@enspirit/emb 0.14.1 → 0.17.0

package/dist/src/config/schema.json

@@ -24,15 +24,7 @@
         "plugins": {
             "type": "array",
             "items": {
-                "type": "object",
-                "required": ["name"],
-                "properties": {
-                    "name": {
-                        "$ref": "#/definitions/Identifier"
-                    },
-                    "config": {}
-                },
-                "additionalProperties": false
+                "$ref": "#/definitions/PluginConfigItem"
             }
         },
         "env": {
@@ -376,6 +368,178 @@
                 { "$ref": "#/definitions/JsonPatchMoveOperation" },
                 { "$ref": "#/definitions/JsonPatchCopyOperation" }
             ]
+        },
+        "VaultTokenAuth": {
+            "type": "object",
+            "required": ["method", "token"],
+            "properties": {
+                "method": { "const": "token" },
+                "token": { "type": "string", "description": "Vault token for authentication" }
+            },
+            "additionalProperties": false
+        },
+        "VaultAppRoleAuth": {
+            "type": "object",
+            "required": ["method", "roleId", "secretId"],
+            "properties": {
+                "method": { "const": "approle" },
+                "roleId": { "type": "string", "description": "AppRole role ID" },
+                "secretId": { "type": "string", "description": "AppRole secret ID" }
+            },
+            "additionalProperties": false
+        },
+        "VaultKubernetesAuth": {
+            "type": "object",
+            "required": ["method", "role"],
+            "properties": {
+                "method": { "const": "kubernetes" },
+                "role": { "type": "string", "description": "Kubernetes auth role name" }
+            },
+            "additionalProperties": false
+        },
+        "VaultJwtAuth": {
+            "type": "object",
+            "required": ["method", "role", "jwt"],
+            "properties": {
+                "method": { "const": "jwt" },
+                "role": { "type": "string", "description": "JWT auth role name" },
+                "jwt": { "type": "string", "description": "JWT token for authentication" }
+            },
+            "additionalProperties": false
+        },
+        "VaultOidcAuth": {
+            "type": "object",
+            "required": ["method"],
+            "properties": {
+                "method": { "const": "oidc" },
+                "role": { "type": "string", "description": "OIDC auth role name" },
+                "port": { "type": "integer", "description": "Local port for OIDC callback" }
+            },
+            "additionalProperties": false
+        },
+        "VaultAuthConfig": {
+            "description": "Authentication configuration for HashiCorp Vault",
+            "oneOf": [
+                { "$ref": "#/definitions/VaultTokenAuth" },
+                { "$ref": "#/definitions/VaultAppRoleAuth" },
+                { "$ref": "#/definitions/VaultKubernetesAuth" },
+                { "$ref": "#/definitions/VaultJwtAuth" },
+                { "$ref": "#/definitions/VaultOidcAuth" }
+            ]
+        },
+        "VaultPluginConfig": {
+            "type": "object",
+            "description": "Configuration for the HashiCorp Vault plugin",
+            "properties": {
+                "address": {
+                    "type": "string",
+                    "description": "Vault server address. Defaults to VAULT_ADDR env var."
+                },
+                "namespace": {
+                    "type": "string",
+                    "description": "Vault namespace. Defaults to VAULT_NAMESPACE env var."
+                },
+                "auth": {
+                    "$ref": "#/definitions/VaultAuthConfig"
+                }
+            },
+            "additionalProperties": false
+        },
+        "AutoDockerPluginConfig": {
+            "type": "object",
+            "description": "Configuration for the AutoDocker plugin",
+            "properties": {
+                "glob": {
+                    "type": "string",
+                    "description": "Glob pattern to find Dockerfiles. Defaults to '*/Dockerfile'."
+                },
+                "ignore": {
+                    "oneOf": [
+                        { "type": "string" },
+                        { "type": "array", "items": { "type": "string" } }
+                    ],
+                    "description": "Patterns to ignore when searching for Dockerfiles."
+                }
+            },
+            "additionalProperties": false
+        },
+        "DotEnvPluginConfig": {
+            "type": "array",
+            "description": "Array of .env file paths to load",
+            "items": {
+                "type": "string"
+            }
+        },
+        "EmbfilesPluginConfig": {
+            "type": "object",
+            "description": "Configuration for the Embfiles loader plugin",
+            "properties": {
+                "glob": {
+                    "oneOf": [
+                        { "type": "string" },
+                        { "type": "array", "items": { "type": "string" } }
+                    ],
+                    "description": "Glob pattern(s) to find Embfiles. Defaults to '*/Embfile.{yaml,yml}'."
+                }
+            },
+            "additionalProperties": false
+        },
+        "PluginConfigItem": {
+            "type": "object",
+            "required": ["name"],
+            "properties": {
+                "name": {
+                    "$ref": "#/definitions/Identifier"
+                },
+                "config": {}
+            },
+            "additionalProperties": false,
+            "allOf": [
+                {
+                    "if": {
+                        "properties": { "name": { "const": "vault" } },
+                        "required": ["name"]
+                    },
+                    "then": {
+                        "properties": {
+                            "config": { "$ref": "#/definitions/VaultPluginConfig" }
+                        }
+                    }
+                },
+                {
+                    "if": {
+                        "properties": { "name": { "const": "autodocker" } },
+                        "required": ["name"]
+                    },
+                    "then": {
+                        "properties": {
+                            "config": { "$ref": "#/definitions/AutoDockerPluginConfig" }
+                        }
+                    }
+                },
+                {
+                    "if": {
+                        "properties": { "name": { "const": "dotenv" } },
+                        "required": ["name"]
+                    },
+                    "then": {
+                        "properties": {
+                            "config": { "$ref": "#/definitions/DotEnvPluginConfig" }
+                        }
+                    }
+                },
+                {
+                    "if": {
+                        "properties": { "name": { "const": "embfiles" } },
+                        "required": ["name"]
+                    },
+                    "then": {
+                        "properties": {
+                            "config": { "$ref": "#/definitions/EmbfilesPluginConfig" }
+                        }
+                    }
+                }
+            ]
         }
     }
 }

package/dist/src/context.d.ts

@@ -1,3 +1,12 @@
 import { EmbContext } from './types.js';
 export declare const getContext: () => EmbContext;
 export declare const setContext: (ctx: EmbContext) => EmbContext;
+/**
+ * Check if the context's EMB_ROOT matches the current environment.
+ * Used to detect when tests switch between different example monorepos.
+ */
+export declare const isContextStale: () => boolean;
+/**
+ * Reset the context. Used in testing to ensure a fresh context for each test suite.
+ */
+export declare const resetContext: () => void;

package/dist/src/context.js

@@ -1,8 +1,27 @@
 let context;
+let contextEmbRoot;
 export const getContext = () => {
     return context;
 };
 export const setContext = (ctx) => {
     context = ctx;
+    contextEmbRoot = process.env.EMB_ROOT;
     return ctx;
 };
+/**
+ * Check if the context's EMB_ROOT matches the current environment.
+ * Used to detect when tests switch between different example monorepos.
+ */
+export const isContextStale = () => {
+    if (!context) {
+        return false;
+    }
+    return contextEmbRoot !== process.env.EMB_ROOT;
+};
+/**
+ * Reset the context. Used in testing to ensure a fresh context for each test suite.
+ */
+export const resetContext = () => {
+    context = undefined;
+    contextEmbRoot = undefined;
+};

package/dist/src/docker/compose/operations/ComposeLogsOperation.d.ts

@@ -0,0 +1,21 @@
+import { Writable } from 'node:stream';
+import * as z from 'zod';
+import { AbstractOperation } from '../../../operations/index.js';
+/**
+ * https://docs.docker.com/reference/cli/docker/compose/logs/
+ */
+export declare const ComposeLogsOperationInputSchema: z.ZodOptional<z.ZodObject<{
+    services: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    follow: z.ZodOptional<z.ZodBoolean>;
+    timestamps: z.ZodOptional<z.ZodBoolean>;
+    tail: z.ZodOptional<z.ZodNumber>;
+}, z.core.$strip>>;
+export declare class ComposeLogsOperation extends AbstractOperation<typeof ComposeLogsOperationInputSchema, void> {
+    protected out?: Writable | undefined;
+    /**
+     * @param out Optional writable stream to capture output. If not provided,
+     *            output is streamed directly to the terminal (stdio: 'inherit').
+     */
+    constructor(out?: Writable | undefined);
+    protected _run(input: z.input<typeof ComposeLogsOperationInputSchema>): Promise<void>;
+}

package/dist/src/docker/compose/operations/ComposeLogsOperation.js

@@ -0,0 +1,85 @@
+import { spawn } from 'node:child_process';
+import * as z from 'zod';
+import { AbstractOperation } from '../../../operations/index.js';
+/**
+ * https://docs.docker.com/reference/cli/docker/compose/logs/
+ */
+export const ComposeLogsOperationInputSchema = z
+    .object({
+    services: z
+        .array(z.string())
+        .optional()
+        .describe('The list of services to show logs for (all if omitted)'),
+    follow: z.boolean().optional().describe('Follow log output'),
+    timestamps: z.boolean().optional().describe('Show timestamps'),
+    tail: z
+        .number()
+        .optional()
+        .describe('Number of lines to show from the end'),
+})
+    .optional();
+export class ComposeLogsOperation extends AbstractOperation {
+    out;
+    /**
+     * @param out Optional writable stream to capture output. If not provided,
+     *            output is streamed directly to the terminal (stdio: 'inherit').
+     */
+    constructor(out) {
+        super(ComposeLogsOperationInputSchema);
+        this.out = out;
+    }
+    async _run(input) {
+        const { monorepo } = this.context;
+        const cmd = 'docker';
+        const args = ['compose', 'logs'];
+        const follow = input?.follow ?? true;
+        if (follow) {
+            args.push('-f');
+        }
+        if (input?.timestamps) {
+            args.push('-t');
+        }
+        if (input?.tail !== undefined) {
+            args.push('--tail', String(input.tail));
+        }
+        if (input?.services && input.services.length > 0) {
+            args.push(...input.services);
+        }
+        const child = spawn(cmd, args, {
+            stdio: this.out ? 'pipe' : 'inherit',
+            cwd: monorepo.rootDir,
+        });
+        if (this.out && child.stdout && child.stderr) {
+            child.stdout.pipe(this.out, { end: false });
+            child.stderr.pipe(this.out, { end: false });
+        }
+        const forward = (sig) => {
+            try {
+                child.kill(sig);
+            }
+            catch { }
+        };
+        const signals = [
+            'SIGINT',
+            'SIGTERM',
+            'SIGHUP',
+            'SIGQUIT',
+        ];
+        signals.forEach((sig) => {
+            process.on(sig, () => forward(sig));
+        });
+        return new Promise((resolve, reject) => {
+            child.on('error', (err) => {
+                reject(new Error(`Failed to execute docker compose logs: ${err.message}`));
+            });
+            child.on('exit', (code) => {
+                if (code !== null && code !== 0) {
+                    reject(new Error(`docker compose logs exited with code ${code}`));
+                }
+                else {
+                    resolve();
+                }
+            });
+        });
+    }
+}

package/dist/src/docker/compose/operations/index.d.ts

@@ -1,6 +1,7 @@
 export * from './ComposeDownOperation.js';
 export * from './ComposeExecOperation.js';
 export * from './ComposeExecShellOperation.js';
+export * from './ComposeLogsOperation.js';
 export * from './ComposePsOperation.js';
 export * from './ComposeRestartOperation.js';
 export * from './ComposeStartOperation.js';

package/dist/src/docker/compose/operations/index.js

@@ -1,6 +1,7 @@
 export * from './ComposeDownOperation.js';
 export * from './ComposeExecOperation.js';
 export * from './ComposeExecShellOperation.js';
+export * from './ComposeLogsOperation.js';
 export * from './ComposePsOperation.js';
 export * from './ComposeRestartOperation.js';
 export * from './ComposeStartOperation.js';

package/dist/src/docker/resources/DockerImageResource.js

@@ -19,12 +19,22 @@ class DockerImageResourceBuilder extends SentinelFileBasedBuilder {
             : buildContext.monorepo.join(buildContext.component.rootDir);
     }
     async getReference() {
-        const imageName = [
-            this.monorepo.name,
-            this.config?.tag || this.component.name,
-        ].join('/');
-        const tagName = this.config?.tag || this.monorepo.defaults.docker?.tag || 'latest';
-        return this.monorepo.expand(`${imageName}:${tagName}`);
+        const configTag = this.config?.tag;
+        let imageNamePart;
+        let tagPart;
+        if (configTag && configTag.includes(':')) {
+            // config.tag contains both image name and tag (e.g., "myimage:v1.0.0")
+            const colonIndex = configTag.lastIndexOf(':');
+            imageNamePart = configTag.slice(0, colonIndex);
+            tagPart = configTag.slice(colonIndex + 1);
+        }
+        else {
+            // config.tag is just an image name or undefined
+            imageNamePart = configTag || this.component.name;
+            tagPart = this.monorepo.defaults.docker?.tag || 'latest';
+        }
+        const imageName = [this.monorepo.name, imageNamePart].join('/');
+        return this.monorepo.expand(`${imageName}:${tagPart}`);
     }
     get monorepo() {
         return this.buildContext.monorepo;

package/dist/src/index.d.ts

@@ -2,5 +2,6 @@ export * from './context.js';
 export * from './docker/index.js';
 export * from './errors.js';
 export * from './monorepo/index.js';
+export * from './secrets/index.js';
 export * from './types.js';
 export { run } from '@oclif/core';

package/dist/src/index.js

@@ -2,5 +2,6 @@ export * from './context.js';
 export * from './docker/index.js';
 export * from './errors.js';
 export * from './monorepo/index.js';
+export * from './secrets/index.js';
 export * from './types.js';
 export { run } from '@oclif/core';

package/dist/src/monorepo/monorepo.js

@@ -1,4 +1,4 @@
-import { TaskManagerFactory } from '../index.js';
+import { getContext, TaskManagerFactory } from '../index.js';
 import jsonpatch from 'fast-json-patch';
 import { join } from 'node:path';
 import { TemplateExpander } from '../utils/index.js';
@@ -106,12 +106,20 @@ export class Monorepo {
     }
     // Helper to expand a record of strings
     async expand(toExpand, vars, expander = new TemplateExpander()) {
+        const secrets = getContext()?.secrets;
+        const sources = {
+            env: process.env,
+            vars: vars || this.vars,
+        };
+        // Add all registered secret providers as sources
+        if (secrets) {
+            for (const providerName of secrets.getProviderNames()) {
+                sources[providerName] = secrets.createSource(providerName);
+            }
+        }
         const options = {
             default: 'vars',
-            sources: {
-                env: process.env,
-                vars: vars || this.vars,
-            },
+            sources,
         };
         return expander.expandRecord(toExpand, options);
     }

package/dist/src/monorepo/operations/resources/BuildResourcesOperation.js

@@ -1,7 +1,6 @@
 import { PRESET_TIMER, } from 'listr2';
 import * as z from 'zod';
-import { EMBCollection, findRunOrder, } from '../../index.js';
-import { ResourceFactory } from '../../resources/ResourceFactory.js';
+import { EMBCollection, findRunOrder, ResourceFactory, } from '../../index.js';
 import { AbstractOperation } from '../../../operations/index.js';
 const schema = z.object({
     resources: z

package/dist/src/monorepo/operations/tasks/RunTasksOperation.d.ts

@@ -21,7 +21,7 @@ export type TaskWithScriptAndComponent = TaskInfo & {
 export declare class RunTasksOperation implements IOperation<RunTasksOperationParams, Array<TaskInfo>> {
     run(params: RunTasksOperationParams): Promise<Array<TaskInfo>>;
     protected runDocker(task: TaskWithScriptAndComponent, out?: Writable): Promise<void>;
-    protected runLocal(task: TaskWithScript, out: Writable): Promise<import("stream").Readable>;
+    protected runLocal(task: TaskWithScript, _out: Writable): Promise<import("stream").Readable>;
     private defaultExecutorFor;
     private ensureExecutorValid;
     private availableExecutorsFor;

package/dist/src/monorepo/operations/tasks/RunTasksOperation.js

@@ -82,7 +82,7 @@ export class RunTasksOperation {
             env: await monorepo.expand(task.vars || {}),
         });
     }
-    async runLocal(task, out) {
+    async runLocal(task, _out) {
         const { monorepo } = getContext();
         const cwd = task.component
             ? monorepo.join(monorepo.component(task.component).rootDir)

package/dist/src/monorepo/plugins/VaultPlugin.d.ts

@@ -0,0 +1,46 @@
+import { VaultAuthConfig } from '../../secrets/providers/VaultProvider.js';
+import { AbstractPlugin } from './plugin.js';
+/**
+ * Configuration for the Vault plugin in .emb.yml
+ */
+export interface VaultPluginConfig {
+    /** Vault server address. Defaults to VAULT_ADDR env var. */
+    address?: string;
+    /** Authentication configuration */
+    auth?: VaultAuthConfig;
+    /** Vault namespace. Defaults to VAULT_NAMESPACE env var. */
+    namespace?: string;
+}
+/**
+ * Plugin that integrates HashiCorp Vault with EMB.
+ *
+ * Usage in .emb.yml:
+ * ```yaml
+ * plugins:
+ *   - name: vault
+ *     config:
+ *       address: ${env:VAULT_ADDR:-http://localhost:8200}
+ *       auth:
+ *         method: token
+ *         token: ${env:VAULT_TOKEN}
+ * ```
+ *
+ * Then use secrets in templates:
+ * ```yaml
+ * env:
+ *   DB_PASSWORD: ${vault:secret/myapp/db#password}
+ * ```
+ */
+export declare class VaultPlugin extends AbstractPlugin<VaultPluginConfig> {
+    static name: string;
+    private provider;
+    init(): Promise<void>;
+    /**
+     * Resolve the plugin configuration, filling in defaults from env vars.
+     */
+    private resolveConfig;
+    /**
+     * Resolve authentication configuration.
+     */
+    private resolveAuth;
+}

package/dist/src/monorepo/plugins/VaultPlugin.js

@@ -0,0 +1,91 @@
+import { getContext } from '../../context.js';
+import { VaultProvider, } from '../../secrets/providers/VaultProvider.js';
+import { AbstractPlugin } from './plugin.js';
+/**
+ * Plugin that integrates HashiCorp Vault with EMB.
+ *
+ * Usage in .emb.yml:
+ * ```yaml
+ * plugins:
+ *   - name: vault
+ *     config:
+ *       address: ${env:VAULT_ADDR:-http://localhost:8200}
+ *       auth:
+ *         method: token
+ *         token: ${env:VAULT_TOKEN}
+ * ```
+ *
+ * Then use secrets in templates:
+ * ```yaml
+ * env:
+ *   DB_PASSWORD: ${vault:secret/myapp/db#password}
+ * ```
+ */
+export class VaultPlugin extends AbstractPlugin {
+    static name = 'vault';
+    provider = null;
+    async init() {
+        const resolvedConfig = this.resolveConfig();
+        this.provider = new VaultProvider(resolvedConfig);
+        await this.provider.connect();
+        // Register the provider with the global SecretManager
+        const context = getContext();
+        if (context?.secrets) {
+            context.secrets.register('vault', this.provider);
+        }
+    }
+    /**
+     * Resolve the plugin configuration, filling in defaults from env vars.
+     */
+    resolveConfig() {
+        const address = this.config.address || process.env.VAULT_ADDR;
+        if (!address) {
+            throw new Error('Vault address not configured. Set VAULT_ADDR environment variable or configure address in plugin config.');
+        }
+        const auth = this.resolveAuth();
+        return {
+            address,
+            namespace: this.config.namespace || process.env.VAULT_NAMESPACE,
+            auth,
+        };
+    }
+    /**
+     * Resolve authentication configuration.
+     */
+    resolveAuth() {
+        // If explicit auth config is provided, use it
+        if (this.config.auth) {
+            return this.config.auth;
+        }
+        // Try to infer from environment
+        const token = process.env.VAULT_TOKEN;
+        if (token) {
+            return { method: 'token', token };
+        }
+        const roleId = process.env.VAULT_ROLE_ID;
+        const secretId = process.env.VAULT_SECRET_ID;
+        if (roleId && secretId) {
+            return { method: 'approle', roleId, secretId };
+        }
+        const k8sRole = process.env.VAULT_K8S_ROLE;
+        if (k8sRole) {
+            return { method: 'kubernetes', role: k8sRole };
+        }
+        // JWT auth (non-interactive, for CI/CD)
+        const jwt = process.env.VAULT_JWT;
+        const jwtRole = process.env.VAULT_JWT_ROLE;
+        if (jwt && jwtRole) {
+            return { method: 'jwt', role: jwtRole, jwt };
+        }
+        // OIDC auth (interactive browser flow)
+        const oidcRole = process.env.VAULT_OIDC_ROLE;
+        if (oidcRole !== undefined) {
+            return { method: 'oidc', role: oidcRole || undefined };
+        }
+        throw new Error('Vault authentication not configured. ' +
+            'Set VAULT_TOKEN, or VAULT_ROLE_ID + VAULT_SECRET_ID, ' +
+            'or VAULT_K8S_ROLE, or VAULT_JWT + VAULT_JWT_ROLE, ' +
+            'or VAULT_OIDC_ROLE environment variable, ' +
+            'or configure auth in plugin config.');
+    }
+}

package/dist/src/monorepo/plugins/index.d.ts

@@ -2,6 +2,7 @@ import { AbstractPlugin } from './plugin.js';
 export * from './AutoDockerPlugin.js';
 export * from './DotEnvPlugin.js';
 export * from './EmbfileLoaderPlugin.js';
+export * from './VaultPlugin.js';
 import { Monorepo } from '../index.js';
 export type AbstractPluginConstructor = new <C, P extends AbstractPlugin<C>>(config: C, monorepo: Monorepo) => P;
 export declare const registerPlugin: (plugin: AbstractPluginConstructor) => void;

package/dist/src/monorepo/plugins/index.js

@@ -1,9 +1,11 @@
 export * from './AutoDockerPlugin.js';
 export * from './DotEnvPlugin.js';
 export * from './EmbfileLoaderPlugin.js';
+export * from './VaultPlugin.js';
 import { AutoDockerPlugin } from './AutoDockerPlugin.js';
 import { DotEnvPlugin } from './DotEnvPlugin.js';
 import { EmbfileLoaderPlugin } from './EmbfileLoaderPlugin.js';
+import { VaultPlugin } from './VaultPlugin.js';
 const PluginRegistry = new Map();
 export const registerPlugin = (plugin) => {
     if (PluginRegistry.has(plugin.name)) {
@@ -21,3 +23,4 @@ export const getPlugin = (name) => {
 registerPlugin(AutoDockerPlugin);
 registerPlugin(DotEnvPlugin);
 registerPlugin(EmbfileLoaderPlugin);
+registerPlugin(VaultPlugin);

package/dist/src/monorepo/resources/index.d.ts

@@ -1,3 +1,4 @@
 import './FileResourceBuilder.js';
 export * from './abstract/index.js';
+export * from './ResourceFactory.js';
 export * from './types.js';

package/dist/src/monorepo/resources/index.js

@@ -1,3 +1,4 @@
 import './FileResourceBuilder.js';
 export * from './abstract/index.js';
+export * from './ResourceFactory.js';
 export * from './types.js';