envpkt 0.13.3 → 0.13.4

package/dist/index.d.ts

@@ -609,6 +609,23 @@ type ConfigDiff = {
 /** Compare two configs by their `[secret.*]` and `[env.*]` entries (metadata, not ciphertext). */
 declare const diffConfigs: (a: EnvpktConfig, b: EnvpktConfig) => ConfigDiff;
 //#endregion
+//#region src/core/copy.d.ts
+/**
+ * The SecretMeta to write into the destination on copy.
+ * - `created` is reset to today: the entry is new *here*, regardless of the source's age.
+ * - `last_rotated_at` is dropped — it's the source's rotation history, not the copy's.
+ * - `encryptedValue` re-derives the ciphertext: `Some(cipher)` sets the resealed value,
+ *   `None` strips it entirely (a metadata-only copy of a secret with no sealed value).
+ */
+declare const copyableSecretMeta: (meta: SecretMeta, opts: {
+  readonly today: string;
+  readonly encryptedValue: Option<string>;
+}) => SecretMeta;
+/** Serialize a `[secret.<name>]` block from its metadata, round-trippable by the TOML parser. */
+declare const serializeSecretBlock: (name: string, meta: SecretMeta) => string;
+/** Serialize an `[env.<name>]` block from its metadata. */
+declare const serializeEnvBlock: (name: string, meta: EnvMeta) => string;
+//#endregion
 //#region src/core/toml-edit.d.ts
 /**
  * Remove a TOML section (e.g. `[secret.X]`) and all its fields through the next section or EOF.
@@ -694,4 +711,4 @@ type ToolDef = {
 declare const toolDefinitions: readonly ToolDef[];
 declare const callTool: (name: string, args: Record<string, unknown>) => CallToolResult;
 //#endregion
-export { type AgentIdentity, AgentIdentitySchema, type AliasError, type AliasTable, type AuditResult, type BootError, type BootOptions, type BootResult, type CallbackConfig, CallbackConfigSchema, type CatalogError, type ChangedEntry, type CheckResult, type ConfidenceLevel, type ConfigDiff, type ConfigError, type ConfigSource, ConsumerType, type CredentialPattern, type DirectLogger, type DirectTestLoggerHandle, type DotenvEntry, type DriftEntry, type DriftStatus, type EnvAuditResult, type EnvDriftEntry, type EnvDriftStatus, type EnvMeta, EnvMetaSchema, EnvpktBootError, type EnvpktConfig, EnvpktConfigSchema, type FieldChange, type FleetAgent, type FleetHealth, type FnoxConfig, type FnoxError, type FnoxSecret, type FormatDotenvOptions, type FormatPacketOptions, type HealthStatus, type Identity, type IdentityError, IdentitySchema, type KeygenError, type KeygenResult, type LifecycleConfig, LifecycleConfigSchema, type LogEntry, type LogLevel, type LogMetadata, type MatchResult, type ResolveOptions, type ResolveResult, type ResolvedPath, type ScanOptions, type ScanResult, type SealError, type SecretDisplay, type SecretHealth, type SecretMeta, SecretMetaSchema, type SecretStatus, type SectionDiff, type TomlEditError, type ToolsConfig, ToolsConfigSchema, ageAvailable, ageDecrypt, ageEncrypt, appendSection, boot, bootSafe, callTool, compareFnoxAndEnvpkt, computeAudit, computeEnvAudit, createDirectConsoleLogger, createDirectTestLogger, createServer, deriveServiceFromName, detectFnox, diffConfigs, directSilentLogger, discoverConfig, envCheck, envScan, extractFnoxKeys, findConfigPath, fnoxAvailable, fnoxExport, fnoxGet, formatAliasError, formatDotenv, formatPacket, generateKeypair, generateTomlFromScan, isEnvAlias, isSecretAlias, loadCatalog, loadConfig, loadConfigFromCwd, maskValue, matchEnvVar, matchValueShape, parseToml, quoteDotenvValue, readConfigFile, readFnoxConfig, readResource, removeSection, renameSection, resolveConfig, resolveConfigPath, resolveInlineKey, resolveKeyPath, resolveSecrets, resolveValues, resourceDefinitions, scanEnv, scanFleet, sealSecrets, startServer, toolDefinitions, unsealSecrets, unwrapAgentKey, updateConfigIdentity, updateSectionFields, validateAliases, validateConfig };
+export { type AgentIdentity, AgentIdentitySchema, type AliasError, type AliasTable, type AuditResult, type BootError, type BootOptions, type BootResult, type CallbackConfig, CallbackConfigSchema, type CatalogError, type ChangedEntry, type CheckResult, type ConfidenceLevel, type ConfigDiff, type ConfigError, type ConfigSource, ConsumerType, type CredentialPattern, type DirectLogger, type DirectTestLoggerHandle, type DotenvEntry, type DriftEntry, type DriftStatus, type EnvAuditResult, type EnvDriftEntry, type EnvDriftStatus, type EnvMeta, EnvMetaSchema, EnvpktBootError, type EnvpktConfig, EnvpktConfigSchema, type FieldChange, type FleetAgent, type FleetHealth, type FnoxConfig, type FnoxError, type FnoxSecret, type FormatDotenvOptions, type FormatPacketOptions, type HealthStatus, type Identity, type IdentityError, IdentitySchema, type KeygenError, type KeygenResult, type LifecycleConfig, LifecycleConfigSchema, type LogEntry, type LogLevel, type LogMetadata, type MatchResult, type ResolveOptions, type ResolveResult, type ResolvedPath, type ScanOptions, type ScanResult, type SealError, type SecretDisplay, type SecretHealth, type SecretMeta, SecretMetaSchema, type SecretStatus, type SectionDiff, type TomlEditError, type ToolsConfig, ToolsConfigSchema, ageAvailable, ageDecrypt, ageEncrypt, appendSection, boot, bootSafe, callTool, compareFnoxAndEnvpkt, computeAudit, computeEnvAudit, copyableSecretMeta, createDirectConsoleLogger, createDirectTestLogger, createServer, deriveServiceFromName, detectFnox, diffConfigs, directSilentLogger, discoverConfig, envCheck, envScan, extractFnoxKeys, findConfigPath, fnoxAvailable, fnoxExport, fnoxGet, formatAliasError, formatDotenv, formatPacket, generateKeypair, generateTomlFromScan, isEnvAlias, isSecretAlias, loadCatalog, loadConfig, loadConfigFromCwd, maskValue, matchEnvVar, matchValueShape, parseToml, quoteDotenvValue, readConfigFile, readFnoxConfig, readResource, removeSection, renameSection, resolveConfig, resolveConfigPath, resolveInlineKey, resolveKeyPath, resolveSecrets, resolveValues, resourceDefinitions, scanEnv, scanFleet, sealSecrets, serializeEnvBlock, serializeSecretBlock, startServer, toolDefinitions, unsealSecrets, unwrapAgentKey, updateConfigIdentity, updateSectionFields, validateAliases, validateConfig };

package/dist/index.js

@@ -2360,6 +2360,66 @@ const diffConfigs = (a, b) => {
 	};
 };
 //#endregion
+//#region src/core/copy.ts
+/** Escape a string for a TOML basic (double-quoted) string. */
+const tomlString = (s) => `"${s.replace(/\\/g, "\\\\").replace(/"/g, "\\\"").replace(/\n/g, "\\n")}"`;
+const tomlStringArray = (arr) => `[${arr.map(tomlString).join(", ")}]`;
+const tomlInlineTable = (rec) => {
+	const entries = Object.entries(rec);
+	return entries.length === 0 ? "{}" : `{ ${entries.map(([k, v]) => `${k} = ${tomlString(v)}`).join(", ")} }`;
+};
+/**
+* The SecretMeta to write into the destination on copy.
+* - `created` is reset to today: the entry is new *here*, regardless of the source's age.
+* - `last_rotated_at` is dropped — it's the source's rotation history, not the copy's.
+* - `encryptedValue` re-derives the ciphertext: `Some(cipher)` sets the resealed value,
+*   `None` strips it entirely (a metadata-only copy of a secret with no sealed value).
+*/
+const copyableSecretMeta = (meta, opts) => {
+	const { last_rotated_at: _lra, encrypted_value: _ev, ...rest } = meta;
+	return opts.encryptedValue.fold(() => ({
+		...rest,
+		created: opts.today
+	}), (cipher) => ({
+		...rest,
+		created: opts.today,
+		encrypted_value: cipher
+	}));
+};
+/** Serialize a `[secret.<name>]` block from its metadata, round-trippable by the TOML parser. */
+const serializeSecretBlock = (name, meta) => {
+	const lines = [`[secret.${name}]`];
+	if (meta.service !== void 0) lines.push(`service = ${tomlString(meta.service)}`);
+	if (meta.purpose !== void 0) lines.push(`purpose = ${tomlString(meta.purpose)}`);
+	if (meta.comment !== void 0) lines.push(`comment = ${tomlString(meta.comment)}`);
+	if (meta.created !== void 0) lines.push(`created = ${tomlString(meta.created)}`);
+	if (meta.expires !== void 0) lines.push(`expires = ${tomlString(meta.expires)}`);
+	if (meta.rotates !== void 0) lines.push(`rotates = ${tomlString(meta.rotates)}`);
+	if (meta.rate_limit !== void 0) lines.push(`rate_limit = ${tomlString(meta.rate_limit)}`);
+	if (meta.model_hint !== void 0) lines.push(`model_hint = ${tomlString(meta.model_hint)}`);
+	if (meta.source !== void 0) lines.push(`source = ${tomlString(meta.source)}`);
+	if (meta.rotation_url !== void 0) lines.push(`rotation_url = ${tomlString(meta.rotation_url)}`);
+	if (meta.last_rotated_at !== void 0) lines.push(`last_rotated_at = ${tomlString(meta.last_rotated_at)}`);
+	if (meta.required !== void 0) lines.push(`required = ${meta.required ? "true" : "false"}`);
+	if (meta.capabilities !== void 0) lines.push(`capabilities = ${tomlStringArray(meta.capabilities)}`);
+	if (meta.tags !== void 0) lines.push(`tags = ${tomlInlineTable(meta.tags)}`);
+	if (meta.namespace !== void 0) lines.push(`namespace = ${tomlString(meta.namespace)}`);
+	if (meta.from_key !== void 0) lines.push(`from_key = ${tomlString(meta.from_key)}`);
+	if (meta.encrypted_value !== void 0 && meta.encrypted_value !== "") lines.push(`encrypted_value = """`, meta.encrypted_value, `"""`);
+	return `${lines.join("\n")}\n`;
+};
+/** Serialize an `[env.<name>]` block from its metadata. */
+const serializeEnvBlock = (name, meta) => {
+	const lines = [`[env.${name}]`];
+	if (meta.value !== void 0) lines.push(`value = ${tomlString(meta.value)}`);
+	if (meta.from_key !== void 0) lines.push(`from_key = ${tomlString(meta.from_key)}`);
+	if (meta.purpose !== void 0) lines.push(`purpose = ${tomlString(meta.purpose)}`);
+	if (meta.comment !== void 0) lines.push(`comment = ${tomlString(meta.comment)}`);
+	if (meta.tags !== void 0) lines.push(`tags = ${tomlInlineTable(meta.tags)}`);
+	if (meta.namespace !== void 0) lines.push(`namespace = ${tomlString(meta.namespace)}`);
+	return `${lines.join("\n")}\n`;
+};
+//#endregion
 //#region src/core/toml-edit.ts
 const SECTION_RE = /^\[.+\]\s*$/;
 const MULTILINE_OPEN = "\"\"\"";
@@ -2858,4 +2918,4 @@ const startServer = async () => {
 	await server.connect(transport);
 };
 //#endregion
-export { AgentIdentitySchema, CallbackConfigSchema, ConsumerType, EnvMetaSchema, EnvpktBootError, EnvpktConfigSchema, IdentitySchema, LifecycleConfigSchema, SecretMetaSchema, ToolsConfigSchema, ageAvailable, ageDecrypt, ageEncrypt, appendSection, boot, bootSafe, callTool, compareFnoxAndEnvpkt, computeAudit, computeEnvAudit, createDirectConsoleLogger, createDirectTestLogger, createServer, deriveServiceFromName, detectFnox, diffConfigs, directSilentLogger, discoverConfig, envCheck, envScan, extractFnoxKeys, findConfigPath, fnoxAvailable, fnoxExport, fnoxGet, formatAliasError, formatDotenv, formatPacket, generateKeypair, generateTomlFromScan, isEnvAlias, isSecretAlias, loadCatalog, loadConfig, loadConfigFromCwd, maskValue, matchEnvVar, matchValueShape, parseToml, quoteDotenvValue, readConfigFile, readFnoxConfig, readResource, removeSection, renameSection, resolveConfig, resolveConfigPath, resolveInlineKey, resolveKeyPath, resolveSecrets, resolveValues, resourceDefinitions, scanEnv, scanFleet, sealSecrets, startServer, toolDefinitions, unsealSecrets, unwrapAgentKey, updateConfigIdentity, updateSectionFields, validateAliases, validateConfig };
+export { AgentIdentitySchema, CallbackConfigSchema, ConsumerType, EnvMetaSchema, EnvpktBootError, EnvpktConfigSchema, IdentitySchema, LifecycleConfigSchema, SecretMetaSchema, ToolsConfigSchema, ageAvailable, ageDecrypt, ageEncrypt, appendSection, boot, bootSafe, callTool, compareFnoxAndEnvpkt, computeAudit, computeEnvAudit, copyableSecretMeta, createDirectConsoleLogger, createDirectTestLogger, createServer, deriveServiceFromName, detectFnox, diffConfigs, directSilentLogger, discoverConfig, envCheck, envScan, extractFnoxKeys, findConfigPath, fnoxAvailable, fnoxExport, fnoxGet, formatAliasError, formatDotenv, formatPacket, generateKeypair, generateTomlFromScan, isEnvAlias, isSecretAlias, loadCatalog, loadConfig, loadConfigFromCwd, maskValue, matchEnvVar, matchValueShape, parseToml, quoteDotenvValue, readConfigFile, readFnoxConfig, readResource, removeSection, renameSection, resolveConfig, resolveConfigPath, resolveInlineKey, resolveKeyPath, resolveSecrets, resolveValues, resourceDefinitions, scanEnv, scanFleet, sealSecrets, serializeEnvBlock, serializeSecretBlock, startServer, toolDefinitions, unsealSecrets, unwrapAgentKey, updateConfigIdentity, updateSectionFields, validateAliases, validateConfig };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "envpkt",
-  "version": "0.13.3",
+  "version": "0.13.4",
   "description": "Credential lifecycle and fleet management for AI agents",
   "keywords": [
     "credentials",
@@ -42,14 +42,14 @@
     "@modelcontextprotocol/sdk": "^1.29.0",
     "@sinclair/typebox": "^0.34.49",
     "commander": "^15.0.0",
-    "functype": "^1.3.1",
-    "functype-log": "^1.3.1",
-    "functype-os": "^1.3.1",
+    "functype": "^1.4.3",
+    "functype-log": "^1.4.3",
+    "functype-os": "^1.4.3",
     "smol-toml": "^1.6.1"
   },
   "devDependencies": {
-    "@types/node": "^24.13.1",
-    "ts-builds": "^3.0.1",
+    "@types/node": "^24.13.2",
+    "ts-builds": "^3.2.0",
     "tsdown": "^0.22.2",
     "tsx": "^4.22.4"
   },
@@ -71,5 +71,5 @@
     "schemas"
   ],
   "prettier": "ts-builds/prettier",
-  "packageManager": "pnpm@11.5.2+sha512.71c631e382066efc25625d5cf029075de07b61b37f6e27350fbd84b1bda5864c8c1967adc280776b45c30a715c0359a3be08fef42d5bb09e2b99029979692916"
+  "packageManager": "pnpm@11.7.0+sha512.19cc852c120c7125760f2443ee6be0ca5b40f9f50598de1a09a1f177503e010e57c23c77646e01e761de59bf874fb22a3398c33ab9691fc13eb946b6f0f4d620"
 }