yep yep yep

Move the aws-sm, azure-kv, and 1password vault providers from built-in types to extension vaults, installable via swamp extension pull. This reduces core binary size, makes vault providers independently updatable, and dogfoods the extension vault system.

After migration, only local_encryption (and mock for testing) remain as built-in vault types.

Motivation

The extension system already fully supports vault extensions (UserVaultLoader, bundleExtension, extension pull)
Vault providers with external SDK dependencies (AWS, Azure) shouldn't be baked into the core binary
Makes it easier to add new vault providers without core releases

Plan

Phase 1: Create extension vault packages

Create three extensions publishable to swamp.club:

@swamp/aws-sm — wraps AwsVaultProvider with Zod configSchema + createProvider
@swamp/azure-kv — wraps AzureKvVaultProvider
@swamp/1password — wraps OnePasswordVaultProvider

Each exports a vault object matching the UserVaultSchema expected by UserVaultLoader.

Start with @swamp/1password as proof-of-concept — it only shells out to op CLI (no npm SDK dependencies), so bundling is trivially safe.

Phase 2: Validate SDK bundling

Test that deno bundle correctly inlines @aws-sdk/client-secrets-manager, @azure/identity, and @azure/keyvault-secrets into extension bundles. This is the main technical risk — if bundle size or correctness is an issue, we may need to explore alternatives (e.g. external dependency support in the bundler).

Phase 3: Publish to swamp.club

Push all three extensions to the registry:

swamp extension push @swamp/aws-sm
swamp extension push @swamp/azure-kv
swamp extension push @swamp/1password

Phase 4: Add migration guidance in VaultService

When VaultService.fromRepository() encounters a vault config with a type that's been migrated but the extension isn't installed, surface a clear error:

Vault 'my-aws-vault' uses type 'aws-sm' which is no longer built-in.
Install it with: swamp extension pull @swamp/aws-sm

Update RENAMED_VAULT_TYPES to map old names to new extension names:

const RENAMED_VAULT_TYPES: Record<string, string> = {
  "aws": "@swamp/aws-sm",
  "aws-sm": "@swamp/aws-sm",
  "azure": "@swamp/azure-kv",
  "azure-kv": "@swamp/azure-kv",
  "1password": "@swamp/1password",
};

Important: The migration error must fire after type remapping, checking if the remapped type is registered in the vault type registry.

Phase 5: Remove from core

vault_types.ts: Remove aws-sm, azure-kv, 1password from BUILT_IN_VAULT_TYPES
vault_service.ts: Remove switch cases, remove provider imports, remove isBuiltIn gate on createProvider path
vault_create.ts: Remove --region, --vault-url, --op-vault, --op-account flags and resolveProviderConfig(). Extension vaults use --config <json>
Delete aws_vault_provider.ts, azure_kv_vault_provider.ts, onepassword_vault_provider.ts from src/domain/vaults/
ensureDefaultVaults(): Remove auto-create-AWS-vault logic or have it suggest pulling the extension

Phase 6: Update `RENAMED_VAULT_TYPES` and backwards compat

Existing vault configs on disk (.swamp/vault/aws-sm/*.yaml) continue to work via type remapping — users don't need to edit config files, just pull the extension.

UX changes

vault create changes from:

swamp vault create aws-sm my-vault --region us-east-1

to:

swamp vault create @swamp/aws-sm my-vault --config '{"region":"us-east-1"}'

Follow-up: Add optional resolveConfig to VaultTypeInfo so extensions can provide interactive config prompting and preserve the convenience flag UX.

Risks

SDK bundling: AWS/Azure SDKs may produce large bundles or fail to bundle. Validate in Phase 2 before committing.
Offline users: Can't pull from registry. They can manually create extension files locally.
CLI UX regression: --config <json> is less ergonomic than dedicated flags. Mitigated by future resolveConfig support.

Files affected

src/domain/vaults/vault_types.ts
src/domain/vaults/vault_service.ts
src/domain/vaults/vault_type_registry.ts
src/domain/vaults/aws_vault_provider.ts (delete)
src/domain/vaults/azure_kv_vault_provider.ts (delete)
src/domain/vaults/onepassword_vault_provider.ts (delete)
src/cli/commands/vault_create.ts
Tests for all of the above

02Bog Flow

Closed

No activity in this phase yet.

03Sludge Pulse

yep yep yep

Support named argument syntax for model method run (e.g. --arg key=value)

env var overrides for globalArguments silently change which environment a model targets

deno lint no-import-prefix conflicts with swamp's required npm:/jsr: inline specifiers

AI agents should search community extensions before offering to create custom models

feat: add --content-type filter to extension search

Add a 'reports' feature

Port remaining CLI commands to libswamp + renderer pattern

Persistent runner / server mode to eliminate per-invocation CLI startup overhead

AI agent should prefer fan-out model methods over shell loops for fleet operations

Support unbundled helper scripts in extension packages

Add progress indicator for long-running model methods

Built-in structured output parser for CLI commands

Automatic trace context propagation across workflow steps

Native OpenTelemetry tracing for swamp CLI internals

Claude Code should prefer extending swamp extensions over using external CLI tools

Framework log lines written to stdout pollute model method output

Swamp skill should guide AI agents to create extension models instead of inline shell scripts

Shared team collectives for collaborative extension publishing

Delete methods should return last known state data

Add smoke-test skill for extension models

Workflow run output is unreadable — resource data and errors are buried in log noise

Recommend or manage lockfile strategy for extension model npm dependencies

Output of running a method is not the actual output

Add macOS Keychain vault type

bug: Vault secret shell escaping incomplete — $(), semicolons, and pipes are interpreted

Swamp should support "Scheduled"-type status for execution

feat: add support for Nix via a flake

ModelType.normalize replaces all dots with slashes, corrupting dotted type names

fix: collective validator error message omits drivers and datastores

Skill docs: document configSchema inline requirement and .describe() constraints for vault extensions

It takes 42 seconds to run swamp --help

After today upgrade

Auto-resolver fails when extensions/models/ directory does not exist for vault-only extensions

Azure Key Vault extension vault bundle fails to load in compiled binary

RangeError: Maximum call stack size exceeded when loading extension models with npm dependencies after upgrade to 20260317

Extension Zod schema incompatibility after upgrade to 20260312

Data garbage collection never fully removes expired data from disk

extension push --dry-run requires authentication unnecessarily

Typed context APIs to eliminate no-explicit-any in extension models

AWS extensions fail to load: missing _lib/aws.ts shared dependency

getContent() should resolve vault expressions for sensitive fields

getContent() should return parsed objects, not raw Uint8Array

Add context.readResource() to MethodContext for user extension models

Datastore lock: allow concurrent reads across different models

extension install should be an alias of extension pull

feat: Execution Driver Abstraction — Pluggable Isolation for Model Execution

Support --global-arg on model create

consider a libswamp

Running workflow should not block read-only operations

Update from 20260227 to 20260311 breaks existing model definitions (symlink + path-based type)

loadUserModels ignores --repo-dir, uses cwd instead

datastore lock release --force deadlocks on the stale lock it's trying to release

Datastore lock not released when interactive command fails in non-TTY context

vault put to 1Password stores empty password field

Leaderboard shows 0-event users whose profiles 404

Move AWS, Azure, and 1Password vault providers to extensions

Data instance name uniqueness is global across specs instead of per-spec

Audit timeline misses today's entries in UTC+ timezones

AI agent discoverability: reduce trial-and-error for CLI syntax

GlobalArguments CEL expressions fail when factory inputs are omitted — selective evaluation not working

Document factory pattern for model reuse in skills

Delete method uses identifier as data name instead of instance name

CLI method run ignores required arguments without .default()

Workflow run output mixes data, errors, and logs without clear separation — hard to find what actually executed

data.latest() in workflow step inputs resolved at workflow start, not at step execution time

Update method fails when globalArguments contain cross-model CEL expressions

Track resource deletion in local data model

fix: extension npm packages fail to resolve in compiled binary

swamp repo upgrade replaces entire CLAUDE.md with generic template instead of merging

Add drift detection to reconcile stored state against live cloud resources

Model inputs schema validated on all methods — delete fails requiring create-time inputs

Support wait-until-ready semantics for async resource provisioning

support pushing to organizations

Add data rename/move command for non-destructive refactoring

Schema mismatch warnings lack model context and misrepresent API response shapes

Support pre-flight validate method on models before method execution

Extension models need built-in support for idempotent create operations

Workflow reports succeeded when step outputs indicate failure

Swamp skills don't prevent AI agents from manually generating UUIDs for workflows

Phase 6: Update `RENAMED_VAULT_TYPES` and backwards compat