@captainsafia/burrow 1.0.0-preview.6e67e96 → 1.0.0-preview.aac83a8

package/README.md

@@ -30,7 +30,7 @@ burrow set DATABASE_URL=postgres://localhost/mydb --path ~/projects
 ### Get a secret
 
 ```bash
-burrow get API_KEY --show
+burrow get API_KEY
 burrow get API_KEY --format json
 ```
 
@@ -54,6 +54,14 @@ eval "$(burrow export --format shell)" && npm start
 burrow unset API_KEY --path ~/projects/app/tests
 ```
 
+### Remove a secret
+
+```bash
+burrow remove API_KEY --path ~/projects/app
+```
+
+Unlike `unset` which blocks inheritance, `remove` deletes the entry entirely, restoring inheritance from parent directories.
+
 ## How It Works
 
 Secrets are stored in your user profile:
@@ -76,13 +84,26 @@ import { BurrowClient } from '@captainsafia/burrow';
 
 const client = new BurrowClient();
 
-await client.set('API_KEY', 'secret123', { path: '/my/project' });
+try {
+  await client.set('API_KEY', 'secret123', { path: '/my/project' });
 
-const secret = await client.get('API_KEY', { cwd: '/my/project/subdir' });
-console.log(secret?.value); // 'secret123'
-console.log(secret?.sourcePath); // '/my/project'
+  const secret = await client.get('API_KEY', { cwd: '/my/project/subdir' });
+  console.log(secret?.value); // 'secret123'
+  console.log(secret?.sourcePath); // '/my/project'
 
-const allSecrets = await client.list({ cwd: '/my/project' });
+  const allSecrets = await client.list({ cwd: '/my/project' });
+} finally {
+  client.close(); // Clean up database connection
+}
+```
+
+Or with TypeScript's `using` declarations for automatic cleanup:
+
+```typescript
+{
+  using client = new BurrowClient();
+  await client.set('API_KEY', 'secret123');
+} // Automatically cleaned up
 ```
 
 ## Contributing

package/dist/api.d.ts

@@ -21,7 +21,7 @@ export interface BurrowClientOptions {
 	configDir?: string;
 	/**
 	 * Custom filename for the secrets store.
-	 * Defaults to `store.json`.
+	 * Defaults to `store.db`.
 	 */
 	storeFileName?: string;
 	/**
@@ -72,6 +72,16 @@ export interface BlockOptions {
 	 */
 	path?: string;
 }
+/**
+ * Options for the `remove` method.
+ */
+export interface RemoveOptions {
+	/**
+	 * Directory path to remove the secret from.
+	 * Defaults to the current working directory.
+	 */
+	path?: string;
+}
 /**
  * Options for the `export` method.
  */
@@ -89,10 +99,6 @@ export interface ExportOptions {
 	 * - `json`: Exports as a JSON object
 	 */
 	format?: ExportFormat;
-	/**
-	 * Whether to show actual values (currently unused, reserved for future use).
-	 */
-	showValues?: boolean;
 	/**
 	 * Whether to include source paths in JSON output.
 	 * When true, JSON output includes `{ key: { value, sourcePath } }` format.
@@ -141,7 +147,7 @@ export declare class BurrowClient {
 	 * The secret will be available to the specified directory and all its
 	 * subdirectories, unless overridden or blocked at a deeper level.
 	 *
-	 * @param key - Environment variable name. Must match `^[A-Z_][A-Z0-9_]*$`
+	 * @param key - Environment variable name. Must match `^[A-Za-z_][A-Za-z0-9_]*$`
 	 * @param value - Secret value to store
 	 * @param options - Set options including target path
 	 * @throws Error if the key format is invalid
@@ -205,7 +211,7 @@ export declare class BurrowClient {
 	 *
 	 * A blocked key can be re-enabled by calling `set` at the same or deeper path.
 	 *
-	 * @param key - Environment variable name to block. Must match `^[A-Z_][A-Z0-9_]*$`
+	 * @param key - Environment variable name to block. Must match `^[A-Za-z_][A-Za-z0-9_]*$`
 	 * @param options - Block options including target path
 	 * @throws Error if the key format is invalid
 	 *
@@ -223,6 +229,33 @@ export declare class BurrowClient {
 	 * ```
 	 */
 	block(key: string, options?: BlockOptions): Promise<void>;
+	/**
+	 * Removes a secret entry entirely from the specified path.
+	 *
+	 * Unlike `block`, which creates a tombstone to prevent inheritance,
+	 * `remove` completely deletes the secret entry. After removal, the key
+	 * may still be inherited from parent directories if defined there.
+	 *
+	 * @param key - Environment variable name to remove. Must match `^[A-Za-z_][A-Za-z0-9_]*$`
+	 * @param options - Remove options including target path
+	 * @returns true if the secret was found and removed, false if it didn't exist
+	 * @throws Error if the key format is invalid
+	 *
+	 * @example
+	 * ```typescript
+	 * // Set a secret
+	 * await client.set('API_KEY', 'secret', { path: '/projects/myapp' });
+	 *
+	 * // Remove it entirely
+	 * const removed = await client.remove('API_KEY', { path: '/projects/myapp' });
+	 * console.log(removed); // true
+	 *
+	 * // Trying to remove again returns false
+	 * const removedAgain = await client.remove('API_KEY', { path: '/projects/myapp' });
+	 * console.log(removedAgain); // false
+	 * ```
+	 */
+	remove(key: string, options?: RemoveOptions): Promise<boolean>;
 	/**
 	 * Exports resolved secrets in various formats.
 	 *
@@ -274,6 +307,36 @@ export declare class BurrowClient {
 	 * ```
 	 */
 	resolve(cwd?: string): Promise<Map<string, ResolvedSecret>>;
+	/**
+	 * Closes the database connection and releases resources.
+	 * After calling this method, the client instance should not be used.
+	 *
+	 * This method is safe to call multiple times.
+	 *
+	 * @example
+	 * ```typescript
+	 * const client = new BurrowClient();
+	 * try {
+	 *   await client.set('API_KEY', 'value');
+	 *   // ... do work
+	 * } finally {
+	 *   client.close();
+	 * }
+	 * ```
+	 */
+	close(): void;
+	/**
+	 * Allows using the BurrowClient with `using` declarations for automatic cleanup.
+	 *
+	 * @example
+	 * ```typescript
+	 * {
+	 *   using client = new BurrowClient();
+	 *   await client.set('API_KEY', 'value');
+	 * } // client.close() is called automatically
+	 * ```
+	 */
+	[Symbol.dispose](): void;
 }
 /**
  * Creates a new BurrowClient instance.

package/dist/api.js

@@ -1,6 +1,6 @@
 // src/storage/index.ts
 import { Database } from "bun:sqlite";
-import { mkdir } from "node:fs/promises";
+import { chmod, mkdir } from "node:fs/promises";
 import { join as join2 } from "node:path";
 
 // src/platform/index.ts
@@ -62,8 +62,14 @@ class Storage {
       return this.db;
     }
     await mkdir(this.configDir, { recursive: true });
+    if (!isWindows()) {
+      await chmod(this.configDir, 448);
+    }
     this.db = new Database(this.storePath);
     this.db.run("PRAGMA journal_mode = WAL");
+    if (!isWindows()) {
+      await chmod(this.storePath, 384);
+    }
     this.db.run(`
       CREATE TABLE IF NOT EXISTS secrets (
         path TEXT NOT NULL,
@@ -114,6 +120,11 @@ class Storage {
     const rows = db.query("SELECT DISTINCT path FROM secrets").all();
     return rows.map((row) => row.path);
   }
+  async getAncestorPaths(canonicalPath) {
+    const db = await this.ensureDb();
+    const rows = db.query("SELECT DISTINCT path FROM secrets WHERE ? = path OR ? LIKE path || '/' || '%' OR path = '/'").all(canonicalPath, canonicalPath);
+    return rows.map((row) => row.path);
+  }
   async removeKey(canonicalPath, key) {
     const db = await this.ensureDb();
     const existing = db.query("SELECT path FROM secrets WHERE path = ? AND key = ?").get(canonicalPath, key);
@@ -123,6 +134,15 @@ class Storage {
     db.query("DELETE FROM secrets WHERE path = ? AND key = ?").run(canonicalPath, key);
     return true;
   }
+  close() {
+    if (this.db) {
+      this.db.close();
+      this.db = null;
+    }
+  }
+  [Symbol.dispose]() {
+    this.close();
+  }
 }
 
 // src/core/path.ts
@@ -159,16 +179,6 @@ function normalizePath(path) {
   }
   return normalized;
 }
-function isAncestorOf(ancestorPath, descendantPath) {
-  if (ancestorPath === descendantPath) {
-    return true;
-  }
-  const ancestorWithSep = ancestorPath.endsWith(sep) ? ancestorPath : ancestorPath + sep;
-  if (isWindows()) {
-    return descendantPath.toLowerCase().startsWith(ancestorWithSep.toLowerCase());
-  }
-  return descendantPath.startsWith(ancestorWithSep);
-}
 // src/core/resolver.ts
 class Resolver {
   storage;
@@ -182,8 +192,7 @@ class Resolver {
   async resolve(cwd) {
     const workingDir = cwd ?? process.cwd();
     const canonicalCwd = await canonicalize(workingDir, this.pathOptions);
-    const allPaths = await this.storage.getAllPaths();
-    const ancestorPaths = allPaths.filter((storedPath) => isAncestorOf(storedPath, canonicalCwd));
+    const ancestorPaths = await this.storage.getAncestorPaths(canonicalCwd);
     ancestorPaths.sort((a, b) => {
       if (isWindows()) {
         return a.toLowerCase().localeCompare(b.toLowerCase());
@@ -222,7 +231,7 @@ class Resolver {
   }
 }
 // src/core/formatter.ts
-var ENV_KEY_PATTERN = /^[A-Z_][A-Z0-9_]*$/;
+var ENV_KEY_PATTERN = /^[A-Za-z_][A-Za-z0-9_]*$/;
 function validateEnvKey(key) {
   return ENV_KEY_PATTERN.test(key);
 }
@@ -331,6 +340,12 @@ class BurrowClient {
     const canonicalPath = await canonicalize(targetPath, this.pathOptions);
     await this.storage.setSecret(canonicalPath, key, null);
   }
+  async remove(key, options = {}) {
+    assertValidEnvKey(key);
+    const targetPath = options.path ?? process.cwd();
+    const canonicalPath = await canonicalize(targetPath, this.pathOptions);
+    return this.storage.removeKey(canonicalPath, key);
+  }
   async export(options = {}) {
     const secrets = await this.resolver.resolve(options.cwd);
     const fmt = options.format ?? "shell";
@@ -341,6 +356,12 @@ class BurrowClient {
   async resolve(cwd) {
     return this.resolver.resolve(cwd);
   }
+  close() {
+    this.storage.close();
+  }
+  [Symbol.dispose]() {
+    this.close();
+  }
 }
 function createClient(options) {
   return new BurrowClient(options);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@captainsafia/burrow",
-  "version": "1.0.0-preview.6e67e96",
+  "version": "1.0.0-preview.aac83a8",
   "description": "Platform-agnostic, directory-scoped secrets manager",
   "type": "module",
   "main": "dist/api.js",