npm - aquaman-plugin - Versions diffs - 0.5.1 → 0.7.0 - Mend

aquaman-plugin 0.5.1 → 0.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

package/src/plugin.ts CHANGED Viewed

@@ -2,14 +2,11 @@
  * OpenClaw Plugin Entry Point
  *
  * This is the main plugin that implements the OpenClaw plugin interface.
- * It provides credential isolation through two modes:
- *
- * 1. Embedded Mode (default): Direct vault access, simpler setup
- * 2. Proxy Mode: Separate process, stronger credential isolation
+ * It provides credential isolation through proxy mode:
+ * credentials are held in a separate process and never enter the Gateway.
  */
 import { type PluginConfig, mergeConfig, defaultConfig } from './config-schema.js';
-import { createEmbeddedMode, type EmbeddedMode } from './embedded.js';
 import { createProxyManager, type ProxyManager, type ProxyConnectionInfo } from './proxy-manager.js';
 import { executeCommand, type CommandContext, type CommandResult, getAvailableCommands, type PluginCommand } from './commands.js';
 import { HttpInterceptor, createHttpInterceptor } from './http-interceptor.js';
@@ -30,7 +27,6 @@ export class AquamanPlugin {
   readonly name = 'aquaman-plugin';
   private config: PluginConfig;
-  private embeddedMode: EmbeddedMode | null = null;
   private proxyManager: ProxyManager | null = null;
   private httpInterceptor: HttpInterceptor | null = null;
   private initialized = false;
@@ -61,16 +57,10 @@ export class AquamanPlugin {
     console.log('[aquaman] Initializing plugin...');
-    if (this.config.mode === 'proxy') {
-      // Proxy mode: Start separate process
-      await this.initProxyMode();
-    } else {
-      // Embedded mode: Direct vault access
-      await this.initEmbeddedMode();
-    }
+    await this.initProxyMode();
     this.initialized = true;
-    console.log(`[aquaman] Plugin initialized in ${this.config.mode || 'embedded'} mode`);
+    console.log('[aquaman] Plugin initialized in proxy mode');
   }
   /**
@@ -100,40 +90,20 @@ export class AquamanPlugin {
       this.proxyManager = null;
     }
-    this.embeddedMode = null;
     this.initialized = false;
     console.log('[aquaman] Plugin unloaded');
   }
-  /**
-   * Initialize embedded mode
-   */
-  private async initEmbeddedMode(): Promise<void> {
-    this.embeddedMode = createEmbeddedMode({
-      config: this.config
-    });
-    await this.embeddedMode.initialize();
-    // Set environment variables for OpenClaw
-    this.configureEnvironment();
-  }
   /**
    * Initialize proxy mode
    */
   private async initProxyMode(): Promise<void> {
-    if (!this.config.proxyAutoStart) {
-      console.log('[aquaman] Proxy auto-start disabled');
-      return;
-    }
     this.proxyManager = createProxyManager({
       config: this.config,
       onReady: (info) => {
-        console.log(`[aquaman] Proxy ready at ${info.baseUrl}`);
-        this.configureEnvironmentForProxy(info);
+        console.log(`[aquaman] Proxy ready on ${info.socketPath}`);
+        this.configureEnvironmentForProxy();
       },
       onError: (error) => {
         console.error('[aquaman] Proxy error:', error);
@@ -143,28 +113,20 @@ export class AquamanPlugin {
       }
     });
-    // Also initialize embedded mode for credential management
-    this.embeddedMode = createEmbeddedMode({
-      config: this.config
-    });
-    await this.embeddedMode.initialize();
     // Start proxy
     try {
       const info = await this.proxyManager.start();
-      this.configureEnvironmentForProxy(info);
-      this.activateHttpInterceptor(info.baseUrl);
+      this.configureEnvironmentForProxy();
+      this.activateHttpInterceptor(info.socketPath);
     } catch (error) {
       console.error('[aquaman] Failed to start proxy:', error);
-      console.log('[aquaman] Falling back to embedded mode');
-      this.configureEnvironment();
     }
   }
   /**
    * Activate HTTP interceptor for channel credential isolation.
    */
-  private activateHttpInterceptor(proxyBaseUrl: string): void {
+  private activateHttpInterceptor(proxySocketPath: string): void {
     // Build host map from the service registry's host patterns
     const hostMap = new Map<string, string>([
       ['api.anthropic.com', 'anthropic'],
@@ -193,7 +155,7 @@ export class AquamanPlugin {
     ]);
     this.httpInterceptor = createHttpInterceptor({
-      proxyBaseUrl,
+      socketPath: proxySocketPath,
       hostMap,
       log: (msg) => console.log(msg),
     });
@@ -202,68 +164,27 @@ export class AquamanPlugin {
   }
   /**
-   * Configure environment variables for embedded mode
-   * In embedded mode, we still set base URLs pointing to a local proxy
-   * so credential injection works consistently.
-   */
-  private configureEnvironment(): void {
-    const services = this.config.services || defaultConfig.services;
-    const port = this.config.proxyPort || 8081;
-    const baseUrl = `http://127.0.0.1:${port}`;
-    this.setServiceEnvironmentVariables(services!, baseUrl);
-    console.log('[aquaman] Embedded mode active - credentials available via plugin');
-  }
-  /**
-   * Configure environment variables to route through proxy
+   * Configure environment variables using sentinel hostname
    */
-  private configureEnvironmentForProxy(info: ProxyConnectionInfo): void {
+  private configureEnvironmentForProxy(): void {
     const services = this.config.services || defaultConfig.services;
-    this.setServiceEnvironmentVariables(services!, info.baseUrl);
-    // Handle TLS
-    if (info.protocol === 'https') {
-      if (this.config.tlsCertPath) {
-        this.setEnvVar('NODE_EXTRA_CA_CERTS', this.config.tlsCertPath);
-      } else {
-        // Development: disable TLS verification for self-signed certs
-        this.setEnvVar('NODE_TLS_REJECT_UNAUTHORIZED', '0');
-      }
-    }
-  }
-  /**
-   * Set environment variables for configured services
-   */
-  private setServiceEnvironmentVariables(services: string[], baseUrl: string): void {
-    for (const service of services) {
-      const serviceUrl = `${baseUrl}/${service}`;
+    for (const service of services!) {
+      const serviceUrl = `http://aquaman.local/${service}`;
       switch (service) {
         case 'anthropic':
           this.setEnvVar('ANTHROPIC_BASE_URL', serviceUrl);
-          this.setEnvVar('ANTHROPIC_API_KEY', 'aquaman-proxy-managed');
           break;
         case 'openai':
           this.setEnvVar('OPENAI_BASE_URL', serviceUrl);
-          this.setEnvVar('OPENAI_API_KEY', 'aquaman-proxy-managed');
           break;
         case 'github':
           this.setEnvVar('GITHUB_API_URL', serviceUrl);
-          this.setEnvVar('GITHUB_TOKEN', 'aquaman-proxy-managed');
           break;
-        case 'slack':
-          this.setEnvVar('SLACK_API_URL', serviceUrl);
-          this.setEnvVar('SLACK_BOT_TOKEN', 'aquaman-proxy-managed');
-          break;
-        case 'discord':
-          this.setEnvVar('DISCORD_API_URL', serviceUrl);
-          this.setEnvVar('DISCORD_BOT_TOKEN', 'aquaman-proxy-managed');
-          break;
-        default:
+        default: {
           const envKey = `${service.toUpperCase().replace(/-/g, '_')}_BASE_URL`;
           this.setEnvVar(envKey, serviceUrl);
+        }
       }
     }
   }
@@ -283,69 +204,29 @@ export class AquamanPlugin {
   async executeCommand(command: string, args: string[] = []): Promise<CommandResult> {
     const ctx: CommandContext = {
       config: this.config,
-      embeddedMode: this.embeddedMode || undefined,
       proxyManager: this.proxyManager || undefined
     };
     return executeCommand(ctx, command, args);
   }
-  /**
-   * Get credential (for embedded mode)
-   */
-  async getCredential(service: string, key: string): Promise<string | null> {
-    if (!this.embeddedMode) {
-      throw new Error('Plugin not initialized');
-    }
-    return this.embeddedMode.getCredential(service, key);
-  }
-  /**
-   * Set credential (for embedded mode)
-   */
-  async setCredential(service: string, key: string, value: string): Promise<void> {
-    if (!this.embeddedMode) {
-      throw new Error('Plugin not initialized');
-    }
-    return this.embeddedMode.setCredential(service, key, value);
-  }
-  /**
-   * List credentials
-   */
-  async listCredentials(service?: string): Promise<Array<{ service: string; key: string }>> {
-    if (!this.embeddedMode) {
-      throw new Error('Plugin not initialized');
-    }
-    return this.embeddedMode.listCredentials(service);
-  }
   /**
    * Get plugin status
    */
   getStatus(): {
     initialized: boolean;
-    mode: string;
     backend: string;
     proxyRunning: boolean;
     services: string[];
   } {
     return {
       initialized: this.initialized,
-      mode: this.config.mode || 'embedded',
       backend: this.config.backend || 'keychain',
       proxyRunning: this.proxyManager?.isRunning() || false,
       services: this.config.services || []
     };
   }
-  /**
-   * Get current operating mode
-   */
-  getMode(): 'embedded' | 'proxy' {
-    return (this.config.mode as 'embedded' | 'proxy') || 'embedded';
-  }
   /**
    * Get configured backend
    */
@@ -373,20 +254,12 @@ export class AquamanPlugin {
   getCommands(): PluginCommand[] {
     const ctx: CommandContext = {
       config: this.config,
-      embeddedMode: this.embeddedMode || undefined,
       proxyManager: this.proxyManager || undefined
     };
     return getAvailableCommands(ctx);
   }
-  /**
-   * Get proxy URL for a service (proxy mode only)
-   */
-  getProxyUrl(service: string): string | null {
-    return this.proxyManager?.getServiceUrl(service) || null;
-  }
   /**
    * Check if proxy is healthy
    */

package/src/proxy-health.ts CHANGED Viewed

@@ -1,43 +1,67 @@
 /**
  * Proxy health and discovery utilities.
  *
- * Separated from index.ts to avoid co-locating network calls with process.env
+ * Separated from index.ts to avoid co-locating network calls with env reads
  * (triggers OpenClaw code safety scanner env-harvesting false positive).
+ *
+ * Uses http.request with socketPath for UDS communication.
+ */
+import * as http from 'node:http';
+/**
+ * Make an HTTP request over a Unix domain socket.
  */
+function udsRequest(socketPath: string, urlPath: string, timeoutMs: number = 3000): Promise<{ ok: boolean; data: any }> {
+  return new Promise((resolve) => {
+    const req = http.request(
+      { socketPath, path: urlPath, method: 'GET' },
+      (res) => {
+        let body = '';
+        res.on('data', (chunk) => { body += chunk; });
+        res.on('end', () => {
+          try {
+            resolve({ ok: res.statusCode === 200, data: JSON.parse(body) });
+          } catch {
+            resolve({ ok: false, data: null });
+          }
+        });
+      }
+    );
+    req.on('error', () => resolve({ ok: false, data: null }));
+    req.setTimeout(timeoutMs, () => { req.destroy(); resolve({ ok: false, data: null }); });
+    req.end();
+  });
+}
 /**
- * Request host map from proxy's /_hostmap endpoint.
+ * Request host map from proxy's /_hostmap endpoint via UDS.
  * Returns an empty map if the endpoint is unavailable (caller handles fallback).
  */
-export async function fetchHostMap(
-  baseUrl: string,
-  token: string | null,
-): Promise<Map<string, string>> {
-  try {
-    const headers: Record<string, string> = {};
-    if (token) headers['X-Aquaman-Token'] = token;
-    const resp = await fetch(`${baseUrl}/_hostmap`, {
-      headers,
-      signal: AbortSignal.timeout(3000),
-    });
-    if (resp.ok) {
-      const obj = (await resp.json()) as Record<string, string>;
-      return new Map(Object.entries(obj));
-    }
-  } catch {
-    // Proxy may be older version without /_hostmap — caller uses fallback
+export async function loadHostMap(socketPath: string): Promise<Map<string, string>> {
+  const result = await udsRequest(socketPath, '/_hostmap');
+  if (result.ok && result.data) {
+    return new Map(Object.entries(result.data as Record<string, string>));
   }
   return new Map();
 }
 /**
- * Check if a proxy is already running on the given port.
+ * Check if a proxy is running on the given socket path.
+ */
+export async function isProxyRunning(socketPath: string): Promise<boolean> {
+  const result = await udsRequest(socketPath, '/_health');
+  return result.ok;
+}
+/**
+ * Get the version of a running proxy from its /_health endpoint via UDS.
+ * Returns null if the proxy is not running or doesn't report version.
  */
-export async function isProxyRunning(port: number): Promise<boolean> {
-  try {
-    const resp = await fetch(`http://127.0.0.1:${port}/_health`);
-    return resp.ok;
-  } catch {
-    return false;
+export async function getProxyVersion(socketPath: string): Promise<string | null> {
+  const result = await udsRequest(socketPath, '/_health');
+  if (result.ok && result.data?.version) {
+    return result.data.version;
   }
+  return null;
 }

package/src/proxy-manager.ts CHANGED Viewed

@@ -2,22 +2,20 @@
  * Proxy process lifecycle manager
  *
  * Spawns and manages the aquaman proxy daemon as a separate process
- * for maximum credential isolation.
+ * for maximum credential isolation. Communicates via Unix domain socket.
  */
 import { spawn, type ChildProcess } from 'node:child_process';
 import * as path from 'node:path';
 import * as fs from 'node:fs';
+import * as os from 'node:os';
 import type { PluginConfig } from './config-schema.js';
 export interface ProxyConnectionInfo {
   ready: boolean;
-  port: number;
-  protocol: 'http' | 'https';
-  baseUrl: string;
+  socketPath: string;
   services: string[];
   backend: string;
-  token?: string;
   hostMap?: Record<string, string>;
 }
@@ -79,11 +77,8 @@ export class ProxyManager {
         return;
       }
-      // Build arguments
-      const args = [
-        'plugin-mode',
-        '--port', String(config.proxyPort || 8081)
-      ];
+      // Build arguments — UDS is the default, no --port needed
+      const args = ['plugin-mode'];
       // Spawn proxy process
       this.process = spawn(binaryPath, args, {
@@ -139,7 +134,8 @@ export class ProxyManager {
         this.options.onExit?.(code);
         if (!this.connectionInfo) {
-          const error = new Error(`Proxy exited with code ${code}: ${stderr || stdout}`);
+          const stderrText = stderr || stdout;
+          const error = new Error(`Proxy exited with code ${code}: ${stderrText}`);
           reject(error);
         }
       });
@@ -196,20 +192,10 @@ export class ProxyManager {
   }
   /**
-   * Get client authentication token
+   * Get socket path
    */
-  getClientToken(): string | null {
-    return this.connectionInfo?.token || null;
-  }
-  /**
-   * Get base URL for a service
-   */
-  getServiceUrl(service: string): string | null {
-    if (!this.connectionInfo) {
-      return null;
-    }
-    return `${this.connectionInfo.baseUrl}/${service}`;
+  getSocketPath(): string | null {
+    return this.connectionInfo?.socketPath || null;
   }
   /**

package/src/embedded.ts DELETED Viewed

@@ -1,182 +0,0 @@
-/**
- * Embedded mode - Direct vault access within OpenClaw process
- *
- * This mode provides simpler setup but credentials DO enter the Gateway process memory.
- * Use proxy mode for maximum isolation.
- */
-import {
-  createCredentialStore,
-  createAuditLogger,
-  type CredentialStore,
-  type AuditLogger,
-  type CredentialBackend
-} from 'aquaman-core';
-import type { PluginConfig } from './config-schema.js';
-export interface EmbeddedModeOptions {
-  config: PluginConfig;
-}
-export class EmbeddedMode {
-  private config: PluginConfig;
-  private store: CredentialStore | null = null;
-  private auditLogger: AuditLogger | null = null;
-  private initialized = false;
-  constructor(options: EmbeddedModeOptions) {
-    this.config = options.config;
-  }
-  /**
-   * Initialize the embedded mode
-   */
-  async initialize(): Promise<void> {
-    if (this.initialized) {
-      return;
-    }
-    // Initialize credential store
-    this.store = createCredentialStore({
-      backend: (this.config.backend || 'keychain') as CredentialBackend,
-      vaultAddress: this.config.vaultAddress,
-      vaultToken: this.config.vaultToken,
-      vaultNamespace: this.config.vaultNamespace,
-      vaultMountPath: this.config.vaultMountPath,
-      onePasswordVault: this.config.onePasswordVault,
-      onePasswordAccount: this.config.onePasswordAccount,
-      encryptionPassword: process.env['AQUAMAN_ENCRYPTION_PASSWORD']
-    });
-    // Initialize audit logger
-    if (this.config.auditEnabled !== false) {
-      this.auditLogger = createAuditLogger({
-        logDir: this.config.auditLogDir || '~/.aquaman/audit',
-        enabled: true
-      });
-      await this.auditLogger.initialize();
-    }
-    this.initialized = true;
-  }
-  /**
-   * Get a credential for a service
-   * WARNING: This retrieves the credential into process memory
-   */
-  async getCredential(service: string, key: string): Promise<string | null> {
-    if (!this.store) {
-      throw new Error('Embedded mode not initialized');
-    }
-    const credential = await this.store.get(service, key);
-    // Log access
-    if (this.auditLogger) {
-      await this.auditLogger.logCredentialAccess('embedded', 'openclaw', {
-        service,
-        operation: 'read',
-        success: credential !== null
-      });
-    }
-    return credential;
-  }
-  /**
-   * Set a credential
-   */
-  async setCredential(service: string, key: string, value: string): Promise<void> {
-    if (!this.store) {
-      throw new Error('Embedded mode not initialized');
-    }
-    await this.store.set(service, key, value);
-    // Log access
-    if (this.auditLogger) {
-      await this.auditLogger.logCredentialAccess('embedded', 'openclaw', {
-        service,
-        operation: 'use',
-        success: true
-      });
-    }
-  }
-  /**
-   * Delete a credential
-   */
-  async deleteCredential(service: string, key: string): Promise<boolean> {
-    if (!this.store) {
-      throw new Error('Embedded mode not initialized');
-    }
-    return this.store.delete(service, key);
-  }
-  /**
-   * List credentials
-   */
-  async listCredentials(service?: string): Promise<Array<{ service: string; key: string }>> {
-    if (!this.store) {
-      throw new Error('Embedded mode not initialized');
-    }
-    return this.store.list(service);
-  }
-  /**
-   * Check if a credential exists
-   */
-  async hasCredential(service: string, key: string): Promise<boolean> {
-    if (!this.store) {
-      throw new Error('Embedded mode not initialized');
-    }
-    return this.store.exists(service, key);
-  }
-  /**
-   * Get the audit logger
-   */
-  getAuditLogger(): AuditLogger | null {
-    return this.auditLogger;
-  }
-  /**
-   * Get status info
-   */
-  getStatus(): { initialized: boolean; backend: string; auditEnabled: boolean } {
-    return {
-      initialized: this.initialized,
-      backend: this.config.backend || 'keychain',
-      auditEnabled: this.config.auditEnabled !== false
-    };
-  }
-  /**
-   * Verify audit log integrity
-   */
-  async verifyAuditIntegrity(): Promise<{ valid: boolean; errors: string[] }> {
-    if (!this.auditLogger) {
-      return { valid: true, errors: [] };
-    }
-    return this.auditLogger.verifyIntegrity();
-  }
-  /**
-   * Get recent audit entries
-   */
-  async getRecentAuditEntries(count: number = 10): Promise<any[]> {
-    if (!this.auditLogger) {
-      return [];
-    }
-    return this.auditLogger.tail(count);
-  }
-}
-export function createEmbeddedMode(options: EmbeddedModeOptions): EmbeddedMode {
-  return new EmbeddedMode(options);
-}