aquaman-proxy 0.6.0 → 0.7.0

package/dist/core/credentials/backends/onepassword.js

@@ -0,0 +1,218 @@
+/**
+ * 1Password credential backend using the `op` CLI
+ * Requires: 1Password CLI installed and signed in
+ */
+import { spawnSync } from 'node:child_process';
+const DEFAULT_VAULT = 'aquaman';
+const ITEM_PREFIX = 'aquaman';
+export class OnePasswordStore {
+    vault;
+    account;
+    opPath = null;
+    constructor(options) {
+        this.vault = options?.vault || DEFAULT_VAULT;
+        this.account = options?.account;
+        this.validateOpCli();
+    }
+    validateOpCli() {
+        // Check if op CLI is installed
+        try {
+            const result = spawnSync('which', ['op'], { encoding: 'utf-8' });
+            if (result.status !== 0) {
+                throw new Error('1Password CLI (op) not found. Install from: https://1password.com/downloads/command-line/');
+            }
+            this.opPath = result.stdout.trim();
+        }
+        catch {
+            throw new Error('1Password CLI (op) not found. Install from: https://1password.com/downloads/command-line/');
+        }
+        // Check if signed in
+        try {
+            this.runOp(['account', 'get']);
+        }
+        catch (error) {
+            throw new Error('Not signed in to 1Password. Run: op signin');
+        }
+    }
+    runOp(args, input) {
+        const accountArgs = this.account ? ['--account', this.account] : [];
+        const fullArgs = [...args, ...accountArgs];
+        try {
+            const result = spawnSync('op', fullArgs, {
+                encoding: 'utf-8',
+                input,
+                maxBuffer: 10 * 1024 * 1024
+            });
+            if (result.status !== 0) {
+                const error = result.stderr || result.stdout || 'Unknown error';
+                throw new Error(`op command failed: ${error}`);
+            }
+            return result.stdout;
+        }
+        catch (error) {
+            if (error instanceof Error && error.message.includes('op command failed')) {
+                throw error;
+            }
+            throw new Error(`Failed to run op command: ${error}`);
+        }
+    }
+    getItemName(service, key) {
+        return `${ITEM_PREFIX}-${service}-${key}`;
+    }
+    parseItemName(itemName) {
+        if (!itemName.startsWith(`${ITEM_PREFIX}-`)) {
+            return null;
+        }
+        const parts = itemName.slice(ITEM_PREFIX.length + 1).split('-');
+        if (parts.length < 2) {
+            return null;
+        }
+        // Handle service names with dashes by taking first part as service
+        const service = parts[0];
+        const key = parts.slice(1).join('-');
+        return { service, key };
+    }
+    ensureVaultExists() {
+        try {
+            this.runOp(['vault', 'get', this.vault]);
+        }
+        catch {
+            // Vault doesn't exist, create it
+            try {
+                this.runOp(['vault', 'create', this.vault]);
+                console.log(`Created 1Password vault: ${this.vault}`);
+            }
+            catch (createError) {
+                throw new Error(`Failed to create vault "${this.vault}": ${createError}`);
+            }
+        }
+    }
+    async get(service, key) {
+        const itemName = this.getItemName(service, key);
+        try {
+            const result = this.runOp([
+                'item', 'get', itemName,
+                '--vault', this.vault,
+                '--fields', 'credential',
+                '--format', 'json'
+            ]);
+            const parsed = JSON.parse(result);
+            return parsed.value || null;
+        }
+        catch (error) {
+            // Item not found is not an error
+            if (error instanceof Error && error.message.includes('not found')) {
+                return null;
+            }
+            throw error;
+        }
+    }
+    async set(service, key, value, metadata) {
+        this.ensureVaultExists();
+        const itemName = this.getItemName(service, key);
+        const tags = [ITEM_PREFIX, service];
+        // Check if item already exists
+        const existing = await this.get(service, key);
+        if (existing !== null) {
+            // Update existing item — pipe credential via stdin to avoid /proc/cmdline exposure
+            this.runOp([
+                'item', 'edit', itemName,
+                '--vault', this.vault,
+                'credential=-'
+            ], value);
+        }
+        else {
+            // Create new item — pipe credential via stdin to avoid /proc/cmdline exposure
+            const createArgs = [
+                'item', 'create',
+                '--category', 'API Credential',
+                '--vault', this.vault,
+                '--title', itemName,
+                'credential=-',
+                '--tags', tags.join(',')
+            ];
+            // Add metadata as fields
+            if (metadata) {
+                for (const [k, v] of Object.entries(metadata)) {
+                    createArgs.push(`${k}=${v}`);
+                }
+            }
+            this.runOp(createArgs, value);
+        }
+    }
+    async delete(service, key) {
+        const itemName = this.getItemName(service, key);
+        try {
+            this.runOp([
+                'item', 'delete', itemName,
+                '--vault', this.vault
+            ]);
+            return true;
+        }
+        catch (error) {
+            if (error instanceof Error && error.message.includes('not found')) {
+                return false;
+            }
+            throw error;
+        }
+    }
+    async list(service) {
+        try {
+            const listArgs = [
+                'item', 'list',
+                '--vault', this.vault,
+                '--tags', service ? `${ITEM_PREFIX},${service}` : ITEM_PREFIX,
+                '--format', 'json'
+            ];
+            const result = this.runOp(listArgs);
+            const items = JSON.parse(result);
+            const credentials = [];
+            for (const item of items) {
+                const parsed = this.parseItemName(item.title);
+                if (parsed) {
+                    if (!service || parsed.service === service) {
+                        credentials.push(parsed);
+                    }
+                }
+            }
+            return credentials;
+        }
+        catch (error) {
+            // Vault might not exist yet
+            if (error instanceof Error && error.message.includes('not found')) {
+                return [];
+            }
+            throw error;
+        }
+    }
+    async exists(service, key) {
+        const value = await this.get(service, key);
+        return value !== null;
+    }
+    /**
+     * Get the vault name being used
+     */
+    getVault() {
+        return this.vault;
+    }
+    /**
+     * Check if 1Password CLI is available and signed in
+     */
+    static isAvailable() {
+        try {
+            const whichResult = spawnSync('which', ['op'], { encoding: 'utf-8' });
+            if (whichResult.status !== 0) {
+                return false;
+            }
+            const accountResult = spawnSync('op', ['account', 'get'], { encoding: 'utf-8' });
+            return accountResult.status === 0;
+        }
+        catch {
+            return false;
+        }
+    }
+}
+export function createOnePasswordStore(options) {
+    return new OnePasswordStore(options);
+}
+//# sourceMappingURL=onepassword.js.map

package/dist/core/credentials/backends/onepassword.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"onepassword.js","sourceRoot":"","sources":["../../../../src/core/credentials/backends/onepassword.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAQ/C,MAAM,aAAa,GAAG,SAAS,CAAC;AAChC,MAAM,WAAW,GAAG,SAAS,CAAC;AAE9B,MAAM,OAAO,gBAAgB;IACnB,KAAK,CAAS;IACd,OAAO,CAAU;IACjB,MAAM,GAAkB,IAAI,CAAC;IAErC,YAAY,OAAiC;QAC3C,IAAI,CAAC,KAAK,GAAG,OAAO,EAAE,KAAK,IAAI,aAAa,CAAC;QAC7C,IAAI,CAAC,OAAO,GAAG,OAAO,EAAE,OAAO,CAAC;QAChC,IAAI,CAAC,aAAa,EAAE,CAAC;IACvB,CAAC;IAEO,aAAa;QACnB,+BAA+B;QAC/B,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,SAAS,CAAC,OAAO,EAAE,CAAC,IAAI,CAAC,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC,CAAC;YACjE,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACxB,MAAM,IAAI,KAAK,CAAC,2FAA2F,CAAC,CAAC;YAC/G,CAAC;YACD,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;QACrC,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,KAAK,CAAC,2FAA2F,CAAC,CAAC;QAC/G,CAAC;QAED,qBAAqB;QACrB,IAAI,CAAC;YACH,IAAI,CAAC,KAAK,CAAC,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC,CAAC;QACjC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;QAChE,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,IAAc,EAAE,KAAc;QAC1C,MAAM,WAAW,GAAG,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QACpE,MAAM,QAAQ,GAAG,CAAC,GAAG,IAAI,EAAE,GAAG,WAAW,CAAC,CAAC;QAE3C,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,SAAS,CAAC,IAAI,EAAE,QAAQ,EAAE;gBACvC,QAAQ,EAAE,OAAO;gBACjB,KAAK;gBACL,SAAS,EAAE,EAAE,GAAG,IAAI,GAAG,IAAI;aAC5B,CAAC,CAAC;YAEH,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACxB,MAAM,KAAK,GAAG,MAAM,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,IAAI,eAAe,CAAC;gBAChE,MAAM,IAAI,KAAK,CAAC,sBAAsB,KAAK,EAAE,CAAC,CAAC;YACjD,CAAC;YAED,OAAO,MAAM,CAAC,MAAM,CAAC;QACvB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,KAAK,IAAI,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAAC,EAAE,CAAC;gBAC1E,MAAM,KAAK,CAAC;YACd,CAAC;YACD,MAAM,IAAI,KAAK,CAAC,6BAA6B,KAAK,EAAE,CAAC,CAAC;QACxD,CAAC;IACH,CAAC;IAEO,WAAW,CAAC,OAAe,EAAE,GAAW;QAC9C,OAAO,GAAG,WAAW,IAAI,OAAO,IAAI,GAAG,EAAE,CAAC;IAC5C,CAAC;IAEO,aAAa,CAAC,QAAgB;QACpC,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,GAAG,WAAW,GAAG,CAAC,EAAE,CAAC;YAC5C,OAAO,IAAI,CAAC;QACd,CAAC;QACD,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,WAAW,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAChE,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACrB,OAAO,IAAI,CAAC;QACd,CAAC;QACD,mEAAmE;QACnE,MAAM,OAAO,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACzB,MAAM,GAAG,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACrC,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC;IAC1B,CAAC;IAEO,iBAAiB;QACvB,IAAI,CAAC;YACH,IAAI,CAAC,KAAK,CAAC,CAAC,OAAO,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;QAC3C,CAAC;QAAC,MAAM,CAAC;YACP,iCAAiC;YACjC,IAAI,CAAC;gBACH,IAAI,CAAC,KAAK,CAAC,CAAC,OAAO,EAAE,QAAQ,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;gBAC5C,OAAO,CAAC,GAAG,CAAC,4BAA4B,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC;YACxD,CAAC;YAAC,OAAO,WAAW,EAAE,CAAC;gBACrB,MAAM,IAAI,KAAK,CAAC,2BAA2B,IAAI,CAAC,KAAK,MAAM,WAAW,EAAE,CAAC,CAAC;YAC5E,CAAC;QACH,CAAC;IACH,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,OAAe,EAAE,GAAW;QACpC,MAAM,QAAQ,GAAG,IAAI,CAAC,WAAW,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;QAEhD,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC;gBACxB,MAAM,EAAE,KAAK,EAAE,QAAQ;gBACvB,SAAS,EAAE,IAAI,CAAC,KAAK;gBACrB,UAAU,EAAE,YAAY;gBACxB,UAAU,EAAE,MAAM;aACnB,CAAC,CAAC;YAEH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;YAClC,OAAO,MAAM,CAAC,KAAK,IAAI,IAAI,CAAC;QAC9B,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,iCAAiC;YACjC,IAAI,KAAK,YAAY,KAAK,IAAI,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;gBAClE,OAAO,IAAI,CAAC;YACd,CAAC;YACD,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,OAAe,EAAE,GAAW,EAAE,KAAa,EAAE,QAAiC;QACtF,IAAI,CAAC,iBAAiB,EAAE,CAAC;QAEzB,MAAM,QAAQ,GAAG,IAAI,CAAC,WAAW,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;QAChD,MAAM,IAAI,GAAG,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC;QAEpC,+BAA+B;QAC/B,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;QAE9C,IAAI,QAAQ,KAAK,IAAI,EAAE,CAAC;YACtB,mFAAmF;YACnF,IAAI,CAAC,KAAK,CAAC;gBACT,MAAM,EAAE,MAAM,EAAE,QAAQ;gBACxB,SAAS,EAAE,IAAI,CAAC,KAAK;gBACrB,cAAc;aACf,EAAE,KAAK,CAAC,CAAC;QACZ,CAAC;aAAM,CAAC;YACN,8EAA8E;YAC9E,MAAM,UAAU,GAAG;gBACjB,MAAM,EAAE,QAAQ;gBAChB,YAAY,EAAE,gBAAgB;gBAC9B,SAAS,EAAE,IAAI,CAAC,KAAK;gBACrB,SAAS,EAAE,QAAQ;gBACnB,cAAc;gBACd,QAAQ,EAAE,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC;aACzB,CAAC;YAEF,yBAAyB;YACzB,IAAI,QAAQ,EAAE,CAAC;gBACb,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;oBAC9C,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;gBAC/B,CAAC;YACH,CAAC;YAED,IAAI,CAAC,KAAK,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC;QAChC,CAAC;IACH,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,OAAe,EAAE,GAAW;QACvC,MAAM,QAAQ,GAAG,IAAI,CAAC,WAAW,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;QAEhD,IAAI,CAAC;YACH,IAAI,CAAC,KAAK,CAAC;gBACT,MAAM,EAAE,QAAQ,EAAE,QAAQ;gBAC1B,SAAS,EAAE,IAAI,CAAC,KAAK;aACtB,CAAC,CAAC;YACH,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,KAAK,IAAI,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;gBAClE,OAAO,KAAK,CAAC;YACf,CAAC;YACD,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,OAAgB;QACzB,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG;gBACf,MAAM,EAAE,MAAM;gBACd,SAAS,EAAE,IAAI,CAAC,KAAK;gBACrB,QAAQ,EAAE,OAAO,CAAC,CAAC,CAAC,GAAG,WAAW,IAAI,OAAO,EAAE,CAAC,CAAC,CAAC,WAAW;gBAC7D,UAAU,EAAE,MAAM;aACnB,CAAC;YAEF,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;YACpC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAA6B,CAAC;YAE7D,MAAM,WAAW,GAA4C,EAAE,CAAC;YAEhE,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;gBACzB,MAAM,MAAM,GAAG,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;gBAC9C,IAAI,MAAM,EAAE,CAAC;oBACX,IAAI,CAAC,OAAO,IAAI,MAAM,CAAC,OAAO,KAAK,OAAO,EAAE,CAAC;wBAC3C,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;oBAC3B,CAAC;gBACH,CAAC;YACH,CAAC;YAED,OAAO,WAAW,CAAC;QACrB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,4BAA4B;YAC5B,IAAI,KAAK,YAAY,KAAK,IAAI,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;gBAClE,OAAO,EAAE,CAAC;YACZ,CAAC;YACD,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,OAAe,EAAE,GAAW;QACvC,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;QAC3C,OAAO,KAAK,KAAK,IAAI,CAAC;IACxB,CAAC;IAED;;OAEG;IACH,QAAQ;QACN,OAAO,IAAI,CAAC,KAAK,CAAC;IACpB,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,WAAW;QAChB,IAAI,CAAC;YACH,MAAM,WAAW,GAAG,SAAS,CAAC,OAAO,EAAE,CAAC,IAAI,CAAC,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC,CAAC;YACtE,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAC7B,OAAO,KAAK,CAAC;YACf,CAAC;YAED,MAAM,aAAa,GAAG,SAAS,CAAC,IAAI,EAAE,CAAC,SAAS,EAAE,KAAK,CAAC,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC,CAAC;YACjF,OAAO,aAAa,CAAC,MAAM,KAAK,CAAC,CAAC;QACpC,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;CACF;AAED,MAAM,UAAU,sBAAsB,CAAC,OAAiC;IACtE,OAAO,IAAI,gBAAgB,CAAC,OAAO,CAAC,CAAC;AACvC,CAAC"}

package/dist/core/credentials/backends/vault.d.ts

@@ -0,0 +1,56 @@
+/**
+ * HashiCorp Vault credential backend using KV v2 API
+ * Requires: Vault server accessible and valid token
+ */
+import type { CredentialStore } from '../store.js';
+export interface VaultStoreOptions {
+    address: string;
+    token?: string;
+    namespace?: string;
+    mountPath?: string;
+}
+export declare class VaultStore implements CredentialStore {
+    private address;
+    private token;
+    private namespace?;
+    private mountPath;
+    constructor(options: VaultStoreOptions);
+    private getPath;
+    private getHeaders;
+    private request;
+    /**
+     * KV v2 uses data/ prefix for read/write and metadata/ prefix for metadata
+     */
+    private getDataPath;
+    private getMetadataPath;
+    private getListPath;
+    get(service: string, key: string): Promise<string | null>;
+    set(service: string, key: string, value: string, metadata?: Record<string, string>): Promise<void>;
+    delete(service: string, key: string): Promise<boolean>;
+    list(service?: string): Promise<Array<{
+        service: string;
+        key: string;
+    }>>;
+    exists(service: string, key: string): Promise<boolean>;
+    /**
+     * Get the Vault address being used
+     */
+    getAddress(): string;
+    /**
+     * Get the mount path being used
+     */
+    getMountPath(): string;
+    /**
+     * Check if Vault is reachable and token is valid
+     */
+    healthCheck(): Promise<{
+        healthy: boolean;
+        error?: string;
+    }>;
+    /**
+     * Check if Vault is available with given options
+     */
+    static isAvailable(options: VaultStoreOptions): Promise<boolean>;
+}
+export declare function createVaultStore(options: VaultStoreOptions): VaultStore;
+//# sourceMappingURL=vault.d.ts.map

package/dist/core/credentials/backends/vault.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"vault.d.ts","sourceRoot":"","sources":["../../../../src/core/credentials/backends/vault.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAEnD,MAAM,WAAW,iBAAiB;IAChC,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAKD,qBAAa,UAAW,YAAW,eAAe;IAChD,OAAO,CAAC,OAAO,CAAS;IACxB,OAAO,CAAC,KAAK,CAAS;IACtB,OAAO,CAAC,SAAS,CAAC,CAAS;IAC3B,OAAO,CAAC,SAAS,CAAS;gBAEd,OAAO,EAAE,iBAAiB;IAetC,OAAO,CAAC,OAAO;IAIf,OAAO,CAAC,UAAU;YAaJ,OAAO;IA+BrB;;OAEG;IACH,OAAO,CAAC,WAAW;IAInB,OAAO,CAAC,eAAe;IAIvB,OAAO,CAAC,WAAW;IAOb,GAAG,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAmBzD,GAAG,CACP,OAAO,EAAE,MAAM,EACf,GAAG,EAAE,MAAM,EACX,KAAK,EAAE,MAAM,EACb,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAChC,OAAO,CAAC,IAAI,CAAC;IAiBV,MAAM,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAatD,IAAI,CAAC,OAAO,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,KAAK,CAAC;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,GAAG,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IA0CxE,MAAM,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAK5D;;OAEG;IACH,UAAU,IAAI,MAAM;IAIpB;;OAEG;IACH,YAAY,IAAI,MAAM;IAItB;;OAEG;IACG,WAAW,IAAI,OAAO,CAAC;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IAiBlE;;OAEG;WACU,WAAW,CAAC,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,OAAO,CAAC;CASvE;AAED,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,iBAAiB,GAAG,UAAU,CAEvE"}

package/dist/core/credentials/backends/vault.js

@@ -0,0 +1,206 @@
+/**
+ * HashiCorp Vault credential backend using KV v2 API
+ * Requires: Vault server accessible and valid token
+ */
+const DEFAULT_MOUNT_PATH = 'secret';
+const AQUAMAN_PATH_PREFIX = 'aquaman';
+export class VaultStore {
+    address;
+    token;
+    namespace;
+    mountPath;
+    constructor(options) {
+        this.address = options.address.replace(/\/$/, ''); // Remove trailing slash
+        this.token = options.token || process.env['VAULT_TOKEN'] || '';
+        this.namespace = options.namespace || process.env['VAULT_NAMESPACE'];
+        this.mountPath = options.mountPath || DEFAULT_MOUNT_PATH;
+        if (!this.token) {
+            throw new Error('Vault token required. Provide via options.token or VAULT_TOKEN env var.');
+        }
+        if (!this.address) {
+            throw new Error('Vault address required. Provide via options.address or VAULT_ADDR env var.');
+        }
+    }
+    getPath(service, key) {
+        return `${AQUAMAN_PATH_PREFIX}/${service}/${key}`;
+    }
+    getHeaders() {
+        const headers = {
+            'X-Vault-Token': this.token,
+            'Content-Type': 'application/json'
+        };
+        if (this.namespace) {
+            headers['X-Vault-Namespace'] = this.namespace;
+        }
+        return headers;
+    }
+    async request(method, path, body) {
+        const url = `${this.address}/v1/${path}`;
+        const headers = this.getHeaders();
+        const response = await fetch(url, {
+            method,
+            headers,
+            body: body ? JSON.stringify(body) : undefined
+        });
+        if (response.status === 404) {
+            return { status: 404 };
+        }
+        if (!response.ok && response.status !== 204) {
+            const errorText = await response.text();
+            throw new Error(`Vault API error (${response.status}): ${errorText}`);
+        }
+        if (response.status === 204) {
+            return { status: 204 };
+        }
+        const data = await response.json();
+        return { data: data.data, status: response.status };
+    }
+    /**
+     * KV v2 uses data/ prefix for read/write and metadata/ prefix for metadata
+     */
+    getDataPath(service, key) {
+        return `${this.mountPath}/data/${this.getPath(service, key)}`;
+    }
+    getMetadataPath(service, key) {
+        return `${this.mountPath}/metadata/${this.getPath(service, key)}`;
+    }
+    getListPath(service) {
+        if (service) {
+            return `${this.mountPath}/metadata/${AQUAMAN_PATH_PREFIX}/${service}`;
+        }
+        return `${this.mountPath}/metadata/${AQUAMAN_PATH_PREFIX}`;
+    }
+    async get(service, key) {
+        try {
+            const result = await this.request('GET', this.getDataPath(service, key));
+            if (result.status === 404) {
+                return null;
+            }
+            // KV v2 wraps data in another data object
+            const kvData = result.data;
+            return kvData?.data?.credential || null;
+        }
+        catch (error) {
+            if (error instanceof Error && error.message.includes('404')) {
+                return null;
+            }
+            throw error;
+        }
+    }
+    async set(service, key, value, metadata) {
+        const data = {
+            credential: value
+        };
+        // Add metadata to the secret data (Vault stores metadata separately but we can include it in data too)
+        if (metadata) {
+            for (const [k, v] of Object.entries(metadata)) {
+                data[`meta_${k}`] = v;
+            }
+        }
+        await this.request('POST', this.getDataPath(service, key), {
+            data
+        });
+    }
+    async delete(service, key) {
+        try {
+            // For KV v2, we need to delete the metadata to fully remove the secret
+            const result = await this.request('DELETE', this.getMetadataPath(service, key));
+            return result.status === 204 || result.status === 200;
+        }
+        catch (error) {
+            if (error instanceof Error && error.message.includes('404')) {
+                return false;
+            }
+            throw error;
+        }
+    }
+    async list(service) {
+        const credentials = [];
+        try {
+            if (service) {
+                // List keys for a specific service
+                const result = await this.request('LIST', this.getListPath(service));
+                if (result.status === 404) {
+                    return [];
+                }
+                const keys = result.data?.keys || [];
+                for (const key of keys) {
+                    // Remove trailing slash if present (indicates directory)
+                    const cleanKey = key.replace(/\/$/, '');
+                    credentials.push({ service, key: cleanKey });
+                }
+            }
+            else {
+                // List all services first, then keys for each
+                const servicesResult = await this.request('LIST', this.getListPath());
+                if (servicesResult.status === 404) {
+                    return [];
+                }
+                const services = servicesResult.data?.keys || [];
+                for (const svc of services) {
+                    const cleanService = svc.replace(/\/$/, '');
+                    const serviceCredentials = await this.list(cleanService);
+                    credentials.push(...serviceCredentials);
+                }
+            }
+            return credentials;
+        }
+        catch (error) {
+            if (error instanceof Error && error.message.includes('404')) {
+                return [];
+            }
+            throw error;
+        }
+    }
+    async exists(service, key) {
+        const value = await this.get(service, key);
+        return value !== null;
+    }
+    /**
+     * Get the Vault address being used
+     */
+    getAddress() {
+        return this.address;
+    }
+    /**
+     * Get the mount path being used
+     */
+    getMountPath() {
+        return this.mountPath;
+    }
+    /**
+     * Check if Vault is reachable and token is valid
+     */
+    async healthCheck() {
+        try {
+            // Check token validity by looking up self
+            const response = await fetch(`${this.address}/v1/auth/token/lookup-self`, {
+                headers: this.getHeaders()
+            });
+            if (response.ok) {
+                return { healthy: true };
+            }
+            return { healthy: false, error: `Token lookup failed: ${response.status}` };
+        }
+        catch (error) {
+            return { healthy: false, error: `Connection failed: ${error}` };
+        }
+    }
+    /**
+     * Check if Vault is available with given options
+     */
+    static async isAvailable(options) {
+        try {
+            const store = new VaultStore(options);
+            const health = await store.healthCheck();
+            return health.healthy;
+        }
+        catch {
+            return false;
+        }
+    }
+}
+export function createVaultStore(options) {
+    return new VaultStore(options);
+}
+//# sourceMappingURL=vault.js.map

package/dist/core/credentials/backends/vault.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"vault.js","sourceRoot":"","sources":["../../../../src/core/credentials/backends/vault.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAWH,MAAM,kBAAkB,GAAG,QAAQ,CAAC;AACpC,MAAM,mBAAmB,GAAG,SAAS,CAAC;AAEtC,MAAM,OAAO,UAAU;IACb,OAAO,CAAS;IAChB,KAAK,CAAS;IACd,SAAS,CAAU;IACnB,SAAS,CAAS;IAE1B,YAAY,OAA0B;QACpC,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,CAAC,wBAAwB;QAC3E,IAAI,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,IAAI,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,IAAI,EAAE,CAAC;QAC/D,IAAI,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;QACrE,IAAI,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,kBAAkB,CAAC;QAEzD,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;YAChB,MAAM,IAAI,KAAK,CAAC,yEAAyE,CAAC,CAAC;QAC7F,CAAC;QAED,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;YAClB,MAAM,IAAI,KAAK,CAAC,4EAA4E,CAAC,CAAC;QAChG,CAAC;IACH,CAAC;IAEO,OAAO,CAAC,OAAe,EAAE,GAAW;QAC1C,OAAO,GAAG,mBAAmB,IAAI,OAAO,IAAI,GAAG,EAAE,CAAC;IACpD,CAAC;IAEO,UAAU;QAChB,MAAM,OAAO,GAA2B;YACtC,eAAe,EAAE,IAAI,CAAC,KAAK;YAC3B,cAAc,EAAE,kBAAkB;SACnC,CAAC;QAEF,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;YACnB,OAAO,CAAC,mBAAmB,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC;QAChD,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAEO,KAAK,CAAC,OAAO,CACnB,MAAc,EACd,IAAY,EACZ,IAA8B;QAE9B,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,OAAO,OAAO,IAAI,EAAE,CAAC;QACzC,MAAM,OAAO,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QAElC,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;YAChC,MAAM;YACN,OAAO;YACP,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS;SAC9C,CAAC,CAAC;QAEH,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC;QACzB,CAAC;QAED,IAAI,CAAC,QAAQ,CAAC,EAAE,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5C,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;YACxC,MAAM,IAAI,KAAK,CAAC,oBAAoB,QAAQ,CAAC,MAAM,MAAM,SAAS,EAAE,CAAC,CAAC;QACxE,CAAC;QAED,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC;QACzB,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAwC,CAAC;QACzE,OAAO,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,CAAC,MAAM,EAAE,CAAC;IACtD,CAAC;IAED;;OAEG;IACK,WAAW,CAAC,OAAe,EAAE,GAAW;QAC9C,OAAO,GAAG,IAAI,CAAC,SAAS,SAAS,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,GAAG,CAAC,EAAE,CAAC;IAChE,CAAC;IAEO,eAAe,CAAC,OAAe,EAAE,GAAW;QAClD,OAAO,GAAG,IAAI,CAAC,SAAS,aAAa,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,GAAG,CAAC,EAAE,CAAC;IACpE,CAAC;IAEO,WAAW,CAAC,OAAgB;QAClC,IAAI,OAAO,EAAE,CAAC;YACZ,OAAO,GAAG,IAAI,CAAC,SAAS,aAAa,mBAAmB,IAAI,OAAO,EAAE,CAAC;QACxE,CAAC;QACD,OAAO,GAAG,IAAI,CAAC,SAAS,aAAa,mBAAmB,EAAE,CAAC;IAC7D,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,OAAe,EAAE,GAAW;QACpC,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,WAAW,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,CAAC;YAEzE,IAAI,MAAM,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBAC1B,OAAO,IAAI,CAAC;YACd,CAAC;YAED,0CAA0C;YAC1C,MAAM,MAAM,GAAG,MAAM,CAAC,IAAyC,CAAC;YAChE,OAAO,MAAM,EAAE,IAAI,EAAE,UAAU,IAAI,IAAI,CAAC;QAC1C,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,KAAK,IAAI,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC5D,OAAO,IAAI,CAAC;YACd,CAAC;YACD,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAED,KAAK,CAAC,GAAG,CACP,OAAe,EACf,GAAW,EACX,KAAa,EACb,QAAiC;QAEjC,MAAM,IAAI,GAA2B;YACnC,UAAU,EAAE,KAAK;SAClB,CAAC;QAEF,uGAAuG;QACvG,IAAI,QAAQ,EAAE,CAAC;YACb,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAC9C,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC;YACxB,CAAC;QACH,CAAC;QAED,MAAM,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,IAAI,CAAC,WAAW,CAAC,OAAO,EAAE,GAAG,CAAC,EAAE;YACzD,IAAI;SACL,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,OAAe,EAAE,GAAW;QACvC,IAAI,CAAC;YACH,uEAAuE;YACvE,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,IAAI,CAAC,eAAe,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,CAAC;YAChF,OAAO,MAAM,CAAC,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,MAAM,KAAK,GAAG,CAAC;QACxD,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,KAAK,IAAI,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC5D,OAAO,KAAK,CAAC;YACf,CAAC;YACD,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,OAAgB;QACzB,MAAM,WAAW,GAA4C,EAAE,CAAC;QAEhE,IAAI,CAAC;YACH,IAAI,OAAO,EAAE,CAAC;gBACZ,mCAAmC;gBACnC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC,CAAC;gBACrE,IAAI,MAAM,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;oBAC1B,OAAO,EAAE,CAAC;gBACZ,CAAC;gBAED,MAAM,IAAI,GAAI,MAAM,CAAC,IAA4B,EAAE,IAAI,IAAI,EAAE,CAAC;gBAC9D,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;oBACvB,yDAAyD;oBACzD,MAAM,QAAQ,GAAG,GAAG,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;oBACxC,WAAW,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,CAAC,CAAC;gBAC/C,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,8CAA8C;gBAC9C,MAAM,cAAc,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC;gBACtE,IAAI,cAAc,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;oBAClC,OAAO,EAAE,CAAC;gBACZ,CAAC;gBAED,MAAM,QAAQ,GAAI,cAAc,CAAC,IAA4B,EAAE,IAAI,IAAI,EAAE,CAAC;gBAE1E,KAAK,MAAM,GAAG,IAAI,QAAQ,EAAE,CAAC;oBAC3B,MAAM,YAAY,GAAG,GAAG,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;oBAC5C,MAAM,kBAAkB,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;oBACzD,WAAW,CAAC,IAAI,CAAC,GAAG,kBAAkB,CAAC,CAAC;gBAC1C,CAAC;YACH,CAAC;YAED,OAAO,WAAW,CAAC;QACrB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,KAAK,IAAI,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC5D,OAAO,EAAE,CAAC;YACZ,CAAC;YACD,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,OAAe,EAAE,GAAW;QACvC,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;QAC3C,OAAO,KAAK,KAAK,IAAI,CAAC;IACxB,CAAC;IAED;;OAEG;IACH,UAAU;QACR,OAAO,IAAI,CAAC,OAAO,CAAC;IACtB,CAAC;IAED;;OAEG;IACH,YAAY;QACV,OAAO,IAAI,CAAC,SAAS,CAAC;IACxB,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,WAAW;QACf,IAAI,CAAC;YACH,0CAA0C;YAC1C,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,OAAO,4BAA4B,EAAE;gBACxE,OAAO,EAAE,IAAI,CAAC,UAAU,EAAE;aAC3B,CAAC,CAAC;YAEH,IAAI,QAAQ,CAAC,EAAE,EAAE,CAAC;gBAChB,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;YAC3B,CAAC;YAED,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,wBAAwB,QAAQ,CAAC,MAAM,EAAE,EAAE,CAAC;QAC9E,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,sBAAsB,KAAK,EAAE,EAAE,CAAC;QAClE,CAAC;IACH,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,KAAK,CAAC,WAAW,CAAC,OAA0B;QACjD,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,OAAO,CAAC,CAAC;YACtC,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,WAAW,EAAE,CAAC;YACzC,OAAO,MAAM,CAAC,OAAO,CAAC;QACxB,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;CACF;AAED,MAAM,UAAU,gBAAgB,CAAC,OAA0B;IACzD,OAAO,IAAI,UAAU,CAAC,OAAO,CAAC,CAAC;AACjC,CAAC"}

package/dist/core/credentials/index.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Credential storage module
+ */
+export { type Credential, type CredentialStore, type CredentialStoreOptions, KeychainStore, EncryptedFileStore, MemoryStore, createCredentialStore, validatePasswordStrength } from './store.js';
+export { type OnePasswordStoreOptions, OnePasswordStore, createOnePasswordStore } from './backends/onepassword.js';
+export { type VaultStoreOptions, VaultStore, createVaultStore } from './backends/vault.js';
+export { type KeePassXCStoreOptions, KeePassXCStore, createKeePassXCStore } from './backends/keepassxc.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/core/credentials/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/core/credentials/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EACL,KAAK,UAAU,EACf,KAAK,eAAe,EACpB,KAAK,sBAAsB,EAC3B,aAAa,EACb,kBAAkB,EAClB,WAAW,EACX,qBAAqB,EACrB,wBAAwB,EACzB,MAAM,YAAY,CAAC;AAEpB,OAAO,EACL,KAAK,uBAAuB,EAC5B,gBAAgB,EAChB,sBAAsB,EACvB,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EACL,KAAK,iBAAiB,EACtB,UAAU,EACV,gBAAgB,EACjB,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EACL,KAAK,qBAAqB,EAC1B,cAAc,EACd,oBAAoB,EACrB,MAAM,yBAAyB,CAAC"}

package/dist/core/credentials/index.js

@@ -0,0 +1,8 @@
+/**
+ * Credential storage module
+ */
+export { KeychainStore, EncryptedFileStore, MemoryStore, createCredentialStore, validatePasswordStrength } from './store.js';
+export { OnePasswordStore, createOnePasswordStore } from './backends/onepassword.js';
+export { VaultStore, createVaultStore } from './backends/vault.js';
+export { KeePassXCStore, createKeePassXCStore } from './backends/keepassxc.js';
+//# sourceMappingURL=index.js.map

package/dist/core/credentials/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/core/credentials/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAIL,aAAa,EACb,kBAAkB,EAClB,WAAW,EACX,qBAAqB,EACrB,wBAAwB,EACzB,MAAM,YAAY,CAAC;AAEpB,OAAO,EAEL,gBAAgB,EAChB,sBAAsB,EACvB,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EAEL,UAAU,EACV,gBAAgB,EACjB,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EAEL,cAAc,EACd,oBAAoB,EACrB,MAAM,yBAAyB,CAAC"}

package/dist/core/credentials/store.d.ts

@@ -0,0 +1,102 @@
+/**
+ * Credential storage interface with multiple backend support
+ * Supports: macOS Keychain, 1Password, HashiCorp Vault, encrypted file
+ */
+import type { CredentialBackend } from '../types.js';
+export interface Credential {
+    service: string;
+    key: string;
+    value: string;
+    metadata?: Record<string, string>;
+    createdAt: Date;
+    lastUsed?: Date;
+    rotateAfter?: Date;
+}
+export interface CredentialStore {
+    get(service: string, key: string): Promise<string | null>;
+    set(service: string, key: string, value: string, metadata?: Record<string, string>): Promise<void>;
+    delete(service: string, key: string): Promise<boolean>;
+    list(service?: string): Promise<Array<{
+        service: string;
+        key: string;
+    }>>;
+    exists(service: string, key: string): Promise<boolean>;
+}
+export interface CredentialStoreOptions {
+    backend: CredentialBackend;
+    encryptionPassword?: string;
+    vaultAddress?: string;
+    vaultToken?: string;
+    vaultNamespace?: string;
+    vaultMountPath?: string;
+    onePasswordVault?: string;
+    onePasswordAccount?: string;
+    keepassxcDatabasePath?: string;
+    keepassxcKeyFilePath?: string;
+}
+/**
+ * macOS Keychain backend using the keytar library
+ */
+export declare class KeychainStore implements CredentialStore {
+    private keytar;
+    private servicePrefix;
+    private indexService;
+    private indexAccount;
+    private getKeytar;
+    private getServiceName;
+    private getIndex;
+    private updateIndex;
+    get(service: string, key: string): Promise<string | null>;
+    set(service: string, key: string, value: string): Promise<void>;
+    delete(service: string, key: string): Promise<boolean>;
+    list(): Promise<Array<{
+        service: string;
+        key: string;
+    }>>;
+    exists(service: string, key: string): Promise<boolean>;
+}
+/**
+ * Encrypted file backend - fallback option
+ */
+export declare class EncryptedFileStore implements CredentialStore {
+    private filePath;
+    private password;
+    private cache;
+    constructor(password: string, filePath?: string);
+    private getKey;
+    private load;
+    private save;
+    get(service: string, key: string): Promise<string | null>;
+    set(service: string, key: string, value: string, metadata?: Record<string, string>): Promise<void>;
+    delete(service: string, key: string): Promise<boolean>;
+    list(service?: string): Promise<Array<{
+        service: string;
+        key: string;
+    }>>;
+    exists(service: string, key: string): Promise<boolean>;
+}
+/**
+ * In-memory store for testing
+ */
+export declare class MemoryStore implements CredentialStore {
+    private store;
+    private getKey;
+    get(service: string, key: string): Promise<string | null>;
+    set(service: string, key: string, value: string, metadata?: Record<string, string>): Promise<void>;
+    delete(service: string, key: string): Promise<boolean>;
+    list(service?: string): Promise<Array<{
+        service: string;
+        key: string;
+    }>>;
+    exists(service: string, key: string): Promise<boolean>;
+    clear(): void;
+}
+/**
+ * Validate encryption password strength for encrypted-file backend.
+ */
+export declare function validatePasswordStrength(password: string): {
+    valid: boolean;
+    errors: string[];
+};
+export declare function createCredentialStore(options: CredentialStoreOptions): CredentialStore;
+//# sourceMappingURL=store.d.ts.map

package/dist/core/credentials/store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"store.d.ts","sourceRoot":"","sources":["../../../src/core/credentials/store.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAOH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAGrD,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,MAAM,CAAC;IAChB,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAClC,SAAS,EAAE,IAAI,CAAC;IAChB,QAAQ,CAAC,EAAE,IAAI,CAAC;IAChB,WAAW,CAAC,EAAE,IAAI,CAAC;CACpB;AAED,MAAM,WAAW,eAAe;IAC9B,GAAG,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IAC1D,GAAG,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACnG,MAAM,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IACvD,IAAI,CAAC,OAAO,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,KAAK,CAAC;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,GAAG,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC,CAAC;IACzE,MAAM,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;CACxD;AAED,MAAM,WAAW,sBAAsB;IACrC,OAAO,EAAE,iBAAiB,CAAC;IAC3B,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAE5B,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,cAAc,CAAC,EAAE,MAAM,CAAC;IAExB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAE5B,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,oBAAoB,CAAC,EAAE,MAAM,CAAC;CAC/B;AAED;;GAEG;AACH,qBAAa,aAAc,YAAW,eAAe;IACnD,OAAO,CAAC,MAAM,CAAa;IAC3B,OAAO,CAAC,aAAa,CAAa;IAClC,OAAO,CAAC,YAAY,CAAoB;IACxC,OAAO,CAAC,YAAY,CAAc;YAEpB,SAAS;IAYvB,OAAO,CAAC,cAAc;YAIR,QAAQ;YAOR,WAAW;IAKnB,GAAG,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAKzD,GAAG,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAW/D,MAAM,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAgBtD,IAAI,IAAI,OAAO,CAAC,KAAK,CAAC;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,GAAG,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAexD,MAAM,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;CAI7D;AAED;;GAEG;AACH,qBAAa,kBAAmB,YAAW,eAAe;IACxD,OAAO,CAAC,QAAQ,CAAS;IACzB,OAAO,CAAC,QAAQ,CAAS;IACzB,OAAO,CAAC,KAAK,CAAwC;gBAEzC,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM;IAK/C,OAAO,CAAC,MAAM;YAIA,IAAI;YAsBJ,IAAI;IAmBZ,GAAG,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAMzD,GAAG,CACP,OAAO,EAAE,MAAM,EACf,GAAG,EAAE,MAAM,EACX,KAAK,EAAE,MAAM,EACb,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAChC,OAAO,CAAC,IAAI,CAAC;IAaV,MAAM,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAStD,IAAI,CAAC,OAAO,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,KAAK,CAAC;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,GAAG,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAaxE,MAAM,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;CAI7D;AAED;;GAEG;AACH,qBAAa,WAAY,YAAW,eAAe;IACjD,OAAO,CAAC,KAAK,CAAiC;IAE9C,OAAO,CAAC,MAAM;IAIR,GAAG,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAIzD,GAAG,CACP,OAAO,EAAE,MAAM,EACf,GAAG,EAAE,MAAM,EACX,KAAK,EAAE,MAAM,EACb,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAChC,OAAO,CAAC,IAAI,CAAC;IAUV,MAAM,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAItD,IAAI,CAAC,OAAO,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,KAAK,CAAC;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,GAAG,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAUxE,MAAM,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAI5D,KAAK,IAAI,IAAI;CAGd;AAED;;GAEG;AACH,wBAAgB,wBAAwB,CAAC,QAAQ,EAAE,MAAM,GAAG;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE,MAAM,EAAE,CAAA;CAAE,CAQ/F;AAED,wBAAgB,qBAAqB,CAAC,OAAO,EAAE,sBAAsB,GAAG,eAAe,CAgEtF"}