npm - envpkt - Versions diffs - 0.13.2 → 0.13.3 - Mend

envpkt 0.13.2 → 0.13.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/README.md CHANGED Viewed

@@ -405,6 +405,25 @@ envpkt inspect --secrets --plaintext  # Show secret values in plaintext
 The `--secrets` flag reads values from environment variables matching each secret key. By default values are masked (`pos•••••yapp`). Add `--plaintext` to display full values.
+### `envpkt diff`
+Compare two configs — useful for spotting drift between environments (e.g. `dev.envpkt.toml` vs `prod.envpkt.toml`). Reports keys only in each side and field-level metadata changes for shared keys. Sealed ciphertext is ignored (the same secret re-encrypts differently); a sealed↔unsealed change is reported.
+```bash
+envpkt diff dev.envpkt.toml prod.envpkt.toml
+# - dev.envpkt.toml
+# + prod.envpkt.toml
+#
+# [secret]
+#   - OLD_KEY
+#   + NEW_KEY
+#   ~ API_KEY
+#       expires: 2026-01-01 → 2027-01-01
+envpkt diff a.toml b.toml --format json   # structured diff
+envpkt diff a.toml b.toml --exit-code     # exit non-zero on any difference (CI drift gate)
+```
 ### `envpkt exec`
 Run a pre-flight audit, inject secrets from fnox into the environment, then execute a command.

package/dist/cli.js CHANGED Viewed

@@ -930,6 +930,90 @@ const runConfigPath = (options) => {
 	});
 };
 //#endregion
+//#region src/core/diff.ts
+/** Normalize a metadata value to a comparable/displayable string (`undefined` = absent). */
+const serialize = (value) => value === void 0 ? void 0 : typeof value === "string" ? value : JSON.stringify(value);
+/**
+* Field-level diff of two entries. `encrypted_value` is excluded from value comparison — the same
+* secret re-encrypts to different ciphertext, so diffing it is noise — but a change in *sealed
+* status* (present ↔ absent) is reported as a synthetic `sealed` field.
+*/
+const metaDiff = (a, b) => {
+	const ar = a;
+	const br = b;
+	const sealedChange = !!ar["encrypted_value"] === !!br["encrypted_value"] ? [] : [{
+		field: "sealed",
+		a: ar["encrypted_value"] ? "yes" : "no",
+		b: br["encrypted_value"] ? "yes" : "no"
+	}];
+	const fieldChanges = [...Object.keys(ar), ...Object.keys(br)].filter((k, i, arr) => k !== "encrypted_value" && arr.indexOf(k) === i).flatMap((field) => {
+		const av = serialize(ar[field]);
+		const bv = serialize(br[field]);
+		return av === bv ? [] : [{
+			field,
+			a: av,
+			b: bv
+		}];
+	});
+	return [...sealedChange, ...fieldChanges.sort((x, y) => x.field.localeCompare(y.field))];
+};
+const sectionDiff = (a, b) => {
+	const aKeys = Object.keys(a);
+	const bKeys = Object.keys(b);
+	return {
+		onlyA: aKeys.filter((k) => !(k in b)).sort(),
+		onlyB: bKeys.filter((k) => !(k in a)).sort(),
+		changed: aKeys.filter((k) => k in b).sort().flatMap((key) => {
+			const changes = metaDiff(a[key], b[key]);
+			return changes.length === 0 ? [] : [{
+				key,
+				changes
+			}];
+		})
+	};
+};
+const isEmpty = (s) => s.onlyA.length === 0 && s.onlyB.length === 0 && s.changed.length === 0;
+/** Compare two configs by their `[secret.*]` and `[env.*]` entries (metadata, not ciphertext). */
+const diffConfigs = (a, b) => {
+	const secret = sectionDiff(a.secret ?? {}, b.secret ?? {});
+	const env = sectionDiff(a.env ?? {}, b.env ?? {});
+	return {
+		secret,
+		env,
+		identical: isEmpty(secret) && isEmpty(env)
+	};
+};
+//#endregion
+//#region src/cli/commands/diff.ts
+const formatSection = (name, s) => {
+	if (s.onlyA.length === 0 && s.onlyB.length === 0 && s.changed.length === 0) return [];
+	return [
+		`${BOLD}[${name}]${RESET}`,
+		...s.onlyA.map((k) => `  ${RED}- ${k}${RESET}`),
+		...s.onlyB.map((k) => `  ${GREEN}+ ${k}${RESET}`),
+		...s.changed.flatMap((c) => [`  ${YELLOW}~ ${c.key}${RESET}`, ...c.changes.map((ch) => `      ${ch.field}: ${DIM}${ch.a ?? "∅"}${RESET} → ${DIM}${ch.b ?? "∅"}${RESET}`)])
+	];
+};
+const loadOrExit = (path, side) => loadConfig(path).fold((err) => {
+	console.error(`${RED}Error${RESET} (${side} = ${path}): ${formatError(err)}`);
+	process.exit(2);
+}, (config) => config);
+/**
+* Compare two envpkt.toml files by their `[secret.*]` and `[env.*]` entries. Reports keys only in
+* each side and field-level metadata changes for shared keys (ciphertext is ignored; sealed-status
+* changes are reported). With `--exit-code`, exits non-zero when the configs differ.
+*/
+const runDiff = (pathA, pathB, options) => {
+	const diff = diffConfigs(loadOrExit(pathA, "a"), loadOrExit(pathB, "b"));
+	if (options.format === "json") console.log(JSON.stringify(diff, null, 2));
+	else if (diff.identical) console.log(`${GREEN}✓${RESET} no differences`);
+	else {
+		const body = [...formatSection("secret", diff.secret), ...formatSection("env", diff.env)];
+		console.log(`${DIM}- ${pathA}\n+ ${pathB}${RESET}\n\n${body.join("\n")}`);
+	}
+	if (options.exitCode && !diff.identical) process.exit(1);
+};
+//#endregion
 //#region src/fnox/cli.ts
 /** Export all secrets from fnox as key=value pairs for a given profile */
 const fnoxExport = (profile, agentKey) => {
@@ -5146,6 +5230,9 @@ program.command("sort").description("Group [env.*] and [secret.*] sections and a
 program.command("upgrade").description("Upgrade envpkt to the latest version (npm install -g envpkt@latest)").action(() => {
 	runUpgrade();
 });
+program.command("diff").description("Compare two envpkt.toml configs by their secret/env entries (keys + metadata)").argument("<a>", "First config path").argument("<b>", "Second config path").option("--format <format>", "Output format: text | json", "text").option("--exit-code", "Exit non-zero when the configs differ (for CI drift gates)").action((a, b, options) => {
+	runDiff(a, b, options);
+});
 program.command("doctor").description("Check that age is installed and that the resolved config's sealed secrets can be decrypted").option("-c, --config <path>", "Path to envpkt.toml").action((options) => {
 	runDoctor(options);
 });

package/dist/index.d.ts CHANGED Viewed

@@ -583,6 +583,32 @@ declare const quoteDotenvValue: (value: string) => string;
 /** Serialize entries to dotenv text (no trailing newline). */
 declare const formatDotenv: (entries: ReadonlyArray<DotenvEntry>, options?: FormatDotenvOptions) => string;
 //#endregion
+//#region src/core/diff.d.ts
+/** A single field that differs between two entries. `undefined` means the field is absent on that side. */
+type FieldChange = {
+  readonly field: string;
+  readonly a: string | undefined;
+  readonly b: string | undefined;
+};
+/** An entry present in both configs whose metadata differs. */
+type ChangedEntry = {
+  readonly key: string;
+  readonly changes: ReadonlyArray<FieldChange>;
+};
+/** Diff of one keyed section (`[secret.*]` or `[env.*]`). Key lists are sorted. */
+type SectionDiff = {
+  readonly onlyA: ReadonlyArray<string>;
+  readonly onlyB: ReadonlyArray<string>;
+  readonly changed: ReadonlyArray<ChangedEntry>;
+};
+type ConfigDiff = {
+  readonly secret: SectionDiff;
+  readonly env: SectionDiff;
+  readonly identical: boolean;
+};
+/** Compare two configs by their `[secret.*]` and `[env.*]` entries (metadata, not ciphertext). */
+declare const diffConfigs: (a: EnvpktConfig, b: EnvpktConfig) => ConfigDiff;
+//#endregion
 //#region src/core/toml-edit.d.ts
 /**
  * Remove a TOML section (e.g. `[secret.X]`) and all its fields through the next section or EOF.
@@ -668,4 +694,4 @@ type ToolDef = {
 declare const toolDefinitions: readonly ToolDef[];
 declare const callTool: (name: string, args: Record<string, unknown>) => CallToolResult;
 //#endregion
-export { type AgentIdentity, AgentIdentitySchema, type AliasError, type AliasTable, type AuditResult, type BootError, type BootOptions, type BootResult, type CallbackConfig, CallbackConfigSchema, type CatalogError, type CheckResult, type ConfidenceLevel, type ConfigError, type ConfigSource, ConsumerType, type CredentialPattern, type DirectLogger, type DirectTestLoggerHandle, type DotenvEntry, type DriftEntry, type DriftStatus, type EnvAuditResult, type EnvDriftEntry, type EnvDriftStatus, type EnvMeta, EnvMetaSchema, EnvpktBootError, type EnvpktConfig, EnvpktConfigSchema, type FleetAgent, type FleetHealth, type FnoxConfig, type FnoxError, type FnoxSecret, type FormatDotenvOptions, type FormatPacketOptions, type HealthStatus, type Identity, type IdentityError, IdentitySchema, type KeygenError, type KeygenResult, type LifecycleConfig, LifecycleConfigSchema, type LogEntry, type LogLevel, type LogMetadata, type MatchResult, type ResolveOptions, type ResolveResult, type ResolvedPath, type ScanOptions, type ScanResult, type SealError, type SecretDisplay, type SecretHealth, type SecretMeta, SecretMetaSchema, type SecretStatus, type TomlEditError, type ToolsConfig, ToolsConfigSchema, ageAvailable, ageDecrypt, ageEncrypt, appendSection, boot, bootSafe, callTool, compareFnoxAndEnvpkt, computeAudit, computeEnvAudit, createDirectConsoleLogger, createDirectTestLogger, createServer, deriveServiceFromName, detectFnox, directSilentLogger, discoverConfig, envCheck, envScan, extractFnoxKeys, findConfigPath, fnoxAvailable, fnoxExport, fnoxGet, formatAliasError, formatDotenv, formatPacket, generateKeypair, generateTomlFromScan, isEnvAlias, isSecretAlias, loadCatalog, loadConfig, loadConfigFromCwd, maskValue, matchEnvVar, matchValueShape, parseToml, quoteDotenvValue, readConfigFile, readFnoxConfig, readResource, removeSection, renameSection, resolveConfig, resolveConfigPath, resolveInlineKey, resolveKeyPath, resolveSecrets, resolveValues, resourceDefinitions, scanEnv, scanFleet, sealSecrets, startServer, toolDefinitions, unsealSecrets, unwrapAgentKey, updateConfigIdentity, updateSectionFields, validateAliases, validateConfig };
+export { type AgentIdentity, AgentIdentitySchema, type AliasError, type AliasTable, type AuditResult, type BootError, type BootOptions, type BootResult, type CallbackConfig, CallbackConfigSchema, type CatalogError, type ChangedEntry, type CheckResult, type ConfidenceLevel, type ConfigDiff, type ConfigError, type ConfigSource, ConsumerType, type CredentialPattern, type DirectLogger, type DirectTestLoggerHandle, type DotenvEntry, type DriftEntry, type DriftStatus, type EnvAuditResult, type EnvDriftEntry, type EnvDriftStatus, type EnvMeta, EnvMetaSchema, EnvpktBootError, type EnvpktConfig, EnvpktConfigSchema, type FieldChange, type FleetAgent, type FleetHealth, type FnoxConfig, type FnoxError, type FnoxSecret, type FormatDotenvOptions, type FormatPacketOptions, type HealthStatus, type Identity, type IdentityError, IdentitySchema, type KeygenError, type KeygenResult, type LifecycleConfig, LifecycleConfigSchema, type LogEntry, type LogLevel, type LogMetadata, type MatchResult, type ResolveOptions, type ResolveResult, type ResolvedPath, type ScanOptions, type ScanResult, type SealError, type SecretDisplay, type SecretHealth, type SecretMeta, SecretMetaSchema, type SecretStatus, type SectionDiff, type TomlEditError, type ToolsConfig, ToolsConfigSchema, ageAvailable, ageDecrypt, ageEncrypt, appendSection, boot, bootSafe, callTool, compareFnoxAndEnvpkt, computeAudit, computeEnvAudit, createDirectConsoleLogger, createDirectTestLogger, createServer, deriveServiceFromName, detectFnox, diffConfigs, directSilentLogger, discoverConfig, envCheck, envScan, extractFnoxKeys, findConfigPath, fnoxAvailable, fnoxExport, fnoxGet, formatAliasError, formatDotenv, formatPacket, generateKeypair, generateTomlFromScan, isEnvAlias, isSecretAlias, loadCatalog, loadConfig, loadConfigFromCwd, maskValue, matchEnvVar, matchValueShape, parseToml, quoteDotenvValue, readConfigFile, readFnoxConfig, readResource, removeSection, renameSection, resolveConfig, resolveConfigPath, resolveInlineKey, resolveKeyPath, resolveSecrets, resolveValues, resourceDefinitions, scanEnv, scanFleet, sealSecrets, startServer, toolDefinitions, unsealSecrets, unwrapAgentKey, updateConfigIdentity, updateSectionFields, validateAliases, validateConfig };

package/dist/index.js CHANGED Viewed

@@ -2306,6 +2306,60 @@ const formatDotenv = (entries, options) => {
 	return header ? `${header}\n\n${body}` : body;
 };
 //#endregion
+//#region src/core/diff.ts
+/** Normalize a metadata value to a comparable/displayable string (`undefined` = absent). */
+const serialize = (value) => value === void 0 ? void 0 : typeof value === "string" ? value : JSON.stringify(value);
+/**
+* Field-level diff of two entries. `encrypted_value` is excluded from value comparison — the same
+* secret re-encrypts to different ciphertext, so diffing it is noise — but a change in *sealed
+* status* (present ↔ absent) is reported as a synthetic `sealed` field.
+*/
+const metaDiff = (a, b) => {
+	const ar = a;
+	const br = b;
+	const sealedChange = !!ar["encrypted_value"] === !!br["encrypted_value"] ? [] : [{
+		field: "sealed",
+		a: ar["encrypted_value"] ? "yes" : "no",
+		b: br["encrypted_value"] ? "yes" : "no"
+	}];
+	const fieldChanges = [...Object.keys(ar), ...Object.keys(br)].filter((k, i, arr) => k !== "encrypted_value" && arr.indexOf(k) === i).flatMap((field) => {
+		const av = serialize(ar[field]);
+		const bv = serialize(br[field]);
+		return av === bv ? [] : [{
+			field,
+			a: av,
+			b: bv
+		}];
+	});
+	return [...sealedChange, ...fieldChanges.sort((x, y) => x.field.localeCompare(y.field))];
+};
+const sectionDiff = (a, b) => {
+	const aKeys = Object.keys(a);
+	const bKeys = Object.keys(b);
+	return {
+		onlyA: aKeys.filter((k) => !(k in b)).sort(),
+		onlyB: bKeys.filter((k) => !(k in a)).sort(),
+		changed: aKeys.filter((k) => k in b).sort().flatMap((key) => {
+			const changes = metaDiff(a[key], b[key]);
+			return changes.length === 0 ? [] : [{
+				key,
+				changes
+			}];
+		})
+	};
+};
+const isEmpty = (s) => s.onlyA.length === 0 && s.onlyB.length === 0 && s.changed.length === 0;
+/** Compare two configs by their `[secret.*]` and `[env.*]` entries (metadata, not ciphertext). */
+const diffConfigs = (a, b) => {
+	const secret = sectionDiff(a.secret ?? {}, b.secret ?? {});
+	const env = sectionDiff(a.env ?? {}, b.env ?? {});
+	return {
+		secret,
+		env,
+		identical: isEmpty(secret) && isEmpty(env)
+	};
+};
+//#endregion
 //#region src/core/toml-edit.ts
 const SECTION_RE = /^\[.+\]\s*$/;
 const MULTILINE_OPEN = "\"\"\"";
@@ -2804,4 +2858,4 @@ const startServer = async () => {
 	await server.connect(transport);
 };
 //#endregion
-export { AgentIdentitySchema, CallbackConfigSchema, ConsumerType, EnvMetaSchema, EnvpktBootError, EnvpktConfigSchema, IdentitySchema, LifecycleConfigSchema, SecretMetaSchema, ToolsConfigSchema, ageAvailable, ageDecrypt, ageEncrypt, appendSection, boot, bootSafe, callTool, compareFnoxAndEnvpkt, computeAudit, computeEnvAudit, createDirectConsoleLogger, createDirectTestLogger, createServer, deriveServiceFromName, detectFnox, directSilentLogger, discoverConfig, envCheck, envScan, extractFnoxKeys, findConfigPath, fnoxAvailable, fnoxExport, fnoxGet, formatAliasError, formatDotenv, formatPacket, generateKeypair, generateTomlFromScan, isEnvAlias, isSecretAlias, loadCatalog, loadConfig, loadConfigFromCwd, maskValue, matchEnvVar, matchValueShape, parseToml, quoteDotenvValue, readConfigFile, readFnoxConfig, readResource, removeSection, renameSection, resolveConfig, resolveConfigPath, resolveInlineKey, resolveKeyPath, resolveSecrets, resolveValues, resourceDefinitions, scanEnv, scanFleet, sealSecrets, startServer, toolDefinitions, unsealSecrets, unwrapAgentKey, updateConfigIdentity, updateSectionFields, validateAliases, validateConfig };
+export { AgentIdentitySchema, CallbackConfigSchema, ConsumerType, EnvMetaSchema, EnvpktBootError, EnvpktConfigSchema, IdentitySchema, LifecycleConfigSchema, SecretMetaSchema, ToolsConfigSchema, ageAvailable, ageDecrypt, ageEncrypt, appendSection, boot, bootSafe, callTool, compareFnoxAndEnvpkt, computeAudit, computeEnvAudit, createDirectConsoleLogger, createDirectTestLogger, createServer, deriveServiceFromName, detectFnox, diffConfigs, directSilentLogger, discoverConfig, envCheck, envScan, extractFnoxKeys, findConfigPath, fnoxAvailable, fnoxExport, fnoxGet, formatAliasError, formatDotenv, formatPacket, generateKeypair, generateTomlFromScan, isEnvAlias, isSecretAlias, loadCatalog, loadConfig, loadConfigFromCwd, maskValue, matchEnvVar, matchValueShape, parseToml, quoteDotenvValue, readConfigFile, readFnoxConfig, readResource, removeSection, renameSection, resolveConfig, resolveConfigPath, resolveInlineKey, resolveKeyPath, resolveSecrets, resolveValues, resourceDefinitions, scanEnv, scanFleet, sealSecrets, startServer, toolDefinitions, unsealSecrets, unwrapAgentKey, updateConfigIdentity, updateSectionFields, validateAliases, validateConfig };

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "envpkt",
-  "version": "0.13.2",
+  "version": "0.13.3",
   "description": "Credential lifecycle and fleet management for AI agents",
   "keywords": [
     "credentials",