npm - @dragonmastery/tamer - Versions diffs - 0.36.0 → 0.36.2 - Mend

@dragonmastery/tamer 0.36.0 → 0.36.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/tamer.mjs CHANGED Viewed

@@ -1,4 +1,4 @@
-#!/usr/bin/env node
+#!/usr/bin/env bun
 import { c as TAMER_OVERLAY_ENV_KEY, f as getDispatchNamespaces, n as materializeTamerResolvable, r as materializeVars, t as materializeCloudflareBindings } from "./normalize-DVSTRZhO.mjs";
 import { basename, dirname, relative, resolve } from "path";
 import { existsSync, readFileSync } from "fs";
@@ -5579,6 +5579,50 @@ async function deleteEnvSecretRows(api, env) {
 	await api.d1Query(uuid$1, `DELETE FROM secret_history WHERE name LIKE ?`, [`${env}:%`]);
 	return true;
 }
+/**
+* Copy all secret rows from one env namespace to another in the shared D1.
+* Copies ciphertext + hashes directly — no decryption/re-encryption. Requires
+* both envs to use the same master key (or the target to accept the source's
+* wrapped DEK, which it does since each row carries its own `wrapped_dek`).
+*
+* Used by `tamer secrets copy --from dev --to pr-42` for ephemeral PR envs.
+* Returns the number of secrets copied.
+*/
+async function copyEnvSecretRows(api, fromEnv, toEnv) {
+	const uuid$1 = await findTamerSecretsDatabaseUuid(api);
+	if (!uuid$1) throw new Error(`secrets copy: vault not found. Run "tamer bootstrap" first.`);
+	const { rows } = await api.d1Query(uuid$1, `SELECT name, ciphertext, iv, wrapped_dek, dek_iv, value_hash, updated_at, updated_by
+     FROM secrets WHERE name LIKE ?`, [`${fromEnv}:%`]);
+	if (rows.length === 0) return 0;
+	const fromPrefix = `${fromEnv}:`;
+	const toPrefix = `${toEnv}:`;
+	const now = (/* @__PURE__ */ new Date()).toISOString();
+	for (const row of rows) {
+		const sourceName = String(row.name);
+		const targetName = `${toPrefix}${sourceName.startsWith(fromPrefix) ? sourceName.slice(fromPrefix.length) : sourceName}`;
+		await api.d1Query(uuid$1, `INSERT INTO secrets (
+        name, ciphertext, iv, wrapped_dek, dek_iv, value_hash, updated_at, updated_by
+      ) VALUES (?, ?, ?, ?, ?, ?, ?, ?)
+      ON CONFLICT(name) DO UPDATE SET
+        ciphertext = excluded.ciphertext,
+        iv = excluded.iv,
+        wrapped_dek = excluded.wrapped_dek,
+        dek_iv = excluded.dek_iv,
+        value_hash = excluded.value_hash,
+        updated_at = excluded.updated_at,
+        updated_by = excluded.updated_by`, [
+			targetName,
+			row.ciphertext,
+			row.iv,
+			row.wrapped_dek,
+			row.dek_iv,
+			row.value_hash,
+			now,
+			`copy:${fromEnv}`
+		]);
+	}
+	return rows.length;
+}
 //#endregion
 //#region src/core/secrets/masterKey.ts
@@ -8363,6 +8407,29 @@ async function runSecretsPush(options) {
 	console.log(`secrets push (${ctx.env}): ${pushed} pushed, ${skipped} already current`);
 }
+//#endregion
+//#region src/cli/commands/secrets/copy.ts
+/**
+* Copy all secrets from one env's vault namespace to another. Copies
+* ciphertext directly — no decryption/re-encryption. Each row carries its
+* own wrapped DEK, so the target env doesn't even need the same master key.
+*
+* Usage: `tamer secrets copy --from dev --to pr-42`
+*/
+async function runSecretsCopy(options) {
+	const { from, to } = options;
+	if (!from || !to) throw new Error("secrets copy: --from and --to are required (e.g. --from dev --to pr-42)");
+	if (from === to) throw new Error("secrets copy: --from and --to must be different");
+	const accountId = cloudflareAccountIdFromEnv();
+	if (!accountId) throw new Error("CLOUDFLARE_ACCOUNT_ID required (env var or config account_id)");
+	const count = await copyEnvSecretRows(new CFApiClient(accountId), from, to);
+	if (count === 0) {
+		console.log(`secrets copy: no secrets found in vault for env "${from}".`);
+		return;
+	}
+	console.log(`secrets copy: copied ${count} secret(s) from "${from}" to "${to}".`);
+}
 //#endregion
 //#region src/cli/commands/secrets/index.ts
 const SECRETS_USAGE = `usage:
@@ -8370,6 +8437,7 @@ const SECRETS_USAGE = `usage:
   tamer secrets set <NAME> --env <env> [--config <path>]   # value on stdin (pipe only)
   tamer secrets load --env <env> [--worker <name>] [--file <path>] [--config <path>]
       # each worker: {workerDir}/.dev.vars.{env}; all declared workers when --worker omitted
+  tamer secrets copy --from <env> --to <env>                # copy vault between envs (e.g. dev → pr-42)
   tamer secrets get <NAME> --env <env> [--config <path>]   # confirmation + audit log
   tamer secrets list --env <env> [--config <path>]
   tamer secrets rm <NAME> --env <env> [--config <path>]
@@ -8396,7 +8464,9 @@ function parseSecretsArgs(argv) {
 		configPath: opts.config,
 		file: opts.file,
 		worker: opts.worker,
-		yes: opts.yes === true
+		yes: opts.yes === true,
+		from: opts.from,
+		to: opts.to
 	};
 }
 async function runSecrets(argv) {
@@ -8456,6 +8526,13 @@ async function runSecrets(argv) {
 				worker: parsed.worker
 			});
 			return 0;
+		case "copy":
+			await runSecretsCopy({
+				from: parsed.from,
+				to: parsed.to,
+				configPath: parsed.configPath
+			});
+			return 0;
 		default:
 			console.error(SECRETS_USAGE);
 			return 1;