vault.get() regex does not support spaces in vault names or secret keys

[danmcclain]

Description

The vault.get() regex in src/domain/expressions/model_resolver.ts does not support spaces in vault names or secret keys, even when quoted.

Steps to Reproduce

1. Create a vault backed by 1Password: swamp vault create @swamp/1password infra --config '{"op_vault": "Infra"}'
2. The 1Password item has fields with spaces, e.g. Client ID and Client Secret
3. Use a vault expression in a workflow: ${{ vault.get(infra, Tailscale K8s Operator/Client ID) }}
4. Run the workflow

Expected: The vault expression resolves the secret value.

Actual: CEL parse error: Expected RPAREN, got IDENTIFIER — the space in the key breaks parsing before the vault regex even runs.

Even if the CEL layer is bypassed, the vault regex itself would fail:

const vaultPattern = /vault\.get\(\s*(['"\`]?)([^'"\`\s,]+)\1\s*,\s*(['"\`]?)([^'"\`\s,]+)\3\s*\)/g;

The capture group [^'"\\s,]+explicitly excludes whitespace, soTailscale K8s Operator/Client ID` stops matching at the first space.

Workaround

Rename the 1Password fields to remove spaces (e.g. ClientID instead of Client ID), or use the item UUID with spaceless field names.

Suggested Fix

Update the vault regex to allow spaces inside quoted arguments. When quotes are present, the inner capture should permit any character except the matching quote. For example:

/vault\.get\(\s*(?:(['"\`])(.+?)\1|([^\s,)]+))\s*,\s*(?:(['"\`])(.+?)\4|([^\s,)]+))\s*\)/g

This would allow both vault.get(infra, mykey) and vault.get("infra", "My Key With Spaces").

The CEL expression parser layer (${{ }}) would also need to handle the vault.get() call before passing to the CEL evaluator, since CEL itself tokenizes on spaces.

Environment

• swamp version: 20260327.235335.0-sha.0c993a65
• OS: macOS

[github-actions]

Hi @danmcclain, thanks for opening this issue!

We appreciate you taking the time to report it. A maintainer will review it as soon as possible.

In the meantime, please make sure you've included all relevant details (steps to reproduce, expected vs actual behaviour, swamp version, etc.) to help us triage it quickly.

[keeb]

/triage

[github-actions]

Failed to triage issue. Please check the workflow logs for details.

[keeb]

/triage

[github-actions]

Implementation Plan

Summary

The vault.get() regex in src/domain/expressions/model_resolver.ts:831 incorrectly excludes whitespace from both quoted and unquoted arguments. When quotes are present (vault.get("infra", "Client ID")), spaces should be allowed inside the quoted content. The current regex explicitly excludes whitespace, causing "Client ID" to be parsed as just "Client".

Root Cause: Line 831 of model_resolver.ts uses a regex pattern where the capture groups disallow whitespace even when the argument is quoted, which breaks keys like Tailscale K8s Operator/Client ID from 1Password.

DDD Analysis

• Domain: Expressions (vault expression resolution)
• Value Object: Vault expression pattern (regex) - immutable transformation rule
• Domain Service: ModelResolver.resolveVaultExpressions() - stateless operation parsing vault expressions
• No new domain concepts required - this is a bug fix to existing expression parsing

Files to Modify

1. src/domain/expressions/model_resolver.ts (line ~831)

   • Update vaultPattern regex to allow spaces inside quoted arguments while preserving current behavior for unquoted arguments
   • The fix uses alternation: when quotes are present, match any char except the quote; when unquoted, match any char except whitespace/comma/paren

2. src/domain/vaults/vault_expression_test.ts

   • Add test cases for vault expressions with spaces in quoted arguments:
     • vault.get("vault", "Key With Spaces")
     • vault.get("vault", "Tailscale K8s Operator/Client ID")
     • vault.get("vault with space", "key")
     • Mixed: vault.get(unquoted-vault, "Key With Spaces")

Files to Create

None - this is a contained bug fix.

Implementation Steps

1. Update the regex pattern in model_resolver.ts:831 to use alternation: when quoted, allow any char except the quote; when unquoted, disallow spaces. Note: JS regex does not support backreferences in character classes, so the implementer will need separate patterns for each quote type or a different parsing approach.

2. Update the match extraction logic to handle the new capture group structure (groups shift due to alternation).

3. Add unit tests in vault_expression_test.ts covering quoted arguments with spaces, 1Password-style paths, and mixed quoted/unquoted arguments.

4. Run verification per CLAUDE.md.

Testing Strategy

Unit tests in src/domain/vaults/vault_expression_test.ts covering:

• should resolve vault expression with spaces in quoted key
• should resolve vault expression with spaces in quoted vault name
• should resolve vault expression with 1Password-style path (slashes and spaces)
• should work with mixed quoted and unquoted arguments

Verify existing tests still pass (no regression).

Verification Checklist

Run per CLAUDE.md: deno check, deno lint, deno fmt, deno run test, deno run compile.

Potential Challenges

1. Regex complexity: JS regex does not support dynamic backreferences in character classes. The implementer will need to use alternation with separate patterns for single-quoted, double-quoted, backtick-quoted, and unquoted variants.

2. Capture group indexing: The match extraction code (const [fullMatch, , vaultName, , secretKey] = match) at line 844 depends on specific capture group positions. After changing the regex structure, these indices must be updated correctly.

3. Edge cases: Ensure the fix handles empty quoted strings (should error at vault lookup, not parsing) and does not break existing behavior for unquoted arguments.

[keeb]

🔍 Triage started — fetching issue context

[keeb]

📋 Classified as bug (high) — The vault.get() regex in model_resolver.ts:831 uses character classes that exclude whitespace. When vault names or secret keys contain spaces (common with 1Password fields like Client ID), quoted arguments fail to match because the capture group rejects spaces even when quotes are present. The fix is contained to the regex and match extraction in resolveVaultExpressions().