npm - declapract-typescript-ehmpathy - Versions diffs - 0.47.64 → 0.47.65 - Mend

declapract-typescript-ehmpathy 0.47.64 → 0.47.65

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

package/dist/practices/cicd-app-react-native-expo/best-practice/.github/workflows/deploy.yml CHANGED Viewed

@@ -37,6 +37,7 @@ jobs:
     with:
       creds-aws-region: us-east-1
       creds-aws-role-arn: arn:aws:iam::@declapract{variable.awsAccountId.dev}:role/@declapract{variable.projectName}-github-actions-dev
+    secrets: inherit # keyrack firewall in .test.yml filters to declared keys
   dev:
     uses: ./.github/workflows/.deploy-expo.yml

package/dist/practices/cicd-common/best-practice/.github/workflows/.test.yml CHANGED Viewed

@@ -206,6 +206,16 @@ jobs:
       - name: prepare:rhachet
         run: npm run prepare:rhachet --if-present
+      # .why = keyrack firewall translates and validates secrets before tests run
+      #        - filters to declared keys in keyrack.yml
+      #        - translates mechanisms (e.g., GitHub App → ghs_* token)
+      #        - blocks dangerous patterns (ghp_*, AKIA*, etc.)
+      #        - exports to $GITHUB_ENV with mask applied
+      - name: keyrack firewall
+        run: npx rhachet keyrack firewall --env test --from 'json(env://SECRETS_JSON)' --into github.actions
+        env:
+          SECRETS_JSON: ${{ toJSON(secrets) }}
       - name: get aws auth, if creds supplied
         if: ${{ inputs.creds-aws-role-arn }}
         uses: aws-actions/configure-aws-credentials@v4
@@ -280,6 +290,16 @@ jobs:
       - name: prepare:rhachet
         run: npm run prepare:rhachet --if-present
+      # .why = keyrack firewall translates and validates secrets before tests run
+      #        - filters to declared keys in keyrack.yml
+      #        - translates mechanisms (e.g., GitHub App → ghs_* token)
+      #        - blocks dangerous patterns (ghp_*, AKIA*, etc.)
+      #        - exports to $GITHUB_ENV with mask applied
+      - name: keyrack firewall
+        run: npx rhachet keyrack firewall --env test --from 'json(env://SECRETS_JSON)' --into github.actions
+        env:
+          SECRETS_JSON: ${{ toJSON(secrets) }}
       - name: get aws auth, if creds supplied
         if: ${{ inputs.creds-aws-role-arn }}
         uses: aws-actions/configure-aws-credentials@v4

package/dist/practices/cicd-common/best-practice/.github/workflows/.test.yml.declapract.ts CHANGED Viewed

@@ -1,114 +1,15 @@
-import { existsSync } from 'node:fs';
-import { join } from 'node:path';
-import type { FileCheckFunction, FileFixFunction } from 'declapract';
-import { keyrack, type KeyrackGrantAttempt } from 'rhachet/keyrack';
+import { FileCheckType, type FileFixFunction } from 'declapract';
 /**
- * .what = gets keyrack key names for test env from target project
- * .why = single source of truth for key discovery
+ * .what = validates .test.yml matches the template exactly
+ * .why = keyrack firewall handles secrets at runtime; no build-time injection needed
  */
-const getKeyrackKeys = async (projectRootDir: string): Promise<string[]> => {
-  const keyrackYmlPath = join(projectRootDir, '.agent/keyrack.yml');
-  if (!existsSync(keyrackYmlPath)) return [];
-  const keys = (await keyrack.get({
-    for: { repo: true },
-    env: 'test',
-  })) as KeyrackGrantAttempt[];
-  if (!keys.length) return [];
-  // extract key names from slugs (format: org.env.KEY_NAME)
-  // .note = KeyrackGrantAttempt is a union of 4 variants (granted/absent/locked/blocked)
-  //         per rhachet/dist/domain.objects/keyrack/KeyrackGrantAttempt.d.ts:8
-  //         granted has slug at grant.slug; others have slug at top level
-  return keys.map((k) =>
-    (k.status === 'granted' ? k.grant.slug : k.slug).split('.').pop()!,
-  );
-};
+export const check = FileCheckType.EQUALS;
 /**
- * .what = builds the expected .test.yml content with keyrack secrets injected
- * .why = single source of truth for both check and fix
- */
-export const buildExpectedContent = (input: {
-  template: string;
-  keys: string[];
-}): string => {
-  let result = input.template;
-  // if no keys, return template as-is
-  if (!input.keys.length) {
-    return result;
-  }
-  // build secrets declaration block for workflow_call
-  const secretsDeclaration = input.keys
-    .map(
-      (key) =>
-        `      ${key}:\n        description: "api key for ${key.toLowerCase().replace(/_/g, ' ')}"\n        required: false`,
-    )
-    .join('\n');
-  // build env block for test-integration job
-  const envBlock = input.keys
-    .map((key) => `          ${key}: \${{ secrets.${key} }}`)
-    .join('\n');
-  // insert secrets declaration after workflow_call inputs
-  // look for the pattern: inputs: ... (multiline) followed by blank line or permissions:
-  result = result.replace(
-    /(on:\n  workflow_call:\n    inputs:\n(?:      [^\n]+\n)+)/,
-    `$1    secrets:\n${secretsDeclaration}\n\n`,
-  );
-  // insert env block to test-integration job
-  // add env block after needs: [install] line
-  result = result.replace(
-    /(test-integration:\n    runs-on: ubuntu-24\.04\n    needs: \[install\]\n)/,
-    `$1    env:\n${envBlock}\n`,
-  );
-  return result;
-};
-/**
- * .what = ensures .test.yml matches expected content with keyrack secrets
- * .why = enables integration tests to access required api keys via github secrets
- */
-export const check: FileCheckFunction = async (contents, context) => {
-  // get keyrack keys from project
-  const keys = await getKeyrackKeys(context.getProjectRootDirectory());
-  // build expected content from template + keys
-  const expected = buildExpectedContent({
-    template: context.declaredFileContents ?? '',
-    keys,
-  });
-  // if contents don't match expected, best practice is violated
-  if (contents !== expected) {
-    throw new Error(
-      'file does not match expected content with keyrack secrets',
-    );
-  }
-  // return = file matches expected (best practice followed)
-};
-/**
- * .what = fixes .test.yml to include keyrack secrets declaration and env vars
- * .why = ensures integration tests have access to required api keys
+ * .what = replaces .test.yml with the template content
+ * .why = ensures workflow has firewall step for keyrack secrets
  */
 export const fix: FileFixFunction = async (_contents, context) => {
-  // get keyrack keys from project
-  const keys = await getKeyrackKeys(context.getProjectRootDirectory());
-  // build expected content from template + keys
-  const expected = buildExpectedContent({
-    template: context.declaredFileContents ?? '',
-    keys,
-  });
-  return { contents: expected };
+  return { contents: context.declaredFileContents ?? '' };
 };

package/dist/practices/cicd-common/best-practice/.github/workflows/test.yml CHANGED Viewed

@@ -22,3 +22,4 @@ jobs:
     with:
       creds-aws-region: us-east-1
       creds-aws-role-arn: ${{ vars.CREDS_CICD_AWS_DEV_OIDC_ROLE_ARN }} # use aws auth via oidc, if this repo supplies it
+    secrets: inherit # keyrack firewall in .test.yml filters to declared keys

package/dist/practices/cicd-common/best-practice/.github/workflows/test.yml.declapract.ts CHANGED Viewed

@@ -1,45 +1,15 @@
-import type { FileCheckFunction, FileFixFunction } from 'declapract';
-import { UnexpectedCodePathError } from 'helpful-errors';
-import { buildWorkflowSecretsBlock } from '../../../../../utils/buildWorkflowSecretsBlock';
+import { FileCheckType, type FileFixFunction } from 'declapract';
 /**
- * .what = ensures test.yml matches expected content with apikey secrets block
- * .why = enables the reusable workflow to access github secrets
+ * .what = validates test.yml matches the template exactly
+ * .why = secrets: inherit passes all secrets to .test.yml; firewall handles key filter at runtime
  */
-export const check: FileCheckFunction = async (contents, context) => {
-  // fail fast if template not found
-  if (!context.declaredFileContents)
-    throw new UnexpectedCodePathError('declaredFileContents not found', {
-      relativeFilePath: context.relativeFilePath,
-    });
-  const expected = await buildWorkflowSecretsBlock(
-    { template: context.declaredFileContents },
-    context,
-  );
-  // if contents don't match expected, best practice is violated
-  if (contents !== expected)
-    throw new Error('file does not match expected content with apikey secrets');
-  // return = file matches expected (best practice followed)
-};
+export const check = FileCheckType.EQUALS;
 /**
- * .what = fixes test.yml to include apikey secrets block
- * .why = ensures the reusable workflow receives required api keys
+ * .what = replaces test.yml with the template content
+ * .why = ensures caller workflow has secrets: inherit for firewall
  */
 export const fix: FileFixFunction = async (_contents, context) => {
-  // fail fast if template not found
-  if (!context.declaredFileContents)
-    throw new UnexpectedCodePathError('declaredFileContents not found', {
-      relativeFilePath: context.relativeFilePath,
-    });
-  const expected = await buildWorkflowSecretsBlock(
-    { template: context.declaredFileContents },
-    context,
-  );
-  return { contents: expected };
+  return { contents: context.declaredFileContents ?? '' };
 };

package/dist/practices/cicd-package/best-practice/.github/workflows/publish.yml CHANGED Viewed

@@ -19,6 +19,7 @@ jobs:
     with:
       creds-aws-region: us-east-1
       creds-aws-role-arn: ${{ vars.CREDS_CICD_AWS_DEV_OIDC_ROLE_ARN }} # use aws auth via oidc, if this repo supplies it
+    secrets: inherit # keyrack firewall in .test.yml filters to declared keys
   publish:
     uses: ./.github/workflows/.publish-npm.yml

package/dist/practices/cicd-package/best-practice/.github/workflows/publish.yml.declapract.ts CHANGED Viewed

@@ -1,45 +1,15 @@
-import type { FileCheckFunction, FileFixFunction } from 'declapract';
-import { UnexpectedCodePathError } from 'helpful-errors';
-import { buildWorkflowSecretsBlock } from '../../../../../utils/buildWorkflowSecretsBlock';
+import { FileCheckType, type FileFixFunction } from 'declapract';
 /**
- * .what = ensures publish.yml matches expected content with apikey secrets block
- * .why = enables the reusable workflow to access github secrets during publish
+ * .what = validates publish.yml matches the template exactly
+ * .why = secrets: inherit passes all secrets to .test.yml; firewall handles key filter at runtime
  */
-export const check: FileCheckFunction = async (contents, context) => {
-  // fail fast if template not found
-  if (!context.declaredFileContents)
-    throw new UnexpectedCodePathError('declaredFileContents not found', {
-      relativeFilePath: context.relativeFilePath,
-    });
-  const expected = await buildWorkflowSecretsBlock(
-    { template: context.declaredFileContents },
-    context,
-  );
-  // if contents don't match expected, best practice is violated
-  if (contents !== expected)
-    throw new Error('file does not match expected content with apikey secrets');
-  // return = file matches expected (best practice followed)
-};
+export const check = FileCheckType.EQUALS;
 /**
- * .what = fixes publish.yml to include apikey secrets block
- * .why = ensures the reusable workflow receives required api keys during publish
+ * .what = replaces publish.yml with the template content
+ * .why = ensures caller workflow has secrets: inherit for firewall
  */
 export const fix: FileFixFunction = async (_contents, context) => {
-  // fail fast if template not found
-  if (!context.declaredFileContents)
-    throw new UnexpectedCodePathError('declaredFileContents not found', {
-      relativeFilePath: context.relativeFilePath,
-    });
-  const expected = await buildWorkflowSecretsBlock(
-    { template: context.declaredFileContents },
-    context,
-  );
-  return { contents: expected };
+  return { contents: context.declaredFileContents ?? '' };
 };

package/dist/practices/cicd-service/best-practice/.github/workflows/deploy.yml CHANGED Viewed

@@ -41,6 +41,7 @@ jobs:
     with:
       creds-aws-region: us-east-1
       creds-aws-role-arn: ${{ vars.CREDS_CICD_AWS_DEV_OIDC_ROLE_ARN }} # use aws auth via oidc, if this repo supplies it
+    secrets: inherit # keyrack firewall in .test.yml filters to declared keys
   dev:
     uses: ./.github/workflows/.deploy-sls.yml

package/dist/practices/cicd-service/best-practice/.github/workflows/deploy.yml.declapract.ts CHANGED Viewed

@@ -1,45 +1,15 @@
-import type { FileCheckFunction, FileFixFunction } from 'declapract';
-import { UnexpectedCodePathError } from 'helpful-errors';
-import { buildWorkflowSecretsBlock } from '../../../../../utils/buildWorkflowSecretsBlock';
+import { FileCheckType, type FileFixFunction } from 'declapract';
 /**
- * .what = ensures deploy.yml matches expected content with apikey secrets block
- * .why = enables the reusable workflow to access github secrets during deploy
+ * .what = validates deploy.yml matches the template exactly
+ * .why = secrets: inherit passes all secrets to .test.yml; firewall handles key filter at runtime
  */
-export const check: FileCheckFunction = async (contents, context) => {
-  // fail fast if template not found
-  if (!context.declaredFileContents)
-    throw new UnexpectedCodePathError('declaredFileContents not found', {
-      relativeFilePath: context.relativeFilePath,
-    });
-  const expected = await buildWorkflowSecretsBlock(
-    { template: context.declaredFileContents },
-    context,
-  );
-  // if contents don't match expected, best practice is violated
-  if (contents !== expected)
-    throw new Error('file does not match expected content with apikey secrets');
-  // return = file matches expected (best practice followed)
-};
+export const check = FileCheckType.EQUALS;
 /**
- * .what = fixes deploy.yml to include apikey secrets block
- * .why = enables the reusable workflow receives required api keys during deploy
+ * .what = replaces deploy.yml with the template content
+ * .why = ensures caller workflow has secrets: inherit for firewall
  */
 export const fix: FileFixFunction = async (_contents, context) => {
-  // fail fast if template not found
-  if (!context.declaredFileContents)
-    throw new UnexpectedCodePathError('declaredFileContents not found', {
-      relativeFilePath: context.relativeFilePath,
-    });
-  const expected = await buildWorkflowSecretsBlock(
-    { template: context.declaredFileContents },
-    context,
-  );
-  return { contents: expected };
+  return { contents: context.declaredFileContents ?? '' };
 };

package/package.json CHANGED Viewed

@@ -2,7 +2,7 @@
   "name": "declapract-typescript-ehmpathy",
   "author": "ehmpathy",
   "description": "declapract best practices declarations for typescript",
-  "version": "0.47.64",
+  "version": "0.47.65",
   "license": "MIT",
   "main": "src/index.js",
   "repository": "ehmpathy/declapract-typescript-ehmpathy",
@@ -75,12 +75,12 @@
     "esbuild-register": "3.6.0",
     "husky": "8.0.3",
     "jest": "30.2.0",
-    "rhachet": "1.39.9",
-    "rhachet-brains-anthropic": "0.4.0",
+    "rhachet": "1.41.1",
+    "rhachet-brains-anthropic": "0.4.1",
     "rhachet-brains-xai": "0.3.3",
-    "rhachet-roles-bhrain": "0.23.10",
-    "rhachet-roles-bhuild": "0.17.0",
-    "rhachet-roles-ehmpathy": "1.34.23",
+    "rhachet-roles-bhrain": "0.27.5",
+    "rhachet-roles-bhuild": "0.21.1",
+    "rhachet-roles-ehmpathy": "1.35.0",
     "tsc-alias": "1.8.10",
     "tsx": "4.20.6",
     "type-fns": "1.21.2",

package/dist/.test/infra/withKeyrackContext.ts DELETED Viewed

@@ -1,50 +0,0 @@
-import fs from 'node:fs';
-import os from 'os';
-import path from 'node:path';
-import type { KeyrackGrantAttempt } from 'rhachet/keyrack';
-/**
- * .what = creates a mock context with keyrack config in a temp directory
- * .why = enables test of buildWorkflowSecretsBlock with different keyrack configs
- */
-export const withKeyrackContext = async (
-  input: { keys: string[] },
-  fn: (context: { getProjectRootDirectory: () => string }) => Promise<void>,
-): Promise<void> => {
-  // create temp dir with keyrack.yml
-  const tempDir = fs.mkdtempSync(path.join(os.tmpdir(), 'test-'));
-  const agentDir = path.join(tempDir, '.agent');
-  fs.mkdirSync(agentDir, { recursive: true });
-  fs.writeFileSync(
-    path.join(agentDir, 'keyrack.yml'),
-    `org: test\nenv.test:\n${input.keys.map((k) => `  - ${k}`).join('\n')}`,
-  );
-  // mock keyrack.get to return grant attempts
-  const mockGrants: KeyrackGrantAttempt[] = input.keys.map((key) => ({
-    status: 'granted' as const,
-    grant: {
-      slug: `test.test.${key}`,
-      value: 'mock-value',
-      mech: 'PERMANENT_VIA_REPLICA' as const,
-      vault: 'os.direct' as const,
-    },
-  }));
-  // store original module
-  const keyrackModule = await import('rhachet/keyrack');
-  const originalGet = keyrackModule.keyrack.get;
-  // replace with mock
-  (keyrackModule.keyrack as { get: typeof originalGet }).get = async () =>
-    mockGrants;
-  try {
-    await fn({ getProjectRootDirectory: () => tempDir });
-  } finally {
-    // restore original
-    (keyrackModule.keyrack as { get: typeof originalGet }).get = originalGet;
-    fs.rmSync(tempDir, { recursive: true, force: true });
-  }
-};

package/dist/utils/buildWorkflowSecretsBlock.ts DELETED Viewed

@@ -1,46 +0,0 @@
-import { existsSync } from 'node:fs';
-import { join } from 'node:path';
-import { keyrack, type KeyrackGrantAttempt } from 'rhachet/keyrack';
-/**
- * .what = builds workflow content with keyrack secrets block for .test.yml
- * .why = single source of truth for test.yml, publish.yml, deploy.yml check+fix
- */
-export const buildWorkflowSecretsBlock = async (
-  input: { template: string },
-  context: { getProjectRootDirectory: () => string },
-): Promise<string> => {
-  // check if keyrack.yml exists
-  const keyrackYmlPath = join(
-    context.getProjectRootDirectory(),
-    '.agent/keyrack.yml',
-  );
-  if (!existsSync(keyrackYmlPath)) return input.template;
-  // get required keys from keyrack sdk
-  const keys = (await keyrack.get({
-    for: { repo: true },
-    env: 'test',
-  })) as KeyrackGrantAttempt[];
-  if (!keys.length) return input.template;
-  // extract key names from slugs (format: org.env.KEY_NAME)
-  // .note = KeyrackGrantAttempt is a union of 4 variants (granted/absent/locked/blocked)
-  //         per rhachet/dist/domain.objects/keyrack/KeyrackGrantAttempt.d.ts:8
-  //         granted has slug at grant.slug; others have slug at top level
-  const keyrackVars = keys.map((k) =>
-    (k.status === 'granted' ? k.grant.slug : k.slug).split('.').pop()!,
-  );
-  // build secrets block
-  const secretsBlock = keyrackVars
-    .map((key) => `      ${key}: \${{ secrets.${key} }}`)
-    .join('\n');
-  // find jobs that call .test.yml with 'with:' block and add secrets block after
-  return input.template.replace(
-    /(uses: \.\/\.github\/workflows\/\.test\.yml\n(?:    if: [^\n]+\n)?    with:\n(?:      [^\n]+\n)+)/g,
-    `$1    secrets:\n${secretsBlock}\n`,
-  );
-};