npm - clawdi - Versions diffs - 0.6.0 → 0.7.0 - Mend

clawdi 0.6.0 → 0.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -74,7 +74,7 @@ Clawdi is the shared layer underneath:
 - **Portable skills** — Upload or install agent instructions once, then sync them into every registered agent.
 - **Project sharing** — Share read-only Project access, accept it from the CLI inbox, and explicitly attach accepted Projects to Agents when they should be used at runtime.
 - **Session sync** — Push local session history to the dashboard for review and recall.
-- **Vault secrets** — Store secrets server-side and inject them only when running a command.
+- **Vault secrets** — Store secrets server-side, commit only `clawdi://` references, and resolve them at runtime.
 - **App connections** — Hook agents into Notion, Gmail, Drive, Calendar, Linear, GitHub, and more from the dashboard. Tools show up inside every connected agent automatically over MCP.
 - **MCP tools** — Memory, vault, and connector tools served through the Model Context Protocol so any MCP-aware agent can use them.
@@ -86,13 +86,39 @@ remember that this repo uses Bun for TypeScript and PDM for backend scripts
 Later, in a different agent or a fresh session, ask "what package manager should I use here?" — it can call Clawdi memory search and answer from your actual context instead of guessing.
-Run a command with vault secrets without putting them on disk:
+Run a fullstack dev command with vault references without putting plaintext secrets on disk:
 ```bash
 clawdi vault set OPENAI_API_KEY
-clawdi run -- python scripts/ingest.py
+echo "OPENAI_API_KEY=clawdi://project/<project-id>/vault/default/field/OPENAI_API_KEY" > .env.clawdi
+clawdi run --dry-run --env-file .env.clawdi -- npm run dev
+clawdi run --env-file .env.clawdi -- npm run dev
+clawdi read clawdi://project/<project-id>/vault/default/field/OPENAI_API_KEY
+clawdi inject --dry-run --in .env.clawdi --out .env.local
+clawdi inject --force --in .env.clawdi --out .env.local
 ```
+`clawdi vault set`, `clawdi vault import`, and `clawdi vault list` print exact references that include the Project ID. Project-relative references such as `clawdi://default/OPENAI_API_KEY` still work for portable templates, but exact references are the default copy/read UX.
+Agents should prefer `clawdi run --env-file .env.clawdi -- <command>` when they can launch the tool themselves. Use `clawdi inject` only for tools that must read a physical `.env.local`; generated files are written owner-only and should stay gitignored.
+Use `--dry-run` on `clawdi read`, `clawdi inject`, `clawdi run`, and `clawdi vault resolve` to verify provenance without requesting plaintext values. `clawdi doctor` checks vault metadata only; it does not resolve stored secrets.
+Sync a local agent CLI credential profile to another machine:
+```bash
+clawdi agent credentials import codex
+clawdi agent credentials import claude-code
+clawdi agent credentials import gh
+clawdi agent credentials materialize codex
+clawdi agent credentials materialize claude-code
+clawdi agent credentials materialize gh
+```
+Credential profile sync is separate from `clawdi run`: it stores and restores a supported tool's local auth file, while `run` injects explicit `clawdi://` references into one child process. Profiles default to your stable Personal Project so `import` on one machine and `materialize` on another resolve the same namespace. They are personal backup/restore artifacts: shared Project viewers and env-bound Agent keys cannot materialize them. macOS Keychain imports are guarded behind `--source keychain` and require explicit `--keychain-service` plus `--keychain-account`; Clawdi does not guess or silently scrape credential-store items, and Keychain reads cannot use `--yes`.
+Current vault storage is server-managed encryption. Clawdi avoids plaintext secrets in repo files and local templates, but the backend can decrypt stored vault values and credential profiles today. Do not treat this release as zero-knowledge.
 Install a shared skill into every registered agent at once:
 ```bash
@@ -225,9 +251,12 @@ Each agent has a dedicated adapter in [`packages/cli/src/adapters`](https://gith
 | `clawdi project create/list/show/share/share-links/invite/invites/members/leave/unshare` | Manage Projects and read-only sharing |
 | `clawdi inbox [accept/decline/forget]` | Accept invitations and share links |
 | `clawdi agent projects list/attach/detach/move` | View the fixed Agent Project and manage attached Projects |
-| `clawdi project folder link/status/unlink` | Link a local folder to a Project for `clawdi run` vault selection |
-| `clawdi vault set/list/import` | Manage encrypted secrets |
-| `clawdi run -- <cmd>` | Run a command with vault secrets injected |
+| `clawdi agent credentials import/materialize` | Sync local CLI credential profiles for Codex, Claude Code, and GitHub CLI; explicit Keychain import requires service/account options |
+| `clawdi project folder link/status/unlink` | Link a local folder to a Project for vault reference selection |
+| `clawdi vault set/list/import` | Manage encrypted secrets and copy exact references |
+| `clawdi read <clawdi://...>` | Explicitly print one vault reference value |
+| `clawdi inject --in <file> --out <file>` | Render `clawdi://` references into templates |
+| `clawdi run --env-file <file> -- <cmd>` | Run a command with explicit vault references resolved |
 | `clawdi doctor` | Diagnose auth, agent paths, vault, and MCP config |
 | `clawdi update` | Check for a newer CLI version |
 | `clawdi mcp` | Start the MCP stdio server used by agents |