@townco/secret 0.1.0

package/dist/env-file.d.ts

@@ -0,0 +1,105 @@
+/**
+ * Represents a line in an .env file
+ */
+type EnvLine = {
+    type: "comment";
+    content: string;
+} | {
+    type: "blank";
+} | {
+    type: "entry";
+    key: string;
+    value: string;
+    raw: string;
+};
+/**
+ * A data structure that represents a parsed .env file while preserving
+ * all original content including comments, blank lines, and order.
+ */
+export declare class EnvFile {
+    private lines;
+    constructor(lines?: EnvLine[]);
+    /**
+     * Parse a .env file string into an EnvFile structure
+     */
+    static parse(content: string): EnvFile;
+    /**
+     * Serialize the EnvFile back to a string
+     */
+    toString(): string;
+    /**
+     * Get all entries as a key-value record
+     */
+    toRecord(): Record<string, string>;
+    /**
+     * Find an entry line by key
+     */
+    private findEntry;
+    /**
+     * Find the index of an entry by key
+     */
+    private findEntryIndex;
+    /**
+     * Create an entry line from key and value
+     */
+    private createEntry;
+    /**
+     * Normalize a value by ensuring it's properly quoted
+     */
+    private normalizeValue;
+    /**
+     * Find the insertion index for a new entry (before the final blank line if present)
+     */
+    private findInsertionIndex;
+    /**
+     * Get the value for a specific key
+     */
+    get(key: string): string | undefined;
+    /**
+     * Set a value for a key. If the key exists, updates it in place.
+     * If it doesn't exist, appends it above the final newline (if present).
+     * Values are always double quoted.
+     */
+    set(key: string, value: string): this;
+    /**
+     * Delete a key-value entry
+     */
+    delete(key: string): this;
+    /**
+     * Check if a key exists
+     */
+    has(key: string): boolean;
+    /**
+     * Get all keys
+     */
+    keys(): string[];
+    /**
+     * Iterate over all entries
+     */
+    entries(): IterableIterator<[string, string]>;
+    /**
+     * Apply a function to all entries and return a new EnvFile
+     */
+    map(fn: (key: string, value: string) => [string, string]): EnvFile;
+    /**
+     * Filter entries based on a predicate
+     */
+    filter(fn: (key: string, value: string) => boolean): EnvFile;
+    /**
+     * Add a comment line
+     */
+    addComment(content: string): this;
+    /**
+     * Add a blank line
+     */
+    addBlank(): this;
+    /**
+     * Get the raw lines array for custom operations
+     */
+    getLines(): readonly EnvLine[];
+    /**
+     * Create a clone of this EnvFile
+     */
+    clone(): EnvFile;
+}
+export {};

package/dist/env-file.js

@@ -0,0 +1,205 @@
+/**
+ * A data structure that represents a parsed .env file while preserving
+ * all original content including comments, blank lines, and order.
+ */
+export class EnvFile {
+    lines;
+    constructor(lines = []) {
+        this.lines = lines;
+    }
+    /**
+     * Parse a .env file string into an EnvFile structure
+     */
+    static parse(content) {
+        const lines = content.split("\n").map((line) => {
+            const trimmed = line.trim();
+            if (trimmed === "") {
+                return { type: "blank" };
+            }
+            if (trimmed.startsWith("#")) {
+                return { type: "comment", content: line };
+            }
+            const equalsIndex = line.indexOf("=");
+            if (equalsIndex === -1) {
+                // Malformed line, treat as comment
+                return { type: "comment", content: line };
+            }
+            const key = line.substring(0, equalsIndex).trim();
+            const value = line.substring(equalsIndex + 1);
+            return { type: "entry", key, value, raw: line };
+        });
+        return new EnvFile(lines);
+    }
+    /**
+     * Serialize the EnvFile back to a string
+     */
+    toString() {
+        return this.lines
+            .map((line) => {
+            switch (line.type) {
+                case "blank":
+                    return "";
+                case "comment":
+                    return line.content;
+                case "entry":
+                    return line.raw;
+                default:
+                    throw new Error(`Unknown line type`);
+            }
+        })
+            .join("\n");
+    }
+    /**
+     * Get all entries as a key-value record
+     */
+    toRecord() {
+        return Object.fromEntries(this.entries());
+    }
+    /**
+     * Find an entry line by key
+     */
+    findEntry(key) {
+        const line = this.lines.find((l) => l.type === "entry" && l.key === key);
+        return line;
+    }
+    /**
+     * Find the index of an entry by key
+     */
+    findEntryIndex(key) {
+        return this.lines.findIndex((l) => l.type === "entry" && l.key === key);
+    }
+    /**
+     * Create an entry line from key and value
+     */
+    createEntry(key, value) {
+        const quotedValue = this.normalizeValue(value);
+        return {
+            type: "entry",
+            key,
+            value: quotedValue,
+            raw: `${key}=${quotedValue}`,
+        };
+    }
+    /**
+     * Normalize a value by ensuring it's properly quoted
+     */
+    normalizeValue(value) {
+        // Strip existing quotes if present, then add quotes
+        const unquoted = value.startsWith('"') && value.endsWith('"') ? value.slice(1, -1) : value;
+        return `"${unquoted}"`;
+    }
+    /**
+     * Find the insertion index for a new entry (before the final blank line if present)
+     */
+    findInsertionIndex() {
+        const lastLine = this.lines[this.lines.length - 1];
+        return lastLine?.type === "blank"
+            ? this.lines.length - 1
+            : this.lines.length;
+    }
+    /**
+     * Get the value for a specific key
+     */
+    get(key) {
+        return this.findEntry(key)?.value;
+    }
+    /**
+     * Set a value for a key. If the key exists, updates it in place.
+     * If it doesn't exist, appends it above the final newline (if present).
+     * Values are always double quoted.
+     */
+    set(key, value) {
+        const index = this.findEntryIndex(key);
+        const entry = this.createEntry(key, value);
+        if (index !== -1) {
+            this.lines[index] = entry;
+        }
+        else {
+            this.lines.splice(this.findInsertionIndex(), 0, entry);
+        }
+        return this;
+    }
+    /**
+     * Delete a key-value entry
+     */
+    delete(key) {
+        this.lines = this.lines.filter((l) => !(l.type === "entry" && l.key === key));
+        return this;
+    }
+    /**
+     * Check if a key exists
+     */
+    has(key) {
+        return this.findEntry(key) !== undefined;
+    }
+    /**
+     * Get all keys
+     */
+    keys() {
+        return this.lines
+            .filter((l) => l.type === "entry")
+            .map((l) => l.key);
+    }
+    /**
+     * Iterate over all entries
+     */
+    *entries() {
+        for (const line of this.lines) {
+            if (line.type === "entry") {
+                yield [line.key, line.value];
+            }
+        }
+    }
+    /**
+     * Apply a function to all entries and return a new EnvFile
+     */
+    map(fn) {
+        const newLines = this.lines.map((line) => {
+            if (line.type === "entry") {
+                const [newKey, newValue] = fn(line.key, line.value);
+                return this.createEntry(newKey, newValue);
+            }
+            return line;
+        });
+        return new EnvFile(newLines);
+    }
+    /**
+     * Filter entries based on a predicate
+     */
+    filter(fn) {
+        const newLines = this.lines.filter((line) => {
+            if (line.type === "entry") {
+                return fn(line.key, line.value);
+            }
+            return true; // Keep comments and blank lines
+        });
+        return new EnvFile(newLines);
+    }
+    /**
+     * Add a comment line
+     */
+    addComment(content) {
+        const comment = content.startsWith("#") ? content : `# ${content}`;
+        this.lines.push({ type: "comment", content: comment });
+        return this;
+    }
+    /**
+     * Add a blank line
+     */
+    addBlank() {
+        this.lines.push({ type: "blank" });
+        return this;
+    }
+    /**
+     * Get the raw lines array for custom operations
+     */
+    getLines() {
+        return this.lines;
+    }
+    /**
+     * Create a clone of this EnvFile
+     */
+    clone() {
+        return new EnvFile([...this.lines]);
+    }
+}

package/dist/index.d.ts

@@ -0,0 +1,12 @@
+export { EnvFile } from "./env-file";
+export { type OnePassword, OnePassword as OpItem } from "./onepassword";
+export type SecretValidation = {
+    key: string;
+    value: string;
+    valid: boolean;
+    error?: string;
+};
+export declare const listSecrets: () => Promise<Promise<SecretValidation[]>>;
+export declare const createSecret: (name: string, value: string) => Promise<Promise<void>>;
+export declare const deleteSecret: (name: string) => Promise<Promise<void>>;
+export declare const genenv: () => Promise<Promise<void>>;

package/dist/index.js

@@ -0,0 +1,130 @@
+import * as path from "node:path";
+import { EnvFile } from "./env-file";
+import { OnePassword } from "./onepassword";
+export { EnvFile } from "./env-file";
+export { OnePassword as OpItem } from "./onepassword";
+const ROOT_MARKER = ".root";
+const SECRET_FILE = ".env.in";
+const OP_VAULT = "app";
+const OP_ITEM = "dev";
+const findRoot = async (start = ".") => {
+    const startResolved = path.resolve(start);
+    const rootPath = path.join(startResolved, ROOT_MARKER);
+    if (await Bun.file(rootPath).exists())
+        return startResolved;
+    const parent = path.dirname(startResolved);
+    if (parent === "/") {
+        throw new Error("No root found");
+    }
+    return await findRoot(parent);
+};
+const withOpSignIn = (fn) => async (...args) => {
+    await OnePassword.signin();
+    return fn(...args);
+};
+const readEnvFile = async (filePath) => {
+    const content = await Bun.file(filePath).text();
+    return EnvFile.parse(content);
+};
+const writeEnvFile = async (filePath, envFile) => {
+    await Bun.write(filePath, envFile.toString());
+};
+const withEnvFile = (fn) => async (...args) => {
+    const filePath = path.join(await findRoot(), SECRET_FILE);
+    const envFile = await readEnvFile(filePath);
+    const originalRecord = envFile.toRecord();
+    const result = fn({ ...originalRecord }, ...args);
+    // If the result is a Record<string, string>, write it back
+    if (result && typeof result === "object" && !Array.isArray(result)) {
+        const resultRecord = result;
+        // Check if this looks like a secrets record (all string values)
+        const isSecretsRecord = Object.values(resultRecord).every((v) => typeof v === "string");
+        if (isSecretsRecord) {
+            const resultSecrets = resultRecord;
+            // Delete keys that are in original but not in result
+            for (const key of Object.keys(originalRecord)) {
+                if (!(key in resultSecrets)) {
+                    envFile.delete(key);
+                }
+            }
+            // Update or add keys from result
+            for (const [key, value] of Object.entries(resultSecrets)) {
+                envFile.set(key, value);
+            }
+            await writeEnvFile(filePath, envFile);
+        }
+    }
+    return result;
+};
+export const listSecrets = withOpSignIn(async () => {
+    const root = await findRoot();
+    const filePath = path.join(root, SECRET_FILE);
+    const envFile = await readEnvFile(filePath);
+    const secrets = envFile.toRecord();
+    // Fetch the dev item using OpItem
+    const opItem = await OnePassword.fetch(OP_VAULT, OP_ITEM);
+    const validations = [];
+    for (const [key, value] of Object.entries(secrets)) {
+        // Strip quotes from value if present
+        let unquotedValue = value;
+        if (value.startsWith('"') && value.endsWith('"')) {
+            unquotedValue = value.slice(1, -1);
+        }
+        const validation = {
+            key,
+            value: unquotedValue,
+            valid: true,
+        };
+        if (!validation.value.startsWith("op://")) {
+            validations.push(validation);
+            continue;
+        }
+        // Check if field exists in 1Password item
+        if (opItem.has(key)) {
+            validation.valid = false;
+            validation.error = `Field '${key}' not found in 1Password item`;
+            validations.push(validation);
+            continue;
+        }
+        // Build expected op:// reference
+        const expectedRef = opItem.getReference(key);
+        // Compare the value from .env.in with expected reference
+        if (unquotedValue !== expectedRef) {
+            validation.valid = false;
+            validation.error = `Reference mismatch: expected '${expectedRef}', got '${unquotedValue}'`;
+            validations.push(validation);
+            continue;
+        }
+        validations.push(validation);
+    }
+    return validations;
+});
+export const createSecret = withOpSignIn(async (name, value) => {
+    // Fetch the item, update it, and sync
+    const opItem = await OnePassword.fetch(OP_VAULT, OP_ITEM);
+    opItem.set(name, value);
+    await opItem.sync();
+    // Update the env file with the secret reference
+    await withEnvFile((secrets) => {
+        secrets[name] = opItem.getReference(name);
+        return secrets;
+    })();
+});
+export const deleteSecret = withOpSignIn(async (name) => {
+    // Fetch the item, delete the field, and sync
+    const opItem = await OnePassword.fetch(OP_VAULT, OP_ITEM);
+    opItem.delete(name);
+    await opItem.sync();
+    // Update the env file by removing the secret
+    await withEnvFile((secrets, fieldName) => {
+        delete secrets[fieldName];
+        return secrets;
+    })(name);
+});
+export const genenv = withOpSignIn(async () => {
+    const root = await findRoot();
+    const inputPath = path.join(root, SECRET_FILE);
+    const outputPath = path.join(root, ".env");
+    // Use OpItem to inject and resolve secret references
+    await OnePassword.inject(inputPath, outputPath);
+});

package/dist/onepassword.d.ts

@@ -0,0 +1,102 @@
+import type { FullItem } from "@1password/connect";
+/**
+ * Represents a change to be made to a 1Password item
+ */
+type OnePasswordChange = {
+    type: "add";
+    key: string;
+    value: string;
+} | {
+    type: "update";
+    key: string;
+    value: string;
+} | {
+    type: "delete";
+    key: string;
+};
+/**
+ * A data structure that represents a 1Password item and provides
+ * methods to detect changes and generate appropriate `op` CLI commands.
+ */
+export declare class OnePassword {
+    private vault;
+    private item;
+    private fields;
+    private originalFields;
+    constructor(vault: string, item: string, fields?: Map<string, string>);
+    /**
+     * Create an OpItem from a 1Password FullItem JSON response
+     */
+    static fromFullItem(vault: string, itemName: string, fullItem: FullItem): OnePassword;
+    /**
+     * Fetch an OpItem from 1Password using the CLI
+     */
+    static fetch(vault: string, item: string): Promise<OnePassword>;
+    /**
+     * Sign in to 1Password CLI
+     */
+    static signin(): Promise<void>;
+    /**
+     * Get a field value
+     */
+    get(key: string): string | undefined;
+    /**
+     * Set a field value (marks as changed)
+     */
+    set(key: string, value: string): this;
+    /**
+     * Delete a field (marks as deleted)
+     */
+    delete(key: string): this;
+    /**
+     * Check if a field exists
+     */
+    has(key: string): boolean;
+    /**
+     * Get all field keys
+     */
+    keys(): string[];
+    /**
+     * Get all fields as a record
+     */
+    toRecord(): Record<string, string>;
+    /**
+     * Get all field entries
+     */
+    entries(): IterableIterator<[string, string]>;
+    /**
+     * Build an op:// reference for a field
+     */
+    getReference(key: string): string;
+    /**
+     * Detect changes between original and current state
+     */
+    detectChanges(): OnePasswordChange[];
+    /**
+     * Generate op CLI arguments for a single change
+     */
+    private buildEditArgs;
+    /**
+     * Apply all changes to 1Password using the op CLI
+     * Returns the number of changes applied
+     */
+    sync(): Promise<number>;
+    /**
+     * Inject secrets from a template file to an output file
+     * This resolves op:// references to actual values
+     */
+    static inject(inputPath: string, outputPath: string): Promise<void>;
+    /**
+     * Create a clone of this OpItem
+     */
+    clone(): OnePassword;
+    /**
+     * Reset to original state (discard changes)
+     */
+    reset(): this;
+    /**
+     * Check if there are unsaved changes
+     */
+    hasChanges(): boolean;
+}
+export {};

package/dist/onepassword.js

@@ -0,0 +1,203 @@
+/**
+ * A data structure that represents a 1Password item and provides
+ * methods to detect changes and generate appropriate `op` CLI commands.
+ */
+export class OnePassword {
+    vault;
+    item;
+    fields;
+    originalFields;
+    constructor(vault, item, fields = new Map()) {
+        this.vault = vault;
+        this.item = item;
+        this.fields = new Map(fields);
+        this.originalFields = new Map(fields);
+    }
+    /**
+     * Create an OpItem from a 1Password FullItem JSON response
+     */
+    static fromFullItem(vault, itemName, fullItem) {
+        const fields = new Map();
+        if (fullItem.fields) {
+            for (const field of fullItem.fields) {
+                if (field.label && field.value) {
+                    fields.set(field.label, field.value);
+                }
+            }
+        }
+        return new OnePassword(vault, itemName, fields);
+    }
+    /**
+     * Fetch an OpItem from 1Password using the CLI
+     */
+    static async fetch(vault, item) {
+        try {
+            const proc = Bun.spawn([
+                "op",
+                "--format=json",
+                "item",
+                "get",
+                "--vault",
+                vault,
+                item,
+            ]);
+            const output = await new Response(proc.stdout).text();
+            await proc.exited;
+            const fullItem = JSON.parse(output);
+            return OnePassword.fromFullItem(vault, item, fullItem);
+        }
+        catch (error) {
+            throw new Error(`Failed to fetch item '${item}' from vault '${vault}': ${error}`);
+        }
+    }
+    /**
+     * Sign in to 1Password CLI
+     */
+    static async signin() {
+        await Bun.spawn(["op", "signin"]).exited;
+    }
+    /**
+     * Get a field value
+     */
+    get(key) {
+        return this.fields.get(key);
+    }
+    /**
+     * Set a field value (marks as changed)
+     */
+    set(key, value) {
+        this.fields.set(key, value);
+        return this;
+    }
+    /**
+     * Delete a field (marks as deleted)
+     */
+    delete(key) {
+        this.fields.delete(key);
+        return this;
+    }
+    /**
+     * Check if a field exists
+     */
+    has(key) {
+        return this.fields.has(key);
+    }
+    /**
+     * Get all field keys
+     */
+    keys() {
+        return Array.from(this.fields.keys());
+    }
+    /**
+     * Get all fields as a record
+     */
+    toRecord() {
+        return Object.fromEntries(this.fields);
+    }
+    /**
+     * Get all field entries
+     */
+    entries() {
+        return this.fields.entries();
+    }
+    /**
+     * Build an op:// reference for a field
+     */
+    getReference(key) {
+        return `op://${this.vault}/${this.item}/${key}`;
+    }
+    /**
+     * Detect changes between original and current state
+     */
+    detectChanges() {
+        const changes = [];
+        // Check for deletions
+        for (const key of this.originalFields.keys()) {
+            if (!this.fields.has(key)) {
+                changes.push({ type: "delete", key });
+            }
+        }
+        // Check for additions and updates
+        for (const [key, value] of this.fields.entries()) {
+            const originalValue = this.originalFields.get(key);
+            if (originalValue === undefined) {
+                changes.push({ type: "add", key, value });
+            }
+            else if (originalValue !== value) {
+                changes.push({ type: "update", key, value });
+            }
+        }
+        return changes;
+    }
+    /**
+     * Generate op CLI arguments for a single change
+     */
+    buildEditArgs(change) {
+        switch (change.type) {
+            case "add":
+            case "update":
+                return [`${change.key}[password]=${change.value}`];
+            case "delete":
+                return [`${change.key}[delete]`];
+        }
+    }
+    /**
+     * Apply all changes to 1Password using the op CLI
+     * Returns the number of changes applied
+     */
+    async sync() {
+        const changes = this.detectChanges();
+        if (changes.length === 0) {
+            return 0;
+        }
+        // Build all edit arguments
+        const editArgs = changes.flatMap((change) => this.buildEditArgs(change));
+        // Execute a single op item edit command with all changes
+        await Bun.spawn([
+            "op",
+            "item",
+            "edit",
+            this.item,
+            "--vault",
+            this.vault,
+            ...editArgs,
+        ]).exited;
+        // Update originalFields to match current state
+        this.originalFields = new Map(this.fields);
+        return changes.length;
+    }
+    /**
+     * Inject secrets from a template file to an output file
+     * This resolves op:// references to actual values
+     */
+    static async inject(inputPath, outputPath) {
+        await Bun.spawn([
+            "op",
+            "inject",
+            "-i",
+            inputPath,
+            "-o",
+            outputPath,
+            "--force",
+        ]).exited;
+    }
+    /**
+     * Create a clone of this OpItem
+     */
+    clone() {
+        return new OnePassword(this.vault, this.item, new Map(this.fields));
+    }
+    /**
+     * Reset to original state (discard changes)
+     */
+    reset() {
+        this.fields = new Map(this.originalFields);
+        return this;
+    }
+    /**
+     * Check if there are unsaved changes
+     */
+    hasChanges() {
+        return this.detectChanges().length > 0;
+    }
+}

package/package.json

@@ -0,0 +1,33 @@
+{
+  "name": "@townco/secret",
+  "version": "0.1.0",
+  "type": "module",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "files": [
+    "dist",
+    "README.md"
+  ],
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/federicoweber/agent_hub.git"
+  },
+  "author": "Federico Weber",
+  "exports": {
+    ".": {
+      "import": "./dist/index.js",
+      "types": "./dist/index.d.ts"
+    }
+  },
+  "scripts": {
+    "build": "tsc",
+    "check": "tsc --noEmit"
+  },
+  "dependencies": {
+    "@1password/connect": "^1.4.2"
+  },
+  "devDependencies": {
+    "@townco/tsconfig": "^0.1.0",
+    "@types/bun": "^1.3.1"
+  }
+}