@executor-js/plugin-onepassword 0.1.0 → 0.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -1,4 +1,9 @@
1
1
  import { Schema } from "effect";
2
+ export declare const DesktopAppAuthSchema: Schema.Struct<{
3
+ readonly kind: Schema.Literal<"desktop-app">;
4
+ /** 1Password account domain, e.g. "my.1password.com" */
5
+ readonly accountName: Schema.String;
6
+ }>;
2
7
  declare const DesktopAppAuth_base: Schema.Class<DesktopAppAuth, Schema.Struct<{
3
8
  readonly kind: Schema.Literal<"desktop-app">;
4
9
  /** 1Password account domain, e.g. "my.1password.com" */
@@ -6,6 +11,11 @@ declare const DesktopAppAuth_base: Schema.Class<DesktopAppAuth, Schema.Struct<{
6
11
  }>, {}>;
7
12
  export declare class DesktopAppAuth extends DesktopAppAuth_base {
8
13
  }
14
+ export declare const ServiceAccountAuthSchema: Schema.Struct<{
15
+ readonly kind: Schema.Literal<"service-account">;
16
+ /** The service account token (stored as a secret) */
17
+ readonly tokenSecretId: Schema.String;
18
+ }>;
9
19
  declare const ServiceAccountAuth_base: Schema.Class<ServiceAccountAuth, Schema.Struct<{
10
20
  readonly kind: Schema.Literal<"service-account">;
11
21
  /** The service account token (stored as a secret) */
@@ -13,10 +23,42 @@ declare const ServiceAccountAuth_base: Schema.Class<ServiceAccountAuth, Schema.S
13
23
  }>, {}>;
14
24
  export declare class ServiceAccountAuth extends ServiceAccountAuth_base {
15
25
  }
26
+ export declare const OnePasswordAuthSchema: Schema.Union<readonly [Schema.Struct<{
27
+ readonly kind: Schema.Literal<"desktop-app">;
28
+ /** 1Password account domain, e.g. "my.1password.com" */
29
+ readonly accountName: Schema.String;
30
+ }>, Schema.Struct<{
31
+ readonly kind: Schema.Literal<"service-account">;
32
+ /** The service account token (stored as a secret) */
33
+ readonly tokenSecretId: Schema.String;
34
+ }>]>;
16
35
  export declare const OnePasswordAuth: Schema.Union<readonly [typeof DesktopAppAuth, typeof ServiceAccountAuth]>;
17
36
  export type OnePasswordAuth = typeof OnePasswordAuth.Type;
37
+ export declare const OnePasswordConfigSchema: Schema.Struct<{
38
+ readonly auth: Schema.Union<readonly [Schema.Struct<{
39
+ readonly kind: Schema.Literal<"desktop-app">;
40
+ /** 1Password account domain, e.g. "my.1password.com" */
41
+ readonly accountName: Schema.String;
42
+ }>, Schema.Struct<{
43
+ readonly kind: Schema.Literal<"service-account">;
44
+ /** The service account token (stored as a secret) */
45
+ readonly tokenSecretId: Schema.String;
46
+ }>]>;
47
+ /** Vault to scope operations to */
48
+ readonly vaultId: Schema.String;
49
+ /** Human label */
50
+ readonly name: Schema.String;
51
+ }>;
18
52
  declare const OnePasswordConfig_base: Schema.Class<OnePasswordConfig, Schema.Struct<{
19
- readonly auth: Schema.Union<readonly [typeof DesktopAppAuth, typeof ServiceAccountAuth]>;
53
+ readonly auth: Schema.Union<readonly [Schema.Struct<{
54
+ readonly kind: Schema.Literal<"desktop-app">;
55
+ /** 1Password account domain, e.g. "my.1password.com" */
56
+ readonly accountName: Schema.String;
57
+ }>, Schema.Struct<{
58
+ readonly kind: Schema.Literal<"service-account">;
59
+ /** The service account token (stored as a secret) */
60
+ readonly tokenSecretId: Schema.String;
61
+ }>]>;
20
62
  /** Vault to scope operations to */
21
63
  readonly vaultId: Schema.String;
22
64
  /** Human label */
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@executor-js/plugin-onepassword",
3
- "version": "0.1.0",
3
+ "version": "0.2.1",
4
4
  "homepage": "https://github.com/RhysSullivan/executor/tree/main/packages/plugins/onepassword",
5
5
  "bugs": {
6
6
  "url": "https://github.com/RhysSullivan/executor/issues"
@@ -27,6 +27,12 @@
27
27
  "types": "./dist/sdk/index.d.ts",
28
28
  "default": "./dist/core.js"
29
29
  }
30
+ },
31
+ "./client": {
32
+ "import": {
33
+ "types": "./dist/react/plugin-client.d.ts",
34
+ "default": "./dist/client.js"
35
+ }
30
36
  }
31
37
  },
32
38
  "publishConfig": {
@@ -43,7 +49,7 @@
43
49
  "@1password/op-js": "^0.1.13",
44
50
  "@1password/sdk": "^0.4.1-beta.1",
45
51
  "@effect/atom-react": "4.0.0-beta.59",
46
- "@executor-js/sdk": "0.1.0",
52
+ "@executor-js/sdk": "0.2.1",
47
53
  "effect": "4.0.0-beta.59"
48
54
  },
49
55
  "devDependencies": {
@@ -1,446 +0,0 @@
1
- // src/sdk/errors.ts
2
- import { Schema } from "effect";
3
- var OnePasswordError = class extends Schema.TaggedErrorClass()(
4
- "OnePasswordError",
5
- {
6
- operation: Schema.String,
7
- message: Schema.String
8
- },
9
- { httpApiStatus: 502 }
10
- ) {
11
- };
12
-
13
- // src/sdk/types.ts
14
- import { Schema as Schema2 } from "effect";
15
- var DesktopAppAuth = class extends Schema2.Class("DesktopAppAuth")({
16
- kind: Schema2.Literal("desktop-app"),
17
- /** 1Password account domain, e.g. "my.1password.com" */
18
- accountName: Schema2.String
19
- }) {
20
- };
21
- var ServiceAccountAuth = class extends Schema2.Class("ServiceAccountAuth")({
22
- kind: Schema2.Literal("service-account"),
23
- /** The service account token (stored as a secret) */
24
- tokenSecretId: Schema2.String
25
- }) {
26
- };
27
- var OnePasswordAuth = Schema2.Union([DesktopAppAuth, ServiceAccountAuth]);
28
- var OnePasswordConfig = class extends Schema2.Class("OnePasswordConfig")({
29
- auth: OnePasswordAuth,
30
- /** Vault to scope operations to */
31
- vaultId: Schema2.String,
32
- /** Human label */
33
- name: Schema2.String
34
- }) {
35
- };
36
- var Vault = class extends Schema2.Class("Vault")({
37
- id: Schema2.String,
38
- name: Schema2.String
39
- }) {
40
- };
41
- var ConnectionStatus = class extends Schema2.Class("ConnectionStatus")({
42
- connected: Schema2.Boolean,
43
- vaultName: Schema2.optional(Schema2.String),
44
- error: Schema2.optional(Schema2.String)
45
- }) {
46
- };
47
-
48
- // src/sdk/service.ts
49
- import { Context, Duration, Effect } from "effect";
50
- import * as op from "@1password/op-js";
51
- var OnePasswordServiceTag = class extends Context.Service()("@executor-js/plugin-onepassword/OnePasswordService") {
52
- };
53
- var DEFAULT_TIMEOUT_MS = 15e3;
54
- var loadOnePasswordSdk = () => Effect.tryPromise({
55
- try: () => import("@1password/sdk"),
56
- catch: (cause) => new OnePasswordError({
57
- operation: "sdk module load",
58
- message: cause instanceof Error ? cause.message : String(cause)
59
- })
60
- });
61
- var makeTimeoutMessage = (operation, timeoutMs) => [
62
- `${operation}: timed out after ${Math.floor(timeoutMs / 1e3)}s.`,
63
- "Troubleshooting:",
64
- "1. Make sure the 1Password desktop app is open and unlocked",
65
- "2. Check for an approval prompt in the 1Password app \u2014 it may be behind other windows",
66
- "3. Ensure 'Developer > Connect with 1Password CLI' is enabled in 1Password Settings",
67
- "4. Make sure no other app or terminal is waiting for 1Password approval (only one prompt at a time)",
68
- "5. Try quitting 1Password completely and reopening it, then retry"
69
- ].join("\n");
70
- var timeoutWithOnePasswordError = (operation, timeoutMs) => Effect.timeoutOrElse({
71
- duration: Duration.millis(timeoutMs),
72
- orElse: () => Effect.fail(
73
- new OnePasswordError({
74
- operation,
75
- message: makeTimeoutMessage(operation, timeoutMs)
76
- })
77
- )
78
- });
79
- var makeNativeSdkService = (auth, timeoutMs = DEFAULT_TIMEOUT_MS) => Effect.gen(function* () {
80
- const sdk = yield* loadOnePasswordSdk().pipe(
81
- timeoutWithOnePasswordError("sdk module load", timeoutMs)
82
- );
83
- const client = yield* Effect.tryPromise({
84
- try: () => sdk.createClient({
85
- auth: auth.kind === "desktop-app" ? new sdk.DesktopAuth(auth.accountName) : auth.token,
86
- integrationName: "Executor",
87
- integrationVersion: "0.0.0"
88
- }),
89
- catch: (cause) => new OnePasswordError({
90
- operation: "client setup",
91
- message: cause instanceof Error ? cause.message : String(cause)
92
- })
93
- }).pipe(
94
- timeoutWithOnePasswordError("client setup", timeoutMs)
95
- );
96
- const wrap = (fn, operation) => Effect.tryPromise({
97
- try: fn,
98
- catch: (cause) => new OnePasswordError({
99
- operation,
100
- message: cause instanceof Error ? cause.message : String(cause)
101
- })
102
- }).pipe(
103
- timeoutWithOnePasswordError(operation, timeoutMs),
104
- Effect.withSpan(`onepassword.sdk.${operation}`)
105
- );
106
- return OnePasswordServiceTag.of({
107
- resolveSecret: (uri) => wrap(() => client.secrets.resolve(uri), "secret resolution"),
108
- listVaults: () => wrap(() => client.vaults.list({ decryptDetails: true }), "vault listing").pipe(
109
- Effect.map((vaults) => vaults.map((v) => ({ id: v.id, title: v.title })))
110
- ),
111
- listItems: (vaultId) => wrap(() => client.items.list(vaultId), "item listing").pipe(
112
- Effect.map((items) => items.map((i) => ({ id: i.id, title: i.title })))
113
- )
114
- });
115
- }).pipe(Effect.withSpan("onepassword.sdk.make_service"));
116
- var makeCliService = (auth) => Effect.sync(() => {
117
- if (auth.kind === "service-account") {
118
- op.setServiceAccount(auth.token);
119
- } else {
120
- op.setGlobalFlags({ account: auth.accountName });
121
- }
122
- const wrapSync = (fn, operation) => Effect.try({
123
- try: fn,
124
- catch: (cause) => new OnePasswordError({
125
- operation,
126
- message: cause instanceof Error ? cause.message : String(cause)
127
- })
128
- }).pipe(Effect.withSpan(`onepassword.cli.${operation}`));
129
- return OnePasswordServiceTag.of({
130
- resolveSecret: (uri) => wrapSync(() => op.read.parse(uri), "secret resolution"),
131
- listVaults: () => wrapSync(() => op.vault.list(), "vault listing").pipe(
132
- Effect.map((vaults) => vaults.map((v) => ({ id: v.id, title: v.name })))
133
- ),
134
- listItems: (vaultId) => wrapSync(() => op.item.list({ vault: vaultId }), "item listing").pipe(
135
- Effect.map((items) => items.map((i) => ({ id: i.id, title: i.title })))
136
- )
137
- });
138
- }).pipe(Effect.withSpan("onepassword.cli.make_service"));
139
- var makeOnePasswordService = (auth, options) => {
140
- const timeoutMs = options?.timeoutMs ?? DEFAULT_TIMEOUT_MS;
141
- if (options?.preferSdk) {
142
- return makeNativeSdkService(auth, timeoutMs);
143
- }
144
- return makeCliService(auth).pipe(
145
- Effect.catch(
146
- (cliError) => (
147
- // CLI unavailable (e.g. `op` not installed) — fall back to SDK
148
- makeNativeSdkService(auth, timeoutMs).pipe(Effect.mapError(() => cliError))
149
- )
150
- )
151
- );
152
- };
153
-
154
- // src/sdk/plugin.ts
155
- import { Effect as Effect3, Schema as Schema4 } from "effect";
156
- import {
157
- definePlugin,
158
- StorageError
159
- } from "@executor-js/sdk/core";
160
-
161
- // src/api/group.ts
162
- import { HttpApiEndpoint, HttpApiGroup } from "effect/unstable/httpapi";
163
- import { Schema as Schema3 } from "effect";
164
- import { ScopeId } from "@executor-js/sdk/core";
165
- import { InternalError } from "@executor-js/api";
166
- var ScopeParams = { scopeId: ScopeId };
167
- var ConfigurePayload = OnePasswordConfig;
168
- var ListVaultsParams = Schema3.Struct({
169
- authKind: Schema3.Literals(["desktop-app", "service-account"]),
170
- account: Schema3.String
171
- });
172
- var ListVaultsResponse = Schema3.Struct({
173
- vaults: Schema3.Array(Vault)
174
- });
175
- var GetConfigResponse = Schema3.NullOr(OnePasswordConfig);
176
- var OnePasswordGroup = HttpApiGroup.make("onepassword").add(
177
- HttpApiEndpoint.get("getConfig", "/scopes/:scopeId/onepassword/config", {
178
- params: ScopeParams,
179
- success: GetConfigResponse,
180
- error: [InternalError, OnePasswordError]
181
- })
182
- ).add(
183
- HttpApiEndpoint.put("configure", "/scopes/:scopeId/onepassword/config", {
184
- params: ScopeParams,
185
- payload: ConfigurePayload,
186
- success: Schema3.Void,
187
- error: [InternalError, OnePasswordError]
188
- })
189
- ).add(
190
- HttpApiEndpoint.delete("removeConfig", "/scopes/:scopeId/onepassword/config", {
191
- params: ScopeParams,
192
- success: Schema3.Void,
193
- error: [InternalError, OnePasswordError]
194
- })
195
- ).add(
196
- HttpApiEndpoint.get("status", "/scopes/:scopeId/onepassword/status", {
197
- params: ScopeParams,
198
- success: ConnectionStatus,
199
- error: [InternalError, OnePasswordError]
200
- })
201
- ).add(
202
- HttpApiEndpoint.get("listVaults", "/scopes/:scopeId/onepassword/vaults", {
203
- params: ScopeParams,
204
- query: ListVaultsParams,
205
- success: ListVaultsResponse,
206
- error: [InternalError, OnePasswordError]
207
- })
208
- );
209
-
210
- // src/api/handlers.ts
211
- import { HttpApiBuilder } from "effect/unstable/httpapi";
212
- import { Context as Context2, Effect as Effect2 } from "effect";
213
- import { addGroup, capture } from "@executor-js/api";
214
- var OnePasswordExtensionService = class extends Context2.Service()("OnePasswordExtensionService") {
215
- };
216
- var ExecutorApiWithOnePassword = addGroup(OnePasswordGroup);
217
- var OnePasswordHandlers = HttpApiBuilder.group(
218
- ExecutorApiWithOnePassword,
219
- "onepassword",
220
- (handlers) => handlers.handle(
221
- "getConfig",
222
- () => capture(Effect2.gen(function* () {
223
- const ext = yield* OnePasswordExtensionService;
224
- return yield* ext.getConfig();
225
- }))
226
- ).handle(
227
- "configure",
228
- ({ payload }) => capture(Effect2.gen(function* () {
229
- const ext = yield* OnePasswordExtensionService;
230
- yield* ext.configure(payload);
231
- }))
232
- ).handle(
233
- "removeConfig",
234
- () => capture(Effect2.gen(function* () {
235
- const ext = yield* OnePasswordExtensionService;
236
- yield* ext.removeConfig();
237
- }))
238
- ).handle(
239
- "status",
240
- () => capture(Effect2.gen(function* () {
241
- const ext = yield* OnePasswordExtensionService;
242
- return yield* ext.status();
243
- }))
244
- ).handle(
245
- "listVaults",
246
- ({ query: urlParams }) => capture(Effect2.gen(function* () {
247
- const ext = yield* OnePasswordExtensionService;
248
- const auth = urlParams.authKind === "desktop-app" ? { kind: "desktop-app", accountName: urlParams.account } : { kind: "service-account", tokenSecretId: urlParams.account };
249
- const vaults = yield* ext.listVaults(auth);
250
- return { vaults: [...vaults] };
251
- }))
252
- )
253
- );
254
-
255
- // src/sdk/plugin.ts
256
- var CREDENTIAL_FIELD = "credential";
257
- var DEFAULT_TIMEOUT_MS2 = 15e3;
258
- var CONFIG_KEY = "config";
259
- var decodeConfig = Schema4.decodeUnknownSync(OnePasswordConfig);
260
- var blobStorageError = (operation) => (cause) => new StorageError({
261
- message: `onepassword blob ${operation}: ${cause instanceof Error ? cause.message : String(cause)}`,
262
- cause
263
- });
264
- var makeOnePasswordStore = (blobs, writeScope) => ({
265
- getConfig: () => blobs.get(CONFIG_KEY).pipe(
266
- Effect3.mapError(blobStorageError("read")),
267
- Effect3.flatMap((raw) => {
268
- if (raw === null) return Effect3.succeed(null);
269
- return Effect3.try({
270
- try: () => decodeConfig(JSON.parse(raw)),
271
- catch: (cause) => new OnePasswordError({
272
- operation: "config decode",
273
- message: cause instanceof Error ? cause.message : String(cause)
274
- })
275
- });
276
- })
277
- ),
278
- saveConfig: (config) => blobs.put(
279
- CONFIG_KEY,
280
- JSON.stringify({
281
- auth: config.auth,
282
- vaultId: config.vaultId,
283
- name: config.name
284
- }),
285
- { scope: writeScope }
286
- ).pipe(Effect3.mapError(blobStorageError("write"))),
287
- deleteConfig: () => blobs.delete(CONFIG_KEY, { scope: writeScope }).pipe(Effect3.mapError(blobStorageError("delete")))
288
- });
289
- var resolveAuth = (auth, ctx) => {
290
- if (auth.kind === "desktop-app") {
291
- return Effect3.succeed({
292
- kind: "desktop-app",
293
- accountName: auth.accountName
294
- });
295
- }
296
- return ctx.secrets.get(auth.tokenSecretId).pipe(
297
- Effect3.mapError(
298
- (err) => "_tag" in err && err._tag === "SecretOwnedByConnectionError" ? new OnePasswordError({
299
- operation: "auth resolution",
300
- message: `Service account token secret "${auth.tokenSecretId}" not found`
301
- }) : err
302
- ),
303
- Effect3.flatMap((token) => {
304
- if (token === null) {
305
- return Effect3.fail(
306
- new OnePasswordError({
307
- operation: "auth resolution",
308
- message: `Service account token secret "${auth.tokenSecretId}" not found`
309
- })
310
- );
311
- }
312
- return Effect3.succeed({
313
- kind: "service-account",
314
- token
315
- });
316
- })
317
- );
318
- };
319
- var getServiceFromConfig = (config, ctx, timeoutMs, preferSdk) => resolveAuth(config.auth, ctx).pipe(
320
- Effect3.flatMap(
321
- (resolved) => makeOnePasswordService(resolved, { timeoutMs, preferSdk })
322
- )
323
- );
324
- var makeProvider = (ctx, timeoutMs, preferSdk) => ({
325
- key: "onepassword",
326
- writable: false,
327
- // 1Password vaults are named in the stored config; the executor-scope
328
- // arg isn't used for routing here. A future refactor could let the
329
- // plugin store per-scope vault bindings and pick based on `scope`.
330
- get: (secretId, _scope) => ctx.storage.getConfig().pipe(
331
- Effect3.flatMap((config) => {
332
- if (!config) return Effect3.succeed(null);
333
- const uri = secretId.startsWith("op://") ? secretId : `op://${config.vaultId}/${secretId}/${CREDENTIAL_FIELD}`;
334
- return getServiceFromConfig(config, ctx, timeoutMs, preferSdk).pipe(
335
- Effect3.flatMap((svc) => svc.resolveSecret(uri)),
336
- Effect3.map((v) => v),
337
- Effect3.orElseSucceed(() => null)
338
- );
339
- }),
340
- Effect3.orElseSucceed(() => null)
341
- ),
342
- list: () => ctx.storage.getConfig().pipe(
343
- Effect3.flatMap((config) => {
344
- if (!config)
345
- return Effect3.succeed(
346
- []
347
- );
348
- return getServiceFromConfig(config, ctx, timeoutMs, preferSdk).pipe(
349
- Effect3.flatMap((svc) => svc.listItems(config.vaultId)),
350
- Effect3.map(
351
- (items) => items.map((item2) => ({ id: item2.id, name: item2.title }))
352
- )
353
- );
354
- }),
355
- Effect3.orElseSucceed(
356
- () => []
357
- )
358
- )
359
- });
360
- var onepasswordPlugin = definePlugin(
361
- (options) => {
362
- const timeoutMs = options?.timeoutMs ?? DEFAULT_TIMEOUT_MS2;
363
- const preferSdk = options?.preferSdk;
364
- return {
365
- id: "onepassword",
366
- packageName: "@executor-js/plugin-onepassword",
367
- storage: ({ blobs, scopes }) => makeOnePasswordStore(blobs, scopes.at(-1).id),
368
- extension: (ctx) => {
369
- return {
370
- configure: (config) => ctx.storage.saveConfig(config),
371
- getConfig: () => ctx.storage.getConfig(),
372
- removeConfig: () => ctx.storage.deleteConfig(),
373
- status: () => Effect3.gen(function* () {
374
- const config = yield* ctx.storage.getConfig();
375
- if (!config) {
376
- return new ConnectionStatus({
377
- connected: false,
378
- error: "Not configured"
379
- });
380
- }
381
- const svc = yield* getServiceFromConfig(
382
- config,
383
- ctx,
384
- timeoutMs,
385
- preferSdk
386
- );
387
- const vaults = yield* svc.listVaults();
388
- const vault2 = vaults.find((v) => v.id === config.vaultId);
389
- return new ConnectionStatus({
390
- connected: true,
391
- vaultName: vault2?.title
392
- });
393
- }),
394
- listVaults: (auth) => Effect3.gen(function* () {
395
- const resolved = yield* resolveAuth(auth, ctx);
396
- const svc = yield* makeOnePasswordService(resolved, {
397
- timeoutMs,
398
- preferSdk
399
- });
400
- const vaults = yield* svc.listVaults();
401
- return vaults.map((v) => new Vault({ id: v.id, name: v.title })).sort((a, b) => a.name.localeCompare(b.name));
402
- }),
403
- resolve: (uri) => Effect3.gen(function* () {
404
- const config = yield* ctx.storage.getConfig();
405
- if (!config) {
406
- return yield* Effect3.fail(
407
- new OnePasswordError({
408
- operation: "resolve",
409
- message: "1Password is not configured"
410
- })
411
- );
412
- }
413
- const svc = yield* getServiceFromConfig(
414
- config,
415
- ctx,
416
- timeoutMs,
417
- preferSdk
418
- );
419
- return yield* svc.resolveSecret(uri);
420
- })
421
- };
422
- },
423
- secretProviders: (ctx) => [makeProvider(ctx, timeoutMs, preferSdk)],
424
- routes: () => OnePasswordGroup,
425
- handlers: () => OnePasswordHandlers,
426
- extensionService: OnePasswordExtensionService
427
- };
428
- }
429
- );
430
-
431
- export {
432
- OnePasswordError,
433
- DesktopAppAuth,
434
- ServiceAccountAuth,
435
- OnePasswordAuth,
436
- OnePasswordConfig,
437
- Vault,
438
- ConnectionStatus,
439
- OnePasswordServiceTag,
440
- makeNativeSdkService,
441
- makeCliService,
442
- makeOnePasswordService,
443
- makeOnePasswordStore,
444
- onepasswordPlugin
445
- };
446
- //# sourceMappingURL=chunk-2NSVLCQP.js.map
@@ -1 +0,0 @@
1
- {"version":3,"sources":["../src/sdk/errors.ts","../src/sdk/types.ts","../src/sdk/service.ts","../src/sdk/plugin.ts","../src/api/group.ts","../src/api/handlers.ts"],"sourcesContent":["import { Schema } from \"effect\";\n\nexport class OnePasswordError extends Schema.TaggedErrorClass<OnePasswordError>()(\n \"OnePasswordError\",\n {\n operation: Schema.String,\n message: Schema.String,\n },\n { httpApiStatus: 502 },\n) {}\n","import { Schema } from \"effect\";\n\n// ---------------------------------------------------------------------------\n// Auth — how to talk to 1Password\n// ---------------------------------------------------------------------------\n\nexport class DesktopAppAuth extends Schema.Class<DesktopAppAuth>(\"DesktopAppAuth\")({\n kind: Schema.Literal(\"desktop-app\"),\n /** 1Password account domain, e.g. \"my.1password.com\" */\n accountName: Schema.String,\n}) {}\n\nexport class ServiceAccountAuth extends Schema.Class<ServiceAccountAuth>(\"ServiceAccountAuth\")({\n kind: Schema.Literal(\"service-account\"),\n /** The service account token (stored as a secret) */\n tokenSecretId: Schema.String,\n}) {}\n\nexport const OnePasswordAuth = Schema.Union([DesktopAppAuth, ServiceAccountAuth]);\nexport type OnePasswordAuth = typeof OnePasswordAuth.Type;\n\n// ---------------------------------------------------------------------------\n// Stored config — persisted via KV\n// ---------------------------------------------------------------------------\n\nexport class OnePasswordConfig extends Schema.Class<OnePasswordConfig>(\"OnePasswordConfig\")({\n auth: OnePasswordAuth,\n /** Vault to scope operations to */\n vaultId: Schema.String,\n /** Human label */\n name: Schema.String,\n}) {}\n\n// ---------------------------------------------------------------------------\n// Vault\n// ---------------------------------------------------------------------------\n\nexport class Vault extends Schema.Class<Vault>(\"Vault\")({\n id: Schema.String,\n name: Schema.String,\n}) {}\n\n// ---------------------------------------------------------------------------\n// Connection status\n// ---------------------------------------------------------------------------\n\nexport class ConnectionStatus extends Schema.Class<ConnectionStatus>(\"ConnectionStatus\")({\n connected: Schema.Boolean,\n vaultName: Schema.optional(Schema.String),\n error: Schema.optional(Schema.String),\n}) {}\n","import { Context, Duration, Effect } from \"effect\";\nimport * as op from \"@1password/op-js\";\n\nimport { OnePasswordError } from \"./errors\";\n\n// ---------------------------------------------------------------------------\n// Canonical service interface — all backends (SDK, CLI) implement this\n// ---------------------------------------------------------------------------\n\nexport interface OnePasswordVault {\n readonly id: string;\n readonly title: string;\n}\n\nexport interface OnePasswordItem {\n readonly id: string;\n readonly title: string;\n}\n\nexport interface OnePasswordService {\n /** Resolve a secret by op:// URI */\n readonly resolveSecret: (uri: string) => Effect.Effect<string, OnePasswordError>;\n\n /** List accessible vaults */\n readonly listVaults: () => Effect.Effect<ReadonlyArray<OnePasswordVault>, OnePasswordError>;\n\n /** List items in a vault */\n readonly listItems: (\n vaultId: string,\n ) => Effect.Effect<ReadonlyArray<OnePasswordItem>, OnePasswordError>;\n}\n\nexport class OnePasswordServiceTag extends Context.Service<\n OnePasswordServiceTag,\n OnePasswordService\n>()(\"@executor-js/plugin-onepassword/OnePasswordService\") {}\n\n// ---------------------------------------------------------------------------\n// Resolved auth — raw credentials ready for any backend\n// ---------------------------------------------------------------------------\n\nexport type ResolvedAuth =\n | { readonly kind: \"desktop-app\"; readonly accountName: string }\n | { readonly kind: \"service-account\"; readonly token: string };\n\n// ---------------------------------------------------------------------------\n// SDK backend — uses @1password/sdk native IPC\n// ---------------------------------------------------------------------------\n\nconst DEFAULT_TIMEOUT_MS = 15_000;\ntype OnePasswordSdkModule = typeof import(\"@1password/sdk\");\n\nconst loadOnePasswordSdk = (): Effect.Effect<OnePasswordSdkModule, OnePasswordError> =>\n Effect.tryPromise({\n try: () => import(\"@1password/sdk\"),\n catch: (cause) =>\n new OnePasswordError({\n operation: \"sdk module load\",\n message: cause instanceof Error ? cause.message : String(cause),\n }),\n });\n\nconst makeTimeoutMessage = (operation: string, timeoutMs: number): string =>\n [\n `${operation}: timed out after ${Math.floor(timeoutMs / 1000)}s.`,\n \"Troubleshooting:\",\n \"1. Make sure the 1Password desktop app is open and unlocked\",\n \"2. Check for an approval prompt in the 1Password app — it may be behind other windows\",\n \"3. Ensure 'Developer > Connect with 1Password CLI' is enabled in 1Password Settings\",\n \"4. Make sure no other app or terminal is waiting for 1Password approval (only one prompt at a time)\",\n \"5. Try quitting 1Password completely and reopening it, then retry\",\n ].join(\"\\n\");\n\nconst timeoutWithOnePasswordError = (operation: string, timeoutMs: number) =>\n Effect.timeoutOrElse({\n duration: Duration.millis(timeoutMs),\n orElse: () =>\n Effect.fail(\n new OnePasswordError({\n operation,\n message: makeTimeoutMessage(operation, timeoutMs),\n }),\n ),\n });\n\nexport const makeNativeSdkService = (\n auth: ResolvedAuth,\n timeoutMs: number = DEFAULT_TIMEOUT_MS,\n): Effect.Effect<OnePasswordService, OnePasswordError> =>\n Effect.gen(function* () {\n const sdk = yield* loadOnePasswordSdk().pipe(\n timeoutWithOnePasswordError(\"sdk module load\", timeoutMs),\n );\n\n const client = yield* Effect.tryPromise({\n try: () =>\n sdk.createClient({\n auth: auth.kind === \"desktop-app\" ? new sdk.DesktopAuth(auth.accountName) : auth.token,\n integrationName: \"Executor\",\n integrationVersion: \"0.0.0\",\n }),\n catch: (cause) =>\n new OnePasswordError({\n operation: \"client setup\",\n message: cause instanceof Error ? cause.message : String(cause),\n }),\n }).pipe(\n timeoutWithOnePasswordError(\"client setup\", timeoutMs),\n );\n\n const wrap = <A>(fn: () => Promise<A>, operation: string): Effect.Effect<A, OnePasswordError> =>\n Effect.tryPromise({\n try: fn,\n catch: (cause) =>\n new OnePasswordError({\n operation,\n message: cause instanceof Error ? cause.message : String(cause),\n }),\n }).pipe(\n timeoutWithOnePasswordError(operation, timeoutMs),\n Effect.withSpan(`onepassword.sdk.${operation}`),\n );\n\n return OnePasswordServiceTag.of({\n resolveSecret: (uri) => wrap(() => client.secrets.resolve(uri), \"secret resolution\"),\n\n listVaults: () =>\n wrap(() => client.vaults.list({ decryptDetails: true }), \"vault listing\").pipe(\n Effect.map((vaults) => vaults.map((v) => ({ id: v.id, title: v.title }))),\n ),\n\n listItems: (vaultId) =>\n wrap(() => client.items.list(vaultId), \"item listing\").pipe(\n Effect.map((items) => items.map((i) => ({ id: i.id, title: i.title }))),\n ),\n });\n }).pipe(Effect.withSpan(\"onepassword.sdk.make_service\"));\n\n// ---------------------------------------------------------------------------\n// CLI backend — uses @1password/op-js (shells out to `op` CLI)\n// ---------------------------------------------------------------------------\n\nexport const makeCliService = (\n auth: ResolvedAuth,\n): Effect.Effect<OnePasswordService, OnePasswordError> =>\n Effect.sync(() => {\n // Configure auth\n if (auth.kind === \"service-account\") {\n op.setServiceAccount(auth.token);\n } else {\n op.setGlobalFlags({ account: auth.accountName });\n }\n\n const wrapSync = <A>(fn: () => A, operation: string): Effect.Effect<A, OnePasswordError> =>\n Effect.try({\n try: fn,\n catch: (cause) =>\n new OnePasswordError({\n operation,\n message: cause instanceof Error ? cause.message : String(cause),\n }),\n }).pipe(Effect.withSpan(`onepassword.cli.${operation}`));\n\n return OnePasswordServiceTag.of({\n resolveSecret: (uri) => wrapSync(() => op.read.parse(uri), \"secret resolution\"),\n\n listVaults: () =>\n wrapSync(() => op.vault.list(), \"vault listing\").pipe(\n Effect.map((vaults) => vaults.map((v) => ({ id: v.id, title: v.name }))),\n ),\n\n listItems: (vaultId) =>\n wrapSync(() => op.item.list({ vault: vaultId }), \"item listing\").pipe(\n Effect.map((items) => items.map((i) => ({ id: i.id, title: i.title }))),\n ),\n });\n }).pipe(Effect.withSpan(\"onepassword.cli.make_service\"));\n\n// ---------------------------------------------------------------------------\n// Smart factory — tries CLI first (avoids IPC hang), falls back to SDK\n// ---------------------------------------------------------------------------\n\nexport const makeOnePasswordService = (\n auth: ResolvedAuth,\n options?: { readonly preferSdk?: boolean; readonly timeoutMs?: number },\n): Effect.Effect<OnePasswordService, OnePasswordError> => {\n const timeoutMs = options?.timeoutMs ?? DEFAULT_TIMEOUT_MS;\n\n if (options?.preferSdk) {\n return makeNativeSdkService(auth, timeoutMs);\n }\n\n // Default: prefer CLI to avoid the IPC hang bug\n return makeCliService(auth).pipe(\n Effect.catch((cliError: OnePasswordError) =>\n // CLI unavailable (e.g. `op` not installed) — fall back to SDK\n makeNativeSdkService(auth, timeoutMs).pipe(Effect.mapError(() => cliError)),\n ),\n );\n};\n","import { Effect, Schema } from \"effect\";\n\nimport {\n definePlugin,\n StorageError,\n type PluginCtx,\n type PluginBlobStore,\n type SecretProvider,\n type StorageFailure,\n} from \"@executor-js/sdk/core\";\n\nimport { OnePasswordGroup } from \"../api/group\";\nimport {\n OnePasswordExtensionService,\n OnePasswordHandlers,\n} from \"../api/handlers\";\n\nimport { OnePasswordConfig, Vault, ConnectionStatus } from \"./types\";\nimport type { OnePasswordAuth } from \"./types\";\nimport { OnePasswordError } from \"./errors\";\nimport {\n makeOnePasswordService,\n type ResolvedAuth,\n type OnePasswordService,\n} from \"./service\";\n\n// ---------------------------------------------------------------------------\n// Constants\n// ---------------------------------------------------------------------------\n\nconst CREDENTIAL_FIELD = \"credential\";\nconst DEFAULT_TIMEOUT_MS = 15_000;\nconst CONFIG_KEY = \"config\";\n\n// ---------------------------------------------------------------------------\n// Shared failure alias.\n//\n// Every extension method either touches storage (`ctx.storage` blobs or\n// `ctx.secrets`) or reaches the 1Password backend. Storage I/O surfaces\n// as `StorageFailure`; the HTTP edge (`withCapture`) translates\n// `StorageError` to `InternalError({ traceId })`. Domain problems (not\n// configured, service-account token missing, backend RPC failure) stay\n// as `OnePasswordError` and encode to 502 via the schema annotation on\n// the class.\n// ---------------------------------------------------------------------------\n\nexport type OnePasswordExtensionFailure = OnePasswordError | StorageFailure;\n\n// ---------------------------------------------------------------------------\n// Plugin extension — public API on executor.onepassword\n// ---------------------------------------------------------------------------\n\nexport interface OnePasswordExtension {\n /** Configure the 1Password connection */\n readonly configure: (\n config: OnePasswordConfig,\n ) => Effect.Effect<void, StorageFailure>;\n\n /** Get current configuration (if any) */\n readonly getConfig: () => Effect.Effect<\n OnePasswordConfig | null,\n OnePasswordExtensionFailure\n >;\n\n /** Remove the 1Password configuration */\n readonly removeConfig: () => Effect.Effect<void, StorageFailure>;\n\n /** Check connection status */\n readonly status: () => Effect.Effect<\n ConnectionStatus,\n OnePasswordExtensionFailure\n >;\n\n /** List accessible vaults (requires auth) */\n readonly listVaults: (\n auth: OnePasswordAuth,\n ) => Effect.Effect<ReadonlyArray<Vault>, OnePasswordExtensionFailure>;\n\n /** Resolve a secret directly by op:// URI */\n readonly resolve: (\n uri: string,\n ) => Effect.Effect<string, OnePasswordExtensionFailure>;\n}\n\n// ---------------------------------------------------------------------------\n// Typed config store — single blob, JSON encoded. Blob I/O failures surface\n// as `StorageError` (HTTP edge translates to `InternalError`); decode\n// failures stay `OnePasswordError` — the blob's contents are a plugin\n// concern, not an infrastructure one.\n// ---------------------------------------------------------------------------\n\nexport interface OnePasswordStore {\n readonly getConfig: () => Effect.Effect<\n OnePasswordConfig | null,\n StorageError | OnePasswordError\n >;\n readonly saveConfig: (\n config: OnePasswordConfig,\n ) => Effect.Effect<void, StorageError>;\n readonly deleteConfig: () => Effect.Effect<void, StorageError>;\n}\n\nconst decodeConfig = Schema.decodeUnknownSync(OnePasswordConfig);\n\nconst blobStorageError = (operation: string) =>\n (cause: unknown): StorageError =>\n new StorageError({\n message: `onepassword blob ${operation}: ${\n cause instanceof Error ? cause.message : String(cause)\n }`,\n cause,\n });\n\nexport const makeOnePasswordStore = (\n blobs: PluginBlobStore,\n /** Scope id that owns the single 1Password config blob. Default is the\n * outermost scope (org/workspace) so the config is visible across\n * every per-user scope via the blob store's fall-through read. */\n writeScope: string,\n): OnePasswordStore => ({\n getConfig: () =>\n blobs.get(CONFIG_KEY).pipe(\n Effect.mapError(blobStorageError(\"read\")),\n Effect.flatMap((raw) => {\n if (raw === null) return Effect.succeed(null);\n return Effect.try({\n try: () => decodeConfig(JSON.parse(raw)),\n catch: (cause) =>\n new OnePasswordError({\n operation: \"config decode\",\n message: cause instanceof Error ? cause.message : String(cause),\n }),\n });\n }),\n ),\n\n saveConfig: (config) =>\n blobs\n .put(\n CONFIG_KEY,\n JSON.stringify({\n auth: config.auth,\n vaultId: config.vaultId,\n name: config.name,\n }),\n { scope: writeScope },\n )\n .pipe(Effect.mapError(blobStorageError(\"write\"))),\n\n deleteConfig: () =>\n blobs\n .delete(CONFIG_KEY, { scope: writeScope })\n .pipe(Effect.mapError(blobStorageError(\"delete\"))),\n});\n\n// ---------------------------------------------------------------------------\n// Helpers — auth resolution + service construction\n// ---------------------------------------------------------------------------\n\nconst resolveAuth = (\n auth: OnePasswordAuth,\n ctx: PluginCtx<OnePasswordStore>,\n): Effect.Effect<ResolvedAuth, OnePasswordError | StorageFailure> => {\n if (auth.kind === \"desktop-app\") {\n return Effect.succeed({\n kind: \"desktop-app\" as const,\n accountName: auth.accountName,\n });\n }\n return ctx.secrets.get(auth.tokenSecretId).pipe(\n Effect.mapError((err) =>\n \"_tag\" in err && err._tag === \"SecretOwnedByConnectionError\"\n ? new OnePasswordError({\n operation: \"auth resolution\",\n message: `Service account token secret \"${auth.tokenSecretId}\" not found`,\n })\n : err,\n ),\n Effect.flatMap((token) => {\n if (token === null) {\n return Effect.fail(\n new OnePasswordError({\n operation: \"auth resolution\",\n message: `Service account token secret \"${auth.tokenSecretId}\" not found`,\n }),\n );\n }\n return Effect.succeed({\n kind: \"service-account\" as const,\n token,\n });\n }),\n );\n};\n\nconst getServiceFromConfig = (\n config: OnePasswordConfig,\n ctx: PluginCtx<OnePasswordStore>,\n timeoutMs: number,\n preferSdk: boolean | undefined,\n): Effect.Effect<OnePasswordService, OnePasswordError | StorageFailure> =>\n resolveAuth(config.auth, ctx).pipe(\n Effect.flatMap((resolved) =>\n makeOnePasswordService(resolved, { timeoutMs, preferSdk }),\n ),\n );\n\n// ---------------------------------------------------------------------------\n// SecretProvider — read-only, resolves op:// URIs or vaultId-based lookups\n// ---------------------------------------------------------------------------\n\nconst makeProvider = (\n ctx: PluginCtx<OnePasswordStore>,\n timeoutMs: number,\n preferSdk: boolean | undefined,\n): SecretProvider => ({\n key: \"onepassword\",\n writable: false,\n\n // 1Password vaults are named in the stored config; the executor-scope\n // arg isn't used for routing here. A future refactor could let the\n // plugin store per-scope vault bindings and pick based on `scope`.\n get: (secretId, _scope) =>\n ctx.storage.getConfig().pipe(\n Effect.flatMap((config) => {\n if (!config) return Effect.succeed(null as string | null);\n\n const uri = secretId.startsWith(\"op://\")\n ? secretId\n : `op://${config.vaultId}/${secretId}/${CREDENTIAL_FIELD}`;\n\n return getServiceFromConfig(config, ctx, timeoutMs, preferSdk).pipe(\n Effect.flatMap((svc) => svc.resolveSecret(uri)),\n Effect.map((v): string | null => v),\n Effect.orElseSucceed(() => null),\n );\n }),\n Effect.orElseSucceed(() => null),\n ),\n\n list: () =>\n ctx.storage.getConfig().pipe(\n Effect.flatMap((config) => {\n if (!config)\n return Effect.succeed(\n [] as ReadonlyArray<{ id: string; name: string }>,\n );\n return getServiceFromConfig(config, ctx, timeoutMs, preferSdk).pipe(\n Effect.flatMap((svc) => svc.listItems(config.vaultId)),\n Effect.map(\n (items): ReadonlyArray<{ id: string; name: string }> =>\n items.map((item) => ({ id: item.id, name: item.title })),\n ),\n );\n }),\n Effect.orElseSucceed(\n () => [] as ReadonlyArray<{ id: string; name: string }>,\n ),\n ),\n});\n\n// ---------------------------------------------------------------------------\n// Plugin factory\n// ---------------------------------------------------------------------------\n\nexport interface OnePasswordPluginOptions {\n /** Request timeout in ms (default: 15000) */\n readonly timeoutMs?: number;\n /** Force use of the native SDK instead of the CLI (default: false) */\n readonly preferSdk?: boolean;\n}\n\nexport const onepasswordPlugin = definePlugin(\n (options?: OnePasswordPluginOptions) => {\n const timeoutMs = options?.timeoutMs ?? DEFAULT_TIMEOUT_MS;\n const preferSdk = options?.preferSdk;\n\n return {\n id: \"onepassword\" as const,\n packageName: \"@executor-js/plugin-onepassword\",\n storage: ({ blobs, scopes }) =>\n makeOnePasswordStore(blobs, scopes.at(-1)!.id as string),\n\n extension: (ctx) => {\n return {\n configure: (config) => ctx.storage.saveConfig(config),\n\n getConfig: () => ctx.storage.getConfig(),\n\n removeConfig: () => ctx.storage.deleteConfig(),\n\n status: () =>\n Effect.gen(function* () {\n const config = yield* ctx.storage.getConfig();\n if (!config) {\n return new ConnectionStatus({\n connected: false,\n error: \"Not configured\",\n });\n }\n const svc = yield* getServiceFromConfig(\n config,\n ctx,\n timeoutMs,\n preferSdk,\n );\n const vaults = yield* svc.listVaults();\n const vault = vaults.find((v) => v.id === config.vaultId);\n return new ConnectionStatus({\n connected: true,\n vaultName: vault?.title,\n });\n }),\n\n listVaults: (auth) =>\n Effect.gen(function* () {\n const resolved = yield* resolveAuth(auth, ctx);\n const svc = yield* makeOnePasswordService(resolved, {\n timeoutMs,\n preferSdk,\n });\n const vaults = yield* svc.listVaults();\n return vaults\n .map((v) => new Vault({ id: v.id, name: v.title }))\n .sort((a, b) => a.name.localeCompare(b.name));\n }),\n\n resolve: (uri) =>\n Effect.gen(function* () {\n const config = yield* ctx.storage.getConfig();\n if (!config) {\n return yield* Effect.fail(\n new OnePasswordError({\n operation: \"resolve\",\n message: \"1Password is not configured\",\n }),\n );\n }\n const svc = yield* getServiceFromConfig(\n config,\n ctx,\n timeoutMs,\n preferSdk,\n );\n return yield* svc.resolveSecret(uri);\n }),\n } satisfies OnePasswordExtension;\n },\n\n secretProviders: (ctx) => [makeProvider(ctx, timeoutMs, preferSdk)],\n\n routes: () => OnePasswordGroup,\n handlers: () => OnePasswordHandlers,\n extensionService: OnePasswordExtensionService,\n };\n },\n);\n","import { HttpApiEndpoint, HttpApiGroup } from \"effect/unstable/httpapi\";\nimport { Schema } from \"effect\";\nimport { ScopeId } from \"@executor-js/sdk/core\";\nimport { InternalError } from \"@executor-js/api\";\n\nimport { OnePasswordError } from \"../sdk/errors\";\nimport { OnePasswordConfig, Vault, ConnectionStatus } from \"../sdk/types\";\n\n// ---------------------------------------------------------------------------\n// Params\n// ---------------------------------------------------------------------------\n\nconst ScopeParams = { scopeId: ScopeId };\n\n// ---------------------------------------------------------------------------\n// Payloads\n// ---------------------------------------------------------------------------\n\nconst ConfigurePayload = OnePasswordConfig;\n\nconst ListVaultsParams = Schema.Struct({\n authKind: Schema.Literals([\"desktop-app\", \"service-account\"]),\n account: Schema.String,\n});\n\n// ---------------------------------------------------------------------------\n// Responses\n// ---------------------------------------------------------------------------\n\nconst ListVaultsResponse = Schema.Struct({\n vaults: Schema.Array(Vault),\n});\n\nconst GetConfigResponse = Schema.NullOr(OnePasswordConfig);\n\n// ---------------------------------------------------------------------------\n// Group\n//\n// Plugin SDK errors (OnePasswordError) are declared once at the group level\n// via `.addError(...)` — every endpoint inherits. The error carries its own\n// 502 status via `HttpApiSchema.annotations` in errors.ts.\n//\n// `InternalError` is the shared opaque 500 schema translated at the HTTP\n// edge by `withCapture` (see observability.ts). Storage failures on\n// `ctx.storage`/`ctx.secrets` flow through as `StorageFailure` in the\n// typed channel and are captured + downgraded to `InternalError({ traceId })`\n// at Layer composition. No per-handler translation.\n// ---------------------------------------------------------------------------\n\nexport const OnePasswordGroup = HttpApiGroup.make(\"onepassword\")\n .add(\n HttpApiEndpoint.get(\"getConfig\", \"/scopes/:scopeId/onepassword/config\", {\n params: ScopeParams,\n success: GetConfigResponse,\n error: [InternalError, OnePasswordError],\n }),\n )\n .add(\n HttpApiEndpoint.put(\"configure\", \"/scopes/:scopeId/onepassword/config\", {\n params: ScopeParams,\n payload: ConfigurePayload,\n success: Schema.Void,\n error: [InternalError, OnePasswordError],\n }),\n )\n .add(\n HttpApiEndpoint.delete(\"removeConfig\", \"/scopes/:scopeId/onepassword/config\", {\n params: ScopeParams,\n success: Schema.Void,\n error: [InternalError, OnePasswordError],\n }),\n )\n .add(\n HttpApiEndpoint.get(\"status\", \"/scopes/:scopeId/onepassword/status\", {\n params: ScopeParams,\n success: ConnectionStatus,\n error: [InternalError, OnePasswordError],\n }),\n )\n .add(\n HttpApiEndpoint.get(\"listVaults\", \"/scopes/:scopeId/onepassword/vaults\", {\n params: ScopeParams,\n query: ListVaultsParams,\n success: ListVaultsResponse,\n error: [InternalError, OnePasswordError],\n }),\n );\n","import { HttpApiBuilder } from \"effect/unstable/httpapi\";\nimport { Context, Effect } from \"effect\";\n\nimport { addGroup, capture } from \"@executor-js/api\";\nimport type { OnePasswordExtension } from \"../sdk/plugin\";\nimport { OnePasswordGroup } from \"./group\";\n\n// ---------------------------------------------------------------------------\n// Service tag\n//\n// Holds the `Captured` shape — every method's `StorageFailure` channel has\n// been swapped for `InternalError({ traceId })`. The host provides an\n// already-wrapped extension via\n// `Layer.succeed(OnePasswordExtensionService, withCapture(executor).onepassword)`.\n// Handlers see `InternalError` in the error union, which matches\n// `.addError(InternalError)` on the group — no per-handler translation.\n// ---------------------------------------------------------------------------\n\nexport class OnePasswordExtensionService extends Context.Service<OnePasswordExtensionService, OnePasswordExtension\n>()(\"OnePasswordExtensionService\") {}\n\n// ---------------------------------------------------------------------------\n// Composed API — core + onepassword group\n// ---------------------------------------------------------------------------\n\nconst ExecutorApiWithOnePassword = addGroup(OnePasswordGroup);\n\n// ---------------------------------------------------------------------------\n// Handlers\n//\n// Each handler is exactly: yield the extension service, call the method,\n// return. Plugin SDK errors flow through the typed channel and are\n// schema-encoded (OnePasswordError -> 502) by HttpApi. Defects bubble up\n// and are captured + downgraded to `InternalError(traceId)` by the\n// observability middleware.\n// ---------------------------------------------------------------------------\n\nexport const OnePasswordHandlers = HttpApiBuilder.group(\n ExecutorApiWithOnePassword,\n \"onepassword\",\n (handlers) =>\n handlers\n .handle(\"getConfig\", () =>\n capture(Effect.gen(function* () {\n const ext = yield* OnePasswordExtensionService;\n return yield* ext.getConfig();\n })),\n )\n .handle(\"configure\", ({ payload }) =>\n capture(Effect.gen(function* () {\n const ext = yield* OnePasswordExtensionService;\n yield* ext.configure(payload);\n })),\n )\n .handle(\"removeConfig\", () =>\n capture(Effect.gen(function* () {\n const ext = yield* OnePasswordExtensionService;\n yield* ext.removeConfig();\n })),\n )\n .handle(\"status\", () =>\n capture(Effect.gen(function* () {\n const ext = yield* OnePasswordExtensionService;\n return yield* ext.status();\n })),\n )\n .handle(\"listVaults\", ({ query: urlParams }) =>\n capture(Effect.gen(function* () {\n const ext = yield* OnePasswordExtensionService;\n const auth =\n urlParams.authKind === \"desktop-app\"\n ? { kind: \"desktop-app\" as const, accountName: urlParams.account }\n : { kind: \"service-account\" as const, tokenSecretId: urlParams.account };\n const vaults = yield* ext.listVaults(auth);\n return { vaults: [...vaults] };\n })),\n ),\n);\n"],"mappings":";AAAA,SAAS,cAAc;AAEhB,IAAM,mBAAN,cAA+B,OAAO,iBAAmC;AAAA,EAC9E;AAAA,EACA;AAAA,IACE,WAAW,OAAO;AAAA,IAClB,SAAS,OAAO;AAAA,EAClB;AAAA,EACA,EAAE,eAAe,IAAI;AACvB,EAAE;AAAC;;;ACTH,SAAS,UAAAA,eAAc;AAMhB,IAAM,iBAAN,cAA6BA,QAAO,MAAsB,gBAAgB,EAAE;AAAA,EACjF,MAAMA,QAAO,QAAQ,aAAa;AAAA;AAAA,EAElC,aAAaA,QAAO;AACtB,CAAC,EAAE;AAAC;AAEG,IAAM,qBAAN,cAAiCA,QAAO,MAA0B,oBAAoB,EAAE;AAAA,EAC7F,MAAMA,QAAO,QAAQ,iBAAiB;AAAA;AAAA,EAEtC,eAAeA,QAAO;AACxB,CAAC,EAAE;AAAC;AAEG,IAAM,kBAAkBA,QAAO,MAAM,CAAC,gBAAgB,kBAAkB,CAAC;AAOzE,IAAM,oBAAN,cAAgCA,QAAO,MAAyB,mBAAmB,EAAE;AAAA,EAC1F,MAAM;AAAA;AAAA,EAEN,SAASA,QAAO;AAAA;AAAA,EAEhB,MAAMA,QAAO;AACf,CAAC,EAAE;AAAC;AAMG,IAAM,QAAN,cAAoBA,QAAO,MAAa,OAAO,EAAE;AAAA,EACtD,IAAIA,QAAO;AAAA,EACX,MAAMA,QAAO;AACf,CAAC,EAAE;AAAC;AAMG,IAAM,mBAAN,cAA+BA,QAAO,MAAwB,kBAAkB,EAAE;AAAA,EACvF,WAAWA,QAAO;AAAA,EAClB,WAAWA,QAAO,SAASA,QAAO,MAAM;AAAA,EACxC,OAAOA,QAAO,SAASA,QAAO,MAAM;AACtC,CAAC,EAAE;AAAC;;;AClDJ,SAAS,SAAS,UAAU,cAAc;AAC1C,YAAY,QAAQ;AA+Bb,IAAM,wBAAN,cAAoC,QAAQ,QAGjD,EAAE,oDAAoD,EAAE;AAAC;AAc3D,IAAM,qBAAqB;AAG3B,IAAM,qBAAqB,MACzB,OAAO,WAAW;AAAA,EAChB,KAAK,MAAM,OAAO,gBAAgB;AAAA,EAClC,OAAO,CAAC,UACN,IAAI,iBAAiB;AAAA,IACnB,WAAW;AAAA,IACX,SAAS,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK;AAAA,EAChE,CAAC;AACL,CAAC;AAEH,IAAM,qBAAqB,CAAC,WAAmB,cAC7C;AAAA,EACE,GAAG,SAAS,qBAAqB,KAAK,MAAM,YAAY,GAAI,CAAC;AAAA,EAC7D;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,EAAE,KAAK,IAAI;AAEb,IAAM,8BAA8B,CAAC,WAAmB,cACtD,OAAO,cAAc;AAAA,EACnB,UAAU,SAAS,OAAO,SAAS;AAAA,EACnC,QAAQ,MACN,OAAO;AAAA,IACL,IAAI,iBAAiB;AAAA,MACnB;AAAA,MACA,SAAS,mBAAmB,WAAW,SAAS;AAAA,IAClD,CAAC;AAAA,EACH;AACJ,CAAC;AAEI,IAAM,uBAAuB,CAClC,MACA,YAAoB,uBAEpB,OAAO,IAAI,aAAa;AACtB,QAAM,MAAM,OAAO,mBAAmB,EAAE;AAAA,IACtC,4BAA4B,mBAAmB,SAAS;AAAA,EAC1D;AAEA,QAAM,SAAS,OAAO,OAAO,WAAW;AAAA,IACtC,KAAK,MACH,IAAI,aAAa;AAAA,MACf,MAAM,KAAK,SAAS,gBAAgB,IAAI,IAAI,YAAY,KAAK,WAAW,IAAI,KAAK;AAAA,MACjF,iBAAiB;AAAA,MACjB,oBAAoB;AAAA,IACtB,CAAC;AAAA,IACH,OAAO,CAAC,UACN,IAAI,iBAAiB;AAAA,MACnB,WAAW;AAAA,MACX,SAAS,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK;AAAA,IAChE,CAAC;AAAA,EACL,CAAC,EAAE;AAAA,IACD,4BAA4B,gBAAgB,SAAS;AAAA,EACvD;AAEA,QAAM,OAAO,CAAI,IAAsB,cACrC,OAAO,WAAW;AAAA,IAChB,KAAK;AAAA,IACL,OAAO,CAAC,UACN,IAAI,iBAAiB;AAAA,MACnB;AAAA,MACA,SAAS,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK;AAAA,IAChE,CAAC;AAAA,EACL,CAAC,EAAE;AAAA,IACD,4BAA4B,WAAW,SAAS;AAAA,IAChD,OAAO,SAAS,mBAAmB,SAAS,EAAE;AAAA,EAChD;AAEF,SAAO,sBAAsB,GAAG;AAAA,IAC9B,eAAe,CAAC,QAAQ,KAAK,MAAM,OAAO,QAAQ,QAAQ,GAAG,GAAG,mBAAmB;AAAA,IAEnF,YAAY,MACV,KAAK,MAAM,OAAO,OAAO,KAAK,EAAE,gBAAgB,KAAK,CAAC,GAAG,eAAe,EAAE;AAAA,MACxE,OAAO,IAAI,CAAC,WAAW,OAAO,IAAI,CAAC,OAAO,EAAE,IAAI,EAAE,IAAI,OAAO,EAAE,MAAM,EAAE,CAAC;AAAA,IAC1E;AAAA,IAEF,WAAW,CAAC,YACV,KAAK,MAAM,OAAO,MAAM,KAAK,OAAO,GAAG,cAAc,EAAE;AAAA,MACrD,OAAO,IAAI,CAAC,UAAU,MAAM,IAAI,CAAC,OAAO,EAAE,IAAI,EAAE,IAAI,OAAO,EAAE,MAAM,EAAE,CAAC;AAAA,IACxE;AAAA,EACJ,CAAC;AACH,CAAC,EAAE,KAAK,OAAO,SAAS,8BAA8B,CAAC;AAMlD,IAAM,iBAAiB,CAC5B,SAEA,OAAO,KAAK,MAAM;AAEhB,MAAI,KAAK,SAAS,mBAAmB;AACnC,IAAG,qBAAkB,KAAK,KAAK;AAAA,EACjC,OAAO;AACL,IAAG,kBAAe,EAAE,SAAS,KAAK,YAAY,CAAC;AAAA,EACjD;AAEA,QAAM,WAAW,CAAI,IAAa,cAChC,OAAO,IAAI;AAAA,IACT,KAAK;AAAA,IACL,OAAO,CAAC,UACN,IAAI,iBAAiB;AAAA,MACnB;AAAA,MACA,SAAS,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK;AAAA,IAChE,CAAC;AAAA,EACL,CAAC,EAAE,KAAK,OAAO,SAAS,mBAAmB,SAAS,EAAE,CAAC;AAEzD,SAAO,sBAAsB,GAAG;AAAA,IAC9B,eAAe,CAAC,QAAQ,SAAS,MAAS,QAAK,MAAM,GAAG,GAAG,mBAAmB;AAAA,IAE9E,YAAY,MACV,SAAS,MAAS,SAAM,KAAK,GAAG,eAAe,EAAE;AAAA,MAC/C,OAAO,IAAI,CAAC,WAAW,OAAO,IAAI,CAAC,OAAO,EAAE,IAAI,EAAE,IAAI,OAAO,EAAE,KAAK,EAAE,CAAC;AAAA,IACzE;AAAA,IAEF,WAAW,CAAC,YACV,SAAS,MAAS,QAAK,KAAK,EAAE,OAAO,QAAQ,CAAC,GAAG,cAAc,EAAE;AAAA,MAC/D,OAAO,IAAI,CAAC,UAAU,MAAM,IAAI,CAAC,OAAO,EAAE,IAAI,EAAE,IAAI,OAAO,EAAE,MAAM,EAAE,CAAC;AAAA,IACxE;AAAA,EACJ,CAAC;AACH,CAAC,EAAE,KAAK,OAAO,SAAS,8BAA8B,CAAC;AAMlD,IAAM,yBAAyB,CACpC,MACA,YACwD;AACxD,QAAM,YAAY,SAAS,aAAa;AAExC,MAAI,SAAS,WAAW;AACtB,WAAO,qBAAqB,MAAM,SAAS;AAAA,EAC7C;AAGA,SAAO,eAAe,IAAI,EAAE;AAAA,IAC1B,OAAO;AAAA,MAAM,CAAC;AAAA;AAAA,QAEZ,qBAAqB,MAAM,SAAS,EAAE,KAAK,OAAO,SAAS,MAAM,QAAQ,CAAC;AAAA;AAAA,IAC5E;AAAA,EACF;AACF;;;ACvMA,SAAS,UAAAC,SAAQ,UAAAC,eAAc;AAE/B;AAAA,EACE;AAAA,EACA;AAAA,OAKK;;;ACTP,SAAS,iBAAiB,oBAAoB;AAC9C,SAAS,UAAAC,eAAc;AACvB,SAAS,eAAe;AACxB,SAAS,qBAAqB;AAS9B,IAAM,cAAc,EAAE,SAAS,QAAQ;AAMvC,IAAM,mBAAmB;AAEzB,IAAM,mBAAmBC,QAAO,OAAO;AAAA,EACrC,UAAUA,QAAO,SAAS,CAAC,eAAe,iBAAiB,CAAC;AAAA,EAC5D,SAASA,QAAO;AAClB,CAAC;AAMD,IAAM,qBAAqBA,QAAO,OAAO;AAAA,EACvC,QAAQA,QAAO,MAAM,KAAK;AAC5B,CAAC;AAED,IAAM,oBAAoBA,QAAO,OAAO,iBAAiB;AAgBlD,IAAM,mBAAmB,aAAa,KAAK,aAAa,EAC5D;AAAA,EACC,gBAAgB,IAAI,aAAa,uCAAuC;AAAA,IACtE,QAAQ;AAAA,IACR,SAAS;AAAA,IACT,OAAO,CAAC,eAAe,gBAAgB;AAAA,EACzC,CAAC;AACH,EACC;AAAA,EACC,gBAAgB,IAAI,aAAa,uCAAuC;AAAA,IACtE,QAAQ;AAAA,IACR,SAAS;AAAA,IACT,SAASA,QAAO;AAAA,IAChB,OAAO,CAAC,eAAe,gBAAgB;AAAA,EACzC,CAAC;AACH,EACC;AAAA,EACC,gBAAgB,OAAO,gBAAgB,uCAAuC;AAAA,IAC5E,QAAQ;AAAA,IACR,SAASA,QAAO;AAAA,IAChB,OAAO,CAAC,eAAe,gBAAgB;AAAA,EACzC,CAAC;AACH,EACC;AAAA,EACC,gBAAgB,IAAI,UAAU,uCAAuC;AAAA,IACnE,QAAQ;AAAA,IACR,SAAS;AAAA,IACT,OAAO,CAAC,eAAe,gBAAgB;AAAA,EACzC,CAAC;AACH,EACC;AAAA,EACC,gBAAgB,IAAI,cAAc,uCAAuC;AAAA,IACvE,QAAQ;AAAA,IACR,OAAO;AAAA,IACP,SAAS;AAAA,IACT,OAAO,CAAC,eAAe,gBAAgB;AAAA,EACzC,CAAC;AACH;;;ACtFF,SAAS,sBAAsB;AAC/B,SAAS,WAAAC,UAAS,UAAAC,eAAc;AAEhC,SAAS,UAAU,eAAe;AAe3B,IAAM,8BAAN,cAA0CC,SAAQ,QACvD,EAAE,6BAA6B,EAAE;AAAC;AAMpC,IAAM,6BAA6B,SAAS,gBAAgB;AAYrD,IAAM,sBAAsB,eAAe;AAAA,EAChD;AAAA,EACA;AAAA,EACA,CAAC,aACC,SACG;AAAA,IAAO;AAAA,IAAa,MACnB,QAAQC,QAAO,IAAI,aAAa;AAC9B,YAAM,MAAM,OAAO;AACnB,aAAO,OAAO,IAAI,UAAU;AAAA,IAC9B,CAAC,CAAC;AAAA,EACJ,EACC;AAAA,IAAO;AAAA,IAAa,CAAC,EAAE,QAAQ,MAC9B,QAAQA,QAAO,IAAI,aAAa;AAC9B,YAAM,MAAM,OAAO;AACnB,aAAO,IAAI,UAAU,OAAO;AAAA,IAC9B,CAAC,CAAC;AAAA,EACJ,EACC;AAAA,IAAO;AAAA,IAAgB,MACtB,QAAQA,QAAO,IAAI,aAAa;AAC9B,YAAM,MAAM,OAAO;AACnB,aAAO,IAAI,aAAa;AAAA,IAC1B,CAAC,CAAC;AAAA,EACJ,EACC;AAAA,IAAO;AAAA,IAAU,MAChB,QAAQA,QAAO,IAAI,aAAa;AAC9B,YAAM,MAAM,OAAO;AACnB,aAAO,OAAO,IAAI,OAAO;AAAA,IAC3B,CAAC,CAAC;AAAA,EACJ,EACC;AAAA,IAAO;AAAA,IAAc,CAAC,EAAE,OAAO,UAAU,MACxC,QAAQA,QAAO,IAAI,aAAa;AAC9B,YAAM,MAAM,OAAO;AACnB,YAAM,OACJ,UAAU,aAAa,gBACnB,EAAE,MAAM,eAAwB,aAAa,UAAU,QAAQ,IAC/D,EAAE,MAAM,mBAA4B,eAAe,UAAU,QAAQ;AAC3E,YAAM,SAAS,OAAO,IAAI,WAAW,IAAI;AACzC,aAAO,EAAE,QAAQ,CAAC,GAAG,MAAM,EAAE;AAAA,IAC/B,CAAC,CAAC;AAAA,EACJ;AACN;;;AF/CA,IAAM,mBAAmB;AACzB,IAAMC,sBAAqB;AAC3B,IAAM,aAAa;AAsEnB,IAAM,eAAeC,QAAO,kBAAkB,iBAAiB;AAE/D,IAAM,mBAAmB,CAAC,cACxB,CAAC,UACC,IAAI,aAAa;AAAA,EACf,SAAS,oBAAoB,SAAS,KACpC,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK,CACvD;AAAA,EACA;AACF,CAAC;AAEE,IAAM,uBAAuB,CAClC,OAIA,gBACsB;AAAA,EACtB,WAAW,MACT,MAAM,IAAI,UAAU,EAAE;AAAA,IACpBC,QAAO,SAAS,iBAAiB,MAAM,CAAC;AAAA,IACxCA,QAAO,QAAQ,CAAC,QAAQ;AACtB,UAAI,QAAQ,KAAM,QAAOA,QAAO,QAAQ,IAAI;AAC5C,aAAOA,QAAO,IAAI;AAAA,QAChB,KAAK,MAAM,aAAa,KAAK,MAAM,GAAG,CAAC;AAAA,QACvC,OAAO,CAAC,UACN,IAAI,iBAAiB;AAAA,UACnB,WAAW;AAAA,UACX,SAAS,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK;AAAA,QAChE,CAAC;AAAA,MACL,CAAC;AAAA,IACH,CAAC;AAAA,EACH;AAAA,EAEF,YAAY,CAAC,WACX,MACG;AAAA,IACC;AAAA,IACA,KAAK,UAAU;AAAA,MACb,MAAM,OAAO;AAAA,MACb,SAAS,OAAO;AAAA,MAChB,MAAM,OAAO;AAAA,IACf,CAAC;AAAA,IACD,EAAE,OAAO,WAAW;AAAA,EACtB,EACC,KAAKA,QAAO,SAAS,iBAAiB,OAAO,CAAC,CAAC;AAAA,EAEpD,cAAc,MACZ,MACG,OAAO,YAAY,EAAE,OAAO,WAAW,CAAC,EACxC,KAAKA,QAAO,SAAS,iBAAiB,QAAQ,CAAC,CAAC;AACvD;AAMA,IAAM,cAAc,CAClB,MACA,QACmE;AACnE,MAAI,KAAK,SAAS,eAAe;AAC/B,WAAOA,QAAO,QAAQ;AAAA,MACpB,MAAM;AAAA,MACN,aAAa,KAAK;AAAA,IACpB,CAAC;AAAA,EACH;AACA,SAAO,IAAI,QAAQ,IAAI,KAAK,aAAa,EAAE;AAAA,IACzCA,QAAO;AAAA,MAAS,CAAC,QACf,UAAU,OAAO,IAAI,SAAS,iCAC1B,IAAI,iBAAiB;AAAA,QACnB,WAAW;AAAA,QACX,SAAS,iCAAiC,KAAK,aAAa;AAAA,MAC9D,CAAC,IACD;AAAA,IACN;AAAA,IACAA,QAAO,QAAQ,CAAC,UAAU;AACxB,UAAI,UAAU,MAAM;AAClB,eAAOA,QAAO;AAAA,UACZ,IAAI,iBAAiB;AAAA,YACnB,WAAW;AAAA,YACX,SAAS,iCAAiC,KAAK,aAAa;AAAA,UAC9D,CAAC;AAAA,QACH;AAAA,MACF;AACA,aAAOA,QAAO,QAAQ;AAAA,QACpB,MAAM;AAAA,QACN;AAAA,MACF,CAAC;AAAA,IACH,CAAC;AAAA,EACH;AACF;AAEA,IAAM,uBAAuB,CAC3B,QACA,KACA,WACA,cAEA,YAAY,OAAO,MAAM,GAAG,EAAE;AAAA,EAC5BA,QAAO;AAAA,IAAQ,CAAC,aACd,uBAAuB,UAAU,EAAE,WAAW,UAAU,CAAC;AAAA,EAC3D;AACF;AAMF,IAAM,eAAe,CACnB,KACA,WACA,eACoB;AAAA,EACpB,KAAK;AAAA,EACL,UAAU;AAAA;AAAA;AAAA;AAAA,EAKV,KAAK,CAAC,UAAU,WACd,IAAI,QAAQ,UAAU,EAAE;AAAA,IACtBA,QAAO,QAAQ,CAAC,WAAW;AACzB,UAAI,CAAC,OAAQ,QAAOA,QAAO,QAAQ,IAAqB;AAExD,YAAM,MAAM,SAAS,WAAW,OAAO,IACnC,WACA,QAAQ,OAAO,OAAO,IAAI,QAAQ,IAAI,gBAAgB;AAE1D,aAAO,qBAAqB,QAAQ,KAAK,WAAW,SAAS,EAAE;AAAA,QAC7DA,QAAO,QAAQ,CAAC,QAAQ,IAAI,cAAc,GAAG,CAAC;AAAA,QAC9CA,QAAO,IAAI,CAAC,MAAqB,CAAC;AAAA,QAClCA,QAAO,cAAc,MAAM,IAAI;AAAA,MACjC;AAAA,IACF,CAAC;AAAA,IACDA,QAAO,cAAc,MAAM,IAAI;AAAA,EACjC;AAAA,EAEF,MAAM,MACJ,IAAI,QAAQ,UAAU,EAAE;AAAA,IACtBA,QAAO,QAAQ,CAAC,WAAW;AACzB,UAAI,CAAC;AACH,eAAOA,QAAO;AAAA,UACZ,CAAC;AAAA,QACH;AACF,aAAO,qBAAqB,QAAQ,KAAK,WAAW,SAAS,EAAE;AAAA,QAC7DA,QAAO,QAAQ,CAAC,QAAQ,IAAI,UAAU,OAAO,OAAO,CAAC;AAAA,QACrDA,QAAO;AAAA,UACL,CAAC,UACC,MAAM,IAAI,CAACC,WAAU,EAAE,IAAIA,MAAK,IAAI,MAAMA,MAAK,MAAM,EAAE;AAAA,QAC3D;AAAA,MACF;AAAA,IACF,CAAC;AAAA,IACDD,QAAO;AAAA,MACL,MAAM,CAAC;AAAA,IACT;AAAA,EACF;AACJ;AAaO,IAAM,oBAAoB;AAAA,EAC/B,CAAC,YAAuC;AACtC,UAAM,YAAY,SAAS,aAAaF;AACxC,UAAM,YAAY,SAAS;AAE3B,WAAO;AAAA,MACL,IAAI;AAAA,MACJ,aAAa;AAAA,MACb,SAAS,CAAC,EAAE,OAAO,OAAO,MACxB,qBAAqB,OAAO,OAAO,GAAG,EAAE,EAAG,EAAY;AAAA,MAEzD,WAAW,CAAC,QAAQ;AAClB,eAAO;AAAA,UACL,WAAW,CAAC,WAAW,IAAI,QAAQ,WAAW,MAAM;AAAA,UAEpD,WAAW,MAAM,IAAI,QAAQ,UAAU;AAAA,UAEvC,cAAc,MAAM,IAAI,QAAQ,aAAa;AAAA,UAE7C,QAAQ,MACNE,QAAO,IAAI,aAAa;AACtB,kBAAM,SAAS,OAAO,IAAI,QAAQ,UAAU;AAC5C,gBAAI,CAAC,QAAQ;AACX,qBAAO,IAAI,iBAAiB;AAAA,gBAC1B,WAAW;AAAA,gBACX,OAAO;AAAA,cACT,CAAC;AAAA,YACH;AACA,kBAAM,MAAM,OAAO;AAAA,cACjB;AAAA,cACA;AAAA,cACA;AAAA,cACA;AAAA,YACF;AACA,kBAAM,SAAS,OAAO,IAAI,WAAW;AACrC,kBAAME,SAAQ,OAAO,KAAK,CAAC,MAAM,EAAE,OAAO,OAAO,OAAO;AACxD,mBAAO,IAAI,iBAAiB;AAAA,cAC1B,WAAW;AAAA,cACX,WAAWA,QAAO;AAAA,YACpB,CAAC;AAAA,UACH,CAAC;AAAA,UAEH,YAAY,CAAC,SACXF,QAAO,IAAI,aAAa;AACtB,kBAAM,WAAW,OAAO,YAAY,MAAM,GAAG;AAC7C,kBAAM,MAAM,OAAO,uBAAuB,UAAU;AAAA,cAClD;AAAA,cACA;AAAA,YACF,CAAC;AACD,kBAAM,SAAS,OAAO,IAAI,WAAW;AACrC,mBAAO,OACJ,IAAI,CAAC,MAAM,IAAI,MAAM,EAAE,IAAI,EAAE,IAAI,MAAM,EAAE,MAAM,CAAC,CAAC,EACjD,KAAK,CAAC,GAAG,MAAM,EAAE,KAAK,cAAc,EAAE,IAAI,CAAC;AAAA,UAChD,CAAC;AAAA,UAEH,SAAS,CAAC,QACRA,QAAO,IAAI,aAAa;AACtB,kBAAM,SAAS,OAAO,IAAI,QAAQ,UAAU;AAC5C,gBAAI,CAAC,QAAQ;AACX,qBAAO,OAAOA,QAAO;AAAA,gBACnB,IAAI,iBAAiB;AAAA,kBACnB,WAAW;AAAA,kBACX,SAAS;AAAA,gBACX,CAAC;AAAA,cACH;AAAA,YACF;AACA,kBAAM,MAAM,OAAO;AAAA,cACjB;AAAA,cACA;AAAA,cACA;AAAA,cACA;AAAA,YACF;AACA,mBAAO,OAAO,IAAI,cAAc,GAAG;AAAA,UACrC,CAAC;AAAA,QACL;AAAA,MACF;AAAA,MAEA,iBAAiB,CAAC,QAAQ,CAAC,aAAa,KAAK,WAAW,SAAS,CAAC;AAAA,MAElE,QAAQ,MAAM;AAAA,MACd,UAAU,MAAM;AAAA,MAChB,kBAAkB;AAAA,IACpB;AAAA,EACF;AACF;","names":["Schema","Effect","Schema","Schema","Schema","Context","Effect","Context","Effect","DEFAULT_TIMEOUT_MS","Schema","Effect","item","vault"]}