@1claw/cli 0.34.0 → 0.34.2

package/dist/src/local-policy.js

@@ -0,0 +1,123 @@
+import { existsSync, readFileSync, writeFileSync } from "node:fs";
+import { homedir } from "node:os";
+import { join } from "node:path";
+const CONFIG_DIR = process.env.ONECLAW_CONFIG_DIR || join(homedir(), ".config", "1claw");
+export const POLICY_FILE = join(CONFIG_DIR, "policy.json");
+const DEFAULT_POLICY = {
+    version: 1,
+    defaults: {
+        inject_as: "bearer",
+        header_name: "Authorization",
+    },
+    secrets: {},
+};
+export function loadPolicy() {
+    if (!existsSync(POLICY_FILE)) {
+        return { ...DEFAULT_POLICY, secrets: {} };
+    }
+    try {
+        return JSON.parse(readFileSync(POLICY_FILE, "utf-8"));
+    }
+    catch {
+        return { ...DEFAULT_POLICY, secrets: {} };
+    }
+}
+export function savePolicy(policy) {
+    writeFileSync(POLICY_FILE, JSON.stringify(policy, null, 2) + "\n", "utf-8");
+}
+export function policyExists() {
+    return existsSync(POLICY_FILE);
+}
+export function getPolicyPath() {
+    return POLICY_FILE;
+}
+export function getSecretPolicy(policy, secretName) {
+    return policy.secrets[secretName] ?? null;
+}
+export function setSecretPolicy(policy, secretName, sp) {
+    policy.secrets[secretName] = sp;
+}
+export function removeSecretPolicy(policy, secretName) {
+    if (!(secretName in policy.secrets))
+        return false;
+    delete policy.secrets[secretName];
+    return true;
+}
+/**
+ * Check if a request URL is allowed by the secret's policy.
+ * When no policy exists for a secret, all hosts are denied by default
+ * (fail-closed — the daemon won't inject a secret without a policy).
+ */
+export function isHostAllowed(policy, secretName, targetUrl) {
+    const sp = policy.secrets[secretName];
+    if (!sp) {
+        return {
+            allowed: false,
+            reason: `No policy defined for secret "${secretName}". Add one with: 1claw daemon policy add ${secretName} --hosts <host1,host2>`,
+        };
+    }
+    if (sp.allowed_hosts.length === 0) {
+        return {
+            allowed: false,
+            reason: `Secret "${secretName}" has an empty allowed_hosts list.`,
+        };
+    }
+    let hostname;
+    try {
+        hostname = new URL(targetUrl).hostname;
+    }
+    catch {
+        return {
+            allowed: false,
+            reason: `Invalid URL: "${targetUrl}"`,
+        };
+    }
+    for (const pattern of sp.allowed_hosts) {
+        if (pattern === "*") {
+            return { allowed: true, reason: "Wildcard policy" };
+        }
+        if (pattern.startsWith("*.")) {
+            const suffix = pattern.slice(2);
+            if (hostname === suffix || hostname.endsWith("." + suffix)) {
+                return { allowed: true, reason: `Matches *.${suffix}` };
+            }
+        }
+        else if (hostname === pattern) {
+            return { allowed: true, reason: `Matches ${pattern}` };
+        }
+    }
+    return {
+        allowed: false,
+        reason: `Host "${hostname}" is not in the allowed list for "${secretName}": [${sp.allowed_hosts.join(", ")}]`,
+    };
+}
+/**
+ * Resolve how to inject a secret into a request.
+ */
+export function resolveInjection(policy, secretName, secretValue) {
+    const sp = policy.secrets[secretName];
+    const injectAs = sp?.inject_as ?? policy.defaults.inject_as;
+    const headers = {};
+    const queryParams = {};
+    switch (injectAs) {
+        case "bearer":
+            headers["Authorization"] = `Bearer ${secretValue}`;
+            break;
+        case "basic":
+            headers["Authorization"] =
+                `Basic ${Buffer.from(secretValue).toString("base64")}`;
+            break;
+        case "header": {
+            const headerName = sp?.header_name ?? policy.defaults.header_name ?? "Authorization";
+            headers[headerName] = secretValue;
+            break;
+        }
+        case "query": {
+            const param = sp?.query_param ?? secretName;
+            queryParams[param] = secretValue;
+            break;
+        }
+    }
+    return { headers, queryParams };
+}
+//# sourceMappingURL=local-policy.js.map

package/dist/src/local-policy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"local-policy.js","sourceRoot":"","sources":["../../src/local-policy.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAClE,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAEjC,MAAM,UAAU,GACZ,OAAO,CAAC,GAAG,CAAC,kBAAkB,IAAI,IAAI,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,OAAO,CAAC,CAAC;AAE1E,MAAM,CAAC,MAAM,WAAW,GAAG,IAAI,CAAC,UAAU,EAAE,aAAa,CAAC,CAAC;AAkB3D,MAAM,cAAc,GAAe;IAC/B,OAAO,EAAE,CAAC;IACV,QAAQ,EAAE;QACN,SAAS,EAAE,QAAQ;QACnB,WAAW,EAAE,eAAe;KAC/B;IACD,OAAO,EAAE,EAAE;CACd,CAAC;AAEF,MAAM,UAAU,UAAU;IACtB,IAAI,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;QAC3B,OAAO,EAAE,GAAG,cAAc,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;IAC9C,CAAC;IACD,IAAI,CAAC;QACD,OAAO,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,WAAW,EAAE,OAAO,CAAC,CAAe,CAAC;IACxE,CAAC;IAAC,MAAM,CAAC;QACL,OAAO,EAAE,GAAG,cAAc,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;IAC9C,CAAC;AACL,CAAC;AAED,MAAM,UAAU,UAAU,CAAC,MAAkB;IACzC,aAAa,CAAC,WAAW,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,EAAE,OAAO,CAAC,CAAC;AAChF,CAAC;AAED,MAAM,UAAU,YAAY;IACxB,OAAO,UAAU,CAAC,WAAW,CAAC,CAAC;AACnC,CAAC;AAED,MAAM,UAAU,aAAa;IACzB,OAAO,WAAW,CAAC;AACvB,CAAC;AAED,MAAM,UAAU,eAAe,CAC3B,MAAkB,EAClB,UAAkB;IAElB,OAAO,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,IAAI,IAAI,CAAC;AAC9C,CAAC;AAED,MAAM,UAAU,eAAe,CAC3B,MAAkB,EAClB,UAAkB,EAClB,EAAgB;IAEhB,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,GAAG,EAAE,CAAC;AACpC,CAAC;AAED,MAAM,UAAU,kBAAkB,CAC9B,MAAkB,EAClB,UAAkB;IAElB,IAAI,CAAC,CAAC,UAAU,IAAI,MAAM,CAAC,OAAO,CAAC;QAAE,OAAO,KAAK,CAAC;IAClD,OAAO,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IAClC,OAAO,IAAI,CAAC;AAChB,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,aAAa,CACzB,MAAkB,EAClB,UAAkB,EAClB,SAAiB;IAEjB,MAAM,EAAE,GAAG,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IACtC,IAAI,CAAC,EAAE,EAAE,CAAC;QACN,OAAO;YACH,OAAO,EAAE,KAAK;YACd,MAAM,EAAE,iCAAiC,UAAU,4CAA4C,UAAU,wBAAwB;SACpI,CAAC;IACN,CAAC;IAED,IAAI,EAAE,CAAC,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAChC,OAAO;YACH,OAAO,EAAE,KAAK;YACd,MAAM,EAAE,WAAW,UAAU,oCAAoC;SACpE,CAAC;IACN,CAAC;IAED,IAAI,QAAgB,CAAC;IACrB,IAAI,CAAC;QACD,QAAQ,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC,QAAQ,CAAC;IAC3C,CAAC;IAAC,MAAM,CAAC;QACL,OAAO;YACH,OAAO,EAAE,KAAK;YACd,MAAM,EAAE,iBAAiB,SAAS,GAAG;SACxC,CAAC;IACN,CAAC;IAED,KAAK,MAAM,OAAO,IAAI,EAAE,CAAC,aAAa,EAAE,CAAC;QACrC,IAAI,OAAO,KAAK,GAAG,EAAE,CAAC;YAClB,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,iBAAiB,EAAE,CAAC;QACxD,CAAC;QACD,IAAI,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3B,MAAM,MAAM,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;YAChC,IAAI,QAAQ,KAAK,MAAM,IAAI,QAAQ,CAAC,QAAQ,CAAC,GAAG,GAAG,MAAM,CAAC,EAAE,CAAC;gBACzD,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,aAAa,MAAM,EAAE,EAAE,CAAC;YAC5D,CAAC;QACL,CAAC;aAAM,IAAI,QAAQ,KAAK,OAAO,EAAE,CAAC;YAC9B,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,WAAW,OAAO,EAAE,EAAE,CAAC;QAC3D,CAAC;IACL,CAAC;IAED,OAAO;QACH,OAAO,EAAE,KAAK;QACd,MAAM,EAAE,SAAS,QAAQ,qCAAqC,UAAU,OAAO,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG;KAChH,CAAC;AACN,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAC5B,MAAkB,EAClB,UAAkB,EAClB,WAAmB;IAEnB,MAAM,EAAE,GAAG,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IACtC,MAAM,QAAQ,GAAG,EAAE,EAAE,SAAS,IAAI,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAC;IAC5D,MAAM,OAAO,GAA2B,EAAE,CAAC;IAC3C,MAAM,WAAW,GAA2B,EAAE,CAAC;IAE/C,QAAQ,QAAQ,EAAE,CAAC;QACf,KAAK,QAAQ;YACT,OAAO,CAAC,eAAe,CAAC,GAAG,UAAU,WAAW,EAAE,CAAC;YACnD,MAAM;QACV,KAAK,OAAO;YACR,OAAO,CAAC,eAAe,CAAC;gBACpB,SAAS,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC3D,MAAM;QACV,KAAK,QAAQ,CAAC,CAAC,CAAC;YACZ,MAAM,UAAU,GACZ,EAAE,EAAE,WAAW,IAAI,MAAM,CAAC,QAAQ,CAAC,WAAW,IAAI,eAAe,CAAC;YACtE,OAAO,CAAC,UAAU,CAAC,GAAG,WAAW,CAAC;YAClC,MAAM;QACV,CAAC;QACD,KAAK,OAAO,CAAC,CAAC,CAAC;YACX,MAAM,KAAK,GAAG,EAAE,EAAE,WAAW,IAAI,UAAU,CAAC;YAC5C,WAAW,CAAC,KAAK,CAAC,GAAG,WAAW,CAAC;YACjC,MAAM;QACV,CAAC;IACL,CAAC;IAED,OAAO,EAAE,OAAO,EAAE,WAAW,EAAE,CAAC;AACpC,CAAC"}

package/dist/src/local-vault.d.ts

@@ -0,0 +1,39 @@
+export interface LocalSecret {
+    value: string;
+    type: string;
+    created_at: string;
+    updated_at: string;
+    synced_to_cloud: boolean;
+    cloud_vault_id: string | null;
+    cloud_path: string | null;
+}
+export interface LocalVaultData {
+    version: number;
+    created_at: string;
+    updated_at: string;
+    secrets: Record<string, LocalSecret>;
+}
+export declare function getVaultPath(): string;
+export declare function vaultExists(): boolean;
+export declare function createVault(passphrase: string): LocalVaultData;
+export declare function loadVault(passphrase: string): LocalVaultData;
+export declare function saveVault(vault: LocalVaultData, passphrase: string): void;
+export declare function addSecret(vault: LocalVaultData, name: string, value: string, type?: string): void;
+export declare function removeSecret(vault: LocalVaultData, name: string): boolean;
+export declare function getSecret(vault: LocalVaultData, name: string): LocalSecret | null;
+export declare function listSecrets(vault: LocalVaultData): Array<{
+    name: string;
+    type: string;
+    synced: boolean;
+    updated_at: string;
+}>;
+export declare function markSynced(vault: LocalVaultData, name: string, cloudVaultId: string, cloudPath: string): void;
+export declare function getVaultInfo(): {
+    exists: boolean;
+    sizeBytes?: number;
+    path: string;
+};
+export declare function deleteVault(): boolean;
+export declare function exportAsEnv(vault: LocalVaultData): string;
+export declare function fingerprintPassphrase(passphrase: string): string;
+//# sourceMappingURL=local-vault.d.ts.map

package/dist/src/local-vault.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"local-vault.d.ts","sourceRoot":"","sources":["../../src/local-vault.ts"],"names":[],"mappings":"AAiCA,MAAM,WAAW,WAAW;IACxB,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,eAAe,EAAE,OAAO,CAAC;IACzB,cAAc,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;CAC7B;AAED,MAAM,WAAW,cAAc;IAC3B,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;CACxC;AAuDD,wBAAgB,YAAY,IAAI,MAAM,CAErC;AAED,wBAAgB,WAAW,IAAI,OAAO,CAErC;AAED,wBAAgB,WAAW,CAAC,UAAU,EAAE,MAAM,GAAG,cAAc,CAe9D;AAED,wBAAgB,SAAS,CAAC,UAAU,EAAE,MAAM,GAAG,cAAc,CAU5D;AAED,wBAAgB,SAAS,CAAC,KAAK,EAAE,cAAc,EAAE,UAAU,EAAE,MAAM,GAAG,IAAI,CAkBzE;AAED,wBAAgB,SAAS,CACrB,KAAK,EAAE,cAAc,EACrB,IAAI,EAAE,MAAM,EACZ,KAAK,EAAE,MAAM,EACb,IAAI,GAAE,MAAkB,GACzB,IAAI,CAWN;AAED,wBAAgB,YAAY,CAAC,KAAK,EAAE,cAAc,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAIzE;AAED,wBAAgB,SAAS,CACrB,KAAK,EAAE,cAAc,EACrB,IAAI,EAAE,MAAM,GACb,WAAW,GAAG,IAAI,CAEpB;AAED,wBAAgB,WAAW,CACvB,KAAK,EAAE,cAAc,GACtB,KAAK,CAAC;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,OAAO,CAAC;IAAC,UAAU,EAAE,MAAM,CAAA;CAAE,CAAC,CAO5E;AAED,wBAAgB,UAAU,CACtB,KAAK,EAAE,cAAc,EACrB,IAAI,EAAE,MAAM,EACZ,YAAY,EAAE,MAAM,EACpB,SAAS,EAAE,MAAM,GAClB,IAAI,CAMN;AAED,wBAAgB,YAAY,IAAI;IAC5B,MAAM,EAAE,OAAO,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,IAAI,EAAE,MAAM,CAAC;CAChB,CAMA;AAED,wBAAgB,WAAW,IAAI,OAAO,CAIrC;AAED,wBAAgB,WAAW,CAAC,KAAK,EAAE,cAAc,GAAG,MAAM,CAOzD;AAED,wBAAgB,qBAAqB,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM,CAKhE"}

package/dist/src/local-vault.js

@@ -0,0 +1,166 @@
+import { existsSync, readFileSync, writeFileSync, mkdirSync, chmodSync, statSync, unlinkSync, renameSync, } from "node:fs";
+import { createCipheriv, createDecipheriv, randomBytes, pbkdf2Sync, createHash, } from "node:crypto";
+import { homedir } from "node:os";
+import { join } from "node:path";
+const CONFIG_DIR = process.env.ONECLAW_CONFIG_DIR || join(homedir(), ".config", "1claw");
+const VAULT_FILE = process.env.ONECLAW_LOCAL_VAULT || join(CONFIG_DIR, "local-vault.enc");
+const ALGORITHM = "aes-256-gcm";
+const IV_LENGTH = 12;
+const TAG_LENGTH = 16;
+const SALT_LENGTH = 16;
+const PBKDF2_ITERATIONS = 100_000;
+const FILE_VERSION = 1;
+function deriveKey(passphrase, salt) {
+    return pbkdf2Sync(passphrase, salt, PBKDF2_ITERATIONS, 32, "sha256");
+}
+function encrypt(plaintext, passphrase) {
+    const salt = randomBytes(SALT_LENGTH);
+    const key = deriveKey(passphrase, salt);
+    const iv = randomBytes(IV_LENGTH);
+    const cipher = createCipheriv(ALGORITHM, key, iv);
+    const encrypted = Buffer.concat([
+        cipher.update(plaintext, "utf-8"),
+        cipher.final(),
+    ]);
+    const tag = cipher.getAuthTag();
+    // Wire format: [version:1][salt:16][iv:12][tag:16][ciphertext]
+    return Buffer.concat([
+        Buffer.from([FILE_VERSION]),
+        salt,
+        iv,
+        tag,
+        encrypted,
+    ]);
+}
+function decrypt(data, passphrase) {
+    const version = data[0];
+    if (version !== FILE_VERSION) {
+        throw new Error(`Unsupported vault file version: ${version}`);
+    }
+    let offset = 1;
+    const salt = data.subarray(offset, offset + SALT_LENGTH);
+    offset += SALT_LENGTH;
+    const iv = data.subarray(offset, offset + IV_LENGTH);
+    offset += IV_LENGTH;
+    const tag = data.subarray(offset, offset + TAG_LENGTH);
+    offset += TAG_LENGTH;
+    const encrypted = data.subarray(offset);
+    const key = deriveKey(passphrase, salt);
+    const decipher = createDecipheriv(ALGORITHM, key, iv);
+    decipher.setAuthTag(tag);
+    const decrypted = Buffer.concat([
+        decipher.update(encrypted),
+        decipher.final(),
+    ]);
+    return decrypted.toString("utf-8");
+}
+export function getVaultPath() {
+    return VAULT_FILE;
+}
+export function vaultExists() {
+    return existsSync(VAULT_FILE);
+}
+export function createVault(passphrase) {
+    if (!existsSync(CONFIG_DIR)) {
+        mkdirSync(CONFIG_DIR, { recursive: true });
+    }
+    const now = new Date().toISOString();
+    const vault = {
+        version: FILE_VERSION,
+        created_at: now,
+        updated_at: now,
+        secrets: {},
+    };
+    saveVault(vault, passphrase);
+    return vault;
+}
+export function loadVault(passphrase) {
+    if (!existsSync(VAULT_FILE)) {
+        throw new Error("No local vault found. Run `1claw local init` first.");
+    }
+    const data = readFileSync(VAULT_FILE);
+    const json = decrypt(data, passphrase);
+    return JSON.parse(json);
+}
+export function saveVault(vault, passphrase) {
+    vault.updated_at = new Date().toISOString();
+    const json = JSON.stringify(vault);
+    const encrypted = encrypt(json, passphrase);
+    if (!existsSync(CONFIG_DIR)) {
+        mkdirSync(CONFIG_DIR, { recursive: true });
+    }
+    const tmpPath = VAULT_FILE + ".tmp";
+    writeFileSync(tmpPath, encrypted);
+    try {
+        chmodSync(tmpPath, 0o600);
+    }
+    catch {
+        // best-effort
+    }
+    renameSync(tmpPath, VAULT_FILE);
+}
+export function addSecret(vault, name, value, type = "api_key") {
+    const now = new Date().toISOString();
+    vault.secrets[name] = {
+        value,
+        type,
+        created_at: vault.secrets[name]?.created_at ?? now,
+        updated_at: now,
+        synced_to_cloud: false,
+        cloud_vault_id: null,
+        cloud_path: null,
+    };
+}
+export function removeSecret(vault, name) {
+    if (!(name in vault.secrets))
+        return false;
+    delete vault.secrets[name];
+    return true;
+}
+export function getSecret(vault, name) {
+    return vault.secrets[name] ?? null;
+}
+export function listSecrets(vault) {
+    return Object.entries(vault.secrets).map(([name, s]) => ({
+        name,
+        type: s.type,
+        synced: s.synced_to_cloud,
+        updated_at: s.updated_at,
+    }));
+}
+export function markSynced(vault, name, cloudVaultId, cloudPath) {
+    const secret = vault.secrets[name];
+    if (!secret)
+        return;
+    secret.synced_to_cloud = true;
+    secret.cloud_vault_id = cloudVaultId;
+    secret.cloud_path = cloudPath;
+}
+export function getVaultInfo() {
+    if (!existsSync(VAULT_FILE)) {
+        return { exists: false, path: VAULT_FILE };
+    }
+    const stat = statSync(VAULT_FILE);
+    return { exists: true, sizeBytes: stat.size, path: VAULT_FILE };
+}
+export function deleteVault() {
+    if (!existsSync(VAULT_FILE))
+        return false;
+    unlinkSync(VAULT_FILE);
+    return true;
+}
+export function exportAsEnv(vault) {
+    return Object.entries(vault.secrets)
+        .map(([name, s]) => {
+        const val = s.value.includes(" ") ? `"${s.value}"` : s.value;
+        return `${name}=${val}`;
+    })
+        .join("\n") + "\n";
+}
+export function fingerprintPassphrase(passphrase) {
+    return createHash("sha256")
+        .update(passphrase)
+        .digest("hex")
+        .slice(0, 8);
+}
+//# sourceMappingURL=local-vault.js.map

package/dist/src/local-vault.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"local-vault.js","sourceRoot":"","sources":["../../src/local-vault.ts"],"names":[],"mappings":"AAAA,OAAO,EACH,UAAU,EACV,YAAY,EACZ,aAAa,EACb,SAAS,EACT,SAAS,EACT,QAAQ,EACR,UAAU,EACV,UAAU,GACb,MAAM,SAAS,CAAC;AACjB,OAAO,EACH,cAAc,EACd,gBAAgB,EAChB,WAAW,EACX,UAAU,EACV,UAAU,GACb,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAEjC,MAAM,UAAU,GACZ,OAAO,CAAC,GAAG,CAAC,kBAAkB,IAAI,IAAI,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,OAAO,CAAC,CAAC;AAE1E,MAAM,UAAU,GACZ,OAAO,CAAC,GAAG,CAAC,mBAAmB,IAAI,IAAI,CAAC,UAAU,EAAE,iBAAiB,CAAC,CAAC;AAE3E,MAAM,SAAS,GAAG,aAAa,CAAC;AAChC,MAAM,SAAS,GAAG,EAAE,CAAC;AACrB,MAAM,UAAU,GAAG,EAAE,CAAC;AACtB,MAAM,WAAW,GAAG,EAAE,CAAC;AACvB,MAAM,iBAAiB,GAAG,OAAO,CAAC;AAClC,MAAM,YAAY,GAAG,CAAC,CAAC;AAmBvB,SAAS,SAAS,CAAC,UAAkB,EAAE,IAAY;IAC/C,OAAO,UAAU,CAAC,UAAU,EAAE,IAAI,EAAE,iBAAiB,EAAE,EAAE,EAAE,QAAQ,CAAC,CAAC;AACzE,CAAC;AAED,SAAS,OAAO,CAAC,SAAiB,EAAE,UAAkB;IAClD,MAAM,IAAI,GAAG,WAAW,CAAC,WAAW,CAAC,CAAC;IACtC,MAAM,GAAG,GAAG,SAAS,CAAC,UAAU,EAAE,IAAI,CAAC,CAAC;IACxC,MAAM,EAAE,GAAG,WAAW,CAAC,SAAS,CAAC,CAAC;IAElC,MAAM,MAAM,GAAG,cAAc,CAAC,SAAS,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IAClD,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC;QAC5B,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,OAAO,CAAC;QACjC,MAAM,CAAC,KAAK,EAAE;KACjB,CAAC,CAAC;IACH,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;IAEhC,+DAA+D;IAC/D,OAAO,MAAM,CAAC,MAAM,CAAC;QACjB,MAAM,CAAC,IAAI,CAAC,CAAC,YAAY,CAAC,CAAC;QAC3B,IAAI;QACJ,EAAE;QACF,GAAG;QACH,SAAS;KACZ,CAAC,CAAC;AACP,CAAC;AAED,SAAS,OAAO,CAAC,IAAY,EAAE,UAAkB;IAC7C,MAAM,OAAO,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;IACxB,IAAI,OAAO,KAAK,YAAY,EAAE,CAAC;QAC3B,MAAM,IAAI,KAAK,CAAC,mCAAmC,OAAO,EAAE,CAAC,CAAC;IAClE,CAAC;IAED,IAAI,MAAM,GAAG,CAAC,CAAC;IACf,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,WAAW,CAAC,CAAC;IACzD,MAAM,IAAI,WAAW,CAAC;IACtB,MAAM,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,CAAC;IACrD,MAAM,IAAI,SAAS,CAAC;IACpB,MAAM,GAAG,GAAG,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,UAAU,CAAC,CAAC;IACvD,MAAM,IAAI,UAAU,CAAC;IACrB,MAAM,SAAS,GAAG,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IAExC,MAAM,GAAG,GAAG,SAAS,CAAC,UAAU,EAAE,IAAI,CAAC,CAAC;IACxC,MAAM,QAAQ,GAAG,gBAAgB,CAAC,SAAS,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IACtD,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;IAEzB,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC;QAC5B,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC;QAC1B,QAAQ,CAAC,KAAK,EAAE;KACnB,CAAC,CAAC;IAEH,OAAO,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;AACvC,CAAC;AAED,MAAM,UAAU,YAAY;IACxB,OAAO,UAAU,CAAC;AACtB,CAAC;AAED,MAAM,UAAU,WAAW;IACvB,OAAO,UAAU,CAAC,UAAU,CAAC,CAAC;AAClC,CAAC;AAED,MAAM,UAAU,WAAW,CAAC,UAAkB;IAC1C,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC1B,SAAS,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC/C,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IACrC,MAAM,KAAK,GAAmB;QAC1B,OAAO,EAAE,YAAY;QACrB,UAAU,EAAE,GAAG;QACf,UAAU,EAAE,GAAG;QACf,OAAO,EAAE,EAAE;KACd,CAAC;IAEF,SAAS,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;IAC7B,OAAO,KAAK,CAAC;AACjB,CAAC;AAED,MAAM,UAAU,SAAS,CAAC,UAAkB;IACxC,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC1B,MAAM,IAAI,KAAK,CACX,qDAAqD,CACxD,CAAC;IACN,CAAC;IAED,MAAM,IAAI,GAAG,YAAY,CAAC,UAAU,CAAC,CAAC;IACtC,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;IACvC,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAmB,CAAC;AAC9C,CAAC;AAED,MAAM,UAAU,SAAS,CAAC,KAAqB,EAAE,UAAkB;IAC/D,KAAK,CAAC,UAAU,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAC5C,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;IACnC,MAAM,SAAS,GAAG,OAAO,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;IAE5C,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC1B,SAAS,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC/C,CAAC;IAED,MAAM,OAAO,GAAG,UAAU,GAAG,MAAM,CAAC;IACpC,aAAa,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;IAClC,IAAI,CAAC;QACD,SAAS,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;IAC9B,CAAC;IAAC,MAAM,CAAC;QACL,cAAc;IAClB,CAAC;IAED,UAAU,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;AACpC,CAAC;AAED,MAAM,UAAU,SAAS,CACrB,KAAqB,EACrB,IAAY,EACZ,KAAa,EACb,OAAe,SAAS;IAExB,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IACrC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG;QAClB,KAAK;QACL,IAAI;QACJ,UAAU,EAAE,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,UAAU,IAAI,GAAG;QAClD,UAAU,EAAE,GAAG;QACf,eAAe,EAAE,KAAK;QACtB,cAAc,EAAE,IAAI;QACpB,UAAU,EAAE,IAAI;KACnB,CAAC;AACN,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,KAAqB,EAAE,IAAY;IAC5D,IAAI,CAAC,CAAC,IAAI,IAAI,KAAK,CAAC,OAAO,CAAC;QAAE,OAAO,KAAK,CAAC;IAC3C,OAAO,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IAC3B,OAAO,IAAI,CAAC;AAChB,CAAC;AAED,MAAM,UAAU,SAAS,CACrB,KAAqB,EACrB,IAAY;IAEZ,OAAO,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC;AACvC,CAAC;AAED,MAAM,UAAU,WAAW,CACvB,KAAqB;IAErB,OAAO,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACrD,IAAI;QACJ,IAAI,EAAE,CAAC,CAAC,IAAI;QACZ,MAAM,EAAE,CAAC,CAAC,eAAe;QACzB,UAAU,EAAE,CAAC,CAAC,UAAU;KAC3B,CAAC,CAAC,CAAC;AACR,CAAC;AAED,MAAM,UAAU,UAAU,CACtB,KAAqB,EACrB,IAAY,EACZ,YAAoB,EACpB,SAAiB;IAEjB,MAAM,MAAM,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IACnC,IAAI,CAAC,MAAM;QAAE,OAAO;IACpB,MAAM,CAAC,eAAe,GAAG,IAAI,CAAC;IAC9B,MAAM,CAAC,cAAc,GAAG,YAAY,CAAC;IACrC,MAAM,CAAC,UAAU,GAAG,SAAS,CAAC;AAClC,CAAC;AAED,MAAM,UAAU,YAAY;IAKxB,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC1B,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC;IAC/C,CAAC;IACD,MAAM,IAAI,GAAG,QAAQ,CAAC,UAAU,CAAC,CAAC;IAClC,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,CAAC,IAAI,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC;AACpE,CAAC;AAED,MAAM,UAAU,WAAW;IACvB,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC;QAAE,OAAO,KAAK,CAAC;IAC1C,UAAU,CAAC,UAAU,CAAC,CAAC;IACvB,OAAO,IAAI,CAAC;AAChB,CAAC;AAED,MAAM,UAAU,WAAW,CAAC,KAAqB;IAC7C,OAAO,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC;SAC/B,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE;QACf,MAAM,GAAG,GAAG,CAAC,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC;QAC7D,OAAO,GAAG,IAAI,IAAI,GAAG,EAAE,CAAC;IAC5B,CAAC,CAAC;SACD,IAAI,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;AAC3B,CAAC;AAED,MAAM,UAAU,qBAAqB,CAAC,UAAkB;IACpD,OAAO,UAAU,CAAC,QAAQ,CAAC;SACtB,MAAM,CAAC,UAAU,CAAC;SAClB,MAAM,CAAC,KAAK,CAAC;SACb,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;AACrB,CAAC"}

package/dist/src/secret-proxy.d.ts

@@ -0,0 +1,27 @@
+import { type PolicyFile } from "./local-policy.js";
+import type { LocalVaultData } from "./local-vault.js";
+export interface ProxyRequest {
+    secretName: string;
+    url: string;
+    method?: string;
+    headers?: Record<string, string>;
+    body?: string;
+}
+export interface ProxyResponse {
+    status: number;
+    headers: Record<string, string>;
+    body: string;
+}
+export interface ProxyResult {
+    success: boolean;
+    response?: ProxyResponse;
+    error?: string;
+}
+/**
+ * Execute an HTTP request with a secret injected, without exposing
+ * the secret value to the caller. The secret is resolved from the
+ * local vault, checked against the policy, and injected into the
+ * request per the policy rules.
+ */
+export declare function proxyRequest(req: ProxyRequest, vault: LocalVaultData, policy: PolicyFile): Promise<ProxyResult>;
+//# sourceMappingURL=secret-proxy.d.ts.map

package/dist/src/secret-proxy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"secret-proxy.d.ts","sourceRoot":"","sources":["../../src/secret-proxy.ts"],"names":[],"mappings":"AAGA,OAAO,EACH,KAAK,UAAU,EAGlB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAC;AAEvD,MAAM,WAAW,YAAY;IACzB,UAAU,EAAE,MAAM,CAAC;IACnB,GAAG,EAAE,MAAM,CAAC;IACZ,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACjC,IAAI,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,aAAa;IAC1B,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAChC,IAAI,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,WAAW;IACxB,OAAO,EAAE,OAAO,CAAC;IACjB,QAAQ,CAAC,EAAE,aAAa,CAAC;IACzB,KAAK,CAAC,EAAE,MAAM,CAAC;CAClB;AAED;;;;;GAKG;AACH,wBAAsB,YAAY,CAC9B,GAAG,EAAE,YAAY,EACjB,KAAK,EAAE,cAAc,EACrB,MAAM,EAAE,UAAU,GACnB,OAAO,CAAC,WAAW,CAAC,CAyEtB"}

package/dist/src/secret-proxy.js

@@ -0,0 +1,73 @@
+import { request as httpsRequest } from "node:https";
+import { request as httpRequest } from "node:http";
+import { URL } from "node:url";
+import { isHostAllowed, resolveInjection, } from "./local-policy.js";
+/**
+ * Execute an HTTP request with a secret injected, without exposing
+ * the secret value to the caller. The secret is resolved from the
+ * local vault, checked against the policy, and injected into the
+ * request per the policy rules.
+ */
+export async function proxyRequest(req, vault, policy) {
+    const secret = vault.secrets[req.secretName];
+    if (!secret) {
+        return {
+            success: false,
+            error: `Secret "${req.secretName}" not found in local vault.`,
+        };
+    }
+    const hostCheck = isHostAllowed(policy, req.secretName, req.url);
+    if (!hostCheck.allowed) {
+        return { success: false, error: hostCheck.reason };
+    }
+    const injection = resolveInjection(policy, req.secretName, secret.value);
+    const url = new URL(req.url);
+    for (const [k, v] of Object.entries(injection.queryParams)) {
+        url.searchParams.set(k, v);
+    }
+    const mergedHeaders = {
+        ...(req.headers ?? {}),
+        ...injection.headers,
+    };
+    const method = req.method ?? "GET";
+    return new Promise((resolve) => {
+        const isHttps = url.protocol === "https:";
+        const requestFn = isHttps ? httpsRequest : httpRequest;
+        const upstreamReq = requestFn(url, { method, headers: mergedHeaders }, (res) => {
+            const chunks = [];
+            res.on("data", (c) => chunks.push(c));
+            res.on("end", () => {
+                const body = Buffer.concat(chunks).toString("utf-8");
+                const responseHeaders = {};
+                for (const [k, v] of Object.entries(res.headers)) {
+                    if (typeof v === "string")
+                        responseHeaders[k] = v;
+                    else if (Array.isArray(v))
+                        responseHeaders[k] = v.join(", ");
+                }
+                resolve({
+                    success: true,
+                    response: {
+                        status: res.statusCode ?? 502,
+                        headers: responseHeaders,
+                        body,
+                    },
+                });
+            });
+        });
+        upstreamReq.on("error", (err) => {
+            resolve({
+                success: false,
+                error: `Upstream request failed: ${err.message}`,
+            });
+        });
+        upstreamReq.setTimeout(30_000, () => {
+            upstreamReq.destroy(new Error("Request timed out (30s)"));
+        });
+        if (req.body) {
+            upstreamReq.write(req.body);
+        }
+        upstreamReq.end();
+    });
+}
+//# sourceMappingURL=secret-proxy.js.map

package/dist/src/secret-proxy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secret-proxy.js","sourceRoot":"","sources":["../../src/secret-proxy.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,IAAI,YAAY,EAAE,MAAM,YAAY,CAAC;AACrD,OAAO,EAAE,OAAO,IAAI,WAAW,EAAwB,MAAM,WAAW,CAAC;AACzE,OAAO,EAAE,GAAG,EAAE,MAAM,UAAU,CAAC;AAC/B,OAAO,EAEH,aAAa,EACb,gBAAgB,GACnB,MAAM,mBAAmB,CAAC;AAuB3B;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAC9B,GAAiB,EACjB,KAAqB,EACrB,MAAkB;IAElB,MAAM,MAAM,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IAC7C,IAAI,CAAC,MAAM,EAAE,CAAC;QACV,OAAO;YACH,OAAO,EAAE,KAAK;YACd,KAAK,EAAE,WAAW,GAAG,CAAC,UAAU,6BAA6B;SAChE,CAAC;IACN,CAAC;IAED,MAAM,SAAS,GAAG,aAAa,CAAC,MAAM,EAAE,GAAG,CAAC,UAAU,EAAE,GAAG,CAAC,GAAG,CAAC,CAAC;IACjE,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,CAAC;QACrB,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,SAAS,CAAC,MAAM,EAAE,CAAC;IACvD,CAAC;IAED,MAAM,SAAS,GAAG,gBAAgB,CAAC,MAAM,EAAE,GAAG,CAAC,UAAU,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;IAEzE,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAC7B,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,WAAW,CAAC,EAAE,CAAC;QACzD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IAC/B,CAAC;IAED,MAAM,aAAa,GAA2B;QAC1C,GAAG,CAAC,GAAG,CAAC,OAAO,IAAI,EAAE,CAAC;QACtB,GAAG,SAAS,CAAC,OAAO;KACvB,CAAC;IAEF,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,IAAI,KAAK,CAAC;IAEnC,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;QAC3B,MAAM,OAAO,GAAG,GAAG,CAAC,QAAQ,KAAK,QAAQ,CAAC;QAC1C,MAAM,SAAS,GAAG,OAAO,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,WAAW,CAAC;QAEvD,MAAM,WAAW,GAAG,SAAS,CACzB,GAAG,EACH,EAAE,MAAM,EAAE,OAAO,EAAE,aAAa,EAAE,EAClC,CAAC,GAAoB,EAAE,EAAE;YACrB,MAAM,MAAM,GAAa,EAAE,CAAC;YAC5B,GAAG,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,CAAS,EAAE,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;YAC9C,GAAG,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE;gBACf,MAAM,IAAI,GAAG,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;gBACrD,MAAM,eAAe,GAA2B,EAAE,CAAC;gBACnD,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;oBAC/C,IAAI,OAAO,CAAC,KAAK,QAAQ;wBAAE,eAAe,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;yBAC7C,IAAI,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC;wBAAE,eAAe,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBACjE,CAAC;gBACD,OAAO,CAAC;oBACJ,OAAO,EAAE,IAAI;oBACb,QAAQ,EAAE;wBACN,MAAM,EAAE,GAAG,CAAC,UAAU,IAAI,GAAG;wBAC7B,OAAO,EAAE,eAAe;wBACxB,IAAI;qBACP;iBACJ,CAAC,CAAC;YACP,CAAC,CAAC,CAAC;QACP,CAAC,CACJ,CAAC;QAEF,WAAW,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;YAC5B,OAAO,CAAC;gBACJ,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE,4BAA4B,GAAG,CAAC,OAAO,EAAE;aACnD,CAAC,CAAC;QACP,CAAC,CAAC,CAAC;QAEH,WAAW,CAAC,UAAU,CAAC,MAAM,EAAE,GAAG,EAAE;YAChC,WAAW,CAAC,OAAO,CAAC,IAAI,KAAK,CAAC,yBAAyB,CAAC,CAAC,CAAC;QAC9D,CAAC,CAAC,CAAC;QAEH,IAAI,GAAG,CAAC,IAAI,EAAE,CAAC;YACX,WAAW,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QAChC,CAAC;QACD,WAAW,CAAC,GAAG,EAAE,CAAC;IACtB,CAAC,CAAC,CAAC;AACP,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@1claw/cli",
-  "version": "0.34.0",
+  "version": "0.34.2",
   "description": "CLI for 1Claw — secrets management for AI agents and humans",
   "license": "MIT",
   "repository": {