envpkt 0.13.2 → 0.13.4
- package/README.md +33 -0
- package/dist/cli.js +928 -685
- package/dist/index.d.ts +44 -1
- package/dist/index.js +115 -1
- package/package.json +7 -7
package/README.md
CHANGED
|
@@ -405,6 +405,39 @@ envpkt inspect --secrets --plaintext # Show secret values in plaintext
|
|
|
405
405
|
|
|
406
406
|
The `--secrets` flag reads values from environment variables matching each secret key. By default values are masked (`pos•••••yapp`). Add `--plaintext` to display full values.
|
|
407
407
|
|
|
408
|
+
### `envpkt diff`
|
|
409
|
+
|
|
410
|
+
Compare two configs — useful for spotting drift between environments (e.g. `dev.envpkt.toml` vs `prod.envpkt.toml`). Reports keys only in each side and field-level metadata changes for shared keys. Sealed ciphertext is ignored (the same secret re-encrypts differently); a sealed↔unsealed change is reported.
|
|
411
|
+
|
|
412
|
+
```bash
|
|
413
|
+
envpkt diff dev.envpkt.toml prod.envpkt.toml
|
|
414
|
+
# - dev.envpkt.toml
|
|
415
|
+
# + prod.envpkt.toml
|
|
416
|
+
#
|
|
417
|
+
# [secret]
|
|
418
|
+
# - OLD_KEY
|
|
419
|
+
# + NEW_KEY
|
|
420
|
+
# ~ API_KEY
|
|
421
|
+
# expires: 2026-01-01 → 2027-01-01
|
|
422
|
+
|
|
423
|
+
envpkt diff a.toml b.toml --format json # structured diff
|
|
424
|
+
envpkt diff a.toml b.toml --exit-code # exit non-zero on any difference (CI drift gate)
|
|
425
|
+
```
|
|
426
|
+
|
|
427
|
+
### `envpkt copy`
|
|
428
|
+
|
|
429
|
+
Copy a secret or env entry from one config to another. For a sealed secret, the value is unsealed with the **source's** age key and resealed for the **destination's** `identity.recipient` automatically — so you can move a credential between configs that use different keys without ever handling the plaintext yourself. Env entries (and secrets with no sealed value) copy as metadata only. The kind (secret vs env) is detected from where the key lives in the source.
|
|
430
|
+
|
|
431
|
+
```bash
|
|
432
|
+
envpkt copy DATABASE_URL --from prod.envpkt.toml --to staging.envpkt.toml
|
|
433
|
+
envpkt copy DATABASE_URL --from prod.envpkt.toml --to staging.envpkt.toml --as DB_URL # rename on copy
|
|
434
|
+
envpkt copy PORT --to other.envpkt.toml # --from defaults to the resolved config here
|
|
435
|
+
envpkt copy API_KEY --to b.toml --force # overwrite if it already exists in the destination
|
|
436
|
+
envpkt copy API_KEY --to b.toml --dry-run # preview without writing
|
|
437
|
+
```
|
|
438
|
+
|
|
439
|
+
`--from`/`--to` default to the config resolved for the current directory (and must already exist). On copy, `created` is reset to today and `last_rotated_at` is dropped (it's the source's rotation history). Copying a sealed secret needs the source key to unseal and the destination's `identity.recipient` to reseal.
|
|
440
|
+
|
|
408
441
|
### `envpkt exec`
|
|
409
442
|
|
|
410
443
|
Run a pre-flight audit, inject secrets from fnox into the environment, then execute a command.
|
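Review bot: In the `envpkt copy` section, the closing paragraph says copying a sealed secret "needs the source key to unseal and the destination's `identity.recipient` to reseal", but it does not say whether `--dry-run` performs that unseal or what the preview prints. State this explicitly, since the example just above runs `--dry-run` on `API_KEY`. The section should also say that once the value is resealed for the destination's `identity.recipient`, anyone holding the destination's age key can read it, which matters for the `prod.envpkt.toml` to `staging.envpkt.toml` example. In the `envpkt diff` section, `--exit-code` is documented only as "exit non-zero on any difference"; say which exit code means drift and which means an error such as an unreadable config, so the CI drift gate can tell the two apart.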