@vaharoni/devops 1.2.7 → 1.2.9

package/dist/app-support/crypto/aes.d.ts

@@ -0,0 +1,15 @@
+/**
+ * Encrypts a plaintext string using AES-256-GCM with the given key.
+ * @param plaintext
+ * @param key - The key to use for encryption. If not provided, the key will be derived from the MONOREPO_BASE_SECRET environment variable.
+ * @returns The encrypted ciphertext.
+ */
+export declare function encryptAes256Gcm(plaintext: string, key?: Buffer): string;
+/**
+ * Decrypts a ciphertext string using AES-256-GCM with the given key.
+ * @param ciphertext - The ciphertext to decrypt.
+ * @param key - The key to use for decryption. If not provided, the key will be derived from the MONOREPO_BASE_SECRET environment variable.
+ * @returns The decrypted plaintext.
+ */
+export declare function decryptAes256Gcm(ciphertext: string, key?: Buffer): string;
+//# sourceMappingURL=aes.d.ts.map

package/dist/app-support/crypto/aes.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"aes.d.ts","sourceRoot":"","sources":["../../../src/app-support/crypto/aes.ts"],"names":[],"mappings":"AAaA;;;;;GAKG;AACH,wBAAgB,gBAAgB,CAAC,SAAS,EAAE,MAAM,EAAE,GAAG,CAAC,EAAE,MAAM,GAAG,MAAM,CAqBxE;AAED;;;;;GAKG;AACH,wBAAgB,gBAAgB,CAAC,UAAU,EAAE,MAAM,EAAE,GAAG,CAAC,EAAE,MAAM,GAAG,MAAM,CAiBzE"}

package/dist/app-support/crypto/aes.js

@@ -0,0 +1,56 @@
+import crypto from "crypto";
+const ALGORITHM = "aes-256-gcm";
+const IV_LENGTH = 12; // GCM recommended IV length
+const AUTH_TAG_LENGTH = 16;
+function getKey() {
+    const keyStr = process.env.MONOREPO_BASE_SECRET;
+    if (!keyStr)
+        throw new Error("MONOREPO_BASE_SECRET not set");
+    // The secret is 32 random bytes stored as hex (64 chars) - decode it directly
+    return Buffer.from(keyStr, "hex");
+}
+/**
+ * Encrypts a plaintext string using AES-256-GCM with the given key.
+ * @param plaintext
+ * @param key - The key to use for encryption. If not provided, the key will be derived from the MONOREPO_BASE_SECRET environment variable.
+ * @returns The encrypted ciphertext.
+ */
+export function encryptAes256Gcm(plaintext, key) {
+    key ??= getKey();
+    const iv = crypto.randomBytes(IV_LENGTH);
+    const cipher = crypto.createCipheriv(ALGORITHM, key, iv, {
+        authTagLength: AUTH_TAG_LENGTH,
+    });
+    const encrypted = Buffer.concat([
+        cipher.update(plaintext, "utf8"),
+        cipher.final(),
+    ]);
+    const authTag = cipher.getAuthTag();
+    // Format: iv:authTag:ciphertext (all base64)
+    return [
+        iv.toString("base64"),
+        authTag.toString("base64"),
+        encrypted.toString("base64"),
+    ].join(":");
+}
+/**
+ * Decrypts a ciphertext string using AES-256-GCM with the given key.
+ * @param ciphertext - The ciphertext to decrypt.
+ * @param key - The key to use for decryption. If not provided, the key will be derived from the MONOREPO_BASE_SECRET environment variable.
+ * @returns The decrypted plaintext.
+ */
+export function decryptAes256Gcm(ciphertext, key) {
+    key ??= getKey();
+    const [ivB64, authTagB64, encryptedB64] = ciphertext.split(":");
+    const iv = Buffer.from(ivB64, "base64");
+    const authTag = Buffer.from(authTagB64, "base64");
+    const encrypted = Buffer.from(encryptedB64, "base64");
+    const decipher = crypto.createDecipheriv(ALGORITHM, key, iv, {
+        authTagLength: AUTH_TAG_LENGTH,
+    });
+    decipher.setAuthTag(authTag);
+    return Buffer.concat([
+        decipher.update(encrypted),
+        decipher.final(),
+    ]).toString("utf8");
+}

package/dist/app-support/crypto/aes.spec.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=aes.spec.d.ts.map

package/dist/app-support/crypto/aes.spec.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"aes.spec.d.ts","sourceRoot":"","sources":["../../../src/app-support/crypto/aes.spec.ts"],"names":[],"mappings":""}

package/dist/app-support/crypto/aes.spec.js

@@ -0,0 +1,58 @@
+import { beforeEach, describe, expect, it } from 'vitest';
+import { encryptAes256Gcm, decryptAes256Gcm } from './aes';
+describe('AES-256-GCM encrypt and decrypt', () => {
+    beforeEach(() => {
+        // AES-256 requires a 32-byte key (64 hex characters)
+        process.env.MONOREPO_BASE_SECRET = '1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef';
+    });
+    it('should encrypt and decrypt a simple string', () => {
+        const plaintext = 'hello world';
+        const encrypted = encryptAes256Gcm(plaintext);
+        const decrypted = decryptAes256Gcm(encrypted);
+        expect(decrypted).toEqual(plaintext);
+    });
+    it('should encrypt and decrypt an empty string', () => {
+        const plaintext = '';
+        const encrypted = encryptAes256Gcm(plaintext);
+        const decrypted = decryptAes256Gcm(encrypted);
+        expect(decrypted).toEqual(plaintext);
+    });
+    it('should encrypt and decrypt unicode text', () => {
+        const plaintext = '你好世界 🌍 héllo';
+        const encrypted = encryptAes256Gcm(plaintext);
+        const decrypted = decryptAes256Gcm(encrypted);
+        expect(decrypted).toEqual(plaintext);
+    });
+    it('should produce different ciphertexts for the same plaintext (random IV)', () => {
+        const plaintext = 'same input';
+        const encrypted1 = encryptAes256Gcm(plaintext);
+        const encrypted2 = encryptAes256Gcm(plaintext);
+        expect(encrypted1).not.toEqual(encrypted2);
+        // But both should decrypt to the same value
+        expect(decryptAes256Gcm(encrypted1)).toEqual(plaintext);
+        expect(decryptAes256Gcm(encrypted2)).toEqual(plaintext);
+    });
+    it('should produce ciphertext in expected format (iv:authTag:ciphertext)', () => {
+        const encrypted = encryptAes256Gcm('test');
+        const parts = encrypted.split(':');
+        expect(parts).toHaveLength(3);
+        // All parts should be valid base64
+        parts.forEach((part) => {
+            expect(() => Buffer.from(part, 'base64')).not.toThrow();
+        });
+    });
+    it('should throw on tampered ciphertext', () => {
+        const encrypted = encryptAes256Gcm('sensitive data');
+        const [iv, authTag, ciphertext] = encrypted.split(':');
+        const tamperedCiphertext = `${iv}:${authTag}:${ciphertext.slice(0, -1)}x`;
+        expect(() => decryptAes256Gcm(tamperedCiphertext)).toThrow();
+    });
+    it('should throw on tampered auth tag', () => {
+        const encrypted = encryptAes256Gcm('sensitive data');
+        const [iv, _authTag, ciphertext] = encrypted.split(':');
+        // Use a completely different auth tag (all zeros)
+        const fakeAuthTag = Buffer.alloc(16, 0).toString('base64');
+        const tamperedTag = `${iv}:${fakeAuthTag}:${ciphertext}`;
+        expect(() => decryptAes256Gcm(tamperedTag)).toThrow();
+    });
+});

package/dist/app-support/crypto/index.d.ts

@@ -1,3 +1,4 @@
+export { encryptAes256Gcm as encrypt, decryptAes256Gcm as decrypt } from "./aes";
 /**
  * A simple token generation/verification class that relies on the subject field of an internal JWT-like token. It can:
  * - generate a short-lived (60s) token with the given subject

package/dist/app-support/crypto/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/app-support/crypto/index.ts"],"names":[],"mappings":"AAEA;;;;;;GAMG;AACH,qBAAa,aAAa;IACL,OAAO,EAAE,MAAM;gBAAf,OAAO,EAAE,MAAM;IAElC,QAAQ;IAIR,aAAa,CAAC,KAAK,EAAE,MAAM;IAO3B,uBAAuB,CAAC,mBAAmB,CAAC,EAAE,MAAM,GAAG,IAAI;CAO5D"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/app-support/crypto/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,gBAAgB,IAAI,OAAO,EAAE,gBAAgB,IAAI,OAAO,EAAE,MAAM,OAAO,CAAC;AAEjF;;;;;;GAMG;AACH,qBAAa,aAAa;IACL,OAAO,EAAE,MAAM;gBAAf,OAAO,EAAE,MAAM;IAElC,QAAQ;IAIR,aAAa,CAAC,KAAK,EAAE,MAAM;IAO3B,uBAAuB,CAAC,mBAAmB,CAAC,EAAE,MAAM,GAAG,IAAI;CAO5D"}

package/dist/app-support/crypto/index.js

@@ -1,4 +1,5 @@
 import { generateInternalAuthToken, parseInternalAuthTokenOrThrow } from "./internal-token";
+export { encryptAes256Gcm as encrypt, decryptAes256Gcm as decrypt } from "./aes";
 /**
  * A simple token generation/verification class that relies on the subject field of an internal JWT-like token. It can:
  * - generate a short-lived (60s) token with the given subject

package/dist/cli/common.js

@@ -1,8 +1,8 @@
 import chalk from "chalk";
 import { execSync, spawn } from "child_process";
 import fs from "fs";
-import { globSync } from "glob";
 import { allSupportedEnvs } from "../libs/k8s-constants";
+import { globEnvYamlFiles } from "../libs/discovery";
 export class CLICommandParser {
     command;
     args;
@@ -207,7 +207,7 @@ export class CommandExecutor {
     _checkEnvYamlFiles() {
         if (!this.checkEnvYaml)
             return;
-        const envYamlFiles = globSync("**/env.yaml");
+        const envYamlFiles = globEnvYamlFiles();
         const checkEnvCmd = new CommandExecutor(`devops env _validate ${envYamlFiles.join(" ")}`, { env: this.env, quiet: true, checkEnvYaml: false });
         checkEnvCmd.exec();
     }

package/dist/cli/core/env.js

@@ -1,6 +1,6 @@
-import { globSync } from "glob";
 import { deleteMonorepoSecret, getMonorepoSecretStr, setMonorepoSecret, } from "../../libs/k8s-secrets-manager";
 import { CombinedEnvValidator } from "../../libs/validate-env";
+import { globEnvYamlFiles } from "../../libs/discovery";
 import { CLICommandParser, dotEnvFilesForEnv, printUsageAndExit, } from "../common";
 const oneLiner = "Commands to manipulate env variables";
 const keyExamples = `
@@ -28,7 +28,7 @@ function run(cmdObj) {
     const [command, ...rest] = cmdObj.args;
     switch (command) {
         case "validate": {
-            const envYamlFiles = globSync("**/env.yaml");
+            const envYamlFiles = globEnvYamlFiles();
             // We have to have a _validate so that we go through a CommandExecutor which injects env variables into the process
             cmdObj
                 .executorFromEnv(`devops env _validate ${envYamlFiles.join(" ")}`, { quiet: false })

package/dist/libs/discovery/index.d.ts

@@ -2,4 +2,5 @@ import type { SupportedLanguages, WorkspaceIndex } from "../../types";
 export declare function workspaces(): WorkspaceIndex;
 export declare function workspaceDirectoryForLanguage(language: SupportedLanguages): Record<string, import("../..").PackageData>;
 export declare function getWorkspace(workspaceName: string): import("../..").WorkspaceIndexEntry;
+export declare function globEnvYamlFiles(): string[];
 //# sourceMappingURL=index.d.ts.map

package/dist/libs/discovery/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/libs/discovery/index.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,kBAAkB,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAKtE,wBAAgB,UAAU,mBA8BzB;AAED,wBAAgB,6BAA6B,CAAC,QAAQ,EAAE,kBAAkB,+CASzE;AAED,wBAAgB,YAAY,CAAC,aAAa,EAAE,MAAM,uCAQjD"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/libs/discovery/index.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,kBAAkB,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAOtE,wBAAgB,UAAU,mBA8BzB;AAED,wBAAgB,6BAA6B,CAAC,QAAQ,EAAE,kBAAkB,+CASzE;AAED,wBAAgB,YAAY,CAAC,aAAa,EAAE,MAAM,uCAQjD;AAED,wBAAgB,gBAAgB,IAAI,MAAM,EAAE,CAQ3C"}

package/dist/libs/discovery/index.js

@@ -1,6 +1,9 @@
 import chalk from "chalk";
+import { globSync } from "glob";
+import path from "path";
 import { nodeWorkspaces } from "./process-package-json";
 import { pythonWorkspaces } from "./process-pyproject-toml";
+const rootPath = process.env.MONOREPO_ROOT || process.cwd();
 const _workspaces = {};
 let _workspacesLoaded = false;
 export function workspaces() {
@@ -53,3 +56,10 @@ export function getWorkspace(workspaceName) {
     }
     return workspace;
 }
+export function globEnvYamlFiles() {
+    const allWorkspaces = workspaces();
+    const workspacePaths = [
+        ...new Set(Object.values(allWorkspaces).map((w) => w.rootPath)),
+    ];
+    return workspacePaths.flatMap((wsPath) => globSync(path.join(rootPath, wsPath, "**/env.yaml")));
+}

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@vaharoni/devops",
   "type": "module",
-  "version": "1.2.7",
+  "version": "1.2.9",
   "description": "Devops utility",
   "main": "./dist/index.js",
   "types": "./dist/index.d.ts",

package/src/app-support/crypto/aes.spec.ts

@@ -0,0 +1,66 @@
+import { beforeEach, describe, expect, it } from 'vitest';
+import { encryptAes256Gcm, decryptAes256Gcm } from './aes';
+
+describe('AES-256-GCM encrypt and decrypt', () => {
+  beforeEach(() => {
+    // AES-256 requires a 32-byte key (64 hex characters)
+    process.env.MONOREPO_BASE_SECRET = '1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef';
+  });
+
+  it('should encrypt and decrypt a simple string', () => {
+    const plaintext = 'hello world';
+    const encrypted = encryptAes256Gcm(plaintext);
+    const decrypted = decryptAes256Gcm(encrypted);
+    expect(decrypted).toEqual(plaintext);
+  });
+
+  it('should encrypt and decrypt an empty string', () => {
+    const plaintext = '';
+    const encrypted = encryptAes256Gcm(plaintext);
+    const decrypted = decryptAes256Gcm(encrypted);
+    expect(decrypted).toEqual(plaintext);
+  });
+
+  it('should encrypt and decrypt unicode text', () => {
+    const plaintext = '你好世界 🌍 héllo';
+    const encrypted = encryptAes256Gcm(plaintext);
+    const decrypted = decryptAes256Gcm(encrypted);
+    expect(decrypted).toEqual(plaintext);
+  });
+
+  it('should produce different ciphertexts for the same plaintext (random IV)', () => {
+    const plaintext = 'same input';
+    const encrypted1 = encryptAes256Gcm(plaintext);
+    const encrypted2 = encryptAes256Gcm(plaintext);
+    expect(encrypted1).not.toEqual(encrypted2);
+    // But both should decrypt to the same value
+    expect(decryptAes256Gcm(encrypted1)).toEqual(plaintext);
+    expect(decryptAes256Gcm(encrypted2)).toEqual(plaintext);
+  });
+
+  it('should produce ciphertext in expected format (iv:authTag:ciphertext)', () => {
+    const encrypted = encryptAes256Gcm('test');
+    const parts = encrypted.split(':');
+    expect(parts).toHaveLength(3);
+    // All parts should be valid base64
+    parts.forEach((part) => {
+      expect(() => Buffer.from(part, 'base64')).not.toThrow();
+    });
+  });
+
+  it('should throw on tampered ciphertext', () => {
+    const encrypted = encryptAes256Gcm('sensitive data');
+    const [iv, authTag, ciphertext] = encrypted.split(':');
+    const tamperedCiphertext = `${iv}:${authTag}:${ciphertext.slice(0, -1)}x`;
+    expect(() => decryptAes256Gcm(tamperedCiphertext)).toThrow();
+  });
+
+  it('should throw on tampered auth tag', () => {
+    const encrypted = encryptAes256Gcm('sensitive data');
+    const [iv, _authTag, ciphertext] = encrypted.split(':');
+    // Use a completely different auth tag (all zeros)
+    const fakeAuthTag = Buffer.alloc(16, 0).toString('base64');
+    const tamperedTag = `${iv}:${fakeAuthTag}:${ciphertext}`;
+    expect(() => decryptAes256Gcm(tamperedTag)).toThrow();
+  });
+});

package/src/app-support/crypto/aes.ts

@@ -0,0 +1,66 @@
+import crypto from "crypto";
+
+const ALGORITHM = "aes-256-gcm";
+const IV_LENGTH = 12; // GCM recommended IV length
+const AUTH_TAG_LENGTH = 16;
+
+function getKey(): Buffer {
+  const keyStr = process.env.MONOREPO_BASE_SECRET;
+  if (!keyStr) throw new Error("MONOREPO_BASE_SECRET not set");
+  // The secret is 32 random bytes stored as hex (64 chars) - decode it directly
+  return Buffer.from(keyStr, "hex");
+}
+
+/**
+ * Encrypts a plaintext string using AES-256-GCM with the given key.
+ * @param plaintext 
+ * @param key - The key to use for encryption. If not provided, the key will be derived from the MONOREPO_BASE_SECRET environment variable.
+ * @returns The encrypted ciphertext.
+ */
+export function encryptAes256Gcm(plaintext: string, key?: Buffer): string {
+  key ??= getKey();
+  const iv = crypto.randomBytes(IV_LENGTH);
+
+  const cipher = crypto.createCipheriv(ALGORITHM, key, iv, {
+    authTagLength: AUTH_TAG_LENGTH,
+  });
+
+  const encrypted = Buffer.concat([
+    cipher.update(plaintext, "utf8"),
+    cipher.final(),
+  ]);
+
+  const authTag = cipher.getAuthTag();
+
+  // Format: iv:authTag:ciphertext (all base64)
+  return [
+    iv.toString("base64"),
+    authTag.toString("base64"),
+    encrypted.toString("base64"),
+  ].join(":");
+}
+
+/**
+ * Decrypts a ciphertext string using AES-256-GCM with the given key.
+ * @param ciphertext - The ciphertext to decrypt.
+ * @param key - The key to use for decryption. If not provided, the key will be derived from the MONOREPO_BASE_SECRET environment variable.
+ * @returns The decrypted plaintext.
+ */
+export function decryptAes256Gcm(ciphertext: string, key?: Buffer): string {
+  key ??= getKey();
+  const [ivB64, authTagB64, encryptedB64] = ciphertext.split(":");
+
+  const iv = Buffer.from(ivB64, "base64");
+  const authTag = Buffer.from(authTagB64, "base64");
+  const encrypted = Buffer.from(encryptedB64, "base64");
+
+  const decipher = crypto.createDecipheriv(ALGORITHM, key, iv, {
+    authTagLength: AUTH_TAG_LENGTH,
+  });
+  decipher.setAuthTag(authTag);
+
+  return Buffer.concat([
+    decipher.update(encrypted),
+    decipher.final(),
+  ]).toString("utf8");
+}

package/src/app-support/crypto/index.ts

@@ -1,4 +1,5 @@
 import { generateInternalAuthToken, parseInternalAuthTokenOrThrow } from "./internal-token";
+export { encryptAes256Gcm as encrypt, decryptAes256Gcm as decrypt } from "./aes";
 
 /** 
  * A simple token generation/verification class that relies on the subject field of an internal JWT-like token. It can:

package/src/cli/common.ts

@@ -1,8 +1,8 @@
 import chalk from "chalk";
 import { execSync, spawn, type StdioOptions } from "child_process";
 import fs from "fs";
-import { globSync } from "glob";
 import { allSupportedEnvs } from "../libs/k8s-constants";
+import { globEnvYamlFiles } from "../libs/discovery";
 
 type ParsedArgs<TBoolKeys extends readonly string[], TParamKeys extends readonly string[]> = {
   args: string[];
@@ -294,7 +294,7 @@ export class CommandExecutor {
 
   _checkEnvYamlFiles() {
     if (!this.checkEnvYaml) return;
-    const envYamlFiles = globSync("**/env.yaml");
+    const envYamlFiles = globEnvYamlFiles();
     const checkEnvCmd = new CommandExecutor(
       `devops env _validate ${envYamlFiles.join(" ")}`,
       { env: this.env, quiet: true, checkEnvYaml: false }

package/src/cli/core/env.ts

@@ -1,10 +1,10 @@
-import { globSync } from "glob";
 import {
   deleteMonorepoSecret,
   getMonorepoSecretStr,
   setMonorepoSecret,
 } from "../../libs/k8s-secrets-manager";
 import { CombinedEnvValidator } from "../../libs/validate-env";
+import { globEnvYamlFiles } from "../../libs/discovery";
 import {
   CLICommandParser,
   dotEnvFilesForEnv,
@@ -38,7 +38,7 @@ function run(cmdObj: CLICommandParser) {
   const [command, ...rest] = cmdObj.args;
   switch (command) {
     case "validate": {
-      const envYamlFiles = globSync("**/env.yaml");
+      const envYamlFiles = globEnvYamlFiles();
 
       // We have to have a _validate so that we go through a CommandExecutor which injects env variables into the process
       cmdObj

package/src/libs/discovery/index.ts

@@ -1,8 +1,12 @@
 import chalk from "chalk";
+import { globSync } from "glob";
+import path from "path";
 import { nodeWorkspaces } from "./process-package-json";
 import { pythonWorkspaces } from "./process-pyproject-toml";
 import type { SupportedLanguages, WorkspaceIndex } from "../../types";
 
+const rootPath = process.env.MONOREPO_ROOT || process.cwd();
+
 const _workspaces: WorkspaceIndex = {};
 let _workspacesLoaded = false;
 
@@ -58,3 +62,13 @@ export function getWorkspace(workspaceName: string) {
   }
   return workspace;
 }
+
+export function globEnvYamlFiles(): string[] {
+  const allWorkspaces = workspaces();
+  const workspacePaths = [
+    ...new Set(Object.values(allWorkspaces).map((w) => w.rootPath)),
+  ];
+  return workspacePaths.flatMap((wsPath) =>
+    globSync(path.join(rootPath, wsPath, "**/env.yaml"))
+  );
+}

package/dist/test.d.ts

@@ -1,2 +0,0 @@
-export {};
-//# sourceMappingURL=test.d.ts.map

package/dist/test.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"test.d.ts","sourceRoot":"","sources":["../src/test.ts"],"names":[],"mappings":""}

package/dist/test.js

@@ -1 +0,0 @@
-export {};