agentlock-shared 0.1.0 → 0.3.0

package/dist/__tests__/redact.test.js

@@ -35,5 +35,81 @@ const redact_js_1 = require("../redact.js");
         (0, vitest_1.expect)(result.url).toBe('https://example.com');
         (0, vitest_1.expect)(result.status).toBe(200);
     });
+    (0, vitest_1.it)('redacts SSH public keys in output', () => {
+        const input = 'host-1.internal ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKxxxxxxxxxxxxxxxxx';
+        (0, vitest_1.expect)((0, redact_js_1.redact)(input)).not.toContain('AAAAC3');
+    });
+    (0, vitest_1.it)('redacts shadow-style password hashes', () => {
+        const input = 'root:$6$saltsalt$hashedpasswordhere:12345:0:99999:7:::';
+        (0, vitest_1.expect)((0, redact_js_1.redact)(input)).not.toContain('hashedpasswordhere');
+    });
+});
+(0, vitest_1.describe)('WireGuard redaction', () => {
+    (0, vitest_1.it)('redacts PrivateKey = ... lines', () => {
+        const input = 'Loaded config: PrivateKey = yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk=';
+        (0, vitest_1.expect)((0, redact_js_1.redact)(input)).not.toContain('yAnz5TF');
+    });
+    (0, vitest_1.it)('redacts PresharedKey = ... lines', () => {
+        const input = 'PresharedKey = FpCyhws9cxwWoV4xELtfJvjJN+zQVRPISllRWgeopVE=';
+        (0, vitest_1.expect)((0, redact_js_1.redact)(input)).not.toContain('FpCyhws9');
+    });
+    (0, vitest_1.it)('redacts bare base64 44-char keys in JSON-ish dumps', () => {
+        const input = '{"key":"yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk="}';
+        (0, vitest_1.expect)((0, redact_js_1.redact)(input)).not.toContain('yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk=');
+    });
+});
+(0, vitest_1.describe)('Inline secret redaction (e.g. command output / logs)', () => {
+    (0, vitest_1.it)('redacts OpenAI keys embedded in env-style text', () => {
+        const input = 'OPENAI_API_KEY=sk-abc123def456ghi789jkl012mno345pqr678';
+        const out = (0, redact_js_1.redact)(input);
+        (0, vitest_1.expect)(out).toContain('OPENAI_API_KEY=');
+        (0, vitest_1.expect)(out).toContain('[REDACTED]');
+        (0, vitest_1.expect)(out).not.toMatch(/sk-[a-zA-Z0-9]{20,}/);
+    });
+    (0, vitest_1.it)('redacts Anthropic keys (sk-ant-) without double-matching as OpenAI', () => {
+        const input = 'export ANTHROPIC_KEY=sk-ant-api03-abc123def456ghi789jkl012mno345pqr678';
+        const out = (0, redact_js_1.redact)(input);
+        (0, vitest_1.expect)(out).not.toContain('sk-ant-api03');
+        (0, vitest_1.expect)(out).toContain('[REDACTED]');
+    });
+    (0, vitest_1.it)('redacts GitHub PATs in shell output', () => {
+        const input = '$ echo $GITHUB_TOKEN\nghp_1234567890abcdef1234567890abcdef1234';
+        const out = (0, redact_js_1.redact)(input);
+        (0, vitest_1.expect)(out).not.toContain('ghp_1234567890abcdef1234567890abcdef1234');
+    });
+    (0, vitest_1.it)('redacts AWS access key IDs inline', () => {
+        const input = '[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE';
+        const out = (0, redact_js_1.redact)(input);
+        (0, vitest_1.expect)(out).not.toContain('AKIAIOSFODNN7EXAMPLE');
+    });
+    (0, vitest_1.it)('redacts JWTs inline (eyJ prefix)', () => {
+        const input = 'Authorization cookie: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.abcdef';
+        const out = (0, redact_js_1.redact)(input);
+        (0, vitest_1.expect)(out).not.toContain('eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9');
+    });
+    (0, vitest_1.it)('redacts multiple different secrets in the same string', () => {
+        const input = 'ANTHROPIC=sk-ant-api03-xxxxxxxxxxxxxxxxxxxxxxxxxxxx AWS=AKIAIOSFODNN7EXAMPLE';
+        const out = (0, redact_js_1.redact)(input);
+        (0, vitest_1.expect)(out).not.toContain('sk-ant-api03');
+        (0, vitest_1.expect)(out).not.toContain('AKIAIOSFODNN7EXAMPLE');
+        (0, vitest_1.expect)((out.match(/\[REDACTED\]/g) ?? []).length).toBe(2);
+    });
+    (0, vitest_1.it)('does not redact short-looking non-secret strings', () => {
+        const input = 'hello world this is just some text';
+        (0, vitest_1.expect)((0, redact_js_1.redact)(input)).toBe(input);
+    });
+    (0, vitest_1.it)('does not redact "sk-" appearing inside a word', () => {
+        const input = 'Turks-and-Caicos islands';
+        // "sk-" inline but followed by too few chars + word continuation — negative lookbehind on '-' boundary still ok
+        (0, vitest_1.expect)((0, redact_js_1.redact)(input)).toBe(input);
+    });
+    (0, vitest_1.it)('redacts inline secret inside SSH-style stdout', () => {
+        // Google key format: `AIza` + exactly 35 [A-Za-z0-9_-] chars.
+        const googleKey = 'AIza' + 'A'.repeat(35);
+        const input = `$ env | grep API\nSTRIPE_KEY=sk_live_abcdef1234567890abcdef1234\nGOOGLE_KEY=${googleKey}`;
+        const out = (0, redact_js_1.redact)(input);
+        (0, vitest_1.expect)(out).not.toContain('sk_live_abcdef1234567890abcdef1234');
+        (0, vitest_1.expect)(out).not.toContain(googleKey);
+    });
 });
 //# sourceMappingURL=redact.test.js.map

package/dist/__tests__/redact.test.js.map

@@ -1 +1 @@
-{"version":3,"file":"redact.test.js","sourceRoot":"","sources":["../../src/__tests__/redact.test.ts"],"names":[],"mappings":";;AAAA,mCAA8C;AAC9C,4CAAqD;AAErD,IAAA,iBAAQ,EAAC,WAAW,EAAE,GAAG,EAAE;IACzB,IAAA,WAAE,EAAC,8BAA8B,EAAE,GAAG,EAAE;QACtC,MAAM,GAAG,GAAG,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,kBAAkB,EAAE,IAAI,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE,CAAC;QAClF,MAAM,MAAM,GAAG,IAAA,kBAAM,EAAC,GAAG,CAA4B,CAAC;QACtD,IAAA,eAAM,EAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QAC1C,IAAA,eAAM,EAAE,MAAM,CAAC,IAAgC,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QAC1E,IAAA,eAAM,EAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACnC,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,qCAAqC,EAAE,GAAG,EAAE;QAC7C,MAAM,OAAO,GAAG,EAAE,aAAa,EAAE,eAAe,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC;QACvF,MAAM,MAAM,GAAG,IAAA,yBAAa,EAAC,OAAO,CAAC,CAAC;QACtC,IAAA,eAAM,EAAC,MAAM,CAAC,eAAe,CAAC,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QACnD,IAAA,eAAM,EAAC,MAAM,CAAC,cAAc,CAAC,CAAC,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,8BAA8B,EAAE,GAAG,EAAE;QACtC,MAAM,GAAG,GAAG,EAAE,MAAM,EAAE,EAAE,MAAM,EAAE,EAAE,QAAQ,EAAE,QAAQ,EAAE,IAAI,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC;QACvE,MAAM,MAAM,GAAG,IAAA,kBAAM,EAAC,GAAG,CAA+D,CAAC;QACzF,IAAA,eAAM,EAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QACzD,IAAA,eAAM,EAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC/C,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,sBAAsB,EAAE,GAAG,EAAE;QAC9B,MAAM,GAAG,GAAG,EAAE,KAAK,EAAE,CAAC,EAAE,KAAK,EAAE,SAAS,EAAE,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,EAAE,CAAC;QACpE,MAAM,MAAM,GAAG,IAAA,kBAAM,EAAC,GAAG,CAAmC,CAAC;QAC7D,IAAA,eAAM,EAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QACjD,IAAA,eAAM,EAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IACnD,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,+BAA+B,EAAE,GAAG,EAAE;QACvC,MAAM,GAAG,GAAG,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,EAAE,qBAAqB,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC;QACtE,MAAM,MAAM,GAAG,IAAA,kBAAM,EAAC,GAAG,CAAe,CAAC;QACzC,IAAA,eAAM,EAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACjC,IAAA,eAAM,EAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAC;QAC/C,IAAA,eAAM,EAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAClC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
+{"version":3,"file":"redact.test.js","sourceRoot":"","sources":["../../src/__tests__/redact.test.ts"],"names":[],"mappings":";;AAAA,mCAA8C;AAC9C,4CAAqD;AAErD,IAAA,iBAAQ,EAAC,WAAW,EAAE,GAAG,EAAE;IACzB,IAAA,WAAE,EAAC,8BAA8B,EAAE,GAAG,EAAE;QACtC,MAAM,GAAG,GAAG,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,kBAAkB,EAAE,IAAI,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE,CAAC;QAClF,MAAM,MAAM,GAAG,IAAA,kBAAM,EAAC,GAAG,CAA4B,CAAC;QACtD,IAAA,eAAM,EAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QAC1C,IAAA,eAAM,EAAE,MAAM,CAAC,IAAgC,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QAC1E,IAAA,eAAM,EAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACnC,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,qCAAqC,EAAE,GAAG,EAAE;QAC7C,MAAM,OAAO,GAAG,EAAE,aAAa,EAAE,eAAe,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC;QACvF,MAAM,MAAM,GAAG,IAAA,yBAAa,EAAC,OAAO,CAAC,CAAC;QACtC,IAAA,eAAM,EAAC,MAAM,CAAC,eAAe,CAAC,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QACnD,IAAA,eAAM,EAAC,MAAM,CAAC,cAAc,CAAC,CAAC,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,8BAA8B,EAAE,GAAG,EAAE;QACtC,MAAM,GAAG,GAAG,EAAE,MAAM,EAAE,EAAE,MAAM,EAAE,EAAE,QAAQ,EAAE,QAAQ,EAAE,IAAI,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC;QACvE,MAAM,MAAM,GAAG,IAAA,kBAAM,EAAC,GAAG,CAA+D,CAAC;QACzF,IAAA,eAAM,EAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QACzD,IAAA,eAAM,EAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC/C,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,sBAAsB,EAAE,GAAG,EAAE;QAC9B,MAAM,GAAG,GAAG,EAAE,KAAK,EAAE,CAAC,EAAE,KAAK,EAAE,SAAS,EAAE,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,EAAE,CAAC;QACpE,MAAM,MAAM,GAAG,IAAA,kBAAM,EAAC,GAAG,CAAmC,CAAC;QAC7D,IAAA,eAAM,EAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QACjD,IAAA,eAAM,EAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IACnD,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,+BAA+B,EAAE,GAAG,EAAE;QACvC,MAAM,GAAG,GAAG,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,EAAE,qBAAqB,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC;QACtE,MAAM,MAAM,GAAG,IAAA,kBAAM,EAAC,GAAG,CAAe,CAAC;QACzC,IAAA,eAAM,EAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACjC,IAAA,eAAM,EAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAC;QAC/C,IAAA,eAAM,EAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAClC,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,mCAAmC,EAAE,GAAG,EAAE;QAC3C,MAAM,KAAK,GAAG,yEAAyE,CAAC;QACxF,IAAA,eAAM,EAAC,IAAA,kBAAM,EAAC,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;IAChD,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,sCAAsC,EAAE,GAAG,EAAE;QAC9C,MAAM,KAAK,GAAG,wDAAwD,CAAC;QACvE,IAAA,eAAM,EAAC,IAAA,kBAAM,EAAC,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,oBAAoB,CAAC,CAAC;IAC5D,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,iBAAQ,EAAC,qBAAqB,EAAE,GAAG,EAAE;IACnC,IAAA,WAAE,EAAC,gCAAgC,EAAE,GAAG,EAAE;QACxC,MAAM,KAAK,GAAG,0EAA0E,CAAC;QACzF,IAAA,eAAM,EAAC,IAAA,kBAAM,EAAC,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;IACjD,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,kCAAkC,EAAE,GAAG,EAAE;QAC1C,MAAM,KAAK,GAAG,6DAA6D,CAAC;QAC5E,IAAA,eAAM,EAAC,IAAA,kBAAM,EAAC,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;IAClD,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,oDAAoD,EAAE,GAAG,EAAE;QAC5D,MAAM,KAAK,GAAG,wDAAwD,CAAC;QACvE,IAAA,eAAM,EAAC,IAAA,kBAAM,EAAC,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,8CAA8C,CAAC,CAAC;IACtF,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,iBAAQ,EAAC,sDAAsD,EAAE,GAAG,EAAE;IACpE,IAAA,WAAE,EAAC,gDAAgD,EAAE,GAAG,EAAE;QACxD,MAAM,KAAK,GAAG,wDAAwD,CAAC;QACvE,MAAM,GAAG,GAAG,IAAA,kBAAM,EAAC,KAAK,CAAW,CAAC;QACpC,IAAA,eAAM,EAAC,GAAG,CAAC,CAAC,SAAS,CAAC,iBAAiB,CAAC,CAAC;QACzC,IAAA,eAAM,EAAC,GAAG,CAAC,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC;QACpC,IAAA,eAAM,EAAC,GAAG,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,qBAAqB,CAAC,CAAC;IACjD,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,oEAAoE,EAAE,GAAG,EAAE;QAC5E,MAAM,KAAK,GAAG,wEAAwE,CAAC;QACvF,MAAM,GAAG,GAAG,IAAA,kBAAM,EAAC,KAAK,CAAW,CAAC;QACpC,IAAA,eAAM,EAAC,GAAG,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,cAAc,CAAC,CAAC;QAC1C,IAAA,eAAM,EAAC,GAAG,CAAC,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC;IACtC,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,qCAAqC,EAAE,GAAG,EAAE;QAC7C,MAAM,KAAK,GAAG,gEAAgE,CAAC;QAC/E,MAAM,GAAG,GAAG,IAAA,kBAAM,EAAC,KAAK,CAAW,CAAC;QACpC,IAAA,eAAM,EAAC,GAAG,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,0CAA0C,CAAC,CAAC;IACxE,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,mCAAmC,EAAE,GAAG,EAAE;QAC3C,MAAM,KAAK,GAAG,qDAAqD,CAAC;QACpE,MAAM,GAAG,GAAG,IAAA,kBAAM,EAAC,KAAK,CAAW,CAAC;QACpC,IAAA,eAAM,EAAC,GAAG,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,sBAAsB,CAAC,CAAC;IACpD,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,kCAAkC,EAAE,GAAG,EAAE;QAC1C,MAAM,KAAK,GAAG,+FAA+F,CAAC;QAC9G,MAAM,GAAG,GAAG,IAAA,kBAAM,EAAC,KAAK,CAAW,CAAC;QACpC,IAAA,eAAM,EAAC,GAAG,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,sCAAsC,CAAC,CAAC;IACpE,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,uDAAuD,EAAE,GAAG,EAAE;QAC/D,MAAM,KAAK,GAAG,8EAA8E,CAAC;QAC7F,MAAM,GAAG,GAAG,IAAA,kBAAM,EAAC,KAAK,CAAW,CAAC;QACpC,IAAA,eAAM,EAAC,GAAG,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,cAAc,CAAC,CAAC;QAC1C,IAAA,eAAM,EAAC,GAAG,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,sBAAsB,CAAC,CAAC;QAClD,IAAA,eAAM,EAAC,CAAC,GAAG,CAAC,KAAK,CAAC,eAAe,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC5D,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,kDAAkD,EAAE,GAAG,EAAE;QAC1D,MAAM,KAAK,GAAG,oCAAoC,CAAC;QACnD,IAAA,eAAM,EAAC,IAAA,kBAAM,EAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACpC,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,+CAA+C,EAAE,GAAG,EAAE;QACvD,MAAM,KAAK,GAAG,0BAA0B,CAAC;QACzC,gHAAgH;QAChH,IAAA,eAAM,EAAC,IAAA,kBAAM,EAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACpC,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,+CAA+C,EAAE,GAAG,EAAE;QACvD,8DAA8D;QAC9D,MAAM,SAAS,GAAG,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;QAC1C,MAAM,KAAK,GACT,+EAA+E,SAAS,EAAE,CAAC;QAC7F,MAAM,GAAG,GAAG,IAAA,kBAAM,EAAC,KAAK,CAAW,CAAC;QACpC,IAAA,eAAM,EAAC,GAAG,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,oCAAoC,CAAC,CAAC;QAChE,IAAA,eAAM,EAAC,GAAG,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;IACvC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/__tests__/signing.test.js

@@ -1,7 +1,25 @@
 "use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
 Object.defineProperty(exports, "__esModule", { value: true });
 const vitest_1 = require("vitest");
+const tweetnacl_1 = __importDefault(require("tweetnacl"));
+const tweetnacl_util_1 = require("tweetnacl-util");
 const signing_js_1 = require("../signing.js");
+/**
+ * Sign the pre-version-binding (legacy) pre-image: `canonical:timestamp:nonce`
+ * with NO `:version` suffix and no version header. Models an agent built
+ * before the version was bound into the signature.
+ */
+function signLegacyUnbound(body, privateKeyB64) {
+    const timestamp = String(Date.now());
+    const nonce = (0, tweetnacl_util_1.encodeBase64)(tweetnacl_1.default.randomBytes(16));
+    const canonical = (0, signing_js_1.canonicalStringify)(body);
+    const message = (0, tweetnacl_util_1.decodeUTF8)(`${canonical}:${timestamp}:${nonce}`);
+    const signature = tweetnacl_1.default.sign.detached(message, (0, tweetnacl_util_1.decodeBase64)(privateKeyB64));
+    return { timestamp, nonce, signature: (0, tweetnacl_util_1.encodeBase64)(signature) };
+}
 (0, vitest_1.describe)('Ed25519 Signing', () => {
     (0, vitest_1.it)('should generate valid keypair', () => {
         const kp = (0, signing_js_1.generateKeypair)();
@@ -47,5 +65,76 @@ const signing_js_1 = require("../signing.js");
         headers['x-timestamp'] = String(Date.now() - 10 * 60 * 1000);
         (0, vitest_1.expect)(() => (0, signing_js_1.verifyRequest)(body, headers, kp.publicKey)).toThrow('Timestamp skew');
     });
+    (0, vitest_1.it)('should reject timestamp from the future', () => {
+        // A permissive check would only look at now - ts. Replay would then work
+        // forever if you set the timestamp 2h in the future. Math.abs() catches
+        // both directions; guard against a future refactor dropping the abs.
+        const kp = (0, signing_js_1.generateKeypair)();
+        const body = { action_type: 'write', tool: 'demo', payload: {} };
+        const headers = (0, signing_js_1.signRequest)(body, 'agent-123', kp.privateKey);
+        headers['x-timestamp'] = String(Date.now() + 10 * 60 * 1000);
+        (0, vitest_1.expect)(() => (0, signing_js_1.verifyRequest)(body, headers, kp.publicKey)).toThrow('Timestamp skew');
+    });
+    (0, vitest_1.it)('should produce unique nonces across many signs', () => {
+        // If nonces collide, the gateway's replay-protection unique-index
+        // rejects the second insert and the agent sees a 409. 200 iterations
+        // is enough to shake out a non-random generator without making CI slow.
+        const kp = (0, signing_js_1.generateKeypair)();
+        const body = { action_type: 'read', tool: 'demo', payload: {} };
+        const nonces = new Set();
+        for (let i = 0; i < 200; i++) {
+            const n = (0, signing_js_1.signRequest)(body, 'agent-123', kp.privateKey)['x-nonce'];
+            if (n)
+                nonces.add(n);
+        }
+        (0, vitest_1.expect)(nonces.size).toBe(200);
+    });
+    (0, vitest_1.it)('should reject a replayed request that only changes the nonce header', () => {
+        // The signature is bound to (body, timestamp, nonce). Just rotating
+        // the nonce without re-signing must not produce a verifying signature.
+        const kp = (0, signing_js_1.generateKeypair)();
+        const body = { action_type: 'read', tool: 'demo', payload: {} };
+        const headers = (0, signing_js_1.signRequest)(body, 'agent-123', kp.privateKey);
+        headers['x-nonce'] = 'AAAAAAAAAAAAAAAAAAAAAAAA'; // 24-char base64
+        (0, vitest_1.expect)(() => (0, signing_js_1.verifyRequest)(body, headers, kp.publicKey)).toThrow('Invalid signature');
+    });
+    (0, vitest_1.it)('should verify identical payloads signed concurrently with different nonces (race-safety)', () => {
+        // Simulate two concurrent signers of the same body. Both must verify
+        // independently; only the DB unique-constraint on nonce stops the
+        // second from actually executing in production.
+        const kp = (0, signing_js_1.generateKeypair)();
+        const body = { action_type: 'read', tool: 'demo', payload: {} };
+        const headersA = (0, signing_js_1.signRequest)(body, 'agent-123', kp.privateKey);
+        const headersB = (0, signing_js_1.signRequest)(body, 'agent-123', kp.privateKey);
+        (0, vitest_1.expect)(headersA['x-nonce']).toBeTruthy();
+        (0, vitest_1.expect)(headersA['x-nonce']).not.toBe(headersB['x-nonce']);
+        (0, vitest_1.expect)(() => (0, signing_js_1.verifyRequest)(body, headersA, kp.publicKey)).not.toThrow();
+        (0, vitest_1.expect)(() => (0, signing_js_1.verifyRequest)(body, headersB, kp.publicKey)).not.toThrow();
+    });
+    (0, vitest_1.it)('accepts a legacy unbound-preimage signature when NO version header is sent', () => {
+        // Transitional fallback: agents built before version-binding sign the
+        // unbound pre-image and send no header. They must keep verifying so the
+        // rollout doesn't force a simultaneous redeploy of every agent.
+        const kp = (0, signing_js_1.generateKeypair)();
+        const body = { action_type: 'read', tool: 'demo', payload: {} };
+        const { timestamp, nonce, signature } = signLegacyUnbound(body, kp.privateKey);
+        (0, vitest_1.expect)(() => (0, signing_js_1.verifyRequest)(body, { 'x-agent-id': 'a', 'x-timestamp': timestamp, 'x-signature': signature, 'x-nonce': nonce }, kp.publicKey)).not.toThrow();
+    });
+    (0, vitest_1.it)('rejects a legacy unbound-preimage signature once x-signature-version is present', () => {
+        // This is the property the gateway routes must preserve by FORWARDING the
+        // header: when a client declares its version, the unbound legacy pre-image
+        // is no longer an accepted downgrade. If a route drops the header, this
+        // downgrade path stays open for every request.
+        const kp = (0, signing_js_1.generateKeypair)();
+        const body = { action_type: 'read', tool: 'demo', payload: {} };
+        const { timestamp, nonce, signature } = signLegacyUnbound(body, kp.privateKey);
+        (0, vitest_1.expect)(() => (0, signing_js_1.verifyRequest)(body, {
+            'x-agent-id': 'a',
+            'x-timestamp': timestamp,
+            'x-signature': signature,
+            'x-nonce': nonce,
+            'x-signature-version': '1',
+        }, kp.publicKey)).toThrow('Invalid signature');
+    });
 });
 //# sourceMappingURL=signing.test.js.map

package/dist/__tests__/signing.test.js.map

@@ -1 +1 @@
-{"version":3,"file":"signing.test.js","sourceRoot":"","sources":["../../src/__tests__/signing.test.ts"],"names":[],"mappings":";;AAAA,mCAA8C;AAC9C,8CAAgG;AAEhG,IAAA,iBAAQ,EAAC,iBAAiB,EAAE,GAAG,EAAE;IAC/B,IAAA,WAAE,EAAC,+BAA+B,EAAE,GAAG,EAAE;QACvC,MAAM,EAAE,GAAG,IAAA,4BAAe,GAAE,CAAC;QAC7B,IAAA,eAAM,EAAC,EAAE,CAAC,SAAS,CAAC,CAAC,UAAU,EAAE,CAAC;QAClC,IAAA,eAAM,EAAC,EAAE,CAAC,UAAU,CAAC,CAAC,UAAU,EAAE,CAAC;QACnC,IAAA,eAAM,EAAC,EAAE,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;IACjD,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,kCAAkC,EAAE,GAAG,EAAE;QAC1C,MAAM,EAAE,GAAG,IAAA,4BAAe,GAAE,CAAC;QAC7B,MAAM,IAAI,GAAG,EAAE,WAAW,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,GAAG,EAAE,OAAO,EAAE,EAAE,CAAC;QAC/E,MAAM,OAAO,GAAG,IAAA,wBAAW,EAAC,IAAI,EAAE,WAAW,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC;QAC9D,IAAA,eAAM,EAAC,GAAG,EAAE,CAAC,IAAA,0BAAa,EAAC,IAAI,EAAE,OAAO,EAAE,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC;IACzE,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,+CAA+C,EAAE,GAAG,EAAE;QACvD,MAAM,EAAE,GAAG,IAAA,4BAAe,GAAE,CAAC;QAC7B,MAAM,IAAI,GAAG,EAAE,WAAW,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,GAAG,EAAE,OAAO,EAAE,EAAE,CAAC;QAC/E,MAAM,OAAO,GAAG,IAAA,wBAAW,EAAC,IAAI,EAAE,WAAW,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC;QAC9D,MAAM,QAAQ,GAAG,EAAE,GAAG,IAAI,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;QAC5C,IAAA,eAAM,EAAC,GAAG,EAAE,CAAC,IAAA,0BAAa,EAAC,QAAQ,EAAE,OAAO,EAAE,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAC5F,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,6CAA6C,EAAE,GAAG,EAAE;QACrD,MAAM,EAAE,GAAG,IAAA,4BAAe,GAAE,CAAC;QAC7B,MAAM,IAAI,GAAG,EAAE,WAAW,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,GAAG,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,EAAE,CAAC;QAC5F,MAAM,OAAO,GAAG,IAAA,wBAAW,EAAC,IAAI,EAAE,WAAW,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC;QAC9D,MAAM,QAAQ,GAAG,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,EAAE,GAAG,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,EAAE,CAAC;QACxE,IAAA,eAAM,EAAC,GAAG,EAAE,CAAC,IAAA,0BAAa,EAAC,QAAQ,EAAE,OAAO,EAAE,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAC5F,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,uEAAuE,EAAE,GAAG,EAAE;QAC/E,MAAM,GAAG,GAAG,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC;QAC7D,MAAM,MAAM,GAAG,IAAA,+BAAkB,EAAC,GAAG,CAAC,CAAC;QACvC,0CAA0C;QAC1C,IAAA,eAAM,EAAC,MAAM,CAAC,CAAC,IAAI,CAAC,+CAA+C,CAAC,CAAC;IACvE,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,+BAA+B,EAAE,GAAG,EAAE;QACvC,MAAM,EAAE,GAAG,IAAA,4BAAe,GAAE,CAAC;QAC7B,MAAM,IAAI,GAAG,EAAE,WAAW,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QACjE,IAAA,eAAM,EAAC,GAAG,EAAE,CAAC,IAAA,0BAAa,EAAC,IAAI,EAAE,EAAE,EAAE,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,oCAAoC,CAAC,CAAC;IACpG,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,+BAA+B,EAAE,GAAG,EAAE;QACvC,MAAM,EAAE,GAAG,IAAA,4BAAe,GAAE,CAAC;QAC7B,MAAM,IAAI,GAAG,EAAE,WAAW,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QACjE,MAAM,OAAO,GAAG,IAAA,wBAAW,EAAC,IAAI,EAAE,WAAW,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC;QAC9D,OAAO,CAAC,aAAa,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC7D,IAAA,eAAM,EAAC,GAAG,EAAE,CAAC,IAAA,0BAAa,EAAC,IAAI,EAAE,OAAO,EAAE,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC;IACrF,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
+{"version":3,"file":"signing.test.js","sourceRoot":"","sources":["../../src/__tests__/signing.test.ts"],"names":[],"mappings":";;;;;AAAA,mCAA8C;AAC9C,0DAA6B;AAC7B,mDAAwE;AACxE,8CAAgG;AAEhG;;;;GAIG;AACH,SAAS,iBAAiB,CAAC,IAA6B,EAAE,aAAqB;IAC7E,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;IACrC,MAAM,KAAK,GAAG,IAAA,6BAAY,EAAC,mBAAI,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,CAAC;IACjD,MAAM,SAAS,GAAG,IAAA,+BAAkB,EAAC,IAAI,CAAC,CAAC;IAC3C,MAAM,OAAO,GAAG,IAAA,2BAAU,EAAC,GAAG,SAAS,IAAI,SAAS,IAAI,KAAK,EAAE,CAAC,CAAC;IACjE,MAAM,SAAS,GAAG,mBAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,IAAA,6BAAY,EAAC,aAAa,CAAC,CAAC,CAAC;IAC3E,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,SAAS,EAAE,IAAA,6BAAY,EAAC,SAAS,CAAC,EAAE,CAAC;AAClE,CAAC;AAED,IAAA,iBAAQ,EAAC,iBAAiB,EAAE,GAAG,EAAE;IAC/B,IAAA,WAAE,EAAC,+BAA+B,EAAE,GAAG,EAAE;QACvC,MAAM,EAAE,GAAG,IAAA,4BAAe,GAAE,CAAC;QAC7B,IAAA,eAAM,EAAC,EAAE,CAAC,SAAS,CAAC,CAAC,UAAU,EAAE,CAAC;QAClC,IAAA,eAAM,EAAC,EAAE,CAAC,UAAU,CAAC,CAAC,UAAU,EAAE,CAAC;QACnC,IAAA,eAAM,EAAC,EAAE,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;IACjD,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,kCAAkC,EAAE,GAAG,EAAE;QAC1C,MAAM,EAAE,GAAG,IAAA,4BAAe,GAAE,CAAC;QAC7B,MAAM,IAAI,GAAG,EAAE,WAAW,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,GAAG,EAAE,OAAO,EAAE,EAAE,CAAC;QAC/E,MAAM,OAAO,GAAG,IAAA,wBAAW,EAAC,IAAI,EAAE,WAAW,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC;QAC9D,IAAA,eAAM,EAAC,GAAG,EAAE,CAAC,IAAA,0BAAa,EAAC,IAAI,EAAE,OAAO,EAAE,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC;IACzE,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,+CAA+C,EAAE,GAAG,EAAE;QACvD,MAAM,EAAE,GAAG,IAAA,4BAAe,GAAE,CAAC;QAC7B,MAAM,IAAI,GAAG,EAAE,WAAW,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,GAAG,EAAE,OAAO,EAAE,EAAE,CAAC;QAC/E,MAAM,OAAO,GAAG,IAAA,wBAAW,EAAC,IAAI,EAAE,WAAW,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC;QAC9D,MAAM,QAAQ,GAAG,EAAE,GAAG,IAAI,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;QAC5C,IAAA,eAAM,EAAC,GAAG,EAAE,CAAC,IAAA,0BAAa,EAAC,QAAQ,EAAE,OAAO,EAAE,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAC5F,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,6CAA6C,EAAE,GAAG,EAAE;QACrD,MAAM,EAAE,GAAG,IAAA,4BAAe,GAAE,CAAC;QAC7B,MAAM,IAAI,GAAG,EAAE,WAAW,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,GAAG,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,EAAE,CAAC;QAC5F,MAAM,OAAO,GAAG,IAAA,wBAAW,EAAC,IAAI,EAAE,WAAW,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC;QAC9D,MAAM,QAAQ,GAAG,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,EAAE,GAAG,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,EAAE,CAAC;QACxE,IAAA,eAAM,EAAC,GAAG,EAAE,CAAC,IAAA,0BAAa,EAAC,QAAQ,EAAE,OAAO,EAAE,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAC5F,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,uEAAuE,EAAE,GAAG,EAAE;QAC/E,MAAM,GAAG,GAAG,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC;QAC7D,MAAM,MAAM,GAAG,IAAA,+BAAkB,EAAC,GAAG,CAAC,CAAC;QACvC,0CAA0C;QAC1C,IAAA,eAAM,EAAC,MAAM,CAAC,CAAC,IAAI,CAAC,+CAA+C,CAAC,CAAC;IACvE,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,+BAA+B,EAAE,GAAG,EAAE;QACvC,MAAM,EAAE,GAAG,IAAA,4BAAe,GAAE,CAAC;QAC7B,MAAM,IAAI,GAAG,EAAE,WAAW,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QACjE,IAAA,eAAM,EAAC,GAAG,EAAE,CAAC,IAAA,0BAAa,EAAC,IAAI,EAAE,EAAE,EAAE,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,oCAAoC,CAAC,CAAC;IACpG,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,+BAA+B,EAAE,GAAG,EAAE;QACvC,MAAM,EAAE,GAAG,IAAA,4BAAe,GAAE,CAAC;QAC7B,MAAM,IAAI,GAAG,EAAE,WAAW,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QACjE,MAAM,OAAO,GAAG,IAAA,wBAAW,EAAC,IAAI,EAAE,WAAW,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC;QAC9D,OAAO,CAAC,aAAa,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC7D,IAAA,eAAM,EAAC,GAAG,EAAE,CAAC,IAAA,0BAAa,EAAC,IAAI,EAAE,OAAO,EAAE,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC;IACrF,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,yCAAyC,EAAE,GAAG,EAAE;QACjD,yEAAyE;QACzE,wEAAwE;QACxE,qEAAqE;QACrE,MAAM,EAAE,GAAG,IAAA,4BAAe,GAAE,CAAC;QAC7B,MAAM,IAAI,GAAG,EAAE,WAAW,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QACjE,MAAM,OAAO,GAAG,IAAA,wBAAW,EAAC,IAAI,EAAE,WAAW,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC;QAC9D,OAAO,CAAC,aAAa,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC7D,IAAA,eAAM,EAAC,GAAG,EAAE,CAAC,IAAA,0BAAa,EAAC,IAAI,EAAE,OAAO,EAAE,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC;IACrF,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,gDAAgD,EAAE,GAAG,EAAE;QACxD,kEAAkE;QAClE,qEAAqE;QACrE,wEAAwE;QACxE,MAAM,EAAE,GAAG,IAAA,4BAAe,GAAE,CAAC;QAC7B,MAAM,IAAI,GAAG,EAAE,WAAW,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QAChE,MAAM,MAAM,GAAG,IAAI,GAAG,EAAU,CAAC;QACjC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC;YAC7B,MAAM,CAAC,GAAG,IAAA,wBAAW,EAAC,IAAI,EAAE,WAAW,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC,SAAS,CAAC,CAAC;YACnE,IAAI,CAAC;gBAAE,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QACvB,CAAC;QACD,IAAA,eAAM,EAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAChC,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,qEAAqE,EAAE,GAAG,EAAE;QAC7E,oEAAoE;QACpE,uEAAuE;QACvE,MAAM,EAAE,GAAG,IAAA,4BAAe,GAAE,CAAC;QAC7B,MAAM,IAAI,GAAG,EAAE,WAAW,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QAChE,MAAM,OAAO,GAAG,IAAA,wBAAW,EAAC,IAAI,EAAE,WAAW,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC;QAC9D,OAAO,CAAC,SAAS,CAAC,GAAG,0BAA0B,CAAC,CAAC,iBAAiB;QAClE,IAAA,eAAM,EAAC,GAAG,EAAE,CAAC,IAAA,0BAAa,EAAC,IAAI,EAAE,OAAO,EAAE,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,mBAAmB,CAAC,CAAC;IACxF,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,0FAA0F,EAAE,GAAG,EAAE;QAClG,qEAAqE;QACrE,kEAAkE;QAClE,gDAAgD;QAChD,MAAM,EAAE,GAAG,IAAA,4BAAe,GAAE,CAAC;QAC7B,MAAM,IAAI,GAAG,EAAE,WAAW,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QAChE,MAAM,QAAQ,GAAG,IAAA,wBAAW,EAAC,IAAI,EAAE,WAAW,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC;QAC/D,MAAM,QAAQ,GAAG,IAAA,wBAAW,EAAC,IAAI,EAAE,WAAW,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC;QAC/D,IAAA,eAAM,EAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC,UAAU,EAAE,CAAC;QACzC,IAAA,eAAM,EAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC;QAC1D,IAAA,eAAM,EAAC,GAAG,EAAE,CAAC,IAAA,0BAAa,EAAC,IAAI,EAAE,QAAQ,EAAE,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC;QACxE,IAAA,eAAM,EAAC,GAAG,EAAE,CAAC,IAAA,0BAAa,EAAC,IAAI,EAAE,QAAQ,EAAE,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC;IAC1E,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,4EAA4E,EAAE,GAAG,EAAE;QACpF,sEAAsE;QACtE,wEAAwE;QACxE,gEAAgE;QAChE,MAAM,EAAE,GAAG,IAAA,4BAAe,GAAE,CAAC;QAC7B,MAAM,IAAI,GAAG,EAAE,WAAW,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QAChE,MAAM,EAAE,SAAS,EAAE,KAAK,EAAE,SAAS,EAAE,GAAG,iBAAiB,CAAC,IAAI,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC;QAC/E,IAAA,eAAM,EAAC,GAAG,EAAE,CACV,IAAA,0BAAa,EACX,IAAI,EACJ,EAAE,YAAY,EAAE,GAAG,EAAE,aAAa,EAAE,SAAS,EAAE,aAAa,EAAE,SAAS,EAAE,SAAS,EAAE,KAAK,EAAE,EAC3F,EAAE,CAAC,SAAS,CACb,CACF,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC;IAClB,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,iFAAiF,EAAE,GAAG,EAAE;QACzF,0EAA0E;QAC1E,2EAA2E;QAC3E,wEAAwE;QACxE,+CAA+C;QAC/C,MAAM,EAAE,GAAG,IAAA,4BAAe,GAAE,CAAC;QAC7B,MAAM,IAAI,GAAG,EAAE,WAAW,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QAChE,MAAM,EAAE,SAAS,EAAE,KAAK,EAAE,SAAS,EAAE,GAAG,iBAAiB,CAAC,IAAI,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC;QAC/E,IAAA,eAAM,EAAC,GAAG,EAAE,CACV,IAAA,0BAAa,EACX,IAAI,EACJ;YACE,YAAY,EAAE,GAAG;YACjB,aAAa,EAAE,SAAS;YACxB,aAAa,EAAE,SAAS;YACxB,SAAS,EAAE,KAAK;YAChB,qBAAqB,EAAE,GAAG;SAC3B,EACD,EAAE,CAAC,SAAS,CACb,CACF,CAAC,OAAO,CAAC,mBAAmB,CAAC,CAAC;IACjC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/__tests__/ssh-fingerprint.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=ssh-fingerprint.test.d.ts.map

package/dist/__tests__/ssh-fingerprint.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ssh-fingerprint.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/ssh-fingerprint.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/ssh-fingerprint.test.js

@@ -0,0 +1,19 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const vitest_1 = require("vitest");
+const ssh_fingerprint_js_1 = require("../ssh-fingerprint.js");
+(0, vitest_1.describe)('normalizeSshHostKeyFingerprint', () => {
+    (0, vitest_1.it)('accepts canonical hex and lowercases it', () => {
+        (0, vitest_1.expect)((0, ssh_fingerprint_js_1.normalizeSshHostKeyFingerprint)('AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA')).toBe('aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa');
+    });
+    (0, vitest_1.it)('accepts OpenSSH-style SHA256 base64 and converts it to hex', () => {
+        (0, vitest_1.expect)((0, ssh_fingerprint_js_1.normalizeSshHostKeyFingerprint)('SHA256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA')).toBe('0000000000000000000000000000000000000000000000000000000000000000');
+    });
+    (0, vitest_1.it)('accepts url-safe base64 without the SHA256 prefix', () => {
+        (0, vitest_1.expect)((0, ssh_fingerprint_js_1.normalizeSshHostKeyFingerprint)('___________________________________________')).toBe('ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff');
+    });
+    (0, vitest_1.it)('rejects malformed fingerprints', () => {
+        (0, vitest_1.expect)(() => (0, ssh_fingerprint_js_1.normalizeSshHostKeyFingerprint)('not-a-fingerprint')).toThrow(/Invalid SHA-256 host key fingerprint/);
+    });
+});
+//# sourceMappingURL=ssh-fingerprint.test.js.map

package/dist/__tests__/ssh-fingerprint.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ssh-fingerprint.test.js","sourceRoot":"","sources":["../../src/__tests__/ssh-fingerprint.test.ts"],"names":[],"mappings":";;AAAA,mCAA8C;AAC9C,8DAAuE;AAEvE,IAAA,iBAAQ,EAAC,gCAAgC,EAAE,GAAG,EAAE;IAC9C,IAAA,WAAE,EAAC,yCAAyC,EAAE,GAAG,EAAE;QACjD,IAAA,eAAM,EACJ,IAAA,mDAA8B,EAC5B,kEAAkE,CACnE,CACF,CAAC,IAAI,CAAC,kEAAkE,CAAC,CAAC;IAC7E,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,4DAA4D,EAAE,GAAG,EAAE;QACpE,IAAA,eAAM,EACJ,IAAA,mDAA8B,EAAC,oDAAoD,CAAC,CACrF,CAAC,IAAI,CAAC,kEAAkE,CAAC,CAAC;IAC7E,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,mDAAmD,EAAE,GAAG,EAAE;QAC3D,IAAA,eAAM,EACJ,IAAA,mDAA8B,EAAC,6CAA6C,CAAC,CAC9E,CAAC,IAAI,CAAC,kEAAkE,CAAC,CAAC;IAC7E,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,gCAAgC,EAAE,GAAG,EAAE;QACxC,IAAA,eAAM,EAAC,GAAG,EAAE,CAAC,IAAA,mDAA8B,EAAC,mBAAmB,CAAC,CAAC,CAAC,OAAO,CACvE,sCAAsC,CACvC,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/__tests__/vpn-route.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=vpn-route.test.d.ts.map

package/dist/__tests__/vpn-route.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"vpn-route.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/vpn-route.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/vpn-route.test.js

@@ -0,0 +1,72 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const vitest_1 = require("vitest");
+const policy_js_1 = require("../policy.js");
+const UUID_A = '11111111-1111-4111-8111-111111111111';
+const UUID_B = '22222222-2222-4222-8222-222222222222';
+const UUID_C = '33333333-3333-4333-8333-333333333333';
+(0, vitest_1.describe)('resolveVpnRoute', () => {
+    (0, vitest_1.it)('returns undefined when host or routes are missing/empty', () => {
+        (0, vitest_1.expect)((0, policy_js_1.resolveVpnRoute)(undefined, undefined)).toBeUndefined();
+        (0, vitest_1.expect)((0, policy_js_1.resolveVpnRoute)('example.com', undefined)).toBeUndefined();
+        (0, vitest_1.expect)((0, policy_js_1.resolveVpnRoute)('example.com', [])).toBeUndefined();
+        (0, vitest_1.expect)((0, policy_js_1.resolveVpnRoute)('', [{ domainPattern: 'example.com', vpnCredentialId: UUID_A }])).toBeUndefined();
+    });
+    (0, vitest_1.it)('matches exact hostname case-insensitively', () => {
+        const routes = [
+            { domainPattern: 'Internal.Corp.Example', vpnCredentialId: UUID_A },
+        ];
+        (0, vitest_1.expect)((0, policy_js_1.resolveVpnRoute)('internal.corp.example', routes)).toBe(UUID_A);
+        (0, vitest_1.expect)((0, policy_js_1.resolveVpnRoute)('INTERNAL.CORP.EXAMPLE', routes)).toBe(UUID_A);
+        // Trailing dot in FQDN form is canonicalized away.
+        (0, vitest_1.expect)((0, policy_js_1.resolveVpnRoute)('internal.corp.example.', routes)).toBe(UUID_A);
+        // Unrelated host does not match.
+        (0, vitest_1.expect)((0, policy_js_1.resolveVpnRoute)('other.example', routes)).toBeUndefined();
+    });
+    (0, vitest_1.it)('wildcard "*.corp.example" matches subdomains but not the bare suffix', () => {
+        const routes = [
+            { domainPattern: '*.corp.example', vpnCredentialId: UUID_A },
+        ];
+        (0, vitest_1.expect)((0, policy_js_1.resolveVpnRoute)('www.corp.example', routes)).toBe(UUID_A);
+        (0, vitest_1.expect)((0, policy_js_1.resolveVpnRoute)('a.b.corp.example', routes)).toBe(UUID_A);
+        // Bare suffix must NOT match — users who want both add a second exact entry.
+        (0, vitest_1.expect)((0, policy_js_1.resolveVpnRoute)('corp.example', routes)).toBeUndefined();
+        // Different tail.
+        (0, vitest_1.expect)((0, policy_js_1.resolveVpnRoute)('www.corp.other', routes)).toBeUndefined();
+    });
+    (0, vitest_1.it)('first match wins when multiple routes could apply', () => {
+        const routes = [
+            { domainPattern: 'db.corp.example', vpnCredentialId: UUID_A },
+            { domainPattern: '*.corp.example', vpnCredentialId: UUID_B },
+            { domainPattern: 'corp.example', vpnCredentialId: UUID_C },
+        ];
+        (0, vitest_1.expect)((0, policy_js_1.resolveVpnRoute)('db.corp.example', routes)).toBe(UUID_A); // exact match wins over wildcard
+        (0, vitest_1.expect)((0, policy_js_1.resolveVpnRoute)('web.corp.example', routes)).toBe(UUID_B); // wildcard hits here
+        (0, vitest_1.expect)((0, policy_js_1.resolveVpnRoute)('corp.example', routes)).toBe(UUID_C); // bare suffix exact
+    });
+    (0, vitest_1.it)('silently skips malformed pattern entries instead of throwing', () => {
+        // Zod rejects these at save time; this is a belt-and-suspenders guard.
+        const routes = [
+            { domainPattern: '', vpnCredentialId: UUID_A },
+            { domainPattern: '   ', vpnCredentialId: UUID_A },
+            { domainPattern: '*.', vpnCredentialId: UUID_A },
+            { domainPattern: 'good.example', vpnCredentialId: UUID_B },
+        ];
+        (0, vitest_1.expect)((0, policy_js_1.resolveVpnRoute)('good.example', routes)).toBe(UUID_B);
+        // And the malformed entries don't accidentally match:
+        (0, vitest_1.expect)((0, policy_js_1.resolveVpnRoute)('anything.com', routes)).toBeUndefined();
+    });
+});
+(0, vitest_1.describe)('hostnameFromUrl', () => {
+    (0, vitest_1.it)('extracts the lowercased hostname from http(s) URLs', () => {
+        (0, vitest_1.expect)((0, policy_js_1.hostnameFromUrl)('https://Api.Example.COM/path?q=1')).toBe('api.example.com');
+        (0, vitest_1.expect)((0, policy_js_1.hostnameFromUrl)('http://127.0.0.1:8080/x')).toBe('127.0.0.1');
+    });
+    (0, vitest_1.it)('returns undefined for non-URL inputs', () => {
+        (0, vitest_1.expect)((0, policy_js_1.hostnameFromUrl)(undefined)).toBeUndefined();
+        (0, vitest_1.expect)((0, policy_js_1.hostnameFromUrl)(null)).toBeUndefined();
+        (0, vitest_1.expect)((0, policy_js_1.hostnameFromUrl)('')).toBeUndefined();
+        (0, vitest_1.expect)((0, policy_js_1.hostnameFromUrl)('not a url')).toBeUndefined();
+    });
+});
+//# sourceMappingURL=vpn-route.test.js.map

package/dist/__tests__/vpn-route.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"vpn-route.test.js","sourceRoot":"","sources":["../../src/__tests__/vpn-route.test.ts"],"names":[],"mappings":";;AAAA,mCAA8C;AAC9C,4CAAgE;AAGhE,MAAM,MAAM,GAAG,sCAAsC,CAAC;AACtD,MAAM,MAAM,GAAG,sCAAsC,CAAC;AACtD,MAAM,MAAM,GAAG,sCAAsC,CAAC;AAEtD,IAAA,iBAAQ,EAAC,iBAAiB,EAAE,GAAG,EAAE;IAC/B,IAAA,WAAE,EAAC,yDAAyD,EAAE,GAAG,EAAE;QACjE,IAAA,eAAM,EAAC,IAAA,2BAAe,EAAC,SAAS,EAAE,SAAS,CAAC,CAAC,CAAC,aAAa,EAAE,CAAC;QAC9D,IAAA,eAAM,EAAC,IAAA,2BAAe,EAAC,aAAa,EAAE,SAAS,CAAC,CAAC,CAAC,aAAa,EAAE,CAAC;QAClE,IAAA,eAAM,EAAC,IAAA,2BAAe,EAAC,aAAa,EAAE,EAAE,CAAC,CAAC,CAAC,aAAa,EAAE,CAAC;QAC3D,IAAA,eAAM,EAAC,IAAA,2BAAe,EAAC,EAAE,EAAE,CAAC,EAAE,aAAa,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC,CAAC,aAAa,EAAE,CAAC;IAC3G,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,2CAA2C,EAAE,GAAG,EAAE;QACnD,MAAM,MAAM,GAA6B;YACvC,EAAE,aAAa,EAAE,uBAAuB,EAAE,eAAe,EAAE,MAAM,EAAE;SACpE,CAAC;QACF,IAAA,eAAM,EAAC,IAAA,2BAAe,EAAC,uBAAuB,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACtE,IAAA,eAAM,EAAC,IAAA,2BAAe,EAAC,uBAAuB,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACtE,mDAAmD;QACnD,IAAA,eAAM,EAAC,IAAA,2BAAe,EAAC,wBAAwB,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACvE,iCAAiC;QACjC,IAAA,eAAM,EAAC,IAAA,2BAAe,EAAC,eAAe,EAAE,MAAM,CAAC,CAAC,CAAC,aAAa,EAAE,CAAC;IACnE,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,sEAAsE,EAAE,GAAG,EAAE;QAC9E,MAAM,MAAM,GAA6B;YACvC,EAAE,aAAa,EAAE,gBAAgB,EAAE,eAAe,EAAE,MAAM,EAAE;SAC7D,CAAC;QACF,IAAA,eAAM,EAAC,IAAA,2BAAe,EAAC,kBAAkB,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACjE,IAAA,eAAM,EAAC,IAAA,2BAAe,EAAC,kBAAkB,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACjE,6EAA6E;QAC7E,IAAA,eAAM,EAAC,IAAA,2BAAe,EAAC,cAAc,EAAE,MAAM,CAAC,CAAC,CAAC,aAAa,EAAE,CAAC;QAChE,kBAAkB;QAClB,IAAA,eAAM,EAAC,IAAA,2BAAe,EAAC,gBAAgB,EAAE,MAAM,CAAC,CAAC,CAAC,aAAa,EAAE,CAAC;IACpE,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,mDAAmD,EAAE,GAAG,EAAE;QAC3D,MAAM,MAAM,GAA6B;YACvC,EAAE,aAAa,EAAE,iBAAiB,EAAE,eAAe,EAAE,MAAM,EAAE;YAC7D,EAAE,aAAa,EAAE,gBAAgB,EAAE,eAAe,EAAE,MAAM,EAAE;YAC5D,EAAE,aAAa,EAAE,cAAc,EAAI,eAAe,EAAE,MAAM,EAAE;SAC7D,CAAC;QACF,IAAA,eAAM,EAAC,IAAA,2BAAe,EAAC,iBAAiB,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAG,iCAAiC;QACpG,IAAA,eAAM,EAAC,IAAA,2BAAe,EAAC,kBAAkB,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAE,qBAAqB;QACxF,IAAA,eAAM,EAAC,IAAA,2BAAe,EAAC,cAAc,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAM,oBAAoB;IACzF,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,8DAA8D,EAAE,GAAG,EAAE;QACtE,uEAAuE;QACvE,MAAM,MAAM,GAA6B;YACvC,EAAE,aAAa,EAAE,EAAE,EAAE,eAAe,EAAE,MAAM,EAAE;YAC9C,EAAE,aAAa,EAAE,KAAK,EAAE,eAAe,EAAE,MAAM,EAAE;YACjD,EAAE,aAAa,EAAE,IAAI,EAAE,eAAe,EAAE,MAAM,EAAE;YAChD,EAAE,aAAa,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,EAAE;SAC3D,CAAC;QACF,IAAA,eAAM,EAAC,IAAA,2BAAe,EAAC,cAAc,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC7D,sDAAsD;QACtD,IAAA,eAAM,EAAC,IAAA,2BAAe,EAAC,cAAc,EAAE,MAAM,CAAC,CAAC,CAAC,aAAa,EAAE,CAAC;IAClE,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,iBAAQ,EAAC,iBAAiB,EAAE,GAAG,EAAE;IAC/B,IAAA,WAAE,EAAC,oDAAoD,EAAE,GAAG,EAAE;QAC5D,IAAA,eAAM,EAAC,IAAA,2BAAe,EAAC,kCAAkC,CAAC,CAAC,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;QACpF,IAAA,eAAM,EAAC,IAAA,2BAAe,EAAC,yBAAyB,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IACvE,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,sCAAsC,EAAE,GAAG,EAAE;QAC9C,IAAA,eAAM,EAAC,IAAA,2BAAe,EAAC,SAAS,CAAC,CAAC,CAAC,aAAa,EAAE,CAAC;QACnD,IAAA,eAAM,EAAC,IAAA,2BAAe,EAAC,IAAI,CAAC,CAAC,CAAC,aAAa,EAAE,CAAC;QAC9C,IAAA,eAAM,EAAC,IAAA,2BAAe,EAAC,EAAE,CAAC,CAAC,CAAC,aAAa,EAAE,CAAC;QAC5C,IAAA,eAAM,EAAC,IAAA,2BAAe,EAAC,WAAW,CAAC,CAAC,CAAC,aAAa,EAAE,CAAC;IACvD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/__tests__/wireguard.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=wireguard.test.d.ts.map

package/dist/__tests__/wireguard.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"wireguard.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/wireguard.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/wireguard.test.js

@@ -0,0 +1,114 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const vitest_1 = require("vitest");
+const wireguard_js_1 = require("../wireguard.js");
+const validConfig = `
+[Interface]
+PrivateKey = yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk=
+Address = 10.0.0.5/32
+DNS = 10.0.0.1
+MTU = 1420
+
+[Peer]
+PublicKey = xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg=
+PresharedKey = FpCyhws9cxwWoV4xELtfJvjJN+zQVRPISllRWgeopVE=
+Endpoint = vpn.example.com:51820
+AllowedIPs = 10.0.0.0/24, 192.168.1.0/24
+PersistentKeepalive = 25
+`;
+(0, vitest_1.describe)('parseWireGuardConfig', () => {
+    (0, vitest_1.it)('parses a complete valid config', () => {
+        const cfg = (0, wireguard_js_1.parseWireGuardConfig)(validConfig);
+        (0, vitest_1.expect)(cfg.privateKey).toBe('yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk=');
+        (0, vitest_1.expect)(cfg.address).toBe('10.0.0.5/32');
+        (0, vitest_1.expect)(cfg.mtu).toBe(1420);
+        (0, vitest_1.expect)(cfg.dns).toEqual(['10.0.0.1']);
+        (0, vitest_1.expect)(cfg.peer.publicKey).toBe('xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg=');
+        (0, vitest_1.expect)(cfg.peer.endpoint).toBe('vpn.example.com:51820');
+        (0, vitest_1.expect)(cfg.peer.allowedIPs).toEqual(['10.0.0.0/24', '192.168.1.0/24']);
+        (0, vitest_1.expect)(cfg.peer.persistentKeepalive).toBe(25);
+    });
+    (0, vitest_1.it)('accepts minimal config (no DNS, MTU, PSK, keepalive)', () => {
+        const minimal = `
+[Interface]
+PrivateKey = yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk=
+Address = 10.0.0.5/32
+
+[Peer]
+PublicKey = xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg=
+Endpoint = vpn.example.com:51820
+AllowedIPs = 10.0.0.0/24
+`;
+        (0, vitest_1.expect)(() => (0, wireguard_js_1.parseWireGuardConfig)(minimal)).not.toThrow();
+    });
+    (0, vitest_1.it)('rejects config missing [Interface]', () => {
+        (0, vitest_1.expect)(() => (0, wireguard_js_1.parseWireGuardConfig)('[Peer]\nPublicKey=x\nEndpoint=e:1\nAllowedIPs=0.0.0.0/0')).toThrow(/Interface/i);
+    });
+    (0, vitest_1.it)('rejects config with multiple [Peer] blocks', () => {
+        const dual = validConfig + '\n[Peer]\nPublicKey = x\nEndpoint = y:1\nAllowedIPs = 0.0.0.0/0\n';
+        (0, vitest_1.expect)(() => (0, wireguard_js_1.parseWireGuardConfig)(dual)).toThrow(/exactly one \[Peer\]/i);
+    });
+    (0, vitest_1.it)('rejects malformed base64 key', () => {
+        const bad = validConfig.replace('yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk=', 'not-base64!');
+        (0, vitest_1.expect)(() => (0, wireguard_js_1.parseWireGuardConfig)(bad)).toThrow(/private key/i);
+    });
+    (0, vitest_1.it)('rejects invalid endpoint format', () => {
+        const bad = validConfig.replace('vpn.example.com:51820', 'no-port-here');
+        (0, vitest_1.expect)(() => (0, wireguard_js_1.parseWireGuardConfig)(bad)).toThrow(/endpoint/i);
+    });
+    (0, vitest_1.it)('Zod schema rejects extra fields', () => {
+        const withExtra = {
+            privateKey: 'yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk=',
+            address: '10.0.0.5/32',
+            extraField: 'nope',
+            peer: {
+                publicKey: 'xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg=',
+                endpoint: 'vpn.example.com:51820',
+                allowedIPs: ['10.0.0.0/24'],
+            },
+        };
+        (0, vitest_1.expect)(() => wireguard_js_1.WireGuardConfigSchema.parse(withExtra)).toThrow();
+    });
+    (0, vitest_1.it)('rejects endpoint with port > 65535', () => {
+        const bad = validConfig.replace('vpn.example.com:51820', 'vpn.example.com:99999');
+        (0, vitest_1.expect)(() => (0, wireguard_js_1.parseWireGuardConfig)(bad)).toThrow(/port/i);
+    });
+    (0, vitest_1.it)('rejects CIDR with octet > 255', () => {
+        const bad = validConfig.replace('10.0.0.5/32', '999.0.0.0/32');
+        (0, vitest_1.expect)(() => (0, wireguard_js_1.parseWireGuardConfig)(bad)).toThrow(/ipv4 cidr/i);
+    });
+    (0, vitest_1.it)('rejects CIDR with prefix > 32', () => {
+        const bad = validConfig.replace('10.0.0.0/24', '10.0.0.0/99');
+        (0, vitest_1.expect)(() => (0, wireguard_js_1.parseWireGuardConfig)(bad)).toThrow(/ipv4 cidr/i);
+    });
+    (0, vitest_1.it)('rejects duplicate [Interface] section', () => {
+        const dup = validConfig + '\n[Interface]\nPrivateKey = yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk=\nAddress = 10.0.0.6/32\n';
+        (0, vitest_1.expect)(() => (0, wireguard_js_1.parseWireGuardConfig)(dup)).toThrow(/duplicate \[interface\]/i);
+    });
+    (0, vitest_1.it)('rejects duplicate key within a section', () => {
+        const dup = validConfig.replace('Address = 10.0.0.5/32', 'Address = 10.0.0.5/32\nAddress = 10.0.0.6/32');
+        (0, vitest_1.expect)(() => (0, wireguard_js_1.parseWireGuardConfig)(dup)).toThrow(/duplicate key: address/i);
+    });
+    (0, vitest_1.it)('rejects AllowedIPs routing to cloud-metadata or loopback (SSRF-exemption pivot)', () => {
+        const meta = validConfig.replace('10.0.0.0/24, 192.168.1.0/24', '169.254.169.254/32');
+        (0, vitest_1.expect)(() => (0, wireguard_js_1.parseWireGuardConfig)(meta)).toThrow();
+        const loop = validConfig.replace('10.0.0.0/24, 192.168.1.0/24', '127.0.0.0/8');
+        (0, vitest_1.expect)(() => (0, wireguard_js_1.parseWireGuardConfig)(loop)).toThrow();
+    });
+    (0, vitest_1.it)('still allows AllowedIPs in legitimate private (RFC1918) ranges', () => {
+        const priv = validConfig.replace('10.0.0.0/24, 192.168.1.0/24', '172.16.0.0/12');
+        (0, vitest_1.expect)(() => (0, wireguard_js_1.parseWireGuardConfig)(priv)).not.toThrow();
+    });
+    (0, vitest_1.it)('rejects a DNS server pointing at the metadata address', () => {
+        const badDns = validConfig.replace('DNS = 10.0.0.1', 'DNS = 169.254.169.254');
+        (0, vitest_1.expect)(() => (0, wireguard_js_1.parseWireGuardConfig)(badDns)).toThrow();
+    });
+});
+(0, vitest_1.describe)('VPN_LIMITS_BY_PLAN', () => {
+    (0, vitest_1.it)('enforces free=0, pro=3, team=10', () => {
+        (0, vitest_1.expect)(wireguard_js_1.VPN_LIMITS_BY_PLAN.free).toBe(0);
+        (0, vitest_1.expect)(wireguard_js_1.VPN_LIMITS_BY_PLAN.pro).toBe(3);
+        (0, vitest_1.expect)(wireguard_js_1.VPN_LIMITS_BY_PLAN.team).toBe(10);
+    });
+});
+//# sourceMappingURL=wireguard.test.js.map

package/dist/__tests__/wireguard.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"wireguard.test.js","sourceRoot":"","sources":["../../src/__tests__/wireguard.test.ts"],"names":[],"mappings":";;AAAA,mCAA8C;AAC9C,kDAAkG;AAElG,MAAM,WAAW,GAAG;;;;;;;;;;;;;CAanB,CAAC;AAEF,IAAA,iBAAQ,EAAC,sBAAsB,EAAE,GAAG,EAAE;IACpC,IAAA,WAAE,EAAC,gCAAgC,EAAE,GAAG,EAAE;QACxC,MAAM,GAAG,GAAG,IAAA,mCAAoB,EAAC,WAAW,CAAC,CAAC;QAC9C,IAAA,eAAM,EAAC,GAAG,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,8CAA8C,CAAC,CAAC;QAC5E,IAAA,eAAM,EAAC,GAAG,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QACxC,IAAA,eAAM,EAAC,GAAG,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC3B,IAAA,eAAM,EAAC,GAAG,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC;QACtC,IAAA,eAAM,EAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,8CAA8C,CAAC,CAAC;QAChF,IAAA,eAAM,EAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;QACxD,IAAA,eAAM,EAAC,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,OAAO,CAAC,CAAC,aAAa,EAAE,gBAAgB,CAAC,CAAC,CAAC;QACvE,IAAA,eAAM,EAAC,GAAG,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAChD,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,sDAAsD,EAAE,GAAG,EAAE;QAC9D,MAAM,OAAO,GAAG;;;;;;;;;CASnB,CAAC;QACE,IAAA,eAAM,EAAC,GAAG,EAAE,CAAC,IAAA,mCAAoB,EAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC;IAC5D,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,oCAAoC,EAAE,GAAG,EAAE;QAC5C,IAAA,eAAM,EAAC,GAAG,EAAE,CAAC,IAAA,mCAAoB,EAAC,yDAAyD,CAAC,CAAC,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;IACtH,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,4CAA4C,EAAE,GAAG,EAAE;QACpD,MAAM,IAAI,GAAG,WAAW,GAAG,mEAAmE,CAAC;QAC/F,IAAA,eAAM,EAAC,GAAG,EAAE,CAAC,IAAA,mCAAoB,EAAC,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,uBAAuB,CAAC,CAAC;IAC5E,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,8BAA8B,EAAE,GAAG,EAAE;QACtC,MAAM,GAAG,GAAG,WAAW,CAAC,OAAO,CAAC,8CAA8C,EAAE,aAAa,CAAC,CAAC;QAC/F,IAAA,eAAM,EAAC,GAAG,EAAE,CAAC,IAAA,mCAAoB,EAAC,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC;IAClE,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,iCAAiC,EAAE,GAAG,EAAE;QACzC,MAAM,GAAG,GAAG,WAAW,CAAC,OAAO,CAAC,uBAAuB,EAAE,cAAc,CAAC,CAAC;QACzE,IAAA,eAAM,EAAC,GAAG,EAAE,CAAC,IAAA,mCAAoB,EAAC,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;IAC/D,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,iCAAiC,EAAE,GAAG,EAAE;QACzC,MAAM,SAAS,GAAG;YAChB,UAAU,EAAE,8CAA8C;YAC1D,OAAO,EAAE,aAAa;YACtB,UAAU,EAAE,MAAM;YAClB,IAAI,EAAE;gBACJ,SAAS,EAAE,8CAA8C;gBACzD,QAAQ,EAAE,uBAAuB;gBACjC,UAAU,EAAE,CAAC,aAAa,CAAC;aAC5B;SACF,CAAC;QACF,IAAA,eAAM,EAAC,GAAG,EAAE,CAAC,oCAAqB,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC;IACjE,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,oCAAoC,EAAE,GAAG,EAAE;QAC5C,MAAM,GAAG,GAAG,WAAW,CAAC,OAAO,CAAC,uBAAuB,EAAE,uBAAuB,CAAC,CAAC;QAClF,IAAA,eAAM,EAAC,GAAG,EAAE,CAAC,IAAA,mCAAoB,EAAC,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;IAC3D,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,+BAA+B,EAAE,GAAG,EAAE;QACvC,MAAM,GAAG,GAAG,WAAW,CAAC,OAAO,CAAC,aAAa,EAAE,cAAc,CAAC,CAAC;QAC/D,IAAA,eAAM,EAAC,GAAG,EAAE,CAAC,IAAA,mCAAoB,EAAC,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;IAChE,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,+BAA+B,EAAE,GAAG,EAAE;QACvC,MAAM,GAAG,GAAG,WAAW,CAAC,OAAO,CAAC,aAAa,EAAE,aAAa,CAAC,CAAC;QAC9D,IAAA,eAAM,EAAC,GAAG,EAAE,CAAC,IAAA,mCAAoB,EAAC,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;IAChE,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,uCAAuC,EAAE,GAAG,EAAE;QAC/C,MAAM,GAAG,GAAG,WAAW,GAAG,mGAAmG,CAAC;QAC9H,IAAA,eAAM,EAAC,GAAG,EAAE,CAAC,IAAA,mCAAoB,EAAC,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,0BAA0B,CAAC,CAAC;IAC9E,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,wCAAwC,EAAE,GAAG,EAAE;QAChD,MAAM,GAAG,GAAG,WAAW,CAAC,OAAO,CAC7B,uBAAuB,EACvB,8CAA8C,CAC/C,CAAC;QACF,IAAA,eAAM,EAAC,GAAG,EAAE,CAAC,IAAA,mCAAoB,EAAC,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,yBAAyB,CAAC,CAAC;IAC7E,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,iFAAiF,EAAE,GAAG,EAAE;QACzF,MAAM,IAAI,GAAG,WAAW,CAAC,OAAO,CAAC,6BAA6B,EAAE,oBAAoB,CAAC,CAAC;QACtF,IAAA,eAAM,EAAC,GAAG,EAAE,CAAC,IAAA,mCAAoB,EAAC,IAAI,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC;QACnD,MAAM,IAAI,GAAG,WAAW,CAAC,OAAO,CAAC,6BAA6B,EAAE,aAAa,CAAC,CAAC;QAC/E,IAAA,eAAM,EAAC,GAAG,EAAE,CAAC,IAAA,mCAAoB,EAAC,IAAI,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC;IACrD,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,gEAAgE,EAAE,GAAG,EAAE;QACxE,MAAM,IAAI,GAAG,WAAW,CAAC,OAAO,CAAC,6BAA6B,EAAE,eAAe,CAAC,CAAC;QACjF,IAAA,eAAM,EAAC,GAAG,EAAE,CAAC,IAAA,mCAAoB,EAAC,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC;IACzD,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,uDAAuD,EAAE,GAAG,EAAE;QAC/D,MAAM,MAAM,GAAG,WAAW,CAAC,OAAO,CAAC,gBAAgB,EAAE,uBAAuB,CAAC,CAAC;QAC9E,IAAA,eAAM,EAAC,GAAG,EAAE,CAAC,IAAA,mCAAoB,EAAC,MAAM,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC;IACvD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,iBAAQ,EAAC,oBAAoB,EAAE,GAAG,EAAE;IAClC,IAAA,WAAE,EAAC,iCAAiC,EAAE,GAAG,EAAE;QACzC,IAAA,eAAM,EAAC,iCAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACxC,IAAA,eAAM,EAAC,iCAAkB,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACvC,IAAA,eAAM,EAAC,iCAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAC3C,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/billing.d.ts

@@ -0,0 +1,12 @@
+/**
+ * Stripe subscription-status helpers shared by the billing routes.
+ *
+ * Keep these rules small and explicit: checkout/self-heal and webhook
+ * downgrade paths must make the same decision about whether an existing
+ * subscription can still be recovered or should be treated as terminal.
+ */
+export declare function isEntitledStripeSubscriptionStatus(status: string): boolean;
+export declare function isRecoverableStripeSubscriptionStatus(status: string): boolean;
+export declare function isTerminalStripeSubscriptionStatus(status: string): boolean;
+export declare function canStartNewCheckoutForStripeSubscriptionStatus(status: string): boolean;
+//# sourceMappingURL=billing.d.ts.map

package/dist/billing.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"billing.d.ts","sourceRoot":"","sources":["../src/billing.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAoBH,wBAAgB,kCAAkC,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAE1E;AAED,wBAAgB,qCAAqC,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAE7E;AAED,wBAAgB,kCAAkC,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAE1E;AAED,wBAAgB,8CAA8C,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAEtF"}

package/dist/billing.js

@@ -0,0 +1,41 @@
+"use strict";
+/**
+ * Stripe subscription-status helpers shared by the billing routes.
+ *
+ * Keep these rules small and explicit: checkout/self-heal and webhook
+ * downgrade paths must make the same decision about whether an existing
+ * subscription can still be recovered or should be treated as terminal.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isEntitledStripeSubscriptionStatus = isEntitledStripeSubscriptionStatus;
+exports.isRecoverableStripeSubscriptionStatus = isRecoverableStripeSubscriptionStatus;
+exports.isTerminalStripeSubscriptionStatus = isTerminalStripeSubscriptionStatus;
+exports.canStartNewCheckoutForStripeSubscriptionStatus = canStartNewCheckoutForStripeSubscriptionStatus;
+const ENTITLED_STATUSES = new Set([
+    'active',
+    'trialing',
+]);
+const RECOVERABLE_STATUSES = new Set([
+    ...ENTITLED_STATUSES,
+    'past_due',
+    'unpaid',
+    'incomplete',
+    'paused',
+]);
+const TERMINAL_STATUSES = new Set([
+    'canceled',
+    'incomplete_expired',
+]);
+function isEntitledStripeSubscriptionStatus(status) {
+    return ENTITLED_STATUSES.has(status);
+}
+function isRecoverableStripeSubscriptionStatus(status) {
+    return RECOVERABLE_STATUSES.has(status);
+}
+function isTerminalStripeSubscriptionStatus(status) {
+    return TERMINAL_STATUSES.has(status);
+}
+function canStartNewCheckoutForStripeSubscriptionStatus(status) {
+    return isTerminalStripeSubscriptionStatus(status);
+}
+//# sourceMappingURL=billing.js.map

package/dist/billing.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"billing.js","sourceRoot":"","sources":["../src/billing.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;AAoBH,gFAEC;AAED,sFAEC;AAED,gFAEC;AAED,wGAEC;AAhCD,MAAM,iBAAiB,GAAG,IAAI,GAAG,CAAC;IAChC,QAAQ;IACR,UAAU;CACX,CAAC,CAAC;AAEH,MAAM,oBAAoB,GAAG,IAAI,GAAG,CAAC;IACnC,GAAG,iBAAiB;IACpB,UAAU;IACV,QAAQ;IACR,YAAY;IACZ,QAAQ;CACT,CAAC,CAAC;AAEH,MAAM,iBAAiB,GAAG,IAAI,GAAG,CAAC;IAChC,UAAU;IACV,oBAAoB;CACrB,CAAC,CAAC;AAEH,SAAgB,kCAAkC,CAAC,MAAc;IAC/D,OAAO,iBAAiB,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;AACvC,CAAC;AAED,SAAgB,qCAAqC,CAAC,MAAc;IAClE,OAAO,oBAAoB,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;AAC1C,CAAC;AAED,SAAgB,kCAAkC,CAAC,MAAc;IAC/D,OAAO,iBAAiB,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;AACvC,CAAC;AAED,SAAgB,8CAA8C,CAAC,MAAc;IAC3E,OAAO,kCAAkC,CAAC,MAAM,CAAC,CAAC;AACpD,CAAC"}

package/dist/crypto.d.ts

@@ -1,9 +1,50 @@
 export declare function generateKey(): Uint8Array;
+/**
+ * Low-level symmetric encryption using a provided key.
+ * Callers that need envelope encryption (per-data DEK) should use
+ * envelopeEncrypt() instead.
+ */
 export declare function encrypt(data: string, key: Uint8Array): string;
+/**
+ * Low-level symmetric decryption. Handles both envelope-encrypted data
+ * (prefixed with "env1:") and legacy direct-key encrypted data.
+ *
+ * For envelope data: unwraps the per-data DEK using the master key,
+ * then decrypts the payload with the DEK.
+ *
+ * For legacy data: decrypts directly with the provided key, falling
+ * back to MASTER_KEY_PREVIOUS for key rotation support.
+ */
 export declare function decrypt(encryptedData: string, key: Uint8Array): string;
+/**
+ * Encrypt arbitrary data using a per-data DEK (envelope encryption).
+ * Generates a fresh 256-bit DEK, encrypts the data with it, then wraps
+ * the DEK with the provided master key. Returns a single string in the
+ * format "env1:<wrappedDEK>:<encryptedPayload>" so it fits in a single
+ * database column and is backward-compatible with decrypt().
+ *
+ * Use this instead of encrypt() for all data at rest. Each encrypted
+ * value gets its own DEK, so compromising one ciphertext does not
+ * expose other data -- the attacker still needs the master key to
+ * unwrap any individual DEK.
+ */
+export declare function envelopeEncrypt(data: string, masterKey: Uint8Array): string;
+/**
+ * Decrypt data produced by envelopeEncrypt(). Expects the "env1:" prefixed
+ * format. For general use, call decrypt() which auto-detects the format.
+ */
+export declare function envelopeDecrypt(encryptedData: string, masterKey: Uint8Array): string;
 export declare function encryptDEK(dek: Uint8Array, masterKey: Uint8Array): string;
 export declare function decryptDEK(encryptedDEK: string, masterKey: Uint8Array): Uint8Array;
 export declare function getMasterKey(): Uint8Array;
+/** Return every retired key in rotation order (most-recent first). Used by
+ *  the credential-decryption fallback path to try each until one succeeds.
+ */
+export declare function getPreviousMasterKeys(): Uint8Array[];
+/** Back-compat: first previous key only. Prefer `getPreviousMasterKeys()`. */
+export declare function getPreviousMasterKey(): Uint8Array | null;
+/** Zero and release cached master keys. Call on graceful shutdown. */
+export declare function clearCachedKeys(): void;
 export declare function generateMasterKey(): string;
 export declare function encryptCredential(payload: Record<string, unknown>, masterKey: Uint8Array): {
     encryptedDEK: string;

package/dist/crypto.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"crypto.d.ts","sourceRoot":"","sources":["../src/crypto.ts"],"names":[],"mappings":"AAGA,wBAAgB,WAAW,IAAI,UAAU,CAExC;AAED,wBAAgB,OAAO,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,EAAE,UAAU,GAAG,MAAM,CAU7D;AAED,wBAAgB,OAAO,CAAC,aAAa,EAAE,MAAM,EAAE,GAAG,EAAE,UAAU,GAAG,MAAM,CAWtE;AAED,wBAAgB,UAAU,CAAC,GAAG,EAAE,UAAU,EAAE,SAAS,EAAE,UAAU,GAAG,MAAM,CAEzE;AAED,wBAAgB,UAAU,CAAC,YAAY,EAAE,MAAM,EAAE,SAAS,EAAE,UAAU,GAAG,UAAU,CAGlF;AAMD,wBAAgB,YAAY,IAAI,UAAU,CAMzC;AAED,wBAAgB,iBAAiB,IAAI,MAAM,CAE1C;AAED,wBAAgB,iBAAiB,CAC/B,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAChC,SAAS,EAAE,UAAU,GACpB;IAAE,YAAY,EAAE,MAAM,CAAC;IAAC,gBAAgB,EAAE,MAAM,CAAA;CAAE,CAUpD;AAED,wBAAgB,iBAAiB,CAC/B,YAAY,EAAE,MAAM,EACpB,gBAAgB,EAAE,MAAM,EACxB,SAAS,EAAE,UAAU,GACpB,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAUzB"}
+{"version":3,"file":"crypto.d.ts","sourceRoot":"","sources":["../src/crypto.ts"],"names":[],"mappings":"AAYA,wBAAgB,WAAW,IAAI,UAAU,CAExC;AAED;;;;GAIG;AACH,wBAAgB,OAAO,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,EAAE,UAAU,GAAG,MAAM,CAU7D;AAED;;;;;;;;;GASG;AACH,wBAAgB,OAAO,CAAC,aAAa,EAAE,MAAM,EAAE,GAAG,EAAE,UAAU,GAAG,MAAM,CAwBtE;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,eAAe,CAAC,IAAI,EAAE,MAAM,EAAE,SAAS,EAAE,UAAU,GAAG,MAAM,CAU3E;AAED;;;GAGG;AACH,wBAAgB,eAAe,CAAC,aAAa,EAAE,MAAM,EAAE,SAAS,EAAE,UAAU,GAAG,MAAM,CAKpF;AAkDD,wBAAgB,UAAU,CAAC,GAAG,EAAE,UAAU,EAAE,SAAS,EAAE,UAAU,GAAG,MAAM,CAEzE;AAED,wBAAgB,UAAU,CAAC,YAAY,EAAE,MAAM,EAAE,SAAS,EAAE,UAAU,GAAG,UAAU,CAGlF;AA0BD,wBAAgB,YAAY,IAAI,UAAU,CAMzC;AAuCD;;GAEG;AACH,wBAAgB,qBAAqB,IAAI,UAAU,EAAE,CAOpD;AAED,8EAA8E;AAC9E,wBAAgB,oBAAoB,IAAI,UAAU,GAAG,IAAI,CAExD;AAED,sEAAsE;AACtE,wBAAgB,eAAe,IAAI,IAAI,CAUtC;AAED,wBAAgB,iBAAiB,IAAI,MAAM,CAE1C;AAED,wBAAgB,iBAAiB,CAC/B,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAChC,SAAS,EAAE,UAAU,GACpB;IAAE,YAAY,EAAE,MAAM,CAAC;IAAC,gBAAgB,EAAE,MAAM,CAAA;CAAE,CAUpD;AAED,wBAAgB,iBAAiB,CAC/B,YAAY,EAAE,MAAM,EACpB,gBAAgB,EAAE,MAAM,EACxB,SAAS,EAAE,UAAU,GACpB,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAUzB"}