#314
swamp issue get should rate-limit unauthenticated users instead of blocking
2h ago
#313
swamp issue get should not require authentication
2h ago
#312
telemetry: emit child entries for follow-up action method invocations
7h ago
#311
Publish release-candidate / unstable extension versions
8h ago
#310
extension source rm leaves stale @local/. rows in catalog, blocking later pulls of registry types
s3h ago
#309
extension push drops binaries: field from re-emitted archive manifest.yaml
s3h ago
#308
macOS launchd autoupdate (club.swamp.autoupdate) silently fails — binary stays stale
s2h ago
#307
Clicking @hivemq/honeycomb extension card on /extensions shows 'Something went wrong'
4h ago
#306
Docs: Update model-definitions.md and workflows.md for direct type execution
s3h ago
#305
Docs: document binaries manifest field in extension-manifest.md
s1d ago
#304
Add an official @swamp/ssh extension for general-purpose SSH (brownfield-friendly)
1d ago
#303
Accept and display binaries field from extension push metadata
s1d ago
#302
Direct type execution: collapse model create + method run into one command
s1d ago
#301
Per-method telemetry events for workflow runs
k1d ago
#300
Workflow run liveness: orphaned 'running' records when originating CLI process dies mid-run
2d ago
#299
Provide a CLI-shape primer for AI agents to reduce rediscovery overhead
s2d ago
#298
quality rubric: don't penalize extensions whose upstream constrains them to a single platform
s2d ago
#297
Extension update rejects multiple .ts files extending the same target type within one local extension (regression)
2d ago
#296
swamp extension push deadlocks when invoked from inside a swamp workflow step
s2d ago
#295
Collective-scoped auth keys + OIDC federation for CI publishing
2d ago
#294
forEach self.* in modelIdOrName not resolved in runtime execution path
s2d ago
#293
Award leaderboard points for referrals and collective invites
2d ago
#292
Add agent harness detection and AiTool to telemetry
k3d ago
#291
Workflow-level runtime expressions (env.*, vault.*) not resolved in driverConfig — docker driver receives literal ${{ ... }} strings
3d ago
#290
Implement W5: Per-fingerprint import URLs + subprocess test harness (extension catalog rearchitecture)
3d ago
#289
swamp config set crashes with YAML serialization error
s3d ago
#288
datastore compact: VACUUM fails in compiled binary (SQLITE_LIMIT_ATTACHED=0)
s3d ago
#287
Repo-level version gating: minSwampVersion high-water mark for team consistency
3d ago
#286
Docs: document self.* expressions in modelIdOrName during forEach
s3d ago
#285
Docs: How-to guide for background autoupdating
s3d ago
#284
Manifest version bumps silently ignored for existing local extension aggregates
s3d ago
#283
materialiseExtensions misclassifies pulled rows when manifest name collides with a pulled extension
s3d ago
#282
Local extension edits don't reliably trigger rebundle
3d ago
#280
Missing unique indexes on user.email and user.username allow duplicate users
k3d ago
#279
Resolve self.* expressions in modelIdOrName during forEach expansion
s3d ago
#278
discord-bot double-sends sign_up notifications
k3d ago
#277
Discord bot sends duplicate signup notifications
3d ago
#276
Add 'swamp workflow list' as alias for 'swamp workflow search'
s3d ago
#275
Add 'swamp auth status' as alias for 'swamp auth whoami'
s3d ago
#274
Extension bundle cache does not invalidate on source edits
s3d ago
#273
extension pull fails on @local/[email protected] phantom-claim collision when local repo has its own extension
s3d ago
#272
Lab search by numeric issue ID returns no results
s3d ago
#271
W3 sourceToRow writes empty source_mtime — should carry filesystem mtime through Source entity
s2d ago
#270
Warm-start rebundleAndUpdateCatalog should respect terminal RowStates set by reconcile
2d ago
#269
Implement W4: KindAdapter + unified loader (extension catalog rearchitecture)
s2d ago
#268
Docs: add vault read-secret command to reference manual
s4d ago
#267
Extension layer garbage collection: prune catalog rows + evict orphaned bundles
4d ago
#266
Docs: document workflow concurrency limits in reference manual
s4d ago
#265
Locally-sourced extension: source_mtime updates without regenerating stale bundle
s4d ago
#264
Extension push: allow shipping executable host helpers (bin/mudroom blocker)
s1d ago
#263
Vault expressions silently deliver __SWAMP_VSEC__ sentinels under the docker driver
s4d ago
#262
First-class shell-shim support for extensions, with registry-level visibility
4d ago
#261
Local extension model bundles don't rebuild when source changes (no rebuild CLI; manual cache delete breaks the runner)
s4d ago
#260
Configurable concurrency limits for workflow fan-out (forEach, parallel jobs/steps)
s4d ago
#258
feat(security): redact sensitive method arg values from audit log
s5d ago
#257
docs: document swamp datastore compact and GC WAL behaviour
5d ago
#256
UAT: swamp datastore compact reclaims WAL and catalog space
4d ago
#255
Plan v4 step 9 literal test untestable under current catalog PK semantics
5d ago
#254
Cross-process concurrency stress for W2 lifecycle services
s4d ago
#253
UAT additions for W2 lifecycle services (Install/Remove/Upgrade)
4d ago
#252
Implement W3: ReconcileFromDisk + freshness-as-aggregate-query (extension catalog rearchitecture)
s4d ago
#251
doctor extensions repair: clean catalog-only orphans
4d ago
#250
Extensions should be able to ship Claude Code skills
s5d ago
#249
Pre-existing TOCTOU windows in YAML repo walkers (findAll directory level + findById)
s5d ago
#248
`swamp datastore setup` migration is not resumable / leaves the repo in a partial state on failure
s3d ago
#247
Built-in models must honor AbortSignal so --timeout works in practice
s5d ago
#246
Reader-lock or lock-free read path for data list/get/search/query
s4d ago
#245
data search: surface jobTag alongside workflowTag and stepTag (follow-up to #237)
s5d ago
#244
global-arg silently strips unknown keys; should reject via strict Zod schema
s5d ago
#242
redmine extension: adopt state machine patterns from @magistr for agent-driven workflows
5d ago
#241
performance degrades significantly with large SQLite catalog
s5d ago
#240
summarise: timeout/hang on repos with many workflow runs
s5d ago
#239
extension quality/fmt fail on pulled extensions (path mismatch)
s4d ago
#238
vault: add read-secret CLI command for agent-driven secret retrieval
s4d ago
#237
data query: stepName and jobName fields always empty in CEL results
s5d ago
#236
Extension ecosystem: shared utility library, version sync tooling, and HTTP resilience patterns
5d ago
#235
Agentic CLI improvements: --json stdout isolation, array inputs, and --repo-dir consistency
s5d ago
#234
data delete fails with "Directory not empty (os error 39)" when concurrent writes are active
s5d ago
#233
Extract LockfileRepository (W2 prequel for swamp-club#231)
s6d ago
#232
Extend DatastoreSyncService.markDirty() with optional relPath argument
k6d ago
#231
Implement W2: Lifecycle services own the catalog write (extension catalog rearchitecture)
s5d ago
#230
data·delete logger double-quotes the data name in log output
s6d ago
#229
DDD: refactor data services to depend on domain-side ports instead of infrastructure types
s6d ago
#228
Detect AWS CredentialsProviderError in @swamp/aws-sm-vault and prepend SSO-expiration hint
s4d ago
#227
Opt-in background autoupdate for the swamp binary (configurable cadence + risk tolerance)
s3d ago
#226
Detect AWS CredentialsProviderError in summarizeSyncError and prepend SSO-expiration hint
s6d ago
#225
S3 datastore hydrate has no fallback for buckets without .datastore-index.json
s6d ago
#224
S3 datastore stale-lock retry loop never evicts orphan locks left by swamp processes that panic at shutdown
s6d ago
#223
Implement W1b: Repository and RowState (extension catalog rearchitecture)
s6d ago
#222
Redundant push after pullChanged: localMtime clobbered by pullIndex(forceRemote)
s6d ago
#221
Docs: update datastore-configuration manual after #220 setup-hydration fix lands
s6d ago
#220
workflow run search returns empty after S3 datastore setup, despite run YAMLs in datastore
s6d ago
#219
CLI crashes with exit 134 (Rust panic in tls_wrap.rs) after successful command output
s5d ago
#218
S3 datastore global lock enters infinite stale-lock loop after interrupted workflow
s6d ago
#217
swamp-extension-model skill: include description field in upgrades quickref
s6d ago
#216
swamp-extension-model skill: include field in upgrades quickref
7d ago
#215
Adversarial UAT test: missing cached bundle with intact catalog should self-recover
4d ago
#214
Port importBundleByPath ENOENT fallback to datastore/driver/vault/report loaders
4d ago
#213
`swamp datastore setup` (filesystem→S3 migration) panics in deno Node TLS layer mid-migration
5d ago
#212
swamp model type describe fails with 'No such file' instead of rebundling when bundle is missing
k8d ago
#211
Implement W1: Repository and RowState (extension catalog rearchitecture)
s6d ago
#210
feat: swamp extension verify — opaque extension-lifecycle verification primitive
9d ago
#209
Schema-invalid extensions loop in rebundle path: catalog row never updates after first failed validation
s9d ago
#208
swamp model type search is slow (~8s) and re-bundles all extensions on every call
s9d ago
#207
Per-extension layout migration drops Claude skill from @magistr/good-planning
s9d ago
#206
swamp extension outdated crashes on empty repo (Stream ended...)
s9d ago
#205
Docs: extension install/pull/update sync-to-manifest behaviour
9d ago
#204
Add process-level install lock around installExtension
s9d ago
#203
Docs: extension commands reference
s9d ago
#202
swamp extension install/pull does not prune source files dropped between versions, causing catalog to re-index orphans
s9d ago
#201
Catalog retains stale source-file entries when extension version drops a file; no native prune/repair
4d ago
#200
Document and surface a native cache-refresh path so agents stop doing cache surgery
4d ago
#199
swamp should warn when installed extensions are outdated
s9d ago
#198
Catalog retains stale source-file entries when extension version drops a file; no native prune/repair
9d ago
#197
Document and surface a native cache-refresh path so agents stop doing cache surgery
9d ago
#196
swamp should warn when installed extensions are outdated
9d ago
#195
Skill/prompt guidance: prefer the bundled deno when no system deno is on PATH
s9d ago
#194
Vault backend backed by GitHub Actions Secrets (read via gh token)
s2d ago
#193
Re-enable Windows tests as deno compile for Windows lands
9d ago
#192
swamp-club extension card no longer exposes @ns/slug as contiguous text
k10d ago
#191
Docs: multi-tool repo support
s10d ago
#190
swamp vault: vendor-specific annotations (e.g. 1Password notesPlain, tags, custom fields)
10d ago
#189
swamp model method run: --foreach to fan out across instances
11d ago
#188
swamp workflow validate: actionable error messages and template scaffolds
11d ago
#187
swamp CLI cold-start latency (~5–7 s per invocation) compounds in workflows that shell out
11d ago
#186
Workflow tasks should support ephemeral model instances (modelType + globalArgs) so workflows are zero-prereq
11d ago
#185
CEL expression evaluator throws 'Unhandled node type: string'
s10d ago
#184
cli: agents need to add ripples (comments) to issues via the CLI
s11d ago
#183
quality: models and additionalFiles paths resolve relative to different directories
s11d ago
#182
quality: has-readme/has-license miss additionalFiles in subdirectories
s11d ago
#181
Add swamp data delete command to remove a data artifact by model and name
s6d ago
#180
add `swamp doctor extensions` subcommand for on-demand extension load diagnostics
s10d ago
#179
AI agent skipped adversarial review step before smoke testing extension code
s12d ago
#178
Better Auth rejects requests on hostnames not in hardcoded trustedOrigins (signup/signin broken on non-canonical hosts)
k13d ago
#177
Local extension models in extensions/models are not discovered in fresh repo tutorial flow
s12d ago
#176
ticket 1138 not clear - can we still use github?
12d ago
#175
Drag Windows into the Swamp
s12d ago
#174
Add `swamp extension test` command to run built-in extension tests with coverage
4d ago
#173
swamp repo init --tool kiro does not create .kiro/settings/cli.json
s12d ago
#172
Support multi-agent repo initialization (multiple --tool targets)
s6d ago
#171
CLI dumps 300-line Cliffy Command object on unknown flags / subcommands
s13d ago
#170
Docs: repository-configuration.md missing defaultDriver / defaultDriverConfig
ks10d ago
#169
Server-side parse query params on /lab/all so refresh preserves multi-filter URLs
k4d ago
#168
fast-path sidecar TOCTOU: post-op HEAD can record generation from a concurrent writer's push, masking their data on next sync
s16d ago
#167
Scorer should honour files/deno.json imports so bare specifiers resolve
s16d ago
#166
@swamp/gcs-datastore: same minutes-slow zero-diff sync cliff as lab/164; mirror fingerprint fast path
s16d ago
#165
cleanup for repoDriver
k16d ago
#164
swamp datastore sync is minutes-slow at 4k-file scale even with zero-diff; outer 300s timeout fires
s16d ago
#163
swamp-extension-publish skill: add quality rubric check before push
s16d ago
#162
New @swamp extension: extension quality rubric checker for CI
s16d ago
#161
swamp-extension-quality and swamp-extension-publish skills don't guide zod import map resolution for scorer
s16d ago
#160
swamp repo upgrade deletes extension model source files
s16d ago
#159
Add repo-level `defaultDriver` to `.swamp.yaml`
k16d ago
#158
User report extensions registered lazily are silently skipped during method execution
s16d ago
#157
swamp extension install: datastore push hangs ~8.5m then crashes with Deno TLS panic (tls_wrap.rs:1918 unwrap on None)
s17d ago
#156
Add a preflight diagnostic for AI-tool audit integrations (so upstream CLI changes stop breaking us silently)
s16d ago
#155
audit record --from-hook silently drops input from kiro-cli postToolUse hooks
17d ago
#154
codegen pipelines don't detect _lib/*.ts changes so manifest CalVer never bumps
16d ago
#153
Link to namespace extensions listing from profile pages
s17d ago
#152
Trailing slash on /extensions/@<namespace>/ returns 404
s17d ago
#151
No way to browse all extensions belonging to a collective by URL
s17d ago
#150
DatastoreProvider.resolveCachePath declared optional but silently required at runtime
s17d ago
#147
Accept-invite link returns HTML instead of JSON, breaking collective join
s18d ago
#146
additionalFiles flatten to basenames on push and lack a runtime access API, creating a source-vs-pulled layout mismatch
s18d ago
#145
Extension search returns inflated results for quoted phrase queries
s18d ago
#144
Docs: document jsr:/https: imports and non-local pinning convention in user-facing manual
s19d ago
#143
First-class jsr: specifier support in extension bundler
s19d ago
#142
Cross-extension code sharing via manifest exports field
14d ago
#141
Extension models: document/resolve implicit-any in execute parameters when imported by test files
s19d ago
#140
extension yank: allow unyank and version-specific yanks
s19d ago
#139
extension source add does not discover brand new types — only overrides already-pulled types
s19d ago
#138
Add light mode to swamp.club and swamp open UI
3d ago
#137
Add 'swamp open' command to open the swamp.club web UI
10d ago
#136
Add light mode to swamp.club website
10d ago
#135
Datastore sync surfaces opaque errors from extensions verbatim — no status code or body preview
s20d ago
#134
@swamp/s3-datastore: first-attempt 403 masked as "UnknownError" from AWS SDK deserializer
20d ago
#133
Extension auto-resolve reports "already_installed" for truncated pulled-extension trees
20d ago
#131
Email delivery for mention notifications
4d ago
#130
Auto-update WARN is silent in --json mode (logger suppresses non-fatal)
s20d ago
#129
open.ts web UI uses force:true pullExtension, same data-loss family as #126
s20d ago
#128
Port bundle_freshness (content-fingerprint cache invalidation) to reports / drivers / datastores / vaults loaders
s20d ago
#127
Mentions and notifications system for issues
s20d ago
#126
Datastore auto-update in resolve_datastore.ts uses force:true, risking silent overwrite of local edits
s22d ago
#125
Per-repo user-extension bundle cache doesn't invalidate on source changes
s23d ago
#124
Adding methods to in-body `methods:{}` on `export const model` doesn't re-register
s16d ago
#123
User extensions silently dropped when base type not yet registered at scan time
s23d ago
#122
Footer floats when page content is shorter than viewport
s19d ago
#121
workflow validate can silently overwrite local edits to pulled extensions via force-pull in auto-resolver
s23d ago
#120
Extension pull should namespace files by extension to prevent filename collisions
s23d ago
#119
Update CLAUDE.md co-author instructions to use swamp-club issue author lookup
s25d ago
#118
Add swamp issue get CLI command to fetch issue details
s4d ago
#117
swamp-club API: include issue author in GET /api/v1/lab/issues/{number} response
s25d ago
#116
Install command curl-pipe-sh overflows the component on swamp.club homepage
s25d ago
#115
'Assigned to me' overlaps 'Privacy policy' on short viewports
s25d ago
#114
Collapsible left rail and repositionable right rail in Lab
k24d ago
#113
Usernames aren't linked to their profile pages
k24d ago
#112
Filter lab issues by author (opened by user)
k24d ago
#111
Add skills extension type for bundling agent/human guidance documents
s26d ago
#110
Remove traffic lights in column 2 of /lab
ks23d ago
#109
Multi-select combo filtering on /lab
k24d ago
#108
data gc skips version-count GC when no lifetime-expired data exists
k27d ago
#107
Content filter should identify the flagged word or phrase
k27d ago
#106
Bog flow: text rendering and layout issues
k24d ago
#101
Flow modal: text rendering issues
k24d ago
#99
Normalize text sizing across issue list and detail views
k27d ago
#98
Description 'Show more' button appears even when text fits
k27d ago
#97
Inline editing: click-to-edit fields instead of pencil icons
ks19d ago
#96
Persist lab filter selection in localStorage
k15d ago
#95
Update how-to guide with swamp-extension-publish skill
s27d ago
#94
Fix incorrect favicon in Google search results
27d ago
#93
Missing section on user profile page for wendy
s27d ago
#92
Extension skills missing repository initialization and publishing prerequisites
s27d ago
#91
Vault CEL expressions replaced with VaultSecretBag sentinels after model type upgrade
k28d ago
#90
Audit: modelRegistry.get() without ensureTypeLoaded() in YAML repository save() paths
s27d ago
#89
Cross-model expression validator fails on lazy-loaded types — modelRegistry.get() bypasses ensureTypeLoaded
29d ago
#88
forEach.in with data.latest() throws misleading 'got: object' error for unresolved Promise
s27d ago
#86
issue-lifecycle models should support --assignee for swamp.club issues
s29d ago
#85
Driver capability registry: declare richer execution capabilities at driver design time
s4d ago
#84
Consolidate MethodReportContext construction — manual and workflow report paths build contexts divergently
s26d ago
#83
Workflow-level workspace for docker driver: stateful multi-step workflows
s4d ago
#82
"OG Swamper" badge inconsistent
k29d ago
#81
Workflow-scope user extension reports don't execute: getAll() excludes lazy-loaded reports
s29d ago
#80
Improve skill trigger routing accuracy across models
s26d ago
#66
Add GitHub Copilot IDE support
s25d ago
#65
Phase 1: /feed — judge-gated content stream
k17d ago
#64
Add reactions and Giphy integration to comments
24d ago
#63
Architecture violation: search route imports directly from lib/infrastructure
s1mo ago
#62
Introduce domain events to formalize the telemetry-to-consumer pipeline
24d ago
#61
Refactor: move telemetry track() calls from route handlers to application services
s1mo ago
#59
Reindex path feeds error events to consumer, bypassing filtering
s29d ago
#58
Custom swamp-themed avatar generator with daily rerolls
4d ago
#57
Profile content links with scoring for community contributions
17d ago
#56
Score extension pull events for extension authors
s1mo ago
#55
Score daily sign-in events with streak multiplier
s29d ago
#54
Score sign_up events in the telemetry pipeline
17d ago
#53
Score extension publish events in the telemetry pipeline
s29d ago
#52
Add 'award' telemetry event type for arbitrary score grants
4d ago
#51
Bug: authenticated pulls always shows 0 on profile page
23d ago
#50
Decouple identity_map from main app: username renames via event, not shared DB
24d ago
#49
Optimise MongoDB Search Queries
24d ago
#48
Transactional emails on login with google/similar
24d ago
#47
Add rate limiting to send-verification-email endpoint
24d ago
#46
Add authentication or rate limiting to check-verified endpoint
24d ago
#45
swamp data query for morning-message in hello-world tutorial returns nothing.
a29d ago
#44
Document vault migrate command in reference docs
s1mo ago
#43
Locks on long running actions
1mo ago
#42
issue-lifecycle skill: improve resumption and close-out guidance
s1mo ago
#41
deprovision: firewall deletion fails with resource_in_use immediately after server delete
s17d ago
#40
swamp workflow validate should check step inputs against method's required arguments
s1mo ago
#39
data.latest() returns null when new data written while _catalog.db is already marked populated
a1mo ago
#38
Bundle cache fallback silently skipped when source and bundle have equal mtimes
s1mo ago
#37
Add vault migrate command to move secrets between vaults
s1mo ago
#35
Consolidate method execution paths — workflow steps and manual runs build MethodContext divergently
k29d ago
#33
CatalogStore constructor runs createSchema before migrateIfNeeded; v1→v2 upgrade fails on existing repos
a1mo ago
#32
discord-bot poller double-processes events with >1 replica
1mo ago
#31
datastore sync: clean up zombie _catalog.db* entries from remote index and S3 bucket
1mo ago
#30
datastore sync --push runs pushChanged() twice per invocation (coordinator dedup)
1mo ago
#29
datastore sync --push fails on _catalog.db-wal: catalog SQLite DB lives inside the S3 sync cache
1mo ago
#28
.swamp/datastore-bundles/ leaks into deno lint and deno fmt scans
1mo ago
#27
deno run audit task missing --allow-env flag
1mo ago
#26
Error when submitting a new issue manually
1mo ago
#25
Green text on issue details is a lot
1mo ago
#24
evals/promptfoo: bump hono and @hono/node-server to clear 6 dependabot alerts
1mo ago
#21
issue-lifecycle: COMMENTED PR review can overwrite a prior decisive state in fetchPrReviews
17d ago
#20
Add agent-constraints/ for issue-lifecycle skill
17d ago
#19
@swamp/aws/ec2: auto-generated models lack list, tag, and factory-compatible update methods
1mo ago
#18
@swamp/digitalocean/space-key stores secret in plaintext - should mark as sensitive
1mo ago
#17
Add Azure provider pipeline to codegen
6d ago
#16
feat: Namespace.so execution driver for remote workload execution
29d ago
#15
Add macOS Keychain vault type
24d ago
#14
Add uniform bucket-level IAM support to @swamp/gcp/storage
1mo ago
#13
Expand DataRecord with first-class provenance fields; remove all hidden scoping from data access
a1mo ago
#12
feat: Private extensions
1mo ago
#11
Workflow execution repeats #1091: cross-model CEL expression validation fails for unresolved types
s23d ago
#10
context.readModelData returns different results depending on invocation context (manual vs workflow)
s23d ago
#9
Handle sensitive fields gracefully when no vault is configured
s1mo ago
#8
Vault reads for model global arguments are cached at workflow start, making in-workflow token refresh ineffective
24d ago
#7
feat: approval gates for workflow steps and jobs
24d ago
#6
Install script: curl fails TLS verification for swamp.club (certificate chain)
14d ago
#5
Extension Patches: contribution workflow for community extensions
4d ago
#4
Feature: swamp issue for extensions — bug reports, security disclosures, and author notifications
s18d ago
#3
Support 'swamp <app> run' as containerized entrypoint for easy onboarding
1mo ago
#2
Persistent runner / server mode to eliminate per-invocation CLI startup overhead
16d ago
#1
feat: add support for Nix via a flake
20d ago
← Back to list4/30/2026, 2:23:43 PM
01Issue
FeatureOpenSwamp CLI
AssigneesNone
#190 swamp vault: vendor-specific annotations (e.g. 1Password notesPlain, tags, custom fields)
Opened by bixu · 4/30/2026
Problem
The swamp vault CLI exposes only key/value semantics: put, get, list-keys. Inside an extension model, this means there's no way to attach contextual metadata to a stored secret — for example, the rotation history line Rotated <ISO timestamp> that the bash predecessor of an SSH-key rotation extension writes via op item edit … notesPlain=….
When the underlying vault provider is 1Password, items have a rich field model: notesPlain, tags, custom [concealed]/[text] fields. The same goes for AWS Secrets Manager (Description, Tags) and probably other providers we'd want to support. None of that is reachable through swamp vault.
Use case (real)
Working on a swamp extension model for SSH-key rotation on Harvester nodes (PLT-487 in hivemq/hivemq-terraform-harvester). The bash script that this model replaces appends a rotation timestamp to the 1Password item's notesPlain field on every rotate, giving operators a vault-side audit trail. To stay vault-agnostic and use only swamp vault put + swamp vault list-keys, we had to drop that audit trail entirely — operators now rely on stdout logs.
Proposed solution
A vault-provider-aware annotation API. Two API shapes worth considering:
A. Generic annotate subcommand
swamp vault annotate <vault> <key> <annotation-name> <value><annotation-name> is provider-defined. For @swamp/1password: notesPlain, tags, or any custom field name. For @swamp/aws-sm: Description or Tags. The built-in vault could no-op or store annotations in a sidecar.
B. --metadata key=value flag on swamp vault put
echo \"\$SECRET\" | swamp vault put my-vault MY_KEY --metadata notesPlain=\"Rotated 2026-04-30T12:00:00Z\"Same provider-defined keys, but co-located with the put.
Either way: in-model TS access via the swamp model context (e.g. a vault helper that lets a method write annotations alongside the secret).
Alternatives considered
- Drop the audit trail entirely (current workaround) — what we did for now. Loses vault-side visibility.
- Shell out to
op item editdirectly from inside the model — bypasses swamp's vault abstraction, couples model to 1P, breaks if anyone migrates the vault to a different backend. - Sibling vault key per metadata field (e.g.
MY_KEY_ROTATION_LOG) — works for read-modify-write of multi-line text, but pollutes the keyspace andswamp vault list-keysoutput, and there's no way to atomically update both the value and the metadata.
Context
- swamp `20260429.224106.0-sha.e4033bbc`
@swamp/1password2026.04.22.2- Discovered while writing
bootstrapandrotatemethods for@hivemq/host-kernel-ssh(hivemq/hivemq-terraform-harvester#212).
02Bog Flow
Open
No activity in this phase yet.
03Sludge Pulse
Sign in to post a ripple.