feat: 1Password Rust SDK — initial implementation

.github/dependabot.yml

@@ -0,0 +1,28 @@
+version: 2
+
+updates:
+  # Rust / Cargo dependencies
+  - package-ecosystem: cargo
+    directory: /
+    schedule:
+      interval: daily
+    open-pull-requests-limit: 15
+    groups:
+      rust-minor-patch:
+        applies-to: version-updates
+        update-types:
+          - minor
+          - patch
+    labels:
+      - dependencies
+      - rust
+
+  # GitHub Actions — supply-chain risk for CI pipelines
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+    open-pull-requests-limit: 5
+    labels:
+      - dependencies
+      - ci

.github/workflows/ci.yml

@@ -0,0 +1,40 @@
+name: CI
+
+on:
+  pull_request:
+  push:
+    branches: [main]
+
+permissions:
+  contents: read
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: dtolnay/rust-toolchain@stable
+        with:
+          toolchain: "1.93.1"
+          components: rustfmt, clippy
+
+      - name: Check formatting
+        run: cargo fmt --check
+
+      - name: Clippy (all features)
+        run: cargo clippy --all-features -- -D warnings
+
+      - name: Clippy (desktop only, no WASM)
+        run: cargo clippy --no-default-features --features desktop -- -D warnings
+
+      - name: Test
+        run: cargo test
+
+      - name: Test (desktop feature)
+        run: cargo test --features desktop
+
+  deny:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: EmbarkStudios/cargo-deny-action@v2

.github/workflows/upstream-extism-watch.yml

@@ -0,0 +1,39 @@
+name: Upstream Extism Watch
+
+on:
+  schedule:
+    - cron: "0 15 * * 1"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  check-fixed-extism:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Explain watch condition
+        run: |
+          cat >> "$GITHUB_STEP_SUMMARY" <<'EOF'
+          This job tests whether a newer released Extism dependency clears the
+          temporary Wasmtime advisory ignores tracked in #2. If `cargo-deny`
+          fails with unused ignored advisories after the lockfile update,
+          update Extism, remove the stale ignores from `deny.toml`, and close #2.
+          EOF
+
+      - uses: dtolnay/rust-toolchain@stable
+        with:
+          toolchain: "1.93.1"
+
+      - name: Try latest Extism-compatible lockfile
+        run: |
+          set -euxo pipefail
+          cargo update -p extism -p extism-convert -p extism-convert-macros -p extism-manifest
+
+      - name: Check advisories after Extism update
+        uses: EmbarkStudios/cargo-deny-action@v2
+        with:
+          rust-version: "1.93.1"
+          command: check advisories

.gitignore

@@ -0,0 +1,4 @@
+/target
+.DS_Store
+.idea/
+*.swp

CLAUDE.md

@@ -0,0 +1,27 @@
+# 1Password Rust SDK
+
+## Build Commands
+
+- `cargo fmt --check` — check formatting
+- `cargo clippy -- -D warnings` — lint
+- `cargo test` — run tests
+- `cargo build` — build (default features)
+- `cargo build --features desktop` — build with desktop app integration
+
+## Conventions
+
+- Edition 2024, Rust 1.93.1
+- `#![deny(unsafe_code)]` at crate root; `#[allow(unsafe_code)]` only on FFI modules
+- `thiserror` for error types
+- `serde` for all JSON serialization
+- Inline `#[cfg(test)] mod tests` blocks
+- Conventional commits: `type(scope): description`
+- Run `cargo fmt --check && cargo clippy -- -D warnings && cargo test` before pushing
+- Do NOT add `Co-Authored-By: Claude` lines to commit messages
+
+## Architecture
+
+Typed wrapper around an opaque WASM core binary. All API calls serialize params to JSON,
+call `Core::invoke()`, and deserialize the response. Two core backends:
+- `ExtismCore` (default) — embedded WASM via Extism
+- `SharedLibCore` (feature: `desktop`) — native shared library from 1Password desktop app