@vibesdotdev/secrets 0.0.1

package/src/kinds/schemas/store.schema.ts

@@ -0,0 +1,47 @@
+/**
+ * Secrets Store Descriptor Schema
+ *
+ * Defines the structure for secrets/store kind descriptors.
+ * Each descriptor represents a secrets storage backend
+ * (env-file, encrypted-local, cloudflare-api, vault).
+ */
+
+import * as z from 'zod/v4';
+
+export const EnvironmentTierSchema = z.enum(['local', 'dev', 'staging', 'production']);
+
+export type EnvironmentTier = z.infer<typeof EnvironmentTierSchema>;
+
+export const SecretsBackendSchema = z.enum([
+	'env-file',
+	'encrypted-local',
+	'cloudflare-api',
+	'cloudflare-secrets-store',
+	'vault'
+]);
+
+export type SecretsBackend = z.infer<typeof SecretsBackendSchema>;
+
+export const SecretsStoreDescriptorSchema = z.object({
+	id: z.string().min(1),
+	kind: z.literal('secrets/store'),
+	name: z.string().optional(),
+	description: z.string().optional(),
+	tags: z.array(z.string()).optional(),
+	enabled: z.boolean().optional(),
+	hardware: z.array(z.string()).optional(),
+
+	/** Backend type for this store */
+	backend: SecretsBackendSchema,
+
+	/** Environment tiers this store operates on */
+	tiers: z.array(EnvironmentTierSchema).min(1),
+
+	/** Resolution priority (higher wins for write ops) */
+	priority: z.number().int().default(0),
+
+	/** Backend-specific configuration key-value pairs */
+	config: z.record(z.string(), z.string()).optional()
+});
+
+export type SecretsStoreDescriptor = z.infer<typeof SecretsStoreDescriptorSchema>;

package/src/kinds/schemas/store.types.ts

@@ -0,0 +1,35 @@
+import type { SecretsStoreDescriptor } from './store.schema';
+
+/** A single entry in a secrets listing */
+export interface SecretEntry {
+	/** Secret key name (e.g., VIBES_AUTH_SECRET) */
+	key: string;
+	/** Whether a value is stored for this key */
+	hasValue: boolean;
+	/** Backend source identifier */
+	source: string;
+}
+
+/** Interface all secrets store backends must implement */
+export interface SecretsStoreImplementation {
+	readonly id: string;
+	readonly descriptor: SecretsStoreDescriptor;
+
+	/** List all secret keys stored for an environment */
+	list(environment: string): Promise<SecretEntry[]>;
+
+	/** Get a single secret value (undefined if not found) */
+	get(environment: string, key: string): Promise<string | undefined>;
+
+	/** Set a secret value for an environment */
+	set(environment: string, key: string, value: string): Promise<void>;
+
+	/** Remove a secret from an environment */
+	unset(environment: string, key: string): Promise<void>;
+
+	/** Get all secret key-value pairs for an environment */
+	getAll(environment: string): Promise<Record<string, string>>;
+
+	/** Set multiple secrets at once (merges with existing) */
+	setAll(environment: string, secrets: Record<string, string>): Promise<void>;
+}

package/src/kinds/store.interface.ts

@@ -0,0 +1 @@
+export type { SecretEntry, SecretsStoreImplementation } from './schemas/store.types';

package/src/kinds/store.kind.ts

@@ -0,0 +1,52 @@
+/**
+ * Secrets Store Kind Definition
+ *
+ * Registers the secrets/store kind with the runtime.
+ * Resolution selects backends by environment tier and priority.
+ */
+
+import { createRuntimeKind } from '@vibesdotdev/runtime/factory/kind';
+import type { KindContext, RuntimeKindDescriptorRecord, RuntimeDescriptor } from '@vibesdotdev/runtime/schemas/kind';
+import type { RuntimeScope } from '@vibesdotdev/runtime/schemas/scope';
+import {
+	SecretsStoreDescriptorSchema,
+	type SecretsStoreDescriptor,
+	type EnvironmentTier
+} from './store.schema';
+import type { SecretsStoreImplementation } from './store.interface';
+/**
+ * Resolve the best secrets store for the current scope.
+ *
+ * Filters candidates by environment tier (from scope qualifiers),
+ * then picks the highest-priority match.
+ *
+ * No defaultImplementation — missing backends cause hard failure at resolve()
+ * time per the SPEC hard rule: "Missing-backend means hard failure."
+ */
+function resolveSecretsStore(
+	candidates: RuntimeDescriptor[],
+	scope: RuntimeScope,
+	_context: KindContext
+): SecretsStoreDescriptor | undefined {
+	const typed = candidates as SecretsStoreDescriptor[];
+	if (typed.length === 0) return undefined;
+	if (typed.length === 1) return typed[0];
+
+	const envTier = (scope.qualifiers?.environmentTier ?? 'local') as EnvironmentTier;
+	const tierMatches = typed.filter((d) => d.tiers.includes(envTier));
+	const pool = tierMatches.length > 0 ? tierMatches : typed;
+
+	pool.sort((a, b) => (b.priority ?? 0) - (a.priority ?? 0));
+	return pool[0];
+}
+
+export const secretsStoreKind = createRuntimeKind<
+	SecretsStoreDescriptor,
+	SecretsStoreImplementation,
+	KindContext
+>({
+	id: 'secrets/store',
+	descriptorSchema: SecretsStoreDescriptorSchema,
+	resolve: resolveSecretsStore,
+	contexts: []
+});

package/src/kinds/store.schema.ts

@@ -0,0 +1,8 @@
+export {
+	SecretsStoreDescriptorSchema,
+	EnvironmentTierSchema,
+	SecretsBackendSchema,
+	type SecretsStoreDescriptor,
+	type EnvironmentTier,
+	type SecretsBackend
+} from './schemas/store.schema';

package/src/manifest/canonical.ts

@@ -0,0 +1,324 @@
+/**
+ * Vibes Secrets Import Manifest (canonical, value-free)
+ *
+ * Read by `vibes secrets import` to discover which keys to pull from which
+ * local root env files when bootstrapping the encrypted Vibes store. The
+ * manifest is reconciled against ground truth: every entry corresponds to a
+ * real `secret: true` env var declared by an app's deployment config (or, in
+ * auth-web's case, by its sub-manifest files).
+ *
+ * Sources:
+ *   - `local-env` (`.env.local`) is the canonical machine-local store of
+ *     every actual production-quality secret value: auth secrets, OAuth
+ *     client secrets (GitHub / Google / Discord / Microsoft), Resend, the
+ *     internal auth token, Stripe billing keys, etc.
+ *   - `production-env` (`.env.production`) holds production-flavored
+ *     non-secret config plus the operator's CF coordinates. Value-free here.
+ *   - `manual` is a pseudo-source for keys that must be set through another
+ *     channel (`vibes secrets set`, generated tokens, or pasted from a vault).
+ *     The import command skips `manual` entries with a notice.
+ *
+ * Operator credentials (`CLOUDFLARE_API_TOKEN`, `CLOUDFLARE_ACCOUNT_ID`,
+ * `CLOUDFLARE_SECRETS_STORE_ID`) are intentionally NOT in this manifest.
+ * They authenticate the operator's machine to push secrets into the store;
+ * they are never themselves pushed into the store.
+ */
+
+import {
+	SecretsImportManifestSchema,
+	type SecretsImportManifest
+} from './import-manifest.schema';
+
+const manifest: SecretsImportManifest = SecretsImportManifestSchema.parse({
+	version: 1,
+	sources: {
+		'local-env': {
+			path: '.env.local',
+			purpose:
+				'Canonical machine-local secret values: auth, OAuth, billing, internal tokens'
+		},
+		'production-env': {
+			path: '.env.production',
+			purpose: 'Production-flavored non-secret config + CF operator coordinates'
+		},
+		'manual': {
+			purpose:
+				"Set via `vibes secrets set <KEY>` or generated by ops; not sourced from a local file"
+		}
+	},
+	secrets: [
+		// --- Auth gateway (auth-web) — sourced from .env.local ----------------------
+		{
+			key: 'VIBES_AUTH_SECRET',
+			category: 'vibes-auth',
+			source: 'local-env',
+			required: true,
+			description: 'Better Auth signing secret (auth-web)'
+		},
+		// `VIBES_AUTH_DATABASE_URL` / `VIBES_AUTH_DATABASE_AUTH_TOKEN` are
+		// dev-only: production auth-web binds its own D1 database (`vibes-auth-db`)
+		// via the `DB` binding in `wrangler.jsonc`. The libsql/file fallback in
+		// `auth-web/src/server/persistence.ts` is for local dev only. We keep
+		// them in the manifest so `vibes secrets import` still picks them up
+		// for a working local store, but they're optional and never pushed to
+		// the production Secrets Store.
+		{
+			key: 'VIBES_AUTH_DATABASE_URL',
+			category: 'vibes-auth',
+			source: 'local-env',
+			required: false,
+			description: 'LibSQL/Turso connection URL for auth persistence (DEV ONLY — production uses D1)'
+		},
+		{
+			key: 'VIBES_AUTH_DATABASE_AUTH_TOKEN',
+			category: 'vibes-auth',
+			source: 'local-env',
+			aliases: ['DATABASE_AUTH_TOKEN'],
+			required: false,
+			description: 'LibSQL/Turso auth token for auth persistence (DEV ONLY — production uses D1)'
+		},
+		{
+			key: 'VIBES_AUTH_RESEND_API_KEY',
+			category: 'vibes-auth',
+			source: 'local-env',
+			aliases: ['RESEND_API_KEY'],
+			required: false,
+			description: 'Resend API key for auth email delivery'
+		},
+		{
+			key: 'VIBES_AUTH_TWILIO_ACCOUNT_SID',
+			category: 'vibes-auth',
+			source: 'local-env',
+			required: false,
+			description: 'Twilio account SID for phone OTP delivery'
+		},
+		{
+			key: 'VIBES_AUTH_TWILIO_AUTH_TOKEN',
+			category: 'vibes-auth',
+			source: 'local-env',
+			required: false,
+			description: 'Twilio auth token for phone OTP delivery'
+		},
+		{
+			key: 'VIBES_AUTH_GITHUB_CLIENT_ID',
+			category: 'vibes-auth',
+			source: 'local-env',
+			required: false,
+			description: 'GitHub OAuth client ID'
+		},
+		{
+			key: 'VIBES_AUTH_GITHUB_CLIENT_SECRET',
+			category: 'vibes-auth',
+			source: 'local-env',
+			required: false,
+			description: 'GitHub OAuth client secret'
+		},
+		{
+			key: 'VIBES_AUTH_GOOGLE_CLIENT_ID',
+			category: 'vibes-auth',
+			source: 'local-env',
+			required: false,
+			description: 'Google OAuth client ID'
+		},
+		{
+			key: 'VIBES_AUTH_GOOGLE_CLIENT_SECRET',
+			category: 'vibes-auth',
+			source: 'local-env',
+			required: false,
+			description: 'Google OAuth client secret'
+		},
+		{
+			key: 'VIBES_AUTH_DISCORD_CLIENT_ID',
+			category: 'vibes-auth',
+			source: 'local-env',
+			required: false,
+			description: 'Discord OAuth client ID'
+		},
+		{
+			key: 'VIBES_AUTH_DISCORD_CLIENT_SECRET',
+			category: 'vibes-auth',
+			source: 'local-env',
+			required: false,
+			description: 'Discord OAuth client secret'
+		},
+		{
+			key: 'VIBES_AUTH_MICROSOFT_CLIENT_ID',
+			category: 'vibes-auth',
+			source: 'local-env',
+			required: false,
+			description: 'Microsoft (Azure AD) OAuth client ID'
+		},
+		{
+			key: 'VIBES_AUTH_MICROSOFT_CLIENT_SECRET',
+			category: 'vibes-auth',
+			source: 'local-env',
+			required: false,
+			description: 'Microsoft (Azure AD) OAuth client secret'
+		},
+
+		// --- Internal cross-app bearer tokens (account-web, ai-web) ------------------
+		{
+			key: 'VIBES_AUTH_INTERNAL_TOKEN',
+			category: 'vibes-internal',
+			source: 'local-env',
+			required: true,
+			description: 'Bearer token for internal/admin auth API calls'
+		},
+		{
+			key: 'VIBES_INTERNAL_SERVICE_TOKEN',
+			category: 'vibes-internal',
+			source: 'manual',
+			required: true,
+			description: 'Shared internal bearer token for platform/account internal RPCs'
+		},
+		{
+			key: 'VIBES_PLATFORM_INTERNAL_TOKEN',
+			category: 'vibes-internal',
+			source: 'manual',
+			required: false,
+			description: 'Platform-specific internal bearer token; falls back to VIBES_INTERNAL_SERVICE_TOKEN'
+		},
+		{
+			key: 'VIBES_EMAIL_INGRESS_TOKEN',
+			category: 'vibes-internal',
+			source: 'manual',
+			required: false,
+			description: 'Bearer token for inbound email webhooks (auth-web /api/email)'
+		},
+
+		// --- Billing (account-web) ---------------------------------------------------
+		// `.env.production` stores Stripe under a `VIBES_ACCOUNT_STRIPE_*` prefix;
+		// `.env.local` uses the canonical names directly. Either source resolves.
+		{
+			key: 'STRIPE_SECRET_KEY',
+			category: 'provider-billing',
+			source: 'local-env',
+			aliases: ['VIBES_ACCOUNT_STRIPE_SECRET_KEY'],
+			required: false,
+			description: 'Stripe secret key for billing sync and checkout'
+		},
+		{
+			key: 'STRIPE_WEBHOOK_SECRET',
+			category: 'provider-billing',
+			source: 'local-env',
+			required: false,
+			description: 'Stripe webhook signing secret for /api/webhooks/stripe'
+		},
+		{
+			key: 'STRIPE_PUB_KEY',
+			category: 'provider-billing',
+			source: 'local-env',
+			aliases: ['PUBLIC_STRIPE_KEY', 'VIBES_ACCOUNT_STRIPE_PUB_KEY'],
+			required: false,
+			description: 'Stripe publishable key (pk_live_*/pk_test_*); safe to expose to clients but tracked here so live/test mode stays aligned with STRIPE_SECRET_KEY'
+		},
+		{
+			key: 'STRIPE_RESTRICTED_KEY',
+			category: 'provider-billing',
+			source: 'local-env',
+			aliases: ['VIBES_ACCOUNT_STRIPE_RESTRICTED_KEY'],
+			required: false,
+			description: 'Stripe restricted live key (rk_live_*) for narrow-scope ops/CI usage; not consumed at runtime — runtime uses STRIPE_SECRET_KEY'
+		},
+		{
+			key: 'CF_BILLING_SECRET',
+			category: 'vibes-internal',
+			source: 'manual',
+			required: false,
+			description: 'Cloudflare-side billing webhook secret'
+		},
+		{
+			key: 'RESEND_API_KEY',
+			category: 'provider-other',
+			source: 'manual',
+			required: false,
+			description: 'Resend API key used by account-web to send invoice receipt emails'
+		},
+
+		// --- LLM / voice / search providers (ai-web, ai-web) ----------------------
+		{
+			key: 'OPENAI_API_KEY',
+			category: 'provider-llm',
+			source: 'manual',
+			required: false,
+			description: 'OpenAI provider key (ai-web)'
+		},
+		{
+			key: 'ANTHROPIC_API_KEY',
+			category: 'provider-llm',
+			source: 'manual',
+			required: false,
+			description: 'Anthropic provider key (ai-web)'
+		},
+		{
+			key: 'GOOGLE_API_KEY',
+			category: 'provider-llm',
+			source: 'manual',
+			required: false,
+			description: 'Google provider key (ai-web)'
+		},
+		{
+			key: 'GEMINI_API_KEY',
+			category: 'provider-llm',
+			source: 'manual',
+			required: false,
+			description: 'Gemini-named provider key alias (ai-web)'
+		},
+		{
+			key: 'DEEPGRAM_API_KEY',
+			category: 'provider-voice',
+			source: 'manual',
+			required: false,
+			description: 'Deepgram transcription provider key (ai-web)'
+		},
+		{
+			key: 'ELEVENLABS_API_KEY',
+			category: 'provider-voice',
+			source: 'manual',
+			required: false,
+			description: 'ElevenLabs TTS provider key (ai-web)'
+		},
+		{
+			key: 'FIRECRAWL_API_KEY',
+			category: 'provider-search',
+			source: 'manual',
+			required: false,
+			description: 'Firecrawl crawl/scrape provider key (ai-web)'
+		},
+		{
+			key: 'VIBES_API_TOKEN',
+			category: 'vibes-internal',
+			source: 'manual',
+			required: false,
+			description: 'Tools-web internal API token'
+		},
+		{
+			key: 'VIBES_TOOL_REGISTRY_TOKEN',
+			category: 'vibes-internal',
+			source: 'manual',
+			required: false,
+			description: 'Tools-web tool-registry access token'
+		},
+
+		// --- Other provider creds (referenced by deployment configs but not in
+		//     a Pages app's secrets list yet — included so they round-trip if
+		//     they end up in `.env.local`) -----------------------------------------
+		{
+			key: 'DIGITALOCEAN_API_TOKEN',
+			category: 'provider-other',
+			source: 'local-env',
+			required: false,
+			description: 'DigitalOcean API token for DOKS / DO Spaces tooling'
+		},
+		{
+			key: 'NPM_TOKEN',
+			category: 'provider-other',
+			source: 'manual',
+			required: false,
+			description: 'npm publish token used by `vibes infra npm publish`'
+		}
+	]
+});
+
+export const canonicalImportManifest: SecretsImportManifest = manifest;
+export default manifest;

package/src/manifest/import-manifest.schema.ts

@@ -0,0 +1,63 @@
+/**
+ * Secrets Import Manifest Schema
+ *
+ * Catalogs the secrets the platform expects to receive from local root env
+ * files at bootstrap time. Carries no values — only key identity, source
+ * preference, and intent. The manifest is the contract a `vibes secrets
+ * import` command (phase 5) reads against.
+ */
+
+import * as z from 'zod/v4';
+
+/**
+ * Where a secret value is expected to originate from when running
+ * `vibes secrets import`. Sources with a `path` are repo-relative .env-shaped
+ * files; they are read-only inputs and never committed. Sources without a
+ * `path` (e.g. the canonical `manual` source) describe entries that are not
+ * importable from disk and must be set through other means
+ * (`vibes secrets set`, generated tokens, Cloudflare dashboard, etc.).
+ */
+export const SecretSourceSchema = z.object({
+	/** Repo-relative path to the .env file. Omit for non-importable sources. */
+	path: z.string().min(1).optional(),
+	/** Why this source owns this category of secrets (Vibes internals, providers, etc.) */
+	purpose: z.string().min(1)
+});
+export type SecretSource = z.infer<typeof SecretSourceSchema>;
+
+export const SecretCategorySchema = z.enum([
+	'vibes-internal',
+	'vibes-auth',
+	'cloudflare',
+	'provider-llm',
+	'provider-voice',
+	'provider-search',
+	'provider-billing',
+	'provider-other'
+]);
+export type SecretCategory = z.infer<typeof SecretCategorySchema>;
+
+export const SecretManifestEntrySchema = z.object({
+	/** Canonical key in Cloudflare Secrets Store. Matches env var name unless renamed. */
+	key: z.string().regex(/^[_A-Z0-9]+$/),
+	/** Category this secret belongs to (drives source-file routing) */
+	category: SecretCategorySchema,
+	/** Preferred source file id (must exist in `sources`) */
+	source: z.string().min(1),
+	/** Alternate names this secret may appear under in the source file */
+	aliases: z.array(z.string().regex(/^[_A-Z0-9]+$/)).default([]),
+	/** Whether the secret is required for a production push */
+	required: z.boolean().default(true),
+	/** Human-readable description of what this secret unlocks */
+	description: z.string().min(1)
+});
+export type SecretManifestEntry = z.infer<typeof SecretManifestEntrySchema>;
+
+export const SecretsImportManifestSchema = z.object({
+	version: z.literal(1),
+	/** Map of source id → file path + purpose */
+	sources: z.record(z.string().min(1), SecretSourceSchema),
+	/** Catalog of expected secrets, keyed by canonical name */
+	secrets: z.array(SecretManifestEntrySchema)
+});
+export type SecretsImportManifest = z.infer<typeof SecretsImportManifestSchema>;

package/src/manifest/index.ts

@@ -0,0 +1,12 @@
+export {
+	SecretsImportManifestSchema,
+	SecretManifestEntrySchema,
+	SecretSourceSchema,
+	SecretCategorySchema,
+	type SecretsImportManifest,
+	type SecretManifestEntry,
+	type SecretSource,
+	type SecretCategory
+} from './import-manifest.schema';
+
+export { canonicalImportManifest } from './canonical';

package/src/requirements/index.ts

@@ -0,0 +1,6 @@
+export {
+	resolveSecretRequirements,
+	groupRequirementsByApp,
+	uniqueSecretKeys,
+	type SecretRequirement
+} from './resolver';