npm - @captainsafia/burrow - Versions diffs - 1.0.0-preview.0a24dbc → 1.0.0-preview.0d335f8 - Mend

@captainsafia/burrow 1.0.0-preview.0a24dbc → 1.0.0-preview.0d335f8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/README.md CHANGED Viewed

@@ -54,6 +54,14 @@ eval "$(burrow export --format shell)" && npm start
 burrow unset API_KEY --path ~/projects/app/tests
 ```
+### Remove a secret
+```bash
+burrow remove API_KEY --path ~/projects/app
+```
+Unlike `unset` which blocks inheritance, `remove` deletes the entry entirely, restoring inheritance from parent directories.
 ## How It Works
 Secrets are stored in your user profile:

package/dist/api.d.ts CHANGED Viewed

@@ -72,6 +72,16 @@ export interface BlockOptions {
 	 */
 	path?: string;
 }
+/**
+ * Options for the `remove` method.
+ */
+export interface RemoveOptions {
+	/**
+	 * Directory path to remove the secret from.
+	 * Defaults to the current working directory.
+	 */
+	path?: string;
+}
 /**
  * Options for the `export` method.
  */
@@ -223,6 +233,33 @@ export declare class BurrowClient {
 	 * ```
 	 */
 	block(key: string, options?: BlockOptions): Promise<void>;
+	/**
+	 * Removes a secret entry entirely from the specified path.
+	 *
+	 * Unlike `block`, which creates a tombstone to prevent inheritance,
+	 * `remove` completely deletes the secret entry. After removal, the key
+	 * may still be inherited from parent directories if defined there.
+	 *
+	 * @param key - Environment variable name to remove. Must match `^[A-Z_][A-Z0-9_]*$`
+	 * @param options - Remove options including target path
+	 * @returns true if the secret was found and removed, false if it didn't exist
+	 * @throws Error if the key format is invalid
+	 *
+	 * @example
+	 * ```typescript
+	 * // Set a secret
+	 * await client.set('API_KEY', 'secret', { path: '/projects/myapp' });
+	 *
+	 * // Remove it entirely
+	 * const removed = await client.remove('API_KEY', { path: '/projects/myapp' });
+	 * console.log(removed); // true
+	 *
+	 * // Trying to remove again returns false
+	 * const removedAgain = await client.remove('API_KEY', { path: '/projects/myapp' });
+	 * console.log(removedAgain); // false
+	 * ```
+	 */
+	remove(key: string, options?: RemoveOptions): Promise<boolean>;
 	/**
 	 * Exports resolved secrets in various formats.
 	 *
@@ -274,6 +311,36 @@ export declare class BurrowClient {
 	 * ```
 	 */
 	resolve(cwd?: string): Promise<Map<string, ResolvedSecret>>;
+	/**
+	 * Closes the database connection and releases resources.
+	 * After calling this method, the client instance should not be used.
+	 *
+	 * This method is safe to call multiple times.
+	 *
+	 * @example
+	 * ```typescript
+	 * const client = new BurrowClient();
+	 * try {
+	 *   await client.set('API_KEY', 'value');
+	 *   // ... do work
+	 * } finally {
+	 *   client.close();
+	 * }
+	 * ```
+	 */
+	close(): void;
+	/**
+	 * Allows using the BurrowClient with `using` declarations for automatic cleanup.
+	 *
+	 * @example
+	 * ```typescript
+	 * {
+	 *   using client = new BurrowClient();
+	 *   await client.set('API_KEY', 'value');
+	 * } // client.close() is called automatically
+	 * ```
+	 */
+	[Symbol.dispose](): void;
 }
 /**
  * Creates a new BurrowClient instance.

package/dist/api.js CHANGED Viewed

@@ -1,7 +1,7 @@
 // src/storage/index.ts
-import { mkdir, rename, readFile, unlink } from "node:fs/promises";
+import { Database } from "bun:sqlite";
+import { chmod, mkdir } from "node:fs/promises";
 import { join as join2 } from "node:path";
-import { randomBytes } from "node:crypto";
 // src/platform/index.ts
 import { homedir } from "node:os";
@@ -44,18 +44,12 @@ function isWindows() {
 }
 // src/storage/index.ts
-var STORE_VERSION = 1;
-var DEFAULT_STORE_FILE = "store.json";
-function createEmptyStore() {
-  return {
-    version: STORE_VERSION,
-    paths: {}
-  };
-}
+var DEFAULT_STORE_FILE = "store.db";
 class Storage {
   configDir;
   storeFileName;
+  db = null;
   constructor(options = {}) {
     this.configDir = options.configDir ?? getConfigDir();
     this.storeFileName = options.storeFileName ?? DEFAULT_STORE_FILE;
@@ -63,68 +57,92 @@ class Storage {
   get storePath() {
     return join2(this.configDir, this.storeFileName);
   }
-  async read() {
-    try {
-      const content = await readFile(this.storePath, "utf-8");
-      const store = JSON.parse(content);
-      if (store.version !== STORE_VERSION) {
-        throw new Error(`Unsupported store version: ${store.version}. Expected: ${STORE_VERSION}`);
-      }
-      return store;
-    } catch (error) {
-      if (error.code === "ENOENT") {
-        return createEmptyStore();
-      }
-      throw error;
+  async ensureDb() {
+    if (this.db) {
+      return this.db;
     }
-  }
-  async write(store) {
     await mkdir(this.configDir, { recursive: true });
-    const tempFileName = `.store-${randomBytes(8).toString("hex")}.tmp`;
-    const tempPath = join2(this.configDir, tempFileName);
-    const content = JSON.stringify(store, null, 2);
-    try {
-      const file = Bun.file(tempPath);
-      await Bun.write(file, content);
-      await rename(tempPath, this.storePath);
-    } catch (error) {
-      try {
-        await unlink(tempPath);
-      } catch {}
-      throw error;
+    if (!isWindows()) {
+      await chmod(this.configDir, 448);
+    }
+    this.db = new Database(this.storePath);
+    this.db.run("PRAGMA journal_mode = WAL");
+    if (!isWindows()) {
+      await chmod(this.storePath, 384);
     }
+    this.db.run(`
+      CREATE TABLE IF NOT EXISTS secrets (
+        path TEXT NOT NULL,
+        key TEXT NOT NULL,
+        value TEXT,
+        updated_at TEXT NOT NULL,
+        PRIMARY KEY (path, key)
+      )
+    `);
+    this.db.run("CREATE INDEX IF NOT EXISTS idx_secrets_path ON secrets (path)");
+    const versionResult = this.db.query("PRAGMA user_version").get();
+    const currentVersion = versionResult?.user_version ?? 0;
+    if (currentVersion === 0) {
+      this.db.run("PRAGMA user_version = 1");
+    } else if (currentVersion !== 1) {
+      throw new Error(`Unsupported store version: ${currentVersion}. Expected: 1`);
+    }
+    return this.db;
   }
   async setSecret(canonicalPath, key, value) {
-    const store = await this.read();
-    if (!store.paths[canonicalPath]) {
-      store.paths[canonicalPath] = {};
-    }
-    store.paths[canonicalPath][key] = {
-      value,
-      updatedAt: new Date().toISOString()
-    };
-    await this.write(store);
+    const db = await this.ensureDb();
+    const updatedAt = new Date().toISOString();
+    db.query(`
+      INSERT INTO secrets (path, key, value, updated_at)
+      VALUES (?, ?, ?, ?)
+      ON CONFLICT(path, key) DO UPDATE SET
+        value = excluded.value,
+        updated_at = excluded.updated_at
+    `).run(canonicalPath, key, value, updatedAt);
   }
   async getPathSecrets(canonicalPath) {
-    const store = await this.read();
-    return store.paths[canonicalPath];
+    const db = await this.ensureDb();
+    const rows = db.query("SELECT key, value, updated_at FROM secrets WHERE path = ?").all(canonicalPath);
+    if (rows.length === 0) {
+      return;
+    }
+    const secrets = {};
+    for (const row of rows) {
+      secrets[row.key] = {
+        value: row.value,
+        updatedAt: row.updated_at
+      };
+    }
+    return secrets;
   }
   async getAllPaths() {
-    const store = await this.read();
-    return Object.keys(store.paths);
+    const db = await this.ensureDb();
+    const rows = db.query("SELECT DISTINCT path FROM secrets").all();
+    return rows.map((row) => row.path);
+  }
+  async getAncestorPaths(canonicalPath) {
+    const db = await this.ensureDb();
+    const rows = db.query("SELECT DISTINCT path FROM secrets WHERE ? = path OR ? LIKE path || '/' || '%' OR path = '/'").all(canonicalPath, canonicalPath);
+    return rows.map((row) => row.path);
   }
   async removeKey(canonicalPath, key) {
-    const store = await this.read();
-    if (!store.paths[canonicalPath]?.[key]) {
+    const db = await this.ensureDb();
+    const existing = db.query("SELECT path FROM secrets WHERE path = ? AND key = ?").get(canonicalPath, key);
+    if (!existing) {
       return false;
     }
-    delete store.paths[canonicalPath][key];
-    if (Object.keys(store.paths[canonicalPath]).length === 0) {
-      delete store.paths[canonicalPath];
-    }
-    await this.write(store);
+    db.query("DELETE FROM secrets WHERE path = ? AND key = ?").run(canonicalPath, key);
     return true;
   }
+  close() {
+    if (this.db) {
+      this.db.close();
+      this.db = null;
+    }
+  }
+  [Symbol.dispose]() {
+    this.close();
+  }
 }
 // src/core/path.ts
@@ -161,16 +179,6 @@ function normalizePath(path) {
   }
   return normalized;
 }
-function isAncestorOf(ancestorPath, descendantPath) {
-  if (ancestorPath === descendantPath) {
-    return true;
-  }
-  const ancestorWithSep = ancestorPath.endsWith(sep) ? ancestorPath : ancestorPath + sep;
-  if (isWindows()) {
-    return descendantPath.toLowerCase().startsWith(ancestorWithSep.toLowerCase());
-  }
-  return descendantPath.startsWith(ancestorWithSep);
-}
 // src/core/resolver.ts
 class Resolver {
   storage;
@@ -184,8 +192,7 @@ class Resolver {
   async resolve(cwd) {
     const workingDir = cwd ?? process.cwd();
     const canonicalCwd = await canonicalize(workingDir, this.pathOptions);
-    const allPaths = await this.storage.getAllPaths();
-    const ancestorPaths = allPaths.filter((storedPath) => isAncestorOf(storedPath, canonicalCwd));
+    const ancestorPaths = await this.storage.getAncestorPaths(canonicalCwd);
     ancestorPaths.sort((a, b) => {
       if (isWindows()) {
         return a.toLowerCase().localeCompare(b.toLowerCase());
@@ -224,7 +231,7 @@ class Resolver {
   }
 }
 // src/core/formatter.ts
-var ENV_KEY_PATTERN = /^[A-Z_][A-Z0-9_]*$/;
+var ENV_KEY_PATTERN = /^[A-Za-z_][A-Za-z0-9_]*$/;
 function validateEnvKey(key) {
   return ENV_KEY_PATTERN.test(key);
 }
@@ -333,6 +340,12 @@ class BurrowClient {
     const canonicalPath = await canonicalize(targetPath, this.pathOptions);
     await this.storage.setSecret(canonicalPath, key, null);
   }
+  async remove(key, options = {}) {
+    assertValidEnvKey(key);
+    const targetPath = options.path ?? process.cwd();
+    const canonicalPath = await canonicalize(targetPath, this.pathOptions);
+    return this.storage.removeKey(canonicalPath, key);
+  }
   async export(options = {}) {
     const secrets = await this.resolver.resolve(options.cwd);
     const fmt = options.format ?? "shell";
@@ -343,6 +356,12 @@ class BurrowClient {
   async resolve(cwd) {
     return this.resolver.resolve(cwd);
   }
+  close() {
+    this.storage.close();
+  }
+  [Symbol.dispose]() {
+    this.close();
+  }
 }
 function createClient(options) {
   return new BurrowClient(options);

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@captainsafia/burrow",
-  "version": "1.0.0-preview.0a24dbc",
+  "version": "1.0.0-preview.0d335f8",
   "description": "Platform-agnostic, directory-scoped secrets manager",
   "type": "module",
   "main": "dist/api.js",