@karmaniverous/aws-secrets-manager-tools 0.1.1 → 0.2.1

package/README.md

@@ -1,102 +1,102 @@
-# AWS Secrets Manager Tools
-
-[![npm version](https://img.shields.io/npm/v/@karmaniverous/aws-secrets-manager-tools.svg)](https://www.npmjs.com/package/@karmaniverous/aws-secrets-manager-tools) ![Node Current](https://img.shields.io/node/v/@karmaniverous/aws-secrets-manager-tools) [![docs](https://img.shields.io/badge/docs-website-blue)](https://docs.karmanivero.us/aws-secrets-manager-tools) [![changelog](https://img.shields.io/badge/changelog-latest-blue.svg)](./CHANGELOG.md) [![license](https://img.shields.io/badge/license-BSD--3--Clause-blue.svg)](./LICENSE)
-
-Tools and a get-dotenv plugin for working with AWS Secrets Manager “env-map” secrets (JSON object maps of environment variables).
-
-This package provides:
-
-- A tools-style wrapper that owns AWS client setup (including optional AWS X-Ray capture):
-  - `AwsSecretsManagerTools`
-- A get-dotenv plugin intended to be mounted under `aws`:
-  - `secretsPlugin()` → `aws secrets pull|push|delete`
-- A CLI embedding get-dotenv with the secrets plugin:
-  - `aws-secrets-manager-tools`
-
-## Documentation
-
-- Learn the programmatic API: [AwsSecretsManagerTools guide](guides/aws-secrets-manager-tools.md)
-- Learn the CLI and plugin behavior: [aws secrets plugin guide](guides/secrets-plugin.md)
-- Browse the generated API reference: [TypeDoc site](https://docs.karmanivero.us/aws-secrets-manager-tools)
-
-## Install
-
-```bash
-npm i @karmaniverous/aws-secrets-manager-tools
-```
-
-This package is ESM-only (Node >= 20).
-
-## Quick start (programmatic)
-
-```ts
-import { AwsSecretsManagerTools } from '@karmaniverous/aws-secrets-manager-tools';
-
-const tools = await AwsSecretsManagerTools.init({
-  clientConfig: { region: 'us-east-1', logger: console },
-  xray: 'auto',
-});
-
-const current = await tools.readEnvSecret({ secretId: 'my-app/dev' });
-await tools.upsertEnvSecret({ secretId: 'my-app/dev', value: current });
-```
-
-When you need AWS functionality not wrapped by this package, use the fully configured AWS SDK v3 client at `tools.client` (see the [programmatic guide](guides/aws-secrets-manager-tools.md) for examples).
-
-## Quick start (CLI)
-
-```bash
-aws-secrets-manager-tools --env dev aws secrets pull --secret-name '$STACK_NAME'
-aws-secrets-manager-tools --env dev aws secrets push --secret-name '$STACK_NAME'
-aws-secrets-manager-tools --env dev aws secrets delete --secret-name '$STACK_NAME'
-```
-
-Notes:
-
-- `--env` is a root-level (get-dotenv) option and must appear before the command path.
-- Secret name expansion is evaluated at action time against `{ ...process.env, ...ctx.dotenv }` (ctx wins).
-
-## Env-map secret format
-
-Secrets are stored as a JSON object map of environment variables in `SecretString`:
-
-```json
-{ "KEY": "value", "OPTIONAL": null }
-```
-
-Notes:
-
-- Values must be strings or `null`.
-- `null` is treated as `undefined` when decoding.
-
-## AWS X-Ray capture (optional)
-
-X-Ray support is guarded:
-
-- Default behavior is `xray: 'auto'`: capture is enabled only when `AWS_XRAY_DAEMON_ADDRESS` is set.
-- To enable capture, install the optional peer dependency:
-  - `aws-xray-sdk`
-- In `auto` mode, if `AWS_XRAY_DAEMON_ADDRESS` is set but `aws-xray-sdk` is not installed, initialization throws.
-
-## Config defaults (getdotenv.config.\*)
-
-If you embed the plugin in your own get-dotenv host (or use the shipped CLI), you can provide safe defaults in config under `plugins['aws/secrets']`:
-
-```jsonc
-{
-  "plugins": {
-    "aws/secrets": {
-      "secretName": "$STACK_NAME",
-      "templateExtension": "template",
-      "push": { "from": ["file:env:private"] },
-      "pull": { "to": "env:private" },
-    },
-  },
-}
-```
-
-See the [secrets plugin guide](guides/secrets-plugin.md) for `--from` / `--to` selector details and all supported config keys.
-
----
-
-Built for you with ❤️ on Bali! Find more great tools & templates on [my GitHub Profile](https://github.com/karmaniverous).
+# AWS Secrets Manager Tools
+
+[![npm version](https://img.shields.io/npm/v/@karmaniverous/aws-secrets-manager-tools.svg)](https://www.npmjs.com/package/@karmaniverous/aws-secrets-manager-tools) ![Node Current](https://img.shields.io/node/v/@karmaniverous/aws-secrets-manager-tools) [![docs](https://img.shields.io/badge/docs-website-blue)](https://docs.karmanivero.us/aws-secrets-manager-tools) [![changelog](https://img.shields.io/badge/changelog-latest-blue.svg)](./CHANGELOG.md) [![license](https://img.shields.io/badge/license-BSD--3--Clause-blue.svg)](./LICENSE)
+
+Tools and a get-dotenv plugin for working with AWS Secrets Manager “env-map” secrets (JSON object maps of environment variables).
+
+This package provides:
+
+- A tools-style wrapper that owns AWS client setup (including optional AWS X-Ray capture):
+  - `AwsSecretsManagerTools`
+- A get-dotenv plugin intended to be mounted under `aws`:
+  - `secretsPlugin()` → `aws secrets pull|push|delete`
+- A CLI embedding get-dotenv with the secrets plugin:
+  - `aws-secrets-manager-tools`
+
+## Documentation
+
+- Learn the programmatic API: [AwsSecretsManagerTools guide](guides/aws-secrets-manager-tools.md)
+- Learn the CLI and plugin behavior: [aws secrets plugin guide](guides/secrets-plugin.md)
+- Browse the generated API reference: [TypeDoc site](https://docs.karmanivero.us/aws-secrets-manager-tools)
+
+## Install
+
+```bash
+npm i @karmaniverous/aws-secrets-manager-tools
+```
+
+This package is ESM-only (Node >= 20).
+
+## Quick start (programmatic)
+
+```ts
+import { AwsSecretsManagerTools } from '@karmaniverous/aws-secrets-manager-tools';
+
+const tools = new AwsSecretsManagerTools({
+  clientConfig: { region: 'us-east-1', logger: console },
+  xray: 'auto',
+});
+
+const current = await tools.readEnvSecret({ secretId: 'my-app/dev' });
+await tools.upsertEnvSecret({ secretId: 'my-app/dev', value: current });
+```
+
+When you need AWS functionality not wrapped by this package, use the fully configured AWS SDK v3 client at `tools.client` (see the [programmatic guide](guides/aws-secrets-manager-tools.md) for examples).
+
+## Quick start (CLI)
+
+```bash
+aws-secrets-manager-tools --env dev aws secrets pull --secret-name '$STACK_NAME'
+aws-secrets-manager-tools --env dev aws secrets push --secret-name '$STACK_NAME'
+aws-secrets-manager-tools --env dev aws secrets delete --secret-name '$STACK_NAME'
+```
+
+Notes:
+
+- `--env` is a root-level (get-dotenv) option and must appear before the command path.
+- Secret name expansion is evaluated at action time against `{ ...process.env, ...ctx.dotenv }` (ctx wins).
+
+## Env-map secret format
+
+Secrets are stored as a JSON object map of environment variables in `SecretString`:
+
+```json
+{ "KEY": "value", "OPTIONAL": null }
+```
+
+Notes:
+
+- Values must be strings or `null`.
+- `null` is treated as `undefined` when decoding.
+
+## AWS X-Ray capture (optional)
+
+X-Ray support is guarded:
+
+- Default behavior is `xray: 'auto'`: capture is enabled only when `AWS_XRAY_DAEMON_ADDRESS` is set.
+- To enable capture, install the optional peer dependency:
+  - `aws-xray-sdk`
+- In `auto` mode, if `AWS_XRAY_DAEMON_ADDRESS` is set but `aws-xray-sdk` is not installed, construction throws.
+
+## Config defaults (getdotenv.config.\*)
+
+If you embed the plugin in your own get-dotenv host (or use the shipped CLI), you can provide safe defaults in config under `plugins['aws/secrets']`:
+
+```jsonc
+{
+  "plugins": {
+    "aws/secrets": {
+      "secretName": "$STACK_NAME",
+      "templateExtension": "template",
+      "push": { "from": ["file:env:private"] },
+      "pull": { "to": "env:private" },
+    },
+  },
+}
+```
+
+See the [secrets plugin guide](guides/secrets-plugin.md) for `--from` / `--to` selector details and all supported config keys.
+
+---
+
+Built for you with ❤️ on Bali! Find more great tools & templates on [my GitHub Profile](https://github.com/karmaniverous).

package/dist/cli/aws-secrets-manager-tools/index.js

@@ -1,11 +1,11 @@
 #!/usr/bin/env node
 import { createCli } from '@karmaniverous/get-dotenv/cli';
-import { cmdPlugin, batchPlugin, awsPlugin, initPlugin } from '@karmaniverous/get-dotenv/plugins';
-import { readMergedOptions, z, definePlugin } from '@karmaniverous/get-dotenv/cliHost';
+import { getAwsRegion, cmdPlugin, batchPlugin, awsPlugin, initPlugin } from '@karmaniverous/get-dotenv/plugins';
+import { readMergedOptions, z, describeConfigKeyListDefaults, describeDefault, definePlugin } from '@karmaniverous/get-dotenv/cliHost';
+import { assertLogger, silentLogger, buildSpawnEnv, dotenvExpand, toNumber, getDotenvCliOptions2Options, applyIncludeExclude, editDotenvFile, requireString, assertByteLimit } from '@karmaniverous/get-dotenv';
 import { SecretsManagerClient, GetSecretValueCommand, PutSecretValueCommand, CreateSecretCommand, DeleteSecretCommand } from '@aws-sdk/client-secrets-manager';
-import { dotenvExpand, getDotenvCliOptions2Options, editDotenvFile } from '@karmaniverous/get-dotenv';
-import { omit, pick } from 'radash';
-import { Buffer } from 'node:buffer';
+import { shouldEnableXray, captureAwsSdkV3Client } from '@karmaniverous/aws-xray-tools';
+import { getAwsRegion as getAwsRegion$1 } from '@karmaniverous/get-dotenv/plugins/aws';
 
 /**
  * Requirements addressed:
@@ -21,74 +21,22 @@ const getAwsErrorCode = (err) => {
 const isAwsErrorCode = (err, code) => getAwsErrorCode(err) === code;
 const isResourceNotFoundError = (err) => isAwsErrorCode(err, 'ResourceNotFoundException');
 
-/**
- * Requirements addressed:
- * - Optional AWS X-Ray capture support.
- * - Default behavior “auto”: only attempt capture when AWS_XRAY_DAEMON_ADDRESS
- *   is set.
- * - Avoid importing/enabling X-Ray when the daemon address is not set (the
- *   X-Ray SDK will throw otherwise).
- */
-const shouldEnableXray = (mode, daemonAddress) => {
-    if (mode === 'off')
-        return false;
-    if (mode === 'on')
-        return true;
-    return Boolean(daemonAddress);
-};
-const captureAwsSdkV3Client = async (client, { mode = 'auto', logger = console, daemonAddress = process.env.AWS_XRAY_DAEMON_ADDRESS, } = {}) => {
-    if (!shouldEnableXray(mode, daemonAddress))
-        return client;
-    if (!daemonAddress) {
-        throw new Error('X-Ray capture requested but AWS_XRAY_DAEMON_ADDRESS is not set.');
-    }
-    // Guarded dynamic import: some X-Ray SDK integrations throw when daemon
-    // configuration is missing, so do not import unless we are capturing.
-    let mod;
-    try {
-        mod = (await import('aws-xray-sdk'));
-    }
-    catch {
-        throw new Error("X-Ray capture is enabled but 'aws-xray-sdk' is not installed. Install it or set xray to 'off'.");
-    }
-    const AWSXRay = (mod.default ?? mod);
-    if (typeof AWSXRay.captureAWSv3Client !== 'function') {
-        logger.debug('aws-xray-sdk does not expose captureAWSv3Client', AWSXRay);
-        throw new Error('aws-xray-sdk missing captureAWSv3Client export.');
-    }
-    logger.debug('Enabling AWS X-Ray capture for AWS SDK v3 client.');
-    return AWSXRay.captureAWSv3Client(client);
-};
-
 /**
  * Requirements addressed:
  * - Provide a public tools-style wrapper `AwsSecretsManagerTools`.
  * - Package consumers should not need to construct SecretsManagerClient; they
- *   should use `AwsSecretsManagerTools.init(...)` and optionally import AWS SDK
- *   Commands for advanced operations.
+ *   should construct `new AwsSecretsManagerTools(...)` and optionally import
+ *   AWS SDK Commands for advanced operations.
  * - Expose the fully configured SDK client via `tools.client`.
  * - Support optional AWS X-Ray capture:
  *   - Default “auto”: enable only when AWS_XRAY_DAEMON_ADDRESS is set.
  *   - In “auto”, if the daemon address is set but aws-xray-sdk is missing,
  *     throw with a clear message.
- * - Enforce a minimal logger contract (debug/info/warn/error); do not attempt
- *   to polyfill or proxy unknown loggers.
+ * - Enforce the get-dotenv minimal Logger contract (debug/info/warn/error);
+ *   validate and throw (no polyfills or proxies).
  * - Secret values are JSON object maps of env vars.
  */
-const assertLogger = (candidate) => {
-    if (!candidate || typeof candidate !== 'object') {
-        throw new Error('logger must be an object with debug, info, warn, and error methods');
-    }
-    const logger = candidate;
-    if (typeof logger.debug !== 'function' ||
-        typeof logger.info !== 'function' ||
-        typeof logger.warn !== 'function' ||
-        typeof logger.error !== 'function') {
-        throw new Error('logger must implement debug, info, warn, and error methods; wrap/proxy your logger if needed');
-    }
-    return logger;
-};
-const parseEnvSecretMap = (secretString) => {
+const parseProcessEnv = (secretString) => {
     let parsed;
     try {
         parsed = JSON.parse(secretString);
@@ -118,7 +66,7 @@ const toSecretString = (value) => JSON.stringify(value);
  * Tools-style AWS Secrets Manager wrapper for env-map secrets.
  *
  * The secret payload is always a JSON object map of environment variables:
- * `Record<string, string | undefined>`.
+ * `ProcessEnv`.
  *
  * Consumers should typically use the convenience methods on this class, and
  * use {@link AwsSecretsManagerTools.client} as an escape hatch when they need
@@ -141,17 +89,8 @@ class AwsSecretsManagerTools {
     logger;
     /** Materialized X-Ray state (mode + enabled + daemonAddress when relevant). */
     xray;
-    constructor({ client, clientConfig, logger, xray, }) {
-        this.client = client;
-        this.clientConfig = clientConfig;
-        this.logger = logger;
-        this.xray = xray;
-    }
     /**
-     * Initialize an `AwsSecretsManagerTools` instance.
-     *
-     * This factory owns all setup (including optional X-Ray capture) so consumers
-     * do not need to construct a base Secrets Manager client themselves.
+     * Construct an `AwsSecretsManagerTools` instance.
      *
      * @throws If `clientConfig.logger` is provided but does not implement
      * `debug`, `info`, `warn`, and `error`.
@@ -159,7 +98,7 @@ class AwsSecretsManagerTools {
      * with `AWS_XRAY_DAEMON_ADDRESS` set) but `aws-xray-sdk` is not installed.
      * @throws If X-Ray capture is requested but `AWS_XRAY_DAEMON_ADDRESS` is not set.
      */
-    static async init({ clientConfig = {}, xray: xrayMode = 'auto', } = {}) {
+    constructor({ clientConfig = {}, xray: xrayMode = 'auto', } = {}) {
         const logger = assertLogger(clientConfig.logger ?? console);
         const effectiveClientConfig = {
             ...clientConfig,
@@ -174,18 +113,16 @@ class AwsSecretsManagerTools {
             ...(enabled && daemonAddress ? { daemonAddress } : {}),
         };
         const effectiveClient = enabled
-            ? await captureAwsSdkV3Client(base, {
+            ? captureAwsSdkV3Client(base, {
                 mode: xrayMode,
                 logger,
                 daemonAddress,
             })
             : base;
-        return new AwsSecretsManagerTools({
-            client: effectiveClient,
-            clientConfig: effectiveClientConfig,
-            logger,
-            xray: xrayState,
-        });
+        this.client = effectiveClient;
+        this.clientConfig = effectiveClientConfig;
+        this.logger = logger;
+        this.xray = xrayState;
     }
     /**
      * Read a Secrets Manager secret and parse it as an env-map secret.
@@ -208,7 +145,7 @@ class AwsSecretsManagerTools {
         if (!res.SecretString) {
             throw new Error('SecretString is missing (binary secrets not supported).');
         }
-        return parseEnvSecretMap(res.SecretString);
+        return parseProcessEnv(res.SecretString);
     }
     /**
      * Write a new version value for an existing secret.
@@ -315,96 +252,6 @@ class AwsSecretsManagerTools {
     }
 }
 
-/**
- * Requirements addressed:
- * - Secret name expansion expands against `{ ...process.env, ...ctx.dotenv }`.
- * - include/exclude ignore unknown keys; use radash (no lodash).
- */
-const buildExpansionEnv = (ctxDotenv) => ({
-    ...process.env,
-    ...ctxDotenv,
-});
-const expandSecretName = (raw, envRef) => dotenvExpand(raw, envRef) ?? raw;
-const applyIncludeExclude = (env, { include, exclude, }) => {
-    let out = env;
-    if (exclude?.length)
-        out = omit(out, exclude);
-    if (include?.length)
-        out = pick(out, include);
-    return out;
-};
-
-/**
- * Requirements addressed:
- * - Enforce AWS Secrets Manager SecretString size limits (65,536 bytes).
- * - Provide safe parsing helpers for CLI-mapped inputs.
- * - Render config-derived defaults in dynamic option help text.
- * - Access aws plugin ctx state via runtime narrowing (no casts).
- */
-const silentLogger = {
-    debug: () => {
-        // no-op
-    },
-    info: () => {
-        // no-op
-    },
-    warn: () => {
-        // no-op
-    },
-    error: () => {
-        // no-op
-    },
-};
-const requireString = (v, msg) => {
-    if (typeof v !== 'string' || !v)
-        throw new Error(msg);
-    return v;
-};
-const toNumber = (v) => {
-    if (typeof v === 'undefined')
-        return;
-    if (typeof v === 'number')
-        return v;
-    if (typeof v === 'string' && v.trim())
-        return Number(v);
-    return;
-};
-const assertBytesWithinSecretsManagerLimit = (value) => {
-    const s = JSON.stringify(value);
-    const bytes = Buffer.byteLength(s, 'utf8');
-    if (bytes > 65_536) {
-        throw new Error(`SecretString size ${String(bytes)} bytes exceeds 65536 bytes; narrow selection with --from/--include/--exclude.`);
-    }
-};
-const describeDefault = (v) => {
-    if (Array.isArray(v))
-        return v.length ? v.join(' ') : 'none';
-    if (typeof v === 'string' && v.trim())
-        return v;
-    return 'none';
-};
-const isRecord = (v) => typeof v === 'object' && v !== null;
-const getAwsRegion = (ctx) => {
-    if (!isRecord(ctx.plugins))
-        return;
-    const aws = ctx.plugins['aws'];
-    if (!isRecord(aws))
-        return;
-    const region = aws['region'];
-    return typeof region === 'string' ? region : undefined;
-};
-const describeConfigKeyListDefaults = ({ cfgInclude, cfgExclude, }) => {
-    // Avoid throwing in help rendering: show an explicit invalid marker.
-    if (cfgInclude?.length && cfgExclude?.length) {
-        const msg = '(invalid: both set in config)';
-        return { includeDefault: msg, excludeDefault: msg };
-    }
-    return {
-        includeDefault: describeDefault(cfgExclude?.length ? undefined : cfgInclude),
-        excludeDefault: describeDefault(cfgInclude?.length ? undefined : cfgExclude),
-    };
-};
-
 /**
  * Requirements addressed:
  * - Provide `aws secrets delete`.
@@ -434,14 +281,14 @@ const registerDeleteCommand = ({ cli, plugin, }) => {
         const logger = console;
         const ctx = cli.getCtx();
         const cfg = plugin.readConfig(del);
-        const envRef = buildExpansionEnv(ctx.dotenv);
+        const envRef = buildSpawnEnv(process.env, ctx.dotenv);
         const secretNameRaw = opts.secretName ?? cfg.secretName ?? '$STACK_NAME';
-        const secretId = expandSecretName(secretNameRaw, envRef);
+        const secretId = dotenvExpand(secretNameRaw, envRef);
         if (!secretId)
             throw new Error('secret-name is required.');
         const recoveryWindowInDays = toNumber(opts.recoveryWindowDays);
         const region = getAwsRegion(ctx);
-        const tools = await AwsSecretsManagerTools.init({
+        const tools = new AwsSecretsManagerTools({
             clientConfig: region
                 ? { region, logger: sdkLogger }
                 : { logger: sdkLogger },
@@ -718,13 +565,13 @@ const registerPullCommand = ({ cli, plugin, }) => {
         const privateToken = rootOpts.privateToken ?? 'local';
         const toRaw = opts.to ?? cfg.pull?.to ?? 'env:private';
         const to = parseToSelector(toRaw);
-        const envRef = buildExpansionEnv(ctx.dotenv);
+        const envRef = buildSpawnEnv(process.env, ctx.dotenv);
         const secretNameRaw = opts.secretName ?? cfg.secretName ?? '$STACK_NAME';
-        const secretId = expandSecretName(secretNameRaw, envRef);
+        const secretId = dotenvExpand(secretNameRaw, envRef);
         if (!secretId)
             throw new Error('secret-name is required.');
-        const region = getAwsRegion(ctx);
-        const tools = await AwsSecretsManagerTools.init({
+        const region = getAwsRegion$1(ctx);
+        const tools = new AwsSecretsManagerTools({
             clientConfig: region
                 ? { region, logger: sdkLogger }
                 : { logger: sdkLogger },
@@ -750,7 +597,7 @@ const registerPullCommand = ({ cli, plugin, }) => {
             ? await editDotenvFile(secrets, {
                 ...editCommon,
                 scope: 'env',
-                env: requireString(bag.env ?? bag.defaultEnv, 'env is required (use --env or defaultEnv).'),
+                env: requireString(bag.env, 'env is required (use --env or defaultEnv).'),
             })
             : await editDotenvFile(secrets, {
                 ...editCommon,
@@ -823,16 +670,16 @@ const registerPushCommand = ({ cli, plugin, }) => {
             cfgInclude: cfg.push?.include,
             cfgExclude: cfg.push?.exclude,
         });
-        const envRef = buildExpansionEnv(ctx.dotenv);
+        const envRef = buildSpawnEnv(process.env, ctx.dotenv);
         const secretNameRaw = opts.secretName ?? cfg.secretName ?? '$STACK_NAME';
-        const secretId = expandSecretName(secretNameRaw, envRef);
+        const secretId = dotenvExpand(secretNameRaw, envRef);
         if (!secretId)
             throw new Error('secret-name is required.');
         const selected = selectEnvByProvenance(ctx.dotenv, ctx.dotenvProvenance, fromSelectors);
         const secrets = applyIncludeExclude(selected, { include, exclude });
-        assertBytesWithinSecretsManagerLimit(secrets);
-        const region = getAwsRegion(ctx);
-        const tools = await AwsSecretsManagerTools.init({
+        assertByteLimit(secrets, 65_536, (v, l) => `SecretString size ${String(v)} bytes exceeds ${String(l)} bytes; narrow selection with --from/--include/--exclude.`);
+        const region = getAwsRegion$1(ctx);
+        const tools = new AwsSecretsManagerTools({
             clientConfig: region
                 ? { region, logger: sdkLogger }
                 : { logger: sdkLogger },

package/dist/index.d.ts

@@ -1,59 +1,26 @@
 import { SecretsManagerClient, SecretsManagerClientConfig } from '@aws-sdk/client-secrets-manager';
+import { XrayState, XrayMode } from '@karmaniverous/aws-xray-tools';
+import { Logger, ProcessEnv } from '@karmaniverous/get-dotenv';
 import * as _karmaniverous_get_dotenv_cliHost from '@karmaniverous/get-dotenv/cliHost';
 
-/**
- * Requirements addressed:
- * - Secret values are always a JSON object map of env vars.
- */
-/**
- * Canonical “env secret” shape stored in AWS Secrets Manager.
- *
- * `undefined` values are not representable in JSON; readers should treat `null`
- * values as `undefined` when decoding.
- */
-type EnvSecretMap = Record<string, string | undefined>;
-
 /**
  * Requirements addressed:
  * - Provide a public tools-style wrapper `AwsSecretsManagerTools`.
  * - Package consumers should not need to construct SecretsManagerClient; they
- *   should use `AwsSecretsManagerTools.init(...)` and optionally import AWS SDK
- *   Commands for advanced operations.
+ *   should construct `new AwsSecretsManagerTools(...)` and optionally import
+ *   AWS SDK Commands for advanced operations.
  * - Expose the fully configured SDK client via `tools.client`.
  * - Support optional AWS X-Ray capture:
  *   - Default “auto”: enable only when AWS_XRAY_DAEMON_ADDRESS is set.
  *   - In “auto”, if the daemon address is set but aws-xray-sdk is missing,
  *     throw with a clear message.
- * - Enforce a minimal logger contract (debug/info/warn/error); do not attempt
- *   to polyfill or proxy unknown loggers.
+ * - Enforce the get-dotenv minimal Logger contract (debug/info/warn/error);
+ *   validate and throw (no polyfills or proxies).
  * - Secret values are JSON object maps of env vars.
  */
 
-/**
- * Console-like logger contract used by AwsSecretsManagerTools.
- *
- * If you pass a custom logger via `clientConfig.logger`, it must implement
- * these methods (no internal polyfills are applied).
- */
-type AwsSecretsManagerToolsLogger = Pick<Console, 'debug' | 'error' | 'info' | 'warn'>;
-/** X-Ray capture mode for {@link AwsSecretsManagerTools.init}. */
-type AwsSecretsManagerToolsXrayMode = 'auto' | 'on' | 'off';
-/**
- * Materialized X-Ray state for diagnostics and DX.
- *
- * Note: `enabled` reflects the effective runtime decision after applying the
- * configured `mode` and checking daemon configuration.
- */
-type XrayState = {
-    /** Capture mode configured for initialization. */
-    mode: AwsSecretsManagerToolsXrayMode;
-    /** Whether capture is enabled for the effective client instance. */
-    enabled: boolean;
-    /** Daemon address used when capture is enabled (if available). */
-    daemonAddress?: string;
-};
-/** Options for {@link AwsSecretsManagerTools.init}. */
-type AwsSecretsManagerToolsInitOptions = {
+/** Options for {@link AwsSecretsManagerTools} construction. */
+type AwsSecretsManagerToolsOptions = {
     /**
      * AWS SDK v3 Secrets Manager client config.
      *
@@ -69,13 +36,13 @@ type AwsSecretsManagerToolsInitOptions = {
      * - `on`: force enable (throws if daemon address is missing).
      * - `off`: disable.
      */
-    xray?: AwsSecretsManagerToolsXrayMode;
+    xray?: XrayMode;
 };
 /**
  * Tools-style AWS Secrets Manager wrapper for env-map secrets.
  *
  * The secret payload is always a JSON object map of environment variables:
- * `Record<string, string | undefined>`.
+ * `ProcessEnv`.
  *
  * Consumers should typically use the convenience methods on this class, and
  * use {@link AwsSecretsManagerTools.client} as an escape hatch when they need
@@ -95,15 +62,11 @@ declare class AwsSecretsManagerTools {
      */
     readonly clientConfig: SecretsManagerClientConfig;
     /** The logger used by this wrapper and (when applicable) by the AWS client. */
-    readonly logger: AwsSecretsManagerToolsLogger;
+    readonly logger: Logger;
     /** Materialized X-Ray state (mode + enabled + daemonAddress when relevant). */
     readonly xray: XrayState;
-    private constructor();
     /**
-     * Initialize an `AwsSecretsManagerTools` instance.
-     *
-     * This factory owns all setup (including optional X-Ray capture) so consumers
-     * do not need to construct a base Secrets Manager client themselves.
+     * Construct an `AwsSecretsManagerTools` instance.
      *
      * @throws If `clientConfig.logger` is provided but does not implement
      * `debug`, `info`, `warn`, and `error`.
@@ -111,7 +74,7 @@ declare class AwsSecretsManagerTools {
      * with `AWS_XRAY_DAEMON_ADDRESS` set) but `aws-xray-sdk` is not installed.
      * @throws If X-Ray capture is requested but `AWS_XRAY_DAEMON_ADDRESS` is not set.
      */
-    static init({ clientConfig, xray: xrayMode, }?: AwsSecretsManagerToolsInitOptions): Promise<AwsSecretsManagerTools>;
+    constructor({ clientConfig, xray: xrayMode, }?: AwsSecretsManagerToolsOptions);
     /**
      * Read a Secrets Manager secret and parse it as an env-map secret.
      *
@@ -124,7 +87,7 @@ declare class AwsSecretsManagerTools {
     readEnvSecret(opts: {
         secretId: string;
         versionId?: string;
-    }): Promise<EnvSecretMap>;
+    }): Promise<ProcessEnv>;
     /**
      * Write a new version value for an existing secret.
      *
@@ -137,7 +100,7 @@ declare class AwsSecretsManagerTools {
      */
     updateEnvSecret(opts: {
         secretId: string;
-        value: EnvSecretMap;
+        value: ProcessEnv;
         versionId?: string;
     }): Promise<void>;
     /**
@@ -152,7 +115,7 @@ declare class AwsSecretsManagerTools {
      */
     createEnvSecret(opts: {
         secretId: string;
-        value: EnvSecretMap;
+        value: ProcessEnv;
         description?: string;
         forceOverwriteReplicaSecret?: boolean;
         versionId?: string;
@@ -168,7 +131,7 @@ declare class AwsSecretsManagerTools {
      */
     upsertEnvSecret({ secretId, value, }: {
         secretId: string;
-        value: EnvSecretMap;
+        value: ProcessEnv;
     }): Promise<'updated' | 'created'>;
     /**
      * Delete a secret.
@@ -209,6 +172,7 @@ declare class AwsSecretsManagerTools {
 declare const secretsPlugin: () => _karmaniverous_get_dotenv_cliHost.PluginWithInstanceHelpers<Omit<{
     logger: unknown;
     defaultEnv?: string | undefined;
+    defaultEnvKey?: string | undefined;
     dotenvToken?: string | undefined;
     dynamicPath?: string | undefined;
     dynamic?: Record<string, unknown> | undefined;
@@ -225,7 +189,12 @@ declare const secretsPlugin: () => _karmaniverous_get_dotenv_cliHost.PluginWithI
     privateToken?: string | undefined;
     vars?: Record<string, string | undefined> | undefined;
 }, "dynamic" | "logger"> & {
-    logger: Record<string, (...args: unknown[]) => void> | Console;
+    logger: {
+        debug: (...data: any[]) => void;
+        info: (...data: any[]) => void;
+        warn: (...data: any[]) => void;
+        error: (...data: any[]) => void;
+    };
     dynamic?: {
         [x: string]: string | ((vars: {
             [x: string]: string | undefined;
@@ -247,4 +216,4 @@ declare const secretsPlugin: () => _karmaniverous_get_dotenv_cliHost.PluginWithI
 }, [], {}, {}>;
 
 export { AwsSecretsManagerTools, secretsPlugin };
-export type { AwsSecretsManagerToolsInitOptions, AwsSecretsManagerToolsLogger, AwsSecretsManagerToolsXrayMode, EnvSecretMap, XrayState };
+export type { AwsSecretsManagerToolsOptions };

package/dist/mjs/index.js

@@ -1,8 +1,9 @@
 import { SecretsManagerClient, GetSecretValueCommand, PutSecretValueCommand, CreateSecretCommand, DeleteSecretCommand } from '@aws-sdk/client-secrets-manager';
-import { readMergedOptions, z, definePlugin } from '@karmaniverous/get-dotenv/cliHost';
-import { dotenvExpand, getDotenvCliOptions2Options, editDotenvFile } from '@karmaniverous/get-dotenv';
-import { omit, pick } from 'radash';
-import { Buffer } from 'node:buffer';
+import { shouldEnableXray, captureAwsSdkV3Client } from '@karmaniverous/aws-xray-tools';
+import { assertLogger, silentLogger, buildSpawnEnv, dotenvExpand, toNumber, getDotenvCliOptions2Options, applyIncludeExclude, editDotenvFile, requireString, assertByteLimit } from '@karmaniverous/get-dotenv';
+import { readMergedOptions, z, describeConfigKeyListDefaults, describeDefault, definePlugin } from '@karmaniverous/get-dotenv/cliHost';
+import { getAwsRegion } from '@karmaniverous/get-dotenv/plugins';
+import { getAwsRegion as getAwsRegion$1 } from '@karmaniverous/get-dotenv/plugins/aws';
 
 /**
  * Requirements addressed:
@@ -18,74 +19,22 @@ const getAwsErrorCode = (err) => {
 const isAwsErrorCode = (err, code) => getAwsErrorCode(err) === code;
 const isResourceNotFoundError = (err) => isAwsErrorCode(err, 'ResourceNotFoundException');
 
-/**
- * Requirements addressed:
- * - Optional AWS X-Ray capture support.
- * - Default behavior “auto”: only attempt capture when AWS_XRAY_DAEMON_ADDRESS
- *   is set.
- * - Avoid importing/enabling X-Ray when the daemon address is not set (the
- *   X-Ray SDK will throw otherwise).
- */
-const shouldEnableXray = (mode, daemonAddress) => {
-    if (mode === 'off')
-        return false;
-    if (mode === 'on')
-        return true;
-    return Boolean(daemonAddress);
-};
-const captureAwsSdkV3Client = async (client, { mode = 'auto', logger = console, daemonAddress = process.env.AWS_XRAY_DAEMON_ADDRESS, } = {}) => {
-    if (!shouldEnableXray(mode, daemonAddress))
-        return client;
-    if (!daemonAddress) {
-        throw new Error('X-Ray capture requested but AWS_XRAY_DAEMON_ADDRESS is not set.');
-    }
-    // Guarded dynamic import: some X-Ray SDK integrations throw when daemon
-    // configuration is missing, so do not import unless we are capturing.
-    let mod;
-    try {
-        mod = (await import('aws-xray-sdk'));
-    }
-    catch {
-        throw new Error("X-Ray capture is enabled but 'aws-xray-sdk' is not installed. Install it or set xray to 'off'.");
-    }
-    const AWSXRay = (mod.default ?? mod);
-    if (typeof AWSXRay.captureAWSv3Client !== 'function') {
-        logger.debug('aws-xray-sdk does not expose captureAWSv3Client', AWSXRay);
-        throw new Error('aws-xray-sdk missing captureAWSv3Client export.');
-    }
-    logger.debug('Enabling AWS X-Ray capture for AWS SDK v3 client.');
-    return AWSXRay.captureAWSv3Client(client);
-};
-
 /**
  * Requirements addressed:
  * - Provide a public tools-style wrapper `AwsSecretsManagerTools`.
  * - Package consumers should not need to construct SecretsManagerClient; they
- *   should use `AwsSecretsManagerTools.init(...)` and optionally import AWS SDK
- *   Commands for advanced operations.
+ *   should construct `new AwsSecretsManagerTools(...)` and optionally import
+ *   AWS SDK Commands for advanced operations.
  * - Expose the fully configured SDK client via `tools.client`.
  * - Support optional AWS X-Ray capture:
  *   - Default “auto”: enable only when AWS_XRAY_DAEMON_ADDRESS is set.
  *   - In “auto”, if the daemon address is set but aws-xray-sdk is missing,
  *     throw with a clear message.
- * - Enforce a minimal logger contract (debug/info/warn/error); do not attempt
- *   to polyfill or proxy unknown loggers.
+ * - Enforce the get-dotenv minimal Logger contract (debug/info/warn/error);
+ *   validate and throw (no polyfills or proxies).
  * - Secret values are JSON object maps of env vars.
  */
-const assertLogger = (candidate) => {
-    if (!candidate || typeof candidate !== 'object') {
-        throw new Error('logger must be an object with debug, info, warn, and error methods');
-    }
-    const logger = candidate;
-    if (typeof logger.debug !== 'function' ||
-        typeof logger.info !== 'function' ||
-        typeof logger.warn !== 'function' ||
-        typeof logger.error !== 'function') {
-        throw new Error('logger must implement debug, info, warn, and error methods; wrap/proxy your logger if needed');
-    }
-    return logger;
-};
-const parseEnvSecretMap = (secretString) => {
+const parseProcessEnv = (secretString) => {
     let parsed;
     try {
         parsed = JSON.parse(secretString);
@@ -115,7 +64,7 @@ const toSecretString = (value) => JSON.stringify(value);
  * Tools-style AWS Secrets Manager wrapper for env-map secrets.
  *
  * The secret payload is always a JSON object map of environment variables:
- * `Record<string, string | undefined>`.
+ * `ProcessEnv`.
  *
  * Consumers should typically use the convenience methods on this class, and
  * use {@link AwsSecretsManagerTools.client} as an escape hatch when they need
@@ -138,17 +87,8 @@ class AwsSecretsManagerTools {
     logger;
     /** Materialized X-Ray state (mode + enabled + daemonAddress when relevant). */
     xray;
-    constructor({ client, clientConfig, logger, xray, }) {
-        this.client = client;
-        this.clientConfig = clientConfig;
-        this.logger = logger;
-        this.xray = xray;
-    }
     /**
-     * Initialize an `AwsSecretsManagerTools` instance.
-     *
-     * This factory owns all setup (including optional X-Ray capture) so consumers
-     * do not need to construct a base Secrets Manager client themselves.
+     * Construct an `AwsSecretsManagerTools` instance.
      *
      * @throws If `clientConfig.logger` is provided but does not implement
      * `debug`, `info`, `warn`, and `error`.
@@ -156,7 +96,7 @@ class AwsSecretsManagerTools {
      * with `AWS_XRAY_DAEMON_ADDRESS` set) but `aws-xray-sdk` is not installed.
      * @throws If X-Ray capture is requested but `AWS_XRAY_DAEMON_ADDRESS` is not set.
      */
-    static async init({ clientConfig = {}, xray: xrayMode = 'auto', } = {}) {
+    constructor({ clientConfig = {}, xray: xrayMode = 'auto', } = {}) {
         const logger = assertLogger(clientConfig.logger ?? console);
         const effectiveClientConfig = {
             ...clientConfig,
@@ -171,18 +111,16 @@ class AwsSecretsManagerTools {
             ...(enabled && daemonAddress ? { daemonAddress } : {}),
         };
         const effectiveClient = enabled
-            ? await captureAwsSdkV3Client(base, {
+            ? captureAwsSdkV3Client(base, {
                 mode: xrayMode,
                 logger,
                 daemonAddress,
             })
             : base;
-        return new AwsSecretsManagerTools({
-            client: effectiveClient,
-            clientConfig: effectiveClientConfig,
-            logger,
-            xray: xrayState,
-        });
+        this.client = effectiveClient;
+        this.clientConfig = effectiveClientConfig;
+        this.logger = logger;
+        this.xray = xrayState;
     }
     /**
      * Read a Secrets Manager secret and parse it as an env-map secret.
@@ -205,7 +143,7 @@ class AwsSecretsManagerTools {
         if (!res.SecretString) {
             throw new Error('SecretString is missing (binary secrets not supported).');
         }
-        return parseEnvSecretMap(res.SecretString);
+        return parseProcessEnv(res.SecretString);
     }
     /**
      * Write a new version value for an existing secret.
@@ -312,96 +250,6 @@ class AwsSecretsManagerTools {
     }
 }
 
-/**
- * Requirements addressed:
- * - Secret name expansion expands against `{ ...process.env, ...ctx.dotenv }`.
- * - include/exclude ignore unknown keys; use radash (no lodash).
- */
-const buildExpansionEnv = (ctxDotenv) => ({
-    ...process.env,
-    ...ctxDotenv,
-});
-const expandSecretName = (raw, envRef) => dotenvExpand(raw, envRef) ?? raw;
-const applyIncludeExclude = (env, { include, exclude, }) => {
-    let out = env;
-    if (exclude?.length)
-        out = omit(out, exclude);
-    if (include?.length)
-        out = pick(out, include);
-    return out;
-};
-
-/**
- * Requirements addressed:
- * - Enforce AWS Secrets Manager SecretString size limits (65,536 bytes).
- * - Provide safe parsing helpers for CLI-mapped inputs.
- * - Render config-derived defaults in dynamic option help text.
- * - Access aws plugin ctx state via runtime narrowing (no casts).
- */
-const silentLogger = {
-    debug: () => {
-        // no-op
-    },
-    info: () => {
-        // no-op
-    },
-    warn: () => {
-        // no-op
-    },
-    error: () => {
-        // no-op
-    },
-};
-const requireString = (v, msg) => {
-    if (typeof v !== 'string' || !v)
-        throw new Error(msg);
-    return v;
-};
-const toNumber = (v) => {
-    if (typeof v === 'undefined')
-        return;
-    if (typeof v === 'number')
-        return v;
-    if (typeof v === 'string' && v.trim())
-        return Number(v);
-    return;
-};
-const assertBytesWithinSecretsManagerLimit = (value) => {
-    const s = JSON.stringify(value);
-    const bytes = Buffer.byteLength(s, 'utf8');
-    if (bytes > 65_536) {
-        throw new Error(`SecretString size ${String(bytes)} bytes exceeds 65536 bytes; narrow selection with --from/--include/--exclude.`);
-    }
-};
-const describeDefault = (v) => {
-    if (Array.isArray(v))
-        return v.length ? v.join(' ') : 'none';
-    if (typeof v === 'string' && v.trim())
-        return v;
-    return 'none';
-};
-const isRecord = (v) => typeof v === 'object' && v !== null;
-const getAwsRegion = (ctx) => {
-    if (!isRecord(ctx.plugins))
-        return;
-    const aws = ctx.plugins['aws'];
-    if (!isRecord(aws))
-        return;
-    const region = aws['region'];
-    return typeof region === 'string' ? region : undefined;
-};
-const describeConfigKeyListDefaults = ({ cfgInclude, cfgExclude, }) => {
-    // Avoid throwing in help rendering: show an explicit invalid marker.
-    if (cfgInclude?.length && cfgExclude?.length) {
-        const msg = '(invalid: both set in config)';
-        return { includeDefault: msg, excludeDefault: msg };
-    }
-    return {
-        includeDefault: describeDefault(cfgExclude?.length ? undefined : cfgInclude),
-        excludeDefault: describeDefault(cfgInclude?.length ? undefined : cfgExclude),
-    };
-};
-
 /**
  * Requirements addressed:
  * - Provide `aws secrets delete`.
@@ -431,14 +279,14 @@ const registerDeleteCommand = ({ cli, plugin, }) => {
         const logger = console;
         const ctx = cli.getCtx();
         const cfg = plugin.readConfig(del);
-        const envRef = buildExpansionEnv(ctx.dotenv);
+        const envRef = buildSpawnEnv(process.env, ctx.dotenv);
         const secretNameRaw = opts.secretName ?? cfg.secretName ?? '$STACK_NAME';
-        const secretId = expandSecretName(secretNameRaw, envRef);
+        const secretId = dotenvExpand(secretNameRaw, envRef);
         if (!secretId)
             throw new Error('secret-name is required.');
         const recoveryWindowInDays = toNumber(opts.recoveryWindowDays);
         const region = getAwsRegion(ctx);
-        const tools = await AwsSecretsManagerTools.init({
+        const tools = new AwsSecretsManagerTools({
             clientConfig: region
                 ? { region, logger: sdkLogger }
                 : { logger: sdkLogger },
@@ -715,13 +563,13 @@ const registerPullCommand = ({ cli, plugin, }) => {
         const privateToken = rootOpts.privateToken ?? 'local';
         const toRaw = opts.to ?? cfg.pull?.to ?? 'env:private';
         const to = parseToSelector(toRaw);
-        const envRef = buildExpansionEnv(ctx.dotenv);
+        const envRef = buildSpawnEnv(process.env, ctx.dotenv);
         const secretNameRaw = opts.secretName ?? cfg.secretName ?? '$STACK_NAME';
-        const secretId = expandSecretName(secretNameRaw, envRef);
+        const secretId = dotenvExpand(secretNameRaw, envRef);
         if (!secretId)
             throw new Error('secret-name is required.');
-        const region = getAwsRegion(ctx);
-        const tools = await AwsSecretsManagerTools.init({
+        const region = getAwsRegion$1(ctx);
+        const tools = new AwsSecretsManagerTools({
             clientConfig: region
                 ? { region, logger: sdkLogger }
                 : { logger: sdkLogger },
@@ -747,7 +595,7 @@ const registerPullCommand = ({ cli, plugin, }) => {
             ? await editDotenvFile(secrets, {
                 ...editCommon,
                 scope: 'env',
-                env: requireString(bag.env ?? bag.defaultEnv, 'env is required (use --env or defaultEnv).'),
+                env: requireString(bag.env, 'env is required (use --env or defaultEnv).'),
             })
             : await editDotenvFile(secrets, {
                 ...editCommon,
@@ -820,16 +668,16 @@ const registerPushCommand = ({ cli, plugin, }) => {
             cfgInclude: cfg.push?.include,
             cfgExclude: cfg.push?.exclude,
         });
-        const envRef = buildExpansionEnv(ctx.dotenv);
+        const envRef = buildSpawnEnv(process.env, ctx.dotenv);
         const secretNameRaw = opts.secretName ?? cfg.secretName ?? '$STACK_NAME';
-        const secretId = expandSecretName(secretNameRaw, envRef);
+        const secretId = dotenvExpand(secretNameRaw, envRef);
         if (!secretId)
             throw new Error('secret-name is required.');
         const selected = selectEnvByProvenance(ctx.dotenv, ctx.dotenvProvenance, fromSelectors);
         const secrets = applyIncludeExclude(selected, { include, exclude });
-        assertBytesWithinSecretsManagerLimit(secrets);
-        const region = getAwsRegion(ctx);
-        const tools = await AwsSecretsManagerTools.init({
+        assertByteLimit(secrets, 65_536, (v, l) => `SecretString size ${String(v)} bytes exceeds ${String(l)} bytes; narrow selection with --from/--include/--exclude.`);
+        const region = getAwsRegion$1(ctx);
+        const tools = new AwsSecretsManagerTools({
             clientConfig: region
                 ? { region, logger: sdkLogger }
                 : { logger: sdkLogger },

package/package.json

@@ -13,12 +13,9 @@
     "url": "https://github.com/karmaniverous/aws-secrets-manager-tools/issues"
   },
   "dependencies": {
-    "@aws-sdk/client-secrets-manager": "^3.958.0",
-    "@karmaniverous/get-dotenv": "^6.4.0",
-    "radash": "^12.1.1"
-  },
-  "peerDependencies": {
-    "aws-xray-sdk": "^3.12.0"
+    "@aws-sdk/client-secrets-manager": "^3.965.0",
+    "@karmaniverous/aws-xray-tools": "^0.2.0",
+    "@karmaniverous/get-dotenv": "^7.0.5"
   },
   "peerDependenciesMeta": {
     "aws-xray-sdk": {
@@ -36,7 +33,7 @@
     "@types/fs-extra": "^11.0.4",
     "@types/node": "^25.0.3",
     "@vitest/coverage-v8": "^4.0.16",
-    "@vitest/eslint-plugin": "^1.6.4",
+    "@vitest/eslint-plugin": "^1.6.6",
     "auto-changelog": "^2.5.0",
     "aws-xray-sdk": "^3.12.0",
     "eslint": "^9.39.2",
@@ -45,13 +42,13 @@
     "eslint-plugin-simple-import-sort": "^12.1.1",
     "eslint-plugin-tsdoc": "^0.5.0",
     "fs-extra": "^11.3.3",
-    "happy-dom": "^20.0.11",
-    "knip": "^5.78.0",
+    "happy-dom": "^20.1.0",
+    "knip": "^5.80.0",
     "lefthook": "^2.0.13",
     "prettier": "^3.7.4",
-    "release-it": "^19.2.2",
+    "release-it": "^19.2.3",
     "rimraf": "^6.1.2",
-    "rollup": "^4.54.0",
+    "rollup": "^4.55.1",
     "rollup-plugin-dts": "^6.3.0",
     "tslib": "^2.8.1",
     "tsx": "^4.21.0",
@@ -59,7 +56,7 @@
     "typedoc-plugin-mdn-links": "^5.0.10",
     "typedoc-plugin-replace-text": "^4.2.0",
     "typescript": "^5.9.3",
-    "typescript-eslint": "^8.51.0",
+    "typescript-eslint": "^8.52.0",
     "vitest": "^4.0.16"
   },
   "engines": {
@@ -108,15 +105,15 @@
         "npm run knip",
         "npm run build"
       ],
-      "before:npm:release": [
-        "npx auto-changelog -p",
-        "npm run docs",
-        "git add -A"
-      ],
       "after:release": [
         "git switch -c release/${version}",
         "git push -u origin release/${version}",
         "git switch ${branchName}"
+      ],
+      "after:bump": [
+        "npx auto-changelog -p",
+        "npm run docs",
+        "git add CHANGELOG.md"
       ]
     },
     "npm": {
@@ -144,5 +141,5 @@
   },
   "type": "module",
   "types": "dist/index.d.ts",
-  "version": "0.1.1"
+  "version": "0.2.1"
 }