMappingURL=process-launcher.d.ts.map
package/dist/executor/process-launcher.d.ts.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"process-launcher.d.ts","sourceRoot":"","sources":["../../src/executor/process-launcher.ts"],"names":[],"mappings":"AAGA,MAAM,WAAW,mBAAmB;IAClC,OAAO,EAAE,MAAM,EAAE,CAAA;IACjB,iBAAiB,CAAC,EAAE,MAAM,CAAA;IAC1B,eAAe,CAAC,EAAE,MAAM,CAAA;CACzB;AAED,MAAM,WAAW,oBAAoB;IACnC,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;CACpC;AAED,MAAM,WAAW,mBAAmB;IAClC,OAAO,EAAE,OAAO,CAAA;IAChB,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAA;IACvB,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,KAAK,CAAC,EAAE,MAAM,CAAA;CACf;AAKD;;;;;;;;GAQG;AACH,wBAAgB,aAAa,CAC3B,MAAM,EAAE,mBAAmB,EAC3B,OAAO,EAAE,oBAAoB,GAC5B,mBAAmB,CAqDrB"}
package/dist/executor/process-launcher.js ADDED
@@ -0,0 +1,98 @@
1
+ "use strict";
2
+ var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
3
+ if (k2 === undefined) k2 = k;
4
+ var desc = Object.getOwnPropertyDescriptor(m, k);
5
+ if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
6
+ desc = { enumerable: true, get: function() { return m[k]; } };
7
+ }
8
+ Object.defineProperty(o, k2, desc);
9
+ }) : (function(o, m, k, k2) {
10
+ if (k2 === undefined) k2 = k;
11
+ o[k2] = m[k];
12
+ }));
13
+ var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
14
+ Object.defineProperty(o, "default", { enumerable: true, value: v });
15
+ }) : function(o, v) {
16
+ o["default"] = v;
17
+ });
18
+ var __importStar = (this && this.__importStar) || (function () {
19
+ var ownKeys = function(o) {
20
+ ownKeys = Object.getOwnPropertyNames || function (o) {
21
+ var ar = [];
22
+ for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
23
+ return ar;
24
+ };
25
+ return ownKeys(o);
26
+ };
27
+ return function (mod) {
28
+ if (mod && mod.__esModule) return mod;
29
+ var result = {};
30
+ if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
31
+ __setModuleDefault(result, mod);
32
+ return result;
33
+ };
34
+ })();
35
+ Object.defineProperty(exports, "__esModule", { value: true });
36
+ exports.launchProcess = launchProcess;
37
+ const child_process_1 = require("child_process");
38
+ const path = __importStar(require("path"));
39
+ const DEFAULT_TIMEOUT_SECONDS = 300;
40
+ const MAX_OUTPUT_BYTES = 1024 * 1024;
41
+ /**
42
+ * Spawn a child process with env injection.
43
+ *
44
+ * SECURITY NOTE: stdout/stderr from the process are captured and returned
45
+ * to the caller (which may be an AI agent via MCP). If the spawned process
46
+ * logs environment variables, injected secrets could leak through the output.
47
+ * This is an accepted trade-off for β — the process output is needed for
48
+ * debugging. Consider adding output redaction in a future version.
49
+ */
50
+ function launchProcess(params, context) {
51
+ if (!params.command || params.command.length === 0) {
52
+ return { success: false, exitCode: null, error: 'Command array is empty' };
53
+ }
54
+ // Block shell interpreters and dangerous commands
55
+ const BLOCKED_COMMANDS = new Set([
56
+ 'sh', 'bash', 'zsh', 'fish', 'csh', 'tcsh', 'ksh', 'dash',
57
+ 'cmd', 'cmd.exe', 'powershell', 'pwsh',
58
+ 'rm', 'rmdir', 'del',
59
+ 'sudo', 'su', 'doas',
60
+ 'chmod', 'chown',
61
+ 'curl', 'wget', // prevent arbitrary network calls with secrets in env
62
+ 'eval', 'exec',
63
+ 'env', 'xargs', 'printenv',
64
+ 'python', 'python3', 'ruby', 'perl', 'node',
65
+ 'npx', 'pnpx', 'bunx', // package runners can execute arbitrary code
66
+ ]);
67
+ const [cmd, ...args] = params.command;
68
+ const cmdBasename = path.basename(cmd).toLowerCase();
69
+ if (BLOCKED_COMMANDS.has(cmdBasename)) {
70
+ return {
71
+ success: false,
72
+ exitCode: null,
73
+ error: `Command "${cmd}" is blocked for security. Use a package manager (npm, pnpm, yarn) or application binary directly.`,
74
+ };
75
+ }
76
+ const timeoutMs = (params.timeout_seconds ?? DEFAULT_TIMEOUT_SECONDS) * 1000;
77
+ const env = { ...process.env, ...context.resolvedEnv };
78
+ const result = (0, child_process_1.spawnSync)(cmd, args, {
79
+ cwd: params.working_directory,
80
+ env,
81
+ timeout: timeoutMs,
82
+ maxBuffer: MAX_OUTPUT_BYTES,
83
+ stdio: ['ignore', 'pipe', 'pipe'],
84
+ });
85
+ if (result.error) {
86
+ return { success: false, exitCode: null, error: `Process spawn failed: ${result.error.message}` };
87
+ }
88
+ const stdout = result.stdout?.toString('utf-8');
89
+ const stderr = result.stderr?.toString('utf-8');
90
+ return {
91
+ success: result.status === 0,
92
+ exitCode: result.status,
93
+ stdout,
94
+ stderr,
95
+ error: result.status !== 0 ? `Process exited with code ${result.status}` : undefined,
96
+ };
97
+ }
98
+ //# sourceMappingURL=process-launcher.js.map
package/dist/executor/process-launcher.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"process-launcher.js","sourceRoot":"","sources":["../../src/executor/process-launcher.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAiCA,sCAwDC;AAzFD,iDAAyC;AACzC,2CAA4B;AAoB5B,MAAM,uBAAuB,GAAG,GAAG,CAAA;AACnC,MAAM,gBAAgB,GAAG,IAAI,GAAG,IAAI,CAAA;AAEpC;;;;;;;;GAQG;AACH,SAAgB,aAAa,CAC3B,MAA2B,EAC3B,OAA6B;IAE7B,IAAI,CAAC,MAAM,CAAC,OAAO,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACnD,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,KAAK,EAAE,wBAAwB,EAAE,CAAA;IAC5E,CAAC;IAED,kDAAkD;IAClD,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC;QAC/B,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM;QACzD,KAAK,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM;QACtC,IAAI,EAAE,OAAO,EAAE,KAAK;QACpB,MAAM,EAAE,IAAI,EAAE,MAAM;QACpB,OAAO,EAAE,OAAO;QAChB,MAAM,EAAE,MAAM,EAAE,sDAAsD;QACtE,MAAM,EAAE,MAAM;QACd,KAAK,EAAE,OAAO,EAAE,UAAU;QAC1B,QAAQ,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM;QAC3C,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,6CAA6C;KACrE,CAAC,CAAA;IAEF,MAAM,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,MAAM,CAAC,OAAO,CAAA;IACrC,MAAM,WAAW,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,WAAW,EAAE,CAAA;IACpD,IAAI,gBAAgB,CAAC,GAAG,CAAC,WAAW,CAAC,EAAE,CAAC;QACtC,OAAO;YACL,OAAO,EAAE,KAAK;YACd,QAAQ,EAAE,IAAI;YACd,KAAK,EAAE,YAAY,GAAG,oGAAoG;SAC3H,CAAA;IACH,CAAC;IACD,MAAM,SAAS,GAAG,CAAC,MAAM,CAAC,eAAe,IAAI,uBAAuB,CAAC,GAAG,IAAI,CAAA;IAC5E,MAAM,GAAG,GAAG,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,GAAG,OAAO,CAAC,WAAW,EAAE,CAAA;IAEtD,MAAM,MAAM,GAAG,IAAA,yBAAS,EAAC,GAAG,EAAE,IAAI,EAAE;QAClC,GAAG,EAAE,MAAM,CAAC,iBAAiB;QAC7B,GAAG;QACH,OAAO,EAAE,SAAS;QAClB,SAAS,EAAE,gBAAgB;QAC3B,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC;KAClC,CAAC,CAAA;IAEF,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;QACjB,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,KAAK,EAAE,yBAAyB,MAAM,CAAC,KAAK,CAAC,OAAO,EAAE,EAAE,CAAA;IACnG,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,QAAQ,CAAC,OAAO,CAAC,CAAA;IAC/C,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,QAAQ,CAAC,OAAO,CAAC,CAAA;IAE/C,OAAO;QACL,OAAO,EAAE,MAAM,CAAC,MAAM,KAAK,CAAC;QAC5B,QAAQ,EAAE,MAAM,CAAC,MAAM;QACvB,MAAM;QACN,MAAM;QACN,KAAK,EAAE,MAAM,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,4BAA4B,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,SAAS;KACrF,CAAA;AACH,CAAC"}
package/dist/executor/secret-file.d.ts ADDED
@@ -0,0 +1,28 @@
1
+ export interface SecretFileContext {
2
+ rootDid: string;
3
+ approvedResource?: string;
4
+ approvedFingerprint?: string;
5
+ }
6
+ export interface SecretFileResult {
7
+ success: boolean;
8
+ data?: string;
9
+ error?: string;
10
+ normalizedResource: string;
11
+ resourceFingerprint: string;
12
+ }
13
+ /**
14
+ * Read a secret file with resource verification (spec §8.3).
15
+ *
16
+ * Flow:
17
+ * 1. canonicalize(requested_path) -> normalized_resource
18
+ * 2. Compute fingerprint
19
+ * 3. Compare with approved resource (from VC/grant)
20
+ * 4. If mismatch -> deny
21
+ * 5. If match -> read file
22
+ */
23
+ export declare function readSecretFile(filePath: string, context: SecretFileContext): SecretFileResult;
24
+ /**
25
+ * Write content to a secret file with resource verification (spec §8.3).
26
+ */
27
+ export declare function writeSecretFile(filePath: string, content: string, context: SecretFileContext): SecretFileResult;
28
+ //# sourceMappingURL=secret-file.d.ts.map
package/dist/executor/secret-file.d.ts.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"secret-file.d.ts","sourceRoot":"","sources":["../../src/executor/secret-file.ts"],"names":[],"mappings":"AAGA,MAAM,WAAW,iBAAiB;IAChC,OAAO,EAAE,MAAM,CAAA;IACf,gBAAgB,CAAC,EAAE,MAAM,CAAA;IACzB,mBAAmB,CAAC,EAAE,MAAM,CAAA;CAC7B;AAED,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,OAAO,CAAA;IAChB,IAAI,CAAC,EAAE,MAAM,CAAA;IACb,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,kBAAkB,EAAE,MAAM,CAAA;IAC1B,mBAAmB,EAAE,MAAM,CAAA;CAC5B;AAED;;;;;;;;;GASG;AACH,wBAAgB,cAAc,CAC5B,QAAQ,EAAE,MAAM,EAChB,OAAO,EAAE,iBAAiB,GACzB,gBAAgB,CAuClB;AAED;;GAEG;AACH,wBAAgB,eAAe,CAC7B,QAAQ,EAAE,MAAM,EAChB,OAAO,EAAE,MAAM,EACf,OAAO,EAAE,iBAAiB,GACzB,gBAAgB,CAqClB"}
package/dist/executor/secret-file.js ADDED
@@ -0,0 +1,127 @@
1
+ "use strict";
2
+ var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
3
+ if (k2 === undefined) k2 = k;
4
+ var desc = Object.getOwnPropertyDescriptor(m, k);
5
+ if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
6
+ desc = { enumerable: true, get: function() { return m[k]; } };
7
+ }
8
+ Object.defineProperty(o, k2, desc);
9
+ }) : (function(o, m, k, k2) {
10
+ if (k2 === undefined) k2 = k;
11
+ o[k2] = m[k];
12
+ }));
13
+ var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
14
+ Object.defineProperty(o, "default", { enumerable: true, value: v });
15
+ }) : function(o, v) {
16
+ o["default"] = v;
17
+ });
18
+ var __importStar = (this && this.__importStar) || (function () {
19
+ var ownKeys = function(o) {
20
+ ownKeys = Object.getOwnPropertyNames || function (o) {
21
+ var ar = [];
22
+ for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
23
+ return ar;
24
+ };
25
+ return ownKeys(o);
26
+ };
27
+ return function (mod) {
28
+ if (mod && mod.__esModule) return mod;
29
+ var result = {};
30
+ if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
31
+ __setModuleDefault(result, mod);
32
+ return result;
33
+ };
34
+ })();
35
+ Object.defineProperty(exports, "__esModule", { value: true });
36
+ exports.readSecretFile = readSecretFile;
37
+ exports.writeSecretFile = writeSecretFile;
38
+ const fs = __importStar(require("fs"));
39
+ const resource_canonicalizer_1 = require("../utils/resource-canonicalizer");
40
+ /**
41
+ * Read a secret file with resource verification (spec §8.3).
42
+ *
43
+ * Flow:
44
+ * 1. canonicalize(requested_path) -> normalized_resource
45
+ * 2. Compute fingerprint
46
+ * 3. Compare with approved resource (from VC/grant)
47
+ * 4. If mismatch -> deny
48
+ * 5. If match -> read file
49
+ */
50
+ function readSecretFile(filePath, context) {
51
+ const normalizedResource = (0, resource_canonicalizer_1.canonicalizePath)(filePath);
52
+ const resourceFingerprint = (0, resource_canonicalizer_1.computeFingerprint)(normalizedResource, context.rootDid);
53
+ // Verify against approved resource if provided
54
+ if (context.approvedResource && context.approvedResource !== normalizedResource) {
55
+ return {
56
+ success: false,
57
+ error: `Resource mismatch: requested ${normalizedResource} but approved ${context.approvedResource}`,
58
+ normalizedResource,
59
+ resourceFingerprint,
60
+ };
61
+ }
62
+ if (context.approvedFingerprint && context.approvedFingerprint !== resourceFingerprint) {
63
+ return {
64
+ success: false,
65
+ error: `Fingerprint mismatch: resource may have been moved or tampered with`,
66
+ normalizedResource,
67
+ resourceFingerprint,
68
+ };
69
+ }
70
+ try {
71
+ const content = fs.readFileSync(normalizedResource, 'utf-8');
72
+ return {
73
+ success: true,
74
+ data: content,
75
+ normalizedResource,
76
+ resourceFingerprint,
77
+ };
78
+ }
79
+ catch (err) {
80
+ return {
81
+ success: false,
82
+ error: `Failed to read file: ${err.message}`,
83
+ normalizedResource,
84
+ resourceFingerprint,
85
+ };
86
+ }
87
+ }
88
+ /**
89
+ * Write content to a secret file with resource verification (spec §8.3).
90
+ */
91
+ function writeSecretFile(filePath, content, context) {
92
+ const normalizedResource = (0, resource_canonicalizer_1.canonicalizePath)(filePath);
93
+ const resourceFingerprint = (0, resource_canonicalizer_1.computeFingerprint)(normalizedResource, context.rootDid);
94
+ if (context.approvedResource && context.approvedResource !== normalizedResource) {
95
+ return {
96
+ success: false,
97
+ error: `Resource mismatch: requested ${normalizedResource} but approved ${context.approvedResource}`,
98
+ normalizedResource,
99
+ resourceFingerprint,
100
+ };
101
+ }
102
+ if (context.approvedFingerprint && context.approvedFingerprint !== resourceFingerprint) {
103
+ return {
104
+ success: false,
105
+ error: `Fingerprint mismatch: resource may have been moved or tampered with`,
106
+ normalizedResource,
107
+ resourceFingerprint,
108
+ };
109
+ }
110
+ try {
111
+ fs.writeFileSync(normalizedResource, content, 'utf-8');
112
+ return {
113
+ success: true,
114
+ normalizedResource,
115
+ resourceFingerprint,
116
+ };
117
+ }
118
+ catch (err) {
119
+ return {
120
+ success: false,
121
+ error: `Failed to write file: ${err.message}`,
122
+ normalizedResource,
123
+ resourceFingerprint,
124
+ };
125
+ }
126
+ }
127
+ //# sourceMappingURL=secret-file.js.map
package/dist/executor/secret-file.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"secret-file.js","sourceRoot":"","sources":["../../src/executor/secret-file.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA2BA,wCA0CC;AAKD,0CAyCC;AAnHD,uCAAwB;AACxB,4EAAsF;AAgBtF;;;;;;;;;GASG;AACH,SAAgB,cAAc,CAC5B,QAAgB,EAChB,OAA0B;IAE1B,MAAM,kBAAkB,GAAG,IAAA,yCAAgB,EAAC,QAAQ,CAAC,CAAA;IACrD,MAAM,mBAAmB,GAAG,IAAA,2CAAkB,EAAC,kBAAkB,EAAE,OAAO,CAAC,OAAO,CAAC,CAAA;IAEnF,+CAA+C;IAC/C,IAAI,OAAO,CAAC,gBAAgB,IAAI,OAAO,CAAC,gBAAgB,KAAK,kBAAkB,EAAE,CAAC;QAChF,OAAO;YACL,OAAO,EAAE,KAAK;YACd,KAAK,EAAE,gCAAgC,kBAAkB,iBAAiB,OAAO,CAAC,gBAAgB,EAAE;YACpG,kBAAkB;YAClB,mBAAmB;SACpB,CAAA;IACH,CAAC;IAED,IAAI,OAAO,CAAC,mBAAmB,IAAI,OAAO,CAAC,mBAAmB,KAAK,mBAAmB,EAAE,CAAC;QACvF,OAAO;YACL,OAAO,EAAE,KAAK;YACd,KAAK,EAAE,qEAAqE;YAC5E,kBAAkB;YAClB,mBAAmB;SACpB,CAAA;IACH,CAAC;IAED,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,kBAAkB,EAAE,OAAO,CAAC,CAAA;QAC5D,OAAO;YACL,OAAO,EAAE,IAAI;YACb,IAAI,EAAE,OAAO;YACb,kBAAkB;YAClB,mBAAmB;SACpB,CAAA;IACH,CAAC;IAAC,OAAO,GAAQ,EAAE,CAAC;QAClB,OAAO;YACL,OAAO,EAAE,KAAK;YACd,KAAK,EAAE,wBAAwB,GAAG,CAAC,OAAO,EAAE;YAC5C,kBAAkB;YAClB,mBAAmB;SACpB,CAAA;IACH,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAgB,eAAe,CAC7B,QAAgB,EAChB,OAAe,EACf,OAA0B;IAE1B,MAAM,kBAAkB,GAAG,IAAA,yCAAgB,EAAC,QAAQ,CAAC,CAAA;IACrD,MAAM,mBAAmB,GAAG,IAAA,2CAAkB,EAAC,kBAAkB,EAAE,OAAO,CAAC,OAAO,CAAC,CAAA;IAEnF,IAAI,OAAO,CAAC,gBAAgB,IAAI,OAAO,CAAC,gBAAgB,KAAK,kBAAkB,EAAE,CAAC;QAChF,OAAO;YACL,OAAO,EAAE,KAAK;YACd,KAAK,EAAE,gCAAgC,kBAAkB,iBAAiB,OAAO,CAAC,gBAAgB,EAAE;YACpG,kBAAkB;YAClB,mBAAmB;SACpB,CAAA;IACH,CAAC;IAED,IAAI,OAAO,CAAC,mBAAmB,IAAI,OAAO,CAAC,mBAAmB,KAAK,mBAAmB,EAAE,CAAC;QACvF,OAAO;YACL,OAAO,EAAE,KAAK;YACd,KAAK,EAAE,qEAAqE;YAC5E,kBAAkB;YAClB,mBAAmB;SACpB,CAAA;IACH,CAAC;IAED,IAAI,CAAC;QACH,EAAE,CAAC,aAAa,CAAC,kBAAkB,EAAE,OAAO,EAAE,OAAO,CAAC,CAAA;QACtD,OAAO;YACL,OAAO,EAAE,IAAI;YACb,kBAAkB;YAClB,mBAAmB;SACpB,CAAA;IACH,CAAC;IAAC,OAAO,GAAQ,EAAE,CAAC;QAClB,OAAO;YACL,OAAO,EAAE,KAAK;YACd,KAAK,EAAE,yBAAyB,GAAG,CAAC,OAAO,EAAE;YAC7C,kBAAkB;YAClB,mBAAmB;SACpB,CAAA;IACH,CAAC;AACH,CAAC"}
package/dist/gateway/auth.d.ts ADDED
@@ -0,0 +1,26 @@
1
+ import { KeyManager } from '../identity/key-manager';
2
+ /**
3
+ * Device authentication manager.
4
+ * Session token is stored in OS Keychain (not config file) for security.
5
+ * Falls back to config file for migration from older versions.
6
+ */
7
+ export declare class DeviceAuth {
8
+ private readonly configPath;
9
+ private readonly keyManager;
10
+ constructor(configPath: string, keyManager?: KeyManager);
11
+ getSessionToken(): string | undefined;
12
+ setSessionToken(token: string): void;
13
+ isAuthenticated(): boolean;
14
+ /**
15
+ * Decode the session token JWT and return the `exp` claim (Unix epoch seconds).
16
+ * Returns null if no token is stored or the token is malformed.
17
+ */
18
+ getTokenExpiry(): number | null;
19
+ /**
20
+ * Check if the current session token is expiring within the given threshold.
21
+ * Returns true if no token is stored (treat as expired).
22
+ */
23
+ isTokenExpiringSoon(thresholdSeconds: number): boolean;
24
+ getGatewayUrl(): string;
25
+ }
26
+ //# sourceMappingURL=auth.d.ts.map
package/dist/gateway/auth.d.ts.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/gateway/auth.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAA;AAEpD;;;;GAIG;AACH,qBAAa,UAAU;IAInB,OAAO,CAAC,QAAQ,CAAC,UAAU;IAH7B,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAY;gBAGpB,UAAU,EAAE,MAAM,EACnC,UAAU,CAAC,EAAE,UAAU;IAKzB,eAAe,IAAI,MAAM,GAAG,SAAS;IASrC,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI;IAIpC,eAAe,IAAI,OAAO;IAI1B;;;OAGG;IACH,cAAc,IAAI,MAAM,GAAG,IAAI;IAa/B;;;OAGG;IACH,mBAAmB,CAAC,gBAAgB,EAAE,MAAM,GAAG,OAAO;IAMtD,aAAa,IAAI,MAAM;CAGxB"}