neoctl 0.2.5 → 0.2.6

package/dist/secrets/secret-crypto.d.ts

@@ -0,0 +1,22 @@
+export interface SecretKdfConfig {
+    type: "scrypt";
+    salt: string;
+    N: number;
+    r: number;
+    p: number;
+}
+export interface EncryptedSecretPayload {
+    ciphertext: string;
+    iv: string;
+    tag: string;
+}
+export interface SecretCryptoConfig {
+    kdf: SecretKdfConfig;
+    passphrase?: string;
+}
+export declare function createDefaultKdf(): SecretKdfConfig;
+export declare function resolveSecretPassphrase(passphrase?: string): string;
+export declare function deriveSecretKey(config: SecretCryptoConfig): Buffer;
+export declare function encryptSecret(plaintext: string, key: Buffer): EncryptedSecretPayload;
+export declare function decryptSecret(payload: EncryptedSecretPayload, key: Buffer): string;
+export declare function fingerprintSecret(value: string): string;

package/dist/secrets/secret-crypto.js

@@ -0,0 +1,58 @@
+import { createCipheriv, createDecipheriv, randomBytes, scryptSync, createHash } from "node:crypto";
+const KEY_LENGTH = 32;
+const IV_LENGTH = 12;
+const DEFAULT_KDF = { type: "scrypt", N: 32768, r: 8, p: 1 };
+export function createDefaultKdf() {
+    return { ...DEFAULT_KDF, salt: randomBytes(16).toString("base64") };
+}
+export function resolveSecretPassphrase(passphrase) {
+    const explicit = passphrase ?? process.env.NEOCTL_SECRETS_KEY ?? process.env.NEO_SECRETS_KEY;
+    if (explicit && explicit.length > 0)
+        return explicit;
+    // Local fallback keeps storage encrypted-at-rest without interactive prompting. Users who need stronger
+    // separation should set NEOCTL_SECRETS_KEY; changing it makes existing secrets undecryptable.
+    return `neoctl-local-secret-key:${process.env.USERPROFILE ?? process.env.HOME ?? "unknown"}`;
+}
+export function deriveSecretKey(config) {
+    const passphrase = resolveSecretPassphrase(config.passphrase);
+    if (/^[A-Za-z0-9+/=]+$/.test(passphrase)) {
+        try {
+            const decoded = Buffer.from(passphrase, "base64");
+            if (decoded.length === KEY_LENGTH)
+                return decoded;
+        }
+        catch {
+            // Fall through to scrypt.
+        }
+    }
+    return scryptSync(passphrase, Buffer.from(config.kdf.salt, "base64"), KEY_LENGTH, {
+        N: config.kdf.N,
+        r: config.kdf.r,
+        p: config.kdf.p,
+        maxmem: 64 * 1024 * 1024,
+    });
+}
+export function encryptSecret(plaintext, key) {
+    const iv = randomBytes(IV_LENGTH);
+    const cipher = createCipheriv("aes-256-gcm", key, iv);
+    const ciphertext = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
+    const tag = cipher.getAuthTag();
+    return {
+        ciphertext: ciphertext.toString("base64"),
+        iv: iv.toString("base64"),
+        tag: tag.toString("base64"),
+    };
+}
+export function decryptSecret(payload, key) {
+    const decipher = createDecipheriv("aes-256-gcm", key, Buffer.from(payload.iv, "base64"));
+    decipher.setAuthTag(Buffer.from(payload.tag, "base64"));
+    const plaintext = Buffer.concat([
+        decipher.update(Buffer.from(payload.ciphertext, "base64")),
+        decipher.final(),
+    ]);
+    return plaintext.toString("utf8");
+}
+export function fingerprintSecret(value) {
+    return createHash("sha256").update(value).digest("hex").slice(0, 12);
+}
+//# sourceMappingURL=secret-crypto.js.map

package/dist/secrets/secret-crypto.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secret-crypto.js","sourceRoot":"","sources":["../../src/secrets/secret-crypto.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,gBAAgB,EAAE,WAAW,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAqBpG,MAAM,UAAU,GAAG,EAAE,CAAC;AACtB,MAAM,SAAS,GAAG,EAAE,CAAC;AACrB,MAAM,WAAW,GAAkC,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC;AAE5F,MAAM,UAAU,gBAAgB;IAC9B,OAAO,EAAE,GAAG,WAAW,EAAE,IAAI,EAAE,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;AACtE,CAAC;AAED,MAAM,UAAU,uBAAuB,CAAC,UAAmB;IACzD,MAAM,QAAQ,GAAG,UAAU,IAAI,OAAO,CAAC,GAAG,CAAC,kBAAkB,IAAI,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;IAC7F,IAAI,QAAQ,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,QAAQ,CAAC;IACrD,wGAAwG;IACxG,8FAA8F;IAC9F,OAAO,2BAA2B,OAAO,CAAC,GAAG,CAAC,WAAW,IAAI,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,SAAS,EAAE,CAAC;AAC/F,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,MAA0B;IACxD,MAAM,UAAU,GAAG,uBAAuB,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;IAC9D,IAAI,mBAAmB,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC;QACzC,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC;YAClD,IAAI,OAAO,CAAC,MAAM,KAAK,UAAU;gBAAE,OAAO,OAAO,CAAC;QACpD,CAAC;QAAC,MAAM,CAAC;YACP,0BAA0B;QAC5B,CAAC;IACH,CAAC;IACD,OAAO,UAAU,CAAC,UAAU,EAAE,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,EAAE,QAAQ,CAAC,EAAE,UAAU,EAAE;QAChF,CAAC,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC;QACf,CAAC,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC;QACf,CAAC,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC;QACf,MAAM,EAAE,EAAE,GAAG,IAAI,GAAG,IAAI;KACzB,CAAC,CAAC;AACL,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,SAAiB,EAAE,GAAW;IAC1D,MAAM,EAAE,GAAG,WAAW,CAAC,SAAS,CAAC,CAAC;IAClC,MAAM,MAAM,GAAG,cAAc,CAAC,aAAa,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IACtD,MAAM,UAAU,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IACrF,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;IAChC,OAAO;QACL,UAAU,EAAE,UAAU,CAAC,QAAQ,CAAC,QAAQ,CAAC;QACzC,EAAE,EAAE,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC;QACzB,GAAG,EAAE,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC;KAC5B,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,OAA+B,EAAE,GAAW;IACxE,MAAM,QAAQ,GAAG,gBAAgB,CAAC,aAAa,EAAE,GAAG,EAAE,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC,CAAC;IACzF,QAAQ,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC,CAAC;IACxD,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC;QAC9B,QAAQ,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC;QAC1D,QAAQ,CAAC,KAAK,EAAE;KACjB,CAAC,CAAC;IACH,OAAO,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;AACpC,CAAC;AAED,MAAM,UAAU,iBAAiB,CAAC,KAAa;IAC7C,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AACvE,CAAC"}

package/dist/secrets/secret-redaction.d.ts

@@ -0,0 +1,8 @@
+import type { SecretRedactionRegistry } from "./secret-types.js";
+export declare class InMemorySecretRedactionRegistry implements SecretRedactionRegistry {
+    private readonly values;
+    record(key: string, value: string): void;
+    redact<T>(value: T): T;
+    redactString(input: string): string;
+}
+export declare function redactWithRegistry<T>(registry: SecretRedactionRegistry | undefined, value: T): T;

package/dist/secrets/secret-redaction.js

@@ -0,0 +1,40 @@
+export class InMemorySecretRedactionRegistry {
+    values = new Map();
+    record(key, value) {
+        if (!value)
+            return;
+        const set = this.values.get(key) ?? new Set();
+        set.add(value);
+        set.add(value.trim());
+        set.add(`Bearer ${value}`);
+        this.values.set(key, set);
+    }
+    redact(value) {
+        if (typeof value === "string")
+            return this.redactString(value);
+        if (Array.isArray(value))
+            return value.map((entry) => this.redact(entry));
+        if (value && typeof value === "object") {
+            const output = {};
+            for (const [k, v] of Object.entries(value))
+                output[k] = this.redact(v);
+            return output;
+        }
+        return value;
+    }
+    redactString(input) {
+        let output = input;
+        for (const [key, values] of this.values.entries()) {
+            for (const secret of values) {
+                if (!secret)
+                    continue;
+                output = output.split(secret).join(`[secret:${key}]`);
+            }
+        }
+        return output;
+    }
+}
+export function redactWithRegistry(registry, value) {
+    return registry ? registry.redact(value) : value;
+}
+//# sourceMappingURL=secret-redaction.js.map

package/dist/secrets/secret-redaction.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secret-redaction.js","sourceRoot":"","sources":["../../src/secrets/secret-redaction.ts"],"names":[],"mappings":"AAEA,MAAM,OAAO,+BAA+B;IACzB,MAAM,GAAG,IAAI,GAAG,EAAuB,CAAC;IAEzD,MAAM,CAAC,GAAW,EAAE,KAAa;QAC/B,IAAI,CAAC,KAAK;YAAE,OAAO;QACnB,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,IAAI,GAAG,EAAU,CAAC;QACtD,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACf,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC;QACtB,GAAG,CAAC,GAAG,CAAC,UAAU,KAAK,EAAE,CAAC,CAAC;QAC3B,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;IAC5B,CAAC;IAED,MAAM,CAAI,KAAQ;QAChB,IAAI,OAAO,KAAK,KAAK,QAAQ;YAAE,OAAO,IAAI,CAAC,YAAY,CAAC,KAAK,CAAM,CAAC;QACpE,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;YAAE,OAAO,KAAK,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAM,CAAC;QAC/E,IAAI,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YACvC,MAAM,MAAM,GAA4B,EAAE,CAAC;YAC3C,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAgC,CAAC;gBAAE,MAAM,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;YAClG,OAAO,MAAW,CAAC;QACrB,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,YAAY,CAAC,KAAa;QACxB,IAAI,MAAM,GAAG,KAAK,CAAC;QACnB,KAAK,MAAM,CAAC,GAAG,EAAE,MAAM,CAAC,IAAI,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,EAAE,CAAC;YAClD,KAAK,MAAM,MAAM,IAAI,MAAM,EAAE,CAAC;gBAC5B,IAAI,CAAC,MAAM;oBAAE,SAAS;gBACtB,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,WAAW,GAAG,GAAG,CAAC,CAAC;YACxD,CAAC;QACH,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;CACF;AAED,MAAM,UAAU,kBAAkB,CAAI,QAA6C,EAAE,KAAQ;IAC3F,OAAO,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC;AACnD,CAAC"}

package/dist/secrets/secret-store.d.ts

@@ -0,0 +1,28 @@
+import { type SecretMetadata, type SecretResolver } from "./secret-types.js";
+export interface SecretStoreOptions {
+    filePath?: string;
+    passphrase?: string;
+}
+export declare class SecretStore implements SecretResolver {
+    private readonly filePath;
+    private readonly passphrase;
+    private file;
+    private constructor();
+    static open(options?: SecretStoreOptions): Promise<SecretStore>;
+    list(): Promise<SecretMetadata[]>;
+    info(key: string): Promise<SecretMetadata | undefined>;
+    requestEmpty(key: string, options?: {
+        reason?: string;
+        requestedBy?: "agent" | "user";
+    }): Promise<SecretMetadata>;
+    getPlaintext(key: string): Promise<string>;
+    setPlaintext(key: string, value: string): Promise<SecretMetadata>;
+    delete(key: string): Promise<boolean>;
+    rename(oldKey: string, newKey: string): Promise<SecretMetadata>;
+    resolve(key: string): Promise<string>;
+    resolveForTool(key: string): Promise<string>;
+    private requireEntry;
+    private decryptEntry;
+    private key;
+    private save;
+}

package/dist/secrets/secret-store.js

@@ -0,0 +1,158 @@
+import fs from "node:fs/promises";
+import path from "node:path";
+import { getNeoctlHome } from "../paths.js";
+import { createDefaultKdf, decryptSecret, deriveSecretKey, encryptSecret } from "./secret-crypto.js";
+import { SecretEmptyError, SecretNotFoundError } from "./secret-types.js";
+function nowIso() {
+    return new Date().toISOString();
+}
+function validateKey(key) {
+    const trimmed = key.trim();
+    if (!/^[A-Za-z0-9_.:@/-]{1,128}$/.test(trimmed)) {
+        throw new Error("Secret key must be 1-128 chars and contain only letters, numbers, _, -, ., :, @, or /.");
+    }
+    return trimmed;
+}
+function metadata(entry) {
+    return {
+        key: entry.key,
+        status: entry.status,
+        length: entry.length,
+        createdAt: entry.createdAt,
+        updatedAt: entry.updatedAt,
+        requestedBy: entry.requestedBy,
+        requestReason: entry.requestReason,
+    };
+}
+export class SecretStore {
+    filePath;
+    passphrase;
+    file;
+    constructor(filePath, passphrase, file) {
+        this.filePath = filePath;
+        this.passphrase = passphrase;
+        this.file = file;
+    }
+    static async open(options = {}) {
+        const filePath = options.filePath ?? path.join(getNeoctlHome(), "secrets.json");
+        await fs.mkdir(path.dirname(filePath), { recursive: true });
+        let file;
+        try {
+            const raw = await fs.readFile(filePath, "utf8");
+            file = JSON.parse(raw);
+        }
+        catch (error) {
+            if (error.code !== "ENOENT")
+                throw error;
+        }
+        file ??= { version: 1, kdf: createDefaultKdf(), items: {} };
+        return new SecretStore(filePath, options.passphrase, file);
+    }
+    async list() {
+        return Object.values(this.file.items).map(metadata).sort((a, b) => a.key.localeCompare(b.key));
+    }
+    async info(key) {
+        const entry = this.file.items[validateKey(key)];
+        return entry ? metadata(entry) : undefined;
+    }
+    async requestEmpty(key, options = {}) {
+        const normalized = validateKey(key);
+        const existing = this.file.items[normalized];
+        if (existing) {
+            if (options.reason && !existing.requestReason)
+                existing.requestReason = options.reason;
+            existing.requestedBy ??= options.requestedBy;
+            existing.updatedAt = nowIso();
+            await this.save();
+            return metadata(existing);
+        }
+        const timestamp = nowIso();
+        const entry = {
+            key: normalized,
+            status: "empty",
+            length: 0,
+            createdAt: timestamp,
+            updatedAt: timestamp,
+            requestedBy: options.requestedBy,
+            requestReason: options.reason,
+        };
+        this.file.items[normalized] = entry;
+        await this.save();
+        return metadata(entry);
+    }
+    async getPlaintext(key) {
+        const entry = this.requireEntry(key);
+        if (entry.status === "empty")
+            return "";
+        return this.decryptEntry(entry);
+    }
+    async setPlaintext(key, value) {
+        const normalized = validateKey(key);
+        const timestamp = nowIso();
+        const existing = this.file.items[normalized];
+        const encrypted = encryptSecret(value, this.key());
+        const entry = {
+            key: normalized,
+            status: "set",
+            length: value.length,
+            createdAt: existing?.createdAt ?? timestamp,
+            updatedAt: timestamp,
+            requestedBy: existing?.requestedBy,
+            requestReason: existing?.requestReason,
+            ...encrypted,
+        };
+        this.file.items[normalized] = entry;
+        await this.save();
+        return metadata(entry);
+    }
+    async delete(key) {
+        const normalized = validateKey(key);
+        const existed = Boolean(this.file.items[normalized]);
+        delete this.file.items[normalized];
+        if (existed)
+            await this.save();
+        return existed;
+    }
+    async rename(oldKey, newKey) {
+        const oldNormalized = validateKey(oldKey);
+        const newNormalized = validateKey(newKey);
+        if (this.file.items[newNormalized])
+            throw new Error(`Secret "${newNormalized}" already exists.`);
+        const entry = this.requireEntry(oldNormalized);
+        delete this.file.items[oldNormalized];
+        const renamed = { ...entry, key: newNormalized, updatedAt: nowIso() };
+        this.file.items[newNormalized] = renamed;
+        await this.save();
+        return metadata(renamed);
+    }
+    async resolve(key) {
+        return this.resolveForTool(key);
+    }
+    async resolveForTool(key) {
+        const entry = this.requireEntry(key);
+        if (entry.status === "empty")
+            throw new SecretEmptyError(entry.key);
+        return this.decryptEntry(entry);
+    }
+    requireEntry(key) {
+        const normalized = validateKey(key);
+        const entry = this.file.items[normalized];
+        if (!entry)
+            throw new SecretNotFoundError(normalized);
+        return entry;
+    }
+    decryptEntry(entry) {
+        if (!entry.ciphertext || !entry.iv || !entry.tag)
+            throw new SecretEmptyError(entry.key);
+        return decryptSecret({ ciphertext: entry.ciphertext, iv: entry.iv, tag: entry.tag }, this.key());
+    }
+    key() {
+        return deriveSecretKey({ kdf: this.file.kdf, passphrase: this.passphrase });
+    }
+    async save() {
+        const tmp = `${this.filePath}.tmp`;
+        await fs.writeFile(tmp, `${JSON.stringify(this.file, null, 2)}\n`, "utf8");
+        await fs.rename(tmp, this.filePath);
+    }
+}
+//# sourceMappingURL=secret-store.js.map

package/dist/secrets/secret-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secret-store.js","sourceRoot":"","sources":["../../src/secrets/secret-store.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,kBAAkB,CAAC;AAClC,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAC5C,OAAO,EAAE,gBAAgB,EAAE,aAAa,EAAE,eAAe,EAAE,aAAa,EAAwB,MAAM,oBAAoB,CAAC;AAC3H,OAAO,EAAE,gBAAgB,EAAE,mBAAmB,EAA4C,MAAM,mBAAmB,CAAC;AAmBpH,SAAS,MAAM;IACb,OAAO,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;AAClC,CAAC;AAED,SAAS,WAAW,CAAC,GAAW;IAC9B,MAAM,OAAO,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC;IAC3B,IAAI,CAAC,4BAA4B,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;QAChD,MAAM,IAAI,KAAK,CAAC,wFAAwF,CAAC,CAAC;IAC5G,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,QAAQ,CAAC,KAAuB;IACvC,OAAO;QACL,GAAG,EAAE,KAAK,CAAC,GAAG;QACd,MAAM,EAAE,KAAK,CAAC,MAAM;QACpB,MAAM,EAAE,KAAK,CAAC,MAAM;QACpB,SAAS,EAAE,KAAK,CAAC,SAAS;QAC1B,SAAS,EAAE,KAAK,CAAC,SAAS;QAC1B,WAAW,EAAE,KAAK,CAAC,WAAW;QAC9B,aAAa,EAAE,KAAK,CAAC,aAAa;KACnC,CAAC;AACJ,CAAC;AAED,MAAM,OAAO,WAAW;IAEH;IACA;IACT;IAHV,YACmB,QAAgB,EAChB,UAA8B,EACvC,IAAgB;QAFP,aAAQ,GAAR,QAAQ,CAAQ;QAChB,eAAU,GAAV,UAAU,CAAoB;QACvC,SAAI,GAAJ,IAAI,CAAY;IACvB,CAAC;IAEJ,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,UAA8B,EAAE;QAChD,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,IAAI,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,EAAE,cAAc,CAAC,CAAC;QAChF,MAAM,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC5D,IAAI,IAA4B,CAAC;QACjC,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;YAChD,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAe,CAAC;QACvC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAK,KAA+B,CAAC,IAAI,KAAK,QAAQ;gBAAE,MAAM,KAAK,CAAC;QACtE,CAAC;QACD,IAAI,KAAK,EAAE,OAAO,EAAE,CAAC,EAAE,GAAG,EAAE,gBAAgB,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC;QAC5D,OAAO,IAAI,WAAW,CAAC,QAAQ,EAAE,OAAO,CAAC,UAAU,EAAE,IAAI,CAAC,CAAC;IAC7D,CAAC;IAED,KAAK,CAAC,IAAI;QACR,OAAO,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IACjG,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,GAAW;QACpB,MAAM,KAAK,GAAG,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC;QAChD,OAAO,KAAK,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IAC7C,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,GAAW,EAAE,UAA+D,EAAE;QAC/F,MAAM,UAAU,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC;QACpC,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;QAC7C,IAAI,QAAQ,EAAE,CAAC;YACb,IAAI,OAAO,CAAC,MAAM,IAAI,CAAC,QAAQ,CAAC,aAAa;gBAAE,QAAQ,CAAC,aAAa,GAAG,OAAO,CAAC,MAAM,CAAC;YACvF,QAAQ,CAAC,WAAW,KAAK,OAAO,CAAC,WAAW,CAAC;YAC7C,QAAQ,CAAC,SAAS,GAAG,MAAM,EAAE,CAAC;YAC9B,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;YAClB,OAAO,QAAQ,CAAC,QAAQ,CAAC,CAAC;QAC5B,CAAC;QACD,MAAM,SAAS,GAAG,MAAM,EAAE,CAAC;QAC3B,MAAM,KAAK,GAAqB;YAC9B,GAAG,EAAE,UAAU;YACf,MAAM,EAAE,OAAO;YACf,MAAM,EAAE,CAAC;YACT,SAAS,EAAE,SAAS;YACpB,SAAS,EAAE,SAAS;YACpB,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,aAAa,EAAE,OAAO,CAAC,MAAM;SAC9B,CAAC;QACF,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,GAAG,KAAK,CAAC;QACpC,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;QAClB,OAAO,QAAQ,CAAC,KAAK,CAAC,CAAC;IACzB,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,GAAW;QAC5B,MAAM,KAAK,GAAG,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC;QACrC,IAAI,KAAK,CAAC,MAAM,KAAK,OAAO;YAAE,OAAO,EAAE,CAAC;QACxC,OAAO,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC;IAClC,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,GAAW,EAAE,KAAa;QAC3C,MAAM,UAAU,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC;QACpC,MAAM,SAAS,GAAG,MAAM,EAAE,CAAC;QAC3B,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;QAC7C,MAAM,SAAS,GAAG,aAAa,CAAC,KAAK,EAAE,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;QACnD,MAAM,KAAK,GAAqB;YAC9B,GAAG,EAAE,UAAU;YACf,MAAM,EAAE,KAAK;YACb,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,SAAS,EAAE,QAAQ,EAAE,SAAS,IAAI,SAAS;YAC3C,SAAS,EAAE,SAAS;YACpB,WAAW,EAAE,QAAQ,EAAE,WAAW;YAClC,aAAa,EAAE,QAAQ,EAAE,aAAa;YACtC,GAAG,SAAS;SACb,CAAC;QACF,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,GAAG,KAAK,CAAC;QACpC,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;QAClB,OAAO,QAAQ,CAAC,KAAK,CAAC,CAAC;IACzB,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,GAAW;QACtB,MAAM,UAAU,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC;QACpC,MAAM,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC;QACrD,OAAO,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;QACnC,IAAI,OAAO;YAAE,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;QAC/B,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,MAAc,EAAE,MAAc;QACzC,MAAM,aAAa,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC;QAC1C,MAAM,aAAa,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC;QAC1C,IAAI,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC;YAAE,MAAM,IAAI,KAAK,CAAC,WAAW,aAAa,mBAAmB,CAAC,CAAC;QACjG,MAAM,KAAK,GAAG,IAAI,CAAC,YAAY,CAAC,aAAa,CAAC,CAAC;QAC/C,OAAO,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC;QACtC,MAAM,OAAO,GAAG,EAAE,GAAG,KAAK,EAAE,GAAG,EAAE,aAAa,EAAE,SAAS,EAAE,MAAM,EAAE,EAAE,CAAC;QACtE,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,GAAG,OAAO,CAAC;QACzC,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;QAClB,OAAO,QAAQ,CAAC,OAAO,CAAC,CAAC;IAC3B,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,GAAW;QACvB,OAAO,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC;IAClC,CAAC;IAED,KAAK,CAAC,cAAc,CAAC,GAAW;QAC9B,MAAM,KAAK,GAAG,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC;QACrC,IAAI,KAAK,CAAC,MAAM,KAAK,OAAO;YAAE,MAAM,IAAI,gBAAgB,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACpE,OAAO,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC;IAClC,CAAC;IAEO,YAAY,CAAC,GAAW;QAC9B,MAAM,UAAU,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC;QACpC,MAAM,KAAK,GAAG,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;QAC1C,IAAI,CAAC,KAAK;YAAE,MAAM,IAAI,mBAAmB,CAAC,UAAU,CAAC,CAAC;QACtD,OAAO,KAAK,CAAC;IACf,CAAC;IAEO,YAAY,CAAC,KAAuB;QAC1C,IAAI,CAAC,KAAK,CAAC,UAAU,IAAI,CAAC,KAAK,CAAC,EAAE,IAAI,CAAC,KAAK,CAAC,GAAG;YAAE,MAAM,IAAI,gBAAgB,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACxF,OAAO,aAAa,CAAC,EAAE,UAAU,EAAE,KAAK,CAAC,UAAU,EAAE,EAAE,EAAE,KAAK,CAAC,EAAE,EAAE,GAAG,EAAE,KAAK,CAAC,GAAG,EAAE,EAAE,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;IACnG,CAAC;IAEO,GAAG;QACT,OAAO,eAAe,CAAC,EAAE,GAAG,EAAE,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,UAAU,EAAE,IAAI,CAAC,UAAU,EAAE,CAAC,CAAC;IAC9E,CAAC;IAEO,KAAK,CAAC,IAAI;QAChB,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,QAAQ,MAAM,CAAC;QACnC,MAAM,EAAE,CAAC,SAAS,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;QAC3E,MAAM,EAAE,CAAC,MAAM,CAAC,GAAG,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC;IACtC,CAAC;CACF"}

package/dist/secrets/secret-types.d.ts

@@ -0,0 +1,31 @@
+export type SecretStatus = "set" | "empty";
+export interface SecretMetadata {
+    key: string;
+    status: SecretStatus;
+    length: number;
+    createdAt: string;
+    updatedAt: string;
+    requestedBy?: "agent" | "user";
+    requestReason?: string;
+}
+export interface SecretResolver {
+    list(): Promise<SecretMetadata[]>;
+    info(key: string): Promise<SecretMetadata | undefined>;
+    requestEmpty(key: string, options?: {
+        reason?: string;
+        requestedBy?: "agent" | "user";
+    }): Promise<SecretMetadata>;
+    resolve(key: string): Promise<string>;
+}
+export interface SecretRedactionRegistry {
+    record(key: string, value: string): void;
+    redact<T>(value: T): T;
+}
+export declare class SecretNotFoundError extends Error {
+    readonly key: string;
+    constructor(key: string);
+}
+export declare class SecretEmptyError extends Error {
+    readonly key: string;
+    constructor(key: string);
+}

package/dist/secrets/secret-types.js

@@ -0,0 +1,17 @@
+export class SecretNotFoundError extends Error {
+    key;
+    constructor(key) {
+        super(`Secret "${key}" does not exist.`);
+        this.key = key;
+        this.name = "SecretNotFoundError";
+    }
+}
+export class SecretEmptyError extends Error {
+    key;
+    constructor(key) {
+        super(`Secret "${key}" exists but has no value. Fill it in REPL with: /secret set ${key} <value>`);
+        this.key = key;
+        this.name = "SecretEmptyError";
+    }
+}
+//# sourceMappingURL=secret-types.js.map

package/dist/secrets/secret-types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secret-types.js","sourceRoot":"","sources":["../../src/secrets/secret-types.ts"],"names":[],"mappings":"AAwBA,MAAM,OAAO,mBAAoB,SAAQ,KAAK;IAChB;IAA5B,YAA4B,GAAW;QACrC,KAAK,CAAC,WAAW,GAAG,mBAAmB,CAAC,CAAC;QADf,QAAG,GAAH,GAAG,CAAQ;QAErC,IAAI,CAAC,IAAI,GAAG,qBAAqB,CAAC;IACpC,CAAC;CACF;AAED,MAAM,OAAO,gBAAiB,SAAQ,KAAK;IACb;IAA5B,YAA4B,GAAW;QACrC,KAAK,CAAC,WAAW,GAAG,gEAAgE,GAAG,UAAU,CAAC,CAAC;QADzE,QAAG,GAAH,GAAG,CAAQ;QAErC,IAAI,CAAC,IAAI,GAAG,kBAAkB,CAAC;IACjC,CAAC;CACF"}

package/dist/secrets/smoke-secrets.js

@@ -0,0 +1,68 @@
+import fs from "node:fs/promises";
+import os from "node:os";
+import path from "node:path";
+import { InMemoryAppState } from "../app/app-state.js";
+import { ToolRegistry } from "../tools/registry.js";
+import { runToolUse } from "../tools/run-tool-use.js";
+import { createExecTool } from "../tools/builtins/exec-tool.js";
+import { createSecretTools } from "../tools/builtins/secret-tools.js";
+import { InMemorySecretRedactionRegistry } from "./secret-redaction.js";
+import { SecretStore } from "./secret-store.js";
+async function main() {
+    const dir = await fs.mkdtemp(path.join(os.tmpdir(), "neoctl-secrets-"));
+    const filePath = path.join(dir, "secrets.json");
+    const store = await SecretStore.open({ filePath, passphrase: "smoke-passphrase" });
+    await store.setPlaintext("api_token", "super-secret-token");
+    const empty = await store.requestEmpty("github_token", { reason: "Need GitHub API", requestedBy: "agent" });
+    const raw = await fs.readFile(filePath, "utf8");
+    const encryptedAtRestOk = !raw.includes("super-secret-token") && raw.includes("api_token") && raw.includes("github_token");
+    const list = await store.list();
+    const metadataOk = list.some((entry) => entry.key === "api_token" && entry.status === "set" && entry.length === "super-secret-token".length)
+        && empty.status === "empty";
+    const registry = new ToolRegistry();
+    for (const tool of createSecretTools())
+        registry.register(tool);
+    registry.register(createExecTool());
+    const redactions = new InMemorySecretRedactionRegistry();
+    const context = {
+        agentId: "smoke",
+        tools: registry,
+        appState: new InMemoryAppState("smoke", dir),
+        secrets: store,
+        secretRedactions: redactions,
+        emit: () => undefined,
+    };
+    const secretList = await runToolUse({ id: "secret_list", name: "secret_list", input: {} }, context);
+    const secretListJson = JSON.stringify(secretList);
+    const listToolOk = secretListJson.includes("api_token") && secretListJson.includes('"length":18') && !secretListJson.includes("super-secret-token");
+    const request = await runToolUse({ id: "secret_request", name: "secret_request", input: { key: "new_token", reason: "test" } }, context);
+    const requestOk = JSON.stringify(request).includes("new_token") && (await store.info("new_token"))?.status === "empty";
+    const execResult = await runToolUse({
+        id: "exec_secret",
+        name: "exec",
+        input: {
+            command: "node -e \"console.log(process.env.API_TOKEN)\"",
+            description: "verify secret env redaction",
+            envSecrets: { API_TOKEN: "api_token" },
+            maxOutputChars: 1000,
+        },
+    }, context);
+    const execJson = JSON.stringify(execResult);
+    const execRedactedOk = execJson.includes("[secret:api_token]") && !execJson.includes("super-secret-token");
+    let emptyErrorOk = false;
+    try {
+        await store.resolveForTool("github_token");
+    }
+    catch (error) {
+        emptyErrorOk = error instanceof Error && error.message.includes("has no value");
+    }
+    const ok = encryptedAtRestOk && metadataOk && listToolOk && requestOk && execRedactedOk && emptyErrorOk;
+    console.log(JSON.stringify({ ok, encryptedAtRestOk, metadataOk, listToolOk, requestOk, execRedactedOk, emptyErrorOk }, null, 2));
+    if (!ok)
+        process.exitCode = 1;
+}
+void main().catch((error) => {
+    console.error(error);
+    process.exitCode = 1;
+});
+//# sourceMappingURL=smoke-secrets.js.map

package/dist/secrets/smoke-secrets.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"smoke-secrets.js","sourceRoot":"","sources":["../../src/secrets/smoke-secrets.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,kBAAkB,CAAC;AAClC,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AACvD,OAAO,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AACpD,OAAO,EAAE,UAAU,EAAE,MAAM,0BAA0B,CAAC;AAEtD,OAAO,EAAE,cAAc,EAAE,MAAM,gCAAgC,CAAC;AAChE,OAAO,EAAE,iBAAiB,EAAE,MAAM,mCAAmC,CAAC;AACtE,OAAO,EAAE,+BAA+B,EAAE,MAAM,uBAAuB,CAAC;AACxE,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAEhD,KAAK,UAAU,IAAI;IACjB,MAAM,GAAG,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,iBAAiB,CAAC,CAAC,CAAC;IACxE,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,cAAc,CAAC,CAAC;IAChD,MAAM,KAAK,GAAG,MAAM,WAAW,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,UAAU,EAAE,kBAAkB,EAAE,CAAC,CAAC;IAEnF,MAAM,KAAK,CAAC,YAAY,CAAC,WAAW,EAAE,oBAAoB,CAAC,CAAC;IAC5D,MAAM,KAAK,GAAG,MAAM,KAAK,CAAC,YAAY,CAAC,cAAc,EAAE,EAAE,MAAM,EAAE,iBAAiB,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC,CAAC;IAC5G,MAAM,GAAG,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IAChD,MAAM,iBAAiB,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,oBAAoB,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC;IAC3H,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,IAAI,EAAE,CAAC;IAChC,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,GAAG,KAAK,WAAW,IAAI,KAAK,CAAC,MAAM,KAAK,KAAK,IAAI,KAAK,CAAC,MAAM,KAAK,oBAAoB,CAAC,MAAM,CAAC;WACvI,KAAK,CAAC,MAAM,KAAK,OAAO,CAAC;IAE9B,MAAM,QAAQ,GAAG,IAAI,YAAY,EAAE,CAAC;IACpC,KAAK,MAAM,IAAI,IAAI,iBAAiB,EAAE;QAAE,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;IAChE,QAAQ,CAAC,QAAQ,CAAC,cAAc,EAAE,CAAC,CAAC;IACpC,MAAM,UAAU,GAAG,IAAI,+BAA+B,EAAE,CAAC;IACzD,MAAM,OAAO,GAAmB;QAC9B,OAAO,EAAE,OAAO;QAChB,KAAK,EAAE,QAAQ;QACf,QAAQ,EAAE,IAAI,gBAAgB,CAAC,OAAO,EAAE,GAAG,CAAC;QAC5C,OAAO,EAAE,KAAK;QACd,gBAAgB,EAAE,UAAU;QAC5B,IAAI,EAAE,GAAG,EAAE,CAAC,SAAS;KACtB,CAAC;IAEF,MAAM,UAAU,GAAG,MAAM,UAAU,CAAC,EAAE,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,aAAa,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE,OAAO,CAAC,CAAC;IACpG,MAAM,cAAc,GAAG,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;IAClD,MAAM,UAAU,GAAG,cAAc,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,cAAc,CAAC,QAAQ,CAAC,aAAa,CAAC,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,oBAAoB,CAAC,CAAC;IAEpJ,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,EAAE,EAAE,EAAE,gBAAgB,EAAE,IAAI,EAAE,gBAAgB,EAAE,KAAK,EAAE,EAAE,GAAG,EAAE,WAAW,EAAE,MAAM,EAAE,MAAM,EAAE,EAAE,EAAE,OAAO,CAAC,CAAC;IACzI,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,CAAC,MAAM,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,EAAE,MAAM,KAAK,OAAO,CAAC;IAEvH,MAAM,UAAU,GAAG,MAAM,UAAU,CAAC;QAClC,EAAE,EAAE,aAAa;QACjB,IAAI,EAAE,MAAM;QACZ,KAAK,EAAE;YACL,OAAO,EAAE,gDAAgD;YACzD,WAAW,EAAE,6BAA6B;YAC1C,UAAU,EAAE,EAAE,SAAS,EAAE,WAAW,EAAE;YACtC,cAAc,EAAE,IAAI;SACrB;KACF,EAAE,OAAO,CAAC,CAAC;IACZ,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;IAC5C,MAAM,cAAc,GAAG,QAAQ,CAAC,QAAQ,CAAC,oBAAoB,CAAC,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,oBAAoB,CAAC,CAAC;IAE3G,IAAI,YAAY,GAAG,KAAK,CAAC;IACzB,IAAI,CAAC;QACH,MAAM,KAAK,CAAC,cAAc,CAAC,cAAc,CAAC,CAAC;IAC7C,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,YAAY,GAAG,KAAK,YAAY,KAAK,IAAI,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC;IAClF,CAAC;IAED,MAAM,EAAE,GAAG,iBAAiB,IAAI,UAAU,IAAI,UAAU,IAAI,SAAS,IAAI,cAAc,IAAI,YAAY,CAAC;IACxG,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,EAAE,EAAE,iBAAiB,EAAE,UAAU,EAAE,UAAU,EAAE,SAAS,EAAE,cAAc,EAAE,YAAY,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;IACjI,IAAI,CAAC,EAAE;QAAE,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;AAChC,CAAC;AAED,KAAK,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE;IAC1B,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IACrB,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;AACvB,CAAC,CAAC,CAAC"}

package/dist/tools/builtins/exec-tool.d.ts

@@ -8,11 +8,30 @@ export interface ExecToolInput {
     maxOutputChars: number;
     shell: ExecShell;
     env: Record<string, string>;
-    description?: string;
+    envSecrets: Record<string, string>;
+    description: string;
     background?: boolean;
 }
+export interface ForegroundExecDetachResult {
+    ok: boolean;
+    message: string;
+    taskId?: string;
+    agentId?: string;
+}
+export interface ForegroundExecDetachHandle {
+    toolUseId?: string;
+    command: string;
+    description?: string;
+    cwd: string;
+    startedAt: number;
+    detach(): ForegroundExecDetachResult;
+}
+export interface ForegroundExecDetachRegistry {
+    set(handle: ForegroundExecDetachHandle): () => void;
+}
 export interface ExecToolRuntime {
     taskStore?: TaskStore;
+    foregroundDetachRegistry?: ForegroundExecDetachRegistry;
 }
 export declare function createExecTool(runtime?: ExecToolRuntime): Tool<ExecToolInput>;
 export declare const execTool: Tool<ExecToolInput>;