@chriscode/hush 2.8.1 → 2.8.3

package/dist/commands/skill.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"skill.d.ts","sourceRoot":"","sources":["../../src/commands/skill.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AA2jChD,wBAAsB,YAAY,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CA0CvE"}
+{"version":3,"file":"skill.d.ts","sourceRoot":"","sources":["../../src/commands/skill.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAqkChD,wBAAsB,YAAY,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CA0CvE"}

package/dist/commands/skill.js

@@ -413,6 +413,16 @@ Run \`npx hush init\` to generate configuration.
 
 ### "No sources defined in hush.yaml"
 Edit \`hush.yaml\` and add your source files under \`sources:\`.
+
+### "npm warn Unknown project config node-linker"
+This warning appears when running \`npx hush\` in a pnpm workspace because npm doesn't recognize pnpm-specific config in \`.npmrc\`.
+
+**Fix:** Add \`loglevel=error\` to the project's \`.npmrc\`:
+\`\`\`bash
+echo "loglevel=error" >> .npmrc
+\`\`\`
+
+This suppresses npm warnings while still showing errors. This is a per-project fix for any project using pnpm.
 `,
     'REFERENCE.md': `# Hush Command Reference
 

package/dist/lib/onepassword.d.ts

@@ -1,4 +1,4 @@
-export declare const OP_ITEM_PREFIX = "SOPS Key - ";
+export declare const OP_ITEM_PREFIX = "SOPS Key - hush/";
 export declare function opAvailable(): boolean;
 export declare function opGetKey(project: string, vault?: string): string | null;
 export declare function opStoreKey(project: string, privateKey: string, publicKey: string, vault?: string): void;

package/dist/lib/onepassword.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"onepassword.d.ts","sourceRoot":"","sources":["../../src/lib/onepassword.ts"],"names":[],"mappings":"AAEA,eAAO,MAAM,cAAc,gBAAgB,CAAC;AAE5C,wBAAgB,WAAW,IAAI,OAAO,CAOrC;AAED,wBAAgB,QAAQ,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAWvE;AAED,wBAAgB,UAAU,CAAC,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAcvG;AAED,wBAAgB,UAAU,CAAC,KAAK,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAcnD"}
+{"version":3,"file":"onepassword.d.ts","sourceRoot":"","sources":["../../src/lib/onepassword.ts"],"names":[],"mappings":"AAEA,eAAO,MAAM,cAAc,qBAAqB,CAAC;AAcjD,wBAAgB,WAAW,IAAI,OAAO,CAOrC;AAED,wBAAgB,QAAQ,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CASvE;AAED,wBAAgB,UAAU,CAAC,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAiBvG;AAED,wBAAgB,UAAU,CAAC,KAAK,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAYnD"}

package/dist/lib/onepassword.js

@@ -1,8 +1,19 @@
-import { execSync, spawnSync } from 'node:child_process';
-export const OP_ITEM_PREFIX = 'SOPS Key - ';
+import { execSync } from 'node:child_process';
+export const OP_ITEM_PREFIX = 'SOPS Key - hush/';
+/**
+ * 1Password CLI sessions don't persist across subprocesses, so we run
+ * `op signin` before every command to trigger biometric auth.
+ */
+function opExec(command) {
+    return execSync(`op signin && ${command}`, {
+        encoding: 'utf-8',
+        stdio: 'pipe',
+        shell: '/bin/bash',
+    });
+}
 export function opAvailable() {
     try {
-        execSync('op whoami', { stdio: 'pipe' });
+        opExec('op whoami');
         return true;
     }
     catch {
@@ -12,7 +23,8 @@ export function opAvailable() {
 export function opGetKey(project, vault) {
     try {
         const vaultArgs = vault ? ['--vault', vault] : [];
-        const result = execSync(['op', 'item', 'get', `${OP_ITEM_PREFIX}${project}`, ...vaultArgs, '--fields', 'password', '--reveal'].join(' '), { encoding: 'utf-8', stdio: 'pipe' });
+        const command = ['op', 'item', 'get', `${OP_ITEM_PREFIX}${project}`, ...vaultArgs, '--fields', 'password', '--reveal'].join(' ');
+        const result = opExec(command);
         return result.trim() || null;
     }
     catch {
@@ -20,23 +32,28 @@ export function opGetKey(project, vault) {
     }
 }
 export function opStoreKey(project, privateKey, publicKey, vault) {
-    const args = [
-        'item', 'create',
+    const vaultArgs = vault ? ['--vault', vault] : [];
+    const command = [
+        'op', 'item', 'create',
         '--category', 'password',
-        '--title', `${OP_ITEM_PREFIX}${project}`,
-        ...(vault ? ['--vault', vault] : []),
-        `password=${privateKey}`,
-        `public_key[text]=${publicKey}`,
-    ];
-    const result = spawnSync('op', args, { stdio: 'pipe', encoding: 'utf-8' });
-    if (result.status !== 0) {
-        throw new Error(result.stderr || 'Failed to store in 1Password');
+        '--title', `"${OP_ITEM_PREFIX}${project}"`,
+        ...vaultArgs,
+        `"password=${privateKey}"`,
+        `"public_key[text]=${publicKey}"`,
+    ].join(' ');
+    try {
+        opExec(command);
+    }
+    catch (err) {
+        const message = err instanceof Error ? err.message : 'Failed to store in 1Password';
+        throw new Error(message);
     }
 }
 export function opListKeys(vault) {
     try {
         const vaultArgs = vault ? ['--vault', vault] : [];
-        const result = execSync(['op', 'item', 'list', '--categories', 'password', ...vaultArgs, '--format', 'json'].join(' '), { encoding: 'utf-8', stdio: 'pipe' });
+        const command = ['op', 'item', 'list', '--categories', 'password', ...vaultArgs, '--format', 'json'].join(' ');
+        const result = opExec(command);
         const items = JSON.parse(result);
         return items
             .filter(i => i.title.startsWith(OP_ITEM_PREFIX))

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@chriscode/hush",
-  "version": "2.8.1",
+  "version": "2.8.3",
   "description": "SOPS-based secrets management for monorepos. Encrypt once, decrypt everywhere.",
   "type": "module",
   "bin": {