unotoken 0.1.0

package/dist/env-mapper.js

@@ -0,0 +1,97 @@
+/**
+ * env-mapper — Convert vault secret paths to environment variable names.
+ *
+ * Used by `exec` and `dotenv` commands to inject vault secrets as env vars.
+ *
+ * Mapping rules:
+ * 1. Strip the prefix from the path (e.g., "levelfit/" from "levelfit/stripe/secret/key")
+ * 2. Replace slashes with underscores
+ * 3. Uppercase the result
+ *
+ * Example: prefix="levelfit/", path="levelfit/stripe/secret/key" → "STRIPE_SECRET_KEY"
+ */
+/**
+ * Strip a prefix from a vault secret path.
+ *
+ * @param secretPath - Full secret path (e.g., "levelfit/stripe/secret/key")
+ * @param prefix - Prefix to strip (e.g., "levelfit/")
+ * @returns Remaining path after prefix removal
+ */
+export function stripPrefix(secretPath, prefix) {
+    if (!prefix)
+        return secretPath;
+    // Normalize: ensure prefix ends with /
+    const normalizedPrefix = prefix.endsWith('/') ? prefix : prefix + '/';
+    if (secretPath.startsWith(normalizedPrefix)) {
+        return secretPath.slice(normalizedPrefix.length);
+    }
+    return secretPath;
+}
+/**
+ * Convert a vault secret path (after prefix stripping) to an env var name.
+ *
+ * @param pathAfterPrefix - Path with prefix already stripped (e.g., "stripe/secret/key")
+ * @returns Environment variable name (e.g., "STRIPE_SECRET_KEY")
+ */
+export function pathToEnvVar(pathAfterPrefix) {
+    return pathAfterPrefix
+        .replace(/\//g, '_')
+        .toUpperCase();
+}
+/**
+ * Convert a full vault secret path to an env var name, stripping the given prefix.
+ *
+ * @param secretPath - Full secret path (e.g., "levelfit/stripe/secret/key")
+ * @param prefix - Prefix to strip (e.g., "levelfit/")
+ * @returns Environment variable name (e.g., "STRIPE_SECRET_KEY")
+ */
+export function secretPathToEnvVar(secretPath, prefix) {
+    const stripped = stripPrefix(secretPath, prefix);
+    return pathToEnvVar(stripped);
+}
+/**
+ * Build an env var map from vault secrets.
+ *
+ * @param secrets - Array of { path, value } from the vault
+ * @param prefix - Prefix to strip when converting to env var names
+ * @returns Map of env var name to value
+ */
+export function buildEnvMap(secrets, prefix) {
+    const env = {};
+    for (const secret of secrets) {
+        const envVar = secretPathToEnvVar(secret.path, prefix);
+        env[envVar] = secret.value;
+    }
+    return env;
+}
+/**
+ * Parse a .env file into key-value pairs.
+ * Handles: KEY=VALUE, quoted values, comments, blank lines.
+ *
+ * @param content - Raw .env file content
+ * @returns Record of key-value pairs
+ */
+export function parseEnvFile(content) {
+    const env = {};
+    for (const line of content.split('\n')) {
+        const trimmed = line.trim();
+        // Skip empty lines and comments
+        if (!trimmed || trimmed.startsWith('#'))
+            continue;
+        const eqIndex = trimmed.indexOf('=');
+        if (eqIndex === -1)
+            continue;
+        const key = trimmed.slice(0, eqIndex).trim();
+        let value = trimmed.slice(eqIndex + 1).trim();
+        // Remove surrounding quotes
+        if ((value.startsWith('"') && value.endsWith('"')) ||
+            (value.startsWith("'") && value.endsWith("'"))) {
+            value = value.slice(1, -1);
+        }
+        if (key) {
+            env[key] = value;
+        }
+    }
+    return env;
+}
+//# sourceMappingURL=env-mapper.js.map

package/dist/env-mapper.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"env-mapper.js","sourceRoot":"","sources":["../src/env-mapper.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH;;;;;;GAMG;AACH,MAAM,UAAU,WAAW,CAAC,UAAkB,EAAE,MAAc;IAC5D,IAAI,CAAC,MAAM;QAAE,OAAO,UAAU,CAAC;IAE/B,uCAAuC;IACvC,MAAM,gBAAgB,GAAG,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,GAAG,GAAG,CAAC;IAEtE,IAAI,UAAU,CAAC,UAAU,CAAC,gBAAgB,CAAC,EAAE,CAAC;QAC5C,OAAO,UAAU,CAAC,KAAK,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC;IACnD,CAAC;IAED,OAAO,UAAU,CAAC;AACpB,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,YAAY,CAAC,eAAuB;IAClD,OAAO,eAAe;SACnB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,WAAW,EAAE,CAAC;AACnB,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,kBAAkB,CAAC,UAAkB,EAAE,MAAc;IACnE,MAAM,QAAQ,GAAG,WAAW,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;IACjD,OAAO,YAAY,CAAC,QAAQ,CAAC,CAAC;AAChC,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,WAAW,CACzB,OAA+C,EAC/C,MAAc;IAEd,MAAM,GAAG,GAA2B,EAAE,CAAC;IAEvC,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;QAC7B,MAAM,MAAM,GAAG,kBAAkB,CAAC,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;QACvD,GAAG,CAAC,MAAM,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC;IAC7B,CAAC;IAED,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,YAAY,CAAC,OAAe;IAC1C,MAAM,GAAG,GAA2B,EAAE,CAAC;IAEvC,KAAK,MAAM,IAAI,IAAI,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;QACvC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAE5B,gCAAgC;QAChC,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,SAAS;QAElD,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACrC,IAAI,OAAO,KAAK,CAAC,CAAC;YAAE,SAAS;QAE7B,MAAM,GAAG,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC;QAC7C,IAAI,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,OAAO,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QAE9C,4BAA4B;QAC5B,IACE,CAAC,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;YAC9C,CAAC,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,EAC9C,CAAC;YACD,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QAC7B,CAAC;QAED,IAAI,GAAG,EAAE,CAAC;YACR,GAAG,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;QACnB,CAAC;IACH,CAAC;IAED,OAAO,GAAG,CAAC;AACb,CAAC"}

package/dist/exec.d.ts

@@ -0,0 +1,80 @@
+/**
+ * exec — Spawn a child process with vault secrets injected as env vars.
+ *
+ * Usage: unotoken exec --prefix levelfit/ -- npm run dev
+ *
+ * Fetches all secrets under the given prefix from the vault, converts
+ * them to env vars (prefix stripped, slashes → underscores, uppercased),
+ * and spawns the child process with those vars merged into the environment.
+ */
+export interface ExecOptions {
+    /** Vault prefix to fetch secrets from (e.g., "levelfit/") */
+    prefix: string;
+    /** Command and arguments to run */
+    command: string[];
+    /** Bearer token for vault authentication */
+    token: string;
+    /** Vault server host (default: "127.0.0.1") */
+    host?: string;
+    /** Vault server port */
+    port: number;
+    /** If true, vault values override existing env vars with matching keys (default: true) */
+    force?: boolean;
+    /** Optional supplementary .env file path */
+    envFile?: string;
+    /** Whether to use HTTPS (default: false for local) */
+    insecure?: boolean;
+}
+export interface VaultSecret {
+    path: string;
+    value: string;
+}
+/**
+ * Fetch all secrets under a prefix from the vault.
+ *
+ * @param opts - Connection options
+ * @returns Array of { path, value } for each secret
+ */
+export declare function fetchSecretsForPrefix(opts: {
+    prefix: string;
+    token: string;
+    host: string;
+    port: number;
+    insecure?: boolean;
+}): Promise<VaultSecret[]>;
+/**
+ * Build the environment for the child process.
+ *
+ * Merges: process.env + envFile (if any) + vault secrets.
+ * By default, vault secrets take precedence over existing env vars.
+ * Use force=false to skip vault vars that already exist in the environment.
+ */
+export declare function buildChildEnv(opts: {
+    secrets: VaultSecret[];
+    prefix: string;
+    force?: boolean;
+    envFile?: string;
+    baseEnv?: Record<string, string | undefined>;
+}): Record<string, string>;
+/**
+ * Execute a command with vault secrets injected as env vars.
+ *
+ * @returns Exit code of the child process
+ */
+export declare function execWithVaultSecrets(opts: ExecOptions): Promise<number>;
+/**
+ * Resolve the vault token from options, env var, or token file.
+ *
+ * Priority: explicit token > UNOTOKEN_TOKEN env var > ~/.yokotoken/token
+ */
+export declare function resolveToken(explicitToken?: string): Promise<string>;
+/**
+ * Resolve the vault port from options, env var, or port file.
+ *
+ * Priority: explicit vault-url > UNOTOKEN_URL env var > port file
+ */
+export declare function resolveVaultConnection(vaultUrl?: string): Promise<{
+    host: string;
+    port: number;
+}>;
+//# sourceMappingURL=exec.d.ts.map

package/dist/exec.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"exec.d.ts","sourceRoot":"","sources":["../src/exec.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAMH,MAAM,WAAW,WAAW;IAC1B,6DAA6D;IAC7D,MAAM,EAAE,MAAM,CAAC;IAEf,mCAAmC;IACnC,OAAO,EAAE,MAAM,EAAE,CAAC;IAElB,4CAA4C;IAC5C,KAAK,EAAE,MAAM,CAAC;IAEd,+CAA+C;IAC/C,IAAI,CAAC,EAAE,MAAM,CAAC;IAEd,wBAAwB;IACxB,IAAI,EAAE,MAAM,CAAC;IAEb,0FAA0F;IAC1F,KAAK,CAAC,EAAE,OAAO,CAAC;IAEhB,4CAA4C;IAC5C,OAAO,CAAC,EAAE,MAAM,CAAC;IAEjB,sDAAsD;IACtD,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB;AAED,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;CACf;AAED;;;;;GAKG;AACH,wBAAsB,qBAAqB,CAAC,IAAI,EAAE;IAChD,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC,CAwCzB;AAED;;;;;;GAMG;AACH,wBAAgB,aAAa,CAAC,IAAI,EAAE;IAClC,OAAO,EAAE,WAAW,EAAE,CAAC;IACvB,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,CAAC;CAC9C,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAmCzB;AAED;;;;GAIG;AACH,wBAAsB,oBAAoB,CAAC,IAAI,EAAE,WAAW,GAAG,OAAO,CAAC,MAAM,CAAC,CAgD7E;AAgBD;;;;GAIG;AACH,wBAAsB,YAAY,CAChC,aAAa,CAAC,EAAE,MAAM,GACrB,OAAO,CAAC,MAAM,CAAC,CAwBjB;AAED;;;;GAIG;AACH,wBAAsB,sBAAsB,CAC1C,QAAQ,CAAC,EAAE,MAAM,GAChB,OAAO,CAAC;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,CAAC,CAsCzC"}

package/dist/exec.js

@@ -0,0 +1,214 @@
+/**
+ * exec — Spawn a child process with vault secrets injected as env vars.
+ *
+ * Usage: unotoken exec --prefix levelfit/ -- npm run dev
+ *
+ * Fetches all secrets under the given prefix from the vault, converts
+ * them to env vars (prefix stripped, slashes → underscores, uppercased),
+ * and spawns the child process with those vars merged into the environment.
+ */
+import { spawn } from 'node:child_process';
+import fs from 'node:fs';
+import { buildEnvMap, parseEnvFile } from './env-mapper.js';
+/**
+ * Fetch all secrets under a prefix from the vault.
+ *
+ * @param opts - Connection options
+ * @returns Array of { path, value } for each secret
+ */
+export async function fetchSecretsForPrefix(opts) {
+    const { vaultRequest } = await import('yokotoken');
+    const config = {
+        port: opts.port,
+        host: opts.host,
+        token: opts.token,
+        insecure: opts.insecure !== false, // default true for local
+    };
+    // List secrets under the prefix
+    const listRes = await vaultRequest(config, 'GET', `/v1/secrets?prefix=${encodeURIComponent(opts.prefix)}`);
+    if (listRes.statusCode !== 200) {
+        const body = listRes.body;
+        throw new Error(body.error || `Failed to list secrets (HTTP ${listRes.statusCode})`);
+    }
+    const entries = listRes.body.entries || [];
+    // Fetch each secret's value
+    const secrets = [];
+    for (const entry of entries) {
+        const getRes = await vaultRequest(config, 'GET', `/v1/secrets/${encodeURIComponent(entry.path)}`);
+        if (getRes.statusCode === 200) {
+            const body = getRes.body;
+            secrets.push({ path: entry.path, value: body.value });
+        }
+    }
+    return secrets;
+}
+/**
+ * Build the environment for the child process.
+ *
+ * Merges: process.env + envFile (if any) + vault secrets.
+ * By default, vault secrets take precedence over existing env vars.
+ * Use force=false to skip vault vars that already exist in the environment.
+ */
+export function buildChildEnv(opts) {
+    const base = opts.baseEnv ?? process.env;
+    const force = opts.force !== false; // default: vault values take precedence
+    // Start with current environment
+    const env = {};
+    for (const [key, value] of Object.entries(base)) {
+        if (value !== undefined) {
+            env[key] = value;
+        }
+    }
+    // Layer 2: supplementary .env file (if provided)
+    if (opts.envFile) {
+        const content = fs.readFileSync(opts.envFile, 'utf-8');
+        const envFileVars = parseEnvFile(content);
+        Object.assign(env, envFileVars);
+    }
+    // Layer 3: vault secrets
+    const vaultEnv = buildEnvMap(opts.secrets, opts.prefix);
+    if (force) {
+        // Vault values override everything
+        Object.assign(env, vaultEnv);
+    }
+    else {
+        // Only set vault values that don't already exist
+        for (const [key, value] of Object.entries(vaultEnv)) {
+            if (!(key in env)) {
+                env[key] = value;
+            }
+        }
+    }
+    return env;
+}
+/**
+ * Execute a command with vault secrets injected as env vars.
+ *
+ * @returns Exit code of the child process
+ */
+export async function execWithVaultSecrets(opts) {
+    const host = opts.host ?? '127.0.0.1';
+    const prefix = opts.prefix;
+    // Fetch secrets from vault
+    const secrets = await fetchSecretsForPrefix({
+        prefix,
+        token: opts.token,
+        host,
+        port: opts.port,
+        insecure: opts.insecure,
+    });
+    // Build child environment
+    const childEnv = buildChildEnv({
+        secrets,
+        prefix,
+        force: opts.force,
+        envFile: opts.envFile,
+    });
+    // Spawn child process
+    const [cmd, ...args] = opts.command;
+    if (!cmd) {
+        throw new Error('No command specified');
+    }
+    return new Promise((resolve, reject) => {
+        const child = spawn(cmd, args, {
+            stdio: 'inherit',
+            env: childEnv,
+            shell: true,
+        });
+        child.on('error', (err) => {
+            reject(new Error(`Failed to start command '${cmd}': ${err.message}`));
+        });
+        child.on('exit', (code, signal) => {
+            if (signal) {
+                // Process was killed by a signal
+                resolve(128 + (signalToNumber(signal) || 1));
+            }
+            else {
+                resolve(code ?? 1);
+            }
+        });
+    });
+}
+/**
+ * Convert a signal name to its numeric value.
+ */
+function signalToNumber(signal) {
+    const signals = {
+        SIGHUP: 1,
+        SIGINT: 2,
+        SIGQUIT: 3,
+        SIGTERM: 15,
+        SIGKILL: 9,
+    };
+    return signals[signal] || 0;
+}
+/**
+ * Resolve the vault token from options, env var, or token file.
+ *
+ * Priority: explicit token > UNOTOKEN_TOKEN env var > ~/.yokotoken/token
+ */
+export async function resolveToken(explicitToken) {
+    // 1. Explicit token from --token flag
+    if (explicitToken)
+        return explicitToken;
+    // 2. UNOTOKEN_TOKEN environment variable
+    const envToken = process.env['UNOTOKEN_TOKEN'];
+    if (envToken)
+        return envToken;
+    // 3. Token file (~/.yokotoken/token)
+    try {
+        const { readTokenFile, getDefaultTokenFile } = await import('yokotoken');
+        const tokenFile = getDefaultTokenFile();
+        const fileToken = readTokenFile(tokenFile);
+        if (fileToken)
+            return fileToken;
+    }
+    catch {
+        // Token file not found or unreadable
+    }
+    throw new Error('No authentication token found. Provide one via:\n' +
+        '  --token <token>\n' +
+        '  UNOTOKEN_TOKEN environment variable\n' +
+        '  ~/.yokotoken/token file (created by vault server)');
+}
+/**
+ * Resolve the vault port from options, env var, or port file.
+ *
+ * Priority: explicit vault-url > UNOTOKEN_URL env var > port file
+ */
+export async function resolveVaultConnection(vaultUrl) {
+    // 1. Explicit --vault-url
+    if (vaultUrl) {
+        const url = new URL(vaultUrl);
+        return {
+            host: url.hostname,
+            port: parseInt(url.port, 10) || (url.protocol === 'https:' ? 443 : 80),
+        };
+    }
+    // 2. UNOTOKEN_URL environment variable
+    const envUrl = process.env['UNOTOKEN_URL'];
+    if (envUrl) {
+        const url = new URL(envUrl);
+        return {
+            host: url.hostname,
+            port: parseInt(url.port, 10) || (url.protocol === 'https:' ? 443 : 80),
+        };
+    }
+    // 3. Port file (local vault)
+    try {
+        const { readServerPort, getDefaultPortFile } = await import('yokotoken');
+        const portFile = getDefaultPortFile();
+        const port = readServerPort(portFile);
+        if (port) {
+            return { host: '127.0.0.1', port };
+        }
+    }
+    catch {
+        // Port file not found
+    }
+    throw new Error('Cannot reach vault. Ensure the vault server is running, or provide:\n' +
+        '  --vault-url <url>\n' +
+        '  UNOTOKEN_URL environment variable\n' +
+        '  Start local vault with: unotoken server');
+}
+//# sourceMappingURL=exec.js.map

package/dist/exec.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"exec.js","sourceRoot":"","sources":["../src/exec.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAC;AAC3C,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAiC5D;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB,CAAC,IAM3C;IACC,MAAM,EAAE,YAAY,EAAE,GAAG,MAAM,MAAM,CAAC,WAAW,CAAC,CAAC;IAEnD,MAAM,MAAM,GAAG;QACb,IAAI,EAAE,IAAI,CAAC,IAAI;QACf,IAAI,EAAE,IAAI,CAAC,IAAI;QACf,KAAK,EAAE,IAAI,CAAC,KAAK;QACjB,QAAQ,EAAE,IAAI,CAAC,QAAQ,KAAK,KAAK,EAAE,yBAAyB;KAC7D,CAAC;IAEF,gCAAgC;IAChC,MAAM,OAAO,GAAG,MAAM,YAAY,CAChC,MAAM,EACN,KAAK,EACL,sBAAsB,kBAAkB,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CACxD,CAAC;IAEF,IAAI,OAAO,CAAC,UAAU,KAAK,GAAG,EAAE,CAAC;QAC/B,MAAM,IAAI,GAAG,OAAO,CAAC,IAA8B,CAAC;QACpD,MAAM,IAAI,KAAK,CAAC,IAAI,CAAC,KAAK,IAAI,gCAAgC,OAAO,CAAC,UAAU,GAAG,CAAC,CAAC;IACvF,CAAC;IAED,MAAM,OAAO,GAAI,OAAO,CAAC,IAA6C,CAAC,OAAO,IAAI,EAAE,CAAC;IAErF,4BAA4B;IAC5B,MAAM,OAAO,GAAkB,EAAE,CAAC;IAClC,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;QAC5B,MAAM,MAAM,GAAG,MAAM,YAAY,CAC/B,MAAM,EACN,KAAK,EACL,eAAe,kBAAkB,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAChD,CAAC;QAEF,IAAI,MAAM,CAAC,UAAU,KAAK,GAAG,EAAE,CAAC;YAC9B,MAAM,IAAI,GAAG,MAAM,CAAC,IAAyB,CAAC;YAC9C,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC;QACxD,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,aAAa,CAAC,IAM7B;IACC,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,IAAK,OAAO,CAAC,GAA0C,CAAC;IACjF,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,KAAK,KAAK,CAAC,CAAC,wCAAwC;IAE5E,iCAAiC;IACjC,MAAM,GAAG,GAA2B,EAAE,CAAC;IACvC,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QAChD,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;YACxB,GAAG,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;QACnB,CAAC;IACH,CAAC;IAED,iDAAiD;IACjD,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;QACjB,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QACvD,MAAM,WAAW,GAAG,YAAY,CAAC,OAAO,CAAC,CAAC;QAC1C,MAAM,CAAC,MAAM,CAAC,GAAG,EAAE,WAAW,CAAC,CAAC;IAClC,CAAC;IAED,yBAAyB;IACzB,MAAM,QAAQ,GAAG,WAAW,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;IAExD,IAAI,KAAK,EAAE,CAAC;QACV,mCAAmC;QACnC,MAAM,CAAC,MAAM,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;IAC/B,CAAC;SAAM,CAAC;QACN,iDAAiD;QACjD,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;YACpD,IAAI,CAAC,CAAC,GAAG,IAAI,GAAG,CAAC,EAAE,CAAC;gBAClB,GAAG,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;YACnB,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CAAC,IAAiB;IAC1D,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,IAAI,WAAW,CAAC;IACtC,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC;IAE3B,2BAA2B;IAC3B,MAAM,OAAO,GAAG,MAAM,qBAAqB,CAAC;QAC1C,MAAM;QACN,KAAK,EAAE,IAAI,CAAC,KAAK;QACjB,IAAI;QACJ,IAAI,EAAE,IAAI,CAAC,IAAI;QACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;KACxB,CAAC,CAAC;IAEH,0BAA0B;IAC1B,MAAM,QAAQ,GAAG,aAAa,CAAC;QAC7B,OAAO;QACP,MAAM;QACN,KAAK,EAAE,IAAI,CAAC,KAAK;QACjB,OAAO,EAAE,IAAI,CAAC,OAAO;KACtB,CAAC,CAAC;IAEH,sBAAsB;IACtB,MAAM,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC;IAEpC,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;IAC1C,CAAC;IAED,OAAO,IAAI,OAAO,CAAS,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QAC7C,MAAM,KAAK,GAAG,KAAK,CAAC,GAAG,EAAE,IAAI,EAAE;YAC7B,KAAK,EAAE,SAAS;YAChB,GAAG,EAAE,QAAQ;YACb,KAAK,EAAE,IAAI;SACZ,CAAC,CAAC;QAEH,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;YACxB,MAAM,CAAC,IAAI,KAAK,CAAC,4BAA4B,GAAG,MAAM,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;QACxE,CAAC,CAAC,CAAC;QAEH,KAAK,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE;YAChC,IAAI,MAAM,EAAE,CAAC;gBACX,iCAAiC;gBACjC,OAAO,CAAC,GAAG,GAAG,CAAC,cAAc,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAC/C,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,IAAI,IAAI,CAAC,CAAC,CAAC;YACrB,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;GAEG;AACH,SAAS,cAAc,CAAC,MAAc;IACpC,MAAM,OAAO,GAA2B;QACtC,MAAM,EAAE,CAAC;QACT,MAAM,EAAE,CAAC;QACT,OAAO,EAAE,CAAC;QACV,OAAO,EAAE,EAAE;QACX,OAAO,EAAE,CAAC;KACX,CAAC;IACF,OAAO,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;AAC9B,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,aAAsB;IAEtB,sCAAsC;IACtC,IAAI,aAAa;QAAE,OAAO,aAAa,CAAC;IAExC,yCAAyC;IACzC,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC;IAC/C,IAAI,QAAQ;QAAE,OAAO,QAAQ,CAAC;IAE9B,qCAAqC;IACrC,IAAI,CAAC;QACH,MAAM,EAAE,aAAa,EAAE,mBAAmB,EAAE,GAAG,MAAM,MAAM,CAAC,WAAW,CAAC,CAAC;QACzE,MAAM,SAAS,GAAG,mBAAmB,EAAE,CAAC;QACxC,MAAM,SAAS,GAAG,aAAa,CAAC,SAAS,CAAC,CAAC;QAC3C,IAAI,SAAS;YAAE,OAAO,SAAS,CAAC;IAClC,CAAC;IAAC,MAAM,CAAC;QACP,qCAAqC;IACvC,CAAC;IAED,MAAM,IAAI,KAAK,CACb,mDAAmD;QACnD,qBAAqB;QACrB,yCAAyC;QACzC,qDAAqD,CACtD,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAC1C,QAAiB;IAEjB,0BAA0B;IAC1B,IAAI,QAAQ,EAAE,CAAC;QACb,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC9B,OAAO;YACL,IAAI,EAAE,GAAG,CAAC,QAAQ;YAClB,IAAI,EAAE,QAAQ,CAAC,GAAG,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;SACvE,CAAC;IACJ,CAAC;IAED,uCAAuC;IACvC,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;IAC3C,IAAI,MAAM,EAAE,CAAC;QACX,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC;QAC5B,OAAO;YACL,IAAI,EAAE,GAAG,CAAC,QAAQ;YAClB,IAAI,EAAE,QAAQ,CAAC,GAAG,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;SACvE,CAAC;IACJ,CAAC;IAED,6BAA6B;IAC7B,IAAI,CAAC;QACH,MAAM,EAAE,cAAc,EAAE,kBAAkB,EAAE,GAAG,MAAM,MAAM,CAAC,WAAW,CAAC,CAAC;QACzE,MAAM,QAAQ,GAAG,kBAAkB,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,cAAc,CAAC,QAAQ,CAAC,CAAC;QACtC,IAAI,IAAI,EAAE,CAAC;YACT,OAAO,EAAE,IAAI,EAAE,WAAW,EAAE,IAAI,EAAE,CAAC;QACrC,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,sBAAsB;IACxB,CAAC;IAED,MAAM,IAAI,KAAK,CACb,uEAAuE;QACvE,uBAAuB;QACvB,uCAAuC;QACvC,2CAA2C,CAC5C,CAAC;AACJ,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,12 @@
+/**
+ * unotoken — yokotoken + cloud features.
+ *
+ * Re-exports the entire yokotoken public API so that `unotoken` can be used
+ * as a drop-in replacement. Cloud-specific exports (OAuth, team vaults,
+ * key escrow) are added as additional named exports.
+ */
+export { VaultEngine, type SecretEntry, type SecretMetadata, type SecretListEntry, type VaultStatus, createVaultServer, getDefaultVaultPath, getDefaultPidFile, getDefaultPortFile, getVaultDir, isServerRunning, readServerPort, DEFAULT_PORT, DEFAULT_IDLE_TIMEOUT_MS, type ServerConfig, vaultRequest, type ClientConfig, type ClientResponse, readPassphrase, readAndConfirmPassphrase, generateToken, getDefaultTokenFile, writeTokenFile, readTokenFile, validateBearerToken, RateLimiter, DEFAULT_RATE_LIMIT, type RateLimitConfig, ensureCerts, generateSelfSignedCert, getDefaultCertPaths, certsExist, type TlsCertPaths, type TlsCertData, TokenManager, generateAccessToken, hashToken, parseTTL, type TokenCreateOptions, type TokenCreateResult, type TokenMetadata, type TokenValidationResult, getSecret, storeSecret, listSecrets, VaultSdkError, type VaultSdkConfig, startDaemon, stopDaemon, restartDaemon, rotateLogIfNeeded, getDefaultLogFile, MAX_LOG_SIZE, type DaemonStartOptions, type DaemonStartResult, type DaemonStopResult, AuditLogger, readAuditLog, tailAuditLog, getDefaultAuditLogPath, type AuditOperation, type AuditEntry, type AuditFilterOptions, createBackup, restoreBackup, exportEnv, importEnv, parseEnvFile, pathToEnvName, envNameToPath, detectImportDuplicates, BACKUP_MAGIC, BACKUP_VERSION, BACKUP_HEADER_SIZE, type BackupResult, type RestoreResult, type ExportResult, type ImportResult, type ImportConflictStrategy, type ImportDuplicate, type EnvEntry, IdentityDatabase, getDefaultIdentityDbPath, type Identity, type IdentityType, type Org, type Project, type OrgMember, type ProjectMember, type MemberRole, type IdentityCreateResult, NetworkVaultClient, NetworkClientError, type NetworkClientConfig, type NetworkClientResponse, readConfig, writeConfig, setConfigField, getConfigField, deleteConfigField, resolveFieldName, formatConfigForDisplay, getDefaultConfigPath, getValidFields, type VaultConfig, type VaultConfigField, } from 'yokotoken';
+export { matchesPrefix, checkTokenScope, filterByTokenScope, storeTokenScopes, revokeTokenScopes, formatScopes, buildScopesByName, intersectPrefixWithScopes, type ScopeCheckResult, } from './tokens.js';
+export { loadTokenScopes, saveTokenScopes, setTokenScopes, getTokenScopes, removeTokenScopesByName, listTokenScopes, getDefaultScopesPath, type TokenScopeEntry, type TokenScopeStore, } from './db.js';
+export { createScopedVaultServer, type ScopedServerConfig, } from './server.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,EAEL,WAAW,EACX,KAAK,WAAW,EAChB,KAAK,cAAc,EACnB,KAAK,eAAe,EACpB,KAAK,WAAW,EAGhB,iBAAiB,EACjB,mBAAmB,EACnB,iBAAiB,EACjB,kBAAkB,EAClB,WAAW,EACX,eAAe,EACf,cAAc,EACd,YAAY,EACZ,uBAAuB,EACvB,KAAK,YAAY,EAGjB,YAAY,EACZ,KAAK,YAAY,EACjB,KAAK,cAAc,EAGnB,cAAc,EACd,wBAAwB,EAGxB,aAAa,EACb,mBAAmB,EACnB,cAAc,EACd,aAAa,EACb,mBAAmB,EACnB,WAAW,EACX,kBAAkB,EAClB,KAAK,eAAe,EAGpB,WAAW,EACX,sBAAsB,EACtB,mBAAmB,EACnB,UAAU,EACV,KAAK,YAAY,EACjB,KAAK,WAAW,EAGhB,YAAY,EACZ,mBAAmB,EACnB,SAAS,EACT,QAAQ,EACR,KAAK,kBAAkB,EACvB,KAAK,iBAAiB,EACtB,KAAK,aAAa,EAClB,KAAK,qBAAqB,EAG1B,SAAS,EACT,WAAW,EACX,WAAW,EACX,aAAa,EACb,KAAK,cAAc,EAGnB,WAAW,EACX,UAAU,EACV,aAAa,EACb,iBAAiB,EACjB,iBAAiB,EACjB,YAAY,EACZ,KAAK,kBAAkB,EACvB,KAAK,iBAAiB,EACtB,KAAK,gBAAgB,EAGrB,WAAW,EACX,YAAY,EACZ,YAAY,EACZ,sBAAsB,EACtB,KAAK,cAAc,EACnB,KAAK,UAAU,EACf,KAAK,kBAAkB,EAGvB,YAAY,EACZ,aAAa,EACb,SAAS,EACT,SAAS,EACT,YAAY,EACZ,aAAa,EACb,aAAa,EACb,sBAAsB,EACtB,YAAY,EACZ,cAAc,EACd,kBAAkB,EAClB,KAAK,YAAY,EACjB,KAAK,aAAa,EAClB,KAAK,YAAY,EACjB,KAAK,YAAY,EACjB,KAAK,sBAAsB,EAC3B,KAAK,eAAe,EACpB,KAAK,QAAQ,EAGb,gBAAgB,EAChB,wBAAwB,EACxB,KAAK,QAAQ,EACb,KAAK,YAAY,EACjB,KAAK,GAAG,EACR,KAAK,OAAO,EACZ,KAAK,SAAS,EACd,KAAK,aAAa,EAClB,KAAK,UAAU,EACf,KAAK,oBAAoB,EAGzB,kBAAkB,EAClB,kBAAkB,EAClB,KAAK,mBAAmB,EACxB,KAAK,qBAAqB,EAG1B,UAAU,EACV,WAAW,EACX,cAAc,EACd,cAAc,EACd,iBAAiB,EACjB,gBAAgB,EAChB,sBAAsB,EACtB,oBAAoB,EACpB,cAAc,EACd,KAAK,WAAW,EAChB,KAAK,gBAAgB,GACtB,MAAM,WAAW,CAAC;AAKnB,OAAO,EACL,aAAa,EACb,eAAe,EACf,kBAAkB,EAClB,gBAAgB,EAChB,iBAAiB,EACjB,YAAY,EACZ,iBAAiB,EACjB,yBAAyB,EACzB,KAAK,gBAAgB,GACtB,MAAM,aAAa,CAAC;AAErB,OAAO,EACL,eAAe,EACf,eAAe,EACf,cAAc,EACd,cAAc,EACd,uBAAuB,EACvB,eAAe,EACf,oBAAoB,EACpB,KAAK,eAAe,EACpB,KAAK,eAAe,GACrB,MAAM,SAAS,CAAC;AAEjB,OAAO,EACL,uBAAuB,EACvB,KAAK,kBAAkB,GACxB,MAAM,aAAa,CAAC"}

package/dist/index.js

@@ -0,0 +1,43 @@
+/**
+ * unotoken — yokotoken + cloud features.
+ *
+ * Re-exports the entire yokotoken public API so that `unotoken` can be used
+ * as a drop-in replacement. Cloud-specific exports (OAuth, team vaults,
+ * key escrow) are added as additional named exports.
+ */
+// Re-export everything from yokotoken core
+export { 
+// Vault engine
+VaultEngine, 
+// Server
+createVaultServer, getDefaultVaultPath, getDefaultPidFile, getDefaultPortFile, getVaultDir, isServerRunning, readServerPort, DEFAULT_PORT, DEFAULT_IDLE_TIMEOUT_MS, 
+// Client
+vaultRequest, 
+// Passphrase
+readPassphrase, readAndConfirmPassphrase, 
+// Auth
+generateToken, getDefaultTokenFile, writeTokenFile, readTokenFile, validateBearerToken, RateLimiter, DEFAULT_RATE_LIMIT, 
+// TLS
+ensureCerts, generateSelfSignedCert, getDefaultCertPaths, certsExist, 
+// Tokens
+TokenManager, generateAccessToken, hashToken, parseTTL, 
+// SDK
+getSecret, storeSecret, listSecrets, VaultSdkError, 
+// Daemon
+startDaemon, stopDaemon, restartDaemon, rotateLogIfNeeded, getDefaultLogFile, MAX_LOG_SIZE, 
+// Audit
+AuditLogger, readAuditLog, tailAuditLog, getDefaultAuditLogPath, 
+// Backup
+createBackup, restoreBackup, exportEnv, importEnv, parseEnvFile, pathToEnvName, envNameToPath, detectImportDuplicates, BACKUP_MAGIC, BACKUP_VERSION, BACKUP_HEADER_SIZE, 
+// Identity
+IdentityDatabase, getDefaultIdentityDbPath, 
+// Network Client
+NetworkVaultClient, NetworkClientError, 
+// Config
+readConfig, writeConfig, setConfigField, getConfigField, deleteConfigField, resolveFieldName, formatConfigForDisplay, getDefaultConfigPath, getValidFields, } from 'yokotoken';
+// ─── unotoken-specific exports ──────────────────────────────────────
+// Scoped tokens (US-001)
+export { matchesPrefix, checkTokenScope, filterByTokenScope, storeTokenScopes, revokeTokenScopes, formatScopes, buildScopesByName, intersectPrefixWithScopes, } from './tokens.js';
+export { loadTokenScopes, saveTokenScopes, setTokenScopes, getTokenScopes, removeTokenScopesByName, listTokenScopes, getDefaultScopesPath, } from './db.js';
+export { createScopedVaultServer, } from './server.js';
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,2CAA2C;AAC3C,OAAO;AACL,eAAe;AACf,WAAW;AAMX,SAAS;AACT,iBAAiB,EACjB,mBAAmB,EACnB,iBAAiB,EACjB,kBAAkB,EAClB,WAAW,EACX,eAAe,EACf,cAAc,EACd,YAAY,EACZ,uBAAuB;AAGvB,SAAS;AACT,YAAY;AAIZ,aAAa;AACb,cAAc,EACd,wBAAwB;AAExB,OAAO;AACP,aAAa,EACb,mBAAmB,EACnB,cAAc,EACd,aAAa,EACb,mBAAmB,EACnB,WAAW,EACX,kBAAkB;AAGlB,MAAM;AACN,WAAW,EACX,sBAAsB,EACtB,mBAAmB,EACnB,UAAU;AAIV,SAAS;AACT,YAAY,EACZ,mBAAmB,EACnB,SAAS,EACT,QAAQ;AAMR,MAAM;AACN,SAAS,EACT,WAAW,EACX,WAAW,EACX,aAAa;AAGb,SAAS;AACT,WAAW,EACX,UAAU,EACV,aAAa,EACb,iBAAiB,EACjB,iBAAiB,EACjB,YAAY;AAKZ,QAAQ;AACR,WAAW,EACX,YAAY,EACZ,YAAY,EACZ,sBAAsB;AAKtB,SAAS;AACT,YAAY,EACZ,aAAa,EACb,SAAS,EACT,SAAS,EACT,YAAY,EACZ,aAAa,EACb,aAAa,EACb,sBAAsB,EACtB,YAAY,EACZ,cAAc,EACd,kBAAkB;AASlB,WAAW;AACX,gBAAgB,EAChB,wBAAwB;AAUxB,iBAAiB;AACjB,kBAAkB,EAClB,kBAAkB;AAIlB,SAAS;AACT,UAAU,EACV,WAAW,EACX,cAAc,EACd,cAAc,EACd,iBAAiB,EACjB,gBAAgB,EAChB,sBAAsB,EACtB,oBAAoB,EACpB,cAAc,GAGf,MAAM,WAAW,CAAC;AAEnB,uEAAuE;AAEvE,yBAAyB;AACzB,OAAO,EACL,aAAa,EACb,eAAe,EACf,kBAAkB,EAClB,gBAAgB,EAChB,iBAAiB,EACjB,YAAY,EACZ,iBAAiB,EACjB,yBAAyB,GAE1B,MAAM,aAAa,CAAC;AAErB,OAAO,EACL,eAAe,EACf,eAAe,EACf,cAAc,EACd,cAAc,EACd,uBAAuB,EACvB,eAAe,EACf,oBAAoB,GAGrB,MAAM,SAAS,CAAC;AAEjB,OAAO,EACL,uBAAuB,GAExB,MAAM,aAAa,CAAC"}

package/dist/oauth/commands.d.ts

@@ -0,0 +1,151 @@
+/**
+ * OAuth CLI command handlers for unotoken.
+ *
+ * Implements:
+ * - `auth link <provider>` — Link an OAuth identity for passwordless unlock
+ * - `unlock --oauth` — Unlock the vault using a linked OAuth identity
+ *
+ * These commands bridge the OAuth flow engine, key wrapping, and yokotoken's
+ * vault engine to provide a passwordless unlock experience.
+ *
+ * @module
+ */
+import { type OAuthFlowConfig } from './flow.js';
+import type { OAuthProvider } from './provider.js';
+export type ProviderName = 'google' | 'github';
+export interface AuthLinkOptions {
+    /** Passphrase to derive the master key (vault must be initialized) */
+    passphrase: string;
+    /** Path to the vault database (default: ~/.hq-vault/vault.db) */
+    vaultPath?: string;
+    /** Device directory for device.key storage (default: ~/.yokotoken) */
+    deviceDir?: string;
+    /** OAuth flow configuration overrides (for testing) */
+    flowConfig?: OAuthFlowConfig;
+    /** Custom Google provider options */
+    googleOptions?: {
+        clientId?: string;
+        fetch?: typeof globalThis.fetch;
+    };
+    /** Custom GitHub provider options */
+    githubOptions?: {
+        clientId?: string;
+        clientSecret?: string;
+        fetch?: typeof globalThis.fetch;
+    };
+}
+export interface AuthLinkResult {
+    provider: ProviderName;
+    email?: string;
+    name?: string;
+    subjectId: string;
+}
+export interface UnlockOAuthOptions {
+    /** Specific provider to use (if omitted and multiple linked, must choose) */
+    provider?: ProviderName;
+    /** Path to the vault database (default: ~/.hq-vault/vault.db) */
+    vaultPath?: string;
+    /** Device directory for device.key storage (default: ~/.yokotoken) */
+    deviceDir?: string;
+    /** OAuth flow configuration overrides (for testing) */
+    flowConfig?: OAuthFlowConfig;
+    /** Custom Google provider options */
+    googleOptions?: {
+        clientId?: string;
+        fetch?: typeof globalThis.fetch;
+    };
+    /** Custom GitHub provider options */
+    githubOptions?: {
+        clientId?: string;
+        clientSecret?: string;
+        fetch?: typeof globalThis.fetch;
+    };
+    /** If true, attempt to notify the running server (default: true) */
+    sendToServer?: boolean;
+}
+export interface UnlockOAuthResult {
+    provider: ProviderName;
+    email?: string;
+    name?: string;
+    /** Whether the vault server was notified */
+    serverNotified: boolean;
+}
+export interface LinkedProvider {
+    provider: string;
+    subjectId: string;
+    createdAt: string;
+    lastUsedAt: string;
+}
+/**
+ * Validate that a provider name is supported.
+ */
+export declare function isValidProvider(name: string): name is ProviderName;
+/**
+ * Create an OAuthProvider instance for the given provider name.
+ */
+export declare function resolveProvider(name: ProviderName, options?: AuthLinkOptions | UnlockOAuthOptions): OAuthProvider;
+/**
+ * Link an OAuth identity to the vault for passwordless unlock.
+ *
+ * Flow:
+ * 1. Open vault database
+ * 2. Derive master key from passphrase (verifies passphrase is correct)
+ * 3. Run OAuth browser flow to authenticate the user
+ * 4. Wrap (encrypt) the master key with the OAuth identity
+ * 5. Store the wrapped key in the oauth_links table
+ *
+ * The vault must be initialized (have a passphrase set). The user provides
+ * their passphrase to prove ownership before linking.
+ *
+ * @param providerName - OAuth provider to link ('google' or 'github')
+ * @param options - Configuration options
+ * @returns Link result with provider info and user identity
+ */
+export declare function authLink(providerName: ProviderName, options: AuthLinkOptions): Promise<AuthLinkResult>;
+/**
+ * Unlock the vault using a linked OAuth identity.
+ *
+ * Flow:
+ * 1. Open vault database, list linked providers
+ * 2. If provider not specified and multiple linked, throw (caller must choose)
+ * 3. Run OAuth browser flow to authenticate the user
+ * 4. Unwrap (decrypt) the master key using the OAuth identity
+ * 5. Verify the unwrapped key against the vault's verification entry
+ * 6. Optionally notify the running vault server
+ *
+ * @param options - Configuration options
+ * @returns Unlock result with provider info
+ */
+export declare function unlockWithOAuth(options?: UnlockOAuthOptions): Promise<UnlockOAuthResult>;
+/**
+ * List all linked OAuth providers for the vault.
+ *
+ * Does NOT require the vault to be unlocked — reads the oauth_links table.
+ */
+export declare function listLinkedProviders(vaultPath?: string): Promise<LinkedProvider[]>;
+export interface UnlinkResult {
+    provider: string;
+    /** Whether this was the last linked provider (user now has passphrase only) */
+    wasLastProvider: boolean;
+}
+/**
+ * Remove an OAuth link for a specific provider.
+ *
+ * Does NOT require the vault to be unlocked — modifies the oauth_links table directly.
+ *
+ * @param providerName - OAuth provider to unlink ('google' or 'github')
+ * @param vaultPath - Path to the vault database (default: ~/.hq-vault/vault.db)
+ * @returns Unlink result indicating what was removed
+ * @throws Error if the provider is not linked
+ */
+export declare function unlinkProvider(providerName: string, vaultPath?: string): Promise<UnlinkResult>;
+/**
+ * Error thrown when multiple OAuth providers are linked and no specific
+ * provider was requested. The caller should present these to the user
+ * and re-call with a specific provider.
+ */
+export declare class MultipleProvidersError extends Error {
+    readonly providers: LinkedProvider[];
+    constructor(providers: LinkedProvider[]);
+}
+//# sourceMappingURL=commands.d.ts.map

package/dist/oauth/commands.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"commands.d.ts","sourceRoot":"","sources":["../../src/oauth/commands.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAaH,OAAO,EAAgB,KAAK,eAAe,EAAwB,MAAM,WAAW,CAAC;AAWrF,OAAO,KAAK,EAAE,aAAa,EAAiB,MAAM,eAAe,CAAC;AAKlE,MAAM,MAAM,YAAY,GAAG,QAAQ,GAAG,QAAQ,CAAC;AAE/C,MAAM,WAAW,eAAe;IAC9B,sEAAsE;IACtE,UAAU,EAAE,MAAM,CAAC;IACnB,iEAAiE;IACjE,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,sEAAsE;IACtE,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,uDAAuD;IACvD,UAAU,CAAC,EAAE,eAAe,CAAC;IAC7B,qCAAqC;IACrC,aAAa,CAAC,EAAE;QAAE,QAAQ,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,OAAO,UAAU,CAAC,KAAK,CAAA;KAAE,CAAC;IACvE,qCAAqC;IACrC,aAAa,CAAC,EAAE;QACd,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB,KAAK,CAAC,EAAE,OAAO,UAAU,CAAC,KAAK,CAAC;KACjC,CAAC;CACH;AAED,MAAM,WAAW,cAAc;IAC7B,QAAQ,EAAE,YAAY,CAAC;IACvB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,kBAAkB;IACjC,6EAA6E;IAC7E,QAAQ,CAAC,EAAE,YAAY,CAAC;IACxB,iEAAiE;IACjE,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,sEAAsE;IACtE,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,uDAAuD;IACvD,UAAU,CAAC,EAAE,eAAe,CAAC;IAC7B,qCAAqC;IACrC,aAAa,CAAC,EAAE;QAAE,QAAQ,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,OAAO,UAAU,CAAC,KAAK,CAAA;KAAE,CAAC;IACvE,qCAAqC;IACrC,aAAa,CAAC,EAAE;QACd,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB,KAAK,CAAC,EAAE,OAAO,UAAU,CAAC,KAAK,CAAC;KACjC,CAAC;IACF,oEAAoE;IACpE,YAAY,CAAC,EAAE,OAAO,CAAC;CACxB;AAED,MAAM,WAAW,iBAAiB;IAChC,QAAQ,EAAE,YAAY,CAAC;IACvB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,4CAA4C;IAC5C,cAAc,EAAE,OAAO,CAAC;CACzB;AAED,MAAM,WAAW,cAAc;IAC7B,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;CACpB;AAMD;;GAEG;AACH,wBAAgB,eAAe,CAAC,IAAI,EAAE,MAAM,GAAG,IAAI,IAAI,YAAY,CAElE;AAED;;GAEG;AACH,wBAAgB,eAAe,CAC7B,IAAI,EAAE,YAAY,EAClB,OAAO,CAAC,EAAE,eAAe,GAAG,kBAAkB,GAC7C,aAAa,CAWf;AAID;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAsB,QAAQ,CAC5B,YAAY,EAAE,YAAY,EAC1B,OAAO,EAAE,eAAe,GACvB,OAAO,CAAC,cAAc,CAAC,CAsDzB;AAID;;;;;;;;;;;;;GAaG;AACH,wBAAsB,eAAe,CACnC,OAAO,GAAE,kBAAuB,GAC/B,OAAO,CAAC,iBAAiB,CAAC,CAsG5B;AAiED;;;;GAIG;AACH,wBAAsB,mBAAmB,CACvC,SAAS,CAAC,EAAE,MAAM,GACjB,OAAO,CAAC,cAAc,EAAE,CAAC,CAmB3B;AAID,MAAM,WAAW,YAAY;IAC3B,QAAQ,EAAE,MAAM,CAAC;IACjB,+EAA+E;IAC/E,eAAe,EAAE,OAAO,CAAC;CAC1B;AAED;;;;;;;;;GASG;AACH,wBAAsB,cAAc,CAClC,YAAY,EAAE,MAAM,EACpB,SAAS,CAAC,EAAE,MAAM,GACjB,OAAO,CAAC,YAAY,CAAC,CA0CvB;AAID;;;;GAIG;AACH,qBAAa,sBAAuB,SAAQ,KAAK;IAC/C,QAAQ,CAAC,SAAS,EAAE,cAAc,EAAE,CAAC;gBAEzB,SAAS,EAAE,cAAc,EAAE;CASxC"}