secretless-ai 0.7.1 → 0.8.0

package/README.md

@@ -13,6 +13,110 @@ Part of the [OpenA2A](https://opena2a.org) ecosystem — open-source security fo
 npx secretless-ai init
 ```
 
+## Secret Storage Backends
+
+Secretless stores secrets in your choice of backend. Secrets are never in environment variables, shell profiles, or config files — they exist only in the backend and get injected into process memory at runtime.
+
+| Backend | Storage | Sync | Auth | Best For |
+|---------|---------|------|------|----------|
+| `local` | AES-256-GCM encrypted file | None (single machine) | Filesystem | Quick start, simple setups |
+| `keychain` | macOS Keychain / Linux Secret Service | Device-local | OS login | Native OS integration |
+| `1password` | 1Password vault | Cross-device | Biometric (Touch ID) / Service Account | Teams, CI/CD, multi-device |
+
+```bash
+npx secretless-ai backend                     # Show available backends
+npx secretless-ai backend set 1password       # Switch to 1Password
+npx secretless-ai backend set keychain        # Switch to OS keychain
+npx secretless-ai migrate --from local --to 1password  # Migrate existing secrets
+```
+
+### 1Password Backend
+
+Stores secrets in a dedicated "Secretless" vault using the [`op` CLI](https://developer.1password.com/docs/cli). Secrets never touch disk.
+
+**Setup:**
+
+```bash
+brew install --cask 1password                 # Install 1Password desktop app
+brew install --cask 1password-cli             # Install op CLI
+```
+
+Then enable CLI integration: **1Password > Settings > Developer > "Integrate with 1Password CLI"**. This allows the CLI to authenticate through the desktop app with biometric unlock (Touch ID / Windows Hello).
+
+```bash
+npx secretless-ai backend set 1password       # Switch backend
+```
+
+**CI/CD:** Set `OP_SERVICE_ACCOUNT_TOKEN` — same secrets, no code changes. No desktop app needed.
+
+## Secret Management
+
+Store, list, and inject secrets without exposing them to AI tools.
+
+```bash
+npx secretless-ai secret set STRIPE_KEY=sk_live_...   # Store a secret
+npx secretless-ai secret set DATABASE_URL              # Read value from stdin
+npx secretless-ai secret list                          # List secret names (never values)
+npx secretless-ai secret rm STRIPE_KEY                 # Remove a secret
+```
+
+### Running Commands with Secrets
+
+Inject secrets as environment variables into any command. The AI tool sees the command output but never the secret values.
+
+```bash
+npx secretless-ai run -- npm test                              # Inject all secrets
+npx secretless-ai run --only STRIPE_KEY -- curl -u "$STRIPE_KEY:" https://api.stripe.com/v1/balance
+npx secretless-ai run --only DATABASE_URL -- npm run migrate   # Inject specific key
+```
+
+### AI-Safe by Design
+
+When an AI tool tries to read a secret value, secretless blocks it:
+
+```
+$ npx secretless-ai secret get STRIPE_KEY    # (run by AI tool)
+
+  secretless: Blocked -- secret values cannot be read in non-interactive contexts.
+  AI tools capture stdout, which would expose the secret in their context.
+
+  To inject secrets into a command:
+    npx secretless-ai run -- <command>
+```
+
+Direct terminal access (human) works normally. The guard detects non-interactive execution (how AI tools run commands) and refuses to output.
+
+### Import from .env Files
+
+```bash
+npx secretless-ai import .env                 # Import from specific file
+npx secretless-ai import --detect             # Auto-find and import all .env files
+```
+
+### Project Manifests
+
+Define required secrets in a `.secretless` file at the project root:
+
+```
+STRIPE_KEY        required    Stripe API key for payments
+DATABASE_URL      required    PostgreSQL connection string
+SENTRY_DSN        optional    Error tracking
+```
+
+```bash
+npx secretless-ai setup                       # Interactive setup for missing secrets
+npx secretless-ai setup --check               # CI: fail if required secrets are missing
+```
+
+## Backend Inspection
+
+```bash
+npx secretless-ai backend list                # Show all entries grouped by prefix
+npx secretless-ai backend purge               # Dry-run: show what would be deleted
+npx secretless-ai backend purge --yes         # Delete all entries
+npx secretless-ai backend purge --prefix mcp --yes  # Delete only mcp/ entries
+```
+
 ## MCP Secret Protection
 
 Every MCP server config has plaintext API keys sitting in JSON files on your laptop. The LLM sees them. Secretless encrypts them.
@@ -42,48 +146,14 @@ npx secretless-ai protect-mcp
 
 1. Scans MCP configs across Claude Desktop, Cursor, Claude Code, VS Code, and Windsurf
 2. Identifies which env vars are secrets (key name patterns + value regex matching)
-3. Encrypts secrets into a local AES-256-GCM vault (`~/.secretless-ai/mcp-vault/`)
+3. Stores secrets in your configured backend (local, keychain, or 1Password)
 4. Rewrites configs to use the `secretless-mcp` wrapper — decrypts at runtime, injects as env vars
 5. Non-secret env vars (URLs, org names, regions) stay in the config untouched
 
-**Before:**
-```json
-{
-  "mcpServers": {
-    "github": {
-      "command": "npx",
-      "args": ["@github/mcp-server"],
-      "env": {
-        "GITHUB_TOKEN": "ghp_plaintext_visible_to_LLM",
-        "GITHUB_ORG": "my-org"
-      }
-    }
-  }
-}
-```
-
-**After:**
-```json
-{
-  "mcpServers": {
-    "github": {
-      "command": "secretless-mcp",
-      "args": ["--server", "github", "--client", "claude-desktop", "--", "npx", "@github/mcp-server"],
-      "env": {
-        "GITHUB_ORG": "my-org"
-      }
-    }
-  }
-}
-```
-
-The secret moves to the encrypted vault. The wrapper decrypts it at startup (<10ms overhead) and passes it to the MCP server as an env var. The LLM never sees it.
-
-**Other MCP commands:**
-
 ```bash
-npx secretless-ai mcp-status      # Show which servers are protected/exposed
-npx secretless-ai mcp-unprotect   # Restore original configs from backup
+npx secretless-ai protect-mcp --backend 1password  # Store MCP secrets in 1Password
+npx secretless-ai mcp-status                       # Show which servers are protected/exposed
+npx secretless-ai mcp-unprotect                    # Restore original configs from backup
 ```
 
 ---
@@ -117,7 +187,7 @@ npx secretless-ai init
 Output:
 
 ```
-  Secretless v0.6.0
+  Secretless v0.7.1
   Keeping secrets out of AI
 
   Detected:
@@ -153,40 +223,13 @@ Non-interactive subprocesses (Claude Code's Bash tool, CI/CD, Docker) don't sour
 | Linux | bash | `~/.bashrc` | Sourced by interactive bash; most tools source it explicitly |
 | Windows | — | System Environment Variables | Use `setx` or Settings > System > Environment Variables |
 
-**Common mistakes Secretless auto-fixes:**
-- **macOS:** Adding `export` lines to `~/.zshrc` instead of `~/.zshenv`. Secretless copies them to the correct file during `init`.
-- **Linux:** Adding exports to `~/.bash_profile` instead of `~/.bashrc`, or placing them after the interactive guard in `.bashrc`. Secretless inserts them before the guard.
-- **Windows:** Setting keys only in PowerShell `$PROFILE` (session-only). Secretless runs `setx` to set persistent user environment variables.
-
-```bash
-# macOS (zsh) — add to ~/.zshenv
-export ANTHROPIC_API_KEY="sk-ant-..."
-export OPENAI_API_KEY="sk-proj-..."
-
-# Linux (bash) — add to ~/.bashrc (before the interactive guard)
-export ANTHROPIC_API_KEY="sk-ant-..."
-export OPENAI_API_KEY="sk-proj-..."
-```
-
-```powershell
-# Windows — use setx (or Settings > System > Environment Variables)
-setx ANTHROPIC_API_KEY "sk-ant-..."
-setx OPENAI_API_KEY "sk-proj-..."
-```
-
-**Step 2: Remove keys from AI config files**
-
-Delete any hardcoded keys from `CLAUDE.md`, `.cursorrules`, `.env`, etc.
-
-**Step 3: Run secretless init**
+**Step 2: Run secretless init**
 
 ```bash
 npx secretless-ai init
 ```
 
-Secretless detects which env vars are set and adds a reference table to your AI tool's instruction file. The AI knows *which* keys are available and *how* to authenticate — without seeing the actual values.
-
-**Step 4: Verify**
+**Step 3: Verify**
 
 ```bash
 npx secretless-ai verify
@@ -202,94 +245,52 @@ npx secretless-ai verify
   PASS: Secrets are accessible via env vars but hidden from AI context.
 ```
 
-**Before:** Claude sees `ANTHROPIC_API_KEY=sk-ant-api03-abc123...` in CLAUDE.md — the key is in the context window, extractable via prompt injection.
-
-**After:** Claude sees a table saying `$ANTHROPIC_API_KEY` exists and the auth header is `x-api-key: $ANTHROPIC_API_KEY`. It uses `$ANTHROPIC_API_KEY` in shell commands. The shell resolves it. Claude never sees the actual value.
+## Git Protection
 
-## Commands
-
-### `npx secretless-ai init`
-
-Detects AI tools in your project and installs protections. If API keys are set as env vars, includes a reference table with service names and auth header formats so the AI can use them without seeing values. Safe to run multiple times.
-
-### `npx secretless-ai scan`
-
-Scans config files for hardcoded credentials — both project-level and global (`~/.claude/CLAUDE.md`). Detects 49 credential patterns including Anthropic, OpenAI, AWS, GitHub, Slack, Google, Stripe, SendGrid, Supabase, Azure, GitLab, Twilio, Mailgun, and more.
-
-```
-  Found 2 credential(s):
-
-  [CRIT] Anthropic API Key
-         ~/.claude/CLAUDE.md:286
-         ANTHROPIC_API_KEY=[Anthropic API Key REDACTED]
-
-  [CRIT] OpenAI Project Key
-         ~/.claude/CLAUDE.md:284
-         OPENAI_API_KEY=[OpenAI Project Key REDACTED]
-```
-
-### `npx secretless-ai verify`
-
-Confirms keys are usable but hidden from AI. Checks that env vars are set AND that the actual key values don't appear in any AI context file.
-
-```
-  PASS: Secrets are accessible via env vars but hidden from AI context.
-```
-
-### `npx secretless-ai doctor`
-
-Diagnoses shell profile issues that cause "No API keys found" errors. Detects when keys are in an interactive-only profile (like `~/.zshrc`) that non-interactive subprocesses can't see.
-
-Use `--fix` to auto-fix: copies export lines from the wrong profile to the correct one (non-destructive, does not modify the original file).
+Prevent secrets from being committed:
 
 ```bash
-npx secretless-ai doctor         # Diagnose
-npx secretless-ai doctor --fix   # Diagnose and auto-fix
+npx secretless-ai hook install       # Install pre-commit secret scanner
+npx secretless-ai hook status        # Check hook installation status
+npx secretless-ai hook uninstall     # Remove pre-commit hook
 ```
 
-Note: `init` also runs this auto-fix automatically, so most users never need to run `doctor` separately.
-
-```
-  Secretless Doctor
-
-  Platform: darwin
-  Shell:    zsh
-
-  Shell profiles:
-    - ~/.zshenv (RECOMMENDED): not found
-    + ~/.zshrc (interactive-only): 2 key(s)
-    - ~/.zprofile (login-only): not found
-
-  Auto-fix applied:
-    Copied 2 export(s) from ~/.zshrc to ~/.zshenv
-      + ANTHROPIC_API_KEY
-      + OPENAI_API_KEY
-    Restart your terminal for changes to take effect.
-```
-
-### `npx secretless-ai protect-mcp`
-
-Scans all MCP configs on your machine, encrypts plaintext secrets into a local vault, and rewrites configs to use the `secretless-mcp` wrapper. Safe to run multiple times — skips already-protected servers.
-
-### `npx secretless-ai mcp-status`
-
-Shows protection status for every MCP server across all clients. Tells you which servers have exposed secrets and which are protected.
-
-### `npx secretless-ai mcp-unprotect`
-
-Restores all MCP configs to their original state from backups. One command to undo everything.
-
-### `npx secretless-ai status`
-
-Shows current protection status.
-
-```
-  Protected:  Yes
-  Tools:      Claude Code, Cursor
-  Hook:       Installed
-  Deny rules: 14
-  Secrets:    0 found in config files
-```
+## All Commands
+
+| Command | Description |
+|---------|-------------|
+| `init` | Set up protections for your AI tools |
+| `scan` | Scan for hardcoded secrets (49 patterns) |
+| `status` | Show protection status |
+| `verify` | Verify keys are usable but hidden from AI |
+| `doctor [--fix]` | Diagnose and auto-fix shell profile issues |
+| `clean [--dry-run]` | Scan and redact credentials in transcripts |
+| `watch` | Monitor transcripts in real-time |
+| **Secret Management** | |
+| `secret set <NAME[=VALUE]>` | Store a secret |
+| `secret list` | List stored secret names |
+| `secret get <NAME>` | Retrieve a secret value (blocked in non-interactive contexts) |
+| `secret rm <NAME>` | Remove a secret |
+| `run [--only K1,K2] -- <cmd>` | Run command with secrets injected as env vars |
+| `import <file>` | Import secrets from .env file |
+| `import --detect` | Auto-find and import .env files |
+| **Project Setup** | |
+| `setup` | Interactive setup from `.secretless` manifest |
+| `setup --check` | CI: fail if required secrets are missing |
+| **Git Protection** | |
+| `hook install` | Install pre-commit secret scanner |
+| `hook uninstall` | Remove pre-commit hook |
+| `hook status` | Check hook installation status |
+| **MCP Protection** | |
+| `protect-mcp [--backend TYPE]` | Encrypt MCP server secrets |
+| `mcp-status` | Show MCP protection status |
+| `mcp-unprotect` | Restore original MCP configs |
+| **Backend Management** | |
+| `backend` | Show current backend status |
+| `backend set <TYPE>` | Set backend (local, keychain, 1password) |
+| `backend list` | List all stored entries |
+| `backend purge [--prefix] [--yes]` | Delete entries from backend |
+| `migrate --from TYPE --to TYPE` | Migrate secrets between backends |
 
 ## What Gets Blocked
 
@@ -309,19 +310,11 @@ Commands that dump secret files (`cat .env`, `head *.key`) and commands that ech
 
 For Claude Code, Secretless installs a PreToolUse hook that intercepts every `Read`, `Grep`, `Glob`, `Bash`, `Write`, and `Edit` tool call. The hook runs *before* the tool executes, so secrets never enter the AI context window.
 
-```bash
-# .claude/hooks/secretless-guard.sh
-# Runs before every tool call, checks file paths against block list
-# Returns deny decision if a secret file is targeted
-```
-
-Additionally, Secretless adds `permissions.deny` rules to `.claude/settings.json` as a second layer of defense, and adds instructions to `CLAUDE.md` so Claude understands why certain files are blocked.
-
 ## Development
 
 ```bash
 npm run build      # Compile TypeScript to dist/
-npm test           # Run tests (vitest)
+npm test           # Run tests (vitest, 461 tests)
 npm run dev        # Watch mode — recompile on file changes
 npm run clean      # Remove dist/ directory
 ```
@@ -330,10 +323,12 @@ npm run clean      # Remove dist/ directory
 
 - Node.js 18+
 - A project directory with at least one AI tool configured (or Secretless defaults to Claude Code)
+- **Optional:** 1Password CLI (`op`) for 1Password backend
+- **Optional:** macOS Keychain or `secret-tool` (Linux) for keychain backend
 
 ## Zero Dependencies
 
-Secretless has zero runtime dependencies. The npm package is 18 KB.
+Secretless has zero runtime dependencies.
 
 ## OpenA2A Ecosystem
 

package/dist/backends/config.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Backend configuration manager.
+ *
+ * Reads and writes the user's backend preference from ~/.secretless-ai/config.json.
+ * Resolution priority: explicit CLI flag > config file > default ('local').
+ */
+/** Writable backend types that can be selected by the user. */
+export type SelectableBackendType = 'local' | 'keychain' | '1password';
+/** Read the current backend configuration. Returns undefined if no config file exists. */
+export declare function readBackendConfig(): SelectableBackendType | undefined;
+/** Write the backend preference to the config file. */
+export declare function writeBackendConfig(backend: SelectableBackendType): void;
+/**
+ * Resolve which backend type to use.
+ *
+ * Priority: explicit flag > config file > default ('local').
+ */
+export declare function resolveBackendType(explicitFlag?: string): SelectableBackendType;
+//# sourceMappingURL=config.d.ts.map

package/dist/backends/config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/backends/config.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAMH,+DAA+D;AAC/D,MAAM,MAAM,qBAAqB,GAAG,OAAO,GAAG,UAAU,GAAG,WAAW,CAAC;AAkBvE,0FAA0F;AAC1F,wBAAgB,iBAAiB,IAAI,qBAAqB,GAAG,SAAS,CAWrE;AAED,uDAAuD;AACvD,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,qBAAqB,GAAG,IAAI,CAiBvE;AAED;;;;GAIG;AACH,wBAAgB,kBAAkB,CAAC,YAAY,CAAC,EAAE,MAAM,GAAG,qBAAqB,CAK/E"}

package/dist/backends/config.js

@@ -0,0 +1,99 @@
+"use strict";
+/**
+ * Backend configuration manager.
+ *
+ * Reads and writes the user's backend preference from ~/.secretless-ai/config.json.
+ * Resolution priority: explicit CLI flag > config file > default ('local').
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.readBackendConfig = readBackendConfig;
+exports.writeBackendConfig = writeBackendConfig;
+exports.resolveBackendType = resolveBackendType;
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const CONFIG_FILENAME = 'config.json';
+const DEFAULT_BACKEND = 'local';
+function configDir() {
+    const home = process.env.HOME ?? process.env.USERPROFILE ?? '/tmp';
+    return path.join(home, '.secretless-ai');
+}
+function configPath() {
+    return path.join(configDir(), CONFIG_FILENAME);
+}
+/** Read the current backend configuration. Returns undefined if no config file exists. */
+function readBackendConfig() {
+    try {
+        const raw = fs.readFileSync(configPath(), 'utf-8');
+        const config = JSON.parse(raw);
+        if (config.backend === 'local' || config.backend === 'keychain' || config.backend === '1password') {
+            return config.backend;
+        }
+        return undefined;
+    }
+    catch {
+        return undefined;
+    }
+}
+/** Write the backend preference to the config file. */
+function writeBackendConfig(backend) {
+    const dir = configDir();
+    fs.mkdirSync(dir, { recursive: true, mode: 0o700 });
+    const fp = configPath();
+    let config = {};
+    try {
+        const raw = fs.readFileSync(fp, 'utf-8');
+        config = JSON.parse(raw);
+    }
+    catch {
+        // No existing config or invalid JSON — start fresh
+    }
+    config.backend = backend;
+    const tmpPath = fp + '.tmp';
+    fs.writeFileSync(tmpPath, JSON.stringify(config, null, 2) + '\n', { mode: 0o600 });
+    fs.renameSync(tmpPath, fp);
+}
+/**
+ * Resolve which backend type to use.
+ *
+ * Priority: explicit flag > config file > default ('local').
+ */
+function resolveBackendType(explicitFlag) {
+    if (explicitFlag === 'local' || explicitFlag === 'keychain' || explicitFlag === '1password') {
+        return explicitFlag;
+    }
+    return readBackendConfig() ?? DEFAULT_BACKEND;
+}
+//# sourceMappingURL=config.js.map

package/dist/backends/config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../../src/backends/config.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA0BH,8CAWC;AAGD,gDAiBC;AAOD,gDAKC;AAnED,uCAAyB;AACzB,2CAA6B;AAM7B,MAAM,eAAe,GAAG,aAAa,CAAC;AACtC,MAAM,eAAe,GAA0B,OAAO,CAAC;AAMvD,SAAS,SAAS;IAChB,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,OAAO,CAAC,GAAG,CAAC,WAAW,IAAI,MAAM,CAAC;IACnE,OAAO,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,gBAAgB,CAAC,CAAC;AAC3C,CAAC;AAED,SAAS,UAAU;IACjB,OAAO,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,EAAE,eAAe,CAAC,CAAC;AACjD,CAAC;AAED,0FAA0F;AAC1F,SAAgB,iBAAiB;IAC/B,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,UAAU,EAAE,EAAE,OAAO,CAAC,CAAC;QACnD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAqB,CAAC;QACnD,IAAI,MAAM,CAAC,OAAO,KAAK,OAAO,IAAI,MAAM,CAAC,OAAO,KAAK,UAAU,IAAI,MAAM,CAAC,OAAO,KAAK,WAAW,EAAE,CAAC;YAClG,OAAO,MAAM,CAAC,OAAO,CAAC;QACxB,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED,uDAAuD;AACvD,SAAgB,kBAAkB,CAAC,OAA8B;IAC/D,MAAM,GAAG,GAAG,SAAS,EAAE,CAAC;IACxB,EAAE,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAEpD,MAAM,EAAE,GAAG,UAAU,EAAE,CAAC;IACxB,IAAI,MAAM,GAAqB,EAAE,CAAC;IAClC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC;QACzC,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAqB,CAAC;IAC/C,CAAC;IAAC,MAAM,CAAC;QACP,mDAAmD;IACrD,CAAC;IAED,MAAM,CAAC,OAAO,GAAG,OAAO,CAAC;IACzB,MAAM,OAAO,GAAG,EAAE,GAAG,MAAM,CAAC;IAC5B,EAAE,CAAC,aAAa,CAAC,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IACnF,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;AAC7B,CAAC;AAED;;;;GAIG;AACH,SAAgB,kBAAkB,CAAC,YAAqB;IACtD,IAAI,YAAY,KAAK,OAAO,IAAI,YAAY,KAAK,UAAU,IAAI,YAAY,KAAK,WAAW,EAAE,CAAC;QAC5F,OAAO,YAAY,CAAC;IACtB,CAAC;IACD,OAAO,iBAAiB,EAAE,IAAI,eAAe,CAAC;AAChD,CAAC"}

package/dist/backends/factory.d.ts

@@ -0,0 +1,34 @@
+/**
+ * Backend factory — creates the appropriate WritableSecretBackend based on type.
+ *
+ * Dispatches 'keychain' to the platform-specific implementation (macOS or Linux).
+ * Dispatches '1password' to the OnePasswordBackend (requires `op` CLI).
+ * Falls back to 'local' on unsupported platforms with a console message.
+ */
+import type { WritableSecretBackend } from './types';
+import type { SelectableBackendType } from './config';
+/**
+ * Create a WritableSecretBackend instance for the given type.
+ *
+ * @param type   - 'local', 'keychain', or '1password'
+ * @param config - Backend-specific configuration (e.g. storeDir, key, vault)
+ */
+export declare function createBackend(type: SelectableBackendType, config?: Record<string, unknown>): WritableSecretBackend;
+/**
+ * Check if the OS keychain is available on the current platform.
+ * Returns a description of the keychain status.
+ */
+export declare function isKeychainAvailable(): {
+    available: boolean;
+    platform: string;
+    message: string;
+};
+/**
+ * Check if the 1Password CLI (`op`) is available and authenticated.
+ * Returns availability status and an actionable message.
+ */
+export declare function isOnePasswordAvailable(): {
+    available: boolean;
+    message: string;
+};
+//# sourceMappingURL=factory.d.ts.map

package/dist/backends/factory.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"factory.d.ts","sourceRoot":"","sources":["../../src/backends/factory.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAMH,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,SAAS,CAAC;AACrD,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,UAAU,CAAC;AAEtD;;;;;GAKG;AACH,wBAAgB,aAAa,CAC3B,IAAI,EAAE,qBAAqB,EAC3B,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC/B,qBAAqB,CAYvB;AAED;;;GAGG;AACH,wBAAgB,mBAAmB,IAAI;IAAE,SAAS,EAAE,OAAO,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAgC/F;AAED;;;GAGG;AACH,wBAAgB,sBAAsB,IAAI;IAAE,SAAS,EAAE,OAAO,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAwBhF"}

package/dist/backends/factory.js

@@ -0,0 +1,112 @@
+"use strict";
+/**
+ * Backend factory — creates the appropriate WritableSecretBackend based on type.
+ *
+ * Dispatches 'keychain' to the platform-specific implementation (macOS or Linux).
+ * Dispatches '1password' to the OnePasswordBackend (requires `op` CLI).
+ * Falls back to 'local' on unsupported platforms with a console message.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createBackend = createBackend;
+exports.isKeychainAvailable = isKeychainAvailable;
+exports.isOnePasswordAvailable = isOnePasswordAvailable;
+const local_1 = require("./local");
+const keychain_macos_1 = require("./keychain-macos");
+const keychain_linux_1 = require("./keychain-linux");
+const onepassword_1 = require("./onepassword");
+/**
+ * Create a WritableSecretBackend instance for the given type.
+ *
+ * @param type   - 'local', 'keychain', or '1password'
+ * @param config - Backend-specific configuration (e.g. storeDir, key, vault)
+ */
+function createBackend(type, config) {
+    switch (type) {
+        case 'keychain':
+            return createKeychainBackend(config);
+        case '1password':
+            return new onepassword_1.OnePasswordBackend(config);
+        case 'local':
+        default:
+            return new local_1.LocalBackend(config);
+    }
+}
+/**
+ * Check if the OS keychain is available on the current platform.
+ * Returns a description of the keychain status.
+ */
+function isKeychainAvailable() {
+    const platform = process.platform;
+    if (platform === 'darwin') {
+        try {
+            const { execFileSync } = require('child_process');
+            execFileSync('security', ['default-keychain'], { stdio: 'pipe' });
+            return { available: true, platform: 'macOS', message: 'macOS Keychain is available' };
+        }
+        catch {
+            return { available: false, platform: 'macOS', message: 'macOS Keychain is not accessible' };
+        }
+    }
+    if (platform === 'linux') {
+        try {
+            const { execFileSync } = require('child_process');
+            execFileSync('which', ['secret-tool'], { stdio: 'pipe' });
+            return { available: true, platform: 'Linux', message: 'secret-tool is available (Linux Secret Service)' };
+        }
+        catch {
+            return {
+                available: false,
+                platform: 'Linux',
+                message: 'secret-tool not found. Install libsecret-tools (Debian/Ubuntu) or libsecret (Fedora/RHEL).',
+            };
+        }
+    }
+    return {
+        available: false,
+        platform: platform,
+        message: `OS keychain is not supported on ${platform}. Using local encrypted backend.`,
+    };
+}
+/**
+ * Check if the 1Password CLI (`op`) is available and authenticated.
+ * Returns availability status and an actionable message.
+ */
+function isOnePasswordAvailable() {
+    try {
+        const { execFileSync } = require('child_process');
+        execFileSync('op', ['--version'], { stdio: 'pipe' });
+    }
+    catch {
+        return {
+            available: false,
+            message: '1Password CLI (op) not found. Install from https://developer.1password.com/docs/cli',
+        };
+    }
+    try {
+        const { execFileSync } = require('child_process');
+        execFileSync('op', ['account', 'get', '--format', 'json'], { stdio: 'pipe' });
+        return {
+            available: true,
+            message: '1Password CLI installed and authenticated',
+        };
+    }
+    catch {
+        return {
+            available: false,
+            message: '1Password CLI installed but not signed in. Run `op signin` or set OP_SERVICE_ACCOUNT_TOKEN.',
+        };
+    }
+}
+function createKeychainBackend(config) {
+    const platform = process.platform;
+    if (platform === 'darwin') {
+        return new keychain_macos_1.MacOSKeychainBackend(config);
+    }
+    if (platform === 'linux') {
+        return new keychain_linux_1.LinuxKeychainBackend(config);
+    }
+    // Unsupported platform — fall back to local with a message
+    console.error(`secretless: OS keychain not supported on ${platform}. Falling back to local encrypted backend.`);
+    return new local_1.LocalBackend(config);
+}
+//# sourceMappingURL=factory.js.map

package/dist/backends/factory.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"factory.js","sourceRoot":"","sources":["../../src/backends/factory.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;AAeH,sCAeC;AAMD,kDAgCC;AAMD,wDAwBC;AAhGD,mCAAuC;AACvC,qDAAwD;AACxD,qDAAwD;AACxD,+CAAmD;AAInD;;;;;GAKG;AACH,SAAgB,aAAa,CAC3B,IAA2B,EAC3B,MAAgC;IAEhC,QAAQ,IAAI,EAAE,CAAC;QACb,KAAK,UAAU;YACb,OAAO,qBAAqB,CAAC,MAAM,CAAC,CAAC;QAEvC,KAAK,WAAW;YACd,OAAO,IAAI,gCAAkB,CAAC,MAAM,CAAC,CAAC;QAExC,KAAK,OAAO,CAAC;QACb;YACE,OAAO,IAAI,oBAAY,CAAC,MAAM,CAAC,CAAC;IACpC,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,SAAgB,mBAAmB;IACjC,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;IAElC,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC1B,IAAI,CAAC;YACH,MAAM,EAAE,YAAY,EAAE,GAAG,OAAO,CAAC,eAAe,CAAC,CAAC;YAClD,YAAY,CAAC,UAAU,EAAE,CAAC,kBAAkB,CAAC,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;YAClE,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,6BAA6B,EAAE,CAAC;QACxF,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,kCAAkC,EAAE,CAAC;QAC9F,CAAC;IACH,CAAC;IAED,IAAI,QAAQ,KAAK,OAAO,EAAE,CAAC;QACzB,IAAI,CAAC;YACH,MAAM,EAAE,YAAY,EAAE,GAAG,OAAO,CAAC,eAAe,CAAC,CAAC;YAClD,YAAY,CAAC,OAAO,EAAE,CAAC,aAAa,CAAC,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;YAC1D,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,iDAAiD,EAAE,CAAC;QAC5G,CAAC;QAAC,MAAM,CAAC;YACP,OAAO;gBACL,SAAS,EAAE,KAAK;gBAChB,QAAQ,EAAE,OAAO;gBACjB,OAAO,EAAE,4FAA4F;aACtG,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO;QACL,SAAS,EAAE,KAAK;QAChB,QAAQ,EAAE,QAAQ;QAClB,OAAO,EAAE,mCAAmC,QAAQ,kCAAkC;KACvF,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,SAAgB,sBAAsB;IACpC,IAAI,CAAC;QACH,MAAM,EAAE,YAAY,EAAE,GAAG,OAAO,CAAC,eAAe,CAAC,CAAC;QAClD,YAAY,CAAC,IAAI,EAAE,CAAC,WAAW,CAAC,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;IACvD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO;YACL,SAAS,EAAE,KAAK;YAChB,OAAO,EAAE,qFAAqF;SAC/F,CAAC;IACJ,CAAC;IAED,IAAI,CAAC;QACH,MAAM,EAAE,YAAY,EAAE,GAAG,OAAO,CAAC,eAAe,CAAC,CAAC;QAClD,YAAY,CAAC,IAAI,EAAE,CAAC,SAAS,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,CAAC,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;QAC9E,OAAO;YACL,SAAS,EAAE,IAAI;YACf,OAAO,EAAE,2CAA2C;SACrD,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO;YACL,SAAS,EAAE,KAAK;YAChB,OAAO,EAAE,6FAA6F;SACvG,CAAC;IACJ,CAAC;AACH,CAAC;AAED,SAAS,qBAAqB,CAAC,MAAgC;IAC7D,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;IAElC,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC1B,OAAO,IAAI,qCAAoB,CAAC,MAAM,CAAC,CAAC;IAC1C,CAAC;IAED,IAAI,QAAQ,KAAK,OAAO,EAAE,CAAC;QACzB,OAAO,IAAI,qCAAoB,CAAC,MAAM,CAAC,CAAC;IAC1C,CAAC;IAED,2DAA2D;IAC3D,OAAO,CAAC,KAAK,CACX,4CAA4C,QAAQ,4CAA4C,CACjG,CAAC;IACF,OAAO,IAAI,oBAAY,CAAC,MAAM,CAAC,CAAC;AAClC,CAAC"}