npm - aquaman-plugin - Versions diffs - 0.5.1 → 0.7.0 - Mend

aquaman-plugin 0.5.1 → 0.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

package/src/commands.ts CHANGED Viewed

@@ -4,13 +4,11 @@
  * Provides /aquaman commands for users to interact with the plugin.
  */
-import type { EmbeddedMode } from './embedded.js';
 import type { ProxyManager } from './proxy-manager.js';
 import type { PluginConfig } from './config-schema.js';
 export interface CommandContext {
   config: PluginConfig;
-  embeddedMode?: EmbeddedMode;
   proxyManager?: ProxyManager;
 }
@@ -37,43 +35,17 @@ export async function statusCommand(ctx: CommandContext): Promise<CommandResult>
   lines.push('aquaman plugin status');
   lines.push('');
-  lines.push(`Mode: ${ctx.config.mode || 'embedded'}`);
   lines.push(`Backend: ${ctx.config.backend || 'keychain'}`);
   lines.push(`Services: ${(ctx.config.services || []).join(', ')}`);
-  if (ctx.config.mode === 'proxy') {
-    if (ctx.proxyManager?.isRunning()) {
-      const info = ctx.proxyManager.getConnectionInfo();
-      lines.push('');
-      lines.push('Proxy Status: Running');
-      lines.push(`  URL: ${info?.baseUrl}`);
-      lines.push(`  Port: ${info?.port}`);
-      lines.push(`  Protocol: ${info?.protocol}`);
-    } else {
-      lines.push('');
-      lines.push('Proxy Status: Not running');
-    }
-  } else if (ctx.embeddedMode) {
-    const status = ctx.embeddedMode.getStatus();
+  if (ctx.proxyManager?.isRunning()) {
+    const info = ctx.proxyManager.getConnectionInfo();
     lines.push('');
-    lines.push('Embedded Mode Status:');
-    lines.push(`  Initialized: ${status.initialized}`);
-    lines.push(`  Audit Enabled: ${status.auditEnabled}`);
-  }
-  // List credentials (without values)
-  if (ctx.embeddedMode) {
-    try {
-      const creds = await ctx.embeddedMode.listCredentials();
-      lines.push('');
-      lines.push(`Stored Credentials: ${creds.length}`);
-      for (const cred of creds) {
-        lines.push(`  - ${cred.service}/${cred.key}`);
-      }
-    } catch (error) {
-      lines.push('');
-      lines.push('Credentials: (unavailable)');
-    }
+    lines.push('Proxy Status: Running');
+    lines.push(`  Socket: ${info?.socketPath}`);
+  } else {
+    lines.push('');
+    lines.push('Proxy Status: Not running');
   }
   return {
@@ -86,19 +58,10 @@ export async function statusCommand(ctx: CommandContext): Promise<CommandResult>
  * /aquaman add <service> - Add a credential (prompts for value)
  */
 export async function addCommand(
-  ctx: CommandContext,
+  _ctx: CommandContext,
   service: string,
   key: string = 'api_key'
 ): Promise<CommandResult> {
-  if (!ctx.embeddedMode) {
-    return {
-      success: false,
-      message: 'Embedded mode not available. Use proxy mode for credential management.'
-    };
-  }
-  // Note: In a real OpenClaw plugin, this would trigger a secure input prompt
-  // For now, we return instructions
   return {
     success: true,
     message: `To add a credential for ${service}/${key}:\n\n` +
@@ -111,143 +74,30 @@ export async function addCommand(
 /**
  * /aquaman list - List stored credentials
  */
-export async function listCommand(ctx: CommandContext): Promise<CommandResult> {
-  if (!ctx.embeddedMode) {
-    return {
-      success: false,
-      message: 'Embedded mode not available.'
-    };
-  }
-  try {
-    const creds = await ctx.embeddedMode.listCredentials();
-    if (creds.length === 0) {
-      return {
-        success: true,
-        message: 'No credentials stored.\n\nUse `aquaman credentials add <service> <key>` to add one.'
-      };
-    }
-    const lines = ['Stored credentials:', ''];
-    for (const cred of creds) {
-      lines.push(`  ${cred.service}/${cred.key}`);
-    }
-    return {
-      success: true,
-      message: lines.join('\n'),
-      data: creds
-    };
-  } catch (error) {
-    return {
-      success: false,
-      message: `Failed to list credentials: ${error}`
-    };
-  }
+export async function listCommand(_ctx: CommandContext): Promise<CommandResult> {
+  return {
+    success: true,
+    message: 'Run in your terminal:\n  aquaman credentials list'
+  };
 }
 /**
  * /aquaman logs - Show recent audit entries
  */
-export async function logsCommand(ctx: CommandContext, count: number = 10): Promise<CommandResult> {
-  if (!ctx.embeddedMode) {
-    return {
-      success: false,
-      message: 'Embedded mode not available.'
-    };
-  }
-  try {
-    const entries = await ctx.embeddedMode.getRecentAuditEntries(count);
-    if (entries.length === 0) {
-      return {
-        success: true,
-        message: 'No audit entries found.'
-      };
-    }
-    const lines = [`Last ${entries.length} audit entries:`, ''];
-    for (const entry of entries) {
-      const time = new Date(entry.timestamp).toISOString();
-      const type = entry.type.toUpperCase().padEnd(16);
-      let details = '';
-      if (entry.type === 'credential_access') {
-        details = `${entry.data.service} ${entry.data.operation} ${entry.data.success ? 'OK' : 'FAIL'}`;
-      } else {
-        details = JSON.stringify(entry.data).slice(0, 60);
-      }
-      lines.push(`${time} [${type}] ${details}`);
-    }
-    return {
-      success: true,
-      message: lines.join('\n'),
-      data: entries
-    };
-  } catch (error) {
-    return {
-      success: false,
-      message: `Failed to get audit logs: ${error}`
-    };
-  }
+export async function logsCommand(_ctx: CommandContext, _count: number = 10): Promise<CommandResult> {
+  return {
+    success: true,
+    message: 'Run in your terminal:\n  aquaman audit tail'
+  };
 }
 /**
  * /aquaman verify - Verify audit log integrity
  */
-export async function verifyCommand(ctx: CommandContext): Promise<CommandResult> {
-  if (!ctx.embeddedMode) {
-    return {
-      success: false,
-      message: 'Embedded mode not available.'
-    };
-  }
-  try {
-    const result = await ctx.embeddedMode.verifyAuditIntegrity();
-    if (result.valid) {
-      return {
-        success: true,
-        message: 'Audit log integrity verified. No tampering detected.'
-      };
-    } else {
-      return {
-        success: false,
-        message: 'Audit log integrity FAILED!\n\n' +
-          'Errors:\n' +
-          result.errors.map(e => `  - ${e}`).join('\n')
-      };
-    }
-  } catch (error) {
-    return {
-      success: false,
-      message: `Failed to verify audit log: ${error}`
-    };
-  }
-}
-/**
- * /aquaman mode <embedded|proxy> - Switch mode
- */
-export async function modeCommand(ctx: CommandContext, mode: 'embedded' | 'proxy'): Promise<CommandResult> {
-  if (mode !== 'embedded' && mode !== 'proxy') {
-    return {
-      success: false,
-      message: 'Invalid mode. Use "embedded" or "proxy".'
-    };
-  }
-  // Mode switching requires configuration change
+export async function verifyCommand(_ctx: CommandContext): Promise<CommandResult> {
   return {
     success: true,
-    message: `To switch to ${mode} mode, update your openclaw.json:\n\n` +
-      `{\n  "plugins": {\n    "aquaman": {\n      "mode": "${mode}"\n    }\n  }\n}\n\n` +
-      `Then restart OpenClaw.`
+    message: 'Run in your terminal:\n  aquaman audit verify'
   };
 }
@@ -272,36 +122,26 @@ export async function executeCommand(
     case 'list':
       return listCommand(ctx);
-    case 'logs':
+    case 'logs': {
       const count = args[0] ? parseInt(args[0], 10) : 10;
       return logsCommand(ctx, count);
+    }
     case 'verify':
       return verifyCommand(ctx);
-    case 'mode':
-      if (args.length < 1) {
-        return { success: false, message: 'Usage: /aquaman mode <embedded|proxy>' };
-      }
-      return modeCommand(ctx, args[0] as 'embedded' | 'proxy');
     case 'help':
     default:
       return {
         success: true,
         message: `aquaman plugin commands:
-  /aquaman status    - Show plugin status and stored credentials
+  /aquaman status    - Show plugin status
   /aquaman add       - Add a credential (shows instructions)
   /aquaman list      - List stored credentials
-  /aquaman logs [n]  - Show recent audit entries (default: 10)
+  /aquaman logs [n]  - Show recent audit entries
   /aquaman verify    - Verify audit log integrity
-  /aquaman mode      - Switch between embedded and proxy mode
-  /aquaman help      - Show this help message
-Mode comparison:
-  embedded: Simpler setup, credentials in Gateway memory
-  proxy:    Stronger isolation, credentials in separate process`
+  /aquaman help      - Show this help message`
       };
   }
 }
@@ -313,7 +153,7 @@ export function getAvailableCommands(ctx: CommandContext): PluginCommand[] {
   return [
     {
       name: 'status',
-      description: 'Show aquaman plugin status and stored credentials',
+      description: 'Show aquaman plugin status',
       execute: async () => {
         const result = await statusCommand(ctx);
         return result.message;
@@ -357,18 +197,6 @@ export function getAvailableCommands(ctx: CommandContext): PluginCommand[] {
         return result.message;
       }
     },
-    {
-      name: 'mode',
-      description: 'Switch between embedded and proxy mode',
-      execute: async (args) => {
-        const mode = args.mode || args._?.[0];
-        if (!mode) {
-          return 'Usage: /aquaman mode <embedded|proxy>';
-        }
-        const result = await modeCommand(ctx, mode as 'embedded' | 'proxy');
-        return result.message;
-      }
-    },
     {
       name: 'help',
       description: 'Show help for aquaman commands',

package/src/config-schema.ts CHANGED Viewed

@@ -6,16 +6,6 @@
 import { Type, type Static } from '@sinclair/typebox';
-/**
- * Plugin operation mode
- * - embedded: Direct vault access within OpenClaw process (simpler, less isolation)
- * - proxy: Separate proxy process (stronger isolation, credentials never in Gateway)
- */
-export const PluginMode = Type.Union([
-  Type.Literal('embedded'),
-  Type.Literal('proxy')
-], { default: 'embedded' });
 /**
  * Credential backend type
  */
@@ -23,7 +13,8 @@ export const CredentialBackend = Type.Union([
   Type.Literal('keychain'),
   Type.Literal('1password'),
   Type.Literal('vault'),
-  Type.Literal('encrypted-file')
+  Type.Literal('encrypted-file'),
+  Type.Literal('keepassxc')
 ], { default: 'keychain' });
 /**
@@ -37,19 +28,12 @@ export const ProxiedServices = Type.Array(Type.String(), {
  * Complete plugin configuration schema
  */
 export const ConfigSchema = Type.Object({
-  // Mode selection
-  mode: Type.Optional(PluginMode),
   // Credential backend
   backend: Type.Optional(CredentialBackend),
   // Services to proxy
   services: Type.Optional(ProxiedServices),
-  // Proxy mode options
-  proxyPort: Type.Optional(Type.Number({ default: 8081, minimum: 1024, maximum: 65535 })),
-  proxyAutoStart: Type.Optional(Type.Boolean({ default: true })),
   // 1Password options
   onePasswordVault: Type.Optional(Type.String()),
   onePasswordAccount: Type.Optional(Type.String()),
@@ -59,15 +43,6 @@ export const ConfigSchema = Type.Object({
   vaultToken: Type.Optional(Type.String()),
   vaultNamespace: Type.Optional(Type.String()),
   vaultMountPath: Type.Optional(Type.String({ default: 'secret' })),
-  // TLS options
-  tlsEnabled: Type.Optional(Type.Boolean({ default: true })),
-  tlsCertPath: Type.Optional(Type.String()),
-  tlsKeyPath: Type.Optional(Type.String()),
-  // Audit options
-  auditEnabled: Type.Optional(Type.Boolean({ default: true })),
-  auditLogDir: Type.Optional(Type.String())
 });
 export type PluginConfig = Static<typeof ConfigSchema>;
@@ -76,14 +51,9 @@ export type PluginConfig = Static<typeof ConfigSchema>;
  * Default configuration values
  */
 export const defaultConfig: PluginConfig = {
-  mode: 'embedded',
   backend: 'keychain',
   services: ['anthropic', 'openai'],
-  proxyPort: 8081,
-  proxyAutoStart: true,
   vaultMountPath: 'secret',
-  tlsEnabled: true,
-  auditEnabled: true
 };
 /**

package/src/http-interceptor.ts CHANGED Viewed

@@ -1,47 +1,44 @@
 /**
- * HTTP fetch interceptor for channel credential isolation.
+ * HTTP interceptor for channel credential isolation.
  *
  * Overrides globalThis.fetch to redirect requests targeting known channel API
- * hosts through the aquaman credential proxy. The proxy injects the real
- * credentials, so the Gateway process never sees them.
+ * hosts through the aquaman credential proxy via Unix domain socket.
+ * The proxy injects the real credentials, so the Gateway process never sees them.
  *
  * OpenClaw channels use globalThis.fetch (backed by undici) for all HTTP calls.
  * Many channel monitor functions also accept a `proxyFetch` parameter that
  * falls back to globalThis.fetch, so overriding it covers both paths.
+ *
+ * Uses sentinel hostname `aquaman.local` — SDK base URLs are set to
+ * `http://aquaman.local/<service>` and the interceptor routes them through UDS.
  */
+import { Agent } from 'undici';
+/** Sentinel hostname used in SDK base URLs to route through UDS */
+const PROXY_HOST = 'aquaman.local';
 export interface HttpInterceptorOptions {
-  /** Base URL of the aquaman proxy, e.g. "http://127.0.0.1:8081" */
-  proxyBaseUrl: string;
+  /** Unix domain socket path for the proxy */
+  socketPath: string;
   /** Map of hostname (or *.domain wildcard) → service name */
   hostMap: Map<string, string>;
-  /** Client authentication token for the proxy */
-  clientToken?: string;
   /** Optional logger */
   log?: (msg: string) => void;
 }
 export class HttpInterceptor {
-  private proxyBaseUrl: string;
-  private proxyHost: string;
+  private socketPath: string;
   private hostMap: Map<string, string>;
-  private clientToken: string | null;
   private originalFetch: typeof globalThis.fetch | null = null;
   private active = false;
   private log: (msg: string) => void;
+  private socketAgent: Agent | null = null;
   constructor(options: HttpInterceptorOptions) {
-    this.proxyBaseUrl = options.proxyBaseUrl.replace(/\/$/, '');
+    this.socketPath = options.socketPath;
     this.hostMap = options.hostMap;
-    this.clientToken = options.clientToken || null;
     this.log = options.log || (() => {});
-    // Extract proxy hostname to avoid intercepting requests to the proxy itself
-    try {
-      this.proxyHost = new URL(this.proxyBaseUrl).hostname;
-    } catch {
-      this.proxyHost = '127.0.0.1';
-    }
   }
   /**
@@ -51,15 +48,13 @@ export class HttpInterceptor {
     if (this.active) return;
     this.originalFetch = globalThis.fetch;
+    this.socketAgent = new Agent({ connect: { socketPath: this.socketPath } });
     const origFetch = this.originalFetch;
-    const proxyBase = this.proxyBaseUrl;
-    const proxyHostname = this.proxyHost;
-    const token = this.clientToken;
+    const socketAgent = this.socketAgent;
     const matchHost = this.matchHost.bind(this);
     const extractUrl = this.extractUrl.bind(this);
     const stripAuthHeaders = this.stripAuthHeaders.bind(this);
-    const injectToken = this.injectTokenHeader.bind(this);
     const logFn = this.log;
     (globalThis as any).fetch = (
@@ -71,22 +66,19 @@ export class HttpInterceptor {
         return origFetch.call(globalThis, input, init);
       }
-      // Requests to the proxy itself (SDK traffic via env vars) — inject token, pass through
-      if (url.hostname === proxyHostname || url.hostname === 'localhost') {
-        if (token) {
-          const tokenInit = injectToken(init, token);
-          return origFetch.call(globalThis, input, tokenInit);
-        }
-        return origFetch.call(globalThis, input, init);
+      // SDK traffic via env vars (hostname = aquaman.local) — route through UDS
+      if (url.hostname === PROXY_HOST) {
+        return origFetch.call(globalThis, input, { ...init, dispatcher: socketAgent } as any);
       }
+      // Channel traffic — match against host map
       const service = matchHost(url.hostname);
       if (!service) {
         return origFetch.call(globalThis, input, init);
       }
       // Rewrite the URL to go through the proxy
-      const proxyUrl = `${proxyBase}/${service}${url.pathname}${url.search}`;
+      const proxyUrl = `http://${PROXY_HOST}/${service}${url.pathname}${url.search}`;
       logFn(`[aquaman] Intercepted ${url.hostname}${url.pathname} → ${service}`);
       // Strip any existing authorization headers — the proxy will inject the real ones
@@ -96,12 +88,7 @@ export class HttpInterceptor {
         newInit = { ...init, headers: stripped };
       }
-      // Inject client token for proxy authentication
-      if (token) {
-        newInit = injectToken(newInit, token);
-      }
-      return origFetch.call(globalThis, proxyUrl, { ...newInit, redirect: 'manual' });
+      return origFetch.call(globalThis, proxyUrl, { ...newInit, redirect: 'manual', dispatcher: socketAgent } as any);
     };
     this.active = true;
@@ -117,6 +104,12 @@ export class HttpInterceptor {
     globalThis.fetch = this.originalFetch;
     this.originalFetch = null;
     this.active = false;
+    if (this.socketAgent) {
+      this.socketAgent.close();
+      this.socketAgent = null;
+    }
     this.log('[aquaman] HTTP interceptor deactivated');
   }
@@ -153,28 +146,6 @@ export class HttpInterceptor {
     return null;
   }
-  private injectTokenHeader(init: RequestInit | undefined, token: string): RequestInit {
-    const base = init || {};
-    const headers = base.headers;
-    if (!headers) {
-      return { ...base, headers: { 'x-aquaman-token': token } };
-    }
-    if (headers instanceof Headers) {
-      const h = new Headers(headers);
-      h.set('x-aquaman-token', token);
-      return { ...base, headers: h };
-    }
-    if (Array.isArray(headers)) {
-      return { ...base, headers: [...headers, ['x-aquaman-token', token]] };
-    }
-    // Plain object
-    return { ...base, headers: { ...headers, 'x-aquaman-token': token } };
-  }
   private stripAuthHeaders(headers: HeadersInit): HeadersInit {
     if (headers instanceof Headers) {
       const h = new Headers(headers);

package/src/index.ts CHANGED Viewed

@@ -3,9 +3,7 @@
  *
  * This package provides an OpenClaw plugin that enables:
  * - Secure credential storage using enterprise backends (Keychain, 1Password, Vault)
- * - Two operation modes:
- *   - Embedded: Direct vault access (simpler, credentials in Gateway memory)
- *   - Proxy: Separate process (stronger isolation, credentials never in Gateway)
+ * - Proxy mode: Separate process, credentials never in Gateway memory
  * - Hash-chained tamper-evident audit logs
  * - Slash commands for credential management
  *
@@ -16,7 +14,6 @@
  *   {
  *     "plugins": {
  *       "aquaman-plugin": {
- *         "mode": "embedded",
  *         "backend": "keychain",
  *         "services": ["anthropic", "openai"]
  *       }
@@ -34,7 +31,6 @@ export {
 // Config Schema
 export {
   ConfigSchema,
-  PluginMode,
   CredentialBackend,
   ProxiedServices,
   type PluginConfig,
@@ -42,13 +38,6 @@ export {
   mergeConfig
 } from './config-schema.js';
-// Embedded Mode
-export {
-  type EmbeddedModeOptions,
-  EmbeddedMode,
-  createEmbeddedMode
-} from './embedded.js';
 // Proxy Manager
 export {
   type ProxyConnectionInfo,
@@ -66,7 +55,6 @@ export {
   listCommand,
   logsCommand,
   verifyCommand,
-  modeCommand,
   executeCommand
 } from './commands.js';