patchrelay 0.1.0

package/dist/stage-lifecycle-publisher.js

@@ -0,0 +1,213 @@
+import { buildAwaitingHandoffComment, buildRunningStatusComment, resolveActiveLinearState, resolveWorkflowLabelCleanup, resolveWorkflowLabelNames, } from "./linear-workflow.js";
+import { sanitizeDiagnosticText } from "./utils.js";
+export class StageLifecyclePublisher {
+    config;
+    stores;
+    linearProvider;
+    logger;
+    constructor(config, stores, linearProvider, logger) {
+        this.config = config;
+        this.stores = stores;
+        this.linearProvider = linearProvider;
+        this.logger = logger;
+    }
+    async markStageActive(project, issue, stageRun) {
+        const activeState = resolveActiveLinearState(project, stageRun.stage);
+        const linear = await this.linearProvider.forProject(stageRun.projectId);
+        if (!activeState || !linear) {
+            return;
+        }
+        await linear.setIssueState(stageRun.linearIssueId, activeState);
+        const labels = resolveWorkflowLabelNames(project, "working");
+        if (labels.add.length > 0 || labels.remove.length > 0) {
+            await linear.updateIssueLabels({
+                issueId: stageRun.linearIssueId,
+                ...(labels.add.length > 0 ? { addNames: labels.add } : {}),
+                ...(labels.remove.length > 0 ? { removeNames: labels.remove } : {}),
+            });
+        }
+        this.stores.issueWorkflows.upsertTrackedIssue({
+            projectId: stageRun.projectId,
+            linearIssueId: stageRun.linearIssueId,
+            currentLinearState: activeState,
+            statusCommentId: issue.statusCommentId ?? null,
+            lifecycleStatus: "running",
+        });
+        this.stores.issueControl.upsertIssueControl({
+            projectId: stageRun.projectId,
+            linearIssueId: stageRun.linearIssueId,
+            ...(issue.statusCommentId ? { serviceOwnedCommentId: issue.statusCommentId } : {}),
+            ...(issue.activeAgentSessionId ? { activeAgentSessionId: issue.activeAgentSessionId } : {}),
+            lifecycleStatus: "running",
+        });
+    }
+    async refreshRunningStatusComment(projectId, issueId, stageRunId, issueKey) {
+        const linear = await this.linearProvider.forProject(projectId);
+        if (!linear) {
+            return;
+        }
+        const issue = this.stores.issueWorkflows.getTrackedIssue(projectId, issueId);
+        const stageRun = this.stores.issueWorkflows.getStageRun(stageRunId);
+        const workspace = stageRun ? this.stores.issueWorkflows.getWorkspace(stageRun.workspaceId) : undefined;
+        if (!issue || !stageRun || !workspace) {
+            return;
+        }
+        try {
+            const result = await linear.upsertIssueComment({
+                issueId,
+                ...(issue.statusCommentId ? { commentId: issue.statusCommentId } : {}),
+                body: buildRunningStatusComment({
+                    issue,
+                    stageRun,
+                    branchName: workspace.branchName,
+                }),
+            });
+            this.stores.issueWorkflows.setIssueStatusComment(projectId, issueId, result.id);
+            this.stores.issueControl.upsertIssueControl({
+                projectId,
+                linearIssueId: issueId,
+                serviceOwnedCommentId: result.id,
+                lifecycleStatus: issue.lifecycleStatus,
+            });
+        }
+        catch (error) {
+            this.logger.warn({
+                issueKey,
+                stageRunId,
+                issueId,
+                error: error instanceof Error ? error.message : String(error),
+            }, "Failed to refresh running status comment after stage startup");
+        }
+    }
+    async publishStageStarted(issue, stage) {
+        if (!issue.activeAgentSessionId) {
+            return;
+        }
+        const linear = await this.linearProvider.forProject(issue.projectId);
+        if (!linear) {
+            return;
+        }
+        try {
+            await linear.createAgentActivity({
+                agentSessionId: issue.activeAgentSessionId,
+                content: {
+                    type: "action",
+                    action: "running_workflow",
+                    parameter: stage,
+                    result: `PatchRelay started the ${stage} workflow.`,
+                },
+                ephemeral: true,
+            });
+        }
+        catch (error) {
+            this.logger.warn({
+                issueKey: issue.issueKey,
+                stage,
+                agentSessionId: issue.activeAgentSessionId,
+                error: error instanceof Error ? error.message : String(error),
+            }, "Failed to publish Linear agent activity after stage startup");
+        }
+    }
+    async publishStageCompletion(stageRun, enqueueIssue) {
+        const refreshedIssue = this.stores.issueWorkflows.getTrackedIssue(stageRun.projectId, stageRun.linearIssueId);
+        if (refreshedIssue?.desiredStage) {
+            await this.publishAgentCompletion(refreshedIssue, {
+                type: "thought",
+                body: `The ${stageRun.stage} workflow finished. PatchRelay is preparing the next requested workflow.`,
+            });
+            enqueueIssue(stageRun.projectId, stageRun.linearIssueId);
+            return;
+        }
+        const project = this.config.projects.find((candidate) => candidate.id === stageRun.projectId);
+        const activeState = project ? resolveActiveLinearState(project, stageRun.stage) : undefined;
+        const linear = project ? await this.linearProvider.forProject(stageRun.projectId) : undefined;
+        if (refreshedIssue && linear && project && activeState) {
+            try {
+                const linearIssue = await linear.getIssue(stageRun.linearIssueId);
+                if (linearIssue.stateName?.trim().toLowerCase() === activeState.trim().toLowerCase()) {
+                    const labels = resolveWorkflowLabelNames(project, "awaitingHandoff");
+                    if (labels.add.length > 0 || labels.remove.length > 0) {
+                        await linear.updateIssueLabels({
+                            issueId: stageRun.linearIssueId,
+                            ...(labels.add.length > 0 ? { addNames: labels.add } : {}),
+                            ...(labels.remove.length > 0 ? { removeNames: labels.remove } : {}),
+                        });
+                    }
+                    this.stores.issueWorkflows.setIssueLifecycleStatus(stageRun.projectId, stageRun.linearIssueId, "paused");
+                    this.stores.issueControl.upsertIssueControl({
+                        projectId: stageRun.projectId,
+                        linearIssueId: stageRun.linearIssueId,
+                        lifecycleStatus: "paused",
+                    });
+                    const finalStageRun = this.stores.issueWorkflows.getStageRun(stageRun.id) ?? stageRun;
+                    const result = await linear.upsertIssueComment({
+                        issueId: stageRun.linearIssueId,
+                        ...(refreshedIssue.statusCommentId ? { commentId: refreshedIssue.statusCommentId } : {}),
+                        body: buildAwaitingHandoffComment({
+                            issue: refreshedIssue,
+                            stageRun: finalStageRun,
+                            activeState,
+                        }),
+                    });
+                    this.stores.issueWorkflows.setIssueStatusComment(stageRun.projectId, stageRun.linearIssueId, result.id);
+                    this.stores.issueControl.upsertIssueControl({
+                        projectId: stageRun.projectId,
+                        linearIssueId: stageRun.linearIssueId,
+                        serviceOwnedCommentId: result.id,
+                        lifecycleStatus: "paused",
+                    });
+                    await this.publishAgentCompletion(refreshedIssue, {
+                        type: "elicitation",
+                        body: `PatchRelay finished the ${stageRun.stage} workflow. Move the issue to its next workflow state or leave a follow-up prompt to continue.`,
+                    });
+                    return;
+                }
+                const cleanup = resolveWorkflowLabelCleanup(project);
+                if (cleanup.remove.length > 0) {
+                    await linear.updateIssueLabels({
+                        issueId: stageRun.linearIssueId,
+                        removeNames: cleanup.remove,
+                    });
+                }
+            }
+            catch (error) {
+                this.logger.warn({
+                    issueKey: refreshedIssue.issueKey,
+                    issueId: stageRun.linearIssueId,
+                    stageRunId: stageRun.id,
+                    stage: stageRun.stage,
+                    error: sanitizeDiagnosticText(error instanceof Error ? error.message : String(error)),
+                }, "Stage completed locally but PatchRelay could not finish the final Linear sync");
+            }
+        }
+        if (refreshedIssue) {
+            await this.publishAgentCompletion(refreshedIssue, {
+                type: "response",
+                body: `PatchRelay finished the ${stageRun.stage} workflow.`,
+            });
+        }
+    }
+    async publishAgentCompletion(issue, content) {
+        if (!issue.activeAgentSessionId) {
+            return;
+        }
+        const linear = await this.linearProvider.forProject(issue.projectId);
+        if (!linear) {
+            return;
+        }
+        await linear
+            .createAgentActivity({
+            agentSessionId: issue.activeAgentSessionId,
+            content,
+        })
+            .catch((error) => {
+            this.logger.warn({
+                issueKey: issue.issueKey,
+                issueId: issue.linearIssueId,
+                agentSessionId: issue.activeAgentSessionId,
+                activityType: content.type,
+                error: sanitizeDiagnosticText(error instanceof Error ? error.message : String(error)),
+            }, "Failed to publish Linear agent activity");
+        });
+    }
+}

package/dist/stage-reporting.js

@@ -0,0 +1,153 @@
+export function extractStageSummary(report) {
+    return {
+        assistantMessageCount: report.assistantMessages.length,
+        commandCount: report.commands.length,
+        fileChangeCount: report.fileChanges.length,
+        toolCallCount: report.toolCalls.length,
+        latestAssistantMessage: report.assistantMessages.at(-1) ?? null,
+    };
+}
+export function summarizeCurrentThread(thread) {
+    const latestTurn = thread.turns.at(-1);
+    const latestAgentMessage = latestTurn?.items
+        .filter((item) => item.type === "agentMessage")
+        .at(-1)?.text;
+    return {
+        threadId: thread.id,
+        threadStatus: thread.status,
+        ...(latestTurn ? { latestTurnId: latestTurn.id, latestTurnStatus: latestTurn.status } : {}),
+        ...(latestAgentMessage ? { latestAgentMessage } : {}),
+    };
+}
+export function buildStageReport(stageRun, issue, thread, eventCounts) {
+    const assistantMessages = [];
+    const plans = [];
+    const reasoning = [];
+    const commands = [];
+    const fileChanges = [];
+    const toolCalls = [];
+    for (const turn of thread.turns) {
+        for (const rawItem of turn.items) {
+            const item = rawItem;
+            if (item.type === "agentMessage" && typeof item.text === "string") {
+                assistantMessages.push(item.text);
+            }
+            else if (item.type === "plan" && typeof item.text === "string") {
+                plans.push(item.text);
+            }
+            else if (item.type === "reasoning" && Array.isArray(item.summary) && Array.isArray(item.content)) {
+                reasoning.push(...item.summary, ...item.content);
+            }
+            else if (item.type === "commandExecution" && typeof item.command === "string" && typeof item.cwd === "string") {
+                commands.push({
+                    command: item.command,
+                    cwd: item.cwd,
+                    status: typeof item.status === "string" ? item.status : "unknown",
+                    ...(typeof item.exitCode === "number" || item.exitCode === null
+                        ? { exitCode: item.exitCode }
+                        : {}),
+                    ...(typeof item.durationMs === "number" || item.durationMs === null
+                        ? { durationMs: item.durationMs }
+                        : {}),
+                });
+            }
+            else if (item.type === "fileChange" && Array.isArray(item.changes)) {
+                fileChanges.push(...item.changes);
+            }
+            else if (item.type === "mcpToolCall" && typeof item.server === "string" && typeof item.tool === "string") {
+                toolCalls.push({
+                    type: "mcp",
+                    name: `${item.server}/${item.tool}`,
+                    status: typeof item.status === "string" ? item.status : "unknown",
+                    ...(typeof item.durationMs === "number" || item.durationMs === null
+                        ? { durationMs: item.durationMs }
+                        : {}),
+                });
+            }
+            else if (item.type === "dynamicToolCall" && typeof item.tool === "string") {
+                toolCalls.push({
+                    type: "dynamic",
+                    name: item.tool,
+                    status: typeof item.status === "string" ? item.status : "unknown",
+                    ...(typeof item.durationMs === "number" || item.durationMs === null
+                        ? { durationMs: item.durationMs }
+                        : {}),
+                });
+            }
+        }
+    }
+    return {
+        ...(issue.issueKey ? { issueKey: issue.issueKey } : {}),
+        stage: stageRun.stage,
+        status: stageRun.status,
+        ...(stageRun.threadId ? { threadId: stageRun.threadId } : {}),
+        ...(stageRun.parentThreadId ? { parentThreadId: stageRun.parentThreadId } : {}),
+        ...(stageRun.turnId ? { turnId: stageRun.turnId } : {}),
+        prompt: stageRun.promptText,
+        workflowFile: stageRun.workflowFile,
+        assistantMessages,
+        plans,
+        reasoning,
+        commands,
+        fileChanges,
+        toolCalls,
+        eventCounts,
+    };
+}
+export function buildFailedStageReport(stageRun, status, options) {
+    return {
+        stage: stageRun.stage,
+        status,
+        ...(options?.threadId ? { threadId: options.threadId } : {}),
+        ...(options?.turnId ? { turnId: options.turnId } : {}),
+        prompt: stageRun.promptText,
+        workflowFile: stageRun.workflowFile,
+        assistantMessages: [],
+        plans: [],
+        reasoning: [],
+        commands: [],
+        fileChanges: [],
+        toolCalls: [],
+        eventCounts: {},
+    };
+}
+export function countEventMethods(events) {
+    return events.reduce((counts, event) => {
+        counts[event.method] = (counts[event.method] ?? 0) + 1;
+        return counts;
+    }, {});
+}
+export function resolveStageRunStatus(params) {
+    const turn = params.turn;
+    if (!turn || typeof turn !== "object") {
+        return "failed";
+    }
+    const status = String(turn.status ?? "failed");
+    return status === "completed" ? "completed" : "failed";
+}
+export function extractTurnId(params) {
+    const turn = params.turn;
+    if (!turn || typeof turn !== "object") {
+        return undefined;
+    }
+    const id = turn.id;
+    return typeof id === "string" ? id : undefined;
+}
+export function buildPendingMaterializationThread(stageRun, error) {
+    return {
+        id: stageRun.threadId ?? "pending-thread",
+        preview: "",
+        cwd: "",
+        status: "pending-materialization",
+        turns: [
+            {
+                id: stageRun.turnId ?? "pending-turn",
+                status: "inProgress",
+                error: {
+                    message: error.message,
+                },
+                items: [],
+            },
+        ],
+    };
+}

package/dist/stage-turn-input-dispatcher.js

@@ -0,0 +1,102 @@
+import { sanitizeDiagnosticText } from "./utils.js";
+import { safeJsonParse } from "./utils.js";
+export class StageTurnInputDispatcher {
+    inputs;
+    codex;
+    logger;
+    constructor(inputs, codex, logger) {
+        this.inputs = inputs;
+        this.codex = codex;
+        this.logger = logger;
+    }
+    routePendingInputs(stageRun, threadId, turnId) {
+        const issueControl = this.inputs.issueControl.getIssueControl(stageRun.projectId, stageRun.linearIssueId);
+        if (!issueControl?.activeRunLeaseId) {
+            return;
+        }
+        for (const obligation of this.listPendingInputObligations(stageRun.projectId, stageRun.linearIssueId, issueControl.activeRunLeaseId)) {
+            this.inputs.obligations.updateObligationRouting(obligation.id, {
+                runLeaseId: issueControl.activeRunLeaseId,
+                threadId,
+                turnId,
+            });
+        }
+    }
+    async flush(stageRun, options) {
+        if (!stageRun.threadId || !stageRun.turnId) {
+            return { deliveredInputIds: [], deliveredObligationIds: [], deliveredCount: 0 };
+        }
+        const issueControl = this.inputs.issueControl.getIssueControl(stageRun.projectId, stageRun.linearIssueId);
+        if (!issueControl?.activeRunLeaseId) {
+            return { deliveredInputIds: [], deliveredObligationIds: [], deliveredCount: 0 };
+        }
+        const deliveredInputIds = [];
+        const deliveredObligationIds = [];
+        let deliveredCount = 0;
+        const obligationQuery = options?.retryInProgress ? { includeInProgress: true } : undefined;
+        for (const obligation of this.listPendingInputObligations(stageRun.projectId, stageRun.linearIssueId, issueControl.activeRunLeaseId, obligationQuery)) {
+            const payload = safeJsonParse(obligation.payloadJson);
+            const body = payload?.body?.trim();
+            if (!body) {
+                this.inputs.obligations.markObligationStatus(obligation.id, "failed", "obligation payload had no deliverable body");
+                continue;
+            }
+            const claimed = obligation.status === "in_progress" && options?.retryInProgress
+                ? true
+                : this.inputs.obligations.claimPendingObligation(obligation.id, {
+                    runLeaseId: issueControl.activeRunLeaseId,
+                    threadId: stageRun.threadId,
+                    turnId: stageRun.turnId,
+                });
+            if (!claimed) {
+                continue;
+            }
+            try {
+                if (obligation.status === "in_progress") {
+                    this.inputs.obligations.updateObligationRouting(obligation.id, {
+                        runLeaseId: issueControl.activeRunLeaseId,
+                        threadId: stageRun.threadId,
+                        turnId: stageRun.turnId,
+                    });
+                }
+                await this.codex.steerTurn({
+                    threadId: stageRun.threadId,
+                    turnId: stageRun.turnId,
+                    input: body,
+                });
+                deliveredObligationIds.push(obligation.id);
+                this.inputs.obligations.markObligationStatus(obligation.id, "completed");
+                deliveredCount += 1;
+                this.logger.debug({
+                    threadId: stageRun.threadId,
+                    turnId: stageRun.turnId,
+                    obligationId: obligation.id,
+                    source: obligation.source,
+                }, "Delivered queued turn input to Codex");
+            }
+            catch (error) {
+                this.inputs.obligations.markObligationStatus(obligation.id, "pending", error instanceof Error ? error.message : String(error));
+                this.logger.warn({
+                    issueKey: options?.issueKey,
+                    threadId: stageRun.threadId,
+                    turnId: stageRun.turnId,
+                    obligationId: obligation.id,
+                    source: obligation.source,
+                    error: sanitizeDiagnosticText(error instanceof Error ? error.message : String(error)),
+                }, options?.failureMessage ?? "Failed to deliver queued turn input");
+                break;
+            }
+        }
+        return { deliveredInputIds, deliveredObligationIds, deliveredCount };
+    }
+    listPendingInputObligations(projectId, linearIssueId, activeRunLeaseId, options) {
+        const query = options?.includeInProgress
+            ? { kind: "deliver_turn_input", includeInProgress: true }
+            : { kind: "deliver_turn_input" };
+        return this.inputs.obligations
+            .listPendingObligations(query)
+            .filter((obligation) => obligation.projectId === projectId &&
+            obligation.linearIssueId === linearIssueId &&
+            (obligation.runLeaseId === undefined || obligation.runLeaseId === activeRunLeaseId));
+    }
+}

package/dist/token-crypto.js

@@ -0,0 +1,21 @@
+import crypto from "node:crypto";
+function deriveKey(secret) {
+    return crypto.createHash("sha256").update(secret, "utf8").digest();
+}
+export function encryptSecret(value, secret) {
+    const iv = crypto.randomBytes(12);
+    const key = deriveKey(secret);
+    const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
+    const ciphertext = Buffer.concat([cipher.update(value, "utf8"), cipher.final()]);
+    const tag = cipher.getAuthTag();
+    return Buffer.concat([iv, tag, ciphertext]).toString("base64");
+}
+export function decryptSecret(ciphertext, secret) {
+    const payload = Buffer.from(ciphertext, "base64");
+    const iv = payload.subarray(0, 12);
+    const tag = payload.subarray(12, 28);
+    const encrypted = payload.subarray(28);
+    const decipher = crypto.createDecipheriv("aes-256-gcm", deriveKey(secret), iv);
+    decipher.setAuthTag(tag);
+    return Buffer.concat([decipher.update(encrypted), decipher.final()]).toString("utf8");
+}

package/dist/types.js

@@ -0,0 +1,5 @@
+export * from "./config-types.js";
+export * from "./workflow-types.js";
+export * from "./linear-types.js";
+export * from "./db-types.js";
+export * from "./codex-types.js";

package/dist/utils.js

@@ -0,0 +1,163 @@
+import crypto from "node:crypto";
+import { mkdir } from "node:fs/promises";
+import path from "node:path";
+import { execFile } from "node:child_process";
+const REDACTED_HEADER_NAMES = new Set(["authorization", "cookie", "set-cookie", "linear-signature"]);
+const DIAGNOSTIC_REPLACEMENTS = [
+    [/\bBearer\s+[A-Za-z0-9._~+/=-]+\b/gi, "Bearer [redacted]"],
+    [/\b(access[_-]?token|refresh[_-]?token|client[_-]?secret|webhook[_-]?secret|api[_-]?key|password|tokenEncryptionKey|bearerToken|secret)=([^\s&]+)/gi, "$1=[redacted]"],
+    [/"(access_token|refresh_token|client_secret|accessToken|refreshToken|clientSecret|webhookSecret|apiKey|password|tokenEncryptionKey|bearerToken|secret)"\s*:\s*"[^"]*"/g, "\"$1\":\"[redacted]\""],
+];
+export function ensureAbsolutePath(inputPath) {
+    return path.isAbsolute(inputPath) ? inputPath : path.resolve(process.cwd(), inputPath);
+}
+export async function ensureDir(dirPath) {
+    await mkdir(dirPath, { recursive: true });
+}
+export function timestampMsWithinSkew(timestampMs, maxSkewSeconds) {
+    return Math.abs(Date.now() - timestampMs) <= maxSkewSeconds * 1000;
+}
+export function verifyHmacSha256Hex(rawBody, secret, providedHex) {
+    if (!providedHex) {
+        return false;
+    }
+    const normalized = providedHex.trim().toLowerCase();
+    if (!/^[0-9a-f]+$/.test(normalized) || normalized.length !== 64) {
+        return false;
+    }
+    const expected = crypto.createHmac("sha256", secret).update(rawBody).digest();
+    const provided = Buffer.from(normalized, "hex");
+    return crypto.timingSafeEqual(expected, provided);
+}
+export function interpolateTemplate(input, context) {
+    return input.replace(/\{([a-zA-Z0-9_]+)\}/g, (_match, key) => context[key] ?? "");
+}
+export function interpolateTemplateArray(input, context) {
+    return input.map((value) => interpolateTemplate(value, context));
+}
+export async function execCommand(command, args, options = {}) {
+    return new Promise((resolve, reject) => {
+        execFile(command, args, {
+            cwd: options.cwd,
+            env: options.env,
+            timeout: options.timeoutMs,
+            killSignal: "SIGTERM",
+            encoding: "utf8",
+            maxBuffer: 10 * 1024 * 1024,
+            ...(options.stdio ? { stdio: options.stdio } : {}),
+        }, (error, stdout, stderr) => {
+            if (error) {
+                const timeoutError = typeof error === "object" &&
+                    error !== null &&
+                    "killed" in error &&
+                    "signal" in error &&
+                    error.killed === true &&
+                    error.signal === "SIGTERM" &&
+                    options.timeoutMs;
+                if (timeoutError) {
+                    reject(new Error(`Command timed out after ${options.timeoutMs}ms: ${command}`));
+                    return;
+                }
+                const rawCode = typeof error === "object" && error !== null && "code" in error ? error.code : undefined;
+                if (typeof rawCode === "string" && !/^-?\d+$/.test(rawCode)) {
+                    reject(error);
+                    return;
+                }
+                const exitCode = typeof rawCode === "number" ? rawCode : typeof rawCode === "string" ? Number(rawCode) : 1;
+                resolve({
+                    stdout: typeof stdout === "string" ? stdout : "",
+                    stderr: typeof stderr === "string" ? stderr : "",
+                    exitCode,
+                });
+                return;
+            }
+            resolve({
+                stdout: typeof stdout === "string" ? stdout : "",
+                stderr: typeof stderr === "string" ? stderr : "",
+                exitCode: 0,
+            });
+        });
+    });
+}
+export function safeJsonParse(value) {
+    try {
+        return JSON.parse(value);
+    }
+    catch {
+        return undefined;
+    }
+}
+export function redactSensitiveHeaders(headers) {
+    return Object.fromEntries(Object.entries(headers).map(([name, value]) => [name, REDACTED_HEADER_NAMES.has(name.toLowerCase()) ? "[redacted]" : value]));
+}
+export function sanitizeDiagnosticText(text, maxLength = 500) {
+    let sanitized = text;
+    for (const [pattern, replacement] of DIAGNOSTIC_REPLACEMENTS) {
+        sanitized = sanitized.replace(pattern, replacement);
+    }
+    if (sanitized.length <= maxLength) {
+        return sanitized;
+    }
+    return `${sanitized.slice(0, Math.max(0, maxLength - 12))}[truncated]`;
+}
+export function encryptSecret(plaintext, keyMaterial) {
+    const key = crypto.createHash("sha256").update(keyMaterial).digest();
+    const iv = crypto.randomBytes(12);
+    const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
+    const ciphertext = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
+    const tag = cipher.getAuthTag();
+    return JSON.stringify({
+        iv: iv.toString("base64"),
+        tag: tag.toString("base64"),
+        ciphertext: ciphertext.toString("base64"),
+    });
+}
+export function decryptSecret(payload, keyMaterial) {
+    const parsed = JSON.parse(payload);
+    const key = crypto.createHash("sha256").update(keyMaterial).digest();
+    const decipher = crypto.createDecipheriv("aes-256-gcm", key, Buffer.from(parsed.iv, "base64"));
+    decipher.setAuthTag(Buffer.from(parsed.tag, "base64"));
+    const plaintext = Buffer.concat([
+        decipher.update(Buffer.from(parsed.ciphertext, "base64")),
+        decipher.final(),
+    ]);
+    return plaintext.toString("utf8");
+}
+export function extractFirstJsonObject(text) {
+    const start = text.indexOf("{");
+    if (start === -1) {
+        return undefined;
+    }
+    let depth = 0;
+    let inString = false;
+    let escaped = false;
+    for (let index = start; index < text.length; index += 1) {
+        const char = text[index];
+        if (inString) {
+            if (escaped) {
+                escaped = false;
+            }
+            else if (char === "\\") {
+                escaped = true;
+            }
+            else if (char === "\"") {
+                inString = false;
+            }
+            continue;
+        }
+        if (char === "\"") {
+            inString = true;
+            continue;
+        }
+        if (char === "{") {
+            depth += 1;
+        }
+        else if (char === "}") {
+            depth -= 1;
+            if (depth === 0) {
+                return text.slice(start, index + 1);
+            }
+        }
+    }
+    return undefined;
+}