siclaw 0.1.0 → 0.1.2

package/dist/tools/command-validator.js

@@ -0,0 +1,357 @@
+/**
+ * Unified command validation: shell parsing, context-based whitelist, and restrictions.
+ *
+ * Centralises logic previously duplicated across restricted-bash.ts and node-exec.ts.
+ */
+import { ALLOWED_COMMANDS, COMMAND_CATEGORIES, CONTEXT_CATEGORIES, getCommandBinary, validateCommandRestrictions, } from "./command-sets.js";
+// ── extractCommands (moved from restricted-bash.ts) ──────────────────
+/**
+ * Extract individual commands from a shell pipeline.
+ * Splits on |, &&, ;, || while respecting quotes and subshells.
+ */
+export function extractCommands(input) {
+    const commands = [];
+    let current = "";
+    let inQuote = null;
+    let parenDepth = 0;
+    for (let i = 0; i < input.length; i++) {
+        const ch = input[i];
+        if (inQuote) {
+            current += ch;
+            if (ch === inQuote) {
+                // Count consecutive preceding backslashes — char is escaped only if count is odd
+                let backslashes = 0;
+                for (let j = i - 1; j >= 0 && input[j] === "\\"; j--)
+                    backslashes++;
+                if (backslashes % 2 === 0) {
+                    inQuote = null;
+                }
+            }
+            continue;
+        }
+        if (ch === '"' || ch === "'" || ch === "`") {
+            inQuote = ch;
+            current += ch;
+            continue;
+        }
+        if (ch === "(") {
+            parenDepth++;
+            current += ch;
+            continue;
+        }
+        if (ch === ")") {
+            parenDepth--;
+            current += ch;
+            continue;
+        }
+        // Only split at top-level (not inside subshells)
+        if (parenDepth === 0) {
+            // Check for ||, &&
+            if ((ch === "&" && input[i + 1] === "&") ||
+                (ch === "|" && input[i + 1] === "|")) {
+                if (current.trim())
+                    commands.push(current.trim());
+                current = "";
+                i++; // skip next char
+                continue;
+            }
+            // Check for single & (background), | and ;
+            // But skip & when preceded by > (fd redirection like >&2, 2>&1)
+            if (ch === "&" && current.length > 0 && current[current.length - 1] === ">") {
+                current += ch;
+                continue;
+            }
+            if (ch === "&" || ch === "|" || ch === ";") {
+                if (current.trim())
+                    commands.push(current.trim());
+                current = "";
+                continue;
+            }
+        }
+        current += ch;
+    }
+    if (current.trim())
+        commands.push(current.trim());
+    return commands;
+}
+/**
+ * Extract individual commands from a shell pipeline, tracking whether each
+ * command follows a pipe (|) operator vs other separators (&&, ||, ;, &).
+ * Used by validateCommand to pass pipe position to COMMAND_RULES (pipeOnly).
+ */
+export function extractPipeline(input) {
+    const segments = [];
+    let current = "";
+    let inQuote = null;
+    let parenDepth = 0;
+    let nextIsPiped = false;
+    for (let i = 0; i < input.length; i++) {
+        const ch = input[i];
+        if (inQuote) {
+            current += ch;
+            if (ch === inQuote) {
+                // Count consecutive preceding backslashes — char is escaped only if count is odd
+                let backslashes = 0;
+                for (let j = i - 1; j >= 0 && input[j] === "\\"; j--)
+                    backslashes++;
+                if (backslashes % 2 === 0) {
+                    inQuote = null;
+                }
+            }
+            continue;
+        }
+        if (ch === '"' || ch === "'" || ch === "`") {
+            inQuote = ch;
+            current += ch;
+            continue;
+        }
+        if (ch === "(") {
+            parenDepth++;
+            current += ch;
+            continue;
+        }
+        if (ch === ")") {
+            parenDepth--;
+            current += ch;
+            continue;
+        }
+        if (parenDepth === 0) {
+            // Check for || and &&
+            if ((ch === "&" && input[i + 1] === "&") ||
+                (ch === "|" && input[i + 1] === "|")) {
+                if (current.trim())
+                    segments.push({ command: current.trim(), piped: nextIsPiped });
+                current = "";
+                nextIsPiped = false; // || and && are not pipes
+                i++; // skip next char
+                continue;
+            }
+            // Skip & when preceded by > (fd redirection like >&2, 2>&1)
+            if (ch === "&" && current.length > 0 && current[current.length - 1] === ">") {
+                current += ch;
+                continue;
+            }
+            // Single | — next command receives piped input
+            if (ch === "|") {
+                if (current.trim())
+                    segments.push({ command: current.trim(), piped: nextIsPiped });
+                current = "";
+                nextIsPiped = true;
+                continue;
+            }
+            // & or ; — not pipes
+            if (ch === "&" || ch === ";") {
+                if (current.trim())
+                    segments.push({ command: current.trim(), piped: nextIsPiped });
+                current = "";
+                nextIsPiped = false;
+                continue;
+            }
+        }
+        current += ch;
+    }
+    if (current.trim())
+        segments.push({ command: current.trim(), piped: nextIsPiped });
+    return segments;
+}
+// ── validateShellOperators (moved from restricted-bash.ts) ───────────
+/**
+ * Validate that a command does not use dangerous shell operators.
+ * Scans character-by-character respecting quotes.
+ * Blocks: > >> (output redirection, except >&N fd duplication and >/dev/null),
+ *         $() and backticks (command substitution), <() >() (process substitution).
+ * Returns an error message if blocked, or null if safe.
+ */
+export function validateShellOperators(command) {
+    let inQuote = null;
+    for (let i = 0; i < command.length; i++) {
+        const ch = command[i];
+        // Block newline/carriage-return characters — bash interprets them as command
+        // separators, but extractCommands() does not split on them, so they can be
+        // used to smuggle commands past whitelist validation.
+        if (ch === "\n" || ch === "\r") {
+            return JSON.stringify({
+                error: "Newline characters are not allowed in commands.",
+            }, null, 2);
+        }
+        // Block backtick command substitution everywhere (including inside quotes)
+        if (ch === "`") {
+            return JSON.stringify({
+                error: "Backtick command substitution is not allowed.",
+            }, null, 2);
+        }
+        // Block $() command substitution everywhere (including inside quotes)
+        if (ch === "$" && command[i + 1] === "(") {
+            return JSON.stringify({
+                error: "$() command substitution is not allowed.",
+            }, null, 2);
+        }
+        // Track quote state for redirection checks only
+        if (inQuote) {
+            if (ch === inQuote && command[i - 1] !== "\\") {
+                inQuote = null;
+            }
+            continue;
+        }
+        if (ch === "'" || ch === '"') {
+            inQuote = ch;
+            continue;
+        }
+        // Block <() process substitution
+        if (ch === "<" && command[i + 1] === "(") {
+            return JSON.stringify({
+                error: "<() process substitution is not allowed.",
+            }, null, 2);
+        }
+        // Block bare < input redirection (but not <( which is already handled above)
+        if (ch === "<" && command[i + 1] !== "(") {
+            return JSON.stringify({
+                error: "Input redirection (<) is not allowed.",
+            }, null, 2);
+        }
+        // Check output redirection: > and >>
+        if (ch === ">") {
+            // Allow >() process substitution — already blocked above when preceded by nothing,
+            // but >( after a word is process substitution too
+            if (command[i + 1] === "(") {
+                return JSON.stringify({
+                    error: ">() process substitution is not allowed.",
+                }, null, 2);
+            }
+            // Allow fd duplication: >&N (e.g. 2>&1, >&2)
+            if (command[i + 1] === "&")
+                continue;
+            // Determine the redirect target (skip optional second > for >>)
+            let j = i + 1;
+            if (command[j] === ">")
+                j++; // >>
+            // Skip whitespace
+            while (j < command.length && command[j] === " ")
+                j++;
+            // Allow redirect to /dev/null
+            const target = command.substring(j);
+            if (/^\/dev\/null\b/.test(target))
+                continue;
+            return JSON.stringify({
+                error: "Output redirection (> or >>) to files is not allowed.",
+            }, null, 2);
+        }
+    }
+    return null;
+}
+// ── Context-based command whitelist ──────────────────────────────────
+const contextCommandsCache = new Map();
+/**
+ * Get the set of commands allowed for a given execution context.
+ * Results are cached for performance.
+ */
+export function getContextCommands(context) {
+    const cached = contextCommandsCache.get(context);
+    if (cached)
+        return cached;
+    const categories = CONTEXT_CATEGORIES[context];
+    if (!categories)
+        return ALLOWED_COMMANDS; // fallback
+    const categorySet = new Set(categories);
+    const cmds = new Set();
+    for (const [cmd, cat] of Object.entries(COMMAND_CATEGORIES)) {
+        if (categorySet.has(cat))
+            cmds.add(cmd);
+    }
+    contextCommandsCache.set(context, cmds);
+    return cmds;
+}
+// ── Sensitive path patterns (secondary defense) ──────────────────────
+const FILE_READING_CMDS = new Set([
+    "cat", "head", "tail", "less", "more",
+    "grep", "egrep", "fgrep", "awk", "gawk",
+    "cut", "sort", "wc", "uniq", "column",
+    "jq", "yq", "strings", "diff",
+]);
+// ── Unified validation entry point ──────────────────────────────────
+/**
+ * Validate a command string against context-based whitelist and restrictions.
+ * Pipeline:
+ *   1. validateShellOperators()
+ *   2. extractPipeline() (with pipe position tracking)
+ *   3. Per-command: context whitelist + extraAllowed + isAllowed
+ *   4. pipelineValidators (e.g. validateKubectlInPipeline)
+ *   5. validateCommandRestrictions() — includes pipeOnly, noFilePaths,
+ *      blockedFlags via COMMAND_RULES (context + pipe-position-aware)
+ *   6. sensitivePathPatterns check
+ *
+ * Returns an error message string if blocked, or null if allowed.
+ */
+export function validateCommand(command, options) {
+    if (!command || !command.trim()) {
+        return "Command must not be empty.";
+    }
+    // 1. Shell operator validation
+    const shellOpErr = validateShellOperators(command);
+    if (shellOpErr)
+        return shellOpErr;
+    // 2. Split pipeline (with pipe position tracking)
+    const pipeline = extractPipeline(command);
+    const commands = pipeline.map(s => s.command);
+    if (commands.length === 0) {
+        return "Command must not be empty.";
+    }
+    // 3. Per-command whitelist check
+    const context = options?.context ?? "node";
+    const contextCmds = getContextCommands(context);
+    const violations = [];
+    for (const cmd of commands) {
+        const binary = getCommandBinary(cmd);
+        if (!binary)
+            continue;
+        // Check extraAllowed first (e.g., kubectl for local)
+        if (options?.extraAllowed?.has(binary))
+            continue;
+        // Check context whitelist
+        if (contextCmds.has(binary))
+            continue;
+        // Check custom isAllowed (e.g., skill scripts)
+        if (options?.isAllowed?.(cmd))
+            continue;
+        violations.push(binary);
+    }
+    if (violations.length > 0) {
+        return JSON.stringify({
+            error: `Blocked: disallowed command(s) — "${[...new Set(violations)].join(", ")}" is not in the allowed command list`,
+            allowed: [...contextCmds, ...(options?.extraAllowed ?? [])].sort(),
+        }, null, 2);
+    }
+    // 4. Pipeline validators (e.g., kubectl subcommand checks)
+    if (options?.pipelineValidators) {
+        for (const validator of options.pipelineValidators) {
+            const err = validator(commands);
+            if (err)
+                return err;
+        }
+    }
+    // 5. Per-command restrictions (pipeOnly, noFilePaths, blockedFlags,
+    //    allowedFlags, positionals, etc. — all via COMMAND_RULES)
+    for (const seg of pipeline) {
+        const err = validateCommandRestrictions(seg.command, {
+            context,
+            piped: seg.piped,
+        });
+        if (err)
+            return err;
+    }
+    // 6. Sensitive path patterns (secondary defense layer)
+    if (options?.sensitivePathPatterns) {
+        for (const cmd of commands) {
+            const binary = getCommandBinary(cmd);
+            if (binary && FILE_READING_CMDS.has(binary)) {
+                if (options.sensitivePathPatterns.some((re) => re.test(cmd))) {
+                    return JSON.stringify({
+                        error: "Reading credential or config files is not allowed.",
+                    }, null, 2);
+                }
+            }
+        }
+    }
+    return null;
+}
+//# sourceMappingURL=command-validator.js.map

package/dist/tools/command-validator.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"command-validator.js","sourceRoot":"","sources":["../../src/tools/command-validator.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,OAAO,EACL,gBAAgB,EAChB,kBAAkB,EAClB,kBAAkB,EAClB,gBAAgB,EAChB,2BAA2B,GAC5B,MAAM,mBAAmB,CAAC;AAmB3B,wEAAwE;AAExE;;;GAGG;AACH,MAAM,UAAU,eAAe,CAAC,KAAa;IAC3C,MAAM,QAAQ,GAAa,EAAE,CAAC;IAC9B,IAAI,OAAO,GAAG,EAAE,CAAC;IACjB,IAAI,OAAO,GAAkB,IAAI,CAAC;IAClC,IAAI,UAAU,GAAG,CAAC,CAAC;IAEnB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,EAAE,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QAEpB,IAAI,OAAO,EAAE,CAAC;YACZ,OAAO,IAAI,EAAE,CAAC;YACd,IAAI,EAAE,KAAK,OAAO,EAAE,CAAC;gBACnB,iFAAiF;gBACjF,IAAI,WAAW,GAAG,CAAC,CAAC;gBACpB,KAAK,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC,EAAE;oBAAE,WAAW,EAAE,CAAC;gBACpE,IAAI,WAAW,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;oBAC1B,OAAO,GAAG,IAAI,CAAC;gBACjB,CAAC;YACH,CAAC;YACD,SAAS;QACX,CAAC;QAED,IAAI,EAAE,KAAK,GAAG,IAAI,EAAE,KAAK,GAAG,IAAI,EAAE,KAAK,GAAG,EAAE,CAAC;YAC3C,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,IAAI,EAAE,CAAC;YACd,SAAS;QACX,CAAC;QAED,IAAI,EAAE,KAAK,GAAG,EAAE,CAAC;YACf,UAAU,EAAE,CAAC;YACb,OAAO,IAAI,EAAE,CAAC;YACd,SAAS;QACX,CAAC;QACD,IAAI,EAAE,KAAK,GAAG,EAAE,CAAC;YACf,UAAU,EAAE,CAAC;YACb,OAAO,IAAI,EAAE,CAAC;YACd,SAAS;QACX,CAAC;QAED,iDAAiD;QACjD,IAAI,UAAU,KAAK,CAAC,EAAE,CAAC;YACrB,mBAAmB;YACnB,IACE,CAAC,EAAE,KAAK,GAAG,IAAI,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,GAAG,CAAC;gBACpC,CAAC,EAAE,KAAK,GAAG,IAAI,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,GAAG,CAAC,EACpC,CAAC;gBACD,IAAI,OAAO,CAAC,IAAI,EAAE;oBAAE,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;gBAClD,OAAO,GAAG,EAAE,CAAC;gBACb,CAAC,EAAE,CAAC,CAAC,iBAAiB;gBACtB,SAAS;YACX,CAAC;YACD,2CAA2C;YAC3C,gEAAgE;YAChE,IAAI,EAAE,KAAK,GAAG,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,IAAI,OAAO,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,KAAK,GAAG,EAAE,CAAC;gBAC5E,OAAO,IAAI,EAAE,CAAC;gBACd,SAAS;YACX,CAAC;YACD,IAAI,EAAE,KAAK,GAAG,IAAI,EAAE,KAAK,GAAG,IAAI,EAAE,KAAK,GAAG,EAAE,CAAC;gBAC3C,IAAI,OAAO,CAAC,IAAI,EAAE;oBAAE,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;gBAClD,OAAO,GAAG,EAAE,CAAC;gBACb,SAAS;YACX,CAAC;QACH,CAAC;QAED,OAAO,IAAI,EAAE,CAAC;IAChB,CAAC;IAED,IAAI,OAAO,CAAC,IAAI,EAAE;QAAE,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;IAClD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAUD;;;;GAIG;AACH,MAAM,UAAU,eAAe,CAAC,KAAa;IAC3C,MAAM,QAAQ,GAAsB,EAAE,CAAC;IACvC,IAAI,OAAO,GAAG,EAAE,CAAC;IACjB,IAAI,OAAO,GAAkB,IAAI,CAAC;IAClC,IAAI,UAAU,GAAG,CAAC,CAAC;IACnB,IAAI,WAAW,GAAG,KAAK,CAAC;IAExB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,EAAE,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QAEpB,IAAI,OAAO,EAAE,CAAC;YACZ,OAAO,IAAI,EAAE,CAAC;YACd,IAAI,EAAE,KAAK,OAAO,EAAE,CAAC;gBACnB,iFAAiF;gBACjF,IAAI,WAAW,GAAG,CAAC,CAAC;gBACpB,KAAK,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC,EAAE;oBAAE,WAAW,EAAE,CAAC;gBACpE,IAAI,WAAW,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;oBAC1B,OAAO,GAAG,IAAI,CAAC;gBACjB,CAAC;YACH,CAAC;YACD,SAAS;QACX,CAAC;QAED,IAAI,EAAE,KAAK,GAAG,IAAI,EAAE,KAAK,GAAG,IAAI,EAAE,KAAK,GAAG,EAAE,CAAC;YAC3C,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,IAAI,EAAE,CAAC;YACd,SAAS;QACX,CAAC;QAED,IAAI,EAAE,KAAK,GAAG,EAAE,CAAC;YAAC,UAAU,EAAE,CAAC;YAAC,OAAO,IAAI,EAAE,CAAC;YAAC,SAAS;QAAC,CAAC;QAC1D,IAAI,EAAE,KAAK,GAAG,EAAE,CAAC;YAAC,UAAU,EAAE,CAAC;YAAC,OAAO,IAAI,EAAE,CAAC;YAAC,SAAS;QAAC,CAAC;QAE1D,IAAI,UAAU,KAAK,CAAC,EAAE,CAAC;YACrB,sBAAsB;YACtB,IACE,CAAC,EAAE,KAAK,GAAG,IAAI,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,GAAG,CAAC;gBACpC,CAAC,EAAE,KAAK,GAAG,IAAI,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,GAAG,CAAC,EACpC,CAAC;gBACD,IAAI,OAAO,CAAC,IAAI,EAAE;oBAAE,QAAQ,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,OAAO,CAAC,IAAI,EAAE,EAAE,KAAK,EAAE,WAAW,EAAE,CAAC,CAAC;gBACnF,OAAO,GAAG,EAAE,CAAC;gBACb,WAAW,GAAG,KAAK,CAAC,CAAC,0BAA0B;gBAC/C,CAAC,EAAE,CAAC,CAAC,iBAAiB;gBACtB,SAAS;YACX,CAAC;YACD,4DAA4D;YAC5D,IAAI,EAAE,KAAK,GAAG,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,IAAI,OAAO,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,KAAK,GAAG,EAAE,CAAC;gBAC5E,OAAO,IAAI,EAAE,CAAC;gBACd,SAAS;YACX,CAAC;YACD,+CAA+C;YAC/C,IAAI,EAAE,KAAK,GAAG,EAAE,CAAC;gBACf,IAAI,OAAO,CAAC,IAAI,EAAE;oBAAE,QAAQ,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,OAAO,CAAC,IAAI,EAAE,EAAE,KAAK,EAAE,WAAW,EAAE,CAAC,CAAC;gBACnF,OAAO,GAAG,EAAE,CAAC;gBACb,WAAW,GAAG,IAAI,CAAC;gBACnB,SAAS;YACX,CAAC;YACD,qBAAqB;YACrB,IAAI,EAAE,KAAK,GAAG,IAAI,EAAE,KAAK,GAAG,EAAE,CAAC;gBAC7B,IAAI,OAAO,CAAC,IAAI,EAAE;oBAAE,QAAQ,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,OAAO,CAAC,IAAI,EAAE,EAAE,KAAK,EAAE,WAAW,EAAE,CAAC,CAAC;gBACnF,OAAO,GAAG,EAAE,CAAC;gBACb,WAAW,GAAG,KAAK,CAAC;gBACpB,SAAS;YACX,CAAC;QACH,CAAC;QAED,OAAO,IAAI,EAAE,CAAC;IAChB,CAAC;IAED,IAAI,OAAO,CAAC,IAAI,EAAE;QAAE,QAAQ,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,OAAO,CAAC,IAAI,EAAE,EAAE,KAAK,EAAE,WAAW,EAAE,CAAC,CAAC;IACnF,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,wEAAwE;AAExE;;;;;;GAMG;AACH,MAAM,UAAU,sBAAsB,CAAC,OAAe;IACpD,IAAI,OAAO,GAAkB,IAAI,CAAC;IAElC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACxC,MAAM,EAAE,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;QAEtB,6EAA6E;QAC7E,2EAA2E;QAC3E,sDAAsD;QACtD,IAAI,EAAE,KAAK,IAAI,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC;YAC/B,OAAO,IAAI,CAAC,SAAS,CAAC;gBACpB,KAAK,EAAE,iDAAiD;aACzD,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;QACd,CAAC;QAED,2EAA2E;QAC3E,IAAI,EAAE,KAAK,GAAG,EAAE,CAAC;YACf,OAAO,IAAI,CAAC,SAAS,CAAC;gBACpB,KAAK,EAAE,+CAA+C;aACvD,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;QACd,CAAC;QAED,sEAAsE;QACtE,IAAI,EAAE,KAAK,GAAG,IAAI,OAAO,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,GAAG,EAAE,CAAC;YACzC,OAAO,IAAI,CAAC,SAAS,CAAC;gBACpB,KAAK,EAAE,0CAA0C;aAClD,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;QACd,CAAC;QAED,gDAAgD;QAChD,IAAI,OAAO,EAAE,CAAC;YACZ,IAAI,EAAE,KAAK,OAAO,IAAI,OAAO,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;gBAC9C,OAAO,GAAG,IAAI,CAAC;YACjB,CAAC;YACD,SAAS;QACX,CAAC;QAED,IAAI,EAAE,KAAK,GAAG,IAAI,EAAE,KAAK,GAAG,EAAE,CAAC;YAC7B,OAAO,GAAG,EAAE,CAAC;YACb,SAAS;QACX,CAAC;QAED,iCAAiC;QACjC,IAAI,EAAE,KAAK,GAAG,IAAI,OAAO,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,GAAG,EAAE,CAAC;YACzC,OAAO,IAAI,CAAC,SAAS,CAAC;gBACpB,KAAK,EAAE,0CAA0C;aAClD,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;QACd,CAAC;QAED,6EAA6E;QAC7E,IAAI,EAAE,KAAK,GAAG,IAAI,OAAO,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,GAAG,EAAE,CAAC;YACzC,OAAO,IAAI,CAAC,SAAS,CAAC;gBACpB,KAAK,EAAE,uCAAuC;aAC/C,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;QACd,CAAC;QAED,qCAAqC;QACrC,IAAI,EAAE,KAAK,GAAG,EAAE,CAAC;YACf,mFAAmF;YACnF,kDAAkD;YAClD,IAAI,OAAO,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,GAAG,EAAE,CAAC;gBAC3B,OAAO,IAAI,CAAC,SAAS,CAAC;oBACpB,KAAK,EAAE,0CAA0C;iBAClD,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;YACd,CAAC;YAED,6CAA6C;YAC7C,IAAI,OAAO,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,GAAG;gBAAE,SAAS;YAErC,gEAAgE;YAChE,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YACd,IAAI,OAAO,CAAC,CAAC,CAAC,KAAK,GAAG;gBAAE,CAAC,EAAE,CAAC,CAAC,KAAK;YAClC,kBAAkB;YAClB,OAAO,CAAC,GAAG,OAAO,CAAC,MAAM,IAAI,OAAO,CAAC,CAAC,CAAC,KAAK,GAAG;gBAAE,CAAC,EAAE,CAAC;YAErD,8BAA8B;YAC9B,MAAM,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;YACpC,IAAI,gBAAgB,CAAC,IAAI,CAAC,MAAM,CAAC;gBAAE,SAAS;YAE5C,OAAO,IAAI,CAAC,SAAS,CAAC;gBACpB,KAAK,EAAE,uDAAuD;aAC/D,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;QACd,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED,wEAAwE;AAExE,MAAM,oBAAoB,GAAG,IAAI,GAAG,EAA+B,CAAC;AAEpE;;;GAGG;AACH,MAAM,UAAU,kBAAkB,CAAC,OAAoB;IACrD,MAAM,MAAM,GAAG,oBAAoB,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IACjD,IAAI,MAAM;QAAE,OAAO,MAAM,CAAC;IAE1B,MAAM,UAAU,GAAG,kBAAkB,CAAC,OAAO,CAAC,CAAC;IAC/C,IAAI,CAAC,UAAU;QAAE,OAAO,gBAAgB,CAAC,CAAC,WAAW;IAErD,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,CAAC;IACxC,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAC/B,KAAK,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,kBAAkB,CAAC,EAAE,CAAC;QAC5D,IAAI,WAAW,CAAC,GAAG,CAAC,GAAG,CAAC;YAAE,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAC1C,CAAC;IAED,oBAAoB,CAAC,GAAG,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;IACxC,OAAO,IAAI,CAAC;AACd,CAAC;AAED,wEAAwE;AAExE,MAAM,iBAAiB,GAAG,IAAI,GAAG,CAAC;IAChC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM;IACrC,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM;IACvC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,QAAQ;IACrC,IAAI,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM;CAC9B,CAAC,CAAC;AAEH,uEAAuE;AAEvE;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,eAAe,CAAC,OAAe,EAAE,OAAgC;IAC/E,IAAI,CAAC,OAAO,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC;QAChC,OAAO,4BAA4B,CAAC;IACtC,CAAC;IAED,+BAA+B;IAC/B,MAAM,UAAU,GAAG,sBAAsB,CAAC,OAAO,CAAC,CAAC;IACnD,IAAI,UAAU;QAAE,OAAO,UAAU,CAAC;IAElC,kDAAkD;IAClD,MAAM,QAAQ,GAAG,eAAe,CAAC,OAAO,CAAC,CAAC;IAC1C,MAAM,QAAQ,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;IAC9C,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1B,OAAO,4BAA4B,CAAC;IACtC,CAAC;IAED,iCAAiC;IACjC,MAAM,OAAO,GAAG,OAAO,EAAE,OAAO,IAAI,MAAM,CAAC;IAC3C,MAAM,WAAW,GAAG,kBAAkB,CAAC,OAAO,CAAC,CAAC;IAChD,MAAM,UAAU,GAAa,EAAE,CAAC;IAEhC,KAAK,MAAM,GAAG,IAAI,QAAQ,EAAE,CAAC;QAC3B,MAAM,MAAM,GAAG,gBAAgB,CAAC,GAAG,CAAC,CAAC;QACrC,IAAI,CAAC,MAAM;YAAE,SAAS;QAEtB,qDAAqD;QACrD,IAAI,OAAO,EAAE,YAAY,EAAE,GAAG,CAAC,MAAM,CAAC;YAAE,SAAS;QAEjD,0BAA0B;QAC1B,IAAI,WAAW,CAAC,GAAG,CAAC,MAAM,CAAC;YAAE,SAAS;QAEtC,+CAA+C;QAC/C,IAAI,OAAO,EAAE,SAAS,EAAE,CAAC,GAAG,CAAC;YAAE,SAAS;QAExC,UAAU,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAC1B,CAAC;IAED,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC1B,OAAO,IAAI,CAAC,SAAS,CAAC;YACpB,KAAK,EAAE,qCAAqC,CAAC,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,sCAAsC;YACrH,OAAO,EAAE,CAAC,GAAG,WAAW,EAAE,GAAG,CAAC,OAAO,EAAE,YAAY,IAAI,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE;SACnE,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;IACd,CAAC;IAED,2DAA2D;IAC3D,IAAI,OAAO,EAAE,kBAAkB,EAAE,CAAC;QAChC,KAAK,MAAM,SAAS,IAAI,OAAO,CAAC,kBAAkB,EAAE,CAAC;YACnD,MAAM,GAAG,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;YAChC,IAAI,GAAG;gBAAE,OAAO,GAAG,CAAC;QACtB,CAAC;IACH,CAAC;IAED,oEAAoE;IACpE,8DAA8D;IAC9D,KAAK,MAAM,GAAG,IAAI,QAAQ,EAAE,CAAC;QAC3B,MAAM,GAAG,GAAG,2BAA2B,CAAC,GAAG,CAAC,OAAO,EAAE;YACnD,OAAO;YACP,KAAK,EAAE,GAAG,CAAC,KAAK;SACjB,CAAC,CAAC;QACH,IAAI,GAAG;YAAE,OAAO,GAAG,CAAC;IACtB,CAAC;IAED,uDAAuD;IACvD,IAAI,OAAO,EAAE,qBAAqB,EAAE,CAAC;QACnC,KAAK,MAAM,GAAG,IAAI,QAAQ,EAAE,CAAC;YAC3B,MAAM,MAAM,GAAG,gBAAgB,CAAC,GAAG,CAAC,CAAC;YACrC,IAAI,MAAM,IAAI,iBAAiB,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;gBAC5C,IAAI,OAAO,CAAC,qBAAqB,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC;oBAC7D,OAAO,IAAI,CAAC,SAAS,CAAC;wBACpB,KAAK,EAAE,oDAAoD;qBAC5D,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;gBACd,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/tools/create-skill.js

@@ -50,7 +50,32 @@ Important:
 - If the user asks to "change", "modify", "update", or "replace" a skill (whether created earlier in this conversation or not), always use \`update_skill\`.
 - Only use \`create_skill\` when the user explicitly wants a brand-new, separate skill.
 
-**Approval required**: Skills with scripts require admin approval before they become active. After creating a skill, do NOT attempt to test or run it — it will not be available until an admin approves it. Inform the user that the skill is pending review.
+## Duplicate / Overlap Check — CRITICAL
+
+**Before calling \`create_skill\`, you MUST check whether an existing skill already covers the same functionality.** Check \`<available_skills>\` in your system prompt and compare the user's request against existing builtin, team, and personal skills.
+
+- **Exact name match**: The tool will reject creation if a skill with the same name exists. But functional overlap with a DIFFERENT name is equally problematic.
+- **Functional overlap found**: If an existing skill solves the same problem (even with a different name), DO NOT silently create a new one. Instead:
+  1. Tell the user which existing skill overlaps and what it does.
+  2. Ask if they want to: (a) use the existing skill as-is, (b) fork it with \`fork_skill\` to make a customized personal copy, or (c) still create a brand-new separate skill.
+  3. Only proceed with \`create_skill\` if the user explicitly chooses option (c).
+- **Why this matters**: Duplicate skills with similar functionality confuse the model — it cannot reliably choose between two skills that do the same thing. One well-maintained skill is always better than two overlapping ones.
+- To fork a builtin or team skill into a personal copy, use \`fork_skill\`.
+
+## Environments and Approval Workflow
+
+Skills go through a review workflow that behaves differently per environment:
+
+| Environment | Behavior |
+|-------------|----------|
+| **Dev / Test** | Newly created skills (draft status) are immediately visible and usable. You can test them right away. |
+| **Production** | Only **approved** skill versions are visible. Draft and pending skills do NOT appear in production. |
+
+- After creating a skill, it starts in **draft** status.
+- Skills with scripts must be **submitted for review** and **approved by an admin** before they become active in production.
+- Skills without scripts (pure guidance) also start as draft but can be submitted and approved more quickly.
+- **After creating a skill in production context**: inform the user that the skill is pending review and will not be available in production until approved. Suggest testing in the dev/test environment first.
+- **Do NOT attempt to test or run a newly created skill in production** — it will not be found.
 
 ## Script Execution Modes
 

package/dist/tools/create-skill.js.map

@@ -1 +1 @@
-{"version":3,"file":"create-skill.js","sourceRoot":"","sources":["../../src/tools/create-skill.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,MAAM,mBAAmB,CAAC;AAEzC,OAAO,EAAE,mBAAmB,EAAE,oBAAoB,EAAE,MAAM,sBAAsB,CAAC;AAWjF,MAAM,UAAU,qBAAqB;IACnC,OAAO;QACL,IAAI,EAAE,cAAc;QACpB,KAAK,EAAE,cAAc;QACrB,WAAW,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OAsFV;QACH,UAAU,EAAE,IAAI,CAAC,MAAM,CAAC;YACtB,IAAI,EAAE,IAAI,CAAC,MAAM,CAAC;gBAChB,WAAW,EAAE,iDAAiD;aAC/D,CAAC;YACF,WAAW,EAAE,IAAI,CAAC,MAAM,CAAC;gBACvB,WAAW,EAAE,6CAA6C;aAC3D,CAAC;YACF,IAAI,EAAE,IAAI,CAAC,QAAQ,CACjB,IAAI,CAAC,MAAM,CAAC;gBACV,WAAW,EAAE,sFAAsF;aACpG,CAAC,CACH;YACD,KAAK,EAAE,IAAI,CAAC,MAAM,CAAC;gBACjB,WAAW,EAAE,wDAAwD;aACtE,CAAC;YACF,OAAO,EAAE,IAAI,CAAC,QAAQ,CACpB,IAAI,CAAC,KAAK,CACR,IAAI,CAAC,MAAM,CAAC;gBACV,IAAI,EAAE,IAAI,CAAC,MAAM,CAAC,EAAE,WAAW,EAAE,gDAAgD,EAAE,CAAC;gBACpF,OAAO,EAAE,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,WAAW,EAAE,kGAAkG,EAAE,CAAC,CAAC;aACzJ,CAAC,EACF,EAAE,WAAW,EAAE,+IAA+I,EAAE,CACjK,CACF;YACD,MAAM,EAAE,IAAI,CAAC,QAAQ,CACnB,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,EAAE,WAAW,EAAE,mEAAmE,EAAE,CAAC,CAChH;SACF,CAAC;QACF,KAAK,CAAC,OAAO,CAAC,WAAW,EAAE,SAAS;YAClC,MAAM,MAAM,GAAG,SAA8B,CAAC;YAE9C,2BAA2B;YAC3B,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,EAAE,EAAE,CAAC;gBACzB,OAAO;oBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,yBAAyB,EAAE,CAAC,EAAE,CAAC;oBACvF,OAAO,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE;iBACzB,CAAC;YACJ,CAAC;YACD,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE,CAAC;gBAC1B,OAAO;oBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,6CAA6C,EAAE,CAAC,EAAE,CAAC;oBAC3G,OAAO,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE;iBACzB,CAAC;YACJ,CAAC;YAED,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;YAErC,sDAAsD;YACtD,IAAI,mBAAmB,CAAC,SAAS,CAAC,EAAE,CAAC;gBACnC,OAAO;oBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,kBAAkB,SAAS,qHAAqH,EAAE,CAAC,EAAE,CAAC;oBAC9M,OAAO,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE;iBACzB,CAAC;YACJ,CAAC;YACD,IAAI,oBAAoB,CAAC,SAAS,CAAC,EAAE,CAAC;gBACpC,OAAO;oBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,0BAA0B,SAAS,wFAAwF,EAAE,CAAC,EAAE,CAAC;oBACzL,OAAO,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE;iBACzB,CAAC;YACJ,CAAC;YAED,MAAM,UAAU,GAAG,MAAM,CAAC,OAAO,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC;YAC/D,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;YACjE,MAAM,MAAM,GAAG;gBACb,KAAK,EAAE;oBACL,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE;oBACxB,WAAW,EAAE,MAAM,CAAC,WAAW,EAAE,IAAI,EAAE,IAAI,EAAE;oBAC7C,IAAI,EAAE,MAAM,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,QAAQ;oBACrC,KAAK,EAAE,MAAM,CAAC,KAAK;oBACnB,OAAO,EAAE,MAAM,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;wBACnC,IAAI,EAAE,CAAC,CAAC,IAAI;wBACZ,OAAO,EAAE,CAAC,CAAC,OAAO;qBACnB,CAAC,CAAC,IAAI,EAAE;oBACT,MAAM,EAAE,MAAM,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS;iBACzD;gBACD,OAAO,EAAE,6BAA6B,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,kCAAkC;sBACtF,CAAC,UAAU,CAAC,CAAC,CAAC,wHAAwH,CAAC,CAAC,CAAC,EAAE,CAAC;gBAChJ,UAAU,EAAE,UAAU;oBACpB,CAAC,CAAC,0MAA0M;oBAC5M,CAAC,CAAC,SAAS;aACd,CAAC;YAEF,OAAO;gBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,CAAC;gBACzD,OAAO,EAAE,EAAE;aACZ,CAAC;QACJ,CAAC;KACF,CAAC;AACJ,CAAC"}
+{"version":3,"file":"create-skill.js","sourceRoot":"","sources":["../../src/tools/create-skill.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,MAAM,mBAAmB,CAAC;AAEzC,OAAO,EAAE,mBAAmB,EAAE,oBAAoB,EAAE,MAAM,sBAAsB,CAAC;AAWjF,MAAM,UAAU,qBAAqB;IACnC,OAAO;QACL,IAAI,EAAE,cAAc;QACpB,KAAK,EAAE,cAAc;QACrB,WAAW,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA+GV;QACH,UAAU,EAAE,IAAI,CAAC,MAAM,CAAC;YACtB,IAAI,EAAE,IAAI,CAAC,MAAM,CAAC;gBAChB,WAAW,EAAE,iDAAiD;aAC/D,CAAC;YACF,WAAW,EAAE,IAAI,CAAC,MAAM,CAAC;gBACvB,WAAW,EAAE,6CAA6C;aAC3D,CAAC;YACF,IAAI,EAAE,IAAI,CAAC,QAAQ,CACjB,IAAI,CAAC,MAAM,CAAC;gBACV,WAAW,EAAE,sFAAsF;aACpG,CAAC,CACH;YACD,KAAK,EAAE,IAAI,CAAC,MAAM,CAAC;gBACjB,WAAW,EAAE,wDAAwD;aACtE,CAAC;YACF,OAAO,EAAE,IAAI,CAAC,QAAQ,CACpB,IAAI,CAAC,KAAK,CACR,IAAI,CAAC,MAAM,CAAC;gBACV,IAAI,EAAE,IAAI,CAAC,MAAM,CAAC,EAAE,WAAW,EAAE,gDAAgD,EAAE,CAAC;gBACpF,OAAO,EAAE,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,WAAW,EAAE,kGAAkG,EAAE,CAAC,CAAC;aACzJ,CAAC,EACF,EAAE,WAAW,EAAE,+IAA+I,EAAE,CACjK,CACF;YACD,MAAM,EAAE,IAAI,CAAC,QAAQ,CACnB,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,EAAE,WAAW,EAAE,mEAAmE,EAAE,CAAC,CAChH;SACF,CAAC;QACF,KAAK,CAAC,OAAO,CAAC,WAAW,EAAE,SAAS;YAClC,MAAM,MAAM,GAAG,SAA8B,CAAC;YAE9C,2BAA2B;YAC3B,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,EAAE,EAAE,CAAC;gBACzB,OAAO;oBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,yBAAyB,EAAE,CAAC,EAAE,CAAC;oBACvF,OAAO,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE;iBACzB,CAAC;YACJ,CAAC;YACD,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE,CAAC;gBAC1B,OAAO;oBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,6CAA6C,EAAE,CAAC,EAAE,CAAC;oBAC3G,OAAO,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE;iBACzB,CAAC;YACJ,CAAC;YAED,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;YAErC,sDAAsD;YACtD,IAAI,mBAAmB,CAAC,SAAS,CAAC,EAAE,CAAC;gBACnC,OAAO;oBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,kBAAkB,SAAS,qHAAqH,EAAE,CAAC,EAAE,CAAC;oBAC9M,OAAO,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE;iBACzB,CAAC;YACJ,CAAC;YACD,IAAI,oBAAoB,CAAC,SAAS,CAAC,EAAE,CAAC;gBACpC,OAAO;oBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,0BAA0B,SAAS,wFAAwF,EAAE,CAAC,EAAE,CAAC;oBACzL,OAAO,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE;iBACzB,CAAC;YACJ,CAAC;YAED,MAAM,UAAU,GAAG,MAAM,CAAC,OAAO,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC;YAC/D,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;YACjE,MAAM,MAAM,GAAG;gBACb,KAAK,EAAE;oBACL,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE;oBACxB,WAAW,EAAE,MAAM,CAAC,WAAW,EAAE,IAAI,EAAE,IAAI,EAAE;oBAC7C,IAAI,EAAE,MAAM,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,QAAQ;oBACrC,KAAK,EAAE,MAAM,CAAC,KAAK;oBACnB,OAAO,EAAE,MAAM,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;wBACnC,IAAI,EAAE,CAAC,CAAC,IAAI;wBACZ,OAAO,EAAE,CAAC,CAAC,OAAO;qBACnB,CAAC,CAAC,IAAI,EAAE;oBACT,MAAM,EAAE,MAAM,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS;iBACzD;gBACD,OAAO,EAAE,6BAA6B,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,kCAAkC;sBACtF,CAAC,UAAU,CAAC,CAAC,CAAC,wHAAwH,CAAC,CAAC,CAAC,EAAE,CAAC;gBAChJ,UAAU,EAAE,UAAU;oBACpB,CAAC,CAAC,0MAA0M;oBAC5M,CAAC,CAAC,SAAS;aACd,CAAC;YAEF,OAAO;gBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,CAAC;gBACzD,OAAO,EAAE,EAAE;aACZ,CAAC;QACJ,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/tools/credential-list.js

@@ -1,32 +1,10 @@
-import { execFile } from "node:child_process";
 import fs from "node:fs";
 import path from "node:path";
 import { Type } from "@sinclair/typebox";
 import { Text } from "@mariozechner/pi-tui";
 import { renderTextResult } from "./tool-render.js";
 import { loadConfig } from "../core/config.js";
-/** Probe a kubeconfig with `kubectl version` (3s timeout, parallel-safe). */
-function probeKubeconfig(kubeconfigPath) {
-    return new Promise((resolve) => {
-        execFile("kubectl", ["version", "--output=json", `--kubeconfig=${kubeconfigPath}`, "--request-timeout=3s"], { timeout: 5000 }, (err, stdout) => {
-            if (err) {
-                const msg = err.message?.includes("timed out")
-                    ? "connection timeout"
-                    : err.message?.split("\n")[0] ?? "unknown error";
-                resolve({ reachable: false, error: msg });
-                return;
-            }
-            try {
-                const info = JSON.parse(stdout);
-                const ver = info.serverVersion?.gitVersion ?? "unknown";
-                resolve({ reachable: true, version: ver });
-            }
-            catch {
-                resolve({ reachable: true, version: "unknown" });
-            }
-        });
-    });
-}
+import { probeKubeconfig } from "./credential-manager.js";
 /**
  * Tool to list available credentials and their metadata.
  * Reads manifest.json from the credentials directory.

package/dist/tools/credential-list.js.map

@@ -1 +1 @@
-{"version":3,"file":"credential-list.js","sourceRoot":"","sources":["../../src/tools/credential-list.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,IAAI,EAAE,MAAM,mBAAmB,CAAC;AAEzC,OAAO,EAAE,IAAI,EAAE,MAAM,sBAAsB,CAAC;AAC5C,OAAO,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AAEpD,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAkB/C,6EAA6E;AAC7E,SAAS,eAAe,CAAC,cAAsB;IAC7C,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;QAC7B,QAAQ,CACN,SAAS,EACT,CAAC,SAAS,EAAE,eAAe,EAAE,gBAAgB,cAAc,EAAE,EAAE,sBAAsB,CAAC,EACtF,EAAE,OAAO,EAAE,IAAI,EAAE,EACjB,CAAC,GAAG,EAAE,MAAM,EAAE,EAAE;YACd,IAAI,GAAG,EAAE,CAAC;gBACR,MAAM,GAAG,GAAG,GAAG,CAAC,OAAO,EAAE,QAAQ,CAAC,WAAW,CAAC;oBAC5C,CAAC,CAAC,oBAAoB;oBACtB,CAAC,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,eAAe,CAAC;gBACnD,OAAO,CAAC,EAAE,SAAS,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,CAAC;gBAC1C,OAAO;YACT,CAAC;YACD,IAAI,CAAC;gBACH,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;gBAChC,MAAM,GAAG,GAAG,IAAI,CAAC,aAAa,EAAE,UAAU,IAAI,SAAS,CAAC;gBACxD,OAAO,CAAC,EAAE,SAAS,EAAE,IAAI,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC,CAAC;YAC7C,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,CAAC,EAAE,SAAS,EAAE,IAAI,EAAE,OAAO,EAAE,SAAS,EAAE,CAAC,CAAC;YACnD,CAAC;QACH,CAAC,CACF,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,wBAAwB,CAAC,aAA4B;IACnE,OAAO;QACL,IAAI,EAAE,iBAAiB;QACvB,KAAK,EAAE,iBAAiB;QACxB,UAAU,CAAC,IAAS,EAAE,KAAU;YAC9B,MAAM,MAAM,GAAG,IAAI,EAAE,IAAI,IAAI,IAAI,EAAE,IAAI,IAAI,KAAK,CAAC;YACjD,OAAO,IAAI,IAAI,CACb,KAAK,CAAC,EAAE,CAAC,WAAW,EAAE,KAAK,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;gBAClD,GAAG,GAAG,KAAK,CAAC,EAAE,CAAC,QAAQ,EAAE,MAAM,CAAC,EAClC,CAAC,EAAE,CAAC,CACL,CAAC;QACJ,CAAC;QACD,YAAY,EAAE,gBAAgB;QAC9B,WAAW,EAAE;;;;;;;yCAOwB;QACrC,UAAU,EAAE,IAAI,CAAC,MAAM,CAAC;YACtB,IAAI,EAAE,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,WAAW,EAAE,2BAA2B,EAAE,CAAC,CAAC;YAC9E,IAAI,EAAE,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,WAAW,EAAE,kCAAkC,EAAE,CAAC,CAAC;SACtF,CAAC;QACF,KAAK,CAAC,OAAO,CAAC,WAAW,EAAE,SAAS;YAClC,MAAM,MAAM,GAAG,SAAiC,CAAC;YACjD,MAAM,cAAc,GAAG,aAAa,CAAC,cAAc,IAAI,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,UAAU,EAAE,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC;YAEtH,IAAI,CAAC,cAAc,EAAE,CAAC;gBACpB,OAAO;oBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,sCAAsC,EAAE,CAAC,EAAE,CAAC;oBACpG,OAAO,EAAE,EAAE;iBACZ,CAAC;YACJ,CAAC;YAED,MAAM,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,cAAc,EAAE,eAAe,CAAC,CAAC;YAChE,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;gBACjC,OAAO;oBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,WAAW,EAAE,EAAE,EAAE,OAAO,EAAE,8CAA8C,EAAE,CAAC,EAAE,CAAC;oBAC/H,OAAO,EAAE,EAAE;iBACZ,CAAC;YACJ,CAAC;YAED,IAAI,CAAC;gBACH,IAAI,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,YAAY,EAAE,OAAO,CAAC,CAAsB,CAAC;gBAE1F,gBAAgB;gBAChB,IAAI,MAAM,CAAC,IAAI,EAAE,CAAC;oBAChB,WAAW,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,MAAM,CAAC,IAAI,CAAC,CAAC;gBAClE,CAAC;gBACD,IAAI,MAAM,CAAC,IAAI,EAAE,CAAC;oBAChB,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;oBACzC,WAAW,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;gBACjF,CAAC;gBAED,8EAA8E;gBAC9E,MAAM,QAAQ,GAAsB,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;oBAC1D,GAAG,CAAC;oBACJ,KAAK,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,cAAc,IAAI,CAAC,EAAE,CAAC;iBACpD,CAAC,CAAC,CAAC;gBAEJ,4CAA4C;gBAC5C,MAAM,WAAW,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,YAAY,CAAC,CAAC;gBACpE,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBAC3B,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,GAAG,CAC9B,WAAW,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC,EAAE,EAAE;wBAC1B,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;wBACpF,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,MAAM,eAAe,CAAC,cAAc,CAAC,EAAE,CAAC;oBACxE,CAAC,CAAC,CACH,CAAC;oBACF,KAAK,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,MAAM,EAAE,CAAC;wBACrC,MAAM,IAAI,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,CAAC,CAAC;wBACnD,IAAI,IAAI,EAAE,CAAC;4BACT,IAAI,CAAC,SAAS,GAAG,KAAK,CAAC,SAAS,CAAC;4BACjC,IAAI,KAAK,CAAC,OAAO;gCAAE,IAAI,CAAC,cAAc,GAAG,KAAK,CAAC,OAAO,CAAC;4BACvD,IAAI,KAAK,CAAC,KAAK;gCAAE,IAAI,CAAC,WAAW,GAAG,KAAK,CAAC,KAAK,CAAC;wBAClD,CAAC;oBACH,CAAC;gBACH,CAAC;gBAED,qFAAqF;gBACrF,MAAM,UAAU,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;oBACtC,IAAI,EAAE,CAAC,CAAC,IAAI;oBACZ,IAAI,EAAE,CAAC,CAAC,IAAI;oBACZ,WAAW,EAAE,CAAC,CAAC,WAAW,IAAI,IAAI;oBAClC,GAAG,CAAC,CAAC,CAAC,SAAS,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,CAAC,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;oBAChE,GAAG,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,EAAE,cAAc,EAAE,CAAC,CAAC,cAAc,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;oBACjE,GAAG,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;iBACzD,CAAC,CAAC,CAAC;gBAEJ,qCAAqC;gBACrC,MAAM,oBAAoB,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;gBACpE,IAAI,IAAI,GAAG,EAAE,CAAC;gBACd,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBAC3B,IAAI,GAAG,kBAAkB,WAAW,CAAC,MAAM,uBAAuB,oBAAoB,CAAC,MAAM,yGAAyG,CAAC;gBACzM,CAAC;qBAAM,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,SAAS,EAAE,CAAC;oBACjE,IAAI,GAAG,qCAAqC,WAAW,CAAC,CAAC,CAAC,CAAC,IAAI,qBAAqB,WAAW,CAAC,CAAC,CAAC,CAAC,WAAW,oBAAoB,CAAC;gBACrI,CAAC;gBAED,OAAO;oBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,WAAW,EAAE,UAAU,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,EAAE,CAAC;oBAC9F,OAAO,EAAE,EAAE;iBACZ,CAAC;YACJ,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;gBACjE,OAAO;oBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,EAAE,CAAC;oBACrE,OAAO,EAAE,EAAE;iBACZ,CAAC;YACJ,CAAC;QACH,CAAC;KACF,CAAC;AACJ,CAAC"}
+{"version":3,"file":"credential-list.js","sourceRoot":"","sources":["../../src/tools/credential-list.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,IAAI,EAAE,MAAM,mBAAmB,CAAC;AAEzC,OAAO,EAAE,IAAI,EAAE,MAAM,sBAAsB,CAAC;AAC5C,OAAO,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AAEpD,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAC/C,OAAO,EAAE,eAAe,EAAE,MAAM,yBAAyB,CAAC;AAkB1D;;;;GAIG;AACH,MAAM,UAAU,wBAAwB,CAAC,aAA4B;IACnE,OAAO;QACL,IAAI,EAAE,iBAAiB;QACvB,KAAK,EAAE,iBAAiB;QACxB,UAAU,CAAC,IAAS,EAAE,KAAU;YAC9B,MAAM,MAAM,GAAG,IAAI,EAAE,IAAI,IAAI,IAAI,EAAE,IAAI,IAAI,KAAK,CAAC;YACjD,OAAO,IAAI,IAAI,CACb,KAAK,CAAC,EAAE,CAAC,WAAW,EAAE,KAAK,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;gBAClD,GAAG,GAAG,KAAK,CAAC,EAAE,CAAC,QAAQ,EAAE,MAAM,CAAC,EAClC,CAAC,EAAE,CAAC,CACL,CAAC;QACJ,CAAC;QACD,YAAY,EAAE,gBAAgB;QAC9B,WAAW,EAAE;;;;;;;yCAOwB;QACrC,UAAU,EAAE,IAAI,CAAC,MAAM,CAAC;YACtB,IAAI,EAAE,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,WAAW,EAAE,2BAA2B,EAAE,CAAC,CAAC;YAC9E,IAAI,EAAE,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,WAAW,EAAE,kCAAkC,EAAE,CAAC,CAAC;SACtF,CAAC;QACF,KAAK,CAAC,OAAO,CAAC,WAAW,EAAE,SAAS;YAClC,MAAM,MAAM,GAAG,SAAiC,CAAC;YACjD,MAAM,cAAc,GAAG,aAAa,CAAC,cAAc,IAAI,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,UAAU,EAAE,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC;YAEtH,IAAI,CAAC,cAAc,EAAE,CAAC;gBACpB,OAAO;oBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,sCAAsC,EAAE,CAAC,EAAE,CAAC;oBACpG,OAAO,EAAE,EAAE;iBACZ,CAAC;YACJ,CAAC;YAED,MAAM,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,cAAc,EAAE,eAAe,CAAC,CAAC;YAChE,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;gBACjC,OAAO;oBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,WAAW,EAAE,EAAE,EAAE,OAAO,EAAE,8CAA8C,EAAE,CAAC,EAAE,CAAC;oBAC/H,OAAO,EAAE,EAAE;iBACZ,CAAC;YACJ,CAAC;YAED,IAAI,CAAC;gBACH,IAAI,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,YAAY,EAAE,OAAO,CAAC,CAAsB,CAAC;gBAE1F,gBAAgB;gBAChB,IAAI,MAAM,CAAC,IAAI,EAAE,CAAC;oBAChB,WAAW,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,MAAM,CAAC,IAAI,CAAC,CAAC;gBAClE,CAAC;gBACD,IAAI,MAAM,CAAC,IAAI,EAAE,CAAC;oBAChB,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;oBACzC,WAAW,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;gBACjF,CAAC;gBAED,8EAA8E;gBAC9E,MAAM,QAAQ,GAAsB,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;oBAC1D,GAAG,CAAC;oBACJ,KAAK,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,cAAc,IAAI,CAAC,EAAE,CAAC;iBACpD,CAAC,CAAC,CAAC;gBAEJ,4CAA4C;gBAC5C,MAAM,WAAW,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,YAAY,CAAC,CAAC;gBACpE,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBAC3B,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,GAAG,CAC9B,WAAW,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC,EAAE,EAAE;wBAC1B,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;wBACpF,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,MAAM,eAAe,CAAC,cAAc,CAAC,EAAE,CAAC;oBACxE,CAAC,CAAC,CACH,CAAC;oBACF,KAAK,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,MAAM,EAAE,CAAC;wBACrC,MAAM,IAAI,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,CAAC,CAAC;wBACnD,IAAI,IAAI,EAAE,CAAC;4BACT,IAAI,CAAC,SAAS,GAAG,KAAK,CAAC,SAAS,CAAC;4BACjC,IAAI,KAAK,CAAC,OAAO;gCAAE,IAAI,CAAC,cAAc,GAAG,KAAK,CAAC,OAAO,CAAC;4BACvD,IAAI,KAAK,CAAC,KAAK;gCAAE,IAAI,CAAC,WAAW,GAAG,KAAK,CAAC,KAAK,CAAC;wBAClD,CAAC;oBACH,CAAC;gBACH,CAAC;gBAED,qFAAqF;gBACrF,MAAM,UAAU,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;oBACtC,IAAI,EAAE,CAAC,CAAC,IAAI;oBACZ,IAAI,EAAE,CAAC,CAAC,IAAI;oBACZ,WAAW,EAAE,CAAC,CAAC,WAAW,IAAI,IAAI;oBAClC,GAAG,CAAC,CAAC,CAAC,SAAS,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,CAAC,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;oBAChE,GAAG,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,EAAE,cAAc,EAAE,CAAC,CAAC,cAAc,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;oBACjE,GAAG,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;iBACzD,CAAC,CAAC,CAAC;gBAEJ,qCAAqC;gBACrC,MAAM,oBAAoB,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;gBACpE,IAAI,IAAI,GAAG,EAAE,CAAC;gBACd,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBAC3B,IAAI,GAAG,kBAAkB,WAAW,CAAC,MAAM,uBAAuB,oBAAoB,CAAC,MAAM,yGAAyG,CAAC;gBACzM,CAAC;qBAAM,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,SAAS,EAAE,CAAC;oBACjE,IAAI,GAAG,qCAAqC,WAAW,CAAC,CAAC,CAAC,CAAC,IAAI,qBAAqB,WAAW,CAAC,CAAC,CAAC,CAAC,WAAW,oBAAoB,CAAC;gBACrI,CAAC;gBAED,OAAO;oBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,WAAW,EAAE,UAAU,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,EAAE,CAAC;oBAC9F,OAAO,EAAE,EAAE;iBACZ,CAAC;YACJ,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;gBACjE,OAAO;oBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,EAAE,CAAC;oBACrE,OAAO,EAAE,EAAE;iBACZ,CAAC;YACJ,CAAC;QACH,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/tools/credential-manager.d.ts

@@ -0,0 +1,98 @@
+/**
+ * Generic credential registration, removal, and listing for TUI mode.
+ *
+ * Writes the same manifest.json + credential files format used by Gateway's
+ * buildCredentialPayload(), so credential_list tool works identically.
+ */
+export interface CredentialManifestEntry {
+    name: string;
+    type: string;
+    description?: string | null;
+    files: string[];
+    metadata?: Record<string, unknown>;
+}
+export type CredentialType = "kubeconfig" | "ssh_key" | "ssh_password" | "api_token" | "api_basic_auth";
+export interface RegisterKubeconfigOpts {
+    name: string;
+    /** Absolute path to the source kubeconfig file (provide this OR content) */
+    sourcePath?: string;
+    /** Raw kubeconfig YAML/JSON content (provide this OR sourcePath) */
+    content?: string;
+    description?: string;
+}
+export interface RegisterSshPasswordOpts {
+    name: string;
+    host: string;
+    port?: number;
+    username: string;
+    password: string;
+    description?: string;
+}
+export interface RegisterSshKeyOpts {
+    name: string;
+    host: string;
+    port?: number;
+    username: string;
+    /** Absolute path to the private key file */
+    keyPath: string;
+    passphrase?: string;
+    description?: string;
+}
+export interface RegisterApiTokenOpts {
+    name: string;
+    url?: string;
+    token: string;
+    description?: string;
+}
+export interface RegisterApiBasicAuthOpts {
+    name: string;
+    url?: string;
+    username: string;
+    password: string;
+    description?: string;
+}
+export interface ProbeResult {
+    reachable: boolean;
+    version?: string;
+    error?: string;
+}
+export interface CredentialListEntry extends CredentialManifestEntry {
+    reachable?: boolean;
+    server_version?: string;
+    probe_error?: string;
+}
+declare function safeName(name: string): string;
+/** Reject values that could inject SSH config directives (newlines, leading whitespace). */
+declare function sanitizeSshField(value: string, fieldName: string): string;
+declare function readManifest(credentialsDir: string): CredentialManifestEntry[];
+/** Probe a kubeconfig with `kubectl version` (3s timeout, parallel-safe). */
+export declare function probeKubeconfig(kubeconfigPath: string): Promise<ProbeResult>;
+type RegisterResult = {
+    entry: CredentialManifestEntry;
+    error?: undefined;
+} | {
+    entry?: undefined;
+    error: string;
+};
+export declare function registerKubeconfig(credentialsDir: string, opts: RegisterKubeconfigOpts): RegisterResult;
+export declare function registerSshPassword(credentialsDir: string, opts: RegisterSshPasswordOpts): {
+    entry: CredentialManifestEntry;
+};
+export declare function registerSshKey(credentialsDir: string, opts: RegisterSshKeyOpts): RegisterResult;
+export declare function registerApiToken(credentialsDir: string, opts: RegisterApiTokenOpts): {
+    entry: CredentialManifestEntry;
+};
+export declare function registerApiBasicAuth(credentialsDir: string, opts: RegisterApiBasicAuthOpts): {
+    entry: CredentialManifestEntry;
+};
+export declare function removeCredential(credentialsDir: string, name: string): {
+    removed: boolean;
+};
+export declare function listCredentials(credentialsDir: string): Promise<CredentialListEntry[]>;
+/** @internal Exposed for unit testing only. */
+export declare const _testing: {
+    safeName: typeof safeName;
+    sanitizeSshField: typeof sanitizeSshField;
+    readManifest: typeof readManifest;
+};
+export {};