envpkt 0.8.1 → 0.10.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md CHANGED
@@ -141,6 +141,29 @@ value = "info"
141
141
  purpose = "Application log verbosity"
142
142
  ```
143
143
 
144
+ ### Aliases
145
+
146
+ When a consumer hardcodes a different env var name than the one you govern
147
+ canonically, use `from_key` to expose the same value under a second name —
148
+ without duplicating the secret:
149
+
150
+ ```toml
151
+ [secret.API_KEY]
152
+ service = "stripe"
153
+ expires = "2027-01-15"
154
+ rotation_url = "https://dashboard.stripe.com/apikeys"
155
+
156
+ # Same governed value, under a legacy name some consumer expects
157
+ [secret.STRIPE_SECRET_KEY]
158
+ from_key = "secret.API_KEY"
159
+ ```
160
+
161
+ Both names are injected at boot, both appear in audit output, and expiration
162
+ tracking lives on the target — an alias is healthy iff its target is. Same
163
+ pattern works for `[env.*]`. Cross-type aliasing (secret → env) is rejected
164
+ at load time. See [TOML Schema → Aliases](https://envpkt.dev/reference/toml-schema/#aliases)
165
+ for the full rules.
166
+
144
167
  See [`examples/`](./examples/) for more configurations.
145
168
 
146
169
  ## Sealed Packets
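Review bot: In the new Aliases paragraph, "Cross-type aliasing (secret → env) is rejected at load time" names only one direction, and nothing says what happens when an alias table sets its own fields next to `from_key`. Since "expiration tracking lives on the target", a reader could add `expires` or `service` under `[secret.STRIPE_SECRET_KEY]` and not know whether that is ignored or an error. Suggest stating here, not only behind the schema link, whether env → secret is also rejected and whether extra keys on an alias entry fail at load. It would also help to note that an alias puts the same secret into the process environment under a second variable name, so the decision to add one is visible to whoever reviews the config.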
@@ -150,21 +173,22 @@ Sealed packets embed age-encrypted secret values directly in `envpkt.toml`. This
150
173
  ### Setup
151
174
 
152
175
  ```bash
153
- # Generate an age keypair
154
- age-keygen -o identity.txt
155
- # public key: age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p
176
+ # Generate an age keypair — writes to ~/.envpkt/<project>-key.txt and updates envpkt.toml
177
+ envpkt keygen
156
178
  ```
157
179
 
158
- Add the public key to your config and the identity file to `.gitignore`:
180
+ This writes `[identity]` with `name`, `recipient`, and `key_file` to your `envpkt.toml`. Add the key file to `.gitignore`:
159
181
 
160
182
  ```toml
161
183
  [identity]
162
184
  name = "my-agent"
163
185
  recipient = "age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p"
164
- key_file = "identity.txt"
186
+ key_file = "~/.envpkt/my-agent-key.txt"
165
187
  ```
166
188
 
167
- The `key_file` path supports `~` expansion and environment variables (`$VAR`, `${VAR}`), so you can use paths like `~/keys/identity.txt` or `$KEYS_DIR/identity.txt`. Relative paths are resolved from the config file's directory. When omitted, envpkt falls back to `ENVPKT_AGE_KEY_FILE` env var, then `~/.envpkt/age-key.txt`.
189
+ `envpkt keygen` defaults to a **project-specific path** (`~/.envpkt/<project>-key.txt`), so separate projects never collide. For multi-environment projects (e.g. `prod.envpkt.toml` + `dev.envpkt.toml`), each config gets its own key automatically. Pass `--global` to use the shared `~/.envpkt/age-key.txt` path instead.
190
+
191
+ The `key_file` path supports `~` expansion and environment variables (`$VAR`, `${VAR}`). Relative paths are resolved from the config file's directory. When omitted, envpkt falls back to `ENVPKT_AGE_KEY_FILE` env var, then `~/.envpkt/age-key.txt` — but it's best to set `key_file` explicitly so the config tells you which key it needs.
168
192
 
169
193
  ### Seal
170
194
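Review bot: The rewritten Setup text still says "Add the key file to `.gitignore`", but the default it now documents is `key_file = "~/.envpkt/my-agent-key.txt"`, which lives in the home directory, where a repository `.gitignore` has no effect. That sentence looks carried over from the removed `identity.txt` flow; suggest scoping it to the case where `key_file` is a relative path resolved from the config file's directory. Separately, the comment and the prose give the path as `~/.envpkt/<project>-key.txt` while the example uses `my-agent-key.txt` with `name = "my-agent"`, and the multi-environment sentence says each config gets its own key, so it is unclear whether `<project>` comes from the identity name, the directory or the config filename. One sentence on how `<project>` is derived would settle it.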