thevoidforge 21.0.0

package/dist/wizard/api/cloud-providers.js

@@ -0,0 +1,363 @@
+import { request as httpsRequest } from 'node:https';
+import { addRoute } from '../router.js';
+import { vaultSet, vaultKeys } from '../lib/vault.js';
+import { getSessionPassword } from './credentials.js';
+import { parseJsonBody } from '../lib/body-parser.js';
+import { sendJson } from '../lib/http-helpers.js';
+function requirePassword(res) {
+    const password = getSessionPassword();
+    if (!password) {
+        sendJson(res, 401, { error: 'Vault is locked.' });
+        return null;
+    }
+    return password;
+}
+export const PROVIDERS = [
+    {
+        id: 'aws',
+        name: 'Amazon Web Services',
+        fields: [
+            { key: 'aws-access-key-id', label: 'Access Key ID', placeholder: 'AKIA...', secret: false },
+            { key: 'aws-secret-access-key', label: 'Secret Access Key', placeholder: 'wJalr...', secret: true },
+            { key: 'aws-region', label: 'Default Region', placeholder: 'us-east-1', secret: false },
+        ],
+        deployTargets: ['vps', 'static'],
+        description: 'EC2 instances, S3, RDS, ElastiCache, Route53, SES',
+        credentialUrl: 'https://console.aws.amazon.com/iam/home#/security_credentials',
+        help: '<ol><li>Sign in to the <a href="https://console.aws.amazon.com" target="_blank" rel="noopener">AWS Console</a></li><li>Go to <strong>IAM &rarr; Security Credentials</strong></li><li>Under "Access keys", click <strong>Create access key</strong></li><li>Copy the <strong>Access Key ID</strong> and <strong>Secret Access Key</strong></li><li>For region, use the region closest to your users (e.g. <code>us-east-1</code>)</li></ol><p>For production, create a dedicated IAM user with limited permissions instead of using root credentials.</p>',
+    },
+    {
+        id: 'vercel',
+        name: 'Vercel',
+        fields: [
+            { key: 'vercel-token', label: 'API Token', placeholder: 'Bearer token', secret: true },
+        ],
+        deployTargets: ['vercel'],
+        description: 'Serverless deployment for Next.js and static sites',
+        credentialUrl: 'https://vercel.com/account/tokens',
+        help: '<ol><li>Sign in to <a href="https://vercel.com" target="_blank" rel="noopener">vercel.com</a></li><li>Go to <strong>Settings &rarr; Tokens</strong></li><li>Click <strong>Create Token</strong></li><li>Give it a name (e.g. "VoidForge") and set scope to your team or personal account</li><li>Copy the token — it won\'t be shown again</li></ol>',
+    },
+    {
+        id: 'railway',
+        name: 'Railway',
+        fields: [
+            { key: 'railway-token', label: 'API Token', placeholder: 'Token', secret: true },
+        ],
+        deployTargets: ['railway'],
+        description: 'Managed deployment with Postgres, Redis, and auto-scaling',
+        credentialUrl: 'https://railway.com/account/tokens',
+        help: '<ol><li>Sign in to <a href="https://railway.com" target="_blank" rel="noopener">railway.com</a></li><li>Go to <strong>Account Settings &rarr; Tokens</strong></li><li>Click <strong>Create Token</strong></li><li>Give it a name and copy the token</li></ol>',
+    },
+    {
+        id: 'cloudflare',
+        name: 'Cloudflare',
+        fields: [
+            { key: 'cloudflare-api-token', label: 'API Token', placeholder: 'Token', secret: true },
+            { key: 'cloudflare-account-id', label: 'Account ID', placeholder: 'e.g. 1a2b3c...', secret: false },
+        ],
+        deployTargets: ['cloudflare'],
+        description: 'Workers, Pages, D1, R2 — edge-first deployment',
+        credentialUrl: 'https://dash.cloudflare.com/profile/api-tokens',
+        help: '<ol><li>Sign in to the <a href="https://dash.cloudflare.com" target="_blank" rel="noopener">Cloudflare Dashboard</a></li><li>Go to <strong>My Profile &rarr; API Tokens</strong></li><li>Click <strong>Create Token</strong></li><li>Use a <strong>custom token</strong> with permissions: <strong>Zone:DNS:Edit</strong>, <strong>Account:Cloudflare Pages:Edit</strong>, and <strong>Account:Registrar:Edit</strong> (for DNS wiring, Pages deployment, and domain registration)</li><li>Your <strong>Account ID</strong> is on the right sidebar of any zone\'s overview page, or at <strong>dash.cloudflare.com</strong> in the URL</li><li>Copy the token — it won\'t be shown again</li></ol>',
+    },
+    {
+        id: 'github',
+        name: 'GitHub',
+        fields: [
+            { key: 'github-token', label: 'Personal Access Token', placeholder: 'ghp_...', secret: true },
+            { key: 'github-owner', label: 'Owner (optional)', placeholder: 'username or org — defaults to token owner', secret: false, optional: true },
+        ],
+        deployTargets: ['vercel', 'cloudflare', 'railway', 'vps', 'static'],
+        description: 'Push code to GitHub for auto-deploy. Required for Vercel, Cloudflare Pages, and Railway.',
+        credentialUrl: 'https://github.com/settings/tokens',
+        help: '<ol><li>Sign in to <a href="https://github.com" target="_blank" rel="noopener">GitHub</a></li><li>Go to <strong>Settings &rarr; Developer settings &rarr; Personal access tokens &rarr; Fine-grained tokens</strong></li><li>Click <strong>Generate new token</strong></li><li>Set repository access to <strong>All repositories</strong> (or select specific repos)</li><li>Under permissions, enable: <strong>Contents: Read and write</strong> and <strong>Administration: Read and write</strong></li><li>Copy the token — it won\'t be shown again</li></ol><p>Classic tokens also work — select the <code>repo</code> scope.</p>',
+    },
+];
+// --- Validation functions ---
+function httpsGet(hostname, path, headers) {
+    return new Promise((resolve, reject) => {
+        const req = httpsRequest({ hostname, path, method: 'GET', headers, timeout: 10000 }, (res) => {
+            let body = '';
+            res.on('data', (chunk) => { body += chunk.toString(); });
+            res.on('end', () => resolve({ status: res.statusCode ?? 0, body }));
+        });
+        req.on('error', reject);
+        req.on('timeout', () => { req.destroy(); reject(new Error('Timed out')); });
+        req.end();
+    });
+}
+async function validateAws(accessKeyId, secretKey, region) {
+    // Format validation first
+    if (!accessKeyId.startsWith('AKIA') || accessKeyId.length < 16) {
+        return { valid: false, error: 'Access Key ID should start with AKIA and be at least 16 characters' };
+    }
+    if (secretKey.length < 20) {
+        return { valid: false, error: 'Secret Access Key seems too short' };
+    }
+    const validRegions = ['us-east-1', 'us-east-2', 'us-west-1', 'us-west-2', 'eu-west-1', 'eu-west-2', 'eu-central-1', 'ap-southeast-1', 'ap-southeast-2', 'ap-northeast-1', 'ap-south-1', 'sa-east-1', 'ca-central-1'];
+    if (region && !validRegions.includes(region)) {
+        return { valid: false, error: `Unknown region "${region}". Common regions: us-east-1, us-west-2, eu-west-1` };
+    }
+    // v17.0: Real STS validation — call GetCallerIdentity (zero-permission call that validates credentials)
+    try {
+        const { STSClient, GetCallerIdentityCommand } = await import('@aws-sdk/client-sts');
+        const sts = new STSClient({
+            region: region || 'us-east-1',
+            credentials: { accessKeyId, secretAccessKey: secretKey },
+        });
+        const identity = await sts.send(new GetCallerIdentityCommand({}));
+        return { valid: true, identity: identity.Arn ?? identity.Account ?? 'Verified' };
+    }
+    catch (err) {
+        const message = err instanceof Error ? err.message : 'AWS credential validation failed';
+        if (message.includes('not authorized') || message.includes('InvalidClientTokenId') || message.includes('SignatureDoesNotMatch')) {
+            return { valid: false, error: `Invalid AWS credentials: ${message}` };
+        }
+        // Network errors — credentials might be valid but can't reach AWS
+        return { valid: false, error: `Could not reach AWS to validate: ${message}` };
+    }
+}
+async function validateVercel(token) {
+    try {
+        const { status, body } = await httpsGet('api.vercel.com', '/v2/user', {
+            'Authorization': `Bearer ${token}`,
+        });
+        if (status === 200) {
+            const data = JSON.parse(body);
+            return { valid: true, identity: data.user?.username };
+        }
+        if (status === 401 || status === 403) {
+            return { valid: false, error: 'Invalid or expired token' };
+        }
+        return { valid: false, error: `Vercel API returned ${status}` };
+    }
+    catch (err) {
+        return { valid: false, error: `Connection failed: ${err.message}` };
+    }
+}
+async function validateRailway(token) {
+    try {
+        // Railway uses GraphQL — try multiple queries since schema evolves
+        // Team tokens may not have access to `me`, so fall back to listing projects
+        const queries = [
+            { query: '{ me { name email } }', extract: (d) => { const me = d.me; return me?.name || me?.email; } },
+            { query: '{ projects { edges { node { name } } } }', extract: () => 'authenticated' },
+        ];
+        for (const q of queries) {
+            const postData = JSON.stringify({ query: q.query });
+            const result = await new Promise((resolve, reject) => {
+                const req = httpsRequest({
+                    hostname: 'backboard.railway.com',
+                    path: '/graphql/v2',
+                    method: 'POST',
+                    headers: {
+                        'Authorization': `Bearer ${token}`,
+                        'Content-Type': 'application/json',
+                        'Content-Length': Buffer.byteLength(postData),
+                    },
+                    timeout: 10000,
+                }, (res) => {
+                    let body = '';
+                    res.on('data', (chunk) => { body += chunk.toString(); });
+                    res.on('end', () => resolve({ status: res.statusCode ?? 0, body }));
+                });
+                req.on('error', reject);
+                req.on('timeout', () => { req.destroy(); reject(new Error('Timed out')); });
+                req.write(postData);
+                req.end();
+            });
+            if (result.status === 401) {
+                return { valid: false, error: 'Invalid or expired token' };
+            }
+            if (result.status === 200) {
+                const parsed = JSON.parse(result.body);
+                // If the query succeeded with data (no errors, or errors but still got data)
+                if (parsed.data && !parsed.errors) {
+                    const identity = q.extract(parsed.data);
+                    if (identity)
+                        return { valid: true, identity };
+                }
+                // If this query errored, try the next one
+                continue;
+            }
+            return { valid: false, error: `Railway API returned ${result.status}` };
+        }
+        // If we got here, all queries returned 200 but none yielded identity — token is likely valid
+        return { valid: true, identity: 'connected' };
+    }
+    catch (err) {
+        return { valid: false, error: `Connection failed: ${err.message}` };
+    }
+}
+async function validateGithub(token) {
+    try {
+        const { status, body } = await httpsGet('api.github.com', '/user', {
+            'Authorization': `Bearer ${token}`,
+            'User-Agent': 'VoidForge',
+            'X-GitHub-Api-Version': '2022-11-28',
+        });
+        if (status === 200) {
+            const data = JSON.parse(body);
+            return { valid: true, identity: data.login };
+        }
+        if (status === 401) {
+            return { valid: false, error: 'Invalid or expired token' };
+        }
+        if (status === 403) {
+            return { valid: false, error: 'Token lacks required permissions. Ensure "repo" scope (classic) or "Contents: Read and write" (fine-grained).' };
+        }
+        return { valid: false, error: `GitHub API returned ${status}` };
+    }
+    catch (err) {
+        return { valid: false, error: `Connection failed: ${err.message}` };
+    }
+}
+async function validateCloudflare(token) {
+    try {
+        const { status, body } = await httpsGet('api.cloudflare.com', '/client/v4/user/tokens/verify', {
+            'Authorization': `Bearer ${token}`,
+        });
+        if (status === 200) {
+            const data = JSON.parse(body);
+            if (data.success && data.result?.status === 'active') {
+                return { valid: true, identity: 'active token' };
+            }
+            return { valid: false, error: 'Token is not active' };
+        }
+        if (status === 401) {
+            return { valid: false, error: 'Invalid or expired token' };
+        }
+        return { valid: false, error: `Cloudflare API returned ${status}` };
+    }
+    catch (err) {
+        return { valid: false, error: `Connection failed: ${err.message}` };
+    }
+}
+// --- API Routes ---
+// GET /api/cloud/providers — list all providers with their fields
+addRoute('GET', '/api/cloud/providers', async (_req, res) => {
+    sendJson(res, 200, { providers: PROVIDERS });
+});
+// GET /api/cloud/status — which providers have stored credentials
+addRoute('GET', '/api/cloud/status', async (_req, res) => {
+    const password = requirePassword(res);
+    if (!password)
+        return;
+    const keys = await vaultKeys(password);
+    const status = {};
+    for (const provider of PROVIDERS) {
+        // IG-R2: Unified check — a provider is configured if all non-optional fields are stored
+        status[provider.id] = provider.fields.every((f) => f.optional || keys.includes(f.key));
+    }
+    sendJson(res, 200, { status });
+});
+// POST /api/cloud/validate — validate and store credentials for a provider
+addRoute('POST', '/api/cloud/validate', async (req, res) => {
+    const password = requirePassword(res);
+    if (!password)
+        return;
+    const body = await parseJsonBody(req);
+    if (!body.provider || !body.credentials || typeof body.credentials !== 'object') {
+        sendJson(res, 400, { error: 'provider and credentials are required' });
+        return;
+    }
+    // IG-R2: Validate all credential values are strings (prevent non-string vault storage)
+    if (Object.values(body.credentials).some((v) => typeof v !== 'string')) {
+        sendJson(res, 400, { error: 'All credential values must be strings' });
+        return;
+    }
+    const provider = PROVIDERS.find((p) => p.id === body.provider);
+    if (!provider) {
+        sendJson(res, 400, { error: `Unknown provider: ${body.provider}` });
+        return;
+    }
+    const creds = body.credentials;
+    // Validate based on provider
+    let result;
+    switch (body.provider) {
+        case 'aws':
+            result = await validateAws(creds['aws-access-key-id'] ?? '', creds['aws-secret-access-key'] ?? '', creds['aws-region'] ?? 'us-east-1');
+            break;
+        case 'vercel':
+            result = await validateVercel(creds['vercel-token'] ?? '');
+            break;
+        case 'railway':
+            result = await validateRailway(creds['railway-token'] ?? '');
+            break;
+        case 'github':
+            result = await validateGithub(creds['github-token'] ?? '');
+            break;
+        case 'cloudflare': {
+            result = await validateCloudflare(creds['cloudflare-api-token'] ?? '');
+            // After token validation succeeds, validate account ID format if provided
+            if (result.valid) {
+                const accountId = creds['cloudflare-account-id'];
+                if (accountId && !/^[a-f0-9]{32}$/i.test(accountId)) {
+                    result = { valid: false, error: 'Account ID should be a 32-character hex string (found on your Cloudflare dashboard)' };
+                }
+            }
+            break;
+        }
+        default:
+            result = { valid: false, error: 'No validator for this provider' };
+    }
+    if (!result.valid) {
+        sendJson(res, 400, { error: result.error ?? 'Validation failed' });
+        return;
+    }
+    // Store all fields in the vault
+    for (const field of provider.fields) {
+        const value = creds[field.key];
+        if (value) {
+            await vaultSet(password, field.key, value);
+        }
+    }
+    sendJson(res, 200, { stored: true, identity: result.identity });
+});
+// DELETE /api/cloud/provider — remove a provider's credentials
+addRoute('POST', '/api/cloud/remove', async (req, res) => {
+    const password = requirePassword(res);
+    if (!password)
+        return;
+    const body = await parseJsonBody(req);
+    if (!body.provider) {
+        sendJson(res, 400, { error: 'provider is required' });
+        return;
+    }
+    const provider = PROVIDERS.find((p) => p.id === body.provider);
+    if (!provider) {
+        sendJson(res, 400, { error: `Unknown provider: ${body.provider}` });
+        return;
+    }
+    // Import vaultDelete
+    const { vaultDelete } = await import('../lib/vault.js');
+    for (const field of provider.fields) {
+        await vaultDelete(password, field.key);
+    }
+    sendJson(res, 200, { removed: true });
+});
+// GET /api/cloud/deploy-targets — available deploy targets based on stored credentials
+addRoute('GET', '/api/cloud/deploy-targets', async (_req, res) => {
+    const password = requirePassword(res);
+    if (!password)
+        return;
+    const keys = await vaultKeys(password);
+    // Docker and static-local are always available (no credentials needed)
+    const targets = [
+        { id: 'vps', name: 'VPS (AWS EC2)', available: false, provider: 'aws', description: 'Full server with SSH access. Best for: full-stack apps, background workers, databases on the same box.' },
+        { id: 'vercel', name: 'Vercel', available: false, provider: 'vercel', description: 'Serverless + edge. Best for: Next.js, static sites, JAMstack.' },
+        { id: 'railway', name: 'Railway', available: false, provider: 'railway', description: 'Managed containers with add-ons. Best for: full-stack apps that need Postgres/Redis without managing servers.' },
+        { id: 'cloudflare', name: 'Cloudflare Workers/Pages', available: false, provider: 'cloudflare', description: 'Edge-first serverless. Best for: APIs, static sites, globally distributed apps.' },
+        { id: 'static', name: 'Static (S3 + CloudFront)', available: false, provider: 'aws', description: 'Static hosting with CDN. Best for: marketing sites, docs, SPAs with separate API.' },
+        { id: 'docker', name: 'Docker (local)', available: true, provider: null, description: 'Dockerfile + docker-compose.yml. No cloud credentials needed. Best for: local dev, self-hosted.' },
+    ];
+    for (const target of targets) {
+        if (target.provider) {
+            const provider = PROVIDERS.find((p) => p.id === target.provider);
+            if (provider) {
+                target.available = provider.fields.every((f) => f.optional || keys.includes(f.key));
+            }
+        }
+    }
+    sendJson(res, 200, { targets });
+});

package/dist/wizard/api/credentials.d.ts

@@ -0,0 +1 @@
+export declare function getSessionPassword(): string | null;

package/dist/wizard/api/credentials.js

@@ -0,0 +1,258 @@
+import { request as httpsRequest } from 'node:https';
+import { addRoute } from '../router.js';
+import { vaultSet, vaultExists, vaultUnlock, vaultKeys, vaultPath, vaultLock } from '../lib/vault.js';
+import { parseJsonBody } from '../lib/body-parser.js';
+import { clearModelCache } from '../lib/anthropic.js';
+import { sendJson } from '../lib/http-helpers.js';
+import { getClientIp } from '../lib/tower-auth.js';
+/** Session password — held in memory only, never written to disk */
+let sessionPassword = null;
+export function getSessionPassword() {
+    if (sessionPassword)
+        touchVaultAccess(); // SEC-R2-004: Reset auto-lock on every access
+    return sessionPassword;
+}
+// ── Vault unlock rate limiting (SEC-R2-003) ──────────
+// Separate from login rate limits to prevent cross-endpoint exhaustion (Deathstroke R4)
+const VAULT_RATE_LIMIT_MAX = 5;
+const VAULT_RATE_WINDOW_MS = 60_000;
+const VAULT_LOCKOUT_THRESHOLD = 10;
+const VAULT_LOCKOUT_DURATION_MS = 30 * 60_000;
+const vaultRateLimits = new Map();
+function checkVaultRateLimit(ip) {
+    const now = Date.now();
+    const entry = vaultRateLimits.get(ip);
+    if (!entry) {
+        vaultRateLimits.set(ip, { attempts: 1, firstAttempt: now, consecutiveFailures: 0, lockedUntil: 0 });
+        return { allowed: true, retryAfterMs: 0 };
+    }
+    if (entry.lockedUntil > now) {
+        return { allowed: false, retryAfterMs: entry.lockedUntil - now };
+    }
+    if (now - entry.firstAttempt > VAULT_RATE_WINDOW_MS) {
+        entry.attempts = 1;
+        entry.firstAttempt = now;
+        return { allowed: true, retryAfterMs: 0 };
+    }
+    entry.attempts++;
+    if (entry.attempts > VAULT_RATE_LIMIT_MAX) {
+        return { allowed: false, retryAfterMs: VAULT_RATE_WINDOW_MS - (now - entry.firstAttempt) };
+    }
+    return { allowed: true, retryAfterMs: 0 };
+}
+function recordVaultFailure(ip) {
+    const entry = vaultRateLimits.get(ip);
+    if (!entry)
+        return;
+    entry.consecutiveFailures++;
+    if (entry.consecutiveFailures >= VAULT_LOCKOUT_THRESHOLD) {
+        entry.lockedUntil = Date.now() + VAULT_LOCKOUT_DURATION_MS;
+        entry.consecutiveFailures = 0;
+    }
+}
+function clearVaultFailures(ip) {
+    const entry = vaultRateLimits.get(ip);
+    if (entry)
+        entry.consecutiveFailures = 0;
+}
+// ── Vault auto-lock (SEC-R2-004) ─────────────────────
+const VAULT_AUTO_LOCK_MS = 15 * 60_000; // 15 minutes idle
+let lastVaultAccess = 0;
+let autoLockTimer = null;
+function touchVaultAccess() {
+    lastVaultAccess = Date.now();
+    if (!autoLockTimer) {
+        autoLockTimer = setInterval(() => {
+            if (sessionPassword && Date.now() - lastVaultAccess > VAULT_AUTO_LOCK_MS) {
+                sessionPassword = null;
+                vaultLock();
+                if (autoLockTimer) {
+                    clearInterval(autoLockTimer);
+                    autoLockTimer = null;
+                }
+            }
+        }, 60_000); // Check every minute
+        autoLockTimer.unref(); // Don't prevent graceful shutdown
+    }
+}
+/** Validate an Anthropic API key by making a lightweight test call */
+function validateAnthropicKey(apiKey) {
+    return new Promise((resolve) => {
+        const postData = JSON.stringify({
+            model: 'claude-haiku-4-5-20251001',
+            max_tokens: 1,
+            messages: [{ role: 'user', content: 'hi' }],
+        });
+        const req = httpsRequest({
+            hostname: 'api.anthropic.com',
+            path: '/v1/messages',
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                'x-api-key': apiKey,
+                'anthropic-version': '2023-06-01',
+                'Content-Length': Buffer.byteLength(postData),
+            },
+            timeout: 15000,
+        }, (res) => {
+            let body = '';
+            res.on('data', (chunk) => { body += chunk.toString(); });
+            res.on('end', () => {
+                if (res.statusCode === 200) {
+                    resolve({ valid: true });
+                }
+                else if (res.statusCode === 401) {
+                    resolve({ valid: false, error: 'Invalid API key' });
+                }
+                else {
+                    try {
+                        const parsed = JSON.parse(body);
+                        resolve({ valid: false, error: parsed.error?.message ?? `HTTP ${res.statusCode}` });
+                    }
+                    catch {
+                        resolve({ valid: false, error: `HTTP ${res.statusCode}` });
+                    }
+                }
+            });
+        });
+        req.on('error', (err) => {
+            resolve({ valid: false, error: `Connection failed: ${err.message}` });
+        });
+        req.on('timeout', () => {
+            req.destroy();
+            resolve({ valid: false, error: 'Request timed out' });
+        });
+        req.write(postData);
+        req.end();
+    });
+}
+// GET /api/credentials/status — check vault state and stored keys
+addRoute('GET', '/api/credentials/status', async (_req, res) => {
+    const exists = vaultExists();
+    const unlocked = sessionPassword !== null;
+    let hasAnthropic = false;
+    if (unlocked && sessionPassword) {
+        try {
+            const keys = await vaultKeys(sessionPassword);
+            hasAnthropic = keys.includes('anthropic-api-key');
+        }
+        catch {
+            // Vault read failed — treat as locked
+        }
+    }
+    sendJson(res, 200, {
+        vaultExists: exists,
+        unlocked,
+        anthropic: hasAnthropic,
+        vaultPath: vaultPath(),
+    });
+});
+// POST /api/credentials/unlock — unlock vault with password (or create new vault)
+addRoute('POST', '/api/credentials/unlock', async (req, res) => {
+    // SEC-R2-003: Rate limit vault unlock to prevent brute-force.
+    // Use getClientIp() for consistent IP extraction behind proxy (v17.0 fix).
+    const ip = getClientIp(req);
+    const rateCheck = checkVaultRateLimit(ip);
+    if (!rateCheck.allowed) {
+        sendJson(res, 429, { error: 'Too many unlock attempts. Try again later.', retryAfterMs: rateCheck.retryAfterMs });
+        return;
+    }
+    const body = await parseJsonBody(req);
+    if (!body.password || typeof body.password !== 'string') {
+        sendJson(res, 400, { error: 'password is required' });
+        return;
+    }
+    // QA-R3-017: Raise vault password minimum from 4 to 8 chars
+    if (body.password.length < 8) {
+        sendJson(res, 400, { error: 'Password must be at least 8 characters' });
+        return;
+    }
+    if (body.password.length > 256) {
+        sendJson(res, 400, { error: 'Password must be 256 characters or fewer' });
+        return;
+    }
+    // Capture vault existence BEFORE unlock — vaultUnlock creates the vault if new,
+    // so checking after would always return true (CODE-R1-001 / QA-009).
+    const wasNew = !vaultExists();
+    const valid = await vaultUnlock(body.password);
+    if (!valid) {
+        recordVaultFailure(ip);
+        sendJson(res, 401, { error: 'Wrong password' });
+        return;
+    }
+    clearVaultFailures(ip);
+    sessionPassword = body.password;
+    touchVaultAccess(); // SEC-R2-004: Start auto-lock timer
+    // Check what's already stored
+    let hasAnthropic = false;
+    try {
+        const keys = await vaultKeys(sessionPassword);
+        hasAnthropic = keys.includes('anthropic-api-key');
+    }
+    catch {
+        // Fresh vault
+    }
+    sendJson(res, 200, {
+        unlocked: true,
+        isNew: wasNew,
+        anthropic: hasAnthropic,
+    });
+});
+// POST /api/credentials/anthropic — validate and store Anthropic API key
+addRoute('POST', '/api/credentials/anthropic', async (req, res) => {
+    if (!sessionPassword) {
+        sendJson(res, 401, { error: 'Vault is locked. Unlock with your password first.' });
+        return;
+    }
+    const body = await parseJsonBody(req);
+    if (!body.apiKey || typeof body.apiKey !== 'string') {
+        sendJson(res, 400, { error: 'apiKey is required' });
+        return;
+    }
+    const apiKey = body.apiKey.trim();
+    if (!apiKey.startsWith('sk-ant-')) {
+        sendJson(res, 400, { error: 'Invalid key format. Anthropic API keys start with sk-ant-' });
+        return;
+    }
+    const result = await validateAnthropicKey(apiKey);
+    if (!result.valid) {
+        sendJson(res, 400, { error: result.error ?? 'Invalid API key' });
+        return;
+    }
+    await vaultSet(sessionPassword, 'anthropic-api-key', apiKey);
+    clearModelCache();
+    sendJson(res, 200, { stored: true });
+});
+// POST /api/credentials/env-batch — store multiple project-specific credentials at once
+addRoute('POST', '/api/credentials/env-batch', async (req, res) => {
+    if (!sessionPassword) {
+        sendJson(res, 401, { error: 'Vault is locked.' });
+        return;
+    }
+    const body = await parseJsonBody(req);
+    if (!body.credentials || typeof body.credentials !== 'object') {
+        sendJson(res, 400, { error: 'credentials object is required' });
+        return;
+    }
+    const entries = Object.entries(body.credentials).filter(([key, val]) => typeof key === 'string' && typeof val === 'string' && val.trim().length > 0);
+    if (entries.length === 0) {
+        sendJson(res, 400, { error: 'No non-empty credentials provided' });
+        return;
+    }
+    // Max 100 entries to prevent abuse
+    if (entries.length > 100) {
+        sendJson(res, 400, { error: 'Too many credentials (max 100)' });
+        return;
+    }
+    // Validate key format: only allow env-var-style keys
+    for (const [key] of entries) {
+        if (!/^[A-Z][A-Z0-9_]{1,100}$/.test(key)) {
+            sendJson(res, 400, { error: `Invalid credential key format: ${key}` });
+            return;
+        }
+    }
+    for (const [key, value] of entries) {
+        await vaultSet(sessionPassword, `env:${key}`, value.trim());
+    }
+    sendJson(res, 200, { stored: true, count: entries.length });
+});

package/dist/wizard/api/danger-room.d.ts

@@ -0,0 +1,18 @@
+/**
+ * Danger Room API — Real-time data feeds for the mission control dashboard.
+ *
+ * Shared parsers and WebSocket infra live in wizard/lib/dashboard-*.ts.
+ * This file registers Danger Room routes and any Danger Room-specific endpoints
+ * (heartbeat, freeze, Deep Current).
+ */
+import type { IncomingMessage } from 'node:http';
+import type { Duplex } from 'node:stream';
+/** Broadcast a message to all connected Danger Room clients. */
+export declare const broadcastDangerRoom: (data: {
+    type: string;
+    [key: string]: unknown;
+}) => void;
+/** Close all Danger Room WebSocket connections, activity watcher, and shut down. */
+export declare function closeDangerRoom(): void;
+/** Handle WebSocket upgrade for /ws/danger-room. */
+export declare const handleDangerRoomUpgrade: (req: IncomingMessage, socket: Duplex, head: Buffer) => void;