imperium-crawl 1.5.3 → 2.1.0

package/dist/security/auth-vault.d.ts

@@ -0,0 +1,49 @@
+/**
+ * Auth Vault — Encrypted credential storage for login automation.
+ *
+ * Stores login profiles (URL, username, password, form selectors)
+ * encrypted on disk. Profiles are decrypted on-demand for login flows.
+ */
+export interface AuthProfile {
+    name: string;
+    url: string;
+    username: string;
+    password: string;
+    selectors: {
+        username: string;
+        password: string;
+        submit: string;
+    };
+    lastLogin?: string;
+    createdAt: string;
+    updatedAt: string;
+}
+export interface AuthProfileMeta {
+    name: string;
+    url: string;
+    username: string;
+    lastLogin?: string;
+    createdAt: string;
+    updatedAt: string;
+}
+/**
+ * Save an auth profile (encrypted on disk).
+ */
+export declare function saveAuthProfile(profile: Omit<AuthProfile, "createdAt" | "updatedAt">): Promise<void>;
+/**
+ * Get a decrypted auth profile by name.
+ */
+export declare function getAuthProfile(name: string): Promise<AuthProfile | null>;
+/**
+ * List all auth profiles (meta only — no passwords).
+ */
+export declare function listAuthProfiles(): Promise<AuthProfileMeta[]>;
+/**
+ * Delete an auth profile.
+ */
+export declare function deleteAuthProfile(name: string): Promise<boolean>;
+/**
+ * Update the lastLogin timestamp for a profile.
+ */
+export declare function updateLastLogin(name: string): Promise<void>;
+//# sourceMappingURL=auth-vault.d.ts.map

package/dist/security/auth-vault.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-vault.d.ts","sourceRoot":"","sources":["../../src/security/auth-vault.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAWH,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,MAAM,CAAC;IACb,GAAG,EAAE,MAAM,CAAC;IACZ,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE;QACT,QAAQ,EAAE,MAAM,CAAC;QACjB,QAAQ,EAAE,MAAM,CAAC;QACjB,MAAM,EAAE,MAAM,CAAC;KAChB,CAAC;IACF,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,MAAM,CAAC;IACb,GAAG,EAAE,MAAM,CAAC;IACZ,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;CACnB;AAaD;;GAEG;AACH,wBAAsB,eAAe,CAAC,OAAO,EAAE,IAAI,CAAC,WAAW,EAAE,WAAW,GAAG,WAAW,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,CA8B1G;AAED;;GAEG;AACH,wBAAsB,cAAc,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAgB9E;AAED;;GAEG;AACH,wBAAsB,gBAAgB,IAAI,OAAO,CAAC,eAAe,EAAE,CAAC,CAiCnE;AAED;;GAEG;AACH,wBAAsB,iBAAiB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAOtE;AAED;;GAEG;AACH,wBAAsB,eAAe,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAQjE"}

package/dist/security/auth-vault.js

@@ -0,0 +1,133 @@
+/**
+ * Auth Vault — Encrypted credential storage for login automation.
+ *
+ * Stores login profiles (URL, username, password, form selectors)
+ * encrypted on disk. Profiles are decrypted on-demand for login flows.
+ */
+import fs from "node:fs/promises";
+import path from "node:path";
+import os from "node:os";
+import { SKILLS_DIR_NAME } from "../constants.js";
+import { encryptData, decryptData, isEncryptedPayload, ensureEncryptionKey } from "../sessions/encryption.js";
+const AUTH_SUBDIR = "auth";
+const PROFILE_NAME_REGEX = /^[a-zA-Z0-9_-]+$/;
+function getAuthDir() {
+    return path.join(os.homedir(), SKILLS_DIR_NAME, AUTH_SUBDIR);
+}
+function profilePath(name) {
+    if (!PROFILE_NAME_REGEX.test(name)) {
+        throw new Error(`Invalid profile name: '${name}'. Use only alphanumeric, underscore, and hyphen.`);
+    }
+    return path.join(getAuthDir(), `${name}.json`);
+}
+/**
+ * Save an auth profile (encrypted on disk).
+ */
+export async function saveAuthProfile(profile) {
+    const key = await ensureEncryptionKey();
+    if (!key) {
+        throw new Error("Encryption key required for auth vault. Set SESSION_ENCRYPTION_KEY env var or run 'imperium-crawl setup'.");
+    }
+    const dir = getAuthDir();
+    await fs.mkdir(dir, { recursive: true });
+    // Load existing for createdAt preservation
+    let createdAt = new Date().toISOString();
+    try {
+        const existing = await getAuthProfile(profile.name);
+        if (existing)
+            createdAt = existing.createdAt;
+    }
+    catch {
+        // New profile
+    }
+    const fullProfile = {
+        ...profile,
+        createdAt,
+        updatedAt: new Date().toISOString(),
+    };
+    const encrypted = encryptData(JSON.stringify(fullProfile), key);
+    const filePath = profilePath(profile.name);
+    const tmpPath = filePath + ".tmp";
+    await fs.writeFile(tmpPath, JSON.stringify(encrypted, null, 2), { encoding: "utf-8", mode: 0o600 });
+    await fs.rename(tmpPath, filePath);
+}
+/**
+ * Get a decrypted auth profile by name.
+ */
+export async function getAuthProfile(name) {
+    const key = await ensureEncryptionKey();
+    if (!key)
+        return null;
+    try {
+        const data = await fs.readFile(profilePath(name), "utf-8");
+        const parsed = JSON.parse(data);
+        if (isEncryptedPayload(parsed)) {
+            return JSON.parse(decryptData(parsed, key));
+        }
+        return parsed;
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * List all auth profiles (meta only — no passwords).
+ */
+export async function listAuthProfiles() {
+    const dir = getAuthDir();
+    const key = await ensureEncryptionKey();
+    try {
+        const files = await fs.readdir(dir);
+        const profiles = [];
+        for (const file of files) {
+            if (!file.endsWith(".json") || file.endsWith(".tmp.json"))
+                continue;
+            const name = file.replace(/\.json$/, "");
+            try {
+                const profile = key ? await getAuthProfile(name) : null;
+                if (profile) {
+                    profiles.push({
+                        name: profile.name,
+                        url: profile.url,
+                        username: profile.username,
+                        lastLogin: profile.lastLogin,
+                        createdAt: profile.createdAt,
+                        updatedAt: profile.updatedAt,
+                    });
+                }
+            }
+            catch {
+                // Skip unreadable profiles
+            }
+        }
+        return profiles;
+    }
+    catch {
+        return [];
+    }
+}
+/**
+ * Delete an auth profile.
+ */
+export async function deleteAuthProfile(name) {
+    try {
+        await fs.unlink(profilePath(name));
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Update the lastLogin timestamp for a profile.
+ */
+export async function updateLastLogin(name) {
+    const profile = await getAuthProfile(name);
+    if (!profile)
+        return;
+    await saveAuthProfile({
+        ...profile,
+        lastLogin: new Date().toISOString(),
+    });
+}
+//# sourceMappingURL=auth-vault.js.map

package/dist/security/auth-vault.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-vault.js","sourceRoot":"","sources":["../../src/security/auth-vault.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,MAAM,kBAAkB,CAAC;AAClC,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAClD,OAAO,EAAE,WAAW,EAAE,WAAW,EAAE,kBAAkB,EAAE,mBAAmB,EAAE,MAAM,2BAA2B,CAAC;AAE9G,MAAM,WAAW,GAAG,MAAM,CAAC;AAC3B,MAAM,kBAAkB,GAAG,kBAAkB,CAAC;AA0B9C,SAAS,UAAU;IACjB,OAAO,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,eAAe,EAAE,WAAW,CAAC,CAAC;AAC/D,CAAC;AAED,SAAS,WAAW,CAAC,IAAY;IAC/B,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QACnC,MAAM,IAAI,KAAK,CAAC,0BAA0B,IAAI,mDAAmD,CAAC,CAAC;IACrG,CAAC;IACD,OAAO,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,EAAE,GAAG,IAAI,OAAO,CAAC,CAAC;AACjD,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,OAAqD;IACzF,MAAM,GAAG,GAAG,MAAM,mBAAmB,EAAE,CAAC;IACxC,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,MAAM,IAAI,KAAK,CAAC,2GAA2G,CAAC,CAAC;IAC/H,CAAC;IAED,MAAM,GAAG,GAAG,UAAU,EAAE,CAAC;IACzB,MAAM,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAEzC,2CAA2C;IAC3C,IAAI,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IACzC,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,cAAc,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QACpD,IAAI,QAAQ;YAAE,SAAS,GAAG,QAAQ,CAAC,SAAS,CAAC;IAC/C,CAAC;IAAC,MAAM,CAAC;QACP,cAAc;IAChB,CAAC;IAED,MAAM,WAAW,GAAgB;QAC/B,GAAG,OAAO;QACV,SAAS;QACT,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACpC,CAAC;IAEF,MAAM,SAAS,GAAG,WAAW,CAAC,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC,EAAE,GAAG,CAAC,CAAC;IAChE,MAAM,QAAQ,GAAG,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IAC3C,MAAM,OAAO,GAAG,QAAQ,GAAG,MAAM,CAAC;IAElC,MAAM,EAAE,CAAC,SAAS,CAAC,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IACpG,MAAM,EAAE,CAAC,MAAM,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;AACrC,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,IAAY;IAC/C,MAAM,GAAG,GAAG,MAAM,mBAAmB,EAAE,CAAC;IACxC,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IAEtB,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,CAAC,EAAE,OAAO,CAAC,CAAC;QAC3D,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAEhC,IAAI,kBAAkB,CAAC,MAAM,CAAC,EAAE,CAAC;YAC/B,OAAO,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,MAAM,EAAE,GAAG,CAAC,CAAgB,CAAC;QAC7D,CAAC;QAED,OAAO,MAAqB,CAAC;IAC/B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB;IACpC,MAAM,GAAG,GAAG,UAAU,EAAE,CAAC;IACzB,MAAM,GAAG,GAAG,MAAM,mBAAmB,EAAE,CAAC;IAExC,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACpC,MAAM,QAAQ,GAAsB,EAAE,CAAC;QAEvC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC;gBAAE,SAAS;YACpE,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;YAEzC,IAAI,CAAC;gBACH,MAAM,OAAO,GAAG,GAAG,CAAC,CAAC,CAAC,MAAM,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;gBACxD,IAAI,OAAO,EAAE,CAAC;oBACZ,QAAQ,CAAC,IAAI,CAAC;wBACZ,IAAI,EAAE,OAAO,CAAC,IAAI;wBAClB,GAAG,EAAE,OAAO,CAAC,GAAG;wBAChB,QAAQ,EAAE,OAAO,CAAC,QAAQ;wBAC1B,SAAS,EAAE,OAAO,CAAC,SAAS;wBAC5B,SAAS,EAAE,OAAO,CAAC,SAAS;wBAC5B,SAAS,EAAE,OAAO,CAAC,SAAS;qBAC7B,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,2BAA2B;YAC7B,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,IAAY;IAClD,IAAI,CAAC;QACH,MAAM,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC;QACnC,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,IAAY;IAChD,MAAM,OAAO,GAAG,MAAM,cAAc,CAAC,IAAI,CAAC,CAAC;IAC3C,IAAI,CAAC,OAAO;QAAE,OAAO;IAErB,MAAM,eAAe,CAAC;QACpB,GAAG,OAAO;QACV,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACpC,CAAC,CAAC;AACL,CAAC"}

package/dist/security/domain-filter.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Domain Filter — Security sandbox for browser actions.
+ *
+ * Blocks requests to non-allowed domains via page.route().
+ * Also patches WebSocket/EventSource/sendBeacon to prevent data exfiltration.
+ */
+type BrowserContext = import("rebrowser-playwright").BrowserContext;
+/**
+ * Check if a hostname matches any of the allowed patterns.
+ * Supports exact match and wildcard (*.example.com).
+ */
+export declare function isDomainAllowed(hostname: string, patterns: string[]): boolean;
+/**
+ * Install domain filter on a browser context.
+ * Blocks all requests to non-allowed domains + patches WebSocket/EventSource.
+ */
+export declare function installDomainFilter(context: BrowserContext, allowedDomains: string[]): Promise<void>;
+export {};
+//# sourceMappingURL=domain-filter.d.ts.map

package/dist/security/domain-filter.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"domain-filter.d.ts","sourceRoot":"","sources":["../../src/security/domain-filter.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,KAAK,cAAc,GAAG,OAAO,sBAAsB,EAAE,cAAc,CAAC;AAEpE;;;GAGG;AACH,wBAAgB,eAAe,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,OAAO,CAa7E;AAED;;;GAGG;AACH,wBAAsB,mBAAmB,CACvC,OAAO,EAAE,cAAc,EACvB,cAAc,EAAE,MAAM,EAAE,GACvB,OAAO,CAAC,IAAI,CAAC,CAoFf"}

package/dist/security/domain-filter.js

@@ -0,0 +1,114 @@
+/**
+ * Domain Filter — Security sandbox for browser actions.
+ *
+ * Blocks requests to non-allowed domains via page.route().
+ * Also patches WebSocket/EventSource/sendBeacon to prevent data exfiltration.
+ */
+/**
+ * Check if a hostname matches any of the allowed patterns.
+ * Supports exact match and wildcard (*.example.com).
+ */
+export function isDomainAllowed(hostname, patterns) {
+    const lower = hostname.toLowerCase();
+    for (const pattern of patterns) {
+        const p = pattern.toLowerCase();
+        if (p === lower)
+            return true;
+        if (p.startsWith("*.")) {
+            const suffix = p.slice(2);
+            if (lower === suffix || lower.endsWith(`.${suffix}`))
+                return true;
+        }
+    }
+    return false;
+}
+/**
+ * Install domain filter on a browser context.
+ * Blocks all requests to non-allowed domains + patches WebSocket/EventSource.
+ */
+export async function installDomainFilter(context, allowedDomains) {
+    if (!allowedDomains.length)
+        return;
+    // Block HTTP requests to non-allowed domains
+    await context.route("**/*", (route) => {
+        try {
+            const url = new URL(route.request().url());
+            if (isDomainAllowed(url.hostname, allowedDomains)) {
+                route.continue();
+            }
+            else {
+                route.abort("blockedbyclient");
+            }
+        }
+        catch {
+            // Invalid URL — allow (probably internal)
+            route.continue();
+        }
+    });
+    // Patch WebSocket/EventSource/sendBeacon in page context
+    const initScript = `
+    (function() {
+      const allowedDomains = ${JSON.stringify(allowedDomains)};
+
+      function isDomainAllowed(hostname) {
+        const lower = hostname.toLowerCase();
+        for (const pattern of allowedDomains) {
+          const p = pattern.toLowerCase();
+          if (p === lower) return true;
+          if (p.startsWith('*.')) {
+            const suffix = p.slice(2);
+            if (lower === suffix || lower.endsWith('.' + suffix)) return true;
+          }
+        }
+        return false;
+      }
+
+      function checkUrl(urlStr) {
+        try {
+          const url = new URL(urlStr, window.location.href);
+          return isDomainAllowed(url.hostname);
+        } catch {
+          return false;
+        }
+      }
+
+      // Patch WebSocket
+      const OrigWebSocket = window.WebSocket;
+      window.WebSocket = function(url, protocols) {
+        if (!checkUrl(url)) {
+          console.warn('[imperium-crawl] Blocked WebSocket to:', url);
+          throw new DOMException('Blocked by domain filter', 'SecurityError');
+        }
+        return new OrigWebSocket(url, protocols);
+      };
+      window.WebSocket.prototype = OrigWebSocket.prototype;
+
+      // Patch EventSource
+      const OrigEventSource = window.EventSource;
+      if (OrigEventSource) {
+        window.EventSource = function(url, opts) {
+          if (!checkUrl(url)) {
+            console.warn('[imperium-crawl] Blocked EventSource to:', url);
+            throw new DOMException('Blocked by domain filter', 'SecurityError');
+          }
+          return new OrigEventSource(url, opts);
+        };
+        window.EventSource.prototype = OrigEventSource.prototype;
+      }
+
+      // Patch sendBeacon
+      const origSendBeacon = navigator.sendBeacon?.bind(navigator);
+      if (origSendBeacon) {
+        navigator.sendBeacon = function(url, data) {
+          if (!checkUrl(url)) {
+            console.warn('[imperium-crawl] Blocked sendBeacon to:', url);
+            return false;
+          }
+          return origSendBeacon(url, data);
+        };
+      }
+    })();
+  `;
+    await context.addInitScript(initScript);
+}
+//# sourceMappingURL=domain-filter.js.map

package/dist/security/domain-filter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"domain-filter.js","sourceRoot":"","sources":["../../src/security/domain-filter.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH;;;GAGG;AACH,MAAM,UAAU,eAAe,CAAC,QAAgB,EAAE,QAAkB;IAClE,MAAM,KAAK,GAAG,QAAQ,CAAC,WAAW,EAAE,CAAC;IAErC,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,MAAM,CAAC,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;QAChC,IAAI,CAAC,KAAK,KAAK;YAAE,OAAO,IAAI,CAAC;QAC7B,IAAI,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YACvB,MAAM,MAAM,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;YAC1B,IAAI,KAAK,KAAK,MAAM,IAAI,KAAK,CAAC,QAAQ,CAAC,IAAI,MAAM,EAAE,CAAC;gBAAE,OAAO,IAAI,CAAC;QACpE,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,OAAuB,EACvB,cAAwB;IAExB,IAAI,CAAC,cAAc,CAAC,MAAM;QAAE,OAAO;IAEnC,6CAA6C;IAC7C,MAAM,OAAO,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,KAAK,EAAE,EAAE;QACpC,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC;YAC3C,IAAI,eAAe,CAAC,GAAG,CAAC,QAAQ,EAAE,cAAc,CAAC,EAAE,CAAC;gBAClD,KAAK,CAAC,QAAQ,EAAE,CAAC;YACnB,CAAC;iBAAM,CAAC;gBACN,KAAK,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAC;YACjC,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,0CAA0C;YAC1C,KAAK,CAAC,QAAQ,EAAE,CAAC;QACnB,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,yDAAyD;IACzD,MAAM,UAAU,GAAG;;+BAEU,IAAI,CAAC,SAAS,CAAC,cAAc,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4D1D,CAAC;IAEF,MAAM,OAAO,CAAC,aAAa,CAAC,UAAU,CAAC,CAAC;AAC1C,CAAC"}

package/dist/security/types.d.ts

@@ -0,0 +1,19 @@
+/** Action policy decision */
+export type PolicyDecision = "allow" | "deny" | "confirm";
+/** Action policy configuration */
+export interface ActionPolicyConfig {
+    /** Default decision for uncategorized actions */
+    default: "allow" | "deny";
+    /** Allowed categories override default */
+    allow?: string[];
+    /** Denied categories override default and allow */
+    deny?: string[];
+    /** Categories requiring explicit confirmation */
+    confirm?: string[];
+}
+/** Domain filter patterns */
+export interface DomainFilterConfig {
+    /** Allowed domain patterns (exact or wildcard *.example.com) */
+    allowed_domains: string[];
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/security/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/security/types.ts"],"names":[],"mappings":"AAAA,6BAA6B;AAC7B,MAAM,MAAM,cAAc,GAAG,OAAO,GAAG,MAAM,GAAG,SAAS,CAAC;AAE1D,kCAAkC;AAClC,MAAM,WAAW,kBAAkB;IACjC,iDAAiD;IACjD,OAAO,EAAE,OAAO,GAAG,MAAM,CAAC;IAC1B,0CAA0C;IAC1C,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,mDAAmD;IACnD,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;IAChB,iDAAiD;IACjD,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;CACpB;AAED,6BAA6B;AAC7B,MAAM,WAAW,kBAAkB;IACjC,gEAAgE;IAChE,eAAe,EAAE,MAAM,EAAE,CAAC;CAC3B"}

package/dist/security/types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=types.js.map

package/dist/security/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/security/types.ts"],"names":[],"mappings":""}

package/dist/sessions/encryption.d.ts

@@ -0,0 +1,37 @@
+/**
+ * Session Encryption — AES-256-GCM with scrypt key derivation.
+ *
+ * Auto-encrypts session files when SESSION_ENCRYPTION_KEY env var is set.
+ * Uses Node.js crypto module only, zero deps.
+ */
+export interface EncryptedPayload {
+    version: 1;
+    algorithm: "aes-256-gcm";
+    iv: string;
+    authTag: string;
+    ciphertext: string;
+    salt: string;
+}
+/**
+ * Encrypt plaintext with AES-256-GCM.
+ */
+export declare function encryptData(plaintext: string, userKey: string): EncryptedPayload;
+/**
+ * Decrypt an encrypted payload.
+ */
+export declare function decryptData(payload: EncryptedPayload, userKey: string): string;
+/**
+ * Check if an object looks like an encrypted payload.
+ */
+export declare function isEncryptedPayload(obj: unknown): obj is EncryptedPayload;
+/**
+ * Get encryption key from env var or auto-generated key file.
+ * Returns undefined if no key is configured and no key file exists.
+ */
+export declare function ensureEncryptionKey(): Promise<string | undefined>;
+/**
+ * Generate a new encryption key and save to file.
+ * Only call this explicitly (e.g. from setup wizard).
+ */
+export declare function generateEncryptionKey(): Promise<string>;
+//# sourceMappingURL=encryption.d.ts.map

package/dist/sessions/encryption.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"encryption.d.ts","sourceRoot":"","sources":["../../src/sessions/encryption.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAoBH,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,CAAC,CAAC;IACX,SAAS,EAAE,aAAa,CAAC;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,CAAC;IACnB,IAAI,EAAE,MAAM,CAAC;CACd;AASD;;GAEG;AACH,wBAAgB,WAAW,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,gBAAgB,CAoBhF;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,OAAO,EAAE,gBAAgB,EAAE,OAAO,EAAE,MAAM,GAAG,MAAM,CAc9E;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,GAAG,EAAE,OAAO,GAAG,GAAG,IAAI,gBAAgB,CAWxE;AAED;;;GAGG;AACH,wBAAsB,mBAAmB,IAAI,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC,CAcvE;AAED;;;GAGG;AACH,wBAAsB,qBAAqB,IAAI,OAAO,CAAC,MAAM,CAAC,CAS7D"}

package/dist/sessions/encryption.js

@@ -0,0 +1,108 @@
+/**
+ * Session Encryption — AES-256-GCM with scrypt key derivation.
+ *
+ * Auto-encrypts session files when SESSION_ENCRYPTION_KEY env var is set.
+ * Uses Node.js crypto module only, zero deps.
+ */
+import { randomBytes, createCipheriv, createDecipheriv, scryptSync, } from "node:crypto";
+import fs from "node:fs/promises";
+import path from "node:path";
+import os from "node:os";
+import { SKILLS_DIR_NAME } from "../constants.js";
+const ALGORITHM = "aes-256-gcm";
+const KEY_LENGTH = 32;
+const IV_LENGTH = 12;
+const SALT_LENGTH = 16;
+const AUTH_TAG_LENGTH = 16;
+const ENCRYPTION_KEY_FILENAME = "encryption.key";
+/**
+ * Derive a 256-bit key from user password using scrypt.
+ */
+function deriveKey(userKey, salt) {
+    return scryptSync(userKey, salt, KEY_LENGTH);
+}
+/**
+ * Encrypt plaintext with AES-256-GCM.
+ */
+export function encryptData(plaintext, userKey) {
+    const salt = randomBytes(SALT_LENGTH);
+    const key = deriveKey(userKey, salt);
+    const iv = randomBytes(IV_LENGTH);
+    const cipher = createCipheriv(ALGORITHM, key, iv, { authTagLength: AUTH_TAG_LENGTH });
+    const encrypted = Buffer.concat([
+        cipher.update(plaintext, "utf-8"),
+        cipher.final(),
+    ]);
+    const authTag = cipher.getAuthTag();
+    return {
+        version: 1,
+        algorithm: ALGORITHM,
+        iv: iv.toString("hex"),
+        authTag: authTag.toString("hex"),
+        ciphertext: encrypted.toString("hex"),
+        salt: salt.toString("hex"),
+    };
+}
+/**
+ * Decrypt an encrypted payload.
+ */
+export function decryptData(payload, userKey) {
+    const salt = Buffer.from(payload.salt, "hex");
+    const key = deriveKey(userKey, salt);
+    const iv = Buffer.from(payload.iv, "hex");
+    const authTag = Buffer.from(payload.authTag, "hex");
+    const ciphertext = Buffer.from(payload.ciphertext, "hex");
+    const decipher = createDecipheriv(ALGORITHM, key, iv, { authTagLength: AUTH_TAG_LENGTH });
+    decipher.setAuthTag(authTag);
+    return Buffer.concat([
+        decipher.update(ciphertext),
+        decipher.final(),
+    ]).toString("utf-8");
+}
+/**
+ * Check if an object looks like an encrypted payload.
+ */
+export function isEncryptedPayload(obj) {
+    if (!obj || typeof obj !== "object")
+        return false;
+    const o = obj;
+    return (o.version === 1 &&
+        o.algorithm === ALGORITHM &&
+        typeof o.iv === "string" &&
+        typeof o.authTag === "string" &&
+        typeof o.ciphertext === "string" &&
+        typeof o.salt === "string");
+}
+/**
+ * Get encryption key from env var or auto-generated key file.
+ * Returns undefined if no key is configured and no key file exists.
+ */
+export async function ensureEncryptionKey() {
+    // Env var takes priority
+    const envKey = process.env.SESSION_ENCRYPTION_KEY?.trim();
+    if (envKey)
+        return envKey;
+    // Check for existing key file
+    const keyPath = path.join(os.homedir(), SKILLS_DIR_NAME, ENCRYPTION_KEY_FILENAME);
+    try {
+        const key = await fs.readFile(keyPath, "utf-8");
+        return key.trim();
+    }
+    catch {
+        // No key file — return undefined (encryption not configured)
+        return undefined;
+    }
+}
+/**
+ * Generate a new encryption key and save to file.
+ * Only call this explicitly (e.g. from setup wizard).
+ */
+export async function generateEncryptionKey() {
+    const key = randomBytes(32).toString("hex");
+    const dir = path.join(os.homedir(), SKILLS_DIR_NAME);
+    const keyPath = path.join(dir, ENCRYPTION_KEY_FILENAME);
+    await fs.mkdir(dir, { recursive: true });
+    await fs.writeFile(keyPath, key, { encoding: "utf-8", mode: 0o600 });
+    return key;
+}
+//# sourceMappingURL=encryption.js.map

package/dist/sessions/encryption.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"encryption.js","sourceRoot":"","sources":["../../src/sessions/encryption.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EACL,WAAW,EACX,cAAc,EACd,gBAAgB,EAChB,UAAU,GACX,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,MAAM,kBAAkB,CAAC;AAClC,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAElD,MAAM,SAAS,GAAG,aAAa,CAAC;AAChC,MAAM,UAAU,GAAG,EAAE,CAAC;AACtB,MAAM,SAAS,GAAG,EAAE,CAAC;AACrB,MAAM,WAAW,GAAG,EAAE,CAAC;AACvB,MAAM,eAAe,GAAG,EAAE,CAAC;AAC3B,MAAM,uBAAuB,GAAG,gBAAgB,CAAC;AAWjD;;GAEG;AACH,SAAS,SAAS,CAAC,OAAe,EAAE,IAAY;IAC9C,OAAO,UAAU,CAAC,OAAO,EAAE,IAAI,EAAE,UAAU,CAAC,CAAC;AAC/C,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,WAAW,CAAC,SAAiB,EAAE,OAAe;IAC5D,MAAM,IAAI,GAAG,WAAW,CAAC,WAAW,CAAC,CAAC;IACtC,MAAM,GAAG,GAAG,SAAS,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;IACrC,MAAM,EAAE,GAAG,WAAW,CAAC,SAAS,CAAC,CAAC;IAElC,MAAM,MAAM,GAAG,cAAc,CAAC,SAAS,EAAE,GAAG,EAAE,EAAE,EAAE,EAAE,aAAa,EAAE,eAAe,EAAE,CAAC,CAAC;IACtF,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC;QAC9B,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,OAAO,CAAC;QACjC,MAAM,CAAC,KAAK,EAAE;KACf,CAAC,CAAC;IACH,MAAM,OAAO,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;IAEpC,OAAO;QACL,OAAO,EAAE,CAAC;QACV,SAAS,EAAE,SAAS;QACpB,EAAE,EAAE,EAAE,CAAC,QAAQ,CAAC,KAAK,CAAC;QACtB,OAAO,EAAE,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC;QAChC,UAAU,EAAE,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC;QACrC,IAAI,EAAE,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC;KAC3B,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,WAAW,CAAC,OAAyB,EAAE,OAAe;IACpE,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;IAC9C,MAAM,GAAG,GAAG,SAAS,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;IACrC,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC;IAC1C,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;IACpD,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC;IAE1D,MAAM,QAAQ,GAAG,gBAAgB,CAAC,SAAS,EAAE,GAAG,EAAE,EAAE,EAAE,EAAE,aAAa,EAAE,eAAe,EAAE,CAAC,CAAC;IAC1F,QAAQ,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;IAE7B,OAAO,MAAM,CAAC,MAAM,CAAC;QACnB,QAAQ,CAAC,MAAM,CAAC,UAAU,CAAC;QAC3B,QAAQ,CAAC,KAAK,EAAE;KACjB,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;AACvB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAAC,GAAY;IAC7C,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IAClD,MAAM,CAAC,GAAG,GAA8B,CAAC;IACzC,OAAO,CACL,CAAC,CAAC,OAAO,KAAK,CAAC;QACf,CAAC,CAAC,SAAS,KAAK,SAAS;QACzB,OAAO,CAAC,CAAC,EAAE,KAAK,QAAQ;QACxB,OAAO,CAAC,CAAC,OAAO,KAAK,QAAQ;QAC7B,OAAO,CAAC,CAAC,UAAU,KAAK,QAAQ;QAChC,OAAO,CAAC,CAAC,IAAI,KAAK,QAAQ,CAC3B,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB;IACvC,yBAAyB;IACzB,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,sBAAsB,EAAE,IAAI,EAAE,CAAC;IAC1D,IAAI,MAAM;QAAE,OAAO,MAAM,CAAC;IAE1B,8BAA8B;IAC9B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,eAAe,EAAE,uBAAuB,CAAC,CAAC;IAClF,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QAChD,OAAO,GAAG,CAAC,IAAI,EAAE,CAAC;IACpB,CAAC;IAAC,MAAM,CAAC;QACP,6DAA6D;QAC7D,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB;IACzC,MAAM,GAAG,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IAC5C,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,eAAe,CAAC,CAAC;IACrD,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,uBAAuB,CAAC,CAAC;IAExD,MAAM,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACzC,MAAM,EAAE,CAAC,SAAS,CAAC,OAAO,EAAE,GAAG,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAErE,OAAO,GAAG,CAAC;AACb,CAAC"}

package/dist/sessions/index.d.ts

@@ -1,3 +1,4 @@
 export type { StoredSession, StoredCookie } from "./types.js";
 export { SessionManager, getSessionManager, resetSessionManager } from "./manager.js";
+export { encryptData, decryptData, isEncryptedPayload, ensureEncryptionKey, generateEncryptionKey, } from "./encryption.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/sessions/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/sessions/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAC9D,OAAO,EAAE,cAAc,EAAE,iBAAiB,EAAE,mBAAmB,EAAE,MAAM,cAAc,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/sessions/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAC9D,OAAO,EAAE,cAAc,EAAE,iBAAiB,EAAE,mBAAmB,EAAE,MAAM,cAAc,CAAC;AACtF,OAAO,EACL,WAAW,EACX,WAAW,EACX,kBAAkB,EAClB,mBAAmB,EACnB,qBAAqB,GACtB,MAAM,iBAAiB,CAAC"}

package/dist/sessions/index.js

@@ -1,2 +1,3 @@
 export { SessionManager, getSessionManager, resetSessionManager } from "./manager.js";
+export { encryptData, decryptData, isEncryptedPayload, ensureEncryptionKey, generateEncryptionKey, } from "./encryption.js";
 //# sourceMappingURL=index.js.map

package/dist/sessions/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/sessions/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,iBAAiB,EAAE,mBAAmB,EAAE,MAAM,cAAc,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/sessions/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,iBAAiB,EAAE,mBAAmB,EAAE,MAAM,cAAc,CAAC;AACtF,OAAO,EACL,WAAW,EACX,WAAW,EACX,kBAAkB,EAClB,mBAAmB,EACnB,qBAAqB,GACtB,MAAM,iBAAiB,CAAC"}

package/dist/sessions/manager.d.ts

@@ -2,7 +2,10 @@ import type { StoredSession, StoredCookie } from "./types.js";
 export declare class SessionManager {
     private cache;
     private dir;
+    private encryptionKey;
+    private keyLoaded;
     constructor(dir?: string);
+    private getEncryptionKey;
     private sessionPath;
     save(id: string, cookies: StoredCookie[], url: string): Promise<void>;
     load(id: string): Promise<StoredSession | null>;

package/dist/sessions/manager.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"manager.d.ts","sourceRoot":"","sources":["../../src/sessions/manager.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAE9D,qBAAa,cAAc;IACzB,OAAO,CAAC,KAAK,CAAoC;IACjD,OAAO,CAAC,GAAG,CAAS;gBAER,GAAG,CAAC,EAAE,MAAM;IAIxB,OAAO,CAAC,WAAW;IAMb,IAAI,CAAC,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,YAAY,EAAE,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAqBrE,IAAI,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC;IAwB/C,MAAM,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IASjC,IAAI,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;CAUhC;AAMD,wBAAgB,iBAAiB,IAAI,cAAc,CAKlD;AAED,oCAAoC;AACpC,wBAAgB,mBAAmB,IAAI,IAAI,CAE1C"}
+{"version":3,"file":"manager.d.ts","sourceRoot":"","sources":["../../src/sessions/manager.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAG9D,qBAAa,cAAc;IACzB,OAAO,CAAC,KAAK,CAAoC;IACjD,OAAO,CAAC,GAAG,CAAS;IACpB,OAAO,CAAC,aAAa,CAAqB;IAC1C,OAAO,CAAC,SAAS,CAAS;gBAEd,GAAG,CAAC,EAAE,MAAM;YAIV,gBAAgB;IAQ9B,OAAO,CAAC,WAAW;IAMb,IAAI,CAAC,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,YAAY,EAAE,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IA2BrE,IAAI,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC;IAqC/C,MAAM,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IASjC,IAAI,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;CAUhC;AAMD,wBAAgB,iBAAiB,IAAI,cAAc,CAKlD;AAED,oCAAoC;AACpC,wBAAgB,mBAAmB,IAAI,IAAI,CAE1C"}

package/dist/sessions/manager.js

@@ -1,12 +1,22 @@
 import fs from "node:fs/promises";
 import path from "node:path";
 import { getSessionsDir } from "../config.js";
+import { encryptData, decryptData, isEncryptedPayload, ensureEncryptionKey } from "./encryption.js";
 export class SessionManager {
     cache = new Map();
     dir;
+    encryptionKey;
+    keyLoaded = false;
     constructor(dir) {
         this.dir = dir ?? getSessionsDir();
     }
+    async getEncryptionKey() {
+        if (!this.keyLoaded) {
+            this.encryptionKey = await ensureEncryptionKey();
+            this.keyLoaded = true;
+        }
+        return this.encryptionKey;
+    }
     sessionPath(id) {
         // Sanitize id to prevent path traversal
         const safe = id.replace(/[^a-zA-Z0-9_\-]/g, "_");
@@ -26,7 +36,11 @@ export class SessionManager {
         await fs.mkdir(this.dir, { recursive: true });
         const filePath = this.sessionPath(id);
         const tmpPath = filePath + ".tmp";
-        await fs.writeFile(tmpPath, JSON.stringify(session, null, 2), "utf-8");
+        const key = await this.getEncryptionKey();
+        const content = key
+            ? JSON.stringify(encryptData(JSON.stringify(session), key), null, 2)
+            : JSON.stringify(session, null, 2);
+        await fs.writeFile(tmpPath, content, "utf-8");
         await fs.rename(tmpPath, filePath);
     }
     async load(id) {
@@ -34,7 +48,19 @@ export class SessionManager {
             return this.cache.get(id);
         try {
             const data = await fs.readFile(this.sessionPath(id), "utf-8");
-            const session = JSON.parse(data);
+            const parsed = JSON.parse(data);
+            let session;
+            if (isEncryptedPayload(parsed)) {
+                const key = await this.getEncryptionKey();
+                if (!key) {
+                    console.error("[sessions] Encrypted session found but no encryption key configured");
+                    return null;
+                }
+                session = JSON.parse(decryptData(parsed, key));
+            }
+            else {
+                session = parsed;
+            }
             this.cache.set(id, session);
             return session;
         }

package/dist/sessions/manager.js.map

@@ -1 +1 @@
-{"version":3,"file":"manager.js","sourceRoot":"","sources":["../../src/sessions/manager.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,kBAAkB,CAAC;AAClC,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAG9C,MAAM,OAAO,cAAc;IACjB,KAAK,GAAG,IAAI,GAAG,EAAyB,CAAC;IACzC,GAAG,CAAS;IAEpB,YAAY,GAAY;QACtB,IAAI,CAAC,GAAG,GAAG,GAAG,IAAI,cAAc,EAAE,CAAC;IACrC,CAAC;IAEO,WAAW,CAAC,EAAU;QAC5B,wCAAwC;QACxC,MAAM,IAAI,GAAG,EAAE,CAAC,OAAO,CAAC,kBAAkB,EAAE,GAAG,CAAC,CAAC;QACjD,OAAO,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,OAAO,CAAC,CAAC;IAC7C,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,EAAU,EAAE,OAAuB,EAAE,GAAW;QACzD,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QACrC,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAEpC,MAAM,OAAO,GAAkB;YAC7B,EAAE;YACF,OAAO;YACP,GAAG;YACH,SAAS,EAAE,QAAQ,EAAE,SAAS,IAAI,GAAG;YACrC,SAAS,EAAE,GAAG;SACf,CAAC;QAEF,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC;QAE5B,MAAM,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC9C,MAAM,QAAQ,GAAG,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;QACtC,MAAM,OAAO,GAAG,QAAQ,GAAG,MAAM,CAAC;QAClC,MAAM,EAAE,CAAC,SAAS,CAAC,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;QACvE,MAAM,EAAE,CAAC,MAAM,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;IACrC,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,EAAU;QACnB,IAAI,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC;YAAE,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAE,CAAC;QAEnD,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC,EAAE,OAAO,CAAC,CAAC;YAC9D,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAkB,CAAC;YAClD,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC;YAC5B,OAAO,OAAO,CAAC;QACjB,CAAC;QAAC,OAAO,GAAY,EAAE,CAAC;YACtB,MAAM,QAAQ,GACZ,GAAG;gBACH,OAAO,GAAG,KAAK,QAAQ;gBACvB,MAAM,IAAI,GAAG;gBACZ,GAA6B,CAAC,IAAI,KAAK,QAAQ,CAAC;YACnD,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACd,OAAO,CAAC,KAAK,CACX,oCAAoC,EACpC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CACjD,CAAC;YACJ,CAAC;YACD,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,EAAU;QACrB,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;QACtB,IAAI,CAAC;YACH,MAAM,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,CAAC;QACxC,CAAC;QAAC,MAAM,CAAC;YACP,sCAAsC;QACxC,CAAC;IACH,CAAC;IAED,KAAK,CAAC,IAAI;QACR,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACzC,OAAO,KAAK;iBACT,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;iBAC9D,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC,CAAC;QAC1C,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;CACF;AAED,kBAAkB;AAElB,IAAI,OAAO,GAA0B,IAAI,CAAC;AAE1C,MAAM,UAAU,iBAAiB;IAC/B,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO,GAAG,IAAI,cAAc,EAAE,CAAC;IACjC,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,oCAAoC;AACpC,MAAM,UAAU,mBAAmB;IACjC,OAAO,GAAG,IAAI,CAAC;AACjB,CAAC"}
+{"version":3,"file":"manager.js","sourceRoot":"","sources":["../../src/sessions/manager.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,kBAAkB,CAAC;AAClC,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAE9C,OAAO,EAAE,WAAW,EAAE,WAAW,EAAE,kBAAkB,EAAE,mBAAmB,EAAE,MAAM,iBAAiB,CAAC;AAEpG,MAAM,OAAO,cAAc;IACjB,KAAK,GAAG,IAAI,GAAG,EAAyB,CAAC;IACzC,GAAG,CAAS;IACZ,aAAa,CAAqB;IAClC,SAAS,GAAG,KAAK,CAAC;IAE1B,YAAY,GAAY;QACtB,IAAI,CAAC,GAAG,GAAG,GAAG,IAAI,cAAc,EAAE,CAAC;IACrC,CAAC;IAEO,KAAK,CAAC,gBAAgB;QAC5B,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC;YACpB,IAAI,CAAC,aAAa,GAAG,MAAM,mBAAmB,EAAE,CAAC;YACjD,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC;QACxB,CAAC;QACD,OAAO,IAAI,CAAC,aAAa,CAAC;IAC5B,CAAC;IAEO,WAAW,CAAC,EAAU;QAC5B,wCAAwC;QACxC,MAAM,IAAI,GAAG,EAAE,CAAC,OAAO,CAAC,kBAAkB,EAAE,GAAG,CAAC,CAAC;QACjD,OAAO,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,OAAO,CAAC,CAAC;IAC7C,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,EAAU,EAAE,OAAuB,EAAE,GAAW;QACzD,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QACrC,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAEpC,MAAM,OAAO,GAAkB;YAC7B,EAAE;YACF,OAAO;YACP,GAAG;YACH,SAAS,EAAE,QAAQ,EAAE,SAAS,IAAI,GAAG;YACrC,SAAS,EAAE,GAAG;SACf,CAAC;QAEF,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC;QAE5B,MAAM,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC9C,MAAM,QAAQ,GAAG,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;QACtC,MAAM,OAAO,GAAG,QAAQ,GAAG,MAAM,CAAC;QAElC,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,gBAAgB,EAAE,CAAC;QAC1C,MAAM,OAAO,GAAG,GAAG;YACjB,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,EAAE,GAAG,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC;YACpE,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;QAErC,MAAM,EAAE,CAAC,SAAS,CAAC,OAAO,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;QAC9C,MAAM,EAAE,CAAC,MAAM,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;IACrC,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,EAAU;QACnB,IAAI,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC;YAAE,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAE,CAAC;QAEnD,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC,EAAE,OAAO,CAAC,CAAC;YAC9D,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YAEhC,IAAI,OAAsB,CAAC;YAC3B,IAAI,kBAAkB,CAAC,MAAM,CAAC,EAAE,CAAC;gBAC/B,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,gBAAgB,EAAE,CAAC;gBAC1C,IAAI,CAAC,GAAG,EAAE,CAAC;oBACT,OAAO,CAAC,KAAK,CAAC,qEAAqE,CAAC,CAAC;oBACrF,OAAO,IAAI,CAAC;gBACd,CAAC;gBACD,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,MAAM,EAAE,GAAG,CAAC,CAAkB,CAAC;YAClE,CAAC;iBAAM,CAAC;gBACN,OAAO,GAAG,MAAuB,CAAC;YACpC,CAAC;YAED,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC;YAC5B,OAAO,OAAO,CAAC;QACjB,CAAC;QAAC,OAAO,GAAY,EAAE,CAAC;YACtB,MAAM,QAAQ,GACZ,GAAG;gBACH,OAAO,GAAG,KAAK,QAAQ;gBACvB,MAAM,IAAI,GAAG;gBACZ,GAA6B,CAAC,IAAI,KAAK,QAAQ,CAAC;YACnD,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACd,OAAO,CAAC,KAAK,CACX,oCAAoC,EACpC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CACjD,CAAC;YACJ,CAAC;YACD,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,EAAU;QACrB,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;QACtB,IAAI,CAAC;YACH,MAAM,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,CAAC;QACxC,CAAC;QAAC,MAAM,CAAC;YACP,sCAAsC;QACxC,CAAC;IACH,CAAC;IAED,KAAK,CAAC,IAAI;QACR,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACzC,OAAO,KAAK;iBACT,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;iBAC9D,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC,CAAC;QAC1C,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;CACF;AAED,kBAAkB;AAElB,IAAI,OAAO,GAA0B,IAAI,CAAC;AAE1C,MAAM,UAAU,iBAAiB;IAC/B,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO,GAAG,IAAI,cAAc,EAAE,CAAC;IACjC,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,oCAAoC;AACpC,MAAM,UAAU,mBAAmB;IACjC,OAAO,GAAG,IAAI,CAAC;AACjB,CAAC"}