Skip to main content

CAPABILITIES

Documentation Map

CAPABILITIES

Tool / Contract Summary

jhf-keystore exposes a small set of local-first capabilities for controlled Vaultwarden or Bitwarden reads, runtime diagnosis, layout planning, package production, and Fabric-readable documentation. It does not expose a remote service API and it does not become a second policy or identity truth.

Business Value

  • operators get a repeatable local verification path before deployment or handoff
  • OpenClaw-style consumers can resolve controlled reads through source: exec
  • Fabric and jhf-web can read stable metadata and documentation without reading secrets
  • deployment consumers can validate versioned artifacts without inferring repo-local semantics

Current Verified State

  • repo-local CLI surfaces are covered by the Python test suite and the repo function sweep
  • packaging and manifest surfaces are verified in the default CI gate
  • live deep verification remains operator-driven and fail-closed
  • Fabric contract adoption is declared explicitly and consumed read-only

Stable External Capabilities

Capability key

openclaw-exec-secretref

  • Title: OpenClaw exec SecretRef consumption
  • Stability: stable
  • Exposure: external
  • Primary API surface / command / artifact / file: scripts/run.sh (C:/CodexTest/jhf-keystore/scripts/run.sh), examples/openclaw/gateway.secrets.yaml (C:/CodexTest/jhf-keystore/examples/openclaw/gateway.secrets.yaml), python3 -m vaultwarden_oc_keystore resolve

Capability key

versioned-package-artifact

  • Title: Versioned package handoff
  • Stability: stable
  • Exposure: external
  • Primary API surface / command / artifact / file: scripts/build-package.py (C:/CodexTest/jhf-keystore/scripts/build-package.py), scripts/verify-package.py (C:/CodexTest/jhf-keystore/scripts/verify-package.py), docs/ARTIFACT_CONTRACT.md (C:/CodexTest/jhf-keystore/docs/ARTIFACT_CONTRACT.md)

Capability key

fabric-doc-and-manifest-intake

  • Title: Fabric-readable documentation and manifest intake
  • Stability: stable
  • Exposure: external
  • Primary API surface / command / artifact / file: fabric-manifest.json (C:/CodexTest/jhf-keystore/fabric-manifest.json), docs/FABRIC_TOOL_PROFILE.md (C:/CodexTest/jhf-keystore/docs/FABRIC_TOOL_PROFILE.md), scripts/export-fabric-metadata.py (C:/CodexTest/jhf-keystore/scripts/export-fabric-metadata.py)

Stable Internal Capabilities

Capability key

cli-probe-light

  • Title: Lightweight runtime probe
  • Stability: stable
  • Exposure: internal
  • Primary API surface / command / artifact / file: python3 -m vaultwarden_oc_keystore probe --mode light, vaultwarden_oc_keystore/resolver.py (C:/CodexTest/jhf-keystore/vaultwarden_oc_keystore/resolver.py)

Capability key

cli-probe-deep

  • Title: Deep operator probe and doctor report
  • Stability: stable
  • Exposure: internal
  • Primary API surface / command / artifact / file: python3 -m vaultwarden_oc_keystore probe --mode deep --json, python3 -m vaultwarden_oc_keystore doctor --mode deep --json, vaultwarden_oc_keystore/cli.py (C:/CodexTest/jhf-keystore/vaultwarden_oc_keystore/cli.py)

Capability key

secret-reference-resolution

  • Title: Secret reference resolution
  • Stability: stable
  • Exposure: internal
  • Primary API surface / command / artifact / file: python3 -m vaultwarden_oc_keystore resolve <secret-ref>, vaultwarden_oc_keystore/resolver.py (C:/CodexTest/jhf-keystore/vaultwarden_oc_keystore/resolver.py)

Capability key

layout-plan

  • Title: Vaultwarden collection and account layout planning
  • Stability: stable
  • Exposure: internal
  • Primary API surface / command / artifact / file: python3 -m vaultwarden_oc_keystore plan-layout, vaultwarden_oc_keystore/layout.py (C:/CodexTest/jhf-keystore/vaultwarden_oc_keystore/layout.py)

Capability key

built-in-docs

  • Title: CLI-rendered built-in documentation
  • Stability: stable
  • Exposure: internal
  • Primary API surface / command / artifact / file: python3 -m vaultwarden_oc_keystore docs [topic], vaultwarden_oc_keystore/docs.py (C:/CodexTest/jhf-keystore/vaultwarden_oc_keystore/docs.py)

Capability key

contract-catalog-validation

  • Title: Access-model and contract catalog validation
  • Stability: stable
  • Exposure: internal
  • Primary API surface / command / artifact / file: scripts/validate-access-model.py (C:/CodexTest/jhf-keystore/scripts/validate-access-model.py), contracts/ (C:/CodexTest/jhf-keystore/contracts)

Capability key

repo-function-sweep

  • Title: Repo-local regression and packaging sweep
  • Stability: stable
  • Exposure: internal
  • Primary API surface / command / artifact / file: scripts/repo-function-sweep.sh (C:/CodexTest/jhf-keystore/scripts/repo-function-sweep.sh), docs/REPO_FUNCTION_SWEEP.md (C:/CodexTest/jhf-keystore/docs/REPO_FUNCTION_SWEEP.md)

Capability key

host-auth-bootstrap-contract

  • Title: Non-interactive BW auth bootstrap contract
  • Stability: stable
  • Exposure: internal
  • Primary API surface / command / artifact / file: contracts/non-interactive-bw-auth-bootstrap.md (C:/CodexTest/jhf-keystore/contracts/non-interactive-bw-auth-bootstrap.md), scripts/host_live_gate_bw_auth.sh (C:/CodexTest/jhf-keystore/scripts/host_live_gate_bw_auth.sh)
  • Notes: bootstrap checks are single-flight, throttled, timeout-bounded, and must fail closed instead of polling

Capability key

vaultwarden-admitted-sso-consumer-verify

  • Title: Vaultwarden admitted SSO consumer posture verification
  • Stability: stable
  • Exposure: internal
  • Primary API surface / command / artifact / file: contracts/vaultwarden-sso-consumer-runtime.json (C:/CodexTest/jhf-keystore/contracts/vaultwarden-sso-consumer-runtime.json), scripts/verify-vaultwarden-sso-consumer-contract.sh (C:/CodexTest/jhf-keystore/scripts/verify-vaultwarden-sso-consumer-contract.sh), docs/VAULTWARDEN_SSO_CONSUMER.md (C:/CodexTest/jhf-keystore/docs/VAULTWARDEN_SSO_CONSUMER.md)

Capability key

sso-v4-cross-surface-acceptance-suite

  • Title: Cross-surface SSO v4 acceptance and drift routing
  • Stability: stable
  • Exposure: internal
  • Primary API surface / command / artifact / file: contracts/sso-v4-cross-surface-acceptance.json (C:/CodexTest/jhf-keystore/contracts/sso-v4-cross-surface-acceptance.json), scripts/verify-sso-v4-cross-surface-acceptance.sh (C:/CodexTest/jhf-keystore/scripts/verify-sso-v4-cross-surface-acceptance.sh), docs/SSO_V4_ACCEPTANCE_SUITE.md (C:/CodexTest/jhf-keystore/docs/SSO_V4_ACCEPTANCE_SUITE.md)

Experimental or Transitional Capabilities

<!-- Compatibility marker: ## Experimental Or Transitional Capabilities -->

Capability key

bw-serve-loopback

  • Title: Local bw serve provider mode
  • Stability: transitional
  • Exposure: internal
  • Primary API surface / command / artifact / file: VW_PROVIDER=serve, scripts/start-local-bw-serve.sh (C:/CodexTest/jhf-keystore/scripts/start-local-bw-serve.sh)

Capability key

workspace-upstream-contract-check

  • Title: Workspace-scoped upstream contract validation
  • Stability: transitional
  • Exposure: internal
  • Primary API surface / command / artifact / file: python3 scripts/validate-access-model.py --check-upstreams --workspace-root ... --upstream-source ..., contracts/consumed-upstream-contracts.json (C:/CodexTest/jhf-keystore/contracts/consumed-upstream-contracts.json)

Current Gaps

  • no public REST API
  • no webhook receiver
  • no MCP server
  • no write-back or provisioning path
  • no local source of truth for identity, entitlements, or Fabric policy
  • no remote metrics or HTTP health endpoint
  • live deep verification still depends on host runtime prerequisites outside the default CI gate