agent-vault-cli 0.1.0

package/dist/core/config.js

@@ -0,0 +1,80 @@
+import { readFile, writeFile, mkdir, chmod, access, constants } from 'node:fs/promises';
+import { homedir } from 'node:os';
+import { join } from 'node:path';
+import { lock } from 'proper-lockfile';
+import { logAuditEvent } from './audit.js';
+const CONFIG_DIR = join(homedir(), '.agent-vault');
+const CONFIG_FILE = join(CONFIG_DIR, 'config.json');
+// Secure file permissions: owner read/write only
+const SECURE_DIR_MODE = 0o700;
+const SECURE_FILE_MODE = 0o600;
+async function ensureConfigDir() {
+    await mkdir(CONFIG_DIR, { recursive: true, mode: SECURE_DIR_MODE });
+}
+async function fileExists(path) {
+    try {
+        await access(path, constants.F_OK);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+export async function loadConfig() {
+    try {
+        const data = await readFile(CONFIG_FILE, 'utf-8');
+        return JSON.parse(data);
+    }
+    catch {
+        return {};
+    }
+}
+export async function saveConfig(config) {
+    await ensureConfigDir();
+    const exists = await fileExists(CONFIG_FILE);
+    // Create empty file if it doesn't exist (for locking)
+    if (!exists) {
+        await writeFile(CONFIG_FILE, '{}', { mode: SECURE_FILE_MODE });
+    }
+    // Use file locking to prevent race conditions
+    let release = null;
+    try {
+        release = await lock(CONFIG_FILE, { retries: 3 });
+        await writeFile(CONFIG_FILE, JSON.stringify(config, null, 2), { mode: SECURE_FILE_MODE });
+        // Ensure permissions are set correctly
+        await chmod(CONFIG_FILE, SECURE_FILE_MODE);
+    }
+    finally {
+        if (release) {
+            await release();
+        }
+    }
+}
+export async function getConfigValue(key) {
+    const config = await loadConfig();
+    return config[key];
+}
+export async function setConfigValue(key, value) {
+    const config = await loadConfig();
+    config[key] = value;
+    await saveConfig(config);
+    await logAuditEvent('config_changed', { details: `Key: ${key}` });
+}
+export async function unsetConfigValue(key) {
+    const config = await loadConfig();
+    if (key in config) {
+        delete config[key];
+        await saveConfig(config);
+        await logAuditEvent('config_changed', { details: `Key removed: ${key}` });
+        return true;
+    }
+    return false;
+}
+export function isValidConfigKey(key) {
+    const validKeys = ['defaultUsername', 'allowHttp', 'cdpAllowlist'];
+    return validKeys.includes(key);
+}
+export function getValidConfigKeys() {
+    return ['defaultUsername', 'allowHttp', 'cdpAllowlist'];
+}
+//# sourceMappingURL=config.js.map

package/dist/core/config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../../src/core/config.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AACxF,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,IAAI,EAAU,MAAM,iBAAiB,CAAC;AAE/C,OAAO,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAE3C,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,EAAE,EAAE,cAAc,CAAC,CAAC;AACnD,MAAM,WAAW,GAAG,IAAI,CAAC,UAAU,EAAE,aAAa,CAAC,CAAC;AAEpD,iDAAiD;AACjD,MAAM,eAAe,GAAG,KAAK,CAAC;AAC9B,MAAM,gBAAgB,GAAG,KAAK,CAAC;AAE/B,KAAK,UAAU,eAAe;IAC5B,MAAM,KAAK,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,eAAe,EAAE,CAAC,CAAC;AACtE,CAAC;AAED,KAAK,UAAU,UAAU,CAAC,IAAY;IACpC,IAAI,CAAC;QACH,MAAM,MAAM,CAAC,IAAI,EAAE,SAAS,CAAC,IAAI,CAAC,CAAC;QACnC,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,UAAU;IAC9B,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC;QAClD,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC1B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,MAAmB;IAClD,MAAM,eAAe,EAAE,CAAC;IAExB,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,WAAW,CAAC,CAAC;IAE7C,sDAAsD;IACtD,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,SAAS,CAAC,WAAW,EAAE,IAAI,EAAE,EAAE,IAAI,EAAE,gBAAgB,EAAE,CAAC,CAAC;IACjE,CAAC;IAED,8CAA8C;IAC9C,IAAI,OAAO,GAAiC,IAAI,CAAC;IACjD,IAAI,CAAC;QACH,OAAO,GAAG,MAAM,IAAI,CAAC,WAAW,EAAE,EAAE,OAAO,EAAE,CAAC,EAAE,CAAC,CAAC;QAClD,MAAM,SAAS,CAAC,WAAW,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,gBAAgB,EAAE,CAAC,CAAC;QAC1F,uCAAuC;QACvC,MAAM,KAAK,CAAC,WAAW,EAAE,gBAAgB,CAAC,CAAC;IAC7C,CAAC;YAAS,CAAC;QACT,IAAI,OAAO,EAAE,CAAC;YACZ,MAAM,OAAO,EAAE,CAAC;QAClB,CAAC;IACH,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,GAAc;IACjD,MAAM,MAAM,GAAG,MAAM,UAAU,EAAE,CAAC;IAClC,OAAO,MAAM,CAAC,GAAG,CAAC,CAAC;AACrB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,GAAc,EAAE,KAAa;IAChE,MAAM,MAAM,GAAG,MAAM,UAAU,EAAE,CAAC;IAClC,MAAM,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;IACpB,MAAM,UAAU,CAAC,MAAM,CAAC,CAAC;IACzB,MAAM,aAAa,CAAC,gBAAgB,EAAE,EAAE,OAAO,EAAE,QAAQ,GAAG,EAAE,EAAE,CAAC,CAAC;AACpE,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,GAAc;IACnD,MAAM,MAAM,GAAG,MAAM,UAAU,EAAE,CAAC;IAClC,IAAI,GAAG,IAAI,MAAM,EAAE,CAAC;QAClB,OAAO,MAAM,CAAC,GAAG,CAAC,CAAC;QACnB,MAAM,UAAU,CAAC,MAAM,CAAC,CAAC;QACzB,MAAM,aAAa,CAAC,gBAAgB,EAAE,EAAE,OAAO,EAAE,gBAAgB,GAAG,EAAE,EAAE,CAAC,CAAC;QAC1E,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,GAAW;IAC1C,MAAM,SAAS,GAAgB,CAAC,iBAAiB,EAAE,WAAW,EAAE,cAAc,CAAC,CAAC;IAChF,OAAO,SAAS,CAAC,QAAQ,CAAC,GAAgB,CAAC,CAAC;AAC9C,CAAC;AAED,MAAM,UAAU,kBAAkB;IAChC,OAAO,CAAC,iBAAiB,EAAE,WAAW,EAAE,cAAc,CAAC,CAAC;AAC1D,CAAC"}

package/dist/core/crypto.d.ts

@@ -0,0 +1,17 @@
+/**
+ * Generate a cryptographically secure password using Node.js crypto.randomInt
+ * Guarantees at least one character from each class (lowercase, uppercase, digit, special)
+ *
+ * @param length - Password length (minimum 12, default 24)
+ * @throws Error if length is less than minimum
+ */
+export declare function generatePassword(length?: number): string;
+/**
+ * Alternative password generator using nanoid's customAlphabet
+ * Regenerates until complexity requirements are met
+ *
+ * @param length - Password length (minimum 12, default 24)
+ * @throws Error if length is less than minimum
+ */
+export declare function generatePasswordNanoid(length?: number): string;
+//# sourceMappingURL=crypto.d.ts.map

package/dist/core/crypto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.d.ts","sourceRoot":"","sources":["../../src/core/crypto.ts"],"names":[],"mappings":"AA8CA;;;;;;GAMG;AACH,wBAAgB,gBAAgB,CAAC,MAAM,GAAE,MAAwB,GAAG,MAAM,CAoBzE;AAED;;;;;;GAMG;AACH,wBAAgB,sBAAsB,CAAC,MAAM,GAAE,MAAwB,GAAG,MAAM,CAuB/E"}

package/dist/core/crypto.js

@@ -0,0 +1,90 @@
+import { randomInt } from 'node:crypto';
+import { customAlphabet } from 'nanoid';
+const PASSWORD_LENGTH = 24;
+const MIN_PASSWORD_LENGTH = 12;
+const PASSWORD_CHARSET = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*';
+const CHAR_CLASSES = {
+    lowercase: 'abcdefghijklmnopqrstuvwxyz',
+    uppercase: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
+    digits: '0123456789',
+    special: '!@#$%^&*',
+};
+/**
+ * Cryptographically secure random character selection
+ */
+function secureRandomChar(charset) {
+    return charset[randomInt(charset.length)];
+}
+/**
+ * Cryptographically secure Fisher-Yates shuffle
+ */
+function secureShuffleArray(array) {
+    const result = [...array];
+    for (let i = result.length - 1; i > 0; i--) {
+        const j = randomInt(i + 1);
+        [result[i], result[j]] = [result[j], result[i]];
+    }
+    return result;
+}
+/**
+ * Check if password meets complexity requirements
+ */
+function meetsComplexityRequirements(password) {
+    return (/[a-z]/.test(password) &&
+        /[A-Z]/.test(password) &&
+        /[0-9]/.test(password) &&
+        /[!@#$%^&*]/.test(password));
+}
+/**
+ * Generate a cryptographically secure password using Node.js crypto.randomInt
+ * Guarantees at least one character from each class (lowercase, uppercase, digit, special)
+ *
+ * @param length - Password length (minimum 12, default 24)
+ * @throws Error if length is less than minimum
+ */
+export function generatePassword(length = PASSWORD_LENGTH) {
+    if (length < MIN_PASSWORD_LENGTH) {
+        throw new Error(`Password length must be at least ${MIN_PASSWORD_LENGTH} characters`);
+    }
+    // Start with one guaranteed character from each class
+    const chars = [
+        secureRandomChar(CHAR_CLASSES.lowercase),
+        secureRandomChar(CHAR_CLASSES.uppercase),
+        secureRandomChar(CHAR_CLASSES.digits),
+        secureRandomChar(CHAR_CLASSES.special),
+    ];
+    // Fill remaining length with random characters from full charset
+    while (chars.length < length) {
+        chars.push(secureRandomChar(PASSWORD_CHARSET));
+    }
+    // Cryptographically secure shuffle to randomize position of guaranteed chars
+    return secureShuffleArray(chars).join('');
+}
+/**
+ * Alternative password generator using nanoid's customAlphabet
+ * Regenerates until complexity requirements are met
+ *
+ * @param length - Password length (minimum 12, default 24)
+ * @throws Error if length is less than minimum
+ */
+export function generatePasswordNanoid(length = PASSWORD_LENGTH) {
+    if (length < MIN_PASSWORD_LENGTH) {
+        throw new Error(`Password length must be at least ${MIN_PASSWORD_LENGTH} characters`);
+    }
+    const generate = customAlphabet(PASSWORD_CHARSET, length);
+    // Generate until we meet complexity requirements
+    // With 24 chars from a 70-char alphabet including all classes,
+    // probability of missing a class is extremely low (~0.01%)
+    let password;
+    let attempts = 0;
+    const maxAttempts = 100;
+    do {
+        password = generate();
+        attempts++;
+        if (attempts >= maxAttempts) {
+            throw new Error('Failed to generate compliant password after maximum attempts');
+        }
+    } while (!meetsComplexityRequirements(password));
+    return password;
+}
+//# sourceMappingURL=crypto.js.map

package/dist/core/crypto.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.js","sourceRoot":"","sources":["../../src/core/crypto.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AACxC,OAAO,EAAE,cAAc,EAAE,MAAM,QAAQ,CAAC;AAExC,MAAM,eAAe,GAAG,EAAE,CAAC;AAC3B,MAAM,mBAAmB,GAAG,EAAE,CAAC;AAC/B,MAAM,gBAAgB,GACpB,wEAAwE,CAAC;AAE3E,MAAM,YAAY,GAAG;IACnB,SAAS,EAAE,4BAA4B;IACvC,SAAS,EAAE,4BAA4B;IACvC,MAAM,EAAE,YAAY;IACpB,OAAO,EAAE,UAAU;CACX,CAAC;AAEX;;GAEG;AACH,SAAS,gBAAgB,CAAC,OAAe;IACvC,OAAO,OAAO,CAAC,SAAS,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC;AAC5C,CAAC;AAED;;GAEG;AACH,SAAS,kBAAkB,CAAI,KAAU;IACvC,MAAM,MAAM,GAAG,CAAC,GAAG,KAAK,CAAC,CAAC;IAC1B,KAAK,IAAI,CAAC,GAAG,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QAC3C,MAAM,CAAC,GAAG,SAAS,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QAC3B,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;IAClD,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,SAAS,2BAA2B,CAAC,QAAgB;IACnD,OAAO,CACL,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC;QACtB,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC;QACtB,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC;QACtB,YAAY,CAAC,IAAI,CAAC,QAAQ,CAAC,CAC5B,CAAC;AACJ,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,gBAAgB,CAAC,SAAiB,eAAe;IAC/D,IAAI,MAAM,GAAG,mBAAmB,EAAE,CAAC;QACjC,MAAM,IAAI,KAAK,CAAC,oCAAoC,mBAAmB,aAAa,CAAC,CAAC;IACxF,CAAC;IAED,sDAAsD;IACtD,MAAM,KAAK,GAAG;QACZ,gBAAgB,CAAC,YAAY,CAAC,SAAS,CAAC;QACxC,gBAAgB,CAAC,YAAY,CAAC,SAAS,CAAC;QACxC,gBAAgB,CAAC,YAAY,CAAC,MAAM,CAAC;QACrC,gBAAgB,CAAC,YAAY,CAAC,OAAO,CAAC;KACvC,CAAC;IAEF,iEAAiE;IACjE,OAAO,KAAK,CAAC,MAAM,GAAG,MAAM,EAAE,CAAC;QAC7B,KAAK,CAAC,IAAI,CAAC,gBAAgB,CAAC,gBAAgB,CAAC,CAAC,CAAC;IACjD,CAAC;IAED,6EAA6E;IAC7E,OAAO,kBAAkB,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;AAC5C,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,sBAAsB,CAAC,SAAiB,eAAe;IACrE,IAAI,MAAM,GAAG,mBAAmB,EAAE,CAAC;QACjC,MAAM,IAAI,KAAK,CAAC,oCAAoC,mBAAmB,aAAa,CAAC,CAAC;IACxF,CAAC;IAED,MAAM,QAAQ,GAAG,cAAc,CAAC,gBAAgB,EAAE,MAAM,CAAC,CAAC;IAE1D,iDAAiD;IACjD,+DAA+D;IAC/D,2DAA2D;IAC3D,IAAI,QAAgB,CAAC;IACrB,IAAI,QAAQ,GAAG,CAAC,CAAC;IACjB,MAAM,WAAW,GAAG,GAAG,CAAC;IAExB,GAAG,CAAC;QACF,QAAQ,GAAG,QAAQ,EAAE,CAAC;QACtB,QAAQ,EAAE,CAAC;QACX,IAAI,QAAQ,IAAI,WAAW,EAAE,CAAC;YAC5B,MAAM,IAAI,KAAK,CAAC,8DAA8D,CAAC,CAAC;QAClF,CAAC;IACH,CAAC,QAAQ,CAAC,2BAA2B,CAAC,QAAQ,CAAC,EAAE;IAEjD,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/core/fields.d.ts

@@ -0,0 +1,5 @@
+import type { Page } from 'playwright';
+export declare function detectUsernameField(page: Page): Promise<string | null>;
+export declare function detectPasswordField(page: Page): Promise<string | null>;
+export declare function detectSubmitButton(page: Page): Promise<string | null>;
+//# sourceMappingURL=fields.d.ts.map

package/dist/core/fields.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"fields.d.ts","sourceRoot":"","sources":["../../src/core/fields.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,YAAY,CAAC;AA0BvC,wBAAsB,mBAAmB,CAAC,IAAI,EAAE,IAAI,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAQ5E;AAED,wBAAsB,mBAAmB,CAAC,IAAI,EAAE,IAAI,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAQ5E;AAED,wBAAsB,kBAAkB,CAAC,IAAI,EAAE,IAAI,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAY3E"}

package/dist/core/fields.js

@@ -0,0 +1,54 @@
+const USERNAME_SELECTORS = [
+    'input[type="email"]',
+    'input[name="email"]',
+    'input[autocomplete="username"]',
+    'input[autocomplete="email"]',
+    'input[name="username"]',
+    'input[id="username"]',
+    'input[id="email"]',
+];
+const PASSWORD_SELECTORS = [
+    'input[type="password"]',
+    'input[autocomplete="current-password"]',
+    'input[autocomplete="new-password"]',
+];
+const SUBMIT_SELECTORS = [
+    'button[type="submit"]',
+    'input[type="submit"]',
+    'button:has-text("Log in")',
+    'button:has-text("Sign in")',
+    'button:has-text("Login")',
+];
+export async function detectUsernameField(page) {
+    for (const selector of USERNAME_SELECTORS) {
+        const element = await page.$(selector);
+        if (element && await element.isVisible()) {
+            return selector;
+        }
+    }
+    return null;
+}
+export async function detectPasswordField(page) {
+    for (const selector of PASSWORD_SELECTORS) {
+        const element = await page.$(selector);
+        if (element && await element.isVisible()) {
+            return selector;
+        }
+    }
+    return null;
+}
+export async function detectSubmitButton(page) {
+    for (const selector of SUBMIT_SELECTORS) {
+        try {
+            const element = await page.$(selector);
+            if (element && await element.isVisible()) {
+                return selector;
+            }
+        }
+        catch {
+            // Some selectors might not be valid, continue
+        }
+    }
+    return null;
+}
+//# sourceMappingURL=fields.js.map

package/dist/core/fields.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"fields.js","sourceRoot":"","sources":["../../src/core/fields.ts"],"names":[],"mappings":"AAEA,MAAM,kBAAkB,GAAG;IACzB,qBAAqB;IACrB,qBAAqB;IACrB,gCAAgC;IAChC,6BAA6B;IAC7B,wBAAwB;IACxB,sBAAsB;IACtB,mBAAmB;CACpB,CAAC;AAEF,MAAM,kBAAkB,GAAG;IACzB,wBAAwB;IACxB,wCAAwC;IACxC,oCAAoC;CACrC,CAAC;AAEF,MAAM,gBAAgB,GAAG;IACvB,uBAAuB;IACvB,sBAAsB;IACtB,2BAA2B;IAC3B,4BAA4B;IAC5B,0BAA0B;CAC3B,CAAC;AAEF,MAAM,CAAC,KAAK,UAAU,mBAAmB,CAAC,IAAU;IAClD,KAAK,MAAM,QAAQ,IAAI,kBAAkB,EAAE,CAAC;QAC1C,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;QACvC,IAAI,OAAO,IAAI,MAAM,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC;YACzC,OAAO,QAAQ,CAAC;QAClB,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,mBAAmB,CAAC,IAAU;IAClD,KAAK,MAAM,QAAQ,IAAI,kBAAkB,EAAE,CAAC;QAC1C,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;QACvC,IAAI,OAAO,IAAI,MAAM,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC;YACzC,OAAO,QAAQ,CAAC;QAClB,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,IAAU;IACjD,KAAK,MAAM,QAAQ,IAAI,gBAAgB,EAAE,CAAC;QACxC,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;YACvC,IAAI,OAAO,IAAI,MAAM,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC;gBACzC,OAAO,QAAQ,CAAC;YAClB,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,8CAA8C;QAChD,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/core/keychain.d.ts

@@ -0,0 +1,5 @@
+import type { RPConfig } from '../types/index.js';
+export declare function storeRP(config: RPConfig): Promise<void>;
+export declare function getRP(origin: string): Promise<RPConfig | null>;
+export declare function deleteRP(origin: string): Promise<boolean>;
+//# sourceMappingURL=keychain.d.ts.map

package/dist/core/keychain.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"keychain.d.ts","sourceRoot":"","sources":["../../src/core/keychain.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,mBAAmB,CAAC;AAmClD,wBAAsB,OAAO,CAAC,MAAM,EAAE,QAAQ,GAAG,OAAO,CAAC,IAAI,CAAC,CAY7D;AAED,wBAAsB,KAAK,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC,CAiDpE;AAED,wBAAsB,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAO/D"}

package/dist/core/keychain.js

@@ -0,0 +1,97 @@
+import keytar from 'keytar';
+import { z } from 'zod';
+import { logAuditEvent } from './audit.js';
+import { checkRateLimit } from './ratelimit.js';
+const SERVICE_NAME = 'agent-vault';
+// Zod schema for strict validation of stored credentials
+const SelectorsSchema = z.object({
+    username: z.string().min(1),
+    password: z.string().min(1),
+    submit: z.string().optional(),
+});
+const CredentialsSchema = z.object({
+    username: z.string(),
+    password: z.string(),
+});
+const RPConfigSchema = z.object({
+    origin: z.string().url(),
+    selectors: SelectorsSchema,
+    credentials: CredentialsSchema,
+});
+/**
+ * Validate RPConfig data against schema
+ */
+function validateRPConfig(data) {
+    const result = RPConfigSchema.safeParse(data);
+    if (!result.success) {
+        return null;
+    }
+    return result.data;
+}
+export async function storeRP(config) {
+    // Rate limit credential storage
+    await checkRateLimit('store_credentials');
+    // Validate config before storing
+    const validated = validateRPConfig(config);
+    if (!validated) {
+        throw new Error('Invalid credential configuration');
+    }
+    await keytar.setPassword(SERVICE_NAME, config.origin, JSON.stringify(validated));
+    await logAuditEvent('credential_stored', { origin: config.origin });
+}
+export async function getRP(origin) {
+    try {
+        // Rate limit credential retrieval
+        await checkRateLimit('get_credentials');
+        const data = await keytar.getPassword(SERVICE_NAME, origin);
+        if (!data) {
+            await logAuditEvent('credential_retrieved', { origin, success: false });
+            return null;
+        }
+        let parsed;
+        try {
+            parsed = JSON.parse(data);
+        }
+        catch {
+            // Corrupted JSON data
+            await logAuditEvent('credential_retrieved', {
+                origin,
+                details: 'Corrupted data',
+                success: false,
+            });
+            return null;
+        }
+        // Validate with zod schema
+        const validated = validateRPConfig(parsed);
+        if (!validated) {
+            await logAuditEvent('credential_retrieved', {
+                origin,
+                details: 'Schema validation failed',
+                success: false,
+            });
+            return null;
+        }
+        await logAuditEvent('credential_retrieved', { origin, success: true });
+        return validated;
+    }
+    catch (error) {
+        // Don't expose internal errors - use generic message
+        if (error instanceof Error && error.message.includes('Rate limit')) {
+            throw error; // Re-throw rate limit errors
+        }
+        await logAuditEvent('credential_retrieved', {
+            origin,
+            details: 'Internal error',
+            success: false,
+        });
+        return null;
+    }
+}
+export async function deleteRP(origin) {
+    // Rate limit credential deletion
+    await checkRateLimit('delete_credentials');
+    const result = await keytar.deletePassword(SERVICE_NAME, origin);
+    await logAuditEvent('credential_deleted', { origin, success: result });
+    return result;
+}
+//# sourceMappingURL=keychain.js.map

package/dist/core/keychain.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"keychain.js","sourceRoot":"","sources":["../../src/core/keychain.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,QAAQ,CAAC;AAC5B,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,OAAO,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAC3C,OAAO,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAEhD,MAAM,YAAY,GAAG,aAAa,CAAC;AAEnC,yDAAyD;AACzD,MAAM,eAAe,GAAG,CAAC,CAAC,MAAM,CAAC;IAC/B,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC3B,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC3B,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CAC9B,CAAC,CAAC;AAEH,MAAM,iBAAiB,GAAG,CAAC,CAAC,MAAM,CAAC;IACjC,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE;IACpB,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE;CACrB,CAAC,CAAC;AAEH,MAAM,cAAc,GAAG,CAAC,CAAC,MAAM,CAAC;IAC9B,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE;IACxB,SAAS,EAAE,eAAe;IAC1B,WAAW,EAAE,iBAAiB;CAC/B,CAAC,CAAC;AAEH;;GAEG;AACH,SAAS,gBAAgB,CAAC,IAAa;IACrC,MAAM,MAAM,GAAG,cAAc,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;IAC9C,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QACpB,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO,MAAM,CAAC,IAAI,CAAC;AACrB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,OAAO,CAAC,MAAgB;IAC5C,gCAAgC;IAChC,MAAM,cAAc,CAAC,mBAAmB,CAAC,CAAC;IAE1C,iCAAiC;IACjC,MAAM,SAAS,GAAG,gBAAgB,CAAC,MAAM,CAAC,CAAC;IAC3C,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;IACtD,CAAC;IAED,MAAM,MAAM,CAAC,WAAW,CAAC,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC,CAAC;IACjF,MAAM,aAAa,CAAC,mBAAmB,EAAE,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;AACtE,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,KAAK,CAAC,MAAc;IACxC,IAAI,CAAC;QACH,kCAAkC;QAClC,MAAM,cAAc,CAAC,iBAAiB,CAAC,CAAC;QAExC,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,WAAW,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;QAC5D,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,MAAM,aAAa,CAAC,sBAAsB,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC;YACxE,OAAO,IAAI,CAAC;QACd,CAAC;QAED,IAAI,MAAe,CAAC;QACpB,IAAI,CAAC;YACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAC5B,CAAC;QAAC,MAAM,CAAC;YACP,sBAAsB;YACtB,MAAM,aAAa,CAAC,sBAAsB,EAAE;gBAC1C,MAAM;gBACN,OAAO,EAAE,gBAAgB;gBACzB,OAAO,EAAE,KAAK;aACf,CAAC,CAAC;YACH,OAAO,IAAI,CAAC;QACd,CAAC;QAED,2BAA2B;QAC3B,MAAM,SAAS,GAAG,gBAAgB,CAAC,MAAM,CAAC,CAAC;QAC3C,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,MAAM,aAAa,CAAC,sBAAsB,EAAE;gBAC1C,MAAM;gBACN,OAAO,EAAE,0BAA0B;gBACnC,OAAO,EAAE,KAAK;aACf,CAAC,CAAC;YACH,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,aAAa,CAAC,sBAAsB,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC;QACvE,OAAO,SAAS,CAAC;IACnB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,qDAAqD;QACrD,IAAI,KAAK,YAAY,KAAK,IAAI,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE,CAAC;YACnE,MAAM,KAAK,CAAC,CAAC,6BAA6B;QAC5C,CAAC;QACD,MAAM,aAAa,CAAC,sBAAsB,EAAE;YAC1C,MAAM;YACN,OAAO,EAAE,gBAAgB;YACzB,OAAO,EAAE,KAAK;SACf,CAAC,CAAC;QACH,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,QAAQ,CAAC,MAAc;IAC3C,iCAAiC;IACjC,MAAM,cAAc,CAAC,oBAAoB,CAAC,CAAC;IAE3C,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,cAAc,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;IACjE,MAAM,aAAa,CAAC,oBAAoB,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC,CAAC;IACvE,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/core/origin.d.ts

@@ -0,0 +1,25 @@
+export declare function extractOrigin(url: string): string;
+/**
+ * Check if origin uses HTTPS (secure)
+ */
+export declare function isSecureProtocol(origin: string): boolean;
+/**
+ * Check if origin uses HTTP (insecure)
+ */
+export declare function isHttpProtocol(origin: string): boolean;
+export declare function isValidOrigin(origin: string): boolean;
+export interface OriginValidationOptions {
+    allowHttp?: boolean;
+}
+/**
+ * Validate an origin with security checks.
+ * By default, requires HTTPS to prevent credentials from being sent in plaintext.
+ */
+export declare function validateOriginSecurity(origin: string, options?: OriginValidationOptions): Promise<void>;
+export declare function extractAndValidateOrigin(url: string): string;
+/**
+ * Extract and validate origin with full security checks.
+ * Use this for operations that store or retrieve credentials.
+ */
+export declare function extractAndValidateOriginSecure(url: string, options?: OriginValidationOptions): Promise<string>;
+//# sourceMappingURL=origin.d.ts.map

package/dist/core/origin.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"origin.d.ts","sourceRoot":"","sources":["../../src/core/origin.ts"],"names":[],"mappings":"AAEA,wBAAgB,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAGjD;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAOxD;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAOtD;AAED,wBAAgB,aAAa,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAOrD;AAED,MAAM,WAAW,uBAAuB;IACtC,SAAS,CAAC,EAAE,OAAO,CAAC;CACrB;AAED;;;GAGG;AACH,wBAAsB,sBAAsB,CAC1C,MAAM,EAAE,MAAM,EACd,OAAO,GAAE,uBAA4B,GACpC,OAAO,CAAC,IAAI,CAAC,CAiBf;AAED,wBAAgB,wBAAwB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAM5D;AAED;;;GAGG;AACH,wBAAsB,8BAA8B,CAClD,GAAG,EAAE,MAAM,EACX,OAAO,GAAE,uBAA4B,GACpC,OAAO,CAAC,MAAM,CAAC,CAIjB"}

package/dist/core/origin.js

@@ -0,0 +1,73 @@
+import { getConfigValue } from './config.js';
+export function extractOrigin(url) {
+    const parsed = new URL(url);
+    return parsed.origin;
+}
+/**
+ * Check if origin uses HTTPS (secure)
+ */
+export function isSecureProtocol(origin) {
+    try {
+        const url = new URL(origin);
+        return url.protocol === 'https:';
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Check if origin uses HTTP (insecure)
+ */
+export function isHttpProtocol(origin) {
+    try {
+        const url = new URL(origin);
+        return url.protocol === 'http:';
+    }
+    catch {
+        return false;
+    }
+}
+export function isValidOrigin(origin) {
+    try {
+        const url = new URL(origin);
+        return url.protocol === 'https:' || url.protocol === 'http:';
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Validate an origin with security checks.
+ * By default, requires HTTPS to prevent credentials from being sent in plaintext.
+ */
+export async function validateOriginSecurity(origin, options = {}) {
+    // Check config for allowHttp setting
+    const configAllowHttp = await getConfigValue('allowHttp');
+    const allowHttp = options.allowHttp ?? configAllowHttp === 'true';
+    // Check HTTPS requirement
+    if (!allowHttp && isHttpProtocol(origin)) {
+        throw new Error('HTTP origins are not allowed by default. Credentials would be sent in plaintext. ' +
+            'Use --allow-http flag or set config allowHttp=true to override.');
+    }
+    // Validate basic origin format
+    if (!isValidOrigin(origin)) {
+        throw new Error('Invalid origin format');
+    }
+}
+export function extractAndValidateOrigin(url) {
+    const origin = extractOrigin(url);
+    if (!isValidOrigin(origin)) {
+        throw new Error('Invalid page origin');
+    }
+    return origin;
+}
+/**
+ * Extract and validate origin with full security checks.
+ * Use this for operations that store or retrieve credentials.
+ */
+export async function extractAndValidateOriginSecure(url, options = {}) {
+    const origin = extractOrigin(url);
+    await validateOriginSecurity(origin, options);
+    return origin;
+}
+//# sourceMappingURL=origin.js.map

package/dist/core/origin.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"origin.js","sourceRoot":"","sources":["../../src/core/origin.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAE7C,MAAM,UAAU,aAAa,CAAC,GAAW;IACvC,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;IAC5B,OAAO,MAAM,CAAC,MAAM,CAAC;AACvB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAAC,MAAc;IAC7C,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC;QAC5B,OAAO,GAAG,CAAC,QAAQ,KAAK,QAAQ,CAAC;IACnC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,MAAc;IAC3C,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC;QAC5B,OAAO,GAAG,CAAC,QAAQ,KAAK,OAAO,CAAC;IAClC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,MAAc;IAC1C,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC;QAC5B,OAAO,GAAG,CAAC,QAAQ,KAAK,QAAQ,IAAI,GAAG,CAAC,QAAQ,KAAK,OAAO,CAAC;IAC/D,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAMD;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAC1C,MAAc,EACd,UAAmC,EAAE;IAErC,qCAAqC;IACrC,MAAM,eAAe,GAAG,MAAM,cAAc,CAAC,WAAW,CAAC,CAAC;IAC1D,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,eAAe,KAAK,MAAM,CAAC;IAElE,0BAA0B;IAC1B,IAAI,CAAC,SAAS,IAAI,cAAc,CAAC,MAAM,CAAC,EAAE,CAAC;QACzC,MAAM,IAAI,KAAK,CACb,mFAAmF;YACjF,iEAAiE,CACpE,CAAC;IACJ,CAAC;IAED,+BAA+B;IAC/B,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,EAAE,CAAC;QAC3B,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;IAC3C,CAAC;AACH,CAAC;AAED,MAAM,UAAU,wBAAwB,CAAC,GAAW;IAClD,MAAM,MAAM,GAAG,aAAa,CAAC,GAAG,CAAC,CAAC;IAClC,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,EAAE,CAAC;QAC3B,MAAM,IAAI,KAAK,CAAC,qBAAqB,CAAC,CAAC;IACzC,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,8BAA8B,CAClD,GAAW,EACX,UAAmC,EAAE;IAErC,MAAM,MAAM,GAAG,aAAa,CAAC,GAAG,CAAC,CAAC;IAClC,MAAM,sBAAsB,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC9C,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/core/ratelimit.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Check if an operation is rate limited.
+ * Returns true if allowed, throws if rate limited.
+ */
+export declare function checkRateLimit(operation: string): Promise<void>;
+/**
+ * Reset rate limit state (for testing or admin purposes)
+ */
+export declare function resetRateLimit(): Promise<void>;
+//# sourceMappingURL=ratelimit.d.ts.map

package/dist/core/ratelimit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ratelimit.d.ts","sourceRoot":"","sources":["../../src/core/ratelimit.ts"],"names":[],"mappings":"AAoCA;;;GAGG;AACH,wBAAsB,cAAc,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAyCrE;AAED;;GAEG;AACH,wBAAsB,cAAc,IAAI,OAAO,CAAC,IAAI,CAAC,CAEpD"}

package/dist/core/ratelimit.js

@@ -0,0 +1,70 @@
+import { readFile, writeFile, mkdir } from 'node:fs/promises';
+import { homedir } from 'node:os';
+import { join } from 'node:path';
+import { logAuditEvent } from './audit.js';
+const RATE_LIMIT_DIR = join(homedir(), '.agent-vault');
+const RATE_LIMIT_FILE = join(RATE_LIMIT_DIR, '.ratelimit');
+// Rate limit configuration
+const MAX_ATTEMPTS = 5;
+const WINDOW_MS = 60 * 1000; // 1 minute window
+const LOCKOUT_MS = 5 * 60 * 1000; // 5 minute lockout after exceeding
+async function ensureRateLimitDir() {
+    await mkdir(RATE_LIMIT_DIR, { recursive: true, mode: 0o700 });
+}
+async function loadRateLimitState() {
+    try {
+        const data = await readFile(RATE_LIMIT_FILE, 'utf-8');
+        return JSON.parse(data);
+    }
+    catch {
+        return { attempts: [] };
+    }
+}
+async function saveRateLimitState(state) {
+    await ensureRateLimitDir();
+    await writeFile(RATE_LIMIT_FILE, JSON.stringify(state), { mode: 0o600 });
+}
+/**
+ * Check if an operation is rate limited.
+ * Returns true if allowed, throws if rate limited.
+ */
+export async function checkRateLimit(operation) {
+    const now = Date.now();
+    const state = await loadRateLimitState();
+    // Check if currently locked out
+    if (state.lockedUntil && now < state.lockedUntil) {
+        const remainingSeconds = Math.ceil((state.lockedUntil - now) / 1000);
+        await logAuditEvent('rate_limit_exceeded', {
+            details: `Operation: ${operation}, locked for ${remainingSeconds}s`,
+            success: false,
+        });
+        throw new Error(`Rate limit exceeded. Please wait ${remainingSeconds} seconds before trying again.`);
+    }
+    // Clear lockout if expired
+    if (state.lockedUntil && now >= state.lockedUntil) {
+        state.lockedUntil = undefined;
+        state.attempts = [];
+    }
+    // Filter attempts within the window
+    state.attempts = state.attempts.filter((ts) => now - ts < WINDOW_MS);
+    // Check if exceeding limit
+    if (state.attempts.length >= MAX_ATTEMPTS) {
+        state.lockedUntil = now + LOCKOUT_MS;
+        await saveRateLimitState(state);
+        await logAuditEvent('rate_limit_exceeded', {
+            details: `Operation: ${operation}, lockout initiated`,
+            success: false,
+        });
+        throw new Error(`Too many attempts. Please wait ${Math.ceil(LOCKOUT_MS / 1000)} seconds before trying again.`);
+    }
+    // Record this attempt
+    state.attempts.push(now);
+    await saveRateLimitState(state);
+}
+/**
+ * Reset rate limit state (for testing or admin purposes)
+ */
+export async function resetRateLimit() {
+    await saveRateLimitState({ attempts: [] });
+}
+//# sourceMappingURL=ratelimit.js.map

package/dist/core/ratelimit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ratelimit.js","sourceRoot":"","sources":["../../src/core/ratelimit.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,kBAAkB,CAAC;AAC9D,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAE3C,MAAM,cAAc,GAAG,IAAI,CAAC,OAAO,EAAE,EAAE,cAAc,CAAC,CAAC;AACvD,MAAM,eAAe,GAAG,IAAI,CAAC,cAAc,EAAE,YAAY,CAAC,CAAC;AAE3D,2BAA2B;AAC3B,MAAM,YAAY,GAAG,CAAC,CAAC;AACvB,MAAM,SAAS,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,kBAAkB;AAC/C,MAAM,UAAU,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,mCAAmC;AAOrE,KAAK,UAAU,kBAAkB;IAC/B,MAAM,KAAK,CAAC,cAAc,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;AAChE,CAAC;AAED,KAAK,UAAU,kBAAkB;IAC/B,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,eAAe,EAAE,OAAO,CAAC,CAAC;QACtD,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC1B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,CAAC;IAC1B,CAAC;AACH,CAAC;AAED,KAAK,UAAU,kBAAkB,CAAC,KAAqB;IACrD,MAAM,kBAAkB,EAAE,CAAC;IAC3B,MAAM,SAAS,CAAC,eAAe,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;AAC3E,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,SAAiB;IACpD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,MAAM,KAAK,GAAG,MAAM,kBAAkB,EAAE,CAAC;IAEzC,gCAAgC;IAChC,IAAI,KAAK,CAAC,WAAW,IAAI,GAAG,GAAG,KAAK,CAAC,WAAW,EAAE,CAAC;QACjD,MAAM,gBAAgB,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,WAAW,GAAG,GAAG,CAAC,GAAG,IAAI,CAAC,CAAC;QACrE,MAAM,aAAa,CAAC,qBAAqB,EAAE;YACzC,OAAO,EAAE,cAAc,SAAS,gBAAgB,gBAAgB,GAAG;YACnE,OAAO,EAAE,KAAK;SACf,CAAC,CAAC;QACH,MAAM,IAAI,KAAK,CACb,oCAAoC,gBAAgB,+BAA+B,CACpF,CAAC;IACJ,CAAC;IAED,2BAA2B;IAC3B,IAAI,KAAK,CAAC,WAAW,IAAI,GAAG,IAAI,KAAK,CAAC,WAAW,EAAE,CAAC;QAClD,KAAK,CAAC,WAAW,GAAG,SAAS,CAAC;QAC9B,KAAK,CAAC,QAAQ,GAAG,EAAE,CAAC;IACtB,CAAC;IAED,oCAAoC;IACpC,KAAK,CAAC,QAAQ,GAAG,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,GAAG,GAAG,EAAE,GAAG,SAAS,CAAC,CAAC;IAErE,2BAA2B;IAC3B,IAAI,KAAK,CAAC,QAAQ,CAAC,MAAM,IAAI,YAAY,EAAE,CAAC;QAC1C,KAAK,CAAC,WAAW,GAAG,GAAG,GAAG,UAAU,CAAC;QACrC,MAAM,kBAAkB,CAAC,KAAK,CAAC,CAAC;QAChC,MAAM,aAAa,CAAC,qBAAqB,EAAE;YACzC,OAAO,EAAE,cAAc,SAAS,qBAAqB;YACrD,OAAO,EAAE,KAAK;SACf,CAAC,CAAC;QACH,MAAM,IAAI,KAAK,CACb,kCAAkC,IAAI,CAAC,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,+BAA+B,CAC9F,CAAC;IACJ,CAAC;IAED,sBAAsB;IACtB,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACzB,MAAM,kBAAkB,CAAC,KAAK,CAAC,CAAC;AAClC,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc;IAClC,MAAM,kBAAkB,CAAC,EAAE,QAAQ,EAAE,EAAE,EAAE,CAAC,CAAC;AAC7C,CAAC"}

package/dist/core/secure-memory.d.ts

@@ -0,0 +1,39 @@
+/**
+ * Secure memory utilities for handling sensitive data.
+ * Uses Buffer to allow explicit zeroing of memory.
+ */
+/**
+ * A secure string container that can be explicitly cleared from memory.
+ * Uses Buffer internally for memory that can be overwritten.
+ */
+export declare class SecureString {
+    private buffer;
+    private cleared;
+    constructor(value: string);
+    /**
+     * Get the string value. Throws if already cleared.
+     */
+    getValue(): string;
+    /**
+     * Securely clear the buffer by overwriting with zeros.
+     */
+    clear(): void;
+    /**
+     * Check if the string has been cleared.
+     */
+    isCleared(): boolean;
+    /**
+     * Get the length of the stored string.
+     */
+    get length(): number;
+}
+/**
+ * Execute a function with secure strings, ensuring cleanup on completion.
+ * @param values - Object with string values to protect
+ * @param fn - Function to execute with SecureString versions
+ * @returns Result of the function
+ */
+export declare function withSecureStrings<T extends Record<string, string>, R>(values: T, fn: (secure: {
+    [K in keyof T]: SecureString;
+}) => Promise<R>): Promise<R>;
+//# sourceMappingURL=secure-memory.d.ts.map

package/dist/core/secure-memory.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"secure-memory.d.ts","sourceRoot":"","sources":["../../src/core/secure-memory.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH;;;GAGG;AACH,qBAAa,YAAY;IACvB,OAAO,CAAC,MAAM,CAAS;IACvB,OAAO,CAAC,OAAO,CAAS;gBAEZ,KAAK,EAAE,MAAM;IAIzB;;OAEG;IACH,QAAQ,IAAI,MAAM;IAOlB;;OAEG;IACH,KAAK,IAAI,IAAI;IAOb;;OAEG;IACH,SAAS,IAAI,OAAO;IAIpB;;OAEG;IACH,IAAI,MAAM,IAAI,MAAM,CAEnB;CACF;AAED;;;;;GAKG;AACH,wBAAsB,iBAAiB,CAAC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EAAE,CAAC,EACzE,MAAM,EAAE,CAAC,EACT,EAAE,EAAE,CAAC,MAAM,EAAE;KAAG,CAAC,IAAI,MAAM,CAAC,GAAG,YAAY;CAAE,KAAK,OAAO,CAAC,CAAC,CAAC,GAC3D,OAAO,CAAC,CAAC,CAAC,CAgBZ"}