aquaman-plugin 0.9.2 → 0.10.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2)
  1. package/README.md +25 -28
  2. package/package.json +2 -2
package/README.md CHANGED
@@ -1,19 +1,18 @@
  # aquaman-plugin
 
- OpenClaw Gateway plugin for [aquaman](https://github.com/tech4242/aquaman) credential isolation.
-
- ## How It Works
+ OpenClaw Gateway plugin for [aquaman](https://github.com/tech4242/aquaman) credential isolation for OpenClaw.
 
  ```
  Agent / OpenClaw Gateway Aquaman Proxy
  ┌──────────────────────┐ ┌──────────────────────┐
  │ │ │ │
- │ ANTHROPIC_BASE_URL │══ Unix ════>│ Keychain / 1Pass / │
- │ = aquaman.local │ Domain │ Vault / Encrypted │
- │ │<═ Socket ═══│
- │ fetch() interceptor │══ (UDS) ══=>│ + Auth injected:
- │ redirects channel │ │ header / url-path
- │ API traffic │ │ basic / oauth
+ │ ANTHROPIC_BASE_URL │══ Unix ═════>│ Keychain / 1Pass / │
+ │ = aquaman.local │ Domain │ Vault / Encrypted │
+ │ │<═ Socket ════│
+ │ fetch() interceptor │══ (UDS) ════>│ + Policy enforced
+ │ redirects channel │ │ + Auth injected:
+ │ API traffic │ │ header / url-path
+ │ │ │ basic / oauth │
  │ │ │ │
  │ No credentials. │ ~/.aquaman/ │ │
  │ No open ports. │ proxy.sock │ │
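Review bot: the new line 3 reads "OpenClaw Gateway plugin for [aquaman](https://github.com/tech4242/aquaman) credential isolation for OpenClaw", which repeats "OpenClaw" and is less clear than the sentence it replaces; suggest keeping "OpenClaw Gateway plugin for [aquaman](https://github.com/tech4242/aquaman) credential isolation." or rewording to "...that keeps credentials out of the OpenClaw Gateway". The hunk also drops the `## How It Works` heading, so the diagram now sits directly under the page title with no section of its own, and the new right-hand box lines 11 to 14 (`<═ Socket ════│`, `+ Policy enforced`, `+ Auth injected:`, `header / url-path`) lack the closing `│` that line 15 (`basic / oauth │`) has; aligning those so the box renders closed is worth doing while the diagram is being touched.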
@@ -30,24 +29,22 @@ Agent / OpenClaw Gateway Aquaman Proxy
  slack.com/api ...
  ```
 
- This plugin makes the left side work. It routes all LLM and channel API traffic through the aquaman proxy via Unix domain socket so credentials never enter the Gateway process. No TCP port is opened — traffic flows through `~/.aquaman/proxy.sock`.
+ This plugin is the left side it runs inside the Gateway process and routes all LLM and channel API traffic through the aquaman proxy via Unix domain socket. Credentials never enter the agent's address space.
+
+ **What it does on load:**
+ 1. Sets `ANTHROPIC_BASE_URL` / `OPENAI_BASE_URL` to `http://aquaman.local/<service>` (routed to UDS)
+ 2. Spawns the proxy daemon via `ProxyManager`
+ 3. Activates a `globalThis.fetch` interceptor to redirect channel API traffic through the proxy
+ 4. Registers `/aquaman-status` command and `aquaman_status` tool
 
  ## Quick Start
 
  ```bash
- npm install -g aquaman-proxy # install the proxy CLI
- aquaman setup # stores keys, installs plugin, configures OpenClaw
- openclaw # proxy starts automatically
+ npm install -g aquaman-proxy
+ aquaman setup # stores keys, installs this plugin, applies policy defaults
+ openclaw # proxy starts automatically
  ```
 
- > `aquaman setup` auto-detects your credential backend. macOS defaults to Keychain,
- > Linux defaults to encrypted file. Override with `--backend`:
- > `aquaman setup --backend keepassxc`
- > Options: `keychain`, `encrypted-file`, `keepassxc`, `1password`, `vault`, `systemd-creds`, `bitwarden`
-
- Existing plaintext credentials are migrated automatically during setup.
- Run again anytime to migrate new credentials: `aquaman migrate openclaw --auto`
-
  Troubleshooting: `aquaman doctor`
 
  ## Config Options
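Review bot: new line 32 is a run-on: "This plugin is the left side it runs inside the Gateway process" needs a colon or period after "left side". The hunk also removes the `--backend` guidance and the `aquaman migrate openclaw --auto` line, so the README no longer tells a reader how to choose among the backends that the `backend` row of the config table still lists, nor how existing plaintext credentials get migrated; if that material moved to the main README, link it the way the request-policy docs are linked in the later hunk. Finally, the removed sentence that no TCP port is opened and that traffic flows through `~/.aquaman/proxy.sock` states a security property that now survives only inside the diagram; one sentence keeping it in prose would help readers who skim past the box drawing.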
@@ -59,20 +56,20 @@ Troubleshooting: `aquaman doctor`
  | `backend` | `"keychain"` \| `"1password"` \| `"vault"` \| `"encrypted-file"` \| `"keepassxc"` \| `"systemd-creds"` \| `"bitwarden"` | `"keychain"` | Credential store |
  | `services` | `string[]` | `["anthropic", "openai"]` | Services to proxy |
 
- > Advanced settings (audit, vault) go in `~/.aquaman/config.yaml`.
+ > Advanced settings (audit, vault, request policies) go in `~/.aquaman/config.yaml`. See [request policy docs](https://github.com/tech4242/aquaman#request-policies).
 
- ## Security Audit Note
+ ## Security Audit
 
- Running `openclaw security audit --deep` will show two expected findings:
+ `openclaw security audit --deep` reports two expected findings:
 
- - **`dangerous-exec`** on `proxy-manager.ts` — the plugin spawns the aquaman proxy as a separate process, which is the whole point of credential isolation.
- - **`tools_reachable_permissive_policy`** — advisory that plugin tools are reachable under the default tool policy. This is about your OpenClaw tool profile setting, not about aquaman. Set `"tools": { "profile": "coding" }` in `openclaw.json` if your agents handle untrusted input.
+ - **`dangerous-exec`** on `proxy-manager.ts` — the plugin spawns the proxy as a separate process. This is how credential isolation works.
+ - **`tools_reachable_permissive_policy`** — advisory about your tool policy, not an aquaman vulnerability. Set `"tools": { "profile": "coding" }` in `openclaw.json` if your agents handle untrusted input.
 
- `aquaman setup` adds the plugin to your `plugins.allow` trust list automatically.
+ `aquaman setup` adds the plugin to `plugins.allow` automatically.
 
  ## Documentation
 
- See the [main README](https://github.com/tech4242/aquaman#readme) for architecture, Docker deployment, and manual testing.
+ See the [main README](https://github.com/tech4242/aquaman#readme) for the full security model, architecture diagrams, and manual testing guides.
 
  ## License
 
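Review bot: the shortened `tools_reachable_permissive_policy` bullet on new line 66 no longer says what the finding means (that the plugin's tools are reachable under the default tool policy), only that it is not an aquaman vulnerability; keep the one-line explanation from old line 69 ahead of the `"tools": { "profile": "coding" }` advice so a reader can judge whether the advisory applies to their deployment. Likewise, new line 68 drops the description of `plugins.allow` as a trust list, which made it clear that `aquaman setup` is widening the Gateway's set of trusted plugins on the user's behalf; a few words saying so are worth keeping.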
package/package.json CHANGED
@@ -1,6 +1,6 @@
  {
  "name": "aquaman-plugin",
- "version": "0.9.2",
+ "version": "0.10.0",
  "description": "Credential isolation plugin for OpenClaw",
  "type": "module",
  "scripts": {
@@ -27,7 +27,7 @@
  },
  "peerDependencies": {
  "openclaw": ">=2026.1.11",
- "aquaman-proxy": "0.9.2"
+ "aquaman-proxy": "0.10.0"
  },
  "peerDependenciesMeta": {
  "aquaman-proxy": {
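Review bot: `aquaman-proxy` remains pinned to an exact version (`"aquaman-proxy": "0.10.0"`) while the README's Quick Start installs it with `npm install -g aquaman-proxy` and no version, so a user who later upgrades the global proxy ends up with a peer dependency this plugin no longer satisfies; either state in the README that plugin and proxy must be upgraded together, or relax the pin to a range if the Unix-socket protocol between them is stable across patch releases.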