ssh-mcp-pro 1.0.0

package/dist/remote/policy.js

@@ -0,0 +1,94 @@
+import path from "node:path";
+import { REMOTE_CAPABILITIES, } from "./types.js";
+function allCapabilities(value) {
+    return Object.fromEntries(REMOTE_CAPABILITIES.map((capability) => [capability, value]));
+}
+export function createAgentPolicy(profile = "read-only") {
+    const base = allCapabilities(false);
+    let allowServices = [];
+    let allowContainers = [];
+    if (profile === "read-only") {
+        base["hosts.read"] = true;
+        base["agents.read"] = true;
+        base["system.read"] = true;
+        base["logs.read"] = true;
+        base["audit.read"] = true;
+    }
+    if (profile === "operations") {
+        base["hosts.read"] = true;
+        base["agents.read"] = true;
+        base["system.read"] = true;
+        base["logs.read"] = true;
+        base["service.manage"] = true;
+        base["docker.manage"] = true;
+        base["files.read"] = true;
+        base["audit.read"] = true;
+    }
+    if (profile === "full-admin") {
+        for (const capability of REMOTE_CAPABILITIES) {
+            base[capability] = true;
+        }
+        allowServices = ["*"];
+        allowContainers = ["*"];
+    }
+    return {
+        profile,
+        capabilities: base,
+        allowPaths: ["/tmp", "/var/tmp"],
+        denyPaths: ["/", "/etc", "/boot", "/dev", "/proc", "/sys"],
+        allowServices,
+        allowContainers,
+        maxOutputBytes: 200_000,
+        maxActionTimeoutSeconds: 120,
+        version: 1,
+    };
+}
+export function mergeCustomPolicy(policy) {
+    const base = createAgentPolicy(policy.profile ?? "custom");
+    return {
+        ...base,
+        ...policy,
+        profile: policy.profile ?? "custom",
+        capabilities: {
+            ...base.capabilities,
+            ...(policy.capabilities ?? {}),
+        },
+        allowPaths: policy.allowPaths ?? base.allowPaths,
+        denyPaths: policy.denyPaths ?? base.denyPaths,
+        allowServices: policy.allowServices ?? base.allowServices,
+        allowContainers: policy.allowContainers ?? base.allowContainers,
+        maxOutputBytes: policy.maxOutputBytes ?? base.maxOutputBytes,
+        maxActionTimeoutSeconds: policy.maxActionTimeoutSeconds ?? base.maxActionTimeoutSeconds,
+        version: policy.version ?? base.version,
+    };
+}
+function normalizePolicyPath(value) {
+    const normalized = path.posix.normalize(value.replace(/\\/gu, "/"));
+    return normalized.replace(/\/$/u, "") || "/";
+}
+export function isPathAllowed(policy, filePath) {
+    const normalized = normalizePolicyPath(filePath);
+    const denied = policy.denyPaths.some((rawPrefix) => {
+        const prefix = normalizePolicyPath(rawPrefix);
+        if (prefix === "/") {
+            return normalized === "/";
+        }
+        return normalized === prefix || normalized.startsWith(`${prefix}/`);
+    });
+    if (denied) {
+        return false;
+    }
+    return policy.allowPaths.some((rawPrefix) => {
+        const prefix = normalizePolicyPath(rawPrefix);
+        return prefix === "/"
+            ? normalized === "/"
+            : normalized === prefix || normalized.startsWith(`${prefix}/`);
+    });
+}
+export function isServiceAllowed(policy, service) {
+    return policy.allowServices.includes("*") || policy.allowServices.includes(service);
+}
+export function isContainerAllowed(policy, container) {
+    return policy.allowContainers.includes("*") || policy.allowContainers.includes(container);
+}
+//# sourceMappingURL=policy.js.map

package/dist/remote/policy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy.js","sourceRoot":"","sources":["../../src/remote/policy.ts"],"names":[],"mappings":"AAAA,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EACL,mBAAmB,GAIpB,MAAM,YAAY,CAAC;AAMpB,SAAS,eAAe,CAAC,KAAc;IACrC,OAAO,MAAM,CAAC,WAAW,CAAC,mBAAmB,CAAC,GAAG,CAAC,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC,CAGrF,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,iBAAiB,CAAC,UAA4B,WAAW;IACvE,MAAM,IAAI,GAAG,eAAe,CAAC,KAAK,CAAC,CAAC;IACpC,IAAI,aAAa,GAAa,EAAE,CAAC;IACjC,IAAI,eAAe,GAAa,EAAE,CAAC;IAEnC,IAAI,OAAO,KAAK,WAAW,EAAE,CAAC;QAC5B,IAAI,CAAC,YAAY,CAAC,GAAG,IAAI,CAAC;QAC1B,IAAI,CAAC,aAAa,CAAC,GAAG,IAAI,CAAC;QAC3B,IAAI,CAAC,aAAa,CAAC,GAAG,IAAI,CAAC;QAC3B,IAAI,CAAC,WAAW,CAAC,GAAG,IAAI,CAAC;QACzB,IAAI,CAAC,YAAY,CAAC,GAAG,IAAI,CAAC;IAC5B,CAAC;IAED,IAAI,OAAO,KAAK,YAAY,EAAE,CAAC;QAC7B,IAAI,CAAC,YAAY,CAAC,GAAG,IAAI,CAAC;QAC1B,IAAI,CAAC,aAAa,CAAC,GAAG,IAAI,CAAC;QAC3B,IAAI,CAAC,aAAa,CAAC,GAAG,IAAI,CAAC;QAC3B,IAAI,CAAC,WAAW,CAAC,GAAG,IAAI,CAAC;QACzB,IAAI,CAAC,gBAAgB,CAAC,GAAG,IAAI,CAAC;QAC9B,IAAI,CAAC,eAAe,CAAC,GAAG,IAAI,CAAC;QAC7B,IAAI,CAAC,YAAY,CAAC,GAAG,IAAI,CAAC;QAC1B,IAAI,CAAC,YAAY,CAAC,GAAG,IAAI,CAAC;IAC5B,CAAC;IAED,IAAI,OAAO,KAAK,YAAY,EAAE,CAAC;QAC7B,KAAK,MAAM,UAAU,IAAI,mBAAmB,EAAE,CAAC;YAC7C,IAAI,CAAC,UAAU,CAAC,GAAG,IAAI,CAAC;QAC1B,CAAC;QACD,aAAa,GAAG,CAAC,GAAG,CAAC,CAAC;QACtB,eAAe,GAAG,CAAC,GAAG,CAAC,CAAC;IAC1B,CAAC;IAED,OAAO;QACL,OAAO;QACP,YAAY,EAAE,IAAI;QAClB,UAAU,EAAE,CAAC,MAAM,EAAE,UAAU,CAAC;QAChC,SAAS,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,CAAC;QAC1D,aAAa;QACb,eAAe;QACf,cAAc,EAAE,OAAO;QACvB,uBAAuB,EAAE,GAAG;QAC5B,OAAO,EAAE,CAAC;KACX,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,iBAAiB,CAAC,MAAwB;IACxD,MAAM,IAAI,GAAG,iBAAiB,CAAC,MAAM,CAAC,OAAO,IAAI,QAAQ,CAAC,CAAC;IAC3D,OAAO;QACL,GAAG,IAAI;QACP,GAAG,MAAM;QACT,OAAO,EAAE,MAAM,CAAC,OAAO,IAAI,QAAQ;QACnC,YAAY,EAAE;YACZ,GAAG,IAAI,CAAC,YAAY;YACpB,GAAG,CAAC,MAAM,CAAC,YAAY,IAAI,EAAE,CAAC;SAC/B;QACD,UAAU,EAAE,MAAM,CAAC,UAAU,IAAI,IAAI,CAAC,UAAU;QAChD,SAAS,EAAE,MAAM,CAAC,SAAS,IAAI,IAAI,CAAC,SAAS;QAC7C,aAAa,EAAE,MAAM,CAAC,aAAa,IAAI,IAAI,CAAC,aAAa;QACzD,eAAe,EAAE,MAAM,CAAC,eAAe,IAAI,IAAI,CAAC,eAAe;QAC/D,cAAc,EAAE,MAAM,CAAC,cAAc,IAAI,IAAI,CAAC,cAAc;QAC5D,uBAAuB,EAAE,MAAM,CAAC,uBAAuB,IAAI,IAAI,CAAC,uBAAuB;QACvF,OAAO,EAAE,MAAM,CAAC,OAAO,IAAI,IAAI,CAAC,OAAO;KACxC,CAAC;AACJ,CAAC;AAED,SAAS,mBAAmB,CAAC,KAAa;IACxC,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC,CAAC;IACpE,OAAO,UAAU,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,IAAI,GAAG,CAAC;AAC/C,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,MAAmB,EAAE,QAAgB;IACjE,MAAM,UAAU,GAAG,mBAAmB,CAAC,QAAQ,CAAC,CAAC;IACjD,MAAM,MAAM,GAAG,MAAM,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,EAAE;QACjD,MAAM,MAAM,GAAG,mBAAmB,CAAC,SAAS,CAAC,CAAC;QAC9C,IAAI,MAAM,KAAK,GAAG,EAAE,CAAC;YACnB,OAAO,UAAU,KAAK,GAAG,CAAC;QAC5B,CAAC;QACD,OAAO,UAAU,KAAK,MAAM,IAAI,UAAU,CAAC,UAAU,CAAC,GAAG,MAAM,GAAG,CAAC,CAAC;IACtE,CAAC,CAAC,CAAC;IACH,IAAI,MAAM,EAAE,CAAC;QACX,OAAO,KAAK,CAAC;IACf,CAAC;IACD,OAAO,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,EAAE;QAC1C,MAAM,MAAM,GAAG,mBAAmB,CAAC,SAAS,CAAC,CAAC;QAC9C,OAAO,MAAM,KAAK,GAAG;YACnB,CAAC,CAAC,UAAU,KAAK,GAAG;YACpB,CAAC,CAAC,UAAU,KAAK,MAAM,IAAI,UAAU,CAAC,UAAU,CAAC,GAAG,MAAM,GAAG,CAAC,CAAC;IACnE,CAAC,CAAC,CAAC;AACL,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,MAAmB,EAAE,OAAe;IACnE,OAAO,MAAM,CAAC,aAAa,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,MAAM,CAAC,aAAa,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;AACtF,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,MAAmB,EAAE,SAAiB;IACvE,OAAO,MAAM,CAAC,eAAe,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,MAAM,CAAC,eAAe,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;AAC5F,CAAC"}

package/dist/remote/schemas.d.ts

@@ -0,0 +1,298 @@
+import { z } from "zod";
+import { type ActionRequestEnvelope, type ActionResultEnvelope, type AgentHelloEnvelope, type AgentHostMetadata, type AgentPolicy, type PolicyUpdateEnvelope } from "./types.js";
+export declare const agentHostMetadataSchema: z.ZodObject<{
+    hostname: z.ZodString;
+    os: z.ZodString;
+    arch: z.ZodString;
+    platform: z.ZodString;
+}, z.core.$strict>;
+export declare const capabilityPolicySchema: z.ZodObject<{
+    "hosts.read": z.ZodBoolean;
+    "agents.read": z.ZodBoolean;
+    "agents.admin": z.ZodBoolean;
+    "system.read": z.ZodBoolean;
+    "logs.read": z.ZodBoolean;
+    "service.manage": z.ZodBoolean;
+    "docker.manage": z.ZodBoolean;
+    "files.read": z.ZodBoolean;
+    "files.write": z.ZodBoolean;
+    "shell.exec": z.ZodBoolean;
+    "sudo.exec": z.ZodBoolean;
+    "agent.admin": z.ZodBoolean;
+    "audit.read": z.ZodBoolean;
+}, z.core.$strict>;
+export declare const agentPolicySchema: z.ZodObject<{
+    profile: z.ZodEnum<{
+        "read-only": "read-only";
+        operations: "operations";
+        "full-admin": "full-admin";
+        custom: "custom";
+    }>;
+    capabilities: z.ZodObject<{
+        "hosts.read": z.ZodBoolean;
+        "agents.read": z.ZodBoolean;
+        "agents.admin": z.ZodBoolean;
+        "system.read": z.ZodBoolean;
+        "logs.read": z.ZodBoolean;
+        "service.manage": z.ZodBoolean;
+        "docker.manage": z.ZodBoolean;
+        "files.read": z.ZodBoolean;
+        "files.write": z.ZodBoolean;
+        "shell.exec": z.ZodBoolean;
+        "sudo.exec": z.ZodBoolean;
+        "agent.admin": z.ZodBoolean;
+        "audit.read": z.ZodBoolean;
+    }, z.core.$strict>;
+    allowPaths: z.ZodArray<z.ZodString>;
+    denyPaths: z.ZodArray<z.ZodString>;
+    allowServices: z.ZodArray<z.ZodString>;
+    allowContainers: z.ZodArray<z.ZodString>;
+    maxOutputBytes: z.ZodNumber;
+    maxActionTimeoutSeconds: z.ZodNumber;
+    version: z.ZodNumber;
+}, z.core.$strict>;
+export declare const agentHelloEnvelopeSchema: z.ZodObject<{
+    type: z.ZodLiteral<"agent.hello">;
+    agent_id: z.ZodString;
+    timestamp: z.ZodString;
+    nonce: z.ZodString;
+    capabilities: z.ZodArray<z.ZodEnum<{
+        "hosts.read": "hosts.read";
+        "agents.read": "agents.read";
+        "agents.admin": "agents.admin";
+        "system.read": "system.read";
+        "logs.read": "logs.read";
+        "service.manage": "service.manage";
+        "docker.manage": "docker.manage";
+        "files.read": "files.read";
+        "files.write": "files.write";
+        "shell.exec": "shell.exec";
+        "sudo.exec": "sudo.exec";
+        "agent.admin": "agent.admin";
+        "audit.read": "audit.read";
+    }>>;
+    agent_version: z.ZodString;
+    host: z.ZodObject<{
+        hostname: z.ZodString;
+        os: z.ZodString;
+        arch: z.ZodString;
+        platform: z.ZodString;
+    }, z.core.$strict>;
+    signature: z.ZodString;
+}, z.core.$strict>;
+export declare const actionRequestEnvelopeSchema: z.ZodObject<{
+    type: z.ZodLiteral<"action.request">;
+    action_id: z.ZodString;
+    agent_id: z.ZodString;
+    user_id: z.ZodString;
+    tool: z.ZodEnum<{
+        list_hosts: "list_hosts";
+        list_agents: "list_agents";
+        create_enrollment_token: "create_enrollment_token";
+        get_agent_install_command: "get_agent_install_command";
+        get_system_status: "get_system_status";
+        tail_logs: "tail_logs";
+        restart_service: "restart_service";
+        docker_ps: "docker_ps";
+        docker_logs: "docker_logs";
+        docker_restart: "docker_restart";
+        file_read: "file_read";
+        file_write: "file_write";
+        run_shell: "run_shell";
+        run_shell_as_root: "run_shell_as_root";
+        update_agent_policy: "update_agent_policy";
+        revoke_agent: "revoke_agent";
+        get_audit_events: "get_audit_events";
+    }>;
+    capability: z.ZodEnum<{
+        "hosts.read": "hosts.read";
+        "agents.read": "agents.read";
+        "agents.admin": "agents.admin";
+        "system.read": "system.read";
+        "logs.read": "logs.read";
+        "service.manage": "service.manage";
+        "docker.manage": "docker.manage";
+        "files.read": "files.read";
+        "files.write": "files.write";
+        "shell.exec": "shell.exec";
+        "sudo.exec": "sudo.exec";
+        "agent.admin": "agent.admin";
+        "audit.read": "audit.read";
+    }>;
+    args: z.ZodRecord<z.ZodString, z.ZodUnknown>;
+    policy_version: z.ZodNumber;
+    issued_at: z.ZodString;
+    deadline: z.ZodString;
+    nonce: z.ZodString;
+    signature: z.ZodString;
+}, z.core.$strict>;
+export declare const actionResultEnvelopeSchema: z.ZodObject<{
+    type: z.ZodLiteral<"action.result">;
+    action_id: z.ZodString;
+    agent_id: z.ZodString;
+    nonce: z.ZodString;
+    status: z.ZodEnum<{
+        error: "error";
+        ok: "ok";
+    }>;
+    exit_code: z.ZodOptional<z.ZodNumber>;
+    stdout: z.ZodOptional<z.ZodString>;
+    stderr: z.ZodOptional<z.ZodString>;
+    started_at: z.ZodString;
+    finished_at: z.ZodString;
+    truncated: z.ZodBoolean;
+    error_code: z.ZodOptional<z.ZodEnum<{
+        UNAUTHORIZED: "UNAUTHORIZED";
+        FORBIDDEN: "FORBIDDEN";
+        INVALID_TOKEN: "INVALID_TOKEN";
+        INVALID_SCOPE: "INVALID_SCOPE";
+        INVALID_CLIENT: "INVALID_CLIENT";
+        INVALID_REDIRECT_URI: "INVALID_REDIRECT_URI";
+        PKCE_VALIDATION_FAILED: "PKCE_VALIDATION_FAILED";
+        AGENT_NOT_FOUND: "AGENT_NOT_FOUND";
+        AGENT_OFFLINE: "AGENT_OFFLINE";
+        AGENT_REVOKED: "AGENT_REVOKED";
+        AGENT_TIMEOUT: "AGENT_TIMEOUT";
+        POLICY_DENIED: "POLICY_DENIED";
+        CAPABILITY_DENIED: "CAPABILITY_DENIED";
+        ACTION_EXPIRED: "ACTION_EXPIRED";
+        ACTION_REPLAY_DETECTED: "ACTION_REPLAY_DETECTED";
+        SIGNATURE_INVALID: "SIGNATURE_INVALID";
+        COMMAND_TIMEOUT: "COMMAND_TIMEOUT";
+        OUTPUT_TRUNCATED: "OUTPUT_TRUNCATED";
+        UNSUPPORTED_PLATFORM: "UNSUPPORTED_PLATFORM";
+        UNSUPPORTED_PLATFORM_OR_PRIVILEGE: "UNSUPPORTED_PLATFORM_OR_PRIVILEGE";
+        INTERNAL_ERROR: "INTERNAL_ERROR";
+    }>>;
+    message: z.ZodOptional<z.ZodString>;
+    signature: z.ZodString;
+}, z.core.$strict>;
+export declare const policyUpdateEnvelopeSchema: z.ZodObject<{
+    type: z.ZodLiteral<"policy.update">;
+    agent_id: z.ZodString;
+    policy: z.ZodObject<{
+        profile: z.ZodEnum<{
+            "read-only": "read-only";
+            operations: "operations";
+            "full-admin": "full-admin";
+            custom: "custom";
+        }>;
+        capabilities: z.ZodObject<{
+            "hosts.read": z.ZodBoolean;
+            "agents.read": z.ZodBoolean;
+            "agents.admin": z.ZodBoolean;
+            "system.read": z.ZodBoolean;
+            "logs.read": z.ZodBoolean;
+            "service.manage": z.ZodBoolean;
+            "docker.manage": z.ZodBoolean;
+            "files.read": z.ZodBoolean;
+            "files.write": z.ZodBoolean;
+            "shell.exec": z.ZodBoolean;
+            "sudo.exec": z.ZodBoolean;
+            "agent.admin": z.ZodBoolean;
+            "audit.read": z.ZodBoolean;
+        }, z.core.$strict>;
+        allowPaths: z.ZodArray<z.ZodString>;
+        denyPaths: z.ZodArray<z.ZodString>;
+        allowServices: z.ZodArray<z.ZodString>;
+        allowContainers: z.ZodArray<z.ZodString>;
+        maxOutputBytes: z.ZodNumber;
+        maxActionTimeoutSeconds: z.ZodNumber;
+        version: z.ZodNumber;
+    }, z.core.$strict>;
+    policy_version: z.ZodNumber;
+    issued_at: z.ZodString;
+    nonce: z.ZodString;
+    signature: z.ZodString;
+}, z.core.$strict>;
+export declare const controlPlaneEnvelopeSchema: z.ZodDiscriminatedUnion<[z.ZodObject<{
+    type: z.ZodLiteral<"action.request">;
+    action_id: z.ZodString;
+    agent_id: z.ZodString;
+    user_id: z.ZodString;
+    tool: z.ZodEnum<{
+        list_hosts: "list_hosts";
+        list_agents: "list_agents";
+        create_enrollment_token: "create_enrollment_token";
+        get_agent_install_command: "get_agent_install_command";
+        get_system_status: "get_system_status";
+        tail_logs: "tail_logs";
+        restart_service: "restart_service";
+        docker_ps: "docker_ps";
+        docker_logs: "docker_logs";
+        docker_restart: "docker_restart";
+        file_read: "file_read";
+        file_write: "file_write";
+        run_shell: "run_shell";
+        run_shell_as_root: "run_shell_as_root";
+        update_agent_policy: "update_agent_policy";
+        revoke_agent: "revoke_agent";
+        get_audit_events: "get_audit_events";
+    }>;
+    capability: z.ZodEnum<{
+        "hosts.read": "hosts.read";
+        "agents.read": "agents.read";
+        "agents.admin": "agents.admin";
+        "system.read": "system.read";
+        "logs.read": "logs.read";
+        "service.manage": "service.manage";
+        "docker.manage": "docker.manage";
+        "files.read": "files.read";
+        "files.write": "files.write";
+        "shell.exec": "shell.exec";
+        "sudo.exec": "sudo.exec";
+        "agent.admin": "agent.admin";
+        "audit.read": "audit.read";
+    }>;
+    args: z.ZodRecord<z.ZodString, z.ZodUnknown>;
+    policy_version: z.ZodNumber;
+    issued_at: z.ZodString;
+    deadline: z.ZodString;
+    nonce: z.ZodString;
+    signature: z.ZodString;
+}, z.core.$strict>, z.ZodObject<{
+    type: z.ZodLiteral<"policy.update">;
+    agent_id: z.ZodString;
+    policy: z.ZodObject<{
+        profile: z.ZodEnum<{
+            "read-only": "read-only";
+            operations: "operations";
+            "full-admin": "full-admin";
+            custom: "custom";
+        }>;
+        capabilities: z.ZodObject<{
+            "hosts.read": z.ZodBoolean;
+            "agents.read": z.ZodBoolean;
+            "agents.admin": z.ZodBoolean;
+            "system.read": z.ZodBoolean;
+            "logs.read": z.ZodBoolean;
+            "service.manage": z.ZodBoolean;
+            "docker.manage": z.ZodBoolean;
+            "files.read": z.ZodBoolean;
+            "files.write": z.ZodBoolean;
+            "shell.exec": z.ZodBoolean;
+            "sudo.exec": z.ZodBoolean;
+            "agent.admin": z.ZodBoolean;
+            "audit.read": z.ZodBoolean;
+        }, z.core.$strict>;
+        allowPaths: z.ZodArray<z.ZodString>;
+        denyPaths: z.ZodArray<z.ZodString>;
+        allowServices: z.ZodArray<z.ZodString>;
+        allowContainers: z.ZodArray<z.ZodString>;
+        maxOutputBytes: z.ZodNumber;
+        maxActionTimeoutSeconds: z.ZodNumber;
+        version: z.ZodNumber;
+    }, z.core.$strict>;
+    policy_version: z.ZodNumber;
+    issued_at: z.ZodString;
+    nonce: z.ZodString;
+    signature: z.ZodString;
+}, z.core.$strict>], "type">;
+export declare function parseAgentHostMetadata(value: unknown): AgentHostMetadata;
+export declare function parseAgentPolicy(value: unknown): AgentPolicy;
+export declare function parseAgentHelloEnvelope(value: unknown): AgentHelloEnvelope;
+export declare function parseActionRequestEnvelope(value: unknown): ActionRequestEnvelope;
+export declare function parseActionResultEnvelope(value: unknown): ActionResultEnvelope;
+export declare function parsePolicyUpdateEnvelope(value: unknown): PolicyUpdateEnvelope;
+export declare function parseControlPlaneEnvelope(value: unknown): ActionRequestEnvelope | PolicyUpdateEnvelope;
+//# sourceMappingURL=schemas.d.ts.map

package/dist/remote/schemas.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"schemas.d.ts","sourceRoot":"","sources":["../../src/remote/schemas.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAIL,KAAK,qBAAqB,EAC1B,KAAK,oBAAoB,EACzB,KAAK,kBAAkB,EACvB,KAAK,iBAAiB,EACtB,KAAK,WAAW,EAChB,KAAK,oBAAoB,EAC1B,MAAM,YAAY,CAAC;AAMpB,eAAO,MAAM,uBAAuB;;;;;kBAOzB,CAAC;AAMZ,eAAO,MAAM,sBAAsB;;;;;;;;;;;;;;kBAA2C,CAAC;AAE/E,eAAO,MAAM,iBAAiB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kBAYnB,CAAC;AAEZ,eAAO,MAAM,wBAAwB;;;;;;;;;;;;;;;;;;;;;;;;;;;;kBAW1B,CAAC;AAEZ,eAAO,MAAM,2BAA2B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kBAe7B,CAAC;AAEZ,eAAO,MAAM,0BAA0B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kBAiB5B,CAAC;AAEZ,eAAO,MAAM,0BAA0B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kBAU5B,CAAC;AAEZ,eAAO,MAAM,0BAA0B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;4BAGrC,CAAC;AAEH,wBAAgB,sBAAsB,CAAC,KAAK,EAAE,OAAO,GAAG,iBAAiB,CAExE;AAED,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,OAAO,GAAG,WAAW,CAE5D;AAED,wBAAgB,uBAAuB,CAAC,KAAK,EAAE,OAAO,GAAG,kBAAkB,CAE1E;AAED,wBAAgB,0BAA0B,CAAC,KAAK,EAAE,OAAO,GAAG,qBAAqB,CAEhF;AAED,wBAAgB,yBAAyB,CAAC,KAAK,EAAE,OAAO,GAAG,oBAAoB,CAE9E;AAED,wBAAgB,yBAAyB,CAAC,KAAK,EAAE,OAAO,GAAG,oBAAoB,CAE9E;AAED,wBAAgB,yBAAyB,CACvC,KAAK,EAAE,OAAO,GACb,qBAAqB,GAAG,oBAAoB,CAE9C"}

package/dist/remote/schemas.js

@@ -0,0 +1,111 @@
+import { z } from "zod";
+import { REMOTE_CAPABILITIES, REMOTE_ERROR_CODES, REMOTE_TOOLS, } from "./types.js";
+const capabilitySchema = z.enum(REMOTE_CAPABILITIES);
+const toolSchema = z.enum(REMOTE_TOOLS);
+const errorCodeSchema = z.enum(REMOTE_ERROR_CODES);
+export const agentHostMetadataSchema = z
+    .object({
+    hostname: z.string().min(1).max(255),
+    os: z.string().min(1).max(128),
+    arch: z.string().min(1).max(64),
+    platform: z.string().min(1).max(128),
+})
+    .strict();
+const capabilityPolicyShape = Object.fromEntries(REMOTE_CAPABILITIES.map((capability) => [capability, z.boolean()]));
+export const capabilityPolicySchema = z.object(capabilityPolicyShape).strict();
+export const agentPolicySchema = z
+    .object({
+    profile: z.enum(["read-only", "operations", "full-admin", "custom"]),
+    capabilities: capabilityPolicySchema,
+    allowPaths: z.array(z.string()),
+    denyPaths: z.array(z.string()),
+    allowServices: z.array(z.string()),
+    allowContainers: z.array(z.string()),
+    maxOutputBytes: z.number().int().positive().max(10_000_000),
+    maxActionTimeoutSeconds: z.number().int().positive().max(3600),
+    version: z.number().int().positive(),
+})
+    .strict();
+export const agentHelloEnvelopeSchema = z
+    .object({
+    type: z.literal("agent.hello"),
+    agent_id: z.string().min(1),
+    timestamp: z.string().datetime(),
+    nonce: z.string().min(16),
+    capabilities: z.array(capabilitySchema),
+    agent_version: z.string().min(1).max(128),
+    host: agentHostMetadataSchema,
+    signature: z.string().min(1),
+})
+    .strict();
+export const actionRequestEnvelopeSchema = z
+    .object({
+    type: z.literal("action.request"),
+    action_id: z.string().min(1),
+    agent_id: z.string().min(1),
+    user_id: z.string().min(1),
+    tool: toolSchema,
+    capability: capabilitySchema,
+    args: z.record(z.string(), z.unknown()),
+    policy_version: z.number().int().positive(),
+    issued_at: z.string().datetime(),
+    deadline: z.string().datetime(),
+    nonce: z.string().min(16),
+    signature: z.string().min(1),
+})
+    .strict();
+export const actionResultEnvelopeSchema = z
+    .object({
+    type: z.literal("action.result"),
+    action_id: z.string().min(1),
+    agent_id: z.string().min(1),
+    nonce: z.string().min(16),
+    status: z.enum(["ok", "error"]),
+    exit_code: z.number().int().optional(),
+    stdout: z.string().optional(),
+    stderr: z.string().optional(),
+    started_at: z.string().datetime(),
+    finished_at: z.string().datetime(),
+    truncated: z.boolean(),
+    error_code: errorCodeSchema.optional(),
+    message: z.string().optional(),
+    signature: z.string().min(1),
+})
+    .strict();
+export const policyUpdateEnvelopeSchema = z
+    .object({
+    type: z.literal("policy.update"),
+    agent_id: z.string().min(1),
+    policy: agentPolicySchema,
+    policy_version: z.number().int().positive(),
+    issued_at: z.string().datetime(),
+    nonce: z.string().min(16),
+    signature: z.string().min(1),
+})
+    .strict();
+export const controlPlaneEnvelopeSchema = z.discriminatedUnion("type", [
+    actionRequestEnvelopeSchema,
+    policyUpdateEnvelopeSchema,
+]);
+export function parseAgentHostMetadata(value) {
+    return agentHostMetadataSchema.parse(value);
+}
+export function parseAgentPolicy(value) {
+    return agentPolicySchema.parse(value);
+}
+export function parseAgentHelloEnvelope(value) {
+    return agentHelloEnvelopeSchema.parse(value);
+}
+export function parseActionRequestEnvelope(value) {
+    return actionRequestEnvelopeSchema.parse(value);
+}
+export function parseActionResultEnvelope(value) {
+    return actionResultEnvelopeSchema.parse(value);
+}
+export function parsePolicyUpdateEnvelope(value) {
+    return policyUpdateEnvelopeSchema.parse(value);
+}
+export function parseControlPlaneEnvelope(value) {
+    return controlPlaneEnvelopeSchema.parse(value);
+}
+//# sourceMappingURL=schemas.js.map

package/dist/remote/schemas.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"schemas.js","sourceRoot":"","sources":["../../src/remote/schemas.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EACL,mBAAmB,EACnB,kBAAkB,EAClB,YAAY,GAOb,MAAM,YAAY,CAAC;AAEpB,MAAM,gBAAgB,GAAG,CAAC,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC;AACrD,MAAM,UAAU,GAAG,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;AACxC,MAAM,eAAe,GAAG,CAAC,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;AAEnD,MAAM,CAAC,MAAM,uBAAuB,GAAG,CAAC;KACrC,MAAM,CAAC;IACN,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC;IACpC,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC;IAC9B,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,EAAE,CAAC;IAC/B,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC;CACrC,CAAC;KACD,MAAM,EAAE,CAAC;AAEZ,MAAM,qBAAqB,GAAG,MAAM,CAAC,WAAW,CAC9C,mBAAmB,CAAC,GAAG,CAAC,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC,UAAU,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,CACL,CAAC;AAEhE,MAAM,CAAC,MAAM,sBAAsB,GAAG,CAAC,CAAC,MAAM,CAAC,qBAAqB,CAAC,CAAC,MAAM,EAAE,CAAC;AAE/E,MAAM,CAAC,MAAM,iBAAiB,GAAG,CAAC;KAC/B,MAAM,CAAC;IACN,OAAO,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,YAAY,EAAE,YAAY,EAAE,QAAQ,CAAC,CAAC;IACpE,YAAY,EAAE,sBAAsB;IACpC,UAAU,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;IAC/B,SAAS,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;IAC9B,aAAa,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;IAClC,eAAe,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;IACpC,cAAc,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,GAAG,CAAC,UAAU,CAAC;IAC3D,uBAAuB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC;IAC9D,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;CACrC,CAAC;KACD,MAAM,EAAE,CAAC;AAEZ,MAAM,CAAC,MAAM,wBAAwB,GAAG,CAAC;KACtC,MAAM,CAAC;IACN,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,aAAa,CAAC;IAC9B,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC3B,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAChC,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC;IACzB,YAAY,EAAE,CAAC,CAAC,KAAK,CAAC,gBAAgB,CAAC;IACvC,aAAa,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC;IACzC,IAAI,EAAE,uBAAuB;IAC7B,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;CAC7B,CAAC;KACD,MAAM,EAAE,CAAC;AAEZ,MAAM,CAAC,MAAM,2BAA2B,GAAG,CAAC;KACzC,MAAM,CAAC;IACN,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,gBAAgB,CAAC;IACjC,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC5B,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC3B,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC1B,IAAI,EAAE,UAAU;IAChB,UAAU,EAAE,gBAAgB;IAC5B,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC;IACvC,cAAc,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAC3C,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAChC,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC/B,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC;IACzB,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;CAC7B,CAAC;KACD,MAAM,EAAE,CAAC;AAEZ,MAAM,CAAC,MAAM,0BAA0B,GAAG,CAAC;KACxC,MAAM,CAAC;IACN,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,eAAe,CAAC;IAChC,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC5B,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC3B,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC;IACzB,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IAC/B,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IACtC,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC7B,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC7B,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACjC,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAClC,SAAS,EAAE,CAAC,CAAC,OAAO,EAAE;IACtB,UAAU,EAAE,eAAe,CAAC,QAAQ,EAAE;IACtC,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC9B,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;CAC7B,CAAC;KACD,MAAM,EAAE,CAAC;AAEZ,MAAM,CAAC,MAAM,0BAA0B,GAAG,CAAC;KACxC,MAAM,CAAC;IACN,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,eAAe,CAAC;IAChC,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC3B,MAAM,EAAE,iBAAiB;IACzB,cAAc,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAC3C,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAChC,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC;IACzB,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;CAC7B,CAAC;KACD,MAAM,EAAE,CAAC;AAEZ,MAAM,CAAC,MAAM,0BAA0B,GAAG,CAAC,CAAC,kBAAkB,CAAC,MAAM,EAAE;IACrE,2BAA2B;IAC3B,0BAA0B;CAC3B,CAAC,CAAC;AAEH,MAAM,UAAU,sBAAsB,CAAC,KAAc;IACnD,OAAO,uBAAuB,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;AAC9C,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,KAAc;IAC7C,OAAO,iBAAiB,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;AACxC,CAAC;AAED,MAAM,UAAU,uBAAuB,CAAC,KAAc;IACpD,OAAO,wBAAwB,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;AAC/C,CAAC;AAED,MAAM,UAAU,0BAA0B,CAAC,KAAc;IACvD,OAAO,2BAA2B,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;AAClD,CAAC;AAED,MAAM,UAAU,yBAAyB,CAAC,KAAc;IACtD,OAAO,0BAA0B,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;AACjD,CAAC;AAED,MAAM,UAAU,yBAAyB,CAAC,KAAc;IACtD,OAAO,0BAA0B,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;AACjD,CAAC;AAED,MAAM,UAAU,yBAAyB,CACvC,KAAc;IAEd,OAAO,0BAA0B,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;AACjD,CAAC"}

package/dist/remote/scopes.d.ts

@@ -0,0 +1,6 @@
+import { type RemoteCapability, type RemoteScope } from "./types.js";
+export declare function parseScopes(scope: string | undefined): RemoteScope[];
+export declare function capabilitiesFromScopes(scopes: RemoteScope[]): RemoteCapability[];
+export declare function hasCapability(capabilities: readonly RemoteCapability[], capability: RemoteCapability): boolean;
+export declare function allRemoteScopes(): RemoteScope[];
+//# sourceMappingURL=scopes.d.ts.map

package/dist/remote/scopes.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"scopes.d.ts","sourceRoot":"","sources":["../../src/remote/scopes.ts"],"names":[],"mappings":"AAAA,OAAO,EAGL,KAAK,gBAAgB,EACrB,KAAK,WAAW,EACjB,MAAM,YAAY,CAAC;AAEpB,wBAAgB,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,SAAS,GAAG,WAAW,EAAE,CAQpE;AAED,wBAAgB,sBAAsB,CAAC,MAAM,EAAE,WAAW,EAAE,GAAG,gBAAgB,EAAE,CAQhF;AAED,wBAAgB,aAAa,CAC3B,YAAY,EAAE,SAAS,gBAAgB,EAAE,EACzC,UAAU,EAAE,gBAAgB,GAC3B,OAAO,CAET;AAED,wBAAgB,eAAe,IAAI,WAAW,EAAE,CAE/C"}

package/dist/remote/scopes.js

@@ -0,0 +1,24 @@
+import { REMOTE_SCOPES, SCOPE_CAPABILITY_MAP, } from "./types.js";
+export function parseScopes(scope) {
+    if (!scope) {
+        return [];
+    }
+    const requested = scope.split(/\s+/u).filter(Boolean);
+    return requested.filter((item) => REMOTE_SCOPES.includes(item));
+}
+export function capabilitiesFromScopes(scopes) {
+    const capabilities = new Set();
+    for (const scope of scopes) {
+        for (const capability of SCOPE_CAPABILITY_MAP[scope]) {
+            capabilities.add(capability);
+        }
+    }
+    return [...capabilities];
+}
+export function hasCapability(capabilities, capability) {
+    return capabilities.includes(capability);
+}
+export function allRemoteScopes() {
+    return [...REMOTE_SCOPES];
+}
+//# sourceMappingURL=scopes.js.map

package/dist/remote/scopes.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scopes.js","sourceRoot":"","sources":["../../src/remote/scopes.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,aAAa,EACb,oBAAoB,GAGrB,MAAM,YAAY,CAAC;AAEpB,MAAM,UAAU,WAAW,CAAC,KAAyB;IACnD,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,MAAM,SAAS,GAAG,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IACtD,OAAO,SAAS,CAAC,MAAM,CAAC,CAAC,IAAI,EAAuB,EAAE,CACpD,aAAa,CAAC,QAAQ,CAAC,IAAmB,CAAC,CAC5C,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,sBAAsB,CAAC,MAAqB;IAC1D,MAAM,YAAY,GAAG,IAAI,GAAG,EAAoB,CAAC;IACjD,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,KAAK,MAAM,UAAU,IAAI,oBAAoB,CAAC,KAAK,CAAC,EAAE,CAAC;YACrD,YAAY,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QAC/B,CAAC;IACH,CAAC;IACD,OAAO,CAAC,GAAG,YAAY,CAAC,CAAC;AAC3B,CAAC;AAED,MAAM,UAAU,aAAa,CAC3B,YAAyC,EACzC,UAA4B;IAE5B,OAAO,YAAY,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;AAC3C,CAAC;AAED,MAAM,UAAU,eAAe;IAC7B,OAAO,CAAC,GAAG,aAAa,CAAC,CAAC;AAC5B,CAAC"}

package/dist/remote/store.d.ts

@@ -0,0 +1,45 @@
+import type { ActionRecord, AgentEnrollmentTokenRecord, AuditEvent, GitHubUser, OAuthAuthorizationCode, OAuthClient, RemoteAgentRecord } from "./types.js";
+type SqlValue = string | number | null;
+type NodeSqliteModule = {
+    DatabaseSync: unknown;
+};
+type RemoteStoreOptions = {
+    loadSqlite?: () => NodeSqliteModule;
+};
+export declare class RemoteStore {
+    private readonly db;
+    constructor(databaseUrl: string, options?: RemoteStoreOptions);
+    close(): void;
+    private migrate;
+    upsertUser(user: GitHubUser & {
+        internalId: string;
+        now: string;
+    }): void;
+    getUserByGitHubId(githubId: string): {
+        id: string;
+        githubId: string;
+        githubLogin: string;
+    } | undefined;
+    insertClient(client: OAuthClient): void;
+    getClient(clientId: string): OAuthClient | undefined;
+    countOAuthClients(): number;
+    insertAuthorizationCode(code: OAuthAuthorizationCode): void;
+    getAuthorizationCodeByHash(codeHash: string): OAuthAuthorizationCode | undefined;
+    markAuthorizationCodeUsed(codeHash: string, usedAt: string): void;
+    insertAgent(agent: RemoteAgentRecord): void;
+    updateAgent(agent: RemoteAgentRecord): void;
+    getAgent(agentId: string): RemoteAgentRecord | undefined;
+    getAgentByAlias(userId: string, alias: string): RemoteAgentRecord | undefined;
+    listAgents(userId: string): RemoteAgentRecord[];
+    private agentFromRow;
+    insertEnrollmentToken(token: AgentEnrollmentTokenRecord): void;
+    getEnrollmentTokenByHash(tokenHash: string): AgentEnrollmentTokenRecord | undefined;
+    markEnrollmentTokenUsed(tokenHash: string, usedAt: string): void;
+    insertAction(action: ActionRecord): void;
+    updateAction(action: ActionRecord): void;
+    insertAudit(event: AuditEvent): void;
+    listAudit(userId: string, agentId: string | undefined, limit: number): AuditEvent[];
+    run(sql: string, ...params: SqlValue[]): void;
+}
+export {};
+//# sourceMappingURL=store.d.ts.map

package/dist/remote/store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"store.d.ts","sourceRoot":"","sources":["../../src/remote/store.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EACV,YAAY,EACZ,0BAA0B,EAC1B,UAAU,EACV,UAAU,EACV,sBAAsB,EACtB,WAAW,EACX,iBAAiB,EAClB,MAAM,YAAY,CAAC;AAEpB,KAAK,QAAQ,GAAG,MAAM,GAAG,MAAM,GAAG,IAAI,CAAC;AAEvC,KAAK,gBAAgB,GAAG;IAAE,YAAY,EAAE,OAAO,CAAA;CAAE,CAAC;AAElD,KAAK,kBAAkB,GAAG;IACxB,UAAU,CAAC,EAAE,MAAM,gBAAgB,CAAC;CACrC,CAAC;AAsDF,qBAAa,WAAW;IACtB,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAwC;gBAE/C,WAAW,EAAE,MAAM,EAAE,OAAO,GAAE,kBAAuB;IAWjE,KAAK,IAAI,IAAI;IAIb,OAAO,CAAC,OAAO;IA0Ff,UAAU,CAAC,IAAI,EAAE,UAAU,GAAG;QAAE,UAAU,EAAE,MAAM,CAAC;QAAC,GAAG,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI;IAUxE,iBAAiB,CACf,QAAQ,EAAE,MAAM,GACf;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAC;QAAC,WAAW,EAAE,MAAM,CAAA;KAAE,GAAG,SAAS;IAcpE,YAAY,CAAC,MAAM,EAAE,WAAW,GAAG,IAAI;IAmBvC,SAAS,CAAC,QAAQ,EAAE,MAAM,GAAG,WAAW,GAAG,SAAS;IAmBpD,iBAAiB,IAAI,MAAM;IAO3B,uBAAuB,CAAC,IAAI,EAAE,sBAAsB,GAAG,IAAI;IAuB3D,0BAA0B,CAAC,QAAQ,EAAE,MAAM,GAAG,sBAAsB,GAAG,SAAS;IAuBhF,yBAAyB,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,IAAI;IAWjE,WAAW,CAAC,KAAK,EAAE,iBAAiB,GAAG,IAAI;IAuB3C,WAAW,CAAC,KAAK,EAAE,iBAAiB,GAAG,IAAI;IAsB3C,QAAQ,CAAC,OAAO,EAAE,MAAM,GAAG,iBAAiB,GAAG,SAAS;IAOxD,eAAe,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,iBAAiB,GAAG,SAAS;IAO7E,UAAU,CAAC,MAAM,EAAE,MAAM,GAAG,iBAAiB,EAAE;IAQ/C,OAAO,CAAC,YAAY;IAmBpB,qBAAqB,CAAC,KAAK,EAAE,0BAA0B,GAAG,IAAI;IAkB9D,wBAAwB,CAAC,SAAS,EAAE,MAAM,GAAG,0BAA0B,GAAG,SAAS;IAkBnF,uBAAuB,CAAC,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,IAAI;IAWhE,YAAY,CAAC,MAAM,EAAE,YAAY,GAAG,IAAI;IAuBxC,YAAY,CAAC,MAAM,EAAE,YAAY,GAAG,IAAI;IAgBxC,WAAW,CAAC,KAAK,EAAE,UAAU,GAAG,IAAI;IAmBpC,SAAS,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,SAAS,EAAE,KAAK,EAAE,MAAM,GAAG,UAAU,EAAE;IAuBnF,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,MAAM,EAAE,QAAQ,EAAE,GAAG,IAAI;CAG9C"}