toolcraft 0.0.5 → 0.0.7

package/node_modules/@poe-code/file-lock/dist/lock.js

@@ -0,0 +1,203 @@
+import * as fsPromises from "node:fs/promises";
+import * as os from "node:os";
+export class LockTimeoutError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = "LockTimeoutError";
+    }
+}
+function createAbortError() {
+    const error = new Error("The operation was aborted.");
+    error.name = "AbortError";
+    return error;
+}
+function throwIfAborted(signal) {
+    if (signal?.aborted) {
+        throw createAbortError();
+    }
+}
+function sleep(ms, signal) {
+    if (!signal) {
+        return new Promise((resolve) => setTimeout(resolve, ms));
+    }
+    if (signal.aborted) {
+        return Promise.reject(createAbortError());
+    }
+    return new Promise((resolve, reject) => {
+        const timeoutId = setTimeout(() => {
+            signal.removeEventListener("abort", onAbort);
+            resolve();
+        }, ms);
+        const onAbort = () => {
+            clearTimeout(timeoutId);
+            signal.removeEventListener("abort", onAbort);
+            reject(createAbortError());
+        };
+        signal.addEventListener("abort", onAbort, { once: true });
+    });
+}
+function backoff(attempt, minTimeout, maxTimeout) {
+    const delay = Math.min(maxTimeout, minTimeout * 2 ** attempt);
+    return delay + Math.random() * delay * 0.1;
+}
+function hasErrorCode(error, code) {
+    return (!!error &&
+        typeof error === "object" &&
+        "code" in error &&
+        error.code === code);
+}
+function hasAnyErrorCode(error, codes) {
+    return codes.some((code) => hasErrorCode(error, code));
+}
+function isPidRunning(pid) {
+    try {
+        process.kill(pid, 0);
+        return true;
+    }
+    catch (error) {
+        return !hasErrorCode(error, "ESRCH");
+    }
+}
+function createDefaultFs() {
+    return {
+        open: (path, flags) => fsPromises.open(path, flags),
+        readFile: (path, encoding) => fsPromises.readFile(path, encoding),
+        stat: fsPromises.stat,
+        unlink: fsPromises.unlink
+    };
+}
+async function removeLockFile(fs, lockPath, signal) {
+    for (let attempt = 0; attempt <= 4; attempt += 1) {
+        throwIfAborted(signal);
+        try {
+            await fs.unlink(lockPath);
+            return;
+        }
+        catch (error) {
+            if (hasErrorCode(error, "ENOENT")) {
+                return;
+            }
+            if (!hasAnyErrorCode(error, ["EPERM", "EBUSY"]) || attempt === 4) {
+                throw error;
+            }
+        }
+        await sleep(25 * 2 ** attempt, signal);
+    }
+}
+function parseLockMetadata(content) {
+    try {
+        const parsed = JSON.parse(content);
+        if (!parsed || typeof parsed !== "object" || !("host" in parsed) || !("pid" in parsed)) {
+            return undefined;
+        }
+        const { host, pid } = parsed;
+        if (typeof host === "string" && typeof pid === "number" && Number.isSafeInteger(pid) && pid > 0) {
+            return {
+                host,
+                pid
+            };
+        }
+    }
+    catch (ignoredError) {
+        void ignoredError;
+    }
+    return undefined;
+}
+async function readLockMetadata(fs, lockPath) {
+    if (!fs.readFile) {
+        return undefined;
+    }
+    try {
+        return parseLockMetadata(await fs.readFile(lockPath, "utf8"));
+    }
+    catch (error) {
+        if (hasErrorCode(error, "ENOENT")) {
+            return null;
+        }
+        return undefined;
+    }
+}
+async function shouldReclaimLock(options) {
+    const metadata = await readLockMetadata(options.fs, options.lockPath);
+    if (metadata === null) {
+        return "missing";
+    }
+    if (metadata?.host === os.hostname()) {
+        return !options.isPidRunning(metadata.pid);
+    }
+    return Date.now() - options.stat.mtimeMs > options.staleMs;
+}
+async function writeLockMetadata(handle) {
+    try {
+        await handle.writeFile(JSON.stringify({ pid: process.pid, host: os.hostname(), acquiredAt: new Date().toISOString() }), { encoding: "utf8" });
+    }
+    catch (ignoredError) {
+        void ignoredError;
+    }
+    try {
+        await handle.close();
+    }
+    catch (ignoredError) {
+        void ignoredError;
+    }
+}
+export async function acquireFileLock(filePath, options = {}) {
+    const fs = options.fs ?? createDefaultFs();
+    const retries = options.retries ?? 20;
+    const minTimeout = options.minTimeout ?? 25;
+    const maxTimeout = options.maxTimeout ?? 250;
+    const staleMs = options.staleMs ?? 1_000;
+    const pidIsRunning = options.isPidRunning ?? isPidRunning;
+    const lockPath = `${filePath}.lock`;
+    let attempt = 0;
+    while (attempt <= retries) {
+        throwIfAborted(options.signal);
+        try {
+            const handle = await fs.open(lockPath, "wx");
+            await writeLockMetadata(handle);
+            let released = false;
+            return async () => {
+                if (released) {
+                    return;
+                }
+                released = true;
+                await removeLockFile(fs, lockPath, options.signal);
+            };
+        }
+        catch (error) {
+            if (!hasErrorCode(error, "EEXIST")) {
+                throw error;
+            }
+        }
+        let stat;
+        try {
+            stat = await fs.stat(lockPath);
+        }
+        catch (statError) {
+            if (hasErrorCode(statError, "ENOENT")) {
+                continue;
+            }
+            throw statError;
+        }
+        const reclaimLock = await shouldReclaimLock({
+            fs,
+            isPidRunning: pidIsRunning,
+            lockPath,
+            staleMs,
+            stat
+        });
+        if (reclaimLock === "missing") {
+            continue;
+        }
+        if (reclaimLock) {
+            await removeLockFile(fs, lockPath, options.signal);
+            continue;
+        }
+        if (attempt >= retries) {
+            break;
+        }
+        await sleep(backoff(attempt, minTimeout, maxTimeout), options.signal);
+        attempt += 1;
+    }
+    throw new LockTimeoutError(`Failed to acquire lock on "${filePath}".`);
+}

package/node_modules/@poe-code/file-lock/package.json

@@ -0,0 +1,23 @@
+{
+  "name": "@poe-code/file-lock",
+  "version": "0.0.1",
+  "private": true,
+  "type": "module",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
+    }
+  },
+  "scripts": {
+    "build": "tsc",
+    "test": "cd ../.. && vitest run packages/file-lock/src",
+    "test:unit": "cd ../.. && vitest run packages/file-lock/src"
+  },
+  "files": [
+    "dist"
+  ],
+  "dependencies": {}
+}

package/node_modules/auth-store/README.md

@@ -0,0 +1,47 @@
+# auth-store
+
+Generic encrypted secret storage with platform-aware backends.
+
+## Usage
+
+```ts
+import { createSecretStore } from "auth-store";
+
+const { store, backend } = createSecretStore({
+  backendEnvVar: "MY_AUTH_BACKEND",
+  fileStore: {
+    salt: "my-app:encrypted-store:v1",
+    defaultDirectory: ".my-app",
+    defaultFileName: "credentials.enc"
+  },
+  keychainStore: {
+    service: "my-app",
+    account: "api-key"
+  }
+});
+
+await store.set("secret-value");
+const value = await store.get(); // "secret-value"
+await store.delete();
+```
+
+## Backends
+
+| `backendEnvVar` value | Platform | Backend        |
+| --------------------- | -------- | -------------- |
+| _(unset)_             | any      | Encrypted file |
+| `file`                | any      | Encrypted file |
+| `keychain`            | macOS    | macOS Keychain |
+| `keychain`            | other    | Error          |
+
+### Encrypted file
+
+- AES-256-GCM with machine-derived key (hostname + username via scrypt)
+- Configurable salt, directory, and file name
+- File permissions: `0600`
+- Random IV per write
+
+### macOS Keychain
+
+- Uses the `security` CLI (`add-generic-password`, `find-generic-password`, `delete-generic-password`)
+- Configurable service and account names

package/node_modules/auth-store/dist/create-secret-store.d.ts

@@ -0,0 +1,2 @@
+import type { CreateSecretStoreInput, CreateSecretStoreResult } from "./types.js";
+export declare function createSecretStore(input: CreateSecretStoreInput): CreateSecretStoreResult;

package/node_modules/auth-store/dist/create-secret-store.js

@@ -0,0 +1,35 @@
+import { EncryptedFileStore } from "./encrypted-file-store.js";
+import { KeychainStore } from "./keychain-store.js";
+const DEFAULT_BACKEND_ENV_VAR = "AUTH_BACKEND";
+const MACOS_PLATFORM = "darwin";
+const storeFactories = {
+    file: (input) => {
+        if (!input.fileStore) {
+            throw new Error("fileStore configuration is required for file backend");
+        }
+        return new EncryptedFileStore(input.fileStore);
+    },
+    keychain: (input) => {
+        if (!input.keychainStore) {
+            throw new Error("keychainStore configuration is required for keychain backend");
+        }
+        return new KeychainStore(input.keychainStore);
+    }
+};
+export function createSecretStore(input) {
+    const backend = resolveBackend(input);
+    const platform = input.platform ?? process.platform;
+    if (backend === "keychain" && platform !== MACOS_PLATFORM) {
+        throw new Error(`Keychain backend is only supported on macOS. Current platform: ${platform}`);
+    }
+    const store = storeFactories[backend](input);
+    return { backend, store };
+}
+function resolveBackend(input) {
+    const envVar = input.backendEnvVar ?? DEFAULT_BACKEND_ENV_VAR;
+    const configuredBackend = input.backend ?? input.env?.[envVar] ?? process.env[envVar];
+    if (configuredBackend === "keychain") {
+        return "keychain";
+    }
+    return "file";
+}

package/node_modules/auth-store/dist/encrypted-file-store.d.ts

@@ -0,0 +1,39 @@
+import type { SecretStore } from "./types.js";
+export interface MachineIdentity {
+    hostname: string;
+    username: string;
+}
+export interface EncryptedFileStoreFileSystem {
+    readFile(path: string, encoding: BufferEncoding): Promise<string>;
+    writeFile(path: string, data: string | NodeJS.ArrayBufferView, options?: {
+        encoding?: BufferEncoding;
+    }): Promise<void>;
+    mkdir(path: string, options?: {
+        recursive?: boolean;
+    }): Promise<void | string | undefined>;
+    unlink(path: string): Promise<void>;
+    chmod(path: string, mode: number): Promise<void>;
+}
+export interface EncryptedFileStoreInput {
+    fs?: EncryptedFileStoreFileSystem;
+    filePath?: string;
+    salt: string;
+    defaultDirectory?: string;
+    defaultFileName?: string;
+    getMachineIdentity?: () => MachineIdentity | Promise<MachineIdentity>;
+    getHomeDirectory?: () => string;
+    getRandomBytes?: (size: number) => Buffer;
+}
+export declare class EncryptedFileStore implements SecretStore {
+    private readonly fs;
+    private readonly filePath;
+    private readonly salt;
+    private readonly getMachineIdentity;
+    private readonly getRandomBytes;
+    private keyPromise;
+    constructor(input: EncryptedFileStoreInput);
+    get(): Promise<string | null>;
+    set(value: string): Promise<void>;
+    delete(): Promise<void>;
+    private getEncryptionKey;
+}

package/node_modules/auth-store/dist/encrypted-file-store.js

@@ -0,0 +1,156 @@
+import { createCipheriv, createDecipheriv, randomBytes, scrypt } from "node:crypto";
+import { promises as fs } from "node:fs";
+import { homedir, hostname, userInfo } from "node:os";
+import path from "node:path";
+const derivedKeyCache = new Map();
+const ENCRYPTION_ALGORITHM = "aes-256-gcm";
+const ENCRYPTION_VERSION = 1;
+const ENCRYPTION_KEY_BYTES = 32;
+const ENCRYPTION_IV_BYTES = 12;
+const ENCRYPTION_AUTH_TAG_BYTES = 16;
+const ENCRYPTION_FILE_MODE = 0o600;
+export class EncryptedFileStore {
+    fs;
+    filePath;
+    salt;
+    getMachineIdentity;
+    getRandomBytes;
+    keyPromise = null;
+    constructor(input) {
+        this.fs = input.fs ?? fs;
+        this.salt = input.salt;
+        this.filePath = input.filePath ?? path.join((input.getHomeDirectory ?? homedir)(), input.defaultDirectory ?? ".auth-store", input.defaultFileName ?? "credentials.enc");
+        this.getMachineIdentity = input.getMachineIdentity ?? defaultMachineIdentity;
+        this.getRandomBytes = input.getRandomBytes ?? randomBytes;
+    }
+    async get() {
+        let rawDocument;
+        try {
+            rawDocument = await this.fs.readFile(this.filePath, "utf8");
+        }
+        catch (error) {
+            if (isNotFoundError(error)) {
+                return null;
+            }
+            throw error;
+        }
+        const document = parseEncryptedDocument(rawDocument);
+        if (!document) {
+            return null;
+        }
+        const key = await this.getEncryptionKey();
+        try {
+            const iv = Buffer.from(document.iv, "base64");
+            const authTag = Buffer.from(document.authTag, "base64");
+            const ciphertext = Buffer.from(document.ciphertext, "base64");
+            if (iv.byteLength !== ENCRYPTION_IV_BYTES ||
+                authTag.byteLength !== ENCRYPTION_AUTH_TAG_BYTES) {
+                return null;
+            }
+            const decipher = createDecipheriv(ENCRYPTION_ALGORITHM, key, iv);
+            decipher.setAuthTag(authTag);
+            const plaintext = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
+            return plaintext.toString("utf8");
+        }
+        catch {
+            return null;
+        }
+    }
+    async set(value) {
+        const key = await this.getEncryptionKey();
+        const iv = this.getRandomBytes(ENCRYPTION_IV_BYTES);
+        const cipher = createCipheriv(ENCRYPTION_ALGORITHM, key, iv);
+        const ciphertext = Buffer.concat([
+            cipher.update(value, "utf8"),
+            cipher.final()
+        ]);
+        const authTag = cipher.getAuthTag();
+        const document = {
+            version: ENCRYPTION_VERSION,
+            iv: iv.toString("base64"),
+            authTag: authTag.toString("base64"),
+            ciphertext: ciphertext.toString("base64")
+        };
+        await this.fs.mkdir(path.dirname(this.filePath), { recursive: true });
+        await this.fs.writeFile(this.filePath, JSON.stringify(document), {
+            encoding: "utf8"
+        });
+        await this.fs.chmod(this.filePath, ENCRYPTION_FILE_MODE);
+    }
+    async delete() {
+        try {
+            await this.fs.unlink(this.filePath);
+        }
+        catch (error) {
+            if (!isNotFoundError(error)) {
+                throw error;
+            }
+        }
+    }
+    getEncryptionKey() {
+        if (!this.keyPromise) {
+            this.keyPromise = deriveEncryptionKey(this.getMachineIdentity, this.salt);
+        }
+        return this.keyPromise;
+    }
+}
+function defaultMachineIdentity() {
+    return {
+        hostname: hostname(),
+        username: userInfo().username
+    };
+}
+async function deriveEncryptionKey(getMachineIdentity, salt) {
+    const machineIdentity = await getMachineIdentity();
+    const secret = `${machineIdentity.hostname}:${machineIdentity.username}`;
+    const cacheKey = `${secret}:${salt}`;
+    const cached = derivedKeyCache.get(cacheKey);
+    if (cached) {
+        return cached;
+    }
+    const keyPromise = new Promise((resolve, reject) => {
+        scrypt(secret, salt, ENCRYPTION_KEY_BYTES, (error, derivedKey) => {
+            if (error) {
+                reject(error);
+                return;
+            }
+            resolve(Buffer.from(derivedKey));
+        });
+    });
+    derivedKeyCache.set(cacheKey, keyPromise);
+    return keyPromise;
+}
+function parseEncryptedDocument(raw) {
+    try {
+        const parsed = JSON.parse(raw);
+        if (!isRecord(parsed)) {
+            return null;
+        }
+        if (parsed.version !== ENCRYPTION_VERSION) {
+            return null;
+        }
+        if (typeof parsed.iv !== "string" ||
+            typeof parsed.authTag !== "string" ||
+            typeof parsed.ciphertext !== "string") {
+            return null;
+        }
+        return {
+            version: parsed.version,
+            iv: parsed.iv,
+            authTag: parsed.authTag,
+            ciphertext: parsed.ciphertext
+        };
+    }
+    catch {
+        return null;
+    }
+}
+function isRecord(value) {
+    return Boolean(value && typeof value === "object" && !Array.isArray(value));
+}
+function isNotFoundError(error) {
+    return Boolean(error &&
+        typeof error === "object" &&
+        "code" in error &&
+        error.code === "ENOENT");
+}

package/node_modules/auth-store/dist/index.d.ts

@@ -0,0 +1,7 @@
+export { createSecretStore } from "./create-secret-store.js";
+export { EncryptedFileStore } from "./encrypted-file-store.js";
+export { KeychainStore } from "./keychain-store.js";
+export { key, MigratingSecretStore } from "./provider-store.js";
+export type { SecretStore, StoreBackend, CreateSecretStoreInput, CreateSecretStoreResult } from "./types.js";
+export type { MachineIdentity, EncryptedFileStoreInput, EncryptedFileStoreFileSystem } from "./encrypted-file-store.js";
+export type { KeychainStoreInput, KeychainCommandRunner, KeychainCommandResult } from "./keychain-store.js";

package/node_modules/auth-store/dist/index.js

@@ -0,0 +1,4 @@
+export { createSecretStore } from "./create-secret-store.js";
+export { EncryptedFileStore } from "./encrypted-file-store.js";
+export { KeychainStore } from "./keychain-store.js";
+export { key, MigratingSecretStore } from "./provider-store.js";

package/node_modules/auth-store/dist/keychain-store.d.ts

@@ -0,0 +1,22 @@
+import type { SecretStore } from "./types.js";
+export interface KeychainCommandResult {
+    stdout: string;
+    stderr: string;
+    exitCode: number;
+}
+export type KeychainCommandRunner = (command: string, args: string[]) => Promise<KeychainCommandResult>;
+export interface KeychainStoreInput {
+    runCommand?: KeychainCommandRunner;
+    service: string;
+    account: string;
+}
+export declare class KeychainStore implements SecretStore {
+    private readonly runCommand;
+    private readonly service;
+    private readonly account;
+    constructor(input: KeychainStoreInput);
+    get(): Promise<string | null>;
+    set(value: string): Promise<void>;
+    delete(): Promise<void>;
+    private executeSecurityCommand;
+}

package/node_modules/auth-store/dist/keychain-store.js

@@ -0,0 +1,111 @@
+import { spawn } from "node:child_process";
+const SECURITY_CLI = "security";
+const KEYCHAIN_ITEM_NOT_FOUND_EXIT_CODE = 44;
+export class KeychainStore {
+    runCommand;
+    service;
+    account;
+    constructor(input) {
+        this.runCommand = input.runCommand ?? runSecurityCommand;
+        this.service = input.service;
+        this.account = input.account;
+    }
+    async get() {
+        const result = await this.executeSecurityCommand(["find-generic-password", "-s", this.service, "-a", this.account, "-w"], "read secret from macOS Keychain");
+        if (result.exitCode === 0) {
+            return stripTrailingLineBreak(result.stdout);
+        }
+        if (isKeychainEntryNotFound(result)) {
+            return null;
+        }
+        throw createSecurityCliFailure("read secret from macOS Keychain", result);
+    }
+    async set(value) {
+        const result = await this.executeSecurityCommand([
+            "add-generic-password",
+            "-s",
+            this.service,
+            "-a",
+            this.account,
+            "-w",
+            value,
+            "-U"
+        ], "store secret in macOS Keychain");
+        if (result.exitCode !== 0) {
+            throw createSecurityCliFailure("store secret in macOS Keychain", result);
+        }
+    }
+    async delete() {
+        const result = await this.executeSecurityCommand(["delete-generic-password", "-s", this.service, "-a", this.account], "delete secret from macOS Keychain");
+        if (result.exitCode === 0 || isKeychainEntryNotFound(result)) {
+            return;
+        }
+        throw createSecurityCliFailure("delete secret from macOS Keychain", result);
+    }
+    async executeSecurityCommand(args, operation) {
+        try {
+            return await this.runCommand(SECURITY_CLI, args);
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : String(error);
+            throw new Error(`Failed to ${operation}: ${message}`);
+        }
+    }
+}
+function runSecurityCommand(command, args) {
+    return new Promise((resolve) => {
+        const child = spawn(command, args, {
+            stdio: ["ignore", "pipe", "pipe"]
+        });
+        let stdout = "";
+        let stderr = "";
+        child.stdout?.setEncoding("utf8");
+        child.stdout?.on("data", (chunk) => {
+            stdout += chunk.toString();
+        });
+        child.stderr?.setEncoding("utf8");
+        child.stderr?.on("data", (chunk) => {
+            stderr += chunk.toString();
+        });
+        child.on("error", (error) => {
+            const message = error instanceof Error ? error.message : String(error ?? "Unknown error");
+            resolve({
+                stdout,
+                stderr: stderr ? `${stderr}${message}` : message,
+                exitCode: 127
+            });
+        });
+        child.on("close", (code) => {
+            resolve({
+                stdout,
+                stderr,
+                exitCode: code ?? 0
+            });
+        });
+    });
+}
+function stripTrailingLineBreak(value) {
+    if (value.endsWith("\r\n")) {
+        return value.slice(0, -2);
+    }
+    if (value.endsWith("\n") || value.endsWith("\r")) {
+        return value.slice(0, -1);
+    }
+    return value;
+}
+function isKeychainEntryNotFound(result) {
+    if (result.exitCode === KEYCHAIN_ITEM_NOT_FOUND_EXIT_CODE) {
+        return true;
+    }
+    const output = `${result.stderr}\n${result.stdout}`.toLowerCase();
+    return (output.includes("could not be found") ||
+        output.includes("item not found") ||
+        output.includes("errsecitemnotfound"));
+}
+function createSecurityCliFailure(operation, result) {
+    const details = result.stderr.trim() || result.stdout.trim();
+    if (details) {
+        return new Error(`Failed to ${operation}: security exited with code ${result.exitCode}: ${details}`);
+    }
+    return new Error(`Failed to ${operation}: security exited with code ${result.exitCode}`);
+}

package/node_modules/auth-store/dist/provider-store.d.ts

@@ -0,0 +1,10 @@
+import type { SecretStore } from "./types.js";
+export declare function key(providerId: string): string;
+export declare class MigratingSecretStore implements SecretStore {
+    private readonly store;
+    private readonly legacyStore;
+    constructor(store: SecretStore, legacyStore?: SecretStore | null);
+    get(): Promise<string | null>;
+    set(value: string): Promise<void>;
+    delete(): Promise<void>;
+}