@dotenvx/dotenvx-ops 0.30.3 → 0.31.1

package/CHANGELOG.md

@@ -2,7 +2,19 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
-[Unreleased](https://github.com/dotenvx/dotenvx-ops/compare/v0.30.3...main)
+[Unreleased](https://github.com/dotenvx/dotenvx-ops/compare/v0.31.1...main)
+
+## [0.31.1](https://github.com/dotenvx/dotenvx-ops/compare/v0.31.0...v0.31.1) (2026-03-07)
+
+### Changed
+
+* Shortened default showable device id for `dotenvx-ops settings device` ([#24](https://github.com/dotenvx/dotenvx-ops/pull/24))
+
+## [0.31.0](https://github.com/dotenvx/dotenvx-ops/compare/v0.30.3...v0.31.0) (2026-01-17)
+
+### Added
+
+* Add `dotenvx-ops gateway start` (supports openai only currently) ([#22](https://github.com/dotenvx/dotenvx-ops/pull/22))
 
 ## [0.30.3](https://github.com/dotenvx/dotenvx-ops/compare/v0.30.2...v0.30.3) (2026-01-17)
 

package/package.json

@@ -1,5 +1,5 @@
 {
-  "version": "0.30.3",
+  "version": "0.31.1",
   "name": "@dotenvx/dotenvx-ops",
   "description": "production grade dotenvx–with operational primitives",
   "author": "@motdotla",
@@ -41,7 +41,7 @@
   },
   "dependencies": {
     "@clack/core": "^0.4.2",
-    "@dotenvx/dotenvx": "^1.48.1",
+    "@dotenvx/dotenvx": "^1.52.0",
     "@inquirer/prompts": "^7.10.1",
     "arch": "^2.1.1",
     "commander": "^11.1.0",
@@ -49,6 +49,7 @@
     "dotenv": "^17.2.0",
     "eciesjs": "^0.4.7",
     "execa": "^5.1.1",
+    "express": "^5.2.1",
     "open": "^8.4.2",
     "playwright": "^1.57.0",
     "systeminformation": "^5.22.11",
@@ -60,7 +61,7 @@
     "sinon": "^14.0.1",
     "standard": "^17.1.2",
     "standard-version": "^9.5.0",
-    "tap": "^19.2.5"
+    "tap": "^21.6.2"
   },
   "publishConfig": {
     "access": "public"

package/src/cli/actions/gateway/start.js

@@ -0,0 +1,17 @@
+const { logger } = require('@dotenvx/dotenvx')
+
+const GatewayStart = require('./../../../lib/services/gatewayStart')
+
+async function start () {
+  try {
+    const options = this.opts()
+    logger.debug(`options: ${JSON.stringify(options)}`)
+
+    await new GatewayStart({ port: options.port, hostname: options.hostname }).run()
+  } catch (error) {
+    logger.error(error.message)
+    process.exit(1)
+  }
+}
+
+module.exports = start

package/src/cli/actions/settings/device.js

@@ -10,7 +10,7 @@ function device () {
     const sesh = new Session()
     const devicePublicKey = sesh.devicePublicKey()
     if (devicePublicKey && devicePublicKey.length > 1) {
-      console.log(smartMask(devicePublicKey, options.unmask, 11))
+      console.log(smartMask(devicePublicKey, options.unmask, 6))
     } else {
       logger.error('missing device. Try generating one with [dotenvx-ops login].')
       process.exit(1)

package/src/cli/commands/gateway.js

@@ -0,0 +1,16 @@
+const { Command } = require('commander')
+
+const gateway = new Command('gateway')
+
+gateway
+  .description('🛡️  gateway')
+  .allowUnknownOption()
+
+// dotenvx-ops gateway start
+const startAction = require('./../actions/gateway/start')
+gateway
+  .command('start')
+  .description('start gateway')
+  .action(startAction)
+
+module.exports = gateway

package/src/cli/dotenvx-ops.js

@@ -117,7 +117,7 @@ program
   .description('status')
   .action(statusAction)
 
-// dotenvx-ops settings
+program.addCommand(require('./commands/gateway'))
 program.addCommand(require('./commands/settings'))
 
 // monkey-patch help output

package/src/db/session.js

@@ -36,15 +36,15 @@ class Session {
   // Get
   //
   hostname () {
-    return this.store.get('DOTENVX_OPS_HOSTNAME') || this.store.get('DOTENVX_RADAR_HOSTNAME') || 'https://ops.dotenvx.com'
+    return this.store.get('DOTENVX_OPS_HOSTNAME') || 'https://ops.dotenvx.com'
   }
 
   username () {
-    return this.store.get('DOTENVX_OPS_USERNAME') || this.store.get('DOTENVX_RADAR_USERNAME') || undefined
+    return this.store.get('DOTENVX_OPS_USERNAME') || undefined
   }
 
   token () {
-    return this.store.get('DOTENVX_OPS_TOKEN') || this.store.get('DOTENVX_RADAR_TOKEN') || undefined
+    return this.store.get('DOTENVX_OPS_TOKEN') || undefined
   }
 
   devicePublicKey () {
@@ -111,11 +111,6 @@ class Session {
     this.store.delete('DOTENVX_OPS_USERNAME')
     this.store.delete('DOTENVX_OPS_TOKEN')
     this.store.delete('DOTENVX_OPS_HOSTNAME')
-    this.store.delete('DOTENVX_RADAR_USER')
-    this.store.delete('DOTENVX_RADAR_USERNAME')
-    this.store.delete('DOTENVX_RADAR_TOKEN')
-    this.store.delete('DOTENVX_RADAR_HOSTNAME')
-
     return true
   }
 }

package/src/lib/main.js

@@ -13,12 +13,12 @@ const dotenvxProjectId = require('./helpers/dotenvxProjectId')
 const observe = async function (encoded, options = {}) {
   const sesh = new Session() // TODO: handle scenario where constructor fails
 
-  let hostname = process.env.DOTENVX_OPS_HOSTNAME || process.env.DOTENVX_RADAR_HOSTNAME || options.hostname
+  let hostname = process.env.DOTENVX_OPS_HOSTNAME || options.hostname
   if (!hostname) {
     hostname = sesh.hostname()
   }
 
-  let token = process.env.DOTENVX_OPS_TOKEN || process.env.DOTENVX_RADAR_TOKEN || options.token
+  let token = process.env.DOTENVX_OPS_TOKEN || options.token
   if (!token) {
     token = sesh.token()
   }
@@ -44,12 +44,12 @@ const observe = async function (encoded, options = {}) {
 const get = async function (uri, options = {}) {
   const sesh = new Session() // TODO: handle scenario where constructor fails
 
-  let hostname = process.env.DOTENVX_OPS_HOSTNAME || process.env.DOTENVX_RADAR_HOSTNAME || options.hostname
+  let hostname = process.env.DOTENVX_OPS_HOSTNAME || options.hostname
   if (!hostname) {
     hostname = sesh.hostname()
   }
 
-  let token = process.env.DOTENVX_OPS_TOKEN || process.env.DOTENVX_RADAR_TOKEN || options.token
+  let token = process.env.DOTENVX_OPS_TOKEN || options.token
   if (!token) {
     token = sesh.token()
   }
@@ -61,12 +61,12 @@ const get = async function (uri, options = {}) {
 const set = async function (uri, value, options = {}) {
   const sesh = new Session() // TODO: handle scenario where constructor fails
 
-  let hostname = process.env.DOTENVX_OPS_HOSTNAME || process.env.DOTENVX_RADAR_HOSTNAME || options.hostname
+  let hostname = process.env.DOTENVX_OPS_HOSTNAME || options.hostname
   if (!hostname) {
     hostname = sesh.hostname()
   }
 
-  let token = process.env.DOTENVX_OPS_TOKEN || process.env.DOTENVX_RADAR_TOKEN || options.token
+  let token = process.env.DOTENVX_OPS_TOKEN || options.token
   if (!token) {
     token = sesh.token()
   }

package/src/lib/services/gatewayStart.js

@@ -0,0 +1,132 @@
+const dotenvx = require('@dotenvx/dotenvx')
+const { logger } = dotenvx
+const express = require('express')
+const { randomUUID } = require('node:crypto')
+const { Readable } = require('node:stream')
+
+class GatewayStart {
+  constructor (options = {}) {
+    this.port = Number(options.port) || 7278
+    this.hostname = options.hostname || '127.0.0.1'
+    this.upstreamBaseUrl = options.upstreamBaseUrl || 'https://api.openai.com/v1'
+  }
+
+  async run () {
+    dotenvx.config()
+
+    const app = express()
+    app.use(express.json({ limit: '10mb' }))
+    app.use((req, res, next) => {
+      const startedAt = process.hrtime.bigint()
+      const requestId = req.headers['x-request-id'] || randomUUID()
+      const fwd = req.headers['x-forwarded-for'] || req.socket.remoteAddress || '-'
+      const host = req.headers.host || `${this.hostname}:${this.port}`
+      const path = req.originalUrl || req.url
+
+      res.setHeader('x-request-id', requestId)
+
+      res.on('finish', () => {
+        const service = Math.max(1, Math.round(Number(process.hrtime.bigint() - startedAt) / 1e6))
+        const bytes = res.getHeader('content-length') || '-'
+        const protocol = `http/${req.httpVersion}`
+
+        console.log(
+          `at=info method=${req.method} path="${path}" host=${host} request_id=${requestId} ` +
+          `fwd="${fwd}" dyno=web.1 connect=0ms service=${service}ms status=${res.statusCode} bytes=${bytes} protocol=${protocol}`
+        )
+      })
+
+      next()
+    })
+
+    app.get('/', (req, res) => {
+      res.json({ service: 'dotenvx gateway', ok: true })
+    })
+
+    // Optional: health
+    app.get('/healthz', (req, res) => res.status(200).json({ ok: true }))
+
+    // OpenAI Responses API (required for pi openai defaults)
+    app.post('/v1/responses', (req, res) => this.handleProxy(req, res, '/responses'))
+
+    // Optional: OpenAI Chat Completions compatibility
+    app.post('/v1/chat/completions', (req, res) => this.handleProxy(req, res, '/chat/completions'))
+
+    // Optional: models passthrough
+    app.get('/v1/models', (req, res) => this.handleProxy(req, res, '/models'))
+
+    return await new Promise((resolve, reject) => {
+      const server = app.listen(this.port, this.hostname, () => {
+        logger.successv(`dotenvx gateway listening on http://${this.hostname}:${this.port}`)
+        resolve(server)
+      })
+      server.on('error', reject)
+    })
+  }
+
+  async handleProxy (req, res, upstreamPath) {
+    try {
+      // 1) Authenticate caller token (gateway token / vestauth token)
+      const auth = req.headers.authorization || ''
+      const token = auth.startsWith('Bearer ') ? auth.slice(7) : null
+      if (!token) return res.status(401).json({ error: { message: 'Missing bearer token' } })
+
+      // TODO: replace with real vestauth verification
+      // const subject = await this.verifyGatewayToken(token)
+      // if (!subject) return res.status(403).json({ error: { message: 'Invalid token' } })
+
+      // 2) Fetch provider secret just-in-time (dotenvx/as2)
+      const openaiApiKey = await this.getOpenAIKeyForSubject()
+      if (!openaiApiKey) return res.status(500).json({ error: { message: 'No upstream key available' } })
+
+      // 3) Forward request upstream
+      const upstreamUrl = `${this.upstreamBaseUrl}${upstreamPath}`
+
+      const upstreamResp = await fetch(upstreamUrl, {
+        method: req.method,
+        headers: {
+          'content-type': 'application/json',
+          authorization: `Bearer ${openaiApiKey}`
+        },
+        body: req.method === 'GET' ? undefined : JSON.stringify(req.body)
+      })
+
+      // 4) Pass through status + relevant headers
+      res.status(upstreamResp.status)
+      const contentType = upstreamResp.headers.get('content-type') || 'application/json'
+      res.setHeader('content-type', contentType)
+
+      const requestId = upstreamResp.headers.get('x-request-id')
+      if (requestId) res.setHeader('x-request-id', requestId)
+
+      // 5) Stream SSE directly when needed
+      if (contentType.includes('text/event-stream') && upstreamResp.body) {
+        res.setHeader('cache-control', 'no-cache')
+        res.setHeader('connection', 'keep-alive')
+        Readable.fromWeb(upstreamResp.body).pipe(res)
+        return
+      }
+
+      // 6) Non-stream response
+      const text = await upstreamResp.text()
+      res.send(text)
+    } catch (err) {
+      logger.error(`gateway proxy error: ${err?.message || err}`)
+      res.status(500).json({ error: { message: 'Gateway proxy failed' } })
+    }
+  }
+
+  async verifyGatewayToken (token) {
+    // TODO: verify with vestauth/dotenvx auth
+    // return subject string (e.g. user/org id) if valid
+    return token ? 'vestauth:user:123' : null
+  }
+
+  async getOpenAIKeyForSubject (subject = null) {
+    // TODO: call dotenvx.com/as2 with subject context and fetch secret JIT
+    // IMPORTANT: never log this value
+    return process.env.OPENAI_API_KEY // placeholder for initial test only
+  }
+}
+
+module.exports = GatewayStart