secretless-ai 0.4.0 → 0.6.0

package/README.md

@@ -11,7 +11,82 @@ Part of the [OpenA2A](https://opena2a.org) ecosystem — open-source security fo
 npx secretless-ai init
 ```
 
-## The Problem
+## MCP Secret Protection
+
+Every MCP server config has plaintext API keys sitting in JSON files on your laptop. The LLM sees them. Secretless encrypts them.
+
+```bash
+npx secretless-ai protect-mcp
+```
+
+```
+  Secretless MCP Protection
+
+  Scanned 1 client(s)
+
+  + claude-desktop/browserbase
+      BROWSERBASE_API_KEY (encrypted)
+  + claude-desktop/github
+      GITHUB_PERSONAL_ACCESS_TOKEN (encrypted)
+  + claude-desktop/stripe
+      STRIPE_SECRET_KEY (encrypted)
+
+  3 secret(s) encrypted across 3 server(s).
+
+  MCP servers will start normally — no workflow changes needed.
+```
+
+**What happens:**
+
+1. Scans MCP configs across Claude Desktop, Cursor, Claude Code, VS Code, and Windsurf
+2. Identifies which env vars are secrets (key name patterns + value regex matching)
+3. Encrypts secrets into a local AES-256-GCM vault (`~/.secretless-ai/mcp-vault/`)
+4. Rewrites configs to use the `secretless-mcp` wrapper — decrypts at runtime, injects as env vars
+5. Non-secret env vars (URLs, org names, regions) stay in the config untouched
+
+**Before:**
+```json
+{
+  "mcpServers": {
+    "github": {
+      "command": "npx",
+      "args": ["@github/mcp-server"],
+      "env": {
+        "GITHUB_TOKEN": "ghp_plaintext_visible_to_LLM",
+        "GITHUB_ORG": "my-org"
+      }
+    }
+  }
+}
+```
+
+**After:**
+```json
+{
+  "mcpServers": {
+    "github": {
+      "command": "secretless-mcp",
+      "args": ["--server", "github", "--client", "claude-desktop", "--", "npx", "@github/mcp-server"],
+      "env": {
+        "GITHUB_ORG": "my-org"
+      }
+    }
+  }
+}
+```
+
+The secret moves to the encrypted vault. The wrapper decrypts it at startup (<10ms overhead) and passes it to the MCP server as an env var. The LLM never sees it.
+
+**Other MCP commands:**
+
+```bash
+npx secretless-ai mcp-status      # Show which servers are protected/exposed
+npx secretless-ai mcp-unprotect   # Restore original configs from backup
+```
+
+---
+
+## AI Context Protection
 
 AI coding tools read your files to provide context. That includes `.env` files, API keys in config, SSH keys, and cloud credentials. Once a secret enters an AI context window, it's sent to a remote API — and you can't take it back.
 
@@ -40,7 +115,7 @@ npx secretless-ai init
 Output:
 
 ```
-  Secretless v0.3.0
+  Secretless v0.6.0
   Keeping secrets out of AI
 
   Detected:
@@ -114,7 +189,7 @@ Detects AI tools in your project and installs protections. If API keys are set a
 
 ### `npx secretless-ai scan`
 
-Scans config files for hardcoded credentials — both project-level and global (`~/.claude/CLAUDE.md`). Detects 12 credential patterns including Anthropic, OpenAI, AWS, GitHub, Slack, Google, Stripe, SendGrid, Supabase, and Azure keys.
+Scans config files for hardcoded credentials — both project-level and global (`~/.claude/CLAUDE.md`). Detects 49 credential patterns including Anthropic, OpenAI, AWS, GitHub, Slack, Google, Stripe, SendGrid, Supabase, Azure, GitLab, Twilio, Mailgun, and more.
 
 ```
   Found 2 credential(s):
@@ -136,6 +211,18 @@ Confirms keys are usable but hidden from AI. Checks that env vars are set AND th
   PASS: Secrets are accessible via env vars but hidden from AI context.
 ```
 
+### `npx secretless-ai protect-mcp`
+
+Scans all MCP configs on your machine, encrypts plaintext secrets into a local vault, and rewrites configs to use the `secretless-mcp` wrapper. Safe to run multiple times — skips already-protected servers.
+
+### `npx secretless-ai mcp-status`
+
+Shows protection status for every MCP server across all clients. Tells you which servers have exposed secrets and which are protected.
+
+### `npx secretless-ai mcp-unprotect`
+
+Restores all MCP configs to their original state from backups. One command to undo everything.
+
 ### `npx secretless-ai status`
 
 Shows current protection status.
@@ -154,9 +241,9 @@ Shows current protection status.
 
 `.env`, `.env.*`, `*.key`, `*.pem`, `*.p12`, `*.pfx`, `*.crt`, `.aws/credentials`, `.ssh/*`, `.docker/config.json`, `.git-credentials`, `.npmrc`, `.pypirc`, `*.tfstate`, `*.tfvars`, `secrets/`, `credentials/`
 
-### Credential patterns (12)
+### Credential patterns (49)
 
-Anthropic API keys, OpenAI keys (project + legacy), AWS access keys, GitHub PATs (classic + fine-grained), Slack tokens, Google API keys, Stripe live keys, SendGrid keys, Supabase service keys, Azure keys
+Anthropic API keys, OpenAI keys, AWS access keys, GitHub PATs, Slack tokens, Google API keys, Stripe keys, SendGrid keys, Supabase keys, Azure keys, GitLab tokens, Twilio keys, Mailgun keys, MongoDB URIs, JWTs, and 34 more
 
 ### Bash commands
 

package/dist/backends/aws-sm.d.ts

@@ -0,0 +1,23 @@
+import type { SecretBackend, BackendHealth } from './types';
+/**
+ * AWS Secrets Manager backend — IAM/IRSA auth.
+ * Zero dependencies. Uses raw HTTP with AWS Signature V4.
+ *
+ * Config:
+ *   region: AWS region (default: AWS_REGION or us-east-1)
+ *   accessKeyId: (default: AWS_ACCESS_KEY_ID env)
+ *   secretAccessKey: (default: AWS_SECRET_ACCESS_KEY env)
+ *   sessionToken: (default: AWS_SESSION_TOKEN env — for IRSA/AssumeRole)
+ */
+export declare class AWSSecretsManagerBackend implements SecretBackend {
+    readonly name = "aws-sm";
+    private readonly region;
+    private readonly accessKeyId;
+    private readonly secretAccessKey;
+    private readonly sessionToken;
+    constructor(config?: Record<string, unknown>);
+    resolve(secretPath: string): Promise<Record<string, string>>;
+    healthCheck(): Promise<BackendHealth>;
+    private signedRequest;
+}
+//# sourceMappingURL=aws-sm.d.ts.map

package/dist/backends/aws-sm.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"aws-sm.d.ts","sourceRoot":"","sources":["../../src/backends/aws-sm.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAE5D;;;;;;;;;GASG;AACH,qBAAa,wBAAyB,YAAW,aAAa;IAC5D,QAAQ,CAAC,IAAI,YAAY;IACzB,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;IAChC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAS;IACrC,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAS;IACzC,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAS;gBAE1B,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;IAOtC,OAAO,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAqB5D,WAAW,IAAI,OAAO,CAAC,aAAa,CAAC;IAoB3C,OAAO,CAAC,aAAa;CAoFtB"}

package/dist/backends/aws-sm.js

@@ -0,0 +1,179 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AWSSecretsManagerBackend = void 0;
+const https = __importStar(require("https"));
+const crypto = __importStar(require("crypto"));
+/**
+ * AWS Secrets Manager backend — IAM/IRSA auth.
+ * Zero dependencies. Uses raw HTTP with AWS Signature V4.
+ *
+ * Config:
+ *   region: AWS region (default: AWS_REGION or us-east-1)
+ *   accessKeyId: (default: AWS_ACCESS_KEY_ID env)
+ *   secretAccessKey: (default: AWS_SECRET_ACCESS_KEY env)
+ *   sessionToken: (default: AWS_SESSION_TOKEN env — for IRSA/AssumeRole)
+ */
+class AWSSecretsManagerBackend {
+    constructor(config) {
+        this.name = 'aws-sm';
+        this.region = config?.region ?? process.env.AWS_REGION ?? process.env.AWS_DEFAULT_REGION ?? 'us-east-1';
+        this.accessKeyId = config?.accessKeyId ?? process.env.AWS_ACCESS_KEY_ID ?? '';
+        this.secretAccessKey = config?.secretAccessKey ?? process.env.AWS_SECRET_ACCESS_KEY ?? '';
+        this.sessionToken = config?.sessionToken ?? process.env.AWS_SESSION_TOKEN ?? '';
+    }
+    async resolve(secretPath) {
+        try {
+            const body = JSON.stringify({ SecretId: secretPath });
+            const response = await this.signedRequest('GetSecretValue', body);
+            const data = JSON.parse(response);
+            if (data.SecretString) {
+                // Try to parse as JSON (common pattern)
+                try {
+                    return JSON.parse(data.SecretString);
+                }
+                catch {
+                    // Not JSON — return as single key-value
+                    return { [secretPath]: data.SecretString };
+                }
+            }
+            return {};
+        }
+        catch {
+            return {};
+        }
+    }
+    async healthCheck() {
+        const start = Date.now();
+        try {
+            // List secrets (limited to 1) to verify auth
+            const body = JSON.stringify({ MaxResults: 1 });
+            await this.signedRequest('ListSecrets', body);
+            return {
+                healthy: true,
+                latencyMs: Date.now() - start,
+                message: `AWS Secrets Manager (${this.region})`,
+            };
+        }
+        catch (err) {
+            return {
+                healthy: false,
+                latencyMs: Date.now() - start,
+                message: `AWS SM error: ${err instanceof Error ? err.message : String(err)}`,
+            };
+        }
+    }
+    signedRequest(action, body) {
+        return new Promise((resolve, reject) => {
+            const host = `secretsmanager.${this.region}.amazonaws.com`;
+            const now = new Date();
+            const dateStamp = now.toISOString().replace(/[:-]|\.\d{3}/g, '').slice(0, 8);
+            const amzDate = now.toISOString().replace(/[:-]|\.\d{3}/g, '');
+            const headers = {
+                'Content-Type': 'application/x-amz-json-1.1',
+                'X-Amz-Target': `secretsmanager.${action}`,
+                'X-Amz-Date': amzDate,
+                Host: host,
+            };
+            if (this.sessionToken) {
+                headers['X-Amz-Security-Token'] = this.sessionToken;
+            }
+            // AWS Signature V4
+            const canonicalHeaders = Object.entries(headers)
+                .sort(([a], [b]) => a.toLowerCase().localeCompare(b.toLowerCase()))
+                .map(([k, v]) => `${k.toLowerCase()}:${v}`)
+                .join('\n') + '\n';
+            const signedHeaders = Object.keys(headers)
+                .map((k) => k.toLowerCase())
+                .sort()
+                .join(';');
+            const payloadHash = crypto.createHash('sha256').update(body).digest('hex');
+            const canonicalRequest = [
+                'POST',
+                '/',
+                '',
+                canonicalHeaders,
+                signedHeaders,
+                payloadHash,
+            ].join('\n');
+            const credentialScope = `${dateStamp}/${this.region}/secretsmanager/aws4_request`;
+            const stringToSign = [
+                'AWS4-HMAC-SHA256',
+                amzDate,
+                credentialScope,
+                crypto.createHash('sha256').update(canonicalRequest).digest('hex'),
+            ].join('\n');
+            const signingKey = getSignatureKey(this.secretAccessKey, dateStamp, this.region, 'secretsmanager');
+            const signature = crypto.createHmac('sha256', signingKey).update(stringToSign).digest('hex');
+            headers['Authorization'] = [
+                `AWS4-HMAC-SHA256 Credential=${this.accessKeyId}/${credentialScope}`,
+                `SignedHeaders=${signedHeaders}`,
+                `Signature=${signature}`,
+            ].join(', ');
+            const options = {
+                hostname: host,
+                port: 443,
+                path: '/',
+                method: 'POST',
+                headers: { ...headers, 'Content-Length': String(Buffer.byteLength(body)) },
+                timeout: 10000,
+            };
+            const req = https.request(options, (res) => {
+                let data = '';
+                res.on('data', (chunk) => { data += chunk; });
+                res.on('end', () => {
+                    if (res.statusCode && res.statusCode >= 400) {
+                        reject(new Error(`AWS SM ${res.statusCode}: ${data.slice(0, 200)}`));
+                    }
+                    else {
+                        resolve(data);
+                    }
+                });
+            });
+            req.on('error', reject);
+            req.on('timeout', () => { req.destroy(); reject(new Error('AWS SM request timeout')); });
+            req.write(body);
+            req.end();
+        });
+    }
+}
+exports.AWSSecretsManagerBackend = AWSSecretsManagerBackend;
+function getSignatureKey(key, dateStamp, region, service) {
+    const kDate = crypto.createHmac('sha256', `AWS4${key}`).update(dateStamp).digest();
+    const kRegion = crypto.createHmac('sha256', kDate).update(region).digest();
+    const kService = crypto.createHmac('sha256', kRegion).update(service).digest();
+    return crypto.createHmac('sha256', kService).update('aws4_request').digest();
+}
+//# sourceMappingURL=aws-sm.js.map

package/dist/backends/aws-sm.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"aws-sm.js","sourceRoot":"","sources":["../../src/backends/aws-sm.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,6CAA+B;AAC/B,+CAAiC;AAGjC;;;;;;;;;GASG;AACH,MAAa,wBAAwB;IAOnC,YAAY,MAAgC;QANnC,SAAI,GAAG,QAAQ,CAAC;QAOvB,IAAI,CAAC,MAAM,GAAI,MAAM,EAAE,MAAiB,IAAI,OAAO,CAAC,GAAG,CAAC,UAAU,IAAI,OAAO,CAAC,GAAG,CAAC,kBAAkB,IAAI,WAAW,CAAC;QACpH,IAAI,CAAC,WAAW,GAAI,MAAM,EAAE,WAAsB,IAAI,OAAO,CAAC,GAAG,CAAC,iBAAiB,IAAI,EAAE,CAAC;QAC1F,IAAI,CAAC,eAAe,GAAI,MAAM,EAAE,eAA0B,IAAI,OAAO,CAAC,GAAG,CAAC,qBAAqB,IAAI,EAAE,CAAC;QACtG,IAAI,CAAC,YAAY,GAAI,MAAM,EAAE,YAAuB,IAAI,OAAO,CAAC,GAAG,CAAC,iBAAiB,IAAI,EAAE,CAAC;IAC9F,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,UAAkB;QAC9B,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,EAAE,QAAQ,EAAE,UAAU,EAAE,CAAC,CAAC;YACtD,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,gBAAgB,EAAE,IAAI,CAAC,CAAC;YAClE,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;YAElC,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;gBACtB,wCAAwC;gBACxC,IAAI,CAAC;oBACH,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;gBACvC,CAAC;gBAAC,MAAM,CAAC;oBACP,wCAAwC;oBACxC,OAAO,EAAE,CAAC,UAAU,CAAC,EAAE,IAAI,CAAC,YAAY,EAAE,CAAC;gBAC7C,CAAC;YACH,CAAC;YACD,OAAO,EAAE,CAAC;QACZ,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;IAED,KAAK,CAAC,WAAW;QACf,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACzB,IAAI,CAAC;YACH,6CAA6C;YAC7C,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,EAAE,UAAU,EAAE,CAAC,EAAE,CAAC,CAAC;YAC/C,MAAM,IAAI,CAAC,aAAa,CAAC,aAAa,EAAE,IAAI,CAAC,CAAC;YAC9C,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK;gBAC7B,OAAO,EAAE,wBAAwB,IAAI,CAAC,MAAM,GAAG;aAChD,CAAC;QACJ,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK;gBAC7B,OAAO,EAAE,iBAAiB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE;aAC7E,CAAC;QACJ,CAAC;IACH,CAAC;IAEO,aAAa,CAAC,MAAc,EAAE,IAAY;QAChD,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YACrC,MAAM,IAAI,GAAG,kBAAkB,IAAI,CAAC,MAAM,gBAAgB,CAAC;YAC3D,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;YACvB,MAAM,SAAS,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,eAAe,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;YAC7E,MAAM,OAAO,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,eAAe,EAAE,EAAE,CAAC,CAAC;YAE/D,MAAM,OAAO,GAA2B;gBACtC,cAAc,EAAE,4BAA4B;gBAC5C,cAAc,EAAE,kBAAkB,MAAM,EAAE;gBAC1C,YAAY,EAAE,OAAO;gBACrB,IAAI,EAAE,IAAI;aACX,CAAC;YAEF,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;gBACtB,OAAO,CAAC,sBAAsB,CAAC,GAAG,IAAI,CAAC,YAAY,CAAC;YACtD,CAAC;YAED,mBAAmB;YACnB,MAAM,gBAAgB,GAAG,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC;iBAC7C,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,aAAa,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;iBAClE,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,CAAC,WAAW,EAAE,IAAI,CAAC,EAAE,CAAC;iBAC1C,IAAI,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;YAErB,MAAM,aAAa,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC;iBACvC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;iBAC3B,IAAI,EAAE;iBACN,IAAI,CAAC,GAAG,CAAC,CAAC;YAEb,MAAM,WAAW,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YAE3E,MAAM,gBAAgB,GAAG;gBACvB,MAAM;gBACN,GAAG;gBACH,EAAE;gBACF,gBAAgB;gBAChB,aAAa;gBACb,WAAW;aACZ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAEb,MAAM,eAAe,GAAG,GAAG,SAAS,IAAI,IAAI,CAAC,MAAM,8BAA8B,CAAC;YAClF,MAAM,YAAY,GAAG;gBACnB,kBAAkB;gBAClB,OAAO;gBACP,eAAe;gBACf,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;aACnE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAEb,MAAM,UAAU,GAAG,eAAe,CAAC,IAAI,CAAC,eAAe,EAAE,SAAS,EAAE,IAAI,CAAC,MAAM,EAAE,gBAAgB,CAAC,CAAC;YACnG,MAAM,SAAS,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YAE7F,OAAO,CAAC,eAAe,CAAC,GAAG;gBACzB,+BAA+B,IAAI,CAAC,WAAW,IAAI,eAAe,EAAE;gBACpE,iBAAiB,aAAa,EAAE;gBAChC,aAAa,SAAS,EAAE;aACzB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAEb,MAAM,OAAO,GAAG;gBACd,QAAQ,EAAE,IAAI;gBACd,IAAI,EAAE,GAAG;gBACT,IAAI,EAAE,GAAG;gBACT,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,EAAE,GAAG,OAAO,EAAE,gBAAgB,EAAE,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,EAAE;gBAC1E,OAAO,EAAE,KAAK;aACf,CAAC;YAEF,MAAM,GAAG,GAAG,KAAK,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;gBACzC,IAAI,IAAI,GAAG,EAAE,CAAC;gBACd,GAAG,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAK,EAAE,EAAE,GAAG,IAAI,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;gBAC9C,GAAG,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE;oBACjB,IAAI,GAAG,CAAC,UAAU,IAAI,GAAG,CAAC,UAAU,IAAI,GAAG,EAAE,CAAC;wBAC5C,MAAM,CAAC,IAAI,KAAK,CAAC,UAAU,GAAG,CAAC,UAAU,KAAK,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC;oBACvE,CAAC;yBAAM,CAAC;wBACN,OAAO,CAAC,IAAI,CAAC,CAAC;oBAChB,CAAC;gBACH,CAAC,CAAC,CAAC;YACL,CAAC,CAAC,CAAC;YAEH,GAAG,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;YACxB,GAAG,CAAC,EAAE,CAAC,SAAS,EAAE,GAAG,EAAE,GAAG,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,wBAAwB,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;YACzF,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YAChB,GAAG,CAAC,GAAG,EAAE,CAAC;QACZ,CAAC,CAAC,CAAC;IACL,CAAC;CACF;AA3ID,4DA2IC;AAED,SAAS,eAAe,CAAC,GAAW,EAAE,SAAiB,EAAE,MAAc,EAAE,OAAe;IACtF,MAAM,KAAK,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,EAAE,OAAO,GAAG,EAAE,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,MAAM,EAAE,CAAC;IACnF,MAAM,OAAO,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,EAAE,CAAC;IAC3E,MAAM,QAAQ,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,MAAM,EAAE,CAAC;IAC/E,OAAO,MAAM,CAAC,UAAU,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC,MAAM,EAAE,CAAC;AAC/E,CAAC"}

package/dist/backends/env.d.ts

@@ -0,0 +1,11 @@
+import type { SecretBackend, BackendHealth } from './types';
+/**
+ * Environment variable backend — resolves secrets from process.env.
+ * The simplest backend. Zero dependencies. Always available.
+ */
+export declare class EnvBackend implements SecretBackend {
+    readonly name = "env";
+    resolve(path: string): Promise<Record<string, string>>;
+    healthCheck(): Promise<BackendHealth>;
+}
+//# sourceMappingURL=env.d.ts.map

package/dist/backends/env.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"env.d.ts","sourceRoot":"","sources":["../../src/backends/env.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAE5D;;;GAGG;AACH,qBAAa,UAAW,YAAW,aAAa;IAC9C,QAAQ,CAAC,IAAI,SAAS;IAEhB,OAAO,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAYtD,WAAW,IAAI,OAAO,CAAC,aAAa,CAAC;CAG5C"}

package/dist/backends/env.js

@@ -0,0 +1,26 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.EnvBackend = void 0;
+/**
+ * Environment variable backend — resolves secrets from process.env.
+ * The simplest backend. Zero dependencies. Always available.
+ */
+class EnvBackend {
+    constructor() {
+        this.name = 'env';
+    }
+    async resolve(path) {
+        // Path format: "ENV_VAR_NAME" or "prefix/ENV_VAR_NAME"
+        const varName = path.includes('/') ? path.split('/').pop() : path;
+        const value = process.env[varName];
+        if (value === undefined) {
+            return {};
+        }
+        return { [varName]: value };
+    }
+    async healthCheck() {
+        return { healthy: true, latencyMs: 0, message: 'Environment variables always available' };
+    }
+}
+exports.EnvBackend = EnvBackend;
+//# sourceMappingURL=env.js.map

package/dist/backends/env.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"env.js","sourceRoot":"","sources":["../../src/backends/env.ts"],"names":[],"mappings":";;;AAEA;;;GAGG;AACH,MAAa,UAAU;IAAvB;QACW,SAAI,GAAG,KAAK,CAAC;IAiBxB,CAAC;IAfC,KAAK,CAAC,OAAO,CAAC,IAAY;QACxB,uDAAuD;QACvD,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAG,CAAC,CAAC,CAAC,IAAI,CAAC;QACnE,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAEnC,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;YACxB,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,OAAO,EAAE,CAAC,OAAO,CAAC,EAAE,KAAK,EAAE,CAAC;IAC9B,CAAC;IAED,KAAK,CAAC,WAAW;QACf,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC,EAAE,OAAO,EAAE,wCAAwC,EAAE,CAAC;IAC5F,CAAC;CACF;AAlBD,gCAkBC"}

package/dist/backends/index.d.ts

@@ -0,0 +1,38 @@
+import type { SecretBackend, BackendConfig, BackendType, BackendHealth } from './types';
+export type { SecretBackend, BackendConfig, BackendType, BackendHealth, AccessAuditEntry } from './types';
+export { EnvBackend } from './env';
+export { LocalBackend } from './local';
+export { VaultBackend } from './vault';
+export { AWSSecretsManagerBackend } from './aws-sm';
+export { OnePasswordBackend } from './onepassword';
+/** Create a backend instance from config */
+export declare function createBackend(type: BackendType, config?: Record<string, unknown>): SecretBackend;
+/**
+ * Backend registry — routes secret resolution to the right backend.
+ * Supports prefix-based routing and priority ordering.
+ */
+export declare class BackendRegistry {
+    private readonly backends;
+    private readonly auditDir?;
+    constructor(configs?: BackendConfig[], auditDir?: string);
+    /** Resolve a secret, trying backends in priority order */
+    resolve(secretPath: string): Promise<Record<string, string>>;
+    /** Health check all backends */
+    healthCheckAll(): Promise<Array<{
+        name: string;
+        health: BackendHealth;
+    }>>;
+    /** List configured backends */
+    list(): Array<{
+        name: string;
+        prefix: string;
+        priority: number;
+    }>;
+    /** Migrate secrets from one backend to another */
+    migrate(fromBackend: SecretBackend, toBackend: SecretBackend, paths: string[]): Promise<{
+        migrated: number;
+        failed: number;
+    }>;
+    private audit;
+}
+//# sourceMappingURL=index.d.ts.map

package/dist/backends/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/backends/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,aAAa,EAAE,WAAW,EAAE,aAAa,EAAoB,MAAM,SAAS,CAAC;AAS1G,YAAY,EAAE,aAAa,EAAE,aAAa,EAAE,WAAW,EAAE,aAAa,EAAE,gBAAgB,EAAE,MAAM,SAAS,CAAC;AAC1G,OAAO,EAAE,UAAU,EAAE,MAAM,OAAO,CAAC;AACnC,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,EAAE,wBAAwB,EAAE,MAAM,UAAU,CAAC;AACpD,OAAO,EAAE,kBAAkB,EAAE,MAAM,eAAe,CAAC;AAInD,4CAA4C;AAC5C,wBAAgB,aAAa,CAAC,IAAI,EAAE,WAAW,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,aAAa,CAUhG;AAED;;;GAGG;AACH,qBAAa,eAAe;IAC1B,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAA2E;IACpG,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAS;gBAEvB,OAAO,CAAC,EAAE,aAAa,EAAE,EAAE,QAAQ,CAAC,EAAE,MAAM;IAqBxD,0DAA0D;IACpD,OAAO,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IA0ClE,gCAAgC;IAC1B,cAAc,IAAI,OAAO,CAAC,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,aAAa,CAAA;KAAE,CAAC,CAAC;IAoB/E,+BAA+B;IAC/B,IAAI,IAAI,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAE,CAAC;IAQjE,kDAAkD;IAC5C,OAAO,CACX,WAAW,EAAE,aAAa,EAC1B,SAAS,EAAE,aAAa,EACxB,KAAK,EAAE,MAAM,EAAE,GACd,OAAO,CAAC;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC;IA4BhD,OAAO,CAAC,KAAK;CAad"}

package/dist/backends/index.js

@@ -0,0 +1,195 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.BackendRegistry = exports.OnePasswordBackend = exports.AWSSecretsManagerBackend = exports.VaultBackend = exports.LocalBackend = exports.EnvBackend = void 0;
+exports.createBackend = createBackend;
+const env_1 = require("./env");
+const local_1 = require("./local");
+const vault_1 = require("./vault");
+const aws_sm_1 = require("./aws-sm");
+const onepassword_1 = require("./onepassword");
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+var env_2 = require("./env");
+Object.defineProperty(exports, "EnvBackend", { enumerable: true, get: function () { return env_2.EnvBackend; } });
+var local_2 = require("./local");
+Object.defineProperty(exports, "LocalBackend", { enumerable: true, get: function () { return local_2.LocalBackend; } });
+var vault_2 = require("./vault");
+Object.defineProperty(exports, "VaultBackend", { enumerable: true, get: function () { return vault_2.VaultBackend; } });
+var aws_sm_2 = require("./aws-sm");
+Object.defineProperty(exports, "AWSSecretsManagerBackend", { enumerable: true, get: function () { return aws_sm_2.AWSSecretsManagerBackend; } });
+var onepassword_2 = require("./onepassword");
+Object.defineProperty(exports, "OnePasswordBackend", { enumerable: true, get: function () { return onepassword_2.OnePasswordBackend; } });
+const AUDIT_FILE = 'access-audit.jsonl';
+/** Create a backend instance from config */
+function createBackend(type, config) {
+    switch (type) {
+        case 'env': return new env_1.EnvBackend();
+        case 'local': return new local_1.LocalBackend(config);
+        case 'vault': return new vault_1.VaultBackend(config);
+        case 'aws-sm': return new aws_sm_1.AWSSecretsManagerBackend(config);
+        case '1password': return new onepassword_1.OnePasswordBackend(config);
+        default:
+            throw new Error(`Unknown backend type: ${type}`);
+    }
+}
+/**
+ * Backend registry — routes secret resolution to the right backend.
+ * Supports prefix-based routing and priority ordering.
+ */
+class BackendRegistry {
+    constructor(configs, auditDir) {
+        this.backends = [];
+        this.auditDir = auditDir;
+        if (configs && configs.length > 0) {
+            for (const cfg of configs) {
+                const backend = createBackend(cfg.type, cfg.config);
+                this.backends.push({
+                    backend,
+                    prefix: cfg.prefix ?? '',
+                    priority: cfg.priority ?? 100,
+                });
+            }
+        }
+        else {
+            // Default: env backend
+            this.backends.push({ backend: new env_1.EnvBackend(), prefix: '', priority: 100 });
+        }
+        // Sort by priority (lower = preferred)
+        this.backends.sort((a, b) => a.priority - b.priority);
+    }
+    /** Resolve a secret, trying backends in priority order */
+    async resolve(secretPath) {
+        const start = Date.now();
+        for (const entry of this.backends) {
+            // Check prefix match
+            if (entry.prefix && !secretPath.startsWith(entry.prefix))
+                continue;
+            // Strip prefix before resolving
+            const resolvedPath = entry.prefix
+                ? secretPath.slice(entry.prefix.length).replace(/^\//, '')
+                : secretPath;
+            try {
+                const result = await entry.backend.resolve(resolvedPath);
+                if (Object.keys(result).length > 0) {
+                    this.audit({
+                        timestamp: new Date().toISOString(),
+                        backend: entry.backend.name,
+                        path: secretPath,
+                        action: 'resolve',
+                        success: true,
+                        latencyMs: Date.now() - start,
+                    });
+                    return result;
+                }
+            }
+            catch {
+                // Try next backend
+            }
+        }
+        this.audit({
+            timestamp: new Date().toISOString(),
+            backend: 'none',
+            path: secretPath,
+            action: 'resolve',
+            success: false,
+            latencyMs: Date.now() - start,
+        });
+        return {};
+    }
+    /** Health check all backends */
+    async healthCheckAll() {
+        const results = [];
+        for (const entry of this.backends) {
+            const health = await entry.backend.healthCheck();
+            results.push({ name: entry.backend.name, health });
+            this.audit({
+                timestamp: new Date().toISOString(),
+                backend: entry.backend.name,
+                path: '',
+                action: 'healthCheck',
+                success: health.healthy,
+                latencyMs: health.latencyMs,
+            });
+        }
+        return results;
+    }
+    /** List configured backends */
+    list() {
+        return this.backends.map((e) => ({
+            name: e.backend.name,
+            prefix: e.prefix,
+            priority: e.priority,
+        }));
+    }
+    /** Migrate secrets from one backend to another */
+    async migrate(fromBackend, toBackend, paths) {
+        let migrated = 0;
+        let failed = 0;
+        for (const secretPath of paths) {
+            try {
+                const secrets = await fromBackend.resolve(secretPath);
+                if (Object.keys(secrets).length === 0) {
+                    failed++;
+                    continue;
+                }
+                // Store in target backend (if it supports store)
+                if ('store' in toBackend && typeof toBackend.store === 'function') {
+                    for (const [key, value] of Object.entries(secrets)) {
+                        await toBackend.store(key, value);
+                    }
+                }
+                migrated++;
+            }
+            catch {
+                failed++;
+            }
+        }
+        return { migrated, failed };
+    }
+    audit(entry) {
+        if (!this.auditDir)
+            return;
+        try {
+            fs.mkdirSync(this.auditDir, { recursive: true });
+            fs.appendFileSync(path.join(this.auditDir, AUDIT_FILE), JSON.stringify(entry) + '\n', 'utf-8');
+        }
+        catch {
+            // Audit logging is best-effort
+        }
+    }
+}
+exports.BackendRegistry = BackendRegistry;
+//# sourceMappingURL=index.js.map

package/dist/backends/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/backends/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAmBA,sCAUC;AA5BD,+BAAmC;AACnC,mCAAuC;AACvC,mCAAuC;AACvC,qCAAoD;AACpD,+CAAmD;AACnD,uCAAyB;AACzB,2CAA6B;AAG7B,6BAAmC;AAA1B,iGAAA,UAAU,OAAA;AACnB,iCAAuC;AAA9B,qGAAA,YAAY,OAAA;AACrB,iCAAuC;AAA9B,qGAAA,YAAY,OAAA;AACrB,mCAAoD;AAA3C,kHAAA,wBAAwB,OAAA;AACjC,6CAAmD;AAA1C,iHAAA,kBAAkB,OAAA;AAE3B,MAAM,UAAU,GAAG,oBAAoB,CAAC;AAExC,4CAA4C;AAC5C,SAAgB,aAAa,CAAC,IAAiB,EAAE,MAAgC;IAC/E,QAAQ,IAAI,EAAE,CAAC;QACb,KAAK,KAAK,CAAC,CAAC,OAAO,IAAI,gBAAU,EAAE,CAAC;QACpC,KAAK,OAAO,CAAC,CAAC,OAAO,IAAI,oBAAY,CAAC,MAAM,CAAC,CAAC;QAC9C,KAAK,OAAO,CAAC,CAAC,OAAO,IAAI,oBAAY,CAAC,MAAM,CAAC,CAAC;QAC9C,KAAK,QAAQ,CAAC,CAAC,OAAO,IAAI,iCAAwB,CAAC,MAAM,CAAC,CAAC;QAC3D,KAAK,WAAW,CAAC,CAAC,OAAO,IAAI,gCAAkB,CAAC,MAAM,CAAC,CAAC;QACxD;YACE,MAAM,IAAI,KAAK,CAAC,yBAAyB,IAAI,EAAE,CAAC,CAAC;IACrD,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAa,eAAe;IAI1B,YAAY,OAAyB,EAAE,QAAiB;QAHvC,aAAQ,GAAwE,EAAE,CAAC;QAIlG,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;QAEzB,IAAI,OAAO,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAClC,KAAK,MAAM,GAAG,IAAI,OAAO,EAAE,CAAC;gBAC1B,MAAM,OAAO,GAAG,aAAa,CAAC,GAAG,CAAC,IAAI,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;gBACpD,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;oBACjB,OAAO;oBACP,MAAM,EAAE,GAAG,CAAC,MAAM,IAAI,EAAE;oBACxB,QAAQ,EAAE,GAAG,CAAC,QAAQ,IAAI,GAAG;iBAC9B,CAAC,CAAC;YACL,CAAC;QACH,CAAC;aAAM,CAAC;YACN,uBAAuB;YACvB,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,IAAI,gBAAU,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,QAAQ,EAAE,GAAG,EAAE,CAAC,CAAC;QAC/E,CAAC;QAED,uCAAuC;QACvC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,GAAG,CAAC,CAAC,QAAQ,CAAC,CAAC;IACxD,CAAC;IAED,0DAA0D;IAC1D,KAAK,CAAC,OAAO,CAAC,UAAkB;QAC9B,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAEzB,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YAClC,qBAAqB;YACrB,IAAI,KAAK,CAAC,MAAM,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,KAAK,CAAC,MAAM,CAAC;gBAAE,SAAS;YAEnE,gCAAgC;YAChC,MAAM,YAAY,GAAG,KAAK,CAAC,MAAM;gBAC/B,CAAC,CAAC,UAAU,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC;gBAC1D,CAAC,CAAC,UAAU,CAAC;YAEf,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;gBACzD,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBACnC,IAAI,CAAC,KAAK,CAAC;wBACT,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;wBACnC,OAAO,EAAE,KAAK,CAAC,OAAO,CAAC,IAAI;wBAC3B,IAAI,EAAE,UAAU;wBAChB,MAAM,EAAE,SAAS;wBACjB,OAAO,EAAE,IAAI;wBACb,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK;qBAC9B,CAAC,CAAC;oBACH,OAAO,MAAM,CAAC;gBAChB,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,mBAAmB;YACrB,CAAC;QACH,CAAC;QAED,IAAI,CAAC,KAAK,CAAC;YACT,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,OAAO,EAAE,MAAM;YACf,IAAI,EAAE,UAAU;YAChB,MAAM,EAAE,SAAS;YACjB,OAAO,EAAE,KAAK;YACd,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK;SAC9B,CAAC,CAAC;QAEH,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,gCAAgC;IAChC,KAAK,CAAC,cAAc;QAClB,MAAM,OAAO,GAAmD,EAAE,CAAC;QAEnE,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YAClC,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC;YACjD,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC;YAEnD,IAAI,CAAC,KAAK,CAAC;gBACT,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;gBACnC,OAAO,EAAE,KAAK,CAAC,OAAO,CAAC,IAAI;gBAC3B,IAAI,EAAE,EAAE;gBACR,MAAM,EAAE,aAAa;gBACrB,OAAO,EAAE,MAAM,CAAC,OAAO;gBACvB,SAAS,EAAE,MAAM,CAAC,SAAS;aAC5B,CAAC,CAAC;QACL,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,+BAA+B;IAC/B,IAAI;QACF,OAAO,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YAC/B,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,IAAI;YACpB,MAAM,EAAE,CAAC,CAAC,MAAM;YAChB,QAAQ,EAAE,CAAC,CAAC,QAAQ;SACrB,CAAC,CAAC,CAAC;IACN,CAAC;IAED,kDAAkD;IAClD,KAAK,CAAC,OAAO,CACX,WAA0B,EAC1B,SAAwB,EACxB,KAAe;QAEf,IAAI,QAAQ,GAAG,CAAC,CAAC;QACjB,IAAI,MAAM,GAAG,CAAC,CAAC;QAEf,KAAK,MAAM,UAAU,IAAI,KAAK,EAAE,CAAC;YAC/B,IAAI,CAAC;gBACH,MAAM,OAAO,GAAG,MAAM,WAAW,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;gBACtD,IAAI,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;oBACtC,MAAM,EAAE,CAAC;oBACT,SAAS;gBACX,CAAC;gBAED,iDAAiD;gBACjD,IAAI,OAAO,IAAI,SAAS,IAAI,OAAQ,SAAiC,CAAC,KAAK,KAAK,UAAU,EAAE,CAAC;oBAC3F,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;wBACnD,MAAO,SAA0B,CAAC,KAAK,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;oBACtD,CAAC;gBACH,CAAC;gBAED,QAAQ,EAAE,CAAC;YACb,CAAC;YAAC,MAAM,CAAC;gBACP,MAAM,EAAE,CAAC;YACX,CAAC;QACH,CAAC;QAED,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC;IAC9B,CAAC;IAEO,KAAK,CAAC,KAAuB;QACnC,IAAI,CAAC,IAAI,CAAC,QAAQ;YAAE,OAAO;QAC3B,IAAI,CAAC;YACH,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;YACjD,EAAE,CAAC,cAAc,CACf,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,UAAU,CAAC,EACpC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,GAAG,IAAI,EAC5B,OAAO,CACR,CAAC;QACJ,CAAC;QAAC,MAAM,CAAC;YACP,+BAA+B;QACjC,CAAC;IACH,CAAC;CACF;AAhJD,0CAgJC"}