@kustodian/plugin-1password 1.0.1 → 1.1.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@kustodian/plugin-1password",
-  "version": "1.0.1",
+  "version": "1.1.0",
   "description": "1Password secret provider plugin for Kustodian",
   "type": "module",
   "main": "./src/index.ts",
@@ -37,9 +37,9 @@
     "registry": "https://npm.pkg.github.com"
   },
   "dependencies": {
-    "@kustodian/core": "workspace:*",
-    "@kustodian/plugins": "workspace:*",
-    "@kustodian/schema": "workspace:*"
+    "@kustodian/core": "1.1.0",
+    "@kustodian/plugins": "1.0.1",
+    "@kustodian/schema": "1.3.0"
   },
   "devDependencies": {}
 }

package/src/resolver.ts

@@ -7,6 +7,7 @@ import type { OnePasswordPluginOptionsType } from './types.js';
 
 /**
  * Resolves 1Password substitutions to actual secret values.
+ * Supports both full references and shorthand with cluster defaults.
  * Returns a map from substitution name to resolved value.
  */
 export async function resolve_onepassword_substitutions(
@@ -20,7 +21,36 @@ export async function resolve_onepassword_substitutions(
   const results: Record<string, string> = {};
 
   for (const sub of substitutions) {
-    const result = await op_read(sub.ref, options);
+    // Build the reference string
+    let ref: string;
+
+    if (sub.ref) {
+      // Full reference provided
+      ref = sub.ref;
+    } else if (sub.item && sub.field) {
+      // Shorthand reference - need cluster vault
+      const vault = options.cluster_defaults?.vault;
+      if (!vault) {
+        return failure({
+          code: 'MISSING_1PASSWORD_VAULT',
+          message: `1Password substitution '${sub.name}' uses shorthand but no cluster vault configured`,
+        });
+      }
+
+      // Build op:// reference
+      if (sub.section) {
+        ref = `op://${vault}/${sub.item}/${sub.section}/${sub.field}`;
+      } else {
+        ref = `op://${vault}/${sub.item}/${sub.field}`;
+      }
+    } else {
+      return failure({
+        code: 'INVALID_1PASSWORD_REFERENCE',
+        message: `1Password substitution '${sub.name}' must specify either 'ref' or 'item'+'field'`,
+      });
+    }
+
+    const result = await op_read(ref, options);
 
     if (!result.success) {
       // If we have a default and fail_on_missing is false, use the default

package/src/types.ts

@@ -1,3 +1,11 @@
+/**
+ * Cluster-level 1Password defaults.
+ */
+export interface OnePasswordClusterDefaultsType {
+  /** Default vault name or ID */
+  vault?: string | undefined;
+}
+
 /**
  * Options for the 1Password plugin.
  */
@@ -8,6 +16,8 @@ export interface OnePasswordPluginOptionsType {
   timeout?: number | undefined;
   /** Whether to fail on missing secrets (default: true) */
   fail_on_missing?: boolean | undefined;
+  /** Cluster-level defaults for vault */
+  cluster_defaults?: OnePasswordClusterDefaultsType | undefined;
 }
 
 /**
@@ -37,20 +47,31 @@ export function parse_onepassword_ref(ref: string): OnePasswordRefType | undefin
     return undefined;
   }
 
-  const [, vault, item, section, field] = match;
+  const vault = match[1];
+  const item = match[2];
+  const section = match[3];
+  const field = match[4];
 
   // If section is undefined, the field is in position 3
   if (field === undefined) {
+    // When there's no section, match[3] contains the field
+    if (!vault || !item || !section) {
+      return undefined;
+    }
     return {
-      vault: vault!,
-      item: item!,
-      field: section!,
+      vault,
+      item,
+      field: section,
     };
   }
 
+  if (!vault || !item || !field) {
+    return undefined;
+  }
+
   return {
-    vault: vault!,
-    item: item!,
+    vault,
+    item,
     section,
     field,
   };