cloudvault-mcp 1.0.0

package/dist/index.d.ts

@@ -0,0 +1,7 @@
+#!/usr/bin/env node
+/**
+ * CloudVault MCP — Cloud infrastructure analysis server.
+ * Phase 1: AWS inventory — compute, databases, storage, secrets.
+ */
+export {};
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AACA;;;GAGG"}

package/dist/index.js

@@ -0,0 +1,51 @@
+#!/usr/bin/env node
+/**
+ * CloudVault MCP — Cloud infrastructure analysis server.
+ * Phase 1: AWS inventory — compute, databases, storage, secrets.
+ */
+import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
+import { z } from 'zod';
+import { list_instances } from './tools/list_instances.js';
+import { list_databases } from './tools/list_databases.js';
+import { list_storage } from './tools/list_storage.js';
+import { get_secrets } from './tools/get_secrets.js';
+const server = new McpServer({
+    name: 'cloudvault-mcp',
+    version: '1.0.0',
+});
+// list_instances
+server.tool('list_instances', 'List compute instances with state, type, IP, region, and cost estimate.', {
+    provider: z.enum(['aws', 'gcp', 'azure']).describe('Cloud provider'),
+    region: z.string().optional().describe('Filter by region (e.g., us-east-1)'),
+    state: z.enum(['running', 'stopped', 'terminated', 'pending']).optional().describe('Filter by instance state'),
+    tags: z.record(z.string()).optional().describe('Filter by tag key/value pairs'),
+}, async (input) => {
+    return list_instances(input);
+});
+// list_databases
+server.tool('list_databases', 'List managed databases with engine, version, storage size, and backup status.', {
+    provider: z.enum(['aws', 'gcp', 'azure']).describe('Cloud provider'),
+    region: z.string().optional().describe('Filter by region'),
+    engine: z.string().optional().describe('Filter by database engine (e.g., postgres, mysql)'),
+}, async (input) => {
+    return list_databases(input);
+});
+// list_storage
+server.tool('list_storage', 'List storage buckets/containers with public access status and encryption info.', {
+    provider: z.enum(['aws', 'gcp', 'azure']).describe('Cloud provider'),
+    region: z.string().optional().describe('Filter by region'),
+}, async (input) => {
+    return list_storage(input);
+});
+// get_secrets
+server.tool('get_secrets', 'List secret names and metadata. SECURITY: Secret values are NEVER returned.', {
+    provider: z.enum(['aws', 'gcp', 'azure']).describe('Cloud provider'),
+    prefix: z.string().optional().describe('Filter secrets by name prefix (e.g., prod/)'),
+}, async (input) => {
+    return get_secrets(input);
+});
+// Start server
+const transport = new StdioServerTransport();
+await server.connect(transport);
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AACA;;;GAGG;AAEH,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AACpE,OAAO,EAAE,oBAAoB,EAAE,MAAM,2CAA2C,CAAC;AACjF,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,OAAO,EAAE,cAAc,EAAE,MAAM,2BAA2B,CAAC;AAC3D,OAAO,EAAE,cAAc,EAAE,MAAM,2BAA2B,CAAC;AAC3D,OAAO,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAC;AACvD,OAAO,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AAErD,MAAM,MAAM,GAAG,IAAI,SAAS,CAAC;IAC3B,IAAI,EAAE,gBAAgB;IACtB,OAAO,EAAE,OAAO;CACjB,CAAC,CAAC;AAEH,iBAAiB;AACjB,MAAM,CAAC,IAAI,CACT,gBAAgB,EAChB,yEAAyE,EACzE;IACE,QAAQ,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,KAAK,EAAE,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,gBAAgB,CAAC;IACpE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,oCAAoC,CAAC;IAC5E,KAAK,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,SAAS,EAAE,YAAY,EAAE,SAAS,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,0BAA0B,CAAC;IAC9G,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,+BAA+B,CAAC;CAChF,EACD,KAAK,EAAE,KAAK,EAAE,EAAE;IACd,OAAO,cAAc,CAAC,KAAK,CAAC,CAAC;AAC/B,CAAC,CACF,CAAC;AAEF,iBAAiB;AACjB,MAAM,CAAC,IAAI,CACT,gBAAgB,EAChB,+EAA+E,EAC/E;IACE,QAAQ,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,KAAK,EAAE,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,gBAAgB,CAAC;IACpE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,kBAAkB,CAAC;IAC1D,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,mDAAmD,CAAC;CAC5F,EACD,KAAK,EAAE,KAAK,EAAE,EAAE;IACd,OAAO,cAAc,CAAC,KAAK,CAAC,CAAC;AAC/B,CAAC,CACF,CAAC;AAEF,eAAe;AACf,MAAM,CAAC,IAAI,CACT,cAAc,EACd,gFAAgF,EAChF;IACE,QAAQ,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,KAAK,EAAE,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,gBAAgB,CAAC;IACpE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,kBAAkB,CAAC;CAC3D,EACD,KAAK,EAAE,KAAK,EAAE,EAAE;IACd,OAAO,YAAY,CAAC,KAAK,CAAC,CAAC;AAC7B,CAAC,CACF,CAAC;AAEF,cAAc;AACd,MAAM,CAAC,IAAI,CACT,aAAa,EACb,6EAA6E,EAC7E;IACE,QAAQ,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,KAAK,EAAE,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,gBAAgB,CAAC;IACpE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,6CAA6C,CAAC;CACtF,EACD,KAAK,EAAE,KAAK,EAAE,EAAE;IACd,OAAO,WAAW,CAAC,KAAK,CAAC,CAAC;AAC5B,CAAC,CACF,CAAC;AAEF,eAAe;AACf,MAAM,SAAS,GAAG,IAAI,oBAAoB,EAAE,CAAC;AAC7C,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC"}

package/dist/lib/audit.d.ts

@@ -0,0 +1,57 @@
+/**
+ * Audit trail module — SQLite-backed logging of all CloudVault tool calls.
+ * Stores to ~/.cloudvault/audit.db by default.
+ * 90-day retention with automatic cleanup on init.
+ */
+export interface AuditLogEntry {
+    tool_name: string;
+    input_summary: string;
+    result_summary: string;
+    success: boolean;
+    duration_ms?: number;
+}
+export interface AuditRow {
+    id: number;
+    created_at: string;
+    tool_name: string;
+    input_summary: string;
+    result_summary: string;
+    success: number;
+    duration_ms: number | null;
+}
+export interface AuditQueryOptions {
+    timeframe?: '1d' | '7d' | '30d';
+    tool_name?: string;
+    limit?: number;
+}
+/**
+ * Return the shared AuditLog singleton, creating it on first call (lazy init).
+ * Callers should use this instead of `new AuditLog()` to avoid opening a new
+ * SQLite connection per tool invocation.
+ */
+export declare function getAuditLog(): AuditLog;
+/**
+ * Reset the singleton — intended for test isolation only.
+ * Closes the existing connection (if any) and clears the cached instance.
+ */
+export declare function resetAuditLogSingleton(): void;
+export declare class AuditLog {
+    private readonly db;
+    constructor(dbPath?: string);
+    private defaultPath;
+    private init;
+    /**
+     * Sanitize input record — redact any values whose key looks like a secret.
+     * Values are truncated to 200 chars to keep audit.db small.
+     */
+    sanitize(input: Record<string, unknown>): string;
+    log(entry: AuditLogEntry): void;
+    query(opts?: AuditQueryOptions): AuditRow[];
+    /**
+     * Close the underlying SQLite connection.
+     * NOTE: Do not call this on the singleton returned by getAuditLog() — it will
+     * break subsequent log writes. This method is retained for test isolation only.
+     */
+    close(): void;
+}
+//# sourceMappingURL=audit.d.ts.map

package/dist/lib/audit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit.d.ts","sourceRoot":"","sources":["../../src/lib/audit.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAOH,MAAM,WAAW,aAAa;IAC5B,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,EAAE,MAAM,CAAC;IACtB,cAAc,EAAE,MAAM,CAAC;IACvB,OAAO,EAAE,OAAO,CAAC;IACjB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,QAAQ;IACvB,EAAE,EAAE,MAAM,CAAC;IACX,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,EAAE,MAAM,CAAC;IACtB,cAAc,EAAE,MAAM,CAAC;IACvB,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;CAC5B;AAED,MAAM,WAAW,iBAAiB;IAChC,SAAS,CAAC,EAAE,IAAI,GAAG,IAAI,GAAG,KAAK,CAAC;IAChC,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAgBD;;;;GAIG;AACH,wBAAgB,WAAW,IAAI,QAAQ,CAKtC;AAED;;;GAGG;AACH,wBAAgB,sBAAsB,IAAI,IAAI,CAS7C;AAED,qBAAa,QAAQ;IACnB,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAoB;gBAE3B,MAAM,CAAC,EAAE,MAAM;IAM3B,OAAO,CAAC,WAAW;IAMnB,OAAO,CAAC,IAAI;IAsBZ;;;OAGG;IACH,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM;IAehD,GAAG,CAAC,KAAK,EAAE,aAAa,GAAG,IAAI;IAe/B,KAAK,CAAC,IAAI,GAAE,iBAAsB,GAAG,QAAQ,EAAE;IA6B/C;;;;OAIG;IACH,KAAK,IAAI,IAAI;CAGd"}

package/dist/lib/audit.js

@@ -0,0 +1,136 @@
+/**
+ * Audit trail module — SQLite-backed logging of all CloudVault tool calls.
+ * Stores to ~/.cloudvault/audit.db by default.
+ * 90-day retention with automatic cleanup on init.
+ */
+import Database from 'better-sqlite3';
+import { homedir } from 'os';
+import { mkdirSync } from 'fs';
+import { join } from 'path';
+// Sensitive key patterns to redact from input summaries
+const SENSITIVE_PATTERNS = [
+    /token/i,
+    /password/i,
+    /secret/i,
+    /api_key/i,
+    /auth/i,
+    /credential/i,
+    /private/i,
+];
+// Module-level singleton — opened once, reused across all tool calls.
+let _instance = null;
+/**
+ * Return the shared AuditLog singleton, creating it on first call (lazy init).
+ * Callers should use this instead of `new AuditLog()` to avoid opening a new
+ * SQLite connection per tool invocation.
+ */
+export function getAuditLog() {
+    if (!_instance) {
+        _instance = new AuditLog();
+    }
+    return _instance;
+}
+/**
+ * Reset the singleton — intended for test isolation only.
+ * Closes the existing connection (if any) and clears the cached instance.
+ */
+export function resetAuditLogSingleton() {
+    if (_instance) {
+        try {
+            _instance.close();
+        }
+        catch {
+            // Ignore close errors during test teardown
+        }
+        _instance = null;
+    }
+}
+export class AuditLog {
+    db;
+    constructor(dbPath) {
+        const path = dbPath ?? this.defaultPath();
+        this.db = new Database(path);
+        this.init();
+    }
+    defaultPath() {
+        const dir = join(homedir(), '.cloudvault');
+        mkdirSync(dir, { recursive: true });
+        return join(dir, 'audit.db');
+    }
+    init() {
+        this.db.exec(`
+      CREATE TABLE IF NOT EXISTS audit_log (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        created_at TEXT DEFAULT (datetime('now')),
+        tool_name TEXT NOT NULL,
+        input_summary TEXT NOT NULL DEFAULT '',
+        result_summary TEXT NOT NULL DEFAULT '',
+        success INTEGER DEFAULT 1,
+        duration_ms INTEGER
+      );
+
+      CREATE INDEX IF NOT EXISTS idx_audit_created_at ON audit_log(created_at);
+      CREATE INDEX IF NOT EXISTS idx_audit_tool ON audit_log(tool_name);
+    `);
+        // 90-day cleanup on init
+        this.db.exec("DELETE FROM audit_log WHERE created_at < datetime('now', '-90 days')");
+    }
+    /**
+     * Sanitize input record — redact any values whose key looks like a secret.
+     * Values are truncated to 200 chars to keep audit.db small.
+     */
+    sanitize(input) {
+        const sanitized = {};
+        for (const [key, value] of Object.entries(input)) {
+            const isSensitive = SENSITIVE_PATTERNS.some((p) => p.test(key));
+            if (isSensitive) {
+                sanitized[key] = '[REDACTED]';
+            }
+            else if (typeof value === 'string' && value.length > 200) {
+                sanitized[key] = value.substring(0, 200) + '…';
+            }
+            else {
+                sanitized[key] = value;
+            }
+        }
+        return JSON.stringify(sanitized);
+    }
+    log(entry) {
+        const stmt = this.db.prepare(`
+      INSERT INTO audit_log (tool_name, input_summary, result_summary, success, duration_ms)
+      VALUES (?, ?, ?, ?, ?)
+    `);
+        stmt.run(entry.tool_name, entry.input_summary, entry.result_summary?.substring(0, 500) ?? '', entry.success ? 1 : 0, entry.duration_ms ?? null);
+    }
+    query(opts = {}) {
+        const conditions = [];
+        const params = [];
+        if (opts.timeframe) {
+            const days = opts.timeframe === '1d' ? 1 : opts.timeframe === '7d' ? 7 : 30;
+            conditions.push(`created_at >= datetime('now', '-${days} days')`);
+        }
+        if (opts.tool_name) {
+            conditions.push('tool_name = ?');
+            params.push(opts.tool_name);
+        }
+        const where = conditions.length > 0 ? `WHERE ${conditions.join(' AND ')}` : '';
+        const limit = opts.limit ?? 50;
+        const sql = `
+      SELECT id, created_at, tool_name, input_summary, result_summary, success, duration_ms
+      FROM audit_log
+      ${where}
+      ORDER BY created_at DESC
+      LIMIT ?
+    `;
+        return this.db.prepare(sql).all(...params, limit);
+    }
+    /**
+     * Close the underlying SQLite connection.
+     * NOTE: Do not call this on the singleton returned by getAuditLog() — it will
+     * break subsequent log writes. This method is retained for test isolation only.
+     */
+    close() {
+        this.db.close();
+    }
+}
+//# sourceMappingURL=audit.js.map

package/dist/lib/audit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit.js","sourceRoot":"","sources":["../../src/lib/audit.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,QAAQ,MAAM,gBAAgB,CAAC;AACtC,OAAO,EAAE,OAAO,EAAE,MAAM,IAAI,CAAC;AAC7B,OAAO,EAAE,SAAS,EAAE,MAAM,IAAI,CAAC;AAC/B,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AA0B5B,wDAAwD;AACxD,MAAM,kBAAkB,GAAG;IACzB,QAAQ;IACR,WAAW;IACX,SAAS;IACT,UAAU;IACV,OAAO;IACP,aAAa;IACb,UAAU;CACX,CAAC;AAEF,sEAAsE;AACtE,IAAI,SAAS,GAAoB,IAAI,CAAC;AAEtC;;;;GAIG;AACH,MAAM,UAAU,WAAW;IACzB,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,SAAS,GAAG,IAAI,QAAQ,EAAE,CAAC;IAC7B,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,sBAAsB;IACpC,IAAI,SAAS,EAAE,CAAC;QACd,IAAI,CAAC;YACH,SAAS,CAAC,KAAK,EAAE,CAAC;QACpB,CAAC;QAAC,MAAM,CAAC;YACP,2CAA2C;QAC7C,CAAC;QACD,SAAS,GAAG,IAAI,CAAC;IACnB,CAAC;AACH,CAAC;AAED,MAAM,OAAO,QAAQ;IACF,EAAE,CAAoB;IAEvC,YAAY,MAAe;QACzB,MAAM,IAAI,GAAG,MAAM,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;QAC1C,IAAI,CAAC,EAAE,GAAG,IAAI,QAAQ,CAAC,IAAI,CAAC,CAAC;QAC7B,IAAI,CAAC,IAAI,EAAE,CAAC;IACd,CAAC;IAEO,WAAW;QACjB,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,EAAE,EAAE,aAAa,CAAC,CAAC;QAC3C,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACpC,OAAO,IAAI,CAAC,GAAG,EAAE,UAAU,CAAC,CAAC;IAC/B,CAAC;IAEO,IAAI;QACV,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC;;;;;;;;;;;;;KAaZ,CAAC,CAAC;QAEH,yBAAyB;QACzB,IAAI,CAAC,EAAE,CAAC,IAAI,CACV,sEAAsE,CACvE,CAAC;IACJ,CAAC;IAED;;;OAGG;IACH,QAAQ,CAAC,KAA8B;QACrC,MAAM,SAAS,GAA4B,EAAE,CAAC;QAC9C,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;YACjD,MAAM,WAAW,GAAG,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;YAChE,IAAI,WAAW,EAAE,CAAC;gBAChB,SAAS,CAAC,GAAG,CAAC,GAAG,YAAY,CAAC;YAChC,CAAC;iBAAM,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;gBAC3D,SAAS,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC,GAAG,GAAG,CAAC;YACjD,CAAC;iBAAM,CAAC;gBACN,SAAS,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;YACzB,CAAC;QACH,CAAC;QACD,OAAO,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;IACnC,CAAC;IAED,GAAG,CAAC,KAAoB;QACtB,MAAM,IAAI,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC;;;KAG5B,CAAC,CAAC;QAEH,IAAI,CAAC,GAAG,CACN,KAAK,CAAC,SAAS,EACf,KAAK,CAAC,aAAa,EACnB,KAAK,CAAC,cAAc,EAAE,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC,IAAI,EAAE,EAC7C,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EACrB,KAAK,CAAC,WAAW,IAAI,IAAI,CAC1B,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,OAA0B,EAAE;QAChC,MAAM,UAAU,GAAa,EAAE,CAAC;QAChC,MAAM,MAAM,GAAc,EAAE,CAAC;QAE7B,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;YACnB,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,KAAK,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,KAAK,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YAC5E,UAAU,CAAC,IAAI,CAAC,mCAAmC,IAAI,SAAS,CAAC,CAAC;QACpE,CAAC;QAED,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;YACnB,UAAU,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;YACjC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QAC9B,CAAC;QAED,MAAM,KAAK,GACT,UAAU,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACnE,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,IAAI,EAAE,CAAC;QAE/B,MAAM,GAAG,GAAG;;;QAGR,KAAK;;;KAGR,CAAC;QAEF,OAAO,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,GAAG,MAAM,EAAE,KAAK,CAAe,CAAC;IAClE,CAAC;IAED;;;;OAIG;IACH,KAAK;QACH,IAAI,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;IAClB,CAAC;CACF"}

package/dist/lib/cost-estimates.d.ts

@@ -0,0 +1,16 @@
+/**
+ * Static monthly cost estimates for common AWS EC2 instance types.
+ * Values are approximate on-demand prices in USD cents (us-east-1).
+ * These are estimates only — actual costs vary by region, OS, and usage.
+ */
+/**
+ * Get the estimated monthly cost in USD cents for a given EC2 instance type.
+ * Returns undefined if the instance type is not in the lookup table.
+ */
+export declare function getInstanceCostEstimate(instanceType: string): number | undefined;
+/**
+ * Get a human-readable cost estimate string (e.g., "~$8/mo").
+ * Returns "unknown" if the type is not in the table.
+ */
+export declare function formatCostEstimate(instanceType: string): string;
+//# sourceMappingURL=cost-estimates.d.ts.map

package/dist/lib/cost-estimates.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cost-estimates.d.ts","sourceRoot":"","sources":["../../src/lib/cost-estimates.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AA0FH;;;GAGG;AACH,wBAAgB,uBAAuB,CAAC,YAAY,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAEhF;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,YAAY,EAAE,MAAM,GAAG,MAAM,CAK/D"}

package/dist/lib/cost-estimates.js

@@ -0,0 +1,101 @@
+/**
+ * Static monthly cost estimates for common AWS EC2 instance types.
+ * Values are approximate on-demand prices in USD cents (us-east-1).
+ * These are estimates only — actual costs vary by region, OS, and usage.
+ */
+// Monthly cost in USD cents (approximate on-demand, us-east-1, Linux)
+const COST_TABLE = {
+    // t3 family
+    't3.nano': 475, // ~$4.75/mo
+    't3.micro': 834, // ~$8.34/mo
+    't3.small': 1670, // ~$16.70/mo
+    't3.medium': 3341, // ~$33.41/mo
+    't3.large': 6682, // ~$66.82/mo
+    't3.xlarge': 13363, // ~$133.63/mo
+    't3.2xlarge': 26726, // ~$267.26/mo
+    // t3a family
+    't3a.nano': 428,
+    't3a.micro': 752,
+    't3a.small': 1505,
+    't3a.medium': 3010,
+    't3a.large': 6019,
+    't3a.xlarge': 12038,
+    // t2 family
+    't2.nano': 517,
+    't2.micro': 1168,
+    't2.small': 2336,
+    't2.medium': 4672,
+    't2.large': 9344,
+    't2.xlarge': 18688,
+    't2.2xlarge': 37376,
+    // m5 family
+    'm5.large': 7008, // ~$70.08/mo
+    'm5.xlarge': 14016,
+    'm5.2xlarge': 28032,
+    'm5.4xlarge': 56064,
+    'm5.8xlarge': 112128,
+    'm5.12xlarge': 168192,
+    'm5.16xlarge': 224256,
+    'm5.24xlarge': 336384,
+    // m6i family
+    'm6i.large': 7344,
+    'm6i.xlarge': 14688,
+    'm6i.2xlarge': 29376,
+    'm6i.4xlarge': 58752,
+    // c5 family
+    'c5.large': 6197,
+    'c5.xlarge': 12395,
+    'c5.2xlarge': 24789,
+    'c5.4xlarge': 49579,
+    'c5.9xlarge': 111553,
+    'c5.12xlarge': 148737,
+    'c5.18xlarge': 223106,
+    'c5.24xlarge': 297474,
+    // c6i family
+    'c6i.large': 6140,
+    'c6i.xlarge': 12279,
+    'c6i.2xlarge': 24558,
+    'c6i.4xlarge': 49117,
+    // r5 family
+    'r5.large': 10079,
+    'r5.xlarge': 20158,
+    'r5.2xlarge': 40315,
+    'r5.4xlarge': 80630,
+    'r5.8xlarge': 161261,
+    'r5.12xlarge': 241891,
+    'r5.16xlarge': 322522,
+    'r5.24xlarge': 483782,
+    // r6i family
+    'r6i.large': 10548,
+    'r6i.xlarge': 21096,
+    'r6i.2xlarge': 42192,
+    'r6i.4xlarge': 84384,
+    // p3 family (GPU)
+    'p3.2xlarge': 306340,
+    'p3.8xlarge': 1225360,
+    'p3.16xlarge': 2450720,
+    // g4dn family (GPU)
+    'g4dn.xlarge': 52631,
+    'g4dn.2xlarge': 75209,
+    'g4dn.4xlarge': 136314,
+    'g4dn.8xlarge': 225657,
+};
+/**
+ * Get the estimated monthly cost in USD cents for a given EC2 instance type.
+ * Returns undefined if the instance type is not in the lookup table.
+ */
+export function getInstanceCostEstimate(instanceType) {
+    return COST_TABLE[instanceType];
+}
+/**
+ * Get a human-readable cost estimate string (e.g., "~$8/mo").
+ * Returns "unknown" if the type is not in the table.
+ */
+export function formatCostEstimate(instanceType) {
+    const cents = COST_TABLE[instanceType];
+    if (cents === undefined)
+        return 'unknown';
+    const dollars = Math.round(cents / 100);
+    return `~$${dollars}/mo`;
+}
+//# sourceMappingURL=cost-estimates.js.map

package/dist/lib/cost-estimates.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cost-estimates.js","sourceRoot":"","sources":["../../src/lib/cost-estimates.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,sEAAsE;AACtE,MAAM,UAAU,GAA2B;IACzC,YAAY;IACZ,SAAS,EAAK,GAAG,EAAK,YAAY;IAClC,UAAU,EAAI,GAAG,EAAK,YAAY;IAClC,UAAU,EAAI,IAAI,EAAI,aAAa;IACnC,WAAW,EAAG,IAAI,EAAI,aAAa;IACnC,UAAU,EAAI,IAAI,EAAI,aAAa;IACnC,WAAW,EAAG,KAAK,EAAG,cAAc;IACpC,YAAY,EAAE,KAAK,EAAG,cAAc;IAEpC,aAAa;IACb,UAAU,EAAI,GAAG;IACjB,WAAW,EAAG,GAAG;IACjB,WAAW,EAAG,IAAI;IAClB,YAAY,EAAE,IAAI;IAClB,WAAW,EAAG,IAAI;IAClB,YAAY,EAAE,KAAK;IAEnB,YAAY;IACZ,SAAS,EAAK,GAAG;IACjB,UAAU,EAAI,IAAI;IAClB,UAAU,EAAI,IAAI;IAClB,WAAW,EAAG,IAAI;IAClB,UAAU,EAAI,IAAI;IAClB,WAAW,EAAG,KAAK;IACnB,YAAY,EAAE,KAAK;IAEnB,YAAY;IACZ,UAAU,EAAK,IAAI,EAAI,aAAa;IACpC,WAAW,EAAI,KAAK;IACpB,YAAY,EAAG,KAAK;IACpB,YAAY,EAAG,KAAK;IACpB,YAAY,EAAG,MAAM;IACrB,aAAa,EAAE,MAAM;IACrB,aAAa,EAAE,MAAM;IACrB,aAAa,EAAE,MAAM;IAErB,aAAa;IACb,WAAW,EAAK,IAAI;IACpB,YAAY,EAAI,KAAK;IACrB,aAAa,EAAG,KAAK;IACrB,aAAa,EAAG,KAAK;IAErB,YAAY;IACZ,UAAU,EAAK,IAAI;IACnB,WAAW,EAAI,KAAK;IACpB,YAAY,EAAG,KAAK;IACpB,YAAY,EAAG,KAAK;IACpB,YAAY,EAAG,MAAM;IACrB,aAAa,EAAE,MAAM;IACrB,aAAa,EAAE,MAAM;IACrB,aAAa,EAAE,MAAM;IAErB,aAAa;IACb,WAAW,EAAK,IAAI;IACpB,YAAY,EAAI,KAAK;IACrB,aAAa,EAAG,KAAK;IACrB,aAAa,EAAG,KAAK;IAErB,YAAY;IACZ,UAAU,EAAK,KAAK;IACpB,WAAW,EAAI,KAAK;IACpB,YAAY,EAAG,KAAK;IACpB,YAAY,EAAG,KAAK;IACpB,YAAY,EAAG,MAAM;IACrB,aAAa,EAAE,MAAM;IACrB,aAAa,EAAE,MAAM;IACrB,aAAa,EAAE,MAAM;IAErB,aAAa;IACb,WAAW,EAAK,KAAK;IACrB,YAAY,EAAI,KAAK;IACrB,aAAa,EAAG,KAAK;IACrB,aAAa,EAAG,KAAK;IAErB,kBAAkB;IAClB,YAAY,EAAI,MAAM;IACtB,YAAY,EAAI,OAAO;IACvB,aAAa,EAAG,OAAO;IAEvB,oBAAoB;IACpB,aAAa,EAAG,KAAK;IACrB,cAAc,EAAE,KAAK;IACrB,cAAc,EAAE,MAAM;IACtB,cAAc,EAAE,MAAM;CACvB,CAAC;AAEF;;;GAGG;AACH,MAAM,UAAU,uBAAuB,CAAC,YAAoB;IAC1D,OAAO,UAAU,CAAC,YAAY,CAAC,CAAC;AAClC,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,kBAAkB,CAAC,YAAoB;IACrD,MAAM,KAAK,GAAG,UAAU,CAAC,YAAY,CAAC,CAAC;IACvC,IAAI,KAAK,KAAK,SAAS;QAAE,OAAO,SAAS,CAAC;IAC1C,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,GAAG,GAAG,CAAC,CAAC;IACxC,OAAO,KAAK,OAAO,KAAK,CAAC;AAC3B,CAAC"}

package/dist/lib/fetch-retry.d.ts

@@ -0,0 +1,7 @@
+/**
+ * fetchWithRetry — retries on 429 (rate limit) and 5xx (server errors).
+ * Uses Retry-After header when present, otherwise exponential backoff.
+ * Max 3 retries by default.
+ */
+export declare function fetchWithRetry(url: string | URL, init?: RequestInit, maxRetries?: number): Promise<Response>;
+//# sourceMappingURL=fetch-retry.d.ts.map

package/dist/lib/fetch-retry.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"fetch-retry.d.ts","sourceRoot":"","sources":["../../src/lib/fetch-retry.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,wBAAsB,cAAc,CAClC,GAAG,EAAE,MAAM,GAAG,GAAG,EACjB,IAAI,CAAC,EAAE,WAAW,EAClB,UAAU,SAAI,GACb,OAAO,CAAC,QAAQ,CAAC,CA+BnB"}

package/dist/lib/fetch-retry.js

@@ -0,0 +1,35 @@
+/**
+ * fetchWithRetry — retries on 429 (rate limit) and 5xx (server errors).
+ * Uses Retry-After header when present, otherwise exponential backoff.
+ * Max 3 retries by default.
+ */
+export async function fetchWithRetry(url, init, maxRetries = 3) {
+    let lastError = null;
+    for (let attempt = 0; attempt <= maxRetries; attempt++) {
+        try {
+            const res = await fetch(url, init);
+            if (res.status === 429) {
+                if (attempt >= maxRetries)
+                    return res;
+                const retryAfter = parseInt(res.headers.get('Retry-After') ?? '', 10);
+                const waitMs = (retryAfter > 0 ? retryAfter * 1000 : 2000) * Math.pow(2, attempt);
+                await new Promise(r => setTimeout(r, waitMs));
+                continue;
+            }
+            if (res.status >= 500 && attempt < maxRetries) {
+                await new Promise(r => setTimeout(r, 1000 * Math.pow(2, attempt)));
+                continue;
+            }
+            return res;
+        }
+        catch (err) {
+            lastError = err instanceof Error ? err : new Error(String(err));
+            if (attempt < maxRetries) {
+                await new Promise(r => setTimeout(r, 1000 * Math.pow(2, attempt)));
+                continue;
+            }
+        }
+    }
+    throw lastError ?? new Error('fetchWithRetry: max retries exceeded');
+}
+//# sourceMappingURL=fetch-retry.js.map

package/dist/lib/fetch-retry.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"fetch-retry.js","sourceRoot":"","sources":["../../src/lib/fetch-retry.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,GAAiB,EACjB,IAAkB,EAClB,UAAU,GAAG,CAAC;IAEd,IAAI,SAAS,GAAiB,IAAI,CAAC;IAEnC,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,IAAI,UAAU,EAAE,OAAO,EAAE,EAAE,CAAC;QACvD,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;YAEnC,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBACvB,IAAI,OAAO,IAAI,UAAU;oBAAE,OAAO,GAAG,CAAC;gBACtC,MAAM,UAAU,GAAG,QAAQ,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,IAAI,EAAE,EAAE,EAAE,CAAC,CAAC;gBACtE,MAAM,MAAM,GAAG,CAAC,UAAU,GAAG,CAAC,CAAC,CAAC,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;gBAClF,MAAM,IAAI,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC,UAAU,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC;gBAC9C,SAAS;YACX,CAAC;YAED,IAAI,GAAG,CAAC,MAAM,IAAI,GAAG,IAAI,OAAO,GAAG,UAAU,EAAE,CAAC;gBAC9C,MAAM,IAAI,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC,UAAU,CAAC,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC;gBACnE,SAAS;YACX,CAAC;YAED,OAAO,GAAG,CAAC;QACb,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,SAAS,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;YAChE,IAAI,OAAO,GAAG,UAAU,EAAE,CAAC;gBACzB,MAAM,IAAI,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC,UAAU,CAAC,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC;gBACnE,SAAS;YACX,CAAC;QACH,CAAC;IACH,CAAC;IAED,MAAM,SAAS,IAAI,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;AACvE,CAAC"}

package/dist/lib/providers.d.ts

@@ -0,0 +1,7 @@
+import type { CloudProvider } from '../adapters/types.js';
+export type ProviderName = 'aws' | 'gcp' | 'azure';
+export declare function getProvider(name: ProviderName): CloudProvider;
+export declare function getProviders(names: ProviderName[]): CloudProvider[];
+/** Clear the cache — useful for testing. */
+export declare function clearProviderCache(): void;
+//# sourceMappingURL=providers.d.ts.map

package/dist/lib/providers.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"providers.d.ts","sourceRoot":"","sources":["../../src/lib/providers.ts"],"names":[],"mappings":"AAUA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAI1D,MAAM,MAAM,YAAY,GAAG,KAAK,GAAG,KAAK,GAAG,OAAO,CAAC;AAEnD,wBAAgB,WAAW,CAAC,IAAI,EAAE,YAAY,GAAG,aAAa,CAkB7D;AAED,wBAAgB,YAAY,CAAC,KAAK,EAAE,YAAY,EAAE,GAAG,aAAa,EAAE,CAEnE;AAED,4CAA4C;AAC5C,wBAAgB,kBAAkB,IAAI,IAAI,CAEzC"}

package/dist/lib/providers.js

@@ -0,0 +1,37 @@
+/**
+ * Cached provider factory.
+ * Adapters are created once and reused across calls to avoid
+ * repeated credential validation and multiple client instances.
+ *
+ * Phase 1: aws only
+ * Phase 2: + gcp
+ * Phase 3: + azure
+ */
+import { AwsAdapter } from '../adapters/aws.js';
+const cache = new Map();
+export function getProvider(name) {
+    if (cache.has(name))
+        return cache.get(name);
+    let adapter;
+    switch (name) {
+        case 'aws':
+            adapter = new AwsAdapter();
+            break;
+        case 'gcp':
+            throw new Error('Unknown provider: gcp. Supported: aws');
+        case 'azure':
+            throw new Error('Unknown provider: azure. Supported: aws');
+        default:
+            throw new Error(`Unknown provider: ${name}. Supported: aws`);
+    }
+    cache.set(name, adapter);
+    return adapter;
+}
+export function getProviders(names) {
+    return names.map((n) => getProvider(n));
+}
+/** Clear the cache — useful for testing. */
+export function clearProviderCache() {
+    cache.clear();
+}
+//# sourceMappingURL=providers.js.map

package/dist/lib/providers.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"providers.js","sourceRoot":"","sources":["../../src/lib/providers.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AACH,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAGhD,MAAM,KAAK,GAAG,IAAI,GAAG,EAAyB,CAAC;AAI/C,MAAM,UAAU,WAAW,CAAC,IAAkB;IAC5C,IAAI,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC;QAAE,OAAO,KAAK,CAAC,GAAG,CAAC,IAAI,CAAE,CAAC;IAE7C,IAAI,OAAsB,CAAC;IAC3B,QAAQ,IAAI,EAAE,CAAC;QACb,KAAK,KAAK;YACR,OAAO,GAAG,IAAI,UAAU,EAAE,CAAC;YAC3B,MAAM;QACR,KAAK,KAAK;YACR,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;QAC3D,KAAK,OAAO;YACV,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAC;QAC7D;YACE,MAAM,IAAI,KAAK,CAAC,qBAAqB,IAAc,kBAAkB,CAAC,CAAC;IAC3E,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IACzB,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,KAAqB;IAChD,OAAO,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,CAAC;AAC1C,CAAC;AAED,4CAA4C;AAC5C,MAAM,UAAU,kBAAkB;IAChC,KAAK,CAAC,KAAK,EAAE,CAAC;AAChB,CAAC"}

package/dist/premium/gate.d.ts

@@ -0,0 +1,18 @@
+/**
+ * Premium license gate.
+ * Reads PRO_LICENSE dynamically from process.env at call time — not cached.
+ * This allows the license to be set after server start without restart.
+ */
+/**
+ * Returns true if a valid Pro license is currently set in the environment.
+ * A valid key starts with "CPK-" and is at least 8 characters long.
+ */
+export declare function isPro(): boolean;
+/**
+ * Throws if no valid Pro license is configured.
+ * Call at the start of every Pro-gated tool handler.
+ *
+ * @param toolName - The name of the tool being called, used in the error message.
+ */
+export declare function requirePro(toolName: string): void;
+//# sourceMappingURL=gate.d.ts.map

package/dist/premium/gate.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"gate.d.ts","sourceRoot":"","sources":["../../src/premium/gate.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH;;;GAGG;AACH,wBAAgB,KAAK,IAAI,OAAO,CAG/B;AAED;;;;;GAKG;AACH,wBAAgB,UAAU,CAAC,QAAQ,EAAE,MAAM,GAAG,IAAI,CAQjD"}

package/dist/premium/gate.js

@@ -0,0 +1,27 @@
+/**
+ * Premium license gate.
+ * Reads PRO_LICENSE dynamically from process.env at call time — not cached.
+ * This allows the license to be set after server start without restart.
+ */
+/**
+ * Returns true if a valid Pro license is currently set in the environment.
+ * A valid key starts with "CPK-" and is at least 8 characters long.
+ */
+export function isPro() {
+    const key = process.env.PRO_LICENSE;
+    return Boolean(key && key.length >= 8 && key.startsWith("CPK-"));
+}
+/**
+ * Throws if no valid Pro license is configured.
+ * Call at the start of every Pro-gated tool handler.
+ *
+ * @param toolName - The name of the tool being called, used in the error message.
+ */
+export function requirePro(toolName) {
+    if (!isPro()) {
+        throw new Error(`[${toolName}] requires a Pro license. ` +
+            `Get one at https://craftpipe.dev/products/cloudvault-mcp — ` +
+            `then set PRO_LICENSE=<your-key> in your environment.`);
+    }
+}
+//# sourceMappingURL=gate.js.map

package/dist/premium/gate.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"gate.js","sourceRoot":"","sources":["../../src/premium/gate.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH;;;GAGG;AACH,MAAM,UAAU,KAAK;IACnB,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC;IACpC,OAAO,OAAO,CAAC,GAAG,IAAI,GAAG,CAAC,MAAM,IAAI,CAAC,IAAI,GAAG,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC;AACnE,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,UAAU,CAAC,QAAgB;IACzC,IAAI,CAAC,KAAK,EAAE,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CACb,IAAI,QAAQ,4BAA4B;YACtC,6DAA6D;YAC7D,sDAAsD,CACzD,CAAC;IACJ,CAAC;AACH,CAAC"}

package/dist/tools/get_secrets.d.ts

@@ -0,0 +1,16 @@
+/**
+ * get_secrets tool — secret names and metadata only.
+ * SECURITY: Secret values are NEVER returned, only names and metadata.
+ */
+import { type ProviderName } from '../lib/providers.js';
+export interface GetSecretsInput {
+    provider: ProviderName;
+    prefix?: string;
+}
+export declare function get_secrets(input: GetSecretsInput): Promise<{
+    content: {
+        type: "text";
+        text: string;
+    }[];
+}>;
+//# sourceMappingURL=get_secrets.d.ts.map

package/dist/tools/get_secrets.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"get_secrets.d.ts","sourceRoot":"","sources":["../../src/tools/get_secrets.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAe,KAAK,YAAY,EAAE,MAAM,qBAAqB,CAAC;AAGrE,MAAM,WAAW,eAAe;IAC9B,QAAQ,EAAE,YAAY,CAAC;IACvB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,wBAAsB,WAAW,CAAC,KAAK,EAAE,eAAe;;;;;GA+CvD"}

package/dist/tools/get_secrets.js

@@ -0,0 +1,52 @@
+/**
+ * get_secrets tool — secret names and metadata only.
+ * SECURITY: Secret values are NEVER returned, only names and metadata.
+ */
+import { getProvider } from '../lib/providers.js';
+import { getAuditLog } from '../lib/audit.js';
+export async function get_secrets(input) {
+    const start = Date.now();
+    const audit = getAuditLog();
+    try {
+        const provider = getProvider(input.provider);
+        const secrets = await provider.getSecrets({
+            prefix: input.prefix,
+        });
+        // SECURITY: Ensure no values are ever returned
+        const safeSecrets = secrets.map((s) => {
+            const safe = s;
+            const result = { ...safe };
+            // Belt-and-suspenders: remove any value fields that should not be there
+            delete result.value;
+            delete result.secret_value;
+            delete result.secret_string;
+            delete result.secret_binary;
+            return result;
+        });
+        audit.log({
+            tool_name: 'get_secrets',
+            input_summary: audit.sanitize({
+                provider: input.provider,
+                prefix: input.prefix,
+            }),
+            result_summary: JSON.stringify({ count: safeSecrets.length }),
+            success: true,
+            duration_ms: Date.now() - start,
+        });
+        return {
+            content: [{ type: 'text', text: JSON.stringify({ data: safeSecrets, count: safeSecrets.length }) }],
+        };
+    }
+    catch (err) {
+        const message = err instanceof Error ? err.message : String(err);
+        audit.log({
+            tool_name: 'get_secrets',
+            input_summary: audit.sanitize({ provider: input.provider }),
+            result_summary: message,
+            success: false,
+            duration_ms: Date.now() - start,
+        });
+        throw err;
+    }
+}
+//# sourceMappingURL=get_secrets.js.map

package/dist/tools/get_secrets.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"get_secrets.js","sourceRoot":"","sources":["../../src/tools/get_secrets.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,WAAW,EAAqB,MAAM,qBAAqB,CAAC;AACrE,OAAO,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAO9C,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,KAAsB;IACtD,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACzB,MAAM,KAAK,GAAG,WAAW,EAAE,CAAC;IAE5B,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,WAAW,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;QAC7C,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,UAAU,CAAC;YACxC,MAAM,EAAE,KAAK,CAAC,MAAM;SACrB,CAAC,CAAC;QAEH,+CAA+C;QAC/C,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE;YACpC,MAAM,IAAI,GAAG,CAAuC,CAAC;YACrD,MAAM,MAAM,GAAG,EAAE,GAAG,IAAI,EAAE,CAAC;YAC3B,wEAAwE;YACxE,OAAO,MAAM,CAAC,KAAK,CAAC;YACpB,OAAO,MAAM,CAAC,YAAY,CAAC;YAC3B,OAAO,MAAM,CAAC,aAAa,CAAC;YAC5B,OAAO,MAAM,CAAC,aAAa,CAAC;YAC5B,OAAO,MAAM,CAAC;QAChB,CAAC,CAAC,CAAC;QAEH,KAAK,CAAC,GAAG,CAAC;YACR,SAAS,EAAE,aAAa;YACxB,aAAa,EAAE,KAAK,CAAC,QAAQ,CAAC;gBAC5B,QAAQ,EAAE,KAAK,CAAC,QAAQ;gBACxB,MAAM,EAAE,KAAK,CAAC,MAAM;aACrB,CAAC;YACF,cAAc,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,WAAW,CAAC,MAAM,EAAE,CAAC;YAC7D,OAAO,EAAE,IAAI;YACb,WAAW,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK;SAChC,CAAC,CAAC;QAEH,OAAO;YACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,IAAI,EAAE,WAAW,EAAE,KAAK,EAAE,WAAW,CAAC,MAAM,EAAE,CAAC,EAAE,CAAC;SAC7G,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACjE,KAAK,CAAC,GAAG,CAAC;YACR,SAAS,EAAE,aAAa;YACxB,aAAa,EAAE,KAAK,CAAC,QAAQ,CAAC,EAAE,QAAQ,EAAE,KAAK,CAAC,QAAQ,EAAE,CAAC;YAC3D,cAAc,EAAE,OAAO;YACvB,OAAO,EAAE,KAAK;YACd,WAAW,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK;SAChC,CAAC,CAAC;QACH,MAAM,GAAG,CAAC;IACZ,CAAC;AACH,CAAC"}