feat(agent_secrets): add 1Password as optional secret store backend (#5)

* feat(agent_secrets): add 1Password as optional secret store backend

Add OnePasswordStore implementing the SecretStore trait via the op CLI,
following the same pattern used by cargo-credential-1password.

- New platform/onepassword.rs with put/get/delete/list_keys via op CLI
- Items stored as Secure Notes with base64 content, tagged 'shadi'
- Runtime backend selection via SHADI_SECRET_BACKEND=onepassword env var
- Configurable vault (SHADI_OP_VAULT) and account (SHADI_OP_ACCOUNT)
- Gated behind 'onepassword' Cargo feature flag
- Feature enabled in shadictl and shadi_py
- Unit tests for JSON parsing, error classification, and construction

Closes #4

Signed-off-by: Luca Muscariello <muscariello@ieee.org>

* fix(demo): fix sandbox and secrets for 1Password backend demo

- Fix macOS Seatbelt sandbox: add sysctl-read, unrestricted mach-lookup
  for op daemon, ~/.slim write access for SLIM bindings, and resolve
  relative policy paths to absolute before emitting subpath rules
- Set default llm_provider to anthropic in secops.toml and import script
- Update import script to read LLM_PROVIDER env var with anthropic default
- Update launch scripts to forward SHADI_SECRET_BACKEND, SHADI_OP_VAULT,
  SHADI_OP_ACCOUNT and use uv run --no-project --python
- Add just build auto-install of shadi .so to venv
- Add -op Justfile targets for 1Password-backed demo workflow
- Update docs: README, architecture, security, cli, demo, scripts/README

Signed-off-by: Luca Muscariello <muscariello@ieee.org>

* fix(demo): pre-read 1P secrets, code-sign .so, fix SLIM startup and TLS

- scripts/launch_slim.sh: remove --endpoint flag (conflicts with slimctl)
- scripts/launch_secops_a2a.sh: add SLIM TLS cert defaults, PYTHONUNBUFFERED,
  and pre-read all 1Password secrets into SHADI_SECRET_* env vars before the
  sandbox starts (op CLI hangs without a TTY in background processes)
- scripts/launch_avatar.sh: same pre-read block for avatar LLM + SLIM secrets
- agents/secops/skills.py: require_shadi_secret() checks SHADI_SECRET_<KEY>
  env var fallback before calling op; avoids sandbox op hang
- agents/avatar/adk_agent/agent.py: same env var fallback in
  require_shadi_secret_value(); fix send_message() to collect artifacts from
  all terminal states using state.value for correct enum comparison
- agents/secops/a2a_server.py: startup print, executor debug print
- crates/shadi_sandbox/src/platform/macos.rs: allow ~/.cache write for gh CLI
- Justfile: codesign .so after build; demo-start depends on demo-stop;
  op vault list preflight in demo-start-op/demo-avatar-op
- policies/demo/*.json: add litellm.prod.outshift.ai and github.com to net_allow
- tools/test_avatar_transport.py: diagnostic transport test script

Signed-off-by: Luca Muscariello <muscariello@ieee.org>

* feat(secops): add OpenTelemetry tracing for command and skill execution

Signed-off-by: Luca Muscariello <muscariello@ieee.org>

* fix: resolve multiple bugs in sandbox, OTel, and memory storage

- sandbox/macos: normalize resolve_path('.') to avoid trailing dot in
  Seatbelt subpath rules (was silently denying writes to sandboxed CWD)

- secops/memory: fix SqlCipherMemoryStore called with key name instead of
  resolved key value; pass actual secret as key= arg not key_name=

- secops/a2a_server: normalize labels list to comma-separated string
  before passing to skill_collect_security_issues

- secops/telemetry: fix service.name empty when OTEL_SERVICE_NAME='';
  use 'or' fallback instead of getenv default; forward OTEL vars via Justfile

- tools/shadi_prompt.py: fix pre-existing syntax corruption (require_slima2a_packages
  body interleaved with load_secops_config and stray parser.add_argument calls;
  create_prompt_session missing if-not-ok body and return)

- tools/test_avatar_transport.py: configurable timeout via CLI arg

Signed-off-by: Luca Muscariello <muscariello@ieee.org>

* chore: update demo

Signed-off-by: Luca Muscariello <muscariello@ieee.org>

* chore: update demo

Signed-off-by: Luca Muscariello <muscariello@ieee.org>

---------

Signed-off-by: Luca Muscariello <muscariello@ieee.org>

Author: muscariello

Cargo.lock

@@ -9,6 +9,8 @@ REMEDIATE := "false"
 
 build:
   PYO3_PYTHON="{{python312}}" RUSTFLAGS="-C link-arg=-undefined -C link-arg=dynamic_lookup" cargo build
+  cp target/debug/libshadi.dylib .venv/lib/python3.12/site-packages/shadi/shadi.cpython-312-darwin.so
+  codesign --sign - --force .venv/lib/python3.12/site-packages/shadi/shadi.cpython-312-darwin.so
 
 windows-build:
   $env:PYO3_PYTHON = "{{python312}}"; cargo build
@@ -92,6 +94,9 @@ secops-run:
 secops-approve-prs:
   uv run --no-project --python .venv/bin/python agents/secops/secops.py --approve-prs
 
+secops-test-python:
+  uv run --with pytest pytest agents/secops/tests/test_skills.py
+
 secops-a2a:
   uv run --no-project --python .venv/bin/python agents/secops/a2a_server.py
 
@@ -110,6 +115,9 @@ secops-run-anthropic:
 secops-secrets:
   cargo run -p shadictl -- --list-keychain --list-prefix secops/
 
+secops-secrets-op:
+  SHADI_SECRET_BACKEND=onepassword cargo run -p shadictl -- --list-keychain --list-prefix secops/
+
 secops-policy:
   cargo run -p shadictl -- --policy policies/demo/secops-a.json --print-policy
 
@@ -148,7 +156,7 @@ launch-slim:
   ./scripts/launch_slim.sh
 
 launch-slim-example:
-  SHADI_TMP_DIR="./.tmp" SLIM_ENDPOINT="127.0.0.1:47357" ./scripts/launch_slim.sh
+  SHADI_TMP_DIR="./.tmp" ./scripts/launch_slim.sh
 
 launch-secops-a2a:
   ./scripts/launch_secops_a2a.sh
@@ -157,15 +165,80 @@ launch-secops-a2a-example:
   SHADI_TMP_DIR="./.tmp" SHADI_AGENT_ID="secops-a" SHADI_OPERATOR_PRESENTATION="local-operator" ./scripts/import_secops_secrets.sh
   SHADI_TMP_DIR="./.tmp" SHADI_AGENT_ID="secops-a" SHADI_OPERATOR_PRESENTATION="local-operator" ./scripts/launch_secops_a2a.sh
 
+launch-secops-a2a-example-op:
+  SHADI_SECRET_BACKEND=onepassword SHADI_TMP_DIR="./.tmp" SHADI_AGENT_ID="secops-a" SHADI_OPERATOR_PRESENTATION="local-operator" ./scripts/import_secops_secrets.sh
+  SHADI_SECRET_BACKEND=onepassword SHADI_TMP_DIR="./.tmp" SHADI_AGENT_ID="secops-a" SHADI_OPERATOR_PRESENTATION="local-operator" ./scripts/launch_secops_a2a.sh
+
 launch-avatar:
   ./scripts/launch_avatar.sh
 
 launch-avatar-example:
   SHADI_TMP_DIR="./.tmp" SHADI_AGENT_ID="avatar-1" SHADI_OPERATOR_PRESENTATION="local-operator" ./scripts/launch_avatar.sh
 
+launch-avatar-example-op:
+  SHADI_SECRET_BACKEND=onepassword SHADI_TMP_DIR="./.tmp" SHADI_AGENT_ID="avatar-1" SHADI_OPERATOR_PRESENTATION="local-operator" ./scripts/launch_avatar.sh
+
 import-secops-secrets:
   ./scripts/import_secops_secrets.sh
 
+import-secops-secrets-op:
+  SHADI_SECRET_BACKEND=onepassword ./scripts/import_secops_secrets.sh
+
+# ── Demo orchestration ────────────────────────────────────────────────────────
+# Stop all demo processes (SLIM + SecOps A2A + Avatar).
+demo-stop:
+  -kill $(cat .tmp/slim.pid 2>/dev/null) 2>/dev/null; rm -f .tmp/slim.pid
+  -kill $(cat .tmp/secops-a2a.pid 2>/dev/null) 2>/dev/null; rm -f .tmp/secops-a2a.pid
+  -pkill -f "run_sandboxed_agent\.py|a2a_server\.py|run_shadi_memory\.py" 2>/dev/null || true
+  -pkill -f slimctl 2>/dev/null || true
+  @echo "Demo stopped."
+
+# Start SLIM + SecOps A2A in the background and write PIDs to .tmp/.
+# Use SHADI_HUMAN_GITHUB=<handle> to enable PR creation via gh CLI.
+demo-start: demo-stop
+  mkdir -p .tmp
+  slimctl slim start --config ".tmp/shadi-slim-mtls/server-config.yaml" >.tmp/slim.log 2>&1 & echo $! >.tmp/slim.pid
+  sleep 2
+  SHADI_TMP_DIR="./.tmp" SHADI_AGENT_ID="secops-a" SHADI_OPERATOR_PRESENTATION="local-operator" \
+    ./scripts/launch_secops_a2a.sh >.tmp/secops-a2a.log 2>&1 & echo $! >.tmp/secops-a2a.pid
+  @echo "Demo started. Tail logs: just demo-logs"
+  @echo "Launch interactive avatar: just demo-avatar"
+
+# Same as demo-start but uses 1Password as the secret backend.
+demo-start-op: demo-stop
+  @OP_ACCOUNT="${SHADI_OP_ACCOUNT:-my.1password.com}"; \
+    op vault list --account "$OP_ACCOUNT" >/dev/null 2>&1 || \
+    { echo "ERROR: 1Password not unlocked for $OP_ACCOUNT. Open the 1Password app and authenticate (Touch ID) first."; exit 1; }
+  mkdir -p .tmp
+  slimctl slim start --config ".tmp/shadi-slim-mtls/server-config.yaml" >.tmp/slim.log 2>&1 & echo $! >.tmp/slim.pid
+  sleep 2
+  SHADI_SECRET_BACKEND=onepassword SHADI_OP_ACCOUNT="${SHADI_OP_ACCOUNT:-my.1password.com}" \
+  SHADI_TMP_DIR="./.tmp" SHADI_AGENT_ID="secops-a" SHADI_OPERATOR_PRESENTATION="local-operator" \
+  SHADI_OTEL_CONSOLE="${SHADI_OTEL_CONSOLE:-}" \
+  OTEL_EXPORTER_OTLP_ENDPOINT="${OTEL_EXPORTER_OTLP_ENDPOINT:-}" \
+  OTEL_SERVICE_NAME="${OTEL_SERVICE_NAME:-}" \
+    ./scripts/launch_secops_a2a.sh >.tmp/secops-a2a.log 2>&1 & echo $! >.tmp/secops-a2a.pid
+  @echo "Demo started (1Password). Tail logs: just demo-logs"
+  @echo "Launch interactive avatar: just demo-avatar-op"
+
+# Launch the interactive Avatar agent (foreground REPL).
+demo-avatar:
+  SHADI_TMP_DIR="./.tmp" SHADI_AGENT_ID="avatar-1" SHADI_OPERATOR_PRESENTATION="local-operator" \
+    ./scripts/launch_avatar.sh
+
+# Same as demo-avatar but uses 1Password as the secret backend.
+demo-avatar-op:
+  @OP_ACCOUNT="${SHADI_OP_ACCOUNT:-my.1password.com}"; \
+    op vault list --account "$OP_ACCOUNT" >/dev/null 2>&1 || \
+    { echo "ERROR: 1Password not unlocked for $OP_ACCOUNT. Open the 1Password app and authenticate (Touch ID) first."; exit 1; }
+  SHADI_SECRET_BACKEND=onepassword SHADI_OP_ACCOUNT="${SHADI_OP_ACCOUNT:-my.1password.com}" \
+  SHADI_TMP_DIR="./.tmp" SHADI_AGENT_ID="avatar-1" SHADI_OPERATOR_PRESENTATION="local-operator" \
+    ./scripts/launch_avatar.sh
+
+# Tail background demo logs (SLIM + SecOps A2A).
+demo-logs:
+  tail -f .tmp/slim.log .tmp/secops-a2a.log
+
 secure-profile-strict:
   cargo run -p shadictl -- --profile strict --print-policy
 

Justfile

@@ -33,3 +33,6 @@ export SLIM_TLS_CA=./.tmp/shadi-slim-mtls/ca.crt
   SLIM endpoint and shared secret stored in SHADI.
 - Memory defaults to $SHADI_TMP_DIR/$SHADI_AGENT_ID/shadi-secops/secops_memory.db
   unless overridden by SHADI_ADK_MEMORY_DB.
+- To target a specific repo say "scan agentic-apps" or "remediate agntcy/agentic-apps".
+  The avatar will set `repos` in the SecOps command so only that repo is processed.
+  Omit the repo name to operate on all allowlisted repos.

agents/avatar/AGENTS.md

@@ -71,6 +71,10 @@ def verify_operator(verify_agent_id, session_id, presentation_bytes, claims):
 
 
 def require_shadi_secret_value(store, session, key_name, label):
+    env_var = "SHADI_SECRET_" + key_name.upper().replace("/", "_").replace("-", "_").replace(".", "_")
+    env_val = os.getenv(env_var, "").strip()
+    if env_val:
+        return env_val
     try:
         value = store.get(session, key_name)
     except Exception as exc:
@@ -190,22 +194,47 @@ async def send_message(types, client, text):
         message_id="avatar-message",
         parts=[types["Part"](root=types["TextPart"](text=text))],
     )
+    TERMINAL_STATES = {"completed", "failed", "canceled"}
     output = ""
     async for response in client.send_message(request=request):
+        print(f"[send_message] response type={type(response).__name__}", flush=True)
         if isinstance(response, types["Message"]):
             for part in response.parts:
                 if isinstance(part.root, types["TextPart"]):
                     output += part.root.text
         else:
             task, _ = response
-            if task.status.state == "completed" and task.artifacts:
+            state = task.status.state.value if task.status and hasattr(task.status.state, "value") else str(task.status.state) if task.status else ""
+            print(f"[send_message] task.state={state} artifacts={len(task.artifacts) if task.artifacts else 0}", flush=True)
+            if state in TERMINAL_STATES and task.artifacts:
                 for artifact in task.artifacts:
                     for part in artifact.parts:
                         if isinstance(part.root, types["TextPart"]):
                             output += part.root.text
     return output
 
 
+def format_secops_error(exc):
+    messages = []
+    current = exc
+    visited = set()
+    while current and id(current) not in visited:
+        visited.add(id(current))
+        message = str(current).strip()
+        if message:
+            messages.append(message)
+        current = getattr(current, "__cause__", None) or getattr(current, "__context__", None)
+
+    combined = " | ".join(messages)
+    if "session handshake failed" in combined:
+        return (
+            "SecOps connection failed during SLIM session handshake. "
+            "Check that the SecOps A2A server is running and that Avatar and SecOps use the same "
+            "SLIM endpoint, identity, shared secret, and TLS settings."
+        )
+    return str(exc)
+
+
 def normalize_secops_payload(payload):
     if isinstance(payload, dict):
         return json.dumps(payload)
@@ -223,12 +252,19 @@ def normalize_secops_payload(payload):
 
 
 async def send_secops_command(payload):
-    types = require_slima2a_packages()
-    config = resolve_slim_config()
     normalized = normalize_secops_payload(payload)
-
-    client, _httpx_client = await get_cached_client(types, config)
-    return await send_message(types, client, normalized)
+    print(f"[send_secops_command] payload={normalized}", flush=True)
+    try:
+        types = require_slima2a_packages()
+        config = resolve_slim_config()
+        client, _httpx_client = await get_cached_client(types, config)
+        result = await send_message(types, client, normalized)
+        print(f"[send_secops_command] result={result!r}", flush=True)
+        return result
+    except Exception as exc:
+        import traceback
+        traceback.print_exc()
+        return f"ERROR calling SecOps: {format_secops_error(exc)}"
 
 
 config_path, config = load_secops_config()
@@ -251,7 +287,11 @@ async def send_secops_command(payload):
     "You are Avatar, a human interface agent. Convert the user request into a JSON command "
     "for the SecOps agent and send it using the send_secops_command tool. The SecOps agent "
     "accepts commands: scan, remediate, approve_prs, report, and help. Optional JSON fields: "
-    "provider, labels, report_name. Always send valid JSON. Reply with the SecOps response."
+    "provider, labels, report_name, create_prs, human_github. "
+    "Use the 'repos' field (comma-separated owner/name string) to scope scan or remediate to "
+    "specific repositories — for example if the user says 'remediate agentic-apps' set "
+    "'repos': 'agntcy/agentic-apps'. When no specific repo is mentioned, omit repos. "
+    "Always send valid JSON. Reply with the SecOps response."
 )
 context = load_agent_context()
 if context: