npm - @saasak/tool-env - Versions diffs - 1.0.0 → 1.0.2 - Mend

@saasak/tool-env 1.0.0 → 1.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/bin/index.js CHANGED Viewed

@@ -1,3 +1,5 @@
+#!/usr/bin/env node
 import minimist from 'minimist';
 import fs from 'fs-extra';
 import path from 'path';
@@ -164,27 +166,30 @@ async function encryptCommand() {
 }
 async function besafeCommand() {
-	const relativeEnvPath = path.relative(__root, envFile);
+	// Find git root to ensure we're in a repository and use correct base path
+	const { stdout: gitRoot, exitCode: gitCheck } = await execa('git', ['rev-parse', '--show-toplevel'], { cwd: __root, reject: false });
+	if (gitCheck !== 0) {
+		return;
+	}
-	try {
-		const { stdout: stagedDiff } = await execa('git', ['diff', '--cached', '--name-only', '--', relativeEnvPath], { cwd: __root, reject: false });
-		const { stdout: unstagedDiff } = await execa('git', ['diff', '--name-only', '--', relativeEnvPath], { cwd: __root, reject: false });
-		const { stdout: untracked } = await execa('git', ['ls-files', '--others', '--exclude-standard', '--', relativeEnvPath], { cwd: __root, reject: false });
+	const relativeEnvPath = path.relative(gitRoot, envFile);
-		if (!stagedDiff?.trim() && !unstagedDiff?.trim() && !untracked?.trim()) {
-			return;
-		}
-	} catch (error) {
+	// Check if file has any changes (staged, unstaged, or untracked)
+	const { stdout: staged } = await execa('git', ['diff', '--cached', '--name-only', '--', relativeEnvPath], { cwd: gitRoot, reject: false });
+	const { stdout: unstaged } = await execa('git', ['diff', '--name-only', '--', relativeEnvPath], { cwd: gitRoot, reject: false });
+	const { stdout: untracked } = await execa('git', ['ls-files', '--others', '--exclude-standard', '--', relativeEnvPath], { cwd: gitRoot, reject: false });
+	if (!staged?.trim() && !unstaged?.trim() && !untracked?.trim()) {
 		return;
 	}
-	await encrypt();
+	await encryptCommand();
 	if (!secret) {
-		console.error('Warning: potential security risk: secret not provided. Variables WERE NOT be encrypted.');
+		console.error('Warning: potential security risk: secret not provided. Variables WERE NOT encrypted.');
 	}
-	await execa('git', ['add', relativeEnvPath], { cwd: __root });
+	await execa('git', ['add', relativeEnvPath], { cwd: gitRoot });
 }
 async function addCommand() {

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "@saasak/tool-env",
   "license": "MIT",
-  "version": "1.0.0",
+  "version": "1.0.2",
   "author": "dev@saasak.studio",
   "description": "A small util to manage environment variables for your monorepo",
   "keywords": [
@@ -12,7 +12,8 @@
   "type": "module",
   "main": "bin/index.js",
   "files": [
-    "bin"
+    "bin",
+    "src"
   ],
   "bin": {
     "wrenv": "bin/index.js"

package/src/utils-crypto.js ADDED Viewed

@@ -0,0 +1,90 @@
+import crypto from 'crypto';
+// Constants for AES-256-GCM encryption
+// GCM provides authenticated encryption (confidentiality + integrity)
+// Using 256-bit keys for strong security
+const ENCRYPTION_PREFIX = '$enc$';
+const ALGORITHM = 'aes-256-gcm';
+const IV_LENGTH = 16; // 128 bits
+const SALT_LENGTH = 64; // 512 bits
+const TAG_LENGTH = 16; // 128 bits
+const KEY_LENGTH = 32; // 256 bits
+const ITERATIONS = 100000; // PBKDF2 iterations
+/**
+ * Derive a 256-bit key from a secret using PBKDF2
+ * This ensures consistent key generation from variable-length secrets
+ * and adds computational cost to prevent brute-force attacks
+ */
+function deriveKey(secret, salt) {
+	return crypto.pbkdf2Sync(secret, salt, ITERATIONS, KEY_LENGTH, 'sha256');
+}
+/**
+ * Encrypt a string value using AES-256-GCM
+ * Returns a string with format: $enc$<base64(salt+iv+ciphertext+tag)>
+ * Each encryption uses a unique salt and IV, so the same plaintext produces different ciphertexts
+ */
+export function encrypt(plaintext, secret) {
+	if (!plaintext) return plaintext;
+	const salt = crypto.randomBytes(SALT_LENGTH);
+	const iv = crypto.randomBytes(IV_LENGTH);
+	const key = deriveKey(secret, salt);
+	const cipher = crypto.createCipheriv(ALGORITHM, key, iv);
+	let encrypted = cipher.update(plaintext, 'utf8');
+	encrypted = Buffer.concat([encrypted, cipher.final()]);
+	const tag = cipher.getAuthTag();
+	// Combine: salt + iv + encrypted + tag, then base64 encode
+	const combined = Buffer.concat([salt, iv, encrypted, tag]);
+	const encoded = combined.toString('base64');
+	return `${ENCRYPTION_PREFIX}${encoded}`;
+}
+/**
+ * Decrypt an encrypted string
+ * Strips the prefix and decodes the base64 payload
+ * GCM authentication tag ensures the data hasn't been tampered with
+ */
+export function decrypt(encrypted, secret) {
+	if (!encrypted || !isEncrypted(encrypted)) {
+		return encrypted;
+	}
+	// Remove prefix and decode
+	const encoded = encrypted.slice(ENCRYPTION_PREFIX.length);
+	const combined = Buffer.from(encoded, 'base64');
+	// Extract components
+	const salt = combined.slice(0, SALT_LENGTH);
+	const iv = combined.slice(SALT_LENGTH, SALT_LENGTH + IV_LENGTH);
+	const tag = combined.slice(-TAG_LENGTH);
+	const encryptedData = combined.slice(
+		SALT_LENGTH + IV_LENGTH,
+		-TAG_LENGTH
+	);
+	const key = deriveKey(secret, salt);
+	const decipher = crypto.createDecipheriv(ALGORITHM, key, iv);
+	decipher.setAuthTag(tag);
+	let decrypted = decipher.update(encryptedData);
+	decrypted = Buffer.concat([decrypted, decipher.final()]);
+	return decrypted.toString('utf8');
+}
+/**
+ * Check if a string is encrypted by looking for the prefix
+ * This allows the system to detect encrypted values without attempting decryption
+ */
+export function isEncrypted(value) {
+	return typeof value === 'string' && value.startsWith(ENCRYPTION_PREFIX);
+}

package/src/utils-env.js ADDED Viewed

@@ -0,0 +1,58 @@
+import { decrypt, isEncrypted } from './utils-crypto.js';
+// ========================================
+// Helpers for core logic
+// ========================================
+export function buildEnv(secret, target, env, names) {
+	const variablesForAllTargets = env.variables;
+	const overrides = env.overrides || {};
+	// For each variable, extract the value for the target env
+	const variables = Object.entries(variablesForAllTargets).reduce((acc, entry) => {
+		const [key, value] = entry;
+		return {
+			...acc,
+			[key]: extractValue(secret, value[target] || value['@@'] || '')
+		};
+	}, {});
+	// For each package, get all variables
+	// compute the overrides and merge them
+	// allVars is an object with the package name as key
+	// and the variables as value like so
+	// => { [name]: { [variable]: value } }
+	const allVars = names.reduce((acc, name) => {
+		acc[name] = {
+			...variables,
+			...parseOverrides(secret, target, overrides[name], variables)
+		};
+		return acc;
+	}, {});
+	return allVars;
+}
+function parseOverrides(secret, target, overrides, vars) {
+	if (!secret) return {};
+	if (!overrides) return {};
+	return Object.entries(overrides).reduce((acc, entry) => {
+		const [key, val] = entry;
+		const value = extractValue(secret, val[target] || val['@@'] || '');
+		if (value === null) return acc;
+		acc[key] = Array.isArray(value)
+			? value.map(v => vars[v] || v).join('')
+			: value
+		return acc;
+	}, {});
+}
+function extractValue(secret, value) {
+	if (!isEncrypted(value)) return value;
+	if (!secret) return '';
+	return decrypt(value, secret);
+}

package/src/utils-pkg.js ADDED Viewed

@@ -0,0 +1,68 @@
+import path from 'path';
+import fs from 'fs-extra';
+export async function findMonorepoPackages(rootDir, scope = null, maxDepth = 4) {
+	const packages = [];
+	async function processPackage(pkgPath, pkgDir) {
+		try {
+			const pkgContent = await fs.readFile(pkgPath, 'utf8');
+			const pkg = JSON.parse(pkgContent);
+			if (scope && !pkg.name?.startsWith(`${scope}/`)) {
+				return null;
+			}
+			return {
+				name: pkg.name,
+				dir: pkgDir,
+			};
+		} catch (err) {
+			return null;
+		}
+	}
+	async function traverse(dir, currentDepth = 0) {
+		if (currentDepth > maxDepth) return;
+		try {
+			const entries = await fs.readdir(dir, { withFileTypes: true });
+			for (const entry of entries) {
+				const fullPath = path.join(dir, entry.name);
+				if (entry.name === 'node_modules' || entry.isSymbolicLink()) {
+					continue;
+				}
+				if (!entry.isDirectory()) continue;
+				const pkgPath = path.join(fullPath, 'package.json');
+				const exists = await fs.pathExists(pkgPath);
+				if (exists) {
+					const pkg = await processPackage(pkgPath, fullPath);
+					packages.push(pkg);
+				}
+				await traverse(fullPath, currentDepth + 1);
+			}
+		} catch (err) {
+			return;
+		}
+	}
+	const rootPkgPath = path.join(rootDir, 'package.json');
+	const exists = await fs.pathExists(rootPkgPath);
+	if (!exists) return [];
+	const pkg = await processPackage(rootPkgPath, rootDir);
+	if (!pkg) return [];
+	packages.push(pkg);
+	await traverse(rootDir, 0);
+	return packages;
+}