EXTENSIONS

Declarative authorized_keys controller for SSH-reachable hosts with atomic mv-T writes, symlink guards, and batched concurrency.

Declarative controller for a single 1Password SSH key item. Audits existence and fingerprint, upserts via op CLI with stdin-based secret delivery.

Per-environment snapshot of legacy/new vault key names consumed by the ssh-rotate workflow via data.latest().

Declarative authorized_keys controller for Hetzner servers via SSH with optional sshpass password auth.

Generate SSH key pairs via ssh-keygen and store them in a swamp vault.

Inventory of Hetzner Cloud and Robot dedicated servers with unified schema.

Lists KubeVirt VMI IP addresses with QEMU Guest Agent network probing.

Manages Harvester KeyPair custom resources for SSH key injection into VMs.

Declarative authorized_keys controller for Harvester VMs via QEMU Guest Agent.

Sync secrets to GitHub repository-scoped Actions secrets via the GitHub REST API.

Sync secrets to GitHub environment-scoped Actions secrets via the GitHub REST API.

GitHub Actions secret management via the local gh CLI. Supports repo-level, environment-scoped, and organization-scoped secrets with fan-out, code-search discovery, and a dry-run mode on the org-level setter. No PAT, GitHub App, or vault-held token required — auth comes from the operator's existing gh session.

ASCII-armored OpenPGP private key operations via the local gpg binary — inspect, extend expiry, sign-and-verify, upload to keyserver. Runs each invocation against an ephemeral GNUPGHOME so the host keyring is never touched. Auto-detects raw armored or base64-encoded armored key material on import (works around vault providers that strip newlines from multi-line field values).

GitHub pull-request and file-commit operations. Octokit-backed PR creation, merging, and fan-out across repos, plus gh-CLI-backed commitFile (branch creation + single-file commit) and openPullRequest (PR opening from an existing head→base pair) for one-shot file updates without a local checkout or token. dryRun supported on commitFile and openPullRequest.

GitHub models for swamp. Currently provides @hivemq/github/token, which audits a single GitHub token.

Manage Honeycomb SLOs, SLI derived columns, burn alerts, queries, query annotations, and triggers via the v1 Configuration API

Run Claude Code (and other workloads) inside a macOS apple/container sandbox.

Full-lifecycle handling of macOS installer packages (.pkg) by wrapping the native Apple toolchain.

Two-stage adversarial code review extension for swamp. Fans out across N