npm - envpkt - Versions diffs - 0.1.0 - Mend

envpkt 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/LICENSE +21 -0
package/README.md +507 -0
package/dist/cli.js +2254 -0
package/dist/index.d.ts +392 -0
package/dist/index.js +1769 -0
package/package.json +71 -0
package/schemas/envpkt.schema.json +211 -0

package/dist/index.d.ts ADDED Viewed

@@ -0,0 +1,392 @@
+import * as _sinclair_typebox0 from "@sinclair/typebox";
+import { Static } from "@sinclair/typebox";
+import { Either, List, Option } from "functype";
+import { Server } from "@modelcontextprotocol/sdk/server/index.js";
+import { CallToolResult, ReadResourceResult, Resource } from "@modelcontextprotocol/sdk/types.js";
+//#region src/core/schema.d.ts
+declare const ConsumerType: _sinclair_typebox0.TUnion<[_sinclair_typebox0.TLiteral<"agent">, _sinclair_typebox0.TLiteral<"service">, _sinclair_typebox0.TLiteral<"developer">, _sinclair_typebox0.TLiteral<"ci">]>;
+type ConsumerType = Static<typeof ConsumerType>;
+declare const AgentIdentitySchema: _sinclair_typebox0.TObject<{
+  name: _sinclair_typebox0.TString;
+  consumer: _sinclair_typebox0.TOptional<_sinclair_typebox0.TUnion<[_sinclair_typebox0.TLiteral<"agent">, _sinclair_typebox0.TLiteral<"service">, _sinclair_typebox0.TLiteral<"developer">, _sinclair_typebox0.TLiteral<"ci">]>>;
+  description: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
+  capabilities: _sinclair_typebox0.TOptional<_sinclair_typebox0.TArray<_sinclair_typebox0.TString>>;
+  expires: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
+  services: _sinclair_typebox0.TOptional<_sinclair_typebox0.TArray<_sinclair_typebox0.TString>>;
+  identity: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
+  recipient: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
+  secrets: _sinclair_typebox0.TOptional<_sinclair_typebox0.TArray<_sinclair_typebox0.TString>>;
+}>;
+type AgentIdentity = Static<typeof AgentIdentitySchema>;
+declare const SecretMetaSchema: _sinclair_typebox0.TObject<{
+  service: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
+  expires: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
+  rotation_url: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
+  purpose: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
+  capabilities: _sinclair_typebox0.TOptional<_sinclair_typebox0.TArray<_sinclair_typebox0.TString>>;
+  created: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
+  rotates: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
+  rate_limit: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
+  model_hint: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
+  source: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
+  required: _sinclair_typebox0.TOptional<_sinclair_typebox0.TBoolean>;
+  tags: _sinclair_typebox0.TOptional<_sinclair_typebox0.TRecord<_sinclair_typebox0.TString, _sinclair_typebox0.TString>>;
+}>;
+type SecretMeta = Static<typeof SecretMetaSchema>;
+declare const LifecycleConfigSchema: _sinclair_typebox0.TObject<{
+  stale_warning_days: _sinclair_typebox0.TOptional<_sinclair_typebox0.TNumber>;
+  require_expiration: _sinclair_typebox0.TOptional<_sinclair_typebox0.TBoolean>;
+  require_service: _sinclair_typebox0.TOptional<_sinclair_typebox0.TBoolean>;
+}>;
+type LifecycleConfig = Static<typeof LifecycleConfigSchema>;
+declare const CallbackConfigSchema: _sinclair_typebox0.TObject<{
+  on_expiring: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
+  on_expired: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
+  on_audit_fail: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
+}>;
+type CallbackConfig = Static<typeof CallbackConfigSchema>;
+declare const ToolsConfigSchema: _sinclair_typebox0.TRecord<_sinclair_typebox0.TString, _sinclair_typebox0.TUnknown>;
+type ToolsConfig = Static<typeof ToolsConfigSchema>;
+declare const EnvpktConfigSchema: _sinclair_typebox0.TObject<{
+  version: _sinclair_typebox0.TNumber;
+  catalog: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
+  agent: _sinclair_typebox0.TOptional<_sinclair_typebox0.TObject<{
+    name: _sinclair_typebox0.TString;
+    consumer: _sinclair_typebox0.TOptional<_sinclair_typebox0.TUnion<[_sinclair_typebox0.TLiteral<"agent">, _sinclair_typebox0.TLiteral<"service">, _sinclair_typebox0.TLiteral<"developer">, _sinclair_typebox0.TLiteral<"ci">]>>;
+    description: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
+    capabilities: _sinclair_typebox0.TOptional<_sinclair_typebox0.TArray<_sinclair_typebox0.TString>>;
+    expires: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
+    services: _sinclair_typebox0.TOptional<_sinclair_typebox0.TArray<_sinclair_typebox0.TString>>;
+    identity: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
+    recipient: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
+    secrets: _sinclair_typebox0.TOptional<_sinclair_typebox0.TArray<_sinclair_typebox0.TString>>;
+  }>>;
+  meta: _sinclair_typebox0.TRecord<_sinclair_typebox0.TString, _sinclair_typebox0.TObject<{
+    service: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
+    expires: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
+    rotation_url: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
+    purpose: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
+    capabilities: _sinclair_typebox0.TOptional<_sinclair_typebox0.TArray<_sinclair_typebox0.TString>>;
+    created: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
+    rotates: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
+    rate_limit: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
+    model_hint: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
+    source: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
+    required: _sinclair_typebox0.TOptional<_sinclair_typebox0.TBoolean>;
+    tags: _sinclair_typebox0.TOptional<_sinclair_typebox0.TRecord<_sinclair_typebox0.TString, _sinclair_typebox0.TString>>;
+  }>>;
+  lifecycle: _sinclair_typebox0.TOptional<_sinclair_typebox0.TObject<{
+    stale_warning_days: _sinclair_typebox0.TOptional<_sinclair_typebox0.TNumber>;
+    require_expiration: _sinclair_typebox0.TOptional<_sinclair_typebox0.TBoolean>;
+    require_service: _sinclair_typebox0.TOptional<_sinclair_typebox0.TBoolean>;
+  }>>;
+  callbacks: _sinclair_typebox0.TOptional<_sinclair_typebox0.TObject<{
+    on_expiring: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
+    on_expired: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
+    on_audit_fail: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
+  }>>;
+  tools: _sinclair_typebox0.TOptional<_sinclair_typebox0.TRecord<_sinclair_typebox0.TString, _sinclair_typebox0.TUnknown>>;
+}>;
+type EnvpktConfig = Static<typeof EnvpktConfigSchema>;
+//#endregion
+//#region src/core/types.d.ts
+type HealthStatus = "healthy" | "degraded" | "critical";
+type SecretStatus = "healthy" | "expiring_soon" | "expired" | "stale" | "missing" | "missing_metadata";
+type SecretHealth = {
+  readonly key: string;
+  readonly service: Option<string>;
+  readonly status: SecretStatus;
+  readonly days_remaining: Option<number>;
+  readonly rotation_url: Option<string>;
+  readonly purpose: Option<string>;
+  readonly created: Option<string>;
+  readonly expires: Option<string>;
+  readonly issues: List<string>;
+};
+type AuditResult = {
+  readonly status: HealthStatus;
+  readonly secrets: List<SecretHealth>;
+  readonly total: number;
+  readonly healthy: number;
+  readonly expiring_soon: number;
+  readonly expired: number;
+  readonly stale: number;
+  readonly missing: number;
+  readonly missing_metadata: number;
+  readonly orphaned: number;
+  readonly agent?: AgentIdentity;
+};
+type FleetAgent = {
+  readonly path: string;
+  readonly agent?: AgentIdentity;
+  readonly min_expiry_days?: number;
+  readonly audit: AuditResult;
+};
+type FleetHealth = {
+  readonly status: HealthStatus;
+  readonly agents: List<FleetAgent>;
+  readonly total_agents: number;
+  readonly total_secrets: number;
+  readonly expired: number;
+  readonly expiring_soon: number;
+};
+type FnoxSecret = {
+  readonly key: string;
+  readonly profile: Option<string>;
+};
+type FnoxConfig = {
+  readonly secrets: Record<string, unknown>;
+  readonly profiles: Option<Record<string, unknown>>;
+};
+type ConfigError = {
+  readonly _tag: "FileNotFound";
+  readonly path: string;
+} | {
+  readonly _tag: "ParseError";
+  readonly message: string;
+} | {
+  readonly _tag: "ValidationError";
+  readonly errors: List<string>;
+} | {
+  readonly _tag: "ReadError";
+  readonly message: string;
+};
+type FnoxError = {
+  readonly _tag: "FnoxNotFound";
+  readonly message: string;
+} | {
+  readonly _tag: "FnoxCliError";
+  readonly message: string;
+} | {
+  readonly _tag: "FnoxParseError";
+  readonly message: string;
+};
+type ResolveOptions = {
+  readonly configPath?: string;
+  readonly output?: string;
+};
+type ResolveResult = {
+  readonly config: EnvpktConfig;
+  readonly catalogPath?: string;
+  readonly merged: ReadonlyArray<string>;
+  readonly overridden: ReadonlyArray<string>;
+  readonly warnings: ReadonlyArray<string>;
+};
+type CatalogError = {
+  readonly _tag: "CatalogNotFound";
+  readonly path: string;
+} | {
+  readonly _tag: "CatalogLoadError";
+  readonly message: string;
+} | {
+  readonly _tag: "SecretNotInCatalog";
+  readonly key: string;
+  readonly catalogPath: string;
+} | {
+  readonly _tag: "MissingSecretsList";
+  readonly message: string;
+};
+type BootOptions = {
+  readonly configPath?: string;
+  readonly profile?: string;
+  readonly inject?: boolean;
+  readonly failOnExpired?: boolean;
+  readonly warnOnly?: boolean;
+};
+type BootResult = {
+  readonly audit: AuditResult;
+  readonly injected: ReadonlyArray<string>;
+  readonly skipped: ReadonlyArray<string>;
+  readonly secrets: Readonly<Record<string, string>>;
+  readonly warnings: ReadonlyArray<string>;
+};
+type BootError = ConfigError | FnoxError | CatalogError | {
+  readonly _tag: "AuditFailed";
+  readonly audit: AuditResult;
+  readonly message: string;
+} | IdentityError;
+type IdentityError = {
+  readonly _tag: "AgeNotFound";
+  readonly message: string;
+} | {
+  readonly _tag: "DecryptFailed";
+  readonly message: string;
+} | {
+  readonly _tag: "IdentityNotFound";
+  readonly path: string;
+};
+//#endregion
+//#region src/core/config.d.ts
+/** Find envpkt.toml in the given directory */
+declare const findConfigPath: (dir: string) => Option<string>;
+/** Read a config file, returning Either<ConfigError, string> */
+declare const readConfigFile: (path: string) => Either<ConfigError, string>;
+/** Parse a TOML string, returning Either<ConfigError, unknown> */
+declare const parseToml: (raw: string) => Either<ConfigError, unknown>;
+/** Validate parsed data against the TypeBox schema */
+declare const validateConfig: (data: unknown) => Either<ConfigError, EnvpktConfig>;
+/** Load and validate an envpkt.toml from a file path */
+declare const loadConfig: (path: string) => Either<ConfigError, EnvpktConfig>;
+/** Load config from CWD, returning both path and parsed config */
+declare const loadConfigFromCwd: (cwd?: string) => Either<ConfigError, {
+  path: string;
+  config: EnvpktConfig;
+}>;
+/**
+ * Resolve config path via priority chain:
+ * 1. Explicit flag path
+ * 2. ENVPKT_CONFIG env var
+ * 3. CWD discovery
+ */
+declare const resolveConfigPath: (flagPath?: string, envVar?: string, cwd?: string) => Either<ConfigError, string>;
+//#endregion
+//#region src/core/catalog.d.ts
+/** Load and validate a catalog file, mapping ConfigError → CatalogError */
+declare const loadCatalog: (catalogPath: string) => Either<CatalogError, EnvpktConfig>;
+/** Resolve secrets by merging catalog meta with agent overrides (shallow merge) */
+declare const resolveSecrets: (agentMeta: Record<string, SecretMeta>, catalogMeta: Record<string, SecretMeta>, agentSecrets: ReadonlyArray<string>, catalogPath: string) => Either<CatalogError, Record<string, SecretMeta>>;
+/** Resolve an agent config against its catalog (if any), producing a flat self-contained config */
+declare const resolveConfig: (agentConfig: EnvpktConfig, agentConfigDir: string) => Either<CatalogError, ResolveResult>;
+//#endregion
+//#region src/core/format.d.ts
+type SecretDisplay = "encrypted" | "plaintext";
+type FormatPacketOptions = {
+  readonly secrets?: Readonly<Record<string, string>>;
+  readonly secretDisplay?: SecretDisplay;
+};
+declare const maskValue: (value: string) => string;
+declare const formatPacket: (result: ResolveResult, options?: FormatPacketOptions) => string;
+//#endregion
+//#region src/core/audit.d.ts
+declare const computeAudit: (config: EnvpktConfig, fnoxKeys?: ReadonlySet<string>, today?: Date) => AuditResult;
+//#endregion
+//#region src/core/patterns.d.ts
+type ConfidenceLevel = "high" | "medium" | "low";
+type CredentialPattern = {
+  readonly kind: "name" | "prefix" | "suffix" | "value_prefix" | "value_regex";
+  readonly pattern: string;
+  readonly service: string;
+  readonly confidence: ConfidenceLevel;
+  readonly description: string;
+};
+type MatchResult = {
+  readonly envVar: string;
+  readonly value: string;
+  readonly service: Option<string>;
+  readonly confidence: ConfidenceLevel;
+  readonly matchedBy: string;
+};
+/** Detect service from value prefix/shape */
+declare const matchValueShape: (value: string) => Option<{
+  service: string;
+  description: string;
+}>;
+/** Strip common suffixes and derive a service name from an env var name */
+declare const deriveServiceFromName: (name: string) => string;
+/** Match a single env var against all patterns */
+declare const matchEnvVar: (name: string, value: string) => Option<MatchResult>;
+/** Scan full env, sorted by confidence (high first) then alphabetically */
+declare const scanEnv: (env: Readonly<Record<string, string | undefined>>) => ReadonlyArray<MatchResult>;
+//#endregion
+//#region src/core/env.d.ts
+type ScanResult = {
+  readonly discovered: List<MatchResult>;
+  readonly total_scanned: number;
+  readonly high_confidence: number;
+  readonly medium_confidence: number;
+  readonly low_confidence: number;
+};
+type DriftStatus = "tracked" | "missing_from_env" | "untracked";
+type DriftEntry = {
+  readonly envVar: string;
+  readonly service: Option<string>;
+  readonly status: DriftStatus;
+  readonly confidence: Option<ConfidenceLevel>;
+};
+type CheckResult = {
+  readonly entries: List<DriftEntry>;
+  readonly tracked_and_present: number;
+  readonly missing_from_env: number;
+  readonly untracked_credentials: number;
+  readonly is_clean: boolean;
+};
+type ScanOptions = {
+  readonly includeUnknown?: boolean;
+};
+/** Scan env for credentials, returning structured results */
+declare const envScan: (env: Readonly<Record<string, string | undefined>>, options?: ScanOptions) => ScanResult;
+/** Bidirectional drift detection between config and live environment */
+declare const envCheck: (config: EnvpktConfig, env: Readonly<Record<string, string | undefined>>) => CheckResult;
+/** Generate TOML [meta.*] blocks from scan results, mirroring init.ts pattern */
+declare const generateTomlFromScan: (matches: ReadonlyArray<MatchResult>) => string;
+//#endregion
+//#region src/core/boot.d.ts
+/** Programmatic boot — returns Either<BootError, BootResult> */
+declare const bootSafe: (options?: BootOptions) => Either<BootError, BootResult>;
+/** Programmatic boot — throws EnvpktBootError on failure */
+declare const boot: (options?: BootOptions) => BootResult;
+/** Error class for boot() failures */
+declare class EnvpktBootError extends Error {
+  readonly error: BootError;
+  constructor(error: BootError);
+}
+//#endregion
+//#region src/core/fleet.d.ts
+declare const scanFleet: (rootDir: string, options?: {
+  maxDepth?: number;
+}) => FleetHealth;
+//#endregion
+//#region src/fnox/cli.d.ts
+/** Export all secrets from fnox as key=value pairs for a given profile */
+declare const fnoxExport: (profile?: string, agentKey?: string) => Either<FnoxError, Record<string, string>>;
+/** Get a single secret value from fnox */
+declare const fnoxGet: (key: string, profile?: string, agentKey?: string) => Either<FnoxError, string>;
+//#endregion
+//#region src/fnox/detect.d.ts
+/** Detect fnox.toml in the given directory */
+declare const detectFnox: (dir: string) => Option<string>;
+/** Check if fnox CLI is available on PATH */
+declare const fnoxAvailable: () => boolean;
+//#endregion
+//#region src/fnox/identity.d.ts
+/** Check if the age CLI is available on PATH */
+declare const ageAvailable: () => boolean;
+/** Unwrap an encrypted agent key using age --decrypt */
+declare const unwrapAgentKey: (identityPath: string) => Either<IdentityError, string>;
+//#endregion
+//#region src/fnox/parse.d.ts
+/** Read and parse fnox.toml, extracting secret keys and profiles */
+declare const readFnoxConfig: (path: string) => Either<FnoxError, FnoxConfig>;
+/** Extract the set of secret key names from a parsed fnox config */
+declare const extractFnoxKeys: (config: FnoxConfig) => ReadonlySet<string>;
+//#endregion
+//#region src/fnox/sync.d.ts
+/** Compare fnox keys and envpkt meta keys to find mismatches */
+declare const compareFnoxAndEnvpkt: (fnoxKeys: ReadonlySet<string>, envpktKeys: ReadonlySet<string>) => {
+  missing: List<string>;
+  orphaned: List<string>;
+};
+//#endregion
+//#region src/mcp/resources.d.ts
+declare const resourceDefinitions: readonly Resource[];
+declare const readResource: (uri: string) => ReadResourceResult | undefined;
+//#endregion
+//#region src/mcp/server.d.ts
+declare const createServer: () => Server;
+declare const startServer: () => Promise<void>;
+//#endregion
+//#region src/mcp/tools.d.ts
+type ToolDef = {
+  readonly name: string;
+  readonly description: string;
+  readonly inputSchema: {
+    readonly type: "object";
+    readonly properties?: Record<string, unknown>;
+    readonly required?: readonly string[];
+  };
+};
+declare const toolDefinitions: readonly ToolDef[];
+declare const callTool: (name: string, args: Record<string, unknown>) => CallToolResult;
+//#endregion
+export { type AgentIdentity, AgentIdentitySchema, type AuditResult, type BootError, type BootOptions, type BootResult, type CallbackConfig, CallbackConfigSchema, type CatalogError, type CheckResult, type ConfidenceLevel, type ConfigError, type ConsumerType, type CredentialPattern, type DriftEntry, type DriftStatus, EnvpktBootError, type EnvpktConfig, EnvpktConfigSchema, type FleetAgent, type FleetHealth, type FnoxConfig, type FnoxError, type FnoxSecret, type FormatPacketOptions, type HealthStatus, type IdentityError, type LifecycleConfig, LifecycleConfigSchema, type MatchResult, type ResolveOptions, type ResolveResult, type ScanOptions, type ScanResult, type SecretDisplay, type SecretHealth, type SecretMeta, SecretMetaSchema, type SecretStatus, type ToolsConfig, ToolsConfigSchema, ageAvailable, boot, bootSafe, callTool, compareFnoxAndEnvpkt, computeAudit, createServer, deriveServiceFromName, detectFnox, envCheck, envScan, extractFnoxKeys, findConfigPath, fnoxAvailable, fnoxExport, fnoxGet, formatPacket, generateTomlFromScan, loadCatalog, loadConfig, loadConfigFromCwd, maskValue, matchEnvVar, matchValueShape, parseToml, readConfigFile, readFnoxConfig, readResource, resolveConfig, resolveConfigPath, resolveSecrets, resourceDefinitions, scanEnv, scanFleet, startServer, toolDefinitions, unwrapAgentKey, validateConfig };