@effect-x/envault 0.1.0

package/src/domain.ts

@@ -0,0 +1,56 @@
+export type EnvVariable = {
+  readonly key: string;
+  readonly value: string;
+  readonly rawValue: string;
+  readonly encrypted: boolean;
+};
+
+export type EnvFileInfo = {
+  readonly path: string;
+  readonly absolutePath: string;
+  readonly variables: ReadonlyArray<EnvVariable>;
+  readonly encrypted: boolean;
+  readonly hasKeys: boolean;
+};
+
+export type EnvScanOptions = {
+  readonly root: string;
+  readonly decrypt?: boolean | undefined;
+  readonly maxDepth?: number | undefined;
+};
+
+export type EnvFileRequest = {
+  readonly root: string;
+  readonly path: string;
+  readonly decrypt?: boolean | undefined;
+};
+
+export type SetEnvVariableRequest = {
+  readonly root: string;
+  readonly path: string;
+  readonly key: string;
+  readonly value: string;
+  readonly decrypt?: boolean | undefined;
+  readonly encrypt?: boolean | undefined;
+};
+
+export type CreateEnvFileRequest = {
+  readonly root: string;
+  readonly path: string;
+  readonly decrypt?: boolean | undefined;
+};
+
+export type DeleteEnvVariableRequest = {
+  readonly root: string;
+  readonly path: string;
+  readonly key: string;
+  readonly decrypt?: boolean | undefined;
+};
+
+export type WorkspaceKind = "single" | "pnpm" | "npm" | "moon" | "nx";
+
+export type WorkspaceInfo = {
+  readonly root: string;
+  readonly kind: WorkspaceKind;
+  readonly packageDirectories: ReadonlyArray<string>;
+};

package/src/env-file.ts

@@ -0,0 +1,440 @@
+import { config as dotenvConfig, set as dotenvSet } from "@dotenvx/dotenvx";
+import { Effect, Layer, Schema, Context } from "effect";
+import { promises as fs } from "node:fs";
+import path from "node:path";
+import type {
+  DeleteEnvVariableRequest,
+  CreateEnvFileRequest,
+  EnvFileInfo,
+  EnvFileRequest,
+  EnvScanOptions,
+  EnvVariable,
+  SetEnvVariableRequest,
+} from "./domain.ts";
+
+export class EnvFileError extends Schema.TaggedErrorClass<EnvFileError>()("EnvFileError", {
+  message: Schema.String,
+}) {}
+
+export class EnvFileService extends Context.Service<
+  EnvFileService,
+  {
+    readonly scan: (
+      options: EnvScanOptions,
+    ) => Effect.Effect<ReadonlyArray<EnvFileInfo>, EnvFileError>;
+    readonly get: (request: EnvFileRequest) => Effect.Effect<EnvFileInfo, EnvFileError>;
+    readonly createFile: (
+      request: CreateEnvFileRequest,
+    ) => Effect.Effect<EnvFileInfo, EnvFileError>;
+    readonly setVariable: (
+      request: SetEnvVariableRequest,
+    ) => Effect.Effect<EnvFileInfo, EnvFileError>;
+    readonly deleteVariable: (
+      request: DeleteEnvVariableRequest,
+    ) => Effect.Effect<EnvFileInfo, EnvFileError>;
+  }
+>()("EnvFileService") {}
+
+export declare namespace EnvFileService {
+  export type Methods = Context.Service.Shape<typeof EnvFileService>;
+}
+
+const skipDirectories = new Set([
+  ".cache",
+  ".git",
+  ".jj",
+  ".moon/cache",
+  ".next",
+  ".nx",
+  ".turbo",
+  "build",
+  "coverage",
+  "dist",
+  "node_modules",
+  "out",
+]);
+
+const keyPattern = /^[A-Za-z_][A-Za-z0-9_]*$/u;
+
+export const isEnvFileName = (name: string): boolean =>
+  name.startsWith(".env") && name !== ".envrc" && !name.endsWith(".keys");
+
+export const isEncryptedValue = (value: string): boolean => value.startsWith("encrypted:");
+
+const toEnvFileError = (message: string) => (cause: unknown) =>
+  new EnvFileError({ message: `${message}: ${String(cause)}` });
+
+const normalizeRoot = (root: string): string => path.resolve(root);
+
+const relativeEnvPath = (root: string, absolutePath: string): string =>
+  path.relative(root, absolutePath).split(path.sep).join("/");
+
+const resolveEnvPath = (root: string, inputPath: string): Effect.Effect<string, EnvFileError> =>
+  Effect.sync(() => {
+    const normalizedRoot = normalizeRoot(root);
+    const target = path.resolve(normalizedRoot, inputPath);
+    const relative = path.relative(normalizedRoot, target);
+
+    if (relative.startsWith("..") || path.isAbsolute(relative)) {
+      throw new EnvFileError({ message: `Env file path escapes root: ${inputPath}` });
+    }
+    if (!isEnvFileName(path.basename(target))) {
+      throw new EnvFileError({ message: `Not an env file: ${inputPath}` });
+    }
+
+    return target;
+  }).pipe(
+    Effect.mapError(
+      (cause) => new EnvFileError({ message: `Invalid env file path: ${String(cause)}` }),
+    ),
+  );
+
+const readText = (target: string): Effect.Effect<string, EnvFileError> =>
+  Effect.tryPromise({
+    try: () => fs.readFile(target, "utf8"),
+    catch: toEnvFileError(`Failed to read ${target}`),
+  });
+
+const writeText = (target: string, content: string): Effect.Effect<void, EnvFileError> =>
+  Effect.tryPromise({
+    try: () => fs.writeFile(target, content),
+    catch: toEnvFileError(`Failed to write ${target}`),
+  });
+
+const createEmptyFile = (target: string): Effect.Effect<void, EnvFileError> =>
+  Effect.tryPromise({
+    try: async () => {
+      await fs.mkdir(path.dirname(target), { recursive: true });
+      await fs.writeFile(target, "", { flag: "wx" });
+    },
+    catch: toEnvFileError(`Failed to create ${target}`),
+  });
+
+const exists = (target: string): Effect.Effect<boolean> =>
+  Effect.tryPromise({
+    try: async () => {
+      await fs.access(target);
+      return true;
+    },
+    catch: () => new EnvFileError({ message: `Path does not exist: ${target}` }),
+  }).pipe(Effect.catch(() => Effect.succeed(false)));
+
+const parseVariables = (content: string): ReadonlyArray<EnvVariable> => {
+  const variables: Array<EnvVariable> = [];
+
+  for (const line of content.split(/\r?\n/u)) {
+    const trimmed = line.trim();
+    if (trimmed.length === 0 || trimmed.startsWith("#")) continue;
+
+    const match = trimmed.match(/^([A-Za-z_][A-Za-z0-9_]*)=(.*)$/u);
+    if (match === null) continue;
+
+    const key = match[1] ?? "";
+    let rawValue = match[2] ?? "";
+    if (
+      (rawValue.startsWith('"') && rawValue.endsWith('"')) ||
+      (rawValue.startsWith("'") && rawValue.endsWith("'"))
+    ) {
+      rawValue = rawValue.slice(1, -1);
+    }
+
+    variables.push({
+      key,
+      value: isEncryptedValue(rawValue) ? "***" : rawValue,
+      rawValue,
+      encrypted: isEncryptedValue(rawValue),
+    });
+  }
+
+  return variables;
+};
+
+const decryptVariables = ({
+  absolutePath,
+  keysPath,
+  variables,
+}: {
+  readonly absolutePath: string;
+  readonly keysPath: string;
+  readonly variables: ReadonlyArray<EnvVariable>;
+}): ReadonlyArray<EnvVariable> => {
+  try {
+    const result = dotenvConfig({
+      envKeysFile: keysPath,
+      ignore: ["MISSING_ENV_FILE"],
+      path: [absolutePath],
+      processEnv: {},
+      quiet: true,
+    });
+    const parsed = result.parsed ?? {};
+    return variables.map((variable) => ({
+      ...variable,
+      value: parsed[variable.key] ?? variable.value,
+    }));
+  } catch {
+    return variables;
+  }
+};
+
+const parseEnvFile = ({
+  absolutePath,
+  root,
+  decrypt,
+}: {
+  readonly absolutePath: string;
+  readonly root: string;
+  readonly decrypt: boolean;
+}): Effect.Effect<EnvFileInfo, EnvFileError> =>
+  Effect.gen(function* () {
+    const content = yield* readText(absolutePath);
+    const rootKeysPath = path.join(root, ".env.keys");
+    const siblingKeysPath = path.join(path.dirname(absolutePath), ".env.keys");
+    const hasRootKeys = yield* exists(rootKeysPath);
+    const hasSiblingKeys = hasRootKeys ? false : yield* exists(siblingKeysPath);
+    const keysPath = hasRootKeys ? rootKeysPath : siblingKeysPath;
+    const hasKeys = hasRootKeys || hasSiblingKeys;
+    const parsedVariables = parseVariables(content);
+    const encrypted = parsedVariables.some((variable) => variable.encrypted);
+    const variables =
+      decrypt && encrypted && hasKeys
+        ? decryptVariables({ absolutePath, keysPath, variables: parsedVariables })
+        : parsedVariables;
+
+    return {
+      absolutePath,
+      encrypted,
+      hasKeys,
+      path: relativeEnvPath(root, absolutePath),
+      variables,
+    };
+  });
+
+const shouldSkipDirectory = (name: string, relativePath: string): boolean =>
+  skipDirectories.has(name) || skipDirectories.has(relativePath);
+
+const findEnvFiles = ({
+  maxDepth,
+  root,
+}: {
+  readonly maxDepth: number;
+  readonly root: string;
+}): Effect.Effect<ReadonlyArray<string>, EnvFileError> =>
+  Effect.tryPromise({
+    try: async () => {
+      const results: Array<string> = [];
+
+      const visit = async (directory: string, depth: number): Promise<void> => {
+        if (depth > maxDepth) return;
+
+        const entries = await fs.readdir(directory, { withFileTypes: true });
+        for (const entry of entries) {
+          const absolutePath = path.join(directory, entry.name);
+          const relativePath = relativeEnvPath(root, absolutePath);
+
+          if (entry.isDirectory()) {
+            if (!shouldSkipDirectory(entry.name, relativePath)) {
+              await visit(absolutePath, depth + 1);
+            }
+            continue;
+          }
+
+          if (entry.isFile() && isEnvFileName(entry.name)) {
+            results.push(absolutePath);
+          }
+        }
+      };
+
+      await visit(root, 0);
+      return results.sort((left, right) =>
+        relativeEnvPath(root, left).localeCompare(relativeEnvPath(root, right)),
+      );
+    },
+    catch: toEnvFileError(`Failed to scan env files under ${root}`),
+  });
+
+const escapeQuotedValue = (value: string, quote: string): string =>
+  quote === '"' ? value.replace(/\\/gu, "\\\\").replace(/"/gu, '\\"') : value.replace(/'/gu, "\\'");
+
+const renderNewValue = (value: string): string =>
+  /[\s#"']/u.test(value) ? `"${escapeQuotedValue(value, '"')}"` : value;
+
+const splitValueAndComment = (rest: string) => {
+  let quote: string | undefined;
+  let escaped = false;
+  for (let index = 0; index < rest.length; index += 1) {
+    const char = rest[index];
+    if (escaped) {
+      escaped = false;
+      continue;
+    }
+    if (char === "\\") {
+      escaped = true;
+      continue;
+    }
+    if (quote !== undefined) {
+      if (char === quote) quote = undefined;
+      continue;
+    }
+    if (char === '"' || char === "'") {
+      quote = char;
+      continue;
+    }
+    if (char === "#" && (index === 0 || /\s/u.test(rest[index - 1] ?? ""))) {
+      const rawValueWithWhitespace = rest.slice(0, index);
+      const trailingWhitespace = rawValueWithWhitespace.match(/\s*$/u)?.[0] ?? "";
+      return {
+        valuePart: rawValueWithWhitespace.slice(
+          0,
+          rawValueWithWhitespace.length - trailingWhitespace.length,
+        ),
+        commentPart: `${trailingWhitespace}${rest.slice(index)}`,
+      };
+    }
+  }
+  return { valuePart: rest, commentPart: "" };
+};
+
+const renderReplacementLine = (line: string, key: string, value: string): string | undefined => {
+  const escapedKey = key.replace(/[.*+?^${}()|[\]\\]/gu, "\\$&");
+  const match = line.match(new RegExp(`^(\\s*(?:export\\s+)?${escapedKey}\\s*=)(.*)$`, "u"));
+  if (match === null) return undefined;
+  const prefix = match[1] ?? "";
+  const rest = match[2] ?? "";
+  const { valuePart, commentPart } = splitValueAndComment(rest);
+  const trimmedValue = valuePart.trim();
+  const quote =
+    trimmedValue.startsWith('"') && trimmedValue.endsWith('"')
+      ? '"'
+      : trimmedValue.startsWith("'") && trimmedValue.endsWith("'")
+        ? "'"
+        : undefined;
+  const rendered =
+    quote === undefined
+      ? renderNewValue(value)
+      : `${quote}${escapeQuotedValue(value, quote)}${quote}`;
+  return `${prefix}${rendered}${commentPart}`;
+};
+
+const setVariableInContent = ({
+  content,
+  key,
+  value,
+}: {
+  readonly content: string;
+  readonly key: string;
+  readonly value: string;
+}): string => {
+  const lines = content.split(/\r?\n/u);
+  let replaced = false;
+
+  const nextLines = lines.map((line) => {
+    const replacement = renderReplacementLine(line, key, value);
+    if (replacement === undefined) return line;
+    replaced = true;
+    return replacement;
+  });
+
+  if (replaced) {
+    return nextLines.join("\n");
+  }
+
+  const suffix = content.endsWith("\n") || content.length === 0 ? "" : "\n";
+  return `${content}${suffix}${key}=${renderNewValue(value)}\n`;
+};
+
+const deleteVariableFromContent = ({
+  content,
+  key,
+}: {
+  readonly content: string;
+  readonly key: string;
+}): string =>
+  content
+    .split(/\r?\n/u)
+    .filter((line) => renderReplacementLine(line, key, "") === undefined)
+    .join("\n");
+
+const setEncryptedVariable = ({
+  absolutePath,
+  key,
+  root,
+  value,
+}: {
+  readonly absolutePath: string;
+  readonly key: string;
+  readonly root: string;
+  readonly value: string;
+}): Effect.Effect<void, EnvFileError> =>
+  Effect.try({
+    try: () => {
+      dotenvSet(key, value, {
+        envKeysFile: path.join(root, ".env.keys"),
+        noOps: true,
+        path: absolutePath,
+      });
+    },
+    catch: toEnvFileError(`Failed to encrypt ${key} in ${absolutePath}`),
+  });
+
+const validateKey = (key: string): Effect.Effect<void, EnvFileError> =>
+  keyPattern.test(key)
+    ? Effect.void
+    : Effect.fail(new EnvFileError({ message: `Invalid env variable key: ${key}` }));
+
+export const EnvFileServiceLive = Layer.succeed(EnvFileService)(
+  EnvFileService.of({
+    scan: (options) =>
+      Effect.gen(function* () {
+        const root = normalizeRoot(options.root);
+        const paths = yield* findEnvFiles({ root, maxDepth: options.maxDepth ?? 6 });
+        return yield* Effect.all(
+          paths.map((absolutePath) =>
+            parseEnvFile({ absolutePath, root, decrypt: options.decrypt ?? false }),
+          ),
+        );
+      }),
+    get: (request) =>
+      Effect.gen(function* () {
+        const root = normalizeRoot(request.root);
+        const absolutePath = yield* resolveEnvPath(root, request.path);
+        return yield* parseEnvFile({ absolutePath, root, decrypt: request.decrypt ?? false });
+      }),
+    createFile: (request) =>
+      Effect.gen(function* () {
+        const root = normalizeRoot(request.root);
+        const absolutePath = yield* resolveEnvPath(root, request.path);
+        yield* createEmptyFile(absolutePath);
+        return yield* parseEnvFile({ absolutePath, root, decrypt: request.decrypt ?? false });
+      }),
+    setVariable: (request) =>
+      Effect.gen(function* () {
+        yield* validateKey(request.key);
+        const root = normalizeRoot(request.root);
+        const absolutePath = yield* resolveEnvPath(root, request.path);
+        if (request.encrypt === true) {
+          yield* setEncryptedVariable({
+            absolutePath,
+            root,
+            key: request.key,
+            value: request.value,
+          });
+        } else {
+          const content = yield* readText(absolutePath);
+          yield* writeText(
+            absolutePath,
+            setVariableInContent({ content, key: request.key, value: request.value }),
+          );
+        }
+        return yield* parseEnvFile({ absolutePath, root, decrypt: request.decrypt ?? false });
+      }),
+    deleteVariable: (request) =>
+      Effect.gen(function* () {
+        yield* validateKey(request.key);
+        const root = normalizeRoot(request.root);
+        const absolutePath = yield* resolveEnvPath(root, request.path);
+        const content = yield* readText(absolutePath);
+        yield* writeText(absolutePath, deleteVariableFromContent({ content, key: request.key }));
+        return yield* parseEnvFile({ absolutePath, root, decrypt: request.decrypt ?? false });
+      }),
+  }),
+);