envpkt 0.11.9 → 0.12.0

package/dist/cli.js

@@ -1,16 +1,17 @@
 #!/usr/bin/env node
-import { chmodSync, existsSync, mkdirSync, readFileSync, readdirSync, statSync, writeFileSync } from "node:fs";
+import { appendFileSync, chmodSync, existsSync, mkdirSync, mkdtempSync, readFileSync, readdirSync, rmSync, statSync, writeFileSync } from "node:fs";
 import { basename, dirname, join, resolve } from "node:path";
 import { fileURLToPath } from "node:url";
 import { Command } from "commander";
-import { $, Cond, Do, Either, Left, List, Map as Map$1, Option, Right, Set as Set$1, Try } from "functype";
+import { $, Cond, Do, Either, Left, List, Map as Map$1, None, Option, Right, Set as Set$1, Some, Try } from "functype";
 import { TypeCompiler } from "@sinclair/typebox/compiler";
 import { Env, Fs, Path, Platform } from "functype-os";
 import { TomlDate, parse, stringify } from "smol-toml";
 import { FormatRegistry, Type } from "@sinclair/typebox";
+import { randomBytes } from "node:crypto";
+import { homedir, tmpdir } from "node:os";
 import { directSilentLogger } from "functype-log/direct";
 import { execFileSync } from "node:child_process";
-import { homedir } from "node:os";
 import { Server } from "@modelcontextprotocol/sdk/server/index.js";
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
 import { CallToolRequestSchema, ListResourcesRequestSchema, ListToolsRequestSchema, ReadResourceRequestSchema } from "@modelcontextprotocol/sdk/types.js";
@@ -1062,6 +1063,11 @@ const formatAliasError = (error) => {
 //#region src/core/keygen.ts
 /** Resolve the age identity file path: ENVPKT_AGE_KEY_FILE env var > ~/.envpkt/age-key.txt */
 const resolveKeyPath = () => process.env["ENVPKT_AGE_KEY_FILE"] ?? join(homedir(), ".envpkt", "age-key.txt");
+/** Resolve an inline age key from ENVPKT_AGE_KEY env var (for CI) */
+const resolveInlineKey = () => {
+	const key = process.env["ENVPKT_AGE_KEY"];
+	return key ? Some(key) : None();
+};
 /** Generate an age keypair and write to disk. Refuses to overwrite if the file already exists. */
 const generateKeypair = (options) => {
 	if (!ageAvailable()) return Left({
@@ -1297,6 +1303,47 @@ const resolveIdentityFilePath = (config, configDir, useDefaultFallback) => {
 	const defaultPath = resolveKeyPath();
 	return existsSync(defaultPath) ? Option(defaultPath) : Option(void 0);
 };
+const noop = () => {};
+/** Write an inline age key to a private temp file so the `age` CLI (file-based) can use it. */
+const materializeInlineKey = (key) => {
+	const dir = mkdtempSync(join(tmpdir(), "envpkt-age-"));
+	const keyPath = join(dir, "age-key.txt");
+	writeFileSync(keyPath, key.endsWith("\n") ? key : `${key}\n`);
+	chmodSync(keyPath, 384);
+	return {
+		path: keyPath,
+		dispose: () => rmSync(dir, {
+			recursive: true,
+			force: true
+		})
+	};
+};
+/**
+* Resolve an age identity for unsealing sealed packets. Precedence:
+*   config.identity.key_file > ENVPKT_AGE_KEY_FILE > ENVPKT_AGE_KEY (inline) > ~/.envpkt/age-key.txt
+* The inline key (CI secret) ranks above the homedir default so an explicit
+* env var beats a stray local key. Inline keys are written to a 0600 temp file
+* the caller must dispose().
+*/
+const resolveSealIdentity = (config, configDir) => {
+	if (config.identity?.key_file) return Option({
+		path: resolve(configDir, expandPath(config.identity.key_file)),
+		dispose: noop
+	});
+	const envFile = process.env["ENVPKT_AGE_KEY_FILE"];
+	if (envFile && existsSync(envFile)) return Option({
+		path: envFile,
+		dispose: noop
+	});
+	const inlineKey = resolveInlineKey().orUndefined();
+	if (inlineKey) return Option(materializeInlineKey(inlineKey));
+	const defaultPath = join(homedir(), ".envpkt", "age-key.txt");
+	if (existsSync(defaultPath)) return Option({
+		path: defaultPath,
+		dispose: noop
+	});
+	return Option(void 0);
+};
 const resolveIdentityKey = (config, configDir) => {
 	return resolveIdentityFilePath(config, configDir, false).fold(() => Right(Option(void 0)), (path) => unwrapAgentKey(path).fold((err) => Left(err), (key) => Right(Option(key))));
 };
@@ -1379,23 +1426,26 @@ const bootSafe = (options) => {
 				process.env[envEnv(key)] = value;
 			});
 			const sealedKeys = /* @__PURE__ */ new Set();
-			const identityFilePath = resolveIdentityFilePath(config, configDir, true);
-			if (hasSealedValues) identityFilePath.fold(() => {
+			if (hasSealedValues) resolveSealIdentity(config, configDir).fold(() => {
 				log.warn("phase.sealed.no_identity_file", { sealed_keys: nonAliasMetaKeys.filter((k) => !!nonAliasSecretEntries[k]?.encrypted_value).length });
 				warnings.push("Sealed values found but no identity file available for decryption");
-			}, (idPath) => {
-				unsealSecrets(nonAliasSecretEntries, idPath).fold((err) => {
-					log.warn("phase.sealed.decrypt_failed", { message: err.message });
-					warnings.push(`Sealed value decryption failed: ${err.message}`);
-				}, (unsealed) => {
-					const unsealedEntries = Object.entries(unsealed);
-					Object.assign(secrets, unsealed);
-					injected.push(...unsealedEntries.map(([key]) => key));
-					unsealedEntries.forEach(([key]) => {
-						sealedKeys.add(key);
-						log.debug("phase.sealed.resolved", { key });
+			}, ({ path: idPath, dispose }) => {
+				try {
+					unsealSecrets(nonAliasSecretEntries, idPath).fold((err) => {
+						log.warn("phase.sealed.decrypt_failed", { message: err.message });
+						warnings.push(`Sealed value decryption failed: ${err.message}`);
+					}, (unsealed) => {
+						const unsealedEntries = Object.entries(unsealed);
+						Object.assign(secrets, unsealed);
+						injected.push(...unsealedEntries.map(([key]) => key));
+						unsealedEntries.forEach(([key]) => {
+							sealedKeys.add(key);
+							log.debug("phase.sealed.resolved", { key });
+						});
 					});
-				});
+				} finally {
+					dispose();
+				}
 			});
 			const remainingKeys = nonAliasMetaKeys.filter((k) => !sealedKeys.has(k));
 			if (remainingKeys.length > 0) if (fnoxAvailable()) fnoxExport(opts.profile, identityKey.orUndefined()).fold((err) => {
@@ -2693,38 +2743,86 @@ const runEnvCheck = (options) => {
 	});
 };
 const shellEscape = (value) => value.replace(/'/g, "'\\''");
+/** Shared resolution for the emit commands (`export`, `github`): resolve without injecting. */
+const resolveForEmit = (options) => bootSafe({
+	inject: false,
+	configPath: options.config,
+	profile: options.profile,
+	warnOnly: true
+});
+/**
+* Flatten a resolved BootResult into the ordered (wire-name, value) pairs to emit:
+* env defaults, then overridden env entries (value from config), then secrets (which
+* override). `secret` marks values that consumers must redact (e.g. GitHub masking).
+*/
+const collectEmitEntries = (boot) => {
+	const wireName = (key) => boot.envNames[key] ?? key;
+	const defaults = Object.entries(boot.envDefaults).map(([key, value]) => ({
+		name: wireName(key),
+		value,
+		secret: false
+	}));
+	const overridden = boot.overridden.length === 0 ? [] : loadConfig(boot.configPath).fold(() => [], (config) => {
+		const envEntries = config.env ?? {};
+		return boot.overridden.flatMap((key) => {
+			const entry = envEntries[key];
+			if (!entry) return [];
+			const name = wireName(key);
+			return [{
+				name,
+				value: entry.value ?? process.env[name] ?? "",
+				secret: false
+			}];
+		});
+	});
+	const secrets = Object.entries(boot.secrets).map(([key, value]) => ({
+		name: wireName(key),
+		value,
+		secret: true
+	}));
+	return [
+		...defaults,
+		...overridden,
+		...secrets
+	];
+};
+const emitWarnings = (boot) => {
+	const sourceMsg = formatConfigSource(boot.configPath, boot.configSource);
+	if (sourceMsg) console.error(sourceMsg);
+	boot.warnings.forEach((warning) => {
+		console.error(`${YELLOW}Warning:${RESET} ${warning}`);
+	});
+};
 const runEnvExport = (options) => {
-	bootSafe({
-		inject: false,
-		configPath: options.config,
-		profile: options.profile,
-		warnOnly: true
-	}).fold((err) => {
+	resolveForEmit(options).fold((err) => {
 		console.error(formatError(err));
 		process.exit(2);
 	}, (boot) => {
-		const sourceMsg = formatConfigSource(boot.configPath, boot.configSource);
-		if (sourceMsg) console.error(sourceMsg);
-		boot.warnings.forEach((warning) => {
-			console.error(`${YELLOW}Warning:${RESET} ${warning}`);
-		});
-		const wireName = (key) => boot.envNames[key] ?? key;
-		Object.entries(boot.envDefaults).forEach(([key, value]) => {
-			console.log(`export ${wireName(key)}='${shellEscape(value)}'`);
-		});
-		if (boot.overridden.length > 0) loadConfig(boot.configPath).fold(() => {}, (config) => {
-			const envEntries = config.env ?? {};
-			boot.overridden.forEach((key) => {
-				if (!(key in envEntries)) return;
-				const entry = envEntries[key];
-				const name = wireName(key);
-				const value = entry.value ?? process.env[name] ?? "";
-				console.log(`export ${name}='${shellEscape(value)}'`);
-			});
+		emitWarnings(boot);
+		collectEmitEntries(boot).forEach(({ name, value }) => {
+			console.log(`export ${name}='${shellEscape(value)}'`);
 		});
-		Object.entries(boot.secrets).forEach(([key, value]) => {
-			console.log(`export ${wireName(key)}='${shellEscape(value)}'`);
+	});
+};
+const runEnvGithub = (options) => {
+	resolveForEmit(options).fold((err) => {
+		console.error(formatError(err));
+		process.exit(2);
+	}, (boot) => {
+		emitWarnings(boot);
+		const entries = collectEmitEntries(boot);
+		entries.filter((e) => e.secret).forEach((e) => console.log(`::add-mask::${e.value}`));
+		const lines = entries.map(({ name, value }) => {
+			const delim = `__ENVPKT_${randomBytes(9).toString("hex")}__`;
+			return `${name}<<${delim}\n${value}\n${delim}`;
 		});
+		const githubEnv = process.env["GITHUB_ENV"];
+		if (githubEnv) appendFileSync(githubEnv, lines.length > 0 ? `${lines.join("\n")}\n` : "");
+		else {
+			console.error(`${YELLOW}Warning:${RESET} GITHUB_ENV not set — printing assignments to stdout (not a GitHub Actions runner)`);
+			lines.forEach((l) => console.log(l));
+		}
+		if (options.strict) process.exit(exitCodeForAudit(boot.audit));
 	});
 };
 const buildEnvBlock = (name, value, options) => {
@@ -2922,6 +3020,9 @@ const registerEnvCommands = (program) => {
 	env.command("export").description("Output export statements for eval-ing secrets into the current shell. Usage: eval \"$(envpkt env export)\"").option("-c, --config <path>", "Path to envpkt.toml").option("--profile <profile>", "fnox profile to use").option("--skip-audit", "Skip the pre-flight audit").action((options) => {
 		runEnvExport(options);
 	});
+	env.command("github").description("Inject resolved secrets into $GITHUB_ENV for GitHub Actions, masking secret values in the log (::add-mask::)").option("-c, --config <path>", "Path to envpkt.toml").option("--profile <profile>", "fnox profile to use").option("--strict", "Exit non-zero if the pre-flight audit is not healthy").action((options) => {
+		runEnvGithub(options);
+	});
 	env.command("add").description("Add a new environment default entry to envpkt.toml").argument("<name>", "Environment variable name").argument("<value>", "Default value").option("-c, --config <path>", "Path to envpkt.toml").option("--purpose <purpose>", "Why this env var exists").option("--comment <comment>", "Free-form annotation").option("--tags <tags>", "Comma-separated key=value tags (e.g. env=prod,team=payments)").option("--dry-run", "Preview the TOML block without writing").action((name, value, options) => {
 		runEnvAdd(name, value, options);
 	});

package/dist/index.js

@@ -4,10 +4,10 @@ import { TypeCompiler } from "@sinclair/typebox/compiler";
 import { $, Cond, Do, Either, Left, List, Map as Map$1, None, Option, Right, Set as Set$1, Some, Try } from "functype";
 import { Env, Fs, Path, Platform } from "functype-os";
 import { TomlDate, parse } from "smol-toml";
-import { chmodSync, existsSync, mkdirSync, readFileSync, readdirSync, statSync, writeFileSync } from "node:fs";
+import { chmodSync, existsSync, mkdirSync, mkdtempSync, readFileSync, readdirSync, rmSync, statSync, writeFileSync } from "node:fs";
+import { homedir, tmpdir } from "node:os";
 import { createDirectConsoleLogger, createDirectTestLogger, directSilentLogger, directSilentLogger as directSilentLogger$1 } from "functype-log/direct";
 import { execFileSync } from "node:child_process";
-import { homedir } from "node:os";
 import { createInterface } from "node:readline";
 import { Server } from "@modelcontextprotocol/sdk/server/index.js";
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
@@ -1926,6 +1926,47 @@ const resolveIdentityFilePath = (config, configDir, useDefaultFallback) => {
 	const defaultPath = resolveKeyPath();
 	return existsSync(defaultPath) ? Option(defaultPath) : Option(void 0);
 };
+const noop = () => {};
+/** Write an inline age key to a private temp file so the `age` CLI (file-based) can use it. */
+const materializeInlineKey = (key) => {
+	const dir = mkdtempSync(join(tmpdir(), "envpkt-age-"));
+	const keyPath = join(dir, "age-key.txt");
+	writeFileSync(keyPath, key.endsWith("\n") ? key : `${key}\n`);
+	chmodSync(keyPath, 384);
+	return {
+		path: keyPath,
+		dispose: () => rmSync(dir, {
+			recursive: true,
+			force: true
+		})
+	};
+};
+/**
+* Resolve an age identity for unsealing sealed packets. Precedence:
+*   config.identity.key_file > ENVPKT_AGE_KEY_FILE > ENVPKT_AGE_KEY (inline) > ~/.envpkt/age-key.txt
+* The inline key (CI secret) ranks above the homedir default so an explicit
+* env var beats a stray local key. Inline keys are written to a 0600 temp file
+* the caller must dispose().
+*/
+const resolveSealIdentity = (config, configDir) => {
+	if (config.identity?.key_file) return Option({
+		path: resolve(configDir, expandPath(config.identity.key_file)),
+		dispose: noop
+	});
+	const envFile = process.env["ENVPKT_AGE_KEY_FILE"];
+	if (envFile && existsSync(envFile)) return Option({
+		path: envFile,
+		dispose: noop
+	});
+	const inlineKey = resolveInlineKey().orUndefined();
+	if (inlineKey) return Option(materializeInlineKey(inlineKey));
+	const defaultPath = join(homedir(), ".envpkt", "age-key.txt");
+	if (existsSync(defaultPath)) return Option({
+		path: defaultPath,
+		dispose: noop
+	});
+	return Option(void 0);
+};
 const resolveIdentityKey = (config, configDir) => {
 	return resolveIdentityFilePath(config, configDir, false).fold(() => Right(Option(void 0)), (path) => unwrapAgentKey(path).fold((err) => Left(err), (key) => Right(Option(key))));
 };
@@ -2008,23 +2049,26 @@ const bootSafe = (options) => {
 				process.env[envEnv(key)] = value;
 			});
 			const sealedKeys = /* @__PURE__ */ new Set();
-			const identityFilePath = resolveIdentityFilePath(config, configDir, true);
-			if (hasSealedValues) identityFilePath.fold(() => {
+			if (hasSealedValues) resolveSealIdentity(config, configDir).fold(() => {
 				log.warn("phase.sealed.no_identity_file", { sealed_keys: nonAliasMetaKeys.filter((k) => !!nonAliasSecretEntries[k]?.encrypted_value).length });
 				warnings.push("Sealed values found but no identity file available for decryption");
-			}, (idPath) => {
-				unsealSecrets(nonAliasSecretEntries, idPath).fold((err) => {
-					log.warn("phase.sealed.decrypt_failed", { message: err.message });
-					warnings.push(`Sealed value decryption failed: ${err.message}`);
-				}, (unsealed) => {
-					const unsealedEntries = Object.entries(unsealed);
-					Object.assign(secrets, unsealed);
-					injected.push(...unsealedEntries.map(([key]) => key));
-					unsealedEntries.forEach(([key]) => {
-						sealedKeys.add(key);
-						log.debug("phase.sealed.resolved", { key });
+			}, ({ path: idPath, dispose }) => {
+				try {
+					unsealSecrets(nonAliasSecretEntries, idPath).fold((err) => {
+						log.warn("phase.sealed.decrypt_failed", { message: err.message });
+						warnings.push(`Sealed value decryption failed: ${err.message}`);
+					}, (unsealed) => {
+						const unsealedEntries = Object.entries(unsealed);
+						Object.assign(secrets, unsealed);
+						injected.push(...unsealedEntries.map(([key]) => key));
+						unsealedEntries.forEach(([key]) => {
+							sealedKeys.add(key);
+							log.debug("phase.sealed.resolved", { key });
+						});
 					});
-				});
+				} finally {
+					dispose();
+				}
 			});
 			const remainingKeys = nonAliasMetaKeys.filter((k) => !sealedKeys.has(k));
 			if (remainingKeys.length > 0) if (fnoxAvailable()) fnoxExport(opts.profile, identityKey.orUndefined()).fold((err) => {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "envpkt",
-  "version": "0.11.9",
+  "version": "0.12.0",
   "description": "Credential lifecycle and fleet management for AI agents",
   "keywords": [
     "credentials",
@@ -42,14 +42,14 @@
     "@modelcontextprotocol/sdk": "^1.29.0",
     "@sinclair/typebox": "^0.34.49",
     "commander": "^15.0.0",
-    "functype": "^1.3.0",
-    "functype-log": "^1.3.0",
-    "functype-os": "^1.3.0",
+    "functype": "^1.3.1",
+    "functype-log": "^1.3.1",
+    "functype-os": "^1.3.1",
     "smol-toml": "^1.6.1"
   },
   "devDependencies": {
     "@types/node": "^24.13.1",
-    "ts-builds": "^3.0.0",
+    "ts-builds": "^3.0.1",
     "tsdown": "^0.22.2",
     "tsx": "^4.22.4"
   },