@dotenvx/dotenvx-vlt 0.49.0

package/src/lib/services/armorUp.js

@@ -0,0 +1,79 @@
+const dotenvx = require('@dotenvx/dotenvx')
+const prompts = require('../helpers/prompts')
+const PostArmorUp = require('../api/postArmorUp')
+const keyNamesForEnvFile = require('../helpers/keyNamesForEnvFile')
+const removeEnvKey = require('../helpers/removeEnvKey')
+
+function teamChoicesFromMeta (meta) {
+  return meta.organizations.map(org => ({
+    name: org.provider_slug,
+    value: org.provider_slug
+  }))
+}
+
+class ArmorUp {
+  constructor (hostname, token, devicePublicKey, envFile = '.env', team = undefined) {
+    this.hostname = hostname
+    this.token = token
+    this.devicePublicKey = devicePublicKey
+    this.envFile = envFile
+    this.team = team
+  }
+
+  async run () {
+    const hostname = this.hostname
+    const token = this.token
+    const devicePublicKey = this.devicePublicKey
+    const envFile = this.envFile
+    const team = this.team
+
+    const {
+      publicKeyName,
+      privateKeyName
+    } = keyNamesForEnvFile(envFile)
+
+    const publicKey = dotenvx.get(publicKeyName, { path: envFile, strict: true, ignore: ['MISSING_PRIVATE_KEY'], noOps: true })
+    const privateKey = dotenvx.get(privateKeyName, { path: '.env.keys', strict: true, ignore: ['MISSING_KEY'], noOps: true })
+
+    let json
+
+    if (team) {
+      json = await new PostArmorUp(hostname, token, devicePublicKey, publicKey, privateKey, team).run()
+    } else {
+      try {
+        json = await new PostArmorUp(hostname, token, devicePublicKey, publicKey, privateKey, undefined).run()
+      } catch (error) {
+        if (error.code !== 'DOTENVX_TEAM_REQUIRED') {
+          throw error
+        }
+
+        const choices = teamChoicesFromMeta(error.meta)
+
+        let team = choices[0].value
+        if (choices.length > 1) {
+          team = await prompts.select({
+            message: 'Select team',
+            choices
+          }, {
+            input: process.stdin,
+            output: process.stderr
+          })
+        }
+
+        json = await new PostArmorUp(hostname, token, devicePublicKey, publicKey, privateKey, team).run()
+      }
+    }
+
+    removeEnvKey(privateKeyName)
+
+    return {
+      ...json,
+      changed: json.changed,
+      privateKeyName,
+      privateKeyValue: json.private_key,
+      publicKeyValue: publicKey
+    }
+  }
+}
+
+module.exports = ArmorUp

package/src/lib/services/backup.js

@@ -0,0 +1,105 @@
+const fs = require('fs')
+const path = require('path')
+const si = require('systeminformation')
+const dotenvx = require('@dotenvx/dotenvx')
+const prompts = require('../helpers/prompts')
+
+const Session = require('./../../db/session')
+
+const gitUrl = require('./../helpers/gitUrl')
+const gitBranch = require('./../helpers/gitBranch')
+const dotenvxProjectId = require('./../helpers/dotenvxProjectId')
+
+// api calls
+const GetAccount = require('./../api/getAccount')
+const PostBackup = require('./../api/postBackup')
+
+class Backup {
+  constructor (hostname, org = null) {
+    this.hostname = hostname
+    this.org = org
+    this.cwd = process.cwd()
+  }
+
+  async run () {
+    const sesh = new Session()
+    const token = sesh.token()
+    const devicePublicKey = sesh.devicePublicKey()
+    let _org = this.org
+    let projectEnvXFileNeedsWrite = false
+
+    // required
+    const files = this._files()
+    const payload = { files }
+    const encoded = Buffer.from(JSON.stringify(payload)).toString('base64')
+
+    // user must be logged in to use feature
+    const accountJson = await new GetAccount(this.hostname, token).run()
+
+    // optional project id
+    const _dotenvxProjectId = dotenvxProjectId(this.cwd, false)
+
+    // missing .env.x file
+    if (!_dotenvxProjectId) {
+      projectEnvXFileNeedsWrite = true // for writing
+
+      // set org
+      if (!_org) {
+        const choices = accountJson.organizations.map(o => ({
+          name: o.provider_slug,
+          value: o.provider_slug
+        }))
+
+        if (choices.length === 1) {
+          _org = choices[0].value // just use first choice
+        } else {
+          _org = await prompts.select({
+            message: 'Select org',
+            choices
+          }, {
+            input: process.stdin,
+            output: process.stderr
+          })
+        }
+      }
+    }
+
+    // optional
+    const _pwd = this.cwd
+    const _gitUrl = gitUrl()
+    const _gitBranch = gitBranch()
+
+    const system = await si.system()
+    const _systemUuid = system.uuid
+
+    const osInfo = await si.osInfo()
+    const _osPlatform = osInfo.platform
+    const _osArch = osInfo.arch
+
+    const data = await new PostBackup(this.hostname, token, devicePublicKey, encoded, _dotenvxProjectId, _org, _pwd, _gitUrl, _gitBranch, _systemUuid, _osPlatform, _osArch).run()
+
+    return {
+      id: data.id,
+      dotenvxProjectId: data.dotenvx_project_id,
+      projectUsernameName: data.project_username_name,
+      projectEnvXSrc: data.project_env_x_src,
+      projectEnvXFileNeedsWrite,
+      files: data.files
+    }
+  }
+
+  _files () {
+    const out = []
+    const filepaths = dotenvx.ls(this.cwd, '.env.keys*')
+
+    for (const fp of filepaths) {
+      const abs = path.join(this.cwd, fp)
+      const src = fs.readFileSync(abs, 'utf8')
+      out.push({ filepath: fp, src })
+    }
+
+    return out
+  }
+}
+
+module.exports = Backup

package/src/lib/services/gatewayStart.js

@@ -0,0 +1,132 @@
+const dotenvx = require('@dotenvx/dotenvx')
+const { logger } = dotenvx
+const express = require('express')
+const { randomUUID } = require('node:crypto')
+const { Readable } = require('node:stream')
+
+class GatewayStart {
+  constructor (options = {}) {
+    this.port = Number(options.port) || 7278
+    this.hostname = options.hostname || '127.0.0.1'
+    this.upstreamBaseUrl = options.upstreamBaseUrl || 'https://api.openai.com/v1'
+  }
+
+  async run () {
+    dotenvx.config()
+
+    const app = express()
+    app.use(express.json({ limit: '10mb' }))
+    app.use((req, res, next) => {
+      const startedAt = process.hrtime.bigint()
+      const requestId = req.headers['x-request-id'] || randomUUID()
+      const fwd = req.headers['x-forwarded-for'] || req.socket.remoteAddress || '-'
+      const host = req.headers.host || `${this.hostname}:${this.port}`
+      const path = req.originalUrl || req.url
+
+      res.setHeader('x-request-id', requestId)
+
+      res.on('finish', () => {
+        const service = Math.max(1, Math.round(Number(process.hrtime.bigint() - startedAt) / 1e6))
+        const bytes = res.getHeader('content-length') || '-'
+        const protocol = `http/${req.httpVersion}`
+
+        console.log(
+          `at=info method=${req.method} path="${path}" host=${host} request_id=${requestId} ` +
+          `fwd="${fwd}" dyno=web.1 connect=0ms service=${service}ms status=${res.statusCode} bytes=${bytes} protocol=${protocol}`
+        )
+      })
+
+      next()
+    })
+
+    app.get('/', (req, res) => {
+      res.json({ service: 'dotenvx gateway', ok: true })
+    })
+
+    // Optional: health
+    app.get('/healthz', (req, res) => res.status(200).json({ ok: true }))
+
+    // OpenAI Responses API (required for pi openai defaults)
+    app.post('/v1/responses', (req, res) => this.handleProxy(req, res, '/responses'))
+
+    // Optional: OpenAI Chat Completions compatibility
+    app.post('/v1/chat/completions', (req, res) => this.handleProxy(req, res, '/chat/completions'))
+
+    // Optional: models passthrough
+    app.get('/v1/models', (req, res) => this.handleProxy(req, res, '/models'))
+
+    return await new Promise((resolve, reject) => {
+      const server = app.listen(this.port, this.hostname, () => {
+        logger.successv(`dotenvx gateway listening on http://${this.hostname}:${this.port}`)
+        resolve(server)
+      })
+      server.on('error', reject)
+    })
+  }
+
+  async handleProxy (req, res, upstreamPath) {
+    try {
+      // 1) Authenticate caller token (gateway token / vestauth token)
+      const auth = req.headers.authorization || ''
+      const token = auth.startsWith('Bearer ') ? auth.slice(7) : null
+      if (!token) return res.status(401).json({ error: { message: 'Missing bearer token' } })
+
+      // TODO: replace with real vestauth verification
+      // const subject = await this.verifyGatewayToken(token)
+      // if (!subject) return res.status(403).json({ error: { message: 'Invalid token' } })
+
+      // 2) Fetch provider secret just-in-time (dotenvx/as2)
+      const openaiApiKey = await this.getOpenAIKeyForSubject()
+      if (!openaiApiKey) return res.status(500).json({ error: { message: 'No upstream key available' } })
+
+      // 3) Forward request upstream
+      const upstreamUrl = `${this.upstreamBaseUrl}${upstreamPath}`
+
+      const upstreamResp = await fetch(upstreamUrl, {
+        method: req.method,
+        headers: {
+          'content-type': 'application/json',
+          authorization: `Bearer ${openaiApiKey}`
+        },
+        body: req.method === 'GET' ? undefined : JSON.stringify(req.body)
+      })
+
+      // 4) Pass through status + relevant headers
+      res.status(upstreamResp.status)
+      const contentType = upstreamResp.headers.get('content-type') || 'application/json'
+      res.setHeader('content-type', contentType)
+
+      const requestId = upstreamResp.headers.get('x-request-id')
+      if (requestId) res.setHeader('x-request-id', requestId)
+
+      // 5) Stream SSE directly when needed
+      if (contentType.includes('text/event-stream') && upstreamResp.body) {
+        res.setHeader('cache-control', 'no-cache')
+        res.setHeader('connection', 'keep-alive')
+        Readable.fromWeb(upstreamResp.body).pipe(res)
+        return
+      }
+
+      // 6) Non-stream response
+      const text = await upstreamResp.text()
+      res.send(text)
+    } catch (err) {
+      logger.error(`gateway proxy error: ${err?.message || err}`)
+      res.status(500).json({ error: { message: 'Gateway proxy failed' } })
+    }
+  }
+
+  async verifyGatewayToken (token) {
+    // TODO: verify with vestauth/dotenvx auth
+    // return subject string (e.g. user/org id) if valid
+    return token ? 'vestauth:user:123' : null
+  }
+
+  async getOpenAIKeyForSubject (subject = null) {
+    // TODO: call dotenvx.com/as2 with subject context and fetch secret JIT
+    // IMPORTANT: never log this value
+    return process.env.OPENAI_API_KEY // placeholder for initial test only
+  }
+}
+
+module.exports = GatewayStart

package/src/lib/services/keypair.js

@@ -0,0 +1,59 @@
+const prompts = require('../helpers/prompts')
+const PostKeypair = require('../api/postKeypair')
+const keypairMetadata = require('../helpers/keypairMetadata')
+
+function teamChoicesFromMeta (meta) {
+  return meta.organizations.map(org => ({
+    name: org.provider_slug,
+    value: org.provider_slug
+  }))
+}
+
+class Keypair {
+  constructor (hostname, token, devicePublicKey, publicKey, team = undefined, envFile = '.env') {
+    this.hostname = hostname
+    this.token = token
+    this.devicePublicKey = devicePublicKey
+    this.publicKey = publicKey
+    this.team = team
+    this.envFile = envFile
+  }
+
+  async run () {
+    const hostname = this.hostname
+    const token = this.token
+    const devicePublicKey = this.devicePublicKey
+    const publicKey = this.publicKey
+    const team = this.team
+    const metadata = keypairMetadata(this.envFile)
+
+    if (team) {
+      return await new PostKeypair(hostname, token, devicePublicKey, publicKey, team, metadata).run()
+    }
+
+    try {
+      return await new PostKeypair(hostname, token, devicePublicKey, publicKey, undefined, metadata).run()
+    } catch (error) {
+      if (error.code !== 'DOTENVX_TEAM_REQUIRED') {
+        throw error
+      }
+
+      const choices = teamChoicesFromMeta(error.meta)
+
+      let team = choices[0].value
+      if (choices.length > 1) {
+        team = await prompts.select({
+          message: 'Select team',
+          choices
+        }, {
+          input: process.stdin,
+          output: process.stderr
+        })
+      }
+
+      return await new PostKeypair(hostname, token, devicePublicKey, publicKey, team, metadata).run()
+    }
+  }
+}
+
+module.exports = Keypair

package/src/lib/services/loggedIn.js

@@ -0,0 +1,24 @@
+const Session = require('./../../db/session')
+const GetAccount = require('./../../lib/api/getAccount')
+
+class LoggedIn {
+  constructor (hostname) {
+    this.hostname = hostname
+  }
+
+  async run () {
+    const hostname = this.hostname
+    const sesh = new Session()
+    const token = sesh.token()
+
+    try {
+      await new GetAccount(hostname, token).run()
+      return true
+    } catch (error) {
+      if (error.code === 'unauthorized') return false
+      throw error
+    }
+  }
+}
+
+module.exports = LoggedIn

package/src/lib/services/login.js

@@ -0,0 +1,28 @@
+const Session = require('./../../db/session')
+
+// api calls
+const PostOauthDeviceCode = require('./../../lib/api/postOauthDeviceCode')
+
+class Login {
+  constructor (hostname) {
+    this.hostname = hostname
+  }
+
+  async run () {
+    const sesh = new Session()
+    const devicePublicKey = sesh.devicePublicKey()
+    const systemInformation = await sesh.systemInformation()
+
+    const data = await new PostOauthDeviceCode(this.hostname, devicePublicKey, systemInformation).run()
+
+    return {
+      deviceCode: data.device_code,
+      userCode: data.user_code,
+      verificationUri: data.verification_uri,
+      verificationUriComplete: data.verification_uri_complete,
+      interval: data.interval
+    }
+  }
+}
+
+module.exports = Login

package/src/lib/services/loginPoll.js

@@ -0,0 +1,43 @@
+const Session = require('./../../db/session')
+
+// api calls
+const PostOauthToken = require('./../../lib/api/postOauthToken')
+
+class LoginPoll {
+  constructor (hostname, deviceCode, interval) {
+    this.hostname = hostname
+    this.deviceCode = deviceCode
+    this.interval = interval
+  }
+
+  async run () {
+    const hostname = this.hostname
+    const deviceCode = this.deviceCode
+    const interval = this.interval
+
+    const sesh = new Session()
+
+    while (true) {
+      try {
+        const data = await new PostOauthToken(hostname, deviceCode).run()
+
+        if (data.access_token) {
+          sesh.login(hostname, data.id, data.username, data.access_token) // log in user
+          return data
+        }
+
+        await new Promise(resolve => setTimeout(resolve, interval * 1000))
+      } catch (error) {
+        // continue polling if authorization_pending
+        if (error.code === 'authorization_pending') {
+          const newInterval = interval + 1 // grow the interval
+          await new Promise(resolve => setTimeout(resolve, newInterval * 1000))
+        } else {
+          throw error
+        }
+      }
+    }
+  }
+}
+
+module.exports = LoginPoll

package/src/lib/services/logout.js

@@ -0,0 +1,28 @@
+const Session = require('./../../db/session')
+
+// api calls
+const PostLogout = require('./../../lib/api/postLogout')
+
+class Logout {
+  constructor (hostname) {
+    this.hostname = hostname
+  }
+
+  async run () {
+    const sesh = new Session()
+    const token = sesh.token()
+
+    const data = await new PostLogout(this.hostname, token).run()
+
+    const id = data.id
+    const username = data.username
+    const accessToken = data.access_token
+    const settingsDevicesUrl = `${this.hostname}/settings/devices`
+
+    sesh.logout(this.hostname, id, accessToken)
+
+    return { username, accessToken, settingsDevicesUrl }
+  }
+}
+
+module.exports = Logout

package/src/lib/services/rotate.js

@@ -0,0 +1,28 @@
+const PostRotate = require('./../api/postRotate')
+
+class Rotate {
+  constructor (hostname, token, inputUri) {
+    this.hostname = hostname
+    this.token = token
+    this.inputUri = inputUri
+  }
+
+  async run () {
+    const hostname = this.hostname
+    const token = this.token
+    const inputUri = this.inputUri
+
+    const json = await new PostRotate(hostname, token, inputUri).run()
+    const uri = json.uri
+    const url = json.url
+    const rotUid = json.rot_uid
+
+    return {
+      uri,
+      url,
+      rotUid
+    }
+  }
+}
+
+module.exports = Rotate

package/src/lib/services/rotateGithubConnect.js

@@ -0,0 +1,56 @@
+const PostRotateConnect = require('./../api/postRotateConnect')
+
+const playwrightConnect = require('./../helpers/playwrightConnect')
+
+const TIMEOUT = 500 // visibility timeout
+const SLUG = 'github' // hardcoded
+
+class RotateGithubConnect {
+  constructor (hostname, token, org, username, password, email = null) {
+    this.hostname = hostname
+    this.org = org
+    this.token = token
+    this.username = username
+    this.password = password
+
+    // optional
+    this.email = email
+  }
+
+  async run () {
+    const hostname = this.hostname
+    const token = this.token
+    const org = this.org
+    const username = this.username
+    const password = this.password
+    const email = this.email
+
+    const { browser, context, page } = await playwrightConnect()
+
+    const usernameSelector = 'input[type="text"]'
+    const passwordSelector = 'input[type="password"]'
+
+    await page.goto('https://github.com/login', { waitUntil: 'domcontentloaded' })
+    await page.waitForTimeout(TIMEOUT)
+    await page.fill(usernameSelector, username)
+    await page.waitForTimeout(TIMEOUT)
+    await page.fill(passwordSelector, password)
+    await page.waitForTimeout(TIMEOUT)
+    await page.press('input[type="password"]', 'Enter')
+    await page.waitForNavigation({ timeout: 0 })
+    await page.waitForSelector('img.avatar', { state: 'visible', timeout: 0 })
+
+    const playwrightStorageStateStringified = JSON.stringify(await context.storageState())
+
+    const { uid, url } = await new PostRotateConnect(hostname, token, org, SLUG, username, password, email, playwrightStorageStateStringified).run()
+
+    await browser.close()
+
+    return {
+      uid,
+      url
+    }
+  }
+}
+
+module.exports = RotateGithubConnect

package/src/lib/services/rotateNpmConnect.js

@@ -0,0 +1,56 @@
+const PostRotateConnect = require('./../api/postRotateConnect')
+
+const playwrightConnect = require('./../helpers/playwrightConnect')
+
+const TIMEOUT = 500 // visibility timeout
+const SLUG = 'npm'
+
+class RotateNpmConnect {
+  constructor (hostname, token, org, username, password, email = null) {
+    this.hostname = hostname
+    this.org = org
+    this.token = token
+    this.username = username
+    this.password = password
+
+    // optional
+    this.email = email
+  }
+
+  async run () {
+    const hostname = this.hostname
+    const token = this.token
+    const org = this.org
+    const username = this.username
+    const password = this.password
+    const email = this.email
+
+    const { browser, context, page } = await playwrightConnect()
+
+    const usernameSelector = 'input[type="text"]'
+    const passwordSelector = 'input[type="password"]'
+
+    await page.goto('https://npmjs.com/login', { waitUntil: 'domcontentloaded' })
+    await page.waitForTimeout(TIMEOUT)
+    await page.fill(usernameSelector, username)
+    await page.waitForTimeout(TIMEOUT)
+    await page.fill(passwordSelector, password)
+    await page.waitForTimeout(TIMEOUT)
+    await page.press('input[type="password"]', 'Enter')
+    await page.waitForNavigation({ timeout: 0 })
+    await page.waitForSelector('img[alt="avatar"]', { state: 'visible', timeout: 0 })
+
+    const playwrightStorageStateStringified = JSON.stringify(await context.storageState())
+
+    const { uid, url } = await new PostRotateConnect(hostname, token, org, SLUG, username, password, email, playwrightStorageStateStringified).run()
+
+    await browser.close()
+
+    return {
+      uid,
+      url
+    }
+  }
+}
+
+module.exports = RotateNpmConnect