secretless-ai 0.8.2 → 0.9.0

package/dist/broker/aim-client.d.ts

@@ -0,0 +1,39 @@
+/**
+ * AIM integration client — verifies agent identity via AIM REST API.
+ *
+ * Checks agent capabilities, trust scores, and verification status against
+ * the AIM server. Results are cached for 60 seconds to reduce API calls.
+ * Fails gracefully if AIM is unavailable (returns undefined, not errors).
+ */
+import type { AgentIdentity } from './types';
+export declare class AimClient {
+    private readonly baseUrl;
+    private readonly cache;
+    private readonly cacheTtlMs;
+    constructor(baseUrl: string, options?: {
+        cacheTtlMs?: number;
+    });
+    /**
+     * Fetch agent identity from AIM.
+     * Returns cached result if available and not expired.
+     * Returns undefined if AIM is unreachable or the agent is not found.
+     */
+    getAgentIdentity(agentId: string): Promise<AgentIdentity | undefined>;
+    /**
+     * Check if the AIM server is reachable.
+     */
+    isAvailable(): Promise<boolean>;
+    /**
+     * Clear the identity cache.
+     */
+    clearCache(): void;
+    /**
+     * Evict a specific agent from the cache.
+     */
+    evict(agentId: string): void;
+    /** Get the number of cached entries (for testing/status). */
+    get cacheSize(): number;
+    /** Simple HTTP GET returning parsed JSON body, or undefined on error. */
+    private httpGet;
+}
+//# sourceMappingURL=aim-client.d.ts.map

package/dist/broker/aim-client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"aim-client.d.ts","sourceRoot":"","sources":["../../src/broker/aim-client.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAc7C,qBAAa,SAAS;IACpB,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;IACjC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAsC;IAC5D,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAS;gBAExB,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE;QAAE,UAAU,CAAC,EAAE,MAAM,CAAA;KAAE;IAM9D;;;;OAIG;IACG,gBAAgB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,GAAG,SAAS,CAAC;IAkC3E;;OAEG;IACG,WAAW,IAAI,OAAO,CAAC,OAAO,CAAC;IAUrC;;OAEG;IACH,UAAU,IAAI,IAAI;IAIlB;;OAEG;IACH,KAAK,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI;IAI5B,6DAA6D;IAC7D,IAAI,SAAS,IAAI,MAAM,CAEtB;IAED,yEAAyE;IACzE,OAAO,CAAC,OAAO;CA+BhB"}

package/dist/broker/aim-client.js

@@ -0,0 +1,165 @@
+"use strict";
+/**
+ * AIM integration client — verifies agent identity via AIM REST API.
+ *
+ * Checks agent capabilities, trust scores, and verification status against
+ * the AIM server. Results are cached for 60 seconds to reduce API calls.
+ * Fails gracefully if AIM is unavailable (returns undefined, not errors).
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AimClient = void 0;
+const http = __importStar(require("http"));
+const https = __importStar(require("https"));
+/** Default cache TTL in milliseconds (60 seconds). */
+const DEFAULT_CACHE_TTL_MS = 60000;
+/** Request timeout in milliseconds. */
+const REQUEST_TIMEOUT_MS = 5000;
+class AimClient {
+    constructor(baseUrl, options) {
+        this.cache = new Map();
+        // Remove trailing slash
+        this.baseUrl = baseUrl.replace(/\/+$/, '');
+        this.cacheTtlMs = options?.cacheTtlMs ?? DEFAULT_CACHE_TTL_MS;
+    }
+    /**
+     * Fetch agent identity from AIM.
+     * Returns cached result if available and not expired.
+     * Returns undefined if AIM is unreachable or the agent is not found.
+     */
+    async getAgentIdentity(agentId) {
+        // Check cache first
+        const cached = this.cache.get(agentId);
+        if (cached && cached.expiresAt > Date.now()) {
+            return cached.identity;
+        }
+        // Evict expired entry
+        if (cached) {
+            this.cache.delete(agentId);
+        }
+        try {
+            const url = `${this.baseUrl}/api/v1/agents/${encodeURIComponent(agentId)}`;
+            const response = await this.httpGet(url);
+            if (!response)
+                return undefined;
+            const identity = parseAgentResponse(response);
+            if (!identity)
+                return undefined;
+            // Cache the result
+            this.cache.set(agentId, {
+                identity,
+                expiresAt: Date.now() + this.cacheTtlMs,
+            });
+            return identity;
+        }
+        catch {
+            // AIM unavailable — fail gracefully
+            return undefined;
+        }
+    }
+    /**
+     * Check if the AIM server is reachable.
+     */
+    async isAvailable() {
+        try {
+            const url = `${this.baseUrl}/health`;
+            const response = await this.httpGet(url);
+            return response !== undefined;
+        }
+        catch {
+            return false;
+        }
+    }
+    /**
+     * Clear the identity cache.
+     */
+    clearCache() {
+        this.cache.clear();
+    }
+    /**
+     * Evict a specific agent from the cache.
+     */
+    evict(agentId) {
+        this.cache.delete(agentId);
+    }
+    /** Get the number of cached entries (for testing/status). */
+    get cacheSize() {
+        return this.cache.size;
+    }
+    /** Simple HTTP GET returning parsed JSON body, or undefined on error. */
+    httpGet(url) {
+        return new Promise((resolve) => {
+            const parsedUrl = new URL(url);
+            const transport = parsedUrl.protocol === 'https:' ? https : http;
+            const req = transport.get(url, { timeout: REQUEST_TIMEOUT_MS }, (res) => {
+                if (!res.statusCode || res.statusCode < 200 || res.statusCode >= 300) {
+                    res.resume(); // Drain response
+                    resolve(undefined);
+                    return;
+                }
+                const chunks = [];
+                res.on('data', (chunk) => chunks.push(chunk));
+                res.on('end', () => {
+                    try {
+                        const body = Buffer.concat(chunks).toString('utf-8');
+                        resolve(JSON.parse(body));
+                    }
+                    catch {
+                        resolve(undefined);
+                    }
+                });
+            });
+            req.on('error', () => resolve(undefined));
+            req.on('timeout', () => {
+                req.destroy();
+                resolve(undefined);
+            });
+        });
+    }
+}
+exports.AimClient = AimClient;
+/** Parse an AIM API agent response into an AgentIdentity. */
+function parseAgentResponse(data) {
+    const agentId = typeof data.agentId === 'string' ? data.agentId : undefined;
+    if (!agentId)
+        return undefined;
+    const trustScore = typeof data.trustScore === 'number' ? data.trustScore : 0;
+    const capabilities = Array.isArray(data.capabilities)
+        ? data.capabilities.filter((c) => typeof c === 'string')
+        : [];
+    const verified = typeof data.verified === 'boolean' ? data.verified : false;
+    return { agentId, trustScore, capabilities, verified };
+}
+//# sourceMappingURL=aim-client.js.map

package/dist/broker/aim-client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"aim-client.js","sourceRoot":"","sources":["../../src/broker/aim-client.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAEH,2CAA6B;AAC7B,6CAA+B;AAS/B,sDAAsD;AACtD,MAAM,oBAAoB,GAAG,KAAM,CAAC;AAEpC,uCAAuC;AACvC,MAAM,kBAAkB,GAAG,IAAK,CAAC;AAEjC,MAAa,SAAS;IAKpB,YAAY,OAAe,EAAE,OAAiC;QAH7C,UAAK,GAA4B,IAAI,GAAG,EAAE,CAAC;QAI1D,wBAAwB;QACxB,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;QAC3C,IAAI,CAAC,UAAU,GAAG,OAAO,EAAE,UAAU,IAAI,oBAAoB,CAAC;IAChE,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,gBAAgB,CAAC,OAAe;QACpC,oBAAoB;QACpB,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QACvC,IAAI,MAAM,IAAI,MAAM,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;YAC5C,OAAO,MAAM,CAAC,QAAQ,CAAC;QACzB,CAAC;QAED,sBAAsB;QACtB,IAAI,MAAM,EAAE,CAAC;YACX,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QAC7B,CAAC;QAED,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,OAAO,kBAAkB,kBAAkB,CAAC,OAAO,CAAC,EAAE,CAAC;YAC3E,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;YAEzC,IAAI,CAAC,QAAQ;gBAAE,OAAO,SAAS,CAAC;YAEhC,MAAM,QAAQ,GAAG,kBAAkB,CAAC,QAAQ,CAAC,CAAC;YAC9C,IAAI,CAAC,QAAQ;gBAAE,OAAO,SAAS,CAAC;YAEhC,mBAAmB;YACnB,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,OAAO,EAAE;gBACtB,QAAQ;gBACR,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,UAAU;aACxC,CAAC,CAAC;YAEH,OAAO,QAAQ,CAAC;QAClB,CAAC;QAAC,MAAM,CAAC;YACP,oCAAoC;YACpC,OAAO,SAAS,CAAC;QACnB,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,WAAW;QACf,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,OAAO,SAAS,CAAC;YACrC,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;YACzC,OAAO,QAAQ,KAAK,SAAS,CAAC;QAChC,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED;;OAEG;IACH,UAAU;QACR,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;IACrB,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,OAAe;QACnB,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAC7B,CAAC;IAED,6DAA6D;IAC7D,IAAI,SAAS;QACX,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC;IACzB,CAAC;IAED,yEAAyE;IACjE,OAAO,CAAC,GAAW;QACzB,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;YAC7B,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;YAC/B,MAAM,SAAS,GAAG,SAAS,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC;YAEjE,MAAM,GAAG,GAAG,SAAS,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,OAAO,EAAE,kBAAkB,EAAE,EAAE,CAAC,GAAG,EAAE,EAAE;gBACtE,IAAI,CAAC,GAAG,CAAC,UAAU,IAAI,GAAG,CAAC,UAAU,GAAG,GAAG,IAAI,GAAG,CAAC,UAAU,IAAI,GAAG,EAAE,CAAC;oBACrE,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC,iBAAiB;oBAC/B,OAAO,CAAC,SAAS,CAAC,CAAC;oBACnB,OAAO;gBACT,CAAC;gBAED,MAAM,MAAM,GAAa,EAAE,CAAC;gBAC5B,GAAG,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;gBACtD,GAAG,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE;oBACjB,IAAI,CAAC;wBACH,MAAM,IAAI,GAAG,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;wBACrD,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC;oBAC5B,CAAC;oBAAC,MAAM,CAAC;wBACP,OAAO,CAAC,SAAS,CAAC,CAAC;oBACrB,CAAC;gBACH,CAAC,CAAC,CAAC;YACL,CAAC,CAAC,CAAC;YAEH,GAAG,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC;YAC1C,GAAG,CAAC,EAAE,CAAC,SAAS,EAAE,GAAG,EAAE;gBACrB,GAAG,CAAC,OAAO,EAAE,CAAC;gBACd,OAAO,CAAC,SAAS,CAAC,CAAC;YACrB,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC;CACF;AAlHD,8BAkHC;AAED,6DAA6D;AAC7D,SAAS,kBAAkB,CAAC,IAA6B;IACvD,MAAM,OAAO,GAAG,OAAO,IAAI,CAAC,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC;IAC5E,IAAI,CAAC,OAAO;QAAE,OAAO,SAAS,CAAC;IAE/B,MAAM,UAAU,GAAG,OAAO,IAAI,CAAC,UAAU,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC;IAC7E,MAAM,YAAY,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,YAAY,CAAC;QACnD,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC;QACrE,CAAC,CAAC,EAAE,CAAC;IACP,MAAM,QAAQ,GAAG,OAAO,IAAI,CAAC,QAAQ,KAAK,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC;IAE5E,OAAO,EAAE,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,QAAQ,EAAE,CAAC;AACzD,CAAC"}

package/dist/broker/audit.d.ts

@@ -0,0 +1,35 @@
+/**
+ * Audit logger — append-only JSONL audit trail for broker operations.
+ *
+ * Writes structured audit entries to ~/.secretless-ai/broker-audit.log in
+ * JSON Lines format. Supports automatic log rotation at 50MB with 5 retained
+ * files. NEVER logs credential values.
+ */
+import type { AuditEntry } from './types';
+export declare class AuditLogger {
+    private readonly logPath;
+    private fd;
+    constructor(logPath?: string);
+    /**
+     * Write an audit entry to the log file.
+     * Creates the log directory and file if they do not exist.
+     */
+    log(entry: AuditEntry): void;
+    /**
+     * Create an audit entry from individual fields.
+     * Convenience method that populates the timestamp automatically.
+     */
+    logEvent(eventType: string, agentId: string, credentialName: string, policyId: string, result: 'allowed' | 'denied', reason: string, latencyMs: number): void;
+    /**
+     * Read recent audit entries (last N lines).
+     * Returns entries in chronological order (oldest first).
+     */
+    readRecent(count: number): AuditEntry[];
+    /**
+     * Close the audit logger and release file handles.
+     */
+    close(): void;
+    /** Rotate log file if it exceeds the size limit. */
+    private rotateIfNeeded;
+}
+//# sourceMappingURL=audit.d.ts.map

package/dist/broker/audit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit.d.ts","sourceRoot":"","sources":["../../src/broker/audit.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAKH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAU1C,qBAAa,WAAW;IACtB,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;IACjC,OAAO,CAAC,EAAE,CAAuB;gBAErB,OAAO,CAAC,EAAE,MAAM;IAI5B;;;OAGG;IACH,GAAG,CAAC,KAAK,EAAE,UAAU,GAAG,IAAI;IAa5B;;;OAGG;IACH,QAAQ,CACN,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,MAAM,EACf,cAAc,EAAE,MAAM,EACtB,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,SAAS,GAAG,QAAQ,EAC5B,MAAM,EAAE,MAAM,EACd,SAAS,EAAE,MAAM,GAChB,IAAI;IAaP;;;OAGG;IACH,UAAU,CAAC,KAAK,EAAE,MAAM,GAAG,UAAU,EAAE;IAoBvC;;OAEG;IACH,KAAK,IAAI,IAAI;IAWb,oDAAoD;IACpD,OAAO,CAAC,cAAc;CAmCvB"}

package/dist/broker/audit.js

@@ -0,0 +1,166 @@
+"use strict";
+/**
+ * Audit logger — append-only JSONL audit trail for broker operations.
+ *
+ * Writes structured audit entries to ~/.secretless-ai/broker-audit.log in
+ * JSON Lines format. Supports automatic log rotation at 50MB with 5 retained
+ * files. NEVER logs credential values.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuditLogger = void 0;
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const os = __importStar(require("os"));
+const DEFAULT_AUDIT_LOG = path.join(os.homedir(), '.secretless-ai', 'broker-audit.log');
+/** Maximum log file size before rotation (50 MB). */
+const MAX_FILE_SIZE = 50 * 1024 * 1024;
+/** Number of rotated log files to retain. */
+const MAX_RETAINED = 5;
+class AuditLogger {
+    constructor(logPath) {
+        this.fd = null;
+        this.logPath = logPath ?? DEFAULT_AUDIT_LOG;
+    }
+    /**
+     * Write an audit entry to the log file.
+     * Creates the log directory and file if they do not exist.
+     */
+    log(entry) {
+        const dir = path.dirname(this.logPath);
+        fs.mkdirSync(dir, { recursive: true, mode: 0o700 });
+        // Check rotation before writing
+        this.rotateIfNeeded();
+        const line = JSON.stringify(entry) + '\n';
+        // Append-only write with restrictive permissions
+        fs.appendFileSync(this.logPath, line, { mode: 0o600 });
+    }
+    /**
+     * Create an audit entry from individual fields.
+     * Convenience method that populates the timestamp automatically.
+     */
+    logEvent(eventType, agentId, credentialName, policyId, result, reason, latencyMs) {
+        this.log({
+            timestamp: new Date().toISOString(),
+            eventType,
+            agentId,
+            credentialName,
+            policyId,
+            result,
+            reason,
+            latencyMs,
+        });
+    }
+    /**
+     * Read recent audit entries (last N lines).
+     * Returns entries in chronological order (oldest first).
+     */
+    readRecent(count) {
+        if (!fs.existsSync(this.logPath))
+            return [];
+        try {
+            const content = fs.readFileSync(this.logPath, 'utf-8');
+            const lines = content.trim().split('\n').filter(l => l.length > 0);
+            const recent = lines.slice(-count);
+            return recent.map(line => {
+                try {
+                    return JSON.parse(line);
+                }
+                catch {
+                    return null;
+                }
+            }).filter((e) => e !== null);
+        }
+        catch {
+            return [];
+        }
+    }
+    /**
+     * Close the audit logger and release file handles.
+     */
+    close() {
+        if (this.fd !== null) {
+            try {
+                fs.closeSync(this.fd);
+            }
+            catch {
+                // Ignore close errors
+            }
+            this.fd = null;
+        }
+    }
+    /** Rotate log file if it exceeds the size limit. */
+    rotateIfNeeded() {
+        if (!fs.existsSync(this.logPath))
+            return;
+        try {
+            const stat = fs.statSync(this.logPath);
+            if (stat.size < MAX_FILE_SIZE)
+                return;
+        }
+        catch {
+            return;
+        }
+        // Rotate: .4 -> .5 (deleted), .3 -> .4, .2 -> .3, .1 -> .2, current -> .1
+        for (let i = MAX_RETAINED; i >= 1; i--) {
+            const older = `${this.logPath}.${i}`;
+            const newer = i === 1 ? this.logPath : `${this.logPath}.${i - 1}`;
+            if (i === MAX_RETAINED) {
+                // Delete the oldest
+                try {
+                    fs.unlinkSync(older);
+                }
+                catch { /* ignore */ }
+            }
+            if (fs.existsSync(newer)) {
+                try {
+                    fs.renameSync(newer, older);
+                }
+                catch {
+                    // If rename fails (cross-device), copy and truncate
+                    try {
+                        fs.copyFileSync(newer, older);
+                        fs.writeFileSync(newer, '', { mode: 0o600 });
+                    }
+                    catch {
+                        // Give up on this rotation step
+                    }
+                }
+            }
+        }
+    }
+}
+exports.AuditLogger = AuditLogger;
+//# sourceMappingURL=audit.js.map

package/dist/broker/audit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit.js","sourceRoot":"","sources":["../../src/broker/audit.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAEH,uCAAyB;AACzB,2CAA6B;AAC7B,uCAAyB;AAGzB,MAAM,iBAAiB,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,gBAAgB,EAAE,kBAAkB,CAAC,CAAC;AAExF,qDAAqD;AACrD,MAAM,aAAa,GAAG,EAAE,GAAG,IAAI,GAAG,IAAI,CAAC;AAEvC,6CAA6C;AAC7C,MAAM,YAAY,GAAG,CAAC,CAAC;AAEvB,MAAa,WAAW;IAItB,YAAY,OAAgB;QAFpB,OAAE,GAAkB,IAAI,CAAC;QAG/B,IAAI,CAAC,OAAO,GAAG,OAAO,IAAI,iBAAiB,CAAC;IAC9C,CAAC;IAED;;;OAGG;IACH,GAAG,CAAC,KAAiB;QACnB,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACvC,EAAE,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QAEpD,gCAAgC;QAChC,IAAI,CAAC,cAAc,EAAE,CAAC;QAEtB,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,GAAG,IAAI,CAAC;QAE1C,iDAAiD;QACjD,EAAE,CAAC,cAAc,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IACzD,CAAC;IAED;;;OAGG;IACH,QAAQ,CACN,SAAiB,EACjB,OAAe,EACf,cAAsB,EACtB,QAAgB,EAChB,MAA4B,EAC5B,MAAc,EACd,SAAiB;QAEjB,IAAI,CAAC,GAAG,CAAC;YACP,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,SAAS;YACT,OAAO;YACP,cAAc;YACd,QAAQ;YACR,MAAM;YACN,MAAM;YACN,SAAS;SACV,CAAC,CAAC;IACL,CAAC;IAED;;;OAGG;IACH,UAAU,CAAC,KAAa;QACtB,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC;YAAE,OAAO,EAAE,CAAC;QAE5C,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;YACvD,MAAM,KAAK,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;YACnE,MAAM,MAAM,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC;YAEnC,OAAO,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE;gBACvB,IAAI,CAAC;oBACH,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAe,CAAC;gBACxC,CAAC;gBAAC,MAAM,CAAC;oBACP,OAAO,IAAI,CAAC;gBACd,CAAC;YACH,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAmB,EAAE,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC;QAChD,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK;QACH,IAAI,IAAI,CAAC,EAAE,KAAK,IAAI,EAAE,CAAC;YACrB,IAAI,CAAC;gBACH,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACxB,CAAC;YAAC,MAAM,CAAC;gBACP,sBAAsB;YACxB,CAAC;YACD,IAAI,CAAC,EAAE,GAAG,IAAI,CAAC;QACjB,CAAC;IACH,CAAC;IAED,oDAAoD;IAC5C,cAAc;QACpB,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC;YAAE,OAAO;QAEzC,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YACvC,IAAI,IAAI,CAAC,IAAI,GAAG,aAAa;gBAAE,OAAO;QACxC,CAAC;QAAC,MAAM,CAAC;YACP,OAAO;QACT,CAAC;QAED,0EAA0E;QAC1E,KAAK,IAAI,CAAC,GAAG,YAAY,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;YACvC,MAAM,KAAK,GAAG,GAAG,IAAI,CAAC,OAAO,IAAI,CAAC,EAAE,CAAC;YACrC,MAAM,KAAK,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,OAAO,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;YAElE,IAAI,CAAC,KAAK,YAAY,EAAE,CAAC;gBACvB,oBAAoB;gBACpB,IAAI,CAAC;oBAAC,EAAE,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;gBAAC,CAAC;gBAAC,MAAM,CAAC,CAAC,YAAY,CAAC,CAAC;YACtD,CAAC;YAED,IAAI,EAAE,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;gBACzB,IAAI,CAAC;oBACH,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;gBAC9B,CAAC;gBAAC,MAAM,CAAC;oBACP,oDAAoD;oBACpD,IAAI,CAAC;wBACH,EAAE,CAAC,YAAY,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;wBAC9B,EAAE,CAAC,aAAa,CAAC,KAAK,EAAE,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;oBAC/C,CAAC;oBAAC,MAAM,CAAC;wBACP,gCAAgC;oBAClC,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;CACF;AA5HD,kCA4HC"}

package/dist/broker/daemon.d.ts

@@ -0,0 +1,48 @@
+/**
+ * Broker daemon lifecycle — start, stop, status, and signal handling.
+ *
+ * Manages the broker process as a foreground daemon with PID file tracking.
+ * Handles graceful shutdown on SIGTERM/SIGINT and cleans up resources.
+ */
+import type { BrokerStatus } from './types';
+import { BrokerServer } from './server';
+declare const DEFAULT_PID_FILE: string;
+declare const DEFAULT_SOCKET_PATH: string;
+declare const DEFAULT_HTTP_PORT = 19421;
+declare const DEFAULT_POLICY_FILE: string;
+declare const DEFAULT_AUDIT_LOG: string;
+export interface DaemonOptions {
+    /** Override socket path. */
+    socketPath?: string;
+    /** Override HTTP port. */
+    httpPort?: number;
+    /** AIM server URL. */
+    aimUrl?: string;
+    /** Policy file path. */
+    policyFile?: string;
+    /** Audit log path. */
+    auditLog?: string;
+    /** PID file path. */
+    pidFile?: string;
+}
+/**
+ * Start the broker daemon in the foreground.
+ * Writes a PID file and installs signal handlers for graceful shutdown.
+ */
+export declare function startDaemon(options?: DaemonOptions): Promise<BrokerServer>;
+/**
+ * Stop a running broker daemon by sending SIGTERM.
+ * Returns true if the daemon was stopped, false if it was not running.
+ */
+export declare function stopDaemon(pidFile?: string): boolean;
+/**
+ * Get the status of the broker daemon.
+ * Returns null if the daemon is not running.
+ */
+export declare function getDaemonStatus(pidFile?: string): BrokerStatus | null;
+/**
+ * Check if a broker daemon is currently running.
+ */
+export declare function isDaemonRunning(pidFile?: string): boolean;
+export { DEFAULT_PID_FILE, DEFAULT_SOCKET_PATH, DEFAULT_HTTP_PORT, DEFAULT_POLICY_FILE, DEFAULT_AUDIT_LOG, };
+//# sourceMappingURL=daemon.d.ts.map

package/dist/broker/daemon.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"daemon.d.ts","sourceRoot":"","sources":["../../src/broker/daemon.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAKH,OAAO,KAAK,EAAgB,YAAY,EAAE,MAAM,SAAS,CAAC;AAC1D,OAAO,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AAGxC,QAAA,MAAM,gBAAgB,QAA0C,CAAC;AACjE,QAAA,MAAM,mBAAmB,QAA2C,CAAC;AACrE,QAAA,MAAM,iBAAiB,QAAQ,CAAC;AAChC,QAAA,MAAM,mBAAmB,QAAoD,CAAC;AAC9E,QAAA,MAAM,iBAAiB,QAAgD,CAAC;AAExE,MAAM,WAAW,aAAa;IAC5B,4BAA4B;IAC5B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,0BAA0B;IAC1B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,sBAAsB;IACtB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,wBAAwB;IACxB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,sBAAsB;IACtB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,qBAAqB;IACrB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED;;;GAGG;AACH,wBAAsB,WAAW,CAAC,OAAO,CAAC,EAAE,aAAa,GAAG,OAAO,CAAC,YAAY,CAAC,CAmEhF;AAED;;;GAGG;AACH,wBAAgB,UAAU,CAAC,OAAO,CAAC,EAAE,MAAM,GAAG,OAAO,CAgBpD;AAED;;;GAGG;AACH,wBAAgB,eAAe,CAAC,OAAO,CAAC,EAAE,MAAM,GAAG,YAAY,GAAG,IAAI,CA+BrE;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,CAAC,EAAE,MAAM,GAAG,OAAO,CAWzD;AAoCD,OAAO,EACL,gBAAgB,EAChB,mBAAmB,EACnB,iBAAiB,EACjB,mBAAmB,EACnB,iBAAiB,GAClB,CAAC"}