narai-primitives 2.0.0 → 2.1.0

package/dist/credentials/file.js

@@ -0,0 +1,159 @@
+/**
+ * file.ts — Plaintext secrets file credential provider.
+ *
+ * Reads a JSON file shaped like `{ "<secret-name>": "<value>", ... }`.
+ * Emits a single `console.warn` on first use to flag that secrets are
+ * stored in cleartext. Callers that need at-rest encryption should switch
+ * to the `cloud_secrets` or `keychain` provider.
+ *
+ * Future enhancement: support age/sops-encrypted files. For now the
+ * warning makes the trade-off explicit.
+ */
+import * as fs from "node:fs";
+export class FileProvider {
+    _path;
+    _suppressWarning;
+    _allowLoosePermissions;
+    _cacheTtlMs;
+    _warned = false;
+    _cache = null;
+    _cacheExpiresAt = null;
+    constructor(opts) {
+        this._path = opts.path;
+        this._suppressWarning = opts.suppressWarning ?? false;
+        this._allowLoosePermissions = opts.allowLoosePermissions ?? false;
+        this._cacheTtlMs = opts.cacheTtlMs ?? Infinity;
+    }
+    /**
+     * Discard the cached JSON so the next `getSecret` re-reads from disk.
+     * Useful when callers want to invalidate the cache on demand — e.g. after
+     * rotating the file — independent of the configured TTL.
+     */
+    clearCache() {
+        this._cache = null;
+        this._cacheExpiresAt = null;
+    }
+    /**
+     * Return the value for `name`. Two lookup strategies, in order:
+     *   1. Literal top-level key — preserves the original flat
+     *      `{ "<name>": "<value>" }` contract and lets users have
+     *      key names that contain dots.
+     *   2. Dot-path traversal — if the literal key doesn't resolve to a
+     *      string, treat `name` as a path (e.g. `db-prod.username`) and
+     *      walk the nested JSON. Returns null if any segment is missing
+     *      or the leaf is not a string. Lets nested credential layouts
+     *      reuse the same file/mode/warning machinery.
+     */
+    async getSecret(name) {
+        return this.getSecretSync(name);
+    }
+    getSecretSync(name) {
+        this._warnOnce();
+        const data = this._load();
+        if (data === null)
+            return null;
+        const literal = data[name];
+        if (typeof literal === "string")
+            return literal;
+        if (name.includes(".")) {
+            const parts = name.split(".");
+            let cur = data;
+            for (const part of parts) {
+                if (cur === null || typeof cur !== "object" || Array.isArray(cur)) {
+                    return null;
+                }
+                cur = cur[part];
+            }
+            if (typeof cur === "string")
+                return cur;
+        }
+        return null;
+    }
+    async describeSecret(name) {
+        const value = this.getSecretSync(name);
+        let lastModified;
+        try {
+            lastModified = fs.statSync(this._path).mtime;
+        }
+        catch {
+            // file absent or unreadable — skip
+        }
+        const out = { exists: value !== null, provider: "file" };
+        if (lastModified !== undefined)
+            out.lastModified = lastModified;
+        return out;
+    }
+    _warnOnce() {
+        if (this._warned || this._suppressWarning)
+            return;
+        this._warned = true;
+        console.warn(`[credential_providers/file] reading secrets from plaintext file ${this._path}; ` +
+            "consider using the keychain or cloud_secrets provider instead.");
+    }
+    /**
+     * Refuse to read the file if its mode is group- or world-accessible
+     * on POSIX systems (matches the OpenSSH posture for private keys).
+     * Skipped on Windows where stat().mode does not carry Unix permission
+     * bits in a portable way.
+     */
+    _checkFileMode() {
+        if (process.platform === "win32")
+            return;
+        if (this._allowLoosePermissions)
+            return;
+        const st = fs.statSync(this._path);
+        const insecureBits = st.mode & 0o077;
+        if (insecureBits !== 0) {
+            const octal = (st.mode & 0o777).toString(8).padStart(3, "0");
+            throw new Error(`[credential_providers/file] refusing to read ${this._path}: ` +
+                `file mode ${octal} is group- or world-accessible. ` +
+                `Run 'chmod 600 ${this._path}' to restrict to the owner.`);
+        }
+    }
+    /**
+     * Parse the credentials JSON. Stores the raw nested structure so
+     * dot-path traversal can find values inside subobjects (e.g. a
+     * `db-<env>: {username, password}` layout); literal-key lookups still
+     * filter to strings in `getSecret`.
+     *
+     * Cache lifecycle: by default held forever (fast path). When `cacheTtlMs`
+     * is finite, the mode check and file read re-run after the TTL elapses —
+     * that way rotated files with new bad permissions still get caught.
+     */
+    _load() {
+        if (this._cache !== null) {
+            if (this._cacheTtlMs === Infinity)
+                return this._cache;
+            if (this._cacheExpiresAt !== null &&
+                Date.now() < this._cacheExpiresAt) {
+                return this._cache;
+            }
+        }
+        if (!fs.existsSync(this._path))
+            return null;
+        this._checkFileMode();
+        const raw = fs.readFileSync(this._path, "utf-8");
+        let parsed;
+        try {
+            parsed = JSON.parse(raw);
+        }
+        catch (err) {
+            this._cache = null;
+            this._cacheExpiresAt = null;
+            throw err;
+        }
+        if (parsed === null ||
+            typeof parsed !== "object" ||
+            Array.isArray(parsed)) {
+            this._cache = null;
+            this._cacheExpiresAt = null;
+            throw new Error(`file provider: ${this._path} did not contain a JSON object`);
+        }
+        this._cache = parsed;
+        if (this._cacheTtlMs !== Infinity) {
+            this._cacheExpiresAt = Date.now() + this._cacheTtlMs;
+        }
+        return this._cache;
+    }
+}
+//# sourceMappingURL=file.js.map

package/dist/credentials/file.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"file.js","sourceRoot":"","sources":["../../src/credentials/file.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AACH,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AA0B9B,MAAM,OAAO,YAAY;IACN,KAAK,CAAS;IACd,gBAAgB,CAAU;IAC1B,sBAAsB,CAAU;IAChC,WAAW,CAAS;IAC7B,OAAO,GAAG,KAAK,CAAC;IAChB,MAAM,GAAmC,IAAI,CAAC;IAC9C,eAAe,GAAkB,IAAI,CAAC;IAE9C,YAAY,IAAyB;QACnC,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,IAAI,CAAC;QACvB,IAAI,CAAC,gBAAgB,GAAG,IAAI,CAAC,eAAe,IAAI,KAAK,CAAC;QACtD,IAAI,CAAC,sBAAsB,GAAG,IAAI,CAAC,qBAAqB,IAAI,KAAK,CAAC;QAClE,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC,UAAU,IAAI,QAAQ,CAAC;IACjD,CAAC;IAED;;;;OAIG;IACH,UAAU;QACR,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC;QACnB,IAAI,CAAC,eAAe,GAAG,IAAI,CAAC;IAC9B,CAAC;IAED;;;;;;;;;;OAUG;IACH,KAAK,CAAC,SAAS,CAAC,IAAY;QAC1B,OAAO,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC;IAClC,CAAC;IAED,aAAa,CAAC,IAAY;QACxB,IAAI,CAAC,SAAS,EAAE,CAAC;QACjB,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,EAAE,CAAC;QAC1B,IAAI,IAAI,KAAK,IAAI;YAAE,OAAO,IAAI,CAAC;QAC/B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC;QAC3B,IAAI,OAAO,OAAO,KAAK,QAAQ;YAAE,OAAO,OAAO,CAAC;QAChD,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YACvB,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC9B,IAAI,GAAG,GAAY,IAAI,CAAC;YACxB,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;gBACzB,IAAI,GAAG,KAAK,IAAI,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;oBAClE,OAAO,IAAI,CAAC;gBACd,CAAC;gBACD,GAAG,GAAI,GAA+B,CAAC,IAAI,CAAC,CAAC;YAC/C,CAAC;YACD,IAAI,OAAO,GAAG,KAAK,QAAQ;gBAAE,OAAO,GAAG,CAAC;QAC1C,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,cAAc,CAAC,IAAY;QAC/B,MAAM,KAAK,GAAG,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC;QACvC,IAAI,YAA8B,CAAC;QACnC,IAAI,CAAC;YACH,YAAY,GAAG,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC;QAC/C,CAAC;QAAC,MAAM,CAAC;YACP,mCAAmC;QACrC,CAAC;QACD,MAAM,GAAG,GAAmB,EAAE,MAAM,EAAE,KAAK,KAAK,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC;QACzE,IAAI,YAAY,KAAK,SAAS;YAAE,GAAG,CAAC,YAAY,GAAG,YAAY,CAAC;QAChE,OAAO,GAAG,CAAC;IACb,CAAC;IAEO,SAAS;QACf,IAAI,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC,gBAAgB;YAAE,OAAO;QAClD,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC;QACpB,OAAO,CAAC,IAAI,CACV,mEAAmE,IAAI,CAAC,KAAK,IAAI;YAC/E,gEAAgE,CACnE,CAAC;IACJ,CAAC;IAED;;;;;OAKG;IACK,cAAc;QACpB,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO;YAAE,OAAO;QACzC,IAAI,IAAI,CAAC,sBAAsB;YAAE,OAAO;QACxC,MAAM,EAAE,GAAG,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACnC,MAAM,YAAY,GAAG,EAAE,CAAC,IAAI,GAAG,KAAK,CAAC;QACrC,IAAI,YAAY,KAAK,CAAC,EAAE,CAAC;YACvB,MAAM,KAAK,GAAG,CAAC,EAAE,CAAC,IAAI,GAAG,KAAK,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;YAC7D,MAAM,IAAI,KAAK,CACb,gDAAgD,IAAI,CAAC,KAAK,IAAI;gBAC5D,aAAa,KAAK,kCAAkC;gBACpD,kBAAkB,IAAI,CAAC,KAAK,6BAA6B,CAC5D,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;;;;;;;;OASG;IACK,KAAK;QACX,IAAI,IAAI,CAAC,MAAM,KAAK,IAAI,EAAE,CAAC;YACzB,IAAI,IAAI,CAAC,WAAW,KAAK,QAAQ;gBAAE,OAAO,IAAI,CAAC,MAAM,CAAC;YACtD,IACE,IAAI,CAAC,eAAe,KAAK,IAAI;gBAC7B,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,eAAe,EACjC,CAAC;gBACD,OAAO,IAAI,CAAC,MAAM,CAAC;YACrB,CAAC;QACH,CAAC;QACD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QAC5C,IAAI,CAAC,cAAc,EAAE,CAAC;QACtB,MAAM,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;QACjD,IAAI,MAAe,CAAC;QACpB,IAAI,CAAC;YACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC3B,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC;YACnB,IAAI,CAAC,eAAe,GAAG,IAAI,CAAC;YAC5B,MAAM,GAAG,CAAC;QACZ,CAAC;QACD,IACE,MAAM,KAAK,IAAI;YACf,OAAO,MAAM,KAAK,QAAQ;YAC1B,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EACrB,CAAC;YACD,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC;YACnB,IAAI,CAAC,eAAe,GAAG,IAAI,CAAC;YAC5B,MAAM,IAAI,KAAK,CACb,kBAAkB,IAAI,CAAC,KAAK,gCAAgC,CAC7D,CAAC;QACJ,CAAC;QACD,IAAI,CAAC,MAAM,GAAG,MAAiC,CAAC;QAChD,IAAI,IAAI,CAAC,WAAW,KAAK,QAAQ,EAAE,CAAC;YAClC,IAAI,CAAC,eAAe,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,WAAW,CAAC;QACvD,CAAC;QACD,OAAO,IAAI,CAAC,MAAM,CAAC;IACrB,CAAC;CACF"}

package/dist/credentials/index.d.ts

@@ -0,0 +1,114 @@
+/** Minimal interface every secret backend satisfies. */
+export interface CredentialProvider {
+    /** Look up a secret by logical name. Returns `null` on miss. */
+    getSecret(name: string): Promise<string | null>;
+    /**
+     * Optional synchronous lookup, for callers that cannot await (module-level
+     * config resolution, legacy synchronous dispatchers). Providers backed by
+     * sync-capable stores (`process.env`, `fs.readFileSync`) implement this;
+     * keychain and cloud providers do not because their backing APIs are
+     * async-only. Callers that need broad backend coverage should prefer
+     * `getSecret`.
+     */
+    getSecretSync?(name: string): string | null;
+    /**
+     * Optional metadata lookup. Default built-in providers fall back to
+     * calling getSecret and reporting `{exists, provider}` only. Cloud
+     * providers may override to surface real version / lastModified data.
+     */
+    describeSecret?(name: string): Promise<SecretMetadata | null>;
+}
+export interface SecretMetadata {
+    /** True when the secret exists in this backend. */
+    exists: boolean;
+    /** Backend-reported version identifier, if available. */
+    version?: string;
+    /** When the secret was last modified, if the backend tracks it. */
+    lastModified?: Date;
+    /** Which registered provider name produced this record. */
+    provider: string;
+}
+export interface ResolveSecretOptions {
+    /** Primary provider name. If unset, uses the first registered provider. */
+    provider?: string;
+    /**
+     * Ordered fallback provider names. Tried in order after the primary
+     * returns `null` or throws.
+     */
+    fallback?: string[];
+}
+export interface ResolveSecretsOptions {
+    /** When true, any null result (miss) causes the batch to reject. */
+    strict?: boolean;
+}
+/**
+ * A named registry of {@link CredentialProvider} instances plus the
+ * `resolveSecret` chain. Instantiate your own resolver for test isolation,
+ * multi-tenant setups, or any case where the module-level {@link defaultResolver}
+ * is too coarse.
+ */
+export declare class CredentialResolver {
+    private readonly _registry;
+    /** Register a provider under a short name (`keychain`, `env_var`, …). */
+    register(name: string, provider: CredentialProvider): void;
+    /** Look up a provider previously registered via {@link register}. */
+    get(name: string): CredentialProvider | undefined;
+    /** Drop all registered providers. */
+    clear(): void;
+    /** Return the list of currently registered provider names. */
+    list(): string[];
+    /**
+     * Resolve a secret through a primary provider and optional fallback chain.
+     *
+     * Returns `null` if no provider produces a value while at least one
+     * provider runs to completion (hit or miss). If *every* provider throws,
+     * an `AggregateError` is raised whose `.errors` array preserves each
+     * original error in the order providers were tried.
+     */
+    resolveSecret(name: string, options?: ResolveSecretOptions): Promise<string | null>;
+    /**
+     * Resolve multiple credential references in parallel.
+     *
+     * Each entry in `specs` maps an alias to a reference string (e.g.
+     * `{db: "env:PGPASSWORD", token: "keychain:gh"}`). Every reference is
+     * parsed up front with `strict: true` so typos in config surface at
+     * batch time rather than silently returning null.
+     *
+     * Per-alias errors are collected and re-thrown as an `AggregateError`
+     * — individual errors are wrapped to include their alias name so the
+     * `.errors` array is self-describing. With `strict: true`, any null
+     * result (miss) also causes the batch to reject.
+     */
+    resolveSecrets(specs: Record<string, string>, options?: ResolveSecretsOptions): Promise<Record<string, string | null>>;
+}
+/**
+ * Built-in provider short names. Matches the reference-string aliases
+ * recognized by `parseCredentialRef` (`env` → `env_var`, `cloud` →
+ * `cloud_secrets`). Consumers can iterate or narrow against this literal;
+ * the tuple is frozen so runtime mutation is rejected in strict mode.
+ */
+export declare const KNOWN_PROVIDERS: readonly ["env", "keychain", "file", "cloud"];
+export type KnownProvider = (typeof KNOWN_PROVIDERS)[number];
+/** Shared resolver used by the module-level delegators below. */
+export declare const defaultResolver: CredentialResolver;
+/** Register a provider on the {@link defaultResolver}. */
+export declare const registerProvider: (name: string, provider: CredentialProvider) => void;
+/** Look up a provider on the {@link defaultResolver}. */
+export declare const getProvider: (name: string) => CredentialProvider | undefined;
+/** Drop all providers from the {@link defaultResolver} (test helper). */
+export declare const clearProviders: () => void;
+/** List provider names registered on the {@link defaultResolver}. */
+export declare const listProviders: () => string[];
+/** Resolve a secret via the {@link defaultResolver}. */
+export declare const resolveSecret: (name: string, options?: ResolveSecretOptions) => Promise<string | null>;
+/** Resolve a batch of credential references via the {@link defaultResolver}. */
+export declare const resolveSecrets: (specs: Record<string, string>, options?: ResolveSecretsOptions) => Promise<Record<string, string | null>>;
+export { FileProvider } from "./file.js";
+export { EnvVarProvider } from "./env_var.js";
+export { KeychainProvider } from "./keychain.js";
+export { CloudSecretsProvider } from "./cloud_secrets.js";
+export type { CloudSecretsConfig, CloudSubProvider } from "./cloud_secrets.js";
+export { parseCredentialRef } from "./parse_ref.js";
+export type { CredentialRef, ParseCredentialRefOptions, } from "./parse_ref.js";
+export { redact, redactAll } from "./redact.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/credentials/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/credentials/index.ts"],"names":[],"mappings":"AAcA,wDAAwD;AACxD,MAAM,WAAW,kBAAkB;IACjC,gEAAgE;IAChE,SAAS,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IAChD;;;;;;;OAOG;IACH,aAAa,CAAC,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAAC;IAC5C;;;;OAIG;IACH,cAAc,CAAC,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,GAAG,IAAI,CAAC,CAAC;CAC/D;AAED,MAAM,WAAW,cAAc;IAC7B,mDAAmD;IACnD,MAAM,EAAE,OAAO,CAAC;IAChB,yDAAyD;IACzD,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,mEAAmE;IACnE,YAAY,CAAC,EAAE,IAAI,CAAC;IACpB,2DAA2D;IAC3D,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,oBAAoB;IACnC,2EAA2E;IAC3E,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB;;;OAGG;IACH,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;CACrB;AAED,MAAM,WAAW,qBAAqB;IACpC,oEAAoE;IACpE,MAAM,CAAC,EAAE,OAAO,CAAC;CAClB;AAED;;;;;GAKG;AACH,qBAAa,kBAAkB;IAC7B,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAyC;IAEnE,yEAAyE;IACzE,QAAQ,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,kBAAkB,GAAG,IAAI;IAI1D,qEAAqE;IACrE,GAAG,CAAC,IAAI,EAAE,MAAM,GAAG,kBAAkB,GAAG,SAAS;IAIjD,qCAAqC;IACrC,KAAK,IAAI,IAAI;IAIb,8DAA8D;IAC9D,IAAI,IAAI,MAAM,EAAE;IAIhB;;;;;;;OAOG;IACG,aAAa,CACjB,IAAI,EAAE,MAAM,EACZ,OAAO,GAAE,oBAAyB,GACjC,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAgCzB;;;;;;;;;;;;OAYG;IACG,cAAc,CAClB,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EAC7B,OAAO,GAAE,qBAA0B,GAClC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC,CAAC;CA0D1C;AAED;;;;;GAKG;AACH,eAAO,MAAM,eAAe,+CAKuC,CAAC;AACpE,MAAM,MAAM,aAAa,GAAG,CAAC,OAAO,eAAe,CAAC,CAAC,MAAM,CAAC,CAAC;AAE7D,iEAAiE;AACjE,eAAO,MAAM,eAAe,oBAA2B,CAAC;AAExD,0DAA0D;AAC1D,eAAO,MAAM,gBAAgB,SA5JZ,MAAM,YAAY,kBAAkB,KAAG,IA4JsB,CAAC;AAC/E,yDAAyD;AACzD,eAAO,MAAM,WAAW,SAzJZ,MAAM,KAAG,kBAAkB,GAAG,SAyJ0B,CAAC;AACrE,yEAAyE;AACzE,eAAO,MAAM,cAAc,QAtJhB,IAsJ8D,CAAC;AAC1E,qEAAqE;AACrE,eAAO,MAAM,aAAa,QAnJhB,MAAM,EAmJuD,CAAC;AACxE,wDAAwD;AACxD,eAAO,MAAM,aAAa,SAxIhB,MAAM,YACH,oBAAoB,KAC5B,OAAO,CAAC,MAAM,GAAG,IAAI,CAuI2B,CAAC;AACtD,gFAAgF;AAChF,eAAO,MAAM,cAAc,UA3FhB,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,YACpB,qBAAqB,KAC7B,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC,CA0FY,CAAC;AAIvD,OAAO,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AACzC,OAAO,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAC9C,OAAO,EAAE,gBAAgB,EAAE,MAAM,eAAe,CAAC;AACjD,OAAO,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AAC1D,YAAY,EAAE,kBAAkB,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAK/E,OAAO,EAAE,kBAAkB,EAAE,MAAM,gBAAgB,CAAC;AACpD,YAAY,EACV,aAAa,EACb,yBAAyB,GAC1B,MAAM,gBAAgB,CAAC;AAExB,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC"}

package/dist/credentials/index.js

@@ -0,0 +1,174 @@
+/**
+ * credential_providers — pluggable secret-backend layer.
+ *
+ * Each provider implements {@link CredentialProvider}. A {@link CredentialResolver}
+ * instance keeps a named registry of providers and exposes `resolveSecret`,
+ * which chains providers in the given fallback order and returns the first
+ * non-null hit.
+ *
+ * A module-level {@link defaultResolver} plus thin delegators
+ * (`registerProvider`, `resolveSecret`, …) are provided so callers that only
+ * need a single global registry can keep their imports flat.
+ */
+import { parseCredentialRef } from "./parse_ref.js";
+/**
+ * A named registry of {@link CredentialProvider} instances plus the
+ * `resolveSecret` chain. Instantiate your own resolver for test isolation,
+ * multi-tenant setups, or any case where the module-level {@link defaultResolver}
+ * is too coarse.
+ */
+export class CredentialResolver {
+    _registry = new Map();
+    /** Register a provider under a short name (`keychain`, `env_var`, …). */
+    register(name, provider) {
+        this._registry.set(name, provider);
+    }
+    /** Look up a provider previously registered via {@link register}. */
+    get(name) {
+        return this._registry.get(name);
+    }
+    /** Drop all registered providers. */
+    clear() {
+        this._registry.clear();
+    }
+    /** Return the list of currently registered provider names. */
+    list() {
+        return [...this._registry.keys()];
+    }
+    /**
+     * Resolve a secret through a primary provider and optional fallback chain.
+     *
+     * Returns `null` if no provider produces a value while at least one
+     * provider runs to completion (hit or miss). If *every* provider throws,
+     * an `AggregateError` is raised whose `.errors` array preserves each
+     * original error in the order providers were tried.
+     */
+    async resolveSecret(name, options = {}) {
+        const order = [];
+        if (options.provider)
+            order.push(options.provider);
+        if (options.fallback)
+            order.push(...options.fallback);
+        if (order.length === 0) {
+            // Default: iterate whatever is in the registry, insertion order.
+            order.push(...this._registry.keys());
+        }
+        const errors = [];
+        let anySuccess = false;
+        for (const providerName of order) {
+            const provider = this._registry.get(providerName);
+            if (!provider)
+                continue;
+            try {
+                const value = await provider.getSecret(name);
+                anySuccess = true;
+                if (value !== null)
+                    return value;
+            }
+            catch (err) {
+                errors.push(err);
+            }
+        }
+        if (!anySuccess && errors.length > 0) {
+            throw new AggregateError(errors, `resolveSecret('${name}') failed: all ${errors.length} provider(s) threw`);
+        }
+        return null;
+    }
+    /**
+     * Resolve multiple credential references in parallel.
+     *
+     * Each entry in `specs` maps an alias to a reference string (e.g.
+     * `{db: "env:PGPASSWORD", token: "keychain:gh"}`). Every reference is
+     * parsed up front with `strict: true` so typos in config surface at
+     * batch time rather than silently returning null.
+     *
+     * Per-alias errors are collected and re-thrown as an `AggregateError`
+     * — individual errors are wrapped to include their alias name so the
+     * `.errors` array is self-describing. With `strict: true`, any null
+     * result (miss) also causes the batch to reject.
+     */
+    async resolveSecrets(specs, options = {}) {
+        const aliases = Object.keys(specs);
+        const parsed = aliases.map((alias) => ({
+            alias,
+            ref: parseCredentialRef(specs[alias], {
+                strict: true,
+                resolver: this,
+            }),
+        }));
+        const settled = await Promise.allSettled(parsed.map(({ ref }) => {
+            if (ref === null)
+                return Promise.resolve(null);
+            return this.resolveSecret(ref.key, { provider: ref.provider });
+        }));
+        const errors = [];
+        const failedAliases = [];
+        const out = {};
+        for (let i = 0; i < aliases.length; i++) {
+            const alias = aliases[i];
+            const result = settled[i];
+            if (result === undefined)
+                continue;
+            if (result.status === "rejected") {
+                const original = result.reason;
+                const origMsg = original instanceof Error
+                    ? original.message
+                    : String(original);
+                const wrapped = new Error(`resolveSecrets: alias "${alias}" failed: ${origMsg}`);
+                errors.push(wrapped);
+                failedAliases.push(alias);
+            }
+            else {
+                out[alias] = result.value;
+            }
+        }
+        if (errors.length > 0) {
+            throw new AggregateError(errors, `resolveSecrets failed for: ${failedAliases.join(", ")}`);
+        }
+        if (options.strict) {
+            const missingAliases = aliases.filter((a) => out[a] === null);
+            if (missingAliases.length > 0) {
+                throw new Error(`resolveSecrets strict: aliases returned null: ${missingAliases.join(", ")}`);
+            }
+        }
+        return out;
+    }
+}
+/**
+ * Built-in provider short names. Matches the reference-string aliases
+ * recognized by `parseCredentialRef` (`env` → `env_var`, `cloud` →
+ * `cloud_secrets`). Consumers can iterate or narrow against this literal;
+ * the tuple is frozen so runtime mutation is rejected in strict mode.
+ */
+export const KNOWN_PROVIDERS = Object.freeze([
+    "env",
+    "keychain",
+    "file",
+    "cloud",
+]);
+/** Shared resolver used by the module-level delegators below. */
+export const defaultResolver = new CredentialResolver();
+/** Register a provider on the {@link defaultResolver}. */
+export const registerProvider = defaultResolver.register.bind(defaultResolver);
+/** Look up a provider on the {@link defaultResolver}. */
+export const getProvider = defaultResolver.get.bind(defaultResolver);
+/** Drop all providers from the {@link defaultResolver} (test helper). */
+export const clearProviders = defaultResolver.clear.bind(defaultResolver);
+/** List provider names registered on the {@link defaultResolver}. */
+export const listProviders = defaultResolver.list.bind(defaultResolver);
+/** Resolve a secret via the {@link defaultResolver}. */
+export const resolveSecret = defaultResolver.resolveSecret.bind(defaultResolver);
+/** Resolve a batch of credential references via the {@link defaultResolver}. */
+export const resolveSecrets = defaultResolver.resolveSecrets.bind(defaultResolver);
+// Re-export provider implementations so callers can import everything from
+// `narai-primitives/credentials` directly.
+export { FileProvider } from "./file.js";
+export { EnvVarProvider } from "./env_var.js";
+export { KeychainProvider } from "./keychain.js";
+export { CloudSecretsProvider } from "./cloud_secrets.js";
+// Reference-string grammar. Config consumers call `parseCredentialRef` on
+// each string value to decide whether it's a literal or a reference into
+// one of the registered providers. See `parse_ref.ts` for the grammar.
+export { parseCredentialRef } from "./parse_ref.js";
+export { redact, redactAll } from "./redact.js";
+//# sourceMappingURL=index.js.map

package/dist/credentials/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/credentials/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AACH,OAAO,EAAE,kBAAkB,EAAE,MAAM,gBAAgB,CAAC;AAiDpD;;;;;GAKG;AACH,MAAM,OAAO,kBAAkB;IACZ,SAAS,GAAG,IAAI,GAAG,EAA8B,CAAC;IAEnE,yEAAyE;IACzE,QAAQ,CAAC,IAAY,EAAE,QAA4B;QACjD,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;IACrC,CAAC;IAED,qEAAqE;IACrE,GAAG,CAAC,IAAY;QACd,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAClC,CAAC;IAED,qCAAqC;IACrC,KAAK;QACH,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,CAAC;IACzB,CAAC;IAED,8DAA8D;IAC9D,IAAI;QACF,OAAO,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC,CAAC;IACpC,CAAC;IAED;;;;;;;OAOG;IACH,KAAK,CAAC,aAAa,CACjB,IAAY,EACZ,UAAgC,EAAE;QAElC,MAAM,KAAK,GAAa,EAAE,CAAC;QAC3B,IAAI,OAAO,CAAC,QAAQ;YAAE,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;QACnD,IAAI,OAAO,CAAC,QAAQ;YAAE,KAAK,CAAC,IAAI,CAAC,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;QACtD,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,iEAAiE;YACjE,KAAK,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC,CAAC;QACvC,CAAC;QAED,MAAM,MAAM,GAAc,EAAE,CAAC;QAC7B,IAAI,UAAU,GAAG,KAAK,CAAC;QACvB,KAAK,MAAM,YAAY,IAAI,KAAK,EAAE,CAAC;YACjC,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;YAClD,IAAI,CAAC,QAAQ;gBAAE,SAAS;YACxB,IAAI,CAAC;gBACH,MAAM,KAAK,GAAG,MAAM,QAAQ,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;gBAC7C,UAAU,GAAG,IAAI,CAAC;gBAClB,IAAI,KAAK,KAAK,IAAI;oBAAE,OAAO,KAAK,CAAC;YACnC,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACnB,CAAC;QACH,CAAC;QAED,IAAI,CAAC,UAAU,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACrC,MAAM,IAAI,cAAc,CACtB,MAAM,EACN,kBAAkB,IAAI,kBAAkB,MAAM,CAAC,MAAM,oBAAoB,CAC1E,CAAC;QACJ,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;;;;;;;;;;OAYG;IACH,KAAK,CAAC,cAAc,CAClB,KAA6B,EAC7B,UAAiC,EAAE;QAEnC,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACnC,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;YACrC,KAAK;YACL,GAAG,EAAE,kBAAkB,CAAC,KAAK,CAAC,KAAK,CAAW,EAAE;gBAC9C,MAAM,EAAE,IAAI;gBACZ,QAAQ,EAAE,IAAI;aACf,CAAC;SACH,CAAC,CAAC,CAAC;QAEJ,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,UAAU,CACtC,MAAM,CAAC,GAAG,CAAC,CAAC,EAAE,GAAG,EAAE,EAAE,EAAE;YACrB,IAAI,GAAG,KAAK,IAAI;gBAAE,OAAO,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;YAC/C,OAAO,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,QAAQ,EAAE,GAAG,CAAC,QAAQ,EAAE,CAAC,CAAC;QACjE,CAAC,CAAC,CACH,CAAC;QAEF,MAAM,MAAM,GAAY,EAAE,CAAC;QAC3B,MAAM,aAAa,GAAa,EAAE,CAAC;QACnC,MAAM,GAAG,GAAkC,EAAE,CAAC;QAC9C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACxC,MAAM,KAAK,GAAG,OAAO,CAAC,CAAC,CAAW,CAAC;YACnC,MAAM,MAAM,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;YAC1B,IAAI,MAAM,KAAK,SAAS;gBAAE,SAAS;YACnC,IAAI,MAAM,CAAC,MAAM,KAAK,UAAU,EAAE,CAAC;gBACjC,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,CAAC;gBAC/B,MAAM,OAAO,GACX,QAAQ,YAAY,KAAK;oBACvB,CAAC,CAAC,QAAQ,CAAC,OAAO;oBAClB,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;gBACvB,MAAM,OAAO,GAAG,IAAI,KAAK,CACvB,0BAA0B,KAAK,aAAa,OAAO,EAAE,CACtD,CAAC;gBACF,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;gBACrB,aAAa,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YAC5B,CAAC;iBAAM,CAAC;gBACN,GAAG,CAAC,KAAK,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC;YAC5B,CAAC;QACH,CAAC;QAED,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACtB,MAAM,IAAI,cAAc,CACtB,MAAM,EACN,8BAA8B,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CACzD,CAAC;QACJ,CAAC;QAED,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;YACnB,MAAM,cAAc,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC;YAC9D,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC9B,MAAM,IAAI,KAAK,CACb,iDAAiD,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAC7E,CAAC;YACJ,CAAC;QACH,CAAC;QAED,OAAO,GAAG,CAAC;IACb,CAAC;CACF;AAED;;;;;GAKG;AACH,MAAM,CAAC,MAAM,eAAe,GAAG,MAAM,CAAC,MAAM,CAAC;IAC3C,KAAK;IACL,UAAU;IACV,MAAM;IACN,OAAO;CACC,CAAyD,CAAC;AAGpE,iEAAiE;AACjE,MAAM,CAAC,MAAM,eAAe,GAAG,IAAI,kBAAkB,EAAE,CAAC;AAExD,0DAA0D;AAC1D,MAAM,CAAC,MAAM,gBAAgB,GAAG,eAAe,CAAC,QAAQ,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;AAC/E,yDAAyD;AACzD,MAAM,CAAC,MAAM,WAAW,GAAG,eAAe,CAAC,GAAG,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;AACrE,yEAAyE;AACzE,MAAM,CAAC,MAAM,cAAc,GAAG,eAAe,CAAC,KAAK,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;AAC1E,qEAAqE;AACrE,MAAM,CAAC,MAAM,aAAa,GAAG,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;AACxE,wDAAwD;AACxD,MAAM,CAAC,MAAM,aAAa,GACxB,eAAe,CAAC,aAAa,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;AACtD,gFAAgF;AAChF,MAAM,CAAC,MAAM,cAAc,GACzB,eAAe,CAAC,cAAc,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;AAEvD,2EAA2E;AAC3E,2CAA2C;AAC3C,OAAO,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AACzC,OAAO,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAC9C,OAAO,EAAE,gBAAgB,EAAE,MAAM,eAAe,CAAC;AACjD,OAAO,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AAG1D,0EAA0E;AAC1E,yEAAyE;AACzE,uEAAuE;AACvE,OAAO,EAAE,kBAAkB,EAAE,MAAM,gBAAgB,CAAC;AAMpD,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC"}

package/dist/credentials/keychain.d.ts

@@ -0,0 +1,31 @@
+import type { CredentialProvider, SecretMetadata } from "./index.js";
+export interface KeychainProviderOptions {
+    /**
+     * Override the platform detection (for tests). Accepts any Node
+     * `process.platform` value.
+     */
+    platform?: NodeJS.Platform;
+    /**
+     * macOS Keychain "account" field (optional). If given, passed as
+     * `-a <account>` to `security find-generic-password`.
+     */
+    account?: string;
+    /**
+     * macOS Keychain "service" prefix. If set, the lookup name is
+     * `<servicePrefix>.<name>` so an application's secrets can be grouped
+     * under a single service name (e.g. `com.example.myapp`).
+     */
+    servicePrefix?: string;
+}
+export declare class KeychainProvider implements CredentialProvider {
+    private readonly _platform;
+    private readonly _account;
+    private readonly _servicePrefix;
+    constructor(opts?: KeychainProviderOptions);
+    getSecret(name: string): Promise<string | null>;
+    describeSecret(name: string): Promise<SecretMetadata>;
+    private _macos;
+    private _linux;
+    private _windows;
+}
+//# sourceMappingURL=keychain.d.ts.map

package/dist/credentials/keychain.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"keychain.d.ts","sourceRoot":"","sources":["../../src/credentials/keychain.ts"],"names":[],"mappings":"AAYA,OAAO,KAAK,EAAE,kBAAkB,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAErE,MAAM,WAAW,uBAAuB;IACtC;;;OAGG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC,QAAQ,CAAC;IAC3B;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB;;;;OAIG;IACH,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB;AAED,qBAAa,gBAAiB,YAAW,kBAAkB;IACzD,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAkB;IAC5C,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAqB;IAC9C,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAS;gBAE5B,IAAI,GAAE,uBAA4B;IAMxC,SAAS,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAmB/C,cAAc,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,CAAC;IAK3D,OAAO,CAAC,MAAM;IAoBd,OAAO,CAAC,MAAM;YAoBA,QAAQ;CAqBvB"}

package/dist/credentials/keychain.js

@@ -0,0 +1,124 @@
+/**
+ * keychain.ts — OS-native keychain provider.
+ *
+ * Backends (selected by platform):
+ *   - darwin  → `security find-generic-password -s "<name>" -w`
+ *   - linux   → `secret-tool lookup name "<name>"` (libsecret).
+ *               If `secret-tool` is missing, throws a clear error.
+ *   - win32   → `@napi-rs/keyring` (Windows Credential Manager via N-API).
+ *               Lazy-imported; if the module is not installed, throws a
+ *               clear error with the install command.
+ */
+import { execFileSync } from "node:child_process";
+export class KeychainProvider {
+    _platform;
+    _account;
+    _servicePrefix;
+    constructor(opts = {}) {
+        this._platform = opts.platform ?? process.platform;
+        this._account = opts.account;
+        this._servicePrefix = opts.servicePrefix ?? "";
+    }
+    async getSecret(name) {
+        const service = this._servicePrefix
+            ? `${this._servicePrefix}.${name}`
+            : name;
+        switch (this._platform) {
+            case "darwin":
+                return this._macos(service);
+            case "linux":
+                return this._linux(service);
+            case "win32":
+                return this._windows(service);
+            default:
+                throw new Error(`keychain provider unsupported on platform '${this._platform}'`);
+        }
+    }
+    async describeSecret(name) {
+        const value = await this.getSecret(name);
+        return { exists: value !== null, provider: "keychain" };
+    }
+    _macos(service) {
+        const args = ["find-generic-password", "-s", service, "-w"];
+        if (this._account) {
+            args.splice(1, 0, "-a", this._account);
+        }
+        try {
+            const out = execFileSync("security", args, {
+                encoding: "utf-8",
+                stdio: ["ignore", "pipe", "pipe"],
+            });
+            const trimmed = out.replace(/\n$/, "");
+            return trimmed === "" ? null : trimmed;
+        }
+        catch (err) {
+            // `security` exits non-zero if the item is not found. Surface a
+            // null-miss rather than an error so the fallback chain can proceed.
+            if (_isMissingKeychainItem(err))
+                return null;
+            throw _wrapKeychainError(err, "security");
+        }
+    }
+    _linux(service) {
+        try {
+            const out = execFileSync("secret-tool", ["lookup", "name", service], {
+                encoding: "utf-8",
+                stdio: ["ignore", "pipe", "pipe"],
+            });
+            const trimmed = out.replace(/\n$/, "");
+            return trimmed === "" ? null : trimmed;
+        }
+        catch (err) {
+            if (_isCommandNotFound(err)) {
+                throw new Error("keychain provider on Linux requires `secret-tool` (libsecret). " +
+                    "Install with `apt install libsecret-tools` or equivalent.");
+            }
+            if (_isMissingKeychainItem(err))
+                return null;
+            throw _wrapKeychainError(err, "secret-tool");
+        }
+    }
+    async _windows(service) {
+        const mod = await _loadOptional("@napi-rs/keyring", "npm install --save-dev @napi-rs/keyring");
+        const { Entry } = mod;
+        const entry = new Entry(service, this._account ?? "default");
+        try {
+            const pw = entry.getPassword();
+            return pw === "" || pw === null ? null : pw;
+        }
+        catch (err) {
+            const msg = err.message ?? "";
+            if (/not (found|exist)|no.*entry/i.test(msg))
+                return null;
+            throw new Error(`keychain provider on Windows: ${msg}`);
+        }
+    }
+}
+function _isMissingKeychainItem(err) {
+    const e = err;
+    // macOS `security` returns 44 for "item not found"; libsecret's
+    // `secret-tool lookup` returns 1 with empty stdout when missing.
+    return e.status === 44 || e.status === 1;
+}
+function _isCommandNotFound(err) {
+    const e = err;
+    return e.code === "ENOENT";
+}
+function _wrapKeychainError(err, command) {
+    const e = err;
+    const stderr = e.stderr instanceof Buffer ? e.stderr.toString("utf-8") : e.stderr ?? "";
+    return new Error(`keychain provider: ${command} failed (status=${e.status}): ${stderr || e.message}`);
+}
+async function _loadOptional(pkg, install) {
+    try {
+        return (await import(pkg));
+    }
+    catch (err) {
+        const e = err;
+        if (e.code === "ERR_MODULE_NOT_FOUND" || e.code === "MODULE_NOT_FOUND") {
+            throw new Error(`keychain provider on Windows requires '${pkg}'. Run: ${install}`);
+        }
+        throw err;
+    }
+}
+//# sourceMappingURL=keychain.js.map

package/dist/credentials/keychain.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"keychain.js","sourceRoot":"","sources":["../../src/credentials/keychain.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AACH,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAsBlD,MAAM,OAAO,gBAAgB;IACV,SAAS,CAAkB;IAC3B,QAAQ,CAAqB;IAC7B,cAAc,CAAS;IAExC,YAAY,OAAgC,EAAE;QAC5C,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,QAAQ,IAAI,OAAO,CAAC,QAAQ,CAAC;QACnD,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC;QAC7B,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC,aAAa,IAAI,EAAE,CAAC;IACjD,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,IAAY;QAC1B,MAAM,OAAO,GAAG,IAAI,CAAC,cAAc;YACjC,CAAC,CAAC,GAAG,IAAI,CAAC,cAAc,IAAI,IAAI,EAAE;YAClC,CAAC,CAAC,IAAI,CAAC;QAET,QAAQ,IAAI,CAAC,SAAS,EAAE,CAAC;YACvB,KAAK,QAAQ;gBACX,OAAO,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;YAC9B,KAAK,OAAO;gBACV,OAAO,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;YAC9B,KAAK,OAAO;gBACV,OAAO,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;YAChC;gBACE,MAAM,IAAI,KAAK,CACb,8CAA8C,IAAI,CAAC,SAAS,GAAG,CAChE,CAAC;QACN,CAAC;IACH,CAAC;IAED,KAAK,CAAC,cAAc,CAAC,IAAY;QAC/B,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;QACzC,OAAO,EAAE,MAAM,EAAE,KAAK,KAAK,IAAI,EAAE,QAAQ,EAAE,UAAU,EAAE,CAAC;IAC1D,CAAC;IAEO,MAAM,CAAC,OAAe;QAC5B,MAAM,IAAI,GAAG,CAAC,uBAAuB,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC;QAC5D,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YAClB,IAAI,CAAC,MAAM,CAAC,CAAC,EAAE,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC;QACzC,CAAC;QACD,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,YAAY,CAAC,UAAU,EAAE,IAAI,EAAE;gBACzC,QAAQ,EAAE,OAAO;gBACjB,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC;aAClC,CAAC,CAAC;YACH,MAAM,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;YACvC,OAAO,OAAO,KAAK,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC;QACzC,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,gEAAgE;YAChE,oEAAoE;YACpE,IAAI,sBAAsB,CAAC,GAAG,CAAC;gBAAE,OAAO,IAAI,CAAC;YAC7C,MAAM,kBAAkB,CAAC,GAAG,EAAE,UAAU,CAAC,CAAC;QAC5C,CAAC;IACH,CAAC;IAEO,MAAM,CAAC,OAAe;QAC5B,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,YAAY,CAAC,aAAa,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE;gBACnE,QAAQ,EAAE,OAAO;gBACjB,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC;aAClC,CAAC,CAAC;YACH,MAAM,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;YACvC,OAAO,OAAO,KAAK,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC;QACzC,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,kBAAkB,CAAC,GAAG,CAAC,EAAE,CAAC;gBAC5B,MAAM,IAAI,KAAK,CACb,iEAAiE;oBAC/D,2DAA2D,CAC9D,CAAC;YACJ,CAAC;YACD,IAAI,sBAAsB,CAAC,GAAG,CAAC;gBAAE,OAAO,IAAI,CAAC;YAC7C,MAAM,kBAAkB,CAAC,GAAG,EAAE,aAAa,CAAC,CAAC;QAC/C,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,QAAQ,CAAC,OAAe;QACpC,MAAM,GAAG,GAAG,MAAM,aAAa,CAC7B,kBAAkB,EAClB,yCAAyC,CAC1C,CAAC;QACF,MAAM,EAAE,KAAK,EAAE,GAAG,GAKjB,CAAC;QACF,MAAM,KAAK,GAAG,IAAI,KAAK,CAAC,OAAO,EAAE,IAAI,CAAC,QAAQ,IAAI,SAAS,CAAC,CAAC;QAC7D,IAAI,CAAC;YACH,MAAM,EAAE,GAAG,KAAK,CAAC,WAAW,EAAE,CAAC;YAC/B,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,KAAK,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;QAC9C,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,GAAG,GAAI,GAAa,CAAC,OAAO,IAAI,EAAE,CAAC;YACzC,IAAI,8BAA8B,CAAC,IAAI,CAAC,GAAG,CAAC;gBAAE,OAAO,IAAI,CAAC;YAC1D,MAAM,IAAI,KAAK,CAAC,iCAAiC,GAAG,EAAE,CAAC,CAAC;QAC1D,CAAC;IACH,CAAC;CACF;AAUD,SAAS,sBAAsB,CAAC,GAAY;IAC1C,MAAM,CAAC,GAAG,GAAgB,CAAC;IAC3B,gEAAgE;IAChE,iEAAiE;IACjE,OAAO,CAAC,CAAC,MAAM,KAAK,EAAE,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC;AAC3C,CAAC;AAED,SAAS,kBAAkB,CAAC,GAAY;IACtC,MAAM,CAAC,GAAG,GAAgB,CAAC;IAC3B,OAAO,CAAC,CAAC,IAAI,KAAK,QAAQ,CAAC;AAC7B,CAAC;AAED,SAAS,kBAAkB,CAAC,GAAY,EAAE,OAAe;IACvD,MAAM,CAAC,GAAG,GAAgB,CAAC;IAC3B,MAAM,MAAM,GACV,CAAC,CAAC,MAAM,YAAY,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,IAAI,EAAE,CAAC;IAC3E,OAAO,IAAI,KAAK,CACd,sBAAsB,OAAO,mBAAmB,CAAC,CAAC,MAAM,MAAM,MAAM,IAAI,CAAC,CAAC,OAAO,EAAE,CACpF,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,aAAa,CAC1B,GAAW,EACX,OAAe;IAEf,IAAI,CAAC;QACH,OAAO,CAAC,MAAM,MAAM,CAAC,GAAG,CAAC,CAAY,CAAC;IACxC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,CAAC,GAAG,GAA4B,CAAC;QACvC,IAAI,CAAC,CAAC,IAAI,KAAK,sBAAsB,IAAI,CAAC,CAAC,IAAI,KAAK,kBAAkB,EAAE,CAAC;YACvE,MAAM,IAAI,KAAK,CACb,0CAA0C,GAAG,WAAW,OAAO,EAAE,CAClE,CAAC;QACJ,CAAC;QACD,MAAM,GAAG,CAAC;IACZ,CAAC;AACH,CAAC"}