botinabox 0.1.1 → 0.2.1

package/CHANGELOG.md

@@ -0,0 +1,35 @@
+# Changelog
+
+All notable changes to `botinabox` are documented here.
+
+Format: [Keep a Changelog](https://keepachangelog.com/en/1.1.0/). Versioning: [SemVer](https://semver.org/).
+
+---
+
+## [0.2.0] — 2026-04-03
+
+### Added
+
+- **Users primitive** — `users` and `user_identities` core tables. Users are protected objects (never auto-rendered into other entities' context). `UserRegistry` class: `register()`, `getById()`, `getByEmail()`, `resolveByIdentity()`, `resolveOrCreate()`, `addIdentity()`.
+- **Secrets primitive** — `secrets` core table for encrypted credential storage. Protected by default. `SecretStore` class: `set()`, `get()`, `getMeta()`, `list()`, `rotate()`, `delete()`.
+- **Message pipeline user resolution** — `MessagePipeline` accepts optional `UserRegistry`. When provided, resolves `InboundMessage.from` to a user ID via `resolveOrCreate()` before task creation. `InboundMessage.userId` field added.
+- **`user_id` on messages table** — Tracks resolved user alongside raw `peer_id`.
+- **Protected/encrypted passthrough** — `EntityContextDef` now supports `protected` and `encrypted` fields, passed through to Lattice's entity context system.
+
+### Changed
+
+- Core table count: 15 → 18 (added `users`, `user_identities`, `secrets`).
+- `messages` table gains `user_id` column.
+
+## [0.1.1] — 2026-03-28
+
+### Fixed
+
+- Initial release bug fixes and stability improvements.
+
+## [0.1.0] — 2026-03-25
+
+### Added
+
+- Initial release: DataStore, HookBus, AgentRegistry, TaskQueue, RunManager, WakeupQueue, BudgetController, WorkflowEngine, SessionManager, ChannelRegistry, MessagePipeline.
+- 15 core tables, LLM provider routing, channel adapters (Slack, Discord, Webhook).

package/README.md

@@ -11,6 +11,7 @@ A modular TypeScript framework for building multi-agent bots with LLM orchestrat
 - **SQLite data layer** — Schema-driven tables, migrations, entity context rendering, and query builder. WAL mode for concurrent reads.
 - **Event-driven hooks** — Priority-ordered, filter-based event bus for decoupled inter-layer communication.
 - **Budget controls** — Per-agent and global cost tracking with warning thresholds and hard stops.
+- **Protected primitives** — Users and secrets are first-class, privacy-isolated objects. User identity resolution across channels. Secrets with optional AES-256-GCM at-rest encryption.
 - **Security** — Input sanitization, field length enforcement, audit logging, and HMAC webhook verification.
 - **Self-updating** — Built-in update checker with configurable policies and maintenance windows.
 

package/dist/{channel-m9f7MFD7.d.ts → channel-06G0vbIn.d.ts}

@@ -21,6 +21,7 @@ interface InboundMessage {
     channel: string;
     account?: string;
     from: string;
+    userId?: string;
     body: string;
     threadId?: string;
     replyToId?: string;

package/dist/channels/discord/index.d.ts

@@ -1,4 +1,4 @@
-import { C as ChannelAdapter, c as ChannelMeta, a as ChannelCapabilities, I as InboundMessage, b as ChannelConfig, H as HealthStatus, O as OutboundPayload, S as SendResult } from '../../channel-m9f7MFD7.js';
+import { C as ChannelAdapter, c as ChannelMeta, a as ChannelCapabilities, I as InboundMessage, b as ChannelConfig, H as HealthStatus, O as OutboundPayload, S as SendResult } from '../../channel-06G0vbIn.js';
 
 /**
  * DiscordAdapter — ChannelAdapter implementation for Discord.

package/dist/channels/slack/index.d.ts

@@ -1,4 +1,4 @@
-import { C as ChannelAdapter, c as ChannelMeta, a as ChannelCapabilities, I as InboundMessage, b as ChannelConfig, H as HealthStatus, O as OutboundPayload, S as SendResult } from '../../channel-m9f7MFD7.js';
+import { C as ChannelAdapter, c as ChannelMeta, a as ChannelCapabilities, I as InboundMessage, b as ChannelConfig, H as HealthStatus, O as OutboundPayload, S as SendResult } from '../../channel-06G0vbIn.js';
 
 /**
  * SlackAdapter — ChannelAdapter implementation for Slack.

package/dist/channels/webhook/index.d.ts

@@ -1,4 +1,4 @@
-import { C as ChannelAdapter, c as ChannelMeta, a as ChannelCapabilities, I as InboundMessage, b as ChannelConfig, H as HealthStatus, O as OutboundPayload, S as SendResult } from '../../channel-m9f7MFD7.js';
+import { C as ChannelAdapter, c as ChannelMeta, a as ChannelCapabilities, I as InboundMessage, b as ChannelConfig, H as HealthStatus, O as OutboundPayload, S as SendResult } from '../../channel-06G0vbIn.js';
 
 /**
  * WebhookAdapter — ChannelAdapter implementation for webhook-based channels.

package/dist/index.d.ts

@@ -1,5 +1,5 @@
-import { C as ChannelAdapter, H as HealthStatus, I as InboundMessage } from './channel-m9f7MFD7.js';
-export { A as Attachment, a as ChannelCapabilities, b as ChannelConfig, c as ChannelMeta, d as ChatType, F as FormattingMode, O as OutboundPayload, S as SendResult } from './channel-m9f7MFD7.js';
+import { C as ChannelAdapter, H as HealthStatus, I as InboundMessage } from './channel-06G0vbIn.js';
+export { A as Attachment, a as ChannelCapabilities, b as ChannelConfig, c as ChannelMeta, d as ChatType, F as FormattingMode, O as OutboundPayload, S as SendResult } from './channel-06G0vbIn.js';
 import { T as TokenUsage, L as LLMProvider, M as ModelInfo, R as ResolvedModel, C as ChatMessage } from './provider-qqJYv9nv.js';
 export { a as ChatParams, b as ChatResult, c as ContentBlock, d as ToolDefinition, e as ToolUse } from './provider-qqJYv9nv.js';
 import * as better_sqlite3 from 'better-sqlite3';
@@ -518,6 +518,12 @@ interface EntityContextDef {
     files: Record<string, EntityFileSpec>;
     indexFile?: string;
     protectedFiles?: string[];
+    /** When true, this entity's data is never rendered into other entities' context files. */
+    protected?: boolean;
+    /** Enable at-rest encryption. Requires encryptionKey in Lattice options. */
+    encrypted?: boolean | {
+        columns: string[];
+    };
 }
 interface EntityFileSpec {
     source: EntitySource;
@@ -741,6 +747,52 @@ declare class TaskQueue {
     private poll;
 }
 
+interface UserInput {
+    id?: string;
+    org_id?: string;
+    name: string;
+    email?: string;
+    role?: string;
+    title?: string;
+    external_id?: string;
+    channel?: string;
+    timezone?: string;
+    preferences?: string;
+    notes?: string;
+}
+interface User {
+    id: string;
+    org_id: string | null;
+    name: string;
+    email: string | null;
+    role: string | null;
+    title: string | null;
+    external_id: string | null;
+    channel: string | null;
+    timezone: string | null;
+    preferences: string;
+    notes: string | null;
+    created_at: string;
+    updated_at: string;
+    deleted_at: string | null;
+}
+declare class UserRegistry {
+    private readonly db;
+    private readonly hooks;
+    constructor(db: DataStore, hooks: HookBus);
+    register(input: UserInput): Promise<User>;
+    getById(id: string): Promise<User | null>;
+    getByEmail(email: string): Promise<User | null>;
+    resolveByIdentity(channel: string, externalId: string): Promise<User | null>;
+    resolveOrCreate(externalId: string, channel: string, defaults?: Partial<UserInput>): Promise<User>;
+    list(filter?: {
+        role?: string;
+        org_id?: string;
+    }): Promise<User[]>;
+    update(id: string, changes: Partial<UserInput>): Promise<void>;
+    addIdentity(userId: string, channel: string, externalId: string, displayName?: string): Promise<void>;
+}
+
 /**
  * MessagePipeline — routes inbound messages to the task queue.
  * Story 4.2
@@ -752,7 +804,8 @@ declare class MessagePipeline {
     private readonly taskQueue;
     private readonly config;
     private readonly agentBindings;
-    constructor(hooks: HookBus, agentRegistry: AgentRegistry, taskQueue: TaskQueue, config: BotConfig);
+    private readonly userRegistry?;
+    constructor(hooks: HookBus, agentRegistry: AgentRegistry, taskQueue: TaskQueue, config: BotConfig, userRegistry?: UserRegistry);
     /**
      * Process an inbound message end-to-end.
      * 1. Emit 'message.inbound'
@@ -906,7 +959,7 @@ declare function chunkText(text: string, maxLen: number): string[];
 declare function formatText(text: string, mode: "mrkdwn" | "html" | "plain"): string;
 
 /**
- * Define all 15 core tables on a DataStore instance.
+ * Define all 18 core tables on a DataStore instance.
  * Call before db.init().
  */
 declare function defineCoreTables(db: DataStore): void;
@@ -1265,4 +1318,43 @@ declare class CliExecutionAdapter {
     }>;
 }
 
-export { AGENT_STATUSES, type AgentConfig, type AgentDefinition, type AgentFilter, type AgentRecord, AgentRegistry, type AgentStatus, ApiExecutionAdapter, AuditEmitter, type AuditEvent, BackupManager, type BotConfig, type BudgetCheck, type BudgetConfig, BudgetController, CORE_MIGRATIONS, ChannelAdapter, ChannelRegistry, ChannelRegistryError, ChatMessage, ChatSessionManager, CliExecutionAdapter, type ColumnValidator, ColumnValidatorImpl, type ConfigLoadError, type ConfigLoadResult, DEFAULTS, DEFAULT_CONFIG, type DataConfig, DataStore, DataStoreError, EVENTS, type EntityColumnDef, type EntityConfig, type EntityContextDef, type EntityFileSpec, type EntitySource, type ExecutionAdapter, type Filter, HealthStatus, HeartbeatScheduler, HookBus, type HookHandler, type HookOptions, type HookRegistration, InboundMessage, LLMProvider, MAX_CHAIN_DEPTH, MessagePipeline, type ModelConfig, ModelInfo, ModelRouter, NdjsonLogger, NotificationQueue, type PackageMigration, type PackageUpdate, type PkLookup, ProviderRegistry, type QueryOptions, RUN_STATUSES, type RelationDef, type RenderConfig, ResolvedModel, type RetryPolicy, type Row, type RunContext, RunManager, type RunResult, type RunStatus, type SanitizerOptions, type SchemaError, type SecurityConfig, type SeedItem, SessionKey, SessionManager, type SqliteAdapter, type StepRef, TASK_STATUSES, type TableDefinition, type TableInfoRow, type TaskDefinition, TaskQueue, type TaskRecord, type TaskStatus, TokenUsage, type Unsubscribe, UpdateChecker, type UpdateConfig, UpdateManager, type UpdateManifest, WakeupQueue, type WorkflowConfigEntry, type WorkflowDefinition$1 as WorkflowDefinition, WorkflowEngine, type WorkflowRunRecord, type WorkflowRunStatus, type WorkflowStep$1 as WorkflowStep, type WorkflowStepConfig, type WorkflowTrigger, _resetConfig, areDependenciesMet, buildAgentBindings, buildChainOrigin, checkAllowlist, checkChainDepth, checkMentionGate, chunkText, classifyUpdate, compareVersions, createConfigRevision, defineCoreTables, detectCycle, discoverChannels, discoverProviders, formatText, getConfig, initConfig, interpolate, interpolateEnv, loadConfig, parseVersion, runPackageMigrations, sanitize, topologicalSort, validateConfig };
+interface SecretInput {
+    name: string;
+    type?: string;
+    environment?: string;
+    value?: string;
+    location?: string;
+    description?: string;
+    rotation_schedule?: string;
+    expires_at?: string;
+    notes?: string;
+    org_id?: string;
+}
+interface SecretMeta {
+    id: string;
+    org_id: string | null;
+    name: string;
+    type: string;
+    environment: string;
+    location: string | null;
+    description: string | null;
+    rotation_schedule: string | null;
+    expires_at: string | null;
+    notes: string | null;
+    created_at: string;
+    updated_at: string;
+}
+declare class SecretStore {
+    private readonly db;
+    private readonly hooks;
+    constructor(db: DataStore, hooks: HookBus);
+    set(input: SecretInput): Promise<SecretMeta>;
+    get(name: string, environment?: string): Promise<string | null>;
+    getMeta(name: string, environment?: string): Promise<SecretMeta | null>;
+    list(): Promise<SecretMeta[]>;
+    rotate(name: string, newValue: string, environment?: string): Promise<void>;
+    delete(name: string, environment?: string): Promise<void>;
+    private _toMeta;
+}
+
+export { AGENT_STATUSES, type AgentConfig, type AgentDefinition, type AgentFilter, type AgentRecord, AgentRegistry, type AgentStatus, ApiExecutionAdapter, AuditEmitter, type AuditEvent, BackupManager, type BotConfig, type BudgetCheck, type BudgetConfig, BudgetController, CORE_MIGRATIONS, ChannelAdapter, ChannelRegistry, ChannelRegistryError, ChatMessage, ChatSessionManager, CliExecutionAdapter, type ColumnValidator, ColumnValidatorImpl, type ConfigLoadError, type ConfigLoadResult, DEFAULTS, DEFAULT_CONFIG, type DataConfig, DataStore, DataStoreError, EVENTS, type EntityColumnDef, type EntityConfig, type EntityContextDef, type EntityFileSpec, type EntitySource, type ExecutionAdapter, type Filter, HealthStatus, HeartbeatScheduler, HookBus, type HookHandler, type HookOptions, type HookRegistration, InboundMessage, LLMProvider, MAX_CHAIN_DEPTH, MessagePipeline, type ModelConfig, ModelInfo, ModelRouter, NdjsonLogger, NotificationQueue, type PackageMigration, type PackageUpdate, type PkLookup, ProviderRegistry, type QueryOptions, RUN_STATUSES, type RelationDef, type RenderConfig, ResolvedModel, type RetryPolicy, type Row, type RunContext, RunManager, type RunResult, type RunStatus, type SanitizerOptions, type SchemaError, type SecretInput, type SecretMeta, SecretStore, type SecurityConfig, type SeedItem, SessionKey, SessionManager, type SqliteAdapter, type StepRef, TASK_STATUSES, type TableDefinition, type TableInfoRow, type TaskDefinition, TaskQueue, type TaskRecord, type TaskStatus, TokenUsage, type Unsubscribe, UpdateChecker, type UpdateConfig, UpdateManager, type UpdateManifest, type User, type UserInput, UserRegistry, WakeupQueue, type WorkflowConfigEntry, type WorkflowDefinition$1 as WorkflowDefinition, WorkflowEngine, type WorkflowRunRecord, type WorkflowRunStatus, type WorkflowStep$1 as WorkflowStep, type WorkflowStepConfig, type WorkflowTrigger, _resetConfig, areDependenciesMet, buildAgentBindings, buildChainOrigin, checkAllowlist, checkChainDepth, checkMentionGate, chunkText, classifyUpdate, compareVersions, createConfigRevision, defineCoreTables, detectCycle, discoverChannels, discoverProviders, formatText, getConfig, initConfig, interpolate, interpolateEnv, loadConfig, parseVersion, runPackageMigrations, sanitize, topologicalSort, validateConfig };

package/dist/index.js

@@ -686,18 +686,20 @@ function checkMentionGate(msg, botId) {
 
 // src/core/chat/pipeline.ts
 var MessagePipeline = class {
-  constructor(hooks, agentRegistry, taskQueue, config) {
+  constructor(hooks, agentRegistry, taskQueue, config, userRegistry) {
     this.hooks = hooks;
     this.agentRegistry = agentRegistry;
     this.taskQueue = taskQueue;
     this.config = config;
     this.agentBindings = buildAgentBindings(config.agents);
+    this.userRegistry = userRegistry;
   }
   hooks;
   agentRegistry;
   taskQueue;
   config;
   agentBindings;
+  userRegistry;
   /**
    * Process an inbound message end-to-end.
    * 1. Emit 'message.inbound'
@@ -708,6 +710,10 @@ var MessagePipeline = class {
    */
   async processInbound(msg) {
     await this.hooks.emit("message.inbound", { message: msg, channel: msg.channel });
+    if (this.userRegistry && !msg.userId) {
+      const user = await this.userRegistry.resolveOrCreate(msg.from, msg.channel);
+      msg.userId = user.id;
+    }
     const agentId = this.resolveAgent(msg);
     if (agentId !== void 0) {
       const allowed = this.evaluatePolicy(msg, agentId);
@@ -716,14 +722,15 @@ var MessagePipeline = class {
           title: `Message from ${msg.from} on ${msg.channel}`,
           description: msg.body,
           assignee_id: agentId,
-          context: JSON.stringify({ message: msg })
+          context: JSON.stringify({ message: msg, userId: msg.userId })
         });
       }
     }
     await this.hooks.emit("message.processed", {
       message: msg,
       channel: msg.channel,
-      agentId: agentId ?? null
+      agentId: agentId ?? null,
+      userId: msg.userId ?? null
     });
   }
   /**
@@ -1123,10 +1130,16 @@ var DataStore = class {
    */
   defineEntityContext(name, def) {
     this.lattice.defineEntityContext(name, {
-      slug: (row) => row[def.slugColumn],
+      slug: (row) => {
+        const val = row[def.slugColumn];
+        if (val == null) return String(row.id ?? row.name ?? "unknown");
+        return String(val);
+      },
       directoryRoot: def.directory,
       files: def.files,
       protectedFiles: def.protectedFiles,
+      protected: def.protected,
+      encrypted: def.encrypted,
       index: def.indexFile ? { outputFile: def.indexFile, render: (rows) => "" } : void 0
     });
   }
@@ -1338,6 +1351,7 @@ function defineCoreTables(db) {
       agent_id: "TEXT NOT NULL",
       channel: "TEXT NOT NULL",
       peer_id: "TEXT NOT NULL",
+      user_id: "TEXT",
       last_message_at: "TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP",
       message_count: "INTEGER NOT NULL DEFAULT 0",
       context: "TEXT NOT NULL DEFAULT '{}'",
@@ -1478,6 +1492,64 @@ function defineCoreTables(db) {
       rolled_back_at: "TEXT"
     }
   });
+  db.define("users", {
+    columns: {
+      id: "TEXT PRIMARY KEY",
+      org_id: "TEXT",
+      name: "TEXT NOT NULL",
+      email: "TEXT",
+      role: "TEXT",
+      title: "TEXT",
+      external_id: "TEXT",
+      channel: "TEXT",
+      timezone: "TEXT",
+      preferences: "TEXT NOT NULL DEFAULT '{}'",
+      notes: "TEXT",
+      created_at: "TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP",
+      updated_at: "TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP",
+      deleted_at: "TEXT"
+    },
+    tableConstraints: [
+      "CREATE UNIQUE INDEX IF NOT EXISTS idx_users_email ON users(email) WHERE email IS NOT NULL AND deleted_at IS NULL",
+      "CREATE INDEX IF NOT EXISTS idx_users_external_id ON users(external_id) WHERE deleted_at IS NULL"
+    ]
+  });
+  db.define("user_identities", {
+    columns: {
+      id: "TEXT PRIMARY KEY",
+      user_id: "TEXT NOT NULL",
+      channel: "TEXT NOT NULL",
+      external_id: "TEXT NOT NULL",
+      display_name: "TEXT",
+      verified: "INTEGER NOT NULL DEFAULT 0",
+      created_at: "TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP"
+    },
+    tableConstraints: [
+      "CREATE UNIQUE INDEX IF NOT EXISTS idx_user_identities_channel_ext ON user_identities(channel, external_id)",
+      "FOREIGN KEY (user_id) REFERENCES users(id)"
+    ]
+  });
+  db.define("secrets", {
+    columns: {
+      id: "TEXT PRIMARY KEY",
+      org_id: "TEXT",
+      name: "TEXT NOT NULL",
+      type: "TEXT NOT NULL DEFAULT 'api_key'",
+      environment: "TEXT NOT NULL DEFAULT 'production'",
+      value: "TEXT",
+      location: "TEXT",
+      description: "TEXT",
+      rotation_schedule: "TEXT",
+      expires_at: "TEXT",
+      notes: "TEXT",
+      created_at: "TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP",
+      updated_at: "TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP",
+      deleted_at: "TEXT"
+    },
+    tableConstraints: [
+      "CREATE UNIQUE INDEX IF NOT EXISTS idx_secrets_name_env ON secrets(name, environment, org_id) WHERE deleted_at IS NULL"
+    ]
+  });
 }
 
 // src/core/data/core-migrations.ts
@@ -2900,6 +2972,164 @@ var CliExecutionAdapter = class {
     return { output, exitCode };
   }
 };
+
+// src/core/orchestrator/user-registry.ts
+import { v4 as uuidv4 } from "uuid";
+var UserRegistry = class {
+  db;
+  hooks;
+  constructor(db, hooks) {
+    this.db = db;
+    this.hooks = hooks;
+  }
+  async register(input) {
+    const id = input.id ?? uuidv4();
+    await this.db.insert("users", { ...input, id });
+    const user = await this.db.get("users", id);
+    await this.hooks.emit("user.created", { user });
+    return user;
+  }
+  async getById(id) {
+    const row = await this.db.get("users", id);
+    return row ?? null;
+  }
+  async getByEmail(email) {
+    const rows = await this.db.query("users", {
+      where: { email },
+      filters: [{ col: "deleted_at", op: "isNull" }],
+      limit: 1
+    });
+    return rows.length > 0 ? rows[0] : null;
+  }
+  async resolveByIdentity(channel, externalId) {
+    const identities = await this.db.query("user_identities", {
+      where: { channel, external_id: externalId },
+      limit: 1
+    });
+    if (identities.length === 0) return null;
+    return this.getById(identities[0].user_id);
+  }
+  async resolveOrCreate(externalId, channel, defaults) {
+    const existing = await this.resolveByIdentity(channel, externalId);
+    if (existing) return existing;
+    const user = await this.register({
+      name: defaults?.name ?? externalId,
+      external_id: externalId,
+      channel,
+      ...defaults
+    });
+    await this.addIdentity(user.id, channel, externalId);
+    return user;
+  }
+  async list(filter) {
+    const where = {};
+    const filters = [{ col: "deleted_at", op: "isNull" }];
+    if (filter?.role) where.role = filter.role;
+    if (filter?.org_id) where.org_id = filter.org_id;
+    const rows = await this.db.query("users", { where, filters });
+    return rows;
+  }
+  async update(id, changes) {
+    await this.db.update("users", id, {
+      ...changes,
+      updated_at: (/* @__PURE__ */ new Date()).toISOString()
+    });
+  }
+  async addIdentity(userId, channel, externalId, displayName) {
+    await this.db.insert("user_identities", {
+      id: uuidv4(),
+      user_id: userId,
+      channel,
+      external_id: externalId,
+      display_name: displayName ?? null,
+      verified: 0
+    });
+  }
+};
+
+// src/core/orchestrator/secret-store.ts
+import { v4 as uuidv42 } from "uuid";
+var SecretStore = class {
+  db;
+  hooks;
+  constructor(db, hooks) {
+    this.db = db;
+    this.hooks = hooks;
+  }
+  async set(input) {
+    const id = uuidv42();
+    await this.db.insert("secrets", { ...input, id });
+    await this.hooks.emit("secret.created", { name: input.name });
+    const row = await this.db.get("secrets", id);
+    return this._toMeta(row);
+  }
+  async get(name, environment = "production") {
+    const rows = await this.db.query("secrets", {
+      where: { name, environment },
+      filters: [{ col: "deleted_at", op: "isNull" }],
+      limit: 1
+    });
+    if (rows.length === 0) return null;
+    await this.hooks.emit("secret.accessed", { name, environment });
+    return rows[0].value ?? null;
+  }
+  async getMeta(name, environment = "production") {
+    const rows = await this.db.query("secrets", {
+      where: { name, environment },
+      filters: [{ col: "deleted_at", op: "isNull" }],
+      limit: 1
+    });
+    return rows.length > 0 ? this._toMeta(rows[0]) : null;
+  }
+  async list() {
+    const rows = await this.db.query("secrets", {
+      filters: [{ col: "deleted_at", op: "isNull" }],
+      orderBy: "name"
+    });
+    return rows.map((r) => this._toMeta(r));
+  }
+  async rotate(name, newValue, environment = "production") {
+    const rows = await this.db.query("secrets", {
+      where: { name, environment },
+      filters: [{ col: "deleted_at", op: "isNull" }],
+      limit: 1
+    });
+    if (rows.length === 0) throw new Error(`Secret "${name}" not found`);
+    await this.db.update("secrets", rows[0].id, {
+      value: newValue,
+      updated_at: (/* @__PURE__ */ new Date()).toISOString()
+    });
+    await this.hooks.emit("secret.rotated", { name, environment });
+  }
+  async delete(name, environment = "production") {
+    const rows = await this.db.query("secrets", {
+      where: { name, environment },
+      filters: [{ col: "deleted_at", op: "isNull" }],
+      limit: 1
+    });
+    if (rows.length === 0) return;
+    await this.db.update("secrets", rows[0].id, {
+      deleted_at: (/* @__PURE__ */ new Date()).toISOString()
+    });
+    await this.hooks.emit("secret.deleted", { name, environment });
+  }
+  _toMeta(row) {
+    return {
+      id: row.id,
+      org_id: row.org_id ?? null,
+      name: row.name,
+      type: row.type,
+      environment: row.environment,
+      location: row.location ?? null,
+      description: row.description ?? null,
+      rotation_schedule: row.rotation_schedule ?? null,
+      expires_at: row.expires_at ?? null,
+      notes: row.notes ?? null,
+      created_at: row.created_at,
+      updated_at: row.updated_at
+    };
+  }
+};
 export {
   AGENT_STATUSES,
   AgentRegistry,
@@ -2928,12 +3158,14 @@ export {
   ProviderRegistry,
   RUN_STATUSES,
   RunManager,
+  SecretStore,
   SessionKey,
   SessionManager,
   TASK_STATUSES,
   TaskQueue,
   UpdateChecker,
   UpdateManager,
+  UserRegistry,
   WakeupQueue,
   WorkflowEngine,
   _resetConfig,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "botinabox",
-  "version": "0.1.1",
+  "version": "0.2.1",
   "description": "Bot in a Box — framework for building multi-agent bots",
   "type": "module",
   "main": "./dist/index.js",
@@ -44,8 +44,10 @@
     "typecheck": "tsc --noEmit"
   },
   "dependencies": {
+    "@types/uuid": "^10.0.0",
     "ajv": "^8.17.1",
-    "latticesql": "^0.17.1",
+    "latticesql": "^0.18.0",
+    "uuid": "^13.0.0",
     "yaml": "^2.7.0"
   },
   "peerDependencies": {