@waiaas/daemon 2.11.0-rc → 2.11.0-rc.13

package/dist/infrastructure/credential/credential-vault.js

@@ -0,0 +1,235 @@
+/**
+ * Credential Vault -- secure encrypted storage for external service credentials.
+ *
+ * ICredentialVault defines the interface for credential CRUD operations.
+ * LocalCredentialVault implements it using the local SQLite database with
+ * AES-256-GCM encryption (HKDF-derived key from master password).
+ *
+ * Resolution priority for name-based lookup:
+ *   1. Per-wallet credential (walletId + name match)
+ *   2. Global credential (walletId IS NULL + name match)
+ *
+ * @see docs/81-external-action-design.md D3.6 CredentialVault
+ */
+import { eq, and, isNull } from 'drizzle-orm';
+import { WAIaaSError } from '@waiaas/core';
+import { walletCredentials } from '../database/schema.js';
+import { generateId } from '../database/id.js';
+import { encryptCredential, decryptCredential } from './credential-crypto.js';
+// ---------------------------------------------------------------------------
+// Implementation
+// ---------------------------------------------------------------------------
+// UUID v7 regex (loose): 8-4-4-4-12 hex groups
+const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+/**
+ * Build AAD string for a credential row.
+ * Format: "{id}:{walletId|global}:{type}"
+ */
+function buildAad(id, walletId, type) {
+    return `${id}:${walletId ?? 'global'}:${type}`;
+}
+/**
+ * Convert a DB row to CredentialMetadata (without value).
+ */
+function toMetadata(row) {
+    return {
+        id: row.id,
+        walletId: row.walletId,
+        type: row.type,
+        name: row.name,
+        metadata: JSON.parse(row.metadata),
+        expiresAt: row.expiresAt,
+        createdAt: row.createdAt instanceof Date
+            ? Math.floor(row.createdAt.getTime() / 1000)
+            : row.createdAt,
+        updatedAt: row.updatedAt instanceof Date
+            ? Math.floor(row.updatedAt.getTime() / 1000)
+            : row.updatedAt,
+    };
+}
+export class LocalCredentialVault {
+    db;
+    getMasterPassword;
+    constructor(db, getMasterPassword) {
+        this.db = db;
+        this.getMasterPassword = getMasterPassword;
+    }
+    // -----------------------------------------------------------------------
+    // create
+    // -----------------------------------------------------------------------
+    async create(walletId, params) {
+        // Check for duplicate name in same scope
+        // (SQLite NULL != NULL for unique indexes, so global duplicates need manual check)
+        const existingCondition = walletId
+            ? and(eq(walletCredentials.walletId, walletId), eq(walletCredentials.name, params.name))
+            : and(isNull(walletCredentials.walletId), eq(walletCredentials.name, params.name));
+        const existing = this.db.select().from(walletCredentials).where(existingCondition).get();
+        if (existing) {
+            throw new WAIaaSError('ACTION_VALIDATION_FAILED', {
+                message: `Credential with name "${params.name}" already exists for this scope`,
+            });
+        }
+        const id = generateId();
+        const masterPassword = this.getMasterPassword();
+        const aad = buildAad(id, walletId, params.type);
+        const encrypted = encryptCredential(params.value, masterPassword, aad);
+        const now = new Date();
+        try {
+            this.db
+                .insert(walletCredentials)
+                .values({
+                id,
+                walletId,
+                type: params.type,
+                name: params.name,
+                encryptedValue: encrypted.encryptedValue,
+                iv: encrypted.iv,
+                authTag: encrypted.authTag,
+                metadata: JSON.stringify(params.metadata ?? {}),
+                expiresAt: params.expiresAt ?? null,
+                createdAt: now,
+                updatedAt: now,
+            })
+                .run();
+        }
+        catch (err) {
+            // SQLite UNIQUE constraint violation (belt-and-suspenders after pre-check above)
+            if (err instanceof Error && err.message.includes('UNIQUE constraint failed')) {
+                throw new WAIaaSError('ACTION_VALIDATION_FAILED', {
+                    message: `Credential with name "${params.name}" already exists for this scope`,
+                });
+            }
+            throw err;
+        }
+        return {
+            id,
+            walletId,
+            type: params.type,
+            name: params.name,
+            metadata: params.metadata ?? {},
+            expiresAt: params.expiresAt ?? null,
+            createdAt: Math.floor(now.getTime() / 1000),
+            updatedAt: Math.floor(now.getTime() / 1000),
+        };
+    }
+    // -----------------------------------------------------------------------
+    // get
+    // -----------------------------------------------------------------------
+    async get(ref, walletId) {
+        const row = await this.resolveRow(ref, walletId);
+        // Check expiry
+        if (row.expiresAt !== null) {
+            const nowSec = Math.floor(Date.now() / 1000);
+            if (row.expiresAt < nowSec) {
+                throw new WAIaaSError('CREDENTIAL_EXPIRED', {
+                    message: `Credential "${row.name}" has expired`,
+                });
+            }
+        }
+        const masterPassword = this.getMasterPassword();
+        const aad = buildAad(row.id, row.walletId, row.type);
+        const value = decryptCredential({
+            encryptedValue: row.encryptedValue,
+            iv: row.iv,
+            authTag: row.authTag,
+        }, masterPassword, aad);
+        return {
+            ...toMetadata(row),
+            value,
+        };
+    }
+    // -----------------------------------------------------------------------
+    // list
+    // -----------------------------------------------------------------------
+    async list(walletId) {
+        const condition = walletId
+            ? eq(walletCredentials.walletId, walletId)
+            : isNull(walletCredentials.walletId);
+        const rows = this.db
+            .select()
+            .from(walletCredentials)
+            .where(condition)
+            .all();
+        return rows.map(toMetadata);
+    }
+    // -----------------------------------------------------------------------
+    // delete
+    // -----------------------------------------------------------------------
+    async delete(ref) {
+        const row = await this.resolveRow(ref);
+        this.db.delete(walletCredentials).where(eq(walletCredentials.id, row.id)).run();
+    }
+    // -----------------------------------------------------------------------
+    // rotate
+    // -----------------------------------------------------------------------
+    async rotate(ref, newValue) {
+        const row = await this.resolveRow(ref);
+        const masterPassword = this.getMasterPassword();
+        const aad = buildAad(row.id, row.walletId, row.type);
+        const encrypted = encryptCredential(newValue, masterPassword, aad);
+        const now = new Date();
+        this.db
+            .update(walletCredentials)
+            .set({
+            encryptedValue: encrypted.encryptedValue,
+            iv: encrypted.iv,
+            authTag: encrypted.authTag,
+            updatedAt: now,
+        })
+            .where(eq(walletCredentials.id, row.id))
+            .run();
+        return {
+            ...toMetadata(row),
+            updatedAt: Math.floor(now.getTime() / 1000),
+        };
+    }
+    // -----------------------------------------------------------------------
+    // Internal helpers
+    // -----------------------------------------------------------------------
+    /**
+     * Resolve a credential reference to a DB row.
+     *
+     * Reference formats:
+     *   1. UUID (direct lookup)
+     *   2. Name string (per-wallet priority, then global fallback)
+     */
+    async resolveRow(ref, walletId) {
+        // 1. UUID direct lookup
+        if (UUID_RE.test(ref)) {
+            const row = this.db
+                .select()
+                .from(walletCredentials)
+                .where(eq(walletCredentials.id, ref))
+                .get();
+            if (!row) {
+                throw new WAIaaSError('CREDENTIAL_NOT_FOUND', {
+                    message: `Credential not found: ${ref}`,
+                });
+            }
+            return row;
+        }
+        // 2. Name-based resolution with per-wallet priority
+        if (walletId) {
+            // Try per-wallet first
+            const perWallet = this.db
+                .select()
+                .from(walletCredentials)
+                .where(and(eq(walletCredentials.walletId, walletId), eq(walletCredentials.name, ref)))
+                .get();
+            if (perWallet)
+                return perWallet;
+        }
+        // Try global fallback
+        const global = this.db
+            .select()
+            .from(walletCredentials)
+            .where(and(isNull(walletCredentials.walletId), eq(walletCredentials.name, ref)))
+            .get();
+        if (global)
+            return global;
+        throw new WAIaaSError('CREDENTIAL_NOT_FOUND', {
+            message: `Credential not found: ${ref}`,
+        });
+    }
+}
+//# sourceMappingURL=credential-vault.js.map

package/dist/infrastructure/credential/credential-vault.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"credential-vault.js","sourceRoot":"","sources":["../../../src/infrastructure/credential/credential-vault.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAE,EAAE,EAAE,GAAG,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAE9C,OAAO,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAE3C,OAAO,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAE1D,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAC/C,OAAO,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAc9E,8EAA8E;AAC9E,iBAAiB;AACjB,8EAA8E;AAE9E,+CAA+C;AAC/C,MAAM,OAAO,GAAG,iEAAiE,CAAC;AAElF;;;GAGG;AACH,SAAS,QAAQ,CAAC,EAAU,EAAE,QAAuB,EAAE,IAAY;IACjE,OAAO,GAAG,EAAE,IAAI,QAAQ,IAAI,QAAQ,IAAI,IAAI,EAAE,CAAC;AACjD,CAAC;AAED;;GAEG;AACH,SAAS,UAAU,CAAC,GAA0C;IAC5D,OAAO;QACL,EAAE,EAAE,GAAG,CAAC,EAAE;QACV,QAAQ,EAAE,GAAG,CAAC,QAAQ;QACtB,IAAI,EAAE,GAAG,CAAC,IAAkC;QAC5C,IAAI,EAAE,GAAG,CAAC,IAAI;QACd,QAAQ,EAAE,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,CAA4B;QAC7D,SAAS,EAAE,GAAG,CAAC,SAAS;QACxB,SAAS,EAAE,GAAG,CAAC,SAAS,YAAY,IAAI;YACtC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC;YAC5C,CAAC,CAAE,GAAG,CAAC,SAAoB;QAC7B,SAAS,EAAE,GAAG,CAAC,SAAS,YAAY,IAAI;YACtC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC;YAC5C,CAAC,CAAE,GAAG,CAAC,SAAoB;KAC9B,CAAC;AACJ,CAAC;AAED,MAAM,OAAO,oBAAoB;IAEZ;IACA;IAFnB,YACmB,EAAwC,EACxC,iBAA+B;QAD/B,OAAE,GAAF,EAAE,CAAsC;QACxC,sBAAiB,GAAjB,iBAAiB,CAAc;IAC/C,CAAC;IAEJ,0EAA0E;IAC1E,SAAS;IACT,0EAA0E;IAE1E,KAAK,CAAC,MAAM,CACV,QAAuB,EACvB,MAA8B;QAE9B,yCAAyC;QACzC,mFAAmF;QACnF,MAAM,iBAAiB,GAAG,QAAQ;YAChC,CAAC,CAAC,GAAG,CAAC,EAAE,CAAC,iBAAiB,CAAC,QAAQ,EAAE,QAAQ,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC;YACxF,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,iBAAiB,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC;QACrF,MAAM,QAAQ,GAAG,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAC,GAAG,EAAE,CAAC;QACzF,IAAI,QAAQ,EAAE,CAAC;YACb,MAAM,IAAI,WAAW,CAAC,0BAA0B,EAAE;gBAChD,OAAO,EAAE,yBAAyB,MAAM,CAAC,IAAI,iCAAiC;aAC/E,CAAC,CAAC;QACL,CAAC;QAED,MAAM,EAAE,GAAG,UAAU,EAAE,CAAC;QACxB,MAAM,cAAc,GAAG,IAAI,CAAC,iBAAiB,EAAE,CAAC;QAChD,MAAM,GAAG,GAAG,QAAQ,CAAC,EAAE,EAAE,QAAQ,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC;QAChD,MAAM,SAAS,GAAG,iBAAiB,CAAC,MAAM,CAAC,KAAK,EAAE,cAAc,EAAE,GAAG,CAAC,CAAC;QACvE,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;QAEvB,IAAI,CAAC;YACH,IAAI,CAAC,EAAE;iBACJ,MAAM,CAAC,iBAAiB,CAAC;iBACzB,MAAM,CAAC;gBACN,EAAE;gBACF,QAAQ;gBACR,IAAI,EAAE,MAAM,CAAC,IAAI;gBACjB,IAAI,EAAE,MAAM,CAAC,IAAI;gBACjB,cAAc,EAAE,SAAS,CAAC,cAAc;gBACxC,EAAE,EAAE,SAAS,CAAC,EAAE;gBAChB,OAAO,EAAE,SAAS,CAAC,OAAO;gBAC1B,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,QAAQ,IAAI,EAAE,CAAC;gBAC/C,SAAS,EAAE,MAAM,CAAC,SAAS,IAAI,IAAI;gBACnC,SAAS,EAAE,GAAG;gBACd,SAAS,EAAE,GAAG;aACf,CAAC;iBACD,GAAG,EAAE,CAAC;QACX,CAAC;QAAC,OAAO,GAAY,EAAE,CAAC;YACtB,iFAAiF;YACjF,IAAI,GAAG,YAAY,KAAK,IAAI,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,0BAA0B,CAAC,EAAE,CAAC;gBAC7E,MAAM,IAAI,WAAW,CAAC,0BAA0B,EAAE;oBAChD,OAAO,EAAE,yBAAyB,MAAM,CAAC,IAAI,iCAAiC;iBAC/E,CAAC,CAAC;YACL,CAAC;YACD,MAAM,GAAG,CAAC;QACZ,CAAC;QAED,OAAO;YACL,EAAE;YACF,QAAQ;YACR,IAAI,EAAE,MAAM,CAAC,IAAI;YACjB,IAAI,EAAE,MAAM,CAAC,IAAI;YACjB,QAAQ,EAAE,MAAM,CAAC,QAAQ,IAAI,EAAE;YAC/B,SAAS,EAAE,MAAM,CAAC,SAAS,IAAI,IAAI;YACnC,SAAS,EAAE,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC;YAC3C,SAAS,EAAE,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC;SAC5C,CAAC;IACJ,CAAC;IAED,0EAA0E;IAC1E,MAAM;IACN,0EAA0E;IAE1E,KAAK,CAAC,GAAG,CAAC,GAAW,EAAE,QAAiB;QACtC,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;QAEjD,eAAe;QACf,IAAI,GAAG,CAAC,SAAS,KAAK,IAAI,EAAE,CAAC;YAC3B,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;YAC7C,IAAI,GAAG,CAAC,SAAS,GAAG,MAAM,EAAE,CAAC;gBAC3B,MAAM,IAAI,WAAW,CAAC,oBAAoB,EAAE;oBAC1C,OAAO,EAAE,eAAe,GAAG,CAAC,IAAI,eAAe;iBAChD,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,MAAM,cAAc,GAAG,IAAI,CAAC,iBAAiB,EAAE,CAAC;QAChD,MAAM,GAAG,GAAG,QAAQ,CAAC,GAAG,CAAC,EAAE,EAAE,GAAG,CAAC,QAAQ,EAAE,GAAG,CAAC,IAAI,CAAC,CAAC;QACrD,MAAM,KAAK,GAAG,iBAAiB,CAC7B;YACE,cAAc,EAAE,GAAG,CAAC,cAAc;YAClC,EAAE,EAAE,GAAG,CAAC,EAAE;YACV,OAAO,EAAE,GAAG,CAAC,OAAO;SACrB,EACD,cAAc,EACd,GAAG,CACJ,CAAC;QAEF,OAAO;YACL,GAAG,UAAU,CAAC,GAAG,CAAC;YAClB,KAAK;SACN,CAAC;IACJ,CAAC;IAED,0EAA0E;IAC1E,OAAO;IACP,0EAA0E;IAE1E,KAAK,CAAC,IAAI,CAAC,QAAiB;QAC1B,MAAM,SAAS,GAAG,QAAQ;YACxB,CAAC,CAAC,EAAE,CAAC,iBAAiB,CAAC,QAAQ,EAAE,QAAQ,CAAC;YAC1C,CAAC,CAAC,MAAM,CAAC,iBAAiB,CAAC,QAAQ,CAAC,CAAC;QAEvC,MAAM,IAAI,GAAG,IAAI,CAAC,EAAE;aACjB,MAAM,EAAE;aACR,IAAI,CAAC,iBAAiB,CAAC;aACvB,KAAK,CAAC,SAAS,CAAC;aAChB,GAAG,EAAE,CAAC;QAET,OAAO,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IAC9B,CAAC;IAED,0EAA0E;IAC1E,SAAS;IACT,0EAA0E;IAE1E,KAAK,CAAC,MAAM,CAAC,GAAW;QACtB,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;QACvC,IAAI,CAAC,EAAE,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC,KAAK,CAAC,EAAE,CAAC,iBAAiB,CAAC,EAAE,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC;IAClF,CAAC;IAED,0EAA0E;IAC1E,SAAS;IACT,0EAA0E;IAE1E,KAAK,CAAC,MAAM,CAAC,GAAW,EAAE,QAAgB;QACxC,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;QACvC,MAAM,cAAc,GAAG,IAAI,CAAC,iBAAiB,EAAE,CAAC;QAChD,MAAM,GAAG,GAAG,QAAQ,CAAC,GAAG,CAAC,EAAE,EAAE,GAAG,CAAC,QAAQ,EAAE,GAAG,CAAC,IAAI,CAAC,CAAC;QACrD,MAAM,SAAS,GAAG,iBAAiB,CAAC,QAAQ,EAAE,cAAc,EAAE,GAAG,CAAC,CAAC;QACnE,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;QAEvB,IAAI,CAAC,EAAE;aACJ,MAAM,CAAC,iBAAiB,CAAC;aACzB,GAAG,CAAC;YACH,cAAc,EAAE,SAAS,CAAC,cAAc;YACxC,EAAE,EAAE,SAAS,CAAC,EAAE;YAChB,OAAO,EAAE,SAAS,CAAC,OAAO;YAC1B,SAAS,EAAE,GAAG;SACf,CAAC;aACD,KAAK,CAAC,EAAE,CAAC,iBAAiB,CAAC,EAAE,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC;aACvC,GAAG,EAAE,CAAC;QAET,OAAO;YACL,GAAG,UAAU,CAAC,GAAG,CAAC;YAClB,SAAS,EAAE,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC;SAC5C,CAAC;IACJ,CAAC;IAED,0EAA0E;IAC1E,mBAAmB;IACnB,0EAA0E;IAE1E;;;;;;OAMG;IACK,KAAK,CAAC,UAAU,CACtB,GAAW,EACX,QAAiB;QAEjB,wBAAwB;QACxB,IAAI,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;YACtB,MAAM,GAAG,GAAG,IAAI,CAAC,EAAE;iBAChB,MAAM,EAAE;iBACR,IAAI,CAAC,iBAAiB,CAAC;iBACvB,KAAK,CAAC,EAAE,CAAC,iBAAiB,CAAC,EAAE,EAAE,GAAG,CAAC,CAAC;iBACpC,GAAG,EAAE,CAAC;YACT,IAAI,CAAC,GAAG,EAAE,CAAC;gBACT,MAAM,IAAI,WAAW,CAAC,sBAAsB,EAAE;oBAC5C,OAAO,EAAE,yBAAyB,GAAG,EAAE;iBACxC,CAAC,CAAC;YACL,CAAC;YACD,OAAO,GAAG,CAAC;QACb,CAAC;QAED,oDAAoD;QACpD,IAAI,QAAQ,EAAE,CAAC;YACb,uBAAuB;YACvB,MAAM,SAAS,GAAG,IAAI,CAAC,EAAE;iBACtB,MAAM,EAAE;iBACR,IAAI,CAAC,iBAAiB,CAAC;iBACvB,KAAK,CACJ,GAAG,CACD,EAAE,CAAC,iBAAiB,CAAC,QAAQ,EAAE,QAAQ,CAAC,EACxC,EAAE,CAAC,iBAAiB,CAAC,IAAI,EAAE,GAAG,CAAC,CAChC,CACF;iBACA,GAAG,EAAE,CAAC;YACT,IAAI,SAAS;gBAAE,OAAO,SAAS,CAAC;QAClC,CAAC;QAED,sBAAsB;QACtB,MAAM,MAAM,GAAG,IAAI,CAAC,EAAE;aACnB,MAAM,EAAE;aACR,IAAI,CAAC,iBAAiB,CAAC;aACvB,KAAK,CACJ,GAAG,CACD,MAAM,CAAC,iBAAiB,CAAC,QAAQ,CAAC,EAClC,EAAE,CAAC,iBAAiB,CAAC,IAAI,EAAE,GAAG,CAAC,CAChC,CACF;aACA,GAAG,EAAE,CAAC;QACT,IAAI,MAAM;YAAE,OAAO,MAAM,CAAC;QAE1B,MAAM,IAAI,WAAW,CAAC,sBAAsB,EAAE;YAC5C,OAAO,EAAE,yBAAyB,GAAG,EAAE;SACxC,CAAC,CAAC;IACL,CAAC;CACF"}

package/dist/infrastructure/credential/index.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Credential vault module barrel export.
+ */
+export { deriveCredentialKey, encryptCredential, decryptCredential, type EncryptedCredentialData, } from './credential-crypto.js';
+export { type ICredentialVault, LocalCredentialVault, } from './credential-vault.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/infrastructure/credential/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/infrastructure/credential/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EACL,mBAAmB,EACnB,iBAAiB,EACjB,iBAAiB,EACjB,KAAK,uBAAuB,GAC7B,MAAM,wBAAwB,CAAC;AAEhC,OAAO,EACL,KAAK,gBAAgB,EACrB,oBAAoB,GACrB,MAAM,uBAAuB,CAAC"}

package/dist/infrastructure/credential/index.js

@@ -0,0 +1,6 @@
+/**
+ * Credential vault module barrel export.
+ */
+export { deriveCredentialKey, encryptCredential, decryptCredential, } from './credential-crypto.js';
+export { LocalCredentialVault, } from './credential-vault.js';
+//# sourceMappingURL=index.js.map

package/dist/infrastructure/credential/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/infrastructure/credential/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EACL,mBAAmB,EACnB,iBAAiB,EACjB,iBAAiB,GAElB,MAAM,wBAAwB,CAAC;AAEhC,OAAO,EAEL,oBAAoB,GACrB,MAAM,uBAAuB,CAAC"}

package/dist/infrastructure/database/migrate.d.ts

@@ -28,7 +28,7 @@ import type { Database } from 'better-sqlite3';
  * pushSchema() records this version for fresh databases so migrations are skipped.
  * Increment this whenever DDL statements are updated to match a new migration.
  */
-export declare const LATEST_SCHEMA_VERSION = 54;
+export declare const LATEST_SCHEMA_VERSION = 58;
 /** A single incremental migration (ALTER TABLE, CREATE INDEX, etc.). */
 export interface Migration {
     /** Monotonically increasing version number (must be > 1, since version 1 = initial schema). */

package/dist/infrastructure/database/migrate.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"migrate.d.ts","sourceRoot":"","sources":["../../../src/infrastructure/database/migrate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAEH,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AAmD/C;;;;GAIG;AACH,eAAO,MAAM,qBAAqB,KAAK,CAAC;AA0kBxC,wEAAwE;AACxE,MAAM,WAAW,SAAS;IACxB,+FAA+F;IAC/F,OAAO,EAAE,MAAM,CAAC;IAChB,2DAA2D;IAC3D,WAAW,EAAE,MAAM,CAAC;IACpB;;;;OAIG;IACH,qBAAqB,CAAC,EAAE,OAAO,CAAC;IAChC,2FAA2F;IAC3F,EAAE,EAAE,CAAC,MAAM,EAAE,QAAQ,KAAK,IAAI,CAAC;CAChC;AAED;;;GAGG;AACH,eAAO,MAAM,UAAU,EAAE,SAAS,EAAO,CAAC;AAm2E1C;;;;;;;;;;;GAWG;AACH,wBAAgB,aAAa,CAC3B,MAAM,EAAE,QAAQ,EAChB,UAAU,GAAE,SAAS,EAAe,GACnC;IAAE,OAAO,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAgFtC;AAMD;;;;;;GAMG;AACH,wBAAgB,UAAU,CAAC,MAAM,EAAE,QAAQ,GAAG,IAAI,CAsGjD"}
+{"version":3,"file":"migrate.d.ts","sourceRoot":"","sources":["../../../src/infrastructure/database/migrate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAEH,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AAmD/C;;;;GAIG;AACH,eAAO,MAAM,qBAAqB,KAAK,CAAC;AA4mBxC,wEAAwE;AACxE,MAAM,WAAW,SAAS;IACxB,+FAA+F;IAC/F,OAAO,EAAE,MAAM,CAAC;IAChB,2DAA2D;IAC3D,WAAW,EAAE,MAAM,CAAC;IACpB;;;;OAIG;IACH,qBAAqB,CAAC,EAAE,OAAO,CAAC;IAChC,2FAA2F;IAC3F,EAAE,EAAE,CAAC,MAAM,EAAE,QAAQ,KAAK,IAAI,CAAC;CAChC;AAED;;;GAGG;AACH,eAAO,MAAM,UAAU,EAAE,SAAS,EAAO,CAAC;AAghF1C;;;;;;;;;;;GAWG;AACH,wBAAgB,aAAa,CAC3B,MAAM,EAAE,QAAQ,EAChB,UAAU,GAAE,SAAS,EAAe,GACnC;IAAE,OAAO,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAgFtC;AAMD;;;;;;GAMG;AACH,wBAAgB,UAAU,CAAC,MAAM,EAAE,QAAQ,GAAG,IAAI,CAsGjD"}

package/dist/infrastructure/database/migrate.js

@@ -47,14 +47,14 @@ const LEGACY_NETWORK_NORMALIZE = {
     testnet: 'solana-testnet',
 };
 // ---------------------------------------------------------------------------
-// DDL statements for all 30 tables (latest schema: wallets + wallet_id + session_wallets + token_registry + settings + telegram_users + wc_sessions + wc_store + incoming_transactions + incoming_tx_cursors + defi_positions + wallet_apps + webhooks + webhook_logs + agent_identities + reputation_cache + nft_metadata_cache + userop_builds + hyperliquid_orders + hyperliquid_sub_accounts + polymarket_orders + polymarket_positions + polymarket_api_keys)
+// DDL statements for all 31 tables (latest schema: wallets + wallet_id + session_wallets + token_registry + settings + telegram_users + wc_sessions + wc_store + incoming_transactions + incoming_tx_cursors + defi_positions + wallet_apps + webhooks + webhook_logs + agent_identities + reputation_cache + nft_metadata_cache + userop_builds + hyperliquid_orders + hyperliquid_sub_accounts + polymarket_orders + polymarket_positions + polymarket_api_keys + wallet_credentials)
 // ---------------------------------------------------------------------------
 /**
  * The latest schema version that getCreateTableStatements() represents.
  * pushSchema() records this version for fresh databases so migrations are skipped.
  * Increment this whenever DDL statements are updated to match a new migration.
  */
-export const LATEST_SCHEMA_VERSION = 54;
+export const LATEST_SCHEMA_VERSION = 58;
 function getCreateTableStatements() {
     return [
         // Table 1: wallets (renamed from agents in v3, environment model in v6b, v29.3: default_network removed)
@@ -136,8 +136,12 @@ function getCreateTableStatements() {
   error TEXT,
   metadata TEXT,
   network TEXT CHECK (network IS NULL OR network IN (${inList(NETWORK_TYPES)})),
-  bridge_status TEXT CHECK (bridge_status IS NULL OR bridge_status IN ('PENDING', 'COMPLETED', 'FAILED', 'BRIDGE_MONITORING', 'TIMEOUT', 'REFUNDED')),
-  bridge_metadata TEXT
+  bridge_status TEXT CHECK (bridge_status IS NULL OR bridge_status IN ('PENDING', 'COMPLETED', 'FAILED', 'BRIDGE_MONITORING', 'TIMEOUT', 'REFUNDED', 'PARTIALLY_FILLED', 'FILLED', 'CANCELED', 'SETTLED', 'EXPIRED')),
+  bridge_metadata TEXT,
+  action_kind TEXT NOT NULL DEFAULT 'contractCall',
+  venue TEXT,
+  operation TEXT,
+  external_id TEXT
 )`,
         // Table 4: policies (network column added in v8)
         `CREATE TABLE IF NOT EXISTS policies (
@@ -472,6 +476,21 @@ function getCreateTableStatements() {
   proxy_address TEXT,
   created_at INTEGER NOT NULL DEFAULT (unixepoch()),
   UNIQUE(wallet_id)
+)`,
+        // Table 31: wallet_credentials (External Action credential vault, v55)
+        `CREATE TABLE IF NOT EXISTS wallet_credentials (
+  id TEXT NOT NULL PRIMARY KEY,
+  wallet_id TEXT,
+  type TEXT NOT NULL CHECK (type IN ('api-key','hmac-secret','rsa-private-key','session-token','custom')),
+  name TEXT NOT NULL,
+  encrypted_value BLOB NOT NULL,
+  iv BLOB NOT NULL,
+  auth_tag BLOB NOT NULL,
+  metadata TEXT NOT NULL DEFAULT '{}',
+  expires_at INTEGER,
+  created_at INTEGER NOT NULL DEFAULT (unixepoch()),
+  updated_at INTEGER NOT NULL DEFAULT (unixepoch()),
+  FOREIGN KEY (wallet_id) REFERENCES wallets(id) ON DELETE CASCADE
 )`,
     ];
 }
@@ -577,6 +596,17 @@ function getCreateIndexStatements() {
         'CREATE INDEX IF NOT EXISTS idx_pm_positions_condition ON polymarket_positions(condition_id)',
         'CREATE INDEX IF NOT EXISTS idx_pm_positions_resolved ON polymarket_positions(market_resolved)',
         // v54: polymarket_api_keys indexes (UNIQUE on wallet_id is inline)
+        // v55: wallet_credentials indexes
+        'CREATE UNIQUE INDEX IF NOT EXISTS idx_wallet_credentials_wallet_name ON wallet_credentials(wallet_id, name)',
+        'CREATE INDEX IF NOT EXISTS idx_wallet_credentials_global_name ON wallet_credentials(name) WHERE wallet_id IS NULL',
+        'CREATE INDEX IF NOT EXISTS idx_wallet_credentials_wallet_id ON wallet_credentials(wallet_id)',
+        'CREATE INDEX IF NOT EXISTS idx_wallet_credentials_expires_at ON wallet_credentials(expires_at) WHERE expires_at IS NOT NULL',
+        // v56: transactions action tracking indexes
+        'CREATE INDEX IF NOT EXISTS idx_transactions_action_kind ON transactions(action_kind)',
+        'CREATE INDEX IF NOT EXISTS idx_transactions_venue ON transactions(venue) WHERE venue IS NOT NULL',
+        'CREATE INDEX IF NOT EXISTS idx_transactions_external_id ON transactions(external_id) WHERE external_id IS NOT NULL',
+        // v57: composite index for external action tracking queries
+        'CREATE INDEX IF NOT EXISTS idx_transactions_action_kind_bridge_status ON transactions(action_kind, bridge_status) WHERE bridge_status IS NOT NULL',
     ];
 }
 /**
@@ -1659,7 +1689,7 @@ MIGRATIONS.push({
   error TEXT,
   metadata TEXT,
   network TEXT CHECK (network IS NULL OR network IN (${inList(NETWORK_TYPES_WITH_LEGACY)})),
-  bridge_status TEXT CHECK (bridge_status IS NULL OR bridge_status IN ('PENDING', 'COMPLETED', 'FAILED', 'BRIDGE_MONITORING', 'TIMEOUT', 'REFUNDED')),
+  bridge_status TEXT CHECK (bridge_status IS NULL OR bridge_status IN ('PENDING', 'COMPLETED', 'FAILED', 'BRIDGE_MONITORING', 'TIMEOUT', 'REFUNDED', 'PARTIALLY_FILLED', 'FILLED', 'CANCELED', 'SETTLED', 'EXPIRED')),
   bridge_metadata TEXT
 )`);
             // Step 2: Copy existing data (bridge_status and bridge_metadata default to NULL)
@@ -1953,7 +1983,7 @@ MIGRATIONS.push({
   error TEXT,
   metadata TEXT,
   network TEXT CHECK (network IS NULL OR network IN (${inList(NETWORK_TYPES)})),
-  bridge_status TEXT CHECK (bridge_status IS NULL OR bridge_status IN ('PENDING', 'COMPLETED', 'FAILED', 'BRIDGE_MONITORING', 'TIMEOUT', 'REFUNDED')),
+  bridge_status TEXT CHECK (bridge_status IS NULL OR bridge_status IN ('PENDING', 'COMPLETED', 'FAILED', 'BRIDGE_MONITORING', 'TIMEOUT', 'REFUNDED', 'PARTIALLY_FILLED', 'FILLED', 'CANCELED', 'SETTLED', 'EXPIRED')),
   bridge_metadata TEXT
 )`);
             sqlite.exec(`INSERT INTO transactions_new
@@ -2688,6 +2718,161 @@ MIGRATIONS.push({
         }
     },
 });
+// ---------------------------------------------------------------------------
+// v55: wallet_credentials table for External Action credential vault
+// ---------------------------------------------------------------------------
+MIGRATIONS.push({
+    version: 55,
+    description: 'Create wallet_credentials table for External Action credential vault',
+    up: (sqlite) => {
+        // Idempotent check
+        const tables = sqlite
+            .prepare("SELECT name FROM sqlite_master WHERE type='table' AND name='wallet_credentials'")
+            .all();
+        if (tables.length > 0)
+            return;
+        sqlite.exec(`
+      CREATE TABLE wallet_credentials (
+        id TEXT NOT NULL PRIMARY KEY,
+        wallet_id TEXT,
+        type TEXT NOT NULL CHECK (type IN ('api-key','hmac-secret','rsa-private-key','session-token','custom')),
+        name TEXT NOT NULL,
+        encrypted_value BLOB NOT NULL,
+        iv BLOB NOT NULL,
+        auth_tag BLOB NOT NULL,
+        metadata TEXT NOT NULL DEFAULT '{}',
+        expires_at INTEGER,
+        created_at INTEGER NOT NULL DEFAULT (unixepoch()),
+        updated_at INTEGER NOT NULL DEFAULT (unixepoch()),
+        FOREIGN KEY (wallet_id) REFERENCES wallets(id) ON DELETE CASCADE
+      );
+      CREATE UNIQUE INDEX idx_wallet_credentials_wallet_name ON wallet_credentials(wallet_id, name);
+      CREATE INDEX idx_wallet_credentials_global_name ON wallet_credentials(name) WHERE wallet_id IS NULL;
+      CREATE INDEX idx_wallet_credentials_wallet_id ON wallet_credentials(wallet_id);
+      CREATE INDEX idx_wallet_credentials_expires_at ON wallet_credentials(expires_at) WHERE expires_at IS NOT NULL;
+    `);
+    },
+});
+// ---------------------------------------------------------------------------
+// v56: transactions table action tracking columns
+// ---------------------------------------------------------------------------
+MIGRATIONS.push({
+    version: 56,
+    description: 'Add action_kind, venue, operation, external_id columns to transactions',
+    up: (sqlite) => {
+        // Check if columns already exist (pushSchema may have already added them)
+        const cols = sqlite.prepare('PRAGMA table_info(transactions)').all()
+            .map(c => c.name);
+        if (!cols.includes('action_kind')) {
+            sqlite.exec("ALTER TABLE transactions ADD COLUMN action_kind TEXT NOT NULL DEFAULT 'contractCall'");
+        }
+        if (!cols.includes('venue')) {
+            sqlite.exec('ALTER TABLE transactions ADD COLUMN venue TEXT');
+        }
+        if (!cols.includes('operation')) {
+            sqlite.exec('ALTER TABLE transactions ADD COLUMN operation TEXT');
+        }
+        if (!cols.includes('external_id')) {
+            sqlite.exec('ALTER TABLE transactions ADD COLUMN external_id TEXT');
+        }
+        // Create indexes (idempotent with IF NOT EXISTS)
+        sqlite.exec('CREATE INDEX IF NOT EXISTS idx_transactions_action_kind ON transactions(action_kind)');
+        sqlite.exec('CREATE INDEX IF NOT EXISTS idx_transactions_venue ON transactions(venue) WHERE venue IS NOT NULL');
+        sqlite.exec('CREATE INDEX IF NOT EXISTS idx_transactions_external_id ON transactions(external_id) WHERE external_id IS NOT NULL');
+    },
+});
+// ---------------------------------------------------------------------------
+// v57: composite index for external action tracking queries
+// ---------------------------------------------------------------------------
+MIGRATIONS.push({
+    version: 57,
+    description: 'Add composite index idx_transactions_action_kind_bridge_status',
+    up: (sqlite) => {
+        sqlite.exec('CREATE INDEX IF NOT EXISTS idx_transactions_action_kind_bridge_status ON transactions(action_kind, bridge_status) WHERE bridge_status IS NOT NULL');
+    },
+});
+// ---------------------------------------------------------------------------
+// v58: Update transactions type CHECK constraint to include CONTRACT_DEPLOY
+// ---------------------------------------------------------------------------
+MIGRATIONS.push({
+    version: 58,
+    description: 'Add CONTRACT_DEPLOY to transactions type CHECK constraint (12-step table recreation)',
+    managesOwnTransaction: true,
+    up: (sqlite) => {
+        sqlite.exec('BEGIN');
+        try {
+            // Step 1: Create transactions_new with updated CHECK constraints (CONTRACT_DEPLOY in TRANSACTION_TYPES)
+            sqlite.exec(`CREATE TABLE transactions_new (
+  id TEXT PRIMARY KEY,
+  wallet_id TEXT NOT NULL REFERENCES wallets(id) ON DELETE RESTRICT,
+  session_id TEXT REFERENCES sessions(id) ON DELETE SET NULL,
+  chain TEXT NOT NULL,
+  tx_hash TEXT,
+  type TEXT NOT NULL CHECK (type IN (${inList(TRANSACTION_TYPES)})),
+  amount TEXT,
+  to_address TEXT,
+  token_mint TEXT,
+  contract_address TEXT,
+  method_signature TEXT,
+  spender_address TEXT,
+  approved_amount TEXT,
+  parent_id TEXT REFERENCES transactions_new(id) ON DELETE CASCADE,
+  batch_index INTEGER,
+  status TEXT NOT NULL DEFAULT 'PENDING' CHECK (status IN (${inList(TRANSACTION_STATUSES)})),
+  tier TEXT CHECK (tier IS NULL OR tier IN (${inList(POLICY_TIERS)})),
+  queued_at INTEGER,
+  executed_at INTEGER,
+  created_at INTEGER NOT NULL,
+  reserved_amount TEXT,
+  amount_usd REAL,
+  reserved_amount_usd REAL,
+  error TEXT,
+  metadata TEXT,
+  network TEXT CHECK (network IS NULL OR network IN (${inList(NETWORK_TYPES)})),
+  bridge_status TEXT CHECK (bridge_status IS NULL OR bridge_status IN ('PENDING', 'COMPLETED', 'FAILED', 'BRIDGE_MONITORING', 'TIMEOUT', 'REFUNDED', 'PARTIALLY_FILLED', 'FILLED', 'CANCELED', 'SETTLED', 'EXPIRED')),
+  bridge_metadata TEXT,
+  action_kind TEXT NOT NULL DEFAULT 'contractCall',
+  venue TEXT,
+  operation TEXT,
+  external_id TEXT
+)`);
+            // Step 2: Copy existing data
+            sqlite.exec(`INSERT INTO transactions_new (id, wallet_id, session_id, chain, tx_hash, type, amount, to_address, token_mint, contract_address, method_signature, spender_address, approved_amount, parent_id, batch_index, status, tier, queued_at, executed_at, created_at, reserved_amount, amount_usd, reserved_amount_usd, error, metadata, network, bridge_status, bridge_metadata, action_kind, venue, operation, external_id)
+  SELECT id, wallet_id, session_id, chain, tx_hash, type, amount, to_address, token_mint, contract_address, method_signature, spender_address, approved_amount, parent_id, batch_index, status, tier, queued_at, executed_at, created_at, reserved_amount, amount_usd, reserved_amount_usd, error, metadata, network, bridge_status, bridge_metadata, action_kind, venue, operation, external_id FROM transactions`);
+            // Step 3: Drop old table
+            sqlite.exec('DROP TABLE transactions');
+            // Step 4: Rename new table
+            sqlite.exec('ALTER TABLE transactions_new RENAME TO transactions');
+            // Step 5: Recreate all 14 indexes
+            sqlite.exec('CREATE INDEX idx_transactions_wallet_status ON transactions(wallet_id, status)');
+            sqlite.exec('CREATE INDEX idx_transactions_session_id ON transactions(session_id)');
+            sqlite.exec('CREATE UNIQUE INDEX idx_transactions_tx_hash ON transactions(tx_hash)');
+            sqlite.exec('CREATE INDEX idx_transactions_queued_at ON transactions(queued_at)');
+            sqlite.exec('CREATE INDEX idx_transactions_created_at ON transactions(created_at)');
+            sqlite.exec('CREATE INDEX idx_transactions_type ON transactions(type)');
+            sqlite.exec('CREATE INDEX idx_transactions_contract_address ON transactions(contract_address)');
+            sqlite.exec('CREATE INDEX idx_transactions_parent_id ON transactions(parent_id)');
+            sqlite.exec("CREATE INDEX idx_transactions_bridge_status ON transactions(bridge_status) WHERE bridge_status IS NOT NULL");
+            sqlite.exec("CREATE INDEX idx_transactions_gas_waiting ON transactions(status) WHERE status = 'GAS_WAITING'");
+            sqlite.exec('CREATE INDEX idx_transactions_action_kind ON transactions(action_kind)');
+            sqlite.exec("CREATE INDEX idx_transactions_venue ON transactions(venue) WHERE venue IS NOT NULL");
+            sqlite.exec("CREATE INDEX idx_transactions_external_id ON transactions(external_id) WHERE external_id IS NOT NULL");
+            sqlite.exec('CREATE INDEX idx_transactions_action_kind_bridge_status ON transactions(action_kind, bridge_status) WHERE bridge_status IS NOT NULL');
+            // Step 6: Commit
+            sqlite.exec('COMMIT');
+        }
+        catch (err) {
+            sqlite.exec('ROLLBACK');
+            throw err;
+        }
+        // Step 7: Re-enable foreign keys and verify integrity
+        sqlite.pragma('foreign_keys = ON');
+        const fkErrors = sqlite.pragma('foreign_key_check');
+        if (fkErrors.length > 0) {
+            throw new Error(`FK integrity violation after v58: ${JSON.stringify(fkErrors)}`);
+        }
+    },
+});
 /**
  * Run incremental migrations against the database.
  *