opencode-dotenv 0.2.0 → 0.3.2

package/README.md

@@ -2,28 +2,9 @@
 
 OpenCode plugin to load `.env` files at startup.
 
-## Features
+## Setup
 
-- Load multiple `.env` files in order via config file
-- Load `.env` from current working directory (optional)
-- Override existing environment variables (later files override earlier ones)
-- Configurable logging to `/tmp/opencode-dotenv.log` (enabled by default)
-- Prevents double loading with load guard
-- JSONC config file format (supports comments and trailing commas)
-- **Requires Bun runtime**
-
-## Installation
-
-Add to your `opencode.jsonc`:
-
-```jsonc
-{
-  "$schema": "https://opencode.ai/config.json",
-  "plugin": ["file:./plugins/opencode-dotenv"]
-}
-```
-
-After publishing to npm, you can use:
+Add to `~/.config/opencode/opencode.jsonc`:
 
 ```jsonc
 {
@@ -31,165 +12,51 @@ After publishing to npm, you can use:
 }
 ```
 
-## Configuration
-
-Create `opencode-dotenv.jsonc` in one of these locations:
-
-1. `~/.config/opencode/opencode-dotenv.jsonc` (recommended, global config)
-2. `./opencode-dotenv.jsonc` in current working directory (project-specific)
-
-**Note:** Config files are loaded in the order above; the first found file is used.
-
-### Config Schema
-
-Config file uses **JSONC format** (JSON with Comments), which supports:
-- `//` single-line comments
-- `/* */` multi-line comments
-- Trailing commas
-- Trailing spaces
-
-```jsonc
-{
-  "files": [
-    "~/.config/opencode/.env",
-    "~/a/.env"
-  ],
-  "load_cwd_env": true,
-  "logging": {
-    "enabled": true
-  }
-}
-```
-
-**Fields:**
-- `files` (array, optional): List of `.env` file paths to load in order. Later files override earlier ones.
-- `load_cwd_env` (boolean, optional): Whether to load `.env` from the directory where OpenCode is opened. Defaults to `true`.
-- `logging.enabled` (boolean, optional): Enable/disable logging to `/tmp/opencode-dotenv.log`. Defaults to `true`.
-
-**Notes:**
-- Use `~` for home directory (automatically expanded)
-- Paths are expanded before loading
-- If no config file exists, only loads `./.env` from cwd (if present)
-- Logging writes to `/tmp/opencode-dotenv.log` for debugging
-
-### Load Order
-
-1. Files listed in `config.files` array (in order, later files override earlier ones)
-2. `.env` from current working directory (if `load_cwd_env: true`)
+## Config
 
-This ensures project-specific env vars have the highest precedence.
-
-## Usage Examples
-
-### Load global and project-specific .env files
-
-Config (`~/.config/opencode/opencode-dotenv.jsonc`):
+Create `~/.config/opencode/opencode-dotenv.jsonc`:
 
 ```jsonc
 {
-  "files": [
-    "~/.config/opencode/.env"
-  ],
+  "files": ["~/.config/opencode/.env"],
   "load_cwd_env": true,
-  "logging": {
-    "enabled": true
-  }
-}
-```
-
-Result:
-1. Loads `~/.config/opencode/.env`
-2. Loads `./.env` from cwd (overrides any conflicts)
-3. Logs all activity to `/tmp/opencode-dotenv.log`
-
-### Load multiple global files without cwd .env
-
-Config (`~/.config/opencode/opencode-dotenv.jsonc`):
-
-```jsonc
-{
-  "files": [
-    "~/.config/opencode/.env",
-    "~/a/.env"
-  ],
-  "load_cwd_env": false,
-  "logging": {
-    "enabled": false
-  }
+  "prefix": "", // or "MYAPP_"
+  "logging": { "enabled": true }
 }
 ```
 
-Result:
-1. Loads `~/.config/opencode/.env`
-2. Loads `~/a/.env` (overrides conflicts from first file)
-3. Skips cwd `.env`
-4. No logging output
-
-### Example .env files
+| Option | Default | Description |
+|--------|---------|-------------|
+| `files` | `[]` | `.env` files to load (later overrides earlier) |
+| `load_cwd_env` | `true` | Load `.env` from cwd |
+| `prefix` | `""` | Prefix for all variable names |
+| `logging.enabled` | `true` | Log to `/tmp/opencode-dotenv.log` |
 
-`~/.config/opencode/.env`:
+## .env Format
 
 ```bash
-# OpenCode Dotenv Configuration
-OPENCODE_API_KEY=your_api_key_here
-OPENCODE_DEBUG=true
-OPENCODE_MAX_TOKENS=100000
+KEY=value
+export EXPORTED=value
+QUOTED="with spaces"
+SINGLE='literal'
+MULTILINE=first\
+second
+INLINE=value # comment stripped
+ESCAPES="line1\nline2\ttab"
 ```
 
-`./.env` (project-specific):
+## Security
 
-```bash
-# Project-specific overrides
-OPENCODE_DEBUG=false
-PROJECT_API_KEY=project_specific_key
-```
+- Paths restricted to `$HOME` or cwd
+- Path traversal rejected
+- Keys validated: `^[a-zA-Z_][a-zA-Z0-9_]*$`
 
-Result: `OPENCODE_DEBUG` will be `false` (from cwd), `OPENCODE_API_KEY` from global, `PROJECT_API_KEY` from cwd.
-
-### Logging
-
-View plugin activity logs:
+## Debug
 
 ```bash
 tail -f /tmp/opencode-dotenv.log
 ```
 
-Disable logging in config:
-
-```jsonc
-{
-  "files": ["~/.config/opencode/.env"],
-  "logging": {
-    "enabled": false
-  }
-}
-```
-
-## Development
-
-### Plugin structure
-
-```
-opencode-dotenv/
-├── package.json
-├── src/
-│   └── index.ts
-└── dist/
-    └── index.js  (built)
-```
-
-### Build
-
-```bash
-bun run build
-```
-
-### Publish
-
-```bash
-npm publish
-```
-
 ## License
 
 MIT

package/dist/index.js

@@ -1,7 +1,4 @@
 // @bun
-// src/index.ts
-import { homedir } from "os";
-
 // node_modules/jsonc-parser/lib/esm/impl/scanner.js
 function createScanner(text, ignoreTrivia = false) {
   const len = text.length;
@@ -807,114 +804,220 @@ var ParseErrorCode;
 })(ParseErrorCode || (ParseErrorCode = {}));
 
 // src/index.ts
+import { resolve, normalize } from "path";
+import { homedir as osHomedir } from "os";
 var LOG_FILE = "/tmp/opencode-dotenv.log";
 var LOAD_GUARD = "__opencodeDotenvLoaded";
+var VALID_ENV_KEY = /^[a-zA-Z_][a-zA-Z0-9_]*$/;
+function getHomeDir() {
+  return process.env.HOME ?? osHomedir();
+}
 function parseDotenv(content) {
   const result = {};
-  for (const line of content.split(`
-`)) {
-    const trimmed = line.trim();
-    if (!trimmed || trimmed.startsWith("#"))
+  const lines = content.split(`
+`);
+  let i = 0;
+  while (i < lines.length) {
+    let line = lines[i].trim();
+    i++;
+    if (!line || line.startsWith("#"))
       continue;
-    const match = trimmed.match(/^export\s+([^=]+)=(.*)$/);
-    const key = match ? match[1] : trimmed.split("=")[0];
-    const value = match ? match[2] : trimmed.substring(key.length + 1);
-    if (key) {
-      let parsedValue = value.trim();
-      if (parsedValue.startsWith('"') && parsedValue.endsWith('"') || parsedValue.startsWith("'") && parsedValue.endsWith("'")) {
-        parsedValue = parsedValue.slice(1, -1);
-      }
-      result[key.trim()] = parsedValue;
+    while (line.endsWith("\\") && i < lines.length) {
+      line = line.slice(0, -1) + lines[i];
+      i++;
+    }
+    const exportMatch = line.match(/^export\s+(.*)$/);
+    if (exportMatch) {
+      line = exportMatch[1];
+    }
+    const eqIndex = line.indexOf("=");
+    if (eqIndex === -1)
+      continue;
+    const key = line.substring(0, eqIndex).trim();
+    const value = parseValue(line.substring(eqIndex + 1));
+    if (key && isValidEnvKey(key)) {
+      result[key] = value;
     }
   }
   return result;
 }
-function expandPath(path) {
-  return path.replace(/^~/, homedir());
+function parseValue(raw) {
+  let value = raw.trim();
+  if (value.startsWith('"')) {
+    const endQuote = findClosingQuote(value, '"');
+    if (endQuote !== -1) {
+      value = value.substring(1, endQuote);
+      return value.replace(/\\n/g, `
+`).replace(/\\r/g, "\r").replace(/\\t/g, "\t").replace(/\\"/g, '"').replace(/\\\\/g, "\\");
+    }
+    return value;
+  }
+  if (value.startsWith("'")) {
+    const endQuote = findClosingQuote(value, "'");
+    if (endQuote !== -1) {
+      return value.substring(1, endQuote);
+    }
+    return value;
+  }
+  const inlineCommentIndex = value.indexOf(" #");
+  if (inlineCommentIndex !== -1) {
+    value = value.substring(0, inlineCommentIndex);
+  }
+  return value.trim();
+}
+function findClosingQuote(str, quote) {
+  let i = 1;
+  while (i < str.length) {
+    if (str[i] === "\\" && i + 1 < str.length) {
+      i += 2;
+      continue;
+    }
+    if (str[i] === quote) {
+      return i;
+    }
+    i++;
+  }
+  return -1;
+}
+function isValidEnvKey(key) {
+  return VALID_ENV_KEY.test(key);
+}
+function expandPath(rawPath) {
+  if (typeof rawPath !== "string") {
+    return null;
+  }
+  const home = getHomeDir();
+  const expanded = rawPath.replace(/^~/, home);
+  const resolved = resolve(expanded);
+  const normalized = normalize(resolved);
+  const cwd = process.cwd();
+  const isWithinAllowedDirectory = normalized.startsWith(home) || normalized.startsWith(cwd);
+  return isWithinAllowedDirectory ? normalized : null;
 }
 var loggingEnabled = true;
+var logBuffer = [];
+var flushScheduled = false;
 function logToFile(message) {
   if (!loggingEnabled)
     return;
+  const timestamp = new Date().toISOString();
+  logBuffer.push(`[${timestamp}] ${message}`);
+  if (!flushScheduled) {
+    flushScheduled = true;
+    queueMicrotask(flushLogs);
+  }
+}
+async function flushLogs() {
+  if (logBuffer.length === 0) {
+    flushScheduled = false;
+    return;
+  }
+  const messages = logBuffer.join(`
+`) + `
+`;
+  logBuffer = [];
+  flushScheduled = false;
   try {
-    const timestamp = new Date().toISOString();
-    Bun.appendFileSync(LOG_FILE, `[${timestamp}] ${message}
-`);
-  } catch (e) {}
+    const file = Bun.file(LOG_FILE);
+    const existing = await file.exists() ? await file.text() : "";
+    await Bun.write(LOG_FILE, existing + messages);
+  } catch {
+    loggingEnabled = false;
+  }
 }
 async function loadConfig() {
-  const configPaths = [
-    `${homedir()}/.config/opencode/opencode-dotenv.jsonc`,
-    `${process.cwd()}/opencode-dotenv.jsonc`
-  ];
-  for (const configPath of configPaths) {
-    try {
-      const file = Bun.file(configPath);
-      if (!await file.exists())
-        continue;
+  const configPath = `${getHomeDir()}/.config/opencode/opencode-dotenv.jsonc`;
+  try {
+    const file = Bun.file(configPath);
+    if (await file.exists()) {
       const content = await file.text();
-      const config = parse2(content, [], { allowTrailingComma: true });
+      const config = parse2(content, [], {
+        allowTrailingComma: true
+      });
       loggingEnabled = config.logging?.enabled !== false;
       return config;
-    } catch (e) {
-      logToFile(`Failed to load config: ${e}`);
     }
+  } catch (e) {
+    logToFile(`Failed to load config: ${e}`);
   }
   return { files: [], load_cwd_env: true };
 }
-async function loadDotenvFile(filePath) {
+async function loadDotenvFile(filePath, prefix) {
+  const skipped = [];
   try {
     const file = Bun.file(filePath);
     if (!await file.exists()) {
       logToFile(`File not found: ${filePath}`);
-      return { count: 0, success: false };
+      return { count: 0, success: false, skipped };
     }
     const content = await file.text();
     const envVars = parseDotenv(content);
+    let count = 0;
     for (const [key, value] of Object.entries(envVars)) {
-      process.env[key] = value;
+      if (!isValidEnvKey(key)) {
+        skipped.push(key);
+        continue;
+      }
+      const envKey = prefix ? `${prefix}${key}` : key;
+      process.env[envKey] = value;
+      count++;
     }
-    return { count: Object.keys(envVars).length, success: true };
+    return { count, success: true, skipped };
   } catch (error) {
     logToFile(`Failed to load ${filePath}: ${error}`);
-    return { count: 0, success: false };
+    return { count: 0, success: false, skipped };
   }
 }
-var DotEnvPlugin = async (ctx) => {
+var DotEnvPlugin = async () => {
   if (globalThis[LOAD_GUARD]) {
     return {};
   }
   globalThis[LOAD_GUARD] = true;
   logToFile("Plugin started");
   const config = await loadConfig();
-  logToFile(`Config loaded: ${config.files.length} files, load_cwd_env=${config.load_cwd_env}, logging=${loggingEnabled}`);
+  logToFile(`Config loaded: ${config.files.length} files, load_cwd_env=${config.load_cwd_env}, prefix=${config.prefix ?? "(none)"}, logging=${loggingEnabled}`);
   let totalFiles = 0;
   let totalVars = 0;
   for (const rawPath of config.files) {
     const filePath = expandPath(rawPath);
+    if (!filePath) {
+      logToFile(`SECURITY: Rejected path outside allowed directories: ${rawPath}`);
+      continue;
+    }
     logToFile(`Loading: ${filePath}`);
-    const result = await loadDotenvFile(filePath);
+    const result = await loadDotenvFile(filePath, config.prefix);
     if (result.success) {
       totalFiles++;
       totalVars += result.count;
       logToFile(`Loaded ${result.count} vars`);
+      if (result.skipped.length > 0) {
+        logToFile(`Skipped invalid keys: ${result.skipped.join(", ")}`);
+      }
     }
   }
   if (config.load_cwd_env !== false) {
     const cwdEnvPath = `${process.cwd()}/.env`;
     logToFile(`Loading cwd: ${cwdEnvPath}`);
-    const result = await loadDotenvFile(cwdEnvPath);
+    const result = await loadDotenvFile(cwdEnvPath, config.prefix);
     if (result.success) {
       totalFiles++;
       totalVars += result.count;
       logToFile(`Loaded ${result.count} vars from cwd`);
+      if (result.skipped.length > 0) {
+        logToFile(`Skipped invalid keys: ${result.skipped.join(", ")}`);
+      }
     }
   }
   logToFile(`Plugin finished: ${totalFiles} files, ${totalVars} vars`);
+  await flushLogs();
   return {};
 };
 var src_default = DotEnvPlugin;
 export {
+  parseValue,
+  parseDotenv,
+  isValidEnvKey,
+  expandPath,
   src_default as default,
   DotEnvPlugin
 };

package/package.json

@@ -1,12 +1,28 @@
 {
   "name": "opencode-dotenv",
-  "version": "0.2.0",
+  "version": "0.3.2",
   "description": "OpenCode plugin to load .env files at startup",
   "main": "./dist/index.js",
   "type": "module",
   "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/assagman/opencode-dotenv.git"
+  },
+  "bugs": {
+    "url": "https://github.com/assagman/opencode-dotenv/issues"
+  },
+  "keywords": [
+    "opencode",
+    "plugin",
+    "dotenv",
+    "env",
+    "environment",
+    "variables"
+  ],
   "scripts": {
     "build": "bun build src/index.ts --outdir dist --target bun",
+    "test": "bun test",
     "prepublishOnly": "bun run build"
   },
   "files": [
@@ -20,5 +36,7 @@
   "dependencies": {
     "jsonc-parser": "^3.3.1"
   },
-  "devDependencies": {}
+  "devDependencies": {
+    "@types/bun": "^1.2.4"
+  }
 }