feat: add KeePass plugin for KDBX 4.0 database support#413
Merged
theoephraim merged 4 commits intodmno-dev:mainfrom Mar 31, 2026
Merged
feat: add KeePass plugin for KDBX 4.0 database support#413theoephraim merged 4 commits intodmno-dev:mainfrom
theoephraim merged 4 commits intodmno-dev:mainfrom
Conversation
🦋 Changeset detectedLatest commit: 5a8370c The changes in this PR will be included in the next version bump. This PR includes changesets to release 1 package
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
Contributor
Author
|
Full test folder, with executable "test" script. |
theoephraim
reviewed
Mar 16, 2026
Member
theoephraim
left a comment
theoephraim
left a comment
There was a problem hiding this comment.
Thanks for this! Looks pretty good :)
Left a few small comments.
| /** | ||
| * Find an entry by its path (e.g., "Group/SubGroup/EntryTitle"). | ||
| */ | ||
| private findEntry(db: kdbxweb.Kdbx, entryPath: string): kdbxweb.KdbxEntry | undefined { |
Member
There was a problem hiding this comment.
Is it worth doing a single pass putting everything into a hash with keys being the format used by the plugin? Make sure its only on the first actual read though, because we dont ever want to trigger an error if the plugin is not being used in the current resolution.
* feat: add KeePass plugin for KDBX 4.0 database and KeePassXC CLI support
Adds @varlock/keepass-plugin with two modes: direct KDBX file reading via
kdbxweb (production) and keepassxc-cli integration (development). Registers
@initKeePass decorator, kp()/kpBulk() resolvers, and kdbxPassword data type.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* feat: add argon2 support for KDBX 4.0, plugin README, root README update
- Register argon2 implementation in kdbxweb CryptoEngine for KDBX 4.0
key derivation (kdbxweb does not bundle one)
- Add argon2 as external dependency (native addon, not bundleable)
- Add createRequire banner in tsup for kdbxweb's require("crypto")
- Add comprehensive plugin README with usage examples
- Update root README plugin count and table
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: sanitize kpBulk keys into valid env var names
KeePass entry paths like "DB/itest" contain characters invalid in env
var names. Sanitize by replacing non-alphanumeric chars with underscores
and uppercasing. Non-default attributes (e.g. UserName) are appended as
a suffix to avoid collisions between bulk loads of different attributes.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fixed spawnAsync to take an input option that gets streamed into the process stdin. Necessary for keepassxc-cli to work properly.
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
- Replace native argon2 addon with hash-wasm (pure WASM, SEA-compatible)
- Rename useDesktopApp to useCli, now resolved at runtime (supports forEnv)
- Remove unnecessary CLI batching
- Add #attribute syntax for reading entry fields (kp("entry#UserName"))
- Add entry name inference from key (kp(), kp("#Attr"))
- Add customAttributesObj=true for bulk custom field loading
- Remove attribute param from kpBulk (always reads Password)
- Build as CJS matching other plugins, single self-contained bundle
- Add pluginTest() helper (varlock/test-helpers) for plugin integration tests
- Add comprehensive tests with programmatically generated KDBX databases
- Add stdin input support to spawnAsync in @env-spec/utils
- Add website docs page, sidebar entry, overview listing, README update
- Add changeset
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
6 tasks
Deploying with
|
| Status | Name | Latest Commit | Preview URL | Updated (UTC) |
|---|---|---|---|---|
| ✅ Deployment successful! View logs |
varlock-website | 560535d | Commit Preview URL Branch Preview URL |
Mar 31 2026, 07:13 AM |
- Replace module-level CLI auth singletons with per-instance KpCliReader class, fixing a bug where multiple useCli=true instances would overwrite each other - Introduce KpReader interface to eliminate repeated if/else branching in every method of KeePassPluginInstance - Extract getPluginInstance() helper to deduplicate instance lookup logic - Move readAllEntries into KeePassPluginInstance (works for both modes) - Remove redundant "not configured" guards (decorator lifecycle guarantees order) - Fix copy-paste test bug: kp(attribute=X) test was retesting hash syntax - Add shared STANDARD_ENTRIES fixture to reduce test boilerplate - Remove dead main/types fields from package.json - Add Fedora install instruction to docs site Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
varlock
@varlock/astro-integration
@varlock/cloudflare-integration
@varlock/expo-integration
@varlock/nextjs-integration
@varlock/vite-integration
@varlock/1password-plugin
@varlock/aws-secrets-plugin
@varlock/azure-key-vault-plugin
@varlock/bitwarden-plugin
@varlock/google-secret-manager-plugin
@varlock/hashicorp-vault-plugin
@varlock/infisical-plugin
@varlock/keepass-plugin
@varlock/pass-plugin
@varlock/proton-pass-plugin
commit: |
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
theoephraim
approved these changes
Mar 31, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds
@varlock/keepass-pluginfor loading secrets from KeePass / KeePassXC databases (KDBX 4.0).Based on the original contribution by @qades, with significant rework.
Plugin features
kp()resolver with#attributesyntax (kp("entry#UserName")), entry name inference from key (kp(),kp("#Attr")), andcustomAttributesObj=truefor bulk custom field loadingkpBulk()resolver for loading all passwords from a group via@setValuesBulkkdbxPassworddata type for master password validationkeepassxc-cliwith dynamicuseClioption (e.g.,useCli=forEnv(dev))idparamChanges from original PR
argon2addon withhash-wasm(pure WASM, base64-embedded, SEA-compatible)useDesktopApptouseCli, now resolved at runtime (supportsforEnv())#attributesyntax as primary way to specify entry fieldscustomAttributesObj=truefor bulk custom field loadingattributeparam fromkpBulk(always reads Password)import { plugin } from 'varlock/plugin-lib'instead of globalinputoption tospawnAsyncin@env-spec/utilsTesting & docs
pluginTest()helper (varlock/test-helpers) — reusable for all plugin packagesTest plan
🤖 Generated with Claude Code