npm - @kustodian/plugin-1password - Versions diffs - 1.1.1 → 2.0.0 - Mend

@kustodian/plugin-1password 1.1.1 → 2.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (17) hide show

package/dist/executor.d.ts ADDED Viewed

@@ -0,0 +1,37 @@
+import type { KustodianErrorType } from '@kustodian/core';
+import { type ResultType } from '@kustodian/core';
+import { type OnePasswordPluginOptionsType } from './types.js';
+/**
+ * Result of a command execution.
+ */
+export interface CommandResultType {
+    stdout: string;
+    stderr: string;
+    exit_code: number;
+}
+/**
+ * Options for command execution.
+ */
+export interface ExecOptionsType {
+    cwd?: string | undefined;
+    timeout?: number | undefined;
+    env?: Record<string, string> | undefined;
+}
+/**
+ * Executes a command and returns the result.
+ * Uses execFile instead of exec for security (no shell invocation).
+ */
+export declare function exec_command(command: string, args?: string[], options?: ExecOptionsType): Promise<ResultType<CommandResultType, KustodianErrorType>>;
+/**
+ * Checks if op CLI is available in the system PATH.
+ */
+export declare function check_op_available(): Promise<ResultType<string, KustodianErrorType>>;
+/**
+ * Reads a single secret from 1Password.
+ */
+export declare function op_read(ref: string, options?: OnePasswordPluginOptionsType): Promise<ResultType<string, KustodianErrorType>>;
+/**
+ * Reads multiple secrets from 1Password in batch.
+ */
+export declare function op_read_batch(refs: string[], options?: OnePasswordPluginOptionsType): Promise<ResultType<Record<string, string>, KustodianErrorType>>;
+//# sourceMappingURL=executor.d.ts.map

package/dist/executor.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"executor.d.ts","sourceRoot":"","sources":["../src/executor.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAC;AAC1D,OAAO,EAAU,KAAK,UAAU,EAAoB,MAAM,iBAAiB,CAAC;AAE5E,OAAO,EAAmB,KAAK,4BAA4B,EAAE,MAAM,YAAY,CAAC;AAIhF;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,GAAG,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IACzB,OAAO,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IAC7B,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,SAAS,CAAC;CAC1C;AAED;;;GAGG;AACH,wBAAsB,YAAY,CAChC,OAAO,EAAE,MAAM,EACf,IAAI,GAAE,MAAM,EAAO,EACnB,OAAO,GAAE,eAAoB,GAC5B,OAAO,CAAC,UAAU,CAAC,iBAAiB,EAAE,kBAAkB,CAAC,CAAC,CAwB5D;AA6BD;;GAEG;AACH,wBAAsB,kBAAkB,IAAI,OAAO,CAAC,UAAU,CAAC,MAAM,EAAE,kBAAkB,CAAC,CAAC,CAc1F;AAED;;GAEG;AACH,wBAAsB,OAAO,CAC3B,GAAG,EAAE,MAAM,EACX,OAAO,GAAE,4BAAiC,GACzC,OAAO,CAAC,UAAU,CAAC,MAAM,EAAE,kBAAkB,CAAC,CAAC,CA4CjD;AAED;;GAEG;AACH,wBAAsB,aAAa,CACjC,IAAI,EAAE,MAAM,EAAE,EACd,OAAO,GAAE,4BAAiC,GACzC,OAAO,CAAC,UAAU,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EAAE,kBAAkB,CAAC,CAAC,CAuBjE"}

package/dist/index.d.ts ADDED Viewed

@@ -0,0 +1,5 @@
+export { type CommandResultType, check_op_available, type ExecOptionsType, exec_command, op_read, op_read_batch, } from './executor.js';
+export { create_onepassword_plugin, plugin, plugin as default } from './plugin.js';
+export { resolve_onepassword_substitutions } from './resolver.js';
+export { DEFAULT_TIMEOUT, type OnePasswordPluginOptionsType, type OnePasswordRefType, parse_onepassword_ref, } from './types.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAGA,OAAO,EACL,KAAK,iBAAiB,EACtB,kBAAkB,EAClB,KAAK,eAAe,EACpB,YAAY,EACZ,OAAO,EACP,aAAa,GACd,MAAM,eAAe,CAAC;AACvB,OAAO,EAAE,yBAAyB,EAAE,MAAM,EAAE,MAAM,IAAI,OAAO,EAAE,MAAM,aAAa,CAAC;AAGnF,OAAO,EAAE,iCAAiC,EAAE,MAAM,eAAe,CAAC;AAGlE,OAAO,EACL,eAAe,EACf,KAAK,4BAA4B,EACjC,KAAK,kBAAkB,EACvB,qBAAqB,GACtB,MAAM,YAAY,CAAC"}

package/dist/index.js ADDED Viewed

@@ -0,0 +1,442 @@
+// src/executor.ts
+import { execFile } from "node:child_process";
+import { promisify } from "node:util";
+// ../../packages/core/dist/index.js
+function create_error(code, message, cause) {
+  return { code, message, cause };
+}
+var ErrorCodes = {
+  UNKNOWN: "UNKNOWN",
+  INVALID_ARGUMENT: "INVALID_ARGUMENT",
+  NOT_FOUND: "NOT_FOUND",
+  ALREADY_EXISTS: "ALREADY_EXISTS",
+  FILE_NOT_FOUND: "FILE_NOT_FOUND",
+  FILE_READ_ERROR: "FILE_READ_ERROR",
+  FILE_WRITE_ERROR: "FILE_WRITE_ERROR",
+  DIRECTORY_NOT_FOUND: "DIRECTORY_NOT_FOUND",
+  PARSE_ERROR: "PARSE_ERROR",
+  YAML_PARSE_ERROR: "YAML_PARSE_ERROR",
+  JSON_PARSE_ERROR: "JSON_PARSE_ERROR",
+  VALIDATION_ERROR: "VALIDATION_ERROR",
+  SCHEMA_VALIDATION_ERROR: "SCHEMA_VALIDATION_ERROR",
+  CONFIG_NOT_FOUND: "CONFIG_NOT_FOUND",
+  CONFIG_INVALID: "CONFIG_INVALID",
+  TEMPLATE_NOT_FOUND: "TEMPLATE_NOT_FOUND",
+  CLUSTER_NOT_FOUND: "CLUSTER_NOT_FOUND",
+  PROFILE_NOT_FOUND: "PROFILE_NOT_FOUND",
+  NETWORK_ERROR: "NETWORK_ERROR",
+  CONNECTION_REFUSED: "CONNECTION_REFUSED",
+  TIMEOUT: "TIMEOUT",
+  SSH_CONNECTION_ERROR: "SSH_CONNECTION_ERROR",
+  SSH_AUTH_ERROR: "SSH_AUTH_ERROR",
+  SSH_COMMAND_ERROR: "SSH_COMMAND_ERROR",
+  K8S_CONNECTION_ERROR: "K8S_CONNECTION_ERROR",
+  K8S_API_ERROR: "K8S_API_ERROR",
+  NODE_NOT_READY: "NODE_NOT_READY",
+  BOOTSTRAP_ERROR: "BOOTSTRAP_ERROR",
+  BOOTSTRAP_STATE_ERROR: "BOOTSTRAP_STATE_ERROR",
+  CLUSTER_PROVIDER_ERROR: "CLUSTER_PROVIDER_ERROR",
+  PLUGIN_NOT_FOUND: "PLUGIN_NOT_FOUND",
+  PLUGIN_LOAD_ERROR: "PLUGIN_LOAD_ERROR",
+  PLUGIN_EXECUTION_ERROR: "PLUGIN_EXECUTION_ERROR",
+  DEPENDENCY_CYCLE: "DEPENDENCY_CYCLE",
+  DEPENDENCY_MISSING: "DEPENDENCY_MISSING",
+  DEPENDENCY_SELF_REFERENCE: "DEPENDENCY_SELF_REFERENCE",
+  DEPENDENCY_VALIDATION_ERROR: "DEPENDENCY_VALIDATION_ERROR",
+  SECRET_CLI_NOT_FOUND: "SECRET_CLI_NOT_FOUND",
+  SECRET_NOT_FOUND: "SECRET_NOT_FOUND",
+  SECRET_AUTH_ERROR: "SECRET_AUTH_ERROR",
+  SECRET_TIMEOUT: "SECRET_TIMEOUT",
+  SOURCE_FETCH_ERROR: "SOURCE_FETCH_ERROR",
+  SOURCE_AUTH_ERROR: "SOURCE_AUTH_ERROR",
+  SOURCE_TIMEOUT: "SOURCE_TIMEOUT",
+  SOURCE_CHECKSUM_MISMATCH: "SOURCE_CHECKSUM_MISMATCH",
+  SOURCE_VERSION_NOT_FOUND: "SOURCE_VERSION_NOT_FOUND",
+  CACHE_READ_ERROR: "CACHE_READ_ERROR",
+  CACHE_WRITE_ERROR: "CACHE_WRITE_ERROR",
+  CACHE_CORRUPT: "CACHE_CORRUPT"
+};
+var Errors = {
+  unknown(message, cause) {
+    return create_error(ErrorCodes.UNKNOWN, message, cause);
+  },
+  invalid_argument(argument, reason) {
+    return create_error(ErrorCodes.INVALID_ARGUMENT, `Invalid argument '${argument}': ${reason}`);
+  },
+  not_found(resource, identifier) {
+    return create_error(ErrorCodes.NOT_FOUND, `${resource} '${identifier}' not found`);
+  },
+  already_exists(resource, identifier) {
+    return create_error(ErrorCodes.ALREADY_EXISTS, `${resource} '${identifier}' already exists`);
+  },
+  file_not_found(path) {
+    return create_error(ErrorCodes.FILE_NOT_FOUND, `File not found: ${path}`);
+  },
+  file_read_error(path, cause) {
+    return create_error(ErrorCodes.FILE_READ_ERROR, `Failed to read file: ${path}`, cause);
+  },
+  file_write_error(path, cause) {
+    return create_error(ErrorCodes.FILE_WRITE_ERROR, `Failed to write file: ${path}`, cause);
+  },
+  parse_error(format, message, cause) {
+    return create_error(ErrorCodes.PARSE_ERROR, `Failed to parse ${format}: ${message}`, cause);
+  },
+  yaml_parse_error(message, cause) {
+    return create_error(ErrorCodes.YAML_PARSE_ERROR, `YAML parse error: ${message}`, cause);
+  },
+  validation_error(message, cause) {
+    return create_error(ErrorCodes.VALIDATION_ERROR, message, cause);
+  },
+  schema_validation_error(errors) {
+    return create_error(ErrorCodes.SCHEMA_VALIDATION_ERROR, `Schema validation failed:
+${errors.map((e) => `  - ${e}`).join(`
+`)}`);
+  },
+  config_not_found(config_type, path) {
+    return create_error(ErrorCodes.CONFIG_NOT_FOUND, `${config_type} configuration not found at: ${path}`);
+  },
+  template_not_found(name) {
+    return create_error(ErrorCodes.TEMPLATE_NOT_FOUND, `Template '${name}' not found`);
+  },
+  cluster_not_found(name) {
+    return create_error(ErrorCodes.CLUSTER_NOT_FOUND, `Cluster '${name}' not found`);
+  },
+  profile_not_found(name) {
+    return create_error(ErrorCodes.PROFILE_NOT_FOUND, `Node profile '${name}' not found`);
+  },
+  ssh_connection_error(host, cause) {
+    return create_error(ErrorCodes.SSH_CONNECTION_ERROR, `Failed to connect to ${host} via SSH`, cause);
+  },
+  ssh_auth_error(host, cause) {
+    return create_error(ErrorCodes.SSH_AUTH_ERROR, `SSH authentication failed for ${host}`, cause);
+  },
+  bootstrap_error(message, cause) {
+    return create_error(ErrorCodes.BOOTSTRAP_ERROR, `Bootstrap failed: ${message}`, cause);
+  },
+  plugin_not_found(name) {
+    return create_error(ErrorCodes.PLUGIN_NOT_FOUND, `Plugin '${name}' not found`);
+  },
+  plugin_load_error(name, cause) {
+    return create_error(ErrorCodes.PLUGIN_LOAD_ERROR, `Failed to load plugin '${name}'`, cause);
+  },
+  dependency_cycle(cycle) {
+    const cycle_str = cycle.join(" → ");
+    return create_error(ErrorCodes.DEPENDENCY_CYCLE, `Dependency cycle detected: ${cycle_str}`);
+  },
+  dependency_missing(source, target) {
+    return create_error(ErrorCodes.DEPENDENCY_MISSING, `Kustomization '${source}' depends on '${target}' which does not exist`);
+  },
+  dependency_self_reference(node) {
+    return create_error(ErrorCodes.DEPENDENCY_SELF_REFERENCE, `Kustomization '${node}' cannot depend on itself`);
+  },
+  dependency_validation_error(errors) {
+    return create_error(ErrorCodes.DEPENDENCY_VALIDATION_ERROR, `Dependency validation failed:
+${errors.map((e) => `  - ${e}`).join(`
+`)}`);
+  },
+  secret_cli_not_found(provider, cli_name) {
+    return create_error(ErrorCodes.SECRET_CLI_NOT_FOUND, `${provider} CLI (${cli_name}) not found. Please install it first.`);
+  },
+  secret_not_found(provider, ref) {
+    return create_error(ErrorCodes.SECRET_NOT_FOUND, `Secret not found in ${provider}: ${ref}`);
+  },
+  secret_auth_error(provider, cause) {
+    return create_error(ErrorCodes.SECRET_AUTH_ERROR, `${provider} authentication failed. Check your credentials.`, cause);
+  },
+  secret_timeout(provider, timeout) {
+    return create_error(ErrorCodes.SECRET_TIMEOUT, `${provider} operation timed out after ${timeout}ms`);
+  },
+  source_fetch_error(source, cause) {
+    return create_error(ErrorCodes.SOURCE_FETCH_ERROR, `Failed to fetch template source '${source}'`, cause);
+  },
+  source_auth_error(source, cause) {
+    return create_error(ErrorCodes.SOURCE_AUTH_ERROR, `Authentication failed for source '${source}'`, cause);
+  },
+  source_timeout(source, timeout) {
+    return create_error(ErrorCodes.SOURCE_TIMEOUT, `Source '${source}' operation timed out after ${timeout}ms`);
+  },
+  source_checksum_mismatch(source, expected, actual) {
+    return create_error(ErrorCodes.SOURCE_CHECKSUM_MISMATCH, `Checksum mismatch for '${source}': expected ${expected}, got ${actual}`);
+  },
+  source_version_not_found(source, version) {
+    return create_error(ErrorCodes.SOURCE_VERSION_NOT_FOUND, `Version '${version}' not found for source '${source}'`);
+  },
+  cache_read_error(path, cause) {
+    return create_error(ErrorCodes.CACHE_READ_ERROR, `Failed to read cache at: ${path}`, cause);
+  },
+  cache_write_error(path, cause) {
+    return create_error(ErrorCodes.CACHE_WRITE_ERROR, `Failed to write cache at: ${path}`, cause);
+  },
+  cache_corrupt(path) {
+    return create_error(ErrorCodes.CACHE_CORRUPT, `Cache is corrupt at: ${path}`);
+  }
+};
+function success(value) {
+  return { success: true, value };
+}
+function failure(error) {
+  return { success: false, error };
+}
+// src/types.ts
+var DEFAULT_TIMEOUT = 30000;
+function parse_onepassword_ref(ref) {
+  const match = ref.match(/^op:\/\/([^/]+)\/([^/]+)\/(?:([^/]+)\/)?([^/]+)$/);
+  if (!match) {
+    return;
+  }
+  const vault = match[1];
+  const item = match[2];
+  const section = match[3];
+  const field = match[4];
+  if (field === undefined) {
+    if (!vault || !item || !section) {
+      return;
+    }
+    return {
+      vault,
+      item,
+      field: section
+    };
+  }
+  if (!vault || !item || !field) {
+    return;
+  }
+  return {
+    vault,
+    item,
+    section,
+    field
+  };
+}
+// src/executor.ts
+var exec_file_async = promisify(execFile);
+async function exec_command(command, args = [], options = {}) {
+  try {
+    const { stdout, stderr } = await exec_file_async(command, args, {
+      cwd: options.cwd,
+      timeout: options.timeout,
+      env: { ...process.env, ...options.env }
+    });
+    return success({
+      stdout,
+      stderr,
+      exit_code: 0
+    });
+  } catch (error) {
+    if (is_exec_error(error)) {
+      return success({
+        stdout: error.stdout ?? "",
+        stderr: error.stderr ?? "",
+        exit_code: error.code ?? 1
+      });
+    }
+    return failure(Errors.unknown(`Failed to execute command: ${command}`, error));
+  }
+}
+function is_exec_error(error) {
+  return typeof error === "object" && error !== null && (("stdout" in error) || ("stderr" in error) || ("code" in error));
+}
+function get_op_auth_env(options) {
+  const env = {};
+  const token = options.service_account_token ?? process.env["OP_SERVICE_ACCOUNT_TOKEN"];
+  if (token) {
+    env["OP_SERVICE_ACCOUNT_TOKEN"] = token;
+  }
+  return env;
+}
+async function check_op_available() {
+  const result = await exec_command("op", ["--version"]);
+  if (!result.success) {
+    return result;
+  }
+  if (result.value.exit_code !== 0) {
+    return failure(Errors.secret_cli_not_found("1Password", "op"));
+  }
+  const version = result.value.stdout.trim();
+  return success(version);
+}
+async function op_read(ref, options = {}) {
+  const timeout = options.timeout ?? DEFAULT_TIMEOUT;
+  const env = get_op_auth_env(options);
+  const result = await exec_command("op", ["read", ref], {
+    timeout,
+    env
+  });
+  if (!result.success) {
+    return result;
+  }
+  const { stdout, stderr, exit_code } = result.value;
+  if (exit_code !== 0) {
+    const stderr_lower = stderr.toLowerCase();
+    if (stderr_lower.includes("not found") || stderr_lower.includes("doesn't exist") || stderr_lower.includes("no item")) {
+      return failure(Errors.secret_not_found("1Password", ref));
+    }
+    if (stderr_lower.includes("sign in") || stderr_lower.includes("authentication") || stderr_lower.includes("unauthorized") || stderr_lower.includes("not signed in")) {
+      return failure(Errors.secret_auth_error("1Password", stderr));
+    }
+    if (stderr_lower.includes("timeout")) {
+      return failure(Errors.secret_timeout("1Password", timeout));
+    }
+    return failure(Errors.unknown(`1Password error: ${stderr}`));
+  }
+  return success(stdout.trim());
+}
+async function op_read_batch(refs, options = {}) {
+  if (refs.length === 0) {
+    return success({});
+  }
+  const results = {};
+  for (const ref of refs) {
+    const result = await op_read(ref, options);
+    if (!result.success) {
+      if (options.fail_on_missing !== false) {
+        return result;
+      }
+      continue;
+    }
+    results[ref] = result.value;
+  }
+  return success(results);
+}
+// src/plugin.ts
+var manifest = {
+  name: "@kustodian/plugin-1password",
+  version: "0.1.0",
+  description: "1Password secret provider for Kustodian",
+  capabilities: ["commands", "hooks"]
+};
+function create_onepassword_plugin(options = {}) {
+  return {
+    manifest,
+    async activate() {
+      const check_result = await check_op_available();
+      if (!check_result.success) {
+        console.warn("1Password CLI (op) not found - secret resolution may fail");
+      }
+      return success(undefined);
+    },
+    async deactivate() {
+      return success(undefined);
+    },
+    get_commands() {
+      const onepassword_command = {
+        name: "1password",
+        description: "1Password secret management commands",
+        subcommands: [
+          {
+            name: "check",
+            description: "Check 1Password CLI availability and authentication",
+            handler: async () => {
+              const result = await check_op_available();
+              if (result.success) {
+                console.log(`1Password CLI version: ${result.value}`);
+                return success(undefined);
+              }
+              console.error("1Password CLI not available");
+              return result;
+            }
+          },
+          {
+            name: "test",
+            description: "Test reading a secret reference",
+            arguments: [
+              {
+                name: "ref",
+                description: "Secret reference (op://vault/item/field)",
+                required: true
+              }
+            ],
+            handler: async (ctx) => {
+              const ref = ctx.args[0];
+              if (!ref) {
+                console.error("Missing secret reference");
+                return success(undefined);
+              }
+              const result = await op_read(ref, options);
+              if (result.success) {
+                console.log("Secret retrieved successfully (value hidden)");
+                console.log(`Length: ${result.value.length} characters`);
+                return success(undefined);
+              }
+              console.error(`Failed to read secret: ${result.error.message}`);
+              return result;
+            }
+          }
+        ]
+      };
+      return [{ command: onepassword_command }];
+    },
+    get_hooks() {
+      return [
+        {
+          event: "generator:after_resolve",
+          priority: 50,
+          handler: async (_event, ctx) => {
+            return success(ctx);
+          }
+        }
+      ];
+    }
+  };
+}
+var plugin = create_onepassword_plugin();
+// src/resolver.ts
+async function resolve_onepassword_substitutions(substitutions, options = {}) {
+  if (substitutions.length === 0) {
+    return success({});
+  }
+  const results = {};
+  for (const sub of substitutions) {
+    let ref;
+    if (sub.ref) {
+      ref = sub.ref;
+    } else if (sub.item && sub.field) {
+      const vault = options.cluster_defaults?.vault;
+      if (!vault) {
+        return failure({
+          code: "MISSING_1PASSWORD_VAULT",
+          message: `1Password substitution '${sub.name}' uses shorthand but no cluster vault configured`
+        });
+      }
+      if (sub.section) {
+        ref = `op://${vault}/${sub.item}/${sub.section}/${sub.field}`;
+      } else {
+        ref = `op://${vault}/${sub.item}/${sub.field}`;
+      }
+    } else {
+      return failure({
+        code: "INVALID_1PASSWORD_REFERENCE",
+        message: `1Password substitution '${sub.name}' must specify either 'ref' or 'item'+'field'`
+      });
+    }
+    const result = await op_read(ref, options);
+    if (!result.success) {
+      if (sub.default !== undefined && options.fail_on_missing === false) {
+        results[sub.name] = sub.default;
+        continue;
+      }
+      if (sub.default !== undefined) {
+        results[sub.name] = sub.default;
+        continue;
+      }
+      return failure(result.error);
+    }
+    results[sub.name] = result.value;
+  }
+  return success(results);
+}
+export {
+  resolve_onepassword_substitutions,
+  plugin,
+  parse_onepassword_ref,
+  op_read_batch,
+  op_read,
+  exec_command,
+  plugin as default,
+  create_onepassword_plugin,
+  check_op_available,
+  DEFAULT_TIMEOUT
+};

package/dist/plugin.d.ts ADDED Viewed

@@ -0,0 +1,12 @@
+import type { KustodianPluginType } from '@kustodian/plugins';
+import type { OnePasswordPluginOptionsType } from './types.js';
+/**
+ * Creates the 1Password plugin.
+ */
+export declare function create_onepassword_plugin(options?: OnePasswordPluginOptionsType): KustodianPluginType;
+/**
+ * Default plugin export.
+ */
+export declare const plugin: KustodianPluginType;
+export default plugin;
+//# sourceMappingURL=plugin.d.ts.map

package/dist/plugin.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"plugin.d.ts","sourceRoot":"","sources":["../src/plugin.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAIV,mBAAmB,EAIpB,MAAM,oBAAoB,CAAC;AAG5B,OAAO,KAAK,EAAE,4BAA4B,EAAE,MAAM,YAAY,CAAC;AAY/D;;GAEG;AACH,wBAAgB,yBAAyB,CACvC,OAAO,GAAE,4BAAiC,GACzC,mBAAmB,CAiFrB;AAED;;GAEG;AACH,eAAO,MAAM,MAAM,qBAA8B,CAAC;AAElD,eAAe,MAAM,CAAC"}

package/dist/resolver.d.ts ADDED Viewed

@@ -0,0 +1,11 @@
+import type { KustodianErrorType } from '@kustodian/core';
+import { type ResultType } from '@kustodian/core';
+import type { OnePasswordSubstitutionType } from '@kustodian/schema';
+import type { OnePasswordPluginOptionsType } from './types.js';
+/**
+ * Resolves 1Password substitutions to actual secret values.
+ * Supports both full references and shorthand with cluster defaults.
+ * Returns a map from substitution name to resolved value.
+ */
+export declare function resolve_onepassword_substitutions(substitutions: OnePasswordSubstitutionType[], options?: OnePasswordPluginOptionsType): Promise<ResultType<Record<string, string>, KustodianErrorType>>;
+//# sourceMappingURL=resolver.d.ts.map

package/dist/resolver.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"resolver.d.ts","sourceRoot":"","sources":["../src/resolver.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAC;AAC1D,OAAO,EAAE,KAAK,UAAU,EAAoB,MAAM,iBAAiB,CAAC;AACpE,OAAO,KAAK,EAAE,2BAA2B,EAAE,MAAM,mBAAmB,CAAC;AAGrE,OAAO,KAAK,EAAE,4BAA4B,EAAE,MAAM,YAAY,CAAC;AAE/D;;;;GAIG;AACH,wBAAsB,iCAAiC,CACrD,aAAa,EAAE,2BAA2B,EAAE,EAC5C,OAAO,GAAE,4BAAiC,GACzC,OAAO,CAAC,UAAU,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EAAE,kBAAkB,CAAC,CAAC,CA4DjE"}

package/dist/types.d.ts ADDED Viewed

@@ -0,0 +1,39 @@
+/**
+ * Cluster-level 1Password defaults.
+ */
+export interface OnePasswordClusterDefaultsType {
+    /** Default vault name or ID */
+    vault?: string | undefined;
+}
+/**
+ * Options for the 1Password plugin.
+ */
+export interface OnePasswordPluginOptionsType {
+    /** Service account token (can also be set via OP_SERVICE_ACCOUNT_TOKEN env var) */
+    service_account_token?: string | undefined;
+    /** Timeout for CLI operations in milliseconds (default: 30000) */
+    timeout?: number | undefined;
+    /** Whether to fail on missing secrets (default: true) */
+    fail_on_missing?: boolean | undefined;
+    /** Cluster-level defaults for vault */
+    cluster_defaults?: OnePasswordClusterDefaultsType | undefined;
+}
+/**
+ * Parsed 1Password reference.
+ */
+export interface OnePasswordRefType {
+    vault: string;
+    item: string;
+    section?: string | undefined;
+    field: string;
+}
+/**
+ * Default timeout for 1Password CLI operations.
+ */
+export declare const DEFAULT_TIMEOUT = 30000;
+/**
+ * Parses a 1Password secret reference.
+ * Format: op://vault/item[/section]/field
+ */
+export declare function parse_onepassword_ref(ref: string): OnePasswordRefType | undefined;
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,MAAM,WAAW,8BAA8B;IAC7C,+BAA+B;IAC/B,KAAK,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;CAC5B;AAED;;GAEG;AACH,MAAM,WAAW,4BAA4B;IAC3C,mFAAmF;IACnF,qBAAqB,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IAC3C,kEAAkE;IAClE,OAAO,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IAC7B,yDAAyD;IACzD,eAAe,CAAC,EAAE,OAAO,GAAG,SAAS,CAAC;IACtC,uCAAuC;IACvC,gBAAgB,CAAC,EAAE,8BAA8B,GAAG,SAAS,CAAC;CAC/D;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IAC7B,KAAK,EAAE,MAAM,CAAC;CACf;AAED;;GAEG;AACH,eAAO,MAAM,eAAe,QAAQ,CAAC;AAErC;;;GAGG;AACH,wBAAgB,qBAAqB,CAAC,GAAG,EAAE,MAAM,GAAG,kBAAkB,GAAG,SAAS,CAoCjF"}

package/package.json CHANGED Viewed

@@ -1,23 +1,25 @@
 {
   "name": "@kustodian/plugin-1password",
-  "version": "1.1.1",
+  "version": "2.0.0",
   "description": "1Password secret provider plugin for Kustodian",
   "type": "module",
-  "main": "./src/index.ts",
-  "types": "./src/index.ts",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
   "exports": {
     ".": {
-      "types": "./src/index.ts",
-      "import": "./src/index.ts"
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
     }
   },
   "files": [
-    "src"
+    "dist"
   ],
   "scripts": {
     "test": "bun test",
     "test:watch": "bun test --watch",
-    "typecheck": "bun run tsc --noEmit"
+    "typecheck": "bun run tsc --noEmit",
+    "build": "bun build src/index.ts --outdir dist --target node --format esm && tsc --emitDeclarationOnly --outDir dist",
+    "prepublishOnly": "bun run build"
   },
   "keywords": [
     "kustodian",
@@ -34,12 +36,13 @@
     "directory": "plugins/1password"
   },
   "publishConfig": {
-    "registry": "https://npm.pkg.github.com"
+    "access": "public",
+    "registry": "https://registry.npmjs.org"
   },
   "dependencies": {
-    "@kustodian/core": "1.1.0",
-    "@kustodian/plugins": "1.0.1",
-    "@kustodian/schema": "1.4.0"
+    "@kustodian/core": "2.0.0",
+    "@kustodian/plugins": "2.0.0",
+    "@kustodian/schema": "2.0.0"
   },
   "devDependencies": {}
 }

package/src/executor.ts DELETED Viewed

@@ -1,190 +0,0 @@
-import { execFile } from 'node:child_process';
-import { promisify } from 'node:util';
-import { Errors, type ResultType, failure, success } from '@kustodian/core';
-import type { KustodianErrorType } from '@kustodian/core';
-import { DEFAULT_TIMEOUT, type OnePasswordPluginOptionsType } from './types.js';
-const exec_file_async = promisify(execFile);
-/**
- * Result of a command execution.
- */
-export interface CommandResultType {
-  stdout: string;
-  stderr: string;
-  exit_code: number;
-}
-/**
- * Options for command execution.
- */
-export interface ExecOptionsType {
-  cwd?: string | undefined;
-  timeout?: number | undefined;
-  env?: Record<string, string> | undefined;
-}
-/**
- * Executes a command and returns the result.
- * Uses execFile instead of exec for security (no shell invocation).
- */
-export async function exec_command(
-  command: string,
-  args: string[] = [],
-  options: ExecOptionsType = {},
-): Promise<ResultType<CommandResultType, KustodianErrorType>> {
-  try {
-    const { stdout, stderr } = await exec_file_async(command, args, {
-      cwd: options.cwd,
-      timeout: options.timeout,
-      env: { ...process.env, ...options.env },
-    });
-    return success({
-      stdout,
-      stderr,
-      exit_code: 0,
-    });
-  } catch (error) {
-    if (is_exec_error(error)) {
-      return success({
-        stdout: error.stdout ?? '',
-        stderr: error.stderr ?? '',
-        exit_code: error.code ?? 1,
-      });
-    }
-    return failure(Errors.unknown(`Failed to execute command: ${command}`, error));
-  }
-}
-/**
- * Type guard for exec errors.
- */
-function is_exec_error(
-  error: unknown,
-): error is { stdout?: string; stderr?: string; code?: number } {
-  return (
-    typeof error === 'object' &&
-    error !== null &&
-    ('stdout' in error || 'stderr' in error || 'code' in error)
-  );
-}
-/**
- * Gets environment variables for 1Password CLI authentication.
- */
-function get_op_auth_env(options: OnePasswordPluginOptionsType): Record<string, string> {
-  const env: Record<string, string> = {};
-  const token = options.service_account_token ?? process.env['OP_SERVICE_ACCOUNT_TOKEN'];
-  if (token) {
-    env['OP_SERVICE_ACCOUNT_TOKEN'] = token;
-  }
-  return env;
-}
-/**
- * Checks if op CLI is available in the system PATH.
- */
-export async function check_op_available(): Promise<ResultType<string, KustodianErrorType>> {
-  const result = await exec_command('op', ['--version']);
-  if (!result.success) {
-    return result;
-  }
-  if (result.value.exit_code !== 0) {
-    return failure(Errors.secret_cli_not_found('1Password', 'op'));
-  }
-  // Parse version from output (e.g., "2.30.0")
-  const version = result.value.stdout.trim();
-  return success(version);
-}
-/**
- * Reads a single secret from 1Password.
- */
-export async function op_read(
-  ref: string,
-  options: OnePasswordPluginOptionsType = {},
-): Promise<ResultType<string, KustodianErrorType>> {
-  const timeout = options.timeout ?? DEFAULT_TIMEOUT;
-  const env = get_op_auth_env(options);
-  const result = await exec_command('op', ['read', ref], {
-    timeout,
-    env,
-  });
-  if (!result.success) {
-    return result;
-  }
-  const { stdout, stderr, exit_code } = result.value;
-  if (exit_code !== 0) {
-    // Parse specific error types from stderr
-    const stderr_lower = stderr.toLowerCase();
-    if (
-      stderr_lower.includes('not found') ||
-      stderr_lower.includes("doesn't exist") ||
-      stderr_lower.includes('no item')
-    ) {
-      return failure(Errors.secret_not_found('1Password', ref));
-    }
-    if (
-      stderr_lower.includes('sign in') ||
-      stderr_lower.includes('authentication') ||
-      stderr_lower.includes('unauthorized') ||
-      stderr_lower.includes('not signed in')
-    ) {
-      return failure(Errors.secret_auth_error('1Password', stderr));
-    }
-    if (stderr_lower.includes('timeout')) {
-      return failure(Errors.secret_timeout('1Password', timeout));
-    }
-    return failure(Errors.unknown(`1Password error: ${stderr}`));
-  }
-  return success(stdout.trim());
-}
-/**
- * Reads multiple secrets from 1Password in batch.
- */
-export async function op_read_batch(
-  refs: string[],
-  options: OnePasswordPluginOptionsType = {},
-): Promise<ResultType<Record<string, string>, KustodianErrorType>> {
-  if (refs.length === 0) {
-    return success({});
-  }
-  const results: Record<string, string> = {};
-  // Read secrets sequentially for now
-  for (const ref of refs) {
-    const result = await op_read(ref, options);
-    if (!result.success) {
-      if (options.fail_on_missing !== false) {
-        return result;
-      }
-      // Skip missing secrets if fail_on_missing is false
-      continue;
-    }
-    results[ref] = result.value;
-  }
-  return success(results);
-}

package/src/index.ts DELETED Viewed

@@ -1,24 +0,0 @@
-// Plugin exports
-export { create_onepassword_plugin, plugin } from './plugin.js';
-export { plugin as default } from './plugin.js';
-// Executor exports
-export {
-  check_op_available,
-  exec_command,
-  op_read,
-  op_read_batch,
-  type CommandResultType,
-  type ExecOptionsType,
-} from './executor.js';
-// Resolver exports
-export { resolve_onepassword_substitutions } from './resolver.js';
-// Types
-export {
-  parse_onepassword_ref,
-  DEFAULT_TIMEOUT,
-  type OnePasswordPluginOptionsType,
-  type OnePasswordRefType,
-} from './types.js';

package/src/plugin.ts DELETED Viewed

@@ -1,118 +0,0 @@
-import { success } from '@kustodian/core';
-import type {
-  CommandType,
-  HookContextType,
-  HookEventType,
-  KustodianPluginType,
-  PluginCommandContributionType,
-  PluginHookContributionType,
-  PluginManifestType,
-} from '@kustodian/plugins';
-import { check_op_available, op_read } from './executor.js';
-import type { OnePasswordPluginOptionsType } from './types.js';
-/**
- * 1Password plugin manifest.
- */
-const manifest: PluginManifestType = {
-  name: '@kustodian/plugin-1password',
-  version: '0.1.0',
-  description: '1Password secret provider for Kustodian',
-  capabilities: ['commands', 'hooks'],
-};
-/**
- * Creates the 1Password plugin.
- */
-export function create_onepassword_plugin(
-  options: OnePasswordPluginOptionsType = {},
-): KustodianPluginType {
-  return {
-    manifest,
-    async activate() {
-      // Verify CLI availability on activation (warning only)
-      const check_result = await check_op_available();
-      if (!check_result.success) {
-        console.warn('1Password CLI (op) not found - secret resolution may fail');
-      }
-      return success(undefined);
-    },
-    async deactivate() {
-      return success(undefined);
-    },
-    get_commands(): PluginCommandContributionType[] {
-      const onepassword_command: CommandType = {
-        name: '1password',
-        description: '1Password secret management commands',
-        subcommands: [
-          {
-            name: 'check',
-            description: 'Check 1Password CLI availability and authentication',
-            handler: async () => {
-              const result = await check_op_available();
-              if (result.success) {
-                console.log(`1Password CLI version: ${result.value}`);
-                return success(undefined);
-              }
-              console.error('1Password CLI not available');
-              return result;
-            },
-          },
-          {
-            name: 'test',
-            description: 'Test reading a secret reference',
-            arguments: [
-              {
-                name: 'ref',
-                description: 'Secret reference (op://vault/item/field)',
-                required: true,
-              },
-            ],
-            handler: async (ctx) => {
-              const ref = ctx.args[0];
-              if (!ref) {
-                console.error('Missing secret reference');
-                return success(undefined);
-              }
-              const result = await op_read(ref, options);
-              if (result.success) {
-                console.log('Secret retrieved successfully (value hidden)');
-                console.log(`Length: ${result.value.length} characters`);
-                return success(undefined);
-              }
-              console.error(`Failed to read secret: ${result.error.message}`);
-              return result;
-            },
-          },
-        ],
-      };
-      return [{ command: onepassword_command }];
-    },
-    get_hooks(): PluginHookContributionType[] {
-      return [
-        {
-          event: 'generator:after_resolve',
-          priority: 50, // Run before default (100) to inject secrets early
-          handler: async (_event: HookEventType, ctx: HookContextType) => {
-            // Hook for secret injection will be implemented in generator integration
-            return success(ctx);
-          },
-        },
-      ];
-    },
-  };
-}
-/**
- * Default plugin export.
- */
-export const plugin = create_onepassword_plugin();
-export default plugin;

package/src/resolver.ts DELETED Viewed

@@ -1,76 +0,0 @@
-import { type ResultType, failure, success } from '@kustodian/core';
-import type { KustodianErrorType } from '@kustodian/core';
-import type { OnePasswordSubstitutionType } from '@kustodian/schema';
-import { op_read } from './executor.js';
-import type { OnePasswordPluginOptionsType } from './types.js';
-/**
- * Resolves 1Password substitutions to actual secret values.
- * Supports both full references and shorthand with cluster defaults.
- * Returns a map from substitution name to resolved value.
- */
-export async function resolve_onepassword_substitutions(
-  substitutions: OnePasswordSubstitutionType[],
-  options: OnePasswordPluginOptionsType = {},
-): Promise<ResultType<Record<string, string>, KustodianErrorType>> {
-  if (substitutions.length === 0) {
-    return success({});
-  }
-  const results: Record<string, string> = {};
-  for (const sub of substitutions) {
-    // Build the reference string
-    let ref: string;
-    if (sub.ref) {
-      // Full reference provided
-      ref = sub.ref;
-    } else if (sub.item && sub.field) {
-      // Shorthand reference - need cluster vault
-      const vault = options.cluster_defaults?.vault;
-      if (!vault) {
-        return failure({
-          code: 'MISSING_1PASSWORD_VAULT',
-          message: `1Password substitution '${sub.name}' uses shorthand but no cluster vault configured`,
-        });
-      }
-      // Build op:// reference
-      if (sub.section) {
-        ref = `op://${vault}/${sub.item}/${sub.section}/${sub.field}`;
-      } else {
-        ref = `op://${vault}/${sub.item}/${sub.field}`;
-      }
-    } else {
-      return failure({
-        code: 'INVALID_1PASSWORD_REFERENCE',
-        message: `1Password substitution '${sub.name}' must specify either 'ref' or 'item'+'field'`,
-      });
-    }
-    const result = await op_read(ref, options);
-    if (!result.success) {
-      // If we have a default and fail_on_missing is false, use the default
-      if (sub.default !== undefined && options.fail_on_missing === false) {
-        results[sub.name] = sub.default;
-        continue;
-      }
-      // If we have a default, use it
-      if (sub.default !== undefined) {
-        results[sub.name] = sub.default;
-        continue;
-      }
-      // Otherwise, propagate the error
-      return failure(result.error);
-    }
-    results[sub.name] = result.value;
-  }
-  return success(results);
-}

package/src/types.ts DELETED Viewed

@@ -1,78 +0,0 @@
-/**
- * Cluster-level 1Password defaults.
- */
-export interface OnePasswordClusterDefaultsType {
-  /** Default vault name or ID */
-  vault?: string | undefined;
-}
-/**
- * Options for the 1Password plugin.
- */
-export interface OnePasswordPluginOptionsType {
-  /** Service account token (can also be set via OP_SERVICE_ACCOUNT_TOKEN env var) */
-  service_account_token?: string | undefined;
-  /** Timeout for CLI operations in milliseconds (default: 30000) */
-  timeout?: number | undefined;
-  /** Whether to fail on missing secrets (default: true) */
-  fail_on_missing?: boolean | undefined;
-  /** Cluster-level defaults for vault */
-  cluster_defaults?: OnePasswordClusterDefaultsType | undefined;
-}
-/**
- * Parsed 1Password reference.
- */
-export interface OnePasswordRefType {
-  vault: string;
-  item: string;
-  section?: string | undefined;
-  field: string;
-}
-/**
- * Default timeout for 1Password CLI operations.
- */
-export const DEFAULT_TIMEOUT = 30000;
-/**
- * Parses a 1Password secret reference.
- * Format: op://vault/item[/section]/field
- */
-export function parse_onepassword_ref(ref: string): OnePasswordRefType | undefined {
-  // Match: op://vault/item/field or op://vault/item/section/field
-  const match = ref.match(/^op:\/\/([^/]+)\/([^/]+)\/(?:([^/]+)\/)?([^/]+)$/);
-  if (!match) {
-    return undefined;
-  }
-  const vault = match[1];
-  const item = match[2];
-  const section = match[3];
-  const field = match[4];
-  // If section is undefined, the field is in position 3
-  if (field === undefined) {
-    // When there's no section, match[3] contains the field
-    if (!vault || !item || !section) {
-      return undefined;
-    }
-    return {
-      vault,
-      item,
-      field: section,
-    };
-  }
-  if (!vault || !item || !field) {
-    return undefined;
-  }
-  return {
-    vault,
-    item,
-    section,
-    field,
-  };
-}