@zintrust/core 1.8.4 → 1.8.6

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@zintrust/core",
-  "version": "1.8.4",
+  "version": "1.8.6",
   "description": "Production-grade TypeScript backend framework for JavaScript",
   "homepage": "https://zintrust.com",
   "repository": {
@@ -59,14 +59,14 @@
   "dependencies": {
     "@cloudflare/containers": "^0.3.4",
     "bcryptjs": "^3.0.3",
-    "bullmq": "^5.76.8",
+    "bullmq": "^5.76.10",
     "chalk": "^5.6.2",
     "commander": "^14.0.3",
     "inquirer": "^13.4.3",
     "jsonwebtoken": "^9.0.3",
     "mysql2": "^3.22.3",
-    "pg": "^8.20.0",
-    "tsx": "^4.22.0"
+    "pg": "^8.21.0",
+    "tsx": "^4.22.3"
   },
   "overrides": {
     "ajv": "^8.18.0",
@@ -76,8 +76,8 @@
     "@tootallnate/once": "3.0.1",
     "node-forge": "^1.4.0",
     "fast-uri": "3.1.2",
-    "fast-xml-builder": "1.2.0",
     "fast-xml-parser": "5.8.0",
+    "protobufjs": "7.5.9",
     "brace-expansion": "^5.0.5",
     "picomatch": "^4.0.4",
     "cross-spawn": "^7.0.5",

package/src/cli/CLI.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"CLI.d.ts","sourceRoot":"","sources":["../../../src/cli/CLI.ts"],"names":[],"mappings":"AAAA;;;GAGG;AA0EH,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAIpC,MAAM,WAAW,IAAI;IACnB,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACnC,UAAU,IAAI,OAAO,CAAC;CACvB;AAqQD;;;;;;;GAOG;AACH,eAAO,MAAM,GAAG;cACJ,IAAI;EAed,CAAC"}
+{"version":3,"file":"CLI.d.ts","sourceRoot":"","sources":["../../../src/cli/CLI.ts"],"names":[],"mappings":"AAAA;;;GAGG;AA2EH,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAIpC,MAAM,WAAW,IAAI;IACnB,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACnC,UAAU,IAAI,OAAO,CAAC;CACvB;AAsQD;;;;;;;GAOG;AACH,eAAO,MAAM,GAAG;cACJ,IAAI;EAed,CAAC"}

package/src/cli/CLI.js

@@ -21,6 +21,7 @@ import { DeployContainerWorkersCommand } from './commands/DeployContainerWorkers
 import { DockerCommand } from './commands/DockerCommand.js';
 import { DockerPushCommand } from './commands/DockerPushCommand.js';
 import { DoctorArchitectureCommand } from './commands/DoctorArchitectureCommand.js';
+import { EmailProxyCommand } from './commands/EmailProxyCommand.js';
 import { EnvKeyGenerateCommand } from './commands/EnvKeyGenerateCommand.js';
 import { FixCommand } from './commands/FixCommand.js';
 import { InitContainerCommand } from './commands/InitContainerCommand.js';
@@ -135,6 +136,7 @@ const buildCommandRegistry = () => {
         JwtDevCommand,
         ProxyCommand.create(),
         D1ProxyCommand.create(),
+        EmailProxyCommand.create(),
         KvProxyCommand.create(),
         MySqlProxyCommand.create(),
         PostgresProxyCommand.create(),

package/src/cli/cloudflare/CloudflareSecretSync.d.ts

@@ -15,20 +15,25 @@ type CloudflareSecretSyncArgs = {
     envPath: string;
     dryRun?: boolean;
     configGroups?: string[];
+    directKeys?: string[];
+    inlineValues?: Record<string, string>;
     configPath?: string;
     target?: string;
+    bulk?: boolean;
     requireSelection?: boolean;
 };
 export type CloudflareSecretSyncResult = {
     pushed: number;
+    pushedKeys: string[];
+    skippedEmptyKeys: string[];
     failures: CloudflareSecretSyncFailure[];
     selectedKeys: string[];
 };
-export declare const reportCloudflareSecretSync: (log: CloudflareSecretLog, result: Pick<CloudflareSecretSyncResult, "pushed" | "failures">) => void;
-export declare const syncCloudflareSecrets: ({ log, cwd, wranglerEnvs, envPath, dryRun, configGroups, configPath, target, requireSelection, }: CloudflareSecretSyncArgs) => Promise<CloudflareSecretSyncResult>;
+export declare const reportCloudflareSecretSync: (log: CloudflareSecretLog, result: Pick<CloudflareSecretSyncResult, "pushed" | "skippedEmptyKeys" | "failures">) => void;
+export declare const syncCloudflareSecrets: ({ log, cwd, wranglerEnvs, envPath, dryRun, configGroups, directKeys, inlineValues, configPath, target, bulk, requireSelection, }: CloudflareSecretSyncArgs) => Promise<CloudflareSecretSyncResult>;
 declare const _default: Readonly<{
-    syncCloudflareSecrets: ({ log, cwd, wranglerEnvs, envPath, dryRun, configGroups, configPath, target, requireSelection, }: CloudflareSecretSyncArgs) => Promise<CloudflareSecretSyncResult>;
-    reportCloudflareSecretSync: (log: CloudflareSecretLog, result: Pick<CloudflareSecretSyncResult, "pushed" | "failures">) => void;
+    syncCloudflareSecrets: ({ log, cwd, wranglerEnvs, envPath, dryRun, configGroups, directKeys, inlineValues, configPath, target, bulk, requireSelection, }: CloudflareSecretSyncArgs) => Promise<CloudflareSecretSyncResult>;
+    reportCloudflareSecretSync: (log: CloudflareSecretLog, result: Pick<CloudflareSecretSyncResult, "pushed" | "skippedEmptyKeys" | "failures">) => void;
 }>;
 export default _default;
 //# sourceMappingURL=CloudflareSecretSync.d.ts.map

package/src/cli/cloudflare/CloudflareSecretSync.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"CloudflareSecretSync.d.ts","sourceRoot":"","sources":["../../../../src/cli/cloudflare/CloudflareSecretSync.ts"],"names":[],"mappings":"AAYA,KAAK,mBAAmB,GAAG;IACzB,IAAI,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,IAAI,CAAC;IAChC,IAAI,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,IAAI,CAAC;IAChC,OAAO,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,IAAI,CAAC;CACrC,CAAC;AAEF,MAAM,MAAM,2BAA2B,GAAG;IACxC,WAAW,EAAE,MAAM,CAAC;IACpB,GAAG,EAAE,MAAM,CAAC;IACZ,MAAM,EAAE,MAAM,CAAC;CAChB,CAAC;AAaF,KAAK,wBAAwB,GAAG;IAC9B,GAAG,EAAE,mBAAmB,CAAC;IACzB,GAAG,EAAE,MAAM,CAAC;IACZ,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,gBAAgB,CAAC,EAAE,OAAO,CAAC;CAC5B,CAAC;AAEF,MAAM,MAAM,0BAA0B,GAAG;IACvC,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,2BAA2B,EAAE,CAAC;IACxC,YAAY,EAAE,MAAM,EAAE,CAAC;CACxB,CAAC;AAiJF,eAAO,MAAM,0BAA0B,GACrC,KAAK,mBAAmB,EACxB,QAAQ,IAAI,CAAC,0BAA0B,EAAE,QAAQ,GAAG,UAAU,CAAC,KAC9D,IAcF,CAAC;AAEF,eAAO,MAAM,qBAAqB,GAAU,kGAUzC,wBAAwB,KAAG,OAAO,CAAC,0BAA0B,CAqC/D,CAAC;;8HArCC,wBAAwB,KAAG,OAAO,CAAC,0BAA0B,CAAC;sCA5B1D,mBAAmB,UAChB,IAAI,CAAC,0BAA0B,EAAE,QAAQ,GAAG,UAAU,CAAC,KAC9D,IAAI;;AAiEP,wBAGG"}
+{"version":3,"file":"CloudflareSecretSync.d.ts","sourceRoot":"","sources":["../../../../src/cli/cloudflare/CloudflareSecretSync.ts"],"names":[],"mappings":"AAaA,KAAK,mBAAmB,GAAG;IACzB,IAAI,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,IAAI,CAAC;IAChC,IAAI,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,IAAI,CAAC;IAChC,OAAO,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,IAAI,CAAC;CACrC,CAAC;AAEF,MAAM,MAAM,2BAA2B,GAAG;IACxC,WAAW,EAAE,MAAM,CAAC;IACpB,GAAG,EAAE,MAAM,CAAC;IACZ,MAAM,EAAE,MAAM,CAAC;CAChB,CAAC;AAcF,KAAK,wBAAwB,GAAG;IAC9B,GAAG,EAAE,mBAAmB,CAAC;IACzB,GAAG,EAAE,MAAM,CAAC;IACZ,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;IACtB,YAAY,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACtC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,OAAO,CAAC;IACf,gBAAgB,CAAC,EAAE,OAAO,CAAC;CAC5B,CAAC;AAEF,MAAM,MAAM,0BAA0B,GAAG;IACvC,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,gBAAgB,EAAE,MAAM,EAAE,CAAC;IAC3B,QAAQ,EAAE,2BAA2B,EAAE,CAAC;IACxC,YAAY,EAAE,MAAM,EAAE,CAAC;CACxB,CAAC;AAuTF,eAAO,MAAM,0BAA0B,GACrC,KAAK,mBAAmB,EACxB,QAAQ,IAAI,CAAC,0BAA0B,EAAE,QAAQ,GAAG,kBAAkB,GAAG,UAAU,CAAC,KACnF,IAcF,CAAC;AAEF,eAAO,MAAM,qBAAqB,GAAU,kIAazC,wBAAwB,KAAG,OAAO,CAAC,0BAA0B,CAiD/D,CAAC;;8JAjDC,wBAAwB,KAAG,OAAO,CAAC,0BAA0B,CAAC;sCA/B1D,mBAAmB,UAChB,IAAI,CAAC,0BAA0B,EAAE,QAAQ,GAAG,kBAAkB,GAAG,UAAU,CAAC,KACnF,IAAI;;AAgFP,wBAGG"}

package/src/cli/cloudflare/CloudflareSecretSync.js

@@ -3,7 +3,8 @@ import { resolveNpmPath } from '../../common/index.js';
 import { appConfig } from '../../config/app.js';
 import { ErrorFactory } from '../../exceptions/ZintrustError.js';
 import { execFileSync } from '../../node-singletons/child-process.js';
-import { existsSync } from '../../node-singletons/fs.js';
+import { existsSync, mkdtempSync, rmSync, writeFileSync } from '../../node-singletons/fs.js';
+import { tmpdir } from '../../node-singletons/os.js';
 import * as path from '../../node-singletons/path.js';
 import { EnvFile } from '../../toolkit/Secrets/EnvFile.js';
 const uniq = (items) => {
@@ -29,6 +30,12 @@ const resolveValue = (key, envMap) => {
     const fromProcess = process.env[key];
     return fromFile ?? fromProcess ?? '';
 };
+const resolveValueWithOverrides = (key, envMap, inlineValues) => {
+    const inlineValue = inlineValues[key];
+    if (typeof inlineValue === 'string')
+        return inlineValue;
+    return resolveValue(key, envMap);
+};
 const getPutTimeoutMs = () => {
     const raw = process.env['ZT_PUT_TIMEOUT_MS'];
     if (typeof raw !== 'string')
@@ -38,13 +45,20 @@ const getPutTimeoutMs = () => {
         return 120000;
     return parsed;
 };
+const describeWranglerEnv = (wranglerEnv) => wranglerEnv.trim() === '' ? 'top-level worker' : wranglerEnv;
 const putSecret = (wranglerEnv, key, value, configPath) => {
     const npmPath = resolveNpmPath();
     const args = ['exec', '--yes', '--', 'wrangler'];
     if (typeof configPath === 'string' && configPath.trim() !== '') {
         args.push('--config', configPath.trim());
     }
-    args.push('secret', 'put', key, '--env', wranglerEnv);
+    args.push('secret', 'put', key);
+    if (wranglerEnv.trim() === '') {
+        args.push('--env=');
+    }
+    else {
+        args.push('--env', wranglerEnv);
+    }
     execFileSync(npmPath, args, {
         stdio: ['pipe', 'inherit', 'inherit'],
         input: value,
@@ -54,8 +68,33 @@ const putSecret = (wranglerEnv, key, value, configPath) => {
         env: appConfig.getSafeEnv(),
     });
 };
+const putSecretBulk = (wranglerEnv, payloadPath, configPath) => {
+    const npmPath = resolveNpmPath();
+    const args = ['exec', '--yes', '--', 'wrangler'];
+    if (typeof configPath === 'string' && configPath.trim() !== '') {
+        args.push('--config', configPath.trim());
+    }
+    args.push('secret', 'bulk', payloadPath);
+    if (wranglerEnv.trim() === '') {
+        args.push('--env=');
+    }
+    else {
+        args.push('--env', wranglerEnv);
+    }
+    execFileSync(npmPath, args, {
+        stdio: ['ignore', 'inherit', 'inherit'],
+        encoding: 'utf8',
+        timeout: getPutTimeoutMs(),
+        killSignal: 'SIGTERM',
+        env: appConfig.getSafeEnv(),
+    });
+};
 const getFailureReason = (error) => error instanceof Error ? error.message : String(error);
-const resolveSelectedKeys = ({ log, config, cwd, wranglerEnvs, configGroups = [], configPath, target, requireSelection, }) => {
+const resolveSelectedKeys = ({ log, config, cwd, wranglerEnvs, configGroups = [], directKeys = [], configPath, target, requireSelection, }) => {
+    const selectedDirectKeys = uniq(directKeys);
+    if (selectedDirectKeys.length > 0) {
+        return selectedDirectKeys;
+    }
     const explicitKeys = uniq(configGroups.flatMap((groupKey) => {
         const keys = getConfigArray(config, groupKey);
         if (keys.length === 0) {
@@ -76,46 +115,109 @@ const resolveSelectedKeys = ({ log, config, cwd, wranglerEnvs, configGroups = []
         return selectedKeys;
     }
     throw ErrorFactory.createCliError(configGroups.length === 0
-        ? 'No secret keys resolved from .zintrust.json cloudflare.shared_env/cloudflare.targets/cloudflare.wrangler_envs. Use --var <group> or add a Cloudflare env manifest.'
+        ? 'No secret keys resolved from explicit keys or .zintrust.json cloudflare.shared_env/cloudflare.targets/cloudflare.wrangler_envs. Use --key/--keys, --var <group>, or add a Cloudflare env manifest.'
         : 'No secret keys resolved from selected groups.');
 };
-const processSecretSync = (log, wranglerEnvs, selectedKeys, envMap, dryRun, configPath) => {
+const resolveBulkPayload = (log, wranglerEnv, selectedKeys, envMap, inlineValues) => {
+    const payload = {};
+    const includedKeys = [];
+    const skippedEmptyKeys = [];
+    const wranglerEnvLabel = describeWranglerEnv(wranglerEnv);
+    for (const key of selectedKeys) {
+        const value = resolveValueWithOverrides(key, envMap, inlineValues);
+        if (value.trim() === '') {
+            log.warn(`skip ${key} -> ${wranglerEnvLabel}: empty value`);
+            skippedEmptyKeys.push(key);
+            continue;
+        }
+        payload[key] = value;
+        includedKeys.push(key);
+    }
+    return { payload, includedKeys, skippedEmptyKeys };
+};
+const processSecretSync = (log, wranglerEnvs, selectedKeys, envMap, dryRun, configPath, inlineValues) => {
     let pushed = 0;
+    const pushedKeys = [];
+    const skippedEmptyKeys = [];
     const failures = [];
     for (const wranglerEnv of wranglerEnvs) {
+        const wranglerEnvLabel = describeWranglerEnv(wranglerEnv);
         for (const key of selectedKeys) {
-            const value = resolveValue(key, envMap);
+            const value = resolveValueWithOverrides(key, envMap, inlineValues);
             if (value.trim() === '') {
-                failures.push({ wranglerEnv, key, reason: 'empty value' });
+                log.warn(`skip ${key} -> ${wranglerEnvLabel}: empty value`);
+                skippedEmptyKeys.push(key);
                 continue;
             }
             try {
                 if (!dryRun) {
-                    log.info(`putting ${key} -> ${wranglerEnv}...`);
+                    log.info(`putting ${key} -> ${wranglerEnvLabel}...`);
                     putSecret(wranglerEnv, key, value, configPath);
                 }
                 pushed += 1;
-                log.info(`${dryRun ? '[dry-run] ' : ''}put ${key} -> ${wranglerEnv}`);
+                pushedKeys.push(key);
+                log.info(`${dryRun ? '[dry-run] ' : ''}put ${key} -> ${wranglerEnvLabel}`);
             }
             catch (error) {
                 failures.push({ wranglerEnv, key, reason: getFailureReason(error) });
             }
         }
     }
-    return { pushed, failures };
+    return { pushed, pushedKeys, skippedEmptyKeys, failures };
+};
+const processSecretBulkSync = (log, wranglerEnvs, selectedKeys, envMap, dryRun, configPath, inlineValues) => {
+    let pushed = 0;
+    const pushedKeys = [];
+    const skippedEmptyKeys = [];
+    const failures = [];
+    for (const wranglerEnv of wranglerEnvs) {
+        const wranglerEnvLabel = describeWranglerEnv(wranglerEnv);
+        const { payload, includedKeys, skippedEmptyKeys: skippedForEnv, } = resolveBulkPayload(log, wranglerEnv, selectedKeys, envMap, inlineValues);
+        skippedEmptyKeys.push(...skippedForEnv);
+        if (includedKeys.length === 0) {
+            log.info(`skip bulk upload -> ${wranglerEnvLabel}: no non-empty keys`);
+            continue;
+        }
+        log.info(`${dryRun ? '[dry-run] ' : ''}bulk keys -> ${wranglerEnvLabel}: ${includedKeys.join(', ')}`);
+        if (dryRun) {
+            pushed += includedKeys.length;
+            pushedKeys.push(...includedKeys);
+            continue;
+        }
+        const tempDir = mkdtempSync(path.join(tmpdir(), 'zintrust-cloudflare-secret-bulk-'));
+        const payloadPath = path.join(tempDir, 'secrets.json');
+        try {
+            writeFileSync(payloadPath, JSON.stringify(payload, null, 2), 'utf8');
+            log.info(`bulk uploading ${includedKeys.length} key(s) -> ${wranglerEnvLabel}...`);
+            putSecretBulk(wranglerEnv, payloadPath, configPath);
+            pushed += includedKeys.length;
+            pushedKeys.push(...includedKeys);
+            log.info(`bulk put ${includedKeys.length} key(s) -> ${wranglerEnvLabel}`);
+        }
+        catch (error) {
+            const reason = getFailureReason(error);
+            for (const key of includedKeys) {
+                failures.push({ wranglerEnv, key, reason });
+            }
+        }
+        finally {
+            rmSync(tempDir, { recursive: true, force: true });
+        }
+    }
+    return { pushed, pushedKeys, skippedEmptyKeys, failures };
 };
 export const reportCloudflareSecretSync = (log, result) => {
     if (typeof log.success === 'function') {
-        log.success(`Cloudflare secrets report: pushed=${result.pushed}, failed=${result.failures.length}`);
+        log.success(`Cloudflare secrets report: pushed=${result.pushed}, skipped_empty=${result.skippedEmptyKeys.length}, failed=${result.failures.length}`);
     }
     else {
-        log.info(`Cloudflare secrets report: pushed=${result.pushed}, failed=${result.failures.length}`);
+        log.info(`Cloudflare secrets report: pushed=${result.pushed}, skipped_empty=${result.skippedEmptyKeys.length}, failed=${result.failures.length}`);
     }
     for (const item of result.failures) {
-        log.warn(`${item.key} -> ${item.wranglerEnv}: ${item.reason}`);
+        log.warn(`${item.key} -> ${describeWranglerEnv(item.wranglerEnv)}: ${item.reason}`);
     }
 };
-export const syncCloudflareSecrets = async ({ log, cwd, wranglerEnvs, envPath, dryRun = false, configGroups = [], configPath, target, requireSelection = true, }) => {
+export const syncCloudflareSecrets = async ({ log, cwd, wranglerEnvs, envPath, dryRun = false, configGroups = [], directKeys = [], inlineValues = {}, configPath, target, bulk = false, requireSelection = true, }) => {
     const normalizedConfigPath = typeof configPath === 'string' && configPath.trim() !== '' ? configPath.trim() : undefined;
     if (normalizedConfigPath !== undefined && !existsSync(path.join(cwd, normalizedConfigPath))) {
         throw ErrorFactory.createCliError(`Wrangler config not found: ${normalizedConfigPath}`);
@@ -127,15 +229,18 @@ export const syncCloudflareSecrets = async ({ log, cwd, wranglerEnvs, envPath, d
         cwd,
         wranglerEnvs,
         configGroups,
+        directKeys,
         configPath: normalizedConfigPath,
         target,
         requireSelection,
     });
     if (selectedKeys.length === 0) {
-        return { pushed: 0, failures: [], selectedKeys: [] };
+        return { pushed: 0, pushedKeys: [], skippedEmptyKeys: [], failures: [], selectedKeys: [] };
     }
     const envMap = await EnvFile.read({ cwd, path: envPath });
-    const syncResult = processSecretSync(log, wranglerEnvs, selectedKeys, envMap, dryRun, normalizedConfigPath);
+    const syncResult = bulk
+        ? processSecretBulkSync(log, wranglerEnvs, selectedKeys, envMap, dryRun, normalizedConfigPath, inlineValues)
+        : processSecretSync(log, wranglerEnvs, selectedKeys, envMap, dryRun, normalizedConfigPath, inlineValues);
     return {
         ...syncResult,
         selectedKeys,

package/src/cli/commands/EmailProxyCommand.d.ts

@@ -0,0 +1,6 @@
+import type { IBaseCommand } from '../BaseCommand';
+export declare const EmailProxyCommand: Readonly<{
+    create(): IBaseCommand;
+}>;
+export default EmailProxyCommand;
+//# sourceMappingURL=EmailProxyCommand.d.ts.map

package/src/cli/commands/EmailProxyCommand.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"EmailProxyCommand.d.ts","sourceRoot":"","sources":["../../../../src/cli/commands/EmailProxyCommand.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAC;AA4IrD,eAAO,MAAM,iBAAiB;cAClB,YAAY;EAmBtB,CAAC;AAEH,eAAe,iBAAiB,CAAC"}

package/src/cli/commands/EmailProxyCommand.js

@@ -0,0 +1,108 @@
+import { findQuotedValue, trimNonEmptyOption } from '../commands/ProxyScaffoldUtils.js';
+import { createWranglerProxyCommand, } from '../commands/WranglerProxyCommandUtils.js';
+import { Env } from '../../config/env.js';
+import { Logger } from '../../config/logger.js';
+const DEFAULT_CONFIG = 'wrangler.jsonc';
+const DEFAULT_COMPATIBILITY_DATE = '2026-03-12';
+const DEFAULT_BINDING = 'SEND_EMAIL';
+const DEFAULT_ENTRY_FILE = 'src/proxy/email/ZintrustEmailProxy.ts';
+const DEFAULT_ROUTE_PATTERN = 'email-proxy.example.com';
+const CORE_PROXY_MODULE = ['@zintrust', 'core', 'proxy'].join('/');
+const parseCsv = (value) => {
+    const parsed = (value ?? '')
+        .split(',')
+        .map((item) => item.trim())
+        .filter((item, index, items) => item !== '' && items.indexOf(item) === index);
+    return parsed.length === 0 ? undefined : parsed;
+};
+const renderArray = (values) => {
+    return `[${values.map((value) => JSON.stringify(value)).join(', ')}]`;
+};
+const resolveConfigValues = (content, options) => {
+    const fileContent = content ?? '';
+    return {
+        binding: trimNonEmptyOption(options.binding) ??
+            trimNonEmptyOption(Env.get('MAIL_CLOUDFLARE_BINDING', '')) ??
+            findQuotedValue(fileContent, 'MAIL_CLOUDFLARE_BINDING') ??
+            findQuotedValue(fileContent, 'name') ??
+            DEFAULT_BINDING,
+        destinationAddress: trimNonEmptyOption(options.destinationAddress) ??
+            trimNonEmptyOption(findQuotedValue(fileContent, 'destination_address')),
+        allowedDestinationAddresses: parseCsv(options.allowedDestinationAddresses) ??
+            parseCsv(Env.get('MAIL_CLOUDFLARE_ALLOWED_DESTINATION_ADDRESSES', '')),
+        allowedSenderAddresses: parseCsv(options.allowedSenderAddresses) ??
+            parseCsv(Env.get('MAIL_CLOUDFLARE_ALLOWED_SENDER_ADDRESSES', '')),
+    };
+};
+const renderSendEmailBinding = (values) => {
+    const lines = ['        {', `          "name": "${values.binding}"`];
+    if (values.destinationAddress !== undefined) {
+        lines.push(`          ,"destination_address": "${values.destinationAddress}"`);
+    }
+    if (values.allowedDestinationAddresses !== undefined) {
+        lines.push(`          ,"allowed_destination_addresses": ${renderArray(values.allowedDestinationAddresses)}`);
+    }
+    if (values.allowedSenderAddresses !== undefined) {
+        lines.push(`          ,"allowed_sender_addresses": ${renderArray(values.allowedSenderAddresses)}`);
+    }
+    lines.push('        }');
+    return lines;
+};
+const renderEmailProxyEnvBlock = (values) => {
+    return [
+        '    "email-proxy": {',
+        '      "name": "zintrust-email-proxy",',
+        '      "main": "./src/proxy/email/ZintrustEmailProxy.ts",',
+        '      "compatibility_flags": ["nodejs_compat"],',
+        `      "compatibility_date": "${DEFAULT_COMPATIBILITY_DATE}",`,
+        '      "vars": {',
+        `        "MAIL_CLOUDFLARE_BINDING": "${values.binding}",`,
+        '        "ZT_PROXY_SIGNING_WINDOW_MS": "60000",',
+        '        "ZT_MAX_BODY_BYTES": "131072",',
+        '        "NODE_ENV": "development"',
+        '      },',
+        '      "send_email": [',
+        ...renderSendEmailBinding(values),
+        '      ],',
+        '      // Add routes here when ready:',
+        `      // "routes": [{ "pattern": "${DEFAULT_ROUTE_PATTERN}", "custom_domain": true }]`,
+        '    }',
+    ].join('\n');
+};
+const warnOnMissingSigningSecret = () => {
+    const directSecret = trimNonEmptyOption(Env.get('MAIL_CLOUDFLARE_PROXY_SECRET', ''));
+    const fallbackSecret = trimNonEmptyOption(Env.get('APP_KEY', ''));
+    if (directSecret !== undefined || fallbackSecret !== undefined)
+        return;
+    Logger.warn('Email proxy signing will fail: the resolved project env does not expose MAIL_CLOUDFLARE_PROXY_SECRET or APP_KEY to the Worker runtime. Signed requests will be rejected with 401 CONFIG_ERROR until one of those keys is set.');
+};
+const addOptions = (command) => {
+    command.option('-c, --config <path>', 'Wrangler config file', DEFAULT_CONFIG);
+    command.option('--port <port>', 'Local Wrangler dev port', '5777');
+    command.option('--watch', 'Auto-restart proxy on file changes');
+    command.option('--binding <name>', 'send_email binding name', DEFAULT_BINDING);
+    command.option('--destination-address <email>', 'Restrict the binding to one destination');
+    command.option('--allowed-destination-addresses <emails>', 'Comma-separated allowlist of destination addresses');
+    command.option('--allowed-sender-addresses <emails>', 'Comma-separated allowlist of sender addresses');
+};
+export const EmailProxyCommand = Object.freeze({
+    create() {
+        return createWranglerProxyCommand({
+            name: 'proxy:email',
+            aliases: ['email:proxy', 'proxy:cl:mail', 'proxy:cloudflare:mail'],
+            description: 'Start the local Cloudflare email proxy Worker via Wrangler and scaffold env.email-proxy in wrangler.jsonc when missing',
+            envName: 'email-proxy',
+            defaultPort: 5777,
+            defaultConfig: DEFAULT_CONFIG,
+            compatibilityDate: DEFAULT_COMPATIBILITY_DATE,
+            entryFile: DEFAULT_ENTRY_FILE,
+            exportName: 'ZintrustEmailProxy',
+            moduleSpecifier: CORE_PROXY_MODULE,
+            addOptions,
+            resolveValues: resolveConfigValues,
+            renderEnvBlock: renderEmailProxyEnvBlock,
+            afterConfigResolved: warnOnMissingSigningSecret,
+        });
+    },
+});
+export default EmailProxyCommand;

package/src/cli/commands/ProxyCommand.d.ts

@@ -1,5 +1,6 @@
 import type { IBaseCommand } from '../BaseCommand';
 import '../../proxy/d1/register';
+import '../../proxy/email/register';
 import '../../proxy/kv/register';
 import '../../proxy/mysql/register';
 import '../../proxy/postgres/register';

package/src/cli/commands/ProxyCommand.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ProxyCommand.d.ts","sourceRoot":"","sources":["../../../../src/cli/commands/ProxyCommand.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAkB,YAAY,EAAE,MAAM,kBAAkB,CAAC;AAMrE,OAAO,oBAAoB,CAAC;AAC5B,OAAO,oBAAoB,CAAC;AAC5B,OAAO,uBAAuB,CAAC;AAC/B,OAAO,0BAA0B,CAAC;AAClC,OAAO,uBAAuB,CAAC;AAC/B,OAAO,sBAAsB,CAAC;AA2D9B,eAAO,MAAM,YAAY;cACb,YAAY;EAyBtB,CAAC;AAEH,eAAe,YAAY,CAAC"}
+{"version":3,"file":"ProxyCommand.d.ts","sourceRoot":"","sources":["../../../../src/cli/commands/ProxyCommand.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAkB,YAAY,EAAE,MAAM,kBAAkB,CAAC;AAMrE,OAAO,oBAAoB,CAAC;AAC5B,OAAO,uBAAuB,CAAC;AAC/B,OAAO,oBAAoB,CAAC;AAC5B,OAAO,uBAAuB,CAAC;AAC/B,OAAO,0BAA0B,CAAC;AAClC,OAAO,uBAAuB,CAAC;AAC/B,OAAO,sBAAsB,CAAC;AAgE9B,eAAO,MAAM,YAAY;cACb,YAAY;EAyBtB,CAAC;AAEH,eAAe,YAAY,CAAC"}

package/src/cli/commands/ProxyCommand.js

@@ -4,6 +4,7 @@ import { ErrorFactory } from '../../exceptions/ZintrustError.js';
 import * as path from '../../node-singletons/path.js';
 import { ProxyRegistry } from '../../proxy/ProxyRegistry.js';
 import '../../proxy/d1/register.js';
+import '../../proxy/email/register.js';
 import '../../proxy/kv/register.js';
 import '../../proxy/mysql/register.js';
 import '../../proxy/postgres/register.js';
@@ -11,6 +12,11 @@ import '../../proxy/redis/register.js';
 import '../../proxy/smtp/register.js';
 const PROXY_TARGET_MAP = Object.freeze({
     d1: 'proxy:d1',
+    email: 'proxy:email',
+    cl: 'proxy:email',
+    'cl:mail': 'proxy:email',
+    'cloudflare:mail': 'proxy:email',
+    'cloudflare-mail': 'proxy:email',
     kv: 'proxy:kv',
     mysql: 'proxy:mysql',
     my: 'proxy:mysql',

package/src/cli/commands/PutCommand.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"PutCommand.d.ts","sourceRoot":"","sources":["../../../../src/cli/commands/PutCommand.ts"],"names":[],"mappings":"AAAA,OAAO,EAAoC,KAAK,YAAY,EAAE,MAAM,kBAAkB,CAAC;AAqFvF,eAAO,MAAM,UAAU;cACX,YAAY;EAWtB,CAAC;AAEH,eAAe,UAAU,CAAC"}
+{"version":3,"file":"PutCommand.d.ts","sourceRoot":"","sources":["../../../../src/cli/commands/PutCommand.ts"],"names":[],"mappings":"AAAA,OAAO,EAAoC,KAAK,YAAY,EAAE,MAAM,kBAAkB,CAAC;AAwHvF,eAAO,MAAM,UAAU;cACX,YAAY;EAWtB,CAAC;AAEH,eAAe,UAAU,CAAC"}

package/src/cli/commands/PutCommand.js

@@ -23,10 +23,25 @@ const uniq = (items) => {
 const resolveConfigGroups = (options) => {
     return uniq(toStringArray(options.var));
 };
+const resolveDirectKeys = (options) => {
+    return uniq([...toStringArray(options.key), ...toStringArray(options.keys)]);
+};
+const resolveInlineValues = (options) => {
+    if (typeof options.value !== 'string')
+        return {};
+    const directKeys = resolveDirectKeys(options);
+    if (directKeys.length === 0) {
+        throw ErrorFactory.createCliError('`--value` requires `--key` or `--keys`.');
+    }
+    if (directKeys.length !== 1) {
+        throw ErrorFactory.createCliError('`--value` supports exactly one selected key.');
+    }
+    return { [directKeys[0]]: options.value };
+};
 const resolveWranglerEnvs = (options) => {
     const requested = uniq(toStringArray(options.wg));
     if (requested.length === 0)
-        return ['worker'];
+        return [''];
     return requested;
 };
 const parseEnvPath = (options) => {
@@ -40,9 +55,13 @@ const addOptions = (command) => {
         .argument('[provider]', 'Secret provider (cloudflare)', 'cloudflare')
         .option('--wg <env...>', 'Wrangler environment target(s), e.g. d1-proxy kv-proxy')
         .option('--var <configKey...>', 'Config array key(s) from .zintrust.json (e.g. d1_env kv_env)')
+        .option('--key <name...>', 'Upload selected secret key(s) directly without group expansion')
+        .option('--keys <name...>', 'Upload selected secret key(s) from env source without group expansion')
+        .option('--value <value>', 'Inline value for a single `--key` upload')
         .option('--target <id>', 'Cloudflare worker target key from .zintrust.json cloudflare.targets')
         .option('--env_path <path>', 'Path to env file used as source values', '.env')
         .option('-c, --config <path>', 'Wrangler config file to target (optional)')
+        .option('--bulk', 'Upload the final key set with one wrangler secret bulk call per target')
         .option('--dry-run', 'Show what would be uploaded without calling wrangler');
 };
 const ensureCloudflareProvider = (providerRaw) => {
@@ -53,6 +72,8 @@ const ensureCloudflareProvider = (providerRaw) => {
 const execute = async (cmd, options) => {
     ensureCloudflareProvider(String(options.args?.[0] ?? 'cloudflare'));
     const cwd = process.cwd();
+    const directKeys = resolveDirectKeys(options);
+    const inlineValues = resolveInlineValues(options);
     const result = await syncCloudflareSecrets({
         log: cmd,
         cwd,
@@ -60,8 +81,11 @@ const execute = async (cmd, options) => {
         envPath: parseEnvPath(options),
         dryRun: options.dryRun === true,
         configGroups: resolveConfigGroups(options),
+        directKeys,
+        inlineValues,
         configPath: typeof options.config === 'string' ? options.config.trim() : undefined,
         target: typeof options.target === 'string' ? options.target : undefined,
+        bulk: options.bulk === true,
         requireSelection: true,
     });
     reportCloudflareSecretSync(cmd, result);

package/src/cli/commands/WranglerProxyCommandUtils.d.ts

@@ -10,6 +10,7 @@ type CreateWranglerProxyCommandInput<TValues, TOptions extends WranglerProxyComm
     aliases: string[];
     description: string;
     envName: string;
+    defaultPort?: number;
     defaultConfig: string;
     compatibilityDate: string;
     entryFile: string;

package/src/cli/commands/WranglerProxyCommandUtils.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"WranglerProxyCommandUtils.d.ts","sourceRoot":"","sources":["../../../../src/cli/commands/WranglerProxyCommandUtils.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAC;AAkBrE,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAEzC,MAAM,MAAM,2BAA2B,GAAG,cAAc,GAAG;IACzD,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,OAAO,CAAC;CACjB,CAAC;AAEF,KAAK,+BAA+B,CAAC,OAAO,EAAE,QAAQ,SAAS,2BAA2B,IAAI;IAC5F,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,aAAa,EAAE,MAAM,CAAC;IACtB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,eAAe,EAAE,MAAM,CAAC;IACxB,UAAU,EAAE,CAAC,OAAO,EAAE,OAAO,KAAK,IAAI,CAAC;IACvC,aAAa,EAAE,CAAC,OAAO,EAAE,MAAM,GAAG,SAAS,EAAE,OAAO,EAAE,QAAQ,KAAK,OAAO,CAAC;IAC3E,cAAc,EAAE,CAAC,MAAM,EAAE,OAAO,KAAK,MAAM,CAAC;IAC5C,mBAAmB,CAAC,EAAE,CAAC,MAAM,EAAE,OAAO,KAAK,IAAI,CAAC;CACjD,CAAC;AAEF,eAAO,MAAM,2BAA2B,GAAI,SAAS,OAAO,EAAE,eAAe,MAAM,KAAG,IAIrF,CAAC;AAMF,eAAO,MAAM,0BAA0B,GAAI,OAAO,EAAE,QAAQ,SAAS,2BAA2B,EAC9F,OAAO,+BAA+B,CAAC,OAAO,EAAE,QAAQ,CAAC,KACxD,YAoFF,CAAC"}
+{"version":3,"file":"WranglerProxyCommandUtils.d.ts","sourceRoot":"","sources":["../../../../src/cli/commands/WranglerProxyCommandUtils.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAC;AAmBrE,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAEzC,MAAM,MAAM,2BAA2B,GAAG,cAAc,GAAG;IACzD,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,OAAO,CAAC;CACjB,CAAC;AAEF,KAAK,+BAA+B,CAAC,OAAO,EAAE,QAAQ,SAAS,2BAA2B,IAAI;IAC5F,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,aAAa,EAAE,MAAM,CAAC;IACtB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,eAAe,EAAE,MAAM,CAAC;IACxB,UAAU,EAAE,CAAC,OAAO,EAAE,OAAO,KAAK,IAAI,CAAC;IACvC,aAAa,EAAE,CAAC,OAAO,EAAE,MAAM,GAAG,SAAS,EAAE,OAAO,EAAE,QAAQ,KAAK,OAAO,CAAC;IAC3E,cAAc,EAAE,CAAC,MAAM,EAAE,OAAO,KAAK,MAAM,CAAC;IAC5C,mBAAmB,CAAC,EAAE,CAAC,MAAM,EAAE,OAAO,KAAK,IAAI,CAAC;CACjD,CAAC;AAEF,eAAO,MAAM,2BAA2B,GAAI,SAAS,OAAO,EAAE,eAAe,MAAM,KAAG,IAIrF,CAAC;AA+BF,eAAO,MAAM,0BAA0B,GAAI,OAAO,EAAE,QAAQ,SAAS,2BAA2B,EAC9F,OAAO,+BAA+B,CAAC,OAAO,EAAE,QAAQ,CAAC,KACxD,YA0FF,CAAC"}

package/src/cli/commands/WranglerProxyCommandUtils.js

@@ -4,6 +4,7 @@ import { ensureProxyEnvLoadedForCwd, maybeRunProxyWatchMode, parseIntOption, } f
 import { ensureProxyEntrypoint, ensureWranglerConfig, renderProxyWranglerDevConfig, resolveConfigPath, } from '../commands/ProxyScaffoldUtils.js';
 import { SpawnUtil } from '../utils/spawn.js';
 import { Logger } from '../../config/logger.js';
+import { isNonEmptyString } from '../../helper/index.js';
 import { mkdirSync, writeFileSync } from '../../node-singletons/fs.js';
 import { dirname, join } from '../../node-singletons/path.js';
 export const addWranglerProxyBaseOptions = (command, defaultConfig) => {
@@ -14,6 +15,24 @@ export const addWranglerProxyBaseOptions = (command, defaultConfig) => {
 const toRootedProxyConfigContent = (content) => {
     return content.replaceAll('": "../../', '": "./');
 };
+const isTruthyFlag = (value) => {
+    if (!isNonEmptyString(value))
+        return false;
+    const normalized = value.trim().toLowerCase();
+    return normalized === '1' || normalized === 'true' || normalized === 'yes' || normalized === 'on';
+};
+const createWranglerDevSpawnEnv = (runtimeEnv) => {
+    if (isTruthyFlag(runtimeEnv['ZIN_WRANGLER_DEV_KEEP_API_TOKEN'])) {
+        return runtimeEnv;
+    }
+    if (!isNonEmptyString(runtimeEnv['CLOUDFLARE_API_TOKEN'])) {
+        return runtimeEnv;
+    }
+    Logger.warn('Ignoring CLOUDFLARE_API_TOKEN for local wrangler dev. Wrangler 4.92+ blocks interactive OAuth login when that variable is exported. Set ZIN_WRANGLER_DEV_KEEP_API_TOKEN=true to preserve token-based auth.');
+    const env = { ...runtimeEnv };
+    delete env['CLOUDFLARE_API_TOKEN'];
+    return env;
+};
 export const createWranglerProxyCommand = (input) => {
     return BaseCommand.create({
         name: input.name,
@@ -23,7 +42,8 @@ export const createWranglerProxyCommand = (input) => {
         execute: async (options) => {
             const typedOptions = options;
             await maybeRunProxyWatchMode(typedOptions.watch);
-            const port = parseIntOption(typedOptions.port, 'port');
+            const port = parseIntOption(typedOptions.port ??
+                (input.defaultPort === undefined ? undefined : String(input.defaultPort)), 'port');
             const cwd = process.cwd();
             const projectRoot = ensureProxyEnvLoadedForCwd(cwd);
             const entrypoint = ensureProxyEntrypoint({
@@ -65,6 +85,7 @@ export const createWranglerProxyCommand = (input) => {
             if (port !== undefined) {
                 args.push('--port', String(port));
             }
+            const wranglerSpawnEnv = createWranglerDevSpawnEnv(process.env);
             const exitCode = await withWranglerDevVarsSnapshot({
                 cwd: wranglerDevVarsCwd,
                 projectRoot,
@@ -75,7 +96,7 @@ export const createWranglerProxyCommand = (input) => {
                 return SpawnUtil.spawnAndWait({
                     command: 'wrangler',
                     args,
-                    env: process.env,
+                    env: wranglerSpawnEnv,
                     forwardSignals: false,
                 });
             });

package/src/cli/scaffolding/env.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"env.d.ts","sourceRoot":"","sources":["../../../../src/cli/scaffolding/env.ts"],"names":[],"mappings":"AAsiBA,eAAO,MAAM,OAAO,GAClB,MAAM,MAAM,EACZ,MAAM,MAAM,EACZ,SAAS,MAAM,EACf,QAAQ,MAAM,EACd,oBAAoB,MAAM,EAC1B,SAAS,MAAM,EAAE,EACjB,cAAc,MAAM,KACnB,MAAM,EAWR,CAAC"}
+{"version":3,"file":"env.d.ts","sourceRoot":"","sources":["../../../../src/cli/scaffolding/env.ts"],"names":[],"mappings":"AA0iBA,eAAO,MAAM,OAAO,GAClB,MAAM,MAAM,EACZ,MAAM,MAAM,EACZ,SAAS,MAAM,EACf,QAAQ,MAAM,EACd,oBAAoB,MAAM,EAC1B,SAAS,MAAM,EAAE,EACjB,cAAc,MAAM,KACnB,MAAM,EAWR,CAAC"}

package/src/cli/scaffolding/env.js

@@ -431,6 +431,10 @@ const LoggingAndMail = () => [
     'MAIL_FROM_ADDRESS=',
     'MAIL_FROM_NAME=',
     'MAIL_CLOUDFLARE_BINDING=SEND_EMAIL',
+    'MAIL_CLOUDFLARE_PROXY_URL=',
+    'MAIL_CLOUDFLARE_PROXY_KEY_ID=',
+    'MAIL_CLOUDFLARE_PROXY_SECRET=',
+    'MAIL_CLOUDFLARE_PROXY_TIMEOUT_MS=30000',
     'MAIL_HOST=',
     'MAIL_PORT=587',
     'MAIL_USERNAME=',