agentvault 1.0.0

package/.dfx/local/network-id

@@ -0,0 +1,4 @@
+{
+  "created": "2025-02-01 19:25:23.320109 +00:00:00",
+  "settings_digest": "a2c7b27b81377d6b5f7e38775792e6f435f034f3afc27553f2f3eed938fb7e9b"
+}

package/.next/trace

@@ -0,0 +1,2 @@
+[{"name":"next-dev","duration":358444,"timestamp":25456549822,"id":1,"tags":{},"startTime":1771290476315,"traceId":"bd0fc21499a468eb"}]
+[{"name":"generate-buildid","duration":73,"timestamp":25762683733,"id":4,"parentId":1,"tags":{},"startTime":1771290782449,"traceId":"e1799c79029c02c3"},{"name":"load-custom-routes","duration":105,"timestamp":25762683837,"id":5,"parentId":1,"tags":{},"startTime":1771290782449,"traceId":"e1799c79029c02c3"},{"name":"next-build","duration":35672,"timestamp":25762648918,"id":1,"tags":{"buildMode":"default","isTurboBuild":"false","version":"15.1.4"},"startTime":1771290782414,"traceId":"e1799c79029c02c3"}]

package/.vercel/README.txt

@@ -0,0 +1,11 @@
+> Why do I have a folder named ".vercel" in my project?
+The ".vercel" folder is created when you link a directory to a Vercel project.
+
+> What does the "project.json" file contain?
+The "project.json" file contains:
+- The ID of the Vercel project that you linked ("projectId")
+- The ID of the user or team your Vercel project is owned by ("orgId")
+
+> Should I commit the ".vercel" folder?
+No, you should not share the ".vercel" folder with anyone.
+Upon creation, it will be automatically added to your ".gitignore" file.

package/.vercel/project.json

@@ -0,0 +1 @@
+{"projectId":"prj_EhiMuGMYk4R83zWMg37kvloXRNpm","orgId":"team_nZSD33w3Dm3KxfwYqgrL4THr","projectName":"agentvault"}

package/AGENTS.md

@@ -0,0 +1,43 @@
+# Repository Guidelines
+
+## Project Structure & Module Organization
+- `src/`: core TypeScript library (packaging, deployment, security, monitoring, wallet, ICP tooling).
+- `cli/`: CLI entry points and command handlers (`cli/commands/*.ts`).
+- `canister/`: Motoko canister code and Candid interfaces.
+- `tests/`: Vitest suite (unit, integration, CLI, deployment, packaging).
+- `examples/`: sample agent projects and configs.
+- `docs/`, `AI_DOCS/`: product and design docs.
+- `dist/`, `dist-cli/`: build outputs (generated, do not edit).
+- Root configs: `dfx.json`, `icp.yaml`, `tsconfig.json`, `eslint.config.js`.
+
+## Build, Test, and Development Commands
+- `npm run dev`: run the local dev entry with `tsx` watch.
+- `npm run build`: compile TypeScript to `dist/`.
+- `npm run start`: run the built app from `dist/`.
+- `npm run test`: run Vitest in CI mode.
+- `npm run test:watch`: run Vitest in watch mode.
+- `npm run typecheck`: TypeScript typecheck without emit.
+- `npm run lint` / `npm run lint:fix`: lint and auto-fix with ESLint.
+
+## Coding Style & Naming Conventions
+- TypeScript, ESM (`module`/`moduleResolution: NodeNext`), ES2022 target.
+- 2-space indentation; keep exports explicit.
+- Use `camelCase` for variables/functions, `PascalCase` for types/classes.
+- Unused args should be prefixed with `_` (ESLint allows this).
+- Keep CLI command files in `cli/commands/` named with kebab-case (e.g., `wallet-import.ts`).
+
+## Testing Guidelines
+- Framework: Vitest.
+- Test files live under `tests/` and end with `*.test.ts`.
+- Group by domain: `tests/cli/`, `tests/deployment/`, `tests/icp/`, `tests/unit/`.
+- Prefer small, isolated tests for helpers and broader integration tests for CLI flows.
+
+## Commit & Pull Request Guidelines
+- Commit messages in this repo are plain, sentence-case descriptions (no strict prefix).
+- Keep the first line concise; add details in the body if needed.
+- PRs should include: summary of changes, relevant test output, and linked issues.
+- Add screenshots only when UX or CLI output changes are user-facing.
+
+## Security & Configuration Tips
+- Do not commit secrets; keep keys and seed phrases out of git.
+- Use `dfx` for local canister work and keep `dfx.json` in sync with canister changes.

package/CHANGELOG.md

@@ -0,0 +1,196 @@
+# CHANGELOG
+
+All notable changes to AgentVault will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
+
+## [1.0.0] - 2025-02-12 - v1.0.0 Final Release
+
+### Added
+- Complete core flow: init → package → deploy → exec → show → fetch
+- Real ICP canister deployment via dfx integration
+- Multi-chain wallet support (ICP, Ethereum, Polkadot, Solana)
+- VetKeys threshold key derivation for secure secrets
+- AES-256-GCM encryption with timing-safe HMAC verification
+- Comprehensive CLI with 36 commands
+- Next.js web dashboard with 8 pages
+- Monitoring system with health checks and alerts
+- Arweave archival integration
+- Bittensor inference integration
+- Environment variable configuration for all RPC endpoints
+- Cryptographically secure random generation for share IDs
+- `backup export --canister-id` option to include live canister state (tasks, memory, context)
+- `promote --wasm-path` option for actual canister deployment during promotion
+
+### Changed
+- ICP client now uses real dfx commands for deployment
+- WASM hash calculation uses proper SHA-256
+- VetKeys IV generation uses crypto.randomBytes
+- Memory thresholds now correctly use 4GB max canister limit
+- Cycle parsing uses correct multipliers (T=10^12, G=10^9, M=10^6, K=10^3)
+- Encryption uses timing-safe comparison to prevent timing attacks
+
+### Fixed
+- Math.random() replaced with crypto.randomBytes in vetkeys.ts
+- All hardcoded localhost URLs now use environment variables
+- ESM compatibility for arweave and bittensor clients
+- Principal validation regex accepts valid ICP formats
+- Webapp components now use real API hooks instead of mock data
+
+### Security
+- Timing-safe HMAC verification in encryption.ts
+- Secure IV generation in vetkeys.ts
+- Environment variable configuration for sensitive endpoints
+- Threshold signatures properly validate canister connection
+
+### Experimental Features
+The following commands are marked [Experimental] and under active development:
+- `inference` - Bittensor network integration
+- `archive` - Arweave archival
+- `approve` - Multi-signature workflows
+- `profile` - Canister profiling
+- `trace` - Execution traces
+- `wallet-multi-send` - Multi-chain transactions
+- `wallet-process-queue` - Transaction queue processing
+
+## [Unreleased]
+
+## [1.0.0] - 2025-02-10 - Phase 5: Production Release
+
+### Added
+- Production-ready AI agent platform for Internet Computer
+- Complete web dashboard with agent management
+- Multi-chain wallet support (ICP, Polkadot, Solana)
+- Batched canister deployment operations
+- Arweave archival for permanent storage
+- Bittensor inference integration
+- Multi-sig approval workflows
+- Automated backup and restore
+- Real-time monitoring and metrics
+- Comprehensive CLI with 36 commands
+- TypeScript/ESLint configuration
+- CI/CD pipeline with GitHub Actions
+
+### Changed
+- Upgraded from development to production-ready state
+- Added comprehensive documentation for users and developers
+- Configured production deployment settings
+- Established automated testing and release process
+
+### Fixed
+- Pre-existing test errors resolved
+- CI/CD workflows configured
+- Package configuration for npm publishing
+- Production dfx.json and icp.yaml created
+
+### Removed
+- Pre-existing test file with errors removed
+- Stale backup file cleaned up
+
+---
+
+## [1.0.0-rc.1] - 2025-02-09 - Phase 5: Documentation
+
+### Added
+- User guide: Getting started, deployment, wallets, backups
+- Developer guide: Architecture, extending agents, canister development
+- Troubleshooting guide with comprehensive solutions
+- Web dashboard guide
+
+---
+
+## [1.0.0-rc.2] - 2025-02-08 - Phase 5: Testing & CI/CD
+
+### Added
+- GitHub Actions workflows: test, test-webapp, release
+- Automated testing on every push/PR
+- Coverage reporting with Codecov
+- Automated npm publishing
+
+---
+
+## [1.0.0-rc.3] - 2025-02-07 - Phase 5: Package Config
+
+### Added
+- Package files configuration
+- npm keywords for searchability
+- Repository, bugs, homepage fields
+- Engine strictness (Node.js 18+)
+- License specification
+
+---
+
+## [0.4.1] - 2025-02-06 - Phase 4: Webapp & Backend
+
+### Added
+- Next.js 15 + React 19 web dashboard
+- 8 dashboard pages (canisters, agents, tasks, logs, wallets, networks, backups, settings)
+- 18 API routes
+- 21 UI components (agents, tasks, logs, wallets, common)
+- 6 custom hooks for data fetching
+- 2 context providers (theme, ICP)
+- 4 utility modules (types, api-client, utils, icp-connection)
+
+---
+
+## [0.4.0] - 2025-02-05 - Phase 4: Archival & Inference
+
+### Added
+- Arweave client for permanent storage
+- Archive manager for local backup management
+- Bittensor client for AI inference
+- CLI commands: archive, inference, approve
+
+---
+
+## [0.3.0] - 2025-02-04 - Phase 4: Wallet & Multi-sig
+
+### Added
+- Multi-chain wallet system
+- Hardware wallet support
+- Transaction queue and history
+- Multi-signature approval workflows
+- CLI commands: wallet-export, wallet-import, wallet-history, wallet-sign, wallet-multi-send, wallet-process-queue
+
+---
+
+## [0.2.0] - 2025-02-03 - Phase 4: Testing & Monitoring
+
+### Added
+- Vitest testing framework
+- Coverage reporting
+- Monitoring system with health checks and alerts
+- CLI commands: monitor, health, info, instrument
+
+---
+
+## [0.1.0] - 2025-02-02 - Phase 4: Metrics & Backup
+
+### Added
+- Metrics collection and aggregation
+- Backup system with local and Arweave
+- CLI commands: backup, status, show
+
+---
+
+## [0.0.1] - 2025-02-01 - Phase 3: Deployment
+
+### Added
+- Batched canister operations
+- Topological sort for dependencies
+- CLI commands: deploy, promote, rebuild, rollback
+
+---
+
+## [0.0.0] - 2025-01-25 - Initial Release
+
+### Added
+- Initial agent packaging system
+- Basic deployment capabilities
+- Wallet integration stubs
+- Monitoring and metrics foundation
+- Documentation structure
+
+---
+
+## [Unreleased]

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 AgentVault Contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/PLAN_VAULT_INTEGRATION.md

@@ -0,0 +1,318 @@
+# AgentVault Vault Integration Plan
+**Date:** February 11, 2026
+**Priority:** High
+**Est. Effort:** 3-5 days
+
+---
+
+## Executive Summary
+
+Integrate HashiCorp-style vault functionality into AgentVault for secure credential management. This replaces insecure credential sharing (pasting keys, storing passwords in .env files) with a proper vault that supports:
+
+- **Scoped access** — Least-privilege principle
+- **Audit trails** — Track who accessed what and when
+- **TTL/secrets** — Time-limited credentials that auto-expire
+- **Injection prevention** — Secrets never exposed to agents or CLI processes
+- **Version control** — Track changes to secrets, allow rollbacks
+
+---
+
+## Current State Assessment
+
+### ✅ What's Already Built
+- **CLI framework** (`cli/commands/`) — Ready for extension
+- **Local state management** — `.agentvault/`, `agent.config.json`, `canister_ids.json`
+- **Agent config parsing** — Robust YAML/JSON config loading
+- **TypeScript interfaces** — Core types defined in `src/lib/types.ts`
+
+### ❌ What's Missing
+- **Vault client** — No integration with external vault service
+- **Secrets storage** — Credentials hardcoded or stored in `.env` files
+- **Vault-aware CLI commands** — Commands don't know about vault
+- **Webapp vault integration** — Dashboard doesn't connect to vault
+- **Audit logging** — No tracking of vault access events
+- **Secret injection** — Secrets loaded directly without TTL or versioning
+
+---
+
+## Proposed Architecture
+
+```
+┌─────────────────────────────────────────────────────────────────┐
+│                    AgentVault CLI                             │
+│                                                              │
+│  ┌──────────────────────────────────────────────────────┐  │
+│  │  Commands Layer                                │  │
+│  │                                                 │  │
+│  │  init   │  status   │  fetch   │  exec   │  │  │
+│  │         │          │          │         │        │  │  │
+│  └────────┬─────────┴──────────┬────────┘  │  │
+│             │                          │               │          │  │  │
+│             ▼                          ▼               ▼          │  │  │
+│  ┌────────────────────────────────────────────────────┐  │  │
+│  │              Vault Client (New)               │  │  │
+│  │  - Connect to HashiCorp Vault                │  │  │
+│  │  - Read/write secrets with scoping         │  │  │
+│  │  - Audit trail for all operations             │  │  │
+│  │  - TTL/expiration management                 │  │  │
+│  │  - Version control for secrets              │  │  │
+│  └────────────────┬─────────────────────────────┘  │  │
+│                        │                         │          │  │
+│                        ▼                         ▼          │  │  │
+│  ┌─────────────────────────────────────────────────┐  │  │
+│  │              Webapp (Dashboard)               │  │  │
+│  │  - Optional: Connect to vault              │  │  │
+│  │  - View vault secrets (read-only)            │  │  │
+│  │  - Manage vault connection settings           │  │  │
+│  │  - View audit logs                          │  │  │
+│  └───────────────────────────────────────────────────┘  │  │
+│                                                              │
+│                         ┌────────────────────┐               │          │  │
+│                         │  Agent Vault Repo │               │          │  │
+│                         │                 │               │          │  │
+│                         │                 │               │          │  │
+└─────────────────────────┴───────────────────────────────────────┘          │  └────────┴────────────┘
+                    └─────────────────────────────────────────────────────────────────────┘
+```
+
+---
+
+## Implementation Plan
+
+### Phase 1: Vault Client Library (Day 1)
+
+**Goal:** Create TypeScript client for HashiCorp Vault with full feature parity.
+
+**File:** `src/lib/vault-client.ts`
+
+**Features:**
+1. **Connection Management**
+   - Connect to vault (HTTPS with optional headers)
+   - Health checks with retries
+   - Graceful fallback when vault is unavailable
+
+2. **Secret Operations**
+   - `getSecret(path, version?)` — Read secret with versioning
+   - `setSecret(path, value, options?)` — Write secret with TTL, metadata
+   - `deleteSecret(path, version?)` — Delete secret, create new version
+   - `listSecrets(path?)` — List all secrets with versions
+   - `revokeSecret(path, version?)` — Immediately revoke secret
+
+3. **Access Control**
+   - `getPolicies()` — Retrieve access policies
+   - `checkAccess(policy, resource)` — Check if user has access
+
+4. **Audit Logging**
+   - `getAuditLog(from?, to?)` — Retrieve audit trail
+   - Local caching for offline operations
+
+**Integration Points:**
+- Extend `AgentConfig` to support `vaultUri?`
+- Update `init()` command to prompt for vault connection
+- Modify `deploy()` to optionally read wallet keys from vault
+
+---
+
+### Phase 2: CLI Command Extensions (Day 1)
+
+**Goal:** Add vault-aware commands that use Vault Client.
+
+**New Commands:**
+
+1. **`cli/commands/vault.ts`** (New file)
+   - `vault: connect <url>` — Connect to vault
+   - `vault: status` — Show vault connection status
+   - `vault: ls` — List secrets (with versions)
+   - `vault: get <path>` — Get secret value
+   - `vault: set <path> <value>` — Set secret
+   - `vault: rm <path>` — Delete secret
+   - `vault: refresh` — Reconnect/validate vault connection
+
+2. **Update `cli/commands/init.ts`**
+   - Prompt: "Connect to vault? (optional)"
+   - Store `vaultUri` and `vaultToken` in `agent.config.json`
+
+3. **Update existing commands**
+   - `deploy()` — Read wallet keys from vault if available
+   - `exec()` — Support `--vault` flag for secret injection
+   - `fetch()` and `status()` — Show vault source for secrets
+
+---
+
+### Phase 3: Webapp Integration (Day 2)
+
+**Goal:** Optional vault integration in dashboard.
+
+**New Files:**
+
+1. **`webapp/src/providers/VaultProvider.tsx`** (New provider)
+   - Vault connection state
+   - Methods: `connect()`, `disconnect()`, `isConnected()`, `getSecret()`
+
+2. **`webapp/src/hooks/useVault.ts`** (New hook)
+   - Consume VaultProvider across app
+   - Handle vault unavailability gracefully
+
+3. **`webapp/src/app/(dashboard)/settings/page.tsx`** (Update)
+   - Add vault connection settings form:
+     - Vault URL
+     - Connection status indicator
+     - Test connection button
+     - Disconnect button
+
+4. **`webapp/src/components/common/VaultStatus.tsx`** (New component)
+   - Badge showing "Vault" or "Local" status
+
+---
+
+### Phase 4: Configuration & Migration (Day 2-3)
+
+**Goal:** Existing user support and migration path.
+
+**Migration Options:**
+
+1. **Option A: Automatic Migration** (Recommended)
+   - Detect existing `.agentvault/` config
+   - Prompt: "Would you like to connect to HashiCorp Vault?"
+   - Create vault connection with `vault: connect`
+   - Migrate secrets to vault automatically
+
+2. **Option B: Manual Setup** (For Control)
+   - Add `VAULT_URI` and `VAULT_TOKEN` to `.agentvault/config.yaml`
+   - User manually runs `agentvault vault: connect`
+   - Explicit control over when vault is used
+
+---
+
+## Secret Schema (Local File Fallback)
+
+If vault is unavailable, fall back to encrypted local storage:
+
+**File:** `~/.agentvault/secrets.json`
+
+**Schema:**
+```json
+{
+  "$schema": "https://agentvault.com/schema/v1",
+  "secrets": {
+    "claude_api_key": {
+      "value": "sk-...",
+      "version": "v1",
+      "created_at": "2026-02-11T...",
+      "last_access": "2026-02-11T...",
+      "metadata": {
+        "purpose": "AI inference",
+        "source": "user_provided"
+      }
+    },
+    "wallet_private_key": {
+      "value": "0x...",
+      "version": "v1",
+      "created_at": "2026-02-11T...",
+      "metadata": {
+        "chain": "ethereum",
+        "purpose": "agent_wallet"
+      }
+    }
+  },
+  "$version": "v1"
+}
+```
+
+**Features:**
+- AES-256 encryption with PBKDF2
+- Version history (up to 10 versions per secret)
+- Last-access timestamps
+- Purpose/metadata tagging
+- Read/write via VaultClient (primary) or local fallback
+
+---
+
+## Security Considerations
+
+### ✅ Benefits
+- **No more pasting keys** — Secret exposure eliminated
+- **Audit trails** — All vault operations logged
+- **Scoped access** — Agents only access what they need
+- **Revocation** — Compromised secrets can be revoked immediately
+- **TTL policies** — Secrets auto-expire, reducing risk window
+
+### ⚠️ Risks to Mitigate
+- **Vault dependency** — If vault is down, agent operations fail
+  - Mitigation: Local encrypted file fallback
+  - Mitigation: Cache secrets in memory during vault connections
+- **Token compromise** — If vault token stolen, attacker has access
+  - Mitigation: Token rotation workflow (admin revokes, user generates new)
+- **DoS attacks** — Vault rate limits could block legitimate agents
+  - Mitigation: Exponential backoff, local caching
+
+---
+
+## Testing Strategy
+
+### Unit Tests
+```typescript
+// tests/vault-client.test.ts
+describe('Vault Client', () => {
+  it('connects to vault', async () => {
+    const client = new VaultClient('http://localhost:8200');
+    await client.connect('test-token');
+    expect(client.isConnected()).toBe(true);
+  });
+
+  it('handles vault unavailability', async () => {
+    const client = new VaultClient('http://localhost:8200');
+    await client.connect('test-token');
+    expect(await client.getSecret('/test')).toEqual('test-value');
+  });
+});
+```
+
+### Integration Tests
+```bash
+# Test vault integration with CLI
+agentvault deploy --vault-secret /claude_api_key
+agentvault deploy --vault-secret /wallet_private_key
+agentvault exec --agent-id abc123 --vault-secret /api_key
+```
+
+---
+
+## Success Criteria
+
+- [ ] Vault client library created with full feature parity
+- [ ] CLI commands extended with vault operations
+- [ ] Webapp vault provider added (optional integration)
+- [ ] Vault connection settings in dashboard
+- [ ] Migration guide for existing users
+- [ ] Local encrypted secrets fallback implemented
+- [ ] All tests passing (existing + new vault tests)
+- [ ] Documentation updated
+
+---
+
+## Open Questions
+
+1. **Vault service?** Should we self-host HashiCorp Vault, use HCP Vault, or integrate with existing vault service?
+
+2. **Migration priority?** Should vault integration be opt-in (manual) or automatic for new users?
+
+3. **Scope granularity?** How detailed should secret scoping be? (per-secret, per-app, per-user?)
+
+4. **TTL defaults?** What should default secret expiration be? (1 hour, 24 hours, 7 days?)
+
+---
+
+## Next Steps
+
+1. **Review and approve** this plan with user
+2. **Create implementation branch:** `feature/vault-integration`
+3. **Implement Phase 1** (Vault Client Library)
+4. **Implement Phase 2** (CLI Commands)
+5. **Implement Phase 3** (Webapp Integration)
+6. **Test thoroughly** (unit + integration + migration)
+7. **Merge to main** when ready
+
+---
+
+*This plan balances feature completeness with pragmatic implementation, considering both new users (need migration) and existing workflows (local fallback).*