kdep 0.4.1 → 0.4.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 450b677af3690ea40e247b8d68f1c368dc111022188672592c17225b4e5845be
-  data.tar.gz: 90a0f5d3d879ecc76a86a8f10948a5b3a4ebe3a30a291043231a15df4186d771
+  metadata.gz: ff3707147a8d4a32a335ba5ea6637e05275705d0a91c0fec08bdf649b506ba34
+  data.tar.gz: f3b17aeb70128be4e3b4ae9e3b46d359a11698657159a04f386a849daef6c468
 SHA512:
-  metadata.gz: c6dd760c8f39d27b1ac34d1778703ac1135aac8cedb815a5c7447f9b7a7eaca7927021c349b7afe32055169bd7cc956af88473f6ea0a1103ea8bb7e9e599a143
-  data.tar.gz: ae26cf5e39c5eafefcb90ca5c3d3b952c912a54ea424a0239db2c64a64b5015941f0df5a743550dce56c0b581bb70b79b41eb59a4442d36e3fd4b6320ada5ba1
+  metadata.gz: 5ca718ac0ff7e9f29fcafeecaae8a77e68abbaa90d6ac7c8dcea130523358e615775c8a6605becc1b7c46d9bee687f33ddf65d599eacf4d2ace92226ff7a7df2
+  data.tar.gz: a1750b835fee48cd3de6926e8178e904872e24a92b0a7a95433725212c4daa71b5d4cbff678db9c81ae49f21a1f0d52a45b5e05b93497c31f6852e3a48fe7b00

data/exe/kdep-update-all-rubies

@@ -1,53 +1,79 @@
-#!/usr/bin/env bash
-# Update kdep in every installed rbenv Ruby.
-# Skips 'system' (not managed by rbenv) and any Ruby that can't install the
-# current kdep gem (e.g. because it's below kdep's minimum Ruby requirement).
-
-set -eo pipefail
-
-eval "$(rbenv init -)"
-
-target_gem="${1:-kdep}"
-want_version="${2:-}"   # optional — defaults to latest on rubygems
-
-echo "== updating $target_gem${want_version:+ to $want_version} across rbenv rubies =="
-echo
-
-ok=()
-fail=()
-skipped=()
-
-for ruby in $(rbenv versions --bare); do
-  # Skip 'system' and non-MRI builds you probably don't care about by default.
-  if [[ "$ruby" == "system" ]]; then
-    skipped+=("$ruby (system ruby)")
-    continue
-  fi
-
-  printf -- "---- %s ----\n" "$ruby"
-  if ! RBENV_VERSION="$ruby" ruby -v >/dev/null 2>&1; then
-    echo "  ruby binary missing, skipping"
-    skipped+=("$ruby (binary missing)")
-    echo
-    continue
-  fi
-
-  cmd=(gem install --no-document "$target_gem")
-  [[ -n "$want_version" ]] && cmd+=(-v "$want_version")
-
-  if RBENV_VERSION="$ruby" "${cmd[@]}"; then
-    installed_ver=$(RBENV_VERSION="$ruby" gem list -i "$target_gem" -e --silent >/dev/null 2>&1 && \
-                    RBENV_VERSION="$ruby" gem list "$target_gem" | awk -v g="$target_gem" '$1==g {print $2}' | tr -d '(),' | head -1)
-    ok+=("$ruby -> $installed_ver")
+#!/usr/bin/env ruby
+# Update a gem (default: kdep) in every installed rbenv Ruby.
+# Iterates `rbenv versions --bare`, skips `system`, and `gem install`s into each.
+#
+# Usage:
+#   kdep-update-all-rubies            # latest kdep into every rbenv ruby
+#   kdep-update-all-rubies kdep 0.4.1 # pin to a version
+#   kdep-update-all-rubies rubocop    # works for any gem
+
+require "open3"
+
+gem_name = ARGV[0] || "kdep"
+gem_version = ARGV[1]  # optional
+
+def rbenv_available?
+  out, _err, status = Open3.capture3("sh", "-c", "rbenv --version")
+  status.success? && !out.strip.empty?
+end
+
+def list_rubies
+  out, _err, status = Open3.capture3("rbenv", "versions", "--bare")
+  return [] unless status.success?
+  out.lines.map(&:strip).reject(&:empty?)
+end
+
+def run_in_ruby(ruby, cmd)
+  # Resolve the target Ruby's bin dir via rbenv prefix, then exec commands
+  # from there. Avoids needing `eval "$(rbenv init -)"` in this script.
+  prefix, _err, status = Open3.capture3({ "RBENV_VERSION" => ruby }, "rbenv", "prefix")
+  return [nil, "rbenv prefix failed", status] unless status.success?
+  bin_dir = File.join(prefix.strip, "bin")
+  env = { "PATH" => "#{bin_dir}:#{ENV["PATH"]}", "RBENV_VERSION" => ruby }
+  Open3.capture3(env, *cmd)
+end
+
+unless rbenv_available?
+  warn "rbenv not found on PATH — this script requires rbenv"
+  exit 1
+end
+
+rubies = list_rubies
+rubies.delete("system")  # not managed by rbenv
+if rubies.empty?
+  warn "no rbenv rubies installed"
+  exit 1
+end
+
+label = gem_version ? "#{gem_name} #{gem_version}" : gem_name
+puts "== updating #{label} across rbenv rubies =="
+puts
+
+ok = []
+failed = []
+
+rubies.each do |ruby|
+  puts "---- #{ruby} ----"
+  cmd = ["gem", "install", "--no-document", gem_name]
+  cmd += ["-v", gem_version] if gem_version
+
+  stdout, stderr, status = run_in_ruby(ruby, cmd)
+  print stdout
+  $stderr.print stderr unless stderr.strip.empty?
+
+  if status&.success?
+    list_stdout, _ls, _lst = run_in_ruby(ruby, ["gem", "list", gem_name])
+    version_line = list_stdout.lines.find { |l| l =~ /^#{Regexp.escape(gem_name)}\s+/ } if list_stdout
+    installed = version_line ? version_line[/\(([^)]+)\)/, 1]&.split(",")&.first&.strip : "?"
+    ok << "#{ruby} -> #{installed}"
   else
-    fail+=("$ruby")
-  fi
-  echo
-done
+    failed << ruby
+  end
+  puts
+end
 
-echo "== summary =="
-for line in "${ok[@]-}";      do [[ -n "$line" ]] && echo "  ok:      $line";      done
-for line in "${skipped[@]-}"; do [[ -n "$line" ]] && echo "  skipped: $line"; done
-for line in "${fail[@]-}";    do [[ -n "$line" ]] && echo "  FAILED:  $line";    done
+puts "== summary =="
+ok.each     { |line| puts "  ok:     #{line}" }
+failed.each { |line| puts "  FAILED: #{line}" }
 
-exit $(( ${#fail[@]} > 0 ? 1 : 0 ))
+exit(failed.empty? ? 0 : 1)

data/lib/kdep/cli.rb

@@ -22,6 +22,8 @@ module Kdep
       "dashboard" => Commands::Dashboard,
       "doctor" => Commands::Doctor,
       "check"  => Commands::Check,
+      "env"    => Commands::Env,
+      "config" => Commands::Config,
     }.freeze
 
     def initialize(argv)

data/lib/kdep/commands/apply.rb

@@ -59,7 +59,7 @@ module Kdep
 
         writer = Kdep::Writer.new(output_dir)
         writer.clean
-        renderer = Kdep::Renderer.new(config, deploy_dir)
+        renderer = Kdep::Renderer.new(config, deploy_dir, env: env)
         validator = Kdep::Validator.new
         validation_errors = []
 

data/lib/kdep/commands/build.rb

@@ -42,9 +42,15 @@ module Kdep
         # Load config
         config = Kdep::Config.new(deploy_dir, env).load
 
-        # Construct full image tag
+        # Resolve tag from state.yml — app.yml has no tag field by design;
+        # state.yml is the source of truth for the last bumped version.
+        tag = Kdep::State.tag(deploy_dir)
+        unless tag
+          @ui.error("No tag in state.yml for #{deploy_dir}. Run `kdep bump` first.")
+          exit 1
+        end
+
         image = config["image"] || config["name"]
-        tag = config["tag"] || "latest"
         registry = config["registry"]
 
         if registry && !registry.to_s.empty?

data/lib/kdep/commands/bump.rb

@@ -60,7 +60,7 @@ module Kdep
           run_helm_pipeline(deploy_dir, env)
           return
         elsif preset == "custom"
-          run_custom_pipeline(deploy_dir, config, kdep_dir)
+          run_custom_pipeline(deploy_dir, config, kdep_dir, env)
           return
         end
 
@@ -138,7 +138,7 @@ module Kdep
 
             writer = Kdep::Writer.new(output_dir)
             writer.clean
-            renderer = Kdep::Renderer.new(config, deploy_dir)
+            renderer = Kdep::Renderer.new(config, deploy_dir, env: env)
             validator = Kdep::Validator.new
             validation_errors = []
 
@@ -230,7 +230,7 @@ module Kdep
       end
 
       # Feature E: custom-preset bump = render + apply, no docker, no state.
-      def run_custom_pipeline(deploy_dir, config, kdep_dir)
+      def run_custom_pipeline(deploy_dir, config, kdep_dir, env = nil)
         # Context guard for safety.
         begin
           Kdep::ContextGuard.new(config["context"]).validate!
@@ -245,7 +245,7 @@ module Kdep
 
         writer = Kdep::Writer.new(output_dir)
         writer.clean
-        renderer = Kdep::Renderer.new(config, deploy_dir)
+        renderer = Kdep::Renderer.new(config, deploy_dir, env: env)
         preset_resources = Kdep::Preset.new("custom", deploy_dir).resources
 
         preset_resources.each_with_index do |resource, idx|

data/lib/kdep/commands/config.rb

@@ -0,0 +1,56 @@
+require "optparse"
+
+module Kdep
+  module Commands
+    # `kdep config set <key> <value>` — writes a dotted key into ~/.kdep/config.yml.
+    # `kdep config get <key>`         — reads a dotted key.
+    #
+    # Currently used to seed Infisical settings:
+    #   kdep config set infisical.identity_id <uuid>
+    #   kdep config set infisical.host_api    https://dev-env.leadfy.xyz/api
+    class Config
+      SUBCOMMANDS = %w[set get show].freeze
+
+      def self.option_parser
+        OptionParser.new do |opts|
+          opts.banner = "Usage: kdep config <set|get|show> [key] [value]"
+        end
+      end
+
+      def initialize(global_options:, command_options:, args:)
+        @global_options = global_options
+        @command_options = command_options
+        @args = args
+        @ui = Kdep::UI.new
+      end
+
+      def execute
+        sub = @args.shift
+        unless SUBCOMMANDS.include?(sub)
+          @ui.error("Unknown subcommand: #{sub.inspect}. Available: #{SUBCOMMANDS.join(', ')}")
+          exit 2
+        end
+
+        case sub
+        when "set"
+          key, value = @args[0], @args[1]
+          unless key && value
+            @ui.error("Usage: kdep config set <key> <value>")
+            exit 2
+          end
+          path = Kdep::UserConfig.set(key, value)
+          @ui.success("Set #{key} -> #{value} (#{path})")
+        when "get"
+          key = @args[0]
+          unless key
+            @ui.error("Usage: kdep config get <key>")
+            exit 2
+          end
+          puts Kdep::UserConfig.get(*key.split("."))
+        when "show"
+          puts Kdep::UserConfig.load.to_yaml
+        end
+      end
+    end
+  end
+end

data/lib/kdep/commands/diff.rb

@@ -60,7 +60,7 @@ module Kdep
         Dir.mktmpdir("kdep-diff-") do |tmpdir|
           preset = Kdep::Preset.new(config["preset"], deploy_dir)
           writer = Kdep::Writer.new(tmpdir)
-          renderer = Kdep::Renderer.new(config, deploy_dir)
+          renderer = Kdep::Renderer.new(config, deploy_dir, env: env)
 
           preset.resources.each_with_index do |resource_name, idx|
             begin

data/lib/kdep/commands/env.rb

@@ -0,0 +1,46 @@
+require "optparse"
+
+module Kdep
+  module Commands
+    # Dispatcher for `kdep env <subcommand>`. Currently only `check` is wired.
+    class Env
+      SUBCOMMANDS = %w[check].freeze
+
+      def self.option_parser
+        OptionParser.new do |opts|
+          opts.banner = "Usage: kdep env <subcommand> [options] [deploy] [env]"
+          opts.separator ""
+          opts.separator "Subcommands:"
+          opts.separator "  check    Validate ConfigMap+Secret in cluster against env.spec"
+          opts.separator ""
+          opts.on("--env=ENV", "Environment scope (production|staging|dev)")
+        end
+      end
+
+      def initialize(global_options:, command_options:, args:)
+        @global_options = global_options
+        @command_options = command_options
+        @args = args
+        @ui = Kdep::UI.new
+      end
+
+      def execute
+        sub = @args.shift
+        unless SUBCOMMANDS.include?(sub)
+          @ui.error("Unknown subcommand: #{sub.inspect}. Available: #{SUBCOMMANDS.join(', ')}")
+          exit 2
+        end
+
+        case sub
+        when "check"
+          require "kdep/commands/env_check"
+          Kdep::Commands::EnvCheck.new(
+            global_options: @global_options,
+            command_options: @command_options,
+            args: @args
+          ).execute
+        end
+      end
+    end
+  end
+end

data/lib/kdep/commands/env_check.rb

@@ -0,0 +1,104 @@
+require "yaml"
+require "base64"
+
+module Kdep
+  module Commands
+    # Validates the live ConfigMap+Secret in the cluster against the contract
+    # declared in `env.spec` at the repo root.
+    #
+    # Reports three buckets:
+    #   - missing : keys declared (and required) in env.spec but absent in
+    #               cluster ConfigMap/Secret
+    #   - extra   : keys present in cluster but not declared in env.spec
+    #   - invalid : declared keys whose value fails type validation
+    #
+    # Independent of Infisical: just compares declared shape vs live K8s state.
+    class EnvCheck
+      def initialize(global_options:, command_options:, args:)
+        @global_options = global_options
+        @command_options = command_options
+        @args = args
+        @ui = Kdep::UI.new
+      end
+
+      def execute
+        deploy_name = @args[0]
+        env_arg = @args[1] || @command_options[:env]
+
+        discovery = Kdep::Discovery.new
+        kdep_dir = discovery.find_kdep_dir
+        unless kdep_dir
+          @ui.error("No kdep/ directory found")
+          exit 1
+        end
+
+        deploy_dir = resolve_deploy_dir(kdep_dir, deploy_name, discovery)
+        exit 1 unless deploy_dir
+
+        repo_root = File.expand_path("..", kdep_dir)
+        spec_path = File.join(repo_root, "env.spec")
+        unless File.exist?(spec_path)
+          @ui.error("env.spec not found at #{spec_path}")
+          exit 1
+        end
+
+        spec = EnvSpec.parse_file(spec_path)
+        config = Kdep::Config.new(deploy_dir, env_arg).load
+        namespace = config["namespace"]
+        unless namespace
+          @ui.error("namespace missing in app.yml -- cannot query cluster")
+          exit 1
+        end
+
+        configmap_name = config["configmap_name"] || "config-#{config["name"]}"
+        secret_name    = config["secret_name"]    || "#{File.basename(deploy_dir)}-secrets"
+
+        live_cm  = fetch_data("configmap", configmap_name, namespace)
+        live_sec = fetch_data("secret",    secret_name,    namespace, decode: true)
+
+        merged = live_cm.merge(live_sec)
+        problems = spec.validate(merged, env: env_arg || "*", strict: true)
+
+        scope_label = env_arg || "shared"
+        if problems.empty?
+          @ui.success("env satisfies env.spec (#{scope_label}, namespace=#{namespace})")
+          exit 0
+        end
+
+        @ui.error("env.spec mismatches in #{namespace} (scope=#{scope_label}):")
+        problems.each { |p| @ui.error("  - #{p}") }
+        exit 1
+      end
+
+      private
+
+      def resolve_deploy_dir(kdep_dir, deploy_name, discovery)
+        if deploy_name
+          dir = File.join(kdep_dir, deploy_name)
+          unless File.directory?(dir)
+            @ui.error("Deploy not found: #{deploy_name}")
+            return nil
+          end
+          dir
+        else
+          deploys = discovery.find_deploys
+          if deploys.length == 1
+            File.join(kdep_dir, deploys[0])
+          else
+            @ui.error("Specify a deploy: #{deploys.join(', ')}")
+            nil
+          end
+        end
+      end
+
+      def fetch_data(kind, name, namespace, decode: false)
+        yaml = Kdep::Kubectl.get(kind, name, namespace: namespace)
+        return {} unless yaml
+        parsed = YAML.safe_load(yaml) || {}
+        data = parsed["data"] || {}
+        return data unless decode
+        data.each_with_object({}) { |(k, v), out| out[k] = Base64.decode64(v.to_s) }
+      end
+    end
+  end
+end

data/lib/kdep/commands/helm_install.rb

@@ -26,6 +26,7 @@ module Kdep
       def execute
         deploy_name = @args[0]
         env = @args[1]
+        @env = env
         @dry_run = @command_options[:"dry-run"]
 
         # Discover kdep/ directory
@@ -239,7 +240,7 @@ module Kdep
 
         writer = Kdep::Writer.new(output_dir)
         writer.clean
-        renderer = Kdep::Renderer.new(config, @deploy_dir)
+        renderer = Kdep::Renderer.new(config, @deploy_dir, env: @env)
         validator = Kdep::Validator.new
 
         files_written = 0

data/lib/kdep/commands/init.rb

@@ -72,12 +72,20 @@ module Kdep
         File.write(File.join(target_dir, "app.yml"), app_yml_content)
         @ui.file_written("kdep/#{deploy_name}/app.yml")
 
-        # Copy secrets.yml
-        FileUtils.cp(
-          File.join(Kdep.templates_dir, "init", "secrets.yml"),
-          File.join(target_dir, "secrets.yml")
-        )
-        @ui.file_written("kdep/#{deploy_name}/secrets.yml")
+        # Drop env.spec at the repo root (one per repo, not per deploy).
+        # Skip if it already exists -- another deploy in this repo may have
+        # created it, and the spec is shared.
+        repo_root = Dir.pwd
+        env_spec_path = File.join(repo_root, "env.spec")
+        if File.exist?(env_spec_path)
+          @ui.info("env.spec already exists at repo root -- leaving as-is")
+        else
+          FileUtils.cp(
+            File.join(Kdep.templates_dir, "init", "env.spec"),
+            env_spec_path
+          )
+          @ui.file_written("env.spec")
+        end
 
         # Copy .gitignore
         FileUtils.cp(

data/lib/kdep/commands/migrate.rb

@@ -157,7 +157,7 @@ module Kdep
           output_dir = File.join(tmpdir, ".rendered")
           writer = Kdep::Writer.new(output_dir)
           writer.clean
-          renderer = Kdep::Renderer.new(config, target_dir)
+          renderer = Kdep::Renderer.new(config, target_dir, env: env)
 
           rendered_files = []
           preset.resources.each_with_index do |res, idx|

data/lib/kdep/commands/push.rb

@@ -41,9 +41,15 @@ module Kdep
         # Load config
         config = Kdep::Config.new(deploy_dir, env).load
 
-        # Construct full image tag
+        # Resolve tag from state.yml — app.yml has no tag field by design;
+        # state.yml is the source of truth for the last bumped version.
+        tag = Kdep::State.tag(deploy_dir)
+        unless tag
+          @ui.error("No tag in state.yml for #{deploy_dir}. Run `kdep bump` first.")
+          exit 1
+        end
+
         image = config["image"] || config["name"]
-        tag = config["tag"] || "latest"
         registry = config["registry"]
 
         if registry && !registry.to_s.empty?

data/lib/kdep/commands/render.rb

@@ -57,7 +57,7 @@ module Kdep
         # Set up writer and renderer
         writer = Kdep::Writer.new(output_dir)
         writer.clean
-        renderer = Kdep::Renderer.new(config, deploy_dir)
+        renderer = Kdep::Renderer.new(config, deploy_dir, env: env)
         validator = Kdep::Validator.new
 
         files_written = 0

data/lib/kdep/renderer.rb

@@ -3,28 +3,46 @@ require "yaml"
 
 module Kdep
   class Renderer
-    def initialize(config, deploy_dir)
+    # Convention: Infisical project slug = K8s namespace stripped of -stage/-dev
+    # suffix; envSlug = stage/dev/prod derived from the same suffix.
+    NS_ENV_SUFFIXES = { "-stage" => "stage", "-staging" => "stage", "-dev" => "dev" }.freeze
+
+    def initialize(config, deploy_dir, env: nil)
       @config = config
       @deploy_dir = deploy_dir
+      @env = env
     end
 
     def render_resource(resource_name)
-      template_path = resolve_template(resource_name)
-      raise "Template not found: #{resource_name}.yml.erb" unless template_path
+      # When env.spec is present, the `secret` slot becomes an InfisicalSecret CR
+      # instead of a native K8s Secret -- the Infisical operator materializes
+      # the K8s Secret in-cluster. Same env_from: secretRef wiring, no template
+      # changes in user-overridden resources.
+      effective_resource = resource_name
+      if resource_name == "secret" && env_spec
+        effective_resource = "infisical_secret"
+      end
+
+      template_path = resolve_template(effective_resource)
+      raise "Template not found: #{effective_resource}.yml.erb" unless template_path
 
       template_content = File.read(template_path)
-      erb = if RUBY_VERSION >= "2.6"
-              ERB.new(template_content, trim_mode: "-")
-            else
-              ERB.new(template_content, nil, "-")
-            end
+      erb = build_erb(template_content)
 
+      effective_config = @config
       secrets = {}
-      if resource_name == "secret"
-        secrets = load_secrets
+
+      case effective_resource
+      when "configmap"
+        effective_config = @config.merge("configmap" => resolved_configmap)
+      when "infisical_secret"
+        return nil if secret_keys_for_env.empty?
+        effective_config = @config.merge("infisical" => infisical_render_context)
+      when "secret"
+        secrets = legacy_load_secrets
       end
 
-      context = TemplateContext.new(@config, secrets)
+      context = TemplateContext.new(effective_config, secrets)
       erb.result(context.get_binding)
     end
 
@@ -36,12 +54,7 @@ module Kdep
 
       template_path = File.join(Kdep.templates_dir, "resources", "helm_ingress.yml.erb")
       raise "helm_ingress template not found at #{template_path}" unless File.exist?(template_path)
-      template_content = File.read(template_path)
-      erb = if RUBY_VERSION >= "2.6"
-              ERB.new(template_content, trim_mode: "-")
-            else
-              ERB.new(template_content, nil, "-")
-            end
+      erb = build_erb(File.read(template_path))
 
       entries.map do |ingress|
         context = TemplateContext.new(@config)
@@ -50,8 +63,101 @@ module Kdep
       end
     end
 
+    # Public so commands (e.g. `kdep env check`) can introspect the contract.
+    def env_spec
+      return @env_spec if defined?(@env_spec)
+      path = env_spec_path
+      @env_spec = path && File.exist?(path) ? EnvSpec.parse_file(path) : nil
+    end
+
     private
 
+    def build_erb(content)
+      if RUBY_VERSION >= "2.6"
+        ERB.new(content, trim_mode: "-")
+      else
+        ERB.new(content, nil, "-")
+      end
+    end
+
+    def env_spec_path
+      File.join(repo_root, "env.spec")
+    end
+
+    def repo_root
+      # deploy_dir is <repo>/kdep/<deploy>
+      File.expand_path("../..", @deploy_dir)
+    end
+
+    def env_scope
+      @env || "*"
+    end
+
+    def resolved_configmap
+      app_values = @config["configmap"] || {}
+      return app_values unless env_spec
+
+      declared = env_spec.configmap_for(env_scope)
+      out = {}
+      declared.each do |key, entry|
+        if app_values.key?(key)
+          out[key] = app_values[key]
+        elsif !entry.default.nil?
+          out[key] = entry.default
+        elsif !entry.optional
+          raise "env.spec: required ConfigMap key '#{key}' has no value " \
+                "in app.yml configmap and no default (declared at line #{entry.line})"
+        end
+      end
+      # Allow app.yml to carry keys not in spec (e.g. legacy or transitional)
+      app_values.each { |k, v| out[k] = v unless out.key?(k) }
+      out
+    end
+
+    def secret_keys_for_env
+      return [] unless env_spec
+      env_spec.secrets_for(env_scope).keys
+    end
+
+    def infisical_render_context
+      ns = @config["namespace"] || @config["secret_namespace"]
+      raise "infisical_secret: namespace missing in app.yml" unless ns
+      project, env_from_ns = split_namespace(ns)
+      env = env_from_ns || "prod"
+
+      # The materialized K8s Secret name defaults to <deploy>-secrets but
+      # respects an explicit app.yml secret_name override -- this preserves
+      # legacy env_from references (e.g. `secret/secret-foo`) so a repo
+      # can adopt env.spec without rewriting its deployment manifests.
+      managed_secret_name = @config["secret_name"] || "#{deploy_slug}-secrets"
+
+      {
+        "deploy"          => deploy_slug,
+        "secret_name"     => managed_secret_name,
+        "namespace"       => ns,
+        "identity_id"     => Kdep::UserConfig.get("infisical", "identity_id"),
+        "project_slug"    => project,
+        "secrets_path"    => "/#{deploy_slug}",
+        "env_slug"        => env,
+        "host_api"        => Kdep::UserConfig.get("infisical", "host_api") || "https://dev-env.leadfy.xyz/api",
+        "managed_keys"    => secret_keys_for_env,
+      }
+    end
+
+    def deploy_slug
+      File.basename(@deploy_dir)
+    end
+
+    # "leadfy-app"        -> ["leadfy-app", nil]    (-> envSlug=prod)
+    # "leadfy-app-stage"  -> ["leadfy-app", "stage"]
+    # "selly-dev"         -> ["selly", "dev"]
+    def split_namespace(ns)
+      NS_ENV_SUFFIXES.each do |suffix, env|
+        return [ns.sub(/#{Regexp.escape(suffix)}\z/, ""), env] if ns.end_with?(suffix)
+      end
+      [ns, nil]
+    end
+
     def resolve_template(resource_name)
       # Check user override first
       user_path = File.join(@deploy_dir, "resources", "#{resource_name}.yml.erb")
@@ -64,7 +170,9 @@ module Kdep
       nil
     end
 
-    def load_secrets
+    # Legacy: kdep/<deploy>/secrets.yml -- only used if env.spec is absent and
+    # the project still ships the native K8s Secret template.
+    def legacy_load_secrets
       secrets_path = File.join(@deploy_dir, "secrets.yml")
       return {} unless File.exist?(secrets_path)
 

data/lib/kdep/user_config.rb

@@ -0,0 +1,38 @@
+require "yaml"
+require "fileutils"
+
+module Kdep
+  # Per-user kdep config persisted at ~/.kdep/config.yml. Currently holds
+  # only Infisical settings (identity_id, host_api), but kept generic so
+  # other CLI-wide knobs can land here.
+  module UserConfig
+    PATH = File.expand_path("~/.kdep/config.yml").freeze
+
+    def self.load
+      return {} unless File.exist?(PATH)
+      YAML.safe_load(File.read(PATH)) || {}
+    end
+
+    def self.get(*keys)
+      load.dig(*keys.map(&:to_s))
+    end
+
+    def self.set(dotted_key, value)
+      keys = dotted_key.to_s.split(".")
+      data = load
+      cursor = data
+      keys[0..-2].each do |k|
+        cursor[k] = {} unless cursor[k].is_a?(Hash)
+        cursor = cursor[k]
+      end
+      cursor[keys.last] = value
+      write(data)
+    end
+
+    def self.write(data)
+      FileUtils.mkdir_p(File.dirname(PATH))
+      File.write(PATH, data.to_yaml)
+      PATH
+    end
+  end
+end

data/lib/kdep/version.rb

@@ -1,3 +1,3 @@
 module Kdep
-  VERSION = "0.4.1"
+  VERSION = "0.4.3"
 end

data/lib/kdep.rb

@@ -1,3 +1,4 @@
+require "envspec"
 require "kdep/version"
 require "kdep/ui"
 require "kdep/yaml_compat"
@@ -18,6 +19,7 @@ require "kdep/helm"
 require "kdep/registry"
 require "kdep/version_tagger"
 require "kdep/state"
+require "kdep/user_config"
 require "kdep/path_resolver"
 require "kdep/configmap_overlay"
 require "kdep/rollout_tracker"
@@ -42,6 +44,8 @@ require "kdep/commands/helm_install"
 require "kdep/commands/dashboard"
 require "kdep/commands/doctor"
 require "kdep/commands/check"
+require "kdep/commands/env"
+require "kdep/commands/config"
 require "kdep/dashboard/screen"
 require "kdep/dashboard/layout"
 require "kdep/dashboard/panel"

data/templates/init/env.spec

@@ -0,0 +1,33 @@
+# env.spec -- declarative env var contract for this repo.
+#
+# This file lives at the repo root, NOT inside kdep/. One spec per repo.
+# Values come from app.yml configmap: (for ConfigMap keys) and from
+# Infisical (for [secrets] keys -- materialized into the K8s Secret by
+# the Infisical operator at deploy time).
+#
+# Syntax:
+#   KEY                       # required str, ConfigMap, shared (all envs)
+#   KEY?                      # optional
+#   KEY: int                  # typed (str | int | bool | dsn | enum(a,b))
+#   KEY: str = default        # ConfigMap default (secrets cannot have defaults)
+#
+#   [secrets]                 # MODIFIER: subsequent keys become Secrets
+#   [env: production]         # SELECTOR: scope -> production (resets type to ConfigMap)
+#   [env: production, staging]# multi-env scope
+#
+# Validate against live cluster: kdep env check <deploy> --env=production
+# Lint syntax:                   envspec lint env.spec
+#
+# Example:
+# APP_NAME
+# LOG_LEVEL: enum(debug, info, warn, error) = info
+# PORT: int = 3000
+#
+# [secrets]
+# DATABASE_URL: dsn
+# OPENAI_API_KEY
+#
+# [env: production]
+# SENTRY_DSN: dsn
+# [secrets]
+# STRIPE_LIVE_KEY

data/templates/resources/infisical_secret.yml.erb

@@ -0,0 +1,38 @@
+<%
+  inf = @config["infisical"] || {}
+  managed_keys = inf["managed_keys"] || []
+  raise "infisical_secret: identity_id missing -- run 'kdep config set infisical.identity_id <uuid>'" unless inf["identity_id"]
+  raise "infisical_secret: env_slug missing -- pass --env=<production|staging|dev>" unless inf["env_slug"]
+-%>
+apiVersion: secrets.infisical.com/v1alpha1
+kind: InfisicalSecret
+metadata:
+  name: <%= inf["deploy"] %>
+  namespace: <%= inf["namespace"] %>
+spec:
+  hostAPI: <%= inf["host_api"] %>
+  resyncInterval: 60
+  authentication:
+    kubernetesAuth:
+      identityId: <%= inf["identity_id"] %>
+      # K8s >=1.24 no longer auto-creates legacy SA token Secrets. Tell
+      # the operator to mint short-lived projected tokens via TokenRequest.
+      autoCreateServiceAccountToken: true
+      serviceAccountRef:
+        name: default
+        namespace: <%= inf["namespace"] %>
+      secretsScope:
+        projectSlug: <%= inf["project_slug"] %>
+        envSlug: <%= inf["env_slug"] %>
+        secretsPath: "<%= inf["secrets_path"] %>"
+        recursive: false
+  managedSecretReference:
+    secretName: <%= inf["secret_name"] %>
+    secretNamespace: <%= inf["namespace"] %>
+    creationPolicy: Owner
+<% if managed_keys.any? -%>
+# Managed keys (for human reference; operator pulls live from Infisical):
+<% managed_keys.sort.each do |k| -%>
+#   - <%= k %>
+<% end -%>
+<% end -%>

metadata

@@ -1,15 +1,29 @@
 --- !ruby/object:Gem::Specification
 name: kdep
 version: !ruby/object:Gem::Version
-  version: 0.4.1
+  version: 0.4.3
 platform: ruby
 authors:
 - Leadfy
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2026-04-22 00:00:00.000000000 Z
+date: 2026-05-06 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: envspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.1'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -72,10 +86,13 @@ files:
 - lib/kdep/commands/build.rb
 - lib/kdep/commands/bump.rb
 - lib/kdep/commands/check.rb
+- lib/kdep/commands/config.rb
 - lib/kdep/commands/dashboard.rb
 - lib/kdep/commands/diff.rb
 - lib/kdep/commands/doctor.rb
 - lib/kdep/commands/eject.rb
+- lib/kdep/commands/env.rb
+- lib/kdep/commands/env_check.rb
 - lib/kdep/commands/helm_install.rb
 - lib/kdep/commands/init.rb
 - lib/kdep/commands/log.rb
@@ -121,12 +138,14 @@ files:
 - lib/kdep/template_context.rb
 - lib/kdep/ui.rb
 - lib/kdep/update_check.rb
+- lib/kdep/user_config.rb
 - lib/kdep/validator.rb
 - lib/kdep/version.rb
 - lib/kdep/version_tagger.rb
 - lib/kdep/writer.rb
 - lib/kdep/yaml_compat.rb
 - templates/init/app.yml.erb
+- templates/init/env.spec
 - templates/init/gitignore
 - templates/init/secrets.yml
 - templates/presets/cronjob
@@ -141,6 +160,7 @@ files:
 - templates/resources/cronjob.yml.erb
 - templates/resources/deployment.yml.erb
 - templates/resources/helm_ingress.yml.erb
+- templates/resources/infisical_secret.yml.erb
 - templates/resources/ingress.yml.erb
 - templates/resources/job.yml.erb
 - templates/resources/secret.yml.erb