@wrongstack/core 0.7.4 → 0.7.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -424,7 +424,9 @@ var DefaultSecretVault = class {
424
424
  try {
425
425
  const buf = fs2.readFileSync(this.keyFile);
426
426
  if (buf.length !== KEY_BYTES) {
427
- throw new Error(`SecretVault: key file ${this.keyFile} has wrong size`);
427
+ throw new Error(
428
+ `SecretVault: key file ${this.keyFile} is ${buf.length} bytes (expected ${KEY_BYTES}). Remove it manually to generate a new key.`
429
+ );
428
430
  }
429
431
  this.key = buf;
430
432
  return this.key;
@@ -439,7 +441,9 @@ var DefaultSecretVault = class {
439
441
  if (err.code !== "EEXIST") throw err;
440
442
  const buf = fs2.readFileSync(this.keyFile);
441
443
  if (buf.length !== KEY_BYTES) {
442
- throw new Error(`SecretVault: key file ${this.keyFile} has wrong size`);
444
+ throw new Error(
445
+ `SecretVault: key file ${this.keyFile} is ${buf.length} bytes (expected ${KEY_BYTES}). Remove it manually to generate a new key.`
446
+ );
443
447
  }
444
448
  this.key = buf;
445
449
  return this.key;
@@ -500,10 +504,7 @@ async function rewriteConfigEncrypted(configPath, vault, patch) {
500
504
  const encrypted = encryptConfigSecrets(merged, vault);
501
505
  await fs.mkdir(path4.dirname(configPath), { recursive: true });
502
506
  await atomicWrite(configPath, JSON.stringify(encrypted, null, 2), { mode: 384 });
503
- try {
504
- await fs.chmod(configPath, 384);
505
- } catch {
506
- }
507
+ await restrictFilePermissions(configPath);
507
508
  }
508
509
  async function migratePlaintextSecrets(configPath, vault) {
509
510
  let raw;
@@ -522,12 +523,26 @@ async function migratePlaintextSecrets(configPath, vault) {
522
523
  const migrated = walkCount(parsed, vault, counter);
523
524
  if (counter.n === 0) return { migrated: 0, file: configPath };
524
525
  await atomicWrite(configPath, JSON.stringify(migrated, null, 2), { mode: 384 });
525
- try {
526
- await fs.chmod(configPath, 384);
527
- } catch {
528
- }
526
+ await restrictFilePermissions(configPath);
529
527
  return { migrated: counter.n, file: configPath };
530
528
  }
529
+ async function restrictFilePermissions(filePath) {
530
+ if (process.platform === "win32") {
531
+ try {
532
+ const { execFile } = await import('child_process');
533
+ const { promisify } = await import('util');
534
+ const execFileAsync = promisify(execFile);
535
+ await execFileAsync("icacls", [filePath, "/inheritance:r", "/grant:r", `${process.env.USERNAME}:(F)`]);
536
+ } catch {
537
+ console.warn(`[secret-vault] Could not restrict permissions on ${filePath} \u2014 config file may be readable by other users on this system.`);
538
+ }
539
+ } else {
540
+ try {
541
+ await fs.chmod(filePath, 384);
542
+ } catch {
543
+ }
544
+ }
545
+ }
531
546
  function walkCount(node, vault, counter) {
532
547
  if (node === null || node === void 0) return node;
533
548
  if (typeof node !== "object") return node;