npm - @joinremba/beacon - Versions diffs - 0.4.0 → 0.5.0 - Mend

@joinremba/beacon 0.4.0 → 0.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/README.md CHANGED Viewed

@@ -8,13 +8,13 @@
 <p align="center">
   <a href="https://www.npmjs.com/package/@joinremba/beacon"><img src="https://img.shields.io/npm/v/@joinremba/beacon.svg" alt="npm version"></a>
-  <a href="LICENSE"><img src="https://img.shields.io/npm/l/@joinremba/beacon.svg" alt="Licence"></a>
+  <a href="LICENSE"><img src="https://img.shields.io/npm/l/@joinremba/beacon.svg" alt="License"></a>
   <a href="https://github.com/joinremba/beacon/actions/workflows/ci.yml"><img src="https://github.com/joinremba/beacon/actions/workflows/ci.yml/badge.svg" alt="CI"></a>
   <img src="https://img.shields.io/badge/Bun-%3E%3D1.3.1-black?logo=bun" alt="Bun">
   <img src="https://img.shields.io/badge/TypeScript-6-blue" alt="TypeScript">
 </p>
-Beacon helps TypeScript teams boot applications safely by validating environment variables, config, secrets, and runtime feature gates before production breaks.
+Beacon validates environment variables, config, secrets, and runtime feature gates before production breaks. Define your schema once — get type coercion, secret redaction, profile merging, per-command CLI tooling, and AES-256-GCM encryption for your `.env` files.
 ```sh
 bun add @joinremba/beacon
@@ -24,79 +24,207 @@ bunx beacon check
 ---
+## Features
+- **Schema-based validation** with type coercion — `string`, `url`, `number`, `integer`, `boolean`, `enum`, `port`, `host`, `email`
+- **Custom Zod schemas** for advanced validation rules
+- **Aggregated error reporting** — all errors collected at once, not fail-fast
+- **Secret redaction** — `[REDACTED]` in error messages and CLI output
+- **Default values** for optional variables
+- **Profile merging** — define different schemas per environment (dev, staging, production)
+- **Feature gates** with percentage-based rollout (deterministic djb2 hash)
+- **Kill switches** — `KILL_<NAME>` env var takes priority over feature gates
+- **Environment overrides** — `FEATURE_<NAME>` env var toggles features at runtime
+- **Remote config** via `client` option — connect to Nexus backend
+- **`strict: false` mode** for tests and bootstrap
+- **CLI commands** — `init`, `check`, `encrypt`, `decrypt`, `rotate`, `drift`, `docker`
+- **AES-256-GCM encryption** for `.env` files
+- **Zero runtime dependencies** beyond `zod` and `@joinremba/core`
+---
+## Installation
+```sh
+bun add @joinremba/beacon
+```
+---
 ## Quick Start
 ```ts
 import { createBeacon } from "@joinremba/beacon";
-const config = createBeacon({
-  DATABASE_URL: { type: "url", required: true },
-  REDIS_URL: { type: "url", required: true },
-  NODE_ENV: {
-    type: "enum",
-    values: ["development", "test", "staging", "production"],
-    default: "development",
-  },
-  PORT: { type: "port", default: 3000 },
-  API_KEY: { type: "string", required: true, secret: true },
+const beacon = createBeacon({
+  PORT:          { type: "port", default: 3000 },
+  DATABASE_URL:  { type: "url", secret: true },
+  NODE_ENV:      { type: "enum", values: ["dev", "prod"], default: "dev" },
+  FEATURE_NEW_CHECKOUT: { type: "boolean", default: "false" },
 });
-config.ensure();
-const dbUrl = config.get<string>("DATABASE_URL");
+await beacon.ensure();
+const port = beacon.get<number>("PORT");         // 3000
+const dbUrl = beacon.get<string>("DATABASE_URL"); // process.env value
 ```
-If any variable is missing or invalid, `ensure()` throws a `ConfigValidationError` with **all issues collected at once** — so you fix everything in a single pass, not iteratively.
+If any variable is missing or invalid, `ensure()` throws a `ConfigValidationError` with **all issues reported at once** — so you fix everything in a single pass.
 ---
-## Why Beacon?
+## Schema Field Types
-Most backend projects start with a scattered collection of helper functions for reading env vars, checking types, and remembering which vars are required. This works until:
+| Type      | Description                          | Coercion / Validation                  |
+|-----------|--------------------------------------|----------------------------------------|
+| `string`  | Any string value                     | `z.string()`                           |
+| `url`     | Valid URL                            | `z.string().url()`                     |
+| `number`  | Coerced to number                    | `z.coerce.number()`                    |
+| `integer` | Coerced to integer                   | `z.coerce.number().int()`              |
+| `boolean` | `true` / `false` / `1` / `0` / `yes` / `no` | String transform + `z.boolean()` |
+| `enum`    | Must match one of `values[]`         | `z.enum(values)`                       |
+| `port`    | Integer 1–65535                      | `z.coerce.number().int().min(1).max(65535)` |
+| `host`    | Hostname string                      | `z.string()`                           |
+| `email`   | Valid email format                   | `z.string().email()`                   |
-- A new developer joins and doesn't know which env vars exist
-- A staging environment crashes because a required var was renamed but not documented
-- A secret leaks into an error log because nobody added redaction
-- Your CI pipeline passes locally but fails in production due to config drift
+### Schema Entry Options
-Beacon solves these by giving you a **single source of truth** for your env schema, with built-in validation, secrets redaction, profile support, and CLI tools for generating `.env.example` and checking environments.
+```ts
+{ type: "url", required: true, default: "https://localhost", secret: true, description: "DB connection string" }
+```
----
+| Field         | Type        | Default  | Description                              |
+|---------------|-------------|----------|------------------------------------------|
+| `type`        | `FieldType` | —        | The field type to validate against.      |
+| `required`    | `boolean`   | `true`   | Whether the variable must be set.        |
+| `default`     | `unknown`   | —        | Default value when not set in env.       |
+| `secret`      | `boolean`   | `false`  | Redact value from errors and CLI output. |
+| `values`      | `string[]`  | —        | Allowed values (for `"enum"` type only). |
+| `description` | `string`    | —        | Used when generating `.env.example`.     |
-## Features
+### Custom Zod Schemas
+For advanced validation, pass a Zod schema directly:
-- **Schema-based validation** — Define your env schema with simple string types (`"url"`, `"port"`, `"enum"`, etc.) or raw Zod schemas.
-- **Missing variable detection** — All errors are collected and reported together, not one at a time.
-- **Secrets redaction** — Keep secrets out of logs and error messages automatically. Values are replaced with `[REDACTED]`.
-- **Local/staging/production profiles** — Define different schemas per environment.
-- **`.env.example` generation** — Generate a documented `.env.example` from your schema via the CLI.
-- **CLI** — `beacon init` scaffolds config, `beacon check` validates before deploying.
-- **Zero runtime overhead** — Validations run once at boot. After that, access is plain property reads.
-- **Framework-agnostic** — Works with Bun, Node.js, Express, Hono, Fastify, Next.js, Elysia.
+```ts
+import { z } from "zod";
+const beacon = createBeacon({
+  PORT:      { schema: z.coerce.number().positive().max(9999) },
+  WHITELIST: { schema: z.string().regex(/^[\d,]+$/) },
+});
+```
 ---
-## CLI
+## Feature Gates
-Beacon ships with a CLI for development and CI workflows.
+Toggle features on and off without redeploying. Define gates in the `features` option and check them with `isEnabled()`.
-### `beacon init`
+```ts
+const beacon = createBeacon(
+  { DATABASE_URL: { type: "url" } },
+  {
+    features: {
+      newDashboard:      { enabled: true },
+      darkMode:          { enabled: false },
+      gradualRollout:    { enabled: true, rollout: 0.5 },
+    },
+    killSwitches: {
+      brokenFeature: true,          // force-disabled
+    },
+  }
+);
+beacon.isEnabled("newDashboard");    // true
+beacon.isEnabled("darkMode");        // false
+beacon.isEnabled("gradualRollout");  // true for ~50% of instances (deterministic hash)
+beacon.isEnabled("brokenFeature");   // false — killed
+beacon.isKilled("brokenFeature");    // true
+```
+### `FeatureGate`
+| Option        | Type      | Default  | Description                                               |
+|---------------|-----------|----------|-----------------------------------------------------------|
+| `enabled`     | `boolean` | `false`  | Whether the gate is on by default.                        |
+| `rollout`     | `number`  | —        | Fraction of instances (0–1) that see the feature. Uses deterministic djb2 hash. |
+| `description` | `string`  | —        | Human-readable description.                               |
-Generate a documented `.env.example` from your beacon config:
+### Environment Overrides
+Set `FEATURE_<NAME>` in the environment to override any feature gate at runtime. CamelCase names are converted to `SCREAMING_SNAKE_CASE` (`newDashboard` → `FEATURE_NEW_DASHBOARD`). Accepted truthy values: `true`, `1`, `yes`.
 ```sh
-bunx beacon init
+FEATURE_DARK_MODE=true bun start
+FEATURE_NEW_DASHBOARD=false bun start
+```
-# With a production profile:
-bunx beacon init --profile production
+### Kill Switches
-# Custom config path:
-bunx beacon init -c ./config/beacon.json -o .env.example.prod
+Kill switches **always take priority** over feature gates. Set them via the `killSwitches` option or the `KILL_<NAME>` env var.
+```sh
+KILL_BROKEN_FEATURE=true bun start
+```
+```ts
+beacon.isKilled("brokenFeature"); // true
+beacon.isEnabled("brokenFeature"); // false — killed overrides enabled
+```
+---
+## Remote Config
+Beacon can merge in remote configuration entries from a Nexus backend before local validation. Pass a `Client` from `@joinremba/core` via the `client` option.
+```ts
+import { createBeacon } from "@joinremba/beacon";
+import { createClient } from "@joinremba/core";
+const beacon = createBeacon(
+  {
+    PORT: { type: "port", default: 3000 },
+  },
+  {
+    client: createClient({ apiKey: "api_core_live_..." }),
+  }
+);
+await beacon.ensure();
+// Remote entries fill gaps not defined in the schema.
+// Schema entries always take priority over remote values.
+// Network failures fall back silently to local-only validation.
 ```
-Output includes types, defaults, descriptions, and secret markers for every variable:
+---
+## CLI Commands
+Beacon ships with a CLI for development, CI, and ops workflows.
+| Command      | Description                                      |
+|--------------|--------------------------------------------------|
+| `init`       | Generate `.env.example` from your config file.   |
+| `check`      | Validate current environment against schema.     |
+| `encrypt`    | Encrypt `.env` (AES-256-GCM) for safe committing.|
+| `decrypt`    | Decrypt `.env.encrypted` back to plaintext.      |
+| `rotate`     | Print step-by-step secret rotation checklist.    |
+| `drift`      | Detect config drift — schema vs. actual env.     |
+| `docker`     | Validate env in Docker / Kubernetes contexts.    |
+### `beacon init`
 ```sh
+bunx beacon init                              # generate .env.example
+bunx beacon init --profile production         # with profile merge
+bunx beacon init --all-profiles               # generate for every profile
+bunx beacon init -c ./config/beacon.json -o .env.example.prod
+```
+Output includes types, defaults, descriptions, and secret markers:
+```
 # PostgreSQL connection string
 # Type: url
 # Required: yes
@@ -110,21 +238,15 @@ PORT=3000
 ### `beacon check`
-Validate your current environment against your schema:
 ```sh
-bunx beacon check
-# With a specific profile:
-bunx beacon check --profile staging
-# Custom config:
+bunx beacon check                             # validate env
+bunx beacon check --profile staging           # with profile
 bunx beacon check -c ./config/production.json
 ```
-Output is a colour-coded table:
+Colour-coded table output:
-```sh
+```
   KEY           STATUS    VALUE
   ────────────  ────────  ────────────────────
   DATABASE_URL  pass      postgres://localhost...
@@ -134,114 +256,97 @@ Output is a colour-coded table:
   LOG_LEVEL     pass      Optional, not set
   DB_HOST       MISSING   Not set
                      Did you mean DB_HOSTNAME?
-  2 issue(s), 3 pass
+  ✓ 3 pass, 2 issue(s)
 ```
-Exit codes: `0` if all pass, `1` if any issues found.
+Exit codes: `0` if all pass, `1` if any issues.
-### Per-command help
+### `beacon encrypt` / `beacon decrypt`
 ```sh
-beacon help init
-beacon check --help
-```
+# Encrypt .env → .env.encrypted
+BEACON_ENCRYPTION_KEY=your-key beacon encrypt
----
+# Decrypt back to plaintext
+BEACON_ENCRYPTION_KEY=your-key beacon decrypt
-## API Reference
+# Custom paths
+beacon encrypt -i .env.prod -o .env.prod.encrypted --key "your-key"
+beacon decrypt -i .env.prod.encrypted -o .env.prod --key "your-key"
+```
-### `createBeacon(schema, options?)`
+Uses **AES-256-GCM** with HKDF-SHA256 key derivation. The key can be passed via `--key` flag or `BEACON_ENCRYPTION_KEY` environment variable.
-The default export. Accepts an env schema and optional configuration.
+### `beacon rotate`
-**Parameters**
+Prints a step-by-step checklist for safely rotating secrets (generate → deploy alongside → update consumers → verify → revoke → audit).
-| Option     | Type                                          | Description                                                 |
-| ---------- | --------------------------------------------- | ----------------------------------------------------------- |
-| `schema`   | `Record<string, SchemaEntry>`                 | Map of environment variable names to field definitions.     |
-| `profile`  | `string`                                      | Active profile name. Merges matching entry from `profiles`. |
-| `profiles` | `Record<string, Record<string, SchemaEntry>>` | Named profile overrides.                                    |
-| `features` | `Record<string, FeatureGate>`                 | Feature gates for runtime toggles.                          |
+```sh
+bunx beacon rotate
+```
-**SchemaEntry** can be either:
+### `beacon drift`
-**1. String-based** — Simple type names for everyday use:
+Detects config drift — missing required variables, type mismatches, and unexpected enum values.
-| Field         | Type        | Default | Description                          |
-| ------------- | ----------- | ------- | ------------------------------------ |
-| `type`        | `FieldType` | —       | The type to validate against.        |
-| `required`    | `boolean`   | `true`  | Whether the variable must be set.    |
-| `default`     | `unknown`   | —       | Default value if not set.            |
-| `secret`      | `boolean`   | `false` | Redact value from errors and logs.   |
-| `values`      | `string[]`  | —       | Allowed values (only for `"enum"`).  |
-| `description` | `string`    | —       | Used when generating `.env.example`. |
+```sh
+bunx beacon drift
+bunx beacon drift --profile production
+```
-| Type      | Zod equivalent                               |
-| --------- | -------------------------------------------- |
-| `string`  | `z.string()`                                 |
-| `url`     | `z.string().url()`                           |
-| `number`  | `z.coerce.number()`                          |
-| `integer` | `z.coerce.number().int()`                    |
-| `boolean` | `"true"` / `"false"` / `"1"` / `"0"` coerced |
-| `port`    | integer 1–65535                              |
-| `enum`    | requires `values[]`                          |
-| `email`   | `z.string().email()`                         |
-| `host`    | `z.string()`                                 |
+### `beacon docker`
-**2. Zod schema** — Advanced users can pass Zod schemas directly:
+Detects Docker and Kubernetes runtimes, checks common container env vars, and runs a full schema validation.
-```ts
-{
-  PORT: { schema: z.coerce.number().positive().max(9999) },
-  WHITELIST: { schema: z.string().regex(/^[\d,]+$/) },
-}
+```sh
+bunx beacon docker
+bunx beacon docker --profile staging
 ```
-**Returns**
-A config instance with:
+---
-| Method / Property             | Description                                                                                                  |
-| ----------------------------- | ------------------------------------------------------------------------------------------------------------ |
-| `ensure()`                    | Validates all env vars. Throws `ConfigValidationError` on failure. Returns the config instance for chaining. |
-| `get<T>(key): T`              | Returns the validated value for the given key. Throws if called before `ensure()`.                           |
-| `secret`                      | Returns a `Record<string, boolean>` of which keys are marked as secrets.                                     |
-| `isEnabled(feature): boolean` | Checks if a feature gate is enabled. Respects env overrides (`FEATURE_<NAME>`).                              |
+## Profiles
-### TypeScript Types
+Define different schemas per environment using the `profiles` option. The active profile is selected via `profile`.
 ```ts
-import type {
-  BeaconOptions,
-  Beacon,
-  SchemaEntry,
-  FieldDefinition,
-  FieldType,
-  FeatureGate,
-  ConfigError,
-  ConfigValidationError,
-} from "@joinremba/beacon";
+const beacon = createBeacon(
+  {
+    DB_HOST: { type: "string", default: "localhost" },
+    DB_PORT: { type: "port", default: 5432 },
+  },
+  {
+    profile: "production",
+    profiles: {
+      production: {
+        DB_HOST: { type: "host", required: true },
+        DB_PORT: { type: "port", required: true },
+      },
+      staging: {
+        DB_HOST: { type: "host", required: true },
+      },
+    },
+  }
+);
 ```
-### Config file (`.beaconrc.json`)
+Profile entries are **merged into the base schema** — they can add new variables, override types, change defaults, or toggle required flags.
-Used by the CLI for `init` and `check` commands:
+You can also use profiles with the CLI:
+```sh
+bunx beacon init --profile production
+bunx beacon check --profile staging
+```
+### Config file (`.beaconrc.json`)
 ```json
 {
   "schema": {
-    "DATABASE_URL": {
-      "type": "url",
-      "required": true,
-      "description": "PostgreSQL connection string"
-    },
+    "DATABASE_URL": { "type": "url", "required": true, "description": "PostgreSQL connection string" },
     "PORT": { "type": "port", "default": 3000, "description": "HTTP server port" },
-    "NODE_ENV": {
-      "type": "enum",
-      "values": ["development", "production"],
-      "default": "development"
-    },
+    "NODE_ENV": { "type": "enum", "values": ["development", "production"], "default": "development" },
     "API_KEY": { "type": "string", "required": true, "secret": true }
   },
   "profiles": {
@@ -256,232 +361,131 @@ Used by the CLI for `init` and `check` commands:
 }
 ```
----
-## Examples
-### Basic env validation
-```ts
-import { createBeacon } from "@joinremba/beacon";
-const config = createBeacon({
-  NODE_ENV: {
-    type: "enum",
-    values: ["development", "production", "test"],
-    default: "development",
-  },
-  PORT: { type: "port", default: 3000 },
-});
-config.ensure();
-console.log(config.get("PORT"));
-```
-### With secrets redaction
+The CLI auto-discovers `.beaconrc.json` or `beacon.config.json`.
-```ts
-const config = createBeacon({
-  API_KEY: { type: "string", secret: true },
-  DATABASE_URL: { type: "url", secret: true },
-});
+---
-config.ensure();
-// Error messages never show API_KEY or DATABASE_URL values
-```
+## Error Handling
-### Custom error handling
+All validation errors are **collected and thrown together** as a single `ConfigValidationError` (an `AggregateError` subclass). Each individual issue is a `ConfigError` with the offending key and a human-readable message.
 ```ts
-import { ConfigValidationError } from "@joinremba/beacon";
+import { createBeacon, ConfigValidationError, ConfigError } from "@joinremba/beacon";
 try {
-  config.ensure();
+  await beacon.ensure();
 } catch (err) {
   if (err instanceof ConfigValidationError) {
     for (const issue of err.errors) {
       console.error(`[${issue.key}] ${issue.message}`);
+      // issue.redacted — true if the value was hidden
     }
   }
-  process.exit(1);
 }
 ```
-### Production profile
+### `strict: false` mode
-```ts
-const config = createBeacon(
-  {
-    DB_HOST: { type: "string", default: "localhost" },
-    DB_PORT: { type: "port", default: 5432 },
-  },
-  {
-    profile: "production",
-    profiles: {
-      production: {
-        DB_HOST: { type: "host", required: true },
-        DB_PORT: { type: "port", required: true },
-      },
-    },
-  }
-);
-```
-### Feature Gates
-Toggle features on/off without redeploying. Define gates in the `features` option and check them with `isEnabled()`:
+Pass `{ strict: false }` to `ensure()` to silently skip missing required variables without throwing. Useful in test environments or bootstrap scripts.
 ```ts
-const config = createBeacon(
-  { DATABASE_URL: { type: "url" } },
-  {
-    features: {
-      newDashboard: { enabled: true },
-      darkMode: { enabled: false },
-      gradualRollout: { enabled: true, rollout: 0.5 },
-    },
-  }
-);
-config.isEnabled("newDashboard"); // true
-config.isEnabled("darkMode"); // false
-config.isEnabled("gradualRollout"); // true for ~50% of deployments (deterministic hash)
+await beacon.ensure({ strict: false });
+// Missing required vars are skipped instead of throwing
 ```
-**Env overrides** — Any feature can be toggled at runtime via `FEATURE_<NAME>`:
+### Secret Redaction
-```sh
-FEATURE_DARK_MODE=true bun start
-```
+When a field is marked `{ secret: true }`, its value is replaced with `[REDACTED]` in all error messages and CLI output — never leaked into logs or terminal.
-CamelCase feature names map to `FEATURE_` prefixed uppercase with underscores (`newDashboard` → `FEATURE_NEW_DASHBOARD`). Accepted truthy values: `true`, `1`, `yes`. Everything else is `false`.
+---
-| Option        | Type      | Default | Description                                               |
-| ------------- | --------- | ------- | --------------------------------------------------------- |
-| `enabled`     | `boolean` | `false` | Whether the gate is on by default.                        |
-| `rollout`     | `number`  | —       | Percentage of deployments (0–1). Uses deterministic hash. |
-| `description` | `string`  | —       | Human-readable description.                               |
+## Encryption
-### Kill-Switch Flags
+Beacon provides AES-256-GCM encryption for `.env` files via the CLI and programmatic API.
-Force-disable a feature at runtime — overrides any feature gate. Define kill switches in the `killSwitches` option or set `KILL_<NAME>` env vars:
+### Programmatic
 ```ts
-const config = createBeacon(
-  { DATABASE_URL: { type: "url" } },
-  {
-    features: { newDashboard: { enabled: true } },
-    killSwitches: { newDashboard: true },
-  }
-);
-config.isEnabled("newDashboard"); // false — killed
-config.isKilled("newDashboard"); // true
-```
-**Env override** — `KILL_NEW_DASHBOARD=true` overrides the config. Accepted truthy values: `true`, `1`, `yes`.
-When a feature is killed, `isEnabled()` returns `false` regardless of the feature gate configuration.
-### Encrypted .env (`beacon encrypt` / `beacon decrypt`)
-Commit `.env` files safely using AES-256-GCM encryption. Requires an encryption key passed via `--key` or `BEACON_ENCRYPTION_KEY`.
-```sh
-# Encrypt .env → .env.encrypted
-BEACON_ENCRYPTION_KEY=your-256-bit-key beacon encrypt
-# Decrypt back to plaintext
-BEACON_ENCRYPTION_KEY=your-256-bit-key beacon decrypt
-# Custom paths
-beacon encrypt -i .env.prod -o .env.prod.encrypted --key "your-key"
-beacon decrypt -i .env.prod.encrypted -o .env.prod --key "your-key"
-```
-### Secret Rotation Checklist (`beacon rotate`)
+import { encryptEnv, decryptEnv } from "@joinremba/beacon";
-Prints a step-by-step checklist for rotating secrets (DB credentials, API keys, etc.):
-```sh
-beacon rotate
+const encrypted = await encryptEnv("DATABASE_URL=postgres://...", "your-key");
+const decrypted = await decryptEnv(encrypted, "your-key");
 ```
-Follows the generate → deploy alongside → update consumers → verify → revoke → audit workflow.
-### Config Drift Detection (`beacon drift`)
-Detects when your actual environment differs from the schema defined in your config:
+### CLI
 ```sh
-beacon drift
-beacon drift --profile production
+beacon encrypt -i .env -o .env.encrypted --key "your-key"
+beacon decrypt -i .env.encrypted -o .env --key "your-key"
 ```
-Reports missing required variables, type mismatches, and unexpected enum values.
-### Docker/Kubernetes Checks (`beacon docker`)
-Validates your environment in container contexts — detects Docker and Kubernetes runtimes, checks common container env vars, and runs a full schema validation:
-```sh
-beacon docker
-beacon docker --profile staging
-```
+The key can also be set via `BEACON_ENCRYPTION_KEY` env var. Key derivation uses HKDF-SHA256 with a 32-byte salt.
 ---
-## Roadmap
-**MVP** (current)
+## API Reference
-- Typed env validation with string-based types and Zod
-- Missing variable detection (aggregated errors)
-- Secrets redaction in errors and logs
-- Local/staging/production profiles
-- `.env.example` generation via CLI
-- `beacon check` CLI command
-- Coloured CLI output with suggestions
+### `createBeacon(schema, options?)`
-**V1** ✅
+| Parameter | Type                                    | Description                              |
+|-----------|-----------------------------------------|------------------------------------------|
+| `schema`  | `Record<string, SchemaEntry>`           | Map of env var names to field defs.      |
+| `options` | `BeaconOptions`                         | Optional config (features, profiles, etc.) |
-- Feature gates from local config
-- Kill-switch flags (`KILL_<NAME>` env vars, `config.isKilled()`)
-- Encrypted `.env` support (`beacon encrypt` / `beacon decrypt`)
-- Secret rotation checklist (`beacon rotate`)
-- CI validation action (`beacon check` in CI workflows)
-- Docker/Kubernetes env checks (`beacon docker`)
-- Config drift detection (`beacon drift`)
+#### `BeaconOptions`
-**V2**
+| Option         | Type                                             | Description                                      |
+|----------------|--------------------------------------------------|--------------------------------------------------|
+| `profile`      | `string`                                         | Active profile name.                              |
+| `profiles`     | `Record<string, Record<string, SchemaEntry>>`    | Named profile overrides.                          |
+| `features`     | `Record<string, FeatureGate>`                    | Feature gate definitions.                         |
+| `killSwitches` | `Record<string, boolean>`                        | Force-disabled features.                          |
+| `client`       | `Client` (from `@joinremba/core`)                | Remote config client.                             |
-- Hosted team secret sync
-- Audit trail for config changes
-- Deployment provider integrations
-- GitHub Actions integration
-- Remba Cloud dashboard
+#### `Beacon` (returned by `createBeacon`)
----
+| Method / Property              | Description                                                       |
+|--------------------------------|-------------------------------------------------------------------|
+| `ensure(options?)`             | Validates all env vars. Throws `ConfigValidationError` on failure. Returns the beacon instance. |
+| `get<T>(key)`                  | Returns the validated, coerced value. Throws if called before `ensure()`. |
+| `secret`                       | `Record<string, boolean>` — which keys are marked as secrets.     |
+| `isEnabled(feature)`           | Checks if a feature gate is enabled. Respects kill switches, env overrides, and rollout. |
+| `isKilled(feature)`            | Checks if a feature is force-disabled (kill switch or env).       |
-## Related Packages
+#### `EnsureOptions`
-- [@joinremba/catalog](https://github.com/joinremba/catalog) — Production-ready logging and error event layer built on Pino.
-- [@joinremba/gate](https://github.com/joinremba/gate) — API safety layer: validation, responses, idempotency, rate limiting, and API keys.
+| Option   | Type      | Default | Description                                              |
+|----------|-----------|---------|----------------------------------------------------------|
+| `strict` | `boolean` | `true`  | When `false`, missing required vars are skipped silently. |
-## Social Preview
+#### Types
-For sharing on X (Twitter) and other social platforms, use `assets/og-image.svg` as the repository's social preview image in GitHub repo settings:
-1. Go to your repo **Settings** → **Social preview** → **Upload image**
-2. Select `assets/og-image.svg`
-3. Save
+```ts
+import type {
+  Beacon,
+  BeaconOptions,
+  EnsureOptions,
+  SchemaEntry,
+  FieldDefinition,
+  FieldDefinitionWithSchema,
+  FieldType,
+  FeatureGate,
+  ConfigError,
+  ConfigValidationError,
+} from "@joinremba/beacon";
+```
-This will be used whenever your repo link is shared on social media, Slack, or Discord.
+#### Utilities
-## Contributing
+| Export         | Description                                      |
+|----------------|--------------------------------------------------|
+| `ConfigError`      | Individual config validation error (`key`, `message`, `redacted`). |
+| `ConfigValidationError` | `AggregateError` subclass containing all `ConfigError` instances. |
+| `encryptEnv`       | `(content: string, key: string) => Promise<string>` — AES-256-GCM encrypt. |
+| `decryptEnv`       | `(encrypted: string, key: string) => Promise<string>` — AES-256-GCM decrypt. |
-Please see [CONTRIBUTING.md](CONTRIBUTING.md) for details on our code of conduct, development process, and how to submit pull requests.
+---
 ## License
-MIT &mdash; see [LICENSE](LICENSE).
+MIT — see [LICENSE](LICENSE).

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@joinremba/beacon",
-  "version": "0.4.0",
+  "version": "0.5.0",
   "description": "Validate environment variables, config, secrets, and runtime feature gates before production breaks.",
   "type": "module",
   "main": "./src/index.ts",

package/src/index.ts CHANGED Viewed

@@ -186,6 +186,13 @@ export function createBeacon(
       return map;
     },
+    getAll(): Record<string, unknown> {
+      if (validated === null) {
+        throw new ConfigError("", "Call beacon.ensure() before accessing config values");
+      }
+      return { ...validated };
+    },
     isKilled(feature: string): boolean {
       const envName = `KILL_${feature
         .replace(/([a-z])([A-Z])/g, "$1_$2")

package/src/types.ts CHANGED Viewed

@@ -53,6 +53,9 @@ export interface EnsureOptions {
 export interface Beacon {
   ensure(options?: EnsureOptions): Promise<Beacon>;
   get<T = unknown>(key: string): T;
+  /** Returns all validated entries as a flat key-value record.
+   *  Secrets are included — callers should redact as needed. */
+  getAll(): Record<string, unknown>;
   readonly secret: Record<string, boolean>;
   isEnabled(feature: string): boolean;
   isKilled(feature: string): boolean;