@sentroy-co/client-sdk 2.8.0 → 2.12.0

package/AGENTS.md

@@ -767,6 +767,21 @@ function ConfigPanel() {
 | `apiKey` | `string` | `process.env.NEXT_PUBLIC_SENTROY_ENV_API_KEY` | Bearer token for browser polling |
 | `refreshIntervalMs` | `number` | `300000` (5 min) | `0` to disable polling |
 
+### Migration helper: `getEnvWithFallback(key)`
+
+For codebases moving from `process.env` to vault gradually, use `getEnvWithFallback` — it tries vault first, falls back to `process.env[key]` on cache miss / fetch failure / missing token. The point is *zero downtime*: deploy the code change before populating the vault, and nothing breaks; fill the vault later, and the same code starts reading from there.
+
+```ts
+import { getEnvWithFallback } from "@sentroy-co/client-sdk/vault"
+
+// Old:                     process.env.STRIPE_SECRET_KEY
+const stripeKey = await getEnvWithFallback("STRIPE_SECRET_KEY")
+```
+
+After the value is in the vault and you've verified it's being read, swap the call to `getEnv` (or `getEnvOrThrow`) so a future `process.env` re-introduction doesn't silently shadow the vault value.
+
+Bootstrap path (no `SENTROY_ENV_API_KEY` set) skips the fetch entirely and goes straight to `process.env` — so an app deployed without vault credentials still boots and reads its envs the legacy way. This is intentional: the vault is opt-in, not a hard requirement.
+
 ### Security notes
 
 - `useEnv()` only ever returns variables marked `public: true` in the dashboard. Server-only secrets stay server-side.
@@ -774,6 +789,88 @@ function ConfigPanel() {
 - The bootstrap token is per-(project, environment). A `prod` token cannot read `staging` and vice versa.
 - Variable values are AES-256-GCM encrypted at rest in the Sentroy vault DB. Decryption happens server-side just before the fetch endpoint streams the response.
 
+### Webhooks (`createVaultWebhookHandler`)
+
+Variable changes can push directly to your app instead of waiting on the 5-min cache TTL. Configure a webhook in the dashboard under a project's **Webhooks** tab — Sentroy will POST to your URL on every `variable.create | variable.update | variable.delete`.
+
+```ts
+// app/api/sentroy/vault-webhook/route.ts
+import { createVaultWebhookHandler } from "@sentroy-co/client-sdk/vault"
+
+export const POST = createVaultWebhookHandler({
+  secret: process.env.SENTROY_VAULT_WEBHOOK_SECRET!,
+  // optional — default behaviour: await refreshEnvCache()
+  async onChange(payload) {
+    console.log("vault changed", payload.action, payload.keys)
+    // your invalidation logic, then:
+    await refreshEnvCache()
+  },
+  // optional — replay-window check, default 5 min
+  maxAgeMs: 5 * 60 * 1000,
+})
+```
+
+Payload (signed):
+```json
+{
+  "event": "vault.variable.changed",
+  "project": "<projectId>",
+  "environment": "prod",
+  "action": "create" | "update" | "delete",
+  "keys": ["DATABASE_URL", "..."],
+  "timestamp": 1731430000000
+}
+```
+
+Headers Sentroy sends: `X-Sentroy-Signature: sha256=<hex>` (HMAC over the raw body), `X-Sentroy-Event: vault.variable.changed`, `X-Sentroy-Webhook-Id: <id>`.
+
+The handler returns:
+- `200` with `{ ok: true }` after a verified signature + completed `onChange`
+- `401` for missing/malformed/invalid signature, or timestamp outside the replay window
+- `400` for an invalid JSON body
+- `500` if `onChange` throws
+
+Delivery is fire-and-forget on the Sentroy side with a 5 sec timeout; the dashboard records the last delivery's status + error string per webhook for visibility. Failed deliveries are not auto-retried (admin can flip the enabled toggle to retry manually by re-saving a variable, or we'll add a "resend" button later).
+
+The vault webhook secret namespace is `whsec_*` — distinct from access tokens (`stk_*` / `stk_env_*`).
+
+### CLI (`sentroy env ...`)
+
+The package ships a `sentroy` binary. After `npm install` (or `npm install -g`) it's available on `PATH`; `npx sentroy ...` works without a global install.
+
+Auth is the same `SENTROY_ENV_API_KEY` used by `getEnv()` (or pass `--token=stk_env_...`). Base URL defaults to `https://sentroy.com` (override with `SENTROY_ENV_API_URL` or `--url=`). The token's (project, environment) scope is implicit — never specified on the CLI.
+
+```bash
+# Push a local file to the vault. Without --delete-missing it's upsert-only.
+# With --delete-missing it's a full sync — any vault key not in the file
+# is removed (CLI prompts for confirmation interactively).
+sentroy env push .env.production --delete-missing
+sentroy env push .env.production --dry-run     # show diff, no writes
+
+# Diff local vs vault without writing.
+sentroy env diff .env.production --delete-missing
+
+# Pull the vault into a local file. Refuses to overwrite without --force.
+sentroy env pull .env.staging --force
+
+# List keys (or KEY=value with --values; only public-flagged with --public-only).
+sentroy env list
+sentroy env list --values
+sentroy env list --public-only
+```
+
+`push` requires the token to have `write` permission (toggle when generating the token in the dashboard). `pull`, `list`, and `diff` only need `read`.
+
+The CLI parses the same `.env` flavour as the dashboard's developer mode:
+
+- blank line resets pending description / public flag
+- `# any comment` above a key becomes the variable's description
+- `# @public` on its own line marks the next key as browser-readable
+- `KEY="quoted with spaces"` and `KEY='single quoted'` both supported
+- `export KEY=value` prefix is stripped
+
+REST endpoint behind `push`: `POST /api/env-vault/push` with body `{ entries: [{key, value, public?, description?}], deleteMissing?: boolean }` and `Authorization: Bearer stk_env_...`. Response: `{ added, updated, unchanged, deleted, total, project, environment }`. Each insert/update/delete writes one audit log entry (checksum, no plaintext) tagged `source: "cli-push"`.
+
 ## Requirements
 
 - Node.js 18+ (uses native `fetch`)

package/README.md

@@ -84,11 +84,15 @@ Manage your env vars in the dashboard at [vault.sentroy.com](https://vault.sentr
 
 ```ts
 // server side
-import { getEnv, getEnvOrThrow, preloadEnv } from "@sentroy-co/client-sdk/vault"
+import { getEnv, getEnvOrThrow, getEnvWithFallback, preloadEnv } from "@sentroy-co/client-sdk/vault"
 
 await preloadEnv() // optional fail-fast at boot
 const dbUrl = await getEnv("DATABASE_URL")
 const turnstile = await getEnvOrThrow("BETTER_AUTH_TURNSTILE_SECRET")
+
+// Migration helper — vault'tan oku, yoksa process.env fallback.
+// Sentroy app'lerini kademeli olarak migrate ederken kullanışlı.
+const stripe = await getEnvWithFallback("STRIPE_SECRET_KEY")
 ```
 
 ```tsx
@@ -106,6 +110,35 @@ const siteKey = useEnv("TURNSTILE_SITE_KEY")
 
 Bootstrap is a single env: `SENTROY_ENV_API_KEY`. Public/private split is enforced server-side — the React hook only ever sees `public: true` variables. Full reference at [docs.sentroy.com/env-vault](https://docs.sentroy.com/env-vault).
 
+### Webhooks (real-time invalidation)
+
+Skip the 5-min cache TTL — point the vault at your app and it'll POST whenever any variable changes. The default handler verifies the HMAC-SHA256 signature and refreshes the cache:
+
+```ts
+// app/api/sentroy/vault-webhook/route.ts
+import { createVaultWebhookHandler } from "@sentroy-co/client-sdk/vault"
+
+export const POST = createVaultWebhookHandler({
+  secret: process.env.SENTROY_VAULT_WEBHOOK_SECRET!,
+})
+```
+
+Configure the receiver URL in the vault dashboard under the project's **Webhooks** tab; the secret comes back once at create-time. Provide your own `onChange` handler for custom logic.
+
+### CLI
+
+The package ships a `sentroy` CLI for syncing local `.env` files to the vault — useful for build pipelines and onboarding.
+
+```bash
+# Use SENTROY_ENV_API_KEY (or pass --token=stk_env_...)
+npx sentroy env push .env.production --delete-missing
+npx sentroy env diff .env.production
+npx sentroy env pull .env.staging --force
+npx sentroy env list --values --public-only
+```
+
+The token's (project, environment) scope is implicit. `--delete-missing` makes the push a full sync — keys not in the local file are removed from the vault. The token must have `write` permission for `push`; everything else only needs `read`.
+
 ## Self-hosted vs hosted
 
 The SDK is identical in both modes. Only `baseUrl` changes:

package/bin/sentroy.js

@@ -0,0 +1,4 @@
+#!/usr/bin/env node
+// Thin shim — keeps the shebang out of TypeScript-emitted files so tsc
+// can still emit them as plain CommonJS modules without preserving comments.
+require("../dist/cli/index.js")

package/dist/cli/dotenv.d.ts

@@ -0,0 +1,35 @@
+/**
+ * Minimal .env parser + serializer used by the CLI.
+ *
+ * Format conventions (mirrors apps/core/components/admin/env-vault-content.tsx
+ * developer mode):
+ *   - blank line resets pending description/public flag
+ *   - `# @public` on its own line marks the next variable as browser-readable
+ *   - `# any other text` becomes the next variable's description
+ *   - `KEY=value`               (unquoted)
+ *   - `KEY="value with spaces"` (double-quoted; supports \n, \", \\ escapes)
+ *   - `KEY='single quotes'`     (single-quoted; literal)
+ *   - `export KEY=value`        (export prefix stripped)
+ *
+ * Anything else is reported as a parse error with the offending line number.
+ */
+export interface DotenvEntry {
+    key: string;
+    value: string;
+    public: boolean;
+    description: string | null;
+}
+export interface DotenvParseResult {
+    entries: DotenvEntry[];
+    errors: {
+        line: number;
+        message: string;
+    }[];
+}
+export declare function parseDotenv(text: string): DotenvParseResult;
+/**
+ * Inverse of parseDotenv — emit a .env document that round-trips through it.
+ * Quotes values that contain whitespace or shell-special characters.
+ */
+export declare function serializeDotenv(entries: DotenvEntry[]): string;
+//# sourceMappingURL=dotenv.d.ts.map

package/dist/cli/dotenv.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dotenv.d.ts","sourceRoot":"","sources":["../../src/cli/dotenv.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,MAAM,WAAW,WAAW;IAC1B,GAAG,EAAE,MAAM,CAAA;IACX,KAAK,EAAE,MAAM,CAAA;IACb,MAAM,EAAE,OAAO,CAAA;IACf,WAAW,EAAE,MAAM,GAAG,IAAI,CAAA;CAC3B;AAED,MAAM,WAAW,iBAAiB;IAChC,OAAO,EAAE,WAAW,EAAE,CAAA;IACtB,MAAM,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,EAAE,CAAA;CAC5C;AAID,wBAAgB,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,iBAAiB,CA2F3D;AAED;;;GAGG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,WAAW,EAAE,GAAG,MAAM,CAkB9D"}

package/dist/cli/dotenv.js

@@ -0,0 +1,125 @@
+"use strict";
+/**
+ * Minimal .env parser + serializer used by the CLI.
+ *
+ * Format conventions (mirrors apps/core/components/admin/env-vault-content.tsx
+ * developer mode):
+ *   - blank line resets pending description/public flag
+ *   - `# @public` on its own line marks the next variable as browser-readable
+ *   - `# any other text` becomes the next variable's description
+ *   - `KEY=value`               (unquoted)
+ *   - `KEY="value with spaces"` (double-quoted; supports \n, \", \\ escapes)
+ *   - `KEY='single quotes'`     (single-quoted; literal)
+ *   - `export KEY=value`        (export prefix stripped)
+ *
+ * Anything else is reported as a parse error with the offending line number.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.parseDotenv = parseDotenv;
+exports.serializeDotenv = serializeDotenv;
+const KEY_PATTERN = /^[A-Z_][A-Z0-9_]*$/;
+function parseDotenv(text) {
+    const lines = text.split(/\r?\n/);
+    const entries = [];
+    const errors = [];
+    const seen = new Set();
+    let pendingDescription = [];
+    let pendingPublic = false;
+    for (let i = 0; i < lines.length; i++) {
+        const raw = lines[i] ?? "";
+        const line = raw.trim();
+        if (line === "") {
+            pendingDescription = [];
+            pendingPublic = false;
+            continue;
+        }
+        if (line.startsWith("#")) {
+            const body = line.slice(1).trim();
+            if (body === "@public") {
+                pendingPublic = true;
+            }
+            else if (body) {
+                pendingDescription.push(body);
+            }
+            continue;
+        }
+        const work = line.startsWith("export ") ? line.slice(7).trimStart() : line;
+        const eq = work.indexOf("=");
+        if (eq <= 0) {
+            errors.push({
+                line: i + 1,
+                message: "invalid syntax (expected KEY=value)",
+            });
+            pendingDescription = [];
+            pendingPublic = false;
+            continue;
+        }
+        const key = work.slice(0, eq).trim();
+        let value = work.slice(eq + 1);
+        if (!KEY_PATTERN.test(key)) {
+            errors.push({
+                line: i + 1,
+                message: "key must match [A-Z_][A-Z0-9_]*",
+            });
+            pendingDescription = [];
+            pendingPublic = false;
+            continue;
+        }
+        const trimmed = value.trim();
+        if ((trimmed.startsWith('"') && trimmed.endsWith('"')) ||
+            (trimmed.startsWith("'") && trimmed.endsWith("'"))) {
+            value = trimmed.slice(1, -1);
+            if (trimmed.startsWith('"')) {
+                value = value
+                    .replace(/\\n/g, "\n")
+                    .replace(/\\"/g, '"')
+                    .replace(/\\\\/g, "\\");
+            }
+        }
+        else {
+            value = trimmed;
+        }
+        if (seen.has(key)) {
+            errors.push({ line: i + 1, message: `duplicate key ${key}` });
+            pendingDescription = [];
+            pendingPublic = false;
+            continue;
+        }
+        seen.add(key);
+        entries.push({
+            key,
+            value,
+            public: pendingPublic,
+            description: pendingDescription.length > 0 ? pendingDescription.join(" ") : null,
+        });
+        pendingDescription = [];
+        pendingPublic = false;
+    }
+    return { entries, errors };
+}
+/**
+ * Inverse of parseDotenv — emit a .env document that round-trips through it.
+ * Quotes values that contain whitespace or shell-special characters.
+ */
+function serializeDotenv(entries) {
+    const blocks = [];
+    for (const e of entries) {
+        const parts = [];
+        if (e.description)
+            parts.push(`# ${e.description}`);
+        if (e.public)
+            parts.push("# @public");
+        const value = e.value;
+        const needsQuote = /[\s"'#$`\\]/.test(value) || value === "";
+        const escaped = needsQuote
+            ? `"${value
+                .replace(/\\/g, "\\\\")
+                .replace(/"/g, '\\"')
+                .replace(/\n/g, "\\n")}"`
+            : value;
+        parts.push(`${e.key}=${escaped}`);
+        blocks.push(parts.join("\n"));
+    }
+    return blocks.join("\n\n") + (blocks.length > 0 ? "\n" : "");
+}
+//# sourceMappingURL=dotenv.js.map

package/dist/cli/dotenv.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dotenv.js","sourceRoot":"","sources":["../../src/cli/dotenv.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;GAcG;;AAgBH,kCA2FC;AAMD,0CAkBC;AArHD,MAAM,WAAW,GAAG,oBAAoB,CAAA;AAExC,SAAgB,WAAW,CAAC,IAAY;IACtC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAA;IACjC,MAAM,OAAO,GAAkB,EAAE,CAAA;IACjC,MAAM,MAAM,GAAgC,EAAE,CAAA;IAC9C,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAA;IAE9B,IAAI,kBAAkB,GAAa,EAAE,CAAA;IACrC,IAAI,aAAa,GAAG,KAAK,CAAA;IAEzB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,GAAG,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAA;QAC1B,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,EAAE,CAAA;QAEvB,IAAI,IAAI,KAAK,EAAE,EAAE,CAAC;YAChB,kBAAkB,GAAG,EAAE,CAAA;YACvB,aAAa,GAAG,KAAK,CAAA;YACrB,SAAQ;QACV,CAAC;QAED,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YACzB,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAA;YACjC,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;gBACvB,aAAa,GAAG,IAAI,CAAA;YACtB,CAAC;iBAAM,IAAI,IAAI,EAAE,CAAC;gBAChB,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;YAC/B,CAAC;YACD,SAAQ;QACV,CAAC;QAED,MAAM,IAAI,GAAG,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC,IAAI,CAAA;QAC1E,MAAM,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;QAC5B,IAAI,EAAE,IAAI,CAAC,EAAE,CAAC;YACZ,MAAM,CAAC,IAAI,CAAC;gBACV,IAAI,EAAE,CAAC,GAAG,CAAC;gBACX,OAAO,EAAE,qCAAqC;aAC/C,CAAC,CAAA;YACF,kBAAkB,GAAG,EAAE,CAAA;YACvB,aAAa,GAAG,KAAK,CAAA;YACrB,SAAQ;QACV,CAAC;QAED,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,CAAA;QACpC,IAAI,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,GAAG,CAAC,CAAC,CAAA;QAE9B,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;YAC3B,MAAM,CAAC,IAAI,CAAC;gBACV,IAAI,EAAE,CAAC,GAAG,CAAC;gBACX,OAAO,EAAE,iCAAiC;aAC3C,CAAC,CAAA;YACF,kBAAkB,GAAG,EAAE,CAAA;YACvB,aAAa,GAAG,KAAK,CAAA;YACrB,SAAQ;QACV,CAAC;QAED,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,EAAE,CAAA;QAC5B,IACE,CAAC,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;YAClD,CAAC,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,EAClD,CAAC;YACD,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAA;YAC5B,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;gBAC5B,KAAK,GAAG,KAAK;qBACV,OAAO,CAAC,MAAM,EAAE,IAAI,CAAC;qBACrB,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC;qBACpB,OAAO,CAAC,OAAO,EAAE,IAAI,CAAC,CAAA;YAC3B,CAAC;QACH,CAAC;aAAM,CAAC;YACN,KAAK,GAAG,OAAO,CAAA;QACjB,CAAC;QAED,IAAI,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;YAClB,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,CAAC,GAAG,CAAC,EAAE,OAAO,EAAE,iBAAiB,GAAG,EAAE,EAAE,CAAC,CAAA;YAC7D,kBAAkB,GAAG,EAAE,CAAA;YACvB,aAAa,GAAG,KAAK,CAAA;YACrB,SAAQ;QACV,CAAC;QACD,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;QAEb,OAAO,CAAC,IAAI,CAAC;YACX,GAAG;YACH,KAAK;YACL,MAAM,EAAE,aAAa;YACrB,WAAW,EACT,kBAAkB,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,kBAAkB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI;SACtE,CAAC,CAAA;QAEF,kBAAkB,GAAG,EAAE,CAAA;QACvB,aAAa,GAAG,KAAK,CAAA;IACvB,CAAC;IAED,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,CAAA;AAC5B,CAAC;AAED;;;GAGG;AACH,SAAgB,eAAe,CAAC,OAAsB;IACpD,MAAM,MAAM,GAAa,EAAE,CAAA;IAC3B,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;QACxB,MAAM,KAAK,GAAa,EAAE,CAAA;QAC1B,IAAI,CAAC,CAAC,WAAW;YAAE,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,WAAW,EAAE,CAAC,CAAA;QACnD,IAAI,CAAC,CAAC,MAAM;YAAE,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,CAAA;QACrC,MAAM,KAAK,GAAG,CAAC,CAAC,KAAK,CAAA;QACrB,MAAM,UAAU,GAAG,aAAa,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,KAAK,KAAK,EAAE,CAAA;QAC5D,MAAM,OAAO,GAAG,UAAU;YACxB,CAAC,CAAC,IAAI,KAAK;iBACN,OAAO,CAAC,KAAK,EAAE,MAAM,CAAC;iBACtB,OAAO,CAAC,IAAI,EAAE,KAAK,CAAC;iBACpB,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC,GAAG;YAC7B,CAAC,CAAC,KAAK,CAAA;QACT,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,IAAI,OAAO,EAAE,CAAC,CAAA;QACjC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAA;IAC/B,CAAC;IACD,OAAO,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAA;AAC9D,CAAC"}

package/dist/cli/env.d.ts

@@ -0,0 +1,11 @@
+/**
+ * `sentroy env <subcommand>` — vault sync from a local .env file.
+ *
+ * The token's (project, environment) scope is implicit; the CLI never
+ * asks for either since it can't change them.
+ */
+export declare function cmdPush(args: string[]): Promise<void>;
+export declare function cmdPull(args: string[]): Promise<void>;
+export declare function cmdList(args: string[]): Promise<void>;
+export declare function cmdDiff(args: string[]): Promise<void>;
+//# sourceMappingURL=env.d.ts.map

package/dist/cli/env.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"env.d.ts","sourceRoot":"","sources":["../../src/cli/env.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAgMH,wBAAsB,OAAO,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAgF3D;AAID,wBAAsB,OAAO,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAwB3D;AAID,wBAAsB,OAAO,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAmB3D;AAID,wBAAsB,OAAO,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAyB3D"}