envpkt 0.13.2 → 0.13.4

package/dist/index.d.ts

@@ -583,6 +583,49 @@ declare const quoteDotenvValue: (value: string) => string;
 /** Serialize entries to dotenv text (no trailing newline). */
 declare const formatDotenv: (entries: ReadonlyArray<DotenvEntry>, options?: FormatDotenvOptions) => string;
 //#endregion
+//#region src/core/diff.d.ts
+/** A single field that differs between two entries. `undefined` means the field is absent on that side. */
+type FieldChange = {
+  readonly field: string;
+  readonly a: string | undefined;
+  readonly b: string | undefined;
+};
+/** An entry present in both configs whose metadata differs. */
+type ChangedEntry = {
+  readonly key: string;
+  readonly changes: ReadonlyArray<FieldChange>;
+};
+/** Diff of one keyed section (`[secret.*]` or `[env.*]`). Key lists are sorted. */
+type SectionDiff = {
+  readonly onlyA: ReadonlyArray<string>;
+  readonly onlyB: ReadonlyArray<string>;
+  readonly changed: ReadonlyArray<ChangedEntry>;
+};
+type ConfigDiff = {
+  readonly secret: SectionDiff;
+  readonly env: SectionDiff;
+  readonly identical: boolean;
+};
+/** Compare two configs by their `[secret.*]` and `[env.*]` entries (metadata, not ciphertext). */
+declare const diffConfigs: (a: EnvpktConfig, b: EnvpktConfig) => ConfigDiff;
+//#endregion
+//#region src/core/copy.d.ts
+/**
+ * The SecretMeta to write into the destination on copy.
+ * - `created` is reset to today: the entry is new *here*, regardless of the source's age.
+ * - `last_rotated_at` is dropped — it's the source's rotation history, not the copy's.
+ * - `encryptedValue` re-derives the ciphertext: `Some(cipher)` sets the resealed value,
+ *   `None` strips it entirely (a metadata-only copy of a secret with no sealed value).
+ */
+declare const copyableSecretMeta: (meta: SecretMeta, opts: {
+  readonly today: string;
+  readonly encryptedValue: Option<string>;
+}) => SecretMeta;
+/** Serialize a `[secret.<name>]` block from its metadata, round-trippable by the TOML parser. */
+declare const serializeSecretBlock: (name: string, meta: SecretMeta) => string;
+/** Serialize an `[env.<name>]` block from its metadata. */
+declare const serializeEnvBlock: (name: string, meta: EnvMeta) => string;
+//#endregion
 //#region src/core/toml-edit.d.ts
 /**
  * Remove a TOML section (e.g. `[secret.X]`) and all its fields through the next section or EOF.
@@ -668,4 +711,4 @@ type ToolDef = {
 declare const toolDefinitions: readonly ToolDef[];
 declare const callTool: (name: string, args: Record<string, unknown>) => CallToolResult;
 //#endregion
-export { type AgentIdentity, AgentIdentitySchema, type AliasError, type AliasTable, type AuditResult, type BootError, type BootOptions, type BootResult, type CallbackConfig, CallbackConfigSchema, type CatalogError, type CheckResult, type ConfidenceLevel, type ConfigError, type ConfigSource, ConsumerType, type CredentialPattern, type DirectLogger, type DirectTestLoggerHandle, type DotenvEntry, type DriftEntry, type DriftStatus, type EnvAuditResult, type EnvDriftEntry, type EnvDriftStatus, type EnvMeta, EnvMetaSchema, EnvpktBootError, type EnvpktConfig, EnvpktConfigSchema, type FleetAgent, type FleetHealth, type FnoxConfig, type FnoxError, type FnoxSecret, type FormatDotenvOptions, type FormatPacketOptions, type HealthStatus, type Identity, type IdentityError, IdentitySchema, type KeygenError, type KeygenResult, type LifecycleConfig, LifecycleConfigSchema, type LogEntry, type LogLevel, type LogMetadata, type MatchResult, type ResolveOptions, type ResolveResult, type ResolvedPath, type ScanOptions, type ScanResult, type SealError, type SecretDisplay, type SecretHealth, type SecretMeta, SecretMetaSchema, type SecretStatus, type TomlEditError, type ToolsConfig, ToolsConfigSchema, ageAvailable, ageDecrypt, ageEncrypt, appendSection, boot, bootSafe, callTool, compareFnoxAndEnvpkt, computeAudit, computeEnvAudit, createDirectConsoleLogger, createDirectTestLogger, createServer, deriveServiceFromName, detectFnox, directSilentLogger, discoverConfig, envCheck, envScan, extractFnoxKeys, findConfigPath, fnoxAvailable, fnoxExport, fnoxGet, formatAliasError, formatDotenv, formatPacket, generateKeypair, generateTomlFromScan, isEnvAlias, isSecretAlias, loadCatalog, loadConfig, loadConfigFromCwd, maskValue, matchEnvVar, matchValueShape, parseToml, quoteDotenvValue, readConfigFile, readFnoxConfig, readResource, removeSection, renameSection, resolveConfig, resolveConfigPath, resolveInlineKey, resolveKeyPath, resolveSecrets, resolveValues, resourceDefinitions, scanEnv, scanFleet, sealSecrets, startServer, toolDefinitions, unsealSecrets, unwrapAgentKey, updateConfigIdentity, updateSectionFields, validateAliases, validateConfig };
+export { type AgentIdentity, AgentIdentitySchema, type AliasError, type AliasTable, type AuditResult, type BootError, type BootOptions, type BootResult, type CallbackConfig, CallbackConfigSchema, type CatalogError, type ChangedEntry, type CheckResult, type ConfidenceLevel, type ConfigDiff, type ConfigError, type ConfigSource, ConsumerType, type CredentialPattern, type DirectLogger, type DirectTestLoggerHandle, type DotenvEntry, type DriftEntry, type DriftStatus, type EnvAuditResult, type EnvDriftEntry, type EnvDriftStatus, type EnvMeta, EnvMetaSchema, EnvpktBootError, type EnvpktConfig, EnvpktConfigSchema, type FieldChange, type FleetAgent, type FleetHealth, type FnoxConfig, type FnoxError, type FnoxSecret, type FormatDotenvOptions, type FormatPacketOptions, type HealthStatus, type Identity, type IdentityError, IdentitySchema, type KeygenError, type KeygenResult, type LifecycleConfig, LifecycleConfigSchema, type LogEntry, type LogLevel, type LogMetadata, type MatchResult, type ResolveOptions, type ResolveResult, type ResolvedPath, type ScanOptions, type ScanResult, type SealError, type SecretDisplay, type SecretHealth, type SecretMeta, SecretMetaSchema, type SecretStatus, type SectionDiff, type TomlEditError, type ToolsConfig, ToolsConfigSchema, ageAvailable, ageDecrypt, ageEncrypt, appendSection, boot, bootSafe, callTool, compareFnoxAndEnvpkt, computeAudit, computeEnvAudit, copyableSecretMeta, createDirectConsoleLogger, createDirectTestLogger, createServer, deriveServiceFromName, detectFnox, diffConfigs, directSilentLogger, discoverConfig, envCheck, envScan, extractFnoxKeys, findConfigPath, fnoxAvailable, fnoxExport, fnoxGet, formatAliasError, formatDotenv, formatPacket, generateKeypair, generateTomlFromScan, isEnvAlias, isSecretAlias, loadCatalog, loadConfig, loadConfigFromCwd, maskValue, matchEnvVar, matchValueShape, parseToml, quoteDotenvValue, readConfigFile, readFnoxConfig, readResource, removeSection, renameSection, resolveConfig, resolveConfigPath, resolveInlineKey, resolveKeyPath, resolveSecrets, resolveValues, resourceDefinitions, scanEnv, scanFleet, sealSecrets, serializeEnvBlock, serializeSecretBlock, startServer, toolDefinitions, unsealSecrets, unwrapAgentKey, updateConfigIdentity, updateSectionFields, validateAliases, validateConfig };

package/dist/index.js

@@ -2306,6 +2306,120 @@ const formatDotenv = (entries, options) => {
 	return header ? `${header}\n\n${body}` : body;
 };
 //#endregion
+//#region src/core/diff.ts
+/** Normalize a metadata value to a comparable/displayable string (`undefined` = absent). */
+const serialize = (value) => value === void 0 ? void 0 : typeof value === "string" ? value : JSON.stringify(value);
+/**
+* Field-level diff of two entries. `encrypted_value` is excluded from value comparison — the same
+* secret re-encrypts to different ciphertext, so diffing it is noise — but a change in *sealed
+* status* (present ↔ absent) is reported as a synthetic `sealed` field.
+*/
+const metaDiff = (a, b) => {
+	const ar = a;
+	const br = b;
+	const sealedChange = !!ar["encrypted_value"] === !!br["encrypted_value"] ? [] : [{
+		field: "sealed",
+		a: ar["encrypted_value"] ? "yes" : "no",
+		b: br["encrypted_value"] ? "yes" : "no"
+	}];
+	const fieldChanges = [...Object.keys(ar), ...Object.keys(br)].filter((k, i, arr) => k !== "encrypted_value" && arr.indexOf(k) === i).flatMap((field) => {
+		const av = serialize(ar[field]);
+		const bv = serialize(br[field]);
+		return av === bv ? [] : [{
+			field,
+			a: av,
+			b: bv
+		}];
+	});
+	return [...sealedChange, ...fieldChanges.sort((x, y) => x.field.localeCompare(y.field))];
+};
+const sectionDiff = (a, b) => {
+	const aKeys = Object.keys(a);
+	const bKeys = Object.keys(b);
+	return {
+		onlyA: aKeys.filter((k) => !(k in b)).sort(),
+		onlyB: bKeys.filter((k) => !(k in a)).sort(),
+		changed: aKeys.filter((k) => k in b).sort().flatMap((key) => {
+			const changes = metaDiff(a[key], b[key]);
+			return changes.length === 0 ? [] : [{
+				key,
+				changes
+			}];
+		})
+	};
+};
+const isEmpty = (s) => s.onlyA.length === 0 && s.onlyB.length === 0 && s.changed.length === 0;
+/** Compare two configs by their `[secret.*]` and `[env.*]` entries (metadata, not ciphertext). */
+const diffConfigs = (a, b) => {
+	const secret = sectionDiff(a.secret ?? {}, b.secret ?? {});
+	const env = sectionDiff(a.env ?? {}, b.env ?? {});
+	return {
+		secret,
+		env,
+		identical: isEmpty(secret) && isEmpty(env)
+	};
+};
+//#endregion
+//#region src/core/copy.ts
+/** Escape a string for a TOML basic (double-quoted) string. */
+const tomlString = (s) => `"${s.replace(/\\/g, "\\\\").replace(/"/g, "\\\"").replace(/\n/g, "\\n")}"`;
+const tomlStringArray = (arr) => `[${arr.map(tomlString).join(", ")}]`;
+const tomlInlineTable = (rec) => {
+	const entries = Object.entries(rec);
+	return entries.length === 0 ? "{}" : `{ ${entries.map(([k, v]) => `${k} = ${tomlString(v)}`).join(", ")} }`;
+};
+/**
+* The SecretMeta to write into the destination on copy.
+* - `created` is reset to today: the entry is new *here*, regardless of the source's age.
+* - `last_rotated_at` is dropped — it's the source's rotation history, not the copy's.
+* - `encryptedValue` re-derives the ciphertext: `Some(cipher)` sets the resealed value,
+*   `None` strips it entirely (a metadata-only copy of a secret with no sealed value).
+*/
+const copyableSecretMeta = (meta, opts) => {
+	const { last_rotated_at: _lra, encrypted_value: _ev, ...rest } = meta;
+	return opts.encryptedValue.fold(() => ({
+		...rest,
+		created: opts.today
+	}), (cipher) => ({
+		...rest,
+		created: opts.today,
+		encrypted_value: cipher
+	}));
+};
+/** Serialize a `[secret.<name>]` block from its metadata, round-trippable by the TOML parser. */
+const serializeSecretBlock = (name, meta) => {
+	const lines = [`[secret.${name}]`];
+	if (meta.service !== void 0) lines.push(`service = ${tomlString(meta.service)}`);
+	if (meta.purpose !== void 0) lines.push(`purpose = ${tomlString(meta.purpose)}`);
+	if (meta.comment !== void 0) lines.push(`comment = ${tomlString(meta.comment)}`);
+	if (meta.created !== void 0) lines.push(`created = ${tomlString(meta.created)}`);
+	if (meta.expires !== void 0) lines.push(`expires = ${tomlString(meta.expires)}`);
+	if (meta.rotates !== void 0) lines.push(`rotates = ${tomlString(meta.rotates)}`);
+	if (meta.rate_limit !== void 0) lines.push(`rate_limit = ${tomlString(meta.rate_limit)}`);
+	if (meta.model_hint !== void 0) lines.push(`model_hint = ${tomlString(meta.model_hint)}`);
+	if (meta.source !== void 0) lines.push(`source = ${tomlString(meta.source)}`);
+	if (meta.rotation_url !== void 0) lines.push(`rotation_url = ${tomlString(meta.rotation_url)}`);
+	if (meta.last_rotated_at !== void 0) lines.push(`last_rotated_at = ${tomlString(meta.last_rotated_at)}`);
+	if (meta.required !== void 0) lines.push(`required = ${meta.required ? "true" : "false"}`);
+	if (meta.capabilities !== void 0) lines.push(`capabilities = ${tomlStringArray(meta.capabilities)}`);
+	if (meta.tags !== void 0) lines.push(`tags = ${tomlInlineTable(meta.tags)}`);
+	if (meta.namespace !== void 0) lines.push(`namespace = ${tomlString(meta.namespace)}`);
+	if (meta.from_key !== void 0) lines.push(`from_key = ${tomlString(meta.from_key)}`);
+	if (meta.encrypted_value !== void 0 && meta.encrypted_value !== "") lines.push(`encrypted_value = """`, meta.encrypted_value, `"""`);
+	return `${lines.join("\n")}\n`;
+};
+/** Serialize an `[env.<name>]` block from its metadata. */
+const serializeEnvBlock = (name, meta) => {
+	const lines = [`[env.${name}]`];
+	if (meta.value !== void 0) lines.push(`value = ${tomlString(meta.value)}`);
+	if (meta.from_key !== void 0) lines.push(`from_key = ${tomlString(meta.from_key)}`);
+	if (meta.purpose !== void 0) lines.push(`purpose = ${tomlString(meta.purpose)}`);
+	if (meta.comment !== void 0) lines.push(`comment = ${tomlString(meta.comment)}`);
+	if (meta.tags !== void 0) lines.push(`tags = ${tomlInlineTable(meta.tags)}`);
+	if (meta.namespace !== void 0) lines.push(`namespace = ${tomlString(meta.namespace)}`);
+	return `${lines.join("\n")}\n`;
+};
+//#endregion
 //#region src/core/toml-edit.ts
 const SECTION_RE = /^\[.+\]\s*$/;
 const MULTILINE_OPEN = "\"\"\"";
@@ -2804,4 +2918,4 @@ const startServer = async () => {
 	await server.connect(transport);
 };
 //#endregion
-export { AgentIdentitySchema, CallbackConfigSchema, ConsumerType, EnvMetaSchema, EnvpktBootError, EnvpktConfigSchema, IdentitySchema, LifecycleConfigSchema, SecretMetaSchema, ToolsConfigSchema, ageAvailable, ageDecrypt, ageEncrypt, appendSection, boot, bootSafe, callTool, compareFnoxAndEnvpkt, computeAudit, computeEnvAudit, createDirectConsoleLogger, createDirectTestLogger, createServer, deriveServiceFromName, detectFnox, directSilentLogger, discoverConfig, envCheck, envScan, extractFnoxKeys, findConfigPath, fnoxAvailable, fnoxExport, fnoxGet, formatAliasError, formatDotenv, formatPacket, generateKeypair, generateTomlFromScan, isEnvAlias, isSecretAlias, loadCatalog, loadConfig, loadConfigFromCwd, maskValue, matchEnvVar, matchValueShape, parseToml, quoteDotenvValue, readConfigFile, readFnoxConfig, readResource, removeSection, renameSection, resolveConfig, resolveConfigPath, resolveInlineKey, resolveKeyPath, resolveSecrets, resolveValues, resourceDefinitions, scanEnv, scanFleet, sealSecrets, startServer, toolDefinitions, unsealSecrets, unwrapAgentKey, updateConfigIdentity, updateSectionFields, validateAliases, validateConfig };
+export { AgentIdentitySchema, CallbackConfigSchema, ConsumerType, EnvMetaSchema, EnvpktBootError, EnvpktConfigSchema, IdentitySchema, LifecycleConfigSchema, SecretMetaSchema, ToolsConfigSchema, ageAvailable, ageDecrypt, ageEncrypt, appendSection, boot, bootSafe, callTool, compareFnoxAndEnvpkt, computeAudit, computeEnvAudit, copyableSecretMeta, createDirectConsoleLogger, createDirectTestLogger, createServer, deriveServiceFromName, detectFnox, diffConfigs, directSilentLogger, discoverConfig, envCheck, envScan, extractFnoxKeys, findConfigPath, fnoxAvailable, fnoxExport, fnoxGet, formatAliasError, formatDotenv, formatPacket, generateKeypair, generateTomlFromScan, isEnvAlias, isSecretAlias, loadCatalog, loadConfig, loadConfigFromCwd, maskValue, matchEnvVar, matchValueShape, parseToml, quoteDotenvValue, readConfigFile, readFnoxConfig, readResource, removeSection, renameSection, resolveConfig, resolveConfigPath, resolveInlineKey, resolveKeyPath, resolveSecrets, resolveValues, resourceDefinitions, scanEnv, scanFleet, sealSecrets, serializeEnvBlock, serializeSecretBlock, startServer, toolDefinitions, unsealSecrets, unwrapAgentKey, updateConfigIdentity, updateSectionFields, validateAliases, validateConfig };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "envpkt",
-  "version": "0.13.2",
+  "version": "0.13.4",
   "description": "Credential lifecycle and fleet management for AI agents",
   "keywords": [
     "credentials",
@@ -42,14 +42,14 @@
     "@modelcontextprotocol/sdk": "^1.29.0",
     "@sinclair/typebox": "^0.34.49",
     "commander": "^15.0.0",
-    "functype": "^1.3.1",
-    "functype-log": "^1.3.1",
-    "functype-os": "^1.3.1",
+    "functype": "^1.4.3",
+    "functype-log": "^1.4.3",
+    "functype-os": "^1.4.3",
     "smol-toml": "^1.6.1"
   },
   "devDependencies": {
-    "@types/node": "^24.13.1",
-    "ts-builds": "^3.0.1",
+    "@types/node": "^24.13.2",
+    "ts-builds": "^3.2.0",
     "tsdown": "^0.22.2",
     "tsx": "^4.22.4"
   },
@@ -71,5 +71,5 @@
     "schemas"
   ],
   "prettier": "ts-builds/prettier",
-  "packageManager": "pnpm@11.5.2+sha512.71c631e382066efc25625d5cf029075de07b61b37f6e27350fbd84b1bda5864c8c1967adc280776b45c30a715c0359a3be08fef42d5bb09e2b99029979692916"
+  "packageManager": "pnpm@11.7.0+sha512.19cc852c120c7125760f2443ee6be0ca5b40f9f50598de1a09a1f177503e010e57c23c77646e01e761de59bf874fb22a3398c33ab9691fc13eb946b6f0f4d620"
 }