envpkt 0.8.1 → 0.10.1
- package/README.md +30 -6
- package/dist/cli.js +431 -30
- package/dist/index.d.ts +76 -8
- package/dist/index.js +312 -31
- package/package.json +25 -23
- package/schemas/envpkt.schema.json +9 -4
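--- a/package/dist/index.d.ts
+++ b/package/dist/index.d.ts
@@ -44,6 +44,7 @@ declare const SecretMetaSchema: _$_sinclair_typebox0.TObject<{
 model_hint: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TString>;
 source: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TString>;
 encrypted_value: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TString>;
+from_key: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TString>;
 required: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TBoolean>;
 tags: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TRecord<_$_sinclair_typebox0.TString, _$_sinclair_typebox0.TString>>;
 }>;
@@ -63,7 +64,8 @@ type CallbackConfig = Static<typeof CallbackConfigSchema>;
 declare const ToolsConfigSchema: _$_sinclair_typebox0.TRecord<_$_sinclair_typebox0.TString, _$_sinclair_typebox0.TUnknown>;
 type ToolsConfig = Static<typeof ToolsConfigSchema>;
 declare const EnvMetaSchema: _$_sinclair_typebox0.TObject<{
-value: _$_sinclair_typebox0.TString
+value: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TString>;
+from_key: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TString>;
 purpose: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TString>;
 comment: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TString>;
 tags: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TRecord<_$_sinclair_typebox0.TString, _$_sinclair_typebox0.TString>>;
@@ -96,11 +98,13 @@ declare const EnvpktConfigSchema: _$_sinclair_typebox0.TObject<{
 model_hint: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TString>;
 source: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TString>;
 encrypted_value: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TString>;
+from_key: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TString>;
 required: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TBoolean>;
 tags: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TRecord<_$_sinclair_typebox0.TString, _$_sinclair_typebox0.TString>>;
 }>>>;
 env: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TRecord<_$_sinclair_typebox0.TString, _$_sinclair_typebox0.TObject<{
-value: _$_sinclair_typebox0.TString
+value: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TString>;
+from_key: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TString>;
 purpose: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TString>;
 comment: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TString>;
 tags: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TRecord<_$_sinclair_typebox0.TString, _$_sinclair_typebox0.TString>>;
@@ -133,7 +137,8 @@ type SecretHealth = {
 readonly purpose: Option<string>;
 readonly created: Option<string>;
 readonly expires: Option<string>;
-readonly issues: List<string>;
+readonly issues: List<string>; /** If this entry is an alias (from_key), the reference it points at (e.g. "secret.X") */
+readonly alias_of: Option<string>;
 };
 type AuditResult = {
 readonly status: HealthStatus;
@@ -145,7 +150,8 @@ type AuditResult = {
 readonly stale: number;
 readonly missing: number;
 readonly missing_metadata: number;
-readonly orphaned: number;
+readonly orphaned: number; /** Count of entries that are aliases (from_key). Included in `secrets` but reported separately for visibility. */
+readonly aliases: number;
 readonly identity?: Identity;
 };
 type EnvDriftStatus = "default" | "overridden" | "missing";
@@ -154,7 +160,8 @@ type EnvDriftEntry = {
 readonly defaultValue: string;
 readonly currentValue: string | undefined;
 readonly status: EnvDriftStatus;
-readonly purpose: string | undefined;
+readonly purpose: string | undefined; /** If this entry is an alias (from_key), the reference it points at (e.g. "env.X") */
+readonly alias_of: Option<string>;
 };
 type EnvAuditResult = {
 readonly entries: ReadonlyArray<EnvDriftEntry>;
@@ -238,6 +245,40 @@ type CatalogError = {
 readonly _tag: "MissingSecretsList";
 readonly message: string;
 };
+type AliasTable = {
+/** key → { type: "secret"|"env", targetType, targetKey } for every alias entry */readonly entries: ReadonlyMap<string, {
+readonly kind: "secret" | "env";
+readonly targetKind: "secret" | "env";
+readonly targetKey: string;
+}>;
+};
+type AliasError = {
+readonly _tag: "AliasInvalidSyntax";
+readonly key: string;
+readonly kind: "secret" | "env";
+readonly value: string;
+} | {
+readonly _tag: "AliasTargetMissing";
+readonly key: string;
+readonly target: string;
+} | {
+readonly _tag: "AliasSelfReference";
+readonly key: string;
+} | {
+readonly _tag: "AliasChained";
+readonly key: string;
+readonly target: string;
+} | {
+readonly _tag: "AliasCrossType";
+readonly key: string;
+readonly kind: "secret" | "env";
+readonly targetKind: "secret" | "env";
+} | {
+readonly _tag: "AliasValueConflict";
+readonly key: string;
+readonly kind: "secret" | "env";
+readonly field: string;
+};
 type BootOptions = {
 readonly configPath?: string;
 readonly profile?: string;
@@ -256,7 +297,7 @@ type BootResult = {
 readonly configPath: string;
 readonly configSource: ConfigSource;
 };
-type BootError = ConfigError | FnoxError | CatalogError | {
+type BootError = ConfigError | FnoxError | CatalogError | AliasError | {
 readonly _tag: "AuditFailed";
 readonly audit: AuditResult;
 readonly message: string;
@@ -354,6 +395,33 @@ declare const resolveSecrets: (agentMeta: Record<string, SecretMeta>, catalogMet
 /** Resolve an agent config against its catalog (if any), producing a flat self-contained config */
 declare const resolveConfig: (agentConfig: EnvpktConfig, agentConfigDir: string) => Either<CatalogError, ResolveResult>;
 //#endregion
+//#region src/core/alias.d.ts
+/**
+* Validate all `from_key` references in a resolved config. Produces an
+* AliasTable mapping each alias to its target, or an AliasError describing
+* the first failure.
+*
+* Rules:
+* - Ref must be "secret.<KEY>" or "env.<KEY>"
+* - Target must exist in the same resolved config
+* - Target must be the same type (secret→secret, env→env only)
+* - Target must not itself be a from_key entry (single hop only)
+* - Self-reference is rejected
+* - An alias entry cannot also carry a value field (encrypted_value for
+* secrets, value for env)
+*/
+declare const validateAliases: (config: EnvpktConfig) => Either<AliasError, AliasTable>;
+/** Does this secret entry point at another entry? */
+declare const isSecretAlias: (meta: {
+from_key?: string;
+} | undefined) => boolean;
+/** Does this env entry point at another entry? */
+declare const isEnvAlias: (meta: {
+from_key?: string;
+} | undefined) => boolean;
+/** Format an alias error into a human-readable message */
+declare const formatAliasError: (error: AliasError) => string;
+//#endregion
 //#region src/core/format.d.ts
 type SecretDisplay = "encrypted" | "plaintext";
 type FormatPacketOptions = {
@@ -364,7 +432,7 @@ declare const maskValue: (value: string) => string;
 declare const formatPacket: (result: ResolveResult, options?: FormatPacketOptions) => string;
 //#endregion
 //#region src/core/audit.d.ts
-declare const computeAudit: (config: EnvpktConfig, fnoxKeys?: ReadonlySet<string>, today?: Date) => AuditResult;
+declare const computeAudit: (config: EnvpktConfig, fnoxKeys?: ReadonlySet<string>, today?: Date, aliasTable?: AliasTable) => AuditResult;
 declare const computeEnvAudit: (config: EnvpktConfig, env?: Readonly<Record<string, string | undefined>>) => EnvAuditResult;
 //#endregion
 //#region src/core/patterns.d.ts
@@ -554,4 +622,4 @@ type ToolDef = {
 declare const toolDefinitions: readonly ToolDef[];
 declare const callTool: (name: string, args: Record<string, unknown>) => CallToolResult;
 //#endregion
-export { type AgentIdentity, AgentIdentitySchema, type AuditResult, type BootError, type BootOptions, type BootResult, type CallbackConfig, CallbackConfigSchema, type CatalogError, type CheckResult, type ConfidenceLevel, type ConfigError, type ConfigSource, type ConsumerType, type CredentialPattern, type DriftEntry, type DriftStatus, type EnvAuditResult, type EnvDriftEntry, type EnvDriftStatus, type EnvMeta, EnvMetaSchema, EnvpktBootError, type EnvpktConfig, EnvpktConfigSchema, type FleetAgent, type FleetHealth, type FnoxConfig, type FnoxError, type FnoxSecret, type FormatPacketOptions, type HealthStatus, type Identity, type IdentityError, IdentitySchema, type KeygenError, type KeygenResult, type LifecycleConfig, LifecycleConfigSchema, type MatchResult, type ResolveOptions, type ResolveResult, type ResolvedPath, type ScanOptions, type ScanResult, type SealError, type SecretDisplay, type SecretHealth, type SecretMeta, SecretMetaSchema, type SecretStatus, type TomlEditError, type ToolsConfig, ToolsConfigSchema, ageAvailable, ageDecrypt, ageEncrypt, appendSection, boot, bootSafe, callTool, compareFnoxAndEnvpkt, computeAudit, computeEnvAudit, createServer, deriveServiceFromName, detectFnox, discoverConfig, envCheck, envScan, extractFnoxKeys, findConfigPath, fnoxAvailable, fnoxExport, fnoxGet, formatPacket, generateKeypair, generateTomlFromScan, loadCatalog, loadConfig, loadConfigFromCwd, maskValue, matchEnvVar, matchValueShape, parseToml, readConfigFile, readFnoxConfig, readResource, removeSection, renameSection, resolveConfig, resolveConfigPath, resolveInlineKey, resolveKeyPath, resolveSecrets, resolveValues, resourceDefinitions, scanEnv, scanFleet, sealSecrets, startServer, toolDefinitions, unsealSecrets, unwrapAgentKey, updateConfigIdentity, updateSectionFields, validateConfig };
+export { type AgentIdentity, AgentIdentitySchema, type AliasError, type AliasTable, type AuditResult, type BootError, type BootOptions, type BootResult, type CallbackConfig, CallbackConfigSchema, type CatalogError, type CheckResult, type ConfidenceLevel, type ConfigError, type ConfigSource, type ConsumerType, type CredentialPattern, type DriftEntry, type DriftStatus, type EnvAuditResult, type EnvDriftEntry, type EnvDriftStatus, type EnvMeta, EnvMetaSchema, EnvpktBootError, type EnvpktConfig, EnvpktConfigSchema, type FleetAgent, type FleetHealth, type FnoxConfig, type FnoxError, type FnoxSecret, type FormatPacketOptions, type HealthStatus, type Identity, type IdentityError, IdentitySchema, type KeygenError, type KeygenResult, type LifecycleConfig, LifecycleConfigSchema, type MatchResult, type ResolveOptions, type ResolveResult, type ResolvedPath, type ScanOptions, type ScanResult, type SealError, type SecretDisplay, type SecretHealth, type SecretMeta, SecretMetaSchema, type SecretStatus, type TomlEditError, type ToolsConfig, ToolsConfigSchema, ageAvailable, ageDecrypt, ageEncrypt, appendSection, boot, bootSafe, callTool, compareFnoxAndEnvpkt, computeAudit, computeEnvAudit, createServer, deriveServiceFromName, detectFnox, discoverConfig, envCheck, envScan, extractFnoxKeys, findConfigPath, fnoxAvailable, fnoxExport, fnoxGet, formatAliasError, formatPacket, generateKeypair, generateTomlFromScan, isEnvAlias, isSecretAlias, loadCatalog, loadConfig, loadConfigFromCwd, maskValue, matchEnvVar, matchValueShape, parseToml, readConfigFile, readFnoxConfig, readResource, removeSection, renameSection, resolveConfig, resolveConfigPath, resolveInlineKey, resolveKeyPath, resolveSecrets, resolveValues, resourceDefinitions, scanEnv, scanFleet, sealSecrets, startServer, toolDefinitions, unsealSecrets, unwrapAgentKey, updateConfigIdentity, updateSectionFields, validateAliases, validateConfig };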
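Review bot: Alias validation is opt-in for library callers as declared here: `validateAliases` is a separate export whose `AliasError` is only folded into `BootError`, while `resolveConfig` still returns `Either<CatalogError, ResolveResult>` and `computeAudit` takes `aliasTable` as an optional fourth parameter. A caller that uses `resolveConfig` and `computeAudit` directly can therefore, as far as these declarations show, audit a config whose `from_key` references were never checked against the same-type, single-hop and no-value rules; what `computeAudit` does with alias entries when `aliasTable` is omitted is not visible in this file. I would document the contract on `computeAudit` in the source behind the `src/core/audit.d.ts` region, for example `/** aliasTable must come from validateAliases(config); without it, from_key entries are not resolved to their targets */`, after confirming that is the actual behaviour. Separately, the doc comment on `AliasTable.entries` names the fields `type` and `targetType`, but the declared fields are `kind` and `targetKind`; the comment should read `key → { kind, targetKind, targetKey } for every alias entry`.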