npm - @rabbitlock/runtime - Versions diffs - 0.1.0 - Mend

@rabbitlock/runtime 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

package/LICENSE +21 -0
package/README.md +38 -0
package/package.json +25 -0
package/pkg/package.json +14 -0
package/pkg/rabbitlock_crypto.d.ts +133 -0
package/pkg/rabbitlock_crypto.js +971 -0
package/pkg/rabbitlock_crypto_bg.js +849 -0
package/pkg/rabbitlock_crypto_bg.wasm +0 -0
package/pkg/rabbitlock_crypto_bg.wasm.d.ts +30 -0
package/rabbitlock-env.mjs +163 -0
package/rabbitlock_env.py +83 -0
package/runtime.test.mjs +110 -0

package/pkg/rabbitlock_crypto_bg.wasm ADDED Viewed

Binary file

package/pkg/rabbitlock_crypto_bg.wasm.d.ts ADDED Viewed

@@ -0,0 +1,30 @@
+/* tslint:disable */
+/* eslint-disable */
+export const memory: WebAssembly.Memory;
+export const greet: (a: number, b: number) => [number, number];
+export const parse_and_verify_sops: (a: number, b: number) => [number, number];
+export const derive_hybrid_keypair: (a: number, b: number) => [number, number, number, number];
+export const verify_sops_integrity: (a: number, b: number, c: number, d: number) => [number, number];
+export const decrypt_data_key: (a: number, b: number, c: number, d: number) => [number, number, number, number];
+export const decrypt_and_verify_sops: (a: number, b: number, c: number, d: number) => [number, number, number, number];
+export const decrypt_sops_content: (a: number, b: number, c: number, d: number) => [number, number, number, number];
+export const encrypt_sops_json: (a: number, b: number, c: number, d: number) => [number, number, number, number];
+export const encrypt_sops_json_for_recipient: (a: number, b: number, c: number, d: number) => [number, number, number, number];
+export const pq_generate_keypair: () => [number, number];
+export const pq_encapsulate: (a: number, b: number) => [number, number, number, number];
+export const pq_decapsulate: (a: number, b: number, c: number, d: number) => [number, number, number, number];
+export const pq_mlkem_generate_keypair: () => [number, number];
+export const pq_mlkem_encapsulate: (a: number, b: number) => [number, number, number, number];
+export const pq_mlkem_decapsulate: (a: number, b: number, c: number, d: number) => [number, number, number, number];
+export const pq_get_sizes: () => [number, number];
+export const create_zip_archive: (a: any) => [number, number, number, number];
+export const encrypt_binary_hybrid: (a: number, b: number, c: number, d: number) => [number, number, number, number];
+export const decrypt_binary_hybrid: (a: number, b: number, c: number, d: number) => [number, number, number, number];
+export const __wbindgen_malloc: (a: number, b: number) => number;
+export const __wbindgen_realloc: (a: number, b: number, c: number, d: number) => number;
+export const __wbindgen_exn_store: (a: number) => void;
+export const __externref_table_alloc: () => number;
+export const __wbindgen_externrefs: WebAssembly.Table;
+export const __wbindgen_free: (a: number, b: number, c: number) => void;
+export const __externref_table_dealloc: (a: number) => void;
+export const __wbindgen_start: () => void;

package/rabbitlock-env.mjs ADDED Viewed

@@ -0,0 +1,163 @@
+#!/usr/bin/env node
+/**
+ * Minimal runtime helper: decrypts a SOPS JSON file with your PQ seed and
+ * exports env-style key/value pairs.
+ *
+ * Usage:
+ *   rabbitlock-env --seed $RABBITLOCK_SEED_HEX --in env.sops.json --export
+ *   rabbitlock-env --seed $RABBITLOCK_SEED_HEX --in env.sops.json --json
+ *   rabbitlock-env --seed $RABBITLOCK_SEED_HEX --in env.sops.json --write-env .env
+ */
+import fs from "fs";
+import path from "path";
+import { fileURLToPath } from "url";
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = path.dirname(__filename);
+const args = process.argv.slice(2);
+const config = {
+  seed: process.env.RABBITLOCK_SEED_HEX || "",
+  input: "env.sops.json",
+  exportEnv: false,
+  outputEnvPath: "",
+  outputJson: false,
+};
+for (let i = 0; i < args.length; i++) {
+  const arg = args[i];
+  if (arg === "--seed") {
+    config.seed = args[++i] || "";
+  } else if (arg === "--in") {
+    config.input = args[++i] || config.input;
+  } else if (arg === "--export") {
+    config.exportEnv = true;
+  } else if (arg === "--write-env") {
+    config.outputEnvPath = args[++i] || "";
+  } else if (arg === "--json") {
+    config.outputJson = true;
+  } else if (arg === "--help" || arg === "-h") {
+    printHelp();
+    process.exit(0);
+  }
+}
+if (!config.seed) {
+  console.error(
+    "Missing seed. Provide --seed $RABBITLOCK_SEED_HEX or set RABBITLOCK_SEED_HEX.",
+  );
+  process.exit(1);
+}
+const wasmPath = path.resolve(__dirname, "./pkg/rabbitlock_crypto.js");
+const {
+  default: initWasm,
+  initSync,
+  derive_hybrid_keypair,
+  decrypt_data_key,
+  decrypt_sops_content,
+  verify_sops_integrity,
+} = await import(wasmPath);
+const wasmBytesPath = path.resolve(
+  __dirname,
+  "./pkg/rabbitlock_crypto_bg.wasm",
+);
+const loadWasm = async () => {
+  // Node: avoid fetch(file://...) by using initSync with local bytes.
+  if (typeof window === "undefined") {
+    const bytes = fs.readFileSync(wasmBytesPath);
+    initSync({ module: bytes });
+  } else {
+    await initWasm();
+  }
+};
+await loadWasm();
+const derivePrivateKey = (seedHex) => {
+  const kp = derive_hybrid_keypair(seedHex);
+  const idx = kp.indexOf(":");
+  if (idx === -1) {
+    throw new Error("Failed to derive hybrid keypair from seed.");
+  }
+  return kp.slice(0, idx);
+};
+const flattenEnv = (value, prefix = "", acc = new Map()) => {
+  if (value && typeof value === "object" && !Array.isArray(value)) {
+    for (const [k, v] of Object.entries(value)) {
+      const nextPrefix = prefix ? `${prefix}_${k}` : k;
+      flattenEnv(v, nextPrefix, acc);
+    }
+  } else if (Array.isArray(value)) {
+    value.forEach((v, idx) => flattenEnv(v, `${prefix}_${idx}`, acc));
+  } else {
+    const key = prefix.toUpperCase();
+    const val =
+      typeof value === "string"
+        ? value
+        : value === null
+          ? ""
+          : JSON.stringify(value);
+    acc.set(key, val);
+  }
+  return acc;
+};
+const run = () => {
+  const inputPath = path.resolve(process.cwd(), config.input);
+  const raw = fs.readFileSync(inputPath, "utf8");
+  const privateKey = derivePrivateKey(config.seed.trim());
+  const dataKey = decrypt_data_key(raw, privateKey);
+  const verified = verify_sops_integrity(raw, dataKey);
+  if (!verified.includes("Passed")) {
+    throw new Error(`Integrity check failed: ${verified}`);
+  }
+  const plaintext = decrypt_sops_content(raw, privateKey);
+  const json = JSON.parse(plaintext);
+  if (config.outputJson) {
+    console.log(JSON.stringify(json, null, 2));
+  }
+  if (config.exportEnv || config.outputEnvPath) {
+    const envLines = Array.from(flattenEnv(json).entries()).map(
+      ([k, v]) => `${k}=${v}`,
+    );
+    if (config.outputEnvPath) {
+      fs.writeFileSync(config.outputEnvPath, envLines.join("\n"));
+      console.error(
+        `Wrote ${envLines.length} entries to ${config.outputEnvPath}`,
+      );
+    } else {
+      console.log(envLines.join("\n"));
+    }
+  }
+};
+function printHelp() {
+  console.log(`RabbitLock env helper
+Options:
+  --seed <hex>        RABBITLOCK_SEED_HEX (or set env var)
+  --in <path>         SOPS JSON file (default: env.sops.json)
+  --export            Print env-style KEY=value lines
+  --write-env <path>  Write env lines to a file
+  --json              Print plaintext JSON
+  --help              Show this help
+`);
+}
+try {
+  run();
+} catch (err) {
+  console.error(err instanceof Error ? err.message : String(err));
+  process.exit(1);
+}

package/rabbitlock_env.py ADDED Viewed

@@ -0,0 +1,83 @@
+"""
+Lightweight Python shim for RabbitLock SOPS runtime.
+Requires Node available to execute `rabbitlock-env.mjs` (uses bundled Wasm).
+Usage:
+    from rabbitlock_env import load_env_dict, load_env_into_os
+    env_dict = load_env_dict(seed_hex="...", sops_path="env.sops.json")
+    load_env_into_os(seed_hex="...", sops_path="env.sops.json")
+"""
+from __future__ import annotations
+import json
+import os
+import subprocess
+from pathlib import Path
+from typing import Any, Dict
+ROOT = Path(__file__).resolve().parent
+NODE_CLI = ROOT / "rabbitlock-env.mjs"
+def _flatten_env(
+    value: Any, prefix: str = "", acc: Dict[str, str] | None = None
+) -> Dict[str, str]:
+    if acc is None:
+        acc = {}
+    if isinstance(value, dict):
+        for k, v in value.items():
+            _flatten_env(v, f"{prefix}_{k}" if prefix else k, acc)
+    elif isinstance(value, list):
+        for idx, v in enumerate(value):
+            _flatten_env(v, f"{prefix}_{idx}", acc)
+    else:
+        key = prefix.upper()
+        acc[key] = value if isinstance(value, str) else json.dumps(value)
+    return acc
+def _run_node(seed_hex: str, sops_path: str) -> Dict[str, Any]:
+    cmd = [
+        "node",
+        str(NODE_CLI),
+        "--seed",
+        seed_hex,
+        "--in",
+        sops_path,
+        "--json",
+    ]
+    result = subprocess.run(
+        cmd, check=True, text=True, capture_output=True, cwd=str(ROOT)
+    )
+    return json.loads(result.stdout)
+def load_env_dict(
+    seed_hex: str | None = None, sops_path: str | None = None
+) -> Dict[str, str]:
+    """Return a flat dict of env-style key/value pairs from a SOPS file."""
+    seed = seed_hex or os.environ.get("RABBITLOCK_SEED_HEX")
+    if not seed:
+        raise ValueError("Provide seed_hex or set RABBITLOCK_SEED_HEX")
+    path = sops_path or os.environ.get("RABBITLOCK_SOPS_PATH") or "env.sops.json"
+    plaintext = _run_node(seed, path)
+    return _flatten_env(plaintext)
+def load_env_into_os(
+    seed_hex: str | None = None, sops_path: str | None = None
+) -> Dict[str, str]:
+    """Populate os.environ with decrypted values and return the flat dict."""
+    env_dict = load_env_dict(seed_hex, sops_path)
+    os.environ.update(env_dict)
+    return env_dict
+if __name__ == "__main__":
+    sops_path_env = os.environ.get("RABBITLOCK_SOPS_PATH")
+    data = load_env_into_os(sops_path=sops_path_env)
+    for k, v in data.items():
+        print(f"{k}={v}")

package/runtime.test.mjs ADDED Viewed

@@ -0,0 +1,110 @@
+import { test } from "node:test";
+import assert from "node:assert/strict";
+import fs from "node:fs";
+import os from "node:os";
+import path from "node:path";
+import { execFileSync } from "node:child_process";
+import initWasm, {
+  initSync,
+  derive_hybrid_keypair,
+  encrypt_sops_json_for_recipient,
+} from "./pkg/rabbitlock_crypto.js";
+const wasmUrl = new URL("./pkg/rabbitlock_crypto_bg.wasm", import.meta.url);
+const wasmBytes = fs.readFileSync(wasmUrl);
+initSync({ module: wasmBytes });
+const seedHex =
+  "1111111111111111111111111111111111111111111111111111111111111111"; // 32 bytes hex
+const cliPath = new URL("./rabbitlock-env.mjs", import.meta.url).pathname;
+const pyPath = new URL("./rabbitlock_env.py", import.meta.url).pathname;
+const makeTempSops = (plainObj) => {
+  const kp = derive_hybrid_keypair(seedHex);
+  const [, publicKey] = kp.split(":");
+  const sopsJson = encrypt_sops_json_for_recipient(
+    JSON.stringify(plainObj),
+    publicKey,
+  );
+  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "rabbitlock-"));
+  const filePath = path.join(dir, "env.sops.json");
+  fs.writeFileSync(filePath, sopsJson);
+  return { filePath, dir };
+};
+test("Node CLI --json and --export round-trip env", () => {
+  const fixture = { API_KEY: "abc", DB_URL: "postgres://example" };
+  const { filePath, dir } = makeTempSops(fixture);
+  const jsonOut = execFileSync(
+    "node",
+    [cliPath, "--seed", seedHex, "--in", filePath, "--json"],
+    { encoding: "utf8" },
+  );
+  const parsed = JSON.parse(jsonOut);
+  assert.deepEqual(parsed, fixture);
+  const exportOut = execFileSync(
+    "node",
+    [cliPath, "--seed", seedHex, "--in", filePath, "--export"],
+    { encoding: "utf8" },
+  );
+  const kv = Object.fromEntries(
+    exportOut
+      .trim()
+      .split("\n")
+      .map((line) => line.split("=")),
+  );
+  assert.equal(kv.API_KEY, "abc");
+  assert.equal(kv.DB_URL, "postgres://example");
+  fs.rmSync(dir, { recursive: true, force: true });
+});
+test("Python shim loads env via Node helper", () => {
+  const pythonCmd = detectPython();
+  if (!pythonCmd) {
+    test.skip("python not available");
+    return;
+  }
+  const fixture = { API_KEY: "xyz", REGION: "us-west-2" };
+  const { filePath, dir } = makeTempSops(fixture);
+  const output = execFileSync(pythonCmd, [pyPath], {
+    encoding: "utf8",
+    env: {
+      ...process.env,
+      RABBITLOCK_SEED_HEX: seedHex,
+      RABBITLOCK_SOPS_PATH: filePath,
+    },
+  });
+  const kv = Object.fromEntries(
+    output
+      .trim()
+      .split("\n")
+      .map((line) => line.split("=")),
+  );
+  assert.equal(kv.API_KEY, "xyz");
+  assert.equal(kv.REGION, "us-west-2");
+  fs.rmSync(dir, { recursive: true, force: true });
+});
+function detectPython() {
+  const candidates = ["python", "python3"];
+  for (const cmd of candidates) {
+    try {
+      execFileSync(cmd, ["--version"], { stdio: "ignore" });
+      return cmd;
+    } catch {
+      // try next
+    }
+  }
+  return null;
+}