@vibesdotdev/secrets 0.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (208) hide show
  1. package/README.md +59 -0
  2. package/SPEC.md +47 -0
  3. package/dist/cli/check/schemas/check-result.d.ts +9 -0
  4. package/dist/cli/check/schemas/check-result.d.ts.map +1 -0
  5. package/dist/cli/check/schemas/check-result.js +2 -0
  6. package/dist/cli/check/schemas/check-result.js.map +1 -0
  7. package/dist/cli/check/secrets.check.cli-command.descriptor.d.ts +4 -0
  8. package/dist/cli/check/secrets.check.cli-command.descriptor.d.ts.map +1 -0
  9. package/dist/cli/check/secrets.check.cli-command.descriptor.js +19 -0
  10. package/dist/cli/check/secrets.check.cli-command.descriptor.js.map +1 -0
  11. package/dist/cli/check/secrets.check.cli-command.impl.d.ts +5 -0
  12. package/dist/cli/check/secrets.check.cli-command.impl.d.ts.map +1 -0
  13. package/dist/cli/check/secrets.check.cli-command.impl.js +135 -0
  14. package/dist/cli/check/secrets.check.cli-command.impl.js.map +1 -0
  15. package/dist/cli/export/secrets.export.cli-command.descriptor.d.ts +4 -0
  16. package/dist/cli/export/secrets.export.cli-command.descriptor.d.ts.map +1 -0
  17. package/dist/cli/export/secrets.export.cli-command.descriptor.js +20 -0
  18. package/dist/cli/export/secrets.export.cli-command.descriptor.js.map +1 -0
  19. package/dist/cli/export/secrets.export.cli-command.impl.d.ts +5 -0
  20. package/dist/cli/export/secrets.export.cli-command.impl.d.ts.map +1 -0
  21. package/dist/cli/export/secrets.export.cli-command.impl.js +104 -0
  22. package/dist/cli/export/secrets.export.cli-command.impl.js.map +1 -0
  23. package/dist/cli/hooks/pre-commit-secrets.d.ts +2 -0
  24. package/dist/cli/hooks/pre-commit-secrets.d.ts.map +1 -0
  25. package/dist/cli/hooks/pre-commit-secrets.js +68 -0
  26. package/dist/cli/hooks/pre-commit-secrets.js.map +1 -0
  27. package/dist/cli/import/secrets.import.cli-command.descriptor.d.ts +4 -0
  28. package/dist/cli/import/secrets.import.cli-command.descriptor.d.ts.map +1 -0
  29. package/dist/cli/import/secrets.import.cli-command.descriptor.js +19 -0
  30. package/dist/cli/import/secrets.import.cli-command.descriptor.js.map +1 -0
  31. package/dist/cli/import/secrets.import.cli-command.impl.d.ts +5 -0
  32. package/dist/cli/import/secrets.import.cli-command.impl.d.ts.map +1 -0
  33. package/dist/cli/import/secrets.import.cli-command.impl.js +155 -0
  34. package/dist/cli/import/secrets.import.cli-command.impl.js.map +1 -0
  35. package/dist/cli/list/secrets.list.cli-command.descriptor.d.ts +4 -0
  36. package/dist/cli/list/secrets.list.cli-command.descriptor.d.ts.map +1 -0
  37. package/dist/cli/list/secrets.list.cli-command.descriptor.js +18 -0
  38. package/dist/cli/list/secrets.list.cli-command.descriptor.js.map +1 -0
  39. package/dist/cli/list/secrets.list.cli-command.impl.d.ts +5 -0
  40. package/dist/cli/list/secrets.list.cli-command.impl.d.ts.map +1 -0
  41. package/dist/cli/list/secrets.list.cli-command.impl.js +61 -0
  42. package/dist/cli/list/secrets.list.cli-command.impl.js.map +1 -0
  43. package/dist/cli/pre-commit/secrets.pre-commit-check.cli-command.descriptor.d.ts +4 -0
  44. package/dist/cli/pre-commit/secrets.pre-commit-check.cli-command.descriptor.d.ts.map +1 -0
  45. package/dist/cli/pre-commit/secrets.pre-commit-check.cli-command.descriptor.js +16 -0
  46. package/dist/cli/pre-commit/secrets.pre-commit-check.cli-command.descriptor.js.map +1 -0
  47. package/dist/cli/pre-commit/secrets.pre-commit-check.cli-command.impl.d.ts +5 -0
  48. package/dist/cli/pre-commit/secrets.pre-commit-check.cli-command.impl.d.ts.map +1 -0
  49. package/dist/cli/pre-commit/secrets.pre-commit-check.cli-command.impl.js +10 -0
  50. package/dist/cli/pre-commit/secrets.pre-commit-check.cli-command.impl.js.map +1 -0
  51. package/dist/cli/pull/secrets.pull.cli-command.descriptor.d.ts +4 -0
  52. package/dist/cli/pull/secrets.pull.cli-command.descriptor.d.ts.map +1 -0
  53. package/dist/cli/pull/secrets.pull.cli-command.descriptor.js +20 -0
  54. package/dist/cli/pull/secrets.pull.cli-command.descriptor.js.map +1 -0
  55. package/dist/cli/pull/secrets.pull.cli-command.impl.d.ts +5 -0
  56. package/dist/cli/pull/secrets.pull.cli-command.impl.d.ts.map +1 -0
  57. package/dist/cli/pull/secrets.pull.cli-command.impl.js +76 -0
  58. package/dist/cli/pull/secrets.pull.cli-command.impl.js.map +1 -0
  59. package/dist/cli/push/secrets.push.cli-command.descriptor.d.ts +4 -0
  60. package/dist/cli/push/secrets.push.cli-command.descriptor.d.ts.map +1 -0
  61. package/dist/cli/push/secrets.push.cli-command.descriptor.js +22 -0
  62. package/dist/cli/push/secrets.push.cli-command.descriptor.js.map +1 -0
  63. package/dist/cli/push/secrets.push.cli-command.impl.d.ts +5 -0
  64. package/dist/cli/push/secrets.push.cli-command.impl.d.ts.map +1 -0
  65. package/dist/cli/push/secrets.push.cli-command.impl.js +109 -0
  66. package/dist/cli/push/secrets.push.cli-command.impl.js.map +1 -0
  67. package/dist/cli/reveal/secrets.reveal.cli-command.descriptor.d.ts +4 -0
  68. package/dist/cli/reveal/secrets.reveal.cli-command.descriptor.d.ts.map +1 -0
  69. package/dist/cli/reveal/secrets.reveal.cli-command.descriptor.js +19 -0
  70. package/dist/cli/reveal/secrets.reveal.cli-command.descriptor.js.map +1 -0
  71. package/dist/cli/reveal/secrets.reveal.cli-command.impl.d.ts +5 -0
  72. package/dist/cli/reveal/secrets.reveal.cli-command.impl.d.ts.map +1 -0
  73. package/dist/cli/reveal/secrets.reveal.cli-command.impl.js +85 -0
  74. package/dist/cli/reveal/secrets.reveal.cli-command.impl.js.map +1 -0
  75. package/dist/cli/secrets.cli-group.descriptor.d.ts +4 -0
  76. package/dist/cli/secrets.cli-group.descriptor.d.ts.map +1 -0
  77. package/dist/cli/secrets.cli-group.descriptor.js +11 -0
  78. package/dist/cli/secrets.cli-group.descriptor.js.map +1 -0
  79. package/dist/cli/set/secrets.set.cli-command.descriptor.d.ts +4 -0
  80. package/dist/cli/set/secrets.set.cli-command.descriptor.d.ts.map +1 -0
  81. package/dist/cli/set/secrets.set.cli-command.descriptor.js +21 -0
  82. package/dist/cli/set/secrets.set.cli-command.descriptor.js.map +1 -0
  83. package/dist/cli/set/secrets.set.cli-command.impl.d.ts +5 -0
  84. package/dist/cli/set/secrets.set.cli-command.impl.d.ts.map +1 -0
  85. package/dist/cli/set/secrets.set.cli-command.impl.js +59 -0
  86. package/dist/cli/set/secrets.set.cli-command.impl.js.map +1 -0
  87. package/dist/cli/shared/resolve-environment.d.ts +14 -0
  88. package/dist/cli/shared/resolve-environment.d.ts.map +1 -0
  89. package/dist/cli/shared/resolve-environment.js +45 -0
  90. package/dist/cli/shared/resolve-environment.js.map +1 -0
  91. package/dist/cli/unset/secrets.unset.cli-command.descriptor.d.ts +4 -0
  92. package/dist/cli/unset/secrets.unset.cli-command.descriptor.d.ts.map +1 -0
  93. package/dist/cli/unset/secrets.unset.cli-command.descriptor.js +20 -0
  94. package/dist/cli/unset/secrets.unset.cli-command.descriptor.js.map +1 -0
  95. package/dist/cli/unset/secrets.unset.cli-command.impl.d.ts +5 -0
  96. package/dist/cli/unset/secrets.unset.cli-command.impl.d.ts.map +1 -0
  97. package/dist/cli/unset/secrets.unset.cli-command.impl.js +31 -0
  98. package/dist/cli/unset/secrets.unset.cli-command.impl.js.map +1 -0
  99. package/dist/docs/backends.docs.descriptor.d.ts +4 -0
  100. package/dist/docs/backends.docs.descriptor.d.ts.map +1 -0
  101. package/dist/docs/backends.docs.descriptor.js +149 -0
  102. package/dist/docs/backends.docs.descriptor.js.map +1 -0
  103. package/dist/docs/encryption.docs.descriptor.d.ts +4 -0
  104. package/dist/docs/encryption.docs.descriptor.d.ts.map +1 -0
  105. package/dist/docs/encryption.docs.descriptor.js +163 -0
  106. package/dist/docs/encryption.docs.descriptor.js.map +1 -0
  107. package/dist/docs/env-file.docs.descriptor.d.ts +4 -0
  108. package/dist/docs/env-file.docs.descriptor.d.ts.map +1 -0
  109. package/dist/docs/env-file.docs.descriptor.js +207 -0
  110. package/dist/docs/env-file.docs.descriptor.js.map +1 -0
  111. package/dist/index.d.ts +13 -0
  112. package/dist/index.d.ts.map +1 -0
  113. package/dist/index.js +13 -0
  114. package/dist/index.js.map +1 -0
  115. package/dist/kinds/index.d.ts +4 -0
  116. package/dist/kinds/index.d.ts.map +1 -0
  117. package/dist/kinds/index.js +3 -0
  118. package/dist/kinds/index.js.map +1 -0
  119. package/dist/kinds/schemas/store.schema.d.ts +49 -0
  120. package/dist/kinds/schemas/store.schema.d.ts.map +1 -0
  121. package/dist/kinds/schemas/store.schema.js +34 -0
  122. package/dist/kinds/schemas/store.schema.js.map +1 -0
  123. package/dist/kinds/schemas/store.types.d.ts +28 -0
  124. package/dist/kinds/schemas/store.types.d.ts.map +1 -0
  125. package/dist/kinds/schemas/store.types.js +2 -0
  126. package/dist/kinds/schemas/store.types.js.map +1 -0
  127. package/dist/kinds/store.interface.d.ts +2 -0
  128. package/dist/kinds/store.interface.d.ts.map +1 -0
  129. package/dist/kinds/store.interface.js +2 -0
  130. package/dist/kinds/store.interface.js.map +1 -0
  131. package/dist/kinds/store.kind.d.ts +10 -0
  132. package/dist/kinds/store.kind.d.ts.map +1 -0
  133. package/dist/kinds/store.kind.js +36 -0
  134. package/dist/kinds/store.kind.js.map +1 -0
  135. package/dist/kinds/store.schema.d.ts +2 -0
  136. package/dist/kinds/store.schema.d.ts.map +1 -0
  137. package/dist/kinds/store.schema.js +2 -0
  138. package/dist/kinds/store.schema.js.map +1 -0
  139. package/dist/manifest/canonical.d.ts +30 -0
  140. package/dist/manifest/canonical.d.ts.map +1 -0
  141. package/dist/manifest/canonical.js +313 -0
  142. package/dist/manifest/canonical.js.map +1 -0
  143. package/dist/manifest/import-manifest.schema.d.ts +77 -0
  144. package/dist/manifest/import-manifest.schema.d.ts.map +1 -0
  145. package/dist/manifest/import-manifest.schema.js +55 -0
  146. package/dist/manifest/import-manifest.schema.js.map +1 -0
  147. package/dist/manifest/index.d.ts +3 -0
  148. package/dist/manifest/index.d.ts.map +1 -0
  149. package/dist/manifest/index.js +3 -0
  150. package/dist/manifest/index.js.map +1 -0
  151. package/dist/requirements/index.d.ts +2 -0
  152. package/dist/requirements/index.d.ts.map +1 -0
  153. package/dist/requirements/index.js +2 -0
  154. package/dist/requirements/index.js.map +1 -0
  155. package/dist/requirements/resolver.d.ts +52 -0
  156. package/dist/requirements/resolver.d.ts.map +1 -0
  157. package/dist/requirements/resolver.js +196 -0
  158. package/dist/requirements/resolver.js.map +1 -0
  159. package/dist/requirements/schemas/requirements.d.ts +27 -0
  160. package/dist/requirements/schemas/requirements.d.ts.map +1 -0
  161. package/dist/requirements/schemas/requirements.js +2 -0
  162. package/dist/requirements/schemas/requirements.js.map +1 -0
  163. package/dist/secrets.plugin.d.ts +8 -0
  164. package/dist/secrets.plugin.d.ts.map +1 -0
  165. package/dist/secrets.plugin.js +59 -0
  166. package/dist/secrets.plugin.js.map +1 -0
  167. package/package.json +108 -0
  168. package/src/cli/check/schemas/check-result.ts +8 -0
  169. package/src/cli/check/secrets.check.cli-command.descriptor.ts +21 -0
  170. package/src/cli/check/secrets.check.cli-command.impl.ts +163 -0
  171. package/src/cli/export/secrets.export.cli-command.descriptor.ts +22 -0
  172. package/src/cli/export/secrets.export.cli-command.impl.ts +139 -0
  173. package/src/cli/hooks/pre-commit-secrets.ts +73 -0
  174. package/src/cli/import/secrets.import.cli-command.descriptor.ts +21 -0
  175. package/src/cli/import/secrets.import.cli-command.impl.ts +178 -0
  176. package/src/cli/list/secrets.list.cli-command.descriptor.ts +21 -0
  177. package/src/cli/list/secrets.list.cli-command.impl.ts +79 -0
  178. package/src/cli/pre-commit/secrets.pre-commit-check.cli-command.descriptor.ts +18 -0
  179. package/src/cli/pre-commit/secrets.pre-commit-check.cli-command.impl.ts +11 -0
  180. package/src/cli/pull/secrets.pull.cli-command.descriptor.ts +22 -0
  181. package/src/cli/pull/secrets.pull.cli-command.impl.ts +103 -0
  182. package/src/cli/push/secrets.push.cli-command.descriptor.ts +24 -0
  183. package/src/cli/push/secrets.push.cli-command.impl.ts +149 -0
  184. package/src/cli/reveal/secrets.reveal.cli-command.descriptor.ts +21 -0
  185. package/src/cli/reveal/secrets.reveal.cli-command.impl.ts +108 -0
  186. package/src/cli/secrets.cli-group.descriptor.ts +13 -0
  187. package/src/cli/set/secrets.set.cli-command.descriptor.ts +23 -0
  188. package/src/cli/set/secrets.set.cli-command.impl.ts +77 -0
  189. package/src/cli/shared/resolve-environment.ts +57 -0
  190. package/src/cli/unset/secrets.unset.cli-command.descriptor.ts +22 -0
  191. package/src/cli/unset/secrets.unset.cli-command.impl.ts +41 -0
  192. package/src/docs/backends.docs.descriptor.ts +151 -0
  193. package/src/docs/encryption.docs.descriptor.ts +165 -0
  194. package/src/docs/env-file.docs.descriptor.ts +209 -0
  195. package/src/index.ts +35 -0
  196. package/src/kinds/index.ts +12 -0
  197. package/src/kinds/schemas/store.schema.ts +47 -0
  198. package/src/kinds/schemas/store.types.ts +35 -0
  199. package/src/kinds/store.interface.ts +1 -0
  200. package/src/kinds/store.kind.ts +52 -0
  201. package/src/kinds/store.schema.ts +8 -0
  202. package/src/manifest/canonical.ts +324 -0
  203. package/src/manifest/import-manifest.schema.ts +63 -0
  204. package/src/manifest/index.ts +12 -0
  205. package/src/requirements/index.ts +6 -0
  206. package/src/requirements/resolver.ts +216 -0
  207. package/src/requirements/schemas/requirements.ts +29 -0
  208. package/src/secrets.plugin.ts +65 -0
package/dist/kinds/schemas/store.schema.js ADDED
@@ -0,0 +1,34 @@
1
+ /**
2
+ * Secrets Store Descriptor Schema
3
+ *
4
+ * Defines the structure for secrets/store kind descriptors.
5
+ * Each descriptor represents a secrets storage backend
6
+ * (env-file, encrypted-local, cloudflare-api, vault).
7
+ */
8
+ import * as z from 'zod/v4';
9
+ export const EnvironmentTierSchema = z.enum(['local', 'dev', 'staging', 'production']);
10
+ export const SecretsBackendSchema = z.enum([
11
+ 'env-file',
12
+ 'encrypted-local',
13
+ 'cloudflare-api',
14
+ 'cloudflare-secrets-store',
15
+ 'vault'
16
+ ]);
17
+ export const SecretsStoreDescriptorSchema = z.object({
18
+ id: z.string().min(1),
19
+ kind: z.literal('secrets/store'),
20
+ name: z.string().optional(),
21
+ description: z.string().optional(),
22
+ tags: z.array(z.string()).optional(),
23
+ enabled: z.boolean().optional(),
24
+ hardware: z.array(z.string()).optional(),
25
+ /** Backend type for this store */
26
+ backend: SecretsBackendSchema,
27
+ /** Environment tiers this store operates on */
28
+ tiers: z.array(EnvironmentTierSchema).min(1),
29
+ /** Resolution priority (higher wins for write ops) */
30
+ priority: z.number().int().default(0),
31
+ /** Backend-specific configuration key-value pairs */
32
+ config: z.record(z.string(), z.string()).optional()
33
+ });
34
+ //# sourceMappingURL=store.schema.js.map
package/dist/kinds/schemas/store.schema.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"store.schema.js","sourceRoot":"","sources":["../../../src/kinds/schemas/store.schema.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,CAAC,MAAM,QAAQ,CAAC;AAE5B,MAAM,CAAC,MAAM,qBAAqB,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,YAAY,CAAC,CAAC,CAAC;AAIvF,MAAM,CAAC,MAAM,oBAAoB,GAAG,CAAC,CAAC,IAAI,CAAC;IAC1C,UAAU;IACV,iBAAiB;IACjB,gBAAgB;IAChB,0BAA0B;IAC1B,OAAO;CACP,CAAC,CAAC;AAIH,MAAM,CAAC,MAAM,4BAA4B,GAAG,CAAC,CAAC,MAAM,CAAC;IACpD,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACrB,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,eAAe,CAAC;IAChC,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC3B,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAClC,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACpC,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IAC/B,QAAQ,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IAExC,kCAAkC;IAClC,OAAO,EAAE,oBAAoB;IAE7B,+CAA+C;IAC/C,KAAK,EAAE,CAAC,CAAC,KAAK,CAAC,qBAAqB,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IAE5C,sDAAsD;IACtD,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC;IAErC,qDAAqD;IACrD,MAAM,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;CACnD,CAAC,CAAC"}
package/dist/kinds/schemas/store.types.d.ts ADDED
@@ -0,0 +1,28 @@
1
+ import type { SecretsStoreDescriptor } from './store.schema';
2
+ /** A single entry in a secrets listing */
3
+ export interface SecretEntry {
4
+ /** Secret key name (e.g., VIBES_AUTH_SECRET) */
5
+ key: string;
6
+ /** Whether a value is stored for this key */
7
+ hasValue: boolean;
8
+ /** Backend source identifier */
9
+ source: string;
10
+ }
11
+ /** Interface all secrets store backends must implement */
12
+ export interface SecretsStoreImplementation {
13
+ readonly id: string;
14
+ readonly descriptor: SecretsStoreDescriptor;
15
+ /** List all secret keys stored for an environment */
16
+ list(environment: string): Promise<SecretEntry[]>;
17
+ /** Get a single secret value (undefined if not found) */
18
+ get(environment: string, key: string): Promise<string | undefined>;
19
+ /** Set a secret value for an environment */
20
+ set(environment: string, key: string, value: string): Promise<void>;
21
+ /** Remove a secret from an environment */
22
+ unset(environment: string, key: string): Promise<void>;
23
+ /** Get all secret key-value pairs for an environment */
24
+ getAll(environment: string): Promise<Record<string, string>>;
25
+ /** Set multiple secrets at once (merges with existing) */
26
+ setAll(environment: string, secrets: Record<string, string>): Promise<void>;
27
+ }
28
+ //# sourceMappingURL=store.types.d.ts.map
package/dist/kinds/schemas/store.types.d.ts.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"store.types.d.ts","sourceRoot":"","sources":["../../../src/kinds/schemas/store.types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,gBAAgB,CAAC;AAE7D,0CAA0C;AAC1C,MAAM,WAAW,WAAW;IAC3B,gDAAgD;IAChD,GAAG,EAAE,MAAM,CAAC;IACZ,6CAA6C;IAC7C,QAAQ,EAAE,OAAO,CAAC;IAClB,gCAAgC;IAChC,MAAM,EAAE,MAAM,CAAC;CACf;AAED,0DAA0D;AAC1D,MAAM,WAAW,0BAA0B;IAC1C,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,UAAU,EAAE,sBAAsB,CAAC;IAE5C,qDAAqD;IACrD,IAAI,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC,CAAC;IAElD,yDAAyD;IACzD,GAAG,CAAC,WAAW,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC,CAAC;IAEnE,4CAA4C;IAC5C,GAAG,CAAC,WAAW,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEpE,0CAA0C;IAC1C,KAAK,CAAC,WAAW,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEvD,wDAAwD;IACxD,MAAM,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;IAE7D,0DAA0D;IAC1D,MAAM,CAAC,WAAW,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CAC5E"}
package/dist/kinds/schemas/store.types.js ADDED
@@ -0,0 +1,2 @@
1
+ export {};
2
+ //# sourceMappingURL=store.types.js.map
package/dist/kinds/schemas/store.types.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"store.types.js","sourceRoot":"","sources":["../../../src/kinds/schemas/store.types.ts"],"names":[],"mappings":""}
package/dist/kinds/store.interface.d.ts ADDED
@@ -0,0 +1,2 @@
1
+ export type { SecretEntry, SecretsStoreImplementation } from './schemas/store.types';
2
+ //# sourceMappingURL=store.interface.d.ts.map
package/dist/kinds/store.interface.d.ts.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"store.interface.d.ts","sourceRoot":"","sources":["../../src/kinds/store.interface.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,WAAW,EAAE,0BAA0B,EAAE,MAAM,uBAAuB,CAAC"}
package/dist/kinds/store.interface.js ADDED
@@ -0,0 +1,2 @@
1
+ export {};
2
+ //# sourceMappingURL=store.interface.js.map
package/dist/kinds/store.interface.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"store.interface.js","sourceRoot":"","sources":["../../src/kinds/store.interface.ts"],"names":[],"mappings":""}
package/dist/kinds/store.kind.d.ts ADDED
@@ -0,0 +1,10 @@
1
+ /**
2
+ * Secrets Store Kind Definition
3
+ *
4
+ * Registers the secrets/store kind with the runtime.
5
+ * Resolution selects backends by environment tier and priority.
6
+ */
7
+ import type { RuntimeKindDescriptorRecord } from '@vibesdotdev/runtime/schemas/kind';
8
+ import type { SecretsStoreImplementation } from './store.interface';
9
+ export declare const secretsStoreKind: RuntimeKindDescriptorRecord<SecretsStoreImplementation>;
10
+ //# sourceMappingURL=store.kind.d.ts.map
package/dist/kinds/store.kind.d.ts.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"store.kind.d.ts","sourceRoot":"","sources":["../../src/kinds/store.kind.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,KAAK,EAAe,2BAA2B,EAAqB,MAAM,mCAAmC,CAAC;AAOrH,OAAO,KAAK,EAAE,0BAA0B,EAAE,MAAM,mBAAmB,CAAC;AA2BpE,eAAO,MAAM,gBAAgB,yDAS3B,CAAC"}
package/dist/kinds/store.kind.js ADDED
@@ -0,0 +1,36 @@
1
+ /**
2
+ * Secrets Store Kind Definition
3
+ *
4
+ * Registers the secrets/store kind with the runtime.
5
+ * Resolution selects backends by environment tier and priority.
6
+ */
7
+ import { createRuntimeKind } from '@vibesdotdev/runtime/factory/kind';
8
+ import { SecretsStoreDescriptorSchema } from './store.schema.js';
9
+ /**
10
+ * Resolve the best secrets store for the current scope.
11
+ *
12
+ * Filters candidates by environment tier (from scope qualifiers),
13
+ * then picks the highest-priority match.
14
+ *
15
+ * No defaultImplementation — missing backends cause hard failure at resolve()
16
+ * time per the SPEC hard rule: "Missing-backend means hard failure."
17
+ */
18
+ function resolveSecretsStore(candidates, scope, _context) {
19
+ const typed = candidates;
20
+ if (typed.length === 0)
21
+ return undefined;
22
+ if (typed.length === 1)
23
+ return typed[0];
24
+ const envTier = (scope.qualifiers?.environmentTier ?? 'local');
25
+ const tierMatches = typed.filter((d) => d.tiers.includes(envTier));
26
+ const pool = tierMatches.length > 0 ? tierMatches : typed;
27
+ pool.sort((a, b) => (b.priority ?? 0) - (a.priority ?? 0));
28
+ return pool[0];
29
+ }
30
+ export const secretsStoreKind = createRuntimeKind({
31
+ id: 'secrets/store',
32
+ descriptorSchema: SecretsStoreDescriptorSchema,
33
+ resolve: resolveSecretsStore,
34
+ contexts: []
35
+ });
36
+ //# sourceMappingURL=store.kind.js.map
package/dist/kinds/store.kind.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"store.kind.js","sourceRoot":"","sources":["../../src/kinds/store.kind.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,iBAAiB,EAAE,MAAM,mCAAmC,CAAC;AAGtE,OAAO,EACN,4BAA4B,EAG5B,MAAM,gBAAgB,CAAC;AAExB;;;;;;;;GAQG;AACH,SAAS,mBAAmB,CAC3B,UAA+B,EAC/B,KAAmB,EACnB,QAAqB;IAErB,MAAM,KAAK,GAAG,UAAsC,CAAC;IACrD,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,SAAS,CAAC;IACzC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC;IAExC,MAAM,OAAO,GAAG,CAAC,KAAK,CAAC,UAAU,EAAE,eAAe,IAAI,OAAO,CAAoB,CAAC;IAClF,MAAM,WAAW,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;IACnE,MAAM,IAAI,GAAG,WAAW,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,KAAK,CAAC;IAE1D,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC,CAAC,CAAC;IAC3D,OAAO,IAAI,CAAC,CAAC,CAAC,CAAC;AAChB,CAAC;AAED,MAAM,CAAC,MAAM,gBAAgB,GAAG,iBAAiB,CAI/C;IACD,EAAE,EAAE,eAAe;IACnB,gBAAgB,EAAE,4BAA4B;IAC9C,OAAO,EAAE,mBAAmB;IAC5B,QAAQ,EAAE,EAAE;CACZ,CAAC,CAAC"}
package/dist/kinds/store.schema.d.ts ADDED
@@ -0,0 +1,2 @@
1
+ export { SecretsStoreDescriptorSchema, EnvironmentTierSchema, SecretsBackendSchema, type SecretsStoreDescriptor, type EnvironmentTier, type SecretsBackend } from './schemas/store.schema';
2
+ //# sourceMappingURL=store.schema.d.ts.map
package/dist/kinds/store.schema.d.ts.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"store.schema.d.ts","sourceRoot":"","sources":["../../src/kinds/store.schema.ts"],"names":[],"mappings":"AAAA,OAAO,EACN,4BAA4B,EAC5B,qBAAqB,EACrB,oBAAoB,EACpB,KAAK,sBAAsB,EAC3B,KAAK,eAAe,EACpB,KAAK,cAAc,EACnB,MAAM,wBAAwB,CAAC"}
package/dist/kinds/store.schema.js ADDED
@@ -0,0 +1,2 @@
1
+ export { SecretsStoreDescriptorSchema, EnvironmentTierSchema, SecretsBackendSchema } from './schemas/store.schema.js';
2
+ //# sourceMappingURL=store.schema.js.map
package/dist/kinds/store.schema.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"store.schema.js","sourceRoot":"","sources":["../../src/kinds/store.schema.ts"],"names":[],"mappings":"AAAA,OAAO,EACN,4BAA4B,EAC5B,qBAAqB,EACrB,oBAAoB,EAIpB,MAAM,wBAAwB,CAAC"}
package/dist/manifest/canonical.d.ts ADDED
@@ -0,0 +1,30 @@
1
+ /**
2
+ * Vibes Secrets Import Manifest (canonical, value-free)
3
+ *
4
+ * Read by `vibes secrets import` to discover which keys to pull from which
5
+ * local root env files when bootstrapping the encrypted Vibes store. The
6
+ * manifest is reconciled against ground truth: every entry corresponds to a
7
+ * real `secret: true` env var declared by an app's deployment config (or, in
8
+ * auth-web's case, by its sub-manifest files).
9
+ *
10
+ * Sources:
11
+ * - `local-env` (`.env.local`) is the canonical machine-local store of
12
+ * every actual production-quality secret value: auth secrets, OAuth
13
+ * client secrets (GitHub / Google / Discord / Microsoft), Resend, the
14
+ * internal auth token, Stripe billing keys, etc.
15
+ * - `production-env` (`.env.production`) holds production-flavored
16
+ * non-secret config plus the operator's CF coordinates. Value-free here.
17
+ * - `manual` is a pseudo-source for keys that must be set through another
18
+ * channel (`vibes secrets set`, generated tokens, or pasted from a vault).
19
+ * The import command skips `manual` entries with a notice.
20
+ *
21
+ * Operator credentials (`CLOUDFLARE_API_TOKEN`, `CLOUDFLARE_ACCOUNT_ID`,
22
+ * `CLOUDFLARE_SECRETS_STORE_ID`) are intentionally NOT in this manifest.
23
+ * They authenticate the operator's machine to push secrets into the store;
24
+ * they are never themselves pushed into the store.
25
+ */
26
+ import { type SecretsImportManifest } from './import-manifest.schema';
27
+ declare const manifest: SecretsImportManifest;
28
+ export declare const canonicalImportManifest: SecretsImportManifest;
29
+ export default manifest;
30
+ //# sourceMappingURL=canonical.d.ts.map
package/dist/manifest/canonical.d.ts.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"canonical.d.ts","sourceRoot":"","sources":["../../src/manifest/canonical.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AAEH,OAAO,EAEN,KAAK,qBAAqB,EAC1B,MAAM,0BAA0B,CAAC;AAElC,QAAA,MAAM,QAAQ,EAAE,qBAiSd,CAAC;AAEH,eAAO,MAAM,uBAAuB,EAAE,qBAAgC,CAAC;AACvE,eAAe,QAAQ,CAAC"}
package/dist/manifest/canonical.js ADDED
@@ -0,0 +1,313 @@
1
+ /**
2
+ * Vibes Secrets Import Manifest (canonical, value-free)
3
+ *
4
+ * Read by `vibes secrets import` to discover which keys to pull from which
5
+ * local root env files when bootstrapping the encrypted Vibes store. The
6
+ * manifest is reconciled against ground truth: every entry corresponds to a
7
+ * real `secret: true` env var declared by an app's deployment config (or, in
8
+ * auth-web's case, by its sub-manifest files).
9
+ *
10
+ * Sources:
11
+ * - `local-env` (`.env.local`) is the canonical machine-local store of
12
+ * every actual production-quality secret value: auth secrets, OAuth
13
+ * client secrets (GitHub / Google / Discord / Microsoft), Resend, the
14
+ * internal auth token, Stripe billing keys, etc.
15
+ * - `production-env` (`.env.production`) holds production-flavored
16
+ * non-secret config plus the operator's CF coordinates. Value-free here.
17
+ * - `manual` is a pseudo-source for keys that must be set through another
18
+ * channel (`vibes secrets set`, generated tokens, or pasted from a vault).
19
+ * The import command skips `manual` entries with a notice.
20
+ *
21
+ * Operator credentials (`CLOUDFLARE_API_TOKEN`, `CLOUDFLARE_ACCOUNT_ID`,
22
+ * `CLOUDFLARE_SECRETS_STORE_ID`) are intentionally NOT in this manifest.
23
+ * They authenticate the operator's machine to push secrets into the store;
24
+ * they are never themselves pushed into the store.
25
+ */
26
+ import { SecretsImportManifestSchema } from './import-manifest.schema';
27
+ const manifest = SecretsImportManifestSchema.parse({
28
+ version: 1,
29
+ sources: {
30
+ 'local-env': {
31
+ path: '.env.local',
32
+ purpose: 'Canonical machine-local secret values: auth, OAuth, billing, internal tokens'
33
+ },
34
+ 'production-env': {
35
+ path: '.env.production',
36
+ purpose: 'Production-flavored non-secret config + CF operator coordinates'
37
+ },
38
+ 'manual': {
39
+ purpose: "Set via `vibes secrets set <KEY>` or generated by ops; not sourced from a local file"
40
+ }
41
+ },
42
+ secrets: [
43
+ // --- Auth gateway (auth-web) — sourced from .env.local ----------------------
44
+ {
45
+ key: 'VIBES_AUTH_SECRET',
46
+ category: 'vibes-auth',
47
+ source: 'local-env',
48
+ required: true,
49
+ description: 'Better Auth signing secret (auth-web)'
50
+ },
51
+ // `VIBES_AUTH_DATABASE_URL` / `VIBES_AUTH_DATABASE_AUTH_TOKEN` are
52
+ // dev-only: production auth-web binds its own D1 database (`vibes-auth-db`)
53
+ // via the `DB` binding in `wrangler.jsonc`. The libsql/file fallback in
54
+ // `auth-web/src/server/persistence.ts` is for local dev only. We keep
55
+ // them in the manifest so `vibes secrets import` still picks them up
56
+ // for a working local store, but they're optional and never pushed to
57
+ // the production Secrets Store.
58
+ {
59
+ key: 'VIBES_AUTH_DATABASE_URL',
60
+ category: 'vibes-auth',
61
+ source: 'local-env',
62
+ required: false,
63
+ description: 'LibSQL/Turso connection URL for auth persistence (DEV ONLY — production uses D1)'
64
+ },
65
+ {
66
+ key: 'VIBES_AUTH_DATABASE_AUTH_TOKEN',
67
+ category: 'vibes-auth',
68
+ source: 'local-env',
69
+ aliases: ['DATABASE_AUTH_TOKEN'],
70
+ required: false,
71
+ description: 'LibSQL/Turso auth token for auth persistence (DEV ONLY — production uses D1)'
72
+ },
73
+ {
74
+ key: 'VIBES_AUTH_RESEND_API_KEY',
75
+ category: 'vibes-auth',
76
+ source: 'local-env',
77
+ aliases: ['RESEND_API_KEY'],
78
+ required: false,
79
+ description: 'Resend API key for auth email delivery'
80
+ },
81
+ {
82
+ key: 'VIBES_AUTH_TWILIO_ACCOUNT_SID',
83
+ category: 'vibes-auth',
84
+ source: 'local-env',
85
+ required: false,
86
+ description: 'Twilio account SID for phone OTP delivery'
87
+ },
88
+ {
89
+ key: 'VIBES_AUTH_TWILIO_AUTH_TOKEN',
90
+ category: 'vibes-auth',
91
+ source: 'local-env',
92
+ required: false,
93
+ description: 'Twilio auth token for phone OTP delivery'
94
+ },
95
+ {
96
+ key: 'VIBES_AUTH_GITHUB_CLIENT_ID',
97
+ category: 'vibes-auth',
98
+ source: 'local-env',
99
+ required: false,
100
+ description: 'GitHub OAuth client ID'
101
+ },
102
+ {
103
+ key: 'VIBES_AUTH_GITHUB_CLIENT_SECRET',
104
+ category: 'vibes-auth',
105
+ source: 'local-env',
106
+ required: false,
107
+ description: 'GitHub OAuth client secret'
108
+ },
109
+ {
110
+ key: 'VIBES_AUTH_GOOGLE_CLIENT_ID',
111
+ category: 'vibes-auth',
112
+ source: 'local-env',
113
+ required: false,
114
+ description: 'Google OAuth client ID'
115
+ },
116
+ {
117
+ key: 'VIBES_AUTH_GOOGLE_CLIENT_SECRET',
118
+ category: 'vibes-auth',
119
+ source: 'local-env',
120
+ required: false,
121
+ description: 'Google OAuth client secret'
122
+ },
123
+ {
124
+ key: 'VIBES_AUTH_DISCORD_CLIENT_ID',
125
+ category: 'vibes-auth',
126
+ source: 'local-env',
127
+ required: false,
128
+ description: 'Discord OAuth client ID'
129
+ },
130
+ {
131
+ key: 'VIBES_AUTH_DISCORD_CLIENT_SECRET',
132
+ category: 'vibes-auth',
133
+ source: 'local-env',
134
+ required: false,
135
+ description: 'Discord OAuth client secret'
136
+ },
137
+ {
138
+ key: 'VIBES_AUTH_MICROSOFT_CLIENT_ID',
139
+ category: 'vibes-auth',
140
+ source: 'local-env',
141
+ required: false,
142
+ description: 'Microsoft (Azure AD) OAuth client ID'
143
+ },
144
+ {
145
+ key: 'VIBES_AUTH_MICROSOFT_CLIENT_SECRET',
146
+ category: 'vibes-auth',
147
+ source: 'local-env',
148
+ required: false,
149
+ description: 'Microsoft (Azure AD) OAuth client secret'
150
+ },
151
+ // --- Internal cross-app bearer tokens (account-web, ai-web) ------------------
152
+ {
153
+ key: 'VIBES_AUTH_INTERNAL_TOKEN',
154
+ category: 'vibes-internal',
155
+ source: 'local-env',
156
+ required: true,
157
+ description: 'Bearer token for internal/admin auth API calls'
158
+ },
159
+ {
160
+ key: 'VIBES_INTERNAL_SERVICE_TOKEN',
161
+ category: 'vibes-internal',
162
+ source: 'manual',
163
+ required: true,
164
+ description: 'Shared internal bearer token for platform/account internal RPCs'
165
+ },
166
+ {
167
+ key: 'VIBES_PLATFORM_INTERNAL_TOKEN',
168
+ category: 'vibes-internal',
169
+ source: 'manual',
170
+ required: false,
171
+ description: 'Platform-specific internal bearer token; falls back to VIBES_INTERNAL_SERVICE_TOKEN'
172
+ },
173
+ {
174
+ key: 'VIBES_EMAIL_INGRESS_TOKEN',
175
+ category: 'vibes-internal',
176
+ source: 'manual',
177
+ required: false,
178
+ description: 'Bearer token for inbound email webhooks (auth-web /api/email)'
179
+ },
180
+ // --- Billing (account-web) ---------------------------------------------------
181
+ // `.env.production` stores Stripe under a `VIBES_ACCOUNT_STRIPE_*` prefix;
182
+ // `.env.local` uses the canonical names directly. Either source resolves.
183
+ {
184
+ key: 'STRIPE_SECRET_KEY',
185
+ category: 'provider-billing',
186
+ source: 'local-env',
187
+ aliases: ['VIBES_ACCOUNT_STRIPE_SECRET_KEY'],
188
+ required: false,
189
+ description: 'Stripe secret key for billing sync and checkout'
190
+ },
191
+ {
192
+ key: 'STRIPE_WEBHOOK_SECRET',
193
+ category: 'provider-billing',
194
+ source: 'local-env',
195
+ required: false,
196
+ description: 'Stripe webhook signing secret for /api/webhooks/stripe'
197
+ },
198
+ {
199
+ key: 'STRIPE_PUB_KEY',
200
+ category: 'provider-billing',
201
+ source: 'local-env',
202
+ aliases: ['PUBLIC_STRIPE_KEY', 'VIBES_ACCOUNT_STRIPE_PUB_KEY'],
203
+ required: false,
204
+ description: 'Stripe publishable key (pk_live_*/pk_test_*); safe to expose to clients but tracked here so live/test mode stays aligned with STRIPE_SECRET_KEY'
205
+ },
206
+ {
207
+ key: 'STRIPE_RESTRICTED_KEY',
208
+ category: 'provider-billing',
209
+ source: 'local-env',
210
+ aliases: ['VIBES_ACCOUNT_STRIPE_RESTRICTED_KEY'],
211
+ required: false,
212
+ description: 'Stripe restricted live key (rk_live_*) for narrow-scope ops/CI usage; not consumed at runtime — runtime uses STRIPE_SECRET_KEY'
213
+ },
214
+ {
215
+ key: 'CF_BILLING_SECRET',
216
+ category: 'vibes-internal',
217
+ source: 'manual',
218
+ required: false,
219
+ description: 'Cloudflare-side billing webhook secret'
220
+ },
221
+ {
222
+ key: 'RESEND_API_KEY',
223
+ category: 'provider-other',
224
+ source: 'manual',
225
+ required: false,
226
+ description: 'Resend API key used by account-web to send invoice receipt emails'
227
+ },
228
+ // --- LLM / voice / search providers (ai-web, ai-web) ----------------------
229
+ {
230
+ key: 'OPENAI_API_KEY',
231
+ category: 'provider-llm',
232
+ source: 'manual',
233
+ required: false,
234
+ description: 'OpenAI provider key (ai-web)'
235
+ },
236
+ {
237
+ key: 'ANTHROPIC_API_KEY',
238
+ category: 'provider-llm',
239
+ source: 'manual',
240
+ required: false,
241
+ description: 'Anthropic provider key (ai-web)'
242
+ },
243
+ {
244
+ key: 'GOOGLE_API_KEY',
245
+ category: 'provider-llm',
246
+ source: 'manual',
247
+ required: false,
248
+ description: 'Google provider key (ai-web)'
249
+ },
250
+ {
251
+ key: 'GEMINI_API_KEY',
252
+ category: 'provider-llm',
253
+ source: 'manual',
254
+ required: false,
255
+ description: 'Gemini-named provider key alias (ai-web)'
256
+ },
257
+ {
258
+ key: 'DEEPGRAM_API_KEY',
259
+ category: 'provider-voice',
260
+ source: 'manual',
261
+ required: false,
262
+ description: 'Deepgram transcription provider key (ai-web)'
263
+ },
264
+ {
265
+ key: 'ELEVENLABS_API_KEY',
266
+ category: 'provider-voice',
267
+ source: 'manual',
268
+ required: false,
269
+ description: 'ElevenLabs TTS provider key (ai-web)'
270
+ },
271
+ {
272
+ key: 'FIRECRAWL_API_KEY',
273
+ category: 'provider-search',
274
+ source: 'manual',
275
+ required: false,
276
+ description: 'Firecrawl crawl/scrape provider key (ai-web)'
277
+ },
278
+ {
279
+ key: 'VIBES_API_TOKEN',
280
+ category: 'vibes-internal',
281
+ source: 'manual',
282
+ required: false,
283
+ description: 'Tools-web internal API token'
284
+ },
285
+ {
286
+ key: 'VIBES_TOOL_REGISTRY_TOKEN',
287
+ category: 'vibes-internal',
288
+ source: 'manual',
289
+ required: false,
290
+ description: 'Tools-web tool-registry access token'
291
+ },
292
+ // --- Other provider creds (referenced by deployment configs but not in
293
+ // a Pages app's secrets list yet — included so they round-trip if
294
+ // they end up in `.env.local`) -----------------------------------------
295
+ {
296
+ key: 'DIGITALOCEAN_API_TOKEN',
297
+ category: 'provider-other',
298
+ source: 'local-env',
299
+ required: false,
300
+ description: 'DigitalOcean API token for DOKS / DO Spaces tooling'
301
+ },
302
+ {
303
+ key: 'NPM_TOKEN',
304
+ category: 'provider-other',
305
+ source: 'manual',
306
+ required: false,
307
+ description: 'npm publish token used by `vibes infra npm publish`'
308
+ }
309
+ ]
310
+ });
311
+ export const canonicalImportManifest = manifest;
312
+ export default manifest;
313
+ //# sourceMappingURL=canonical.js.map
package/dist/manifest/canonical.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"canonical.js","sourceRoot":"","sources":["../../src/manifest/canonical.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AAEH,OAAO,EACN,2BAA2B,EAE3B,MAAM,0BAA0B,CAAC;AAElC,MAAM,QAAQ,GAA0B,2BAA2B,CAAC,KAAK,CAAC;IACzE,OAAO,EAAE,CAAC;IACV,OAAO,EAAE;QACR,WAAW,EAAE;YACZ,IAAI,EAAE,YAAY;YAClB,OAAO,EACN,8EAA8E;SAC/E;QACD,gBAAgB,EAAE;YACjB,IAAI,EAAE,iBAAiB;YACvB,OAAO,EAAE,iEAAiE;SAC1E;QACD,QAAQ,EAAE;YACT,OAAO,EACN,sFAAsF;SACvF;KACD;IACD,OAAO,EAAE;QACR,+EAA+E;QAC/E;YACC,GAAG,EAAE,mBAAmB;YACxB,QAAQ,EAAE,YAAY;YACtB,MAAM,EAAE,WAAW;YACnB,QAAQ,EAAE,IAAI;YACd,WAAW,EAAE,uCAAuC;SACpD;QACD,mEAAmE;QACnE,4EAA4E;QAC5E,wEAAwE;QACxE,sEAAsE;QACtE,qEAAqE;QACrE,sEAAsE;QACtE,gCAAgC;QAChC;YACC,GAAG,EAAE,yBAAyB;YAC9B,QAAQ,EAAE,YAAY;YACtB,MAAM,EAAE,WAAW;YACnB,QAAQ,EAAE,KAAK;YACf,WAAW,EAAE,kFAAkF;SAC/F;QACD;YACC,GAAG,EAAE,gCAAgC;YACrC,QAAQ,EAAE,YAAY;YACtB,MAAM,EAAE,WAAW;YACnB,OAAO,EAAE,CAAC,qBAAqB,CAAC;YAChC,QAAQ,EAAE,KAAK;YACf,WAAW,EAAE,8EAA8E;SAC3F;QACD;YACC,GAAG,EAAE,2BAA2B;YAChC,QAAQ,EAAE,YAAY;YACtB,MAAM,EAAE,WAAW;YACnB,OAAO,EAAE,CAAC,gBAAgB,CAAC;YAC3B,QAAQ,EAAE,KAAK;YACf,WAAW,EAAE,wCAAwC;SACrD;QACD;YACC,GAAG,EAAE,+BAA+B;YACpC,QAAQ,EAAE,YAAY;YACtB,MAAM,EAAE,WAAW;YACnB,QAAQ,EAAE,KAAK;YACf,WAAW,EAAE,2CAA2C;SACxD;QACD;YACC,GAAG,EAAE,8BAA8B;YACnC,QAAQ,EAAE,YAAY;YACtB,MAAM,EAAE,WAAW;YACnB,QAAQ,EAAE,KAAK;YACf,WAAW,EAAE,0CAA0C;SACvD;QACD;YACC,GAAG,EAAE,6BAA6B;YAClC,QAAQ,EAAE,YAAY;YACtB,MAAM,EAAE,WAAW;YACnB,QAAQ,EAAE,KAAK;YACf,WAAW,EAAE,wBAAwB;SACrC;QACD;YACC,GAAG,EAAE,iCAAiC;YACtC,QAAQ,EAAE,YAAY;YACtB,MAAM,EAAE,WAAW;YACnB,QAAQ,EAAE,KAAK;YACf,WAAW,EAAE,4BAA4B;SACzC;QACD;YACC,GAAG,EAAE,6BAA6B;YAClC,QAAQ,EAAE,YAAY;YACtB,MAAM,EAAE,WAAW;YACnB,QAAQ,EAAE,KAAK;YACf,WAAW,EAAE,wBAAwB;SACrC;QACD;YACC,GAAG,EAAE,iCAAiC;YACtC,QAAQ,EAAE,YAAY;YACtB,MAAM,EAAE,WAAW;YACnB,QAAQ,EAAE,KAAK;YACf,WAAW,EAAE,4BAA4B;SACzC;QACD;YACC,GAAG,EAAE,8BAA8B;YACnC,QAAQ,EAAE,YAAY;YACtB,MAAM,EAAE,WAAW;YACnB,QAAQ,EAAE,KAAK;YACf,WAAW,EAAE,yBAAyB;SACtC;QACD;YACC,GAAG,EAAE,kCAAkC;YACvC,QAAQ,EAAE,YAAY;YACtB,MAAM,EAAE,WAAW;YACnB,QAAQ,EAAE,KAAK;YACf,WAAW,EAAE,6BAA6B;SAC1C;QACD;YACC,GAAG,EAAE,gCAAgC;YACrC,QAAQ,EAAE,YAAY;YACtB,MAAM,EAAE,WAAW;YACnB,QAAQ,EAAE,KAAK;YACf,WAAW,EAAE,sCAAsC;SACnD;QACD;YACC,GAAG,EAAE,oCAAoC;YACzC,QAAQ,EAAE,YAAY;YACtB,MAAM,EAAE,WAAW;YACnB,QAAQ,EAAE,KAAK;YACf,WAAW,EAAE,0CAA0C;SACvD;QAED,gFAAgF;QAChF;YACC,GAAG,EAAE,2BAA2B;YAChC,QAAQ,EAAE,gBAAgB;YAC1B,MAAM,EAAE,WAAW;YACnB,QAAQ,EAAE,IAAI;YACd,WAAW,EAAE,gDAAgD;SAC7D;QACD;YACC,GAAG,EAAE,8BAA8B;YACnC,QAAQ,EAAE,gBAAgB;YAC1B,MAAM,EAAE,QAAQ;YAChB,QAAQ,EAAE,IAAI;YACd,WAAW,EAAE,iEAAiE;SAC9E;QACD;YACC,GAAG,EAAE,+BAA+B;YACpC,QAAQ,EAAE,gBAAgB;YAC1B,MAAM,EAAE,QAAQ;YAChB,QAAQ,EAAE,KAAK;YACf,WAAW,EAAE,qFAAqF;SAClG;QACD;YACC,GAAG,EAAE,2BAA2B;YAChC,QAAQ,EAAE,gBAAgB;YAC1B,MAAM,EAAE,QAAQ;YAChB,QAAQ,EAAE,KAAK;YACf,WAAW,EAAE,+DAA+D;SAC5E;QAED,gFAAgF;QAChF,2EAA2E;QAC3E,0EAA0E;QAC1E;YACC,GAAG,EAAE,mBAAmB;YACxB,QAAQ,EAAE,kBAAkB;YAC5B,MAAM,EAAE,WAAW;YACnB,OAAO,EAAE,CAAC,iCAAiC,CAAC;YAC5C,QAAQ,EAAE,KAAK;YACf,WAAW,EAAE,iDAAiD;SAC9D;QACD;YACC,GAAG,EAAE,uBAAuB;YAC5B,QAAQ,EAAE,kBAAkB;YAC5B,MAAM,EAAE,WAAW;YACnB,QAAQ,EAAE,KAAK;YACf,WAAW,EAAE,wDAAwD;SACrE;QACD;YACC,GAAG,EAAE,gBAAgB;YACrB,QAAQ,EAAE,kBAAkB;YAC5B,MAAM,EAAE,WAAW;YACnB,OAAO,EAAE,CAAC,mBAAmB,EAAE,8BAA8B,CAAC;YAC9D,QAAQ,EAAE,KAAK;YACf,WAAW,EAAE,iJAAiJ;SAC9J;QACD;YACC,GAAG,EAAE,uBAAuB;YAC5B,QAAQ,EAAE,kBAAkB;YAC5B,MAAM,EAAE,WAAW;YACnB,OAAO,EAAE,CAAC,qCAAqC,CAAC;YAChD,QAAQ,EAAE,KAAK;YACf,WAAW,EAAE,gIAAgI;SAC7I;QACD;YACC,GAAG,EAAE,mBAAmB;YACxB,QAAQ,EAAE,gBAAgB;YAC1B,MAAM,EAAE,QAAQ;YAChB,QAAQ,EAAE,KAAK;YACf,WAAW,EAAE,wCAAwC;SACrD;QACD;YACC,GAAG,EAAE,gBAAgB;YACrB,QAAQ,EAAE,gBAAgB;YAC1B,MAAM,EAAE,QAAQ;YAChB,QAAQ,EAAE,KAAK;YACf,WAAW,EAAE,mEAAmE;SAChF;QAED,6EAA6E;QAC7E;YACC,GAAG,EAAE,gBAAgB;YACrB,QAAQ,EAAE,cAAc;YACxB,MAAM,EAAE,QAAQ;YAChB,QAAQ,EAAE,KAAK;YACf,WAAW,EAAE,8BAA8B;SAC3C;QACD;YACC,GAAG,EAAE,mBAAmB;YACxB,QAAQ,EAAE,cAAc;YACxB,MAAM,EAAE,QAAQ;YAChB,QAAQ,EAAE,KAAK;YACf,WAAW,EAAE,iCAAiC;SAC9C;QACD;YACC,GAAG,EAAE,gBAAgB;YACrB,QAAQ,EAAE,cAAc;YACxB,MAAM,EAAE,QAAQ;YAChB,QAAQ,EAAE,KAAK;YACf,WAAW,EAAE,8BAA8B;SAC3C;QACD;YACC,GAAG,EAAE,gBAAgB;YACrB,QAAQ,EAAE,cAAc;YACxB,MAAM,EAAE,QAAQ;YAChB,QAAQ,EAAE,KAAK;YACf,WAAW,EAAE,0CAA0C;SACvD;QACD;YACC,GAAG,EAAE,kBAAkB;YACvB,QAAQ,EAAE,gBAAgB;YAC1B,MAAM,EAAE,QAAQ;YAChB,QAAQ,EAAE,KAAK;YACf,WAAW,EAAE,8CAA8C;SAC3D;QACD;YACC,GAAG,EAAE,oBAAoB;YACzB,QAAQ,EAAE,gBAAgB;YAC1B,MAAM,EAAE,QAAQ;YAChB,QAAQ,EAAE,KAAK;YACf,WAAW,EAAE,sCAAsC;SACnD;QACD;YACC,GAAG,EAAE,mBAAmB;YACxB,QAAQ,EAAE,iBAAiB;YAC3B,MAAM,EAAE,QAAQ;YAChB,QAAQ,EAAE,KAAK;YACf,WAAW,EAAE,8CAA8C;SAC3D;QACD;YACC,GAAG,EAAE,iBAAiB;YACtB,QAAQ,EAAE,gBAAgB;YAC1B,MAAM,EAAE,QAAQ;YAChB,QAAQ,EAAE,KAAK;YACf,WAAW,EAAE,8BAA8B;SAC3C;QACD;YACC,GAAG,EAAE,2BAA2B;YAChC,QAAQ,EAAE,gBAAgB;YAC1B,MAAM,EAAE,QAAQ;YAChB,QAAQ,EAAE,KAAK;YACf,WAAW,EAAE,sCAAsC;SACnD;QAED,wEAAwE;QACxE,sEAAsE;QACtE,6EAA6E;QAC7E;YACC,GAAG,EAAE,wBAAwB;YAC7B,QAAQ,EAAE,gBAAgB;YAC1B,MAAM,EAAE,WAAW;YACnB,QAAQ,EAAE,KAAK;YACf,WAAW,EAAE,qDAAqD;SAClE;QACD;YACC,GAAG,EAAE,WAAW;YAChB,QAAQ,EAAE,gBAAgB;YAC1B,MAAM,EAAE,QAAQ;YAChB,QAAQ,EAAE,KAAK;YACf,WAAW,EAAE,qDAAqD;SAClE;KACD;CACD,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,uBAAuB,GAA0B,QAAQ,CAAC;AACvE,eAAe,QAAQ,CAAC"}
package/dist/manifest/import-manifest.schema.d.ts ADDED
@@ -0,0 +1,77 @@
1
+ /**
2
+ * Secrets Import Manifest Schema
3
+ *
4
+ * Catalogs the secrets the platform expects to receive from local root env
5
+ * files at bootstrap time. Carries no values — only key identity, source
6
+ * preference, and intent. The manifest is the contract a `vibes secrets
7
+ * import` command (phase 5) reads against.
8
+ */
9
+ import * as z from 'zod/v4';
10
+ /**
11
+ * Where a secret value is expected to originate from when running
12
+ * `vibes secrets import`. Sources with a `path` are repo-relative .env-shaped
13
+ * files; they are read-only inputs and never committed. Sources without a
14
+ * `path` (e.g. the canonical `manual` source) describe entries that are not
15
+ * importable from disk and must be set through other means
16
+ * (`vibes secrets set`, generated tokens, Cloudflare dashboard, etc.).
17
+ */
18
+ export declare const SecretSourceSchema: z.ZodObject<{
19
+ path: z.ZodOptional<z.ZodString>;
20
+ purpose: z.ZodString;
21
+ }, z.core.$strip>;
22
+ export type SecretSource = z.infer<typeof SecretSourceSchema>;
23
+ export declare const SecretCategorySchema: z.ZodEnum<{
24
+ "vibes-internal": "vibes-internal";
25
+ "vibes-auth": "vibes-auth";
26
+ cloudflare: "cloudflare";
27
+ "provider-llm": "provider-llm";
28
+ "provider-voice": "provider-voice";
29
+ "provider-search": "provider-search";
30
+ "provider-billing": "provider-billing";
31
+ "provider-other": "provider-other";
32
+ }>;
33
+ export type SecretCategory = z.infer<typeof SecretCategorySchema>;
34
+ export declare const SecretManifestEntrySchema: z.ZodObject<{
35
+ key: z.ZodString;
36
+ category: z.ZodEnum<{
37
+ "vibes-internal": "vibes-internal";
38
+ "vibes-auth": "vibes-auth";
39
+ cloudflare: "cloudflare";
40
+ "provider-llm": "provider-llm";
41
+ "provider-voice": "provider-voice";
42
+ "provider-search": "provider-search";
43
+ "provider-billing": "provider-billing";
44
+ "provider-other": "provider-other";
45
+ }>;
46
+ source: z.ZodString;
47
+ aliases: z.ZodDefault<z.ZodArray<z.ZodString>>;
48
+ required: z.ZodDefault<z.ZodBoolean>;
49
+ description: z.ZodString;
50
+ }, z.core.$strip>;
51
+ export type SecretManifestEntry = z.infer<typeof SecretManifestEntrySchema>;
52
+ export declare const SecretsImportManifestSchema: z.ZodObject<{
53
+ version: z.ZodLiteral<1>;
54
+ sources: z.ZodRecord<z.ZodString, z.ZodObject<{
55
+ path: z.ZodOptional<z.ZodString>;
56
+ purpose: z.ZodString;
57
+ }, z.core.$strip>>;
58
+ secrets: z.ZodArray<z.ZodObject<{
59
+ key: z.ZodString;
60
+ category: z.ZodEnum<{
61
+ "vibes-internal": "vibes-internal";
62
+ "vibes-auth": "vibes-auth";
63
+ cloudflare: "cloudflare";
64
+ "provider-llm": "provider-llm";
65
+ "provider-voice": "provider-voice";
66
+ "provider-search": "provider-search";
67
+ "provider-billing": "provider-billing";
68
+ "provider-other": "provider-other";
69
+ }>;
70
+ source: z.ZodString;
71
+ aliases: z.ZodDefault<z.ZodArray<z.ZodString>>;
72
+ required: z.ZodDefault<z.ZodBoolean>;
73
+ description: z.ZodString;
74
+ }, z.core.$strip>>;
75
+ }, z.core.$strip>;
76
+ export type SecretsImportManifest = z.infer<typeof SecretsImportManifestSchema>;
77
+ //# sourceMappingURL=import-manifest.schema.d.ts.map
package/dist/manifest/import-manifest.schema.d.ts.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"import-manifest.schema.d.ts","sourceRoot":"","sources":["../../src/manifest/import-manifest.schema.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,CAAC,MAAM,QAAQ,CAAC;AAE5B;;;;;;;GAOG;AACH,eAAO,MAAM,kBAAkB;;;iBAK7B,CAAC;AACH,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAE9D,eAAO,MAAM,oBAAoB;;;;;;;;;EAS/B,CAAC;AACH,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAElE,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;iBAapC,CAAC;AACH,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAC;AAE5E,eAAO,MAAM,2BAA2B;;;;;;;;;;;;;;;;;;;;;;;iBAMtC,CAAC;AACH,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,2BAA2B,CAAC,CAAC"}