@keepur/hive 0.2.8 → 0.3.0

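--- a/package/scripts/honeypot
+++ b/package/scripts/honeypot
@@ -4,16 +4,21 @@ set -euo pipefail
  # honeypot — macOS Keychain credential wrapper for Hive
  #
  # Stores secrets scoped to the Hive instance under service prefix "hive/<id>/".
+ # Also supports a cross-instance "beekeeper/<KEY>" namespace for Beekeeper-tier
+ # secrets (e.g. pipelines that run outside any specific Hive instance).
  # The keychain MCP server (keychain-mcp-server.ts) reads these at runtime.
  # Coexists with .env — either source works, Keychain is preferred for new installs.
  #
  # Usage:
- # honeypot set ANTHROPIC_API_KEY # prompt for value (hidden input)
- # honeypot set SLACK_BOT_TOKEN "xoxb-..." # inline value
- # honeypot get ANTHROPIC_API_KEY # print value
- # honeypot list # show stored keys (no values)
- # honeypot rm ANTHROPIC_API_KEY # delete
- # honeypot doctor # check required keys are present
+ # honeypot set ANTHROPIC_API_KEY # instance-scoped, prompts for value
+ # honeypot set SLACK_BOT_TOKEN "xoxb-..." # instance-scoped, inline value
+ # honeypot set beekeeper/LINEAR_API_KEY # beekeeper-tier (cross-instance)
+ # honeypot set hive/dodi/SOMETHING "v" # fully-qualified, used as-is
+ # honeypot get ANTHROPIC_API_KEY # print value
+ # honeypot get beekeeper/LINEAR_API_KEY # beekeeper-tier
+ # honeypot list # show stored keys (no values)
+ # honeypot rm ANTHROPIC_API_KEY # delete
+ # honeypot doctor # check required keys are present
 
  GREEN='\033[0;32m'
  RED='\033[0;31m'
@@ -47,6 +52,29 @@ resolve_instance_id() {
  INSTANCE_ID=$(resolve_instance_id)
  PREFIX="hive/${INSTANCE_ID}"
 
+ # Resolve the keychain service name (-s) and account (-a) for a given key arg.
+ # Sets globals: ACCOUNT_SERVICE, ACCOUNT_NAME
+ #
+ # Rules:
+ # beekeeper/<KEY> → service="beekeeper/<KEY>", account="<KEY>"
+ # hive/<id>/<KEY> → service="hive/<id>/<KEY>", account="<KEY>"
+ # <KEY> → service="hive/<instance>/<KEY>", account="<KEY>"
+ resolve_account() {
+ local key="$1"
+ if [[ "$key" == beekeeper/* ]]; then
+ ACCOUNT_SERVICE="$key"
+ ACCOUNT_NAME="${key#beekeeper/}"
+ elif [[ "$key" == hive/*/* ]]; then
+ ACCOUNT_SERVICE="$key"
+ # Strip "hive/<id>/" — the bit after the second slash is the bare key.
+ local rest="${key#hive/}"
+ ACCOUNT_NAME="${rest#*/}"
+ else
+ ACCOUNT_SERVICE="${PREFIX}/${key}"
+ ACCOUNT_NAME="$key"
+ fi
+ }
+
  cmd="${1:-help}"
  shift || true
 
@@ -56,8 +84,10 @@ case "$cmd" in
  value="${2:-}"
  if [ -z "$key" ]; then
  echo "Usage: honeypot set <KEY> [value]"
+ echo " honeypot set beekeeper/<KEY> [value]"
  exit 1
  fi
+ resolve_account "$key"
  if [ -z "$value" ]; then
  printf "Enter value for %s: " "$key"
  read -rs value
@@ -68,15 +98,15 @@ case "$cmd" in
  fi
  fi
  security add-generic-password \
- -s "${PREFIX}/${key}" \
- -a "$key" \
+ -s "$ACCOUNT_SERVICE" \
+ -a "$ACCOUNT_NAME" \
  -w "$value" \
  -U 2>/dev/null || \
  security add-generic-password \
- -s "${PREFIX}/${key}" \
- -a "$key" \
+ -s "$ACCOUNT_SERVICE" \
+ -a "$ACCOUNT_NAME" \
  -w "$value"
- echo -e "${GREEN}+${NC} ${PREFIX}/${key}"
+ echo -e "${GREEN}+${NC} ${ACCOUNT_SERVICE}"
  ;;
 
  get)
@@ -85,11 +115,12 @@ case "$cmd" in
  echo "Usage: honeypot get <KEY>"
  exit 1
  fi
+ resolve_account "$key"
  security find-generic-password \
- -s "${PREFIX}/${key}" \
- -a "$key" \
+ -s "$ACCOUNT_SERVICE" \
+ -a "$ACCOUNT_NAME" \
  -w 2>/dev/null || {
- echo -e "${RED}Not found:${NC} ${PREFIX}/${key}"
+ echo -e "${RED}Not found:${NC} ${ACCOUNT_SERVICE}"
  exit 1
  }
  ;;
@@ -100,31 +131,46 @@ case "$cmd" in
  echo "Usage: honeypot rm <KEY>"
  exit 1
  fi
+ resolve_account "$key"
  security delete-generic-password \
- -s "${PREFIX}/${key}" \
- -a "$key" &>/dev/null && \
- echo -e "${GREEN}-${NC} ${PREFIX}/${key}" || {
- echo -e "${RED}Not found:${NC} ${PREFIX}/${key}"
+ -s "$ACCOUNT_SERVICE" \
+ -a "$ACCOUNT_NAME" &>/dev/null && \
+ echo -e "${GREEN}-${NC} ${ACCOUNT_SERVICE}" || {
+ echo -e "${RED}Not found:${NC} ${ACCOUNT_SERVICE}"
  exit 1
  }
  ;;
 
  list|ls)
- echo -e "${DIM}Secrets under ${PREFIX}/:${NC}"
- echo ""
- # Extract service names matching our prefix from keychain dump
- entries=$(security dump-keychain 2>/dev/null | \
+ # Pull all matching service names from the keychain dump once.
+ all_entries=$(security dump-keychain 2>/dev/null | \
  grep "0x00000007" | \
  sed 's/.*<blob>="\([^"]*\)".*/\1/' | \
- grep "^${PREFIX}/" | \
  sort -u || true)
- if [ -n "$entries" ]; then
- echo "$entries" | while IFS= read -r svc; do
+
+ instance_entries=$(echo "$all_entries" | grep "^${PREFIX}/" || true)
+ beekeeper_entries=$(echo "$all_entries" | grep "^beekeeper/" || true)
+
+ echo -e "${DIM}Secrets under ${PREFIX}/:${NC}"
+ echo ""
+ if [ -n "$instance_entries" ]; then
+ echo "$instance_entries" | while IFS= read -r svc; do
  echo " ${svc#${PREFIX}/}"
  done
  else
  echo " (none)"
  fi
+
+ echo ""
+ echo -e "${DIM}Secrets under beekeeper/ (cross-instance):${NC}"
+ echo ""
+ if [ -n "$beekeeper_entries" ]; then
+ echo "$beekeeper_entries" | while IFS= read -r svc; do
+ echo " ${svc#beekeeper/}"
+ done
+ else
+ echo " (none)"
+ fi
  ;;
 
  doctor)
@@ -165,15 +211,19 @@ case "$cmd" in
  honeypot — macOS Keychain credential store for Hive
 
  Usage:
- honeypot set <KEY> [value] Store a credential (prompts if value omitted)
- honeypot get <KEY> Retrieve a credential
- honeypot list Show stored keys (no values)
- honeypot rm <KEY> Delete a credential
- honeypot doctor Check required credentials are present
- honeypot help This message
-
- Credentials are stored in macOS Keychain under "hive/<instance-id>/<KEY>"
- and are readable by the Hive keychain MCP server at runtime.
+ honeypot set <KEY> [value] Store an instance-scoped credential
+ honeypot set beekeeper/<KEY> [value] Store a cross-instance Beekeeper-tier secret
+ honeypot get <KEY> Retrieve a credential
+ honeypot list Show stored keys (no values)
+ honeypot rm <KEY> Delete a credential
+ honeypot doctor Check required credentials are present
+ honeypot help This message
+
+ Credentials are stored in macOS Keychain under one of:
+ hive/<instance-id>/<KEY> instance-scoped (default for bare KEY)
+ beekeeper/<KEY> cross-instance Beekeeper-tier (e.g. pipeline-tick)
+
+ Both namespaces are readable by the Hive keychain MCP server at runtime.
 
  HELP
  ;;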
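Review bot: `resolve_account` (hunk `@@ -47,6 +52,29 @@`) does not validate what follows the `beekeeper/` or `hive/<id>/` prefix, so `beekeeper/` and `hive/x/` yield an empty `ACCOUNT_NAME`, and `hive/a/b/KEY` yields `b/KEY` because `*` in a `[[ ]]` pattern also matches `/`. The `set` arm only tests `[ -z "$key" ]` before calling it, which these inputs pass; the `get` and `rm` checks start outside their hunks but appear to be the same. If keys are always env-style names, ending the function with `[[ "$ACCOUNT_NAME" =~ ^[A-Za-z0-9_]+$ ]] || { echo "Invalid key: $key" >&2; exit 1; }` would reject them before `security` is invoked. The fully-qualified form also lets `set` and `rm` act on another instance's entries, which looks intended from the usage comment but deserves a line in the function header, e.g. `# NOTE: hive/<id>/<KEY> bypasses INSTANCE_ID scoping; the key argument must be trusted.`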