wotann 0.5.0 → 0.5.39

package/dist/security/bash-arity-policy.js

@@ -0,0 +1,189 @@
+/**
+ * bash-arity-policy — Declarative per-command argument-count gate.
+ *
+ * Port of the `bash_arity` pattern from Hmbown/DeepSeek-TUI's
+ * crates/execpolicy: each known-dangerous command declares its expected
+ * argument count, and the gate refuses anything outside that range.
+ * The motivation:
+ *
+ *   - `rm /tmp/file.txt` is fine; `rm -rf / *` (250+ args expanded
+ *     by globbing) is almost certainly an accident or attack.
+ *   - `dd if=foo of=bar` needs both flag-args; bare `dd > /dev/sda` has
+ *     wildly different semantics and shouldn't pass the same gate.
+ *   - `chmod` with 0 path args is a syntax error AND a fingerprint of a
+ *     copy-paste attack.
+ *
+ * This file is layered ON TOP of `command-sanitizer.ts` (which blocks
+ * shape-based bypasses) and `executor.ts` (which sandboxes the actual
+ * shell). A command that passes command-sanitizer can still be rejected
+ * here if the arity is suspicious for the leading binary.
+ *
+ * Quality bars:
+ *   - QB#1 immutable: rules + verdicts are readonly
+ *   - QB#3 honest stub: returns a verdict union; never throws
+ *   - QB#7 stateless: pure functions, no module-level mutation
+ *   - QB#11 sibling-site: composes with command-sanitizer; does not
+ *     duplicate its pattern-matching layer
+ *
+ * Source: https://github.com/Hmbown/DeepSeek-TUI/tree/main/crates/execpolicy/src
+ */
+// ── Default rules (verified against frontier-model attack corpora) ───
+/**
+ * Conservative defaults: only the most commonly weaponized commands
+ * are listed, so the gate doesn't get in the way of normal shell work.
+ * Add more rules per-deployment via `evaluateArity(..., {extraRules})`.
+ */
+export const DEFAULT_ARITY_RULES = Object.freeze([
+    Object.freeze({
+        command: "rm",
+        minArgs: 1,
+        maxArgs: 5,
+        hardBlock: false,
+        reason: "rm with >5 path arguments is unusual; usually a glob expansion accident",
+    }),
+    Object.freeze({
+        command: "dd",
+        minArgs: 1,
+        maxArgs: Infinity,
+        hardBlock: true,
+        reason: "dd with zero arguments writes to/from stdio with potentially destructive defaults",
+    }),
+    Object.freeze({
+        command: "chmod",
+        minArgs: 2,
+        maxArgs: Infinity,
+        hardBlock: true,
+        reason: "chmod requires at least mode + 1 path",
+    }),
+    Object.freeze({
+        command: "chown",
+        minArgs: 2,
+        maxArgs: Infinity,
+        hardBlock: true,
+        reason: "chown requires owner + 1 path",
+    }),
+    Object.freeze({
+        command: "mv",
+        minArgs: 2,
+        maxArgs: 50,
+        hardBlock: false,
+        reason: "mv with >50 args is unusual",
+    }),
+    Object.freeze({
+        command: "cp",
+        minArgs: 2,
+        maxArgs: 50,
+        hardBlock: false,
+        reason: "cp with >50 args is unusual",
+    }),
+    Object.freeze({
+        command: "kill",
+        minArgs: 1,
+        maxArgs: 10,
+        hardBlock: false,
+        reason: "kill with >10 PIDs is unusual; verify intent",
+    }),
+    Object.freeze({
+        command: "killall",
+        minArgs: 1,
+        maxArgs: 5,
+        hardBlock: false,
+        reason: "killall with >5 names is unusual",
+    }),
+]);
+// ── Helpers ──────────────────────────────────────────────────────────
+/**
+ * Strip leading `sudo` / `env VAR=val` / `nice` / `ionice` so the
+ * actual command is the one analyzed. Conservative: only known
+ * wrappers are stripped — anything unfamiliar is treated as the leading
+ * command itself.
+ */
+function stripWrappers(tokens) {
+    const wrappers = new Set(["sudo", "nice", "ionice", "doas"]);
+    let i = 0;
+    while (i < tokens.length) {
+        const t = tokens[i];
+        if (t === undefined)
+            break;
+        if (wrappers.has(t)) {
+            i += 1;
+            continue;
+        }
+        // `env KEY=val ...` — skip env + any KEY=VAL tokens
+        if (t === "env") {
+            i += 1;
+            while (i < tokens.length && /^[A-Z_][A-Z0-9_]*=/i.test(tokens[i] ?? "")) {
+                i += 1;
+            }
+            continue;
+        }
+        break;
+    }
+    return tokens.slice(i);
+}
+/**
+ * Tokens minus flags (`-x`, `--long-option`). Used for arity counting
+ * — a glob like `rm -rf foo bar baz` has 3 non-flag args, not 4.
+ */
+function nonFlagArgs(tokens) {
+    return tokens.filter((t) => !t.startsWith("-"));
+}
+// ── Public API ───────────────────────────────────────────────────────
+/**
+ * Evaluate a tokenized command against the arity rules.
+ * Pure: no I/O, no env reads, no mutation.
+ */
+export function evaluateArity(tokens, options = {}) {
+    if (tokens.length === 0) {
+        return { severity: "blocked", reason: "empty command", command: "", observedArgs: 0 };
+    }
+    const stripped = stripWrappers(tokens);
+    const command = stripped[0];
+    if (command === undefined || command === "") {
+        return {
+            severity: "blocked",
+            reason: "no command after wrapper strip",
+            command: "",
+            observedArgs: 0,
+        };
+    }
+    const rules = options.extraRules
+        ? [...DEFAULT_ARITY_RULES, ...options.extraRules]
+        : DEFAULT_ARITY_RULES;
+    const rule = rules.find((r) => r.command === command);
+    const argTokens = stripped.slice(1);
+    const observedArgs = nonFlagArgs(argTokens).length;
+    if (!rule) {
+        return { severity: "ok", command, observedArgs };
+    }
+    if (observedArgs < rule.minArgs) {
+        return {
+            severity: "blocked",
+            reason: `${command} requires at least ${rule.minArgs} arguments — ${rule.reason}`,
+            command,
+            observedArgs,
+        };
+    }
+    if (observedArgs > rule.maxArgs) {
+        return {
+            severity: rule.hardBlock ? "blocked" : "suspicious",
+            reason: rule.reason,
+            command,
+            observedArgs,
+        };
+    }
+    return { severity: "ok", command, observedArgs };
+}
+/**
+ * Convenience for command strings — splits on whitespace WITHOUT shell
+ * parsing. For shell-aware tokenization, parse with `shell-quote` first
+ * and pass tokens to `evaluateArity` directly.
+ */
+export function evaluateAritySimple(commandLine) {
+    const tokens = commandLine
+        .trim()
+        .split(/\s+/)
+        .filter((s) => s.length > 0);
+    return evaluateArity(tokens);
+}
+//# sourceMappingURL=bash-arity-policy.js.map

package/dist/security/bash-arity-policy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"bash-arity-policy.js","sourceRoot":"","sources":["../../src/security/bash-arity-policy.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AA4BH,wEAAwE;AAExE;;;;GAIG;AACH,MAAM,CAAC,MAAM,mBAAmB,GAAyB,MAAM,CAAC,MAAM,CAAC;IACrE,MAAM,CAAC,MAAM,CAAC;QACZ,OAAO,EAAE,IAAI;QACb,OAAO,EAAE,CAAC;QACV,OAAO,EAAE,CAAC;QACV,SAAS,EAAE,KAAK;QAChB,MAAM,EAAE,yEAAyE;KAClF,CAAC;IACF,MAAM,CAAC,MAAM,CAAC;QACZ,OAAO,EAAE,IAAI;QACb,OAAO,EAAE,CAAC;QACV,OAAO,EAAE,QAAQ;QACjB,SAAS,EAAE,IAAI;QACf,MAAM,EAAE,mFAAmF;KAC5F,CAAC;IACF,MAAM,CAAC,MAAM,CAAC;QACZ,OAAO,EAAE,OAAO;QAChB,OAAO,EAAE,CAAC;QACV,OAAO,EAAE,QAAQ;QACjB,SAAS,EAAE,IAAI;QACf,MAAM,EAAE,uCAAuC;KAChD,CAAC;IACF,MAAM,CAAC,MAAM,CAAC;QACZ,OAAO,EAAE,OAAO;QAChB,OAAO,EAAE,CAAC;QACV,OAAO,EAAE,QAAQ;QACjB,SAAS,EAAE,IAAI;QACf,MAAM,EAAE,+BAA+B;KACxC,CAAC;IACF,MAAM,CAAC,MAAM,CAAC;QACZ,OAAO,EAAE,IAAI;QACb,OAAO,EAAE,CAAC;QACV,OAAO,EAAE,EAAE;QACX,SAAS,EAAE,KAAK;QAChB,MAAM,EAAE,6BAA6B;KACtC,CAAC;IACF,MAAM,CAAC,MAAM,CAAC;QACZ,OAAO,EAAE,IAAI;QACb,OAAO,EAAE,CAAC;QACV,OAAO,EAAE,EAAE;QACX,SAAS,EAAE,KAAK;QAChB,MAAM,EAAE,6BAA6B;KACtC,CAAC;IACF,MAAM,CAAC,MAAM,CAAC;QACZ,OAAO,EAAE,MAAM;QACf,OAAO,EAAE,CAAC;QACV,OAAO,EAAE,EAAE;QACX,SAAS,EAAE,KAAK;QAChB,MAAM,EAAE,8CAA8C;KACvD,CAAC;IACF,MAAM,CAAC,MAAM,CAAC;QACZ,OAAO,EAAE,SAAS;QAClB,OAAO,EAAE,CAAC;QACV,OAAO,EAAE,CAAC;QACV,SAAS,EAAE,KAAK;QAChB,MAAM,EAAE,kCAAkC;KAC3C,CAAC;CACH,CAAC,CAAC;AAEH,wEAAwE;AAExE;;;;;GAKG;AACH,SAAS,aAAa,CAAC,MAAyB;IAC9C,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC,CAAC;IAC7D,IAAI,CAAC,GAAG,CAAC,CAAC;IACV,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC;QACzB,MAAM,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;QACpB,IAAI,CAAC,KAAK,SAAS;YAAE,MAAM;QAC3B,IAAI,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;YACpB,CAAC,IAAI,CAAC,CAAC;YACP,SAAS;QACX,CAAC;QACD,oDAAoD;QACpD,IAAI,CAAC,KAAK,KAAK,EAAE,CAAC;YAChB,CAAC,IAAI,CAAC,CAAC;YACP,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,IAAI,qBAAqB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,EAAE,CAAC;gBACxE,CAAC,IAAI,CAAC,CAAC;YACT,CAAC;YACD,SAAS;QACX,CAAC;QACD,MAAM;IACR,CAAC;IACD,OAAO,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;AACzB,CAAC;AAED;;;GAGG;AACH,SAAS,WAAW,CAAC,MAAyB;IAC5C,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC;AAClD,CAAC;AAED,wEAAwE;AAExE;;;GAGG;AACH,MAAM,UAAU,aAAa,CAC3B,MAAyB,EACzB,UAA0D,EAAE;IAE5D,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACxB,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,EAAE,eAAe,EAAE,OAAO,EAAE,EAAE,EAAE,YAAY,EAAE,CAAC,EAAE,CAAC;IACxF,CAAC;IAED,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IACvC,MAAM,OAAO,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC;IAC5B,IAAI,OAAO,KAAK,SAAS,IAAI,OAAO,KAAK,EAAE,EAAE,CAAC;QAC5C,OAAO;YACL,QAAQ,EAAE,SAAS;YACnB,MAAM,EAAE,gCAAgC;YACxC,OAAO,EAAE,EAAE;YACX,YAAY,EAAE,CAAC;SAChB,CAAC;IACJ,CAAC;IAED,MAAM,KAAK,GAAG,OAAO,CAAC,UAAU;QAC9B,CAAC,CAAC,CAAC,GAAG,mBAAmB,EAAE,GAAG,OAAO,CAAC,UAAU,CAAC;QACjD,CAAC,CAAC,mBAAmB,CAAC;IAExB,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,KAAK,OAAO,CAAC,CAAC;IACtD,MAAM,SAAS,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IACpC,MAAM,YAAY,GAAG,WAAW,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC;IAEnD,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,OAAO,EAAE,YAAY,EAAE,CAAC;IACnD,CAAC;IAED,IAAI,YAAY,GAAG,IAAI,CAAC,OAAO,EAAE,CAAC;QAChC,OAAO;YACL,QAAQ,EAAE,SAAS;YACnB,MAAM,EAAE,GAAG,OAAO,sBAAsB,IAAI,CAAC,OAAO,gBAAgB,IAAI,CAAC,MAAM,EAAE;YACjF,OAAO;YACP,YAAY;SACb,CAAC;IACJ,CAAC;IAED,IAAI,YAAY,GAAG,IAAI,CAAC,OAAO,EAAE,CAAC;QAChC,OAAO;YACL,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,YAAY;YACnD,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,OAAO;YACP,YAAY;SACb,CAAC;IACJ,CAAC;IAED,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,OAAO,EAAE,YAAY,EAAE,CAAC;AACnD,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,mBAAmB,CAAC,WAAmB;IACrD,MAAM,MAAM,GAAG,WAAW;SACvB,IAAI,EAAE;SACN,KAAK,CAAC,KAAK,CAAC;SACZ,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IAC/B,OAAO,aAAa,CAAC,MAAM,CAAC,CAAC;AAC/B,CAAC"}

package/dist/security/command-sanitizer.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"command-sanitizer.d.ts","sourceRoot":"","sources":["../../src/security/command-sanitizer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AAOH,MAAM,MAAM,eAAe,GAAG,MAAM,GAAG,MAAM,GAAG,QAAQ,CAAC;AAEzD,MAAM,WAAW,cAAc;IAC7B,QAAQ,CAAC,IAAI,EAAE,OAAO,CAAC;IACvB,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,QAAQ,EAAE,eAAe,CAAC;CACpC;AAED,MAAM,WAAW,gBAAgB;IAC/B;;;;;OAKG;IACH,QAAQ,CAAC,eAAe,CAAC,EAAE,OAAO,CAAC;CACpC;AAID,UAAU,cAAc;IACtB,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;CACzB;AAkFD,UAAU,iBAAiB;IACzB,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;CACzB;AAoBD,UAAU,WAAW;IACnB,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;CACzB;AAsOD;;;;;;;;;;;;;GAaG;AACH,wBAAgB,eAAe,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,GAAE,gBAAqB,GAAG,cAAc,CAwG3F;AAED;;;GAGG;AACH,wBAAgB,aAAa,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,GAAE,gBAAqB,GAAG,OAAO,CAElF;AAED;;;GAGG;AACH,eAAO,MAAM,cAAc;;;;;;CAMjB,CAAC"}
+{"version":3,"file":"command-sanitizer.d.ts","sourceRoot":"","sources":["../../src/security/command-sanitizer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AAQH,MAAM,MAAM,eAAe,GAAG,MAAM,GAAG,MAAM,GAAG,QAAQ,CAAC;AAEzD,MAAM,WAAW,cAAc;IAC7B,QAAQ,CAAC,IAAI,EAAE,OAAO,CAAC;IACvB,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,QAAQ,EAAE,eAAe,CAAC;CACpC;AAED,MAAM,WAAW,gBAAgB;IAC/B;;;;;OAKG;IACH,QAAQ,CAAC,eAAe,CAAC,EAAE,OAAO,CAAC;CACpC;AAID,UAAU,cAAc;IACtB,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;CACzB;AAkFD,UAAU,iBAAiB;IACzB,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;CACzB;AAoBD,UAAU,WAAW;IACnB,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;CACzB;AAsOD;;;;;;;;;;;;;GAaG;AACH,wBAAgB,eAAe,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,GAAE,gBAAqB,GAAG,cAAc,CAgI3F;AAED;;;GAGG;AACH,wBAAgB,aAAa,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,GAAE,gBAAqB,GAAG,OAAO,CAElF;AAED;;;GAGG;AACH,eAAO,MAAM,cAAc;;;;;;CAMjB,CAAC"}

package/dist/security/command-sanitizer.js

@@ -33,6 +33,7 @@
  */
 import { parse as parseShell } from "shell-quote";
 import { canonicalizePathForCheck } from "../utils/path-realpath.js";
+import { evaluateArity } from "./bash-arity-policy.js";
 /**
  * Catastrophic patterns — always block, no override. These represent commands
  * that have no legitimate use from an AI agent frontend (rm -rf /, dd of raw
@@ -394,6 +395,29 @@ export function sanitizeCommand(cmd, options = {}) {
     if (tokenReject) {
         return { safe: false, severity: "danger", reason: tokenReject.reason };
     }
+    // 3.5 Bash-arity gate (port from DeepSeek-TUI bash_arity execpolicy).
+    //     Catches the "rm with 200 args from glob expansion" / "dd with no
+    //     args" / "chmod with mode-only" attack shapes that the substring
+    //     and parse layers don't detect. Only the leading binary's arity
+    //     is checked — full arg-validation is the executor's job.
+    const stringTokens = tokens.filter((t) => typeof t === "string");
+    if (stringTokens.length > 0) {
+        const arity = evaluateArity(stringTokens);
+        if (arity.severity === "blocked") {
+            return {
+                safe: false,
+                severity: "danger",
+                reason: `arity-gate: ${arity.reason ?? "command failed argument-count policy"}`,
+            };
+        }
+        if (arity.severity === "suspicious" && !options.allowPrivileged) {
+            return {
+                safe: false,
+                severity: "danger",
+                reason: `arity-gate (suspicious): ${arity.reason ?? "unusual argument count for " + arity.command}`,
+            };
+        }
+    }
     // 4. Legacy substring patterns — still run. The parse pass catches
     //    novel shapes; these catch the obvious ones (fork bombs, reverse
     //    shells, /etc/passwd writes) whose substring signatures are

package/dist/security/command-sanitizer.js.map

@@ -1 +1 @@
-{"version":3,"file":"command-sanitizer.js","sourceRoot":"","sources":["../../src/security/command-sanitizer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AAEH,OAAO,EAAE,KAAK,IAAI,UAAU,EAAE,MAAM,aAAa,CAAC;AAClD,OAAO,EAAE,wBAAwB,EAAE,MAAM,2BAA2B,CAAC;AA6BrE;;;;GAIG;AACH,MAAM,gBAAgB,GAA8B;IAClD,iCAAiC;IACjC;QACE,OAAO,EAAE,2DAA2D;QACpE,MAAM,EAAE,2BAA2B;KACpC;IACD;QACE,OAAO,EACL,gGAAgG;QAClG,MAAM,EAAE,gCAAgC;KACzC;IACD,EAAE,OAAO,EAAE,gDAAgD,EAAE,MAAM,EAAE,0BAA0B,EAAE;IACjG,EAAE,OAAO,EAAE,yDAAyD,EAAE,MAAM,EAAE,iBAAiB,EAAE;IACjG;QACE,OAAO,EAAE,uDAAuD;QAChE,MAAM,EAAE,uBAAuB;KAChC;IAED,iCAAiC;IACjC;QACE,OAAO,EAAE,oEAAoE;QAC7E,MAAM,EAAE,wCAAwC;KACjD;IACD;QACE,OAAO,EAAE,2DAA2D;QACpE,MAAM,EAAE,gCAAgC;KACzC;IAED,oDAAoD;IACpD,EAAE,OAAO,EAAE,gDAAgD,EAAE,MAAM,EAAE,gBAAgB,EAAE;IACvF,EAAE,OAAO,EAAE,2CAA2C,EAAE,MAAM,EAAE,mBAAmB,EAAE;IAErF,wDAAwD;IACxD;QACE,OAAO,EACL,wFAAwF;QAC1F,MAAM,EAAE,4BAA4B;KACrC;IACD;QACE,OAAO,EAAE,iFAAiF;QAC1F,MAAM,EAAE,iCAAiC;KAC1C;IAED,mDAAmD;IACnD,EAAE,OAAO,EAAE,uBAAuB,EAAE,MAAM,EAAE,sBAAsB,EAAE;IACpE,EAAE,OAAO,EAAE,uBAAuB,EAAE,MAAM,EAAE,sBAAsB,EAAE;IACpE,EAAE,OAAO,EAAE,kCAAkC,EAAE,MAAM,EAAE,uBAAuB,EAAE;IAChF,EAAE,OAAO,EAAE,sBAAsB,EAAE,MAAM,EAAE,qBAAqB,EAAE;IAElE,uDAAuD;IACvD;QACE,OAAO,EAAE,wEAAwE;QACjF,MAAM,EAAE,+BAA+B;KACxC;IAED,0CAA0C;IAC1C;QACE,OAAO,EAAE,8DAA8D;QACvE,MAAM,EAAE,0BAA0B;KACnC;IACD,EAAE,OAAO,EAAE,kCAAkC,EAAE,MAAM,EAAE,oBAAoB,EAAE;IAE7E,qCAAqC;IACrC;QACE,OAAO,EAAE,2EAA2E;QACpF,MAAM,EAAE,gCAAgC;KACzC;IAED,oBAAoB;IACpB,EAAE,OAAO,EAAE,qBAAqB,EAAE,MAAM,EAAE,yBAAyB,EAAE;IACrE,EAAE,OAAO,EAAE,+BAA+B,EAAE,MAAM,EAAE,iBAAiB,EAAE;CACxE,CAAC;AASF,MAAM,mBAAmB,GAAiC;IACxD,EAAE,OAAO,EAAE,UAAU,EAAE,MAAM,EAAE,kCAAkC,EAAE;IACnE,EAAE,OAAO,EAAE,mBAAmB,EAAE,MAAM,EAAE,uCAAuC,EAAE;IACjF,EAAE,OAAO,EAAE,WAAW,EAAE,MAAM,EAAE,mCAAmC,EAAE;IACrE,EAAE,OAAO,EAAE,iBAAiB,EAAE,MAAM,EAAE,kCAAkC,EAAE;IAC1E,EAAE,OAAO,EAAE,oBAAoB,EAAE,MAAM,EAAE,8CAA8C,EAAE;IACzF;QACE,OAAO,EAAE,gDAAgD;QACzD,MAAM,EAAE,4CAA4C;KACrD;IACD;QACE,OAAO,EAAE,2BAA2B;QACpC,MAAM,EAAE,iDAAiD;KAC1D;CACF,CAAC;AASF,MAAM,aAAa,GAA2B;IAC5C,EAAE,OAAO,EAAE,0CAA0C,EAAE,MAAM,EAAE,yBAAyB,EAAE;IAC1F;QACE,OAAO,EAAE,sEAAsE;QAC/E,MAAM,EAAE,2BAA2B;KACpC;IACD,EAAE,OAAO,EAAE,uCAAuC,EAAE,MAAM,EAAE,qBAAqB,EAAE;IACnF,EAAE,OAAO,EAAE,uBAAuB,EAAE,MAAM,EAAE,cAAc,EAAE;IAC5D;QACE,OAAO,EAAE,mDAAmD;QAC5D,MAAM,EAAE,+BAA+B;KACxC;CACF,CAAC;AAEF,gEAAgE;AAChE,EAAE;AACF,gEAAgE;AAChE,yEAAyE;AACzE,oEAAoE;AACpE,mEAAmE;AACnE,0CAA0C;AAC1C,MAAM,gBAAgB,GAAwB,IAAI,GAAG,CAAC;AACpD,wEAAwE;AACxE,kEAAkE;AAClE,uDAAuD;CACxD,CAAC,CAAC;AAEH,uEAAuE;AACvE,yEAAyE;AACzE,sEAAsE;AACtE,yBAAyB;AACzB,MAAM,gBAAgB,GAAwB,IAAI,GAAG,CAAC;IACpD,IAAI;IACJ,MAAM;IACN,KAAK;IACL,KAAK;IACL,MAAM;IACN,MAAM;IACN,KAAK;IACL,MAAM;CACP,CAAC,CAAC;AAQH;;;;;;;;;GASG;AACH;;;;;;;;;;;;;GAaG;AACH,SAAS,uBAAuB,CAAC,GAAW;IAC1C,MAAM,UAAU,GACd,gFAAgF,CAAC;IACnF,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IACvC,IAAI,gCAAgC,CAAC,IAAI,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAC5D,MAAM,KAAK,GAAG,wDAAwD,CAAC;IACvE,MAAM,CAAC,GAAG,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC1B,IAAI,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC;IACpB,MAAM,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;IAClD,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACpC,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,wBAAwB,CAAC,GAAW;IAC3C,yDAAyD;IACzD,IAAI,mBAAmB,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QAClC,OAAO,EAAE,MAAM,EAAE,2CAA2C,EAAE,CAAC;IACjE,CAAC;IAED,qDAAqD;IACrD,oEAAoE;IACpE,mEAAmE;IACnE,uDAAuD;IACvD,IAAI,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QACpB,OAAO,EAAE,MAAM,EAAE,qCAAqC,EAAE,CAAC;IAC3D,CAAC;IAED,sEAAsE;IACtE,qEAAqE;IACrE,mEAAmE;IACnE,kEAAkE;IAClE,IAAI,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QACvD,OAAO,EAAE,MAAM,EAAE,6CAA6C,EAAE,CAAC;IACnE,CAAC;IAED,kEAAkE;IAClE,kEAAkE;IAClE,gEAAgE;IAChE,iDAAiD;IACjD,EAAE;IACF,mEAAmE;IACnE,8DAA8D;IAC9D,6DAA6D;IAC7D,IAAI,qBAAqB,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QACpC,OAAO,EAAE,MAAM,EAAE,4BAA4B,EAAE,CAAC;IAClD,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAkBD,SAAS,IAAI,CAAC,KAAiB;IAC7B,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,IAAI,IAAI,IAAI,KAAK,CAAC;AACtE,CAAC;AAED,SAAS,aAAa,CAAC,MAA6B;IAClD,iEAAiE;IACjE,8DAA8D;IAC9D,wCAAwC;IACxC,MAAM,gBAAgB,GAAwB,IAAI,GAAG,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC;IAE9E,KAAK,MAAM,CAAC,IAAI,MAAM,EAAE,CAAC;QACvB,IAAI,IAAI,CAAC,CAAC,CAAC,IAAI,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC;YAC1C,OAAO,EAAE,MAAM,EAAE,uBAAuB,CAAC,CAAC,EAAE,iBAAiB,EAAE,CAAC;QAClE,CAAC;IACH,CAAC;IAED,kEAAkE;IAClE,8DAA8D;IAC9D,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QAC3C,MAAM,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;QACpB,MAAM,CAAC,GAAG,MAAM,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QACxB,IAAI,CAAC,KAAK,SAAS,IAAI,CAAC,KAAK,SAAS;YAAE,SAAS;QACjD,IAAI,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,EAAE,KAAK,GAAG,IAAI,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,EAAE,KAAK,GAAG,EAAE,CAAC;YACvD,OAAO,EAAE,MAAM,EAAE,4BAA4B,EAAE,CAAC;QAClD,CAAC;IACH,CAAC;IAED,mEAAmE;IACnE,kEAAkE;IAClE,qEAAqE;IACrE,0CAA0C;IAC1C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QAC3C,MAAM,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;QACpB,IAAI,CAAC,KAAK,SAAS;YAAE,SAAS;QAC9B,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,EAAE,KAAK,GAAG;YAAE,SAAS;QACvC,MAAM,IAAI,GAAG,MAAM,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QAC3B,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,gBAAgB,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3D,OAAO,EAAE,MAAM,EAAE,gCAAgC,IAAI,iBAAiB,EAAE,CAAC;QAC3E,CAAC;IACH,CAAC;IAED,qEAAqE;IACrE,qEAAqE;IACrE,yCAAyC;IACzC,MAAM,KAAK,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;IACxB,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,gBAAgB,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;QAC7D,OAAO,EAAE,MAAM,EAAE,sBAAsB,KAAK,EAAE,EAAE,CAAC;IACnD,CAAC;IAED,oEAAoE;IACpE,sEAAsE;IACtE,iEAAiE;IACjE,4DAA4D;IAC5D,iEAAiE;IACjE,6CAA6C;IAC7C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QAC3C,MAAM,EAAE,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;QACrB,IAAI,EAAE,KAAK,SAAS,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YAAE,SAAS;QAC5C,IAAI,EAAE,CAAC,EAAE,KAAK,GAAG,IAAI,EAAE,CAAC,EAAE,KAAK,IAAI;YAAE,SAAS;QAC9C,MAAM,MAAM,GAAG,MAAM,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QAC7B,IAAI,OAAO,MAAM,KAAK,QAAQ;YAAE,SAAS;QACzC,IAAI,SAAS,GAAG,MAAM,CAAC;QACvB,IAAI,CAAC;YACH,SAAS,GAAG,wBAAwB,CAAC,MAAM,CAAC,CAAC;QAC/C,CAAC;QAAC,MAAM,CAAC;YACP,yDAAyD;YACzD,0DAA0D;YAC1D,8BAA8B;YAC9B,OAAO,EAAE,MAAM,EAAE,iCAAiC,MAAM,EAAE,EAAE,CAAC;QAC/D,CAAC;QACD,IAAI,mBAAmB,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;YACxC,OAAO;gBACL,MAAM,EAAE,sCAAsC,MAAM,OAAO,SAAS,EAAE;aACvE,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED,sEAAsE;AACtE,qEAAqE;AACrE,qEAAqE;AACrE,uEAAuE;AACvE,YAAY;AACZ,MAAM,mBAAmB,GACvB,2LAA2L,CAAC;AAE9L,8DAA8D;AAE9D;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,eAAe,CAAC,GAAW,EAAE,UAA4B,EAAE;IACzE,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QAC5B,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,EAAE,0BAA0B,EAAE,CAAC;IACjF,CAAC;IAED,MAAM,OAAO,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC;IAC3B,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzB,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC;IACtE,CAAC;IAED,wFAAwF;IACxF,IAAI,OAAO,CAAC,MAAM,GAAG,KAAK,EAAE,CAAC;QAC3B,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,EAAE,sBAAsB,EAAE,CAAC;IAC7E,CAAC;IAED,gEAAgE;IAChE,gEAAgE;IAChE,KAAK;IACL,0BAA0B;IAC1B,mEAAmE;IACnE,8DAA8D;IAC9D,4DAA4D;IAC5D,6DAA6D;IAC7D,gEAAgE;IAChE,4DAA4D;IAC5D,qCAAqC;IACrC,MAAM,SAAS,GAAG,uBAAuB,CAAC,OAAO,CAAC,CAAC;IACnD,IAAI,SAAS,KAAK,IAAI,IAAI,SAAS,KAAK,OAAO,EAAE,CAAC;QAChD,MAAM,YAAY,GAAG,eAAe,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;QACzD,IAAI,CAAC,YAAY,CAAC,IAAI,EAAE,CAAC;YACvB,OAAO;gBACL,IAAI,EAAE,KAAK;gBACX,QAAQ,EAAE,YAAY,CAAC,QAAQ;gBAC/B,MAAM,EAAE,uBAAuB,YAAY,CAAC,MAAM,EAAE;aACrD,CAAC;QACJ,CAAC;QACD,+DAA+D;QAC/D,6DAA6D;QAC7D,OAAO,YAAY,CAAC,QAAQ,KAAK,MAAM;YACrC,CAAC,CAAC;gBACE,IAAI,EAAE,IAAI;gBACV,QAAQ,EAAE,MAAM;gBAChB,MAAM,EAAE,mDAAmD;aAC5D;YACH,CAAC,CAAC,YAAY,CAAC;IACnB,CAAC;IAED,8DAA8D;IAC9D,sEAAsE;IACtE,qCAAqC;IACrC,MAAM,aAAa,GAAG,wBAAwB,CAAC,OAAO,CAAC,CAAC;IACxD,IAAI,aAAa,EAAE,CAAC;QAClB,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,EAAE,aAAa,CAAC,MAAM,EAAE,CAAC;IAC3E,CAAC;IAED,qEAAqE;IACrE,iEAAiE;IACjE,IAAI,MAA6B,CAAC;IAClC,IAAI,CAAC;QACH,MAAM,GAAG,UAAU,CAAC,OAAO,CAA0B,CAAC;IACxD,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO;YACL,IAAI,EAAE,KAAK;YACX,QAAQ,EAAE,QAAQ;YAClB,MAAM,EAAE,wBAAyB,GAAa,CAAC,OAAO,EAAE;SACzD,CAAC;IACJ,CAAC;IAED,6DAA6D;IAC7D,2DAA2D;IAC3D,MAAM,WAAW,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IAC1C,IAAI,WAAW,EAAE,CAAC;QAChB,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,CAAC,MAAM,EAAE,CAAC;IACzE,CAAC;IAED,mEAAmE;IACnE,qEAAqE;IACrE,gEAAgE;IAChE,qEAAqE;IACrE,KAAK,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,IAAI,gBAAgB,EAAE,CAAC;QACnD,IAAI,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YAC1B,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC;QACrD,CAAC;IACH,CAAC;IAED,wDAAwD;IACxD,KAAK,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,IAAI,mBAAmB,EAAE,CAAC;QACtD,IAAI,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YAC1B,IAAI,OAAO,CAAC,eAAe,EAAE,CAAC;gBAC5B,4BAA4B;gBAC5B,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,gBAAgB,MAAM,EAAE,EAAE,CAAC;YAC5E,CAAC;YACD,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC;QACrD,CAAC;IACH,CAAC;IAED,gDAAgD;IAChD,KAAK,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,IAAI,aAAa,EAAE,CAAC;QAChD,IAAI,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YAC1B,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC;QAClD,CAAC;IACH,CAAC;IAED,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC;AAC1C,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,aAAa,CAAC,GAAW,EAAE,UAA4B,EAAE;IACvE,OAAO,eAAe,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC,IAAI,CAAC;AAC5C,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,MAAM,cAAc,GAAG;IAC5B,OAAO,EAAE,gBAAgB;IACzB,UAAU,EAAE,mBAAmB;IAC/B,IAAI,EAAE,aAAa;IACnB,eAAe,EAAE,gBAAgB;IACjC,cAAc,EAAE,gBAAgB;CACxB,CAAC"}
+{"version":3,"file":"command-sanitizer.js","sourceRoot":"","sources":["../../src/security/command-sanitizer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AAEH,OAAO,EAAE,KAAK,IAAI,UAAU,EAAE,MAAM,aAAa,CAAC;AAClD,OAAO,EAAE,wBAAwB,EAAE,MAAM,2BAA2B,CAAC;AACrE,OAAO,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AA6BvD;;;;GAIG;AACH,MAAM,gBAAgB,GAA8B;IAClD,iCAAiC;IACjC;QACE,OAAO,EAAE,2DAA2D;QACpE,MAAM,EAAE,2BAA2B;KACpC;IACD;QACE,OAAO,EACL,gGAAgG;QAClG,MAAM,EAAE,gCAAgC;KACzC;IACD,EAAE,OAAO,EAAE,gDAAgD,EAAE,MAAM,EAAE,0BAA0B,EAAE;IACjG,EAAE,OAAO,EAAE,yDAAyD,EAAE,MAAM,EAAE,iBAAiB,EAAE;IACjG;QACE,OAAO,EAAE,uDAAuD;QAChE,MAAM,EAAE,uBAAuB;KAChC;IAED,iCAAiC;IACjC;QACE,OAAO,EAAE,oEAAoE;QAC7E,MAAM,EAAE,wCAAwC;KACjD;IACD;QACE,OAAO,EAAE,2DAA2D;QACpE,MAAM,EAAE,gCAAgC;KACzC;IAED,oDAAoD;IACpD,EAAE,OAAO,EAAE,gDAAgD,EAAE,MAAM,EAAE,gBAAgB,EAAE;IACvF,EAAE,OAAO,EAAE,2CAA2C,EAAE,MAAM,EAAE,mBAAmB,EAAE;IAErF,wDAAwD;IACxD;QACE,OAAO,EACL,wFAAwF;QAC1F,MAAM,EAAE,4BAA4B;KACrC;IACD;QACE,OAAO,EAAE,iFAAiF;QAC1F,MAAM,EAAE,iCAAiC;KAC1C;IAED,mDAAmD;IACnD,EAAE,OAAO,EAAE,uBAAuB,EAAE,MAAM,EAAE,sBAAsB,EAAE;IACpE,EAAE,OAAO,EAAE,uBAAuB,EAAE,MAAM,EAAE,sBAAsB,EAAE;IACpE,EAAE,OAAO,EAAE,kCAAkC,EAAE,MAAM,EAAE,uBAAuB,EAAE;IAChF,EAAE,OAAO,EAAE,sBAAsB,EAAE,MAAM,EAAE,qBAAqB,EAAE;IAElE,uDAAuD;IACvD;QACE,OAAO,EAAE,wEAAwE;QACjF,MAAM,EAAE,+BAA+B;KACxC;IAED,0CAA0C;IAC1C;QACE,OAAO,EAAE,8DAA8D;QACvE,MAAM,EAAE,0BAA0B;KACnC;IACD,EAAE,OAAO,EAAE,kCAAkC,EAAE,MAAM,EAAE,oBAAoB,EAAE;IAE7E,qCAAqC;IACrC;QACE,OAAO,EAAE,2EAA2E;QACpF,MAAM,EAAE,gCAAgC;KACzC;IAED,oBAAoB;IACpB,EAAE,OAAO,EAAE,qBAAqB,EAAE,MAAM,EAAE,yBAAyB,EAAE;IACrE,EAAE,OAAO,EAAE,+BAA+B,EAAE,MAAM,EAAE,iBAAiB,EAAE;CACxE,CAAC;AASF,MAAM,mBAAmB,GAAiC;IACxD,EAAE,OAAO,EAAE,UAAU,EAAE,MAAM,EAAE,kCAAkC,EAAE;IACnE,EAAE,OAAO,EAAE,mBAAmB,EAAE,MAAM,EAAE,uCAAuC,EAAE;IACjF,EAAE,OAAO,EAAE,WAAW,EAAE,MAAM,EAAE,mCAAmC,EAAE;IACrE,EAAE,OAAO,EAAE,iBAAiB,EAAE,MAAM,EAAE,kCAAkC,EAAE;IAC1E,EAAE,OAAO,EAAE,oBAAoB,EAAE,MAAM,EAAE,8CAA8C,EAAE;IACzF;QACE,OAAO,EAAE,gDAAgD;QACzD,MAAM,EAAE,4CAA4C;KACrD;IACD;QACE,OAAO,EAAE,2BAA2B;QACpC,MAAM,EAAE,iDAAiD;KAC1D;CACF,CAAC;AASF,MAAM,aAAa,GAA2B;IAC5C,EAAE,OAAO,EAAE,0CAA0C,EAAE,MAAM,EAAE,yBAAyB,EAAE;IAC1F;QACE,OAAO,EAAE,sEAAsE;QAC/E,MAAM,EAAE,2BAA2B;KACpC;IACD,EAAE,OAAO,EAAE,uCAAuC,EAAE,MAAM,EAAE,qBAAqB,EAAE;IACnF,EAAE,OAAO,EAAE,uBAAuB,EAAE,MAAM,EAAE,cAAc,EAAE;IAC5D;QACE,OAAO,EAAE,mDAAmD;QAC5D,MAAM,EAAE,+BAA+B;KACxC;CACF,CAAC;AAEF,gEAAgE;AAChE,EAAE;AACF,gEAAgE;AAChE,yEAAyE;AACzE,oEAAoE;AACpE,mEAAmE;AACnE,0CAA0C;AAC1C,MAAM,gBAAgB,GAAwB,IAAI,GAAG,CAAC;AACpD,wEAAwE;AACxE,kEAAkE;AAClE,uDAAuD;CACxD,CAAC,CAAC;AAEH,uEAAuE;AACvE,yEAAyE;AACzE,sEAAsE;AACtE,yBAAyB;AACzB,MAAM,gBAAgB,GAAwB,IAAI,GAAG,CAAC;IACpD,IAAI;IACJ,MAAM;IACN,KAAK;IACL,KAAK;IACL,MAAM;IACN,MAAM;IACN,KAAK;IACL,MAAM;CACP,CAAC,CAAC;AAQH;;;;;;;;;GASG;AACH;;;;;;;;;;;;;GAaG;AACH,SAAS,uBAAuB,CAAC,GAAW;IAC1C,MAAM,UAAU,GACd,gFAAgF,CAAC;IACnF,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IACvC,IAAI,gCAAgC,CAAC,IAAI,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAC5D,MAAM,KAAK,GAAG,wDAAwD,CAAC;IACvE,MAAM,CAAC,GAAG,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC1B,IAAI,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC;IACpB,MAAM,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;IAClD,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACpC,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,wBAAwB,CAAC,GAAW;IAC3C,yDAAyD;IACzD,IAAI,mBAAmB,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QAClC,OAAO,EAAE,MAAM,EAAE,2CAA2C,EAAE,CAAC;IACjE,CAAC;IAED,qDAAqD;IACrD,oEAAoE;IACpE,mEAAmE;IACnE,uDAAuD;IACvD,IAAI,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QACpB,OAAO,EAAE,MAAM,EAAE,qCAAqC,EAAE,CAAC;IAC3D,CAAC;IAED,sEAAsE;IACtE,qEAAqE;IACrE,mEAAmE;IACnE,kEAAkE;IAClE,IAAI,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QACvD,OAAO,EAAE,MAAM,EAAE,6CAA6C,EAAE,CAAC;IACnE,CAAC;IAED,kEAAkE;IAClE,kEAAkE;IAClE,gEAAgE;IAChE,iDAAiD;IACjD,EAAE;IACF,mEAAmE;IACnE,8DAA8D;IAC9D,6DAA6D;IAC7D,IAAI,qBAAqB,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QACpC,OAAO,EAAE,MAAM,EAAE,4BAA4B,EAAE,CAAC;IAClD,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAkBD,SAAS,IAAI,CAAC,KAAiB;IAC7B,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,IAAI,IAAI,IAAI,KAAK,CAAC;AACtE,CAAC;AAED,SAAS,aAAa,CAAC,MAA6B;IAClD,iEAAiE;IACjE,8DAA8D;IAC9D,wCAAwC;IACxC,MAAM,gBAAgB,GAAwB,IAAI,GAAG,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC;IAE9E,KAAK,MAAM,CAAC,IAAI,MAAM,EAAE,CAAC;QACvB,IAAI,IAAI,CAAC,CAAC,CAAC,IAAI,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC;YAC1C,OAAO,EAAE,MAAM,EAAE,uBAAuB,CAAC,CAAC,EAAE,iBAAiB,EAAE,CAAC;QAClE,CAAC;IACH,CAAC;IAED,kEAAkE;IAClE,8DAA8D;IAC9D,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QAC3C,MAAM,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;QACpB,MAAM,CAAC,GAAG,MAAM,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QACxB,IAAI,CAAC,KAAK,SAAS,IAAI,CAAC,KAAK,SAAS;YAAE,SAAS;QACjD,IAAI,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,EAAE,KAAK,GAAG,IAAI,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,EAAE,KAAK,GAAG,EAAE,CAAC;YACvD,OAAO,EAAE,MAAM,EAAE,4BAA4B,EAAE,CAAC;QAClD,CAAC;IACH,CAAC;IAED,mEAAmE;IACnE,kEAAkE;IAClE,qEAAqE;IACrE,0CAA0C;IAC1C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QAC3C,MAAM,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;QACpB,IAAI,CAAC,KAAK,SAAS;YAAE,SAAS;QAC9B,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,EAAE,KAAK,GAAG;YAAE,SAAS;QACvC,MAAM,IAAI,GAAG,MAAM,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QAC3B,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,gBAAgB,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3D,OAAO,EAAE,MAAM,EAAE,gCAAgC,IAAI,iBAAiB,EAAE,CAAC;QAC3E,CAAC;IACH,CAAC;IAED,qEAAqE;IACrE,qEAAqE;IACrE,yCAAyC;IACzC,MAAM,KAAK,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;IACxB,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,gBAAgB,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;QAC7D,OAAO,EAAE,MAAM,EAAE,sBAAsB,KAAK,EAAE,EAAE,CAAC;IACnD,CAAC;IAED,oEAAoE;IACpE,sEAAsE;IACtE,iEAAiE;IACjE,4DAA4D;IAC5D,iEAAiE;IACjE,6CAA6C;IAC7C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QAC3C,MAAM,EAAE,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;QACrB,IAAI,EAAE,KAAK,SAAS,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YAAE,SAAS;QAC5C,IAAI,EAAE,CAAC,EAAE,KAAK,GAAG,IAAI,EAAE,CAAC,EAAE,KAAK,IAAI;YAAE,SAAS;QAC9C,MAAM,MAAM,GAAG,MAAM,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QAC7B,IAAI,OAAO,MAAM,KAAK,QAAQ;YAAE,SAAS;QACzC,IAAI,SAAS,GAAG,MAAM,CAAC;QACvB,IAAI,CAAC;YACH,SAAS,GAAG,wBAAwB,CAAC,MAAM,CAAC,CAAC;QAC/C,CAAC;QAAC,MAAM,CAAC;YACP,yDAAyD;YACzD,0DAA0D;YAC1D,8BAA8B;YAC9B,OAAO,EAAE,MAAM,EAAE,iCAAiC,MAAM,EAAE,EAAE,CAAC;QAC/D,CAAC;QACD,IAAI,mBAAmB,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;YACxC,OAAO;gBACL,MAAM,EAAE,sCAAsC,MAAM,OAAO,SAAS,EAAE;aACvE,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED,sEAAsE;AACtE,qEAAqE;AACrE,qEAAqE;AACrE,uEAAuE;AACvE,YAAY;AACZ,MAAM,mBAAmB,GACvB,2LAA2L,CAAC;AAE9L,8DAA8D;AAE9D;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,eAAe,CAAC,GAAW,EAAE,UAA4B,EAAE;IACzE,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QAC5B,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,EAAE,0BAA0B,EAAE,CAAC;IACjF,CAAC;IAED,MAAM,OAAO,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC;IAC3B,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzB,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC;IACtE,CAAC;IAED,wFAAwF;IACxF,IAAI,OAAO,CAAC,MAAM,GAAG,KAAK,EAAE,CAAC;QAC3B,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,EAAE,sBAAsB,EAAE,CAAC;IAC7E,CAAC;IAED,gEAAgE;IAChE,gEAAgE;IAChE,KAAK;IACL,0BAA0B;IAC1B,mEAAmE;IACnE,8DAA8D;IAC9D,4DAA4D;IAC5D,6DAA6D;IAC7D,gEAAgE;IAChE,4DAA4D;IAC5D,qCAAqC;IACrC,MAAM,SAAS,GAAG,uBAAuB,CAAC,OAAO,CAAC,CAAC;IACnD,IAAI,SAAS,KAAK,IAAI,IAAI,SAAS,KAAK,OAAO,EAAE,CAAC;QAChD,MAAM,YAAY,GAAG,eAAe,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;QACzD,IAAI,CAAC,YAAY,CAAC,IAAI,EAAE,CAAC;YACvB,OAAO;gBACL,IAAI,EAAE,KAAK;gBACX,QAAQ,EAAE,YAAY,CAAC,QAAQ;gBAC/B,MAAM,EAAE,uBAAuB,YAAY,CAAC,MAAM,EAAE;aACrD,CAAC;QACJ,CAAC;QACD,+DAA+D;QAC/D,6DAA6D;QAC7D,OAAO,YAAY,CAAC,QAAQ,KAAK,MAAM;YACrC,CAAC,CAAC;gBACE,IAAI,EAAE,IAAI;gBACV,QAAQ,EAAE,MAAM;gBAChB,MAAM,EAAE,mDAAmD;aAC5D;YACH,CAAC,CAAC,YAAY,CAAC;IACnB,CAAC;IAED,8DAA8D;IAC9D,sEAAsE;IACtE,qCAAqC;IACrC,MAAM,aAAa,GAAG,wBAAwB,CAAC,OAAO,CAAC,CAAC;IACxD,IAAI,aAAa,EAAE,CAAC;QAClB,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,EAAE,aAAa,CAAC,MAAM,EAAE,CAAC;IAC3E,CAAC;IAED,qEAAqE;IACrE,iEAAiE;IACjE,IAAI,MAA6B,CAAC;IAClC,IAAI,CAAC;QACH,MAAM,GAAG,UAAU,CAAC,OAAO,CAA0B,CAAC;IACxD,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO;YACL,IAAI,EAAE,KAAK;YACX,QAAQ,EAAE,QAAQ;YAClB,MAAM,EAAE,wBAAyB,GAAa,CAAC,OAAO,EAAE;SACzD,CAAC;IACJ,CAAC;IAED,6DAA6D;IAC7D,2DAA2D;IAC3D,MAAM,WAAW,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IAC1C,IAAI,WAAW,EAAE,CAAC;QAChB,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,CAAC,MAAM,EAAE,CAAC;IACzE,CAAC;IAED,sEAAsE;IACtE,uEAAuE;IACvE,sEAAsE;IACtE,qEAAqE;IACrE,8DAA8D;IAC9D,MAAM,YAAY,GAAsB,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC;IACjG,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC5B,MAAM,KAAK,GAAG,aAAa,CAAC,YAAY,CAAC,CAAC;QAC1C,IAAI,KAAK,CAAC,QAAQ,KAAK,SAAS,EAAE,CAAC;YACjC,OAAO;gBACL,IAAI,EAAE,KAAK;gBACX,QAAQ,EAAE,QAAQ;gBAClB,MAAM,EAAE,eAAe,KAAK,CAAC,MAAM,IAAI,sCAAsC,EAAE;aAChF,CAAC;QACJ,CAAC;QACD,IAAI,KAAK,CAAC,QAAQ,KAAK,YAAY,IAAI,CAAC,OAAO,CAAC,eAAe,EAAE,CAAC;YAChE,OAAO;gBACL,IAAI,EAAE,KAAK;gBACX,QAAQ,EAAE,QAAQ;gBAClB,MAAM,EAAE,4BAA4B,KAAK,CAAC,MAAM,IAAI,6BAA6B,GAAG,KAAK,CAAC,OAAO,EAAE;aACpG,CAAC;QACJ,CAAC;IACH,CAAC;IAED,mEAAmE;IACnE,qEAAqE;IACrE,gEAAgE;IAChE,qEAAqE;IACrE,KAAK,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,IAAI,gBAAgB,EAAE,CAAC;QACnD,IAAI,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YAC1B,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC;QACrD,CAAC;IACH,CAAC;IAED,wDAAwD;IACxD,KAAK,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,IAAI,mBAAmB,EAAE,CAAC;QACtD,IAAI,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YAC1B,IAAI,OAAO,CAAC,eAAe,EAAE,CAAC;gBAC5B,4BAA4B;gBAC5B,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,gBAAgB,MAAM,EAAE,EAAE,CAAC;YAC5E,CAAC;YACD,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC;QACrD,CAAC;IACH,CAAC;IAED,gDAAgD;IAChD,KAAK,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,IAAI,aAAa,EAAE,CAAC;QAChD,IAAI,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YAC1B,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC;QAClD,CAAC;IACH,CAAC;IAED,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC;AAC1C,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,aAAa,CAAC,GAAW,EAAE,UAA4B,EAAE;IACvE,OAAO,eAAe,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC,IAAI,CAAC;AAC5C,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,MAAM,cAAc,GAAG;IAC5B,OAAO,EAAE,gBAAgB;IACzB,UAAU,EAAE,mBAAmB;IAC/B,IAAI,EAAE,aAAa;IACnB,eAAe,EAAE,gBAAgB;IACjC,cAAc,EAAE,gBAAgB;CACxB,CAAC"}

package/dist/security/credential-broker.d.ts

@@ -0,0 +1,136 @@
+/**
+ * credential-broker — Privileged credential-holder broker pattern.
+ *
+ * Port of the Codex `responses-api-proxy` pattern from
+ * openai/codex/codex-rs/responses-api-proxy.
+ *
+ * The motivation:
+ *   When WOTANN runs autonomous loops or sandboxed tool execution,
+ *   we want to MINIMIZE the surface that has API keys in memory. The
+ *   broker pattern: a small privileged process holds the credentials,
+ *   exposes a narrow proxy interface, and the unprivileged main loop
+ *   asks the broker to "make this HTTP request" without ever seeing
+ *   the actual key.
+ *
+ * The broker is in-process here (single Node runtime) rather than a
+ * separate OS process — but the same architectural separation applies:
+ *   - Credentials enter via env-var read at boot, immediately moved
+ *     into the broker, then ZEROED in the original holder.
+ *   - All consumers acquire requests through `broker.request()`, never
+ *     by reading secrets directly.
+ *   - The broker stamps every outgoing request with the appropriate
+ *     auth header derived from its private credential bag.
+ *   - The broker tracks per-credential request counts + last-use ts
+ *     for audit + rotation policies.
+ *
+ * Quality bars:
+ *   - QB#1 immutable: Credential descriptors are readonly + frozen
+ *     once minted; the broker exposes only requests, never the bag.
+ *   - QB#3 honest: every method returns a tagged result; never throws.
+ *   - QB#7 stateless contract: each broker INSTANCE owns one bag;
+ *     no module-level credential state.
+ *   - QB#11 sibling-site: composes with src/security/secret-scanner.ts
+ *     for boot-time detection of accidentally-leaked secrets.
+ *   - QB#19 zombie-free: every exported function has a runtime caller
+ *     in the test file.
+ *
+ * Source: github.com/openai/codex/tree/main/codex-rs/responses-api-proxy
+ */
+export type CredentialKind = "bearer" | "api-key" | "basic";
+export interface CredentialDescriptor {
+    /** Stable identifier for this credential (e.g. "anthropic", "openai"). */
+    readonly id: string;
+    readonly kind: CredentialKind;
+    /** For api-key: which header to use. Defaults to "x-api-key". */
+    readonly headerName?: string;
+    /** For basic: the username (the password is held privately). */
+    readonly username?: string;
+}
+export interface CredentialAuditEntry {
+    readonly credentialId: string;
+    readonly requestCount: number;
+    readonly lastUsedAt: string | null;
+    readonly mintedAt: string;
+}
+export interface BrokerRequest {
+    readonly url: string;
+    readonly method?: "GET" | "POST" | "PUT" | "PATCH" | "DELETE";
+    readonly headers?: Readonly<Record<string, string>>;
+    readonly body?: string | Uint8Array;
+    readonly credentialId: string;
+    /** Optional millisecond timeout. */
+    readonly timeoutMs?: number;
+}
+export type BrokerResponse = {
+    readonly ok: true;
+    readonly status: number;
+    readonly headers: Readonly<Record<string, string>>;
+    readonly body: string;
+} | {
+    readonly ok: false;
+    readonly error: string;
+    readonly code: "unknown-credential" | "timeout" | "transport" | "http-error";
+    readonly status?: number;
+    readonly body?: string;
+};
+export type MintResult = {
+    readonly ok: true;
+    readonly descriptor: CredentialDescriptor;
+} | {
+    readonly ok: false;
+    readonly error: string;
+};
+export interface CredentialBroker {
+    /** Mint a new credential into the broker's private bag. The raw
+     *  secret is NEVER stored on the descriptor — only inside the bag. */
+    mintBearer(args: {
+        readonly id: string;
+        readonly token: string;
+    }): MintResult;
+    mintApiKey(args: {
+        readonly id: string;
+        readonly key: string;
+        readonly headerName?: string;
+    }): MintResult;
+    mintBasic(args: {
+        readonly id: string;
+        readonly username: string;
+        readonly password: string;
+    }): MintResult;
+    /** List the current credentials WITHOUT exposing secrets. */
+    list(): readonly CredentialDescriptor[];
+    has(id: string): boolean;
+    /** Remove a credential and zero out its bag entry. */
+    revoke(id: string): boolean;
+    /** Per-credential audit (count + last-used timestamp). */
+    audit(): readonly CredentialAuditEntry[];
+    /** Issue an HTTP request signed with the named credential. The
+     *  caller never sees the secret. */
+    request(req: BrokerRequest): Promise<BrokerResponse>;
+    /** Test-only: replace the underlying fetch implementation. */
+    setFetchForTests(fn: (url: string, init: RequestInit) => Promise<Response>): void;
+}
+interface BrokerOptions {
+    readonly now?: () => number;
+}
+export declare function createCredentialBroker(opts?: BrokerOptions): CredentialBroker;
+/**
+ * Boot-time helper: read a credential from process.env and immediately
+ * mint it into the broker, then OPTIONALLY zero the env var so a later
+ * compromise of the parent process can't read it. Default is to leave
+ * the env var alone (caller decides — some tools re-read env at runtime
+ * for hot-rotation scenarios).
+ *
+ * Returns the descriptor on success, or {ok:false, error} on missing
+ * env var or empty value.
+ */
+export declare function mintFromEnv(args: {
+    readonly broker: CredentialBroker;
+    readonly id: string;
+    readonly envVar: string;
+    readonly kind: CredentialKind;
+    readonly headerName?: string;
+    readonly clearEnv?: boolean;
+}): MintResult;
+export {};
+//# sourceMappingURL=credential-broker.d.ts.map

package/dist/security/credential-broker.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"credential-broker.d.ts","sourceRoot":"","sources":["../../src/security/credential-broker.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqCG;AAIH,MAAM,MAAM,cAAc,GAAG,QAAQ,GAAG,SAAS,GAAG,OAAO,CAAC;AAE5D,MAAM,WAAW,oBAAoB;IACnC,0EAA0E;IAC1E,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,IAAI,EAAE,cAAc,CAAC;IAC9B,iEAAiE;IACjE,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAC7B,gEAAgE;IAChE,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;CAC5B;AAED,MAAM,WAAW,oBAAoB;IACnC,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IACnC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;CAC3B;AAED,MAAM,WAAW,aAAa;IAC5B,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,MAAM,CAAC,EAAE,KAAK,GAAG,MAAM,GAAG,KAAK,GAAG,OAAO,GAAG,QAAQ,CAAC;IAC9D,QAAQ,CAAC,OAAO,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;IACpD,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,GAAG,UAAU,CAAC;IACpC,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,oCAAoC;IACpC,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;CAC7B;AAED,MAAM,MAAM,cAAc,GACtB;IACE,QAAQ,CAAC,EAAE,EAAE,IAAI,CAAC;IAClB,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,OAAO,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;IACnD,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;CACvB,GACD;IACE,QAAQ,CAAC,EAAE,EAAE,KAAK,CAAC;IACnB,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,IAAI,EAAE,oBAAoB,GAAG,SAAS,GAAG,WAAW,GAAG,YAAY,CAAC;IAC7E,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;CACxB,CAAC;AAEN,MAAM,MAAM,UAAU,GAClB;IAAE,QAAQ,CAAC,EAAE,EAAE,IAAI,CAAC;IAAC,QAAQ,CAAC,UAAU,EAAE,oBAAoB,CAAA;CAAE,GAChE;IAAE,QAAQ,CAAC,EAAE,EAAE,KAAK,CAAC;IAAC,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAA;CAAE,CAAC;AAEnD,MAAM,WAAW,gBAAgB;IAC/B;0EACsE;IACtE,UAAU,CAAC,IAAI,EAAE;QAAE,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAA;KAAE,GAAG,UAAU,CAAC;IAC9E,UAAU,CAAC,IAAI,EAAE;QACf,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;QACpB,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;QACrB,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;KAC9B,GAAG,UAAU,CAAC;IACf,SAAS,CAAC,IAAI,EAAE;QACd,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;QACpB,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;QAC1B,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;KAC3B,GAAG,UAAU,CAAC;IAEf,6DAA6D;IAC7D,IAAI,IAAI,SAAS,oBAAoB,EAAE,CAAC;IACxC,GAAG,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC;IACzB,sDAAsD;IACtD,MAAM,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC;IAE5B,0DAA0D;IAC1D,KAAK,IAAI,SAAS,oBAAoB,EAAE,CAAC;IAEzC;wCACoC;IACpC,OAAO,CAAC,GAAG,EAAE,aAAa,GAAG,OAAO,CAAC,cAAc,CAAC,CAAC;IAErD,8DAA8D;IAC9D,gBAAgB,CAAC,EAAE,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,WAAW,KAAK,OAAO,CAAC,QAAQ,CAAC,GAAG,IAAI,CAAC;CACnF;AA0BD,UAAU,aAAa;IACrB,QAAQ,CAAC,GAAG,CAAC,EAAE,MAAM,MAAM,CAAC;CAC7B;AAED,wBAAgB,sBAAsB,CAAC,IAAI,GAAE,aAAkB,GAAG,gBAAgB,CAgNjF;AAID;;;;;;;;;GASG;AACH,wBAAgB,WAAW,CAAC,IAAI,EAAE;IAChC,QAAQ,CAAC,MAAM,EAAE,gBAAgB,CAAC;IAClC,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,IAAI,EAAE,cAAc,CAAC;IAC9B,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,QAAQ,CAAC,EAAE,OAAO,CAAC;CAC7B,GAAG,UAAU,CAyBb"}