{"version":3,"sources":["../src/authz.ts","../src/crypto.ts","../src/observability.ts","../src/manager.ts","../src/store/gcp.ts","../src/store/audit.ts","../src/store/serialization.ts","../src/store/postgres.ts","../src/store/s3.ts","../src/storage.ts"],"sourcesContent":["import type { Identity, Policy } from './domain';\n\nexport function enforcePolicy(value: string, policy: Policy): void {\n if (value.length < policy.minLength) {\n throw new Error(`Secret must be at least ${policy.minLength} characters long`);\n }\n if (policy.forbidPatterns) {\n for (const pattern of policy.forbidPatterns) {\n if (pattern && value.includes(pattern)) {\n throw new Error(`Secret must not contain forbidden pattern: ${pattern}`);\n }\n }\n }\n}\n\nexport function allowAction(actor: Identity, tenant: string, requiredRole: string): void {\n if (actor.tenant !== tenant) {\n throw new Error('Tenant mismatch for action');\n }\n if (!actor.hasRole(requiredRole)) {\n throw new Error(`Actor missing required role: ${requiredRole}`);\n }\n}\n","import crypto from 'node:crypto';\n\nconst IV_LENGTH = 12;\nconst AUTH_TAG_LENGTH = 16;\nconst ALGORITHM = 'aes-256-gcm';\n\nfunction deriveKey(masterKey: string): Buffer {\n return crypto.createHash('sha256').update(masterKey, 'utf8').digest();\n}\n\nexport function encrypt(value: string, masterKey: string): string {\n const key = deriveKey(masterKey);\n const iv = crypto.randomBytes(IV_LENGTH);\n const cipher = crypto.createCipheriv(ALGORITHM, key, iv);\n const ciphertext = Buffer.concat([cipher.update(value, 'utf8'), cipher.final()]);\n const authTag = cipher.getAuthTag();\n return Buffer.concat([iv, authTag, ciphertext]).toString('base64');\n}\n\nexport function decrypt(token: string, masterKey: string): string {\n const raw = Buffer.from(token, 'base64');\n const iv = raw.subarray(0, IV_LENGTH);\n const authTag = raw.subarray(IV_LENGTH, IV_LENGTH + AUTH_TAG_LENGTH);\n const ciphertext = raw.subarray(IV_LENGTH + AUTH_TAG_LENGTH);\n const key = deriveKey(masterKey);\n const decipher = crypto.createDecipheriv(ALGORITHM, key, iv);\n decipher.setAuthTag(authTag);\n const plaintext = Buffer.concat([decipher.update(ciphertext), decipher.final()]);\n return plaintext.toString('utf8');\n}\n\nexport function checksum(value: string): string {\n return crypto.createHash('sha256').update(value, 'utf8').digest('hex');\n}\n","import type { Identity } from './domain';\n\nexport function recordObservation(action: string, secretId: string, actor: Identity): void {\n console.info(\n 'METRIC action=%s secret=%s subject=%s tenant=%s',\n action,\n secretId,\n actor.subject,\n actor.tenant\n );\n}\n","import crypto from 'node:crypto';\n\nimport { allowAction, enforcePolicy } from './authz';\nimport { checksum } from './crypto';\nimport { type Identity, type Policy, Secret, SecretVersion } from './domain';\nimport type { KtSecretEvent, SecretNotifier } from './events';\nimport { recordObservation } from './observability';\nimport type { SecretStore } from './storage';\n\nexport class SecretManager {\n constructor(\n private readonly store: SecretStore,\n private readonly eventNotifier?: SecretNotifier\n ) {}\n\n private async emitEvent(event: KtSecretEvent): Promise {\n if (this.eventNotifier) {\n await this.eventNotifier.notify(event);\n }\n }\n\n async createSecret(\n name: string,\n value: string,\n policy: Policy,\n actor: Identity,\n description?: string,\n rotationHandler?: () => string | Promise,\n ttlSeconds?: number\n ): Promise {\n enforcePolicy(value, policy);\n allowAction(actor, actor.tenant, 'admin');\n const secretId = crypto.randomUUID();\n const now = new Date();\n const expiresAt = ttlSeconds ? new Date(now.getTime() + ttlSeconds * 1000) : undefined;\n const version = new SecretVersion(1, now, value, checksum(value), actor.subject, expiresAt);\n const secret = new Secret(\n secretId,\n name,\n actor.tenant,\n policy,\n now,\n actor.subject,\n [version],\n description,\n rotationHandler\n );\n await this.store.save(secret, actor, 'create');\n recordObservation('create', secretId, actor);\n await this.emitEvent({\n type: 'created',\n secretId,\n tenant: actor.tenant,\n timestamp: now,\n actor: actor.subject,\n metadata: { name, policy: policy.name, ttlSeconds },\n });\n return secret;\n }\n\n async putSecret(\n secretId: string,\n value: string,\n actor: Identity,\n ttlSeconds?: number\n ): Promise {\n const secret = await this.getOrRaise(secretId);\n allowAction(actor, secret.tenant, 'writer');\n enforcePolicy(value, secret.policy);\n const expiresAt = ttlSeconds ? new Date(Date.now() + ttlSeconds * 1000) : undefined;\n const version = new SecretVersion(\n secret.nextVersionNumber(),\n new Date(),\n value,\n checksum(value),\n actor.subject,\n expiresAt\n );\n secret.versions.push(version);\n await this.store.save(secret, actor, 'put');\n recordObservation('put', secretId, actor);\n await this.emitEvent({\n type: 'updated',\n secretId,\n tenant: secret.tenant,\n timestamp: new Date(),\n actor: actor.subject,\n metadata: { version: version.version, ttlSeconds },\n });\n return secret;\n }\n\n async rotate(secretId: string, actor: Identity): Promise {\n const secret = await this.getOrRaise(secretId);\n allowAction(actor, secret.tenant, 'writer');\n if (!secret.rotationHandler) {\n throw new Error('No rotation handler configured for secret');\n }\n const newValue = await Promise.resolve(secret.rotationHandler());\n enforcePolicy(newValue, secret.policy);\n const version = new SecretVersion(\n secret.nextVersionNumber(),\n new Date(),\n newValue,\n checksum(newValue),\n actor.subject\n );\n secret.versions.push(version);\n await this.store.save(secret, actor, 'rotate');\n recordObservation('rotate', secretId, actor);\n return secret;\n }\n\n async getSecret(secretId: string, actor: Identity): Promise {\n const secret = await this.getOrRaise(secretId);\n allowAction(actor, secret.tenant, 'reader');\n\n const latestVersion = secret.latestVersion();\n if (latestVersion.isExpired()) {\n throw new Error(`Secret ${secretId} has expired`);\n }\n\n recordObservation('get', secretId, actor);\n await this.emitEvent({\n type: 'accessed',\n secretId,\n tenant: secret.tenant,\n timestamp: new Date(),\n actor: actor.subject,\n });\n return secret;\n }\n\n async listSecrets(actor: Identity): Promise {\n allowAction(actor, actor.tenant, 'reader');\n const secrets = await this.store.listSecrets(actor.tenant);\n for (const secret of secrets) {\n recordObservation('list', secret.id, actor);\n }\n return secrets;\n }\n\n async deleteSecret(secretId: string, actor: Identity): Promise {\n const secret = await this.getOrRaise(secretId);\n allowAction(actor, secret.tenant, 'admin');\n await this.store.delete(secretId, actor);\n recordObservation('delete', secretId, actor);\n await this.emitEvent({\n type: 'deleted',\n secretId,\n tenant: secret.tenant,\n timestamp: new Date(),\n actor: actor.subject,\n });\n }\n\n private async getOrRaise(secretId: string): Promise {\n const secret = await this.store.get(secretId);\n if (!secret) {\n throw new Error(`Secret ${secretId} not found`);\n }\n return secret;\n }\n}\n","import { Storage } from '@google-cloud/storage';\n\nimport type { AuditLogEntry, Identity, Secret } from '../domain';\nimport { appendAuditLog } from './audit';\nimport type { SecretStore, SecretStoreConfig } from './interface';\nimport { fromStoredSecret, type StoredSecret, toStoredSecret } from './serialization';\n\nexport type GCPStorageSecretStoreConfig = {\n bucket: string;\n projectId?: string;\n keyFilename?: string;\n keyPrefix?: string;\n} & SecretStoreConfig;\n\nexport class GCPStorageSecretStore implements SecretStore {\n private readonly storage: Storage;\n private readonly bucket: string;\n private readonly keyPrefix: string;\n private readonly masterKey: string;\n private readonly auditLogPath: string | undefined;\n\n constructor(config: GCPStorageSecretStoreConfig) {\n this.bucket = config.bucket;\n const keyPrefix = config.keyPrefix ?? 'secrets/';\n this.keyPrefix = keyPrefix;\n this.masterKey = config.masterKey;\n this.auditLogPath = config.auditLogPath;\n\n this.storage = new Storage({\n ...(config.projectId && { projectId: config.projectId }),\n ...(config.keyFilename && { keyFilename: config.keyFilename }),\n });\n }\n\n async listSecrets(tenant?: string): Promise {\n const data = await this.load();\n const secrets: Secret[] = [];\n for (const stored of Object.values(data)) {\n if (tenant && stored.tenant !== tenant) {\n continue;\n }\n secrets.push(fromStoredSecret(stored, this.masterKey));\n }\n return secrets;\n }\n\n async get(secretId: string): Promise {\n const data = await this.load();\n const stored = data[secretId];\n if (!stored) {\n return undefined;\n }\n return fromStoredSecret(stored, this.masterKey);\n }\n\n async save(secret: Secret, actor: Identity, action: string): Promise {\n const data = await this.load();\n data[secret.id] = toStoredSecret(secret, this.masterKey);\n await this.persist(data);\n this.log({\n timestamp: new Date(),\n subject: actor.subject,\n action,\n secretId: secret.id,\n tenant: secret.tenant,\n metadata: { policy: secret.policy.name },\n });\n }\n\n async delete(secretId: string, actor: Identity): Promise {\n const data = await this.load();\n delete data[secretId];\n await this.persist(data);\n this.log({\n timestamp: new Date(),\n subject: actor.subject,\n action: 'delete',\n secretId,\n tenant: actor.tenant,\n metadata: {},\n });\n }\n\n private async load(): Promise> {\n try {\n const file = this.storage.bucket(this.bucket).file(`${this.keyPrefix}store.json`);\n const [exists] = await file.exists();\n if (!exists) {\n return {};\n }\n const [content] = await file.download();\n const body = content.toString();\n if (!body.trim()) {\n return {};\n }\n return JSON.parse(body) as Record;\n } catch (error: unknown) {\n if (isErrorWithCode(error) && error.code === 404) {\n return {};\n }\n throw error;\n }\n }\n\n private async persist(data: Record): Promise {\n const file = this.storage.bucket(this.bucket).file(`${this.keyPrefix}store.json`);\n await file.save(JSON.stringify(data, null, 2), {\n contentType: 'application/json',\n });\n }\n\n private log(entry: AuditLogEntry): void {\n if (!this.auditLogPath) {\n return;\n }\n appendAuditLog(this.auditLogPath, entry);\n }\n}\n\nfunction isErrorWithCode(error: unknown): error is { code: number } {\n return (\n typeof error === 'object' &&\n error !== null &&\n 'code' in error &&\n typeof (error as { code?: unknown }).code === 'number'\n );\n}\n","import fs from 'node:fs';\n\nimport type { AuditLogEntry } from '../domain';\n\ntype SerializableAuditEntry = {\n timestamp: string;\n subject: string;\n action: string;\n secretId?: string | null;\n tenant: string;\n metadata: Record;\n};\n\nfunction serialize(entry: AuditLogEntry): SerializableAuditEntry {\n const payload: SerializableAuditEntry = {\n timestamp: entry.timestamp.toISOString(),\n subject: entry.subject,\n action: entry.action,\n tenant: entry.tenant,\n metadata: entry.metadata,\n };\n if (entry.secretId !== undefined) {\n payload.secretId = entry.secretId;\n }\n return payload;\n}\n\nexport function appendAuditLog(path: string, entry: AuditLogEntry): void {\n const payload = serialize(entry);\n // eslint-disable-next-line security/detect-non-literal-fs-filename -- file path comes from configuration\n fs.appendFileSync(path, `${JSON.stringify(payload)}\\n`, { encoding: 'utf8' });\n console.info('AUDIT', payload);\n}\n","import { decrypt, encrypt } from '../crypto';\nimport { Policy, Secret, SecretVersion } from '../domain';\n\ntype StoredSecretVersion = {\n version: number;\n createdAt: string;\n value: string;\n checksum: string;\n createdBy: string;\n};\n\ntype StoredPolicy = {\n name: string;\n description: string;\n rotationDays: number;\n minLength: number;\n forbidPatterns?: string[];\n allowedCidrs?: string[];\n};\n\nexport type StoredSecret = {\n id: string;\n name: string;\n tenant: string;\n policy: StoredPolicy;\n createdAt: string;\n createdBy: string;\n versions: StoredSecretVersion[];\n description?: string;\n};\n\nexport function fromStoredSecret(payload: StoredSecret, masterKey: string): Secret {\n const policy = new Policy(\n payload.policy.name,\n payload.policy.description,\n payload.policy.rotationDays,\n payload.policy.minLength,\n payload.policy.forbidPatterns,\n payload.policy.allowedCidrs\n );\n const versions = payload.versions.map((storedVersion) => {\n return new SecretVersion(\n storedVersion.version,\n new Date(storedVersion.createdAt),\n decrypt(storedVersion.value, masterKey),\n storedVersion.checksum,\n storedVersion.createdBy\n );\n });\n return new Secret(\n payload.id,\n payload.name,\n payload.tenant,\n policy,\n new Date(payload.createdAt),\n payload.createdBy,\n versions,\n payload.description\n );\n}\n\nexport function toStoredSecret(secret: Secret, masterKey: string): StoredSecret {\n return {\n id: secret.id,\n name: secret.name,\n tenant: secret.tenant,\n policy: {\n name: secret.policy.name,\n description: secret.policy.description,\n rotationDays: secret.policy.rotationDays,\n minLength: secret.policy.minLength,\n ...(Array.isArray(secret.policy.forbidPatterns)\n ? { forbidPatterns: secret.policy.forbidPatterns }\n : {}),\n ...(Array.isArray(secret.policy.allowedCidrs)\n ? { allowedCidrs: secret.policy.allowedCidrs }\n : {}),\n },\n createdAt: secret.createdAt.toISOString(),\n createdBy: secret.createdBy,\n versions: secret.versions.map((version) => ({\n version: version.version,\n createdAt: version.createdAt.toISOString(),\n value: encrypt(version.value, masterKey),\n checksum: version.checksum,\n createdBy: version.createdBy,\n })),\n ...(typeof secret.description === 'string' ? { description: secret.description } : {}),\n };\n}\n","import { Client, type ClientConfig } from 'pg';\n\nimport type { AuditLogEntry, Identity, Secret } from '../domain';\nimport { appendAuditLog } from './audit';\nimport type { SecretStore, SecretStoreConfig } from './interface';\nimport { fromStoredSecret, type StoredSecret, toStoredSecret } from './serialization';\n\nexport type PostgreSQLSecretStoreConfig = {\n connectionString: string;\n tableName?: string;\n} & SecretStoreConfig;\n\nexport class PostgreSQLSecretStore implements SecretStore {\n private readonly config: ClientConfig;\n private readonly tableName: string;\n private readonly masterKey: string;\n private readonly auditLogPath: string | undefined;\n\n constructor(config: PostgreSQLSecretStoreConfig) {\n this.config = { connectionString: config.connectionString };\n const tableName = config.tableName ?? 'secrets';\n this.tableName = tableName;\n this.masterKey = config.masterKey;\n this.auditLogPath = config.auditLogPath;\n }\n\n async listSecrets(tenant?: string): Promise {\n const client = new Client(this.config);\n try {\n await client.connect();\n await this.ensureTable(client);\n\n let query = 'SELECT data FROM $1';\n const parameters: string[] = [this.tableName];\n\n if (tenant) {\n query += ' WHERE tenant = $2';\n parameters.push(tenant);\n }\n\n const result = await client.query(query, parameters);\n const secrets: Secret[] = [];\n\n for (const row of result.rows) {\n const stored = JSON.parse(row.data) as StoredSecret;\n secrets.push(fromStoredSecret(stored, this.masterKey));\n }\n\n return secrets;\n } finally {\n await client.end();\n }\n }\n\n async get(secretId: string): Promise {\n const client = new Client(this.config);\n try {\n await client.connect();\n await this.ensureTable(client);\n\n const result = await client.query('SELECT data FROM $1 WHERE id = $2', [\n this.tableName,\n secretId,\n ]);\n\n if (result.rows.length === 0) {\n return undefined;\n }\n\n const stored = JSON.parse(result.rows[0].data) as StoredSecret;\n return fromStoredSecret(stored, this.masterKey);\n } finally {\n await client.end();\n }\n }\n\n async save(secret: Secret, actor: Identity, action: string): Promise {\n const client = new Client(this.config);\n try {\n await client.connect();\n await this.ensureTable(client);\n\n const stored = toStoredSecret(secret, this.masterKey);\n const data = JSON.stringify(stored);\n\n await client.query(\n `INSERT INTO $1 (id, tenant, data) VALUES ($2, $3, $4)\n ON CONFLICT (id) DO UPDATE SET data = EXCLUDED.data, updated_at = NOW()`,\n [this.tableName, secret.id, secret.tenant, data]\n );\n\n this.log({\n timestamp: new Date(),\n subject: actor.subject,\n action,\n secretId: secret.id,\n tenant: secret.tenant,\n metadata: { policy: secret.policy.name },\n });\n } finally {\n await client.end();\n }\n }\n\n async delete(secretId: string, actor: Identity): Promise {\n const client = new Client(this.config);\n try {\n await client.connect();\n await this.ensureTable(client);\n\n await client.query('DELETE FROM $1 WHERE id = $2', [this.tableName, secretId]);\n\n this.log({\n timestamp: new Date(),\n subject: actor.subject,\n action: 'delete',\n secretId,\n tenant: actor.tenant,\n metadata: {},\n });\n } finally {\n await client.end();\n }\n }\n\n private async ensureTable(client: Client): Promise {\n await client.query(\n `\n CREATE TABLE IF NOT EXISTS $1 (\n id TEXT PRIMARY KEY,\n tenant TEXT NOT NULL,\n data JSONB NOT NULL,\n created_at TIMESTAMP WITH TIME ZONE DEFAULT NOW(),\n updated_at TIMESTAMP WITH TIME ZONE DEFAULT NOW()\n )\n `,\n [this.tableName]\n );\n\n await client.query(\n `\n CREATE INDEX IF NOT EXISTS idx_$1_tenant ON $1 (tenant)\n `,\n [this.tableName]\n );\n }\n\n private log(entry: AuditLogEntry): void {\n if (!this.auditLogPath) {\n return;\n }\n appendAuditLog(this.auditLogPath, entry);\n }\n}\n","import { GetObjectCommand, PutObjectCommand, S3Client } from '@aws-sdk/client-s3';\n\nimport type { AuditLogEntry, Identity, Secret } from '../domain';\nimport { appendAuditLog } from './audit';\nimport type { SecretStore, SecretStoreConfig } from './interface';\nimport { fromStoredSecret, type StoredSecret, toStoredSecret } from './serialization';\n\nexport type S3SecretStoreConfig = {\n bucket: string;\n region: string;\n keyPrefix?: string;\n accessKeyId?: string;\n secretAccessKey?: string;\n} & SecretStoreConfig;\n\nexport class S3SecretStore implements SecretStore {\n private readonly client: S3Client;\n private readonly bucket: string;\n private readonly keyPrefix: string;\n private readonly masterKey: string;\n private readonly auditLogPath: string | undefined;\n\n constructor(config: S3SecretStoreConfig) {\n this.bucket = config.bucket;\n const keyPrefix = config.keyPrefix ?? 'secrets/';\n this.keyPrefix = keyPrefix;\n this.masterKey = config.masterKey;\n this.auditLogPath = config.auditLogPath;\n\n const credentials =\n config.accessKeyId && config.secretAccessKey\n ? {\n accessKeyId: config.accessKeyId,\n secretAccessKey: config.secretAccessKey,\n }\n : undefined;\n\n this.client = new S3Client({\n region: config.region,\n ...(credentials ? { credentials } : {}),\n });\n }\n\n async listSecrets(tenant?: string): Promise {\n const data = await this.load();\n const secrets: Secret[] = [];\n for (const stored of Object.values(data)) {\n if (tenant && stored.tenant !== tenant) {\n continue;\n }\n secrets.push(fromStoredSecret(stored, this.masterKey));\n }\n return secrets;\n }\n\n async get(secretId: string): Promise {\n const data = await this.load();\n const stored = data[secretId];\n if (!stored) {\n return undefined;\n }\n return fromStoredSecret(stored, this.masterKey);\n }\n\n async save(secret: Secret, actor: Identity, action: string): Promise {\n const data = await this.load();\n data[secret.id] = toStoredSecret(secret, this.masterKey);\n await this.persist(data);\n this.log({\n timestamp: new Date(),\n subject: actor.subject,\n action,\n secretId: secret.id,\n tenant: secret.tenant,\n metadata: { policy: secret.policy.name },\n });\n }\n\n async delete(secretId: string, actor: Identity): Promise {\n const data = await this.load();\n delete data[secretId];\n await this.persist(data);\n this.log({\n timestamp: new Date(),\n subject: actor.subject,\n action: 'delete',\n secretId,\n tenant: actor.tenant,\n metadata: {},\n });\n }\n\n private async load(): Promise> {\n try {\n const command = new GetObjectCommand({\n // eslint-disable-next-line @typescript-eslint/naming-convention -- AWS SDK command input uses PascalCase\n Bucket: this.bucket,\n // eslint-disable-next-line @typescript-eslint/naming-convention -- AWS SDK command input uses PascalCase\n Key: `${this.keyPrefix}store.json`,\n });\n const response = await this.client.send(command);\n const body = await response.Body?.transformToString();\n if (!body?.trim()) {\n return {};\n }\n return JSON.parse(body) as Record;\n } catch (error: unknown) {\n if (isErrorWithName(error) && error.name === 'NoSuchKey') {\n return {};\n }\n throw error;\n }\n }\n\n private async persist(data: Record): Promise {\n const command = new PutObjectCommand({\n // eslint-disable-next-line @typescript-eslint/naming-convention -- AWS SDK command input uses PascalCase\n Bucket: this.bucket,\n // eslint-disable-next-line @typescript-eslint/naming-convention -- AWS SDK command input uses PascalCase\n Key: `${this.keyPrefix}store.json`,\n // eslint-disable-next-line @typescript-eslint/naming-convention -- AWS SDK command input uses PascalCase\n Body: JSON.stringify(data, null, 2),\n // eslint-disable-next-line @typescript-eslint/naming-convention -- AWS SDK command input uses PascalCase\n ContentType: 'application/json',\n });\n await this.client.send(command);\n }\n\n private log(entry: AuditLogEntry): void {\n if (!this.auditLogPath) {\n return;\n }\n appendAuditLog(this.auditLogPath, entry);\n }\n}\n\nfunction isErrorWithName(error: unknown): error is { name: string } {\n return (\n typeof error === 'object' &&\n error !== null &&\n 'name' in error &&\n typeof (error as { name?: unknown }).name === 'string'\n );\n}\n","import fs from 'node:fs';\nimport path from 'node:path';\n\nimport type { AuditLogEntry, Identity, Secret } from './domain';\nimport { appendAuditLog } from './store/audit';\nimport type { SecretStore, SecretStoreConfig } from './store/interface';\nimport { fromStoredSecret, type StoredSecret, toStoredSecret } from './store/serialization';\n\nexport { allowAction, enforcePolicy } from './authz';\nexport { recordObservation } from './observability';\nexport { GCPStorageSecretStore, type GCPStorageSecretStoreConfig } from './store/gcp';\nexport type { SecretStore, SecretStoreConfig } from './store/interface';\nexport { PostgreSQLSecretStore, type PostgreSQLSecretStoreConfig } from './store/postgres';\nexport { S3SecretStore, type S3SecretStoreConfig } from './store/s3';\n\nexport class FileSecretStore implements SecretStore {\n private readonly masterKey: string;\n private readonly auditLogPath: string | undefined;\n\n constructor(\n private readonly storePath: string,\n config: SecretStoreConfig\n ) {\n this.masterKey = config.masterKey;\n if (config.auditLogPath) {\n this.auditLogPath = config.auditLogPath;\n }\n // eslint-disable-next-line security/detect-non-literal-fs-filename -- file path comes from configuration\n fs.mkdirSync(directoryOf(this.storePath), { recursive: true });\n if (config.auditLogPath) {\n // eslint-disable-next-line security/detect-non-literal-fs-filename -- file path comes from configuration\n fs.mkdirSync(directoryOf(config.auditLogPath), { recursive: true });\n }\n }\n\n listSecrets(tenant?: string): Promise {\n const data = this.load();\n const secrets: Secret[] = [];\n for (const stored of Object.values(data)) {\n if (tenant && stored.tenant !== tenant) {\n continue;\n }\n secrets.push(fromStoredSecret(stored, this.masterKey));\n }\n return Promise.resolve(secrets);\n }\n\n get(secretId: string): Promise {\n const data = this.load();\n const stored = data[secretId];\n if (!stored) {\n // eslint-disable-next-line unicorn/no-useless-undefined -- we want to return a promise\n return Promise.resolve(undefined);\n }\n return Promise.resolve(fromStoredSecret(stored, this.masterKey));\n }\n\n save(secret: Secret, actor: Identity, action: string): Promise {\n const data = this.load();\n data[secret.id] = toStoredSecret(secret, this.masterKey);\n this.persist(data);\n this.log({\n timestamp: new Date(),\n subject: actor.subject,\n action,\n secretId: secret.id,\n tenant: secret.tenant,\n metadata: { policy: secret.policy.name },\n });\n return Promise.resolve();\n }\n\n delete(secretId: string, actor: Identity): Promise {\n const data = this.load();\n delete data[secretId];\n this.persist(data);\n this.log({\n timestamp: new Date(),\n subject: actor.subject,\n action: 'delete',\n secretId,\n tenant: actor.tenant,\n metadata: {},\n });\n return Promise.resolve();\n }\n\n private load(): Record {\n // eslint-disable-next-line security/detect-non-literal-fs-filename -- file path comes from configuration\n if (!fs.existsSync(this.storePath)) {\n return {};\n }\n // eslint-disable-next-line security/detect-non-literal-fs-filename -- file path comes from configuration\n const raw = fs.readFileSync(this.storePath, 'utf8');\n if (!raw.trim()) {\n return {};\n }\n return JSON.parse(raw) as Record;\n }\n\n private persist(data: Record): void {\n // eslint-disable-next-line security/detect-non-literal-fs-filename -- file path comes from configuration\n fs.writeFileSync(this.storePath, JSON.stringify(data, null, 2));\n }\n\n private log(entry: AuditLogEntry): void {\n if (!this.auditLogPath) {\n return;\n }\n appendAuditLog(this.auditLogPath, entry);\n }\n}\n\nfunction directoryOf(target: string): string {\n return path.dirname(path.resolve(target));\n}\n"],"mappings":";;;;;;;;;;AAEO,SAAS,cAAc,OAAe,QAAsB;AACjE,MAAI,MAAM,SAAS,OAAO,WAAW;AACnC,UAAM,IAAI,MAAM,2BAA2B,OAAO,SAAS,kBAAkB;AAAA,EAC/E;AACA,MAAI,OAAO,gBAAgB;AACzB,eAAW,WAAW,OAAO,gBAAgB;AAC3C,UAAI,WAAW,MAAM,SAAS,OAAO,GAAG;AACtC,cAAM,IAAI,MAAM,8CAA8C,OAAO,EAAE;AAAA,MACzE;AAAA,IACF;AAAA,EACF;AACF;AAEO,SAAS,YAAY,OAAiB,QAAgB,cAA4B;AACvF,MAAI,MAAM,WAAW,QAAQ;AAC3B,UAAM,IAAI,MAAM,4BAA4B;AAAA,EAC9C;AACA,MAAI,CAAC,MAAM,QAAQ,YAAY,GAAG;AAChC,UAAM,IAAI,MAAM,gCAAgC,YAAY,EAAE;AAAA,EAChE;AACF;;;ACtBA,OAAO,YAAY;AAEnB,IAAM,YAAY;AAClB,IAAM,kBAAkB;AACxB,IAAM,YAAY;AAElB,SAAS,UAAU,WAA2B;AAC5C,SAAO,OAAO,WAAW,QAAQ,EAAE,OAAO,WAAW,MAAM,EAAE,OAAO;AACtE;AAEO,SAAS,QAAQ,OAAe,WAA2B;AAChE,QAAM,MAAM,UAAU,SAAS;AAC/B,QAAM,KAAK,OAAO,YAAY,SAAS;AACvC,QAAM,SAAS,OAAO,eAAe,WAAW,KAAK,EAAE;AACvD,QAAM,aAAa,OAAO,OAAO,CAAC,OAAO,OAAO,OAAO,MAAM,GAAG,OAAO,MAAM,CAAC,CAAC;AAC/E,QAAM,UAAU,OAAO,WAAW;AAClC,SAAO,OAAO,OAAO,CAAC,IAAI,SAAS,UAAU,CAAC,EAAE,SAAS,QAAQ;AACnE;AAEO,SAAS,QAAQ,OAAe,WAA2B;AAChE,QAAM,MAAM,OAAO,KAAK,OAAO,QAAQ;AACvC,QAAM,KAAK,IAAI,SAAS,GAAG,SAAS;AACpC,QAAM,UAAU,IAAI,SAAS,WAAW,YAAY,eAAe;AACnE,QAAM,aAAa,IAAI,SAAS,YAAY,eAAe;AAC3D,QAAM,MAAM,UAAU,SAAS;AAC/B,QAAM,WAAW,OAAO,iBAAiB,WAAW,KAAK,EAAE;AAC3D,WAAS,WAAW,OAAO;AAC3B,QAAM,YAAY,OAAO,OAAO,CAAC,SAAS,OAAO,UAAU,GAAG,SAAS,MAAM,CAAC,CAAC;AAC/E,SAAO,UAAU,SAAS,MAAM;AAClC;AAEO,SAAS,SAAS,OAAuB;AAC9C,SAAO,OAAO,WAAW,QAAQ,EAAE,OAAO,OAAO,MAAM,EAAE,OAAO,KAAK;AACvE;;;AC/BO,SAAS,kBAAkB,QAAgB,UAAkB,OAAuB;AACzF,UAAQ;AAAA,IACN;AAAA,IACA;AAAA,IACA;AAAA,IACA,MAAM;AAAA,IACN,MAAM;AAAA,EACR;AACF;;;ACVA,OAAOA,aAAY;AASZ,IAAM,gBAAN,MAAoB;AAAA,EACzB,YACmB,OACA,eACjB;AAFiB;AACA;AAAA,EAChB;AAAA,EAEH,MAAc,UAAU,OAAqC;AAC3D,QAAI,KAAK,eAAe;AACtB,YAAM,KAAK,cAAc,OAAO,KAAK;AAAA,IACvC;AAAA,EACF;AAAA,EAEA,MAAM,aACJ,MACA,OACA,QACA,OACA,aACA,iBACA,YACiB;AACjB,kBAAc,OAAO,MAAM;AAC3B,gBAAY,OAAO,MAAM,QAAQ,OAAO;AACxC,UAAM,WAAWC,QAAO,WAAW;AACnC,UAAM,MAAM,oBAAI,KAAK;AACrB,UAAM,YAAY,aAAa,IAAI,KAAK,IAAI,QAAQ,IAAI,aAAa,GAAI,IAAI;AAC7E,UAAM,UAAU,IAAI,cAAc,GAAG,KAAK,OAAO,SAAS,KAAK,GAAG,MAAM,SAAS,SAAS;AAC1F,UAAM,SAAS,IAAI;AAAA,MACjB;AAAA,MACA;AAAA,MACA,MAAM;AAAA,MACN;AAAA,MACA;AAAA,MACA,MAAM;AAAA,MACN,CAAC,OAAO;AAAA,MACR;AAAA,MACA;AAAA,IACF;AACA,UAAM,KAAK,MAAM,KAAK,QAAQ,OAAO,QAAQ;AAC7C,sBAAkB,UAAU,UAAU,KAAK;AAC3C,UAAM,KAAK,UAAU;AAAA,MACnB,MAAM;AAAA,MACN;AAAA,MACA,QAAQ,MAAM;AAAA,MACd,WAAW;AAAA,MACX,OAAO,MAAM;AAAA,MACb,UAAU,EAAE,MAAM,QAAQ,OAAO,MAAM,WAAW;AAAA,IACpD,CAAC;AACD,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,UACJ,UACA,OACA,OACA,YACiB;AACjB,UAAM,SAAS,MAAM,KAAK,WAAW,QAAQ;AAC7C,gBAAY,OAAO,OAAO,QAAQ,QAAQ;AAC1C,kBAAc,OAAO,OAAO,MAAM;AAClC,UAAM,YAAY,aAAa,IAAI,KAAK,KAAK,IAAI,IAAI,aAAa,GAAI,IAAI;AAC1E,UAAM,UAAU,IAAI;AAAA,MAClB,OAAO,kBAAkB;AAAA,MACzB,oBAAI,KAAK;AAAA,MACT;AAAA,MACA,SAAS,KAAK;AAAA,MACd,MAAM;AAAA,MACN;AAAA,IACF;AACA,WAAO,SAAS,KAAK,OAAO;AAC5B,UAAM,KAAK,MAAM,KAAK,QAAQ,OAAO,KAAK;AAC1C,sBAAkB,OAAO,UAAU,KAAK;AACxC,UAAM,KAAK,UAAU;AAAA,MACnB,MAAM;AAAA,MACN;AAAA,MACA,QAAQ,OAAO;AAAA,MACf,WAAW,oBAAI,KAAK;AAAA,MACpB,OAAO,MAAM;AAAA,MACb,UAAU,EAAE,SAAS,QAAQ,SAAS,WAAW;AAAA,IACnD,CAAC;AACD,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,OAAO,UAAkB,OAAkC;AAC/D,UAAM,SAAS,MAAM,KAAK,WAAW,QAAQ;AAC7C,gBAAY,OAAO,OAAO,QAAQ,QAAQ;AAC1C,QAAI,CAAC,OAAO,iBAAiB;AAC3B,YAAM,IAAI,MAAM,2CAA2C;AAAA,IAC7D;AACA,UAAM,WAAW,MAAM,QAAQ,QAAQ,OAAO,gBAAgB,CAAC;AAC/D,kBAAc,UAAU,OAAO,MAAM;AACrC,UAAM,UAAU,IAAI;AAAA,MAClB,OAAO,kBAAkB;AAAA,MACzB,oBAAI,KAAK;AAAA,MACT;AAAA,MACA,SAAS,QAAQ;AAAA,MACjB,MAAM;AAAA,IACR;AACA,WAAO,SAAS,KAAK,OAAO;AAC5B,UAAM,KAAK,MAAM,KAAK,QAAQ,OAAO,QAAQ;AAC7C,sBAAkB,UAAU,UAAU,KAAK;AAC3C,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,UAAU,UAAkB,OAAkC;AAClE,UAAM,SAAS,MAAM,KAAK,WAAW,QAAQ;AAC7C,gBAAY,OAAO,OAAO,QAAQ,QAAQ;AAE1C,UAAM,gBAAgB,OAAO,cAAc;AAC3C,QAAI,cAAc,UAAU,GAAG;AAC7B,YAAM,IAAI,MAAM,UAAU,QAAQ,cAAc;AAAA,IAClD;AAEA,sBAAkB,OAAO,UAAU,KAAK;AACxC,UAAM,KAAK,UAAU;AAAA,MACnB,MAAM;AAAA,MACN;AAAA,MACA,QAAQ,OAAO;AAAA,MACf,WAAW,oBAAI,KAAK;AAAA,MACpB,OAAO,MAAM;AAAA,IACf,CAAC;AACD,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,YAAY,OAAoC;AACpD,gBAAY,OAAO,MAAM,QAAQ,QAAQ;AACzC,UAAM,UAAU,MAAM,KAAK,MAAM,YAAY,MAAM,MAAM;AACzD,eAAW,UAAU,SAAS;AAC5B,wBAAkB,QAAQ,OAAO,IAAI,KAAK;AAAA,IAC5C;AACA,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,aAAa,UAAkB,OAAgC;AACnE,UAAM,SAAS,MAAM,KAAK,WAAW,QAAQ;AAC7C,gBAAY,OAAO,OAAO,QAAQ,OAAO;AACzC,UAAM,KAAK,MAAM,OAAO,UAAU,KAAK;AACvC,sBAAkB,UAAU,UAAU,KAAK;AAC3C,UAAM,KAAK,UAAU;AAAA,MACnB,MAAM;AAAA,MACN;AAAA,MACA,QAAQ,OAAO;AAAA,MACf,WAAW,oBAAI,KAAK;AAAA,MACpB,OAAO,MAAM;AAAA,IACf,CAAC;AAAA,EACH;AAAA,EAEA,MAAc,WAAW,UAAmC;AAC1D,UAAM,SAAS,MAAM,KAAK,MAAM,IAAI,QAAQ;AAC5C,QAAI,CAAC,QAAQ;AACX,YAAM,IAAI,MAAM,UAAU,QAAQ,YAAY;AAAA,IAChD;AACA,WAAO;AAAA,EACT;AACF;;;ACnKA,SAAS,eAAe;;;ACAxB,OAAO,QAAQ;AAaf,SAAS,UAAU,OAA8C;AAC/D,QAAM,UAAkC;AAAA,IACtC,WAAW,MAAM,UAAU,YAAY;AAAA,IACvC,SAAS,MAAM;AAAA,IACf,QAAQ,MAAM;AAAA,IACd,QAAQ,MAAM;AAAA,IACd,UAAU,MAAM;AAAA,EAClB;AACA,MAAI,MAAM,aAAa,QAAW;AAChC,YAAQ,WAAW,MAAM;AAAA,EAC3B;AACA,SAAO;AACT;AAEO,SAAS,eAAeC,OAAc,OAA4B;AACvE,QAAM,UAAU,UAAU,KAAK;AAE/B,KAAG,eAAeA,OAAM,GAAG,KAAK,UAAU,OAAO,CAAC;AAAA,GAAM,EAAE,UAAU,OAAO,CAAC;AAC5E,UAAQ,KAAK,SAAS,OAAO;AAC/B;;;ACDO,SAAS,iBAAiB,SAAuB,WAA2B;AACjF,QAAM,SAAS,IAAI;AAAA,IACjB,QAAQ,OAAO;AAAA,IACf,QAAQ,OAAO;AAAA,IACf,QAAQ,OAAO;AAAA,IACf,QAAQ,OAAO;AAAA,IACf,QAAQ,OAAO;AAAA,IACf,QAAQ,OAAO;AAAA,EACjB;AACA,QAAM,WAAW,QAAQ,SAAS,IAAI,CAAC,kBAAkB;AACvD,WAAO,IAAI;AAAA,MACT,cAAc;AAAA,MACd,IAAI,KAAK,cAAc,SAAS;AAAA,MAChC,QAAQ,cAAc,OAAO,SAAS;AAAA,MACtC,cAAc;AAAA,MACd,cAAc;AAAA,IAChB;AAAA,EACF,CAAC;AACD,SAAO,IAAI;AAAA,IACT,QAAQ;AAAA,IACR,QAAQ;AAAA,IACR,QAAQ;AAAA,IACR;AAAA,IACA,IAAI,KAAK,QAAQ,SAAS;AAAA,IAC1B,QAAQ;AAAA,IACR;AAAA,IACA,QAAQ;AAAA,EACV;AACF;AAEO,SAAS,eAAe,QAAgB,WAAiC;AAC9E,SAAO;AAAA,IACL,IAAI,OAAO;AAAA,IACX,MAAM,OAAO;AAAA,IACb,QAAQ,OAAO;AAAA,IACf,QAAQ;AAAA,MACN,MAAM,OAAO,OAAO;AAAA,MACpB,aAAa,OAAO,OAAO;AAAA,MAC3B,cAAc,OAAO,OAAO;AAAA,MAC5B,WAAW,OAAO,OAAO;AAAA,MACzB,GAAI,MAAM,QAAQ,OAAO,OAAO,cAAc,IAC1C,EAAE,gBAAgB,OAAO,OAAO,eAAe,IAC/C,CAAC;AAAA,MACL,GAAI,MAAM,QAAQ,OAAO,OAAO,YAAY,IACxC,EAAE,cAAc,OAAO,OAAO,aAAa,IAC3C,CAAC;AAAA,IACP;AAAA,IACA,WAAW,OAAO,UAAU,YAAY;AAAA,IACxC,WAAW,OAAO;AAAA,IAClB,UAAU,OAAO,SAAS,IAAI,CAAC,aAAa;AAAA,MAC1C,SAAS,QAAQ;AAAA,MACjB,WAAW,QAAQ,UAAU,YAAY;AAAA,MACzC,OAAO,QAAQ,QAAQ,OAAO,SAAS;AAAA,MACvC,UAAU,QAAQ;AAAA,MAClB,WAAW,QAAQ;AAAA,IACrB,EAAE;AAAA,IACF,GAAI,OAAO,OAAO,gBAAgB,WAAW,EAAE,aAAa,OAAO,YAAY,IAAI,CAAC;AAAA,EACtF;AACF;;;AF3EO,IAAM,wBAAN,MAAmD;AAAA,EAOxD,YAAY,QAAqC;AANjD,wBAAiB;AACjB,wBAAiB;AACjB,wBAAiB;AACjB,wBAAiB;AACjB,wBAAiB;AAGf,SAAK,SAAS,OAAO;AACrB,UAAM,YAAY,OAAO,aAAa;AACtC,SAAK,YAAY;AACjB,SAAK,YAAY,OAAO;AACxB,SAAK,eAAe,OAAO;AAE3B,SAAK,UAAU,IAAI,QAAQ;AAAA,MACzB,GAAI,OAAO,aAAa,EAAE,WAAW,OAAO,UAAU;AAAA,MACtD,GAAI,OAAO,eAAe,EAAE,aAAa,OAAO,YAAY;AAAA,IAC9D,CAAC;AAAA,EACH;AAAA,EAEA,MAAM,YAAY,QAAoC;AACpD,UAAM,OAAO,MAAM,KAAK,KAAK;AAC7B,UAAM,UAAoB,CAAC;AAC3B,eAAW,UAAU,OAAO,OAAO,IAAI,GAAG;AACxC,UAAI,UAAU,OAAO,WAAW,QAAQ;AACtC;AAAA,MACF;AACA,cAAQ,KAAK,iBAAiB,QAAQ,KAAK,SAAS,CAAC;AAAA,IACvD;AACA,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,IAAI,UAA+C;AACvD,UAAM,OAAO,MAAM,KAAK,KAAK;AAC7B,UAAM,SAAS,KAAK,QAAQ;AAC5B,QAAI,CAAC,QAAQ;AACX,aAAO;AAAA,IACT;AACA,WAAO,iBAAiB,QAAQ,KAAK,SAAS;AAAA,EAChD;AAAA,EAEA,MAAM,KAAK,QAAgB,OAAiB,QAA+B;AACzE,UAAM,OAAO,MAAM,KAAK,KAAK;AAC7B,SAAK,OAAO,EAAE,IAAI,eAAe,QAAQ,KAAK,SAAS;AACvD,UAAM,KAAK,QAAQ,IAAI;AACvB,SAAK,IAAI;AAAA,MACP,WAAW,oBAAI,KAAK;AAAA,MACpB,SAAS,MAAM;AAAA,MACf;AAAA,MACA,UAAU,OAAO;AAAA,MACjB,QAAQ,OAAO;AAAA,MACf,UAAU,EAAE,QAAQ,OAAO,OAAO,KAAK;AAAA,IACzC,CAAC;AAAA,EACH;AAAA,EAEA,MAAM,OAAO,UAAkB,OAAgC;AAC7D,UAAM,OAAO,MAAM,KAAK,KAAK;AAC7B,WAAO,KAAK,QAAQ;AACpB,UAAM,KAAK,QAAQ,IAAI;AACvB,SAAK,IAAI;AAAA,MACP,WAAW,oBAAI,KAAK;AAAA,MACpB,SAAS,MAAM;AAAA,MACf,QAAQ;AAAA,MACR;AAAA,MACA,QAAQ,MAAM;AAAA,MACd,UAAU,CAAC;AAAA,IACb,CAAC;AAAA,EACH;AAAA,EAEA,MAAc,OAA8C;AAC1D,QAAI;AACF,YAAM,OAAO,KAAK,QAAQ,OAAO,KAAK,MAAM,EAAE,KAAK,GAAG,KAAK,SAAS,YAAY;AAChF,YAAM,CAAC,MAAM,IAAI,MAAM,KAAK,OAAO;AACnC,UAAI,CAAC,QAAQ;AACX,eAAO,CAAC;AAAA,MACV;AACA,YAAM,CAAC,OAAO,IAAI,MAAM,KAAK,SAAS;AACtC,YAAM,OAAO,QAAQ,SAAS;AAC9B,UAAI,CAAC,KAAK,KAAK,GAAG;AAChB,eAAO,CAAC;AAAA,MACV;AACA,aAAO,KAAK,MAAM,IAAI;AAAA,IACxB,SAAS,OAAgB;AACvB,UAAI,gBAAgB,KAAK,KAAK,MAAM,SAAS,KAAK;AAChD,eAAO,CAAC;AAAA,MACV;AACA,YAAM;AAAA,IACR;AAAA,EACF;AAAA,EAEA,MAAc,QAAQ,MAAmD;AACvE,UAAM,OAAO,KAAK,QAAQ,OAAO,KAAK,MAAM,EAAE,KAAK,GAAG,KAAK,SAAS,YAAY;AAChF,UAAM,KAAK,KAAK,KAAK,UAAU,MAAM,MAAM,CAAC,GAAG;AAAA,MAC7C,aAAa;AAAA,IACf,CAAC;AAAA,EACH;AAAA,EAEQ,IAAI,OAA4B;AACtC,QAAI,CAAC,KAAK,cAAc;AACtB;AAAA,IACF;AACA,mBAAe,KAAK,cAAc,KAAK;AAAA,EACzC;AACF;AAEA,SAAS,gBAAgB,OAA2C;AAClE,SACE,OAAO,UAAU,YACjB,UAAU,QACV,UAAU,SACV,OAAQ,MAA6B,SAAS;AAElD;;;AG9HA,SAAS,cAAiC;AAYnC,IAAM,wBAAN,MAAmD;AAAA,EAMxD,YAAY,QAAqC;AALjD,wBAAiB;AACjB,wBAAiB;AACjB,wBAAiB;AACjB,wBAAiB;AAGf,SAAK,SAAS,EAAE,kBAAkB,OAAO,iBAAiB;AAC1D,UAAM,YAAY,OAAO,aAAa;AACtC,SAAK,YAAY;AACjB,SAAK,YAAY,OAAO;AACxB,SAAK,eAAe,OAAO;AAAA,EAC7B;AAAA,EAEA,MAAM,YAAY,QAAoC;AACpD,UAAM,SAAS,IAAI,OAAO,KAAK,MAAM;AACrC,QAAI;AACF,YAAM,OAAO,QAAQ;AACrB,YAAM,KAAK,YAAY,MAAM;AAE7B,UAAI,QAAQ;AACZ,YAAM,aAAuB,CAAC,KAAK,SAAS;AAE5C,UAAI,QAAQ;AACV,iBAAS;AACT,mBAAW,KAAK,MAAM;AAAA,MACxB;AAEA,YAAM,SAAS,MAAM,OAAO,MAAM,OAAO,UAAU;AACnD,YAAM,UAAoB,CAAC;AAE3B,iBAAW,OAAO,OAAO,MAAM;AAC7B,cAAM,SAAS,KAAK,MAAM,IAAI,IAAI;AAClC,gBAAQ,KAAK,iBAAiB,QAAQ,KAAK,SAAS,CAAC;AAAA,MACvD;AAEA,aAAO;AAAA,IACT,UAAE;AACA,YAAM,OAAO,IAAI;AAAA,IACnB;AAAA,EACF;AAAA,EAEA,MAAM,IAAI,UAA+C;AACvD,UAAM,SAAS,IAAI,OAAO,KAAK,MAAM;AACrC,QAAI;AACF,YAAM,OAAO,QAAQ;AACrB,YAAM,KAAK,YAAY,MAAM;AAE7B,YAAM,SAAS,MAAM,OAAO,MAAM,qCAAqC;AAAA,QACrE,KAAK;AAAA,QACL;AAAA,MACF,CAAC;AAED,UAAI,OAAO,KAAK,WAAW,GAAG;AAC5B,eAAO;AAAA,MACT;AAEA,YAAM,SAAS,KAAK,MAAM,OAAO,KAAK,CAAC,EAAE,IAAI;AAC7C,aAAO,iBAAiB,QAAQ,KAAK,SAAS;AAAA,IAChD,UAAE;AACA,YAAM,OAAO,IAAI;AAAA,IACnB;AAAA,EACF;AAAA,EAEA,MAAM,KAAK,QAAgB,OAAiB,QAA+B;AACzE,UAAM,SAAS,IAAI,OAAO,KAAK,MAAM;AACrC,QAAI;AACF,YAAM,OAAO,QAAQ;AACrB,YAAM,KAAK,YAAY,MAAM;AAE7B,YAAM,SAAS,eAAe,QAAQ,KAAK,SAAS;AACpD,YAAM,OAAO,KAAK,UAAU,MAAM;AAElC,YAAM,OAAO;AAAA,QACX;AAAA;AAAA,QAEA,CAAC,KAAK,WAAW,OAAO,IAAI,OAAO,QAAQ,IAAI;AAAA,MACjD;AAEA,WAAK,IAAI;AAAA,QACP,WAAW,oBAAI,KAAK;AAAA,QACpB,SAAS,MAAM;AAAA,QACf;AAAA,QACA,UAAU,OAAO;AAAA,QACjB,QAAQ,OAAO;AAAA,QACf,UAAU,EAAE,QAAQ,OAAO,OAAO,KAAK;AAAA,MACzC,CAAC;AAAA,IACH,UAAE;AACA,YAAM,OAAO,IAAI;AAAA,IACnB;AAAA,EACF;AAAA,EAEA,MAAM,OAAO,UAAkB,OAAgC;AAC7D,UAAM,SAAS,IAAI,OAAO,KAAK,MAAM;AACrC,QAAI;AACF,YAAM,OAAO,QAAQ;AACrB,YAAM,KAAK,YAAY,MAAM;AAE7B,YAAM,OAAO,MAAM,gCAAgC,CAAC,KAAK,WAAW,QAAQ,CAAC;AAE7E,WAAK,IAAI;AAAA,QACP,WAAW,oBAAI,KAAK;AAAA,QACpB,SAAS,MAAM;AAAA,QACf,QAAQ;AAAA,QACR;AAAA,QACA,QAAQ,MAAM;AAAA,QACd,UAAU,CAAC;AAAA,MACb,CAAC;AAAA,IACH,UAAE;AACA,YAAM,OAAO,IAAI;AAAA,IACnB;AAAA,EACF;AAAA,EAEA,MAAc,YAAY,QAA+B;AACvD,UAAM,OAAO;AAAA,MACX;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MASA,CAAC,KAAK,SAAS;AAAA,IACjB;AAEA,UAAM,OAAO;AAAA,MACX;AAAA;AAAA;AAAA,MAGA,CAAC,KAAK,SAAS;AAAA,IACjB;AAAA,EACF;AAAA,EAEQ,IAAI,OAA4B;AACtC,QAAI,CAAC,KAAK,cAAc;AACtB;AAAA,IACF;AACA,mBAAe,KAAK,cAAc,KAAK;AAAA,EACzC;AACF;;;ACzJA,SAAS,kBAAkB,kBAAkB,gBAAgB;AAetD,IAAM,gBAAN,MAA2C;AAAA,EAOhD,YAAY,QAA6B;AANzC,wBAAiB;AACjB,wBAAiB;AACjB,wBAAiB;AACjB,wBAAiB;AACjB,wBAAiB;AAGf,SAAK,SAAS,OAAO;AACrB,UAAM,YAAY,OAAO,aAAa;AACtC,SAAK,YAAY;AACjB,SAAK,YAAY,OAAO;AACxB,SAAK,eAAe,OAAO;AAE3B,UAAM,cACJ,OAAO,eAAe,OAAO,kBACzB;AAAA,MACE,aAAa,OAAO;AAAA,MACpB,iBAAiB,OAAO;AAAA,IAC1B,IACA;AAEN,SAAK,SAAS,IAAI,SAAS;AAAA,MACzB,QAAQ,OAAO;AAAA,MACf,GAAI,cAAc,EAAE,YAAY,IAAI,CAAC;AAAA,IACvC,CAAC;AAAA,EACH;AAAA,EAEA,MAAM,YAAY,QAAoC;AACpD,UAAM,OAAO,MAAM,KAAK,KAAK;AAC7B,UAAM,UAAoB,CAAC;AAC3B,eAAW,UAAU,OAAO,OAAO,IAAI,GAAG;AACxC,UAAI,UAAU,OAAO,WAAW,QAAQ;AACtC;AAAA,MACF;AACA,cAAQ,KAAK,iBAAiB,QAAQ,KAAK,SAAS,CAAC;AAAA,IACvD;AACA,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,IAAI,UAA+C;AACvD,UAAM,OAAO,MAAM,KAAK,KAAK;AAC7B,UAAM,SAAS,KAAK,QAAQ;AAC5B,QAAI,CAAC,QAAQ;AACX,aAAO;AAAA,IACT;AACA,WAAO,iBAAiB,QAAQ,KAAK,SAAS;AAAA,EAChD;AAAA,EAEA,MAAM,KAAK,QAAgB,OAAiB,QAA+B;AACzE,UAAM,OAAO,MAAM,KAAK,KAAK;AAC7B,SAAK,OAAO,EAAE,IAAI,eAAe,QAAQ,KAAK,SAAS;AACvD,UAAM,KAAK,QAAQ,IAAI;AACvB,SAAK,IAAI;AAAA,MACP,WAAW,oBAAI,KAAK;AAAA,MACpB,SAAS,MAAM;AAAA,MACf;AAAA,MACA,UAAU,OAAO;AAAA,MACjB,QAAQ,OAAO;AAAA,MACf,UAAU,EAAE,QAAQ,OAAO,OAAO,KAAK;AAAA,IACzC,CAAC;AAAA,EACH;AAAA,EAEA,MAAM,OAAO,UAAkB,OAAgC;AAC7D,UAAM,OAAO,MAAM,KAAK,KAAK;AAC7B,WAAO,KAAK,QAAQ;AACpB,UAAM,KAAK,QAAQ,IAAI;AACvB,SAAK,IAAI;AAAA,MACP,WAAW,oBAAI,KAAK;AAAA,MACpB,SAAS,MAAM;AAAA,MACf,QAAQ;AAAA,MACR;AAAA,MACA,QAAQ,MAAM;AAAA,MACd,UAAU,CAAC;AAAA,IACb,CAAC;AAAA,EACH;AAAA,EAEA,MAAc,OAA8C;AAC1D,QAAI;AACF,YAAM,UAAU,IAAI,iBAAiB;AAAA;AAAA,QAEnC,QAAQ,KAAK;AAAA;AAAA,QAEb,KAAK,GAAG,KAAK,SAAS;AAAA,MACxB,CAAC;AACD,YAAM,WAAW,MAAM,KAAK,OAAO,KAAK,OAAO;AAC/C,YAAM,OAAO,MAAM,SAAS,MAAM,kBAAkB;AACpD,UAAI,CAAC,MAAM,KAAK,GAAG;AACjB,eAAO,CAAC;AAAA,MACV;AACA,aAAO,KAAK,MAAM,IAAI;AAAA,IACxB,SAAS,OAAgB;AACvB,UAAI,gBAAgB,KAAK,KAAK,MAAM,SAAS,aAAa;AACxD,eAAO,CAAC;AAAA,MACV;AACA,YAAM;AAAA,IACR;AAAA,EACF;AAAA,EAEA,MAAc,QAAQ,MAAmD;AACvE,UAAM,UAAU,IAAI,iBAAiB;AAAA;AAAA,MAEnC,QAAQ,KAAK;AAAA;AAAA,MAEb,KAAK,GAAG,KAAK,SAAS;AAAA;AAAA,MAEtB,MAAM,KAAK,UAAU,MAAM,MAAM,CAAC;AAAA;AAAA,MAElC,aAAa;AAAA,IACf,CAAC;AACD,UAAM,KAAK,OAAO,KAAK,OAAO;AAAA,EAChC;AAAA,EAEQ,IAAI,OAA4B;AACtC,QAAI,CAAC,KAAK,cAAc;AACtB;AAAA,IACF;AACA,mBAAe,KAAK,cAAc,KAAK;AAAA,EACzC;AACF;AAEA,SAAS,gBAAgB,OAA2C;AAClE,SACE,OAAO,UAAU,YACjB,UAAU,QACV,UAAU,SACV,OAAQ,MAA6B,SAAS;AAElD;;;AC/IA,OAAOC,SAAQ;AACf,OAAO,UAAU;AAcV,IAAM,kBAAN,MAA6C;AAAA,EAIlD,YACmB,WACjB,QACA;AAFiB;AAJnB,wBAAiB;AACjB,wBAAiB;AAMf,SAAK,YAAY,OAAO;AACxB,QAAI,OAAO,cAAc;AACvB,WAAK,eAAe,OAAO;AAAA,IAC7B;AAEA,IAAAC,IAAG,UAAU,YAAY,KAAK,SAAS,GAAG,EAAE,WAAW,KAAK,CAAC;AAC7D,QAAI,OAAO,cAAc;AAEvB,MAAAA,IAAG,UAAU,YAAY,OAAO,YAAY,GAAG,EAAE,WAAW,KAAK,CAAC;AAAA,IACpE;AAAA,EACF;AAAA,EAEA,YAAY,QAAoC;AAC9C,UAAM,OAAO,KAAK,KAAK;AACvB,UAAM,UAAoB,CAAC;AAC3B,eAAW,UAAU,OAAO,OAAO,IAAI,GAAG;AACxC,UAAI,UAAU,OAAO,WAAW,QAAQ;AACtC;AAAA,MACF;AACA,cAAQ,KAAK,iBAAiB,QAAQ,KAAK,SAAS,CAAC;AAAA,IACvD;AACA,WAAO,QAAQ,QAAQ,OAAO;AAAA,EAChC;AAAA,EAEA,IAAI,UAA+C;AACjD,UAAM,OAAO,KAAK,KAAK;AACvB,UAAM,SAAS,KAAK,QAAQ;AAC5B,QAAI,CAAC,QAAQ;AAEX,aAAO,QAAQ,QAAQ,MAAS;AAAA,IAClC;AACA,WAAO,QAAQ,QAAQ,iBAAiB,QAAQ,KAAK,SAAS,CAAC;AAAA,EACjE;AAAA,EAEA,KAAK,QAAgB,OAAiB,QAA+B;AACnE,UAAM,OAAO,KAAK,KAAK;AACvB,SAAK,OAAO,EAAE,IAAI,eAAe,QAAQ,KAAK,SAAS;AACvD,SAAK,QAAQ,IAAI;AACjB,SAAK,IAAI;AAAA,MACP,WAAW,oBAAI,KAAK;AAAA,MACpB,SAAS,MAAM;AAAA,MACf;AAAA,MACA,UAAU,OAAO;AAAA,MACjB,QAAQ,OAAO;AAAA,MACf,UAAU,EAAE,QAAQ,OAAO,OAAO,KAAK;AAAA,IACzC,CAAC;AACD,WAAO,QAAQ,QAAQ;AAAA,EACzB;AAAA,EAEA,OAAO,UAAkB,OAAgC;AACvD,UAAM,OAAO,KAAK,KAAK;AACvB,WAAO,KAAK,QAAQ;AACpB,SAAK,QAAQ,IAAI;AACjB,SAAK,IAAI;AAAA,MACP,WAAW,oBAAI,KAAK;AAAA,MACpB,SAAS,MAAM;AAAA,MACf,QAAQ;AAAA,MACR;AAAA,MACA,QAAQ,MAAM;AAAA,MACd,UAAU,CAAC;AAAA,IACb,CAAC;AACD,WAAO,QAAQ,QAAQ;AAAA,EACzB;AAAA,EAEQ,OAAqC;AAE3C,QAAI,CAACA,IAAG,WAAW,KAAK,SAAS,GAAG;AAClC,aAAO,CAAC;AAAA,IACV;AAEA,UAAM,MAAMA,IAAG,aAAa,KAAK,WAAW,MAAM;AAClD,QAAI,CAAC,IAAI,KAAK,GAAG;AACf,aAAO,CAAC;AAAA,IACV;AACA,WAAO,KAAK,MAAM,GAAG;AAAA,EACvB;AAAA,EAEQ,QAAQ,MAA0C;AAExD,IAAAA,IAAG,cAAc,KAAK,WAAW,KAAK,UAAU,MAAM,MAAM,CAAC,CAAC;AAAA,EAChE;AAAA,EAEQ,IAAI,OAA4B;AACtC,QAAI,CAAC,KAAK,cAAc;AACtB;AAAA,IACF;AACA,mBAAe,KAAK,cAAc,KAAK;AAAA,EACzC;AACF;AAEA,SAAS,YAAY,QAAwB;AAC3C,SAAO,KAAK,QAAQ,KAAK,QAAQ,MAAM,CAAC;AAC1C;","names":["crypto","crypto","path","fs","fs"]}