@vibesdotdev/secrets 0.0.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +59 -0
- package/SPEC.md +47 -0
- package/dist/cli/check/schemas/check-result.d.ts +9 -0
- package/dist/cli/check/schemas/check-result.d.ts.map +1 -0
- package/dist/cli/check/schemas/check-result.js +2 -0
- package/dist/cli/check/schemas/check-result.js.map +1 -0
- package/dist/cli/check/secrets.check.cli-command.descriptor.d.ts +4 -0
- package/dist/cli/check/secrets.check.cli-command.descriptor.d.ts.map +1 -0
- package/dist/cli/check/secrets.check.cli-command.descriptor.js +19 -0
- package/dist/cli/check/secrets.check.cli-command.descriptor.js.map +1 -0
- package/dist/cli/check/secrets.check.cli-command.impl.d.ts +5 -0
- package/dist/cli/check/secrets.check.cli-command.impl.d.ts.map +1 -0
- package/dist/cli/check/secrets.check.cli-command.impl.js +135 -0
- package/dist/cli/check/secrets.check.cli-command.impl.js.map +1 -0
- package/dist/cli/export/secrets.export.cli-command.descriptor.d.ts +4 -0
- package/dist/cli/export/secrets.export.cli-command.descriptor.d.ts.map +1 -0
- package/dist/cli/export/secrets.export.cli-command.descriptor.js +20 -0
- package/dist/cli/export/secrets.export.cli-command.descriptor.js.map +1 -0
- package/dist/cli/export/secrets.export.cli-command.impl.d.ts +5 -0
- package/dist/cli/export/secrets.export.cli-command.impl.d.ts.map +1 -0
- package/dist/cli/export/secrets.export.cli-command.impl.js +104 -0
- package/dist/cli/export/secrets.export.cli-command.impl.js.map +1 -0
- package/dist/cli/hooks/pre-commit-secrets.d.ts +2 -0
- package/dist/cli/hooks/pre-commit-secrets.d.ts.map +1 -0
- package/dist/cli/hooks/pre-commit-secrets.js +68 -0
- package/dist/cli/hooks/pre-commit-secrets.js.map +1 -0
- package/dist/cli/import/secrets.import.cli-command.descriptor.d.ts +4 -0
- package/dist/cli/import/secrets.import.cli-command.descriptor.d.ts.map +1 -0
- package/dist/cli/import/secrets.import.cli-command.descriptor.js +19 -0
- package/dist/cli/import/secrets.import.cli-command.descriptor.js.map +1 -0
- package/dist/cli/import/secrets.import.cli-command.impl.d.ts +5 -0
- package/dist/cli/import/secrets.import.cli-command.impl.d.ts.map +1 -0
- package/dist/cli/import/secrets.import.cli-command.impl.js +155 -0
- package/dist/cli/import/secrets.import.cli-command.impl.js.map +1 -0
- package/dist/cli/list/secrets.list.cli-command.descriptor.d.ts +4 -0
- package/dist/cli/list/secrets.list.cli-command.descriptor.d.ts.map +1 -0
- package/dist/cli/list/secrets.list.cli-command.descriptor.js +18 -0
- package/dist/cli/list/secrets.list.cli-command.descriptor.js.map +1 -0
- package/dist/cli/list/secrets.list.cli-command.impl.d.ts +5 -0
- package/dist/cli/list/secrets.list.cli-command.impl.d.ts.map +1 -0
- package/dist/cli/list/secrets.list.cli-command.impl.js +61 -0
- package/dist/cli/list/secrets.list.cli-command.impl.js.map +1 -0
- package/dist/cli/pre-commit/secrets.pre-commit-check.cli-command.descriptor.d.ts +4 -0
- package/dist/cli/pre-commit/secrets.pre-commit-check.cli-command.descriptor.d.ts.map +1 -0
- package/dist/cli/pre-commit/secrets.pre-commit-check.cli-command.descriptor.js +16 -0
- package/dist/cli/pre-commit/secrets.pre-commit-check.cli-command.descriptor.js.map +1 -0
- package/dist/cli/pre-commit/secrets.pre-commit-check.cli-command.impl.d.ts +5 -0
- package/dist/cli/pre-commit/secrets.pre-commit-check.cli-command.impl.d.ts.map +1 -0
- package/dist/cli/pre-commit/secrets.pre-commit-check.cli-command.impl.js +10 -0
- package/dist/cli/pre-commit/secrets.pre-commit-check.cli-command.impl.js.map +1 -0
- package/dist/cli/pull/secrets.pull.cli-command.descriptor.d.ts +4 -0
- package/dist/cli/pull/secrets.pull.cli-command.descriptor.d.ts.map +1 -0
- package/dist/cli/pull/secrets.pull.cli-command.descriptor.js +20 -0
- package/dist/cli/pull/secrets.pull.cli-command.descriptor.js.map +1 -0
- package/dist/cli/pull/secrets.pull.cli-command.impl.d.ts +5 -0
- package/dist/cli/pull/secrets.pull.cli-command.impl.d.ts.map +1 -0
- package/dist/cli/pull/secrets.pull.cli-command.impl.js +76 -0
- package/dist/cli/pull/secrets.pull.cli-command.impl.js.map +1 -0
- package/dist/cli/push/secrets.push.cli-command.descriptor.d.ts +4 -0
- package/dist/cli/push/secrets.push.cli-command.descriptor.d.ts.map +1 -0
- package/dist/cli/push/secrets.push.cli-command.descriptor.js +22 -0
- package/dist/cli/push/secrets.push.cli-command.descriptor.js.map +1 -0
- package/dist/cli/push/secrets.push.cli-command.impl.d.ts +5 -0
- package/dist/cli/push/secrets.push.cli-command.impl.d.ts.map +1 -0
- package/dist/cli/push/secrets.push.cli-command.impl.js +109 -0
- package/dist/cli/push/secrets.push.cli-command.impl.js.map +1 -0
- package/dist/cli/reveal/secrets.reveal.cli-command.descriptor.d.ts +4 -0
- package/dist/cli/reveal/secrets.reveal.cli-command.descriptor.d.ts.map +1 -0
- package/dist/cli/reveal/secrets.reveal.cli-command.descriptor.js +19 -0
- package/dist/cli/reveal/secrets.reveal.cli-command.descriptor.js.map +1 -0
- package/dist/cli/reveal/secrets.reveal.cli-command.impl.d.ts +5 -0
- package/dist/cli/reveal/secrets.reveal.cli-command.impl.d.ts.map +1 -0
- package/dist/cli/reveal/secrets.reveal.cli-command.impl.js +85 -0
- package/dist/cli/reveal/secrets.reveal.cli-command.impl.js.map +1 -0
- package/dist/cli/secrets.cli-group.descriptor.d.ts +4 -0
- package/dist/cli/secrets.cli-group.descriptor.d.ts.map +1 -0
- package/dist/cli/secrets.cli-group.descriptor.js +11 -0
- package/dist/cli/secrets.cli-group.descriptor.js.map +1 -0
- package/dist/cli/set/secrets.set.cli-command.descriptor.d.ts +4 -0
- package/dist/cli/set/secrets.set.cli-command.descriptor.d.ts.map +1 -0
- package/dist/cli/set/secrets.set.cli-command.descriptor.js +21 -0
- package/dist/cli/set/secrets.set.cli-command.descriptor.js.map +1 -0
- package/dist/cli/set/secrets.set.cli-command.impl.d.ts +5 -0
- package/dist/cli/set/secrets.set.cli-command.impl.d.ts.map +1 -0
- package/dist/cli/set/secrets.set.cli-command.impl.js +59 -0
- package/dist/cli/set/secrets.set.cli-command.impl.js.map +1 -0
- package/dist/cli/shared/resolve-environment.d.ts +14 -0
- package/dist/cli/shared/resolve-environment.d.ts.map +1 -0
- package/dist/cli/shared/resolve-environment.js +45 -0
- package/dist/cli/shared/resolve-environment.js.map +1 -0
- package/dist/cli/unset/secrets.unset.cli-command.descriptor.d.ts +4 -0
- package/dist/cli/unset/secrets.unset.cli-command.descriptor.d.ts.map +1 -0
- package/dist/cli/unset/secrets.unset.cli-command.descriptor.js +20 -0
- package/dist/cli/unset/secrets.unset.cli-command.descriptor.js.map +1 -0
- package/dist/cli/unset/secrets.unset.cli-command.impl.d.ts +5 -0
- package/dist/cli/unset/secrets.unset.cli-command.impl.d.ts.map +1 -0
- package/dist/cli/unset/secrets.unset.cli-command.impl.js +31 -0
- package/dist/cli/unset/secrets.unset.cli-command.impl.js.map +1 -0
- package/dist/docs/backends.docs.descriptor.d.ts +4 -0
- package/dist/docs/backends.docs.descriptor.d.ts.map +1 -0
- package/dist/docs/backends.docs.descriptor.js +149 -0
- package/dist/docs/backends.docs.descriptor.js.map +1 -0
- package/dist/docs/encryption.docs.descriptor.d.ts +4 -0
- package/dist/docs/encryption.docs.descriptor.d.ts.map +1 -0
- package/dist/docs/encryption.docs.descriptor.js +163 -0
- package/dist/docs/encryption.docs.descriptor.js.map +1 -0
- package/dist/docs/env-file.docs.descriptor.d.ts +4 -0
- package/dist/docs/env-file.docs.descriptor.d.ts.map +1 -0
- package/dist/docs/env-file.docs.descriptor.js +207 -0
- package/dist/docs/env-file.docs.descriptor.js.map +1 -0
- package/dist/index.d.ts +13 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +13 -0
- package/dist/index.js.map +1 -0
- package/dist/kinds/index.d.ts +4 -0
- package/dist/kinds/index.d.ts.map +1 -0
- package/dist/kinds/index.js +3 -0
- package/dist/kinds/index.js.map +1 -0
- package/dist/kinds/schemas/store.schema.d.ts +49 -0
- package/dist/kinds/schemas/store.schema.d.ts.map +1 -0
- package/dist/kinds/schemas/store.schema.js +34 -0
- package/dist/kinds/schemas/store.schema.js.map +1 -0
- package/dist/kinds/schemas/store.types.d.ts +28 -0
- package/dist/kinds/schemas/store.types.d.ts.map +1 -0
- package/dist/kinds/schemas/store.types.js +2 -0
- package/dist/kinds/schemas/store.types.js.map +1 -0
- package/dist/kinds/store.interface.d.ts +2 -0
- package/dist/kinds/store.interface.d.ts.map +1 -0
- package/dist/kinds/store.interface.js +2 -0
- package/dist/kinds/store.interface.js.map +1 -0
- package/dist/kinds/store.kind.d.ts +10 -0
- package/dist/kinds/store.kind.d.ts.map +1 -0
- package/dist/kinds/store.kind.js +36 -0
- package/dist/kinds/store.kind.js.map +1 -0
- package/dist/kinds/store.schema.d.ts +2 -0
- package/dist/kinds/store.schema.d.ts.map +1 -0
- package/dist/kinds/store.schema.js +2 -0
- package/dist/kinds/store.schema.js.map +1 -0
- package/dist/manifest/canonical.d.ts +30 -0
- package/dist/manifest/canonical.d.ts.map +1 -0
- package/dist/manifest/canonical.js +313 -0
- package/dist/manifest/canonical.js.map +1 -0
- package/dist/manifest/import-manifest.schema.d.ts +77 -0
- package/dist/manifest/import-manifest.schema.d.ts.map +1 -0
- package/dist/manifest/import-manifest.schema.js +55 -0
- package/dist/manifest/import-manifest.schema.js.map +1 -0
- package/dist/manifest/index.d.ts +3 -0
- package/dist/manifest/index.d.ts.map +1 -0
- package/dist/manifest/index.js +3 -0
- package/dist/manifest/index.js.map +1 -0
- package/dist/requirements/index.d.ts +2 -0
- package/dist/requirements/index.d.ts.map +1 -0
- package/dist/requirements/index.js +2 -0
- package/dist/requirements/index.js.map +1 -0
- package/dist/requirements/resolver.d.ts +52 -0
- package/dist/requirements/resolver.d.ts.map +1 -0
- package/dist/requirements/resolver.js +196 -0
- package/dist/requirements/resolver.js.map +1 -0
- package/dist/requirements/schemas/requirements.d.ts +27 -0
- package/dist/requirements/schemas/requirements.d.ts.map +1 -0
- package/dist/requirements/schemas/requirements.js +2 -0
- package/dist/requirements/schemas/requirements.js.map +1 -0
- package/dist/secrets.plugin.d.ts +8 -0
- package/dist/secrets.plugin.d.ts.map +1 -0
- package/dist/secrets.plugin.js +59 -0
- package/dist/secrets.plugin.js.map +1 -0
- package/package.json +108 -0
- package/src/cli/check/schemas/check-result.ts +8 -0
- package/src/cli/check/secrets.check.cli-command.descriptor.ts +21 -0
- package/src/cli/check/secrets.check.cli-command.impl.ts +163 -0
- package/src/cli/export/secrets.export.cli-command.descriptor.ts +22 -0
- package/src/cli/export/secrets.export.cli-command.impl.ts +139 -0
- package/src/cli/hooks/pre-commit-secrets.ts +73 -0
- package/src/cli/import/secrets.import.cli-command.descriptor.ts +21 -0
- package/src/cli/import/secrets.import.cli-command.impl.ts +178 -0
- package/src/cli/list/secrets.list.cli-command.descriptor.ts +21 -0
- package/src/cli/list/secrets.list.cli-command.impl.ts +79 -0
- package/src/cli/pre-commit/secrets.pre-commit-check.cli-command.descriptor.ts +18 -0
- package/src/cli/pre-commit/secrets.pre-commit-check.cli-command.impl.ts +11 -0
- package/src/cli/pull/secrets.pull.cli-command.descriptor.ts +22 -0
- package/src/cli/pull/secrets.pull.cli-command.impl.ts +103 -0
- package/src/cli/push/secrets.push.cli-command.descriptor.ts +24 -0
- package/src/cli/push/secrets.push.cli-command.impl.ts +149 -0
- package/src/cli/reveal/secrets.reveal.cli-command.descriptor.ts +21 -0
- package/src/cli/reveal/secrets.reveal.cli-command.impl.ts +108 -0
- package/src/cli/secrets.cli-group.descriptor.ts +13 -0
- package/src/cli/set/secrets.set.cli-command.descriptor.ts +23 -0
- package/src/cli/set/secrets.set.cli-command.impl.ts +77 -0
- package/src/cli/shared/resolve-environment.ts +57 -0
- package/src/cli/unset/secrets.unset.cli-command.descriptor.ts +22 -0
- package/src/cli/unset/secrets.unset.cli-command.impl.ts +41 -0
- package/src/docs/backends.docs.descriptor.ts +151 -0
- package/src/docs/encryption.docs.descriptor.ts +165 -0
- package/src/docs/env-file.docs.descriptor.ts +209 -0
- package/src/index.ts +35 -0
- package/src/kinds/index.ts +12 -0
- package/src/kinds/schemas/store.schema.ts +47 -0
- package/src/kinds/schemas/store.types.ts +35 -0
- package/src/kinds/store.interface.ts +1 -0
- package/src/kinds/store.kind.ts +52 -0
- package/src/kinds/store.schema.ts +8 -0
- package/src/manifest/canonical.ts +324 -0
- package/src/manifest/import-manifest.schema.ts +63 -0
- package/src/manifest/index.ts +12 -0
- package/src/requirements/index.ts +6 -0
- package/src/requirements/resolver.ts +216 -0
- package/src/requirements/schemas/requirements.ts +29 -0
- package/src/secrets.plugin.ts +65 -0
|
@@ -0,0 +1,55 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Secrets Import Manifest Schema
|
|
3
|
+
*
|
|
4
|
+
* Catalogs the secrets the platform expects to receive from local root env
|
|
5
|
+
* files at bootstrap time. Carries no values — only key identity, source
|
|
6
|
+
* preference, and intent. The manifest is the contract a `vibes secrets
|
|
7
|
+
* import` command (phase 5) reads against.
|
|
8
|
+
*/
|
|
9
|
+
import * as z from 'zod/v4';
|
|
10
|
+
/**
|
|
11
|
+
* Where a secret value is expected to originate from when running
|
|
12
|
+
* `vibes secrets import`. Sources with a `path` are repo-relative .env-shaped
|
|
13
|
+
* files; they are read-only inputs and never committed. Sources without a
|
|
14
|
+
* `path` (e.g. the canonical `manual` source) describe entries that are not
|
|
15
|
+
* importable from disk and must be set through other means
|
|
16
|
+
* (`vibes secrets set`, generated tokens, Cloudflare dashboard, etc.).
|
|
17
|
+
*/
|
|
18
|
+
export const SecretSourceSchema = z.object({
|
|
19
|
+
/** Repo-relative path to the .env file. Omit for non-importable sources. */
|
|
20
|
+
path: z.string().min(1).optional(),
|
|
21
|
+
/** Why this source owns this category of secrets (Vibes internals, providers, etc.) */
|
|
22
|
+
purpose: z.string().min(1)
|
|
23
|
+
});
|
|
24
|
+
export const SecretCategorySchema = z.enum([
|
|
25
|
+
'vibes-internal',
|
|
26
|
+
'vibes-auth',
|
|
27
|
+
'cloudflare',
|
|
28
|
+
'provider-llm',
|
|
29
|
+
'provider-voice',
|
|
30
|
+
'provider-search',
|
|
31
|
+
'provider-billing',
|
|
32
|
+
'provider-other'
|
|
33
|
+
]);
|
|
34
|
+
export const SecretManifestEntrySchema = z.object({
|
|
35
|
+
/** Canonical key in Cloudflare Secrets Store. Matches env var name unless renamed. */
|
|
36
|
+
key: z.string().regex(/^[_A-Z0-9]+$/),
|
|
37
|
+
/** Category this secret belongs to (drives source-file routing) */
|
|
38
|
+
category: SecretCategorySchema,
|
|
39
|
+
/** Preferred source file id (must exist in `sources`) */
|
|
40
|
+
source: z.string().min(1),
|
|
41
|
+
/** Alternate names this secret may appear under in the source file */
|
|
42
|
+
aliases: z.array(z.string().regex(/^[_A-Z0-9]+$/)).default([]),
|
|
43
|
+
/** Whether the secret is required for a production push */
|
|
44
|
+
required: z.boolean().default(true),
|
|
45
|
+
/** Human-readable description of what this secret unlocks */
|
|
46
|
+
description: z.string().min(1)
|
|
47
|
+
});
|
|
48
|
+
export const SecretsImportManifestSchema = z.object({
|
|
49
|
+
version: z.literal(1),
|
|
50
|
+
/** Map of source id → file path + purpose */
|
|
51
|
+
sources: z.record(z.string().min(1), SecretSourceSchema),
|
|
52
|
+
/** Catalog of expected secrets, keyed by canonical name */
|
|
53
|
+
secrets: z.array(SecretManifestEntrySchema)
|
|
54
|
+
});
|
|
55
|
+
//# sourceMappingURL=import-manifest.schema.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"import-manifest.schema.js","sourceRoot":"","sources":["../../src/manifest/import-manifest.schema.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,CAAC,MAAM,QAAQ,CAAC;AAE5B;;;;;;;GAOG;AACH,MAAM,CAAC,MAAM,kBAAkB,GAAG,CAAC,CAAC,MAAM,CAAC;IAC1C,4EAA4E;IAC5E,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;IAClC,uFAAuF;IACvF,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;CAC1B,CAAC,CAAC;AAGH,MAAM,CAAC,MAAM,oBAAoB,GAAG,CAAC,CAAC,IAAI,CAAC;IAC1C,gBAAgB;IAChB,YAAY;IACZ,YAAY;IACZ,cAAc;IACd,gBAAgB;IAChB,iBAAiB;IACjB,kBAAkB;IAClB,gBAAgB;CAChB,CAAC,CAAC;AAGH,MAAM,CAAC,MAAM,yBAAyB,GAAG,CAAC,CAAC,MAAM,CAAC;IACjD,sFAAsF;IACtF,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,KAAK,CAAC,cAAc,CAAC;IACrC,mEAAmE;IACnE,QAAQ,EAAE,oBAAoB;IAC9B,yDAAyD;IACzD,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACzB,sEAAsE;IACtE,OAAO,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;IAC9D,2DAA2D;IAC3D,QAAQ,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IACnC,6DAA6D;IAC7D,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;CAC9B,CAAC,CAAC;AAGH,MAAM,CAAC,MAAM,2BAA2B,GAAG,CAAC,CAAC,MAAM,CAAC;IACnD,OAAO,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC;IACrB,6CAA6C;IAC7C,OAAO,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,kBAAkB,CAAC;IACxD,2DAA2D;IAC3D,OAAO,EAAE,CAAC,CAAC,KAAK,CAAC,yBAAyB,CAAC;CAC3C,CAAC,CAAC"}
|
|
@@ -0,0 +1,3 @@
|
|
|
1
|
+
export { SecretsImportManifestSchema, SecretManifestEntrySchema, SecretSourceSchema, SecretCategorySchema, type SecretsImportManifest, type SecretManifestEntry, type SecretSource, type SecretCategory } from './import-manifest.schema';
|
|
2
|
+
export { canonicalImportManifest } from './canonical';
|
|
3
|
+
//# sourceMappingURL=index.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/manifest/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACN,2BAA2B,EAC3B,yBAAyB,EACzB,kBAAkB,EAClB,oBAAoB,EACpB,KAAK,qBAAqB,EAC1B,KAAK,mBAAmB,EACxB,KAAK,YAAY,EACjB,KAAK,cAAc,EACnB,MAAM,0BAA0B,CAAC;AAElC,OAAO,EAAE,uBAAuB,EAAE,MAAM,aAAa,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/manifest/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACN,2BAA2B,EAC3B,yBAAyB,EACzB,kBAAkB,EAClB,oBAAoB,EAKpB,MAAM,0BAA0B,CAAC;AAElC,OAAO,EAAE,uBAAuB,EAAE,MAAM,aAAa,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/requirements/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACN,yBAAyB,EACzB,sBAAsB,EACtB,gBAAgB,EAChB,KAAK,iBAAiB,EACtB,MAAM,YAAY,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/requirements/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACN,yBAAyB,EACzB,sBAAsB,EACtB,gBAAgB,EAEhB,MAAM,YAAY,CAAC"}
|
|
@@ -0,0 +1,52 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Secret Requirements Resolver
|
|
3
|
+
*
|
|
4
|
+
* Resolves secret requirements from two intentional sources:
|
|
5
|
+
*
|
|
6
|
+
* 1. Runtime infra descriptors (`.infra.ts` files) — workers and infrastructure.
|
|
7
|
+
* Queries runtime for `infra/worker` descriptors. Workers (e.g. job-workers)
|
|
8
|
+
* declare secrets here because they are infrastructure resources, not web apps.
|
|
9
|
+
* The `infra/web-app` path is kept for completeness but no longer discovers
|
|
10
|
+
* vestigial descriptors (deleted 2026-05-20).
|
|
11
|
+
*
|
|
12
|
+
* 2. `deployment.config.ts` files — the canonical per-app deployment system.
|
|
13
|
+
* Loads each config via `@vibesdotdev/infra-deploy` and extracts `secret: true`
|
|
14
|
+
* env entries from the `AppDeployment.env` array. This is the authoritative
|
|
15
|
+
* source for web-app secrets.
|
|
16
|
+
*
|
|
17
|
+
* The two-system split is intentional, not transitional:
|
|
18
|
+
* - `.infra.ts` = infrastructure resources + workers (runtime-discovered assets)
|
|
19
|
+
* - `deployment.config.ts` = web app deployments (build + deploy orchestration)
|
|
20
|
+
*
|
|
21
|
+
* Used by `vibes secrets check` to cross-reference stored secrets against
|
|
22
|
+
* declared requirements.
|
|
23
|
+
*/
|
|
24
|
+
import type { SecretRequirement, SecretRequirementsRuntime } from './schemas/requirements';
|
|
25
|
+
export type { SecretRequirement } from './schemas/requirements';
|
|
26
|
+
/**
|
|
27
|
+
* Resolve all secret requirements from infra descriptors and deployment configs.
|
|
28
|
+
*
|
|
29
|
+
* Queries two sources:
|
|
30
|
+
* 1. Runtime for `infra/worker` descriptors (`.infra.ts` — workers + infrastructure)
|
|
31
|
+
* 2. `deployment.config.ts` files via `@vibesdotdev/infra-deploy` (web apps)
|
|
32
|
+
*
|
|
33
|
+
* These two sources are mutually exclusive by app type, so there should be no
|
|
34
|
+
* overlap. Both are queried to cover the full surface:
|
|
35
|
+
* - Workers declare secrets in `.infra.ts` (job-workers, ai-workers, etc.)
|
|
36
|
+
* - Web apps declare secrets in `deployment.config.ts` (auth-web, ai-web, etc.)
|
|
37
|
+
*
|
|
38
|
+
* Deployment config entries are appended after descriptor entries.
|
|
39
|
+
* Duplicates are harmless for check reporting.
|
|
40
|
+
*/
|
|
41
|
+
export declare function resolveSecretRequirements(runtime: SecretRequirementsRuntime, options?: {
|
|
42
|
+
deploymentConfigRoot?: string;
|
|
43
|
+
}): Promise<SecretRequirement[]>;
|
|
44
|
+
/**
|
|
45
|
+
* Group requirements by app/worker ID for per-app reporting.
|
|
46
|
+
*/
|
|
47
|
+
export declare function groupRequirementsByApp(requirements: SecretRequirement[]): Map<string, SecretRequirement[]>;
|
|
48
|
+
/**
|
|
49
|
+
* Get unique secret keys across all apps (deduped).
|
|
50
|
+
*/
|
|
51
|
+
export declare function uniqueSecretKeys(requirements: SecretRequirement[]): string[];
|
|
52
|
+
//# sourceMappingURL=resolver.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"resolver.d.ts","sourceRoot":"","sources":["../../src/requirements/resolver.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAIH,OAAO,KAAK,EAEX,iBAAiB,EACjB,yBAAyB,EACzB,MAAM,wBAAwB,CAAC;AAEhC,YAAY,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AA2GhE;;;;;;;;;;;;;;GAcG;AACH,wBAAsB,yBAAyB,CAC9C,OAAO,EAAE,yBAAyB,EAClC,OAAO,CAAC,EAAE;IAAE,oBAAoB,CAAC,EAAE,MAAM,CAAA;CAAE,GACzC,OAAO,CAAC,iBAAiB,EAAE,CAAC,CAoC9B;AAED;;GAEG;AACH,wBAAgB,sBAAsB,CACrC,YAAY,EAAE,iBAAiB,EAAE,GAC/B,GAAG,CAAC,MAAM,EAAE,iBAAiB,EAAE,CAAC,CAQlC;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,YAAY,EAAE,iBAAiB,EAAE,GAAG,MAAM,EAAE,CAE5E"}
|
|
@@ -0,0 +1,196 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Secret Requirements Resolver
|
|
3
|
+
*
|
|
4
|
+
* Resolves secret requirements from two intentional sources:
|
|
5
|
+
*
|
|
6
|
+
* 1. Runtime infra descriptors (`.infra.ts` files) — workers and infrastructure.
|
|
7
|
+
* Queries runtime for `infra/worker` descriptors. Workers (e.g. job-workers)
|
|
8
|
+
* declare secrets here because they are infrastructure resources, not web apps.
|
|
9
|
+
* The `infra/web-app` path is kept for completeness but no longer discovers
|
|
10
|
+
* vestigial descriptors (deleted 2026-05-20).
|
|
11
|
+
*
|
|
12
|
+
* 2. `deployment.config.ts` files — the canonical per-app deployment system.
|
|
13
|
+
* Loads each config via `@vibesdotdev/infra-deploy` and extracts `secret: true`
|
|
14
|
+
* env entries from the `AppDeployment.env` array. This is the authoritative
|
|
15
|
+
* source for web-app secrets.
|
|
16
|
+
*
|
|
17
|
+
* The two-system split is intentional, not transitional:
|
|
18
|
+
* - `.infra.ts` = infrastructure resources + workers (runtime-discovered assets)
|
|
19
|
+
* - `deployment.config.ts` = web app deployments (build + deploy orchestration)
|
|
20
|
+
*
|
|
21
|
+
* Used by `vibes secrets check` to cross-reference stored secrets against
|
|
22
|
+
* declared requirements.
|
|
23
|
+
*/
|
|
24
|
+
import { loadDeploymentConfig } from '@vibesdotdev/infra-deploy';
|
|
25
|
+
const BAKED_SECRET_REQUIREMENTS_JSON = typeof __VIBES_BAKED_SECRET_REQUIREMENTS__ !== 'undefined'
|
|
26
|
+
? __VIBES_BAKED_SECRET_REQUIREMENTS__
|
|
27
|
+
: '[]';
|
|
28
|
+
function readBakedRequirements() {
|
|
29
|
+
if (!BAKED_SECRET_REQUIREMENTS_JSON || BAKED_SECRET_REQUIREMENTS_JSON === '[]') {
|
|
30
|
+
return [];
|
|
31
|
+
}
|
|
32
|
+
try {
|
|
33
|
+
const parsed = JSON.parse(BAKED_SECRET_REQUIREMENTS_JSON);
|
|
34
|
+
return Array.isArray(parsed) ? parsed : [];
|
|
35
|
+
}
|
|
36
|
+
catch {
|
|
37
|
+
return [];
|
|
38
|
+
}
|
|
39
|
+
}
|
|
40
|
+
function extractRequirements(descriptors) {
|
|
41
|
+
const results = [];
|
|
42
|
+
for (const desc of descriptors) {
|
|
43
|
+
if (!desc.env)
|
|
44
|
+
continue;
|
|
45
|
+
for (const entry of desc.env) {
|
|
46
|
+
if (!entry.secret)
|
|
47
|
+
continue;
|
|
48
|
+
results.push({
|
|
49
|
+
key: entry.name,
|
|
50
|
+
appId: desc.id,
|
|
51
|
+
required: entry.required ?? true,
|
|
52
|
+
description: entry.description
|
|
53
|
+
});
|
|
54
|
+
}
|
|
55
|
+
}
|
|
56
|
+
return results;
|
|
57
|
+
}
|
|
58
|
+
/**
|
|
59
|
+
* Resolve secret requirements from deployment.config.ts files.
|
|
60
|
+
*
|
|
61
|
+
* Walks the workspace for `deployment.config.ts` files (same discovery logic
|
|
62
|
+
* as `infra-deploy regenerate`), loads each via subprocess, and extracts
|
|
63
|
+
* `secret: true` env entries from the `AppDeployment.env` array.
|
|
64
|
+
*/
|
|
65
|
+
async function resolveFromDeploymentConfigs(rootDir) {
|
|
66
|
+
const { readdirSync, statSync } = await import('node:fs');
|
|
67
|
+
const { join } = await import('node:path');
|
|
68
|
+
const IGNORED = new Set([
|
|
69
|
+
'node_modules', '.git', '.svelte-kit', 'dist', '.next', '.turbo', '.vite', '.wrangler'
|
|
70
|
+
]);
|
|
71
|
+
const CONFIG_NAMES = new Set([
|
|
72
|
+
'deployment.config.ts', 'deployment.config.js', 'deployment.config.mjs'
|
|
73
|
+
]);
|
|
74
|
+
// Discover deployment.config.ts files (mirrors infra-deploy's findDeploymentConfigs)
|
|
75
|
+
const configs = [];
|
|
76
|
+
function walk(dir, depth) {
|
|
77
|
+
if (depth > 4)
|
|
78
|
+
return;
|
|
79
|
+
let entries;
|
|
80
|
+
try {
|
|
81
|
+
entries = readdirSync(dir);
|
|
82
|
+
}
|
|
83
|
+
catch {
|
|
84
|
+
return;
|
|
85
|
+
}
|
|
86
|
+
for (const entry of entries) {
|
|
87
|
+
if (CONFIG_NAMES.has(entry))
|
|
88
|
+
configs.push(join(dir, entry));
|
|
89
|
+
}
|
|
90
|
+
for (const entry of entries) {
|
|
91
|
+
if (IGNORED.has(entry) || entry.startsWith('.'))
|
|
92
|
+
continue;
|
|
93
|
+
const full = join(dir, entry);
|
|
94
|
+
let info;
|
|
95
|
+
try {
|
|
96
|
+
info = statSync(full);
|
|
97
|
+
}
|
|
98
|
+
catch {
|
|
99
|
+
continue;
|
|
100
|
+
}
|
|
101
|
+
if (info.isDirectory())
|
|
102
|
+
walk(full, depth + 1);
|
|
103
|
+
}
|
|
104
|
+
}
|
|
105
|
+
walk(rootDir, 0);
|
|
106
|
+
const requirements = [];
|
|
107
|
+
for (const configPath of configs) {
|
|
108
|
+
const appDir = configPath.replace(/\/deployment\.config\.(ts|js|mjs)$/, '');
|
|
109
|
+
try {
|
|
110
|
+
const loaded = await loadDeploymentConfig(appDir);
|
|
111
|
+
for (const entry of loaded.deployment.env) {
|
|
112
|
+
if (!entry.secret)
|
|
113
|
+
continue;
|
|
114
|
+
requirements.push({
|
|
115
|
+
key: entry.name,
|
|
116
|
+
appId: loaded.deployment.appId,
|
|
117
|
+
required: entry.required ?? true,
|
|
118
|
+
description: entry.description
|
|
119
|
+
});
|
|
120
|
+
}
|
|
121
|
+
}
|
|
122
|
+
catch {
|
|
123
|
+
// Config load failures are non-fatal for secret resolution.
|
|
124
|
+
// The regen pipeline catches these separately.
|
|
125
|
+
}
|
|
126
|
+
}
|
|
127
|
+
return requirements;
|
|
128
|
+
}
|
|
129
|
+
/**
|
|
130
|
+
* Resolve all secret requirements from infra descriptors and deployment configs.
|
|
131
|
+
*
|
|
132
|
+
* Queries two sources:
|
|
133
|
+
* 1. Runtime for `infra/worker` descriptors (`.infra.ts` — workers + infrastructure)
|
|
134
|
+
* 2. `deployment.config.ts` files via `@vibesdotdev/infra-deploy` (web apps)
|
|
135
|
+
*
|
|
136
|
+
* These two sources are mutually exclusive by app type, so there should be no
|
|
137
|
+
* overlap. Both are queried to cover the full surface:
|
|
138
|
+
* - Workers declare secrets in `.infra.ts` (job-workers, ai-workers, etc.)
|
|
139
|
+
* - Web apps declare secrets in `deployment.config.ts` (auth-web, ai-web, etc.)
|
|
140
|
+
*
|
|
141
|
+
* Deployment config entries are appended after descriptor entries.
|
|
142
|
+
* Duplicates are harmless for check reporting.
|
|
143
|
+
*/
|
|
144
|
+
export async function resolveSecretRequirements(runtime, options) {
|
|
145
|
+
const requirements = [];
|
|
146
|
+
if (runtime.hasKind('infra/web-app')) {
|
|
147
|
+
const webApps = runtime.assets('infra/web-app').descriptors();
|
|
148
|
+
requirements.push(...extractRequirements(webApps));
|
|
149
|
+
}
|
|
150
|
+
if (runtime.hasKind('infra/worker')) {
|
|
151
|
+
const workers = runtime.assets('infra/worker').descriptors();
|
|
152
|
+
requirements.push(...extractRequirements(workers));
|
|
153
|
+
}
|
|
154
|
+
// Load web-app secrets from deployment.config.ts — the canonical source.
|
|
155
|
+
// Falls back to process.cwd() when no root is explicitly provided.
|
|
156
|
+
let liveDeployReqs = [];
|
|
157
|
+
if (options?.deploymentConfigRoot || typeof process !== 'undefined') {
|
|
158
|
+
const root = options?.deploymentConfigRoot ?? process.cwd();
|
|
159
|
+
try {
|
|
160
|
+
liveDeployReqs = await resolveFromDeploymentConfigs(root);
|
|
161
|
+
}
|
|
162
|
+
catch {
|
|
163
|
+
// infra-deploy subprocess failures shouldn't block the check.
|
|
164
|
+
}
|
|
165
|
+
}
|
|
166
|
+
// In compiled binaries, `resolveFromDeploymentConfigs` returns [] because
|
|
167
|
+
// the standalone executable can't import workspace deployment.config.ts
|
|
168
|
+
// files at runtime. Fall back to the build-time snapshot captured by
|
|
169
|
+
// `apps/cli-bin/scripts/build.ts` so `--app <id>` filtering still works.
|
|
170
|
+
if (liveDeployReqs.length === 0) {
|
|
171
|
+
requirements.push(...readBakedRequirements());
|
|
172
|
+
}
|
|
173
|
+
else {
|
|
174
|
+
requirements.push(...liveDeployReqs);
|
|
175
|
+
}
|
|
176
|
+
return requirements;
|
|
177
|
+
}
|
|
178
|
+
/**
|
|
179
|
+
* Group requirements by app/worker ID for per-app reporting.
|
|
180
|
+
*/
|
|
181
|
+
export function groupRequirementsByApp(requirements) {
|
|
182
|
+
const grouped = new Map();
|
|
183
|
+
for (const req of requirements) {
|
|
184
|
+
const existing = grouped.get(req.appId) ?? [];
|
|
185
|
+
existing.push(req);
|
|
186
|
+
grouped.set(req.appId, existing);
|
|
187
|
+
}
|
|
188
|
+
return grouped;
|
|
189
|
+
}
|
|
190
|
+
/**
|
|
191
|
+
* Get unique secret keys across all apps (deduped).
|
|
192
|
+
*/
|
|
193
|
+
export function uniqueSecretKeys(requirements) {
|
|
194
|
+
return [...new Set(requirements.map((r) => r.key))];
|
|
195
|
+
}
|
|
196
|
+
//# sourceMappingURL=resolver.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"resolver.js","sourceRoot":"","sources":["../../src/requirements/resolver.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAGH,OAAO,EAAE,oBAAoB,EAAE,MAAM,2BAA2B,CAAC;AAmBjE,MAAM,8BAA8B,GACnC,OAAO,mCAAmC,KAAK,WAAW;IACzD,CAAC,CAAC,mCAAmC;IACrC,CAAC,CAAC,IAAI,CAAC;AAET,SAAS,qBAAqB;IAC7B,IAAI,CAAC,8BAA8B,IAAI,8BAA8B,KAAK,IAAI,EAAE,CAAC;QAChF,OAAO,EAAE,CAAC;IACX,CAAC;IACD,IAAI,CAAC;QACJ,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,8BAA8B,CAAC,CAAC;QAC1D,OAAO,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAE,MAA8B,CAAC,CAAC,CAAC,EAAE,CAAC;IACrE,CAAC;IAAC,MAAM,CAAC;QACR,OAAO,EAAE,CAAC;IACX,CAAC;AACF,CAAC;AAED,SAAS,mBAAmB,CAAC,WAAyC;IACrE,MAAM,OAAO,GAAwB,EAAE,CAAC;IACxC,KAAK,MAAM,IAAI,IAAI,WAAW,EAAE,CAAC;QAChC,IAAI,CAAC,IAAI,CAAC,GAAG;YAAE,SAAS;QACxB,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,GAAG,EAAE,CAAC;YAC9B,IAAI,CAAC,KAAK,CAAC,MAAM;gBAAE,SAAS;YAC5B,OAAO,CAAC,IAAI,CAAC;gBACZ,GAAG,EAAE,KAAK,CAAC,IAAI;gBACf,KAAK,EAAE,IAAI,CAAC,EAAE;gBACd,QAAQ,EAAE,KAAK,CAAC,QAAQ,IAAI,IAAI;gBAChC,WAAW,EAAE,KAAK,CAAC,WAAW;aAC9B,CAAC,CAAC;QACJ,CAAC;IACF,CAAC;IACD,OAAO,OAAO,CAAC;AAChB,CAAC;AAED;;;;;;GAMG;AACH,KAAK,UAAU,4BAA4B,CAC1C,OAAe;IAEf,MAAM,EAAE,WAAW,EAAE,QAAQ,EAAE,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,CAAC;IAC1D,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,MAAM,CAAC,WAAW,CAAC,CAAC;IAE3C,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC;QACvB,cAAc,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,WAAW;KACtF,CAAC,CAAC;IACH,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC;QAC5B,sBAAsB,EAAE,sBAAsB,EAAE,uBAAuB;KACvE,CAAC,CAAC;IAEH,qFAAqF;IACrF,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,SAAS,IAAI,CAAC,GAAW,EAAE,KAAa;QACvC,IAAI,KAAK,GAAG,CAAC;YAAE,OAAO;QACtB,IAAI,OAAiB,CAAC;QACtB,IAAI,CAAC;YAAC,OAAO,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC;QAAC,CAAC;QAAC,MAAM,CAAC;YAAC,OAAO;QAAC,CAAC;QACrD,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;YAC7B,IAAI,YAAY,CAAC,GAAG,CAAC,KAAK,CAAC;gBAAE,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC,CAAC;QAC7D,CAAC;QACD,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;YAC7B,IAAI,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC;gBAAE,SAAS;YAC1D,MAAM,IAAI,GAAG,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;YAC9B,IAAI,IAAI,CAAC;YACT,IAAI,CAAC;gBAAC,IAAI,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC;YAAC,CAAC;YAAC,MAAM,CAAC;gBAAC,SAAS;YAAC,CAAC;YAClD,IAAI,IAAI,CAAC,WAAW,EAAE;gBAAE,IAAI,CAAC,IAAI,EAAE,KAAK,GAAG,CAAC,CAAC,CAAC;QAC/C,CAAC;IACF,CAAC;IACD,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;IAEjB,MAAM,YAAY,GAAwB,EAAE,CAAC;IAC7C,KAAK,MAAM,UAAU,IAAI,OAAO,EAAE,CAAC;QAClC,MAAM,MAAM,GAAG,UAAU,CAAC,OAAO,CAAC,oCAAoC,EAAE,EAAE,CAAC,CAAC;QAC5E,IAAI,CAAC;YACJ,MAAM,MAAM,GAAG,MAAM,oBAAoB,CAAC,MAAM,CAAC,CAAC;YAClD,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,UAAU,CAAC,GAAG,EAAE,CAAC;gBAC3C,IAAI,CAAC,KAAK,CAAC,MAAM;oBAAE,SAAS;gBAC5B,YAAY,CAAC,IAAI,CAAC;oBACjB,GAAG,EAAE,KAAK,CAAC,IAAI;oBACf,KAAK,EAAE,MAAM,CAAC,UAAU,CAAC,KAAK;oBAC9B,QAAQ,EAAE,KAAK,CAAC,QAAQ,IAAI,IAAI;oBAChC,WAAW,EAAE,KAAK,CAAC,WAAW;iBAC9B,CAAC,CAAC;YACJ,CAAC;QACF,CAAC;QAAC,MAAM,CAAC;YACR,4DAA4D;YAC5D,+CAA+C;QAChD,CAAC;IACF,CAAC;IACD,OAAO,YAAY,CAAC;AACrB,CAAC;AAED;;;;;;;;;;;;;;GAcG;AACH,MAAM,CAAC,KAAK,UAAU,yBAAyB,CAC9C,OAAkC,EAClC,OAA2C;IAE3C,MAAM,YAAY,GAAwB,EAAE,CAAC;IAE7C,IAAI,OAAO,CAAC,OAAO,CAAC,eAAe,CAAC,EAAE,CAAC;QACtC,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC,WAAW,EAAwB,CAAC;QACpF,YAAY,CAAC,IAAI,CAAC,GAAG,mBAAmB,CAAC,OAAO,CAAC,CAAC,CAAC;IACpD,CAAC;IAED,IAAI,OAAO,CAAC,OAAO,CAAC,cAAc,CAAC,EAAE,CAAC;QACrC,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC,WAAW,EAAwB,CAAC;QACnF,YAAY,CAAC,IAAI,CAAC,GAAG,mBAAmB,CAAC,OAAO,CAAC,CAAC,CAAC;IACpD,CAAC;IAED,yEAAyE;IACzE,mEAAmE;IACnE,IAAI,cAAc,GAAwB,EAAE,CAAC;IAC7C,IAAI,OAAO,EAAE,oBAAoB,IAAI,OAAO,OAAO,KAAK,WAAW,EAAE,CAAC;QACrE,MAAM,IAAI,GAAG,OAAO,EAAE,oBAAoB,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;QAC5D,IAAI,CAAC;YACJ,cAAc,GAAG,MAAM,4BAA4B,CAAC,IAAI,CAAC,CAAC;QAC3D,CAAC;QAAC,MAAM,CAAC;YACR,8DAA8D;QAC/D,CAAC;IACF,CAAC;IAED,0EAA0E;IAC1E,wEAAwE;IACxE,qEAAqE;IACrE,yEAAyE;IACzE,IAAI,cAAc,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACjC,YAAY,CAAC,IAAI,CAAC,GAAG,qBAAqB,EAAE,CAAC,CAAC;IAC/C,CAAC;SAAM,CAAC;QACP,YAAY,CAAC,IAAI,CAAC,GAAG,cAAc,CAAC,CAAC;IACtC,CAAC;IAED,OAAO,YAAY,CAAC;AACrB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,sBAAsB,CACrC,YAAiC;IAEjC,MAAM,OAAO,GAAG,IAAI,GAAG,EAA+B,CAAC;IACvD,KAAK,MAAM,GAAG,IAAI,YAAY,EAAE,CAAC;QAChC,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;QAC9C,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACnB,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;IAClC,CAAC;IACD,OAAO,OAAO,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAAC,YAAiC;IACjE,OAAO,CAAC,GAAG,IAAI,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;AACrD,CAAC"}
|
|
@@ -0,0 +1,27 @@
|
|
|
1
|
+
export interface SecretRequirement {
|
|
2
|
+
/** Secret key name (e.g., VIBES_AUTH_SECRET) */
|
|
3
|
+
key: string;
|
|
4
|
+
/** App or worker ID that requires this secret */
|
|
5
|
+
appId: string;
|
|
6
|
+
/** Whether the secret is required for the app to function */
|
|
7
|
+
required: boolean;
|
|
8
|
+
/** Human-readable description of the secret's purpose */
|
|
9
|
+
description: string | undefined;
|
|
10
|
+
}
|
|
11
|
+
export interface RequirementEnvEntry {
|
|
12
|
+
name: string;
|
|
13
|
+
secret?: boolean;
|
|
14
|
+
required?: boolean;
|
|
15
|
+
description?: string;
|
|
16
|
+
}
|
|
17
|
+
export interface RequirementInfraDescriptor {
|
|
18
|
+
id: string;
|
|
19
|
+
env?: RequirementEnvEntry[];
|
|
20
|
+
}
|
|
21
|
+
export interface SecretRequirementsRuntime {
|
|
22
|
+
hasKind(kind: string): boolean;
|
|
23
|
+
assets(kind: string): {
|
|
24
|
+
descriptors(): RequirementInfraDescriptor[];
|
|
25
|
+
};
|
|
26
|
+
}
|
|
27
|
+
//# sourceMappingURL=requirements.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"requirements.d.ts","sourceRoot":"","sources":["../../../src/requirements/schemas/requirements.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,iBAAiB;IACjC,gDAAgD;IAChD,GAAG,EAAE,MAAM,CAAC;IACZ,iDAAiD;IACjD,KAAK,EAAE,MAAM,CAAC;IACd,6DAA6D;IAC7D,QAAQ,EAAE,OAAO,CAAC;IAClB,yDAAyD;IACzD,WAAW,EAAE,MAAM,GAAG,SAAS,CAAC;CAChC;AAED,MAAM,WAAW,mBAAmB;IACnC,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,WAAW,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,0BAA0B;IAC1C,EAAE,EAAE,MAAM,CAAC;IACX,GAAG,CAAC,EAAE,mBAAmB,EAAE,CAAC;CAC5B;AAED,MAAM,WAAW,yBAAyB;IACzC,OAAO,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC;IAC/B,MAAM,CAAC,IAAI,EAAE,MAAM,GAAG;QACrB,WAAW,IAAI,0BAA0B,EAAE,CAAC;KAC5C,CAAC;CACF"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"requirements.js","sourceRoot":"","sources":["../../../src/requirements/schemas/requirements.ts"],"names":[],"mappings":""}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"secrets.plugin.d.ts","sourceRoot":"","sources":["../src/secrets.plugin.ts"],"names":[],"mappings":"AAAA;;;;GAIG;;AAwBH,wBAoCG"}
|
|
@@ -0,0 +1,59 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Secrets Runtime Plugin
|
|
3
|
+
*
|
|
4
|
+
* Registers the secrets/store kind and CLI backend loaders.
|
|
5
|
+
*/
|
|
6
|
+
import { createRuntimePlugin, loader } from '@vibesdotdev/runtime';
|
|
7
|
+
import { secretsStoreKind } from './kinds/store.kind';
|
|
8
|
+
// CLI
|
|
9
|
+
import secretsGroup from "./cli/secrets.cli-group.descriptor.js";
|
|
10
|
+
import secretsCheck from "./cli/check/secrets.check.cli-command.descriptor.js";
|
|
11
|
+
import secretsImport from "./cli/import/secrets.import.cli-command.descriptor.js";
|
|
12
|
+
import secretsExport from "./cli/export/secrets.export.cli-command.descriptor.js";
|
|
13
|
+
import secretsList from "./cli/list/secrets.list.cli-command.descriptor.js";
|
|
14
|
+
import secretsPull from "./cli/pull/secrets.pull.cli-command.descriptor.js";
|
|
15
|
+
import secretsPush from "./cli/push/secrets.push.cli-command.descriptor.js";
|
|
16
|
+
import secretsSet from "./cli/set/secrets.set.cli-command.descriptor.js";
|
|
17
|
+
import secretsUnset from "./cli/unset/secrets.unset.cli-command.descriptor.js";
|
|
18
|
+
import secretsReveal from "./cli/reveal/secrets.reveal.cli-command.descriptor.js";
|
|
19
|
+
import secretsPreCommitCheck from "./cli/pre-commit/secrets.pre-commit-check.cli-command.descriptor.js";
|
|
20
|
+
// Docs
|
|
21
|
+
import secretsBackendsDescriptor from "./docs/backends.docs.descriptor.js";
|
|
22
|
+
import secretsEncryptionDescriptor from "./docs/encryption.docs.descriptor.js";
|
|
23
|
+
import secretsEnvFileDescriptor from "./docs/env-file.docs.descriptor.js";
|
|
24
|
+
export default createRuntimePlugin({
|
|
25
|
+
id: 'secrets',
|
|
26
|
+
name: 'Secrets Management',
|
|
27
|
+
description: 'Environment-aware secrets storage with multiple backends',
|
|
28
|
+
dependencies: ['config'],
|
|
29
|
+
kinds: [secretsStoreKind],
|
|
30
|
+
descriptors: [
|
|
31
|
+
secretsGroup,
|
|
32
|
+
secretsCheck,
|
|
33
|
+
secretsImport,
|
|
34
|
+
secretsExport,
|
|
35
|
+
secretsList,
|
|
36
|
+
secretsPull,
|
|
37
|
+
secretsPush,
|
|
38
|
+
secretsSet,
|
|
39
|
+
secretsUnset,
|
|
40
|
+
secretsReveal,
|
|
41
|
+
secretsPreCommitCheck,
|
|
42
|
+
secretsBackendsDescriptor,
|
|
43
|
+
secretsEncryptionDescriptor,
|
|
44
|
+
secretsEnvFileDescriptor
|
|
45
|
+
],
|
|
46
|
+
loaders: [
|
|
47
|
+
loader('secrets.check', () => import('./cli/check/secrets.check.cli-command.impl.js')),
|
|
48
|
+
loader('secrets.import', () => import('./cli/import/secrets.import.cli-command.impl.js')),
|
|
49
|
+
loader('secrets.export', () => import('./cli/export/secrets.export.cli-command.impl.js')),
|
|
50
|
+
loader('secrets.list', () => import('./cli/list/secrets.list.cli-command.impl.js')),
|
|
51
|
+
loader('secrets.pull', () => import('./cli/pull/secrets.pull.cli-command.impl.js')),
|
|
52
|
+
loader('secrets.push', () => import('./cli/push/secrets.push.cli-command.impl.js')),
|
|
53
|
+
loader('secrets.set', () => import('./cli/set/secrets.set.cli-command.impl.js')),
|
|
54
|
+
loader('secrets.unset', () => import('./cli/unset/secrets.unset.cli-command.impl.js')),
|
|
55
|
+
loader('secrets.reveal', () => import('./cli/reveal/secrets.reveal.cli-command.impl.js')),
|
|
56
|
+
loader('dev.secrets.pre-commit-check', () => import('./cli/pre-commit/secrets.pre-commit-check.cli-command.impl.js'))
|
|
57
|
+
]
|
|
58
|
+
});
|
|
59
|
+
//# sourceMappingURL=secrets.plugin.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"secrets.plugin.js","sourceRoot":"","sources":["../src/secrets.plugin.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,mBAAmB,EAAE,MAAM,EAAE,MAAM,sBAAsB,CAAC;AAEnE,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAEtD,MAAM;AACN,OAAO,YAAY,MAAM,uCAAuC,CAAC;AACjE,OAAO,YAAY,MAAM,qDAAqD,CAAC;AAC/E,OAAO,aAAa,MAAM,uDAAuD,CAAC;AAClF,OAAO,aAAa,MAAM,uDAAuD,CAAC;AAClF,OAAO,WAAW,MAAM,mDAAmD,CAAC;AAC5E,OAAO,WAAW,MAAM,mDAAmD,CAAC;AAC5E,OAAO,WAAW,MAAM,mDAAmD,CAAC;AAC5E,OAAO,UAAU,MAAM,iDAAiD,CAAC;AACzE,OAAO,YAAY,MAAM,qDAAqD,CAAC;AAC/E,OAAO,aAAa,MAAM,uDAAuD,CAAC;AAClF,OAAO,qBAAqB,MAAM,qEAAqE,CAAC;AAExG,OAAO;AACP,OAAO,yBAAyB,MAAM,oCAAoC,CAAC;AAC3E,OAAO,2BAA2B,MAAM,sCAAsC,CAAC;AAC/E,OAAO,wBAAwB,MAAM,oCAAoC,CAAC;AAE1E,eAAe,mBAAmB,CAAC;IAClC,EAAE,EAAE,SAAS;IACb,IAAI,EAAE,oBAAoB;IAC1B,WAAW,EAAE,0DAA0D;IACvE,YAAY,EAAE,CAAC,QAAQ,CAAC;IACxB,KAAK,EAAE,CAAC,gBAA+C,CAAC;IAExD,WAAW,EAAE;QACZ,YAAY;QACZ,YAAY;QACZ,aAAa;QACb,aAAa;QACb,WAAW;QACX,WAAW;QACX,WAAW;QACX,UAAU;QACV,YAAY;QACZ,aAAa;QACb,qBAAqB;QACrB,yBAAyB;QACzB,2BAA2B;QAC3B,wBAAwB;KACxB;IAED,OAAO,EAAE;QACR,MAAM,CAAC,eAAe,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,+CAA+C,CAAC,CAAC;QACtF,MAAM,CAAC,gBAAgB,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,iDAAiD,CAAC,CAAC;QACzF,MAAM,CAAC,gBAAgB,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,iDAAiD,CAAC,CAAC;QACzF,MAAM,CAAC,cAAc,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,6CAA6C,CAAC,CAAC;QACnF,MAAM,CAAC,cAAc,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,6CAA6C,CAAC,CAAC;QACnF,MAAM,CAAC,cAAc,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,6CAA6C,CAAC,CAAC;QACnF,MAAM,CAAC,aAAa,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,2CAA2C,CAAC,CAAC;QAChF,MAAM,CAAC,eAAe,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,+CAA+C,CAAC,CAAC;QACtF,MAAM,CAAC,gBAAgB,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,iDAAiD,CAAC,CAAC;QACzF,MAAM,CAAC,8BAA8B,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,+DAA+D,CAAC,CAAC;KACrH;CACD,CAAC,CAAC"}
|
package/package.json
ADDED
|
@@ -0,0 +1,108 @@
|
|
|
1
|
+
{
|
|
2
|
+
"name": "@vibesdotdev/secrets",
|
|
3
|
+
"version": "0.0.1",
|
|
4
|
+
"type": "module",
|
|
5
|
+
"main": "./dist/index.js",
|
|
6
|
+
"types": "./dist/index.d.ts",
|
|
7
|
+
"exports": {
|
|
8
|
+
".": {
|
|
9
|
+
"types": "./dist/index.d.ts",
|
|
10
|
+
"bun": "./src/index.ts",
|
|
11
|
+
"import": "./dist/index.js",
|
|
12
|
+
"default": "./dist/index.js"
|
|
13
|
+
},
|
|
14
|
+
"./kinds": {
|
|
15
|
+
"types": "./dist/kinds/index.d.ts",
|
|
16
|
+
"bun": "./src/kinds/index.ts",
|
|
17
|
+
"import": "./dist/kinds/index.js",
|
|
18
|
+
"default": "./dist/kinds/index.js"
|
|
19
|
+
},
|
|
20
|
+
"./kinds/*": {
|
|
21
|
+
"types": "./dist/kinds/*.d.ts",
|
|
22
|
+
"bun": "./src/kinds/*.ts",
|
|
23
|
+
"import": "./dist/kinds/*.js",
|
|
24
|
+
"default": "./dist/kinds/*.js"
|
|
25
|
+
},
|
|
26
|
+
"./manifest": {
|
|
27
|
+
"types": "./dist/manifest/index.d.ts",
|
|
28
|
+
"bun": "./src/manifest/index.ts",
|
|
29
|
+
"import": "./dist/manifest/index.js",
|
|
30
|
+
"default": "./dist/manifest/index.js"
|
|
31
|
+
},
|
|
32
|
+
"./manifest/*": {
|
|
33
|
+
"types": "./dist/manifest/*.d.ts",
|
|
34
|
+
"bun": "./src/manifest/*.ts",
|
|
35
|
+
"import": "./dist/manifest/*.js",
|
|
36
|
+
"default": "./dist/manifest/*.js"
|
|
37
|
+
},
|
|
38
|
+
"./requirements": {
|
|
39
|
+
"types": "./dist/requirements/index.d.ts",
|
|
40
|
+
"bun": "./src/requirements/index.ts",
|
|
41
|
+
"import": "./dist/requirements/index.js",
|
|
42
|
+
"default": "./dist/requirements/index.js"
|
|
43
|
+
},
|
|
44
|
+
"./plugin": {
|
|
45
|
+
"types": "./dist/secrets.plugin.d.ts",
|
|
46
|
+
"bun": "./src/secrets.plugin.ts",
|
|
47
|
+
"import": "./dist/secrets.plugin.js",
|
|
48
|
+
"default": "./dist/secrets.plugin.js"
|
|
49
|
+
}
|
|
50
|
+
},
|
|
51
|
+
"publishConfig": {
|
|
52
|
+
"registry": "https://registry.npmjs.org",
|
|
53
|
+
"access": "public"
|
|
54
|
+
},
|
|
55
|
+
"repository": {
|
|
56
|
+
"type": "git",
|
|
57
|
+
"url": "git+https://github.com/vibesdotdev/monorepo.git",
|
|
58
|
+
"directory": "packages/secrets"
|
|
59
|
+
},
|
|
60
|
+
"dependencies": {
|
|
61
|
+
"@vibesdotdev/runtime": "0.0.1",
|
|
62
|
+
"@vibesdotdev/config": "0.0.1",
|
|
63
|
+
"@vibesdotdev/infra-core": "0.0.1",
|
|
64
|
+
"@vibesdotdev/cli": "0.0.1"
|
|
65
|
+
},
|
|
66
|
+
"peerDependencies": {
|
|
67
|
+
"zod": "^4.3.6",
|
|
68
|
+
"@vibesdotdev/infra-deploy": "0.0.1"
|
|
69
|
+
},
|
|
70
|
+
"peerDependenciesMeta": {
|
|
71
|
+
"@vibesdotdev/infra-deploy": {
|
|
72
|
+
"optional": true
|
|
73
|
+
}
|
|
74
|
+
},
|
|
75
|
+
"scripts": {
|
|
76
|
+
"build": "tsc -p tsconfig.json",
|
|
77
|
+
"check": "bun --bun tsc -p tsconfig.json --noEmit",
|
|
78
|
+
"test": "bun test"
|
|
79
|
+
},
|
|
80
|
+
"license": "MIT",
|
|
81
|
+
"files": [
|
|
82
|
+
"dist",
|
|
83
|
+
"src",
|
|
84
|
+
"bin",
|
|
85
|
+
"README.md",
|
|
86
|
+
"SPEC.md",
|
|
87
|
+
"LICENSE",
|
|
88
|
+
"!src/**/__tests__/**",
|
|
89
|
+
"!src/**/__stubs__/**",
|
|
90
|
+
"!src/**/*.test.ts",
|
|
91
|
+
"!src/**/*.test.tsx",
|
|
92
|
+
"!src/**/*.spec.ts",
|
|
93
|
+
"!src/**/*.spec.tsx",
|
|
94
|
+
"!dist/**/__tests__/**",
|
|
95
|
+
"!dist/**/__stubs__/**",
|
|
96
|
+
"!dist/**/*.test.js",
|
|
97
|
+
"!dist/**/*.test.js.map",
|
|
98
|
+
"!dist/**/*.test.d.ts",
|
|
99
|
+
"!dist/**/*.test.d.ts.map",
|
|
100
|
+
"!dist/**/*.spec.js",
|
|
101
|
+
"!dist/**/*.spec.js.map",
|
|
102
|
+
"!dist/**/*.spec.d.ts",
|
|
103
|
+
"!dist/**/*.spec.d.ts.map"
|
|
104
|
+
],
|
|
105
|
+
"vibes": {
|
|
106
|
+
"visibility": "public-framework"
|
|
107
|
+
}
|
|
108
|
+
}
|
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
import type { CLICommandAssetDescriptor } from '@vibesdotdev/cli/schemas/types';
|
|
2
|
+
|
|
3
|
+
const descriptor: CLICommandAssetDescriptor = {
|
|
4
|
+
kind: 'cli/command',
|
|
5
|
+
id: 'secrets.check',
|
|
6
|
+
name: 'check',
|
|
7
|
+
description: 'Validate stored secrets against infra manifest requirements',
|
|
8
|
+
group: 'secrets',
|
|
9
|
+
options: [
|
|
10
|
+
{ flags: '--environment <name>', description: 'Target environment (default: current)' },
|
|
11
|
+
{ flags: '--app <id>', description: 'Check a specific app or worker only' },
|
|
12
|
+
{ flags: '--manifest', description: 'Also cross-check against the canonical import manifest' },
|
|
13
|
+
{ flags: '--json', description: 'Output as JSON' }
|
|
14
|
+
],
|
|
15
|
+
surfaces: ['cli'],
|
|
16
|
+
hardware: ['consumer'],
|
|
17
|
+
enabled: true,
|
|
18
|
+
order: 50
|
|
19
|
+
};
|
|
20
|
+
|
|
21
|
+
export default descriptor;
|