@executor-js/plugin-onepassword 0.0.2 → 0.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -0,0 +1 @@
1
+ {"version":3,"sources":["../src/sdk/types.ts","../src/sdk/errors.ts"],"sourcesContent":["import { Schema } from \"effect\";\n\n// ---------------------------------------------------------------------------\n// Auth — how to talk to 1Password\n// ---------------------------------------------------------------------------\n\nexport const DesktopAppAuthSchema = Schema.Struct({\n kind: Schema.Literal(\"desktop-app\"),\n /** 1Password account domain, e.g. \"my.1password.com\" */\n accountName: Schema.String,\n});\n\nexport class DesktopAppAuth extends Schema.Class<DesktopAppAuth>(\"DesktopAppAuth\")(\n DesktopAppAuthSchema.fields,\n) {}\n\nexport const ServiceAccountAuthSchema = Schema.Struct({\n kind: Schema.Literal(\"service-account\"),\n /** The service account token (stored as a secret) */\n tokenSecretId: Schema.String,\n});\n\nexport class ServiceAccountAuth extends Schema.Class<ServiceAccountAuth>(\"ServiceAccountAuth\")(\n ServiceAccountAuthSchema.fields,\n) {}\n\nexport const OnePasswordAuthSchema = Schema.Union([DesktopAppAuthSchema, ServiceAccountAuthSchema]);\nexport const OnePasswordAuth = Schema.Union([DesktopAppAuth, ServiceAccountAuth]);\nexport type OnePasswordAuth = typeof OnePasswordAuth.Type;\n\n// ---------------------------------------------------------------------------\n// Stored config — persisted via KV\n// ---------------------------------------------------------------------------\n\nexport const OnePasswordConfigSchema = Schema.Struct({\n auth: OnePasswordAuthSchema,\n /** Vault to scope operations to */\n vaultId: Schema.String,\n /** Human label */\n name: Schema.String,\n});\n\nexport class OnePasswordConfig extends Schema.Class<OnePasswordConfig>(\"OnePasswordConfig\")(\n OnePasswordConfigSchema.fields,\n) {}\n\n// ---------------------------------------------------------------------------\n// Vault\n// ---------------------------------------------------------------------------\n\nexport class Vault extends Schema.Class<Vault>(\"Vault\")({\n id: Schema.String,\n name: Schema.String,\n}) {}\n\n// ---------------------------------------------------------------------------\n// Connection status\n// ---------------------------------------------------------------------------\n\nexport class ConnectionStatus extends Schema.Class<ConnectionStatus>(\"ConnectionStatus\")({\n connected: Schema.Boolean,\n vaultName: Schema.optional(Schema.String),\n error: Schema.optional(Schema.String),\n}) {}\n","import { Schema } from \"effect\";\n\nexport class OnePasswordError extends Schema.TaggedErrorClass<OnePasswordError>()(\n \"OnePasswordError\",\n {\n operation: Schema.String,\n message: Schema.String,\n },\n { httpApiStatus: 502 },\n) {}\n"],"mappings":";AAAA,SAAS,cAAc;AAMhB,IAAM,uBAAuB,OAAO,OAAO;AAAA,EAChD,MAAM,OAAO,QAAQ,aAAa;AAAA;AAAA,EAElC,aAAa,OAAO;AACtB,CAAC;AAEM,IAAM,iBAAN,cAA6B,OAAO,MAAsB,gBAAgB;AAAA,EAC/E,qBAAqB;AACvB,EAAE;AAAC;AAEI,IAAM,2BAA2B,OAAO,OAAO;AAAA,EACpD,MAAM,OAAO,QAAQ,iBAAiB;AAAA;AAAA,EAEtC,eAAe,OAAO;AACxB,CAAC;AAEM,IAAM,qBAAN,cAAiC,OAAO,MAA0B,oBAAoB;AAAA,EAC3F,yBAAyB;AAC3B,EAAE;AAAC;AAEI,IAAM,wBAAwB,OAAO,MAAM,CAAC,sBAAsB,wBAAwB,CAAC;AAC3F,IAAM,kBAAkB,OAAO,MAAM,CAAC,gBAAgB,kBAAkB,CAAC;AAOzE,IAAM,0BAA0B,OAAO,OAAO;AAAA,EACnD,MAAM;AAAA;AAAA,EAEN,SAAS,OAAO;AAAA;AAAA,EAEhB,MAAM,OAAO;AACf,CAAC;AAEM,IAAM,oBAAN,cAAgC,OAAO,MAAyB,mBAAmB;AAAA,EACxF,wBAAwB;AAC1B,EAAE;AAAC;AAMI,IAAM,QAAN,cAAoB,OAAO,MAAa,OAAO,EAAE;AAAA,EACtD,IAAI,OAAO;AAAA,EACX,MAAM,OAAO;AACf,CAAC,EAAE;AAAC;AAMG,IAAM,mBAAN,cAA+B,OAAO,MAAwB,kBAAkB,EAAE;AAAA,EACvF,WAAW,OAAO;AAAA,EAClB,WAAW,OAAO,SAAS,OAAO,MAAM;AAAA,EACxC,OAAO,OAAO,SAAS,OAAO,MAAM;AACtC,CAAC,EAAE;AAAC;;;AC/DJ,SAAS,UAAAA,eAAc;AAEhB,IAAM,mBAAN,cAA+BA,QAAO,iBAAmC;AAAA,EAC9E;AAAA,EACA;AAAA,IACE,WAAWA,QAAO;AAAA,IAClB,SAASA,QAAO;AAAA,EAClB;AAAA,EACA,EAAE,eAAe,IAAI;AACvB,EAAE;AAAC;","names":["Schema"]}
@@ -1,61 +1,21 @@
1
- // src/sdk/types.ts
2
- import { Schema } from "effect";
3
- var DesktopAppAuth = class extends Schema.Class("DesktopAppAuth")({
4
- kind: Schema.Literal("desktop-app"),
5
- /** 1Password account domain, e.g. "my.1password.com" */
6
- accountName: Schema.String
7
- }) {
8
- };
9
- var ServiceAccountAuth = class extends Schema.Class("ServiceAccountAuth")({
10
- kind: Schema.Literal("service-account"),
11
- /** The service account token (stored as a secret) */
12
- tokenSecretId: Schema.String
13
- }) {
14
- };
15
- var OnePasswordAuth = Schema.Union([DesktopAppAuth, ServiceAccountAuth]);
16
- var OnePasswordConfig = class extends Schema.Class("OnePasswordConfig")({
17
- auth: OnePasswordAuth,
18
- /** Vault to scope operations to */
19
- vaultId: Schema.String,
20
- /** Human label */
21
- name: Schema.String
22
- }) {
23
- };
24
- var Vault = class extends Schema.Class("Vault")({
25
- id: Schema.String,
26
- name: Schema.String
27
- }) {
28
- };
29
- var ConnectionStatus = class extends Schema.Class("ConnectionStatus")({
30
- connected: Schema.Boolean,
31
- vaultName: Schema.optional(Schema.String),
32
- error: Schema.optional(Schema.String)
33
- }) {
34
- };
35
-
36
- // src/sdk/errors.ts
37
- import { Schema as Schema2 } from "effect";
38
- var OnePasswordError = class extends Schema2.TaggedErrorClass()(
39
- "OnePasswordError",
40
- {
41
- operation: Schema2.String,
42
- message: Schema2.String
43
- },
44
- { httpApiStatus: 502 }
45
- ) {
46
- };
1
+ import {
2
+ ConnectionStatus,
3
+ OnePasswordConfig,
4
+ OnePasswordError,
5
+ Vault
6
+ } from "./chunk-NRYSRUWU.js";
47
7
 
48
8
  // src/sdk/service.ts
49
- import { Context, Duration, Effect } from "effect";
9
+ import { Context, Duration, Effect, Semaphore } from "effect";
50
10
  import * as op from "@1password/op-js";
51
11
  var OnePasswordServiceTag = class extends Context.Service()("@executor-js/plugin-onepassword/OnePasswordService") {
52
12
  };
53
13
  var DEFAULT_TIMEOUT_MS = 15e3;
54
14
  var loadOnePasswordSdk = () => Effect.tryPromise({
55
15
  try: () => import("@1password/sdk"),
56
- catch: (cause) => new OnePasswordError({
16
+ catch: () => new OnePasswordError({
57
17
  operation: "sdk module load",
58
- message: cause instanceof Error ? cause.message : String(cause)
18
+ message: "Failed to load 1Password SDK"
59
19
  })
60
20
  });
61
21
  var makeTimeoutMessage = (operation, timeoutMs) => [
@@ -86,18 +46,16 @@ var makeNativeSdkService = (auth, timeoutMs = DEFAULT_TIMEOUT_MS) => Effect.gen(
86
46
  integrationName: "Executor",
87
47
  integrationVersion: "0.0.0"
88
48
  }),
89
- catch: (cause) => new OnePasswordError({
49
+ catch: () => new OnePasswordError({
90
50
  operation: "client setup",
91
- message: cause instanceof Error ? cause.message : String(cause)
51
+ message: "Failed to set up 1Password client"
92
52
  })
93
- }).pipe(
94
- timeoutWithOnePasswordError("client setup", timeoutMs)
95
- );
53
+ }).pipe(timeoutWithOnePasswordError("client setup", timeoutMs));
96
54
  const wrap = (fn, operation) => Effect.tryPromise({
97
55
  try: fn,
98
- catch: (cause) => new OnePasswordError({
56
+ catch: () => new OnePasswordError({
99
57
  operation,
100
- message: cause instanceof Error ? cause.message : String(cause)
58
+ message: `1Password SDK ${operation} failed`
101
59
  })
102
60
  }).pipe(
103
61
  timeoutWithOnePasswordError(operation, timeoutMs),
@@ -113,19 +71,26 @@ var makeNativeSdkService = (auth, timeoutMs = DEFAULT_TIMEOUT_MS) => Effect.gen(
113
71
  )
114
72
  });
115
73
  }).pipe(Effect.withSpan("onepassword.sdk.make_service"));
74
+ var cliAuthLock = Semaphore.makeUnsafe(1);
116
75
  var makeCliService = (auth) => Effect.sync(() => {
117
- if (auth.kind === "service-account") {
118
- op.setServiceAccount(auth.token);
119
- } else {
120
- op.setGlobalFlags({ account: auth.accountName });
121
- }
122
- const wrapSync = (fn, operation) => Effect.try({
123
- try: fn,
124
- catch: (cause) => new OnePasswordError({
125
- operation,
126
- message: cause instanceof Error ? cause.message : String(cause)
76
+ const wrapSync = (fn, operation) => cliAuthLock.withPermits(1)(
77
+ Effect.try({
78
+ try: () => {
79
+ if (auth.kind === "service-account") {
80
+ op.setGlobalFlags({});
81
+ op.setServiceAccount(auth.token);
82
+ } else {
83
+ op.setServiceAccount("");
84
+ op.setGlobalFlags({ account: auth.accountName });
85
+ }
86
+ return fn();
87
+ },
88
+ catch: () => new OnePasswordError({
89
+ operation,
90
+ message: `1Password CLI ${operation} failed`
91
+ })
127
92
  })
128
- }).pipe(Effect.withSpan(`onepassword.cli.${operation}`));
93
+ ).pipe(Effect.withSpan(`onepassword.cli.${operation}`));
129
94
  return OnePasswordServiceTag.of({
130
95
  resolveSecret: (uri) => wrapSync(() => op.read.parse(uri), "secret resolution"),
131
96
  listVaults: () => wrapSync(() => op.vault.list(), "vault listing").pipe(
@@ -152,7 +117,7 @@ var makeOnePasswordService = (auth, options) => {
152
117
  };
153
118
 
154
119
  // src/sdk/plugin.ts
155
- import { Effect as Effect2, Schema as Schema3 } from "effect";
120
+ import { Effect as Effect2, Schema } from "effect";
156
121
  import {
157
122
  definePlugin,
158
123
  StorageError
@@ -160,35 +125,36 @@ import {
160
125
  var CREDENTIAL_FIELD = "credential";
161
126
  var DEFAULT_TIMEOUT_MS2 = 15e3;
162
127
  var CONFIG_KEY = "config";
163
- var decodeConfig = Schema3.decodeUnknownSync(OnePasswordConfig);
128
+ var decodeConfig = Schema.decodeUnknownEffect(Schema.fromJsonString(OnePasswordConfig));
164
129
  var blobStorageError = (operation) => (cause) => new StorageError({
165
- message: `onepassword blob ${operation}: ${cause instanceof Error ? cause.message : String(cause)}`,
130
+ message: `onepassword blob ${operation} failed`,
166
131
  cause
167
132
  });
168
- var makeOnePasswordStore = (blobs, writeScope) => ({
133
+ var makeOnePasswordStore = (blobs) => ({
169
134
  getConfig: () => blobs.get(CONFIG_KEY).pipe(
170
135
  Effect2.mapError(blobStorageError("read")),
171
136
  Effect2.flatMap((raw) => {
172
137
  if (raw === null) return Effect2.succeed(null);
173
- return Effect2.try({
174
- try: () => decodeConfig(JSON.parse(raw)),
175
- catch: (cause) => new OnePasswordError({
176
- operation: "config decode",
177
- message: cause instanceof Error ? cause.message : String(cause)
178
- })
179
- });
138
+ return decodeConfig(raw).pipe(
139
+ Effect2.mapError(
140
+ () => new OnePasswordError({
141
+ operation: "config decode",
142
+ message: "Failed to decode 1Password config"
143
+ })
144
+ )
145
+ );
180
146
  })
181
147
  ),
182
- saveConfig: (config) => blobs.put(
148
+ saveConfig: (config, targetScope) => blobs.put(
183
149
  CONFIG_KEY,
184
150
  JSON.stringify({
185
151
  auth: config.auth,
186
152
  vaultId: config.vaultId,
187
153
  name: config.name
188
154
  }),
189
- { scope: writeScope }
155
+ { scope: targetScope }
190
156
  ).pipe(Effect2.mapError(blobStorageError("write"))),
191
- deleteConfig: () => blobs.delete(CONFIG_KEY, { scope: writeScope }).pipe(Effect2.mapError(blobStorageError("delete")))
157
+ deleteConfig: (targetScope) => blobs.delete(CONFIG_KEY, { scope: targetScope }).pipe(Effect2.mapError(blobStorageError("delete")))
192
158
  });
193
159
  var resolveAuth = (auth, ctx) => {
194
160
  if (auth.kind === "desktop-app") {
@@ -198,11 +164,14 @@ var resolveAuth = (auth, ctx) => {
198
164
  });
199
165
  }
200
166
  return ctx.secrets.get(auth.tokenSecretId).pipe(
201
- Effect2.mapError(
202
- (err) => "_tag" in err && err._tag === "SecretOwnedByConnectionError" ? new OnePasswordError({
203
- operation: "auth resolution",
204
- message: `Service account token secret "${auth.tokenSecretId}" not found`
205
- }) : err
167
+ Effect2.catchTag(
168
+ "SecretOwnedByConnectionError",
169
+ () => Effect2.fail(
170
+ new OnePasswordError({
171
+ operation: "auth resolution",
172
+ message: `Service account token secret "${auth.tokenSecretId}" not found`
173
+ })
174
+ )
206
175
  ),
207
176
  Effect2.flatMap((token) => {
208
177
  if (token === null) {
@@ -221,20 +190,28 @@ var resolveAuth = (auth, ctx) => {
221
190
  );
222
191
  };
223
192
  var getServiceFromConfig = (config, ctx, timeoutMs, preferSdk) => resolveAuth(config.auth, ctx).pipe(
224
- Effect2.flatMap(
225
- (resolved) => makeOnePasswordService(resolved, { timeoutMs, preferSdk })
226
- )
193
+ Effect2.flatMap((resolved) => makeOnePasswordService(resolved, { timeoutMs, preferSdk }))
227
194
  );
195
+ var configuredVaultUri = (config, secretId) => {
196
+ if (!secretId.startsWith("op://")) {
197
+ return `op://${config.vaultId}/${secretId}/${CREDENTIAL_FIELD}`;
198
+ }
199
+ const match = secretId.match(/^op:\/\/([^/]+)\/.+/);
200
+ if (!match || match[1] !== config.vaultId) return null;
201
+ return secretId;
202
+ };
228
203
  var makeProvider = (ctx, timeoutMs, preferSdk) => ({
229
204
  key: "onepassword",
230
205
  writable: false,
206
+ allowFallback: false,
231
207
  // 1Password vaults are named in the stored config; the executor-scope
232
208
  // arg isn't used for routing here. A future refactor could let the
233
209
  // plugin store per-scope vault bindings and pick based on `scope`.
234
210
  get: (secretId, _scope) => ctx.storage.getConfig().pipe(
235
211
  Effect2.flatMap((config) => {
236
212
  if (!config) return Effect2.succeed(null);
237
- const uri = secretId.startsWith("op://") ? secretId : `op://${config.vaultId}/${secretId}/${CREDENTIAL_FIELD}`;
213
+ const uri = configuredVaultUri(config, secretId);
214
+ if (uri === null) return Effect2.succeed(null);
238
215
  return getServiceFromConfig(config, ctx, timeoutMs, preferSdk).pipe(
239
216
  Effect2.flatMap((svc) => svc.resolveSecret(uri)),
240
217
  Effect2.map((v) => v),
@@ -245,10 +222,7 @@ var makeProvider = (ctx, timeoutMs, preferSdk) => ({
245
222
  ),
246
223
  list: () => ctx.storage.getConfig().pipe(
247
224
  Effect2.flatMap((config) => {
248
- if (!config)
249
- return Effect2.succeed(
250
- []
251
- );
225
+ if (!config) return Effect2.succeed([]);
252
226
  return getServiceFromConfig(config, ctx, timeoutMs, preferSdk).pipe(
253
227
  Effect2.flatMap((svc) => svc.listItems(config.vaultId)),
254
228
  Effect2.map(
@@ -256,86 +230,72 @@ var makeProvider = (ctx, timeoutMs, preferSdk) => ({
256
230
  )
257
231
  );
258
232
  }),
259
- Effect2.orElseSucceed(
260
- () => []
261
- )
233
+ Effect2.orElseSucceed(() => [])
262
234
  )
263
235
  });
264
- var onepasswordPlugin = definePlugin(
265
- (options) => {
266
- const timeoutMs = options?.timeoutMs ?? DEFAULT_TIMEOUT_MS2;
267
- const preferSdk = options?.preferSdk;
268
- return {
269
- id: "onepassword",
270
- storage: ({ blobs, scopes }) => makeOnePasswordStore(blobs, scopes.at(-1).id),
271
- extension: (ctx) => {
272
- return {
273
- configure: (config) => ctx.storage.saveConfig(config),
274
- getConfig: () => ctx.storage.getConfig(),
275
- removeConfig: () => ctx.storage.deleteConfig(),
276
- status: () => Effect2.gen(function* () {
277
- const config = yield* ctx.storage.getConfig();
278
- if (!config) {
279
- return new ConnectionStatus({
280
- connected: false,
281
- error: "Not configured"
282
- });
283
- }
284
- const svc = yield* getServiceFromConfig(
285
- config,
286
- ctx,
287
- timeoutMs,
288
- preferSdk
289
- );
290
- const vaults = yield* svc.listVaults();
291
- const vault2 = vaults.find((v) => v.id === config.vaultId);
292
- return new ConnectionStatus({
293
- connected: true,
294
- vaultName: vault2?.title
295
- });
296
- }),
297
- listVaults: (auth) => Effect2.gen(function* () {
298
- const resolved = yield* resolveAuth(auth, ctx);
299
- const svc = yield* makeOnePasswordService(resolved, {
300
- timeoutMs,
301
- preferSdk
302
- });
303
- const vaults = yield* svc.listVaults();
304
- return vaults.map((v) => new Vault({ id: v.id, name: v.title })).sort((a, b) => a.name.localeCompare(b.name));
305
- }),
306
- resolve: (uri) => Effect2.gen(function* () {
307
- const config = yield* ctx.storage.getConfig();
308
- if (!config) {
309
- return yield* Effect2.fail(
310
- new OnePasswordError({
311
- operation: "resolve",
312
- message: "1Password is not configured"
313
- })
314
- );
315
- }
316
- const svc = yield* getServiceFromConfig(
317
- config,
318
- ctx,
319
- timeoutMs,
320
- preferSdk
321
- );
322
- return yield* svc.resolveSecret(uri);
323
- })
324
- };
325
- },
326
- secretProviders: (ctx) => [makeProvider(ctx, timeoutMs, preferSdk)]
327
- };
328
- }
329
- );
236
+ var makeOnePasswordExtension = (ctx, timeoutMs, preferSdk) => {
237
+ return {
238
+ configure: (config, targetScope) => ctx.storage.saveConfig(config, targetScope),
239
+ getConfig: () => ctx.storage.getConfig(),
240
+ removeConfig: (targetScope) => ctx.storage.deleteConfig(targetScope),
241
+ status: () => Effect2.gen(function* () {
242
+ const config = yield* ctx.storage.getConfig();
243
+ if (!config) {
244
+ return new ConnectionStatus({
245
+ connected: false,
246
+ error: "Not configured"
247
+ });
248
+ }
249
+ const svc = yield* getServiceFromConfig(config, ctx, timeoutMs, preferSdk);
250
+ const vaults = yield* svc.listVaults();
251
+ const vault2 = vaults.find((v) => v.id === config.vaultId);
252
+ return new ConnectionStatus({
253
+ connected: true,
254
+ vaultName: vault2?.title
255
+ });
256
+ }),
257
+ listVaults: (auth) => Effect2.gen(function* () {
258
+ const resolved = yield* resolveAuth(auth, ctx);
259
+ const svc = yield* makeOnePasswordService(resolved, {
260
+ timeoutMs,
261
+ preferSdk
262
+ });
263
+ const vaults = yield* svc.listVaults();
264
+ return vaults.map((v) => new Vault({ id: v.id, name: v.title })).sort((a, b) => a.name.localeCompare(b.name));
265
+ }),
266
+ resolve: (uri) => Effect2.gen(function* () {
267
+ const config = yield* ctx.storage.getConfig();
268
+ if (!config) {
269
+ return yield* new OnePasswordError({
270
+ operation: "resolve",
271
+ message: "1Password is not configured"
272
+ });
273
+ }
274
+ const scopedUri = configuredVaultUri(config, uri);
275
+ if (scopedUri === null) {
276
+ return yield* new OnePasswordError({
277
+ operation: "resolve",
278
+ message: "1Password secret URI is outside the configured vault"
279
+ });
280
+ }
281
+ const svc = yield* getServiceFromConfig(config, ctx, timeoutMs, preferSdk);
282
+ return yield* svc.resolveSecret(scopedUri);
283
+ })
284
+ };
285
+ };
286
+ var onepasswordPlugin = definePlugin((options) => {
287
+ const timeoutMs = options?.timeoutMs ?? DEFAULT_TIMEOUT_MS2;
288
+ const preferSdk = options?.preferSdk;
289
+ return {
290
+ id: "onepassword",
291
+ packageName: "@executor-js/plugin-onepassword",
292
+ storage: ({ blobs }) => makeOnePasswordStore(blobs),
293
+ extension: (ctx) => makeOnePasswordExtension(ctx, timeoutMs, preferSdk),
294
+ secretProviders: (ctx) => [makeProvider(ctx, timeoutMs, preferSdk)]
295
+ };
296
+ });
330
297
 
331
298
  export {
332
- DesktopAppAuth,
333
- ServiceAccountAuth,
334
- OnePasswordAuth,
335
- OnePasswordConfig,
336
- Vault,
337
- ConnectionStatus,
338
- OnePasswordError,
339
299
  OnePasswordServiceTag,
340
300
  makeNativeSdkService,
341
301
  makeCliService,
@@ -343,4 +303,4 @@ export {
343
303
  makeOnePasswordStore,
344
304
  onepasswordPlugin
345
305
  };
346
- //# sourceMappingURL=chunk-HWMHIFQL.js.map
306
+ //# sourceMappingURL=chunk-ULLNZ6JH.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"sources":["../src/sdk/service.ts","../src/sdk/plugin.ts"],"sourcesContent":["import { Context, Duration, Effect, Semaphore } from \"effect\";\nimport * as op from \"@1password/op-js\";\n\nimport { OnePasswordError } from \"./errors\";\n\n// ---------------------------------------------------------------------------\n// Canonical service interface — all backends (SDK, CLI) implement this\n// ---------------------------------------------------------------------------\n\nexport interface OnePasswordVault {\n readonly id: string;\n readonly title: string;\n}\n\nexport interface OnePasswordItem {\n readonly id: string;\n readonly title: string;\n}\n\nexport interface OnePasswordService {\n /** Resolve a secret by op:// URI */\n readonly resolveSecret: (uri: string) => Effect.Effect<string, OnePasswordError>;\n\n /** List accessible vaults */\n readonly listVaults: () => Effect.Effect<ReadonlyArray<OnePasswordVault>, OnePasswordError>;\n\n /** List items in a vault */\n readonly listItems: (\n vaultId: string,\n ) => Effect.Effect<ReadonlyArray<OnePasswordItem>, OnePasswordError>;\n}\n\nexport class OnePasswordServiceTag extends Context.Service<\n OnePasswordServiceTag,\n OnePasswordService\n>()(\"@executor-js/plugin-onepassword/OnePasswordService\") {}\n\n// ---------------------------------------------------------------------------\n// Resolved auth — raw credentials ready for any backend\n// ---------------------------------------------------------------------------\n\nexport type ResolvedAuth =\n | { readonly kind: \"desktop-app\"; readonly accountName: string }\n | { readonly kind: \"service-account\"; readonly token: string };\n\n// ---------------------------------------------------------------------------\n// SDK backend — uses @1password/sdk native IPC\n// ---------------------------------------------------------------------------\n\nconst DEFAULT_TIMEOUT_MS = 15_000;\ntype OnePasswordSdkModule = typeof import(\"@1password/sdk\");\n\nconst loadOnePasswordSdk = (): Effect.Effect<OnePasswordSdkModule, OnePasswordError> =>\n Effect.tryPromise({\n try: () => import(\"@1password/sdk\"),\n catch: () =>\n new OnePasswordError({\n operation: \"sdk module load\",\n message: \"Failed to load 1Password SDK\",\n }),\n });\n\nconst makeTimeoutMessage = (operation: string, timeoutMs: number): string =>\n [\n `${operation}: timed out after ${Math.floor(timeoutMs / 1000)}s.`,\n \"Troubleshooting:\",\n \"1. Make sure the 1Password desktop app is open and unlocked\",\n \"2. Check for an approval prompt in the 1Password app — it may be behind other windows\",\n \"3. Ensure 'Developer > Connect with 1Password CLI' is enabled in 1Password Settings\",\n \"4. Make sure no other app or terminal is waiting for 1Password approval (only one prompt at a time)\",\n \"5. Try quitting 1Password completely and reopening it, then retry\",\n ].join(\"\\n\");\n\nconst timeoutWithOnePasswordError = (operation: string, timeoutMs: number) =>\n Effect.timeoutOrElse({\n duration: Duration.millis(timeoutMs),\n orElse: () =>\n Effect.fail(\n new OnePasswordError({\n operation,\n message: makeTimeoutMessage(operation, timeoutMs),\n }),\n ),\n });\n\nexport const makeNativeSdkService = (\n auth: ResolvedAuth,\n timeoutMs: number = DEFAULT_TIMEOUT_MS,\n): Effect.Effect<OnePasswordService, OnePasswordError> =>\n Effect.gen(function* () {\n const sdk = yield* loadOnePasswordSdk().pipe(\n timeoutWithOnePasswordError(\"sdk module load\", timeoutMs),\n );\n\n const client = yield* Effect.tryPromise({\n try: () =>\n sdk.createClient({\n auth: auth.kind === \"desktop-app\" ? new sdk.DesktopAuth(auth.accountName) : auth.token,\n integrationName: \"Executor\",\n integrationVersion: \"0.0.0\",\n }),\n catch: () =>\n new OnePasswordError({\n operation: \"client setup\",\n message: \"Failed to set up 1Password client\",\n }),\n }).pipe(timeoutWithOnePasswordError(\"client setup\", timeoutMs));\n\n const wrap = <A>(fn: () => Promise<A>, operation: string): Effect.Effect<A, OnePasswordError> =>\n Effect.tryPromise({\n try: fn,\n catch: () =>\n new OnePasswordError({\n operation,\n message: `1Password SDK ${operation} failed`,\n }),\n }).pipe(\n timeoutWithOnePasswordError(operation, timeoutMs),\n Effect.withSpan(`onepassword.sdk.${operation}`),\n );\n\n return OnePasswordServiceTag.of({\n resolveSecret: (uri) => wrap(() => client.secrets.resolve(uri), \"secret resolution\"),\n\n listVaults: () =>\n wrap(() => client.vaults.list({ decryptDetails: true }), \"vault listing\").pipe(\n Effect.map((vaults) => vaults.map((v) => ({ id: v.id, title: v.title }))),\n ),\n\n listItems: (vaultId) =>\n wrap(() => client.items.list(vaultId), \"item listing\").pipe(\n Effect.map((items) => items.map((i) => ({ id: i.id, title: i.title }))),\n ),\n });\n }).pipe(Effect.withSpan(\"onepassword.sdk.make_service\"));\n\n// ---------------------------------------------------------------------------\n// CLI backend — uses @1password/op-js (shells out to `op` CLI)\n// ---------------------------------------------------------------------------\n\nconst cliAuthLock = Semaphore.makeUnsafe(1);\n\nexport const makeCliService = (\n auth: ResolvedAuth,\n): Effect.Effect<OnePasswordService, OnePasswordError> =>\n Effect.sync(() => {\n const wrapSync = <A>(fn: () => A, operation: string): Effect.Effect<A, OnePasswordError> =>\n cliAuthLock\n .withPermits(1)(\n Effect.try({\n try: () => {\n if (auth.kind === \"service-account\") {\n op.setGlobalFlags({});\n op.setServiceAccount(auth.token);\n } else {\n op.setServiceAccount(\"\");\n op.setGlobalFlags({ account: auth.accountName });\n }\n return fn();\n },\n catch: () =>\n new OnePasswordError({\n operation,\n message: `1Password CLI ${operation} failed`,\n }),\n }),\n )\n .pipe(Effect.withSpan(`onepassword.cli.${operation}`));\n\n return OnePasswordServiceTag.of({\n resolveSecret: (uri) => wrapSync(() => op.read.parse(uri), \"secret resolution\"),\n\n listVaults: () =>\n wrapSync(() => op.vault.list(), \"vault listing\").pipe(\n Effect.map((vaults) => vaults.map((v) => ({ id: v.id, title: v.name }))),\n ),\n\n listItems: (vaultId) =>\n wrapSync(() => op.item.list({ vault: vaultId }), \"item listing\").pipe(\n Effect.map((items) => items.map((i) => ({ id: i.id, title: i.title }))),\n ),\n });\n }).pipe(Effect.withSpan(\"onepassword.cli.make_service\"));\n\n// ---------------------------------------------------------------------------\n// Smart factory — tries CLI first (avoids IPC hang), falls back to SDK\n// ---------------------------------------------------------------------------\n\nexport const makeOnePasswordService = (\n auth: ResolvedAuth,\n options?: { readonly preferSdk?: boolean; readonly timeoutMs?: number },\n): Effect.Effect<OnePasswordService, OnePasswordError> => {\n const timeoutMs = options?.timeoutMs ?? DEFAULT_TIMEOUT_MS;\n\n if (options?.preferSdk) {\n return makeNativeSdkService(auth, timeoutMs);\n }\n\n // Default: prefer CLI to avoid the IPC hang bug\n return makeCliService(auth).pipe(\n Effect.catch((cliError: OnePasswordError) =>\n // CLI unavailable (e.g. `op` not installed) — fall back to SDK\n makeNativeSdkService(auth, timeoutMs).pipe(Effect.mapError(() => cliError)),\n ),\n );\n};\n","import { Effect, Schema } from \"effect\";\n\nimport {\n definePlugin,\n StorageError,\n type PluginCtx,\n type PluginBlobStore,\n type SecretProvider,\n type StorageFailure,\n} from \"@executor-js/sdk/core\";\n\nimport { OnePasswordConfig, Vault, ConnectionStatus } from \"./types\";\nimport type { OnePasswordAuth } from \"./types\";\nimport { OnePasswordError } from \"./errors\";\nimport { makeOnePasswordService, type ResolvedAuth, type OnePasswordService } from \"./service\";\n\n// ---------------------------------------------------------------------------\n// Constants\n// ---------------------------------------------------------------------------\n\nconst CREDENTIAL_FIELD = \"credential\";\nconst DEFAULT_TIMEOUT_MS = 15_000;\nconst CONFIG_KEY = \"config\";\n\n// ---------------------------------------------------------------------------\n// Shared failure alias.\n//\n// Every extension method either touches storage (`ctx.storage` blobs or\n// `ctx.secrets`) or reaches the 1Password backend. Storage I/O surfaces\n// as `StorageFailure`; the HTTP edge (`withCapture`) translates\n// `StorageError` to `InternalError({ traceId })`. Domain problems (not\n// configured, service-account token missing, backend RPC failure) stay\n// as `OnePasswordError` and encode to 502 via the schema annotation on\n// the class.\n// ---------------------------------------------------------------------------\n\nexport type OnePasswordExtensionFailure = OnePasswordError | StorageFailure;\n\n// ---------------------------------------------------------------------------\n// Plugin extension — public API on executor.onepassword\n// ---------------------------------------------------------------------------\n\n// ---------------------------------------------------------------------------\n// Typed config store — single blob, JSON encoded. Blob I/O failures surface\n// as `StorageError` (HTTP edge translates to `InternalError`); decode\n// failures stay `OnePasswordError` — the blob's contents are a plugin\n// concern, not an infrastructure one.\n// ---------------------------------------------------------------------------\n\nexport interface OnePasswordStore {\n readonly getConfig: () => Effect.Effect<\n OnePasswordConfig | null,\n StorageError | OnePasswordError\n >;\n readonly saveConfig: (\n config: OnePasswordConfig,\n targetScope: string,\n ) => Effect.Effect<void, StorageError>;\n readonly deleteConfig: (targetScope: string) => Effect.Effect<void, StorageError>;\n}\n\nconst decodeConfig = Schema.decodeUnknownEffect(Schema.fromJsonString(OnePasswordConfig));\n\nconst blobStorageError =\n (operation: string) =>\n (cause: unknown): StorageError =>\n new StorageError({\n message: `onepassword blob ${operation} failed`,\n cause,\n });\n\nexport const makeOnePasswordStore = (blobs: PluginBlobStore): OnePasswordStore => ({\n getConfig: () =>\n blobs.get(CONFIG_KEY).pipe(\n Effect.mapError(blobStorageError(\"read\")),\n Effect.flatMap((raw) => {\n if (raw === null) return Effect.succeed(null);\n return decodeConfig(raw).pipe(\n Effect.mapError(\n () =>\n new OnePasswordError({\n operation: \"config decode\",\n message: \"Failed to decode 1Password config\",\n }),\n ),\n );\n }),\n ),\n\n saveConfig: (config, targetScope) =>\n blobs\n .put(\n CONFIG_KEY,\n JSON.stringify({\n auth: config.auth,\n vaultId: config.vaultId,\n name: config.name,\n }),\n { scope: targetScope },\n )\n .pipe(Effect.mapError(blobStorageError(\"write\"))),\n\n deleteConfig: (targetScope) =>\n blobs\n .delete(CONFIG_KEY, { scope: targetScope })\n .pipe(Effect.mapError(blobStorageError(\"delete\"))),\n});\n\n// ---------------------------------------------------------------------------\n// Helpers — auth resolution + service construction\n// ---------------------------------------------------------------------------\n\nconst resolveAuth = (\n auth: OnePasswordAuth,\n ctx: PluginCtx<OnePasswordStore>,\n): Effect.Effect<ResolvedAuth, OnePasswordError | StorageFailure> => {\n if (auth.kind === \"desktop-app\") {\n return Effect.succeed({\n kind: \"desktop-app\" as const,\n accountName: auth.accountName,\n });\n }\n return ctx.secrets.get(auth.tokenSecretId).pipe(\n Effect.catchTag(\"SecretOwnedByConnectionError\", () =>\n Effect.fail(\n new OnePasswordError({\n operation: \"auth resolution\",\n message: `Service account token secret \"${auth.tokenSecretId}\" not found`,\n }),\n ),\n ),\n Effect.flatMap((token) => {\n if (token === null) {\n return Effect.fail(\n new OnePasswordError({\n operation: \"auth resolution\",\n message: `Service account token secret \"${auth.tokenSecretId}\" not found`,\n }),\n );\n }\n return Effect.succeed({\n kind: \"service-account\" as const,\n token,\n });\n }),\n );\n};\n\nconst getServiceFromConfig = (\n config: OnePasswordConfig,\n ctx: PluginCtx<OnePasswordStore>,\n timeoutMs: number,\n preferSdk: boolean | undefined,\n): Effect.Effect<OnePasswordService, OnePasswordError | StorageFailure> =>\n resolveAuth(config.auth, ctx).pipe(\n Effect.flatMap((resolved) => makeOnePasswordService(resolved, { timeoutMs, preferSdk })),\n );\n\nconst configuredVaultUri = (config: OnePasswordConfig, secretId: string): string | null => {\n if (!secretId.startsWith(\"op://\")) {\n return `op://${config.vaultId}/${secretId}/${CREDENTIAL_FIELD}`;\n }\n const match = secretId.match(/^op:\\/\\/([^/]+)\\/.+/);\n if (!match || match[1] !== config.vaultId) return null;\n return secretId;\n};\n\n// ---------------------------------------------------------------------------\n// SecretProvider — read-only, resolves op:// URIs or vaultId-based lookups\n// ---------------------------------------------------------------------------\n\nconst makeProvider = (\n ctx: PluginCtx<OnePasswordStore>,\n timeoutMs: number,\n preferSdk: boolean | undefined,\n): SecretProvider => ({\n key: \"onepassword\",\n writable: false,\n allowFallback: false,\n\n // 1Password vaults are named in the stored config; the executor-scope\n // arg isn't used for routing here. A future refactor could let the\n // plugin store per-scope vault bindings and pick based on `scope`.\n get: (secretId, _scope) =>\n ctx.storage.getConfig().pipe(\n Effect.flatMap((config) => {\n if (!config) return Effect.succeed(null as string | null);\n\n const uri = configuredVaultUri(config, secretId);\n if (uri === null) return Effect.succeed(null as string | null);\n\n return getServiceFromConfig(config, ctx, timeoutMs, preferSdk).pipe(\n Effect.flatMap((svc) => svc.resolveSecret(uri)),\n Effect.map((v): string | null => v),\n Effect.orElseSucceed(() => null),\n );\n }),\n Effect.orElseSucceed(() => null),\n ),\n\n list: () =>\n ctx.storage.getConfig().pipe(\n Effect.flatMap((config) => {\n if (!config) return Effect.succeed([] as ReadonlyArray<{ id: string; name: string }>);\n return getServiceFromConfig(config, ctx, timeoutMs, preferSdk).pipe(\n Effect.flatMap((svc) => svc.listItems(config.vaultId)),\n Effect.map(\n (items): ReadonlyArray<{ id: string; name: string }> =>\n items.map((item) => ({ id: item.id, name: item.title })),\n ),\n );\n }),\n Effect.orElseSucceed(() => [] as ReadonlyArray<{ id: string; name: string }>),\n ),\n});\n\nconst makeOnePasswordExtension = (\n ctx: PluginCtx<OnePasswordStore>,\n timeoutMs: number,\n preferSdk: boolean | undefined,\n) => {\n return {\n configure: (config: OnePasswordConfig, targetScope: string) =>\n ctx.storage.saveConfig(config, targetScope),\n\n getConfig: () => ctx.storage.getConfig(),\n\n removeConfig: (targetScope: string) => ctx.storage.deleteConfig(targetScope),\n\n status: () =>\n Effect.gen(function* () {\n const config = yield* ctx.storage.getConfig();\n if (!config) {\n return new ConnectionStatus({\n connected: false,\n error: \"Not configured\",\n });\n }\n const svc = yield* getServiceFromConfig(config, ctx, timeoutMs, preferSdk);\n const vaults = yield* svc.listVaults();\n const vault = vaults.find((v) => v.id === config.vaultId);\n return new ConnectionStatus({\n connected: true,\n vaultName: vault?.title,\n });\n }),\n\n listVaults: (auth: OnePasswordAuth) =>\n Effect.gen(function* () {\n const resolved = yield* resolveAuth(auth, ctx);\n const svc = yield* makeOnePasswordService(resolved, {\n timeoutMs,\n preferSdk,\n });\n const vaults = yield* svc.listVaults();\n return vaults\n .map((v) => new Vault({ id: v.id, name: v.title }))\n .sort((a, b) => a.name.localeCompare(b.name));\n }),\n\n resolve: (uri: string) =>\n Effect.gen(function* () {\n const config = yield* ctx.storage.getConfig();\n if (!config) {\n return yield* new OnePasswordError({\n operation: \"resolve\",\n message: \"1Password is not configured\",\n });\n }\n const scopedUri = configuredVaultUri(config, uri);\n if (scopedUri === null) {\n return yield* new OnePasswordError({\n operation: \"resolve\",\n message: \"1Password secret URI is outside the configured vault\",\n });\n }\n const svc = yield* getServiceFromConfig(config, ctx, timeoutMs, preferSdk);\n return yield* svc.resolveSecret(scopedUri);\n }),\n };\n};\n\nexport type OnePasswordExtension = ReturnType<typeof makeOnePasswordExtension>;\n\n// ---------------------------------------------------------------------------\n// Plugin factory\n// ---------------------------------------------------------------------------\n\nexport interface OnePasswordPluginOptions {\n /** Request timeout in ms (default: 15000) */\n readonly timeoutMs?: number;\n /** Force use of the native SDK instead of the CLI (default: false) */\n readonly preferSdk?: boolean;\n}\n\nexport const onepasswordPlugin = definePlugin((options?: OnePasswordPluginOptions) => {\n const timeoutMs = options?.timeoutMs ?? DEFAULT_TIMEOUT_MS;\n const preferSdk = options?.preferSdk;\n\n return {\n id: \"onepassword\" as const,\n packageName: \"@executor-js/plugin-onepassword\",\n storage: ({ blobs }) => makeOnePasswordStore(blobs),\n\n extension: (ctx) => makeOnePasswordExtension(ctx, timeoutMs, preferSdk),\n\n secretProviders: (ctx) => [makeProvider(ctx, timeoutMs, preferSdk)],\n };\n // HTTP transport (routes/handlers/extensionService) is layered on by\n // the api-aware factory in `@executor-js/plugin-onepassword/api`. Hosts\n // that want the HTTP surface import the plugin from there; SDK-only\n // consumers stay on this entry and avoid the server-only deps.\n});\n"],"mappings":";;;;;;;;AAAA,SAAS,SAAS,UAAU,QAAQ,iBAAiB;AACrD,YAAY,QAAQ;AA+Bb,IAAM,wBAAN,cAAoC,QAAQ,QAGjD,EAAE,oDAAoD,EAAE;AAAC;AAc3D,IAAM,qBAAqB;AAG3B,IAAM,qBAAqB,MACzB,OAAO,WAAW;AAAA,EAChB,KAAK,MAAM,OAAO,gBAAgB;AAAA,EAClC,OAAO,MACL,IAAI,iBAAiB;AAAA,IACnB,WAAW;AAAA,IACX,SAAS;AAAA,EACX,CAAC;AACL,CAAC;AAEH,IAAM,qBAAqB,CAAC,WAAmB,cAC7C;AAAA,EACE,GAAG,SAAS,qBAAqB,KAAK,MAAM,YAAY,GAAI,CAAC;AAAA,EAC7D;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,EAAE,KAAK,IAAI;AAEb,IAAM,8BAA8B,CAAC,WAAmB,cACtD,OAAO,cAAc;AAAA,EACnB,UAAU,SAAS,OAAO,SAAS;AAAA,EACnC,QAAQ,MACN,OAAO;AAAA,IACL,IAAI,iBAAiB;AAAA,MACnB;AAAA,MACA,SAAS,mBAAmB,WAAW,SAAS;AAAA,IAClD,CAAC;AAAA,EACH;AACJ,CAAC;AAEI,IAAM,uBAAuB,CAClC,MACA,YAAoB,uBAEpB,OAAO,IAAI,aAAa;AACtB,QAAM,MAAM,OAAO,mBAAmB,EAAE;AAAA,IACtC,4BAA4B,mBAAmB,SAAS;AAAA,EAC1D;AAEA,QAAM,SAAS,OAAO,OAAO,WAAW;AAAA,IACtC,KAAK,MACH,IAAI,aAAa;AAAA,MACf,MAAM,KAAK,SAAS,gBAAgB,IAAI,IAAI,YAAY,KAAK,WAAW,IAAI,KAAK;AAAA,MACjF,iBAAiB;AAAA,MACjB,oBAAoB;AAAA,IACtB,CAAC;AAAA,IACH,OAAO,MACL,IAAI,iBAAiB;AAAA,MACnB,WAAW;AAAA,MACX,SAAS;AAAA,IACX,CAAC;AAAA,EACL,CAAC,EAAE,KAAK,4BAA4B,gBAAgB,SAAS,CAAC;AAE9D,QAAM,OAAO,CAAI,IAAsB,cACrC,OAAO,WAAW;AAAA,IAChB,KAAK;AAAA,IACL,OAAO,MACL,IAAI,iBAAiB;AAAA,MACnB;AAAA,MACA,SAAS,iBAAiB,SAAS;AAAA,IACrC,CAAC;AAAA,EACL,CAAC,EAAE;AAAA,IACD,4BAA4B,WAAW,SAAS;AAAA,IAChD,OAAO,SAAS,mBAAmB,SAAS,EAAE;AAAA,EAChD;AAEF,SAAO,sBAAsB,GAAG;AAAA,IAC9B,eAAe,CAAC,QAAQ,KAAK,MAAM,OAAO,QAAQ,QAAQ,GAAG,GAAG,mBAAmB;AAAA,IAEnF,YAAY,MACV,KAAK,MAAM,OAAO,OAAO,KAAK,EAAE,gBAAgB,KAAK,CAAC,GAAG,eAAe,EAAE;AAAA,MACxE,OAAO,IAAI,CAAC,WAAW,OAAO,IAAI,CAAC,OAAO,EAAE,IAAI,EAAE,IAAI,OAAO,EAAE,MAAM,EAAE,CAAC;AAAA,IAC1E;AAAA,IAEF,WAAW,CAAC,YACV,KAAK,MAAM,OAAO,MAAM,KAAK,OAAO,GAAG,cAAc,EAAE;AAAA,MACrD,OAAO,IAAI,CAAC,UAAU,MAAM,IAAI,CAAC,OAAO,EAAE,IAAI,EAAE,IAAI,OAAO,EAAE,MAAM,EAAE,CAAC;AAAA,IACxE;AAAA,EACJ,CAAC;AACH,CAAC,EAAE,KAAK,OAAO,SAAS,8BAA8B,CAAC;AAMzD,IAAM,cAAc,UAAU,WAAW,CAAC;AAEnC,IAAM,iBAAiB,CAC5B,SAEA,OAAO,KAAK,MAAM;AAChB,QAAM,WAAW,CAAI,IAAa,cAChC,YACG,YAAY,CAAC;AAAA,IACZ,OAAO,IAAI;AAAA,MACT,KAAK,MAAM;AACT,YAAI,KAAK,SAAS,mBAAmB;AACnC,UAAG,kBAAe,CAAC,CAAC;AACpB,UAAG,qBAAkB,KAAK,KAAK;AAAA,QACjC,OAAO;AACL,UAAG,qBAAkB,EAAE;AACvB,UAAG,kBAAe,EAAE,SAAS,KAAK,YAAY,CAAC;AAAA,QACjD;AACA,eAAO,GAAG;AAAA,MACZ;AAAA,MACA,OAAO,MACL,IAAI,iBAAiB;AAAA,QACnB;AAAA,QACA,SAAS,iBAAiB,SAAS;AAAA,MACrC,CAAC;AAAA,IACL,CAAC;AAAA,EACH,EACC,KAAK,OAAO,SAAS,mBAAmB,SAAS,EAAE,CAAC;AAEzD,SAAO,sBAAsB,GAAG;AAAA,IAC9B,eAAe,CAAC,QAAQ,SAAS,MAAS,QAAK,MAAM,GAAG,GAAG,mBAAmB;AAAA,IAE9E,YAAY,MACV,SAAS,MAAS,SAAM,KAAK,GAAG,eAAe,EAAE;AAAA,MAC/C,OAAO,IAAI,CAAC,WAAW,OAAO,IAAI,CAAC,OAAO,EAAE,IAAI,EAAE,IAAI,OAAO,EAAE,KAAK,EAAE,CAAC;AAAA,IACzE;AAAA,IAEF,WAAW,CAAC,YACV,SAAS,MAAS,QAAK,KAAK,EAAE,OAAO,QAAQ,CAAC,GAAG,cAAc,EAAE;AAAA,MAC/D,OAAO,IAAI,CAAC,UAAU,MAAM,IAAI,CAAC,OAAO,EAAE,IAAI,EAAE,IAAI,OAAO,EAAE,MAAM,EAAE,CAAC;AAAA,IACxE;AAAA,EACJ,CAAC;AACH,CAAC,EAAE,KAAK,OAAO,SAAS,8BAA8B,CAAC;AAMlD,IAAM,yBAAyB,CACpC,MACA,YACwD;AACxD,QAAM,YAAY,SAAS,aAAa;AAExC,MAAI,SAAS,WAAW;AACtB,WAAO,qBAAqB,MAAM,SAAS;AAAA,EAC7C;AAGA,SAAO,eAAe,IAAI,EAAE;AAAA,IAC1B,OAAO;AAAA,MAAM,CAAC;AAAA;AAAA,QAEZ,qBAAqB,MAAM,SAAS,EAAE,KAAK,OAAO,SAAS,MAAM,QAAQ,CAAC;AAAA;AAAA,IAC5E;AAAA,EACF;AACF;;;AC7MA,SAAS,UAAAA,SAAQ,cAAc;AAE/B;AAAA,EACE;AAAA,EACA;AAAA,OAKK;AAWP,IAAM,mBAAmB;AACzB,IAAMC,sBAAqB;AAC3B,IAAM,aAAa;AAuCnB,IAAM,eAAe,OAAO,oBAAoB,OAAO,eAAe,iBAAiB,CAAC;AAExF,IAAM,mBACJ,CAAC,cACD,CAAC,UACC,IAAI,aAAa;AAAA,EACf,SAAS,oBAAoB,SAAS;AAAA,EACtC;AACF,CAAC;AAEE,IAAM,uBAAuB,CAAC,WAA8C;AAAA,EACjF,WAAW,MACT,MAAM,IAAI,UAAU,EAAE;AAAA,IACpBC,QAAO,SAAS,iBAAiB,MAAM,CAAC;AAAA,IACxCA,QAAO,QAAQ,CAAC,QAAQ;AACtB,UAAI,QAAQ,KAAM,QAAOA,QAAO,QAAQ,IAAI;AAC5C,aAAO,aAAa,GAAG,EAAE;AAAA,QACvBA,QAAO;AAAA,UACL,MACE,IAAI,iBAAiB;AAAA,YACnB,WAAW;AAAA,YACX,SAAS;AAAA,UACX,CAAC;AAAA,QACL;AAAA,MACF;AAAA,IACF,CAAC;AAAA,EACH;AAAA,EAEF,YAAY,CAAC,QAAQ,gBACnB,MACG;AAAA,IACC;AAAA,IACA,KAAK,UAAU;AAAA,MACb,MAAM,OAAO;AAAA,MACb,SAAS,OAAO;AAAA,MAChB,MAAM,OAAO;AAAA,IACf,CAAC;AAAA,IACD,EAAE,OAAO,YAAY;AAAA,EACvB,EACC,KAAKA,QAAO,SAAS,iBAAiB,OAAO,CAAC,CAAC;AAAA,EAEpD,cAAc,CAAC,gBACb,MACG,OAAO,YAAY,EAAE,OAAO,YAAY,CAAC,EACzC,KAAKA,QAAO,SAAS,iBAAiB,QAAQ,CAAC,CAAC;AACvD;AAMA,IAAM,cAAc,CAClB,MACA,QACmE;AACnE,MAAI,KAAK,SAAS,eAAe;AAC/B,WAAOA,QAAO,QAAQ;AAAA,MACpB,MAAM;AAAA,MACN,aAAa,KAAK;AAAA,IACpB,CAAC;AAAA,EACH;AACA,SAAO,IAAI,QAAQ,IAAI,KAAK,aAAa,EAAE;AAAA,IACzCA,QAAO;AAAA,MAAS;AAAA,MAAgC,MAC9CA,QAAO;AAAA,QACL,IAAI,iBAAiB;AAAA,UACnB,WAAW;AAAA,UACX,SAAS,iCAAiC,KAAK,aAAa;AAAA,QAC9D,CAAC;AAAA,MACH;AAAA,IACF;AAAA,IACAA,QAAO,QAAQ,CAAC,UAAU;AACxB,UAAI,UAAU,MAAM;AAClB,eAAOA,QAAO;AAAA,UACZ,IAAI,iBAAiB;AAAA,YACnB,WAAW;AAAA,YACX,SAAS,iCAAiC,KAAK,aAAa;AAAA,UAC9D,CAAC;AAAA,QACH;AAAA,MACF;AACA,aAAOA,QAAO,QAAQ;AAAA,QACpB,MAAM;AAAA,QACN;AAAA,MACF,CAAC;AAAA,IACH,CAAC;AAAA,EACH;AACF;AAEA,IAAM,uBAAuB,CAC3B,QACA,KACA,WACA,cAEA,YAAY,OAAO,MAAM,GAAG,EAAE;AAAA,EAC5BA,QAAO,QAAQ,CAAC,aAAa,uBAAuB,UAAU,EAAE,WAAW,UAAU,CAAC,CAAC;AACzF;AAEF,IAAM,qBAAqB,CAAC,QAA2B,aAAoC;AACzF,MAAI,CAAC,SAAS,WAAW,OAAO,GAAG;AACjC,WAAO,QAAQ,OAAO,OAAO,IAAI,QAAQ,IAAI,gBAAgB;AAAA,EAC/D;AACA,QAAM,QAAQ,SAAS,MAAM,qBAAqB;AAClD,MAAI,CAAC,SAAS,MAAM,CAAC,MAAM,OAAO,QAAS,QAAO;AAClD,SAAO;AACT;AAMA,IAAM,eAAe,CACnB,KACA,WACA,eACoB;AAAA,EACpB,KAAK;AAAA,EACL,UAAU;AAAA,EACV,eAAe;AAAA;AAAA;AAAA;AAAA,EAKf,KAAK,CAAC,UAAU,WACd,IAAI,QAAQ,UAAU,EAAE;AAAA,IACtBA,QAAO,QAAQ,CAAC,WAAW;AACzB,UAAI,CAAC,OAAQ,QAAOA,QAAO,QAAQ,IAAqB;AAExD,YAAM,MAAM,mBAAmB,QAAQ,QAAQ;AAC/C,UAAI,QAAQ,KAAM,QAAOA,QAAO,QAAQ,IAAqB;AAE7D,aAAO,qBAAqB,QAAQ,KAAK,WAAW,SAAS,EAAE;AAAA,QAC7DA,QAAO,QAAQ,CAAC,QAAQ,IAAI,cAAc,GAAG,CAAC;AAAA,QAC9CA,QAAO,IAAI,CAAC,MAAqB,CAAC;AAAA,QAClCA,QAAO,cAAc,MAAM,IAAI;AAAA,MACjC;AAAA,IACF,CAAC;AAAA,IACDA,QAAO,cAAc,MAAM,IAAI;AAAA,EACjC;AAAA,EAEF,MAAM,MACJ,IAAI,QAAQ,UAAU,EAAE;AAAA,IACtBA,QAAO,QAAQ,CAAC,WAAW;AACzB,UAAI,CAAC,OAAQ,QAAOA,QAAO,QAAQ,CAAC,CAAgD;AACpF,aAAO,qBAAqB,QAAQ,KAAK,WAAW,SAAS,EAAE;AAAA,QAC7DA,QAAO,QAAQ,CAAC,QAAQ,IAAI,UAAU,OAAO,OAAO,CAAC;AAAA,QACrDA,QAAO;AAAA,UACL,CAAC,UACC,MAAM,IAAI,CAACC,WAAU,EAAE,IAAIA,MAAK,IAAI,MAAMA,MAAK,MAAM,EAAE;AAAA,QAC3D;AAAA,MACF;AAAA,IACF,CAAC;AAAA,IACDD,QAAO,cAAc,MAAM,CAAC,CAAgD;AAAA,EAC9E;AACJ;AAEA,IAAM,2BAA2B,CAC/B,KACA,WACA,cACG;AACH,SAAO;AAAA,IACL,WAAW,CAAC,QAA2B,gBACrC,IAAI,QAAQ,WAAW,QAAQ,WAAW;AAAA,IAE5C,WAAW,MAAM,IAAI,QAAQ,UAAU;AAAA,IAEvC,cAAc,CAAC,gBAAwB,IAAI,QAAQ,aAAa,WAAW;AAAA,IAE3E,QAAQ,MACNA,QAAO,IAAI,aAAa;AACtB,YAAM,SAAS,OAAO,IAAI,QAAQ,UAAU;AAC5C,UAAI,CAAC,QAAQ;AACX,eAAO,IAAI,iBAAiB;AAAA,UAC1B,WAAW;AAAA,UACX,OAAO;AAAA,QACT,CAAC;AAAA,MACH;AACA,YAAM,MAAM,OAAO,qBAAqB,QAAQ,KAAK,WAAW,SAAS;AACzE,YAAM,SAAS,OAAO,IAAI,WAAW;AACrC,YAAME,SAAQ,OAAO,KAAK,CAAC,MAAM,EAAE,OAAO,OAAO,OAAO;AACxD,aAAO,IAAI,iBAAiB;AAAA,QAC1B,WAAW;AAAA,QACX,WAAWA,QAAO;AAAA,MACpB,CAAC;AAAA,IACH,CAAC;AAAA,IAEH,YAAY,CAAC,SACXF,QAAO,IAAI,aAAa;AACtB,YAAM,WAAW,OAAO,YAAY,MAAM,GAAG;AAC7C,YAAM,MAAM,OAAO,uBAAuB,UAAU;AAAA,QAClD;AAAA,QACA;AAAA,MACF,CAAC;AACD,YAAM,SAAS,OAAO,IAAI,WAAW;AACrC,aAAO,OACJ,IAAI,CAAC,MAAM,IAAI,MAAM,EAAE,IAAI,EAAE,IAAI,MAAM,EAAE,MAAM,CAAC,CAAC,EACjD,KAAK,CAAC,GAAG,MAAM,EAAE,KAAK,cAAc,EAAE,IAAI,CAAC;AAAA,IAChD,CAAC;AAAA,IAEH,SAAS,CAAC,QACRA,QAAO,IAAI,aAAa;AACtB,YAAM,SAAS,OAAO,IAAI,QAAQ,UAAU;AAC5C,UAAI,CAAC,QAAQ;AACX,eAAO,OAAO,IAAI,iBAAiB;AAAA,UACjC,WAAW;AAAA,UACX,SAAS;AAAA,QACX,CAAC;AAAA,MACH;AACA,YAAM,YAAY,mBAAmB,QAAQ,GAAG;AAChD,UAAI,cAAc,MAAM;AACtB,eAAO,OAAO,IAAI,iBAAiB;AAAA,UACjC,WAAW;AAAA,UACX,SAAS;AAAA,QACX,CAAC;AAAA,MACH;AACA,YAAM,MAAM,OAAO,qBAAqB,QAAQ,KAAK,WAAW,SAAS;AACzE,aAAO,OAAO,IAAI,cAAc,SAAS;AAAA,IAC3C,CAAC;AAAA,EACL;AACF;AAeO,IAAM,oBAAoB,aAAa,CAAC,YAAuC;AACpF,QAAM,YAAY,SAAS,aAAaD;AACxC,QAAM,YAAY,SAAS;AAE3B,SAAO;AAAA,IACL,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,SAAS,CAAC,EAAE,MAAM,MAAM,qBAAqB,KAAK;AAAA,IAElD,WAAW,CAAC,QAAQ,yBAAyB,KAAK,WAAW,SAAS;AAAA,IAEtE,iBAAiB,CAAC,QAAQ,CAAC,aAAa,KAAK,WAAW,SAAS,CAAC;AAAA,EACpE;AAKF,CAAC;","names":["Effect","DEFAULT_TIMEOUT_MS","Effect","item","vault"]}
package/dist/client.js ADDED
@@ -0,0 +1,20 @@
1
+ // src/react/plugin-client.tsx
2
+ import { defineClientPlugin } from "@executor-js/sdk/client";
3
+
4
+ // src/react/secret-provider-plugin.ts
5
+ import { lazy } from "react";
6
+ var onePasswordSecretProviderPlugin = {
7
+ key: "onepassword",
8
+ label: "1Password",
9
+ settings: lazy(() => import("./OnePasswordSettings-NUPVIEGH.js"))
10
+ };
11
+
12
+ // src/react/plugin-client.tsx
13
+ var plugin_client_default = defineClientPlugin({
14
+ id: "onepassword",
15
+ secretProviderPlugin: onePasswordSecretProviderPlugin
16
+ });
17
+ export {
18
+ plugin_client_default as default
19
+ };
20
+ //# sourceMappingURL=client.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"sources":["../src/react/plugin-client.tsx","../src/react/secret-provider-plugin.ts"],"sourcesContent":["import { defineClientPlugin } from \"@executor-js/sdk/client\";\n\nimport { onePasswordSecretProviderPlugin } from \"./secret-provider-plugin\";\n\nexport default defineClientPlugin({\n id: \"onepassword\" as const,\n secretProviderPlugin: onePasswordSecretProviderPlugin,\n});\n","import { lazy } from \"react\";\nimport type { SecretProviderPlugin } from \"@executor-js/sdk/client\";\n\nexport const onePasswordSecretProviderPlugin: SecretProviderPlugin = {\n key: \"onepassword\",\n label: \"1Password\",\n settings: lazy(() => import(\"./OnePasswordSettings\")),\n};\n"],"mappings":";AAAA,SAAS,0BAA0B;;;ACAnC,SAAS,YAAY;AAGd,IAAM,kCAAwD;AAAA,EACnE,KAAK;AAAA,EACL,OAAO;AAAA,EACP,UAAU,KAAK,MAAM,OAAO,mCAAuB,CAAC;AACtD;;;ADHA,IAAO,wBAAQ,mBAAmB;AAAA,EAChC,IAAI;AAAA,EACJ,sBAAsB;AACxB,CAAC;","names":[]}
package/dist/core.js CHANGED
@@ -1,18 +1,20 @@
1
1
  import {
2
- ConnectionStatus,
3
- DesktopAppAuth,
4
- OnePasswordAuth,
5
- OnePasswordConfig,
6
- OnePasswordError,
7
2
  OnePasswordServiceTag,
8
- ServiceAccountAuth,
9
- Vault,
10
3
  makeCliService,
11
4
  makeNativeSdkService,
12
5
  makeOnePasswordService,
13
6
  makeOnePasswordStore,
14
7
  onepasswordPlugin
15
- } from "./chunk-HWMHIFQL.js";
8
+ } from "./chunk-ULLNZ6JH.js";
9
+ import {
10
+ ConnectionStatus,
11
+ DesktopAppAuth,
12
+ OnePasswordAuth,
13
+ OnePasswordConfig,
14
+ OnePasswordError,
15
+ ServiceAccountAuth,
16
+ Vault
17
+ } from "./chunk-NRYSRUWU.js";
16
18
  export {
17
19
  ConnectionStatus,
18
20
  DesktopAppAuth,
package/dist/index.js CHANGED
@@ -1,3 +1,6 @@
1
+ import {
2
+ onepasswordPlugin
3
+ } from "./chunk-ULLNZ6JH.js";
1
4
  import {
2
5
  ConnectionStatus,
3
6
  DesktopAppAuth,
@@ -5,9 +8,8 @@ import {
5
8
  OnePasswordConfig,
6
9
  OnePasswordError,
7
10
  ServiceAccountAuth,
8
- Vault,
9
- onepasswordPlugin
10
- } from "./chunk-HWMHIFQL.js";
11
+ Vault
12
+ } from "./chunk-NRYSRUWU.js";
11
13
  export {
12
14
  ConnectionStatus,
13
15
  DesktopAppAuth,
@@ -1,22 +1,32 @@
1
1
  import type { ScopeId } from "@executor-js/sdk/core";
2
2
  export declare const onepasswordWriteKeys: readonly ["secrets"];
3
- export declare const onepasswordConfigAtom: (scopeId: ScopeId) => import("effect/unstable/reactivity/Atom").Atom<import("effect/unstable/reactivity/AsyncResult").AsyncResult<import("../promise").OnePasswordConfig | null, import("../promise").OnePasswordError | import("@executor-js/api").InternalError>>;
4
- export declare const onepasswordStatusAtom: (scopeId: ScopeId) => import("effect/unstable/reactivity/Atom").Atom<import("effect/unstable/reactivity/AsyncResult").AsyncResult<import("../promise").ConnectionStatus, import("../promise").OnePasswordError | import("@executor-js/api").InternalError>>;
3
+ export declare const onepasswordConfigAtom: (scopeId: ScopeId) => import("effect/unstable/reactivity/Atom").Atom<import("effect/unstable/reactivity/AsyncResult").AsyncResult<import("../promise").OnePasswordConfig | null, import("@executor-js/api").InternalError | import("../promise").OnePasswordError>>;
4
+ export declare const onepasswordStatusAtom: (scopeId: ScopeId) => import("effect/unstable/reactivity/Atom").Atom<import("effect/unstable/reactivity/AsyncResult").AsyncResult<import("../promise").ConnectionStatus, import("@executor-js/api").InternalError | import("../promise").OnePasswordError>>;
5
5
  export declare const onepasswordVaultsAtom: (authKind: "desktop-app" | "service-account", account: string, scopeId: ScopeId) => import("effect/unstable/reactivity/Atom").Atom<import("effect/unstable/reactivity/AsyncResult").AsyncResult<{
6
6
  readonly vaults: readonly import("../promise").Vault[];
7
- }, import("../promise").OnePasswordError | import("@executor-js/api").InternalError>>;
7
+ }, import("@executor-js/api").InternalError | import("../promise").OnePasswordError>>;
8
8
  export declare const configureOnePassword: import("effect/unstable/reactivity/Atom").AtomResultFn<{
9
9
  readonly params: {
10
10
  readonly scopeId: string & import("effect/Brand").Brand<"ScopeId">;
11
11
  };
12
- readonly payload: import("../promise").OnePasswordConfig;
12
+ readonly payload: {
13
+ readonly name: string;
14
+ readonly auth: {
15
+ readonly kind: "desktop-app";
16
+ readonly accountName: string;
17
+ } | {
18
+ readonly kind: "service-account";
19
+ readonly tokenSecretId: string;
20
+ };
21
+ readonly vaultId: string;
22
+ };
13
23
  readonly responseMode?: "decoded-only" | undefined;
14
24
  readonly reactivityKeys?: readonly unknown[] | import("effect/Record").ReadonlyRecord<string, readonly unknown[]> | undefined;
15
- }, void, import("../promise").OnePasswordError | import("@executor-js/api").InternalError>;
25
+ }, void, import("@executor-js/api").InternalError | import("../promise").OnePasswordError>;
16
26
  export declare const removeOnePasswordConfig: import("effect/unstable/reactivity/Atom").AtomResultFn<{
17
27
  readonly params: {
18
28
  readonly scopeId: string & import("effect/Brand").Brand<"ScopeId">;
19
29
  };
20
30
  readonly responseMode?: "decoded-only" | undefined;
21
31
  readonly reactivityKeys?: readonly unknown[] | import("effect/Record").ReadonlyRecord<string, readonly unknown[]> | undefined;
22
- }, void, import("../promise").OnePasswordError | import("@executor-js/api").InternalError>;
32
+ }, void, import("@executor-js/api").InternalError | import("../promise").OnePasswordError>;