@vybestack/llxprt-code-auth 0.10.0-nightly.260613.1adad3b34

package/dist/src/proxy/proxy-socket-client.js

@@ -0,0 +1,219 @@
+/**
+ * @license
+ * Copyright 2025 Vybestack LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+/**
+ * Unix domain socket client for credential proxy protocol.
+ *
+ * @plan PLAN-20250214-CREDPROXY.P03
+ * @requirement R6.1-R6.5, R24.1, R24.2
+ * @pseudocode analysis/pseudocode/001-framing-protocol.md
+ */
+import * as net from 'node:net';
+import * as crypto from 'node:crypto';
+import { encodeFrame, FrameDecoder } from './framing.js';
+export const REQUEST_TIMEOUT_MS = 30000;
+export const IDLE_TIMEOUT_MS = 300000;
+export const PROTOCOL_VERSION = 1;
+export class ProxySocketClient {
+    socketPath;
+    socket = null;
+    decoder = new FrameDecoder({
+        onPartialFrameTimeout: () => this.handlePartialFrameTimeout(),
+    });
+    pendingRequests = new Map();
+    handshakeComplete = false;
+    idleTimer = null;
+    connectingPromise = null;
+    handshakeResolver = null;
+    constructor(socketPath) {
+        this.socketPath = socketPath;
+    }
+    async ensureConnected() {
+        if (this.socket !== null && this.handshakeComplete) {
+            this.resetIdleTimer();
+            return;
+        }
+        if (this.connectingPromise) {
+            await this.connectingPromise;
+            return;
+        }
+        this.connectingPromise = this.connectAndHandshake();
+        try {
+            await this.connectingPromise;
+        }
+        finally {
+            this.connectingPromise = null;
+        }
+    }
+    isConnected() {
+        return this.socket !== null && this.handshakeComplete;
+    }
+    async request(op, payload) {
+        if (!this.isConnected()) {
+            await this.ensureConnected();
+        }
+        else {
+            this.resetIdleTimer();
+        }
+        return this.sendRequest(op, payload);
+    }
+    sendRequest(op, payload) {
+        const id = crypto.randomUUID();
+        const frame = { v: PROTOCOL_VERSION, id, op, payload };
+        const promise = new Promise((resolve, reject) => {
+            const timer = setTimeout(() => {
+                this.pendingRequests.delete(id);
+                reject(new Error(`Request timed out after ${REQUEST_TIMEOUT_MS}ms`));
+            }, REQUEST_TIMEOUT_MS);
+            this.pendingRequests.set(id, { resolve, reject, timer });
+        });
+        this.socket.write(encodeFrame(frame));
+        this.resetIdleTimer();
+        return promise;
+    }
+    close() {
+        this.cancelIdleTimer();
+        this.destroy('Client closed');
+    }
+    gracefulClose() {
+        this.handshakeComplete = false;
+        // Reject any pending requests
+        for (const [, pending] of this.pendingRequests) {
+            clearTimeout(pending.timer);
+            pending.reject(new Error('Connection closing'));
+        }
+        this.pendingRequests.clear();
+        if (this.handshakeResolver) {
+            const resolver = this.handshakeResolver;
+            this.handshakeResolver = null;
+            resolver.reject(new Error('Connection closing'));
+        }
+        if (this.socket !== null) {
+            // Remove listeners to prevent stale close events from affecting new connections
+            this.socket.removeAllListeners();
+            this.socket.end();
+            this.socket = null;
+        }
+        this.decoder.reset();
+    }
+    async connectAndHandshake() {
+        await this.connect();
+        await this.handshake();
+    }
+    async connect() {
+        this.socket = net.createConnection(this.socketPath);
+        this.decoder = new FrameDecoder({
+            onPartialFrameTimeout: () => this.handlePartialFrameTimeout(),
+        });
+        this.socket.on('data', (chunk) => this.onData(chunk));
+        this.socket.on('error', (err) => this.onError(err));
+        this.socket.on('close', () => this.onClose());
+        await new Promise((resolve, reject) => {
+            this.socket.once('connect', resolve);
+            this.socket.once('error', reject);
+        });
+    }
+    async handshake() {
+        const request = {
+            v: PROTOCOL_VERSION,
+            op: 'handshake',
+            payload: { minVersion: 1, maxVersion: 1 },
+        };
+        this.socket.write(encodeFrame(request));
+        const response = await new Promise((resolve, reject) => {
+            this.handshakeResolver = { resolve, reject };
+            const timer = setTimeout(() => {
+                this.handshakeResolver = null;
+                reject(new Error(`Handshake timed out after ${REQUEST_TIMEOUT_MS}ms`));
+            }, REQUEST_TIMEOUT_MS);
+            const originalResolve = this.handshakeResolver.resolve;
+            this.handshakeResolver.resolve = (value) => {
+                clearTimeout(timer);
+                originalResolve(value);
+            };
+            const originalReject = this.handshakeResolver.reject;
+            this.handshakeResolver.reject = (reason) => {
+                clearTimeout(timer);
+                originalReject(reason);
+            };
+        });
+        if (response.ok !== true) {
+            throw new Error('Version mismatch: ' + (response.error ?? 'unknown error'));
+        }
+        this.handshakeComplete = true;
+        this.resetIdleTimer();
+    }
+    onData(chunk) {
+        try {
+            const frames = this.decoder.feed(chunk);
+            for (const frame of frames) {
+                if (this.handshakeResolver) {
+                    const resolver = this.handshakeResolver;
+                    this.handshakeResolver = null;
+                    resolver.resolve(frame);
+                    continue;
+                }
+                this.resolvePendingRequest(frame);
+            }
+        }
+        catch {
+            this.destroy('Frame decode error');
+        }
+    }
+    resolvePendingRequest(frame) {
+        const id = frame.id;
+        if (!id) {
+            return;
+        }
+        const pending = this.pendingRequests.get(id);
+        if (pending) {
+            clearTimeout(pending.timer);
+            this.pendingRequests.delete(id);
+            pending.resolve(frame);
+        }
+    }
+    onError(_err) {
+        this.destroy('Credential proxy connection lost. Restart the session.');
+    }
+    onClose() {
+        if (this.handshakeComplete || this.handshakeResolver) {
+            this.destroy('Credential proxy connection lost. Restart the session.');
+        }
+    }
+    handlePartialFrameTimeout() {
+        this.destroy('Credential proxy partial frame timeout. Connection will be reset.');
+    }
+    destroy(message) {
+        this.cancelIdleTimer();
+        for (const [, pending] of this.pendingRequests) {
+            clearTimeout(pending.timer);
+            pending.reject(new Error(message));
+        }
+        this.pendingRequests.clear();
+        this.handshakeComplete = false;
+        if (this.socket !== null) {
+            this.socket.destroy();
+            this.socket = null;
+        }
+        this.decoder.reset();
+        if (this.handshakeResolver) {
+            const resolver = this.handshakeResolver;
+            this.handshakeResolver = null;
+            resolver.reject(new Error(message));
+        }
+    }
+    resetIdleTimer() {
+        this.cancelIdleTimer();
+        this.idleTimer = setTimeout(() => this.gracefulClose(), IDLE_TIMEOUT_MS);
+        this.idleTimer.unref();
+    }
+    cancelIdleTimer() {
+        if (this.idleTimer !== null) {
+            clearTimeout(this.idleTimer);
+            this.idleTimer = null;
+        }
+    }
+}
+//# sourceMappingURL=proxy-socket-client.js.map

package/dist/src/proxy/proxy-socket-client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"proxy-socket-client.js","sourceRoot":"","sources":["../../../src/proxy/proxy-socket-client.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH;;;;;;GAMG;AAEH,OAAO,KAAK,GAAG,MAAM,UAAU,CAAC;AAChC,OAAO,KAAK,MAAM,MAAM,aAAa,CAAC;AACtC,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAEzD,MAAM,CAAC,MAAM,kBAAkB,GAAG,KAAK,CAAC;AACxC,MAAM,CAAC,MAAM,eAAe,GAAG,MAAM,CAAC;AACtC,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAC,CAAC;AAgBlC,MAAM,OAAO,iBAAiB;IACX,UAAU,CAAS;IAC5B,MAAM,GAAsB,IAAI,CAAC;IACjC,OAAO,GAAiB,IAAI,YAAY,CAAC;QAC/C,qBAAqB,EAAE,GAAG,EAAE,CAAC,IAAI,CAAC,yBAAyB,EAAE;KAC9D,CAAC,CAAC;IACK,eAAe,GAAgC,IAAI,GAAG,EAAE,CAAC;IACzD,iBAAiB,GAAY,KAAK,CAAC;IACnC,SAAS,GAAyC,IAAI,CAAC;IACvD,iBAAiB,GAAyB,IAAI,CAAC;IAC/C,iBAAiB,GAGd,IAAI,CAAC;IAEhB,YAAY,UAAkB;QAC5B,IAAI,CAAC,UAAU,GAAG,UAAU,CAAC;IAC/B,CAAC;IAED,KAAK,CAAC,eAAe;QACnB,IAAI,IAAI,CAAC,MAAM,KAAK,IAAI,IAAI,IAAI,CAAC,iBAAiB,EAAE,CAAC;YACnD,IAAI,CAAC,cAAc,EAAE,CAAC;YACtB,OAAO;QACT,CAAC;QACD,IAAI,IAAI,CAAC,iBAAiB,EAAE,CAAC;YAC3B,MAAM,IAAI,CAAC,iBAAiB,CAAC;YAC7B,OAAO;QACT,CAAC;QACD,IAAI,CAAC,iBAAiB,GAAG,IAAI,CAAC,mBAAmB,EAAE,CAAC;QACpD,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,iBAAiB,CAAC;QAC/B,CAAC;gBAAS,CAAC;YACT,IAAI,CAAC,iBAAiB,GAAG,IAAI,CAAC;QAChC,CAAC;IACH,CAAC;IAEO,WAAW;QACjB,OAAO,IAAI,CAAC,MAAM,KAAK,IAAI,IAAI,IAAI,CAAC,iBAAiB,CAAC;IACxD,CAAC;IAED,KAAK,CAAC,OAAO,CACX,EAAU,EACV,OAAgC;QAEhC,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,EAAE,CAAC;YACxB,MAAM,IAAI,CAAC,eAAe,EAAE,CAAC;QAC/B,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,cAAc,EAAE,CAAC;QACxB,CAAC;QACD,OAAO,IAAI,CAAC,WAAW,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC;IACvC,CAAC;IAEO,WAAW,CACjB,EAAU,EACV,OAAgC;QAEhC,MAAM,EAAE,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;QAC/B,MAAM,KAAK,GAAG,EAAE,CAAC,EAAE,gBAAgB,EAAE,EAAE,EAAE,EAAE,EAAE,OAAO,EAAE,CAAC;QAEvD,MAAM,OAAO,GAAG,IAAI,OAAO,CAAgB,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YAC7D,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE;gBAC5B,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;gBAChC,MAAM,CAAC,IAAI,KAAK,CAAC,2BAA2B,kBAAkB,IAAI,CAAC,CAAC,CAAC;YACvE,CAAC,EAAE,kBAAkB,CAAC,CAAC;YACvB,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,EAAE,EAAE,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;QAC3D,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,MAAO,CAAC,KAAK,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC,CAAC;QACvC,IAAI,CAAC,cAAc,EAAE,CAAC;QACtB,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,KAAK;QACH,IAAI,CAAC,eAAe,EAAE,CAAC;QACvB,IAAI,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;IAChC,CAAC;IAED,aAAa;QACX,IAAI,CAAC,iBAAiB,GAAG,KAAK,CAAC;QAC/B,8BAA8B;QAC9B,KAAK,MAAM,CAAC,EAAE,OAAO,CAAC,IAAI,IAAI,CAAC,eAAe,EAAE,CAAC;YAC/C,YAAY,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;YAC5B,OAAO,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,oBAAoB,CAAC,CAAC,CAAC;QAClD,CAAC;QACD,IAAI,CAAC,eAAe,CAAC,KAAK,EAAE,CAAC;QAC7B,IAAI,IAAI,CAAC,iBAAiB,EAAE,CAAC;YAC3B,MAAM,QAAQ,GAAG,IAAI,CAAC,iBAAiB,CAAC;YACxC,IAAI,CAAC,iBAAiB,GAAG,IAAI,CAAC;YAC9B,QAAQ,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,oBAAoB,CAAC,CAAC,CAAC;QACnD,CAAC;QACD,IAAI,IAAI,CAAC,MAAM,KAAK,IAAI,EAAE,CAAC;YACzB,gFAAgF;YAChF,IAAI,CAAC,MAAM,CAAC,kBAAkB,EAAE,CAAC;YACjC,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC;YAClB,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC;QACrB,CAAC;QACD,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;IACvB,CAAC;IAEO,KAAK,CAAC,mBAAmB;QAC/B,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;QACrB,MAAM,IAAI,CAAC,SAAS,EAAE,CAAC;IACzB,CAAC;IAEO,KAAK,CAAC,OAAO;QACnB,IAAI,CAAC,MAAM,GAAG,GAAG,CAAC,gBAAgB,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACpD,IAAI,CAAC,OAAO,GAAG,IAAI,YAAY,CAAC;YAC9B,qBAAqB,EAAE,GAAG,EAAE,CAAC,IAAI,CAAC,yBAAyB,EAAE;SAC9D,CAAC,CAAC;QACH,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;QAC9D,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAU,EAAE,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC;QAC3D,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC;QAC9C,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YAC1C,IAAI,CAAC,MAAO,CAAC,IAAI,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;YACtC,IAAI,CAAC,MAAO,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QACrC,CAAC,CAAC,CAAC;IACL,CAAC;IAEO,KAAK,CAAC,SAAS;QACrB,MAAM,OAAO,GAAG;YACd,CAAC,EAAE,gBAAgB;YACnB,EAAE,EAAE,WAAW;YACf,OAAO,EAAE,EAAE,UAAU,EAAE,CAAC,EAAE,UAAU,EAAE,CAAC,EAAE;SAC1C,CAAC;QACF,IAAI,CAAC,MAAO,CAAC,KAAK,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC,CAAC;QAEzC,MAAM,QAAQ,GAAG,MAAM,IAAI,OAAO,CAChC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YAClB,IAAI,CAAC,iBAAiB,GAAG,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC;YAC7C,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE;gBAC5B,IAAI,CAAC,iBAAiB,GAAG,IAAI,CAAC;gBAC9B,MAAM,CACJ,IAAI,KAAK,CAAC,6BAA6B,kBAAkB,IAAI,CAAC,CAC/D,CAAC;YACJ,CAAC,EAAE,kBAAkB,CAAC,CAAC;YAEvB,MAAM,eAAe,GAAG,IAAI,CAAC,iBAAiB,CAAC,OAAO,CAAC;YACvD,IAAI,CAAC,iBAAiB,CAAC,OAAO,GAAG,CAAC,KAAK,EAAE,EAAE;gBACzC,YAAY,CAAC,KAAK,CAAC,CAAC;gBACpB,eAAe,CAAC,KAAK,CAAC,CAAC;YACzB,CAAC,CAAC;YACF,MAAM,cAAc,GAAG,IAAI,CAAC,iBAAiB,CAAC,MAAM,CAAC;YACrD,IAAI,CAAC,iBAAiB,CAAC,MAAM,GAAG,CAAC,MAAM,EAAE,EAAE;gBACzC,YAAY,CAAC,KAAK,CAAC,CAAC;gBACpB,cAAc,CAAC,MAAM,CAAC,CAAC;YACzB,CAAC,CAAC;QACJ,CAAC,CACF,CAAC;QAEF,IAAI,QAAQ,CAAC,EAAE,KAAK,IAAI,EAAE,CAAC;YACzB,MAAM,IAAI,KAAK,CACb,oBAAoB,GAAG,CAAC,QAAQ,CAAC,KAAK,IAAI,eAAe,CAAC,CAC3D,CAAC;QACJ,CAAC;QACD,IAAI,CAAC,iBAAiB,GAAG,IAAI,CAAC;QAC9B,IAAI,CAAC,cAAc,EAAE,CAAC;IACxB,CAAC;IAEO,MAAM,CAAC,KAAa;QAC1B,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACxC,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;gBAC3B,IAAI,IAAI,CAAC,iBAAiB,EAAE,CAAC;oBAC3B,MAAM,QAAQ,GAAG,IAAI,CAAC,iBAAiB,CAAC;oBACxC,IAAI,CAAC,iBAAiB,GAAG,IAAI,CAAC;oBAC9B,QAAQ,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;oBACxB,SAAS;gBACX,CAAC;gBAED,IAAI,CAAC,qBAAqB,CAAC,KAAK,CAAC,CAAC;YACpC,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,IAAI,CAAC,OAAO,CAAC,oBAAoB,CAAC,CAAC;QACrC,CAAC;IACH,CAAC;IAEO,qBAAqB,CAAC,KAA8B;QAC1D,MAAM,EAAE,GAAG,KAAK,CAAC,EAAwB,CAAC;QAC1C,IAAI,CAAC,EAAE,EAAE,CAAC;YACR,OAAO;QACT,CAAC;QACD,MAAM,OAAO,GAAG,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAC7C,IAAI,OAAO,EAAE,CAAC;YACZ,YAAY,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;YAC5B,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;YAChC,OAAO,CAAC,OAAO,CAAC,KAAiC,CAAC,CAAC;QACrD,CAAC;IACH,CAAC;IAEO,OAAO,CAAC,IAAW;QACzB,IAAI,CAAC,OAAO,CAAC,wDAAwD,CAAC,CAAC;IACzE,CAAC;IAEO,OAAO;QACb,IAAI,IAAI,CAAC,iBAAiB,IAAI,IAAI,CAAC,iBAAiB,EAAE,CAAC;YACrD,IAAI,CAAC,OAAO,CAAC,wDAAwD,CAAC,CAAC;QACzE,CAAC;IACH,CAAC;IAEO,yBAAyB;QAC/B,IAAI,CAAC,OAAO,CACV,mEAAmE,CACpE,CAAC;IACJ,CAAC;IAEO,OAAO,CAAC,OAAe;QAC7B,IAAI,CAAC,eAAe,EAAE,CAAC;QAEvB,KAAK,MAAM,CAAC,EAAE,OAAO,CAAC,IAAI,IAAI,CAAC,eAAe,EAAE,CAAC;YAC/C,YAAY,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;YAC5B,OAAO,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC;QACrC,CAAC;QACD,IAAI,CAAC,eAAe,CAAC,KAAK,EAAE,CAAC;QAE7B,IAAI,CAAC,iBAAiB,GAAG,KAAK,CAAC;QAE/B,IAAI,IAAI,CAAC,MAAM,KAAK,IAAI,EAAE,CAAC;YACzB,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACtB,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC;QACrB,CAAC;QACD,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;QAErB,IAAI,IAAI,CAAC,iBAAiB,EAAE,CAAC;YAC3B,MAAM,QAAQ,GAAG,IAAI,CAAC,iBAAiB,CAAC;YACxC,IAAI,CAAC,iBAAiB,GAAG,IAAI,CAAC;YAC9B,QAAQ,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC;QACtC,CAAC;IACH,CAAC;IAEO,cAAc;QACpB,IAAI,CAAC,eAAe,EAAE,CAAC;QACvB,IAAI,CAAC,SAAS,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,aAAa,EAAE,EAAE,eAAe,CAAC,CAAC;QACzE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,CAAC;IACzB,CAAC;IAEO,eAAe;QACrB,IAAI,IAAI,CAAC,SAAS,KAAK,IAAI,EAAE,CAAC;YAC5B,YAAY,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YAC7B,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC;QACxB,CAAC;IACH,CAAC;CACF"}

package/dist/src/proxy/proxy-token-store.d.ts

@@ -0,0 +1,39 @@
+/**
+ * @license
+ * Copyright 2025 Vybestack LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+/**
+ * Token store that proxies all operations through a Unix domain socket
+ * to the host-side credential proxy server. Used inside sandbox containers.
+ *
+ * @plan PLAN-20250214-CREDPROXY.P09
+ * @requirement R2.1, R8.1-R8.9, R23.3, R29.1-R29.4
+ * @pseudocode analysis/pseudocode/003-proxy-token-store.md
+ */
+import { type OAuthToken, type BucketStats } from '../types.js';
+import { type TokenStore } from '../token-store.js';
+import { ProxySocketClient } from './proxy-socket-client.js';
+export declare class ProxyTokenStore implements TokenStore {
+    private readonly client;
+    constructor(socketPath: string);
+    getToken(provider: string, bucket?: string): Promise<OAuthToken | null>;
+    saveToken(provider: string, token: OAuthToken, bucket?: string): Promise<void>;
+    removeToken(provider: string, bucket?: string): Promise<void>;
+    listProviders(): Promise<string[]>;
+    listBuckets(provider: string): Promise<string[]>;
+    getBucketStats(provider: string, bucket: string): Promise<BucketStats | null>;
+    acquireRefreshLock(_provider: string, _options?: {
+        waitMs?: number;
+        staleMs?: number;
+        bucket?: string;
+    }): Promise<boolean>;
+    releaseRefreshLock(_provider: string, _bucket?: string): Promise<void>;
+    acquireAuthLock(_provider: string, _options?: {
+        waitMs?: number;
+        staleMs?: number;
+        bucket?: string;
+    }): Promise<boolean>;
+    releaseAuthLock(_provider: string, _bucket?: string): Promise<void>;
+    getClient(): ProxySocketClient;
+}

package/dist/src/proxy/proxy-token-store.js

@@ -0,0 +1,87 @@
+/**
+ * @license
+ * Copyright 2025 Vybestack LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+import { ProxySocketClient } from './proxy-socket-client.js';
+export class ProxyTokenStore {
+    client;
+    constructor(socketPath) {
+        this.client = new ProxySocketClient(socketPath);
+    }
+    async getToken(provider, bucket) {
+        const response = await this.client.request('get_token', {
+            provider,
+            bucket,
+        });
+        if (!response.ok && response.code === 'NOT_FOUND')
+            return null;
+        if (!response.ok)
+            throw new Error(response.error ?? 'proxy error');
+        return response.data;
+    }
+    async saveToken(provider, token, bucket) {
+        const response = await this.client.request('save_token', {
+            provider,
+            bucket,
+            token,
+        });
+        if (!response.ok)
+            throw new Error(response.error ?? 'proxy error');
+    }
+    async removeToken(provider, bucket) {
+        const response = await this.client.request('remove_token', {
+            provider,
+            bucket,
+        });
+        if (!response.ok)
+            throw new Error(response.error ?? 'proxy error');
+    }
+    async listProviders() {
+        const response = await this.client.request('list_providers', {});
+        if (!response.ok)
+            throw new Error(response.error ?? 'proxy error');
+        return response.data.providers;
+    }
+    async listBuckets(provider) {
+        const response = await this.client.request('list_buckets', { provider });
+        if (!response.ok)
+            throw new Error(response.error ?? 'proxy error');
+        return response.data.buckets;
+    }
+    async getBucketStats(provider, bucket) {
+        const response = await this.client.request('get_bucket_stats', {
+            provider,
+            bucket,
+        });
+        if (!response.ok && response.code === 'NOT_FOUND')
+            return null;
+        if (!response.ok)
+            throw new Error(response.error ?? 'proxy error');
+        const data = response.data;
+        return {
+            bucket,
+            // eslint-disable-next-line @typescript-eslint/no-unnecessary-condition -- Proxy payloads can omit persisted bucket stats.
+            requestCount: data.requestCount ?? 0,
+            // eslint-disable-next-line @typescript-eslint/no-unnecessary-condition -- Proxy payloads can omit persisted bucket stats.
+            percentage: data.percentage ?? 0,
+            lastUsed: data.lastUsed,
+        };
+    }
+    async acquireRefreshLock(_provider, _options) {
+        return true;
+    }
+    async releaseRefreshLock(_provider, _bucket) {
+        // No-op: refresh coordination happens on host
+    }
+    async acquireAuthLock(_provider, _options) {
+        return true;
+    }
+    async releaseAuthLock(_provider, _bucket) {
+        // No-op: auth coordination happens on host
+    }
+    getClient() {
+        return this.client;
+    }
+}
+//# sourceMappingURL=proxy-token-store.js.map

package/dist/src/proxy/proxy-token-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"proxy-token-store.js","sourceRoot":"","sources":["../../../src/proxy/proxy-token-store.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAaH,OAAO,EAAE,iBAAiB,EAAE,MAAM,0BAA0B,CAAC;AAE7D,MAAM,OAAO,eAAe;IACT,MAAM,CAAoB;IAE3C,YAAY,UAAkB;QAC5B,IAAI,CAAC,MAAM,GAAG,IAAI,iBAAiB,CAAC,UAAU,CAAC,CAAC;IAClD,CAAC;IAED,KAAK,CAAC,QAAQ,CACZ,QAAgB,EAChB,MAAe;QAEf,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,WAAW,EAAE;YACtD,QAAQ;YACR,MAAM;SACP,CAAC,CAAC;QACH,IAAI,CAAC,QAAQ,CAAC,EAAE,IAAI,QAAQ,CAAC,IAAI,KAAK,WAAW;YAAE,OAAO,IAAI,CAAC;QAC/D,IAAI,CAAC,QAAQ,CAAC,EAAE;YAAE,MAAM,IAAI,KAAK,CAAC,QAAQ,CAAC,KAAK,IAAI,aAAa,CAAC,CAAC;QACnE,OAAO,QAAQ,CAAC,IAA6B,CAAC;IAChD,CAAC;IAED,KAAK,CAAC,SAAS,CACb,QAAgB,EAChB,KAAiB,EACjB,MAAe;QAEf,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,YAAY,EAAE;YACvD,QAAQ;YACR,MAAM;YACN,KAAK;SACN,CAAC,CAAC;QACH,IAAI,CAAC,QAAQ,CAAC,EAAE;YAAE,MAAM,IAAI,KAAK,CAAC,QAAQ,CAAC,KAAK,IAAI,aAAa,CAAC,CAAC;IACrE,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,QAAgB,EAAE,MAAe;QACjD,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,cAAc,EAAE;YACzD,QAAQ;YACR,MAAM;SACP,CAAC,CAAC;QACH,IAAI,CAAC,QAAQ,CAAC,EAAE;YAAE,MAAM,IAAI,KAAK,CAAC,QAAQ,CAAC,KAAK,IAAI,aAAa,CAAC,CAAC;IACrE,CAAC;IAED,KAAK,CAAC,aAAa;QACjB,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,gBAAgB,EAAE,EAAE,CAAC,CAAC;QACjE,IAAI,CAAC,QAAQ,CAAC,EAAE;YAAE,MAAM,IAAI,KAAK,CAAC,QAAQ,CAAC,KAAK,IAAI,aAAa,CAAC,CAAC;QACnE,OAAQ,QAAQ,CAAC,IAAgC,CAAC,SAAqB,CAAC;IAC1E,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,QAAgB;QAChC,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,cAAc,EAAE,EAAE,QAAQ,EAAE,CAAC,CAAC;QACzE,IAAI,CAAC,QAAQ,CAAC,EAAE;YAAE,MAAM,IAAI,KAAK,CAAC,QAAQ,CAAC,KAAK,IAAI,aAAa,CAAC,CAAC;QACnE,OAAQ,QAAQ,CAAC,IAAgC,CAAC,OAAmB,CAAC;IACxE,CAAC;IAED,KAAK,CAAC,cAAc,CAClB,QAAgB,EAChB,MAAc;QAEd,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,kBAAkB,EAAE;YAC7D,QAAQ;YACR,MAAM;SACP,CAAC,CAAC;QACH,IAAI,CAAC,QAAQ,CAAC,EAAE,IAAI,QAAQ,CAAC,IAAI,KAAK,WAAW;YAAE,OAAO,IAAI,CAAC;QAC/D,IAAI,CAAC,QAAQ,CAAC,EAAE;YAAE,MAAM,IAAI,KAAK,CAAC,QAAQ,CAAC,KAAK,IAAI,aAAa,CAAC,CAAC;QACnE,MAAM,IAAI,GAAG,QAAQ,CAAC,IAA+B,CAAC;QACtD,OAAO;YACL,MAAM;YACN,0HAA0H;YAC1H,YAAY,EAAG,IAAI,CAAC,YAAuB,IAAI,CAAC;YAChD,0HAA0H;YAC1H,UAAU,EAAG,IAAI,CAAC,UAAqB,IAAI,CAAC;YAC5C,QAAQ,EAAE,IAAI,CAAC,QAA8B;SAC9C,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,kBAAkB,CACtB,SAAiB,EACjB,QAAiE;QAEjE,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,kBAAkB,CAAC,SAAiB,EAAE,OAAgB;QAC1D,8CAA8C;IAChD,CAAC;IAED,KAAK,CAAC,eAAe,CACnB,SAAiB,EACjB,QAAiE;QAEjE,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,eAAe,CAAC,SAAiB,EAAE,OAAgB;QACvD,2CAA2C;IAC7C,CAAC;IAED,SAAS;QACP,OAAO,IAAI,CAAC,MAAM,CAAC;IACrB,CAAC;CACF"}

package/dist/src/token-merge.d.ts

@@ -0,0 +1,16 @@
+/**
+ * @license
+ * Copyright 2025 Vybestack LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+/**
+ * Token merge utility for credential refresh operations.
+ * Extracted from OAuthManager for shared use by proxy server.
+ *
+ * @plan PLAN-20250214-CREDPROXY.P06
+ * @requirement R12.1, R12.2, R12.3, R12.4, R12.5
+ * @pseudocode analysis/pseudocode/002-token-sanitization-merge.md
+ */
+import { type OAuthToken } from './types.js';
+export type OAuthTokenWithExtras = OAuthToken & Record<string, unknown>;
+export declare function mergeRefreshedToken(current: OAuthTokenWithExtras, next: Partial<OAuthTokenWithExtras>): OAuthTokenWithExtras;

package/dist/src/token-merge.js

@@ -0,0 +1,13 @@
+/**
+ * @license
+ * Copyright 2025 Vybestack LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+export function mergeRefreshedToken(current, next) {
+    const merged = { ...current, ...next };
+    if (next.refresh_token === undefined || next.refresh_token === '') {
+        merged.refresh_token = current.refresh_token;
+    }
+    return merged;
+}
+//# sourceMappingURL=token-merge.js.map

package/dist/src/token-merge.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-merge.js","sourceRoot":"","sources":["../../src/token-merge.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAeH,MAAM,UAAU,mBAAmB,CACjC,OAA6B,EAC7B,IAAmC;IAEnC,MAAM,MAAM,GAAG,EAAE,GAAG,OAAO,EAAE,GAAG,IAAI,EAAE,CAAC;IACvC,IAAI,IAAI,CAAC,aAAa,KAAK,SAAS,IAAI,IAAI,CAAC,aAAa,KAAK,EAAE,EAAE,CAAC;QAClE,MAAM,CAAC,aAAa,GAAG,OAAO,CAAC,aAAa,CAAC;IAC/C,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/src/token-sanitization.d.ts

@@ -0,0 +1,16 @@
+/**
+ * @license
+ * Copyright 2025 Vybestack LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+/**
+ * Token sanitization for credential proxy security boundary.
+ * Strips refresh_token from all data crossing the Unix socket.
+ *
+ * @plan PLAN-20250214-CREDPROXY.P06
+ * @requirement R10.1, R10.2, R10.3
+ * @pseudocode analysis/pseudocode/002-token-sanitization-merge.md
+ */
+import { type OAuthToken } from './types.js';
+export type SanitizedOAuthToken = Omit<OAuthToken, 'refresh_token'> & Record<string, unknown>;
+export declare function sanitizeTokenForProxy(token: OAuthToken): SanitizedOAuthToken;

package/dist/src/token-sanitization.js

@@ -0,0 +1,10 @@
+/**
+ * @license
+ * Copyright 2025 Vybestack LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+export function sanitizeTokenForProxy(token) {
+    const { refresh_token: _refresh_token, ...sanitized } = token;
+    return sanitized;
+}
+//# sourceMappingURL=token-sanitization.js.map

package/dist/src/token-sanitization.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-sanitization.js","sourceRoot":"","sources":["../../src/token-sanitization.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAgBH,MAAM,UAAU,qBAAqB,CAAC,KAAiB;IACrD,MAAM,EAAE,aAAa,EAAE,cAAc,EAAE,GAAG,SAAS,EAAE,GAAG,KAAK,CAAC;IAC9D,OAAO,SAAS,CAAC;AACnB,CAAC"}

package/dist/src/token-store.d.ts

@@ -0,0 +1,93 @@
+/**
+ * @license
+ * Copyright 2025 Vybestack LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+/**
+ * @plan PLAN-20260213-KEYRINGTOKENSTORE.P10
+ * @requirement R13.2
+ */
+import { type OAuthToken, type BucketStats } from './types.js';
+/**
+ * Interface for multi-provider OAuth token storage
+ */
+export interface TokenStore {
+    /**
+     * Save an OAuth token for a specific provider
+     * @param provider - The provider name (e.g., 'gemini', 'qwen')
+     * @param token - The OAuth token to save
+     * @param bucket - Optional bucket name for multi-account support
+     */
+    saveToken(provider: string, token: OAuthToken, bucket?: string): Promise<void>;
+    /**
+     * Retrieve an OAuth token for a specific provider
+     * @param provider - The provider name
+     * @param bucket - Optional bucket name for multi-account support
+     * @returns The token if found, null otherwise
+     */
+    getToken(provider: string, bucket?: string): Promise<OAuthToken | null>;
+    /**
+     * Remove an OAuth token for a specific provider
+     * @param provider - The provider name
+     * @param bucket - Optional bucket name for multi-account support
+     */
+    removeToken(provider: string, bucket?: string): Promise<void>;
+    /**
+     * List all providers that have stored tokens
+     * @returns Array of provider names with stored tokens
+     */
+    listProviders(): Promise<string[]>;
+    /**
+     * List all buckets for a specific provider
+     * @param provider - The provider name
+     * @returns Array of bucket names for the provider
+     */
+    listBuckets(provider: string): Promise<string[]>;
+    /**
+     * Get usage statistics for a specific bucket
+     * @param provider - The provider name
+     * @param bucket - The bucket name
+     * @returns Bucket statistics if available, null otherwise
+     */
+    getBucketStats(provider: string, bucket: string): Promise<BucketStats | null>;
+    /**
+     * Acquire a refresh lock for a provider to prevent concurrent refreshes
+     * @param provider - The provider name
+     * @param options - Optional configuration for lock behavior
+     *   - waitMs: Maximum time to wait for lock
+     *   - staleMs: Threshold for considering a lock stale
+     *   - bucket: Optional bucket name for multi-account support
+     * @returns true if lock was acquired, false otherwise
+     */
+    acquireRefreshLock(provider: string, options?: {
+        waitMs?: number;
+        staleMs?: number;
+        bucket?: string;
+    }): Promise<boolean>;
+    /**
+     * Release the refresh lock for a provider
+     * @param provider - The provider name
+     * @param bucket - Optional bucket name for multi-account support
+     */
+    releaseRefreshLock(provider: string, bucket?: string): Promise<void>;
+    /**
+     * Acquire an auth lock for a provider to prevent concurrent interactive authentication
+     * @param provider - The provider name
+     * @param options - Optional configuration for lock behavior
+     *   - waitMs: Maximum time to wait for lock (default: 60000ms)
+     *   - staleMs: Threshold for considering a lock stale (default: 360000ms)
+     *   - bucket: Optional bucket name for multi-account support
+     * @returns true if lock was acquired, false otherwise
+     */
+    acquireAuthLock(provider: string, options?: {
+        waitMs?: number;
+        staleMs?: number;
+        bucket?: string;
+    }): Promise<boolean>;
+    /**
+     * Release the auth lock for a provider
+     * @param provider - The provider name
+     * @param bucket - Optional bucket name for multi-account support
+     */
+    releaseAuthLock(provider: string, bucket?: string): Promise<void>;
+}

package/dist/src/token-store.js

@@ -0,0 +1,7 @@
+/**
+ * @license
+ * Copyright 2025 Vybestack LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+export {};
+//# sourceMappingURL=token-store.js.map

package/dist/src/token-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-store.js","sourceRoot":"","sources":["../../src/token-store.ts"],"names":[],"mappings":"AAAA;;;;GAIG"}