npm - @replayio/app-building - Versions diffs - 1.12.0 → 1.14.0 - Mend

@replayio/app-building 1.12.0 → 1.14.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/README.md CHANGED Viewed

@@ -14,6 +14,8 @@ npm install @replayio/app-building
 import {
   loadDotEnv,
   FileContainerRegistry,
+  getInfisicalConfig,
+  resolveContainerSecrets,
   createMachine,
   destroyMachine,
   type ContainerConfig,
@@ -23,14 +25,17 @@ import {
   httpOptsFor,
 } from "@replayio/app-building";
-// Assemble config once at startup
-const envVars = loadDotEnv("/path/to/project");
+// Load orchestration vars from .env, then fetch build secrets from Infisical
+const orchestrationVars = loadDotEnv("/path/to/project");
+const infisicalConfig = getInfisicalConfig(orchestrationVars);
+const containerSecrets = await resolveContainerSecrets(infisicalConfig);
 const config: ContainerConfig = {
   projectRoot: "/path/to/project",  // optional — only needed for local Docker operations
-  envVars,
+  envVars: containerSecrets,
   registry: new FileContainerRegistry("/path/to/.container-registry.jsonl"),
-  flyToken: envVars.FLY_API_TOKEN,
-  flyApp: envVars.FLY_APP_NAME,
+  flyToken: orchestrationVars.FLY_API_TOKEN,
+  flyApp: orchestrationVars.FLY_APP_NAME,
 };
 // Create a Fly machine (automatically provisions a volume)
@@ -54,7 +59,7 @@ await destroyMachine(config.flyApp, config.flyToken, machineId, volumeId);
 | Export | Description |
 |---|---|
-| `ContainerConfig` | Interface bundling all external state: optional `projectRoot` (only needed for local Docker operations), `envVars`, `registry`, optional `flyToken`/`flyApp`/`imageRef`/`webhookUrl`/`detached`/`initialPrompt`. See [Webhooks](#webhooks) and [Container lifecycle](#container-lifecycle) below. |
+| `ContainerConfig` | Interface bundling all external state: optional `projectRoot` (only needed for local Docker operations), `envVars` (build secrets from Infisical), `registry`, optional `flyToken`/`flyApp`/`imageRef`/`webhookUrl`/`webhookSecret`/`detached`/`initialPrompt`/`localPort`. See [Webhooks](#webhooks) and [Container lifecycle](#container-lifecycle) below. |
 | `RepoOptions` | Per-invocation git settings: `repoUrl`, `cloneBranch`, `pushBranch`. |
 | `ContainerRegistry` | Interface for container registry storage. Methods: `log`, `markStopped`, `clearStopped`, `getRecent`, `find`, `findAlive`. |
 | `FileContainerRegistry` | Built-in file-backed implementation of `ContainerRegistry`, backed by a `.jsonl` file. |
@@ -183,7 +188,7 @@ so that interactive users can send follow-up messages at any time.
 ## Webhooks
-Set `webhookUrl` on `ContainerConfig` to receive real-time notifications of container activity. The container POSTs JSON to that URL on key events (no retries; failures are logged to stderr). If `WEBHOOK_SECRET` is set in the environment, the container sends it as a `Bearer` token in the `Authorization` header.
+Set `webhookUrl` on `ContainerConfig` to receive real-time notifications of container activity. The container POSTs JSON to that URL on key events (no retries; failures are logged to stderr). Set `webhookSecret` to include a `Bearer` token in the `Authorization` header for authenticating webhook requests.
 ### Payload format
@@ -224,10 +229,15 @@ Every POST body has this shape:
 ### Example
 ```ts
+const orchestrationVars = loadDotEnv("/path/to/project");
+const infisicalConfig = getInfisicalConfig(orchestrationVars);
+const containerSecrets = await resolveContainerSecrets(infisicalConfig);
 const config: ContainerConfig = {
   projectRoot: "/path/to/project",
-  envVars: loadDotEnv("/path/to/project"),
+  envVars: containerSecrets,
   registry: new FileContainerRegistry("/path/to/.container-registry.jsonl"),
   webhookUrl: "https://example.com/hooks/container-events",
+  webhookSecret: "your-webhook-secret",
 };
 ```

package/dist/secrets.d.ts CHANGED Viewed

@@ -3,6 +3,11 @@ export interface InfisicalConfig {
     projectId: string;
     environment: string;
 }
+/**
+ * Log in to Infisical using Universal Auth (Client ID + Client Secret).
+ * Returns a short-lived access token (default 30 day TTL).
+ */
+export declare function infisicalLogin(clientId: string, clientSecret: string): Promise<string>;
 /**
  * Fetch secrets from an Infisical folder path.
  * Returns a key-value record of secret names to values.
@@ -23,7 +28,9 @@ export declare function fetchBranchSecrets(config: InfisicalConfig, branch: stri
  */
 export declare function resolveContainerSecrets(config: InfisicalConfig): Promise<Record<string, string>>;
 /**
- * Extract Infisical config from environment variables.
- * Throws if any required Infisical var is missing.
+ * Extract Infisical config from environment variables and log in.
+ * Reads INFISICAL_CLIENT_ID, INFISICAL_CLIENT_SECRET, INFISICAL_PROJECT_ID,
+ * and INFISICAL_ENVIRONMENT from the env vars.
+ * Throws if any required var is missing.
  */
-export declare function getInfisicalConfig(envVars: Record<string, string>): InfisicalConfig;
+export declare function getInfisicalConfig(envVars: Record<string, string>): Promise<InfisicalConfig>;

package/dist/secrets.js CHANGED Viewed

@@ -12,6 +12,23 @@ function getRequiredSecretKeys() {
         .filter((l) => l && l.includes("="))
         .map((l) => l.split("=")[0].trim());
 }
+/**
+ * Log in to Infisical using Universal Auth (Client ID + Client Secret).
+ * Returns a short-lived access token (default 30 day TTL).
+ */
+export async function infisicalLogin(clientId, clientSecret) {
+    const res = await fetch(`${INFISICAL_API_BASE}/api/v1/auth/universal-auth/login`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ clientId, clientSecret }),
+    });
+    if (!res.ok) {
+        const body = await res.text().catch(() => "");
+        throw new Error(`Infisical login failed → ${res.status}: ${body}`);
+    }
+    const data = (await res.json());
+    return data.accessToken;
+}
 async function infisicalFetch(path, config) {
     const res = await fetch(`${INFISICAL_API_BASE}${path}`, {
         headers: {
@@ -76,20 +93,25 @@ export async function resolveContainerSecrets(config) {
     return secrets;
 }
 /**
- * Extract Infisical config from environment variables.
- * Throws if any required Infisical var is missing.
+ * Extract Infisical config from environment variables and log in.
+ * Reads INFISICAL_CLIENT_ID, INFISICAL_CLIENT_SECRET, INFISICAL_PROJECT_ID,
+ * and INFISICAL_ENVIRONMENT from the env vars.
+ * Throws if any required var is missing.
  */
-export function getInfisicalConfig(envVars) {
-    const token = envVars.INFISICAL_TOKEN;
+export async function getInfisicalConfig(envVars) {
+    const clientId = envVars.INFISICAL_CLIENT_ID;
+    const clientSecret = envVars.INFISICAL_CLIENT_SECRET;
     const projectId = envVars.INFISICAL_PROJECT_ID;
     const environment = envVars.INFISICAL_ENVIRONMENT;
     const missing = [
-        !token && "INFISICAL_TOKEN",
+        !clientId && "INFISICAL_CLIENT_ID",
+        !clientSecret && "INFISICAL_CLIENT_SECRET",
         !projectId && "INFISICAL_PROJECT_ID",
         !environment && "INFISICAL_ENVIRONMENT",
     ].filter(Boolean);
     if (missing.length > 0) {
         throw new Error(`Missing Infisical config in .env: ${missing.join(", ")}`);
     }
-    return { token: token, projectId: projectId, environment: environment };
+    const token = await infisicalLogin(clientId, clientSecret);
+    return { token, projectId: projectId, environment: environment };
 }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@replayio/app-building",
-  "version": "1.12.0",
+  "version": "1.14.0",
   "description": "Library for managing agentic app-building containers",
   "type": "module",
   "exports": {