@rusamer/env-guards 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 EnvGod
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,107 @@
+# EnvGod SDK
+
+A secure, server-side Node.js and Next.js SDK for fetching environment bundles from the EnvGod Data Plane.
+
+## Features
+
+- **Secure by Default**: Throws if executed in a browser environment.
+- **In-Memory Only**: Never writes secrets to disk or logs them.
+- **Auto-Auth**: Exchanges `ENVGOD_API_KEY` for short-lived JWTs.
+- **Smart Caching**: Caches tokens and bundles in memory until expiry.
+- **Reliable**: Automatic retry on 401 (token expiry) and network resiliency.
+- **Next.js Ready**: Dedicated `envgod/next` entry point with `server-only` guards.
+
+## Installation
+
+```bash
+npm install @rusamer/envgod
+# or
+pnpm add @rusamer/envgod
+# or
+yarn add @rusamer/envgod
+```
+
+## Configuration
+
+The SDK automatically reads the following environment variables:
+
+| Variable | Description |
+|C...|...|
+| `ENVGOD_API_URL` | URL of the EnvGod Data Plane |
+| `ENVGOD_API_KEY` | Your project Service Key |
+| `ENVGOD_PROJECT` | Project ID |
+| `ENVGOD_ENV` | Environment Name (e.g., prod) |
+| `ENVGOD_SERVICE` | Service Name |
+
+```env
+ENVGOD_API_URL=https://api.example.com
+ENVGOD_API_KEY=sk_xxx
+ENVGOD_PROJECT=myapp
+ENVGOD_ENV=prod
+ENVGOD_SERVICE=web
+```
+
+## Usage
+
+### Node.js
+
+```typescript
+import { loadEnv } from '@rusamer/envgod';
+
+async function main() {
+  const env = await loadEnv();
+  
+  console.log(process.env.MY_SECRET); // Accessed from process.env
+  console.log(env.MY_SECRET);         // Or from the returned object
+}
+
+main();
+```
+
+### Next.js (App Router / Server Actions)
+
+Use the Next.js specific helper to ensure server-side only execution.
+
+```typescript
+// src/lib/env.ts
+import { loadServerEnv } from '@rusamer/envgod/next';
+
+export async function getSecrets() {
+  return loadServerEnv();
+}
+```
+
+```typescript
+// src/app/page.tsx
+import { getSecrets } from '@/lib/env';
+
+export default async function Page() {
+  const env = await getSecrets();
+  return <div>Secret length: {env.API_KEY.length}</div>;
+}
+```
+
+## Security Notes
+
+1. **Server-Only**: This SDK is designed strictly for server environments. It explicitly checks for `window` and imports `server-only` in the Next.js entrypoint.
+2. **No Persistence**: Secrets are held in memory. Restarting the server will trigger a fresh fetch.
+3. **Logs**: The SDK does not log secret values.
+
+## For Maintainers
+
+### Build
+
+```bash
+pnpm build
+```
+
+### Test
+
+```bash
+pnpm test
+```
+
+### Publish
+
+1. `npm version patch`
+2. `npm publish`

package/dist/index.d.mts

@@ -0,0 +1,8 @@
+import { L as LoadEnvOptions } from './types-BxDfpIC9.mjs';
+export { A as AuthExchangeResponse, B as BundleResponse, E as EnvGuardsConfig } from './types-BxDfpIC9.mjs';
+
+/** @internal For testing only */
+declare function _resetState(): void;
+declare function loadEnv(options?: LoadEnvOptions): Promise<Record<string, string>>;
+
+export { LoadEnvOptions, _resetState, loadEnv };

package/dist/index.d.ts

@@ -0,0 +1,8 @@
+import { L as LoadEnvOptions } from './types-BxDfpIC9.js';
+export { A as AuthExchangeResponse, B as BundleResponse, E as EnvGuardsConfig } from './types-BxDfpIC9.js';
+
+/** @internal For testing only */
+declare function _resetState(): void;
+declare function loadEnv(options?: LoadEnvOptions): Promise<Record<string, string>>;
+
+export { LoadEnvOptions, _resetState, loadEnv };

package/dist/index.js

@@ -0,0 +1,239 @@
+'use strict';
+
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require : typeof Proxy !== "undefined" ? new Proxy(x, {
+  get: (a, b) => (typeof require !== "undefined" ? require : a)[b]
+}) : x)(function(x) {
+  if (typeof require !== "undefined") return require.apply(this, arguments);
+  throw Error('Dynamic require of "' + x + '" is not supported');
+});
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
+var __commonJS = (cb, mod) => function __require2() {
+  return mod || (0, cb[__getOwnPropNames(cb)[0]])((mod = { exports: {} }).exports, mod), mod.exports;
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+
+// node_modules/keytar/build/Release/keytar.node
+var keytar_default;
+var init_keytar = __esm({
+  "node_modules/keytar/build/Release/keytar.node"() {
+    keytar_default = "./keytar-F4YAPN53.node";
+  }
+});
+
+// node-file:D:\projects\envguards-sdk\node_modules\keytar\build\Release\keytar.node
+var require_keytar = __commonJS({
+  "node-file:D:\\projects\\envguards-sdk\\node_modules\\keytar\\build\\Release\\keytar.node"(exports$1, module) {
+    init_keytar();
+    try {
+      module.exports = __require(keytar_default);
+    } catch {
+    }
+  }
+});
+
+// node_modules/keytar/lib/keytar.js
+var require_keytar2 = __commonJS({
+  "node_modules/keytar/lib/keytar.js"(exports$1, module) {
+    var keytar = require_keytar();
+    function checkRequired(val, name) {
+      if (!val || val.length <= 0) {
+        throw new Error(name + " is required.");
+      }
+    }
+    module.exports = {
+      getPassword: function(service, account) {
+        checkRequired(service, "Service");
+        checkRequired(account, "Account");
+        return keytar.getPassword(service, account);
+      },
+      setPassword: function(service, account, password) {
+        checkRequired(service, "Service");
+        checkRequired(account, "Account");
+        checkRequired(password, "Password");
+        return keytar.setPassword(service, account, password);
+      },
+      deletePassword: function(service, account) {
+        checkRequired(service, "Service");
+        checkRequired(account, "Account");
+        return keytar.deletePassword(service, account);
+      },
+      findPassword: function(service) {
+        checkRequired(service, "Service");
+        return keytar.findPassword(service);
+      },
+      findCredentials: function(service) {
+        checkRequired(service, "Service");
+        return keytar.findCredentials(service);
+      }
+    };
+  }
+});
+
+// src/index.ts
+var cache = /* @__PURE__ */ new Map();
+var pendingLoadPromise = null;
+function _resetState() {
+  cache.clear();
+  pendingLoadPromise = null;
+}
+function checkBrowser() {
+  if (typeof window !== "undefined") {
+    throw new Error("[Env.Guards] Security Warning: SDK execution attempting in browser environment. This SDK is server-only.");
+  }
+}
+async function fetchWithTimeout(url, init) {
+  const { timeout = 5e3, ...rest } = init;
+  const controller = new AbortController();
+  const id = setTimeout(() => controller.abort(), timeout);
+  try {
+    const res = await fetch(url, { ...rest, signal: controller.signal });
+    return res;
+  } catch (err) {
+    if (err.name === "AbortError") {
+      throw new Error(`[Env.Guards] Request timed out after ${timeout}ms`);
+    }
+    throw err;
+  } finally {
+    clearTimeout(id);
+  }
+}
+async function resolveRuntimeKey(config) {
+  if (config.apiKey) return config.apiKey;
+  if (process.env.ENV_GUARDS_API_KEY) return process.env.ENV_GUARDS_API_KEY;
+  try {
+    const keytar = (await Promise.resolve().then(() => __toESM(require_keytar2()))).default;
+    const SERVICE = "env-guards";
+    const { apiUrl, org, project, env, service } = config;
+    if (apiUrl && org && project && env && service) {
+      const account = `runtime:${apiUrl}:${org}:${project}:${env}:${service}`;
+      const key = await keytar.getPassword(SERVICE, account);
+      if (key) return key;
+    }
+  } catch (err) {
+  }
+  throw new Error("[Env.Guards] Runtime key not found. Please set ENV_GUARDS_API_KEY, use `env-guards run`, or run `env-guards add-runtime-key`.");
+}
+function getFullConfig(options) {
+  const env = process.env;
+  return {
+    apiUrl: options?.config?.apiUrl ?? env.ENV_GUARDS_API_URL,
+    apiKey: options?.config?.apiKey ?? env.ENV_GUARDS_API_KEY,
+    org: options?.config?.org ?? env.ENV_GUARDS_ORG,
+    project: options?.config?.project ?? env.ENV_GUARDS_PROJECT,
+    env: options?.config?.env ?? env.ENV_GUARDS_ENV,
+    service: options?.config?.service ?? env.ENV_GUARDS_SERVICE
+  };
+}
+async function exchangeToken(apiUrl, runtimeKey, scope, timeout, state) {
+  const res = await fetchWithTimeout(`${apiUrl}/v1/auth/exchange`, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      "Authorization": `Bearer ${runtimeKey}`
+    },
+    body: JSON.stringify(scope),
+    timeout
+  });
+  if (!res.ok) {
+    throw new Error(`[Env.Guards] Auth exchange failed: ${res.status} ${res.statusText}`);
+  }
+  const data = await res.json();
+  state.token = data.token;
+  state.tokenExpiresAt = new Date(data.expiresAt).getTime();
+  return data.token;
+}
+async function fetchBundle(apiUrl, token, timeout) {
+  const res = await fetchWithTimeout(`${apiUrl}/v1/bundle`, {
+    method: "GET",
+    headers: { "Authorization": `Bearer ${token}` },
+    timeout
+  });
+  if (res.status === 401) throw new Error("401");
+  if (!res.ok) throw new Error(`[Env.Guards] Fetch bundle failed: ${res.status} ${res.statusText}`);
+  const data = await res.json();
+  return data.values;
+}
+function getConfigFingerprint(apiUrl, runtimeKey, config) {
+  const keyPrefix = runtimeKey.substring(0, 12);
+  return [apiUrl, keyPrefix, config.org, config.project, config.env, config.service].join("|");
+}
+async function loadEnvInternal(options) {
+  checkBrowser();
+  const config = getFullConfig(options);
+  const { apiUrl, ...scope } = config;
+  if (!apiUrl) {
+    throw new Error("[Env.Guards] Missing required configuration: apiUrl is required.");
+  }
+  const runtimeKey = await resolveRuntimeKey(config);
+  const timeout = options?.timeout ?? 5e3;
+  const now = Date.now();
+  const TOKEN_SKEW_MS = 30 * 1e3;
+  const fingerprint = getConfigFingerprint(apiUrl, runtimeKey, config);
+  if (!cache.has(fingerprint)) {
+    cache.set(fingerprint, { token: null, tokenExpiresAt: null, bundle: null });
+  }
+  const state = cache.get(fingerprint);
+  let token = state.token;
+  let tokenValid = token && state.tokenExpiresAt && state.tokenExpiresAt > now + TOKEN_SKEW_MS;
+  if (!tokenValid) {
+    token = await exchangeToken(apiUrl, runtimeKey, scope, timeout, state);
+  }
+  if (state.bundle && tokenValid) {
+    Object.assign(process.env, state.bundle);
+    return state.bundle;
+  }
+  try {
+    const values = await fetchBundle(apiUrl, token, timeout);
+    state.bundle = values;
+    Object.assign(process.env, values);
+    return values;
+  } catch (err) {
+    if (err.message === "401") {
+      state.token = null;
+      state.bundle = null;
+      const newToken = await exchangeToken(apiUrl, runtimeKey, scope, timeout, state);
+      const values = await fetchBundle(apiUrl, newToken, timeout);
+      state.bundle = values;
+      Object.assign(process.env, values);
+      return values;
+    }
+    throw err;
+  }
+}
+function loadEnv(options) {
+  if (pendingLoadPromise) {
+    return pendingLoadPromise;
+  }
+  pendingLoadPromise = loadEnvInternal(options).finally(() => {
+    pendingLoadPromise = null;
+  });
+  return pendingLoadPromise;
+}
+
+exports._resetState = _resetState;
+exports.loadEnv = loadEnv;
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["node-file:D:/projects/envguards-sdk/node_modules/keytar/build/Release/keytar.node","../node_modules/keytar/lib/keytar.js","../src/index.ts"],"names":["exports","require_keytar"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,IAAA,cAAA,GAAA,UAAA,CAAA;AAAA,EAAA,0FAAA,CAAAA,SAAA,EAAA,MAAA,EAAA;AACY,IAAA,WAAA,EAAA;AACA,IAAA,IAAI;AAAE,MAAA,MAAA,CAAO,OAAA,GAAU,UAAQ,cAAI,CAAA;AAAA,IAAE,CAAA,CAAA,MAC/B;AAAA,IAAC;AAAA,EAAA;AAAA,CAAA,CAAA;;;ACHnB,IAAAC,eAAAA,GAAA,UAAA,CAAA;AAAA,EAAA,mCAAA,CAAAD,SAAA,EAAA,MAAA,EAAA;AAAA,IAAA,IAAI,MAAA,GAAS,cAAA,EAAA;AAEb,IAAA,SAAS,aAAA,CAAc,KAAK,IAAA,EAAM;AAChC,MAAA,IAAI,CAAC,GAAA,IAAO,GAAA,CAAI,MAAA,IAAU,CAAA,EAAG;AAC3B,QAAA,MAAM,IAAI,KAAA,CAAM,IAAA,GAAO,eAAe,CAAA;AAAA,MACxC;AAAA,IACF;AAEA,IAAA,MAAA,CAAO,OAAA,GAAU;AAAA,MACf,WAAA,EAAa,SAAU,OAAA,EAAS,OAAA,EAAS;AACvC,QAAA,aAAA,CAAc,SAAS,SAAS,CAAA;AAChC,QAAA,aAAA,CAAc,SAAS,SAAS,CAAA;AAEhC,QAAA,OAAO,MAAA,CAAO,WAAA,CAAY,OAAA,EAAS,OAAO,CAAA;AAAA,MAC5C,CAAA;AAAA,MAEA,WAAA,EAAa,SAAU,OAAA,EAAS,OAAA,EAAS,QAAA,EAAU;AACjD,QAAA,aAAA,CAAc,SAAS,SAAS,CAAA;AAChC,QAAA,aAAA,CAAc,SAAS,SAAS,CAAA;AAChC,QAAA,aAAA,CAAc,UAAU,UAAU,CAAA;AAElC,QAAA,OAAO,MAAA,CAAO,WAAA,CAAY,OAAA,EAAS,OAAA,EAAS,QAAQ,CAAA;AAAA,MACtD,CAAA;AAAA,MAEA,cAAA,EAAgB,SAAU,OAAA,EAAS,OAAA,EAAS;AAC1C,QAAA,aAAA,CAAc,SAAS,SAAS,CAAA;AAChC,QAAA,aAAA,CAAc,SAAS,SAAS,CAAA;AAEhC,QAAA,OAAO,MAAA,CAAO,cAAA,CAAe,OAAA,EAAS,OAAO,CAAA;AAAA,MAC/C,CAAA;AAAA,MAEA,YAAA,EAAc,SAAU,OAAA,EAAS;AAC/B,QAAA,aAAA,CAAc,SAAS,SAAS,CAAA;AAEhC,QAAA,OAAO,MAAA,CAAO,aAAa,OAAO,CAAA;AAAA,MACpC,CAAA;AAAA,MAEA,eAAA,EAAiB,SAAU,OAAA,EAAS;AAClC,QAAA,aAAA,CAAc,SAAS,SAAS,CAAA;AAEhC,QAAA,OAAO,MAAA,CAAO,gBAAgB,OAAO,CAAA;AAAA,MACvC;AAAA,KACF;AAAA,EAAA;AAAA,CAAA,CAAA;;;ACjCA,IAAM,KAAA,uBAAY,GAAA,EAAwB;AAC1C,IAAI,kBAAA,GAA6D,IAAA;AAG1D,SAAS,WAAA,GAAc;AAC1B,EAAA,KAAA,CAAM,KAAA,EAAM;AACZ,EAAA,kBAAA,GAAqB,IAAA;AACzB;AAIA,SAAS,YAAA,GAAe;AACpB,EAAA,IAAI,OAAO,WAAW,WAAA,EAAa;AAC/B,IAAA,MAAM,IAAI,MAAM,0GAA0G,CAAA;AAAA,EAC9H;AACJ;AAEA,eAAe,gBAAA,CAAiB,KAAa,IAAA,EAA0C;AACnF,EAAA,MAAM,EAAE,OAAA,GAAU,GAAA,EAAM,GAAG,MAAK,GAAI,IAAA;AACpC,EAAA,MAAM,UAAA,GAAa,IAAI,eAAA,EAAgB;AACvC,EAAA,MAAM,KAAK,UAAA,CAAW,MAAM,UAAA,CAAW,KAAA,IAAS,OAAO,CAAA;AAEvD,EAAA,IAAI;AACA,IAAA,MAAM,GAAA,GAAM,MAAM,KAAA,CAAM,GAAA,EAAK,EAAE,GAAG,IAAA,EAAM,MAAA,EAAQ,UAAA,CAAW,MAAA,EAAQ,CAAA;AACnE,IAAA,OAAO,GAAA;AAAA,EACX,SAAS,GAAA,EAAU;AACf,IAAA,IAAI,GAAA,CAAI,SAAS,YAAA,EAAc;AAC3B,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,qCAAA,EAAwC,OAAO,CAAA,EAAA,CAAI,CAAA;AAAA,IACvE;AACA,IAAA,MAAM,GAAA;AAAA,EACV,CAAA,SAAE;AACE,IAAA,YAAA,CAAa,EAAE,CAAA;AAAA,EACnB;AACJ;AAIA,eAAe,kBAAkB,MAAA,EAA0C;AAEvE,EAAA,IAAI,MAAA,CAAO,MAAA,EAAQ,OAAO,MAAA,CAAO,MAAA;AAGjC,EAAA,IAAI,OAAA,CAAQ,GAAA,CAAI,kBAAA,EAAoB,OAAO,QAAQ,GAAA,CAAI,kBAAA;AAGvD,EAAA,IAAI;AACA,IAAA,MAAM,MAAA,GAAA,CAAU,MAAM,OAAA,CAAA,OAAA,EAAA,CAAA,IAAA,CAAA,MAAA,OAAA,CAAA,eAAA,EAAA,CAAA,CAAA,EAAkB,OAAA;AACxC,IAAA,MAAM,OAAA,GAAU,YAAA;AAChB,IAAA,MAAM,EAAE,MAAA,EAAQ,GAAA,EAAK,OAAA,EAAS,GAAA,EAAK,SAAQ,GAAI,MAAA;AAC/C,IAAA,IAAI,MAAA,IAAU,GAAA,IAAO,OAAA,IAAW,GAAA,IAAO,OAAA,EAAS;AAC5C,MAAA,MAAM,OAAA,GAAU,CAAA,QAAA,EAAW,MAAM,CAAA,CAAA,EAAI,GAAG,IAAI,OAAO,CAAA,CAAA,EAAI,GAAG,CAAA,CAAA,EAAI,OAAO,CAAA,CAAA;AACrE,MAAA,MAAM,GAAA,GAAM,MAAM,MAAA,CAAO,WAAA,CAAY,SAAS,OAAO,CAAA;AACrD,MAAA,IAAI,KAAK,OAAO,GAAA;AAAA,IACpB;AAAA,EACJ,SAAS,GAAA,EAAK;AAAA,EAEd;AAEA,EAAA,MAAM,IAAI,MAAM,+HAA+H,CAAA;AACnJ;AAEA,SAAS,cAAc,OAAA,EAA2C;AAC9D,EAAA,MAAM,MAAM,OAAA,CAAQ,GAAA;AACpB,EAAA,OAAO;AAAA,IACH,MAAA,EAAQ,OAAA,EAAS,MAAA,EAAQ,MAAA,IAAU,GAAA,CAAI,kBAAA;AAAA,IACvC,MAAA,EAAQ,OAAA,EAAS,MAAA,EAAQ,MAAA,IAAU,GAAA,CAAI,kBAAA;AAAA,IACvC,GAAA,EAAK,OAAA,EAAS,MAAA,EAAQ,GAAA,IAAO,GAAA,CAAI,cAAA;AAAA,IACjC,OAAA,EAAS,OAAA,EAAS,MAAA,EAAQ,OAAA,IAAW,GAAA,CAAI,kBAAA;AAAA,IACzC,GAAA,EAAK,OAAA,EAAS,MAAA,EAAQ,GAAA,IAAO,GAAA,CAAI,cAAA;AAAA,IACjC,OAAA,EAAS,OAAA,EAAS,MAAA,EAAQ,OAAA,IAAW,GAAA,CAAI;AAAA,GAC7C;AACJ;AAEA,eAAe,aAAA,CAAc,MAAA,EAAgB,UAAA,EAAoB,KAAA,EAAiC,SAAiB,KAAA,EAAoC;AACnJ,EAAA,MAAM,GAAA,GAAM,MAAM,gBAAA,CAAiB,CAAA,EAAG,MAAM,CAAA,iBAAA,CAAA,EAAqB;AAAA,IAC7D,MAAA,EAAQ,MAAA;AAAA,IACR,OAAA,EAAS;AAAA,MACL,cAAA,EAAgB,kBAAA;AAAA,MAChB,eAAA,EAAiB,UAAU,UAAU,CAAA;AAAA,KACzC;AAAA,IACA,IAAA,EAAM,IAAA,CAAK,SAAA,CAAU,KAAK,CAAA;AAAA,IAC1B;AAAA,GACH,CAAA;AAED,EAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACT,IAAA,MAAM,IAAI,MAAM,CAAA,mCAAA,EAAsC,GAAA,CAAI,MAAM,CAAA,CAAA,EAAI,GAAA,CAAI,UAAU,CAAA,CAAE,CAAA;AAAA,EACxF;AAEA,EAAA,MAAM,IAAA,GAAQ,MAAM,GAAA,CAAI,IAAA,EAAK;AAC7B,EAAA,KAAA,CAAM,QAAQ,IAAA,CAAK,KAAA;AACnB,EAAA,KAAA,CAAM,iBAAiB,IAAI,IAAA,CAAK,IAAA,CAAK,SAAS,EAAE,OAAA,EAAQ;AACxD,EAAA,OAAO,IAAA,CAAK,KAAA;AAChB;AAEA,eAAe,WAAA,CAAY,MAAA,EAAgB,KAAA,EAAe,OAAA,EAAkD;AACxG,EAAA,MAAM,GAAA,GAAM,MAAM,gBAAA,CAAiB,CAAA,EAAG,MAAM,CAAA,UAAA,CAAA,EAAc;AAAA,IACtD,MAAA,EAAQ,KAAA;AAAA,IACR,OAAA,EAAS,EAAE,eAAA,EAAiB,CAAA,OAAA,EAAU,KAAK,CAAA,CAAA,EAAG;AAAA,IAC9C;AAAA,GACH,CAAA;AAED,EAAA,IAAI,IAAI,MAAA,KAAW,GAAA,EAAK,MAAM,IAAI,MAAM,KAAK,CAAA;AAC7C,EAAA,IAAI,CAAC,GAAA,CAAI,EAAA,EAAI,MAAM,IAAI,KAAA,CAAM,CAAA,kCAAA,EAAqC,GAAA,CAAI,MAAM,CAAA,CAAA,EAAI,GAAA,CAAI,UAAU,CAAA,CAAE,CAAA;AAEhG,EAAA,MAAM,IAAA,GAAQ,MAAM,GAAA,CAAI,IAAA,EAAK;AAC7B,EAAA,OAAO,IAAA,CAAK,MAAA;AAChB;AAEA,SAAS,oBAAA,CAAqB,MAAA,EAAgB,UAAA,EAAoB,MAAA,EAAiC;AAC/F,EAAA,MAAM,SAAA,GAAY,UAAA,CAAW,SAAA,CAAU,CAAA,EAAG,EAAE,CAAA;AAC5C,EAAA,OAAO,CAAC,MAAA,EAAQ,SAAA,EAAW,MAAA,CAAO,GAAA,EAAK,MAAA,CAAO,OAAA,EAAS,MAAA,CAAO,GAAA,EAAK,MAAA,CAAO,OAAO,CAAA,CAAE,KAAK,GAAG,CAAA;AAC/F;AAEA,eAAe,gBAAgB,OAAA,EAA2D;AACtF,EAAA,YAAA,EAAa;AACb,EAAA,MAAM,MAAA,GAAS,cAAc,OAAO,CAAA;AACpC,EAAA,MAAM,EAAE,MAAA,EAAQ,GAAG,KAAA,EAAM,GAAI,MAAA;AAE7B,EAAA,IAAI,CAAC,MAAA,EAAQ;AACT,IAAA,MAAM,IAAI,MAAM,kEAAkE,CAAA;AAAA,EACtF;AAEA,EAAA,MAAM,UAAA,GAAa,MAAM,iBAAA,CAAkB,MAAM,CAAA;AACjD,EAAA,MAAM,OAAA,GAAU,SAAS,OAAA,IAAW,GAAA;AACpC,EAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AACrB,EAAA,MAAM,gBAAgB,EAAA,GAAK,GAAA;AAE3B,EAAA,MAAM,WAAA,GAAc,oBAAA,CAAqB,MAAA,EAAQ,UAAA,EAAY,MAAM,CAAA;AACnE,EAAA,IAAI,CAAC,KAAA,CAAM,GAAA,CAAI,WAAW,CAAA,EAAG;AACzB,IAAA,KAAA,CAAM,GAAA,CAAI,aAAa,EAAE,KAAA,EAAO,MAAM,cAAA,EAAgB,IAAA,EAAM,MAAA,EAAQ,IAAA,EAAM,CAAA;AAAA,EAC9E;AACA,EAAA,MAAM,KAAA,GAAQ,KAAA,CAAM,GAAA,CAAI,WAAW,CAAA;AAEnC,EAAA,IAAI,QAAQ,KAAA,CAAM,KAAA;AAClB,EAAA,IAAI,aAAa,KAAA,IAAS,KAAA,CAAM,cAAA,IAAkB,KAAA,CAAM,iBAAkB,GAAA,GAAM,aAAA;AAEhF,EAAA,IAAI,CAAC,UAAA,EAAY;AACb,IAAA,KAAA,GAAQ,MAAM,aAAA,CAAc,MAAA,EAAQ,UAAA,EAAY,KAAA,EAAO,SAAS,KAAK,CAAA;AAAA,EACzE;AAEA,EAAA,IAAI,KAAA,CAAM,UAAU,UAAA,EAAY;AAC5B,IAAA,MAAA,CAAO,MAAA,CAAO,OAAA,CAAQ,GAAA,EAAK,KAAA,CAAM,MAAM,CAAA;AACvC,IAAA,OAAO,KAAA,CAAM,MAAA;AAAA,EACjB;AAEA,EAAA,IAAI;AACA,IAAA,MAAM,MAAA,GAAS,MAAM,WAAA,CAAY,MAAA,EAAQ,OAAQ,OAAO,CAAA;AACxD,IAAA,KAAA,CAAM,MAAA,GAAS,MAAA;AACf,IAAA,MAAA,CAAO,MAAA,CAAO,OAAA,CAAQ,GAAA,EAAK,MAAM,CAAA;AACjC,IAAA,OAAO,MAAA;AAAA,EACX,SAAS,GAAA,EAAU;AACf,IAAA,IAAI,GAAA,CAAI,YAAY,KAAA,EAAO;AACvB,MAAA,KAAA,CAAM,KAAA,GAAQ,IAAA;AACd,MAAA,KAAA,CAAM,MAAA,GAAS,IAAA;AACf,MAAA,MAAM,WAAW,MAAM,aAAA,CAAc,QAAQ,UAAA,EAAY,KAAA,EAAO,SAAS,KAAK,CAAA;AAC9E,MAAA,MAAM,MAAA,GAAS,MAAM,WAAA,CAAY,MAAA,EAAQ,UAAU,OAAO,CAAA;AAC1D,MAAA,KAAA,CAAM,MAAA,GAAS,MAAA;AACf,MAAA,MAAA,CAAO,MAAA,CAAO,OAAA,CAAQ,GAAA,EAAK,MAAM,CAAA;AACjC,MAAA,OAAO,MAAA;AAAA,IACX;AACA,IAAA,MAAM,GAAA;AAAA,EACV;AACJ;AAEO,SAAS,QAAQ,OAAA,EAA2D;AAC/E,EAAA,IAAI,kBAAA,EAAoB;AACpB,IAAA,OAAO,kBAAA;AAAA,EACX;AAEA,EAAA,kBAAA,GAAqB,eAAA,CAAgB,OAAO,CAAA,CAAE,OAAA,CAAQ,MAAM;AACxD,IAAA,kBAAA,GAAqB,IAAA;AAAA,EACzB,CAAC,CAAA;AAED,EAAA,OAAO,kBAAA;AACX","file":"index.js","sourcesContent":["\n            import path from \"D:\\\\projects\\\\envguards-sdk\\\\node_modules\\\\keytar\\\\build\\\\Release\\\\keytar.node\"\n            try { module.exports = require(path) }\n            catch {}\n          ","var keytar = require('../build/Release/keytar.node')\n\nfunction checkRequired(val, name) {\n  if (!val || val.length <= 0) {\n    throw new Error(name + ' is required.');\n  }\n}\n\nmodule.exports = {\n  getPassword: function (service, account) {\n    checkRequired(service, 'Service')\n    checkRequired(account, 'Account')\n\n    return keytar.getPassword(service, account)\n  },\n\n  setPassword: function (service, account, password) {\n    checkRequired(service, 'Service')\n    checkRequired(account, 'Account')\n    checkRequired(password, 'Password')\n\n    return keytar.setPassword(service, account, password)\n  },\n\n  deletePassword: function (service, account) {\n    checkRequired(service, 'Service')\n    checkRequired(account, 'Account')\n\n    return keytar.deletePassword(service, account)\n  },\n\n  findPassword: function (service) {\n    checkRequired(service, 'Service')\n\n    return keytar.findPassword(service)\n  },\n\n  findCredentials: function (service) {\n    checkRequired(service, 'Service')\n\n    return keytar.findCredentials(service)\n  }\n}\n","import type { EnvGuardsConfig, LoadEnvOptions, AuthExchangeResponse, BundleResponse } from './types.js';\r\n\r\n// --- State ---\r\ninterface CacheState {\r\n    token: string | null;\r\n    tokenExpiresAt: number | null; // Timestamp in ms\r\n    bundle: Record<string, string> | null;\r\n}\r\n\r\nconst cache = new Map<string, CacheState>();\r\nlet pendingLoadPromise: Promise<Record<string, string>> | null = null;\r\n\r\n/** @internal For testing only */\r\nexport function _resetState() {\r\n    cache.clear();\r\n    pendingLoadPromise = null;\r\n}\r\n\r\n// --- Helpers ---\r\n\r\nfunction checkBrowser() {\r\n    if (typeof window !== 'undefined') {\r\n        throw new Error('[Env.Guards] Security Warning: SDK execution attempting in browser environment. This SDK is server-only.');\r\n    }\r\n}\r\n\r\nasync function fetchWithTimeout(url: string, init: RequestInit & { timeout?: number }) {\r\n    const { timeout = 5000, ...rest } = init;\r\n    const controller = new AbortController();\r\n    const id = setTimeout(() => controller.abort(), timeout);\r\n\r\n    try {\r\n        const res = await fetch(url, { ...rest, signal: controller.signal });\r\n        return res;\r\n    } catch (err: any) {\r\n        if (err.name === 'AbortError') {\r\n            throw new Error(`[Env.Guards] Request timed out after ${timeout}ms`);\r\n        }\r\n        throw err;\r\n    } finally {\r\n        clearTimeout(id);\r\n    }\r\n}\r\n\r\n// --- Core Logic ---\r\n\r\nasync function resolveRuntimeKey(config: EnvGuardsConfig): Promise<string> {\r\n    // 1. Explicitly passed apiKey\r\n    if (config.apiKey) return config.apiKey;\r\n\r\n    // 2. Environment variable\r\n    if (process.env.ENV_GUARDS_API_KEY) return process.env.ENV_GUARDS_API_KEY;\r\n\r\n    // 3. Keytar (for local development, optional)\r\n    try {\r\n        const keytar = (await import('keytar')).default;\r\n        const SERVICE = 'env-guards';\r\n        const { apiUrl, org, project, env, service } = config;\r\n        if (apiUrl && org && project && env && service) {\r\n            const account = `runtime:${apiUrl}:${org}:${project}:${env}:${service}`;\r\n            const key = await keytar.getPassword(SERVICE, account);\r\n            if (key) return key;\r\n        }\r\n    } catch (err) {\r\n        // Keytar is optional, so we ignore errors (e.g., native module not built).\r\n    }\r\n\r\n    throw new Error('[Env.Guards] Runtime key not found. Please set ENV_GUARDS_API_KEY, use `env-guards run`, or run `env-guards add-runtime-key`.');\r\n}\r\n\r\nfunction getFullConfig(options?: LoadEnvOptions): EnvGuardsConfig {\r\n    const env = process.env;\r\n    return {\r\n        apiUrl: options?.config?.apiUrl ?? env.ENV_GUARDS_API_URL,\r\n        apiKey: options?.config?.apiKey ?? env.ENV_GUARDS_API_KEY,\r\n        org: options?.config?.org ?? env.ENV_GUARDS_ORG,\r\n        project: options?.config?.project ?? env.ENV_GUARDS_PROJECT,\r\n        env: options?.config?.env ?? env.ENV_GUARDS_ENV,\r\n        service: options?.config?.service ?? env.ENV_GUARDS_SERVICE,\r\n    };\r\n}\r\n\r\nasync function exchangeToken(apiUrl: string, runtimeKey: string, scope: Partial<EnvGuardsConfig>, timeout: number, state: CacheState): Promise<string> {\r\n    const res = await fetchWithTimeout(`${apiUrl}/v1/auth/exchange`, {\r\n        method: 'POST',\r\n        headers: {\r\n            'Content-Type': 'application/json',\r\n            'Authorization': `Bearer ${runtimeKey}`,\r\n        },\r\n        body: JSON.stringify(scope),\r\n        timeout,\r\n    });\r\n\r\n    if (!res.ok) {\r\n        throw new Error(`[Env.Guards] Auth exchange failed: ${res.status} ${res.statusText}`);\r\n    }\r\n\r\n    const data = (await res.json()) as AuthExchangeResponse;\r\n    state.token = data.token;\r\n    state.tokenExpiresAt = new Date(data.expiresAt).getTime();\r\n    return data.token;\r\n}\r\n\r\nasync function fetchBundle(apiUrl: string, token: string, timeout: number): Promise<Record<string, string>> {\r\n    const res = await fetchWithTimeout(`${apiUrl}/v1/bundle`, {\r\n        method: 'GET',\r\n        headers: { 'Authorization': `Bearer ${token}` },\r\n        timeout,\r\n    });\r\n\r\n    if (res.status === 401) throw new Error('401'); // Signal to retry\r\n    if (!res.ok) throw new Error(`[Env.Guards] Fetch bundle failed: ${res.status} ${res.statusText}`);\r\n\r\n    const data = (await res.json()) as BundleResponse;\r\n    return data.values;\r\n}\r\n\r\nfunction getConfigFingerprint(apiUrl: string, runtimeKey: string, config: EnvGuardsConfig): string {\r\n    const keyPrefix = runtimeKey.substring(0, 12); // env-guards_sk_...\r\n    return [apiUrl, keyPrefix, config.org, config.project, config.env, config.service].join('|');\r\n}\r\n\r\nasync function loadEnvInternal(options?: LoadEnvOptions): Promise<Record<string, string>> {\r\n    checkBrowser();\r\n    const config = getFullConfig(options);\r\n    const { apiUrl, ...scope } = config;\r\n\r\n    if (!apiUrl) {\r\n        throw new Error('[Env.Guards] Missing required configuration: apiUrl is required.');\r\n    }\r\n\r\n    const runtimeKey = await resolveRuntimeKey(config);\r\n    const timeout = options?.timeout ?? 5000;\r\n    const now = Date.now();\r\n    const TOKEN_SKEW_MS = 30 * 1000;\r\n\r\n    const fingerprint = getConfigFingerprint(apiUrl, runtimeKey, config);\r\n    if (!cache.has(fingerprint)) {\r\n        cache.set(fingerprint, { token: null, tokenExpiresAt: null, bundle: null });\r\n    }\r\n    const state = cache.get(fingerprint)!;\r\n\r\n    let token = state.token;\r\n    let tokenValid = token && state.tokenExpiresAt && state.tokenExpiresAt > (now + TOKEN_SKEW_MS);\r\n\r\n    if (!tokenValid) {\r\n        token = await exchangeToken(apiUrl, runtimeKey, scope, timeout, state);\r\n    }\r\n\r\n    if (state.bundle && tokenValid) {\r\n        Object.assign(process.env, state.bundle);\r\n        return state.bundle;\r\n    }\r\n\r\n    try {\r\n        const values = await fetchBundle(apiUrl, token!, timeout);\r\n        state.bundle = values;\r\n        Object.assign(process.env, values);\r\n        return values;\r\n    } catch (err: any) {\r\n        if (err.message === '401') {\r\n            state.token = null;\r\n            state.bundle = null;\r\n            const newToken = await exchangeToken(apiUrl, runtimeKey, scope, timeout, state);\r\n            const values = await fetchBundle(apiUrl, newToken, timeout);\r\n            state.bundle = values;\r\n            Object.assign(process.env, values);\r\n            return values;\r\n        }\r\n        throw err;\r\n    }\r\n}\r\n\r\nexport function loadEnv(options?: LoadEnvOptions): Promise<Record<string, string>> {\r\n    if (pendingLoadPromise) {\r\n        return pendingLoadPromise;\r\n    }\r\n\r\n    pendingLoadPromise = loadEnvInternal(options).finally(() => {\r\n        pendingLoadPromise = null;\r\n    });\r\n\r\n    return pendingLoadPromise;\r\n}\r\n\r\nexport * from './types.js';\r\n"]}

package/dist/index.mjs

@@ -0,0 +1,236 @@
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require : typeof Proxy !== "undefined" ? new Proxy(x, {
+  get: (a, b) => (typeof require !== "undefined" ? require : a)[b]
+}) : x)(function(x) {
+  if (typeof require !== "undefined") return require.apply(this, arguments);
+  throw Error('Dynamic require of "' + x + '" is not supported');
+});
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
+var __commonJS = (cb, mod) => function __require2() {
+  return mod || (0, cb[__getOwnPropNames(cb)[0]])((mod = { exports: {} }).exports, mod), mod.exports;
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+
+// node_modules/keytar/build/Release/keytar.node
+var keytar_default;
+var init_keytar = __esm({
+  "node_modules/keytar/build/Release/keytar.node"() {
+    keytar_default = "./keytar-F4YAPN53.node";
+  }
+});
+
+// node-file:D:\projects\envguards-sdk\node_modules\keytar\build\Release\keytar.node
+var require_keytar = __commonJS({
+  "node-file:D:\\projects\\envguards-sdk\\node_modules\\keytar\\build\\Release\\keytar.node"(exports$1, module) {
+    init_keytar();
+    try {
+      module.exports = __require(keytar_default);
+    } catch {
+    }
+  }
+});
+
+// node_modules/keytar/lib/keytar.js
+var require_keytar2 = __commonJS({
+  "node_modules/keytar/lib/keytar.js"(exports$1, module) {
+    var keytar = require_keytar();
+    function checkRequired(val, name) {
+      if (!val || val.length <= 0) {
+        throw new Error(name + " is required.");
+      }
+    }
+    module.exports = {
+      getPassword: function(service, account) {
+        checkRequired(service, "Service");
+        checkRequired(account, "Account");
+        return keytar.getPassword(service, account);
+      },
+      setPassword: function(service, account, password) {
+        checkRequired(service, "Service");
+        checkRequired(account, "Account");
+        checkRequired(password, "Password");
+        return keytar.setPassword(service, account, password);
+      },
+      deletePassword: function(service, account) {
+        checkRequired(service, "Service");
+        checkRequired(account, "Account");
+        return keytar.deletePassword(service, account);
+      },
+      findPassword: function(service) {
+        checkRequired(service, "Service");
+        return keytar.findPassword(service);
+      },
+      findCredentials: function(service) {
+        checkRequired(service, "Service");
+        return keytar.findCredentials(service);
+      }
+    };
+  }
+});
+
+// src/index.ts
+var cache = /* @__PURE__ */ new Map();
+var pendingLoadPromise = null;
+function _resetState() {
+  cache.clear();
+  pendingLoadPromise = null;
+}
+function checkBrowser() {
+  if (typeof window !== "undefined") {
+    throw new Error("[Env.Guards] Security Warning: SDK execution attempting in browser environment. This SDK is server-only.");
+  }
+}
+async function fetchWithTimeout(url, init) {
+  const { timeout = 5e3, ...rest } = init;
+  const controller = new AbortController();
+  const id = setTimeout(() => controller.abort(), timeout);
+  try {
+    const res = await fetch(url, { ...rest, signal: controller.signal });
+    return res;
+  } catch (err) {
+    if (err.name === "AbortError") {
+      throw new Error(`[Env.Guards] Request timed out after ${timeout}ms`);
+    }
+    throw err;
+  } finally {
+    clearTimeout(id);
+  }
+}
+async function resolveRuntimeKey(config) {
+  if (config.apiKey) return config.apiKey;
+  if (process.env.ENV_GUARDS_API_KEY) return process.env.ENV_GUARDS_API_KEY;
+  try {
+    const keytar = (await Promise.resolve().then(() => __toESM(require_keytar2()))).default;
+    const SERVICE = "env-guards";
+    const { apiUrl, org, project, env, service } = config;
+    if (apiUrl && org && project && env && service) {
+      const account = `runtime:${apiUrl}:${org}:${project}:${env}:${service}`;
+      const key = await keytar.getPassword(SERVICE, account);
+      if (key) return key;
+    }
+  } catch (err) {
+  }
+  throw new Error("[Env.Guards] Runtime key not found. Please set ENV_GUARDS_API_KEY, use `env-guards run`, or run `env-guards add-runtime-key`.");
+}
+function getFullConfig(options) {
+  const env = process.env;
+  return {
+    apiUrl: options?.config?.apiUrl ?? env.ENV_GUARDS_API_URL,
+    apiKey: options?.config?.apiKey ?? env.ENV_GUARDS_API_KEY,
+    org: options?.config?.org ?? env.ENV_GUARDS_ORG,
+    project: options?.config?.project ?? env.ENV_GUARDS_PROJECT,
+    env: options?.config?.env ?? env.ENV_GUARDS_ENV,
+    service: options?.config?.service ?? env.ENV_GUARDS_SERVICE
+  };
+}
+async function exchangeToken(apiUrl, runtimeKey, scope, timeout, state) {
+  const res = await fetchWithTimeout(`${apiUrl}/v1/auth/exchange`, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      "Authorization": `Bearer ${runtimeKey}`
+    },
+    body: JSON.stringify(scope),
+    timeout
+  });
+  if (!res.ok) {
+    throw new Error(`[Env.Guards] Auth exchange failed: ${res.status} ${res.statusText}`);
+  }
+  const data = await res.json();
+  state.token = data.token;
+  state.tokenExpiresAt = new Date(data.expiresAt).getTime();
+  return data.token;
+}
+async function fetchBundle(apiUrl, token, timeout) {
+  const res = await fetchWithTimeout(`${apiUrl}/v1/bundle`, {
+    method: "GET",
+    headers: { "Authorization": `Bearer ${token}` },
+    timeout
+  });
+  if (res.status === 401) throw new Error("401");
+  if (!res.ok) throw new Error(`[Env.Guards] Fetch bundle failed: ${res.status} ${res.statusText}`);
+  const data = await res.json();
+  return data.values;
+}
+function getConfigFingerprint(apiUrl, runtimeKey, config) {
+  const keyPrefix = runtimeKey.substring(0, 12);
+  return [apiUrl, keyPrefix, config.org, config.project, config.env, config.service].join("|");
+}
+async function loadEnvInternal(options) {
+  checkBrowser();
+  const config = getFullConfig(options);
+  const { apiUrl, ...scope } = config;
+  if (!apiUrl) {
+    throw new Error("[Env.Guards] Missing required configuration: apiUrl is required.");
+  }
+  const runtimeKey = await resolveRuntimeKey(config);
+  const timeout = options?.timeout ?? 5e3;
+  const now = Date.now();
+  const TOKEN_SKEW_MS = 30 * 1e3;
+  const fingerprint = getConfigFingerprint(apiUrl, runtimeKey, config);
+  if (!cache.has(fingerprint)) {
+    cache.set(fingerprint, { token: null, tokenExpiresAt: null, bundle: null });
+  }
+  const state = cache.get(fingerprint);
+  let token = state.token;
+  let tokenValid = token && state.tokenExpiresAt && state.tokenExpiresAt > now + TOKEN_SKEW_MS;
+  if (!tokenValid) {
+    token = await exchangeToken(apiUrl, runtimeKey, scope, timeout, state);
+  }
+  if (state.bundle && tokenValid) {
+    Object.assign(process.env, state.bundle);
+    return state.bundle;
+  }
+  try {
+    const values = await fetchBundle(apiUrl, token, timeout);
+    state.bundle = values;
+    Object.assign(process.env, values);
+    return values;
+  } catch (err) {
+    if (err.message === "401") {
+      state.token = null;
+      state.bundle = null;
+      const newToken = await exchangeToken(apiUrl, runtimeKey, scope, timeout, state);
+      const values = await fetchBundle(apiUrl, newToken, timeout);
+      state.bundle = values;
+      Object.assign(process.env, values);
+      return values;
+    }
+    throw err;
+  }
+}
+function loadEnv(options) {
+  if (pendingLoadPromise) {
+    return pendingLoadPromise;
+  }
+  pendingLoadPromise = loadEnvInternal(options).finally(() => {
+    pendingLoadPromise = null;
+  });
+  return pendingLoadPromise;
+}
+
+export { _resetState, loadEnv };
+//# sourceMappingURL=index.mjs.map
+//# sourceMappingURL=index.mjs.map