aquaman-proxy 0.8.0 → 0.9.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (20) hide show
  1. package/README.md +9 -8
  2. package/dist/cli/index.js +96 -23
  3. package/dist/cli/index.js.map +1 -1
  4. package/dist/core/credentials/backends/bitwarden.d.ts +63 -0
  5. package/dist/core/credentials/backends/bitwarden.d.ts.map +1 -0
  6. package/dist/core/credentials/backends/bitwarden.js +395 -0
  7. package/dist/core/credentials/backends/bitwarden.js.map +1 -0
  8. package/dist/core/credentials/store.d.ts +4 -1
  9. package/dist/core/credentials/store.d.ts.map +1 -1
  10. package/dist/core/credentials/store.js +10 -1
  11. package/dist/core/credentials/store.js.map +1 -1
  12. package/dist/core/types.d.ts +5 -2
  13. package/dist/core/types.d.ts.map +1 -1
  14. package/dist/core/utils/config.d.ts.map +1 -1
  15. package/dist/core/utils/config.js +10 -1
  16. package/dist/core/utils/config.js.map +1 -1
  17. package/dist/service-registry.d.ts.map +1 -1
  18. package/dist/service-registry.js +20 -0
  19. package/dist/service-registry.js.map +1 -1
  20. package/package.json +1 -1
package/README.md CHANGED
@@ -25,11 +25,12 @@ Agent / OpenClaw Gateway Aquaman Proxy
25
25
  │ (hash-chained log)
26
26
 
27
27
  api.anthropic.com
28
+ api.mistral.ai
28
29
  api.telegram.org
29
30
  slack.com/api ...
30
31
  ```
31
32
 
32
- This package is the right side. A reverse proxy that listens on a Unix domain socket (`~/.aquaman/proxy.sock`) and injects credentials from secure backends. No TCP port, no network exposure. 23 builtin services, four auth modes.
33
+ This package is the right side. A reverse proxy that listens on a Unix domain socket (`~/.aquaman/proxy.sock`) and injects credentials from secure backends. No TCP port, no network exposure. 25 builtin services, six auth modes.
33
34
 
34
35
  ## Quick Start
35
36
 
@@ -44,7 +45,7 @@ openclaw # proxy starts automatically via plugi
44
45
  > `aquaman setup` auto-detects your credential backend. macOS defaults to Keychain,
45
46
  > Linux defaults to encrypted file. Override with `--backend`:
46
47
  > `aquaman setup --backend keepassxc`
47
- > Options: `keychain`, `encrypted-file`, `keepassxc`, `1password`, `vault`, `systemd-creds`
48
+ > Options: `keychain`, `encrypted-file`, `keepassxc`, `1password`, `vault`, `systemd-creds`, `bitwarden`
48
49
 
49
50
  Existing plaintext credentials are migrated automatically during setup.
50
51
  Run again anytime to migrate new credentials: `aquaman migrate openclaw --auto`
@@ -76,15 +77,15 @@ Troubleshooting: `aquaman doctor`
76
77
  | `aquaman audit tail` | Recent audit entries |
77
78
  | `aquaman audit verify` | Verify hash chain integrity |
78
79
 
79
- ## 23 Builtin Services
80
+ ## 25 Builtin Services
80
81
 
81
82
  | Category | Services |
82
83
  |----------|----------|
83
- | **LLM / AI** | Anthropic, OpenAI, GitHub, xAI, Cloudflare AI Gateway |
84
- | **Header** | Slack, Discord, Matrix, Mattermost, LINE, Twitch, Telnyx, ElevenLabs, Zalo |
85
- | **URL-path** | Telegram |
86
- | **HTTP Basic** | Twilio, BlueBubbles, Nextcloud Talk |
87
- | **OAuth** | MS Teams, Feishu, Google Chat |
84
+ | **Providers** | Anthropic, OpenAI, GitHub, xAI, Cloudflare AI Gateway, Mistral, Hugging Face, ElevenLabs |
85
+ | **Channels (header)** | Slack, Discord, Matrix, Mattermost, LINE, Twitch, Telnyx, Zalo |
86
+ | **Channels (URL-path)** | Telegram |
87
+ | **Channels (basic)** | Twilio, BlueBubbles, Nextcloud Talk |
88
+ | **Channels (OAuth)** | MS Teams, Feishu, Google Chat |
88
89
  | **At-rest only** | Nostr, Tlon |
89
90
 
90
91
  ## Documentation
package/dist/cli/index.js CHANGED
@@ -147,7 +147,7 @@ program
147
147
  // Initialize credential store
148
148
  let credentialStore;
149
149
  try {
150
- credentialStore = createCredentialStore({
150
+ credentialStore = await createCredentialStore({
151
151
  backend: config.credentials.backend,
152
152
  encryptionPassword: config.credentials.encryptionPassword,
153
153
  vaultAddress: config.credentials.vaultAddress,
@@ -157,7 +157,10 @@ program
157
157
  onePasswordVault: config.credentials.onePasswordVault,
158
158
  onePasswordAccount: config.credentials.onePasswordAccount,
159
159
  keepassxcDatabasePath: config.credentials.keepassxcDatabasePath,
160
- keepassxcKeyFilePath: config.credentials.keepassxcKeyFilePath
160
+ keepassxcKeyFilePath: config.credentials.keepassxcKeyFilePath,
161
+ bitwardenFolder: config.credentials.bitwardenFolder,
162
+ bitwardenOrganizationId: config.credentials.bitwardenOrganizationId,
163
+ bitwardenCollectionId: config.credentials.bitwardenCollectionId
161
164
  });
162
165
  }
163
166
  catch (err) {
@@ -297,7 +300,7 @@ program
297
300
  // Initialize credential store
298
301
  let credentialStore;
299
302
  try {
300
- credentialStore = createCredentialStore({
303
+ credentialStore = await createCredentialStore({
301
304
  backend: config.credentials.backend,
302
305
  encryptionPassword: config.credentials.encryptionPassword,
303
306
  vaultAddress: config.credentials.vaultAddress,
@@ -307,7 +310,10 @@ program
307
310
  onePasswordVault: config.credentials.onePasswordVault,
308
311
  onePasswordAccount: config.credentials.onePasswordAccount,
309
312
  keepassxcDatabasePath: config.credentials.keepassxcDatabasePath,
310
- keepassxcKeyFilePath: config.credentials.keepassxcKeyFilePath
313
+ keepassxcKeyFilePath: config.credentials.keepassxcKeyFilePath,
314
+ bitwardenFolder: config.credentials.bitwardenFolder,
315
+ bitwardenOrganizationId: config.credentials.bitwardenOrganizationId,
316
+ bitwardenCollectionId: config.credentials.bitwardenCollectionId
311
317
  });
312
318
  }
313
319
  catch (err) {
@@ -365,7 +371,7 @@ program
365
371
  // Initialize credential store
366
372
  let credentialStore;
367
373
  try {
368
- credentialStore = createCredentialStore({
374
+ credentialStore = await createCredentialStore({
369
375
  backend: config.credentials.backend,
370
376
  encryptionPassword: config.credentials.encryptionPassword,
371
377
  vaultAddress: config.credentials.vaultAddress,
@@ -375,7 +381,10 @@ program
375
381
  onePasswordVault: config.credentials.onePasswordVault,
376
382
  onePasswordAccount: config.credentials.onePasswordAccount,
377
383
  keepassxcDatabasePath: config.credentials.keepassxcDatabasePath,
378
- keepassxcKeyFilePath: config.credentials.keepassxcKeyFilePath
384
+ keepassxcKeyFilePath: config.credentials.keepassxcKeyFilePath,
385
+ bitwardenFolder: config.credentials.bitwardenFolder,
386
+ bitwardenOrganizationId: config.credentials.bitwardenOrganizationId,
387
+ bitwardenCollectionId: config.credentials.bitwardenCollectionId
379
388
  });
380
389
  }
381
390
  catch (err) {
@@ -487,7 +496,7 @@ program
487
496
  program
488
497
  .command('setup')
489
498
  .description('All-in-one setup wizard — creates config, stores credentials, installs plugin')
490
- .option('--backend <backend>', 'Credential backend (keychain, encrypted-file, keepassxc, 1password, vault, systemd-creds)')
499
+ .option('--backend <backend>', 'Credential backend (keychain, encrypted-file, keepassxc, 1password, vault, systemd-creds, bitwarden)')
491
500
  .option('--no-openclaw', 'Skip OpenClaw plugin installation')
492
501
  .option('--non-interactive', 'Use environment variables instead of prompts (for CI)')
493
502
  .action(async (options) => {
@@ -533,7 +542,7 @@ program
533
542
  }
534
543
  }
535
544
  // Validate backend
536
- const validBackends = ['keychain', 'encrypted-file', 'keepassxc', '1password', 'vault', 'systemd-creds'];
545
+ const validBackends = ['keychain', 'encrypted-file', 'keepassxc', '1password', 'vault', 'systemd-creds', 'bitwarden'];
537
546
  if (!validBackends.includes(backend)) {
538
547
  console.error(` Invalid backend: ${backend}`);
539
548
  console.error(` Valid options: ${validBackends.join(', ')}`);
@@ -614,6 +623,43 @@ program
614
623
  process.exit(1);
615
624
  }
616
625
  }
626
+ else if (backend === 'bitwarden') {
627
+ try {
628
+ const { execSync } = await import('node:child_process');
629
+ execSync('which bw', { stdio: 'pipe' });
630
+ // Check status
631
+ const statusJson = execSync('bw status', { stdio: 'pipe', encoding: 'utf-8' });
632
+ const status = JSON.parse(statusJson);
633
+ if (status.status === 'unauthenticated') {
634
+ console.error(' Bitwarden CLI is installed but not logged in.');
635
+ console.error(' Run: bw login');
636
+ process.exit(1);
637
+ }
638
+ if (status.status === 'locked') {
639
+ const session = process.env['BW_SESSION'];
640
+ if (!session) {
641
+ console.error(' Bitwarden vault is locked.');
642
+ console.error(' Run: export BW_SESSION=$(bw unlock --raw)');
643
+ process.exit(1);
644
+ }
645
+ // Verify session works
646
+ try {
647
+ execSync('bw sync', { stdio: 'pipe', env: { ...process.env, BW_SESSION: session } });
648
+ }
649
+ catch {
650
+ console.error(' BW_SESSION is invalid or expired.');
651
+ console.error(' Run: export BW_SESSION=$(bw unlock --raw)');
652
+ process.exit(1);
653
+ }
654
+ }
655
+ }
656
+ catch {
657
+ console.error(' Bitwarden CLI not found.');
658
+ console.error(' Install: https://bitwarden.com/help/cli/');
659
+ console.error(' Then: bw login && export BW_SESSION=$(bw unlock --raw)');
660
+ process.exit(1);
661
+ }
662
+ }
617
663
  // 2. Run init internally (create dirs, config)
618
664
  ensureConfigDir();
619
665
  const config = getDefaultConfig();
@@ -625,7 +671,7 @@ program
625
671
  // 3. Prompt for API keys (or read from env in non-interactive mode)
626
672
  let store;
627
673
  try {
628
- store = createCredentialStore({
674
+ store = await createCredentialStore({
629
675
  backend: config.credentials.backend,
630
676
  encryptionPassword: config.credentials.encryptionPassword || process.env['AQUAMAN_ENCRYPTION_PASSWORD'] || process.env['AQUAMAN_KEEPASS_PASSWORD'],
631
677
  vaultAddress: config.credentials.vaultAddress || process.env['VAULT_ADDR'],
@@ -633,7 +679,10 @@ program
633
679
  onePasswordVault: config.credentials.onePasswordVault,
634
680
  onePasswordAccount: config.credentials.onePasswordAccount,
635
681
  keepassxcDatabasePath: config.credentials.keepassxcDatabasePath,
636
- keepassxcKeyFilePath: config.credentials.keepassxcKeyFilePath
682
+ keepassxcKeyFilePath: config.credentials.keepassxcKeyFilePath,
683
+ bitwardenFolder: config.credentials.bitwardenFolder,
684
+ bitwardenOrganizationId: config.credentials.bitwardenOrganizationId,
685
+ bitwardenCollectionId: config.credentials.bitwardenCollectionId
637
686
  });
638
687
  }
639
688
  catch (err) {
@@ -898,7 +947,16 @@ program
898
947
  throw new Error('systemd-creds backend requires systemd >= 256 with --user support');
899
948
  }
900
949
  }
901
- store = createCredentialStore({
950
+ if (config.credentials.backend === 'bitwarden') {
951
+ const { BitwardenStore } = await import('../core/credentials/backends/bitwarden.js');
952
+ if (!BitwardenStore.isAvailable()) {
953
+ throw new Error('Bitwarden CLI (bw) not found. Install: https://bitwarden.com/help/cli/');
954
+ }
955
+ if (!BitwardenStore.isUnlocked()) {
956
+ throw new Error('Bitwarden vault is locked. Run: export BW_SESSION=$(bw unlock --raw)');
957
+ }
958
+ }
959
+ store = await createCredentialStore({
902
960
  backend: config.credentials.backend,
903
961
  encryptionPassword: config.credentials.encryptionPassword,
904
962
  vaultAddress: config.credentials.vaultAddress,
@@ -906,7 +964,10 @@ program
906
964
  onePasswordVault: config.credentials.onePasswordVault,
907
965
  onePasswordAccount: config.credentials.onePasswordAccount,
908
966
  keepassxcDatabasePath: config.credentials.keepassxcDatabasePath,
909
- keepassxcKeyFilePath: config.credentials.keepassxcKeyFilePath
967
+ keepassxcKeyFilePath: config.credentials.keepassxcKeyFilePath,
968
+ bitwardenFolder: config.credentials.bitwardenFolder,
969
+ bitwardenOrganizationId: config.credentials.bitwardenOrganizationId,
970
+ bitwardenCollectionId: config.credentials.bitwardenCollectionId
910
971
  });
911
972
  // 3. Count credentials
912
973
  const creds = await store.list();
@@ -1266,7 +1327,7 @@ credentials
1266
1327
  const backend = options.backend || config.credentials.backend;
1267
1328
  let store;
1268
1329
  try {
1269
- store = createCredentialStore({
1330
+ store = await createCredentialStore({
1270
1331
  backend,
1271
1332
  encryptionPassword: config.credentials.encryptionPassword,
1272
1333
  vaultAddress: config.credentials.vaultAddress,
@@ -1276,7 +1337,10 @@ credentials
1276
1337
  onePasswordVault: config.credentials.onePasswordVault,
1277
1338
  onePasswordAccount: config.credentials.onePasswordAccount,
1278
1339
  keepassxcDatabasePath: config.credentials.keepassxcDatabasePath,
1279
- keepassxcKeyFilePath: config.credentials.keepassxcKeyFilePath
1340
+ keepassxcKeyFilePath: config.credentials.keepassxcKeyFilePath,
1341
+ bitwardenFolder: config.credentials.bitwardenFolder,
1342
+ bitwardenOrganizationId: config.credentials.bitwardenOrganizationId,
1343
+ bitwardenCollectionId: config.credentials.bitwardenCollectionId
1280
1344
  });
1281
1345
  }
1282
1346
  catch (error) {
@@ -1322,7 +1386,7 @@ credentials
1322
1386
  const config = loadConfig();
1323
1387
  let store;
1324
1388
  try {
1325
- store = createCredentialStore({
1389
+ store = await createCredentialStore({
1326
1390
  backend: config.credentials.backend,
1327
1391
  encryptionPassword: config.credentials.encryptionPassword,
1328
1392
  vaultAddress: config.credentials.vaultAddress,
@@ -1330,7 +1394,10 @@ credentials
1330
1394
  onePasswordVault: config.credentials.onePasswordVault,
1331
1395
  onePasswordAccount: config.credentials.onePasswordAccount,
1332
1396
  keepassxcDatabasePath: config.credentials.keepassxcDatabasePath,
1333
- keepassxcKeyFilePath: config.credentials.keepassxcKeyFilePath
1397
+ keepassxcKeyFilePath: config.credentials.keepassxcKeyFilePath,
1398
+ bitwardenFolder: config.credentials.bitwardenFolder,
1399
+ bitwardenOrganizationId: config.credentials.bitwardenOrganizationId,
1400
+ bitwardenCollectionId: config.credentials.bitwardenCollectionId
1334
1401
  });
1335
1402
  }
1336
1403
  catch {
@@ -1354,7 +1421,7 @@ credentials
1354
1421
  const config = loadConfig();
1355
1422
  let store;
1356
1423
  try {
1357
- store = createCredentialStore({
1424
+ store = await createCredentialStore({
1358
1425
  backend: config.credentials.backend,
1359
1426
  encryptionPassword: config.credentials.encryptionPassword,
1360
1427
  vaultAddress: config.credentials.vaultAddress,
@@ -1362,7 +1429,10 @@ credentials
1362
1429
  onePasswordVault: config.credentials.onePasswordVault,
1363
1430
  onePasswordAccount: config.credentials.onePasswordAccount,
1364
1431
  keepassxcDatabasePath: config.credentials.keepassxcDatabasePath,
1365
- keepassxcKeyFilePath: config.credentials.keepassxcKeyFilePath
1432
+ keepassxcKeyFilePath: config.credentials.keepassxcKeyFilePath,
1433
+ bitwardenFolder: config.credentials.bitwardenFolder,
1434
+ bitwardenOrganizationId: config.credentials.bitwardenOrganizationId,
1435
+ bitwardenCollectionId: config.credentials.bitwardenCollectionId
1366
1436
  });
1367
1437
  }
1368
1438
  catch {
@@ -1380,7 +1450,7 @@ credentials
1380
1450
  credentials
1381
1451
  .command('guide')
1382
1452
  .description('Show setup commands for seeding credentials based on your backend')
1383
- .option('--backend <backend>', 'Override backend (keychain, encrypted-file, vault, 1password)')
1453
+ .option('--backend <backend>', 'Override backend (keychain, encrypted-file, keepassxc, 1password, vault, systemd-creds, bitwarden)')
1384
1454
  .option('--service <name>', 'Show commands for a single service only')
1385
1455
  .action(async (options) => {
1386
1456
  const config = loadConfig();
@@ -1701,7 +1771,7 @@ migrate
1701
1771
  // Migrate
1702
1772
  let store;
1703
1773
  try {
1704
- store = createCredentialStore({
1774
+ store = await createCredentialStore({
1705
1775
  backend: appConfig.credentials.backend,
1706
1776
  encryptionPassword: appConfig.credentials.encryptionPassword,
1707
1777
  vaultAddress: appConfig.credentials.vaultAddress,
@@ -1855,7 +1925,7 @@ migrate
1855
1925
  if (opts.dryRun) {
1856
1926
  console.log('(dry run - no credentials will be written)\n');
1857
1927
  }
1858
- const store = createCredentialStore({
1928
+ const store = await createCredentialStore({
1859
1929
  backend: appConfig.credentials.backend,
1860
1930
  encryptionPassword: appConfig.credentials.encryptionPassword,
1861
1931
  vaultAddress: appConfig.credentials.vaultAddress,
@@ -1911,7 +1981,7 @@ program
1911
1981
  }
1912
1982
  // Check for stored credentials
1913
1983
  try {
1914
- const store = createCredentialStore({
1984
+ const store = await createCredentialStore({
1915
1985
  backend: config.credentials.backend,
1916
1986
  encryptionPassword: config.credentials.encryptionPassword,
1917
1987
  vaultAddress: config.credentials.vaultAddress,
@@ -1919,7 +1989,10 @@ program
1919
1989
  onePasswordVault: config.credentials.onePasswordVault,
1920
1990
  onePasswordAccount: config.credentials.onePasswordAccount,
1921
1991
  keepassxcDatabasePath: config.credentials.keepassxcDatabasePath,
1922
- keepassxcKeyFilePath: config.credentials.keepassxcKeyFilePath
1992
+ keepassxcKeyFilePath: config.credentials.keepassxcKeyFilePath,
1993
+ bitwardenFolder: config.credentials.bitwardenFolder,
1994
+ bitwardenOrganizationId: config.credentials.bitwardenOrganizationId,
1995
+ bitwardenCollectionId: config.credentials.bitwardenCollectionId
1923
1996
  });
1924
1997
  const creds = await store.list();
1925
1998
  console.log(`\nStored credentials: ${creds.length}`);