opencode-varlock 0.0.1

package/dist/config.d.ts

@@ -0,0 +1,40 @@
+/**
+ * Configuration system for opencode-varlock.
+ *
+ * Resolution order (last wins):
+ *   1. Built-in defaults
+ *   2. varlock.config.json in project root
+ *   3. .opencode/varlock.config.json
+ *   4. Programmatic options passed to createVarlockPlugin()
+ */
+export type GuardConfig = {
+    enabled: boolean;
+    sensitivePatterns: string[];
+    sensitiveGlobs: string[];
+    bashDenyPatterns: string[];
+    blockedReadTools: string[];
+    blockedWriteTools: string[];
+};
+export type EnvConfig = {
+    enabled: boolean;
+    allowedRoot: string;
+};
+export type VarlockConfig = {
+    enabled: boolean;
+    autoDetect: boolean;
+    command: string;
+    namespace: string;
+};
+export type PluginConfig = {
+    guard: GuardConfig;
+    env: EnvConfig;
+    varlock: VarlockConfig;
+};
+export declare const DEFAULT_CONFIG: PluginConfig;
+export declare function loadConfig(cwd: string, overrides?: DeepPartial<PluginConfig>): PluginConfig;
+type DeepPartial<T> = {
+    [K in keyof T]?: T[K] extends object ? DeepPartial<T[K]> : T[K];
+};
+export declare function deepMerge<T extends Record<string, any>>(target: T, source: DeepPartial<T>): T;
+export type { DeepPartial };
+//# sourceMappingURL=config.d.ts.map

package/dist/config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAKH,MAAM,MAAM,WAAW,GAAG;IACxB,OAAO,EAAE,OAAO,CAAA;IAChB,iBAAiB,EAAE,MAAM,EAAE,CAAA;IAC3B,cAAc,EAAE,MAAM,EAAE,CAAA;IACxB,gBAAgB,EAAE,MAAM,EAAE,CAAA;IAC1B,gBAAgB,EAAE,MAAM,EAAE,CAAA;IAC1B,iBAAiB,EAAE,MAAM,EAAE,CAAA;CAC5B,CAAA;AAED,MAAM,MAAM,SAAS,GAAG;IACtB,OAAO,EAAE,OAAO,CAAA;IAChB,WAAW,EAAE,MAAM,CAAA;CACpB,CAAA;AAED,MAAM,MAAM,aAAa,GAAG;IAC1B,OAAO,EAAE,OAAO,CAAA;IAChB,UAAU,EAAE,OAAO,CAAA;IACnB,OAAO,EAAE,MAAM,CAAA;IACf,SAAS,EAAE,MAAM,CAAA;CAClB,CAAA;AAED,MAAM,MAAM,YAAY,GAAG;IACzB,KAAK,EAAE,WAAW,CAAA;IAClB,GAAG,EAAE,SAAS,CAAA;IACd,OAAO,EAAE,aAAa,CAAA;CACvB,CAAA;AAED,eAAO,MAAM,cAAc,EAAE,YAqC5B,CAAA;AAOD,wBAAgB,UAAU,CACxB,GAAG,EAAE,MAAM,EACX,SAAS,GAAE,WAAW,CAAC,YAAY,CAAM,GACxC,YAAY,CA8Bd;AAED,KAAK,WAAW,CAAC,CAAC,IAAI;KACnB,CAAC,IAAI,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,SAAS,MAAM,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;CAChE,CAAA;AAED,wBAAgB,SAAS,CAAC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EACrD,MAAM,EAAE,CAAC,EACT,MAAM,EAAE,WAAW,CAAC,CAAC,CAAC,GACrB,CAAC,CAyBH;AAED,YAAY,EAAE,WAAW,EAAE,CAAA"}

package/dist/config.js

@@ -0,0 +1,105 @@
+/**
+ * Configuration system for opencode-varlock.
+ *
+ * Resolution order (last wins):
+ *   1. Built-in defaults
+ *   2. varlock.config.json in project root
+ *   3. .opencode/varlock.config.json
+ *   4. Programmatic options passed to createVarlockPlugin()
+ */
+import { existsSync, readFileSync } from "fs";
+import { resolve } from "path";
+export const DEFAULT_CONFIG = {
+    guard: {
+        enabled: true,
+        sensitivePatterns: [
+            ".env",
+            ".secret",
+            ".pem",
+            ".key",
+            "credentials",
+            ".pgpass",
+        ],
+        sensitiveGlobs: [
+            "**/.env",
+            "**/.env.*",
+            "**/.env.local",
+            "**/.env.production",
+            "**/*.pem",
+            "**/*.key",
+            "**/credentials",
+            "**/credentials.*",
+            "**/.pgpass",
+            "secrets/**",
+        ],
+        bashDenyPatterns: [],
+        blockedReadTools: ["read", "grep", "glob", "view"],
+        blockedWriteTools: ["write", "edit"],
+    },
+    env: {
+        enabled: true,
+        allowedRoot: ".",
+    },
+    varlock: {
+        enabled: false,
+        autoDetect: true,
+        command: "varlock",
+        namespace: "app",
+    },
+};
+const CONFIG_FILENAMES = [
+    "varlock.config.json",
+    ".opencode/varlock.config.json",
+];
+export function loadConfig(cwd, overrides = {}) {
+    let merged = structuredClone(DEFAULT_CONFIG);
+    for (const filename of CONFIG_FILENAMES) {
+        const filepath = resolve(cwd, filename);
+        if (existsSync(filepath)) {
+            try {
+                const raw = readFileSync(filepath, "utf-8");
+                const parsed = JSON.parse(raw);
+                delete parsed.$schema;
+                delete parsed.$comment;
+                merged = deepMerge(merged, parsed);
+                console.log(`[varlock] Loaded config from ${filepath}`);
+            }
+            catch (err) {
+                console.warn(`[varlock] Failed to parse ${filepath}: ${err.message}`);
+            }
+        }
+    }
+    merged = deepMerge(merged, overrides);
+    if (merged.env.allowedRoot && !resolve(merged.env.allowedRoot).startsWith("/")) {
+        merged.env.allowedRoot = resolve(cwd, merged.env.allowedRoot);
+    }
+    else if (merged.env.allowedRoot) {
+        merged.env.allowedRoot = resolve(merged.env.allowedRoot);
+    }
+    return merged;
+}
+export function deepMerge(target, source) {
+    const result = { ...target };
+    for (const key of Object.keys(source)) {
+        const srcVal = source[key];
+        if (srcVal === undefined || srcVal === null)
+            continue;
+        if (Array.isArray(srcVal)) {
+            ;
+            result[key] = [...srcVal];
+        }
+        else if (typeof srcVal === "object" &&
+            !Array.isArray(srcVal) &&
+            typeof result[key] === "object" &&
+            !Array.isArray(result[key])) {
+            ;
+            result[key] = deepMerge(result[key], srcVal);
+        }
+        else {
+            ;
+            result[key] = srcVal;
+        }
+    }
+    return result;
+}
+//# sourceMappingURL=config.js.map

package/dist/config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,MAAM,IAAI,CAAA;AAC7C,OAAO,EAAE,OAAO,EAAE,MAAM,MAAM,CAAA;AA6B9B,MAAM,CAAC,MAAM,cAAc,GAAiB;IAC1C,KAAK,EAAE;QACL,OAAO,EAAE,IAAI;QACb,iBAAiB,EAAE;YACjB,MAAM;YACN,SAAS;YACT,MAAM;YACN,MAAM;YACN,aAAa;YACb,SAAS;SACV;QACD,cAAc,EAAE;YACd,SAAS;YACT,WAAW;YACX,eAAe;YACf,oBAAoB;YACpB,UAAU;YACV,UAAU;YACV,gBAAgB;YAChB,kBAAkB;YAClB,YAAY;YACZ,YAAY;SACb;QACD,gBAAgB,EAAE,EAAE;QACpB,gBAAgB,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;QAClD,iBAAiB,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC;KACrC;IACD,GAAG,EAAE;QACH,OAAO,EAAE,IAAI;QACb,WAAW,EAAE,GAAG;KACjB;IACD,OAAO,EAAE;QACP,OAAO,EAAE,KAAK;QACd,UAAU,EAAE,IAAI;QAChB,OAAO,EAAE,SAAS;QAClB,SAAS,EAAE,KAAK;KACjB;CACF,CAAA;AAED,MAAM,gBAAgB,GAAG;IACvB,qBAAqB;IACrB,+BAA+B;CAChC,CAAA;AAED,MAAM,UAAU,UAAU,CACxB,GAAW,EACX,YAAuC,EAAE;IAEzC,IAAI,MAAM,GAAG,eAAe,CAAC,cAAc,CAAC,CAAA;IAE5C,KAAK,MAAM,QAAQ,IAAI,gBAAgB,EAAE,CAAC;QACxC,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAA;QACvC,IAAI,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;YACzB,IAAI,CAAC;gBACH,MAAM,GAAG,GAAG,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAA;gBAC3C,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;gBAE9B,OAAO,MAAM,CAAC,OAAO,CAAA;gBACrB,OAAO,MAAM,CAAC,QAAQ,CAAA;gBAEtB,MAAM,GAAG,SAAS,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;gBAClC,OAAO,CAAC,GAAG,CAAC,gCAAgC,QAAQ,EAAE,CAAC,CAAA;YACzD,CAAC;YAAC,OAAO,GAAQ,EAAE,CAAC;gBAClB,OAAO,CAAC,IAAI,CAAC,6BAA6B,QAAQ,KAAK,GAAG,CAAC,OAAO,EAAE,CAAC,CAAA;YACvE,CAAC;QACH,CAAC;IACH,CAAC;IAED,MAAM,GAAG,SAAS,CAAC,MAAM,EAAE,SAAgB,CAAC,CAAA;IAE5C,IAAI,MAAM,CAAC,GAAG,CAAC,WAAW,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QAC/E,MAAM,CAAC,GAAG,CAAC,WAAW,GAAG,OAAO,CAAC,GAAG,EAAE,MAAM,CAAC,GAAG,CAAC,WAAW,CAAC,CAAA;IAC/D,CAAC;SAAM,IAAI,MAAM,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC;QAClC,MAAM,CAAC,GAAG,CAAC,WAAW,GAAG,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,WAAW,CAAC,CAAA;IAC1D,CAAC;IAED,OAAO,MAAM,CAAA;AACf,CAAC;AAMD,MAAM,UAAU,SAAS,CACvB,MAAS,EACT,MAAsB;IAEtB,MAAM,MAAM,GAAG,EAAE,GAAG,MAAM,EAAE,CAAA;IAE5B,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,CAAmB,EAAE,CAAC;QACxD,MAAM,MAAM,GAAG,MAAM,CAAC,GAAG,CAAC,CAAA;QAC1B,IAAI,MAAM,KAAK,SAAS,IAAI,MAAM,KAAK,IAAI;YAAE,SAAQ;QAErD,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;YAC1B,CAAC;YAAC,MAAc,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,MAAM,CAAC,CAAA;QACrC,CAAC;aAAM,IACL,OAAO,MAAM,KAAK,QAAQ;YAC1B,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC;YACtB,OAAO,MAAM,CAAC,GAAG,CAAC,KAAK,QAAQ;YAC/B,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,EAC3B,CAAC;YACD,CAAC;YAAC,MAAc,CAAC,GAAG,CAAC,GAAG,SAAS,CAC/B,MAAM,CAAC,GAAG,CAAwB,EAClC,MAA6B,CAC9B,CAAA;QACH,CAAC;aAAM,CAAC;YACN,CAAC;YAAC,MAAc,CAAC,GAAG,CAAC,GAAG,MAAM,CAAA;QAChC,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAA;AACf,CAAC"}

package/dist/guard.d.ts

@@ -0,0 +1,15 @@
+/**
+ * EnvGuard - tool.execute.before hook that prevents agents from
+ * reading sensitive files or running commands that expose secrets.
+ */
+import type { GuardConfig } from "./config.js";
+export type { GuardConfig } from "./config.js";
+type ToolInput = {
+    tool: string;
+};
+type ToolOutput = {
+    args: Record<string, any>;
+};
+export declare function createEnvGuard(config: GuardConfig): (input: ToolInput, output: ToolOutput) => Promise<void>;
+export declare function globToRegex(glob: string): RegExp;
+//# sourceMappingURL=guard.d.ts.map

package/dist/guard.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"guard.d.ts","sourceRoot":"","sources":["../src/guard.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,aAAa,CAAA;AAE9C,YAAY,EAAE,WAAW,EAAE,MAAM,aAAa,CAAA;AAsC9C,KAAK,SAAS,GAAG;IAAE,IAAI,EAAE,MAAM,CAAA;CAAE,CAAA;AACjC,KAAK,UAAU,GAAG;IAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAA;CAAE,CAAA;AAG/C,wBAAgB,cAAc,CAC5B,MAAM,EAAE,WAAW,GAClB,CAAC,KAAK,EAAE,SAAS,EAAE,MAAM,EAAE,UAAU,KAAK,OAAO,CAAC,IAAI,CAAC,CA8EzD;AAsBD,wBAAgB,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAuChD"}

package/dist/guard.js

@@ -0,0 +1,163 @@
+/**
+ * EnvGuard - tool.execute.before hook that prevents agents from
+ * reading sensitive files or running commands that expose secrets.
+ */
+const BUILTIN_BASH_DENY = [
+    "cat .env",
+    "less .env",
+    "more .env",
+    "head .env",
+    "tail .env",
+    "bat .env",
+    "nano .env",
+    "vim .env",
+    "vi .env",
+    "code .env",
+    "printenv",
+    "echo $",
+    'echo "$',
+    "printf '%s' $",
+    "env |",
+    "env\n",
+    "export -p",
+    "declare -x",
+    "process.env",
+    "os.environ",
+    "dotenv",
+    "source .env",
+    ". .env",
+    "set -a",
+    "grep .env",
+    "rg .env",
+    "ag .env",
+    "ack .env",
+    "find . -name .env",
+    "find . -name '*.env'",
+    'find . -name "*.env"',
+    "curl.*env",
+    "wget.*env",
+];
+export function createEnvGuard(config) {
+    const { sensitivePatterns, sensitiveGlobs, bashDenyPatterns, blockedReadTools, blockedWriteTools, } = config;
+    const bashDeny = [...BUILTIN_BASH_DENY, ...bashDenyPatterns];
+    const compiledGlobs = sensitiveGlobs.map((g) => ({
+        source: g,
+        regex: globToRegex(g),
+    }));
+    return async (input, output) => {
+        const args = output.args;
+        if (blockedReadTools.includes(input.tool)) {
+            const target = args.filePath ?? args.path ?? args.pattern ?? args.file ?? "";
+            if (target && isSensitive(target, sensitivePatterns, compiledGlobs)) {
+                throw new Error(`[varlock] Blocked: cannot directly read "${target}". ` +
+                    `Use the load_env or load_secrets tool instead.`);
+            }
+        }
+        if (blockedWriteTools.includes(input.tool)) {
+            const target = args.filePath ?? args.path ?? args.file ?? "";
+            if (target && isSensitive(target, sensitivePatterns, compiledGlobs)) {
+                throw new Error(`[varlock] Blocked: cannot write to "${target}". ` +
+                    `Secret files are managed outside the agent's scope.`);
+            }
+        }
+        if (input.tool === "bash") {
+            const cmd = String(args.command ?? "").toLowerCase();
+            for (const pattern of bashDeny) {
+                if (cmd.includes(pattern.toLowerCase())) {
+                    throw new Error(`[varlock] Blocked: bash command matches deny pattern "${pattern}". ` +
+                        `Use the load_env or load_secrets tool to access secrets.`);
+                }
+            }
+            for (const sp of sensitivePatterns) {
+                const fileAccessRe = new RegExp(`(cat|less|more|head|tail|bat|vim?|nano|code|type|get-content|select-string)\\s+\\S*${escapeRegex(sp)}`, "i");
+                if (fileAccessRe.test(String(args.command ?? ""))) {
+                    throw new Error(`[varlock] Blocked: bash command appears to read a sensitive file (*${sp}*). ` +
+                        `Use the load_env or load_secrets tool instead.`);
+                }
+            }
+            if (compiledGlobs.length > 0) {
+                const tokens = extractPathTokens(String(args.command ?? ""));
+                for (const token of tokens) {
+                    for (const { source, regex } of compiledGlobs) {
+                        if (regex.test(token)) {
+                            throw new Error(`[varlock] Blocked: bash command references "${token}" which matches glob "${source}". ` +
+                                `Use the load_env or load_secrets tool instead.`);
+                        }
+                    }
+                }
+            }
+        }
+    };
+}
+function isSensitive(path, patterns, globs) {
+    const lower = path.toLowerCase();
+    if (patterns.some((p) => lower.includes(p.toLowerCase()))) {
+        return true;
+    }
+    for (const { regex } of globs) {
+        if (regex.test(path) || regex.test(lower)) {
+            return true;
+        }
+    }
+    return false;
+}
+export function globToRegex(glob) {
+    let result = "";
+    let i = 0;
+    while (i < glob.length) {
+        const ch = glob[i];
+        if (ch === "*") {
+            if (glob[i + 1] === "*") {
+                if (glob[i + 2] === "/") {
+                    result += "(?:.*/)?";
+                    i += 3;
+                }
+                else {
+                    result += ".*";
+                    i += 2;
+                }
+            }
+            else {
+                result += "[^/]*";
+                i++;
+            }
+        }
+        else if (ch === "?") {
+            result += "[^/]";
+            i++;
+        }
+        else if (ch === ".") {
+            result += "\\.";
+            i++;
+        }
+        else if (ch === "/" || ch === "\\") {
+            result += "[\\\\/]";
+            i++;
+        }
+        else if ("(){}[]^$+|".includes(ch)) {
+            result += "\\" + ch;
+            i++;
+        }
+        else {
+            result += ch;
+            i++;
+        }
+    }
+    return new RegExp(`^${result}$`, "i");
+}
+function extractPathTokens(cmd) {
+    const tokenRe = /(?:^|\s)((?:\.{0,2}\/)?[a-zA-Z0-9_./-]+\.[a-zA-Z0-9_.*]+)/g;
+    const tokens = [];
+    let match;
+    while ((match = tokenRe.exec(cmd)) !== null) {
+        const token = match[1].trim();
+        if (token.length > 1 && !token.startsWith("-")) {
+            tokens.push(token);
+        }
+    }
+    return tokens;
+}
+function escapeRegex(s) {
+    return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+//# sourceMappingURL=guard.js.map

package/dist/guard.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"guard.js","sourceRoot":"","sources":["../src/guard.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAMH,MAAM,iBAAiB,GAAG;IACxB,UAAU;IACV,WAAW;IACX,WAAW;IACX,WAAW;IACX,WAAW;IACX,UAAU;IACV,WAAW;IACX,UAAU;IACV,SAAS;IACT,WAAW;IACX,UAAU;IACV,QAAQ;IACR,SAAS;IACT,eAAe;IACf,OAAO;IACP,OAAO;IACP,WAAW;IACX,YAAY;IACZ,aAAa;IACb,YAAY;IACZ,QAAQ;IACR,aAAa;IACb,QAAQ;IACR,QAAQ;IACR,WAAW;IACX,SAAS;IACT,SAAS;IACT,UAAU;IACV,mBAAmB;IACnB,sBAAsB;IACtB,sBAAsB;IACtB,WAAW;IACX,WAAW;CACZ,CAAA;AAMD,MAAM,UAAU,cAAc,CAC5B,MAAmB;IAEnB,MAAM,EACJ,iBAAiB,EACjB,cAAc,EACd,gBAAgB,EAChB,gBAAgB,EAChB,iBAAiB,GAClB,GAAG,MAAM,CAAA;IAEV,MAAM,QAAQ,GAAG,CAAC,GAAG,iBAAiB,EAAE,GAAG,gBAAgB,CAAC,CAAA;IAC5D,MAAM,aAAa,GAAG,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QAC/C,MAAM,EAAE,CAAC;QACT,KAAK,EAAE,WAAW,CAAC,CAAC,CAAC;KACtB,CAAC,CAAC,CAAA;IAEH,OAAO,KAAK,EAAE,KAAgB,EAAE,MAAkB,EAAE,EAAE;QACpD,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAA;QAExB,IAAI,gBAAgB,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;YAC1C,MAAM,MAAM,GAAG,IAAI,CAAC,QAAQ,IAAI,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC,IAAI,IAAI,EAAE,CAAA;YAC5E,IAAI,MAAM,IAAI,WAAW,CAAC,MAAM,EAAE,iBAAiB,EAAE,aAAa,CAAC,EAAE,CAAC;gBACpE,MAAM,IAAI,KAAK,CACb,4CAA4C,MAAM,KAAK;oBACrD,gDAAgD,CACnD,CAAA;YACH,CAAC;QACH,CAAC;QAED,IAAI,iBAAiB,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3C,MAAM,MAAM,GAAG,IAAI,CAAC,QAAQ,IAAI,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,IAAI,IAAI,EAAE,CAAA;YAC5D,IAAI,MAAM,IAAI,WAAW,CAAC,MAAM,EAAE,iBAAiB,EAAE,aAAa,CAAC,EAAE,CAAC;gBACpE,MAAM,IAAI,KAAK,CACb,uCAAuC,MAAM,KAAK;oBAChD,qDAAqD,CACxD,CAAA;YACH,CAAC;QACH,CAAC;QAED,IAAI,KAAK,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;YAC1B,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAA;YAEpD,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;gBAC/B,IAAI,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;oBACxC,MAAM,IAAI,KAAK,CACb,yDAAyD,OAAO,KAAK;wBACnE,0DAA0D,CAC7D,CAAA;gBACH,CAAC;YACH,CAAC;YAED,KAAK,MAAM,EAAE,IAAI,iBAAiB,EAAE,CAAC;gBACnC,MAAM,YAAY,GAAG,IAAI,MAAM,CAC7B,sFAAsF,WAAW,CAAC,EAAE,CAAC,EAAE,EACvG,GAAG,CACJ,CAAA;gBACD,IAAI,YAAY,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC,EAAE,CAAC;oBAClD,MAAM,IAAI,KAAK,CACb,sEAAsE,EAAE,MAAM;wBAC5E,gDAAgD,CACnD,CAAA;gBACH,CAAC;YACH,CAAC;YAED,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC7B,MAAM,MAAM,GAAG,iBAAiB,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC,CAAA;gBAC5D,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;oBAC3B,KAAK,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,aAAa,EAAE,CAAC;wBAC9C,IAAI,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;4BACtB,MAAM,IAAI,KAAK,CACb,+CAA+C,KAAK,yBAAyB,MAAM,KAAK;gCACtF,gDAAgD,CACnD,CAAA;wBACH,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC,CAAA;AACH,CAAC;AAED,SAAS,WAAW,CAClB,IAAY,EACZ,QAAkB,EAClB,KAAqB;IAErB,MAAM,KAAK,GAAG,IAAI,CAAC,WAAW,EAAE,CAAA;IAEhC,IAAI,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,EAAE,CAAC;QAC1D,OAAO,IAAI,CAAA;IACb,CAAC;IAED,KAAK,MAAM,EAAE,KAAK,EAAE,IAAI,KAAK,EAAE,CAAC;QAC9B,IAAI,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;YAC1C,OAAO,IAAI,CAAA;QACb,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAA;AACd,CAAC;AAED,MAAM,UAAU,WAAW,CAAC,IAAY;IACtC,IAAI,MAAM,GAAG,EAAE,CAAA;IACf,IAAI,CAAC,GAAG,CAAC,CAAA;IAET,OAAO,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC;QACvB,MAAM,EAAE,GAAG,IAAI,CAAC,CAAC,CAAC,CAAA;QAElB,IAAI,EAAE,KAAK,GAAG,EAAE,CAAC;YACf,IAAI,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,GAAG,EAAE,CAAC;gBACxB,IAAI,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,GAAG,EAAE,CAAC;oBACxB,MAAM,IAAI,UAAU,CAAA;oBACpB,CAAC,IAAI,CAAC,CAAA;gBACR,CAAC;qBAAM,CAAC;oBACN,MAAM,IAAI,IAAI,CAAA;oBACd,CAAC,IAAI,CAAC,CAAA;gBACR,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,MAAM,IAAI,OAAO,CAAA;gBACjB,CAAC,EAAE,CAAA;YACL,CAAC;QACH,CAAC;aAAM,IAAI,EAAE,KAAK,GAAG,EAAE,CAAC;YACtB,MAAM,IAAI,MAAM,CAAA;YAChB,CAAC,EAAE,CAAA;QACL,CAAC;aAAM,IAAI,EAAE,KAAK,GAAG,EAAE,CAAC;YACtB,MAAM,IAAI,KAAK,CAAA;YACf,CAAC,EAAE,CAAA;QACL,CAAC;aAAM,IAAI,EAAE,KAAK,GAAG,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC;YACrC,MAAM,IAAI,SAAS,CAAA;YACnB,CAAC,EAAE,CAAA;QACL,CAAC;aAAM,IAAI,YAAY,CAAC,QAAQ,CAAC,EAAE,CAAC,EAAE,CAAC;YACrC,MAAM,IAAI,IAAI,GAAG,EAAE,CAAA;YACnB,CAAC,EAAE,CAAA;QACL,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,EAAE,CAAA;YACZ,CAAC,EAAE,CAAA;QACL,CAAC;IACH,CAAC;IAED,OAAO,IAAI,MAAM,CAAC,IAAI,MAAM,GAAG,EAAE,GAAG,CAAC,CAAA;AACvC,CAAC;AAED,SAAS,iBAAiB,CAAC,GAAW;IACpC,MAAM,OAAO,GAAG,4DAA4D,CAAA;IAC5E,MAAM,MAAM,GAAa,EAAE,CAAA;IAC3B,IAAI,KAA6B,CAAA;IAEjC,OAAO,CAAC,KAAK,GAAG,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QAC5C,MAAM,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAA;QAC7B,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YAC/C,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;QACpB,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAA;AACf,CAAC;AAED,SAAS,WAAW,CAAC,CAAS;IAC5B,OAAO,CAAC,CAAC,OAAO,CAAC,qBAAqB,EAAE,MAAM,CAAC,CAAA;AACjD,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,2 @@
+export { default } from "./plugin.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,aAAa,CAAA"}

package/dist/index.js

@@ -0,0 +1,2 @@
+export { default } from "./plugin.js";
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,aAAa,CAAA"}

package/dist/plugin.d.ts

@@ -0,0 +1,6 @@
+import { type Plugin } from "@opencode-ai/plugin";
+import { type PluginConfig, type DeepPartial } from "./config.js";
+export declare const VarlockPlugin: Plugin;
+export declare function createVarlockPlugin(overrides?: DeepPartial<PluginConfig>): Plugin;
+export default VarlockPlugin;
+//# sourceMappingURL=plugin.d.ts.map

package/dist/plugin.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"plugin.d.ts","sourceRoot":"","sources":["../src/plugin.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,MAAM,EAAQ,MAAM,qBAAqB,CAAA;AACvD,OAAO,EAAc,KAAK,YAAY,EAAE,KAAK,WAAW,EAAE,MAAM,aAAa,CAAA;AAQ7E,eAAO,MAAM,aAAa,EAAE,MAE3B,CAAA;AAED,wBAAgB,mBAAmB,CACjC,SAAS,GAAE,WAAW,CAAC,YAAY,CAAM,GACxC,MAAM,CA0DR;AAED,eAAe,aAAa,CAAA"}

package/dist/plugin.js

@@ -0,0 +1,56 @@
+import { tool } from "@opencode-ai/plugin";
+import { loadConfig } from "./config.js";
+import { createEnvGuard } from "./guard.js";
+import { createLoadEnvTool, createLoadSecretsTool, createSecretStatusTool, } from "./tools.js";
+export const VarlockPlugin = async (ctx) => {
+    return createVarlockPlugin()(ctx);
+};
+export function createVarlockPlugin(overrides = {}) {
+    return async ({ $, project, directory }) => {
+        const cwd = directory ?? process.cwd();
+        const config = loadConfig(cwd, overrides);
+        let varlockAvailable = config.varlock.enabled;
+        if (!varlockAvailable && config.varlock.autoDetect) {
+            try {
+                const result = await $ `which ${config.varlock.command}`.quiet();
+                varlockAvailable = result.exitCode === 0;
+                if (varlockAvailable) {
+                    console.log(`[varlock] Auto-detected "${config.varlock.command}" CLI`);
+                }
+            }
+            catch {
+                varlockAvailable = false;
+            }
+        }
+        const tools = {};
+        if (config.env.enabled) {
+            tools.load_env = createLoadEnvTool(config.env);
+        }
+        if (varlockAvailable) {
+            tools.load_secrets = createLoadSecretsTool($, config.varlock);
+            tools.secret_status = createSecretStatusTool($, config.varlock);
+        }
+        const hookResult = {
+            tool: tools,
+            event: async ({ event }) => {
+                if (event.type === "session.created") {
+                    const sources = [];
+                    if (config.env.enabled)
+                        sources.push(".env");
+                    if (varlockAvailable)
+                        sources.push(`varlock (${config.varlock.command})`);
+                    const guardStatus = config.guard.enabled
+                        ? `${config.guard.sensitivePatterns.length} patterns, ${config.guard.sensitiveGlobs.length} globs`
+                        : "disabled";
+                    console.log(`[varlock] Sources: ${sources.join(", ") || "none"} | Guard: ${guardStatus}`);
+                }
+            },
+        };
+        if (config.guard.enabled) {
+            hookResult["tool.execute.before"] = createEnvGuard(config.guard);
+        }
+        return hookResult;
+    };
+}
+export default VarlockPlugin;
+//# sourceMappingURL=plugin.js.map

package/dist/plugin.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"plugin.js","sourceRoot":"","sources":["../src/plugin.ts"],"names":[],"mappings":"AAAA,OAAO,EAAe,IAAI,EAAE,MAAM,qBAAqB,CAAA;AACvD,OAAO,EAAE,UAAU,EAAuC,MAAM,aAAa,CAAA;AAC7E,OAAO,EAAE,cAAc,EAAE,MAAM,YAAY,CAAA;AAC3C,OAAO,EACL,iBAAiB,EACjB,qBAAqB,EACrB,sBAAsB,GACvB,MAAM,YAAY,CAAA;AAEnB,MAAM,CAAC,MAAM,aAAa,GAAW,KAAK,EAAE,GAAG,EAAE,EAAE;IACjD,OAAO,mBAAmB,EAAE,CAAC,GAAG,CAAC,CAAA;AACnC,CAAC,CAAA;AAED,MAAM,UAAU,mBAAmB,CACjC,YAAuC,EAAE;IAEzC,OAAO,KAAK,EAAE,EAAE,CAAC,EAAE,OAAO,EAAE,SAAS,EAAE,EAAE,EAAE;QACzC,MAAM,GAAG,GAAG,SAAS,IAAI,OAAO,CAAC,GAAG,EAAE,CAAA;QAEtC,MAAM,MAAM,GAAG,UAAU,CAAC,GAAG,EAAE,SAAS,CAAC,CAAA;QAEzC,IAAI,gBAAgB,GAAG,MAAM,CAAC,OAAO,CAAC,OAAO,CAAA;QAC7C,IAAI,CAAC,gBAAgB,IAAI,MAAM,CAAC,OAAO,CAAC,UAAU,EAAE,CAAC;YACnD,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,MAAM,CAAC,CAAA,SAAS,MAAM,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC,KAAK,EAAE,CAAA;gBAC/D,gBAAgB,GAAG,MAAM,CAAC,QAAQ,KAAK,CAAC,CAAA;gBACxC,IAAI,gBAAgB,EAAE,CAAC;oBACrB,OAAO,CAAC,GAAG,CACT,4BAA4B,MAAM,CAAC,OAAO,CAAC,OAAO,OAAO,CAC1D,CAAA;gBACH,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,gBAAgB,GAAG,KAAK,CAAA;YAC1B,CAAC;QACH,CAAC;QAED,MAAM,KAAK,GAA4C,EAAE,CAAA;QAEzD,IAAI,MAAM,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC;YACvB,KAAK,CAAC,QAAQ,GAAG,iBAAiB,CAAC,MAAM,CAAC,GAAG,CAAC,CAAA;QAChD,CAAC;QAED,IAAI,gBAAgB,EAAE,CAAC;YACrB,KAAK,CAAC,YAAY,GAAG,qBAAqB,CAAC,CAAC,EAAE,MAAM,CAAC,OAAO,CAAC,CAAA;YAC7D,KAAK,CAAC,aAAa,GAAG,sBAAsB,CAAC,CAAC,EAAE,MAAM,CAAC,OAAO,CAAC,CAAA;QACjE,CAAC;QAED,MAAM,UAAU,GAAwB;YACtC,IAAI,EAAE,KAAK;YAEX,KAAK,EAAE,KAAK,EAAE,EAAE,KAAK,EAA+B,EAAE,EAAE;gBACtD,IAAI,KAAK,CAAC,IAAI,KAAK,iBAAiB,EAAE,CAAC;oBACrC,MAAM,OAAO,GAAa,EAAE,CAAA;oBAC5B,IAAI,MAAM,CAAC,GAAG,CAAC,OAAO;wBAAE,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAA;oBAC5C,IAAI,gBAAgB;wBAAE,OAAO,CAAC,IAAI,CAAC,YAAY,MAAM,CAAC,OAAO,CAAC,OAAO,GAAG,CAAC,CAAA;oBAEzE,MAAM,WAAW,GAAG,MAAM,CAAC,KAAK,CAAC,OAAO;wBACtC,CAAC,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,iBAAiB,CAAC,MAAM,cAAc,MAAM,CAAC,KAAK,CAAC,cAAc,CAAC,MAAM,QAAQ;wBAClG,CAAC,CAAC,UAAU,CAAA;oBAEd,OAAO,CAAC,GAAG,CACT,sBAAsB,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,MAAM,aAAa,WAAW,EAAE,CAC7E,CAAA;gBACH,CAAC;YACH,CAAC;SACF,CAAA;QAED,IAAI,MAAM,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC;YACzB,UAAU,CAAC,qBAAqB,CAAC,GAAG,cAAc,CAAC,MAAM,CAAC,KAAK,CAAC,CAAA;QAClE,CAAC;QAED,OAAO,UAAU,CAAA;IACnB,CAAC,CAAA;AACH,CAAC;AAED,eAAe,aAAa,CAAA"}

package/dist/tools.d.ts

@@ -0,0 +1,39 @@
+import type { EnvConfig, VarlockConfig } from "./config.js";
+export declare function createLoadEnvTool(envConfig: EnvConfig): {
+    description: string;
+    args: {
+        path: import("zod").ZodDefault<import("zod").ZodOptional<import("zod").ZodString>>;
+        override: import("zod").ZodDefault<import("zod").ZodOptional<import("zod").ZodBoolean>>;
+        prefix: import("zod").ZodOptional<import("zod").ZodString>;
+    };
+    execute(args: {
+        path: string;
+        override: boolean;
+        prefix?: string | undefined;
+    }, context: import("@opencode-ai/plugin").ToolContext): Promise<string>;
+};
+export declare function createLoadSecretsTool($: any, varlockConfig: VarlockConfig): {
+    description: string;
+    args: {
+        namespace: import("zod").ZodDefault<import("zod").ZodOptional<import("zod").ZodString>>;
+        keys: import("zod").ZodOptional<import("zod").ZodArray<import("zod").ZodString>>;
+        override: import("zod").ZodDefault<import("zod").ZodOptional<import("zod").ZodBoolean>>;
+        envPrefix: import("zod").ZodOptional<import("zod").ZodString>;
+    };
+    execute(args: {
+        namespace: string;
+        override: boolean;
+        keys?: string[] | undefined;
+        envPrefix?: string | undefined;
+    }, context: import("@opencode-ai/plugin").ToolContext): Promise<string>;
+};
+export declare function createSecretStatusTool($: any, varlockConfig: VarlockConfig): {
+    description: string;
+    args: {
+        namespace: import("zod").ZodDefault<import("zod").ZodOptional<import("zod").ZodString>>;
+    };
+    execute(args: {
+        namespace: string;
+    }, context: import("@opencode-ai/plugin").ToolContext): Promise<string>;
+};
+//# sourceMappingURL=tools.d.ts.map

package/dist/tools.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tools.d.ts","sourceRoot":"","sources":["../src/tools.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,SAAS,EAAE,aAAa,EAAE,MAAM,aAAa,CAAA;AAE3D,wBAAgB,iBAAiB,CAAC,SAAS,EAAE,SAAS;;;;;;;;;;;;EAyFrD;AAED,wBAAgB,qBAAqB,CACnC,CAAC,EAAE,GAAG,EACN,aAAa,EAAE,aAAa;;;;;;;;;;;;;;EAoG7B;AAED,wBAAgB,sBAAsB,CACpC,CAAC,EAAE,GAAG,EACN,aAAa,EAAE,aAAa;;;;;;;;EAsD7B"}