sandstream-kit 1.0.0

package/dist/policy.js

@@ -0,0 +1,160 @@
+/**
+ * Agent-write pre-approval policy.
+ *
+ * `.kit.toml [policy.agent_writes]` declares which sensitive vendor
+ * operations the operator pre-authorizes for this repository. Classifiers
+ * and agents read a stable hash of the policy via `KIT_POLICY_HASH` so
+ * the in-scope ops can run without per-call human confirmation, while
+ * out-of-scope ops still require explicit elevation.
+ *
+ * Format in .kit.toml:
+ *
+ *   [policy.agent_writes]
+ *   sentry = ["resolve_issue", "create_release"]
+ *   supabase = ["rotate_jwt", "list_projects"]
+ *   vercel = ["env_set", "trigger_deploy"]
+ *   stripe = []        # all writes still gated
+ *
+ *   [policy]
+ *   default_mode = "read-only"   # force --read-only globally for this repo
+ *
+ * Runtime contract:
+ *   1. At boot, the orchestrator (cli.ts:main) reads `[policy]` from the
+ *      loaded config, computes a SHA-256 of the canonical JSON, exports
+ *      `KIT_POLICY_HASH=<hex>` to env so child processes / classifiers
+ *      see the same identity.
+ *   2. Callers that mutate vendor state call `checkPolicy(vendor, op)` —
+ *      returns true if the op appears in `agent_writes[vendor]`. False
+ *      means the op is gated and requires elevation.
+ *   3. Every policy check emits an audit event with `policy_scope_matched`
+ *      so the forensic trail covers both grants and denials.
+ *
+ * This module deliberately does NOT enforce — it just SURFACES. The
+ * existing elevation + read-only gates remain authoritative; the policy
+ * block is the explicit "operator agreed to this scope" signal that
+ * upstream classifiers (Claude Code, etc.) can honor.
+ */
+import { createHash } from "node:crypto";
+import { appendAuditEventDirect } from "./audit.js";
+const POLICY_HASH_ENV = "KIT_POLICY_HASH";
+/**
+ * Canonical JSON for hashing — sorted keys at every level so the hash is
+ * stable across reorderings in `.kit.toml`.
+ */
+function canonicalize(value) {
+    if (value === null || typeof value !== "object") {
+        return JSON.stringify(value);
+    }
+    if (Array.isArray(value)) {
+        return `[${value.map(canonicalize).join(",")}]`;
+    }
+    const obj = value;
+    const keys = Object.keys(obj).sort();
+    const parts = keys.map((k) => `${JSON.stringify(k)}:${canonicalize(obj[k])}`);
+    return `{${parts.join(",")}}`;
+}
+export function hashPolicy(policy) {
+    if (!policy)
+        return null;
+    return createHash("sha256").update(canonicalize(policy)).digest("hex");
+}
+/**
+ * Computes the policy hash and exports it to env. Called once from main()
+ * after config is loaded. Idempotent.
+ */
+export function installPolicyHash(policy) {
+    const hash = hashPolicy(policy);
+    if (hash) {
+        process.env[POLICY_HASH_ENV] = hash;
+    }
+    else {
+        delete process.env[POLICY_HASH_ENV];
+    }
+}
+export function currentPolicyHash() {
+    return process.env[POLICY_HASH_ENV] ?? null;
+}
+/**
+ * Check whether `op` against `vendor` is pre-approved by the policy.
+ *
+ * Returns `{ approved: false }` when the policy is missing, the vendor
+ * isn't declared, or the op isn't in the vendor's allow-list. Callers
+ * should treat false as "elevation still required" — this is not a
+ * substitute for the elevation gate, just an explicit declaration that
+ * the OPERATOR consented to this scope at configuration time.
+ */
+export async function checkPolicy(policy, vendor, op) {
+    const policyHash = hashPolicy(policy);
+    if (!policy?.agent_writes) {
+        const result = {
+            approved: false,
+            reason: "no [policy.agent_writes] declared in .kit.toml",
+            policyHash,
+        };
+        await appendAuditEventDirect({
+            operation: "policy-check",
+            environment: process.env.KIT_ENV ?? process.env.NODE_ENV ?? "unknown",
+            success: false,
+            metadata: { vendor, op, policy_hash: policyHash, reason: result.reason },
+        });
+        return result;
+    }
+    const allowed = policy.agent_writes[vendor];
+    if (!allowed) {
+        const result = {
+            approved: false,
+            reason: `vendor "${vendor}" not in [policy.agent_writes]`,
+            policyHash,
+        };
+        await appendAuditEventDirect({
+            operation: "policy-check",
+            environment: process.env.KIT_ENV ?? process.env.NODE_ENV ?? "unknown",
+            success: false,
+            metadata: { vendor, op, policy_hash: policyHash, reason: result.reason },
+        });
+        return result;
+    }
+    if (!allowed.includes(op)) {
+        const result = {
+            approved: false,
+            reason: `op "${op}" not in [policy.agent_writes.${vendor}] (= ${JSON.stringify(allowed)})`,
+            policyHash,
+        };
+        await appendAuditEventDirect({
+            operation: "policy-check",
+            environment: process.env.KIT_ENV ?? process.env.NODE_ENV ?? "unknown",
+            success: false,
+            metadata: {
+                vendor,
+                op,
+                policy_hash: policyHash,
+                allowed_ops: allowed,
+                reason: result.reason,
+            },
+        });
+        return result;
+    }
+    const result = {
+        approved: true,
+        reason: `op "${op}" approved by [policy.agent_writes.${vendor}]`,
+        policyHash,
+    };
+    await appendAuditEventDirect({
+        operation: "policy-check",
+        environment: process.env.KIT_ENV ?? process.env.NODE_ENV ?? "unknown",
+        success: true,
+        metadata: {
+            vendor,
+            op,
+            policy_hash: policyHash,
+        },
+    });
+    return result;
+}
+/**
+ * Test-only: reset env var so tests start fresh.
+ */
+export function _resetPolicyHashForTests() {
+    delete process.env[POLICY_HASH_ENV];
+}
+//# sourceMappingURL=policy.js.map

package/dist/policy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy.js","sourceRoot":"","sources":["../src/policy.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAmCG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAEzC,OAAO,EAAE,sBAAsB,EAAE,MAAM,YAAY,CAAC;AAEpD,MAAM,eAAe,GAAG,iBAAiB,CAAC;AAE1C;;;GAGG;AACH,SAAS,YAAY,CAAC,KAAc;IAClC,IAAI,KAAK,KAAK,IAAI,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAChD,OAAO,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;IAC/B,CAAC;IACD,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACzB,OAAO,IAAI,KAAK,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC;IAClD,CAAC;IACD,MAAM,GAAG,GAAG,KAAgC,CAAC;IAC7C,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;IACrC,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;IAC9E,OAAO,IAAI,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC;AAChC,CAAC;AAED,MAAM,UAAU,UAAU,CAAC,MAAgC;IACzD,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IACzB,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACzE,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,iBAAiB,CAAC,MAAgC;IAChE,MAAM,IAAI,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC;IAChC,IAAI,IAAI,EAAE,CAAC;QACT,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,GAAG,IAAI,CAAC;IACtC,CAAC;SAAM,CAAC;QACN,OAAO,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;IACtC,CAAC;AACH,CAAC;AAED,MAAM,UAAU,iBAAiB;IAC/B,OAAO,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,IAAI,IAAI,CAAC;AAC9C,CAAC;AAWD;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,MAAgC,EAChC,MAAc,EACd,EAAU;IAEV,MAAM,UAAU,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC;IACtC,IAAI,CAAC,MAAM,EAAE,YAAY,EAAE,CAAC;QAC1B,MAAM,MAAM,GAAsB;YAChC,QAAQ,EAAE,KAAK;YACf,MAAM,EAAE,gDAAgD;YACxD,UAAU;SACX,CAAC;QACF,MAAM,sBAAsB,CAAC;YAC3B,SAAS,EAAE,cAAc;YACzB,WAAW,EAAE,OAAO,CAAC,GAAG,CAAC,OAAO,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,IAAI,SAAS;YACrE,OAAO,EAAE,KAAK;YACd,QAAQ,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE;SACzE,CAAC,CAAC;QACH,OAAO,MAAM,CAAC;IAChB,CAAC;IACD,MAAM,OAAO,GAAG,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;IAC5C,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,MAAM,GAAsB;YAChC,QAAQ,EAAE,KAAK;YACf,MAAM,EAAE,WAAW,MAAM,gCAAgC;YACzD,UAAU;SACX,CAAC;QACF,MAAM,sBAAsB,CAAC;YAC3B,SAAS,EAAE,cAAc;YACzB,WAAW,EAAE,OAAO,CAAC,GAAG,CAAC,OAAO,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,IAAI,SAAS;YACrE,OAAO,EAAE,KAAK;YACd,QAAQ,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE;SACzE,CAAC,CAAC;QACH,OAAO,MAAM,CAAC;IAChB,CAAC;IACD,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC,EAAE,CAAC;QAC1B,MAAM,MAAM,GAAsB;YAChC,QAAQ,EAAE,KAAK;YACf,MAAM,EAAE,OAAO,EAAE,iCAAiC,MAAM,QAAQ,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,GAAG;YAC1F,UAAU;SACX,CAAC;QACF,MAAM,sBAAsB,CAAC;YAC3B,SAAS,EAAE,cAAc;YACzB,WAAW,EAAE,OAAO,CAAC,GAAG,CAAC,OAAO,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,IAAI,SAAS;YACrE,OAAO,EAAE,KAAK;YACd,QAAQ,EAAE;gBACR,MAAM;gBACN,EAAE;gBACF,WAAW,EAAE,UAAU;gBACvB,WAAW,EAAE,OAAO;gBACpB,MAAM,EAAE,MAAM,CAAC,MAAM;aACtB;SACF,CAAC,CAAC;QACH,OAAO,MAAM,CAAC;IAChB,CAAC;IACD,MAAM,MAAM,GAAsB;QAChC,QAAQ,EAAE,IAAI;QACd,MAAM,EAAE,OAAO,EAAE,sCAAsC,MAAM,GAAG;QAChE,UAAU;KACX,CAAC;IACF,MAAM,sBAAsB,CAAC;QAC3B,SAAS,EAAE,cAAc;QACzB,WAAW,EAAE,OAAO,CAAC,GAAG,CAAC,OAAO,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,IAAI,SAAS;QACrE,OAAO,EAAE,IAAI;QACb,QAAQ,EAAE;YACR,MAAM;YACN,EAAE;YACF,WAAW,EAAE,UAAU;SACxB;KACF,CAAC,CAAC;IACH,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,wBAAwB;IACtC,OAAO,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;AACtC,CAAC"}

package/dist/post-pull-audit.d.ts

@@ -0,0 +1,39 @@
+/**
+ * Post-pull / post-merge security audit.
+ *
+ * After a `git pull` (or merge) brings in teammates' changes, surface
+ * anything that should trigger a security review BEFORE the next
+ * `npm install` / `pnpm install` / deploy:
+ *
+ *   1. **New dependencies** in `package.json` — each one should be
+ *      run through `kit triage` before it lands on disk.
+ *   2. **Removed `.gitignore` entries** — someone deleting `.env*` or
+ *      `*.pem` from the ignore list opens a leak vector.
+ *   3. **Plaintext secrets** introduced in any committed file across
+ *      the diff range (same SECRET_PATTERNS as scan-staged).
+ *   4. **`.kit-allowlist.json` / `.kit-policy.json` changes** —
+ *      relaxed enforcement is worth a second look.
+ *   5. **`.kit.toml [secrets.keys]` changes** — keys added / removed.
+ *
+ * Wraps the existing scanner helpers; this module only does the diff
+ * collection + per-category dispatch.
+ */
+import { type SecretFinding } from "./utils/redactSecrets.js";
+export interface PullAuditReport {
+    baseRef: string;
+    headRef: string;
+    newDependencies: string[];
+    removedDependencies: string[];
+    removedGitignoreEntries: string[];
+    newGitignoreEntries: string[];
+    plaintextHits: {
+        file: string;
+        findings: SecretFinding[];
+    }[];
+    allowlistChanged: boolean;
+    policyChanged: boolean;
+    kitTomlChanged: boolean;
+    changedFiles: string[];
+}
+export declare function auditPull(cwd?: string, baseRef?: string, headRef?: string): Promise<PullAuditReport>;
+export declare function reportSeverity(report: PullAuditReport): "ok" | "warn" | "fail";

package/dist/post-pull-audit.js

@@ -0,0 +1,151 @@
+/**
+ * Post-pull / post-merge security audit.
+ *
+ * After a `git pull` (or merge) brings in teammates' changes, surface
+ * anything that should trigger a security review BEFORE the next
+ * `npm install` / `pnpm install` / deploy:
+ *
+ *   1. **New dependencies** in `package.json` — each one should be
+ *      run through `kit triage` before it lands on disk.
+ *   2. **Removed `.gitignore` entries** — someone deleting `.env*` or
+ *      `*.pem` from the ignore list opens a leak vector.
+ *   3. **Plaintext secrets** introduced in any committed file across
+ *      the diff range (same SECRET_PATTERNS as scan-staged).
+ *   4. **`.kit-allowlist.json` / `.kit-policy.json` changes** —
+ *      relaxed enforcement is worth a second look.
+ *   5. **`.kit.toml [secrets.keys]` changes** — keys added / removed.
+ *
+ * Wraps the existing scanner helpers; this module only does the diff
+ * collection + per-category dispatch.
+ */
+import { findSecrets } from "./utils/redactSecrets.js";
+import { exec } from "./utils/exec.js";
+async function tryGitShow(ref, path, cwd) {
+    try {
+        const { stdout } = await exec("git", ["show", `${ref}:${path}`], {
+            cwd,
+            timeout: 5_000,
+            maxBuffer: 5 * 1024 * 1024,
+        });
+        return stdout;
+    }
+    catch {
+        return null;
+    }
+}
+async function listChangedFiles(baseRef, headRef, cwd) {
+    try {
+        const { stdout } = await exec("git", ["diff", "--name-only", "--diff-filter=AM", "-z", baseRef, headRef], { cwd, timeout: 10_000 });
+        return stdout.split("\0").filter(Boolean);
+    }
+    catch {
+        return [];
+    }
+}
+function diffDeps(before, after) {
+    const beforeAll = new Set([
+        ...Object.keys(before?.dependencies ?? {}),
+        ...Object.keys(before?.devDependencies ?? {}),
+    ]);
+    const afterAll = new Set([
+        ...Object.keys(after?.dependencies ?? {}),
+        ...Object.keys(after?.devDependencies ?? {}),
+    ]);
+    return {
+        added: [...afterAll].filter((name) => !beforeAll.has(name)),
+        removed: [...beforeAll].filter((name) => !afterAll.has(name)),
+    };
+}
+function diffLines(before, after) {
+    const cleanup = (t) => {
+        if (!t)
+            return new Set();
+        return new Set(t
+            .split("\n")
+            .map((l) => {
+            const i = l.indexOf("#");
+            const stripped = i >= 0 ? l.slice(0, i) : l;
+            return stripped.trim();
+        })
+            .filter((l) => l.length > 0));
+    };
+    const b = cleanup(before);
+    const a = cleanup(after);
+    return {
+        added: [...a].filter((line) => !b.has(line)),
+        removed: [...b].filter((line) => !a.has(line)),
+    };
+}
+export async function auditPull(cwd = process.cwd(), baseRef = "HEAD~1", headRef = "HEAD") {
+    const report = {
+        baseRef,
+        headRef,
+        newDependencies: [],
+        removedDependencies: [],
+        removedGitignoreEntries: [],
+        newGitignoreEntries: [],
+        plaintextHits: [],
+        allowlistChanged: false,
+        policyChanged: false,
+        kitTomlChanged: false,
+        changedFiles: [],
+    };
+    // 1. Dependencies
+    const beforePkg = await tryGitShow(baseRef, "package.json", cwd);
+    const afterPkg = await tryGitShow(headRef, "package.json", cwd);
+    if (beforePkg || afterPkg) {
+        try {
+            const before = beforePkg ? JSON.parse(beforePkg) : null;
+            const after = afterPkg ? JSON.parse(afterPkg) : null;
+            const { added, removed } = diffDeps(before, after);
+            report.newDependencies = added;
+            report.removedDependencies = removed;
+        }
+        catch {
+            // malformed package.json — skip
+        }
+    }
+    // 2. .gitignore
+    const beforeGi = await tryGitShow(baseRef, ".gitignore", cwd);
+    const afterGi = await tryGitShow(headRef, ".gitignore", cwd);
+    const giDiff = diffLines(beforeGi, afterGi);
+    report.newGitignoreEntries = giDiff.added;
+    report.removedGitignoreEntries = giDiff.removed;
+    // 3. Plaintext secrets across all changed files
+    const changed = await listChangedFiles(baseRef, headRef, cwd);
+    report.changedFiles = changed;
+    for (const path of changed) {
+        const content = await tryGitShow(headRef, path, cwd);
+        if (!content)
+            continue;
+        const findings = findSecrets(content);
+        if (findings.length > 0) {
+            report.plaintextHits.push({ file: path, findings });
+        }
+    }
+    // 4 + 5. Allowlist / policy / kit.toml shape changes
+    const allowlistBefore = await tryGitShow(baseRef, ".kit-allowlist.json", cwd);
+    const allowlistAfter = await tryGitShow(headRef, ".kit-allowlist.json", cwd);
+    report.allowlistChanged = (allowlistBefore ?? "") !== (allowlistAfter ?? "");
+    const policyBefore = await tryGitShow(baseRef, ".kit-policy.json", cwd);
+    const policyAfter = await tryGitShow(headRef, ".kit-policy.json", cwd);
+    report.policyChanged = (policyBefore ?? "") !== (policyAfter ?? "");
+    const tomlBefore = await tryGitShow(baseRef, ".kit.toml", cwd);
+    const tomlAfter = await tryGitShow(headRef, ".kit.toml", cwd);
+    report.kitTomlChanged = (tomlBefore ?? "") !== (tomlAfter ?? "");
+    return report;
+}
+export function reportSeverity(report) {
+    if (report.plaintextHits.length > 0)
+        return "fail";
+    if (report.removedGitignoreEntries.some((l) => /\.env|\.pem|\.key|id_rsa/.test(l))) {
+        return "fail";
+    }
+    if (report.newDependencies.length > 0 ||
+        report.allowlistChanged ||
+        report.policyChanged) {
+        return "warn";
+    }
+    return "ok";
+}
+//# sourceMappingURL=post-pull-audit.js.map

package/dist/post-pull-audit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"post-pull-audit.js","sourceRoot":"","sources":["../src/post-pull-audit.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,EAAE,WAAW,EAAsB,MAAM,0BAA0B,CAAC;AAC3E,OAAO,EAAE,IAAI,EAAE,MAAM,iBAAiB,CAAC;AAsBvC,KAAK,UAAU,UAAU,CACvB,GAAW,EACX,IAAY,EACZ,GAAW;IAEX,IAAI,CAAC;QACH,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,KAAK,EAAE,CAAC,MAAM,EAAE,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,EAAE;YAC/D,GAAG;YACH,OAAO,EAAE,KAAK;YACd,SAAS,EAAE,CAAC,GAAG,IAAI,GAAG,IAAI;SAC3B,CAAC,CAAC;QACH,OAAO,MAAM,CAAC;IAChB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,KAAK,UAAU,gBAAgB,CAC7B,OAAe,EACf,OAAe,EACf,GAAW;IAEX,IAAI,CAAC;QACH,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,IAAI,CAC3B,KAAK,EACL,CAAC,MAAM,EAAE,aAAa,EAAE,kBAAkB,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,CAAC,EACnE,EAAE,GAAG,EAAE,OAAO,EAAE,MAAM,EAAE,CACzB,CAAC;QACF,OAAO,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAC5C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED,SAAS,QAAQ,CACf,MAA0B,EAC1B,KAAyB;IAEzB,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC;QACxB,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,YAAY,IAAI,EAAE,CAAC;QAC1C,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,eAAe,IAAI,EAAE,CAAC;KAC9C,CAAC,CAAC;IACH,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC;QACvB,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,YAAY,IAAI,EAAE,CAAC;QACzC,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,eAAe,IAAI,EAAE,CAAC;KAC7C,CAAC,CAAC;IACH,OAAO;QACL,KAAK,EAAE,CAAC,GAAG,QAAQ,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QAC3D,OAAO,EAAE,CAAC,GAAG,SAAS,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;KAC9D,CAAC;AACJ,CAAC;AAED,SAAS,SAAS,CAAC,MAAqB,EAAE,KAAoB;IAI5D,MAAM,OAAO,GAAG,CAAC,CAAgB,EAAe,EAAE;QAChD,IAAI,CAAC,CAAC;YAAE,OAAO,IAAI,GAAG,EAAE,CAAC;QACzB,OAAO,IAAI,GAAG,CACZ,CAAC;aACE,KAAK,CAAC,IAAI,CAAC;aACX,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE;YACT,MAAM,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;YACzB,MAAM,QAAQ,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;YAC5C,OAAO,QAAQ,CAAC,IAAI,EAAE,CAAC;QACzB,CAAC,CAAC;aACD,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAC/B,CAAC;IACJ,CAAC,CAAC;IACF,MAAM,CAAC,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAC1B,MAAM,CAAC,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC;IACzB,OAAO;QACL,KAAK,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QAC5C,OAAO,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;KAC/C,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,MAAc,OAAO,CAAC,GAAG,EAAE,EAC3B,UAAkB,QAAQ,EAC1B,UAAkB,MAAM;IAExB,MAAM,MAAM,GAAoB;QAC9B,OAAO;QACP,OAAO;QACP,eAAe,EAAE,EAAE;QACnB,mBAAmB,EAAE,EAAE;QACvB,uBAAuB,EAAE,EAAE;QAC3B,mBAAmB,EAAE,EAAE;QACvB,aAAa,EAAE,EAAE;QACjB,gBAAgB,EAAE,KAAK;QACvB,aAAa,EAAE,KAAK;QACpB,cAAc,EAAE,KAAK;QACrB,YAAY,EAAE,EAAE;KACjB,CAAC;IAEF,kBAAkB;IAClB,MAAM,SAAS,GAAG,MAAM,UAAU,CAAC,OAAO,EAAE,cAAc,EAAE,GAAG,CAAC,CAAC;IACjE,MAAM,QAAQ,GAAG,MAAM,UAAU,CAAC,OAAO,EAAE,cAAc,EAAE,GAAG,CAAC,CAAC;IAChE,IAAI,SAAS,IAAI,QAAQ,EAAE,CAAC;QAC1B,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,SAAS,CAAC,CAAC,CAAE,IAAI,CAAC,KAAK,CAAC,SAAS,CAAiB,CAAC,CAAC,CAAC,IAAI,CAAC;YACzE,MAAM,KAAK,GAAG,QAAQ,CAAC,CAAC,CAAE,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAiB,CAAC,CAAC,CAAC,IAAI,CAAC;YACtE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,GAAG,QAAQ,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;YACnD,MAAM,CAAC,eAAe,GAAG,KAAK,CAAC;YAC/B,MAAM,CAAC,mBAAmB,GAAG,OAAO,CAAC;QACvC,CAAC;QAAC,MAAM,CAAC;YACP,gCAAgC;QAClC,CAAC;IACH,CAAC;IAED,gBAAgB;IAChB,MAAM,QAAQ,GAAG,MAAM,UAAU,CAAC,OAAO,EAAE,YAAY,EAAE,GAAG,CAAC,CAAC;IAC9D,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,OAAO,EAAE,YAAY,EAAE,GAAG,CAAC,CAAC;IAC7D,MAAM,MAAM,GAAG,SAAS,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IAC5C,MAAM,CAAC,mBAAmB,GAAG,MAAM,CAAC,KAAK,CAAC;IAC1C,MAAM,CAAC,uBAAuB,GAAG,MAAM,CAAC,OAAO,CAAC;IAEhD,gDAAgD;IAChD,MAAM,OAAO,GAAG,MAAM,gBAAgB,CAAC,OAAO,EAAE,OAAO,EAAE,GAAG,CAAC,CAAC;IAC9D,MAAM,CAAC,YAAY,GAAG,OAAO,CAAC;IAC9B,KAAK,MAAM,IAAI,IAAI,OAAO,EAAE,CAAC;QAC3B,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,OAAO,EAAE,IAAI,EAAE,GAAG,CAAC,CAAC;QACrD,IAAI,CAAC,OAAO;YAAE,SAAS;QACvB,MAAM,QAAQ,GAAG,WAAW,CAAC,OAAO,CAAC,CAAC;QACtC,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACxB,MAAM,CAAC,aAAa,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAC;QACtD,CAAC;IACH,CAAC;IAED,qDAAqD;IACrD,MAAM,eAAe,GAAG,MAAM,UAAU,CAAC,OAAO,EAAE,qBAAqB,EAAE,GAAG,CAAC,CAAC;IAC9E,MAAM,cAAc,GAAG,MAAM,UAAU,CAAC,OAAO,EAAE,qBAAqB,EAAE,GAAG,CAAC,CAAC;IAC7E,MAAM,CAAC,gBAAgB,GAAG,CAAC,eAAe,IAAI,EAAE,CAAC,KAAK,CAAC,cAAc,IAAI,EAAE,CAAC,CAAC;IAC7E,MAAM,YAAY,GAAG,MAAM,UAAU,CAAC,OAAO,EAAE,kBAAkB,EAAE,GAAG,CAAC,CAAC;IACxE,MAAM,WAAW,GAAG,MAAM,UAAU,CAAC,OAAO,EAAE,kBAAkB,EAAE,GAAG,CAAC,CAAC;IACvE,MAAM,CAAC,aAAa,GAAG,CAAC,YAAY,IAAI,EAAE,CAAC,KAAK,CAAC,WAAW,IAAI,EAAE,CAAC,CAAC;IACpE,MAAM,UAAU,GAAG,MAAM,UAAU,CAAC,OAAO,EAAE,WAAW,EAAE,GAAG,CAAC,CAAC;IAC/D,MAAM,SAAS,GAAG,MAAM,UAAU,CAAC,OAAO,EAAE,WAAW,EAAE,GAAG,CAAC,CAAC;IAC9D,MAAM,CAAC,cAAc,GAAG,CAAC,UAAU,IAAI,EAAE,CAAC,KAAK,CAAC,SAAS,IAAI,EAAE,CAAC,CAAC;IAEjE,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,MAAuB;IACpD,IAAI,MAAM,CAAC,aAAa,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,MAAM,CAAC;IACnD,IAAI,MAAM,CAAC,uBAAuB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,0BAA0B,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QACnF,OAAO,MAAM,CAAC;IAChB,CAAC;IACD,IACE,MAAM,CAAC,eAAe,CAAC,MAAM,GAAG,CAAC;QACjC,MAAM,CAAC,gBAAgB;QACvB,MAAM,CAAC,aAAa,EACpB,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/provision.d.ts

@@ -0,0 +1,17 @@
+import type { ProvisionResult } from "./adapters/types.js";
+/**
+ * Provision a service using the appropriate adapter
+ */
+export declare function provisionService(serviceName: string, projectPath: string, projectName?: string): Promise<ProvisionResult>;
+/**
+ * List available services
+ */
+export declare function listAvailableServices(): string[];
+/**
+ * Get adapter info
+ */
+export declare function getServiceInfo(serviceName: string): {
+    name: string;
+    description: string;
+    tools: string[];
+} | null;

package/dist/provision.js

@@ -0,0 +1,147 @@
+import { writeFile, readFile } from "node:fs/promises";
+import { resolve } from "node:path";
+import { adapters } from "./adapters/index.js";
+import { loadPluginAdapters } from "./plugin-loader.js";
+/**
+ * Load existing environment variables
+ */
+async function loadExistingEnv(projectPath) {
+    try {
+        const envPath = resolve(projectPath, ".env.local");
+        const content = await readFile(envPath, "utf-8");
+        const env = {};
+        for (const line of content.split("\n")) {
+            const trimmed = line.trim();
+            if (!trimmed || trimmed.startsWith("#"))
+                continue;
+            const [key, ...valueParts] = trimmed.split("=");
+            if (key && valueParts.length > 0) {
+                env[key.trim()] = valueParts.join("=").trim();
+            }
+        }
+        return env;
+    }
+    catch {
+        return {};
+    }
+}
+/**
+ * Update .env.local with new secrets
+ */
+async function updateEnvFile(projectPath, secrets) {
+    const envPath = resolve(projectPath, ".env.local");
+    const existing = await loadExistingEnv(projectPath);
+    // Merge with existing
+    const merged = { ...existing, ...secrets };
+    // Write back
+    const lines = [];
+    for (const [key, value] of Object.entries(merged)) {
+        lines.push(`${key}=${value}`);
+    }
+    await writeFile(envPath, lines.join("\n") + "\n", "utf-8");
+}
+/**
+ * Update skills-lock.json with provisioning info
+ */
+async function updateSkillsLock(projectPath, serviceName, config) {
+    const lockPath = resolve(projectPath, "skills-lock.json");
+    let lockData = { provisioned: {} };
+    try {
+        const content = await readFile(lockPath, "utf-8");
+        lockData = JSON.parse(content);
+    }
+    catch {
+        // File doesn't exist or parse error
+    }
+    if (!lockData.provisioned) {
+        lockData.provisioned = {};
+    }
+    lockData.provisioned[serviceName] = {
+        ...config,
+        provisionedAt: new Date().toISOString(),
+    };
+    await writeFile(lockPath, JSON.stringify(lockData, null, 2) + "\n", "utf-8");
+}
+/**
+ * Provision a service using the appropriate adapter
+ */
+export async function provisionService(serviceName, projectPath, projectName) {
+    // Merge built-in adapters with any plugin adapters from kitPlugins in package.json
+    const pluginAdapters = await loadPluginAdapters(projectPath);
+    const allAdapters = { ...adapters, ...pluginAdapters };
+    const adapter = allAdapters[serviceName];
+    if (!adapter) {
+        const available = Object.keys(allAdapters).join(", ");
+        return {
+            success: false,
+            error: `Unknown service: ${serviceName}`,
+            message: `Available services: ${available}`,
+        };
+    }
+    // Check required tools
+    const requiredTools = adapter.getRequiredTools();
+    for (const tool of requiredTools) {
+        try {
+            const { execFile } = await import("node:child_process");
+            const { promisify } = await import("node:util");
+            const exec = promisify(execFile);
+            await exec(tool, ["--version"], { timeout: 5_000 });
+        }
+        catch {
+            return {
+                success: false,
+                error: `Required tool not installed: ${tool}`,
+                message: `Install ${tool} before provisioning ${serviceName}`,
+            };
+        }
+    }
+    // Load context
+    const existingEnv = await loadExistingEnv(projectPath);
+    const context = {
+        projectPath,
+        projectName,
+        existingEnv,
+    };
+    // Check if already provisioned
+    const alreadyProvisioned = await adapter.check(context);
+    if (alreadyProvisioned) {
+        return {
+            success: true,
+            message: `${serviceName} is already provisioned`,
+            config: { alreadyProvisioned: true },
+        };
+    }
+    // Provision the service
+    const result = await adapter.provision(context);
+    if (result.success) {
+        // Update .env.local with secrets
+        if (result.secrets && Object.keys(result.secrets).length > 0) {
+            await updateEnvFile(projectPath, result.secrets);
+        }
+        // Update skills-lock.json with config
+        if (result.config) {
+            await updateSkillsLock(projectPath, serviceName, result.config);
+        }
+    }
+    return result;
+}
+/**
+ * List available services
+ */
+export function listAvailableServices() {
+    return Object.keys(adapters);
+}
+/**
+ * Get adapter info
+ */
+export function getServiceInfo(serviceName) {
+    const adapter = adapters[serviceName];
+    if (!adapter)
+        return null;
+    return {
+        name: adapter.name,
+        description: adapter.description,
+        tools: adapter.getRequiredTools(),
+    };
+}
+//# sourceMappingURL=provision.js.map

package/dist/provision.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"provision.js","sourceRoot":"","sources":["../src/provision.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AACvD,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,QAAQ,EAAE,MAAM,qBAAqB,CAAC;AAC/C,OAAO,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAGxD;;GAEG;AACH,KAAK,UAAU,eAAe,CAAC,WAAmB;IAChD,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,OAAO,CAAC,WAAW,EAAE,YAAY,CAAC,CAAC;QACnD,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QAEjD,MAAM,GAAG,GAA2B,EAAE,CAAC;QACvC,KAAK,MAAM,IAAI,IAAI,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;YACvC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;YAC5B,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;gBAAE,SAAS;YAElD,MAAM,CAAC,GAAG,EAAE,GAAG,UAAU,CAAC,GAAG,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAChD,IAAI,GAAG,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACjC,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,GAAG,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;YAChD,CAAC;QACH,CAAC;QAED,OAAO,GAAG,CAAC;IACb,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,aAAa,CAC1B,WAAmB,EACnB,OAA+B;IAE/B,MAAM,OAAO,GAAG,OAAO,CAAC,WAAW,EAAE,YAAY,CAAC,CAAC;IACnD,MAAM,QAAQ,GAAG,MAAM,eAAe,CAAC,WAAW,CAAC,CAAC;IAEpD,sBAAsB;IACtB,MAAM,MAAM,GAAG,EAAE,GAAG,QAAQ,EAAE,GAAG,OAAO,EAAE,CAAC;IAE3C,aAAa;IACb,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QAClD,KAAK,CAAC,IAAI,CAAC,GAAG,GAAG,IAAI,KAAK,EAAE,CAAC,CAAC;IAChC,CAAC;IAED,MAAM,SAAS,CAAC,OAAO,EAAE,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,IAAI,EAAE,OAAO,CAAC,CAAC;AAC7D,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,gBAAgB,CAC7B,WAAmB,EACnB,WAAmB,EACnB,MAA+B;IAE/B,MAAM,QAAQ,GAAG,OAAO,CAAC,WAAW,EAAE,kBAAkB,CAAC,CAAC;IAE1D,IAAI,QAAQ,GAAQ,EAAE,WAAW,EAAE,EAAE,EAAE,CAAC;IACxC,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QAClD,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IACjC,CAAC;IAAC,MAAM,CAAC;QACP,oCAAoC;IACtC,CAAC;IAED,IAAI,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;QAC1B,QAAQ,CAAC,WAAW,GAAG,EAAE,CAAC;IAC5B,CAAC;IAED,QAAQ,CAAC,WAAW,CAAC,WAAW,CAAC,GAAG;QAClC,GAAG,MAAM;QACT,aAAa,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACxC,CAAC;IAEF,MAAM,SAAS,CAAC,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,EAAE,OAAO,CAAC,CAAC;AAC/E,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,WAAmB,EACnB,WAAmB,EACnB,WAAoB;IAEpB,mFAAmF;IACnF,MAAM,cAAc,GAAG,MAAM,kBAAkB,CAAC,WAAW,CAAC,CAAC;IAC7D,MAAM,WAAW,GAAG,EAAE,GAAG,QAAQ,EAAE,GAAG,cAAc,EAAE,CAAC;IAEvD,MAAM,OAAO,GAAG,WAAW,CAAC,WAAW,CAAC,CAAC;IAEzC,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACtD,OAAO;YACL,OAAO,EAAE,KAAK;YACd,KAAK,EAAE,oBAAoB,WAAW,EAAE;YACxC,OAAO,EAAE,uBAAuB,SAAS,EAAE;SAC5C,CAAC;IACJ,CAAC;IAED,uBAAuB;IACvB,MAAM,aAAa,GAAG,OAAO,CAAC,gBAAgB,EAAE,CAAC;IACjD,KAAK,MAAM,IAAI,IAAI,aAAa,EAAE,CAAC;QACjC,IAAI,CAAC;YACH,MAAM,EAAE,QAAQ,EAAE,GAAG,MAAM,MAAM,CAAC,oBAAoB,CAAC,CAAC;YACxD,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,MAAM,CAAC,WAAW,CAAC,CAAC;YAChD,MAAM,IAAI,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;YACjC,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC,WAAW,CAAC,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC;QACtD,CAAC;QAAC,MAAM,CAAC;YACP,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE,gCAAgC,IAAI,EAAE;gBAC7C,OAAO,EAAE,WAAW,IAAI,wBAAwB,WAAW,EAAE;aAC9D,CAAC;QACJ,CAAC;IACH,CAAC;IAED,eAAe;IACf,MAAM,WAAW,GAAG,MAAM,eAAe,CAAC,WAAW,CAAC,CAAC;IACvD,MAAM,OAAO,GAAmB;QAC9B,WAAW;QACX,WAAW;QACX,WAAW;KACZ,CAAC;IAEF,+BAA+B;IAC/B,MAAM,kBAAkB,GAAG,MAAM,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IACxD,IAAI,kBAAkB,EAAE,CAAC;QACvB,OAAO;YACL,OAAO,EAAE,IAAI;YACb,OAAO,EAAE,GAAG,WAAW,yBAAyB;YAChD,MAAM,EAAE,EAAE,kBAAkB,EAAE,IAAI,EAAE;SACrC,CAAC;IACJ,CAAC;IAED,wBAAwB;IACxB,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;IAEhD,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;QACnB,iCAAiC;QACjC,IAAI,MAAM,CAAC,OAAO,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC7D,MAAM,aAAa,CAAC,WAAW,EAAE,MAAM,CAAC,OAAO,CAAC,CAAC;QACnD,CAAC;QAED,sCAAsC;QACtC,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;YAClB,MAAM,gBAAgB,CAAC,WAAW,EAAE,WAAW,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC;QAClE,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,qBAAqB;IACnC,OAAO,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;AAC/B,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,WAAmB;IAChD,MAAM,OAAO,GAAG,QAAQ,CAAC,WAAW,CAAC,CAAC;IACtC,IAAI,CAAC,OAAO;QAAE,OAAO,IAAI,CAAC;IAE1B,OAAO;QACL,IAAI,EAAE,OAAO,CAAC,IAAI;QAClB,WAAW,EAAE,OAAO,CAAC,WAAW;QAChC,KAAK,EAAE,OAAO,CAAC,gBAAgB,EAAE;KAClC,CAAC;AACJ,CAAC"}

package/dist/query-optimizer.d.ts

@@ -0,0 +1,102 @@
+export interface QueryPlan {
+    query: string;
+    estimatedCost: number;
+    indexesUsed: string[];
+    batchSize: number;
+    useConnection: boolean;
+}
+export interface QueryResult {
+    rows: Record<string, unknown>[];
+    executionTime: number;
+    indexesUsed: string[];
+}
+export interface IndexDefinition {
+    name: string;
+    columns: string[];
+    type: "btree" | "hash";
+    unique: boolean;
+}
+export interface BatchOperation {
+    id: string;
+    operations: Array<{
+        type: "insert" | "update" | "delete";
+        data: unknown;
+    }>;
+    status: "pending" | "executing" | "completed" | "failed";
+    result?: unknown;
+}
+export declare class QueryOptimizer {
+    private queryCache;
+    private indexes;
+    private executionStats;
+    private batchQueue;
+    /**
+     * Create an index for faster queries.
+     */
+    createIndex(indexDef: IndexDefinition): void;
+    /**
+     * Get index definition by name.
+     */
+    getIndex(indexName: string): IndexDefinition | null;
+    /**
+     * Get all indexes.
+     */
+    getAllIndexes(): IndexDefinition[];
+    /**
+     * Drop an index.
+     */
+    dropIndex(indexName: string): boolean;
+    /**
+     * Generate optimized query plan.
+     */
+    planQuery(query: string, columns?: string[]): QueryPlan;
+    private findApplicableIndexes;
+    private calculateQueryCost;
+    private recommendBatchSize;
+    /**
+     * Get cached query plan.
+     */
+    getCachedPlan(query: string): QueryPlan | null;
+    /**
+     * Clear query plan cache.
+     */
+    clearCache(): void;
+    /**
+     * Execute query with optimization.
+     */
+    executeQuery(query: string, columns?: string[]): QueryResult;
+    /**
+     * Get query execution statistics.
+     */
+    getExecutionStats(limit?: number): Array<{
+        query: string;
+        executionTime: number;
+        timestamp: string;
+    }>;
+    /**
+     * Get average query execution time.
+     */
+    getAverageExecutionTime(query?: string): number;
+    /**
+     * Queue batch operation.
+     */
+    queueBatchOperation(id: string, operations: Array<{
+        type: "insert" | "update" | "delete";
+        data: unknown;
+    }>): BatchOperation;
+    /**
+     * Execute queued batch operation.
+     */
+    executeBatch(id: string): BatchOperation | null;
+    /**
+     * Get batch operation by ID.
+     */
+    getBatchOperation(id: string): BatchOperation | null;
+    /**
+     * Get all pending batches.
+     */
+    getPendingBatches(): BatchOperation[];
+    getIndexCache(): Map<string, IndexDefinition>;
+    getQueryCacheSize(): number;
+    getBatchQueueSize(): number;
+}