latchkey 2.7.3 → 2.9.0

package/dist/tests/oauthUtils.test.js

@@ -0,0 +1,63 @@
+import { describe, it, expect, vi, afterEach } from 'vitest';
+import { startOAuthCallbackServer, generateCodeVerifier, generateCodeChallenge, exchangeCodeForTokens, refreshAccessToken, OAuthTokenExchangeError, OAuthCallbackServerTimeoutError, } from '../src/oauthUtils.js';
+import * as curl from '../src/curl.js';
+afterEach(() => {
+    vi.restoreAllMocks();
+});
+void startOAuthCallbackServer;
+void OAuthTokenExchangeError;
+void OAuthCallbackServerTimeoutError;
+describe('startOAuthCallbackServer', () => {
+    it.todo('add tests');
+});
+describe('generateCodeVerifier', () => {
+    it('just runs', () => {
+        generateCodeVerifier();
+    });
+});
+describe('generateCodeChallenge', () => {
+    it('just runs', () => {
+        generateCodeChallenge('dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk');
+    });
+});
+describe('exchangeCodeForTokens', () => {
+    it('with PKCE: includes code_verifier in body', () => {
+        const spy = vi.spyOn(curl, 'runCaptured').mockImplementation(() => {
+            throw new Error('STOP');
+        });
+        expect(() => exchangeCodeForTokens('https://api.notion.com/v1/oauth/token', 'auth-code-abc123', 'test-client-id', 'test-client-secret', 'http://localhost:12345/oauth2callback', 'dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk')).toThrow('STOP');
+        const args = spy.mock.calls[0][0];
+        const body = args[args.indexOf('-d') + 1];
+        expect(body).toBe('code=auth-code-abc123&client_id=test-client-id&redirect_uri=http%3A%2F%2Flocalhost%3A12345%2Foauth2callback&grant_type=authorization_code&client_secret=test-client-secret&code_verifier=dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk');
+    });
+    it('without PKCE: omits code_verifier from body', () => {
+        const spy = vi.spyOn(curl, 'runCaptured').mockImplementation(() => {
+            throw new Error('STOP');
+        });
+        expect(() => exchangeCodeForTokens('https://api.notion.com/v1/oauth/token', 'auth-code-abc123', 'test-client-id', 'test-client-secret', 'http://localhost:12345/oauth2callback')).toThrow('STOP');
+        const args = spy.mock.calls[0][0];
+        const body = args[args.indexOf('-d') + 1];
+        expect(body).toBe('code=auth-code-abc123&client_id=test-client-id&redirect_uri=http%3A%2F%2Flocalhost%3A12345%2Foauth2callback&grant_type=authorization_code&client_secret=test-client-secret');
+    });
+});
+describe('refreshAccessToken', () => {
+    it('confidential client: includes client_secret in body', () => {
+        const spy = vi.spyOn(curl, 'runCaptured').mockImplementation(() => {
+            throw new Error('STOP');
+        });
+        expect(() => refreshAccessToken('https://api.notion.com/v1/oauth/token', 'refresh-token-xyz789', 'test-client-id', 'test-client-secret')).toThrow('STOP');
+        const args = spy.mock.calls[0][0];
+        const body = args[args.indexOf('-d') + 1];
+        expect(body).toBe('refresh_token=refresh-token-xyz789&client_id=test-client-id&grant_type=refresh_token&client_secret=test-client-secret');
+    });
+    it('public client: omits client_secret from body', () => {
+        const spy = vi.spyOn(curl, 'runCaptured').mockImplementation(() => {
+            throw new Error('STOP');
+        });
+        expect(() => refreshAccessToken('https://api.notion.com/v1/oauth/token', 'refresh-token-xyz789', 'test-client-id', '')).toThrow('STOP');
+        const args = spy.mock.calls[0][0];
+        const body = args[args.indexOf('-d') + 1];
+        expect(body).toBe('refresh_token=refresh-token-xyz789&client_id=test-client-id&grant_type=refresh_token');
+    });
+});
+//# sourceMappingURL=oauthUtils.test.js.map

package/dist/tests/oauthUtils.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauthUtils.test.js","sourceRoot":"","sources":["../../tests/oauthUtils.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAC;AAC7D,OAAO,EACL,wBAAwB,EACxB,oBAAoB,EACpB,qBAAqB,EACrB,qBAAqB,EACrB,kBAAkB,EAClB,uBAAuB,EACvB,+BAA+B,GAChC,MAAM,sBAAsB,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,gBAAgB,CAAC;AAEvC,SAAS,CAAC,GAAG,EAAE;IACb,EAAE,CAAC,eAAe,EAAE,CAAC;AACvB,CAAC,CAAC,CAAC;AAEH,KAAK,wBAAwB,CAAC;AAC9B,KAAK,uBAAuB,CAAC;AAC7B,KAAK,+BAA+B,CAAC;AAErC,QAAQ,CAAC,0BAA0B,EAAE,GAAG,EAAE;IACxC,EAAE,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;AACvB,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,sBAAsB,EAAE,GAAG,EAAE;IACpC,EAAE,CAAC,WAAW,EAAE,GAAG,EAAE;QACnB,oBAAoB,EAAE,CAAC;IACzB,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,uBAAuB,EAAE,GAAG,EAAE;IACrC,EAAE,CAAC,WAAW,EAAE,GAAG,EAAE;QACnB,qBAAqB,CAAC,6CAA6C,CAAC,CAAC;IACvE,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,uBAAuB,EAAE,GAAG,EAAE;IACrC,EAAE,CAAC,2CAA2C,EAAE,GAAG,EAAE;QACnD,MAAM,GAAG,GAAG,EAAE,CAAC,KAAK,CAAC,IAAI,EAAE,aAAa,CAAC,CAAC,kBAAkB,CAAC,GAAG,EAAE;YAChE,MAAM,IAAI,KAAK,CAAC,MAAM,CAAC,CAAC;QAC1B,CAAC,CAAC,CAAC;QAEH,MAAM,CAAC,GAAG,EAAE,CACV,qBAAqB,CACnB,uCAAuC,EACvC,kBAAkB,EAClB,gBAAgB,EAChB,oBAAoB,EACpB,uCAAuC,EACvC,6CAA6C,CAC9C,CACF,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QAElB,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAE,CAAC,CAAC,CAAC,CAAC;QACnC,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAE,CAAC;QAC3C,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CACf,sOAAsO,CACvO,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6CAA6C,EAAE,GAAG,EAAE;QACrD,MAAM,GAAG,GAAG,EAAE,CAAC,KAAK,CAAC,IAAI,EAAE,aAAa,CAAC,CAAC,kBAAkB,CAAC,GAAG,EAAE;YAChE,MAAM,IAAI,KAAK,CAAC,MAAM,CAAC,CAAC;QAC1B,CAAC,CAAC,CAAC;QAEH,MAAM,CAAC,GAAG,EAAE,CACV,qBAAqB,CACnB,uCAAuC,EACvC,kBAAkB,EAClB,gBAAgB,EAChB,oBAAoB,EACpB,uCAAuC,CACxC,CACF,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QAElB,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAE,CAAC,CAAC,CAAC,CAAC;QACnC,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAE,CAAC;QAC3C,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CACf,4KAA4K,CAC7K,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,oBAAoB,EAAE,GAAG,EAAE;IAClC,EAAE,CAAC,qDAAqD,EAAE,GAAG,EAAE;QAC7D,MAAM,GAAG,GAAG,EAAE,CAAC,KAAK,CAAC,IAAI,EAAE,aAAa,CAAC,CAAC,kBAAkB,CAAC,GAAG,EAAE;YAChE,MAAM,IAAI,KAAK,CAAC,MAAM,CAAC,CAAC;QAC1B,CAAC,CAAC,CAAC;QAEH,MAAM,CAAC,GAAG,EAAE,CACV,kBAAkB,CAChB,uCAAuC,EACvC,sBAAsB,EACtB,gBAAgB,EAChB,oBAAoB,CACrB,CACF,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QAElB,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAE,CAAC,CAAC,CAAC,CAAC;QACnC,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAE,CAAC;QAC3C,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CACf,uHAAuH,CACxH,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8CAA8C,EAAE,GAAG,EAAE;QACtD,MAAM,GAAG,GAAG,EAAE,CAAC,KAAK,CAAC,IAAI,EAAE,aAAa,CAAC,CAAC,kBAAkB,CAAC,GAAG,EAAE;YAChE,MAAM,IAAI,KAAK,CAAC,MAAM,CAAC,CAAC;QAC1B,CAAC,CAAC,CAAC;QAEH,MAAM,CAAC,GAAG,EAAE,CACV,kBAAkB,CAChB,uCAAuC,EACvC,sBAAsB,EACtB,gBAAgB,EAChB,EAAE,CACH,CACF,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QAElB,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAE,CAAC,CAAC,CAAC,CAAC;QACnC,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAE,CAAC;QAC3C,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CACf,sFAAsF,CACvF,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/tests/permissions.test.js

@@ -2,7 +2,11 @@ import { describe, it, expect, beforeEach, afterEach } from 'vitest';
 import { mkdtempSync, writeFileSync, rmSync } from 'node:fs';
 import { join } from 'node:path';
 import { tmpdir } from 'node:os';
+import { parseCurlArgs } from '@imbue-ai/detent';
 import { checkPermission, PermissionCheckError } from '../src/permissions.js';
+function requestFromCurl(args) {
+    return parseCurlArgs(args);
+}
 describe('checkPermission', () => {
     let tempDir;
     beforeEach(() => {
@@ -13,7 +17,7 @@ describe('checkPermission', () => {
     });
     it('should allow requests when no config file exists', async () => {
         const configPath = join(tempDir, 'nonexistent', 'permissions.json');
-        const result = await checkPermission(['-X', 'GET', 'https://api.example.com/anything'], configPath);
+        const result = await checkPermission(requestFromCurl(['-X', 'GET', 'https://api.example.com/anything']), configPath);
         expect(result).toBe(true);
     });
     it('should allow requests matching a permission rule', async () => {
@@ -35,7 +39,7 @@ describe('checkPermission', () => {
             },
             rules: [{ 'example-api': ['example-read'] }],
         }));
-        const result = await checkPermission(['https://api.example.com/users'], configPath);
+        const result = await checkPermission(requestFromCurl(['https://api.example.com/users']), configPath);
         expect(result).toBe(true);
     });
     it('should deny requests not matching any permission rule', async () => {
@@ -57,7 +61,7 @@ describe('checkPermission', () => {
             },
             rules: [{ 'example-api': ['example-read'] }],
         }));
-        const result = await checkPermission(['-X', 'POST', 'https://api.example.com/users'], configPath);
+        const result = await checkPermission(requestFromCurl(['-X', 'POST', 'https://api.example.com/users']), configPath);
         expect(result).toBe(false);
     });
     it('should deny requests to unrecognized domains when rules exist', async () => {
@@ -79,20 +83,20 @@ describe('checkPermission', () => {
             },
             rules: [{ 'example-api': ['example-read'] }],
         }));
-        const result = await checkPermission(['https://api.other.com/something'], configPath);
+        const result = await checkPermission(requestFromCurl(['https://api.other.com/something']), configPath);
         expect(result).toBe(false);
     });
     it('should throw PermissionCheckError for invalid config files', async () => {
         const configPath = join(tempDir, 'permissions.json');
         writeFileSync(configPath, 'not valid json');
-        await expect(checkPermission(['https://api.example.com/anything'], configPath)).rejects.toThrow(PermissionCheckError);
+        await expect(checkPermission(requestFromCurl(['https://api.example.com/anything']), configPath)).rejects.toThrow(PermissionCheckError);
     });
     it('should accept URLs without a scheme (defaulting to http://) when rules allow them', async () => {
         const configPath = join(tempDir, 'permissions.json');
         writeFileSync(configPath, JSON.stringify({
             rules: [{ any: ['any'] }],
         }));
-        const result = await checkPermission(['www.seznam.cz'], configPath);
+        const result = await checkPermission(requestFromCurl(['www.seznam.cz']), configPath);
         expect(result).toBe(true);
     });
     it('should throw PermissionCheckError when a rule references an unknown schema', async () => {
@@ -100,15 +104,15 @@ describe('checkPermission', () => {
         writeFileSync(configPath, JSON.stringify({
             rules: [{ 'non-existent-schema': ['any'] }],
         }));
-        await expect(checkPermission(['https://api.example.com/anything'], configPath, true)).rejects.toThrow(PermissionCheckError);
+        await expect(checkPermission(requestFromCurl(['https://api.example.com/anything']), configPath, true)).rejects.toThrow(PermissionCheckError);
     });
     it('should allow all requests with the any/any rule', async () => {
         const configPath = join(tempDir, 'permissions.json');
         writeFileSync(configPath, JSON.stringify({
             rules: [{ any: ['any'] }],
         }));
-        const resultGet = await checkPermission(['https://api.example.com/anything'], configPath);
-        const resultPost = await checkPermission(['-X', 'POST', '-d', '{"key":"value"}', 'https://api.other.com/resource'], configPath);
+        const resultGet = await checkPermission(requestFromCurl(['https://api.example.com/anything']), configPath);
+        const resultPost = await checkPermission(requestFromCurl(['-X', 'POST', '-d', '{"key":"value"}', 'https://api.other.com/resource']), configPath);
         expect(resultGet).toBe(true);
         expect(resultPost).toBe(true);
     });
@@ -117,7 +121,7 @@ describe('checkPermission', () => {
         writeFileSync(configPath, JSON.stringify({
             rules: [],
         }));
-        const result = await checkPermission(['https://api.example.com/anything'], configPath);
+        const result = await checkPermission(requestFromCurl(['https://api.example.com/anything']), configPath);
         expect(result).toBe(false);
     });
 });

package/dist/tests/permissions.test.js.map

@@ -1 +1 @@
-{"version":3,"file":"permissions.test.js","sourceRoot":"","sources":["../../tests/permissions.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAC;AACrE,OAAO,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAC7D,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AACjC,OAAO,EAAE,eAAe,EAAE,oBAAoB,EAAE,MAAM,uBAAuB,CAAC;AAE9E,QAAQ,CAAC,iBAAiB,EAAE,GAAG,EAAE;IAC/B,IAAI,OAAe,CAAC;IAEpB,UAAU,CAAC,GAAG,EAAE;QACd,OAAO,GAAG,WAAW,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,4BAA4B,CAAC,CAAC,CAAC;IACtE,CAAC,CAAC,CAAC;IAEH,SAAS,CAAC,GAAG,EAAE;QACb,MAAM,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IACpD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kDAAkD,EAAE,KAAK,IAAI,EAAE;QAChE,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,EAAE,aAAa,EAAE,kBAAkB,CAAC,CAAC;QAEpE,MAAM,MAAM,GAAG,MAAM,eAAe,CAClC,CAAC,IAAI,EAAE,KAAK,EAAE,kCAAkC,CAAC,EACjD,UAAU,CACX,CAAC;QAEF,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kDAAkD,EAAE,KAAK,IAAI,EAAE;QAChE,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,EAAE,kBAAkB,CAAC,CAAC;QACrD,aAAa,CACX,UAAU,EACV,IAAI,CAAC,SAAS,CAAC;YACb,OAAO,EAAE;gBACP,aAAa,EAAE;oBACb,UAAU,EAAE;wBACV,MAAM,EAAE,EAAE,KAAK,EAAE,iBAAiB,EAAE;qBACrC;oBACD,QAAQ,EAAE,CAAC,QAAQ,CAAC;iBACrB;gBACD,cAAc,EAAE;oBACd,UAAU,EAAE;wBACV,MAAM,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE;qBACzB;oBACD,QAAQ,EAAE,CAAC,QAAQ,CAAC;iBACrB;aACF;YACD,KAAK,EAAE,CAAC,EAAE,aAAa,EAAE,CAAC,cAAc,CAAC,EAAE,CAAC;SAC7C,CAAC,CACH,CAAC;QAEF,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,CAAC,+BAA+B,CAAC,EAAE,UAAU,CAAC,CAAC;QAEpF,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uDAAuD,EAAE,KAAK,IAAI,EAAE;QACrE,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,EAAE,kBAAkB,CAAC,CAAC;QACrD,aAAa,CACX,UAAU,EACV,IAAI,CAAC,SAAS,CAAC;YACb,OAAO,EAAE;gBACP,aAAa,EAAE;oBACb,UAAU,EAAE;wBACV,MAAM,EAAE,EAAE,KAAK,EAAE,iBAAiB,EAAE;qBACrC;oBACD,QAAQ,EAAE,CAAC,QAAQ,CAAC;iBACrB;gBACD,cAAc,EAAE;oBACd,UAAU,EAAE;wBACV,MAAM,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE;qBACzB;oBACD,QAAQ,EAAE,CAAC,QAAQ,CAAC;iBACrB;aACF;YACD,KAAK,EAAE,CAAC,EAAE,aAAa,EAAE,CAAC,cAAc,CAAC,EAAE,CAAC;SAC7C,CAAC,CACH,CAAC;QAEF,MAAM,MAAM,GAAG,MAAM,eAAe,CAClC,CAAC,IAAI,EAAE,MAAM,EAAE,+BAA+B,CAAC,EAC/C,UAAU,CACX,CAAC;QAEF,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC7B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+DAA+D,EAAE,KAAK,IAAI,EAAE;QAC7E,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,EAAE,kBAAkB,CAAC,CAAC;QACrD,aAAa,CACX,UAAU,EACV,IAAI,CAAC,SAAS,CAAC;YACb,OAAO,EAAE;gBACP,aAAa,EAAE;oBACb,UAAU,EAAE;wBACV,MAAM,EAAE,EAAE,KAAK,EAAE,iBAAiB,EAAE;qBACrC;oBACD,QAAQ,EAAE,CAAC,QAAQ,CAAC;iBACrB;gBACD,cAAc,EAAE;oBACd,UAAU,EAAE;wBACV,MAAM,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE;qBACzB;oBACD,QAAQ,EAAE,CAAC,QAAQ,CAAC;iBACrB;aACF;YACD,KAAK,EAAE,CAAC,EAAE,aAAa,EAAE,CAAC,cAAc,CAAC,EAAE,CAAC;SAC7C,CAAC,CACH,CAAC;QAEF,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,CAAC,iCAAiC,CAAC,EAAE,UAAU,CAAC,CAAC;QAEtF,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC7B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4DAA4D,EAAE,KAAK,IAAI,EAAE;QAC1E,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,EAAE,kBAAkB,CAAC,CAAC;QACrD,aAAa,CAAC,UAAU,EAAE,gBAAgB,CAAC,CAAC;QAE5C,MAAM,MAAM,CAAC,eAAe,CAAC,CAAC,kCAAkC,CAAC,EAAE,UAAU,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAC7F,oBAAoB,CACrB,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mFAAmF,EAAE,KAAK,IAAI,EAAE;QACjG,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,EAAE,kBAAkB,CAAC,CAAC;QACrD,aAAa,CACX,UAAU,EACV,IAAI,CAAC,SAAS,CAAC;YACb,KAAK,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,KAAK,CAAC,EAAE,CAAC;SAC1B,CAAC,CACH,CAAC;QAEF,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,CAAC,eAAe,CAAC,EAAE,UAAU,CAAC,CAAC;QACpE,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4EAA4E,EAAE,KAAK,IAAI,EAAE;QAC1F,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,EAAE,kBAAkB,CAAC,CAAC;QACrD,aAAa,CACX,UAAU,EACV,IAAI,CAAC,SAAS,CAAC;YACb,KAAK,EAAE,CAAC,EAAE,qBAAqB,EAAE,CAAC,KAAK,CAAC,EAAE,CAAC;SAC5C,CAAC,CACH,CAAC;QAEF,MAAM,MAAM,CACV,eAAe,CAAC,CAAC,kCAAkC,CAAC,EAAE,UAAU,EAAE,IAAI,CAAC,CACxE,CAAC,OAAO,CAAC,OAAO,CAAC,oBAAoB,CAAC,CAAC;IAC1C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iDAAiD,EAAE,KAAK,IAAI,EAAE;QAC/D,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,EAAE,kBAAkB,CAAC,CAAC;QACrD,aAAa,CACX,UAAU,EACV,IAAI,CAAC,SAAS,CAAC;YACb,KAAK,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,KAAK,CAAC,EAAE,CAAC;SAC1B,CAAC,CACH,CAAC;QAEF,MAAM,SAAS,GAAG,MAAM,eAAe,CAAC,CAAC,kCAAkC,CAAC,EAAE,UAAU,CAAC,CAAC;QAC1F,MAAM,UAAU,GAAG,MAAM,eAAe,CACtC,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,iBAAiB,EAAE,gCAAgC,CAAC,EACzE,UAAU,CACX,CAAC;QAEF,MAAM,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC7B,MAAM,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAChC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sDAAsD,EAAE,KAAK,IAAI,EAAE;QACpE,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,EAAE,kBAAkB,CAAC,CAAC;QACrD,aAAa,CACX,UAAU,EACV,IAAI,CAAC,SAAS,CAAC;YACb,KAAK,EAAE,EAAE;SACV,CAAC,CACH,CAAC;QAEF,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,CAAC,kCAAkC,CAAC,EAAE,UAAU,CAAC,CAAC;QAEvF,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC7B,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
+{"version":3,"file":"permissions.test.js","sourceRoot":"","sources":["../../tests/permissions.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAC;AACrE,OAAO,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAC7D,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AACjC,OAAO,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AACjD,OAAO,EAAE,eAAe,EAAE,oBAAoB,EAAE,MAAM,uBAAuB,CAAC;AAE9E,SAAS,eAAe,CAAC,IAAuB;IAC9C,OAAO,aAAa,CAAC,IAAI,CAAC,CAAC;AAC7B,CAAC;AAED,QAAQ,CAAC,iBAAiB,EAAE,GAAG,EAAE;IAC/B,IAAI,OAAe,CAAC;IAEpB,UAAU,CAAC,GAAG,EAAE;QACd,OAAO,GAAG,WAAW,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,4BAA4B,CAAC,CAAC,CAAC;IACtE,CAAC,CAAC,CAAC;IAEH,SAAS,CAAC,GAAG,EAAE;QACb,MAAM,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IACpD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kDAAkD,EAAE,KAAK,IAAI,EAAE;QAChE,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,EAAE,aAAa,EAAE,kBAAkB,CAAC,CAAC;QAEpE,MAAM,MAAM,GAAG,MAAM,eAAe,CAClC,eAAe,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,kCAAkC,CAAC,CAAC,EAClE,UAAU,CACX,CAAC;QAEF,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kDAAkD,EAAE,KAAK,IAAI,EAAE;QAChE,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,EAAE,kBAAkB,CAAC,CAAC;QACrD,aAAa,CACX,UAAU,EACV,IAAI,CAAC,SAAS,CAAC;YACb,OAAO,EAAE;gBACP,aAAa,EAAE;oBACb,UAAU,EAAE;wBACV,MAAM,EAAE,EAAE,KAAK,EAAE,iBAAiB,EAAE;qBACrC;oBACD,QAAQ,EAAE,CAAC,QAAQ,CAAC;iBACrB;gBACD,cAAc,EAAE;oBACd,UAAU,EAAE;wBACV,MAAM,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE;qBACzB;oBACD,QAAQ,EAAE,CAAC,QAAQ,CAAC;iBACrB;aACF;YACD,KAAK,EAAE,CAAC,EAAE,aAAa,EAAE,CAAC,cAAc,CAAC,EAAE,CAAC;SAC7C,CAAC,CACH,CAAC;QAEF,MAAM,MAAM,GAAG,MAAM,eAAe,CAClC,eAAe,CAAC,CAAC,+BAA+B,CAAC,CAAC,EAClD,UAAU,CACX,CAAC;QAEF,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uDAAuD,EAAE,KAAK,IAAI,EAAE;QACrE,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,EAAE,kBAAkB,CAAC,CAAC;QACrD,aAAa,CACX,UAAU,EACV,IAAI,CAAC,SAAS,CAAC;YACb,OAAO,EAAE;gBACP,aAAa,EAAE;oBACb,UAAU,EAAE;wBACV,MAAM,EAAE,EAAE,KAAK,EAAE,iBAAiB,EAAE;qBACrC;oBACD,QAAQ,EAAE,CAAC,QAAQ,CAAC;iBACrB;gBACD,cAAc,EAAE;oBACd,UAAU,EAAE;wBACV,MAAM,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE;qBACzB;oBACD,QAAQ,EAAE,CAAC,QAAQ,CAAC;iBACrB;aACF;YACD,KAAK,EAAE,CAAC,EAAE,aAAa,EAAE,CAAC,cAAc,CAAC,EAAE,CAAC;SAC7C,CAAC,CACH,CAAC;QAEF,MAAM,MAAM,GAAG,MAAM,eAAe,CAClC,eAAe,CAAC,CAAC,IAAI,EAAE,MAAM,EAAE,+BAA+B,CAAC,CAAC,EAChE,UAAU,CACX,CAAC;QAEF,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC7B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+DAA+D,EAAE,KAAK,IAAI,EAAE;QAC7E,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,EAAE,kBAAkB,CAAC,CAAC;QACrD,aAAa,CACX,UAAU,EACV,IAAI,CAAC,SAAS,CAAC;YACb,OAAO,EAAE;gBACP,aAAa,EAAE;oBACb,UAAU,EAAE;wBACV,MAAM,EAAE,EAAE,KAAK,EAAE,iBAAiB,EAAE;qBACrC;oBACD,QAAQ,EAAE,CAAC,QAAQ,CAAC;iBACrB;gBACD,cAAc,EAAE;oBACd,UAAU,EAAE;wBACV,MAAM,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE;qBACzB;oBACD,QAAQ,EAAE,CAAC,QAAQ,CAAC;iBACrB;aACF;YACD,KAAK,EAAE,CAAC,EAAE,aAAa,EAAE,CAAC,cAAc,CAAC,EAAE,CAAC;SAC7C,CAAC,CACH,CAAC;QAEF,MAAM,MAAM,GAAG,MAAM,eAAe,CAClC,eAAe,CAAC,CAAC,iCAAiC,CAAC,CAAC,EACpD,UAAU,CACX,CAAC;QAEF,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC7B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4DAA4D,EAAE,KAAK,IAAI,EAAE;QAC1E,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,EAAE,kBAAkB,CAAC,CAAC;QACrD,aAAa,CAAC,UAAU,EAAE,gBAAgB,CAAC,CAAC;QAE5C,MAAM,MAAM,CACV,eAAe,CAAC,eAAe,CAAC,CAAC,kCAAkC,CAAC,CAAC,EAAE,UAAU,CAAC,CACnF,CAAC,OAAO,CAAC,OAAO,CAAC,oBAAoB,CAAC,CAAC;IAC1C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mFAAmF,EAAE,KAAK,IAAI,EAAE;QACjG,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,EAAE,kBAAkB,CAAC,CAAC;QACrD,aAAa,CACX,UAAU,EACV,IAAI,CAAC,SAAS,CAAC;YACb,KAAK,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,KAAK,CAAC,EAAE,CAAC;SAC1B,CAAC,CACH,CAAC;QAEF,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,eAAe,CAAC,CAAC,eAAe,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC;QACrF,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4EAA4E,EAAE,KAAK,IAAI,EAAE;QAC1F,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,EAAE,kBAAkB,CAAC,CAAC;QACrD,aAAa,CACX,UAAU,EACV,IAAI,CAAC,SAAS,CAAC;YACb,KAAK,EAAE,CAAC,EAAE,qBAAqB,EAAE,CAAC,KAAK,CAAC,EAAE,CAAC;SAC5C,CAAC,CACH,CAAC;QAEF,MAAM,MAAM,CACV,eAAe,CAAC,eAAe,CAAC,CAAC,kCAAkC,CAAC,CAAC,EAAE,UAAU,EAAE,IAAI,CAAC,CACzF,CAAC,OAAO,CAAC,OAAO,CAAC,oBAAoB,CAAC,CAAC;IAC1C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iDAAiD,EAAE,KAAK,IAAI,EAAE;QAC/D,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,EAAE,kBAAkB,CAAC,CAAC;QACrD,aAAa,CACX,UAAU,EACV,IAAI,CAAC,SAAS,CAAC;YACb,KAAK,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,KAAK,CAAC,EAAE,CAAC;SAC1B,CAAC,CACH,CAAC;QAEF,MAAM,SAAS,GAAG,MAAM,eAAe,CACrC,eAAe,CAAC,CAAC,kCAAkC,CAAC,CAAC,EACrD,UAAU,CACX,CAAC;QACF,MAAM,UAAU,GAAG,MAAM,eAAe,CACtC,eAAe,CAAC,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,iBAAiB,EAAE,gCAAgC,CAAC,CAAC,EAC1F,UAAU,CACX,CAAC;QAEF,MAAM,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC7B,MAAM,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAChC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sDAAsD,EAAE,KAAK,IAAI,EAAE;QACpE,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,EAAE,kBAAkB,CAAC,CAAC;QACrD,aAAa,CACX,UAAU,EACV,IAAI,CAAC,SAAS,CAAC;YACb,KAAK,EAAE,EAAE;SACV,CAAC,CACH,CAAC;QAEF,MAAM,MAAM,GAAG,MAAM,eAAe,CAClC,eAAe,CAAC,CAAC,kCAAkC,CAAC,CAAC,EACrD,UAAU,CACX,CAAC;QAEF,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC7B,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/tests/permissionsOverride.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=permissionsOverride.test.d.ts.map

package/dist/tests/permissionsOverride.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"permissionsOverride.test.d.ts","sourceRoot":"","sources":["../../tests/permissionsOverride.test.ts"],"names":[],"mappings":""}

package/dist/tests/permissionsOverride.test.js

@@ -0,0 +1,136 @@
+import { describe, it, expect, beforeEach, afterEach } from 'vitest';
+import { createHmac } from 'node:crypto';
+import { mkdtempSync, mkdirSync, rmSync, writeFileSync } from 'node:fs';
+import { join } from 'node:path';
+import { tmpdir } from 'node:os';
+import { createPermissionsOverrideJwt, derivePermissionsOverrideSigningKey, InvalidPermissionsOverrideError, PERMISSIONS_OVERRIDE_HEADER, PermissionsOverrideFileMissingError, resolvePermissionsOverride, verifyPermissionsOverrideJwt, } from '../src/gateway/permissionsOverride.js';
+const TEST_ENCRYPTION_KEY = 'dGVzdGtleXRlc3RrZXl0ZXN0a2V5dGVzdGtleXRlc3Q=';
+const OTHER_ENCRYPTION_KEY = 'b3RoZXJrZXlvdGhlcmtleW90aGVya2V5b3RoZXJrZXk=';
+describe('PERMISSIONS_OVERRIDE_HEADER', () => {
+    it('is the lowercase header name', () => {
+        expect(PERMISSIONS_OVERRIDE_HEADER).toBe('x-latchkey-gateway-permissions-override');
+    });
+});
+describe('derivePermissionsOverrideSigningKey', () => {
+    it('produces a deterministic 32-byte key', () => {
+        const a = derivePermissionsOverrideSigningKey(TEST_ENCRYPTION_KEY);
+        const b = derivePermissionsOverrideSigningKey(TEST_ENCRYPTION_KEY);
+        expect(a.length).toBe(32);
+        expect(a.equals(b)).toBe(true);
+    });
+    it('produces different keys for different master keys', () => {
+        const a = derivePermissionsOverrideSigningKey(TEST_ENCRYPTION_KEY);
+        const b = derivePermissionsOverrideSigningKey(OTHER_ENCRYPTION_KEY);
+        expect(a.equals(b)).toBe(false);
+    });
+    it('does not equal the encryption key itself', () => {
+        const derived = derivePermissionsOverrideSigningKey(TEST_ENCRYPTION_KEY);
+        const master = Buffer.from(TEST_ENCRYPTION_KEY, 'base64');
+        expect(derived.equals(master)).toBe(false);
+    });
+});
+describe('createPermissionsOverrideJwt / verifyPermissionsOverrideJwt', () => {
+    const signingKey = derivePermissionsOverrideSigningKey(TEST_ENCRYPTION_KEY);
+    it('round-trips an absolute path', () => {
+        const token = createPermissionsOverrideJwt('/etc/latchkey/permissions.json', signingKey);
+        const payload = verifyPermissionsOverrideJwt(token, signingKey);
+        expect(payload).toEqual({ permissionsConfig: '/etc/latchkey/permissions.json' });
+    });
+    it('produces a three-segment JWT', () => {
+        const token = createPermissionsOverrideJwt('/x.json', signingKey);
+        expect(token.split('.')).toHaveLength(3);
+    });
+    it('uses HS256/JWT in the header', () => {
+        const token = createPermissionsOverrideJwt('/x.json', signingKey);
+        const header = token.split('.')[0];
+        const json = Buffer.from(header, 'base64url').toString('utf-8');
+        expect(JSON.parse(json)).toEqual({ alg: 'HS256', typ: 'JWT' });
+    });
+    it('payload contains only the permissionsConfig field', () => {
+        const token = createPermissionsOverrideJwt('/x.json', signingKey);
+        const payload = token.split('.')[1];
+        const json = Buffer.from(payload, 'base64url').toString('utf-8');
+        expect(JSON.parse(json)).toEqual({ permissionsConfig: '/x.json' });
+    });
+    it('rejects creation for non-absolute paths', () => {
+        expect(() => createPermissionsOverrideJwt('relative/path.json', signingKey)).toThrow(InvalidPermissionsOverrideError);
+    });
+    it('rejects tokens signed with a different key', () => {
+        const otherKey = derivePermissionsOverrideSigningKey(OTHER_ENCRYPTION_KEY);
+        const token = createPermissionsOverrideJwt('/x.json', otherKey);
+        expect(() => verifyPermissionsOverrideJwt(token, signingKey)).toThrow(InvalidPermissionsOverrideError);
+    });
+    it('rejects tokens with a tampered payload', () => {
+        const token = createPermissionsOverrideJwt('/x.json', signingKey);
+        const [header, , signature] = token.split('.');
+        const tamperedPayload = Buffer.from(JSON.stringify({ permissionsConfig: '/y.json' }), 'utf-8').toString('base64url');
+        const tampered = `${header}.${tamperedPayload}.${signature}`;
+        expect(() => verifyPermissionsOverrideJwt(tampered, signingKey)).toThrow(InvalidPermissionsOverrideError);
+    });
+    it('rejects tokens that do not have three segments', () => {
+        expect(() => verifyPermissionsOverrideJwt('a.b', signingKey)).toThrow(InvalidPermissionsOverrideError);
+        expect(() => verifyPermissionsOverrideJwt('a.b.c.d', signingKey)).toThrow(InvalidPermissionsOverrideError);
+    });
+    function base64Url(value) {
+        return Buffer.from(value, 'utf-8').toString('base64url');
+    }
+    function buildSignedToken(headerJson, payloadJson) {
+        const headerSegment = base64Url(headerJson);
+        const payloadSegment = base64Url(payloadJson);
+        const signature = createHmac('sha256', signingKey)
+            .update(`${headerSegment}.${payloadSegment}`)
+            .digest('base64url');
+        return `${headerSegment}.${payloadSegment}.${signature}`;
+    }
+    it('rejects tokens whose payload is not valid JSON', () => {
+        // Sign a payload that is base64url of "not-json" so we hit the JSON parse
+        // error rather than the signature mismatch error first.
+        const headerSegment = base64Url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
+        const payloadSegment = base64Url('not-json');
+        const signature = createHmac('sha256', signingKey)
+            .update(`${headerSegment}.${payloadSegment}`)
+            .digest('base64url');
+        const token = `${headerSegment}.${payloadSegment}.${signature}`;
+        expect(() => verifyPermissionsOverrideJwt(token, signingKey)).toThrow(InvalidPermissionsOverrideError);
+    });
+    it('rejects payloads without permissionsConfig', () => {
+        const token = buildSignedToken(JSON.stringify({ alg: 'HS256', typ: 'JWT' }), JSON.stringify({ other: '/x.json' }));
+        expect(() => verifyPermissionsOverrideJwt(token, signingKey)).toThrow(InvalidPermissionsOverrideError);
+    });
+    it('rejects payloads whose permissionsConfig is not absolute', () => {
+        const token = buildSignedToken(JSON.stringify({ alg: 'HS256', typ: 'JWT' }), JSON.stringify({ permissionsConfig: 'relative.json' }));
+        expect(() => verifyPermissionsOverrideJwt(token, signingKey)).toThrow(InvalidPermissionsOverrideError);
+    });
+    it('rejects headers with the wrong algorithm', () => {
+        const token = buildSignedToken(JSON.stringify({ alg: 'none', typ: 'JWT' }), JSON.stringify({ permissionsConfig: '/x.json' }));
+        expect(() => verifyPermissionsOverrideJwt(token, signingKey)).toThrow(InvalidPermissionsOverrideError);
+    });
+});
+describe('resolvePermissionsOverride', () => {
+    const signingKey = derivePermissionsOverrideSigningKey(TEST_ENCRYPTION_KEY);
+    let tempDir;
+    beforeEach(() => {
+        tempDir = mkdtempSync(join(tmpdir(), 'latchkey-pp-test-'));
+    });
+    afterEach(() => {
+        rmSync(tempDir, { recursive: true, force: true });
+    });
+    it('returns the path when the file exists', () => {
+        const path = join(tempDir, 'permissions.json');
+        writeFileSync(path, '{}');
+        const token = createPermissionsOverrideJwt(path, signingKey);
+        expect(resolvePermissionsOverride(token, signingKey)).toBe(path);
+    });
+    it('throws PermissionsOverrideFileMissingError when the file is absent', () => {
+        const path = join(tempDir, 'does-not-exist.json');
+        const token = createPermissionsOverrideJwt(path, signingKey);
+        expect(() => resolvePermissionsOverride(token, signingKey)).toThrow(PermissionsOverrideFileMissingError);
+    });
+    it('throws PermissionsOverrideFileMissingError when the path is a directory', () => {
+        const path = join(tempDir, 'subdir');
+        mkdirSync(path);
+        const token = createPermissionsOverrideJwt(path, signingKey);
+        expect(() => resolvePermissionsOverride(token, signingKey)).toThrow(PermissionsOverrideFileMissingError);
+    });
+});
+//# sourceMappingURL=permissionsOverride.test.js.map

package/dist/tests/permissionsOverride.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"permissionsOverride.test.js","sourceRoot":"","sources":["../../tests/permissionsOverride.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAC;AACrE,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AACxE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AACjC,OAAO,EACL,4BAA4B,EAC5B,mCAAmC,EACnC,+BAA+B,EAC/B,2BAA2B,EAC3B,mCAAmC,EACnC,0BAA0B,EAC1B,4BAA4B,GAC7B,MAAM,uCAAuC,CAAC;AAE/C,MAAM,mBAAmB,GAAG,8CAA8C,CAAC;AAC3E,MAAM,oBAAoB,GAAG,8CAA8C,CAAC;AAE5E,QAAQ,CAAC,6BAA6B,EAAE,GAAG,EAAE;IAC3C,EAAE,CAAC,8BAA8B,EAAE,GAAG,EAAE;QACtC,MAAM,CAAC,2BAA2B,CAAC,CAAC,IAAI,CAAC,yCAAyC,CAAC,CAAC;IACtF,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,qCAAqC,EAAE,GAAG,EAAE;IACnD,EAAE,CAAC,sCAAsC,EAAE,GAAG,EAAE;QAC9C,MAAM,CAAC,GAAG,mCAAmC,CAAC,mBAAmB,CAAC,CAAC;QACnE,MAAM,CAAC,GAAG,mCAAmC,CAAC,mBAAmB,CAAC,CAAC;QACnE,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAC1B,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACjC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mDAAmD,EAAE,GAAG,EAAE;QAC3D,MAAM,CAAC,GAAG,mCAAmC,CAAC,mBAAmB,CAAC,CAAC;QACnE,MAAM,CAAC,GAAG,mCAAmC,CAAC,oBAAoB,CAAC,CAAC;QACpE,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAClC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0CAA0C,EAAE,GAAG,EAAE;QAClD,MAAM,OAAO,GAAG,mCAAmC,CAAC,mBAAmB,CAAC,CAAC;QACzE,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,mBAAmB,EAAE,QAAQ,CAAC,CAAC;QAC1D,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC7C,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,6DAA6D,EAAE,GAAG,EAAE;IAC3E,MAAM,UAAU,GAAG,mCAAmC,CAAC,mBAAmB,CAAC,CAAC;IAE5E,EAAE,CAAC,8BAA8B,EAAE,GAAG,EAAE;QACtC,MAAM,KAAK,GAAG,4BAA4B,CAAC,gCAAgC,EAAE,UAAU,CAAC,CAAC;QACzF,MAAM,OAAO,GAAG,4BAA4B,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;QAChE,MAAM,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,EAAE,iBAAiB,EAAE,gCAAgC,EAAE,CAAC,CAAC;IACnF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8BAA8B,EAAE,GAAG,EAAE;QACtC,MAAM,KAAK,GAAG,4BAA4B,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;QAClE,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC3C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8BAA8B,EAAE,GAAG,EAAE;QACtC,MAAM,KAAK,GAAG,4BAA4B,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;QAClE,MAAM,MAAM,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAE,CAAC;QACpC,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QAChE,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,CAAC;IACjE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mDAAmD,EAAE,GAAG,EAAE;QAC3D,MAAM,KAAK,GAAG,4BAA4B,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;QAClE,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAE,CAAC;QACrC,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QACjE,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,iBAAiB,EAAE,SAAS,EAAE,CAAC,CAAC;IACrE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yCAAyC,EAAE,GAAG,EAAE;QACjD,MAAM,CAAC,GAAG,EAAE,CAAC,4BAA4B,CAAC,oBAAoB,EAAE,UAAU,CAAC,CAAC,CAAC,OAAO,CAClF,+BAA+B,CAChC,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4CAA4C,EAAE,GAAG,EAAE;QACpD,MAAM,QAAQ,GAAG,mCAAmC,CAAC,oBAAoB,CAAC,CAAC;QAC3E,MAAM,KAAK,GAAG,4BAA4B,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;QAChE,MAAM,CAAC,GAAG,EAAE,CAAC,4BAA4B,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC,CAAC,OAAO,CACnE,+BAA+B,CAChC,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,wCAAwC,EAAE,GAAG,EAAE;QAChD,MAAM,KAAK,GAAG,4BAA4B,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;QAClE,MAAM,CAAC,MAAM,EAAE,AAAD,EAAG,SAAS,CAAC,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAA6B,CAAC;QAC3E,MAAM,eAAe,GAAG,MAAM,CAAC,IAAI,CACjC,IAAI,CAAC,SAAS,CAAC,EAAE,iBAAiB,EAAE,SAAS,EAAE,CAAC,EAChD,OAAO,CACR,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QACxB,MAAM,QAAQ,GAAG,GAAG,MAAM,IAAI,eAAe,IAAI,SAAS,EAAE,CAAC;QAC7D,MAAM,CAAC,GAAG,EAAE,CAAC,4BAA4B,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC,CAAC,OAAO,CACtE,+BAA+B,CAChC,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gDAAgD,EAAE,GAAG,EAAE;QACxD,MAAM,CAAC,GAAG,EAAE,CAAC,4BAA4B,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC,CAAC,OAAO,CACnE,+BAA+B,CAChC,CAAC;QACF,MAAM,CAAC,GAAG,EAAE,CAAC,4BAA4B,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC,CAAC,OAAO,CACvE,+BAA+B,CAChC,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,SAAS,SAAS,CAAC,KAAa;QAC9B,OAAO,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IAC3D,CAAC;IAED,SAAS,gBAAgB,CAAC,UAAkB,EAAE,WAAmB;QAC/D,MAAM,aAAa,GAAG,SAAS,CAAC,UAAU,CAAC,CAAC;QAC5C,MAAM,cAAc,GAAG,SAAS,CAAC,WAAW,CAAC,CAAC;QAC9C,MAAM,SAAS,GAAG,UAAU,CAAC,QAAQ,EAAE,UAAU,CAAC;aAC/C,MAAM,CAAC,GAAG,aAAa,IAAI,cAAc,EAAE,CAAC;aAC5C,MAAM,CAAC,WAAW,CAAC,CAAC;QACvB,OAAO,GAAG,aAAa,IAAI,cAAc,IAAI,SAAS,EAAE,CAAC;IAC3D,CAAC;IAED,EAAE,CAAC,gDAAgD,EAAE,GAAG,EAAE;QACxD,0EAA0E;QAC1E,wDAAwD;QACxD,MAAM,aAAa,GAAG,SAAS,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC;QAC9E,MAAM,cAAc,GAAG,SAAS,CAAC,UAAU,CAAC,CAAC;QAC7C,MAAM,SAAS,GAAG,UAAU,CAAC,QAAQ,EAAE,UAAU,CAAC;aAC/C,MAAM,CAAC,GAAG,aAAa,IAAI,cAAc,EAAE,CAAC;aAC5C,MAAM,CAAC,WAAW,CAAC,CAAC;QACvB,MAAM,KAAK,GAAG,GAAG,aAAa,IAAI,cAAc,IAAI,SAAS,EAAE,CAAC;QAChE,MAAM,CAAC,GAAG,EAAE,CAAC,4BAA4B,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC,CAAC,OAAO,CACnE,+BAA+B,CAChC,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4CAA4C,EAAE,GAAG,EAAE;QACpD,MAAM,KAAK,GAAG,gBAAgB,CAC5B,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,EAC5C,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,CACrC,CAAC;QACF,MAAM,CAAC,GAAG,EAAE,CAAC,4BAA4B,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC,CAAC,OAAO,CACnE,+BAA+B,CAChC,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0DAA0D,EAAE,GAAG,EAAE;QAClE,MAAM,KAAK,GAAG,gBAAgB,CAC5B,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,EAC5C,IAAI,CAAC,SAAS,CAAC,EAAE,iBAAiB,EAAE,eAAe,EAAE,CAAC,CACvD,CAAC;QACF,MAAM,CAAC,GAAG,EAAE,CAAC,4BAA4B,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC,CAAC,OAAO,CACnE,+BAA+B,CAChC,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0CAA0C,EAAE,GAAG,EAAE;QAClD,MAAM,KAAK,GAAG,gBAAgB,CAC5B,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,EAC3C,IAAI,CAAC,SAAS,CAAC,EAAE,iBAAiB,EAAE,SAAS,EAAE,CAAC,CACjD,CAAC;QACF,MAAM,CAAC,GAAG,EAAE,CAAC,4BAA4B,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC,CAAC,OAAO,CACnE,+BAA+B,CAChC,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,4BAA4B,EAAE,GAAG,EAAE;IAC1C,MAAM,UAAU,GAAG,mCAAmC,CAAC,mBAAmB,CAAC,CAAC;IAC5E,IAAI,OAAe,CAAC;IAEpB,UAAU,CAAC,GAAG,EAAE;QACd,OAAO,GAAG,WAAW,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,mBAAmB,CAAC,CAAC,CAAC;IAC7D,CAAC,CAAC,CAAC;IAEH,SAAS,CAAC,GAAG,EAAE;QACb,MAAM,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IACpD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uCAAuC,EAAE,GAAG,EAAE;QAC/C,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,EAAE,kBAAkB,CAAC,CAAC;QAC/C,aAAa,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;QAC1B,MAAM,KAAK,GAAG,4BAA4B,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;QAC7D,MAAM,CAAC,0BAA0B,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACnE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oEAAoE,EAAE,GAAG,EAAE;QAC5E,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,EAAE,qBAAqB,CAAC,CAAC;QAClD,MAAM,KAAK,GAAG,4BAA4B,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;QAC7D,MAAM,CAAC,GAAG,EAAE,CAAC,0BAA0B,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC,CAAC,OAAO,CACjE,mCAAmC,CACpC,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yEAAyE,EAAE,GAAG,EAAE;QACjF,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QACrC,SAAS,CAAC,IAAI,CAAC,CAAC;QAChB,MAAM,KAAK,GAAG,4BAA4B,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;QAC7D,MAAM,CAAC,GAAG,EAAE,CAAC,0BAA0B,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC,CAAC,OAAO,CACjE,mCAAmC,CACpC,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/tests/resolveEncryptionKey.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=resolveEncryptionKey.test.d.ts.map

package/dist/tests/resolveEncryptionKey.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"resolveEncryptionKey.test.d.ts","sourceRoot":"","sources":["../../tests/resolveEncryptionKey.test.ts"],"names":[],"mappings":""}

package/dist/tests/resolveEncryptionKey.test.js

@@ -0,0 +1,26 @@
+import { describe, it, expect, vi } from 'vitest';
+import { EncryptionKeyLostError, generateKey, resolveEncryptionKey } from '../src/encryption.js';
+vi.mock('../src/keychain.js', async (importOriginal) => {
+    const original = await importOriginal();
+    return {
+        ...original,
+        retrieveFromKeychain: () => Promise.resolve(null),
+        storeInKeychain: () => Promise.resolve(undefined),
+    };
+});
+describe('resolveEncryptionKey', () => {
+    it('returns the override verbatim and does not touch the keychain', async () => {
+        const override = generateKey();
+        await expect(resolveEncryptionKey({ encryptionKeyOverride: override })).resolves.toBe(override);
+    });
+    it('throws EncryptionKeyLostError when allowKeyGeneration is false and keychain has no key', async () => {
+        await expect(resolveEncryptionKey({ allowKeyGeneration: false })).rejects.toThrow(EncryptionKeyLostError);
+    });
+    it('generates a new key when allowKeyGeneration is true and keychain has no key', async () => {
+        await expect(resolveEncryptionKey({ allowKeyGeneration: true })).resolves.toMatch(/.+/);
+    });
+    it('generates a new key when allowKeyGeneration is unset and keychain has no key', async () => {
+        await expect(resolveEncryptionKey({})).resolves.toMatch(/.+/);
+    });
+});
+//# sourceMappingURL=resolveEncryptionKey.test.js.map

package/dist/tests/resolveEncryptionKey.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"resolveEncryptionKey.test.js","sourceRoot":"","sources":["../../tests/resolveEncryptionKey.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAClD,OAAO,EAAE,sBAAsB,EAAE,WAAW,EAAE,oBAAoB,EAAE,MAAM,sBAAsB,CAAC;AAEjG,EAAE,CAAC,IAAI,CAAC,oBAAoB,EAAE,KAAK,EAAE,cAAc,EAAE,EAAE;IACrD,MAAM,QAAQ,GAAG,MAAM,cAAc,EAAuC,CAAC;IAC7E,OAAO;QACL,GAAG,QAAQ;QACX,oBAAoB,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC;QACjD,eAAe,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC;KAClD,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,sBAAsB,EAAE,GAAG,EAAE;IACpC,EAAE,CAAC,+DAA+D,EAAE,KAAK,IAAI,EAAE;QAC7E,MAAM,QAAQ,GAAG,WAAW,EAAE,CAAC;QAC/B,MAAM,MAAM,CAAC,oBAAoB,CAAC,EAAE,qBAAqB,EAAE,QAAQ,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAClG,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,wFAAwF,EAAE,KAAK,IAAI,EAAE;QACtG,MAAM,MAAM,CAAC,oBAAoB,CAAC,EAAE,kBAAkB,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAC/E,sBAAsB,CACvB,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6EAA6E,EAAE,KAAK,IAAI,EAAE;QAC3F,MAAM,MAAM,CAAC,oBAAoB,CAAC,EAAE,kBAAkB,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IAC1F,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8EAA8E,EAAE,KAAK,IAAI,EAAE;QAC5F,MAAM,MAAM,CAAC,oBAAoB,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IAChE,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/tests/sharedOperations.test.js

@@ -13,8 +13,8 @@ import { Config } from '../src/config.js';
 import { servicesList, servicesInfo, authList, authBrowser, authBrowserPrepare, UnknownServiceError, PreparationRequiredError, } from '../src/sharedOperations.js';
 import { BrowserFlowsNotSupportedError } from '../src/playwrightUtils.js';
 const TEST_ENCRYPTION_KEY = 'dGVzdGtleXRlc3RrZXl0ZXN0a2V5dGVzdGtleXRlc3Q=';
-async function writeSecureFile(path, content) {
-    const storage = await EncryptedStorage.create({ encryptionKeyOverride: TEST_ENCRYPTION_KEY });
+function writeSecureFile(path, content) {
+    const storage = new EncryptedStorage(TEST_ENCRYPTION_KEY);
     storage.writeFile(path, content);
 }
 function createMockService(overrides = {}) {
@@ -51,49 +51,47 @@ describe('operations', () => {
     afterEach(() => {
         rmSync(tempDir, { recursive: true, force: true });
     });
-    async function createApiCredentialStore(credentialsData = {}) {
+    function createApiCredentialStore(credentialsData = {}) {
         const storePath = join(tempDir, 'credentials.json');
-        await writeSecureFile(storePath, JSON.stringify(credentialsData));
-        const encryptedStorage = await EncryptedStorage.create({
-            encryptionKeyOverride: TEST_ENCRYPTION_KEY,
-        });
+        writeSecureFile(storePath, JSON.stringify(credentialsData));
+        const encryptedStorage = new EncryptedStorage(TEST_ENCRYPTION_KEY);
         return new ApiCredentialStore(storePath, encryptedStorage);
     }
     describe('servicesList', () => {
-        it('should return sorted service names', async () => {
+        it('should return sorted service names', () => {
             const serviceA = createMockService({ name: 'zzz-service' });
             const serviceB = createMockService({ name: 'aaa-service' });
             const registry = new ServiceRegistry([serviceA, serviceB]);
-            const store = await createApiCredentialStore();
+            const store = createApiCredentialStore();
             const config = createMockConfig();
             const result = servicesList(registry, store, config, {});
             expect(result).toEqual(['aaa-service', 'zzz-service']);
         });
-        it('should filter to builtin services only', async () => {
+        it('should filter to builtin services only', () => {
             const builtinService = createMockService({ name: 'slack' });
             const registeredService = new RegisteredService('my-gitlab', 'https://gitlab.example.com');
             const registry = new ServiceRegistry([builtinService]);
             registry.addService(registeredService);
-            const store = await createApiCredentialStore();
+            const store = createApiCredentialStore();
             const config = createMockConfig();
             const result = servicesList(registry, store, config, { builtin: true });
             expect(result).toContain('slack');
             expect(result).not.toContain('my-gitlab');
         });
-        it('should filter to viable services with stored credentials', async () => {
+        it('should filter to viable services with stored credentials', () => {
             const service = createMockService({ name: 'slack', getSession: undefined });
             const registry = new ServiceRegistry([service]);
-            const store = await createApiCredentialStore({
+            const store = createApiCredentialStore({
                 slack: { objectType: 'slack', token: 'test-token', dCookie: 'test-cookie' },
             });
             const config = createMockConfig({ browserDisabled: true });
             const result = servicesList(registry, store, config, { viable: true });
             expect(result).toContain('slack');
         });
-        it('should exclude non-viable services without credentials or browser', async () => {
+        it('should exclude non-viable services without credentials or browser', () => {
             const service = createMockService({ name: 'nologin', getSession: undefined });
             const registry = new ServiceRegistry([service]);
-            const store = await createApiCredentialStore({});
+            const store = createApiCredentialStore({});
             const config = createMockConfig();
             const result = servicesList(registry, store, config, { viable: true });
             expect(result).not.toContain('nologin');
@@ -103,7 +101,7 @@ describe('operations', () => {
         it('should return service info', async () => {
             const service = createMockService();
             const registry = new ServiceRegistry([service]);
-            const store = await createApiCredentialStore();
+            const store = createApiCredentialStore();
             const config = createMockConfig();
             const info = await servicesInfo(registry, store, config, 'slack');
             expect(info.type).toBe('built-in');
@@ -115,14 +113,14 @@ describe('operations', () => {
         });
         it('should throw UnknownServiceError for unknown service', async () => {
             const registry = new ServiceRegistry([]);
-            const store = await createApiCredentialStore();
+            const store = createApiCredentialStore();
             const config = createMockConfig();
             await expect(servicesInfo(registry, store, config, 'unknown')).rejects.toThrow(UnknownServiceError);
         });
         it('should exclude browser from authOptions when browser disabled', async () => {
             const service = createMockService();
             const registry = new ServiceRegistry([service]);
-            const store = await createApiCredentialStore();
+            const store = createApiCredentialStore();
             const config = createMockConfig({ browserDisabled: true });
             const info = await servicesInfo(registry, store, config, 'slack');
             expect(info.authOptions).toEqual(['set']);
@@ -131,7 +129,7 @@ describe('operations', () => {
             const registeredService = new RegisteredService('my-gitlab', 'https://gitlab.example.com');
             const registry = new ServiceRegistry([]);
             registry.addService(registeredService);
-            const store = await createApiCredentialStore();
+            const store = createApiCredentialStore();
             const config = createMockConfig();
             const info = await servicesInfo(registry, store, config, 'my-gitlab');
             expect(info.type).toBe('user-registered');
@@ -141,7 +139,7 @@ describe('operations', () => {
         it('should return stored credentials with status', async () => {
             const service = createMockService();
             const registry = new ServiceRegistry([service]);
-            const store = await createApiCredentialStore({
+            const store = createApiCredentialStore({
                 slack: { objectType: 'slack', token: 'test-token', dCookie: 'test-cookie' },
             });
             const result = await authList(registry, store);
@@ -152,13 +150,13 @@ describe('operations', () => {
         });
         it('should return empty object when no credentials stored', async () => {
             const registry = new ServiceRegistry([]);
-            const store = await createApiCredentialStore({});
+            const store = createApiCredentialStore({});
             const result = await authList(registry, store);
             expect(Object.keys(result)).toHaveLength(0);
         });
         it('should treat unknown services as valid', async () => {
             const registry = new ServiceRegistry([]);
-            const store = await createApiCredentialStore({
+            const store = createApiCredentialStore({
                 unknown: { objectType: 'rawCurl', curlArguments: ['-H', 'X-Token: secret'] },
             });
             const result = await authList(registry, store);
@@ -171,20 +169,16 @@ describe('operations', () => {
     describe('authBrowser', () => {
         it('should throw UnknownServiceError for unknown service', async () => {
             const registry = new ServiceRegistry([]);
-            const store = await createApiCredentialStore();
-            const encryptedStorage = await EncryptedStorage.create({
-                encryptionKeyOverride: TEST_ENCRYPTION_KEY,
-            });
+            const store = createApiCredentialStore();
+            const encryptedStorage = new EncryptedStorage(TEST_ENCRYPTION_KEY);
             const config = createMockConfig();
             await expect(authBrowser(registry, store, encryptedStorage, config, 'unknown')).rejects.toThrow(UnknownServiceError);
         });
         it('should throw BrowserFlowsNotSupportedError when service has no browser support', async () => {
             const service = createMockService({ getSession: undefined });
             const registry = new ServiceRegistry([service]);
-            const store = await createApiCredentialStore();
-            const encryptedStorage = await EncryptedStorage.create({
-                encryptionKeyOverride: TEST_ENCRYPTION_KEY,
-            });
+            const store = createApiCredentialStore();
+            const encryptedStorage = new EncryptedStorage(TEST_ENCRYPTION_KEY);
             const config = createMockConfig();
             await expect(authBrowser(registry, store, encryptedStorage, config, 'slack')).rejects.toThrow(BrowserFlowsNotSupportedError);
         });
@@ -196,10 +190,8 @@ describe('operations', () => {
                 }),
             });
             const registry = new ServiceRegistry([service]);
-            const store = await createApiCredentialStore({});
-            const encryptedStorage = await EncryptedStorage.create({
-                encryptionKeyOverride: TEST_ENCRYPTION_KEY,
-            });
+            const store = createApiCredentialStore({});
+            const encryptedStorage = new EncryptedStorage(TEST_ENCRYPTION_KEY);
             const config = createMockConfig();
             await expect(authBrowser(registry, store, encryptedStorage, config, 'slack')).rejects.toThrow(PreparationRequiredError);
         });
@@ -207,10 +199,8 @@ describe('operations', () => {
     describe('authBrowserPrepare', () => {
         it('should throw UnknownServiceError for unknown service', async () => {
             const registry = new ServiceRegistry([]);
-            const store = await createApiCredentialStore();
-            const encryptedStorage = await EncryptedStorage.create({
-                encryptionKeyOverride: TEST_ENCRYPTION_KEY,
-            });
+            const store = createApiCredentialStore();
+            const encryptedStorage = new EncryptedStorage(TEST_ENCRYPTION_KEY);
             const config = createMockConfig();
             await expect(authBrowserPrepare(registry, store, encryptedStorage, config, 'unknown')).rejects.toThrow(UnknownServiceError);
         });
@@ -222,10 +212,8 @@ describe('operations', () => {
                 }),
             });
             const registry = new ServiceRegistry([service]);
-            const store = await createApiCredentialStore();
-            const encryptedStorage = await EncryptedStorage.create({
-                encryptionKeyOverride: TEST_ENCRYPTION_KEY,
-            });
+            const store = createApiCredentialStore();
+            const encryptedStorage = new EncryptedStorage(TEST_ENCRYPTION_KEY);
             const config = createMockConfig();
             const result = await authBrowserPrepare(registry, store, encryptedStorage, config, 'slack');
             expect(result.alreadyPrepared).toBe(true);
@@ -238,12 +226,10 @@ describe('operations', () => {
                 }),
             });
             const registry = new ServiceRegistry([service]);
-            const store = await createApiCredentialStore({
+            const store = createApiCredentialStore({
                 slack: { objectType: 'slack', token: 'test-token', dCookie: 'test-cookie' },
             });
-            const encryptedStorage = await EncryptedStorage.create({
-                encryptionKeyOverride: TEST_ENCRYPTION_KEY,
-            });
+            const encryptedStorage = new EncryptedStorage(TEST_ENCRYPTION_KEY);
             const config = createMockConfig();
             const result = await authBrowserPrepare(registry, store, encryptedStorage, config, 'slack');
             expect(result.alreadyPrepared).toBe(true);
@@ -251,10 +237,8 @@ describe('operations', () => {
         it('should return alreadyPrepared true when service has no getSession', async () => {
             const service = createMockService({ getSession: undefined });
             const registry = new ServiceRegistry([service]);
-            const store = await createApiCredentialStore();
-            const encryptedStorage = await EncryptedStorage.create({
-                encryptionKeyOverride: TEST_ENCRYPTION_KEY,
-            });
+            const store = createApiCredentialStore();
+            const encryptedStorage = new EncryptedStorage(TEST_ENCRYPTION_KEY);
             const config = createMockConfig();
             const result = await authBrowserPrepare(registry, store, encryptedStorage, config, 'slack');
             expect(result.alreadyPrepared).toBe(true);