aquaman-proxy 0.5.1 → 0.7.0

package/README.md

@@ -8,15 +8,16 @@ Credential isolation proxy and CLI for [aquaman](https://github.com/tech4242/aqu
 Agent / OpenClaw Gateway              Aquaman Proxy
 ┌──────────────────────┐              ┌──────────────────────┐
 │                      │              │                      │
-│  ANTHROPIC_BASE_URL  │──request────>│  Keychain / 1Pass /  │
-│  = localhost:8081    │              │  Vault / Encrypted   │
-│                      │<─response────│                      │
-│  fetch() interceptor │──channel────>│  + Auth injected:    │
-│  redirects channel   │   traffic    │    header / url-path │
+│  ANTHROPIC_BASE_URL  │══ Unix ════>│  Keychain / 1Pass /  │
+│  = aquaman.local     │   Domain    │  Vault / Encrypted   │
+│                      │<═ Socket ═══│                      │
+│  fetch() interceptor │══ (UDS) ══=>│  + Auth injected:    │
+│  redirects channel   │              │    header / url-path │
 │  API traffic         │              │    basic / oauth     │
 │                      │              │                      │
-│  No credentials.     │              │                      │
-│  Nothing to steal.   │              │                      │
+│  No credentials.     │  ~/.aquaman/ │                      │
+│  No open ports.      │  proxy.sock  │                      │
+│  Nothing to steal.   │  (chmod 600) │                      │
 └──────────────────────┘              └───┬──────────┬───────┘
                                          │          │
                                          │          ▼
@@ -28,26 +29,33 @@ Agent / OpenClaw Gateway              Aquaman Proxy
                                slack.com/api  ...
 ```
 
-This package is the right side. A reverse proxy that intercepts API requests and injects credentials from secure backends. 23 builtin services, four auth modes.
+This package is the right side. A reverse proxy that listens on a Unix domain socket (`~/.aquaman/proxy.sock`) and injects credentials from secure backends. No TCP port, no network exposure. 23 builtin services, four auth modes.
 
 ## Quick Start
 
 With OpenClaw:
 
 ```bash
-npm install -g aquaman-proxy              # 1. Install
-aquaman setup                             # 2. Store keys, install plugin, configure OpenClaw
-aquaman migrate openclaw --auto           # 3. Move existing channel creds to secure store
-openclaw                                  # 4. Proxy starts automatically via plugin
+npm install -g aquaman-proxy              # install the proxy CLI
+aquaman setup                             # stores keys, installs plugin, configures OpenClaw
+openclaw                                  # proxy starts automatically via plugin
 ```
 
+> `aquaman setup` auto-detects your credential backend. macOS defaults to Keychain,
+> Linux defaults to encrypted file. Override with `--backend`:
+> `aquaman setup --backend keepassxc`
+> Options: `keychain`, `encrypted-file`, `keepassxc`, `1password`, `vault`
+
+Existing plaintext credentials are migrated automatically during setup.
+Run again anytime to migrate new credentials: `aquaman migrate openclaw --auto`
+
 Standalone:
 
 ```bash
 npm install -g aquaman-proxy
 aquaman init
 aquaman credentials add anthropic api_key
-aquaman daemon
+aquaman daemon                               # listens on ~/.aquaman/proxy.sock
 ```
 
 Troubleshooting: `aquaman doctor`