aquaman-core 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 tech4242
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,51 @@
+# aquaman-core
+
+Core credential storage, audit logging, and crypto utilities for [aquaman](https://github.com/tech4242/aquaman).
+
+## What This Is
+
+`aquaman-core` provides the foundational building blocks for credential isolation:
+
+- **Credential backends** — Keychain (macOS), encrypted file (Linux/CI), 1Password, HashiCorp Vault
+- **Audit logger** — Hash-chained (SHA-256) tamper-evident logging with WAL-based crash recovery
+- **Crypto utilities** — Key derivation, AES-256-GCM encryption, hash chain verification
+
+## Installation
+
+```bash
+npm install aquaman-core
+```
+
+## Credential Backends
+
+| Backend | Platform | Use Case |
+|---------|----------|----------|
+| `keychain` | macOS | Local dev, personal machines |
+| `encrypted-file` | Linux, WSL2, CI/CD | Servers without native keyring |
+| `1password` | Any (via `op` CLI) | Team credential sharing |
+| `vault` | Any (via HTTP API) | Enterprise secrets management |
+
+## Usage
+
+```typescript
+import { createCredentialStore } from 'aquaman-core/credentials';
+import { AuditLogger } from 'aquaman-core/audit';
+
+// Create a credential store
+const store = await createCredentialStore({ backend: 'keychain' });
+await store.set('anthropic', 'api_key', 'sk-ant-...');
+const key = await store.get('anthropic', 'api_key');
+
+// Hash-chained audit logging
+const logger = new AuditLogger({ logDir: '~/.aquaman/audit' });
+await logger.log({ action: 'credential_access', service: 'anthropic' });
+await logger.verify(); // Verify chain integrity
+```
+
+## Documentation
+
+See the [main README](https://github.com/tech4242/aquaman#readme) for full documentation, architecture details, and configuration options.
+
+## License
+
+MIT

package/dist/audit/index.d.ts

@@ -0,0 +1,5 @@
+/**
+ * Audit logging module
+ */
+export { type AuditLoggerOptions, AuditLogger, createAuditLogger } from './logger.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/audit/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/audit/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EACL,KAAK,kBAAkB,EACvB,WAAW,EACX,iBAAiB,EAClB,MAAM,aAAa,CAAC"}

package/dist/audit/index.js

@@ -0,0 +1,5 @@
+/**
+ * Audit logging module
+ */
+export { AuditLogger, createAuditLogger } from './logger.js';
+//# sourceMappingURL=index.js.map

package/dist/audit/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/audit/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAEL,WAAW,EACX,iBAAiB,EAClB,MAAM,aAAa,CAAC"}

package/dist/audit/logger.d.ts

@@ -0,0 +1,48 @@
+/**
+ * Hash-chained audit logger with tamper-evident storage
+ *
+ * Provides cryptographic integrity verification for audit logs.
+ * Note: Credential redaction is handled by OpenClaw's built-in redaction.
+ */
+import type { AuditEntry, CredentialAccess } from '../types.js';
+export interface AuditLoggerOptions {
+    logDir: string;
+    enabled?: boolean;
+    walEnabled?: boolean;
+}
+export declare class AuditLogger {
+    private logDir;
+    private currentLogPath;
+    private walPath;
+    private enabled;
+    private walEnabled;
+    private lastHash;
+    private entryCount;
+    private initialized;
+    constructor(options: AuditLoggerOptions);
+    initialize(): Promise<void>;
+    private recoverState;
+    private recoverFromWal;
+    logToolCall(sessionId: string, agentId: string, tool: string, params: Record<string, unknown>): Promise<AuditEntry | null>;
+    logToolResult(sessionId: string, agentId: string, toolCallId: string, result: unknown, error?: string): Promise<AuditEntry | null>;
+    logCredentialAccess(sessionId: string, agentId: string, access: CredentialAccess): Promise<AuditEntry | null>;
+    private writeEntry;
+    verifyIntegrity(): Promise<{
+        valid: boolean;
+        errors: string[];
+    }>;
+    getEntries(options?: {
+        limit?: number;
+        offset?: number;
+        type?: AuditEntry['type'];
+        sessionId?: string;
+    }): Promise<AuditEntry[]>;
+    tail(count?: number): Promise<AuditEntry[]>;
+    getStats(): {
+        entryCount: number;
+        lastHash: string;
+    };
+    rotateLog(): Promise<string>;
+}
+export declare function createAuditLogger(options: AuditLoggerOptions): AuditLogger;
+//# sourceMappingURL=logger.d.ts.map

package/dist/audit/logger.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"logger.d.ts","sourceRoot":"","sources":["../../src/audit/logger.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAMH,OAAO,KAAK,EACV,UAAU,EAGV,gBAAgB,EACjB,MAAM,aAAa,CAAC;AAIrB,MAAM,WAAW,kBAAkB;IACjC,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,UAAU,CAAC,EAAE,OAAO,CAAC;CACtB;AAED,qBAAa,WAAW;IACtB,OAAO,CAAC,MAAM,CAAS;IACvB,OAAO,CAAC,cAAc,CAAS;IAC/B,OAAO,CAAC,OAAO,CAAS;IACxB,OAAO,CAAC,OAAO,CAAU;IACzB,OAAO,CAAC,UAAU,CAAU;IAC5B,OAAO,CAAC,QAAQ,CAAwB;IACxC,OAAO,CAAC,UAAU,CAAa;IAC/B,OAAO,CAAC,WAAW,CAAkB;gBAEzB,OAAO,EAAE,kBAAkB;IAQjC,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC;YA2BnB,YAAY;YAyBZ,cAAc;IAwBtB,WAAW,CACf,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,MAAM,EACf,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC9B,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC;IAevB,aAAa,CACjB,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,MAAM,EACf,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE,OAAO,EACf,KAAK,CAAC,EAAE,MAAM,GACb,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC;IAcvB,mBAAmB,CACvB,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,MAAM,EACf,MAAM,EAAE,gBAAgB,GACvB,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC;YAKf,UAAU;IAiDlB,eAAe,IAAI,OAAO,CAAC;QAAE,KAAK,EAAE,OAAO,CAAC;QAAC,MAAM,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC;IA4ChE,UAAU,CAAC,OAAO,CAAC,EAAE;QACzB,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,IAAI,CAAC,EAAE,UAAU,CAAC,MAAM,CAAC,CAAC;QAC1B,SAAS,CAAC,EAAE,MAAM,CAAC;KACpB,GAAG,OAAO,CAAC,UAAU,EAAE,CAAC;IAyBnB,IAAI,CAAC,KAAK,GAAE,MAAW,GAAG,OAAO,CAAC,UAAU,EAAE,CAAC;IAKrD,QAAQ,IAAI;QAAE,UAAU,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAE;IAO9C,SAAS,IAAI,OAAO,CAAC,MAAM,CAAC;CAiBnC;AAED,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,kBAAkB,GAAG,WAAW,CAE1E"}

package/dist/audit/logger.js

@@ -0,0 +1,237 @@
+/**
+ * Hash-chained audit logger with tamper-evident storage
+ *
+ * Provides cryptographic integrity verification for audit logs.
+ * Note: Credential redaction is handled by OpenClaw's built-in redaction.
+ */
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import { computeChainedHash, generateId } from '../utils/hash.js';
+import { expandPath } from '../utils/config.js';
+const GENESIS_HASH = '0000000000000000000000000000000000000000000000000000000000000000';
+export class AuditLogger {
+    logDir;
+    currentLogPath;
+    walPath;
+    enabled;
+    walEnabled;
+    lastHash = GENESIS_HASH;
+    entryCount = 0;
+    initialized = false;
+    constructor(options) {
+        this.logDir = expandPath(options.logDir);
+        this.currentLogPath = path.join(this.logDir, 'current.jsonl');
+        this.walPath = path.join(this.logDir, 'current.wal');
+        this.enabled = options.enabled ?? true;
+        this.walEnabled = options.walEnabled ?? true;
+    }
+    async initialize() {
+        if (this.initialized)
+            return;
+        if (!this.enabled) {
+            this.initialized = true;
+            return;
+        }
+        // Ensure directories exist
+        const archiveDir = path.join(this.logDir, 'archive');
+        const integrityDir = path.join(this.logDir, 'integrity');
+        fs.mkdirSync(this.logDir, { recursive: true });
+        fs.mkdirSync(archiveDir, { recursive: true });
+        fs.mkdirSync(integrityDir, { recursive: true });
+        // Recover state from existing log
+        await this.recoverState();
+        // Recover from WAL if present
+        if (this.walEnabled) {
+            await this.recoverFromWal();
+        }
+        this.initialized = true;
+    }
+    async recoverState() {
+        if (!fs.existsSync(this.currentLogPath)) {
+            return;
+        }
+        const content = fs.readFileSync(this.currentLogPath, 'utf-8');
+        const lines = content.trim().split('\n').filter(line => line.length > 0);
+        if (lines.length === 0) {
+            return;
+        }
+        this.entryCount = lines.length;
+        // Get the hash of the last entry
+        const lastLine = lines[lines.length - 1];
+        try {
+            const lastEntry = JSON.parse(lastLine);
+            this.lastHash = lastEntry.hash;
+        }
+        catch {
+            // If we can't parse the last line, start fresh with integrity warning
+            console.error('Warning: Could not parse last audit entry, integrity may be compromised');
+        }
+    }
+    async recoverFromWal() {
+        if (!fs.existsSync(this.walPath)) {
+            return;
+        }
+        const walContent = fs.readFileSync(this.walPath, 'utf-8');
+        const lines = walContent.trim().split('\n').filter(line => line.length > 0);
+        for (const line of lines) {
+            try {
+                const entry = JSON.parse(line);
+                // Write to main log
+                fs.appendFileSync(this.currentLogPath, JSON.stringify(entry) + '\n');
+                this.lastHash = entry.hash;
+                this.entryCount++;
+            }
+            catch {
+                console.error('Warning: Could not recover WAL entry');
+            }
+        }
+        // Clear WAL after recovery
+        fs.writeFileSync(this.walPath, '');
+    }
+    async logToolCall(sessionId, agentId, tool, params) {
+        if (!this.enabled)
+            return null;
+        const toolCall = {
+            id: generateId(),
+            sessionId,
+            agentId,
+            tool,
+            params,
+            timestamp: new Date()
+        };
+        return this.writeEntry('tool_call', sessionId, agentId, toolCall);
+    }
+    async logToolResult(sessionId, agentId, toolCallId, result, error) {
+        if (!this.enabled)
+            return null;
+        const toolResult = {
+            id: generateId(),
+            toolCallId,
+            result,
+            error,
+            timestamp: new Date()
+        };
+        return this.writeEntry('tool_result', sessionId, agentId, toolResult);
+    }
+    async logCredentialAccess(sessionId, agentId, access) {
+        if (!this.enabled)
+            return null;
+        return this.writeEntry('credential_access', sessionId, agentId, access);
+    }
+    async writeEntry(type, sessionId, agentId, data) {
+        if (!this.initialized) {
+            await this.initialize();
+        }
+        const entry = {
+            id: generateId(),
+            timestamp: new Date(),
+            type,
+            sessionId,
+            agentId,
+            data,
+            previousHash: this.lastHash,
+            hash: '' // Will be computed below
+        };
+        // Compute hash including previous hash for chain integrity
+        const entryData = JSON.stringify({
+            ...entry,
+            hash: undefined
+        });
+        entry.hash = computeChainedHash(entryData, this.lastHash);
+        const line = JSON.stringify(entry) + '\n';
+        // Write to WAL first (for crash recovery)
+        if (this.walEnabled) {
+            fs.appendFileSync(this.walPath, line);
+        }
+        // Write to main log
+        fs.appendFileSync(this.currentLogPath, line);
+        // Clear WAL entry after successful write
+        if (this.walEnabled) {
+            fs.writeFileSync(this.walPath, '');
+        }
+        this.lastHash = entry.hash;
+        this.entryCount++;
+        return entry;
+    }
+    async verifyIntegrity() {
+        const errors = [];
+        if (!fs.existsSync(this.currentLogPath)) {
+            return { valid: true, errors: [] };
+        }
+        const content = fs.readFileSync(this.currentLogPath, 'utf-8');
+        const lines = content.trim().split('\n').filter(line => line.length > 0);
+        let previousHash = GENESIS_HASH;
+        for (let i = 0; i < lines.length; i++) {
+            try {
+                const entry = JSON.parse(lines[i]);
+                // Verify previous hash reference
+                if (entry.previousHash !== previousHash) {
+                    errors.push(`Entry ${i}: previousHash mismatch (expected ${previousHash}, got ${entry.previousHash})`);
+                }
+                // Verify entry hash
+                const entryData = JSON.stringify({
+                    ...entry,
+                    hash: undefined
+                });
+                const expectedHash = computeChainedHash(entryData, entry.previousHash);
+                if (entry.hash !== expectedHash) {
+                    errors.push(`Entry ${i}: hash mismatch (expected ${expectedHash}, got ${entry.hash})`);
+                }
+                previousHash = entry.hash;
+            }
+            catch (parseError) {
+                errors.push(`Entry ${i}: failed to parse JSON`);
+            }
+        }
+        return {
+            valid: errors.length === 0,
+            errors
+        };
+    }
+    async getEntries(options) {
+        if (!fs.existsSync(this.currentLogPath)) {
+            return [];
+        }
+        const content = fs.readFileSync(this.currentLogPath, 'utf-8');
+        const lines = content.trim().split('\n').filter(line => line.length > 0);
+        let entries = lines.map(line => JSON.parse(line));
+        // Apply filters
+        if (options?.type) {
+            entries = entries.filter(e => e.type === options.type);
+        }
+        if (options?.sessionId) {
+            entries = entries.filter(e => e.sessionId === options.sessionId);
+        }
+        // Apply pagination
+        const offset = options?.offset ?? 0;
+        const limit = options?.limit ?? entries.length;
+        return entries.slice(offset, offset + limit);
+    }
+    async tail(count = 10) {
+        const entries = await this.getEntries();
+        return entries.slice(-count);
+    }
+    getStats() {
+        return {
+            entryCount: this.entryCount,
+            lastHash: this.lastHash
+        };
+    }
+    async rotateLog() {
+        if (!fs.existsSync(this.currentLogPath)) {
+            throw new Error('No log file to rotate');
+        }
+        const archiveDir = path.join(this.logDir, 'archive');
+        const timestamp = new Date().toISOString().replace(/[:.]/g, '-');
+        const archivePath = path.join(archiveDir, `audit-${timestamp}.jsonl`);
+        fs.renameSync(this.currentLogPath, archivePath);
+        // Reset state for new log
+        this.lastHash = GENESIS_HASH;
+        this.entryCount = 0;
+        return archivePath;
+    }
+}
+export function createAuditLogger(options) {
+    return new AuditLogger(options);
+}
+//# sourceMappingURL=logger.js.map

package/dist/audit/logger.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"logger.js","sourceRoot":"","sources":["../../src/audit/logger.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,EAAE,kBAAkB,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAClE,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAQhD,MAAM,YAAY,GAAG,kEAAkE,CAAC;AAQxF,MAAM,OAAO,WAAW;IACd,MAAM,CAAS;IACf,cAAc,CAAS;IACvB,OAAO,CAAS;IAChB,OAAO,CAAU;IACjB,UAAU,CAAU;IACpB,QAAQ,GAAW,YAAY,CAAC;IAChC,UAAU,GAAW,CAAC,CAAC;IACvB,WAAW,GAAY,KAAK,CAAC;IAErC,YAAY,OAA2B;QACrC,IAAI,CAAC,MAAM,GAAG,UAAU,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QACzC,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,eAAe,CAAC,CAAC;QAC9D,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,aAAa,CAAC,CAAC;QACrD,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,IAAI,CAAC;QACvC,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,IAAI,CAAC;IAC/C,CAAC;IAED,KAAK,CAAC,UAAU;QACd,IAAI,IAAI,CAAC,WAAW;YAAE,OAAO;QAE7B,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;YAClB,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC;YACxB,OAAO;QACT,CAAC;QAED,2BAA2B;QAC3B,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;QACrD,MAAM,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;QAEzD,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC/C,EAAE,CAAC,SAAS,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC9C,EAAE,CAAC,SAAS,CAAC,YAAY,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAEhD,kCAAkC;QAClC,MAAM,IAAI,CAAC,YAAY,EAAE,CAAC;QAE1B,8BAA8B;QAC9B,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;YACpB,MAAM,IAAI,CAAC,cAAc,EAAE,CAAC;QAC9B,CAAC;QAED,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC;IAC1B,CAAC;IAEO,KAAK,CAAC,YAAY;QACxB,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,cAAc,CAAC,EAAE,CAAC;YACxC,OAAO;QACT,CAAC;QAED,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,cAAc,EAAE,OAAO,CAAC,CAAC;QAC9D,MAAM,KAAK,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;QAEzE,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,OAAO;QACT,CAAC;QAED,IAAI,CAAC,UAAU,GAAG,KAAK,CAAC,MAAM,CAAC;QAE/B,iCAAiC;QACjC,MAAM,QAAQ,GAAG,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;QACzC,IAAI,CAAC;YACH,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAe,CAAC;YACrD,IAAI,CAAC,QAAQ,GAAG,SAAS,CAAC,IAAI,CAAC;QACjC,CAAC;QAAC,MAAM,CAAC;YACP,sEAAsE;YACtE,OAAO,CAAC,KAAK,CAAC,yEAAyE,CAAC,CAAC;QAC3F,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,cAAc;QAC1B,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YACjC,OAAO;QACT,CAAC;QAED,MAAM,UAAU,GAAG,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QAC1D,MAAM,KAAK,GAAG,UAAU,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;QAE5E,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,IAAI,CAAC;gBACH,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAe,CAAC;gBAC7C,oBAAoB;gBACpB,EAAE,CAAC,cAAc,CAAC,IAAI,CAAC,cAAc,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,GAAG,IAAI,CAAC,CAAC;gBACrE,IAAI,CAAC,QAAQ,GAAG,KAAK,CAAC,IAAI,CAAC;gBAC3B,IAAI,CAAC,UAAU,EAAE,CAAC;YACpB,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,CAAC,KAAK,CAAC,sCAAsC,CAAC,CAAC;YACxD,CAAC;QACH,CAAC;QAED,2BAA2B;QAC3B,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;IACrC,CAAC;IAED,KAAK,CAAC,WAAW,CACf,SAAiB,EACjB,OAAe,EACf,IAAY,EACZ,MAA+B;QAE/B,IAAI,CAAC,IAAI,CAAC,OAAO;YAAE,OAAO,IAAI,CAAC;QAE/B,MAAM,QAAQ,GAAa;YACzB,EAAE,EAAE,UAAU,EAAE;YAChB,SAAS;YACT,OAAO;YACP,IAAI;YACJ,MAAM;YACN,SAAS,EAAE,IAAI,IAAI,EAAE;SACtB,CAAC;QAEF,OAAO,IAAI,CAAC,UAAU,CAAC,WAAW,EAAE,SAAS,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IACpE,CAAC;IAED,KAAK,CAAC,aAAa,CACjB,SAAiB,EACjB,OAAe,EACf,UAAkB,EAClB,MAAe,EACf,KAAc;QAEd,IAAI,CAAC,IAAI,CAAC,OAAO;YAAE,OAAO,IAAI,CAAC;QAE/B,MAAM,UAAU,GAAe;YAC7B,EAAE,EAAE,UAAU,EAAE;YAChB,UAAU;YACV,MAAM;YACN,KAAK;YACL,SAAS,EAAE,IAAI,IAAI,EAAE;SACtB,CAAC;QAEF,OAAO,IAAI,CAAC,UAAU,CAAC,aAAa,EAAE,SAAS,EAAE,OAAO,EAAE,UAAU,CAAC,CAAC;IACxE,CAAC;IAED,KAAK,CAAC,mBAAmB,CACvB,SAAiB,EACjB,OAAe,EACf,MAAwB;QAExB,IAAI,CAAC,IAAI,CAAC,OAAO;YAAE,OAAO,IAAI,CAAC;QAC/B,OAAO,IAAI,CAAC,UAAU,CAAC,mBAAmB,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC;IAC1E,CAAC;IAEO,KAAK,CAAC,UAAU,CACtB,IAAwB,EACxB,SAAiB,EACjB,OAAe,EACf,IAAwB;QAExB,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;YACtB,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC;QAC1B,CAAC;QAED,MAAM,KAAK,GAAe;YACxB,EAAE,EAAE,UAAU,EAAE;YAChB,SAAS,EAAE,IAAI,IAAI,EAAE;YACrB,IAAI;YACJ,SAAS;YACT,OAAO;YACP,IAAI;YACJ,YAAY,EAAE,IAAI,CAAC,QAAQ;YAC3B,IAAI,EAAE,EAAE,CAAC,yBAAyB;SACnC,CAAC;QAEF,2DAA2D;QAC3D,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC;YAC/B,GAAG,KAAK;YACR,IAAI,EAAE,SAAS;SAChB,CAAC,CAAC;QACH,KAAK,CAAC,IAAI,GAAG,kBAAkB,CAAC,SAAS,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC;QAE1D,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,GAAG,IAAI,CAAC;QAE1C,0CAA0C;QAC1C,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;YACpB,EAAE,CAAC,cAAc,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;QACxC,CAAC;QAED,oBAAoB;QACpB,EAAE,CAAC,cAAc,CAAC,IAAI,CAAC,cAAc,EAAE,IAAI,CAAC,CAAC;QAE7C,yCAAyC;QACzC,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;YACpB,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;QACrC,CAAC;QAED,IAAI,CAAC,QAAQ,GAAG,KAAK,CAAC,IAAI,CAAC;QAC3B,IAAI,CAAC,UAAU,EAAE,CAAC;QAElB,OAAO,KAAK,CAAC;IACf,CAAC;IAED,KAAK,CAAC,eAAe;QACnB,MAAM,MAAM,GAAa,EAAE,CAAC;QAE5B,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,cAAc,CAAC,EAAE,CAAC;YACxC,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC;QACrC,CAAC;QAED,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,cAAc,EAAE,OAAO,CAAC,CAAC;QAC9D,MAAM,KAAK,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;QAEzE,IAAI,YAAY,GAAG,YAAY,CAAC;QAEhC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,IAAI,CAAC;gBACH,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAe,CAAC;gBAEjD,iCAAiC;gBACjC,IAAI,KAAK,CAAC,YAAY,KAAK,YAAY,EAAE,CAAC;oBACxC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,qCAAqC,YAAY,SAAS,KAAK,CAAC,YAAY,GAAG,CAAC,CAAC;gBACzG,CAAC;gBAED,oBAAoB;gBACpB,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC;oBAC/B,GAAG,KAAK;oBACR,IAAI,EAAE,SAAS;iBAChB,CAAC,CAAC;gBACH,MAAM,YAAY,GAAG,kBAAkB,CAAC,SAAS,EAAE,KAAK,CAAC,YAAY,CAAC,CAAC;gBAEvE,IAAI,KAAK,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;oBAChC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,6BAA6B,YAAY,SAAS,KAAK,CAAC,IAAI,GAAG,CAAC,CAAC;gBACzF,CAAC;gBAED,YAAY,GAAG,KAAK,CAAC,IAAI,CAAC;YAC5B,CAAC;YAAC,OAAO,UAAU,EAAE,CAAC;gBACpB,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,wBAAwB,CAAC,CAAC;YAClD,CAAC;QACH,CAAC;QAED,OAAO;YACL,KAAK,EAAE,MAAM,CAAC,MAAM,KAAK,CAAC;YAC1B,MAAM;SACP,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,OAKhB;QACC,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,cAAc,CAAC,EAAE,CAAC;YACxC,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,cAAc,EAAE,OAAO,CAAC,CAAC;QAC9D,MAAM,KAAK,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;QAEzE,IAAI,OAAO,GAAiB,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAe,CAAC,CAAC;QAE9E,gBAAgB;QAChB,IAAI,OAAO,EAAE,IAAI,EAAE,CAAC;YAClB,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;QACzD,CAAC;QACD,IAAI,OAAO,EAAE,SAAS,EAAE,CAAC;YACvB,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,SAAS,KAAK,OAAO,CAAC,SAAS,CAAC,CAAC;QACnE,CAAC;QAED,mBAAmB;QACnB,MAAM,MAAM,GAAG,OAAO,EAAE,MAAM,IAAI,CAAC,CAAC;QACpC,MAAM,KAAK,GAAG,OAAO,EAAE,KAAK,IAAI,OAAO,CAAC,MAAM,CAAC;QAE/C,OAAO,OAAO,CAAC,KAAK,CAAC,MAAM,EAAE,MAAM,GAAG,KAAK,CAAC,CAAC;IAC/C,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,QAAgB,EAAE;QAC3B,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC;QACxC,OAAO,OAAO,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC;IAC/B,CAAC;IAED,QAAQ;QACN,OAAO;YACL,UAAU,EAAE,IAAI,CAAC,UAAU;YAC3B,QAAQ,EAAE,IAAI,CAAC,QAAQ;SACxB,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,SAAS;QACb,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,cAAc,CAAC,EAAE,CAAC;YACxC,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;QAC3C,CAAC;QAED,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;QACrD,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;QACjE,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,SAAS,SAAS,QAAQ,CAAC,CAAC;QAEtE,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,cAAc,EAAE,WAAW,CAAC,CAAC;QAEhD,0BAA0B;QAC1B,IAAI,CAAC,QAAQ,GAAG,YAAY,CAAC;QAC7B,IAAI,CAAC,UAAU,GAAG,CAAC,CAAC;QAEpB,OAAO,WAAW,CAAC;IACrB,CAAC;CACF;AAED,MAAM,UAAU,iBAAiB,CAAC,OAA2B;IAC3D,OAAO,IAAI,WAAW,CAAC,OAAO,CAAC,CAAC;AAClC,CAAC"}

package/dist/credentials/backends/onepassword.d.ts

@@ -0,0 +1,38 @@
+/**
+ * 1Password credential backend using the `op` CLI
+ * Requires: 1Password CLI installed and signed in
+ */
+import type { CredentialStore } from '../store.js';
+export interface OnePasswordStoreOptions {
+    vault?: string;
+    account?: string;
+}
+export declare class OnePasswordStore implements CredentialStore {
+    private vault;
+    private account?;
+    private opPath;
+    constructor(options?: OnePasswordStoreOptions);
+    private validateOpCli;
+    private runOp;
+    private getItemName;
+    private parseItemName;
+    private ensureVaultExists;
+    get(service: string, key: string): Promise<string | null>;
+    set(service: string, key: string, value: string, metadata?: Record<string, string>): Promise<void>;
+    delete(service: string, key: string): Promise<boolean>;
+    list(service?: string): Promise<Array<{
+        service: string;
+        key: string;
+    }>>;
+    exists(service: string, key: string): Promise<boolean>;
+    /**
+     * Get the vault name being used
+     */
+    getVault(): string;
+    /**
+     * Check if 1Password CLI is available and signed in
+     */
+    static isAvailable(): boolean;
+}
+export declare function createOnePasswordStore(options?: OnePasswordStoreOptions): OnePasswordStore;
+//# sourceMappingURL=onepassword.d.ts.map

package/dist/credentials/backends/onepassword.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"onepassword.d.ts","sourceRoot":"","sources":["../../../src/credentials/backends/onepassword.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAEnD,MAAM,WAAW,uBAAuB;IACtC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAKD,qBAAa,gBAAiB,YAAW,eAAe;IACtD,OAAO,CAAC,KAAK,CAAS;IACtB,OAAO,CAAC,OAAO,CAAC,CAAS;IACzB,OAAO,CAAC,MAAM,CAAuB;gBAEzB,OAAO,CAAC,EAAE,uBAAuB;IAM7C,OAAO,CAAC,aAAa;IAoBrB,OAAO,CAAC,KAAK;IAyBb,OAAO,CAAC,WAAW;IAInB,OAAO,CAAC,aAAa;IAcrB,OAAO,CAAC,iBAAiB;IAcnB,GAAG,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAsBzD,GAAG,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC;IAsClG,MAAM,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAiBtD,IAAI,CAAC,OAAO,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,KAAK,CAAC;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,GAAG,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAiCxE,MAAM,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAK5D;;OAEG;IACH,QAAQ,IAAI,MAAM;IAIlB;;OAEG;IACH,MAAM,CAAC,WAAW,IAAI,OAAO;CAa9B;AAED,wBAAgB,sBAAsB,CAAC,OAAO,CAAC,EAAE,uBAAuB,GAAG,gBAAgB,CAE1F"}

package/dist/credentials/backends/onepassword.js

@@ -0,0 +1,218 @@
+/**
+ * 1Password credential backend using the `op` CLI
+ * Requires: 1Password CLI installed and signed in
+ */
+import { spawnSync } from 'node:child_process';
+const DEFAULT_VAULT = 'aquaman';
+const ITEM_PREFIX = 'aquaman';
+export class OnePasswordStore {
+    vault;
+    account;
+    opPath = null;
+    constructor(options) {
+        this.vault = options?.vault || DEFAULT_VAULT;
+        this.account = options?.account;
+        this.validateOpCli();
+    }
+    validateOpCli() {
+        // Check if op CLI is installed
+        try {
+            const result = spawnSync('which', ['op'], { encoding: 'utf-8' });
+            if (result.status !== 0) {
+                throw new Error('1Password CLI (op) not found. Install from: https://1password.com/downloads/command-line/');
+            }
+            this.opPath = result.stdout.trim();
+        }
+        catch {
+            throw new Error('1Password CLI (op) not found. Install from: https://1password.com/downloads/command-line/');
+        }
+        // Check if signed in
+        try {
+            this.runOp(['account', 'get']);
+        }
+        catch (error) {
+            throw new Error('Not signed in to 1Password. Run: op signin');
+        }
+    }
+    runOp(args, input) {
+        const accountArgs = this.account ? ['--account', this.account] : [];
+        const fullArgs = [...args, ...accountArgs];
+        try {
+            const result = spawnSync('op', fullArgs, {
+                encoding: 'utf-8',
+                input,
+                maxBuffer: 10 * 1024 * 1024
+            });
+            if (result.status !== 0) {
+                const error = result.stderr || result.stdout || 'Unknown error';
+                throw new Error(`op command failed: ${error}`);
+            }
+            return result.stdout;
+        }
+        catch (error) {
+            if (error instanceof Error && error.message.includes('op command failed')) {
+                throw error;
+            }
+            throw new Error(`Failed to run op command: ${error}`);
+        }
+    }
+    getItemName(service, key) {
+        return `${ITEM_PREFIX}-${service}-${key}`;
+    }
+    parseItemName(itemName) {
+        if (!itemName.startsWith(`${ITEM_PREFIX}-`)) {
+            return null;
+        }
+        const parts = itemName.slice(ITEM_PREFIX.length + 1).split('-');
+        if (parts.length < 2) {
+            return null;
+        }
+        // Handle service names with dashes by taking first part as service
+        const service = parts[0];
+        const key = parts.slice(1).join('-');
+        return { service, key };
+    }
+    ensureVaultExists() {
+        try {
+            this.runOp(['vault', 'get', this.vault]);
+        }
+        catch {
+            // Vault doesn't exist, create it
+            try {
+                this.runOp(['vault', 'create', this.vault]);
+                console.log(`Created 1Password vault: ${this.vault}`);
+            }
+            catch (createError) {
+                throw new Error(`Failed to create vault "${this.vault}": ${createError}`);
+            }
+        }
+    }
+    async get(service, key) {
+        const itemName = this.getItemName(service, key);
+        try {
+            const result = this.runOp([
+                'item', 'get', itemName,
+                '--vault', this.vault,
+                '--fields', 'credential',
+                '--format', 'json'
+            ]);
+            const parsed = JSON.parse(result);
+            return parsed.value || null;
+        }
+        catch (error) {
+            // Item not found is not an error
+            if (error instanceof Error && error.message.includes('not found')) {
+                return null;
+            }
+            throw error;
+        }
+    }
+    async set(service, key, value, metadata) {
+        this.ensureVaultExists();
+        const itemName = this.getItemName(service, key);
+        const tags = [ITEM_PREFIX, service];
+        // Check if item already exists
+        const existing = await this.get(service, key);
+        if (existing !== null) {
+            // Update existing item
+            this.runOp([
+                'item', 'edit', itemName,
+                '--vault', this.vault,
+                `credential=${value}`
+            ]);
+        }
+        else {
+            // Create new item
+            const createArgs = [
+                'item', 'create',
+                '--category', 'API Credential',
+                '--vault', this.vault,
+                '--title', itemName,
+                `credential=${value}`,
+                '--tags', tags.join(',')
+            ];
+            // Add metadata as fields
+            if (metadata) {
+                for (const [k, v] of Object.entries(metadata)) {
+                    createArgs.push(`${k}=${v}`);
+                }
+            }
+            this.runOp(createArgs);
+        }
+    }
+    async delete(service, key) {
+        const itemName = this.getItemName(service, key);
+        try {
+            this.runOp([
+                'item', 'delete', itemName,
+                '--vault', this.vault
+            ]);
+            return true;
+        }
+        catch (error) {
+            if (error instanceof Error && error.message.includes('not found')) {
+                return false;
+            }
+            throw error;
+        }
+    }
+    async list(service) {
+        try {
+            const listArgs = [
+                'item', 'list',
+                '--vault', this.vault,
+                '--tags', service ? `${ITEM_PREFIX},${service}` : ITEM_PREFIX,
+                '--format', 'json'
+            ];
+            const result = this.runOp(listArgs);
+            const items = JSON.parse(result);
+            const credentials = [];
+            for (const item of items) {
+                const parsed = this.parseItemName(item.title);
+                if (parsed) {
+                    if (!service || parsed.service === service) {
+                        credentials.push(parsed);
+                    }
+                }
+            }
+            return credentials;
+        }
+        catch (error) {
+            // Vault might not exist yet
+            if (error instanceof Error && error.message.includes('not found')) {
+                return [];
+            }
+            throw error;
+        }
+    }
+    async exists(service, key) {
+        const value = await this.get(service, key);
+        return value !== null;
+    }
+    /**
+     * Get the vault name being used
+     */
+    getVault() {
+        return this.vault;
+    }
+    /**
+     * Check if 1Password CLI is available and signed in
+     */
+    static isAvailable() {
+        try {
+            const whichResult = spawnSync('which', ['op'], { encoding: 'utf-8' });
+            if (whichResult.status !== 0) {
+                return false;
+            }
+            const accountResult = spawnSync('op', ['account', 'get'], { encoding: 'utf-8' });
+            return accountResult.status === 0;
+        }
+        catch {
+            return false;
+        }
+    }
+}
+export function createOnePasswordStore(options) {
+    return new OnePasswordStore(options);
+}
+//# sourceMappingURL=onepassword.js.map