npm - @sentroy-co/client-sdk - Versions diffs - 2.6.4 → 2.8.0 - Mend

@sentroy-co/client-sdk 2.6.4 → 2.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

package/AGENTS.md CHANGED Viewed

@@ -675,11 +675,110 @@ import {
 } from "@sentroy-co/client-sdk/react"
 ```
+## Env Vault (`@sentroy-co/client-sdk/vault` + `/vault/react`)
+Sentroy Env Vault — centralized runtime env management. Bootstrap is a
+single env (`SENTROY_ENV_API_KEY`); the rest of your config lives in
+the dashboard at `vault.sentroy.com`. Changing a variable does NOT
+require an app rebuild — the next read picks up the new value once the
+in-memory cache TTL elapses (5 min default).
+This module is intentionally **separate** from the main `Sentroy`
+client. They use different auth namespaces:
+| Surface | Token format | Scope |
+|---|---|---|
+| `Sentroy` (mail/storage) | `stk_...` | per-company access token |
+| Env Vault | `stk_env_...` | per-(project, environment) bootstrap token |
+### Server: `getEnv()`
+```ts
+import {
+  configureEnvClient,   // optional one-shot config
+  getEnv,               // async, undefined if missing
+  getEnvOrThrow,        // async, throws if missing
+  getAllEnvs,           // bulk: { KEY: value, ... }
+  getPublicEnvs,        // bulk: only `public: true` variables
+  preloadEnv,           // eager hydrate at process boot
+  refreshEnvCache,      // manual invalidation hook
+  setEnvCacheTTL,       // runtime TTL override (seconds)
+} from "@sentroy-co/client-sdk/vault"
+// Optional — defaults pull from process.env
+configureEnvClient({
+  baseUrl: "https://sentroy.com",        // or self-hosted Sentroy URL
+  apiKey: process.env.SENTROY_ENV_API_KEY, // default
+  ttlSeconds: 300,                          // 5 min
+  timeoutMs: 5000,
+})
+await preloadEnv() // optional: fail-fast if token invalid
+const dbUrl = await getEnv("DATABASE_URL")          // string | undefined
+const turn  = await getEnvOrThrow("TURNSTILE_SECRET") // string
+const all   = await getAllEnvs()                     // includes private
+const pub   = await getPublicEnvs()                  // public:true only
+```
+### React: SSR-injected provider + hook
+```tsx
+// app/layout.tsx (server component)
+import { getPublicEnvs } from "@sentroy-co/client-sdk/vault"
+import { EnvProvider } from "@sentroy-co/client-sdk/vault/react"
+export default async function RootLayout({ children }) {
+  const envs = await getPublicEnvs() // public:true only — never leak secrets
+  return (
+    <html>
+      <body>
+        <EnvProvider envs={envs}>{children}</EnvProvider>
+      </body>
+    </html>
+  )
+}
+```
+```tsx
+// any "use client" component
+"use client"
+import { useEnv, useAllEnvs, useEnvRefresh } from "@sentroy-co/client-sdk/vault/react"
+function CaptchaWidget() {
+  const siteKey = useEnv("TURNSTILE_SITE_KEY") // string | undefined
+  if (!siteKey) return null
+  return <Turnstile siteKey={siteKey} />
+}
+function ConfigPanel() {
+  const all = useAllEnvs() // Record<string, string> — public envs only
+  const { refresh, loading } = useEnvRefresh()
+  return <button onClick={refresh} disabled={loading}>Refresh config</button>
+}
+```
+### `EnvProvider` props
+| Prop | Type | Default | Notes |
+|---|---|---|---|
+| `envs` | `Record<string, string>` | required | SSR-fetched public envs |
+| `refreshUrl` | `string` | `/api/env-vault/public` | Endpoint for client polling |
+| `apiKey` | `string` | `process.env.NEXT_PUBLIC_SENTROY_ENV_API_KEY` | Bearer token for browser polling |
+| `refreshIntervalMs` | `number` | `300000` (5 min) | `0` to disable polling |
+### Security notes
+- `useEnv()` only ever returns variables marked `public: true` in the dashboard. Server-only secrets stay server-side.
+- The provider's polling is best-effort; network failures keep the previous values (fail-soft).
+- The bootstrap token is per-(project, environment). A `prod` token cannot read `staging` and vice versa.
+- Variable values are AES-256-GCM encrypted at rest in the Sentroy vault DB. Decryption happens server-side just before the fetch endpoint streams the response.
 ## Requirements
 - Node.js 18+ (uses native `fetch`)
-- React 18+ (only if you import from `/react`)
-- Tailwind CSS in the host app (only for React components)
+- React 18+ (only if you import from `/react` or `/vault/react`)
+- Tailwind CSS in the host app (only for React UI components like `<MediaManager />`)
 ## Raw URL — for LLM/agent context windows

package/README.md CHANGED Viewed

@@ -33,7 +33,8 @@
 - **Mail** — verified domains, mailboxes, multi-language templates, IMAP-backed inbox, transactional and bulk send, suppressions, webhooks, audience lists, deliverability logs.
 - **Storage** — isolated buckets, multipart uploads, image and media transformations, signed download URLs.
-- **React drop-ins** — `<MediaManager />` and `<MediaManagerTrigger />` for instant uploaders, no glue code (`@sentroy-co/client-sdk/react`).
+- **Env Vault** — runtime env variable management (`@sentroy-co/client-sdk/vault`) — change a value in the dashboard, your app picks it up on the next read; no rebuild.
+- **React drop-ins** — `<MediaManager />`, `<MediaManagerTrigger />` and `<EnvProvider>` / `useEnv()` (`@sentroy-co/client-sdk/react` + `@sentroy-co/client-sdk/vault/react`).
 - **One client, two backends** — point at `https://sentroy.com` for the hosted platform, or your own deployment for self-hosted. Same API, same types.
 ## Install
@@ -77,6 +78,34 @@ console.log(media.url) // signed URL, served from the CDN
 That's the smallest useful surface. Every other resource (`domains`, `mailboxes`, `templates`, `inbox`, `audience`, `webhooks`, `suppressions`, `logs`, `buckets`, `media`) follows the same `sentroy.<resource>.<verb>(...)` shape with full TypeScript types.
+## Env Vault
+Manage your env vars in the dashboard at [vault.sentroy.com](https://vault.sentroy.com), bootstrap your deploy with one token, and read values via a typed helper — no rebuild on change.
+```ts
+// server side
+import { getEnv, getEnvOrThrow, preloadEnv } from "@sentroy-co/client-sdk/vault"
+await preloadEnv() // optional fail-fast at boot
+const dbUrl = await getEnv("DATABASE_URL")
+const turnstile = await getEnvOrThrow("BETTER_AUTH_TURNSTILE_SECRET")
+```
+```tsx
+// React: SSR-injected provider + hook (no FOUC)
+import { getPublicEnvs } from "@sentroy-co/client-sdk/vault"
+import { EnvProvider, useEnv } from "@sentroy-co/client-sdk/vault/react"
+// app/layout.tsx (server)
+const envs = await getPublicEnvs()
+return <EnvProvider envs={envs}>{children}</EnvProvider>
+// any "use client" component
+const siteKey = useEnv("TURNSTILE_SITE_KEY")
+```
+Bootstrap is a single env: `SENTROY_ENV_API_KEY`. Public/private split is enforced server-side — the React hook only ever sees `public: true` variables. Full reference at [docs.sentroy.com/env-vault](https://docs.sentroy.com/env-vault).
 ## Self-hosted vs hosted
 The SDK is identical in both modes. Only `baseUrl` changes:

package/dist/vault/index.d.ts ADDED Viewed

@@ -0,0 +1,73 @@
+/**
+ * `@sentroy-co/client-sdk/vault` — Sentroy Env Vault server-side client.
+ *
+ * Bootstrap pattern:
+ *   `SENTROY_ENV_API_KEY` (process.env) → tek dış env. Fonksiyonlar
+ *   `getEnv("KEY")` ya da `getEnvOrThrow("KEY")` çağrılırken in-memory
+ *   cache'den döner; ilk çağrıda Sentroy core'a HTTP fetch yapar ve
+ *   o token scope'undaki TÜM env'leri (public + private) çeker.
+ *
+ * Cache stratejisi:
+ *   • Default TTL 5 dk; refresh deadline aşıldığında bir sonraki
+ *     `getEnv` çağrısında re-fetch tetiklenir.
+ *   • `await refreshEnvCache()` manuel invalidation — webhook ya da
+ *     SIGHUP-style restart sinyaline bağlanabilir.
+ *   • `setEnvCacheTTL(seconds)` runtime'da TTL değiştirme.
+ *
+ * Hata politikası: bootstrap fail (token yok / network down / 401)
+ *   → `getEnv` her çağrıda undefined döner; `getEnvOrThrow` exception
+ *   atar. Process startup'ında `await preloadEnv()` çağırırsanız
+ *   eksik env'leri erkenden yakalarsınız.
+ *
+ * **NOT**: Bu modül `Sentroy` ana client'ından (mail/storage REST
+ * resource'ları) bağımsızdır. Vault token'ları (stk_env_*) ile mail/
+ * storage token'ları (stk_*) farklı namespace'tedir; tek client'ta
+ * birleştirmek ergonomiyi bozardı.
+ */
+export interface EnvVariable {
+    key: string;
+    value: string;
+    type: string;
+    public: boolean;
+}
+export interface EnvCacheState {
+    fetchedAt: number;
+    variables: Map<string, EnvVariable>;
+    project: string;
+    environment: string;
+}
+interface ClientOptions {
+    /** Sentroy core URL (defaults to env or https://sentroy.com). */
+    baseUrl?: string;
+    /** API key — defaults to `process.env.SENTROY_ENV_API_KEY`. */
+    apiKey?: string;
+    /** Cache TTL in seconds; default 300. */
+    ttlSeconds?: number;
+    /** Fetch timeout in ms; default 5000. */
+    timeoutMs?: number;
+}
+/**
+ * One-time client config — Sentroy app'lerinde modül seviyesinde çağrılır,
+ * default'lara güvenilirse hiç çağrılmasına gerek yok.
+ */
+export declare function configureEnvClient(options?: ClientOptions): void;
+/** TTL'i runtime'da değiştir (örn. development için kısa, prod için uzun). */
+export declare function setEnvCacheTTL(seconds: number): void;
+/** Cache'i invalidate et — webhook ya da admin-driven manual refresh için. */
+export declare function refreshEnvCache(): Promise<void>;
+/** Process start'ında erkenden tetikle — eksik env'i fail-fast yakalar. */
+export declare function preloadEnv(): Promise<void>;
+/**
+ * Async — env yoksa undefined. Bu fonksiyon TÜM env'leri (server+public)
+ * gizler, çünkü `process.env` fallback yok; sadece vault'ta kayıtlı
+ * olanlar dönder. Token bootstrap fail ederse exception atar.
+ */
+export declare function getEnv(key: string): Promise<string | undefined>;
+/** Eksik env'i hemen patlatır — config-validation pattern'inde kullanışlı. */
+export declare function getEnvOrThrow(key: string): Promise<string>;
+/** Tüm env'leri map olarak döner (dump için kullanışlı). */
+export declare function getAllEnvs(): Promise<Record<string, string>>;
+/** Sadece public (`public: true`) env'ler — SSR helper için. */
+export declare function getPublicEnvs(): Promise<Record<string, string>>;
+export {};
+//# sourceMappingURL=index.d.ts.map

package/dist/vault/index.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/vault/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAEH,MAAM,WAAW,WAAW;IAC1B,GAAG,EAAE,MAAM,CAAA;IACX,KAAK,EAAE,MAAM,CAAA;IACb,IAAI,EAAE,MAAM,CAAA;IACZ,MAAM,EAAE,OAAO,CAAA;CAChB;AAED,MAAM,WAAW,aAAa;IAC5B,SAAS,EAAE,MAAM,CAAA;IACjB,SAAS,EAAE,GAAG,CAAC,MAAM,EAAE,WAAW,CAAC,CAAA;IACnC,OAAO,EAAE,MAAM,CAAA;IACf,WAAW,EAAE,MAAM,CAAA;CACpB;AAKD,UAAU,aAAa;IACrB,iEAAiE;IACjE,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,+DAA+D;IAC/D,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,yCAAyC;IACzC,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB,yCAAyC;IACzC,SAAS,CAAC,EAAE,MAAM,CAAA;CACnB;AAcD;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,OAAO,GAAE,aAAkB,GAAG,IAAI,CAYpE;AAED,8EAA8E;AAC9E,wBAAgB,cAAc,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI,CAEpD;AAED,8EAA8E;AAC9E,wBAAsB,eAAe,IAAI,OAAO,CAAC,IAAI,CAAC,CAGrD;AAED,2EAA2E;AAC3E,wBAAsB,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC,CAEhD;AA6DD;;;;GAIG;AACH,wBAAsB,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC,CAGrE;AAED,8EAA8E;AAC9E,wBAAsB,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAQhE;AAED,4DAA4D;AAC5D,wBAAsB,UAAU,IAAI,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAKlE;AAED,gEAAgE;AAChE,wBAAsB,aAAa,IAAI,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAOrE"}

package/dist/vault/index.js ADDED Viewed

@@ -0,0 +1,169 @@
+"use strict";
+/**
+ * `@sentroy-co/client-sdk/vault` — Sentroy Env Vault server-side client.
+ *
+ * Bootstrap pattern:
+ *   `SENTROY_ENV_API_KEY` (process.env) → tek dış env. Fonksiyonlar
+ *   `getEnv("KEY")` ya da `getEnvOrThrow("KEY")` çağrılırken in-memory
+ *   cache'den döner; ilk çağrıda Sentroy core'a HTTP fetch yapar ve
+ *   o token scope'undaki TÜM env'leri (public + private) çeker.
+ *
+ * Cache stratejisi:
+ *   • Default TTL 5 dk; refresh deadline aşıldığında bir sonraki
+ *     `getEnv` çağrısında re-fetch tetiklenir.
+ *   • `await refreshEnvCache()` manuel invalidation — webhook ya da
+ *     SIGHUP-style restart sinyaline bağlanabilir.
+ *   • `setEnvCacheTTL(seconds)` runtime'da TTL değiştirme.
+ *
+ * Hata politikası: bootstrap fail (token yok / network down / 401)
+ *   → `getEnv` her çağrıda undefined döner; `getEnvOrThrow` exception
+ *   atar. Process startup'ında `await preloadEnv()` çağırırsanız
+ *   eksik env'leri erkenden yakalarsınız.
+ *
+ * **NOT**: Bu modül `Sentroy` ana client'ından (mail/storage REST
+ * resource'ları) bağımsızdır. Vault token'ları (stk_env_*) ile mail/
+ * storage token'ları (stk_*) farklı namespace'tedir; tek client'ta
+ * birleştirmek ergonomiyi bozardı.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.configureEnvClient = configureEnvClient;
+exports.setEnvCacheTTL = setEnvCacheTTL;
+exports.refreshEnvCache = refreshEnvCache;
+exports.preloadEnv = preloadEnv;
+exports.getEnv = getEnv;
+exports.getEnvOrThrow = getEnvOrThrow;
+exports.getAllEnvs = getAllEnvs;
+exports.getPublicEnvs = getPublicEnvs;
+const DEFAULT_TTL_MS = 5 * 60 * 1000;
+const DEFAULT_BASE_URL = "https://sentroy.com";
+let resolvedBaseUrl = DEFAULT_BASE_URL;
+let resolvedApiKey;
+let cacheTtlMs = DEFAULT_TTL_MS;
+let fetchTimeoutMs = 5000;
+let cache = null;
+let pendingRefresh = null;
+function readEnv(name) {
+    if (typeof process === "undefined")
+        return undefined;
+    return process.env?.[name];
+}
+/**
+ * One-time client config — Sentroy app'lerinde modül seviyesinde çağrılır,
+ * default'lara güvenilirse hiç çağrılmasına gerek yok.
+ */
+function configureEnvClient(options = {}) {
+    if (options.baseUrl)
+        resolvedBaseUrl = options.baseUrl.replace(/\/+$/, "");
+    else
+        resolvedBaseUrl = (readEnv("NEXT_PUBLIC_SENTROY_ENV_API_URL") ||
+            readEnv("SENTROY_ENV_API_URL") ||
+            readEnv("NEXT_PUBLIC_CORE_APP_URL") ||
+            DEFAULT_BASE_URL).replace(/\/+$/, "");
+    resolvedApiKey = options.apiKey ?? readEnv("SENTROY_ENV_API_KEY");
+    if (options.ttlSeconds)
+        cacheTtlMs = options.ttlSeconds * 1000;
+    if (options.timeoutMs)
+        fetchTimeoutMs = options.timeoutMs;
+}
+/** TTL'i runtime'da değiştir (örn. development için kısa, prod için uzun). */
+function setEnvCacheTTL(seconds) {
+    cacheTtlMs = seconds * 1000;
+}
+/** Cache'i invalidate et — webhook ya da admin-driven manual refresh için. */
+async function refreshEnvCache() {
+    cache = null;
+    await ensureCache();
+}
+/** Process start'ında erkenden tetikle — eksik env'i fail-fast yakalar. */
+async function preloadEnv() {
+    await ensureCache();
+}
+async function fetchVariables() {
+    if (!resolvedApiKey) {
+        // Lazy bootstrap — configureEnvClient çağrılmadıysa env'den oku.
+        configureEnvClient();
+    }
+    if (!resolvedApiKey) {
+        throw new Error("@sentroy-co/client-sdk/vault: SENTROY_ENV_API_KEY is not set. " +
+            "Set it on the platform (Coolify env) or call configureEnvClient({ apiKey: ... }) at boot.");
+    }
+    const url = `${resolvedBaseUrl}/api/env-vault/fetch`;
+    const res = await fetch(url, {
+        headers: { Authorization: `Bearer ${resolvedApiKey}` },
+        signal: AbortSignal.timeout(fetchTimeoutMs),
+        cache: "no-store",
+    });
+    if (!res.ok) {
+        throw new Error(`env-vault fetch failed: ${res.status} ${res.statusText} (url=${url})`);
+    }
+    const json = (await res.json());
+    if (!json.data)
+        throw new Error("env-vault fetch: malformed response");
+    const map = new Map();
+    for (const v of json.data.variables)
+        map.set(v.key, v);
+    return {
+        fetchedAt: Date.now(),
+        variables: map,
+        project: json.data.project,
+        environment: json.data.environment,
+    };
+}
+async function ensureCache() {
+    const now = Date.now();
+    if (cache && now - cache.fetchedAt < cacheTtlMs)
+        return cache;
+    if (pendingRefresh) {
+        await pendingRefresh;
+        if (cache)
+            return cache;
+    }
+    pendingRefresh = (async () => {
+        try {
+            cache = await fetchVariables();
+        }
+        finally {
+            pendingRefresh = null;
+        }
+    })();
+    await pendingRefresh;
+    if (!cache)
+        throw new Error("env-vault: cache hydrate failed");
+    return cache;
+}
+/**
+ * Async — env yoksa undefined. Bu fonksiyon TÜM env'leri (server+public)
+ * gizler, çünkü `process.env` fallback yok; sadece vault'ta kayıtlı
+ * olanlar dönder. Token bootstrap fail ederse exception atar.
+ */
+async function getEnv(key) {
+    const c = await ensureCache();
+    return c.variables.get(key)?.value;
+}
+/** Eksik env'i hemen patlatır — config-validation pattern'inde kullanışlı. */
+async function getEnvOrThrow(key) {
+    const v = await getEnv(key);
+    if (v === undefined) {
+        throw new Error(`env-vault: required variable ${key} is not defined (project=${cache?.project ?? "?"}, env=${cache?.environment ?? "?"})`);
+    }
+    return v;
+}
+/** Tüm env'leri map olarak döner (dump için kullanışlı). */
+async function getAllEnvs() {
+    const c = await ensureCache();
+    const out = {};
+    for (const [k, v] of c.variables)
+        out[k] = v.value;
+    return out;
+}
+/** Sadece public (`public: true`) env'ler — SSR helper için. */
+async function getPublicEnvs() {
+    const c = await ensureCache();
+    const out = {};
+    for (const [k, v] of c.variables) {
+        if (v.public)
+            out[k] = v.value;
+    }
+    return out;
+}
+//# sourceMappingURL=index.js.map

package/dist/vault/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/vault/index.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;;AA8CH,gDAYC;AAGD,wCAEC;AAGD,0CAGC;AAGD,gCAEC;AAkED,wBAGC;AAGD,sCAQC;AAGD,gCAKC;AAGD,sCAOC;AA5JD,MAAM,cAAc,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAA;AACpC,MAAM,gBAAgB,GAAG,qBAAqB,CAAA;AAa9C,IAAI,eAAe,GAAG,gBAAgB,CAAA;AACtC,IAAI,cAAkC,CAAA;AACtC,IAAI,UAAU,GAAG,cAAc,CAAA;AAC/B,IAAI,cAAc,GAAG,IAAI,CAAA;AACzB,IAAI,KAAK,GAAyB,IAAI,CAAA;AACtC,IAAI,cAAc,GAAyB,IAAI,CAAA;AAE/C,SAAS,OAAO,CAAC,IAAY;IAC3B,IAAI,OAAO,OAAO,KAAK,WAAW;QAAE,OAAO,SAAS,CAAA;IACpD,OAAO,OAAO,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAA;AAC5B,CAAC;AAED;;;GAGG;AACH,SAAgB,kBAAkB,CAAC,UAAyB,EAAE;IAC5D,IAAI,OAAO,CAAC,OAAO;QAAE,eAAe,GAAG,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAA;;QAExE,eAAe,GAAG,CAChB,OAAO,CAAC,iCAAiC,CAAC;YAC1C,OAAO,CAAC,qBAAqB,CAAC;YAC9B,OAAO,CAAC,0BAA0B,CAAC;YACnC,gBAAgB,CACjB,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAA;IACvB,cAAc,GAAG,OAAO,CAAC,MAAM,IAAI,OAAO,CAAC,qBAAqB,CAAC,CAAA;IACjE,IAAI,OAAO,CAAC,UAAU;QAAE,UAAU,GAAG,OAAO,CAAC,UAAU,GAAG,IAAI,CAAA;IAC9D,IAAI,OAAO,CAAC,SAAS;QAAE,cAAc,GAAG,OAAO,CAAC,SAAS,CAAA;AAC3D,CAAC;AAED,8EAA8E;AAC9E,SAAgB,cAAc,CAAC,OAAe;IAC5C,UAAU,GAAG,OAAO,GAAG,IAAI,CAAA;AAC7B,CAAC;AAED,8EAA8E;AACvE,KAAK,UAAU,eAAe;IACnC,KAAK,GAAG,IAAI,CAAA;IACZ,MAAM,WAAW,EAAE,CAAA;AACrB,CAAC;AAED,2EAA2E;AACpE,KAAK,UAAU,UAAU;IAC9B,MAAM,WAAW,EAAE,CAAA;AACrB,CAAC;AAED,KAAK,UAAU,cAAc;IAC3B,IAAI,CAAC,cAAc,EAAE,CAAC;QACpB,iEAAiE;QACjE,kBAAkB,EAAE,CAAA;IACtB,CAAC;IACD,IAAI,CAAC,cAAc,EAAE,CAAC;QACpB,MAAM,IAAI,KAAK,CACb,gEAAgE;YAC9D,2FAA2F,CAC9F,CAAA;IACH,CAAC;IACD,MAAM,GAAG,GAAG,GAAG,eAAe,sBAAsB,CAAA;IACpD,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;QAC3B,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,cAAc,EAAE,EAAE;QACtD,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,cAAc,CAAC;QAC3C,KAAK,EAAE,UAAU;KAClB,CAAC,CAAA;IACF,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,MAAM,IAAI,KAAK,CACb,2BAA2B,GAAG,CAAC,MAAM,IAAI,GAAG,CAAC,UAAU,SAAS,GAAG,GAAG,CACvE,CAAA;IACH,CAAC;IACD,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAM7B,CAAA;IACD,IAAI,CAAC,IAAI,CAAC,IAAI;QAAE,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAA;IACtE,MAAM,GAAG,GAAG,IAAI,GAAG,EAAuB,CAAA;IAC1C,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,SAAS;QAAE,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC,CAAA;IACtD,OAAO;QACL,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;QACrB,SAAS,EAAE,GAAG;QACd,OAAO,EAAE,IAAI,CAAC,IAAI,CAAC,OAAO;QAC1B,WAAW,EAAE,IAAI,CAAC,IAAI,CAAC,WAAW;KACnC,CAAA;AACH,CAAC;AAED,KAAK,UAAU,WAAW;IACxB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;IACtB,IAAI,KAAK,IAAI,GAAG,GAAG,KAAK,CAAC,SAAS,GAAG,UAAU;QAAE,OAAO,KAAK,CAAA;IAC7D,IAAI,cAAc,EAAE,CAAC;QACnB,MAAM,cAAc,CAAA;QACpB,IAAI,KAAK;YAAE,OAAO,KAAK,CAAA;IACzB,CAAC;IACD,cAAc,GAAG,CAAC,KAAK,IAAI,EAAE;QAC3B,IAAI,CAAC;YACH,KAAK,GAAG,MAAM,cAAc,EAAE,CAAA;QAChC,CAAC;gBAAS,CAAC;YACT,cAAc,GAAG,IAAI,CAAA;QACvB,CAAC;IACH,CAAC,CAAC,EAAE,CAAA;IACJ,MAAM,cAAc,CAAA;IACpB,IAAI,CAAC,KAAK;QAAE,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAA;IAC9D,OAAO,KAAK,CAAA;AACd,CAAC;AAED;;;;GAIG;AACI,KAAK,UAAU,MAAM,CAAC,GAAW;IACtC,MAAM,CAAC,GAAG,MAAM,WAAW,EAAE,CAAA;IAC7B,OAAO,CAAC,CAAC,SAAS,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,KAAK,CAAA;AACpC,CAAC;AAED,8EAA8E;AACvE,KAAK,UAAU,aAAa,CAAC,GAAW;IAC7C,MAAM,CAAC,GAAG,MAAM,MAAM,CAAC,GAAG,CAAC,CAAA;IAC3B,IAAI,CAAC,KAAK,SAAS,EAAE,CAAC;QACpB,MAAM,IAAI,KAAK,CACb,gCAAgC,GAAG,4BAA4B,KAAK,EAAE,OAAO,IAAI,GAAG,SAAS,KAAK,EAAE,WAAW,IAAI,GAAG,GAAG,CAC1H,CAAA;IACH,CAAC;IACD,OAAO,CAAC,CAAA;AACV,CAAC;AAED,4DAA4D;AACrD,KAAK,UAAU,UAAU;IAC9B,MAAM,CAAC,GAAG,MAAM,WAAW,EAAE,CAAA;IAC7B,MAAM,GAAG,GAA2B,EAAE,CAAA;IACtC,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,SAAS;QAAE,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,CAAA;IAClD,OAAO,GAAG,CAAA;AACZ,CAAC;AAED,gEAAgE;AACzD,KAAK,UAAU,aAAa;IACjC,MAAM,CAAC,GAAG,MAAM,WAAW,EAAE,CAAA;IAC7B,MAAM,GAAG,GAA2B,EAAE,CAAA;IACtC,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,CAAC;QACjC,IAAI,CAAC,CAAC,MAAM;YAAE,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,CAAA;IAChC,CAAC;IACD,OAAO,GAAG,CAAA;AACZ,CAAC"}

package/dist/vault/react.d.ts ADDED Viewed

@@ -0,0 +1,27 @@
+import { type ReactNode } from "react";
+interface EnvProviderProps {
+    /** Server-side fetched public envs — SSR'da inject edilir. */
+    envs: Record<string, string>;
+    /** Public refresh endpoint URL — default `/api/env-vault/public`. */
+    refreshUrl?: string;
+    /** Bearer token — public endpoint için. Default `process.env.NEXT_PUBLIC_SENTROY_ENV_API_KEY`. */
+    apiKey?: string;
+    /** Refresh interval ms; 0 ise polling kapalı. Default 5 dk. */
+    refreshIntervalMs?: number;
+    children: ReactNode;
+}
+export declare function EnvProvider({ envs: initialEnvs, refreshUrl, apiKey, refreshIntervalMs, children, }: EnvProviderProps): import("react/jsx-runtime").JSX.Element;
+/**
+ * `useEnv("KEY")` — provider'ın hydrate ettiği env değerini döner.
+ * Yoksa undefined; çağıran fallback verir (`useEnv("X") ?? "default"`).
+ */
+export declare function useEnv(key: string): string | undefined;
+/** Tüm public env'leri Record olarak döner. */
+export declare function useAllEnvs(): Record<string, string>;
+/** Manuel refresh tetikleme (örn. admin "config updated" notification sonrası). */
+export declare function useEnvRefresh(): {
+    refresh: () => Promise<void>;
+    loading: boolean;
+};
+export {};
+//# sourceMappingURL=react.d.ts.map

package/dist/vault/react.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"react.d.ts","sourceRoot":"","sources":["../../src/vault/react.tsx"],"names":[],"mappings":"AAEA,OAAO,EAKL,KAAK,SAAS,EACf,MAAM,OAAO,CAAA;AAgCd,UAAU,gBAAgB;IACxB,8DAA8D;IAC9D,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;IAC5B,qEAAqE;IACrE,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB,kGAAkG;IAClG,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,+DAA+D;IAC/D,iBAAiB,CAAC,EAAE,MAAM,CAAA;IAC1B,QAAQ,EAAE,SAAS,CAAA;CACpB;AAID,wBAAgB,WAAW,CAAC,EAC1B,IAAI,EAAE,WAAW,EACjB,UAAoC,EACpC,MAAM,EACN,iBAA+C,EAC/C,QAAQ,GACT,EAAE,gBAAgB,2CA4ClB;AAED;;;GAGG;AACH,wBAAgB,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAGtD;AAED,+CAA+C;AAC/C,wBAAgB,UAAU,IAAI,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAEnD;AAED,mFAAmF;AACnF,wBAAgB,aAAa,IAAI;IAAE,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;IAAC,OAAO,EAAE,OAAO,CAAA;CAAE,CAGlF"}

package/dist/vault/react.js ADDED Viewed

@@ -0,0 +1,73 @@
+"use strict";
+"use client";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.EnvProvider = EnvProvider;
+exports.useEnv = useEnv;
+exports.useAllEnvs = useAllEnvs;
+exports.useEnvRefresh = useEnvRefresh;
+const jsx_runtime_1 = require("react/jsx-runtime");
+const react_1 = require("react");
+const EnvContext = (0, react_1.createContext)({
+    envs: {},
+    loading: false,
+    refresh: async () => { },
+});
+const DEFAULT_REFRESH_INTERVAL_MS = 5 * 60 * 1000;
+function EnvProvider({ envs: initialEnvs, refreshUrl = "/api/env-vault/public", apiKey, refreshIntervalMs = DEFAULT_REFRESH_INTERVAL_MS, children, }) {
+    const [envs, setEnvs] = (0, react_1.useState)(initialEnvs);
+    const [loading, setLoading] = (0, react_1.useState)(false);
+    const effectiveKey = apiKey ??
+        (typeof process !== "undefined"
+            ? process.env?.NEXT_PUBLIC_SENTROY_ENV_API_KEY
+            : undefined);
+    async function refresh() {
+        if (!effectiveKey)
+            return; // bootstrap yoksa polling no-op
+        setLoading(true);
+        try {
+            const res = await fetch(refreshUrl, {
+                headers: { Authorization: `Bearer ${effectiveKey}` },
+                cache: "no-store",
+            });
+            if (!res.ok)
+                return;
+            const json = (await res.json());
+            const next = {};
+            for (const v of json.data?.variables ?? [])
+                next[v.key] = v.value;
+            setEnvs(next);
+        }
+        catch {
+            // network error — keep previous envs, fail-soft
+        }
+        finally {
+            setLoading(false);
+        }
+    }
+    (0, react_1.useEffect)(() => {
+        if (!refreshIntervalMs || refreshIntervalMs <= 0)
+            return;
+        const id = setInterval(refresh, refreshIntervalMs);
+        return () => clearInterval(id);
+        // eslint-disable-next-line react-hooks/exhaustive-deps
+    }, [refreshIntervalMs, effectiveKey]);
+    return ((0, jsx_runtime_1.jsx)(EnvContext.Provider, { value: { envs, loading, refresh }, children: children }));
+}
+/**
+ * `useEnv("KEY")` — provider'ın hydrate ettiği env değerini döner.
+ * Yoksa undefined; çağıran fallback verir (`useEnv("X") ?? "default"`).
+ */
+function useEnv(key) {
+    const ctx = (0, react_1.useContext)(EnvContext);
+    return ctx.envs[key];
+}
+/** Tüm public env'leri Record olarak döner. */
+function useAllEnvs() {
+    return (0, react_1.useContext)(EnvContext).envs;
+}
+/** Manuel refresh tetikleme (örn. admin "config updated" notification sonrası). */
+function useEnvRefresh() {
+    const ctx = (0, react_1.useContext)(EnvContext);
+    return { refresh: ctx.refresh, loading: ctx.loading };
+}
+//# sourceMappingURL=react.js.map

package/dist/vault/react.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"react.js","sourceRoot":"","sources":["../../src/vault/react.tsx"],"names":[],"mappings":";AAAA,YAAY,CAAA;;AAsDZ,kCAkDC;AAMD,wBAGC;AAGD,gCAEC;AAGD,sCAGC;;AA1HD,iCAMc;AA0Bd,MAAM,UAAU,GAAG,IAAA,qBAAa,EAAkB;IAChD,IAAI,EAAE,EAAE;IACR,OAAO,EAAE,KAAK;IACd,OAAO,EAAE,KAAK,IAAI,EAAE,GAAE,CAAC;CACxB,CAAC,CAAA;AAcF,MAAM,2BAA2B,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAA;AAEjD,SAAgB,WAAW,CAAC,EAC1B,IAAI,EAAE,WAAW,EACjB,UAAU,GAAG,uBAAuB,EACpC,MAAM,EACN,iBAAiB,GAAG,2BAA2B,EAC/C,QAAQ,GACS;IACjB,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,GAAG,IAAA,gBAAQ,EAAyB,WAAW,CAAC,CAAA;IACrE,MAAM,CAAC,OAAO,EAAE,UAAU,CAAC,GAAG,IAAA,gBAAQ,EAAC,KAAK,CAAC,CAAA;IAE7C,MAAM,YAAY,GAChB,MAAM;QACN,CAAC,OAAO,OAAO,KAAK,WAAW;YAC7B,CAAC,CAAC,OAAO,CAAC,GAAG,EAAE,+BAA+B;YAC9C,CAAC,CAAC,SAAS,CAAC,CAAA;IAEhB,KAAK,UAAU,OAAO;QACpB,IAAI,CAAC,YAAY;YAAE,OAAM,CAAC,gCAAgC;QAC1D,UAAU,CAAC,IAAI,CAAC,CAAA;QAChB,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,UAAU,EAAE;gBAClC,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,YAAY,EAAE,EAAE;gBACpD,KAAK,EAAE,UAAU;aAClB,CAAC,CAAA;YACF,IAAI,CAAC,GAAG,CAAC,EAAE;gBAAE,OAAM;YACnB,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAE7B,CAAA;YACD,MAAM,IAAI,GAA2B,EAAE,CAAA;YACvC,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,IAAI,EAAE,SAAS,IAAI,EAAE;gBAAE,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,KAAK,CAAA;YACjE,OAAO,CAAC,IAAI,CAAC,CAAA;QACf,CAAC;QAAC,MAAM,CAAC;YACP,gDAAgD;QAClD,CAAC;gBAAS,CAAC;YACT,UAAU,CAAC,KAAK,CAAC,CAAA;QACnB,CAAC;IACH,CAAC;IAED,IAAA,iBAAS,EAAC,GAAG,EAAE;QACb,IAAI,CAAC,iBAAiB,IAAI,iBAAiB,IAAI,CAAC;YAAE,OAAM;QACxD,MAAM,EAAE,GAAG,WAAW,CAAC,OAAO,EAAE,iBAAiB,CAAC,CAAA;QAClD,OAAO,GAAG,EAAE,CAAC,aAAa,CAAC,EAAE,CAAC,CAAA;QAC9B,uDAAuD;IACzD,CAAC,EAAE,CAAC,iBAAiB,EAAE,YAAY,CAAC,CAAC,CAAA;IAErC,OAAO,CACL,uBAAC,UAAU,CAAC,QAAQ,IAAC,KAAK,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,YACnD,QAAQ,GACW,CACvB,CAAA;AACH,CAAC;AAED;;;GAGG;AACH,SAAgB,MAAM,CAAC,GAAW;IAChC,MAAM,GAAG,GAAG,IAAA,kBAAU,EAAC,UAAU,CAAC,CAAA;IAClC,OAAO,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;AACtB,CAAC;AAED,+CAA+C;AAC/C,SAAgB,UAAU;IACxB,OAAO,IAAA,kBAAU,EAAC,UAAU,CAAC,CAAC,IAAI,CAAA;AACpC,CAAC;AAED,mFAAmF;AACnF,SAAgB,aAAa;IAC3B,MAAM,GAAG,GAAG,IAAA,kBAAU,EAAC,UAAU,CAAC,CAAA;IAClC,OAAO,EAAE,OAAO,EAAE,GAAG,CAAC,OAAO,EAAE,OAAO,EAAE,GAAG,CAAC,OAAO,EAAE,CAAA;AACvD,CAAC"}

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "@sentroy-co/client-sdk",
-  "version": "2.6.4",
-  "description": "TypeScript SDK for the Sentroy platform — REST resources + React components.",
+  "version": "2.8.0",
+  "description": "TypeScript SDK for the Sentroy platform — mail, storage, env vault + React components.",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
   "exports": {
@@ -24,6 +24,16 @@
       "types": "./dist/react/crop/index.d.ts",
       "import": "./dist/react/crop/index.js",
       "require": "./dist/react/crop/index.js"
+    },
+    "./vault": {
+      "types": "./dist/vault/index.d.ts",
+      "import": "./dist/vault/index.js",
+      "require": "./dist/vault/index.js"
+    },
+    "./vault/react": {
+      "types": "./dist/vault/react.d.ts",
+      "import": "./dist/vault/react.js",
+      "require": "./dist/vault/react.js"
     }
   },
   "files": [
@@ -43,7 +53,11 @@
     "mail",
     "typescript",
     "react",
-    "media-manager"
+    "media-manager",
+    "env",
+    "vault",
+    "secrets",
+    "config"
   ],
   "repository": {
     "type": "git",

package/src/vault/index.ts ADDED Viewed

@@ -0,0 +1,198 @@
+/**
+ * `@sentroy-co/client-sdk/vault` — Sentroy Env Vault server-side client.
+ *
+ * Bootstrap pattern:
+ *   `SENTROY_ENV_API_KEY` (process.env) → tek dış env. Fonksiyonlar
+ *   `getEnv("KEY")` ya da `getEnvOrThrow("KEY")` çağrılırken in-memory
+ *   cache'den döner; ilk çağrıda Sentroy core'a HTTP fetch yapar ve
+ *   o token scope'undaki TÜM env'leri (public + private) çeker.
+ *
+ * Cache stratejisi:
+ *   • Default TTL 5 dk; refresh deadline aşıldığında bir sonraki
+ *     `getEnv` çağrısında re-fetch tetiklenir.
+ *   • `await refreshEnvCache()` manuel invalidation — webhook ya da
+ *     SIGHUP-style restart sinyaline bağlanabilir.
+ *   • `setEnvCacheTTL(seconds)` runtime'da TTL değiştirme.
+ *
+ * Hata politikası: bootstrap fail (token yok / network down / 401)
+ *   → `getEnv` her çağrıda undefined döner; `getEnvOrThrow` exception
+ *   atar. Process startup'ında `await preloadEnv()` çağırırsanız
+ *   eksik env'leri erkenden yakalarsınız.
+ *
+ * **NOT**: Bu modül `Sentroy` ana client'ından (mail/storage REST
+ * resource'ları) bağımsızdır. Vault token'ları (stk_env_*) ile mail/
+ * storage token'ları (stk_*) farklı namespace'tedir; tek client'ta
+ * birleştirmek ergonomiyi bozardı.
+ */
+export interface EnvVariable {
+  key: string
+  value: string
+  type: string
+  public: boolean
+}
+export interface EnvCacheState {
+  fetchedAt: number
+  variables: Map<string, EnvVariable>
+  project: string
+  environment: string
+}
+const DEFAULT_TTL_MS = 5 * 60 * 1000
+const DEFAULT_BASE_URL = "https://sentroy.com"
+interface ClientOptions {
+  /** Sentroy core URL (defaults to env or https://sentroy.com). */
+  baseUrl?: string
+  /** API key — defaults to `process.env.SENTROY_ENV_API_KEY`. */
+  apiKey?: string
+  /** Cache TTL in seconds; default 300. */
+  ttlSeconds?: number
+  /** Fetch timeout in ms; default 5000. */
+  timeoutMs?: number
+}
+let resolvedBaseUrl = DEFAULT_BASE_URL
+let resolvedApiKey: string | undefined
+let cacheTtlMs = DEFAULT_TTL_MS
+let fetchTimeoutMs = 5000
+let cache: EnvCacheState | null = null
+let pendingRefresh: Promise<void> | null = null
+function readEnv(name: string): string | undefined {
+  if (typeof process === "undefined") return undefined
+  return process.env?.[name]
+}
+/**
+ * One-time client config — Sentroy app'lerinde modül seviyesinde çağrılır,
+ * default'lara güvenilirse hiç çağrılmasına gerek yok.
+ */
+export function configureEnvClient(options: ClientOptions = {}): void {
+  if (options.baseUrl) resolvedBaseUrl = options.baseUrl.replace(/\/+$/, "")
+  else
+    resolvedBaseUrl = (
+      readEnv("NEXT_PUBLIC_SENTROY_ENV_API_URL") ||
+      readEnv("SENTROY_ENV_API_URL") ||
+      readEnv("NEXT_PUBLIC_CORE_APP_URL") ||
+      DEFAULT_BASE_URL
+    ).replace(/\/+$/, "")
+  resolvedApiKey = options.apiKey ?? readEnv("SENTROY_ENV_API_KEY")
+  if (options.ttlSeconds) cacheTtlMs = options.ttlSeconds * 1000
+  if (options.timeoutMs) fetchTimeoutMs = options.timeoutMs
+}
+/** TTL'i runtime'da değiştir (örn. development için kısa, prod için uzun). */
+export function setEnvCacheTTL(seconds: number): void {
+  cacheTtlMs = seconds * 1000
+}
+/** Cache'i invalidate et — webhook ya da admin-driven manual refresh için. */
+export async function refreshEnvCache(): Promise<void> {
+  cache = null
+  await ensureCache()
+}
+/** Process start'ında erkenden tetikle — eksik env'i fail-fast yakalar. */
+export async function preloadEnv(): Promise<void> {
+  await ensureCache()
+}
+async function fetchVariables(): Promise<EnvCacheState> {
+  if (!resolvedApiKey) {
+    // Lazy bootstrap — configureEnvClient çağrılmadıysa env'den oku.
+    configureEnvClient()
+  }
+  if (!resolvedApiKey) {
+    throw new Error(
+      "@sentroy-co/client-sdk/vault: SENTROY_ENV_API_KEY is not set. " +
+        "Set it on the platform (Coolify env) or call configureEnvClient({ apiKey: ... }) at boot.",
+    )
+  }
+  const url = `${resolvedBaseUrl}/api/env-vault/fetch`
+  const res = await fetch(url, {
+    headers: { Authorization: `Bearer ${resolvedApiKey}` },
+    signal: AbortSignal.timeout(fetchTimeoutMs),
+    cache: "no-store",
+  })
+  if (!res.ok) {
+    throw new Error(
+      `env-vault fetch failed: ${res.status} ${res.statusText} (url=${url})`,
+    )
+  }
+  const json = (await res.json()) as {
+    data?: {
+      project: string
+      environment: string
+      variables: EnvVariable[]
+    }
+  }
+  if (!json.data) throw new Error("env-vault fetch: malformed response")
+  const map = new Map<string, EnvVariable>()
+  for (const v of json.data.variables) map.set(v.key, v)
+  return {
+    fetchedAt: Date.now(),
+    variables: map,
+    project: json.data.project,
+    environment: json.data.environment,
+  }
+}
+async function ensureCache(): Promise<EnvCacheState> {
+  const now = Date.now()
+  if (cache && now - cache.fetchedAt < cacheTtlMs) return cache
+  if (pendingRefresh) {
+    await pendingRefresh
+    if (cache) return cache
+  }
+  pendingRefresh = (async () => {
+    try {
+      cache = await fetchVariables()
+    } finally {
+      pendingRefresh = null
+    }
+  })()
+  await pendingRefresh
+  if (!cache) throw new Error("env-vault: cache hydrate failed")
+  return cache
+}
+/**
+ * Async — env yoksa undefined. Bu fonksiyon TÜM env'leri (server+public)
+ * gizler, çünkü `process.env` fallback yok; sadece vault'ta kayıtlı
+ * olanlar dönder. Token bootstrap fail ederse exception atar.
+ */
+export async function getEnv(key: string): Promise<string | undefined> {
+  const c = await ensureCache()
+  return c.variables.get(key)?.value
+}
+/** Eksik env'i hemen patlatır — config-validation pattern'inde kullanışlı. */
+export async function getEnvOrThrow(key: string): Promise<string> {
+  const v = await getEnv(key)
+  if (v === undefined) {
+    throw new Error(
+      `env-vault: required variable ${key} is not defined (project=${cache?.project ?? "?"}, env=${cache?.environment ?? "?"})`,
+    )
+  }
+  return v
+}
+/** Tüm env'leri map olarak döner (dump için kullanışlı). */
+export async function getAllEnvs(): Promise<Record<string, string>> {
+  const c = await ensureCache()
+  const out: Record<string, string> = {}
+  for (const [k, v] of c.variables) out[k] = v.value
+  return out
+}
+/** Sadece public (`public: true`) env'ler — SSR helper için. */
+export async function getPublicEnvs(): Promise<Record<string, string>> {
+  const c = await ensureCache()
+  const out: Record<string, string> = {}
+  for (const [k, v] of c.variables) {
+    if (v.public) out[k] = v.value
+  }
+  return out
+}

package/src/vault/react.tsx ADDED Viewed

@@ -0,0 +1,125 @@
+"use client"
+import {
+  createContext,
+  useContext,
+  useEffect,
+  useState,
+  type ReactNode,
+} from "react"
+/**
+ * `@sentroy-co/client-sdk/vault/react` — React provider + hook.
+ *
+ * Akış:
+ *   1. Server-side `getPublicEnvs()` çağrılıp result `<EnvProvider envs={...}>`
+ *      ile root layout'a SSR sırasında inject edilir → ilk paint'te
+ *      `useEnv()` doğru değeri döndürür (FOUC yok).
+ *   2. Client-side periyodik refresh (`/api/env-vault/public` endpoint'i,
+ *      yalnızca public:true variable'lar) — admin değer değiştirince UI
+ *      kullanıcıyı zorla refresh etmeden günceli alır. `refreshIntervalMs`
+ *      0 verilirse polling kapalı.
+ *
+ * **Güvenlik:** Server-side `getEnv()` private env'leri de döner; bu hook
+ * yalnızca PUBLIC env'leri client'a sızdırır. Provider'a server-only
+ * env geçmek konvansiyon ihlali — `getPublicEnvs()` filter'ını atlayıp
+ * `getAllEnvs()` geçerseniz secret leak'lersiniz.
+ */
+interface EnvContextValue {
+  envs: Record<string, string>
+  loading: boolean
+  refresh: () => Promise<void>
+}
+const EnvContext = createContext<EnvContextValue>({
+  envs: {},
+  loading: false,
+  refresh: async () => {},
+})
+interface EnvProviderProps {
+  /** Server-side fetched public envs — SSR'da inject edilir. */
+  envs: Record<string, string>
+  /** Public refresh endpoint URL — default `/api/env-vault/public`. */
+  refreshUrl?: string
+  /** Bearer token — public endpoint için. Default `process.env.NEXT_PUBLIC_SENTROY_ENV_API_KEY`. */
+  apiKey?: string
+  /** Refresh interval ms; 0 ise polling kapalı. Default 5 dk. */
+  refreshIntervalMs?: number
+  children: ReactNode
+}
+const DEFAULT_REFRESH_INTERVAL_MS = 5 * 60 * 1000
+export function EnvProvider({
+  envs: initialEnvs,
+  refreshUrl = "/api/env-vault/public",
+  apiKey,
+  refreshIntervalMs = DEFAULT_REFRESH_INTERVAL_MS,
+  children,
+}: EnvProviderProps) {
+  const [envs, setEnvs] = useState<Record<string, string>>(initialEnvs)
+  const [loading, setLoading] = useState(false)
+  const effectiveKey =
+    apiKey ??
+    (typeof process !== "undefined"
+      ? process.env?.NEXT_PUBLIC_SENTROY_ENV_API_KEY
+      : undefined)
+  async function refresh() {
+    if (!effectiveKey) return // bootstrap yoksa polling no-op
+    setLoading(true)
+    try {
+      const res = await fetch(refreshUrl, {
+        headers: { Authorization: `Bearer ${effectiveKey}` },
+        cache: "no-store",
+      })
+      if (!res.ok) return
+      const json = (await res.json()) as {
+        data?: { variables: { key: string; value: string }[] }
+      }
+      const next: Record<string, string> = {}
+      for (const v of json.data?.variables ?? []) next[v.key] = v.value
+      setEnvs(next)
+    } catch {
+      // network error — keep previous envs, fail-soft
+    } finally {
+      setLoading(false)
+    }
+  }
+  useEffect(() => {
+    if (!refreshIntervalMs || refreshIntervalMs <= 0) return
+    const id = setInterval(refresh, refreshIntervalMs)
+    return () => clearInterval(id)
+    // eslint-disable-next-line react-hooks/exhaustive-deps
+  }, [refreshIntervalMs, effectiveKey])
+  return (
+    <EnvContext.Provider value={{ envs, loading, refresh }}>
+      {children}
+    </EnvContext.Provider>
+  )
+}
+/**
+ * `useEnv("KEY")` — provider'ın hydrate ettiği env değerini döner.
+ * Yoksa undefined; çağıran fallback verir (`useEnv("X") ?? "default"`).
+ */
+export function useEnv(key: string): string | undefined {
+  const ctx = useContext(EnvContext)
+  return ctx.envs[key]
+}
+/** Tüm public env'leri Record olarak döner. */
+export function useAllEnvs(): Record<string, string> {
+  return useContext(EnvContext).envs
+}
+/** Manuel refresh tetikleme (örn. admin "config updated" notification sonrası). */
+export function useEnvRefresh(): { refresh: () => Promise<void>; loading: boolean } {
+  const ctx = useContext(EnvContext)
+  return { refresh: ctx.refresh, loading: ctx.loading }
+}