aquaman-core 0.1.0

package/dist/index.d.ts

@@ -0,0 +1,14 @@
+/**
+ * aquaman-core - Core credential storage, audit logging, and utilities
+ *
+ * This package provides the shared functionality for:
+ * - Credential storage backends (Keychain, 1Password, Vault, encrypted file)
+ * - Hash-chained tamper-evident audit logs
+ * - Cryptographic utilities
+ * - Configuration management
+ */
+export * from './types.js';
+export { type Credential, type CredentialStore, type CredentialStoreOptions, KeychainStore, EncryptedFileStore, MemoryStore, createCredentialStore, type OnePasswordStoreOptions, OnePasswordStore, createOnePasswordStore, type VaultStoreOptions, VaultStore, createVaultStore } from './credentials/index.js';
+export { type AuditLoggerOptions, AuditLogger, createAuditLogger } from './audit/index.js';
+export { computeHash, computeChainedHash, generateId, generateNonce, generateSigningKeyPair, sign, verify, encryptWithPassword, decryptWithPassword, generateSelfSignedCert, type SigningKeyPair, type SelfSignedCert, getConfigDir, getConfigPath, expandPath, getDefaultConfig, loadConfig, ensureConfigDir, saveConfig } from './utils/index.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAGH,cAAc,YAAY,CAAC;AAG3B,OAAO,EACL,KAAK,UAAU,EACf,KAAK,eAAe,EACpB,KAAK,sBAAsB,EAC3B,aAAa,EACb,kBAAkB,EAClB,WAAW,EACX,qBAAqB,EACrB,KAAK,uBAAuB,EAC5B,gBAAgB,EAChB,sBAAsB,EACtB,KAAK,iBAAiB,EACtB,UAAU,EACV,gBAAgB,EACjB,MAAM,wBAAwB,CAAC;AAGhC,OAAO,EACL,KAAK,kBAAkB,EACvB,WAAW,EACX,iBAAiB,EAClB,MAAM,kBAAkB,CAAC;AAG1B,OAAO,EACL,WAAW,EACX,kBAAkB,EAClB,UAAU,EACV,aAAa,EACb,sBAAsB,EACtB,IAAI,EACJ,MAAM,EACN,mBAAmB,EACnB,mBAAmB,EACnB,sBAAsB,EACtB,KAAK,cAAc,EACnB,KAAK,cAAc,EACnB,YAAY,EACZ,aAAa,EACb,UAAU,EACV,gBAAgB,EAChB,UAAU,EACV,eAAe,EACf,UAAU,EACX,MAAM,kBAAkB,CAAC"}

package/dist/index.js

@@ -0,0 +1,18 @@
+/**
+ * aquaman-core - Core credential storage, audit logging, and utilities
+ *
+ * This package provides the shared functionality for:
+ * - Credential storage backends (Keychain, 1Password, Vault, encrypted file)
+ * - Hash-chained tamper-evident audit logs
+ * - Cryptographic utilities
+ * - Configuration management
+ */
+// Types
+export * from './types.js';
+// Credentials
+export { KeychainStore, EncryptedFileStore, MemoryStore, createCredentialStore, OnePasswordStore, createOnePasswordStore, VaultStore, createVaultStore } from './credentials/index.js';
+// Audit
+export { AuditLogger, createAuditLogger } from './audit/index.js';
+// Utils
+export { computeHash, computeChainedHash, generateId, generateNonce, generateSigningKeyPair, sign, verify, encryptWithPassword, decryptWithPassword, generateSelfSignedCert, getConfigDir, getConfigPath, expandPath, getDefaultConfig, loadConfig, ensureConfigDir, saveConfig } from './utils/index.js';
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,QAAQ;AACR,cAAc,YAAY,CAAC;AAE3B,cAAc;AACd,OAAO,EAIL,aAAa,EACb,kBAAkB,EAClB,WAAW,EACX,qBAAqB,EAErB,gBAAgB,EAChB,sBAAsB,EAEtB,UAAU,EACV,gBAAgB,EACjB,MAAM,wBAAwB,CAAC;AAEhC,QAAQ;AACR,OAAO,EAEL,WAAW,EACX,iBAAiB,EAClB,MAAM,kBAAkB,CAAC;AAE1B,QAAQ;AACR,OAAO,EACL,WAAW,EACX,kBAAkB,EAClB,UAAU,EACV,aAAa,EACb,sBAAsB,EACtB,IAAI,EACJ,MAAM,EACN,mBAAmB,EACnB,mBAAmB,EACnB,sBAAsB,EAGtB,YAAY,EACZ,aAAa,EACb,UAAU,EACV,gBAAgB,EAChB,UAAU,EACV,eAAe,EACf,UAAU,EACX,MAAM,kBAAkB,CAAC"}

package/dist/types.d.ts

@@ -0,0 +1,85 @@
+/**
+ * Core types for aquaman credential isolation layer
+ *
+ * This module focuses on unique features NOT in OpenClaw:
+ * - Credential proxy with TLS
+ * - Enterprise backends (1Password, Vault)
+ * - Hash-chained tamper-evident audit logs
+ * - Dynamic service registry
+ */
+export interface ToolCall {
+    id: string;
+    sessionId: string;
+    agentId: string;
+    tool: string;
+    params: Record<string, unknown>;
+    timestamp: Date;
+}
+export interface ToolResult {
+    id: string;
+    toolCallId: string;
+    result: unknown;
+    error?: string;
+    timestamp: Date;
+}
+export interface AuditEntry {
+    id: string;
+    timestamp: Date;
+    type: 'tool_call' | 'tool_result' | 'credential_access';
+    sessionId: string;
+    agentId: string;
+    data: ToolCall | ToolResult | CredentialAccess;
+    previousHash: string;
+    hash: string;
+}
+export interface CredentialAccess {
+    service: string;
+    operation: 'read' | 'use' | 'rotate';
+    success: boolean;
+    error?: string;
+}
+export interface ServiceConfig {
+    name: string;
+    upstream: string;
+    authHeader: string;
+    authPrefix?: string;
+    credentialKey: string;
+    description?: string;
+}
+export interface CredentialsConfig {
+    backend: 'keychain' | '1password' | 'vault' | 'encrypted-file';
+    proxyPort: number;
+    proxiedServices: string[];
+    tls?: {
+        enabled: boolean;
+        certPath?: string;
+        keyPath?: string;
+        autoGenerate?: boolean;
+    };
+    onePasswordVault?: string;
+    onePasswordAccount?: string;
+    vaultAddress?: string;
+    vaultToken?: string;
+    vaultNamespace?: string;
+    vaultMountPath?: string;
+}
+export interface AuditConfig {
+    enabled: boolean;
+    logDir: string;
+}
+export interface ServicesConfig {
+    configPath: string;
+}
+export interface OpenClawConfig {
+    autoLaunch: boolean;
+    configMethod: 'env' | 'dotenv' | 'shell-rc';
+    binaryPath?: string;
+}
+export interface WrapperConfig {
+    credentials: CredentialsConfig;
+    audit: AuditConfig;
+    services: ServicesConfig;
+    openclaw: OpenClawConfig;
+}
+export type CredentialBackend = 'keychain' | '1password' | 'vault' | 'encrypted-file';
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,MAAM,WAAW,QAAQ;IACvB,EAAE,EAAE,MAAM,CAAC;IACX,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAChC,SAAS,EAAE,IAAI,CAAC;CACjB;AAED,MAAM,WAAW,UAAU;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,OAAO,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,IAAI,CAAC;CACjB;AAED,MAAM,WAAW,UAAU;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,SAAS,EAAE,IAAI,CAAC;IAChB,IAAI,EAAE,WAAW,GAAG,aAAa,GAAG,mBAAmB,CAAC;IACxD,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,QAAQ,GAAG,UAAU,GAAG,gBAAgB,CAAC;IAC/C,YAAY,EAAE,MAAM,CAAC;IACrB,IAAI,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,GAAG,KAAK,GAAG,QAAQ,CAAC;IACrC,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,aAAa,EAAE,MAAM,CAAC;IACtB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,iBAAiB;IAChC,OAAO,EAAE,UAAU,GAAG,WAAW,GAAG,OAAO,GAAG,gBAAgB,CAAC;IAC/D,SAAS,EAAE,MAAM,CAAC;IAClB,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,GAAG,CAAC,EAAE;QACJ,OAAO,EAAE,OAAO,CAAC;QACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,OAAO,CAAC,EAAE,MAAM,CAAC;QACjB,YAAY,CAAC,EAAE,OAAO,CAAC;KACxB,CAAC;IAEF,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAE5B,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAED,MAAM,WAAW,WAAW;IAC1B,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,cAAc;IAC7B,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,cAAc;IAC7B,UAAU,EAAE,OAAO,CAAC;IACpB,YAAY,EAAE,KAAK,GAAG,QAAQ,GAAG,UAAU,CAAC;IAC5C,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,aAAa;IAC5B,WAAW,EAAE,iBAAiB,CAAC;IAC/B,KAAK,EAAE,WAAW,CAAC;IACnB,QAAQ,EAAE,cAAc,CAAC;IACzB,QAAQ,EAAE,cAAc,CAAC;CAC1B;AAED,MAAM,MAAM,iBAAiB,GAAG,UAAU,GAAG,WAAW,GAAG,OAAO,GAAG,gBAAgB,CAAC"}

package/dist/types.js

@@ -0,0 +1,11 @@
+/**
+ * Core types for aquaman credential isolation layer
+ *
+ * This module focuses on unique features NOT in OpenClaw:
+ * - Credential proxy with TLS
+ * - Enterprise backends (1Password, Vault)
+ * - Hash-chained tamper-evident audit logs
+ * - Dynamic service registry
+ */
+export {};
+//# sourceMappingURL=types.js.map

package/dist/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG"}

package/dist/utils/config.d.ts

@@ -0,0 +1,18 @@
+/**
+ * Configuration loader and validator for aquaman
+ *
+ * Focused on credential isolation features:
+ * - Credential proxy settings
+ * - Enterprise backend configuration
+ * - Audit logging configuration
+ * - OpenClaw integration settings
+ */
+import type { WrapperConfig } from '../types.js';
+export declare function getConfigDir(): string;
+export declare function getConfigPath(): string;
+export declare function expandPath(p: string): string;
+export declare function getDefaultConfig(): WrapperConfig;
+export declare function loadConfig(): WrapperConfig;
+export declare function ensureConfigDir(): void;
+export declare function saveConfig(config: WrapperConfig): void;
+//# sourceMappingURL=config.d.ts.map

package/dist/utils/config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/utils/config.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAMH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAKjD,wBAAgB,YAAY,IAAI,MAAM,CAErC;AAED,wBAAgB,aAAa,IAAI,MAAM,CAEtC;AAED,wBAAgB,UAAU,CAAC,CAAC,EAAE,MAAM,GAAG,MAAM,CAQ5C;AAED,wBAAgB,gBAAgB,IAAI,aAAa,CA0BhD;AAED,wBAAgB,UAAU,IAAI,aAAa,CAgB1C;AAqCD,wBAAgB,eAAe,IAAI,IAAI,CAKtC;AAED,wBAAgB,UAAU,CAAC,MAAM,EAAE,aAAa,GAAG,IAAI,CAItD"}

package/dist/utils/config.js

@@ -0,0 +1,115 @@
+/**
+ * Configuration loader and validator for aquaman
+ *
+ * Focused on credential isolation features:
+ * - Credential proxy settings
+ * - Enterprise backend configuration
+ * - Audit logging configuration
+ * - OpenClaw integration settings
+ */
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import * as os from 'node:os';
+import { parse as parseYaml, stringify as stringifyYaml } from 'yaml';
+const DEFAULT_CONFIG_DIR = path.join(os.homedir(), '.aquaman');
+const CONFIG_FILE = 'config.yaml';
+export function getConfigDir() {
+    return process.env['AQUAMAN_CONFIG_DIR'] || DEFAULT_CONFIG_DIR;
+}
+export function getConfigPath() {
+    return path.join(getConfigDir(), CONFIG_FILE);
+}
+export function expandPath(p) {
+    if (p.startsWith('~')) {
+        return path.join(os.homedir(), p.slice(1));
+    }
+    if (p.includes('${HOME}')) {
+        return p.replace('${HOME}', os.homedir());
+    }
+    return p;
+}
+export function getDefaultConfig() {
+    return {
+        credentials: {
+            backend: 'keychain',
+            proxyPort: 8081,
+            proxiedServices: ['anthropic', 'openai', 'slack', 'discord', 'github'],
+            tls: {
+                enabled: true,
+                autoGenerate: true,
+                certPath: path.join(getConfigDir(), 'certs', 'proxy.crt'),
+                keyPath: path.join(getConfigDir(), 'certs', 'proxy.key')
+            },
+            vaultMountPath: 'secret'
+        },
+        audit: {
+            enabled: true,
+            logDir: path.join(getConfigDir(), 'audit')
+        },
+        services: {
+            configPath: path.join(getConfigDir(), 'services.yaml')
+        },
+        openclaw: {
+            autoLaunch: true,
+            configMethod: 'env'
+        }
+    };
+}
+export function loadConfig() {
+    const configPath = getConfigPath();
+    const defaultConfig = getDefaultConfig();
+    if (!fs.existsSync(configPath)) {
+        return defaultConfig;
+    }
+    try {
+        const content = fs.readFileSync(configPath, 'utf-8');
+        const userConfig = parseYaml(content);
+        return mergeConfig(defaultConfig, userConfig);
+    }
+    catch (error) {
+        console.error(`Warning: Failed to load config from ${configPath}, using defaults`);
+        return defaultConfig;
+    }
+}
+function mergeConfig(base, override) {
+    // Merge TLS config, ensuring enabled has a value
+    const baseTls = base.credentials.tls;
+    const overrideTls = override.credentials?.tls;
+    const mergedTls = baseTls || overrideTls ? {
+        enabled: overrideTls?.enabled ?? baseTls?.enabled ?? true,
+        certPath: overrideTls?.certPath ?? baseTls?.certPath,
+        keyPath: overrideTls?.keyPath ?? baseTls?.keyPath,
+        autoGenerate: overrideTls?.autoGenerate ?? baseTls?.autoGenerate
+    } : undefined;
+    return {
+        credentials: {
+            ...base.credentials,
+            ...override.credentials,
+            tls: mergedTls
+        },
+        audit: {
+            ...base.audit,
+            ...override.audit
+        },
+        services: {
+            ...base.services,
+            ...override.services
+        },
+        openclaw: {
+            ...base.openclaw,
+            ...override.openclaw
+        }
+    };
+}
+export function ensureConfigDir() {
+    const configDir = getConfigDir();
+    if (!fs.existsSync(configDir)) {
+        fs.mkdirSync(configDir, { recursive: true });
+    }
+}
+export function saveConfig(config) {
+    ensureConfigDir();
+    const configPath = getConfigPath();
+    fs.writeFileSync(configPath, stringifyYaml(config), 'utf-8');
+}
+//# sourceMappingURL=config.js.map

package/dist/utils/config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../../src/utils/config.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,EAAE,KAAK,IAAI,SAAS,EAAE,SAAS,IAAI,aAAa,EAAE,MAAM,MAAM,CAAC;AAGtE,MAAM,kBAAkB,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,UAAU,CAAC,CAAC;AAC/D,MAAM,WAAW,GAAG,aAAa,CAAC;AAElC,MAAM,UAAU,YAAY;IAC1B,OAAO,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,IAAI,kBAAkB,CAAC;AACjE,CAAC;AAED,MAAM,UAAU,aAAa;IAC3B,OAAO,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,EAAE,WAAW,CAAC,CAAC;AAChD,CAAC;AAED,MAAM,UAAU,UAAU,CAAC,CAAS;IAClC,IAAI,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QACtB,OAAO,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IAC7C,CAAC;IACD,IAAI,CAAC,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;QAC1B,OAAO,CAAC,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC;IAC5C,CAAC;IACD,OAAO,CAAC,CAAC;AACX,CAAC;AAED,MAAM,UAAU,gBAAgB;IAC9B,OAAO;QACL,WAAW,EAAE;YACX,OAAO,EAAE,UAAU;YACnB,SAAS,EAAE,IAAI;YACf,eAAe,EAAE,CAAC,WAAW,EAAE,QAAQ,EAAE,OAAO,EAAE,SAAS,EAAE,QAAQ,CAAC;YACtE,GAAG,EAAE;gBACH,OAAO,EAAE,IAAI;gBACb,YAAY,EAAE,IAAI;gBAClB,QAAQ,EAAE,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,EAAE,OAAO,EAAE,WAAW,CAAC;gBACzD,OAAO,EAAE,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,EAAE,OAAO,EAAE,WAAW,CAAC;aACzD;YACD,cAAc,EAAE,QAAQ;SACzB;QACD,KAAK,EAAE;YACL,OAAO,EAAE,IAAI;YACb,MAAM,EAAE,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,EAAE,OAAO,CAAC;SAC3C;QACD,QAAQ,EAAE;YACR,UAAU,EAAE,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,EAAE,eAAe,CAAC;SACvD;QACD,QAAQ,EAAE;YACR,UAAU,EAAE,IAAI;YAChB,YAAY,EAAE,KAAK;SACpB;KACF,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,UAAU;IACxB,MAAM,UAAU,GAAG,aAAa,EAAE,CAAC;IACnC,MAAM,aAAa,GAAG,gBAAgB,EAAE,CAAC;IAEzC,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC/B,OAAO,aAAa,CAAC;IACvB,CAAC;IAED,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;QACrD,MAAM,UAAU,GAAG,SAAS,CAAC,OAAO,CAA2B,CAAC;QAChE,OAAO,WAAW,CAAC,aAAa,EAAE,UAAU,CAAC,CAAC;IAChD,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,uCAAuC,UAAU,kBAAkB,CAAC,CAAC;QACnF,OAAO,aAAa,CAAC;IACvB,CAAC;AACH,CAAC;AAED,SAAS,WAAW,CAClB,IAAmB,EACnB,QAAgC;IAEhC,iDAAiD;IACjD,MAAM,OAAO,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC;IACrC,MAAM,WAAW,GAAG,QAAQ,CAAC,WAAW,EAAE,GAAG,CAAC;IAC9C,MAAM,SAAS,GAAG,OAAO,IAAI,WAAW,CAAC,CAAC,CAAC;QACzC,OAAO,EAAE,WAAW,EAAE,OAAO,IAAI,OAAO,EAAE,OAAO,IAAI,IAAI;QACzD,QAAQ,EAAE,WAAW,EAAE,QAAQ,IAAI,OAAO,EAAE,QAAQ;QACpD,OAAO,EAAE,WAAW,EAAE,OAAO,IAAI,OAAO,EAAE,OAAO;QACjD,YAAY,EAAE,WAAW,EAAE,YAAY,IAAI,OAAO,EAAE,YAAY;KACjE,CAAC,CAAC,CAAC,SAAS,CAAC;IAEd,OAAO;QACL,WAAW,EAAE;YACX,GAAG,IAAI,CAAC,WAAW;YACnB,GAAG,QAAQ,CAAC,WAAW;YACvB,GAAG,EAAE,SAAS;SACf;QACD,KAAK,EAAE;YACL,GAAG,IAAI,CAAC,KAAK;YACb,GAAG,QAAQ,CAAC,KAAK;SAClB;QACD,QAAQ,EAAE;YACR,GAAG,IAAI,CAAC,QAAQ;YAChB,GAAG,QAAQ,CAAC,QAAQ;SACrB;QACD,QAAQ,EAAE;YACR,GAAG,IAAI,CAAC,QAAQ;YAChB,GAAG,QAAQ,CAAC,QAAQ;SACrB;KACF,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,eAAe;IAC7B,MAAM,SAAS,GAAG,YAAY,EAAE,CAAC;IACjC,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QAC9B,EAAE,CAAC,SAAS,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC/C,CAAC;AACH,CAAC;AAED,MAAM,UAAU,UAAU,CAAC,MAAqB;IAC9C,eAAe,EAAE,CAAC;IAClB,MAAM,UAAU,GAAG,aAAa,EAAE,CAAC;IACnC,EAAE,CAAC,aAAa,CAAC,UAAU,EAAE,aAAa,CAAC,MAAM,CAAC,EAAE,OAAO,CAAC,CAAC;AAC/D,CAAC"}

package/dist/utils/hash.d.ts

@@ -0,0 +1,27 @@
+/**
+ * Cryptographic utilities for hash chains and integrity verification
+ */
+export declare function computeHash(data: string): string;
+export declare function computeChainedHash(data: string, previousHash: string): string;
+export declare function generateId(): string;
+export declare function generateNonce(): string;
+export interface SigningKeyPair {
+    publicKey: string;
+    privateKey: string;
+}
+export declare function generateSigningKeyPair(): SigningKeyPair;
+export declare function sign(data: string, privateKey: string): string;
+export declare function verify(data: string, signature: string, publicKey: string): boolean;
+export declare function encryptWithPassword(data: string, password: string): string;
+export declare function decryptWithPassword(encryptedData: string, password: string): string;
+export interface SelfSignedCert {
+    cert: string;
+    key: string;
+}
+/**
+ * Generate a self-signed TLS certificate.
+ * Prefers openssl CLI (correct DER encoding on all platforms),
+ * falls back to manual ASN.1 DER encoding if openssl is unavailable.
+ */
+export declare function generateSelfSignedCert(commonName: string, days?: number): SelfSignedCert;
+//# sourceMappingURL=hash.d.ts.map

package/dist/utils/hash.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"hash.d.ts","sourceRoot":"","sources":["../../src/utils/hash.ts"],"names":[],"mappings":"AAAA;;GAEG;AAUH,wBAAgB,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAEhD;AAED,wBAAgB,kBAAkB,CAAC,IAAI,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,MAAM,CAE7E;AAED,wBAAgB,UAAU,IAAI,MAAM,CAEnC;AAED,wBAAgB,aAAa,IAAI,MAAM,CAEtC;AAED,MAAM,WAAW,cAAc;IAC7B,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,wBAAgB,sBAAsB,IAAI,cAAc,CAMvD;AAED,wBAAgB,IAAI,CAAC,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,MAAM,CAG7D;AAED,wBAAgB,MAAM,CAAC,IAAI,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAWlF;AAED,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,MAAM,CAgB1E;AAED,wBAAgB,mBAAmB,CAAC,aAAa,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,MAAM,CAmBnF;AAED,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,GAAG,EAAE,MAAM,CAAC;CACb;AAED;;;;GAIG;AACH,wBAAgB,sBAAsB,CAAC,UAAU,EAAE,MAAM,EAAE,IAAI,SAAM,GAAG,cAAc,CA+BrF"}

package/dist/utils/hash.js

@@ -0,0 +1,348 @@
+/**
+ * Cryptographic utilities for hash chains and integrity verification
+ */
+import * as crypto from 'node:crypto';
+import { execFileSync } from 'node:child_process';
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import * as os from 'node:os';
+const HASH_ALGORITHM = 'sha256';
+export function computeHash(data) {
+    return crypto.createHash(HASH_ALGORITHM).update(data).digest('hex');
+}
+export function computeChainedHash(data, previousHash) {
+    return computeHash(previousHash + data);
+}
+export function generateId() {
+    return crypto.randomUUID();
+}
+export function generateNonce() {
+    return crypto.randomBytes(16).toString('hex');
+}
+export function generateSigningKeyPair() {
+    const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519', {
+        publicKeyEncoding: { type: 'spki', format: 'pem' },
+        privateKeyEncoding: { type: 'pkcs8', format: 'pem' }
+    });
+    return { publicKey, privateKey };
+}
+export function sign(data, privateKey) {
+    const signature = crypto.sign(null, Buffer.from(data), privateKey);
+    return signature.toString('base64');
+}
+export function verify(data, signature, publicKey) {
+    try {
+        return crypto.verify(null, Buffer.from(data), publicKey, Buffer.from(signature, 'base64'));
+    }
+    catch {
+        return false;
+    }
+}
+export function encryptWithPassword(data, password) {
+    const salt = crypto.randomBytes(16);
+    const key = crypto.pbkdf2Sync(password, salt, 600000, 32, 'sha256');
+    const iv = crypto.randomBytes(12);
+    const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
+    let encrypted = cipher.update(data, 'utf-8', 'base64');
+    encrypted += cipher.final('base64');
+    const authTag = cipher.getAuthTag();
+    return [
+        salt.toString('base64'),
+        iv.toString('base64'),
+        authTag.toString('base64'),
+        encrypted
+    ].join(':');
+}
+export function decryptWithPassword(encryptedData, password) {
+    const [saltB64, ivB64, authTagB64, encrypted] = encryptedData.split(':');
+    if (!saltB64 || !ivB64 || !authTagB64 || !encrypted) {
+        throw new Error('Invalid encrypted data format');
+    }
+    const salt = Buffer.from(saltB64, 'base64');
+    const iv = Buffer.from(ivB64, 'base64');
+    const authTag = Buffer.from(authTagB64, 'base64');
+    const key = crypto.pbkdf2Sync(password, salt, 600000, 32, 'sha256');
+    const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
+    decipher.setAuthTag(authTag);
+    let decrypted = decipher.update(encrypted, 'base64', 'utf-8');
+    decrypted += decipher.final('utf-8');
+    return decrypted;
+}
+/**
+ * Generate a self-signed TLS certificate.
+ * Prefers openssl CLI (correct DER encoding on all platforms),
+ * falls back to manual ASN.1 DER encoding if openssl is unavailable.
+ */
+export function generateSelfSignedCert(commonName, days = 365) {
+    // Generate RSA key pair using Node.js crypto (always reliable)
+    const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', {
+        modulusLength: 2048,
+        publicKeyEncoding: { type: 'spki', format: 'pem' },
+        privateKeyEncoding: { type: 'pkcs8', format: 'pem' }
+    });
+    // Try openssl CLI first — produces correct DER across all OpenSSL/LibreSSL versions
+    try {
+        const cert = generateCertWithOpenSSL(commonName, days, privateKey);
+        return { cert, key: privateKey };
+    }
+    catch {
+        // Fall back to manual ASN.1 DER encoding
+    }
+    const now = new Date();
+    const notBefore = now;
+    const notAfter = new Date(now.getTime() + days * 24 * 60 * 60 * 1000);
+    const serialNumber = crypto.randomBytes(16).toString('hex');
+    const cert = buildSelfSignedCert({
+        commonName,
+        publicKey,
+        privateKey,
+        notBefore,
+        notAfter,
+        serialNumber
+    });
+    return { cert, key: privateKey };
+}
+function generateCertWithOpenSSL(commonName, days, privateKey) {
+    const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'aquaman-cert-'));
+    const keyFile = path.join(tmpDir, 'key.pem');
+    const certFile = path.join(tmpDir, 'cert.pem');
+    const configFile = path.join(tmpDir, 'openssl.cnf');
+    try {
+        fs.writeFileSync(keyFile, privateKey, { mode: 0o600 });
+        // Minimal openssl config with SAN extension
+        fs.writeFileSync(configFile, [
+            '[req]',
+            'distinguished_name = dn',
+            'x509_extensions = ext',
+            'prompt = no',
+            '[dn]',
+            `CN = ${commonName}`,
+            '[ext]',
+            `subjectAltName = DNS:${commonName}`,
+            'basicConstraints = critical, CA:FALSE',
+            'keyUsage = critical, digitalSignature, keyEncipherment',
+        ].join('\n'));
+        execFileSync('openssl', [
+            'req', '-x509',
+            '-key', keyFile,
+            '-out', certFile,
+            '-days', String(days),
+            '-config', configFile,
+        ], { stdio: 'pipe' });
+        return fs.readFileSync(certFile, 'utf-8');
+    }
+    finally {
+        fs.rmSync(tmpDir, { recursive: true, force: true });
+    }
+}
+function buildSelfSignedCert(params) {
+    // Extract the public key bytes from PEM
+    const pubKeyDer = pemToDer(params.publicKey, 'PUBLIC KEY');
+    // Build TBSCertificate (To Be Signed Certificate)
+    const tbsCert = buildTBSCertificate(params, pubKeyDer);
+    // Sign the TBSCertificate
+    const signature = crypto.sign('sha256', tbsCert, params.privateKey);
+    // Build the complete certificate
+    const cert = buildCertificate(tbsCert, signature);
+    // Convert to PEM
+    return derToPem(cert, 'CERTIFICATE');
+}
+function pemToDer(pem, label) {
+    const base64 = pem
+        .replace(`-----BEGIN ${label}-----`, '')
+        .replace(`-----END ${label}-----`, '')
+        .replace(/\s/g, '');
+    return Buffer.from(base64, 'base64');
+}
+function derToPem(der, label) {
+    const base64 = der.toString('base64');
+    const lines = [];
+    for (let i = 0; i < base64.length; i += 64) {
+        lines.push(base64.slice(i, i + 64));
+    }
+    return `-----BEGIN ${label}-----\n${lines.join('\n')}\n-----END ${label}-----\n`;
+}
+// ASN.1 DER encoding helpers
+function encodeLength(length) {
+    if (length < 128) {
+        return Buffer.from([length]);
+    }
+    const bytes = [];
+    let temp = length;
+    while (temp > 0) {
+        bytes.unshift(temp & 0xff);
+        temp >>= 8;
+    }
+    return Buffer.from([0x80 | bytes.length, ...bytes]);
+}
+function encodeSequence(items) {
+    const content = Buffer.concat(items);
+    const lengthBytes = encodeLength(content.length);
+    return Buffer.concat([Buffer.from([0x30]), lengthBytes, content]);
+}
+function encodeSet(items) {
+    const content = Buffer.concat(items);
+    const lengthBytes = encodeLength(content.length);
+    return Buffer.concat([Buffer.from([0x31]), lengthBytes, content]);
+}
+function encodeInteger(value) {
+    let bytes;
+    if (typeof value === 'number') {
+        if (value === 0) {
+            bytes = Buffer.from([0]);
+        }
+        else {
+            const hex = value.toString(16);
+            bytes = Buffer.from(hex.length % 2 ? '0' + hex : hex, 'hex');
+        }
+    }
+    else {
+        bytes = value;
+    }
+    // Add leading zero if high bit is set (to ensure positive number)
+    if (bytes[0] & 0x80) {
+        bytes = Buffer.concat([Buffer.from([0]), bytes]);
+    }
+    const lengthBytes = encodeLength(bytes.length);
+    return Buffer.concat([Buffer.from([0x02]), lengthBytes, bytes]);
+}
+function encodeOID(oid) {
+    const parts = oid.split('.').map(Number);
+    const bytes = [];
+    // First two components are encoded specially
+    bytes.push(parts[0] * 40 + parts[1]);
+    // Remaining components use variable-length encoding
+    for (let i = 2; i < parts.length; i++) {
+        let n = parts[i];
+        if (n === 0) {
+            bytes.push(0);
+        }
+        else {
+            const octets = [];
+            while (n > 0) {
+                octets.unshift(n & 0x7f);
+                n >>= 7;
+            }
+            for (let j = 0; j < octets.length - 1; j++) {
+                octets[j] |= 0x80;
+            }
+            bytes.push(...octets);
+        }
+    }
+    const content = Buffer.from(bytes);
+    const lengthBytes = encodeLength(content.length);
+    return Buffer.concat([Buffer.from([0x06]), lengthBytes, content]);
+}
+function encodePrintableString(str) {
+    const content = Buffer.from(str, 'ascii');
+    const lengthBytes = encodeLength(content.length);
+    return Buffer.concat([Buffer.from([0x13]), lengthBytes, content]);
+}
+function encodeUTCTime(date) {
+    const year = date.getUTCFullYear() % 100;
+    const month = (date.getUTCMonth() + 1).toString().padStart(2, '0');
+    const day = date.getUTCDate().toString().padStart(2, '0');
+    const hours = date.getUTCHours().toString().padStart(2, '0');
+    const minutes = date.getUTCMinutes().toString().padStart(2, '0');
+    const seconds = date.getUTCSeconds().toString().padStart(2, '0');
+    const str = `${year.toString().padStart(2, '0')}${month}${day}${hours}${minutes}${seconds}Z`;
+    const content = Buffer.from(str, 'ascii');
+    const lengthBytes = encodeLength(content.length);
+    return Buffer.concat([Buffer.from([0x17]), lengthBytes, content]);
+}
+function encodeBitString(data) {
+    // Add leading byte for unused bits (0)
+    const content = Buffer.concat([Buffer.from([0]), data]);
+    const lengthBytes = encodeLength(content.length);
+    return Buffer.concat([Buffer.from([0x03]), lengthBytes, content]);
+}
+function encodeContextTag(tag, content) {
+    const lengthBytes = encodeLength(content.length);
+    return Buffer.concat([Buffer.from([0xa0 | tag]), lengthBytes, content]);
+}
+function buildTBSCertificate(params, pubKeyDer) {
+    // Version (v3 = 2)
+    const version = encodeContextTag(0, encodeInteger(2));
+    // Serial number
+    const serial = encodeInteger(Buffer.from(params.serialNumber, 'hex'));
+    // Signature algorithm (SHA256 with RSA)
+    const signatureAlgorithm = encodeSequence([
+        encodeOID('1.2.840.113549.1.1.11'), // sha256WithRSAEncryption
+        Buffer.from([0x05, 0x00]) // NULL
+    ]);
+    // Issuer (same as subject for self-signed)
+    const issuer = buildName(params.commonName);
+    // Validity
+    const validity = encodeSequence([
+        encodeUTCTime(params.notBefore),
+        encodeUTCTime(params.notAfter)
+    ]);
+    // Subject
+    const subject = buildName(params.commonName);
+    // Subject Public Key Info (already in DER format)
+    const subjectPublicKeyInfo = pubKeyDer;
+    // Extensions (v3)
+    const extensions = buildExtensions(params.commonName);
+    const extensionsTagged = encodeContextTag(3, extensions);
+    return encodeSequence([
+        version,
+        serial,
+        signatureAlgorithm,
+        issuer,
+        validity,
+        subject,
+        subjectPublicKeyInfo,
+        extensionsTagged
+    ]);
+}
+function buildName(commonName) {
+    // Build RDN for CN (Common Name)
+    const cnOid = encodeOID('2.5.4.3'); // id-at-commonName
+    const cnValue = encodePrintableString(commonName);
+    const cnAttr = encodeSequence([cnOid, cnValue]);
+    const cnRdn = encodeSet([cnAttr]);
+    return encodeSequence([cnRdn]);
+}
+function buildExtensions(commonName) {
+    // Basic Constraints (CA: false)
+    const basicConstraints = encodeSequence([
+        encodeOID('2.5.29.19'), // id-ce-basicConstraints
+        Buffer.from([0x01, 0x01, 0xff]), // critical = true
+        Buffer.from([0x04, 0x02, 0x30, 0x00]) // OCTET STRING containing empty SEQUENCE
+    ]);
+    // Key Usage (digitalSignature, keyEncipherment)
+    const keyUsage = encodeSequence([
+        encodeOID('2.5.29.15'), // id-ce-keyUsage
+        Buffer.from([0x01, 0x01, 0xff]), // critical = true
+        Buffer.from([0x04, 0x04, 0x03, 0x02, 0x05, 0xa0]) // OCTET STRING containing BIT STRING
+    ]);
+    // Subject Alternative Name (DNS name)
+    const sanValue = encodeSequence([
+        Buffer.concat([
+            Buffer.from([0x82]), // context tag 2 (dNSName)
+            encodeLength(commonName.length),
+            Buffer.from(commonName, 'ascii')
+        ])
+    ]);
+    const sanOctet = Buffer.concat([
+        Buffer.from([0x04]),
+        encodeLength(sanValue.length),
+        sanValue
+    ]);
+    const san = encodeSequence([
+        encodeOID('2.5.29.17'), // id-ce-subjectAltName
+        sanOctet
+    ]);
+    return encodeSequence([basicConstraints, keyUsage, san]);
+}
+function buildCertificate(tbsCert, signature) {
+    // Signature algorithm
+    const signatureAlgorithm = encodeSequence([
+        encodeOID('1.2.840.113549.1.1.11'), // sha256WithRSAEncryption
+        Buffer.from([0x05, 0x00]) // NULL
+    ]);
+    // Signature value
+    const signatureValue = encodeBitString(signature);
+    return encodeSequence([tbsCert, signatureAlgorithm, signatureValue]);
+}
+//# sourceMappingURL=hash.js.map