npm - envpkt - Versions diffs - 0.10.1 → 0.11.0 - Mend

envpkt 0.10.1 → 0.11.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/cli.js CHANGED Viewed

@@ -8,6 +8,7 @@ import { TypeCompiler } from "@sinclair/typebox/compiler";
 import { Env, Fs, Path, Platform } from "functype-os";
 import { TomlDate, parse, stringify } from "smol-toml";
 import { FormatRegistry, Type } from "@sinclair/typebox";
+import { directSilentLogger } from "functype-log";
 import { execFileSync } from "node:child_process";
 import { homedir } from "node:os";
 import { Server } from "@modelcontextprotocol/sdk/server/index.js";
@@ -88,8 +89,11 @@ const computeAudit = (config, fnoxKeys, today, aliasTable) => {
 	const nonAliasMetaKeys = new Set(nonAliasEntries.map(([k]) => k));
 	const nonAliasHealth = nonAliasEntries.map(([key, meta]) => classifySecret(key, meta, keys, staleWarningDays, requireExpiration, requireService, now));
 	const healthByKey = new Map(nonAliasHealth.map((h) => [h.key, h]));
+	const parseTargetKey = (from_key) => {
+		return /^secret\.(.+)$/.exec(from_key)?.[1];
+	};
 	const aliasHealth = aliasEntries.map(([key, meta]) => {
-		const targetKey = (aliasTable?.entries.get(`secret.${key}`))?.targetKey;
+		const targetKey = (aliasTable?.entries.get(`secret.${key}`))?.targetKey ?? (meta.from_key !== void 0 ? parseTargetKey(meta.from_key) : void 0);
 		const targetHealth = targetKey !== void 0 ? healthByKey.get(targetKey) : void 0;
 		const targetRef = meta.from_key ?? (targetKey !== void 0 ? `secret.${targetKey}` : "");
 		if (!targetHealth) return {
@@ -547,12 +551,14 @@ const formatAuditJson = (audit) => JSON.stringify({
 	missing: audit.missing,
 	missing_metadata: audit.missing_metadata,
 	orphaned: audit.orphaned,
+	aliases: audit.aliases,
 	secrets: audit.secrets.map((s) => ({
 		key: s.key,
 		service: s.service.fold(() => null, (sv) => sv),
 		status: s.status,
 		days_remaining: s.days_remaining.fold(() => null, (d) => d),
 		rotation_url: s.rotation_url.fold(() => null, (u) => u),
+		alias_of: s.alias_of.fold(() => null, (a) => a),
 		purpose: s.purpose.fold(() => null, (p) => p),
 		issues: s.issues.toArray()
 	})).toArray()
@@ -1279,7 +1285,15 @@ const bootSafe = (options) => {
 	const inject = opts.inject !== false;
 	const failOnExpired = opts.failOnExpired !== false;
 	const warnOnly = opts.warnOnly ?? false;
-	return resolveAndLoad(opts).flatMap(({ config, configPath, configDir, configSource }) => validateAliases(config).fold((err) => Left(err), (aliasTable) => {
+	const log = (opts.logger ?? directSilentLogger).withContext({ component: "envpkt.boot" });
+	return resolveAndLoad(opts).flatMap(({ config, configPath, configDir, configSource }) => validateAliases(config).fold((err) => {
+		log.warn("alias.validate.failed", {
+			tag: err._tag,
+			key: "key" in err ? err.key : void 0
+		});
+		return Left(err);
+	}, (aliasTable) => {
+		log.debug("alias.validate.success", { aliases: aliasTable.entries.size });
 		const secretEntries = config.secret ?? {};
 		const envEntries = config.env ?? {};
 		const nonAliasSecretEntries = Object.fromEntries(Object.entries(secretEntries).filter(([, meta]) => meta.from_key === void 0));
@@ -1308,19 +1322,28 @@ const bootSafe = (options) => {
 			const sealedKeys = /* @__PURE__ */ new Set();
 			const identityFilePath = resolveIdentityFilePath(config, configDir, true);
 			if (hasSealedValues) identityFilePath.fold(() => {
+				log.warn("phase.sealed.no_identity_file", { sealed_keys: nonAliasMetaKeys.filter((k) => !!nonAliasSecretEntries[k]?.encrypted_value).length });
 				warnings.push("Sealed values found but no identity file available for decryption");
 			}, (idPath) => {
 				unsealSecrets(nonAliasSecretEntries, idPath).fold((err) => {
+					log.warn("phase.sealed.decrypt_failed", { message: err.message });
 					warnings.push(`Sealed value decryption failed: ${err.message}`);
 				}, (unsealed) => {
 					const unsealedEntries = Object.entries(unsealed);
 					Object.assign(secrets, unsealed);
 					injected.push(...unsealedEntries.map(([key]) => key));
-					unsealedEntries.map(([key]) => key).forEach((key) => sealedKeys.add(key));
+					unsealedEntries.forEach(([key]) => {
+						sealedKeys.add(key);
+						log.debug("phase.sealed.resolved", { key });
+					});
 				});
 			});
 			const remainingKeys = nonAliasMetaKeys.filter((k) => !sealedKeys.has(k));
 			if (remainingKeys.length > 0) if (fnoxAvailable()) fnoxExport(opts.profile, identityKey.orUndefined()).fold((err) => {
+				log.warn("phase.fnox.export_failed", {
+					message: err.message,
+					skipped: remainingKeys.length
+				});
 				warnings.push(`fnox export failed: ${err.message}`);
 				skipped.push(...remainingKeys);
 			}, (exported) => {
@@ -1328,11 +1351,22 @@ const bootSafe = (options) => {
 				const notFound = remainingKeys.filter((key) => !(key in exported));
 				found.forEach((key) => {
 					secrets[key] = exported[key];
+					log.debug("phase.fnox.resolved", {
+						key,
+						profile: opts.profile
+					});
+				});
+				notFound.forEach((key) => {
+					log.debug("phase.fnox.not_in_export", {
+						key,
+						profile: opts.profile
+					});
 				});
 				injected.push(...found);
 				skipped.push(...notFound);
 			});
 			else {
+				log.debug("phase.fnox.unavailable", { skipped: remainingKeys.length });
 				if (!hasSealedValues) warnings.push("fnox not available — no secrets injected");
 				else warnings.push("fnox not available — unsealed secrets could not be resolved");
 				skipped.push(...remainingKeys);
@@ -1344,7 +1378,17 @@ const bootSafe = (options) => {
 				if (targetValue !== void 0) {
 					secrets[aliasKey] = targetValue;
 					injected.push(aliasKey);
-				} else skipped.push(aliasKey);
+					log.debug("phase.alias.copied", {
+						alias: aliasKey,
+						target: entry.targetKey
+					});
+				} else {
+					skipped.push(aliasKey);
+					log.debug("phase.alias.target_unresolved", {
+						alias: aliasKey,
+						target: entry.targetKey
+					});
+				}
 			});
 			aliasEnvKeys.forEach((aliasKey) => {
 				const entry = aliasTable.entries.get(`env.${aliasKey}`);

package/dist/index.d.ts CHANGED Viewed

@@ -1,6 +1,7 @@
 import * as _$_sinclair_typebox0 from "@sinclair/typebox";
 import { Static } from "@sinclair/typebox";
 import { Either, List, Option } from "functype";
+import { DirectLogger, DirectLogger as DirectLogger$1, DirectTestLoggerHandle, LogEntry, LogLevel, LogMetadata, createDirectConsoleLogger, createDirectTestLogger, directSilentLogger } from "functype-log";
 import { Server } from "@modelcontextprotocol/sdk/server/index.js";
 import { CallToolResult, ReadResourceResult, Resource } from "@modelcontextprotocol/sdk/types.js";
@@ -285,6 +286,13 @@ type BootOptions = {
   readonly inject?: boolean;
   readonly failOnExpired?: boolean;
   readonly warnOnly?: boolean;
+  /**
+   * Optional diagnostic logger. Defaults to a silent logger (zero overhead).
+   * Receives structured trace events at boot resolution decision points
+   * (alias validation, sealed phase, fnox phase, alias copy phase). Useful
+   * for debugging why a particular secret landed in skipped[] vs injected[].
+   */
+  readonly logger?: DirectLogger$1;
 };
 type BootResult = {
   readonly audit: AuditResult;
@@ -622,4 +630,4 @@ type ToolDef = {
 declare const toolDefinitions: readonly ToolDef[];
 declare const callTool: (name: string, args: Record<string, unknown>) => CallToolResult;
 //#endregion
-export { type AgentIdentity, AgentIdentitySchema, type AliasError, type AliasTable, type AuditResult, type BootError, type BootOptions, type BootResult, type CallbackConfig, CallbackConfigSchema, type CatalogError, type CheckResult, type ConfidenceLevel, type ConfigError, type ConfigSource, type ConsumerType, type CredentialPattern, type DriftEntry, type DriftStatus, type EnvAuditResult, type EnvDriftEntry, type EnvDriftStatus, type EnvMeta, EnvMetaSchema, EnvpktBootError, type EnvpktConfig, EnvpktConfigSchema, type FleetAgent, type FleetHealth, type FnoxConfig, type FnoxError, type FnoxSecret, type FormatPacketOptions, type HealthStatus, type Identity, type IdentityError, IdentitySchema, type KeygenError, type KeygenResult, type LifecycleConfig, LifecycleConfigSchema, type MatchResult, type ResolveOptions, type ResolveResult, type ResolvedPath, type ScanOptions, type ScanResult, type SealError, type SecretDisplay, type SecretHealth, type SecretMeta, SecretMetaSchema, type SecretStatus, type TomlEditError, type ToolsConfig, ToolsConfigSchema, ageAvailable, ageDecrypt, ageEncrypt, appendSection, boot, bootSafe, callTool, compareFnoxAndEnvpkt, computeAudit, computeEnvAudit, createServer, deriveServiceFromName, detectFnox, discoverConfig, envCheck, envScan, extractFnoxKeys, findConfigPath, fnoxAvailable, fnoxExport, fnoxGet, formatAliasError, formatPacket, generateKeypair, generateTomlFromScan, isEnvAlias, isSecretAlias, loadCatalog, loadConfig, loadConfigFromCwd, maskValue, matchEnvVar, matchValueShape, parseToml, readConfigFile, readFnoxConfig, readResource, removeSection, renameSection, resolveConfig, resolveConfigPath, resolveInlineKey, resolveKeyPath, resolveSecrets, resolveValues, resourceDefinitions, scanEnv, scanFleet, sealSecrets, startServer, toolDefinitions, unsealSecrets, unwrapAgentKey, updateConfigIdentity, updateSectionFields, validateAliases, validateConfig };
+export { type AgentIdentity, AgentIdentitySchema, type AliasError, type AliasTable, type AuditResult, type BootError, type BootOptions, type BootResult, type CallbackConfig, CallbackConfigSchema, type CatalogError, type CheckResult, type ConfidenceLevel, type ConfigError, type ConfigSource, type ConsumerType, type CredentialPattern, type DirectLogger, type DirectTestLoggerHandle, type DriftEntry, type DriftStatus, type EnvAuditResult, type EnvDriftEntry, type EnvDriftStatus, type EnvMeta, EnvMetaSchema, EnvpktBootError, type EnvpktConfig, EnvpktConfigSchema, type FleetAgent, type FleetHealth, type FnoxConfig, type FnoxError, type FnoxSecret, type FormatPacketOptions, type HealthStatus, type Identity, type IdentityError, IdentitySchema, type KeygenError, type KeygenResult, type LifecycleConfig, LifecycleConfigSchema, type LogEntry, type LogLevel, type LogMetadata, type MatchResult, type ResolveOptions, type ResolveResult, type ResolvedPath, type ScanOptions, type ScanResult, type SealError, type SecretDisplay, type SecretHealth, type SecretMeta, SecretMetaSchema, type SecretStatus, type TomlEditError, type ToolsConfig, ToolsConfigSchema, ageAvailable, ageDecrypt, ageEncrypt, appendSection, boot, bootSafe, callTool, compareFnoxAndEnvpkt, computeAudit, computeEnvAudit, createDirectConsoleLogger, createDirectTestLogger, createServer, deriveServiceFromName, detectFnox, directSilentLogger, discoverConfig, envCheck, envScan, extractFnoxKeys, findConfigPath, fnoxAvailable, fnoxExport, fnoxGet, formatAliasError, formatPacket, generateKeypair, generateTomlFromScan, isEnvAlias, isSecretAlias, loadCatalog, loadConfig, loadConfigFromCwd, maskValue, matchEnvVar, matchValueShape, parseToml, readConfigFile, readFnoxConfig, readResource, removeSection, renameSection, resolveConfig, resolveConfigPath, resolveInlineKey, resolveKeyPath, resolveSecrets, resolveValues, resourceDefinitions, scanEnv, scanFleet, sealSecrets, startServer, toolDefinitions, unsealSecrets, unwrapAgentKey, updateConfigIdentity, updateSectionFields, validateAliases, validateConfig };

package/dist/index.js CHANGED Viewed

@@ -5,6 +5,7 @@ import { Cond, Either, Left, List, None, Option, Right, Some, Try } from "functy
 import { Env, Fs, Path, Platform } from "functype-os";
 import { TomlDate, parse } from "smol-toml";
 import { chmodSync, existsSync, mkdirSync, readFileSync, readdirSync, statSync, writeFileSync } from "node:fs";
+import { createDirectConsoleLogger, createDirectTestLogger, directSilentLogger, directSilentLogger as directSilentLogger$1 } from "functype-log";
 import { execFileSync } from "node:child_process";
 import { homedir } from "node:os";
 import { createInterface } from "node:readline";
@@ -650,8 +651,11 @@ const computeAudit = (config, fnoxKeys, today, aliasTable) => {
 	const nonAliasMetaKeys = new Set(nonAliasEntries.map(([k]) => k));
 	const nonAliasHealth = nonAliasEntries.map(([key, meta]) => classifySecret(key, meta, keys, staleWarningDays, requireExpiration, requireService, now));
 	const healthByKey = new Map(nonAliasHealth.map((h) => [h.key, h]));
+	const parseTargetKey = (from_key) => {
+		return /^secret\.(.+)$/.exec(from_key)?.[1];
+	};
 	const aliasHealth = aliasEntries.map(([key, meta]) => {
-		const targetKey = (aliasTable?.entries.get(`secret.${key}`))?.targetKey;
+		const targetKey = (aliasTable?.entries.get(`secret.${key}`))?.targetKey ?? (meta.from_key !== void 0 ? parseTargetKey(meta.from_key) : void 0);
 		const targetHealth = targetKey !== void 0 ? healthByKey.get(targetKey) : void 0;
 		const targetRef = meta.from_key ?? (targetKey !== void 0 ? `secret.${targetKey}` : "");
 		if (!targetHealth) return {
@@ -1927,7 +1931,15 @@ const bootSafe = (options) => {
 	const inject = opts.inject !== false;
 	const failOnExpired = opts.failOnExpired !== false;
 	const warnOnly = opts.warnOnly ?? false;
-	return resolveAndLoad(opts).flatMap(({ config, configPath, configDir, configSource }) => validateAliases(config).fold((err) => Left(err), (aliasTable) => {
+	const log = (opts.logger ?? directSilentLogger$1).withContext({ component: "envpkt.boot" });
+	return resolveAndLoad(opts).flatMap(({ config, configPath, configDir, configSource }) => validateAliases(config).fold((err) => {
+		log.warn("alias.validate.failed", {
+			tag: err._tag,
+			key: "key" in err ? err.key : void 0
+		});
+		return Left(err);
+	}, (aliasTable) => {
+		log.debug("alias.validate.success", { aliases: aliasTable.entries.size });
 		const secretEntries = config.secret ?? {};
 		const envEntries = config.env ?? {};
 		const nonAliasSecretEntries = Object.fromEntries(Object.entries(secretEntries).filter(([, meta]) => meta.from_key === void 0));
@@ -1956,19 +1968,28 @@ const bootSafe = (options) => {
 			const sealedKeys = /* @__PURE__ */ new Set();
 			const identityFilePath = resolveIdentityFilePath(config, configDir, true);
 			if (hasSealedValues) identityFilePath.fold(() => {
+				log.warn("phase.sealed.no_identity_file", { sealed_keys: nonAliasMetaKeys.filter((k) => !!nonAliasSecretEntries[k]?.encrypted_value).length });
 				warnings.push("Sealed values found but no identity file available for decryption");
 			}, (idPath) => {
 				unsealSecrets(nonAliasSecretEntries, idPath).fold((err) => {
+					log.warn("phase.sealed.decrypt_failed", { message: err.message });
 					warnings.push(`Sealed value decryption failed: ${err.message}`);
 				}, (unsealed) => {
 					const unsealedEntries = Object.entries(unsealed);
 					Object.assign(secrets, unsealed);
 					injected.push(...unsealedEntries.map(([key]) => key));
-					unsealedEntries.map(([key]) => key).forEach((key) => sealedKeys.add(key));
+					unsealedEntries.forEach(([key]) => {
+						sealedKeys.add(key);
+						log.debug("phase.sealed.resolved", { key });
+					});
 				});
 			});
 			const remainingKeys = nonAliasMetaKeys.filter((k) => !sealedKeys.has(k));
 			if (remainingKeys.length > 0) if (fnoxAvailable()) fnoxExport(opts.profile, identityKey.orUndefined()).fold((err) => {
+				log.warn("phase.fnox.export_failed", {
+					message: err.message,
+					skipped: remainingKeys.length
+				});
 				warnings.push(`fnox export failed: ${err.message}`);
 				skipped.push(...remainingKeys);
 			}, (exported) => {
@@ -1976,11 +1997,22 @@ const bootSafe = (options) => {
 				const notFound = remainingKeys.filter((key) => !(key in exported));
 				found.forEach((key) => {
 					secrets[key] = exported[key];
+					log.debug("phase.fnox.resolved", {
+						key,
+						profile: opts.profile
+					});
+				});
+				notFound.forEach((key) => {
+					log.debug("phase.fnox.not_in_export", {
+						key,
+						profile: opts.profile
+					});
 				});
 				injected.push(...found);
 				skipped.push(...notFound);
 			});
 			else {
+				log.debug("phase.fnox.unavailable", { skipped: remainingKeys.length });
 				if (!hasSealedValues) warnings.push("fnox not available — no secrets injected");
 				else warnings.push("fnox not available — unsealed secrets could not be resolved");
 				skipped.push(...remainingKeys);
@@ -1992,7 +2024,17 @@ const bootSafe = (options) => {
 				if (targetValue !== void 0) {
 					secrets[aliasKey] = targetValue;
 					injected.push(aliasKey);
-				} else skipped.push(aliasKey);
+					log.debug("phase.alias.copied", {
+						alias: aliasKey,
+						target: entry.targetKey
+					});
+				} else {
+					skipped.push(aliasKey);
+					log.debug("phase.alias.target_unresolved", {
+						alias: aliasKey,
+						target: entry.targetKey
+					});
+				}
 			});
 			aliasEnvKeys.forEach((aliasKey) => {
 				const entry = aliasTable.entries.get(`env.${aliasKey}`);
@@ -2637,4 +2679,4 @@ const startServer = async () => {
 	await server.connect(transport);
 };
 //#endregion
-export { AgentIdentitySchema, CallbackConfigSchema, ConsumerType, EnvMetaSchema, EnvpktBootError, EnvpktConfigSchema, IdentitySchema, LifecycleConfigSchema, SecretMetaSchema, ToolsConfigSchema, ageAvailable, ageDecrypt, ageEncrypt, appendSection, boot, bootSafe, callTool, compareFnoxAndEnvpkt, computeAudit, computeEnvAudit, createServer, deriveServiceFromName, detectFnox, discoverConfig, envCheck, envScan, extractFnoxKeys, findConfigPath, fnoxAvailable, fnoxExport, fnoxGet, formatAliasError, formatPacket, generateKeypair, generateTomlFromScan, isEnvAlias, isSecretAlias, loadCatalog, loadConfig, loadConfigFromCwd, maskValue, matchEnvVar, matchValueShape, parseToml, readConfigFile, readFnoxConfig, readResource, removeSection, renameSection, resolveConfig, resolveConfigPath, resolveInlineKey, resolveKeyPath, resolveSecrets, resolveValues, resourceDefinitions, scanEnv, scanFleet, sealSecrets, startServer, toolDefinitions, unsealSecrets, unwrapAgentKey, updateConfigIdentity, updateSectionFields, validateAliases, validateConfig };
+export { AgentIdentitySchema, CallbackConfigSchema, ConsumerType, EnvMetaSchema, EnvpktBootError, EnvpktConfigSchema, IdentitySchema, LifecycleConfigSchema, SecretMetaSchema, ToolsConfigSchema, ageAvailable, ageDecrypt, ageEncrypt, appendSection, boot, bootSafe, callTool, compareFnoxAndEnvpkt, computeAudit, computeEnvAudit, createDirectConsoleLogger, createDirectTestLogger, createServer, deriveServiceFromName, detectFnox, directSilentLogger, discoverConfig, envCheck, envScan, extractFnoxKeys, findConfigPath, fnoxAvailable, fnoxExport, fnoxGet, formatAliasError, formatPacket, generateKeypair, generateTomlFromScan, isEnvAlias, isSecretAlias, loadCatalog, loadConfig, loadConfigFromCwd, maskValue, matchEnvVar, matchValueShape, parseToml, readConfigFile, readFnoxConfig, readResource, removeSection, renameSection, resolveConfig, resolveConfigPath, resolveInlineKey, resolveKeyPath, resolveSecrets, resolveValues, resourceDefinitions, scanEnv, scanFleet, sealSecrets, startServer, toolDefinitions, unsealSecrets, unwrapAgentKey, updateConfigIdentity, updateSectionFields, validateAliases, validateConfig };

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "envpkt",
-  "version": "0.10.1",
+  "version": "0.11.0",
   "description": "Credential lifecycle and fleet management for AI agents",
   "keywords": [
     "credentials",
@@ -43,6 +43,7 @@
     "@sinclair/typebox": "^0.34.49",
     "commander": "^14.0.3",
     "functype": "^0.60.0",
+    "functype-log": "^0.60.0",
     "functype-os": "^0.60.0",
     "smol-toml": "^1.6.1"
   },