@env-lane/vault 0.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +21 -0
- package/README.md +22 -0
- package/dist/index.cjs +787 -0
- package/dist/index.d.cts +173 -0
- package/dist/index.d.ts +173 -0
- package/dist/index.js +740 -0
- package/package.json +60 -0
package/dist/index.d.cts
ADDED
|
@@ -0,0 +1,173 @@
|
|
|
1
|
+
import { z } from 'zod';
|
|
2
|
+
|
|
3
|
+
declare const schema: z.ZodObject<{
|
|
4
|
+
envFiles: z.ZodArray<z.ZodString>;
|
|
5
|
+
outputDir: z.ZodDefault<z.ZodString>;
|
|
6
|
+
outputFile: z.ZodDefault<z.ZodString>;
|
|
7
|
+
trackDeletions: z.ZodDefault<z.ZodBoolean>;
|
|
8
|
+
exclude: z.ZodDefault<z.ZodArray<z.ZodObject<{
|
|
9
|
+
files: z.ZodUnion<[z.ZodArray<z.ZodString>, z.ZodString]>;
|
|
10
|
+
keys: z.ZodUnion<[z.ZodArray<z.ZodString>, z.ZodString]>;
|
|
11
|
+
}, z.core.$strip>>>;
|
|
12
|
+
sort: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodObject<{
|
|
13
|
+
file: z.ZodString;
|
|
14
|
+
template: z.ZodString;
|
|
15
|
+
files: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
|
|
16
|
+
}, z.core.$strip>>>;
|
|
17
|
+
disableUnsafeWarning: z.ZodOptional<z.ZodBoolean>;
|
|
18
|
+
}, z.core.$strip>;
|
|
19
|
+
interface VaultConfig {
|
|
20
|
+
baseDir: string;
|
|
21
|
+
envFiles: string[];
|
|
22
|
+
outputDir: string;
|
|
23
|
+
outputFile: string;
|
|
24
|
+
storePath: string;
|
|
25
|
+
trackDeletions: boolean;
|
|
26
|
+
exclude: Array<{
|
|
27
|
+
files: string[];
|
|
28
|
+
keys: string[];
|
|
29
|
+
}>;
|
|
30
|
+
sort?: Record<string, {
|
|
31
|
+
file: string;
|
|
32
|
+
template: string;
|
|
33
|
+
files?: Record<string, string>;
|
|
34
|
+
}>;
|
|
35
|
+
disableUnsafeWarning: boolean;
|
|
36
|
+
}
|
|
37
|
+
declare function defineVaultConfig(config: z.input<typeof schema>): z.input<typeof schema>;
|
|
38
|
+
declare function loadVaultConfig(configPath: string): Promise<VaultConfig>;
|
|
39
|
+
|
|
40
|
+
declare function deriveVaultKey(keyFilePath: string): Buffer;
|
|
41
|
+
declare function encryptRecord(key: Buffer, plaintext: string): string;
|
|
42
|
+
declare function decryptRecord(key: Buffer, line: string): string;
|
|
43
|
+
|
|
44
|
+
type VaultOperation = 'set' | 'delete';
|
|
45
|
+
type RestoreAction = 'add' | 'modify' | 'delete' | 'identical';
|
|
46
|
+
interface VaultRecord {
|
|
47
|
+
f: string;
|
|
48
|
+
k: string;
|
|
49
|
+
t: number;
|
|
50
|
+
op: VaultOperation;
|
|
51
|
+
v?: string;
|
|
52
|
+
order?: number;
|
|
53
|
+
}
|
|
54
|
+
interface RestorePlanEntry {
|
|
55
|
+
filePath: string;
|
|
56
|
+
key: string;
|
|
57
|
+
action: RestoreAction;
|
|
58
|
+
currentValues: string[];
|
|
59
|
+
occurrenceCount: number;
|
|
60
|
+
nextValue?: string;
|
|
61
|
+
}
|
|
62
|
+
interface RestorePlanFile {
|
|
63
|
+
filePath: string;
|
|
64
|
+
entries: RestorePlanEntry[];
|
|
65
|
+
changed: boolean;
|
|
66
|
+
}
|
|
67
|
+
interface RestorePlan {
|
|
68
|
+
storePath: string;
|
|
69
|
+
files: RestorePlanFile[];
|
|
70
|
+
summary: Record<RestoreAction, number> & {
|
|
71
|
+
filesWithChanges: number;
|
|
72
|
+
};
|
|
73
|
+
failedRecords: number;
|
|
74
|
+
parsedRecords: number;
|
|
75
|
+
rawRecords: number;
|
|
76
|
+
aliasedRecords: number;
|
|
77
|
+
unmanagedStoreFiles: string[];
|
|
78
|
+
excludedRecordsIgnored: number;
|
|
79
|
+
}
|
|
80
|
+
declare function encryptEnvFiles(configPath: string, keyFilePath: string, options?: {
|
|
81
|
+
disableUnsafeWarning?: boolean;
|
|
82
|
+
ignoreCorruptRecords?: boolean;
|
|
83
|
+
}): Promise<{
|
|
84
|
+
storePath: string;
|
|
85
|
+
setRecordsWritten: number;
|
|
86
|
+
deleteRecordsWritten: number;
|
|
87
|
+
skippedUnchanged: number;
|
|
88
|
+
excludedEntriesIgnored: number;
|
|
89
|
+
missingFilesSkipped: number;
|
|
90
|
+
invalidLinesIgnored: number;
|
|
91
|
+
shadowedEntriesIgnored: number;
|
|
92
|
+
rawRecords: number;
|
|
93
|
+
parsedRecords: number;
|
|
94
|
+
failedRecords: number;
|
|
95
|
+
aliasedRecords: number;
|
|
96
|
+
}>;
|
|
97
|
+
declare function buildRestorePlan(configPath: string, keyFilePath: string, options?: {
|
|
98
|
+
disableUnsafeWarning?: boolean;
|
|
99
|
+
ignoreCorruptRecords?: boolean;
|
|
100
|
+
}): Promise<RestorePlan>;
|
|
101
|
+
declare function decryptEnvFiles(configPath: string, keyFilePath: string, options?: {
|
|
102
|
+
dryRun?: boolean;
|
|
103
|
+
autoApprove?: boolean;
|
|
104
|
+
disableUnsafeWarning?: boolean;
|
|
105
|
+
ignoreCorruptRecords?: boolean;
|
|
106
|
+
}): Promise<{
|
|
107
|
+
applied: boolean;
|
|
108
|
+
filesWritten: number;
|
|
109
|
+
results: {
|
|
110
|
+
filePath: string;
|
|
111
|
+
keys: number;
|
|
112
|
+
changed: boolean;
|
|
113
|
+
entries: RestorePlanEntry[];
|
|
114
|
+
}[];
|
|
115
|
+
storePath: string;
|
|
116
|
+
files: RestorePlanFile[];
|
|
117
|
+
summary: Record<RestoreAction, number> & {
|
|
118
|
+
filesWithChanges: number;
|
|
119
|
+
};
|
|
120
|
+
failedRecords: number;
|
|
121
|
+
parsedRecords: number;
|
|
122
|
+
rawRecords: number;
|
|
123
|
+
aliasedRecords: number;
|
|
124
|
+
unmanagedStoreFiles: string[];
|
|
125
|
+
excludedRecordsIgnored: number;
|
|
126
|
+
}>;
|
|
127
|
+
declare function runVault(configPath: string, keyFilePath: string, mode: 'encrypt' | 'decrypt', options?: {
|
|
128
|
+
dryRun?: boolean;
|
|
129
|
+
autoApprove?: boolean;
|
|
130
|
+
disableUnsafeWarning?: boolean;
|
|
131
|
+
ignoreCorruptRecords?: boolean;
|
|
132
|
+
}): Promise<{
|
|
133
|
+
storePath: string;
|
|
134
|
+
setRecordsWritten: number;
|
|
135
|
+
deleteRecordsWritten: number;
|
|
136
|
+
skippedUnchanged: number;
|
|
137
|
+
excludedEntriesIgnored: number;
|
|
138
|
+
missingFilesSkipped: number;
|
|
139
|
+
invalidLinesIgnored: number;
|
|
140
|
+
shadowedEntriesIgnored: number;
|
|
141
|
+
rawRecords: number;
|
|
142
|
+
parsedRecords: number;
|
|
143
|
+
failedRecords: number;
|
|
144
|
+
aliasedRecords: number;
|
|
145
|
+
} | {
|
|
146
|
+
applied: boolean;
|
|
147
|
+
filesWritten: number;
|
|
148
|
+
results: {
|
|
149
|
+
filePath: string;
|
|
150
|
+
keys: number;
|
|
151
|
+
changed: boolean;
|
|
152
|
+
entries: RestorePlanEntry[];
|
|
153
|
+
}[];
|
|
154
|
+
storePath: string;
|
|
155
|
+
files: RestorePlanFile[];
|
|
156
|
+
summary: Record<RestoreAction, number> & {
|
|
157
|
+
filesWithChanges: number;
|
|
158
|
+
};
|
|
159
|
+
failedRecords: number;
|
|
160
|
+
parsedRecords: number;
|
|
161
|
+
rawRecords: number;
|
|
162
|
+
aliasedRecords: number;
|
|
163
|
+
unmanagedStoreFiles: string[];
|
|
164
|
+
excludedRecordsIgnored: number;
|
|
165
|
+
}>;
|
|
166
|
+
|
|
167
|
+
declare const VAULT_UNSAFE_WARNING = "[env-lane:vault] WARNING: This vault is not a production secret-management system.\n[env-lane:vault] It stores reversible encrypted .env records and depends on local key-file handling.\n[env-lane:vault] Use CI/CD secrets, cloud KMS, HashiCorp Vault, SOPS, age, or a platform Secret Manager for production.";
|
|
168
|
+
declare function warnUnsafeVault(options?: {
|
|
169
|
+
disableUnsafeWarning?: boolean;
|
|
170
|
+
stderr?: Pick<typeof process.stderr, 'write'>;
|
|
171
|
+
}): void;
|
|
172
|
+
|
|
173
|
+
export { type RestoreAction, type RestorePlan, type RestorePlanEntry, type RestorePlanFile, VAULT_UNSAFE_WARNING, type VaultConfig, type VaultOperation, type VaultRecord, buildRestorePlan, decryptEnvFiles, decryptRecord, defineVaultConfig, deriveVaultKey, encryptEnvFiles, encryptRecord, loadVaultConfig, runVault, warnUnsafeVault };
|
package/dist/index.d.ts
ADDED
|
@@ -0,0 +1,173 @@
|
|
|
1
|
+
import { z } from 'zod';
|
|
2
|
+
|
|
3
|
+
declare const schema: z.ZodObject<{
|
|
4
|
+
envFiles: z.ZodArray<z.ZodString>;
|
|
5
|
+
outputDir: z.ZodDefault<z.ZodString>;
|
|
6
|
+
outputFile: z.ZodDefault<z.ZodString>;
|
|
7
|
+
trackDeletions: z.ZodDefault<z.ZodBoolean>;
|
|
8
|
+
exclude: z.ZodDefault<z.ZodArray<z.ZodObject<{
|
|
9
|
+
files: z.ZodUnion<[z.ZodArray<z.ZodString>, z.ZodString]>;
|
|
10
|
+
keys: z.ZodUnion<[z.ZodArray<z.ZodString>, z.ZodString]>;
|
|
11
|
+
}, z.core.$strip>>>;
|
|
12
|
+
sort: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodObject<{
|
|
13
|
+
file: z.ZodString;
|
|
14
|
+
template: z.ZodString;
|
|
15
|
+
files: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
|
|
16
|
+
}, z.core.$strip>>>;
|
|
17
|
+
disableUnsafeWarning: z.ZodOptional<z.ZodBoolean>;
|
|
18
|
+
}, z.core.$strip>;
|
|
19
|
+
interface VaultConfig {
|
|
20
|
+
baseDir: string;
|
|
21
|
+
envFiles: string[];
|
|
22
|
+
outputDir: string;
|
|
23
|
+
outputFile: string;
|
|
24
|
+
storePath: string;
|
|
25
|
+
trackDeletions: boolean;
|
|
26
|
+
exclude: Array<{
|
|
27
|
+
files: string[];
|
|
28
|
+
keys: string[];
|
|
29
|
+
}>;
|
|
30
|
+
sort?: Record<string, {
|
|
31
|
+
file: string;
|
|
32
|
+
template: string;
|
|
33
|
+
files?: Record<string, string>;
|
|
34
|
+
}>;
|
|
35
|
+
disableUnsafeWarning: boolean;
|
|
36
|
+
}
|
|
37
|
+
declare function defineVaultConfig(config: z.input<typeof schema>): z.input<typeof schema>;
|
|
38
|
+
declare function loadVaultConfig(configPath: string): Promise<VaultConfig>;
|
|
39
|
+
|
|
40
|
+
declare function deriveVaultKey(keyFilePath: string): Buffer;
|
|
41
|
+
declare function encryptRecord(key: Buffer, plaintext: string): string;
|
|
42
|
+
declare function decryptRecord(key: Buffer, line: string): string;
|
|
43
|
+
|
|
44
|
+
type VaultOperation = 'set' | 'delete';
|
|
45
|
+
type RestoreAction = 'add' | 'modify' | 'delete' | 'identical';
|
|
46
|
+
interface VaultRecord {
|
|
47
|
+
f: string;
|
|
48
|
+
k: string;
|
|
49
|
+
t: number;
|
|
50
|
+
op: VaultOperation;
|
|
51
|
+
v?: string;
|
|
52
|
+
order?: number;
|
|
53
|
+
}
|
|
54
|
+
interface RestorePlanEntry {
|
|
55
|
+
filePath: string;
|
|
56
|
+
key: string;
|
|
57
|
+
action: RestoreAction;
|
|
58
|
+
currentValues: string[];
|
|
59
|
+
occurrenceCount: number;
|
|
60
|
+
nextValue?: string;
|
|
61
|
+
}
|
|
62
|
+
interface RestorePlanFile {
|
|
63
|
+
filePath: string;
|
|
64
|
+
entries: RestorePlanEntry[];
|
|
65
|
+
changed: boolean;
|
|
66
|
+
}
|
|
67
|
+
interface RestorePlan {
|
|
68
|
+
storePath: string;
|
|
69
|
+
files: RestorePlanFile[];
|
|
70
|
+
summary: Record<RestoreAction, number> & {
|
|
71
|
+
filesWithChanges: number;
|
|
72
|
+
};
|
|
73
|
+
failedRecords: number;
|
|
74
|
+
parsedRecords: number;
|
|
75
|
+
rawRecords: number;
|
|
76
|
+
aliasedRecords: number;
|
|
77
|
+
unmanagedStoreFiles: string[];
|
|
78
|
+
excludedRecordsIgnored: number;
|
|
79
|
+
}
|
|
80
|
+
declare function encryptEnvFiles(configPath: string, keyFilePath: string, options?: {
|
|
81
|
+
disableUnsafeWarning?: boolean;
|
|
82
|
+
ignoreCorruptRecords?: boolean;
|
|
83
|
+
}): Promise<{
|
|
84
|
+
storePath: string;
|
|
85
|
+
setRecordsWritten: number;
|
|
86
|
+
deleteRecordsWritten: number;
|
|
87
|
+
skippedUnchanged: number;
|
|
88
|
+
excludedEntriesIgnored: number;
|
|
89
|
+
missingFilesSkipped: number;
|
|
90
|
+
invalidLinesIgnored: number;
|
|
91
|
+
shadowedEntriesIgnored: number;
|
|
92
|
+
rawRecords: number;
|
|
93
|
+
parsedRecords: number;
|
|
94
|
+
failedRecords: number;
|
|
95
|
+
aliasedRecords: number;
|
|
96
|
+
}>;
|
|
97
|
+
declare function buildRestorePlan(configPath: string, keyFilePath: string, options?: {
|
|
98
|
+
disableUnsafeWarning?: boolean;
|
|
99
|
+
ignoreCorruptRecords?: boolean;
|
|
100
|
+
}): Promise<RestorePlan>;
|
|
101
|
+
declare function decryptEnvFiles(configPath: string, keyFilePath: string, options?: {
|
|
102
|
+
dryRun?: boolean;
|
|
103
|
+
autoApprove?: boolean;
|
|
104
|
+
disableUnsafeWarning?: boolean;
|
|
105
|
+
ignoreCorruptRecords?: boolean;
|
|
106
|
+
}): Promise<{
|
|
107
|
+
applied: boolean;
|
|
108
|
+
filesWritten: number;
|
|
109
|
+
results: {
|
|
110
|
+
filePath: string;
|
|
111
|
+
keys: number;
|
|
112
|
+
changed: boolean;
|
|
113
|
+
entries: RestorePlanEntry[];
|
|
114
|
+
}[];
|
|
115
|
+
storePath: string;
|
|
116
|
+
files: RestorePlanFile[];
|
|
117
|
+
summary: Record<RestoreAction, number> & {
|
|
118
|
+
filesWithChanges: number;
|
|
119
|
+
};
|
|
120
|
+
failedRecords: number;
|
|
121
|
+
parsedRecords: number;
|
|
122
|
+
rawRecords: number;
|
|
123
|
+
aliasedRecords: number;
|
|
124
|
+
unmanagedStoreFiles: string[];
|
|
125
|
+
excludedRecordsIgnored: number;
|
|
126
|
+
}>;
|
|
127
|
+
declare function runVault(configPath: string, keyFilePath: string, mode: 'encrypt' | 'decrypt', options?: {
|
|
128
|
+
dryRun?: boolean;
|
|
129
|
+
autoApprove?: boolean;
|
|
130
|
+
disableUnsafeWarning?: boolean;
|
|
131
|
+
ignoreCorruptRecords?: boolean;
|
|
132
|
+
}): Promise<{
|
|
133
|
+
storePath: string;
|
|
134
|
+
setRecordsWritten: number;
|
|
135
|
+
deleteRecordsWritten: number;
|
|
136
|
+
skippedUnchanged: number;
|
|
137
|
+
excludedEntriesIgnored: number;
|
|
138
|
+
missingFilesSkipped: number;
|
|
139
|
+
invalidLinesIgnored: number;
|
|
140
|
+
shadowedEntriesIgnored: number;
|
|
141
|
+
rawRecords: number;
|
|
142
|
+
parsedRecords: number;
|
|
143
|
+
failedRecords: number;
|
|
144
|
+
aliasedRecords: number;
|
|
145
|
+
} | {
|
|
146
|
+
applied: boolean;
|
|
147
|
+
filesWritten: number;
|
|
148
|
+
results: {
|
|
149
|
+
filePath: string;
|
|
150
|
+
keys: number;
|
|
151
|
+
changed: boolean;
|
|
152
|
+
entries: RestorePlanEntry[];
|
|
153
|
+
}[];
|
|
154
|
+
storePath: string;
|
|
155
|
+
files: RestorePlanFile[];
|
|
156
|
+
summary: Record<RestoreAction, number> & {
|
|
157
|
+
filesWithChanges: number;
|
|
158
|
+
};
|
|
159
|
+
failedRecords: number;
|
|
160
|
+
parsedRecords: number;
|
|
161
|
+
rawRecords: number;
|
|
162
|
+
aliasedRecords: number;
|
|
163
|
+
unmanagedStoreFiles: string[];
|
|
164
|
+
excludedRecordsIgnored: number;
|
|
165
|
+
}>;
|
|
166
|
+
|
|
167
|
+
declare const VAULT_UNSAFE_WARNING = "[env-lane:vault] WARNING: This vault is not a production secret-management system.\n[env-lane:vault] It stores reversible encrypted .env records and depends on local key-file handling.\n[env-lane:vault] Use CI/CD secrets, cloud KMS, HashiCorp Vault, SOPS, age, or a platform Secret Manager for production.";
|
|
168
|
+
declare function warnUnsafeVault(options?: {
|
|
169
|
+
disableUnsafeWarning?: boolean;
|
|
170
|
+
stderr?: Pick<typeof process.stderr, 'write'>;
|
|
171
|
+
}): void;
|
|
172
|
+
|
|
173
|
+
export { type RestoreAction, type RestorePlan, type RestorePlanEntry, type RestorePlanFile, VAULT_UNSAFE_WARNING, type VaultConfig, type VaultOperation, type VaultRecord, buildRestorePlan, decryptEnvFiles, decryptRecord, defineVaultConfig, deriveVaultKey, encryptEnvFiles, encryptRecord, loadVaultConfig, runVault, warnUnsafeVault };
|