@suronai/sdk 0.1.10 → 0.1.13
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +1 -1
- package/src/decrypt.js +24 -16
- package/src/poll.js +7 -1
- package/src/vault.js +6 -2
package/package.json
CHANGED
package/src/decrypt.js
CHANGED
|
@@ -1,21 +1,29 @@
|
|
|
1
|
-
import {
|
|
1
|
+
import { parse as dotenvxParse } from "@dotenvx/dotenvx";
|
|
2
|
+
import { readFileSync } from "fs";
|
|
3
|
+
import { join } from "path";
|
|
2
4
|
|
|
3
5
|
/**
|
|
4
|
-
* Decrypts the encrypted .env into process.env using dotenvx.
|
|
5
|
-
*
|
|
6
|
-
*
|
|
7
|
-
*
|
|
6
|
+
* Decrypts the encrypted .env (in envDir) into process.env using dotenvx.
|
|
7
|
+
*
|
|
8
|
+
* We use dotenvx.parse(src, { privateKey }) rather than config():
|
|
9
|
+
* - parse() is the documented API that accepts privateKey directly
|
|
10
|
+
* - It decrypts in-memory without touching process.env or requiring
|
|
11
|
+
* DOTENV_PRIVATE_KEY to be set anywhere
|
|
12
|
+
* - We then assign the decrypted values into process.env ourselves,
|
|
13
|
+
* which is explicit and race-condition-free
|
|
14
|
+
*
|
|
15
|
+
* @param {string} privateKey - 64-char hex secp256k1 private key from Suron
|
|
16
|
+
* @param {string} envDir - Directory containing the encrypted .env file
|
|
8
17
|
*/
|
|
9
|
-
export function decryptEnv(privateKey) {
|
|
10
|
-
const
|
|
11
|
-
|
|
12
|
-
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
}
|
|
18
|
+
export function decryptEnv(privateKey, envDir = process.cwd()) {
|
|
19
|
+
const envPath = join(envDir, ".env");
|
|
20
|
+
const src = readFileSync(envPath, "utf-8");
|
|
21
|
+
const parsed = dotenvxParse(src, { privateKey });
|
|
22
|
+
for (const [key, value] of Object.entries(parsed)) {
|
|
23
|
+
// Skip dotenvx's own metadata keys — these are infrastructure, not app secrets.
|
|
24
|
+
// DOTENV_PUBLIC_KEY is stored in plaintext in the .env file by dotenvx and
|
|
25
|
+
// would otherwise pollute the app's runtime environment.
|
|
26
|
+
if (key.startsWith("DOTENV_PUBLIC_KEY") || key.startsWith("DOTENV_PRIVATE_KEY")) continue;
|
|
27
|
+
process.env[key] = value;
|
|
20
28
|
}
|
|
21
29
|
}
|
package/src/poll.js
CHANGED
|
@@ -32,7 +32,13 @@ export async function pollUntilApproved(
|
|
|
32
32
|
|
|
33
33
|
if (!res.ok) continue; // Transient error — keep polling
|
|
34
34
|
|
|
35
|
-
|
|
35
|
+
let status;
|
|
36
|
+
try {
|
|
37
|
+
({ status } = await res.json());
|
|
38
|
+
} catch {
|
|
39
|
+
// Malformed JSON — treat as transient and keep polling
|
|
40
|
+
continue;
|
|
41
|
+
}
|
|
36
42
|
|
|
37
43
|
if (status === "approved") return;
|
|
38
44
|
if (status === "denied") {
|
package/src/vault.js
CHANGED
|
@@ -33,9 +33,13 @@ function readSuronJson(dir) {
|
|
|
33
33
|
} catch {
|
|
34
34
|
throw new SuronConfigError(".suron.json is malformed JSON");
|
|
35
35
|
}
|
|
36
|
-
|
|
36
|
+
const app = typeof parsed.app === "string" ? parsed.app.trim() : "";
|
|
37
|
+
const id = typeof parsed.id === "string" ? parsed.id.trim() : "";
|
|
38
|
+
if (!app || !id) {
|
|
37
39
|
throw new SuronConfigError(".suron.json is missing 'app' or 'id' field");
|
|
38
40
|
}
|
|
41
|
+
parsed.app = app;
|
|
42
|
+
parsed.id = id;
|
|
39
43
|
return parsed;
|
|
40
44
|
}
|
|
41
45
|
|
|
@@ -114,7 +118,7 @@ export async function vault(options = {}) {
|
|
|
114
118
|
await pollUntilApproved(apiUrl, requestId, timeout, pollInterval);
|
|
115
119
|
|
|
116
120
|
const privateKey = await fetchKey(apiUrl, requestId);
|
|
117
|
-
decryptEnv(privateKey);
|
|
121
|
+
decryptEnv(privateKey, configPath);
|
|
118
122
|
// Note: JS strings are immutable — there is no way to scrub the value from
|
|
119
123
|
// heap memory. The reference is dropped here and will be GC'd normally.
|
|
120
124
|
|