npm - envpkt - Versions diffs - 0.1.0 → 0.4.0 - Mend

envpkt 0.1.0 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/README.md +296 -107
package/dist/cli.js +803 -198
package/dist/index.d.ts +85 -7
package/dist/index.js +369 -75
package/package.json +22 -20
package/schemas/envpkt.schema.json +46 -3

package/dist/index.d.ts CHANGED Viewed

@@ -24,12 +24,14 @@ declare const SecretMetaSchema: _sinclair_typebox0.TObject<{
   expires: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
   rotation_url: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
   purpose: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
+  comment: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
   capabilities: _sinclair_typebox0.TOptional<_sinclair_typebox0.TArray<_sinclair_typebox0.TString>>;
   created: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
   rotates: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
   rate_limit: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
   model_hint: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
   source: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
+  encrypted_value: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
   required: _sinclair_typebox0.TOptional<_sinclair_typebox0.TBoolean>;
   tags: _sinclair_typebox0.TOptional<_sinclair_typebox0.TRecord<_sinclair_typebox0.TString, _sinclair_typebox0.TString>>;
 }>;
@@ -48,6 +50,13 @@ declare const CallbackConfigSchema: _sinclair_typebox0.TObject<{
 type CallbackConfig = Static<typeof CallbackConfigSchema>;
 declare const ToolsConfigSchema: _sinclair_typebox0.TRecord<_sinclair_typebox0.TString, _sinclair_typebox0.TUnknown>;
 type ToolsConfig = Static<typeof ToolsConfigSchema>;
+declare const EnvMetaSchema: _sinclair_typebox0.TObject<{
+  value: _sinclair_typebox0.TString;
+  purpose: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
+  comment: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
+  tags: _sinclair_typebox0.TOptional<_sinclair_typebox0.TRecord<_sinclair_typebox0.TString, _sinclair_typebox0.TString>>;
+}>;
+type EnvMeta = Static<typeof EnvMetaSchema>;
 declare const EnvpktConfigSchema: _sinclair_typebox0.TObject<{
   version: _sinclair_typebox0.TNumber;
   catalog: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
@@ -62,20 +71,28 @@ declare const EnvpktConfigSchema: _sinclair_typebox0.TObject<{
     recipient: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
     secrets: _sinclair_typebox0.TOptional<_sinclair_typebox0.TArray<_sinclair_typebox0.TString>>;
   }>>;
-  meta: _sinclair_typebox0.TRecord<_sinclair_typebox0.TString, _sinclair_typebox0.TObject<{
+  secret: _sinclair_typebox0.TOptional<_sinclair_typebox0.TRecord<_sinclair_typebox0.TString, _sinclair_typebox0.TObject<{
     service: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
     expires: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
     rotation_url: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
     purpose: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
+    comment: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
     capabilities: _sinclair_typebox0.TOptional<_sinclair_typebox0.TArray<_sinclair_typebox0.TString>>;
     created: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
     rotates: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
     rate_limit: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
     model_hint: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
     source: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
+    encrypted_value: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
     required: _sinclair_typebox0.TOptional<_sinclair_typebox0.TBoolean>;
     tags: _sinclair_typebox0.TOptional<_sinclair_typebox0.TRecord<_sinclair_typebox0.TString, _sinclair_typebox0.TString>>;
-  }>>;
+  }>>>;
+  env: _sinclair_typebox0.TOptional<_sinclair_typebox0.TRecord<_sinclair_typebox0.TString, _sinclair_typebox0.TObject<{
+    value: _sinclair_typebox0.TString;
+    purpose: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
+    comment: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
+    tags: _sinclair_typebox0.TOptional<_sinclair_typebox0.TRecord<_sinclair_typebox0.TString, _sinclair_typebox0.TString>>;
+  }>>>;
   lifecycle: _sinclair_typebox0.TOptional<_sinclair_typebox0.TObject<{
     stale_warning_days: _sinclair_typebox0.TOptional<_sinclair_typebox0.TNumber>;
     require_expiration: _sinclair_typebox0.TOptional<_sinclair_typebox0.TBoolean>;
@@ -117,6 +134,21 @@ type AuditResult = {
   readonly orphaned: number;
   readonly agent?: AgentIdentity;
 };
+type EnvDriftStatus = "default" | "overridden" | "missing";
+type EnvDriftEntry = {
+  readonly key: string;
+  readonly defaultValue: string;
+  readonly currentValue: string | undefined;
+  readonly status: EnvDriftStatus;
+  readonly purpose: string | undefined;
+};
+type EnvAuditResult = {
+  readonly entries: ReadonlyArray<EnvDriftEntry>;
+  readonly total: number;
+  readonly defaults_applied: number;
+  readonly overridden: number;
+  readonly missing: number;
+};
 type FleetAgent = {
   readonly path: string;
   readonly agent?: AgentIdentity;
@@ -162,6 +194,11 @@ type FnoxError = {
   readonly _tag: "FnoxParseError";
   readonly message: string;
 };
+type ConfigSource = "flag" | "env" | "cwd" | "search";
+type ResolvedPath = {
+  readonly path: string;
+  readonly source: ConfigSource;
+};
 type ResolveOptions = {
   readonly configPath?: string;
   readonly output?: string;
@@ -200,6 +237,10 @@ type BootResult = {
   readonly skipped: ReadonlyArray<string>;
   readonly secrets: Readonly<Record<string, string>>;
   readonly warnings: ReadonlyArray<string>;
+  readonly envDefaults: Readonly<Record<string, string>>;
+  readonly overridden: ReadonlyArray<string>;
+  readonly configPath: string;
+  readonly configSource: ConfigSource;
 };
 type BootError = ConfigError | FnoxError | CatalogError | {
   readonly _tag: "AuditFailed";
@@ -216,10 +257,31 @@ type IdentityError = {
   readonly _tag: "IdentityNotFound";
   readonly path: string;
 };
+type SealError = {
+  readonly _tag: "AgeNotFound";
+  readonly message: string;
+} | {
+  readonly _tag: "EncryptFailed";
+  readonly key: string;
+  readonly message: string;
+} | {
+  readonly _tag: "DecryptFailed";
+  readonly key: string;
+  readonly message: string;
+} | {
+  readonly _tag: "NoRecipient";
+  readonly message: string;
+};
 //#endregion
 //#region src/core/config.d.ts
 /** Find envpkt.toml in the given directory */
 declare const findConfigPath: (dir: string) => Option<string>;
+type DiscoveredConfig = {
+  readonly path: string;
+  readonly source: "cwd" | "search";
+};
+/** Discover config by checking CWD, then ENVPKT_SEARCH_PATH, then built-in candidate paths */
+declare const discoverConfig: (cwd?: string) => Option<DiscoveredConfig>;
 /** Read a config file, returning Either<ConfigError, string> */
 declare const readConfigFile: (path: string) => Either<ConfigError, string>;
 /** Parse a TOML string, returning Either<ConfigError, unknown> */
@@ -228,18 +290,19 @@ declare const parseToml: (raw: string) => Either<ConfigError, unknown>;
 declare const validateConfig: (data: unknown) => Either<ConfigError, EnvpktConfig>;
 /** Load and validate an envpkt.toml from a file path */
 declare const loadConfig: (path: string) => Either<ConfigError, EnvpktConfig>;
-/** Load config from CWD, returning both path and parsed config */
+/** Load config from CWD or discovery chain, returning path, source, and parsed config */
 declare const loadConfigFromCwd: (cwd?: string) => Either<ConfigError, {
   path: string;
+  source: "cwd" | "search";
   config: EnvpktConfig;
 }>;
 /**
  * Resolve config path via priority chain:
  * 1. Explicit flag path
  * 2. ENVPKT_CONFIG env var
- * 3. CWD discovery
+ * 3. CWD + discovery chain (home dir, cloud storage, custom search paths)
  */
-declare const resolveConfigPath: (flagPath?: string, envVar?: string, cwd?: string) => Either<ConfigError, string>;
+declare const resolveConfigPath: (flagPath?: string, envVar?: string, cwd?: string) => Either<ConfigError, ResolvedPath>;
 //#endregion
 //#region src/core/catalog.d.ts
 /** Load and validate a catalog file, mapping ConfigError → CatalogError */
@@ -260,6 +323,7 @@ declare const formatPacket: (result: ResolveResult, options?: FormatPacketOption
 //#endregion
 //#region src/core/audit.d.ts
 declare const computeAudit: (config: EnvpktConfig, fnoxKeys?: ReadonlySet<string>, today?: Date) => AuditResult;
+declare const computeEnvAudit: (config: EnvpktConfig, env?: Readonly<Record<string, string | undefined>>) => EnvAuditResult;
 //#endregion
 //#region src/core/patterns.d.ts
 type ConfidenceLevel = "high" | "medium" | "low";
@@ -318,7 +382,7 @@ type ScanOptions = {
 declare const envScan: (env: Readonly<Record<string, string | undefined>>, options?: ScanOptions) => ScanResult;
 /** Bidirectional drift detection between config and live environment */
 declare const envCheck: (config: EnvpktConfig, env: Readonly<Record<string, string | undefined>>) => CheckResult;
-/** Generate TOML [meta.*] blocks from scan results, mirroring init.ts pattern */
+/** Generate TOML [secret.*] blocks from scan results, mirroring init.ts pattern */
 declare const generateTomlFromScan: (matches: ReadonlyArray<MatchResult>) => string;
 //#endregion
 //#region src/core/boot.d.ts
@@ -332,6 +396,20 @@ declare class EnvpktBootError extends Error {
   constructor(error: BootError);
 }
 //#endregion
+//#region src/core/seal.d.ts
+/** Encrypt a plaintext string using age with the given recipient public key (armored output) */
+declare const ageEncrypt: (plaintext: string, recipient: string) => Either<SealError, string>;
+/** Decrypt an age-armored ciphertext using the given identity file */
+declare const ageDecrypt: (ciphertext: string, identityPath: string) => Either<SealError, string>;
+/** Seal multiple secrets: encrypt each value with the recipient key and set encrypted_value on meta */
+declare const sealSecrets: (meta: Readonly<Record<string, SecretMeta>>, values: Readonly<Record<string, string>>, recipient: string) => Either<SealError, Record<string, SecretMeta>>;
+/** Unseal secrets: decrypt encrypted_value for each meta entry that has one */
+declare const unsealSecrets: (meta: Readonly<Record<string, SecretMeta>>, identityPath: string) => Either<SealError, Record<string, string>>;
+//#endregion
+//#region src/core/resolve-values.d.ts
+/** Resolve plaintext values for the given keys via cascade: fnox → env → interactive prompt */
+declare const resolveValues: (keys: ReadonlyArray<string>, profile?: string, agentKey?: string) => Promise<Record<string, string>>;
+//#endregion
 //#region src/core/fleet.d.ts
 declare const scanFleet: (rootDir: string, options?: {
   maxDepth?: number;
@@ -389,4 +467,4 @@ type ToolDef = {
 declare const toolDefinitions: readonly ToolDef[];
 declare const callTool: (name: string, args: Record<string, unknown>) => CallToolResult;
 //#endregion
-export { type AgentIdentity, AgentIdentitySchema, type AuditResult, type BootError, type BootOptions, type BootResult, type CallbackConfig, CallbackConfigSchema, type CatalogError, type CheckResult, type ConfidenceLevel, type ConfigError, type ConsumerType, type CredentialPattern, type DriftEntry, type DriftStatus, EnvpktBootError, type EnvpktConfig, EnvpktConfigSchema, type FleetAgent, type FleetHealth, type FnoxConfig, type FnoxError, type FnoxSecret, type FormatPacketOptions, type HealthStatus, type IdentityError, type LifecycleConfig, LifecycleConfigSchema, type MatchResult, type ResolveOptions, type ResolveResult, type ScanOptions, type ScanResult, type SecretDisplay, type SecretHealth, type SecretMeta, SecretMetaSchema, type SecretStatus, type ToolsConfig, ToolsConfigSchema, ageAvailable, boot, bootSafe, callTool, compareFnoxAndEnvpkt, computeAudit, createServer, deriveServiceFromName, detectFnox, envCheck, envScan, extractFnoxKeys, findConfigPath, fnoxAvailable, fnoxExport, fnoxGet, formatPacket, generateTomlFromScan, loadCatalog, loadConfig, loadConfigFromCwd, maskValue, matchEnvVar, matchValueShape, parseToml, readConfigFile, readFnoxConfig, readResource, resolveConfig, resolveConfigPath, resolveSecrets, resourceDefinitions, scanEnv, scanFleet, startServer, toolDefinitions, unwrapAgentKey, validateConfig };
+export { type AgentIdentity, AgentIdentitySchema, type AuditResult, type BootError, type BootOptions, type BootResult, type CallbackConfig, CallbackConfigSchema, type CatalogError, type CheckResult, type ConfidenceLevel, type ConfigError, type ConfigSource, type ConsumerType, type CredentialPattern, type DriftEntry, type DriftStatus, type EnvAuditResult, type EnvDriftEntry, type EnvDriftStatus, type EnvMeta, EnvMetaSchema, EnvpktBootError, type EnvpktConfig, EnvpktConfigSchema, type FleetAgent, type FleetHealth, type FnoxConfig, type FnoxError, type FnoxSecret, type FormatPacketOptions, type HealthStatus, type IdentityError, type LifecycleConfig, LifecycleConfigSchema, type MatchResult, type ResolveOptions, type ResolveResult, type ResolvedPath, type ScanOptions, type ScanResult, type SealError, type SecretDisplay, type SecretHealth, type SecretMeta, SecretMetaSchema, type SecretStatus, type ToolsConfig, ToolsConfigSchema, ageAvailable, ageDecrypt, ageEncrypt, boot, bootSafe, callTool, compareFnoxAndEnvpkt, computeAudit, computeEnvAudit, createServer, deriveServiceFromName, detectFnox, discoverConfig, envCheck, envScan, extractFnoxKeys, findConfigPath, fnoxAvailable, fnoxExport, fnoxGet, formatPacket, generateTomlFromScan, loadCatalog, loadConfig, loadConfigFromCwd, maskValue, matchEnvVar, matchValueShape, parseToml, readConfigFile, readFnoxConfig, readResource, resolveConfig, resolveConfigPath, resolveSecrets, resolveValues, resourceDefinitions, scanEnv, scanFleet, sealSecrets, startServer, toolDefinitions, unsealSecrets, unwrapAgentKey, validateConfig };