@vibesdotdev/secrets 0.0.1 → 0.0.2

package/README.md

@@ -1,59 +1,22 @@
 # @vibesdotdev/secrets
 
-Runtime-resolved secrets management. Universal core: defines the
-`secrets/store` kind. Backends live in sibling packages.
+Secret store contracts, encrypted local secret support, and runtime descriptors for Vibes packages.
 
-## Quickstart
+This package is part of the public Vibes framework package set. The source repository is private while the public repository split is being prepared, so package documentation is published on the Vibes docs site.
 
-### Read a secret
+## Install
 
-```ts
-import { getVibesRuntime } from '@vibesdotdev/runtime';
-
-const store = await getVibesRuntime().query('secrets/store').resolve();
-const apiKey = await store.get('production', 'STRIPE_API_KEY');
-
-if (!apiKey) {
-  throw new Error('STRIPE_API_KEY not set for production tier');
-}
-```
-
-If no backend is registered for the current scope, `resolve()` throws — apps
-should surface this at bootstrap.
-
-### Declare requirements (consumed by `vibes secrets check`)
-
-Apps declare what secrets they need via `infra/web-app` or `infra/worker`
-descriptors (owned by [`infra-core`](../infra-core/SPEC.md)). The requirements
-resolver extracts them; the CLI compares against the active store.
-
-## CLI
-
-```bash
-vibes secrets check
-vibes secrets list --environment <name>
-vibes secrets list --environment <name> --show-values
-vibes secrets set <key> [value] --environment <name>
-vibes secrets unset <key> --environment <name>
-vibes secrets pull --environment <name>
-vibes secrets push --environment <name>
+```sh
+bun add @vibesdotdev/secrets
+# or
+npm install @vibesdotdev/secrets
 ```
 
-## Backends
-
-Core ships zero backends. Apps load the backend packages their scope supports:
+## Documentation
 
-- [`@vibesdotdev/secrets-backend-env-file`](../secrets-backend-env-file/) — local `.env` files
-- [`@vibesdotdev/secrets-backend-encrypted-local`](../secrets-backend-encrypted-local/) — encrypted local files
-- External vendor integrations (AWS Secrets Manager, Vault, GCP) → [`platform`](../platform/SPEC.md)
-
-## Test
-
-```bash
-bun test
-```
+- Package guide: https://docs.vibes.dev/packages/secrets
+- Vibes docs: https://docs.vibes.dev
 
-## Docs
+## License
 
-- [SPEC.md](./SPEC.md) — package contract, hard rules, migration debt
-- [runtime](../runtime/SPEC.md), [infra-core](../infra-core/SPEC.md)
+MIT

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vibesdotdev/secrets",
-  "version": "0.0.1",
+  "version": "0.0.2",
   "type": "module",
   "main": "./dist/index.js",
   "types": "./dist/index.d.ts",
@@ -52,20 +52,15 @@
     "registry": "https://registry.npmjs.org",
     "access": "public"
   },
-  "repository": {
-    "type": "git",
-    "url": "git+https://github.com/vibesdotdev/monorepo.git",
-    "directory": "packages/secrets"
-  },
   "dependencies": {
-    "@vibesdotdev/runtime": "0.0.1",
-    "@vibesdotdev/config": "0.0.1",
-    "@vibesdotdev/infra-core": "0.0.1",
-    "@vibesdotdev/cli": "0.0.1"
+    "@vibesdotdev/runtime": "0.0.2",
+    "@vibesdotdev/config": "0.0.2",
+    "@vibesdotdev/infra-core": "0.0.2",
+    "@vibesdotdev/cli": "0.0.2"
   },
   "peerDependencies": {
     "zod": "^4.3.6",
-    "@vibesdotdev/infra-deploy": "0.0.1"
+    "@vibesdotdev/infra-deploy": "0.0.2"
   },
   "peerDependenciesMeta": {
     "@vibesdotdev/infra-deploy": {
@@ -83,7 +78,6 @@
     "src",
     "bin",
     "README.md",
-    "SPEC.md",
     "LICENSE",
     "!src/**/__tests__/**",
     "!src/**/__stubs__/**",
@@ -104,5 +98,10 @@
   ],
   "vibes": {
     "visibility": "public-framework"
+  },
+  "description": "Secret store contracts, encrypted local secret support, and runtime descriptors for Vibes packages.",
+  "homepage": "https://docs.vibes.dev/packages/secrets",
+  "bugs": {
+    "url": "https://docs.vibes.dev/packages/secrets#support"
   }
 }

package/SPEC.md

@@ -1,47 +0,0 @@
-# @vibesdotdev/secrets
-
-Runtime-resolved secrets management. Universal core: defines the `secrets/store` kind, environment-tier resolution, and the requirements resolver. Backends live in sibling packages and register themselves.
-
-## Owns
-
-- **Runtime kind:** `secrets/store`
-- **Kind definition + resolver** (`./kinds/store.kind`): backend resolution by environment tier (`scope.qualifiers.environmentTier`) + descriptor priority
-- **Schemas** (`./kinds/schemas`, `./kinds/store.schema`): Zod descriptors for stores and stored values; `EnvironmentTierSchema`, `SecretsBackendSchema`
-- **Store interface** (`./kinds/store.interface`): TS contract every backend implements (`list`, `get`, `set`, `unset`, `getAll`, `setAll`)
-- **Requirements resolver** (`./requirements/resolver`): reads `infra/web-app` and `infra/worker` descriptors to extract required secrets; helpers for grouping/deduping for `vibes secrets check`
-- **CLI descriptors** (`./cli`): `vibes secrets` group + `check`, `list`, `set`, `unset`, `pull`, `push`, `import`, `export`, `reveal`, `pre-commit-check`. Commands query the runtime; they do not import backends.
-- **Plugin:** `./plugin` (= `./secrets.plugin`) — registers the kind + CLI descriptors only
-
-## Does not own
-
-- **Backend implementations** → each backend is its own package: [`secrets-backend-env-file`](../secrets-backend-env-file/), [`secrets-backend-encrypted-local`](../secrets-backend-encrypted-local/), and future cloud/keychain backends
-- **External vendor integrations** (AWS Secrets Manager, HashiCorp Vault, GCP Secret Manager, etc.) → [`platform`](../platform/SPEC.md) integrations
-- **Encryption primitive** → [`security`](../security/SPEC.md) / [`config/services`](../config/SPEC.md). Encrypted backends consume it.
-- **Application data persistence** (user/org/business secrets stored as data) → owning module's `storage/manifest`
-- **Auth credentials, sessions, cookies** → [`auth`](../auth/SPEC.md)
-- **Infra descriptor ownership** → [`infra-core`](../infra-core/SPEC.md)
-- **A separate secrets UI surface.** Apps that need a UI consume secrets through the runtime; no standalone secrets app.
-
-## Hard rules
-
-- **The core package is universal.** No FS, crypto, or HTTP imports in core. Anything that breaks browser or Cloudflare bundles belongs in a backend package.
-- **All secret access goes through `runtime.query('secrets/store').resolve()`.** No direct backend imports in features. No reading `.env` files in feature code.
-- **Backend selection is runtime-resolved by scope** (`hardware`, `qualifiers.environmentTier`). Features do not branch on `isCloud`/`connectionMode`.
-- **Environment tiers are canonical** (dev/staging/prod). Backends declare which tiers they serve; the resolver picks the active backend by current tier + priority.
-- **Missing-backend means hard failure.** No silent no-op fallback. `resolve()` throws "no `secrets/store` registered for current scope" if no backend has registered. Apps surface this at bootstrap, not at first secret access.
-- **Backend package contract:** each `secrets-backend-{name}` package exports a plugin that registers a `secrets/store` descriptor + impl. Apps load only the backends their scope can support. Core never imports backend packages.
-- **Requirements resolver is read-only.** It surfaces what's required from infra descriptors. It does not write or modify infra.
-
-## Public entrypoints
-
-`.`, `./kinds`, `./kinds/*`, `./requirements`, `./plugin` (= `./secrets.plugin`).
-
-## Verification
-
-`bun test` from package root. Covers kind registration, environment-tier resolution, requirements resolver against fixture infra descriptors, CLI descriptor wiring. Backend-specific tests live in each backend package.
-
-## Links
-
-- [runtime/SPEC.md](../runtime/SPEC.md)
-- [config/SPEC.md](../config/SPEC.md), [security/SPEC.md](../security/SPEC.md)
-- [infra-core/SPEC.md](../infra-core/SPEC.md), [platform/SPEC.md](../platform/SPEC.md)