pairpod-bot 0.1.0

package/dist/targets/docker.js

@@ -0,0 +1,14 @@
+import { execInContainer, attachExec } from "../docker.js";
+export class DockerTarget {
+    ref;
+    constructor(ref) {
+        this.ref = ref;
+    }
+    exec(cmd) {
+        return execInContainer(this.ref, cmd);
+    }
+    openPty(cmd, cols, rows) {
+        return attachExec(this.ref, cmd, cols, rows);
+    }
+}
+//# sourceMappingURL=docker.js.map

package/dist/targets/docker.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"docker.js","sourceRoot":"","sources":["../../src/targets/docker.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAG3D,MAAM,OAAO,YAAY;IACM;IAA7B,YAA6B,GAAW;QAAX,QAAG,GAAH,GAAG,CAAQ;IAAG,CAAC;IAE5C,IAAI,CAAC,GAAa;QAChB,OAAO,eAAe,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;IACxC,CAAC;IAED,OAAO,CAAC,GAAa,EAAE,IAAY,EAAE,IAAY;QAC/C,OAAO,UAAU,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;IAC/C,CAAC;CACF"}

package/dist/targets/index.d.ts

@@ -0,0 +1,4 @@
+import type { PodTarget } from "./types.js";
+import type { PodRow } from "../store.js";
+export declare function targetForPod(p: PodRow): PodTarget;
+export declare function disposeTarget(podId: string): Promise<void>;

package/dist/targets/index.js

@@ -0,0 +1,33 @@
+import { getDb } from "../db.js";
+import { DockerTarget } from "./docker.js";
+import { SshTarget } from "./ssh.js";
+const sshPool = new Map();
+export function targetForPod(p) {
+    if (p.kind !== "ssh")
+        return new DockerTarget(`pairpod-${p.id}`);
+    let target = sshPool.get(p.id);
+    if (!target) {
+        target = new SshTarget({
+            host: p.ssh_host,
+            port: p.ssh_port ?? 22,
+            username: p.ssh_user,
+            auth: p.ssh_auth,
+            keyPath: p.ssh_key_path ?? undefined,
+            vaultRef: p.ssh_vault_ref ?? undefined,
+            hostFingerprint: p.host_fingerprint ?? undefined,
+            onFingerprint: (fp) => {
+                getDb().prepare("UPDATE pods SET host_fingerprint = ? WHERE id = ?").run(fp, p.id);
+            },
+        });
+        sshPool.set(p.id, target);
+    }
+    return target;
+}
+export async function disposeTarget(podId) {
+    const target = sshPool.get(podId);
+    if (target) {
+        await target.dispose();
+        sshPool.delete(podId);
+    }
+}
+//# sourceMappingURL=index.js.map

package/dist/targets/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/targets/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,UAAU,CAAC;AACjC,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAE3C,OAAO,EAAE,SAAS,EAAgB,MAAM,UAAU,CAAC;AAGnD,MAAM,OAAO,GAAG,IAAI,GAAG,EAAqB,CAAC;AAE7C,MAAM,UAAU,YAAY,CAAC,CAAS;IACpC,IAAI,CAAC,CAAC,IAAI,KAAK,KAAK;QAAE,OAAO,IAAI,YAAY,CAAC,WAAW,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IACjE,IAAI,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;IAC/B,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,GAAG,IAAI,SAAS,CAAC;YACrB,IAAI,EAAE,CAAC,CAAC,QAAkB;YAC1B,IAAI,EAAE,CAAC,CAAC,QAAQ,IAAI,EAAE;YACtB,QAAQ,EAAE,CAAC,CAAC,QAAkB;YAC9B,IAAI,EAAE,CAAC,CAAC,QAAmB;YAC3B,OAAO,EAAE,CAAC,CAAC,YAAY,IAAI,SAAS;YACpC,QAAQ,EAAE,CAAC,CAAC,aAAa,IAAI,SAAS;YACtC,eAAe,EAAE,CAAC,CAAC,gBAAgB,IAAI,SAAS;YAChD,aAAa,EAAE,CAAC,EAAE,EAAE,EAAE;gBACpB,KAAK,EAAE,CAAC,OAAO,CAAC,mDAAmD,CAAC,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC;YACrF,CAAC;SACF,CAAC,CAAC;QACH,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC;IAC5B,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,KAAa;IAC/C,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IAClC,IAAI,MAAM,EAAE,CAAC;QACX,MAAM,MAAM,CAAC,OAAO,EAAE,CAAC;QACvB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACxB,CAAC;AACH,CAAC"}

package/dist/targets/ssh.d.ts

@@ -0,0 +1,25 @@
+import type { PodTarget, ExecResult, PtySession } from "./types.js";
+export type SshAuth = "agent" | "key_path" | "vault";
+export interface SshConnInfo {
+    host: string;
+    port: number;
+    username: string;
+    auth: SshAuth;
+    keyPath?: string;
+    vaultRef?: string;
+    hostFingerprint?: string;
+    onFingerprint?: (fingerprint: string) => void;
+}
+export declare function shellQuote(arg: string): string;
+export declare function shellJoin(cmd: string[]): string;
+export declare class SshTarget implements PodTarget {
+    private readonly info;
+    private client;
+    private connecting;
+    constructor(info: SshConnInfo);
+    private buildConfig;
+    private connect;
+    exec(cmd: string[]): Promise<ExecResult>;
+    openPty(cmd: string[], cols: number, rows: number): Promise<PtySession>;
+    dispose(): Promise<void>;
+}

package/dist/targets/ssh.js

@@ -0,0 +1,121 @@
+import fs from "node:fs";
+import crypto from "node:crypto";
+import { Client } from "ssh2";
+import { vaultGet } from "../vault.js";
+export function shellQuote(arg) {
+    return `'${arg.replace(/'/g, `'\\''`)}'`;
+}
+export function shellJoin(cmd) {
+    return cmd.map(shellQuote).join(" ");
+}
+function fingerprintOf(hostKey) {
+    return "SHA256:" + crypto.createHash("sha256").update(hostKey).digest("base64").replace(/=+$/, "");
+}
+export class SshTarget {
+    info;
+    client = null;
+    connecting = null;
+    constructor(info) {
+        this.info = info;
+    }
+    buildConfig() {
+        const cfg = {
+            host: this.info.host,
+            port: this.info.port,
+            username: this.info.username,
+            keepaliveInterval: 15000,
+            hostVerifier: (hostKey) => {
+                const fp = fingerprintOf(hostKey);
+                if (this.info.hostFingerprint)
+                    return fp === this.info.hostFingerprint;
+                this.info.onFingerprint?.(fp);
+                return true;
+            },
+        };
+        if (this.info.auth === "agent") {
+            cfg.agent = process.env.SSH_AUTH_SOCK;
+        }
+        else if (this.info.auth === "key_path") {
+            cfg.privateKey = fs.readFileSync(this.info.keyPath);
+            if (this.info.vaultRef) {
+                const secret = JSON.parse(vaultGet(this.info.vaultRef));
+                if (secret.passphrase)
+                    cfg.passphrase = secret.passphrase;
+            }
+        }
+        else {
+            const secret = JSON.parse(vaultGet(this.info.vaultRef));
+            cfg.privateKey = secret.privateKey;
+            if (secret.passphrase)
+                cfg.passphrase = secret.passphrase;
+        }
+        return cfg;
+    }
+    connect() {
+        if (this.client)
+            return Promise.resolve(this.client);
+        if (this.connecting)
+            return this.connecting;
+        this.connecting = new Promise((resolve, reject) => {
+            const conn = new Client();
+            conn.on("ready", () => {
+                this.client = conn;
+                resolve(conn);
+            });
+            conn.on("error", (e) => {
+                this.connecting = null;
+                reject(e);
+            });
+            conn.on("close", () => {
+                this.client = null;
+                this.connecting = null;
+            });
+            conn.connect(this.buildConfig());
+        });
+        return this.connecting;
+    }
+    async exec(cmd) {
+        const conn = await this.connect();
+        return new Promise((resolve, reject) => {
+            conn.exec(shellJoin(cmd), (err, stream) => {
+                if (err)
+                    return reject(err);
+                let stdout = "";
+                let stderr = "";
+                stream.on("data", (d) => {
+                    stdout += d.toString();
+                });
+                stream.stderr.on("data", (d) => {
+                    stderr += d.toString();
+                });
+                stream.on("close", (code) => {
+                    resolve({ stdout, stderr, exitCode: code ?? 0 });
+                });
+                stream.on("error", reject);
+            });
+        });
+    }
+    async openPty(cmd, cols, rows) {
+        const conn = await this.connect();
+        return new Promise((resolve, reject) => {
+            conn.exec(shellJoin(cmd), { pty: { cols, rows, term: "xterm-256color" } }, (err, stream) => {
+                if (err)
+                    return reject(err);
+                resolve({
+                    stream: stream,
+                    resize: (c, r) => {
+                        stream.setWindow(r, c, 0, 0);
+                    },
+                });
+            });
+        });
+    }
+    async dispose() {
+        if (this.client) {
+            this.client.end();
+            this.client = null;
+        }
+        this.connecting = null;
+    }
+}
+//# sourceMappingURL=ssh.js.map

package/dist/targets/ssh.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ssh.js","sourceRoot":"","sources":["../../src/targets/ssh.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,MAAM,MAAM,aAAa,CAAC;AAEjC,OAAO,EAAE,MAAM,EAAE,MAAM,MAAM,CAAC;AAG9B,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAevC,MAAM,UAAU,UAAU,CAAC,GAAW;IACpC,OAAO,IAAI,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,GAAG,CAAC;AAC3C,CAAC;AAED,MAAM,UAAU,SAAS,CAAC,GAAa;IACrC,OAAO,GAAG,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AACvC,CAAC;AAED,SAAS,aAAa,CAAC,OAAe;IACpC,OAAO,SAAS,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;AACrG,CAAC;AAED,MAAM,OAAO,SAAS;IAIS;IAHrB,MAAM,GAAkB,IAAI,CAAC;IAC7B,UAAU,GAA2B,IAAI,CAAC;IAElD,YAA6B,IAAiB;QAAjB,SAAI,GAAJ,IAAI,CAAa;IAAG,CAAC;IAE1C,WAAW;QACjB,MAAM,GAAG,GAAkB;YACzB,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,IAAI;YACpB,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,IAAI;YACpB,QAAQ,EAAE,IAAI,CAAC,IAAI,CAAC,QAAQ;YAC5B,iBAAiB,EAAE,KAAK;YACxB,YAAY,EAAE,CAAC,OAAe,EAAE,EAAE;gBAChC,MAAM,EAAE,GAAG,aAAa,CAAC,OAAO,CAAC,CAAC;gBAClC,IAAI,IAAI,CAAC,IAAI,CAAC,eAAe;oBAAE,OAAO,EAAE,KAAK,IAAI,CAAC,IAAI,CAAC,eAAe,CAAC;gBACvE,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,CAAC,EAAE,CAAC,CAAC;gBAC9B,OAAO,IAAI,CAAC;YACd,CAAC;SACF,CAAC;QACF,IAAI,IAAI,CAAC,IAAI,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;YAC/B,GAAG,CAAC,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC;QACxC,CAAC;aAAM,IAAI,IAAI,CAAC,IAAI,CAAC,IAAI,KAAK,UAAU,EAAE,CAAC;YACzC,GAAG,CAAC,UAAU,GAAG,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,OAAiB,CAAC,CAAC;YAC9D,IAAI,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACvB,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,CAA4B,CAAC;gBACnF,IAAI,MAAM,CAAC,UAAU;oBAAE,GAAG,CAAC,UAAU,GAAG,MAAM,CAAC,UAAU,CAAC;YAC5D,CAAC;QACH,CAAC;aAAM,CAAC;YACN,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,QAAkB,CAAC,CAG/D,CAAC;YACF,GAAG,CAAC,UAAU,GAAG,MAAM,CAAC,UAAU,CAAC;YACnC,IAAI,MAAM,CAAC,UAAU;gBAAE,GAAG,CAAC,UAAU,GAAG,MAAM,CAAC,UAAU,CAAC;QAC5D,CAAC;QACD,OAAO,GAAG,CAAC;IACb,CAAC;IAEO,OAAO;QACb,IAAI,IAAI,CAAC,MAAM;YAAE,OAAO,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACrD,IAAI,IAAI,CAAC,UAAU;YAAE,OAAO,IAAI,CAAC,UAAU,CAAC;QAC5C,IAAI,CAAC,UAAU,GAAG,IAAI,OAAO,CAAS,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YACxD,MAAM,IAAI,GAAG,IAAI,MAAM,EAAE,CAAC;YAC1B,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE;gBACpB,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC;gBACnB,OAAO,CAAC,IAAI,CAAC,CAAC;YAChB,CAAC,CAAC,CAAC;YACH,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC,EAAE,EAAE;gBACrB,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC;gBACvB,MAAM,CAAC,CAAC,CAAC,CAAC;YACZ,CAAC,CAAC,CAAC;YACH,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE;gBACpB,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC;gBACnB,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC;YACzB,CAAC,CAAC,CAAC;YACH,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC;QACnC,CAAC,CAAC,CAAC;QACH,OAAO,IAAI,CAAC,UAAU,CAAC;IACzB,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,GAAa;QACtB,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;QAClC,OAAO,IAAI,OAAO,CAAa,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YACjD,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,EAAE;gBACxC,IAAI,GAAG;oBAAE,OAAO,MAAM,CAAC,GAAG,CAAC,CAAC;gBAC5B,IAAI,MAAM,GAAG,EAAE,CAAC;gBAChB,IAAI,MAAM,GAAG,EAAE,CAAC;gBAChB,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,CAAS,EAAE,EAAE;oBAC9B,MAAM,IAAI,CAAC,CAAC,QAAQ,EAAE,CAAC;gBACzB,CAAC,CAAC,CAAC;gBACH,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,CAAS,EAAE,EAAE;oBACrC,MAAM,IAAI,CAAC,CAAC,QAAQ,EAAE,CAAC;gBACzB,CAAC,CAAC,CAAC;gBACH,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,IAAmB,EAAE,EAAE;oBACzC,OAAO,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,IAAI,IAAI,CAAC,EAAE,CAAC,CAAC;gBACnD,CAAC,CAAC,CAAC;gBACH,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;YAC7B,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,GAAa,EAAE,IAAY,EAAE,IAAY;QACrD,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;QAClC,OAAO,IAAI,OAAO,CAAa,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YACjD,IAAI,CAAC,IAAI,CACP,SAAS,CAAC,GAAG,CAAC,EACd,EAAE,GAAG,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,gBAAgB,EAAE,EAAE,EAC/C,CAAC,GAAG,EAAE,MAAM,EAAE,EAAE;gBACd,IAAI,GAAG;oBAAE,OAAO,MAAM,CAAC,GAAG,CAAC,CAAC;gBAC5B,OAAO,CAAC;oBACN,MAAM,EAAE,MAA2B;oBACnC,MAAM,EAAE,CAAC,CAAS,EAAE,CAAS,EAAE,EAAE;wBAC/B,MAAM,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC;oBAC/B,CAAC;iBACF,CAAC,CAAC;YACL,CAAC,CACF,CAAC;QACJ,CAAC,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,OAAO;QACX,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChB,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC;YAClB,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC;QACrB,CAAC;QACD,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC;IACzB,CAAC;CACF"}

package/dist/targets/types.d.ts

@@ -0,0 +1,15 @@
+import type { Duplex } from "node:stream";
+export interface ExecResult {
+    stdout: string;
+    stderr: string;
+    exitCode: number;
+}
+export interface PtySession {
+    stream: Duplex;
+    resize(cols: number, rows: number): Promise<void> | void;
+}
+export interface PodTarget {
+    exec(cmd: string[]): Promise<ExecResult>;
+    openPty(cmd: string[], cols: number, rows: number): Promise<PtySession>;
+    dispose?(): Promise<void>;
+}

package/dist/targets/types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=types.js.map

package/dist/targets/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/targets/types.ts"],"names":[],"mappings":""}

package/dist/telegram-auth.d.ts

@@ -0,0 +1,7 @@
+export interface InitDataResult {
+    ok: boolean;
+    userId?: number;
+    username?: string;
+    reason?: string;
+}
+export declare function validateInitData(initData: string, botToken: string, maxAgeSec: number): InitDataResult;

package/dist/telegram-auth.js

@@ -0,0 +1,41 @@
+import crypto from "node:crypto";
+export function validateInitData(initData, botToken, maxAgeSec) {
+    if (!initData)
+        return { ok: false, reason: "empty" };
+    if (!botToken)
+        return { ok: false, reason: "no_token" };
+    const params = new URLSearchParams(initData);
+    const hash = params.get("hash");
+    if (!hash)
+        return { ok: false, reason: "no_hash" };
+    params.delete("hash");
+    const dataCheckString = [...params.entries()]
+        .sort(([a], [b]) => (a < b ? -1 : a > b ? 1 : 0))
+        .map(([k, v]) => `${k}=${v}`)
+        .join("\n");
+    const secretKey = crypto.createHmac("sha256", "WebAppData").update(botToken).digest();
+    const computed = crypto.createHmac("sha256", secretKey).update(dataCheckString).digest("hex");
+    const a = Buffer.from(computed, "hex");
+    const b = Buffer.from(hash, "hex");
+    if (a.length !== b.length || !crypto.timingSafeEqual(a, b)) {
+        return { ok: false, reason: "bad_hash" };
+    }
+    const authDate = Number(params.get("auth_date"));
+    if (maxAgeSec > 0 && authDate > 0) {
+        const ageSec = Date.now() / 1000 - authDate;
+        if (ageSec > maxAgeSec)
+            return { ok: false, reason: "expired" };
+    }
+    let userId;
+    let username;
+    try {
+        const user = JSON.parse(params.get("user") ?? "{}");
+        if (typeof user.id === "number")
+            userId = user.id;
+        if (typeof user.username === "string")
+            username = user.username;
+    }
+    catch { }
+    return { ok: true, userId, username };
+}
+//# sourceMappingURL=telegram-auth.js.map

package/dist/telegram-auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"telegram-auth.js","sourceRoot":"","sources":["../src/telegram-auth.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,aAAa,CAAC;AASjC,MAAM,UAAU,gBAAgB,CAC9B,QAAgB,EAChB,QAAgB,EAChB,SAAiB;IAEjB,IAAI,CAAC,QAAQ;QAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC;IACrD,IAAI,CAAC,QAAQ;QAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC;IAExD,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC,QAAQ,CAAC,CAAC;IAC7C,MAAM,IAAI,GAAG,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IAChC,IAAI,CAAC,IAAI;QAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC;IACnD,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAEtB,MAAM,eAAe,GAAG,CAAC,GAAG,MAAM,CAAC,OAAO,EAAE,CAAC;SAC1C,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;SAChD,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;SAC5B,IAAI,CAAC,IAAI,CAAC,CAAC;IAEd,MAAM,SAAS,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,EAAE,YAAY,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,MAAM,EAAE,CAAC;IACtF,MAAM,QAAQ,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAE9F,MAAM,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;IACvC,MAAM,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;IACnC,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC;QAC3D,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC;IAC3C,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC,CAAC;IACjD,IAAI,SAAS,GAAG,CAAC,IAAI,QAAQ,GAAG,CAAC,EAAE,CAAC;QAClC,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,GAAG,QAAQ,CAAC;QAC5C,IAAI,MAAM,GAAG,SAAS;YAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC;IAClE,CAAC;IAED,IAAI,MAA0B,CAAC;IAC/B,IAAI,QAA4B,CAAC;IACjC,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,IAAI,CAAuC,CAAC;QAC1F,IAAI,OAAO,IAAI,CAAC,EAAE,KAAK,QAAQ;YAAE,MAAM,GAAG,IAAI,CAAC,EAAE,CAAC;QAClD,IAAI,OAAO,IAAI,CAAC,QAAQ,KAAK,QAAQ;YAAE,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC;IAClE,CAAC;IAAC,MAAM,CAAC,CAAA,CAAC;IAEV,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC;AACxC,CAAC"}

package/dist/vault.d.ts

@@ -0,0 +1,4 @@
+export declare function vaultEnabled(): boolean;
+export declare function vaultPut(plaintext: string): string;
+export declare function vaultGet(ref: string): string;
+export declare function vaultRemove(ref: string): void;

package/dist/vault.js

@@ -0,0 +1,57 @@
+import crypto from "node:crypto";
+import fs from "node:fs";
+import path from "node:path";
+import { paths } from "./paths.js";
+const VAULT_DIR = paths.vault;
+function masterKey() {
+    const b64 = process.env.PAIRPOD_VAULT_KEY;
+    if (!b64)
+        return null;
+    const key = Buffer.from(b64, "base64");
+    if (key.length !== 32) {
+        throw new Error("PAIRPOD_VAULT_KEY must decode to 32 bytes (base64)");
+    }
+    return key;
+}
+export function vaultEnabled() {
+    return masterKey() !== null;
+}
+function refPath(ref) {
+    return path.join(VAULT_DIR, `${ref}.json`);
+}
+export function vaultPut(plaintext) {
+    const key = masterKey();
+    if (!key)
+        throw new Error("vault disabled (PAIRPOD_VAULT_KEY unset)");
+    const ref = crypto.randomUUID();
+    const iv = crypto.randomBytes(12);
+    const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
+    const data = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
+    const entry = {
+        iv: iv.toString("base64"),
+        tag: cipher.getAuthTag().toString("base64"),
+        data: data.toString("base64"),
+    };
+    fs.mkdirSync(VAULT_DIR, { recursive: true, mode: 0o700 });
+    fs.writeFileSync(refPath(ref), JSON.stringify(entry), { mode: 0o600 });
+    return ref;
+}
+export function vaultGet(ref) {
+    const key = masterKey();
+    if (!key)
+        throw new Error("vault disabled (PAIRPOD_VAULT_KEY unset)");
+    const entry = JSON.parse(fs.readFileSync(refPath(ref), "utf8"));
+    const decipher = crypto.createDecipheriv("aes-256-gcm", key, Buffer.from(entry.iv, "base64"));
+    decipher.setAuthTag(Buffer.from(entry.tag, "base64"));
+    return Buffer.concat([
+        decipher.update(Buffer.from(entry.data, "base64")),
+        decipher.final(),
+    ]).toString("utf8");
+}
+export function vaultRemove(ref) {
+    try {
+        fs.rmSync(refPath(ref));
+    }
+    catch { }
+}
+//# sourceMappingURL=vault.js.map

package/dist/vault.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"vault.js","sourceRoot":"","sources":["../src/vault.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,aAAa,CAAC;AACjC,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,KAAK,EAAE,MAAM,YAAY,CAAC;AAEnC,MAAM,SAAS,GAAG,KAAK,CAAC,KAAK,CAAC;AAE9B,SAAS,SAAS;IAChB,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC;IAC1C,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IACtB,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;IACvC,IAAI,GAAG,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CAAC,oDAAoD,CAAC,CAAC;IACxE,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,MAAM,UAAU,YAAY;IAC1B,OAAO,SAAS,EAAE,KAAK,IAAI,CAAC;AAC9B,CAAC;AAED,SAAS,OAAO,CAAC,GAAW;IAC1B,OAAO,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,GAAG,GAAG,OAAO,CAAC,CAAC;AAC7C,CAAC;AAED,MAAM,UAAU,QAAQ,CAAC,SAAiB;IACxC,MAAM,GAAG,GAAG,SAAS,EAAE,CAAC;IACxB,IAAI,CAAC,GAAG;QAAE,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;IACtE,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;IAChC,MAAM,EAAE,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;IAClC,MAAM,MAAM,GAAG,MAAM,CAAC,cAAc,CAAC,aAAa,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IAC7D,MAAM,IAAI,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IAC/E,MAAM,KAAK,GAAG;QACZ,EAAE,EAAE,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC;QACzB,GAAG,EAAE,MAAM,CAAC,UAAU,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAC3C,IAAI,EAAE,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC;KAC9B,CAAC;IACF,EAAE,CAAC,SAAS,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAC1D,EAAE,CAAC,aAAa,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IACvE,OAAO,GAAG,CAAC;AACb,CAAC;AAED,MAAM,UAAU,QAAQ,CAAC,GAAW;IAClC,MAAM,GAAG,GAAG,SAAS,EAAE,CAAC;IACxB,IAAI,CAAC,GAAG;QAAE,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;IACtE,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,MAAM,CAAC,CAI7D,CAAC;IACF,MAAM,QAAQ,GAAG,MAAM,CAAC,gBAAgB,CAAC,aAAa,EAAE,GAAG,EAAE,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC,CAAC;IAC9F,QAAQ,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC,CAAC;IACtD,OAAO,MAAM,CAAC,MAAM,CAAC;QACnB,QAAQ,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;QAClD,QAAQ,CAAC,KAAK,EAAE;KACjB,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;AACtB,CAAC;AAED,MAAM,UAAU,WAAW,CAAC,GAAW;IACrC,IAAI,CAAC;QACH,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC;IAC1B,CAAC;IAAC,MAAM,CAAC,CAAA,CAAC;AACZ,CAAC"}