envpkt 0.9.1 → 0.10.2

package/dist/cli.js

@@ -88,8 +88,11 @@ const computeAudit = (config, fnoxKeys, today, aliasTable) => {
 	const nonAliasMetaKeys = new Set(nonAliasEntries.map(([k]) => k));
 	const nonAliasHealth = nonAliasEntries.map(([key, meta]) => classifySecret(key, meta, keys, staleWarningDays, requireExpiration, requireService, now));
 	const healthByKey = new Map(nonAliasHealth.map((h) => [h.key, h]));
+	const parseTargetKey = (from_key) => {
+		return /^secret\.(.+)$/.exec(from_key)?.[1];
+	};
 	const aliasHealth = aliasEntries.map(([key, meta]) => {
-		const targetKey = (aliasTable?.entries.get(`secret.${key}`))?.targetKey;
+		const targetKey = (aliasTable?.entries.get(`secret.${key}`))?.targetKey ?? (meta.from_key !== void 0 ? parseTargetKey(meta.from_key) : void 0);
 		const targetHealth = targetKey !== void 0 ? healthByKey.get(targetKey) : void 0;
 		const targetRef = meta.from_key ?? (targetKey !== void 0 ? `secret.${targetKey}` : "");
 		if (!targetHealth) return {
@@ -547,12 +550,14 @@ const formatAuditJson = (audit) => JSON.stringify({
 	missing: audit.missing,
 	missing_metadata: audit.missing_metadata,
 	orphaned: audit.orphaned,
+	aliases: audit.aliases,
 	secrets: audit.secrets.map((s) => ({
 		key: s.key,
 		service: s.service.fold(() => null, (sv) => sv),
 		status: s.status,
 		days_remaining: s.days_remaining.fold(() => null, (d) => d),
 		rotation_url: s.rotation_url.fold(() => null, (u) => u),
+		alias_of: s.alias_of.fold(() => null, (a) => a),
 		purpose: s.purpose.fold(() => null, (p) => p),
 		issues: s.issues.toArray()
 	})).toArray()
@@ -871,9 +876,9 @@ const readFnoxConfig = (path) => Try(() => readFileSync(path, "utf-8")).fold((er
 const extractFnoxKeys = (config) => new Set(Object.keys(config.secrets));
 //#endregion
 //#region src/core/alias.ts
-const ALIAS_REF_RE = /^(secret|env)\.(.+)$/;
+const ALIAS_REF_RE$2 = /^(secret|env)\.(.+)$/;
 const parseRef = (raw) => {
-	const match = ALIAS_REF_RE.exec(raw);
+	const match = ALIAS_REF_RE$2.exec(raw);
 	if (!match) return Option(void 0);
 	const kind = match[1];
 	const key = match[2];
@@ -2535,6 +2540,77 @@ const runEnvRm = (name, options) => {
 		});
 	});
 };
+const ALIAS_REF_RE$1 = /^(secret|env)\.(.+)$/;
+const buildEnvAliasBlock = (name, options) => {
+	const lines = [`[env.${name}]`, `from_key = "${options.from}"`];
+	if (options.purpose) lines.push(`purpose = "${options.purpose}"`);
+	if (options.comment) lines.push(`comment = "${options.comment}"`);
+	if (options.tags) {
+		const pairs = options.tags.split(",").map((pair) => {
+			const [k, v] = pair.split("=").map((s) => s.trim());
+			return `${k} = "${v}"`;
+		});
+		lines.push(`tags = { ${pairs.join(", ")} }`);
+	}
+	return `${lines.join("\n")}\n`;
+};
+const runEnvAlias = (name, options) => {
+	const match = ALIAS_REF_RE$1.exec(options.from);
+	if (!match) {
+		console.error(`${RED}Error:${RESET} --from "${options.from}" must be formatted as "secret.<KEY>" or "env.<KEY>"`);
+		process.exit(1);
+	}
+	const [, targetKind, targetKey] = match;
+	if (targetKind !== "env") {
+		console.error(`${RED}Error:${RESET} env alias must point at another env entry — got "${options.from}". Use \`envpkt secret alias\` for secret→secret aliases.`);
+		process.exit(1);
+	}
+	resolveConfigPath(options.config).fold((err) => {
+		console.error(formatError(err));
+		process.exit(2);
+	}, ({ path: configPath, source }) => {
+		const sourceMsg = formatConfigSource(configPath, source);
+		if (sourceMsg) console.error(sourceMsg);
+		loadConfig(configPath).fold((err) => {
+			console.error(formatError(err));
+			process.exit(2);
+		}, (config) => {
+			const envEntries = config.env ?? {};
+			if (name === targetKey) {
+				console.error(`${RED}Error:${RESET} alias "${name}" cannot reference itself`);
+				process.exit(1);
+			}
+			const target = envEntries[targetKey];
+			if (!target) {
+				console.error(`${RED}Error:${RESET} alias target "${options.from}" not found in ${configPath}. Add the target env entry first.`);
+				process.exit(1);
+			}
+			if (target.from_key !== void 0) {
+				console.error(`${RED}Error:${RESET} alias target "${options.from}" is itself an alias. Chained aliases are not supported — point at the canonical entry instead.`);
+				process.exit(1);
+			}
+			const existing = envEntries[name];
+			if (existing) {
+				if (!options.force) {
+					console.error(`${YELLOW}Warning:${RESET} env entry "${name}" already exists in ${configPath} (${existing.from_key ? `currently alias → ${existing.from_key}` : "currently a regular entry"}).`);
+					console.error(`  Pass ${BOLD}--force${RESET} to overwrite, or use a different name.`);
+					process.exit(1);
+				}
+				console.error(`${YELLOW}Warning:${RESET} overwriting existing env entry "${name}" (${existing.from_key ? `was alias → ${existing.from_key}` : "was a regular entry"})`);
+			}
+			const block = buildEnvAliasBlock(name, options);
+			if (options.dryRun) {
+				console.log(`${DIM}# Preview (--dry-run):${RESET}\n`);
+				if (existing) console.log(`${DIM}# (would replace existing [env.${name}] block)${RESET}\n`);
+				console.log(block);
+				return;
+			}
+			const raw = readFileSync(configPath, "utf-8");
+			writeFileSync(configPath, appendSection(existing ? removeSection(raw, `[env.${name}]`).fold(() => raw, (r) => r) : raw, block), "utf-8");
+			console.log(`${GREEN}✓${RESET} Aliased ${BOLD}${name}${RESET} → ${BOLD}${options.from}${RESET} in ${CYAN}${configPath}${RESET}`);
+		});
+	});
+};
 const runEnvRename = (oldName, newName, options) => {
 	withConfig$1(Option(options.config), (configPath, raw) => {
 		renameSection(raw, `[env.${oldName}]`, `[env.${newName}]`).fold((err) => {
@@ -2574,6 +2650,9 @@ const registerEnvCommands = (program) => {
 	env.command("rename").description("Rename an env entry, preserving all fields").argument("<old>", "Current env variable name").argument("<new>", "New env variable name").option("-c, --config <path>", "Path to envpkt.toml").option("--dry-run", "Preview the result without writing").action((oldName, newName, options) => {
 		runEnvRename(oldName, newName, options);
 	});
+	env.command("alias").description("Create an alias entry that reuses another env entry's resolved value").argument("<name>", "Alias name (becomes the env var key)").requiredOption("--from <ref>", "Target reference — must be \"env.<KEY>\"").option("-c, --config <path>", "Path to envpkt.toml").option("--purpose <purpose>", "Why this alias exists (local metadata)").option("--comment <comment>", "Free-form annotation").option("--tags <tags>", "Comma-separated key=value tags (e.g. env=prod,team=payments)").option("--force", "Overwrite the entry if <name> already exists").option("--dry-run", "Preview the TOML block without writing").action((name, options) => {
+		runEnvAlias(name, options);
+	});
 };
 //#endregion
 //#region src/cli/commands/exec.ts
@@ -3799,6 +3878,77 @@ const runSecretRename = (oldName, newName, options) => {
 		});
 	});
 };
+const ALIAS_REF_RE = /^(secret|env)\.(.+)$/;
+const buildSecretAliasBlock = (name, options) => {
+	const lines = [`[secret.${name}]`, `from_key = "${options.from}"`];
+	if (options.purpose) lines.push(`purpose = "${options.purpose}"`);
+	if (options.comment) lines.push(`comment = "${options.comment}"`);
+	if (options.tags) {
+		const pairs = options.tags.split(",").map((pair) => {
+			const [k, v] = pair.split("=").map((s) => s.trim());
+			return `${k} = "${v}"`;
+		});
+		lines.push(`tags = { ${pairs.join(", ")} }`);
+	}
+	return `${lines.join("\n")}\n`;
+};
+const runSecretAlias = (name, options) => {
+	const match = ALIAS_REF_RE.exec(options.from);
+	if (!match) {
+		console.error(`${RED}Error:${RESET} --from "${options.from}" must be formatted as "secret.<KEY>" or "env.<KEY>"`);
+		process.exit(1);
+	}
+	const [, targetKind, targetKey] = match;
+	if (targetKind !== "secret") {
+		console.error(`${RED}Error:${RESET} secret alias must point at another secret — got "${options.from}". Use \`envpkt env alias\` for env→env aliases.`);
+		process.exit(1);
+	}
+	resolveConfigPath(options.config).fold((err) => {
+		console.error(formatError(err));
+		process.exit(2);
+	}, ({ path: configPath, source }) => {
+		const sourceMsg = formatConfigSource(configPath, source);
+		if (sourceMsg) console.error(sourceMsg);
+		loadConfig(configPath).fold((err) => {
+			console.error(formatError(err));
+			process.exit(2);
+		}, (config) => {
+			const secrets = config.secret ?? {};
+			if (name === targetKey) {
+				console.error(`${RED}Error:${RESET} alias "${name}" cannot reference itself`);
+				process.exit(1);
+			}
+			const target = secrets[targetKey];
+			if (!target) {
+				console.error(`${RED}Error:${RESET} alias target "${options.from}" not found in ${configPath}. Add the target secret first.`);
+				process.exit(1);
+			}
+			if (target.from_key !== void 0) {
+				console.error(`${RED}Error:${RESET} alias target "${options.from}" is itself an alias. Chained aliases are not supported — point at the canonical entry instead.`);
+				process.exit(1);
+			}
+			const existing = secrets[name];
+			if (existing) {
+				if (!options.force) {
+					console.error(`${YELLOW}Warning:${RESET} secret "${name}" already exists in ${configPath} (${existing.from_key ? `currently alias → ${existing.from_key}` : "currently a regular entry"}).`);
+					console.error(`  Pass ${BOLD}--force${RESET} to overwrite, or use a different name.`);
+					process.exit(1);
+				}
+				console.error(`${YELLOW}Warning:${RESET} overwriting existing entry "${name}" (${existing.from_key ? `was alias → ${existing.from_key}` : "was a regular entry"})`);
+			}
+			const block = buildSecretAliasBlock(name, options);
+			if (options.dryRun) {
+				console.log(`${DIM}# Preview (--dry-run):${RESET}\n`);
+				if (existing) console.log(`${DIM}# (would replace existing [secret.${name}] block)${RESET}\n`);
+				console.log(block);
+				return;
+			}
+			const raw = readFileSync(configPath, "utf-8");
+			writeFileSync(configPath, appendSection(existing ? removeSection(raw, `[secret.${name}]`).fold(() => raw, (r) => r) : raw, block), "utf-8");
+			console.log(`${GREEN}✓${RESET} Aliased ${BOLD}${name}${RESET} → ${BOLD}${options.from}${RESET} in ${CYAN}${configPath}${RESET}`);
+		});
+	});
+};
 const addSecretFlags = (cmd) => cmd.option("--service <service>", "Service this secret authenticates to").option("--purpose <purpose>", "Why this secret exists").option("--comment <comment>", "Free-form annotation").option("--expires <date>", "Expiration date (YYYY-MM-DD)").option("--capabilities <caps>", "Comma-separated capabilities (e.g. read,write)").option("--rotates <schedule>", "Rotation schedule (e.g. 90d, quarterly)").option("--rate-limit <limit>", "Rate limit info (e.g. 1000/min)").option("--model-hint <hint>", "Suggested model or tier").option("--source <source>", "Where the value originates (e.g. vault, ci)").option("--rotation-url <url>", "URL for secret rotation procedure").option("--tags <tags>", "Comma-separated key=value tags (e.g. env=prod,team=payments)");
 const registerSecretCommands = (program) => {
 	const secret = program.command("secret").description("Manage secret entries in envpkt.toml");
@@ -3814,6 +3964,9 @@ const registerSecretCommands = (program) => {
 	secret.command("rename").description("Rename a secret entry, preserving all metadata").argument("<old>", "Current secret name").argument("<new>", "New secret name").option("-c, --config <path>", "Path to envpkt.toml").option("--dry-run", "Preview the result without writing").action((oldName, newName, options) => {
 		runSecretRename(oldName, newName, options);
 	});
+	secret.command("alias").description("Create an alias entry that reuses another secret's resolved value").argument("<name>", "Alias name (becomes the env var key)").requiredOption("--from <ref>", "Target reference — must be \"secret.<KEY>\"").option("-c, --config <path>", "Path to envpkt.toml").option("--purpose <purpose>", "Why this alias exists (local metadata)").option("--comment <comment>", "Free-form annotation").option("--tags <tags>", "Comma-separated key=value tags (e.g. env=prod,team=payments)").option("--force", "Overwrite the entry if <name> already exists").option("--dry-run", "Preview the TOML block without writing").action((name, options) => {
+		runSecretAlias(name, options);
+	});
 };
 //#endregion
 //#region src/cli/commands/shell-hook.ts

package/dist/index.js

@@ -650,8 +650,11 @@ const computeAudit = (config, fnoxKeys, today, aliasTable) => {
 	const nonAliasMetaKeys = new Set(nonAliasEntries.map(([k]) => k));
 	const nonAliasHealth = nonAliasEntries.map(([key, meta]) => classifySecret(key, meta, keys, staleWarningDays, requireExpiration, requireService, now));
 	const healthByKey = new Map(nonAliasHealth.map((h) => [h.key, h]));
+	const parseTargetKey = (from_key) => {
+		return /^secret\.(.+)$/.exec(from_key)?.[1];
+	};
 	const aliasHealth = aliasEntries.map(([key, meta]) => {
-		const targetKey = (aliasTable?.entries.get(`secret.${key}`))?.targetKey;
+		const targetKey = (aliasTable?.entries.get(`secret.${key}`))?.targetKey ?? (meta.from_key !== void 0 ? parseTargetKey(meta.from_key) : void 0);
 		const targetHealth = targetKey !== void 0 ? healthByKey.get(targetKey) : void 0;
 		const targetRef = meta.from_key ?? (targetKey !== void 0 ? `secret.${targetKey}` : "");
 		if (!targetHealth) return {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "envpkt",
-  "version": "0.9.1",
+  "version": "0.10.2",
   "description": "Credential lifecycle and fleet management for AI agents",
   "keywords": [
     "credentials",
@@ -42,8 +42,8 @@
     "@modelcontextprotocol/sdk": "^1.29.0",
     "@sinclair/typebox": "^0.34.49",
     "commander": "^14.0.3",
-    "functype": "^0.58.1",
-    "functype-os": "^0.4.2",
+    "functype": "^0.60.0",
+    "functype-os": "^0.60.0",
     "smol-toml": "^1.6.1"
   },
   "devDependencies": {