@safeki/nuxt 0.1.1 → 0.1.3

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 safeki
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -1,74 +1,153 @@
-<!--
-Get your module up and running quickly.
-
-Find and replace all on all files (CMD+SHIFT+F):
-- Name: My Module
-- Package name: @safeki/nuxt
-- Description: My new Nuxt module
--->
-
-# My Module
+# @safeki/nuxt
 
 [![npm version][npm-version-src]][npm-version-href]
 [![npm downloads][npm-downloads-src]][npm-downloads-href]
 [![License][license-src]][license-href]
 [![Nuxt][nuxt-src]][nuxt-href]
 
-My new Nuxt module for doing amazing things.
-
-- [✨ &nbsp;Release Notes](/CHANGELOG.md)
-<!-- - [🏀 Online playground](https://stackblitz.com/github/your-org/@safeki/nuxt?file=playground%2Fapp.vue) -->
-<!-- - [📖 &nbsp;Documentation](https://example.com) -->
+Safekit utilities for Nuxt applications. The module currently provides Sentry setup helpers and server-side crypto helpers for encrypting values during deployment and decrypting them inside Nitro runtime code.
 
 ## Features
 
-<!-- Highlight some of the features your module provide here -->
-- ⛰ &nbsp;Foo
-- 🚠 &nbsp;Bar
-- 🌲 &nbsp;Baz
+- Nuxt module wrapper for `@sentry/nuxt`
+- Private runtime config storage for a Safekit crypto secret key
+- AES-256-GCM encryption and decryption helpers
+- Server auto-imports for decrypting encrypted Safekit values in Nitro code
+- Playground form for testing encrypt and decrypt with a secret key entered directly in the UI
 
 ## Quick Setup
 
-Install the module to your Nuxt application with one command:
+Install the module in your Nuxt application:
 
 ```bash
 npx nuxt module add @safeki/nuxt
 ```
 
-That's it! You can now use My Module in your Nuxt app ✨
-
-
-## Contribution
-
-<details>
-  <summary>Local development</summary>
-  
-  ```bash
-  # Install dependencies
-  npm install
-  
-  # Generate type stubs
-  npm run dev:prepare
-  
-  # Develop with the playground
-  npm run dev
-  
-  # Build the playground
-  npm run dev:build
-  
-  # Run ESLint
-  npm run lint
-  
-  # Run Vitest
-  npm run test
-  npm run test:watch
-  
-  # Release new version
-  npm run release
-  ```
-
-</details>
+Add module options in `nuxt.config.ts`:
+
+```ts
+export default defineNuxtConfig({
+  modules: [
+    ['@safeki/nuxt', {
+      crypto: {
+        secretKey: process.env.SAFEKIT_CRYPTO_SECRET_KEY,
+      },
+      sentry: {
+        telemetry: false,
+        sourcemaps: {
+          disable: true,
+        },
+        client: {
+          dsn: process.env.NUXT_PUBLIC_SENTRY_DSN,
+          tracesSampleRate: 1,
+          replaysSessionSampleRate: 0,
+          replaysOnErrorSampleRate: 1,
+        },
+      },
+    }],
+  ],
+})
+```
+
+## Crypto
+
+Use `@safeki/nuxt/crypto` from a Docker entrypoint or any Node.js script to encrypt values before the Nuxt server starts:
+
+```bash
+node -e "import('@safeki/nuxt/crypto').then(({ encrypt }) => console.log(encrypt(process.env.PLAIN_TEXT, process.env.SAFEKIT_CRYPTO_SECRET_KEY)))"
+```
+
+The encrypted payload uses this format:
+
+```txt
+safekit:v1.<iv>.<authTag>.<encryptedText>
+```
+
+Decrypt inside server routes, server middleware, and Nitro code with the server-only auto-import:
+
+```ts
+export default defineEventHandler(() => {
+  return decryptSafekit('safekit:v1...')
+})
+```
+
+The package exports these crypto helpers:
+
+```ts
+import { decrypt, decryped, encrypt, encryped } from '@safeki/nuxt/crypto'
+```
+
+`encrypt` and `decrypt` are the preferred names. `encryped` and `decryped` are kept as aliases for compatibility with the original API wording.
+
+## Sentry
+
+Client Sentry options are stored under public runtime config and consumed by the module runtime config file. Server Sentry initialization reads from environment variables:
+
+```bash
+SENTRY_DSN=
+SENTRY_ENVIRONMENT=
+SENTRY_RELEASE=
+SENTRY_DEBUG=false
+SENTRY_SEND_DEFAULT_PII=false
+SENTRY_TRACES_SAMPLE_RATE=1
+```
+
+## Module Options
+
+```ts
+interface ModuleOptions {
+  crypto?: {
+    secretKey?: string
+  }
+  sentry?: SentryNuxtModuleOptions & {
+    client?: {
+      dsn?: string
+      environment?: string
+      release?: string
+      debug?: boolean
+      sendDefaultPii?: boolean
+      tracesSampleRate?: number
+      replaysSessionSampleRate?: number
+      replaysOnErrorSampleRate?: number
+      tracePropagationTargets?: string[]
+    }
+  }
+}
+```
+
+If `crypto.secretKey` is not provided, the module falls back to `process.env.SAFEKIT_CRYPTO_SECRET_KEY`.
+
+## Playground
+
+Run the playground locally:
+
+```bash
+npm run dev
+```
+
+The playground includes a crypto form for entering a secret key directly, encrypting plain text, and decrypting the encrypted output.
+
+## Development
+
+```bash
+# Install dependencies
+npm install
+
+# Generate stubs and prepare playground
+npm run dev:prepare
+
+# Start playground
+npm run dev
+
+# Build package
+npm run prepack
+```
+
+The package build emits the Nuxt module entry plus the public `@safeki/nuxt/crypto` subpath used by deployment scripts.
+
+## License
 
+[MIT](./LICENSE)
 
 <!-- Badges -->
 [npm-version-src]: https://img.shields.io/npm/v/@safeki/nuxt/latest.svg?style=flat&colorA=020420&colorB=00DC82

package/dist/crypto.d.mts

@@ -0,0 +1,6 @@
+declare function encrypt(plainText: string, secretKey: string): string;
+declare function decrypt(encryptedText: string, secretKey: string): string;
+declare const encryped: typeof encrypt;
+declare const decryped: typeof decrypt;
+
+export { decryped, decrypt, encryped, encrypt };

package/dist/crypto.mjs

@@ -0,0 +1,55 @@
+import { randomBytes, createCipheriv, createDecipheriv, createHash } from 'node:crypto';
+
+const VERSION = "safekit:v1";
+const ALGORITHM = "aes-256-gcm";
+const IV_LENGTH = 12;
+function assertSecretKey(secretKey) {
+  if (!secretKey) {
+    throw new Error("Safekit crypto secret key is required");
+  }
+}
+function createKey(secretKey) {
+  assertSecretKey(secretKey);
+  return createHash("sha256").update(secretKey).digest();
+}
+function toBase64Url(value) {
+  return value.toString("base64url");
+}
+function fromBase64Url(value) {
+  return Buffer.from(value, "base64url");
+}
+function encrypt(plainText, secretKey) {
+  const iv = randomBytes(IV_LENGTH);
+  const cipher = createCipheriv(ALGORITHM, createKey(secretKey), iv);
+  const encrypted = Buffer.concat([
+    cipher.update(plainText, "utf8"),
+    cipher.final()
+  ]);
+  const authTag = cipher.getAuthTag();
+  return [
+    VERSION,
+    toBase64Url(iv),
+    toBase64Url(authTag),
+    toBase64Url(encrypted)
+  ].join(".");
+}
+function decrypt(encryptedText, secretKey) {
+  const [version, encodedIv, encodedAuthTag, encodedEncrypted] = encryptedText.split(".");
+  if (version !== VERSION || !encodedIv || !encodedAuthTag || !encodedEncrypted) {
+    throw new Error("Invalid Safekit encrypted value");
+  }
+  const decipher = createDecipheriv(
+    ALGORITHM,
+    createKey(secretKey),
+    fromBase64Url(encodedIv)
+  );
+  decipher.setAuthTag(fromBase64Url(encodedAuthTag));
+  return Buffer.concat([
+    decipher.update(fromBase64Url(encodedEncrypted)),
+    decipher.final()
+  ]).toString("utf8");
+}
+const encryped = encrypt;
+const decryped = decrypt;
+
+export { decryped, decrypt, encryped, encrypt };

package/dist/module.d.mts

@@ -16,6 +16,9 @@ interface ModuleOptions {
     sentry?: ModuleOptions$1 & {
         client?: SafekitSentryClientOptions;
     };
+    crypto?: {
+        secretKey?: string;
+    };
 }
 declare const _default: _nuxt_schema.NuxtModule<ModuleOptions, ModuleOptions, false>;
 

package/dist/module.json

@@ -1,7 +1,7 @@
 {
   "name": "@safeki/nuxt",
   "configKey": "nuxtSafekit",
-  "version": "0.1.1",
+  "version": "0.1.3",
   "builder": {
     "@nuxt/module-builder": "1.0.2",
     "unbuild": "3.6.1"

package/dist/module.mjs

@@ -1,4 +1,4 @@
-import { defineNuxtModule, createResolver, installModule } from '@nuxt/kit';
+import { defineNuxtModule, createResolver, addServerImports, installModule } from '@nuxt/kit';
 
 const module$1 = defineNuxtModule({
   meta: {
@@ -10,12 +10,31 @@ const module$1 = defineNuxtModule({
   async setup(options, nuxt) {
     const resolver = createResolver(import.meta.url);
     const { client = {}, ...sentryModuleOptions } = options.sentry || {};
+    const secretKey = options.crypto?.secretKey || process.env.SAFEKIT_CRYPTO_SECRET_KEY || "";
+    nuxt.options.runtimeConfig.nuxtSafekit = {
+      ...nuxt.options.runtimeConfig.nuxtSafekit || {},
+      crypto: {
+        secretKey
+      }
+    };
     nuxt.options.runtimeConfig.public.nuxtSafekit = {
       ...nuxt.options.runtimeConfig.public.nuxtSafekit || {},
       sentry: {
         client
       }
     };
+    addServerImports([
+      {
+        name: "decryptSafekit",
+        as: "decryptSafekit",
+        from: resolver.resolve("./runtime/server/crypto")
+      },
+      {
+        name: "decrypedSafekit",
+        as: "decrypedSafekit",
+        from: resolver.resolve("./runtime/server/crypto")
+      }
+    ]);
     await installModule("@sentry/nuxt/module", {
       autoInjectServerSentry: "top-level-import",
       configDir: resolver.resolve("./runtime"),

package/dist/runtime/server/crypto.d.ts

@@ -0,0 +1,2 @@
+export declare function decryptSafekit(encryptedText: string): string;
+export declare const decrypedSafekit: typeof decryptSafekit;

package/dist/runtime/server/crypto.js

@@ -0,0 +1,7 @@
+import { useRuntimeConfig } from "#imports";
+import { decrypt } from "../../crypto";
+export function decryptSafekit(encryptedText) {
+  const secretKey = useRuntimeConfig().nuxtSafekit?.crypto?.secretKey;
+  return decrypt(encryptedText, secretKey);
+}
+export const decrypedSafekit = decryptSafekit;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@safeki/nuxt",
-  "version": "0.1.1",
+  "version": "0.1.3",
   "description": "My new Nuxt module",
   "repository": "your-org/@safeki/nuxt",
   "license": "MIT",
@@ -9,6 +9,10 @@
     ".": {
       "types": "./dist/types.d.mts",
       "import": "./dist/module.mjs"
+    },
+    "./crypto": {
+      "types": "./dist/crypto.d.mts",
+      "import": "./dist/crypto.mjs"
     }
   },
   "main": "./dist/module.mjs",
@@ -16,6 +20,9 @@
     "*": {
       ".": [
         "./dist/types.d.mts"
+      ],
+      "crypto": [
+        "./dist/crypto.d.mts"
       ]
     }
   },
@@ -31,6 +38,7 @@
     "dev:build": "nuxt build playground",
     "dev:prepare": "nuxt-module-build build --stub && nuxt-module-build prepare && nuxt prepare playground",
     "release": "npm run lint && npm run test && npm run prepack && changelogen --release && npm publish && git push --follow-tags",
+    "publish": "npm run lint && npm run test && npm run prepack && changelogen --release && npm publish --access public",
     "lint": "eslint .",
     "lint:fix": "eslint . --fix",
     "test": "vitest run",