openclaw-airlock 0.4.7

package/dist/client.d.ts

@@ -0,0 +1,136 @@
+/**
+ * Airlock Client — wraps @airlockapp/gateway-sdk with approval workflow logic.
+ *
+ * Responsibilities:
+ * - Submit encrypted artifacts for approval
+ * - Poll for decisions (long-poll with server-side 25s timeout)
+ * - Verify decision signatures (Ed25519)
+ * - Claim pre-generated pairing codes (X25519 ECDH key exchange)
+ * - Persist pairing state to disk
+ * - Health check via gateway echo
+ * - Presence heartbeat
+ * - DND (Do Not Disturb) policy check
+ * - Handle HTTP errors (401, 403, 422, 429) with appropriate responses
+ */
+import type { AirlockConfig } from "./config.js";
+/** Payload for an approval request. */
+export interface ApprovalPayload {
+    /** Tool name or action type (e.g. "shell.exec", "deploy.run"). */
+    actionType: string;
+    /** The command or action text to display to the approver. */
+    commandText: string;
+    /** Human-readable description for the approval card. */
+    description: string;
+    /** Optional additional context. */
+    context?: string;
+}
+/** Approval decision returned by the client. */
+export interface Decision {
+    /** The decision result. */
+    decision: "approved" | "rejected" | "timeout";
+    /** Optional reason from the approver. */
+    reason?: string;
+    /** The exchange request ID. */
+    requestId: string;
+}
+/** Gateway health check result. */
+export interface HealthResult {
+    connected: boolean;
+    gatewayUrl: string;
+    serverTime?: string;
+    error?: string;
+}
+/** Consent status values. */
+export type ConsentStatus = "approved" | "required" | "pending" | "denied" | "unknown";
+/** Result of a consent check. */
+export interface ConsentResult {
+    status: ConsentStatus;
+    message?: string;
+    consentUrl?: string;
+}
+export declare class AirlockClient {
+    private readonly gateway;
+    private readonly config;
+    private readonly log;
+    private heartbeatTimer;
+    private pairedKeys;
+    constructor(config: AirlockConfig, logger?: (msg: string) => void);
+    private initPromise;
+    /**
+     * Restore pairing state from disk and start presence heartbeat.
+     * Idempotent — safe to call multiple times; only runs once.
+     */
+    initialize(): Promise<void>;
+    /**
+     * Ensure initialization is complete before proceeding.
+     * CLI commands should await this before checking config.routingToken etc.
+     */
+    ensureInitialized(): Promise<void>;
+    private _doInitialize;
+    /** Stop background tasks (heartbeat timer). */
+    dispose(): void;
+    /**
+     * Submit an encrypted artifact for approval and poll for the decision.
+     * Returns when the approver decides or the timeout elapses.
+     */
+    requestApproval(payload: ApprovalPayload): Promise<Decision>;
+    /**
+     * Poll for a decision using the long-poll endpoint.
+     * Repeats until the decision is received or timeout elapses.
+     */
+    private pollDecision;
+    /**
+     * Check if a DND (Do Not Disturb) policy is active that would auto-approve
+     * actions for the current enforcer/workspace.
+     *
+     * @returns True if a matching DND policy covers this action (auto-approve).
+     */
+    isDndActive(): Promise<boolean>;
+    /** Result of a consent check. */
+    /** {@link checkConsent} */
+    /**
+     * Check the user consent status for this enforcer app.
+     *
+     * Calls GET /v1/consent/status. The gateway returns:
+     * - 200 + { status: "approved" } — consent granted
+     * - 403 + app_consent_required   — first contact; push sent to mobile app
+     * - 403 + app_consent_pending    — user hasn't responded yet
+     * - 403 + app_consent_denied     — user denied
+     *
+     * @returns ConsentResult with status and optional message/consentUrl.
+     */
+    checkConsent(): Promise<ConsentResult>;
+    /** Check gateway connectivity via the echo endpoint. */
+    checkHealth(): Promise<HealthResult>;
+    /**
+     * Get the status of an exchange by request ID.
+     * Returns the exchange state (Pending, Decided, Expired, Withdrawn).
+     */
+    getExchangeStatus(requestId: string): Promise<{
+        state: string;
+        createdAt?: string;
+        expiresAt?: string;
+    }>;
+    /** Start periodic presence heartbeat so the mobile app shows enforcer online. */
+    private startHeartbeat;
+    /**
+     * Claim a pre-generated pairing code with proper X25519 ECDH key exchange.
+     * Polls until pairing is completed, derives shared encryption key,
+     * and persists the pairing state to disk.
+     *
+     * @param code The pre-generated pairing code.
+     * @returns Routing token and encryption key for artifact encryption.
+     */
+    claimPairing(code: string): Promise<{
+        routingToken: string;
+        encryptionKey: string;
+        pairingNonce: string;
+    }>;
+    private parseDecision;
+    private handleSubmitError;
+    /** Clear pairing state from memory and disk. */
+    private clearPairingState;
+}
+/** Factory function to create an AirlockClient from validated config. */
+export declare function createAirlockClient(config: AirlockConfig, logger?: (msg: string) => void): AirlockClient;
+//# sourceMappingURL=client.d.ts.map

package/dist/client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAUH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAgBjD,uCAAuC;AACvC,MAAM,WAAW,eAAe;IAC9B,kEAAkE;IAClE,UAAU,EAAE,MAAM,CAAC;IACnB,6DAA6D;IAC7D,WAAW,EAAE,MAAM,CAAC;IACpB,wDAAwD;IACxD,WAAW,EAAE,MAAM,CAAC;IACpB,mCAAmC;IACnC,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,gDAAgD;AAChD,MAAM,WAAW,QAAQ;IACvB,2BAA2B;IAC3B,QAAQ,EAAE,UAAU,GAAG,UAAU,GAAG,SAAS,CAAC;IAC9C,yCAAyC;IACzC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,+BAA+B;IAC/B,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,mCAAmC;AACnC,MAAM,WAAW,YAAY;IAC3B,SAAS,EAAE,OAAO,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,6BAA6B;AAC7B,MAAM,MAAM,aAAa,GAAG,UAAU,GAAG,UAAU,GAAG,SAAS,GAAG,QAAQ,GAAG,SAAS,CAAC;AAEvF,iCAAiC;AACjC,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,aAAa,CAAC;IACtB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAeD,qBAAa,aAAa;IACxB,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAuB;IAC/C,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAgB;IACvC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAwB;IAC5C,OAAO,CAAC,cAAc,CAA+C;IACrE,OAAO,CAAC,UAAU,CAAsC;gBAE5C,MAAM,EAAE,aAAa,EAAE,MAAM,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI;IAYjE,OAAO,CAAC,WAAW,CAA8B;IAIjD;;;OAGG;IACG,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC;IAOjC;;;OAGG;IACG,iBAAiB,IAAI,OAAO,CAAC,IAAI,CAAC;YAI1B,aAAa;IAkB3B,+CAA+C;IAC/C,OAAO,IAAI,IAAI;IASf;;;OAGG;IACG,eAAe,CAAC,OAAO,EAAE,eAAe,GAAG,OAAO,CAAC,QAAQ,CAAC;IA6DlE;;;OAGG;YACW,YAAY;IA0C1B;;;;;OAKG;IACG,WAAW,IAAI,OAAO,CAAC,OAAO,CAAC;IAmBrC,iCAAiC;IACjC,2BAA2B;IAE3B;;;;;;;;;;OAUG;IACG,YAAY,IAAI,OAAO,CAAC,aAAa,CAAC;IAwC5C,wDAAwD;IAClD,WAAW,IAAI,OAAO,CAAC,YAAY,CAAC;IAmB1C;;;OAGG;IACG,iBAAiB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC;QAClD,KAAK,EAAE,MAAM,CAAC;QACd,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,SAAS,CAAC,EAAE,MAAM,CAAC;KACpB,CAAC;IAWF,iFAAiF;IACjF,OAAO,CAAC,cAAc;IAyBtB;;;;;;;OAOG;IACG,YAAY,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC;QACxC,YAAY,EAAE,MAAM,CAAC;QACrB,aAAa,EAAE,MAAM,CAAC;QACtB,YAAY,EAAE,MAAM,CAAC;KACtB,CAAC;IAwFF,OAAO,CAAC,aAAa;YAuCP,iBAAiB;IAmD/B,gDAAgD;YAClC,iBAAiB;CAOhC;AAED,yEAAyE;AACzE,wBAAgB,mBAAmB,CACjC,MAAM,EAAE,aAAa,EACrB,MAAM,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,GAC7B,aAAa,CAEf"}

package/dist/client.js

@@ -0,0 +1,474 @@
+/**
+ * Airlock Client — wraps @airlockapp/gateway-sdk with approval workflow logic.
+ *
+ * Responsibilities:
+ * - Submit encrypted artifacts for approval
+ * - Poll for decisions (long-poll with server-side 25s timeout)
+ * - Verify decision signatures (Ed25519)
+ * - Claim pre-generated pairing codes (X25519 ECDH key exchange)
+ * - Persist pairing state to disk
+ * - Health check via gateway echo
+ * - Presence heartbeat
+ * - DND (Do Not Disturb) policy check
+ * - Handle HTTP errors (401, 403, 422, 429) with appropriate responses
+ */
+import { AirlockGatewayClient, AirlockGatewayError, } from "@airlockapp/gateway-sdk";
+import { generateX25519KeyPair, deriveSharedKey, verifyDecisionSignature, } from "./crypto.js";
+import { loadPairingState, savePairingState, clearPairingState, } from "./state.js";
+// ── Constants ───────────────────────────────────────────────────
+/** Server-side long-poll timeout per request (seconds). */
+const LONG_POLL_TIMEOUT_SEC = 25;
+/** Source identifier sent in artifact metadata. */
+const SOURCE_ID = "openclaw-airlock";
+/** Presence heartbeat interval (ms). */
+const HEARTBEAT_INTERVAL_MS = 45_000;
+// ── Client ──────────────────────────────────────────────────────
+export class AirlockClient {
+    gateway;
+    config;
+    log;
+    heartbeatTimer = null;
+    pairedKeys = {};
+    constructor(config, logger) {
+        this.config = config;
+        this.log = logger ?? ((msg) => console.info(`[Airlock] ${msg}`));
+        this.gateway = new AirlockGatewayClient({
+            baseUrl: config.gatewayUrl,
+            pat: config.pat,
+            clientId: config.clientId,
+            clientSecret: config.clientSecret,
+        });
+    }
+    initPromise = null;
+    // ── Initialization ────────────────────────────────────────────
+    /**
+     * Restore pairing state from disk and start presence heartbeat.
+     * Idempotent — safe to call multiple times; only runs once.
+     */
+    async initialize() {
+        if (!this.initPromise) {
+            this.initPromise = this._doInitialize();
+        }
+        return this.initPromise;
+    }
+    /**
+     * Ensure initialization is complete before proceeding.
+     * CLI commands should await this before checking config.routingToken etc.
+     */
+    async ensureInitialized() {
+        await this.initialize();
+    }
+    async _doInitialize() {
+        // Restore persisted pairing state (only if not already set from config)
+        if (!this.config.routingToken || !this.config.encryptionKey) {
+            const state = await loadPairingState();
+            if (state) {
+                this.config.routingToken = state.routingToken;
+                this.config.encryptionKey = state.encryptionKey;
+                this.pairedKeys = state.pairedKeys;
+                this.log("Pairing state restored from disk");
+            }
+        }
+        else {
+            this.log("Pairing state already in config");
+        }
+        // Start presence heartbeat
+        this.startHeartbeat();
+    }
+    /** Stop background tasks (heartbeat timer). */
+    dispose() {
+        if (this.heartbeatTimer) {
+            clearInterval(this.heartbeatTimer);
+            this.heartbeatTimer = null;
+        }
+    }
+    // ── Approval Flow ─────────────────────────────────────────────
+    /**
+     * Submit an encrypted artifact for approval and poll for the decision.
+     * Returns when the approver decides or the timeout elapses.
+     */
+    async requestApproval(payload) {
+        if (!this.config.encryptionKey) {
+            return {
+                decision: "rejected",
+                reason: "Not paired — run 'airlock pair' first",
+                requestId: "",
+            };
+        }
+        if (!this.config.routingToken) {
+            return {
+                decision: "rejected",
+                reason: "No routing token — run 'airlock pair' first",
+                requestId: "",
+            };
+        }
+        // Build plaintext payload with HARP requestedActions extension
+        const plaintextPayload = JSON.stringify({
+            actionType: payload.actionType,
+            commandText: payload.commandText,
+            description: payload.description,
+            context: payload.context ?? "",
+            workspace: this.config.workspaceName,
+            source: SOURCE_ID,
+            extensions: {
+                "org.harp.requestedActions": {
+                    version: 1,
+                    actions: [
+                        { id: "approve", caption: "Approve", style: "primary", decision: "approve" },
+                        { id: "reject", caption: "Reject", style: "danger", decision: "reject" },
+                    ],
+                },
+            },
+        });
+        let requestId;
+        try {
+            requestId = await this.gateway.encryptAndSubmitArtifact({
+                enforcerId: this.config.enforcerId,
+                artifactType: "command.review",
+                plaintextPayload,
+                encryptionKeyBase64Url: this.config.encryptionKey,
+                metadata: {
+                    workspaceName: this.config.workspaceName,
+                    routingToken: this.config.routingToken,
+                    requestLabel: payload.actionType === "terminal_command" ? "Terminal Command" : "Agent Action",
+                },
+            });
+        }
+        catch (err) {
+            return await this.handleSubmitError(err);
+        }
+        this.log(`Artifact submitted: ${requestId}`);
+        // Submit ack (fire-and-forget)
+        this.gateway.submitAck(`msg-${requestId}`, requestId).catch(() => { });
+        return this.pollDecision(requestId);
+    }
+    /**
+     * Poll for a decision using the long-poll endpoint.
+     * Repeats until the decision is received or timeout elapses.
+     */
+    async pollDecision(requestId) {
+        const deadline = Date.now() + this.config.timeoutMs;
+        let pollCount = 0;
+        while (Date.now() < deadline) {
+            pollCount++;
+            const remainingSec = Math.ceil((deadline - Date.now()) / 1000);
+            const serverTimeout = Math.min(LONG_POLL_TIMEOUT_SEC, remainingSec);
+            if (serverTimeout <= 0)
+                break;
+            try {
+                const envelope = await this.gateway.waitForDecision(requestId, serverTimeout);
+                if (!envelope) {
+                    // 204 — no decision yet, continue polling
+                    continue;
+                }
+                const decision = this.parseDecision(envelope, requestId);
+                if (decision)
+                    return decision;
+            }
+            catch (err) {
+                if (err instanceof AirlockGatewayError) {
+                    if (err.statusCode === 401) {
+                        this.log("Received 401 during poll — retrying");
+                        continue;
+                    }
+                    this.log(`Poll error (HTTP ${err.statusCode}): ${err.message}`);
+                }
+                else {
+                    this.log(`Poll error: ${err instanceof Error ? err.message : String(err)}`);
+                }
+            }
+        }
+        // Timed out — withdraw the stale exchange
+        this.log(`Approval timed out after ${this.config.timeoutMs}ms (${pollCount} polls)`);
+        this.gateway.withdrawExchange(requestId).catch(() => { });
+        return { decision: "timeout", requestId };
+    }
+    // ── DND Policy Check ──────────────────────────────────────────
+    /**
+     * Check if a DND (Do Not Disturb) policy is active that would auto-approve
+     * actions for the current enforcer/workspace.
+     *
+     * @returns True if a matching DND policy covers this action (auto-approve).
+     */
+    async isDndActive() {
+        try {
+            const resp = await this.gateway.getEffectiveDndPolicies(this.config.enforcerId, this.config.enforcerId);
+            if (resp.body && resp.body.length > 0) {
+                this.log(`DND active: ${resp.body.length} policy/policies`);
+                return true;
+            }
+            return false;
+        }
+        catch {
+            // DND check is best-effort — if it fails, proceed to normal approval
+            return false;
+        }
+    }
+    // ── Consent ────────────────────────────────────────────────────
+    /** Result of a consent check. */
+    /** {@link checkConsent} */
+    /**
+     * Check the user consent status for this enforcer app.
+     *
+     * Calls GET /v1/consent/status. The gateway returns:
+     * - 200 + { status: "approved" } — consent granted
+     * - 403 + app_consent_required   — first contact; push sent to mobile app
+     * - 403 + app_consent_pending    — user hasn't responded yet
+     * - 403 + app_consent_denied     — user denied
+     *
+     * @returns ConsentResult with status and optional message/consentUrl.
+     */
+    async checkConsent() {
+        try {
+            const status = await this.gateway.checkConsent();
+            return { status: status };
+        }
+        catch (err) {
+            if (err instanceof AirlockGatewayError) {
+                const code = err.errorCode ?? "";
+                if (code === "app_consent_required" ||
+                    code === "app_consent_pending" ||
+                    code === "app_consent_denied") {
+                    // Parse consentUrl and message from the response body
+                    let consentUrl;
+                    let message;
+                    try {
+                        const body = JSON.parse(err.responseBody ?? "{}");
+                        consentUrl = body.consentUrl;
+                        message = body.message;
+                    }
+                    catch {
+                        // ignore parse errors
+                    }
+                    return {
+                        status: code === "app_consent_required"
+                            ? "required"
+                            : code === "app_consent_pending"
+                                ? "pending"
+                                : "denied",
+                        message: message ?? err.message,
+                        consentUrl,
+                    };
+                }
+            }
+            // Non-consent errors — rethrow
+            throw err;
+        }
+    }
+    // ── Health Check ──────────────────────────────────────────────
+    /** Check gateway connectivity via the echo endpoint. */
+    async checkHealth() {
+        try {
+            const echo = await this.gateway.echo();
+            return {
+                connected: true,
+                gatewayUrl: this.config.gatewayUrl,
+                serverTime: echo.utc,
+            };
+        }
+        catch (err) {
+            return {
+                connected: false,
+                gatewayUrl: this.config.gatewayUrl,
+                error: err instanceof Error ? err.message : String(err),
+            };
+        }
+    }
+    // ── Exchange Status ───────────────────────────────────────────
+    /**
+     * Get the status of an exchange by request ID.
+     * Returns the exchange state (Pending, Decided, Expired, Withdrawn).
+     */
+    async getExchangeStatus(requestId) {
+        const resp = await this.gateway.getExchangeStatus(requestId);
+        return {
+            state: resp.body?.state ?? "unknown",
+            createdAt: resp.body?.createdAt,
+            expiresAt: resp.body?.expiresAt,
+        };
+    }
+    // ── Presence Heartbeat ────────────────────────────────────────
+    /** Start periodic presence heartbeat so the mobile app shows enforcer online. */
+    startHeartbeat() {
+        if (this.heartbeatTimer)
+            return;
+        const sendHeartbeat = () => {
+            this.gateway.sendHeartbeat({
+                enforcerId: this.config.enforcerId,
+                workspaceName: this.config.workspaceName,
+                enforcerLabel: "OpenClaw",
+            }).catch(() => {
+                // Heartbeat is best-effort
+            });
+        };
+        // Send immediately on start, then at intervals
+        sendHeartbeat();
+        this.heartbeatTimer = setInterval(sendHeartbeat, HEARTBEAT_INTERVAL_MS);
+        // Prevent the timer from blocking Node.js exit
+        if (this.heartbeatTimer && typeof this.heartbeatTimer === "object" && "unref" in this.heartbeatTimer) {
+            this.heartbeatTimer.unref();
+        }
+    }
+    // ── Pairing ───────────────────────────────────────────────────
+    /**
+     * Claim a pre-generated pairing code with proper X25519 ECDH key exchange.
+     * Polls until pairing is completed, derives shared encryption key,
+     * and persists the pairing state to disk.
+     *
+     * @param code The pre-generated pairing code.
+     * @returns Routing token and encryption key for artifact encryption.
+     */
+    async claimPairing(code) {
+        const { randomUUID } = await import("node:crypto");
+        const deviceId = `openclaw-${randomUUID().slice(0, 8)}`;
+        // Generate X25519 keypair for ECDH key exchange
+        const keyPair = generateX25519KeyPair();
+        this.log(`Claiming pairing code: ${code}`);
+        const claim = await this.gateway.claimPairing({
+            pairingCode: code,
+            deviceId,
+            enforcerId: this.config.enforcerId,
+            enforcerLabel: "OpenClaw",
+            workspaceName: this.config.workspaceName,
+            x25519PublicKey: keyPair.publicKey,
+        });
+        this.log(`Pairing initiated: nonce=${claim.pairingNonce}, expires=${claim.expiresAt}`);
+        // Poll for completion
+        const deadline = Date.now() + 10 * 60 * 1000; // 10 min
+        const pollInterval = 3000;
+        while (Date.now() < deadline) {
+            await new Promise((r) => setTimeout(r, pollInterval));
+            const status = await this.gateway.getPairingStatus(claim.pairingNonce);
+            if (status.state === "Expired") {
+                throw new Error("Pairing code expired. Generate a new one and try again.");
+            }
+            if (status.state !== "Completed") {
+                continue;
+            }
+            if (!status.routingToken || !status.responseJson) {
+                throw new Error("Invalid pairing completion response — missing routing token or response data");
+            }
+            // Parse the pairing response to get the approver's X25519 public key
+            const response = JSON.parse(status.responseJson);
+            // Derive shared encryption key via X25519 ECDH
+            if (!response.x25519PublicKey) {
+                throw new Error("Pairing response missing x25519PublicKey — cannot derive encryption key");
+            }
+            const encryptionKey = deriveSharedKey(keyPair.privateKey, response.x25519PublicKey);
+            // Store the approver's Ed25519 signing key for decision verification
+            const pairedKeys = {};
+            if (response.signerKeyId && response.publicKey) {
+                pairedKeys[response.signerKeyId] = {
+                    publicKey: response.publicKey,
+                    deviceId: response.deviceId ?? "mobile",
+                };
+            }
+            // Update runtime state
+            this.config.routingToken = status.routingToken;
+            this.config.encryptionKey = encryptionKey;
+            this.pairedKeys = pairedKeys;
+            // Persist state to disk
+            await savePairingState({
+                routingToken: status.routingToken,
+                encryptionKey,
+                pairedKeys,
+                pairedAt: new Date().toISOString(),
+                pairingNonce: claim.pairingNonce,
+            });
+            this.log("Pairing completed — keys derived and persisted");
+            return {
+                routingToken: status.routingToken,
+                encryptionKey,
+                pairingNonce: claim.pairingNonce,
+            };
+        }
+        throw new Error("Pairing timed out (10 minutes). Try again.");
+    }
+    // ── Helpers ───────────────────────────────────────────────────
+    parseDecision(envelope, requestId) {
+        const body = envelope.body;
+        if (!body)
+            return null;
+        const dec = String(body.decision ?? "").toLowerCase();
+        if (dec !== "approve" && dec !== "reject")
+            return null;
+        // Verify decision signature if signing material is present
+        const signerKeyId = body.signerKeyId;
+        const signature = body.signature;
+        const nonce = body.nonce;
+        const artifactHash = body.artifactHash;
+        if (signature && signerKeyId && nonce && artifactHash) {
+            const verified = verifyDecisionSignature(this.pairedKeys, artifactHash, dec, nonce, signature, signerKeyId);
+            if (!verified) {
+                this.log(`Decision signature verification failed for signerKeyId=${signerKeyId}`);
+                return null; // Reject unverifiable decisions
+            }
+            this.log("Decision signature verified ✓");
+        }
+        return {
+            decision: dec === "approve" ? "approved" : "rejected",
+            reason: body.reason,
+            requestId,
+        };
+    }
+    async handleSubmitError(err) {
+        if (err instanceof AirlockGatewayError) {
+            // 403 — pairing revoked or access denied
+            if (err.statusCode === 403) {
+                const code = err.errorCode ?? "";
+                if (code === "pairing_revoked" || code === "no_approver") {
+                    await this.clearPairingState();
+                }
+                return {
+                    decision: "rejected",
+                    reason: `Access denied: ${code || "forbidden"} — run 'airlock pair' again`,
+                    requestId: "",
+                };
+            }
+            // 422 — validation error (may include no_approver)
+            if (err.statusCode === 422) {
+                const code = err.errorCode ?? "";
+                if (code === "no_approver") {
+                    await this.clearPairingState();
+                    return {
+                        decision: "rejected",
+                        reason: "No approver available — pairing may be stale. Run 'airlock pair' again.",
+                        requestId: "",
+                    };
+                }
+                return {
+                    decision: "rejected",
+                    reason: `Validation error: ${err.message}`,
+                    requestId: "",
+                };
+            }
+            // 429 — quota exceeded
+            if (err.statusCode === 429) {
+                return {
+                    decision: "rejected",
+                    reason: "Quota exceeded — try again later",
+                    requestId: "",
+                };
+            }
+        }
+        const msg = err instanceof Error ? err.message : String(err);
+        return {
+            decision: "rejected",
+            reason: `Gateway error: ${msg}`,
+            requestId: "",
+        };
+    }
+    /** Clear pairing state from memory and disk. */
+    async clearPairingState() {
+        this.config.routingToken = undefined;
+        this.config.encryptionKey = undefined;
+        this.pairedKeys = {};
+        await clearPairingState().catch(() => { });
+        this.log("Pairing state cleared (revoked or stale)");
+    }
+}
+/** Factory function to create an AirlockClient from validated config. */
+export function createAirlockClient(config, logger) {
+    return new AirlockClient(config, logger);
+}
+//# sourceMappingURL=client.js.map

package/dist/client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EACL,oBAAoB,EACpB,mBAAmB,GACpB,MAAM,yBAAyB,CAAC;AAMjC,OAAO,EACL,qBAAqB,EACrB,eAAe,EACf,uBAAuB,GAExB,MAAM,aAAa,CAAC;AACrB,OAAO,EACL,gBAAgB,EAChB,gBAAgB,EAChB,iBAAiB,GAElB,MAAM,YAAY,CAAC;AA4CpB,mEAAmE;AAEnE,2DAA2D;AAC3D,MAAM,qBAAqB,GAAG,EAAE,CAAC;AAEjC,mDAAmD;AACnD,MAAM,SAAS,GAAG,kBAAkB,CAAC;AAErC,wCAAwC;AACxC,MAAM,qBAAqB,GAAG,MAAM,CAAC;AAErC,mEAAmE;AAEnE,MAAM,OAAO,aAAa;IACP,OAAO,CAAuB;IAC9B,MAAM,CAAgB;IACtB,GAAG,CAAwB;IACpC,cAAc,GAA0C,IAAI,CAAC;IAC7D,UAAU,GAAmC,EAAE,CAAC;IAExD,YAAY,MAAqB,EAAE,MAA8B;QAC/D,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,GAAG,GAAG,MAAM,IAAI,CAAC,CAAC,GAAW,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,aAAa,GAAG,EAAE,CAAC,CAAC,CAAC;QAEzE,IAAI,CAAC,OAAO,GAAG,IAAI,oBAAoB,CAAC;YACtC,OAAO,EAAE,MAAM,CAAC,UAAU;YAC1B,GAAG,EAAE,MAAM,CAAC,GAAG;YACf,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,YAAY,EAAE,MAAM,CAAC,YAAY;SAClC,CAAC,CAAC;IACL,CAAC;IAEO,WAAW,GAAyB,IAAI,CAAC;IAEjD,iEAAiE;IAEjE;;;OAGG;IACH,KAAK,CAAC,UAAU;QACd,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;YACtB,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC,aAAa,EAAE,CAAC;QAC1C,CAAC;QACD,OAAO,IAAI,CAAC,WAAW,CAAC;IAC1B,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,iBAAiB;QACrB,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC;IAC1B,CAAC;IAEO,KAAK,CAAC,aAAa;QACzB,wEAAwE;QACxE,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,YAAY,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,aAAa,EAAE,CAAC;YAC5D,MAAM,KAAK,GAAG,MAAM,gBAAgB,EAAE,CAAC;YACvC,IAAI,KAAK,EAAE,CAAC;gBACV,IAAI,CAAC,MAAM,CAAC,YAAY,GAAG,KAAK,CAAC,YAAY,CAAC;gBAC9C,IAAI,CAAC,MAAM,CAAC,aAAa,GAAG,KAAK,CAAC,aAAa,CAAC;gBAChD,IAAI,CAAC,UAAU,GAAG,KAAK,CAAC,UAAU,CAAC;gBACnC,IAAI,CAAC,GAAG,CAAC,kCAAkC,CAAC,CAAC;YAC/C,CAAC;QACH,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,GAAG,CAAC,iCAAiC,CAAC,CAAC;QAC9C,CAAC;QAED,2BAA2B;QAC3B,IAAI,CAAC,cAAc,EAAE,CAAC;IACxB,CAAC;IAED,+CAA+C;IAC/C,OAAO;QACL,IAAI,IAAI,CAAC,cAAc,EAAE,CAAC;YACxB,aAAa,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;YACnC,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC;QAC7B,CAAC;IACH,CAAC;IAED,iEAAiE;IAEjE;;;OAGG;IACH,KAAK,CAAC,eAAe,CAAC,OAAwB;QAC5C,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,aAAa,EAAE,CAAC;YAC/B,OAAO;gBACL,QAAQ,EAAE,UAAU;gBACpB,MAAM,EAAE,uCAAuC;gBAC/C,SAAS,EAAE,EAAE;aACd,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,CAAC;YAC9B,OAAO;gBACL,QAAQ,EAAE,UAAU;gBACpB,MAAM,EAAE,6CAA6C;gBACrD,SAAS,EAAE,EAAE;aACd,CAAC;QACJ,CAAC;QAED,+DAA+D;QAC/D,MAAM,gBAAgB,GAAG,IAAI,CAAC,SAAS,CAAC;YACtC,UAAU,EAAE,OAAO,CAAC,UAAU;YAC9B,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,OAAO,EAAE,OAAO,CAAC,OAAO,IAAI,EAAE;YAC9B,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,aAAa;YACpC,MAAM,EAAE,SAAS;YACjB,UAAU,EAAE;gBACV,2BAA2B,EAAE;oBAC3B,OAAO,EAAE,CAAC;oBACV,OAAO,EAAE;wBACP,EAAE,EAAE,EAAE,SAAS,EAAE,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,SAAS,EAAE,QAAQ,EAAE,SAAS,EAAE;wBAC5E,EAAE,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE;qBACzE;iBACF;aACF;SACF,CAAC,CAAC;QAEH,IAAI,SAAiB,CAAC;QACtB,IAAI,CAAC;YACH,SAAS,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,wBAAwB,CAAC;gBACtD,UAAU,EAAE,IAAI,CAAC,MAAM,CAAC,UAAU;gBAClC,YAAY,EAAE,gBAAgB;gBAC9B,gBAAgB;gBAChB,sBAAsB,EAAE,IAAI,CAAC,MAAM,CAAC,aAAa;gBACjD,QAAQ,EAAE;oBACR,aAAa,EAAE,IAAI,CAAC,MAAM,CAAC,aAAa;oBACxC,YAAY,EAAE,IAAI,CAAC,MAAM,CAAC,YAAY;oBACtC,YAAY,EAAE,OAAO,CAAC,UAAU,KAAK,kBAAkB,CAAC,CAAC,CAAC,kBAAkB,CAAC,CAAC,CAAC,cAAc;iBAC9F;aACF,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,MAAM,IAAI,CAAC,iBAAiB,CAAC,GAAG,CAAC,CAAC;QAC3C,CAAC;QAED,IAAI,CAAC,GAAG,CAAC,uBAAuB,SAAS,EAAE,CAAC,CAAC;QAE7C,+BAA+B;QAC/B,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,OAAO,SAAS,EAAE,EAAE,SAAS,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;QAEtE,OAAO,IAAI,CAAC,YAAY,CAAC,SAAS,CAAC,CAAC;IACtC,CAAC;IAED;;;OAGG;IACK,KAAK,CAAC,YAAY,CAAC,SAAiB;QAC1C,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC;QACpD,IAAI,SAAS,GAAG,CAAC,CAAC;QAElB,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,QAAQ,EAAE,CAAC;YAC7B,SAAS,EAAE,CAAC;YACZ,MAAM,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC;YAC/D,MAAM,aAAa,GAAG,IAAI,CAAC,GAAG,CAAC,qBAAqB,EAAE,YAAY,CAAC,CAAC;YACpE,IAAI,aAAa,IAAI,CAAC;gBAAE,MAAM;YAE9B,IAAI,CAAC;gBACH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,eAAe,CAAC,SAAS,EAAE,aAAa,CAAC,CAAC;gBAE9E,IAAI,CAAC,QAAQ,EAAE,CAAC;oBACd,0CAA0C;oBAC1C,SAAS;gBACX,CAAC;gBAED,MAAM,QAAQ,GAAG,IAAI,CAAC,aAAa,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;gBACzD,IAAI,QAAQ;oBAAE,OAAO,QAAQ,CAAC;YAChC,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,IAAI,GAAG,YAAY,mBAAmB,EAAE,CAAC;oBACvC,IAAI,GAAG,CAAC,UAAU,KAAK,GAAG,EAAE,CAAC;wBAC3B,IAAI,CAAC,GAAG,CAAC,qCAAqC,CAAC,CAAC;wBAChD,SAAS;oBACX,CAAC;oBACD,IAAI,CAAC,GAAG,CAAC,oBAAoB,GAAG,CAAC,UAAU,MAAM,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;gBAClE,CAAC;qBAAM,CAAC;oBACN,IAAI,CAAC,GAAG,CAAC,eAAe,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;gBAC9E,CAAC;YACH,CAAC;QACH,CAAC;QAED,0CAA0C;QAC1C,IAAI,CAAC,GAAG,CAAC,4BAA4B,IAAI,CAAC,MAAM,CAAC,SAAS,OAAO,SAAS,SAAS,CAAC,CAAC;QACrF,IAAI,CAAC,OAAO,CAAC,gBAAgB,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;QAEzD,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,SAAS,EAAE,CAAC;IAC5C,CAAC;IAED,iEAAiE;IAEjE;;;;;OAKG;IACH,KAAK,CAAC,WAAW;QACf,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,uBAAuB,CACrD,IAAI,CAAC,MAAM,CAAC,UAAU,EACtB,IAAI,CAAC,MAAM,CAAC,UAAU,CACvB,CAAC;YACF,IAAI,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACtC,IAAI,CAAC,GAAG,CAAC,eAAe,IAAI,CAAC,IAAI,CAAC,MAAM,kBAAkB,CAAC,CAAC;gBAC5D,OAAO,IAAI,CAAC;YACd,CAAC;YACD,OAAO,KAAK,CAAC;QACf,CAAC;QAAC,MAAM,CAAC;YACP,qEAAqE;YACrE,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED,kEAAkE;IAElE,iCAAiC;IACjC,2BAA2B;IAE3B;;;;;;;;;;OAUG;IACH,KAAK,CAAC,YAAY;QAChB,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,YAAY,EAAE,CAAC;YACjD,OAAO,EAAE,MAAM,EAAE,MAAuB,EAAE,CAAC;QAC7C,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,GAAG,YAAY,mBAAmB,EAAE,CAAC;gBACvC,MAAM,IAAI,GAAG,GAAG,CAAC,SAAS,IAAI,EAAE,CAAC;gBACjC,IACE,IAAI,KAAK,sBAAsB;oBAC/B,IAAI,KAAK,qBAAqB;oBAC9B,IAAI,KAAK,oBAAoB,EAC7B,CAAC;oBACD,sDAAsD;oBACtD,IAAI,UAA8B,CAAC;oBACnC,IAAI,OAA2B,CAAC;oBAChC,IAAI,CAAC;wBACH,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,YAAY,IAAI,IAAI,CAAC,CAAC;wBAClD,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC;wBAC7B,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC;oBACzB,CAAC;oBAAC,MAAM,CAAC;wBACP,sBAAsB;oBACxB,CAAC;oBACD,OAAO;wBACL,MAAM,EAAE,IAAI,KAAK,sBAAsB;4BACrC,CAAC,CAAC,UAAU;4BACZ,CAAC,CAAC,IAAI,KAAK,qBAAqB;gCAC9B,CAAC,CAAC,SAAS;gCACX,CAAC,CAAC,QAAQ;wBACd,OAAO,EAAE,OAAO,IAAI,GAAG,CAAC,OAAO;wBAC/B,UAAU;qBACX,CAAC;gBACJ,CAAC;YACH,CAAC;YACD,+BAA+B;YAC/B,MAAM,GAAG,CAAC;QACZ,CAAC;IACH,CAAC;IAED,iEAAiE;IAEjE,wDAAwD;IACxD,KAAK,CAAC,WAAW;QACf,IAAI,CAAC;YACH,MAAM,IAAI,GAAiB,MAAM,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;YACrD,OAAO;gBACL,SAAS,EAAE,IAAI;gBACf,UAAU,EAAE,IAAI,CAAC,MAAM,CAAC,UAAU;gBAClC,UAAU,EAAE,IAAI,CAAC,GAAG;aACrB,CAAC;QACJ,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO;gBACL,SAAS,EAAE,KAAK;gBAChB,UAAU,EAAE,IAAI,CAAC,MAAM,CAAC,UAAU;gBAClC,KAAK,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;aACxD,CAAC;QACJ,CAAC;IACH,CAAC;IAED,iEAAiE;IAEjE;;;OAGG;IACH,KAAK,CAAC,iBAAiB,CAAC,SAAiB;QAKvC,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,iBAAiB,CAAC,SAAS,CAAC,CAAC;QAC7D,OAAO;YACL,KAAK,EAAE,IAAI,CAAC,IAAI,EAAE,KAAK,IAAI,SAAS;YACpC,SAAS,EAAE,IAAI,CAAC,IAAI,EAAE,SAAS;YAC/B,SAAS,EAAE,IAAI,CAAC,IAAI,EAAE,SAAS;SAChC,CAAC;IACJ,CAAC;IAED,iEAAiE;IAEjE,iFAAiF;IACzE,cAAc;QACpB,IAAI,IAAI,CAAC,cAAc;YAAE,OAAO;QAEhC,MAAM,aAAa,GAAG,GAAG,EAAE;YACzB,IAAI,CAAC,OAAO,CAAC,aAAa,CAAC;gBACzB,UAAU,EAAE,IAAI,CAAC,MAAM,CAAC,UAAU;gBAClC,aAAa,EAAE,IAAI,CAAC,MAAM,CAAC,aAAa;gBACxC,aAAa,EAAE,UAAU;aAC1B,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE;gBACZ,2BAA2B;YAC7B,CAAC,CAAC,CAAC;QACL,CAAC,CAAC;QAEF,+CAA+C;QAC/C,aAAa,EAAE,CAAC;QAChB,IAAI,CAAC,cAAc,GAAG,WAAW,CAAC,aAAa,EAAE,qBAAqB,CAAC,CAAC;QAExE,+CAA+C;QAC/C,IAAI,IAAI,CAAC,cAAc,IAAI,OAAO,IAAI,CAAC,cAAc,KAAK,QAAQ,IAAI,OAAO,IAAI,IAAI,CAAC,cAAc,EAAE,CAAC;YACrG,IAAI,CAAC,cAAc,CAAC,KAAK,EAAE,CAAC;QAC9B,CAAC;IACH,CAAC;IAED,iEAAiE;IAEjE;;;;;;;OAOG;IACH,KAAK,CAAC,YAAY,CAAC,IAAY;QAK7B,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,CAAC;QACnD,MAAM,QAAQ,GAAG,YAAY,UAAU,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC;QAExD,gDAAgD;QAChD,MAAM,OAAO,GAAG,qBAAqB,EAAE,CAAC;QAExC,IAAI,CAAC,GAAG,CAAC,0BAA0B,IAAI,EAAE,CAAC,CAAC;QAE3C,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,YAAY,CAAC;YAC5C,WAAW,EAAE,IAAI;YACjB,QAAQ;YACR,UAAU,EAAE,IAAI,CAAC,MAAM,CAAC,UAAU;YAClC,aAAa,EAAE,UAAU;YACzB,aAAa,EAAE,IAAI,CAAC,MAAM,CAAC,aAAa;YACxC,eAAe,EAAE,OAAO,CAAC,SAAS;SACnC,CAAC,CAAC;QAEH,IAAI,CAAC,GAAG,CAAC,4BAA4B,KAAK,CAAC,YAAY,aAAa,KAAK,CAAC,SAAS,EAAE,CAAC,CAAC;QAEvF,sBAAsB;QACtB,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,SAAS;QACvD,MAAM,YAAY,GAAG,IAAI,CAAC;QAE1B,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,QAAQ,EAAE,CAAC;YAC7B,MAAM,IAAI,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC,CAAC;YAEtD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,gBAAgB,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC;YAEvE,IAAI,MAAM,CAAC,KAAK,KAAK,SAAS,EAAE,CAAC;gBAC/B,MAAM,IAAI,KAAK,CAAC,yDAAyD,CAAC,CAAC;YAC7E,CAAC;YAED,IAAI,MAAM,CAAC,KAAK,KAAK,WAAW,EAAE,CAAC;gBACjC,SAAS;YACX,CAAC;YAED,IAAI,CAAC,MAAM,CAAC,YAAY,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,CAAC;gBACjD,MAAM,IAAI,KAAK,CAAC,8EAA8E,CAAC,CAAC;YAClG,CAAC;YAED,qEAAqE;YACrE,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;YAEjD,+CAA+C;YAC/C,IAAI,CAAC,QAAQ,CAAC,eAAe,EAAE,CAAC;gBAC9B,MAAM,IAAI,KAAK,CAAC,yEAAyE,CAAC,CAAC;YAC7F,CAAC;YAED,MAAM,aAAa,GAAG,eAAe,CAAC,OAAO,CAAC,UAAU,EAAE,QAAQ,CAAC,eAAe,CAAC,CAAC;YAEpF,qEAAqE;YACrE,MAAM,UAAU,GAAmC,EAAE,CAAC;YACtD,IAAI,QAAQ,CAAC,WAAW,IAAI,QAAQ,CAAC,SAAS,EAAE,CAAC;gBAC/C,UAAU,CAAC,QAAQ,CAAC,WAAW,CAAC,GAAG;oBACjC,SAAS,EAAE,QAAQ,CAAC,SAAS;oBAC7B,QAAQ,EAAE,QAAQ,CAAC,QAAQ,IAAI,QAAQ;iBACxC,CAAC;YACJ,CAAC;YAED,uBAAuB;YACvB,IAAI,CAAC,MAAM,CAAC,YAAY,GAAG,MAAM,CAAC,YAAY,CAAC;YAC/C,IAAI,CAAC,MAAM,CAAC,aAAa,GAAG,aAAa,CAAC;YAC1C,IAAI,CAAC,UAAU,GAAG,UAAU,CAAC;YAE7B,wBAAwB;YACxB,MAAM,gBAAgB,CAAC;gBACrB,YAAY,EAAE,MAAM,CAAC,YAAY;gBACjC,aAAa;gBACb,UAAU;gBACV,QAAQ,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;gBAClC,YAAY,EAAE,KAAK,CAAC,YAAY;aACjC,CAAC,CAAC;YAEH,IAAI,CAAC,GAAG,CAAC,gDAAgD,CAAC,CAAC;YAE3D,OAAO;gBACL,YAAY,EAAE,MAAM,CAAC,YAAY;gBACjC,aAAa;gBACb,YAAY,EAAE,KAAK,CAAC,YAAY;aACjC,CAAC;QACJ,CAAC;QAED,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;IAChE,CAAC;IAED,iEAAiE;IAEzD,aAAa,CACnB,QAAiC,EACjC,SAAiB;QAEjB,MAAM,IAAI,GAAG,QAAQ,CAAC,IAAI,CAAC;QAC3B,IAAI,CAAC,IAAI;YAAE,OAAO,IAAI,CAAC;QAEvB,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;QACtD,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,KAAK,QAAQ;YAAE,OAAO,IAAI,CAAC;QAEvD,2DAA2D;QAC3D,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,CAAC;QACrC,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC;QACjC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC;QACzB,MAAM,YAAY,GAAG,IAAI,CAAC,YAAY,CAAC;QAEvC,IAAI,SAAS,IAAI,WAAW,IAAI,KAAK,IAAI,YAAY,EAAE,CAAC;YACtD,MAAM,QAAQ,GAAG,uBAAuB,CACtC,IAAI,CAAC,UAAU,EACf,YAAY,EACZ,GAAG,EACH,KAAK,EACL,SAAS,EACT,WAAW,CACZ,CAAC;YACF,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACd,IAAI,CAAC,GAAG,CAAC,0DAA0D,WAAW,EAAE,CAAC,CAAC;gBAClF,OAAO,IAAI,CAAC,CAAC,gCAAgC;YAC/C,CAAC;YACD,IAAI,CAAC,GAAG,CAAC,+BAA+B,CAAC,CAAC;QAC5C,CAAC;QAED,OAAO;YACL,QAAQ,EAAE,GAAG,KAAK,SAAS,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,UAAU;YACrD,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,SAAS;SACV,CAAC;IACJ,CAAC;IAEO,KAAK,CAAC,iBAAiB,CAAC,GAAY;QAC1C,IAAI,GAAG,YAAY,mBAAmB,EAAE,CAAC;YACvC,yCAAyC;YACzC,IAAI,GAAG,CAAC,UAAU,KAAK,GAAG,EAAE,CAAC;gBAC3B,MAAM,IAAI,GAAG,GAAG,CAAC,SAAS,IAAI,EAAE,CAAC;gBACjC,IAAI,IAAI,KAAK,iBAAiB,IAAI,IAAI,KAAK,aAAa,EAAE,CAAC;oBACzD,MAAM,IAAI,CAAC,iBAAiB,EAAE,CAAC;gBACjC,CAAC;gBACD,OAAO;oBACL,QAAQ,EAAE,UAAU;oBACpB,MAAM,EAAE,kBAAkB,IAAI,IAAI,WAAW,6BAA6B;oBAC1E,SAAS,EAAE,EAAE;iBACd,CAAC;YACJ,CAAC;YAED,mDAAmD;YACnD,IAAI,GAAG,CAAC,UAAU,KAAK,GAAG,EAAE,CAAC;gBAC3B,MAAM,IAAI,GAAG,GAAG,CAAC,SAAS,IAAI,EAAE,CAAC;gBACjC,IAAI,IAAI,KAAK,aAAa,EAAE,CAAC;oBAC3B,MAAM,IAAI,CAAC,iBAAiB,EAAE,CAAC;oBAC/B,OAAO;wBACL,QAAQ,EAAE,UAAU;wBACpB,MAAM,EAAE,yEAAyE;wBACjF,SAAS,EAAE,EAAE;qBACd,CAAC;gBACJ,CAAC;gBACD,OAAO;oBACL,QAAQ,EAAE,UAAU;oBACpB,MAAM,EAAE,qBAAqB,GAAG,CAAC,OAAO,EAAE;oBAC1C,SAAS,EAAE,EAAE;iBACd,CAAC;YACJ,CAAC;YAED,uBAAuB;YACvB,IAAI,GAAG,CAAC,UAAU,KAAK,GAAG,EAAE,CAAC;gBAC3B,OAAO;oBACL,QAAQ,EAAE,UAAU;oBACpB,MAAM,EAAE,kCAAkC;oBAC1C,SAAS,EAAE,EAAE;iBACd,CAAC;YACJ,CAAC;QACH,CAAC;QAED,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC7D,OAAO;YACL,QAAQ,EAAE,UAAU;YACpB,MAAM,EAAE,kBAAkB,GAAG,EAAE;YAC/B,SAAS,EAAE,EAAE;SACd,CAAC;IACJ,CAAC;IAED,gDAAgD;IACxC,KAAK,CAAC,iBAAiB;QAC7B,IAAI,CAAC,MAAM,CAAC,YAAY,GAAG,SAAS,CAAC;QACrC,IAAI,CAAC,MAAM,CAAC,aAAa,GAAG,SAAS,CAAC;QACtC,IAAI,CAAC,UAAU,GAAG,EAAE,CAAC;QACrB,MAAM,iBAAiB,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;QAC1C,IAAI,CAAC,GAAG,CAAC,0CAA0C,CAAC,CAAC;IACvD,CAAC;CACF;AAED,yEAAyE;AACzE,MAAM,UAAU,mBAAmB,CACjC,MAAqB,EACrB,MAA8B;IAE9B,OAAO,IAAI,aAAa,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;AAC3C,CAAC"}

package/dist/commands/airlockStatus.d.ts

@@ -0,0 +1,20 @@
+/**
+ * Command: airlock-status — Diagnostic slash command.
+ *
+ * Shows the current Airlock configuration, gateway connectivity,
+ * pairing status, and enforcement settings.
+ */
+import type { AirlockClient } from "../client.js";
+import type { AirlockConfig } from "../config.js";
+/** Command definition for OpenClaw registration. */
+export declare const airlockStatusCommandDef: {
+    name: string;
+    description: string;
+};
+/**
+ * Register the /airlock-status command with the OpenClaw plugin API.
+ */
+export declare function registerAirlockStatusCommand(api: {
+    registerCommand: (def: unknown, handler: () => Promise<string>) => void;
+}, client: AirlockClient, config: AirlockConfig): void;
+//# sourceMappingURL=airlockStatus.d.ts.map

package/dist/commands/airlockStatus.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"airlockStatus.d.ts","sourceRoot":"","sources":["../../src/commands/airlockStatus.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAClD,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAGlD,oDAAoD;AACpD,eAAO,MAAM,uBAAuB;;;CAGnC,CAAC;AAEF;;GAEG;AACH,wBAAgB,4BAA4B,CAC1C,GAAG,EAAE;IAAE,eAAe,EAAE,CAAC,GAAG,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,OAAO,CAAC,MAAM,CAAC,KAAK,IAAI,CAAA;CAAE,EAChF,MAAM,EAAE,aAAa,EACrB,MAAM,EAAE,aAAa,GACpB,IAAI,CAiCN"}