npm - @geekmidas/cli - Versions diffs - 0.10.0 → 0.13.0 - Mend

@geekmidas/cli 0.10.0 → 0.13.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (146) hide show

package/README.md +525 -0
package/dist/bundler-B1qy9b-j.cjs +112 -0
package/dist/bundler-B1qy9b-j.cjs.map +1 -0
package/dist/bundler-DskIqW2t.mjs +111 -0
package/dist/bundler-DskIqW2t.mjs.map +1 -0
package/dist/{config-C9aXOHBe.cjs → config-AmInkU7k.cjs} +8 -8
package/dist/config-AmInkU7k.cjs.map +1 -0
package/dist/{config-BrkUalUh.mjs → config-DYULeEv8.mjs} +3 -3
package/dist/config-DYULeEv8.mjs.map +1 -0
package/dist/config.cjs +1 -1
package/dist/config.d.cts +1 -1
package/dist/config.d.mts +1 -1
package/dist/config.mjs +1 -1
package/dist/encryption-C8H-38Yy.mjs +42 -0
package/dist/encryption-C8H-38Yy.mjs.map +1 -0
package/dist/encryption-Dyf_r1h-.cjs +44 -0
package/dist/encryption-Dyf_r1h-.cjs.map +1 -0
package/dist/index.cjs +2123 -179
package/dist/index.cjs.map +1 -1
package/dist/index.mjs +2141 -192
package/dist/index.mjs.map +1 -1
package/dist/{openapi-CZLI4QTr.mjs → openapi-BfFlOBCG.mjs} +801 -38
package/dist/openapi-BfFlOBCG.mjs.map +1 -0
package/dist/{openapi-BeHLKcwP.cjs → openapi-Bt_1FDpT.cjs} +794 -31
package/dist/openapi-Bt_1FDpT.cjs.map +1 -0
package/dist/{openapi-react-query-o5iMi8tz.cjs → openapi-react-query-B-sNWHFU.cjs} +5 -5
package/dist/openapi-react-query-B-sNWHFU.cjs.map +1 -0
package/dist/{openapi-react-query-CcciaVu5.mjs → openapi-react-query-B6XTeGqS.mjs} +5 -5
package/dist/openapi-react-query-B6XTeGqS.mjs.map +1 -0
package/dist/openapi-react-query.cjs +1 -1
package/dist/openapi-react-query.d.cts.map +1 -1
package/dist/openapi-react-query.d.mts.map +1 -1
package/dist/openapi-react-query.mjs +1 -1
package/dist/openapi.cjs +2 -2
package/dist/openapi.d.cts +1 -1
package/dist/openapi.d.cts.map +1 -1
package/dist/openapi.d.mts +1 -1
package/dist/openapi.d.mts.map +1 -1
package/dist/openapi.mjs +2 -2
package/dist/storage-BOOpAF8N.cjs +5 -0
package/dist/storage-Bj1E26lU.cjs +187 -0
package/dist/storage-Bj1E26lU.cjs.map +1 -0
package/dist/storage-kSxTjkNb.mjs +133 -0
package/dist/storage-kSxTjkNb.mjs.map +1 -0
package/dist/storage-tgZSUnKl.mjs +3 -0
package/dist/{types-b-vwGpqc.d.cts → types-BR0M2v_c.d.mts} +100 -1
package/dist/types-BR0M2v_c.d.mts.map +1 -0
package/dist/{types-DXgiA1sF.d.mts → types-BhkZc-vm.d.cts} +100 -1
package/dist/types-BhkZc-vm.d.cts.map +1 -0
package/examples/cron-example.ts +27 -27
package/examples/env.ts +27 -27
package/examples/function-example.ts +31 -31
package/examples/gkm.config.json +20 -20
package/examples/gkm.config.ts +8 -8
package/examples/gkm.minimal.config.json +5 -5
package/examples/gkm.production.config.json +25 -25
package/examples/logger.ts +2 -2
package/package.json +6 -6
package/src/__tests__/EndpointGenerator.hooks.spec.ts +191 -191
package/src/__tests__/config.spec.ts +55 -55
package/src/__tests__/loadEnvFiles.spec.ts +93 -93
package/src/__tests__/normalizeHooksConfig.spec.ts +58 -58
package/src/__tests__/openapi-react-query.spec.ts +497 -497
package/src/__tests__/openapi.spec.ts +428 -428
package/src/__tests__/test-helpers.ts +76 -76
package/src/auth/__tests__/credentials.spec.ts +204 -0
package/src/auth/__tests__/index.spec.ts +168 -0
package/src/auth/credentials.ts +187 -0
package/src/auth/index.ts +226 -0
package/src/build/__tests__/bundler.spec.ts +444 -0
package/src/build/__tests__/index-new.spec.ts +474 -474
package/src/build/__tests__/manifests.spec.ts +333 -333
package/src/build/bundler.ts +210 -0
package/src/build/endpoint-analyzer.ts +236 -0
package/src/build/handler-templates.ts +1253 -0
package/src/build/index.ts +260 -179
package/src/build/manifests.ts +52 -52
package/src/build/providerResolver.ts +145 -145
package/src/build/types.ts +64 -43
package/src/config.ts +39 -39
package/src/deploy/__tests__/docker.spec.ts +111 -0
package/src/deploy/__tests__/dokploy.spec.ts +245 -0
package/src/deploy/__tests__/init.spec.ts +662 -0
package/src/deploy/docker.ts +128 -0
package/src/deploy/dokploy.ts +204 -0
package/src/deploy/index.ts +136 -0
package/src/deploy/init.ts +484 -0
package/src/deploy/types.ts +48 -0
package/src/dev/__tests__/index.spec.ts +266 -266
package/src/dev/index.ts +647 -601
package/src/docker/__tests__/compose.spec.ts +531 -0
package/src/docker/__tests__/templates.spec.ts +280 -0
package/src/docker/compose.ts +273 -0
package/src/docker/index.ts +230 -0
package/src/docker/templates.ts +446 -0
package/src/generators/CronGenerator.ts +72 -72
package/src/generators/EndpointGenerator.ts +699 -398
package/src/generators/FunctionGenerator.ts +84 -84
package/src/generators/Generator.ts +72 -72
package/src/generators/OpenApiTsGenerator.ts +577 -577
package/src/generators/SubscriberGenerator.ts +124 -124
package/src/generators/__tests__/CronGenerator.spec.ts +433 -433
package/src/generators/__tests__/EndpointGenerator.spec.ts +532 -382
package/src/generators/__tests__/FunctionGenerator.spec.ts +244 -244
package/src/generators/__tests__/SubscriberGenerator.spec.ts +397 -382
package/src/generators/index.ts +4 -4
package/src/index.ts +623 -201
package/src/init/__tests__/generators.spec.ts +334 -334
package/src/init/__tests__/init.spec.ts +332 -332
package/src/init/__tests__/utils.spec.ts +89 -89
package/src/init/generators/config.ts +175 -175
package/src/init/generators/docker.ts +41 -41
package/src/init/generators/env.ts +72 -72
package/src/init/generators/index.ts +1 -1
package/src/init/generators/models.ts +64 -64
package/src/init/generators/monorepo.ts +161 -161
package/src/init/generators/package.ts +71 -71
package/src/init/generators/source.ts +6 -6
package/src/init/index.ts +203 -208
package/src/init/templates/api.ts +115 -115
package/src/init/templates/index.ts +75 -75
package/src/init/templates/minimal.ts +98 -98
package/src/init/templates/serverless.ts +89 -89
package/src/init/templates/worker.ts +98 -98
package/src/init/utils.ts +54 -56
package/src/openapi-react-query.ts +194 -194
package/src/openapi.ts +63 -63
package/src/secrets/__tests__/encryption.spec.ts +226 -0
package/src/secrets/__tests__/generator.spec.ts +319 -0
package/src/secrets/__tests__/index.spec.ts +91 -0
package/src/secrets/__tests__/storage.spec.ts +611 -0
package/src/secrets/encryption.ts +91 -0
package/src/secrets/generator.ts +164 -0
package/src/secrets/index.ts +383 -0
package/src/secrets/storage.ts +192 -0
package/src/secrets/types.ts +53 -0
package/src/types.ts +295 -176
package/tsdown.config.ts +11 -8
package/dist/config-BrkUalUh.mjs.map +0 -1
package/dist/config-C9aXOHBe.cjs.map +0 -1
package/dist/openapi-BeHLKcwP.cjs.map +0 -1
package/dist/openapi-CZLI4QTr.mjs.map +0 -1
package/dist/openapi-react-query-CcciaVu5.mjs.map +0 -1
package/dist/openapi-react-query-o5iMi8tz.cjs.map +0 -1
package/dist/types-DXgiA1sF.d.mts.map +0 -1
package/dist/types-b-vwGpqc.d.cts.map +0 -1

package/src/secrets/__tests__/storage.spec.ts ADDED Viewed

@@ -0,0 +1,611 @@
+import { existsSync } from 'node:fs';
+import { mkdir, rm } from 'node:fs/promises';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
+import { afterEach, beforeEach, describe, expect, it } from 'vitest';
+import {
+	getSecretsDir,
+	getSecretsPath,
+	maskPassword,
+	readStageSecrets,
+	secretsExist,
+	setCustomSecret,
+	toEmbeddableSecrets,
+	validateEnvironmentVariables,
+	writeStageSecrets,
+} from '../storage';
+import type { StageSecrets } from '../types';
+describe('path utilities', () => {
+	describe('getSecretsDir', () => {
+		it('should return .gkm/secrets relative to cwd', () => {
+			const dir = getSecretsDir('/project');
+			expect(dir).toBe('/project/.gkm/secrets');
+		});
+	});
+	describe('getSecretsPath', () => {
+		it('should return path for stage file', () => {
+			const path = getSecretsPath('production', '/project');
+			expect(path).toBe('/project/.gkm/secrets/production.json');
+		});
+		it('should handle stage names with special characters', () => {
+			const path = getSecretsPath('dev-local', '/project');
+			expect(path).toBe('/project/.gkm/secrets/dev-local.json');
+		});
+	});
+	describe('secretsExist', () => {
+		it('should return false for non-existent secrets', () => {
+			const exists = secretsExist('nonexistent', '/nonexistent-path');
+			expect(exists).toBe(false);
+		});
+	});
+});
+describe('file operations', () => {
+	let tempDir: string;
+	beforeEach(async () => {
+		tempDir = join(tmpdir(), `gkm-test-${Date.now()}`);
+		await mkdir(tempDir, { recursive: true });
+	});
+	afterEach(async () => {
+		if (existsSync(tempDir)) {
+			await rm(tempDir, { recursive: true });
+		}
+	});
+	describe('writeStageSecrets / readStageSecrets', () => {
+		it('should write and read secrets', async () => {
+			const secrets: StageSecrets = {
+				stage: 'production',
+				createdAt: '2024-01-01T00:00:00.000Z',
+				updatedAt: '2024-01-01T00:00:00.000Z',
+				services: {
+					postgres: {
+						host: 'postgres',
+						port: 5432,
+						username: 'app',
+						password: 'secret123',
+						database: 'app',
+					},
+				},
+				urls: {
+					DATABASE_URL: 'postgresql://app:secret123@postgres:5432/app',
+				},
+				custom: {},
+			};
+			await writeStageSecrets(secrets, tempDir);
+			const read = await readStageSecrets('production', tempDir);
+			expect(read).toEqual(secrets);
+		});
+		it('should create directory if it does not exist', async () => {
+			const secrets: StageSecrets = {
+				stage: 'staging',
+				createdAt: new Date().toISOString(),
+				updatedAt: new Date().toISOString(),
+				services: {},
+				urls: {},
+				custom: {},
+			};
+			await writeStageSecrets(secrets, tempDir);
+			expect(existsSync(join(tempDir, '.gkm/secrets'))).toBe(true);
+			expect(existsSync(join(tempDir, '.gkm/secrets/staging.json'))).toBe(true);
+		});
+		it('should return null for non-existent stage', async () => {
+			const read = await readStageSecrets('nonexistent', tempDir);
+			expect(read).toBeNull();
+		});
+	});
+	describe('secretsExist', () => {
+		it('should return true when secrets file exists', async () => {
+			const secrets: StageSecrets = {
+				stage: 'test',
+				createdAt: new Date().toISOString(),
+				updatedAt: new Date().toISOString(),
+				services: {},
+				urls: {},
+				custom: {},
+			};
+			await writeStageSecrets(secrets, tempDir);
+			expect(secretsExist('test', tempDir)).toBe(true);
+		});
+		it('should return false when secrets file does not exist', () => {
+			expect(secretsExist('nonexistent', tempDir)).toBe(false);
+		});
+	});
+	describe('setCustomSecret', () => {
+		it('should add custom secret to existing secrets', async () => {
+			const secrets: StageSecrets = {
+				stage: 'production',
+				createdAt: new Date().toISOString(),
+				updatedAt: new Date().toISOString(),
+				services: {},
+				urls: {},
+				custom: {},
+			};
+			await writeStageSecrets(secrets, tempDir);
+			const updated = await setCustomSecret(
+				'production',
+				'API_KEY',
+				'sk_test_123',
+				tempDir,
+			);
+			expect(updated.custom.API_KEY).toBe('sk_test_123');
+		});
+		it('should update existing custom secret', async () => {
+			const secrets: StageSecrets = {
+				stage: 'production',
+				createdAt: new Date().toISOString(),
+				updatedAt: new Date().toISOString(),
+				services: {},
+				urls: {},
+				custom: { API_KEY: 'old-value' },
+			};
+			await writeStageSecrets(secrets, tempDir);
+			const updated = await setCustomSecret(
+				'production',
+				'API_KEY',
+				'new-value',
+				tempDir,
+			);
+			expect(updated.custom.API_KEY).toBe('new-value');
+		});
+		it('should update updatedAt timestamp', async () => {
+			const originalTime = '2024-01-01T00:00:00.000Z';
+			const secrets: StageSecrets = {
+				stage: 'production',
+				createdAt: originalTime,
+				updatedAt: originalTime,
+				services: {},
+				urls: {},
+				custom: {},
+			};
+			await writeStageSecrets(secrets, tempDir);
+			const updated = await setCustomSecret(
+				'production',
+				'KEY',
+				'value',
+				tempDir,
+			);
+			expect(updated.updatedAt).not.toBe(originalTime);
+		});
+		it('should throw if secrets do not exist for stage', async () => {
+			await expect(
+				setCustomSecret('nonexistent', 'KEY', 'value', tempDir),
+			).rejects.toThrow('Secrets not found for stage "nonexistent"');
+		});
+		it('should persist changes to disk', async () => {
+			const secrets: StageSecrets = {
+				stage: 'production',
+				createdAt: new Date().toISOString(),
+				updatedAt: new Date().toISOString(),
+				services: {},
+				urls: {},
+				custom: {},
+			};
+			await writeStageSecrets(secrets, tempDir);
+			await setCustomSecret('production', 'NEW_KEY', 'new-value', tempDir);
+			const read = await readStageSecrets('production', tempDir);
+			expect(read!.custom.NEW_KEY).toBe('new-value');
+		});
+	});
+});
+describe('toEmbeddableSecrets', () => {
+	it('should include URLs', () => {
+		const secrets: StageSecrets = {
+			stage: 'production',
+			createdAt: new Date().toISOString(),
+			updatedAt: new Date().toISOString(),
+			services: {},
+			urls: {
+				DATABASE_URL: 'postgresql://...',
+				REDIS_URL: 'redis://...',
+			},
+			custom: {},
+		};
+		const embeddable = toEmbeddableSecrets(secrets);
+		expect(embeddable.DATABASE_URL).toBe('postgresql://...');
+		expect(embeddable.REDIS_URL).toBe('redis://...');
+	});
+	it('should include custom secrets', () => {
+		const secrets: StageSecrets = {
+			stage: 'production',
+			createdAt: new Date().toISOString(),
+			updatedAt: new Date().toISOString(),
+			services: {},
+			urls: {},
+			custom: {
+				API_KEY: 'sk_test_123',
+				WEBHOOK_SECRET: 'whsec_abc',
+			},
+		};
+		const embeddable = toEmbeddableSecrets(secrets);
+		expect(embeddable.API_KEY).toBe('sk_test_123');
+		expect(embeddable.WEBHOOK_SECRET).toBe('whsec_abc');
+	});
+	it('should include postgres service credentials', () => {
+		const secrets: StageSecrets = {
+			stage: 'production',
+			createdAt: new Date().toISOString(),
+			updatedAt: new Date().toISOString(),
+			services: {
+				postgres: {
+					host: 'postgres',
+					port: 5432,
+					username: 'app',
+					password: 'secret123',
+					database: 'mydb',
+				},
+			},
+			urls: {},
+			custom: {},
+		};
+		const embeddable = toEmbeddableSecrets(secrets);
+		expect(embeddable.POSTGRES_USER).toBe('app');
+		expect(embeddable.POSTGRES_PASSWORD).toBe('secret123');
+		expect(embeddable.POSTGRES_DB).toBe('mydb');
+		expect(embeddable.POSTGRES_HOST).toBe('postgres');
+		expect(embeddable.POSTGRES_PORT).toBe('5432');
+	});
+	it('should include redis service credentials', () => {
+		const secrets: StageSecrets = {
+			stage: 'production',
+			createdAt: new Date().toISOString(),
+			updatedAt: new Date().toISOString(),
+			services: {
+				redis: {
+					host: 'redis',
+					port: 6379,
+					username: 'default',
+					password: 'redis-pass',
+				},
+			},
+			urls: {},
+			custom: {},
+		};
+		const embeddable = toEmbeddableSecrets(secrets);
+		expect(embeddable.REDIS_PASSWORD).toBe('redis-pass');
+		expect(embeddable.REDIS_HOST).toBe('redis');
+		expect(embeddable.REDIS_PORT).toBe('6379');
+	});
+	it('should include rabbitmq service credentials', () => {
+		const secrets: StageSecrets = {
+			stage: 'production',
+			createdAt: new Date().toISOString(),
+			updatedAt: new Date().toISOString(),
+			services: {
+				rabbitmq: {
+					host: 'rabbitmq',
+					port: 5672,
+					username: 'app',
+					password: 'rmq-pass',
+					vhost: '/myapp',
+				},
+			},
+			urls: {},
+			custom: {},
+		};
+		const embeddable = toEmbeddableSecrets(secrets);
+		expect(embeddable.RABBITMQ_USER).toBe('app');
+		expect(embeddable.RABBITMQ_PASSWORD).toBe('rmq-pass');
+		expect(embeddable.RABBITMQ_HOST).toBe('rabbitmq');
+		expect(embeddable.RABBITMQ_PORT).toBe('5672');
+		expect(embeddable.RABBITMQ_VHOST).toBe('/myapp');
+	});
+	it('should handle all services and custom secrets together', () => {
+		const secrets: StageSecrets = {
+			stage: 'production',
+			createdAt: new Date().toISOString(),
+			updatedAt: new Date().toISOString(),
+			services: {
+				postgres: {
+					host: 'postgres',
+					port: 5432,
+					username: 'app',
+					password: 'pg-pass',
+					database: 'app',
+				},
+				redis: {
+					host: 'redis',
+					port: 6379,
+					username: 'default',
+					password: 'redis-pass',
+				},
+			},
+			urls: {
+				DATABASE_URL: 'postgresql://...',
+				REDIS_URL: 'redis://...',
+			},
+			custom: {
+				API_KEY: 'key123',
+			},
+		};
+		const embeddable = toEmbeddableSecrets(secrets);
+		// URLs
+		expect(embeddable.DATABASE_URL).toBe('postgresql://...');
+		expect(embeddable.REDIS_URL).toBe('redis://...');
+		// Custom
+		expect(embeddable.API_KEY).toBe('key123');
+		// Postgres
+		expect(embeddable.POSTGRES_PASSWORD).toBe('pg-pass');
+		// Redis
+		expect(embeddable.REDIS_PASSWORD).toBe('redis-pass');
+	});
+});
+describe('maskPassword', () => {
+	it('should mask middle characters', () => {
+		const masked = maskPassword('abcdefghijklmnop');
+		expect(masked).toBe('abcd**********op');
+	});
+	it('should show first 4 and last 2 characters', () => {
+		const masked = maskPassword('1234567890');
+		expect(masked.slice(0, 4)).toBe('1234');
+		expect(masked.slice(-2)).toBe('90');
+	});
+	it('should return all asterisks for short passwords', () => {
+		expect(maskPassword('short')).toBe('********');
+		expect(maskPassword('12345678')).toBe('********');
+	});
+	it('should handle exactly 9 character password', () => {
+		const masked = maskPassword('123456789');
+		expect(masked).toBe('1234***89');
+	});
+});
+describe('validateEnvironmentVariables', () => {
+	const baseSecrets: StageSecrets = {
+		stage: 'production',
+		createdAt: new Date().toISOString(),
+		updatedAt: new Date().toISOString(),
+		services: {},
+		urls: {},
+		custom: {},
+	};
+	it('should return valid when no variables are required', () => {
+		const result = validateEnvironmentVariables([], baseSecrets);
+		expect(result.valid).toBe(true);
+		expect(result.missing).toEqual([]);
+		expect(result.provided).toEqual([]);
+		expect(result.required).toEqual([]);
+	});
+	it('should return valid when all required variables are present', () => {
+		const secrets: StageSecrets = {
+			...baseSecrets,
+			urls: {
+				DATABASE_URL: 'postgresql://...',
+			},
+			custom: {
+				API_KEY: 'sk_test_123',
+			},
+		};
+		const result = validateEnvironmentVariables(
+			['DATABASE_URL', 'API_KEY'],
+			secrets,
+		);
+		expect(result.valid).toBe(true);
+		expect(result.missing).toEqual([]);
+		expect(result.provided).toEqual(['API_KEY', 'DATABASE_URL']);
+		expect(result.required).toEqual(['API_KEY', 'DATABASE_URL']);
+	});
+	it('should return invalid when some variables are missing', () => {
+		const secrets: StageSecrets = {
+			...baseSecrets,
+			urls: {
+				DATABASE_URL: 'postgresql://...',
+			},
+			custom: {},
+		};
+		const result = validateEnvironmentVariables(
+			['DATABASE_URL', 'API_KEY', 'JWT_SECRET'],
+			secrets,
+		);
+		expect(result.valid).toBe(false);
+		expect(result.missing).toEqual(['API_KEY', 'JWT_SECRET']);
+		expect(result.provided).toEqual(['DATABASE_URL']);
+		expect(result.required).toEqual(['API_KEY', 'DATABASE_URL', 'JWT_SECRET']);
+	});
+	it('should return invalid when all variables are missing', () => {
+		const result = validateEnvironmentVariables(
+			['API_KEY', 'JWT_SECRET'],
+			baseSecrets,
+		);
+		expect(result.valid).toBe(false);
+		expect(result.missing).toEqual(['API_KEY', 'JWT_SECRET']);
+		expect(result.provided).toEqual([]);
+	});
+	it('should recognize service credentials as provided', () => {
+		const secrets: StageSecrets = {
+			...baseSecrets,
+			services: {
+				postgres: {
+					host: 'postgres',
+					port: 5432,
+					username: 'app',
+					password: 'secret',
+					database: 'app',
+				},
+				redis: {
+					host: 'redis',
+					port: 6379,
+					username: 'default',
+					password: 'redis-pass',
+				},
+			},
+			urls: {},
+			custom: {},
+		};
+		const result = validateEnvironmentVariables(
+			['POSTGRES_PASSWORD', 'REDIS_HOST', 'POSTGRES_DB'],
+			secrets,
+		);
+		expect(result.valid).toBe(true);
+		expect(result.missing).toEqual([]);
+		expect(result.provided).toEqual([
+			'POSTGRES_DB',
+			'POSTGRES_PASSWORD',
+			'REDIS_HOST',
+		]);
+	});
+	it('should sort missing and provided arrays alphabetically', () => {
+		const secrets: StageSecrets = {
+			...baseSecrets,
+			custom: {
+				ZEBRA: 'value',
+				ALPHA: 'value',
+			},
+		};
+		const result = validateEnvironmentVariables(
+			['ZEBRA', 'ALPHA', 'YELLOW', 'BETA'],
+			secrets,
+		);
+		expect(result.missing).toEqual(['BETA', 'YELLOW']);
+		expect(result.provided).toEqual(['ALPHA', 'ZEBRA']);
+		expect(result.required).toEqual(['ALPHA', 'BETA', 'YELLOW', 'ZEBRA']);
+	});
+	it('should handle duplicate required variables', () => {
+		const secrets: StageSecrets = {
+			...baseSecrets,
+			custom: {
+				API_KEY: 'value',
+			},
+		};
+		const result = validateEnvironmentVariables(
+			['API_KEY', 'API_KEY', 'MISSING'],
+			secrets,
+		);
+		expect(result.valid).toBe(false);
+		expect(result.missing).toEqual(['MISSING']);
+		// Note: duplicates in input are preserved in required list
+		expect(result.required).toEqual(['API_KEY', 'API_KEY', 'MISSING']);
+	});
+	it('should work with complex service configurations', () => {
+		const secrets: StageSecrets = {
+			...baseSecrets,
+			services: {
+				postgres: {
+					host: 'postgres',
+					port: 5432,
+					username: 'app',
+					password: 'pg-secret',
+					database: 'mydb',
+				},
+				redis: {
+					host: 'redis',
+					port: 6379,
+					username: 'default',
+					password: 'redis-secret',
+				},
+				rabbitmq: {
+					host: 'rabbitmq',
+					port: 5672,
+					username: 'guest',
+					password: 'guest',
+					vhost: '/',
+				},
+			},
+			urls: {
+				DATABASE_URL: 'postgresql://...',
+				REDIS_URL: 'redis://...',
+				RABBITMQ_URL: 'amqp://...',
+			},
+			custom: {
+				JWT_SECRET: 'jwt-secret-value',
+			},
+		};
+		const result = validateEnvironmentVariables(
+			[
+				'DATABASE_URL',
+				'REDIS_URL',
+				'RABBITMQ_URL',
+				'JWT_SECRET',
+				'POSTGRES_PASSWORD',
+				'REDIS_PASSWORD',
+				'RABBITMQ_USER',
+				'MISSING_VAR',
+			],
+			secrets,
+		);
+		expect(result.valid).toBe(false);
+		expect(result.missing).toEqual(['MISSING_VAR']);
+		expect(result.provided).toContain('DATABASE_URL');
+		expect(result.provided).toContain('REDIS_URL');
+		expect(result.provided).toContain('RABBITMQ_URL');
+		expect(result.provided).toContain('JWT_SECRET');
+		expect(result.provided).toContain('POSTGRES_PASSWORD');
+		expect(result.provided).toContain('REDIS_PASSWORD');
+		expect(result.provided).toContain('RABBITMQ_USER');
+	});
+});

package/src/secrets/encryption.ts ADDED Viewed

@@ -0,0 +1,91 @@
+import { createCipheriv, createDecipheriv, randomBytes } from 'node:crypto';
+import type { EmbeddableSecrets, EncryptedPayload } from './types';
+/** AES-256-GCM configuration */
+const ALGORITHM = 'aes-256-gcm';
+const KEY_LENGTH = 32; // 256 bits
+const IV_LENGTH = 12; // 96 bits for GCM
+const AUTH_TAG_LENGTH = 16; // 128 bits
+/**
+ * Encrypt secrets for embedding in a bundle.
+ * Uses AES-256-GCM with a randomly generated ephemeral key.
+ *
+ * @param secrets - Key-value pairs to encrypt
+ * @returns Encrypted payload with ephemeral master key
+ */
+export function encryptSecrets(secrets: EmbeddableSecrets): EncryptedPayload {
+	// Generate ephemeral key and IV
+	const masterKey = randomBytes(KEY_LENGTH);
+	const iv = randomBytes(IV_LENGTH);
+	// Serialize secrets to JSON
+	const plaintext = JSON.stringify(secrets);
+	// Encrypt
+	const cipher = createCipheriv(ALGORITHM, masterKey, iv);
+	const ciphertext = Buffer.concat([
+		cipher.update(plaintext, 'utf-8'),
+		cipher.final(),
+	]);
+	// Get auth tag
+	const authTag = cipher.getAuthTag();
+	// Combine ciphertext + auth tag
+	const combined = Buffer.concat([ciphertext, authTag]);
+	return {
+		encrypted: combined.toString('base64'),
+		iv: iv.toString('hex'),
+		masterKey: masterKey.toString('hex'),
+	};
+}
+/**
+ * Decrypt secrets from an encrypted payload.
+ * Used at runtime to decrypt embedded credentials.
+ *
+ * @param encrypted - Base64 encoded ciphertext + auth tag
+ * @param iv - Hex encoded IV
+ * @param masterKey - Hex encoded master key
+ * @returns Decrypted secrets
+ */
+export function decryptSecrets(
+	encrypted: string,
+	iv: string,
+	masterKey: string,
+): EmbeddableSecrets {
+	// Decode inputs
+	const key = Buffer.from(masterKey, 'hex');
+	const ivBuffer = Buffer.from(iv, 'hex');
+	const combined = Buffer.from(encrypted, 'base64');
+	// Split ciphertext and auth tag
+	const ciphertext = combined.subarray(0, -AUTH_TAG_LENGTH);
+	const authTag = combined.subarray(-AUTH_TAG_LENGTH);
+	// Decrypt
+	const decipher = createDecipheriv(ALGORITHM, key, ivBuffer);
+	decipher.setAuthTag(authTag);
+	const plaintext = Buffer.concat([
+		decipher.update(ciphertext),
+		decipher.final(),
+	]);
+	return JSON.parse(plaintext.toString('utf-8')) as EmbeddableSecrets;
+}
+/**
+ * Generate the define options for tsdown/esbuild.
+ * These will be injected at build time.
+ */
+export function generateDefineOptions(
+	payload: EncryptedPayload,
+): Record<string, string> {
+	return {
+		__GKM_ENCRYPTED_CREDENTIALS__: JSON.stringify(payload.encrypted),
+		__GKM_CREDENTIALS_IV__: JSON.stringify(payload.iv),
+	};
+}