opc-agent 3.0.1 → 4.0.0

package/dist/security/approvals.js

@@ -0,0 +1,115 @@
+"use strict";
+/**
+ * Approvals Module - v1.0.0
+ * Policy-based exec approval system with queue, expiry, history, and callbacks.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ExecApprovalManager = void 0;
+const crypto_1 = require("crypto");
+class ExecApprovalManager {
+    policy;
+    pending = new Map();
+    history = [];
+    allowedCommands = new Set();
+    expiryMs;
+    onRequestCallback;
+    expiryTimer;
+    constructor(options = {}) {
+        this.policy = options.policy ?? 'elevated-only';
+        this.expiryMs = options.expiryMs ?? 300_000; // 5 min default
+        this.onRequestCallback = options.onRequest;
+        if (options.allowedCommands) {
+            for (const cmd of options.allowedCommands)
+                this.allowedCommands.add(cmd);
+        }
+        this.expiryTimer = setInterval(() => this.expirePending(), 10_000);
+        if (this.expiryTimer.unref)
+            this.expiryTimer.unref();
+    }
+    getPolicy() { return this.policy; }
+    setPolicy(p) { this.policy = p; }
+    addAllowedCommand(cmd) { this.allowedCommands.add(cmd); }
+    removeAllowedCommand(cmd) { this.allowedCommands.delete(cmd); }
+    getAllowedCommands() { return [...this.allowedCommands]; }
+    needsApproval(command, elevated) {
+        switch (this.policy) {
+            case 'never': return false;
+            case 'always': return true;
+            case 'elevated-only': return elevated;
+            case 'allowlist': return !this.isAllowed(command);
+        }
+    }
+    isAllowed(command) {
+        for (const allowed of this.allowedCommands) {
+            if (command.startsWith(allowed) || command === allowed)
+                return true;
+        }
+        return false;
+    }
+    request(command, elevated = false) {
+        const now = Date.now();
+        const req = {
+            id: (0, crypto_1.randomUUID)(),
+            command,
+            elevated,
+            requestedAt: now,
+            expiresAt: now + this.expiryMs,
+            status: 'pending',
+        };
+        this.pending.set(req.id, req);
+        this.onRequestCallback?.(req);
+        return req;
+    }
+    approve(id, approver) {
+        const req = this.pending.get(id);
+        if (!req)
+            throw new Error(`Request ${id} not found`);
+        if (req.status !== 'pending')
+            throw new Error(`Request ${id} already ${req.status}`);
+        req.status = 'approved';
+        req.approvedBy = approver;
+        this.pending.delete(id);
+        this.history.push({ request: req, resolvedAt: Date.now() });
+        return req;
+    }
+    deny(id, approver, reason) {
+        const req = this.pending.get(id);
+        if (!req)
+            throw new Error(`Request ${id} not found`);
+        if (req.status !== 'pending')
+            throw new Error(`Request ${id} already ${req.status}`);
+        req.status = 'denied';
+        req.approvedBy = approver;
+        req.reason = reason;
+        this.pending.delete(id);
+        this.history.push({ request: req, resolvedAt: Date.now() });
+        return req;
+    }
+    getPending() {
+        return [...this.pending.values()];
+    }
+    getHistory() {
+        return [...this.history];
+    }
+    getRequest(id) {
+        return this.pending.get(id) ?? this.history.find(h => h.request.id === id)?.request;
+    }
+    expirePending() {
+        const now = Date.now();
+        for (const [id, req] of this.pending) {
+            if (now >= req.expiresAt) {
+                req.status = 'expired';
+                this.pending.delete(id);
+                this.history.push({ request: req, resolvedAt: now });
+            }
+        }
+    }
+    /** Force expire check (for testing) */
+    checkExpiry() { this.expirePending(); }
+    destroy() {
+        if (this.expiryTimer)
+            clearInterval(this.expiryTimer);
+    }
+}
+exports.ExecApprovalManager = ExecApprovalManager;
+//# sourceMappingURL=approvals.js.map

package/dist/security/elevated.d.ts

@@ -0,0 +1,41 @@
+/**
+ * Elevated Permissions Module - v1.0.0
+ * Elevation mode management with allowed commands, auto-revoke, and audit log.
+ */
+export type ElevationMode = 'off' | 'ask' | 'on';
+export interface ElevationAuditEntry {
+    timestamp: number;
+    action: 'elevate' | 'revoke' | 'execute' | 'deny';
+    command?: string;
+    reason?: string;
+}
+export declare class ElevatedManager {
+    private mode;
+    private elevated;
+    private allowedCommands;
+    private auditLog;
+    private revokeTimer?;
+    private autoRevokeMs;
+    constructor(options?: {
+        mode?: ElevationMode;
+        allowedCommands?: (string | RegExp)[];
+        autoRevokeMs?: number;
+    });
+    getMode(): ElevationMode;
+    setMode(mode: ElevationMode): void;
+    isElevated(): boolean;
+    addAllowedCommand(pattern: string | RegExp): void;
+    isCommandAllowed(command: string): boolean;
+    elevate(reason?: string): boolean;
+    revoke(reason?: string): void;
+    canExecute(command: string): {
+        allowed: boolean;
+        needsElevation: boolean;
+    };
+    getAuditLog(): ElevationAuditEntry[];
+    clearAuditLog(): void;
+    private startAutoRevoke;
+    private clearAutoRevoke;
+    destroy(): void;
+}
+//# sourceMappingURL=elevated.d.ts.map

package/dist/security/elevated.js

@@ -0,0 +1,89 @@
+"use strict";
+/**
+ * Elevated Permissions Module - v1.0.0
+ * Elevation mode management with allowed commands, auto-revoke, and audit log.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ElevatedManager = void 0;
+class ElevatedManager {
+    mode;
+    elevated = false;
+    allowedCommands = [];
+    auditLog = [];
+    revokeTimer;
+    autoRevokeMs;
+    constructor(options = {}) {
+        this.mode = options.mode ?? 'ask';
+        this.autoRevokeMs = options.autoRevokeMs ?? 600_000; // 10 min
+        if (options.allowedCommands) {
+            for (const cmd of options.allowedCommands) {
+                this.allowedCommands.push(cmd instanceof RegExp ? cmd : new RegExp(`^${cmd.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')}$`));
+            }
+        }
+    }
+    getMode() { return this.mode; }
+    setMode(mode) { this.mode = mode; }
+    isElevated() { return this.elevated; }
+    addAllowedCommand(pattern) {
+        this.allowedCommands.push(pattern instanceof RegExp ? pattern : new RegExp(`^${pattern.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')}$`));
+    }
+    isCommandAllowed(command) {
+        return this.allowedCommands.some(r => r.test(command));
+    }
+    elevate(reason) {
+        if (this.mode === 'off')
+            return false;
+        this.elevated = true;
+        this.auditLog.push({ timestamp: Date.now(), action: 'elevate', reason });
+        this.startAutoRevoke();
+        return true;
+    }
+    revoke(reason) {
+        this.elevated = false;
+        this.clearAutoRevoke();
+        this.auditLog.push({ timestamp: Date.now(), action: 'revoke', reason });
+    }
+    canExecute(command) {
+        if (this.isCommandAllowed(command))
+            return { allowed: true, needsElevation: false };
+        if (this.mode === 'off')
+            return { allowed: true, needsElevation: false };
+        if (this.mode === 'on') {
+            if (!this.elevated)
+                this.elevate('auto-on mode');
+            this.auditLog.push({ timestamp: Date.now(), action: 'execute', command });
+            return { allowed: true, needsElevation: false };
+        }
+        // ask mode
+        if (this.elevated) {
+            this.auditLog.push({ timestamp: Date.now(), action: 'execute', command });
+            return { allowed: true, needsElevation: false };
+        }
+        return { allowed: false, needsElevation: true };
+    }
+    getAuditLog() {
+        return [...this.auditLog];
+    }
+    clearAuditLog() {
+        this.auditLog = [];
+    }
+    startAutoRevoke() {
+        this.clearAutoRevoke();
+        this.revokeTimer = setTimeout(() => {
+            this.revoke('auto-revoke timer');
+        }, this.autoRevokeMs);
+        if (this.revokeTimer.unref)
+            this.revokeTimer.unref();
+    }
+    clearAutoRevoke() {
+        if (this.revokeTimer) {
+            clearTimeout(this.revokeTimer);
+            this.revokeTimer = undefined;
+        }
+    }
+    destroy() {
+        this.clearAutoRevoke();
+    }
+}
+exports.ElevatedManager = ElevatedManager;
+//# sourceMappingURL=elevated.js.map

package/dist/security/index.d.ts

@@ -1,4 +1,10 @@
 export { ApprovalManager } from './approval';
 export type { ApprovalPolicy, ApprovalRequest } from './approval';
 export { KeyManager } from './keys';
+export { ExecApprovalManager } from './approvals';
+export type { ExecApprovalPolicy, ExecApprovalRequest, ExecApprovalHistory, ApprovalRequestCallback } from './approvals';
+export { ElevatedManager } from './elevated';
+export type { ElevationMode, ElevationAuditEntry } from './elevated';
+export { SecretsManager } from './secrets';
+export type { SecretsStore } from './secrets';
 //# sourceMappingURL=index.d.ts.map

package/dist/security/index.js

@@ -1,8 +1,14 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.KeyManager = exports.ApprovalManager = void 0;
+exports.SecretsManager = exports.ElevatedManager = exports.ExecApprovalManager = exports.KeyManager = exports.ApprovalManager = void 0;
 var approval_1 = require("./approval");
 Object.defineProperty(exports, "ApprovalManager", { enumerable: true, get: function () { return approval_1.ApprovalManager; } });
 var keys_1 = require("./keys");
 Object.defineProperty(exports, "KeyManager", { enumerable: true, get: function () { return keys_1.KeyManager; } });
+var approvals_1 = require("./approvals");
+Object.defineProperty(exports, "ExecApprovalManager", { enumerable: true, get: function () { return approvals_1.ExecApprovalManager; } });
+var elevated_1 = require("./elevated");
+Object.defineProperty(exports, "ElevatedManager", { enumerable: true, get: function () { return elevated_1.ElevatedManager; } });
+var secrets_1 = require("./secrets");
+Object.defineProperty(exports, "SecretsManager", { enumerable: true, get: function () { return secrets_1.SecretsManager; } });
 //# sourceMappingURL=index.js.map

package/dist/security/secrets.d.ts

@@ -0,0 +1,34 @@
+/**
+ * Secrets Manager - v1.0.0
+ * AES-256-GCM encrypted secrets storage with rotation, export/import.
+ */
+export interface SecretsStore {
+    version: number;
+    secrets: Record<string, string>;
+}
+export declare class SecretsManager {
+    private masterKey;
+    private filePath;
+    private store;
+    constructor(options: {
+        password: string;
+        filePath?: string;
+    });
+    private init;
+    private load;
+    private save;
+    set(key: string, value: string): void;
+    get(key: string): string | undefined;
+    delete(key: string): boolean;
+    list(): string[];
+    has(key: string): boolean;
+    /** Inject secrets into env-like object */
+    inject(env: Record<string, string | undefined>, keys?: string[]): Record<string, string | undefined>;
+    /** Rotate: re-encrypt with new password */
+    rotate(newPassword: string): void;
+    /** Export as encrypted buffer */
+    exportEncrypted(): Buffer;
+    /** Import from encrypted buffer (must know password) */
+    static importEncrypted(data: Buffer, password: string, filePath: string): SecretsManager;
+}
+//# sourceMappingURL=secrets.d.ts.map

package/dist/security/secrets.js

@@ -0,0 +1,115 @@
+"use strict";
+/**
+ * Secrets Manager - v1.0.0
+ * AES-256-GCM encrypted secrets storage with rotation, export/import.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SecretsManager = void 0;
+const crypto_1 = require("crypto");
+const fs_1 = require("fs");
+const path_1 = require("path");
+const os_1 = require("os");
+const ALGORITHM = 'aes-256-gcm';
+const KEY_LEN = 32;
+const IV_LEN = 12;
+const SALT_LEN = 16;
+const TAG_LEN = 16;
+class SecretsManager {
+    masterKey;
+    filePath;
+    store;
+    constructor(options) {
+        this.filePath = options.filePath ?? (0, path_1.join)((0, os_1.homedir)(), '.opc', 'secrets.enc');
+        // Derive a stable key from password (we store salt in the file)
+        this.masterKey = Buffer.alloc(KEY_LEN); // placeholder, set on load/init
+        this.store = { version: 1, secrets: {} };
+        this.init(options.password);
+    }
+    init(password) {
+        if ((0, fs_1.existsSync)(this.filePath)) {
+            this.load(password);
+        }
+        else {
+            const salt = (0, crypto_1.randomBytes)(SALT_LEN);
+            this.masterKey = (0, crypto_1.scryptSync)(password, salt, KEY_LEN);
+            this.store = { version: 1, secrets: {} };
+            this.save(salt);
+        }
+    }
+    load(password) {
+        const data = (0, fs_1.readFileSync)(this.filePath);
+        const salt = data.subarray(0, SALT_LEN);
+        const iv = data.subarray(SALT_LEN, SALT_LEN + IV_LEN);
+        const tag = data.subarray(SALT_LEN + IV_LEN, SALT_LEN + IV_LEN + TAG_LEN);
+        const encrypted = data.subarray(SALT_LEN + IV_LEN + TAG_LEN);
+        this.masterKey = (0, crypto_1.scryptSync)(password, salt, KEY_LEN);
+        const decipher = (0, crypto_1.createDecipheriv)(ALGORITHM, this.masterKey, iv);
+        decipher.setAuthTag(tag);
+        const decrypted = Buffer.concat([decipher.update(encrypted), decipher.final()]);
+        this.store = JSON.parse(decrypted.toString('utf8'));
+    }
+    save(salt) {
+        const dir = (0, path_1.dirname)(this.filePath);
+        if (!(0, fs_1.existsSync)(dir))
+            (0, fs_1.mkdirSync)(dir, { recursive: true });
+        if (!salt && (0, fs_1.existsSync)(this.filePath)) {
+            salt = (0, fs_1.readFileSync)(this.filePath).subarray(0, SALT_LEN);
+        }
+        if (!salt)
+            salt = (0, crypto_1.randomBytes)(SALT_LEN);
+        const iv = (0, crypto_1.randomBytes)(IV_LEN);
+        const cipher = (0, crypto_1.createCipheriv)(ALGORITHM, this.masterKey, iv);
+        const encrypted = Buffer.concat([cipher.update(JSON.stringify(this.store), 'utf8'), cipher.final()]);
+        const tag = cipher.getAuthTag();
+        (0, fs_1.writeFileSync)(this.filePath, Buffer.concat([salt, iv, tag, encrypted]));
+    }
+    set(key, value) {
+        this.store.secrets[key] = value;
+        this.save();
+    }
+    get(key) {
+        return this.store.secrets[key];
+    }
+    delete(key) {
+        if (!(key in this.store.secrets))
+            return false;
+        delete this.store.secrets[key];
+        this.save();
+        return true;
+    }
+    list() {
+        return Object.keys(this.store.secrets);
+    }
+    has(key) {
+        return key in this.store.secrets;
+    }
+    /** Inject secrets into env-like object */
+    inject(env, keys) {
+        const toInject = keys ?? this.list();
+        for (const k of toInject) {
+            if (this.has(k))
+                env[k] = this.store.secrets[k];
+        }
+        return env;
+    }
+    /** Rotate: re-encrypt with new password */
+    rotate(newPassword) {
+        const salt = (0, crypto_1.randomBytes)(SALT_LEN);
+        this.masterKey = (0, crypto_1.scryptSync)(newPassword, salt, KEY_LEN);
+        this.save(salt);
+    }
+    /** Export as encrypted buffer */
+    exportEncrypted() {
+        return (0, fs_1.readFileSync)(this.filePath);
+    }
+    /** Import from encrypted buffer (must know password) */
+    static importEncrypted(data, password, filePath) {
+        const dir = (0, path_1.dirname)(filePath);
+        if (!(0, fs_1.existsSync)(dir))
+            (0, fs_1.mkdirSync)(dir, { recursive: true });
+        (0, fs_1.writeFileSync)(filePath, data);
+        return new SecretsManager({ password, filePath });
+    }
+}
+exports.SecretsManager = SecretsManager;
+//# sourceMappingURL=secrets.js.map

package/dist/tools/builtin/browser.d.ts

@@ -0,0 +1,47 @@
+import type { MCPTool } from '../mcp';
+export declare class BrowserManager {
+    private browser;
+    private page;
+    private lastActivity;
+    private idleTimer;
+    private playwrightFactory;
+    constructor(playwrightFactory?: () => any);
+    private resetIdleTimer;
+    ensureBrowser(): Promise<any>;
+    navigate(url: string): Promise<{
+        title: string;
+        text: string;
+        url: string;
+    }>;
+    click(selector: string): Promise<void>;
+    type(selector: string, text: string): Promise<void>;
+    screenshot(): Promise<string>;
+    extract(): Promise<{
+        text: string;
+        links: string[];
+        images: string[];
+    }>;
+    scroll(direction: 'up' | 'down', amount?: number): Promise<void>;
+    back(): Promise<void>;
+    evaluate(script: string): Promise<any>;
+    getImages(): Promise<Array<{
+        src: string;
+        alt: string;
+    }>>;
+    waitFor(selector: string, timeout?: number): Promise<boolean>;
+    close(): Promise<void>;
+}
+declare const browserManager: BrowserManager;
+export declare const browserNavigateTool: MCPTool;
+export declare const browserClickTool: MCPTool;
+export declare const browserTypeTool: MCPTool;
+export declare const browserScreenshotTool: MCPTool;
+export declare const browserExtractTool: MCPTool;
+export declare const browserScrollTool: MCPTool;
+export declare const browserBackTool: MCPTool;
+export declare const browserEvalTool: MCPTool;
+export declare const browserGetImagesTool: MCPTool;
+export declare const browserWaitTool: MCPTool;
+export declare const browserTools: MCPTool[];
+export { browserManager };
+//# sourceMappingURL=browser.d.ts.map