PaddedCell

nav/PaddedCell

Fork 0

Commit Graph

Author	SHA1	Message	Date
zhi	ddaea57f2d	feat: rewrite pass_mgr with build-time AES key, update pcexec & install pass_mgr: - Complete rewrite using build-time AES key (injected via ldflags) - New command format: get-secret/get-username --key, set --key --secret - Admin commands: init, handoff, init-from (rejected when AGENT_* env set) - Inline pcguard check for agent commands - Legacy 'get <key>' kept for backward compat - Storage: pc-pass-store/<agent-id>/<key>.gpg with AES-256-GCM - Admin password stored as SHA-256 hash in .pass_mgr/admin.json pcexec.ts: - Support new 'get-secret --key' pattern alongside legacy 'get <key>' - Pass environment to fetchPassword for pcguard validation - Deduplicate matches, sanitize all resolved passwords from output install.mjs: - Generate random 32-byte hex build secret (.build-secret) - Reuse existing secret on rebuilds - Pass to go build via -ldflags -X main.buildSecret=<secret> README.md: - Document new pass_mgr command format - Document admin handoff/init-from workflow - Document security model limitations - Update project structure	2026-03-08 21:12:27 +00:00
zhi	0569a5dcf5	feat: refactor project structure + add pcguard + AGENT_VERIFY injection - Restructure: pcexec/ and safe-restart/ → plugin/{tools,core,commands} - New pcguard Go binary: validates AGENT_VERIFY, AGENT_ID, AGENT_WORKSPACE - pcexec now injects AGENT_VERIFY env + appends openclaw bin to PATH - plugin/index.ts: unified TypeScript entry point with resolveOpenclawPath() - install.mjs: support --openclaw-profile-path, install pcguard, new paths - README: updated structure docs + security limitations note - Removed old root index.js and openclaw.plugin.json	2026-03-08 11:48:53 +00:00

Author

SHA1

Message

Date

zhi

ddaea57f2d

feat: rewrite pass_mgr with build-time AES key, update pcexec & install

pass_mgr:
- Complete rewrite using build-time AES key (injected via ldflags)
- New command format: get-secret/get-username --key, set --key --secret
- Admin commands: init, handoff, init-from (rejected when AGENT_* env set)
- Inline pcguard check for agent commands
- Legacy 'get <key>' kept for backward compat
- Storage: pc-pass-store/<agent-id>/<key>.gpg with AES-256-GCM
- Admin password stored as SHA-256 hash in .pass_mgr/admin.json

pcexec.ts:
- Support new 'get-secret --key' pattern alongside legacy 'get <key>'
- Pass environment to fetchPassword for pcguard validation
- Deduplicate matches, sanitize all resolved passwords from output

install.mjs:
- Generate random 32-byte hex build secret (.build-secret)
- Reuse existing secret on rebuilds
- Pass to go build via -ldflags -X main.buildSecret=<secret>

README.md:
- Document new pass_mgr command format
- Document admin handoff/init-from workflow
- Document security model limitations
- Update project structure

2026-03-08 21:12:27 +00:00

zhi

0569a5dcf5

feat: refactor project structure + add pcguard + AGENT_VERIFY injection

- Restructure: pcexec/ and safe-restart/ → plugin/{tools,core,commands}
- New pcguard Go binary: validates AGENT_VERIFY, AGENT_ID, AGENT_WORKSPACE
- pcexec now injects AGENT_VERIFY env + appends openclaw bin to PATH
- plugin/index.ts: unified TypeScript entry point with resolveOpenclawPath()
- install.mjs: support --openclaw-profile-path, install pcguard, new paths
- README: updated structure docs + security limitations note
- Removed old root index.js and openclaw.plugin.json

2026-03-08 11:48:53 +00:00

2 Commits