aquaman-plugin 0.11.2 → 0.11.4

package/src/commands.ts

@@ -1,306 +0,0 @@
-/**
- * Slash commands for the OpenClaw plugin
- *
- * Provides /aquaman commands for users to interact with the plugin.
- * Non-interactive commands execute the aquaman proxy binary directly.
- * Interactive commands (add) show instructions since slash commands
- * run in the chat UI where TTY is not available.
- */
-
-import type { ProxyManager } from './proxy-manager.js';
-import { execAquamanProxyCli, findAquamanProxyBinary } from './proxy-manager.js';
-import type { PluginConfig } from './config-schema.js';
-
-export interface CommandContext {
-  config: PluginConfig;
-  proxyManager?: ProxyManager;
-}
-
-export interface CommandResult {
-  success: boolean;
-  message: string;
-  data?: any;
-}
-
-/**
- * Plugin command definition for OpenClaw
- */
-export interface PluginCommand {
-  name: string;
-  description: string;
-  execute: (args: Record<string, string>) => Promise<string | object>;
-}
-
-/**
- * /aquaman status - Show plugin status
- */
-export async function statusCommand(ctx: CommandContext): Promise<CommandResult> {
-  const lines: string[] = [];
-  const cliInstalled = findAquamanProxyBinary() !== null;
-
-  lines.push('aquaman plugin status');
-  lines.push('');
-  lines.push(`Backend: ${ctx.config.backend || 'keychain'}`);
-  lines.push(`Services: ${(ctx.config.services || []).join(', ')}`);
-  lines.push(`Proxy binary: ${cliInstalled ? 'found' : 'NOT FOUND'}`);
-
-  if (ctx.proxyManager?.isRunning()) {
-    const info = ctx.proxyManager.getConnectionInfo();
-    lines.push('');
-    lines.push('Proxy Status: Running');
-    lines.push(`  Socket: ${info?.socketPath}`);
-  } else {
-    lines.push('');
-    lines.push('Proxy Status: Not running');
-    if (!cliInstalled) {
-      lines.push('');
-      lines.push('Setup: npm install -g aquaman-proxy && aquaman setup');
-    }
-  }
-
-  return {
-    success: true,
-    message: lines.join('\n')
-  };
-}
-
-/**
- * /aquaman add <service> - Add a credential (shows instructions — TTY not available in chat UI)
- */
-export async function addCommand(
-  _ctx: CommandContext,
-  service: string,
-  key: string = 'api_key'
-): Promise<CommandResult> {
-  return {
-    success: true,
-    message: `To add a credential for ${service}/${key}:\n\n` +
-      `Run: openclaw aquaman credentials add ${service} ${key}\n` +
-      `Or in terminal: aquaman credentials add ${service} ${key}`
-  };
-}
-
-/**
- * /aquaman list - List stored credentials
- */
-export async function listCommand(_ctx: CommandContext): Promise<CommandResult> {
-  try {
-    const result = await execAquamanProxyCli(['credentials', 'list']);
-    return { success: result.exitCode === 0, message: result.stdout || result.stderr };
-  } catch (err: any) {
-    return { success: false, message: `Failed: ${err.message}\n\nRun in terminal: aquaman credentials list` };
-  }
-}
-
-/**
- * /aquaman doctor - Run diagnostic checks
- */
-export async function doctorCommand(_ctx: CommandContext): Promise<CommandResult> {
-  try {
-    const result = await execAquamanProxyCli(['doctor']);
-    return { success: result.exitCode === 0, message: result.stdout || result.stderr };
-  } catch (err: any) {
-    return { success: false, message: `Failed: ${err.message}\n\nRun in terminal: aquaman doctor` };
-  }
-}
-
-/**
- * /aquaman logs - Show recent audit entries
- */
-export async function logsCommand(_ctx: CommandContext, count: number = 10): Promise<CommandResult> {
-  try {
-    const result = await execAquamanProxyCli(['audit', 'tail', '-n', String(count)]);
-    return { success: result.exitCode === 0, message: result.stdout || result.stderr };
-  } catch (err: any) {
-    return { success: false, message: `Failed: ${err.message}\n\nRun in terminal: aquaman audit tail` };
-  }
-}
-
-/**
- * /aquaman verify - Verify audit log integrity
- */
-export async function verifyCommand(_ctx: CommandContext): Promise<CommandResult> {
-  try {
-    const result = await execAquamanProxyCli(['audit', 'verify']);
-    return { success: result.exitCode === 0, message: result.stdout || result.stderr };
-  } catch (err: any) {
-    return { success: false, message: `Failed: ${err.message}\n\nRun in terminal: aquaman audit verify` };
-  }
-}
-
-/**
- * /aquaman policy - List policy rules
- */
-export async function policyListCommand(_ctx: CommandContext): Promise<CommandResult> {
-  try {
-    const result = await execAquamanProxyCli(['policy', 'list']);
-    return { success: result.exitCode === 0, message: result.stdout || result.stderr };
-  } catch (err: any) {
-    return { success: false, message: `Failed: ${err.message}\n\nRun in terminal: aquaman policy list` };
-  }
-}
-
-/**
- * /aquaman services - List configured services
- */
-export async function servicesListCommand(_ctx: CommandContext): Promise<CommandResult> {
-  try {
-    const result = await execAquamanProxyCli(['services', 'list']);
-    return { success: result.exitCode === 0, message: result.stdout || result.stderr };
-  } catch (err: any) {
-    return { success: false, message: `Failed: ${err.message}\n\nRun in terminal: aquaman services list` };
-  }
-}
-
-/**
- * Parse and execute a command
- */
-export async function executeCommand(
-  ctx: CommandContext,
-  command: string,
-  args: string[]
-): Promise<CommandResult> {
-  switch (command.toLowerCase()) {
-    case 'status':
-      return statusCommand(ctx);
-
-    case 'add':
-      if (args.length < 1) {
-        return { success: false, message: 'Usage: /aquaman add <service> [key]' };
-      }
-      return addCommand(ctx, args[0], args[1]);
-
-    case 'list':
-      return listCommand(ctx);
-
-    case 'doctor':
-      return doctorCommand(ctx);
-
-    case 'logs': {
-      const count = args[0] ? parseInt(args[0], 10) : 10;
-      return logsCommand(ctx, count);
-    }
-
-    case 'verify':
-      return verifyCommand(ctx);
-
-    case 'policy':
-      return policyListCommand(ctx);
-
-    case 'services':
-      return servicesListCommand(ctx);
-
-    case 'help':
-    default:
-      return {
-        success: true,
-        message: `aquaman plugin commands:
-
-  /aquaman status    - Show plugin and proxy status
-  /aquaman doctor    - Run diagnostic checks
-  /aquaman add       - Add a credential
-  /aquaman list      - List stored credentials
-  /aquaman policy    - List request policy rules
-  /aquaman services  - List configured services
-  /aquaman logs [n]  - Show recent audit entries
-  /aquaman verify    - Verify audit log integrity
-  /aquaman help      - Show this help message
-
-CLI commands (via terminal or openclaw aquaman <cmd>):
-
-  openclaw aquaman setup           - Run the setup wizard
-  openclaw aquaman doctor          - Diagnose issues
-  openclaw aquaman credentials list - List credentials
-  openclaw aquaman credentials add  - Add a credential (interactive)
-  openclaw aquaman policy-list     - Show policy rules
-  openclaw aquaman audit-tail      - Recent audit entries
-  openclaw aquaman services-list   - List services`
-      };
-  }
-}
-
-/**
- * Get available commands for OpenClaw to register
- */
-export function getAvailableCommands(ctx: CommandContext): PluginCommand[] {
-  return [
-    {
-      name: 'status',
-      description: 'Show aquaman plugin status',
-      execute: async () => {
-        const result = await statusCommand(ctx);
-        return result.message;
-      }
-    },
-    {
-      name: 'add',
-      description: 'Add a credential for a service',
-      execute: async (args) => {
-        const service = args.service || args._?.[0];
-        const key = args.key || args._?.[1] || 'api_key';
-        if (!service) {
-          return 'Usage: /aquaman add <service> [key]';
-        }
-        const result = await addCommand(ctx, service, key);
-        return result.message;
-      }
-    },
-    {
-      name: 'list',
-      description: 'List stored credentials',
-      execute: async () => {
-        const result = await listCommand(ctx);
-        return result.message;
-      }
-    },
-    {
-      name: 'doctor',
-      description: 'Run diagnostic checks',
-      execute: async () => {
-        const result = await doctorCommand(ctx);
-        return result.message;
-      }
-    },
-    {
-      name: 'policy',
-      description: 'List request policy rules',
-      execute: async () => {
-        const result = await policyListCommand(ctx);
-        return result.message;
-      }
-    },
-    {
-      name: 'services',
-      description: 'List configured services',
-      execute: async () => {
-        const result = await servicesListCommand(ctx);
-        return result.message;
-      }
-    },
-    {
-      name: 'logs',
-      description: 'Show recent audit log entries',
-      execute: async (args) => {
-        const count = args.count ? parseInt(args.count, 10) : 10;
-        const result = await logsCommand(ctx, count);
-        return result.message;
-      }
-    },
-    {
-      name: 'verify',
-      description: 'Verify audit log integrity',
-      execute: async () => {
-        const result = await verifyCommand(ctx);
-        return result.message;
-      }
-    },
-    {
-      name: 'help',
-      description: 'Show help for aquaman commands',
-      execute: async () => {
-        const result = await executeCommand(ctx, 'help', []);
-        return result.message;
-      }
-    }
-  ];
-}

package/src/config-schema.ts

@@ -1,68 +0,0 @@
-/**
- * TypeBox configuration schema for the OpenClaw plugin
- *
- * Defines the structure of plugin configuration in openclaw.json
- */
-
-import { Type, type Static } from '@sinclair/typebox';
-
-/**
- * Credential backend type
- */
-export const CredentialBackend = Type.Union([
-  Type.Literal('keychain'),
-  Type.Literal('1password'),
-  Type.Literal('vault'),
-  Type.Literal('encrypted-file'),
-  Type.Literal('keepassxc')
-], { default: 'keychain' });
-
-/**
- * Services to proxy
- */
-export const ProxiedServices = Type.Array(Type.String(), {
-  default: ['anthropic', 'openai']
-});
-
-/**
- * Complete plugin configuration schema
- */
-export const ConfigSchema = Type.Object({
-  // Credential backend
-  backend: Type.Optional(CredentialBackend),
-
-  // Services to proxy
-  services: Type.Optional(ProxiedServices),
-
-  // 1Password options
-  onePasswordVault: Type.Optional(Type.String()),
-  onePasswordAccount: Type.Optional(Type.String()),
-
-  // HashiCorp Vault options
-  vaultAddress: Type.Optional(Type.String({ format: 'uri' })),
-  vaultToken: Type.Optional(Type.String()),
-  vaultNamespace: Type.Optional(Type.String()),
-  vaultMountPath: Type.Optional(Type.String({ default: 'secret' })),
-});
-
-export type PluginConfig = Static<typeof ConfigSchema>;
-
-/**
- * Default configuration values
- */
-export const defaultConfig: PluginConfig = {
-  backend: 'keychain',
-  services: ['anthropic', 'openai'],
-  vaultMountPath: 'secret',
-};
-
-/**
- * Merge user config with defaults
- */
-export function mergeConfig(userConfig: Partial<PluginConfig>): PluginConfig {
-  return {
-    ...defaultConfig,
-    ...userConfig,
-    services: userConfig.services || defaultConfig.services
-  };
-}

package/src/http-interceptor.ts

@@ -1,176 +0,0 @@
-/**
- * HTTP interceptor for channel credential isolation.
- *
- * Overrides globalThis.fetch to redirect requests targeting known channel API
- * hosts through the aquaman credential proxy via Unix domain socket.
- * The proxy injects the real credentials, so the Gateway process never sees them.
- *
- * OpenClaw channels use globalThis.fetch (backed by undici) for all HTTP calls.
- * Many channel monitor functions also accept a `proxyFetch` parameter that
- * falls back to globalThis.fetch, so overriding it covers both paths.
- *
- * Uses sentinel hostname `aquaman.local` — SDK base URLs are set to
- * `http://aquaman.local/<service>` and the interceptor routes them through UDS.
- */
-
-import { Agent } from 'undici';
-
-/** Sentinel hostname used in SDK base URLs to route through UDS */
-const PROXY_HOST = 'aquaman.local';
-
-export interface HttpInterceptorOptions {
-  /** Unix domain socket path for the proxy */
-  socketPath: string;
-  /** Map of hostname (or *.domain wildcard) → service name */
-  hostMap: Map<string, string>;
-  /** Optional logger */
-  log?: (msg: string) => void;
-}
-
-export class HttpInterceptor {
-  private socketPath: string;
-  private hostMap: Map<string, string>;
-  private originalFetch: typeof globalThis.fetch | null = null;
-  private active = false;
-  private log: (msg: string) => void;
-  private socketAgent: Agent | null = null;
-
-  constructor(options: HttpInterceptorOptions) {
-    this.socketPath = options.socketPath;
-    this.hostMap = options.hostMap;
-    this.log = options.log || (() => {});
-  }
-
-  /**
-   * Activate the interceptor by replacing globalThis.fetch.
-   */
-  activate(): void {
-    if (this.active) return;
-
-    this.originalFetch = globalThis.fetch;
-    this.socketAgent = new Agent({ connect: { socketPath: this.socketPath } });
-
-    const origFetch = this.originalFetch;
-    const socketAgent = this.socketAgent;
-    const matchHost = this.matchHost.bind(this);
-    const extractUrl = this.extractUrl.bind(this);
-    const stripAuthHeaders = this.stripAuthHeaders.bind(this);
-    const logFn = this.log;
-
-    (globalThis as any).fetch = (
-      input: RequestInfo | URL,
-      init?: RequestInit
-    ): Promise<Response> => {
-      const url = extractUrl(input);
-      if (!url) {
-        return origFetch.call(globalThis, input, init);
-      }
-
-      // SDK traffic via env vars (hostname = aquaman.local) — route through UDS
-      if (url.hostname === PROXY_HOST) {
-        return origFetch.call(globalThis, input, { ...init, dispatcher: socketAgent } as any);
-      }
-
-      // Channel traffic — match against host map
-      const service = matchHost(url.hostname);
-      if (!service) {
-        return origFetch.call(globalThis, input, init);
-      }
-
-      // Rewrite the URL to go through the proxy
-      const proxyUrl = `http://${PROXY_HOST}/${service}${url.pathname}${url.search}`;
-      logFn(`[aquaman] Intercepted ${url.hostname}${url.pathname} → ${service}`);
-
-      // Strip any existing authorization headers — the proxy will inject the real ones
-      let newInit = init;
-      if (init?.headers) {
-        const stripped = stripAuthHeaders(init.headers);
-        newInit = { ...init, headers: stripped };
-      }
-
-      return origFetch.call(globalThis, proxyUrl, { ...newInit, redirect: 'manual', dispatcher: socketAgent } as any);
-    };
-
-    this.active = true;
-    this.log(`[aquaman] HTTP interceptor active for ${this.hostMap.size} host patterns`);
-  }
-
-  /**
-   * Deactivate the interceptor and restore the original fetch.
-   */
-  deactivate(): void {
-    if (!this.active || !this.originalFetch) return;
-
-    globalThis.fetch = this.originalFetch;
-    this.originalFetch = null;
-    this.active = false;
-
-    if (this.socketAgent) {
-      this.socketAgent.close();
-      this.socketAgent = null;
-    }
-
-    this.log('[aquaman] HTTP interceptor deactivated');
-  }
-
-  isActive(): boolean {
-    return this.active;
-  }
-
-  /**
-   * Match a hostname against the host map, supporting wildcard patterns.
-   */
-  matchHost(hostname: string): string | null {
-    // Direct match
-    const direct = this.hostMap.get(hostname);
-    if (direct) return direct;
-
-    // Wildcard match: *.example.com matches sub.example.com
-    for (const [pattern, service] of this.hostMap) {
-      if (pattern.startsWith('*.') && hostname.endsWith(pattern.slice(1))) {
-        return service;
-      }
-    }
-
-    return null;
-  }
-
-  private extractUrl(input: RequestInfo | URL): URL | null {
-    try {
-      if (input instanceof URL) return input;
-      if (typeof input === 'string') return new URL(input);
-      if (typeof input === 'object' && 'url' in input) return new URL(input.url);
-    } catch {
-      // Not a valid URL — pass through
-    }
-    return null;
-  }
-
-  private stripAuthHeaders(headers: HeadersInit): HeadersInit {
-    if (headers instanceof Headers) {
-      const h = new Headers(headers);
-      h.delete('authorization');
-      h.delete('x-api-key');
-      return h;
-    }
-
-    if (Array.isArray(headers)) {
-      return headers.filter(
-        ([key]) => key.toLowerCase() !== 'authorization' && key.toLowerCase() !== 'x-api-key'
-      );
-    }
-
-    // Plain object
-    const result: Record<string, string> = {};
-    for (const [key, value] of Object.entries(headers)) {
-      if (key.toLowerCase() !== 'authorization' && key.toLowerCase() !== 'x-api-key') {
-        result[key] = value;
-      }
-    }
-    return result;
-  }
-}
-
-export function createHttpInterceptor(options: HttpInterceptorOptions): HttpInterceptor {
-  return new HttpInterceptor(options);
-}

package/src/index.ts

@@ -1,62 +0,0 @@
-/**
- * aquaman-plugin - Credential isolation plugin for OpenClaw
- *
- * This package provides an OpenClaw plugin that enables:
- * - Secure credential storage using enterprise backends (Keychain, 1Password, Vault)
- * - Proxy mode: Separate process, credentials never in Gateway memory
- * - Hash-chained tamper-evident audit logs
- * - Slash commands for credential management
- *
- * Installation:
- *   npm install aquaman-plugin
- *
- * Configuration in openclaw.json:
- *   {
- *     "plugins": {
- *       "aquaman-plugin": {
- *         "backend": "keychain",
- *         "services": ["anthropic", "openai"]
- *       }
- *     }
- *   }
- */
-
-// Plugin
-export {
-  type AquamanPluginOptions,
-  AquamanPlugin,
-  createAquamanPlugin
-} from './plugin.js';
-
-// Config Schema
-export {
-  ConfigSchema,
-  CredentialBackend,
-  ProxiedServices,
-  type PluginConfig,
-  defaultConfig,
-  mergeConfig
-} from './config-schema.js';
-
-// Proxy Manager
-export {
-  type ProxyConnectionInfo,
-  type ProxyManagerOptions,
-  ProxyManager,
-  createProxyManager
-} from './proxy-manager.js';
-
-// Commands
-export {
-  type CommandContext,
-  type CommandResult,
-  statusCommand,
-  addCommand,
-  listCommand,
-  logsCommand,
-  verifyCommand,
-  executeCommand
-} from './commands.js';
-
-// Default export for OpenClaw plugin loading
-export { default } from './plugin.js';