create-nextblock 0.10.4 → 0.10.6
package/package.json
CHANGED
|
@@ -1,10 +1,14 @@
|
|
|
1
1
|
import {
|
|
2
|
-
decryptOpenRouterApiKey,
|
|
3
2
|
encryptOpenRouterApiKey,
|
|
4
3
|
getMaskedOpenRouterKey,
|
|
5
4
|
getOpenRouterKeyEnvelopeStatus,
|
|
6
5
|
type EncryptedOpenRouterKeyEnvelope,
|
|
7
6
|
} from './ai-key-crypto';
|
|
7
|
+
import {
|
|
8
|
+
hasSecretEncryptionKey,
|
|
9
|
+
resolveSecretEncryptionKey,
|
|
10
|
+
tryDecryptWithEnvKey,
|
|
11
|
+
} from '@nextblock-cms/db/server';
|
|
8
12
|
|
|
9
13
|
const SERVER_ONLY_ERROR_MESSAGE =
|
|
10
14
|
'Cortex AI configuration can only be imported from server-side code.';
|
|
@@ -33,17 +37,24 @@ export function getCortexAiEnvConfig() {
|
|
|
33
37
|
return {
|
|
34
38
|
encryptionKey: readEnvValue('CORTEX_AI_ENCRYPTION_KEY'),
|
|
35
39
|
freemiusSandboxKey: readEnvValue('FREEMIUS_AI_SANDBOX_KEY'),
|
|
36
|
-
|
|
40
|
+
// True when ANY usable key exists: an explicit env key OR the service-role-derived
|
|
41
|
+
// fallback — so BYOK works on a one-click Vercel deploy with no extra env var.
|
|
42
|
+
hasEncryptionKey: hasSecretEncryptionKey(),
|
|
37
43
|
hasOpenRouterEnvKey: Boolean(openRouterApiKey),
|
|
38
44
|
openRouterEnvKeyLast4: openRouterApiKey ? openRouterApiKey.slice(-4) : null,
|
|
39
45
|
};
|
|
40
46
|
}
|
|
41
47
|
|
|
42
48
|
function requireEncryptionKey() {
|
|
43
|
-
|
|
49
|
+
// Resolve via the shared chain: NEXTBLOCK_ENCRYPTION_KEY -> CORTEX_AI_ENCRYPTION_KEY ->
|
|
50
|
+
// a stable key derived from the Supabase service-role key. The derived fallback lets
|
|
51
|
+
// BYOK work out-of-the-box on hosted installs (e.g. one-click Vercel).
|
|
52
|
+
const encryptionKey = resolveSecretEncryptionKey();
|
|
44
53
|
|
|
45
54
|
if (!encryptionKey) {
|
|
46
|
-
throw new Error(
|
|
55
|
+
throw new Error(
|
|
56
|
+
'An encryption key (NEXTBLOCK_ENCRYPTION_KEY, CORTEX_AI_ENCRYPTION_KEY, or a Supabase service-role key) is required to manage stored OpenRouter keys.'
|
|
57
|
+
);
|
|
47
58
|
}
|
|
48
59
|
|
|
49
60
|
return encryptionKey;
|
|
@@ -57,10 +68,16 @@ export function encryptStoredOpenRouterApiKey(apiKey: string) {
|
|
|
57
68
|
}
|
|
58
69
|
|
|
59
70
|
export function decryptStoredOpenRouterApiKey(encryptedKey: unknown) {
|
|
60
|
-
|
|
61
|
-
|
|
62
|
-
|
|
63
|
-
|
|
71
|
+
// Try every candidate key (explicit env keys + the derived fallback). This keeps a key
|
|
72
|
+
// stored under one key readable if another is added later, and matches the SMTP/payment
|
|
73
|
+
// secret behaviour. The envelope is byte-compatible with the shared secret-crypto format.
|
|
74
|
+
const result = tryDecryptWithEnvKey(encryptedKey);
|
|
75
|
+
|
|
76
|
+
if (result === null) {
|
|
77
|
+
throw new Error('Failed to decrypt stored OpenRouter key.');
|
|
78
|
+
}
|
|
79
|
+
|
|
80
|
+
return result;
|
|
64
81
|
}
|
|
65
82
|
|
|
66
83
|
export function getStoredOpenRouterKeyStatus(value: unknown) {
|
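Review bot: The derived fallback in `requireEncryptionKey()` makes the key that protects stored OpenRouter keys depend on the Supabase service-role key, and the added comments do not record what that costs. Going by those comments, a holder of the service-role key can presumably both read the stored envelope and derive its key, so installs without an explicit key get little separation between ciphertext and database credential; the derivation lives in `@nextblock-cms/db/server` and is not visible here, so confirm this there. Rotating the service-role key would also change the derived key, and `decryptStoredOpenRouterApiKey()` would then report only `'Failed to decrypt stored OpenRouter key.'`, with no hint that a missing or changed key is the cause. I would extend the comment above `resolveSecretEncryptionKey()` with `// The derived fallback ties stored keys to the service-role key: set NEXTBLOCK_ENCRYPTION_KEY before rotating it, and prefer an explicit key in production.` The closing brace of `requireEncryptionKey()` and the start of `getCortexAiEnvConfig()` lie outside the hunks.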