@zero-server/sdk 0.9.5 → 0.9.7

package/lib/auth/jwt.js

@@ -13,7 +13,7 @@
  *   const app = createApp();
  *   const SECRET = process.env.JWT_SECRET;
  *
- *   // Public — issue tokens
+ *   // Public - issue tokens
  *   app.post('/login', json(), async (req, res) => {
  *       const { email, password } = req.body;
  *       const user = await db.users.findOne({ email });
@@ -24,7 +24,7 @@
  *       res.json({ token });
  *   });
  *
- *   // Protected — everything under /api requires a valid token
+ *   // Protected - everything under /api requires a valid token
  *   const api = Router();
  *   api.use(jwt({ secret: SECRET }));
  *   api.get('/me', (req, res) => res.json({ id: req.user.sub, role: req.user.role }));
@@ -79,7 +79,7 @@ function _base64urlDecode(str)
 
 /**
  * Decode a JWT without verifying the signature.
- * Returns `null` for malformed tokens — never throws.
+ * Returns `null` for malformed tokens - never throws.
  *
  * @param {string} token - Raw JWT string.
  * @returns {{ header: object, payload: object, signature: string }|null}
@@ -268,7 +268,7 @@ function verify(token, secretOrKey, opts = {})
  * @param {Function} [opts.fetcher] - Custom fetch function (default: built-in fetch).
  * @param {number} [opts.cacheTtl=600000] - Cache TTL in ms (default 10 minutes).
  * @param {number} [opts.requestTimeout=5000] - Request timeout in ms.
- * @returns {Function} `async (header) => publicKey` — resolves the signing key for a JWT header.
+ * @returns {Function} `async (header) => publicKey` - resolves the signing key for a JWT header.
  *
  * @example
  *   const getKey = jwks('https://auth.example.com/.well-known/jwks.json');
@@ -330,7 +330,7 @@ function jwks(jwksUri, opts = {})
             return pem;
         }
 
-        // No kid — return the first RSA key
+        // No kid - return the first RSA key
         const first = keys.values().next().value;
         if (!first) throw _jwtError('No suitable key in JWKS', 'JWKS_NO_KEY');
         return first;
@@ -347,9 +347,9 @@ function jwks(jwksUri, opts = {})
  * Create JWT authentication middleware.
  *
  * On success, populates:
- *   - `req.user` — decoded payload
- *   - `req.auth` — `{ header, payload, token }` full decode info
- *   - `req.token` — raw JWT string
+ *   - `req.user` - decoded payload
+ *   - `req.auth` - `{ header, payload, token }` full decode info
+ *   - `req.token` - raw JWT string
  *
  * @param {object} opts - Configuration.
  * @param {string|Buffer} [opts.secret] - HMAC secret for HS* algorithms.
@@ -367,7 +367,7 @@ function jwks(jwksUri, opts = {})
  * @param {number} [opts.clockTolerance=0] - Clock skew tolerance in seconds.
  * @param {number} [opts.maxAge] - Maximum token age in seconds.
  * @param {boolean} [opts.credentialsRequired=true] - Return 401 if no token found (false = optional auth).
- * @param {Function} [opts.isRevoked] - `async (payload) => boolean` — check token revocation.
+ * @param {Function} [opts.isRevoked] - `async (payload) => boolean` - check token revocation.
  * @param {Function} [opts.onError] - Custom error handler `(err, req, res) => void`.
  * @returns {Function} Middleware `(req, res, next) => void`.
  *

package/lib/auth/oauth.js

@@ -224,7 +224,7 @@ function oauth(opts = {})
             // Validate state (CSRF prevention)
             if (verify.state && query.state !== verify.state)
             {
-                throw _oauthError('State mismatch — possible CSRF attack', 'OAUTH_STATE_MISMATCH');
+                throw _oauthError('State mismatch - possible CSRF attack', 'OAUTH_STATE_MISMATCH');
             }
 
             const body = {

package/lib/auth/session.js

@@ -263,7 +263,7 @@ class Session
         return { ...this._flash };
     }
 
-    /** @private — serialize to JSON for cookie/store */
+    /** @private - serialize to JSON for cookie/store */
     _serialize()
     {
         const obj = { d: this._data };
@@ -271,7 +271,7 @@ class Session
         return JSON.stringify(obj);
     }
 
-    /** @private — deserialize from JSON */
+    /** @private - deserialize from JSON */
     static _deserialize(json, id)
     {
         try
@@ -472,7 +472,7 @@ function session(opts = {})
         req.session = sess;
 
         // Intercept response to persist session
-        // Hook into res.raw.end (Node ServerResponse) — the Response wrapper
+        // Hook into res.raw.end (Node ServerResponse) - the Response wrapper
         // has no .end() method; its .send()/.json() helpers call raw.end().
         const raw = res.raw;
         const origEnd = raw.end.bind(raw);
@@ -481,7 +481,7 @@ function session(opts = {})
             try
             {
                 // _saveSession calls res.cookie() / res.clearCookie() which set
-                // Set-Cookie headers on raw via raw.setHeader — safe because
+                // Set-Cookie headers on raw via raw.setHeader - safe because
                 // headers aren't flushed until the original end() runs.
                 // NOTE: store-based sessions are sync-compatible because
                 // MemoryStore.set/get return resolved promises synchronously
@@ -574,7 +574,7 @@ function _saveSession(req, res, sess, ctx)
         const encrypted = _encrypt(payload, ctx.keys[0]);
         if (encrypted.length > MAX_COOKIE_SIZE)
         {
-            log.warn('session cookie exceeds %d bytes — consider using a store', MAX_COOKIE_SIZE);
+            log.warn('session cookie exceeds %d bytes - consider using a store', MAX_COOKIE_SIZE);
         }
         res.cookie(ctx.cookieName, encrypted, cOpts);
         log.debug('cookie session saved');

package/lib/auth/trustedDevice.js

@@ -7,7 +7,7 @@
  *              Subsequent requests skip the 2FA prompt if the trust token is valid.
  *              Supports secret rotation, IP binding, and revocation.
  *
- *              Uses AES-256-GCM encryption — tokens are encrypted, not just signed,
+ *              Uses AES-256-GCM encryption - tokens are encrypted, not just signed,
  *              preventing information leakage.
  *
  * @example
@@ -370,7 +370,7 @@ function _defaultFingerprint(req)
  */
 function _defaultGetUserId(req)
 {
-    if (!req.user) throw new Error('No user on request — authentication middleware required');
+    if (!req.user) throw new Error('No user on request - authentication middleware required');
     return req.user.id || req.user.sub || req.user._id;
 }
 

package/lib/auth/twoFactor.js

@@ -4,7 +4,7 @@
  *              Implements TOTP (RFC 6238 / RFC 4226), backup codes,
  *              and composable middleware for step-up verification.
  *
- *              Uses only Node.js built-in `crypto` — no external packages.
+ *              Uses only Node.js built-in `crypto` - no external packages.
  *
  * @example | Setup 2FA for a user
  *   const { twoFactor } = require('@zero-server/sdk');
@@ -228,7 +228,7 @@ function _base32Decode(str)
 
 /**
  * Generate an HOTP code for a given counter value.
- * Implements RFC 4226 §5 — HMAC-based One-Time Password.
+ * Implements RFC 4226 §5 - HMAC-based One-Time Password.
  *
  * @param {Buffer} secret - Shared secret key.
  * @param {number} counter - 8-byte counter value.
@@ -498,13 +498,13 @@ function verifyBackupCode(code, hashes)
 
 /**
  * Middleware that requires completed 2FA verification on the session.
- * Checks `req.session.get('twoFactorVerified')` — returns 403 if not set.
+ * Checks `req.session.get('twoFactorVerified')` - returns 403 if not set.
  *
  * Designed to compose with `jwt()` or `session()` middleware:
  *
  *     app.use(jwt({ secret }));
  *     app.use(require2FA());
- *     // — or —
+ *     // - or -
  *     app.use(session({ secret }));
  *     app.use(require2FA());
  *
@@ -517,7 +517,7 @@ function verifyBackupCode(code, hashes)
  *        Defaults to always requiring 2FA.
  * @returns {Function} Middleware `(req, res, next) => void`.
  *
- * @example | Basic — all authenticated users must complete 2FA
+ * @example | Basic - all authenticated users must complete 2FA
  *   app.use(require2FA());
  *
  * @example | Only enforce for users who have enrolled
@@ -548,7 +548,7 @@ function require2FA(opts = {})
                 const enabled = await isEnabled(req);
                 if (!enabled)
                 {
-                    log('2FA not enabled for user — skipping');
+                    log('2FA not enabled for user - skipping');
                     return next();
                 }
             }
@@ -568,7 +568,7 @@ function require2FA(opts = {})
         const session = req.session;
         if (!session || typeof session.get !== 'function')
         {
-            log.warn('require2FA: no session found — is session() middleware active?');
+            log.warn('require2FA: no session found - is session() middleware active?');
             const raw = res.raw || res;
             if (raw.headersSent) return;
             raw.statusCode = 500;
@@ -583,7 +583,7 @@ function require2FA(opts = {})
             return next();
         }
 
-        log.warn('2FA not completed — blocking request');
+        log.warn('2FA not completed - blocking request');
         const raw = res.raw || res;
         if (raw.headersSent) return;
         raw.statusCode = statusCode;
@@ -690,7 +690,7 @@ function verifyTOTPMiddleware(opts = {})
                 raw.end(JSON.stringify({ error: 'Too many attempts. Try again later.', retryAfter }));
                 return;
             }
-            // Lockout expired — reset
+            // Lockout expired - reset
             attempts.delete(ip);
         }
 
@@ -735,7 +735,7 @@ function verifyTOTPMiddleware(opts = {})
 
         if (result.valid)
         {
-            // Replay prevention (RFC 6238 §5.2) — check AFTER signature
+            // Replay prevention (RFC 6238 §5.2) - check AFTER signature
             // verification to avoid leaking timing information about whether
             // a code was previously used.
             if (opts.replayStore)
@@ -775,7 +775,7 @@ function verifyTOTPMiddleware(opts = {})
                 catch (err)
                 {
                     log.error('replay store error: %s', err.message);
-                    // Fail open for store errors — don't block legitimate users
+                    // Fail open for store errors - don't block legitimate users
                 }
             }
 

package/lib/auth/webauthn.js

@@ -145,7 +145,7 @@ const cbor = {
                     if (additionalInfo === 23) return undefined;
                     if (additionalInfo === 25)
                     {
-                        // float16 — not commonly used in WebAuthn but handle it
+                        // float16 - not commonly used in WebAuthn but handle it
                         offset -= 0; // already read
                         return readArgument(additionalInfo);
                     }
@@ -593,7 +593,7 @@ function verifyRegistration(opts)
         if (clientData.type !== 'webauthn.create')
             return { verified: false, credential: null, error: `Invalid type: ${clientData.type}` };
 
-        // Strict origin validation — exact match, no regex
+        // Strict origin validation - exact match, no regex
         if (clientData.origin !== expectedOrigin)
             return { verified: false, credential: null, error: `Origin mismatch: ${clientData.origin}` };
 
@@ -627,7 +627,7 @@ function verifyRegistration(opts)
 
         if (fmt === 'none')
         {
-            // No attestation — acceptable for 'none' conveyance
+            // No attestation - acceptable for 'none' conveyance
             log.debug('registration with "none" attestation format');
         }
         else if (fmt === 'packed')
@@ -644,7 +644,7 @@ function verifyRegistration(opts)
         }
         else
         {
-            log.warn('unknown attestation format: %s — treating as none', fmt);
+            log.warn('unknown attestation format: %s - treating as none', fmt);
         }
 
         // 8. Extract public key from COSE format
@@ -703,7 +703,7 @@ function _verifyPackedAttestation(attStmt, parsedAuthData, rawAuthData, clientDa
     }
     else
     {
-        // Self-attestation — verify with the credential public key
+        // Self-attestation - verify with the credential public key
         const { key } = _coseToPublicKey(parsedAuthData.credentialPublicKey);
         const algName = _coseAlgToNodeAlg(alg);
         return crypto.verify(algName, signedData, key, sig);
@@ -881,7 +881,7 @@ function verifyAuthentication(opts)
         if (!authData.userPresent)
             return { verified: false, newCounter: null, error: 'User not present' };
 
-        // 5. Counter validation — detect cloned authenticators
+        // 5. Counter validation - detect cloned authenticators
         if (authData.signCount > 0 || credential.counter > 0)
         {
             if (authData.signCount <= credential.counter)

package/lib/body/json.js

@@ -37,7 +37,7 @@ function _sanitize(obj)
  * @param {boolean}         [options.strict=true] - When true, reject non-object/array roots.
  * @param {string|string[]|Function} [options.type='application/json'] - Content-Type(s) to match.
  * @param {boolean}         [options.requireSecure=false] - When true, reject non-HTTPS requests with 403.
- * @param {Function}        [options.verify]   - `verify(req, res, buf, encoding)` — called before parsing. Throw to reject with 403.
+ * @param {Function}        [options.verify]   - `verify(req, res, buf, encoding)` - called before parsing. Throw to reject with 403.
  * @param {boolean}         [options.inflate=true] - Decompress gzip/deflate/br bodies. When false, compressed bodies return 415.
  * @returns {Function} Async middleware `(req, res, next) => void`.
  *

package/lib/body/raw.js

@@ -15,7 +15,7 @@ const sendError = require('./sendError');
  * @param {string|number}   [options.limit]                           - Max body size. Default `'1mb'`.
  * @param {string|string[]|Function} [options.type='application/octet-stream'] - Content-Type(s) to match.
  * @param {boolean}         [options.requireSecure=false]             - When true, reject non-HTTPS requests with 403.
- * @param {Function}        [options.verify]   - `verify(req, res, buf)` — called before setting body. Throw to reject with 403.
+ * @param {Function}        [options.verify]   - `verify(req, res, buf)` - called before setting body. Throw to reject with 403.
  * @param {boolean}         [options.inflate=true] - Decompress gzip/deflate/br bodies. When false, compressed bodies return 415.
  * @returns {Function} Async middleware `(req, res, next) => void`.
  *

package/lib/body/rawBuffer.js

@@ -78,7 +78,7 @@ function rawBuffer(req, opts = {})
         const encoding = (headers['content-encoding'] || '').toLowerCase().trim();
         const isCompressed = encoding && encoding !== 'identity';
 
-        // Content-Length pre-check (skip for compressed bodies — CL is the compressed size)
+        // Content-Length pre-check (skip for compressed bodies - CL is the compressed size)
         if (!isCompressed)
         {
             const cl = parseInt(headers['content-length'], 10);

package/lib/body/text.js

@@ -17,7 +17,7 @@ const sendError = require('./sendError');
  * @param {string}          [options.encoding='utf8']    - Fallback character encoding when Content-Type has no charset.
  * @param {string|string[]|Function} [options.type='text/*'] - Content-Type(s) to match.
  * @param {boolean}         [options.requireSecure=false] - When true, reject non-HTTPS requests with 403.
- * @param {Function}        [options.verify]   - `verify(req, res, buf, encoding)` — called before decoding. Throw to reject with 403.
+ * @param {Function}        [options.verify]   - `verify(req, res, buf, encoding)` - called before decoding. Throw to reject with 403.
  * @param {boolean}         [options.inflate=true] - Decompress gzip/deflate/br bodies. When false, compressed bodies return 415.
  * @returns {Function} Async middleware `(req, res, next) => void`.
  *

package/lib/body/urlencoded.js

@@ -35,7 +35,7 @@ function appendValue(prev, val)
  * @param {boolean}         [options.requireSecure=false] - When true, reject non-HTTPS requests with 403.
  * @param {number}          [options.parameterLimit=1000] - Max number of parameters. Prevents DoS via huge payloads.
  * @param {number}          [options.depth=32]  - Max nesting depth for bracket syntax. Prevents deep-nesting DoS.
- * @param {Function}        [options.verify]    - `verify(req, res, buf, encoding)` — called before parsing. Throw to reject with 403.
+ * @param {Function}        [options.verify]    - `verify(req, res, buf, encoding)` - called before parsing. Throw to reject with 403.
  * @param {boolean}         [options.inflate=true] - Decompress gzip/deflate/br bodies.
  * @returns {Function} Async middleware `(req, res, next) => void`.
  *
@@ -158,7 +158,7 @@ function urlencoded(options = {})
                                 cur.push(v);
                                 break;
                             }
-                            // Intermediate empty bracket — navigate into next element of the array
+                            // Intermediate empty bracket - navigate into next element of the array
                             if (!Array.isArray(cur))
                             {
                                 const arr = [];
@@ -200,7 +200,7 @@ function urlencoded(options = {})
                                     cur = cur[idx];
                                 } else
                                 {
-                                    // Non-numeric key on array — navigate into last pushed object
+                                    // Non-numeric key on array - navigate into last pushed object
                                     if (cur.length === 0) cur.push({});
                                     if (typeof cur[cur.length - 1] !== 'object') cur.push({});
                                     const obj = cur[cur.length - 1];

package/lib/cli.js

@@ -9,7 +9,7 @@
  *              that exports your database adapter and connection settings.
  *
  * @example
- *   // zero.config.js — required by all CLI commands except make:* and help
+ *   // zero.config.js - required by all CLI commands except make:* and help
  *   module.exports = {
  *       adapter: 'sqlite',
  *       connection: { filename: './app.db' },
@@ -150,6 +150,15 @@ class CLI
      */
     async run()
     {
+        // WebRTC subcommands - delegate the whole `webrtc:*` namespace to the
+        // webrtc CLI module so the top-level dispatcher stays small.
+        if (typeof this.command === 'string' && this.command.startsWith('webrtc:'))
+        {
+            const { runWebRTCCommand } = require('./webrtc/cli');
+            await runWebRTCCommand(this.command.slice('webrtc:'.length), this.flags);
+            return;
+        }
+
         const commands = {
             'migrate':           () => this._migrate(),
             'migrate:rollback':  () => this._rollback(),
@@ -421,7 +430,7 @@ class CLI
         const status = await migrator.status();
         if (status.executed.includes(lastMigration.name))
         {
-            console.error(red(`Cannot remove "${lastMigration.name}" — it has already been applied.`));
+            console.error(red(`Cannot remove "${lastMigration.name}" - it has already been applied.`));
             console.error(dim('Run "zh migrate:rollback" first, then try again.'));
             process.exitCode = 1;
             await db.close();
@@ -645,7 +654,7 @@ module.exports = {
 
         if (hasNoChanges(changes))
         {
-            console.log(dim('No schema changes detected — nothing to migrate.'));
+            console.log(dim('No schema changes detected - nothing to migrate.'));
             return;
         }
 
@@ -742,7 +751,7 @@ module.exports = ${className};
     _help()
     {
         console.log(`
-${bold('zh CLI')} — zero-server ORM tooling
+${bold('zh CLI')} - zero-server ORM tooling
 
 ${bold('Usage:')}  npx zh <command> [options]
 
@@ -761,6 +770,12 @@ ${bold('Commands:')}
   ${cyan('make:migration')} <n>   Auto-generate migration from model changes
   ${cyan('make:seeder')} <name>   Scaffold a new seeder file
 
+  ${cyan('webrtc:stun')}          Run a STUN binding probe, print public addr
+  ${cyan('webrtc:turn-creds')}    Issue ephemeral TURN credentials
+  ${cyan('webrtc:join-token')}    Sign a signaling join token
+  ${cyan('webrtc:verify-token')}  Verify and decode a join token
+  ${cyan('webrtc:help')}          Show webrtc subcommand help
+
   ${cyan('help')}                 Show this help message
   ${cyan('version')}              Show version
 

package/lib/cluster.js

@@ -455,7 +455,7 @@ class ClusterManager
 
     /**
      * Perform a rolling restart of all workers (zero-downtime).
-     * Workers are restarted one at a time — a new worker is spawned and
+     * Workers are restarted one at a time - a new worker is spawned and
      * confirmed listening before the old one is disconnected.
      *
      * @returns {Promise<void>} Resolves when all workers have been replaced.
@@ -482,7 +482,7 @@ class ClusterManager
             await new Promise((resolve) =>
             {
                 replacement.once('listening', resolve);
-                // Safety timeout — don't wait forever
+                // Safety timeout - don't wait forever
                 const timer = setTimeout(resolve, 10000);
                 if (timer.unref) timer.unref();
             });
@@ -630,7 +630,7 @@ function clusterize(workerFn, opts = {})
     }
     else
     {
-        // Worker process — listen for shutdown IPC from primary
+        // Worker process - listen for shutdown IPC from primary
         mgr.onMessage('shutdown', () =>
         {
             log.info('worker received shutdown message');

package/lib/debug.js

@@ -16,7 +16,7 @@
  *   log.error('failed to connect', err);
  *   log('shorthand for debug level');
  *
- *   // Set minimum level — anything below is silenced
+ *   // Set minimum level - anything below is silenced
  *   debug.level('warn');   // only warn, error, fatal
  *   debug.level('silent'); // suppress all output
  *   debug.level('trace');  // show everything
@@ -81,7 +81,7 @@ _enabledPatterns = _parsePatterns();
  */
 function _isEnabled(ns)
 {
-    if (!_enabledPatterns) return true; // No DEBUG set — enable all
+    if (!_enabledPatterns) return true; // No DEBUG set - enable all
     let enabled = false;
     for (const { neg, re } of _enabledPatterns)
     {
@@ -116,7 +116,7 @@ function _ts()
 }
 
 /**
- * Format arguments (like console.log — supports %s, %d, %j, %o).
+ * Format arguments (like console.log - supports %s, %d, %j, %o).
  * @private
  */
 function _format(args)
@@ -278,13 +278,13 @@ function debug(namespace)
  * Messages below this level are silenced.
  *
  * @param {string|number} level - Level name or number.
- *   `'trace'` (0) — all output
- *   `'debug'` (1) — debug and above
- *   `'info'` (2) — info and above
- *   `'warn'` (3) — warn and above
- *   `'error'` (4) — error and fatal only
- *   `'fatal'` (5) — fatal only
- *   `'silent'` (6) — nothing
+ *   `'trace'` (0) - all output
+ *   `'debug'` (1) - debug and above
+ *   `'info'` (2) - info and above
+ *   `'warn'` (3) - warn and above
+ *   `'error'` (4) - error and fatal only
+ *   `'fatal'` (5) - fatal only
+ *   `'silent'` (6) - nothing
  */
 debug.level = function(level)
 {

package/lib/env/index.js

@@ -61,7 +61,7 @@ function parse(src)
         const key = line.slice(0, eqIdx).trim();
         let value = line.slice(eqIdx + 1).trim();
 
-        // Validate key name — only word chars + dots
+        // Validate key name - only word chars + dots
         if (!/^[\w.]+$/.test(key)) continue;
 
         // Quoted values
@@ -72,7 +72,7 @@ function parse(src)
         }
         else if (q === '"' || q === "'" || q === '`')
         {
-            // Multiline — read until closing quote
+            // Multiline - read until closing quote
             let multiline = value.slice(1);
             while (i < lines.length)
             {
@@ -89,7 +89,7 @@ function parse(src)
         }
         else
         {
-            // Unquoted — strip inline comment
+            // Unquoted - strip inline comment
             const hashIdx = value.indexOf(' #');
             if (hashIdx !== -1) value = value.slice(0, hashIdx).trim();
         }
@@ -215,10 +215,10 @@ let _loaded = false;
  * Load environment variables from `.env` files and validate against a typed schema.
  *
  * Files are loaded in precedence order (later overrides earlier):
- * 1. `.env` — shared defaults
- * 2. `.env.local` — local overrides (gitignored)
- * 3. `.env.{NODE_ENV}` — environment-specific  (e.g. `.env.production`)
- * 4. `.env.{NODE_ENV}.local` — env-specific local overrides
+ * 1. `.env` - shared defaults
+ * 2. `.env.local` - local overrides (gitignored)
+ * 3. `.env.{NODE_ENV}` - environment-specific  (e.g. `.env.production`)
+ * 4. `.env.{NODE_ENV}.local` - env-specific local overrides
  *
  * Process environment variables (`process.env`) always take precedence.
  *
@@ -284,7 +284,7 @@ function load(schema, options = {})
     }
     else
     {
-        // No schema — load everything
+        // No schema - load everything
         Object.assign(merged, raw);
         for (const key of Object.keys(raw))
         {
@@ -340,7 +340,7 @@ function load(schema, options = {})
     }
     else
     {
-        // No schema — store raw strings
+        // No schema - store raw strings
         Object.assign(_store, merged);
     }
 
@@ -427,11 +427,11 @@ function reset()
 }
 
 // ===========================================================
-//  Proxy-based accessor — env.PORT, env('PORT'), env.get('PORT')
+//  Proxy-based accessor - env.PORT, env('PORT'), env.get('PORT')
 // ===========================================================
 
 /**
- * The env function — callable as `env(key)` or `env.key`.
+ * The env function - callable as `env(key)` or `env.key`.
  *
  * @param {string} key - Environment variable name.
  * @returns {*} Result value.