@1claw/mcp 0.1.0

package/README.md

@@ -0,0 +1,144 @@
+# @1claw/mcp
+
+An MCP (Model Context Protocol) server that gives AI agents secure, just-in-time access to secrets stored in the [1claw](https://1claw.xyz) vault. Secrets are fetched at runtime via the 1claw Agent API and never persisted in the LLM context window beyond the moment they are used.
+
+## Transport Modes
+
+The server supports two transport modes:
+
+| Mode | Use case | Auth |
+|---|---|---|
+| **stdio** (default) | Local — Claude Desktop, Cursor | Env vars: `ONECLAW_AGENT_TOKEN`, `ONECLAW_VAULT_ID` |
+| **httpStream** | Hosted at `mcp.1claw.xyz` | Per-request headers: `Authorization`, `X-Vault-ID` |
+
+Set `MCP_TRANSPORT=httpStream` and `PORT=8080` to run in hosted mode.
+
+## Installation (local / stdio)
+
+```bash
+cd packages/mcp
+pnpm install
+pnpm run build
+```
+
+## Environment Variables
+
+| Variable | Required | Default | Description |
+|---|---|---|---|
+| `ONECLAW_AGENT_TOKEN` | stdio only | — | Bearer token for the 1claw Agent API |
+| `ONECLAW_VAULT_ID` | stdio only | — | UUID of the vault to operate on |
+| `ONECLAW_BASE_URL` | No | `https://api.1claw.xyz` | API base URL (override for self-hosted) |
+| `MCP_TRANSPORT` | No | `stdio` | Transport mode: `stdio` or `httpStream` |
+| `PORT` | No | `8080` | HTTP port (httpStream mode only) |
+
+## Tools
+
+| Tool | Description |
+|---|---|
+| `list_secrets` | List all secrets (metadata only — never values) |
+| `get_secret` | Fetch the decrypted value of a secret by path |
+| `put_secret` | Create or update a secret (creates a new version) |
+| `delete_secret` | Soft-delete a secret at a path |
+| `describe_secret` | Get metadata without fetching the value |
+| `rotate_and_store` | Store a new value for an existing secret and return the version |
+| `get_env_bundle` | Fetch an env_bundle secret and parse it as KEY=VALUE JSON |
+| `create_vault` | Create a new vault (auto-shared with the agent's human creator) |
+| `list_vaults` | List all vaults the agent can access (own + shared) |
+| `grant_access` | Share a vault with a user or agent (own vaults only) |
+
+## Resources
+
+| URI | Description |
+|---|---|
+| `vault://secrets` | Browsable listing of all secret paths (metadata only) |
+
+## Configuration
+
+### Hosted (mcp.1claw.xyz)
+
+For MCP clients that support remote servers with HTTP streaming:
+
+```json
+{
+  "mcpServers": {
+    "1claw": {
+      "url": "https://mcp.1claw.xyz/mcp",
+      "headers": {
+        "Authorization": "Bearer <your-agent-token>",
+        "X-Vault-ID": "<your-vault-id>"
+      }
+    }
+  }
+}
+```
+
+### Claude Desktop (local stdio)
+
+Add to `~/Library/Application Support/Claude/claude_desktop_config.json`:
+
+```json
+{
+  "mcpServers": {
+    "1claw": {
+      "command": "node",
+      "args": ["/absolute/path/to/packages/mcp/dist/index.js"],
+      "env": {
+        "ONECLAW_AGENT_TOKEN": "your-agent-token-here",
+        "ONECLAW_VAULT_ID": "your-vault-id-here"
+      }
+    }
+  }
+}
+```
+
+### Cursor (local stdio)
+
+Add to `.cursor/mcp.json` in your project root:
+
+```json
+{
+  "mcpServers": {
+    "1claw": {
+      "command": "node",
+      "args": ["./packages/mcp/dist/index.js"],
+      "env": {
+        "ONECLAW_AGENT_TOKEN": "${env:ONECLAW_AGENT_TOKEN}",
+        "ONECLAW_VAULT_ID": "${env:ONECLAW_VAULT_ID}"
+      }
+    }
+  }
+}
+```
+
+## Example Workflow
+
+1. **Discover** — call `list_secrets` to see what credentials are available.
+2. **Check** — call `describe_secret` with path `api-keys/stripe` to verify it exists and hasn't expired.
+3. **Fetch** — call `get_secret` with path `api-keys/stripe` to get the decrypted value.
+4. **Use** — pass the value into your API call.
+5. **Forget** — do not store the value in summaries, logs, or memory.
+
+## Deployment
+
+The MCP server auto-deploys to Cloud Run on push to `main` (when `packages/mcp/**` changes). See `.github/workflows/deploy-mcp.yml`.
+
+Infrastructure is managed via Terraform in `infra/`. Set `mcp_domain = "mcp.1claw.xyz"` in your `terraform.tfvars` to configure the custom domain.
+
+## Development
+
+```bash
+# Interactive testing via CLI
+pnpm dev
+
+# MCP Inspector (browser UI)
+pnpm inspect
+```
+
+## Security
+
+- **Values are never logged.** `get_secret` logs only `"secret accessed: <path>"`.
+- **Secrets are fetched just-in-time.** They exist in the agent's context only for the duration of a single tool call.
+- **Per-session auth in hosted mode.** Each HTTP streaming connection authenticates independently via headers. No shared state between sessions.
+- **Token scoping.** Use the 1claw dashboard to create agent tokens with the minimum permissions needed. Restrict by vault, path prefix, or action.
+- **No hardcoded credentials.** All auth is via environment variables (stdio) or headers (httpStream).
+- **410/404 handling.** Expired or missing secrets surface clear error messages rather than raw HTTP codes.

package/dist/client.d.ts

@@ -0,0 +1,41 @@
+import type { SecretMetadata, SecretWithValue, SecretListResponse, VaultResponse, VaultListResponse, PolicyResponse, ShareLinkResponse } from "./types.js";
+export declare class OneClawApiError extends Error {
+    status: number;
+    detail: string;
+    constructor(status: number, detail: string);
+}
+export interface ClientConfig {
+    baseUrl: string;
+    token: string;
+    vaultId: string;
+}
+export declare class OneClawClient {
+    private baseUrl;
+    private token;
+    private vaultId;
+    constructor(config: ClientConfig);
+    private headers;
+    private vaultUrl;
+    private request;
+    listSecrets(): Promise<SecretListResponse>;
+    getSecret(path: string): Promise<SecretWithValue>;
+    putSecret(path: string, body: {
+        value: string;
+        type: string;
+        metadata?: Record<string, unknown>;
+        expires_at?: string;
+        max_access_count?: number;
+    }): Promise<SecretMetadata>;
+    deleteSecret(path: string): Promise<void>;
+    createVault(name: string, description?: string): Promise<VaultResponse>;
+    listVaults(): Promise<VaultListResponse>;
+    shareSecret(secretId: string, options: {
+        recipient_type: string;
+        email?: string;
+        recipient_id?: string;
+        expires_at: string;
+        max_access_count?: number;
+    }): Promise<ShareLinkResponse>;
+    createPolicy(vaultId: string, principalType: string, principalId: string, permissions: string[], secretPathPattern?: string): Promise<PolicyResponse>;
+}
+//# sourceMappingURL=client.d.ts.map

package/dist/client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,cAAc,EACd,eAAe,EACf,kBAAkB,EAClB,aAAa,EACb,iBAAiB,EACjB,cAAc,EACd,iBAAiB,EAElB,MAAM,YAAY,CAAC;AAEpB,qBAAa,eAAgB,SAAQ,KAAK;IAE/B,MAAM,EAAE,MAAM;IACd,MAAM,EAAE,MAAM;gBADd,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,MAAM;CAKxB;AAED,MAAM,WAAW,YAAY;IAC3B,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;CACjB;AASD,qBAAa,aAAa;IACxB,OAAO,CAAC,OAAO,CAAS;IACxB,OAAO,CAAC,KAAK,CAAS;IACtB,OAAO,CAAC,OAAO,CAAS;gBAEZ,MAAM,EAAE,YAAY;IAMhC,OAAO,CAAC,OAAO;IAOf,OAAO,CAAC,QAAQ;YAIF,OAAO;IA2Bf,WAAW,IAAI,OAAO,CAAC,kBAAkB,CAAC;IAI1C,SAAS,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,CAAC;IAMjD,SAAS,CACb,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE;QACJ,KAAK,EAAE,MAAM,CAAC;QACd,IAAI,EAAE,MAAM,CAAC;QACb,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QACnC,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,gBAAgB,CAAC,EAAE,MAAM,CAAC;KAC3B,GACA,OAAO,CAAC,cAAc,CAAC;IAOpB,YAAY,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAOzC,WAAW,CAAC,IAAI,EAAE,MAAM,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,CAAC;IAOvE,UAAU,IAAI,OAAO,CAAC,iBAAiB,CAAC;IAIxC,WAAW,CACf,QAAQ,EAAE,MAAM,EAChB,OAAO,EAAE;QACP,cAAc,EAAE,MAAM,CAAC;QACvB,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB,UAAU,EAAE,MAAM,CAAC;QACnB,gBAAgB,CAAC,EAAE,MAAM,CAAC;KAC3B,GACA,OAAO,CAAC,iBAAiB,CAAC;IAOvB,YAAY,CAChB,OAAO,EAAE,MAAM,EACf,aAAa,EAAE,MAAM,EACrB,WAAW,EAAE,MAAM,EACnB,WAAW,EAAE,MAAM,EAAE,EACrB,iBAAiB,SAAO,GACvB,OAAO,CAAC,cAAc,CAAC;CAc3B"}

package/dist/client.js

@@ -0,0 +1,92 @@
+export class OneClawApiError extends Error {
+    status;
+    detail;
+    constructor(status, detail) {
+        super(detail);
+        this.status = status;
+        this.detail = detail;
+        this.name = "OneClawApiError";
+    }
+}
+function encodePath(path) {
+    return path
+        .split("/")
+        .map((s) => encodeURIComponent(s))
+        .join("/");
+}
+export class OneClawClient {
+    baseUrl;
+    token;
+    vaultId;
+    constructor(config) {
+        this.baseUrl = config.baseUrl.replace(/\/$/, "");
+        this.token = config.token;
+        this.vaultId = config.vaultId;
+    }
+    headers() {
+        return {
+            Authorization: `Bearer ${this.token}`,
+            "Content-Type": "application/json",
+        };
+    }
+    vaultUrl(suffix = "") {
+        return `${this.baseUrl}/v1/vaults/${this.vaultId}${suffix}`;
+    }
+    async request(url, init) {
+        const res = await fetch(url, {
+            ...init,
+            headers: { ...this.headers(), ...init?.headers },
+        });
+        if (!res.ok) {
+            if (res.status === 402) {
+                throw new OneClawApiError(402, "Free tier quota exhausted. Upgrade your plan or add payment at https://1claw.xyz/settings/billing");
+            }
+            let detail = `HTTP ${res.status}`;
+            try {
+                const body = (await res.json());
+                if (body.detail)
+                    detail = body.detail;
+            }
+            catch {
+                // use default detail
+            }
+            throw new OneClawApiError(res.status, detail);
+        }
+        if (res.status === 204)
+            return undefined;
+        return res.json();
+    }
+    async listSecrets() {
+        return this.request(this.vaultUrl("/secrets"));
+    }
+    async getSecret(path) {
+        return this.request(this.vaultUrl(`/secrets/${encodePath(path)}`));
+    }
+    async putSecret(path, body) {
+        return this.request(this.vaultUrl(`/secrets/${encodePath(path)}`), { method: "PUT", body: JSON.stringify(body) });
+    }
+    async deleteSecret(path) {
+        await this.request(this.vaultUrl(`/secrets/${encodePath(path)}`), { method: "DELETE" });
+    }
+    async createVault(name, description) {
+        return this.request(`${this.baseUrl}/v1/vaults`, { method: "POST", body: JSON.stringify({ name, description: description ?? "" }) });
+    }
+    async listVaults() {
+        return this.request(`${this.baseUrl}/v1/vaults`);
+    }
+    async shareSecret(secretId, options) {
+        return this.request(`${this.baseUrl}/v1/secrets/${secretId}/share`, { method: "POST", body: JSON.stringify(options) });
+    }
+    async createPolicy(vaultId, principalType, principalId, permissions, secretPathPattern = "**") {
+        return this.request(`${this.baseUrl}/v1/vaults/${vaultId}/policies`, {
+            method: "POST",
+            body: JSON.stringify({
+                secret_path_pattern: secretPathPattern,
+                principal_type: principalType,
+                principal_id: principalId,
+                permissions,
+            }),
+        });
+    }
+}
+//# sourceMappingURL=client.js.map

package/dist/client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAWA,MAAM,OAAO,eAAgB,SAAQ,KAAK;IAE/B;IACA;IAFT,YACS,MAAc,EACd,MAAc;QAErB,KAAK,CAAC,MAAM,CAAC,CAAC;QAHP,WAAM,GAAN,MAAM,CAAQ;QACd,WAAM,GAAN,MAAM,CAAQ;QAGrB,IAAI,CAAC,IAAI,GAAG,iBAAiB,CAAC;IAChC,CAAC;CACF;AAQD,SAAS,UAAU,CAAC,IAAY;IAC9B,OAAO,IAAI;SACR,KAAK,CAAC,GAAG,CAAC;SACV,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,kBAAkB,CAAC,CAAC,CAAC,CAAC;SACjC,IAAI,CAAC,GAAG,CAAC,CAAC;AACf,CAAC;AAED,MAAM,OAAO,aAAa;IAChB,OAAO,CAAS;IAChB,KAAK,CAAS;IACd,OAAO,CAAS;IAExB,YAAY,MAAoB;QAC9B,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QACjD,IAAI,CAAC,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC;QAC1B,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC;IAChC,CAAC;IAEO,OAAO;QACb,OAAO;YACL,aAAa,EAAE,UAAU,IAAI,CAAC,KAAK,EAAE;YACrC,cAAc,EAAE,kBAAkB;SACnC,CAAC;IACJ,CAAC;IAEO,QAAQ,CAAC,MAAM,GAAG,EAAE;QAC1B,OAAO,GAAG,IAAI,CAAC,OAAO,cAAc,IAAI,CAAC,OAAO,GAAG,MAAM,EAAE,CAAC;IAC9D,CAAC;IAEO,KAAK,CAAC,OAAO,CAAI,GAAW,EAAE,IAAkB;QACtD,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;YAC3B,GAAG,IAAI;YACP,OAAO,EAAE,EAAE,GAAG,IAAI,CAAC,OAAO,EAAE,EAAE,GAAI,IAAI,EAAE,OAAkC,EAAE;SAC7E,CAAC,CAAC;QAEH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBACvB,MAAM,IAAI,eAAe,CACvB,GAAG,EACH,mGAAmG,CACpG,CAAC;YACJ,CAAC;YACD,IAAI,MAAM,GAAG,QAAQ,GAAG,CAAC,MAAM,EAAE,CAAC;YAClC,IAAI,CAAC;gBACH,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAiB,CAAC;gBAChD,IAAI,IAAI,CAAC,MAAM;oBAAE,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC;YACxC,CAAC;YAAC,MAAM,CAAC;gBACP,qBAAqB;YACvB,CAAC;YACD,MAAM,IAAI,eAAe,CAAC,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAChD,CAAC;QAED,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG;YAAE,OAAO,SAAc,CAAC;QAC9C,OAAO,GAAG,CAAC,IAAI,EAAgB,CAAC;IAClC,CAAC;IAED,KAAK,CAAC,WAAW;QACf,OAAO,IAAI,CAAC,OAAO,CAAqB,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,CAAC;IACrE,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,IAAY;QAC1B,OAAO,IAAI,CAAC,OAAO,CACjB,IAAI,CAAC,QAAQ,CAAC,YAAY,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC,CAC9C,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,SAAS,CACb,IAAY,EACZ,IAMC;QAED,OAAO,IAAI,CAAC,OAAO,CACjB,IAAI,CAAC,QAAQ,CAAC,YAAY,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC,EAC7C,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE,CAC9C,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,IAAY;QAC7B,MAAM,IAAI,CAAC,OAAO,CAChB,IAAI,CAAC,QAAQ,CAAC,YAAY,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC,EAC7C,EAAE,MAAM,EAAE,QAAQ,EAAE,CACrB,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,IAAY,EAAE,WAAoB;QAClD,OAAO,IAAI,CAAC,OAAO,CACjB,GAAG,IAAI,CAAC,OAAO,YAAY,EAC3B,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,IAAI,EAAE,WAAW,EAAE,WAAW,IAAI,EAAE,EAAE,CAAC,EAAE,CACnF,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,UAAU;QACd,OAAO,IAAI,CAAC,OAAO,CAAoB,GAAG,IAAI,CAAC,OAAO,YAAY,CAAC,CAAC;IACtE,CAAC;IAED,KAAK,CAAC,WAAW,CACf,QAAgB,EAChB,OAMC;QAED,OAAO,IAAI,CAAC,OAAO,CACjB,GAAG,IAAI,CAAC,OAAO,eAAe,QAAQ,QAAQ,EAC9C,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,EAAE,CAClD,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,YAAY,CAChB,OAAe,EACf,aAAqB,EACrB,WAAmB,EACnB,WAAqB,EACrB,iBAAiB,GAAG,IAAI;QAExB,OAAO,IAAI,CAAC,OAAO,CACjB,GAAG,IAAI,CAAC,OAAO,cAAc,OAAO,WAAW,EAC/C;YACE,MAAM,EAAE,MAAM;YACd,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;gBACnB,mBAAmB,EAAE,iBAAiB;gBACtC,cAAc,EAAE,aAAa;gBAC7B,YAAY,EAAE,WAAW;gBACzB,WAAW;aACZ,CAAC;SACH,CACF,CAAC;IACJ,CAAC;CACF"}

package/dist/index.d.ts

@@ -0,0 +1,3 @@
+#!/usr/bin/env node
+export {};
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":""}

package/dist/index.js

@@ -0,0 +1,168 @@
+#!/usr/bin/env node
+import { FastMCP, UserError } from "fastmcp";
+import { z } from "zod";
+import { OneClawClient, OneClawApiError } from "./client.js";
+import { listSecretsTool } from "./tools/list_secrets.js";
+import { getSecretTool } from "./tools/get_secret.js";
+import { putSecretTool } from "./tools/put_secret.js";
+import { deleteSecretTool } from "./tools/delete_secret.js";
+import { describeSecretTool } from "./tools/describe_secret.js";
+import { createVaultTool } from "./tools/create_vault.js";
+import { listVaultsTool } from "./tools/list_vaults.js";
+import { grantAccessTool } from "./tools/grant_access.js";
+import { shareSecretTool } from "./tools/share_secret.js";
+const baseUrl = process.env.ONECLAW_BASE_URL ?? "https://api.1claw.xyz";
+const transport = process.env.MCP_TRANSPORT ?? "stdio";
+const port = parseInt(process.env.PORT ?? "8080", 10);
+// ── Shared client (stdio mode) ──────────────────────
+let sharedClient;
+if (transport === "stdio") {
+    const token = process.env.ONECLAW_AGENT_TOKEN;
+    const vaultId = process.env.ONECLAW_VAULT_ID;
+    if (!token) {
+        console.error("ONECLAW_AGENT_TOKEN is required. Set it as an environment variable.");
+        process.exit(1);
+    }
+    if (!vaultId) {
+        console.error("ONECLAW_VAULT_ID is required. Set it as an environment variable.");
+        process.exit(1);
+    }
+    sharedClient = new OneClawClient({ baseUrl, token, vaultId });
+}
+function resolveClient(session) {
+    if (session) {
+        return new OneClawClient({ baseUrl, token: session.token, vaultId: session.vaultId });
+    }
+    if (sharedClient)
+        return sharedClient;
+    throw new UserError("Not authenticated. Provide Authorization and X-Vault-ID headers.");
+}
+const serverOpts = {
+    name: "1claw",
+    version: "0.1.0",
+    health: { enabled: true, path: "/health" },
+};
+if (transport === "httpStream") {
+    serverOpts.authenticate = (request) => {
+        const auth = (request.headers["authorization"] ?? "");
+        const token = auth.replace(/^Bearer\s+/i, "").trim();
+        const vaultId = (request.headers["x-vault-id"] ?? "");
+        if (!token)
+            return Promise.reject(new Error("Missing Authorization header (Bearer <agent-token>)"));
+        if (!vaultId)
+            return Promise.reject(new Error("Missing X-Vault-ID header"));
+        return Promise.resolve({ token, vaultId });
+    };
+}
+const server = new FastMCP(serverOpts);
+function registerTool(factory) {
+    const proto = factory(sharedClient ?? new OneClawClient({ baseUrl, token: "", vaultId: "" }));
+    server.addTool({
+        name: proto.name,
+        description: proto.description,
+        parameters: proto.parameters,
+        execute: async (args, context) => {
+            const client = resolveClient(context.session);
+            const tool = factory(client);
+            return tool.execute(args, context);
+        },
+    });
+}
+registerTool(listSecretsTool);
+registerTool(getSecretTool);
+registerTool(putSecretTool);
+registerTool(deleteSecretTool);
+registerTool(describeSecretTool);
+registerTool(createVaultTool);
+registerTool(listVaultsTool);
+registerTool(grantAccessTool);
+registerTool(shareSecretTool);
+// ── Stretch: rotate_and_store ────────────────────────
+server.addTool({
+    name: "rotate_and_store",
+    description: "Store a new value for an existing secret (creating a new version) and return the version number. Useful when an agent has regenerated an API key and needs to persist it.",
+    parameters: z.object({
+        path: z.string().min(1).describe("Secret path to rotate"),
+        value: z.string().min(1).describe("The new secret value"),
+    }),
+    execute: async (args, context) => {
+        const client = resolveClient(context.session);
+        const result = await client.putSecret(args.path, {
+            value: args.value,
+            type: "api_key",
+        });
+        context.log.info(`secret rotated: ${args.path}`);
+        return `Rotated secret at '${args.path}'. New version: ${result.version}.`;
+    },
+});
+// ── Stretch: get_env_bundle ──────────────────────────
+server.addTool({
+    name: "get_env_bundle",
+    description: "Fetch a secret of type env_bundle, parse its KEY=VALUE lines, and return a structured JSON object. Useful for injecting environment variables into subprocesses.",
+    parameters: z.object({
+        path: z.string().min(1).describe("Path to an env_bundle secret"),
+    }),
+    execute: async (args, context) => {
+        const client = resolveClient(context.session);
+        try {
+            const secret = await client.getSecret(args.path);
+            context.log.info(`env_bundle accessed: ${args.path}`);
+            if (secret.type !== "env_bundle") {
+                throw new UserError(`Secret at '${args.path}' is type '${secret.type}', not 'env_bundle'.`);
+            }
+            const env = {};
+            for (const line of secret.value.split("\n")) {
+                const trimmed = line.trim();
+                if (!trimmed || trimmed.startsWith("#"))
+                    continue;
+                const eqIdx = trimmed.indexOf("=");
+                if (eqIdx === -1)
+                    continue;
+                env[trimmed.slice(0, eqIdx)] = trimmed.slice(eqIdx + 1);
+            }
+            return JSON.stringify(env, null, 2);
+        }
+        catch (err) {
+            if (err instanceof OneClawApiError) {
+                if (err.status === 410) {
+                    throw new UserError(`Secret at path '${args.path}' is expired or has exceeded its maximum access count.`);
+                }
+                if (err.status === 404) {
+                    throw new UserError(`No secret found at path '${args.path}'.`);
+                }
+            }
+            throw err;
+        }
+    },
+});
+// ── Resource: browsable secret listing ───────────────
+server.addResource({
+    uri: "vault://secrets",
+    name: "Vault secrets",
+    description: "Browsable listing of all secret paths in the configured vault (metadata only, no values).",
+    mimeType: "application/json",
+    async load(auth) {
+        const client = resolveClient(auth);
+        const data = await client.listSecrets();
+        return {
+            text: JSON.stringify(data.secrets.map((s) => ({
+                path: s.path,
+                type: s.type,
+                version: s.version,
+                expires_at: s.expires_at,
+            })), null, 2),
+        };
+    },
+});
+// ── Start ────────────────────────────────────────────
+if (transport === "httpStream") {
+    server.start({
+        transportType: "httpStream",
+        httpStream: { port, host: "0.0.0.0" },
+    });
+    console.log(`1claw MCP server listening on port ${port} (HTTP streaming)`);
+}
+else {
+    server.start({ transportType: "stdio" });
+}
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAGA,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AAC7C,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAC7D,OAAO,EAAE,eAAe,EAAE,MAAM,yBAAyB,CAAC;AAC1D,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AACtD,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AACtD,OAAO,EAAE,gBAAgB,EAAE,MAAM,0BAA0B,CAAC;AAC5D,OAAO,EAAE,kBAAkB,EAAE,MAAM,4BAA4B,CAAC;AAChE,OAAO,EAAE,eAAe,EAAE,MAAM,yBAAyB,CAAC;AAC1D,OAAO,EAAE,cAAc,EAAE,MAAM,wBAAwB,CAAC;AACxD,OAAO,EAAE,eAAe,EAAE,MAAM,yBAAyB,CAAC;AAC1D,OAAO,EAAE,eAAe,EAAE,MAAM,yBAAyB,CAAC;AAI1D,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,gBAAgB,IAAI,uBAAuB,CAAC;AACxE,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,aAAa,IAAI,OAAO,CAAC;AACvD,MAAM,IAAI,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,MAAM,EAAE,EAAE,CAAC,CAAC;AAEtD,uDAAuD;AAEvD,IAAI,YAAuC,CAAC;AAE5C,IAAI,SAAS,KAAK,OAAO,EAAE,CAAC;IAC1B,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC;IAC9C,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC;IAC7C,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,CAAC,KAAK,CAAC,qEAAqE,CAAC,CAAC;QACrF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IACD,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO,CAAC,KAAK,CAAC,kEAAkE,CAAC,CAAC;QAClF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IACD,YAAY,GAAG,IAAI,aAAa,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAC;AAChE,CAAC;AAED,SAAS,aAAa,CAAC,OAAqB;IAC1C,IAAI,OAAO,EAAE,CAAC;QACZ,OAAO,IAAI,aAAa,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE,OAAO,EAAE,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC;IACxF,CAAC;IACD,IAAI,YAAY;QAAE,OAAO,YAAY,CAAC;IACtC,MAAM,IAAI,SAAS,CAAC,kEAAkE,CAAC,CAAC;AAC1F,CAAC;AAMD,MAAM,UAAU,GAAe;IAC7B,IAAI,EAAE,OAAO;IACb,OAAO,EAAE,OAAO;IAChB,MAAM,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,SAAS,EAAE;CAC3C,CAAC;AAEF,IAAI,SAAS,KAAK,YAAY,EAAE,CAAC;IAC/B,UAAU,CAAC,YAAY,GAAG,CAAC,OAA6B,EAAwB,EAAE;QAChF,MAAM,IAAI,GAAG,CAAC,OAAO,CAAC,OAAO,CAAC,eAAe,CAAC,IAAI,EAAE,CAAW,CAAC;QAChE,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,aAAa,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;QACrD,MAAM,OAAO,GAAG,CAAC,OAAO,CAAC,OAAO,CAAC,YAAY,CAAC,IAAI,EAAE,CAAW,CAAC;QAEhE,IAAI,CAAC,KAAK;YAAE,OAAO,OAAO,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,qDAAqD,CAAC,CAAC,CAAC;QACpG,IAAI,CAAC,OAAO;YAAE,OAAO,OAAO,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,2BAA2B,CAAC,CAAC,CAAC;QAE5E,OAAO,OAAO,CAAC,OAAO,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAC;IAC7C,CAAC,CAAC;AACJ,CAAC;AAED,MAAM,MAAM,GAAG,IAAI,OAAO,CAAc,UAAU,CAAC,CAAC;AAapD,SAAS,YAAY,CAAC,OAAuB;IAC3C,MAAM,KAAK,GAAG,OAAO,CAAC,YAAY,IAAI,IAAI,aAAa,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC;IAC9F,MAAM,CAAC,OAAO,CAAC;QACb,IAAI,EAAE,KAAK,CAAC,IAAI;QAChB,WAAW,EAAE,KAAK,CAAC,WAAW;QAC9B,UAAU,EAAE,KAAK,CAAC,UAAU;QAC5B,OAAO,EAAE,KAAK,EAAE,IAA6B,EAAE,OAAwE,EAAE,EAAE;YACzH,MAAM,MAAM,GAAG,aAAa,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;YAC9C,MAAM,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;YAC7B,OAAQ,IAAI,CAAC,OAAuD,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;QACtF,CAAC;KACF,CAAC,CAAC;AACL,CAAC;AAED,YAAY,CAAC,eAAiC,CAAC,CAAC;AAChD,YAAY,CAAC,aAA+B,CAAC,CAAC;AAC9C,YAAY,CAAC,aAA+B,CAAC,CAAC;AAC9C,YAAY,CAAC,gBAAkC,CAAC,CAAC;AACjD,YAAY,CAAC,kBAAoC,CAAC,CAAC;AACnD,YAAY,CAAC,eAAiC,CAAC,CAAC;AAChD,YAAY,CAAC,cAAgC,CAAC,CAAC;AAC/C,YAAY,CAAC,eAAiC,CAAC,CAAC;AAChD,YAAY,CAAC,eAAiC,CAAC,CAAC;AAEhD,wDAAwD;AAExD,MAAM,CAAC,OAAO,CAAC;IACb,IAAI,EAAE,kBAAkB;IACxB,WAAW,EACT,2KAA2K;IAC7K,UAAU,EAAE,CAAC,CAAC,MAAM,CAAC;QACnB,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,uBAAuB,CAAC;QACzD,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,sBAAsB,CAAC;KAC1D,CAAC;IACF,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE;QAC/B,MAAM,MAAM,GAAG,aAAa,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAC9C,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,EAAE;YAC/C,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,IAAI,EAAE,SAAS;SAChB,CAAC,CAAC;QACH,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,mBAAmB,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;QACjD,OAAO,sBAAsB,IAAI,CAAC,IAAI,mBAAmB,MAAM,CAAC,OAAO,GAAG,CAAC;IAC7E,CAAC;CACF,CAAC,CAAC;AAEH,wDAAwD;AAExD,MAAM,CAAC,OAAO,CAAC;IACb,IAAI,EAAE,gBAAgB;IACtB,WAAW,EACT,kKAAkK;IACpK,UAAU,EAAE,CAAC,CAAC,MAAM,CAAC;QACnB,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,8BAA8B,CAAC;KACjE,CAAC;IACF,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE;QAC/B,MAAM,MAAM,GAAG,aAAa,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAC9C,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACjD,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,wBAAwB,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;YAEtD,IAAI,MAAM,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;gBACjC,MAAM,IAAI,SAAS,CACjB,cAAc,IAAI,CAAC,IAAI,cAAc,MAAM,CAAC,IAAI,sBAAsB,CACvE,CAAC;YACJ,CAAC;YAED,MAAM,GAAG,GAA2B,EAAE,CAAC;YACvC,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC5C,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;gBAC5B,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;oBAAE,SAAS;gBAClD,MAAM,KAAK,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;gBACnC,IAAI,KAAK,KAAK,CAAC,CAAC;oBAAE,SAAS;gBAC3B,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,GAAG,OAAO,CAAC,KAAK,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC;YAC1D,CAAC;YAED,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;QACtC,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,GAAG,YAAY,eAAe,EAAE,CAAC;gBACnC,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;oBACvB,MAAM,IAAI,SAAS,CACjB,mBAAmB,IAAI,CAAC,IAAI,wDAAwD,CACrF,CAAC;gBACJ,CAAC;gBACD,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;oBACvB,MAAM,IAAI,SAAS,CAAC,4BAA4B,IAAI,CAAC,IAAI,IAAI,CAAC,CAAC;gBACjE,CAAC;YACH,CAAC;YACD,MAAM,GAAG,CAAC;QACZ,CAAC;IACH,CAAC;CACF,CAAC,CAAC;AAEH,wDAAwD;AAExD,MAAM,CAAC,WAAW,CAAC;IACjB,GAAG,EAAE,iBAAiB;IACtB,IAAI,EAAE,eAAe;IACrB,WAAW,EACT,2FAA2F;IAC7F,QAAQ,EAAE,kBAAkB;IAC5B,KAAK,CAAC,IAAI,CAAC,IAAkB;QAC3B,MAAM,MAAM,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC;QACnC,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,WAAW,EAAE,CAAC;QACxC,OAAO;YACL,IAAI,EAAE,IAAI,CAAC,SAAS,CAClB,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;gBACvB,IAAI,EAAE,CAAC,CAAC,IAAI;gBACZ,IAAI,EAAE,CAAC,CAAC,IAAI;gBACZ,OAAO,EAAE,CAAC,CAAC,OAAO;gBAClB,UAAU,EAAE,CAAC,CAAC,UAAU;aACzB,CAAC,CAAC,EACH,IAAI,EACJ,CAAC,CACF;SACF,CAAC;IACJ,CAAC;CACF,CAAC,CAAC;AAEH,wDAAwD;AAExD,IAAI,SAAS,KAAK,YAAY,EAAE,CAAC;IAC/B,MAAM,CAAC,KAAK,CAAC;QACX,aAAa,EAAE,YAAY;QAC3B,UAAU,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,SAAS,EAAE;KACtC,CAAC,CAAC;IACH,OAAO,CAAC,GAAG,CAAC,sCAAsC,IAAI,mBAAmB,CAAC,CAAC;AAC7E,CAAC;KAAM,CAAC;IACN,MAAM,CAAC,KAAK,CAAC,EAAE,aAAa,EAAE,OAAO,EAAE,CAAC,CAAC;AAC3C,CAAC"}

package/dist/tools/create_vault.d.ts

@@ -0,0 +1,21 @@
+import { z } from "zod";
+import type { OneClawClient } from "../client.js";
+export declare function createVaultTool(client: OneClawClient): {
+    name: "create_vault";
+    description: string;
+    parameters: z.ZodObject<{
+        name: z.ZodString;
+        description: z.ZodOptional<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        name: string;
+        description?: string | undefined;
+    }, {
+        name: string;
+        description?: string | undefined;
+    }>;
+    execute: (args: {
+        name: string;
+        description?: string;
+    }) => Promise<string>;
+};
+//# sourceMappingURL=create_vault.d.ts.map

package/dist/tools/create_vault.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"create_vault.d.ts","sourceRoot":"","sources":["../../src/tools/create_vault.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAElD,wBAAgB,eAAe,CAAC,MAAM,EAAE,aAAa;;;;;;;;;;;;;oBAgB3B;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,WAAW,CAAC,EAAE,MAAM,CAAA;KAAE;EAY/D"}

package/dist/tools/create_vault.js

@@ -0,0 +1,28 @@
+import { z } from "zod";
+export function createVaultTool(client) {
+    return {
+        name: "create_vault",
+        description: "Create a new vault for organising secrets. The vault is owned by this agent and automatically shared with the human who registered you. Use descriptive names so your human collaborator can find it in the dashboard.",
+        parameters: z.object({
+            name: z
+                .string()
+                .min(1)
+                .max(255)
+                .describe("Vault name (e.g. 'stripe-production', 'ci-deploy-keys')"),
+            description: z
+                .string()
+                .optional()
+                .describe("Short description of what this vault is for"),
+        }),
+        execute: async (args) => {
+            const vault = await client.createVault(args.name, args.description);
+            return (`Vault created successfully.\n` +
+                `  ID: ${vault.id}\n` +
+                `  Name: ${vault.name}\n` +
+                `  Owner: ${vault.created_by_type}:${vault.created_by}\n\n` +
+                `The vault has been automatically shared with your creator. ` +
+                `You can now store secrets with put_secret (use the vault list to switch vaults).`);
+        },
+    };
+}
+//# sourceMappingURL=create_vault.js.map

package/dist/tools/create_vault.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"create_vault.js","sourceRoot":"","sources":["../../src/tools/create_vault.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAGxB,MAAM,UAAU,eAAe,CAAC,MAAqB;IACnD,OAAO;QACL,IAAI,EAAE,cAAuB;QAC7B,WAAW,EACT,wNAAwN;QAC1N,UAAU,EAAE,CAAC,CAAC,MAAM,CAAC;YACnB,IAAI,EAAE,CAAC;iBACJ,MAAM,EAAE;iBACR,GAAG,CAAC,CAAC,CAAC;iBACN,GAAG,CAAC,GAAG,CAAC;iBACR,QAAQ,CAAC,yDAAyD,CAAC;YACtE,WAAW,EAAE,CAAC;iBACX,MAAM,EAAE;iBACR,QAAQ,EAAE;iBACV,QAAQ,CAAC,6CAA6C,CAAC;SAC3D,CAAC;QACF,OAAO,EAAE,KAAK,EAAE,IAA4C,EAAE,EAAE;YAC9D,MAAM,KAAK,GAAG,MAAM,MAAM,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC;YACpE,OAAO,CACL,+BAA+B;gBAC/B,SAAS,KAAK,CAAC,EAAE,IAAI;gBACrB,WAAW,KAAK,CAAC,IAAI,IAAI;gBACzB,YAAY,KAAK,CAAC,eAAe,IAAI,KAAK,CAAC,UAAU,MAAM;gBAC3D,6DAA6D;gBAC7D,kFAAkF,CACnF,CAAC;QACJ,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/tools/delete_secret.d.ts

@@ -0,0 +1,21 @@
+import { z } from "zod";
+import { type OneClawClient } from "../client.js";
+export declare function deleteSecretTool(client: OneClawClient): {
+    name: "delete_secret";
+    description: string;
+    parameters: z.ZodObject<{
+        path: z.ZodString;
+    }, "strip", z.ZodTypeAny, {
+        path: string;
+    }, {
+        path: string;
+    }>;
+    execute: (args: {
+        path: string;
+    }, { log }: {
+        log: {
+            info: (msg: string) => void;
+        };
+    }) => Promise<string>;
+};
+//# sourceMappingURL=delete_secret.d.ts.map

package/dist/tools/delete_secret.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"delete_secret.d.ts","sourceRoot":"","sources":["../../src/tools/delete_secret.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,OAAO,EAAmB,KAAK,aAAa,EAAE,MAAM,cAAc,CAAC;AAEnE,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,aAAa;;;;;;;;;;oBAW5B;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,WAAW;QAAE,GAAG,EAAE;YAAE,IAAI,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAA;SAAE,CAAA;KAAE;EAa5F"}

package/dist/tools/delete_secret.js

@@ -0,0 +1,29 @@
+import { z } from "zod";
+import { UserError } from "fastmcp";
+import { OneClawApiError } from "../client.js";
+export function deleteSecretTool(client) {
+    return {
+        name: "delete_secret",
+        description: "Soft-delete a secret at the given path. All versions are marked deleted. This is reversible by an admin.",
+        parameters: z.object({
+            path: z
+                .string()
+                .min(1)
+                .describe("Secret path to delete, e.g. 'api-keys/old-stripe'"),
+        }),
+        execute: async (args, { log }) => {
+            try {
+                await client.deleteSecret(args.path);
+                log.info(`secret deleted: ${args.path}`);
+                return `Secret at '${args.path}' has been soft-deleted.`;
+            }
+            catch (err) {
+                if (err instanceof OneClawApiError && err.status === 404) {
+                    throw new UserError(`No secret found at path '${args.path}'.`);
+                }
+                throw err;
+            }
+        },
+    };
+}
+//# sourceMappingURL=delete_secret.js.map

package/dist/tools/delete_secret.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"delete_secret.js","sourceRoot":"","sources":["../../src/tools/delete_secret.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AACpC,OAAO,EAAE,eAAe,EAAsB,MAAM,cAAc,CAAC;AAEnE,MAAM,UAAU,gBAAgB,CAAC,MAAqB;IACpD,OAAO;QACL,IAAI,EAAE,eAAwB;QAC9B,WAAW,EACT,0GAA0G;QAC5G,UAAU,EAAE,CAAC,CAAC,MAAM,CAAC;YACnB,IAAI,EAAE,CAAC;iBACJ,MAAM,EAAE;iBACR,GAAG,CAAC,CAAC,CAAC;iBACN,QAAQ,CAAC,mDAAmD,CAAC;SACjE,CAAC;QACF,OAAO,EAAE,KAAK,EAAE,IAAsB,EAAE,EAAE,GAAG,EAA4C,EAAE,EAAE;YAC3F,IAAI,CAAC;gBACH,MAAM,MAAM,CAAC,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBACrC,GAAG,CAAC,IAAI,CAAC,mBAAmB,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;gBACzC,OAAO,cAAc,IAAI,CAAC,IAAI,0BAA0B,CAAC;YAC3D,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,IAAI,GAAG,YAAY,eAAe,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;oBACzD,MAAM,IAAI,SAAS,CAAC,4BAA4B,IAAI,CAAC,IAAI,IAAI,CAAC,CAAC;gBACjE,CAAC;gBACD,MAAM,GAAG,CAAC;YACZ,CAAC;QACH,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/tools/describe_secret.d.ts

@@ -0,0 +1,17 @@
+import { z } from "zod";
+import { type OneClawClient } from "../client.js";
+export declare function describeSecretTool(client: OneClawClient): {
+    name: "describe_secret";
+    description: string;
+    parameters: z.ZodObject<{
+        path: z.ZodString;
+    }, "strip", z.ZodTypeAny, {
+        path: string;
+    }, {
+        path: string;
+    }>;
+    execute: (args: {
+        path: string;
+    }) => Promise<string>;
+};
+//# sourceMappingURL=describe_secret.d.ts.map

package/dist/tools/describe_secret.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"describe_secret.d.ts","sourceRoot":"","sources":["../../src/tools/describe_secret.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,OAAO,EAAmB,KAAK,aAAa,EAAE,MAAM,cAAc,CAAC;AAEnE,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,aAAa;;;;;;;;;;oBAW9B;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE;EAgDzC"}