aquaman-proxy 0.6.0 → 0.7.0

package/dist/core/credentials/store.js

@@ -0,0 +1,289 @@
+/**
+ * Credential storage interface with multiple backend support
+ * Supports: macOS Keychain, 1Password, HashiCorp Vault, encrypted file
+ */
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import * as os from 'node:os';
+import { encryptWithPassword, decryptWithPassword } from '../utils/hash.js';
+import { getConfigDir } from '../utils/config.js';
+import { KeePassXCStore } from './backends/keepassxc.js';
+/**
+ * macOS Keychain backend using the keytar library
+ */
+export class KeychainStore {
+    keytar = null;
+    servicePrefix = 'aquaman';
+    indexService = 'aquaman/_index';
+    indexAccount = 'services';
+    async getKeytar() {
+        if (!this.keytar) {
+            try {
+                const mod = await import('keytar');
+                this.keytar = mod.default || mod;
+            }
+            catch {
+                throw new Error('keytar not available - install with: npm install keytar');
+            }
+        }
+        return this.keytar;
+    }
+    getServiceName(service) {
+        return `${this.servicePrefix}/${service}`;
+    }
+    async getIndex() {
+        const keytar = await this.getKeytar();
+        const raw = await keytar.getPassword(this.indexService, this.indexAccount);
+        if (!raw)
+            return [];
+        try {
+            return JSON.parse(raw);
+        }
+        catch {
+            return [];
+        }
+    }
+    async updateIndex(services) {
+        const keytar = await this.getKeytar();
+        await keytar.setPassword(this.indexService, this.indexAccount, JSON.stringify(services));
+    }
+    async get(service, key) {
+        const keytar = await this.getKeytar();
+        return keytar.getPassword(this.getServiceName(service), key);
+    }
+    async set(service, key, value) {
+        const keytar = await this.getKeytar();
+        await keytar.setPassword(this.getServiceName(service), key, value);
+        const index = await this.getIndex();
+        if (!index.includes(service)) {
+            index.push(service);
+            await this.updateIndex(index);
+        }
+    }
+    async delete(service, key) {
+        const keytar = await this.getKeytar();
+        const deleted = await keytar.deletePassword(this.getServiceName(service), key);
+        if (deleted) {
+            const remaining = await keytar.findCredentials(this.getServiceName(service));
+            if (remaining.length === 0) {
+                const index = await this.getIndex();
+                const updated = index.filter((s) => s !== service);
+                await this.updateIndex(updated);
+            }
+        }
+        return deleted;
+    }
+    async list() {
+        const keytar = await this.getKeytar();
+        const index = await this.getIndex();
+        const results = [];
+        for (const service of index) {
+            const creds = await keytar.findCredentials(this.getServiceName(service));
+            for (const cred of creds) {
+                results.push({ service, key: cred.account });
+            }
+        }
+        return results;
+    }
+    async exists(service, key) {
+        const value = await this.get(service, key);
+        return value !== null;
+    }
+}
+/**
+ * Encrypted file backend - fallback option
+ */
+export class EncryptedFileStore {
+    filePath;
+    password;
+    cache = null;
+    constructor(password, filePath) {
+        this.password = password;
+        this.filePath = filePath || path.join(os.homedir(), '.aquaman', 'credentials.enc');
+    }
+    getKey(service, key) {
+        return `${service}:${key}`;
+    }
+    async load() {
+        if (this.cache) {
+            return this.cache;
+        }
+        if (!fs.existsSync(this.filePath)) {
+            this.cache = new Map();
+            return this.cache;
+        }
+        try {
+            const encrypted = fs.readFileSync(this.filePath, 'utf-8');
+            const decrypted = decryptWithPassword(encrypted, this.password);
+            const data = JSON.parse(decrypted);
+            this.cache = new Map(Object.entries(data));
+            return this.cache;
+        }
+        catch {
+            throw new Error('Failed to decrypt credentials file - wrong password?');
+        }
+    }
+    async save() {
+        if (!this.cache)
+            return;
+        const data = {};
+        for (const [key, cred] of this.cache.entries()) {
+            data[key] = cred;
+        }
+        const json = JSON.stringify(data, null, 2);
+        const encrypted = encryptWithPassword(json, this.password);
+        const dir = path.dirname(this.filePath);
+        if (!fs.existsSync(dir)) {
+            fs.mkdirSync(dir, { recursive: true });
+        }
+        fs.writeFileSync(this.filePath, encrypted, { mode: 0o600 });
+    }
+    async get(service, key) {
+        const store = await this.load();
+        const cred = store.get(this.getKey(service, key));
+        return cred?.value ?? null;
+    }
+    async set(service, key, value, metadata) {
+        const store = await this.load();
+        const credential = {
+            service,
+            key,
+            value,
+            metadata,
+            createdAt: new Date()
+        };
+        store.set(this.getKey(service, key), credential);
+        await this.save();
+    }
+    async delete(service, key) {
+        const store = await this.load();
+        const deleted = store.delete(this.getKey(service, key));
+        if (deleted) {
+            await this.save();
+        }
+        return deleted;
+    }
+    async list(service) {
+        const store = await this.load();
+        const results = [];
+        for (const cred of store.values()) {
+            if (!service || cred.service === service) {
+                results.push({ service: cred.service, key: cred.key });
+            }
+        }
+        return results;
+    }
+    async exists(service, key) {
+        const store = await this.load();
+        return store.has(this.getKey(service, key));
+    }
+}
+/**
+ * In-memory store for testing
+ */
+export class MemoryStore {
+    store = new Map();
+    getKey(service, key) {
+        return `${service}:${key}`;
+    }
+    async get(service, key) {
+        return this.store.get(this.getKey(service, key))?.value ?? null;
+    }
+    async set(service, key, value, metadata) {
+        this.store.set(this.getKey(service, key), {
+            service,
+            key,
+            value,
+            metadata,
+            createdAt: new Date()
+        });
+    }
+    async delete(service, key) {
+        return this.store.delete(this.getKey(service, key));
+    }
+    async list(service) {
+        const results = [];
+        for (const cred of this.store.values()) {
+            if (!service || cred.service === service) {
+                results.push({ service: cred.service, key: cred.key });
+            }
+        }
+        return results;
+    }
+    async exists(service, key) {
+        return this.store.has(this.getKey(service, key));
+    }
+    clear() {
+        this.store.clear();
+    }
+}
+/**
+ * Validate encryption password strength for encrypted-file backend.
+ */
+export function validatePasswordStrength(password) {
+    const errors = [];
+    if (!password) {
+        errors.push('Password must not be empty');
+    }
+    else if (password.length < 12) {
+        errors.push(`Password must be at least 12 characters (got ${password.length})`);
+    }
+    return { valid: errors.length === 0, errors };
+}
+export function createCredentialStore(options) {
+    switch (options.backend) {
+        case 'keychain':
+            return new KeychainStore();
+        case 'encrypted-file':
+            if (!options.encryptionPassword) {
+                throw new Error('encryptionPassword required for encrypted-file backend');
+            }
+            {
+                const strength = validatePasswordStrength(options.encryptionPassword);
+                if (!strength.valid) {
+                    throw new Error(`Weak encryption password: ${strength.errors.join('; ')}`);
+                }
+            }
+            return new EncryptedFileStore(options.encryptionPassword, path.join(getConfigDir(), 'credentials.enc'));
+        case '1password': {
+            // Dynamically import to avoid loading if not used
+            const { OnePasswordStore } = require('./backends/onepassword.js');
+            return new OnePasswordStore({
+                vault: options.onePasswordVault,
+                account: options.onePasswordAccount
+            });
+        }
+        case 'vault': {
+            if (!options.vaultAddress) {
+                // Try env var
+                const envAddress = process.env['VAULT_ADDR'];
+                if (!envAddress) {
+                    throw new Error('vaultAddress required for vault backend. Set via config or VAULT_ADDR env var.');
+                }
+                options.vaultAddress = envAddress;
+            }
+            // Dynamically import to avoid loading if not used
+            const { VaultStore } = require('./backends/vault.js');
+            return new VaultStore({
+                address: options.vaultAddress,
+                token: options.vaultToken,
+                namespace: options.vaultNamespace,
+                mountPath: options.vaultMountPath
+            });
+        }
+        case 'keepassxc': {
+            const dbPath = options.keepassxcDatabasePath
+                || path.join(getConfigDir(), 'credentials.kdbx');
+            const password = options.encryptionPassword
+                || process.env['AQUAMAN_KEEPASS_PASSWORD'];
+            const keyFile = options.keepassxcKeyFilePath;
+            if (!password && !keyFile) {
+                throw new Error('KeePassXC backend requires a master password (AQUAMAN_KEEPASS_PASSWORD) or key file (keepassxcKeyFilePath)');
+            }
+            return new KeePassXCStore({ dbPath, password, keyFilePath: keyFile });
+        }
+        default:
+            throw new Error(`Unknown credential backend: ${options.backend}`);
+    }
+}
+//# sourceMappingURL=store.js.map

package/dist/core/credentials/store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"store.js","sourceRoot":"","sources":["../../../src/core/credentials/store.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,EAAE,mBAAmB,EAAE,mBAAmB,EAAE,MAAM,kBAAkB,CAAC;AAC5E,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAElD,OAAO,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAC;AAoCzD;;GAEG;AACH,MAAM,OAAO,aAAa;IAChB,MAAM,GAAQ,IAAI,CAAC;IACnB,aAAa,GAAG,SAAS,CAAC;IAC1B,YAAY,GAAG,gBAAgB,CAAC;IAChC,YAAY,GAAG,UAAU,CAAC;IAE1B,KAAK,CAAC,SAAS;QACrB,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;YACjB,IAAI,CAAC;gBACH,MAAM,GAAG,GAAQ,MAAM,MAAM,CAAC,QAAQ,CAAC,CAAC;gBACxC,IAAI,CAAC,MAAM,GAAG,GAAG,CAAC,OAAO,IAAI,GAAG,CAAC;YACnC,CAAC;YAAC,MAAM,CAAC;gBACP,MAAM,IAAI,KAAK,CAAC,yDAAyD,CAAC,CAAC;YAC7E,CAAC;QACH,CAAC;QACD,OAAO,IAAI,CAAC,MAAM,CAAC;IACrB,CAAC;IAEO,cAAc,CAAC,OAAe;QACpC,OAAO,GAAG,IAAI,CAAC,aAAa,IAAI,OAAO,EAAE,CAAC;IAC5C,CAAC;IAEO,KAAK,CAAC,QAAQ;QACpB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,SAAS,EAAE,CAAC;QACtC,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,WAAW,CAAC,IAAI,CAAC,YAAY,EAAE,IAAI,CAAC,YAAY,CAAC,CAAC;QAC3E,IAAI,CAAC,GAAG;YAAE,OAAO,EAAE,CAAC;QACpB,IAAI,CAAC;YAAC,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAAC,CAAC;QAAC,MAAM,CAAC;YAAC,OAAO,EAAE,CAAC;QAAC,CAAC;IACtD,CAAC;IAEO,KAAK,CAAC,WAAW,CAAC,QAAkB;QAC1C,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,SAAS,EAAE,CAAC;QACtC,MAAM,MAAM,CAAC,WAAW,CAAC,IAAI,CAAC,YAAY,EAAE,IAAI,CAAC,YAAY,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC,CAAC;IAC3F,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,OAAe,EAAE,GAAW;QACpC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,SAAS,EAAE,CAAC;QACtC,OAAO,MAAM,CAAC,WAAW,CAAC,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC,EAAE,GAAG,CAAC,CAAC;IAC/D,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,OAAe,EAAE,GAAW,EAAE,KAAa;QACnD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,SAAS,EAAE,CAAC;QACtC,MAAM,MAAM,CAAC,WAAW,CAAC,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC;QAEnE,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,QAAQ,EAAE,CAAC;QACpC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;YAC7B,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YACpB,MAAM,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC;QAChC,CAAC;IACH,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,OAAe,EAAE,GAAW;QACvC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,SAAS,EAAE,CAAC;QACtC,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,cAAc,CAAC,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC,EAAE,GAAG,CAAC,CAAC;QAE/E,IAAI,OAAO,EAAE,CAAC;YACZ,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,eAAe,CAAC,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC,CAAC,CAAC;YAC7E,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAC3B,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACpC,MAAM,OAAO,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAS,EAAE,EAAE,CAAC,CAAC,KAAK,OAAO,CAAC,CAAC;gBAC3D,MAAM,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;YAClC,CAAC;QACH,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,KAAK,CAAC,IAAI;QACR,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,SAAS,EAAE,CAAC;QACtC,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,QAAQ,EAAE,CAAC;QACpC,MAAM,OAAO,GAA4C,EAAE,CAAC;QAE5D,KAAK,MAAM,OAAO,IAAI,KAAK,EAAE,CAAC;YAC5B,MAAM,KAAK,GAAG,MAAM,MAAM,CAAC,eAAe,CAAC,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC,CAAC,CAAC;YACzE,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;gBACzB,OAAO,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,GAAG,EAAE,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC;YAC/C,CAAC;QACH,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,OAAe,EAAE,GAAW;QACvC,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;QAC3C,OAAO,KAAK,KAAK,IAAI,CAAC;IACxB,CAAC;CACF;AAED;;GAEG;AACH,MAAM,OAAO,kBAAkB;IACrB,QAAQ,CAAS;IACjB,QAAQ,CAAS;IACjB,KAAK,GAAmC,IAAI,CAAC;IAErD,YAAY,QAAgB,EAAE,QAAiB;QAC7C,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;QACzB,IAAI,CAAC,QAAQ,GAAG,QAAQ,IAAI,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,UAAU,EAAE,iBAAiB,CAAC,CAAC;IACrF,CAAC;IAEO,MAAM,CAAC,OAAe,EAAE,GAAW;QACzC,OAAO,GAAG,OAAO,IAAI,GAAG,EAAE,CAAC;IAC7B,CAAC;IAEO,KAAK,CAAC,IAAI;QAChB,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YACf,OAAO,IAAI,CAAC,KAAK,CAAC;QACpB,CAAC;QAED,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;YAClC,IAAI,CAAC,KAAK,GAAG,IAAI,GAAG,EAAE,CAAC;YACvB,OAAO,IAAI,CAAC,KAAK,CAAC;QACpB,CAAC;QAED,IAAI,CAAC;YACH,MAAM,SAAS,GAAG,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;YAC1D,MAAM,SAAS,GAAG,mBAAmB,CAAC,SAAS,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC;YAChE,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAA+B,CAAC;YAEjE,IAAI,CAAC,KAAK,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;YAC3C,OAAO,IAAI,CAAC,KAAK,CAAC;QACpB,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,KAAK,CAAC,sDAAsD,CAAC,CAAC;QAC1E,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,IAAI;QAChB,IAAI,CAAC,IAAI,CAAC,KAAK;YAAE,OAAO;QAExB,MAAM,IAAI,GAA+B,EAAE,CAAC;QAC5C,KAAK,MAAM,CAAC,GAAG,EAAE,IAAI,CAAC,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,EAAE,CAAC;YAC/C,IAAI,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC;QACnB,CAAC;QAED,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;QAC3C,MAAM,SAAS,GAAG,mBAAmB,CAAC,IAAI,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC;QAE3D,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACxC,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YACxB,EAAE,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACzC,CAAC;QAED,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,QAAQ,EAAE,SAAS,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAC9D,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,OAAe,EAAE,GAAW;QACpC,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;QAChC,MAAM,IAAI,GAAG,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,CAAC;QAClD,OAAO,IAAI,EAAE,KAAK,IAAI,IAAI,CAAC;IAC7B,CAAC;IAED,KAAK,CAAC,GAAG,CACP,OAAe,EACf,GAAW,EACX,KAAa,EACb,QAAiC;QAEjC,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;QAChC,MAAM,UAAU,GAAe;YAC7B,OAAO;YACP,GAAG;YACH,KAAK;YACL,QAAQ;YACR,SAAS,EAAE,IAAI,IAAI,EAAE;SACtB,CAAC;QACF,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,GAAG,CAAC,EAAE,UAAU,CAAC,CAAC;QACjD,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;IACpB,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,OAAe,EAAE,GAAW;QACvC,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;QAChC,MAAM,OAAO,GAAG,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,CAAC;QACxD,IAAI,OAAO,EAAE,CAAC;YACZ,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;QACpB,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,OAAgB;QACzB,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;QAChC,MAAM,OAAO,GAA4C,EAAE,CAAC;QAE5D,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC;YAClC,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC,OAAO,KAAK,OAAO,EAAE,CAAC;gBACzC,OAAO,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;YACzD,CAAC;QACH,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,OAAe,EAAE,GAAW;QACvC,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;QAChC,OAAO,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,CAAC;IAC9C,CAAC;CACF;AAED;;GAEG;AACH,MAAM,OAAO,WAAW;IACd,KAAK,GAAG,IAAI,GAAG,EAAsB,CAAC;IAEtC,MAAM,CAAC,OAAe,EAAE,GAAW;QACzC,OAAO,GAAG,OAAO,IAAI,GAAG,EAAE,CAAC;IAC7B,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,OAAe,EAAE,GAAW;QACpC,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,EAAE,KAAK,IAAI,IAAI,CAAC;IAClE,CAAC;IAED,KAAK,CAAC,GAAG,CACP,OAAe,EACf,GAAW,EACX,KAAa,EACb,QAAiC;QAEjC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,GAAG,CAAC,EAAE;YACxC,OAAO;YACP,GAAG;YACH,KAAK;YACL,QAAQ;YACR,SAAS,EAAE,IAAI,IAAI,EAAE;SACtB,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,OAAe,EAAE,GAAW;QACvC,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,CAAC;IACtD,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,OAAgB;QACzB,MAAM,OAAO,GAA4C,EAAE,CAAC;QAC5D,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC;YACvC,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC,OAAO,KAAK,OAAO,EAAE,CAAC;gBACzC,OAAO,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;YACzD,CAAC;QACH,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,OAAe,EAAE,GAAW;QACvC,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,CAAC;IACnD,CAAC;IAED,KAAK;QACH,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;IACrB,CAAC;CACF;AAED;;GAEG;AACH,MAAM,UAAU,wBAAwB,CAAC,QAAgB;IACvD,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,MAAM,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAC;IAC5C,CAAC;SAAM,IAAI,QAAQ,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QAChC,MAAM,CAAC,IAAI,CAAC,gDAAgD,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC;IAClF,CAAC;IACD,OAAO,EAAE,KAAK,EAAE,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;AAChD,CAAC;AAED,MAAM,UAAU,qBAAqB,CAAC,OAA+B;IACnE,QAAQ,OAAO,CAAC,OAAO,EAAE,CAAC;QACxB,KAAK,UAAU;YACb,OAAO,IAAI,aAAa,EAAE,CAAC;QAE7B,KAAK,gBAAgB;YACnB,IAAI,CAAC,OAAO,CAAC,kBAAkB,EAAE,CAAC;gBAChC,MAAM,IAAI,KAAK,CAAC,wDAAwD,CAAC,CAAC;YAC5E,CAAC;YACD,CAAC;gBACC,MAAM,QAAQ,GAAG,wBAAwB,CAAC,OAAO,CAAC,kBAAkB,CAAC,CAAC;gBACtE,IAAI,CAAC,QAAQ,CAAC,KAAK,EAAE,CAAC;oBACpB,MAAM,IAAI,KAAK,CAAC,6BAA6B,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;gBAC7E,CAAC;YACH,CAAC;YACD,OAAO,IAAI,kBAAkB,CAC3B,OAAO,CAAC,kBAAkB,EAC1B,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,EAAE,iBAAiB,CAAC,CAC7C,CAAC;QAEJ,KAAK,WAAW,CAAC,CAAC,CAAC;YACjB,kDAAkD;YAClD,MAAM,EAAE,gBAAgB,EAAE,GAAG,OAAO,CAAC,2BAA2B,CAAC,CAAC;YAClE,OAAO,IAAI,gBAAgB,CAAC;gBAC1B,KAAK,EAAE,OAAO,CAAC,gBAAgB;gBAC/B,OAAO,EAAE,OAAO,CAAC,kBAAkB;aACpC,CAAC,CAAC;QACL,CAAC;QAED,KAAK,OAAO,CAAC,CAAC,CAAC;YACb,IAAI,CAAC,OAAO,CAAC,YAAY,EAAE,CAAC;gBAC1B,cAAc;gBACd,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;gBAC7C,IAAI,CAAC,UAAU,EAAE,CAAC;oBAChB,MAAM,IAAI,KAAK,CAAC,gFAAgF,CAAC,CAAC;gBACpG,CAAC;gBACD,OAAO,CAAC,YAAY,GAAG,UAAU,CAAC;YACpC,CAAC;YAED,kDAAkD;YAClD,MAAM,EAAE,UAAU,EAAE,GAAG,OAAO,CAAC,qBAAqB,CAAC,CAAC;YACtD,OAAO,IAAI,UAAU,CAAC;gBACpB,OAAO,EAAE,OAAO,CAAC,YAAY;gBAC7B,KAAK,EAAE,OAAO,CAAC,UAAU;gBACzB,SAAS,EAAE,OAAO,CAAC,cAAc;gBACjC,SAAS,EAAE,OAAO,CAAC,cAAc;aAClC,CAAC,CAAC;QACL,CAAC;QAED,KAAK,WAAW,CAAC,CAAC,CAAC;YACjB,MAAM,MAAM,GAAG,OAAO,CAAC,qBAAqB;mBACvC,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,EAAE,kBAAkB,CAAC,CAAC;YACnD,MAAM,QAAQ,GAAG,OAAO,CAAC,kBAAkB;mBACtC,OAAO,CAAC,GAAG,CAAC,0BAA0B,CAAC,CAAC;YAC7C,MAAM,OAAO,GAAG,OAAO,CAAC,oBAAoB,CAAC;YAC7C,IAAI,CAAC,QAAQ,IAAI,CAAC,OAAO,EAAE,CAAC;gBAC1B,MAAM,IAAI,KAAK,CAAC,4GAA4G,CAAC,CAAC;YAChI,CAAC;YACD,OAAO,IAAI,cAAc,CAAC,EAAE,MAAM,EAAE,QAAQ,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC,CAAC;QACxE,CAAC;QAED;YACE,MAAM,IAAI,KAAK,CAAC,+BAA+B,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC;IACtE,CAAC;AACH,CAAC"}

package/dist/core/index.d.ts

@@ -0,0 +1,14 @@
+/**
+ * aquaman-core - Core credential storage, audit logging, and utilities
+ *
+ * This package provides the shared functionality for:
+ * - Credential storage backends (Keychain, 1Password, Vault, encrypted file)
+ * - Hash-chained tamper-evident audit logs
+ * - Cryptographic utilities
+ * - Configuration management
+ */
+export * from './types.js';
+export { type Credential, type CredentialStore, type CredentialStoreOptions, KeychainStore, EncryptedFileStore, MemoryStore, createCredentialStore, validatePasswordStrength, type OnePasswordStoreOptions, OnePasswordStore, createOnePasswordStore, type VaultStoreOptions, VaultStore, createVaultStore, type KeePassXCStoreOptions, KeePassXCStore, createKeePassXCStore } from './credentials/index.js';
+export { type AuditLoggerOptions, AuditLogger, createAuditLogger, redactSensitiveParams } from './audit/index.js';
+export { computeHash, computeChainedHash, generateId, generateNonce, generateSigningKeyPair, sign, verify, encryptWithPassword, decryptWithPassword, generateSelfSignedCert, type SigningKeyPair, type SelfSignedCert, getConfigDir, getConfigPath, expandPath, getDefaultConfig, loadConfig, ensureConfigDir, saveConfig, applyEnvOverrides } from './utils/index.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/core/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/core/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAGH,cAAc,YAAY,CAAC;AAG3B,OAAO,EACL,KAAK,UAAU,EACf,KAAK,eAAe,EACpB,KAAK,sBAAsB,EAC3B,aAAa,EACb,kBAAkB,EAClB,WAAW,EACX,qBAAqB,EACrB,wBAAwB,EACxB,KAAK,uBAAuB,EAC5B,gBAAgB,EAChB,sBAAsB,EACtB,KAAK,iBAAiB,EACtB,UAAU,EACV,gBAAgB,EAChB,KAAK,qBAAqB,EAC1B,cAAc,EACd,oBAAoB,EACrB,MAAM,wBAAwB,CAAC;AAGhC,OAAO,EACL,KAAK,kBAAkB,EACvB,WAAW,EACX,iBAAiB,EACjB,qBAAqB,EACtB,MAAM,kBAAkB,CAAC;AAG1B,OAAO,EACL,WAAW,EACX,kBAAkB,EAClB,UAAU,EACV,aAAa,EACb,sBAAsB,EACtB,IAAI,EACJ,MAAM,EACN,mBAAmB,EACnB,mBAAmB,EACnB,sBAAsB,EACtB,KAAK,cAAc,EACnB,KAAK,cAAc,EACnB,YAAY,EACZ,aAAa,EACb,UAAU,EACV,gBAAgB,EAChB,UAAU,EACV,eAAe,EACf,UAAU,EACV,iBAAiB,EAClB,MAAM,kBAAkB,CAAC"}

package/dist/core/index.js

@@ -0,0 +1,18 @@
+/**
+ * aquaman-core - Core credential storage, audit logging, and utilities
+ *
+ * This package provides the shared functionality for:
+ * - Credential storage backends (Keychain, 1Password, Vault, encrypted file)
+ * - Hash-chained tamper-evident audit logs
+ * - Cryptographic utilities
+ * - Configuration management
+ */
+// Types
+export * from './types.js';
+// Credentials
+export { KeychainStore, EncryptedFileStore, MemoryStore, createCredentialStore, validatePasswordStrength, OnePasswordStore, createOnePasswordStore, VaultStore, createVaultStore, KeePassXCStore, createKeePassXCStore } from './credentials/index.js';
+// Audit
+export { AuditLogger, createAuditLogger, redactSensitiveParams } from './audit/index.js';
+// Utils
+export { computeHash, computeChainedHash, generateId, generateNonce, generateSigningKeyPair, sign, verify, encryptWithPassword, decryptWithPassword, generateSelfSignedCert, getConfigDir, getConfigPath, expandPath, getDefaultConfig, loadConfig, ensureConfigDir, saveConfig, applyEnvOverrides } from './utils/index.js';
+//# sourceMappingURL=index.js.map

package/dist/core/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/core/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,QAAQ;AACR,cAAc,YAAY,CAAC;AAE3B,cAAc;AACd,OAAO,EAIL,aAAa,EACb,kBAAkB,EAClB,WAAW,EACX,qBAAqB,EACrB,wBAAwB,EAExB,gBAAgB,EAChB,sBAAsB,EAEtB,UAAU,EACV,gBAAgB,EAEhB,cAAc,EACd,oBAAoB,EACrB,MAAM,wBAAwB,CAAC;AAEhC,QAAQ;AACR,OAAO,EAEL,WAAW,EACX,iBAAiB,EACjB,qBAAqB,EACtB,MAAM,kBAAkB,CAAC;AAE1B,QAAQ;AACR,OAAO,EACL,WAAW,EACX,kBAAkB,EAClB,UAAU,EACV,aAAa,EACb,sBAAsB,EACtB,IAAI,EACJ,MAAM,EACN,mBAAmB,EACnB,mBAAmB,EACnB,sBAAsB,EAGtB,YAAY,EACZ,aAAa,EACb,UAAU,EACV,gBAAgB,EAChB,UAAU,EACV,eAAe,EACf,UAAU,EACV,iBAAiB,EAClB,MAAM,kBAAkB,CAAC"}

package/dist/core/types.d.ts

@@ -0,0 +1,81 @@
+/**
+ * Core types for aquaman credential isolation layer
+ *
+ * This module focuses on unique features NOT in OpenClaw:
+ * - Credential proxy via Unix domain socket
+ * - Enterprise backends (1Password, Vault)
+ * - Hash-chained tamper-evident audit logs
+ * - Dynamic service registry
+ */
+export interface ToolCall {
+    id: string;
+    sessionId: string;
+    agentId: string;
+    tool: string;
+    params: Record<string, unknown>;
+    timestamp: Date;
+}
+export interface ToolResult {
+    id: string;
+    toolCallId: string;
+    result: unknown;
+    error?: string;
+    timestamp: Date;
+}
+export interface AuditEntry {
+    id: string;
+    timestamp: Date;
+    type: 'tool_call' | 'tool_result' | 'credential_access';
+    sessionId: string;
+    agentId: string;
+    data: ToolCall | ToolResult | CredentialAccess;
+    previousHash: string;
+    hash: string;
+}
+export interface CredentialAccess {
+    service: string;
+    operation: 'read' | 'use' | 'rotate';
+    success: boolean;
+    error?: string;
+}
+export interface ServiceConfig {
+    name: string;
+    upstream: string;
+    authHeader: string;
+    authPrefix?: string;
+    credentialKey: string;
+    description?: string;
+}
+export interface CredentialsConfig {
+    backend: 'keychain' | '1password' | 'vault' | 'encrypted-file' | 'keepassxc';
+    proxiedServices: string[];
+    encryptionPassword?: string;
+    onePasswordVault?: string;
+    onePasswordAccount?: string;
+    vaultAddress?: string;
+    vaultToken?: string;
+    vaultNamespace?: string;
+    vaultMountPath?: string;
+    keepassxcDatabasePath?: string;
+    keepassxcKeyFilePath?: string;
+}
+export interface AuditConfig {
+    enabled: boolean;
+    logDir: string;
+}
+export interface ServicesConfig {
+    configPath: string;
+}
+export interface OpenClawConfig {
+    autoLaunch: boolean;
+    configMethod: 'env' | 'dotenv' | 'shell-rc';
+    binaryPath?: string;
+}
+export interface WrapperConfig {
+    credentials: CredentialsConfig;
+    audit: AuditConfig;
+    services: ServicesConfig;
+    openclaw: OpenClawConfig;
+}
+export type CredentialBackend = 'keychain' | '1password' | 'vault' | 'encrypted-file' | 'keepassxc';
+//# sourceMappingURL=types.d.ts.map

package/dist/core/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/core/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,MAAM,WAAW,QAAQ;IACvB,EAAE,EAAE,MAAM,CAAC;IACX,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAChC,SAAS,EAAE,IAAI,CAAC;CACjB;AAED,MAAM,WAAW,UAAU;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,OAAO,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,IAAI,CAAC;CACjB;AAED,MAAM,WAAW,UAAU;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,SAAS,EAAE,IAAI,CAAC;IAChB,IAAI,EAAE,WAAW,GAAG,aAAa,GAAG,mBAAmB,CAAC;IACxD,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,QAAQ,GAAG,UAAU,GAAG,gBAAgB,CAAC;IAC/C,YAAY,EAAE,MAAM,CAAC;IACrB,IAAI,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,GAAG,KAAK,GAAG,QAAQ,CAAC;IACrC,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,aAAa,EAAE,MAAM,CAAC;IACtB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,iBAAiB;IAChC,OAAO,EAAE,UAAU,GAAG,WAAW,GAAG,OAAO,GAAG,gBAAgB,GAAG,WAAW,CAAC;IAC7E,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAE5B,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAE5B,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,cAAc,CAAC,EAAE,MAAM,CAAC;IAExB,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,oBAAoB,CAAC,EAAE,MAAM,CAAC;CAC/B;AAED,MAAM,WAAW,WAAW;IAC1B,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,cAAc;IAC7B,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,cAAc;IAC7B,UAAU,EAAE,OAAO,CAAC;IACpB,YAAY,EAAE,KAAK,GAAG,QAAQ,GAAG,UAAU,CAAC;IAC5C,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,aAAa;IAC5B,WAAW,EAAE,iBAAiB,CAAC;IAC/B,KAAK,EAAE,WAAW,CAAC;IACnB,QAAQ,EAAE,cAAc,CAAC;IACzB,QAAQ,EAAE,cAAc,CAAC;CAC1B;AAED,MAAM,MAAM,iBAAiB,GAAG,UAAU,GAAG,WAAW,GAAG,OAAO,GAAG,gBAAgB,GAAG,WAAW,CAAC"}

package/dist/core/types.js

@@ -0,0 +1,11 @@
+/**
+ * Core types for aquaman credential isolation layer
+ *
+ * This module focuses on unique features NOT in OpenClaw:
+ * - Credential proxy via Unix domain socket
+ * - Enterprise backends (1Password, Vault)
+ * - Hash-chained tamper-evident audit logs
+ * - Dynamic service registry
+ */
+export {};
+//# sourceMappingURL=types.js.map

package/dist/core/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/core/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG"}

package/dist/core/utils/config.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Configuration loader and validator for aquaman
+ *
+ * Focused on credential isolation features:
+ * - Credential proxy settings
+ * - Enterprise backend configuration
+ * - Audit logging configuration
+ * - OpenClaw integration settings
+ */
+import type { WrapperConfig } from '../types.js';
+export declare function getConfigDir(): string;
+export declare function getConfigPath(): string;
+export declare function expandPath(p: string): string;
+export declare function getDefaultConfig(): WrapperConfig;
+export declare function loadConfig(): WrapperConfig;
+export declare function applyEnvOverrides(config: WrapperConfig): WrapperConfig;
+export declare function ensureConfigDir(): void;
+export declare function saveConfig(config: WrapperConfig): void;
+//# sourceMappingURL=config.d.ts.map

package/dist/core/utils/config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../../src/core/utils/config.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAMH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAKjD,wBAAgB,YAAY,IAAI,MAAM,CAErC;AAED,wBAAgB,aAAa,IAAI,MAAM,CAEtC;AAED,wBAAgB,UAAU,CAAC,CAAC,EAAE,MAAM,GAAG,MAAM,CAQ5C;AAED,wBAAgB,gBAAgB,IAAI,aAAa,CAmBhD;AAED,wBAAgB,UAAU,IAAI,aAAa,CAmB1C;AAED,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,aAAa,GAAG,aAAa,CAmCtE;AAiCD,wBAAgB,eAAe,IAAI,IAAI,CAKtC;AAED,wBAAgB,UAAU,CAAC,MAAM,EAAE,aAAa,GAAG,IAAI,CAItD"}

package/dist/core/utils/config.js

@@ -0,0 +1,136 @@
+/**
+ * Configuration loader and validator for aquaman
+ *
+ * Focused on credential isolation features:
+ * - Credential proxy settings
+ * - Enterprise backend configuration
+ * - Audit logging configuration
+ * - OpenClaw integration settings
+ */
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import * as os from 'node:os';
+import { parse as parseYaml, stringify as stringifyYaml } from 'yaml';
+const DEFAULT_CONFIG_DIR = path.join(os.homedir(), '.aquaman');
+const CONFIG_FILE = 'config.yaml';
+export function getConfigDir() {
+    return process.env['AQUAMAN_CONFIG_DIR'] || DEFAULT_CONFIG_DIR;
+}
+export function getConfigPath() {
+    return path.join(getConfigDir(), CONFIG_FILE);
+}
+export function expandPath(p) {
+    if (p.startsWith('~')) {
+        return path.join(os.homedir(), p.slice(1));
+    }
+    if (p.includes('${HOME}')) {
+        return p.replace('${HOME}', os.homedir());
+    }
+    return p;
+}
+export function getDefaultConfig() {
+    return {
+        credentials: {
+            backend: 'keychain',
+            proxiedServices: ['anthropic', 'openai', 'slack', 'discord', 'github'],
+            vaultMountPath: 'secret'
+        },
+        audit: {
+            enabled: true,
+            logDir: path.join(getConfigDir(), 'audit')
+        },
+        services: {
+            configPath: path.join(getConfigDir(), 'services.yaml')
+        },
+        openclaw: {
+            autoLaunch: true,
+            configMethod: 'env'
+        }
+    };
+}
+export function loadConfig() {
+    const configPath = getConfigPath();
+    const defaultConfig = getDefaultConfig();
+    let config;
+    if (!fs.existsSync(configPath)) {
+        config = defaultConfig;
+    }
+    else {
+        try {
+            const content = fs.readFileSync(configPath, 'utf-8');
+            const userConfig = parseYaml(content);
+            config = mergeConfig(defaultConfig, userConfig);
+        }
+        catch (error) {
+            console.error(`Warning: Failed to load config from ${configPath}, using defaults`);
+            config = defaultConfig;
+        }
+    }
+    return applyEnvOverrides(config);
+}
+export function applyEnvOverrides(config) {
+    const env = process.env;
+    if (env['AQUAMAN_BACKEND']) {
+        const b = env['AQUAMAN_BACKEND'];
+        if (['keychain', '1password', 'vault', 'encrypted-file', 'keepassxc'].includes(b)) {
+            config.credentials.backend = b;
+        }
+    }
+    if (env['AQUAMAN_SERVICES']) {
+        config.credentials.proxiedServices = env['AQUAMAN_SERVICES'].split(',').map(s => s.trim()).filter(Boolean);
+    }
+    if (env['AQUAMAN_ENCRYPTION_PASSWORD']) {
+        config.credentials.encryptionPassword = env['AQUAMAN_ENCRYPTION_PASSWORD'];
+    }
+    if (env['AQUAMAN_AUDIT_ENABLED']) {
+        config.audit.enabled = env['AQUAMAN_AUDIT_ENABLED'] === 'true';
+    }
+    if (env['VAULT_ADDR']) {
+        config.credentials.vaultAddress = env['VAULT_ADDR'];
+    }
+    if (env['VAULT_TOKEN']) {
+        config.credentials.vaultToken = env['VAULT_TOKEN'];
+    }
+    if (env['VAULT_NAMESPACE']) {
+        config.credentials.vaultNamespace = env['VAULT_NAMESPACE'];
+    }
+    return config;
+}
+function mergeConfig(base, override) {
+    // Deprecation: ignore encryptionPassword from YAML config (env-var only)
+    if (override.credentials && 'encryptionPassword' in override.credentials) {
+        console.warn('Warning: credentials.encryptionPassword in config.yaml is deprecated and ignored. Use AQUAMAN_ENCRYPTION_PASSWORD env var instead.');
+        const { encryptionPassword: _, ...restCreds } = override.credentials;
+        override = { ...override, credentials: restCreds };
+    }
+    return {
+        credentials: {
+            ...base.credentials,
+            ...override.credentials,
+        },
+        audit: {
+            ...base.audit,
+            ...override.audit
+        },
+        services: {
+            ...base.services,
+            ...override.services
+        },
+        openclaw: {
+            ...base.openclaw,
+            ...override.openclaw
+        }
+    };
+}
+export function ensureConfigDir() {
+    const configDir = getConfigDir();
+    if (!fs.existsSync(configDir)) {
+        fs.mkdirSync(configDir, { recursive: true });
+    }
+}
+export function saveConfig(config) {
+    ensureConfigDir();
+    const configPath = getConfigPath();
+    fs.writeFileSync(configPath, stringifyYaml(config), 'utf-8');
+}
+//# sourceMappingURL=config.js.map

package/dist/core/utils/config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../../../src/core/utils/config.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,EAAE,KAAK,IAAI,SAAS,EAAE,SAAS,IAAI,aAAa,EAAE,MAAM,MAAM,CAAC;AAGtE,MAAM,kBAAkB,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,UAAU,CAAC,CAAC;AAC/D,MAAM,WAAW,GAAG,aAAa,CAAC;AAElC,MAAM,UAAU,YAAY;IAC1B,OAAO,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,IAAI,kBAAkB,CAAC;AACjE,CAAC;AAED,MAAM,UAAU,aAAa;IAC3B,OAAO,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,EAAE,WAAW,CAAC,CAAC;AAChD,CAAC;AAED,MAAM,UAAU,UAAU,CAAC,CAAS;IAClC,IAAI,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QACtB,OAAO,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IAC7C,CAAC;IACD,IAAI,CAAC,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;QAC1B,OAAO,CAAC,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC;IAC5C,CAAC;IACD,OAAO,CAAC,CAAC;AACX,CAAC;AAED,MAAM,UAAU,gBAAgB;IAC9B,OAAO;QACL,WAAW,EAAE;YACX,OAAO,EAAE,UAAU;YACnB,eAAe,EAAE,CAAC,WAAW,EAAE,QAAQ,EAAE,OAAO,EAAE,SAAS,EAAE,QAAQ,CAAC;YACtE,cAAc,EAAE,QAAQ;SACzB;QACD,KAAK,EAAE;YACL,OAAO,EAAE,IAAI;YACb,MAAM,EAAE,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,EAAE,OAAO,CAAC;SAC3C;QACD,QAAQ,EAAE;YACR,UAAU,EAAE,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,EAAE,eAAe,CAAC;SACvD;QACD,QAAQ,EAAE;YACR,UAAU,EAAE,IAAI;YAChB,YAAY,EAAE,KAAK;SACpB;KACF,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,UAAU;IACxB,MAAM,UAAU,GAAG,aAAa,EAAE,CAAC;IACnC,MAAM,aAAa,GAAG,gBAAgB,EAAE,CAAC;IAEzC,IAAI,MAAqB,CAAC;IAC1B,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC/B,MAAM,GAAG,aAAa,CAAC;IACzB,CAAC;SAAM,CAAC;QACN,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;YACrD,MAAM,UAAU,GAAG,SAAS,CAAC,OAAO,CAA2B,CAAC;YAChE,MAAM,GAAG,WAAW,CAAC,aAAa,EAAE,UAAU,CAAC,CAAC;QAClD,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CAAC,uCAAuC,UAAU,kBAAkB,CAAC,CAAC;YACnF,MAAM,GAAG,aAAa,CAAC;QACzB,CAAC;IACH,CAAC;IAED,OAAO,iBAAiB,CAAC,MAAM,CAAC,CAAC;AACnC,CAAC;AAED,MAAM,UAAU,iBAAiB,CAAC,MAAqB;IACrD,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC;IAExB,IAAI,GAAG,CAAC,iBAAiB,CAAC,EAAE,CAAC;QAC3B,MAAM,CAAC,GAAG,GAAG,CAAC,iBAAiB,CAA4C,CAAC;QAC5E,IAAI,CAAC,UAAU,EAAE,WAAW,EAAE,OAAO,EAAE,gBAAgB,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC;YAClF,MAAM,CAAC,WAAW,CAAC,OAAO,GAAG,CAAC,CAAC;QACjC,CAAC;IACH,CAAC;IAED,IAAI,GAAG,CAAC,kBAAkB,CAAC,EAAE,CAAC;QAC5B,MAAM,CAAC,WAAW,CAAC,eAAe,GAAG,GAAG,CAAC,kBAAkB,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAC7G,CAAC;IAED,IAAI,GAAG,CAAC,6BAA6B,CAAC,EAAE,CAAC;QACvC,MAAM,CAAC,WAAW,CAAC,kBAAkB,GAAG,GAAG,CAAC,6BAA6B,CAAC,CAAC;IAC7E,CAAC;IAED,IAAI,GAAG,CAAC,uBAAuB,CAAC,EAAE,CAAC;QACjC,MAAM,CAAC,KAAK,CAAC,OAAO,GAAG,GAAG,CAAC,uBAAuB,CAAC,KAAK,MAAM,CAAC;IACjE,CAAC;IAED,IAAI,GAAG,CAAC,YAAY,CAAC,EAAE,CAAC;QACtB,MAAM,CAAC,WAAW,CAAC,YAAY,GAAG,GAAG,CAAC,YAAY,CAAC,CAAC;IACtD,CAAC;IAED,IAAI,GAAG,CAAC,aAAa,CAAC,EAAE,CAAC;QACvB,MAAM,CAAC,WAAW,CAAC,UAAU,GAAG,GAAG,CAAC,aAAa,CAAC,CAAC;IACrD,CAAC;IAED,IAAI,GAAG,CAAC,iBAAiB,CAAC,EAAE,CAAC;QAC3B,MAAM,CAAC,WAAW,CAAC,cAAc,GAAG,GAAG,CAAC,iBAAiB,CAAC,CAAC;IAC7D,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,WAAW,CAClB,IAAmB,EACnB,QAAgC;IAEhC,yEAAyE;IACzE,IAAI,QAAQ,CAAC,WAAW,IAAI,oBAAoB,IAAI,QAAQ,CAAC,WAAW,EAAE,CAAC;QACzE,OAAO,CAAC,IAAI,CAAC,oIAAoI,CAAC,CAAC;QACnJ,MAAM,EAAE,kBAAkB,EAAE,CAAC,EAAE,GAAG,SAAS,EAAE,GAAG,QAAQ,CAAC,WAAW,CAAC;QACrE,QAAQ,GAAG,EAAE,GAAG,QAAQ,EAAE,WAAW,EAAE,SAAS,EAAE,CAAC;IACrD,CAAC;IAED,OAAO;QACL,WAAW,EAAE;YACX,GAAG,IAAI,CAAC,WAAW;YACnB,GAAG,QAAQ,CAAC,WAAW;SACxB;QACD,KAAK,EAAE;YACL,GAAG,IAAI,CAAC,KAAK;YACb,GAAG,QAAQ,CAAC,KAAK;SAClB;QACD,QAAQ,EAAE;YACR,GAAG,IAAI,CAAC,QAAQ;YAChB,GAAG,QAAQ,CAAC,QAAQ;SACrB;QACD,QAAQ,EAAE;YACR,GAAG,IAAI,CAAC,QAAQ;YAChB,GAAG,QAAQ,CAAC,QAAQ;SACrB;KACF,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,eAAe;IAC7B,MAAM,SAAS,GAAG,YAAY,EAAE,CAAC;IACjC,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QAC9B,EAAE,CAAC,SAAS,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC/C,CAAC;AACH,CAAC;AAED,MAAM,UAAU,UAAU,CAAC,MAAqB;IAC9C,eAAe,EAAE,CAAC;IAClB,MAAM,UAAU,GAAG,aAAa,EAAE,CAAC;IACnC,EAAE,CAAC,aAAa,CAAC,UAAU,EAAE,aAAa,CAAC,MAAM,CAAC,EAAE,OAAO,CAAC,CAAC;AAC/D,CAAC"}

package/dist/core/utils/hash.d.ts

@@ -0,0 +1,27 @@
+/**
+ * Cryptographic utilities for hash chains and integrity verification
+ */
+export declare function computeHash(data: string): string;
+export declare function computeChainedHash(data: string, previousHash: string): string;
+export declare function generateId(): string;
+export declare function generateNonce(): string;
+export interface SigningKeyPair {
+    publicKey: string;
+    privateKey: string;
+}
+export declare function generateSigningKeyPair(): SigningKeyPair;
+export declare function sign(data: string, privateKey: string): string;
+export declare function verify(data: string, signature: string, publicKey: string): boolean;
+export declare function encryptWithPassword(data: string, password: string): string;
+export declare function decryptWithPassword(encryptedData: string, password: string): string;
+export interface SelfSignedCert {
+    cert: string;
+    key: string;
+}
+/**
+ * Generate a self-signed TLS certificate.
+ * Prefers openssl CLI (correct DER encoding on all platforms),
+ * falls back to manual ASN.1 DER encoding if openssl is unavailable.
+ */
+export declare function generateSelfSignedCert(commonName: string, days?: number): SelfSignedCert;
+//# sourceMappingURL=hash.d.ts.map

package/dist/core/utils/hash.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"hash.d.ts","sourceRoot":"","sources":["../../../src/core/utils/hash.ts"],"names":[],"mappings":"AAAA;;GAEG;AAUH,wBAAgB,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAEhD;AAED,wBAAgB,kBAAkB,CAAC,IAAI,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,MAAM,CAE7E;AAED,wBAAgB,UAAU,IAAI,MAAM,CAEnC;AAED,wBAAgB,aAAa,IAAI,MAAM,CAEtC;AAED,MAAM,WAAW,cAAc;IAC7B,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,wBAAgB,sBAAsB,IAAI,cAAc,CAMvD;AAED,wBAAgB,IAAI,CAAC,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,MAAM,CAG7D;AAED,wBAAgB,MAAM,CAAC,IAAI,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAWlF;AAED,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,MAAM,CAgB1E;AAED,wBAAgB,mBAAmB,CAAC,aAAa,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,MAAM,CAmBnF;AAED,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,GAAG,EAAE,MAAM,CAAC;CACb;AAED;;;;GAIG;AACH,wBAAgB,sBAAsB,CAAC,UAAU,EAAE,MAAM,EAAE,IAAI,SAAM,GAAG,cAAc,CA+BrF"}