npm - @vibesdotdev/secrets - Versions diffs - 0.0.1 - Mend

@vibesdotdev/secrets 0.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (208) hide show

package/src/cli/check/secrets.check.cli-command.impl.ts ADDED Viewed

@@ -0,0 +1,163 @@
+import { getVibesRuntime } from '@vibesdotdev/runtime';
+import type { UIContext } from '@vibesdotdev/cli/providers';
+import type { SecretsStoreImplementation } from '../../kinds/store.interface';
+import type { SecretsStoreDescriptor } from '../../kinds/store.schema';
+import type { CheckResult } from './schemas/check-result';
+import { resolveSecretRequirements, groupRequirementsByApp } from '../../requirements/resolver';
+import { canonicalImportManifest } from '../../manifest/canonical';
+import { resolveSecretsEnvironment } from '../shared/resolve-environment';
+interface ManifestCheck {
+	key: string;
+	required: boolean;
+	source: string | undefined;
+	status: 'ok' | 'missing' | 'warn';
+	storedIn: string | undefined;
+}
+export default {
+	async execute(_args: Record<string, unknown>, opts: Record<string, unknown>): Promise<void> {
+		const runtime = getVibesRuntime();
+		const ui = (await runtime.context('cli/ui')) as UIContext;
+		const options = opts as {
+			environment?: string;
+			app?: string;
+			manifest?: boolean;
+			json?: boolean;
+		};
+		const { name: envName, tier: envTier } = await resolveSecretsEnvironment(
+			ui,
+			options.environment
+		);
+		let requirements = await resolveSecretRequirements(runtime);
+		if (options.app) {
+			requirements = requirements.filter((r) => r.appId === options.app);
+		}
+		if (requirements.length === 0 && !options.manifest) {
+			ui.info(options.app
+				? `No secret requirements found for app: ${options.app}`
+				: 'No secret requirements found in infra descriptors');
+			return;
+		}
+		const descriptors = runtime.assets('secrets/store').descriptors() as SecretsStoreDescriptor[];
+		const tierStores = descriptors.filter((d) => d.tiers.includes(envTier));
+		const availableKeys = new Map<string, string>();
+		for (const desc of tierStores) {
+			const impl = (await runtime
+				.query('secrets/store')
+				.withId(desc.id)
+				.resolve()) as SecretsStoreImplementation;
+			const entries = await impl.list(envName);
+			for (const entry of entries) {
+				if (entry.hasValue && !availableKeys.has(entry.key)) {
+					availableKeys.set(entry.key, entry.source);
+				}
+			}
+		}
+		const results: CheckResult[] = requirements.map((req) => {
+			const source = availableKeys.get(req.key);
+			let status: 'ok' | 'missing' | 'warn';
+			if (source) {
+				status = 'ok';
+			} else if (req.required) {
+				status = 'missing';
+			} else {
+				status = 'warn';
+			}
+			return { ...req, status, source };
+		});
+		const manifestChecks: ManifestCheck[] = options.manifest
+			? canonicalImportManifest.secrets.map((entry) => {
+					const storedIn = availableKeys.get(entry.key);
+					let status: 'ok' | 'missing' | 'warn';
+					if (storedIn) status = 'ok';
+					else if (entry.required) status = 'missing';
+					else status = 'warn';
+					return { key: entry.key, required: entry.required, source: entry.source, status, storedIn };
+				})
+			: [];
+		if (options.json) {
+			const summary: Record<string, unknown> = {
+				environment: envName,
+				tier: envTier,
+				total: results.length,
+				ok: results.filter((r) => r.status === 'ok').length,
+				missing: results.filter((r) => r.status === 'missing').length,
+				warn: results.filter((r) => r.status === 'warn').length,
+				results
+			};
+			if (options.manifest) {
+				summary.manifest = {
+					total: manifestChecks.length,
+					ok: manifestChecks.filter((m) => m.status === 'ok').length,
+					missing: manifestChecks.filter((m) => m.status === 'missing').length,
+					warn: manifestChecks.filter((m) => m.status === 'warn').length,
+					results: manifestChecks
+				};
+			}
+			ui.render(summary, { format: 'json' });
+			const manifestMissing = manifestChecks.filter((m) => m.status === 'missing').length;
+			if (results.filter((r) => r.status === 'missing').length > 0 || manifestMissing > 0) {
+				process.exit(1);
+			}
+			return;
+		}
+		const grouped = groupRequirementsByApp(requirements);
+		const okCount = results.filter((r) => r.status === 'ok').length;
+		const missingCount = results.filter((r) => r.status === 'missing').length;
+		const warnCount = results.filter((r) => r.status === 'warn').length;
+		ui.log(`\nSecrets check for environment: ${envName} (${envTier})\n`);
+		for (const [appId, reqs] of grouped) {
+			ui.log(`  ${appId}`);
+			for (const req of reqs) {
+				const result = results.find((r) => r.key === req.key && r.appId === req.appId);
+				if (!result) continue;
+				const icon = result.status === 'ok' ? '+' : result.status === 'missing' ? 'x' : '?';
+				const label = result.required ? 'required' : 'optional';
+				const src = result.source ? ` (${result.source})` : '';
+				ui.log(`    [${icon}] ${result.key.padEnd(40)} ${label.padEnd(10)} ${result.status}${src}`);
+			}
+			ui.log('');
+		}
+		ui.log(`  Summary: ${okCount} ok, ${missingCount} missing, ${warnCount} optional not set`);
+		if (missingCount > 0) {
+			ui.log(`  Run 'vibes secrets set <KEY>' to add missing secrets`);
+		}
+		ui.log('');
+		let manifestMissing = 0;
+		if (options.manifest && manifestChecks.length > 0) {
+			ui.log(`  Canonical manifest cross-check (${manifestChecks.length} entries)`);
+			for (const m of manifestChecks) {
+				const icon = m.status === 'ok' ? '+' : m.status === 'missing' ? 'x' : '?';
+				const label = m.required ? 'required' : 'optional';
+				const where = m.storedIn ? ` (${m.storedIn})` : ` <- ${m.source}`;
+				ui.log(`    [${icon}] ${m.key.padEnd(40)} ${label.padEnd(10)} ${m.status}${where}`);
+			}
+			const mOk = manifestChecks.filter((m) => m.status === 'ok').length;
+			manifestMissing = manifestChecks.filter((m) => m.status === 'missing').length;
+			const mWarn = manifestChecks.filter((m) => m.status === 'warn').length;
+			ui.log(`  Manifest summary: ${mOk} ok, ${manifestMissing} missing, ${mWarn} optional not set`);
+			if (manifestMissing > 0) {
+				ui.log(`  Run 'vibes secrets import' to populate from local sources`);
+			}
+			ui.log('');
+		}
+		if (missingCount > 0 || manifestMissing > 0) {
+			process.exit(1);
+		}
+	}
+};

package/src/cli/export/secrets.export.cli-command.descriptor.ts ADDED Viewed

@@ -0,0 +1,22 @@
+import type { CLICommandAssetDescriptor } from '@vibesdotdev/cli/schemas/types';
+const descriptor: CLICommandAssetDescriptor = {
+	kind: 'cli/command',
+	id: 'secrets.export',
+	name: 'export',
+	description: 'Export secrets from a local backend to an env-formatted file (audit-logged)',
+	group: 'secrets',
+	options: [
+		{ flags: '--environment <name>', description: 'Source environment (default: current)' },
+		{ flags: '--from <backend>', description: 'Source backend (default: highest-priority local)' },
+		{ flags: '--out <path>', description: 'Output file path (required; created mode 0600)' },
+		{ flags: '--manifest-only', description: 'Limit to keys declared in the canonical manifest' },
+		{ flags: '--force', description: 'Skip the interactive bulk-reveal confirmation' }
+	],
+	surfaces: ['cli'],
+	hardware: ['consumer'],
+	enabled: true,
+	order: 35
+};
+export default descriptor;

package/src/cli/export/secrets.export.cli-command.impl.ts ADDED Viewed

@@ -0,0 +1,139 @@
+import { resolve, dirname } from 'node:path';
+import { mkdir, writeFile, chmod, rename } from 'node:fs/promises';
+import { getVibesRuntime } from '@vibesdotdev/runtime';
+import type { UIContext } from '@vibesdotdev/cli/providers';
+import type { AuditLogInput } from '@vibesdotdev/logging';
+import type { SecretsStoreImplementation } from '../../kinds/store.interface';
+import type { SecretsStoreDescriptor, EnvironmentTier } from '../../kinds/store.schema';
+import { canonicalImportManifest } from '../../manifest/canonical';
+import { resolveSecretsEnvironment } from '../shared/resolve-environment';
+const LOCAL_BACKENDS = new Set(['env-file', 'encrypted-local']);
+function findSourceBackend(
+	descriptors: SecretsStoreDescriptor[],
+	tier: EnvironmentTier,
+	backendId?: string
+): SecretsStoreDescriptor | undefined {
+	if (backendId) return descriptors.find((d) => d.id === backendId);
+	return descriptors
+		.filter((d) => d.tiers.includes(tier) && LOCAL_BACKENDS.has(d.backend))
+		.sort((a, b) => (b.priority ?? 0) - (a.priority ?? 0))[0];
+}
+function serializeEnv(secrets: Record<string, string>): string {
+	const lines = Object.keys(secrets)
+		.sort()
+		.map((key) => {
+			const value = secrets[key] ?? '';
+			const needsQuote = value.includes(' ') || value.includes('#') || value.includes('"');
+			const escaped = needsQuote ? `"${value.replace(/"/g, '\\"')}"` : value;
+			return `${key}=${escaped}`;
+		});
+	return `# Generated by 'vibes secrets export' — DO NOT COMMIT\n${lines.join('\n')}\n`;
+}
+async function writeEnvFile(path: string, content: string): Promise<void> {
+	const absolute = resolve(process.cwd(), path);
+	await mkdir(dirname(absolute), { recursive: true });
+	const tmp = `${absolute}.tmp.${Date.now()}.${Math.random().toString(36).slice(2)}`;
+	await writeFile(tmp, content, { encoding: 'utf-8', mode: 0o600 });
+	await rename(tmp, absolute);
+	await chmod(absolute, 0o600);
+}
+async function promptConfirm(prompt: string): Promise<boolean> {
+	process.stderr.write(prompt);
+	for await (const chunk of process.stdin) {
+		const answer = (chunk as Buffer).toString('utf-8').trim().toLowerCase();
+		return answer === 'y' || answer === 'yes';
+	}
+	return false;
+}
+function emitAudit(input: AuditLogInput): void {
+	process.stderr.write(`[AUDIT] ${JSON.stringify({
+		id: crypto.randomUUID(),
+		timestamp: new Date().toISOString(),
+		...input
+	})}\n`);
+}
+export default {
+	async execute(_args: Record<string, unknown>, opts: Record<string, unknown>): Promise<void> {
+		const runtime = getVibesRuntime();
+		const ui = (await runtime.context('cli/ui')) as UIContext;
+		const options = opts as {
+			environment?: string;
+			from?: string;
+			out?: string;
+			manifestOnly?: boolean;
+			force?: boolean;
+		};
+		if (!options.out) {
+			ui.error('--out <path> is required. Export refuses to write secrets to stdout.');
+			process.exit(1);
+		}
+		const { name: envName, tier: envTier } = await resolveSecretsEnvironment(
+			ui,
+			options.environment
+		);
+		const descriptors = runtime.assets('secrets/store').descriptors() as SecretsStoreDescriptor[];
+		const source = findSourceBackend(descriptors, envTier, options.from);
+		if (!source) {
+			ui.error('No local secrets store found to export from.');
+			process.exit(1);
+		}
+		const impl = (await runtime
+			.query('secrets/store')
+			.withId(source.id)
+			.resolve()) as SecretsStoreImplementation;
+		let secrets = await impl.getAll(envName);
+		if (options.manifestOnly) {
+			const manifestKeys = new Set(canonicalImportManifest.secrets.map((s) => s.key));
+			secrets = Object.fromEntries(
+				Object.entries(secrets).filter(([k]) => manifestKeys.has(k))
+			);
+		}
+		const count = Object.keys(secrets).length;
+		if (count === 0) {
+			ui.info(`No secrets to export from [${source.id}] for ${envName}.`);
+			return;
+		}
+		if (!options.force) {
+			const confirmed = await promptConfirm(
+				`\n[EXPORT] About to write ${count} secret value(s) from [${source.id}] (${envName}) to ${options.out}.\nThis bulk reveal is logged to the audit trail.\nContinue? [y/N] `
+			);
+			if (!confirmed) {
+				ui.info('Export cancelled.');
+				return;
+			}
+		}
+		emitAudit({
+			category: 'data_access',
+			severity: 'high',
+			action: 'secrets.export',
+			actor: { id: 'cli', type: 'user', name: 'CLI user' },
+			target: { id: source.id, type: 'secrets-store', name: source.id },
+			outcome: 'success',
+			context: {
+				environment: envName,
+				backend: source.id,
+				count,
+				manifestOnly: options.manifestOnly === true,
+				outPath: options.out
+			}
+		});
+		await writeEnvFile(options.out, serializeEnv(secrets));
+		ui.success(`Exported ${count} secret(s) from [${source.id}] to ${options.out} (mode 0600)`);
+	}
+};

package/src/cli/hooks/pre-commit-secrets.ts ADDED Viewed

@@ -0,0 +1,73 @@
+const SECRET_PATTERNS: Array<{ pattern: RegExp; name: string }> = [
+	{ pattern: /sk_live_[a-zA-Z0-9]{24,}/, name: 'Stripe live secret key (sk_live_)' },
+	{ pattern: /pk_live_[a-zA-Z0-9]{24,}/, name: 'Stripe live public key (pk_live_)' },
+	{ pattern: /do_[a-zA-Z0-9]{32,}/, name: 'DigitalOcean API key (do_)' },
+	{ pattern: /AKIA[a-zA-Z0-9]{16,}/, name: 'AWS access key ID (AKIA)' },
+	{ pattern: /ghp_[a-zA-Z0-9]{36}/, name: 'GitHub personal access token (ghp_)' },
+	{ pattern: /gho_[a-zA-Z0-9]{36}/, name: 'GitHub OAuth token (gho_)' }
+];
+export async function runSecretsPreCommitCheck(workspacePath: string): Promise<number> {
+	const { execSync } = await import('node:child_process');
+	let stagedFiles: string[];
+	try {
+		const output = execSync('git diff --cached --name-only --diff-filter=ACM', {
+			cwd: workspacePath,
+			encoding: 'utf-8'
+		});
+		stagedFiles = output.trim().split('\n').filter(Boolean);
+	} catch {
+		return 0;
+	}
+	if (!stagedFiles.length) return 0;
+	const violations: Array<{ file: string; name: string; line?: string }> = [];
+	const { readFileSync } = await import('node:fs');
+	for (const file of stagedFiles) {
+		const fullPath = `${workspacePath}/${file}`;
+		let content: string;
+		try {
+			content = readFileSync(fullPath, 'utf-8');
+		} catch {
+			continue;
+		}
+		const lines = content.split('\n');
+		for (let i = 0; i < lines.length; i++) {
+			const line = lines[i];
+			for (const { pattern, name } of SECRET_PATTERNS) {
+				if (pattern.test(line)) {
+					violations.push({
+						file,
+						name,
+						line: line.trim().substring(0, 80)
+					});
+					break;
+				}
+			}
+		}
+	}
+	if (violations.length > 0) {
+		process.stderr.write(`\n[SECRETS-001] ${violations.length} secret pattern(s) detected in staged files.\n\n`);
+		for (const v of violations) {
+			process.stderr.write(`  BLOCKED  ${v.file}\n`);
+			process.stderr.write(`    Pattern: ${v.name}\n`);
+			if (v.line) {
+				process.stderr.write(`    Line: ${v.line}\n`);
+			}
+			process.stderr.write('\n');
+		}
+		process.stderr.write('Commit blocked: production secrets must not be committed.\n');
+		process.stderr.write('  - Rotate any exposed keys immediately.\n');
+		process.stderr.write('  - Use `vibes secrets set` to store in a secret manager.\n');
+		process.stderr.write('  - Add to .gitignore if genuinely not a secret.\n\n');
+		return 1;
+	}
+	return 0;
+}

package/src/cli/import/secrets.import.cli-command.descriptor.ts ADDED Viewed

@@ -0,0 +1,21 @@
+import type { CLICommandAssetDescriptor } from '@vibesdotdev/cli/schemas/types';
+const descriptor: CLICommandAssetDescriptor = {
+	kind: 'cli/command',
+	id: 'secrets.import',
+	name: 'import',
+	description: 'Import secrets from local root env files into a backend, driven by the canonical manifest',
+	group: 'secrets',
+	options: [
+		{ flags: '--environment <name>', description: 'Target environment (default: current)' },
+		{ flags: '--to <backend>', description: 'Target backend (default: encrypted-local)' },
+		{ flags: '--source <id>', description: 'Restrict to one source from the manifest' },
+		{ flags: '--dry-run', description: 'Show what would be imported without writing' }
+	],
+	surfaces: ['cli'],
+	hardware: ['consumer'],
+	enabled: true,
+	order: 30
+};
+export default descriptor;

package/src/cli/import/secrets.import.cli-command.impl.ts ADDED Viewed

@@ -0,0 +1,178 @@
+import { resolve } from 'node:path';
+import { readFile } from 'node:fs/promises';
+import { getVibesRuntime } from '@vibesdotdev/runtime';
+import type { UIContext } from '@vibesdotdev/cli/providers';
+import type { SecretsStoreImplementation } from '../../kinds/store.interface';
+import type { SecretsStoreDescriptor } from '../../kinds/store.schema';
+import { canonicalImportManifest } from '../../manifest/canonical';
+import { resolveSecretsEnvironment } from '../shared/resolve-environment';
+/**
+ * Tiny line-oriented .env parser. Returns a flat KEY → value map.
+ * Quoted values are unwrapped. Comments and blank lines are ignored.
+ * Missing files yield an empty map (not an error) — sources are bootstrap inputs.
+ */
+async function readEnvFile(path: string): Promise<Record<string, string>> {
+	let content: string;
+	try {
+		content = await readFile(path, 'utf-8');
+	} catch {
+		return {};
+	}
+	const result: Record<string, string> = {};
+	for (const raw of content.split('\n')) {
+		const line = raw.trim();
+		if (line === '' || line.startsWith('#')) continue;
+		const eqIdx = raw.indexOf('=');
+		if (eqIdx === -1) continue;
+		const key = raw.slice(0, eqIdx).trim();
+		let value = raw.slice(eqIdx + 1).trim();
+		if (
+			(value.startsWith('"') && value.endsWith('"')) ||
+			(value.startsWith("'") && value.endsWith("'"))
+		) {
+			value = value.slice(1, -1);
+		}
+		result[key] = value;
+	}
+	return result;
+}
+function pickValue(
+	envMap: Record<string, string>,
+	key: string,
+	aliases: string[]
+): string | undefined {
+	if (envMap[key] !== undefined && envMap[key] !== '') return envMap[key];
+	for (const alias of aliases) {
+		if (envMap[alias] !== undefined && envMap[alias] !== '') return envMap[alias];
+	}
+	return undefined;
+}
+export default {
+	async execute(_args: Record<string, unknown>, opts: Record<string, unknown>): Promise<void> {
+		const runtime = getVibesRuntime();
+		const ui = (await runtime.context('cli/ui')) as UIContext;
+		const options = opts as {
+			environment?: string;
+			to?: string;
+			source?: string;
+			dryRun?: boolean;
+		};
+		const { name: envName, tier: envTier } = await resolveSecretsEnvironment(
+			ui,
+			options.environment
+		);
+		const sourceFilter = options.source;
+		if (sourceFilter && !canonicalImportManifest.sources[sourceFilter]) {
+			ui.error(`Unknown source: ${sourceFilter}. Known: ${Object.keys(canonicalImportManifest.sources).join(', ')}`);
+			process.exit(1);
+		}
+		const repoRoot = process.cwd();
+		const sourceContents = new Map<string, Record<string, string>>();
+		const manualSources = new Set<string>();
+		for (const [id, src] of Object.entries(canonicalImportManifest.sources)) {
+			if (sourceFilter && id !== sourceFilter) continue;
+			if (!src.path) {
+				manualSources.add(id);
+				continue;
+			}
+			sourceContents.set(id, await readEnvFile(resolve(repoRoot, src.path)));
+		}
+		const found: Record<string, string> = {};
+		const missingRequired: string[] = [];
+		const missingOptional: string[] = [];
+		const manualEntries: { key: string; required: boolean }[] = [];
+		for (const entry of canonicalImportManifest.secrets) {
+			if (sourceFilter && entry.source !== sourceFilter) continue;
+			if (manualSources.has(entry.source)) {
+				manualEntries.push({ key: entry.key, required: entry.required });
+				continue;
+			}
+			const sourceMap = sourceContents.get(entry.source);
+			if (!sourceMap) {
+				if (entry.required) missingRequired.push(entry.key);
+				else missingOptional.push(entry.key);
+				continue;
+			}
+			const value = pickValue(sourceMap, entry.key, entry.aliases);
+			if (value === undefined) {
+				if (entry.required) missingRequired.push(entry.key);
+				else missingOptional.push(entry.key);
+				continue;
+			}
+			found[entry.key] = value;
+		}
+		const foundCount = Object.keys(found).length;
+		if (options.dryRun) {
+			ui.log(`\nDry run: would import ${foundCount} secret(s) for ${envName}\n`);
+			for (const key of Object.keys(found).sort()) ui.log(`  + ${key}`);
+			if (missingRequired.length) {
+				ui.log(`\n  ${missingRequired.length} required secret(s) not found:`);
+				for (const key of missingRequired) ui.log(`  ! ${key}`);
+			}
+			if (missingOptional.length) {
+				ui.log(`\n  ${missingOptional.length} optional secret(s) not found:`);
+				for (const key of missingOptional) ui.log(`  ? ${key}`);
+			}
+			if (manualEntries.length) {
+				ui.log(`\n  ${manualEntries.length} manual entry/entries (set via 'vibes secrets set'):`);
+				for (const { key, required } of manualEntries) {
+					ui.log(`  m ${key} (${required ? 'required' : 'optional'})`);
+				}
+			}
+			ui.log('');
+			return;
+		}
+		if (foundCount === 0) {
+			ui.warn('No secrets found in any source file. Nothing to import.');
+			if (missingRequired.length > 0) process.exit(1);
+			return;
+		}
+		const descriptors = runtime.assets('secrets/store').descriptors() as SecretsStoreDescriptor[];
+		const targetId = options.to ?? 'encrypted-local';
+		const target = descriptors.find((d) => d.id === targetId)
+			?? descriptors.filter((d) => d.tiers.includes(envTier) && d.backend === 'encrypted-local')[0];
+		if (!target) {
+			ui.error(`No backend available with id [${targetId}] for tier ${envTier}`);
+			process.exit(1);
+		}
+		const impl = (await runtime
+			.query('secrets/store')
+			.withId(target.id)
+			.resolve()) as SecretsStoreImplementation;
+		await impl.setAll(envName, found);
+		ui.success(`Imported ${foundCount} secret(s) into [${target.id}] for ${envName}`);
+		const missingManualRequired = manualEntries.filter((e) => e.required).map((e) => e.key);
+		if (manualEntries.length > 0) {
+			ui.info(
+				`${manualEntries.length} manual entry/entries — set via 'vibes secrets set <KEY>' (${
+					missingManualRequired.length
+				} required)`
+			);
+		}
+		if (missingRequired.length > 0) {
+			ui.warn(`${missingRequired.length} required secret(s) missing from sources: ${missingRequired.join(', ')}`);
+			process.exit(1);
+		}
+		if (missingOptional.length > 0) {
+			ui.info(`${missingOptional.length} optional secret(s) skipped: ${missingOptional.join(', ')}`);
+		}
+	}
+};

package/src/cli/list/secrets.list.cli-command.descriptor.ts ADDED Viewed

@@ -0,0 +1,21 @@
+import type { CLICommandAssetDescriptor } from '@vibesdotdev/cli/schemas/types';
+const descriptor: CLICommandAssetDescriptor = {
+	kind: 'cli/command',
+	id: 'secrets.list',
+	name: 'list',
+	description: 'List secrets for the current environment',
+	group: 'secrets',
+	options: [
+		{ flags: '--environment <name>', description: 'Target environment (default: current)' },
+		{ flags: '--backend <id>', description: 'Filter to a specific backend' },
+		{ flags: '--json', description: 'Output as JSON' }
+	],
+	surfaces: ['cli'],
+	hardware: ['consumer'],
+	enabled: true,
+	order: 10
+};
+export default descriptor;