@waiaas/daemon 2.0.0-rc.1

package/dist/infrastructure/settings/setting-keys.js

@@ -0,0 +1,105 @@
+/**
+ * Setting key definitions (SSoT) for daemon operational settings.
+ *
+ * Each setting has a key (DB storage), category, configPath (for config.toml lookup),
+ * defaultValue (matching DaemonConfigSchema .default()), and isCredential flag.
+ *
+ * Categories: notifications, rpc, security, daemon, walletconnect, oracle, display, autostop, monitoring, telegram
+ *
+ * @see packages/daemon/src/infrastructure/config/loader.ts for DaemonConfigSchema defaults
+ */
+// ---------------------------------------------------------------------------
+// Categories
+// ---------------------------------------------------------------------------
+export const SETTING_CATEGORIES = [
+    'notifications',
+    'rpc',
+    'security',
+    'daemon',
+    'walletconnect',
+    'oracle',
+    'display',
+    'autostop',
+    'monitoring',
+    'telegram',
+];
+// ---------------------------------------------------------------------------
+// Setting Definitions
+// ---------------------------------------------------------------------------
+export const SETTING_DEFINITIONS = [
+    // --- notifications category ---
+    { key: 'notifications.enabled', category: 'notifications', configPath: 'notifications.enabled', defaultValue: 'false', isCredential: false },
+    { key: 'notifications.telegram_bot_token', category: 'notifications', configPath: 'notifications.telegram_bot_token', defaultValue: '', isCredential: true },
+    { key: 'notifications.telegram_chat_id', category: 'notifications', configPath: 'notifications.telegram_chat_id', defaultValue: '', isCredential: false },
+    { key: 'notifications.discord_webhook_url', category: 'notifications', configPath: 'notifications.discord_webhook_url', defaultValue: '', isCredential: true },
+    { key: 'notifications.ntfy_server', category: 'notifications', configPath: 'notifications.ntfy_server', defaultValue: 'https://ntfy.sh', isCredential: false },
+    { key: 'notifications.ntfy_topic', category: 'notifications', configPath: 'notifications.ntfy_topic', defaultValue: '', isCredential: false },
+    { key: 'notifications.slack_webhook_url', category: 'notifications', configPath: 'notifications.slack_webhook_url', defaultValue: '', isCredential: true },
+    { key: 'notifications.locale', category: 'notifications', configPath: 'notifications.locale', defaultValue: 'en', isCredential: false },
+    { key: 'notifications.rate_limit_rpm', category: 'notifications', configPath: 'notifications.rate_limit_rpm', defaultValue: '20', isCredential: false },
+    // --- rpc category (Solana 3 + EVM 10 + evm_default_network) ---
+    { key: 'rpc.solana_mainnet', category: 'rpc', configPath: 'rpc.solana_mainnet', defaultValue: 'https://api.mainnet-beta.solana.com', isCredential: false },
+    { key: 'rpc.solana_devnet', category: 'rpc', configPath: 'rpc.solana_devnet', defaultValue: 'https://api.devnet.solana.com', isCredential: false },
+    { key: 'rpc.solana_testnet', category: 'rpc', configPath: 'rpc.solana_testnet', defaultValue: 'https://api.testnet.solana.com', isCredential: false },
+    { key: 'rpc.evm_ethereum_mainnet', category: 'rpc', configPath: 'rpc.evm_ethereum_mainnet', defaultValue: 'https://eth.drpc.org', isCredential: false },
+    { key: 'rpc.evm_ethereum_sepolia', category: 'rpc', configPath: 'rpc.evm_ethereum_sepolia', defaultValue: 'https://sepolia.drpc.org', isCredential: false },
+    { key: 'rpc.evm_polygon_mainnet', category: 'rpc', configPath: 'rpc.evm_polygon_mainnet', defaultValue: 'https://polygon.drpc.org', isCredential: false },
+    { key: 'rpc.evm_polygon_amoy', category: 'rpc', configPath: 'rpc.evm_polygon_amoy', defaultValue: 'https://polygon-amoy.drpc.org', isCredential: false },
+    { key: 'rpc.evm_arbitrum_mainnet', category: 'rpc', configPath: 'rpc.evm_arbitrum_mainnet', defaultValue: 'https://arbitrum.drpc.org', isCredential: false },
+    { key: 'rpc.evm_arbitrum_sepolia', category: 'rpc', configPath: 'rpc.evm_arbitrum_sepolia', defaultValue: 'https://arbitrum-sepolia.drpc.org', isCredential: false },
+    { key: 'rpc.evm_optimism_mainnet', category: 'rpc', configPath: 'rpc.evm_optimism_mainnet', defaultValue: 'https://optimism.drpc.org', isCredential: false },
+    { key: 'rpc.evm_optimism_sepolia', category: 'rpc', configPath: 'rpc.evm_optimism_sepolia', defaultValue: 'https://optimism-sepolia.drpc.org', isCredential: false },
+    { key: 'rpc.evm_base_mainnet', category: 'rpc', configPath: 'rpc.evm_base_mainnet', defaultValue: 'https://base.drpc.org', isCredential: false },
+    { key: 'rpc.evm_base_sepolia', category: 'rpc', configPath: 'rpc.evm_base_sepolia', defaultValue: 'https://base-sepolia.drpc.org', isCredential: false },
+    { key: 'rpc.evm_default_network', category: 'rpc', configPath: 'rpc.evm_default_network', defaultValue: 'ethereum-sepolia', isCredential: false },
+    // --- security category ---
+    { key: 'security.session_ttl', category: 'security', configPath: 'security.session_ttl', defaultValue: '86400', isCredential: false },
+    { key: 'security.max_sessions_per_wallet', category: 'security', configPath: 'security.max_sessions_per_wallet', defaultValue: '5', isCredential: false },
+    { key: 'security.max_pending_tx', category: 'security', configPath: 'security.max_pending_tx', defaultValue: '10', isCredential: false },
+    { key: 'security.rate_limit_global_ip_rpm', category: 'security', configPath: 'security.rate_limit_global_ip_rpm', defaultValue: '1000', isCredential: false },
+    { key: 'security.rate_limit_session_rpm', category: 'security', configPath: 'security.rate_limit_session_rpm', defaultValue: '300', isCredential: false },
+    { key: 'security.rate_limit_tx_rpm', category: 'security', configPath: 'security.rate_limit_tx_rpm', defaultValue: '10', isCredential: false },
+    { key: 'security.policy_defaults_delay_seconds', category: 'security', configPath: 'security.policy_defaults_delay_seconds', defaultValue: '300', isCredential: false },
+    { key: 'security.policy_defaults_approval_timeout', category: 'security', configPath: 'security.policy_defaults_approval_timeout', defaultValue: '3600', isCredential: false },
+    // --- policy default deny toggles (Phase 116) ---
+    { key: 'policy.default_deny_tokens', category: 'security', configPath: 'security.default_deny_tokens', defaultValue: 'true', isCredential: false },
+    { key: 'policy.default_deny_contracts', category: 'security', configPath: 'security.default_deny_contracts', defaultValue: 'true', isCredential: false },
+    { key: 'policy.default_deny_spenders', category: 'security', configPath: 'security.default_deny_spenders', defaultValue: 'true', isCredential: false },
+    // --- daemon category ---
+    { key: 'daemon.log_level', category: 'daemon', configPath: 'daemon.log_level', defaultValue: 'info', isCredential: false },
+    // --- walletconnect category ---
+    { key: 'walletconnect.project_id', category: 'walletconnect', configPath: 'walletconnect.project_id', defaultValue: '', isCredential: false },
+    { key: 'walletconnect.relay_url', category: 'walletconnect', configPath: 'walletconnect.relay_url', defaultValue: 'wss://relay.walletconnect.com', isCredential: false },
+    // --- oracle category ---
+    { key: 'oracle.coingecko_api_key', category: 'oracle', configPath: 'oracle.coingecko_api_key', defaultValue: '', isCredential: true },
+    { key: 'oracle.cross_validation_threshold', category: 'oracle', configPath: 'oracle.cross_validation_threshold', defaultValue: '5', isCredential: false },
+    // --- display category ---
+    { key: 'display.currency', category: 'display', configPath: 'display.currency', defaultValue: 'USD', isCredential: false },
+    // --- autostop category (AUTO-05 runtime-overridable) ---
+    { key: 'autostop.consecutive_failures_threshold', category: 'autostop', configPath: 'security.autostop_consecutive_failures_threshold', defaultValue: '5', isCredential: false },
+    { key: 'autostop.unusual_activity_threshold', category: 'autostop', configPath: 'security.autostop_unusual_activity_threshold', defaultValue: '20', isCredential: false },
+    { key: 'autostop.unusual_activity_window_sec', category: 'autostop', configPath: 'security.autostop_unusual_activity_window_sec', defaultValue: '300', isCredential: false },
+    { key: 'autostop.idle_timeout_sec', category: 'autostop', configPath: 'security.autostop_idle_timeout_sec', defaultValue: '3600', isCredential: false },
+    { key: 'autostop.idle_check_interval_sec', category: 'autostop', configPath: 'security.autostop_idle_check_interval_sec', defaultValue: '60', isCredential: false },
+    { key: 'autostop.enabled', category: 'autostop', configPath: 'security.autostop_enabled', defaultValue: 'true', isCredential: false },
+    // --- monitoring category (BMON-05 runtime-overridable) ---
+    { key: 'monitoring.check_interval_sec', category: 'monitoring', configPath: 'security.monitoring_check_interval_sec', defaultValue: '300', isCredential: false },
+    { key: 'monitoring.low_balance_threshold_sol', category: 'monitoring', configPath: 'security.monitoring_low_balance_threshold_sol', defaultValue: '0.01', isCredential: false },
+    { key: 'monitoring.low_balance_threshold_eth', category: 'monitoring', configPath: 'security.monitoring_low_balance_threshold_eth', defaultValue: '0.005', isCredential: false },
+    { key: 'monitoring.cooldown_hours', category: 'monitoring', configPath: 'security.monitoring_cooldown_hours', defaultValue: '24', isCredential: false },
+    { key: 'monitoring.enabled', category: 'monitoring', configPath: 'security.monitoring_enabled', defaultValue: 'true', isCredential: false },
+    // --- telegram category (Bot service settings) ---
+    { key: 'telegram.enabled', category: 'telegram', configPath: 'telegram.enabled', defaultValue: 'false', isCredential: false },
+    { key: 'telegram.bot_token', category: 'telegram', configPath: 'telegram.bot_token', defaultValue: '', isCredential: true },
+    { key: 'telegram.locale', category: 'telegram', configPath: 'telegram.locale', defaultValue: 'en', isCredential: false },
+];
+// ---------------------------------------------------------------------------
+// Lookup helpers
+// ---------------------------------------------------------------------------
+/** Map from key -> SettingDefinition for O(1) lookup */
+const definitionMap = new Map(SETTING_DEFINITIONS.map((def) => [def.key, def]));
+/** Get a setting definition by key, or undefined if not found */
+export function getSettingDefinition(key) {
+    return definitionMap.get(key);
+}
+//# sourceMappingURL=setting-keys.js.map

package/dist/infrastructure/settings/setting-keys.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"setting-keys.js","sourceRoot":"","sources":["../../../src/infrastructure/settings/setting-keys.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAmBH,8EAA8E;AAC9E,aAAa;AACb,8EAA8E;AAE9E,MAAM,CAAC,MAAM,kBAAkB,GAAG;IAChC,eAAe;IACf,KAAK;IACL,UAAU;IACV,QAAQ;IACR,eAAe;IACf,QAAQ;IACR,SAAS;IACT,UAAU;IACV,YAAY;IACZ,UAAU;CACF,CAAC;AAIX,8EAA8E;AAC9E,sBAAsB;AACtB,8EAA8E;AAE9E,MAAM,CAAC,MAAM,mBAAmB,GAAiC;IAC/D,iCAAiC;IACjC,EAAE,GAAG,EAAE,uBAAuB,EAAE,QAAQ,EAAE,eAAe,EAAE,UAAU,EAAE,uBAAuB,EAAE,YAAY,EAAE,OAAO,EAAE,YAAY,EAAE,KAAK,EAAE;IAC5I,EAAE,GAAG,EAAE,kCAAkC,EAAE,QAAQ,EAAE,eAAe,EAAE,UAAU,EAAE,kCAAkC,EAAE,YAAY,EAAE,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE;IAC5J,EAAE,GAAG,EAAE,gCAAgC,EAAE,QAAQ,EAAE,eAAe,EAAE,UAAU,EAAE,gCAAgC,EAAE,YAAY,EAAE,EAAE,EAAE,YAAY,EAAE,KAAK,EAAE;IACzJ,EAAE,GAAG,EAAE,mCAAmC,EAAE,QAAQ,EAAE,eAAe,EAAE,UAAU,EAAE,mCAAmC,EAAE,YAAY,EAAE,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE;IAC9J,EAAE,GAAG,EAAE,2BAA2B,EAAE,QAAQ,EAAE,eAAe,EAAE,UAAU,EAAE,2BAA2B,EAAE,YAAY,EAAE,iBAAiB,EAAE,YAAY,EAAE,KAAK,EAAE;IAC9J,EAAE,GAAG,EAAE,0BAA0B,EAAE,QAAQ,EAAE,eAAe,EAAE,UAAU,EAAE,0BAA0B,EAAE,YAAY,EAAE,EAAE,EAAE,YAAY,EAAE,KAAK,EAAE;IAC7I,EAAE,GAAG,EAAE,iCAAiC,EAAE,QAAQ,EAAE,eAAe,EAAE,UAAU,EAAE,iCAAiC,EAAE,YAAY,EAAE,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE;IAC1J,EAAE,GAAG,EAAE,sBAAsB,EAAE,QAAQ,EAAE,eAAe,EAAE,UAAU,EAAE,sBAAsB,EAAE,YAAY,EAAE,IAAI,EAAE,YAAY,EAAE,KAAK,EAAE;IACvI,EAAE,GAAG,EAAE,8BAA8B,EAAE,QAAQ,EAAE,eAAe,EAAE,UAAU,EAAE,8BAA8B,EAAE,YAAY,EAAE,IAAI,EAAE,YAAY,EAAE,KAAK,EAAE;IAEvJ,iEAAiE;IACjE,EAAE,GAAG,EAAE,oBAAoB,EAAE,QAAQ,EAAE,KAAK,EAAE,UAAU,EAAE,oBAAoB,EAAE,YAAY,EAAE,qCAAqC,EAAE,YAAY,EAAE,KAAK,EAAE;IAC1J,EAAE,GAAG,EAAE,mBAAmB,EAAE,QAAQ,EAAE,KAAK,EAAE,UAAU,EAAE,mBAAmB,EAAE,YAAY,EAAE,+BAA+B,EAAE,YAAY,EAAE,KAAK,EAAE;IAClJ,EAAE,GAAG,EAAE,oBAAoB,EAAE,QAAQ,EAAE,KAAK,EAAE,UAAU,EAAE,oBAAoB,EAAE,YAAY,EAAE,gCAAgC,EAAE,YAAY,EAAE,KAAK,EAAE;IACrJ,EAAE,GAAG,EAAE,0BAA0B,EAAE,QAAQ,EAAE,KAAK,EAAE,UAAU,EAAE,0BAA0B,EAAE,YAAY,EAAE,sBAAsB,EAAE,YAAY,EAAE,KAAK,EAAE;IACvJ,EAAE,GAAG,EAAE,0BAA0B,EAAE,QAAQ,EAAE,KAAK,EAAE,UAAU,EAAE,0BAA0B,EAAE,YAAY,EAAE,0BAA0B,EAAE,YAAY,EAAE,KAAK,EAAE;IAC3J,EAAE,GAAG,EAAE,yBAAyB,EAAE,QAAQ,EAAE,KAAK,EAAE,UAAU,EAAE,yBAAyB,EAAE,YAAY,EAAE,0BAA0B,EAAE,YAAY,EAAE,KAAK,EAAE;IACzJ,EAAE,GAAG,EAAE,sBAAsB,EAAE,QAAQ,EAAE,KAAK,EAAE,UAAU,EAAE,sBAAsB,EAAE,YAAY,EAAE,+BAA+B,EAAE,YAAY,EAAE,KAAK,EAAE;IACxJ,EAAE,GAAG,EAAE,0BAA0B,EAAE,QAAQ,EAAE,KAAK,EAAE,UAAU,EAAE,0BAA0B,EAAE,YAAY,EAAE,2BAA2B,EAAE,YAAY,EAAE,KAAK,EAAE;IAC5J,EAAE,GAAG,EAAE,0BAA0B,EAAE,QAAQ,EAAE,KAAK,EAAE,UAAU,EAAE,0BAA0B,EAAE,YAAY,EAAE,mCAAmC,EAAE,YAAY,EAAE,KAAK,EAAE;IACpK,EAAE,GAAG,EAAE,0BAA0B,EAAE,QAAQ,EAAE,KAAK,EAAE,UAAU,EAAE,0BAA0B,EAAE,YAAY,EAAE,2BAA2B,EAAE,YAAY,EAAE,KAAK,EAAE;IAC5J,EAAE,GAAG,EAAE,0BAA0B,EAAE,QAAQ,EAAE,KAAK,EAAE,UAAU,EAAE,0BAA0B,EAAE,YAAY,EAAE,mCAAmC,EAAE,YAAY,EAAE,KAAK,EAAE;IACpK,EAAE,GAAG,EAAE,sBAAsB,EAAE,QAAQ,EAAE,KAAK,EAAE,UAAU,EAAE,sBAAsB,EAAE,YAAY,EAAE,uBAAuB,EAAE,YAAY,EAAE,KAAK,EAAE;IAChJ,EAAE,GAAG,EAAE,sBAAsB,EAAE,QAAQ,EAAE,KAAK,EAAE,UAAU,EAAE,sBAAsB,EAAE,YAAY,EAAE,+BAA+B,EAAE,YAAY,EAAE,KAAK,EAAE;IACxJ,EAAE,GAAG,EAAE,yBAAyB,EAAE,QAAQ,EAAE,KAAK,EAAE,UAAU,EAAE,yBAAyB,EAAE,YAAY,EAAE,kBAAkB,EAAE,YAAY,EAAE,KAAK,EAAE;IAEjJ,4BAA4B;IAC5B,EAAE,GAAG,EAAE,sBAAsB,EAAE,QAAQ,EAAE,UAAU,EAAE,UAAU,EAAE,sBAAsB,EAAE,YAAY,EAAE,OAAO,EAAE,YAAY,EAAE,KAAK,EAAE;IACrI,EAAE,GAAG,EAAE,kCAAkC,EAAE,QAAQ,EAAE,UAAU,EAAE,UAAU,EAAE,kCAAkC,EAAE,YAAY,EAAE,GAAG,EAAE,YAAY,EAAE,KAAK,EAAE;IACzJ,EAAE,GAAG,EAAE,yBAAyB,EAAE,QAAQ,EAAE,UAAU,EAAE,UAAU,EAAE,yBAAyB,EAAE,YAAY,EAAE,IAAI,EAAE,YAAY,EAAE,KAAK,EAAE;IACxI,EAAE,GAAG,EAAE,mCAAmC,EAAE,QAAQ,EAAE,UAAU,EAAE,UAAU,EAAE,mCAAmC,EAAE,YAAY,EAAE,MAAM,EAAE,YAAY,EAAE,KAAK,EAAE;IAC9J,EAAE,GAAG,EAAE,iCAAiC,EAAE,QAAQ,EAAE,UAAU,EAAE,UAAU,EAAE,iCAAiC,EAAE,YAAY,EAAE,KAAK,EAAE,YAAY,EAAE,KAAK,EAAE;IACzJ,EAAE,GAAG,EAAE,4BAA4B,EAAE,QAAQ,EAAE,UAAU,EAAE,UAAU,EAAE,4BAA4B,EAAE,YAAY,EAAE,IAAI,EAAE,YAAY,EAAE,KAAK,EAAE;IAC9I,EAAE,GAAG,EAAE,wCAAwC,EAAE,QAAQ,EAAE,UAAU,EAAE,UAAU,EAAE,wCAAwC,EAAE,YAAY,EAAE,KAAK,EAAE,YAAY,EAAE,KAAK,EAAE;IACvK,EAAE,GAAG,EAAE,2CAA2C,EAAE,QAAQ,EAAE,UAAU,EAAE,UAAU,EAAE,2CAA2C,EAAE,YAAY,EAAE,MAAM,EAAE,YAAY,EAAE,KAAK,EAAE;IAE9K,kDAAkD;IAClD,EAAE,GAAG,EAAE,4BAA4B,EAAE,QAAQ,EAAE,UAAU,EAAE,UAAU,EAAE,8BAA8B,EAAE,YAAY,EAAE,MAAM,EAAE,YAAY,EAAE,KAAK,EAAE;IAClJ,EAAE,GAAG,EAAE,+BAA+B,EAAE,QAAQ,EAAE,UAAU,EAAE,UAAU,EAAE,iCAAiC,EAAE,YAAY,EAAE,MAAM,EAAE,YAAY,EAAE,KAAK,EAAE;IACxJ,EAAE,GAAG,EAAE,8BAA8B,EAAE,QAAQ,EAAE,UAAU,EAAE,UAAU,EAAE,gCAAgC,EAAE,YAAY,EAAE,MAAM,EAAE,YAAY,EAAE,KAAK,EAAE;IAEtJ,0BAA0B;IAC1B,EAAE,GAAG,EAAE,kBAAkB,EAAE,QAAQ,EAAE,QAAQ,EAAE,UAAU,EAAE,kBAAkB,EAAE,YAAY,EAAE,MAAM,EAAE,YAAY,EAAE,KAAK,EAAE;IAE1H,iCAAiC;IACjC,EAAE,GAAG,EAAE,0BAA0B,EAAE,QAAQ,EAAE,eAAe,EAAE,UAAU,EAAE,0BAA0B,EAAE,YAAY,EAAE,EAAE,EAAE,YAAY,EAAE,KAAK,EAAE;IAC7I,EAAE,GAAG,EAAE,yBAAyB,EAAE,QAAQ,EAAE,eAAe,EAAE,UAAU,EAAE,yBAAyB,EAAE,YAAY,EAAE,+BAA+B,EAAE,YAAY,EAAE,KAAK,EAAE;IAExK,0BAA0B;IAC1B,EAAE,GAAG,EAAE,0BAA0B,EAAE,QAAQ,EAAE,QAAQ,EAAE,UAAU,EAAE,0BAA0B,EAAE,YAAY,EAAE,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE;IACrI,EAAE,GAAG,EAAE,mCAAmC,EAAE,QAAQ,EAAE,QAAQ,EAAE,UAAU,EAAE,mCAAmC,EAAE,YAAY,EAAE,GAAG,EAAE,YAAY,EAAE,KAAK,EAAE;IAEzJ,2BAA2B;IAC3B,EAAE,GAAG,EAAE,kBAAkB,EAAE,QAAQ,EAAE,SAAS,EAAE,UAAU,EAAE,kBAAkB,EAAE,YAAY,EAAE,KAAK,EAAE,YAAY,EAAE,KAAK,EAAE;IAE1H,0DAA0D;IAC1D,EAAE,GAAG,EAAE,yCAAyC,EAAE,QAAQ,EAAE,UAAU,EAAE,UAAU,EAAE,kDAAkD,EAAE,YAAY,EAAE,GAAG,EAAE,YAAY,EAAE,KAAK,EAAE;IAChL,EAAE,GAAG,EAAE,qCAAqC,EAAE,QAAQ,EAAE,UAAU,EAAE,UAAU,EAAE,8CAA8C,EAAE,YAAY,EAAE,IAAI,EAAE,YAAY,EAAE,KAAK,EAAE;IACzK,EAAE,GAAG,EAAE,sCAAsC,EAAE,QAAQ,EAAE,UAAU,EAAE,UAAU,EAAE,+CAA+C,EAAE,YAAY,EAAE,KAAK,EAAE,YAAY,EAAE,KAAK,EAAE;IAC5K,EAAE,GAAG,EAAE,2BAA2B,EAAE,QAAQ,EAAE,UAAU,EAAE,UAAU,EAAE,oCAAoC,EAAE,YAAY,EAAE,MAAM,EAAE,YAAY,EAAE,KAAK,EAAE;IACvJ,EAAE,GAAG,EAAE,kCAAkC,EAAE,QAAQ,EAAE,UAAU,EAAE,UAAU,EAAE,2CAA2C,EAAE,YAAY,EAAE,IAAI,EAAE,YAAY,EAAE,KAAK,EAAE;IACnK,EAAE,GAAG,EAAE,kBAAkB,EAAE,QAAQ,EAAE,UAAU,EAAE,UAAU,EAAE,2BAA2B,EAAE,YAAY,EAAE,MAAM,EAAE,YAAY,EAAE,KAAK,EAAE;IAErI,4DAA4D;IAC5D,EAAE,GAAG,EAAE,+BAA+B,EAAE,QAAQ,EAAE,YAAY,EAAE,UAAU,EAAE,wCAAwC,EAAE,YAAY,EAAE,KAAK,EAAE,YAAY,EAAE,KAAK,EAAE;IAChK,EAAE,GAAG,EAAE,sCAAsC,EAAE,QAAQ,EAAE,YAAY,EAAE,UAAU,EAAE,+CAA+C,EAAE,YAAY,EAAE,MAAM,EAAE,YAAY,EAAE,KAAK,EAAE;IAC/K,EAAE,GAAG,EAAE,sCAAsC,EAAE,QAAQ,EAAE,YAAY,EAAE,UAAU,EAAE,+CAA+C,EAAE,YAAY,EAAE,OAAO,EAAE,YAAY,EAAE,KAAK,EAAE;IAChL,EAAE,GAAG,EAAE,2BAA2B,EAAE,QAAQ,EAAE,YAAY,EAAE,UAAU,EAAE,oCAAoC,EAAE,YAAY,EAAE,IAAI,EAAE,YAAY,EAAE,KAAK,EAAE;IACvJ,EAAE,GAAG,EAAE,oBAAoB,EAAE,QAAQ,EAAE,YAAY,EAAE,UAAU,EAAE,6BAA6B,EAAE,YAAY,EAAE,MAAM,EAAE,YAAY,EAAE,KAAK,EAAE;IAE3I,mDAAmD;IACnD,EAAE,GAAG,EAAE,kBAAkB,EAAE,QAAQ,EAAE,UAAU,EAAE,UAAU,EAAE,kBAAkB,EAAE,YAAY,EAAE,OAAO,EAAE,YAAY,EAAE,KAAK,EAAE;IAC7H,EAAE,GAAG,EAAE,oBAAoB,EAAE,QAAQ,EAAE,UAAU,EAAE,UAAU,EAAE,oBAAoB,EAAE,YAAY,EAAE,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE;IAC3H,EAAE,GAAG,EAAE,iBAAiB,EAAE,QAAQ,EAAE,UAAU,EAAE,UAAU,EAAE,iBAAiB,EAAE,YAAY,EAAE,IAAI,EAAE,YAAY,EAAE,KAAK,EAAE;CAChH,CAAC;AAEX,8EAA8E;AAC9E,iBAAiB;AACjB,8EAA8E;AAE9E,wDAAwD;AACxD,MAAM,aAAa,GAAG,IAAI,GAAG,CAC3B,mBAAmB,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CACjD,CAAC;AAEF,iEAAiE;AACjE,MAAM,UAAU,oBAAoB,CAAC,GAAW;IAC9C,OAAO,aAAa,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;AAChC,CAAC"}

package/dist/infrastructure/settings/settings-crypto.d.ts

@@ -0,0 +1,39 @@
+/**
+ * AES-256-GCM encryption/decryption for daemon settings credential values.
+ *
+ * Uses HKDF(SHA-256) to derive a settings-specific 32-byte subkey from the
+ * master password. Unlike the keystore's Argon2id KDF (300ms+), this uses
+ * a lightweight derivation suitable for frequent read operations.
+ *
+ * The fixed HKDF salt ensures the same master password always derives the
+ * same key, enabling decrypt without storing an extra per-entry salt.
+ *
+ * Encrypted format: base64(JSON({ iv, ct, tag })) where iv/ct/tag are hex strings.
+ */
+/**
+ * Derive a 32-byte AES-256 key from master password using HKDF(SHA-256).
+ */
+export declare function deriveSettingsKey(masterPassword: string): Buffer;
+/**
+ * Encrypt a plaintext setting value with AES-256-GCM.
+ *
+ * @param plaintext - The value to encrypt (e.g., bot token, webhook URL)
+ * @param masterPassword - Master password for key derivation
+ * @returns Base64-encoded JSON string containing { iv, ct, tag }
+ */
+export declare function encryptSettingValue(plaintext: string, masterPassword: string): string;
+/**
+ * Decrypt an AES-256-GCM encrypted setting value.
+ *
+ * @param encrypted - Base64-encoded JSON string from encryptSettingValue()
+ * @param masterPassword - Master password for key derivation
+ * @returns Decrypted plaintext string
+ * @throws Error if password is wrong or data is corrupted (GCM authTag mismatch)
+ */
+export declare function decryptSettingValue(encrypted: string, masterPassword: string): string;
+/**
+ * Settings keys whose values must be encrypted before DB storage.
+ * SettingsService checks this set to determine encrypt/decrypt behavior.
+ */
+export declare const CREDENTIAL_KEYS: Set<string>;
+//# sourceMappingURL=settings-crypto.d.ts.map

package/dist/infrastructure/settings/settings-crypto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"settings-crypto.d.ts","sourceRoot":"","sources":["../../../src/infrastructure/settings/settings-crypto.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAOH;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,cAAc,EAAE,MAAM,GAAG,MAAM,CAIhE;AAQD;;;;;;GAMG;AACH,wBAAgB,mBAAmB,CAAC,SAAS,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,GAAG,MAAM,CAarF;AAED;;;;;;;GAOG;AACH,wBAAgB,mBAAmB,CAAC,SAAS,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,GAAG,MAAM,CAWrF;AAED;;;GAGG;AACH,eAAO,MAAM,eAAe,aAK1B,CAAC"}

package/dist/infrastructure/settings/settings-crypto.js

@@ -0,0 +1,73 @@
+/**
+ * AES-256-GCM encryption/decryption for daemon settings credential values.
+ *
+ * Uses HKDF(SHA-256) to derive a settings-specific 32-byte subkey from the
+ * master password. Unlike the keystore's Argon2id KDF (300ms+), this uses
+ * a lightweight derivation suitable for frequent read operations.
+ *
+ * The fixed HKDF salt ensures the same master password always derives the
+ * same key, enabling decrypt without storing an extra per-entry salt.
+ *
+ * Encrypted format: base64(JSON({ iv, ct, tag })) where iv/ct/tag are hex strings.
+ */
+import { randomBytes, createCipheriv, createDecipheriv, hkdfSync } from 'node:crypto';
+const SETTINGS_HKDF_SALT = 'waiaas-settings-v1';
+const SETTINGS_HKDF_INFO = 'settings-encryption';
+/**
+ * Derive a 32-byte AES-256 key from master password using HKDF(SHA-256).
+ */
+export function deriveSettingsKey(masterPassword) {
+    return Buffer.from(hkdfSync('sha256', masterPassword, SETTINGS_HKDF_SALT, SETTINGS_HKDF_INFO, 32));
+}
+/**
+ * Encrypt a plaintext setting value with AES-256-GCM.
+ *
+ * @param plaintext - The value to encrypt (e.g., bot token, webhook URL)
+ * @param masterPassword - Master password for key derivation
+ * @returns Base64-encoded JSON string containing { iv, ct, tag }
+ */
+export function encryptSettingValue(plaintext, masterPassword) {
+    const key = deriveSettingsKey(masterPassword);
+    const iv = randomBytes(12);
+    const cipher = createCipheriv('aes-256-gcm', key, iv);
+    const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
+    const tag = cipher.getAuthTag();
+    key.fill(0); // zero key from memory
+    const obj = {
+        iv: iv.toString('hex'),
+        ct: ct.toString('hex'),
+        tag: tag.toString('hex'),
+    };
+    return Buffer.from(JSON.stringify(obj)).toString('base64');
+}
+/**
+ * Decrypt an AES-256-GCM encrypted setting value.
+ *
+ * @param encrypted - Base64-encoded JSON string from encryptSettingValue()
+ * @param masterPassword - Master password for key derivation
+ * @returns Decrypted plaintext string
+ * @throws Error if password is wrong or data is corrupted (GCM authTag mismatch)
+ */
+export function decryptSettingValue(encrypted, masterPassword) {
+    const key = deriveSettingsKey(masterPassword);
+    const obj = JSON.parse(Buffer.from(encrypted, 'base64').toString('utf8'));
+    const decipher = createDecipheriv('aes-256-gcm', key, Buffer.from(obj.iv, 'hex'));
+    decipher.setAuthTag(Buffer.from(obj.tag, 'hex'));
+    const plain = Buffer.concat([
+        decipher.update(Buffer.from(obj.ct, 'hex')),
+        decipher.final(),
+    ]);
+    key.fill(0); // zero key from memory
+    return plain.toString('utf8');
+}
+/**
+ * Settings keys whose values must be encrypted before DB storage.
+ * SettingsService checks this set to determine encrypt/decrypt behavior.
+ */
+export const CREDENTIAL_KEYS = new Set([
+    'notifications.telegram_bot_token',
+    'notifications.discord_webhook_url',
+    'notifications.slack_webhook_url',
+    'security.jwt_secret',
+]);
+//# sourceMappingURL=settings-crypto.js.map

package/dist/infrastructure/settings/settings-crypto.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"settings-crypto.js","sourceRoot":"","sources":["../../../src/infrastructure/settings/settings-crypto.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,WAAW,EAAE,cAAc,EAAE,gBAAgB,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAEtF,MAAM,kBAAkB,GAAG,oBAAoB,CAAC;AAChD,MAAM,kBAAkB,GAAG,qBAAqB,CAAC;AAEjD;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAAC,cAAsB;IACtD,OAAO,MAAM,CAAC,IAAI,CAChB,QAAQ,CAAC,QAAQ,EAAE,cAAc,EAAE,kBAAkB,EAAE,kBAAkB,EAAE,EAAE,CAAC,CAC/E,CAAC;AACJ,CAAC;AAQD;;;;;;GAMG;AACH,MAAM,UAAU,mBAAmB,CAAC,SAAiB,EAAE,cAAsB;IAC3E,MAAM,GAAG,GAAG,iBAAiB,CAAC,cAAc,CAAC,CAAC;IAC9C,MAAM,EAAE,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC;IAC3B,MAAM,MAAM,GAAG,cAAc,CAAC,aAAa,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IACtD,MAAM,EAAE,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IAC7E,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;IAChC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,uBAAuB;IACpC,MAAM,GAAG,GAAmB;QAC1B,EAAE,EAAE,EAAE,CAAC,QAAQ,CAAC,KAAK,CAAC;QACtB,EAAE,EAAE,EAAE,CAAC,QAAQ,CAAC,KAAK,CAAC;QACtB,GAAG,EAAE,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC;KACzB,CAAC;IACF,OAAO,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;AAC7D,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,mBAAmB,CAAC,SAAiB,EAAE,cAAsB;IAC3E,MAAM,GAAG,GAAG,iBAAiB,CAAC,cAAc,CAAC,CAAC;IAC9C,MAAM,GAAG,GAAmB,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;IAC1F,MAAM,QAAQ,GAAG,gBAAgB,CAAC,aAAa,EAAE,GAAG,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC,CAAC;IAClF,QAAQ,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC,CAAC;IACjD,MAAM,KAAK,GAAG,MAAM,CAAC,MAAM,CAAC;QAC1B,QAAQ,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC;QAC3C,QAAQ,CAAC,KAAK,EAAE;KACjB,CAAC,CAAC;IACH,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,uBAAuB;IACpC,OAAO,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;AAChC,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,MAAM,eAAe,GAAG,IAAI,GAAG,CAAC;IACrC,kCAAkC;IAClC,mCAAmC;IACnC,iCAAiC;IACjC,qBAAqB;CACtB,CAAC,CAAC"}

package/dist/infrastructure/settings/settings-service.d.ts

@@ -0,0 +1,82 @@
+/**
+ * SettingsService -- operational settings CRUD with DB > config.toml > default fallback.
+ *
+ * Provides get/set/getAll/getAllMasked/importFromConfig/setMany for daemon settings.
+ *
+ * Fallback chain for get(key):
+ *   1. DB settings table (encrypted values auto-decrypted)
+ *   2. DaemonConfig object (already includes config.toml + env overrides + Zod defaults)
+ *   3. SETTING_DEFINITIONS defaultValue (last resort)
+ *
+ * Credential values (isCredential=true) are AES-256-GCM encrypted before DB storage
+ * and auto-decrypted on retrieval using HKDF-derived subkey from master password.
+ *
+ * @see setting-keys.ts for SETTING_DEFINITIONS (SSoT)
+ * @see settings-crypto.ts for AES-GCM encrypt/decrypt
+ */
+import type { BetterSQLite3Database } from 'drizzle-orm/better-sqlite3';
+import type * as schema from '../database/schema.js';
+import type { DaemonConfig } from '../config/loader.js';
+export interface SettingsServiceOptions {
+    db: BetterSQLite3Database<typeof schema>;
+    config: DaemonConfig;
+    masterPassword: string;
+}
+export declare class SettingsService {
+    private readonly db;
+    private readonly config;
+    private readonly masterPassword;
+    constructor(opts: SettingsServiceOptions);
+    /**
+     * Get a single setting value with fallback chain:
+     * DB (auto-decrypt credentials) -> config.toml -> SETTING_DEFINITIONS default.
+     *
+     * @throws WAIaaSError if key is not defined in SETTING_DEFINITIONS
+     */
+    get(key: string): string;
+    /**
+     * Set a single setting value. Credential keys are auto-encrypted with AES-GCM.
+     *
+     * @throws WAIaaSError if key is not defined in SETTING_DEFINITIONS
+     */
+    set(key: string, value: string): void;
+    /**
+     * Set multiple settings at once. Each entry is validated and auto-encrypted if credential.
+     */
+    setMany(entries: Array<{
+        key: string;
+        value: string;
+    }>): void;
+    /**
+     * Get all settings grouped by category. Credential values are decrypted.
+     * For each defined key: DB value > config.toml value > default.
+     */
+    getAll(): Record<string, Record<string, string>>;
+    /**
+     * Get all settings grouped by category. Credential values are masked:
+     * - Non-empty credential -> true
+     * - Empty credential -> false
+     * - Non-credential -> actual value
+     */
+    getAllMasked(): Record<string, Record<string, string | boolean>>;
+    /**
+     * Import config.toml operational settings into DB.
+     * Only imports keys that:
+     * - Are NOT already in DB (preserves existing values)
+     * - Have a config.toml value different from the default
+     *
+     * Credential values are auto-encrypted during import.
+     *
+     * @returns Count of imported and skipped keys
+     */
+    importFromConfig(): {
+        imported: number;
+        skipped: number;
+    };
+    /**
+     * Look up a value from the DaemonConfig object by configPath.
+     * configPath format: "section.field" (e.g., "notifications.telegram_bot_token")
+     */
+    private getConfigValue;
+}
+//# sourceMappingURL=settings-service.d.ts.map

package/dist/infrastructure/settings/settings-service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"settings-service.d.ts","sourceRoot":"","sources":["../../../src/infrastructure/settings/settings-service.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAGH,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,4BAA4B,CAAC;AAExE,OAAO,KAAK,KAAK,MAAM,MAAM,uBAAuB,CAAC;AAErD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AASxD,MAAM,WAAW,sBAAsB;IACrC,EAAE,EAAE,qBAAqB,CAAC,OAAO,MAAM,CAAC,CAAC;IACzC,MAAM,EAAE,YAAY,CAAC;IACrB,cAAc,EAAE,MAAM,CAAC;CACxB;AAED,qBAAa,eAAe;IAC1B,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAuC;IAC1D,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAe;IACtC,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAS;gBAE5B,IAAI,EAAE,sBAAsB;IAUxC;;;;;OAKG;IACH,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM;IA+BxB;;;;OAIG;IACH,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI;IAqCrC;;OAEG;IACH,OAAO,CAAC,OAAO,EAAE,KAAK,CAAC;QAAE,GAAG,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC,GAAG,IAAI;IAU7D;;;OAGG;IACH,MAAM,IAAI,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAqChD;;;;;OAKG;IACH,YAAY,IAAI,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,CAAC;IAkDhE;;;;;;;;;OASG;IACH,gBAAgB,IAAI;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE;IA6CzD;;;OAGG;IACH,OAAO,CAAC,cAAc;CAevB"}

package/dist/infrastructure/settings/settings-service.js

@@ -0,0 +1,267 @@
+/**
+ * SettingsService -- operational settings CRUD with DB > config.toml > default fallback.
+ *
+ * Provides get/set/getAll/getAllMasked/importFromConfig/setMany for daemon settings.
+ *
+ * Fallback chain for get(key):
+ *   1. DB settings table (encrypted values auto-decrypted)
+ *   2. DaemonConfig object (already includes config.toml + env overrides + Zod defaults)
+ *   3. SETTING_DEFINITIONS defaultValue (last resort)
+ *
+ * Credential values (isCredential=true) are AES-256-GCM encrypted before DB storage
+ * and auto-decrypted on retrieval using HKDF-derived subkey from master password.
+ *
+ * @see setting-keys.ts for SETTING_DEFINITIONS (SSoT)
+ * @see settings-crypto.ts for AES-GCM encrypt/decrypt
+ */
+import { eq } from 'drizzle-orm';
+import { WAIaaSError } from '@waiaas/core';
+import { settings } from '../database/schema.js';
+import { SETTING_DEFINITIONS, SETTING_CATEGORIES, getSettingDefinition } from './setting-keys.js';
+import { encryptSettingValue, decryptSettingValue } from './settings-crypto.js';
+export class SettingsService {
+    db;
+    config;
+    masterPassword;
+    constructor(opts) {
+        this.db = opts.db;
+        this.config = opts.config;
+        this.masterPassword = opts.masterPassword;
+    }
+    // -------------------------------------------------------------------------
+    // get(key) -- DB > config.toml > default fallback
+    // -------------------------------------------------------------------------
+    /**
+     * Get a single setting value with fallback chain:
+     * DB (auto-decrypt credentials) -> config.toml -> SETTING_DEFINITIONS default.
+     *
+     * @throws WAIaaSError if key is not defined in SETTING_DEFINITIONS
+     */
+    get(key) {
+        const def = getSettingDefinition(key);
+        if (!def) {
+            throw new WAIaaSError('ACTION_VALIDATION_FAILED', {
+                message: `Unknown setting key: ${key}`,
+            });
+        }
+        // 1. Check DB
+        const row = this.db.select().from(settings).where(eq(settings.key, key)).get();
+        if (row) {
+            if (row.encrypted) {
+                return decryptSettingValue(row.value, this.masterPassword);
+            }
+            return row.value;
+        }
+        // 2. Check config.toml (DaemonConfig already has env overrides + Zod defaults)
+        const configValue = this.getConfigValue(def);
+        if (configValue !== undefined) {
+            return String(configValue);
+        }
+        // 3. Return definition default
+        return def.defaultValue;
+    }
+    // -------------------------------------------------------------------------
+    // set(key, value) -- UPSERT, auto-encrypt credentials
+    // -------------------------------------------------------------------------
+    /**
+     * Set a single setting value. Credential keys are auto-encrypted with AES-GCM.
+     *
+     * @throws WAIaaSError if key is not defined in SETTING_DEFINITIONS
+     */
+    set(key, value) {
+        const def = getSettingDefinition(key);
+        if (!def) {
+            throw new WAIaaSError('ACTION_VALIDATION_FAILED', {
+                message: `Unknown setting key: ${key}`,
+            });
+        }
+        const isCredential = def.isCredential;
+        const storedValue = isCredential
+            ? encryptSettingValue(value, this.masterPassword)
+            : value;
+        this.db
+            .insert(settings)
+            .values({
+            key,
+            value: storedValue,
+            encrypted: isCredential,
+            category: def.category,
+            updatedAt: new Date(),
+        })
+            .onConflictDoUpdate({
+            target: settings.key,
+            set: {
+                value: storedValue,
+                encrypted: isCredential,
+                updatedAt: new Date(),
+            },
+        })
+            .run();
+    }
+    // -------------------------------------------------------------------------
+    // setMany(entries) -- batch set
+    // -------------------------------------------------------------------------
+    /**
+     * Set multiple settings at once. Each entry is validated and auto-encrypted if credential.
+     */
+    setMany(entries) {
+        for (const entry of entries) {
+            this.set(entry.key, entry.value);
+        }
+    }
+    // -------------------------------------------------------------------------
+    // getAll() -- all settings grouped by category, credentials decrypted
+    // -------------------------------------------------------------------------
+    /**
+     * Get all settings grouped by category. Credential values are decrypted.
+     * For each defined key: DB value > config.toml value > default.
+     */
+    getAll() {
+        const result = {};
+        // Initialize categories
+        for (const cat of SETTING_CATEGORIES) {
+            result[cat] = {};
+        }
+        // Fetch all DB rows for O(1) lookup
+        const dbRows = this.db.select().from(settings).all();
+        const dbMap = new Map(dbRows.map((r) => [r.key, r]));
+        for (const def of SETTING_DEFINITIONS) {
+            const fieldName = def.key.split('.').slice(1).join('.');
+            const row = dbMap.get(def.key);
+            const catObj = result[def.category];
+            if (row) {
+                catObj[fieldName] = row.encrypted
+                    ? decryptSettingValue(row.value, this.masterPassword)
+                    : row.value;
+            }
+            else {
+                // Fallback: config.toml -> default
+                const configValue = this.getConfigValue(def);
+                catObj[fieldName] = configValue !== undefined
+                    ? String(configValue)
+                    : def.defaultValue;
+            }
+        }
+        return result;
+    }
+    // -------------------------------------------------------------------------
+    // getAllMasked() -- all settings grouped by category, credentials masked
+    // -------------------------------------------------------------------------
+    /**
+     * Get all settings grouped by category. Credential values are masked:
+     * - Non-empty credential -> true
+     * - Empty credential -> false
+     * - Non-credential -> actual value
+     */
+    getAllMasked() {
+        const result = {};
+        for (const cat of SETTING_CATEGORIES) {
+            result[cat] = {};
+        }
+        const dbRows = this.db.select().from(settings).all();
+        const dbMap = new Map(dbRows.map((r) => [r.key, r]));
+        for (const def of SETTING_DEFINITIONS) {
+            const fieldName = def.key.split('.').slice(1).join('.');
+            const row = dbMap.get(def.key);
+            const catObj = result[def.category];
+            if (def.isCredential) {
+                if (row) {
+                    // Credential in DB: mask as boolean (has value = true)
+                    try {
+                        const decrypted = decryptSettingValue(row.value, this.masterPassword);
+                        catObj[fieldName] = decrypted !== '';
+                    }
+                    catch {
+                        catObj[fieldName] = false;
+                    }
+                }
+                else {
+                    // Credential not in DB: check config fallback
+                    const configValue = this.getConfigValue(def);
+                    const val = configValue !== undefined ? String(configValue) : def.defaultValue;
+                    catObj[fieldName] = val !== '';
+                }
+            }
+            else {
+                // Non-credential: return actual value
+                if (row) {
+                    catObj[fieldName] = row.value;
+                }
+                else {
+                    const configValue = this.getConfigValue(def);
+                    catObj[fieldName] = configValue !== undefined
+                        ? String(configValue)
+                        : def.defaultValue;
+                }
+            }
+        }
+        return result;
+    }
+    // -------------------------------------------------------------------------
+    // importFromConfig() -- first-boot config.toml -> DB import
+    // -------------------------------------------------------------------------
+    /**
+     * Import config.toml operational settings into DB.
+     * Only imports keys that:
+     * - Are NOT already in DB (preserves existing values)
+     * - Have a config.toml value different from the default
+     *
+     * Credential values are auto-encrypted during import.
+     *
+     * @returns Count of imported and skipped keys
+     */
+    importFromConfig() {
+        let imported = 0;
+        let skipped = 0;
+        for (const def of SETTING_DEFINITIONS) {
+            // Check if already in DB
+            const existing = this.db.select().from(settings).where(eq(settings.key, def.key)).get();
+            if (existing) {
+                skipped++;
+                continue;
+            }
+            // Get config.toml value
+            const configValue = this.getConfigValue(def);
+            if (configValue === undefined) {
+                skipped++;
+                continue;
+            }
+            const strValue = String(configValue);
+            // Skip if value equals default (don't fill DB with defaults)
+            if (strValue === def.defaultValue) {
+                skipped++;
+                continue;
+            }
+            // Skip empty strings (no value to import)
+            if (strValue === '') {
+                skipped++;
+                continue;
+            }
+            // Import: use set() which handles encryption
+            this.set(def.key, strValue);
+            imported++;
+        }
+        return { imported, skipped };
+    }
+    // -------------------------------------------------------------------------
+    // Private: config.toml value lookup
+    // -------------------------------------------------------------------------
+    /**
+     * Look up a value from the DaemonConfig object by configPath.
+     * configPath format: "section.field" (e.g., "notifications.telegram_bot_token")
+     */
+    getConfigValue(def) {
+        const parts = def.configPath.split('.');
+        if (parts.length < 2)
+            return undefined;
+        const section = parts[0];
+        const field = parts.slice(1).join('_'); // rejoin in case of multi-part field names
+        const sectionObj = this.config[section];
+        if (sectionObj === undefined || sectionObj === null || typeof sectionObj !== 'object') {
+            return undefined;
+        }
+        const value = sectionObj[field];
+        return value;
+    }
+}
+//# sourceMappingURL=settings-service.js.map

package/dist/infrastructure/settings/settings-service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"settings-service.js","sourceRoot":"","sources":["../../../src/infrastructure/settings/settings-service.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,EAAE,EAAE,EAAE,MAAM,aAAa,CAAC;AAEjC,OAAO,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAE3C,OAAO,EAAE,QAAQ,EAAE,MAAM,uBAAuB,CAAC;AAEjD,OAAO,EAAE,mBAAmB,EAAE,kBAAkB,EAAE,oBAAoB,EAAE,MAAM,mBAAmB,CAAC;AAElG,OAAO,EAAE,mBAAmB,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAC;AAYhF,MAAM,OAAO,eAAe;IACT,EAAE,CAAuC;IACzC,MAAM,CAAe;IACrB,cAAc,CAAS;IAExC,YAAY,IAA4B;QACtC,IAAI,CAAC,EAAE,GAAG,IAAI,CAAC,EAAE,CAAC;QAClB,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC;QAC1B,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC,cAAc,CAAC;IAC5C,CAAC;IAED,4EAA4E;IAC5E,kDAAkD;IAClD,4EAA4E;IAE5E;;;;;OAKG;IACH,GAAG,CAAC,GAAW;QACb,MAAM,GAAG,GAAG,oBAAoB,CAAC,GAAG,CAAC,CAAC;QACtC,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,MAAM,IAAI,WAAW,CAAC,0BAA0B,EAAE;gBAChD,OAAO,EAAE,wBAAwB,GAAG,EAAE;aACvC,CAAC,CAAC;QACL,CAAC;QAED,cAAc;QACd,MAAM,GAAG,GAAG,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,KAAK,CAAC,EAAE,CAAC,QAAQ,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC;QAC/E,IAAI,GAAG,EAAE,CAAC;YACR,IAAI,GAAG,CAAC,SAAS,EAAE,CAAC;gBAClB,OAAO,mBAAmB,CAAC,GAAG,CAAC,KAAK,EAAE,IAAI,CAAC,cAAc,CAAC,CAAC;YAC7D,CAAC;YACD,OAAO,GAAG,CAAC,KAAK,CAAC;QACnB,CAAC;QAED,+EAA+E;QAC/E,MAAM,WAAW,GAAG,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC;QAC7C,IAAI,WAAW,KAAK,SAAS,EAAE,CAAC;YAC9B,OAAO,MAAM,CAAC,WAAW,CAAC,CAAC;QAC7B,CAAC;QAED,+BAA+B;QAC/B,OAAO,GAAG,CAAC,YAAY,CAAC;IAC1B,CAAC;IAED,4EAA4E;IAC5E,sDAAsD;IACtD,4EAA4E;IAE5E;;;;OAIG;IACH,GAAG,CAAC,GAAW,EAAE,KAAa;QAC5B,MAAM,GAAG,GAAG,oBAAoB,CAAC,GAAG,CAAC,CAAC;QACtC,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,MAAM,IAAI,WAAW,CAAC,0BAA0B,EAAE;gBAChD,OAAO,EAAE,wBAAwB,GAAG,EAAE;aACvC,CAAC,CAAC;QACL,CAAC;QAED,MAAM,YAAY,GAAG,GAAG,CAAC,YAAY,CAAC;QACtC,MAAM,WAAW,GAAG,YAAY;YAC9B,CAAC,CAAC,mBAAmB,CAAC,KAAK,EAAE,IAAI,CAAC,cAAc,CAAC;YACjD,CAAC,CAAC,KAAK,CAAC;QAEV,IAAI,CAAC,EAAE;aACJ,MAAM,CAAC,QAAQ,CAAC;aAChB,MAAM,CAAC;YACN,GAAG;YACH,KAAK,EAAE,WAAW;YAClB,SAAS,EAAE,YAAY;YACvB,QAAQ,EAAE,GAAG,CAAC,QAAQ;YACtB,SAAS,EAAE,IAAI,IAAI,EAAE;SACtB,CAAC;aACD,kBAAkB,CAAC;YAClB,MAAM,EAAE,QAAQ,CAAC,GAAG;YACpB,GAAG,EAAE;gBACH,KAAK,EAAE,WAAW;gBAClB,SAAS,EAAE,YAAY;gBACvB,SAAS,EAAE,IAAI,IAAI,EAAE;aACtB;SACF,CAAC;aACD,GAAG,EAAE,CAAC;IACX,CAAC;IAED,4EAA4E;IAC5E,gCAAgC;IAChC,4EAA4E;IAE5E;;OAEG;IACH,OAAO,CAAC,OAA8C;QACpD,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;YAC5B,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;QACnC,CAAC;IACH,CAAC;IAED,4EAA4E;IAC5E,sEAAsE;IACtE,4EAA4E;IAE5E;;;OAGG;IACH,MAAM;QACJ,MAAM,MAAM,GAA2C,EAAE,CAAC;QAE1D,wBAAwB;QACxB,KAAK,MAAM,GAAG,IAAI,kBAAkB,EAAE,CAAC;YACrC,MAAM,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC;QACnB,CAAC;QAED,oCAAoC;QACpC,MAAM,MAAM,GAAG,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,GAAG,EAAE,CAAC;QACrD,MAAM,KAAK,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;QAErD,KAAK,MAAM,GAAG,IAAI,mBAAmB,EAAE,CAAC;YACtC,MAAM,SAAS,GAAG,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACxD,MAAM,GAAG,GAAG,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YAC/B,MAAM,MAAM,GAAG,MAAM,CAAC,GAAG,CAAC,QAAQ,CAAE,CAAC;YAErC,IAAI,GAAG,EAAE,CAAC;gBACR,MAAM,CAAC,SAAS,CAAC,GAAG,GAAG,CAAC,SAAS;oBAC/B,CAAC,CAAC,mBAAmB,CAAC,GAAG,CAAC,KAAK,EAAE,IAAI,CAAC,cAAc,CAAC;oBACrD,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC;YAChB,CAAC;iBAAM,CAAC;gBACN,mCAAmC;gBACnC,MAAM,WAAW,GAAG,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC;gBAC7C,MAAM,CAAC,SAAS,CAAC,GAAG,WAAW,KAAK,SAAS;oBAC3C,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC;oBACrB,CAAC,CAAC,GAAG,CAAC,YAAY,CAAC;YACvB,CAAC;QACH,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,4EAA4E;IAC5E,yEAAyE;IACzE,4EAA4E;IAE5E;;;;;OAKG;IACH,YAAY;QACV,MAAM,MAAM,GAAqD,EAAE,CAAC;QAEpE,KAAK,MAAM,GAAG,IAAI,kBAAkB,EAAE,CAAC;YACrC,MAAM,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC;QACnB,CAAC;QAED,MAAM,MAAM,GAAG,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,GAAG,EAAE,CAAC;QACrD,MAAM,KAAK,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;QAErD,KAAK,MAAM,GAAG,IAAI,mBAAmB,EAAE,CAAC;YACtC,MAAM,SAAS,GAAG,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACxD,MAAM,GAAG,GAAG,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YAC/B,MAAM,MAAM,GAAG,MAAM,CAAC,GAAG,CAAC,QAAQ,CAAE,CAAC;YAErC,IAAI,GAAG,CAAC,YAAY,EAAE,CAAC;gBACrB,IAAI,GAAG,EAAE,CAAC;oBACR,uDAAuD;oBACvD,IAAI,CAAC;wBACH,MAAM,SAAS,GAAG,mBAAmB,CAAC,GAAG,CAAC,KAAK,EAAE,IAAI,CAAC,cAAc,CAAC,CAAC;wBACtE,MAAM,CAAC,SAAS,CAAC,GAAG,SAAS,KAAK,EAAE,CAAC;oBACvC,CAAC;oBAAC,MAAM,CAAC;wBACP,MAAM,CAAC,SAAS,CAAC,GAAG,KAAK,CAAC;oBAC5B,CAAC;gBACH,CAAC;qBAAM,CAAC;oBACN,8CAA8C;oBAC9C,MAAM,WAAW,GAAG,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC;oBAC7C,MAAM,GAAG,GAAG,WAAW,KAAK,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,YAAY,CAAC;oBAC/E,MAAM,CAAC,SAAS,CAAC,GAAG,GAAG,KAAK,EAAE,CAAC;gBACjC,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,sCAAsC;gBACtC,IAAI,GAAG,EAAE,CAAC;oBACR,MAAM,CAAC,SAAS,CAAC,GAAG,GAAG,CAAC,KAAK,CAAC;gBAChC,CAAC;qBAAM,CAAC;oBACN,MAAM,WAAW,GAAG,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC;oBAC7C,MAAM,CAAC,SAAS,CAAC,GAAG,WAAW,KAAK,SAAS;wBAC3C,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC;wBACrB,CAAC,CAAC,GAAG,CAAC,YAAY,CAAC;gBACvB,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,4EAA4E;IAC5E,4DAA4D;IAC5D,4EAA4E;IAE5E;;;;;;;;;OASG;IACH,gBAAgB;QACd,IAAI,QAAQ,GAAG,CAAC,CAAC;QACjB,IAAI,OAAO,GAAG,CAAC,CAAC;QAEhB,KAAK,MAAM,GAAG,IAAI,mBAAmB,EAAE,CAAC;YACtC,yBAAyB;YACzB,MAAM,QAAQ,GAAG,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,KAAK,CAAC,EAAE,CAAC,QAAQ,CAAC,GAAG,EAAE,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC;YACxF,IAAI,QAAQ,EAAE,CAAC;gBACb,OAAO,EAAE,CAAC;gBACV,SAAS;YACX,CAAC;YAED,wBAAwB;YACxB,MAAM,WAAW,GAAG,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC;YAC7C,IAAI,WAAW,KAAK,SAAS,EAAE,CAAC;gBAC9B,OAAO,EAAE,CAAC;gBACV,SAAS;YACX,CAAC;YAED,MAAM,QAAQ,GAAG,MAAM,CAAC,WAAW,CAAC,CAAC;YAErC,6DAA6D;YAC7D,IAAI,QAAQ,KAAK,GAAG,CAAC,YAAY,EAAE,CAAC;gBAClC,OAAO,EAAE,CAAC;gBACV,SAAS;YACX,CAAC;YAED,0CAA0C;YAC1C,IAAI,QAAQ,KAAK,EAAE,EAAE,CAAC;gBACpB,OAAO,EAAE,CAAC;gBACV,SAAS;YACX,CAAC;YAED,6CAA6C;YAC7C,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;YAC5B,QAAQ,EAAE,CAAC;QACb,CAAC;QAED,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC;IAC/B,CAAC;IAED,4EAA4E;IAC5E,oCAAoC;IACpC,4EAA4E;IAE5E;;;OAGG;IACK,cAAc,CAAC,GAAsB;QAC3C,MAAM,KAAK,GAAG,GAAG,CAAC,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACxC,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC;YAAE,OAAO,SAAS,CAAC;QAEvC,MAAM,OAAO,GAAG,KAAK,CAAC,CAAC,CAAuB,CAAC;QAC/C,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,2CAA2C;QAEnF,MAAM,UAAU,GAAG,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QACxC,IAAI,UAAU,KAAK,SAAS,IAAI,UAAU,KAAK,IAAI,IAAI,OAAO,UAAU,KAAK,QAAQ,EAAE,CAAC;YACtF,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,MAAM,KAAK,GAAI,UAAsC,CAAC,KAAK,CAAC,CAAC;QAC7D,OAAO,KAAK,CAAC;IACf,CAAC;CACF"}

package/dist/infrastructure/telegram/index.d.ts

@@ -0,0 +1,6 @@
+export { TelegramBotService } from './telegram-bot-service.js';
+export { TelegramApi } from './telegram-api.js';
+export { TelegramAuth, PUBLIC_COMMANDS, READONLY_COMMANDS, ADMIN_COMMANDS } from './telegram-auth.js';
+export { buildConfirmKeyboard, buildWalletSelectKeyboard, buildApprovalKeyboard } from './telegram-keyboard.js';
+export type { TelegramUserRole } from './telegram-types.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/infrastructure/telegram/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/infrastructure/telegram/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AAC/D,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,YAAY,EAAE,eAAe,EAAE,iBAAiB,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AACtG,OAAO,EAAE,oBAAoB,EAAE,yBAAyB,EAAE,qBAAqB,EAAE,MAAM,wBAAwB,CAAC;AAChH,YAAY,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC"}

package/dist/infrastructure/telegram/index.js

@@ -0,0 +1,5 @@
+export { TelegramBotService } from './telegram-bot-service.js';
+export { TelegramApi } from './telegram-api.js';
+export { TelegramAuth, PUBLIC_COMMANDS, READONLY_COMMANDS, ADMIN_COMMANDS } from './telegram-auth.js';
+export { buildConfirmKeyboard, buildWalletSelectKeyboard, buildApprovalKeyboard } from './telegram-keyboard.js';
+//# sourceMappingURL=index.js.map

package/dist/infrastructure/telegram/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/infrastructure/telegram/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AAC/D,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,YAAY,EAAE,eAAe,EAAE,iBAAiB,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AACtG,OAAO,EAAE,oBAAoB,EAAE,yBAAyB,EAAE,qBAAqB,EAAE,MAAM,wBAAwB,CAAC"}