@dragonmastery/tamer 0.35.2 → 0.35.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3) hide show
  1. package/dist/tamer.mjs +19 -7
  2. package/dist/tamer.mjs.map +1 -1
  3. package/package.json +1 -1
package/dist/tamer.mjs CHANGED
@@ -8170,8 +8170,17 @@ const STATUS_LABEL = {
8170
8170
  removed_from_vault: "removed from vault",
8171
8171
  undeclared_on_worker: "not in secrets.required"
8172
8172
  };
8173
- function isDeclaredIssue(status) {
8174
- return status !== "in_sync" && status !== "undeclared_on_worker";
8173
+ /**
8174
+ * Only `declared_no_value` (secret declared in config but missing from vault)
8175
+ * is a hard failure — that's the "you forgot to set a secret" case that
8176
+ * should block CI before deploy.
8177
+ *
8178
+ * `never_deployed` and `rotated_not_deployed` are normal pre-deploy states:
8179
+ * the secret IS in the vault, deploy will push it. They're reported
8180
+ * informationally but don't fail the command.
8181
+ */
8182
+ function isDeclaredFailure(status) {
8183
+ return status === "declared_no_value" || status === "removed_from_vault";
8175
8184
  }
8176
8185
  function sortEntries(entries) {
8177
8186
  return [...entries].sort((a, b) => secretDerivedName(a.worker, a.name).localeCompare(secretDerivedName(b.worker, b.name)));
@@ -8218,13 +8227,16 @@ async function runSecretsVerify(options) {
8218
8227
  for (const entry of onWorkerOnly) printEntry(entry);
8219
8228
  console.log("");
8220
8229
  }
8221
- const declaredIssues = declared.filter((e) => isDeclaredIssue(e.status)).length;
8222
- if (declaredIssues === 0) {
8223
- const suffix = onWorkerOnly.length > 0 ? ` (${onWorkerOnly.length} on worker but not in config — informational only)` : "";
8224
- console.log(`All declared secrets in sync.${suffix}\n`);
8230
+ const failures = declared.filter((e) => isDeclaredFailure(e.status));
8231
+ const pending = declared.filter((e) => !isDeclaredFailure(e.status) && e.status !== "in_sync");
8232
+ if (failures.length === 0) {
8233
+ const parts = ["All declared secrets are in the vault."];
8234
+ if (pending.length > 0) parts.push(`${pending.length} will be pushed on next deploy.`);
8235
+ if (onWorkerOnly.length > 0) parts.push(`${onWorkerOnly.length} on worker but not in config (informational only).`);
8236
+ console.log(`${parts.join(" ")}\n`);
8225
8237
  return 0;
8226
8238
  }
8227
- console.log(`${declaredIssues} declared secret(s) need attention.\n`);
8239
+ console.log(`${failures.length} declared secret(s) missing from vault — run \`tamer secrets set\` or \`tamer secrets load\` before deploying.\n`);
8228
8240
  return 1;
8229
8241
  }
8230
8242