@dragonmastery/tamer 0.31.0 → 0.31.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3) hide show
  1. package/dist/tamer.mjs +17 -16
  2. package/dist/tamer.mjs.map +1 -1
  3. package/package.json +1 -1
package/dist/tamer.mjs CHANGED
@@ -7702,40 +7702,42 @@ function parseDotenvContent(content) {
7702
7702
  function readDotenvFile(filePath) {
7703
7703
  return parseDotenvContent(readFileSync(resolve(process.cwd(), filePath), "utf8"));
7704
7704
  }
7705
+ /** Default bulk-load file for a remote env. Plain `.dev.vars` is wrangler dev / local only. */
7706
+ function defaultSecretsLoadFile(env) {
7707
+ return `.dev.vars.${env}`;
7708
+ }
7705
7709
  /**
7706
- * Merge env vars for bulk load: all keys from `process.env`, then file
7707
- * entries overwrite on duplicate keys (file wins).
7710
+ * Reject plain `.dev.vars` — reserved for local `wrangler dev`, not vault seeding.
7708
7711
  */
7709
- function mergeLoadSources(fileEntries) {
7710
- const merged = {};
7711
- for (const [key, value] of Object.entries(process.env)) if (value != null && value !== "") merged[key] = value;
7712
- for (const [key, value] of Object.entries(fileEntries)) merged[key] = value;
7713
- return merged;
7712
+ function assertRemoteSecretsLoadFile(filePath, env) {
7713
+ if ((filePath.replace(/\\/g, "/").split("/").pop() ?? filePath) === ".dev.vars") throw new Error(`\`.dev.vars\` is for local wrangler dev only. Seed the vault with \`.dev.vars.${env}\` or omit --file (default).`);
7714
7714
  }
7715
7715
 
7716
7716
  //#endregion
7717
7717
  //#region src/cli/commands/secrets/load.ts
7718
7718
  async function runSecretsLoad(options) {
7719
- if (!options.file?.trim()) throw new Error("usage: tamer secrets load --file <path> --env <env>");
7719
+ const env = resolveSecretsEnv(options.env);
7720
+ const file = options.file?.trim() || defaultSecretsLoadFile(env);
7721
+ assertRemoteSecretsLoadFile(file, env);
7720
7722
  const ctx = await createSecretsContext({
7721
- env: options.env,
7723
+ env,
7722
7724
  configPath: options.configPath
7723
7725
  });
7724
- const merged = mergeLoadSources(readDotenvFile(options.file));
7725
- const names = Object.keys(merged).sort();
7726
+ const fileEntries = readDotenvFile(file);
7727
+ const names = Object.keys(fileEntries).sort();
7726
7728
  if (names.length === 0) {
7727
7729
  console.log("secrets load: no entries to import");
7728
7730
  return;
7729
7731
  }
7730
7732
  let count = 0;
7731
7733
  for (const name of names) {
7732
- const plaintext = merged[name];
7734
+ const plaintext = fileEntries[name];
7733
7735
  const encrypted = await encryptSecretValue(plaintext, ctx.masterKey);
7734
7736
  const valueHash = await secretValueFingerprint(plaintext);
7735
7737
  await ctx.vault.upsert(name, encrypted, valueHash, { updatedBy: cliUpdatedBy() });
7736
7738
  count += 1;
7737
7739
  }
7738
- console.log(`secrets: loaded ${count} secret(s) into ${ctx.env} vault from ${options.file}`);
7740
+ console.log(`secrets: loaded ${count} secret(s) into ${ctx.env} vault from ${file}`);
7739
7741
  }
7740
7742
 
7741
7743
  //#endregion
@@ -8154,7 +8156,7 @@ async function runSecretsPush(options) {
8154
8156
  const SECRETS_USAGE = `usage:
8155
8157
  tamer secrets init --env <env> [--config <path>]
8156
8158
  tamer secrets set <NAME> --env <env> [--config <path>] # value on stdin (pipe only)
8157
- tamer secrets load --file <path> --env <env> [--config <path>]
8159
+ tamer secrets load --env <env> [--file <path>] [--config <path>] # default file: .dev.vars.{env}
8158
8160
  tamer secrets get <NAME> --env <env> [--config <path>] # confirmation + audit log
8159
8161
  tamer secrets list --env <env> [--config <path>]
8160
8162
  tamer secrets rm <NAME> --env <env> [--config <path>]
@@ -8202,7 +8204,6 @@ async function runSecrets(argv) {
8202
8204
  });
8203
8205
  return 0;
8204
8206
  case "load":
8205
- if (!parsed.file) throw new Error("secrets load requires --file <path>");
8206
8207
  await runSecretsLoad({
8207
8208
  file: parsed.file,
8208
8209
  env: parsed.env,
@@ -8730,7 +8731,7 @@ Options:
8730
8731
  Secrets (requires TAMER_SECRETS_KEY_{env} master key env var):
8731
8732
  tamer secrets init --env <env> Generate master key (print once) + provision vault
8732
8733
  tamer secrets set <NAME> --env <env> Encrypt value from stdin into vault (pipe only)
8733
- tamer secrets load --file .dev.vars --env <env> Bulk import; file wins over process.env
8734
+ tamer secrets load --env <env> [--file .dev.vars.<env>] Bulk import from env file; not plain .dev.vars
8734
8735
  tamer secrets get <NAME> --env <env> Decrypt + print (confirmation + audit log)
8735
8736
  tamer secrets list --env <env> Names + fingerprints + last-set (never values)
8736
8737
  tamer secrets rm <NAME> --env <env> Remove from vault