@dragonmastery/tamer 0.35.1 → 0.35.3
- package/dist/tamer.mjs +24 -10
- package/dist/tamer.mjs.map +1 -1
- package/package.json +1 -1
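--- a/package/dist/tamer.mjs
+++ b/package/dist/tamer.mjs
@@ -7808,7 +7808,8 @@ function defaultWorkerSecretsLoadFile(workerDir, env) {
 }
 /**
 * When loading for a worker, only `secrets.required` names are imported.
-*
+* Extra keys in the file that aren't declared are logged as a warning but
+* do not block loading.
 */
 function filterSecretsLoadEntriesForWorker(fileEntries, required$1) {
 const requiredSet = new Set(required$1);
@@ -7816,10 +7817,11 @@ function filterSecretsLoadEntriesForWorker(fileEntries, required$1) {
 const entries = {};
 for (const [name, value] of Object.entries(fileEntries)) if (requiredSet.has(name)) entries[name] = value;
 else extras.push(name);
-if (extras.length > 0)
+if (extras.length > 0) console.warn(`secrets load: ignoring key(s) not in worker secrets.required: ${extras.sort().join(", ")}`);
 return {
 entries,
-missing: required$1.filter((name) => !(name in fileEntries)).sort()
+missing: required$1.filter((name) => !(name in fileEntries)).sort(),
+extras
 };
 }
 /**
@@ -8168,8 +8170,17 @@ const STATUS_LABEL = {
 removed_from_vault: "removed from vault",
 undeclared_on_worker: "not in secrets.required"
 };
-
-
+/**
+* Only `declared_no_value` (secret declared in config but missing from vault)
+* is a hard failure — that's the "you forgot to set a secret" case that
+* should block CI before deploy.
+*
+* `never_deployed` and `rotated_not_deployed` are normal pre-deploy states:
+* the secret IS in the vault, deploy will push it. They're reported
+* informationally but don't fail the command.
+*/
+function isDeclaredFailure(status) {
+return status === "declared_no_value" || status === "removed_from_vault";
 }
 function sortEntries(entries) {
 return [...entries].sort((a, b) => secretDerivedName(a.worker, a.name).localeCompare(secretDerivedName(b.worker, b.name)));
@@ -8216,13 +8227,16 @@ async function runSecretsVerify(options) {
 for (const entry of onWorkerOnly) printEntry(entry);
 console.log("");
 }
-const
-
-
-
+const failures = declared.filter((e) => isDeclaredFailure(e.status));
+const pending = declared.filter((e) => !isDeclaredFailure(e.status) && e.status !== "in_sync");
+if (failures.length === 0) {
+const parts = ["All declared secrets are in the vault."];
+if (pending.length > 0) parts.push(`${pending.length} will be pushed on next deploy.`);
+if (onWorkerOnly.length > 0) parts.push(`${onWorkerOnly.length} on worker but not in config (informational only).`);
+console.log(`${parts.join(" ")}\n`);
 return 0;
 }
-console.log(`${
+console.log(`${failures.length} declared secret(s) missing from vault — run \`tamer secrets set\` or \`tamer secrets load\` before deploying.\n`);
 return 1;
 }
 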
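Review bot: The doc comment added above `isDeclaredFailure` says only `declared_no_value` is a hard failure, but the function also returns true for `removed_from_vault`, so the comment and the check that gates CI disagree. Because this predicate decides whether `runSecretsVerify` returns 1, the comment should name both statuses, for example `* Only declared_no_value and removed_from_vault (declared but absent from the vault) are hard failures`. It would also help to state there that `rotated_not_deployed` now exits 0, since a pipeline that ran verify after a rotation to confirm the worker no longer holds the old value would stop failing; the removed lines are truncated on this page, so the previous exit behaviour is inferred. `runSecretsVerify` begins outside the last hunk.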