@executor-js/plugin-onepassword 1.4.33 → 1.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -3,8 +3,10 @@ import {
3
3
  OnePasswordAuth,
4
4
  OnePasswordConfig,
5
5
  OnePasswordError,
6
- Vault
7
- } from "./chunk-TRGRRIAX.js";
6
+ RedactedOnePasswordConfig,
7
+ Vault,
8
+ redactConfig
9
+ } from "./chunk-OYHEG6OK.js";
8
10
 
9
11
  // src/sdk/service.ts
10
12
  import { Context, Duration, Effect, Semaphore } from "effect";
@@ -123,14 +125,16 @@ import {
123
125
  definePlugin,
124
126
  StorageError,
125
127
  ToolResult,
126
- tool
128
+ tool,
129
+ ProviderItemId,
130
+ ProviderKey
127
131
  } from "@executor-js/sdk/core";
128
132
  var CREDENTIAL_FIELD = "credential";
129
133
  var DEFAULT_TIMEOUT_MS2 = 15e3;
130
134
  var CONFIG_KEY = "config";
135
+ var PROVIDER_KEY = ProviderKey.make("onepassword");
131
136
  var schemaToStaticToolSchema = (schema) => Schema.toStandardSchemaV1(Schema.toStandardJSONSchemaV1(schema));
132
137
  var OnePasswordConfigureInput = Schema.Struct({
133
- scope: Schema.String,
134
138
  auth: OnePasswordAuth,
135
139
  vaultId: Schema.String,
136
140
  name: Schema.String
@@ -139,15 +143,12 @@ var OnePasswordConfigureOutput = Schema.Struct({
139
143
  configured: Schema.Boolean
140
144
  });
141
145
  var OnePasswordGetConfigOutput = Schema.Struct({
142
- config: Schema.NullOr(OnePasswordConfig)
146
+ config: Schema.NullOr(RedactedOnePasswordConfig)
143
147
  });
144
148
  var OnePasswordListVaultsInput = OnePasswordAuth;
145
149
  var OnePasswordListVaultsOutput = Schema.Struct({
146
150
  vaults: Schema.Array(Vault)
147
151
  });
148
- var OnePasswordRemoveConfigInput = Schema.Struct({
149
- targetScope: Schema.String
150
- });
151
152
  var OnePasswordRemoveConfigOutput = Schema.Struct({
152
153
  removed: Schema.Boolean
153
154
  });
@@ -157,7 +158,6 @@ var OnePasswordConfigureOutputStd = schemaToStaticToolSchema(OnePasswordConfigur
157
158
  var OnePasswordGetConfigOutputStd = schemaToStaticToolSchema(OnePasswordGetConfigOutput);
158
159
  var OnePasswordListVaultsInputStd = schemaToStaticToolSchema(OnePasswordListVaultsInput);
159
160
  var OnePasswordListVaultsOutputStd = schemaToStaticToolSchema(OnePasswordListVaultsOutput);
160
- var OnePasswordRemoveConfigInputStd = schemaToStaticToolSchema(OnePasswordRemoveConfigInput);
161
161
  var OnePasswordRemoveConfigOutputStd = schemaToStaticToolSchema(OnePasswordRemoveConfigOutput);
162
162
  var OnePasswordStatusOutputStd = schemaToStaticToolSchema(OnePasswordStatusOutput);
163
163
  var decodeConfig = Schema.decodeUnknownEffect(Schema.fromJsonString(OnePasswordConfig));
@@ -180,99 +180,62 @@ var makeOnePasswordStore = (blobs) => ({
180
180
  );
181
181
  })
182
182
  ),
183
- saveConfig: (config, targetScope) => blobs.put(
183
+ saveConfig: (config, owner) => blobs.put(
184
184
  CONFIG_KEY,
185
185
  JSON.stringify({
186
186
  auth: config.auth,
187
187
  vaultId: config.vaultId,
188
188
  name: config.name
189
189
  }),
190
- { scope: targetScope }
190
+ { owner }
191
191
  ).pipe(Effect2.mapError(blobStorageError("write"))),
192
- deleteConfig: (targetScope) => blobs.delete(CONFIG_KEY, { scope: targetScope }).pipe(Effect2.mapError(blobStorageError("delete")))
192
+ deleteConfig: (owner) => blobs.delete(CONFIG_KEY, { owner }).pipe(Effect2.mapError(blobStorageError("delete")))
193
193
  });
194
- var resolveAuth = (auth, ctx) => {
195
- if (auth.kind === "desktop-app") {
196
- return Effect2.succeed({
197
- kind: "desktop-app",
198
- accountName: auth.accountName
199
- });
200
- }
201
- return ctx.secrets.get(auth.tokenSecretId).pipe(
202
- Effect2.catchTag(
203
- "SecretOwnedByConnectionError",
204
- () => Effect2.fail(
205
- new OnePasswordError({
206
- operation: "auth resolution",
207
- message: `Service account token secret "${auth.tokenSecretId}" not found`
208
- })
209
- )
210
- ),
211
- Effect2.flatMap((token) => {
212
- if (token === null) {
213
- return Effect2.fail(
214
- new OnePasswordError({
215
- operation: "auth resolution",
216
- message: `Service account token secret "${auth.tokenSecretId}" not found`
217
- })
218
- );
219
- }
220
- return Effect2.succeed({
221
- kind: "service-account",
222
- token
223
- });
224
- })
225
- );
226
- };
227
- var getServiceFromConfig = (config, ctx, timeoutMs, preferSdk) => resolveAuth(config.auth, ctx).pipe(
228
- Effect2.flatMap((resolved) => makeOnePasswordService(resolved, { timeoutMs, preferSdk }))
229
- );
230
- var configuredVaultUri = (config, secretId) => {
231
- if (!secretId.startsWith("op://")) {
232
- return `op://${config.vaultId}/${secretId}/${CREDENTIAL_FIELD}`;
194
+ var resolveAuth = (auth) => auth.kind === "desktop-app" ? { kind: "desktop-app", accountName: auth.accountName } : { kind: "service-account", token: auth.token };
195
+ var getServiceFromConfig = (config, timeoutMs, preferSdk) => makeOnePasswordService(resolveAuth(config.auth), { timeoutMs, preferSdk });
196
+ var configuredVaultUri = (config, itemId) => {
197
+ if (!itemId.startsWith("op://")) {
198
+ return `op://${config.vaultId}/${itemId}/${CREDENTIAL_FIELD}`;
233
199
  }
234
- const match = secretId.match(/^op:\/\/([^/]+)\/.+/);
200
+ const match = itemId.match(/^op:\/\/([^/]+)\/.+/);
235
201
  if (!match || match[1] !== config.vaultId) return null;
236
- return secretId;
202
+ return itemId;
237
203
  };
238
204
  var makeProvider = (ctx, timeoutMs, preferSdk) => ({
239
- key: "onepassword",
205
+ key: PROVIDER_KEY,
240
206
  writable: false,
241
- allowFallback: false,
242
- // 1Password vaults are named in the stored config; the executor-scope
243
- // arg isn't used for routing here. A future refactor could let the
244
- // plugin store per-scope vault bindings and pick based on `scope`.
245
- get: (secretId, _scope) => ctx.storage.getConfig().pipe(
207
+ get: (id) => ctx.storage.getConfig().pipe(
246
208
  Effect2.flatMap((config) => {
247
209
  if (!config) return Effect2.succeed(null);
248
- const uri = configuredVaultUri(config, secretId);
210
+ const uri = configuredVaultUri(config, id);
249
211
  if (uri === null) return Effect2.succeed(null);
250
- return getServiceFromConfig(config, ctx, timeoutMs, preferSdk).pipe(
212
+ return getServiceFromConfig(config, timeoutMs, preferSdk).pipe(
251
213
  Effect2.flatMap((svc) => svc.resolveSecret(uri)),
252
214
  Effect2.map((v) => v),
253
215
  Effect2.orElseSucceed(() => null)
254
216
  );
255
217
  }),
256
- Effect2.orElseSucceed(() => null)
218
+ Effect2.catch(() => Effect2.succeed(null))
257
219
  ),
258
220
  list: () => ctx.storage.getConfig().pipe(
259
221
  Effect2.flatMap((config) => {
260
222
  if (!config) return Effect2.succeed([]);
261
- return getServiceFromConfig(config, ctx, timeoutMs, preferSdk).pipe(
223
+ return getServiceFromConfig(config, timeoutMs, preferSdk).pipe(
262
224
  Effect2.flatMap((svc) => svc.listItems(config.vaultId)),
263
225
  Effect2.map(
264
- (items) => items.map((item2) => ({ id: item2.id, name: item2.title }))
226
+ (items) => items.map((item2) => ({ id: ProviderItemId.make(item2.id), name: item2.title }))
265
227
  )
266
228
  );
267
229
  }),
268
- Effect2.orElseSucceed(() => [])
230
+ Effect2.catch(() => Effect2.succeed([]))
269
231
  )
270
232
  });
233
+ var ownerForCtx = (ctx) => ctx.owner.subject === null ? "org" : "user";
271
234
  var makeOnePasswordExtension = (ctx, timeoutMs, preferSdk) => {
272
235
  return {
273
- configure: (config, targetScope) => ctx.storage.saveConfig(config, targetScope),
274
- getConfig: () => ctx.storage.getConfig(),
275
- removeConfig: (targetScope) => ctx.storage.deleteConfig(targetScope),
236
+ configure: (config) => ctx.storage.saveConfig(config, ownerForCtx(ctx)),
237
+ getConfig: () => ctx.storage.getConfig().pipe(Effect2.map((config) => config ? redactConfig(config) : null)),
238
+ removeConfig: () => ctx.storage.deleteConfig(ownerForCtx(ctx)),
276
239
  status: () => Effect2.gen(function* () {
277
240
  const config = yield* ctx.storage.getConfig();
278
241
  if (!config) {
@@ -281,7 +244,7 @@ var makeOnePasswordExtension = (ctx, timeoutMs, preferSdk) => {
281
244
  error: "Not configured"
282
245
  });
283
246
  }
284
- const svc = yield* getServiceFromConfig(config, ctx, timeoutMs, preferSdk);
247
+ const svc = yield* getServiceFromConfig(config, timeoutMs, preferSdk);
285
248
  const vaults = yield* svc.listVaults();
286
249
  const vault2 = vaults.find((v) => v.id === config.vaultId);
287
250
  return ConnectionStatus.make({
@@ -290,8 +253,7 @@ var makeOnePasswordExtension = (ctx, timeoutMs, preferSdk) => {
290
253
  });
291
254
  }),
292
255
  listVaults: (auth) => Effect2.gen(function* () {
293
- const resolved = yield* resolveAuth(auth, ctx);
294
- const svc = yield* makeOnePasswordService(resolved, {
256
+ const svc = yield* makeOnePasswordService(resolveAuth(auth), {
295
257
  timeoutMs,
296
258
  preferSdk
297
259
  });
@@ -313,7 +275,7 @@ var makeOnePasswordExtension = (ctx, timeoutMs, preferSdk) => {
313
275
  message: "1Password secret URI is outside the configured vault"
314
276
  });
315
277
  }
316
- const svc = yield* getServiceFromConfig(config, ctx, timeoutMs, preferSdk);
278
+ const svc = yield* getServiceFromConfig(config, timeoutMs, preferSdk);
317
279
  return yield* svc.resolveSecret(scopedUri);
318
280
  })
319
281
  };
@@ -334,55 +296,51 @@ var onepasswordPlugin = definePlugin((options) => {
334
296
  tools: [
335
297
  tool({
336
298
  name: "status",
337
- description: "Check whether the 1Password secret provider is configured and can reach its selected vault. This returns status only, never secret values.",
299
+ description: "Check whether the 1Password credential provider is configured and can reach its selected vault. This returns status only, never secret values.",
338
300
  outputSchema: OnePasswordStatusOutputStd,
339
301
  execute: () => Effect2.map(self.status(), ToolResult.ok)
340
302
  }),
341
303
  tool({
342
304
  name: "getConfig",
343
- description: "Read the current 1Password provider configuration. This returns account/vault metadata and secret ids only; service-account token values are never returned.",
305
+ description: "Read the current 1Password provider configuration. This returns account/vault metadata only; service-account token values are never returned.",
344
306
  outputSchema: OnePasswordGetConfigOutputStd,
345
307
  execute: () => Effect2.map(self.getConfig(), (config) => ToolResult.ok({ config }))
346
308
  }),
347
309
  tool({
348
310
  name: "listVaults",
349
- description: "List available 1Password vaults before configuring the provider. For service-account auth, first call `executor.coreTools.secrets.create` so the token is entered in the browser, then pass that token secret id here.",
311
+ description: "List available 1Password vaults before configuring the provider. For service-account auth, pass the service account token directly.",
350
312
  inputSchema: OnePasswordListVaultsInputStd,
351
313
  outputSchema: OnePasswordListVaultsOutputStd,
352
314
  execute: (input) => Effect2.map(self.listVaults(input), (vaults) => ToolResult.ok({ vaults }))
353
315
  }),
354
316
  tool({
355
317
  name: "configure",
356
- description: "Configure the 1Password secret provider for a target executor scope. Use desktop-app auth for local biometric access, or service-account auth with a token secret id created through `executor.coreTools.secrets.create`; never ask the user to paste the token in chat.",
318
+ description: "Configure the 1Password credential provider for the acting owner. Use desktop-app auth for local biometric access, or service-account auth with the token. The token is stored in the plugin's owner-partitioned config and never surfaced again.",
357
319
  annotations: {
358
320
  requiresApproval: true,
359
- approvalDescription: "Configure the 1Password secret provider"
321
+ approvalDescription: "Configure the 1Password credential provider"
360
322
  },
361
323
  inputSchema: OnePasswordConfigureInputStd,
362
324
  outputSchema: OnePasswordConfigureOutputStd,
363
325
  execute: (input) => Effect2.as(
364
- self.configure(
365
- { auth: input.auth, vaultId: input.vaultId, name: input.name },
366
- input.scope
367
- ),
326
+ self.configure({ auth: input.auth, vaultId: input.vaultId, name: input.name }),
368
327
  ToolResult.ok({ configured: true })
369
328
  )
370
329
  }),
371
330
  tool({
372
331
  name: "removeConfig",
373
- description: "Remove the 1Password provider configuration from a target scope. Existing secrets are not revealed; future 1Password secret resolution will stop until reconfigured.",
332
+ description: "Remove the 1Password provider configuration for the acting owner. Future 1Password secret resolution stops until reconfigured.",
374
333
  annotations: {
375
334
  requiresApproval: true,
376
- approvalDescription: "Remove the 1Password secret provider configuration"
335
+ approvalDescription: "Remove the 1Password credential provider configuration"
377
336
  },
378
- inputSchema: OnePasswordRemoveConfigInputStd,
379
337
  outputSchema: OnePasswordRemoveConfigOutputStd,
380
- execute: (input) => Effect2.as(self.removeConfig(input.targetScope), ToolResult.ok({ removed: true }))
338
+ execute: () => Effect2.as(self.removeConfig(), ToolResult.ok({ removed: true }))
381
339
  })
382
340
  ]
383
341
  }
384
342
  ],
385
- secretProviders: (ctx) => [makeProvider(ctx, timeoutMs, preferSdk)]
343
+ credentialProviders: (ctx) => [makeProvider(ctx, timeoutMs, preferSdk)]
386
344
  };
387
345
  });
388
346
 
@@ -394,4 +352,4 @@ export {
394
352
  makeOnePasswordStore,
395
353
  onepasswordPlugin
396
354
  };
397
- //# sourceMappingURL=chunk-RJVQZBUT.js.map
355
+ //# sourceMappingURL=chunk-WFBABLCL.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"sources":["../src/sdk/service.ts","../src/sdk/plugin.ts"],"sourcesContent":["import { Context, Duration, Effect, Semaphore } from \"effect\";\nimport * as op from \"@1password/op-js\";\n\nimport { OnePasswordError } from \"./errors\";\n\n// ---------------------------------------------------------------------------\n// Canonical service interface — all backends (SDK, CLI) implement this\n// ---------------------------------------------------------------------------\n\nexport interface OnePasswordVault {\n readonly id: string;\n readonly title: string;\n}\n\nexport interface OnePasswordItem {\n readonly id: string;\n readonly title: string;\n}\n\nexport interface OnePasswordService {\n /** Resolve a secret by op:// URI */\n readonly resolveSecret: (uri: string) => Effect.Effect<string, OnePasswordError>;\n\n /** List accessible vaults */\n readonly listVaults: () => Effect.Effect<ReadonlyArray<OnePasswordVault>, OnePasswordError>;\n\n /** List items in a vault */\n readonly listItems: (\n vaultId: string,\n ) => Effect.Effect<ReadonlyArray<OnePasswordItem>, OnePasswordError>;\n}\n\nexport class OnePasswordServiceTag extends Context.Service<\n OnePasswordServiceTag,\n OnePasswordService\n>()(\"@executor-js/plugin-onepassword/OnePasswordService\") {}\n\n// ---------------------------------------------------------------------------\n// Resolved auth — raw credentials ready for any backend\n// ---------------------------------------------------------------------------\n\nexport type ResolvedAuth =\n | { readonly kind: \"desktop-app\"; readonly accountName: string }\n | { readonly kind: \"service-account\"; readonly token: string };\n\n// ---------------------------------------------------------------------------\n// SDK backend — uses @1password/sdk native IPC\n// ---------------------------------------------------------------------------\n\nconst DEFAULT_TIMEOUT_MS = 15_000;\ntype OnePasswordSdkModule = typeof import(\"@1password/sdk\");\n\nconst loadOnePasswordSdk = (): Effect.Effect<OnePasswordSdkModule, OnePasswordError> =>\n Effect.tryPromise({\n try: () => import(\"@1password/sdk\"),\n catch: () =>\n new OnePasswordError({\n operation: \"sdk module load\",\n message: \"Failed to load 1Password SDK\",\n }),\n });\n\nconst makeTimeoutMessage = (operation: string, timeoutMs: number): string =>\n [\n `${operation}: timed out after ${Math.floor(timeoutMs / 1000)}s.`,\n \"Troubleshooting:\",\n \"1. Make sure the 1Password desktop app is open and unlocked\",\n \"2. Check for an approval prompt in the 1Password app — it may be behind other windows\",\n \"3. Ensure 'Developer > Connect with 1Password CLI' is enabled in 1Password Settings\",\n \"4. Make sure no other app or terminal is waiting for 1Password approval (only one prompt at a time)\",\n \"5. Try quitting 1Password completely and reopening it, then retry\",\n ].join(\"\\n\");\n\nconst timeoutWithOnePasswordError = (operation: string, timeoutMs: number) =>\n Effect.timeoutOrElse({\n duration: Duration.millis(timeoutMs),\n orElse: () =>\n Effect.fail(\n new OnePasswordError({\n operation,\n message: makeTimeoutMessage(operation, timeoutMs),\n }),\n ),\n });\n\nexport const makeNativeSdkService = (\n auth: ResolvedAuth,\n timeoutMs: number = DEFAULT_TIMEOUT_MS,\n): Effect.Effect<OnePasswordService, OnePasswordError> =>\n Effect.gen(function* () {\n const sdk = yield* loadOnePasswordSdk().pipe(\n timeoutWithOnePasswordError(\"sdk module load\", timeoutMs),\n );\n\n const client = yield* Effect.tryPromise({\n try: () =>\n sdk.createClient({\n auth: auth.kind === \"desktop-app\" ? new sdk.DesktopAuth(auth.accountName) : auth.token,\n integrationName: \"Executor\",\n integrationVersion: \"0.0.0\",\n }),\n catch: () =>\n new OnePasswordError({\n operation: \"client setup\",\n message: \"Failed to set up 1Password client\",\n }),\n }).pipe(timeoutWithOnePasswordError(\"client setup\", timeoutMs));\n\n const wrap = <A>(fn: () => Promise<A>, operation: string): Effect.Effect<A, OnePasswordError> =>\n Effect.tryPromise({\n try: fn,\n catch: () =>\n new OnePasswordError({\n operation,\n message: `1Password SDK ${operation} failed`,\n }),\n }).pipe(\n timeoutWithOnePasswordError(operation, timeoutMs),\n Effect.withSpan(`onepassword.sdk.${operation}`),\n );\n\n return OnePasswordServiceTag.of({\n resolveSecret: (uri) => wrap(() => client.secrets.resolve(uri), \"secret resolution\"),\n\n listVaults: () =>\n wrap(() => client.vaults.list({ decryptDetails: true }), \"vault listing\").pipe(\n Effect.map((vaults) => vaults.map((v) => ({ id: v.id, title: v.title }))),\n ),\n\n listItems: (vaultId) =>\n wrap(() => client.items.list(vaultId), \"item listing\").pipe(\n Effect.map((items) => items.map((i) => ({ id: i.id, title: i.title }))),\n ),\n });\n }).pipe(Effect.withSpan(\"onepassword.sdk.make_service\"));\n\n// ---------------------------------------------------------------------------\n// CLI backend — uses @1password/op-js (shells out to `op` CLI)\n// ---------------------------------------------------------------------------\n\nconst cliAuthLock = Semaphore.makeUnsafe(1);\n\nexport const makeCliService = (\n auth: ResolvedAuth,\n): Effect.Effect<OnePasswordService, OnePasswordError> =>\n Effect.sync(() => {\n const wrapSync = <A>(fn: () => A, operation: string): Effect.Effect<A, OnePasswordError> =>\n cliAuthLock\n .withPermits(1)(\n Effect.try({\n try: () => {\n if (auth.kind === \"service-account\") {\n op.setGlobalFlags({});\n op.setServiceAccount(auth.token);\n } else {\n op.setServiceAccount(\"\");\n op.setGlobalFlags({ account: auth.accountName });\n }\n return fn();\n },\n catch: () =>\n new OnePasswordError({\n operation,\n message: `1Password CLI ${operation} failed`,\n }),\n }),\n )\n .pipe(Effect.withSpan(`onepassword.cli.${operation}`));\n\n return OnePasswordServiceTag.of({\n resolveSecret: (uri) => wrapSync(() => op.read.parse(uri), \"secret resolution\"),\n\n listVaults: () =>\n wrapSync(() => op.vault.list(), \"vault listing\").pipe(\n Effect.map((vaults) => vaults.map((v) => ({ id: v.id, title: v.name }))),\n ),\n\n listItems: (vaultId) =>\n wrapSync(() => op.item.list({ vault: vaultId }), \"item listing\").pipe(\n Effect.map((items) => items.map((i) => ({ id: i.id, title: i.title }))),\n ),\n });\n }).pipe(Effect.withSpan(\"onepassword.cli.make_service\"));\n\n// ---------------------------------------------------------------------------\n// Smart factory — tries CLI first (avoids IPC hang), falls back to SDK\n// ---------------------------------------------------------------------------\n\nexport const makeOnePasswordService = (\n auth: ResolvedAuth,\n options?: { readonly preferSdk?: boolean; readonly timeoutMs?: number },\n): Effect.Effect<OnePasswordService, OnePasswordError> => {\n const timeoutMs = options?.timeoutMs ?? DEFAULT_TIMEOUT_MS;\n\n if (options?.preferSdk) {\n return makeNativeSdkService(auth, timeoutMs);\n }\n\n // Default: prefer CLI to avoid the IPC hang bug\n return makeCliService(auth).pipe(\n Effect.catch((cliError: OnePasswordError) =>\n // CLI unavailable (e.g. `op` not installed) — fall back to SDK\n makeNativeSdkService(auth, timeoutMs).pipe(Effect.mapError(() => cliError)),\n ),\n );\n};\n","import { Effect, Schema } from \"effect\";\n\nimport {\n definePlugin,\n StorageError,\n ToolResult,\n tool,\n ProviderItemId,\n ProviderKey,\n type CredentialProvider,\n type Owner,\n type PluginCtx,\n type PluginBlobStore,\n type ProviderEntry,\n type StaticToolSchema,\n type StorageFailure,\n} from \"@executor-js/sdk/core\";\n\nimport {\n OnePasswordAuth,\n OnePasswordConfig,\n RedactedOnePasswordConfig,\n Vault,\n ConnectionStatus,\n redactConfig,\n} from \"./types\";\nimport { OnePasswordError } from \"./errors\";\nimport { makeOnePasswordService, type ResolvedAuth, type OnePasswordService } from \"./service\";\n\n// ---------------------------------------------------------------------------\n// Constants\n// ---------------------------------------------------------------------------\n\nconst CREDENTIAL_FIELD = \"credential\";\nconst DEFAULT_TIMEOUT_MS = 15_000;\nconst CONFIG_KEY = \"config\";\nconst PROVIDER_KEY = ProviderKey.make(\"onepassword\");\n\nconst schemaToStaticToolSchema = <A, I>(schema: Schema.Decoder<A, I>): StaticToolSchema<A, I> =>\n Schema.toStandardSchemaV1(Schema.toStandardJSONSchemaV1(schema) as never) as StaticToolSchema<\n A,\n I\n >;\n\nconst OnePasswordConfigureInput = Schema.Struct({\n auth: OnePasswordAuth,\n vaultId: Schema.String,\n name: Schema.String,\n});\n\nconst OnePasswordConfigureOutput = Schema.Struct({\n configured: Schema.Boolean,\n});\n\nconst OnePasswordGetConfigOutput = Schema.Struct({\n config: Schema.NullOr(RedactedOnePasswordConfig),\n});\n\nconst OnePasswordListVaultsInput = OnePasswordAuth;\n\nconst OnePasswordListVaultsOutput = Schema.Struct({\n vaults: Schema.Array(Vault),\n});\n\nconst OnePasswordRemoveConfigOutput = Schema.Struct({\n removed: Schema.Boolean,\n});\n\nconst OnePasswordStatusOutput = ConnectionStatus;\n\nconst OnePasswordConfigureInputStd = schemaToStaticToolSchema<\n typeof OnePasswordConfigureInput.Type,\n typeof OnePasswordConfigureInput.Encoded\n>(OnePasswordConfigureInput);\nconst OnePasswordConfigureOutputStd = schemaToStaticToolSchema(OnePasswordConfigureOutput);\nconst OnePasswordGetConfigOutputStd = schemaToStaticToolSchema(OnePasswordGetConfigOutput);\nconst OnePasswordListVaultsInputStd = schemaToStaticToolSchema<\n typeof OnePasswordListVaultsInput.Type,\n typeof OnePasswordListVaultsInput.Encoded\n>(OnePasswordListVaultsInput);\nconst OnePasswordListVaultsOutputStd = schemaToStaticToolSchema(OnePasswordListVaultsOutput);\nconst OnePasswordRemoveConfigOutputStd = schemaToStaticToolSchema(OnePasswordRemoveConfigOutput);\nconst OnePasswordStatusOutputStd = schemaToStaticToolSchema(OnePasswordStatusOutput);\n\n// ---------------------------------------------------------------------------\n// Shared failure alias.\n//\n// Every extension method either touches storage (`ctx.storage` blobs) or\n// reaches the 1Password backend. Storage I/O surfaces as `StorageFailure`;\n// the HTTP edge (`withCapture`) translates `StorageError` to\n// `InternalError({ traceId })`. Domain problems (not configured, backend RPC\n// failure) stay as `OnePasswordError` and encode to 502 via the schema\n// annotation on the class.\n// ---------------------------------------------------------------------------\n\nexport type OnePasswordExtensionFailure = OnePasswordError | StorageFailure;\n\n// ---------------------------------------------------------------------------\n// Typed config store — single blob, JSON encoded, owner-partitioned. The\n// stored config carries the auth credential (desktop account name, or\n// service-account token) plus the selected vault. v1 keyed this by executor\n// scope; v2 partitions by `owner` — the plugin-owned config row owns the\n// partition, mirroring the connection model. Blob I/O failures surface as\n// `StorageError`; decode failures stay `OnePasswordError`.\n// ---------------------------------------------------------------------------\n\nexport interface OnePasswordStore {\n readonly getConfig: () => Effect.Effect<\n OnePasswordConfig | null,\n StorageError | OnePasswordError\n >;\n readonly saveConfig: (\n config: OnePasswordConfig,\n owner: Owner,\n ) => Effect.Effect<void, StorageError>;\n readonly deleteConfig: (owner: Owner) => Effect.Effect<void, StorageError>;\n}\n\nconst decodeConfig = Schema.decodeUnknownEffect(Schema.fromJsonString(OnePasswordConfig));\n\nconst blobStorageError =\n (operation: string) =>\n (cause: unknown): StorageError =>\n new StorageError({\n message: `onepassword blob ${operation} failed`,\n cause,\n });\n\nexport const makeOnePasswordStore = (blobs: PluginBlobStore): OnePasswordStore => ({\n getConfig: () =>\n blobs.get(CONFIG_KEY).pipe(\n Effect.mapError(blobStorageError(\"read\")),\n Effect.flatMap((raw) => {\n if (raw === null) return Effect.succeed(null);\n return decodeConfig(raw).pipe(\n Effect.mapError(\n () =>\n new OnePasswordError({\n operation: \"config decode\",\n message: \"Failed to decode 1Password config\",\n }),\n ),\n );\n }),\n ),\n\n saveConfig: (config, owner) =>\n blobs\n .put(\n CONFIG_KEY,\n JSON.stringify({\n auth: config.auth,\n vaultId: config.vaultId,\n name: config.name,\n }),\n { owner },\n )\n .pipe(Effect.mapError(blobStorageError(\"write\"))),\n\n deleteConfig: (owner) =>\n blobs.delete(CONFIG_KEY, { owner }).pipe(Effect.mapError(blobStorageError(\"delete\"))),\n});\n\n// ---------------------------------------------------------------------------\n// Helpers — auth resolution + service construction\n// ---------------------------------------------------------------------------\n\nconst resolveAuth = (auth: OnePasswordAuth): ResolvedAuth =>\n auth.kind === \"desktop-app\"\n ? { kind: \"desktop-app\", accountName: auth.accountName }\n : { kind: \"service-account\", token: auth.token };\n\nconst getServiceFromConfig = (\n config: OnePasswordConfig,\n timeoutMs: number,\n preferSdk: boolean | undefined,\n): Effect.Effect<OnePasswordService, OnePasswordError> =>\n makeOnePasswordService(resolveAuth(config.auth), { timeoutMs, preferSdk });\n\nconst configuredVaultUri = (config: OnePasswordConfig, itemId: string): string | null => {\n if (!itemId.startsWith(\"op://\")) {\n return `op://${config.vaultId}/${itemId}/${CREDENTIAL_FIELD}`;\n }\n const match = itemId.match(/^op:\\/\\/([^/]+)\\/.+/);\n if (!match || match[1] !== config.vaultId) return null;\n return itemId;\n};\n\n// ---------------------------------------------------------------------------\n// CredentialProvider — read-only, resolves op:// URIs or vaultId-based lookups.\n//\n// v2: `get(id)` receives only an opaque `ProviderItemId` — no scope. The id is\n// either a fully-qualified `op://vault/item/field` URI or a bare item id that\n// the stored config's vault scopes. The plugin's stored config supplies the\n// auth + vault binding; the provider never writes (writable: false).\n// ---------------------------------------------------------------------------\n\nconst makeProvider = (\n ctx: PluginCtx<OnePasswordStore>,\n timeoutMs: number,\n preferSdk: boolean | undefined,\n): CredentialProvider => ({\n key: PROVIDER_KEY,\n writable: false,\n\n get: (id: ProviderItemId): Effect.Effect<string | null, StorageFailure> =>\n ctx.storage.getConfig().pipe(\n Effect.flatMap((config) => {\n if (!config) return Effect.succeed(null as string | null);\n\n const uri = configuredVaultUri(config, id);\n if (uri === null) return Effect.succeed(null as string | null);\n\n return getServiceFromConfig(config, timeoutMs, preferSdk).pipe(\n Effect.flatMap((svc) => svc.resolveSecret(uri)),\n Effect.map((v): string | null => v),\n Effect.orElseSucceed(() => null),\n );\n }),\n Effect.catch(() => Effect.succeed(null as string | null)),\n ),\n\n list: (): Effect.Effect<readonly ProviderEntry[], StorageFailure> =>\n ctx.storage.getConfig().pipe(\n Effect.flatMap((config) => {\n if (!config) return Effect.succeed([] as readonly ProviderEntry[]);\n return getServiceFromConfig(config, timeoutMs, preferSdk).pipe(\n Effect.flatMap((svc) => svc.listItems(config.vaultId)),\n Effect.map((items): readonly ProviderEntry[] =>\n items.map((item) => ({ id: ProviderItemId.make(item.id), name: item.title })),\n ),\n );\n }),\n Effect.catch(() => Effect.succeed([] as readonly ProviderEntry[])),\n ),\n});\n\n// ---------------------------------------------------------------------------\n// Owner resolution — config is a single shared 1Password binding. We persist\n// it under the `user` partition when the executor is bound to a subject, else\n// the shared `org` partition.\n// ---------------------------------------------------------------------------\n\nconst ownerForCtx = (ctx: PluginCtx<OnePasswordStore>): Owner =>\n ctx.owner.subject === null ? \"org\" : \"user\";\n\nconst makeOnePasswordExtension = (\n ctx: PluginCtx<OnePasswordStore>,\n timeoutMs: number,\n preferSdk: boolean | undefined,\n) => {\n return {\n configure: (config: OnePasswordConfig) => ctx.storage.saveConfig(config, ownerForCtx(ctx)),\n\n getConfig: (): Effect.Effect<\n RedactedOnePasswordConfig | null,\n StorageError | OnePasswordError\n > =>\n ctx.storage.getConfig().pipe(Effect.map((config) => (config ? redactConfig(config) : null))),\n\n removeConfig: () => ctx.storage.deleteConfig(ownerForCtx(ctx)),\n\n status: () =>\n Effect.gen(function* () {\n const config = yield* ctx.storage.getConfig();\n if (!config) {\n return ConnectionStatus.make({\n connected: false,\n error: \"Not configured\",\n });\n }\n const svc = yield* getServiceFromConfig(config, timeoutMs, preferSdk);\n const vaults = yield* svc.listVaults();\n const vault = vaults.find((v) => v.id === config.vaultId);\n return ConnectionStatus.make({\n connected: true,\n vaultName: vault?.title,\n });\n }),\n\n listVaults: (auth: OnePasswordAuth) =>\n Effect.gen(function* () {\n const svc = yield* makeOnePasswordService(resolveAuth(auth), {\n timeoutMs,\n preferSdk,\n });\n const vaults = yield* svc.listVaults();\n return vaults\n .map((v) => Vault.make({ id: v.id, name: v.title }))\n .sort((a, b) => a.name.localeCompare(b.name));\n }),\n\n resolve: (uri: string) =>\n Effect.gen(function* () {\n const config = yield* ctx.storage.getConfig();\n if (!config) {\n return yield* new OnePasswordError({\n operation: \"resolve\",\n message: \"1Password is not configured\",\n });\n }\n const scopedUri = configuredVaultUri(config, uri);\n if (scopedUri === null) {\n return yield* new OnePasswordError({\n operation: \"resolve\",\n message: \"1Password secret URI is outside the configured vault\",\n });\n }\n const svc = yield* getServiceFromConfig(config, timeoutMs, preferSdk);\n return yield* svc.resolveSecret(scopedUri);\n }),\n };\n};\n\nexport type OnePasswordExtension = ReturnType<typeof makeOnePasswordExtension>;\n\n// ---------------------------------------------------------------------------\n// Plugin factory\n// ---------------------------------------------------------------------------\n\nexport interface OnePasswordPluginOptions {\n /** Request timeout in ms (default: 15000) */\n readonly timeoutMs?: number;\n /** Force use of the native SDK instead of the CLI (default: false) */\n readonly preferSdk?: boolean;\n}\n\nexport const onepasswordPlugin = definePlugin((options?: OnePasswordPluginOptions) => {\n const timeoutMs = options?.timeoutMs ?? DEFAULT_TIMEOUT_MS;\n const preferSdk = options?.preferSdk;\n\n return {\n id: \"onepassword\" as const,\n packageName: \"@executor-js/plugin-onepassword\",\n storage: ({ blobs }) => makeOnePasswordStore(blobs),\n\n extension: (ctx) => makeOnePasswordExtension(ctx, timeoutMs, preferSdk),\n\n staticSources: (self) => [\n {\n id: \"onepassword\",\n kind: \"executor\",\n name: \"1Password\",\n tools: [\n tool({\n name: \"status\",\n description:\n \"Check whether the 1Password credential provider is configured and can reach its selected vault. This returns status only, never secret values.\",\n outputSchema: OnePasswordStatusOutputStd,\n execute: () => Effect.map(self.status(), ToolResult.ok),\n }),\n tool({\n name: \"getConfig\",\n description:\n \"Read the current 1Password provider configuration. This returns account/vault metadata only; service-account token values are never returned.\",\n outputSchema: OnePasswordGetConfigOutputStd,\n execute: () => Effect.map(self.getConfig(), (config) => ToolResult.ok({ config })),\n }),\n tool({\n name: \"listVaults\",\n description:\n \"List available 1Password vaults before configuring the provider. For service-account auth, pass the service account token directly.\",\n inputSchema: OnePasswordListVaultsInputStd,\n outputSchema: OnePasswordListVaultsOutputStd,\n execute: (input) =>\n Effect.map(self.listVaults(input), (vaults) => ToolResult.ok({ vaults })),\n }),\n tool({\n name: \"configure\",\n description:\n \"Configure the 1Password credential provider for the acting owner. Use desktop-app auth for local biometric access, or service-account auth with the token. The token is stored in the plugin's owner-partitioned config and never surfaced again.\",\n annotations: {\n requiresApproval: true,\n approvalDescription: \"Configure the 1Password credential provider\",\n },\n inputSchema: OnePasswordConfigureInputStd,\n outputSchema: OnePasswordConfigureOutputStd,\n execute: (input) =>\n Effect.as(\n self.configure({ auth: input.auth, vaultId: input.vaultId, name: input.name }),\n ToolResult.ok({ configured: true }),\n ),\n }),\n tool({\n name: \"removeConfig\",\n description:\n \"Remove the 1Password provider configuration for the acting owner. Future 1Password secret resolution stops until reconfigured.\",\n annotations: {\n requiresApproval: true,\n approvalDescription: \"Remove the 1Password credential provider configuration\",\n },\n outputSchema: OnePasswordRemoveConfigOutputStd,\n execute: () => Effect.as(self.removeConfig(), ToolResult.ok({ removed: true })),\n }),\n ],\n },\n ],\n\n credentialProviders: (ctx) => [makeProvider(ctx, timeoutMs, preferSdk)],\n };\n // HTTP transport (routes/handlers/extensionService) is layered on by\n // the api-aware factory in `@executor-js/plugin-onepassword/api`. Hosts\n // that want the HTTP surface import the plugin from there; SDK-only\n // consumers stay on this entry and avoid the server-only deps.\n});\n"],"mappings":";;;;;;;;;;;AAAA,SAAS,SAAS,UAAU,QAAQ,iBAAiB;AACrD,YAAY,QAAQ;AA+Bb,IAAM,wBAAN,cAAoC,QAAQ,QAGjD,EAAE,oDAAoD,EAAE;AAAC;AAc3D,IAAM,qBAAqB;AAG3B,IAAM,qBAAqB,MACzB,OAAO,WAAW;AAAA,EAChB,KAAK,MAAM,OAAO,gBAAgB;AAAA,EAClC,OAAO,MACL,IAAI,iBAAiB;AAAA,IACnB,WAAW;AAAA,IACX,SAAS;AAAA,EACX,CAAC;AACL,CAAC;AAEH,IAAM,qBAAqB,CAAC,WAAmB,cAC7C;AAAA,EACE,GAAG,SAAS,qBAAqB,KAAK,MAAM,YAAY,GAAI,CAAC;AAAA,EAC7D;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,EAAE,KAAK,IAAI;AAEb,IAAM,8BAA8B,CAAC,WAAmB,cACtD,OAAO,cAAc;AAAA,EACnB,UAAU,SAAS,OAAO,SAAS;AAAA,EACnC,QAAQ,MACN,OAAO;AAAA,IACL,IAAI,iBAAiB;AAAA,MACnB;AAAA,MACA,SAAS,mBAAmB,WAAW,SAAS;AAAA,IAClD,CAAC;AAAA,EACH;AACJ,CAAC;AAEI,IAAM,uBAAuB,CAClC,MACA,YAAoB,uBAEpB,OAAO,IAAI,aAAa;AACtB,QAAM,MAAM,OAAO,mBAAmB,EAAE;AAAA,IACtC,4BAA4B,mBAAmB,SAAS;AAAA,EAC1D;AAEA,QAAM,SAAS,OAAO,OAAO,WAAW;AAAA,IACtC,KAAK,MACH,IAAI,aAAa;AAAA,MACf,MAAM,KAAK,SAAS,gBAAgB,IAAI,IAAI,YAAY,KAAK,WAAW,IAAI,KAAK;AAAA,MACjF,iBAAiB;AAAA,MACjB,oBAAoB;AAAA,IACtB,CAAC;AAAA,IACH,OAAO,MACL,IAAI,iBAAiB;AAAA,MACnB,WAAW;AAAA,MACX,SAAS;AAAA,IACX,CAAC;AAAA,EACL,CAAC,EAAE,KAAK,4BAA4B,gBAAgB,SAAS,CAAC;AAE9D,QAAM,OAAO,CAAI,IAAsB,cACrC,OAAO,WAAW;AAAA,IAChB,KAAK;AAAA,IACL,OAAO,MACL,IAAI,iBAAiB;AAAA,MACnB;AAAA,MACA,SAAS,iBAAiB,SAAS;AAAA,IACrC,CAAC;AAAA,EACL,CAAC,EAAE;AAAA,IACD,4BAA4B,WAAW,SAAS;AAAA,IAChD,OAAO,SAAS,mBAAmB,SAAS,EAAE;AAAA,EAChD;AAEF,SAAO,sBAAsB,GAAG;AAAA,IAC9B,eAAe,CAAC,QAAQ,KAAK,MAAM,OAAO,QAAQ,QAAQ,GAAG,GAAG,mBAAmB;AAAA,IAEnF,YAAY,MACV,KAAK,MAAM,OAAO,OAAO,KAAK,EAAE,gBAAgB,KAAK,CAAC,GAAG,eAAe,EAAE;AAAA,MACxE,OAAO,IAAI,CAAC,WAAW,OAAO,IAAI,CAAC,OAAO,EAAE,IAAI,EAAE,IAAI,OAAO,EAAE,MAAM,EAAE,CAAC;AAAA,IAC1E;AAAA,IAEF,WAAW,CAAC,YACV,KAAK,MAAM,OAAO,MAAM,KAAK,OAAO,GAAG,cAAc,EAAE;AAAA,MACrD,OAAO,IAAI,CAAC,UAAU,MAAM,IAAI,CAAC,OAAO,EAAE,IAAI,EAAE,IAAI,OAAO,EAAE,MAAM,EAAE,CAAC;AAAA,IACxE;AAAA,EACJ,CAAC;AACH,CAAC,EAAE,KAAK,OAAO,SAAS,8BAA8B,CAAC;AAMzD,IAAM,cAAc,UAAU,WAAW,CAAC;AAEnC,IAAM,iBAAiB,CAC5B,SAEA,OAAO,KAAK,MAAM;AAChB,QAAM,WAAW,CAAI,IAAa,cAChC,YACG,YAAY,CAAC;AAAA,IACZ,OAAO,IAAI;AAAA,MACT,KAAK,MAAM;AACT,YAAI,KAAK,SAAS,mBAAmB;AACnC,UAAG,kBAAe,CAAC,CAAC;AACpB,UAAG,qBAAkB,KAAK,KAAK;AAAA,QACjC,OAAO;AACL,UAAG,qBAAkB,EAAE;AACvB,UAAG,kBAAe,EAAE,SAAS,KAAK,YAAY,CAAC;AAAA,QACjD;AACA,eAAO,GAAG;AAAA,MACZ;AAAA,MACA,OAAO,MACL,IAAI,iBAAiB;AAAA,QACnB;AAAA,QACA,SAAS,iBAAiB,SAAS;AAAA,MACrC,CAAC;AAAA,IACL,CAAC;AAAA,EACH,EACC,KAAK,OAAO,SAAS,mBAAmB,SAAS,EAAE,CAAC;AAEzD,SAAO,sBAAsB,GAAG;AAAA,IAC9B,eAAe,CAAC,QAAQ,SAAS,MAAS,QAAK,MAAM,GAAG,GAAG,mBAAmB;AAAA,IAE9E,YAAY,MACV,SAAS,MAAS,SAAM,KAAK,GAAG,eAAe,EAAE;AAAA,MAC/C,OAAO,IAAI,CAAC,WAAW,OAAO,IAAI,CAAC,OAAO,EAAE,IAAI,EAAE,IAAI,OAAO,EAAE,KAAK,EAAE,CAAC;AAAA,IACzE;AAAA,IAEF,WAAW,CAAC,YACV,SAAS,MAAS,QAAK,KAAK,EAAE,OAAO,QAAQ,CAAC,GAAG,cAAc,EAAE;AAAA,MAC/D,OAAO,IAAI,CAAC,UAAU,MAAM,IAAI,CAAC,OAAO,EAAE,IAAI,EAAE,IAAI,OAAO,EAAE,MAAM,EAAE,CAAC;AAAA,IACxE;AAAA,EACJ,CAAC;AACH,CAAC,EAAE,KAAK,OAAO,SAAS,8BAA8B,CAAC;AAMlD,IAAM,yBAAyB,CACpC,MACA,YACwD;AACxD,QAAM,YAAY,SAAS,aAAa;AAExC,MAAI,SAAS,WAAW;AACtB,WAAO,qBAAqB,MAAM,SAAS;AAAA,EAC7C;AAGA,SAAO,eAAe,IAAI,EAAE;AAAA,IAC1B,OAAO;AAAA,MAAM,CAAC;AAAA;AAAA,QAEZ,qBAAqB,MAAM,SAAS,EAAE,KAAK,OAAO,SAAS,MAAM,QAAQ,CAAC;AAAA;AAAA,IAC5E;AAAA,EACF;AACF;;;AC7MA,SAAS,UAAAA,SAAQ,cAAc;AAE/B;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OAQK;AAiBP,IAAM,mBAAmB;AACzB,IAAMC,sBAAqB;AAC3B,IAAM,aAAa;AACnB,IAAM,eAAe,YAAY,KAAK,aAAa;AAEnD,IAAM,2BAA2B,CAAO,WACtC,OAAO,mBAAmB,OAAO,uBAAuB,MAAM,CAAU;AAK1E,IAAM,4BAA4B,OAAO,OAAO;AAAA,EAC9C,MAAM;AAAA,EACN,SAAS,OAAO;AAAA,EAChB,MAAM,OAAO;AACf,CAAC;AAED,IAAM,6BAA6B,OAAO,OAAO;AAAA,EAC/C,YAAY,OAAO;AACrB,CAAC;AAED,IAAM,6BAA6B,OAAO,OAAO;AAAA,EAC/C,QAAQ,OAAO,OAAO,yBAAyB;AACjD,CAAC;AAED,IAAM,6BAA6B;AAEnC,IAAM,8BAA8B,OAAO,OAAO;AAAA,EAChD,QAAQ,OAAO,MAAM,KAAK;AAC5B,CAAC;AAED,IAAM,gCAAgC,OAAO,OAAO;AAAA,EAClD,SAAS,OAAO;AAClB,CAAC;AAED,IAAM,0BAA0B;AAEhC,IAAM,+BAA+B,yBAGnC,yBAAyB;AAC3B,IAAM,gCAAgC,yBAAyB,0BAA0B;AACzF,IAAM,gCAAgC,yBAAyB,0BAA0B;AACzF,IAAM,gCAAgC,yBAGpC,0BAA0B;AAC5B,IAAM,iCAAiC,yBAAyB,2BAA2B;AAC3F,IAAM,mCAAmC,yBAAyB,6BAA6B;AAC/F,IAAM,6BAA6B,yBAAyB,uBAAuB;AAoCnF,IAAM,eAAe,OAAO,oBAAoB,OAAO,eAAe,iBAAiB,CAAC;AAExF,IAAM,mBACJ,CAAC,cACD,CAAC,UACC,IAAI,aAAa;AAAA,EACf,SAAS,oBAAoB,SAAS;AAAA,EACtC;AACF,CAAC;AAEE,IAAM,uBAAuB,CAAC,WAA8C;AAAA,EACjF,WAAW,MACT,MAAM,IAAI,UAAU,EAAE;AAAA,IACpBC,QAAO,SAAS,iBAAiB,MAAM,CAAC;AAAA,IACxCA,QAAO,QAAQ,CAAC,QAAQ;AACtB,UAAI,QAAQ,KAAM,QAAOA,QAAO,QAAQ,IAAI;AAC5C,aAAO,aAAa,GAAG,EAAE;AAAA,QACvBA,QAAO;AAAA,UACL,MACE,IAAI,iBAAiB;AAAA,YACnB,WAAW;AAAA,YACX,SAAS;AAAA,UACX,CAAC;AAAA,QACL;AAAA,MACF;AAAA,IACF,CAAC;AAAA,EACH;AAAA,EAEF,YAAY,CAAC,QAAQ,UACnB,MACG;AAAA,IACC;AAAA,IACA,KAAK,UAAU;AAAA,MACb,MAAM,OAAO;AAAA,MACb,SAAS,OAAO;AAAA,MAChB,MAAM,OAAO;AAAA,IACf,CAAC;AAAA,IACD,EAAE,MAAM;AAAA,EACV,EACC,KAAKA,QAAO,SAAS,iBAAiB,OAAO,CAAC,CAAC;AAAA,EAEpD,cAAc,CAAC,UACb,MAAM,OAAO,YAAY,EAAE,MAAM,CAAC,EAAE,KAAKA,QAAO,SAAS,iBAAiB,QAAQ,CAAC,CAAC;AACxF;AAMA,IAAM,cAAc,CAAC,SACnB,KAAK,SAAS,gBACV,EAAE,MAAM,eAAe,aAAa,KAAK,YAAY,IACrD,EAAE,MAAM,mBAAmB,OAAO,KAAK,MAAM;AAEnD,IAAM,uBAAuB,CAC3B,QACA,WACA,cAEA,uBAAuB,YAAY,OAAO,IAAI,GAAG,EAAE,WAAW,UAAU,CAAC;AAE3E,IAAM,qBAAqB,CAAC,QAA2B,WAAkC;AACvF,MAAI,CAAC,OAAO,WAAW,OAAO,GAAG;AAC/B,WAAO,QAAQ,OAAO,OAAO,IAAI,MAAM,IAAI,gBAAgB;AAAA,EAC7D;AACA,QAAM,QAAQ,OAAO,MAAM,qBAAqB;AAChD,MAAI,CAAC,SAAS,MAAM,CAAC,MAAM,OAAO,QAAS,QAAO;AAClD,SAAO;AACT;AAWA,IAAM,eAAe,CACnB,KACA,WACA,eACwB;AAAA,EACxB,KAAK;AAAA,EACL,UAAU;AAAA,EAEV,KAAK,CAAC,OACJ,IAAI,QAAQ,UAAU,EAAE;AAAA,IACtBA,QAAO,QAAQ,CAAC,WAAW;AACzB,UAAI,CAAC,OAAQ,QAAOA,QAAO,QAAQ,IAAqB;AAExD,YAAM,MAAM,mBAAmB,QAAQ,EAAE;AACzC,UAAI,QAAQ,KAAM,QAAOA,QAAO,QAAQ,IAAqB;AAE7D,aAAO,qBAAqB,QAAQ,WAAW,SAAS,EAAE;AAAA,QACxDA,QAAO,QAAQ,CAAC,QAAQ,IAAI,cAAc,GAAG,CAAC;AAAA,QAC9CA,QAAO,IAAI,CAAC,MAAqB,CAAC;AAAA,QAClCA,QAAO,cAAc,MAAM,IAAI;AAAA,MACjC;AAAA,IACF,CAAC;AAAA,IACDA,QAAO,MAAM,MAAMA,QAAO,QAAQ,IAAqB,CAAC;AAAA,EAC1D;AAAA,EAEF,MAAM,MACJ,IAAI,QAAQ,UAAU,EAAE;AAAA,IACtBA,QAAO,QAAQ,CAAC,WAAW;AACzB,UAAI,CAAC,OAAQ,QAAOA,QAAO,QAAQ,CAAC,CAA6B;AACjE,aAAO,qBAAqB,QAAQ,WAAW,SAAS,EAAE;AAAA,QACxDA,QAAO,QAAQ,CAAC,QAAQ,IAAI,UAAU,OAAO,OAAO,CAAC;AAAA,QACrDA,QAAO;AAAA,UAAI,CAAC,UACV,MAAM,IAAI,CAACC,WAAU,EAAE,IAAI,eAAe,KAAKA,MAAK,EAAE,GAAG,MAAMA,MAAK,MAAM,EAAE;AAAA,QAC9E;AAAA,MACF;AAAA,IACF,CAAC;AAAA,IACDD,QAAO,MAAM,MAAMA,QAAO,QAAQ,CAAC,CAA6B,CAAC;AAAA,EACnE;AACJ;AAQA,IAAM,cAAc,CAAC,QACnB,IAAI,MAAM,YAAY,OAAO,QAAQ;AAEvC,IAAM,2BAA2B,CAC/B,KACA,WACA,cACG;AACH,SAAO;AAAA,IACL,WAAW,CAAC,WAA8B,IAAI,QAAQ,WAAW,QAAQ,YAAY,GAAG,CAAC;AAAA,IAEzF,WAAW,MAIT,IAAI,QAAQ,UAAU,EAAE,KAAKA,QAAO,IAAI,CAAC,WAAY,SAAS,aAAa,MAAM,IAAI,IAAK,CAAC;AAAA,IAE7F,cAAc,MAAM,IAAI,QAAQ,aAAa,YAAY,GAAG,CAAC;AAAA,IAE7D,QAAQ,MACNA,QAAO,IAAI,aAAa;AACtB,YAAM,SAAS,OAAO,IAAI,QAAQ,UAAU;AAC5C,UAAI,CAAC,QAAQ;AACX,eAAO,iBAAiB,KAAK;AAAA,UAC3B,WAAW;AAAA,UACX,OAAO;AAAA,QACT,CAAC;AAAA,MACH;AACA,YAAM,MAAM,OAAO,qBAAqB,QAAQ,WAAW,SAAS;AACpE,YAAM,SAAS,OAAO,IAAI,WAAW;AACrC,YAAME,SAAQ,OAAO,KAAK,CAAC,MAAM,EAAE,OAAO,OAAO,OAAO;AACxD,aAAO,iBAAiB,KAAK;AAAA,QAC3B,WAAW;AAAA,QACX,WAAWA,QAAO;AAAA,MACpB,CAAC;AAAA,IACH,CAAC;AAAA,IAEH,YAAY,CAAC,SACXF,QAAO,IAAI,aAAa;AACtB,YAAM,MAAM,OAAO,uBAAuB,YAAY,IAAI,GAAG;AAAA,QAC3D;AAAA,QACA;AAAA,MACF,CAAC;AACD,YAAM,SAAS,OAAO,IAAI,WAAW;AACrC,aAAO,OACJ,IAAI,CAAC,MAAM,MAAM,KAAK,EAAE,IAAI,EAAE,IAAI,MAAM,EAAE,MAAM,CAAC,CAAC,EAClD,KAAK,CAAC,GAAG,MAAM,EAAE,KAAK,cAAc,EAAE,IAAI,CAAC;AAAA,IAChD,CAAC;AAAA,IAEH,SAAS,CAAC,QACRA,QAAO,IAAI,aAAa;AACtB,YAAM,SAAS,OAAO,IAAI,QAAQ,UAAU;AAC5C,UAAI,CAAC,QAAQ;AACX,eAAO,OAAO,IAAI,iBAAiB;AAAA,UACjC,WAAW;AAAA,UACX,SAAS;AAAA,QACX,CAAC;AAAA,MACH;AACA,YAAM,YAAY,mBAAmB,QAAQ,GAAG;AAChD,UAAI,cAAc,MAAM;AACtB,eAAO,OAAO,IAAI,iBAAiB;AAAA,UACjC,WAAW;AAAA,UACX,SAAS;AAAA,QACX,CAAC;AAAA,MACH;AACA,YAAM,MAAM,OAAO,qBAAqB,QAAQ,WAAW,SAAS;AACpE,aAAO,OAAO,IAAI,cAAc,SAAS;AAAA,IAC3C,CAAC;AAAA,EACL;AACF;AAeO,IAAM,oBAAoB,aAAa,CAAC,YAAuC;AACpF,QAAM,YAAY,SAAS,aAAaD;AACxC,QAAM,YAAY,SAAS;AAE3B,SAAO;AAAA,IACL,IAAI;AAAA,IACJ,aAAa;AAAA,IACb,SAAS,CAAC,EAAE,MAAM,MAAM,qBAAqB,KAAK;AAAA,IAElD,WAAW,CAAC,QAAQ,yBAAyB,KAAK,WAAW,SAAS;AAAA,IAEtE,eAAe,CAAC,SAAS;AAAA,MACvB;AAAA,QACE,IAAI;AAAA,QACJ,MAAM;AAAA,QACN,MAAM;AAAA,QACN,OAAO;AAAA,UACL,KAAK;AAAA,YACH,MAAM;AAAA,YACN,aACE;AAAA,YACF,cAAc;AAAA,YACd,SAAS,MAAMC,QAAO,IAAI,KAAK,OAAO,GAAG,WAAW,EAAE;AAAA,UACxD,CAAC;AAAA,UACD,KAAK;AAAA,YACH,MAAM;AAAA,YACN,aACE;AAAA,YACF,cAAc;AAAA,YACd,SAAS,MAAMA,QAAO,IAAI,KAAK,UAAU,GAAG,CAAC,WAAW,WAAW,GAAG,EAAE,OAAO,CAAC,CAAC;AAAA,UACnF,CAAC;AAAA,UACD,KAAK;AAAA,YACH,MAAM;AAAA,YACN,aACE;AAAA,YACF,aAAa;AAAA,YACb,cAAc;AAAA,YACd,SAAS,CAAC,UACRA,QAAO,IAAI,KAAK,WAAW,KAAK,GAAG,CAAC,WAAW,WAAW,GAAG,EAAE,OAAO,CAAC,CAAC;AAAA,UAC5E,CAAC;AAAA,UACD,KAAK;AAAA,YACH,MAAM;AAAA,YACN,aACE;AAAA,YACF,aAAa;AAAA,cACX,kBAAkB;AAAA,cAClB,qBAAqB;AAAA,YACvB;AAAA,YACA,aAAa;AAAA,YACb,cAAc;AAAA,YACd,SAAS,CAAC,UACRA,QAAO;AAAA,cACL,KAAK,UAAU,EAAE,MAAM,MAAM,MAAM,SAAS,MAAM,SAAS,MAAM,MAAM,KAAK,CAAC;AAAA,cAC7E,WAAW,GAAG,EAAE,YAAY,KAAK,CAAC;AAAA,YACpC;AAAA,UACJ,CAAC;AAAA,UACD,KAAK;AAAA,YACH,MAAM;AAAA,YACN,aACE;AAAA,YACF,aAAa;AAAA,cACX,kBAAkB;AAAA,cAClB,qBAAqB;AAAA,YACvB;AAAA,YACA,cAAc;AAAA,YACd,SAAS,MAAMA,QAAO,GAAG,KAAK,aAAa,GAAG,WAAW,GAAG,EAAE,SAAS,KAAK,CAAC,CAAC;AAAA,UAChF,CAAC;AAAA,QACH;AAAA,MACF;AAAA,IACF;AAAA,IAEA,qBAAqB,CAAC,QAAQ,CAAC,aAAa,KAAK,WAAW,SAAS,CAAC;AAAA,EACxE;AAKF,CAAC;","names":["Effect","DEFAULT_TIMEOUT_MS","Effect","item","vault"]}
package/dist/client.js CHANGED
@@ -6,7 +6,7 @@ import { lazy } from "react";
6
6
  var onePasswordSecretProviderPlugin = {
7
7
  key: "onepassword",
8
8
  label: "1Password",
9
- settings: lazy(() => import("./OnePasswordSettings-7A7INNUA.js"))
9
+ settings: lazy(() => import("./OnePasswordSettings-KMRJZYUZ.js"))
10
10
  };
11
11
 
12
12
  // src/react/plugin-client.tsx
package/dist/core.js CHANGED
@@ -5,16 +5,19 @@ import {
5
5
  makeOnePasswordService,
6
6
  makeOnePasswordStore,
7
7
  onepasswordPlugin
8
- } from "./chunk-RJVQZBUT.js";
8
+ } from "./chunk-WFBABLCL.js";
9
9
  import {
10
10
  ConnectionStatus,
11
11
  DesktopAppAuth,
12
12
  OnePasswordAuth,
13
13
  OnePasswordConfig,
14
14
  OnePasswordError,
15
+ RedactedOnePasswordAuth,
16
+ RedactedOnePasswordConfig,
15
17
  ServiceAccountAuth,
16
- Vault
17
- } from "./chunk-TRGRRIAX.js";
18
+ Vault,
19
+ redactConfig
20
+ } from "./chunk-OYHEG6OK.js";
18
21
  export {
19
22
  ConnectionStatus,
20
23
  DesktopAppAuth,
@@ -22,12 +25,15 @@ export {
22
25
  OnePasswordConfig,
23
26
  OnePasswordError,
24
27
  OnePasswordServiceTag,
28
+ RedactedOnePasswordAuth,
29
+ RedactedOnePasswordConfig,
25
30
  ServiceAccountAuth,
26
31
  Vault,
27
32
  makeCliService,
28
33
  makeNativeSdkService,
29
34
  makeOnePasswordService,
30
35
  makeOnePasswordStore,
31
- onepasswordPlugin
36
+ onepasswordPlugin,
37
+ redactConfig
32
38
  };
33
39
  //# sourceMappingURL=core.js.map
package/dist/index.js CHANGED
@@ -1,6 +1,6 @@
1
1
  import {
2
2
  onepasswordPlugin
3
- } from "./chunk-RJVQZBUT.js";
3
+ } from "./chunk-WFBABLCL.js";
4
4
  import {
5
5
  ConnectionStatus,
6
6
  DesktopAppAuth,
@@ -9,7 +9,7 @@ import {
9
9
  OnePasswordError,
10
10
  ServiceAccountAuth,
11
11
  Vault
12
- } from "./chunk-TRGRRIAX.js";
12
+ } from "./chunk-OYHEG6OK.js";
13
13
  export {
14
14
  ConnectionStatus,
15
15
  DesktopAppAuth,
@@ -1,31 +1,26 @@
1
- import type { ScopeId } from "@executor-js/sdk/shared";
2
- export declare const onepasswordWriteKeys: readonly ["secrets"];
3
- export declare const onepasswordConfigAtom: (scopeId: ScopeId) => import("effect/unstable/reactivity/Atom").Atom<import("effect/unstable/reactivity/AsyncResult").AsyncResult<{
1
+ export declare const onepasswordWriteKeys: readonly ["providers"];
2
+ export declare const onepasswordConfigAtom: import("effect/unstable/reactivity/Atom").Atom<import("effect/unstable/reactivity/AsyncResult").AsyncResult<{
4
3
  readonly name: string;
5
4
  readonly auth: {
6
5
  readonly kind: "desktop-app";
7
6
  readonly accountName: string;
8
7
  } | {
9
8
  readonly kind: "service-account";
10
- readonly tokenSecretId: string;
11
9
  };
12
10
  readonly vaultId: string;
13
11
  } | null, import("@executor-js/sdk").InternalError | import("../promise").OnePasswordError>>;
14
- export declare const onepasswordStatusAtom: (scopeId: ScopeId) => import("effect/unstable/reactivity/Atom").Atom<import("effect/unstable/reactivity/AsyncResult").AsyncResult<{
12
+ export declare const onepasswordStatusAtom: import("effect/unstable/reactivity/Atom").Atom<import("effect/unstable/reactivity/AsyncResult").AsyncResult<{
15
13
  readonly connected: boolean;
16
14
  readonly error?: string | undefined;
17
15
  readonly vaultName?: string | undefined;
18
16
  }, import("@executor-js/sdk").InternalError | import("../promise").OnePasswordError>>;
19
- export declare const onepasswordVaultsAtom: (authKind: "desktop-app" | "service-account", account: string, scopeId: ScopeId) => import("effect/unstable/reactivity/Atom").Atom<import("effect/unstable/reactivity/AsyncResult").AsyncResult<{
17
+ export declare const onepasswordVaultsAtom: (authKind: "desktop-app" | "service-account", account: string) => import("effect/unstable/reactivity/Atom").Atom<import("effect/unstable/reactivity/AsyncResult").AsyncResult<{
20
18
  readonly vaults: readonly {
21
19
  readonly id: string;
22
20
  readonly name: string;
23
21
  }[];
24
22
  }, import("@executor-js/sdk").InternalError | import("../promise").OnePasswordError>>;
25
23
  export declare const configureOnePassword: import("effect/unstable/reactivity/Atom").AtomResultFn<{
26
- readonly params: {
27
- readonly scopeId: string & import("effect/Brand").Brand<"ScopeId">;
28
- };
29
24
  readonly payload: {
30
25
  readonly name: string;
31
26
  readonly auth: {
@@ -33,7 +28,7 @@ export declare const configureOnePassword: import("effect/unstable/reactivity/At
33
28
  readonly accountName: string;
34
29
  } | {
35
30
  readonly kind: "service-account";
36
- readonly tokenSecretId: string;
31
+ readonly token: string;
37
32
  };
38
33
  readonly vaultId: string;
39
34
  };
@@ -41,9 +36,8 @@ export declare const configureOnePassword: import("effect/unstable/reactivity/At
41
36
  readonly reactivityKeys?: readonly unknown[] | import("effect/Record").ReadonlyRecord<string, readonly unknown[]> | undefined;
42
37
  }, void, import("@executor-js/sdk").InternalError | import("../promise").OnePasswordError>;
43
38
  export declare const removeOnePasswordConfig: import("effect/unstable/reactivity/Atom").AtomResultFn<{
44
- readonly params: {
45
- readonly scopeId: string & import("effect/Brand").Brand<"ScopeId">;
46
- };
39
+ readonly reactivityKeys?: readonly unknown[] | import("effect/Record").ReadonlyRecord<string, readonly unknown[]> | undefined;
40
+ } | {
47
41
  readonly responseMode?: "decoded-only" | undefined;
48
42
  readonly reactivityKeys?: readonly unknown[] | import("effect/Record").ReadonlyRecord<string, readonly unknown[]> | undefined;
49
43
  }, void, import("@executor-js/sdk").InternalError | import("../promise").OnePasswordError>;
@@ -1,38 +1,27 @@
1
- export declare const OnePasswordClient: import("effect/unstable/reactivity/AtomHttpApi").AtomHttpApiClient<"Plugin_onepasswordClient", `Plugin_${string}Client`, import("effect/unstable/httpapi/HttpApiGroup").HttpApiGroup<"onepassword", import("effect/unstable/httpapi/HttpApiEndpoint").HttpApiEndpoint<"getConfig", "GET", "/scopes/:scopeId/onepassword/config", import("effect/unstable/httpapi/HttpApiEndpoint").StringTree<import("effect/Schema").Struct<{
2
- scopeId: import("effect/Schema").brand<import("effect/Schema").String, "ScopeId">;
3
- }>>, import("effect/unstable/httpapi/HttpApiEndpoint").StringTree<never>, import("effect/unstable/httpapi/HttpApiEndpoint").StringTree<never>, import("effect/unstable/httpapi/HttpApiEndpoint").StringTree<never>, import("effect/unstable/httpapi/HttpApiEndpoint").Json<import("effect/Schema").NullOr<import("effect/Schema").Struct<{
1
+ export declare const OnePasswordClient: import("effect/unstable/reactivity/AtomHttpApi").AtomHttpApiClient<"Plugin_onepasswordClient", `Plugin_${string}Client`, import("effect/unstable/httpapi/HttpApiGroup").HttpApiGroup<"onepassword", import("effect/unstable/httpapi/HttpApiEndpoint").HttpApiEndpoint<"getConfig", "GET", "/onepassword/config", import("effect/unstable/httpapi/HttpApiEndpoint").StringTree<never>, import("effect/unstable/httpapi/HttpApiEndpoint").StringTree<never>, import("effect/unstable/httpapi/HttpApiEndpoint").StringTree<never>, import("effect/unstable/httpapi/HttpApiEndpoint").StringTree<never>, import("effect/unstable/httpapi/HttpApiEndpoint").Json<import("effect/Schema").NullOr<import("effect/Schema").Struct<{
4
2
  readonly auth: import("effect/Schema").Union<readonly [import("effect/Schema").Struct<{
5
3
  readonly kind: import("effect/Schema").Literal<"desktop-app">;
6
4
  readonly accountName: import("effect/Schema").String;
7
5
  }>, import("effect/Schema").Struct<{
8
6
  readonly kind: import("effect/Schema").Literal<"service-account">;
9
- readonly tokenSecretId: import("effect/Schema").String;
10
7
  }>]>;
11
8
  readonly vaultId: import("effect/Schema").String;
12
9
  readonly name: import("effect/Schema").String;
13
- }>>>, import("effect/unstable/httpapi/HttpApiEndpoint").Json<typeof import("@executor-js/sdk").InternalError | typeof import("../promise").OnePasswordError>, never, never> | import("effect/unstable/httpapi/HttpApiEndpoint").HttpApiEndpoint<"configure", "PUT", "/scopes/:scopeId/onepassword/config", import("effect/unstable/httpapi/HttpApiEndpoint").StringTree<import("effect/Schema").Struct<{
14
- scopeId: import("effect/Schema").brand<import("effect/Schema").String, "ScopeId">;
15
- }>>, import("effect/unstable/httpapi/HttpApiEndpoint").StringTree<never>, import("effect/unstable/httpapi/HttpApiEndpoint").Json<import("effect/Schema").Struct<{
10
+ }>>>, import("effect/unstable/httpapi/HttpApiEndpoint").Json<typeof import("@executor-js/sdk").InternalError | typeof import("../promise").OnePasswordError>, never, never> | import("effect/unstable/httpapi/HttpApiEndpoint").HttpApiEndpoint<"configure", "PUT", "/onepassword/config", import("effect/unstable/httpapi/HttpApiEndpoint").StringTree<never>, import("effect/unstable/httpapi/HttpApiEndpoint").StringTree<never>, import("effect/unstable/httpapi/HttpApiEndpoint").Json<import("effect/Schema").Struct<{
16
11
  readonly auth: import("effect/Schema").Union<readonly [import("effect/Schema").Struct<{
17
12
  readonly kind: import("effect/Schema").Literal<"desktop-app">;
18
13
  readonly accountName: import("effect/Schema").String;
19
14
  }>, import("effect/Schema").Struct<{
20
15
  readonly kind: import("effect/Schema").Literal<"service-account">;
21
- readonly tokenSecretId: import("effect/Schema").String;
16
+ readonly token: import("effect/Schema").String;
22
17
  }>]>;
23
18
  readonly vaultId: import("effect/Schema").String;
24
19
  readonly name: import("effect/Schema").String;
25
- }>>, import("effect/unstable/httpapi/HttpApiEndpoint").StringTree<never>, import("effect/unstable/httpapi/HttpApiEndpoint").Json<import("effect/Schema").Void>, import("effect/unstable/httpapi/HttpApiEndpoint").Json<typeof import("@executor-js/sdk").InternalError | typeof import("../promise").OnePasswordError>, never, never> | import("effect/unstable/httpapi/HttpApiEndpoint").HttpApiEndpoint<"removeConfig", "DELETE", "/scopes/:scopeId/onepassword/config", import("effect/unstable/httpapi/HttpApiEndpoint").StringTree<import("effect/Schema").Struct<{
26
- scopeId: import("effect/Schema").brand<import("effect/Schema").String, "ScopeId">;
27
- }>>, import("effect/unstable/httpapi/HttpApiEndpoint").StringTree<never>, import("effect/unstable/httpapi/HttpApiEndpoint").Json<never>, import("effect/unstable/httpapi/HttpApiEndpoint").StringTree<never>, import("effect/unstable/httpapi/HttpApiEndpoint").Json<import("effect/Schema").Void>, import("effect/unstable/httpapi/HttpApiEndpoint").Json<typeof import("@executor-js/sdk").InternalError | typeof import("../promise").OnePasswordError>, never, never> | import("effect/unstable/httpapi/HttpApiEndpoint").HttpApiEndpoint<"status", "GET", "/scopes/:scopeId/onepassword/status", import("effect/unstable/httpapi/HttpApiEndpoint").StringTree<import("effect/Schema").Struct<{
28
- scopeId: import("effect/Schema").brand<import("effect/Schema").String, "ScopeId">;
29
- }>>, import("effect/unstable/httpapi/HttpApiEndpoint").StringTree<never>, import("effect/unstable/httpapi/HttpApiEndpoint").StringTree<never>, import("effect/unstable/httpapi/HttpApiEndpoint").StringTree<never>, import("effect/unstable/httpapi/HttpApiEndpoint").Json<import("effect/Schema").Struct<{
20
+ }>>, import("effect/unstable/httpapi/HttpApiEndpoint").StringTree<never>, import("effect/unstable/httpapi/HttpApiEndpoint").Json<import("effect/Schema").Void>, import("effect/unstable/httpapi/HttpApiEndpoint").Json<typeof import("@executor-js/sdk").InternalError | typeof import("../promise").OnePasswordError>, never, never> | import("effect/unstable/httpapi/HttpApiEndpoint").HttpApiEndpoint<"removeConfig", "DELETE", "/onepassword/config", import("effect/unstable/httpapi/HttpApiEndpoint").StringTree<never>, import("effect/unstable/httpapi/HttpApiEndpoint").StringTree<never>, import("effect/unstable/httpapi/HttpApiEndpoint").Json<never>, import("effect/unstable/httpapi/HttpApiEndpoint").StringTree<never>, import("effect/unstable/httpapi/HttpApiEndpoint").Json<import("effect/Schema").Void>, import("effect/unstable/httpapi/HttpApiEndpoint").Json<typeof import("@executor-js/sdk").InternalError | typeof import("../promise").OnePasswordError>, never, never> | import("effect/unstable/httpapi/HttpApiEndpoint").HttpApiEndpoint<"status", "GET", "/onepassword/status", import("effect/unstable/httpapi/HttpApiEndpoint").StringTree<never>, import("effect/unstable/httpapi/HttpApiEndpoint").StringTree<never>, import("effect/unstable/httpapi/HttpApiEndpoint").StringTree<never>, import("effect/unstable/httpapi/HttpApiEndpoint").StringTree<never>, import("effect/unstable/httpapi/HttpApiEndpoint").Json<import("effect/Schema").Struct<{
30
21
  readonly connected: import("effect/Schema").Boolean;
31
22
  readonly vaultName: import("effect/Schema").optional<import("effect/Schema").String>;
32
23
  readonly error: import("effect/Schema").optional<import("effect/Schema").String>;
33
- }>>, import("effect/unstable/httpapi/HttpApiEndpoint").Json<typeof import("@executor-js/sdk").InternalError | typeof import("../promise").OnePasswordError>, never, never> | import("effect/unstable/httpapi/HttpApiEndpoint").HttpApiEndpoint<"listVaults", "GET", "/scopes/:scopeId/onepassword/vaults", import("effect/unstable/httpapi/HttpApiEndpoint").StringTree<import("effect/Schema").Struct<{
34
- scopeId: import("effect/Schema").brand<import("effect/Schema").String, "ScopeId">;
35
- }>>, import("effect/unstable/httpapi/HttpApiEndpoint").StringTree<import("effect/Schema").Struct<{
24
+ }>>, import("effect/unstable/httpapi/HttpApiEndpoint").Json<typeof import("@executor-js/sdk").InternalError | typeof import("../promise").OnePasswordError>, never, never> | import("effect/unstable/httpapi/HttpApiEndpoint").HttpApiEndpoint<"listVaults", "GET", "/onepassword/vaults", import("effect/unstable/httpapi/HttpApiEndpoint").StringTree<never>, import("effect/unstable/httpapi/HttpApiEndpoint").StringTree<import("effect/Schema").Struct<{
36
25
  readonly authKind: import("effect/Schema").Literals<readonly ["desktop-app", "service-account"]>;
37
26
  readonly account: import("effect/Schema").String;
38
27
  }>>, import("effect/unstable/httpapi/HttpApiEndpoint").StringTree<never>, import("effect/unstable/httpapi/HttpApiEndpoint").StringTree<never>, import("effect/unstable/httpapi/HttpApiEndpoint").Json<import("effect/Schema").Struct<{
@@ -1,4 +1,4 @@
1
1
  export { onepasswordPlugin, makeOnePasswordStore, type OnePasswordExtension, type OnePasswordPluginOptions, type OnePasswordStore, } from "./plugin";
2
- export { OnePasswordConfig, Vault, ConnectionStatus, OnePasswordAuth, DesktopAppAuth, ServiceAccountAuth, } from "./types";
2
+ export { OnePasswordConfig, RedactedOnePasswordConfig, RedactedOnePasswordAuth, redactConfig, Vault, ConnectionStatus, OnePasswordAuth, DesktopAppAuth, ServiceAccountAuth, } from "./types";
3
3
  export { OnePasswordError } from "./errors";
4
4
  export { makeOnePasswordService, makeNativeSdkService, makeCliService, OnePasswordServiceTag, type OnePasswordService, type ResolvedAuth, } from "./service";