unotoken 0.1.0

package/dist/token-requests.d.ts

@@ -0,0 +1,80 @@
+/**
+ * Token approval workflow for unotoken -- US-004.
+ *
+ * Provides a request-and-approve flow for prefix-scoped tokens.
+ * Apps request access to specific prefixes, and vault owners approve or deny.
+ *
+ * Storage: JSON file (token-requests.json) alongside the vault,
+ * consistent with the existing token-scopes.json pattern from db.ts.
+ *
+ * Workflow:
+ * 1. App requests: `unotoken token request --name ci-levelfit --prefix levelfit/ --reason '...'`
+ * 2. Owner reviews: `unotoken token requests`
+ * 3. Owner acts: `unotoken token approve <id>` or `unotoken token deny <id> --reason '...'`
+ * 4. On approval, a scoped token is created and displayed once.
+ */
+export type RequestStatus = 'pending' | 'approved' | 'denied';
+export interface TokenRequest {
+    id: string;
+    name: string;
+    prefixes: string[];
+    reason: string;
+    status: RequestStatus;
+    requested_at: string;
+    reviewed_at: string | null;
+    reviewed_by: string | null;
+    deny_reason: string | null;
+}
+export type TokenRequestStore = Record<string, TokenRequest>;
+export interface CreateRequestInput {
+    name: string;
+    prefixes: string[];
+    reason: string;
+}
+export interface ApproveResult {
+    request: TokenRequest;
+    /** The raw token value (displayed once) */
+    token: string;
+}
+export interface EmailNotification {
+    to: string;
+    subject: string;
+    body: string;
+}
+export declare function setNotifyFn(fn: (notification: EmailNotification) => void): void;
+export declare function getNotifyFn(): (notification: EmailNotification) => void;
+export declare function getDefaultRequestsPath(baseDir?: string): string;
+export declare function loadRequests(requestsPath?: string): TokenRequestStore;
+export declare function saveRequests(store: TokenRequestStore, requestsPath?: string): void;
+/**
+ * Create a new pending token request.
+ */
+export declare function createRequest(input: CreateRequestInput, ownerEmail?: string, requestsPath?: string): TokenRequest;
+/**
+ * List token requests, optionally filtered by status.
+ */
+export declare function listRequests(statusFilter?: RequestStatus, requestsPath?: string): TokenRequest[];
+/**
+ * Get a single request by ID.
+ */
+export declare function getRequest(id: string, requestsPath?: string): TokenRequest | null;
+/**
+ * Get a request by name (for status polling by the requester).
+ */
+export declare function getRequestByName(name: string, requestsPath?: string): TokenRequest | null;
+/**
+ * Approve a token request. Returns the request and the generated token value.
+ *
+ * The caller is responsible for actually creating the token via yokotoken's
+ * token API and storing the scopes. This function only updates the request status.
+ */
+export declare function approveRequest(id: string, reviewedBy: string, requestsPath?: string): TokenRequest;
+/**
+ * Deny a token request with an optional reason.
+ */
+export declare function denyRequest(id: string, reviewedBy: string, denyReason?: string, requestsPath?: string): TokenRequest;
+/**
+ * Format a request for display.
+ */
+export declare function formatRequest(req: TokenRequest): string;
+//# sourceMappingURL=token-requests.d.ts.map

package/dist/token-requests.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-requests.d.ts","sourceRoot":"","sources":["../src/token-requests.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AASH,MAAM,MAAM,aAAa,GAAG,SAAS,GAAG,UAAU,GAAG,QAAQ,CAAC;AAE9D,MAAM,WAAW,YAAY;IAC3B,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,aAAa,CAAC;IACtB,YAAY,EAAE,MAAM,CAAC;IACrB,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;CAC5B;AAED,MAAM,MAAM,iBAAiB,GAAG,MAAM,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC;AAE7D,MAAM,WAAW,kBAAkB;IACjC,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,aAAa;IAC5B,OAAO,EAAE,YAAY,CAAC;IACtB,2CAA2C;IAC3C,KAAK,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,iBAAiB;IAChC,EAAE,EAAE,MAAM,CAAC;IACX,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,MAAM,CAAC;CACd;AAUD,wBAAgB,WAAW,CAAC,EAAE,EAAE,CAAC,YAAY,EAAE,iBAAiB,KAAK,IAAI,GAAG,IAAI,CAE/E;AAED,wBAAgB,WAAW,IAAI,CAAC,YAAY,EAAE,iBAAiB,KAAK,IAAI,CAEvE;AAID,wBAAgB,sBAAsB,CAAC,OAAO,CAAC,EAAE,MAAM,GAAG,MAAM,CAG/D;AAED,wBAAgB,YAAY,CAAC,YAAY,CAAC,EAAE,MAAM,GAAG,iBAAiB,CAWrE;AAED,wBAAgB,YAAY,CAAC,KAAK,EAAE,iBAAiB,EAAE,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAOlF;AAWD;;GAEG;AACH,wBAAgB,aAAa,CAC3B,KAAK,EAAE,kBAAkB,EACzB,UAAU,CAAC,EAAE,MAAM,EACnB,YAAY,CAAC,EAAE,MAAM,GACpB,YAAY,CAwCd;AAED;;GAEG;AACH,wBAAgB,YAAY,CAC1B,YAAY,CAAC,EAAE,aAAa,EAC5B,YAAY,CAAC,EAAE,MAAM,GACpB,YAAY,EAAE,CAShB;AAED;;GAEG;AACH,wBAAgB,UAAU,CAAC,EAAE,EAAE,MAAM,EAAE,YAAY,CAAC,EAAE,MAAM,GAAG,YAAY,GAAG,IAAI,CAGjF;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,MAAM,EAAE,YAAY,CAAC,EAAE,MAAM,GAAG,YAAY,GAAG,IAAI,CAMzF;AAED;;;;;GAKG;AACH,wBAAgB,cAAc,CAC5B,EAAE,EAAE,MAAM,EACV,UAAU,EAAE,MAAM,EAClB,YAAY,CAAC,EAAE,MAAM,GACpB,YAAY,CAmBd;AAED;;GAEG;AACH,wBAAgB,WAAW,CACzB,EAAE,EAAE,MAAM,EACV,UAAU,EAAE,MAAM,EAClB,UAAU,CAAC,EAAE,MAAM,EACnB,YAAY,CAAC,EAAE,MAAM,GACpB,YAAY,CAoBd;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,GAAG,EAAE,YAAY,GAAG,MAAM,CAoBvD"}

package/dist/token-requests.js

@@ -0,0 +1,201 @@
+/**
+ * Token approval workflow for unotoken -- US-004.
+ *
+ * Provides a request-and-approve flow for prefix-scoped tokens.
+ * Apps request access to specific prefixes, and vault owners approve or deny.
+ *
+ * Storage: JSON file (token-requests.json) alongside the vault,
+ * consistent with the existing token-scopes.json pattern from db.ts.
+ *
+ * Workflow:
+ * 1. App requests: `unotoken token request --name ci-levelfit --prefix levelfit/ --reason '...'`
+ * 2. Owner reviews: `unotoken token requests`
+ * 3. Owner acts: `unotoken token approve <id>` or `unotoken token deny <id> --reason '...'`
+ * 4. On approval, a scoped token is created and displayed once.
+ */
+import fs from 'node:fs';
+import path from 'node:path';
+import crypto from 'node:crypto';
+import { getVaultDir } from 'yokotoken';
+// ─── Notification callback ────────────────────────────────────────────
+/**
+ * Optional notification callback. Set via setNotifyFn() for email alerts.
+ * Default is a no-op. Tests can inject a mock.
+ */
+let notifyFn = () => { };
+export function setNotifyFn(fn) {
+    notifyFn = fn;
+}
+export function getNotifyFn() {
+    return notifyFn;
+}
+// ─── Storage ──────────────────────────────────────────────────────────
+export function getDefaultRequestsPath(baseDir) {
+    const dir = baseDir ?? getVaultDir();
+    return path.join(dir, 'token-requests.json');
+}
+export function loadRequests(requestsPath) {
+    const filePath = requestsPath ?? getDefaultRequestsPath();
+    try {
+        if (fs.existsSync(filePath)) {
+            const content = fs.readFileSync(filePath, 'utf-8');
+            return JSON.parse(content);
+        }
+    }
+    catch {
+        // Corrupt file -- start fresh
+    }
+    return {};
+}
+export function saveRequests(store, requestsPath) {
+    const filePath = requestsPath ?? getDefaultRequestsPath();
+    const dir = path.dirname(filePath);
+    if (!fs.existsSync(dir)) {
+        fs.mkdirSync(dir, { recursive: true });
+    }
+    fs.writeFileSync(filePath, JSON.stringify(store, null, 2), 'utf-8');
+}
+// ─── Operations ───────────────────────────────────────────────────────
+/**
+ * Generate a short unique request ID (8 hex chars).
+ */
+function generateRequestId() {
+    return crypto.randomBytes(4).toString('hex');
+}
+/**
+ * Create a new pending token request.
+ */
+export function createRequest(input, ownerEmail, requestsPath) {
+    const store = loadRequests(requestsPath);
+    const id = generateRequestId();
+    const request = {
+        id,
+        name: input.name,
+        prefixes: input.prefixes,
+        reason: input.reason,
+        status: 'pending',
+        requested_at: new Date().toISOString(),
+        reviewed_at: null,
+        reviewed_by: null,
+        deny_reason: null,
+    };
+    store[id] = request;
+    saveRequests(store, requestsPath);
+    // Send email notification if configured
+    if (ownerEmail) {
+        const prefixDisplay = input.prefixes.map((p) => `${p}*`).join(', ');
+        notifyFn({
+            to: ownerEmail,
+            subject: `New token request: ${input.name} wants access to ${prefixDisplay}`,
+            body: [
+                `A new token request has been submitted:`,
+                ``,
+                `Name: ${input.name}`,
+                `Prefixes: ${prefixDisplay}`,
+                `Reason: ${input.reason}`,
+                `Request ID: ${id}`,
+                ``,
+                `To approve: unotoken token approve ${id}`,
+                `To deny: unotoken token deny ${id} --reason "..."`,
+            ].join('\n'),
+        });
+    }
+    return request;
+}
+/**
+ * List token requests, optionally filtered by status.
+ */
+export function listRequests(statusFilter, requestsPath) {
+    const store = loadRequests(requestsPath);
+    let requests = Object.values(store);
+    if (statusFilter) {
+        requests = requests.filter((r) => r.status === statusFilter);
+    }
+    // Sort by requested_at descending (newest first)
+    requests.sort((a, b) => b.requested_at.localeCompare(a.requested_at));
+    return requests;
+}
+/**
+ * Get a single request by ID.
+ */
+export function getRequest(id, requestsPath) {
+    const store = loadRequests(requestsPath);
+    return store[id] ?? null;
+}
+/**
+ * Get a request by name (for status polling by the requester).
+ */
+export function getRequestByName(name, requestsPath) {
+    const store = loadRequests(requestsPath);
+    const requests = Object.values(store)
+        .filter((r) => r.name === name)
+        .sort((a, b) => b.requested_at.localeCompare(a.requested_at));
+    return requests[0] ?? null;
+}
+/**
+ * Approve a token request. Returns the request and the generated token value.
+ *
+ * The caller is responsible for actually creating the token via yokotoken's
+ * token API and storing the scopes. This function only updates the request status.
+ */
+export function approveRequest(id, reviewedBy, requestsPath) {
+    const store = loadRequests(requestsPath);
+    const request = store[id];
+    if (!request) {
+        throw new Error(`Token request '${id}' not found`);
+    }
+    if (request.status !== 'pending') {
+        throw new Error(`Token request '${id}' is already ${request.status}`);
+    }
+    request.status = 'approved';
+    request.reviewed_at = new Date().toISOString();
+    request.reviewed_by = reviewedBy;
+    store[id] = request;
+    saveRequests(store, requestsPath);
+    return request;
+}
+/**
+ * Deny a token request with an optional reason.
+ */
+export function denyRequest(id, reviewedBy, denyReason, requestsPath) {
+    const store = loadRequests(requestsPath);
+    const request = store[id];
+    if (!request) {
+        throw new Error(`Token request '${id}' not found`);
+    }
+    if (request.status !== 'pending') {
+        throw new Error(`Token request '${id}' is already ${request.status}`);
+    }
+    request.status = 'denied';
+    request.reviewed_at = new Date().toISOString();
+    request.reviewed_by = reviewedBy;
+    request.deny_reason = denyReason ?? null;
+    store[id] = request;
+    saveRequests(store, requestsPath);
+    return request;
+}
+/**
+ * Format a request for display.
+ */
+export function formatRequest(req) {
+    const prefixDisplay = req.prefixes.map((p) => `${p}*`).join(', ');
+    const lines = [
+        `ID: ${req.id}`,
+        `Name: ${req.name}`,
+        `Prefixes: ${prefixDisplay}`,
+        `Reason: ${req.reason}`,
+        `Status: ${req.status}`,
+        `Requested: ${req.requested_at}`,
+    ];
+    if (req.reviewed_at) {
+        lines.push(`Reviewed: ${req.reviewed_at}`);
+    }
+    if (req.reviewed_by) {
+        lines.push(`Reviewed by: ${req.reviewed_by}`);
+    }
+    if (req.deny_reason) {
+        lines.push(`Deny reason: ${req.deny_reason}`);
+    }
+    return lines.join('\n');
+}
+//# sourceMappingURL=token-requests.js.map

package/dist/token-requests.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-requests.js","sourceRoot":"","sources":["../src/token-requests.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,MAAM,MAAM,aAAa,CAAC;AACjC,OAAO,EAAE,WAAW,EAAE,MAAM,WAAW,CAAC;AAsCxC,yEAAyE;AAEzE;;;GAGG;AACH,IAAI,QAAQ,GAA8C,GAAG,EAAE,GAAE,CAAC,CAAC;AAEnE,MAAM,UAAU,WAAW,CAAC,EAA6C;IACvE,QAAQ,GAAG,EAAE,CAAC;AAChB,CAAC;AAED,MAAM,UAAU,WAAW;IACzB,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,yEAAyE;AAEzE,MAAM,UAAU,sBAAsB,CAAC,OAAgB;IACrD,MAAM,GAAG,GAAG,OAAO,IAAI,WAAW,EAAE,CAAC;IACrC,OAAO,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,qBAAqB,CAAC,CAAC;AAC/C,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,YAAqB;IAChD,MAAM,QAAQ,GAAG,YAAY,IAAI,sBAAsB,EAAE,CAAC;IAC1D,IAAI,CAAC;QACH,IAAI,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC5B,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;YACnD,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO,CAAsB,CAAC;QAClD,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,8BAA8B;IAChC,CAAC;IACD,OAAO,EAAE,CAAC;AACZ,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,KAAwB,EAAE,YAAqB;IAC1E,MAAM,QAAQ,GAAG,YAAY,IAAI,sBAAsB,EAAE,CAAC;IAC1D,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IACnC,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QACxB,EAAE,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACzC,CAAC;IACD,EAAE,CAAC,aAAa,CAAC,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;AACtE,CAAC;AAED,yEAAyE;AAEzE;;GAEG;AACH,SAAS,iBAAiB;IACxB,OAAO,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;AAC/C,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,aAAa,CAC3B,KAAyB,EACzB,UAAmB,EACnB,YAAqB;IAErB,MAAM,KAAK,GAAG,YAAY,CAAC,YAAY,CAAC,CAAC;IACzC,MAAM,EAAE,GAAG,iBAAiB,EAAE,CAAC;IAE/B,MAAM,OAAO,GAAiB;QAC5B,EAAE;QACF,IAAI,EAAE,KAAK,CAAC,IAAI;QAChB,QAAQ,EAAE,KAAK,CAAC,QAAQ;QACxB,MAAM,EAAE,KAAK,CAAC,MAAM;QACpB,MAAM,EAAE,SAAS;QACjB,YAAY,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACtC,WAAW,EAAE,IAAI;QACjB,WAAW,EAAE,IAAI;QACjB,WAAW,EAAE,IAAI;KAClB,CAAC;IAEF,KAAK,CAAC,EAAE,CAAC,GAAG,OAAO,CAAC;IACpB,YAAY,CAAC,KAAK,EAAE,YAAY,CAAC,CAAC;IAElC,wCAAwC;IACxC,IAAI,UAAU,EAAE,CAAC;QACf,MAAM,aAAa,GAAG,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACpE,QAAQ,CAAC;YACP,EAAE,EAAE,UAAU;YACd,OAAO,EAAE,sBAAsB,KAAK,CAAC,IAAI,oBAAoB,aAAa,EAAE;YAC5E,IAAI,EAAE;gBACJ,yCAAyC;gBACzC,EAAE;gBACF,SAAS,KAAK,CAAC,IAAI,EAAE;gBACrB,aAAa,aAAa,EAAE;gBAC5B,WAAW,KAAK,CAAC,MAAM,EAAE;gBACzB,eAAe,EAAE,EAAE;gBACnB,EAAE;gBACF,sCAAsC,EAAE,EAAE;gBAC1C,gCAAgC,EAAE,iBAAiB;aACpD,CAAC,IAAI,CAAC,IAAI,CAAC;SACb,CAAC,CAAC;IACL,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,YAAY,CAC1B,YAA4B,EAC5B,YAAqB;IAErB,MAAM,KAAK,GAAG,YAAY,CAAC,YAAY,CAAC,CAAC;IACzC,IAAI,QAAQ,GAAG,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACpC,IAAI,YAAY,EAAE,CAAC;QACjB,QAAQ,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,YAAY,CAAC,CAAC;IAC/D,CAAC;IACD,iDAAiD;IACjD,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,YAAY,CAAC,aAAa,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC;IACtE,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,UAAU,CAAC,EAAU,EAAE,YAAqB;IAC1D,MAAM,KAAK,GAAG,YAAY,CAAC,YAAY,CAAC,CAAC;IACzC,OAAO,KAAK,CAAC,EAAE,CAAC,IAAI,IAAI,CAAC;AAC3B,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAAC,IAAY,EAAE,YAAqB;IAClE,MAAM,KAAK,GAAG,YAAY,CAAC,YAAY,CAAC,CAAC;IACzC,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC;SAClC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,CAAC;SAC9B,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,YAAY,CAAC,aAAa,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC;IAChE,OAAO,QAAQ,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC;AAC7B,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,cAAc,CAC5B,EAAU,EACV,UAAkB,EAClB,YAAqB;IAErB,MAAM,KAAK,GAAG,YAAY,CAAC,YAAY,CAAC,CAAC;IACzC,MAAM,OAAO,GAAG,KAAK,CAAC,EAAE,CAAC,CAAC;IAE1B,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CAAC,kBAAkB,EAAE,aAAa,CAAC,CAAC;IACrD,CAAC;IAED,IAAI,OAAO,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;QACjC,MAAM,IAAI,KAAK,CAAC,kBAAkB,EAAE,gBAAgB,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;IACxE,CAAC;IAED,OAAO,CAAC,MAAM,GAAG,UAAU,CAAC;IAC5B,OAAO,CAAC,WAAW,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAC/C,OAAO,CAAC,WAAW,GAAG,UAAU,CAAC;IACjC,KAAK,CAAC,EAAE,CAAC,GAAG,OAAO,CAAC;IACpB,YAAY,CAAC,KAAK,EAAE,YAAY,CAAC,CAAC;IAElC,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,WAAW,CACzB,EAAU,EACV,UAAkB,EAClB,UAAmB,EACnB,YAAqB;IAErB,MAAM,KAAK,GAAG,YAAY,CAAC,YAAY,CAAC,CAAC;IACzC,MAAM,OAAO,GAAG,KAAK,CAAC,EAAE,CAAC,CAAC;IAE1B,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CAAC,kBAAkB,EAAE,aAAa,CAAC,CAAC;IACrD,CAAC;IAED,IAAI,OAAO,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;QACjC,MAAM,IAAI,KAAK,CAAC,kBAAkB,EAAE,gBAAgB,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;IACxE,CAAC;IAED,OAAO,CAAC,MAAM,GAAG,QAAQ,CAAC;IAC1B,OAAO,CAAC,WAAW,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAC/C,OAAO,CAAC,WAAW,GAAG,UAAU,CAAC;IACjC,OAAO,CAAC,WAAW,GAAG,UAAU,IAAI,IAAI,CAAC;IACzC,KAAK,CAAC,EAAE,CAAC,GAAG,OAAO,CAAC;IACpB,YAAY,CAAC,KAAK,EAAE,YAAY,CAAC,CAAC;IAElC,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,aAAa,CAAC,GAAiB;IAC7C,MAAM,aAAa,GAAG,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAClE,MAAM,KAAK,GAAG;QACZ,OAAO,GAAG,CAAC,EAAE,EAAE;QACf,SAAS,GAAG,CAAC,IAAI,EAAE;QACnB,aAAa,aAAa,EAAE;QAC5B,WAAW,GAAG,CAAC,MAAM,EAAE;QACvB,WAAW,GAAG,CAAC,MAAM,EAAE;QACvB,cAAc,GAAG,CAAC,YAAY,EAAE;KACjC,CAAC;IACF,IAAI,GAAG,CAAC,WAAW,EAAE,CAAC;QACpB,KAAK,CAAC,IAAI,CAAC,aAAa,GAAG,CAAC,WAAW,EAAE,CAAC,CAAC;IAC7C,CAAC;IACD,IAAI,GAAG,CAAC,WAAW,EAAE,CAAC;QACpB,KAAK,CAAC,IAAI,CAAC,gBAAgB,GAAG,CAAC,WAAW,EAAE,CAAC,CAAC;IAChD,CAAC;IACD,IAAI,GAAG,CAAC,WAAW,EAAE,CAAC;QACpB,KAAK,CAAC,IAAI,CAAC,gBAAgB,GAAG,CAAC,WAAW,EAAE,CAAC,CAAC;IAChD,CAAC;IACD,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC"}

package/dist/tokens.d.ts

@@ -0,0 +1,80 @@
+/**
+ * Prefix-scoped token management for unotoken — US-001.
+ *
+ * Extends yokotoken's TokenManager with prefix-based scope enforcement.
+ * Scopes restrict which secret paths a token can access.
+ *
+ * Scope matching rules:
+ * - A scope "levelfit/" matches any path starting with "levelfit/"
+ * - Multiple scopes: token can access paths matching ANY of its scopes
+ * - No scopes (null): token has full access (backward compat)
+ * - Empty scopes array ([]): token has no access (effectively revoked)
+ */
+export interface ScopeCheckResult {
+    allowed: boolean;
+    reason?: string;
+}
+/**
+ * Check if a secret path matches any of the allowed prefix scopes.
+ *
+ * @param secretPath - The secret path being accessed (e.g., "levelfit/stripe/key")
+ * @param scopes - Array of allowed prefixes (e.g., ["levelfit/"])
+ * @returns true if the path matches at least one scope
+ */
+export declare function matchesPrefix(secretPath: string, scopes: string[]): boolean;
+/**
+ * Check if a token (by raw value) is allowed to access a given path.
+ *
+ * @param rawToken - The raw bearer token
+ * @param secretPath - The secret path being accessed
+ * @param scopesPath - Optional path to the scopes file
+ * @returns ScopeCheckResult with allowed/denied and reason
+ */
+export declare function checkTokenScope(rawToken: string, secretPath: string, scopesPath?: string): ScopeCheckResult;
+/**
+ * Filter a list of secret paths to only those matching a token's scopes.
+ *
+ * @param rawToken - The raw bearer token
+ * @param paths - List of secret paths to filter
+ * @param scopesPath - Optional path to the scopes file
+ * @returns Filtered paths that the token can access
+ */
+export declare function filterByTokenScope(rawToken: string, paths: string[], scopesPath?: string): string[];
+/**
+ * Store scopes for a newly created token.
+ *
+ * @param rawToken - The raw token value (will be hashed for storage)
+ * @param name - The token name
+ * @param prefixes - Array of prefix scopes, or null for full access
+ * @param scopesPath - Optional path to the scopes file
+ */
+export declare function storeTokenScopes(rawToken: string, name: string, prefixes: string[] | null, scopesPath?: string): void;
+/**
+ * Remove scopes when a token is revoked.
+ */
+export declare function revokeTokenScopes(tokenName: string, scopesPath?: string): boolean;
+/**
+ * Get scope display string for a token.
+ * Examples: "levelfit/*", "hq-cloud/* + synesis/*", "*" (full access)
+ */
+export declare function formatScopes(scopes: string[] | null): string;
+/**
+ * Build a scope map from the store keyed by token name.
+ * Used by the CLI to display scopes alongside token metadata.
+ */
+export declare function buildScopesByName(scopesPath?: string): Map<string, string[] | null>;
+/**
+ * Intersect a query prefix with token scopes.
+ * Used for LIST operations: if the user requests prefix "levelfit/"
+ * and the token has scope ["levelfit/"], return "levelfit/".
+ * If the token has scope ["synesis/"], return null (no intersection).
+ *
+ * @param queryPrefix - The prefix from the list query (may be undefined for all)
+ * @param scopes - The token's allowed prefixes
+ * @returns The effective prefix to query, or null if no intersection
+ */
+export declare function intersectPrefixWithScopes(queryPrefix: string | undefined, scopes: string[] | null): {
+    effectivePrefixes: string[] | null;
+    restricted: boolean;
+};
+//# sourceMappingURL=tokens.d.ts.map

package/dist/tokens.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tokens.d.ts","sourceRoot":"","sources":["../src/tokens.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAWH,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;;;;;GAMG;AACH,wBAAgB,aAAa,CAAC,UAAU,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,OAAO,CAG3E;AAED;;;;;;;GAOG;AACH,wBAAgB,eAAe,CAC7B,QAAQ,EAAE,MAAM,EAChB,UAAU,EAAE,MAAM,EAClB,UAAU,CAAC,EAAE,MAAM,GAClB,gBAAgB,CAuBlB;AAED;;;;;;;GAOG;AACH,wBAAgB,kBAAkB,CAChC,QAAQ,EAAE,MAAM,EAChB,KAAK,EAAE,MAAM,EAAE,EACf,UAAU,CAAC,EAAE,MAAM,GAClB,MAAM,EAAE,CAWV;AAED;;;;;;;GAOG;AACH,wBAAgB,gBAAgB,CAC9B,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,MAAM,EAAE,GAAG,IAAI,EACzB,UAAU,CAAC,EAAE,MAAM,GAClB,IAAI,CAGN;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM,GAAG,OAAO,CAEjF;AAED;;;GAGG;AACH,wBAAgB,YAAY,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,IAAI,GAAG,MAAM,CAI5D;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,UAAU,CAAC,EAAE,MAAM,GAAG,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC,CAOnF;AAED;;;;;;;;;GASG;AACH,wBAAgB,yBAAyB,CACvC,WAAW,EAAE,MAAM,GAAG,SAAS,EAC/B,MAAM,EAAE,MAAM,EAAE,GAAG,IAAI,GACtB;IAAE,iBAAiB,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC;IAAC,UAAU,EAAE,OAAO,CAAA;CAAE,CA8B7D"}

package/dist/tokens.js

@@ -0,0 +1,150 @@
+/**
+ * Prefix-scoped token management for unotoken — US-001.
+ *
+ * Extends yokotoken's TokenManager with prefix-based scope enforcement.
+ * Scopes restrict which secret paths a token can access.
+ *
+ * Scope matching rules:
+ * - A scope "levelfit/" matches any path starting with "levelfit/"
+ * - Multiple scopes: token can access paths matching ANY of its scopes
+ * - No scopes (null): token has full access (backward compat)
+ * - Empty scopes array ([]): token has no access (effectively revoked)
+ */
+import { hashToken } from 'yokotoken';
+import { getTokenScopes, setTokenScopes, removeTokenScopesByName, loadTokenScopes, } from './db.js';
+/**
+ * Check if a secret path matches any of the allowed prefix scopes.
+ *
+ * @param secretPath - The secret path being accessed (e.g., "levelfit/stripe/key")
+ * @param scopes - Array of allowed prefixes (e.g., ["levelfit/"])
+ * @returns true if the path matches at least one scope
+ */
+export function matchesPrefix(secretPath, scopes) {
+    if (scopes.length === 0)
+        return false;
+    return scopes.some((scope) => secretPath.startsWith(scope));
+}
+/**
+ * Check if a token (by raw value) is allowed to access a given path.
+ *
+ * @param rawToken - The raw bearer token
+ * @param secretPath - The secret path being accessed
+ * @param scopesPath - Optional path to the scopes file
+ * @returns ScopeCheckResult with allowed/denied and reason
+ */
+export function checkTokenScope(rawToken, secretPath, scopesPath) {
+    const tokenHash = hashToken(rawToken);
+    const scopes = getTokenScopes(tokenHash, scopesPath);
+    // No scope entry = full access (backward compat)
+    if (scopes === null) {
+        return { allowed: true };
+    }
+    // Empty scopes = no access
+    if (scopes.length === 0) {
+        return { allowed: false, reason: 'Token has no prefix scopes configured' };
+    }
+    // Check if path matches any scope
+    if (matchesPrefix(secretPath, scopes)) {
+        return { allowed: true };
+    }
+    return {
+        allowed: false,
+        reason: `Access denied: path '${secretPath}' is outside token's allowed prefixes: ${scopes.map((s) => `${s}*`).join(', ')}`,
+    };
+}
+/**
+ * Filter a list of secret paths to only those matching a token's scopes.
+ *
+ * @param rawToken - The raw bearer token
+ * @param paths - List of secret paths to filter
+ * @param scopesPath - Optional path to the scopes file
+ * @returns Filtered paths that the token can access
+ */
+export function filterByTokenScope(rawToken, paths, scopesPath) {
+    const tokenHash = hashToken(rawToken);
+    const scopes = getTokenScopes(tokenHash, scopesPath);
+    // No scope entry = full access
+    if (scopes === null) {
+        return paths;
+    }
+    // Filter to matching paths
+    return paths.filter((p) => matchesPrefix(p, scopes));
+}
+/**
+ * Store scopes for a newly created token.
+ *
+ * @param rawToken - The raw token value (will be hashed for storage)
+ * @param name - The token name
+ * @param prefixes - Array of prefix scopes, or null for full access
+ * @param scopesPath - Optional path to the scopes file
+ */
+export function storeTokenScopes(rawToken, name, prefixes, scopesPath) {
+    const tokenHash = hashToken(rawToken);
+    setTokenScopes(tokenHash, name, prefixes, scopesPath);
+}
+/**
+ * Remove scopes when a token is revoked.
+ */
+export function revokeTokenScopes(tokenName, scopesPath) {
+    return removeTokenScopesByName(tokenName, scopesPath);
+}
+/**
+ * Get scope display string for a token.
+ * Examples: "levelfit/*", "hq-cloud/* + synesis/*", "*" (full access)
+ */
+export function formatScopes(scopes) {
+    if (scopes === null)
+        return '*';
+    if (scopes.length === 0)
+        return '(none)';
+    return scopes.map((s) => `${s}*`).join(' + ');
+}
+/**
+ * Build a scope map from the store keyed by token name.
+ * Used by the CLI to display scopes alongside token metadata.
+ */
+export function buildScopesByName(scopesPath) {
+    const store = loadTokenScopes(scopesPath);
+    const map = new Map();
+    for (const entry of Object.values(store)) {
+        map.set(entry.name, entry.scopes);
+    }
+    return map;
+}
+/**
+ * Intersect a query prefix with token scopes.
+ * Used for LIST operations: if the user requests prefix "levelfit/"
+ * and the token has scope ["levelfit/"], return "levelfit/".
+ * If the token has scope ["synesis/"], return null (no intersection).
+ *
+ * @param queryPrefix - The prefix from the list query (may be undefined for all)
+ * @param scopes - The token's allowed prefixes
+ * @returns The effective prefix to query, or null if no intersection
+ */
+export function intersectPrefixWithScopes(queryPrefix, scopes) {
+    // No scopes = full access
+    if (scopes === null) {
+        return { effectivePrefixes: null, restricted: false };
+    }
+    // No query prefix = return all scope prefixes
+    if (!queryPrefix) {
+        return { effectivePrefixes: scopes, restricted: true };
+    }
+    // Find scopes that overlap with the query prefix
+    const matching = scopes.filter((scope) => {
+        // Query is more specific than scope: "levelfit/stripe/" starts with "levelfit/"
+        if (queryPrefix.startsWith(scope))
+            return true;
+        // Scope is more specific than query: "levelfit/" starts with "levelfit"
+        if (scope.startsWith(queryPrefix))
+            return true;
+        return false;
+    });
+    if (matching.length === 0) {
+        return { effectivePrefixes: [], restricted: true };
+    }
+    // Use the more specific prefix in each case
+    const effective = matching.map((scope) => queryPrefix.startsWith(scope) ? queryPrefix : scope);
+    return { effectivePrefixes: effective, restricted: true };
+}
+//# sourceMappingURL=tokens.js.map

package/dist/tokens.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tokens.js","sourceRoot":"","sources":["../src/tokens.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EACL,cAAc,EACd,cAAc,EACd,uBAAuB,EACvB,eAAe,GAEhB,MAAM,SAAS,CAAC;AAOjB;;;;;;GAMG;AACH,MAAM,UAAU,aAAa,CAAC,UAAkB,EAAE,MAAgB;IAChE,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IACtC,OAAO,MAAM,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC;AAC9D,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,eAAe,CAC7B,QAAgB,EAChB,UAAkB,EAClB,UAAmB;IAEnB,MAAM,SAAS,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;IACtC,MAAM,MAAM,GAAG,cAAc,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;IAErD,iDAAiD;IACjD,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;QACpB,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAC3B,CAAC;IAED,2BAA2B;IAC3B,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACxB,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,uCAAuC,EAAE,CAAC;IAC7E,CAAC;IAED,kCAAkC;IAClC,IAAI,aAAa,CAAC,UAAU,EAAE,MAAM,CAAC,EAAE,CAAC;QACtC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAC3B,CAAC;IAED,OAAO;QACL,OAAO,EAAE,KAAK;QACd,MAAM,EAAE,wBAAwB,UAAU,0CAA0C,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;KAC5H,CAAC;AACJ,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,kBAAkB,CAChC,QAAgB,EAChB,KAAe,EACf,UAAmB;IAEnB,MAAM,SAAS,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;IACtC,MAAM,MAAM,GAAG,cAAc,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;IAErD,+BAA+B;IAC/B,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;QACpB,OAAO,KAAK,CAAC;IACf,CAAC;IAED,2BAA2B;IAC3B,OAAO,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,aAAa,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC;AACvD,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,gBAAgB,CAC9B,QAAgB,EAChB,IAAY,EACZ,QAAyB,EACzB,UAAmB;IAEnB,MAAM,SAAS,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;IACtC,cAAc,CAAC,SAAS,EAAE,IAAI,EAAE,QAAQ,EAAE,UAAU,CAAC,CAAC;AACxD,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAAC,SAAiB,EAAE,UAAmB;IACtE,OAAO,uBAAuB,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;AACxD,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,YAAY,CAAC,MAAuB;IAClD,IAAI,MAAM,KAAK,IAAI;QAAE,OAAO,GAAG,CAAC;IAChC,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,QAAQ,CAAC;IACzC,OAAO,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;AAChD,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,iBAAiB,CAAC,UAAmB;IACnD,MAAM,KAAK,GAAoB,eAAe,CAAC,UAAU,CAAC,CAAC;IAC3D,MAAM,GAAG,GAAG,IAAI,GAAG,EAA2B,CAAC;IAC/C,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;QACzC,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACpC,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,yBAAyB,CACvC,WAA+B,EAC/B,MAAuB;IAEvB,0BAA0B;IAC1B,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;QACpB,OAAO,EAAE,iBAAiB,EAAE,IAAI,EAAE,UAAU,EAAE,KAAK,EAAE,CAAC;IACxD,CAAC;IAED,8CAA8C;IAC9C,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,OAAO,EAAE,iBAAiB,EAAE,MAAM,EAAE,UAAU,EAAE,IAAI,EAAE,CAAC;IACzD,CAAC;IAED,iDAAiD;IACjD,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE;QACvC,gFAAgF;QAChF,IAAI,WAAW,CAAC,UAAU,CAAC,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QAC/C,wEAAwE;QACxE,IAAI,KAAK,CAAC,UAAU,CAAC,WAAW,CAAC;YAAE,OAAO,IAAI,CAAC;QAC/C,OAAO,KAAK,CAAC;IACf,CAAC,CAAC,CAAC;IAEH,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1B,OAAO,EAAE,iBAAiB,EAAE,EAAE,EAAE,UAAU,EAAE,IAAI,EAAE,CAAC;IACrD,CAAC;IAED,4CAA4C;IAC5C,MAAM,SAAS,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CACvC,WAAW,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,KAAK,CACpD,CAAC;IAEF,OAAO,EAAE,iBAAiB,EAAE,SAAS,EAAE,UAAU,EAAE,IAAI,EAAE,CAAC;AAC5D,CAAC"}

package/package.json

@@ -0,0 +1,62 @@
+{
+  "name": "unotoken",
+  "version": "0.1.0",
+  "description": "unotoken — yokotoken + cloud features (OAuth unlock, team vaults, key escrow, device signatures)",
+  "type": "module",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "bin": {
+    "unotoken": "dist/cli.js"
+  },
+  "files": [
+    "dist/",
+    "README.md"
+  ],
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
+    },
+    "./sdk": {
+      "types": "./dist/sdk.d.ts",
+      "import": "./dist/sdk.js"
+    },
+    "./client": {
+      "types": "./dist/client.d.ts",
+      "import": "./dist/client.js"
+    }
+  },
+  "scripts": {
+    "build": "tsc",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "typecheck": "tsc --noEmit"
+  },
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/indigoai-us/unotoken.git"
+  },
+  "license": "MIT",
+  "keywords": [
+    "vault",
+    "secrets",
+    "encryption",
+    "oauth",
+    "cloud",
+    "agent",
+    "ai"
+  ],
+  "author": "Indigo AI <engineering@getindigo.ai> (https://getindigo.ai)",
+  "dependencies": {
+    "commander": "^14.0.3",
+    "yokotoken": "^0.1.1"
+  },
+  "devDependencies": {
+    "@types/node": "^22.13.4",
+    "typescript": "^5.7.3",
+    "vitest": "^3.0.5"
+  },
+  "engines": {
+    "node": ">=20.0.0"
+  }
+}