# gloves
## Unreleased
## 0.5.11
- Added a ref-first OpenClaw config model with v2 support for:
  - `vault.mounts`
  - `integrations.*`
  - `agents.<id>.secrets.refs`
  - `agents.<id>.vault.mounts`
- Added grouped CLI support for:
  - `gloves openclaw bootstrap`
  - `gloves integration <name> list-refs|rotate|test`
- Canonicalized per-agent runtime identity paths under `agents/<agent>/...` while keeping legacy identity locations readable during transition.
- Added a thin `gloves bootstrap --profile openclaw` command for fresh setup:
  - initializes the runtime layout
  - creates per-agent age identities and recipients files
  - writes `.gloves.toml` and `store/.gloves.yaml`
  - validates config and verifies runtime state
  - defaults the OpenClaw profile to agent `main`
## 0.5.10
### Patch Changes
- Rebuilt `@gloves/openclaw` as a real OpenClaw-native plugin package that registers only the guaranteed-safe tool subset:
  - `gloves_list`
  - `gloves_status`
  - `gloves_requests_list`
  - `gloves_request_approve`
  - `gloves_request_deny`
- Redesigned process execution around explicit secret refs:
  - `gloves run --env NAME=gloves://... -- <command...>` is now the top-level user-facing execution UX
  - `gloves exec env --env NAME=gloves://... -- <command...>` exposes the lower-level env-delivery mechanic directly
  - `gloves vault exec` remains the separate vault mount / execute / unmount workflow
- Added runtime-neutral `gloves://...` secret refs and documented them as the contract between `gloves`, runtime layers, and last-mile injectors.
- Added `gloves-docker-bridge`, a private operator-controlled Docker wrapper that injects resolved secret refs into sandbox tmpfs files under `/run/secrets/...` without patching the OpenClaw binary.
- Split the docs and examples into:
  - official safe OpenClaw plugin support
  - preferred future `gloves-mcp` stdio transport
  - private Docker bridge support
## 0.5.9
### Patch Changes
- Collapsed the OpenClaw JS surface to two packages:
  - `@gloves/mcp-client`
  - `@gloves/openclaw`
- Moved the secret-delivery and OpenClaw plugin logic directly into `@gloves/openclaw` and removed the extra internal adapter packages.
- Renamed the public OpenClaw package from `@openclaw/gloves` to `@gloves/openclaw` so the published package lives under the `@gloves` npm scope the project controls.
- Tightened release validation and publishing for the Bun packages:
  - CI now installs Bun, builds the package workspace, and runs the package test suites.
  - npm package metadata no longer ships workspace-only artifacts or unresolved `workspace:*` dependencies.
## 0.5.8
### Patch Changes
- Aligned the recommended OpenClaw integration with current plugin runtime behavior:
  - Added `@gloves/openclaw` plugin packaging metadata and generic reference config for host-side plugin tools.
  - Updated the documented OpenClaw path to launch `gloves-mcp` over stdio instead of bind-mounted sandbox sockets.
  - Kept Unix-socket transport available as a compatibility path for non-OpenClaw runtimes.
- Fixed `gloves-mcp` stdio sessions so secret notifications are emitted correctly when `socketPath` is omitted.
- Reworked the Docker end-to-end harness to exercise the plugin stdio flow instead of the legacy daemon socket path.
- Refreshed architecture, security, and operator docs to reflect the supported OpenClaw deployment model and remove user-specific host paths.
- Added regression coverage for stdio-only MCP sessions, plugin config without `socketPath`, updated OpenClaw artifacts, and the modernized Docker harness.
## 0.5.7
### Minor Changes
- Added the OpenClaw namespaced secret workflow:
  - `gloves set-identity` now provisions per-agent age identities and namespace recipient files.
  - `gloves set`, `get`, `show`, `updatekeys`, and `rotate` now support agent-scoped OpenClaw secret paths and redacted metadata output.
- Added first-class OpenClaw integration artifacts:
  - Published `gloves.json5` bridge config and `SKILL.md` guidance for agent-safe secret handling.
  - Added Bun-based `@gloves/mcp-client` and `@gloves/openclaw` packages, including native addon loading and environment/tmpfs injection flows.
- Rebuilt `gloves-mcp` around `rmcp` with brokered secret delivery:
  - Supports stdio and Unix-socket sessions with session-token authentication.
  - Exposes typed `gloves_*` tools with redacted responses, approval gating, audit logging, webhook callbacks, and metrics output.
- Added a Docker end-to-end OpenClaw harness:
  - `bun run docker:e2e` now exercises the sandboxed plugin flow, verifies cross-agent denial, and checks that secret plaintext stays out of tool responses and conversation logs.
### Patch Changes
- Added non-expiring secret TTL support for CLI and daemon secret writes:
  - `gloves secrets set ... --ttl never` and daemon `set` requests with `"ttl_days":"never"` now create secrets without an expiry timestamp.
  - Non-expiring secrets survive `gloves verify`, and machine-readable `set` responses now expose `never_expires`.
- Raised the built-in secret/request TTL default from 1 day to 30 days and surfaced secret expiry state in `gloves secrets set` output.
- Hardened OpenClaw approval and transport behavior with HTTPS webhook delivery, tmpfs startup validation, and more explicit configuration/runtime errors.
- Restored `@gloves/openclaw` as the packaged OpenClaw plugin surface.
- Added architecture and security documentation for the brokered-credentials model and linked the new operator guidance from the README.
- Expanded Rust and Bun regression coverage across the CLI, daemon, namespaced store, vault flows, and OpenClaw integration paths, lifting repo-wide Rust line coverage above 90%.
## 0.5.6
### Minor Changes
- Unified machine-readable output controls:
  - Added global `--json` output mode for command results.
  - Kept `--error-format json` support and made it equivalent to `--json` for JSON command output.
- Switched version reporting to flag-first CLI flow:
  - `gloves --version` is the canonical path.
  - JSON version output works with both `gloves --json --version` and `gloves --error-format json --version`.
- Upgraded TUI interaction model for heavy operator use:
  - Added mouse capture with pane-aware vertical and horizontal scrolling.
  - Added `o`/`O` shortcut to focus execution output pane directly.
  - Added horizontal-scroll clamping so panning cannot run past content width.
### Patch Changes
- Fixed JSON consistency for top-level help/version parse paths and success responses so automation receives stable JSON envelopes.
- Fixed `gloves tui` bootstrap handling to support both `--json` and `--error-format=json` before startup commands.
- Refined fullscreen `Enter` behavior in TUI:
  - Enter no longer cycles panes in fullscreen.
  - Pane behavior is now context-aware (commands select/toggle, fields execute while staying focused, output/globals remain focused).
- Updated TUI key/help text and docs to match shipped controls and output semantics.
- Added regression coverage for:
  - JSON alias parity (`--json` vs `--error-format json`)
  - `--version` JSON behavior
  - fullscreen Enter behavior
  - pane-focused mouse/horizontal scrolling and clamp behavior
## 0.5.5
### Minor Changes
- Upgraded `gloves tui` startup flow to auto-load and auto-run a command path passed after `tui`, opening directly in fullscreen output for immediate operator feedback.
- Added horizontal panning support in TUI panes:
  - Output pane supports left/right panning in both split and fullscreen views.
  - Fullscreen command/forms panes support horizontal panning for long rows and field help text.
  - Focused-pane panning shortcuts are available via `Shift+Left/Shift+Right` and `H/L`.
### Patch Changes
- Fixed fullscreen `Esc` behavior to return focus to the command tree first, then allow quit on subsequent `Esc` in split view.
- Hardened output rendering to prevent visual overlap/garbling:
  - Sanitize streamed lines by stripping ANSI sequences and control characters.
  - Keep tabs deterministic via expansion before render.
  - Render output with stable line windows to avoid wrapping artifacts under scroll.
- Refined `help tui` controls text to clearly describe startup autorun, fullscreen escape behavior, and horizontal navigation semantics.
- Added regression coverage for:
  - startup autorun + fullscreen entry
  - fullscreen escape focus reset
  - output sanitization and line-window rendering
  - horizontal scroll key behavior and viewport formatting
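The output sanitization in this release (stripping ANSI sequences and control characters, expanding tabs before render) is also the standard defence against terminal escape injection: a command run through the TUI could otherwise emit sequences that move the cursor, recolour other panes or set the terminal title. The block below is an added example written for this page, not the project's own renderer code. It assumes a 4-column tab stop, and for simplicity treats any escape other than CSI (`ESC [`) and OSC (`ESC ]`) as a two-byte sequence.

```rust
// Added example, not gloves' own code: sanitize one untrusted line of command
// output before it is rendered in a TUI pane. Strips CSI and OSC escape
// sequences and all other C0/C1 control characters, and expands tabs to fixed
// stops so layout is deterministic. TAB_WIDTH is an assumption.

const TAB_WIDTH: usize = 4;

/// Strip escape sequences and control characters from one line of output.
pub fn sanitize_line(input: &str) -> String {
    let mut out = String::with_capacity(input.len());
    let mut chars = input.chars().peekable();
    let mut col = 0usize;
    while let Some(c) = chars.next() {
        match c {
            '\u{1b}' => match chars.peek().copied() {
                // CSI: ESC '[' parameter/intermediate bytes, then a final byte in 0x40..=0x7E.
                Some('[') => {
                    chars.next();
                    while let Some(n) = chars.next() {
                        if ('\u{40}'..='\u{7e}').contains(&n) {
                            break;
                        }
                    }
                }
                // OSC: ESC ']' ... terminated by BEL or by ST (ESC '\').
                Some(']') => {
                    chars.next();
                    while let Some(n) = chars.next() {
                        if n == '\u{07}' {
                            break;
                        }
                        if n == '\u{1b}' {
                            if chars.peek() == Some(&'\\') {
                                chars.next();
                            }
                            break;
                        }
                    }
                }
                // Other escapes such as ESC 'c' (reset): drop the following byte (simplification).
                Some(_) => {
                    chars.next();
                }
                None => {}
            },
            '\t' => {
                let spaces = TAB_WIDTH - (col % TAB_WIDTH);
                for _ in 0..spaces {
                    out.push(' ');
                }
                col += spaces;
            }
            // Remaining C0/C1 controls (CR, BS, BEL, DEL, 0x80..=0x9F) are dropped.
            c if c.is_control() => {}
            c => {
                out.push(c);
                col += 1;
            }
        }
    }
    out
}

fn main() {
    // Constructed hostile input: clear-screen, title change, tab, CR, colour codes.
    let hostile = "\u{1b}[2J\u{1b}]0;pwned\u{07}ok\tvalue\r\u{1b}[31mred\u{1b}[0m";
    println!("{:?}", sanitize_line(hostile));
}
```

The CR and backspace cases matter as much as the colour codes: a line that rewrites itself with `\r` or `\x08` can make a tool response look like something other than what was logged, which is exactly the kind of mismatch the audit trail is supposed to rule out.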
## 0.5.4
### Patch Changes
- Hardened vault driver regression tests to wait for expected command-log content (not just file creation), removing a CI timing race in `mount_passes_extpass_and_idle`.
- Expanded security/operator docs with clearer policy-selection guidance between executable allowlists, URL-prefix policies, and exact template policies.
- Added release runbook guidance for failed tagged publishes (patch bump + new tag flow).
## 0.5.3
### Patch Changes
- Added focused URL-policy matcher unit tests in `cli/commands.rs` to cover host-boundary, path-boundary, and query/fragment validation branches.
- Added integration coverage for exact-authority and exact-path URL-prefix allow cases.
- Restored coverage gate compliance for release publishing.
## 0.5.2
### Minor Changes
- Added config-managed URL policy for `gloves get --pipe-to-args` under `[secrets.pipe.commands.<command>]`, including `require_url` enforcement and per-command URL prefixes.
- Added `gloves audit` command (`--limit`, `--json`) for direct audit log inspection.
- Added `command_executed` audit events for both CLI and daemon actions, including interface and optional target metadata.
### Patch Changes
- Added strict validation for `[secrets.pipe.commands.*]` config entries (bare command names, valid URL prefixes, duplicate checks, and non-empty policy requirements).
- Hardened URL-prefix matching to enforce scheme + authority + path-segment boundaries, preventing host/path prefix bypasses.
- Rejected URL policy prefixes that include query (`?`) or fragment (`#`) components.
- Kept `GLOVES_GET_PIPE_URL_POLICY` as compatibility fallback when config does not define a command URL policy.
- Expanded regression coverage for config URL policy behavior across arbitrary commands, URL mismatch rejection, and require-URL enforcement.
- Added regression coverage for host-boundary and path-segment boundary bypass attempts.
- Expanded audit regression coverage for command event serialization and CLI/daemon logging paths.
- Updated operator docs (`README`, security hardening guide, VM multi-agent guide, config spec) with the new URL policy model and audit usage.
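The URL-prefix hardening above (scheme + authority + path-segment boundaries, and no `?`/`#` in configured prefixes) is the part of this release most worth checking against concrete bypass inputs, since a naive `starts_with` check lets `api.example.com.evil.net` or `/v1evil` through. The block below is an added example written for this page, not the matcher in `cli/commands.rs`; it assumes prefixes are limited to http/https and that authorities are compared literally, so `host:443`, `user@host` and `host` are all treated as different authorities.

```rust
// Added example, not gloves' own code: a URL-prefix policy matcher that
// enforces scheme + authority + path-segment boundaries, plus the prefix
// validation that rejects '?' and '#'. Restricting prefixes to http/https and
// comparing authorities as whole strings are assumptions made here.

#[derive(Debug, PartialEq)]
pub struct UrlParts<'a> {
    pub scheme: &'a str,
    pub authority: &'a str,
    pub path: &'a str, // always starts with '/'
    pub query_or_fragment: Option<&'a str>,
}

/// Split a URL into scheme, authority, path and whatever follows '?' or '#'.
pub fn split_url(url: &str) -> Option<UrlParts<'_>> {
    let (scheme, rest) = url.split_once("://")?;
    let scheme_ok = !scheme.is_empty()
        && scheme.chars().all(|c| c.is_ascii_alphanumeric() || "+-.".contains(c));
    if !scheme_ok {
        return None;
    }
    let (authority, after) = match rest.find(|c: char| c == '/' || c == '?' || c == '#') {
        Some(i) => (&rest[..i], &rest[i..]),
        None => (rest, ""),
    };
    if authority.is_empty() {
        return None;
    }
    let (path, query_or_fragment) = match after.find(|c: char| c == '?' || c == '#') {
        Some(i) => (&after[..i], Some(&after[i..])),
        None => (after, None),
    };
    let path = if path.is_empty() { "/" } else { path };
    Some(UrlParts { scheme, authority, path, query_or_fragment })
}

/// A configured prefix must be an http(s) URL with no query or fragment.
pub fn validate_prefix(prefix: &str) -> Result<(), String> {
    let p = split_url(prefix).ok_or_else(|| format!("invalid URL prefix: {}", prefix))?;
    if p.scheme != "http" && p.scheme != "https" {
        return Err(format!("unsupported scheme in prefix: {}", p.scheme));
    }
    if p.query_or_fragment.is_some() {
        return Err(format!("prefix must not contain '?' or '#': {}", prefix));
    }
    Ok(())
}

/// True when `url` is covered by `prefix`: identical scheme and authority
/// (ASCII case-insensitive) and a path equal to the prefix path or extending
/// it at a '/' boundary. Whole-authority and whole-segment comparison is what
/// keeps "api.example.com.evil.net" and "/v1evil" from matching "api.example.com/v1".
pub fn url_matches_prefix(url: &str, prefix: &str) -> bool {
    if validate_prefix(prefix).is_err() {
        return false;
    }
    let (u, p) = match (split_url(url), split_url(prefix)) {
        (Some(u), Some(p)) => (u, p),
        _ => return false,
    };
    if !u.scheme.eq_ignore_ascii_case(p.scheme) || !u.authority.eq_ignore_ascii_case(p.authority) {
        return false;
    }
    // Dot segments would let "/v1/../admin" pass a textual check; refuse them.
    if u.path.split('/').any(|seg| seg == "." || seg == "..") {
        return false;
    }
    let prefix_path = p.path.trim_end_matches('/');
    if prefix_path.is_empty() {
        return true; // prefix path "/" covers every path on that authority
    }
    match u.path.strip_prefix(prefix_path) {
        Some(rest) => rest.is_empty() || rest.starts_with('/'),
        None => false,
    }
}

fn main() {
    let policy = "https://api.example.com/v1";
    // Constructed candidates: one legitimate, three classic prefix bypasses.
    for candidate in [
        "https://api.example.com/v1/users",
        "https://api.example.com/v1evil",
        "https://api.example.com.evil.net/v1/users",
        "https://api.example.com@evil.net/v1/users",
    ]
    .iter()
    {
        println!("{} -> {}", candidate, url_matches_prefix(candidate, policy));
    }
}
```

Note the asymmetry: the candidate URL handed to `--pipe-to-args` may carry a query string (it is ignored for matching), but a configured prefix may not, because a `?` or `#` in the prefix would silently turn the path boundary into a substring match. The `user@host` case is rejected here only because the whole authority differs; a matcher that compared hostnames after stripping userinfo would need its own check for that form.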
## 0.5.0
### Minor Changes
- Split OpenClaw skill packaging into `gloves-cli-usage` and `gloves-setup-migrate` with a hard break from `gloves-cli`.
- Added a dedicated setup and migration skill covering bootstrap, ACL migration, optional separate roots, GPG fingerprinting, audit verification, and rollback checklists.
- Updated `setup-openclaw.sh` to install both skills by default, added `--skills-dest`, and kept `--skill-dest` as a deprecated alias.
- Added installer regression coverage for two-skill installation, summary output, and explicit-missing-skill failures.
- Updated README and release docs to reflect the two-skill installation and usage paths.
## 0.4.1
### Patch Changes
- Added extensive ACL regression coverage for all ACL-gated secret operations, including request/approve/deny path matching and deny-by-default cases.
- Added daemon coverage for request parsing, error responses, and runtime handling branches to keep CI coverage thresholds stable.
- Expanded operator docs with a complete secret ACL operation map and multi-agent ACL config examples.
- Added `pass`-to-agent handoff guidance to the `gloves-cli` skill and command reference, including ACL requirements and `gpg denied` troubleshooting.
## 0.4.0
### Minor Changes
- Added native per-agent secret ACL policy under `[secrets.acl.<agent>]` with path pattern validation and operation-level enforcement.
- Enforced ACLs across `set/get/list/revoke/request/status/approve/deny`, including list filtering and hardening against `--no-config` bypass for the same root.
- Added secure `get --pipe-to <command>` support with command allowlisting via `GLOVES_GET_PIPE_ALLOWLIST` and non-TTY raw-output blocking by default.
- Added per-agent GPG key management commands (`gpg create`, `gpg fingerprint`) with `gpg_key_created` audit events.
- Hardened GPG key generation for deep or relative runtime roots by routing through a short stable homedir alias and added regression coverage.
## 0.3.3
### Patch Changes
- Fixed vault mount config resolution by extending discovery to walk from `--root` when cwd-based discovery does not find `.gloves.toml`.
- Fixed failed mount cleanup to terminate the spawned foreground `gocryptfs` process first and avoid unconditional `fusermount -u` noise on non-mounted paths.
- Increased vault mount readiness timeout from 3s to 10s to reduce false-negative readiness failures on slower environments.
- Updated unmount execution to capture `fusermount` stderr and return structured errors instead of leaking raw cleanup noise to CLI output.
- Added regression tests for root-based config discovery on mount and for suppressing misleading cleanup stderr in missing-binary mount failures.
- Documented that `set --stdin` trims trailing CR/LF bytes.
## 0.3.2
### Patch Changes
- Fixed vault extpass wiring by introducing an internal `extpass-get` helper with explicit environment propagation, removing shell-quote dependent command construction.
- Fixed CLI output handling to gracefully tolerate broken pipes and preserve exact raw bytes for `gloves get` (no lossy UTF-8 conversion, no forced newline).
- Fixed vault bootstrap defaults to honor configured `agent_id`, `vault_secret_ttl_days`, and `vault_secret_length_bytes` values.
- Fixed vault mount error handling to clean up failed mount sessions and propagate actionable missing-binary diagnostics.
- Added regression coverage for extpass env requirements, raw-byte secret output, broken-pipe behavior, vault defaults wiring, mount cleanup, and driver error propagation.
## 0.3.1
### Patch Changes
- Fixed GitHub publish workflow macOS matrix to use supported runners for Intel macOS artifacts.
- Added GitHub Release binary assets and SHA-256 checksum publishing in CI.
- Updated OpenClaw setup script to install prebuilt release binaries by default, with source fallback.
## 0.3.0
### Minor Changes
- Replaced runtime `rage`/`rage-keygen` subprocess crypto with in-process `age` library encryption/decryption (rage project format).
- Removed runtime dependency on external rage binaries for `set`/`get`/daemon secret operations.
- Updated setup/docs/tests/CI to reflect the in-process crypto backend.
## 0.2.0
### Minor Changes
- Added encrypted vault lifecycle support with init, mount/unmount, status/list, session TTLs, and trusted file handoff prompts.
- Added `.gloves.toml` bootstrap config parsing and validation with discovery precedence (`--config`, `GLOVES_CONFIG`, parent discovery, `--no-config`).
- Added CLI runtime wiring for config-driven defaults, plus new `config validate` and `access paths` commands.
- Added vault runtime mode enforcement (`auto`, `required`, `disabled`) with dependency checks for `gocryptfs`, `fusermount`, and `mountpoint`.
- Updated direct dependencies to latest stable releases and applied compatibility updates for crypto and security crates.
## 0.1.1
### Minor Changes
- Added TCP sidecar daemon mode for OpenClaw-compatible supervisor deployments.
- Enforced daemon bind safety checks (loopback-only and non-zero port) with startup preflight support.
- Added integration coverage for daemon request/response behavior and invalid input handling.
- Added hardened `systemd` user unit templates for daemon runtime and periodic verify tasks.
- Updated README and skill command references for sidecar operation and endpoint matching.
## 0.1.0
### Minor Changes
- Initial release of `gloves`, a dual-backend secrets manager for OpenClaw-style and other multi-agent runtimes.
- Added agent-owned secret storage with age-format encryption and checksum integrity validation.
- Added human-owned secret access flow via `pass` with request/approve/deny/status lifecycle.
- Added runtime security controls: restricted file permissions, append-only audit logging, and TTL-based expiry reaping.
- Added CLI command suite: `init`, `set`, `get`, `env`, `request`, `approve`, `deny`, `list`, `revoke`, and `verify`.