@suluk/platform 0.4.0 → 0.4.1

Files changed (2)
  1. package/package.json +1 -1
  2. package/src/plan.ts +10 -10
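--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "@suluk/platform",
- "version": "0.4.0",
+ "version": "0.4.1",
  "description": "The platform generator (C051): write one `definePlatform` manifest → it plans the shadcn-registry adds, generates the wired Hono entry, and merges each module's provision fragment into a single provision.config. The manifest compiles to a shadcn-add list + a C047 provision.config; the generator runs the adds + `@suluk/provision`. Turns the Suluk backend registry into a one-command platform. CANDIDATE tooling.",
  "publishConfig": {
  "access": "public"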
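--- a/package/src/plan.ts
+++ b/package/src/plan.ts
@@ -96,21 +96,21 @@ const secretsOf = (env: EnvVar[]): EnvVar[] => env.filter((e) => e.secret);
  * Non-secret config is NOT here — it's in the manifest `vars` → wrangler `[vars]`. Safe to commit (no values). */
  function buildEnvExample(env: EnvVar[]): string {
  const line = (e: EnvVar) => `${e.name}=${e.hint ? ` # ${e.hint}` : ""}`;
- const provisioning = provisioningOf(env).filter((e) => !e.minted); // the master + account id (the raw inputs)
- const minted = env.filter((e) => e.minted); // the scoped tokens the mint step creates
+ // .env.example mirrors the COMMITTED .env AFTER provisioning: SULUK_PUBLIC_KEY (plaintext) + every secret EXCEPT the
+ // EPHEMERAL master (deleted after minting). Keepers + minted scoped tokens + runtime secrets — all encrypted at rest.
+ const localKeepers = secretsOf(env).filter((e) => !e.provisioning && (e.minted || e.surface === "local")); // account-id + minted tokens
  const runtime = runtimeSecretsOf(env);
  return [
- "# Secret keys checklist (generated). SETUP: fill `.env.temp` (plaintext) `bun run provision`. It creates the keypair,",
- "# provisions infra, mints the scoped tokens, ENCRYPTS the keepers into the COMMITTED `.env` (@suluk/env ML-KEM-768), and",
- "# DELETES the ephemeral CF master token. Non-secret config lives in platform.config.ts `vars` (→ wrangler.toml [vars]).",
+ "# .env.example — the keys in the COMMITTED .env AFTER `bun run provision` (values ENCRYPTED with @suluk/env;",
+ "# SULUK_PUBLIC_KEY plaintext). The EPHEMERAL CF master token (CLOUDFLARE_API_TOKEN) is supplied in .env.temp and DELETED",
+ "# after minting it is NOT here. Non-secret config lives in platform.config.ts `vars` (→ wrangler.toml [vars]).",
  "",
- "# PROVISIONING creds supply in .env.temp (plaintext). The master is EPHEMERAL (deleted after minting; never committed):",
- ...provisioning.map(line),
+ "SULUK_PUBLIC_KEY= # @suluk/env public key (plaintext; can only encrypt)",
  "",
- "# Scoped least-privilege tokens MINTED by `bun run provision`/`mint-tokens` (you don't supply these); kept encrypted:",
- ...minted.map((e) => `# ${line(e)}`),
+ "# Provisioning keeper + minted scoped tokens (surface local never shipped to the Worker; encrypted):",
+ ...localKeepers.map(line),
  "",
- "# RUNTIME secrets — supply in .env.temp; encrypted into .env + shipped to the Worker:",
+ "# Runtime secrets (encrypted; reach the Worker via loadEnv / sync-secrets):",
  ...runtime.map((e) => (e.required ? line(e) : `# ${line(e)}`)),
  "",
  ].join("\n");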
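Review bot: The `localKeepers` predicate on new line 101 drops every entry with `provisioning` set, yet its trailing comment says the result is "account-id + minted tokens", and the removed code took the account id from `provisioningOf(env)`. If that helper selects on `e.provisioning` (its definition is outside the hunk), the account id no longer appears in the generated file, and the output gives no sign that a key is missing. This one predicate is also the only thing keeping the ephemeral master token's key out of a template described as mirroring the committed `.env`, while the header text names `CLOUDFLARE_API_TOKEN` by hand, so the two can drift apart. I would state the flag contract beside the filter, e.g. `// provisioning === true marks only the ephemeral master; the account id is a surface "local" secret without it`, once that is confirmed against the manifest, and add a test asserting that the master's name is absent from the output. `buildEnvExample` closes outside the hunk.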