@vibesdotdev/secrets 0.0.1

package/src/requirements/resolver.ts

@@ -0,0 +1,216 @@
+/**
+ * Secret Requirements Resolver
+ *
+ * Resolves secret requirements from two intentional sources:
+ *
+ * 1. Runtime infra descriptors (`.infra.ts` files) — workers and infrastructure.
+ *    Queries runtime for `infra/worker` descriptors. Workers (e.g. job-workers)
+ *    declare secrets here because they are infrastructure resources, not web apps.
+ *    The `infra/web-app` path is kept for completeness but no longer discovers
+ *    vestigial descriptors (deleted 2026-05-20).
+ *
+ * 2. `deployment.config.ts` files — the canonical per-app deployment system.
+ *    Loads each config via `@vibesdotdev/infra-deploy` and extracts `secret: true`
+ *    env entries from the `AppDeployment.env` array. This is the authoritative
+ *    source for web-app secrets.
+ *
+ * The two-system split is intentional, not transitional:
+ * - `.infra.ts` = infrastructure resources + workers (runtime-discovered assets)
+ * - `deployment.config.ts` = web app deployments (build + deploy orchestration)
+ *
+ * Used by `vibes secrets check` to cross-reference stored secrets against
+ * declared requirements.
+ */
+
+import type { WebAppDescriptor, WorkerDescriptor } from '@vibesdotdev/infra-core/kinds';
+import { loadDeploymentConfig } from '@vibesdotdev/infra-deploy';
+import type {
+	RequirementInfraDescriptor,
+	SecretRequirement,
+	SecretRequirementsRuntime
+} from './schemas/requirements';
+
+export type { SecretRequirement } from './schemas/requirements';
+
+/**
+ * Baked secret requirements captured at compile time by
+ * `apps/cli-bin/scripts/build.ts`. Compiled binaries can't re-import
+ * workspace `deployment.config.ts` files at runtime (their workspace
+ * specifiers don't resolve from the standalone executable), so we read
+ * pre-extracted requirements from this define-injected JSON string.
+ * In dev mode (source-run, tests) the symbol is undefined and we fall
+ * back to live discovery via `resolveFromDeploymentConfigs`.
+ */
+declare const __VIBES_BAKED_SECRET_REQUIREMENTS__: string;
+const BAKED_SECRET_REQUIREMENTS_JSON: string =
+	typeof __VIBES_BAKED_SECRET_REQUIREMENTS__ !== 'undefined'
+		? __VIBES_BAKED_SECRET_REQUIREMENTS__
+		: '[]';
+
+function readBakedRequirements(): SecretRequirement[] {
+	if (!BAKED_SECRET_REQUIREMENTS_JSON || BAKED_SECRET_REQUIREMENTS_JSON === '[]') {
+		return [];
+	}
+	try {
+		const parsed = JSON.parse(BAKED_SECRET_REQUIREMENTS_JSON);
+		return Array.isArray(parsed) ? (parsed as SecretRequirement[]) : [];
+	} catch {
+		return [];
+	}
+}
+
+function extractRequirements(descriptors: RequirementInfraDescriptor[]): SecretRequirement[] {
+	const results: SecretRequirement[] = [];
+	for (const desc of descriptors) {
+		if (!desc.env) continue;
+		for (const entry of desc.env) {
+			if (!entry.secret) continue;
+			results.push({
+				key: entry.name,
+				appId: desc.id,
+				required: entry.required ?? true,
+				description: entry.description
+			});
+		}
+	}
+	return results;
+}
+
+/**
+ * Resolve secret requirements from deployment.config.ts files.
+ *
+ * Walks the workspace for `deployment.config.ts` files (same discovery logic
+ * as `infra-deploy regenerate`), loads each via subprocess, and extracts
+ * `secret: true` env entries from the `AppDeployment.env` array.
+ */
+async function resolveFromDeploymentConfigs(
+	rootDir: string
+): Promise<SecretRequirement[]> {
+	const { readdirSync, statSync } = await import('node:fs');
+	const { join } = await import('node:path');
+
+	const IGNORED = new Set([
+		'node_modules', '.git', '.svelte-kit', 'dist', '.next', '.turbo', '.vite', '.wrangler'
+	]);
+	const CONFIG_NAMES = new Set([
+		'deployment.config.ts', 'deployment.config.js', 'deployment.config.mjs'
+	]);
+
+	// Discover deployment.config.ts files (mirrors infra-deploy's findDeploymentConfigs)
+	const configs: string[] = [];
+	function walk(dir: string, depth: number): void {
+		if (depth > 4) return;
+		let entries: string[];
+		try { entries = readdirSync(dir); } catch { return; }
+		for (const entry of entries) {
+			if (CONFIG_NAMES.has(entry)) configs.push(join(dir, entry));
+		}
+		for (const entry of entries) {
+			if (IGNORED.has(entry) || entry.startsWith('.')) continue;
+			const full = join(dir, entry);
+			let info;
+			try { info = statSync(full); } catch { continue; }
+			if (info.isDirectory()) walk(full, depth + 1);
+		}
+	}
+	walk(rootDir, 0);
+
+	const requirements: SecretRequirement[] = [];
+	for (const configPath of configs) {
+		const appDir = configPath.replace(/\/deployment\.config\.(ts|js|mjs)$/, '');
+		try {
+			const loaded = await loadDeploymentConfig(appDir);
+			for (const entry of loaded.deployment.env) {
+				if (!entry.secret) continue;
+				requirements.push({
+					key: entry.name,
+					appId: loaded.deployment.appId,
+					required: entry.required ?? true,
+					description: entry.description
+				});
+			}
+		} catch {
+			// Config load failures are non-fatal for secret resolution.
+			// The regen pipeline catches these separately.
+		}
+	}
+	return requirements;
+}
+
+/**
+ * Resolve all secret requirements from infra descriptors and deployment configs.
+ *
+ * Queries two sources:
+ * 1. Runtime for `infra/worker` descriptors (`.infra.ts` — workers + infrastructure)
+ * 2. `deployment.config.ts` files via `@vibesdotdev/infra-deploy` (web apps)
+ *
+ * These two sources are mutually exclusive by app type, so there should be no
+ * overlap. Both are queried to cover the full surface:
+ * - Workers declare secrets in `.infra.ts` (job-workers, ai-workers, etc.)
+ * - Web apps declare secrets in `deployment.config.ts` (auth-web, ai-web, etc.)
+ *
+ * Deployment config entries are appended after descriptor entries.
+ * Duplicates are harmless for check reporting.
+ */
+export async function resolveSecretRequirements(
+	runtime: SecretRequirementsRuntime,
+	options?: { deploymentConfigRoot?: string }
+): Promise<SecretRequirement[]> {
+	const requirements: SecretRequirement[] = [];
+
+	if (runtime.hasKind('infra/web-app')) {
+		const webApps = runtime.assets('infra/web-app').descriptors() as WebAppDescriptor[];
+		requirements.push(...extractRequirements(webApps));
+	}
+
+	if (runtime.hasKind('infra/worker')) {
+		const workers = runtime.assets('infra/worker').descriptors() as WorkerDescriptor[];
+		requirements.push(...extractRequirements(workers));
+	}
+
+	// Load web-app secrets from deployment.config.ts — the canonical source.
+	// Falls back to process.cwd() when no root is explicitly provided.
+	let liveDeployReqs: SecretRequirement[] = [];
+	if (options?.deploymentConfigRoot || typeof process !== 'undefined') {
+		const root = options?.deploymentConfigRoot ?? process.cwd();
+		try {
+			liveDeployReqs = await resolveFromDeploymentConfigs(root);
+		} catch {
+			// infra-deploy subprocess failures shouldn't block the check.
+		}
+	}
+
+	// In compiled binaries, `resolveFromDeploymentConfigs` returns [] because
+	// the standalone executable can't import workspace deployment.config.ts
+	// files at runtime. Fall back to the build-time snapshot captured by
+	// `apps/cli-bin/scripts/build.ts` so `--app <id>` filtering still works.
+	if (liveDeployReqs.length === 0) {
+		requirements.push(...readBakedRequirements());
+	} else {
+		requirements.push(...liveDeployReqs);
+	}
+
+	return requirements;
+}
+
+/**
+ * Group requirements by app/worker ID for per-app reporting.
+ */
+export function groupRequirementsByApp(
+	requirements: SecretRequirement[]
+): Map<string, SecretRequirement[]> {
+	const grouped = new Map<string, SecretRequirement[]>();
+	for (const req of requirements) {
+		const existing = grouped.get(req.appId) ?? [];
+		existing.push(req);
+		grouped.set(req.appId, existing);
+	}
+	return grouped;
+}
+
+/**
+ * Get unique secret keys across all apps (deduped).
+ */
+export function uniqueSecretKeys(requirements: SecretRequirement[]): string[] {
+	return [...new Set(requirements.map((r) => r.key))];
+}

package/src/requirements/schemas/requirements.ts

@@ -0,0 +1,29 @@
+export interface SecretRequirement {
+	/** Secret key name (e.g., VIBES_AUTH_SECRET) */
+	key: string;
+	/** App or worker ID that requires this secret */
+	appId: string;
+	/** Whether the secret is required for the app to function */
+	required: boolean;
+	/** Human-readable description of the secret's purpose */
+	description: string | undefined;
+}
+
+export interface RequirementEnvEntry {
+	name: string;
+	secret?: boolean;
+	required?: boolean;
+	description?: string;
+}
+
+export interface RequirementInfraDescriptor {
+	id: string;
+	env?: RequirementEnvEntry[];
+}
+
+export interface SecretRequirementsRuntime {
+	hasKind(kind: string): boolean;
+	assets(kind: string): {
+		descriptors(): RequirementInfraDescriptor[];
+	};
+}

package/src/secrets.plugin.ts

@@ -0,0 +1,65 @@
+/**
+ * Secrets Runtime Plugin
+ *
+ * Registers the secrets/store kind and CLI backend loaders.
+ */
+
+import { createRuntimePlugin, loader } from '@vibesdotdev/runtime';
+import type { RuntimeKindDescriptorRecord } from '@vibesdotdev/runtime/schemas/kind';
+import { secretsStoreKind } from './kinds/store.kind';
+
+// CLI
+import secretsGroup from './cli/secrets.cli-group.descriptor.ts';
+import secretsCheck from './cli/check/secrets.check.cli-command.descriptor.ts';
+import secretsImport from './cli/import/secrets.import.cli-command.descriptor.ts';
+import secretsExport from './cli/export/secrets.export.cli-command.descriptor.ts';
+import secretsList from './cli/list/secrets.list.cli-command.descriptor.ts';
+import secretsPull from './cli/pull/secrets.pull.cli-command.descriptor.ts';
+import secretsPush from './cli/push/secrets.push.cli-command.descriptor.ts';
+import secretsSet from './cli/set/secrets.set.cli-command.descriptor.ts';
+import secretsUnset from './cli/unset/secrets.unset.cli-command.descriptor.ts';
+import secretsReveal from './cli/reveal/secrets.reveal.cli-command.descriptor.ts';
+import secretsPreCommitCheck from './cli/pre-commit/secrets.pre-commit-check.cli-command.descriptor.ts';
+
+// Docs
+import secretsBackendsDescriptor from './docs/backends.docs.descriptor.ts';
+import secretsEncryptionDescriptor from './docs/encryption.docs.descriptor.ts';
+import secretsEnvFileDescriptor from './docs/env-file.docs.descriptor.ts';
+
+export default createRuntimePlugin({
+	id: 'secrets',
+	name: 'Secrets Management',
+	description: 'Environment-aware secrets storage with multiple backends',
+	dependencies: ['config'],
+	kinds: [secretsStoreKind as RuntimeKindDescriptorRecord],
+
+	descriptors: [
+		secretsGroup,
+		secretsCheck,
+		secretsImport,
+		secretsExport,
+		secretsList,
+		secretsPull,
+		secretsPush,
+		secretsSet,
+		secretsUnset,
+		secretsReveal,
+		secretsPreCommitCheck,
+		secretsBackendsDescriptor,
+		secretsEncryptionDescriptor,
+		secretsEnvFileDescriptor
+	],
+
+	loaders: [
+		loader('secrets.check', () => import('./cli/check/secrets.check.cli-command.impl.js')),
+		loader('secrets.import', () => import('./cli/import/secrets.import.cli-command.impl.js')),
+		loader('secrets.export', () => import('./cli/export/secrets.export.cli-command.impl.js')),
+		loader('secrets.list', () => import('./cli/list/secrets.list.cli-command.impl.js')),
+		loader('secrets.pull', () => import('./cli/pull/secrets.pull.cli-command.impl.js')),
+		loader('secrets.push', () => import('./cli/push/secrets.push.cli-command.impl.js')),
+		loader('secrets.set', () => import('./cli/set/secrets.set.cli-command.impl.js')),
+		loader('secrets.unset', () => import('./cli/unset/secrets.unset.cli-command.impl.js')),
+		loader('secrets.reveal', () => import('./cli/reveal/secrets.reveal.cli-command.impl.js')),
+		loader('dev.secrets.pre-commit-check', () => import('./cli/pre-commit/secrets.pre-commit-check.cli-command.impl.js'))
+	]
+});