secretless-ai 0.10.2 → 0.11.2

package/README.md

@@ -52,6 +52,8 @@ Then enable CLI integration: **1Password > Settings > Developer > "Integrate wit
 npx secretless-ai backend set 1password       # Switch backend
 ```
 
+**Prevent repeated popups:** Run `npx secretless-ai warm --ttl 1h` before starting an AI coding session. This pre-loads all secrets into the encrypted cache so no `op` CLI calls (and no biometric popups) happen during the session. See [Session Management](#session-management).
+
 **CI/CD:** Set `OP_SERVICE_ACCOUNT_TOKEN` — same secrets, no code changes. No desktop app needed.
 
 ### HashiCorp Vault Backend
@@ -91,7 +93,7 @@ npx secretless-ai scope reset MY_CREDENTIAL      # Clear baseline
 |----------|-----------|----------|-------------------|
 | **GCP** | Service account key JSON | `testIamPermissions` (Cloud Resource Manager) | None (self-inspection) |
 | **Vault** | Token prefix (`hvs.`, `s.`) | `capabilities-self` (Sys) | None (self-inspection) |
-| **AWS** | Access key prefix (`AKIA`) | Planned | — |
+| **AWS** | Access key prefix (`AKIA`) | STS `GetCallerIdentity` + IAM policy introspection | None (self-inspection) |
 
 ### How It Works
 
@@ -242,7 +244,7 @@ npx secretless-ai init
 Output:
 
 ```
-  Secretless v0.10.1
+  Secretless v0.10.2
   Keeping secrets out of AI
 
   Detected:
@@ -300,6 +302,94 @@ npx secretless-ai verify
   PASS: Secrets are accessible via env vars but hidden from AI context.
 ```
 
+## Session Management
+
+If you use 1Password or OS keychain as your backend, every secret access triggers a biometric prompt (Touch ID, 1Password popup). During an AI coding session, these fire repeatedly and interrupt your workflow.
+
+The `warm` command front-loads all authentication into one intentional moment:
+
+```bash
+npx secretless-ai warm               # Authenticate once, pre-load all secrets into cache
+npx secretless-ai warm --ttl 1h      # Set session length (default: 5m, accepts 300, 10m, 1h, 1d)
+npx secretless-ai warm --no-broker   # Skip auto-starting the broker daemon
+```
+
+**What happens during warm:**
+
+1. Touch ID authenticates your biometric session (macOS)
+2. All secrets are resolved from your backend (1Password, keychain, vault) and cached in an AES-256-GCM encrypted file at `~/.secretless-ai/store/.secret-cache`
+3. Cache TTL is synced with your session TTL so entries don't expire mid-session
+4. The broker daemon starts if not already running
+
+**After warm, for the entire session:** every `resolve()` call hits the encrypted file cache. Zero `op` CLI calls, zero keychain prompts, zero popups.
+
+```
+$ npx secretless-ai warm --ttl 1h
+
+  Secretless Session
+
+  Warming session...
+  Session is warm.
+
+  TTL:          3600s (1h 0m)
+  Expires at:   2026-03-04T17:30:00.000Z
+  Touch ID:     used
+  Cache:        12 secrets preloaded
+  Broker:       running
+
+  You can now use AI tools without repeated auth prompts.
+```
+
+### Auto-Start on Login (macOS)
+
+Install as a macOS LaunchAgent so the broker starts automatically:
+
+```bash
+npx secretless-ai install            # Install LaunchAgent
+npx secretless-ai install status     # Check installation status
+npx secretless-ai install uninstall  # Remove LaunchAgent
+```
+
+### Claude Code Integration
+
+Add a session gate to Claude Code so it blocks tool calls when your session has expired:
+
+```json
+{
+  "hooks": {
+    "PreToolUse": [
+      {
+        "matcher": "Bash",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "npx secretless-ai hook --check-only"
+          }
+        ]
+      }
+    ]
+  }
+}
+```
+
+When the session is warm, the hook passes silently (exit 0, ~57ms). When expired, it blocks with an actionable message:
+
+```
+Secretless session expired. Run: secretless-ai warm
+```
+
+If secretless has never been set up (no session file exists), the hook passes — it won't block users who haven't opted in.
+
+### Secret Cache
+
+The cache reduces OS authentication prompts for keychain and 1Password backends by storing resolved secrets in an AES-256-GCM encrypted file. The `warm` command pre-populates the cache automatically.
+
+```bash
+npx secretless-ai cache              # Show cache status
+npx secretless-ai cache ttl 1h       # Set cache TTL (5m, 1h, 1d, off)
+npx secretless-ai cache clear        # Clear cached secrets
+```
+
 ## Git Protection
 
 Prevent secrets from being committed:
@@ -310,17 +400,35 @@ npx secretless-ai hook status        # Check hook installation status
 npx secretless-ai hook uninstall     # Remove pre-commit hook
 ```
 
+## Shell History Protection
+
+Scan and clean credentials that leaked into shell history files:
+
+```bash
+npx secretless-ai scan --history         # Scan shell history for credentials
+npx secretless-ai clean-history          # Redact credentials in shell history
+npx secretless-ai clean-history --dry-run  # Preview without modifying
+```
+
 ## All Commands
 
 | Command | Description |
 |---------|-------------|
 | `init` | Set up protections for your AI tools |
 | `scan` | Scan for hardcoded secrets (49 patterns) |
-| `status` | Show protection status |
+| `status` | Show protection status (session, broker, transcripts) |
 | `verify` | Verify keys are usable but hidden from AI |
 | `doctor [--fix]` | Diagnose and auto-fix shell profile issues |
-| `clean [--dry-run]` | Scan and redact credentials in transcripts |
+| `clean [--dry-run] [--path P]` | Scan and redact credentials in transcripts |
 | `watch` | Monitor transcripts in real-time |
+| **Session Management** | |
+| `warm` | Warm biometric session and pre-load secrets into cache |
+| `warm --ttl 10m` | Set session TTL (accepts seconds, 5m, 1h, 1d) |
+| `warm --no-broker` | Skip auto-starting the broker daemon |
+| `install` | Install broker as macOS login daemon (LaunchAgent) |
+| `install uninstall` | Remove LaunchAgent |
+| `install status` | Check daemon installation status |
+| `hook --check-only` | Session gate for Claude Code PreToolUse hooks |
 | **Secret Management** | |
 | `secret set <NAME[=VALUE]>` | Store a secret |
 | `secret list` | List stored secret names |
@@ -336,6 +444,10 @@ npx secretless-ai hook uninstall     # Remove pre-commit hook
 | `hook install` | Install pre-commit secret scanner |
 | `hook uninstall` | Remove pre-commit hook |
 | `hook status` | Check hook installation status |
+| **Shell History** | |
+| `scan --history` | Scan shell history for credentials |
+| `clean-history` | Redact credentials in shell history |
+| `clean-history --dry-run` | Preview redaction without modifying |
 | **MCP Protection** | |
 | `protect-mcp [--backend TYPE]` | Encrypt MCP server secrets |
 | `mcp-status` | Show MCP protection status |
@@ -355,8 +467,13 @@ npx secretless-ai hook uninstall     # Remove pre-commit hook
 | `env [--only K1,K2]` | Output export statements for stored secrets (use with `eval`) |
 | `scan-staged` | Scan git staged files for secrets (used by pre-commit hook) |
 | **Cache Management** | |
+| `cache` | Show cache status (backend, TTL, entries) |
 | `cache clear` | Clear the encrypted secret cache |
 | `cache ttl [DURATION]` | Show or set cache TTL (e.g., `5m`, `1h`, `off`) |
+| **Credential Broker** | |
+| `broker start` | Start the credential broker daemon |
+| `broker stop` | Stop the broker daemon |
+| `broker status` | Show broker status, uptime, and request count |
 
 ## Usage via OpenA2A CLI
 
@@ -473,13 +590,13 @@ Each layer builds on the previous one. Start with `secretless-ai init` for immed
 
 ## What Gets Blocked
 
-### File patterns (20+)
+### File patterns (21)
 
 `.env`, `.env.*`, `*.key`, `*.pem`, `*.p12`, `*.pfx`, `*.crt`, `.aws/credentials`, `.ssh/*`, `.docker/config.json`, `.git-credentials`, `.npmrc`, `.pypirc`, `*.tfstate`, `*.tfvars`, `secrets/`, `credentials/`
 
-### Credential patterns (49)
+### Credential patterns (56)
 
-Anthropic API keys, OpenAI keys, AWS access keys, GitHub PATs, Slack tokens, Google API keys, Stripe keys, SendGrid keys, Supabase keys, Azure keys, GitLab tokens, Twilio keys, Mailgun keys, MongoDB URIs, JWTs, and 34 more
+Anthropic API keys, OpenAI keys, AWS access keys, GitHub PATs, Slack tokens, Google API keys, Stripe keys, SendGrid keys, Supabase keys, Azure keys, GitLab tokens, Twilio keys, Mailgun keys, MongoDB URIs, JWTs, and 41 more
 
 ### Bash commands
 
@@ -493,7 +610,7 @@ For Claude Code, Secretless installs a PreToolUse hook that intercepts every `Re
 
 ```bash
 npm run build      # Compile TypeScript to dist/
-npm test           # Run tests (vitest, 677 tests)
+npm test           # Run tests (vitest, 738 tests)
 npm run dev        # Watch mode — recompile on file changes
 npm run clean      # Remove dist/ directory
 ```

package/dist/backends/local.js

@@ -62,10 +62,10 @@ class LocalBackend {
             const encrypted = fs.readFileSync(storePath);
             const decrypted = this.decrypt(encrypted);
             const store = JSON.parse(decrypted);
-            // Path can be a key name or a glob pattern
+            // Empty prefix returns all secrets; otherwise match exact key or prefix/
             const results = {};
             for (const [key, value] of Object.entries(store)) {
-                if (key === secretPath || key.startsWith(secretPath + '/')) {
+                if (!secretPath || key === secretPath || key.startsWith(secretPath + '/')) {
                     results[key] = value;
                 }
             }

package/dist/backends/local.js.map

@@ -1 +1 @@
-{"version":3,"file":"local.js","sourceRoot":"","sources":["../../src/backends/local.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,uCAAyB;AACzB,2CAA6B;AAC7B,+CAAiC;AAGjC,MAAM,UAAU,GAAG,aAAa,CAAC;AACjC,MAAM,SAAS,GAAG,mBAAmB,CAAC;AAOtC;;;GAGG;AACH,MAAa,YAAY;IAKvB,YAAY,MAAgC;QAJnC,SAAI,GAAG,OAAO,CAAC;QAKtB,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,OAAO,CAAC,GAAG,CAAC,WAAW,IAAI,MAAM,CAAC;QACnE,IAAI,CAAC,QAAQ,GAAI,MAAM,EAAE,QAAmB,IAAI,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,gBAAgB,EAAE,OAAO,CAAC,CAAC;QAE3F,+EAA+E;QAC/E,8EAA8E;QAC9E,6EAA6E;QAC7E,MAAM,WAAW,GAAI,MAAM,EAAE,GAAc,IAAI,GAAG,IAAI,eAAe,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,SAAS,EAAE,CAAC;QACrG,IAAI,CAAC,aAAa,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,MAAM,EAAE,CAAC;IAChF,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,UAAkB;QAC9B,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;QACvD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC;YAAE,OAAO,EAAE,CAAC;QAEzC,IAAI,CAAC;YACH,MAAM,SAAS,GAAG,EAAE,CAAC,YAAY,CAAC,SAAS,CAAC,CAAC;YAC7C,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;YAC1C,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;YAEpC,2CAA2C;YAC3C,MAAM,OAAO,GAA2B,EAAE,CAAC;YAC3C,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;gBACjD,IAAI,GAAG,KAAK,UAAU,IAAI,GAAG,CAAC,UAAU,CAAC,UAAU,GAAG,GAAG,CAAC,EAAE,CAAC;oBAC3D,OAAO,CAAC,GAAG,CAAC,GAAG,KAAe,CAAC;gBACjC,CAAC;YACH,CAAC;YACD,OAAO,OAAO,CAAC;QACjB,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;IAED,KAAK,CAAC,WAAW;QACf,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACzB,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;QACvD,MAAM,MAAM,GAAG,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC;QACxC,OAAO;YACL,OAAO,EAAE,MAAM;YACf,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK;YAC7B,OAAO,EAAE,MAAM,CAAC,CAAC,CAAC,uBAAuB,CAAC,CAAC,CAAC,sBAAsB;SACnE,CAAC;IACJ,CAAC;IAED,6BAA6B;IAC7B,KAAK,CAAC,KAAK,CAAC,GAAW,EAAE,KAAa;QACpC,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QAE9D,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;QACvD,IAAI,KAAK,GAA2B,EAAE,CAAC;QAEvC,IAAI,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YAC7B,IAAI,CAAC;gBACH,MAAM,SAAS,GAAG,EAAE,CAAC,YAAY,CAAC,SAAS,CAAC,CAAC;gBAC7C,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC;YAC9C,CAAC;YAAC,MAAM,CAAC;gBACP,gCAAgC;YAClC,CAAC;QACH,CAAC;QAED,KAAK,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;QACnB,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC;QACtD,EAAE,CAAC,aAAa,CAAC,SAAS,EAAE,SAAS,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QAExD,kBAAkB;QAClB,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;QACrD,IAAI,IAAI,GAAc,EAAE,OAAO,EAAE,GAAG,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QACpD,IAAI,CAAC;YACH,IAAI,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAC5B,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC,CAAC;YACxD,CAAC;QACH,CAAC;QAAC,MAAM,CAAC,CAAC,YAAY,CAAC,CAAC;QAExB,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE,CAAC;QAC5D,EAAE,CAAC,aAAa,CAAC,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAC7E,CAAC;IAED,gFAAgF;IAChF,KAAK,CAAC,MAAM,CAAC,GAAW;QACtB,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;QACvD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC;YAAE,OAAO,KAAK,CAAC;QAE5C,IAAI,KAAK,GAA2B,EAAE,CAAC;QACvC,IAAI,CAAC;YACH,MAAM,SAAS,GAAG,EAAE,CAAC,YAAY,CAAC,SAAS,CAAC,CAAC;YAC7C,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC;QAC9C,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;QAED,IAAI,CAAC,CAAC,GAAG,IAAI,KAAK,CAAC;YAAE,OAAO,KAAK,CAAC;QAElC,OAAO,KAAK,CAAC,GAAG,CAAC,CAAC;QAClB,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC;QACtD,EAAE,CAAC,aAAa,CAAC,SAAS,EAAE,SAAS,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QAExD,kBAAkB;QAClB,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;QACrD,IAAI,CAAC;YACH,IAAI,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAC5B,MAAM,IAAI,GAAc,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC,CAAC;gBACvE,OAAO,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;gBACzB,EAAE,CAAC,aAAa,CAAC,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;YAC7E,CAAC;QACH,CAAC;QAAC,MAAM,CAAC,CAAC,YAAY,CAAC,CAAC;QAExB,OAAO,IAAI,CAAC;IACd,CAAC;IAEO,OAAO,CAAC,SAAiB;QAC/B,MAAM,EAAE,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;QAClC,MAAM,MAAM,GAAG,MAAM,CAAC,cAAc,CAAC,aAAa,EAAE,IAAI,CAAC,aAAa,EAAE,EAAE,CAAC,CAAC;QAC5E,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,OAAO,CAAC,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;QACrF,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;QAChC,wCAAwC;QACxC,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,EAAE,EAAE,GAAG,EAAE,SAAS,CAAC,CAAC,CAAC;IAC7C,CAAC;IAEO,OAAO,CAAC,IAAY;QAC1B,MAAM,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QAChC,MAAM,GAAG,GAAG,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;QAClC,MAAM,UAAU,GAAG,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;QACrC,MAAM,QAAQ,GAAG,MAAM,CAAC,gBAAgB,CAAC,aAAa,EAAE,IAAI,CAAC,aAAa,EAAE,EAAE,CAAC,CAAC;QAChF,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;QACzB,OAAO,QAAQ,CAAC,MAAM,CAAC,UAAU,CAAC,GAAG,QAAQ,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IAC/D,CAAC;CACF;AAnID,oCAmIC"}
+{"version":3,"file":"local.js","sourceRoot":"","sources":["../../src/backends/local.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,uCAAyB;AACzB,2CAA6B;AAC7B,+CAAiC;AAGjC,MAAM,UAAU,GAAG,aAAa,CAAC;AACjC,MAAM,SAAS,GAAG,mBAAmB,CAAC;AAOtC;;;GAGG;AACH,MAAa,YAAY;IAKvB,YAAY,MAAgC;QAJnC,SAAI,GAAG,OAAO,CAAC;QAKtB,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,OAAO,CAAC,GAAG,CAAC,WAAW,IAAI,MAAM,CAAC;QACnE,IAAI,CAAC,QAAQ,GAAI,MAAM,EAAE,QAAmB,IAAI,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,gBAAgB,EAAE,OAAO,CAAC,CAAC;QAE3F,+EAA+E;QAC/E,8EAA8E;QAC9E,6EAA6E;QAC7E,MAAM,WAAW,GAAI,MAAM,EAAE,GAAc,IAAI,GAAG,IAAI,eAAe,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,SAAS,EAAE,CAAC;QACrG,IAAI,CAAC,aAAa,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,MAAM,EAAE,CAAC;IAChF,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,UAAkB;QAC9B,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;QACvD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC;YAAE,OAAO,EAAE,CAAC;QAEzC,IAAI,CAAC;YACH,MAAM,SAAS,GAAG,EAAE,CAAC,YAAY,CAAC,SAAS,CAAC,CAAC;YAC7C,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;YAC1C,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;YAEpC,yEAAyE;YACzE,MAAM,OAAO,GAA2B,EAAE,CAAC;YAC3C,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;gBACjD,IAAI,CAAC,UAAU,IAAI,GAAG,KAAK,UAAU,IAAI,GAAG,CAAC,UAAU,CAAC,UAAU,GAAG,GAAG,CAAC,EAAE,CAAC;oBAC1E,OAAO,CAAC,GAAG,CAAC,GAAG,KAAe,CAAC;gBACjC,CAAC;YACH,CAAC;YACD,OAAO,OAAO,CAAC;QACjB,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;IAED,KAAK,CAAC,WAAW;QACf,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACzB,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;QACvD,MAAM,MAAM,GAAG,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC;QACxC,OAAO;YACL,OAAO,EAAE,MAAM;YACf,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK;YAC7B,OAAO,EAAE,MAAM,CAAC,CAAC,CAAC,uBAAuB,CAAC,CAAC,CAAC,sBAAsB;SACnE,CAAC;IACJ,CAAC;IAED,6BAA6B;IAC7B,KAAK,CAAC,KAAK,CAAC,GAAW,EAAE,KAAa;QACpC,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QAE9D,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;QACvD,IAAI,KAAK,GAA2B,EAAE,CAAC;QAEvC,IAAI,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YAC7B,IAAI,CAAC;gBACH,MAAM,SAAS,GAAG,EAAE,CAAC,YAAY,CAAC,SAAS,CAAC,CAAC;gBAC7C,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC;YAC9C,CAAC;YAAC,MAAM,CAAC;gBACP,gCAAgC;YAClC,CAAC;QACH,CAAC;QAED,KAAK,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;QACnB,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC;QACtD,EAAE,CAAC,aAAa,CAAC,SAAS,EAAE,SAAS,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QAExD,kBAAkB;QAClB,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;QACrD,IAAI,IAAI,GAAc,EAAE,OAAO,EAAE,GAAG,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QACpD,IAAI,CAAC;YACH,IAAI,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAC5B,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC,CAAC;YACxD,CAAC;QACH,CAAC;QAAC,MAAM,CAAC,CAAC,YAAY,CAAC,CAAC;QAExB,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE,CAAC;QAC5D,EAAE,CAAC,aAAa,CAAC,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAC7E,CAAC;IAED,gFAAgF;IAChF,KAAK,CAAC,MAAM,CAAC,GAAW;QACtB,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;QACvD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC;YAAE,OAAO,KAAK,CAAC;QAE5C,IAAI,KAAK,GAA2B,EAAE,CAAC;QACvC,IAAI,CAAC;YACH,MAAM,SAAS,GAAG,EAAE,CAAC,YAAY,CAAC,SAAS,CAAC,CAAC;YAC7C,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC;QAC9C,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;QAED,IAAI,CAAC,CAAC,GAAG,IAAI,KAAK,CAAC;YAAE,OAAO,KAAK,CAAC;QAElC,OAAO,KAAK,CAAC,GAAG,CAAC,CAAC;QAClB,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC;QACtD,EAAE,CAAC,aAAa,CAAC,SAAS,EAAE,SAAS,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QAExD,kBAAkB;QAClB,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;QACrD,IAAI,CAAC;YACH,IAAI,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAC5B,MAAM,IAAI,GAAc,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC,CAAC;gBACvE,OAAO,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;gBACzB,EAAE,CAAC,aAAa,CAAC,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;YAC7E,CAAC;QACH,CAAC;QAAC,MAAM,CAAC,CAAC,YAAY,CAAC,CAAC;QAExB,OAAO,IAAI,CAAC;IACd,CAAC;IAEO,OAAO,CAAC,SAAiB;QAC/B,MAAM,EAAE,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;QAClC,MAAM,MAAM,GAAG,MAAM,CAAC,cAAc,CAAC,aAAa,EAAE,IAAI,CAAC,aAAa,EAAE,EAAE,CAAC,CAAC;QAC5E,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,OAAO,CAAC,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;QACrF,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;QAChC,wCAAwC;QACxC,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,EAAE,EAAE,GAAG,EAAE,SAAS,CAAC,CAAC,CAAC;IAC7C,CAAC;IAEO,OAAO,CAAC,IAAY;QAC1B,MAAM,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QAChC,MAAM,GAAG,GAAG,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;QAClC,MAAM,UAAU,GAAG,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;QACrC,MAAM,QAAQ,GAAG,MAAM,CAAC,gBAAgB,CAAC,aAAa,EAAE,IAAI,CAAC,aAAa,EAAE,EAAE,CAAC,CAAC;QAChF,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;QACzB,OAAO,QAAQ,CAAC,MAAM,CAAC,UAAU,CAAC,GAAG,QAAQ,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IAC/D,CAAC;CACF;AAnID,oCAmIC"}

package/dist/backends/migrate.d.ts

@@ -8,7 +8,7 @@ import type { WritableSecretBackend } from './types';
 export interface MigrateOptions {
     /** Delete successfully migrated secrets from the source backend. Default: false. */
     deleteFromSource?: boolean;
-    /** Secret path prefix to migrate (e.g. 'mcp'). Default: 'mcp'. */
+    /** Secret path prefix to migrate. Empty string means all secrets. Default: '' (all). */
     prefix?: string;
 }
 export interface MigrateResult {

package/dist/backends/migrate.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"migrate.d.ts","sourceRoot":"","sources":["../../src/backends/migrate.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,SAAS,CAAC;AAErD,MAAM,WAAW,cAAc;IAC7B,oFAAoF;IACpF,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B,kEAAkE;IAClE,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,aAAa;IAC5B,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,KAAK,CAAC;QAAE,GAAG,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CACjD;AAED;;;;;;GAMG;AACH,wBAAsB,cAAc,CAClC,MAAM,EAAE,qBAAqB,EAC7B,WAAW,EAAE,qBAAqB,EAClC,OAAO,CAAC,EAAE,cAAc,GACvB,OAAO,CAAC,aAAa,CAAC,CAyBxB"}
+{"version":3,"file":"migrate.d.ts","sourceRoot":"","sources":["../../src/backends/migrate.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,SAAS,CAAC;AAErD,MAAM,WAAW,cAAc;IAC7B,oFAAoF;IACpF,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B,wFAAwF;IACxF,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,aAAa;IAC5B,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,KAAK,CAAC;QAAE,GAAG,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CACjD;AAED;;;;;;GAMG;AACH,wBAAsB,cAAc,CAClC,MAAM,EAAE,qBAAqB,EAC7B,WAAW,EAAE,qBAAqB,EAClC,OAAO,CAAC,EAAE,cAAc,GACvB,OAAO,CAAC,aAAa,CAAC,CAyBxB"}

package/dist/backends/migrate.js

@@ -15,7 +15,7 @@ exports.migrateSecrets = migrateSecrets;
  * @param options     - Migration options
  */
 async function migrateSecrets(source, destination, options) {
-    const prefix = options?.prefix ?? 'mcp';
+    const prefix = options?.prefix ?? '';
     const deleteFromSource = options?.deleteFromSource ?? false;
     const secrets = await source.resolve(prefix);
     const result = { migrated: 0, failed: 0, errors: [] };

package/dist/backends/migrate.js.map

@@ -1 +1 @@
-{"version":3,"file":"migrate.js","sourceRoot":"","sources":["../../src/backends/migrate.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;AAwBH,wCA6BC;AApCD;;;;;;GAMG;AACI,KAAK,UAAU,cAAc,CAClC,MAA6B,EAC7B,WAAkC,EAClC,OAAwB;IAExB,MAAM,MAAM,GAAG,OAAO,EAAE,MAAM,IAAI,KAAK,CAAC;IACxC,MAAM,gBAAgB,GAAG,OAAO,EAAE,gBAAgB,IAAI,KAAK,CAAC;IAE5D,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IAC7C,MAAM,MAAM,GAAkB,EAAE,QAAQ,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC;IAErE,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;QACnD,IAAI,CAAC;YACH,MAAM,WAAW,CAAC,KAAK,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;YACpC,MAAM,CAAC,QAAQ,EAAE,CAAC;YAElB,IAAI,gBAAgB,EAAE,CAAC;gBACrB,MAAM,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAC3B,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,CAAC,MAAM,EAAE,CAAC;YAChB,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC;gBACjB,GAAG;gBACH,OAAO,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;aAC1D,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC"}
+{"version":3,"file":"migrate.js","sourceRoot":"","sources":["../../src/backends/migrate.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;AAwBH,wCA6BC;AApCD;;;;;;GAMG;AACI,KAAK,UAAU,cAAc,CAClC,MAA6B,EAC7B,WAAkC,EAClC,OAAwB;IAExB,MAAM,MAAM,GAAG,OAAO,EAAE,MAAM,IAAI,EAAE,CAAC;IACrC,MAAM,gBAAgB,GAAG,OAAO,EAAE,gBAAgB,IAAI,KAAK,CAAC;IAE5D,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IAC7C,MAAM,MAAM,GAAkB,EAAE,QAAQ,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC;IAErE,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;QACnD,IAAI,CAAC;YACH,MAAM,WAAW,CAAC,KAAK,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;YACpC,MAAM,CAAC,QAAQ,EAAE,CAAC;YAElB,IAAI,gBAAgB,EAAE,CAAC;gBACrB,MAAM,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAC3B,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,CAAC,MAAM,EAAE,CAAC;YAChB,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC;gBACjB,GAAG;gBACH,OAAO,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;aAC1D,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/broker/events.d.ts

@@ -0,0 +1,86 @@
+/**
+ * Structured credential events — typed audit trail for AIM integration.
+ *
+ * Extends the existing audit logger with strongly-typed credential lifecycle
+ * events. These events can be emitted to AIM's audit endpoint for centralized
+ * visibility into credential usage across all agents.
+ *
+ * Event types follow the credential lifecycle:
+ *   requested -> granted | denied
+ *   granted -> expired | revoked
+ *   (any time) -> leak_detected | rotated
+ */
+import { AuditLogger } from './audit';
+/** Credential event types covering the full lifecycle. */
+export type CredentialEventType = 'credential.requested' | 'credential.granted' | 'credential.denied' | 'credential.expired' | 'credential.revoked' | 'credential.rotated' | 'credential.leak_detected';
+/** Alert severity levels. */
+export type AlertLevel = 'info' | 'warning' | 'critical';
+/** Structured credential event for AIM audit trail. */
+export interface CredentialEvent {
+    /** Event type. */
+    type: CredentialEventType;
+    /** ISO 8601 timestamp. */
+    timestamp: string;
+    /** Agent that triggered the event. */
+    agentId: string;
+    /** Secret reference (URI or name, never the actual value). */
+    secretRef: string;
+    /** AIM trust score at the time of the event (0.0 to 1.0). */
+    trustScore?: number;
+    /** TTL in seconds for granted credentials. */
+    ttlSeconds?: number;
+    /** Reason for the decision (denial reason, expiry reason, etc.). */
+    reason?: string;
+    /** Alert level for events that need attention. */
+    alertLevel?: AlertLevel;
+    /** Policy rule that matched (if any). */
+    policyRuleId?: string;
+    /** Capability that was requested or exercised. */
+    capability?: string;
+    /** Backend that was used (keychain, vault, etc.). */
+    backend?: string;
+    /** Event version for forward compatibility. */
+    version: 1;
+}
+/**
+ * Credential event emitter — writes structured events to audit log
+ * and optionally forwards them to AIM.
+ */
+export declare class CredentialEventEmitter {
+    private readonly auditLogger;
+    private readonly aimAuditUrl;
+    constructor(auditLogger: AuditLogger, aimAuditUrl?: string);
+    /** Emit a credential requested event. */
+    emitRequested(agentId: string, secretRef: string, capability?: string): void;
+    /** Emit a credential granted event. */
+    emitGranted(agentId: string, secretRef: string, options: {
+        trustScore?: number;
+        ttlSeconds?: number;
+        policyRuleId?: string;
+        backend?: string;
+    }): void;
+    /** Emit a credential denied event. */
+    emitDenied(agentId: string, secretRef: string, reason: string, options?: {
+        trustScore?: number;
+        policyRuleId?: string;
+        alertLevel?: AlertLevel;
+    }): void;
+    /** Emit a credential expired event. */
+    emitExpired(agentId: string, secretRef: string, wasUsed: boolean): void;
+    /** Emit a credential revoked event. */
+    emitRevoked(agentId: string, secretRef: string, reason: string): void;
+    /** Emit a credential leak detected event. */
+    emitLeakDetected(agentId: string, secretRef: string, leakContext: string): void;
+    /** Emit a credential rotated event. */
+    emitRotated(secretRef: string, trigger: string): void;
+    /**
+     * Core emit: write to local audit log + forward to AIM.
+     */
+    private emit;
+    /**
+     * Forward an event to AIM's audit endpoint.
+     * Non-blocking, fire-and-forget. Failure is never visible to the caller.
+     */
+    private forwardToAim;
+}
+//# sourceMappingURL=events.d.ts.map

package/dist/broker/events.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"events.d.ts","sourceRoot":"","sources":["../../src/broker/events.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAIH,OAAO,EAAE,WAAW,EAAE,MAAM,SAAS,CAAC;AAEtC,0DAA0D;AAC1D,MAAM,MAAM,mBAAmB,GAC3B,sBAAsB,GACtB,oBAAoB,GACpB,mBAAmB,GACnB,oBAAoB,GACpB,oBAAoB,GACpB,oBAAoB,GACpB,0BAA0B,CAAC;AAE/B,6BAA6B;AAC7B,MAAM,MAAM,UAAU,GAAG,MAAM,GAAG,SAAS,GAAG,UAAU,CAAC;AAEzD,uDAAuD;AACvD,MAAM,WAAW,eAAe;IAC9B,kBAAkB;IAClB,IAAI,EAAE,mBAAmB,CAAC;IAC1B,0BAA0B;IAC1B,SAAS,EAAE,MAAM,CAAC;IAClB,sCAAsC;IACtC,OAAO,EAAE,MAAM,CAAC;IAChB,8DAA8D;IAC9D,SAAS,EAAE,MAAM,CAAC;IAClB,6DAA6D;IAC7D,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,8CAA8C;IAC9C,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,oEAAoE;IACpE,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,kDAAkD;IAClD,UAAU,CAAC,EAAE,UAAU,CAAC;IACxB,yCAAyC;IACzC,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,kDAAkD;IAClD,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,qDAAqD;IACrD,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,+CAA+C;IAC/C,OAAO,EAAE,CAAC,CAAC;CACZ;AAED;;;GAGG;AACH,qBAAa,sBAAsB;IACjC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAc;IAC1C,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAgB;gBAEhC,WAAW,EAAE,WAAW,EAAE,WAAW,CAAC,EAAE,MAAM;IAK1D,yCAAyC;IACzC,aAAa,CACX,OAAO,EAAE,MAAM,EACf,SAAS,EAAE,MAAM,EACjB,UAAU,CAAC,EAAE,MAAM,GAClB,IAAI;IAYP,uCAAuC;IACvC,WAAW,CACT,OAAO,EAAE,MAAM,EACf,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE;QACP,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB,OAAO,CAAC,EAAE,MAAM,CAAC;KAClB,GACA,IAAI;IAeP,sCAAsC;IACtC,UAAU,CACR,OAAO,EAAE,MAAM,EACf,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,OAAO,CAAC,EAAE;QACR,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB,UAAU,CAAC,EAAE,UAAU,CAAC;KACzB,GACA,IAAI;IAcP,uCAAuC;IACvC,WAAW,CACT,OAAO,EAAE,MAAM,EACf,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,OAAO,GACf,IAAI;IAYP,uCAAuC;IACvC,WAAW,CACT,OAAO,EAAE,MAAM,EACf,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,GACb,IAAI;IAYP,6CAA6C;IAC7C,gBAAgB,CACd,OAAO,EAAE,MAAM,EACf,SAAS,EAAE,MAAM,EACjB,WAAW,EAAE,MAAM,GAClB,IAAI;IAYP,uCAAuC;IACvC,WAAW,CACT,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,MAAM,GACd,IAAI;IAYP;;OAEG;IACH,OAAO,CAAC,IAAI;IAsBZ;;;OAGG;IACH,OAAO,CAAC,YAAY;CAoCrB"}

package/dist/broker/events.js

@@ -0,0 +1,204 @@
+"use strict";
+/**
+ * Structured credential events — typed audit trail for AIM integration.
+ *
+ * Extends the existing audit logger with strongly-typed credential lifecycle
+ * events. These events can be emitted to AIM's audit endpoint for centralized
+ * visibility into credential usage across all agents.
+ *
+ * Event types follow the credential lifecycle:
+ *   requested -> granted | denied
+ *   granted -> expired | revoked
+ *   (any time) -> leak_detected | rotated
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CredentialEventEmitter = void 0;
+const http = __importStar(require("http"));
+const https = __importStar(require("https"));
+/**
+ * Credential event emitter — writes structured events to audit log
+ * and optionally forwards them to AIM.
+ */
+class CredentialEventEmitter {
+    constructor(auditLogger, aimAuditUrl) {
+        this.auditLogger = auditLogger;
+        this.aimAuditUrl = aimAuditUrl ?? null;
+    }
+    /** Emit a credential requested event. */
+    emitRequested(agentId, secretRef, capability) {
+        this.emit({
+            type: 'credential.requested',
+            timestamp: new Date().toISOString(),
+            agentId,
+            secretRef,
+            capability,
+            alertLevel: 'info',
+            version: 1,
+        });
+    }
+    /** Emit a credential granted event. */
+    emitGranted(agentId, secretRef, options) {
+        this.emit({
+            type: 'credential.granted',
+            timestamp: new Date().toISOString(),
+            agentId,
+            secretRef,
+            trustScore: options.trustScore,
+            ttlSeconds: options.ttlSeconds,
+            policyRuleId: options.policyRuleId,
+            backend: options.backend,
+            alertLevel: 'info',
+            version: 1,
+        });
+    }
+    /** Emit a credential denied event. */
+    emitDenied(agentId, secretRef, reason, options) {
+        this.emit({
+            type: 'credential.denied',
+            timestamp: new Date().toISOString(),
+            agentId,
+            secretRef,
+            reason,
+            trustScore: options?.trustScore,
+            policyRuleId: options?.policyRuleId,
+            alertLevel: options?.alertLevel ?? 'warning',
+            version: 1,
+        });
+    }
+    /** Emit a credential expired event. */
+    emitExpired(agentId, secretRef, wasUsed) {
+        this.emit({
+            type: 'credential.expired',
+            timestamp: new Date().toISOString(),
+            agentId,
+            secretRef,
+            reason: wasUsed ? 'TTL expired after use' : 'TTL expired (unused)',
+            alertLevel: wasUsed ? 'info' : 'warning',
+            version: 1,
+        });
+    }
+    /** Emit a credential revoked event. */
+    emitRevoked(agentId, secretRef, reason) {
+        this.emit({
+            type: 'credential.revoked',
+            timestamp: new Date().toISOString(),
+            agentId,
+            secretRef,
+            reason,
+            alertLevel: 'warning',
+            version: 1,
+        });
+    }
+    /** Emit a credential leak detected event. */
+    emitLeakDetected(agentId, secretRef, leakContext) {
+        this.emit({
+            type: 'credential.leak_detected',
+            timestamp: new Date().toISOString(),
+            agentId,
+            secretRef,
+            reason: leakContext,
+            alertLevel: 'critical',
+            version: 1,
+        });
+    }
+    /** Emit a credential rotated event. */
+    emitRotated(secretRef, trigger) {
+        this.emit({
+            type: 'credential.rotated',
+            timestamp: new Date().toISOString(),
+            agentId: 'system',
+            secretRef,
+            reason: trigger,
+            alertLevel: 'info',
+            version: 1,
+        });
+    }
+    /**
+     * Core emit: write to local audit log + forward to AIM.
+     */
+    emit(event) {
+        // Write to local audit log (always)
+        this.auditLogger.logEvent(event.type, event.agentId, event.secretRef, event.policyRuleId ?? '', event.type.includes('denied') || event.type.includes('revoked') || event.type.includes('leak')
+            ? 'denied'
+            : 'allowed', event.reason ?? '', 0);
+        // Forward to AIM (best-effort, fire-and-forget)
+        if (this.aimAuditUrl) {
+            this.forwardToAim(event).catch(() => {
+                // Silently ignore AIM forwarding failures
+            });
+        }
+    }
+    /**
+     * Forward an event to AIM's audit endpoint.
+     * Non-blocking, fire-and-forget. Failure is never visible to the caller.
+     */
+    forwardToAim(event) {
+        return new Promise((resolve) => {
+            if (!this.aimAuditUrl) {
+                resolve();
+                return;
+            }
+            try {
+                const url = new URL(this.aimAuditUrl);
+                const transport = url.protocol === 'https:' ? https : http;
+                const body = JSON.stringify(event);
+                const req = transport.request({
+                    hostname: url.hostname,
+                    port: url.port,
+                    path: url.pathname,
+                    method: 'POST',
+                    headers: {
+                        'Content-Type': 'application/json',
+                        'Content-Length': Buffer.byteLength(body),
+                    },
+                    timeout: 3000, // 3s timeout — don't block on AIM
+                }, (res) => {
+                    res.resume(); // Drain response
+                    resolve();
+                });
+                req.on('error', () => resolve());
+                req.on('timeout', () => { req.destroy(); resolve(); });
+                req.write(body);
+                req.end();
+            }
+            catch {
+                resolve();
+            }
+        });
+    }
+}
+exports.CredentialEventEmitter = CredentialEventEmitter;
+//# sourceMappingURL=events.js.map

package/dist/broker/events.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"events.js","sourceRoot":"","sources":["../../src/broker/events.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;GAWG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAEH,2CAA6B;AAC7B,6CAA+B;AA4C/B;;;GAGG;AACH,MAAa,sBAAsB;IAIjC,YAAY,WAAwB,EAAE,WAAoB;QACxD,IAAI,CAAC,WAAW,GAAG,WAAW,CAAC;QAC/B,IAAI,CAAC,WAAW,GAAG,WAAW,IAAI,IAAI,CAAC;IACzC,CAAC;IAED,yCAAyC;IACzC,aAAa,CACX,OAAe,EACf,SAAiB,EACjB,UAAmB;QAEnB,IAAI,CAAC,IAAI,CAAC;YACR,IAAI,EAAE,sBAAsB;YAC5B,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,OAAO;YACP,SAAS;YACT,UAAU;YACV,UAAU,EAAE,MAAM;YAClB,OAAO,EAAE,CAAC;SACX,CAAC,CAAC;IACL,CAAC;IAED,uCAAuC;IACvC,WAAW,CACT,OAAe,EACf,SAAiB,EACjB,OAKC;QAED,IAAI,CAAC,IAAI,CAAC;YACR,IAAI,EAAE,oBAAoB;YAC1B,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,OAAO;YACP,SAAS;YACT,UAAU,EAAE,OAAO,CAAC,UAAU;YAC9B,UAAU,EAAE,OAAO,CAAC,UAAU;YAC9B,YAAY,EAAE,OAAO,CAAC,YAAY;YAClC,OAAO,EAAE,OAAO,CAAC,OAAO;YACxB,UAAU,EAAE,MAAM;YAClB,OAAO,EAAE,CAAC;SACX,CAAC,CAAC;IACL,CAAC;IAED,sCAAsC;IACtC,UAAU,CACR,OAAe,EACf,SAAiB,EACjB,MAAc,EACd,OAIC;QAED,IAAI,CAAC,IAAI,CAAC;YACR,IAAI,EAAE,mBAAmB;YACzB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,OAAO;YACP,SAAS;YACT,MAAM;YACN,UAAU,EAAE,OAAO,EAAE,UAAU;YAC/B,YAAY,EAAE,OAAO,EAAE,YAAY;YACnC,UAAU,EAAE,OAAO,EAAE,UAAU,IAAI,SAAS;YAC5C,OAAO,EAAE,CAAC;SACX,CAAC,CAAC;IACL,CAAC;IAED,uCAAuC;IACvC,WAAW,CACT,OAAe,EACf,SAAiB,EACjB,OAAgB;QAEhB,IAAI,CAAC,IAAI,CAAC;YACR,IAAI,EAAE,oBAAoB;YAC1B,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,OAAO;YACP,SAAS;YACT,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC,uBAAuB,CAAC,CAAC,CAAC,sBAAsB;YAClE,UAAU,EAAE,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS;YACxC,OAAO,EAAE,CAAC;SACX,CAAC,CAAC;IACL,CAAC;IAED,uCAAuC;IACvC,WAAW,CACT,OAAe,EACf,SAAiB,EACjB,MAAc;QAEd,IAAI,CAAC,IAAI,CAAC;YACR,IAAI,EAAE,oBAAoB;YAC1B,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,OAAO;YACP,SAAS;YACT,MAAM;YACN,UAAU,EAAE,SAAS;YACrB,OAAO,EAAE,CAAC;SACX,CAAC,CAAC;IACL,CAAC;IAED,6CAA6C;IAC7C,gBAAgB,CACd,OAAe,EACf,SAAiB,EACjB,WAAmB;QAEnB,IAAI,CAAC,IAAI,CAAC;YACR,IAAI,EAAE,0BAA0B;YAChC,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,OAAO;YACP,SAAS;YACT,MAAM,EAAE,WAAW;YACnB,UAAU,EAAE,UAAU;YACtB,OAAO,EAAE,CAAC;SACX,CAAC,CAAC;IACL,CAAC;IAED,uCAAuC;IACvC,WAAW,CACT,SAAiB,EACjB,OAAe;QAEf,IAAI,CAAC,IAAI,CAAC;YACR,IAAI,EAAE,oBAAoB;YAC1B,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,OAAO,EAAE,QAAQ;YACjB,SAAS;YACT,MAAM,EAAE,OAAO;YACf,UAAU,EAAE,MAAM;YAClB,OAAO,EAAE,CAAC;SACX,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IACK,IAAI,CAAC,KAAsB;QACjC,oCAAoC;QACpC,IAAI,CAAC,WAAW,CAAC,QAAQ,CACvB,KAAK,CAAC,IAAI,EACV,KAAK,CAAC,OAAO,EACb,KAAK,CAAC,SAAS,EACf,KAAK,CAAC,YAAY,IAAI,EAAE,EACxB,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC;YAC5F,CAAC,CAAC,QAAQ;YACV,CAAC,CAAC,SAAS,EACb,KAAK,CAAC,MAAM,IAAI,EAAE,EAClB,CAAC,CACF,CAAC;QAEF,gDAAgD;QAChD,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;YACrB,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE;gBAClC,0CAA0C;YAC5C,CAAC,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED;;;OAGG;IACK,YAAY,CAAC,KAAsB;QACzC,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;YAC7B,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;gBAAC,OAAO,EAAE,CAAC;gBAAC,OAAO;YAAC,CAAC;YAE7C,IAAI,CAAC;gBACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;gBACtC,MAAM,SAAS,GAAG,GAAG,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC;gBAC3D,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;gBAEnC,MAAM,GAAG,GAAG,SAAS,CAAC,OAAO,CAC3B;oBACE,QAAQ,EAAE,GAAG,CAAC,QAAQ;oBACtB,IAAI,EAAE,GAAG,CAAC,IAAI;oBACd,IAAI,EAAE,GAAG,CAAC,QAAQ;oBAClB,MAAM,EAAE,MAAM;oBACd,OAAO,EAAE;wBACP,cAAc,EAAE,kBAAkB;wBAClC,gBAAgB,EAAE,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;qBAC1C;oBACD,OAAO,EAAE,IAAI,EAAE,kCAAkC;iBAClD,EACD,CAAC,GAAG,EAAE,EAAE;oBACN,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC,iBAAiB;oBAC/B,OAAO,EAAE,CAAC;gBACZ,CAAC,CACF,CAAC;gBAEF,GAAG,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC;gBACjC,GAAG,CAAC,EAAE,CAAC,SAAS,EAAE,GAAG,EAAE,GAAG,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;gBACvD,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;gBAChB,GAAG,CAAC,GAAG,EAAE,CAAC;YACZ,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,EAAE,CAAC;YACZ,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC;CACF;AA/MD,wDA+MC"}

package/dist/broker/index.d.ts

@@ -6,4 +6,5 @@ export { AimClient } from './aim-client';
 export { CredentialResolver, type ResolverOptions } from './resolver';
 export { BrokerServer } from './server';
 export { startDaemon, stopDaemon, getDaemonStatus, isDaemonRunning, type DaemonOptions, } from './daemon';
+export { CredentialEventEmitter, type CredentialEvent, type CredentialEventType, type AlertLevel, } from './events';
 //# sourceMappingURL=index.d.ts.map

package/dist/broker/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/broker/index.ts"],"names":[],"mappings":"AAAA,YAAY,EACV,YAAY,EACZ,cAAc,EACd,eAAe,EACf,UAAU,EACV,iBAAiB,EACjB,UAAU,EACV,aAAa,EACb,YAAY,EACZ,YAAY,GACb,MAAM,SAAS,CAAC;AAEjB,OAAO,EAAE,YAAY,EAAE,SAAS,EAAE,kBAAkB,EAAE,KAAK,gBAAgB,EAAE,MAAM,UAAU,CAAC;AAC9F,OAAO,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAC7C,OAAO,EAAE,WAAW,EAAE,MAAM,SAAS,CAAC;AACtC,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AACzC,OAAO,EAAE,kBAAkB,EAAE,KAAK,eAAe,EAAE,MAAM,YAAY,CAAC;AACtE,OAAO,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AACxC,OAAO,EACL,WAAW,EACX,UAAU,EACV,eAAe,EACf,eAAe,EACf,KAAK,aAAa,GACnB,MAAM,UAAU,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/broker/index.ts"],"names":[],"mappings":"AAAA,YAAY,EACV,YAAY,EACZ,cAAc,EACd,eAAe,EACf,UAAU,EACV,iBAAiB,EACjB,UAAU,EACV,aAAa,EACb,YAAY,EACZ,YAAY,GACb,MAAM,SAAS,CAAC;AAEjB,OAAO,EAAE,YAAY,EAAE,SAAS,EAAE,kBAAkB,EAAE,KAAK,gBAAgB,EAAE,MAAM,UAAU,CAAC;AAC9F,OAAO,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAC7C,OAAO,EAAE,WAAW,EAAE,MAAM,SAAS,CAAC;AACtC,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AACzC,OAAO,EAAE,kBAAkB,EAAE,KAAK,eAAe,EAAE,MAAM,YAAY,CAAC;AACtE,OAAO,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AACxC,OAAO,EACL,WAAW,EACX,UAAU,EACV,eAAe,EACf,eAAe,EACf,KAAK,aAAa,GACnB,MAAM,UAAU,CAAC;AAElB,OAAO,EACL,sBAAsB,EACtB,KAAK,eAAe,EACpB,KAAK,mBAAmB,EACxB,KAAK,UAAU,GAChB,MAAM,UAAU,CAAC"}

package/dist/broker/index.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.isDaemonRunning = exports.getDaemonStatus = exports.stopDaemon = exports.startDaemon = exports.BrokerServer = exports.CredentialResolver = exports.AimClient = exports.AuditLogger = exports.RateLimiter = exports.isWithinTimeWindow = exports.matchGlob = exports.PolicyEngine = void 0;
+exports.CredentialEventEmitter = exports.isDaemonRunning = exports.getDaemonStatus = exports.stopDaemon = exports.startDaemon = exports.BrokerServer = exports.CredentialResolver = exports.AimClient = exports.AuditLogger = exports.RateLimiter = exports.isWithinTimeWindow = exports.matchGlob = exports.PolicyEngine = void 0;
 var policy_1 = require("./policy");
 Object.defineProperty(exports, "PolicyEngine", { enumerable: true, get: function () { return policy_1.PolicyEngine; } });
 Object.defineProperty(exports, "matchGlob", { enumerable: true, get: function () { return policy_1.matchGlob; } });
@@ -20,4 +20,6 @@ Object.defineProperty(exports, "startDaemon", { enumerable: true, get: function
 Object.defineProperty(exports, "stopDaemon", { enumerable: true, get: function () { return daemon_1.stopDaemon; } });
 Object.defineProperty(exports, "getDaemonStatus", { enumerable: true, get: function () { return daemon_1.getDaemonStatus; } });
 Object.defineProperty(exports, "isDaemonRunning", { enumerable: true, get: function () { return daemon_1.isDaemonRunning; } });
+var events_1 = require("./events");
+Object.defineProperty(exports, "CredentialEventEmitter", { enumerable: true, get: function () { return events_1.CredentialEventEmitter; } });
 //# sourceMappingURL=index.js.map

package/dist/broker/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/broker/index.ts"],"names":[],"mappings":";;;AAYA,mCAA8F;AAArF,sGAAA,YAAY,OAAA;AAAE,mGAAA,SAAS,OAAA;AAAE,4GAAA,kBAAkB,OAAA;AACpD,+CAA6C;AAApC,2GAAA,WAAW,OAAA;AACpB,iCAAsC;AAA7B,oGAAA,WAAW,OAAA;AACpB,2CAAyC;AAAhC,uGAAA,SAAS,OAAA;AAClB,uCAAsE;AAA7D,8GAAA,kBAAkB,OAAA;AAC3B,mCAAwC;AAA/B,sGAAA,YAAY,OAAA;AACrB,mCAMkB;AALhB,qGAAA,WAAW,OAAA;AACX,oGAAA,UAAU,OAAA;AACV,yGAAA,eAAe,OAAA;AACf,yGAAA,eAAe,OAAA"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/broker/index.ts"],"names":[],"mappings":";;;AAYA,mCAA8F;AAArF,sGAAA,YAAY,OAAA;AAAE,mGAAA,SAAS,OAAA;AAAE,4GAAA,kBAAkB,OAAA;AACpD,+CAA6C;AAApC,2GAAA,WAAW,OAAA;AACpB,iCAAsC;AAA7B,oGAAA,WAAW,OAAA;AACpB,2CAAyC;AAAhC,uGAAA,SAAS,OAAA;AAClB,uCAAsE;AAA7D,8GAAA,kBAAkB,OAAA;AAC3B,mCAAwC;AAA/B,sGAAA,YAAY,OAAA;AACrB,mCAMkB;AALhB,qGAAA,WAAW,OAAA;AACX,oGAAA,UAAU,OAAA;AACV,yGAAA,eAAe,OAAA;AACf,yGAAA,eAAe,OAAA;AAIjB,mCAKkB;AAJhB,gHAAA,sBAAsB,OAAA"}

package/dist/cli.d.ts

@@ -17,6 +17,8 @@
  *   npx secretless-ai setup    — Set up secrets from .secretless manifest
  *   npx secretless-ai hook     — Manage pre-commit hook
  *   npx secretless-ai broker   — Manage credential broker daemon (start, stop, status)
+ *   npx secretless-ai warm     — Warm biometric session (Touch ID on macOS)
+ *   npx secretless-ai install  — Install broker as login daemon (macOS LaunchAgent)
  */
 export {};
 //# sourceMappingURL=cli.d.ts.map

package/dist/cli.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";AAEA;;;;;;;;;;;;;;;;;;GAkBG"}
+{"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";AAEA;;;;;;;;;;;;;;;;;;;;GAoBG"}