npm - agentlock-shared - Versions diffs - 0.1.0 → 0.3.0 - Mend

agentlock-shared 0.1.0 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (171) hide show

package/dist/__tests__/billing.test.d.ts +2 -0
package/dist/__tests__/billing.test.d.ts.map +1 -0
package/dist/__tests__/billing.test.js +31 -0
package/dist/__tests__/billing.test.js.map +1 -0
package/dist/__tests__/crypto.test.js +137 -47
package/dist/__tests__/crypto.test.js.map +1 -1
package/dist/__tests__/dns-pinning.test.d.ts +2 -0
package/dist/__tests__/dns-pinning.test.d.ts.map +1 -0
package/dist/__tests__/dns-pinning.test.js +33 -0
package/dist/__tests__/dns-pinning.test.js.map +1 -0
package/dist/__tests__/llm-classifier-cache-store.test.d.ts +2 -0
package/dist/__tests__/llm-classifier-cache-store.test.d.ts.map +1 -0
package/dist/__tests__/llm-classifier-cache-store.test.js +65 -0
package/dist/__tests__/llm-classifier-cache-store.test.js.map +1 -0
package/dist/__tests__/llm-classifier-cache.test.d.ts +2 -0
package/dist/__tests__/llm-classifier-cache.test.d.ts.map +1 -0
package/dist/__tests__/llm-classifier-cache.test.js +44 -0
package/dist/__tests__/llm-classifier-cache.test.js.map +1 -0
package/dist/__tests__/llm-classifier.test.d.ts +2 -0
package/dist/__tests__/llm-classifier.test.d.ts.map +1 -0
package/dist/__tests__/llm-classifier.test.js +167 -0
package/dist/__tests__/llm-classifier.test.js.map +1 -0
package/dist/__tests__/messaging.test.d.ts +2 -0
package/dist/__tests__/messaging.test.d.ts.map +1 -0
package/dist/__tests__/messaging.test.js +75 -0
package/dist/__tests__/messaging.test.js.map +1 -0
package/dist/__tests__/plans-classifier-limits.test.d.ts +2 -0
package/dist/__tests__/plans-classifier-limits.test.d.ts.map +1 -0
package/dist/__tests__/plans-classifier-limits.test.js +22 -0
package/dist/__tests__/plans-classifier-limits.test.js.map +1 -0
package/dist/__tests__/policy-category-floor.test.d.ts +2 -0
package/dist/__tests__/policy-category-floor.test.d.ts.map +1 -0
package/dist/__tests__/policy-category-floor.test.js +46 -0
package/dist/__tests__/policy-category-floor.test.js.map +1 -0
package/dist/__tests__/policy-claude-bash.test.d.ts +2 -0
package/dist/__tests__/policy-claude-bash.test.d.ts.map +1 -0
package/dist/__tests__/policy-claude-bash.test.js +401 -0
package/dist/__tests__/policy-claude-bash.test.js.map +1 -0
package/dist/__tests__/policy-llm-floor.test.d.ts +2 -0
package/dist/__tests__/policy-llm-floor.test.d.ts.map +1 -0
package/dist/__tests__/policy-llm-floor.test.js +107 -0
package/dist/__tests__/policy-llm-floor.test.js.map +1 -0
package/dist/__tests__/policy-ssh-e2e.test.d.ts +2 -0
package/dist/__tests__/policy-ssh-e2e.test.d.ts.map +1 -0
package/dist/__tests__/policy-ssh-e2e.test.js +89 -0
package/dist/__tests__/policy-ssh-e2e.test.js.map +1 -0
package/dist/__tests__/policy-ssh-sessions.test.d.ts +2 -0
package/dist/__tests__/policy-ssh-sessions.test.d.ts.map +1 -0
package/dist/__tests__/policy-ssh-sessions.test.js +139 -0
package/dist/__tests__/policy-ssh-sessions.test.js.map +1 -0
package/dist/__tests__/policy-ssh.test.d.ts +2 -0
package/dist/__tests__/policy-ssh.test.d.ts.map +1 -0
package/dist/__tests__/policy-ssh.test.js +180 -0
package/dist/__tests__/policy-ssh.test.js.map +1 -0
package/dist/__tests__/policy.test.js +522 -7
package/dist/__tests__/policy.test.js.map +1 -1
package/dist/__tests__/redact.test.js +76 -0
package/dist/__tests__/redact.test.js.map +1 -1
package/dist/__tests__/signing.test.js +89 -0
package/dist/__tests__/signing.test.js.map +1 -1
package/dist/__tests__/ssh-fingerprint.test.d.ts +2 -0
package/dist/__tests__/ssh-fingerprint.test.d.ts.map +1 -0
package/dist/__tests__/ssh-fingerprint.test.js +19 -0
package/dist/__tests__/ssh-fingerprint.test.js.map +1 -0
package/dist/__tests__/vpn-route.test.d.ts +2 -0
package/dist/__tests__/vpn-route.test.d.ts.map +1 -0
package/dist/__tests__/vpn-route.test.js +72 -0
package/dist/__tests__/vpn-route.test.js.map +1 -0
package/dist/__tests__/wireguard.test.d.ts +2 -0
package/dist/__tests__/wireguard.test.d.ts.map +1 -0
package/dist/__tests__/wireguard.test.js +114 -0
package/dist/__tests__/wireguard.test.js.map +1 -0
package/dist/billing.d.ts +12 -0
package/dist/billing.d.ts.map +1 -0
package/dist/billing.js +41 -0
package/dist/billing.js.map +1 -0
package/dist/crypto.d.ts +41 -0
package/dist/crypto.d.ts.map +1 -1
package/dist/crypto.js +208 -6
package/dist/crypto.js.map +1 -1
package/dist/dns-pinning.d.ts +28 -0
package/dist/dns-pinning.d.ts.map +1 -0
package/dist/dns-pinning.js +113 -0
package/dist/dns-pinning.js.map +1 -0
package/dist/index.d.ts +6 -0
package/dist/index.d.ts.map +1 -1
package/dist/index.js +9 -0
package/dist/index.js.map +1 -1
package/dist/llm-classifier-cache-store.d.ts +49 -0
package/dist/llm-classifier-cache-store.d.ts.map +1 -0
package/dist/llm-classifier-cache-store.js +63 -0
package/dist/llm-classifier-cache-store.js.map +1 -0
package/dist/llm-classifier-cache.d.ts +6 -0
package/dist/llm-classifier-cache.d.ts.map +1 -0
package/dist/llm-classifier-cache.js +52 -0
package/dist/llm-classifier-cache.js.map +1 -0
package/dist/llm-classifier.d.ts +29 -0
package/dist/llm-classifier.d.ts.map +1 -0
package/dist/llm-classifier.js +191 -0
package/dist/llm-classifier.js.map +1 -0
package/dist/observability.d.ts +36 -0
package/dist/observability.d.ts.map +1 -0
package/dist/observability.js +75 -0
package/dist/observability.js.map +1 -0
package/dist/plans.d.ts +21 -0
package/dist/plans.d.ts.map +1 -1
package/dist/plans.js +52 -14
package/dist/plans.js.map +1 -1
package/dist/policy.d.ts +173 -3
package/dist/policy.d.ts.map +1 -1
package/dist/policy.js +951 -58
package/dist/policy.js.map +1 -1
package/dist/redact.d.ts.map +1 -1
package/dist/redact.js +104 -7
package/dist/redact.js.map +1 -1
package/dist/regex-safety.d.ts +21 -0
package/dist/regex-safety.d.ts.map +1 -0
package/dist/regex-safety.js +49 -0
package/dist/regex-safety.js.map +1 -0
package/dist/sanitize.d.ts +31 -0
package/dist/sanitize.d.ts.map +1 -0
package/dist/sanitize.js +54 -0
package/dist/sanitize.js.map +1 -0
package/dist/schemas.d.ts +267 -14
package/dist/schemas.d.ts.map +1 -1
package/dist/schemas.js +152 -10
package/dist/schemas.js.map +1 -1
package/dist/signing.d.ts +15 -0
package/dist/signing.d.ts.map +1 -1
package/dist/signing.js +53 -4
package/dist/signing.js.map +1 -1
package/dist/ssh-fingerprint.d.ts +10 -0
package/dist/ssh-fingerprint.d.ts.map +1 -0
package/dist/ssh-fingerprint.js +52 -0
package/dist/ssh-fingerprint.js.map +1 -0
package/dist/ssrf.d.ts +36 -0
package/dist/ssrf.d.ts.map +1 -0
package/dist/ssrf.js +140 -0
package/dist/ssrf.js.map +1 -0
package/dist/types.d.ts +131 -0
package/dist/types.d.ts.map +1 -1
package/dist/wireguard.d.ts +63 -0
package/dist/wireguard.d.ts.map +1 -0
package/dist/wireguard.js +226 -0
package/dist/wireguard.js.map +1 -0
package/package.json +42 -29
package/.turbo/turbo-build.log +0 -4
package/.turbo/turbo-test.log +0 -34
package/dist/__tests__/content-crypto.test.d.ts +0 -2
package/dist/__tests__/content-crypto.test.d.ts.map +0 -1
package/dist/__tests__/content-crypto.test.js +0 -117
package/dist/__tests__/content-crypto.test.js.map +0 -1
package/dist/content-crypto.d.ts +0 -24
package/dist/content-crypto.d.ts.map +0 -1
package/dist/content-crypto.js +0 -58
package/dist/content-crypto.js.map +0 -1
package/src/__tests__/policy.test.ts +0 -88
package/src/__tests__/redact.test.ts +0 -41
package/src/__tests__/signing.test.ts +0 -55
package/src/crypto.ts +0 -87
package/src/index.ts +0 -8
package/src/mcp-catalog.ts +0 -181
package/src/plans.ts +0 -96
package/src/policy.ts +0 -186
package/src/redact.ts +0 -114
package/src/schemas.ts +0 -53
package/src/signing.ts +0 -120
package/src/types.ts +0 -212
package/test-gateway.mjs +0 -47
package/tsconfig.json +0 -10
package/vitest.config.ts +0 -8

package/dist/content-crypto.js.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"file":"content-crypto.js","sourceRoot":"","sources":["../src/content-crypto.ts"],"names":[],"mappings":";;;;;;AAUA,kCAEC;AAGD,0BAOC;AAGD,8BAYC;AAGD,8BAMC;AAGD,wCAQC;AAGD,8CASC;AArED,0DAA6B;AAC7B,mDAA4D;AAC5D,iDAA8C;AAE9C,iDAAiD;AACpC,QAAA,sBAAsB,GAAG,CAAC,CAAC;AACxC,+CAA+C;AAClC,QAAA,mBAAmB,GAAG,CAAC,CAAC;AAErC,sDAAsD;AACtD,SAAgB,WAAW;IACzB,OAAO,mBAAI,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;AAC9B,CAAC;AAED,4FAA4F;AAC5F,SAAgB,OAAO,CACrB,GAAe,EACf,WAAuB;IAEvB,MAAM,KAAK,GAAG,mBAAI,CAAC,WAAW,CAAC,mBAAI,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC;IAC3D,MAAM,GAAG,GAAG,mBAAI,CAAC,SAAS,CAAC,GAAG,EAAE,KAAK,EAAE,WAAW,CAAC,CAAC;IACpD,OAAO,EAAE,UAAU,EAAE,IAAA,6BAAY,EAAC,GAAG,CAAC,EAAE,KAAK,EAAE,IAAA,6BAAY,EAAC,KAAK,CAAC,EAAE,CAAC;AACvE,CAAC;AAED,sEAAsE;AACtE,SAAgB,SAAS,CACvB,UAAkB,EAClB,KAAa,EACb,WAAuB;IAEvB,MAAM,GAAG,GAAG,IAAA,6BAAY,EAAC,UAAU,CAAC,CAAC;IACrC,MAAM,CAAC,GAAG,IAAA,6BAAY,EAAC,KAAK,CAAC,CAAC;IAC9B,MAAM,MAAM,GAAG,mBAAI,CAAC,SAAS,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,EAAE,WAAW,CAAC,CAAC;IACxD,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,KAAK,CAAC,0DAA0D,CAAC,CAAC;IAC9E,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,kEAAkE;AAClE,SAAgB,SAAS,CACvB,UAAkB,EAClB,IAAgB;IAEhB,MAAM,EAAE,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;IAChD,OAAO,IAAA,eAAM,EAAC,EAAE,EAAE,IAAI,EAAE,EAAE,CAAC,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC,CAAC;AACjE,CAAC;AAED,4EAA4E;AAC5E,SAAgB,cAAc,CAC5B,GAAe,EACf,UAAkB;IAElB,MAAM,IAAI,GAAG,mBAAI,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;IAClC,MAAM,GAAG,GAAG,SAAS,CAAC,UAAU,EAAE,IAAI,CAAC,CAAC;IACxC,MAAM,EAAE,UAAU,EAAE,KAAK,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;IAChD,OAAO,EAAE,UAAU,EAAE,KAAK,EAAE,IAAI,EAAE,IAAA,6BAAY,EAAC,IAAI,CAAC,EAAE,CAAC;AACzD,CAAC;AAED,2EAA2E;AAC3E,SAAgB,iBAAiB,CAC/B,UAAkB,EAClB,KAAa,EACb,IAAY,EACZ,UAAkB;IAElB,MAAM,SAAS,GAAG,IAAA,6BAAY,EAAC,IAAI,CAAC,CAAC;IACrC,MAAM,GAAG,GAAG,SAAS,CAAC,UAAU,EAAE,SAAS,CAAC,CAAC;IAC7C,OAAO,SAAS,CAAC,UAAU,EAAE,KAAK,EAAE,GAAG,CAAC,CAAC;AAC3C,CAAC"}

package/src/__tests__/policy.test.ts DELETED Viewed

@@ -1,88 +0,0 @@
-import { describe, it, expect } from 'vitest';
-import { evaluatePolicy, DEFAULT_POLICY_RULES } from '../policy.js';
-import type { AgentActionRequest } from '../types.js';
-describe('Policy Engine', () => {
-  it('should ALLOW read actions by default', () => {
-    const action: AgentActionRequest = { action_type: 'read', tool: 'http', payload: {} };
-    expect(evaluatePolicy(action, DEFAULT_POLICY_RULES).decision).toBe('ALLOW');
-  });
-  it('should REQUIRE_APPROVAL for write actions', () => {
-    const action: AgentActionRequest = { action_type: 'write', tool: 'demo', payload: {} };
-    expect(evaluatePolicy(action, DEFAULT_POLICY_RULES).decision).toBe('REQUIRE_APPROVAL');
-  });
-  it('should BLOCK admin actions', () => {
-    const action: AgentActionRequest = { action_type: 'admin', tool: 'system', payload: {} };
-    expect(evaluatePolicy(action, DEFAULT_POLICY_RULES).decision).toBe('BLOCK');
-  });
-  it('should REQUIRE_APPROVAL for financial actions', () => {
-    const action: AgentActionRequest = { action_type: 'financial', tool: 'stripe', payload: {} };
-    expect(evaluatePolicy(action, DEFAULT_POLICY_RULES).decision).toBe('REQUIRE_APPROVAL');
-  });
-  it('should BLOCK disallowed HTTP domains', () => {
-    const action: AgentActionRequest = {
-      action_type: 'read',
-      tool: 'http',
-      payload: { url: 'https://evil.com/data', method: 'GET' },
-    };
-    const rules = {
-      ...DEFAULT_POLICY_RULES,
-      http: { allowedDomains: ['trusted.com'], allowedMethods: ['GET'], blockList: [] },
-    };
-    expect(evaluatePolicy(action, rules).decision).toBe('BLOCK');
-  });
-  it('should BLOCK explicitly blocklisted domains', () => {
-    const action: AgentActionRequest = {
-      action_type: 'read',
-      tool: 'http',
-      payload: { url: 'https://evil.com/data', method: 'GET' },
-    };
-    const rules = {
-      ...DEFAULT_POLICY_RULES,
-      http: { allowedDomains: [], allowedMethods: ['GET'], blockList: ['evil.com'] },
-    };
-    expect(evaluatePolicy(action, rules).decision).toBe('BLOCK');
-  });
-  it('should ALLOW admin actions when defaultMode is allow and no matching rule', () => {
-    const action: AgentActionRequest = { action_type: 'admin', tool: 'system', payload: {} };
-    const rules = { ...DEFAULT_POLICY_RULES, defaultMode: 'allow' as const, rules: [] };
-    const result = evaluatePolicy(action, rules);
-    expect(result.decision).toBe('ALLOW');
-    expect(result.reason).toBe('Default policy');
-  });
-  it('should ALLOW financial actions when defaultMode is allow and no matching rule', () => {
-    const action: AgentActionRequest = { action_type: 'financial', tool: 'stripe', payload: {} };
-    const rules = { ...DEFAULT_POLICY_RULES, defaultMode: 'allow' as const, rules: [] };
-    const result = evaluatePolicy(action, rules);
-    expect(result.decision).toBe('ALLOW');
-    expect(result.reason).toBe('Default policy');
-  });
-  it('should still respect explicit rules for admin even with defaultMode allow', () => {
-    const action: AgentActionRequest = { action_type: 'admin', tool: 'system', payload: {} };
-    const rules = {
-      ...DEFAULT_POLICY_RULES,
-      defaultMode: 'allow' as const,
-      rules: [{ action_type: 'admin' as const, decision: 'BLOCK' as const }],
-    };
-    expect(evaluatePolicy(action, rules).decision).toBe('BLOCK');
-  });
-  it('should BLOCK when cost exceeds limit', () => {
-    const action: AgentActionRequest = {
-      action_type: 'financial',
-      tool: 'stripe',
-      payload: {},
-      cost_estimate: 1000,
-    };
-    const rules = { ...DEFAULT_POLICY_RULES, limits: { maxCostPerAction: 100 } };
-    expect(evaluatePolicy(action, rules).decision).toBe('BLOCK');
-  });
-});

package/src/__tests__/redact.test.ts DELETED Viewed

@@ -1,41 +0,0 @@
-import { describe, it, expect } from 'vitest';
-import { redact, redactHeaders } from '../redact.js';
-describe('Redaction', () => {
-  it('should redact api_key fields', () => {
-    const obj = { name: 'test', api_key: 'super-secret-123', data: { token: 'abc' } };
-    const result = redact(obj) as Record<string, unknown>;
-    expect(result.api_key).toBe('[REDACTED]');
-    expect((result.data as Record<string, unknown>).token).toBe('[REDACTED]');
-    expect(result.name).toBe('test');
-  });
-  it('should redact Authorization headers', () => {
-    const headers = { Authorization: 'Bearer secret', 'Content-Type': 'application/json' };
-    const result = redactHeaders(headers);
-    expect(result['Authorization']).toBe('[REDACTED]');
-    expect(result['Content-Type']).toBe('application/json');
-  });
-  it('should handle nested objects', () => {
-    const obj = { level1: { level2: { password: 'secret', safe: 'ok' } } };
-    const result = redact(obj) as { level1: { level2: { password: string; safe: string } } };
-    expect(result.level1.level2.password).toBe('[REDACTED]');
-    expect(result.level1.level2.safe).toBe('ok');
-  });
-  it('should handle arrays', () => {
-    const obj = { items: [{ token: 'secret1' }, { token: 'secret2' }] };
-    const result = redact(obj) as { items: { token: string }[] };
-    expect(result.items[0].token).toBe('[REDACTED]');
-    expect(result.items[1].token).toBe('[REDACTED]');
-  });
-  it('should not redact safe fields', () => {
-    const obj = { name: 'test', url: 'https://example.com', status: 200 };
-    const result = redact(obj) as typeof obj;
-    expect(result.name).toBe('test');
-    expect(result.url).toBe('https://example.com');
-    expect(result.status).toBe(200);
-  });
-});

package/src/__tests__/signing.test.ts DELETED Viewed

@@ -1,55 +0,0 @@
-import { describe, it, expect } from 'vitest';
-import { generateKeypair, signRequest, verifyRequest, canonicalStringify } from '../signing.js';
-describe('Ed25519 Signing', () => {
-  it('should generate valid keypair', () => {
-    const kp = generateKeypair();
-    expect(kp.publicKey).toBeTruthy();
-    expect(kp.privateKey).toBeTruthy();
-    expect(kp.publicKey.length).toBeGreaterThan(0);
-  });
-  it('should sign and verify a request', () => {
-    const kp = generateKeypair();
-    const body = { action_type: 'write', tool: 'demo', payload: { key: 'value' } };
-    const headers = signRequest(body, 'agent-123', kp.privateKey);
-    expect(() => verifyRequest(body, headers, kp.publicKey)).not.toThrow();
-  });
-  it('should reject tampered body (top-level field)', () => {
-    const kp = generateKeypair();
-    const body = { action_type: 'write', tool: 'demo', payload: { key: 'value' } };
-    const headers = signRequest(body, 'agent-123', kp.privateKey);
-    const tampered = { ...body, tool: 'admin' };
-    expect(() => verifyRequest(tampered, headers, kp.publicKey)).toThrow('Invalid signature');
-  });
-  it('should reject tampered nested payload field', () => {
-    const kp = generateKeypair();
-    const body = { action_type: 'write', tool: 'demo', payload: { key: 'value', amount: 100 } };
-    const headers = signRequest(body, 'agent-123', kp.privateKey);
-    const tampered = { ...body, payload: { key: 'value', amount: 999999 } };
-    expect(() => verifyRequest(tampered, headers, kp.publicKey)).toThrow('Invalid signature');
-  });
-  it('canonicalStringify should sort keys recursively at all nesting levels', () => {
-    const obj = { z: 1, a: { y: 2, b: 3 }, m: [{ q: 4, c: 5 }] };
-    const result = canonicalStringify(obj);
-    // All object levels must have sorted keys
-    expect(result).toBe('{"a":{"b":3,"y":2},"m":[{"c":5,"q":4}],"z":1}');
-  });
-  it('should reject missing headers', () => {
-    const kp = generateKeypair();
-    const body = { action_type: 'write', tool: 'demo', payload: {} };
-    expect(() => verifyRequest(body, {}, kp.publicKey)).toThrow('Missing required signature headers');
-  });
-  it('should reject stale timestamp', () => {
-    const kp = generateKeypair();
-    const body = { action_type: 'write', tool: 'demo', payload: {} };
-    const headers = signRequest(body, 'agent-123', kp.privateKey);
-    headers['x-timestamp'] = String(Date.now() - 10 * 60 * 1000);
-    expect(() => verifyRequest(body, headers, kp.publicKey)).toThrow('Timestamp skew');
-  });
-});

package/src/crypto.ts DELETED Viewed

@@ -1,87 +0,0 @@
-import nacl from 'tweetnacl';
-import { encodeBase64, decodeBase64 } from 'tweetnacl-util';
-export function generateKey(): Uint8Array {
-  return nacl.randomBytes(32);
-}
-export function encrypt(data: string, key: Uint8Array): string {
-  const nonce = nacl.randomBytes(nacl.secretbox.nonceLength);
-  const message = new TextEncoder().encode(data);
-  const box = nacl.secretbox(message, nonce, key);
-  const combined = new Uint8Array(nonce.length + box.length);
-  combined.set(nonce);
-  combined.set(box, nonce.length);
-  return encodeBase64(combined);
-}
-export function decrypt(encryptedData: string, key: Uint8Array): string {
-  const combined = decodeBase64(encryptedData);
-  const nonce = combined.slice(0, nacl.secretbox.nonceLength);
-  const box = combined.slice(nacl.secretbox.nonceLength);
-  const message = nacl.secretbox.open(box, nonce, key);
-  if (!message) {
-    throw new Error('Decryption failed: invalid key or corrupted data');
-  }
-  return new TextDecoder().decode(message);
-}
-export function encryptDEK(dek: Uint8Array, masterKey: Uint8Array): string {
-  return encrypt(encodeBase64(dek), masterKey);
-}
-export function decryptDEK(encryptedDEK: string, masterKey: Uint8Array): Uint8Array {
-  const dekBase64 = decrypt(encryptedDEK, masterKey);
-  return decodeBase64(dekBase64);
-}
-// Cache the decoded master key to avoid creating multiple copies in memory.
-// A single copy is preferable to many short-lived copies scattered on the heap.
-let _cachedMasterKey: Uint8Array | null = null;
-export function getMasterKey(): Uint8Array {
-  if (_cachedMasterKey) return _cachedMasterKey;
-  const key = process.env.MASTER_KEY;
-  if (!key) throw new Error('MASTER_KEY environment variable not set');
-  _cachedMasterKey = decodeBase64(key);
-  return _cachedMasterKey;
-}
-export function generateMasterKey(): string {
-  return encodeBase64(generateKey());
-}
-export function encryptCredential(
-  payload: Record<string, unknown>,
-  masterKey: Uint8Array
-): { encryptedDEK: string; encryptedPayload: string } {
-  const dek = generateKey();
-  try {
-    const encryptedDEK = encryptDEK(dek, masterKey);
-    const encryptedPayload = encrypt(JSON.stringify(payload), dek);
-    return { encryptedDEK, encryptedPayload };
-  } finally {
-    // Zero DEK from memory after use (defense-in-depth against heap dumps)
-    dek.fill(0);
-  }
-}
-export function decryptCredential(
-  encryptedDEK: string,
-  encryptedPayload: string,
-  masterKey: Uint8Array
-): Record<string, unknown> {
-  const dek = decryptDEK(encryptedDEK, masterKey);
-  try {
-    const json = decrypt(encryptedPayload, dek);
-    return JSON.parse(json);
-  } finally {
-    // Best-effort: zero DEK from memory to minimize exposure window.
-    // Not guaranteed by JS runtime, but reduces risk of heap-dump leaks.
-    dek.fill(0);
-  }
-}

package/src/index.ts DELETED Viewed

@@ -1,8 +0,0 @@
-export * from './types.js';
-export * from './crypto.js';
-export * from './signing.js';
-export * from './policy.js';
-export * from './redact.js';
-export * from './schemas.js';
-export * from './plans.js';
-export * from './mcp-catalog.js';

package/src/mcp-catalog.ts DELETED Viewed

@@ -1,181 +0,0 @@
-export interface McpServerTemplate {
-  id: string;
-  name: string;
-  description: string;
-  serverUrl: string;
-  authType: 'bearer' | 'none';
-  authLabel?: string;
-  authPlaceholder?: string;
-  authHelpUrl?: string;
-  category: string;
-}
-export const MCP_CATALOG: McpServerTemplate[] = [
-  // --- Developer Tools ---
-  {
-    id: 'github',
-    name: 'GitHub',
-    description: 'Manage repos, issues, PRs, and code search',
-    serverUrl: 'https://api.githubcopilot.com/mcp/',
-    authType: 'bearer',
-    authLabel: 'Personal Access Token',
-    authPlaceholder: 'ghp_...',
-    authHelpUrl: 'https://github.com/settings/tokens',
-    category: 'Developer Tools',
-  },
-  {
-    id: 'gitlab',
-    name: 'GitLab',
-    description: 'Projects, merge requests, pipelines, and issues',
-    serverUrl: 'https://gitlab.com/-/mcp',
-    authType: 'bearer',
-    authLabel: 'Personal Access Token',
-    authPlaceholder: 'glpat-...',
-    authHelpUrl: 'https://gitlab.com/-/user_settings/personal_access_tokens',
-    category: 'Developer Tools',
-  },
-  {
-    id: 'linear',
-    name: 'Linear',
-    description: 'Issue tracking, projects, and team workflows',
-    serverUrl: 'https://mcp.linear.app/sse',
-    authType: 'bearer',
-    authLabel: 'API Key',
-    authPlaceholder: 'lin_api_...',
-    authHelpUrl: 'https://linear.app/settings/api',
-    category: 'Developer Tools',
-  },
-  {
-    id: 'sentry',
-    name: 'Sentry',
-    description: 'Error tracking, performance monitoring, and alerts',
-    serverUrl: 'https://mcp.sentry.dev/sse',
-    authType: 'bearer',
-    authLabel: 'Auth Token',
-    authPlaceholder: 'sntrys_...',
-    authHelpUrl: 'https://sentry.io/settings/account/api/auth-tokens/',
-    category: 'Developer Tools',
-  },
-  // --- Cloud & Infrastructure ---
-  {
-    id: 'cloudflare',
-    name: 'Cloudflare',
-    description: 'Workers, KV, D1, R2, and DNS management',
-    serverUrl: 'https://workers-mcp.cloudflare.com/mcp',
-    authType: 'bearer',
-    authLabel: 'API Token',
-    authPlaceholder: '',
-    authHelpUrl: 'https://dash.cloudflare.com/profile/api-tokens',
-    category: 'Cloud & Infrastructure',
-  },
-  // --- Communication ---
-  {
-    id: 'slack',
-    name: 'Slack',
-    description: 'Send messages, manage channels, and search conversations',
-    serverUrl: 'https://slack.com/api/mcp',
-    authType: 'bearer',
-    authLabel: 'Bot Token',
-    authPlaceholder: 'xoxb-...',
-    authHelpUrl: 'https://api.slack.com/apps',
-    category: 'Communication',
-  },
-  // --- Search & Data ---
-  {
-    id: 'brave-search',
-    name: 'Brave Search',
-    description: 'Web search, news, and local results',
-    serverUrl: 'https://mcp.brave.com/sse',
-    authType: 'bearer',
-    authLabel: 'API Key',
-    authPlaceholder: 'BSA...',
-    authHelpUrl: 'https://brave.com/search/api/',
-    category: 'Search & Data',
-  },
-  // --- Productivity ---
-  {
-    id: 'notion',
-    name: 'Notion',
-    description: 'Pages, databases, and workspace content',
-    serverUrl: 'https://mcp.notion.so/sse',
-    authType: 'bearer',
-    authLabel: 'Integration Token',
-    authPlaceholder: 'ntn_...',
-    authHelpUrl: 'https://www.notion.so/my-integrations',
-    category: 'Productivity',
-  },
-  // --- AI & LLMs ---
-  {
-    id: 'context7',
-    name: 'Context7',
-    description: 'Up-to-date documentation and code examples for any library',
-    serverUrl: 'https://mcp.context7.com/sse',
-    authType: 'none',
-    category: 'AI & LLMs',
-  },
-  // --- Databases ---
-  {
-    id: 'supabase',
-    name: 'Supabase',
-    description: 'Database queries, auth, storage, and edge functions',
-    serverUrl: 'https://mcp.supabase.com/sse',
-    authType: 'bearer',
-    authLabel: 'Access Token',
-    authPlaceholder: 'sbp_...',
-    authHelpUrl: 'https://supabase.com/dashboard/account/tokens',
-    category: 'Databases',
-  },
-  {
-    id: 'neon',
-    name: 'Neon',
-    description: 'Serverless Postgres — branches, queries, and management',
-    serverUrl: 'https://mcp.neon.tech/sse',
-    authType: 'bearer',
-    authLabel: 'API Key',
-    authPlaceholder: '',
-    authHelpUrl: 'https://console.neon.tech/app/settings/api-keys',
-    category: 'Databases',
-  },
-  // --- Payments ---
-  {
-    id: 'stripe',
-    name: 'Stripe',
-    description: 'Payments, subscriptions, customers, and invoices',
-    serverUrl: 'https://mcp.stripe.com/sse',
-    authType: 'bearer',
-    authLabel: 'Secret Key',
-    authPlaceholder: 'sk_...',
-    authHelpUrl: 'https://dashboard.stripe.com/apikeys',
-    category: 'Payments',
-  },
-  // --- Monitoring ---
-  {
-    id: 'grafana',
-    name: 'Grafana',
-    description: 'Dashboards, alerts, and observability data',
-    serverUrl: 'https://mcp.grafana.com/sse',
-    authType: 'bearer',
-    authLabel: 'Service Account Token',
-    authPlaceholder: 'glsa_...',
-    authHelpUrl: 'https://grafana.com/docs/grafana/latest/administration/service-accounts/',
-    category: 'Monitoring',
-  },
-];
-export const MCP_CATEGORIES = [...new Set(MCP_CATALOG.map((s) => s.category))];
-export function getMcpTemplate(id: string): McpServerTemplate | undefined {
-  return MCP_CATALOG.find((s) => s.id === id);
-}

package/src/plans.ts DELETED Viewed

@@ -1,96 +0,0 @@
-export type PlanId = 'free' | 'pro' | 'team';
-export interface PlanLimits {
-  actionsPerMonth: number;
-  agents: number;
-  credentials: number;
-  members: number;
-  timelineHistoryDays: number;
-  undoEnabled: boolean;
-  browserSessions: number;
-}
-export interface PlanDefinition extends PlanLimits {
-  id: PlanId;
-  name: string;
-  monthlyPrice: number; // USD cents
-  yearlyPrice: number; // USD cents (total per year)
-  stripePriceMonthly: string;
-  stripePriceYearly: string;
-}
-export const PLANS: Record<PlanId, PlanDefinition> = {
-  free: {
-    id: 'free',
-    name: 'Free',
-    monthlyPrice: 0,
-    yearlyPrice: 0,
-    stripePriceMonthly: '',
-    stripePriceYearly: '',
-    actionsPerMonth: 1000,
-    agents: 3,
-    credentials: 2,
-    members: 1,
-    timelineHistoryDays: 14,
-    undoEnabled: false,
-    browserSessions: 0,
-  },
-  pro: {
-    id: 'pro',
-    name: 'Pro',
-    monthlyPrice: 900,
-    yearlyPrice: 7900,
-    stripePriceMonthly: 'price_1T6b3m2NRlIkxMrBZ9bmEDYE',
-    stripePriceYearly: 'price_1T6b3m2NRlIkxMrBo2yx01sJ',
-    actionsPerMonth: Infinity,
-    agents: 10,
-    credentials: 25,
-    members: 5,
-    timelineHistoryDays: 90,
-    undoEnabled: true,
-    browserSessions: 2,
-  },
-  team: {
-    id: 'team',
-    name: 'Team',
-    monthlyPrice: 4900,
-    yearlyPrice: 41000,
-    stripePriceMonthly: 'price_1T6b3n2NRlIkxMrBstkfVECC',
-    stripePriceYearly: 'price_1T6b3o2NRlIkxMrBzHoQKPjz',
-    actionsPerMonth: Infinity,
-    agents: 50,
-    credentials: Infinity,
-    members: 25,
-    timelineHistoryDays: 365,
-    undoEnabled: true,
-    browserSessions: 5,
-  },
-} as const;
-export function getPlanLimits(plan: string): PlanLimits {
-  const def = PLANS[plan as PlanId];
-  if (!def) return PLANS.free;
-  return {
-    actionsPerMonth: def.actionsPerMonth,
-    agents: def.agents,
-    credentials: def.credentials,
-    members: def.members,
-    timelineHistoryDays: def.timelineHistoryDays,
-    undoEnabled: def.undoEnabled,
-    browserSessions: def.browserSessions,
-  };
-}
-export function canUndo(plan: string): boolean {
-  return getPlanLimits(plan).undoEnabled;
-}
-/** Map a Stripe price ID back to a plan ID */
-export function planFromPriceId(priceId: string): PlanId | null {
-  for (const plan of Object.values(PLANS)) {
-    if (plan.stripePriceMonthly === priceId || plan.stripePriceYearly === priceId) {
-      return plan.id;
-    }
-  }
-  return null;
-}