@getjack/jack 0.1.33 → 0.1.34

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@getjack/jack",
-	"version": "0.1.33",
+	"version": "0.1.34",
 	"description": "Ship before you forget why you started. The vibecoder's deployment CLI.",
 	"license": "Apache-2.0",
 	"type": "module",

package/src/commands/secrets.ts

@@ -219,11 +219,13 @@ async function setSecret(args: string[], options: SecretsOptions): Promise<void>
  */
 async function setSecretManaged(projectId: string, name: string, value: string): Promise<void> {
 	const { authFetch } = await import("../lib/auth/index.ts");
+	const { encryptSecretValue } = await import("../lib/crypto.ts");
 
+	const encryptedValue = await encryptSecretValue(value);
 	const response = await authFetch(`${getControlApiUrl()}/v1/projects/${projectId}/secrets`, {
 		method: "POST",
 		headers: { "Content-Type": "application/json" },
-		body: JSON.stringify({ name, value }),
+		body: JSON.stringify({ name, value: encryptedValue }),
 	});
 
 	if (!response.ok) {

package/src/lib/crypto.ts

@@ -0,0 +1,84 @@
+/**
+ * Client-side encryption for secrets sent to the control plane.
+ *
+ * Uses hybrid RSA-OAEP + AES-GCM so secrets of any size can be encrypted.
+ * The control plane holds the matching RSA private key as a worker secret.
+ */
+
+export interface EncryptedEnvelope {
+	__encrypted: true;
+	kid: string;
+	wrappedKey: string; // base64url
+	iv: string; // base64url
+	ciphertext: string; // base64url
+}
+
+const KEY_ID = "v1";
+
+/** RSA-OAEP-256 public key for secrets encryption (generated by scripts/generate-encryption-keypair.ts) */
+const PUBLIC_KEY_JWK: JsonWebKey = {
+	alg: "RSA-OAEP-256",
+	e: "AQAB",
+	ext: true,
+	key_ops: ["encrypt"],
+	kty: "RSA",
+	n: "q2Y4K6heGkv_ABFOYokNXcwHFLAG3JScxEhjnZQTi7K8JEdCM9inqcy3gGhtT4lP6YWqhF4IHRMFU4qhPuByLASNp3bMWzDDKlckyDeWyPRnJqjb6IvwPYLw0ky1WumjjypAX_OSpNKhuYHx1X1hu7KQq9oa3f6sHFM5XbofMM2f__HvcEHnBVgkJvjTL2dn94DPgnsmtTLSRUAde34DQnXAKjVJ2jDuoC_sDAUmcmsEZKt3AUaCTkLBtbfW-ZI6_4VD2yNw-ySuOEprhhsNi6UpbjPY1ncduB5nkNhb276kVsjWo8w89KvDlhNCRyyZ_c0QRYSxn-nYEIE3vtS_h9FC9keMcDnH_fE4VPn14cjPV_G-eiUAoow8q5qBnFEp9DaaOswZ8IwEhpaxN6jvgk1WikZIBd58WB4HHSFWQ-W-096_5FA4cltQE7Qgwy86AgPnhpuCLLTqwpx8XF3GLbWtt9h4QYpfjrLyGuj4gJWCI4AJSDY1bvqiZtTfO1LdhyiZteEH0XhSBvXjXb1dJHbNXIcrIa_owtfEKqb53AxxwTvPaZazkigT0MqZ-141e7x6kuDkG_gSSFyCGrESaAyGYRh2K4wcGuV4jyZlQ6dzbQd0DPn8uRW3kC_vpToyZxZVqWGXFD6TtMYQwo_zWK3IaYCYMB-TYBFJj8a41z8",
+};
+
+function base64urlEncode(bytes: ArrayBuffer | Uint8Array): string {
+	const u8 = bytes instanceof Uint8Array ? bytes : new Uint8Array(bytes);
+	let bin = "";
+	for (let i = 0; i < u8.length; i++) {
+		bin += String.fromCharCode(u8[i]);
+	}
+	return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+
+let _cachedPublicKey: CryptoKey | null = null;
+
+async function getPublicKey(): Promise<CryptoKey> {
+	if (_cachedPublicKey) return _cachedPublicKey;
+	_cachedPublicKey = await crypto.subtle.importKey(
+		"jwk",
+		PUBLIC_KEY_JWK,
+		{ name: "RSA-OAEP", hash: "SHA-256" },
+		false,
+		["encrypt"],
+	);
+	return _cachedPublicKey;
+}
+
+/** Encrypt a single plaintext string into an encrypted envelope. */
+export async function encryptSecretValue(plaintext: string): Promise<EncryptedEnvelope> {
+	const rsaKey = await getPublicKey();
+
+	// Generate ephemeral AES-256-GCM key
+	const aesKey = await crypto.subtle.generateKey({ name: "AES-GCM", length: 256 }, true, [
+		"encrypt",
+	]);
+
+	// Encrypt plaintext with AES-GCM
+	const iv = crypto.getRandomValues(new Uint8Array(12));
+	const plainBytes = new TextEncoder().encode(plaintext);
+	const ciphertext = await crypto.subtle.encrypt({ name: "AES-GCM", iv }, aesKey, plainBytes);
+
+	// Wrap the AES key with RSA-OAEP
+	const rawAesKey = await crypto.subtle.exportKey("raw", aesKey);
+	const wrappedKey = await crypto.subtle.encrypt({ name: "RSA-OAEP" }, rsaKey, rawAesKey);
+
+	return {
+		__encrypted: true,
+		kid: KEY_ID,
+		wrappedKey: base64urlEncode(wrappedKey),
+		iv: base64urlEncode(iv),
+		ciphertext: base64urlEncode(ciphertext),
+	};
+}
+
+/**
+ * Encrypt a full secrets map (Record<string, string>) as a single envelope.
+ * The entire JSON object is serialized then encrypted as one blob.
+ */
+export async function encryptSecrets(secrets: Record<string, string>): Promise<EncryptedEnvelope> {
+	return encryptSecretValue(JSON.stringify(secrets));
+}

package/src/lib/deploy-upload.ts

@@ -6,6 +6,7 @@ import { readFile } from "node:fs/promises";
 import type { AssetManifest } from "./asset-hash.ts";
 import { authFetch } from "./auth/index.ts";
 import { getControlApiUrl } from "./control-plane.ts";
+import { encryptSecrets } from "./crypto.ts";
 import { debug } from "./debug.ts";
 import { formatSize } from "./format.ts";
 
@@ -67,13 +68,16 @@ export async function uploadDeployment(options: DeployUploadOptions): Promise<De
 	}
 
 	if (options.secretsPath) {
-		const secretsContent = await readFile(options.secretsPath);
+		const secretsContent = await readFile(options.secretsPath, "utf-8");
+		const secretsJson = JSON.parse(secretsContent) as Record<string, string>;
+		const encryptedEnvelope = await encryptSecrets(secretsJson);
+		const encryptedPayload = JSON.stringify(encryptedEnvelope);
 		formData.append(
 			"secrets",
-			new Blob([secretsContent], { type: "application/json" }),
+			new Blob([encryptedPayload], { type: "application/json" }),
 			"secrets.json",
 		);
-		totalSize += secretsContent.length;
+		totalSize += encryptedPayload.length;
 	}
 
 	if (options.assetsZipPath) {

package/src/lib/hooks.ts

@@ -533,8 +533,7 @@ const actionHandlers: {
 					const { isCancel, text } = await import("@clack/prompts");
 					const value = await text({ message: promptMsg });
 
-					if (isCancel(value) || !value.trim()) {
-						ui.warn(`Skipped ${action.key}`);
+					if (isCancel(value) || !value || !value.trim()) {
 						return false;
 					}
 

package/src/lib/project-operations.ts

@@ -797,10 +797,18 @@ export async function createProject(
 			? resolve(targetDirOption, name)
 			: join(getJackHome(), name);
 		if (existsSync(effectiveTargetDir)) {
+			const existingLink = await readProjectLink(effectiveTargetDir);
+			if (existingLink) {
+				throw new JackError(
+					JackErrorCode.VALIDATION_ERROR,
+					`'${name}' already exists`,
+					`cd ${effectiveTargetDir} && jack ship  to deploy it, or  rm -rf ${effectiveTargetDir}  to start fresh.`,
+				);
+			}
 			throw new JackError(
 				JackErrorCode.VALIDATION_ERROR,
-				`Folder exists at ${effectiveTargetDir}/`,
-				"Remove it first, or use 'jack ship' if it's a project.",
+				`Folder already exists at ${effectiveTargetDir}/`,
+				"Remove it or pick a different name.",
 			);
 		}
 	}
@@ -873,10 +881,18 @@ export async function createProject(
 
 	// Check directory doesn't exist (only needed for auto-generated names now)
 	if (!nameWasProvided && existsSync(targetDir)) {
+		const existingLink = await readProjectLink(targetDir);
+		if (existingLink) {
+			throw new JackError(
+				JackErrorCode.VALIDATION_ERROR,
+				`'${projectName}' already exists`,
+				`cd ${targetDir} && jack ship  to deploy it, or  rm -rf ${targetDir}  to start fresh.`,
+			);
+		}
 		throw new JackError(
 			JackErrorCode.VALIDATION_ERROR,
-			`Folder exists at ${targetDir}/`,
-			"Remove it first, or use 'jack ship' if it's a project.",
+			`Folder already exists at ${targetDir}/`,
+			"Remove it first or pick a different name.",
 		);
 	}
 
@@ -1045,8 +1061,8 @@ export async function createProject(
 		if (!hookResult.success) {
 			throw new JackError(
 				JackErrorCode.VALIDATION_ERROR,
-				"Project setup incomplete",
-				"Missing required configuration",
+				"Project setup cancelled",
+				`Run the same command again when you're ready — jack new ${projectName} -t ${resolvedTemplate}`,
 			);
 		}
 	}
@@ -1111,7 +1127,7 @@ export async function createProject(
 				placeholder: "paste value or press Esc to skip",
 			});
 
-			if (!isCancel(value) && value.trim()) {
+			if (!isCancel(value) && value && value.trim()) {
 				secretsToUse[optionalSecret.name] = value.trim();
 				// Save to global secrets for reuse
 				await saveSecrets([
@@ -1123,7 +1139,7 @@ export async function createProject(
 				]);
 				reporter.success(`Saved ${optionalSecret.name}`);
 			} else {
-				reporter.info(`Skipped ${optionalSecret.name}`);
+				reporter.info(`Skipped ${optionalSecret.name} — add it later with: jack secrets add ${optionalSecret.name}`);
 			}
 
 			reporter.start("Creating project...");

package/src/lib/prompts.ts

@@ -68,7 +68,7 @@ async function promptAdditionalSecrets(): Promise<
 			message: "Enter secret name (or press enter to finish):",
 		});
 
-		if (isCancel(key) || !key.trim()) {
+		if (isCancel(key) || !key || !key.trim()) {
 			break;
 		}
 
@@ -76,7 +76,7 @@ async function promptAdditionalSecrets(): Promise<
 			message: `Enter value for ${key}:`,
 		});
 
-		if (isCancel(value)) {
+		if (isCancel(value) || !value) {
 			break;
 		}
 

package/templates/CLAUDE.md

@@ -114,6 +114,27 @@ Before shipping a new template:
 - [ ] Install time < 5s (cold cache + lockfile)
 - [ ] All scripts work without global tools except wrangler
 - [ ] `.gitignore` includes `.env`, `.dev.vars`, `.secrets.json`
+- [ ] Prebuilt builds without env vars: `bun run build` succeeds with zero secrets set
+- [ ] If template has `schema.sql`, verify it's included in prebuild output
+
+## Prebuild Compatibility (IMPORTANT)
+
+Templates are prebuilt at release time **without any env vars or secrets**. The prebuild runs `bun run build` in a clean environment. If the build depends on runtime env vars, it will fail silently (only discovered when someone runs `prebuild-templates.ts`).
+
+**Common failure:** A provider component (e.g., `ClerkProvider`, `AuthProvider`) in the root layout requires an API key at import time. Next.js tries to statically prerender pages and the provider throws because the key is missing.
+
+**Fix:** Add `export const dynamic = "force-dynamic"` to the root layout. This tells Next.js to skip static prerendering for all pages, deferring to runtime where env vars are available.
+
+```tsx
+// app/layout.tsx
+export const dynamic = "force-dynamic"; // Required: provider needs runtime env vars
+
+export default function RootLayout({ children }) {
+  return <SomeProvider>{children}</SomeProvider>;
+}
+```
+
+**General rule:** If a template imports any SDK/provider that reads `process.env` or `env.*` at initialization, that template's layout or pages must be force-dynamic to survive a zero-env-var prebuild.
 
 ## Placeholder System
 

package/templates/nextjs-clerk/app/layout.tsx

@@ -3,6 +3,8 @@ import type { Metadata } from "next";
 import { Header } from "@/components/header";
 import "./globals.css";
 
+export const dynamic = "force-dynamic";
+
 export const metadata: Metadata = {
 	title: "jack-template",
 	description: "Next.js + Clerk auth app built with jack",